Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

Size: px

Start display at page:

Download "Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut"

Marjory Price
5 years ago
Views:

1 Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut

2 What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency. 2. One-wayness. 3. Collision Resistance.

3 Applications A short representation of a file. Can be used for detection of channel errors or malicious errors. Can be used for source authentication. Can be used to produce randomly looking data. Can be used to ensure that certain events happen after others.

4 One-way Hashes General Problem statement: Given recover Also termed pre-image resistance Important, e.g., for password hashing, and other applications

5 Collisions Second Pre-image attack Given Find Collision attack Find

6 Hashing for modification detection At time t, Alice gives h=h(msg) to Bob. At a later time, Alice presents Bob msg; Bob can be convinced that it was the one Alice had in mind used in the computation of h. be careful though :

7 Hash as Commitment? Sealed bid Auctions : Implementation : bidders submit Hash(bid) publicly Is this a good idea? Second pre-image attack ensures a binding property. One-wayness does not necessarily ensure a hiding property.

8 The birthday paradox How many people should be in a room so that the probability that two of them share a birthday becomes larger than 50%?

9 The paradox explained

10 Finding Collisions Random sampling Store N such pairs in a table. Sort the table according to the second coordinate. Linear pass to find if any entries have equal second coordinate.

11 Complexity Storage : N Time : ~ 2N + N log N How to choose N for 50% probability of success: This is why the length of hash function output is typically selected double the length of the key of a current symmetric cipher.

12 Designing Hash Functions General design principles similar to block ciphers. High diffusion is important.

13 Merkle Damgård Design Suppose that you have a compression function. IV HASH

14 Observation If the previous construction is used then given One can easily find the hash of some message of the form: How? Hash functions constructed as above they are called Iterated Hash Functions A basic design paradigm (and one that has lead to frequent problems).

15 MACs Keyed hash functions: Required Property Computational Resistance: Given any sequence of pairs It is hard to produce an additional pair:

16 Usage of MACs Data Origin Authentication. Sender and Receiver share k. All messages have a MAC appended.

17 Constructing MACs Generic construction based on a hash function: Not good: if an iterated hash function is employed this will allow an attack.

18 Design from Cipher CBC MAC: E E E

19 Hash functions MD4: 128 bits, Broken MD5: 128 bits Wide Usage. Broken in SHA-1: 160 bits Wide Usage. Broken in SHA-256, SHA New standards. Still concerns about design methodology. Tiger 192 bits 1995, Whirlpool 512 bits (2000)

20 The SHA Family SHA-0 was made a standard by NIST in It was designed by NSA. In 1995 a technical revision was added that added an additional rotation operation. This was SHA-1. In 1998 collisions against SHA-0 were demonstrated in Crypto 1998) steps (Chabaud - Joux

21 The SHA Family, II SHA-1 was thought to be secure but evidence to the contrary was emerging (near-collisions, collisions on reduced round versions etc.) Finally: Collisions were found in steps Wang, Yin, Yu, Crypto SHA-1 is considered broken and its usage will be discontinued.

22 The SHA Family, III Isn t still too high? [Wang-Yao-Yao 05] announced new collision attacks of complexity: [De Caniere and Rechberger 06] - towards more structured collisions for SHA-1

23 Still... The above results do not necessarily mean that current products that use SHA-1 are insecure [remember our definition of security]. Moreover There are ways to employ hash functions so that collision finding is made harder(e.g., salting techniques). Modify hash functions in a modular way.

24 URLs to check The story of Alice and her Boss. MD5 collisions. Colliding X.509 certificates.

25 Assigned Reading I. Mironov, Hash functions: Theory attacks and applications.

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ). CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value