giuseppe bianchi message authentication: hash functions and hash-based constructions
TRANSCRIPT
Giuseppe Bianchi
Message Authentication:Message Authentication:hash functions and hash-hash functions and hash-
based constructionsbased constructions
Giuseppe Bianchi
Hash FunctionHash Function
Any length message X
Fixed size digest Ye.g. 128 bits for MD5
Y = H(X)
Cannot be inverted, as not uniqueX = x bitsY = y bitsAssuming ideal mapping, Y is the result for 2x-y possible X messagesExample:
x=5 bits 32 messagesy=2 bits 4 digests32/4 = 8= 23
Giuseppe Bianchi
Properties of a good hash Properties of a good hash functionfunction
Preimage resistance (one way)Given Y = result of a hash, it is hard to find X such as
H(X)=YSecond preimage resistance (weak
collision resistance)Given X, it is hard to find another X’ such that
H(X) = H(X’)Collision resistance (strong collision
resistance)It is hard to find two generic X1 and X2 such that
H(X1) = H(X2)
Giuseppe Bianchi
Birthday paradoxBirthday paradox
1. What is the probability that none of you N=22 is born in my same day?
2. What is the probability that no two+ of us N=23 are born the same day?
%1.94365
364
365
11
2222
HHuman being X birthday
%3.49365
)!23365(/!365365
)22365()1365(365
365
221
365
21
365
111
23
23
!!
Giuseppe Bianchi
Birthday paradox againBirthday paradox again
Digest = D bitsNumber of messages = K
2
2
2
1
2
11
DK
DK
1. How many messages K to observe to get 50% probability to have my same digest?
2. How many messages K to observe to get 50% probability to have two same digest?
2/22177.1
2
1
2
)!2(/!2 DDKD
DD
KK
Giuseppe Bianchi
nknk
eee
eeee
n
i
n
k
nn
n
kn
n
n
n
n
n
knn
nknk
nknkkn
ik
i
ni
k
i
k
k
i
177.1)2log(2
2
1
11
12
11
1
)1(1)!(/!
2
)2log(2/2/
2/2/)1(1
1
/
1
1
22
2
1
1
Ricordando che per x piccolo1-x approx e^(-x)
Giuseppe Bianchi
Message digest sizeMessage digest sizeMust be considered against
birthday paradox!32 bits (RAND)
50% collision after 216 msg60.000 (very little!)
56 bits (DES)50% collision after 228 msg250M (still little!)
128 bits (MD5)50% collision after 264 msg1.8x1019 (OK!)
160 bits SHA-1
Giuseppe Bianchi
The «best» hash function: The «best» hash function: Random OracleRandom Oracle
«oracle» = black box
Random oracle:Given any distinct input x,
H(x) = truly random valueBut for same x, same output
Fact: NO practical hash function can be a random oracleDigest cannot be a «truly» random value
Giuseppe Bianchi
MD5 iterative constructionMD5 iterative construction
Merkle-Damgard approach
Message (any size)
Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)
10000
Padding
LengthK mod 264
K bits
N x 512 bits
Initialization Vector(known)
F 128 bits F128 bits 128 bits F 128 bits F 128 bits
Hash
Compression function (if it is resistant, also iteration is)
Giuseppe Bianchi
Message Integrity vs Message Integrity vs EncryptionEncryption
Integrity: prevent attacker from tampering with message
Encryption may NOT guarantee integrity!In many encryption schemes, attacker may modify encrypted message
One time pad (one time key K): » encrypted M C = MK» CM’= MKM’ encrypted MM’!
RC4: same as aboveHomomorphic encryption: modifiable by design!
» including RSAIn general, don’t trust encryption mechanisms for integrityunless they are explicitly designed ALSO for it (authenticated
encryption, e.g. AES-CCM or AES-GCM) Integrity may be the only requirement
Why “also” encrypt (extra effort) if not needed by scenario?!
Giuseppe Bianchi
Message authenticationMessage authentication
Sender Receiver
k kmessage m tag
Generate tag
messageK
tag
Generate tag
Generate tag
messageK
Verify Tag
=?
Giuseppe Bianchi
Requires secret key!Requires secret key!message m CRC(m)
message m* CRC(m*)
CRC meant to DETECT random errors!Not meant to prevent attacks!
Attacker can trivially recompute «valid» CRC
Giuseppe Bianchi
Message Authentication Message Authentication CodeCode
ingredient 1: good hashingredient 1: good hashGood
MessageM
HASH(M)
BadMessage
M’
VERY HARD to find message M’ whose Hash is the same of M (collision resistant hash)
Giuseppe Bianchi
Message Authentication Message Authentication CodeCode
ingredient 2: secret in the hashingredient 2: secret in the hashGood
MessageM
HASH(Secret, M)
BadMessage
M’
Since secret not know by attacker, very hard to construct a valid
message authentication code
HASH(????, M)
Giuseppe Bianchi
Integrity checkIntegrity check
Weaker than digital signatureWhy?
But fast, practical, and OK for two-party session
Issues: Must use good hashMust use shared secret among parties
Pay 100 dollars Pay 1000 dollars
Pay 100 dollars Pay 1000 dollarsH(S,M) H(S,M)
H(S, “Pay 1000 dollars”) != H(S,M)Message modified!
Giuseppe Bianchi
SecuritySecurityAttacker is given a number of past
message/tag pairs(m1,t1), (m2,t2), (m3,t3), …Even more powerful: «chosen message» attack
Now sees message mMust NOT be able to forge tag t
Even more powerful: must NOT be able to forge ANY valid pair (m,t) for any chosen new msg
Formally: probability to forge valid pair must be NEGLIGIBLE
Giuseppe Bianchi
Short tags?Short tags?1 byte tagsNo way for attacker to guess tag
from msg, beyond pure random choice
Is this secure?
NO! Probability of guessing = 1/256Not nearly negligible!!
Note the crucial difference with encryption security definitions!
Giuseppe Bianchi
Message authentication Message authentication using hash functionsusing hash functions
Sender Receiver
k kmessage m tag
Hash function
messageK
tag
Generate tag
Hash function
messageK
Verify Tag
=?
Giuseppe Bianchi
But devil is in details…But devil is in details…
Where to put secret in hash?H(S,M)?H(M,S)?Some other way?
Do we care? What’s the matter?
Matter is: Hash functions are not black boxes!
Giuseppe Bianchi
Hash constructions: iterativeHash constructions: iterative Merkle-Damgard construction
Applies to MD5, SHA-1, etcExample: MD5 case
Message (any size)
Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)
10000
Padding
LengthK mod 264
K bits
N x 512 bits
Initialization Vector(known)MD5: 128 bitSHA-1: 160 bit
F 128 bits F128 bits 128 bits F 128 bits F 128 bits
Hash
Compression function (if it is resistant, also iteration is)The heart of the specific hash function used
Giuseppe Bianchi
Secret Suffix: H(M,S)?Secret Suffix: H(M,S)?
Message (any size)
Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)
10000
PaddingK bits
N x 512 bits
F 128 bits F128 bits 128 bits F 128 bits F 128 bits
Hash
Secret
State precomputation, once!!
Dictionary attack to secret
Len
Giuseppe Bianchi
Secret Prefix: H(S,M)?Secret Prefix: H(S,M)? Expansion attack
Message extension does not require knowledge of secretSecret already “used” in the (now known) hash state
May not be practical (yet), because of MD-strengthening.But significant construction shortcoming!!!
Message (any size)
Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)
PAD
N x 512 bits
F 128 bits F128 bits 128 bits F 128 bits F 128 bits
Hash
Secret Message extension
Giuseppe Bianchi
Expansion attack!Expansion attack!
Trivial to “extend” the message!Especially critical if secret at the
beginningExample: start from MD5(k | x), k unknown secretAppend yTo compute MD5(k | x | y) use iterative Merkle construction!
No need to know k!!!
Length (Damgard) strengthening: helps but does not solve the problem A strong reason to use different constructs (HMAC)
http://csrc.nist.gov/pki/HashWorkshop/2005/Nov1_Presentations/Puniya_hashDesign.pdf
Giuseppe Bianchi
Why HMAC?Why HMAC?How to insert a secret in the hash
is a fundamental issue! Secret prefix
H(S | M) expansion attacks?Secret suffix
H(M | S) hash state precomputation?Envelope
H(S1 | M | S2) two secrets needed» Proven that if secret divided in two, robustness
weakened!!1996: problem solved, with HMAC!
Best possible construction
Giuseppe Bianchi
HMACHMACRFC 2104, february 2007RFC 2104, february 2007
HMACK(M) = H(K+ XOR opad || H(K+ XOR ipad || M))
K+ = shared key padded to hash basic block size» When H=MD5, padding to 512 bits
opad = 0x36 = 00110110 repeated as neededipad = 0x5C = 01011100 repeated as needed
Giuseppe Bianchi
HMAC - diagram HMAC - diagram
Source: V. Shmatikov
Embedded hash function(strength of HMAC relies onstrength of this hash function)
“Black box”: can use this HMACconstruction with any hash function(why is this important?)
Block size of embedded hash function
Secret key paddedto block size
magic value (flips half of key bits)
another magic value(flips different key bits)
hash(key,hash(key,message))
“Amplify” key material(get two keys out of one)
Very common problem:given a small secret, how toderive a lot of new keys?
Giuseppe Bianchi
HMAC securityHMAC security
quantitatively proven robustness: as secure as its underlying hash issee Bellare, Canetti, Krawczyk, Keying Hash Functions for Message
Authentication, 1996
Actually more secure (surprise!)Bellare 2006: collision resistence NOT necessary
Pseudorandomness only requirementYou can use HMAC with MD5 or SHA-1 even if there are algorithms to
compute collision
Practical and flexible (you may change the underying hash with more robust one)
Efficient computation
Giuseppe Bianchi
Collisions without HMACCollisions without HMACCollision in hash = collision in
MACH(M,S) construction:
Obvious find collision on first part of the message, then
expandH(S,M) construction:
less obvious, but same problemStart from H(S,x) IVFind collision H*(IV,X1)=H*(IV,X2)Mi = x | pad(x) | Xi | pad (Xi)Hence H(S,M1)=H(S,M2)