V.Sorge/E.Ritter, Handout 6

Transcription

1 Cryptography The University of Birmingham Autumn Semester 2015 School of Computer Science V.Sorge/E.Ritter, 2015 Handout 6 Summary of this handout: Cryptographic Hash Functions Merkle-Damgård MD4 MD5 SHA-1 Message Authentication Codes HMAC CBC-MAC PMAC In the previous sections we were primarily interested in enciphering messages to make them secure against eavesdropping. We also briefly discussed attacks such as deletion and insertion attacks for modes of operations, where an attacker actively alters the message that is being s. In general, none of the techniques discussed so far can guarantee that a message has not been tampered with and thus def against forms of malicious modification of content. In this handout we will look at some cryptographic techniques that aim to guarantee the authenticity of messages: Cryptographic hash functions and message authentication codes (MACs for short). II.4 Cryptographic Hash Functions Cryptographic hash functions provide a tool to test the integrity of messages. A cryptographic hash function takes an arbitrarily long message as input and produces, a generally much shorter, fixed length string, called hash value (or simply hash) or fingerprint, as output. Hash functions are used in principle in the following way: Suppose Alice wants to give Bob some means to check if he has received her message intact. She does this by taking a hash function to compute the fingerprint for here message and ss it alongside the (possibly encrypted) message. Upon receiving the message Bob can now use the same hash function as Alice to compute a second hash for the decrypted plaintext and compare his value with the one provided by Alice. Are the values the same, then the message is intact. If the values differ, then Bob knows that the message has been mutilated during transmission. In addition, Alice also wants to avoid that Eve can infer the message from the hash value (e.g., if the message was sent encrypted) or that Mallory can generate and s Bob a different message that has the same hash value as Alice s original message. In summary, a cryptographic hash functionhshould have the following properties: 1. The input can be of any length. 2. The output has a fixed length. 3. For any message or stringx,h(x) is easy to compute. 4. h is one-way, i.e., it is hard to invert, in the sense that for any y it is computationally infeasible to find an x such that y = h(x) 5. h is collision-free, i.e., for anyxit is computationally infeasible to find anx such ash(x) = h(x ). 48. One-way Functions A one-way function is one that is easy to compute but hard to invert. Or, in other words, given the output of the function it is difficult to find any input which yields this output. Good candidate one-way functions should be computable in polynomial time, but the best known algorithm to compute their inverse should take at least exponential time. Functions of this nature are, for instance, the prime-factorisation of large integers (multiplication is obviously easy, the factorisation is not) and the discrete logarithm problem. We will learn about these at a later point in the term. But to get an impression what the concept means, we consider a simple example from modular arithmetic. Suppose we know the value c a number is congruent to modulo some n. We are then faced with the problem to find the x such that x c(modn) holds. While it is computationally still easy 58

2 to compute the inverse, i.e., the possible candidate values for x, it is not necessarily easy to determine what the original value of x was. For example, it is easy to compute 17 2(mod3). However, finding the original value for x in x 2(mod3) is not that straightforward as x can be in {..., 4, 1,2,5,8,11,14,17,20,...}. 49. The Birthday Paradox Obviously no cryptographic hash function can be collision free. But we want at least that computing finding x and x with h(x ) = h(x) should be very hard. It is therefore important to know to what extent a function resists finding collisions. Suppose that the values h(x) are uniformly and unpredictably distributed. We observe a little example that illustrates how difficult it is to find good, collision free functions. The birthday paradox is that for a surprisingly small number of randomly chosen people (in fact, 23 people), the probability is more than 50% that at least two of them have the same birthday. For 60 or more people, the probability is greater than 99%. Obviously it cannot be 100% unless there are at least 366 people. The full distribution is given on the right. 50. Cryptographic Hash Functions vs. Hash (Table) Functions Cryptographic Hash Functions should not be confused with hash functions used to implement a hash table data structure! The latter are used to map a data object to a value that assigns it a particular place in a hash table for easy storage and retrieval. There is a certain similarity between cryptographic hash functions and hash table functions in that both map long bit strings to small values. However, in general hash table functions are easy to invert and, while a minimum of collisions is desirable, they do not have negative effects as there exist different strategies to deal with them in hash tables. II.4.1 Merkle-Damgård Construction We will first look at a general methodology to construct hash functions and then discuss some particular examples of hash functions. The Merkle-Damgård construction is a method to ext a fixed size compression function to an arbitrary size compression function. The compression function can either be specially designed for hashing or be built from a block cipher. The Merkle-Damgård approach is to break the input into blocks, and process them one at a time with the compression function, each time combining a block of the input with the output of the previous round. If the length of the original message is not a multiple of the block size of the compression functionf, we apply padding to ext the message length. However, simply padding with 0 bits is a potential security risk, since consider two bit strings of the form 0110 and If f works with blocks of size 8 then padding both bit strings with 0 would yield the same message and therefore the same result for f. To avoid this, one pads the message with a bit representation of the length of the message, which leads to different hashes in our example and leads to additional security for Bob as he can now also check for the right message length. This method is called Merkle-Damgård strengthening. To harden the hash further the last result is then often fed through a finalisation function g. The finalisation function can have several purposes such as compressing a bigger internal state (the last result) into a 59

3 smaller output hash size or to guarantee a better mixing and avalanche effect on the bits in the hash sum. The finalisation function is often built by using the compression function. Finally the whole procedure is kicked off by an initialisation value IV (similar to stream ciphers or some modes of operations for block ciphers), which is generally publicly available. The algorithm corresponds to the following operations, whereh i are intermediate hash values. H 1 = f(iv,x 1 ) H i = f(h i 1,x i ),i = 2,...,l H(x) = g(h l ) II.4.2 Example Hash Functions We have a look at a family of hash functions called the Message Digest algorithms or MD for short and its successors Secure Hash Algorithms or SHA. The algorithms not only vary in block size and number of layers of compression functions but also in speed and security. Generally one can say that the more secure a hash functions is the more time is needed to compute it. Here are some basic facts about some algorithms in the MD/SHA family: MD4 128-bits hash length, hashes roughly 270 MB per second. Collisions can be found in a matter of seconds. MD5 128-bits hash length, hashes roughly 216 MB per second. Collisions can be found in less than an hour on an ordinary PC. SHA bits hash length, hashes roughly 68 MB per second. Has been theoretically broken and a new, not brute-force attack has been published in However, it is still infeasible in practise. SHA bits hash length, hashes roughly 44.5 MB per second. Still considered secure. 51. Basic Structure of the MD and SHA Algorithms All MD and SHA algorithms are essentially round based, where in each round a different non-linear logical function is used for hashing. Each round in turn is broken down into a number of steps that iteratively apply the non-linear function of that round. Additionally, deping on round and step, different constants and/or parts of the message block are used during the hashing. The strengthening method is similar to all algorithms. First a 1 bit is apped to signal the of the message. Then0bits are added to pad to a multiple of the block length. Finally the number of bits of the message is added as a separate final block. 52. MD4 We first look at the MD4 algorithm, from which many algorithms in the MD and SHA family are derived. Variants of MD4 are still used in Peer-to-Peer networks to provide unique file identifiers, for instance in the ED2K URI scheme of emule. MD4 has 3 rounds of 16 steps for hashing message blocks of 512 bit length. Its final hash is 128-bits. I will not go into the gory details of the algorithm but rather present an overview. Throughout its computations MD4 maintains the 128 bit hash state as four chunks of 32 bit words (A,B,C,D). (A,B,C,D) is initialised with a fixed initialisation vector IV and, after hashing one block, is passed as initialisation to the hash function applied to the next block. 60

4 The message is partitioned into 512 bit blocks, which in turn are broken down into 16 chunks of 32 bits each, M 0,...,M 15. Each message chunk is used for hashing once in each round, however, the order in which messages are used deps on the round. The three non-linear functionf,g,h for rounds1,2,3, respectively, take three32 bit variables as input and produce a32 bit output each. In detail the functions are: F(X,Y,Z) = (X Y) ( X Z) G(X,Y,Z) = (X Z) (Y Z) H(X,Y,Z) = X Y Z After the three rounds have been executed the four 32 bit chunks of the initial hash values are added to the resulting hash values and the concatenation of the result is returned as hash. Here is an overview of the algorithm and its first round: (H 1,H 2,H 3,H 4 ) := (A,B,C,D) Round 1 fori := 0 to15 do t := A+F(B,C,D)+M i +K 1 (A,B,C,D) := (D,t s i,b,c) Round 2 fori := 16 to31 do t := A+G(B,C,D)+M z(i) +K 2 (A,B,C,D) := (D,t s i,b,c) Round 3 fori := 32 to47 do t := A+H(B,C,D)+M z(i) +K 3 (A,B,C,D) := (D,t s i,b,c) (A,B,C,D) := (H 1 +A,H 2 +B,H 3 +C,H 4 +D) Observe that in MD4 several elements vary from round to round or from step to step of the algorithm: K 1,K 2,K 3 are three constants of a known, fixed value. The operants s i of the left rotations vary from step to step. They are odd numbers between 3 and 19. z(i) is a function mapping a step value to a value between 0 and 15 in order to select a message. Observe that in the first round z is the identity mapping. Finally, the addition is on 32 bit numbers or modulo MD5 MD5 is an extension of MD4. It has the same basic parameters, i.e. it works on works on512 bit message blocks and produces 128 bit hashes. It also uses the same initialisation vector as MD4. But while MD4 operates in3rounds, MD5 performs4rounds of 16 steps. Rounds one to three are the same as those in MD4, including the constants and rotation operants. Round 4 is of a similar structure as the other rounds, however, it employs a different non-linear function, namely I(X,Y,Z) = Y (X Z). Round 4 fori := 48 to63 do t := A+I(B,C,D)+M z(i) +K 4 (A,B,C,D) := (D,t s i,b,c) 61

5 MD5 is widely used to ensure file integrity for software downloads, in particular for software distribution packages on UNIX systems. It is also used for password storage. The following is an example of MD5 hashes for two simple texts that vary in one letter only (the quotation marks are NOT part of the string and thus do not affect the hash value). We can see the avalanche effect, i.e. how much a small change in the input affects the output hash. MD5( School of Computer Science ) = 0x27E6E DF33AC499909E886BE19 MD5( School Of Computer Science ) = 0x1AF64C0CDC566FCFE2101EF221D62B SHA-1 While MD5 strengthened MD4 by adding one more round of hashing with a new non-linear function, SHA-1 exts the hash size by one more 32 bit block to 160 bit. Although SHA-1 uses 4 rounds of 20 steps each, it can nevertheless be seen as an extension of MD4 since it reuses the MD4 s non-linear functions, F in round 1, G in round 3, and H in rounds 2 and 4. It also reuses the constants and initial valueiv of MD4, but exts it by one more32 bit block. On the other hand SHA-1 has a different approach to using the message blocks. Instead of reusing the same message blocks throughout all steps of the algorithm and only permuting the order of their use, SHA-1 uses the initially 16 blocks of 32 bits to compute another 64 different blocks with the following scheme: forj := 16 to79 do X j := ((X j 3 X j 8 X j 14 X j 16 ) 1) SHA-1 also works with slightly changed permutations and rotations in the actual functions. For example the first round of the algorithm looks like this: SHA-1 is employed in many applications, such as TSL, SSL, SSH, or BitTorrent. Here is our example text as an SHA-1 hash: SHA-1( School of Computer Science ) = 0xC413EE5FA5A7F89B30FD576852A76DC5320F142B SHA-1( School Of Computer Science ) = 0x2202ED5DBE2A59D7F07EB1888D0F99B453F1F SHA-2 Since SHA-1 will be fully broken in a matter of time, the new generation are the SHA-2 algorithms, which are named after their hash length, e.g., SHA-256, SHA-384, SHA-512. They increase the security by introducing more different bitwise operations as well as working with longer block sizes. II.4.3 Building Hashes from Block Ciphers We can also construct hash functions from block ciphers. We will have a brief look at three of these schemes, all of which use a constant public initial value IV to kick off hashing. In addition some of 62

6 the schemes employ a function to compute keys from message blocks. In the following let E be the encryption function of ann-bit block cipher. And let g be a function that mapsn-bit inputs to keys. Davies-Meyer H 0 = IV H i = E mi (H i 1 ) H i 1 Matyas-Meyer-Oseas H 0 = IV H i = E g(hi 1 )(m i ) m i Miyaguchi-Preneel H 0 = IV H i = E g(hi 1 )(m i ) H i 1 m i 56. Example An example of a hash function built from a block cipher is Whirlpool. It is based on a modified version of the AES block cipher and computes a 512-bit hash from bits input. It hashes roughly 12.1 MB per second. II.5 Message Authentication Codes (MAC) A message together with its fingerprint computed by a cryptographic hash function, ensures that data has not been tampered with during transmission if Bob can successfully recompute the same hash value Alice has attached to her message. However, using a hash function in this way requires the hash value itself to be protected in some way, as otherwise the hash itself could be tampered with. To avoid this problem one can use a form of keyed hash function called a message authentication code, or MAC. This is a symmetric key algorithm where both Alice and Bob need to share a key. Alice can then protect the integrity of her message by sing the keyed MAC that only Bob can reproduce from the message. For a message M and a key K we denote the MAC value by MAC K (M). The message from Alice to Bob is then of the form M MAC K (M) We do not assume that the message M is encrypted. In fact, if Alice and Bob want to keep the message secret as well, they can s a MAC for the ciphertext C rather than the message: C MAC K (C) Note that the MAC key K can be different from the encryption key K used ine K = C. There are various ways to build MACs from hash functions or from block ciphers. We will have a look at three of them. II.5.1 HMAC HMAC is a method to build MACs from a hash function. Let h be the hash function that operates on block lengthn, where the length of keyk is less or equal ton. We also have two publicly known padding constantsp 1 andp 2 both of lengthn. An HMAC is then computed by: ( ( HMAC K (M) = h (K P 1 ) h (K P 2 ) M) ), This method looks awfully complicated. However, just concatenating the key and the message and then applying the hash function to it can be easily broken if the hash function is known and the message is sent plaintext. 63

7 II.5.2 CBC-MAC CBC-MAC is a method to build a MAC from a block cipher using the Code Book Chaining mode of operation. It produces an m-bit MAC from ann-bit block cipher, wherem n by 1. padding M to be divisible into n-bit blocks, 2. encryptm with the block cipher in CBC mode with initial value 0, 3. take the final block as MAC. Schematically the CBC-MAC method works as follows: II.5.3 PMAC The problem with CBC-MAC is that it needs to encrypt the entire message with a computationally expensive block cipher before we obtain the MAC both when sing the MAC and when verifying it. While this is very secure, it is also rather slow. The PMAC method addresses this problem by introducing parallelisation. PMAC makes use of the following components: The messagem = M 1 M 2... M r 1 M r partitioned into r blocks of sizen. Two keys K andl A special efficient functionp that takesk and the block number1 i r and computesk x i in a finite field of order 2 n. Here n is the block size of the block cipher and K is viewed as a polynomial of order at mostn. We computeb i := E(K,M i P(K,i)) fori = 1,...,r. Finally we computepmac = E(L,b 1... b r ). In overview PMAC looks like this: M 1 M 2... M r 1 M r P(K,1) P(K,2) P(K,r 1) P(K,r) K E K E K E K E L E result One can show for PMAC that the MAC function is as secure as the underlying block cipher used. 57. Other MACs Various other approaches of constructing MACs for arbitrary length messages from block ciphers or hashes include UMAC, OMAC, CMAC. 64

8 III. Security definitions In this section we give formal definitions and proofs of security for hash functions and message authentication codes. III.1 Security of hash functions The Merkle-Damgård-construction will only work if the size of the input is a multiple of the size of the input of the compression function used. Hence suitable padding is needed. It is important to get the padding right, otherwise security will not be maintained. A suitable padding scheme consists of adding 10 0 msglen, wheremsglen is the length of the message (as a 64 bit binary number). If necessary, an extra block is added to the message. Theorem 24 Ifhis a collision-resistant compression function, and messages are padded as above, then the Merkle-Damgåard construction without a finalisation function produces a collision-resistant hash function. Proof. Let H be the result of applying the above padding followed by the Merkle-Damgård construction. Let h be the compression function used in the Merkle-Damgård construction. We show that a collision forh implies the existence of a collision forh. Assume M and M are two messages such that M M and H(M) = H(M ). Let PB and PB be the padding for M and M respectively. Let M 1,...,M k and M 1,...,M k be the blocks of M PB and M PB respectively. Let t 1,...,t k and t 1,...,t k be the result of applying h to M 1,...,M k and M 1,...,M k respectively. Now consider the length of the bitstrings M and M. There are two cases. Firstly, ifm andm have different length, by the construction of the padding scheme, the last blocksm k andm k ofm andm respectively are different. Hence the last step of the Merkle-Damgård construction produces a collision forh. Secondly, assume that M and M have the same length. Hence the padding PB of M and M is the same. Let k be the number of blocks in M PB. Let M i and M i be the first block where M PB and M PB differ. We show by induction over j that if M k j M k j or t k j 1 t k j 1, where t 0 = t 0 is the initialisation vector for the Merkle-Damgård construction, then there exists a collision of h. j = 0 : By assumptiont k = t k but M k M k or t k 1 t k 1. Hence Hence there is a collision forh. h(t k 1,M k ) = t k = t k = h(t k 1,M k ) j > 0 : We assume the induction hypothesis holds forj 1 and show that it holds forj. Hence assume that M k j M k j or t k j 1 t k j 1. There are two cases. Firstly, if h(t k j 1,M k j 1 ) = t k j = t k j = h(t k j 1,M k j 1 ) we have a collision for h. Secondly, if t k j t k j, we apply the induction hypothesis and obtain a collision for h as well. Figure 2 illustrates this step. 65

9 j j 1 M k j M k j+1 t k j 1 t k j t k j+1 Figure 2: Illustration for proof of theorem 24 66