New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
|
|
- Barrie Leonard
- 6 years ago
- Views:
Transcription
1 New Key-Recovery Attacks on MAC/NMAC-MD4 and NMAC-MD5 Lei Wang, Kazuo Ohta and Noboru Kunihiro* The University o Electro-Communications * The University o Tokyo at present. 1
2 Motivation o This Research MAC has been widely applied in many protocols including SSL, TLS, SS, IPSec and so on. NMAC is theoretical oundation o MAC: attacks on NMAC (without related-key setting) can be applied to MAC. In this presentation, we will pick NMAC as an example. 2
3 Structure o NMAC M k 2 k 1 M: massage; k 1 : the outer key; One structural weakness o NMAC based on iterating hash unctions: k 1 k 2 : the inner key; and k 2 can be recovered separately. Corresponding hash unctions will be the inner and outer hash unctions. 3
4 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 k 1 1. Obtain one pair messages (M, M ) cause collision o NMAC. k 2 M collision 2. Randomly generate r, and check whether (M r, M r) collide. I collision does not happen, repeat steps 1 and 2. k 1 4
5 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 To recover k 2 : k 1 1. guess the value o k 2. k 2 M collision 2. check whether the guessed k 2 can satisy that (M, M ) cause the inner collision. k 1 5
6 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 To recover k 1 ater k 2 has been recovered: recovered k 1 1. guess the value o k 1. k 2 M 2. check whether the guessed k 1 can satisy that NMAC(M) using guessed k 1 is the same with orginal value. k 1 6
7 Security Boundary o NMAC M Suppose bit-length o hash value and secret keys is n: Whatever is, k 2 NMAC One collision can I underlying be ound by hash 2 n/2 queries unction with is weak, more a high probability powerul using the key-recovery birthday attack. attack is possible. k 1 Both secret keys o NMAC can be recovered with 2 n/2 online queries and 2 n+1 oline computations. 7
8 Key-Recovery Attacks on NMAC Wang et al. revealed weakness o several hash unctions rom MD4 amily, which leaded to key-recovery attacks on NMAC based on speciic weak hash unctions: At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SA-1. At Crypto 2007, Fouque, Leurent and Nguyen proposed ull-key recovery attacks on NMAC-MD4 and NMAC-MD5. At Financial Crypt 2007, Rechberger and Rijmen proposed ull-key recovery attacks on NMAC-MD5 and NMAC-SA-1. 8
9 Key-Recovery Attacks on NMAC Wang et al. revealed weakness o several hash unctions rom MD4 amily, which leaded to key-recovery attacks on NMAC based on speciic weak hash unctions: At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SA-1. At Crypto 2007, Fouque, Leurent and Nguyen proposed ull-key recovery attacks on NMAC-MD4 and NMAC-MD5. At Financial Crypt 2007, Rechberger and Rijmen proposed ull-key recovery attacks on NMAC-MD5 and NMAC-SA-1. Related to our research. 9
10 Framework o Key-Recovery Attacks 1. Online work. Secret key will be partially recovered by online queries. 2. Oline work. Theoretically interesting! In this presentation, we only ocus on online work. The remaining part o secret key will be recovered by the exhaustive search. 10
11 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on MAC/NMAC-MD4 and NMAC-MD5: NMAC M 1 : the value is known based on the knowledge o k 2. 2 : detect whether collision happens. k 2 1 MD4: set conditions on k 1 or collision attack. k 1 2 I collision happens with expected number o pair queries, k 1 can satisy the conditions; Otherwise, k 1 can not satisy the conditions. 11
12 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on MAC/NMAC-MD4 and NMAC-MD5: NMAC M 1 : the value is known based on the knowledge o k 2. 2 : detect whether collision happens. k 2 1 MD5: recover internal states in outer MD5, and then inverse calculate k 1. k 1 2 modiying the value at point conditions on internal states. 1 to set I collision happens with expexted number o queries, internal states satisy conditions. 12
