Cryptography and Network Security Chapter 11

Cryptography and Cryptography and Network SecurityNetwork Security

Chapter 11Chapter 11

Fifth EditionFifth Edition

by William Stallingsby William Stallings

Chapter 11 – Chapter 11 – Cryptographic Hash Cryptographic Hash FunctionsFunctions

At cats' green on the Sunday he took the message from At cats' green on the Sunday he took the message from the inside of the pillar and added Peter Moran's name to the inside of the pillar and added Peter Moran's name to the two names already printed there in the "Brontosaur" the two names already printed there in the "Brontosaur" code. The message now read: “Leviathan to Dragon: code. The message now read: “Leviathan to Dragon: Martin Hillman, Trevor Allan, Peter Moran: observe and Martin Hillman, Trevor Allan, Peter Moran: observe and tail.” What was the good of it John hardly knew. He felt tail.” What was the good of it John hardly knew. He felt better, he felt that at last he had made an attack on Peter better, he felt that at last he had made an attack on Peter Moran instead of waiting passively and effecting no Moran instead of waiting passively and effecting no retaliation. Besides, what was the use of being in retaliation. Besides, what was the use of being in possession of the key to the codes if he never took possession of the key to the codes if he never took advantage of it?advantage of it?

——Talking to Strange Men, Talking to Strange Men, Ruth RendellRuth Rendell

Swiss army knife in Swiss army knife in cryptographycryptography

One of the most useful mathematical concept One of the most useful mathematical concept that has been invented in the contemporary that has been invented in the contemporary cryptology in the last 20 years.cryptology in the last 20 years.

Main use:Main use: Part of digital signature schemasPart of digital signature schemas

Used in dig.

signatures

schemes

Passw

ord

P

asswo

rd

pro

tection

pro

tection

Swiss army knife Swiss army knife in cryptography in cryptography and information and information securitysecurity

Hash Hash functionsfunctions

What is a cryptographic hash What is a cryptographic hash function?function?

Intuitive requirementsIntuitive requirements A function that maps a message of an arbitrary length to a n-bit A function that maps a message of an arbitrary length to a n-bit

output (the message digest)output (the message digest) output to act as a output to act as a fingerprintfingerprint if the message digest is transmitted if the message digest is transmitted securelysecurely, then changes , then changes

to the message to be detected with overwhelming probabilityto the message to be detected with overwhelming probability


Informal definitionInformal definition

A function A function hh:{0,1}* → {0,1}:{0,1}* → {0,1}nn, for a given , for a given nnN is called cryptographic hash N is called cryptographic hash function if it isfunction if it is1.1. One wayOne way

2.2. Collision resistantCollision resistant


One way:One way:

Preimage resistantPreimage resistant i.e. i.e. it should has the property that it is “easy” it should has the property that it is “easy” to compute to compute hh(M)(M)=y=y for a given for a given MM{0,1}*{0,1}*, but it should be “hard” , but it should be “hard” (or “infeasible”) to compute any (or “infeasible”) to compute any M’M’ if just the value of if just the value of yy is given.is given.


One wayOne way

Second preimage resistant Second preimage resistant i.e. i.e. it should has the property that for a it should has the property that for a given given MM it is “easy” to compute it is “easy” to compute hh((MM), but it should be “hard”' (or ), but it should be “hard”' (or “infeasible”) to find another “infeasible”) to find another M’M’ ≠≠ MM such that such that hh((M’M’)=)=hh((MM).).


Collision resistantCollision resistantIt should be “hard” (or “infeasible”) to find two values It should be “hard” (or “infeasible”) to find two values MM ≠≠ M’M’ such that such that hh((MM)=)=hh((M’M’))..

Conflict theory vs. practiceConflict theory vs. practice

The first explicit note for the need of one-way The first explicit note for the need of one-way functions in cryptography was given by Diffie and functions in cryptography was given by Diffie and Hellman in 1976.Hellman in 1976.

Several significant theoretical works by Yao in 1982 Several significant theoretical works by Yao in 1982 and Levin in 1985 (connected with even older ideas and Levin in 1985 (connected with even older ideas of by Kolmogorov from mid and late 1960s)of by Kolmogorov from mid and late 1960s)

The existence of one-way functions was connected The existence of one-way functions was connected with the famous question from the complexity with the famous question from the complexity theory is P = NP ?theory is P = NP ?

Conflict theory vs. practiceConflict theory vs. practice It was shown that if one-way functions exist then It was shown that if one-way functions exist then

P P ≠ ≠ NP NP Or vice versa, if P = NP then there are no one-way Or vice versa, if P = NP then there are no one-way

functions.functions. The first conflict:The first conflict:

It is well known that so far no one has succeeded either It is well known that so far no one has succeeded either to prove or to disprove the claim P = NP, to prove or to disprove the claim P = NP,

Nevertheless the practical requirements to the Nevertheless the practical requirements to the designers of the cryptographic hash functions are to designers of the cryptographic hash functions are to construct functions that look like one-way.construct functions that look like one-way.


Trivial theoretical fact (the pigeonhole Trivial theoretical fact (the pigeonhole principle). Since h:{0,1}* principle). Since h:{0,1}* → → {0,1}{0,1}nn, then there , then there are infinite number of colliding pairs Mare infinite number of colliding pairs M11,M,M22 {0,1}* such that h(M{0,1}* such that h(M11)=h(M)=h(M22). ).

The second conflict:The second conflict: although there are infinite numbers of colliding although there are infinite numbers of colliding

pairs, practical requirements to the designer of the pairs, practical requirements to the designer of the cryptographic hash function are that it is cryptographic hash function are that it is infeasible infeasible in practicein practice to find at least one colliding pair. to find at least one colliding pair.

Conflicts theory vs. practiceConflicts theory vs. practice

The conflicts between our theoretically limited The conflicts between our theoretically limited knowledge for one-way functions and the practical knowledge for one-way functions and the practical requirements, requirements, make the construction of make the construction of cryptographic hash functions extremely hard.cryptographic hash functions extremely hard.

The task for designers is additionally hardened by The task for designers is additionally hardened by additional security requirements:additional security requirements: pseudo-randomness when it is keyed with a secret keypseudo-randomness when it is keyed with a secret key near-collision resistancenear-collision resistance partial preimage resistancepartial preimage resistance indifferentiable from random oracleindifferentiable from random oracle


Another point of view to Another point of view to cryptographic hash functionscryptographic hash functions

The The “Random-Oracle paradigm”“Random-Oracle paradigm”, Bellare and , Bellare and Rogaway, 1993Rogaway, 1993

Hash functions are random functionsHash functions are random functions Digest d=h(M) are chosen uniformly for each message MDigest d=h(M) are chosen uniformly for each message M Digest d=h(M) has no correlation with MDigest d=h(M) has no correlation with M For distinct MFor distinct M11,M,M22,…, digests d,…, digests dii=h(M=h(Mii) are completely ) are completely

uncorrelated to each otheruncorrelated to each other Cannot find collisions, or even near-collisionsCannot find collisions, or even near-collisions Cannot find M to “hit” a specific dCannot find M to “hit” a specific d Cannot find fixed-points d = h(d)Cannot find fixed-points d = h(d) ……

Random oracle paradigmRandom oracle paradigm The The “Random-Oracle paradigm”“Random-Oracle paradigm” works like works like

this:this:1.1. Assume that in your system (protocol, algorithm, ...) the hash function Assume that in your system (protocol, algorithm, ...) the hash function

that you are using is really that good (as a random function)that you are using is really that good (as a random function)

2.2. Try to prove the security of your system with that assumption.Try to prove the security of your system with that assumption.

3.3. Replace the ideal hash function with a particularly specified function.Replace the ideal hash function with a particularly specified function.

In practice – very useful paradigm (OAEP encryption, In practice – very useful paradigm (OAEP encryption, Full Domain Hash i.e. FDH-RSA, Probabilistic Full Domain Hash i.e. FDH-RSA, Probabilistic Signature Schemes i.e. PSS signatures, …)Signature Schemes i.e. PSS signatures, …)

BUTBUT

Random oracle paradigmRandom oracle paradigm

• Canetti, Goldreich and Halevi: “The random oracle methodology, revisited”, 1998.• There exists a protocol (pretty artificial, but still theoretically sound) which is provably secure in the random oracle model, but becomes insecure when the hash function used in the protocol is replaced by any concretely specified hash function.

Random oracle paradigmRandom oracle paradigm

• Stinson 2001: 1. A proof in the random oracle model is therefore no more than plausible

evidence of security when the random oracle model is replaced by a particular hash function.

2. This was the “thesis” proposed by Bellare and Rogaway when they introduced the random oracle model.

3. In favor of this thesis, it should be noted that no practical protocol proven secure in the random oracle model has been broken when used with a “good” hash function.

