CS408 Cryptography & Internet Security

Similar documents
Data Integrity. Modified by: Dr. Ramzi Saifan

Message Authentication Codes and Cryptographic Hash Functions

Integrity of messages

Spring 2010: CS419 Computer Security

Lecture 1 Applied Cryptography (Part 1)

Message authentication codes

Data Integrity & Authentication. Message Authentication Codes (MACs)

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Data Integrity & Authentication. Message Authentication Codes (MACs)

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Introduction to Software Security Hash Functions (Chapter 5)

COMP4109 : Applied Cryptography

Cryptographic Hash Functions

Introduction to Cryptography. Lecture 6

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Cryptographic hash functions and MACs

CSCE 715: Network Systems Security

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Cryptography. Summer Term 2010

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

Symmetric Crypto MAC. Pierre-Alain Fouque

ENEE 459-C Computer Security. Message authentication

Lecture 1: Course Introduction

CS155. Cryptography Overview

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Cryptographic Hash Functions

Message Authentication and Hash function

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Multiple forgery attacks against Message Authentication Codes

Security Requirements

S. Erfani, ECE Dept., University of Windsor Network Security

Lecture 4: Cryptography III; Security. Course Administration

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 11 Message Integrity and Message Authentication

1 Defining Message authentication

CS 161 Computer Security

Lecture 4: Authentication and Hashing

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

CS Computer Networks 1: Authentication

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Public-key Cryptography: Theory and Practice

CIS 4360 Secure Computer Systems Symmetric Cryptography

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

Lecture 10. Data Integrity: Message Authentication Schemes. Shouhuai Xu CS4363 Cryptography Spring

Course Administration

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

P2_L8 - Hashes Page 1

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

CSC574: Computer & Network Security

CS 161 Computer Security

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Unit 8 Review. Secure your network! CS144, Stanford University

Feedback Week 4 - Problem Set

Generic collision attacks on hash-functions and HMAC

Cryptography: More Primitives

Other Topics in Cryptography. Truong Tuan Anh

Jaap van Ginkel Security of Systems and Networks

Cryptographic Checksums

CS155. Cryptography Overview

symmetric cryptography s642 computer security adam everspaugh

Message authentication

Winter 2011 Josh Benaloh Brian LaMacchia

Hash functions & MACs

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Network and System Security

Computer Security: Principles and Practice

CSE 127: Computer Security Cryptography. Kirill Levchenko

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Hashing, One-Time Signatures, and MACs. c Eli Biham - March 21, Hashing, One-Time Signatures, and MACs

Cryptographic Hash Functions. William R. Speirs

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Symmetric Encryption 2: Integrity

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Crypto Background & Concepts SGX Software Attestation

UNIT - IV Cryptographic Hash Function 31.1

Introduction to Cryptography

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Lecture 4: Hashes and Message Digests,

CPSC 467b: Cryptography and Computer Security

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

COMP4109 : Applied Cryptography

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Summary on Crypto Primitives and Protocols

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Transcription:

CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is a relation which uniquely associates members of set X with members of set Y. Terminology X is called domain Y is called range, image, or co-domain. For y = f(x) where x X and y Y, y is called the image of x and x is called the pre-image of y. CS 408 Lecture 18 / Spring 2015 3 1

Cryptographic Hash Functions Takes as input a string of any size and outputs a fixed-size string (usually output is much smaller than input) E.g., output can be 160 bits regardless of input size A hash is a many-to-one function, so collisions can happen (but should be unlikely to happen). Two fundamental properties: compression and easy to compute. CS 408 Lecture 18 / Spring 2015 4 Cryptographic Hash Functions (continued) Informal requirements One-way (non-invertible) Produces different outputs for different inputs (with high likelihood) CS 408 Lecture 18 / Spring 2015 5 2

Cryptographic Hash Functions (continued) Formally: First pre-image resistance: given h(x), cannot find x Second pre-image resistance: given x and h(x), cannot find y x s.t. h(y) = h(x) Collision resistance: cannot find any pair x,y, with x y s.t. h(x) = h(y) It is an unkeyed cryptographic primitive (publicly computable, no secret involved) Examples: SHA-1 (160 bits output), SHA-256 (256 bits output), SHA-512 (512 bits output), MD5 (128 bits output) CS 408 Lecture 18 / Spring 2015 6 Data Integrity with Hash Functions Imperfect channel M, H Alice Bob Let h be a cryptographic hash function Alice computes H = h(m) Alice sends to Bob M and H Bob receives M, H, computes H1 = h(m) and checks if H1 = H If the check is true, then Bob accepts message; otherwise, reject message Why does this guarantee integrity? Because of the second pre-image resistance property of h! Given M, h(m), cannot find another M s.t. h(m )=h(m). This only provides integrity for a benign channel that can corrupt bits CS 408 Lecture 18 / Spring 2015 7 3

Birthday Paradox What is the probability that that in a set of n randomly chosen people, two people have the same birthday? For a group of 23 people, the probability that two people have the same birthday is 50%! For a group of 57 people, the probability that two people have the same birthday is 99%! CS 408 Lecture 18 / Spring 2015 8 Birthday Attack on Collision Resistance Goal: break collision resistance (find a collision) Let h be a hash function with the size of the output of m bits Birthday attack runs in O(2 m/2 ) and works against all the unkeyed hash functions Because of the birthday attack, the length of hash outputs in general should double the key length of block ciphers SHA-256, SHA-384, SHA-512 to match the key lengths (128,192,256) in AES CS 408 Lecture 18 / Spring 2015 9 4

Which Hash Function to Use? In 2004, MD5 was shown not to be collision resistant Attack was subsequently improved between 2005-2007 Thus, MD5 should not be used if the goal is to have collision resistance Instead, the SHA-2 family of hash functions (SHA-256, SHA-384, SHA-512) is recommended CS 408 Lecture 18 / Spring 2015 10 Why Hash is Not Enough? Hash functions can provide data integrity, but no indication about where is data coming from or who generated the hash output (hash function is public) Data source authentication (also referred as message authentication) is needed, otherwise anybody can inject traffic Mechanism? Involve a secret key CS 408 Lecture 18 / Spring 2015 11 5

Message Authentication Code (MAC) Alice and Bob already have a trust relationship (i.e., they share a secret key K) (the dotted line) Then, they can exchange messages securely secure channel K K M, T Alice generate MAC T = MAC K (M) Bob verify MAC? VMAC K (M,T) = valid CS 408 Lecture 18 / Spring 2015 12 Message Authentication Code (continued) (informal) Requirements for MAC: Involve a secret key Computation is easy if secret key k is known Similar to hash functions requirements: Compression: M has n bits, MAC k (M) has fixed length m bits, m < n Knowing a message and its MAC, it is infeasible to find another message with same MAC Unforgeability: Given a valid MAC on a message, it is infeasible to find another valid MAC (on a different message), without knowing K: Given (M 1, MAC K (M 1 )), it is hard to find (M 2, MAC K (M 2 )), with M 1 M 2 MACs should be uniformly distributed MAC should depend equally on all bits of the message CS 408 Lecture 18 / Spring 2015 13 6

Message Authentication Code (continued) A message authentication code is a collection of three algorithms (G, MAC, VMAC) Key generation algorithm G: generates a key K Authentication tag generation algorithm MAC: T = MAC K (M) Authentication tag verification algorithm VMAC: result = VMAC K (M,T), where result is valid or invalid The following should always hold true: VMAC K (M,T) = valid, if T = MAC K (M) = invalid, otherwise Provides: authentication, integrity Does not provide: confidentiality, non-repudiation It is a keyed cryptographic primitive Example: HMAC-SHA1, HMAC-SHA256 CS 408 Lecture 18 / Spring 2015 14 Keyed Hash Functions as MACs Create a MAC using a hash function Uses a public hash function and a secret symmetric key Current standard is HMAC, specified in FIPS 198 (2002) CS 408 Lecture 18 / Spring 2015 15 7

HMAC (Hash-based Message Authentication Code) Let h be a cryptographic hash function (Simplified) definition of HMAC: HMAC K (m) = h(k h(k m)) (Full) definition of HMAC: HMAC K (m) = h((k + opad) h((k + ipad) m)) where: denotes concatenation opad and ipad are fixed, public strings K + is the key padded with extra 0 s to the input block size of the hash function A hash function also has a input block size (similar with block ciphers) CS 408 Lecture 18 / Spring 2015 16 HMAC Security Security of HMAC depends on the security of the underlying hash function this has been formally proven What is the output length of HMAC? It depends on which hash function is used Is the same as the output length of the underlying hash function If used with a secure hash function (like SHA1) and according to the specification (key size, and use correct output), there are no known practical attacks against HMAC If HMAC is used with SHA1, it is referred to as HMAC-SHA1 CS 408 Lecture 18 / Spring 2015 17 8

What About Integrity of Communication in a Non-malicious Environment? Goal: protect against accidental or non-malicious errors on noisy channels subject to transmission errors This is different than the insecure channel we have been considering so far Error detection codes and error correction codes NOTE: with these methods, the requirement is different and anybody can forge packets Why? Methods: Checksum CRC (cyclic redundancy codes) CS 408 Lecture 18 / Spring 2015 18 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback