Cryptographic Hash Functions, Exercises of Cryptography and System Security


Typology: Exercises

2022/2023

Uploaded on 05/11/2023

bairloy

*Slides borrowed from Vitaly Shmatikov
Cryptographic Hash Functions

Hash Functions: Main Idea

[Figure: hash function H maps bit strings of any length (inputs x, x’, x’’; the “message”) to n-bit strings (outputs y, y’; the “message digest”)]

◆ Hash function H is a lossy compression function

  • Collision: H(x)=H(x’) for some inputs x≠x’

◆ H(x) should look “random”

  • Every bit (almost) equally likely to be 0 or 1

◆ A cryptographic hash function must have certain properties

Birthday Paradox

◆ T people

◆ Suppose each birthday is a random number taken from K days (K=365) – how many possibilities?

  • $K^T$ - samples with replacement

◆ How many possibilities that are all different?

  • $(K)_T = K(K-1)\cdots(K-T+1)$ - samples without replacement

◆ Probability of no repetition?

  • $(K)_T / K^T \approx 1 - T(T-1)/2K$

◆ Probability of repetition?

  • $O(T^2)$

Collision Resistance

◆ Should be hard to find x≠x’ such that h(x)=h(x’)

◆ Birthday paradox

  • Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x≠x’ s.t. h(x)=h(x’)
  • Assuming h is random, what is the probability that we find a repetition after looking at T values? $O(T^2)$
  • Total number of pairs? $O(2^n)$
    • n = number of bits in the output of hash function
  • Conclusion: $T \approx O(2^{n/2})$

◆ Brute-force collision search is $O(2^{n/2})$, not $O(2^n)$

  • For SHA-1, this means $O(2^{80})$ vs. $O(2^{160})$

Weak Collision Resistance

◆ Given a randomly chosen x, hard to find x’ such that h(x)=h(x’)

  • Attacker must find collision for a specific x… by contrast, to break collision resistance, enough to find any collision
  • Brute-force attack requires $O(2^n)$ time

◆ Weak collision resistance does not imply collision resistance (why?)
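The gap between the two brute-force costs can be measured on a deliberately shortened hash. This is an added example, not part of the slides: the toy hash (the first n bits of SHA-256) and the input naming are assumptions chosen so both searches finish quickly.

```python
import hashlib
from itertools import count

def h(data: bytes, n_bits: int) -> int:
    """Toy hash (assumption): the first n_bits of SHA-256, so brute force is feasible."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Collision resistance game: any two distinct inputs with equal hashes win."""
    seen = {}                                   # hash value -> input that produced it
    for t in count(1):
        x = b"msg-%d" % t                       # constructed, pairwise distinct inputs
        y = h(x, n_bits)
        if y in seen:
            return seen[y], x, t                # x != x', h(x) == h(x'), T values examined
        seen[y] = x

def find_second_preimage(target: bytes, n_bits: int, max_tries: int = 1 << 22):
    """Weak collision resistance game: must match the hash of one specific input."""
    goal = h(target, n_bits)
    for t in range(1, max_tries + 1):
        x = b"other-%d" % t                     # prefix differs, so x != target
        if h(x, n_bits) == goal:
            return x, t
    return None                                 # search budget exhausted

if __name__ == "__main__":
    N = 16
    a, b, t_any = find_collision(N)
    found = find_second_preimage(b"specific input", N)
    print(f"n={N}: some collision after {t_any} hashes; 2^(n/2) = {2 ** (N // 2)}")
    if found:
        print(f"n={N}: second preimage after {found[1]} hashes; 2^n = {2 ** N}")
```

Raising N by two bits roughly doubles the work of the first search and quadruples the work of the second.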

Hashing vs. Encryption

◆ Hashing is one-way. There is no “un-hashing”!

  • A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption”

◆ Hash(x) looks “random”, but can be compared for equality with Hash(x’)

  • Hash the same input twice → same hash value
  • Encrypt the same input twice → different ciphertexts

◆ Cryptographic hashes are also known as “cryptographic checksums” or “message digests”

Application: Software Integrity

[Figure: BigFirm™ sends goodFile to the User and publishes hash(goodFile) in The Times; a VIRUS may replace goodFile with badFile on the way to the User]

Software manufacturer wants to ensure that the executable file is received by users without modification…

Sends out the file to users and publishes its hash in the NY Times

The goal is integrity, not secrecy

Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

Which Property Is Needed?

◆ Passwords stored as hash(password)

  • One-wayness: hard to recover entire password
  • Passwords are not random and thus guessable

◆ Integrity of software distribution

  • Weak collision resistance?
  • But software images are not random… maybe need full collision resistance

◆ Auctions: to bid B, send H(B), later reveal B

  • One-wayness… but does not protect B from guessing
  • Collision resistance: bidder should not be able to find two bids B and B’ such that H(B)=H(B’)
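The auction case can be made concrete. The following is an added example, not part of the slides: it shows why a bare H(B) leaks a bid drawn from a small range, and a common remedy the slides do not cover, hashing a random nonce together with the bid. SHA-256, the bid range and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def commit_plain(bid: int) -> str:
    """Commitment exactly as on the slide: H(B), nothing else."""
    return hashlib.sha256(str(bid).encode()).hexdigest()

def recover_bid(commitment: str, plausible_bids):
    """One-wayness does not help when B comes from a small set: hash every candidate."""
    for candidate in plausible_bids:
        if hmac.compare_digest(commit_plain(candidate), commitment):
            return candidate
    return None

def commit_blinded(bid: int):
    """Assumed remedy: H(nonce || B) with a fresh 256-bit nonce kept secret until reveal."""
    nonce = secrets.token_bytes(32)             # fixed length keeps nonce || B unambiguous
    digest = hashlib.sha256(nonce + str(bid).encode()).hexdigest()
    return digest, nonce

def open_commitment(commitment: str, bid: int, nonce: bytes) -> bool:
    """Auctioneer's check at reveal time; relies on collision resistance of H."""
    digest = hashlib.sha256(nonce + str(bid).encode()).hexdigest()
    return hmac.compare_digest(digest, commitment)

if __name__ == "__main__":
    bids = range(0, 10001)                      # constructed range of plausible bids
    print("bare H(B) reveals bid:", recover_bid(commit_plain(4200), bids))
    c, nonce = commit_blinded(4200)
    print("blinded commitment reveals bid:", recover_bid(c, bids))
    print("honest reveal accepted:", open_commitment(c, 4200, nonce))
    print("changed bid accepted:", open_commitment(c, 4300, nonce))
```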

Overview of MD5

◆ Designed in 1991 by Ron Rivest

◆ Iterative design using compression function

[Figure: message blocks M1, M2, M3, M4 are fed one after another into the compression function (Compress), starting from IHV0 and ending with IHV4]

History of MD5 Collisions

◆ 2004: first collision attack

  • The only difference between colliding messages is 128 random-looking bytes

◆ 2007: chosen-prefix collisions

  • For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes

◆ 2008: rogue SSL certificates

  • Talk about this in more detail when discussing PKI

◆ 2012: MD5 collisions used in cyberwarfare

  • Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature

SHA-1 Compression Function

[Figure: SHA-1 compression function. Inputs: current message block and current buffer (five 32-bit registers A,B,C,D,E). Output: buffer contains final hash value.]

Similar to a block cipher, with message itself used as the key for each round

Four rounds, 20 steps in each

  • Let’s look at each step in more detail…

Fifth round adds the original buffer to the result of 4 rounds

One Step of SHA-1 (80 steps total)

[Figure: one step takes registers A B C D E to new A B C D E, using f_t, a 5-bit bitwise left-rotate, a 30-bit bitwise left-rotate, and additions (+) of W_t and K_t]

K_t: Special constant added (same value in each 20-step round, 4 different constants altogether)

f_t: Logic function for steps

  • (B∧C)∨(¬B∧D) 0..19
  • B⊕C⊕D 20..39
  • (B∧C)∨(B∧D)∨(C∧D) 40..59
  • B⊕C⊕D 60..79

W_t: Current message block mixed in

  • For steps 0..15, W0..15=message block
  • For steps 16..79, Wt=Wt-16⊕Wt-14⊕Wt-8⊕Wt-3

Multi-level shifting of message blocks
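The two SHA-1 slides above translate directly into code. This is an added example, not taken from the slides: the initial buffer values, the four K_t constants and the padding rule come from the SHA-1 standard (FIPS 180-4), which also rotates the XOR of the four earlier message words left by one bit, a detail the slide's formula for Wt does not show.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # initial A,B,C,D,E

def rotl(x: int, r: int) -> int:
    """Bitwise left-rotate of a 32-bit word."""
    return ((x << r) | (x >> (32 - r))) & MASK

def f_and_k(t: int, b: int, c: int, d: int):
    """Logic function f_t and constant K_t for step t (one pair per 20-step round)."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6

def compress(state, block: bytes):
    """One call per 64-byte message block: 80 steps, then add the original buffer."""
    w = list(struct.unpack(">16I", block))            # W0..15 = message block
    for t in range(16, 80):                           # W16..79 mixed from earlier words
        w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    a, b, c, d, e = state
    for t in range(80):
        f, k = f_and_k(t, b, c, d)
        new_a = (rotl(a, 5) + f + e + k + w[t]) & MASK
        a, b, c, d, e = new_a, a, rotl(b, 30), c, d   # registers shift one place
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(message: bytes) -> str:
    """Pad, then chain the compression function over all blocks."""
    pad = b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded = message + pad + struct.pack(">Q", 8 * len(message))
    state = IV
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return "".join("%08x" % word for word in state)   # buffer holds the final hash

if __name__ == "__main__":
    print(sha1(b"abc"))
```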

NIST Competition

◆ A public competition to develop a new cryptographic hash algorithm

  • Organized by NIST (read: NSA)

◆ 64 entries into the competition (Oct 2008)

◆ 5 finalists in 3rd round (Dec 2010)

◆ Winner: Keccak (Oct 2012)

  • standardized as SHA-3

Integrity and Authentication

[Figure: Alice and Bob share KEY. Alice sends message, MAC(KEY,message). Bob recomputes MAC and verifies whether it is equal to the MAC attached to the message.]

MAC (message authentication code)

Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message
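The exchange in the figure, written out as an added example that is not part of the slides. HMAC-SHA256 is assumed as the MAC (the slide does not name a construction), and the unkeyed variant is included only to show what the shared KEY buys; the messages and function names are constructed.

```python
import hashlib
import hmac

def mac(key: bytes, message: bytes) -> bytes:
    """MAC(KEY, message), instantiated here with HMAC-SHA256 (assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def alice_send(key: bytes, message: bytes):
    """Alice attaches the MAC to the message."""
    return message, mac(key, message)

def bob_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob recomputes the MAC and compares in constant time."""
    return hmac.compare_digest(mac(key, message), tag)

def unkeyed_digest(message: bytes) -> bytes:
    """Plain hash sent alongside the message: anyone can compute it."""
    return hashlib.sha256(message).digest()

def bob_verify_unkeyed(message: bytes, digest: bytes) -> bool:
    """Detects accidental corruption only, since no secret is involved."""
    return hmac.compare_digest(unkeyed_digest(message), digest)

if __name__ == "__main__":
    key = b"K" * 32                                   # constructed shared KEY
    message, tag = alice_send(key, b"transfer 10 to Bob")
    print("genuine message accepted:", bob_verify(key, message, tag))

    changed = b"transfer 9999 to Bob"                 # modified in transit, KEY unknown
    print("changed message, old tag:", bob_verify(key, changed, tag))
    print("changed message, recomputed plain hash as tag:",
          bob_verify(key, changed, unkeyed_digest(changed)))
    print("same change against the unkeyed scheme:",
          bob_verify_unkeyed(changed, unkeyed_digest(changed)))
```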