Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security

Transcription

1 Chair for Network Architectures ad Services Departmet of Iformatics TU Müche Prof. Carle Network Security Chapter 2 Cryptography 2.2 Cryptographic Hash Fuctios Motivatio Cryptographic Hash Fuctios SHA-1, SHA-3, Skei Message Autheticatio Codes (MACs)

2 Ackowledgmets This course is based to a sigificat exted o slides provided by Güter Schäfer, author of the book "Netzsicherheit - Algorithmische Grudlage ud Protokolle", available i Germa from dpukt Verlag. The Eglish versio of the book is etitled Security i Fixed ad Wireless Networks: A Itroductio to Securig Data Commuicatios ad is published by Wiley is also available. We gratefully ackowledge his support. The slides by Güter Schäfer have bee partially reworked by Corelius Diekma, Heiko Niedermayer, Ali Fessi, Ralph Holz ad Georg Carle. Network Security, WS 2013/14, Chapter 2.2 2

3 Motivatio (1) Data itegrity is a essetial security service Upo receivig a message m, we eed to detect whether m has bee modified itetioally by a attacker Commo practice i data commuicatios: error detectio code over messages, to idetify if errors were itroduced durig trasmissio Examples: Parity, Bit-Iterleaved Parity, Cyclic Redudacy Check (CRC) Uderlyig idea of these codes: add redudacy to a message for beig able to detect, or eve correct trasmissio errors The error detectio/correctio code of choice ad its parameters: trade-off betwee computatioal overhead icrease of message legth Probability/characteristics of errors o the trasmissio medium Network Security, WS 2013/14, Chapter 2.2 3

4 Motivatio (2) It is a differet (ad much harder!) problem to determie if m has bee modified o purpose! Cosequetly, we eed to add a Modificatio Detectio Code (MDC) that fulfills some additioal properties which should make it computatioally ifeasible for a attacker to tamper with messages This property is fulfilled by so-called cryptographic hash fuctios Network Security, WS 2013/14, Chapter 2.2 4

5 Overview Cryptographic Hash Fuctio Network Security, WS 2013/14, Chapter 2.2 5

6 Cryptographic Hash Fuctios: Defiitio Defiitio: A fuctio h is called a hash fuctio if Compressio: h maps a iput x of arbitrary fiite bit legth to a output h(x) of fixed bit legth : h: {0,1} * {0,1} Ease of computatio: Give h ad x it is easy to compute h(x) Defiitio: A fuctio h is called a oe-way fuctio if h is a hash fuctio for essetially all pre-specified outputs y, it is computatioally ifeasible to fid a x such that h(x) = y Example: give a large prime umber p ad a primitive root g i Z * p Let h(x) = g x mod p The h is a oe-way fuctio Network Security, WS 2013/14, Chapter 2.2 6

7 Cryptographic Hash Fuctios: Defiitio Defiitio: A fuctio H is called a cryptographic hash fuctio if 1. H is a oe-way fuctio Also called 1 st pre-image resistace: For essetially all pre-specified outputs y, it is computatioally ifeasible to fid a x such that H(x) = y 2. 2 d pre-image resistace: Give x it is computatioally ifeasible to fid ay secod iput x with x x such that H(x) = H(x ) Note: This property is very importat for digital sigatures. 3. Collisio resistace: It is computatioally ifeasible to fid ay pair (x, x ) with x x such that H(x) = H(x ) 4. Radom oracle property: It is computatioally ifeasible to distiguish H(m) from radom -bit value Network Security, WS 2013/14, Chapter 2.2 7

8 Geeral Remarks (1) Computatioal ifeasibility I a mathematical sese, the otio of computatioal ifeasibility is directly related to complexity theory. It meas that o polyomial complexity algorithm for the give problem exists However, cryptographic hash fuctios, which are actually used i practice, e.g. SHA-1 or SHA-3, are ot directly based o such mathematical problems Radom output The algorithm for calculatig the hash value of a strig is determiistic However, the output of a cryptographic hash fuctio should look radom [Ferg03] I particular, a cryptographic hash fuctio should map two similar strigs to completely ucorrelated outputs (similar i the sese of a small Hammig distace) [Cos06] I particular, a cryptographic hash fuctio should ot be additive If x = x Δ, the H(x ) should be differet from H(x) H(Δ) Network Security, WS 2013/14, Chapter 2.2 8

9 Geeral Remarks (2) I etworkig there are codes for error detectio. Cyclic redudacy checks (CRC) CRC is commoly used i etworkig eviromets CRC is based o biary polyomial divisio with Iput / CRC divisor (divisor depeds o CRC variat). The remaider of the divisio is the resultig error detectio code. CRC is a fast compressio fuctio. Why ot use CRC? CRC is ot a cryptographic hash fuctio CRC does ot provide 2 d pre-image resistace ad collisio resistace CRC is additive If x = x Δ, the CRC(x ) = CRC(x) CRC(Δ) CRC is useful for protectig agaist oisy chaels But ot agaist itetioal maipulatio Network Security, WS 2013/14, Chapter 2.2 9

10 Overview MAC ad other applicatios Network Security, WS 2013/14, Chapter

11 Applicatio of Cryptographic Hash Fuctios for Data Itegrity Case: No attacker Alice (A) m, H(m) Bob (B) ok Case: With attacker Alice (A) m, H(m) m, H(m ) Bob (B) ok Applyig a hash fuctio is ot sufficiet to secure a message. H(m) eeds to be protected. Network Security, WS 2013/14, Chapter

12 Applicatio of Cryptographic Hash Fuctios for Data Itegrity Cryptographic hash fuctios are used to detect whether a message has bee modified by a attacker As see o the last slide: However, the use of a cryptographic hash fuctio is ot sufficiet to detect whether a message has bee modified. if Alice seds a message (x, H(x)) to Bob, with H a cryptographic hash fuctio, it holds: The computatio of H(x) is usually based o a well-kow algorithm The computatio of H(x) does ot iclude a secret key or aythig else boud to the idetity of Alice A attacker ca modify x to x, calculate H(x ) easily ad seds (x, H(x )) to Bob pretedig that this message would be origiatig from Alice Network Security, WS 2013/14, Chapter

13 Applicatio of Cryptographic Hash Fuctios for Data Itegrity Potetial workarouds: Alice might sed the cryptographic hash value via a out-of-bad (trusted) chael to Bob. Examples: by phoe call by a letter the hash value may be published o a (trusted) web server. Alice ad Bob might use a physically-protected chael where attackers ca oly liste, but ot sed. Use cryptography ad secret keys Message Autheticatio Code (MAC) that depeds o key k ad message m. Network Security, WS 2013/14, Chapter

14 Applicatio of Cryptographic Hash Fuctios for Data Itegrity Case: No attacker share symmetric key K Alice (A) m, MAC K (m) Bob (B) ok Case: With attacker Alice (A) Bob (B) m, MAC K (m) m', MAC K (m) ot ok Sice the secret key k is ukow to the attacker, the attacker caot compute MAC K (m ) Network Security, WS 2013/14, Chapter

15 Message Autheticatio Codes (MACs) Defiitio: Let H k be a family of fuctios parameterized by a secret key k. The H k is called a Message Autheticatio Code (MAC) algorithm if it satisfies the followig properties: 1. Compressio: H k maps a iput x of arbitrary fiite bitlegth to a output H k (x) of fixed bitlegth, called the MAC 2. Ease of computatio: give k, x ad a kow fuctio family H k the value H k (x) is easy to compute 3. Computatio-resistace: for every fixed, allowed, but ukow value of k, give zero or more text- MAC pairs (x i, H k (x i )) it is computatioally ifeasible to compute a text-mac pair (x, H k (x)) for ay ew iput x x i Network Security, WS 2013/14, Chapter

16 Message Autheticatio Codes (MACs) Note that computatio-resistace implies key o-recovery k ca ot be recovered from pairs (x i, H k (x i )), but computatio-resistace ca ot be deduced from key o-recovery, as the key k eeds ot always to be recovered to forge ew MACs (as show i subsequet example) Network Security, WS 2013/14, Chapter

17 A Simple Attack Agaist a Isecure MAC For illustrative purposes, cosider the followig MAC defiitio: Iput: message m = (x 1, x 2,..., x ) with x i beig 128-bit values, ad key K Compute (m) := x 1 x 2... x with deotig XOR Output: MAC K (m) := Ec K ((m)) with Ec K (x) deotig AES ecryptio The key legth is 128 bit ad the MAC legth is 128 bit, so we would expect a effort of about operatios to break the MAC (beig able to forge messages). Ufortuately the MAC defiitio is isecure: Attacker Eve wats to forge messages. Eve does ot kow K Alice ad Bob exchage a message (m, MAC K (m)), Eve eavesdrops it Eve ca costruct a message m that yields the same MAC: Let y 1, y 2,..., y -1 be arbitrary 128-bit values Defie y := y 1 y 2... y -1 (m) This y allows to costruct the ew message m := (y 1, y 2,..., y ) Therefore, MAC K (m ) = Ec((m )) = Ec k (y 1 y 2... y -1 y )) = Ec k (y 1 y 2... y -1 y 1 y 2... y -1 (m))) = Ec k ((m))) = MAC k (m) Therefore, MAC k (m) is a valid MAC for m Whe Bob receives (m, MAC K (m)) from Eve, he will accept it as beig origiated Network Security, WS 2013/14, Chapter

18 Applicatios of Cryptographic Hash Fuctios Pricipal applicatio which led origial desig: Message itegrity: Usig a shared secret key: A MAC over a message m directly certifies that the seder of the message possesses the secret key k ad the message could ot have bee modified without kowledge of that key Usig public key cryptography: The cryptographic hash value represets a digital figerprit, which ca be siged with a private key usig public key cryptography (like RSA, ECC, ElGamal) Give a cryptographic hash fuctio it is computatioally ifeasible to costruct two messages with the same figerprit. Therefore, a give siged figerprit ca ot be re-used by a attacker. Note: Sigatures i public key cryptography are ofte used i settigs where the security has to be guarateed a log time, e.g. digitallig sigig a cotract. Network Security, WS 2013/14, Chapter

19 Other Applicatios which require some Cautio Pseudo-radom umber geeratio The output of a cryptographic hash fuctio is assumed to be uiformly distributed Although this property has ot bee prove i a mathematical sese for commo cryptographic hash fuctios, such as MD5, SHA-1, it is ofte used Start with radom seed, the hash b 0 = seed b i+1 = H (b i seed) Ecryptio Remember: Output Feedback Mode (OFB) ecryptio performed by geeratig a pseudo radom stream, ad performig XOR with plai text Geerate a key stream as follow: k 0 = H(K A,B IV) k i+1 = H (K A,B k i ) The plai text is XORed with the key stream to obtai the cipher text. Network Security, WS 2013/14, Chapter

20 Other Applicatios of Cryptographic Hash Fuctios Autheticatio with a challege-respose mechaism r A Alice Bob Network Security, WS 2013/14, Chapter

21 Other Applicatios of Cryptographic Hash Fuctios Autheticatio with a challege-respose mechaism Alice Bob: radom umber r A Bob Alice: H(K A,B, r A ) Based o the assumptio that oly Alice ad Bob kow the shared secret K A,B, Alice ca coclude that a attacker would ot be able to compute H(K A,B, r A ), ad therefore that the respose is actually from Bob Mutual autheticatio ca be achieved by a 2 d exchage i opposite directio This autheticatio is based o a well-established autheticatio method called challege-respose This type of autheticatio is used, e.g., by HTTP digest autheticatio It avoids trasmittig the trasport of the shared key (e.g. password) i clear text Aother type of a challege-respose would be, e.g., if Bob sigs the challege r A with his private key Note that this kid of autheticatio does ot iclude egotiatio of a sessio key. Protocols for key egotiatio will be discussed i subsequet chapters. Network Security, WS 2013/14, Chapter

22 Other Applicatios of Cryptographic Hash Fuctios Cryptographic hash values ca also be used for error detectio, but they are geerally computatioally more expesive tha simple error detectio codes such as CRC Network Security, WS 2013/14, Chapter

23 Overview Commo Structures of Hash Fuctios Merkle-Damgård costructio SHA-1 SHA-3 ad Skei Network Security, WS 2013/14, Chapter

24 Overview of Commoly Used Cryptographic Hash Fuctios ad Message Autheticatio Codes Cryptographic Hash Fuctios: Message Digest 5 (MD5): Iveted by R. Rivest, Successor to MD4. Cosidered broke. Secure Hash Algorithm 1 (SHA-1): Old NIST stadard. Iveted by the Natioal Security Agecy (NSA). Ispired by MD4. Secure Hash Algorithm 3 (SHA-3): Curret NIST stadard (sice October 2012). Keccak algorithm by G. Bertoi, J. Daeme, M. Peeters ud G. Va Assche. Message Autheticatio Codes: MACs costructed from cryptographic hash fuctios: Example HMAC, RFC 2104, details later CBC-MAC, CMAC Uses blockcipher i Cipher Block Chaiig mode (Ecryptio: XOR plai text with cipher text of previous block, the ecrypt) CMAC better tha pure CBC-MAC, details later Network Security, WS 2013/14, Chapter

25 Merkle-Damgård costructio (1) Like may of today s block ciphers follow the geeral structure of a Feistel etwork, cryptographic hash fuctios such as SHA-1 follow the Merkle-Damgård costructio: Let y be a arbitrary message. Usually, the legth of the message is appeded to the message ad padded to a multiple of some block size b. Let (y 0, y 1,..., y L-1 ) deote the resultig message cosistig of L blocks of size b The geeral structure is as depicted below: y 0 y 1 y L-1 b b b f f... f CV 0 CV 1 CV 2 CV L-1 CV L CV is a chaiig value, with CV 0 := IV ad H(y) := CV L f is a specific compressio fuctio which compresses ( + b) bit to bit Network Security, WS 2013/14, Chapter

26 Merkle-Damgård costructio (2) The hash fuctio H accordig to Merkle-Damgård costructio ca be summarized as follows: CV 0 = IV CV i = f(cv i-1, y i-1 ) 1 i L = iitial -bit value H(y) = CV L Security proofs by the authors [Mer89a] have show show that if the compressio fuctio f is collisio resistat, the the resultig iterated hash fuctio H is also collisio resistat. However, the costructio has udesirable properties like legth extesio attacks. The Merkle-Damgård costructio ca be stregtheed: by addig a block with the legth of the message (legth paddig). by usig a wide pipe costructio where the hash output has less bits tha the itermediate chaiig values CV i with i < L. Hash shorter tha state good as less ifo leaked to attacker (e.g. agaist legth extesio). However, less search space for other attacks like brute force. Network Security, WS 2013/14, Chapter

27 The Secure Hash Algorithm SHA-1 (1) Also SHA-1 follows the commo structure as described above: SHA-1 works o 512-bit blocks ad produces a 160-bit hash value Iitializatio The data is padded, a legth field is added ad the resultig message is processed as blocks of legth 512 bit The chaiig value is structured as five 32-bit registers A, B, C, D, E Iitializatio: A = 0x B = 0x EF CD AB 89 C = 0x 98 BA DC FE D = 0x E = 0x C3 D2 E1 F0 The values are stored i big-edia format Each block y i of the message is processed together with CV i i a module realizig the compressio fuctio f i four rouds of 20 steps each. The rouds have a similar structure but each roud uses a differet primitive logical fuctio f 1, f 2, f 3, f 4 Each step makes use of a fixed additive costat K t, which remais uchaged durig oe roud The text block y i which cosists of bits words is stretched with a recurret liear fuctio i order to make bits out of it, which are required for the 80 steps: t{0,..., 15} W t := y i [t] t{16,..., 79} W t := CLS 1 (W t-16 W t-14 W t-8 W t-3 ) Network Security, WS 2013/14, Chapter

28 The Secure Hash Algorithm SHA-1 (2) - Oe Step A B C D E f (t DIV 20) CLS y i [k] CLS W t K (t DIV 20) A B C D E After step 79 each register A, B, C, D, E is added modulo 2 32 with the value of the correspodig register before step 0 to compute CV i+1 Network Security, WS 2013/14, Chapter

29 The Secure Hash Algorithm SHA-1 (3) The SHA-1 value over a message is the cotet of the chaiig value CV after processig the fial message block Security of SHA-1: As SHA-1 produces a hash value of legth 160 bit, it offers better security tha MD5 with its 128 bits. I February 2005, 3 Chiese Scietists published a paper where they break SHA-1 collisio resistace withi 2 69 steps, which is much less tha expected from a cryptographic hash fuctio with a output of 160 bits (2 80 ). Meawhile dow to 2 52 steps (EuroCrypt 2009 Rump Sessio). Up to ow, o attacks o the pre-image resistace of SHA-1 have bee published. Network Security, WS 2013/14, Chapter

30 SHA-3 a ew hash stadard MD5 is cosidered broke ad SHA-1 is uder heavy attack. Performace of SHA-1 worse tha performace of up-to-date symmetric ciphers like AES or Twofish. NIST started a competitio for a ew hash fuctio stadard that will be called SHA-3 i NIST SHA-3 competetitio Requiremet: fast ad secure! Roud1: 51 cadidates accepted, 13 rejected. (December 2008) Roud2: 14 cadidates survivded. (July 2009) Roud3 (fial): 5 cadidates (BLAKE, Grostl, JH, Keccak, Skei) (December 2010) Wier (October 2012): Keccak Network Security, WS 2013/14, Chapter

31 SHA-3 / Keccak / Spoge Costructio SHA-3 (Keccak) Follows the spoge costructio M is padded to a multiple of the block legth r r=0, c=0 For each block i, compute f(r+mi ci) Source: Cryptographic spoge fuctios [CSF], Jauary 2011, by Keccak authors (= Absorbig phase) I squeezig phase cocateate the ri util output legth reached. Network Security, WS 2013/14, Chapter

32 SHA-3 / Keccak / Spoge Costructio The fuctio f follows a block cipher-like cocept. Iteral state: 3d state space, 5x5 64-bit words (400 Bits) 256 Bit ad 512 Bit blocks, 24 rouds with each 5 subrouds Roud operatios iclude Parity i colums of the state space Bitwise rotatio i words Permutatio of words A o-liear bitwise combiatio operatio XOR with roud costat Autheticated Ecryptio ad Tree Hash support proposed, ot stadardized. Network Security, WS 2013/14, Chapter

33 SHA-3 cadidate Skei I additio to SHA-3 fialist Skei might also get wide support i libraries ad protocols due to its promiet authors. Variats Skei- / Skei--m = size of iteral state (relates to the stregth of the hash fuctio) = 512 (default), = 1024 (coservative), = 256 (low memory) m = size of hash output Cocept Build hash fuctio out of tweakable block cipher Uses block cipher Threefish 512, 1024, 256 bits key legth ad block legth (depedig o variat) Uique Block Iteratio (UBI) as chaiig mode Variable iput ad fixed (cofigurable) output size Optioal Argumet System Key, Cofiguratio, Persoalizatio, Public Key, Key Derivatio Idetifier, Noce, Message, Output Support for Tree Hashig Optio to process large plaitexts o parallel CPUs / machies i a tree rather tha liear processig (caot be parallelized) Network Security, WS 2013/14, Chapter

34 Tweak Tweak i Skei Overall size = 128 bits 96 bits couter for message legth Icremeted for each block 6 bits type iformatio Bit idicates paddig Bit idicates first block Bit idicates last block Makes hash result for a plaitext subsequece positio-depedet E.g. harder to isert blocks that do ot chage chaiig value to ext block E.g. harder to exted message ad compute ew MAC Etc. Network Security, WS 2013/14, Chapter

35 Threefish Block size 256, 512, or 1024 bits Key size = block size Tweak size = 128 bits All operatios o 64 bit words Mix operatio uses XOR, additio (mod 2^64), costat rotatio (roud ad word-specific) 72 rouds (80 rouds for 1024 bit versio) Subkeys Are roud-specific ad derived from key (4, 8, or 16 words) ad tweak (128 bits = 2 words) Take from [FLS+08] Skei Specificatio v1.1 Network Security, WS 2013/14, Chapter

36 Uique Block Iteratio (UBI) Chaiig Mode Uique Block Iteratio (UBI) Block cipher Iput: Message Blocks Key: Tweak ad chaiig value Chaiig Value XOR of output ad iput of block cipher Tweak Couts bytes util ow (le field) Idicates first block / fialblock UBI i Skei type field Cofig 32 byte cofiguratio strig cotaiig fields like output legth Message Plaitext Out Geerates fial output, iput is 0. Take from [FLS+08] Skei Specificatio v1.1 Take from [FLS+08] Skei Specificatio v1.1 Network Security, WS 2013/14, Chapter

37 UBI i Skei Output Geeratio Icrease the output size by applyig a couter mode for the output computatio Take from [FLS+08] Skei Specificatio v1.1 Network Security, WS 2013/14, Chapter

38 Skei-MAC MAC usage Take from [FLS+08] Skei Specificatio v1.1 Skei ca be used with HMAC ad similar fuctios, requires two hashes Faster optio: use Skei with optioal argumet key The key iput are processed by a UBI block with the key as iput, 0 as costat / iitial chaiig value ad the tweak type iformatio Key This does ot suffer the same weakesses metioed before like addig a key to the plaitext as i some weaker MAC cotructios like H(k,m,k). Network Security, WS 2013/14, Chapter

39 Overview Birthday Pheomeo Network Security, WS 2013/14, Chapter

40 Attacks Based o the Birthday Pheomeo (1) Attack agaist collisio resistace of cryptographic hash fuctios The Birthday Pheomeo: How may people eed to be i a room such that the possibility that there are at least two people with the same birthday is greater tha 0.5? For simplicity, we do t care about February, 29, ad assume that each birthday is equally likely Defie P(, k) := Pr[at least oe duplicate i k items, with each item able to take oe of equally likely values betwee 1 ad ] Defie Q(, k) := Pr[o duplicate i k items, each item betwee 1 ad ] P(, k) = 1 - Q(, k) We are able to choose the first item from possible values, the secod item from - 1 possible values, etc. Hece, the umber of differet ways to choose k items out of values with o duplicates is: N = ( - 1)... ( - k + 1) =! / ( - k)! The umber of differet ways to choose k items out of values, with or without duplicates is: k So, Q(, k) = N / k =! / (( - k)! k ) Network Security, WS 2013/14, Chapter

41 Network Security, WS 2013/14, Chapter Attacks Based o the Birthday Pheomeo (2) P(, k) := Pr[at least oe duplicate i k items, with each item able to take oe of equally likely values betwee 1 ad ] We have: We will use the followig iequality: (1 - x) e -x for all x 0 So: k k k k k Q k P k k ) (... 1) ( 1 )! (! 1 ), ( 1 ), ( k k k k e e e e e k P 2 1) ( ) ( ), (

42 Attacks Based o the Birthday Pheomeo (3) I the last step, we used the equality: (k - 1) = (k 2 - k) / 2 Exercise: proof the above equality by iductio Let s go back to our origial questio: how may people k have to be i oe room such that there are at least two people with the same birthday (out of = 365 possible) with probability 0,5? So, we wat to solve: e e k( k 1) 2 k( k 1) 2 k ( k 1) l(2) 2 For large k we ca approximate k (k - 1) by k 2, ad we get: k 2l(2) For = 365, we get k = which is quite close to the correct aswer 23 Network Security, WS 2013/14, Chapter

43 Attacks Based o the Birthday Pheomeo (4) What does this have to do with cryptographic hash fuctios? We have show, that if there are possible differet values, the umber k of values oe eeds to radomly choose i order to obtai a pair of idetical values with probability 0.5, is i the order of Now, cosider the Yuval s square root attack [Yuv79a]: Eve wats Alice to sig a message m1 which Alice ormally ever would sig. Eve kows that Alice uses the fuctio H to compute a cryptographic hash value of m. The hash value has legth r bit before she sigs it with her private key yieldig her digital sigature First, Eve produces her message m1. If she would ow compute H(m1) ad the try to fid a secod harmless message m2 which leads to the same hash value her search effort i the average case would be o the order of 2 (r - 1) Istead she takes ay harmless message m2 ad starts producig variatios m1 ad m2 of the two messages, e.g. by addig <space> <backspace> combiatios or varyig with sematically idetical words Network Security, WS 2013/14, Chapter

44 Attacks Based o the Birthday Pheomeo (5) As we leared from the birthday pheomeo, Eve will just have to produce about 2 2 r r 2 variatios of each of the two messages such that the probability that she obtais two messages m1 ad m2 with the same hash value is at least 0.5 As she has to store the messages together with their hash values i order to fid a match, the memory requiremet of her attack is o the order of 2 r 2 ad its computatio time requiremet is o the same order After she has foud m1 ad m2 with H(m1 ) = H(m2 ) she asks Alice to sig m2. Eve ca the take this sigature ad claim that Alice siged m1 Network Security, WS 2013/14, Chapter

45 Attacks Based o the Birthday Pheomeo (6) Attacks followig this method are called birthday attacks Cosider ow, that Alice uses RSA with keys of legth 2048 bit ad a cryptographic hash fuctio which produces hash values of legth 96 bit. Eves average effort to produce two messages m1 ad m2 as described above is o the order of 2 48, which is feasible today. Breakig RSA keys of legth 2048 bit is far out of reach with today's algorithms ad techology Network Security, WS 2013/14, Chapter

46 Overview Costructig MACs HMAC CBC-MACs CMAC Network Security, WS 2013/14, Chapter

47 Costructig a MAC from a Cryptographic Hash Fuctios (1) Reasos for costructig MACs from cryptographic hash fuctios : Cryptographic hash fuctios geerally execute faster tha symmetric block ciphers (Note: with AES this is t much of a problem today) There are o export restrictios to cryptographic hash fuctios Basic idea: mix a secret key K with the iput ad compute a hash value The assumptio that a attacker eeds to kow K to produce a valid MAC evertheless raises some cryptographic cocer: The costructio H(K m) is ot secure The costructio H(m, K) is ot secure The costructio H(K, p, m, K) with p deotig a additioal paddig field does ot offer sufficiet security Network Security, WS 2013/14, Chapter

48 Costructig a MAC from a Cryptographic Hash Fuctios (2) The costructio H(K m K), called prefix-suffix mode, has bee used for a while. See for example [RFC 1828] It has bee also used i earlier implemetatios of the Secure Socket Layer (SSL) protocol (util SSL 3.0) However, it is ow cosidered vulerable to attack by the cryptographic commuity. The most used costructio is HMAC: H ( K opad H ( K ipad m)) The legth of the key K is first exteded to the block legth required for the iput of the hash fuctio H by appedig zero bytes. The it is xor ed respectively with two costats opad ad ipad The hash fuctio is applied twice i a ested way. Curretly o attacks have bee discovered o this MAC fuctio. (see ote 9.67 i [Me97a]) It is stadardized i RFC 2104 [Kra97a] ad is called HMAC Network Security, WS 2013/14, Chapter

49 Cipher Block Chaiig Message Autheticatio Codes (1) A CBC-MAC is computed by ecryptig a message i CBC Mode ad takig the last ciphertext block or a part of it as the MAC: y 1 y 2 y + C -1 + K Ecrypt K Ecrypt... K Ecrypt C 1 C 2 C MAC (up to b bits) This MAC eeds ot to be siged ay further, as it has already bee produced usig a shared secret K. This scheme works with ay block cipher (AES, Twofish, 3DES,...) It is used, e.g., for IEEE (WLAN) WPA2, may modes i SSL / IPSec use some CBC-MAC costructio. Network Security, WS 2013/14, Chapter

50 Cipher Block Chaiig Message Autheticatio Codes (2) CBC-MAC security CBC-MAC must NOT be used with the same key as for the ecryptio I particular, if CBC mode is used for ecryptio, ad CBC-MAC for itegrity with the same key, the MAC will be equal to the last cipher text block If the legth of a message is ukow or o other protectio exists, CBC- MAC ca be proe to legth extesio attacks. CMAC resolves the issue. CBC-MAC performace Older symmetric block ciphers (such as DES) require more computig effort tha dedicated cryptographic hash fuctios, e.g. MD5, SHA-1 therefore, these schemes are cosidered to be slower. However, ewer symmetric block ciphers (AES) is faster tha covetioal cryptographic hash fuctios. Therefore, AES-CBC-MAC is becomig popular. Network Security, WS 2013/14, Chapter

