Cryptographic hash functions and MACs

Similar documents
CS155. Cryptography Overview

Cryptographic Hash Functions

Data Integrity. Modified by: Dr. Ramzi Saifan

Integrity of messages

CS155. Cryptography Overview

Cryptographic Hash Functions

CS408 Cryptography & Internet Security

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Lecture 1 Applied Cryptography (Part 1)

V.Sorge/E.Ritter, Handout 6

CIS 4360 Secure Computer Systems Symmetric Cryptography

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Message Authentication Codes and Cryptographic Hash Functions

Cryptography Overview

Data Integrity & Authentication. Message Authentication Codes (MACs)

Symmetric Crypto MAC. Pierre-Alain Fouque

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptographic Hash Functions

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Introduction to Cryptography. Lecture 6

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Cryptography Overview

Introduction to Software Security Hash Functions (Chapter 5)

Message authentication codes

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Unit 8 Review. Secure your network! CS144, Stanford University

Symmetric Encryption 2: Integrity

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 3: Public-Key Cryptography

Winter 2011 Josh Benaloh Brian LaMacchia

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

ENEE 459-C Computer Security. Message authentication

Multiple forgery attacks against Message Authentication Codes

Lecture 1: Course Introduction

414-S17 Crypto. Shankar. April 18, 2017

Authenticated Encryption

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

CS 161 Computer Security

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Summary on Crypto Primitives and Protocols

CSCE 715: Network Systems Security

Network and System Security

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC574: Computer & Network Security

Security: Cryptography

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Outline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation

Hash functions & MACs

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Cryptographic Systems

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

COMP4109 : Applied Cryptography

Authenticated Encryption

Solutions to exam in Cryptography December 17, 2013

Security Requirements

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CSC/ECE 774 Advanced Network Security

Lecture 4: Authentication and Hashing

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Refresher: Applied Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture 4: Cryptography III; Security. Course Administration

Lecture 4: Hashes and Message Digests,

UNIT - IV Cryptographic Hash Function 31.1

COMP4109 : Applied Cryptography

Crypto Background & Concepts SGX Software Attestation

Outline. Block cipher, basic idea. From last time. Pseudorandom permutation. Confusion and diffusion. Block ciphers and modes of operation

Ref:

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Spring 2010: CS419 Computer Security

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

S. Erfani, ECE Dept., University of Windsor Network Security

David Wetherall, with some slides from Radia Perlman s security lectures.

symmetric cryptography s642 computer security adam everspaugh

Practical Aspects of Modern Cryptography

Course Administration

Feedback Week 4 - Problem Set

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Remote E-Voting System

Lecture 8 Message Authentication. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Tuesday, January 17, 17. Crypto - mini lecture 1

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Transcription:

Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21

Introduction Encryption confidentiality against eavesdropping 2 / 21

Introduction Encryption confidentiality against eavesdropping What about authenticity and integrity against an active attacker? cryptographic hash functions and Message authentication codes this lecture 2 / 21

One-way functions (OWFs) A OWF is a function that is easy to compute but hard to invert: Definition (One-way) A function f is a one-way function if for all y there is no efficient algorithm which can compute x such that f (x) = y 3 / 21

One-way functions (OWFs) A OWF is a function that is easy to compute but hard to invert: Definition (One-way) A function f is a one-way function if for all y there is no efficient algorithm which can compute x such that f (x) = y Constant functions ARE NOT OWF: The successor function in N IS NOT a OWF given succ(n) it is easy to retrieve n = succ(n) 1 3 / 21

One-way functions (OWFs) A OWF is a function that is easy to compute but hard to invert: Definition (One-way) A function f is a one-way function if for all y there is no efficient algorithm which can compute x such that f (x) = y Constant functions ARE NOT OWF: The successor function in N IS NOT a OWF given succ(n) it is easy to retrieve n = succ(n) 1 Multiplication of large primes IS a OWF: integer factorization is a hard problem - given p q (where p and q are primes) it is hard to retrieve p and q 3 / 21

Collision-resistant functions (CRFs) A function is a CRF if it is hard to find two messages that get mapped to the same value threw this function Definition (Collision resistance) A function f is collision resistant if there is no efficient algorithm that can find two messages m 1 and m 2 such that f (m 1 ) = f (m 2 ) 4 / 21

Collision-resistant functions (CRFs) A function is a CRF if it is hard to find two messages that get mapped to the same value threw this function Definition (Collision resistance) A function f is collision resistant if there is no efficient algorithm that can find two messages m 1 and m 2 such that f (m 1 ) = f (m 2 ) Constant functions ARE NOT CRFs for all m 1 and m 2, f (m 1 ) = f (m 2 ) 4 / 21

Collision-resistant functions (CRFs) A function is a CRF if it is hard to find two messages that get mapped to the same value threw this function Definition (Collision resistance) A function f is collision resistant if there is no efficient algorithm that can find two messages m 1 and m 2 such that f (m 1 ) = f (m 2 ) Constant functions ARE NOT CRFs for all m 1 and m 2, f (m 1 ) = f (m 2 ) The successor function in N IS a CRF the predecessor of a positive integer is unique 4 / 21

Collision-resistant functions (CRFs) A function is a CRF if it is hard to find two messages that get mapped to the same value threw this function Definition (Collision resistance) A function f is collision resistant if there is no efficient algorithm that can find two messages m 1 and m 2 such that f (m 1 ) = f (m 2 ) Constant functions ARE NOT CRFs for all m 1 and m 2, f (m 1 ) = f (m 2 ) The successor function in N IS a CRF the predecessor of a positive integer is unique Multiplication of large primes IS a CRF: every positive integer has a unique prime factorization 4 / 21

Cryptographic hash functions A cryptographic hash function takes messages of arbitrary length end returns a fixed-size bit string such that any change to the data will (with very high probability) change the corresponding hash value. Definition (Cryptographic hash function) A cryptographic hash function H : M T is a function that satisfies the following 4 properties: M >> T it is easy to compute the hash value for any given message it is hard to retrieve a message from it hashed value (OWF) it is hard to find two different messages with the same hash value (CRF) Examples: MD4, MD5, SHA-1, SHA-256, Whirlpool,... 5 / 21

Cryptographic hash functions: applications Commitments - Allow a participant to commit to a value v by publishing the hash H(v) of this value, but revealing v only later. Ex: electronic voting protocols, digital signatures,... 6 / 21

Cryptographic hash functions: applications Commitments - Allow a participant to commit to a value v by publishing the hash H(v) of this value, but revealing v only later. Ex: electronic voting protocols, digital signatures,... File integrity - Hashes are sometimes posted along with files on read-only spaces to allow verification of integrity of the files. Ex: SHA-256 is used to authenticate Debian GNU/Linux software packages 6 / 21

Cryptographic hash functions: applications Commitments - Allow a participant to commit to a value v by publishing the hash H(v) of this value, but revealing v only later. Ex: electronic voting protocols, digital signatures,... File integrity - Hashes are sometimes posted along with files on read-only spaces to allow verification of integrity of the files. Ex: SHA-256 is used to authenticate Debian GNU/Linux software packages Password verification - Instead of storing passwords in cleartext, only the hash digest of each password is stored. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. 6 / 21

Cryptographic hash functions: applications Commitments - Allow a participant to commit to a value v by publishing the hash H(v) of this value, but revealing v only later. Ex: electronic voting protocols, digital signatures,... File integrity - Hashes are sometimes posted along with files on read-only spaces to allow verification of integrity of the files. Ex: SHA-256 is used to authenticate Debian GNU/Linux software packages Password verification - Instead of storing passwords in cleartext, only the hash digest of each password is stored. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. Key derivation - Derive new keys or passwords from a single, secure key or password. 6 / 21

Cryptographic hash functions: applications Commitments - Allow a participant to commit to a value v by publishing the hash H(v) of this value, but revealing v only later. Ex: electronic voting protocols, digital signatures,... File integrity - Hashes are sometimes posted along with files on read-only spaces to allow verification of integrity of the files. Ex: SHA-256 is used to authenticate Debian GNU/Linux software packages Password verification - Instead of storing passwords in cleartext, only the hash digest of each password is stored. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. Key derivation - Derive new keys or passwords from a single, secure key or password. Building block of other crypto primitives - Used to build MACs, block ciphers, PRG,... 6 / 21

Collision resistance and the birthday attack Theorem Let H : M {0, 1} n be a cryptographic hash function ( M >> 2 n ) Generic algorithm to find a collision in time O(2 n/2 ) hashes: 1. Choose 2 n/2 random messages in M: m 1,..., m 2 n/2 2. For i = 1,..., 2 n/2 compute t i = H(m i ) 3. If there exists a collision ( i, j. t i t j ) then return (t i, t j ) else go back to 1 Birthday paradox Let r 1,..., r n {1,..., N} be independent variables. For n = 1.2 N, Pr( i j. r i = r j ) 1 2 the expected number of iteration is 2 running time O(2 n/2 ) Cryptographic function used in new projects should have an output size n 256! 7 / 21

The Merkle-Damgard construction m m 0 m 1 m 2 m 3 PB IV (fixed) H 1 H 2 H 3 H 4 = H(m) h h h h Compression function: h : T X T PB: 1000... 0 mes-len (add extra block if needed) Theorem Let H be built using the MD construction to the compression function h. If H admits a collision, so does h. Example of MD constructions: MD5, SHA-1, SHA-2,... 8 / 21

Compression functions from block ciphers Let E : K {0, 1} n {0, 1} n be a block cipher 9 / 21

Compression functions from block ciphers Let E : K {0, 1} n {0, 1} n be a block cipher m i H i E(k, ) + H i+1 Davies-Meyer 9 / 21

Compression functions from block ciphers Let E : K {0, 1} n {0, 1} n be a block cipher m i m i H i E(k, ) + H i+1 H i E(k, ) + H i+1 Davies-Meyer Miyaguchi-Preneel 9 / 21

Example of cryptographic hash function: SHA-256 Structure: Merkle-Damgard Compression function: Davies-Meyer Bloc cipher: SHACAL-2 512- bit key 256- bit block SHACAL- 2 256- bit block 10 / 21

Message Authentication Codes (MACs) Myrto Arapinis School of Informatics University of Edinburgh October 11, 2016 11 / 21

Goal: message integrity k message m tag t k Alice Bob Generate tag t MDC(m) Verify tag V(m,t)= yes? A MAC is a pair of algorithms (S, V ) defined over (K, M, T ): S : K M T V : K M T {, } Consistency: V (k, m, S(k, m)) = T and such that It is hard to computer a valid pair (m, S(k, m)) without knowing k 12 / 21

Goal: message integrity k message m tag t k Alice Bob Generate tag t S(k,m) Verify tag V(k,m,t)= yes? A MAC is a pair of algorithms (S, V ) defined over (K, M, T ): S : K M T V : K M T {, } Consistency: V (k, m, S(k, m)) = T and such that It is hard to computer a valid pair (m, S(k, m)) without knowing k 13 / 21

File system protection At installation time F 1 F 2 F n t 1 = S(k, F 1 ) t 2 = S(k, F 2 ) t n = S(k, F n ) k derived from user password To check for virus file tampering/alteration: reboot to clean OS supply password any file modification will be detected 14 / 21

Block ciphers and message integrity 15 / 21

Block ciphers and message integrity Let (E, D) be a block cipher. We build a MAC (S, V ) using (E, D) as follows: S(k, m) = E(k, m) V (k, m, t) = if m = D(k, t) then return else return 15 / 21

Block ciphers and message integrity Let (E, D) be a block cipher. We build a MAC (S, V ) using (E, D) as follows: S(k, m) = E(k, m) V (k, m, t) = if m = D(k, t) then return else return But: block ciphers can usually process only 128 or 256 bits 15 / 21

Block ciphers and message integrity Let (E, D) be a block cipher. We build a MAC (S, V ) using (E, D) as follows: S(k, m) = E(k, m) V (k, m, t) = if m = D(k, t) then return else return But: block ciphers can usually process only 128 or 256 bits Our goal now: construct MACs for long messages 15 / 21

ECBC-MAC m 0 m 1 m 2 m 3 + + + E(K 1, ) E(K 1, ) E(K 1, ) E(K 1, ) E(K 2, ) t E : K {0, 1} n {0, 1} n a block cipher ECBC-MAC : K 2 {0, 1} {0, 1} n the last encryption is crucial to avoid forgeries!! Ex: 802.11i uses AES based ECBC-MAC (details on the board) 16 / 21

PMAC m 0 m 1 m 2 m 3 + + P(K 2, 0) P( K2, 1) P(K 2, 2) P(K 2,30) + + E(K 1, ) E(K 1, ) E(K 1, ) + E(K 1, ) t E : K {0, 1} n {0, 1} n a block cipher P : K N {0, 1} n any easy to compute function PMAC : K 2 {0, 1} {0, 1} n 17 / 21

HMAC MAC built from cryptographic hash functions HMAC(k, m) = H(k OP H(k IP m)) IP, OP: publicly known padding constants k XOR IP m 0 m 1 m 2 IV (fixed) h h h h k XOR OP IV (fixed) h h t Ex: SSL, IPsec, SSH,... 18 / 21

Authenticated encryption Myrto Arapinis School of Informatics University of Edinburgh October 11, 2016 19 / 21

Plain encryption is malleable Goal Simultaneously provide data confidentiality, integrity and authenticity decryption combined with integrity verification in one step The decryption algorithm never fails Changing one bit of the i th block of the ciphertext CBC decryption: will affect last blocks after the i t h of the plaintext ECB decryption: will only the i th block of the plaintext CTR decryption: will only affect one bit of the i th block of the plaintext Decryption should fail if a ciphertext was not computed using the key 20 / 21

Encrypt-then-MAC 1. Always compute the MACs on the ciphertext, never on the plaintext 2. Use two different keys, one for encryption (K E ) and one for the MAC (K M ) Encryption 1. C E AES (K E, M) 2. T HMAC-SHA(K M, C) 3. return C T Decryption 1. if T = HMAC SHA(K 2, C) 2. then return D AES (K 1, C) 3. else return Do not: Encrypt-and-MAC: E AES (K E, M) HMAC-SHA(K M, M) MAC-then-Encrypt: E AES (K E, M HMAC-SHA(K M, M)) 21 / 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback