Cryptographic Hash Functions (sconce.ics.uci.edu/134-w18/slides/lec5.pdf, 2018-01-23)
Lecture 5: Cryptographic Hash Functions
Read: Chapter 5 in KPS

Purpose
• CHF – one of the most important tools in modern cryptography and security
• CHF-s are used for many authentication, integrity, digital signature and non-repudiation purposes
• Not the same as "hashing" used in DBs or CRCs in communications
Cryptographic HASH Functions
• Purpose: produce a fixed-size "fingerprint" or digest of arbitrarily long input data
• Why? To detect any change to the input (integrity), provided the digest itself is protected (a digest sent alongside the data can simply be recomputed by whoever modifies the data)
• Properties of a "good" cryptographic HASH function H():
  1. Takes on input of any size
  2. Produces fixed-length output
  3. Easy to compute (efficient)
  4. Given any h, computationally infeasible to find any x such that H(x) = h
  5. For a given x, computationally infeasible to find y: H(y) = H(x) and y ≠ x
  6. Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y
Same Properties Re-stated:
• Cryptographic properties of a "good" HASH function:
  • One-way-ness (#4), also called preimage resistance
  • Weak collision-resistance (#5), also called second-preimage resistance
  • Strong collision-resistance (#6)
• Non-cryptographic properties of a "good" HASH function:
  • Efficiency (#3)
  • Fixed output (#2)
  • Arbitrary-length input (#1)
Construction
• A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (Mi)
• Merkle-Damgård construction:
  • A fixed-size "compression function"
  • Each iteration mixes an input block with the previous iteration's output
  • Sort of like a chained block cipher (CBC mode)
  • Produces a chaining value for each fixed-size block based on (1) its content and (2) the chaining value of the previous block: h0 = IV, hi = f(hi-1, Mi), and the output is hn
• "Avalanche" effect: a 1-bit change in the input produces "catastrophic" and unpredictable changes in the output
[Figure: the chain IV, M1 → f → h1; h1, M2 → f → h2; … ; hn-1, Mn → f → h]
Simple Hash Functions
• Bitwise-XOR of the message blocks
  • Not secure, e.g., for English text (ASCII < 128) the high-order bit of every byte is almost always zero, so the corresponding bits of the hash are predictable
  • Can be improved by rotating the hash code after each block is XOR-ed into it
  • If the message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed (this works with or without the rotation)
• Another weak hash example: the IP header checksum
Another Example
• IPv4 header checksum
• One's complement of the one's complement sum of the IP header's 16-bit words
• Detects accidental errors only: anyone who changes the header can recompute it, and many headers share each checksum value
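The XOR hash and the one-block forgery described above, as an added example (not code from the lecture): the rotation amount, block size and the two messages are assumptions chosen for the demo.

```python
# Added example (not from the lecture): block-wise XOR "hash" with optional
# rotation, the ASCII high-bit weakness, and the append-one-block forgery.

BLOCK = 8                       # 64-bit hash, 8-byte message blocks (assumed)
MASK = (1 << (BLOCK * 8)) - 1

def _rotl(x, r):
    r %= BLOCK * 8
    return ((x << r) | (x >> (BLOCK * 8 - r))) & MASK

def _rotr(x, r):
    return _rotl(x, BLOCK * 8 - (r % (BLOCK * 8)))

def xor_hash(msg, rotate=0):
    """XOR each 8-byte block into the running value, then rotate it left by
    `rotate` bits (rotate=0 is the plain bitwise-XOR hash from the slide).
    A partial final block is zero-padded."""
    h = 0
    for i in range(0, len(msg), BLOCK):
        chunk = int.from_bytes(msg[i:i + BLOCK].ljust(BLOCK, b"\x00"), "big")
        h = _rotl(h ^ chunk, rotate)
    return h

def high_bits_zero(h):
    """True when the top bit of every byte of h is clear, which the plain XOR
    hash of pure ASCII text always produces (the slide's observation)."""
    return h & 0x8080808080808080 == 0

def forge(tampered, target, rotate=0):
    """Append one block to `tampered` so that xor_hash(result) == target.
    The extra block must undo the rotation applied after it is mixed in:
    rotl(h ^ b, r) == target  =>  b == h ^ rotr(target, r)."""
    aligned = tampered.ljust(-(-len(tampered) // BLOCK) * BLOCK, b"\x00")
    h = xor_hash(aligned, rotate)            # equals xor_hash(tampered, rotate)
    fix = h ^ _rotr(target, rotate)
    return aligned + fix.to_bytes(BLOCK, "big")

if __name__ == "__main__":
    original = b"transfer 100 to alice"     # constructed demo messages
    tampered = b"transfer 100 to mallory"
    for r in (0, 13):
        tag = xor_hash(original, r)
        forged = forge(tampered, tag, r)
        assert forged.startswith(tampered) and xor_hash(forged, r) == tag
        print(f"rotate={r}: forged message keeps tag {tag:016x}")
    print("ASCII high bits predictable:", high_bits_zero(xor_hash(original)))
```

The forgery needs no secret at all, which is the whole point: a checksum that anyone can recompute cannot protect integrity unless the checksum itself is protected.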
The Birthday Paradox
• Probability of no collisions among k values drawn at random from n:
  P0 = 1 · (1 − 1/n) · (1 − 2/n) · … · (1 − (k−1)/n) ≈ exp(−k(k−1)/2n)
• Probability of at least one collision:
  P1 = 1 − P0
• Set P1 to be at least 0.5 and solve for k:
  k ≈ 1.17 · √n, i.e., k ≈ 22.3 for n = 365 (so 23 people suffice)
So, what's the point?
• Example hash function: y = H(x) where x = person and H() is Bday()
• y ranges over the set Y = [1…365]; let n = size of Y, i.e., the number of distinct values in the range of H()
• How many people do we need to "hash" to have a collision?
• Or: what is the probability of selecting at random k DISTINCT values from Y?
"Birthday Paradox" Example: N = 10^6 [figure: collision probability as a function of the number of trials]
The Birthday Paradox
• m = log2(n) = size of the output of H() in bits
• √(2^m) = 2^(m/2) trials must be computationally infeasible!
How Long Should a Hash Be?
• Many input messages yield the same hash
  • e.g., 1024-bit message, 128-bit hash
  • On average, 2^896 messages map into one hash
• With an m-bit hash, it takes about 2^(m/2) trials to find a collision (with ≥ 0.5 probability)
• When m = 64, it takes 2^32 trials to find a collision (doable in very little time)
• The slide's figure of m = 160 (about 2^80 trials; 180 is better) is the historical minimum; current guidance is m ≥ 256 (2^128 trials), since 2^80 is within reach of well-resourced attackers and the 160-bit SHA-1 has had a practical collision since 2017
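The birthday bound from the slides, computed exactly and with the slide's approximation, and then used as an attack against a truncated hash; this is an added example, not the lecture's code. The truncation to 32 bits of SHA-256 and the "msg-i" inputs are assumptions made so the attack finishes in well under a second.

```python
# Added example (not from the lecture): the birthday bound computed exactly
# and via the slide's approximation, plus a birthday attack on a truncated hash.
import hashlib
import math

def p_no_collision(k, n):
    """Exact P0 = product over i = 0..k-1 of (1 - i/n)."""
    p = 1.0
    for i in range(k):
        p *= 1.0 - i / n
    return p

def p_no_collision_approx(k, n):
    """The slide's approximation P0 ~ exp(-k(k-1)/2n)."""
    return math.exp(-k * (k - 1) / (2.0 * n))

def min_k_for_half(n):
    """Smallest k with P1 = 1 - P0 >= 0.5 (23 for n = 365; 1.17*sqrt(365) = 22.3)."""
    k = 1
    while p_no_collision(k, n) > 0.5:
        k += 1
    return k

def truncated_digest(x, bits, hashfn=hashlib.sha256):
    """An m-bit hash built by keeping the first m bits of SHA-256 (m % 8 == 0)."""
    return hashfn(x).digest()[: bits // 8]

def find_truncated_collision(bits):
    """Birthday attack on the m-bit hash: remember every digest seen and stop
    at the first repeat. Expected cost ~ 2^(m/2) hashes, far below the 2^m
    brute-force cost of inverting the hash."""
    seen = {}
    i = 0
    while True:
        x = b"msg-%d" % i               # constructed inputs, distinct for every i
        h = truncated_digest(x, bits)
        if h in seen:
            return seen[h], x, i + 1    # (x1, x2, number of hashes computed)
        seen[h] = x
        i += 1

if __name__ == "__main__":
    n = 365
    print("k for P1 >= 0.5 with n=365:", min_k_for_half(n),
          "; 1.17*sqrt(n) =", round(1.17 * math.sqrt(n), 1))
    x1, x2, trials = find_truncated_collision(32)
    print(f"32-bit collision after {trials} hashes (2^16 = 65536 expected):")
    print(" ", x1, x2, truncated_digest(x1, 32).hex(), truncated_digest(x2, 32).hex())
```

Raising `bits` by 8 multiplies the expected work by 16, which is the 2^(m/2) scaling the next slide relies on when it asks how long a hash should be.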
CHF from a Block Cipher
Rabin's CHF:
§ Split the input into key-sized blocks: M1, …, Mp
§ Encrypt a constant plaintext (e.g., 0) with this sequence of keys, each block Mi acting as the key and the previous output as the plaintext:
  Hi = E(Mi, Hi-1), H0 = 0
§ The final ciphertext Hp is the hash output
§ Caveat: every step is invertible once Mi is known (Hi-1 = D(Mi, Hi)), which enables a meet-in-the-middle second-preimage attack in about 2^(n/2) work for an n-bit block; this construction is not used in practice
CHF from a Block Cipher
Davies-Meyer CHF:
§ Hi = Hi-1 ⊕ E(Mi, Hi-1), H0 = 0 (or a fixed IV)
§ The XOR feed-forward is what stops the inversion that breaks Rabin's scheme
§ The compression function is collision-resistant if E is an ideal block cipher (a proof in the ideal-cipher model); the compression functions of MD5, SHA-1 and SHA-2 are Davies-Meyer-style, with a dedicated cipher and addition mod 2^32 as the feed-forward
Hash Function Examples

                 SHA-1 (weak)          MD5 (defunct)         RIPEMD-160 (unloved)
Digest length    160 bits              128 bits              160 bits
Block size       512 bits              512 bits              512 bits
# of steps       80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Max msg size     2^64 − 1 bits         ∞                     ∞

Other (stronger) variants of SHA are SHA-256 and SHA-512. See: http://en.wikipedia.org/wiki/SHA_hash_functions
MD5
• Author: R. Rivest, 1992
• 128-bit hash
• Based on earlier, weaker MD4 (1990)
• Collision resistance (birthday-attack resistance): only 64-bit even by design, and far less in practice: collisions have been found since 2004, and chosen-prefix collisions (see the Flame slide below) are practical
• Output size not long enough today (due to various attacks)
MD5: Message Digest Version 5
[Figure: input message → MD5 → output: 128-bit digest]
Overview of MD5
[Figure: block diagram of MD5]
MD5 Padding
• Given the original message M, add padding bits "100…0" such that the resulting length is 64 bits less than a multiple of 512 bits (at least one padding bit is always added)
• Append the original length in bits, as a 64-bit little-endian value, to the padded message
• The final message is chopped into 512-bit blocks
MD5: Padding
[Figure: input message, padding to a 512-bit block boundary, initial value, blocks 1 to 4 transformed block by block into the final output: 128-bit digest]
MD5 Blocks
[Figure: 512-bit blocks B1, B2, B3, B4 fed through MD5 in sequence, each stage taking the previous stage's result]
MD5 Box
• Input: initial 128-bit vector and a 512-bit message chunk (16 words); output: 128-bit result
• F(x,y,z) = (x∧y) ∨ (¬x∧z)
• G(x,y,z) = (x∧z) ∨ (y∧¬z)
• H(x,y,z) = x ⊕ y ⊕ z
• I(x,y,z) = y ⊕ (x ∨ ¬z) (RFC 1321; the original slide's "x ∧ ¬z" is a typo)
• x ↵ y: x left-rotated by y bits
MD5 Process
• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD = A|B|C|D
• Every message block contains 16 32-bit words: m0|m1|m2…|m15
• Digest MD0 initialized to A = 01 23 45 67, B = 89 ab cd ef, C = fe dc ba 98, D = 76 54 32 10 (byte order in memory; as little-endian words these are 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
• Every stage consists of 4 passes over the message block, each modifying MD; each pass involves a different operation
Processing of Block mi – 4 Passes
ABCD = fF(ABCD, mi, T[1..16])
ABCD = fG(ABCD, mi, T[17..32])
ABCD = fH(ABCD, mi, T[33..48])
ABCD = fI(ABCD, mi, T[49..64])
[Figure: the four passes applied to block mi; the resulting A, B, C, D are added word-wise (+) to MDi to give MDi+1]
Convention: A – d0; B – d1; C – d2; D – d3; Ti: a different constant per step
Different Passes…
• Different functions and constants
• Different set of mi-s (the 16 message words are consumed in a different order)
• Different sets of shifts
Functions and Random Numbers
• F(x,y,z) = (x∧y) ∨ (¬x∧z)
• G(x,y,z) = (x∧z) ∨ (y∧¬z)
• H(x,y,z) = x ⊕ y ⊕ z
• I(x,y,z) = y ⊕ (x ∨ ¬z) (RFC 1321; not "x ∧ ¬z")
• Ti = int(2^32 · |sin(i)|), 0 < i < 65, with i in radians (the "nothing up my sleeve" constants)
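MD5 assembled from exactly the pieces on the slides above (padding, the 16-word blocks, F/G/H/I, the sine-derived Ti table, four passes of 16 steps, and the word-wise feed-forward) and checked against the standard library; this is an added example, not the lecture's code. The per-step rotation amounts and the word-selection rule for passes 2 to 4 are taken from RFC 1321, since the slides list them only as "different sets of shifts" and "different set of mi-s".

```python
# Added example (not from the lecture): MD5 implemented from the slides'
# description and RFC 1321, verified against hashlib.md5.
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-step left-rotation amounts, 16 per pass (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# "Random" constants from the slide: T[i] = int(2^32 * |sin(i)|), i = 1..64.
T = [int(2 ** 32 * abs(math.sin(i))) & MASK32 for i in range(1, 65)]
# Initial digest A|B|C|D (bytes 01 23 45 67 ... read as little-endian words).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK32

def md5_pad(msg):
    """Append a 1 bit, then 0 bits until the length is 64 bits short of a
    multiple of 512, then the original bit length as 64-bit little-endian."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + struct.pack("<Q", bit_len)

def _step_function(i, b, c, d):
    """Nonlinear function and message-word index used by step i."""
    if i < 16:                                     # pass 1: F, words in order
        return (b & c) | (~b & MASK32 & d), i
    if i < 32:                                     # pass 2: G
        return (b & d) | (c & ~d & MASK32), (5 * i + 1) % 16
    if i < 48:                                     # pass 3: H
        return b ^ c ^ d, (3 * i + 5) % 16
    return c ^ (b | (~d & MASK32)), (7 * i) % 16   # pass 4: I = y xor (x or not z)

def md5(msg):
    """Return the 16-byte MD5 digest of msg."""
    a0, b0, c0, d0 = IV
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])   # 16 little-endian words
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            f, g = _step_function(i, b, c, d)
            f = (f + a + T[i] + m[g]) & MASK32
            a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK32
        # Feed-forward: MD_{i+1} = MD_i + (a|b|c|d), word-wise mod 2^32.
        a0 = (a0 + a) & MASK32
        b0 = (b0 + b) & MASK32
        c0 = (c0 + c) & MASK32
        d0 = (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)

def md5_hex(msg):
    return md5(msg).hex()

if __name__ == "__main__":
    for m in (b"", b"abc", b"The quick brown fox jumps over the lazy dog", b"x" * 1000):
        assert md5(m) == hashlib.md5(m).digest()
        print(md5_hex(m), m[:20])
```

Note what the structure gives away: the digest returned for a message is the complete internal state after the last block, which is what makes the prefix-MAC length-extension attack later in the lecture possible.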
Flame's MS Windows MD5 Attack
• Chosen-prefix collision attack: two meaningful initial blocks (the attacker's and the victim's prefixes), each followed by specially computed, random-looking blocks that bring the two internal states together to obtain a collision
Secure Hash Algorithm (SHA)
• SHA-0 was published by NIST in 1993
• Revised in 1995 as SHA-1
• Input: up to 2^64 bits
• Output: 160-bit digest
• 80-bit collision resistance (the generic birthday bound; in practice SHA-1 is far weaker and a practical collision was published in 2017)
• Padding: a 1 bit, 0 bits, then the 64-bit message length, so that the result is a multiple of 512 bits; the length field resists padding attacks (messages of different lengths can no longer pad to the same input): 1000…0 || <message length>
• Processes 512-bit blocks
• Initialize 5 x 32-bit MD registers
• Apply the compression function
  • 4 rounds of 20 steps each
  • each round uses a different non-linear function
  • registers are shifted and switched
Digest Generation with SHA-1
[Figure: padded message split into 512-bit blocks, each compressed with the previous 160-bit state]
SHA-1 of a 512-Bit Block
[Figure: the 80-step compression of one 512-bit block]
General Logic
• Input message must be < 2^64 bits (not a real limitation)
• Message processed in 512-bit blocks sequentially
• Message digest (hash) is 160 bits
• SHA design is similar to MD5, but stronger (though SHA-1 itself is broken today and should not be used for collision resistance)
Basic Steps
Step 1: Padding
Step 2: Appending the length as a 64-bit unsigned big-endian integer
Step 3: Initialize the MD buffer: 5 32-bit words A|B|C|D|E: A = 67452301, B = efcdab89, C = 98badcfe, D = 10325476, E = c3d2e1f0
Basic Steps…
• Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each
• Each step t (0 <= t <= 79):
  • Input:
    • Wt – 32-bit word derived from the message block
    • Kt – constant
    • ABCDE: current MD
  • Output:
    • ABCDE: new MD
Basic Steps…
• Only 4 per-round distinctive additive constants:
  • 0 <= t <= 19: Kt = 5A827999
  • 20 <= t <= 39: Kt = 6ED9EBA1
  • 40 <= t <= 59: Kt = 8F1BBCDC
  • 60 <= t <= 79: Kt = CA62C1D6
Basic Steps – Zooming In
[Figure: one SHA-1 step. From (A, B, C, D, E): new A = CLS5(A) + ft(B, C, D) + E + Wt + Kt (four additions mod 2^32); new B = A; new C = CLS30(B); new D = C; new E = D]
Basic Logic Functions
Only 3 different functions:

Round            Function ft(B,C,D)
0 <= t <= 19     (B∧C) ∨ (¬B∧D)
20 <= t <= 39    B ⊕ C ⊕ D
40 <= t <= 59    (B∧C) ∨ (B∧D) ∨ (C∧D)
60 <= t <= 79    B ⊕ C ⊕ D
Twist With Wt's
• Additional mixing used with the input message 512-bit block
• W0|W1|…|W15 = m0|m1|m2…|m15
• For 15 < t < 80: Wt = CLS1(Wt-16 ⊕ Wt-14 ⊕ Wt-8 ⊕ Wt-3)
  • The 1-bit left rotation is the only difference between SHA-1 and SHA-0, which omitted it
• XOR is a very efficient operation, but with multilevel shifting it produces very extensive and random-looking mixing!
SHA-1 Versus MD5
• SHA-1 is a stronger algorithm:
  • A birthday attack requires on the order of 2^80 operations, in contrast to 2^64 for MD5 (generic bounds; both have dedicated collision attacks that are far cheaper)
• SHA-1 has 80 steps and yields a 160-bit hash (vs. 128): involves more computation
• Today SHA-2 is the default choice; SHA-3 is a structurally different alternative for the longer term, not a replacement for a broken SHA-2
SHA-3
§ Public competition by NIST, similar to AES:
  § NIST request for proposals (2007)
  § 51 submissions (2008)
  § 14 semi-finalists (2009)
  § 5 finalists (2010)
  § Winner: Keccak (2012)
§ Designed by Bertoni, Daemen, Peeters, Van Assche.
§ Based on the "sponge construction", a completely different structure.
Summary: What are hash functions good for?
Message Authentication Using a Hash Function
• Use symmetric encryption such as AES or 3-DES
• Generate H(M) of the same size as the E() block
• Use EK(H(M)) as the MAC (instead of, say, a CBC-MAC built from AES)
• Alice sends EK(H(M)), M
• Bob receives C, M', decrypts C with K, and hashes M': DK(C) =?= H(M')
• Collision ⇒ MAC forgery! Any M'' with H(M'') = H(M) carries the same MAC, so the MAC is only as strong as the hash's collision resistance
Using Hash for Authentication
Alice and Bob share a secret key KAB
1. Alice → Bob: random challenge rA
2. Bob → Alice: H(KAB || rA), random challenge rB
3. Alice → Bob: H(KAB || rB)
Only need to compare H() results: each side recomputes the expected value with KAB
Using Hash to Compute MAC: Integrity
• Cannot just compute and append H(m): whoever modifies m can recompute H(m)
• Need a "keyed hash":
• Prefix:
  • MAC: H(KAB|m), almost works, but…
  • Allows extension with an arbitrary message (the length-extension attack on Merkle-Damgård hashes): from H(KAB|m) alone, anyone can compute H(KAB|m|pad|m'), where pad is the padding the hash appended to KAB|m, without knowing KAB
• Suffix:
  • MAC: H(m|KAB), works better, but what if m' is found such that H(m) = H(m')? Then m' carries the same MAC, and finding that collision needs no knowledge of KAB
• HMAC (the simplified form in KPS):
  • H(KAB|H(KAB|m))
  • The standardized HMAC (RFC 2104) is H((K ⊕ opad)|H((K ⊕ ipad)|m))
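Both the SHA-1 steps from the earlier slides (padding, the Wt schedule with its 1-bit rotation, the Kt constants, ft, CLS5/CLS30, feed-forward) and the prefix-MAC length-extension attack described just above, in one added example that is not the lecture's code. It assumes the attacker knows len(KAB) (in practice a small range of guesses is tried); the key, message and suffix are constructed for the demo.

```python
# Added example (not from the lecture): SHA-1 written from the slides' steps,
# then the length-extension forgery against the prefix MAC H(K|m).
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def sha1_pad(total_len):
    """Padding for a message of total_len bytes: 0x80, zeros up to 56 mod 64,
    then the bit length as a 64-bit big-endian integer."""
    pad = b"\x80" + b"\x00" * ((55 - total_len) % 64)
    return pad + struct.pack(">Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)

def sha1(msg, state=SHA1_IV, prior_len=0):
    """SHA-1 of msg. `state` and `prior_len` let hashing resume from a known
    chaining value, as if prior_len bytes had already been absorbed."""
    h = list(state)
    data = msg + sha1_pad(prior_len + len(msg))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):                    # message schedule (with CLS1)
            w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & MASK32 & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]  # feed-forward
    return struct.pack(">5I", *h)

def prefix_mac(key, msg):
    """The weak construction from the slide: MAC = H(K | m)."""
    return sha1(key + msg)

def extend_prefix_mac(mac, key_len, msg, suffix):
    """Without K: from H(K|msg) and len(K), produce (msg', H(K|msg')) with
    msg' = msg | glue | suffix, where glue is the padding SHA-1 applied to K|msg.
    The digest *is* the chaining state after K|msg|glue, so hashing resumes."""
    glue = sha1_pad(key_len + len(msg))
    state = struct.unpack(">5I", mac)
    forged_msg = msg + glue + suffix
    forged_mac = sha1(suffix, state=state, prior_len=key_len + len(msg) + len(glue))
    return forged_msg, forged_mac

if __name__ == "__main__":
    key = b"s3cr3t-k3y"                      # constructed; never seen by the attacker
    msg = b"amount=10&to=alice"
    mac = prefix_mac(key, msg)
    assert mac == hashlib.sha1(key + msg).digest()
    forged_msg, forged_mac = extend_prefix_mac(mac, len(key), msg, b"&to=mallory")
    assert prefix_mac(key, forged_msg) == forged_mac    # the verifier accepts it
    print("forged:", forged_msg, forged_mac.hex())
```

The glue bytes are binary, but many parsers tolerate them (a duplicated query parameter, a trailing field in a cookie), which is why this attack has worked against real services; MD5, SHA-1 and SHA-256 are all affected, SHA-3 and HMAC are not.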
Hash Function-based MAC (HMAC)
• Main idea: use a MAC derived from any CHF
  • hash functions do not use a key, therefore cannot be used directly as a MAC
• Motivations for HMAC:
  • Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  • No need for the reversibility of encryption
  • No US government export restrictions (was important in the past)
• Status: designated as mandatory for IP security (IPsec)
• Also used in Transport Layer Security (TLS), which replaced SSL, and in SET
HMAC Algorithm
• Compute H1 = H() of the concatenation of K1 and M (the inner hash)
• To prevent an "additional block" (length-extension) attack, compute again H2 = H() of the concatenation of K2 and H1 (the outer hash); H2 is the MAC
• K1 = K+ ⊕ ipad and K2 = K+ ⊕ opad: both are derived from the full key K and differ only in the pad XOR-ed in (they are not halves of K)
• Notation:
  • K+ = K padded with 0's to the hash block size b (a key longer than b bits is hashed first)
  • ipad = 00110110 (0x36) repeated b/8 times
  • opad = 01011100 (0x5c) repeated b/8 times
• Execution:
  • Same as H(M), plus the two pad blocks and a short outer hash; the states after the two pad blocks can be precomputed once per key
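HMAC built from the slide's notation (K+, ipad, opad, inner then outer hash) on top of the standard library's SHA-256 and cross-checked against Python's hmac module; an added example, not the lecture's code. The key and message are constructed for the demo.

```python
# Added example (not from the lecture): HMAC from the RFC 2104 definition,
# verified against the hmac module, plus constant-time verification.
import hashlib
import hmac

def hmac_from_spec(key, msg, hashfn=hashlib.sha256):
    """HMAC(K, M) = H((K+ xor opad) | H((K+ xor ipad) | M))."""
    b = hashfn().block_size                  # 64 bytes for SHA-1 and SHA-256
    if len(key) > b:                         # RFC 2104: long keys are hashed first
        key = hashfn(key).digest()
    k_plus = key.ljust(b, b"\x00")           # K+ = K padded with 0s to b bytes
    k1 = bytes(x ^ 0x36 for x in k_plus)     # K+ xor ipad  (0x36 = 00110110)
    k2 = bytes(x ^ 0x5C for x in k_plus)     # K+ xor opad  (0x5c = 01011100)
    h1 = hashfn(k1 + msg).digest()           # inner hash: H(M) plus one block
    return hashfn(k2 + h1).digest()          # outer hash: the MAC

def hmac_verify(key, msg, tag, hashfn=hashlib.sha256):
    """Compare in constant time so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_spec(key, msg, hashfn), tag)

def matches_stdlib(key, msg, hashfn=hashlib.sha256):
    """Cross-check against Python's hmac module."""
    return hmac_from_spec(key, msg, hashfn) == hmac.new(key, msg, hashfn).digest()

if __name__ == "__main__":
    key = b"a constructed demo key"
    msg = b"amount=10&to=alice"
    tag = hmac_from_spec(key, msg)
    assert matches_stdlib(key, msg)
    assert hmac_verify(key, msg, tag)
    assert not hmac_verify(key, msg + b"&to=mallory", tag)   # no length extension
    assert matches_stdlib(b"k" * 100, msg)                   # long key is hashed first
    print("HMAC-SHA256:", tag.hex())
```

The outer hash is what defeats the length-extension trick from the prefix-MAC slide: the attacker would need the inner state, but only H2 leaves the signer.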
Just for Fun… Using a Hash to Encrypt
• Simulated one-time pad: similar to OFB
  • Compute the key-stream using H(), K, and an IV
  • b1 = H(KAB|IV), …, bi = H(KAB|bi-1), …
  • c1 = p1 ⊕ b1, …, ci = pi ⊕ bi, …
• Or, mix in the ciphertext (similar to cipher feedback mode, CFB)
  • b1 = H(KAB|IV), …, bi = H(KAB|ci-1), …
  • c1 = p1 ⊕ b1, …, ci = pi ⊕ bi, …
• Caveats, as for any stream cipher: the IV must never repeat under the same key (reuse leaks p ⊕ p'), and neither mode provides integrity, so a MAC is still needed
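The two keystream modes from the slide above, built on SHA-256, together with the two failure modes a practitioner has to handle: IV reuse and ciphertext malleability. This is an added example, not the lecture's code; the key, IV and plaintexts are constructed for the demo.

```python
# Added example (not from the lecture): OFB-like and CFB-like "hash ciphers"
# from the slide, plus demonstrations of IV reuse and missing integrity.
import hashlib

BLOCK = hashlib.sha256().digest_size        # 32-byte keystream blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_crypt(key, iv, data):
    """Simulated one-time pad: b1 = H(K|IV), bi = H(K|b_{i-1}), ci = pi xor bi.
    The keystream never depends on the data, so the same call decrypts."""
    out = bytearray()
    b = hashlib.sha256(key + iv).digest()
    for i in range(0, len(data), BLOCK):
        out += _xor(data[i:i + BLOCK], b)
        b = hashlib.sha256(key + b).digest()
    return bytes(out)

def cfb_encrypt(key, iv, pt):
    """CFB-like: b1 = H(K|IV), bi = H(K|c_{i-1}), ci = pi xor bi."""
    out = bytearray()
    prev = iv
    for i in range(0, len(pt), BLOCK):
        c = _xor(pt[i:i + BLOCK], hashlib.sha256(key + prev).digest())
        out += c
        prev = c
    return bytes(out)

def cfb_decrypt(key, iv, ct):
    """Inverse of cfb_encrypt: the keystream is derived from the previous ciphertext block."""
    out = bytearray()
    prev = iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += _xor(c, hashlib.sha256(key + prev).digest())
        prev = c
    return bytes(out)

def iv_reuse_leak(key, iv, p1, p2):
    """Two OFB messages under one (key, IV): c1 xor c2 == p1 xor p2, so the
    keystream cancels and an eavesdropper learns the XOR of the plaintexts."""
    return _xor(ofb_crypt(key, iv, p1), ofb_crypt(key, iv, p2))

def flip_bit(ct, byte_index, bit):
    """Malleability: flipping a ciphertext bit flips the same plaintext bit in
    OFB (and in the matching CFB block); nothing in the scheme detects it."""
    out = bytearray(ct)
    out[byte_index] ^= 1 << bit
    return bytes(out)

if __name__ == "__main__":
    key, iv = b"constructed-demo-key", b"constructed-iv-0"
    pt = b"pay 0010 dollars to alice; ref 42"
    ct = ofb_crypt(key, iv, pt)
    assert ofb_crypt(key, iv, ct) == pt
    assert cfb_decrypt(key, iv, cfb_encrypt(key, iv, pt)) == pt
    other = b"pay 9999 dollars to bob; reference 7"
    assert iv_reuse_leak(key, iv, pt, other) == _xor(pt, other)   # IV reuse
    tampered = flip_bit(ct, 4, 0)           # '0' (0x30) becomes '1' (0x31)
    print(ofb_crypt(key, iv, tampered))     # pay 1010 dollars ... without the key
```

Both properties are why "just for fun" is the right label: a fresh IV per message and an HMAC over the ciphertext are the minimum before anything like this could be used.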