ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. Vocabulary. hash value message digest hash total. m message.

Transcription

1 ECE 646 Lecture 11 Alice Message Digital Signature Signature Message Signature Bob & s Has Has Has value 1 Has value yes no Public key algoritm Has value 2 Public key algoritm Alice s private key Alice s public key Has Vocabulary arbitrary lengt m message as message digest as value message digest as total as fingerprint imprint (m) as value cryptograpic cecksum compressed encoding fixed lengt MDC, Message Digest Code Basic requirements 1. Public description, NO key 2. Compression arbitrary lengt input fixed lengt output 3. Ease of computation 1. Preimage resistance 2. 2nd preimage resistance Security requirements It is computationally infeasible Given y x and y=(x) To Find x, suc tat (x) = y x x, suc tat (x ) = (x) = y 3. Collision resistance x x, suc tat (x ) = (x)

2 Dependence between requirements (unkeyed) 2nd preimage resistant collision resistant One-Way Has Functions OWHF Collision-Resistant Has Functions CRHF preimage resistance 2nd preimage resistance collision resistance Given y Brute force attack against One-Way Has Function m i i=1..2 n 2 n messages wit te contents required by te forger I Creating multiple versions of te required message state confirm $10,000 ten tousand dollars Gaj on tereby - November 17, 11 / 17 / from tat I Tis borrowed received Kris Krzysztof money sum of money n - bits? (m i ) = y sould is required to by te 8 t 9 t be day of returned given back December Dec. to Gaj Brute force attack against Collision Resistant Has Function Yuval Creating multiple versions of te required message r messages acceptable for te signer m i i=1..r r messages required by te forger m j j=1..r I state confirm $10,000 ten tousand dollars tereby - from tat I borrowed received Kris Krzysztof Gaj on November 17, 11 / 17 / Tis money sum of money (m i ) n - bits (m i ) = (m j ) (m j ) n - bits sould is required to by te 8 t 9 t be day of returned given back December Dec. to Gaj

3 Message acceptable for te signer Birtday paradox on I I state confirm borrowed received sould is required to be tereby - from bencmarking in software. Bencmarking in ardware. tat on returned given back Kris Krzysztof December 1, 12 / 1 / to Tis a text item Gaj 2009 paper manuscript How many students must be in a class so tat tere is a greater tan 50% cance tat 1. one of te students sares te teacer s birtday (up to te day and mont)? 2. any two of te students sare te same birtday (up to te day and mont)? by te 8 t 9 t day of December Dec Birtday paradox How many students must be in a class so tat tere is a greater tan 50% cance tat 1. one of te students sares te teacer s birtday (day and mont)? ~ 366/2 = any two of te students sare te same birtday (day and mont)? Brute force attack against Collision Resistant Has Function Probability p tat two different messages ave te same as value: p = 1 exp ( r2 2 n ) For r = 2 n/2 p = 63% ~ Brute force attack against Collision Resistant Has Function J.J. Quisquater Storage requirements collision searc algoritm Number of operations: 2 π/2 2 n/ n/2 Storage: Negligible Has value size One-Way Collision-Resistant Older algoritms: n 64 n bytes 16 bytes Current algoritms: n 80 n bytes 20 bytes Newly proposed algoritms: n = 128, 192, 256 n = 256, 384, , 24, 32 bytes 32, 48, 64 bytes

4 Customized (dedicated) MD2 Rivest 1988 MD4 Rivest 1990 MD5 Rivest 1990 Has algoritms Based on block cipers MDC-2 MDC-4 IBM, Bractl, Meyer, Scilling, 1988 SHA-0 NSA, 1992 NSA, 1995 Based on modular aritmetic MASH RIPEMD European RACE Integrity Primitives Evaluation Project, 1992 RIPEMD-160 SHA-256, SHA-384, SHA-512 NSA, 2000 Attacks against dedicated as s known by 2004 MD2 MD4 MD5 partially broken, collisions for te compression, Dobbertin, 1996 (10 ours on PC) partially broken broken, H. Dobbertin, 1995 (one our on PC, 20 free bytes at te start of te message) SHA-0 weakness discovered, 1995 NSA, 1998 France SHA-256, SHA-384, SHA-512 RIPEMD RIPEMD-160 reduced round version broken, Dobbertin 1995 MD4 MD5 broken; Wang, Feng, Lai, Yu Crypto 2004 (1 r on a PC) Wat was discovered in ? broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, witout using a computer) SHA-0 attack wit 2 40 operations Crypto 2004 attack wit 2 63 operations Wang, Yin, Yu, Aug 2005 SHA-256, SHA-384, SHA-512 RIPEMD RIPEMD-160 broken; Wang, Feng, Lai, Yu, Crypto 2004 (manully, witout using a computer) In ardware: 2 63 operations Scneier, 2005 Macine similar to te one used to break DES: Cost = $50,000-$70,000 Time: 18 days or Cost = $0.9-$1.26M Time: 24 ours In software: Computer network similar to distributed.net used to break DES (~331,252 computers) : Cost = ~ $0 Time: 7 monts Recommendations of NIST (1) NIST Brief Comments on Recent Cryptanalytic Attacks on Feb 2005 Te new attack is applicable primarily to te use of as s in digital signatures. In many cases applications of digital signatures introduce additional context information, wic may make attacks impracticle. Oter applications of as s, suc as Message Autentication Codes (s), are not treatened by te new attacks. Recommendations of NIST (2) NIST was already earlier planning to witdraw in favor of SHA-224, SHA-256, SHA-384 & SHA-512 do roku 2010 New implementations sould use new as s. NIST encourages government agancies to develop plans for gradually moving towards new as s, taking into account te sensitivity of te systems wen setting te timetables.

5 SHA-3 Contest Timeline 2007 publication of requirements 29.X. 2007: request for candidates X.2008: deadline for submitting candidates 9.XII.2008: announcement of 51 candidates accepted for Round II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium 24.VII.2009: 14 Round 2 candidates announced VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA 3 Q: selection of finalists Number of Submissions Number of submissions received by NIST: 64 Number of submissions publicly available: 56 Number of submissions qualified to te first round: Q: last worksop 2 Q: selection of te winner 3 Q: draft version of te standard publised 4 Q: final version of te standard publised Basic Requirements for a new as ebash Must support as values of 224, 256, 384 and 512 bits Available worldwide witout licensing fees Secure over tens of years Suitable for use in - digital signatures FIPS message autentication codes, H, FIPS key agreement scemes, SP A - random number generators, SP At least te same security level as SHA-2 wit increased efficiency 1. Digital Signatures Advantages 1. Sorter signature Applications (1) 2. Muc faster computations 3. Larger resistance to manipulation (one block instead of several blocks of signature) 4. Resistance to te multiplicative attacks 5. Avoids problems wit different sizes of te sender and te receiver moduli Applications (2) 2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an intruder) program as fingerprint? = safe place original_fingerprint

6 3. Storing passwords password as as(password) Applications (3) Instead of: ID, password System stores: ID, as(password) password password password UNIX password sceme DES DES.... DES as(password, salt) salt salt salt ID, salt, as(password, salt) salt modifies te expansion E of DES 4. Fast encryption Applications (4) PRNG General sceme for constructing a secure as Message m Padding, appending bit lengt, M m i k i c i M 1 M 2... M t k 0 = as(k AB IV ) k 1 = as(k AB k 0 ) k n = as(k AB k n-1 ) or k 0 = as(k AB IV) k 1 = as(k AB c 0 ) k n = as(k AB c n-1 ) IV H 0 H 1 H 2 f f... compression H t g (m) output transformation Compression H i-1 General sceme for constructing a secure as n Entire as M i f H 0 = IV H i = f(h i-1, M i ) (m) = g(h t ) r n H i In n=160 r=512 In MD5 n=128 r=512 Has padding message lengt All zero padding: X X X X X X bits lengt of te entire message in bits Correct padding: X X X X X X

7 Parameters of new as s Features affecting security and ality SHA-256 SHA-384 SHA-512 Size of as value Complexity of te best attack Equivalently secure Skipjack AES-128 AES-192 AES-256 secret-key ciper Message size < 2 64 < 2 64 < < Parameters of new as s Features affecting implementation speed SHA-256 SHA-384 SHA-512 Message block size Number of digest rounds Speed Hardware implementations Conceptual comparison SHA-256 SHA-512, SHA-384 Area Results of te prototype FPGA implementation Speed in ardware [Mbit/s] GMU, Complexity SHA-512 of te best attack te same as Skipjack AES years ago Present U.S. Governemnt standards: Oter popular as s: MD5, RIPEMD Security status: MD4 broken (1995) replaced SHA-0 (1995) MD5 partially broken (collisions in compression, 1996) U.S. Governemnt standards:, SHA-224, SHA-256, SHA-384, SHA-512 Oter popular as s: Wirlpool winner of NESSIE Security status: MD5 broken (1 r on PC) SHA-0 broken RIPEMD broken (witout a need for computer) practically broken, best attack 2 63 operations only 128 x more tan breaking DES Attacks: Timeline U.S. Government standards: II FIPS 180 FIPS SHA-256, 384, 512 FIPS SHA-224 FIPS II Contests: I XII SHA-256, SHA-384, SHA-512, NESSIE Wirlpool MD5 collisions for compression, 10 rs on PC VIII SHA-0 attack wit 2 61 operations VIII broken: MD4, MD5, SHA-0, RIPEMD II-VIII attack on operacji

8 Alice Message Autentication Message Bob - Message Autentication Codes (keyed as s) arbitrary lengt m K AB Secret key of Alice and Bob Secret key algoritm K AB Secret key of Alice and Bob yes Secret key algoritm no secret key K message fixed lengt s Basic requirements 1. Public description, SECRET key parameter 2. Compression arbitrary lengt input fixed lengt output 3. Ease of computation Given zero or more pairs s Security requirements m i, K (m i ) i = 1..k it is computationally impossible to find any new pair Suc tat m, K (m ) m m i i = 1..k s Security requirements m 1 CBC- (1) m 2 m t Resistance against 1. Known-text attack 2. Cosen-text attack 3. Adaptive cosen-text attack 0 K E E K H 1 H 2 H t K E H t FIPS-113 K D K E

9 CBC- (1) s H 0 = IV = 0 H i = DES K (m i H i-1 ) i = 1..t Based on block cipers Based on as s Dedicated Based on stream cipers (m) = H t [1..32] or (m) = E K (E K -1 (H t ))[1..32] CBC- CFB- RIPE- H MD5- MAA CRC- C RIPE- H 0 = IV = 0 H i = DES K (m i H i-1 ) m i i = 1..t (m) = E K (E -1 K (H t ))[0..31] K = K 0xf0f0 f0 H Bellare, Canetti, Krawczyk, 1996 Used in SSL and IPSec H(m) = (K ipad (K opad m)) KEY opad = KEY H message m ipad, opad - constant padding strings of te lengt of te message block size in te as ipad = repetitions of 0x36 = opad = repetitions of 0x5A = KEY ipad = KEY American standard FIPS 198 Arbitrary as and key size H

10 Message Autentication Codes - s 10 years ago Present U.S. Government standards: U.S. Government standards: NESSIE: Winners of te contest: 2002 Message Autentication Codes, s (DAC) based on DES (since 1985) Number of certified implementations: (DAC): 34 ( ) Oter s in use: RIPE-3, CRC-, MAA (DAC) based on DES H based on as s used in SSL and IPSec C block ciper mode (AES, Triple DES, Skipjack) Number of certified implementations: H: 173 (XII IV. 2006) Oter s in use: U, TT, E winners of te NESSIE contest Security level Key size Output widt Name ig normal Origin U UC Davis 2. TT K.U. Leuven 3. E U. of Toronto 4. H NIST & NSA 32 k 32 k Message Autentication Codes Timeline U.S. standards: (DAC) V FIPS 113 (based on DES) H FIPS 198 (based on as s) C SP C III V Contests: Attacks: NESSIE 2002 Contest winners: U, TT, E R practical attack against proposed by NIST and based on Triple DES