Date posted: 01-Jan-2016
Chapter 7 Cryptographic Hashing
Cryptography: Principles and Practice
Harbin Institute of Technology, School of Computer Science and Technology
Zhijun Li, http://cst.hit.edu.cn/~lizhijun
Zhijun Li S1034040/Autumn08/HIT 2
Outline
• Message Authentication
• Cryptographic Hashing
• Birthday Attack
• Cryptographic Hashing Construction
• Hashing Algorithms
• Message Authentication Code
Security Goals
• Confidentiality / secrecy / privacy:
– How to keep a message secret so that it can be read only by a chosen person
– Use encryption
• Integrity:
– How to determine that a string of symbols has not been changed since it was created
– Use ?
Message Authentication
• A procedure to verify that a received message comes from the alleged source and has not been altered
Naïve Idea
• Alice encrypts the message using a key K; Oscar does NOT know K
• BUT Oscar can still modify the ciphertext in transit. What does Bob get then?
[Figure: Alice sends the ciphertext to Bob; Oscar, sitting between them, alters it]
Message Encryption
• Using symmetric encryption only: A sends X = E_K(M)
• If M is meaningful (e.g. readable text), B can check whether Y = D_K(X) looks legitimate
• But if M is a binary file or a compressed file, any decryption looks equally plausible, so B cannot tell a modified ciphertext from a genuine one
Improved Model
• Method: give the plaintext some well-formed structure before encrypting it, so that a modified ciphertext decrypts to something without that structure
• Example: append an error detection code
• A hash code provides that structure for the message:
– Keyed hash (MAC)
– Encrypt (Message + Hash)
Conventional Hashing
[Figure: ten buckets 0–9 and the hash H(char s[]) = (s[0] – 'a') mod 10: "dog" goes to bucket 3, "horse" to bucket 7, and "neanderthal" to (13 mod 10) = 3, colliding with "dog"]
Definition of Hashing
• A hash function is a function h with the following two properties:
– 1. compression: h: {0,1}* → {0,1}^n
• many-to-one mapping
• so collisions can (and must) happen
– 2. ease of computation: given h and an input x, h(x) is easy to compute
• Example:
– Checksums in communication protocols
An Example Using Hashing
[Figure: Alice sends Bob the message "I owe you"; Bob shows the same "I owe you" to the Judge]
• Alice wants to send Bob an "I owe you" message
• Bob should be able to show the message to a judge to compel Alice to pay up
IOU Protocol
[Figure: Alice holds the key pair {KUA, KRA} and sends Bob the pair (M, E_KRA[H(M)]); Bob forwards the same pair to the Judge; both Bob and the Judge know the public key KUA]
• Bob can verify H(M): decrypt E_KRA[H(M)] with KUA and compare the result with H(M)
• Bob cannot forge a (M, E_KRA[H(M)]) pair without knowing KRA
But Without Collision Resistance
• Suppose we use H(char s[]) = (s[0] – 'a') mod 10
• Alice sends Bob: "I, Alice, owe Bob $2.", E_KRA[H(M)]
• Bob sends the Judge: "I, Alice, owe Bob $200000000000.", E_KRA[H(M)]
– both messages start with the same character, so they have the same hash
• The Judge validates E_KUA[E_KRA[H(M)]] = H("I, Alice, owe Bob $200000000000.") and makes Alice pay
For Cryptographic Hash Functions
• Preimage resistant (one-wayness):
– Given y ∈ Y, it is computationally infeasible to find a value x ∈ X s.t. h(x) = y
• 2nd preimage resistant (weak collision resistant):
– Given x ∈ X, it is computationally infeasible to find a value x' ∈ X s.t. x' ≠ x and h(x') = h(x)
• Collision resistant (strong collision resistant):
– It is computationally infeasible to find two distinct values x', x ∈ X s.t. h(x') = h(x)
Strong Collision Resistance
• Strong collision resistance ⇒ weak collision resistance: a 2nd-preimage finder gives a collision finder
– CollisionToSecondPreimage(h) { select x ∈ X; if 2ndPreimage(h, x) = x' then return (x, x') }
• Strong collision resistance ⇒ one-wayness (when |X| ≥ 2|Y|): a preimage finder gives a collision finder with probability at least 1/2
– CollisionToPreimage(h) { select x ∈ X; y = h(x); if Preimage(h, y) = x' and x ≠ x' then return (x, x') }
CollisionToPreimage
• A Las Vegas algorithm: Pr[CollisionToPreimage(h) = success] = ?
– [x] = {x' ∈ X | h(x') = h(x)}, the class of all inputs colliding with x
– C = {[x] | x ∈ X}; with h onto Y, |C| = |Y|
– The algorithm succeeds exactly when the preimage x' returned for y = h(x) is not x itself; for a preimage oracle that returns a uniformly chosen element of [x], this has probability (|[x]| − 1)/|[x]|, so
– Pr[success] = (1/|X|) Σ_{x∈X} (|[x]| − 1)/|[x]|
  = (1/|X|) Σ_{c∈C} Σ_{x∈c} (|c| − 1)/|c|
  = (1/|X|) Σ_{c∈C} (|c| − 1)
  = (1/|X|) (Σ_{c∈C} |c| − Σ_{c∈C} 1)
  = (1/|X|) (|X| − |Y|)
  ≥ (1/|X|) (|X| − |X|/2) = 1/2, assuming |X| ≥ 2|Y|
Using Hash Functions
• Message Authentication
• Software Integrity
• Digital Signature
• One-time Passwords
• ……
Example: Digital Signature
[Figure: a digital signature: the hash of the message is signed with the private key and verified with the public key]
Example: UNIX Password
• UNIX keeps the passwords in the file /etc/passwd, which can be read by anyone (modern systems move the hashes to /etc/shadow, readable only by root)
• What is stored is not the password itself but the result of hashing the password
– A brute-force attacker can precompute a dictionary of hashes of likely passwords and compare it against every stored hash at once
– To improve security, UNIX adds a random value (the salt) to the password before hashing; the salt is stored in the clear, so the legitimate check still works, but a precomputed dictionary no longer applies and two users with the same password get different hashes
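The salting argument above, as an added example that is not part of the original slides: a Python script (the word list WORDLIST, the user passwords and the iteration count ITERATIONS are constructed for the demo) that builds the attacker's precomputed dictionary against unsalted hashes and then shows that, with a random per-user salt and a slow key derivation function (hashlib's PBKDF2-HMAC), the dictionary cannot be reused and equal passwords no longer yield equal hashes.

```python
import hashlib
import os

# Constructed toy word list and iteration count for the demo (not real data)
WORDLIST = [b"password", b"letmein", b"hunter2", b"qwerty", b"dragon", b"welcome1"]
ITERATIONS = 20_000  # deliberately slow KDF; real deployments use larger counts


def unsalted_hash(password: bytes) -> str:
    """The scheme the slide warns about: hash(password) only, identical for every user."""
    return hashlib.sha256(password).hexdigest()


def salted_hash(password: bytes, salt: bytes) -> str:
    """Salt + slow KDF (PBKDF2-HMAC-SHA256); the salt is stored in clear next to the hash."""
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS).hex()


def precomputed_table() -> dict:
    """The attacker's dictionary: hash every word once, reuse against every stored hash."""
    return {unsalted_hash(w): w for w in WORDLIST}


def crack_unsalted(stored: str, table: dict):
    return table.get(stored)  # one lookup per user, no hashing at attack time


def crack_salted(stored: str) -> tuple:
    """Against a salted hash the attacker must redo the whole word list for each user."""
    salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    work = 0
    for w in WORDLIST:
        work += 1
        if salted_hash(w, salt) == stored:
            return w, work
    return None, work


def demo() -> dict:
    # Two users who happen to share a weak password.
    alice_pw = bob_pw = b"hunter2"
    table = precomputed_table()
    u_alice, u_bob = unsalted_hash(alice_pw), unsalted_hash(bob_pw)
    s_alice = salted_hash(alice_pw, os.urandom(16))
    s_bob = salted_hash(bob_pw, os.urandom(16))
    return {
        "unsalted_equal": u_alice == u_bob,        # leaks that they share a password
        "unsalted_cracked": crack_unsalted(u_alice, table),
        "salted_equal": s_alice == s_bob,          # different salts, different hashes
        "salted_crack": crack_salted(s_alice),     # still crackable, but only with per-user work
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The salt does not stop guessing a single weak password; it removes the one-time precomputation and the cross-user reuse, and the slow KDF multiplies the cost of every remaining guess.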
Birthday Problem
• Problem: in a group of q persons, what is the probability p of finding two different persons with the same birthday?
Solution
• The probability that q persons all have different birthdays is
  (365/365)(364/365)(363/365)…((365 − q + 1)/365)
• p = 1 − (1 − 1/365)(1 − 2/365)(1 − 3/365)…(1 − (q − 1)/365)
• If q = 23, p ≈ 0.507, so already p > 0.5
• 23 is so small!
General Solution
• Replace 365 by M possible values: for an n-bit hash output, M = 2^n
• p = 1 − (1 − 1/M)(1 − 2/M)…(1 − (q − 1)/M)
– For very small x, 1 − x ≈ e^(−x), because e^(−x) = 1 − x + x^2/2! − x^3/3! + …
• p ≈ 1 − e^(−(1/M + 2/M + … + (q − 1)/M)) = 1 − e^(−q(q − 1)/(2M))
• q^2 − q ≈ 2M ln(1/(1 − p))
• q ≈ (2M ln(1/(1 − p)))^(1/2)
General Solution
• For any p: q ≈ C·√M, with C = (2 ln(1/(1 − p)))^(1/2)
• p = 0.5: q ≈ 1.17·√M
• M = 365, p = 0.5: q ≈ 22.5
For Cryptographic Hashing
• For strong collision resistance: the birthday attack finds a collision of an n-bit hash with about 2^(n/2) evaluations, so
– the length of the hash output should be double the key length of the block cipher it is used with (to reach the same security level)
– 64 bits is too short (about 2^32 work)
– normally 128–512 bits
– SHA-256, SHA-384, SHA-512
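The birthday analysis above, as an added example that is not part of the original slides: Python code that evaluates the exact probability and the (2M ln(1/(1 − p)))^(1/2) approximation, then runs the attack against an n-bit hash modelled by truncating SHA-256 to its leading n bits (the modelling choice and the "msg-" input prefix are assumptions of the example). For a 32-bit output, M = 2^32 and a collision is expected after about 1.17·2^16 ≈ 77,000 hashes, which the attack reaches with a table of seen digests.

```python
import hashlib
import math


def collision_probability(M: int, q: int) -> float:
    """Exact p = 1 - (1 - 1/M)(1 - 2/M)...(1 - (q-1)/M) from the slides."""
    p_distinct = 1.0
    for i in range(1, q):
        p_distinct *= 1 - i / M
    return 1 - p_distinct


def birthday_bound(M: int, p: float = 0.5) -> float:
    """Approximation q ~ sqrt(2 M ln(1/(1-p))); for p = 0.5 this is about 1.17 * sqrt(M)."""
    return math.sqrt(2 * M * math.log(1 / (1 - p)))


def truncated_hash(msg: bytes, nbits: int) -> int:
    """Model an n-bit hash (M = 2^n) by keeping the leading n bits of SHA-256 (an assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)


def birthday_attack(nbits: int, prefix: bytes = b"msg-") -> tuple:
    """Hash distinct constructed messages until two share a truncated digest.
    Returns (number of hashes q, message 1, message 2); memory is the O(q) table of seen digests."""
    seen = {}
    q = 0
    while True:
        q += 1
        msg = prefix + str(q).encode()
        h = truncated_hash(msg, nbits)
        if h in seen:
            return q, seen[h], msg
        seen[h] = msg


if __name__ == "__main__":
    print("p(365, 23) =", round(collision_probability(365, 23), 4))
    print("q for M = 365 =", round(birthday_bound(365), 2))
    q, m1, m2 = birthday_attack(32)
    print(f"32-bit hash: collision after {q} hashes (bound {birthday_bound(2**32):.0f})")
```

Doubling the output length to 64 bits would push the expected work to about 2^32 hashes and the table to gigabytes; at 128 bits and above the attack is out of reach, which is the point of the next slide's output-length rule.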
From Compression Function
• Construct a hash function h: {0,1}* → {0,1}^m from a compression function f: {0,1}^(m+t) → {0,1}^m
• The compression function should have the same properties that are required of the hash function:
– preimage resistance (one-wayness)
– 2nd preimage resistance (weak collision resistance)
– collision resistance (strong collision resistance)
Model for Iterated Hashing
[Figure: iterated hashing: the padded message is split into blocks, and each block is fed through f together with the chaining value produced by the previous block]
Merkle-Damgard Construction
• A compression function f: {0,1}^(m+t+1) → {0,1}^m
• Construct a hash function h: {0,1}* → {0,1}^m
Merkle-Damgard: Example
• Compression function f: {0,1}^(128+512+1) → {0,1}^128
• Message x has 1000 bits:
– y1 = first 512 bits of x
– y2 = last 488 bits of x || 0^24
– y3 = 0^480 || 32-bit binary representation of 24 (the number of padding zeros)
– z1 = f(0^129 || y1); z1 has 128 bits
– z2 = f(z1 || 1 || y2)
– z3 = f(z2 || 1 || y3)
– z3 is the message digest
Merkle-Damgard: Example
• Suppose message x' has 488 bits and h(x) = h(x')
– y1' = x' || 0^24
– y2' = 0^480 || 32-bit binary representation of 24
– z1' = f(0^129 || y1')
– z2' = f(z1' || 1 || y2'), and z2' = h(x') = h(x) = z3
• Then f(z1' || 1 || y2') = f(z2 || 1 || y3), and y3 = y2'
– if z1' ≠ z2, then a collision has been found for f
– if z1' = z2, then f(0^129 || y1') = f(z1 || 1 || y2); the two inputs differ in bit 129 (0 versus 1), so this is also a collision for f
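The padding and chaining rules of the two Merkle-Damgard example slides, as an added example that is not taken from the original slides: Python code with m = 128, t = 512 and a stand-in compression function f built from SHA-256 (an assumption of the example; it only needs the right input and output shape). It reproduces the blocks y1, y2, y3 for a 1000-bit x and y1', y2' for the 488-bit x', and also shows what the final length block y_{k+1} buys: without it, x' and x' || 0^24 pad to the same single block and collide for free, which is exactly the case the security proof rules out.

```python
import hashlib
import math

M_BITS = 128   # output length m of the compression function
T_BITS = 512   # block length t


def f(bits: str) -> str:
    """Stand-in compression function f: {0,1}^(m+t+1) -> {0,1}^m, constructed for the demo
    from SHA-256 over the bit string (not a real design)."""
    assert len(bits) == M_BITS + T_BITS + 1 and set(bits) <= {"0", "1"}
    digest = int.from_bytes(hashlib.sha256(bits.encode()).digest(), "big")
    return format(digest >> (256 - M_BITS), f"0{M_BITS}b")


def md_blocks(x: str, t: int = T_BITS) -> list:
    """Padding as on the slides: t-bit blocks y1..yk, the last one filled with d zeros,
    followed by y_(k+1) = the number d written as a t-bit binary number."""
    n = len(x)
    k = max(1, math.ceil(n / t))
    d = k * t - n
    padded = x + "0" * d
    ys = [padded[i * t:(i + 1) * t] for i in range(k)]
    ys.append(format(d, f"0{t}b"))
    return ys


def md_hash(x: str, with_length_block: bool = True) -> str:
    """Merkle-Damgard: z1 = f(0^(m+1) || y1), z_(i+1) = f(z_i || 1 || y_(i+1)); digest = last z.
    with_length_block=False drops y_(k+1) to show why it is needed."""
    ys = md_blocks(x)
    if not with_length_block:
        ys = ys[:-1]
    z = f("0" * (M_BITS + 1) + ys[0])
    for y in ys[1:]:
        z = f(z + "1" + y)
    return z


def demo() -> dict:
    # A constructed 1000-bit x; the 488-bit x' of the slides is taken as the last 488 bits of x.
    x = "".join(format(b, "08b") for b in hashlib.sha256(b"seed").digest() * 4)[:1000]
    x_prime = x[512:]
    ys, ys_prime = md_blocks(x), md_blocks(x_prime)
    return {
        "y_blocks_of_x": ys,
        "y2_equals_y1_prime": ys[1] == ys_prime[0],   # both are x' || 0^24
        "y3_equals_y2_prime": ys[2] == ys_prime[1],   # both are 0^480 || bin32(24)
        # Without the length block, x' and x' || 0^24 pad to the same single block.
        "collide_without_length": md_hash(x_prime, False) == md_hash(x_prime + "0" * 24, False),
        "collide_with_length": md_hash(x_prime) == md_hash(x_prime + "0" * 24),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v if k != "y_blocks_of_x" else [len(b) for b in v])
```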
Security of Merkle-Damgard
• Theorem: If f: {0,1}^(m+t+1) → {0,1}^m is collision resistant, then the Merkle-Damgard construction h: {0,1}* → {0,1}^m is collision resistant
• Proof:
– Idea: suppose we find x ≠ x' such that h(x) = h(x'); we show that we can then find a collision for f
– Let y(x) = y_1 || y_2 || … || y_{k+1}
– Let z_1, z_2, …, z_{k+1} be the intermediate results of h(x), so h(x) = z_{k+1} = f(z_k || 1 || y_{k+1})
– Let y(x') = y_1' || y_2' || … || y_{n+1}'
– h(x) = f(z_k || 1 || y_{k+1}) = h(x') = z_{n+1}' = f(z_n' || 1 || y_{n+1}')
Security of Merkle-Damgard
• f(z_k || 1 || y_{k+1}) = f(z_n' || 1 || y_{n+1}')
• Case 1: |x| ≢ |x'| (mod t)
– the numbers of padding bits differ, so y_{k+1} ≠ y_{n+1}'
– a collision for f has been found
• Case 2a: |x| = |x'|, so k = n
– if z_k ≠ z_k', a collision has been found
– if z_k = z_k', then f(z_{k−1} || 1 || y_k) = z_k = z_k' = f(z_{k−1}' || 1 || y_k')
• if y_k ≠ y_k', a collision has been found
• otherwise consider z_{k−1} and z_{k−1}' in the same way … either a collision is found at some step, or y_i = y_i' for all i, hence y = y' and x = x', a contradiction
Security of Merkle-Damgard
• f(z_k || 1 || y_{k+1}) = f(z_n' || 1 || y_{n+1}')
• Case 2b: |x| ≡ |x'| (mod t) and |x| ≠ |x'|, say k < n
– y_{k+1} = y_{n+1}'
– if z_k ≠ z_n', a collision has been found
– if z_k = z_n', then f(z_{k−1} || 1 || y_k) = z_k = z_n' = f(z_{n−1}' || 1 || y_n')
• if y_k ≠ y_n', a collision has been found
• otherwise consider z_{k−1} and z_{n−1}' … either a collision is found, or after k steps we reach
– f(0^{m+1} || y_1) = f(z_j' || 1 || y_{j+1}') with j = n − k ≥ 1
– the two inputs differ in bit m+1 (0 versus 1), so a collision has been found
Merkle-Damgard2 Construction (the case t = 1)
• A compression function compress: {0,1}^(m+1) → {0,1}^m
• Construct a hash function h: {0,1}* → {0,1}^m
– Define the bit encoding f: f(0) = 0, f(1) = 01
– n = |x|
– y = 11 || f(x_1) || f(x_2) || … || f(x_n)
– write y = y_1 || y_2 || … || y_k (single bits)
– g_1 = compress(0^m || y_1)
– for i = 1 to k − 1: g_{i+1} = compress(g_i || y_{i+1})
– return g_k
Security of Merkle-Damgard2
• Suppose x ≠ x' such that h(x) = h(x')
• y(x) = y_1 y_2 … y_k; y(x') = y_1' y_2' … y_l'
• compress(g_{k−1} || y_k) = compress(g_{l−1}' || y_l')
• Case 1: k = l
– either a collision for compress is found at some step, or y_i = y_i' for all i, so y = y' and x = x' (contradiction)
• Case 2: k ≠ l, say l > k
– either a collision for compress is found, or y_k = y_l', y_{k−1} = y_{l−1}', …, y_1 = y_{l−k+1}'
– but y_1 y_2 = 11, while the encoding f(0) = 0, f(1) = 01 never produces two consecutive 1s after the leading 11, so y_{l−k+1}' y_{l−k+2}' = 11 with l − k + 1 > 1 is impossible (contradiction)
Structure of Hash Algorithms
[Figure: message blocks Y_0, Y_1, …, Y_{L−1} of b bits each are fed to the compression function f together with an n-bit chaining vector: CV_0 = IV, then CV_1, …, CV_{L−1}, CV_L]
• IV = initial vector; CV = chaining vector; Y_i = the ith message block; f = compression function; n = hash value length; b = block length
• CV_0 = IV = initial n-bit value
• CV_i = f(CV_{i−1}, Y_{i−1}) for 1 ≤ i ≤ L
• H(M) = CV_L
MD5 Overview
[Figure: a K-bit message is followed by padding (a 1 bit then 0s, 1 to 512 bits in total) and by the 64-bit message length (K mod 2^64), giving L blocks Y_0, …, Y_{L−1} of 512 bits (L × 512 bits = N × 32-bit words); each block is processed by H_MD5 together with the 128-bit chaining vector (IV, CV_1, …, CV_{L−1}) to produce the 128-bit digest]
MD5 Details
• Step 1) Pad the message with a 1 bit followed by as many 0 bits as needed so that its length ≡ 448 (mod 512)
• Step 2) Append the original message length as a 64-bit little-endian value
• Step 3) Initialize the 4-word (128-bit) buffer (A, B, C, D): A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476 (hexadecimal)
• Step 4) Process the message in 512-bit blocks (Y_0, Y_1, …, Y_{L−1}), each with 4 rounds of 16 steps
H_MD5: 4 Rounds
[Figure: the 512-bit block Y_q and the 128-bit CV_q enter four rounds of 16 steps each: round 1 uses F with T[1…16], round 2 uses G with T[17…32], round 3 uses H with T[33…48], round 4 uses I with T[49…64]; every round consumes the 16 words X[i] of Y_q in a different order; the buffer (A, B, C, D) leaving round 4 is added word by word (+ is addition mod 2^32) to CV_q to give CV_{q+1}]
MD5 Compression Function
[Figure: one MD5 step: a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s), after which the words (A, B, C, D) are rotated one position]
• Each round has 16 steps of the form
  a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
– a, b, c, d = the 4 words of the buffer (rotated after each step)
– g = a different nonlinear function in each round (F, G, H, I):
  F(X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)
  G(X, Y, Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)
  H(X, Y, Z) = X ⊕ Y ⊕ Z
  I(X, Y, Z) = Y ⊕ (X ∨ ¬Z)
– X[k] = the kth 32-bit word of the qth 512-bit data block
– T[i] = the ith 32-bit word of the T table, T[i] = ⌊2^32 · |sin(i)|⌋ with i in radians
– <<< s = circular left shift by s bits; + is addition mod 2^32
MD5 Cryptanalysis
• Berson (1992):
– For single-round MD5, he finds collisions using differential cryptanalysis
– The attack does not work for 4-round MD5
• den Boer & Bosselaers (1993):
– Found a pseudo-collision (same message, two different IVs)
• Dobbertin (1996):
– Created collisions for the MD5 compression function with a chosen IV
• Wang, Feng, Lai, Yu (2005):
– Works for any IV
– Easy to find multiple collisions
• Consequence: MD5 collisions are practical today (seconds on a laptop), so MD5 must not be used where collision resistance matters: signatures, certificates, software integrity
SHA-1 Overview
[Figure: as for MD5, a K-bit message is followed by padding (1 to 512 bits) and by the 64-bit length (K mod 2^64), giving L blocks of 512 bits; each block is processed by the SHA-1 compression function together with the 160-bit chaining vector (IV, CV_1, …, CV_{L−1}) to produce the 160-bit digest]
SHA-1 Details
• Step 1) As in MD5, the message is padded (a 1 bit, 0s, then the 64-bit length, here big-endian) so that its length is a multiple of 512 bits
• Step 2) Initialize the 5-word (160-bit) buffer (A, B, C, D, E): A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0 (hexadecimal)
• Step 3) The message is processed in 512-bit blocks:
– expand the 16 words of the block into 80 words by mixing and shifting
– use 4 rounds of 20 operations on the message block and the buffer
4 Rounds of SHA-1
[Figure: the 5 32-bit words of the buffer pass through 4 rounds with 4 different functions, 80 steps in total]
SHA-1 Compression Function
[Figure: one step: the word W_t derived from the 512-bit input block, the fixed constant K_t, and A circularly left-shifted by 5 bits are added to E and f(t, B, C, D)]
SHA-1 Compression Function
• Each round consists of 20 steps
– (A, B, C, D, E) ← (E + f(t, B, C, D) + (A <<< 5) + W_t + K_t, A, B <<< 30, C, D)
– t is the step number (0 ≤ t ≤ 79)
– f(t, B, C, D) is the non-linear function of the round
– W_t is derived from the message block: W_0, …, W_15 are the 16 words of the block, and for t ≥ 16
  W_t = S^1(W_{t−16} ⊕ W_{t−14} ⊕ W_{t−8} ⊕ W_{t−3})
– K_t is one of four round constants (5A827999, 6ED9EBA1, 8F1BBCDC, CA62C1D6: the integer parts of 2^30·√2, 2^30·√3, 2^30·√5, 2^30·√10), unlike MD5's sine-derived table
– S^k is circular left shift by k bits
f(t, B, C, D) in SHA-1
Step | Function value | Comment
0 ≤ t ≤ 19 | (B ∧ C) ∨ (¬B ∧ D) | if B then C else D
20 ≤ t ≤ 39 | B ⊕ C ⊕ D | parity of B, C and D
40 ≤ t ≤ 59 | (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D) | majority: 2 or 3 of B, C, D are true
60 ≤ t ≤ 79 | B ⊕ C ⊕ D | parity of B, C and D
SHA-1 Cryptanalysis
• Brute force:
– The birthday attack is harder than for MD5 (160 vs 128 bits: about 2^80 vs 2^64 work)
• Remarks on the SHA-1 operation:
– SHA-1 shuffles using rotates and XORs
– forms a more complex output
– makes finding collisions more difficult
– SHA-1 was still considered secure when these slides were written (2008), although Wang, Yin and Yu had already estimated collisions in about 2^69 work in 2005; a practical collision was published in 2017 (SHAttered) and chosen-prefix collisions in 2020, so SHA-1 is no longer acceptable for signatures or certificates
Keyed Hashing Review
[Figure: a MAC: the message and a secret key go into a keyed hash, which outputs the authenticator]
Message Authentication Code
• A MAC is a cryptographic checksum that
– condenses a variable-length message M
– using a secret key K
– to a fixed-size authenticator
– MAC = C_K(M)
Requirements for MAC
• Without knowing K, an adversary cannot produce a new message M' together with a valid C_K(M') (forgery attack), and cannot find M ≠ M' with C_K(M) = C_K(M')
[Figure: the forger must output M' || ??? with ??? = C_K(M')]
MAC Security
• The pair (x, z) is called a forgery if z = MAC_K(x) and x was not among the adversary's queries
• An (ε, q)-forger can produce a forgery with probability ε after making q queries
• From a cryptographic (iterative) hash function h: C_K(M) = h(M) with K as IV
– there is a (1, 1)-forger
C_K(M) = h(M) with K as IV
• Is this secure?
– Given a message x and its MAC C_K(x), the adversary can construct x' and C_K(x'):
– Let pad(x) be the padding added to x
– Let x' = x || pad(x) || w and y' = x' || pad(x') = y_1 || … || y_r || y_{r+1} || … || y_n, where y_1 || … || y_r = x || pad(x)
– z_{r+1} = compress(C_K(x) || y_{r+1})
– z_{r+2} = compress(z_{r+1} || y_{r+2})
– …
– C_K(x') = z_n: we need NOT know K, since the known MAC is exactly the chaining value after x || pad(x), and pad(x) depends only on |x|
HMAC
[Figure: HMAC: inner hash of (K+ ⊕ ipad) || M, outer hash of (K+ ⊕ opad) || inner hash]
• K+ is the key padded out with zeros to the input block size of the hash function
• ipad = 36 36 … 36, opad = 5C 5C … 5C (hexadecimal bytes, one block long)
• HMAC_K(M) = Hash[(K+ ⊕ opad) || Hash[(K+ ⊕ ipad) || M]]
HMAC Security
• HMAC_K(M) = Hash[(K+ ⊕ opad) || Hash[(K+ ⊕ ipad) || M]]
– Nested MAC: the outer hash hides the inner chaining value, so the length-extension attack on the previous slide does not apply
– If using SHA-1, there are NO known practical attacks against HMAC; this still holds now that SHA-1 collisions are practical, because HMAC relies on the compression function behaving as a PRF rather than on collision resistance
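The MD5 compression function, the length-extension forgery against C_K(M) = h(M) with a secret IV, and the reason HMAC resists it, as one added example that is not taken from the original slides. The MD5 code below is written for this page from the step equation and T table given above (the per-step rotation amounts s are the standard ones) and is checked against hashlib. The MAC uses the secret-prefix form MD5(K || M), which falls to the same attack as the K-as-IV form of the slides; KEY and the messages are constructed for the demo. The forger uses only |K|, |x| and C_K(x), never K.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)            # step 3 on the slides
# Per-step rotation amounts s and the T table T[i] = floor(2^32 * |sin(i)|), i = 1..64 (radians)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK


def md5_compress(cv: tuple, block: bytes) -> tuple:
    """H_MD5: 128-bit CV_q and 512-bit block Y_q -> CV_(q+1); 4 rounds of 16 steps."""
    X = struct.unpack("<16I", block)
    a, b, c, d = cv
    for i in range(64):
        if i < 16:                                   # round 1: F, X[i]
            g, k = (b & c) | (~b & d), i
        elif i < 32:                                 # round 2: G, X[(5i+1) mod 16]
            g, k = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                                 # round 3: H, X[(3i+5) mod 16]
            g, k = b ^ c ^ d, (3 * i + 5) % 16
        else:                                        # round 4: I, X[7i mod 16]
            g, k = c ^ (b | ~d), (7 * i) % 16
        # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then rotate the registers
        new_b = (b + rotl((a + (g & MASK) + X[k] + T[i]) & MASK, S[i])) & MASK
        a, b, c, d = d, new_b, b, c
    return tuple((u + v) & MASK for u, v in zip(cv, (a, b, c, d)))   # + mod 2^32


def md5_padding(total_len: int) -> bytes:
    """Steps 1-2: a 1 bit, zeros up to 448 mod 512, then the 64-bit little-endian bit length."""
    zeros = b"\x00" * ((55 - total_len) % 64)
    return b"\x80" + zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5(msg: bytes, cv: tuple = IV, prior_len: int = 0) -> bytes:
    """MD5 of msg. cv/prior_len resume from a known chaining value after prior_len bytes
    (a multiple of 64) have already been absorbed: this is all a length extension needs."""
    data = msg + md5_padding(prior_len + len(msg))
    for off in range(0, len(data), 64):
        cv = md5_compress(cv, data[off:off + 64])
    return struct.pack("<4I", *cv)


def matches_hashlib(msg: bytes) -> bool:
    return md5(msg) == hashlib.md5(msg).digest()


KEY = b"hypothetical-key"   # constructed for the demo; the forger never reads it


def naive_mac(msg: bytes) -> bytes:
    """C_K(M) = MD5(K || M): the secret-prefix MAC the slide shows to be forgeable."""
    return md5(KEY + msg)


def extend(tag: bytes, key_len: int, msg_len: int, suffix: bytes) -> tuple:
    """Length extension: from C_K(x) and the lengths alone, compute C_K(x || pad || suffix)."""
    glue = md5_padding(key_len + msg_len)                 # pad(K || x), depends only on lengths
    cv = struct.unpack("<4I", tag)                        # the digest IS the chaining value
    forged = md5(suffix, cv, key_len + msg_len + len(glue))
    return glue + suffix, forged


def demo() -> tuple:
    x = b"amount=10&to=bob"
    appended, forged = extend(naive_mac(x), len(KEY), len(x), b"&amount=999999")
    naive_forgery_valid = naive_mac(x + appended) == forged
    # HMAC: the outer hash hides the inner chaining value, so the same trick gives a wrong tag
    tag = hmac.new(KEY, x, "md5").digest()
    appended, forged = extend(tag, len(KEY), len(x), b"&amount=999999")
    hmac_forgery_valid = hmac.compare_digest(hmac.new(KEY, x + appended, "md5").digest(), forged)
    return naive_forgery_valid, hmac_forgery_valid


if __name__ == "__main__":
    print("MD5 matches hashlib:", matches_hashlib(b"abc"))
    print("(naive MAC forged, HMAC forged) =", demo())
```

The forged message contains the glue padding bytes in the middle, which is why this attack matters most for formats that tolerate binary junk between fields (URL query strings, many binary protocols); an application that requires a specific structure around the secret does not make the MAC sound, HMAC does.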
CBC-MAC
[Figure: CBC mode with IV = 00…0: C_1 = DES_K(IV ⊕ P_1), C_2 = DES_K(C_1 ⊕ P_2), …, C_n = DES_K(C_{n−1} ⊕ P_n); C_n is the MAC]
CBC-MAC Security
• If the block cipher is secure, CBC-MAC is secure for messages of a fixed number of blocks
• NOT secure with variable lengths:
– Given three MAC pairs (x_1, y_1), (x_2, y_2), (x_1 || z, y_3), with x_1, x_2, z single blocks:
– y_1 = E_K[IV ⊕ x_1]
– y_2 = E_K[IV ⊕ x_2]
– y_3 = E_K[y_1 ⊕ z] = E_K[y_2 ⊕ (z ⊕ y_1 ⊕ y_2)]
– Let z' = z ⊕ y_1 ⊕ y_2; then (x_2 || z', y_3) is also a valid pair, a forgery produced without K
Improvement for CBC-MAC
• MAC of M = M_1 || … || M_n:
– z_0 = IV = 0^m
– z_i = E_K1(z_{i−1} ⊕ M_i) for 1 ≤ i ≤ n
– MAC = E_K1(D_K2(z_n))
• Defends against the previous attack: the published tag is no longer the chaining value the attacker needs
• Reduces the threat of exhaustive key search (two keys)
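The three-query forgery against CBC-MAC and the E_K1(D_K2(·)) fix, as an added example that is not from the original slides. DES is replaced by a small 64-bit Feistel cipher built on SHA-256 (constructed for the demo and not a secure cipher; any invertible block cipher behaves the same way here), and the keys and messages are made up.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as with DES


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy 64-bit Feistel cipher standing in for DES_K (constructed for the demo, not secure)."""
    l, r = block[:4], block[4:]
    for i in range(rounds):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return r + l


def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Plain CBC-MAC with IV = 0: z_i = E_K(z_(i-1) xor M_i), MAC = z_n."""
    assert len(msg) % BLOCK == 0, "whole blocks only"
    z = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        z = encrypt_block(key, _xor(z, msg[i:i + BLOCK]))
    return z


def cbc_mac_improved(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """The slides' improvement: MAC = E_K1(D_K2(z_n))."""
    return encrypt_block(k1, decrypt_block(k2, cbc_mac(k1, msg)))


def forge(x2: bytes, y1: bytes, y2: bytes, z: bytes, y3: bytes) -> tuple:
    """From (x1,y1), (x2,y2), (x1||z, y3): claim (x2 || z', y3) with z' = z xor y1 xor y2."""
    return x2 + _xor(z, _xor(y1, y2)), y3


def demo() -> tuple:
    k1, k2 = b"constructed-k1!!", b"constructed-k2!!"
    x1, x2, z = b"pay:0010", b"pay:9999", b"to:mallo"      # one block each
    # Three legitimately obtained tags under plain CBC-MAC
    y1, y2, y3 = cbc_mac(k1, x1), cbc_mac(k1, x2), cbc_mac(k1, x1 + z)
    msg, tag = forge(x2, y1, y2, z, y3)
    plain_forgery_valid = cbc_mac(k1, msg) == tag
    # The same three queries against the improved scheme: y1, y2 are no longer chaining values
    y1, y2, y3 = (cbc_mac_improved(k1, k2, m) for m in (x1, x2, x1 + z))
    msg, tag = forge(x2, y1, y2, z, y3)
    improved_forgery_valid = cbc_mac_improved(k1, k2, msg) == tag
    return plain_forgery_valid, improved_forgery_valid


if __name__ == "__main__":
    print("(plain CBC-MAC forged, improved CBC-MAC forged) =", demo())
```

The fix works because the attacker's z' has to cancel the real chaining value after x_2, and under the improved scheme that value is never published; the same idea (a final keyed transformation, or CMAC's tweaked last block) is what makes CBC-style MACs safe for variable-length messages.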
Summary
• Message Authentication
• Cryptographic Hash Functions
– Birthday attack
– Hashing structures
• Hash Algorithms
– MD5
– SHA
• MAC