Introduction to Information Security

Similar documents
Week 12: Hash Functions and MAC

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Hashes and Message Digests Alex X. Liu & Haipeng Dai

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Leftovers from Lecture 3

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Introduction to Cryptography Lecture 4

Introduction to Cryptography

Foundations of Network and Computer Security

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Cryptographic Hash Functions

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Message Authentication Codes (MACs)

Authentication. Chapter Message Authentication

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

An introduction to Hash functions

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Digital signature schemes

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

ECS 189A Final Cryptography Spring 2011

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Digital Signatures. p1.

Introduction to Cybersecurity Cryptography (Part 4)

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Attacks on hash functions: Cat 5 storm or a drizzle?

Lecture 1: Introduction to Public key cryptography

Asymmetric Encryption

Lecture 1. Crypto Background

Public-key Cryptography: Theory and Practice

New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen

CPSC 467: Cryptography and Computer Security

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Lecture 10: NMAC, HMAC and Number Theory

Crypto Engineering (GBX9SY03) Hash functions

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 18: Message Authentication Codes & Digital Signa

2: Iterated Cryptographic Hash Functions

Cryptographic Hash Functions Part II

Public Key Algorithms

Message Authentication Codes (MACs) and Hashes

CPSC 467: Cryptography and Computer Security

Network Security: Hashes

Notes for Lecture 9. 1 Combining Encryption and Authentication

3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function

Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions

Introduction Description of MD5. Message Modification Generate Messages Summary

The Hash Function JH 1

Information Security

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

Katz, Lindell Introduction to Modern Cryptrography

Attacks on hash functions. Birthday attacks and Multicollisions

Exam Security January 19, :30 11:30

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Introduction to Modern Cryptography Lecture 5

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Elliptic Curve Cryptography

Breaking H 2 -MAC Using Birthday Paradox

5199/IOC5063 Theory of Cryptology, 2014 Fall

Symmetric Crypto Systems

Symmetric Crypto Systems

AURORA: A Cryptographic Hash Algorithm Family

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Beyond the MD5 Collisions

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

SPCS Cryptography Homework 13

New Preimage Attack on MDC-4

Cryptographic Hashing

SMASH - A Cryptographic Hash Function

Message Authentication. Adam O Neill Based on

Question: Total Points: Score:

On the Big Gap Between p and q in DSA

Hash-based signatures & Hash-and-sign without collision-resistance

STRIBOB : Authenticated Encryption

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Lecture 10: NMAC, HMAC and Number Theory

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

The Hash Function Fugue

4. Hash Functions Contents. 4. Hash Functions Message Digest

Lecture 10: HMAC and Number Theory

DTTF/NB479: Dszquphsbqiz Day 27

Design Paradigms for Building Multi-Property Hash Functions

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Some Attacks on Merkle-Damgård Hashes

12 Hash Functions Defining Security

New Proofs for NMAC and HMAC: Security without Collision-Resistance

Transcription:

Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University

Contents 1. Introduction - Hash Function vs. MAC 2. Hash Functions Security Requirements Finding collisions birthday paradox Dedicated hash functions SHA-1 Hash functions based on block ciphers 3. Message Authentication Code HMAC CBC-MAC 2

1. Hash Functions vs. MAC (Message Authentication Code) 3

Hash Functions Hash Function Generate a fixed length Fingerprint for an arbitrary length message No Key involved (public function) Must be at least One-way to be useful Applications Unkeyed hash digital signature password file key stream / pseudo-random number generator Keyed hash: MAC/ICV generation (Message Authentication Code, Integrity Check Value) Constructions Iterated hash functions (MD4-family hash functions): MD5, SHA1, SHA2, RMD160, HAS160 Hash functions based on block ciphers: MDC(Manipulation Detection Code) Message M H Message Digest D D = H(M) X 4

Message Authentication Codes (MACs) MAC Generate a fixed length MAC for an arbitrary length message A keyed hash function Provides Message origin authentication Message integrity Entity authentication Transaction authentication MAC MAC Shared Secret Key Constructions Keyed hash: HMAC, KMAC Block cipher: CBC-MAC Dedicated MAC: MAA, UMAC SEND MAC 5

Comparison of Hash Function & MAC Arbitrary length message Arbitrary length message Hash function MAC function Hash fixed length Secret key MAC fixed length Easy to compute Compression: arbitrary length input to fixed length output Unkeyed function vs. Keyed function 6

Symmetric Authentication (MAC) Alice Bob Message MAC transmit Message MAC K AB Shared Secret key between Alice and Bob Secret key algorithm K AB Shared Secret key between Alice and Bob Secret key algorithm MAC yes no 7

Alice Digital Signature Bob Message Signature transmit Message Signature Hash function Hash function Hash value Hash value 1 Public key algorithm yes no Alice s Public key Alice s Private key Hash value 2 Public key algorithm 8

MAC and Digital Signature MAC (Message Authentication Code) Generated and verified by a secret key algorithm Message origin authentication & Message integrity Cannot provide non-repudiation Schemes Keyed hash: HMAC Block cipher: CBC-MAC, XCBC-MAC Dedicated MAC: UMAC Digital Signature Generated and verified by a public key algorithm and a hash function Message origin authentication & Message integrity Non-repudiation Schemes Hash + Digital signature algorithm RSA; DSA, KCDSA; ECDSA, EC-KCDSA 9

2. Hash Functions 10

Hash Functions Definition Compression: arbitrary length input to fixed length output Ease of computation {0,1} d h( ) d >> r {0,1} r hash, hash code/value/result message digest, checksum, MIC, authentication tag, seal, compression digital fingerprint, imprint * Note that collision is inevitable (many-to-one function). 11

Hash Functions Requirements Security Properties Preimage resistance (One-wayness) : Given y, it is computationally infeasible to find any input x such that y = h(x) Hardest task, weakest requirement 2nd preimage resistance (Weak collision resistance) : Given x, it is computationally infeasible to find another input x x such that h(x) = h(x ) Collision resistance (Strong collision resistance) : It is computationally infeasible to find any two distinct inputs x and x such that h(x) = h(x ) Easier task, Strongest requirement 12

Hash Functions (Unkeyed) One-way Hash functions (OWHF) Collision-Resistant Hash functions (CRHF) sufficient for most other applications Preimage resistance 2nd preimage resistance Collision resistance Required for digital signatures 13

Brute Force Attack on One-Way Hash Functions Assume that a signer had signed on a hash value y. An attacker tries to frame the signer with a wrong message. Or The signer tries to repudiate his signing. Given y, find m such that h(m) = y m i for i = 1, 2,... 2 n h Arbitrary message m Or m of the same meaning? h(m i ) h(m i ) = y? n bits 14

Constructing Multiple Versions of the Same Message I state thereby that I borrowed $10,000 from confirm received ten thousand dollars Mr. Kris Gaj on October 15, 2001. This money Dr. Krzysztof 15 October amount of money should be returned to Mr. Gaj by November 30, 2001. is required to given back Dr. 30 November 11 different positions of similar expressions 2 11 different messages of the same meaning 15

Finding Collision in Collision-Resistant Hash Functions Find any two distinct messages m, m such that h(m) = h(m ). m i for i = 1, 2,... 2 m m i h h h(m i ) n bits How large m should be to get a match? h(m i ) n bits 16

Birthday Paradox How many students there must be in a class for there be a greater than 50% chance that 1. One of the students shares the teacher s birthday? (complexity breaking one-wayness) 365/2 188 2. Any two of the students share the same birthday? (complexity breaking collision resistance) 1 365 364... (365-k+1) / 365 k > 0.5 k 23 In general, the probability of a match being found when k samples are randomly selected between 1 and n equals n! 1 1 e k ( n k)! n k( k 1) 2n 17

Birthday Attack Consider two sets of k instances: X = {x 1, x 2,, x k } ; Y = {y 1, y 2,, y k }, Pr[no match in Y to x1 ] 1 Pr[no match in Y to X] 1 1 n 1 n k 1 Pr[at least one match in Y to X ] 1 1 1 e n The value of k making the probability of at least one match being greater than 0.5 2 2 1 1 e 2 e ln 2 2 k k k k 2 k n n k n ln 2 0.83 n n k n k 2 k n 18

Birthday Attack on Collision Search H 1 H 2 H 3... H m H 1 H 2 H 3... H m Number of comparisons = m 2 Suppose that digest size = n bits Intuitively, Hash values can take 2 n possible values generate two sets of m=2 n/2 hash values compare each element of the two sets there is 2 n comparisons probably there will be one match But, more exactly, 1.66 x 2 n/2 hash values are required to find a match with prob.>0.5 (using the birthday attack) 19

One Million $ Hardware Brute Force Attack One-Way Hash Functions (complexity = 2 n ) n = 64 n = 80 n = 128 Year 2001 4 days 718 years 10 17 years Collision-Resistant Hash Functions (complexity = 2 n/2 ) n = 128 n = 160 n = 256 Year 2001 4 days 718 years 10 17 years 20

General Construction of a Secure Hash Function Message m 100 000 length Padding & length encoding M 1 M 2 M 3 M t 1 2 t-1 b b b b IV=H 0 n f n H f n H f n n... n f H H t Legend: IV : Initial Value H i : i-th Chaining variable M i : i-th input block f : Compression function g : Output transformation (optional) t : Number of input blocks b : Block size in bits n : Hash code size in bits g h(m) 21

General Construction of a Secure Hash Function b M i Compression Function (fixed-size hash function) n f n H i H i-1 Entire hash H 0 = IV H i = f (H i-1, M i ) for 1 i t H(m) = g(h t ) Fact(by Merkle-Damgård) Any collision-resistant compression function f can be extended to a collision-resistant hash function h 22

Typical Hash Padding Assume Block size = 512 bits (MD5, SHA1, RMD160, HAS160 ) Last 512-bit block Message m 100 000 length Let r = m mod 512 If 512-r > 64 padding = 512-(r+64) bits 64 bit integer (bit-length of message m) else padding = 512-r+448 bits (two padding blocks) 23

Classification of Hash Functions Dedicated (Customized) Based on block ciphers Based on Modular Arith. broken MD2 MD4 Partially broken MDC-1 MDC-2 MDC-4 MASH-1 MD5 Partially broken SHA0 SHA1 Weakness discovered RIPEMD-128 RIPEMD-160 Reduced round Version broken HAS-160 SHA2 24

SHA (Secure Hash Algorithm) SHA was designed by NIST (national institute of standards and technology) & NSA (National Security Agency) in 1993, and revised as SHA-1 in 1995 SHA: FIPS PUB 180, 1993 SHA-1 : FIPS Pub 180-1, 1995 US standard for use with DSA signature scheme The algorithm is SHA, the standard is SHS Based on the design of MD4 with key differences * Federal Information Processing Standard SHA-1 : Secure Hash Standard (SHS), FIPS Pub 180-1, 1995 160-bit hash value (5 words Big Endian) 512-bit block size 4 round hash, each round has 20 steps, total 80 steps 25

SHA-1 Overview Y q 512 160 CV q A B C D E round 0 f 1, ABCDE, Y q, K 0, w 0 A B C D E round 1 f 2, ABCDE, Y q, K 1, w 1 A B C D E round 79 f 80, ABCDE, Y q, K 79, w 79 160 CV q+1 26

SHA-1 round function A B C D E Input buffer f t Boolean function CLS 5 CLS30 Cyclic left shift W t K t From message Constants A B C D E Output buffer 27

SHA-1 Initial values A = 6 7 4 5 2 3 0 1 B = E F C D A B 8 9 C = 9 8 B A D C F E D = 1 0 3 2 5 4 7 6 E = C 3 D 2 E 1 F 0 Constants K t t = 0 ~ 19 K t = 5 A 8 2 7 9 9 9 t = 20 ~ 39 K t = 6 E D 9 E B A 1 t = 40 ~ 59 K t = 8 F 1 B B C D C t = 60 ~ 79 K t = C A 6 2 C 1 D 6 Boolean function f t t = 0 ~ 19 t = 20 ~ 39 t = 40 ~ 59 t = 60 ~ 79 f t (B, C, D) = B C + B D f t (B, C, D) = B C D f t (B, C, D) = B C + B D + C D f t (B, C, D) = B C D 28

SHA-1 message inputs 512-bit w 2 w 8 w t 14 w t 8 w 65 w 71 Y q w 0 w 13 w t 16 w t 3 w 63 w 76 w 0 32 w 1 32 32 CLS 1 CLS 1 CLS 1 w 15 w 16 w t w 79 29

Step Operations of MD5 & SHA1 D C B A A B C D E f r + f r + + M i <<5 + + K r + M i <<s i + <<30 + K r D C B A 15... 0 1 Little endian A B C D E 0 1... 19 Big endian 30

Step Operations of SHA1 & HAS160 A B C D E E D C B A f r + + f r <<5 + + <<s i + M i M i + <<30 + K r K r + <<s r <<s r A B C D E E D C B A 0 1... 19 19... 1 0 31

Comparison of Popular Hash Functions Hash Func. MD5 SHA1 RMD160 HAS160 Digest size(bits) 128 160 160 160 Block size(bits) 512 512 512 512 No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20) Boolean func. 4 4(3) 5 4(3) Constants 64 4 9 4 Endianness Little Big Little Little Speed ratio 1.0 0.57 0.5 0.94 32

Hash Functions Based on Block Ciphers: MDC1 Matyas-Meyer-Oseas Scheme block size H i-1 M i block size Compression function f g: a function mapping an input H i to a key suitable for E, might be the identity function g E H i block size Provably Secure under an appropriate blackbox model But produces too short hash codes for use in most applications 33

Hash Functions Based on Block Ciphers: MDC2 M i H i-1 g E E g H i-1 A B C D A D C B Compression function f H i H i 34

Hash Functions Implementation results PIII 450MHz : Widows 98 : MSVC++ 6.0 Output len. 64 bytes 1K bytes 1M bytes SHA1 160 bits 101.7 Mbps 200.8 Mbps 214.9 Mbps SHA-256 256 bits 48.2 Mbps 97.6 Mbps 104.1 Mbps SHA-512 512 bits 16.0 Mbps 28.8 Mbps 32.8 Mbps RMD160 160 bits 91.1 Mbps 174.9 Mbps 188.1 Mbps HAS160 160 bits 158.6 Mbps 328.7 Mbps 353.0 Mbps Tiger 192 bits 51.0 Mbps 98.8 Mbps 106.3 Mbps MD5 128 bits 176.5 Mbps 349.8 Mbps 376.3 Mbps Remarks Theoretical strength of hash functions with k-bit output : about 2 k/2 128-bit Hash function does not offer sufficient protection Use of MD5 not recommended SHA1 only provides 80-bit security AES offers three key sizes (128, 192, 256) Need for companion hash algorithms to give similar security SHA-(256, 384, 512) have been proposed (draft FIPS) 35

3. Message Authentication Code 36

MAC Functions MAC algorithms Keyed hash functions whose specific purpose is message authentication Requirements Ease of computation Compression arbitrary length input to fixed length output Computation resistance Given zero or more text-mac pairs (m i, MAC K (m i )), It s computationally infeasible to find any new text-mac pair (m, MAC K (m)) for m m i 37

Attacks & Forgeries on MAC Algorithms Adversary s goal MAC key recovery MAC forgery Attacks on MAC algorithms Known-text attack Chosen text attack Adaptively chosen text attack MAC Forgeries Selective forgery Existential forgery 38

Classification of MAC Algorithms Based on Hash functions Based on block ciphers Based on Stream ciphers Dedicated HMAC KMAC CBC-MAC CFB-MAC CRC-MAC MAA RIPE-MAC 39

Constructing MAC from Hash Functions Secret Prefix Method MAC K (M) = h(k M) Extension attack: easy to generate MAC for M = M P M (P: hash padding) Secret Suffix Method MAC K (M) = h(m K) Birthday attack applies: if h(m) = h(m ), then MAC K (M) = MAC K (M ) Envelope Method MAC K (M) = h(k P M K) (P=padding to make K P one block) No known weakness yet HMAC Provably secure under some ideal assumptions on the underlying hash function http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf 40

HMAC : Keyed-Hash MAC K User key Message M K > B K 0 ipad M K 0 = H(K) Zeros K B K 0 = K Zeros K 0 Hash Algorithm : concatenation B : Block size of Hash function K 0 is B bytes ipad : 0x36 repeated B times opad : 0x5C repeated B times MAC = H(K 0 opad H( K 0 ipad M ) ) Used in SSL/TLS and IPsec K 0 opad Hash1 Hash Algorithm Hash2 MAC 41

MAC Based on Block Ciphers: CBC-MAC M 1 M 2 M t IV = 0 K E E... E Last block with padding (zero-padding in FIPS 113) H 1 H 2 H t-1 H t MAC FIPS 113 H 0 = IV = 0 H i = E K (M i H i-1 ) MAC K (M) = H t [1 b/2] or MAC K (M) = E K (D K (H t )) [1 b/2] K K D E Optional MAC strengthening MAC 42

MAC Based on Block Ciphers: XCBC-MAC M 1 M 2 M t Last block with padding (100 ) IV = 0 K 1 E E... E K 2 if original block =128 K 3 if original block <128 H 1 H 2 H t-1 H t MAC Key derivation from the secret key K (Ipsec:AES-XCBC-MAC-96) K 1 = E K (0x01010101010101010101010101010101) K 2 = E K (0x02020202020202020202020202020202) K 3 = E K (0x03030303030303030303030303030303) 43

MAC Based on Block Ciphers: RIPE-MAC M 1 M 2 M t IV = 0 K E E... E H 0 = IV = 0 H 1 H 2 H t-1 K D H t Padding: one-zero padding (possible none) + length block H i = E K (M i H i-1 ) M i MAC K (M) = E K (D K (H t )) [1 b/2] K E K = K 0x 0f0f 0f MAC 44

CBC-MAC : ISO 9797-1 M Splitting M1 M2 M3 M4 1. Zero padding 2. OneAndZero 3. Text Length(1-block) Text Zero-padding H1 M1 Initial Transform H1 M2 M3 M4 Enc(K) Enc(K) Enc(K) G Output Transform H4 MAC 45

CBC-MAC : Transformation Initial Transformation D1 Enc(K) H1 D1 Enc(K) Enc(K ) H1 Output Transformation H4 G H4 Enc(K ) G H4 Dec(K ) Enc(K) G 46

Homework #4 Birthday Paradox A professor posts the grades for a class using the last four digits of the social security number of each student. Assume that the social security numbers are randomly distributed. In a class of 200 students, what is the probability that at least two students have a collision problem (the same four digits)? 47

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback