Cryptography and Network Security Chapter 11
description
Transcript of Cryptography and Network Security Chapter 11
Cryptography and Cryptography and Network SecurityNetwork Security
Chapter 11Chapter 11
Fifth EditionFifth Edition
by William Stallingsby William Stallings
Chapter 11 – Chapter 11 – Cryptographic Hash Cryptographic Hash FunctionsFunctions
At cats' green on the Sunday he took the message from At cats' green on the Sunday he took the message from the inside of the pillar and added Peter Moran's name to the inside of the pillar and added Peter Moran's name to the two names already printed there in the "Brontosaur" the two names already printed there in the "Brontosaur" code. The message now read: “Leviathan to Dragon: code. The message now read: “Leviathan to Dragon: Martin Hillman, Trevor Allan, Peter Moran: observe and Martin Hillman, Trevor Allan, Peter Moran: observe and tail.” What was the good of it John hardly knew. He felt tail.” What was the good of it John hardly knew. He felt better, he felt that at last he had made an attack on Peter better, he felt that at last he had made an attack on Peter Moran instead of waiting passively and effecting no Moran instead of waiting passively and effecting no retaliation. Besides, what was the use of being in retaliation. Besides, what was the use of being in possession of the key to the codes if he never took possession of the key to the codes if he never took advantage of it?advantage of it?
——Talking to Strange Men, Talking to Strange Men, Ruth RendellRuth Rendell
Swiss army knife in Swiss army knife in cryptographycryptography
One of the most useful mathematical concept One of the most useful mathematical concept that has been invented in the contemporary that has been invented in the contemporary cryptology in the last 20 years.cryptology in the last 20 years.
Main use:Main use: Part of digital signature schemasPart of digital signature schemas
Used in dig.
signatures
schemes
Passw
ord
P
asswo
rd
pro
tection
pro
tection
Swiss army knife Swiss army knife in cryptography in cryptography and information and information securitysecurity
Hash Hash functionsfunctions
What is a cryptographic hash What is a cryptographic hash function?function?
Intuitive requirementsIntuitive requirements A function that maps a message of an arbitrary length to a n-bit A function that maps a message of an arbitrary length to a n-bit
output (the message digest)output (the message digest) output to act as a output to act as a fingerprintfingerprint if the message digest is transmitted if the message digest is transmitted securelysecurely, then changes , then changes
to the message to be detected with overwhelming probabilityto the message to be detected with overwhelming probability
What is a cryptographic hash What is a cryptographic hash function?function?
Informal definitionInformal definition
A function A function hh:{0,1}* → {0,1}:{0,1}* → {0,1}nn, for a given , for a given nnN is called cryptographic hash N is called cryptographic hash function if it isfunction if it is1.1. One wayOne way
2.2. Collision resistantCollision resistant
What is a cryptographic hash What is a cryptographic hash function?function?
One way:One way:
Preimage resistantPreimage resistant i.e. i.e. it should has the property that it is “easy” it should has the property that it is “easy” to compute to compute hh(M)(M)=y=y for a given for a given MM{0,1}*{0,1}*, but it should be “hard” , but it should be “hard” (or “infeasible”) to compute any (or “infeasible”) to compute any M’M’ if just the value of if just the value of yy is given.is given.
What is a cryptographic hash What is a cryptographic hash function?function?
One wayOne way
Second preimage resistant Second preimage resistant i.e. i.e. it should has the property that for a it should has the property that for a given given MM it is “easy” to compute it is “easy” to compute hh((MM), but it should be “hard”' (or ), but it should be “hard”' (or “infeasible”) to find another “infeasible”) to find another M’M’ ≠≠ MM such that such that hh((M’M’)=)=hh((MM).).
What is a cryptographic hash What is a cryptographic hash function?function?
Collision resistantCollision resistantIt should be “hard” (or “infeasible”) to find two values It should be “hard” (or “infeasible”) to find two values MM ≠≠ M’M’ such that such that hh((MM)=)=hh((M’M’))..
Conflict theory vs. practiceConflict theory vs. practice
The first explicit note for the need of one-way The first explicit note for the need of one-way functions in cryptography was given by Diffie and functions in cryptography was given by Diffie and Hellman in 1976.Hellman in 1976.
Several significant theoretical works by Yao in 1982 Several significant theoretical works by Yao in 1982 and Levin in 1985 (connected with even older ideas and Levin in 1985 (connected with even older ideas of by Kolmogorov from mid and late 1960s)of by Kolmogorov from mid and late 1960s)
The existence of one-way functions was connected The existence of one-way functions was connected with the famous question from the complexity with the famous question from the complexity theory is P = NP ?theory is P = NP ?