4. On the other hand, the Canneti-Goldreich-Halevi result indicates that there is not likely to be any proof that this thesis is always valid.

Formal definition of hash Formal definition of hash functions and basic attacksfunctions and basic attacks

Formalization used by Stinson in: “Some Formalization used by Stinson in: “Some observations on the theory of cryptographic observations on the theory of cryptographic hash functions”, 2001 (based on Bellare-hash functions”, 2001 (based on Bellare-Rogaway random oracle model)Rogaway random oracle model)

An An ((NN, , MM)) hash function is any function hash function is any function ff: : XX →→ YY, where , where XX and and YY are finite sets with | are finite sets with |XX||==NN, and |, and |YY|=|=MM. These hash functions with . These hash functions with finite domains are also called compression finite domains are also called compression functions.functions.

Formal definition of hash Formal definition of hash functions and basic attacks (cont.)functions and basic attacks (cont.)


For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈0.69·2n


For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈0.69·2n + 1


For an n-bit hash function (i.e. M=2n) in order ԑ≥0.5, q≈1.18·2n/2

Choosing the length of Hash Choosing the length of Hash outputsoutputs

Because of the birthday attack, the length Because of the birthday attack, the length of hash outputs in general should double of hash outputs in general should double the key length of block ciphersthe key length of block ciphers From 2010 recommended hash functions and From 2010 recommended hash functions and

hash output lengths are: SHA-224, SHA-256, hash output lengths are: SHA-224, SHA-256, SHA-384, SHA-512 with projected collision SHA-384, SHA-512 with projected collision security of 112, 128, 192 and 256 bits.security of 112, 128, 192 and 256 bits.

1 E Flops

10 E Flops

100 E Flops

1 Z Flops

25 years in the future

10 E Flops

~280 computations in one year

~2100 computations in one year

2010 - Exact match with NIST recommendation to

stop using SHA-1 (designed for 80 bits of security)

Iterative Construction of Hash Functions Iterative Construction of Hash Functions ((Merkle-Damgård Construction)Merkle-Damgård Construction)

A hash function needs to map a message of an arbitrary length to a A hash function needs to map a message of an arbitrary length to a nn-bit output-bit output

hh: {0,1}*: {0,1}*{0,1}{0,1}nn

The iterative constructionThe iterative construction use a compression function that takes a fixed-length input string use a compression function that takes a fixed-length input string

and output a shorter stringand output a shorter string• ff:{0,1}:{0,1}n n + + tt {0,1}{0,1}nn

a message is divided into fixed length blocks and processed a message is divided into fixed length blocks and processed block by blockblock by block

Merkle and Damgård in 1989 (independently) showed that given Merkle and Damgård in 1989 (independently) showed that given a collision resistant compression function, a collision resistant a collision resistant compression function, a collision resistant hash function could be constructedhash function could be constructed

Iterative Construction of Hash Iterative Construction of Hash Functions (Functions (Merkle-Damgård Merkle-Damgård

Construction)Construction)

A short history of practical hash functions A short history of practical hash functions constructions (and their failures)constructions (and their failures)

MDMDx familyx family Proposed by Proposed by RonaldRonald RivestRivest for for

RSARSA Labs Labs MD2: MD2: 1989, 1989, BrokenBroken MD4MD4, 1990, , 1990, BrokenBroken MD5MD5, 1992, , 1992, BrokenBroken

• Inspired by MDx family– RIPEMD: 1995, Broken– RIPEMD-160: 1996– Haval: 1992, Broken

SHA family, (SHA: Secure Hash Algorithm) – also inspired by MDx family− Developed by NSA (National Security Agency)

SHA-0, 1993, FIPS-180, US Gov., BrokenSHA-1, 1995, FIPS-180-1, US Gov., Theoretically broken in 2005SHA-2, 2002, FIPS-180-2, US Gov., SHA-224/256/384/512

A short history of practical hash functions A short history of practical hash functions constructions (and their failures)constructions (and their failures)

Merkle-Damgård Construction Merkle-Damgård Construction does not act as Random Oracledoes not act as Random Oracle Length extension attack on Length extension attack on Merkle-DamgårdMerkle-Damgård For a message M = MFor a message M = M11 M M22 … M … MNN, and the compression function , and the compression function

f(A, B) used in f(A, B) used in Merkle-Damgård construction, the hash functionMerkle-Damgård construction, the hash function is is defined as:defined as:

h(M)=C(C(…C(IV,Mh(M)=C(C(…C(IV,M11),M),M22),…M),…MNN),P),PMM))

where Pwhere PMM is the proper padding. is the proper padding.

The attacker does not M, but can guess its length i.e. he knows The attacker does not M, but can guess its length i.e. he knows the block Pthe block PMM..

He can easily construct a message M’=PHe can easily construct a message M’=PMM||M’||M’11, such that he , such that he

knows the hash of the message M||M’ i.e. he knows how to knows the hash of the message M||M’ i.e. he knows how to computecompute

H(M||M’) = C(C(H(M),MH(M||M’) = C(C(H(M),M11),P),PM’M’))

Merkle-Damgård Construction Merkle-Damgård Construction does not act as Random Oracledoes not act as Random Oracle Multi-collisions (Joux 2004)Multi-collisions (Joux 2004)

1.1. Set i=0Set i=0

2.2. Set IV=hSet IV=hii

3.3. After 2After 2n/2n/2 computations of the compression function f() find a computations of the compression function f() find a colliding pair of different messages (mcolliding pair of different messages (m ii

11, m, mii22) such that ) such that

hhi+1i+1= f(h= f(hii, m, mii11)=f(h)=f(hii, m, mii

22))

4.4. i=i+1i=i+1

5.5. Repeat steps 3 and 4 while i<rRepeat steps 3 and 4 while i<r From the pairs (mFrom the pairs (m00

11, m, m0022) x (m) x (m11

11, m, m1122) x…x (m) x…x (mr-1r-1

11, m, mr-1r-122) construct 2) construct 2rr

messages all giving 2messages all giving 2rr collisions. collisions. Thus the complexity of finding 2Thus the complexity of finding 2rr collisions is just O(r2 collisions is just O(r2rr)) If the function f is random oracle, finding 2If the function f is random oracle, finding 2 rr collisions has collisions has

complexity complexity ΘΘ(2(2nr(r-1)/2nr(r-1)/2))

Slide, from Shai Halevi Slide, from Shai Halevi

Constructions of iterative hash functions that Constructions of iterative hash functions that do not suffer from attacks on MDdo not suffer from attacks on MD

Wide pipe (Lucks 2005)Wide pipe (Lucks 2005)


Sponge design (Bertoni, Daemen, Peeters and Van Assche, 2007)Sponge design (Bertoni, Daemen, Peeters and Van Assche, 2007)


HAIFA (Biham, Dunkelman, 2006)HAIFA (Biham, Dunkelman, 2006)

Description of the main Description of the main applications of hash functionsapplications of hash functions

Digital signaturesDigital signatures

Private RSA or EC or DSA keyPrivate RSA or EC or DSA key Public RSA or EC or DSA keyPublic RSA or EC or DSA key


MAC and HMACMAC and HMAC


Modification Detection Codes (MDC)Modification Detection Codes (MDC)


Uses hash functions, via

HMAC

Uses hash functions, via

HMAC

Block Ciphers as Hash Block Ciphers as Hash FunctionsFunctions

can use block ciphers as hash functionscan use block ciphers as hash functions using Husing H00=0 and zero-pad of final block=0 and zero-pad of final block

compute: Hcompute: Hii = E = EMMii [H [Hi-1i-1]]

and use final block as the hash valueand use final block as the hash value similar to CBC but without a keysimilar to CBC but without a key

resulting hash is too small (64-bit)resulting hash is too small (64-bit) both due to direct birthday attackboth due to direct birthday attack and to “meet-in-the-middle” attackand to “meet-in-the-middle” attack

other variants also susceptible to attackother variants also susceptible to attack

Building blocks in the hash Building blocks in the hash functionsfunctions

Based on block ciphersBased on block ciphers

Building blocks in the hash Building blocks in the hash functionsfunctions

Based on block ciphersBased on block ciphers Govaerts, Preneel and Vandewalle: “Hash functions based on block ciphers: A synthetic approach”, 1993Govaerts, Preneel and Vandewalle: “Hash functions based on block ciphers: A synthetic approach”, 1993 12 secure schemes (PGV1-12)12 secure schemes (PGV1-12) Strict black-box analysis done by Rogaway, Black and Shrimpton I 2002.Strict black-box analysis done by Rogaway, Black and Shrimpton I 2002.

Secure Hash AlgorithmSecure Hash Algorithm

SHA originally designed by NIST & NSA in 1993SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1was revised in 1995 as SHA-1 US standard for use with DSA signature scheme US standard for use with DSA signature scheme

standard is FIPS 180-1 1995, also Internet RFC3174standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS nb. the algorithm is SHA, the standard is SHS

based on design of MD4 with key differences based on design of MD4 with key differences produces 160-bit hash values produces 160-bit hash values recent 2005 results on security of SHA-1 have recent 2005 results on security of SHA-1 have

raised concerns on its use in future applicationsraised concerns on its use in future applications

Revised Secure Hash Revised Secure Hash StandardStandard

NIST issued revision FIPS 180-2 in 2002NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA adds 3 additional versions of SHA

SHA-256, SHA-384, SHA-512SHA-256, SHA-384, SHA-512 designed for compatibility with increased designed for compatibility with increased

security provided by the AES ciphersecurity provided by the AES cipher structure & detail is similar to SHA-1structure & detail is similar to SHA-1 hence analysis should be similarhence analysis should be similar but security levels are rather higherbut security levels are rather higher

SHA-512 OverviewSHA-512 Overview

Complete pseudo-code for SHA-512Complete pseudo-code for SHA-512

SHA-512 Compression SHA-512 Compression FunctionFunction

heart of the algorithmheart of the algorithm processing message in 1024-bit blocksprocessing message in 1024-bit blocks consists of 80 roundsconsists of 80 rounds

updating a 512-bit buffer updating a 512-bit buffer using a 64-bit value Wt derived from the using a 64-bit value Wt derived from the

current message blockcurrent message block and a round constant based on cube root of and a round constant based on cube root of

first 80 prime numbersfirst 80 prime numbers

SHA-512 Round FunctionSHA-512 Round Function

SHA-512 SHA-512 Round FunctionRound Function

NIST worldwide hash competition NIST worldwide hash competition for SHA-3for SHA-3

SHA-3 RequirementsSHA-3 Requirements

224, 256, 384 and 512 bits of output224, 256, 384 and 512 bits of output Collision resistance of n/2 bitsCollision resistance of n/2 bits (Second)Preimage resistance of n bits(Second)Preimage resistance of n bits Resistant against length-extension attackResistant against length-extension attack Significantly faster than SHA-2Significantly faster than SHA-2

SHA-3 Competition timelineSHA-3 Competition timeline

SHA-3 Competition timelineSHA-3 Competition timeline64 submissions64 submissions

51 candidates51 candidates

3Q | Announce the Second Round candidates.

14 candidates14 candidates


Delayed for 4Q.Delayed for 4Q.

AdditionAdditionRotationRotationeXoringeXoring

mostly mostly AESAES

like like SerpentSerpent




On 9 Dec 2010 NIST announced 5 SHA-3 finalists




On 9 Dec 2010 NIST announced 5 SHA-3 finalists

2 October 2012, NIST announced that SHA-3 is Keccak

2 October 2012, NIST announced that SHA-3 is Keccak


What does it mean “significantly improved efficiency” (over SHA-2)?What does it mean “significantly improved efficiency” (over SHA-2)? Let us take the following “definition”: Significantly improved Let us take the following “definition”: Significantly improved

efficiency over SHA-2 means at least 2 times faster than SHA-2.efficiency over SHA-2 means at least 2 times faster than SHA-2. Then, if a function is 2 times slower than SHA-2, it means that it has Then, if a function is 2 times slower than SHA-2, it means that it has

significantly worse efficiency.significantly worse efficiency. This convention seems to be accepted by many in cryptography This convention seems to be accepted by many in cryptography

(see “(see “Classication of the SHA-3 CandidatesClassication of the SHA-3 Candidates”, ”, Fleischmann, Forler, Fleischmann, Forler, and Gorski, eprint 2008, report 511)and Gorski, eprint 2008, report 511)


Why NIST expected SHA-3 to be “with significantly improved Why NIST expected SHA-3 to be “with significantly improved efficiency” (over SHA-2)?efficiency” (over SHA-2)?

Because of their experience with serious software vendors that are still using MD5 instead of SHA-1

(and now instead of SHA-2) due to the more than 1:3 speed ratio in

favor to MD5 vs sha256.

SummarySummary

have considered:have considered: hash functionshash functions SHA-3SHA-3 SHA-512SHA-512

Cryptography and Network Security Chapter 11

Documents

Transcript of Cryptography and Network Security Chapter 11