Chapter 7 Cryptographic Hashing

Cryptography-Principles and Practice
Harbin Institute of Technology
School of Computer Science and Technology

Zhijun Li
http://cst.hit.edu.cn/~lizhijun
[email protected]


Zhijun Li S1034040/Autumn08/HIT 2

Outline

• Message Authentication

• Cryptographic Hashing

• Birthday Attack

• Cryptographic Hashing Construction

• Hashing Algorithms

• Message Authentication Code


Security Goals

• Confidentiality / secrecy / privacy:
  – How to keep a message secret so that it can be read only by a chosen person
  – Use encryption

• Integrity:
  – How to determine that a string of symbols has not been changed since it was created
  – Use ?


Message Authentication

• A procedure to verify that a received message comes from the alleged source and has not been altered


Naïve Idea

• Alice encrypts the message using a key K
• Oscar does NOT know K
• BUT Oscar can modify the ciphertext
  – What does Bob get?

(Figure: Alice sends the ciphertext to Bob; Oscar sits on the channel between them.)


Message Encryption

• Using symmetric encryption:
• If M is meaningful (for example readable text), Bob can verify that Y = D_K(X) is legitimate
• But what if M is a binary file or a compressed file?


Improved Model

• Method: give the plaintext some well-formed structure
• Example: error detection code


• A hash code provides a structure for the message
• Keyed hash (MAC)
• Encrypt (Message + Hash)


Section: Cryptographic Hashing


Conventional Hashing

(Figure: a hash table with buckets 0 to 9 and the hash function H(char s[]) = (s[0] – 'a') mod 10. "neanderthal" and "dog" both land in bucket 3, "horse" lands in bucket 7.)


Definition of Hashing

• A hash function is a function h with the following two properties:
  – 1. Compression: h maps inputs of arbitrary length to outputs of a fixed length n
    • Many-to-one mapping
    • So collisions can happen
  – 2. Ease of computation: given h and an input x, h(x) is easy to compute

• Example:
  – Checksums in communication protocols


An Example Using Hashing

• Alice wants to send Bob an "I owe you" message
• Bob should be able to show the message to a judge to compel Alice to pay up

(Figure: Alice sends "I owe you" to Bob; Bob shows "I owe you" to the Judge.)


IOU Protocol

• Alice holds the key pair {KU_A, KR_A}; Bob and the Judge both know KU_A
• Alice sends Bob: M, E_KRA[H(M)]
• Bob sends the Judge: M, E_KRA[H(M)]
• Bob can verify H(M)
• Bob cannot forge a (M, E_KRA[H(M)]) pair without knowing KR_A


But If Collision Resistance Is Missing

• Suppose we use: H(char s[]) = (s[0] – 'a') mod 10
• Alice sends Bob: "I, Alice, owe Bob $2.", E_KRA[H(M)]
• Bob sends the Judge: "I, Alice, owe Bob $200000000000.", E_KRA[H(M)]
• The Judge validates E_KUA[E_KRA[H(M)]] = H("I, Alice, owe Bob $200000000000.") and makes Alice pay


For Cryptographic Hash Function

• Preimage resistant (one-wayness):
  – Given y ∈ Y, it is computationally infeasible to find a value x ∈ X such that h(x) = y

• 2nd preimage resistant (weak collision resistant):
  – Given x ∈ X, it is computationally infeasible to find a value x' ∈ X such that x' ≠ x and h(x') = h(x)

• Collision resistant (strong collision resistant):
  – It is computationally infeasible to find two distinct values x', x ∈ X such that h(x') = h(x)


Strong Collision Resistance

• Strong collision resistance ⇒ weak collision resistance
  – CollisionToSecondPreimage(h)
    { select x ∈ X; if (2ndPreimage(h, x) = x') then return (x, x') }

• Strong collision resistance ⇒ one-wayness
  – CollisionToPreimage(h)
    { select x ∈ X; y = h(x); if ((Preimage(h, y) = x') and (x ≠ x')) then return (x, x') }


CollisionToPreimage

• A Las Vegas algorithm
  – Pr[CollisionToPreimage(h) = success] = ?
  – [x] = {x' ∈ X | h(x) = h(x')}
  – C = {[x] | x ∈ X} and |C| = |Y|
  – Pr[success], assuming |X| ≥ 2|Y|:

$$\Pr[\text{success}] = \frac{1}{|X|}\sum_{x\in X}\frac{|[x]|-1}{|[x]|} = \frac{1}{|X|}\sum_{c\in C}\sum_{x\in c}\frac{|c|-1}{|c|} = \frac{1}{|X|}\sum_{c\in C}(|c|-1)$$

$$= \frac{1}{|X|}\Big(\sum_{c\in C}|c| - \sum_{c\in C}1\Big) = \frac{1}{|X|}\big(|X|-|Y|\big) \ge \frac{1}{|X|}\Big(|X|-\frac{|X|}{2}\Big) = \frac{1}{2}$$


Using Hash Functions

• Message Authentication
• Software Integrity
• Digital Signature
• One-time Passwords
• ……


Example: Digital Signature

(Figure: a digital signature.)


Example: UNIX Password

• UNIX keeps the passwords in the file /etc/passwd
• /etc/passwd can be accessed by anyone
• What is stored is not the password itself, but the result of hashing the password
  – A brute-force attacker can create a dictionary
  – To improve security, UNIX adds a random number (salt) to the password before hashing


Section: Birthday Attack


Birthday Problem

• Problem: in a group of q persons, what is the probability p of finding two different persons with the same birthday?


Solution

• The probability that q persons all have different birthdays is

$$\frac{365}{365}\cdot\frac{364}{365}\cdot\frac{363}{365}\cdots\frac{365-(q-1)}{365}$$

• $p = 1 - (1 - 1/365)(1 - 2/365)(1 - 3/365)\cdots(1 - (q-1)/365)$

• If q ≥ 23, then p > 0.5
• 23 is so small!


General Solution

• Consider M possible hash values
  – For n-bit output hashing, M = 2^n

• $p = 1 - (1 - 1/M)(1 - 2/M)\cdots(1 - (q-1)/M)$
  – For very small x, $1 - x \approx e^{-x}$
  – $e^{-x} = 1 - x + x^2/2! - x^3/3! + \cdots$

• $p \approx 1 - e^{-(1/M + 2/M + \cdots + (q-1)/M)} = 1 - e^{-q(q-1)/(2M)}$

• $q^2 - q \approx 2M\ln(1/(1-p))$
• $q \approx (2M\ln(1/(1-p)))^{1/2}$


General Solution

• For any p: $q \approx C\sqrt{M}$, where $C = \sqrt{2\ln(1/(1-p))}$

• p = 0.5: $q \approx 1.17\sqrt{M}$

• M = 365, p = 0.5: q ≈ 22.3
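An added Python example (not from the lecture) that evaluates the page's exact and approximate birthday formulas and then checks the approximation empirically on a constructed 16-bit toy hash (SHA-256 truncated, chosen so that M = 2^16 and the expected 1.17·√M ≈ 301 trials are cheap to observe).

```python
import hashlib
import math


def prob_collision(q: int, M: int) -> float:
    """Exact page formula: p = 1 - (1 - 1/M)(1 - 2/M)...(1 - (q-1)/M)."""
    no_collision = 1.0
    for i in range(1, q):
        no_collision *= 1.0 - i / M
    return 1.0 - no_collision


def birthday_q(M: int, p: float = 0.5) -> float:
    """Page approximation: q ~ sqrt(2 M ln(1/(1-p)))."""
    return math.sqrt(2.0 * M * math.log(1.0 / (1.0 - p)))


def smallest_q(M: int, p: float = 0.5) -> int:
    """Smallest group size whose exact collision probability reaches p."""
    q = 1
    while prob_collision(q, M) < p:
        q += 1
    return q


def toy_hash(data: bytes, n_bits: int) -> int:
    """Constructed n-bit hash (SHA-256 truncated to n bits) so that M = 2^n is small."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)


def inputs_until_collision(n_bits: int, seed: bytes) -> int:
    """Hash seed||counter until two inputs share a digest and return how many
    inputs were needed: the search whose cost the birthday bound predicts."""
    seen = set()
    i = 0
    while True:
        h = toy_hash(seed + i.to_bytes(4, "big"), n_bits)
        if h in seen:
            return i + 1
        seen.add(h)
        i += 1


def median_inputs(n_bits: int, runs: int) -> int:
    """Median over several seeds; expected near 1.17 * sqrt(2^n_bits)."""
    counts = sorted(inputs_until_collision(n_bits, bytes([r])) for r in range(runs))
    return counts[len(counts) // 2]


if __name__ == "__main__":
    print("M=365: exact q =", smallest_q(365), "approx q =", round(birthday_q(365), 1))
    print("16-bit hash: approx", round(birthday_q(2 ** 16)), "observed median", median_inputs(16, 21))
    print("128-bit hash: approx 2^%.1f inputs" % math.log2(birthday_q(2 ** 128)))
```

The last line is the page's point about output length: a 128-bit digest gives only about 2^64 work for a collision, which is why the output should be double the block-cipher key length.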


For Cryptographic Hashing

• For strong collision resistance:
  – The length of the hash output should be double the key length of block ciphers
  – 64 bits is too short
  – Normally 128 to 512 bits
  – SHA-256, SHA-384, SHA-512


Section: Cryptographic Hashing Construction


From Compression Function

• Construct a hash function h: {0,1}* → {0,1}^m from a compression function f: {0,1}^(m+t) → {0,1}^m

• The compression function should satisfy the properties
  – preimage resistance (one-way)
  – 2nd preimage resistance (weak collision resistance)
  – collision resistance (strong collision resistance)
  – the same properties as required of the hash function


Model for Iterated Hashing


Merkle-Damgard Construction

• A compression function f: {0,1}^(m+t+1) → {0,1}^m

• Construct a hash function h: {0,1}* → {0,1}^m


Merkle-Damgard: Example

• Compression function f: {0,1}^(128+512+1) → {0,1}^128

• Message x has 1000 bits:
  – y1 = first 512 bits of x
  – y2 = last 488 bits of x || 0^24
  – y3 = 0^480 || 32-bit binary representation of 24
  – z1 = f(0^129 || y1), z1 has 128 bits
  – z2 = f(z1 || 1 || y2)
  – z3 = f(z2 || 1 || y3)
  – z3 is the message digest


Merkle-Damgard: Example

• Suppose message x' has 488 bits and h(x) = h(x')
  – y1' = x' || 0^24
  – y2' = 0^480 || 32-bit binary representation of 24
  – z1' = f(0^129 || y1')
  – z2' = f(z1' || 1 || y2'), and z2' = h(x') = h(x) = z3

• Then f(z1' || 1 || y2') = f(z2 || 1 || y3), with y3 = y2'
  – if z1' ≠ z2, then a collision is found for f
  – if z1' = z2, then f(0^129 || y1') = f(z1 || 1 || y2), which is also a collision for f (the two inputs differ at least at bit 129: 0 versus 1)
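The padding and chaining of the two Merkle-Damgard example slides above, as an added Python example (not code from the lecture): the block split and the hash follow the page's scheme with m = 128 and t = 512, while the compression function f is a stand-in built from truncated SHA-256, an assumption because the page fixes only f's input and output widths.

```python
import hashlib

M_BITS = 128  # m: chaining value and digest length (page's example)
T_BITS = 512  # t: message bits consumed per block (page's example)


def f(inp: str) -> str:
    """Stand-in compression function f: {0,1}^(m+t+1) -> {0,1}^m.
    Assumption: SHA-256 of the bit string, truncated to m bits; the page
    does not name a concrete f."""
    assert len(inp) == M_BITS + T_BITS + 1 and set(inp) <= {"0", "1"}
    digest = hashlib.sha256(inp.encode()).digest()
    return "".join(format(b, "08b") for b in digest)[:M_BITS]


def md_blocks(x: str) -> list:
    """Split bit string x into y1, ..., y_{k+1} as on the page: full t-bit
    blocks, the last data block zero-padded with d bits, then one extra
    block 0^(t-32) || 32-bit binary representation of d."""
    blocks = [x[i:i + T_BITS] for i in range(0, len(x), T_BITS)]
    d = 0
    if blocks and len(blocks[-1]) < T_BITS:
        d = T_BITS - len(blocks[-1])
        blocks[-1] += "0" * d
    blocks.append("0" * (T_BITS - 32) + format(d, "032b"))
    return blocks


def md_hash(x: str) -> str:
    """z1 = f(0^(m+1) || y1); z_i = f(z_{i-1} || 1 || y_i); digest = z_{k+1}."""
    ys = md_blocks(x)
    z = f("0" * (M_BITS + 1) + ys[0])
    for y in ys[1:]:
        z = f(z + "1" + y)
    return z


if __name__ == "__main__":
    x = "1011" * 250  # constructed 1000-bit message, as on the slide
    for i, y in enumerate(md_blocks(x), 1):
        print(f"y{i}: {len(y)} bits, last 32 bits {y[-32:]}")
    print("digest:", md_hash(x))
    # the 488-bit message x' = last 488 bits of x reuses y2 and y3 as its y1' and y2'
    print("x' blocks equal y2,y3 of x:", md_blocks(x[512:]) == md_blocks(x)[1:])
```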


Security of Merkle-Damgard

• Theorem: If f: {0,1}^(m+t+1) → {0,1}^m is collision resistant, then the Merkle-Damgard construction h: {0,1}* → {0,1}^m is collision resistant

• Proof:
  – Idea: suppose we find x ≠ x' such that h(x) = h(x'); we show that we can then find a collision for f
  – Let y(x) = y_1 || y_2 || … || y_{k+1}
  – Let z_1, z_2, …, z_{k+1} be the intermediate results of h(x); h(x) = z_{k+1} = f(z_k || 1 || y_{k+1})
  – Let y(x') = y_1' || y_2' || … || y_{n+1}'
  – h(x) = f(z_k || 1 || y_{k+1}) = h(x') = z_{n+1}' = f(z_n' || 1 || y_{n+1}')


Security of Merkle-Damgard

• f(z_k || 1 || y_{k+1}) = f(z_n' || 1 || y_{n+1}')

• Case 1: |x| ≢ |x'| (mod t)
  – the numbers of padding bits are different
  – y_{k+1} ≠ y_{n+1}'
  – a collision has been found

• Case 2a: |x| = |x'| and k = n
  – if z_k ≠ z_k', a collision has been found
  – if z_k = z_k':
    • f(z_{k-1} || 1 || y_k) = z_k = z_k' = f(z_{k-1}' || 1 || y_k')
    • if y_k ≠ y_k', then a collision has been found
    • otherwise consider z_{k-1} and z_{k-1}' … either a collision is found, or
    • y_i = y_i' for all i, then y = y', then x = x' (contradiction)


Security of Merkle-Damgard

• f(z_k || 1 || y_{k+1}) = f(z_n' || 1 || y_{n+1}')

• Case 2b: |x| ≡ |x'| (mod t) and |x| ≠ |x'| (say k < n)
  – y_{k+1} = y_{n+1}'
  – If z_k ≠ z_n', a collision has been found
  – If z_k = z_n':
    • f(z_{k-1} || 1 || y_k) = z_k = z_n' = f(z_{n-1}' || 1 || y_n')
    • if y_k ≠ y_n', then a collision has been found
    • otherwise consider z_{k-1} and z_{n-1}' … either a collision is found, or eventually
  – f(0^{m+1} || y_1) = f(z_j' || 1 || y_{j+1}')
  – A collision has been found (the two inputs differ at bit m+1: 0 versus 1)


Merkle-Damgard2 Construction

• A compression function f: {0,1}^(m+1) → {0,1}^m

• Construct a hash function h: {0,1}* → {0,1}^m

  Define the bit encoding f: f(0) = 0; f(1) = 01
  n = |x|
  y = 11 || f(x_1) || f(x_2) || … || f(x_n)
  y = y_1 || y_2 || … || y_k   (one bit each)
  g_1 = compress(0^m || y_1)
  for i = 1 to k-1
      g_{i+1} = compress(g_i || y_{i+1})
  return g_k


Security of Merkle-Damgard2

• Suppose x ≠ x' such that h(x) = h(x')

• y(x) = y_1 y_2 … y_k; y(x') = y_1' y_2' … y_l'

• f(g_k || y_k) = f(g_l' || y_l')

• Case 1: k = l
  – either a collision is found, or y = y' (so x = x', contradiction)

• Case 2: k ≠ l (say l > k)
  – either a collision is found, or
  – y_k = y_l'; y_{k-1} = y_{l-1}'; …; y_1 = y_{l-k+1}'
  – but f(0) = 0, f(1) = 01 never produce two consecutive 1s, while y_1 y_2 = 11 … (contradiction)


Section: Hashing Algorithms


Structure of Hash Algorithms

(Figure: the iterated structure. Message blocks Y_0, Y_1, …, Y_{L-1} of b bits each are fed one after another into the compression function f together with the n-bit chaining value CV_0 = IV, CV_1, …, CV_{L-1}, giving CV_L.)

IV = initial vector; CV = chaining vector; Y_i = the i-th message block; f = compression function; n = hash value length; b = block length

CV_0 = IV = initial n-bit value
CV_i = f(CV_{i-1}, Y_{i-1}) (1 ≤ i ≤ L)
H(M) = CV_L


MD5 Overview

(Figure: the message of K bits is padded with 100…0 (1 to 512 bits) followed by the 64-bit length of the message (K mod 2^64), giving L × 512 bits = N × 32-bit words. The 512-bit blocks Y_0, Y_1, …, Y_q, …, Y_{L-1} are processed in turn by H_MD5, starting from the IV and chaining the 128-bit values CV_1, …, CV_q, …, CV_{L-1} to the 128-bit digest.)


MD5 Details

• Step 1) Pad the message with a 1 bit followed by enough 0 bits so that its length ≡ 448 (mod 512)

• Step 2) Append the original message length

• Step 3) Initialize a 4-word (128-bit) buffer (A, B, C, D): A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476

• Step 4) The message is processed in 512-bit data blocks (Y_0, Y_1, …, Y_{L-1}), each with 4 rounds of 16 steps


H_MD5: 4 Rounds

(Figure: one application of H_MD5 takes the 128-bit chaining value CV_q and the 512-bit block Y_q, runs four rounds of 16 steps each on the buffer (A, B, C, D), and adds the result word by word to CV_q to give CV_{q+1}. Round 1 uses F, T[1…16], X[i]; round 2 uses G, T[17…32], X[2i]; round 3 uses H, T[33…48], X[3i]; round 4 uses I, T[49…64], X[4i]. + is addition mod 2^32.)


MD5 Compression Function

(Figure: one step on the buffer (A, B, C, D). The nonlinear function g is applied to b, c, d; its output, a, the message word X[k] and the constant T[i] are added mod 2^32; the sum is rotated left by s bits (CLS_s) and added to b. The result becomes the new b, and the other words shift position.)


MD5 Compression Function

• Each round has 16 steps of the form

  a ← b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)

  – a, b, c, d = the 4 words of the buffer
  – g = a different nonlinear function in each round (F, G, H, I):
    F(X,Y,Z) = (X ∧ Y) ∨ ((¬X) ∧ Z)
    G(X,Y,Z) = (X ∧ Z) ∨ (Y ∧ (¬Z))
    H(X,Y,Z) = X ⊕ Y ⊕ Z
    I(X,Y,Z) = Y ⊕ (X ∨ (¬Z))
  – X[k] = the k-th word in the q-th 512-bit data block
  – T[i] = the i-th 32-bit word in the T table, T[i] = ⌊2^32 · abs(sin(i))⌋
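An added Python example (not the lecture's code): MD5 written directly from steps 1 to 4 and the step formula above, checked against hashlib. The per-round order of the message words X[k] and the rotation amounts s follow RFC 1321, which the page does not spell out; the T table is computed from the page's sine formula.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# T table from the page's formula: T[i] = floor(2^32 * |sin(i)|), i = 1..64
T = [int((1 << 32) * abs(math.sin(i))) & MASK for i in range(1, 65)]
# rotation amounts s for the 64 steps, four values repeated within each round (RFC 1321)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


# the four nonlinear functions g, one per round, exactly as written on the slide
def F(x, y, z): return ((x & y) | (~x & z)) & MASK
def G(x, y, z): return ((x & z) | (y & ~z)) & MASK
def H(x, y, z): return (x ^ y ^ z) & MASK
def I(x, y, z): return (y ^ (x | ~z)) & MASK


def rotl(v, s):
    """Circular left shift of a 32-bit word by s bits (the <<< s above)."""
    return ((v << s) | (v >> (32 - s))) & MASK


def pad(msg: bytes) -> bytes:
    """Steps 1-2: append a 1 bit, then 0 bits up to 448 mod 512, then the 64-bit length."""
    k_bits = len(msg) * 8
    out = msg + b"\x80"
    out += b"\x00" * ((56 - len(out) % 64) % 64)
    out += struct.pack("<Q", k_bits % (1 << 64))
    return out


def h_md5(cv, block: bytes):
    """H_MD5: 4 rounds x 16 steps of a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s),
    then the result is added word by word to the incoming chaining value."""
    X = struct.unpack("<16I", block)
    a, b, c, d = cv
    for i in range(64):
        if i < 16:
            g, k = F, i
        elif i < 32:
            g, k = G, (5 * i + 1) % 16
        elif i < 48:
            g, k = H, (3 * i + 5) % 16
        else:
            g, k = I, (7 * i) % 16
        new_b = (b + rotl((a + g(b, c, d) + X[k] + T[i]) & MASK, S[i])) & MASK
        a, b, c, d = d, new_b, b, c          # the other words shift position
    return tuple((v + w) & MASK for v, w in zip(cv, (a, b, c, d)))


def md5_hex(msg: bytes) -> str:
    cv = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # step 3: IV
    data = pad(msg)
    for off in range(0, len(data), 64):                      # step 4: 512-bit blocks
        cv = h_md5(cv, data[off:off + 64])
    return struct.pack("<4I", *cv).hex()


def matches_hashlib(msg: bytes) -> bool:
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    print(md5_hex(b"abc"), matches_hashlib(b"a" * 1000))
```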


MD5 Cryptanalysis

• Berson (1992):
  – For a single-round MD5, he finds collisions using differential cryptanalysis
  – The attack does not work for 4-round MD5

• Boer & Bosselaers (1993):
  – Found a pseudo collision (same message, two different IVs)

• Dobbertin (1996):
  – Created collisions on the MD5 compression function with a chosen IV

• Wang, Feng, Lai, Yu (2005):
  – Works on any IV
  – Easy to find multiple collisions


SHA Overview

(Figure: as for MD5, the message of K bits is padded with 100…0 (1 to 512 bits) followed by the 64-bit length of the message (K mod 2^64), giving L × 512 bits = N × 32-bit words. The 512-bit blocks Y_0, Y_1, …, Y_q, …, Y_{L-1} are processed in turn by the SHA compression function, starting from the IV and chaining CV_1, …, CV_q, …, CV_{L-1} to the 160-bit digest.)


SHA1 Details

• Step 1) As in MD5, the message is padded so that its length is a multiple of 512 bits

• Step 2) Initialize a 5-word (160-bit) buffer (A, B, C, D, E): A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0

• Step 3) The message is processed in 512-bit data blocks
  – expand the 16 words into 80 words by mixing and shifting
  – use 4 rounds of 20 operations on the message block and buffer


4 Rounds of SHA

(Figure: 4 rounds using 4 different functions, 80 steps in total, operating on five 32-bit words.)


SHA1 Compression Function

(Figure: one step of the SHA-1 compression function, taking the word W_t derived from the 512-bit input block, a fixed constant K_t, and a circular left shift of A by 5 bits.)


SHA1 Compression Function

• Each round consists of 20 steps
  – (A, B, C, D, E) ← (E + f(t,B,C,D) + (A <<< 5) + W_t + K_t, A, (B <<< 30), C, D)
  – t is the step number
  – f(t,B,C,D) is a non-linear function for the round
  – W_t is derived from the message block
  – W_t = S^1(W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3})
  – K_t is a constant value derived from the sin function
  – S^k is a circular left shift by k bits


f(t,B,C,D) in SHA1

Step            Function value                    Comment
0 ≤ t ≤ 19      (B ∧ C) ∨ ((¬B) ∧ D)              If B then C else D
20 ≤ t ≤ 39     B ⊕ C ⊕ D                         Parity bit of B, C and D
40 ≤ t ≤ 59     (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)       2 or 3 of B, C, D are true
60 ≤ t ≤ 79     B ⊕ C ⊕ D                         Parity bit of B, C and D


SHA1 Cryptanalysis

• Brute force:
  – A brute-force attack is harder (160 vs 128 bits for MD5)

• Remarks on the SHA1 operation:
  – SHA1 shuffles using rotates and XORs
  – This forms a more complex output
  – This makes finding collisions more difficult
  – SHA-1 is still secure as of today, but it may fall soon


Section: Message Authentication Code


Keyed Hashing Review: MAC


Message Authentication Code

• A MAC is a cryptographic checksum
  – Condenses a variable-length message M
  – Using a secret key K
  – To a fixed-size authenticator
  – MAC = C_K(M)


Requirements for MAC

• We cannot find M and M' with C_K(M) = C_K(M') without knowing K (forgery attack)

(Figure: a forger would have to produce M' || ??? with ??? = C_K(M').)


MAC Security

• The pair (x, z) is called a forgery if z = MAC_K(x)

• An (ε, q) forger
  – Can produce a forgery with probability ε, after making q queries

• From a cryptographic (iterative) hash function h
  – C_K(M) = h(M) with K as the IV
  – There is a (1, 1) forger


C_K(M) = h(M) with K as IV

• Is this secure?
  – Given a message x and its MAC C_K(x)
  – The adversary can construct x' and C_K(x')
  – Let pad(x) be the padding added to x
  – Let x' = x || pad(x) || w, and y' = x' || pad(x') = y_1 || … || y_r || y_{r+1} || … || y_n
  – z_{r+1} = compress(C_K(x) || y_{r+1})
  – z_{r+2} = compress(z_{r+1} || y_{r+2})
  – …
  – C_K(x') = z_n, and we need NOT know K


HMAC

• K+ is the key padded out to the input block size of the hash function

• ipad = 36 36 … 36, opad = 5C 5C … 5C (hexadecimal bytes)

• HMAC_K(M) = Hash[(K+ ⊕ opad) || Hash[(K+ ⊕ ipad) || M]]


HMAC Security

• HMAC_K(M) = Hash[(K+ ⊕ opad) || Hash[(K+ ⊕ ipad) || M]]
  – Nested MAC
  – If using SHA1, NO known practical attacks against HMAC
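The HMAC formula above, implemented as an added Python example (not the lecture's code) and compared with the standard library. The rule for keys longer than the hash block size comes from RFC 2104 and is not on the page; the verify_tag helper is an assumed receiver-side check.

```python
import hashlib
import hmac

IPAD = 0x36  # page: ipad = 36 36 ... 36
OPAD = 0x5C  # page: opad = 5C 5C ... 5C


def hmac_hex(key: bytes, msg: bytes, hash_name: str = "sha1") -> str:
    """HMAC_K(M) = Hash[(K+ xor opad) || Hash[(K+ xor ipad) || M]]."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        # RFC 2104 rule (not on the page): an over-long key is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (block_size - len(key))  # K+ : key padded to block size
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k_plus) + inner).hexdigest()


def verify_tag(key: bytes, msg: bytes, tag_hex: str, hash_name: str = "sha1") -> bool:
    """Receiver-side check; the constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(hmac_hex(key, msg, hash_name), tag_hex)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    return hmac_hex(key, msg, hash_name) == hmac.new(key, msg, hash_name).hexdigest()


if __name__ == "__main__":
    key, msg = b"key", b"The quick brown fox jumps over the lazy dog"  # constructed sample
    tag = hmac_hex(key, msg)
    print(tag, verify_tag(key, msg, tag), verify_tag(key, msg + b"!", tag))
```

Because the key enters both the inner and the outer hash, the extension trick of the previous slide no longer applies: knowing HMAC_K(M) gives the outer digest only, not an inner chaining value to continue from.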


CBC-MAC

(Figure: CBC-MAC with DES under key K. IV = 00…0; C_1 = DES_K(IV ⊕ P_1), C_2 = DES_K(C_1 ⊕ P_2), …, C_n = DES_K(C_{n-1} ⊕ P_n); C_n is the MAC.)


CBC-MAC Security

• If the block cipher is secure
• CBC-MAC is secure for messages of a fixed number of blocks
• NOT secure with variable lengths
  – Given three message/MAC pairs
  – (x1, y1), (x2, y2), (x1 || z, y3)
  – y1 = E_K[IV ⊕ x1]
  – y2 = E_K[IV ⊕ x2]
  – y3 = E_K[y1 ⊕ z] = E_K[y2 ⊕ (z ⊕ y1 ⊕ y2)]
  – Let z' = z ⊕ y1 ⊕ y2; then (x2 || z', y3) is also a valid pair


Improvement for CBC-MAC

• MAC of M:
  – z_0 = IV = 0^m
  – z_i = E_K1(z_{i-1} ⊕ M_i) for 1 ≤ i ≤ n
  – MAC = E_K1[D_K2[z_n]]

• Defends against the previous attack
• Reduces the threat of exhaustive key search


Summary

• Message Authentication

• Cryptographic Hash Functions
  – Birthday attack
  – Hashing structures

• Hash Algorithms
  – MD5
  – SHA

• MAC