Lecture 4: Authentication and Hashing

Transcription

1 Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, These slides are based on Benny Chor s slides.

2 Some Changes in Grading Procedures From: Subject: Exam in Crypto Course - Clarification Date: November 14, :33:23 AM GMT+02:00 To: @listserv.tau.ac.il Reply-To: bennyap@tau.tau.ac.il To all students in the course, I decided to change the regular exam procedure. You will be able to take a a normal exam, or opt not to take one. In the later case, your final grade in the course will be your average courses grade (up to the exam date) plus 10 points (if this exceeds 100, the grade will be just 100). If you decide to take the exam, which I d like to encourage you to do, your final grade will be the maximum of the exam grade and your average plus 10 (as above). Please note that this is a numeric grade and not a pass/fail one, which was banished by the university senate. In addition, this arrangement has been explicitly approved by the Dean and the Rector. Sincerely, Benny Applebaum Would you believe this message? Do you really think it was originated from bennyap@post.tau.ac.il (your lecturer)? How can you tell? How many of you can actually forge such message and distribute it to the course mailing list? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

3 Authentication Goal Ensure integrity of messages, even in presence of an active adversary who hears previous genuine messages (in a worst case scenario, these could possibly include messages she chose), and then sends own forged message(s). Bob (receiver) should be able to tell genuine messages from forged ones. Important Remark: Authentication is orthogonal to secrecy, yet systems often required to provide both. However, the two are typically handled separately, then combined to one message. Secrecy alone usually does not guarantee integrity. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

4 Sol: Message Authentication Code (MAC) Idea: Alice and Bob share a secret key. Alice append to each message m an authentication tag MAC k (m) = tag. Bob verifies authenticity by comparing MAC k (m) to tag. Definition (Message Authentication Code) Message space M (usually long binary strings, e.g., {0, 1} ) Secret authentication key k {0, 1} n Authentication algorithm MAC k (m) tag Typically, tag {0, 1} l where l is relatively short Remark: the MAC function is not 1-to-1 (why?) Security: Intuitively, should be hard to forge a valid tag even after seeing many legal tags Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

5 Security Definition (Existential Forgery under Chosen Plaintext Attack) A MAC is (t, ɛ)-secure if every t-bounded adversary A which is allowed to ask for t legal pairs (m i, MAC k (m i )) (i = 1, 2,..., t) outputs a new valid pair (m, MAC k (m)) with probability < ɛ. The probability is taken over the choice of a random key Adversary can choose the messages The adversary succeeds even if the message being forged is meaningless. The reason is that it is hard to predict what has and what does not have a meaning in an unknown context, and how will Bob, the receiver, react to such successful forgery. Want: large t and small ɛ (asymptotically, both are super-polynomial, or even exponential, in the key length.) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

6 Trivial Attacks Definition (Existential Forgery under Chosen Plaintext Attack) A MAC is (t, ɛ)-secure if every t-bounded adversary A which is allowed to ask for t legal pairs (m i, MAC k (m i )) (i = 1, 2,..., t) outputs a new valid pair (m, MAC k (m)) with probability < ɛ. Exhaustive search the key space: complexity 2 n. If t is large enough, then t pairs determine the key k uniquely (with high prob.). Choose a new message m and guess its tag, very efficient but correct with probability 2 l where l is the length of the tag. Conclusion: key and tag should not be too short Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

7 MACs for Short Messages What would Shannon do? Claim: If MAC : {0, 1} n {0, 1} l is a random function then it s (t, ɛ = 2 l )-secure even if the adversary is computationally unbounded. Can you see why? In a computational setting can use pseudorandom function (i.e., block-cipher) Theorem: A (t, ɛ)-secure PRF is (t t, ɛ = ɛ + 2 l )-MAC. Proof idea: If the PRF was truly random function then hard to forge, hence an adversary that breaks the MAC can distinguish the PRF from truly random function. Problem: Block-ciphers are defined for a fixed length ( block ), but we would like to support long messages! Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

8 How to authenticate Long Messages? Suggestions: MAC k (M 1,..., M l ) = (E k (M 1 ),..., E k (M l )) MAC k (M 1,..., M l ) = E k (M 1 )... E k (M l ) MAC k (M 1,..., M l ) = E k (M 1, 1)... E k (M l, l) None of the above is secure! Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

9 MACs for Long Messages We will describe two approaches based on CBC Mode Encryption, and based on cryptographic hash functions. Reminder: CBC Mode Encryption. In CBC mode (Cipher Block Chaining), previous ciphertext is XORed with current plaintext before encrypting current block. The initialization vector S 0 is used as a seed for the process. It can be transmitted openly. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

10 CBC Mode MACs Start with the all zero seed. Given a message consisting of n blocks, M 1, M 2,..., M n, apply CBC mode encryption (using the secret key k). Produce n cipertext blocks, C 1, C 2,..., C n. Discard first n 1 blocks. Send M 1, M 2,..., M n and the tag MAC k (M) = C n. Q: Can we use replace the all-zero seed with a random public string? Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

11 Security of Fixed Length CBC MAC [BKR, 2000] Theorem: If E k is a pseudo random function, then the fixed length CBC MAC is resilient to forgery when authenticating messages of the same length, n. Proof via reduction: Assume CBC MAC can be forged efficiently. Transform the forging algorithm into an algorithm distinguishing E k from a random function efficiently. Warning: Construction is not secure if messages are of varying lengths, namely number of blocks varies among messages. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

12 Insecurity of Variable Length CBC MAC Here is a simple, chosen plaintext example of forgery: Get C 1 = CBC MAC k (M 1 ) = E k ( 0 M 1 ) Ask for MAC of C 1, i.e., C 2 = CBC MAC k (C 1 ) = E k ( 0 C 1 ) Observe that E k (C 1 0) = E k (E k ( 0 M 1 ) 0) = CBC MAC k (M 1 0) (where denotes concatenation) One can efficiently design, for every n, two messages, one with 1 block, the other with n + 1 blocks, that have the same MAC k ( ). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

13 CBC-MAC for Variable Length Messages Solution 1: The first block of the message is set to be its length. Namely, to authenticate M 1,..., M n apply CBC-MAC to (n, M 1,..., M n ). Works since now message space is prefix-free. Drawback: The message length, n, must be known in advance. Solution 2 : apply CBC-MAC to (M 1,..., M n, n) Message length does not have to be known is advance. Looks good, but this scheme was broken (see, M. Bellare, J. Kilian, P. Rogaway, The Security of Cipher Block Chaining, 1984) Solution 3: (recommended) Use a second key secret k 2. Compute MAC k1,k 2 (M 1,..., M n ) = E k2 (MAC k1 (M 1,..., M n )) This is called ECBC MAC (Encrypted CBC). Essentially the same overhead as CBC-MAC. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

14 Combining Authentication and Secrecy It is a good idea to use two different keys: one for authentication and one for encryption. But How? Suggestions: Encrypt-and-Authenticate: E k1 (M), MAC k2 (M) secure? No (some MACs may leak information on M) Authenticate-then-Encrypt: E k1 (M, MAC k2 (M)) secure? No Encrypt-then-Authenticate: E k1 (M), MAC k2 (E k1 (M)) secure? Yes Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

15 Detour: Hash Functions Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

16 Hash Functions: Reminder Hash functions map large domains X to smaller ranges Y. Example: h : {0, 1,..., p 2 } {0, 1,..., p 1}, where h(x) = a x + b mod p. A collision is a pair x y for which h(x) = h(y). Collisions are inevitable as Y < X A good hash function should create few collisions for most subsets of the domain ( few is relative to size of subset). In data structures, collisions are resolved by several possible means chaining, double hashing, etc. Hash functions, including cryptographic ones, have no secret key. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

17 Security Requirements from Cryptographic Hash Functions 1 Pre-image resistance: for a random y, it is hard to find x such that h(x) = y. 2 Weak collision resistance: for a random x 1 X, it is hard to find x 2 x 1 such that h(x 1 ) = h(x 2 ). (This requirement is also known as universal one-way hash, or second preimage resistance ). 3 Strong collision resistance, aka claw freeness : it is hard to find any pair x 1, x 2 X such that h(x 1 ) = h(x 2 ). Under reasonable assumptions (e.g., h is regular), strong collision resistance implies the two other properties. (Why?) Thus in general it will be harder to satisfy. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

18 The Birthday Paradox If 23 people are chosen at random, the probability that two of them have the same birthday is greater than 0.5. Compare to: the prob. that one or more of them has the same birthday as Claude Shannon is 23/365 (more precisely, 1 ( ) 23 ). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

19 Generic Birthday Attack Claim Let h : X Y be a random mapping. If we chose 1.17 Y 1/2 elements of X at random, the probability that two of them are mapped to the same image is greater than 0.5. Hence strong collision resistance is easier to violate than weak (targeted) collision resistance. If Y = 2 n, then about 2 n/2 random elements of X suffice, whp, for a random collision x 1 x 2 such that h(x 1 ) = h(x 2 ). Complexity: 2 n/2 time/space. Can you improve space to O(1)? But to find an x such that h(x) = h(0), we need approximately 2 n random elements of X. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

20 Cryptographic Hash Functions Hash functions h : {0, 1} n {0, 1} m, satisfying: Strong collision resistance. Very fast to compute. Recall: no secret key. h(x) is often called the digest of x. In real life, input block length is usually n = 512 bits ( X = ). Output length is at least m = 160 bits (to foil birthday attacks). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

21 Extending to Variable Length Messages Suppose h : {0, 1} 512 {0, 1} 160. The input message is M = M 1 M 2... M s. The length of each M i is = 352 (what if 352 does not divide M?). Define y 0 = seed = 0 160, y i = h(y i 1, m i ); y s+1 = h(y s, m s+1 ), h(m) = y s+1. Is this secure? What about input messages of different lengths? Claim: collisions in H imply collisions in h. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

22 How to build a good hash function? Suggestions: Let E be a block cipher. h(x, y) = E x (y), secure? No h(x, y) = E x (y) y? Seems better, but no proof of security... Open question: General construction of hash function from block cipher (equivalently, from one-way function). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

23 Real World Cryptographic Hash Functions MD family ( message digest ) MD-2 MD-4 (full description in Stinson s book) MD-5 MD-5 hashes to 128 bit strings. This relatively small size was exploited to find collisions, and MD-5 is now considered broken. See SHA and SHA-1 (secure hash standard, 160 bits) ( (Apparently for SHA-0, just 2 39 applications are now required to find a collision, and 2 63 are required for SHA-1.) RIPE-MD SHA-256, 384 and 512 (proposed standards, longer digests) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

24 Real World Cryptographc Hash Functions, cont. Interestingly, these very days (fall 2011), NIST is conducting a public competition to develop a new cryptographic hash algorithm. The five finalists are: BLAKE, Grøstl, JH, Keccak and Skein. The winner will be announced in The competition is NIST s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called SHA-3. Criteria are speed and some proof of security. See Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

25 Applications of Hash Function password verification compare-by-hash virus protection Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

26 Using Cryptographic Hash Function to Build MACs Hash functions are not keyed. MAC k does use a key. Best attack should not succeed with probability greater than max ( 2 k, 2 MAC( ) ). Idea: Combine message and the secret key, then hash them with a collision resistant hash function. Nice idea, but how? The devil is in the details. Two possible implementations: 1 MAC k (M) = h(k, M). 2 MAC k (M) = h(m, k). Both turn out to be insecure. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

27 HMAC Proposed in 1996 by [BCK]. Receives as input a message M, a key k and a hash function, h. Outputs a MAC by: HMAC k (M, h) = h(k opad, h(k ipad, M)). The two strings opad and ipad are 64 byte long fixed strings. k is 64 byte long (if shorter, append 0s to get 64 bytes). Theorem [BCK]: HMAC can be forged if and only if the underlying hash function is broken (collisions found). HMAC is extensively used (e.g. SSL, IPSec). Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

28 The Random Oracle (RO) Methodology Intuitively, A hash function should behave like a public random function. This gives rise to the following methodology: Construct a protocol that employs a function H and prove its security assuming that H is a random function. All parties (Alice, Bob and the adversary) have an access to the random function. Instantiate the function H with a hash function and hope that security still holds. Rational: If the protocol becomes insecure then we found an aspect in which the hash function does not behave like a random function. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

29 The Random Oracle (RO) Methodology The Random Oracle methodology is a heuristic argument and it is highly contrived. Theoretically the methodology is not sound. There are counter-examples: protocols which are secure when H is random but insecure when H is (any) hash function. Practically Real world constructions (based on RO) have not been broken so far. Overall, this methodology typically achieves efficiency together with some indication of security, and thus it may be useful as an intermediate solution between ad-hoc constructions with high efficiency but no proof of security and theoretical inefficient solutions which are provably-secure. Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30

30 Random Oracle vs. Pseudorandom Functions Q: Why can t we instantiate the Random Oracle with a pseudorandom function (PRF)? A: PRFs are secure (look random) as long as the key is not available, while the RO model assumes a random public function with no secret key. (All parties can access its code and evaluate it.) Benny Applebaum (Tel-Aviv University) Modern Cryptography Lecture 4 Fall Semester, / 30