13 Analysis o previous work k 2 NMAC M We will reduce the complexity or these two cases! k The outer-key recovery attack is much more expensive than the inner key recovery attack. Main reason: control ability and reedom lost at point. 1 MD4: pre-determined pair dierence should be generated. MD5: partially pre-ixed pair values should be generated during modiiying inner hash values. 13
14 Advantages o Our Attack (MD4) MAC/NMAC-MD4: Previous work: Point 1 : generate pre-determined pair dierence. Dierential attack: real collision. Our work: Point 1 : the same with previous work. Dierential attack: near collision attack, which reduces the complexity, since generating one near-collision needs less pair queries. Moreover it can recover more bit- values. 14
15 Advantages o Our Attack (MD4) [FLN 07] Our Work Online complexity #bits by online Oline comlexity Total complexity MAC/NMAC-MD4: both online and oline complexities have been improved. 15
16 Advantages o Our Attack (MD5) NMAC-MD5: Previous work: Point 1 the number o pre-ixed values will increase with the number o recovered bits. : generate partially pre-ixed values. Dierential attack: real collision (FLN work), near-collision (RR work). Our work: Point 1 : not necessary (online work). k 1 can be recovered partially without the knowledge o k 2 at all. Dierential attack: near-collision. 16
17 NMAC-MD5: Previous work: Point Advantages o Our Attack (MD5) 1 : generate partially pre-ixed values. Dierential attack: real collision (FLN work), near-collision (RR work). Up to 53 bits can be recovered. Our work: Point 1 Complexity becomes higher than the exhaustive search to recover remaining bits ater 28 bits recovered. : not necessary (online work). k 1 can be recovered partially without the knowledge o k 2. Dierential attack: near collision attack. 17
18 Usage o Near-collision attacks In Financial Cryptography 2007, Rechberger and Rijmen utilized near-collisions on MD5 to recover the outer key o NMAC-MD5, which might be the irst usage o near-collision to attack MAC and NMAC. 18
19 Advantages o Our Attack (MD5) [FLN 07] [RR 07] Our Work Online complexity #bits by online Oline comlexity Total complexity NMAC-MD5: more bit-values can be recovered by online work. The outer key can be partially recovered without the knowledge o the inner key. 19
20 One Novelty o Our Attack k 2 NMAC M k 1 A new approach o key-recovery technique: utilizing eed-orward operation. The inner hash value ater padding is only one block: CF: compression unction. M 0 M 1 M n IV CF CF CF 20
21 One Novelty o Our Attack k 2 NMAC M k 1 A new approach o key-recovery technique: utilizing eed-orward operation. The inner hash value ater padding is only one block: CF: compression unction. h in k 1 CF NMAC value 21
22 CFs o MD4 and MD5 CFs o MD5 and MD4 : h in E denotes n-step updating unctions: n is 64 and 48 or MD5 and MD4 respectively. CF k 1 E + NMAC value We will obtain output o E, then recover k 1. 22
23 Our outer key-recovery attacks on MAC/NMAC-MD4 We will omit description o NMAC-MD5 case because o limited time. 23
24 Procedure o Our Attack 1. Obtain output o E in the outer MD4. h in E k 1 + NMAC value 24
25 Obtain Output o E or MD4 Case 1. Determine message dierence and dierential path or nearcollision attack: Model o near-collision attack: Local collisions. The other dierences only exist in last several steps. 25
26 Our Near-Collision on MD4 Message dierences: m 3 = 2 i Dierential path: The local Collision rom step 1 until step 29; The other dierences only exist in the last 4 steps in third round. 26
27 3R o MD4 a 32 b 32 c 32 d 32 a 36 b 36 c 36 d 36 a 40 b 40 c 40 d 40 a 44 b 44 c 44 d 44 m 0 m 2 m 1 2 i m 3 <<< 3 <<< 3 <<< 3 <<< 3 a 33 b 33 c 33 d 33 a 37 b 37 c 37 d 37 a 41 b 41 c 41 d 41 a 45 b 45 c 45 d 45 m 8 m 10 m 9 m 11 <<< 9 <<< 9 <<< 9 <<< 9 a 34 b 34 c 34 d 34 a 38 b 38 c 38 d Local collision 38 a 42 b 42 c 42 d 42 a 46 b 46 c 46 d 46 m 4 m 6 m 5 m 7 <<< 11 <<< 11 <<< 11 <<< 11 a 35 b 35 c 35 d 35 a 39 b 39 c 39 d 39 a 43 b 43 c 43 d 43 a 47 b 47 c 47 d 47 m 12 m 14 Local m 13 collision <<< 15 <<< 15 <<< 15 <<< 15 m 15 a 36 b 36 c 36 d 36 a 40 b 40 c 40 d 40 a 44 b 44 c 44 d 44 a 48 b 48 c 48 d 48 27
