Cryptography and Network Security Chapter 11
31
Cryptography and Cryptography and Network Security Network Security Chapter 11 Chapter 11 Fifth Edition Fifth Edition by William Stallings by William Stallings Lecture slides by Lawrie Lecture slides by Lawrie Brown Brown
description
Cryptography and Network Security Chapter 11. Fifth Edition by William Stallings Lecture slides by Lawrie Brown. Chapter 11 – Cryptographic Hash Functions. - PowerPoint PPT Presentation
Transcript of Cryptography and Network Security Chapter 11
Cryptography and Cryptography and Network SecurityNetwork Security
Chapter 11Chapter 11
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Lecture slides by Lawrie BrownLecture slides by Lawrie Brown
Chapter 11 – Cryptographic Chapter 11 – Cryptographic Hash FunctionsHash Functions
Each of the messages, like each one he had ever Each of the messages, like each one he had ever read of Stern's commands, began with a number read of Stern's commands, began with a number and ended with a number or row of numbers. No and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was had been able to break Stern's code, nor was there any clue as to what the preliminary number there any clue as to what the preliminary number and those ultimate numbers signified.and those ultimate numbers signified.——Talking to Strange Men, Talking to Strange Men, Ruth RendellRuth Rendell
Hash FunctionsHash Functions
condenses arbitrary message to fixed sizecondenses arbitrary message to fixed sizeh = H(M)h = H(M)
usually assume hash function is publicusually assume hash function is public hash used to detect changes to messagehash used to detect changes to message want a cryptographic hash functionwant a cryptographic hash function
computationally infeasible to find data mapping computationally infeasible to find data mapping to specific hash (one-way property)to specific hash (one-way property)
computationally infeasible to find two data to computationally infeasible to find two data to same hash (collision-free property)same hash (collision-free property)
Cryptographic Hash FunctionCryptographic Hash Function
Hash Function UsesHash Function Uses Message Integrity Check (MIC)Message Integrity Check (MIC)
send hash of message (digest)send hash of message (digest) MIC always encrypted, message optionallyMIC always encrypted, message optionally
Message Authentication Code (MAC)Message Authentication Code (MAC) send keyed hash of message send keyed hash of message MAC, message optionally encryptedMAC, message optionally encrypted
Digital Signature (non-repudiation)Digital Signature (non-repudiation) Encrypt hash with private (signing) keyEncrypt hash with private (signing) key Verify with public (verification) keyVerify with public (verification) key
Hash Functions & Message Hash Functions & Message AuthenticationAuthentication
Symmetric KeyUnkeyed Hash
a) Messageencrypted
b) Message unencrypted
Hash Functions & Message Hash Functions & Message AuthenticationAuthentication
Symmetric Key Keyed Hash
a) Message unencrypted
d) Message encrypted
Hash Functions & Digital Hash Functions & Digital Signatures - PKCSSignatures - PKCS
Other Hash Function UsesOther Hash Function Uses pseudorandom function (PRF) pseudorandom function (PRF)
Generate session keys, noncesGenerate session keys, nonces Produce key from passwordProduce key from password Derive keys from master key cooperativelyDerive keys from master key cooperatively
pseudorandom number generator pseudorandom number generator (PRNG)(PRNG) Vernam Cipher/OTPVernam Cipher/OTP S/Key, proof of “what you have” via messagesS/Key, proof of “what you have” via messages
More Hash Function UsesMore Hash Function Uses to create a one-way password fileto create a one-way password file
store hash of password not actual store hash of password not actual passwordpassword e.g., Unix, Windows NT, etc.e.g., Unix, Windows NT, etc. salt to deter precomputation attackssalt to deter precomputation attacks Rainbow tablesRainbow tables
for intrusion detection and virus detectionfor intrusion detection and virus detection keep & check hash of files on systemkeep & check hash of files on system e.g., Tripwiree.g., Tripwire
Lamport One-time PasswordsLamport One-time Passwords Password safety in distributed systemPassword safety in distributed system
server compromise does not compromise Pserver compromise does not compromise P interception of authentication exchange does interception of authentication exchange does
not compromise password eithernot compromise password either
Alice picks Password PAlice picks Password PAA
Hashes password N times, HHashes password N times, HNN(P(PAA))
Server stores (Alice, N, HServer stores (Alice, N, HNN(P(PAA))))
Attacker can’t get PAttacker can’t get PAA from H from HNN(P(PAA))
Lamport One-time PasswordsLamport One-time Passwords ProtocolProtocol
Alice sends “I’m Alice”Alice sends “I’m Alice” Server sends “N-1”Server sends “N-1” Alice sends “X” where X=HAlice sends “X” where X=HN-1N-1(P(PAA))
Server verifies H(X) = HServer verifies H(X) = HNN(P(PAA)) Server updates to (Alice, N-1, X)Server updates to (Alice, N-1, X)
Attacker still can’t get PAttacker still can’t get PA A or or
authenticate as Aliceauthenticate as Alice
Two Simple Insecure Hash Two Simple Insecure Hash FunctionsFunctions
consider two simple insecure hash functionsconsider two simple insecure hash functions bit-by-bit exclusive-OR (XOR) of every blockbit-by-bit exclusive-OR (XOR) of every block
CCii = b = bi1i1 xor b xor bi2i2 xor . . . xor b xor . . . xor b imim a longitudinal redundancy checka longitudinal redundancy check reasonably effective as data integrity checkreasonably effective as data integrity check
one-bit circular shift on hash valueone-bit circular shift on hash value for each successive for each successive n-bit n-bit blockblock
• rotate current hash value to left by1bit and XOR blockrotate current hash value to left by1bit and XOR block good for data integrity but useless for securitygood for data integrity but useless for security
Hash Function RequirementsHash Function Requirements
Attacks on Hash FunctionsAttacks on Hash Functions
have brute-force attacks and cryptanalysishave brute-force attacks and cryptanalysis a preimage or second preimage attacka preimage or second preimage attack
find find yy s.t. s.t. H(y) H(y) equals a given hash value equals a given hash value collision resistancecollision resistance
find two messages find two messages xx & & yy with same hash so with same hash so H(x) = H(y)H(x) = H(y)
hence value 2hence value 2m/2 m/2 determines strength of determines strength of hash code against brute-force attackshash code against brute-force attacks 128-bits inadequate, 160-bits suspect128-bits inadequate, 160-bits suspect
Birthday AttacksBirthday Attacks
might think a 64-bit hash is securemight think a 64-bit hash is secure but by but by Birthday ParadoxBirthday Paradox is not is not birthday attack birthday attack works thus:works thus:
given user prepared to sign a valid message xgiven user prepared to sign a valid message x opponent generates 2opponent generates 2
mm//22 variations x’ of x, all with variations x’ of x, all with essentially the same meaning, and saves themessentially the same meaning, and saves them
opponent generates 2opponent generates 2mm//22 variations y’ of a desired variations y’ of a desired
fraudulent message yfraudulent message y two sets of messages are compared to find pair with two sets of messages are compared to find pair with
same hash (probability > 0.5 by birthday paradox)same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the have user sign the valid message, then substitute the
forgery which will have a valid signatureforgery which will have a valid signature conclusion is that need to use larger MAC/hashconclusion is that need to use larger MAC/hash
Birthday AttacksBirthday Attacks
y y’y’11 y’y’22 … y’y’jj … y’y’NNxx ≠ ≠ ≠ ≠ ≠
x’x’11 ≠ ≠ ≠ ≠ ≠
x’x’22 ≠ ≠ ≠ ≠ ≠
…
x’x’ii ≠ ≠ ≠ = ≠
…
x’x’NN ≠ ≠ ≠ ≠ ≠
Find i and j such thatH(y’j)=H(x’i)
Table takes O(N2) time
Faster …
Sorted lists take O(NlogN) time
Birthday AttacksBirthday Attacks
What are chances we get a match?What are chances we get a match? N distinct values, k randomly chosen onesN distinct values, k randomly chosen ones
P(N,i) = prob(i randomly selected values from P(N,i) = prob(i randomly selected values from 1..N have at least one match)1..N have at least one match)
P(N,2) = 1/NP(N,2) = 1/N P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)
For P(N,k)>0.5, need k For P(N,k)>0.5, need k ≈≈ N N1/2 1/2 Need double # bits in hash value Need double # bits in hash value
Hash Function CryptanalysisHash Function Cryptanalysis cryptanalytic attacks exploit some property cryptanalytic attacks exploit some property
of alg so faster than exhaustive searchof alg so faster than exhaustive search hash functions use iterative structurehash functions use iterative structure
process message in blocks (incl length)process message in blocks (incl length) attacks focus on collisions in function fattacks focus on collisions in function f
Block Ciphers as Hash Block Ciphers as Hash FunctionsFunctions
can use block ciphers as hash functionscan use block ciphers as hash functions using Husing H00=0 and zero-pad of final block=0 and zero-pad of final block
compute: Hcompute: Hii = E = EMMii [H [Hi-1i-1]]
and use final block as the hash valueand use final block as the hash value similar to CBC but without a keysimilar to CBC but without a key
resulting hash is too small (64-bit)resulting hash is too small (64-bit) both due to direct birthday attackboth due to direct birthday attack and to “meet-in-the-middle” attackand to “meet-in-the-middle” attack
other variants also susceptible to attackother variants also susceptible to attack
Block Ciphers as Hash Block Ciphers as Hash FunctionsFunctions
EM1
H0
EM2
EML
HL
Block cipher key length B
Pad Message M to multiple of B
Break padded M into L blocks
L = |M|/B
M = M1 M2 … ML
Use blocks of M as keys in block
cipher, iteratively encrypt state value
starting with constant H0 resulting in
hash value
H = HL = E(ML,….E(M2,E(M1,H0))…)
Secure Hash AlgorithmSecure Hash Algorithm
SHA originally designed by NIST & NSA in 1993SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1was revised in 1995 as SHA-1 US standard for use with DSA signature scheme US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences based on design of MD4 with key differences produces 160-bit hash values produces 160-bit hash values 2005 results on security of SHA-1 raised 2005 results on security of SHA-1 raised
concerns on its use in future applicationsconcerns on its use in future applications
Revised Secure Hash Revised Secure Hash StandardStandard
NIST issued revision FIPS 180-2 in 2002NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512SHA-256, SHA-384, SHA-512 designed for compatibility with increased designed for compatibility with increased
security provided by the AES ciphersecurity provided by the AES cipher structure & detail is similar to SHA-1structure & detail is similar to SHA-1 hence analysis should be similarhence analysis should be similar but security levels are rather higherbut security levels are rather higher
SHA VersionsSHA Versions
SHA-512 OverviewSHA-512 Overview
SHA-512 Compression SHA-512 Compression FunctionFunction
heart of the algorithmheart of the algorithm processing message in 1024-bit blocksprocessing message in 1024-bit blocks consists of 80 roundsconsists of 80 rounds
updating a 512-bit buffer updating a 512-bit buffer using a 64-bit value Wt derived from the using a 64-bit value Wt derived from the
current message blockcurrent message block and a round constant based on cube root of and a round constant based on cube root of
first 80 prime numbersfirst 80 prime numbers
SHA-512 Round FunctionSHA-512 Round Function
SHA-512 SHA-512 Round FunctionRound Function
SHA-3SHA-3
SHA-1 not yet "broken”SHA-1 not yet "broken” but similar to broken MD5 & SHA-0but similar to broken MD5 & SHA-0 so considered insecureso considered insecure
SHA-2 (esp. SHA-512) seems secureSHA-2 (esp. SHA-512) seems secure shares same structure and mathematical shares same structure and mathematical
operations as predecessors so have concernoperations as predecessors so have concern NIST announced in 2007 a competition for NIST announced in 2007 a competition for
the SHA-3 next gen NIST hash functionthe SHA-3 next gen NIST hash function Keccak winner Oct 2012 – std in Q2,2014Keccak winner Oct 2012 – std in Q2,2014
SHA-3 RequirementsSHA-3 Requirements
replace SHA-2 with SHA-3 in any usereplace SHA-2 with SHA-3 in any use so use same hash sizesso use same hash sizes
preserve the online nature of SHA-2preserve the online nature of SHA-2 so must process small blocks (512 / 1024 bits)so must process small blocks (512 / 1024 bits)
evaluation criteriaevaluation criteria security close to theoretical max for hash sizessecurity close to theoretical max for hash sizes cost in time & memory cost in time & memory characteristics: such as flexibility & simplicitycharacteristics: such as flexibility & simplicity
SummarySummary
have considered:have considered: hash functionshash functions
• uses, requirements, securityuses, requirements, security hash functions based on block ciphershash functions based on block ciphers SHA-1, SHA-2, SHA-3SHA-1, SHA-2, SHA-3
