ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Similar documents
ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Hash functions & MACs

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. Vocabulary. hash value message digest hash total. m message.

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptographic Hash Functions

Cryptography. Summer Term 2010

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CSCE 715: Network Systems Security

Jaap van Ginkel Security of Systems and Networks

CS408 Cryptography & Internet Security

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Message Authentication Codes and Cryptographic Hash Functions

Data Integrity. Modified by: Dr. Ramzi Saifan

Lecture 4: Hashes and Message Digests,

Winter 2011 Josh Benaloh Brian LaMacchia

Data Integrity & Authentication. Message Authentication Codes (MACs)

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 1 Applied Cryptography (Part 1)

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Cryptographic Hash Functions

CSE 127: Computer Security Cryptography. Kirill Levchenko

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

COMP4109 : Applied Cryptography

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Cryptographic hash functions and MACs

Message authentication codes

ENEE 459-C Computer Security. Message authentication

Hardware Architectures

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Cryptographic Hash Functions. William R. Speirs

Multiple forgery attacks against Message Authentication Codes

Lecture 4: Authentication and Hashing

Federal standards NIST FIPS 46-1 DES FIPS 46-2 DES. FIPS 81 Modes of. operation. FIPS 46-3 Triple DES FIPS 197 AES. industry.

Integrity of messages

Use of Embedded FPGA Resources in Implementa:ons of 14 Round 2 SHA- 3 Candidates

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Network and System Security

COMP4109 : Applied Cryptography

ECE 646 Lecture 12. Cryptographic Standards. Secret-key cryptography standards

Lecture 1: Course Introduction

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Chapter 11 Message Integrity and Message Authentication

Spring 2010: CS419 Computer Security

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

S. Erfani, ECE Dept., University of Windsor Network Security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CSC 580 Cryptography and Computer Security

Introduction to Cryptography. Lecture 6

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CS155. Cryptography Overview

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

UNIT - IV Cryptographic Hash Function 31.1

Encryption. INST 346, Section 0201 April 3, 2018

Stream Ciphers and Block Ciphers

Jaap van Ginkel Security of Systems and Networks

Ref:

Cryptography and Network Security

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

P2_L8 - Hashes Page 1

Summary on Crypto Primitives and Protocols

Computer Security: Principles and Practice

Introduction to Software Security Hash Functions (Chapter 5)

APNIC elearning: Cryptography Basics

Symmetric Crypto MAC. Pierre-Alain Fouque

CSC574: Computer & Network Security

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Kurose & Ross, Chapters (5 th ed.)

Some Stuff About Crypto

Encryption I. An Introduction

Cryptographic Hash Functions

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

ECE 545 Lecture 8b. Hardware Architectures of Secret-Key Block Ciphers and Hash Functions. George Mason University

CS Computer Networks 1: Authentication

symmetric cryptography s642 computer security adam everspaugh

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

IDEA, RC5. Modes of operation of block ciphers

Stream Ciphers and Block Ciphers

n-bit Output Feedback

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

V.Sorge/E.Ritter, Handout 6

Cryptography MIS

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

The SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013

David Wetherall, with some slides from Radia Perlman s security lectures.

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Transcription:

ECE 646 Lecture 12 Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 11 Cryptographic Hash Functions & MACs Appendix 11A Mathematical Basis of Birthday Attack Chapter 12 Message Authentication Codes Recommended Reading SHA-3 Competition 2007-2012 http://csrc.nist.gov/groups/st/hash/sha-3 Digital Signature Hash function Alice Message Hash function Signature Message Hash function Signature Bob arbitrary length m message Hash value yes Hash value 1 no h hash function Public key algorithm Hash value 2 Public key algorithm h(m) hash value Alice s private key Alice s public key fixed length Vocabulary hash function hash value message digest message digest hash total fingerprint imprint cryptographic checksum compressed encoding MDC, Message Digest Code Basic requirements 1. Public description, NO key 2. Compression arbitrary length input fixed length output 3. Ease of computation 1

1. Preimage resistance 2. 2nd preimage resistance Security requirements It is computationally infeasible Given y x and y=h(x) To Find x, such that h(x) = y x x, such that h(x ) = h(x) = y Dependence between requirements 2nd preimage resistant collision resistant 3. Collision resistance x x, such that h(x ) = h(x) One-Way Hash Functions OWHF (unkeyed) Collision-Resistant Hash Functions CRHF Given y Brute force attack against One-Way Hash Function m i h i=1..2 n 2 n messages with the contents required by the forger preimage resistance 2nd preimage resistance collision resistance n - bits? h(m i ) = y I Creating multiple versions of the required message state confirm $10,000 ten thousand dollars thereby - from that I Mr. Dr. borrowed received Kris Krzysztof Brute force attack against Collision Resistant Hash Function r messages acceptable for the signer m i i=1..r Yuval r messages required by the forger m j j=1..r Gaj on December 1, 12 / 01 / 2015. This money sum of money h h should is required to by the be 15 th fifteenth day of returned given back December Dec. to 2015. Mr. Dr. Gaj h(m i) n - bits h(m i) = h(m j ) h(m j ) n - bits 2

