Cryptography Primer - IIT Madras CSE Dept. · 2019-03-24 · Cryptography (its use) • A crucial...

Cryptography Primer
Chester Rebeiro, IIT Madras

Cryptography (its use)

• A crucial component in all security systems
• Fundamental component to achieve:
  • Confidentiality: allows only authorized users access to data
  • Data integrity: cryptography can be used to ensure that only authorized users can make modifications (for instance to a bank account number)
  • Authentication: cryptography helps prove identities
  • Non-repudiation: the sender of a message cannot claim that she did not send it ("I did not send that")

Scheme for Confidentiality

[Figure: Alice sends the message "Attack at Dawn!!" to Bob over an untrusted communication link; Mallory has access to the link]

Problem: Alice wants to send a message to Bob (and only to Bob) through an untrusted communication link.

Encryption

[Figure: Alice encrypts "Attack at Dawn!!" with E under the key KE; the ciphertext #%AR3Xf34^$ crosses the untrusted communication link; Bob decrypts it with D under the key KD and recovers "Attack at Dawn!!"]

Secrets:
• Only Alice knows the encryption key KE
• Only Bob knows the decryption key KD

Mallory only sees the ciphertext. She cannot get the plaintext message because she does not know the keys.

Encryption Algorithms

• Should be easy to compute for Alice/Bob (who know the key)
• Should be difficult to compute for Mallory (who does not know the key)
• What is 'difficult'?
  • Ideal case: prove that the probability of Mallory determining the encryption/decryption key is no better than a random guess
  • Computationally: show that it is difficult for Mallory to determine the keys even if she has massive computational power

Ciphers

• Symmetric algorithms
  • Encryption and decryption use the same key, i.e. KE = KD
  • Examples:
    • Block ciphers: DES, AES, PRESENT, etc.
    • Stream ciphers: A5, Grain, etc.
• Asymmetric algorithms
  • Encryption and decryption keys are different: KE ≠ KD
  • Examples: RSA, ECC

Encryption Keys

• How are keys managed?
• How do Alice and Bob select the keys?
• Need algorithms for key exchange

Algorithmic Attacks

• Can Mallory use tricks to break the algorithm, thereby reducing the 'difficulty' of getting the key?

Cipher Design Challenges

• We want crypto algorithms to be fast and small
• For security, the algorithms are computationally intensive; they typically use large numbers and complex operations
• Need to protect against side-channel attacks
• Trade-offs between security, speed and side-channel attacks

Block Ciphers
Chester Rebeiro, IIT Madras
STINSON: chapter 3

Block Cipher

[Figure: Alice encrypts "Attack at Dawn!!" with E under KE, the ciphertext #%AR3Xf34^$ crosses the untrusted communication link, and Bob decrypts it with D under KD]

The encryption key is the same as the decryption key (KE = KD).

Block Cipher: Encryption

[Figure: block cipher encryption takes a plaintext of one block length and a secret key of the key length and outputs a ciphertext of one block length]

• A block cipher encryption algorithm encrypts n bits of plaintext at a time
• May need to pad the plaintext if necessary
• y = e_k(x)

Block Cipher: Decryption

[Figure: block cipher decryption takes a ciphertext of one block length and the secret key and outputs the plaintext]

• A block cipher decryption algorithm recovers the plaintext from the ciphertext
• x = d_k(y)

Inside the Block Cipher (an iterative cipher)

[Figure: plaintext block → key whitening → round 1 (key1) → round 2 (key2) → round 3 (key3) → ... → round n (keyn) → ciphertext block]

• Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate output
• The size of the key (all the round keys taken together) is huge... much larger than the block size

Inside the Block Cipher (the key schedule)

[Figure: key expansion derives round key 1, round key 2, round key 3, ..., round key n from the secret key; round key i is fed to round i]

• A single secret key of fixed size is used to generate 'round keys' for each round

Inside the Round Function

[Figure: round input → AddRoundKey → confusion layer → diffusion layer → round output]

• AddRoundKey: mixing operation between the round input and the round key; typically an ex-or operation
• Confusion layer: makes the relationship between round input and output complex
• Diffusion layer: dissipates the round input. Avalanche effect: a single bit change in the round input should cause huge changes in the output. Makes it difficult for the attacker to pick out some bits over the others (think Hill cipher)

The Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES)

• NIST's standard for block ciphers since October 2000
• SPN network with each round having
  • Randomness layer: round key addition
  • Confusion layer: byte substitution
  • Diffusion layer: ShiftRows and MixColumns (the last round does not have the MixColumns step)

  Variant   Key length   No. of rounds
  AES-128   16 bytes     10
  AES-192   24 bytes     12
  AES-256   32 bytes     14

The AES State Representation

• 16 bytes arranged in a 4x4 matrix of bytes, filled column by column

The 16-byte plaintext a b c d e f g h i j k l m n o p becomes the state

  a e i m
  b f j n
  c g k o
  d h l p

and AES produces the 16-byte ciphertext A B C D E F G H I J K L M N O P, arranged the same way:

  A E I M
  B F J N
  C G K O
  D H L P

AES-128 Encryption

[Figure: plaintext block → XOR with the secret key → loop 10 times: ByteSubstitution → ShiftRows → MixColumns (except for the last round) → AddRoundKey with the round keys RK1, RK2, RK3, ..., RK10 produced by key expansion → ciphertext block]

4 operations:
• ByteSubstitution (confusion)
• ShiftRows (diffusion)
• MixColumns (diffusion)
• AddRoundKey

AES Operations

• All AES operations are performed in the field GF(2^8)
• The field's irreducible polynomial is x^8 + x^4 + x^3 + x + 1
  • in binary notation: (100011011)_2
  • in hex notation: (11B)_16

Byte Substitution

• Makes a non-linear substitution for every byte in the 4x4 matrix: each byte of the state a, b, ..., p is replaced by its S-box value A, B, ..., P (the column e, f, g, h becomes E, F, G, H)

The S-box: inversion in GF(2^8) followed by an affine transformation

  S-box(a) = Affine(a^-1)   if a ≠ 0
  S-box(a) = Affine(0)      if a = 0

Affine transformation (input bits a7 ... a0, output bits b7 ... b0; all additions are ex-or):

  [b7]   [1 1 1 1 1 0 0 0] [a7]   [0]
  [b6]   [0 1 1 1 1 1 0 0] [a6]   [1]
  [b5]   [0 0 1 1 1 1 1 0] [a5]   [1]
  [b4] = [0 0 0 1 1 1 1 1] [a4] ⊕ [0]
  [b3]   [1 0 0 0 1 1 1 1] [a3]   [0]
  [b2]   [1 1 0 0 0 1 1 1] [a2]   [0]
  [b1]   [1 1 1 0 0 0 1 1] [a1]   [1]
  [b0]   [1 1 1 1 0 0 0 1] [a0]   [1]

AES S-box Design Rationale

• This S-box construction was proposed by Kaisa Nyberg in 1993
• Steps:
  1. Inverse in GF(2^8)
     • Provides high degrees of non-linearity
     • Known to have good resistance against differential and linear cryptanalysis
  2. Affine transformation
     • Ensures no fixed points (a fixed point would be an input x with S(x) = x)
     • Complicates algebraic attacks

S-box Encryption Table

• Use a table to do the byte substitution
• e.g. Sbox[42] = 2c (hexadecimal)

Shift Rows

• ShiftRows:
  • Leave the first row untouched
  • Left-rotate the 2nd row by 8 bits
  • Left-rotate the 3rd row by 16 bits
  • Left-rotate the 4th row by 24 bits
• Along with MixColumns, provides high diffusion
• Bits flip in at least 25 S-boxes after 4 rounds

  before         after
  a e i m        a e i m
  b f j n        f j n b
  c g k o        k o c g
  d h l p        p d h l

Read column by column, the 16 bytes a b c d e f g h i j k l m n o p become a f k p e j o d i n c h m b g l.

Mix Columns

• Each column of the 4x4 matrix is multiplied with the matrix

  [2 3 1 1]
  [1 2 3 1]
  [1 1 2 3]
  [3 1 1 2]

• For the input column (e, f, g, h) the output column (E, F, G, H) is

  E = 2e + 3f + g + h
  F = e + 2f + 3g + h
  G = e + f + 2g + 3h
  H = 3e + f + g + 2h

• Note that the multiplications are in the GF(2^8) field

Mix Columns Rationale

Why use this matrix?
• It is an MDS matrix (from Maximum Distance Separable codes)
  • If the input of a column changes then all outputs change
  • This maximizes the branch number
  • For AES, the branch number is 5
• The values [2, 3, 1, 1] are the smallest which result in an MDS matrix that is also circulant
• Has an inverse in the AES field

AES Operations (Add Round Key)

Addition here is addition in GF(2^8), which is the ex-or operation.

  state        round key              result
  a e i m      k0 k4 k8  k12          a+k0 e+k4 i+k8  m+k12
  b f j n      k1 k5 k9  k13          b+k1 f+k5 j+k9  n+k13
  c g k o      k2 k6 k10 k14          c+k2 g+k6 k+k10 o+k14
  d h l p      k3 k7 k11 k15          d+k3 h+k7 l+k11 p+k15

AES-128 Decryption

[Figure: ciphertext block → XOR with RK10 → loop 10 times: InverseByteSubstitution → InverseShiftRows → AddRoundKey with RK9, RK8, ..., RK1 and finally the secret key → InverseMixColumns (except for the last round) → plaintext block; the round keys come from key expansion of the secret key]

Inverse S-box

• Simply the AES S-box run in reverse
• As with the S-box operation, a lookup table can be used

Inverse Shift Rows

• Inverse ShiftRows:
  • Leave the first row untouched
  • Right-rotate the 2nd row by 8 bits
  • Right-rotate the 3rd row by 16 bits
  • Right-rotate the 4th row by 24 bits

  before         after
  a e i m        a e i m
  f j n b        b f j n
  k o c g        c g k o
  p d h l        d h l p

Read column by column, a f k p e j o d i n c h m b g l becomes a b c d e f g h i j k l m n o p again.

Inverse Mix Column

• Each column of the 4x4 matrix is multiplied with the matrix (entries in hexadecimal)

  [e b d 9]
  [9 e b d]
  [d 9 e b]
  [b d 9 e]

• For the input column (e, f, g, h) the output column (E, F, G, H) is

  E = 0e·e + 0b·f + 0d·g + 09·h
  F = 09·e + 0e·f + 0b·g + 0d·h
  G = 0d·e + 09·f + 0e·g + 0b·h
  H = 0b·e + 0d·f + 09·g + 0e·h

• The hardware implementation can be done in a similar way as MixColumns

AES Key Schedule

[Figure: key expansion derives the round keys RK1, RK2, RK3, ..., RK10 from the secret key]

• How to expand the secret key
• Design criteria:
  o Efficient
  o Non-symmetric: ensured by round constants
  o Efficient diffusion properties of the secret key into the round keys
  o It should exhibit enough non-linearity to prohibit the full determination of differences in the expanded key from cipher key differences only

AES Key Schedule

[Figure: the 16 secret key bytes K0,0 ... K0,15 are arranged as four columns (words) of four bytes each; the last column K0,12 ... K0,15 is passed through RotWord, then the S-box operation, then an ex-or with the round constant (2^(i-1), 0, 0, 0) for round i; the result is ex-ored with the first column of the secret key to give the first column K1,0 ... K1,3 of the 1st round key, and each following column of the round key is the ex-or of the column just produced with the corresponding column of the previous key]
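The S-box construction, the two MixColumns matrices and the key schedule on the slides above can be checked by computing them from their definitions. The following Python is an added example, not code from the slides or from any AES implementation: it builds GF(2^8) arithmetic with the polynomial 0x11B, the S-box as field inverse followed by the affine map, (inverse) MixColumns, an MDS check and the AES-128 key expansion, and compares them with values from FIPS-197 (the products {57}·{83} = {c1}, the S-box entries 63/7c/ed, the column d4 bf 5d 30, and the round keys of the key 2b7e1516 28aed2a6 abf71588 09cf4f3c). The function names and the search-based inverse are choices made here.

```python
# Added example (not from the slides or any AES library): the AES building blocks
# computed from their definitions. Field: GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B).
from typing import List

def xtime(a: int) -> int:
    """Multiply by x (i.e. by 2): left shift, then ex-or with 0x1B if a bit overflowed."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a: int, b: int) -> int:
    """Field multiplication by repeated doubling (x3 = x2 + x is one step of this loop)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def gf_inv(a: int) -> int:
    """Multiplicative inverse by search; 0 has no inverse and is mapped to 0 (S-box rule)."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def affine(a: int) -> int:
    """Affine map b = M*a xor 0x63: output bit i is a_i xor a_(i+4) xor a_(i+5) xor
    a_(i+6) xor a_(i+7) (indices mod 8), i.e. a ex-ored with its four left rotations,
    plus the constant vector 0x63 = 0110 0011 (b7 ... b0)."""
    x = a
    for _ in range(4):
        a = ((a << 1) | (a >> 7)) & 0xFF   # rotate left by one bit
        x ^= a
    return x ^ 0x63

SBOX = [affine(gf_inv(a)) for a in range(256)]   # S-box(a) = Affine(a^-1), Affine(0) for a = 0
INV_SBOX = [0] * 256
for _in, _out in enumerate(SBOX):
    INV_SBOX[_out] = _in

def has_fixed_point() -> bool:
    """The rationale slide says the affine step leaves no x with S(x) = x."""
    return any(SBOX[a] == a for a in range(256))

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0xE, 0xB, 0xD, 0x9], [0x9, 0xE, 0xB, 0xD], [0xD, 0x9, 0xE, 0xB], [0xB, 0xD, 0x9, 0xE]]

def mix_column(col: List[int], matrix: List[List[int]] = MIX) -> List[int]:
    """Multiply one 4-byte column by the (inverse) MixColumns matrix over GF(2^8)."""
    return [gf_mul(r[0], col[0]) ^ gf_mul(r[1], col[1]) ^ gf_mul(r[2], col[2]) ^ gf_mul(r[3], col[3])
            for r in matrix]

def single_byte_change_spreads() -> bool:
    """MDS check from the rationale slide: MixColumns is linear, so the output difference
    caused by changing one input byte is mix_column(difference); it must be non-zero in
    all four bytes for every byte position and every non-zero byte value."""
    for pos in range(4):
        for delta in range(1, 256):
            diff = [0, 0, 0, 0]
            diff[pos] = delta
            if 0 in mix_column(diff):
                return False
    return True

def expand_key_128(key: bytes) -> List[bytes]:
    """AES-128 key schedule: 44 words w[0..43]; w[i] = w[i-4] xor t, where t = w[i-1]
    after RotWord, SubWord and the round constant (2^(i/4-1), 0, 0, 0) when i is a
    multiple of 4, and t = w[i-1] otherwise. Returns the 11 round keys (key first)."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]              # RotWord
            t = [SBOX[b] for b in t]       # SubWord (S-box on each byte)
            t[0] ^= rcon                   # round constant on the first byte only
            rcon = xtime(rcon)             # 1, 2, 4, ..., 0x80, 0x1b, 0x36
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

if __name__ == "__main__":
    print("Sbox[42] =", hex(SBOX[0x42]))
    print("MixColumns(d4 bf 5d 30) =", [hex(v) for v in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
    print("round key 1 =", expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))[1].hex())
```

Running the file prints Sbox[42] = 0x2c, the FIPS-197 column 04 66 81 e5, and round key 1 a0fafe17 88542cb1 23a33939 2a6c7605; the inverse S-box and the inverse MixColumns matrix undo their counterparts entry by entry.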

Implementation Aspects of AES

Software Implementations of AES Encryption

• S-box implemented as a lookup table (256 bytes)
• ShiftRows combined with MixColumns
• Multiplication with the MDS matrix is easily achieved:
  • x2: done by a left shift. If there is an overflow, an ex-or with 0x1B is needed
  • x3 = x2 + x

AES on 32 bit Systems (A Round of AES)

[Figure: one round of AES on a 32-bit word-oriented implementation]

T Tables

[Figure: combining the operations (for a column); defining the 4 T-tables; one round of AES using T-tables]

OpenSSL Implementation of AES (with T-tables)

[Figure: the T-table based round of the OpenSSL AES implementation]

Last Round of AES

• Uses a different table (Te4)

AES NI

• Accelerating AES on modern Intel and AMD processors with dedicated instructions

Compact Implementations of AES

• How should the S-box be implemented?
  • Lookup table (256 bytes)
    • This may be too large for some devices
  • Finding the inverse (using Itoh-Tsujii or the extended Euclidean algorithm) and then the affine transformation
    • Again expensive (too big!!!)
  • Third alternative
    • Use composite fields

Composite Fields for AES

• The AES field is GF(2^8) / (x^8 + x^4 + x^3 + x + 1)
• Has order 256
• Many composite fields for AES exist:
  • GF((2^4)^2): requires two irreducible polynomials
    • One has the form x^4 + ..., where the coefficients are in GF(2)
    • The second has the form x^2 + ax + b, where a, b are in GF(2^4)
  • GF(((2^2)^2)^2): requires three irreducible polynomials
    • The first has the form x^2 + a1·x + b1, where a1, b1 are in GF(2)
    • The second has the form x^2 + a2·x + b2, where a2, b2 are in GF(2^2)
    • The third has the form x^2 + a3·x + b3, where a3, b3 are in GF((2^2)^2)

Mapping between GF(2^8) and Composite Fields

https://drive.google.com/file/d/0BwxUBZXYoUKCTEJmNUozMl9xM3M/edit?usp=sharing

FindMap() {
    Initialize MAP[0] = 0 and REVMAP[0] = 0
    Find a primitive root α of the field GF(2^8)
    Find a primitive root β of the field GF((2^4)^2)
    α' = 1; β' = 1
    For i = 1 to 255 {
        α' = α' · α    (multiplication in the field GF(2^8))
        β' = β' · β    (multiplication in the field GF((2^4)^2))
        MAP[α'] = β'
        REVMAP[β'] = α'
    }
    return MAP and REVMAP
}

Implementing the AES S-box in Composite Fields

[Figure: x → Map → inverse in the composite field (e.g. in GF((2^4)^2)) → Reverse Map → Affine Transform → Sbox(x)]

S-box Based on Composite Fields

Performance of S-boxes on FPGA*

  S-box approach          No. of slices   Critical path   Gate count
  Lookup table based      64              11.9 ns         1128
  Composite field based   30              18.3 ns         312

Gate count for the composite S-box#

  XOR   NAND   NOR   Total gates in terms of NAND (using std cell lib)
  80    34     6     180

# D. Canright, A Very Compact S-box for AES, CHES-2005
* Simulation results using Xilinx ISE

Overhead of Composite Field S-boxes

• Composite field S-boxes require mapping and reverse mapping to and from the composite field in each round
• An alternate approach is to convert all other round operations into composite field operations
  • This would require just one mapping and one reverse mapping for the entire encryption
  • The operations AddRoundKey and ShiftRows are not altered
  • MixColumns will need to be re-implemented

Modes of Operation

What are Modes of Operation?

• Block cipher algorithms only encrypt a single block of message
• A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
• Modes of operation:
  • Electronic codebook mode (ECB mode)
  • Cipher feedback mode (CFB mode)
  • Cipher block chaining mode (CBC mode)
  • Output feedback mode (OFB mode)
  • Counter mode

ECB Mode

[Figure: each plaintext block p0, p1, p2, p3, p4 is encrypted separately with e_K to give c0, c1, c2, c3, c4]

• Every block in the message is encrypted independently with the same key
• Drawback 1: if pi = pj (i ≠ j) then ci = cj
  • Encryption should protect against known plaintext attacks (since the attacker could guess parts of the message... like stereotyped beginnings)
• Drawback 2: an interceptor may alter the order of the blocks during transmission
• Not recommended for encryption of more than one block

CBC Mode

[Figure: c0 = e_K(p0 ⊕ IV), and for each following block ci = e_K(pi ⊕ c(i-1)) for p1 ... p4]

• Cipher Block Chaining
• Advantage 1: encryption is dependent on the ciphertext of the previous block, therefore ci ≠ cj (i ≠ j) even if pi = pj
• Advantage 2: an intruder cannot alter the order of the blocks during transmission
• If an error is present in one received block (say ci)
  • Then ci and ci+1 will not be decrypted correctly
  • All remaining blocks will be correctly decrypted

CBC Mode Decryption

[Figure: p0 = d_K(c0) ⊕ IV, and for each following block pi = d_K(ci) ⊕ c(i-1) for c1 ... c4]

CFB (Cipher Feedback Mode)

[Figure, encryption scheme: a shift register initialized with the IV is encrypted with e_K; 8 bits of the output are ex-ored with 8 bits of the message stream at a time to give the ciphertext stream (8 bits transmitted at a time), and the ciphertext bits are shifted back into the register]

• Can transform a block cipher into a stream cipher
  • i.e. each block is encrypted with a different key
• Uses a shift register that is initialized with an IV

CFB - Error Propagation

[Figure, decryption scheme: the shift register initialized with the IV is encrypted with e_K and the output is ex-ored with the ciphertext stream (8 bits at a time) to give the plaintext stream (8 bits decrypted at a time)]

• Uses a shift register that is initialized with an IV
• The previous ciphertext block is fed into the shift register

Output Feedback Mode (OFB)

[Figure, encryption scheme (the decryption scheme is similar): the shift register is encrypted with e_K, the output is ex-ored with the message stream (8 bits at a time) to give the ciphertext stream (8 bits transmitted at a time), and the output of e_K, not the ciphertext, is fed back into the shift register]

• Very similar to CFB but the feedback is taken from the output of e_K
• An error in one byte of the ciphertext affects only one decryption

Counter Mode

[Figure: e_K is applied to counter, counter+1, counter+2, counter+3, counter+4 and each output is ex-ored with p0, p1, p2, p3, p4 to give c0, c1, c2, c3, c4]

• A randomly initialized counter is incremented with every encryption
• Can be parallelized
  • i.e. multiple encryption engines can run simultaneously
• As with OFB, an error in a single ciphertext block affects only one decrypted plaintext
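To see the two ECB drawbacks and the error-propagation behaviour of CBC and counter mode from the slides above in running code, the following added Python example (not from the slides) implements ECB, CBC and CTR on top of a constructed toy block cipher. The cipher (a 4-round Feistel network with a SHA-256 round function), the key, the IV, the nonce and the messages are all constructed for the demonstration; the toy cipher stands in for e_K and d_K in the diagrams and is not a secure cipher.

```python
# Added example (not from the slides): ECB, CBC and CTR over a constructed 16-byte block
# cipher. The block cipher is a toy 4-round Feistel network with a SHA-256 round
# function, a stand-in for e_K/d_K in the diagrams, not a secure cipher.
import hashlib
from typing import List

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """e_K: (L, R) -> (R, L xor F(R)) for four rounds."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """d_K: the same rounds undone in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """Pad to whole blocks (PKCS#7 style); a full block is added if already aligned."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return b"".join(encrypt_block(key, p) for p in blocks(pad(plaintext)))

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(decrypt_block(key, c) for c in blocks(ciphertext))   # still padded

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pad(plaintext)):
        prev = encrypt_block(key, _xor(p, prev))        # c_i = e_K(p_i xor c_(i-1)), c_(-1) = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: b"", ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))   # p_i = d_K(c_i) xor c_(i-1)
        prev = c
    return b"".join(out)   # still padded, so damaged blocks can be inspected

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: keystream block i = e_K(nonce || counter+i); same call for both directions."""
    return b"".join(_xor(chunk, encrypt_block(key, nonce + i.to_bytes(8, "big")))
                    for i, chunk in enumerate(blocks(data)))

def ecb_repeats(key: bytes, plaintext: bytes) -> bool:
    """Drawback 1: equal plaintext blocks p_i = p_j give equal ciphertext blocks c_i = c_j."""
    c = blocks(ecb_encrypt(key, plaintext))
    return c[0] == c[1]

def ecb_reorder_undetected(key: bytes, plaintext: bytes) -> bool:
    """Drawback 2: swapping ciphertext blocks 0 and 2 decrypts to a valid, reordered plaintext."""
    c = blocks(ecb_encrypt(key, plaintext))
    c[0], c[2] = c[2], c[0]
    p = blocks(pad(plaintext))
    p[0], p[2] = p[2], p[0]
    return ecb_decrypt(key, b"".join(c)) == b"".join(p)

def damaged_blocks(original: bytes, recovered: bytes) -> List[int]:
    return [i for i, (p, q) in enumerate(zip(blocks(original), blocks(recovered))) if p != q]

def cbc_error_propagation(key: bytes, iv: bytes, plaintext: bytes, i: int) -> List[int]:
    """Flip one bit of ciphertext block c_i; CBC decryption damages only p_i and p_(i+1)."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[i * BLOCK] ^= 0x01
    return damaged_blocks(pad(plaintext), cbc_decrypt(key, iv, bytes(ct)))

def ctr_error_propagation(key: bytes, nonce: bytes, plaintext: bytes, i: int) -> List[int]:
    """Flip one bit of ciphertext block c_i; CTR decryption damages only p_i."""
    ct = bytearray(ctr_crypt(key, nonce, plaintext))
    ct[i * BLOCK] ^= 0x01
    return damaged_blocks(plaintext, ctr_crypt(key, nonce, bytes(ct)))

# Constructed sample inputs: a placeholder key, a fixed IV and nonce, and two messages.
KEY = b"constructed-key!"                     # 16 bytes, demonstration only
IV = bytes(range(16))
NONCE = b"\x00" * 8
MESSAGE = b"Attack at Dawn!!" * 3            # every block repeats, which ECB exposes
ORDERED = b"first block----!second block---!third block----!"   # three distinct blocks
```

With these inputs, ecb_repeats(KEY, MESSAGE) is True while the CBC ciphertext blocks all differ; ecb_reorder_undetected(KEY, ORDERED) is True; flipping one bit in c1 damages blocks [1, 2] under CBC and only block [1] under CTR, matching the slides' statements about error propagation.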

Cryptographic Hash Functions

STINSON: chapter 4

Issues with Integrity

[Figure: Alice sends the message "Attack at Dawn!!" to Bob over an insecure channel; on the way 'Dawn' is changed to 'Dusk' and Bob receives "Attack at Dusk!!"]

How can Bob ensure that Alice's message has not been modified? Note... we are not concerned with confidentiality here.

Hashes

[Figure: Alice sends the message "Attack at Dawn!!" over the insecure channel and the message digest y = h(x) over a secure channel; Bob passes the received message through h and compares the result with the digest]

• Alice passes the message through a hash function, which produces a fixed length message digest
  • The message digest is representative of Alice's message
  • Even a small change in the message will result in a completely new message digest
  • Typically of 160 bits, irrespective of the message size
• Bob re-computes a message hash and verifies the digest with Alice's message digest

Integrity with Hashes

[Figure: as above; Mallory changes the message x on the insecure channel to x', so Bob computes y' = h(x') and compares it with the digest y = h(x) that arrived over the secure channel]

Mallory does not have access to the digest y. Her task (to modify Alice's message) is much more difficult. If she modifies x to x', the modification can be detected unless h(x) = h(x'). Hash functions are specially designed to resist such collisions.

Message Authentication Codes (MAC)

[Figure: Alice computes the message digest y = h_K(x) with the shared key K and sends both the message "Attack at Dawn!!" and the digest over the insecure channel; Bob recomputes h_K over the received message with the same K and compares]

• MACs allow the message and the digest to be sent over an insecure channel
• However, it requires Alice and Bob to share a common key

Avalanche Effect

[Figure: message M → hash function → short fixed-length digest, also called 'hash']

Hash functions provide unique digests with high probability. Even a small change in M will result in a new digest.
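The digest-over-a-secure-channel scheme, the keyed MAC and the avalanche effect from the slides above, as an added Python example (not from the slides) using SHA-256 and HMAC-SHA-256 from the standard library. The message, the tampered message and the shared key are constructed sample values; the check that an unkeyed digest can be recomputed by anyone is exactly why the slides require a secure channel for the digest or a shared key for the MAC.

```python
# Added example (not from the slides): integrity with a plain digest versus a keyed MAC.
import hashlib
import hmac

def digest(message: bytes) -> bytes:
    """Unkeyed message digest y = h(x); 32 bytes for SHA-256 whatever the size of x."""
    return hashlib.sha256(message).digest()

def verify_digest(message: bytes, expected: bytes) -> bool:
    """Bob's check when the digest arrived over a secure channel: recompute and compare.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(digest(message), expected)

def mac(key: bytes, message: bytes) -> bytes:
    """Keyed digest y = h_K(x) (HMAC-SHA-256); only holders of K can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's check when message and tag both arrived over the insecure channel."""
    return hmac.compare_digest(mac(key, message), tag)

def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two digests, to observe the avalanche effect."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample values, following the slides' scenario.
ALICE_MESSAGE = b"Attack at Dawn!!"
TAMPERED = b"Attack at Dusk!!"
SHARED_KEY = b"constructed-shared-key-for-demo"   # placeholder, not a real secret

if __name__ == "__main__":
    print("digest check on tampered message:", verify_digest(TAMPERED, digest(ALICE_MESSAGE)))
    print("MAC check on tampered message:   ", verify_mac(SHARED_KEY, TAMPERED, mac(SHARED_KEY, ALICE_MESSAGE)))
    print("bits changed by Dawn -> Dusk:    ", bit_difference(digest(ALICE_MESSAGE), digest(TAMPERED)))
```

Both checks reject "Attack at Dusk!!" against Alice's original digest or tag; the difference is that a digest recomputed over the tampered message passes verify_digest, whereas a tag computed under any key other than SHARED_KEY fails verify_mac. The one-character change from Dawn to Dusk flips roughly half of the 256 digest bits.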

Hash Functions in Security

• Digital signatures
• Random number generation
• Key updates and derivations
• One way functions
• MAC
• Detect malware in code
• User authentication (storing passwords)

Hash Family

[Figure: h_K maps the message set X to the digest set Y]

• The hash family is a 4-tuple defined by (X, Y, K, H)
  • X is a set of messages (may be infinite)
  • Y is a finite set of message digests (aka authentication tags)
  • K is a finite set of keys
  • Each key K ∈ K defines a keyed hash function h_K ∈ H

Hash Family: some definitions

• Valid pair under K: (x, y) ∈ X × Y such that y = h_K(x)
• Size of the hash family: the number of functions possible from set X to set Y; if |Y| = M and |X| = N then the number of mappings possible is M^N
• The collection of all such mappings is termed an (N, M)-hash mapping

Unkeyed Hash Function

[Figure: a single h maps X to Y]

• The hash family is a 4-tuple defined by (X, Y, K, H)
  • X is a set of messages (may be infinite; we assume the minimum size is at least 2|Y|)
  • Y is a finite set of message digests
• In an unkeyed hash function: |K| = 1
• We thus have only one mapping function in the family

Security Aspects of Unkeyed Hash Functions

• h: X → Y, y = h(x) -----> no shortcuts in computing. The only valid way of computing y is to invoke the hash function h on x
• Three problems that define the security of a hash function:
  * Preimage resistance
  * Second preimage resistance
  * Collision resistance

Page 72: Cryptography Primer - IIT Madras CSE Dept. · 2019-03-24 · Cryptography (its use) • A crucial component in all security systems • Fundamental component to achieve • Confidentiality

Hash function Requirement 1 Preimage Resistant

•  Alsoknowasone-waynessproblem•  IfMalloryhappenstoknowthemessagedigest,sheshouldnotbeabletodeterminethemessage

•  Givenahashfunctionh:XàYandanelementyƐY. FindanyxƐX suchthat,h(x)=y

72X Y

h

Page 73:

Hash Function Requirement 2 (Second Preimage)

• Mallory has x and can compute h(x); she should not be able to find another message x' which produces the same hash.
• It would be easy to forge new digital signatures from old signatures if the hash function used weren't second preimage resistant
• Given a hash function h : X → Y and an element x ∈ X, find x' ∈ X, x' ≠ x, such that h(x) = h(x')

[Figure: h maps X to Y; a given x and a second input x' land on the same digest]

Page 74:

Hash Function Requirement 3 (Collision Resistant)

• Mallory should not be able to find two messages x and x' which produce the same hash
• Given a hash function h : X → Y, find x, x' ∈ X with x ≠ x' such that h(x) = h(x')

[Figure: h maps X to Y; two distinct inputs x, x' land on the same digest]

There is no collision-free hash function, but hash functions can be designed so that collisions are difficult to find.

Page 75:

Finding Collisions

Find_Collisions(h, Q) {
    choose Q distinct values from X (say x_1, x_2, …, x_Q)
    for (i = 1; i <= Q; ++i)
        y_i = h(x_i)
    if there exists (y_j == y_k) for j ≠ k then
        return (x_j, x_k)
    return FAIL
}

$$\Pr[\text{Success}] = \varepsilon = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right), \qquad |Y| = M$$

Page 76:

Birthday Paradox

• Find the probability that at least two people in a room (of Q people) have the same birthday

Event A: at least two people in the room have the same birthday
Event A': no two people in the room have the same birthday

$$\Pr[A] = 1 - \Pr[A']$$

$$\Pr[A'] = 1 \times \left(1 - \frac{1}{365}\right) \times \left(1 - \frac{2}{365}\right) \times \left(1 - \frac{3}{365}\right) \times \cdots \times \left(1 - \frac{Q-1}{365}\right) = \prod_{i=1}^{Q-1}\left(1 - \frac{i}{365}\right)$$

$$\Pr[A] = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{365}\right)$$

Page 77:

Birthday Paradox

• If there are 23 people in a room, then the probability that two birthdays collide is 1/2

Page 78:

Collisions in Birthdays to Collisions in Hash Functions

Find_Collisions(h, Q) {
    choose Q distinct values from X (say x_1, x_2, …, x_Q)
    for (i = 1; i <= Q; ++i)
        y_i = h(x_i)
    if there exists (y_j == y_k) for j ≠ k then
        return (x_j, x_k)
    return FAIL
}

$$\Pr[\text{Success}] = \varepsilon = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right), \qquad |Y| = M$$

Relationship between Q, M, and success:

$$Q \approx \sqrt{2M \ln\frac{1}{1-\varepsilon}}$$

If ε = 0.5 then Q ≈ 1.17 √M

Q is always proportional to the square root of M; ε only affects the constant factor.

Page 79:

Birthday Attacks and Message Digests

• If the size of a message digest is 40 bits, M = 2^40
• A birthday attack would require 2^20 queries (Q ≈ 1.17 √M)
• Thus, to achieve 128-bit security against collision attacks, hashes of length at least 256 bits are required
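The Find_Collisions procedure and the birthday bound from the preceding slides, as an added Python example (not part of the slide deck). The "hash" is SHA-256 truncated to a few bits, a constructed toy so that M = |Y| is small enough for a collision to appear within the predicted ~1.17 √M queries; the inputs are drawn from a seeded generator so the run is reproducible.

```python
import hashlib
import math
import random

# Toy hash for the demonstration: SHA-256 truncated to `bits` bits, so M = 2**bits.
def truncated_hash(x: bytes, bits: int) -> int:
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)

def success_probability(q: int, m: int) -> float:
    """Slide formula: eps = 1 - prod_{i=1}^{Q-1} (1 - i/M)."""
    no_collision = 1.0
    for i in range(1, q):
        no_collision *= 1.0 - i / m
    return 1.0 - no_collision

def queries_needed(eps: float, m: int) -> float:
    """Q ~ sqrt(2 M ln(1/(1-eps))); for eps = 0.5 this is about 1.17 sqrt(M)."""
    return math.sqrt(2.0 * m * math.log(1.0 / (1.0 - eps)))

def find_collisions(h, q: int, seed: int = 1):
    """The slide's Find_Collisions(h, Q): hash Q distinct random inputs and
    return the first pair with equal digests, or None (FAIL)."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    seen = {}                           # digest -> input that produced it
    chosen = set()
    while len(chosen) < q:
        x = rng.getrandbits(64).to_bytes(8, "big")
        if x in chosen:
            continue                    # the Q inputs must be distinct
        chosen.add(x)
        y = h(x)
        if y in seen:
            return seen[y], x           # two distinct inputs, one digest
        seen[y] = x
    return None

if __name__ == "__main__":
    # 23 people, 365 days: the classic birthday paradox
    print(round(success_probability(23, 365), 3))              # 0.507
    # 40-bit digest: M = 2**40, about 1.17 * 2**20 queries for eps = 0.5
    print(queries_needed(0.5, 2**40) / 2**20)                  # ~1.177
    # 20-bit toy digest: a few thousand queries suffice in practice
    h20 = lambda x: truncated_hash(x, 20)
    pair = find_collisions(h20, 8192)
    print(pair is not None and h20(pair[0]) == h20(pair[1]))   # True
```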

Page 80:

Iterated Hash Functions

• So far, we've looked at hash functions where the message was picked from a finite set X
• What if the message is of infinite size?
• We use an iterated hash function
• The core of an iterated hash function is a function called compress
• compress hashes from m + t bits to m bits:

$$\text{compress} : \{0,1\}^{m+t} \rightarrow \{0,1\}^{m}$$

[Figure: compress takes an (m + t)-bit input and produces an m-bit output]

Page 81:

Iterated Hash Function (given m and t)

[Figure: input message x (may be of any length) → Append Pad → Pad Length → y; then, starting from the IV, the previous m-bit output is concatenated with the next t-bit block of y and fed to compress; a final post-processing function g yields h(y)]

• The input message is padded so that its length is a multiple of t
• The number of bits in the pad is appended
• The compress function is invoked iteratively for each t-bit block in the message. For the first operation, an initialization vector (IV) is used
• Concatenate the previous m-bit output with the next t-bit block (the IV is used only during initialization)
• After all t-bit blocks are processed, there is a post-processing step g, and finally the hash is obtained. This step is optional.
• The input message must be at least m + t + 1 bits in length

Page 82:

Iterated Hash Function (Principle)

• Another perspective

[Figure: iterated hash function, another perspective]

Page 83:

Hash Functions in Practice

• MD5
• NIST-specified "secure hash algorithm"
  • SHA0: published in 1993. 160-bit hash.
    • There were unpublished weaknesses in this algorithm
    • The first published weakness was in 1998, where a collision attack was discovered with complexity 2^61
  • SHA1: published in 1995. 160-bit hash.
    • SHA0 was replaced with SHA1, which resolved several of the weaknesses
    • SHA1 was used in several applications until 2005, when an algorithm to find collisions with a complexity of 2^69 was developed
    • In 2010, SHA1 was no longer supported. All applications that used SHA1 needed to be migrated to SHA2
  • SHA2: published in 2001. Supports 6 functions: 224, 256, 384, 512, and two truncated versions of 512-bit hashes
    • No collision attacks on SHA2 as yet. The best attack so far assumes reduced rounds of the algorithm (46 rounds)
  • SHA3: published in 2015. Also known as Keccak

Page 84:

MD5

• The input message x is appended with a 1 and then 0s so that its length is 448 (= 512 – 64) modulo 512
• The message length is appended (in 64 bits) and the result is split into blocks of 512 bits
• Each 512-bit block is used as 16 message parts of 32 bits; the state consists of four 32-bit limbs A, B, C, D
• Four rounds (Round 1 to Round 4); each round has 16 similar operations of this modified Feistel form, mixing in 32-bit message parts and constants
• The output is a 128-bit hash

[Figure: Append Pad → Pad Length → 512-bit blocks → Round 1 … Round 4 over A, B, C, D → 128-bit hash]
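The padding and iterated compress structure of the previous slides, instantiated as MD5, as an added pure-Python example (not the slide deck's code, and not a production implementation). It follows the slide's shape directly: md5_pad is Append Pad + Pad Length, md5_compress is compress with m = 128 and t = 512, the state starts from the IV, and MD5 has no post-processing g; the constants S, K and IV are the ones from the MD5 specification.

```python
import math
import struct

# MD5 per-operation rotation amounts (4 rounds x 16 operations) and sine constants.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

def md5_pad(msg: bytes) -> bytes:
    """Append a 1 bit, then 0 bits until the length is 448 mod 512, then the
    original length in bits as a 64-bit little-endian integer."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bit_len)

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md5_compress(state, block: bytes):
    """compress: {0,1}^(128+512) -> {0,1}^128, four rounds of 16 operations."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)      # 512 bits = 16 message parts of 32 bits
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & 0xFFFFFFFF
    # feed-forward: add the round result to the incoming state
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]

def md5(msg: bytes) -> str:
    state = IV
    padded = md5_pad(msg)
    for i in range(0, len(padded), 64):   # one compress call per 512-bit block
        state = md5_compress(state, padded[i:i + 64])
    return struct.pack("<4I", *state).hex()

if __name__ == "__main__":
    print(md5(b""))       # d41d8cd98f00b204e9800998ecf8427e
    print(md5(b"abc"))    # 900150983cd24fb0d6963f7d28e17f72
```

The outputs match the RFC 1321 test vectors; the block is for following the construction, not for use in place of hashlib.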

Page 85:

Collisions in MD5 (Timeline)

• A birthday attack on MD5 has complexity 2^64
  • Small enough to brute-force a collision search
• 1996, collisions on the inner functions of MD5 found
• 2004, collisions demonstrated practically
• 2007, chosen-prefix collisions demonstrated
• 2008, rogue SSL certificates generated
• 2012, MD5 collisions used in cyberwarfare
  • The Flame malware used an MD5 prefix collision to fake a Microsoft digital code signature

Chosen-prefix collision: given two different prefixes p1, p2, find two appendages m1 and m2 such that hash(p1 || m1) = hash(p2 || m2)

MD5 collision demos: http://www.mscs.dal.ca/~selinger/md5collision/

Page 86:

Collision Attack on MD5-like Hash Functions

• Analyze differential trails
• A bit different from block ciphers:
  • No secret key involved
  • We can choose M and N as we want
• We have a valid attack if the probability of the trail is P > 2^(-N/2)

[Figure: two messages M, N with hash difference ΔH = 0]

Page 87:

Collision Attack on MD5-like Hash Functions

Wang and Yu made it possible to find two pairs of blocks (m_i, m_{i+1}) and (n_i, n_{i+1}) such that

$$F(F(s, m_i), m_{i+1}) = F(F(s, n_i), n_{i+1})$$

where s is some state of the hash function (can be anything). The method makes it possible to construct two strings

m_0, m_1, m_2, …, m_i, m_{i+1}, …, m_k and m_0, m_1, m_2, …, n_i, n_{i+1}, …, m_k

which have the same MD5 hash.

[Figure: two messages M, N with hash difference ΔH = 0]

Page 88:

Example of an MD5 collision

[Figure: Block 1 and Block 2 of the colliding messages]

Page 89:

A Visualization of the Collision

http://www.links.org/?p=6

Page 90:

A Visualization (Difference in just one MSB of the two blocks)

Page 91:

SHA1

[Figure: the input message x (may be of any length less than 2^64) is processed in 512-bit blocks; each word is 32 bits (512/16 = 32); the 16 words are expanded to 79 words; starting from the IV, the five 32-bit state words give a 32 × 5 = 160-bit hash output]

Page 92:

Keccak and SHA3

• Uses a sponge construction
• Achieves variable-length hash functions

[Figure: sponge construction with a bitrate part and a security-parameter part c of the state]

Success of an attack against Keccak < N^2 / 2^(c+1), where N is the number of calls to f

Page 93:

Message Authentication Codes (Keyed Hash Functions)

[Figure: Alice computes the message digest y = h_K(x) of the message "Attack at Dawn!!" with the shared key K and sends the message together with the digest over an unsecure channel; Bob recomputes h_K(x) with the same K and checks that the two digests are equal]

Provides Integrity and Authenticity
• Integrity: messages are not tampered with
• Authenticity: Bob can verify that the message came from Alice
(Does not provide non-repudiation)

Page 94:

CBC-MAC

[Figure: CBC-MAC chain: starting from the IV, each message block m_0, m_1, m_2, m_3 is XORed with the previous output and encrypted with e_K; the final output is h_K(m_0 || m_1 || … || m_4)]

Page 95:

Birthday Attack on CBC MAC

By the birthday paradox, in 2^64 steps (assuming a 128-bit cipher) a collision will arise. Let's assume that the collision occurs in the a-th and b-th step.

$$c_a = c_b \;\Rightarrow\; E_K(m_a \oplus c_{a-1}) = E_K(m_b \oplus c_{b-1})$$

thus

$$m_a \oplus c_{a-1} = m_b \oplus c_{b-1} \;\Rightarrow\; m_a \oplus m_b = c_{a-1} \oplus c_{b-1}$$

Page 96:

Birthday Attack on CBC MAC (continued)

From the collision c_a = c_b found above, the two messages

$$M_1 = m_1 \,\|\, m_2 \,\|\, \ldots \,\|\, m_i \,\|\, \ldots \,\|\, m_n$$

$$M_2 = m_1 \,\|\, m_2 \,\|\, \ldots \,\|\, (m_i \oplus c_{a-1} \oplus c_{a-2}) \,\|\, \ldots \,\|\, m_n$$

Page 97:

HMAC

• FIPS standard for MAC
• Based on an unkeyed hash function (SHA-1)

$$\text{HMAC}_K(x) = \text{SHA1}\big((K \oplus \text{opad}) \,\|\, \text{SHA1}((K \oplus \text{ipad}) \,\|\, x)\big)$$

ipad and opad are predefined constants
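The HMAC formula above written out with SHA-1 from hashlib, as an added example (not the slide deck's code). The only details not on the slide are taken from the HMAC specification: ipad and opad are the bytes 0x36 and 0x5C repeated to the 64-byte SHA-1 block size, and K is zero-padded to that size (or hashed first if it is longer); matches_stdlib cross-checks the result against Python's hmac module.

```python
import hashlib
import hmac

BLOCK = 64                      # SHA-1 block size in bytes
IPAD = bytes([0x36] * BLOCK)    # predefined inner pad constant
OPAD = bytes([0x5C] * BLOCK)    # predefined outer pad constant

def prepare_key(key: bytes) -> bytes:
    """Keys longer than a block are hashed first; shorter keys are zero-padded."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    return key.ljust(BLOCK, b"\x00")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hmac_sha1(key: bytes, x: bytes) -> bytes:
    """HMAC_K(x) = SHA1((K xor opad) || SHA1((K xor ipad) || x))."""
    k = prepare_key(key)
    inner = hashlib.sha1(xor_bytes(k, IPAD) + x).digest()
    return hashlib.sha1(xor_bytes(k, OPAD) + inner).digest()

def verify(key: bytes, x: bytes, tag: bytes) -> bool:
    # constant-time comparison so a verifier does not leak the tag byte by byte
    return hmac.compare_digest(hmac_sha1(key, x), tag)

def matches_stdlib(key: bytes, x: bytes) -> bool:
    return hmac_sha1(key, x) == hmac.new(key, x, hashlib.sha1).digest()

if __name__ == "__main__":
    # RFC 2202 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
    print(hmac_sha1(bytes([0x0B] * 20), b"Hi There").hex())
    # b617318655057264e28bc0b6fb378c8ef146be00
```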