51 Cipher-based MAC (CMAC) CMAC is a modificatio of CBC-MAC Compute keys k1 ad k2 from shared key k. Withi the CBC processig XOR complete blocks before ecryptio with k1 XOR icomplete blocks before ecryptio with k2 k is used for the block ecryptio Output is the last ecrypted block or the l most sigificat bits of the last block. AES-CMAC is stadardized by IETF as RFC 4493 ad its trucated form i RFC XCBC-MAC (e.g. foud i TLS) is a predecessor of CMAC where k1 ad k2 are iput to algorithm ad ot derived from k. Network Security, WS 2013/14, Chapter

52 Overview Itegrity Check ad Digital Sigature Network Security, WS 2013/14, Chapter

53 Itegrity check with hash fuctio / MAC Alice (A) share symmetric key K m, MAC K (m) Bob (B) Alice protects her message m with a MAC fuctio Alice has to sed m ad the MAC value to Bob. Examples for potetial MAC costructios: HMAC H( K opad H( K ipad m)) CBC-MAC / CMAC Ec K (h(m)) Network Security, WS 2013/14, Chapter

54 Itegrity check with hash fuctio / MAC Alice (A) share symmetric key K m, MAC K (m) Bob (B) Alice sigs her data m with the Message Autheticatio Code. Bob ca verify the MAC code by usig the shared key. He reads Alice s MAC K (m) He ca check if his MAC K (m) matches the oe Alice siged. Oly Alice ad Bob who kow K ca do this. Take home message: for itegrity checks the receiver eeds to kow m ad a modificatio check value that it ca compare. Thik about it: Why is Ec K (m) usually ot sufficiet? Network Security, WS 2013/14, Chapter

55 Additioal Refereces I (Beyod the scope of examiatio) [Cos06] B. Cosku, N. Memo, "Cofusio/Diffusio Capabilities of Some Robust Hash Fuctios", CISS 2006: Coferece o Iformatio Scieces ad Systems, March 22-24, 2006, Priceto, NJ [Kra97a] H. Krawczyk, M. Bellare, R. Caetti. HMAC: Keyed-Hashig for Message Autheticatio. Iteret RFC 2104, February [Mer89a] R. Merkle. Oe Way Hash Fuctios ad DES. Proceedigs of Crypto 89, Spriger, [Ferg03] Niels Ferguso, Bruce Scheier, Practical Cryptography, Joh Wiley & Sos, 2003 [PSMD5] Peter Seliger, [RFC1828] P. Metzger, IP Autheticatio usig Keyed MD5, IETF RFC 1828, August 1995 [Riv92a] R. L. Rivest. The MD5 Message Digest Algorithm. Iteret RFC 1321, April [Rob96a] M. Robshaw. O Recet Results for MD2, MD4 ad MD5. RSA Laboratories' Bulleti, No. 4, November [Yiqu05] Xiaoyu Wag, Yiqu Lisa Yi, ad Hogbo Yu, "Collisio Search Attacks o SHA1", February 2005, < [Yuv79a] G. Yuval. How to Swidle Rabi. Cryptologia, July Network Security, WS 2013/14, Chapter

56 Additioal Refereces II [FLS+08] Niels Ferguso, Stefa Lucks, Bruce Scheier, et. al.: Skei Specificatio v (accessed o 31/10/2011) [Skei] [SHA-3] NIST (Natioal Istitute for Stadards ad Techology (USA)): CRYPTOGRAPHIC HASH ALGORITHM COMPETITION. [CSF] G. Bertoi, J. Daeme, M. Peeters ud G. Va Assche: Cryptographic Spoge Fuctios. [Keccak3] G. Bertoi, J. Daeme, M. Peeters ud G. Va Assche: Keccak Referece (versio 3.0). [Keccak] G. Bertoi, J. Daeme, M. Peeters ud G. Va Assche: Keccak spoge fuctio family mai documet. Network Security, WS 2013/14, Chapter