Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Similar documents
Introduction to Cryptography

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Notes for Lecture 9. 1 Combining Encryption and Authentication

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Lecture 10: NMAC, HMAC and Number Theory

Introduction to Cryptography Lecture 4

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Lecture 10: NMAC, HMAC and Number Theory

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Leftovers from Lecture 3

Avoiding collisions Cryptographic hash functions. Table of contents

Breaking H 2 -MAC Using Birthday Paradox

Introduction to Information Security

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Course Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

1 Cryptographic hash functions

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Lecture 5, CPA Secure Encryption from PRFs

Foundations of Network and Computer Security

New Attacks on the Concatenation and XOR Hash Combiners

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Katz, Lindell Introduction to Modern Cryptrography

Foundations of Network and Computer Security

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Rainbow Tables ENEE 457/CMSC 498E

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Week 12: Hash Functions and MAC

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Authentication. Chapter Message Authentication

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Security without Collision-Resistance

Message Authentication Codes (MACs) and Hashes

CPSC 467: Cryptography and Computer Security

Foundations of Network and Computer Security

1 Cryptographic hash functions

5199/IOC5063 Theory of Cryptology, 2014 Fall

12 Hash Functions Defining Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

1 Number Theory Basics

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

2 Message authentication codes (MACs)

Block Ciphers/Pseudorandom Permutations

Avoiding collisions Cryptographic hash functions. Table of contents

Cryptographic Hash Functions

Public-key Cryptography: Theory and Practice

HASH FUNCTIONS 1 /62

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Lecture 14: Cryptographic Hash Functions

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 18: Message Authentication Codes & Digital Signa

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Introduction to Cybersecurity Cryptography (Part 4)

Functional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Message Authentication Codes (MACs)

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Crypto Engineering (GBX9SY03) Hash functions

HASH FUNCTIONS. Mihir Bellare UCSD 1

Modern Cryptography Lecture 4

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Provable Chosen-Target-Forced-Midx Preimage Resistance

Perfectly-Crafted Swiss Army Knives in Theory

Lecture 1. Crypto Background

Lecture 10 - MAC s continued, hash & MAC

Security II: Cryptography

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Hash-based Signatures. Andreas Hülsing

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Lecture 10: HMAC and Number Theory

Number Representations

Homework 7 Solutions

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

LOWELL WEEKLY JOURNAL. ^Jberxy and (Jmott Oao M d Ccmsparftble. %m >ai ruv GEEAT INDUSTRIES

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Hash-based signatures & Hash-and-sign without collision-resistance

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

New Preimage Attack on MDC-4

An introduction to Hash functions

Message Authentication. Adam O Neill Based on

Improved Generic Attacks Against Hash-based MACs and HAIFA

Transcription:

Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1

Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic Attacks on Hash functions 2

MACs for Arbitrary Length Messages Mac K (m)= Select random n/4 bit string r Let tt ii = Mac KK rr l ii mm ii for i=1,,d (Note: encode i and l as n/4 bit strings) Output rr, tt 1,, tt dd Theorem 4.8: If Π is a secure MAC for messages of fixed length n, above construction Π = (Mac, Vrfy) is secure MAC for arbitrary length messages. 3

MACs for Arbitrary Length Messages Mac Disadvantage K (m)= 1: Long Select output random n/4 bit string r Let tt ii = Mac KK rr l ii mm ii for i=1,,d (Note: encode i and l as n/4 bit strings) Output rr, tt 1,, tt dd Two Disadvantages: 1. Lose Strong-MAC Guarantee 2. Security game arguably should give attacker Vrfy(.) oracle (CPA vs CCA security) Theorem 4.8: If Π is a secure MAC for messages of fixed length n, above construction Π = (Mac, Vrfy) Randomized is secure Construction MAC for arbitrary (no length messages. canonical verification). Disadvantage? 4

Hash and MAC Construction Start with (Mac,Vrfy) a MAC for messages of fixed length and (Gen H,H) a collision resistant hash function MMMMMM KKMM,SS mm = MMMMMM KKMM HH ss mm Theorem 5.6: Above construction is a secure MAC. Note: If Vrfy KKMM canonical. mm, tt is canonical then Vrfy KKMM,SS mm, tt can be 5

Hash and MAC Construction Start with (Mac,Vrfy) a MAC for messages of fixed length and (Gen H,H) a collision resistant hash function MMMMMM KKMM,SS mm = MMMMMM KKMM HH ss mm Theorem 5.6: Above construction is a secure MAC. Proof Intuition: If attacker successfully forges a valid MAC tag t for unseen message m then either Case 1: HH ss mm = HH ss mm ii Case 2: HH ss mmm HH ss mm ii for some previously requested message m i for every previously requested message m i 6

Hash and MAC Construction Theorem 5.6: Above construction is a secure MAC. Proof Intuition: If attacker successfully forges a valid MAC tag t for unseen message m then either Case 1: HH ss mm = HH ss mm ii for some previously requested message m i Attacker can find hash collisions! Case 2: HH ss mmm HH ss mm ii for every previously requested message m i Attacker forged a valid new tag on the new message HH ss mmm Violates security of the original fixed length MAC 7

MAC from Collision Resistant Hash Failed Attempt: MMMMMM kk,ss mm = HH ss kk mm Broken if HH ss uses Merkle-Damgård Transform MMMMMM kk,ss mm 1 mm 2 mm 3 = h ss h ss h ss h ss 0 nn kk mm 1 mm 2 mm 3 = h ss MMMMMM kk,ss mm 1 mm 2 mm 3 Why does this mean MMMMMM kk,ss is broken? 8

HMAC MMMMMM kk,ss mm = HH ss kk opad HH ss kk ipad mm ipad? 9

HMAC MMMMMM kk,ss mm = HH ss kk opad HH ss kk ipad mm ipad = inner pad opad = outer pad Both ipad and opad are fixed constants. Why use key twice? Allows us to prove security from weak collision resistance of H s 10

HMAC Security MMMMMM kk,ss mm = HH ss kk opad HH ss kk ipad mm Theorem (Informal): Assuming that HH ss is weakly collision resistant and that (certain other plausible assumptions hold) this is a secure MAC. Weak Collision Resistance: Give attacker oracle access to ff mm = HH ss kk mm (secret key k remains hidden). Attacker Goal: Find distinct m,m such that ff mm = ff mm 11

HMAC in Practice MD5 can no longer be viewed as collision resistant However, HMAC-MD5 remained unbroken after MD5 was broken Gave developers time to replace HMAC-MD5 Nevertheless, don t use HMAC-MD5! HMAC is efficient and unbroken CBC-MAC was not widely deployed because it as too slow Instead practitioners often used heuristic constructions (which were breakable) 12

Finding Collisions Ideal Hashing Algorithm Random function H from {0,1}* to {0,1} l Suppose attacker has oracle access to H(.) Attack 1: Evaluate H(.) on 2 l +1 distinct inputs. Can we do better? 13

Birthday Attack for Finding Collisions Ideal Hashing Algorithm Random function H from {0,1}* to {0,1} l Suppose attacker has oracle access to H(.) Attack 2: Evaluate H(.) on qq = 2 l/2 +1 + 1 distinct inputs x 1,,x q. Pr ii < jj. HH(x i ) HH(x j ) = 1 1 1 2 l 1 2 2 l 1 3 2 l 1 2 l/2 +1 2 l < 1 2 14

Birthday Attack for Finding Collisions Ideal Hashing Algorithm Random function H from {0,1}* to {0,1} l Suppose attacker has oracle access to H(.) Attack 2: Evaluate H(.) on qq = 2 l/2 +1 + 1 distinct inputs x 1,,x q. Store values x i, HH(x i ) in a hash table of size q Requires time/space O(qq) = OO Can we do better? 2 l 15

Small Space Birthday Attack Attack 2: Select random x 0, define x i = HH(x i 1 ) Initialize: x=x 0 and xʹ=x 0 Repeat for i=1,2, x:=h(x) xʹ:=h(h(xʹ)) now x = x i now x = x 2i If x=x then break Reset x=x 0 and set xʹ=x Repeat for j=1 to i If H(x) = H(x ) then output x,x Else x:= H(x), x = H(x) Now x=x j AND x = x i+j 16

Small Space Birthday Attack Attack 2: Select random x 0, define x i = HH(x i 1 ) Initialize: x=x 0 and xʹ=x 0 Repeat for i=1,2, x:=h(x) xʹ:=h(h(xʹ)) now x = x i now x = x 2i If x=x then break Reset x=x 0 and set xʹ=x Repeat for j=1 to i If H(x) = H(x ) then output x,x Else x:= H(x), x = H(x) Now x=x j AND x = x i+j Finds collision after O 2 l/2 steps in expectation 17

Floyd s Cycle Finding Algorithm A cycle denotes a hash collision Occurs after O 2 l/2 steps by birthday paradox First attack phase detects cycle Second phase identifies collision Analogy: Cycle detection in linked list Can traverse linked list by computing H 18

Small Space Birthday Attack Can be adapted to find meaningful collisions if we have a large message space O 2 l Example: S = SS 1 SS 2 with SS 1 = SS 2 = 2 l 1 SS 1 = Set of positive recommendation letters SS 2 = Set of negative recommendation letters Goal: find zz 1 SS 1, zz 2 SS 2, such that H(z 1 ) = H(z 2 ) Can adapt previous attack by assigning unique binary string b x 0,1 l of length to each xx SS x i = HH(b x i 1 ) 19

Targeted Collision (e.g., Password Cracking) Attacker is given y=h(pwd) Goal find x s.t. H(x ) = y There is an attack which requires Precomputation Time: OO( PPPPPPPPPPPPPPPPPP ) Space: PPPPPPPPPPPPPPPPPP 2/3 On input y finds pwd in Time: PPPPPPPPPPPPPPPPPP 2/3 Cracking costs amortize over many users Other time-memory tradeoffs are possible Defense 1: y=h(pwd salt) [password salting] Defense 2: Make sure that H is moderately expensive to compute (MHFs) 20

Targeted Collision (e.g., Password Cracking) Attacker is given y=h(x) Goal find x s.t. H(x ) = y Space: 2 l/3 Precomputation Time: 2 2l/3 Precomputation (sketch) Store s = 2 l/3 pairs SP i,ep i where EP i = HHHH SP i and t = 2 l/3 Let y=y 0 For i=1,2., 2 l/3 y i = HH(y i 1 ) For each j s.t EP j =y i Check if y is in the hash chain SP i,ep i Yes Found desired x Total #j s = ssss2 2 l < OO(1) Total Runtime = OO tt = OO(2 l/3 ) Success Rate 1 4tt 21

Targeted Collision (e.g., Password Cracking) Attacker is given y=h(x) Goal find x s.t. H(x ) = y Precomputation (sketch) Store 4st = 4 2 2l/3 pairs SP ii jj,ep i j Let y=y 0 For i=1,2., 2 l/3 y i j = HH(ccjj y i 1 ) Foreach j s.t EP i j = yi j Check if y is in the hash chain SP i,ep i Yes Found desired x Space: 2 2l/3 Precomputation Time: 2 l =2 2l/3 2 l/3 where EP i j = HHHH ccjj SP i and t = 2 l/3 Repeat for each j < t Total Runtime = OO tt tt = OO(2 2l/3 ) Success Rate > 0.63 22

Targeted Collisions (Other Applications) Define H(K) = F k (x) Suppose attacker obtains a pair x,f k (x) (chosen plaintext attack) There is a key recovery attack with Precomputation Time: KK Space: KK 2/3 Cracking Time: KK 2/3 Precomputation costs amortize if we are attacking multiple different keys As long as we have x,f k (x) we don t need to repeat precomputation phase 23

Next Class Read Katz and Lindell 5.5-5.6 Random Oracle Model + Applications of Hashing. 24

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback