1 / 44

Session 5

Session 5. Hash functions and digital signatures. Contents. Hash functions Definition Requirements Construction Security Applications. Contents. Digital signatures Definition Digital signatures – procedure Digital signature with RSA Signing enciphered messages Signing and hashing.

blake
Télécharger la présentation

Session 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session 5 Hash functions and digital signatures

  2. Contents • Hash functions • Definition • Requirements • Construction • Security • Applications

  3. Contents • Digital signatures • Definition • Digital signatures – procedure • Digital signature with RSA • Signing enciphered messages • Signing and hashing

  4. Hash functions - definition • Let k, n be positive integers • A function f with n bit output and k bit key is called a hash function if • f is a deterministic function • f takes 2 inputs, the first is of arbitrary length and the second is of length k • f outputs a binary string of length n • Formally:

  5. Hash functions - definition • The key k is assumed to be known/fixed, unlike in cipher systems • If k is known/fixed, the hash function is unkeyed • If k is secret the hash function is keyed • k is known/fixed in most of the applications (e.g. digital signature schemes) • k is kept secret in Message Authentication Codes (MACs)

  6. Hash functions – security requirements • In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1) • One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk(x )=w.

  7. Hash functions – security requirements • Security requirements (2) • Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk(x )=fk(y ).

  8. Hash functions – security requirements • Security requirements (3): • (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such thatfk(x )=fk(y ).

  9. Hash functions – security requirements • The collision resistance implies the second preimage resistance. • The second preimage resistance and one-wayness are incomparable • The properties do not follow from one another • Still, a hash function that would be one-way but not second preimage resistant would be quite artificial

  10. Hash functions – security requirements • In practice, collision resistance is the strongest security requirement of all the three requirements • the most difficult to satisfy • the easiest to breach • Breaking the collision resistance property is the goal of most attacks on hash functions.

  11. Hash functions – other requirements • Certificational weakness • A good hash function should possess avalanche property • changing a bit of input would approximately change a half of the output bits • No input bits can be reliably guessed based on the hash function’s local output (local one-wayness) • Failure to satisfy these (and some other) properties is called certificational weakness.

  12. Hash functions – other requirements • It is also required that a hash function is feasible to compute, given x (and k ). • This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.

  13. Hash functions – other requirements • Example: so called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography • Shamir’s function (factoring) • Chaum-vanHeijst-Pfitzmann’s function (discrete log) • Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)

  14. Hash functions - construction • The Merkle-Damgård construction • A classical hash function design • Iterates a compression function • A compression function • takes a fixed length input • outputs a fixed length (shorter) output.

  15. Hash functions - construction • In practice, symmetric cipher systems are used as compression functions (usually block ciphers). • Let g =(x,k) be a block cipher, where x is the plaintext message, and k is the key. • The length of the block x is n bits and the length of the key k is m bits, m >n.

  16. Hash functions - construction • The hash function f to be constructed • has the (theoretically) unlimited input length • has the output bit length n • The input string to the hash function f is y.

  17. Hash functions - construction • Hash function iterations • Pad y such that the length of the padded input y ’ is the least possible multiple of m. • Let where yi{0,1}m . • Let f0 be a fixed initialization vector of length n (in bits). • Then, for i=1,..., r, fi=g (fi-1, ). • Finally, f =fr.

  18. Hash functions - construction • Remark: • The padding algorithm and f0 depend on the particular hash function. • Schematic of the Merkle-Damgård design

  19. Hash functions - construction • Advantages of using block ciphers as compression functions • Efficient, i.e. fast • Usually already implemented • Disadvantage • Employing a strong block cipher in hash function design does not guarantee a good hash function.

  20. Hash functions - construction • Examples of Merkle-Damgård designs • The MD (Message Digest) family of hash functions (MD4, MD5), n =128. • The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)). • They all use custom block cipher rounds.

  21. Hash functions - construction • The speed of such a design depends on the number of rounds of the block cipher involved. • Example • MD4 – 3 rounds • MD5 – 4 rounds – more secure • But MD5 is 30% slower than MD4.

  22. Hash functions - security • Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found. • They are now considered insecure. • Consequence: the SHA-3 contest, the proposals are due October 2008.