Conflict theory vs. practiceConflict theory vs. practice It was shown that if one-way functions exist then It was shown that if one-way functions exist then
P P ≠ ≠ NP NP Or vice versa, if P = NP then there are no one-way Or vice versa, if P = NP then there are no one-way
functions.functions. The first conflict:The first conflict:
It is well known that so far no one has succeeded either It is well known that so far no one has succeeded either to prove or to disprove the claim P = NP, to prove or to disprove the claim P = NP,
Nevertheless the practical requirements to the Nevertheless the practical requirements to the designers of the cryptographic hash functions are to designers of the cryptographic hash functions are to construct functions that look like one-way.construct functions that look like one-way.
Conflict theory vs. practiceConflict theory vs. practice
Trivial theoretical fact (the pigeonhole Trivial theoretical fact (the pigeonhole principle). Since h:{0,1}* principle). Since h:{0,1}* → → {0,1}{0,1}nn, then there , then there are infinite number of colliding pairs Mare infinite number of colliding pairs M11,M,M22 {0,1}* such that h(M{0,1}* such that h(M11)=h(M)=h(M22). ).
The second conflict:The second conflict: although there are infinite numbers of colliding although there are infinite numbers of colliding
pairs, practical requirements to the designer of the pairs, practical requirements to the designer of the cryptographic hash function are that it is cryptographic hash function are that it is infeasible infeasible in practicein practice to find at least one colliding pair. to find at least one colliding pair.
Conflicts theory vs. practiceConflicts theory vs. practice
The conflicts between our theoretically limited The conflicts between our theoretically limited knowledge for one-way functions and the practical knowledge for one-way functions and the practical requirements, requirements, make the construction of make the construction of cryptographic hash functions extremely hard.cryptographic hash functions extremely hard.
The task for designers is additionally hardened by The task for designers is additionally hardened by additional security requirements:additional security requirements: pseudo-randomness when it is keyed with a secret keypseudo-randomness when it is keyed with a secret key near-collision resistancenear-collision resistance partial preimage resistancepartial preimage resistance indifferentiable from random oracleindifferentiable from random oracle
Conflict theory vs. practiceConflict theory vs. practice
Another point of view to Another point of view to cryptographic hash functionscryptographic hash functions
The The “Random-Oracle paradigm”“Random-Oracle paradigm”, Bellare and , Bellare and Rogaway, 1993Rogaway, 1993
Hash functions are random functionsHash functions are random functions Digest d=h(M) are chosen uniformly for each message MDigest d=h(M) are chosen uniformly for each message M Digest d=h(M) has no correlation with MDigest d=h(M) has no correlation with M For distinct MFor distinct M11,M,M22,…, digests d,…, digests dii=h(M=h(Mii) are completely ) are completely
uncorrelated to each otheruncorrelated to each other Cannot find collisions, or even near-collisionsCannot find collisions, or even near-collisions Cannot find M to “hit” a specific dCannot find M to “hit” a specific d Cannot find fixed-points d = h(d)Cannot find fixed-points d = h(d) ……
Random oracle paradigmRandom oracle paradigm The The “Random-Oracle paradigm”“Random-Oracle paradigm” works like works like
this:this:1.1. Assume that in your system (protocol, algorithm, ...) the hash function Assume that in your system (protocol, algorithm, ...) the hash function
that you are using is really that good (as a random function)that you are using is really that good (as a random function)
2.2. Try to prove the security of your system with that assumption.Try to prove the security of your system with that assumption.
3.3. Replace the ideal hash function with a particularly specified function.Replace the ideal hash function with a particularly specified function.
In practice – very useful paradigm (OAEP encryption, In practice – very useful paradigm (OAEP encryption, Full Domain Hash i.e. FDH-RSA, Probabilistic Full Domain Hash i.e. FDH-RSA, Probabilistic Signature Schemes i.e. PSS signatures, …)Signature Schemes i.e. PSS signatures, …)
BUTBUT
Random oracle paradigmRandom oracle paradigm
• Canetti, Goldreich and Halevi: “The random oracle methodology, revisited”, 1998.• There exists a protocol (pretty artificial, but still theoretically sound) which is provably secure in the random oracle model, but becomes insecure when the hash function used in the protocol is replaced by any concretely specified hash function.
Random oracle paradigmRandom oracle paradigm
• Stinson 2001: 1. A proof in the random oracle model is therefore no more than plausible
evidence of security when the random oracle model is replaced by a particular hash function.
2. This was the “thesis” proposed by Bellare and Rogaway when they introduced the random oracle model.
3. In favor of this thesis, it should be noted that no practical protocol proven secure in the random oracle model has been broken when used with a “good” hash function.
4. On the other hand, the Canneti-Goldreich-Halevi result indicates that there is not likely to be any proof that this thesis is always valid.
Formal definition of hash Formal definition of hash functions and basic attacksfunctions and basic attacks
Formalization used by Stinson in: “Some Formalization used by Stinson in: “Some observations on the theory of cryptographic observations on the theory of cryptographic hash functions”, 2001 (based on Bellare-hash functions”, 2001 (based on Bellare-Rogaway random oracle model)Rogaway random oracle model)
An An ((NN, , MM)) hash function is any function hash function is any function ff: : XX →→ YY, where , where XX and and YY are finite sets with | are finite sets with |XX||==NN, and |, and |YY|=|=MM. These hash functions with . These hash functions with finite domains are also called compression finite domains are also called compression functions.functions.
Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)
Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)
For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈0.69·2n
Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)
For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈0.69·2n
Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)
For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈0.69·2n + 1
Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)
For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈1.18·2n/2
Choosing the length of Hash Choosing the length of Hash outputsoutputs
Because of the birthday attack, the length Because of the birthday attack, the length of hash outputs in general should double of hash outputs in general should double the key length of block ciphersthe key length of block ciphers From 2010 recommended hash functions and From 2010 recommended hash functions and
hash output lengths are: SHA-224, SHA-256, hash output lengths are: SHA-224, SHA-256, SHA-384, SHA-512 with projected collision SHA-384, SHA-512 with projected collision security of 112, 128, 192 and 256 bits.security of 112, 128, 192 and 256 bits.
1 E Flops
10 E Flops
100 E Flops
1 Z Flops
25 years in the future
10 E Flops
~280 computations in one year
~2100 computations in one year
2010 - Exact match with NIST recommendation to
stop using SHA-1 (designed for 80 bits of security)
Iterative Construction of Hash Functions Iterative Construction of Hash Functions ((Merkle-Damgård Construction)Merkle-Damgård Construction)
A hash function needs to map a message of an arbitrary length to a A hash function needs to map a message of an arbitrary length to a nn-bit output-bit output
hh: {0,1}*: {0,1}*{0,1}{0,1}nn
The iterative constructionThe iterative construction use a compression function that takes a fixed-length input string use a compression function that takes a fixed-length input string
and output a shorter stringand output a shorter string• ff:{0,1}:{0,1}n n + + tt {0,1}{0,1}nn
a message is divided into fixed length blocks and processed a message is divided into fixed length blocks and processed block by blockblock by block
Merkle and Damgård in 1989 (independently) showed that given Merkle and Damgård in 1989 (independently) showed that given a collision resistant compression function, a collision resistant a collision resistant compression function, a collision resistant hash function could be constructedhash function could be constructed
Iterative Construction of Hash Iterative Construction of Hash Functions (Functions (Merkle-Damgård Merkle-Damgård
Construction)Construction)
A short history of practical hash functions A short history of practical hash functions constructions (and their failures)constructions (and their failures)
MDMDx familyx family Proposed by Proposed by RonaldRonald RivestRivest for for
RSARSA Labs Labs MD2: MD2: 1989, 1989, BrokenBroken MD4MD4, 1990, , 1990, BrokenBroken MD5MD5, 1992, , 1992, BrokenBroken
• Inspired by MDx family– RIPEMD: 1995, Broken– RIPEMD-160: 1996– Haval: 1992, Broken
SHA family, (SHA: Secure Hash Algorithm) – also inspired by MDx family− Developed by NSA (National Security Agency)
SHA-0, 1993, FIPS-180, US Gov., BrokenSHA-1, 1995, FIPS-180-1, US Gov., Theoretically broken in 2005SHA-2, 2002, FIPS-180-2, US Gov., SHA-224/256/384/512
A short history of practical hash functions A short history of practical hash functions constructions (and their failures)constructions (and their failures)
Merkle-Damgård Construction Merkle-Damgård Construction does not act as Random Oracledoes not act as Random Oracle Length extension attack on Length extension attack on Merkle-DamgårdMerkle-Damgård For a message M = MFor a message M = M11 M M22 … M … MNN, and the compression function , and the compression function
f(A, B) used in f(A, B) used in Merkle-Damgård construction, the hash functionMerkle-Damgård construction, the hash function is is defined as:defined as:
h(M)=C(C(…C(IV,Mh(M)=C(C(…C(IV,M11),M),M22),…M),…MNN),P),PMM))
where Pwhere PMM is the proper padding. is the proper padding.
The attacker does not M, but can guess its length i.e. he knows The attacker does not M, but can guess its length i.e. he knows the block Pthe block PMM..
He can easily construct a message M’=PHe can easily construct a message M’=PMM||M’||M’11, such that he , such that he
knows the hash of the message M||M’ i.e. he knows how to knows the hash of the message M||M’ i.e. he knows how to computecompute
H(M||M’) = C(C(H(M),MH(M||M’) = C(C(H(M),M11),P),PM’M’))
Merkle-Damgård Construction Merkle-Damgård Construction does not act as Random Oracledoes not act as Random Oracle Multi-collisions (Joux 2004)Multi-collisions (Joux 2004)
1.1. Set i=0Set i=0
2.2. Set IV=hSet IV=hii
3.3. After 2After 2n/2n/2 computations of the compression function f() find a computations of the compression function f() find a colliding pair of different messages (mcolliding pair of different messages (m ii
11, m, mii22) such that ) such that
hhi+1i+1= f(h= f(hii, m, mii11)=f(h)=f(hii, m, mii
22))
4.4. i=i+1i=i+1
5.5. Repeat steps 3 and 4 while i<rRepeat steps 3 and 4 while i<r From the pairs (mFrom the pairs (m00
11, m, m0022) x (m) x (m11
11, m, m1122) x…x (m) x…x (mr-1r-1
11, m, mr-1r-122) construct 2) construct 2rr
messages all giving 2messages all giving 2rr collisions. collisions. Thus the complexity of finding 2Thus the complexity of finding 2rr collisions is just O(r2 collisions is just O(r2rr)) If the function f is random oracle, finding 2If the function f is random oracle, finding 2 rr collisions has collisions has
complexity complexity ΘΘ(2(2nr(r-1)/2nr(r-1)/2))
Slide, from Shai Halevi Slide, from Shai Halevi
Constructions of iterative hash functions that Constructions of iterative hash functions that do not suffer from attacks on MDdo not suffer from attacks on MD
Wide pipe (Lucks 2005)Wide pipe (Lucks 2005)
Constructions of iterative hash functions that Constructions of iterative hash functions that do not suffer from attacks on MDdo not suffer from attacks on MD
Sponge design (Bertoni, Daemen, Peeters and Van Assche, 2007)Sponge design (Bertoni, Daemen, Peeters and Van Assche, 2007)
Constructions of iterative hash functions that Constructions of iterative hash functions that do not suffer from attacks on MDdo not suffer from attacks on MD
HAIFA (Biham, Dunkelman, 2006)HAIFA (Biham, Dunkelman, 2006)
Description of the main Description of the main applications of hash functionsapplications of hash functions
Digital signaturesDigital signatures
Private RSA or EC or DSA keyPrivate RSA or EC or DSA key Public RSA or EC or DSA keyPublic RSA or EC or DSA key
Description of the main Description of the main applications of hash functionsapplications of hash functions
MAC and HMACMAC and HMAC
Description of the main Description of the main applications of hash functionsapplications of hash functions
MAC and HMACMAC and HMAC
Description of the main Description of the main applications of hash functionsapplications of hash functions
Modification Detection Codes (MDC)Modification Detection Codes (MDC)
Description of the main Description of the main applications of hash functionsapplications of hash functions
Uses hash functions, via
HMAC
Uses hash functions, via
HMAC
Block Ciphers as Hash Block Ciphers as Hash FunctionsFunctions
can use block ciphers as hash functionscan use block ciphers as hash functions using Husing H00=0 and zero-pad of final block=0 and zero-pad of final block
compute: Hcompute: Hii = E = EMMii [H [Hi-1i-1]]
and use final block as the hash valueand use final block as the hash value similar to CBC but without a keysimilar to CBC but without a key
resulting hash is too small (64-bit)resulting hash is too small (64-bit) both due to direct birthday attackboth due to direct birthday attack and to “meet-in-the-middle” attackand to “meet-in-the-middle” attack
other variants also susceptible to attackother variants also susceptible to attack
Building blocks in the hash Building blocks in the hash functionsfunctions
Based on block ciphersBased on block ciphers
Building blocks in the hash Building blocks in the hash functionsfunctions
Based on block ciphersBased on block ciphers Govaerts, Preneel and Vandewalle: “Hash functions based on block ciphers: A synthetic approach”, 1993Govaerts, Preneel and Vandewalle: “Hash functions based on block ciphers: A synthetic approach”, 1993 12 secure schemes (PGV1-12)12 secure schemes (PGV1-12) Strict black-box analysis done by Rogaway, Black and Shrimpton I 2002.Strict black-box analysis done by Rogaway, Black and Shrimpton I 2002.
