giuseppe bianchi message authentication: hash functions and hash-based constructions

28
Giuseppe Bianchi Message Authentication: Message Authentication: hash functions and hash- hash functions and hash- based constructions based constructions

Upload: harry-mcdonald

Post on 18-Jan-2016

228 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message Authentication:Message Authentication:hash functions and hash-hash functions and hash-

based constructionsbased constructions

Page 2: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Hash FunctionHash Function

Any length message X

Fixed size digest Ye.g. 128 bits for MD5

Y = H(X)

Cannot be inverted, as not uniqueX = x bitsY = y bitsAssuming ideal mapping, Y is the result for 2x-y possible X messagesExample:

x=5 bits 32 messagesy=2 bits 4 digests32/4 = 8= 23

Page 3: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Properties of a good hash Properties of a good hash functionfunction

Preimage resistance (one way)Given Y = result of a hash, it is hard to find X such as

H(X)=YSecond preimage resistance (weak

collision resistance)Given X, it is hard to find another X’ such that

H(X) = H(X’)Collision resistance (strong collision

resistance)It is hard to find two generic X1 and X2 such that

H(X1) = H(X2)

Page 4: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Birthday paradoxBirthday paradox

1. What is the probability that none of you N=22 is born in my same day?

2. What is the probability that no two+ of us N=23 are born the same day?

%1.94365

364

365

11

2222

HHuman being X birthday

%3.49365

)!23365(/!365365

)22365()1365(365

365

221

365

21

365

111

23

23

!!

Page 5: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Birthday paradox againBirthday paradox again

Digest = D bitsNumber of messages = K

2

2

2

1

2

11

DK

DK

1. How many messages K to observe to get 50% probability to have my same digest?

2. How many messages K to observe to get 50% probability to have two same digest?

2/22177.1

2

1

2

)!2(/!2 DDKD

DD

KK

Page 6: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

nknk

eee

eeee

n

i

n

k

nn

n

kn

n

n

n

n

n

knn

nknk

nknkkn

ik

i

ni

k

i

k

k

i

177.1)2log(2

2

1

11

12

11

1

)1(1)!(/!

2

)2log(2/2/

2/2/)1(1

1

/

1

1

22

2

1

1

Ricordando che per x piccolo1-x approx e^(-x)

Page 7: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message digest sizeMessage digest sizeMust be considered against

birthday paradox!32 bits (RAND)

50% collision after 216 msg60.000 (very little!)

56 bits (DES)50% collision after 228 msg250M (still little!)

128 bits (MD5)50% collision after 264 msg1.8x1019 (OK!)

160 bits SHA-1

Page 8: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

The «best» hash function: The «best» hash function: Random OracleRandom Oracle

«oracle» = black box

Random oracle:Given any distinct input x,

H(x) = truly random valueBut for same x, same output

Fact: NO practical hash function can be a random oracleDigest cannot be a «truly» random value

Page 9: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

MD5 iterative constructionMD5 iterative construction

Merkle-Damgard approach

Message (any size)

Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)

10000

Padding

LengthK mod 264

K bits

N x 512 bits

Initialization Vector(known)

F 128 bits F128 bits 128 bits F 128 bits F 128 bits

Hash

Compression function (if it is resistant, also iteration is)

Page 10: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message Integrity vs Message Integrity vs EncryptionEncryption

Integrity: prevent attacker from tampering with message

Encryption may NOT guarantee integrity!In many encryption schemes, attacker may modify encrypted message

One time pad (one time key K): » encrypted M C = MK» CM’= MKM’ encrypted MM’!

RC4: same as aboveHomomorphic encryption: modifiable by design!

» including RSAIn general, don’t trust encryption mechanisms for integrityunless they are explicitly designed ALSO for it (authenticated

encryption, e.g. AES-CCM or AES-GCM) Integrity may be the only requirement

Why “also” encrypt (extra effort) if not needed by scenario?!

Page 11: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message authenticationMessage authentication

Sender Receiver

k kmessage m tag

Generate tag

messageK

tag

Generate tag

Generate tag

messageK

Verify Tag

=?

Page 12: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Requires secret key!Requires secret key!message m CRC(m)

message m* CRC(m*)

CRC meant to DETECT random errors!Not meant to prevent attacks!

Attacker can trivially recompute «valid» CRC

Page 13: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message Authentication Message Authentication CodeCode

ingredient 1: good hashingredient 1: good hashGood

MessageM

HASH(M)

BadMessage

M’

VERY HARD to find message M’ whose Hash is the same of M (collision resistant hash)

Page 14: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message Authentication Message Authentication CodeCode

ingredient 2: secret in the hashingredient 2: secret in the hashGood

MessageM

HASH(Secret, M)

BadMessage

M’

Since secret not know by attacker, very hard to construct a valid

message authentication code

HASH(????, M)

Page 15: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Integrity checkIntegrity check

Weaker than digital signatureWhy?

But fast, practical, and OK for two-party session

Issues: Must use good hashMust use shared secret among parties

Pay 100 dollars Pay 1000 dollars

Pay 100 dollars Pay 1000 dollarsH(S,M) H(S,M)

H(S, “Pay 1000 dollars”) != H(S,M)Message modified!

Page 16: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

SecuritySecurityAttacker is given a number of past

message/tag pairs(m1,t1), (m2,t2), (m3,t3), …Even more powerful: «chosen message» attack

Now sees message mMust NOT be able to forge tag t

Even more powerful: must NOT be able to forge ANY valid pair (m,t) for any chosen new msg

Formally: probability to forge valid pair must be NEGLIGIBLE

Page 17: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Short tags?Short tags?1 byte tagsNo way for attacker to guess tag

from msg, beyond pure random choice

Is this secure?

NO! Probability of guessing = 1/256Not nearly negligible!!

Note the crucial difference with encryption security definitions!

Page 18: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Message authentication Message authentication using hash functionsusing hash functions

Sender Receiver

k kmessage m tag

Hash function

messageK

tag

Generate tag

Hash function

messageK

Verify Tag

=?

Page 19: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

But devil is in details…But devil is in details…

Where to put secret in hash?H(S,M)?H(M,S)?Some other way?

Do we care? What’s the matter?

Matter is: Hash functions are not black boxes!

Page 20: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Hash constructions: iterativeHash constructions: iterative Merkle-Damgard construction

Applies to MD5, SHA-1, etcExample: MD5 case

Message (any size)

Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)

10000

Padding

LengthK mod 264

K bits

N x 512 bits

Initialization Vector(known)MD5: 128 bitSHA-1: 160 bit

F 128 bits F128 bits 128 bits F 128 bits F 128 bits

Hash

Compression function (if it is resistant, also iteration is)The heart of the specific hash function used

Page 21: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Secret Suffix: H(M,S)?Secret Suffix: H(M,S)?

Message (any size)

Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)

10000

PaddingK bits

N x 512 bits

F 128 bits F128 bits 128 bits F 128 bits F 128 bits

Hash

Secret

State precomputation, once!!

Dictionary attack to secret

Len

Page 22: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Secret Prefix: H(S,M)?Secret Prefix: H(S,M)? Expansion attack

Message extension does not require knowledge of secretSecret already “used” in the (now known) hash state

May not be practical (yet), because of MD-strengthening.But significant construction shortcoming!!!

Message (any size)

Chunk (512 bits) Chunk (512 bits) Chunk (512 bits) Chunk (512 bits)

PAD

N x 512 bits

F 128 bits F128 bits 128 bits F 128 bits F 128 bits

Hash

Secret Message extension

Page 23: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Expansion attack!Expansion attack!

Trivial to “extend” the message!Especially critical if secret at the

beginningExample: start from MD5(k | x), k unknown secretAppend yTo compute MD5(k | x | y) use iterative Merkle construction!

No need to know k!!!

Length (Damgard) strengthening: helps but does not solve the problem A strong reason to use different constructs (HMAC)

http://csrc.nist.gov/pki/HashWorkshop/2005/Nov1_Presentations/Puniya_hashDesign.pdf

Page 24: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Why HMAC?Why HMAC?How to insert a secret in the hash

is a fundamental issue! Secret prefix

H(S | M) expansion attacks?Secret suffix

H(M | S) hash state precomputation?Envelope

H(S1 | M | S2) two secrets needed» Proven that if secret divided in two, robustness

weakened!!1996: problem solved, with HMAC!

Best possible construction

Page 25: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

HMACHMACRFC 2104, february 2007RFC 2104, february 2007

HMACK(M) = H(K+ XOR opad || H(K+ XOR ipad || M))

K+ = shared key padded to hash basic block size» When H=MD5, padding to 512 bits

opad = 0x36 = 00110110 repeated as neededipad = 0x5C = 01011100 repeated as needed

Page 26: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

HMAC - diagram HMAC - diagram

Source: V. Shmatikov

Embedded hash function(strength of HMAC relies onstrength of this hash function)

“Black box”: can use this HMACconstruction with any hash function(why is this important?)

Block size of embedded hash function

Secret key paddedto block size

magic value (flips half of key bits)

another magic value(flips different key bits)

hash(key,hash(key,message))

“Amplify” key material(get two keys out of one)

Very common problem:given a small secret, how toderive a lot of new keys?

Page 27: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

HMAC securityHMAC security

quantitatively proven robustness: as secure as its underlying hash issee Bellare, Canetti, Krawczyk, Keying Hash Functions for Message

Authentication, 1996

Actually more secure (surprise!)Bellare 2006: collision resistence NOT necessary

Pseudorandomness only requirementYou can use HMAC with MD5 or SHA-1 even if there are algorithms to

compute collision

Practical and flexible (you may change the underying hash with more robust one)

Efficient computation

Page 28: Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions

Giuseppe Bianchi

Collisions without HMACCollisions without HMACCollision in hash = collision in

MACH(M,S) construction:

Obvious find collision on first part of the message, then

expandH(S,M) construction:

less obvious, but same problemStart from H(S,x) IVFind collision H*(IV,X1)=H*(IV,X2)Mi = x | pad(x) | Xi | pad (Xi)Hence H(S,M1)=H(S,M2)