Computer Security, CSCI 4621 Fall 20
Daniel Bilar, CS, UNO

Hash Functions, Birthday Paradox
CSCI 4621: Computer Security
Week 02, Lecture 04: Thursday, 09/02/2010
Daniel Bilar
University of New Orleans
Department of Computer Science
Fall 2010

Goals today

• Review
• Controls for Security properties
• Confidentiality Control: (Symmetric) Cryptography
• Integrity, Authenticity: Keyed Message Authentication Code (MAC)
• Hash functions
• Birthday paradox
• Application: Unix passwords

Some slides gratefully adapted from Shmatikov (UT Austin) and Zhao (Cleveland State)

Review: Some desirable Security Properties

1. Confidentiality is concealment of information
2. Authenticity is identification and assurance of origin of information
3. Integrity is prevention of unauthorized changes
4. Availability is ability to use information or resources desired

First, we looked at ways to control for 1): a control called (symmetric) cryptography

See Menezes (2006) ch. 1, Table 1.1 for more

More Security Properties

From Menezes (2006), Overview of Cryptography

Review: Cryptography Control

• Encryption is the process of encoding a message so that its meaning is not obvious
• Decryption is the reverse process, transforming an encrypted message back into its normal, original form
• Plaintext: message to be encrypted
• Ciphertext: encrypted message
• Issues
  • Computational vs perfect secrecy
  • Stream vs Block cipher
• Properties encryption schemes strive for
  • Diffusion: Distribute information from single plaintext letters over the entire output
  • Confusion: Complex functional relationship between the plaintext/key pair and the ciphertext

Motivation: Integrity

[Diagram: BigFirm, User, goodFile, VIRUS, badFile, The Times, hash(goodFile)]

• Software manufacturer wants to ensure that the executable file is received by users without modification.
• It sends out the file to users and publishes its hash in NY Times.
• The goal is integrity, not confidentiality
• Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile) = hash(badFile)

Integrity vs. Secrecy

• Integrity: Attacker cannot tamper undetected with message
• Authenticity: Attacker cannot fake undetected the message
• Encryption per se does not guarantee integrity (could work for authenticity)
  • Attacker may be able to modify message under encryption without learning what it is
  • One-time pad: Given key K, encrypt M as $M \oplus K$
  • This guarantees perfect secrecy, but attacker can easily change unknown M under encryption to $M \oplus M'$ for any $M'$
  • Anderson's "Hang hitler" vs "Heil hitler"
• We'll see now some Integrity controls: MAC and HMAC

Motivation: Authentication

[Diagram: Alice sends msg, hash(KEY, msg) to Bob; Alice and Bob each hold KEY]

• Alice wants to make sure that nobody modifies message in transit
• Want to ensure both integrity and authenticity. Why?
• Idea: given msg, very hard to compute hash(KEY, msg) without KEY; very easy with KEY

[Diagram: BigFirm, User, goodFile, VIRUS, badFile, The Times, hash(goodFile)]
Integrity: Can hash without key

[Diagram: Alice sends msg, hash(KEY, msg) to Bob; Alice and Bob each hold KEY]
Integrity with Authenticity: Hash with key

Message Authentication

• Message Authentication Code (MAC)
  • Small block of data that is appended to the message
  • MAC is generated by using a secret key
  • Assumes both parties A, B share common secret key $K_{AB}$
  • Code is function of message and key
  • M AB, . are transmitted
• If received code matches calculated code then
  • Receiver is sure message has not been altered
  • Message is from sender since only sender shares the key
• Different from encryption
  • MAC does not have to be reversible (and most likely is not). Why?
  • Unlike cipher text, which has to be reversible in encryption

Hash Functions: Main Idea

[Diagram: hash function H maps a message x (bit strings of any length) to a message digest y (n-bit bit strings)]

• H is a lossy compression function
  • Collisions: $h(x) = h(x')$ for some inputs $x$, $x'$
  • Unavoidable (pigeonhole principle) if $|x| \gg n$
• Result of hashing should look random
  • Intuition: half of digest bits are 1; any bit in digest is 1 half the time
• Cryptographic hash function needs a few properties
• Hash with key is called a HMAC

Hash MAC (HMAC)

• Invented by Bellare, Canetti, and Krawczyk (1996)
• HMAC strength established by cryptographic analysis
• Construct MAC by applying a hash function to
• Could also use encryption instead of hashing, but
  • Hashing is faster than encryption in software
  • Library code for hash functions widely available
  • Can easily replace one hash function with another
  • There used to be US export restrictions (ITAR) on encryption ... and some still apply
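
Added example (not from the original slides): the one-time pad change from the "Integrity vs. Secrecy" slide, and the same change caught by a keyed hash. HMAC-SHA256 is an assumed instantiation of hash(KEY, msg); the key names and the sample message are constructed for the example.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the one-time pad operation)."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key: bytes, data: bytes) -> bytes:
    """hash(KEY, msg) from the slides, instantiated here as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def receive(k_pad: bytes, k_mac: bytes, ciphertext: bytes, tag: bytes):
    """Bob's side: check the MAC first, decrypt only if it matches."""
    if not hmac.compare_digest(mac(k_mac, ciphertext), tag):
        return None                      # altered in transit: reject
    return xor(ciphertext, k_pad)

def demo() -> dict:
    m = b"Heil hitler"                   # constructed sample message
    m_changed = b"Hang hitler"
    k_pad = secrets.token_bytes(len(m))  # one-time pad key K
    k_mac = secrets.token_bytes(32)      # separate MAC key shared by Alice and Bob
    c = xor(m, k_pad)                    # C = M xor K
    tag = mac(k_mac, c)

    # In transit, C is XORed with (M xor M'); no knowledge of K is involved.
    c_altered = xor(c, xor(m, m_changed))

    return {
        "pad_only": xor(c_altered, k_pad),              # decrypts without complaint
        "with_mac_ok": receive(k_pad, k_mac, c, tag),   # untouched message accepted
        "with_mac_altered": receive(k_pad, k_mac, c_altered, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pad alone decrypts the altered ciphertext to a valid-looking message; with the tag checked first, the altered ciphertext is rejected.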

Common Hash Functions

• MD5
  • 128-bit output
  • Designed by Ron Rivest, used very widely
  • Collision resistance broken (2004)
  • Very bad: can fake PKI CA certificates (used in all browsers for https e-commerce, e-banking), see http://www.win.tue.nl/hashclash/rogue-ca/
• 160-bit variant of MD5
• SHA-1 (Secure Hash Algorithm)
  • 160-bit output
  • US government (NIST) standard
  • Also the hash algorithm for Digital Signature Standard (DSS)
  • Collision resistance broken (2005)
• SHA-2 is recommended by US NIST
  • 224/256/385/512 bits
  • No collisions detected so far

Concept: One-Way

• Intuition: hash should be hard to invert
  • So-called preimage resistance
  • Let $h(x) = y \in \{0,1\}^n$ for a random $x$
  • Given $y$, it should be hard to find any $x'$ such that $h(x') = y$
• How hard?
  • Brute force: try every possible x, see if $h(x) = y$
  • SHA-1 (common hash function) has 160-bit output ... Calculemus
    • Suppose have hardware that'll do $2^{30}$ trials a pop
    • Assuming $2^{34}$ trials per second, can do $2^{89}$ trials per year
    • Will take $2^{71}$ years to invert SHA-1 on a random image

Prelude to Birthday Paradox

• T people sampled -> want to find growth of match of T people with same birthday
• Suppose each birthday is a random number taken from K days (K = 365): how many possibilities?
  • $K^T$
• How many possibilities that are all different?
  • $(K)_T = K(K-1)\cdots(K-T+1)$ (samples without replacement)
• Probability of no repetition?
  • $(K)_T / K^T \approx 1 - T(T-1)/2K$
• Probability of repetition?
  • $O(T^2)$

Concept: Collision Resistance

• Should be hard to find any pair $x$, $x'$ such that $h(x) = h(x')$
• Brute-force collision search is $O(2^{n/2})$, not $O(2^n)$
  • n = number of bits in the output of hash function
  • $2^{80}$, $2^{160}$
• Reason: Birthday paradox
  • Let T be the number of values $x, x', x'', \ldots$ we need to look at before finding the first pair $x$, $x'$ s.t. $h(x) = h(x')$
  • Assuming h is random, what is the probability that we find a repetition after looking at T values? $O(T^2)$
  • Total number of pairs? $O(2^n)$
  • Conclusion: $T \approx O(2^{n/2})$
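
Added example (not from the original slides): the birthday calculation from the previous slide and a brute-force collision search whose cost grows as $2^{n/2}$. SHA-256 truncated to n bits is an assumed stand-in hash so the search finishes in seconds; the function names are made up for the example.

```python
import hashlib

def p_no_repeat(T: int, K: int) -> float:
    """Exact probability that T samples from K values are all different: (K)_T / K^T."""
    p = 1.0
    for i in range(T):
        p *= (K - i) / K
    return p

def p_no_repeat_approx(T: int, K: int) -> float:
    """The slide's approximation 1 - T(T-1)/2K, good while T*T is small next to K."""
    return 1 - T * (T - 1) / (2 * K)

def h(x: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its top n_bits: a small-output stand-in hash."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - n_bits)

def first_collision(n_bits: int):
    """Hash the inputs 0, 1, 2, ... and stop at the first repeated digest.
    Returns (x, x_prime, T) where T is the number of values looked at."""
    seen = {}
    t = 0
    while True:
        x = t.to_bytes(8, "big")
        d = h(x, n_bits)
        if d in seen:
            return seen[d], x, t + 1
        seen[d] = x
        t += 1

if __name__ == "__main__":
    print("23 people, K=365: P(repetition) = %.3f" % (1 - p_no_repeat(23, 365)))
    for n in (16, 20, 24):
        x, x_prime, T = first_collision(n)
        print(f"n={n}: collision after T={T} values; 2^(n/2)={2 ** (n // 2)}, 2^n={2 ** n}")
```

Each extra 4 bits of output multiplies the work by roughly 4, not 16, which is why a 160-bit digest offers about 80 bits of collision resistance.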

Weak Collision Resistance

• Given randomly chosen $x$, hard to find $x'$ such that $h(x) = h(x')$
  • Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision.
  • Brute-force attack requires $O(2^n)$ time
• How does weak vs normal collision resistance make a difference for breaking into systems?
  • Figuring password of specific account?
  • Figuring password of any account?

One-Way vs. Collision Resistance

• One-wayness does not imply collision resistance
  • Suppose g is one-way
  • Define $h(x)$ as $g(x')$ where $x'$ is $x$ except the last bit
    • h is one-way (to invert h, must invert g)
    • Collisions for h are easy to find: for any x, $h(x0) = h(x1)$
• Collision resistance does not imply one-wayness
  • Suppose g is collision-resistant
  • Define $h(x)$ to be $0x$ if $x$ is n-bit long, $1g(x)$ otherwise
    • Collisions for h are hard to find: if y starts with 0, then there are no collisions; if y starts with 1, then must find collisions in g
    • h is not one-way: half of all y's (those whose first bit is 0) are easy to invert (how?); random y is invertible with prob. 1/2

Encrypt + MAC

Goal: confidentiality + integrity + authentication

[Diagram: Alice and Bob share K1, K2; Alice sends encrypt(msg), MAC(msg) with Encrypt(K1, msg) and MAC = Hash(K2, msg); Bob: Decrypt, Verify MAC; a second transmission encrypt(msg2), MAC(msg2); the two are compared (=?)]

• Can tell if messages are the same! Why is this bad?
• MAC is deterministic: messages are equal ⇒ their MACs are equal
• Solution: Encrypt, then MAC
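
Added example (not from the original slides): the two constructions side by side, showing that MAC(msg) repeats when the message repeats while a MAC over the ciphertext does not. HMAC-SHA256 is an assumed instantiation of Hash(K2, ·), and the SHAKE-256 keystream cipher is a stand-in randomized cipher written only for this example.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, data: bytes) -> bytes:
    """MAC = Hash(K2, data), instantiated as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(k1: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in randomized cipher for the example only: SHAKE-256 keystream.
    return hashlib.shake_256(k1 + nonce).digest(n)

def encrypt(k1: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)      # fresh per message
    ks = _keystream(k1, nonce, len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, ks))

def decrypt(k1: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    ks = _keystream(k1, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def encrypt_and_mac(k1: bytes, k2: bytes, msg: bytes):
    """The slide's first scheme: encrypt(msg), MAC(msg)."""
    return encrypt(k1, msg), mac(k2, msg)

def encrypt_then_mac(k1: bytes, k2: bytes, msg: bytes):
    """The slide's fix: the MAC is computed over the ciphertext."""
    ct = encrypt(k1, msg)
    return ct, mac(k2, ct)

def open_encrypt_then_mac(k1: bytes, k2: bytes, ct: bytes, tag: bytes):
    """Verify the MAC before touching the ciphertext; None means rejected."""
    if not hmac.compare_digest(mac(k2, ct), tag):
        return None
    return decrypt(k1, ct)

def same_tag(packet_a, packet_b) -> bool:
    """What anyone on the wire can check without K1 or K2."""
    return packet_a[1] == packet_b[1]
```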

Unix Password Hashing

• Note that Unix passwords themselves are not stored
  • The hash is stored
  • The systems administrator of a Unix system can reset your password, but he/she is not lying to you when he ...
• To verify password:
  • Allow user to input username and password
  • Run cryptographic hash function on (password + salt)
  • Look up user's entry in password (+ shadow) file
  • If the hash value stored == the computed hash, then the password matches

Password Hashing

• Instead of user password, store H(password)
  • Sometimes H(salt, password)
• When user enters password, compute its hash and compare with entry in password file
  • System does not store actual passwords!
  • Difficult to go from hash to password!
    • Do you see why hashing is better than encryption here?
• Hash function H must have some properties
  • One-way: given H(password), hard to find password
    • No known algorithm better than trial and error
  • Is collision resistance needed? Not in general

UNIX Password System

• Problem: passwords are not truly random
  • With 52 upper- and lower-case letters, 10 digits [...] quadrillion possible 8-character passwords
  • Humans like to use dictionary words, human and pet names ≈ 1 million common passwords

Dictionary Attack

• If you can get hold of hashed passwords, so-called dictionary attacks are still possible because many passwords come from a small dictionary
  • No salt: Attacker can precompute H(word) for every word in the dictionary; this only needs to be done once
    • This is an offline attack
    • Once password file is obtained, cracking is instantaneous
  • With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

Salt

dbilar:fURxfg,4hLBX:14510:30:Daniel:/home/dbilar:/bin/bash

[Diagram labels: /etc/passwd entry; salt (chosen randomly when password is first set); Password; hash(salt, pwd)]

• Users with the same password have different entries in the password file
• Offline dictionary attack becomes much harder

Advantages of Salting

• Without salt, attacker can precompute hashes of all dictionary words once for all password entries
  • Same hash function on all UNIX machines; identical passwords hash to identical values
  • One table of hash values works for all password files
• With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password
  • With 12-bit random salt, same password can hash to 4096 different hash values
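
Added example (not from the original slides): a small password store covering the "Salt" and "Advantages of Salting" slides, with the login check and a count of which entries a single precomputed table exposes. SHA-256 stands in for the Unix hash H, and the `user:salt:hash` line format and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SALT_BITS = 12                               # salt size quoted on the slide

def H(salt: str, password: str) -> str:
    """H(salt, password); SHA-256 stands in for the Unix hash (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user: str, password: str, salt: str = None) -> str:
    """Build a user:salt:hash line; pass salt="" for the unsalted scheme."""
    if salt is None:
        salt = format(secrets.randbelow(2 ** SALT_BITS), "03x")
    return f"{user}:{salt}:{H(salt, password)}"

def verify(entry: str, password: str) -> bool:
    """Login check: recompute H(salt, input) and compare with the stored hash."""
    _, salt, stored = entry.split(":")
    return hmac.compare_digest(H(salt, password), stored)

def table_hits(entries, words, salts=("",)):
    """Users whose stored hash appears in ONE table precomputed over words x salts."""
    table = {H(s, w) for s in salts for w in words}
    return [e.split(":")[0] for e in entries if e.split(":")[2] in table]

def table_size(words, salted: bool) -> int:
    """Hashes needed up front: |words| unsalted, |words| * 2^12 salted."""
    return len(words) * (2 ** SALT_BITS if salted else 1)

if __name__ == "__main__":
    words = ["123456", "12345", "iloveyou", "princess"]   # constructed word list
    unsalted = [make_entry(u, "iloveyou", salt="") for u in ("alice", "bob")]
    salted = [make_entry(u, "iloveyou") for u in ("alice", "bob")]
    print("unsalted entries found in one table:", table_hits(unsalted, words))
    print("salted entries found in the same table:", table_hits(salted, words))
    print("table sizes:", table_size(words, False), "vs", table_size(words, True))
```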

Panacea: Salted Passwords?

• Sadly no, because of human behavior. Password quality in terms of randomness is generally terrible
  • Then: If universe of passwords is small, completely feasible to compute dictionary attacks of salted passwords
  • H(salts, passwords), |salts| = $2^{12}$, |passwords| = |1000|
• Jan 2010: Rockyou.com subject to SQL injection attack
  • 32.6 million passwords were exposed and posted online
  • Nearly 50 percent of the passwords on the RockYou.com list contained names, slang words, dictionary words, or trivial combinations as passwords
  • Most common password being '123456', followed by '12345', '123456789', 'Password', 'iloveyou', 'princess', 'rockyou', '1234567', '12345678', and 'abc123'
  • Other vulnerable passwords included common names such as 'Jessica' and 'Ashley', or keyboard patterns such as 'Qwerty'
  • See http://www.thetechherald.com/article.php/201003/5124/Passwordproblemsbackinthespotlightthankstonewresearch

For next Tuesday

• Review notes
• On your computer, or in the computer labs on the third floor (login will be provided)
  • Download VMWare Player 3.1.1 at VMWare.com for your platform (Linux or Windows)
  • Download NST VM 1.8.1 at nstvm1.8.1.zip
  • Unzip NST and boot it in VMWare Player
  • Instructions all here: http://www.vmware.com/appliances/directory/141/
• We'll have a lab on Thursday, Sep. 9th using this