Secure Hash AlgorithmSecure Hash Algorithm
SHA originally designed by NIST & NSA in 1993SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1was revised in 1995 as SHA-1 US standard for use with DSA signature scheme US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences based on design of MD4 with key differences produces 160-bit hash values produces 160-bit hash values recent 2005 results on security of SHA-1 have recent 2005 results on security of SHA-1 have
raised concerns on its use in future applicationsraised concerns on its use in future applications
Revised Secure Hash Revised Secure Hash StandardStandard
NIST issued revision FIPS 180-2 in 2002NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512SHA-256, SHA-384, SHA-512 designed for compatibility with increased designed for compatibility with increased
security provided by the AES ciphersecurity provided by the AES cipher structure & detail is similar to SHA-1structure & detail is similar to SHA-1 hence analysis should be similarhence analysis should be similar but security levels are rather higherbut security levels are rather higher
SHA-512 OverviewSHA-512 Overview
Complete pseudo-code for SHA-512Complete pseudo-code for SHA-512
SHA-512 Compression SHA-512 Compression FunctionFunction
heart of the algorithmheart of the algorithm processing message in 1024-bit blocksprocessing message in 1024-bit blocks consists of 80 roundsconsists of 80 rounds
updating a 512-bit buffer updating a 512-bit buffer using a 64-bit value Wt derived from the using a 64-bit value Wt derived from the
current message blockcurrent message block and a round constant based on cube root of and a round constant based on cube root of
first 80 prime numbersfirst 80 prime numbers
SHA-512 Round FunctionSHA-512 Round Function
SHA-512 SHA-512 Round FunctionRound Function
NIST worldwide hash competition NIST worldwide hash competition for SHA-3for SHA-3
SHA-3 RequirementsSHA-3 Requirements
224, 256, 384 and 512 bits of output224, 256, 384 and 512 bits of output Collision resistance of n/2 bitsCollision resistance of n/2 bits (Second)Preimage resistance of n bits(Second)Preimage resistance of n bits Resistant against length-extension attackResistant against length-extension attack Significantly faster than SHA-2Significantly faster than SHA-2
SHA-3 Competition timelineSHA-3 Competition timeline
SHA-3 Competition timelineSHA-3 Competition timeline64 submissions64 submissions
51 candidates51 candidates
3Q | Announce the Second Round candidates.
14 candidates14 candidates
SHA-3 Competition timelineSHA-3 Competition timeline
Delayed for 4Q.Delayed for 4Q.
SHA-3 Competition timelineSHA-3 Competition timeline
AdditionAdditionRotationRotationeXoringeXoring
mostly mostly AESAES
like like SerpentSerpent
AdditionAdditionRotationRotationeXoringeXoring
mostly mostly AESAES
like like SerpentSerpent
On 9 Dec 2010 NIST announced 5 SHA-3 finalists
AdditionAdditionRotationRotationeXoringeXoring
mostly mostly AESAES
like like SerpentSerpent
On 9 Dec 2010 NIST announced 5 SHA-3 finalists
2 October 2012, NIST announced that SHA-3 is Keccak
2 October 2012, NIST announced that SHA-3 is Keccak
NIST worldwide hash competition NIST worldwide hash competition for SHA-3for SHA-3
What does it mean “significantly improved efficiency” (over SHA-2)?What does it mean “significantly improved efficiency” (over SHA-2)? Let us take the following “definition”: Significantly improved Let us take the following “definition”: Significantly improved
efficiency over SHA-2 means at least 2 times faster than SHA-2.efficiency over SHA-2 means at least 2 times faster than SHA-2. Then, if a function is 2 times slower than SHA-2, it means that it has Then, if a function is 2 times slower than SHA-2, it means that it has
significantly worse efficiency.significantly worse efficiency. This convention seems to be accepted by many in cryptography This convention seems to be accepted by many in cryptography
(see “(see “Classication of the SHA-3 CandidatesClassication of the SHA-3 Candidates”, ”, Fleischmann, Forler, Fleischmann, Forler, and Gorski, eprint 2008, report 511)and Gorski, eprint 2008, report 511)
NIST worldwide hash competition NIST worldwide hash competition for SHA-3for SHA-3
Why NIST expected SHA-3 to be “with significantly improved Why NIST expected SHA-3 to be “with significantly improved efficiency” (over SHA-2)?efficiency” (over SHA-2)?
Because of their experience with serious software vendors that are still using MD5 instead of SHA-1
(and now instead of SHA-2) due to the more than 1:3 speed ratio in
favor to MD5 vs sha256.
SummarySummary
have considered:have considered: hash functionshash functions SHA-3SHA-3 SHA-512SHA-512