Hashing
27
Hashing Sandy Kutin CSPP 532 7/10/01
description
Hashing. Sandy Kutin CSPP 532 7/10/01. Cryptographic Protocols. What is a cryptographic protocol? Example: Alice sends Bob a message M 1. Alice generates a secret key K 2. Alice computes C 1 = E p B (K) 3. Alice computes C 2 = E s K (M) 4. Alice sends Bob C 1 , C 2 - PowerPoint PPT Presentation
Transcript of Hashing
Hashing
Sandy KutinCSPP 5327/10/01
Cryptographic ProtocolsWhat is a cryptographic protocol?Example: Alice sends Bob a message M
1. Alice generates a secret key K 2. Alice computes C1 = Ep
B(K) 3. Alice computes C2 = Es
K(M) 4. Alice sends Bob C1, C2
5. Bob computes K = Dpb(C1)
6. Bob computes M = DsK(C2)
Ep, Dp public-key; Es, Ds symmetric. Why?
A sample protocol1. Alice generates K2. Alice: C1 = Ep
B(K)
3. Alice: C2 = EsK(M)
4. Alice sends Bob C1,C2
5. Bob: K = Dpb(C1)
6. Bob: M = DsK(C2)
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Cryptographic PrimitivesHow do we pick K?
(pseudo-random number generator)
What are Ep, Dp? (e.g., RSA)
What are Es, Ds? (e.g., DES or AES, ECB or CBC mode)
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
ImplementationWhere does Alice
store K?How does Alice
acquire Bob’s B?How is the message
sent?Where does Bob
store K, b, M?
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Overall PlanBefore the break: mathAfter the break:
Primitives Protocols Implementation issues Specific products
Old School: AuthenticConfidentiality: Eve
can’t recover MAuthentication: only
Alice, Bob know K, so Bob knows Alice sent M
Someone could tamper with order; solve this with time stamps and sequencing info
Alice:
Bob:
M Es C
K
C Ds M
K
Alice and Bob sharea secret key K
New Wave: Not AuthenticConfidentiality: Eve
can’t recover MNo authentication:
how does Bob know who sent the message?
Same problems of tampering with order
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Solution #1: E(D(M))Alice “signs” message
with her private keyBob “decrypts” S with
Alice’s public keyOnly Alice could have
signed MCommunication is
authenticatedToo slow
Alice:
Bob:
K Ep C1
B
M Dp S
a
S Ep M
A
C2 Ds
K
S Es C2
K
Solution #2: D(E(M))Alice signs encrypted
messageBob recovers MOnly Alice could have
sent the messageCommunication is
authenticatedToo slowBetter? Worse?
Alice:
Bob:
K Ep C1
B
M Es C2
K
C2 Ds M
K
S Ep
A
C2 Dp S
a
RepudiationAuthentication: can Bob prove to himself
that Alice sent the message?Non-repudiation: can Bob prove, in court,
that Alice sent the message?In military applications, not really relevantIn e-commerce: essential“Digital signature”
DES, I rebuke theeClassical Crypto: Bob
wants to prove M came from Alice
Bob would have to reveal K
Even that isn’t good enough; Bob could’ve encrypted M himself
No defense against repudiation
Alice:
Bob:
M Es C
K
C Ds M
K
Alice and Bob sharea secret key K
Repudiation: E(D(M))Bob can produce M
and S in courtAnyone can verify that
M = EpA(S)
Only Alice could have created S
Hence, Alice must have sent M
Success!
Alice:
Bob:
K Ep C1
B
M Dp S
a
S Ep M
A
C2 Ds
K
S Es C2
K
Repudiation: D(E(M))Bob can produce M, C2, and
S in courtJudge can verify that Alice
signed C2
To prove connection between C2 and M, Bob must reveal K
Even that might not be good enough
Lesson: design matters
Alice:
Bob:
K Ep C1
B
M Es C2
K
C2 Ds M
K
S Ep
A
C2 Dp S
a
A general protocolE(D(M)) defends against repudiationIt’s too slow to be usefulAnother problem: Bob always needs to convert S
to M. Maybe he doesn’t always want to authenticate.
Solution: Alice appends “signature” to M, encrypts, sends to Bob.
Should be something Alice can do, others can verify. E.g.: Dp
a(M)
Digital Signature Schemess(M) is a digital signature if only Alice can
compute it, anyone else can verify itUsed for communicationAlso, data integrity: compute signature every
night, see if it matchesDp
a(M) would work, but it’s too slow, and too bigSolution: Dp
a(H(M)), where H is a hash function
Hash functionsWhat makes H a hash function?
Takes any size input Produces fixed-size output H(M) is easy to compute Given h, it is hard to solve H(M) = h for M Given N, it is hard to solve H(M) = H(N) for M
(weak collision resistance) It is hard to find M, N such that H(M) = H(N)
(strong collision resistance)
Hashing: Non-repudiationSay Bob takes Alice to court; he produces M
and S = Dpa(H(M))
Judge checks that EpA(S) = H(M), confirms
that Alice sent (someone) a message hashing to H(M)
Alice says: “Bob must have found a message M to match something I signed”
Weak collision resistance: She’s lying
Strong Collision ResistanceWhy require solving H(M) = H(N) to be hard?Say Alice can find M, N so H(M) = H(N)She sends Bob M, signs itWhen Bob takes Alice to court, she claims
“No, I didn’t sign M, I signed N”Repudiation would be possibleSolution: strong collision resistance
Hashing: Secretary AttackRelated problem: Secretary constructs
messages M, N where H(M) = H(N)M is the annual report, N says “Give my
secretary a raise”Alice computes S = Dp
a(H(M)), tells secretary to send out M and S
Secretary substitutes N insteadNeed strong collision resistance
How many bits of security?Let H be a secure hash with n-bit outputSolving “H(M) = h” for M should take 2n triesGiven N, “H(M) = H(N)” should be the same: just
try 2n possible values of MWhat about finding M, N with H(M) = H(N)?If we just pick pairs at random, it’s 2n
But, we can get it down to 2n/2
e.g., for a 128-bit hash; only 264
Happy BirthdayHow do we do this? “Birthday Attack”Make a list of 2n/2 possible M’s (e.g., vary
spacing), sort by value of HTry roughly 2n/2 possible N’s, look for H(N)Given Mi, Nj, chance H(Mi) = H(Nj) is 1/2n
2n/2 Mi’s, 2n/2 Nj’s, so 2n/2 2n/2 = 2n pairsSo, odds are good there’s one pairIf there is a pair, finding it is fast
They say it’s your birthdayWhy is this called the “birthday attack”?Among 23 people, chances of two with the same
birthday are > 50%Why? (23 22)/2 = 253 pairs of peopleEach has probability roughly 1/365There’s a good chance some pair matchesOther factors only increase the odds“Birthday Paradox”
Hash, Paper, ScissorsAn example of the power of a secure hashAlice, Bob want to play rock, paper, scissors
Alice constructs M indicating her choicee.g., “23419382 Good Old Rock”
Alice sends Bob H(M) Bob makes his choice, sends it to Alice Alice reveals M. She has to tell the truth.
“Bit commitment scheme”Applications to auctions, voting
How do we hash?Most hashes are built using a one-way
compression function: m+n bits to n bitsDivide message into k blocks of m bitshi = ƒ(Mi, hi-1) (h0 is a fixed initial value)Output is H(M) = hk
ƒ ƒ ƒ ƒIV
M1 M2
h1
M3
h2
Mk
hk-1
H(M)
hk
Hashing out the detailsPad message length to be a multiple of mInclude message length within MNeed to pick a one-way function ƒ(Not like public-key; no trapdoor needed)
ƒ ƒ ƒ ƒIV
M1 M1
h1
M2
h2
Mk
hk-1
H(M)
hk
A MoDESt ProposalOne idea: use encryption (e.g., DES)h0 = IVhi = ƒ(Mi, hi-1) = EMi
(hi-1)Problem 1: slowProblem 2: export restrictions
ƒ ƒ ƒ ƒIV
M1 M1
h1
M2
h2
Mk
hk-1
H(M)
hk
