
Information Integrity and Message Digests


brede

Presentation Transcript


  1. Information Integrity and Message Digests CSIS 5857: Encoding and Encryption

  2. Information Integrity Problems • Content Modification: Adversary inserts/modifies/deletes message content [Figure: salary database; adversary inserts new record for Darth’s salary of $1,000,000]

  3. Information Integrity Problems • Masquerade: Adversary sends message claimed to be from someone else [Figure: adversary masquerading as Alice sends “Give Darth a $10,000 raise -- Alice”]

  4. Information Integrity Problems • Timing Modification: Adversary intercepts message and replays it later [Figure: intercepted message “Open the front gate. -- Alice”]

  5. Information Integrity Problems • Simplest case: Detecting modification • Message M stored in public location • M not encrypted • How can we prove/detect whether adversary has replaced message M with fake message M´? [Figure: M in public storage replaced by M´]

  6. Information Integrity Problems • One solution: store protected copy of M • Compare M to copy to detect changes • Implausible if M very large [Figure: M in public storage alongside protected copy of M]

  7. Message Digest • Created from message M using hashing function: y = h(M) • Like “fingerprint” for messages • Different messages → different fingerprints • Much more compact than messages: size of y < size of M • Plausible for secure storage

  8. Message Digest • Same concept as error detection in network transmission • Error detection bits = function of message • Example: parity bit depends on even/odd of 1’s in message • If error detection bits do not match message, request message resend • Key difference: Unlike noise, adversary intelligent [Figure: message followed by error detection bits]

  9. Message Description Code • Used to detect modification • Apply hash to message in storage to get h(M´) • Compare with stored h(M) • If h(M´) ≠ h(M), message has been modified • Message Description Code (MDC) [Figure: h applied to M´ in public storage; h(M´) compared with stored h(M)]

  10. Simple Example Hash Functions • Break message M into blocks bi • Digest = XOR of all blocks: h(b1, b2, b3 … bn) = b1 ⊕ b2 ⊕ b3 ⊕ … ⊕ bn • Possible improvement: Rotate each block one bit before XOR (diffusion)

  11. Message Authentication Code • Hash applied to message by sender and recipient • If no match, message has been tampered with • Problem: Requires MDC sent securely. Otherwise, adversary could modify it as well! [Figure: sender and recipient each compute h(M)]

  12. Message Authentication Code • Using secret key to prevent adversary from creating message digest to match false message • Creates MAC as h(M, k) • Can also encrypt message, but not necessary

  13. Solving Integrity Problems • Content Modification: If adversary modifies message, it will no longer match message digest • Authentication: Adversary cannot send false message since cannot generate corresponding digest (without proper key) • Timing Modification: Sender can add timestamp or nonce to message, which adversary cannot modify without generating corresponding message digest
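The keyed digest h(M, k) of slide 12 with the timestamp and nonce of slide 13, as an added example that is not part of the original slides. HMAC-SHA256 is swapped in here as the keyed hash; the packet layout, the 30-second freshness window and the `Receiver` class are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

MAX_AGE = 30  # seconds a message counts as fresh (assumed policy)

def make_tag(key: bytes, ts: int, nonce: bytes, msg: bytes) -> bytes:
    # The MAC covers timestamp and nonce as well as the message, so none of
    # them can be changed without the key. Fixed-width fields keep the
    # concatenation unambiguous (8-byte timestamp, 16-byte nonce).
    data = struct.pack(">Q", ts) + nonce + msg
    return hmac.new(key, data, hashlib.sha256).digest()

def send(key: bytes, msg: bytes, now: int):
    nonce = os.urandom(16)
    return (now, nonce, msg, make_tag(key, now, nonce, msg))

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # nonces already accepted

    def verify(self, packet, now: int) -> str:
        ts, nonce, msg, tag = packet
        expected = make_tag(self.key, ts, nonce, msg)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "bad-mac"   # content modification or masquerade
        if abs(now - ts) > MAX_AGE:
            return "stale"     # replay after the freshness window
        if nonce in self.seen:
            return "replay"    # replay inside the freshness window
        self.seen.add(nonce)
        return "ok"

def demo() -> dict:
    key = b"k" * 32  # constructed key shared by sender and receiver
    rx = Receiver(key)
    pkt = send(key, b"Open the front gate. -- Alice", now=1000)
    ts, nonce, msg, tag = pkt
    return {
        "genuine": rx.verify(pkt, now=1005),
        "replayed": rx.verify(pkt, now=1010),
        "replayed_late": rx.verify(pkt, now=2000),
        "modified": rx.verify((ts, nonce, b"Give Darth a raise -- Alice", tag), now=1005),
        "new_timestamp": rx.verify((2000, nonce, msg, tag), now=2000),
        "no_key": rx.verify(send(b"x" * 32, msg, now=1005), now=1005),
    }

if __name__ == "__main__":
    print(demo())
```

A long-running receiver would also drop nonces older than `MAX_AGE` from `seen`, since the timestamp check already rejects those messages.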

  14. Good Properties of a Hash • Must be “one way” • Easy to compute h(M) • No easy way to determine what other messages M´ would give same digest (h(M´) = h(M)) • Otherwise adversary could easily create different messages with same hash

  15. Good Properties of a Hash • Must depend on every bit of message • Otherwise adversary could change any bit not used to compute hash • Must produce hash large enough to prevent brute force attacks • Testing all possible alternative messages to find ones with same hash value

  16. Preimage Attack • Adversary finds message M´ with same MDC: h(M´) = h(M) • Impossible to detect or prove changes! [Figure: h applied to M´ in public storage gives the same value as stored h(M)]

  17. Preimage Attack • Adversary can “tweak” new message M´ until h(M´) = h(M) • Example: Give Darth a salary increase of $1000 | Award Mr. Vader some raise … $2000 | Present Darth Vader … bonus $3000 | … … … $4000 | … • “I’ll find some combination of these so they can’t detect the difference!”

  18. Preimage Attack • Simple XOR-based hash function vulnerable to preimage attack • Darth generates own message M′ • Darth adds some block bm to end so that h(M′) ⊕ bm = h(M) • Problem: XOR is reversible • Can work backwards from desired message to create one with same hash as original message
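Why the XOR digest of slide 10 fails the MDC check of slide 9, shown against SHA-256, as an added example that is not part of the original slides. The 8-byte block size, zero padding, sample messages and function names are assumptions made for the illustration.

```python
import hashlib

BLOCK = 8  # block size in bytes; an assumption, the slides do not fix one

def to_blocks(msg: bytes):
    """Zero-pad to a multiple of BLOCK (assumed padding) and split."""
    msg += b"\x00" * (-len(msg) % BLOCK)
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_digest(msg: bytes) -> bytes:
    """Slide 10: h(b1..bn) = b1 xor b2 xor ... xor bn."""
    digest = bytes(BLOCK)
    for block in to_blocks(msg):
        digest = xor_bytes(digest, block)
    return digest

def append_matching_block(fake: bytes, target: bytes) -> bytes:
    """Slide 18: pick bm with h(M') xor bm = h(M), i.e. bm = h(M') xor h(M)."""
    bm = xor_bytes(xor_digest(fake), target)
    return b"".join(to_blocks(fake)) + bm

def is_modified(stored_digest: bytes, msg: bytes, h) -> bool:
    """MDC check from slide 9: recompute the digest and compare."""
    return h(msg) != stored_digest

def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

# Constructed sample messages.
M = b"Pay Darth his usual salary of $1000"
M_FAKE = append_matching_block(b"Give Darth a $5000 raise", xor_digest(M))

if __name__ == "__main__":
    print("XOR digest flags the change:    ",
          is_modified(xor_digest(M), M_FAKE, xor_digest))
    print("SHA-256 digest flags the change:",
          is_modified(sha256(M), M_FAKE, sha256))
```

The XOR check reports no modification for the substituted message, while the SHA-256 check reports it; a stored digest is only useful as an MDC when the hash is one-way.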

  19. Collision Attack • Adversary finds two messages M1 and M2 with same MDC: h(M1) = h(M2) • M1 is harmless message: “We like kittens” • M2 has advantage for adversary: “Give Darth a $5000 raise”

  20. Collision Attack • Darth gets job in organization • Presents M1 to boss for approval • Boss stores h(M1) • Darth actually stores/sends M2 • Boss has no way to prove he didn’t approve M2 [Figure: stored h(“We like kittens”) matches both “We like kittens” and “Give Darth a $5000 raise”]

  21. Mathematics of Message Digests • Pigeonhole Principle: • Given n pigeons and m birdhouses, with n > m • At least one birdhouse with more than one pigeon • MDC size |h(M)| < message size |M| • Fewer possible MDCs h(M) than possible messages M • 2^|h(M)| possible digests < 2^|M| possible messages • There must exist messages M1 and M2 with same MDC: h(M1) = h(M2) • That is, cannot avoid collisions between two different messages

  22. Mathematics of Message Digests • Best case: Hash function behaves as in the random oracle model • h(M) like “random” function over all possible MDCs • Each possible MDC equally likely for a given M • Minimizes likelihood that h(M1) = h(M2) for given M1, M2 • Assumption used in birthday problem analysis

  23. Birthday Problems and Digests • What is minimum number of students in class so that at least one has same birthday as instructor? • What is minimum number of students in class so that at least two have same birthday? In general: • k students and N (that is, 365) possible birthdays • Minimum k such that probability ≥ 50%: • k ≈ 0.69 × N (253 for birthdays) • k ≈ 1.18 × N^(1/2) (23 for birthdays)

  24. Birthday Problems and Digests • Birthday problems define vulnerability of message digests to exhaustive search attacks • Assume best case random oracle model • N = number of possible message digests • k = number of false messages tested by adversary in attacks • How many false messages must adversary test to have at least a 50% chance of finding message with desired digest?

  25. Birthday Problems and Digests • First birthday problem = Preimage Attack • Probability h(M´) = h(M) for any M´ given some M • Number of tests k ≈ 0.69 × N (proportional to number of possible digests)

  26. Birthday Problems and Digests • Second birthday problem = Collision Attack • Probability h(M1) = h(M2) for any M1, M2 • Number of tests k ≈ 1.18 × N^(1/2) (proportional to square root of possible digests)

  27. Birthday Problems and Digests • Number of possible message digests N must be large enough to make attacks impractical • Difficulty of preimage attack proportional to N • Difficulty of collision attack proportional to N^(1/2) • Message digest of n bits → N = 2^n • 2^(n/2) must be large enough to prevent exhaustive search to find collision • Current standard: 512 bits
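The two birthday bounds of slides 23 to 27 checked numerically, as an added example that is not part of the original slides. It computes the exact minimum k for N = 365, the work in bits against an n-bit digest, and measures how often k = 1.18 × N^(1/2) messages collide under SHA-256 truncated to 16 bits; the function names, the truncation and the constructed message strings are assumptions made for the illustration.

```python
import hashlib
import math

def p_hit_target(k, N):
    """First birthday problem: one of k tries equals one fixed value."""
    return 1 - (1 - 1 / N) ** k

def p_any_pair(k, N):
    """Second birthday problem: some two of k tries equal each other."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (N - i) / N
    return 1 - p_distinct

def min_k(prob, N, target=0.5):
    """Smallest k with prob(k, N) >= target, by direct search."""
    k = 1
    while prob(k, N) < target:
        k += 1
    return k

def work_bits(n):
    """log2 of tests for a 50% chance against an n-bit digest (N = 2**n):
    (preimage, collision) using k = 0.69*N and k = 1.18*sqrt(N)."""
    return n + math.log2(0.69), n / 2 + math.log2(1.18)

def collision_rate(bits=16, trials=200):
    """Fraction of trials in which k = 1.18*sqrt(N) distinct messages
    include two with the same SHA-256 digest truncated to `bits` bits."""
    N = 2 ** bits
    k = math.ceil(1.18 * math.sqrt(N))
    hits = 0
    for t in range(trials):
        seen = set()
        for i in range(k):
            d = hashlib.sha256(f"{t}:{i}".encode()).digest()  # constructed input
            v = int.from_bytes(d, "big") >> (256 - bits)
            if v in seen:
                hits += 1
                break
            seen.add(v)
    return hits / trials

if __name__ == "__main__":
    print("min k, same birthday as instructor:", min_k(p_hit_target, 365))
    print("min k, any two share a birthday:   ", min_k(p_any_pair, 365))
    print("512-bit digest (preimage, collision) bits:", work_bits(512))
    print("measured collision rate at 16 bits:", collision_rate())
```

For a 512-bit digest the collision search costs about 2^256 tests, which is the 2^(n/2) term the last slide says must be out of reach.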
