Cryptographic Hash Functions and Message Authentication...
Transcript of Cryptographic Hash Functions and Message Authentication...
Cryptographic Hash Functions and Message Authentication Codes
Reading: Chapter 4 of Katz & Lindell
1
A function mapping from a domain to a smaller range (thus not injective). Applic
ations: Fast lookup (hash tables) Error detection/correctio
n
Cryptography: c
r p
y t o
Hash function•
•
Others Different applications require different
graphi
kinds
of
c hash
hash
functio
funct
s
ns
ion .•
2
* *
: , | | | |. E.g., :{0,1} {0,1} , :{0,1} ,
:{0,1} {0,1} , . In the last case, is also called a . For c
Hash f
compression func
unct
tio
ons
nr
i :
Cryptographic hash function
nn
k l
h X Y X Yh h Z
h k lh
• → >
• → →
→ >••
( )
yptographic applications, ( ) is intended to be a fingerprint or digest of . A classical application is to store as
(username, password)
username, (pa to protect the secss recy of pasword)
h mm
h•
swords. For this application, what property is required of ?h•
3
if ( ) , is a pre-image of . Each hash value typically has multiple pre-images. Collision: a pair ( , ), , s.t. ( ) ( ).
A hash function is
Pre-image:
s aid
Security requirementsh m y m y
m m m m h m h m
h
=
′ ′ ′≠ =
•••
• to be: given a hash value , it is
computationally infeasible to f Pre-image resistant:
Second pind a pre-image of .
given a message , ire-image resista t is infeasible
:
nt
yy
m
Collision resistant:to find a second pre-image of ( ).
if it is infeasible to find a collision.y h m=
4
Loosely speaking,
Collision resistant Second pre-image resistant
Pre-image resistan
cryptograpDef hicinitio hash
t
A functi is n: on
•
•
⇒
⇒
a hash function that is collision resistant.
5
In practice, a fixed hash function is used. However, there is a technical difficulty in defining
collision-resistance for a hash funcfixed t
Hard to define collision-resistant hash functionsh•
•
*
ion . Try this "definition": A hash function :{0,1} {0,1} is
if for polynomial-time algorithm ,
Pr (1 ) successfully produ
collisio
ces a co
e
l
ve
li
n-resi
sion f
rst
or (
yant
n
h n
hh
A
A h negl n
→
≤
•
*,
,
).
Problem with this definition: For , {0,1} , , let denote the algorithm that prints ( , ). Each is a polynomial-time algor
ithm.
For any , an algorithm
m m
m m
m m m m Am m Ah
′
′
′ ′
∃
•
∈ ≠
′
that outputs a collision with prob 1.6
{ } * ( )
Instead of a hash function, we define a of hash functions : , whe
singlefamily
re :{0,1} {0,1} , to be collision-resistant i
Collision-resistant hash functions
l ns n sh s I h∈ →
•
f for all polynomial-time algorithms , there exists a negligible function such that
Pr (1 ) produces a collision for : ( ).
is a set of indexes. For instance, {0,
s ns n
n n
h
Anegl
A h s I negl n
I I
← ≤
=• 1} .
( ) is a fixed polynomial. For instance, ( ) .
n
l n l n n=•
7
Pr (1 ) produces a collision
Pr (1 ) produces a collision for :
= Pr[ ]
= the probability that succeeds in producing
expecte a coll
for
d ision
Remarks
s
n
s ns n
s I
h ns
hA h s I
s
A
A h∈
← •
⋅ ∑
for a randomly picked hash function . For different hash functions , may succeed with different
probabilities. A family of hash functions is collision-resistant if for every
polynomia
s
s
hh A•
•l-time adversary , its probability of
finding a collision is nege
lxpec
igited
ble.A
8
* :{0,1} {0,1} ?
Provably collision-resistclaw-
ant hash functions can be constructed f free pairs oro f o m
How to construct a family of collision-resistanthash functions
nsh
•
→
. (Section 10.2 of Delfs & Knebl)
In practice, hash functions are constructed from compression functions
:{0,1} {0,1}
ne-way permutations
Me by a process cal rklled
n r nf +
•
→
e-Damgard's construction.
9
*
*
Construct a function :{0,1} {0,1} from a function :{0,1} {0,1} .
1. For {0,1} , add
hashcompression
padding so that the length of the padded i
Merkle-Damgard constructionn
n r n
hf
m m
+
→
→
∈
1 2
0 1
s a multiple of . padding = 10...0 | |, where | | is the original length of . 2. Let padded , where | | . 3. Let IV and ( ) for 1 .
IV is a consta
k i
i i i
rm m m
m m m m m rv v vf m i k−
= == = ≤ ≤
nt, e.g., IV 0 . 4. The hash value ( ) .
n
kh m v=
=
m1 m2 m3 mk
f f f IV v0 v1 v2 vk … f h(m)
10
If is collision-resistant, then is collision-resistant.
We will show that if is collision-resistant, then is collision resistant. Specifical
Theorem
ly, if
:
Proof.( , ) is a collis
notnot
f h
h fm m′
1 1
1 1
ion for , we will construct a collision for . Consider two cases:
In this case, , and so ( , ) ( , ). But ( , | | | |.
) ( ) ( ) ( , ), a collision fok k k k k k
k k k k
hf
m m m v m vf m v h
mm h m f m
mv
′ ′ ′− −
′ ′− −
′ ′≠ ≠′ ′ ′= = =
′≠
1 1 1 1
r .
In this case, . Since ( ) ( ), there exists an such that ( , ) ( , ) but ( , ) ( , ), which is a col
| |
lision f
| |.
or .i i i i i i i i
f
k k h m h mi m v m v f m v v
mm
mf
f− − − −
′ ′= =′ ′ ′ ′≠
′==
11
f f f IV v0 v1 n2 vk … f
f f f IV … f
0v′ 1v′ 2v′ kv ′′
( )h m
( )h m′
( )If an adversary can find a collision , for ,then she can find a collision for .
m m hf
′
12
1 2 3 (padded) km m m m m ′′ ′ ′ ′=
1 2 3 (padded) km m m m m=
We have proved: If is collision-resistant, then is collision-resistant.
Since collision-resistance was defined for a family of hash functions, the
Th
above thereom sho
eorem:
uld b
Remark
f h•
•
{ }
{ }
e read as follows.
If is a family of collision-resistant compression
functions, and is constructed from by Merkle-Damgard, then is a family of colli
si
Th
on r
eore
e
m
sis
:
t
n
n
s s I
s s
s s I
f
h fh
∈
∈
•
ant hash functions.
13
( )
( )
*
*, , ,
, , , : , primes, 2 1,
, generators of
:
( , ) m d
o
A family of compression functions (skipped)
nq
q q pp q g h
x y
p q g h p q p q q nI
g h Z
f Z Z Z
x y g h p
= + = =
× →
→
14
1
*
Minimum requirement: must be large enough for to resist the birthda
Bi
y attack.
randomly generate a set rthday attac
:{0,1} {0
of messages
,1}
k,
:
How large should be?n
n h
h
m
n
•
•
→
{ }2
Birthday prob
, , , and check if ( ) ( ) for some .
Why is it called a birthday attack?
In a group of people, what is the probability that at least two of th
lem:em have a same birth
k i jm m h m h m i j
k
= ≠
•
•
Having the same birthday is a collisd ?
.ay
ion
15
{ }
[ ]
If objects are each assigned a random value in 1, 2, ..., , the is
1 2 1
probability of a collisi
1 1 (i.e., 1 Pr no collision )
1
on
1
Birthday attack's success rate
p
k N
N N N kN N N
iN
− − − += − ⋅ ⋅ ⋅ ⋅ −
= − −
•
1 1
1
1
1// ( 1)/2
1
Birthday paradox:
(note: 1 if 0 1)
1 1 1
with 365, 1 2 for as small
1 2 if
as 23
1. 1
.
7 .
i k
kx
ik
i Ni N k k N
i
x e x
e e e
N p k
p k N
≤ ≤ −
−−
=
−−− − −
=
•
− ≤ < <
∑≥ − = − = −
• = ≥
≥ ≥
∏
∏
16
[ ] [ ]
[ ][ ] [ ] [ ]
1 2
1 2
Define Pr Pr object collides with some object . The birthday attack's success probabili
ty satisfies:
Pr
Pr Pr Pr0 1 2 1
( 1)
o
22
F r
i
k
k
C
k
i j ip
p C C CC C C
kN N N Nk k pN
N
= <
= ∨ ∨ ∨≤ + + +
−≤ + + + +
•
−⇒
•
•
≥=
* a hash function :{0,1} {0,1} ,To resist the birthday attack, should be large enough that
generating messages is practic
ally infeasible.
Currently, a minimu
2 .
2 m of 12 e8 is r c
nn
pn
N
k N
h N→
≥
•=
•
≥
50 29
ommended.For 128, it will take 2 to have a successful rate of 2 . n k p −• = ≥ =
17
64
an NIST standard. using Merkle-Damgard construction. input message is divided into blocks with padding. padding = 10...0 , where {0,1} indicates | | in
The Secure Hash Algorithm (SHA-1)
mm
•••
• ∈
64
0 15
0 4
binary. thus, message length limited to | | 2 1. block = 512 bits = 16 words = . IV a constant of 160 bits = 5 words = . resulting hash value: 160 bits. underlying compre
mW W
H H
• ≤ −•• =•
•
160 512 160ssion function :{0,1} {0,1} , a series (80 rounds) of , , , , +, and Rotate on words ' & 's.
i i
f
W s H
+ →∧ ∨ ⊕ ¬
18
160 is big enough to resist birthday attacks . There is no mathematical proof for its collision resistance. In 2004, a collision for a 58-round SHA-1 was found.
for n
Ne r
o
we
w
Is SHA-1 secure?n•
•••
=
SHA's have been included in the standard: SHA-256, SHA-384, SHA-512.These are called the SHA
-2 family
.
19
Message Authentication Code
20
Bob receives a message from Alice, he wants to know (Data origin authentication) whether the message was
really sent by Alic
e.
(Data integrity) whether t h
Message authenticationm•
e message has been modified.
Two solutions: Alice attaches a (MAC)
to the message (using a symmetric key to compute the MAC).message authenti
Or
sh
cation
e attac
code
hes
a u signat
•
to the message (using an asymmetric key to compute the signature
re).
21
( )
Message authentication protocol: 1. Alice and Bob share a secret key . 2. To send a message , Alice computes a tag : ( ) and sends , to Bob.
3. On receiv
Basic idea of MAC
k
km t MAC m
m t
•
=
( )ing , , Bob checks whether ( ). If so, he accepts the message; otherwise, she dis
message authenticat
cards
ion co
it.
The ta de (MAg is called a . Security requirement: compu
C)t
km t t MAC m
t
′ ′ ′ ′=
•• ationally infeasible to forge a valid pair ( , ( )) without knowing the key . kx MAC x k
22
A MAC scheme is a triple ( , , ):Key generation algorithm : On input 1 , (1
) outputs a key {0,1} .
Tag generation algorithm : On input a key and a mes
sa
MAC Scheme
n n
n
G MAC VG G
kMAC k
•
←
( ) *
ge , outputs a tag . We write ( ).
( is the message space. Assume {0,1} or {0,1} .)Verification algorithm : On input a key , a message , and
a t
kl n
m M MAC t t MAC mM M M
V k m
∈ ←
= =
ag , algorithm outputs 1 (accepting as authentic) or 0 (not accepting).
, are probabilistic algorithms. is deterministic. Correctness requirement: for each
and
,
t V m
G MAC Vk K m M∈ ∈•
( ) , ( ) 1.k kV m MAC m =23
1. A key (1
We will consider the following type of attacks on M
) is generated.2. The adversary, say Eve, is given input 1 and oracle access
AC
to .
s.
She
Chosen-Message Attacks on MAC Schemes
n
nk
k GMAC
←
may ask the oracle to compute tags for messages of her choice. Let be the set of all queries Eve has made to the oracle.3. Eve finally generates a pair ( , ), with . (Eve tries to fo
Qm t m Q∉
rge a valid pair of message and tag. She succeeds if ( , ) 1.)
Remarks: Adversary: an adaptive chosen-message attacker. Forger exis
y: an forgery.tential
kV m t
•
=
24
Definition: A MAC scheme ( , , ) is existentially unforgeable under an adaptive chosen-message attack (or simply
MAC security: existential unforgeability under an adaptive chosen-message attack
G MAC V
( )( )
) if for allpolynomial-time adversaries , there exists a negligible function such that
Pr 1 1: {0,1} ( )
Note: produces a pair ( , ), wit
secure
h .
k n nk G
MAC
A negl
V A k negl n
A m t m Q
= ← ≤
∉
25
*
A general MAC scheme can handle messages of any length, i.e., {0,1} .
The job of constructing a secure MAC scheme would be easier if all inp
u m
t
Constructing secure length-restricted MAC
M•
=
•
( )
essages are restricted to a fixed length, say ( ). A MAC scheme with {0,1} is said to be an ( )-restricted
( )-restricted
MAC scheme. A secure MAC scheme can be construc
ted from an
l n
l nM l n
l n
=•
• ( )-bit pseudorandom function. Just let , where is an ( )-bit pseudorandom
( ) :
function with key .) (k kkMA
l nC m f m f l n
k=•
26
{ }( ) ( ) More precisely, let :{0,1} {0,1} | {0,1}
be a family of pseudorandom functions.
Construct an ( )-bit MAC scheme ( , , ) as follow
s: Key
generation: On inp ut 1
l n l n nn k n N
n
F f k
l n G MAC V
∈= → ∈
Π =
•
•
( )
, (1 ) outputs a random key {0,1} .
Tag generation: For key {0,1} and message {0,1} , let : ( ) : ( ).
Verification: On input ( , ),
let ( , ) :
n
nu
n l n
k k
k
Gk
k mt MAC m f m
m t V m t
←
∈ ∈= =
Theorem:
1 if (
Such
) 0 otherw
a MAC sch eme is secu
s
.
e
re
ikf m t
•
==
27
*
*
A general MAC scheme with {0,1} can be constructed using the paradim. To compute a tag for {0,1} ,
We first hash ha
to a bsh-then-authenti
cat
e
Hash-then-Authenticate: basic idea
Mt m
m
• =
∈
( )
hash *
lock {0,1} , using a collision-resistant hash function.
Then compute a tag from , using a secure ( )-bit length-restricted MAC scheme.
{0,1}
s
l n
h
m
t m l n
m
∈
∈ →
( )-bit MAC( )( )-bit {0,1}
k
l nl nl n fm t ∈ →
28
{ }
* ( )
Let : {0,1} be a family a hash
functions, where :{0,1} {0,1} .
Let ( , , ) be a ( )-bit restric
collisi
ted
on-resistant
secur e M C
A
Hash-then-Authenticate: Formal Definitionn
s n Nl n
s
h s
h
G MAC V l n
∈∈•
→
• Π =
( ) scheme with {0,1} . Construct a general MAC scheme ( , , ) as follows:
Key generation algorithm : On input 1 , (1 ) outputs a a hash key {0,1} and a MAC key
{
l n
n n
nu G
MG MAC V
G Gs k
=Π =•
← ←
( )*,
*
0,1} . Tag generation algorithm : On input key ( , ) and message
{0,1} , Let ( ) : ( ) .
Verification algorithm : On input key ( , ), message {0,1} ,
n
ks k s
MAC s k
m MAC m MAC h m
V s k m
∈ =
∈
( ) ( ), and tag , let , : ( ), .ks k st V m t V h m t=29
{ }
Theorem: If : {0,1} is collision-resistant and
( , , ) is secure, then the MAC scheme ( , , ) as constructed above is secure (i.e existenti
Hash-then-Authenticate: Security
ns n N
h s
G MAC VG MAC V
∈∈
Π =Π =
•
ally unforgeable under an adaptive chosen-message attack).
Remarks: The MAC scheme is secure, even if the hash key is known to the adversary.
The MAC key must be kept
s
k
Π•
hash ( )-bit MAC* ( )( )-bit {0,1} {0,1}
secret
.
s
k
hf
l nl nl nm m t∈ → ∈ →
30
hash function In the hash-then-authentic paradim, we need a collision-resistant
a . In practice, people like
pseudoran
to use ju
d
st a hash function
and om
or
func
ju
ti n
o
st a
MACs in practice
•
•pseudorandom function:
HMAC (hash-based MAC) CBC-MAC (pseudorandom function based MAC)
31
*
We wish to using a hash function, say :{0,1} {0,1} , which is constructed from a compression functio
ha
n
sh t
hen aut
:
hentica
{0,1} {0,1} by Merkel-Damgard. R
te
HMAC: basic idea (1)
n
n r n
hf + →
•
•
→
{ }
ecall that involves an IV (initialization vector). Using different IVs will result in different hash functions.
Let denote the hash function with IV .
Intuitively, : {0,1} is a fas
ns
h
h s
H h s
=
= ∈
•
•
{ }
mily of hash functions.
Meanwhile, is viewed as a family of pseudorandom functions
: {0,1}
where :{0,1} {0,1} , with ( ) ( ).
ns
r ns s
f
F f s
f f x f s x
•
= ∈
→ =
32
( )1 2 1
Hash H
1
ash*
2
HMAC is based on the idea:
{0,1} ( ) : ( ) padding
Note: two different keys are used as IV: and , each of length .
Unfortun
HMAC: basic idea (2)
s s s
s s n
m h m t f h m
•
•
•
∈ → → =
0
ately, a standard hash function (e.g., SHA-1) usually has a IV, say , which you cannot fi chax ee .d ngIV
m1 m2 m3 mk
f f f … f h(m) || padding
f 2s1s
tag 33
2s
1s
m1 m2 m3 mk
f f f … f h(m)||padding
f
2k
1k
f
f
IV0
IV0
( )1 2
Hash Has1
h*1 2
Then we have HMAC with keys ( , ) :
{0,1} ( ) : ( )
k km h mk k kt h h m∈ → → =
•
tag
34
( )1 2 1
1
2
Hash Hash*
1
2
{0,1} ( ) : ( )
So, we prepend an to with the output of .
Similarly, prepend an to with the output of .
Sp
HMAC: basic idea (3)
s s s
s
s
m h m t f h m
f h s f
f f s f
•
•
∈ → →
•
=
=
=
1 0 1
2 0 2
1 2
1 2
ecifically, we randomly choose , {0,1} , and let Then we have HMAC with keys
: ( , )
( , ) :
{0,1
: ( , )
rk ks f IV ks f IV k
k km
∈
∈
•
==
( )Hash Hash1 2 1
*} ( ) : ( )k k kh m t h h m→ → =
35
( )out in
in out
A FIPS standard for constructing MAC from a hash function . Conceptually, HMAC ( ) ( ) where and are two keys generated from . Various hash funct
HMAC
k m k k mk k k
hh h
•
=
•
( )
ions (e.g., SHA-1, MD5) may be used for . If we use , then HMAC is as follows:
SHA-1
HMAC ( ) ( ) where
is padded with 0's to
SHA
512 bit
-1
s36
SHA-1k
h
m k opad k ipad m
kipad
•
= ⊕ ⊕
=
36 36 (x036 repeated 64 times)
5c5c 5c (x05c repeated 64 times)opad =
36
Loosely speaking, HMAC is secure if the underlying compression function is collision-resistant (and hence the hash function is collision-resitant) and beha
Security of HMAC
fh
f
•
ves like a pseudorandom function.
37
The following constructions a
re n .
( ) : ( )
( ) : ( ) with
ot secure
IV
Insecure construction of MAC from a hash
k
k
MAC m h k m
MAC m h m k
•
=
= =
38
m = m1 m2 m3 ms
f f f IV … f h(m) k X X hk(m)
f hk(m) hk(m||ms+1)
ms+1
1
( ) ( ) with IV . (For simplicity, without
Insecure:
Easy to forge: ( , ( )),
p
add
where
ing)
k
s
k
m
M
h m
AC m h
m m
m k
m +
•
′′ =
=
•′
=
39
( )1 2
1
in CBC*hash MAC
A FIPS and ISO standard. Use a pseudorandom in CBC mode with a fixed public IV.
{0,1}
In practice, block ciphers (ps
function
eudoran
CBC-MAC
k kf fkm E m t
••
∈ → →
• dom ) are used, and IV 0 . Called DES CBC-MAC if the pseudorandom function is DES. Let :{0,1} {0,1} {0,1} be a block cipher.
block length
permutation
key length. Ther
s
n
n r nEnr
=•
• × →==
•
e are several variants of CBC-MAC.
40
1 2
1 2
Divide the input message into blocks: , where .
Generate two keys from the main key : : (1) and
: (2)
The ,
n
One variant of CBC-MAC
s i
k k
mm m m m m n
kk E k E
•
= =
•= =
•
( )( )2 1
1
2
0
1
*
CBC-MAC ( ) : CBC- . That is,
IV (typically 0 ); for 1 to do ( );
tag : ( )
Hash-then-authenticate:
{0,1} k
k k k
n
i k i i
k s
E
m E E m
ci s c E c m
E c
m
−
=
←← ← ⊕
=
•
∈ ( )1 2
1
in CBChash MAC kE
kE m t→ →41
{ }* CBC-MAC is secure if : {0,1} is a family of
pseudorandom functions (or permutations).
Security of CBC-MAC
k uE k• ←
42