*Slides borrowed from Vitaly Shmatikov
Cryptographic Hash Functions
Hash Functions: Main Idea
[Figure: hash function H maps bit strings of any length (the message; inputs x, x’, x’’) to n-bit strings (the “message digest”; outputs y, y’)]
◆ Hash function H is a lossy compression function
- Collision: H(x)=H(x’) for some inputs x≠x’
◆ H(x) should look “random”
- Every bit (almost) equally likely to be 0 or 1
◆ A cryptographic hash function must have certain properties
Birthday Paradox
◆ T people
◆ Suppose each birthday is a random number taken from K days (K=365) – how many possibilities?
• $K^T$
◆ How many possibilities that are all different?
• $(K)_T = K(K-1)\cdots(K-T+1)$ - samples without replacement
◆ Probability of no repetition?
• $(K)_T / K^T \approx 1 - T(T-1)/2K$
◆ Probability of repetition?
• $O(T^2)$
Collision Resistance
◆ Should be hard to find x≠x’ such that h(x)=h(x’)
◆ Birthday paradox
- Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x≠x’ s.t. h(x)=h(x’)
- Assuming h is random, what is the probability that we find a repetition after looking at T values? $O(T^2)$
- Total number of pairs? $O(2^n)$
- n = number of bits in the output of hash function
- Conclusion: $T \approx O(2^{n/2})$
◆ Brute-force collision search is $O(2^{n/2})$, not $O(2^n)$
- For SHA-1, this means $O(2^{80})$ vs. $O(2^{160})$
Weak Collision Resistance
◆ Given a randomly chosen x, hard to find x’ such that h(x)=h(x’)
- Attacker must find collision for a specific x… by contrast, to break collision resistance, enough to find any collision
- Brute-force attack requires $O(2^n)$ time
◆ Weak collision resistance does not imply collision resistance (why?)
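The gap between the two brute-force costs above can be measured directly. This is an added example, not part of the original slides: it truncates SHA-256 to n bits (an assumption made only so the searches finish quickly) and counts hash evaluations for a birthday collision search versus a search for a second input matching one specific target. The function names and the sample inputs are constructed for the illustration.

```python
import hashlib
import itertools

def h(data: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the top n_bits of SHA-256 (truncated only so the demo finishes)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)

def find_collision(n_bits: int):
    """Collision resistance: any pair x != x' with h(x) == h(x') will do."""
    seen = {}                      # output value -> input that produced it
    for t in itertools.count(1):
        x = b"msg-%d" % t          # constructed, distinct inputs
        y = h(x, n_bits)
        if y in seen:
            return seen[y], x, t   # t = number of hash evaluations used
        seen[y] = x

def find_second_preimage(target: bytes, n_bits: int):
    """Weak collision resistance: must match the hash of one specific input."""
    goal = h(target, n_bits)
    for t in itertools.count(1):
        x = b"try-%d" % t
        if x != target and h(x, n_bits) == goal:
            return x, t

if __name__ == "__main__":
    for n in (12, 16, 20):
        _, _, t_coll = find_collision(n)
        _, t_second = find_second_preimage(b"goodFile", n)
        print(f"n={n:2d}  collision after {t_coll:6d} hashes (2^(n/2)={2 ** (n // 2)})  "
              f"second preimage after {t_second:8d} hashes (2^n={2 ** n})")
```

The collision count tracks 2^(n/2) while the second-preimage count tracks 2^n, which is why the output length of a collision-resistant hash has to be twice the intended security level.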
Hashing vs. Encryption
◆ Hashing is one-way. There is no “un-hashing”!
- A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption”
◆ Hash(x) looks “random”, but can be compared for equality with Hash(x’)
- Hash the same input twice → same hash value
- Encrypt the same input twice → different ciphertexts
◆ Cryptographic hashes are also known as “cryptographic checksums” or “message digests”
Application: Software Integrity
◆ Software manufacturer wants to ensure that the executable file is received by users without modification…
◆ Sends out the file to users and publishes its hash in the NY Times
◆ The goal is integrity, not secrecy
◆ Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)
[Figure: BigFirm™, User and The Times; labels goodFile, hash(goodFile), VIRUS, badFile]
Which Property Is Needed?
◆ Passwords stored as hash(password)
- One-wayness: hard to recover entire password
- Passwords are not random and thus guessable
◆ Integrity of software distribution
- Weak collision resistance?
- But software images are not random… maybe need full collision resistance
◆ Auctions: to bid B, send H(B), later reveal B
- One-wayness… but does not protect B from guessing
- Collision resistance: bidder should not be able to find two bids B and B’ such that H(B)=H(B’)
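The auction bullet says one-wayness alone does not protect B from guessing. The following added example (not from the original slides) shows why, and shows a common hardening that the slides do not mention: hashing a random nonce together with the bid. The bid value, the bid range and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def commit_plain(bid: int) -> str:
    """The scheme as stated on the slide: publish H(B)."""
    return hashlib.sha256(str(bid).encode()).hexdigest()

def guess_bid(commitment: str, max_bid: int):
    """Bids come from a small space, so hashing every candidate recovers B."""
    for candidate in range(max_bid + 1):
        if commit_plain(candidate) == commitment:
            return candidate
    return None

def commit_with_nonce(bid: int):
    """Hardened variant (an addition): publish H(nonce || B), keep the nonce secret until reveal."""
    nonce = secrets.token_bytes(32)          # fixed length, so nonce || B parses unambiguously
    digest = hashlib.sha256(nonce + str(bid).encode()).hexdigest()
    return digest, nonce

def open_commitment(commitment: str, nonce: bytes, bid: int) -> bool:
    """Reveal phase: the auctioneer recomputes the hash from the revealed nonce and bid."""
    recomputed = hashlib.sha256(nonce + str(bid).encode()).hexdigest()
    return hmac.compare_digest(recomputed, commitment)

if __name__ == "__main__":
    secret_bid = 41750                       # constructed sample bid
    print("plain H(B) guessed as:", guess_bid(commit_plain(secret_bid), 100_000))
    c, nonce = commit_with_nonce(secret_bid)
    print("nonce commitment guessed as:", guess_bid(c, 100_000))
    print("opens to real bid:", open_commitment(c, nonce, secret_bid))
    print("opens to other bid:", open_commitment(c, nonce, secret_bid + 1))
```

The nonce provides hiding; the bidder's inability to open the same commitment to a different bid still rests on the collision resistance named in the last bullet.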
Overview of MD5
◆ Designed in 1991 by Ron Rivest
◆ Iterative design using compression function
[Figure: message blocks M1, M2, M3, M4 are fed one after another into the compression function (“Compress”), starting from IHV0 and ending with IHV4]
History of MD5 Collisions
◆ 2004: first collision attack
- The only difference between colliding messages is 128 random-looking bytes
◆ 2007: chosen-prefix collisions
- For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes
◆ 2008: rogue SSL certificates
- Talk about this in more detail when discussing PKI
◆ 2012: MD5 collisions used in cyberwarfare
- Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature
SHA-1 Compression Function
[Figure: SHA-1 compression function, with the current message block and the current buffer (five 32-bit registers A,B,C,D,E) as inputs; at the end the buffer contains the final hash value]
◆ Similar to a block cipher, with message itself used as the key for each round
◆ Four rounds, 20 steps in each
- Let’s look at each step in more detail…
◆ Fifth round adds the original buffer to the result of 4 rounds
One Step of SHA-1 (80 steps total)
[Figure: one step of SHA-1 updating registers A,B,C,D,E; labels: f_t, 5 bitwise left-rotate, 30 bitwise left-rotate, W_t, K_t, additions (+)]
◆ Special constant added (same value in each 20-step round, 4 different constants altogether)
◆ Logic function for steps
- (B∧C)∨(¬B∧D) 0..19
- B⊕C⊕D 20..39
- (B∧C)∨(B∧D)∨(C∧D) 40..59
- B⊕C⊕D 60..79
◆ Current message block mixed in
- For steps 0..15, W_0..W_15 = message block
- For steps 16..79, W_t = W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3}
◆ Multi-level shifting of message blocks
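The step and round structure described above, written out as a compact SHA-1 and checked against known digests. This is an added example, not code from the original slides. The initial buffer values, the four constants K_t, the padding rule and the 1-bit left rotation in the message schedule are taken from the SHA-1 standard (FIPS 180-4); they are not given in the text above.

```python
import struct

MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    """32-bit bitwise left-rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK

def f_and_k(t: int, b: int, c: int, d: int):
    """Logic function f_t and constant K_t for step t (one pair per 20-step round)."""
    if t < 20:
        return (b & c) | (~b & d), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6

def compress(state, block: bytes):
    """Process one 64-byte message block: 80 steps, then add the original buffer."""
    w = list(struct.unpack(">16I", block))            # W_0..W_15 = message block
    for t in range(16, 80):                           # W_16..W_79, with the standard's rotl by 1
        w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    a, b, c, d, e = state
    for t in range(80):
        f, k = f_and_k(t, b, c, d)
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(msg: bytes) -> str:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return "".join("%08x" % s for s in state)

if __name__ == "__main__":
    print(sha1(b"abc"))
```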
NIST Competition
◆ A public competition to develop a new cryptographic hash algorithm
- Organized by NIST (read: NSA)
◆ 64 entries into the competition (Oct 2008)
◆ 5 finalists in 3rd round (Dec 2010)
◆ Winner: Keccak (Oct 2012)
Integrity and Authentication
◆ Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message
[Figure: Alice and Bob each hold KEY; the message is sent together with its MAC (message authentication code) as message, MAC(KEY,message); check on receipt: = ?]
◆ Recomputes MAC and verifies whether it is equal to the MAC attached to the message
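The exchange above, with both sides written out. This is an added example, not part of the original slides: HMAC-SHA-256 stands in for the generic MAC, and the key, messages and function names are constructed. It also contrasts the MAC with an unkeyed hash attached to the message, which anyone who changes the message can simply recompute.

```python
import hashlib
import hmac

def mac(key: bytes, message: bytes) -> bytes:
    """MAC(KEY, message), instantiated here with HMAC-SHA-256."""
    return hmac.new(key, message, hashlib.sha256).digest()

def alice_send(key: bytes, message: bytes):
    """Alice transmits the message together with its MAC."""
    return message, mac(key, message)

def bob_accepts(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob recomputes the MAC and compares in constant time."""
    return hmac.compare_digest(mac(key, message), tag)

def checksum_accepts(message: bytes, tag: bytes) -> bool:
    """Baseline for comparison: an unkeyed hash attached to the message."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), tag)

def demo() -> dict:
    key = b"constructed-shared-key-0123456789"      # known only to Alice and Bob
    message, tag = alice_send(key, b"pay Bob 10")
    changed = b"pay Bob 9910"                       # message altered in transit
    return {
        "genuine": bob_accepts(key, message, tag),
        # Altered message with the original tag: recomputed MAC no longer matches.
        "changed_message_old_tag": bob_accepts(key, changed, tag),
        # Without KEY, a freshly computed tag is computed under the wrong key.
        "changed_message_wrong_key_tag": bob_accepts(key, changed, mac(b"not-the-key", changed)),
        # An unkeyed hash gives no authentication: the new digest verifies.
        "changed_message_unkeyed_hash": checksum_accepts(changed, hashlib.sha256(changed).digest()),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:32s} accepted={accepted}")
```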