28 Obtain Output o E or MD4 Case 1. Determine message dierence and dierential path or nearcollision attack 2. Obtain output o E by detecting near-colliding shape. 28
29 One Weakness o Feed-Forward Operation (k a, k b, k c, k d ): 128-bit k 1 divided into our 32-bit values. (a 48, b 48, c 48, d 48 ): output o E in the outer MD4 divied into our 32- bit values. (h a, h b, h c, h d ): inal output o NMAC divided into our 32-bit values. (h a, h b, h c, h d ) = (k a + a 48, k b + b 48, k c + c 48, k d + d 48 ) Consequently, we can obtain output o E by detecting dierence propagation in last 4 steps. h a = a 48 h b = b 48 h c = c 48 h d = d 48 29
30 a 44 b 44 c 44 d 44 One Toy Example collision a 44 b 44 c 44 d 44 m 3 m 11 <<< 3 <<< a 45 b 45 c 45 d 45 9 a 46 b 46 c 46 d 46 m 3 m 3 = 2 i+3 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; h d = 2 i+12 ; m 3 m 11 <<< 3 a 45 b 45 c 45 d 45 <<< 9 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 a 48 = 2 i+3 ; c 48 = 2 i i i+23 ; d 48 = 2 i+12 ; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 30
31 a 44 b 44 c 44 d 44 One Toy Example collision a 44 b 44 c 44 d 44 m 3 m 11 <<< 3 <<< a 45 b 45 c 45 d 45 9 a 46 b 46 c 46 d 46 m 3 m 3 = 2 i+3 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; h d = 2 i+12 ; m 3 m 11 <<< 3 a 45 b 45 c 45 d 45 <<< 9 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 a 48 = 2 i+3 ; c 48 = 2 i i i+23 ; d 48 = 2 i+12 ; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 31
32 m 3 a 44 b 44 c 44 d 44 <<< 3 One Toy Example collision a 44 b 44 c 44 d 44 m 3 <<< 3 m 11 a 45 b 45 c 45 d 45 <<< 9 b 45 = a 48 = 2 i+3 ; m 11 a 45 b 45 c 45 d 45 <<< 9 m 7 a 46 b 46 c 46 d 46 b 46 = d 48 = 2 i+12 ; m 7 a 46 b 46 c 46 d 46 <<< 11 a 47 b 47 c 47 d 47 b 47 = c 48 = 2 i i i+23 ; <<< 11 a 47 b 47 c 47 d 47 m 15 <<< 15 m 15 <<< 15 a 48 b 48 c 48 d 48 a 48 b 48 c 48 d 48 32
33 m 3 a 44 b 44 c 44 d 44 <<< 3 One Toy Example collision a 44 b 44 c 44 d 44 m 3 <<< 3 m 11 a 45 b 45 c 45 d 45 <<< 9 b 45 = a 48 = 2 i+3 ; m 11 a 45 b 45 c 45 d 45 <<< 9 m 7 a 46 b 46 c 46 d 46 b 46 = d 48 = 2 i+12 ; m 7 a 46 b 46 c 46 d 46 <<< 11 a 47 b 47 c 47 d 47 b 47 = c 48 = 2 i i i+23 ; <<< 11 a 47 b 47 c 47 d 47 m 15 <<< 15 m 15 <<< 15 a 48 b 48 c 48 d 48 a 48 b 48 c 48 d 48 33
34 One Toy Example a 46 b 46 c 46 d 46 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 a 47 b 47 c 47 d 47 b 47 should be caused by b 46 and c 46 : c 46 = 2 i+3 ; b 46 = 2 i+12 ; b 47 = 2 i i i+23 ; unction works bit-independently a 47 b 47 c 47 d 47 Both 2 i+14 and 2 i+15 are caused by 2 i+3 o c
35 One Toy Example a 46 b 46 c 46 d 46 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 a 47 b 47 c 47 d 47 a 47 b 47 c 47 d 47 Both 2 i+14 and 2 i+15 are caused by 2 i+3 o c 46. unction works bit-independently c 46 : + 2 i+3 : c 46 : i
36 One Toy Example a 44 b 44 c 44 d 44 m 3 <<< 3 a 45 b 45 c 45 d 45 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; m 11 h d = 2 i+12 ; <<< 9 m 7 a 46 b 46 c 46 d 46 <<< 11 a 48,i+3 = c 46, i+3 =1; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 By similar way, we will obtain many messages such that bit-values o output o E has been recovered. 36
37 Procedure o Our Attack 1. Obtain output o E o the outer MD4. 2. Recover the outer key using output o E o the outer MD4. 37
38 The Toy Example We obtained one message such that a 48, i+3 =1, and its corresponding MAC value: 31 ~ i+4 i+3 i+2 ~ 0 k a : + a 48 : 1 h a : Carry inluence rom bits i+2 to i+3? Can be calculated! Known h a,(i+2)~0 k a, (i+2)~0 : no carry during k a, (i+2)~0 +a 48, (i+2)~0 h a,(i+2)~0 <k a, (i+2)~0 : a carry during k a, (i+2)~0 +a 48, (i+2)~0 38
39 The Toy Example We obtained one message such that a 48, i+3 =1, and its corresponding MAC value: 1. Guess the values k a, (i+2)~0. By similar way, we can recover the outer key 2. Compare k a, (i+2)~0 partially with using h a, (i+2)~0 the. obtained messages. h a,(i+2)~0 k a, (i+2)~0 : no carry during k a, (i+2)~0 +a 48, (i+2)~0 h a,(i+2)~0 <k a, (i+2)~0 : a carry during k a, (i+2)~0 +a 48, (i+2)~0 3. Calculate the bit-value o k a, i+3. 39
40 Experiment 2 i m 3 a 44 b 44 c 44 d 44 <<< 3 It is impossible to apply the real experiment because o complexity. m 11 a 45 b 45 c 45 d 45 Instead, we did two separate experiments: <<< 9 m 7 <<< 11 m 15 a 46 b 46 c 46 d 46 a 47 b 47 c 47 d 47 Conirm the correctness o dierential path o the local collision in irst and second rounds. Conirm the correctness o key-recovery technique: randomly generate chaining variables in step 44. <<< 15 a 48 b 48 c 48 d 48 40
41 Conclusion We proposed new outer-key recovery attacks on MAC/NMAC- MD4 and NMAC-MD5: There might be two interesting points: New approach o key-recovery attack: using eedorward operation o MD4 and MD5. One near-collision model: local collisions + the other dierence propagation in last several steps. 41
42 Complexity Comparison Standard Attack Related-Key Attack 42
43 Thank you & Question 43
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, and Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05,
More informationComputer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency.
More informationNew Generic Attacks Against Hash-based MACs
New Generic Attacks Against Hash-based MACs Gaëtan Leurent 1, Thomas Peyrin 2, and Lei Wang 2 1 Université Catholique de Louvain, Belgium gaetan.leurent@uclouvain.be 2 Nanyang Technological University,
More informationGeneric Related-Key Attacks for HMAC
Generic Related-Key Attacks for HMAC Thomas Peyrin 1,, Yu Sasaki 2,andLeiWang 1,3 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
More informationA Novel Rainbow Table Sorting Method
A Novel Rainbow Table Sorting Method Hwei-Ming Ying, Vrizlynn L. L. Thing Cryptography & Security Department Institute for Infocomm Research, Singapore {hmying,vriz}@i2r.a-star.edu.sg Abstract As users
More informationImproved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 30, 1789-1806 (014) Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Hash Function * JIAN ZOU 1,, WENLING WU 1, SHUANG
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationA new key recovery attack on the ANSI retail MAC
A new key recovery attack on the ANSI retail MAC Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK c.mitchell@rhul.ac.uk 13th November 2002 Abstract
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationAn Enhanced Hash-based Message Authentication Code using BCrypt
An Enhanced Hash-based Message Authentication Code using BCrypt Jerone B. Alimpia 1, Dr. Ariel M. Sison 2, and Dr. Ruji P. Medina 3 1, 2, 3 Technological Institute of the Philippines - Quezon City, Philippines
More informationPractical attacks on the Maelstrom-0 compression function
Practical attacks on the Maelstrom-0 compression function Stefan Kölbl, Florian Mendel Graz University of Technology, A-8010 Graz, Austria stefan.koelbl@student.tugraz.at Abstract. In this paper we present
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationCryptanalysis of the Dedicated Hash Functions
Cryptanalysis of the Dedicated Hash Functions Ali Doğanaksoy, Onur Özen, Fatih Sulak, Kerem Varıcı, Emre Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey, {aldoks,
More informationInternet Engineering Task Force (IETF) Request for Comments: 6194 Category: Informational. IECA P. Hoffman VPN Consortium March 2011
Internet Engineering Task Force (IETF) Request for Comments: 6194 Category: Informational ISSN: 2070-1721 T. Polk L. Chen NIST S. Turner IECA P. Hoffman VPN Consortium March 2011 Security Considerations
More informationMessage authentication
Message authentication -- Reminder on hash unctions -- MAC unctions hash based block cipher based -- Digital signatures (c) Levente Buttyán (buttyan@crysys.hu) Hash unctions a hash unction is a unction
More informationPractical Electromagnetic Template Attack on HMAC
Practical Electromagnetic Template Attack on HMAC Pierre Alain Fouque 1 Gaétan Leurent 1 Denis Réal 2,3 Frédéric Valette 2 1ENS,75Paris,France. 2CELAR,35Bruz,France. 3INSA-IETR,35Rennes,France. September
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationHow many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?
Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that
More informationENEE 459-C Computer Security. Message authentication
ENEE 459-C Computer Security Message authentication Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationNew attacks on the MacDES MAC Algorithm. 1st July Two new attacks are given on a CBC-MAC algorithm due to Knudsen and Preneel, [2],
New attacks on the MacDES MAC Algorithm Don Coppersmith IBM Research T. J. Watson Research Center Yorktown Heights, NY 10598, USA copper@watson.ibm.com Chris J. Mitchell Information Security Group Royal
More informationUpdate on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium
Update on Tiger Florian Mendel 1, Bart Preneel 2, Vincent Rijmen 1, Hirotaka Yoshida 3, and Dai Watanabe 3 1 Graz University of Technology Institute for Applied Information Processing and Communications
More informationMessage Authentication with MD5 *
Message Authentication with MD5 * Burt Kaliski and Matt Robshaw RSA Laboratories 100 Marine Parkway, Suite 500 Redwood City, CA 94065 USA burt@rsa.com matt@rsa.com Message authentication is playing an
More informationPractical Electromagnetic Template Attack on HMAC
Author manuscript, published in "Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop 5747 (2009) 66-80" DOI : 10.1007/978-3-642-04138-9_6 Practical Electromagnetic Template
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationPractical key-recovery attack against APOP, an MD5 based challenge-response authentication
Practical key-recovery attack against APOP, an MD5 based challenge-response authentication Gaëtan Leurent Laboratoire d Informatique de l École Normale Supérieure, Département d Informatique, 45 rue d
More informationThe JAMBU Lightweight Authentication Encryption Mode (v2)
The JAMBU Lightweight Authentication Encryption Mode (v2) 29 Aug, 2015 Designers: Hongjun Wu, Tao Huang Submitters: Hongjun Wu, Tao Huang Contact: wuhongjun@gmail.com Division of Mathematical Sciences
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationOverview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 28, 2017 Overview Today: Review Homework 8 solutions Discuss cryptographic hash functions Next: Study for quiz
More informationResearch Article Security Analysis of HMAC/NMAC by Using Fault Injection
Applied Mathematics Volume 2013, Article ID 101907, 6 pages http://dx.doi.org/10.1155/2013/101907 Research Article Security Analysis of HMAC/NMAC by Using Fault Injection Kitae Jeong, 1 Yuseop Lee, 1 Jaechul
More informationPermutation-based symmetric cryptography
Permutation-based symmetric cryptography Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March
More informationAn Overview of Cryptographic Hash Functions
An Overview of Cryptographic Hash Functions Alok Ojha Indian Institute of Technology, Dept. of Mathematics Kharagpur 721302, India Email : ojha_iitkgp@yahoo.co.in, Sugata Sanyal Tata Institute of Fundamental
More information(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography
Code No: RR410504 Set No. 1 1. Write short notes on (a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography 3. (a) Illustrate Diffie-hellman Key Exchange scheme for GF(P) [6M] (b) Consider
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 22 and 27, 2018 Overview Today: Quiz (based on HW 6) Graded HW 2 due Grad/honors students: Project topic selection
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 8 Hash Functions 8.1 Hash Functions Hash Functions A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed
More informationPermutation-based Authenticated Encryption
Permutation-based Authenticated Encryption Gilles Van Assche 1 1 STMicroelectronics COST Training School on Symmetric Cryptography and Blockchain Torremolinos, Spain, February 2018 1 / 44 Outline 1 Why
More informationSymmetric Crypto MAC. Pierre-Alain Fouque
Symmetric Crypto MAC Pierre-Alain Fouque Message Authentication Code (MAC) Warning: Encryption does not provide integrity Eg: CTR mode ensures confidentiality if the blockcipher used is secure. However,
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 34 Cryptographic Hash Functions A hash function provides message integrity and authentication
More informationSecurity Analysis of a Design Variant of Randomized Hashing
Security Analysis of a Design Variant of Randomized ashing Praveen Gauravaram 1, Shoichi irose 2, Douglas Stebila 3 1 Tata Consultancy Services, Australia 2 University of Fukui, Japan 3 McMaster University,
More informationHow to Break EAP-MD5
How to Break EAP-MD5 Fanbao Liu and Tao Xie School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China liufanbao@gmail.com Abstract. We propose an efficient attack
More informationAttacks on Double Block Length Hash Functions
Attacks on Double Block Length Hash Functions Xuejia Lai 1 and Lars R. Knudsen 2 1 R 3 Security Engineering Aathal, Switzerland 2 Aarhus University, Denmark Abstract. Attacks on double block length hash
More informationObservations and Attacks On The SHA-3 Candidate Blender
Observations and Attacks On The SHA-3 Candidate Blender Craig Newbold cjnewbold@googlemail.com Abstract 51 candidates have been accepted as first round candidates in NIST s SHA-3 competition, to decide
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationCryptographic hash functions and MACs
Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21 Introduction Encryption confidentiality against eavesdropping 2 / 21 Introduction
More informationCryptanalysis on Hash Functions. Xiaoyun Wang Tsinghua University & Shandong University
Cryptanalysis on Hash Functions Xiaoyun Wang Tsinghua University & Shandong University 05-10-2006 Outline Introduction to hash function Hash function and signature Dedicated hash function Modular differential
More informationOn the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak
On the Strength of the Concatenated Hash Combiner when All the Hash Functions are Weak Jonathan J. Hoch and Adi Shamir Department of Computer Science and Applied Mathematics, The Weizmann Institute of
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security In crypto, CHF instantiates a Random Oracle paradigm In security,
More informationCryptographic Hash Functions
Cryptographic Hash Functions Cryptographic Hash Functions A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. Iterated Hash Function A (compression)
More informationAnalysis of Involutional Ciphers: Khazad and Anubis
Analysis of Involutional Ciphers: Khazad and Anubis Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Leuven, Belgium abiryuko@esat.kuleuven.ac.be Abstract. In this paper we study structural
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationCRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK
CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK UNIT-1 1. Answer the following: a. What is Non-repudiation b. Distinguish between stream and block ciphers c. List out the problems of one time pad d. Define
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationCryptographic Hash Functions. William R. Speirs
Cryptographic Hash Functions William R. Speirs What is a hash function? Compression: A function that maps arbitrarily long binary strings to fixed length binary strings Ease of Computation: Given a hash
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationMobile Robot Static Path Planning Based on Genetic Simulated Annealing Algorithm
Mobile Robot Static Path Planning Based on Genetic Simulated Annealing Algorithm Wang Yan-ping 1, Wubing 2 1. School o Electric and Electronic Engineering, Shandong University o Technology, Zibo 255049,
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationApplying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack
Applying Time-Memory-Data Trade-Off to Meet-in-the-Middle Attack Jiali Choy, Khoongming Khoo, and Chuan-Wen Loe DSO National Laboratories 20 Science Park Drive, Singapore 118230 Email: cjiali,kkhoongm,lchuanwe@dso.org.sg
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationNEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES.
NEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES. 1 ZAKARIA KADDOURI, 2 FOUZIA OMARY, 3 ABDOLLAH ABOUCHOUAR, 4 MOHSSIN DAARI, 5 KHADIJA ACHKOUN. LRI Laboratory (Ex: Networks and Data
More informationAssignment 3: Block Ciphers
Assignment 3: Block Ciphers CSCI3381-Cryptography Due October 3, 2014 1 Solutions to the Written Problems 1. Block Cipher Modes of Operation 6 points per part, 30 total. Parts (a)-(d) refer to the cipherblock
More informationNeighbourhood Operations
Neighbourhood Operations Neighbourhood operations simply operate on a larger neighbourhood o piels than point operations Origin Neighbourhoods are mostly a rectangle around a central piel Any size rectangle
More informationAn Efficient MAC for Short Messages
An Efficient MAC for Short Messages Sarvar Patel Bell Labs, Lucent Technologies 67 Whippany Rd, Whippany, NJ 07981, USA sarvar@bell-labs.com Abstract. HMAC is the internet standard for message authentication
More informationSufficient conditions for sound hashing using a truncated permutation
Sufficient conditions for sound hashing using a truncated permutation Joan Daemen 1, Tony Dusenge 2, and Gilles Van Assche 1 1 STMicroelectronics 2 Université Libre de Bruxelles Abstract. In this paper
More informationEnhancing the Security Level of SHA-1 by Replacing the MD Paradigm
Journal of Computing and Information Technology - CIT 21, 2013, 4, 223 233 doi:10.2498/cit.1002181 223 Enhancing the Security Level of SHA-1 by Replacing the MD Paradigm Harshvardhan Tiwari and Krishna
More informationAll Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach
All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationReducing the collision probability of Alleged. Abstract. Wagner, Goldberg and Briceno have recently published an
Reducing the collision probability of Alleged Comp128 Helena Handschuh handschuh@gemplus.com Pascal Paillier paillier@gemplus.com ENST GEMPLUS Computer Science Department Cryptography Department 46, rue
More informationIntroduction. Secret Key Cryptography. Outline. Secrets? (Cont d) Secret Keys or Secret Algorithms? Introductory Remarks Feistel Cipher DES AES
Outline CSCI 454/554 Computer and Network Security Introductory Remarks Feistel Cipher DES AES Topic 3.1 Secret Key Cryptography Algorithms 2 Secret Keys or Secret Algorithms? Introduction Security by
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 8 (and maybe 9) secret-key primitives Message Authentication Codes Pseudorandom number generators 2
More informationKANGAL REPORT
Individual Penalty Based Constraint handling Using a Hybrid Bi-Objective and Penalty Function Approach Rituparna Datta Kalyanmoy Deb Mechanical Engineering IIT Kanpur, India KANGAL REPORT 2013005 Abstract
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum
More informationPiecewise polynomial interpolation
Chapter 2 Piecewise polynomial interpolation In ection.6., and in Lab, we learned that it is not a good idea to interpolate unctions by a highorder polynomials at equally spaced points. However, it transpires
More informationProtect Yourself Against Security Challenges with Next-Generation Encryption
Protect Yourself Against Security Challenges with Next-Generation Encryption agrieco@cisco.com mcgrew@cisco.com How to detect attacks? Malware Broken encryption 2 How to detect attacks? Malware Host Process
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationThe question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 2 M.M:50 The question paper contains 40 multiple choice questions with four choices and students will have to pick the
More informationP2_L8 - Hashes Page 1
P2_L8 - Hashes Page 1 Reference: Computer Security by Stallings and Brown, Chapter 21 In this lesson, we will first introduce the birthday paradox and apply it to decide the length of hash, in order to
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationResearch on Image Splicing Based on Weighted POISSON Fusion
Research on Image Splicing Based on Weighted POISSO Fusion Dan Li, Ling Yuan*, Song Hu, Zeqi Wang School o Computer Science & Technology HuaZhong University o Science & Technology Wuhan, 430074, China
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More information