Cryptography Primer - IIT Madras CSE Dept. · 2019-03-24

Post on 12-Mar-2020


Cryptography Primer

Chester Rebeiro, IIT Madras

Cryptography (its use)

• A crucial component in all security systems
• Fundamental component to achieve:
  • Confidentiality: allows only authorized users access to data
  • Data integrity: cryptography can be used to ensure that only authorized users can make modifications (for instance to a bank account number)
  • Authentication: cryptography helps prove identities
  • Non-repudiation: the sender of a message cannot claim that she did not send it ("I did not send that")

Scheme for Confidentiality

Problem: Alice wants to send a message ("Attack at Dawn!!") to Bob (and only to Bob) through an untrusted communication link on which Mallory is listening.

Encryption

Alice encrypts the message "Attack at Dawn!!" with an encryption function E under key KE, producing the ciphertext (e.g. #%AR3Xf34^$) that travels over the untrusted communication link; Bob decrypts it with D under key KD and recovers "Attack at Dawn!!".

Secrets:
• Only Alice knows the encryption key KE
• Only Bob knows the decryption key KD

Mallory only sees the ciphertext. She cannot get the plaintext message because she does not know the keys.

Encryption Algorithms

• Should be easy to compute for Alice/Bob (who know the key)
• Should be difficult to compute for Mallory (who does not know the key)
• What is 'difficult'?
  • Ideal case: prove that the probability of Mallory determining the encryption/decryption key is no better than a random guess
  • Computationally: show that it is difficult for Mallory to determine the keys even if she has massive computational power

Ciphers

• Symmetric algorithms
  • Encryption and decryption use the same key, i.e. KE = KD
  • Examples:
    • Block ciphers: DES, AES, PRESENT, etc.
    • Stream ciphers: A5, Grain, etc.
• Asymmetric algorithms
  • Encryption and decryption keys are different, KE ≠ KD
  • Examples: RSA, ECC

Encryption Keys

• How are keys managed?
• How do Alice and Bob select the keys?
• Need algorithms for key exchange

Algorithmic Attacks

• Can Mallory use tricks to break the algorithm?
  • Thereby reducing the 'difficulty' of getting the key

Cipher Design Challenges

• We want crypto algorithms to be fast and small
• For security, the algorithms are computationally intensive. Typically they use large numbers and complex operations
• Need to protect against side-channel attacks
• Trade-offs between security, speed, and side-channel resistance

Block Ciphers
Chester Rebeiro, IIT Madras
STINSON: chapter 3

Block Cipher

Same picture as before: Alice encrypts "Attack at Dawn!!" with E under KE, the ciphertext crosses the untrusted communication link, and Bob decrypts with D under KD. For a block cipher the encryption key is the same as the decryption key (KE = KD).

Block Cipher: Encryption

• A block cipher encryption algorithm encrypts n bits of plaintext at a time (n is the block length; the secret key has a fixed key length)
• May need to pad the plaintext if necessary
• y = e_k(x)

Block Cipher: Decryption

• A block cipher decryption algorithm recovers the plaintext from the ciphertext
• x = d_k(y)

Inside the Block Cipher (an iterative cipher)

Plaintext block → key whitening → Round 1 (key1) → Round 2 (key2) → Round 3 (key3) → … → Round n (keyn) → ciphertext block

• Each round has the same endomorphic cryptosystem, which takes a round key and produces an intermediate output
• Taken together, the round keys are huge ... much larger than the block size, so they are derived from one secret key (next slide)

Inside the Block Cipher (the key schedule)

Secret key → key expansion → round key 1, round key 2, round key 3, …, round key n (plus the key-whitening key), feeding the rounds above

• A single secret key of fixed size is used to generate 'round keys' for each round

Inside the Round Function

Round input → AddRoundKey → confusion layer → diffusion layer → round output

• AddRoundKey: mixing operation between the round input and the round key; typically an ex-or operation
• Confusion layer: makes the relationship between round input and output complex
• Diffusion layer: dissipates the round input. Avalanche effect: a single bit change in the round input should cause huge changes in the output. Makes it difficult for the attacker to pick out some bits over the others (think Hill cipher)

The Advanced Encryption Standard (AES)

• NIST's standard block cipher: Rijndael was selected in October 2000 and published as FIPS 197 in November 2001
• SPN network (128-bit block for all key sizes) with each round having:
  • Randomness layer: round key addition
  • Confusion layer: byte substitution
  • Diffusion layer: ShiftRows and MixColumns (the last round does not have the MixColumns step)

Variant    Key length   No. of rounds
AES-128    16 bytes     10
AES-192    24 bytes     12
AES-256    32 bytes     14

The AES State Representation

• 16 bytes arranged in a 4x4 matrix of bytes, filled column by column: the 16-byte plaintext a b c d e f g h i j k l m n o p becomes the state

  a e i m
  b f j n
  c g k o
  d h l p

  and after AES the 16-byte ciphertext A B C D … P is read out of the final state in the same column-wise order

AES-128 Encryption

4 operations: ByteSubstitution (confusion), ShiftRows and MixColumns (diffusion), AddRoundKey

Plaintext block
  XOR secret key (key whitening)
  Loop 10 times:
    ByteSubstitution
    ShiftRows
    MixColumns (except for the last round)
    AddRoundKey with RK1, RK2, RK3, …, RK10 (from key expansion of the secret key)
Ciphertext block

AES Operations

• All AES operations are performed in the field GF(2^8)
• The field's irreducible polynomial is x^8 + x^4 + x^3 + x + 1: in binary notation (100011011)_2, in hex notation (11B)_16

Byte Substitution

• Makes a non-linear substitution for every byte in the 4x4 matrix: each byte f of the state is replaced by F = Sbox(f), so the column e f g h becomes E F G H, and likewise for the other columns
• Sbox(a) = Affine(a^{-1}), where a^{-1} is the inverse in GF(2^8), with the convention that 0 has no inverse and maps to Affine(0):

  Sbox(a) = Affine(a^{-1})  if a ≠ 0
  Sbox(a) = Affine(0)       if a = 0

• Affine transformation (input bits b7..b0, output bits a7..a0, constant 63h):

  [a0]   [1 0 0 0 1 1 1 1] [b0]   [1]
  [a1]   [1 1 0 0 0 1 1 1] [b1]   [1]
  [a2]   [1 1 1 0 0 0 1 1] [b2]   [0]
  [a3] = [1 1 1 1 0 0 0 1] [b3] ⊕ [0]
  [a4]   [1 1 1 1 1 0 0 0] [b4]   [0]
  [a5]   [0 1 1 1 1 1 0 0] [b5]   [1]
  [a6]   [0 0 1 1 1 1 1 0] [b6]   [1]
  [a7]   [0 0 0 1 1 1 1 1] [b7]   [0]

AES S-box Design Rationale

• This S-box construction was proposed by Kaisa Nyberg in 1993
• Steps:
  1. Inverse in GF(2^8)
     • Provides high degrees of non-linearity
     • Known to have good resistance against differential and linear cryptanalysis
  2. Affine transformation
     • Ensures no fixed points (a fixed point is an x with S(x) = x)
     • Complicates algebraic attacks

S-box Encryption Table

• Use a table to do the byte substitution
• e.g. Sbox[42h] = 2ch

Shift Rows

• Leave the first row untouched
• Left rotate the 2nd row by 8 bits (one byte), the 3rd row by 16 bits, the 4th row by 24 bits
• Along with MixColumns provides high diffusion
• Bits flip in at least 25 S-boxes after 4 rounds

  a e i m        a e i m
  b f j n   →    f j n b
  c g k o        k o c g
  d h l p        p d h l

Read column-wise, the input columns abcd, efgh, ijkl, mnop become afkp, ejod, inch, mbgl: every output column now holds one byte from each input column.

Mix Columns

Each column of the 4x4 state is multiplied with the matrix

  [2 3 1 1]
  [1 2 3 1]
  [1 1 2 3]
  [3 1 1 2]

so the column (e, f, g, h) becomes (E, F, G, H) with

  E = 2e + 3f + g + h
  F = e + 2f + 3g + h
  G = e + f + 2g + 3h
  H = 3e + f + g + 2h

Note that the multiplications and additions are in the GF(2^8) field.

Mix Columns Rationale

Why use this matrix?
• It is an MDS matrix (from Maximum Distance Separable codes)
  • If a single byte of the input column changes then all four output bytes change
  • This maximizes the branch number (minimum number of non-zero bytes in input plus output)
  • For AES, the branch number is 5
• The values [2, 3, 1, 1] are the smallest which result in an MDS matrix that is also circulant
• Has an inverse in the AES field

AES Operations (Add Round Key)

Addition here is addition in GF(2^8), which is the ex-or operation. The round key bytes k0 … k15 are laid out column-wise like the state:

  a e i m     k0 k4 k8  k12     a+k0 e+k4 i+k8  m+k12
  b f j n  +  k1 k5 k9  k13  =  b+k1 f+k5 j+k9  n+k13
  c g k o     k2 k6 k10 k14     c+k2 g+k6 k+k10 o+k14
  d h l p     k3 k7 k11 k15     d+k3 h+k7 l+k11 p+k15

AES-128 Decryption

Ciphertext block
  XOR RK10
  Loop 10 times:
    InverseByteSubstitution
    InverseShiftRows
    AddRoundKey with RK9, RK8, …, RK1, and finally the secret key itself (from the same key expansion)
    InverseMixColumns (except for the last round)
Plaintext block

Inverse S-box

• Simply the AES S-box run in reverse
• As with the S-box operation, a lookup table can be used

Inverse Shift Rows

• Leave the first row untouched
• Right rotate the 2nd row by 8 bits, the 3rd row by 16 bits, the 4th row by 24 bits

  a e i m        a e i m
  f j n b   →    b f j n
  k o c g        c g k o
  p d h l        d h l p

Column-wise, afkp, ejod, inch, mbgl go back to abcd, efgh, ijkl, mnop.

Inverse Mix Columns

• Each column of the 4x4 state is multiplied with the matrix (entries in hex)

  [E B D 9]
  [9 E B D]
  [D 9 E B]
  [B D 9 E]

  so the column (E, F, G, H) is mapped back to (e, f, g, h):

  e = 0E·E + 0B·F + 0D·G + 09·H
  f = 09·E + 0E·F + 0B·G + 0D·H
  g = 0D·E + 09·F + 0E·G + 0B·H
  h = 0B·E + 0D·F + 09·G + 0E·H

• The hardware implementation can be done in a similar way as MixColumns

AES Key Schedule

• How to expand the secret key into RK1, RK2, RK3, …, RK10
• Design criteria:
  o Efficient
  o Non-symmetric: ensured by round constants
  o Efficient diffusion properties of the secret key into the round keys
  o It should exhibit enough non-linearity to prohibit the full determination of differences in the expanded key from cipher key differences only

AES Key Schedule (AES-128, one step)

The 16 bytes of the secret key form four 4-byte words: (K0,0 K0,1 K0,2 K0,3), (K0,4 … K0,7), (K0,8 … K0,11), (K0,12 … K0,15). The 1st round key (K1,0 … K1,15) is derived word by word:

• The last word (K0,12 … K0,15) goes through rotword (rotate by one byte), then the S-box operation on each byte, then a round constant xor with (2^{i-1}, 0, 0, 0) for round i, the power being computed in GF(2^8)
• (K1,0 … K1,3) = (K0,0 … K0,3) xor that transformed word
• (K1,4 … K1,7) = (K0,4 … K0,7) xor (K1,0 … K1,3)
• (K1,8 … K1,11) = (K0,8 … K0,11) xor (K1,4 … K1,7)
• (K1,12 … K1,15) = (K0,12 … K0,15) xor (K1,8 … K1,11)

The same step, with the next round constant, produces each following round key from the previous one.

Implementation Aspects of AES

Software Implementations of AES Encryption

• S-box implemented as a lookup table (256 bytes)
• ShiftRows combined with MixColumns
• Multiplication with the MDS matrix easily achieved:
  • x2: done by a left shift. If there is an overflow (the top bit was set) an ex-or with 0x1B is needed
  • x3 = x2 + x
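The whole AES-128 data path from the preceding slides, as an added example that is not part of the original deck and not OpenSSL's or any library's code: the S-box is generated from the GF(2^8) inverse and the affine transformation (rather than stored as a table), MixColumns uses the left-shift/0x1B trick just described, the key schedule applies RotWord, the S-box and the round constants 2^(i-1), and encryption and decryption follow the two flow charts. The state is kept column-major, i.e. byte (row r, column c) sits at index r + 4c, matching the state representation slide. Python standard library only; the key and plaintext in the usage block are the FIPS-197 Appendix C.1 test vector.

```python
"""AES-128 built from the slides' primitives (added example, Python standard library only)."""


def xtime(a):
    """Multiply by x (i.e. by 02h) in GF(2^8): shift left, reduce with 1Bh on overflow."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse a^254 by square-and-multiply; 0 maps to 0 (the S-box convention)."""
    r, p = 1, a
    for _ in range(7):            # a^254 = a^2 * a^4 * ... * a^128
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r


def affine(b):
    """The S-box affine transformation: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 63h."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [affine(gf_inv(a)) for a in range(256)]   # Nyberg construction, generated not stored
INV_SBOX = [0] * 256
for _a, _s in enumerate(SBOX):
    INV_SBOX[_s] = _a


def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]


def shift_rows(state, inverse=False):
    """Row r rotates left by r bytes (right for the inverse); column-major index r + 4c."""
    sign = -1 if inverse else 1
    return [state[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state, inverse=False):
    """Multiply each column by the circulant MDS matrix [2 3 1 1] (or [E B D 9] for the inverse)."""
    row = (0x0E, 0x0B, 0x0D, 0x09) if inverse else (2, 3, 1, 1)
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(row[0], col[r]) ^ gf_mul(row[1], col[(r + 1) % 4])
                       ^ gf_mul(row[2], col[(r + 2) % 4]) ^ gf_mul(row[3], col[(r + 3) % 4]))
    return out


def expand_key(key):
    """AES-128 key schedule: 44 words; every 4th word gets RotWord, SubWord and the round constant."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1                                   # 2^(i-1) for round i, computed in GF(2^8)
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # RK0 (whitening) .. RK10


def encrypt_block(plaintext, key):
    rk = expand_key(key)
    s = add_round_key(list(plaintext), rk[0])
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]               # ByteSubstitution (confusion)
        s = shift_rows(s)                      # ShiftRows (diffusion)
        if rnd != 10:
            s = mix_columns(s)                 # MixColumns, skipped in the last round
        s = add_round_key(s, rk[rnd])
    return bytes(s)


def decrypt_block(ciphertext, key):
    rk = expand_key(key)
    s = add_round_key(list(ciphertext), rk[10])
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in s]
        s = shift_rows(s, inverse=True)
        s = add_round_key(s, rk[rnd])
        if rnd != 0:
            s = mix_columns(s, inverse=True)
    return bytes(s)


if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 Appendix C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
```

Generating the S-box at import time costs a few thousand field multiplications, which is what the compact-implementation slides later trade against a 256-byte table; the lookup-table version is simply `SBOX[b]` once the list exists.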

AES on 32-bit Systems (A Round of AES)

T Tables

• Combining operations (for a column): ByteSubstitution, ShiftRows and MixColumns for one output column can be folded into table lookups
• Define 4 T-tables (one per row position of the column input), each mapping a byte to a 32-bit word
• One round of AES using T-tables is then four lookups and four XORs per output column, plus the round key

OpenSSL Implementation of AES (with T-tables)

Last Round of AES

• Uses a different table (Te4), since the last round has no MixColumns step

AES-NI

• Accelerating AES on modern Intel and AMD processors with dedicated instructions

Compact Implementations of AES

• How should the S-box be implemented?
  • Lookup table (256 bytes): this may be too large for some devices
  • Finding the inverse (using Itoh-Tsujii or the extended Euclidean algorithm) and then the affine transformation: again expensive (too big!!!)
  • Third alternative: use composite fields

Composite Fields for AES

• The AES field is GF(2^8) / (x^8 + x^4 + x^3 + x + 1)
• Has order 256
• Many composite fields for AES exist:
  • GF((2^4)^2): requires two irreducible polynomials
    • One has the form x^4 + ..., where the coefficients are in GF(2)
    • The second has the form x^2 + ax + b, where a, b are in GF(2^4)
  • GF(((2^2)^2)^2): requires three irreducible polynomials
    • The first has the form x^2 + a1·x + b1, where a1, b1 are in GF(2)
    • The second has the form x^2 + a2·x + b2, where a2, b2 are in GF(2^2)
    • The third has the form x^2 + a3·x + b3, where a3, b3 are in GF((2^2)^2)

Mapping between GF(2^8) and Composite Fields

FindMap() {
    Initialize MAP[0] = 0 and REVMAP[0] = 0
    Find a primitive root α of the field GF(2^8)
    Find a primitive root β of the field GF((2^4)^2)
    α' = 1; β' = 1
    For i = 1 to 255 {
        α' = α' · α      (multiplication in the field GF(2^8))
        β' = β' · β      (multiplication in the field GF((2^4)^2))
        MAP[α'] = β'
        REVMAP[β'] = α'
    }
    return MAP and REVMAP
}

Caveat: the tables built this way form a field isomorphism only if β is a root, in the composite field, of the minimal polynomial of α. Any other primitive β gives a bijection that does not preserve multiplication, so arithmetic done through the map would be wrong. Check MAP[a·b] = MAP[a]·MAP[b] for all pairs before using the tables.

https://drive.google.com/file/d/0BwxUBZXYoUKCTEJmNUozMl9xM3M/edit?usp=sharing

Implementing the AES S-box in Composite Fields

x → Map → inverse in the composite field (e.g. in GF((2^4)^2)) → reverse map → affine transform → Sbox(x)
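The FindMap idea carried through and checked, as an added example (not the deck's or any library's code): it builds GF(2^4) with x^4 + x + 1 and GF((2^4)^2) with y^2 + y + λ (both polynomial choices are assumptions for this example; the code searches for a λ that makes the quadratic irreducible), then fixes the image of x as a root β of the AES polynomial inside the composite field and extends the map linearly over the eight basis powers of x. That choice is exactly what makes the table a field isomorphism, so the block ends with the MAP[a·b] = MAP[a]·MAP[b] check over all 65536 pairs that the caveat above asks for. Python standard library only.

```python
"""Construct and verify an isomorphism GF(2^8) -> GF((2^4)^2) (added example, stdlib only)."""

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, the AES field
GF16_POLY = 0x13    # x^4 + x + 1 for the GF(2^4) subfield (an assumption for this example)


def gf2_mul(a, b, mod, deg):
    """Multiply polynomials a, b over GF(2) modulo the degree-deg irreducible polynomial mod."""
    r = 0
    for _ in range(deg):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= mod
    return r


def gf16_mul(a, b):
    return gf2_mul(a, b, GF16_POLY, 4)


def gf256_mul(a, b):
    return gf2_mul(a, b, AES_POLY, 8)


def find_lambda():
    """Smallest lam in GF(2^4) for which y^2 + y + lam has no root, i.e. is irreducible."""
    for lam in range(1, 16):
        if all(gf16_mul(t, t) ^ t != lam for t in range(16)):
            return lam
    raise ValueError("no irreducible quadratic over GF(2^4)")


def comp_mul(p, q, lam):
    """Multiply (hi, lo) = hi*y + lo pairs in GF((2^4)^2) modulo y^2 + y + lam."""
    (a1, a0), (b1, b0) = p, q
    a1b1 = gf16_mul(a1, b1)
    hi = a1b1 ^ gf16_mul(a1, b0) ^ gf16_mul(a0, b1)   # y^2 = y + lam
    lo = gf16_mul(a0, b0) ^ gf16_mul(a1b1, lam)
    return (hi, lo)


def comp_pow(p, e, lam):
    r = (0, 1)
    for _ in range(e):
        r = comp_mul(r, p, lam)
    return r


def find_beta(lam):
    """A root of the AES polynomial in the composite field: beta^8 + beta^4 + beta^3 + beta + 1 = 0."""
    for hi in range(16):
        for lo in range(16):
            acc = (0, 1)                                   # the constant term 1
            for e in (8, 4, 3, 1):
                p = comp_pow((hi, lo), e, lam)
                acc = (acc[0] ^ p[0], acc[1] ^ p[1])
            if acc == (0, 0):
                return (hi, lo)
    raise ValueError("AES polynomial has no root; the composite structure is not a field")


def build_maps(lam):
    """MAP[a] = phi(a) with phi(x) = beta and phi GF(2)-linear; REVMAP inverts it."""
    beta = find_beta(lam)
    powers = [comp_pow(beta, i, lam) for i in range(8)]   # images of 1, x, x^2, ..., x^7
    mapping, revmap = [None] * 256, {}
    for a in range(256):
        img = (0, 0)
        for i in range(8):
            if (a >> i) & 1:
                img = (img[0] ^ powers[i][0], img[1] ^ powers[i][1])
        mapping[a] = img
        revmap[img] = a
    return mapping, revmap


def verify_isomorphism(lam):
    """Check phi(a*b) == phi(a)*phi(b) for every pair: the property FindMap needs but never tests."""
    mapping, revmap = build_maps(lam)
    if len(revmap) != 256:                                 # must be a bijection
        return False
    for a in range(256):
        for b in range(256):
            if mapping[gf256_mul(a, b)] != comp_mul(mapping[a], mapping[b], lam):
                return False
    return True
```

With the maps verified, an S-box evaluation becomes MAP, inversion in GF((2^4)^2) (which only needs GF(2^4) arithmetic), REVMAP and the affine transformation, exactly the pipeline of the slide above.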

S-box Based on Composite Fields

Performance of S-boxes on FPGA*:

S-box approach          No. of slices   Critical path   Gate count
Lookup table based      64              11.9 ns         1128
Composite field based   30              18.3 ns         312

Gate count for the composite S-box#:

XOR   NAND   NOR   Total gates in terms of NAND (using std cell lib)
80    34     6     180

# D. Canright, A Very Compact S-box for AES, CHES-2005
* Simulation results using Xilinx ISE

Overhead of Composite Field S-boxes

• Composite field S-boxes require mapping and reverse mapping to and from the composite field in each round
• An alternate approach is to convert all other round operations into composite field operations
  • This would require just one mapping and one reverse mapping for the entire encryption
  • The operations AddRoundKey and ShiftRows are not altered
  • MixColumns will need to be re-implemented

Modes of Operation

What are Modes of Operation?

• Block cipher algorithms only encrypt a single block of message
• A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
• Modes of operation:
  • Electronic codebook mode (ECB mode)
  • Cipher feedback mode (CFB mode)
  • Cipher block chaining mode (CBC mode)
  • Output fe
edback mode (OFB mode)
  • Counter mode

ECB Mode

c_i = e_K(p_i) for every block independently (p0 → c0, p1 → c1, …, p4 → c4)

• Every block in the message is encrypted independently with the same key
• Drawback 1: if p_i = p_j (i ≠ j) then c_i = c_j
  • Encryption should protect against known-plaintext attacks (since the attacker could guess parts of the message ... like stereotyped beginnings)
• Drawback 2: an interceptor may alter the order of the blocks during transmission
• Not recommended for encryption of more than one block

CBC Mode

c_0 = e_K(p_0 ⊕ IV),  c_i = e_K(p_i ⊕ c_{i-1})

• Cipher Block Chaining
• Advantage 1: encryption is dependent on the ciphertext of the previous block, therefore c_i ≠ c_j (i ≠ j) even if p_i = p_j
• Advantage 2: an intruder who alters the order of the blocks during transmission garbles the decryption of the moved blocks and their successors. This is not an integrity guarantee: a bit flip in c_i flips the same bit in p_{i+1}, so tampering must be detected with a MAC
• If an error is present in one received block (say c_i), then p_i and p_{i+1} will not be decrypted correctly; all remaining blocks will be correctly decrypted
• The IV must be fresh and unpredictable for every message encrypted under the same key

CBC Mode Decryption

p_0 = d_K(c_0) ⊕ IV,  p_i = d_K(c_i) ⊕ c_{i-1}

Each block only needs the previous ciphertext block, which is already available, so decryption (unlike encryption) can be parallelized.

CFB (Cipher Feedback Mode)

• Can transform a block cipher into a stream cipher: each unit of plaintext (8 bits at a time in the diagram) is XORed with a fresh keystream byte produced by the block cipher; the key K itself never changes
• Uses a shift register that is initialized with an IV
• Encryption scheme: the register is encrypted with e_K, the leftmost byte of the output is XORed with the message byte to give the ciphertext byte (8 bits transmitted at a time), and the ciphertext byte is shifted into the register

CFB - Error Propagation

• Decryption scheme: the same shift register and e_K (never d_K) are used; the received ciphertext byte is XORed with the keystream byte (8 bits decrypted at a time) and then shifted into the register
• Since previous ciphertext is fed into the shift register, a corrupted ciphertext byte garbles its own plaintext byte and the following decryptions until it has shifted out of the register (one block length of ciphertext)

Output Feedback Mode (OFB)

• Very similar to CFB but the feedback into the shift register is taken from the output of e_K, not from the ciphertext
• An error in one byte of the ciphertext affects only one decrypted byte
• Encryption scheme as in CFB (message stream 8 bits at a time, ciphertext stream 8 bits transmitted at a time); the decryption scheme is the same operation

Counter Mode

c_i = p_i ⊕ e_K(counter + i)   (counter, counter+1, counter+2, … each encrypted once; p0 … p4 → c0 … c4)

• A randomly initialized counter is incremented with every encryption
• Can be parallelized, i.e. multiple encryption engines can simultaneously run
• As with OFB, an error in a single ciphertext block affects only one decrypted plaintext block
• A counter value must never be reused under the same key: two messages encrypted with the same keystream leak p_i ⊕ p_j
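ECB, CBC and counter mode as described on the mode slides, as an added example that is not code from the deck: since the Python standard library has no block cipher, e_K is a toy 4-round Feistel permutation keyed through SHA-256 (an assumption for this example only; it is not a secure cipher, swap in AES for real use). The demo functions show ECB's repeated-block leak, CBC hiding the same repeats, CBC's error propagation pattern (p_i garbled, one bit of p_{i+1} flipped, the rest intact) and what counter reuse in CTR gives away. The demo key and IV are constructed values.

```python
"""ECB, CBC and CTR over a stand-in 128-bit block cipher (added example, standard library only)."""
import hashlib

BLOCK = 16
DEMO_KEY = b"0123456789abcdef"      # constructed demo key (assumption for this example)
DEMO_IV = bytes(BLOCK)              # all-zero IV: fine for a demo, never for real traffic


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy permutation standing in for e_K: (L, R) -> (R, L xor F(R)) four times, then swap."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return r + l


def block_decrypt(key, block):
    """Inverse permutation d_K: undo the rounds in reverse order."""
    r, l = block[:8], block[8:]
    for rnd in reversed(range(4)):
        r, l = l, xor(r, _round_fn(key, rnd, l))
    return l + r


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """c_i = e_K(p_i): every block independently under the same key."""
    return b"".join(block_encrypt(key, p) for p in blocks(pt))


def cbc_encrypt(key, iv, pt):
    """c_i = e_K(p_i xor c_{i-1}), with c_{-1} = IV."""
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    """p_i = d_K(c_i) xor c_{i-1}; each block needs only its predecessor."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """c_i = p_i xor e_K(counter + i); the same call decrypts, and blocks are independent."""
    ctr = int.from_bytes(nonce, "big")
    out = []
    for i, chunk in enumerate(blocks(data)):
        ks = block_encrypt(key, ((ctr + i) % (1 << 128)).to_bytes(BLOCK, "big"))
        out.append(xor(chunk, ks))
    return b"".join(out)


def ecb_leaks_repeats(key=DEMO_KEY):
    """ECB drawback 1: three equal plaintext blocks give three equal ciphertext blocks (constructed input)."""
    ct = blocks(ecb_encrypt(key, b"A" * 48 + b"B" * 16))
    return ct[0] == ct[1] == ct[2] and ct[3] != ct[0]


def cbc_hides_repeats(key=DEMO_KEY, iv=DEMO_IV):
    """CBC advantage 1: four identical plaintext blocks give four distinct ciphertext blocks."""
    return len(set(blocks(cbc_encrypt(key, iv, b"A" * 64)))) == 4


def cbc_error_propagation(key=DEMO_KEY, iv=DEMO_IV):
    """Flip one bit of c_1: p_1 is garbled, p_2 has exactly that bit flipped, p_0 and p_3 are intact."""
    pt = bytes(range(64))
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK + 5] ^= 0x01
    p, q = blocks(cbc_decrypt(key, iv, bytes(ct))), blocks(pt)
    return {"p0_ok": p[0] == q[0], "p1_garbled": p[1] != q[1],
            "p2_bit_flipped": xor(p[2], q[2]) == bytes(5) + b"\x01" + bytes(10),
            "p3_ok": p[3] == q[3]}


def ctr_nonce_reuse_leak(key=DEMO_KEY, nonce=DEMO_IV):
    """Reusing a counter value under one key: c1 xor c2 = p1 xor p2, the keystream cancels out."""
    m1, m2 = b"Attack at Dawn!!", b"Attack at Dusk!!"
    return xor(ctr_crypt(key, nonce, m1), ctr_crypt(key, nonce, m2)) == xor(m1, m2)
```

CFB and OFB fit the same template (a shift register encrypted with `block_encrypt`, output XORed into the data) and are left out here only to keep the block short; none of these modes authenticates the ciphertext, which is why the later MAC slides matter.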

Cryptographic Hash Functions
STINSON: chapter 4

Issues with Integrity

Alice sends the message "Attack at Dawn!!" to Bob over an unsecured channel; Mallory changes 'Dawn' to 'Dusk' and Bob receives "Attack at Dusk!!". How can Bob ensure that Alice's message has not been modified? Note ... we are not concerned with confidentiality here.

Hashes

Alice passes the message x through a hash function h, which produces a fixed-length message digest y = h(x). The message "Attack at Dawn!!" travels over the unsecured channel and the message digest over a secure channel.

• The message digest is representative of Alice's message
• Even a small change in the message will result in a completely new message digest
• Typically 160 bits (SHA-1) or 256 bits (SHA-256), irrespective of the message size

Bob re-computes the message hash and verifies it against Alice's message digest.

Integrity with Hashes

Mallory does not have access to the digest y = h(x) (it travels over the secure channel). Her task (to modify Alice's message) is much more difficult. If she modifies x to x', the modification can be detected unless h(x) = h(x'). Hash functions are specially designed to resist such collisions.

Message Authentication Codes (MAC)

Alice computes y = h_K(x) with a keyed hash and sends both the message and the digest over the unsecured channel; Bob recomputes h_K(x) with the same key K and compares.

• MACs allow the message and the digest to be sent over an insecure channel
• However, it requires Alice and Bob to share a common key K

Avalanche Effect

Message M → hash function → short fixed-length digest (also called 'hash')

Hash functions give distinct messages distinct digests with high probability. Even a small change in M will result in a new digest.

Hash Functions in Security

• Digital signatures
• Random number generation
• Key updates and derivations
• One-way functions
• MAC
• Detecting malware in code
• User authentication (storing passwords)

Hash Family

• The hash family is a 4-tuple (X, Y, K, H)
• X is a set of messages (may be infinite)
• Y is a finite set of message digests (aka authentication tags)
• K is a finite set of keys
• Each K ∈ K defines a keyed hash function h_K ∈ H, h_K : X → Y

Hash Family: some definitions

• Valid pair under K: (x, y) ∈ X × Y such that y = h_K(x)
• Size of the hash family: the number of functions possible from set X to set Y; if |Y| = M and |X| = N then the number of mappings possible is M^N
• The collection of all such mappings is termed an (N, M)-hash family

Unkeyed Hash Function

• The hash family is a 4-tuple (X, Y, K, H)
• X is a set of messages (may be infinite; we assume its size is at least 2|Y|)
• Y is a finite set of message digests
• In an unkeyed hash function |K| = 1
• We thus have only one mapping function h : X → Y in the family

Security Aspects of Unkeyed Hash Functions

• h : X → Y, y = h(x): no shortcuts in computing. The only valid way of computing y is to invoke the hash function h on x
• Three problems that define the security of a hash function:
  * Preimage resistance
  * Second preimage resistance
  * Collision resistance

Hash Function Requirement 1 (Preimage Resistant)

• Also known as the one-wayness problem
• If Mallory happens to know the message digest, she should not be able to determine the message
• Given a hash function h : X → Y and an element y ∈ Y, find any x ∈ X such that h(x) = y

Hash Function Requirement 2 (Second Preimage)

• Mallory has x and can compute h(x); she should not be able to find another message x' which produces the same hash
• It would be easy to forge new digital signatures from old signatures if the hash function used weren't second-preimage resistant
• Given a hash function h : X → Y and an element x ∈ X, find x' ∈ X with x' ≠ x such that h(x) = h(x')

Hash Function Requirement 3 (Collision Resistant)

• Mallory should not be able to find two messages x and x' which produce the same hash
• Given a hash function h : X → Y, find x, x' ∈ X with x ≠ x' such that h(x) = h(x')
• There is no collision-free hash function (X is larger than Y), but hash functions can be designed so that collisions are difficult to find

Finding Collisions

Find_Collisions(h, Q) {
    choose Q distinct values from X (say x1, x2, …, xQ)
    for (i = 1; i <= Q; ++i)
        yi = h(xi)
    if there exists (yj == yk) for j ≠ k then
        return (xj, xk)
    return FAIL
}

Success probability, with |Y| = M:

  ε = Pr[success] = 1 − ∏_{i=1}^{Q−1} (1 − i/M)

Birthday Paradox

• Find the probability that at least two people in a room of Q people have the same birthday

  Event A: at least two people in the room have the same birthday
  Event A': no two people in the room have the same birthday

  Pr[A] = 1 − Pr[A']

  Pr[A'] = 1 × (1 − 1/365) × (1 − 2/365) × (1 − 3/365) × … × (1 − (Q−1)/365)
         = ∏_{i=1}^{Q−1} (1 − i/365)

  Pr[A] = 1 − ∏_{i=1}^{Q−1} (1 − i/365)

• If there are 23 people in a room, then the probability that two birthdays collide is about 1/2

Collisions in Birthdays to Collisions in Hash Functions

Running Find_Collisions(h, Q) against a hash with |Y| = M is the same experiment with 365 replaced by M:

  ε = Pr[success] = 1 − ∏_{i=1}^{Q−1} (1 − i/M)

Relationship between Q, M and the success probability ε:

  Q ≈ sqrt(2 M ln(1/(1 − ε)))

  If ε = 0.5 then Q ≈ 1.17 sqrt(M)

Q is always proportional to the square root of M; ε only affects the constant factor.

Birthday Attacks and Message Digests

• If the size of a message digest is 40 bits, then M = 2^40
• A birthday attack would require about 2^20 queries (Q ≈ 1.17 sqrt(M))
• Thus to achieve 128-bit security against collision attacks, hashes of length at least 256 bits are required
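The birthday bound and Find_Collisions made concrete, as an added example that is not part of the deck: success_probability is the product formula from the Find_Collisions slide, queries_for inverts it to Q ≈ sqrt(2 M ln(1/(1−ε))), and birthday_demo runs the collision search against a 24-bit digest (SHA-256 truncated to 3 bytes, an assumption chosen so that M = 2^24 is cheap to attack) starting from the Q the bound predicts. The inputs x_1 … x_Q are constructed as consecutive integers. Python standard library only.

```python
"""Birthday bound and Find_Collisions on a truncated hash (added example, standard library only)."""
import hashlib
import math


def success_probability(Q, M):
    """Pr[at least one collision among Q values drawn from M] = 1 - prod_{i=1}^{Q-1} (1 - i/M)."""
    p_no_collision = 1.0
    for i in range(1, Q):
        p_no_collision *= 1.0 - i / M
    return 1.0 - p_no_collision


def queries_for(eps, M):
    """Invert the approximation: Q ~ sqrt(2 M ln(1/(1-eps))); eps = 0.5 gives 1.177 sqrt(M)."""
    return math.sqrt(2.0 * M * math.log(1.0 / (1.0 - eps)))


def find_collisions(h, xs):
    """The slides' Find_Collisions: hash the Q distinct values, return (x_j, x_k) with h(x_j) == h(x_k), else None."""
    seen = {}
    for x in xs:
        y = h(x)
        if y in seen and seen[y] != x:
            return seen[y], x
        seen[y] = x
    return None


def truncated_sha256(nbytes):
    """A 'small digest' hash for the demo: SHA-256 cut to nbytes bytes, so M = 256^nbytes."""
    return lambda x: hashlib.sha256(x).digest()[:nbytes]


def birthday_demo(nbytes=3):
    """Attack a 24-bit digest with Q ~ 1.17 sqrt(M) queries; double Q on FAIL and return (pair, Q)."""
    M = 256 ** nbytes
    h = truncated_sha256(nbytes)
    Q = int(queries_for(0.5, M))
    while True:
        # x_1 .. x_Q are the integers 0 .. Q-1 as 8-byte strings (constructed, distinct by design)
        pair = find_collisions(h, (i.to_bytes(8, "big") for i in range(Q)))
        if pair is not None:
            return pair, Q
        Q *= 2


def security_bits_against_collisions(digest_bits):
    """Generic attacks need about 2^(n/2) work, so an n-bit digest gives n/2 bits of collision resistance."""
    return digest_bits // 2
```

For a 256-bit digest the same `queries_for(0.5, 2 ** 256)` gives about 2^128 evaluations, which is the 128-bit collision security the slide asks for; truncating a digest to 40 bits (M = 2^40) drops that to about 2^20, within reach of a laptop.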

Iterated Hash Functions

• So far, we've looked at hash functions where the message was picked from a finite set X
• What if the message is of an infinite size? We use an iterated hash function
• The core in an iterated hash function is a function called compress
• compress hashes from m + t bits to m bits:

  compress : {0,1}^{m+t} → {0,1}^m

Iterated Hash Function (given m and t)

Input message x (may be of any length) → append pad → append pad length → y → for each t-bit block of y: concatenate the previous m-bit output (the IV for the first block) with the block and apply compress → post-processing g → h(x)

• The input message is padded so that its length is a multiple of t
• The number of bits in the pad is appended
• The compress function is invoked iteratively for each t-bit block in the message. For the first operation, an initialization vector (IV) is used
• Concatenate the previous m-bit output with the next t-bit block (the IV is used only during initialization)
• After all t-bit blocks are processed, there is a post-processing step g, and finally the hash is obtained. This step is optional
• The message x must be at least m + t + 1 bits in length

Iterated Hash Function (Principle)

• Another perspective (diagram of the same chaining)

Hash Functions in Practice

• MD5 (128-bit hash; see the following slides)
• NIST-specified "secure hash algorithms":
  • SHA-0: published in 1993. 160-bit hash
    • There were unpublished weaknesses in this algorithm
    • The first published weakness was in 1998, where a collision attack was discovered with complexity 2^61
  • SHA-1: published in 1995. 160-bit hash
    • SHA-0 was replaced with SHA-1, which resolved several of the weaknesses
    • SHA-1 was used in several applications until 2005, when an algorithm to find collisions with a complexity of 2^69 was developed
    • In 2010 SHA-1 was deprecated by NIST for digital signatures. All applications that used SHA-1 needed to be migrated to SHA-2 (a practical SHA-1 collision was finally published in 2017)
  • SHA-2: published in 2001. Supports 6 functions: 224, 256, 384 and 512-bit hashes, and two truncated versions of the 512-bit hash (SHA-512/224, SHA-512/256)
    • No collision attacks on SHA-2 as yet. The best attack so far assumes reduced rounds of the algorithm (46 rounds)
  • SHA-3: published in 2015. Also known as Keccak

MD5

Input message x → append pad → append length → 512-bit blocks → rounds → 128-bit hash

• Padding: a 1 bit and then 0s are appended so that the length is a multiple of 512 minus 64, i.e. 448 mod 512
• The message length is appended (in 64 bits) and the result is split into blocks of 512 bits (32 bits × 16 words)
• The 128-bit state is four 32-bit limbs A, B, C, D
• Each 512-bit block is processed in 4 rounds; each round has 16 similar operations of a modified Feistel form, each mixing one 32-bit message part and a constant into the state
• The final state is the 128-bit hash
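The padding and chaining of the iterated-hash and MD5 slides as runnable code, an added example that is not the deck's code: md5_pad implements the 0x80, zero-fill to 448 mod 512, 64-bit little-endian length rule, and iterated_hash chains a compress function from an IV over the 512-bit blocks. The compress function is a stand-in built from SHA-256 (an assumption for this example; MD5's real compress is the 4 × 16-operation structure above), so the output is not MD5, only the construction is.

```python
"""Merkle-Damgard padding and the iterated-hash loop of the slides (added example, stdlib only)."""
import hashlib

BLOCK_BYTES = 64      # t = 512 bits per block
STATE_BYTES = 16      # m = 128 bits of chaining value (MD5-sized)


def md5_pad(x):
    """Append 1 then 0s so that the length is 448 mod 512, then the message length in 64 bits."""
    bit_len = 8 * len(x)
    padded = x + b"\x80"                                   # the single 1 bit, then 7 zero bits
    padded += b"\x00" * ((56 - len(padded)) % 64)          # zero-fill to 56 mod 64 bytes
    return padded + bit_len.to_bytes(8, "little")          # MD5 is little-endian; SHA-1/2 use big-endian


def compress(h, block):
    """Stand-in compress: {0,1}^(m+t) -> {0,1}^m, here SHA-256 of chaining value || block, cut to m bits."""
    return hashlib.sha256(h + block).digest()[:STATE_BYTES]


def iterated_hash(x, iv=bytes(STATE_BYTES)):
    """Pad, split into t-bit blocks, chain compress from the IV, return the final chaining value."""
    y = md5_pad(x)
    h = iv
    for i in range(0, len(y), BLOCK_BYTES):
        h = compress(h, y[i:i + BLOCK_BYTES])
    return h                                               # no post-processing step g here


def block_count(x):
    """Number of 512-bit blocks the padded message occupies; the length field can push it up by one."""
    return len(md5_pad(x)) // BLOCK_BYTES
```

Because the whole chaining value is output as the digest, this construction (like MD5 and SHA-1) is length-extendable: knowing h(x) and len(x) lets anyone continue the chain over md5_pad(x) || suffix, which is why the HMAC construction at the end of the deck wraps the hash in a second keyed call rather than using h(K || x).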

Collisions in MD5 (Timeline)

• A birthday attack on MD5 has complexity 2^64: small enough to brute-force a collision search
• 1996: collisions on the inner functions of MD5 found
• 2004: collisions demonstrated practically
• 2007: chosen-prefix collisions demonstrated: given two different prefixes p1, p2, find two appendages m1 and m2 such that hash(p1 || m1) = hash(p2 || m2)
• 2008: rogue SSL certificates generated
• 2012: MD5 collisions used in cyberwarfare: the Flame malware used an MD5 chosen-prefix collision to fake a Microsoft digital code signature

MD5 collision demos: http://www.mscs.dal.ca/~selinger/md5collision/

Collision attack on MD5-like hash functions

• Analyze differential trails: two messages M, N whose input difference leads to ΔH = 0 in the hash output
• A bit different from block ciphers:
  • No secret key is involved
  • We can choose M and N as we want
• We have a valid attack if the probability of the trail is P > 2^{−N/2}, where N is the digest length in bits (i.e. the trail beats the generic birthday attack)

Wang and Yu made it possible to find two pairs of blocks (m_i, m_{i+1}) and (n_i, n_{i+1}) such that

  F(F(s, m_i), m_{i+1}) = F(F(s, n_i), n_{i+1})

where F is the compression function and s is some state of the hash function (can be anything). The method makes it possible to construct two strings

  m_0, m_1, m_2, …, m_i, m_{i+1}, …, m_k
  m_0, m_1, m_2, …, n_i, n_{i+1}, …, m_k

which have the same MD5 hash.

Example of an MD5 collision

Block 1 and Block 2: two 512-bit blocks with the same MD5 hash (the hex dumps of the slide did not survive extraction)

A Visualization of the Collision: http://www.links.org/?p=6

• The difference is in just one MSB of the two blocks

SHA-1

• Input message x (may be of any length less than 2^64 bits), padded and split into 512-bit blocks
• Each block is 16 words; each word is 32 bits (512/16 = 32)
• The 16 words are expanded to 80 words, one per step
• IV of five 32-bit words; 32 × 5 = 160-bit hash output

Keccak and SHA-3

• Uses a sponge construction over a state of r + c bits: r is the bitrate (the part into which message blocks are XORed) and c is the capacity, the security parameter that is never exposed
• Achieves variable-length hash functions (squeeze out as many output bits as needed)
• Success of a generic attack against Keccak < N^2 / 2^{c+1}, where N is the number of calls to the permutation f

Message Authentication Codes (Keyed Hash Functions)

Alice sends the message "Attack at Dawn!!" and y = h_K(x) over the unsecured channel; Bob recomputes h_K(x) with the shared key K and compares.

Provides integrity and authenticity:
• Integrity: messages are not tampered with
• Authenticity: Bob can verify that the message came from Alice
• (Does not provide non-repudiation, since Bob holds the same key and could have produced the tag himself)

CBC-MAC

h_K(m0 || m1 || m2 || m3) = e_K(m3 ⊕ e_K(m2 ⊕ e_K(m1 ⊕ e_K(m0 ⊕ IV))))

The message is run through CBC encryption and only the last ciphertext block is kept as the tag. The IV is fixed to zero (an IV that travels with the tag would let an attacker change m0 without changing the tag), and plain CBC-MAC is only secure for messages of one fixed length; for variable-length messages use CMAC or a length-prefixed variant.

Birthday Attack on CBC-MAC

By the birthday paradox, in 2^64 steps (assuming a 128-bit cipher) a collision will arise among the chaining values. Let's assume that the collision occurs in the a-th and b-th step:

  c_a = c_b
  E_k(m_a ⊕ c_{a−1}) = E_k(m_b ⊕ c_{b−1})
  thus m_a ⊕ c_{a−1} = m_b ⊕ c_{b−1}
  m_a ⊕ m_b = c_{a−1} ⊕ c_{b−1}

From the collision a second message with the same tag is built:

  M1 = m_1 || m_2 || … || m_i || … || m_n
  M2 = m_1 || m_2 || … || (m_i ⊕ c_{a−1} ⊕ c_{a−2}) || … || m_n

HMAC

• FIPS standard for MACs (FIPS 198)
• Based on an unkeyed hash function (SHA-1 in the formula below; any iterated hash can be used)

  HMAC_K(x) = SHA1((K ⊕ opad) || SHA1((K ⊕ ipad) || x))

  where K is first padded to the hash's block length, and ipad and opad are predefined constants
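HMAC-SHA1 written directly from the formula above and checked against the standard library's hmac module, as an added example that is not the deck's code: the key is zero-padded (or hashed first when longer) to the 64-byte SHA-1 block, ipad = 0x36 and opad = 0x5C repeated over the block are the predefined constants, and verify_mac shows the constant-time comparison Bob should use on the receiving side. The test vectors in the usage are the first two cases of RFC 2202.

```python
"""HMAC-SHA1 from the definition, cross-checked with hmac.new (added example, standard library only)."""
import hashlib
import hmac

BLOCK_SIZE = 64          # SHA-1 processes 512-bit blocks


def hmac_sha1(key, msg):
    """HMAC_K(x) = SHA1((K' xor opad) || SHA1((K' xor ipad) || x)), K' = key brought to one block."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()                 # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")                 # then zero-padded to the block size
    ipad = bytes(k ^ 0x36 for k in key)                  # the predefined constants of the slide
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def verify_mac(key, msg, tag):
    """Bob's check; constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


def matches_stdlib(key, msg):
    """Sanity check of the hand-written version against Python's hmac module."""
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()


if __name__ == "__main__":
    print(hmac_sha1(b"\x0b" * 20, b"Hi There").hex())   # RFC 2202 test case 1
```

The outer hash call is what distinguishes HMAC from the naive SHA1(K || x): with the latter, anyone holding a valid tag could extend the message using the length-extension property of iterated hashes.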