Creating multiple versions of the required message Message acceptable for the signer I state confirm thereby - that I borrowed received I state confirm thereby - that on December 1, 12 / 01 / 2015 $10,000 ten thousand dollars Gaj on should is required to by the December 1, 12 / 01 / be 15 th fifteenth day of from Mr. Dr. 2015. This returned given back December Dec. to 2015. Kris Krzysztof money sum of money Mr. Dr. Gaj on I borrowed received from Mr. Dr. security of bitcoins. security of EMV transactions. should is required to by the be 15 th fifteenth day of returned given back December Dec. Kris Krzysztof to This a Mr. Dr. 2015. paper manuscript text item Gaj Birthday paradox Birthday paradox How many students must be in a class so that there is a greater than 50% chance that 1. one of the students shares the teacher s birthday (up to the day and month)? 2. any two of the students share the same birthday (up to the day and month)? How many students must be in a class so that there is a greater than 50% chance that 1. one of the students shares the teacher s birthday (day and month)? ~ 366/2 = 183 2. any two of the students share the same birthday (day and month)? ~ 366 19 Brute force attack against Collision Resistant Hash Function Probability p that two different messages have the same hash value: p = 1 exp ( r2 2 n ) For r = 2 n/2 p = 63% Brute force attack against Collision Resistant Hash Function J.J. Quisquater Storage requirements collision search algorithm Number of operations: 2 π/2 2 n/2 2.5 2 n/2 Storage: Negligible 3

Hash value size One-Way Collision-Resistant Older algorithms: n 64 n 128 8 bytes 16 bytes Old standards (e.g., SHA-1): n 80 n 160 10 bytes 20 bytes Current standards (e.g., SHA-2, SHA-3): n = 128, 192, 256 n = 256, 384, 512 16, 24, 32 bytes 32, 48, 64 bytes Customized (dedicated) MD2 Rivest 1988 MD4 Rivest 1990 MD5 Rivest 1990 Hash function algorithms Based on block ciphers MDC-2 MDC-4 IBM, Brachtl, Meyer, Schilling, 1988 SHA-0 NSA, 1992 SHA-1 NSA, 1995 Based on modular arithmetic RIPEMD RIPEMD-160 SHA-256, SHA-384, SHA-512 NSA, 2000 MASH-1 1988-1996 European RACE Integrity Primitives Evaluation Project, 1992 Attacks against dedicated hash functions known by 2004 MD2 MD4 partially broken broken, H. Dobbertin, 1995 (one hour on PC, 20 free bytes at the start of the message) MD4 What was discovered in 2004-2005? broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer) MD5 partially broken, collisions for the compression function, Dobbertin, 1996 (10 hours on PC) weakness SHA-0 discovered, RIPEMD 1995 NSA, 1998 France SHA-1 RIPEMD-160 reduced round version broken, Dobbertin 1995 attack with broken; MD5 2 40 operations Wang, Feng, broken; SHA-0 Crypto 2004 RIPEMD Lai, Yu, Crypto 2004 Wang, Feng, Lai, Yu attack with (manully, without Crypto 2004 (1 hr on a PC) SHA-1 2 63 operations using a computer) Wang, Yin, RIPEMD-160 Yu, Aug 2005 SHA-256, SHA-384, SHA-512 SHA-256, SHA-384, SHA-512 In hardware: 2 63 operations Schneier, 2005 Machine similar to the one used to break DES: Cost = $50,000-$70,000 or Cost = $0.9-$1.26M In software: Time: 18 days Time: 24 hours Computer network similar to distributed.net used to break DES (~331,252 computers) : Cost = ~ $0 Time: 7 months Recommendations of NIST (1) NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1 Feb 2005 The new attack is applicable primarily to the use of hash functions in digital signatures. In many cases applications of digital signatures introduce additional context information, which may make attacks impracticle. Other applications of hash functions, such as Message Authentication Codes (MACs), are not threatened by the new attacks. 4

Recommendations of NIST (2) NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512 by 2010. New implementations should use new hash functions. NIST encourages government agancies to develop plans for gradually moving towards new hash functions, taking into account the sensitivity of the systems when setting the timetables. SHA-3 Contest Timeline 2007 publication of requirements 29.X. 2007: request for candidates 2008 31.X.2008: deadline for submitting candidates 9.XII.2008: announcement of 51 candidates accepted for Round 1 2009 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium 24.VII.2009: 14 Round 2 candidates announced 2010 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA 9.XII.2010: 5 Round 3 candidates announced 2012 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C. 2.X.2012: selection of the winner 2014: 28.V.2014: draft version of the standard published 2015: 5.VIII.2015: final version of the standard published Number of Submissions Number of submissions received by NIST: 64 Number of submissions publicly available: 56 Number of submissions qualified to the first round: 51 Basic Requirements for a new hash function Must support hash values of 224, 256, 384 and 512 bits Available worldwide without licensing fees Secure over tens of years Suitable for use in - digital signatures FIPS 186 - message authentication codes, HMAC, FIPS 198 - key agreement schemes, SP 800-56A - random number generators, SP 800-90 At least the same security level as SHA-2 with increased efficiency Applications (1) 1. Digital Signatures Advantages 1. Shorter signature 2. Much faster computations 3. Larger resistance to manipulation (one block instead of several blocks of signature) 4. Resistance to the multiplicative attacks 5. Avoids problems with different sizes of the sender and the receiver moduli Applications (2) 2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an intruder) program hash fingerprint =? safe place original_fingerprint 5

3. Storing passwords password hash hash(password) Applications (3) Instead of: ID, password System stores: ID, hash(password) password password password UNIX password scheme 00000000 DES DES.... DES hash(password, salt) salt salt salt ID, salt, hash(password, salt) salt modifies the expansion function E of DES 4. Fast encryption Applications (4) PRNG General scheme for constructing a secure hash function Message m Padding, appending bit length, M m i k i c i M 1 M 2... M t k 0 = hash(k AB IV ) k 1 = hash(k AB k 0)................. k n = hash(k AB k n-1) or k 0 = hash(k AB IV) k 1 = hash(k AB c 0)................. k n = hash(k AB c n-1) IV H 0 H 1 H 2 f f... compression function H t g h(m) output transformation Merkle-Damgard Scheme Parameters of the Merkle-Damgard Scheme Compression function H i-1 n Entire hash M i f H 0 = IV H i = f(h i-1, M i ) h(m) = g(h t ) r n H i In SHA-1 n=160 r=512 In SHA-256 n=256 r=512 In SHA-512 n=512 r=1024 6

Sponge Scheme Hash padding SHA-1 & SHA-256 64-bits message 100000000000 length length of the entire message in bits All zero padding: X X X 0 0 0 0 0 X X X 0 0 0 0 0 Correct padding: X X X 0 0 1 0 0 X X X 1 0 0 0 0 Hash padding SHA-3 Candidates BLAKE256 1000... 0001 Grøstl D 1000... 0000 JH42 Keccak SHA 2 (256) 1000... 0001 1000... 0001 Skein D 0000... 0000 D Data M D D D D Minimum Padding 1000... 0000 P Padding len64 #blocks len128 len64 C Counter Parameters of new hash functions Features affecting security and functionality SHA-1 SHA-256 SHA-384 SHA-512 Size of hash 160 256 384 512 value Complexity of 2 80 2 128 2 192 2 256 the birthday attack Equivalently secure Skipjack AES-128 AES-192 AES-256 secret-key cipher Message size < 2 64 < 2 64 < 2 128 < 2 128 Parameters of new hash functions Features affecting implementation speed SHA-1 SHA-256 SHA-384 SHA-512 Speed Hardware implementations Conceptual comparison Message block 512 512 1024 1024 size SHA-512, SHA-384 Number of 80 64 80 80 digest rounds SHA-1 SHA-256 Area 7

Results of the prototype FPGA implementation Speed in hardware [Mbit/s] GMU, 2002 700 616 600 500 462 400 300 200 100 0 Complexity SHA-1 SHA-512 of the best attack 2 80 2 256 the same as Skipjack AES-256 15 years ago Present U.S. Governemnt standards: U.S. Governemnt standards: SHA-1 Other popular hash functions: MD5, RIPEMD Security status: MD4 broken (1995) SHA-1 replaced SHA-0 (1995) MD5 partially broken (collisions in compression function, 1996) SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 SHA-3 (draft FIPS) Other popular hash functions: Whirlpool winner of NESSIE Security status: MD5 broken (1 hr on PC) SHA-0 broken RIPEMD broken (without a need for computer) SHA-1 practically broken, best attack 2 63 operations only 128 x more than breaking DES U.S. Government standards: SHA-1 Contests: Attacks: MD5 collisions for compression func tion, 10 hrs on PC Timeline FIPS 180 II. 2003 SHA-256, 384, 512 SHA-224 I. 2000 XII. 2002 SHA-256, SHA-384, SHA-512, NESSIE Whirlpool VIII. 1998 SHA-0 attack with 2 61 operations FIPS 180-2 FIPS 180-2 FIPS 180-2 II. 2004 VIII. 2004 broken: MD4, MD5, SHA-0, RIPEMD II-VIII. 2005 attack on SHA-1 2 69 2 63 operacji Alice K AB Secret key of Alice and Bob Message Secret key algorithm Authentication MAC K AB Secret key of Alice and Bob yes Message Secret key algorithm MAC MAC no Bob MAC 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 MAC - Message Autentication Codes (keyed hash functions) secret key K arbitrary length m MAC function message MAC functions Basic requirements 1. Public description, SECRET key parameter 2. Compression arbitrary length input fixed length output 3. Ease of computation MAC fixed length 8

Given zero or more pairs MAC functions Security requirements m i, MAC K(m i) i = 1..k it is computationally impossible to find any new pair Such that m, MAC K(m ) m m i i = 1..k Resistance against MAC functions Security requirements 1. Known-text attack 2. Chosen-text attack 3. Adaptive chosen-text attack CBC-MAC (1) CBC-MAC (1) m 1 m 2 m t 0 K E H t-1.... E E H K K t H 1 H 2 MAC FIPS-113 H 0 = IV = 0 H i = DES K(m i H i-1) i = 1..t MAC(m) = H t[1..32] or MAC(m) = E K(E K -1 (H t))[1..32] K D K E MAC MAC functions CMAC Based on block ciphers Based on hash functions Dedicated Based on stream ciphers CBC-MAC CFB-MAC RIPE-MAC HMAC MD5-MAC MAA CRC-MAC 9

RIPE-MAC H 0 = IV = 0 H i = DES K(m i H i-1) m i i = 1..t MAC(m) = E K(E -1 K (H t))[0..31] K = K 0xf0f0 f0 HMAC Bellare, Canetti, Krawczyk, 1996 Used in SSL and IPSec HMAC(m) = h(k ipad h(k opad m)) ipad, opad - constant padding strings of the length of the message block size in the hash function h ipad = repetitions of 0x36 = 00110110 opad = repetitions of 0x5A = 01011010 KEY opad = KEY HMAC message m Message Authentication Codes - MACs 15 years ago Present U.S. Government standards: MAC (DAC) based on DES (since 1985) U.S. Government standards: MAC (DAC) based on DES HMAC based on hash functions used in SSL and IPSec KEY ipad = KEY h American standard FIPS 198 Arbitrary hash function and key size Other MACs in use: RIPE-MAC3, CRC-MAC, MAA CMAC block cipher mode (AES, Triple DES, Skipjack) Other MACs in use: UMAC, TTMAC, EMAC winners of the NESSIE contest h HMAC Name NESSIE: Winners of the contest: 2002 Message Authentication Codes, MACs Security level Key size Output width high normal Origin 256 128 1. UMAC UC Davis 2. TTMAC K.U. Leuven 3. EMAC U. of Toronto 4. HMAC NIST & NSA 32 k 32 k U.S. standards: MAC (DAC) Contests: Attacks: Message Authentication Codes Timeline NESSIE FIPS 113 (based on DES) HMAC FIPS 198 (based on hash functions) CMAC SP 800-38C III. 2002 V. 2 0 0 5 2002 V. 2 0 0 4 Contest winners: UMAC, TTMAC, EMAC RMAC practical attack against MAC proposed by NIST and based on Triple DES 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 10

Confidentiality & Authentication Authenticated Ciphers Confidentiality & Authentication Authenticated Ciphers Bob N Message N Ciphertext Tag Alice Npub Nsec AD Message Npub Enc Nsec AD Ciphertext Tag K AB Authenticated Cipher Encryption K AB Authenticated Cipher Decryption KKey AB Encryption Npub Enc Nsec AD Ciphertext Key AB or Decryption Tag Invalid Nsec AD Message N Ciphertext Tag invalid or K AB - Secret key of Alice and Bob N Nonce or Initialization Vector Message Npub - Public Message Number Nsec - Secret Message Number Enc Nsec - Encrypted Secret Message Number AD - Associated Data K AB - Secret key of Alice and Bob Examples of Most Commonly Used Authenticated Ciphers AES-GCM AES-OCB3 AES-OCB AES-CCM AES-EAX CAESAR Contest 2013-2017 Contest Timeline 2014.03. 15: Deadline for first-round submissions 2014.04. 15: Deadline for first-round software 2015.07.07: Announcem ent of second-round candidates 2015.12. 15: Deadline for second-round Verilog/VHDL 2016.03.15: Announcem ent of third-round candidates 2016.12.15: Announcem ent of finalists 2017.12.15: Announcem ent of final portfolio IX.1997 X.2000 AES Cryptographic Standard Contests NESSIE I.2000 XII.2002 CRYPTREC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estream 51 hash functions 1 winner IV.2008 X.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners I.2013 XII.2017 CAESAR 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 time 11

Evaluation Criteria Security Software Efficiency Hardware Efficiency µprocessors µcontrollers FPGAs ASICs Flexibility Simplicity Licensing 67 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback