CIT 480: Securing Computer Systems. Hashes and Random Numbers

Transcription

1 CIT 480: Securing Computer Systems Hashes and Random Numbers

2 Topics 1. Hash Functions 2. Applications of Hash Functions 3. Secure Hash Functions 4. Collision Attacks 5. Pre-Image Attacks 6. Current Hash Functions 7. HMAC: Keyed Hash Functions 8. Cryptographic Key Generation 9. Random Numbers

3 Hash Functions Hash Function h: M MD Input M: variable length message M Output MD: fixed length Message Digest of input Many inputs produce same output (called a hash collision) Limited number of outputs; infinite number of inputs Avalanche effect: small input change -> big output change Example Hash Function Sum 32-bit words of message mod 2 32 M h MD=h(M)

4 Applications of Hash Functions Verifying file integrity How do you know that a file you downloaded was not corrupted during download? Storing passwords (confidentiality) To avoid compromise of all passwords by an attacker who has gained admin access, store hash of passwords. Additional features needed for secure passwords. Digital signatures (authentication) Cryptographic verification that data was downloaded from the intended source and not modified. Used for operating system patches and packages.

5 Why attack hash functions? Create forged security certificate to Make phishing site appear legitimate. Bypass code signing checks on updates. Distribute malware Replace legitimate app with malware app. Ensure both apps have legitimate hash value, so victims cannot distinguish between them. Forge digital signatures Replace contract where victim pays $50 to attacker with one where victim pays $5,000.

6 Flame Malware Cyber espionage tool discovered in 2012 Records audio, screenshots, bluetooth, and file data. Exfiltrates data via SSL encrypted channel. Bypassed code signing security in MS Windows Used hash collision to create a certificate apparently signed by Microsoft Certificate Authority. Malware digitally signed with forged certificate. Code signing accepted that malware was valid as certificate apparently signed by MS CA. Attack could be used as MITM attack on MS Update Attacker substitutes Windows patch with malware.

7 Avalanche Effect The avalanche effect is shown when a small change to the input of a block cipher or hash function makes a large change in the output. Hashing Cryptography : MD5 (128-bit) = 64ef07ce3e4b420c334227eecb3b3f4c SHA1 (160-bit) = b804ec5a0d83d19d8db908572f d09f98 Hashing Cryptography1 : MD5 (128-bit) = 443d4fb1fedeb86b c2719c24 SHA1 (160-bit) = e a64c523ddfe11bd07a5eac

8 Secure Hash Function A function h = hash(m) must have 3 properties to be secure: 1. Pre-image resistance: Given a hash h it should be difficult to find any message m such that h = hash(m). Functions that lack this property are vulnerable to preimage attacks. 2. Second pre-image resistance: Given an input m 1 it should be difficult to find another input m 2 such that m 1 m 2 and hash(m 1 ) = hash(m 2 ). Functions that lack this property are vulnerable to second-preimage attacks. 3. Collision resistance: It should be difficult to find two different messages m 1 and m 2 such that hash(m 1 ) = hash(m 2 ). Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as that required for preimage-resistance; otherwise collisions may be found by a birthday attack.

9 Pre-image Attacks A pre-image attack attempts to find a message m that has a specific hash value h, such that h=hash(m). Would allow attacker to substitute a malicious document matching hash of valid document, allowing SSL certificate or digitally signed contract forgeries. Brute force attack is possible with 2 n operations, where n is the length of the hash value. For n >= 64, brute force considered infeasible. A one-way function is pre-image resistant. No practical pre-image attacks exist against widely used hash functions. An MD5 collision can be found in operations.

10 Collision Attacks A collision attack attempts to find two different messages m 1 and m 2 such that hash(m 1 ) = hash(m 2 ). Collisions must exist because there are more inputs than fixed-sized outputs for hash functions. Pigeonhole principle: if there are n containers for n+1 objects, then at least 1 container will have 2 objects in it. Two types of collision attacks exist Birthday Attack Chosen Prefix Attack Collision attacks do not impact password hashing, but do allow for forged certificates and signatures.

11 The Birthday Paradox The birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. By the pigeonhole principle, the probability reaches 100% when the number of people reaches 367. However, 99% probability is reached with just 57 people, and 50% probability with 23 people. The birthday paradox is a violation of our intuition, not a true paradox. It arises because the chance of shared birthdays increases with the number of unique pairs of people, which is n(n-1)/2 for n people.

12 Birthday Attack A birthday attack exploits the mathematics behind the birthday problem to find hash collisions. Suppose a hash function h has a b-bit long output. Therefore there are 2 b possible hash values. Attacker generates many random messages Computes hash of each one. Searches for pairs of messages with same hash value. By similar mathematics as in the birthday problem, attacker can find a collision with about 2 b/2 messages.

13 Birthday Attack Analysis The birthday attack procedure follows these steps: 1. Randomly generate a sequence of plaintexts X 1, X 2, X 3, 2. For each X i compute y i = h(x i ) and test whether y i = y j for some j < i 3. Stop as soon as a collision has been found If there are m possible hash values, the probability that the i th plaintext does not collide with any of the previous i 1 plaintexts is 1 - (i - 1)/m The probability F k that the attack fails (no collisions) after k plaintexts is F k = (1-1/m) (1-2/m) (1-3/m) (1 - (k - 1)/m) Using the standard approximation 1 - x e -x F k e -(1/m + 2/m + 3/m + + (k-1)/m) = e -k(k-1)/2m The attack succeeds/fails with probability ½ when F k = ½, that is, e -k(k-1)/2m = ½ k 1.17 m ½ We conclude that a hash function with b-bit values provides ~b/2 bits of security.

14 Chosen Prefix Attacks A chosen prefix attack is an hash collision attack starting with two different prefixes p1, p2 and attempting to find two suffixes m1 and m2 such that hash(p1 m1) = hash(p2 m2). Such an attack allows custom creation of two completely different documents with identical hashes. Example attack Attacker creates two SSL certificate files for two different domains but with identical hashes. Attacker asks CA to sign certificate for one domain. Attacker uses certificate to create phishing site for another domain. User browser successfully validates SSL certificate signature, tells user that phishing site is real site.

15 Merkle Damgård construction Select a cryptographic hash function f(m, d). Apply repeatedly to fixed size blocks of message m i. Use output of previous stage di as second input. Start with initialization vector d 0 = IV

16 Message-Digest Algorithm 5 (MD5) Developed by Ron Rivest in 1991 Uses 128-bit hash values Merkle Damgård construction Still widely used in legacy applications even though collision vulnerabilities allow forgery of digital signatures and SSL certificates.

17 MD5 Collision Attack History 1. Initial attacks (2004) could only find collisions in files that differed only in last few bytes. 2. Early attacks (2008) used cluster of 200 PS3s for a couple of days. 3. Current attacks can find a collision in seconds on single PC. Lesson: Cryptanalytic attacks always improve. Change algorithms before they do.

18 Secure Hash Algorithm (SHA-1) Developed by NSA; approved as federal std by NIST SHA-0 (1993) and SHA-1 (1995) 160-bit hash values Merkle Damgård construction SHA-1 developed to correct insecurity of SHA-0 SHA-1 still found in legacy applications Vulnerabilities less severe than those of MD5 Can find SHA-1 collision in 2 69 operations. Can find SHA-0 collision in 2 39 operations.

19 SHA-2 Developed by NSA; approved as federal std by NIST SHA-2 (2001) 224, 256, 384, or 512-bit hash values Merkle Damgård construction Current recommended hash function for security applications like digital signatures or SSL certificates. Cryptanalysts making progress but no breaks Can only find collisions if modify hash algorithm by reducing number of rounds from 80 (SHA-512) to 46 or 64 (SHA-256) to 41.

20 SHA-3 Winner of open NIST competition ( ) Final standard expected by 2014 Q2. Keccak (2012) 224, 256, 384, or 512-bit hash values. Concerns about NIST changes to 128- and 256-bit values only. An alternative to SHA-2 Not a replacement as SHA-2 is not broken. Built on sponge-function instead of Merkle Damgård construction like MD5, SHA-1, SHA-2 so that the same cryptanalytic techniques will not work against SHA-3.

21 HMAC A keyed hash message authentication code (HMAC) is the use of a hash function for calculating a message authentication code (MAC) based on a message in combination with a secret cryptographic key. HMAC protects against threat models in which attackers have the ability to modify hash values. If attacker could modify data, then he could change both the file and its hash value, causing the victim to think that the file was downloaded correctly when in fact the attacker substituted a different file. This threat model allows an attack on hashes without finding a collision or pre-image.

22 Why not use h(k m) as HMAC? The Merkle Damgård construction is vulnerable to length-extension attacks. Length extension attacks allow attacker to append data s to end of message m and create a valid HMAC for m s. Attacker intercepts message m and h(k m). Attacker inserts s and computes new HMAC. Attacker sends m s and h(k m s). Recipient computes HMAC on m s and verifies that it matches h(k m s), believing that m s is legitimate. Most widely used hashes vulnerable to this attack MD5, SHA-1, SHA-256, SHA-512

23 HMAC Algorithm HMAC-h(k, m) = h(k opad h(k ipad m)) k is the secret key m is the message h is a hash function like SHA-2 ipad (inner padding) is repeated. opad (outer padding) is repeated. Threat can t generate HMAC for any message m without knowing key k. Algorithm prevents length extension attacks. Commonly used to protect authentication cookies.

24 Importance of RNGs We need all those brilliant Belgian cryptographers to go "alright we know that these encryption algorithms we are using today work, typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them [secure], how can we test them? -- Ed Snowden at SXSW

25 Key Generation Goal: Ensure best attack against cipher is brute force. Solution: Given set of K potential keys, choose one randomly. Selecting a random number between 0 and K 1. Ex: For a 128-bit key, select number between 0 and Difficulty: generating random numbers Hardware random number generators gather entropy from physical world but are expensive and limited in how many bits/second they product. Software generated numbers are pseudo-random (PRNGs), that is, generated by an algorithm. If starting with same seed, then PRNGs will produce the same sequence of numbers each time.

26 Linear Congruential Generator n k = (an k 1 + b) mod m m Modulus (a large prime integer), maximum period a Multiplier (integer from 2..m-1) b Increment n 0 Sequence initializer (seed)

27 LCG Period The period of an LCG is at most m, the modulus. Modulus only allows numbers 0.. m-1 to be produced. An LCG with a period of m is aid to have a full period. An LCG will have a full period for all seeds iff b and m are relatively prime, a-1 is divisible by all prime factors of m, a-1 is a multiple of 4 if m is a multiple of 4 For production LCGs, m= common a = is well studied full period multiplier LCGs are predictable, and thus not secure for crypto Knowing just one LCG output allows prediction of next.

28 Seeds for PR generation Input used to generate initial pseudo-random (PR) numbers. Seeds should be computationally infeasible to predict Generate seed from random, not PR, data. Size: 32 bits too small; only 2 32 combinations. Sequence is periodic, but starts from different point for each different seed. Identical sequences produced for identical seeds. Period needs to be large for security.

29 Secure PRNGs Cryptographically Secure PRNGs (CSPRNGs) must: 1. Statistically appear random. 2. Difficult to predict next member of sequence from previous members. 3. Difficult to extract internal state of PRNG from observing output. May be re-seeded at runtime, unlike PRNGs.

30 Classes of CSPRNGs 1. Designs based on cryptographic primitives Based on block cipher in counter mode or Use a secure hash of a counter. 2. Number theoretic designs Based on hard mathematical problems. Example: Blum Blum Shub 3. Special purpose designs May introduce extra entropy when available. Example: Yarrow (FreeBSD, Mac OS X)

31 Block cipher-based CSPRNG Operate block cipher in counter mode. Choose a random key. Nonce is a random initialization vector. Plaintext is a predictable sequence, produced by incrementing by 1 or by any aperiodic function.

32 Blum Blum Shub x n+1 = x n 2 mod M Blum Number M Seed Product of two large primes, p and q p mod 4 = 3, q mod 4 = 3 Choose random integer x, relatively prime to M. x 0 = x 2 mod M

33 Blum Blum Shub Random Output: LSB of x n+1 Can safely use log 2 M bits. Provably secure Slow Distinguishing output bits from random bits is as difficult as factoring M for large M. Requires arbitrary precision software math libraries.

34 Yarrow Yarrow is named after plant whose leaves are used in I Ching divination. Steps Used for /dev/random in FreeBSD and Mac OS X. 1. Accumulates entropy from system sources. 2. Pools are SHA-1 hash contexts, 160 bits maximum. 3. Reseeds generator with key made from pool entropy to limit state compromise attacks. 4. Generates numbers using Triple-DES in counter mode.

35 Ivy Bridge RNG Added with Ivy Bridge Core in CPUs in One RNG per die, not per core. Entropy source is thermal noise.

36 Attacks on PNRGs Direct Cryptanalytic Distinguish between PRNG output and random output with better than 50% accuracy. Input-Based Use knowledge of PRNG input to predict output, or Insert input into PRNG to control output. State Compromise Extension Extend previously successful attack that has recovered internal state to recover either or both: past unknown PRNG outputs future PRNG outputs after additional inputs given to PRNG

37 Key Points: Hashes 1. Hashes are 1-way functions h=hash(m) that 1. Produce same sized h for any input m. 2. Avalanche effect: small change in m big change in h. 2. Threats attempt to forge certificates & signatures. 1. Collision attacks 2. Pre-image attacks 3. Widely used hash functions 1. Some widely used hashes (MD5,SHA-1) broken. 2. Use SHA-2 with 256 or more bits now. 3. Use SHA-3 along with SHA-2 in future. 4. Keyed hash functions cannot be computed by attacker due to incorporation of secret k. HMAC-h(k, m) = h(k opad h(k ipad m))

38 Key Points: RNGs 1. Secure keys must be randomly generated. 2. RNG types Hardware: physical entropy software, which is often used as a seed for the software RNGs. PRNG: algorithmic generation of predictable but statistically random number sequences. Example: LCG. CSPRNG: PRNG where it is difficult to predict next number of extract PRNG state. Example: Yarrow. 3. PRNG features Periodic: sequence will eventually repeat. Seed-dependent: seed determines starting point of sequence; if seed is identical in two runs, sequence is identical.

39 References 1. Steven Friedl, An Illustrated Guide to Cryptographic Hashes, 2. Goodrich and Tammasia, Introduction to Computer Security, Pearson, Matthew Green, How do you know if an RNG is working?, Michael Hamburg, Understanding Intel s Ivy Bridge Random Number Generator, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, NIST, FIPS-198a, The Keyed-Hash Message Authentication Code (HMAC), 7. Rogaway, P.; Shrimpton, T. "Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second- Preimage Resistance, and Collision Resistance. Fast Software Encryption (2004) (Springer-Verlag). 8. Alexander Sotirov et. Al., MD5 considered harmful today: Creating a rogue CA certificate, December 30, Peter Selinger, MD5 Collision Demo,

40 Released under CC BY-SA 3.0 This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share to copy and redistribute the material in any medium to Adapt to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at