Extending Hash Functions & Secure Password Techniques, Slides of Cryptography and System Security

This document, from Lecture 17 of CPSC 467b at Yale University, delivered by Michael J. Fischer, discusses extending hash functions to build stronger ones, secure password storage methods, and the risks of dictionary attacks. It also covers the use of salt to make dictionary attacks more difficult.

Typology: Slides

2010/2011

Uploaded on 10/06/2011

christina
Outline Hash Passwords
CPSC 467b: Cryptography and Computer Security
Lecture 17
Michael J. Fischer
Department of Computer Science
Yale University
March 24, 2010

1. Hash Function Constructions
   - Extending a hash function
   - A General Chaining Method
   - Hash Functions Do Not Always Look Random
   - Birthday Attack on Hash Functions
   - Hash from Cryptosystem

2. Authentication Using Passwords
   - Passwords
   - Secure Password Storage
   - Dictionary Attacks

Extending a hash function

Suppose we are given a strong collision-free hash function

h : 256-bits → 128-bits.

How can we use h to build a strong collision-free hash function

H : 512-bits → 128-bits?

We consider several methods. In the following, $M$ is 512 bits long. We write $M = m_1 m_2$, where $m_1$ and $m_2$ are 256 bits each.

Method 1

First idea. Let $M = m_1 m_2$ and define

$H(M) = H(m_1 m_2) = h(m_1) \oplus h(m_2)$.

Unfortunately, this fails to be either strong or weak collision-free. Let $M' = m_2 m_1$. $(M, M')$ is always a colliding pair for $H$ except in the special case that $m_1 = m_2$. Recall that $(M, M')$ is a colliding pair iff $H(M) = H(M')$ and $M \ne M'$.

Correctness proof for Method 2

Proof. Assume $H$ has a colliding pair $(M = m_1 m_2,\ M' = m'_1 m'_2)$. Then $H(M) = H(M')$ but $M \ne M'$.

Case 1: $h(m_1) \ne h(m'_1)$ or $h(m_2) \ne h(m'_2)$. Let $u = h(m_1)h(m_2)$ and $u' = h(m'_1)h(m'_2)$. Then $h(u) = H(M) = H(M') = h(u')$, but $u \ne u'$. Hence, $(u, u')$ is a colliding pair for $h$.

Case 2: $h(m_1) = h(m'_1)$ and $h(m_2) = h(m'_2)$. Since $M \ne M'$, then $m_1 \ne m'_1$ or $m_2 \ne m'_2$ (or both). Whichever pair is unequal is a colliding pair for $h$.

In each case, we have found a colliding pair for $h$. Hence, $H$ not strong collision-free ⇒ $h$ not strong collision-free. Equivalently, $h$ strong collision-free ⇒ $H$ strong collision-free.

A general chaining method

Let $h$ : $r$-bits → $t$-bits be a hash function, where $r \ge t + 2$. (In the above example, $r = 256$ and $t = 128$.) Define $H(m)$ for $m$ of arbitrary length. Divide $m$ after appropriate padding into blocks $m_1 m_2 \ldots m_k$, each of length $r - t - 1$. Compute a sequence of $t$-bit states:

$$\begin{aligned}
s_1 &= h(0^t\,0\,m_1) \\
s_2 &= h(s_1\,1\,m_2) \\
&\ \,\vdots \\
s_k &= h(s_{k-1}\,1\,m_k).
\end{aligned}$$

Then $H(m) = s_k$.

Correctness proof

Proof. Assume $H$ has a colliding pair $(m, m')$. We find a colliding pair for $h$. Let $m = m_1 m_2 \ldots m_k$ give state sequence $s_1, \ldots, s_k$. Let $m' = m'_1 m'_2 \ldots m'_{k'}$ give state sequence $s'_1, \ldots, s'_{k'}$. Assume without loss of generality that $k \le k'$. Because $m$ and $m'$ collide under $H$, we have $s_k = s'_{k'}$. Let $r$ be the largest value for which $s_{k-r} = s'_{k'-r}$. Let $i = k - r$, the index of the first such equal pair $s_i = s'_{k'-k+i}$. We proceed by cases. (continued...)

Correctness proof (case 1)

Proof. Case 1: $i = 1$ and $k = k'$. Then $s_j = s'_j$ for all $j = 1, \ldots, k$. Because $m \ne m'$, there must be some $\ell$ such that $m_\ell \ne m'_\ell$. If $\ell = 1$, then $(0^t\,0\,m_1,\ 0^t\,0\,m'_1)$ is a colliding pair for $h$. If $\ell > 1$, then $(s_{\ell-1}\,1\,m_\ell,\ s'_{\ell-1}\,1\,m'_\ell)$ is a colliding pair for $h$. (continued...)

Correctness proof (case 3)

Proof. Case 3: $i > 1$. Then $u = k' - k + i > 1$. By choice of $i$, we have $s_i = s'_u$, but $s_{i-1} \ne s'_{u-1}$. Hence, $h(s_{i-1}\,1\,m_i) = s_i = s'_u = h(s'_{u-1}\,1\,m'_u)$, so $(s_{i-1}\,1\,m_i,\ s'_{u-1}\,1\,m'_u)$ is a colliding pair for $h$. (continued...)

Correctness proof (conclusion)

Proof. In each case, we found a colliding pair for h. This contradicts the assumption that h is strong collision-free. Hence, H is also strong collision-free.
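The chaining method and its correctness proof, as an added example that is not part of the original slides. It builds H from a toy compression function h, then turns a collision in H into a collision in h with a single backward scan over both state sequences, which covers every case of the proof at once. The sizes r = 24 and t = 16, the truncated-SHA-256 stand-in for h, the padding rule and all function names are assumptions chosen so the example runs in well under a second.

```python
import hashlib
from itertools import count

R, T = 24, 16        # toy sizes (assumption); the slides' example has r = 256, t = 128
B = R - T - 1        # bits of message consumed per call to h

def h(x: str) -> str:
    """Toy compression function on bit strings: R bits -> T bits (truncated SHA-256)."""
    assert len(x) == R
    digest = int.from_bytes(hashlib.sha256(x.encode()).digest(), "big")
    return format(digest, "0256b")[:T]

def trace(m: str) -> list[tuple[str, str]]:
    """Return [(input to h, state s_j)] for j = 1..k.
    Padding is an assumption (the slides say only 'appropriate padding'):
    append a 1 bit, then 0 bits up to a multiple of B."""
    m += "1"
    m += "0" * (-len(m) % B)
    steps, state, flag = [], "0" * T, "0"      # s_1 = h(0^t 0 m_1)
    for j in range(0, len(m), B):
        x = state + flag + m[j:j + B]
        state = h(x)
        steps.append((x, state))
        flag = "1"                             # s_j = h(s_{j-1} 1 m_j) for j > 1
    return steps

def H(m: str) -> str:
    return trace(m)[-1][1]

def find_H_collision() -> tuple[str, str]:
    """Constructed inputs: binary counters. T = 16 makes a collision cheap to hit."""
    seen = {}
    for i in count():
        m = format(i, "b")
        d = H(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def h_collision_from(m1: str, m2: str) -> tuple[str, str]:
    """Scan both chains backwards from s_k = s'_k'. Equal h-inputs imply equal
    previous states, so the first unequal pair of inputs has equal outputs."""
    for (x1, s1), (x2, s2) in zip(reversed(trace(m1)), reversed(trace(m2))):
        assert s1 == s2
        if x1 != x2:
            return x1, x2
    raise ValueError("m1 and m2 are the same message")
```

The 0/1 flag bit is what makes the scan safe across messages of different lengths: a first-block input can never equal a later-block input, so the scan cannot run off the front of the shorter chain without finding a differing pair.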

Example of a non-random-looking hash function

Suppose h is a strong collision-free hash function. Define H(x) = 0 · h(x). If (x, x′) is a colliding pair for H, then (x, x′) is also a colliding pair for h. Thus, H is strong collision-free, despite the fact that the string H(x) always begins with 0. Later on, we will talk about how to make functions that truly do appear to be random (even though they are not).

Bits of security for hash functions

MD5 hash function produces 128-bit values, whereas the SHA–xxx family produces values of 160-bits or more. How many bits do we need for security? Both 128 and 160 are more than large enough to thwart a brute force attack that simply searches randomly for colliding pairs. However, the Birthday Attack reduces the size of the search space to roughly the square root of the original size. MD5’s effective security is at most 64 bits. ($\sqrt{2^{128}} = 2^{64}$.) SHA–1’s effective security is at most 80-bits. ($\sqrt{2^{160}} = 2^{80}$.)

Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu describe an attack that reduces this number to only 69-bits (Crypto 2005).

Birthday attack on hash functions

The birthday paradox can be applied to hash functions to yield a much faster way to find colliding pairs than simply choosing pairs at random.

Method: Choose a random set of k messages and see if any two messages in the set collide.

Thus, with only $k$ evaluations of the hash function, we can test $\binom{k}{2} = k(k-1)/2$ different pairs of messages for collisions.

Of course, these $\binom{k}{2}$ pairs are not uniformly distributed, so one needs a birthday-paradox style analysis of the probability that a colliding pair will be found. The general result is that the probability of success is at least 1/ when $k \approx \sqrt{n}$, where $n$ is the size of the hash value space.

Practical difficulties of birthday attack

Two problems make this attack difficult to use in practice.

1. One must find duplicates in the list of hash values. This can be done in time O(k log k) by sorting.
2. The list of hash values must be stored and processed.
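The birthday method with the sort-based duplicate search described above, as an added example that is not part of the original slides. The hash is SHA-256 truncated to a small number of bits (an assumption, so that n is small enough to experiment with); the message format and function names are also constructed for illustration. It also computes the exact collision probability for k uniformly random hash values, to compare with the measured success rate.

```python
import hashlib

def hbits(msg: bytes, bits: int) -> int:
    """Toy hash: the first `bits` bits of SHA-256, so n = 2**bits values."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def success_probability(k: int, n: int) -> float:
    """P[at least one colliding pair among k uniform values in a space of size n]."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= 1 - i / n
    return 1 - p_distinct

def birthday_search(bits: int, k: int, tag: bytes = b""):
    """Hash k constructed messages, sort the (hash, message) list in
    O(k log k), and scan adjacent entries for equal hash values.
    Returns a colliding pair of messages, or None if there is none."""
    msgs = [tag + str(i).encode() for i in range(k)]
    table = sorted((hbits(m, bits), m) for m in msgs)   # the list that must be stored
    for (h1, m1), (h2, m2) in zip(table, table[1:]):
        if h1 == h2:
            return m1, m2
    return None

def empirical_rate(bits: int, k: int, runs: int = 200) -> float:
    """Fraction of independent message sets of size k that contain a collision."""
    hits = sum(birthday_search(bits, k, b"run%d-" % r) is not None
               for r in range(runs))
    return hits / runs

def smallest_k(n: int, target: float = 0.5) -> int:
    """Smallest k whose success probability reaches `target`."""
    k = 1
    while success_probability(k, n) < target:
        k += 1
    return k

if __name__ == "__main__":
    n = 2 ** 16
    print("P(k = sqrt(n)):", round(success_probability(256, n), 3))
    print("measured      :", empirical_rate(16, 256))
    print("k for P >= 1/2:", smallest_k(n))
    print("sample pair   :", birthday_search(16, 2000))
```

Both practical difficulties show up directly in `birthday_search`: the whole table of k hash values is held in memory, and the sort dominates the running time.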