CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Similar documents
Lecture 1 Applied Cryptography (Part 1)

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Message Authentication Codes and Cryptographic Hash Functions

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Network and System Security

Integrity of messages

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Message Authentication and Hash function

ENEE 459-C Computer Security. Message authentication

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Introduction to Cryptography. Lecture 6

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptographic Hash Functions

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

1.264 Lecture 28. Cryptography: Asymmetric keys

CSCE 715: Network Systems Security

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Computer Security: Principles and Practice

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Winter 2011 Josh Benaloh Brian LaMacchia

CS408 Cryptography & Internet Security

Cryptographic Hash Functions

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS Computer Networks 1: Authentication

Lecture 4: Authentication and Hashing

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Spring 2010: CS419 Computer Security

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

CSC 580 Cryptography and Computer Security

Encryption. INST 346, Section 0201 April 3, 2018

Lecture 1: Course Introduction

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Message authentication codes

Tuesday, January 17, 17. Crypto - mini lecture 1

Cryptographic hash functions and MACs

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Data Integrity. Modified by: Dr. Ramzi Saifan

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Security Requirements

Chapter 11 Message Integrity and Message Authentication

Cryptography. Summer Term 2010

Hash functions & MACs

Practical Aspects of Modern Cryptography

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Introduction to Software Security Hash Functions (Chapter 5)

P2_L8 - Hashes Page 1

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Lecture 4: Hashes and Message Digests,

Unit 8 Review. Secure your network! CS144, Stanford University

CIS 4360 Secure Computer Systems Symmetric Cryptography

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

APNIC elearning: Cryptography Basics

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Jaap van Ginkel Security of Systems and Networks

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

CS 161 Computer Security

S. Erfani, ECE Dept., University of Windsor Network Security

Ref:

Cryptography (Overview)

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

David Wetherall, with some slides from Radia Perlman s security lectures.

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

CPSC 467b: Cryptography and Computer Security

CSE484 Final Study Guide

Security: Cryptography

Symmetric Encryption 2: Integrity

CSC574: Computer & Network Security

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

SECURITY IN NETWORKS

Hashing (Message Digest)

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CSC 8560 Computer Networks: Network Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Kurose & Ross, Chapters (5 th ed.)

CSC 774 Network Security

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Summary on Crypto Primitives and Protocols

Cryptography MIS

Cryptographic Hash Functions. Secure Software Systems

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Computer Security CS 526

SECURITY IN NETWORKS 1

UNIT - IV Cryptographic Hash Function 31.1

Transcription:

CS 645 : Lecture 6 Hashes, HMAC, and Authentication Rachel Greenstadt May 16, 2012

Reminders Graded midterm, available on bbvista Project 3 out (crypto)

Hash Functions MAC HMAC Authenticating SSL Man-in-the-middle / Project 4 Messages

Introduction to Hash Functions If H is a hash function, m is an input bit string, and h is the output of H applied to the input m, then we write h = H(m). Some common and useful terminology: If h = H(m) then h is called the "hash" of m, m is called a "preimage" of h, for a given input m, a "second preimage" of m is a different input m' such that H(m) = H(m'), if m and m' are different inputs such that H(m) = H(m') then the pair {m,m'} is called a "collision" for H.

Collision Resistance Strong collision resistance Hard to find *any* x,y such that h(x)=h(y) Weak collision resistance / preimage attacks First preimage attack: given hash h 1, find m such that h(m) = h1 Second preimage attack : Given message m 1 find message m2 such that h(m1) = h(m2)

Exercise Explain the difference between breaking strong collision resistance and a second pre-image attack? Quantify this difference in how long it would take to brute-force the attack for a perfect hash function of n bits.

First case H( hello world ) = x find y such that H (y) =x Second case m and m s.t. H(m) = H(m )

Birthday Attacks on Collision Resistance Given function h, goal is find two inputs x,y such that h(x) = h(y) Based on the birthday paradox: A group of 23 or more people will have the same probability > 50% H different outputs, then expected 1.25*sqrt(H) to find a match so 2160 outputs for SHA-1, leads to approx 2 80 tries

Group exercise Hash functions are reasonably fast, but here's a much faster function to compute. Take your message,divide it into 128-bit chunks, and xor all the chunks together to get a 128-bit result. Do the standard hash function on the result. Is this a good hash function? Why or why not?

Types of Hash Functions MD5 128-bit output Designed by Ron Rivest, used very widely Collision-resistance broken (summer of 2004 and it keeps getting worse) RIPEMD-160 160-bit variant of MD5 SHA-1 (Secure Hash Algorithm) 160-bit output US government (NIST) standard as of 1993-95 Also the hash algorithm for Digital Signature Standard (DSS)

How Strong is SHA-1? Every bit of output depends on every bit of input Very important for collision resistance Brute-force inversion requires 2160 ops, birthday attack on collision resistance requires 2 80 Recent weaknesses (2005) Collisions can be found in 263 ops - maybe 2 60 People are losing confidence

SHA-3 (Keccak) NIST held competition for new hash algorithm (SHA-3) 2007-2012 64 entries, Winner Keccak What about SHA-2? four other functions, more similar to SHA-1 in construction larger output, believed secure

Keccak uses Sponge Function Absorbs and Squeezes Pad message into blocks Absorb - xor blocks with r bits of state and f function Squeeze - generate output blocks and f function f function is a permutation

Capacity c c is capacity of hash function bits are unused by message capacity should be c = 2n, n output size n is desired resistance to collision/preimage attacks Contest to find collisions at various capacities

Keccak-256("The quick brown fox jumps over the lazy dog") 0x 4d741b6f1eb29cb2a9b9911c82f56fa8d73b04959d3d9d222895df6c0b28aa15 Keccak-256("The quick brown fox jumps over the lazy dog.") 0x 578951e24efd62a3d63a86f7cd19aaa53c898fe287d2552133220370240b572d Details of Keccak http://keccak.noekeon.org

About SHA-3 Not so fast in software Very fast in hardware Very different from SHA-1/2, MD functions Security weaknesses minimal so far

Authentication without Encryption Integrity and Authentication: only someone who knows key can compute MAC for a given message

How to hash the key and message? Seems easy, just compute h(key message) Problems? Assume h is SHA-1 Recall that in SHA-1, the message is hashed from left to right in 512 bit chunks

Enter Carol Bob is Carol s boss, and Alice is Bob s boss Carol appends P.S. Give Carol a promotion and triple her salary to Alice s message to Bob Carol can take the original message, add some padding, then add her postscript and pass it into SHA-1

HMAC MAC that is as secure as underlying hash Strong collision resistance attacker that doesn t know key K cannot compute digest(k,x) for data x even if the attacker can see digest(k,y) for arbitrary y not equal to x Result slow but provable

HMAC Construct MAC by applying cryptographic hash function to message and key Could also use encryption instead of hashing, but Hashing is faster than encryption in software Library code for hash functions widely available Can easily replace one hash function with another There used to be US export restrictions on encryption Invented by Bellare, Canetti, and Krawczyk (1996) HMAC strength established by cryptographic analysis Mandatory for IP security, also used in SSL/TLS

How HMAC Works If key > 512 bits, digest(key) and pad to 512 else if key < 512 bits, pad to 512 result1 = digest ((Const1 XOR padded key). message) result2 = digest((const2 XOR padded key). result1) HMAC(message, key) = result2

HMAC

Combine encryption and MAC for confidentiality and integrity

Encrypt-and-MAC

Insecure!

Attacks Confidentiality considers indistinguishability under... Chosen Plaintext Attack (CPA) An attacker can obtain the ciphertext for any provided plaintext (but does not have the key). Chosen Ciphertext Attack (CCA) An attacker can obtain the plaintext for any provided ciphertext (but does not have the key). Integrity PTXT - Integrity of Plaintext - computationally infeasible to produce a ciphertext decrypting to a message that the sender had never encrypted. CTXT - Integrity of Ciphertext To be computationally infeasible to produce a ciphertext not previously produced by the sender.

Authenticating Users Passwords Alternatives Multi-factor Authentication

Password Security Review Summarize system Identify assets: What do you wish to protect Identify adversaries and threats Identify vulnerabilities Calculate the risks Evaluate controls/mitigation strategies Iterate

Vulnerabilities Online guessing/dictionary attack Offline guessing/dictionary attack Shared passwords Password fallback schemes

Mitigation Strategies Salts Encrypted Storage Challenge/Response

Alternatives to Passwords Graphical passwords, phrases Tokens/dongles Biometrics

Multifactor Authentication Something you forget, something you lose, and something you used to be

Public Key Authentication

X509 Certificates

Bad Certificates What to do if a bad certificate is issued? In practice...wait for it to expire In theory Revocation Services Revocation Lists

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback