Message Integrity and Hash Functions. TELE3119: Week4

Transcription

1 Message Itegrity ad Hash Fuctios TELE3119: Week4

2 Outlie Message Itegrity Hash fuctios ad applicatios Hash Structure Popular Hash fuctios 4-2

3 Message Itegrity Goal: itegrity (ot secrecy) Allows commuicatig parties to verify that received messages are authetic. Cotet of message has ot bee altered Source of message is who/what you thik it is Message has ot bee replayed Seuece of messages is maitaied Let s first talk about Hash fuctio 4-3

4 CRC Is this Secure? A reversible fuctio! No! Attacker ca easily modify message m ad re-compute CRC. CRC desiged to detect radom errors, ot malicious attacks. 4-4

5 Hash Fuctio Also kow as Message digest Oe-way trasformatio Oe-way fuctio Hash Legth of H(m) much shorter tha legth of m Usually fixed legths: 128 or 160 bits 4-5

6 Desirable Properties of Hash Fuctios Cosider a hash fuctio H Performace: Easy to compute H(m) Oe-way property: Give H(m), it s computatioally ifeasible to fid m (ulike ecryptio) I RSA, Z=m db is the sigature of Z eb = m Collisio resistace: Give H(m), it s computatioally ifeasible to fid m such that H(m ) = H(m). Seemigly radom output 4-6

7 Iteret checksum: poor message digest Iteret checksum has some properties of hash fuctio: produces fixed legth digest (16-bit sum) of iput is may-to-oe But give message with give hash value, it is easy to fid aother message with same hash value. Example: Simplified checksum: add 4-byte chuks at a time: Suppose Bob owes Alice $ message I O U B O B IOU BOB ASCII format 49 4F E D2 42 B2 C1 D2 AC message I O U B O B differet messages but idetical checksums! ASCII format 49 4F E D2 42 B2 C1 D2 AC IOU BOB 4-7

8 Collisio Arbitrary legth message ad fixed legth message digest 1000-bit messages 128-bit message digest O average, messages map to a particular digest! Thus, tryig lots of messages, oe would fid two with the same digest! lots is so may è impossible! 4-8

9 Legth of Hash Output What is the right size? uecessary overhead if too log loss of collisio resistace if too short (birthday problem) A hash ormally has 128 or 160 bits of output 4-9

10 Birthday Problem What s the smallest umber of people (k) i a room such that the probability of at least two of them havig the same birthday is greater tha 50%? assume 365 days/year (), ad all birthdays are eually likely P(k people havig k differet birthdays): Q(365,k) P(at least two people have the same birthday): P(365,k) = 1 Q(365,k) > 0.5 K is about # $%&. 1 ( $%&. 1 $ $%& 1 (( $%& 0.5 Probability of the secod perso havig birthday o a differet day tha the first 4-10

11 Birthday Problem (ct d) What does it to do with hashig? Birthday is a upredictable fuctio that maps a huma to oe of 365 values Collisios: with 23 items ad hash table size of 365 è 50% chace of collisio Geeralizatio of birthday problem For large ad k K(k-1)/2 pairs of iput For each pair, there s a probability of 1/ of both iputs producig the same output Therefore, you will eed /2 pairs i order for the probability to be about 50% But, pairs are ot idepedet. We caot simply add them! The smallest k to have a collisio chace of 50% K = 2 l2 = 1.18 Example i previous case =

12 HASH APPLICATIONS 4-12

13 Applicatio: File Autheticatio Wat to detect if a file has bee chaged by someoe after it was stored Method Compute a hash H(F) of file F Store H(F) separately from F Ca tell at ay later time if F has bee chaged by computig H(F ) ad comparig to stored H(F) Why ot just store a duplicate copy of F??? 4-13

14 Applicatio: User Autheticatio Alice wats to autheticate herself to Bob assumig they already share a secret key K s Protocol: Alice Bob Computes that Y=H(R K s ) picks a radom umber R (i.e. challege) cocateatio time è Verifies that Y=H(R K s ) Q: How do you use private key crypto for autheticatio? 4-14

15 User Autheticatio (ct d) Why ot just sed K s, i plaitext? H(K s )?, i.e., what s the purpose of R? 4-15

16 Applicatio: Commitmet Protocols Makig a verifiable commitmet without revealig it Example: Alice ad Bob wish to play the game of odd or eve over the etwork 1) Alice picks a umber X 2) Bob picks aother umber Y 3) Alice ad Bob simultaeously exchage X ad Y 4) Alice wis if X+Y is odd, otherwise Bob wis but, it is difficult to get the exactly same time, oe who delays util havig received the other s umber ca easily cheat! If Alice gets Y before decidig X, Alice ca easily cheat (ad vice versa for Bob) Q: How to prevet this? 4-16

17 Commitmet (ct d) Proposal: Alice must commit to X before Bob will sed Y Protocol: Picks X ad Computes Z=H(X) Alice Bob Picks Y time è Q: Ca either Alice or Bob successfully cheat ow? Verifies that Z=H(X) 4-17

18 Commitmet (ct d) Why is sedig H(X) better tha sedig X? Why is sedig H(X) good eough to prevet from cheatig? Why is it ot ecessary for Bob to sed H(Y) (istead of Y)? 4-18

19 Applicatio: Message Ecryptio Geerate a oe-time pad to be ed to the plaitext Assume Alice ad Bob share a secret key K s Alice seds Bob the (ecrypted) radom umber R 1, Bob seds Alice the (ecrypted) radom umber R 2 IV = R 1 R 2 Ad, the Remiiset of the chaiig method! 4-19

20 Message Ecryptio (ct d) Q: Why ot oly MD(K s ) oly? What is the purpose of IV (i.e. R1, R2)? 4-20

21 Message Ecryptio (ct d) We ca mix the plaitext ito the bit stream geeratio b # = MD(K < IV) c # = m # b # b ( = MD(K < c # ) c ( = m ( b ( b D = MD(K < c DE# ) c D = m D b D 4-21

22 Applicatio: Digital Sigature Public key cryptography is too slow to sig large messages geerate ad sig the cryptographic hash of the message rely o the security of the hash fuctio 4-22

23 Hash Fuctio Algorithms MD5 hash fuctio widely used (RFC 1321) computes 128-bit message digest i 4-step process. SHA-1 is also used. US stadard [NIST, FIPS PUB 180-1] 160-bit message digest 4-23

24 Commo Structure Iitialize message digest to a fixed costat Update the curret digest with the ext block of message also called the compressio fuctio (512 bits è digest legth) block by block (extesio attack) Output the fial result as the digest for the etire message 4-24

25 MD5 Pad message to a multiple of 512 bits Digest message block by block (also called stages) 4-25

26 MD5: Message Paddig Start paddig with a 1, followed by just eough 0 bits to make the message of 512* 64 bits what if the origial message has 512* bits? 512* 63? 512* 64? 512* 65? Apped 64 bit of message legth 4-26

27 MD5: A Stage Each stage takes a block of message ad itermediate digest 512-bit message block: bit words amed m0,m1,...,m bit itermediate digest: 4 32-bit words amed d0, d1, d2, d3 Each stage makes 4 passes over the block to update the digest Every pass has 16 processig steps 4*16 = 64 processig steps The output is the fial modified digest + pre-stage digest 4-27

28 SHA-1 Secure Hash Algorithm (SHA) SHA-1: revised versio of SHA (1995) Iput message must be < 2 64 bits Iput message is processed i 512-bit blocks, with the same paddig as MD5 Message digest output is 160 bits log Cosists of 80 steps! (vs. 64 for MD5) Stroger tha MD5 brute-force attacks reuire o the order of 2 80 operatios vs for MD5 4-28

29 Message Itegrity Sedig hash with plaitext does ot work attackers ca modify the message ad regeerate the hash 4-29

30 Message Autheticatio Code (MAC) K s K s = shared secret message message K s message H( ) H( ) compare Autheticates seder Verifies message itegrity No ecryptio! Also called keyed hash Notatio: MD m = H(K s m) ; sed m MD m 4-30

31 Extesio attack MAC scheme works. Except for some properties of popular message digest algorithms! (e.g. MD5, SHA-1) give m1 ad MD m1 =H(K s m1), we ca compute a loger message startig with m1 i.e. H(K s m1 m2) by usig H(K s m1) as the IV. How? Solutio: Various proposals with o kow weakesses Put secret at the ed of message istead of frot Use half of the bit of message digest as the MAC Cocateate the secret to both the frot ad the back of message Wier: Nested digest (digest-iside-a-digest) Stadard: Hash-based MAC (HMAC) 4-31

32 HMAC Popular MAC stadard Addresses some subtle security flaws 1. Cocateates secret to frot of message. 2. Hashes cocateated message 3. Cocateates the secret to frot of digest 4. Hashes the combiatio agai. 4-32

33 Summary Hashig is fast to compute Has may applicatios (some makig use of a secret key) Hash images must be at least 128 bits log but loger is better Hash fuctio details are tedious L HMAC protects message digests from extesio attacks 4-33

34 Coclusio Bruce Scheier: Hash fuctios are the least-well-uderstood cryptographic primitive, ad hashig techiues are much less developed tha ecryptio techiues. 4-34