Week 12: Hash Functions and MAC

Similar documents
Introduction to Information Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Foundations of Network and Computer Security

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Foundations of Network and Computer Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Cryptographic Hash Functions Part II

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Attacks on hash functions: Cat 5 storm or a drizzle?

Cryptographic Hash Functions

Leftovers from Lecture 3

An introduction to Hash functions

Message Authentication Codes (MACs)

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

2: Iterated Cryptographic Hash Functions

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen

Foundations of Network and Computer Security

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Asymmetric Encryption

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public-key Cryptography: Theory and Practice

Beyond the MD5 Collisions

Introduction Description of MD5. Message Modification Generate Messages Summary

Crypto Engineering (GBX9SY03) Hash functions

Further progress in hashing cryptanalysis

SMASH - A Cryptographic Hash Function

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Lecture 1: Introduction to Public key cryptography

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Introduction to Cryptography

CPSC 467: Cryptography and Computer Security

On the Big Gap Between p and q in DSA

Digital signature schemes

Digital Signatures. p1.

Introduction to Cryptography Lecture 4

Lecture 1. Crypto Background

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Weaknesses in the HAS-V Compression Function

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

The Hash Function JH 1

Authentication. Chapter Message Authentication

Exam Security January 19, :30 11:30

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Notes for Lecture 9. 1 Combining Encryption and Authentication

The Security of Abreast-DM in the Ideal Cipher Model

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

SMASH - A Cryptographic Hash Function

New Attacks on the Concatenation and XOR Hash Combiners

Overview. Public Key Algorithms II

New Preimage Attack on MDC-4

Analysis of SHA-1 in Encryption Mode

Chapter 8 Public-key Cryptography and Digital Signatures

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions

Title of Presentation

Improved Collision Attack on MD5

Some Attacks on Merkle-Damgård Hashes

5199/IOC5063 Theory of Cryptology, 2014 Fall

Breaking H 2 -MAC Using Birthday Paradox

Digital Signature Algorithm

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Preimage Attacks on Reduced Tiger and SHA-2

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512

ECS 189A Final Cryptography Spring 2011

DTTF/NB479: Dszquphsbqiz Day 27

Question: Total Points: Score:

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

12 Hash Functions Defining Security

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Symmetric Crypto Systems

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Introduction to the Design and. Cryptanalysis of Cryptographic Hash Functions

Introduction to Cybersecurity Cryptography (Part 4)

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Fundamentals of Modern Cryptography

Cryptographic Hashing

STRIBOB : Authenticated Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Finding good differential patterns for attacks on SHA-1

Message Authentication Codes (MACs) and Hashes

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

AURORA: A Cryptographic Hash Algorithm Family

Network Security: Hashes

Collision Attack on Boole

HASH FUNCTIONS 1 /62

Information Security

Symmetric Crypto Systems

Foundations of Network and Computer Security

How (not) to efficiently dither blockcipher-based hash functions?

Lecture V : Public Key Cryptography

Transcription:

Week 12: Hash Functions and MAC

1. Introduction Hash Functions vs. MAC 2

Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved. Must be at least One-way to be useful. Applications Keyed hash: MAC/ICV generation. Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator, etc. Constructions Iterated hash functions (MD4-family hash functions): MD5, SHA-1, SHA-2, HAVAL, HAS160, etc. Hash functions based on block ciphers: MDC(Manipulation Detection Code) H Short Message Digest or Fingerprint D = H(M) 3

Message Authentication Code (MAC) MAC Generate a fixed length MAC for an arbitrary length message A keyed hash function Message origin authentication Message integrity Entity authentication Shared Secret Key Constructions Keyed hash: HMAC Block cipher: CBC-MAC MAC MAC MAC 4

Comparison of Hash Function & MAC Arbitrary length message Arbitrary length message Hash function Secret key MAC function Hash fixed length MAC fixed length Easy to compute Compression: arbitrary length input to fixed length output Unkeyed function vs. Keyed function 5

Message Authentication using MAC Alice Bob Message MAC transmit Message MAC K AB Shared Secret key between Alice and Bob Secret key algorithm K AB Shared Secret key between Alice and Bob Secret key algorithm MAC no? yes 6

Digital Signature with Hash Function Signer Verifier Message Signature Message transmit Signature Hash function Hash function Hashing Hashing Signer s Private key Public key algorithm no? yes Public key algorithm Signer s Public key 7

MAC and Digital Signature (Summary) MAC (Message Authentication Code) Generated and verified by a secret key algorithm Message origin authentication & Message integrity Schemes Keyed hash: HMAC Block cipher: CBC-MAC, Digital Signature Generated and verified by a public key algorithm and a hash function Message origin authentication & Message integrity Non-repudiation Schemes Hash + Digital signature algorithm RSA-PSS, DSA, etc. 8

2. Hash Functions 9

Hash Functions Requirements Efficient Computation Security Properties Preimage resistance (One-wayness) : Given y, it is computationally infeasible to find any input x such that y = h(x) 2nd preimage resistance (Weak collision resistance) : Given x, it is computationally infeasible to find another input x x such that h(x) = h(x ) Collision resistance (Strong collision resistance) : It is computationally infeasible to find any two distinct inputs x and x such that h(x) = h(x ) 10

BFA on OW Hash Function (Preimage Attack) Given y, find m such that h(m) = y m i for i = 1, 2,... 2 n h( ) Arbitrary message, m i or m j of the same meaning? h(m i ) n bits h(m i ) = y? 11

Multiple Messages with Meaning Same I state thereby that I borrowed $10,000 from confirm received ten thousand dollars Mr. Kris Gaj on October 15, 2001. This money Dr. Krzysztof 15 October amount of money should be returned to Mr. Gaj by November 30, 2001. is required to given back Dr. 30 November 11 different positions of similar expressions 2 11 different messages of the same meaning 12

Collision in Collision-Resistant Hash Function Find any two distinct messages m, m such that h(m) = h(m ). m i for i = 1, 2,... 2 m m i h h h(m i ) n bits How large m should be required to get a match? h(m i ) n bits 13

Birthday Paradox How many students there must be in a class for there be a greater than 50% chance that 1. One of the students shares the teacher s birthday? (complexity breaking one-wayness) 365/2 188 2. Any two of the students share the same birthday? (complexity breaking collision resistance) 1 365 364... (365-k+1) / 365 k > 0.5 k 23 In general, the probability of a match being found when k samples are randomly selected between 1 and n equals n! 1 1 e k ( n k)! n k( k 1) 2n 14

One Million $ Hardware Brute Force Attack One-Way Hash Functions (complexity = 2 n ) n = 64 n = 80 n = 128 Year 2001 4 days 718 years 10 17 years Collision-Resistant Hash Functions (complexity = 2 n/2 ) n = 128 n = 160 n = 256 Year 2001 4 days 718 years 10 17 years 15

Construction of Hash Function (1/2) Message m 100 000 length Padding & length encoding M 1 M 2 M 3 M t 1 2 t-1 b b b b IV=H 0 n f n H f n H f n n... n f H H t Legend: IV : Initial Value H i : i-th Chaining variable M i : i-th input block f : Compression function g : Output transformation (optional) t : Number of input blocks b : Block size in bits n : Hash code size in bits g h(m) 16

Construction of Hash Function b M i (2/2) Compression Function (fixed-size hash function) n f n H i H i-1 Entire hash H 0 = IV H i = f (H i-1, M i ) for 1 i t H(m) = g(h t ) Fact(by Merkle-Damgård) MD-strengthening. Any collision-resistant compression function f can be extended to a collision-resistant hash function h 17

Typical Padding Assume Block size = 512 bits (MD5, SHA-1, RMD160, HAS160 ) Last 512-bit block Message m 100 000 length Let r = m mod 512 If 512-r > 64 padding = 512-(r+64) bits 64 bit integer (bit-length of message m) else padding = 512-r+448 bits (two padding blocks) 18

Hash Function Family Dedicated (Customized) Based on block ciphers Based on Modular Arith. Broken Broken MD2 MD4 MDC-1 MDC-2 MDC-4 MASH-1 Broken MD5 Broken Weakness discovered SHA-0 SHA-1 RIPEMD-128 RIPEMD-160 Reduced round Version broken HAS-160 SHA-2 19

SHA (Secure Hash Algorithm) (1/2) SHA was designed by NIST (National Institute of Standards and Technology) & NSA (National Security Agency) US standard for use with DSA signature scheme The algorithm is SHA and the standard is SHS. Based on the design of MD4 and MD5 by Rivest@MIT SHA-0: FIPS PUB 180, 1993 SHA-1: FIPS Pub 180-1, 1995 bitwise rotation of message schedule of SHA-0 changed widely-used security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec SHA-2: FIPS Pub 180-2, 2001 SHA-224, SHA-256, SHA-384, and SHA-512 Not so popular as SHA-1 20

SHA (Secure Hash Algorithm) (2/2) Algorithm and variant Output size (bits). Internal state siz e (bits) Block size (bits) Max message siz e (bits) Word size (bits ) Rounds Operation Collision s Found SHA-0 160 160 512 2 64 1 32 80 SHA-1 160 160 512 2 64 1 32 80 +,and,or, xor,rot +,and,or, xor,rot Yes Yes 2 52 attack (*) SHA-2 56/224 256/224 256 512 2 64 1 32 64 +,and,or, xor,shr,rot None SHA-2 SHA-5 12/384 512/384 512 1024 2 128 1 64 80 +,and,or, xor,shr,rot None (*) Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, http://eurocrypt2009rump.cr.yp.to/ 837a0a8086fa6ca714249409ddfae43d.pdf. 21

SHA-1 Overview Y q 512 160 CV q A B C D E round 0 f 1, ABCDE, Y q, K 0, w 0 A B C D E round 1 f 2, ABCDE, Y q, K 1, w 1 A B C D E round 79 f 80, ABCDE, Y q, K 79, w 79 160 CV q+1 http://www.itl.nist.gov/fipspubs/fip180-1.htm 22

SHA-1 Round Function A B C D E Input buffer f t Boolean function CLS 5 CLS30 Cyclic left shift W t K t From message Constants A B C D E Output buffer 23

SHA-1 Constants & Boolean Functions Initial values A = 6 7 4 5 2 3 0 1 B = E F C D A B 8 9 C = 9 8 B A D C F E D = 1 0 3 2 5 4 7 6 E = C 3 D 2 E 1 F 0 Constants K t t = 0 ~ 19 K t = 5 A 8 2 7 9 9 9 t = 20 ~ 39 K t = 6 E D 9 E B A 1 t = 40 ~ 59 K t = 8 F 1 B B C D C t = 60 ~ 79 K t = C A 6 2 C 1 D 6 Boolean function f t t = 0 ~ 19 t = 20 ~ 39 t = 40 ~ 59 t = 60 ~ 79 f t (B, C, D) = B C + B D f t (B, C, D) = B C D f t (B, C, D) = B C + B D + C D f t (B, C, D) = B C D 24

SHA-1 Message Inputs 512-bit w 2 w 8 w t 14 w t 8 w 65 w 71 Y q w 0 w 13 w t 16 w t 3 w 63 w 76 w 0 32 w 1 32 32 CLS 1 CLS 1 CLS 1 w 15 w 16 w t w 79 CLS: Cyclic Left Shift 25

Step Operations of MD5 & SHA-1 D C B A A B C D E f r + f r + + M i <<5 + + K r + M i <<s i + <<30 + K r D C B A 15... 0 1 Little endian A B C D E 0 1... 19 Big endian 26

Step Operations of SHA1 & HAS160 A B C D E E D C B A f r + + f r <<5 + + <<s i + M i M i + <<30 + K r K r + <<s r <<s r A B C D E E D C B A 0 1... 19 19... 1 0 27

Comparison Hash Func. MD5 SHA1 RMD160 HAS160 Digest size(bits) 128 160 160 160 Block size(bits) 512 512 512 512 No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20) Boolean func. 4 4(3) 5 4(3) Constants 64 4 9 4 Endianness Little Big Little Little Speed ratio 1.0 0.57 0.5 0.94 28

Hash Ft based on Block Ciphers : MDC1 Matyas-Meyer-Oseas Scheme H i-1 M i block size block size Compression function f g: a function mapping an input H i to a key suitable for E, might be the identity function g E H i block size Provably Secure under an appropriate blackbox model But produces too short hash codes for use in most applications 29

Hash Ft based on Block Ciphers : MDC2 M i H i-1 g E E g H i-1 A B C D A D C B Compression function f H i H i 30

Collision1.bin Ex. of MD5 Collisions Collision2.bin Same MD5 Hashed Value!! 31

MD5 Collision Attacks Colliding valid X.509 certificates Lenstra, Wang, Weger, forged X.509 certificates, http://eprint.iacr.org/2005/067.pdf Same owner with different public keys (2048 bits) Stevens, Lenstra, Weger, Eurocrypt 2007 8192-bit public key (8-block collision) Stevens etc. Crypto 2009 Pass the browser authentication, different owners, different public keys (See next) 32

X.509v3 Real and Fake Certificates using MD-5 S1 Serial number A CA name Validity period A Domain name A chosen prefix (different) Serial number B CA name Validity period B Domain name B Rogue RSA key Rogue X.509 extensions S1 S2 S3 A1 A2 A3 RSA key X.509 extensions valid CA signature collision bits (computed) birthday block + near collision blocks identical bytes (copied from Real cert) Netscape Comment Extension* X.509 extensions valid CA signature S2 S3 * contents ignored by browsers 33

SHA-3 Project 34

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback