Information Integrity and Message Digests CSCI 5857: Encoding and Encryption.

Outline
• Information integrity issues
• Message digests
  – Hash functions
  – Ensuring information integrity
• Attacks on message digests
  – Preimage attacks
  – Collision attacks
• Properties of a good hash function
• Mathematical background
  – Pigeonhole principle
  – Birthday problem

Information Integrity Problems
• Content Modification: Adversary inserts/modifies/deletes message content
[Figure: salary database; adversary inserts new record for Darth’s salary of $1,000,000]

Information Integrity Problems
• Masquerade: Adversary sends message claimed to be from someone else
[Figure: adversary masquerading as Alice sends “Give Darth a $10,000 raise -- Alice”]

Information Integrity Problems
• Timing Modification: Adversary intercepts message and replays it later
[Figure: intercepted message “Open the front gate. -- Alice”]

Modification Detection
• Simplest case: Detecting modification
  – Message M stored in public location
  – M not encrypted
• How can we prove/detect whether adversary has replaced message M with fake message M´?
[Figure: public storage; M replaced by M´]

Modification Detection
• One solution: store protected copy of M
  – Compare M to copy to detect changes
  – Implausible if M very large
[Figure: M in public storage; protected copy of M]

Message Digests
• Created from message M using hashing function
    y = h(M)
• Like “fingerprint” for messages
  – Different messages → different fingerprints
  – Much more compact than messages: size of y << size of M
  – Plausible for secure storage/transmission

Message Digests
• Same concept as error detection in network transmission
• Error detection bits = function of message
  – Example: parity bit depends on even/odd number of 1’s in message
• If error detection bits do not match message, request message resend
• Key difference: Unlike noise, adversary is intelligent
[Figure: message followed by error detection bits]

Message Digests
• Used to detect modification
  – Apply hash to message in storage to get h(M´)
  – Compare with stored h(M)
  – If h(M´) ≠ h(M), message has been modified
[Figure: M´ in public storage is hashed to h(M´) and compared with stored h(M)]

Simple Example Hash Function
• Break message M into blocks bi
• Digest = XOR of all blocks
    h(b1, b2, b3 … bn) = b1 ⊕ b2 ⊕ b3 ⊕ … ⊕ bn
• Possible improvement: Rotate each block one bit before XOR (diffusion)

Attacks on Message Digests
• Goal of message digest: Detect when fake message M´ has been substituted for original message M
• Adversary goal: Substitute fake message M´ for original message M without being detected
• Types:
  – Preimage attack
  – Collision attack

Preimage Attack
• Adversary finds message M´ with same digest
    h(M´) = h(M)
• Impossible to detect or prove changes!
[Figure: M´ in public storage hashes to h(M´), the same as stored h(M)]

Preimage Attack
• Adversary can “tweak” new message M´ until h(M´) = h(M)
• Example:
    Give Darth a salary increase of $1000
    Award Mr. Vader some raise … $2000
    Present Darth Vader … bonus $3000
    … … … $4000 …
“I’ll find some combination of these so they can’t detect the difference!”

Preimage Attack
• Simple XOR-based hash function vulnerable to preimage attack
  – Darth generates own message M´
  – Darth adds some block bm to end so that
      h(M´) ⊕ bm = h(M)
• Problem: XOR is reversible
  – Can work backwards from desired message to create one with same hash as original message
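
The XOR weakness described above, worked through as an added example (not part of the original slides). The 8-byte block size, zero padding, function names and sample messages are assumptions for illustration; the same modification check is then repeated with SHA-256 as h, which flags the substituted message.

```python
import hashlib

BLOCK = 8  # block size in bytes; an assumption, the slides do not fix one


def pad(msg: bytes) -> bytes:
    """Zero-pad msg to a whole number of blocks."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_hash(msg: bytes) -> bytes:
    """Toy digest from the slides: h(b1..bn) = b1 XOR b2 XOR ... XOR bn."""
    msg = pad(msg)
    digest = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        digest = xor_bytes(digest, msg[i:i + BLOCK])
    return digest


def forge(fake: bytes, original_digest: bytes) -> bytes:
    """Append the block bm = h(M') XOR h(M), so that h(M' || bm) = h(M)."""
    bm = xor_bytes(xor_hash(fake), original_digest)
    return pad(fake) + bm


def modified(stored_digest: bytes, message: bytes, h) -> bool:
    """Modification check from the slides: recompute h(M') and compare."""
    return h(message) != stored_digest


def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


# Constructed sample messages, based on the salary example in the slides.
M = b"Give Darth a salary increase of $1000"
M_FAKE = forge(b"Give Darth a salary increase of $4000", xor_hash(M))

if __name__ == "__main__":
    print("XOR digest flags change:    ", modified(xor_hash(M), M_FAKE, xor_hash))
    print("SHA-256 digest flags change:", modified(sha256(M), M_FAKE, sha256))
```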

Collision Attack
• Adversary finds two messages M1 and M2 with same message digest h(M1) = h(M2)
• M1 is harmless message
    “We like kittens”
• M2 has advantage for adversary
    “Give Darth a $5000 raise”

Collision Attack
• Darth gets job in organization
  – Presents M1 to boss for approval
  – Boss stores h(M1)
  – Darth actually stores/sends M2
• Boss has no way to prove he didn’t approve M2
[Figure: “We like kittens” and h(“We like kittens”); “Give Darth a $5000 raise”]

Good Properties of a Hash
• Must be “one way”
  – Easy to compute h(M)
  – No easy way to determine what other messages M´ would give same digest (h(M) = h(M´))
  – Otherwise adversary could easily create different messages with same hash
• Must produce hash large enough to prevent brute force attacks
  – Testing all possible alternative messages to find ones with same hash value

Mathematics of Message Digests
• Pigeonhole Principle:
  – Given n pigeons and m birdhouses, with n > m
  – At least one birdhouse with more than one pigeon
• Digest size |h(M)| < message size |M|
• Fewer possible digests h(M) than possible messages M
  – 2^|h(M)| possible digests < 2^|M| possible messages
• Must exist messages M1 and M2 with same digest h(M1) = h(M2)
  – That is, cannot avoid collisions between different messages
• Example: 1 GB messages, 512 bit digest
  – Over 2,000,000 different messages with same digest!

Mathematics of Message Digests
• Best case: Hash function follows random oracle model
  – h(M) like “random” function over all possible MDCs
  – Each possible MDC equally likely for a given M
• Minimizes likelihood that h(M1) = h(M2) for given M1, M2
• Assumption used in birthday problem analysis

Birthday Problems and Digests
1. What is minimum number of students in class so that at least one has same birthday as instructor?
2. What is minimum number of students in class so that at least two have same birthday?
In general:
• k students and N (that is, 365) possible birthdays
• Minimum k such that probability ≥ 50%:
  1. k ≈ 0.69 N ≈ 253 for birthdays
  2. k ≈ 1.18 N^(1/2) ≈ 23 for birthdays

Birthday Problems and Digests
• Birthday problems define vulnerability of message digests to exhaustive search attacks
  – Assume best case random oracle model
    N = number of possible message digests
    k = number of false messages tested by adversary in attacks
• How many false messages must the adversary test to have at least a 50% chance of finding a message with the desired digest?

Birthday Problems and Digests
First birthday problem = Preimage Attack
• Probability h(M´) = h(M) for any M´ given some M
• Number of tests k ≈ 0.69 N (proportional to number of possible digests)

Birthday Problems and Digests
Second birthday problem = Collision Attack
• Probability h(M1) = h(M2) for any M1, M2
• Number of tests k ≈ 1.18 N^(1/2) (proportional to square root of possible digests)

Birthday Problems and Digests
• Number of possible message digests N must be large enough to make attacks impractical
  – Difficulty of preimage attack proportional to N
  – Difficulty of collision attack proportional to N^(1/2)
• Message digest of n bits → N = 2^n
• 2^(n/2) must be large enough to prevent exhaustive search to find collision
• Current standard: 512 bits