  23. Hash functions - applications • Data integrity protection • Digital signature schemes • Authentication • Message authentication codes (MACs) • If MAC uses a hash function it is called HMAC • HMAC standard RFC2104 (Bellare-Canetti-Krawczyk, 1996).

  24. Digital signatures - definition • Digital signature • A number dependent on some secret known only to the signer and on the contents of the signed message • Must be verifiable in case of • a signer repudiating a signature • a fraudulent claimant

  25. Digital signatures - definition • Applications • Authentication • Data integrity protection and non-repudiation • Certification of public keys in large networks.

  26. Digital signatures - procedure • Basic elements (1) • M – the set of messages that can be signed • S – the set of signatures, e.g. binary strings of fixed length • SA – signing transformation for the entity A • SA is kept secret by A • Used to create signatures from M

  27. Digital signatures - procedure • Basic elements (2) • VA – verification transformation for the A’s signatures • Publicly known • Used by other entities to verify signatures created by A

  28. Digital signatures - procedure • Both SA and VA should be feasible to compute • It should not be computationally feasible to forge a digital signature y on a message x • Given x, only A (i.e. Alice) should be able to compute the signature y such that VA(x,y)=true.

  29. Digital signatures - procedure • Signing a message x • Alice uses the algorithm SA to compute the signature over the message x • Alice publishes (or sends to some recipient) the message x, together with the signature y =SA(x )

  30. Digital signatures - procedure • Verifying a signature of a message published/sent by Alice • Upon receiving the pair (x,y), the verifier uses the algorithm VA (publicly known) to verify the integrity of the received message x • If VA (x,y)=true, the signature is verified.

  31. Digital signatures - procedure • It can be shown that asymmetric ciphers can be used for digital signature purposes • To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation SA.

  32. Digital signature with RSA • Alice signs the message x by using the deciphering transformation • Alice is the only one that can sign, since dA is kept secret.

  33. Digital signature with RSA • Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (eA,nA), i.e. • If c =x, then the signature y is verified.

  34. Digital signature with RSA - security • Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature). • Eve does not know dA, she only knows Alice’s public key (eA,nA).

  35. Digital signature with RSA - security • Direct verification, if Eve’s signed document (x ’,y ) is to be verified • This will fail, since c ≠x ’. • Thus, what Eve needs is another signature, y ’, such that • Getting y ’ is a difficult problem.

  36. Digital signature with RSA - security • Another possibility for Eve – she can choose y ’ first and then generate the message • y ’ will then be easily verified, i.e. such a forgery is successful. • But then the probability that x ’ is meaningful is very small.

  37. Signing enciphered messages • Suppose Alice wants to send a signed enciphered message x to Bob. • Alice computes her signature y =SA (x ) • Then Alice enciphers both x and y by means of Bob’s public key • The ciphertext z is transmitted to Bob.

  38. Signing enciphered messages • Deciphering and verification • Bob deciphers z by means of his private key and thus obtains (x,y) • Then Bob uses Alice’s public verification function VA to verify the Alice’s signature y.

  39. Signing and hashing • Usually, public key ciphers are used in digital signature schemes • If the original message is signed, the signature is at least as long as the message – inefficient

  40. Signing and hashing • Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability. • Solution: sign hashed message.

  41. Signing and hashing • The hash function f is made public • Starting with a message x, Alice first computes f (x ), which is significantly smaller than x • Alice then computes y =SA(f (x )) • Alice then sends (x,y) to Bob.

  42. Signing and hashing • Verification process • Bob computes f (x ) • Bob also computes VA (f (x ),y ) • If VA (f (x ),y ) =true, then Alice’s signature is verified.

  43. Signing and hashing - security • Suppose Eve has (x,y=SA(f (x )) • Eve would like to sign her own message x ’ with Alice’s signature (i.e. to forge it) • So she needs SA(f (x ’))=SA(f (x )), which means she needs f (x ’)=f (x ). This is difficult iff (x ) is second preimage resistant.

  44. Signing and hashing - security • Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant. • So it is difficult for Eve to choose the signature first and then get the corresponding message.

More Related