1 / 90

Chapter VII

Chapter VII. Hashing, Authentication, and Signature Schemes. Issues addressed  Alice receives a message from Bob Is it authentic? Is it really from Bob? How to ‘electronically’ ensure authenticity? Authenticity of source Authenticity of message How to ‘electronically’ sign a message ?.

gaetan
Télécharger la présentation

Chapter VII

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter VII Hashing, Authentication, and Signature Schemes

  2. Issues addressed  • Alice receives a message from Bob • Is it authentic? • Is it really from Bob? • How to ‘electronically’ ensure authenticity? • Authenticity of source • Authenticity of message • How to ‘electronically’ sign a message ?

  3. Hash value of a message  unique tag of message •  its fingerprint • Alternate terms  message digest / Message Integrity Check (MIC) / Message Detection Code (MDC) • widely known as ‘hash value’ of message • Typically hash value is 160 bits long • message can be much longer • ‘hashing function’  function used to generate hash value • Hash smaller in length than message •  hashing function also called a ‘compression function’

  4. Need for Alice : ‘send a message to Bob  ensure it is not corrupted’ • Hashing schemes  provide means of establishing such credibility of message • Hash value  generated from message itself • Alice attaches it to message & sends the pair to Bob • Bob knows functional scheme used to generate hash value • Bob regenerates hash • Same as hash from Alice? • Yes  Bob confirms ‘message is authentic’

  5. Causes galore for corruption! • length of message/ noisy nature of transmitting / recording media / presence of ill-intentioned Eve on the way / possible corruption in archive • hash  a much shorter stamp (say 160 bits long) • More easily preserved & transmitted faithfully • Facilitates Bob’s check  Bob can regenerate hash from message stream itself & use it to verify its genuineness

  6. CD – an archive stores a long message – for later use • On retrieval, how to ascertain ‘it is uncorrupted?’ • Generate hash & store separately / more reliable way • Use it along with freshly generated hash value • They tally ?  message remains uncorrupted • security / confidentiality / integrity of source etc. . Not involved here • x message of i bits • y  hash value of nbits •  i >> n  160 bits  representative value for hash length n

  7. y = f(x)  hashing function •  function of selected bits of message (involving AND, OR, INVERT, & XOR operations) • x to y relation of many-to-one type •  multiple values for x lead to same value for y • Such identification  defeats purpose of hashing – namely providing authenticity •  need to define scope of hashing function &identify criteria it has to satisfy

  8. random oracle model • abstraction of a black-box type of function. • Outputs a random number y (x) for every input x • repetition of a query elicits same answer • functional relation in I / O process  not discernible • random Oracle model  idealization of hashing function. • query oracle with a new x •  It doles out a fresh hash value y • x1, x2, x3, . . .  sequence of messages • y1, y2, y3, . . .  corresponding hash values

  9. Knowledge of the pairs (x1, y1), (x2, y2), . . . •  No clue to hash value for next query •  independence property • Let M be the collection of all possible messages and Y the collection of all possible hash values. Let {x1, x2, . . } be the set of messages for which the hash values have already been obtained as {y1, y2, . . }. The hash value for a new message x which is not in the set is equally likely to be anyone of the possible hash values. The probability of it being a specific value yp is 1/│Y│.

  10. SHA-1  hashing function • message length 264 bits  • possible message values • - (more precisely ) • Hash value =160 bits - 2160 possible hash values • P (hash value of a new message) is anyone of these = 2-160 • Hashing function – requirements • Pre-image resistance • Second Pre-Image Resistance • Collision Resistance

  11. Pre-image resistance • Knowing hash value y1 can we find message x1? • Make q queries to oracle • oracle returns y1 as hash value to any one of these queries  ineffective hashing function • (1- 1/│Y│)qP(failure to return y1 in q successive queries)  • P of success is 1 - (1- 1/│Y│)q • Probability value, its approximation, & variation with relative values of qdiscussed earlier • q<< │Y│  Pof success = q/│Y│ •  a reasonable chance of success  q ~│Y│

  12. hashing schemes -- SHA-1 & RIPEMD160 -- use 160-bit hash values • No. of trials for success ~ 2160 too high to be computationally feasible •  A ‘pre-image resistant’ hashing function

  13. Second Pre-Image Resistance • With message x1 we get hash value y1 – given hashing function f • Can we identify x2different from x1with hash value y1 ? • Yes  fingerprint not ‘unique’ to x1 • P of success = 1 - (1- 1/│Y│)q-1 • q<< │Y│P of success (q-1)/│Y│ •  a ‘second pre-image resistant’ hashing function • also known as a ‘weak collision resistant’ hashing function. • A hashing function with three properties • ease of computation, pre-image resistant, & second pre-image resistant  ‘one-way hash function’.

  14. Collision Resistance • collision problem  Identify a pair of messages (x1, x2) • query  oracle returns same hash value • number of queries to be made ~ for a collision to occur • SHA-1 & RIPEMD-160  ~ 260 queries to identify collision • By today’s standards computationally infeasible • Let f -- a collision resistant hashing function  not second pre-image resistant •  identify messages x1 & x2 such that f(x1) = f(x2) = y • function is not collision resistant •  a collision resistant hashing function  second pre-image resistant

  15. Carefully selected hashing function satisfies • Easy realisability, pre-image resistance, second pre-image resistance, & collision resistance • An attacker may still identify & exploit weakness in function • Important criteria for prevention: • Hash value for any message should be a random bit sequence  exhibit correlation immunity • Change in one message bit should affect as many bits in hash value as possible •  Ideally all output bits should be affected •  ‘avalanche’ effect • If hashing function does not exhibit avalanche effect, specific bit positions in message affect only a limited number of bit positions in hash value •  Can be exploited as a weakness by an attacker

  16. Iterated Hashing Functions • hashing functions  all iterated hashing functions • hash length  l bits & Message  i bits • a selected bit sequence padded to the message • No. of bits after padding  a multiple of l • Pad has total No. of bits in message as a 64-bit binary number at right end • padding and the segmentation schemes  Figure 

  17. Padding and segmentation prior to hashing

  18. Iterated hashing scheme specifies • Initial hash value (an initial vector) h0 & • hashing function • length of h0 same as final hash value • output of hashing with first message block M0 h1 • h1  a bit sequence of length h0 itself • h1 appended to the next message block M1 • The set hashed again • . . . • Repeat until all preprocessed message blocks are hashed • Scheme block diagram  Figure  • Merkle and Damgard • a compression function is collision resistant •  iterative function using it is also collision resistant •  justification for iterative hashing using a suitably selected hashing function

  19. Iterative hashing scheme

  20. Hashing Schemes • MD5 –upgrade of predecessor MD4 • in wide use over past few years • Now vulnerable  given way to SHA-1 &RIPEMD-160 • Both are its enhancements • Both in wide use today • likely to be in use for next few years • The respective standards also specify scaled up versions • Users expected to migrate to scaled up versions  As enhanced computing power & analysis techniques make them vulnerable to attacks

  21. pre-processing stage • Identical for both • message length  block of i bits with 0 i < 264 • Message segmented into blocks of 512 bits each •  total number of blocks  N • Procedure  • To message of i bits append a 1-bit • Follow it by k zero bits such that i+ 1 + k ≡ 448 (mod 512) • k smallest number of zeros possible • Represent i as a 64-bit binary number • Append it to the i + 1 + k set of bits •  padded message  512Nbits long • Ntotal number of message blocks

  22. SHA – 1 • SHA-1 (Acronym for ‘Secure Hashing Algorithm’) • A NIST approved hashing algorithm • Generates a hash of 160 bits • message block is a pre-processed • Then hashing processing stage  An iterative process • Hashing starts with 160-bit seed as hash value • A sequence of non-linear operations carried out on first message block of 512 bits • Sequence cyclically repeated 80 times • A 160-bit hash value generated • Use this as seed & repeat cyclic sequence for second message block of 512 bits

  23. Continue & hash all N message blocks  160-bit hash value • The various constants used & steps involved in hashing: • Initial hash value (‘seed value’) is taken as sequence of five 32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe;H[3][0] = 0x10325476; • H[4][0] = 0xc3d2e1f0; • A set of constants kt for t values from 0 to 79 is defined • Used successively in 80 rounds of processing done on each message block • kt = 0x5a827999: 0 t 19 • = 0x6ed9eba1: 20 t 39 • = 0x8f1bbcdc: 40 t 59 • = 0xca62c1d6: 60 t 79

  24. Step by Step Procedure for Hashing • Define the function ft(x, y, z) as • # 2. ithmessage block set of sixteen 32-bit words – {M[0][i], M[1][i], M[2][i], . . M[15][i]} Carry out following sequence of operations – up to (and including) step 6 – for all message blocks from i = 1 toi = N

  25. 3. Using ith message block prepare ‘ message schedule’ – W – as Do for 0 t  15 W [t] = M[t][i] Do for 16 t  79 W[t]=(W[t-3]W[t-8] W[t-14] W[t-16]) <<1 Creation of message schedule from message block in SHA-1

  26. 4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1], H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D, and E as • A= H[0][t-1]; B= H[1][t-1]; C= H[2][t-1] • D= H[3][t-1]; E= H[4][t-1] 5. do for 0 t 79 • { • T = (A << 5) + ft(B, C, D) + E + k[t] + W[t] • where ft(x, y, z)  function defined #above. • (A << signifies circular left shift of A by five bit positions. All additions are to be of mod (232) type. • E = D; D = C; C= (B <<30); B= A; A= T • } • (B << 30) signifies circular left shift of B by thirty bit positions • Flow of operations Figures

  27. Cyclic operation in SHA-1

  28. Cyclic processing scheme of each message block in SHA-1

  29. 6. Compute the next hash value set as • H[0][t]= A + H[0][t-1] • H[1][t]= B + H[1][t-1] • H[2][t]= C + H[2][t-1] • H[3][t]= D + H[3][t-1] • H[4][t]= E + H[4][t-1] • All additions are to be of mod (232) type. • 7. After completing sequence N times – (with all Nmessage blocks) form hash value – i.e., the 160-bit message digest – as • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]} • Example  See text

  30. SHA Family • SHA  five sizes specified by NIST • cyclic scheme  SHA-1 with minor differences • Sizes & all related info.  Table 

  31. RIPEMD-160 • Start hashing with a 160-bit initial hash value (initial vector) • – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]} • H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; • H[2][0] = 0x98badcfe; H[3][0] = 0x10325476; • H[4][0] = 0xc3d2e1f0; • values same as for SHA-1 • N message blocks are processed in succession from 1 to N • Hash values after processing ith block 31 • – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i] • Hash values after completion of processing with all N blocks  H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N] • Final hash value  160-bit concatenated value of these

  32. Each message block of 512 bits  composed of a sequence of sixteen words • put through two 80-cycle operational sequences in parallel  Figure  • ‘left (80-cycle) sequence’ & • ‘right (80-cycle) sequence’ • 80-cycles  arranged as a sequence of five rounds • Each round  a sequence of sixteen cycles • Each uses one of sixteen words of message block •  Each message word  used ten times • once in each round on left sequence & • once in each round on right sequence

  33. A pre-defined permutation of words in message block decides instant of use of each word • Step-by-step hashing procedure follows 1. {M[0][i], M[1][i], M[2][i], . . M[15][i]} •  message block  set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zl[0], zl[1],zl[2], . . . .,zl[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation •  first round for left sequence

  34. Permutation details of message words for left sequence

  35. 2. {M[0][i], M[1][i], M[2][i], . . M[15][i]} •  message block  set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zr[0], zr[1],zr[2], . . . .,zr[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation •  first round for right sequence

  36. Permutation details of message words for right sequence

  37. 3. Permute– {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Left-Table ’ • Form sequence – {zl[16], zl[17],zl[18], . . . .,zl[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence 4. Permute– {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Right-Table ’ • Form sequence – {zr[16], zr[17],zr[18], . . . .,zr[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence 5. Proceed as above & complete rounds 3, 4, & 5 •  use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables

  38. Operational sequence of eighty cycles completed • Leftword set  {Al, Bl, Cl, Dl, El} • Right word set  {Ar, Br, Cr, Dr, Er} • Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],& H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1], H[3][i+1],& H[4][i+1]} • Use following algebra  • H[0][i+1]= H[1][i]+ Cl + Dr • H[1][i+1]= H[2][i]+ Dl +Er • H[2][i+1]= H[3][i]+ El + Ar • H[3][i+1] = H[4][i]+ Al + Br • H[4][i+1] = H[0][i] + Bl,+ Cr

  39. Assign values afresh • Al =H[0][i], Bl =H[1][i], Cl =H[2][i] , Dl =H[3][i] , El =H[4][i ] • Ar=H[0][i], Br =H[1][i], Cr =H[2][i] , Dr =H[3][i] , Er =H[4][i ] • T 80-cycle operation : • do for 0 t 79 • { • T = ((Al + ft(Bl, Cl, Dl) + zl[t] + El ) >> rl[t])+ kl [t] • where • ft(x, y, z)  function for left sequence defined in Table  • (>> rl[t]) signifies circular right shift by rl[t] bit positions as in Table  

  40. Functions used in the different cycles

  41. Details of circular shift for the function in the left sequence

  42. kl [t] values are as specified in Table  • All additions to be of mod (232) type • Al= El ; El = Dl ; Dl = (Cl >>10); Cl = Bl; Bl = Tl • >>10signifies circular right shift by ten bit positions Additive constants used in different rounds -- Values given are in hex form

  43. T = ((Ar + ft(Br, Cr, Dl) + zr[t] + Er ) >> rr[t])+ kr [t] • where • ft(x, y, z) is the function for right sequence defined in Table   • (>> rr[t]) signifies circular right shift by rr[t] bit positions as specified in Table  • kr [t] values are as specified in Table  • All additions are to be of mod (232) type • Ar= Er;Er = Dr ; Dr = (Cr >>10) ;Cr = Br ; Br = T • >>10signifies circular right shift by ten bit positions • } • Final hashed output formed after processing all N message blocks  • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]}.

  44. Details of circular shift for function in right sequence

  45. Operational sequence of RIPEMD-160

  46. One cycle of operation in RIPEMD-160

  47. Observations • Modular algebra based hashing schemes • → prone to easy attacks → no longer in use • SHA-1 & RIPEMD-160  of comparable security level • Initial 160-bit hash value is same for SHA-1 & RIPEMD-160. • b0  at left end in SHA-1 & at right end in RIPEMD-160 • We use b0 at left end •  All constants, tabular entries & associated descriptions changed accordingly • Other hashing schemes like MD5 in vogue until recently • Now all of them considered vulnerable • Not recommended for newer applications

  48. SHA-1 selects a set of previous words in schedule • → sums up & forms message schedule • → difficult to restrict effect of change in message to a ‘local area’ of hash value • → avalanche effect  an additional deterrent to attacks • Both SHA-1 & RIPEMD-160 closely follow structure of MD5 • Dual sequence scheme in RIPEMD-160 adds to collision resistance • Permutation in RIPEMD-160 → two words which are close in one round are farther apart in the next • constants used in different rounds in both SHA-1 & RIPEMD-160 are 32-bit approximations of irrational numbers derived from simple integers → Table ↓

  49. Different constants used in SHA-1 and RIPEMD-160

  50. Similar disparity present between left & right sides in each round • → Adds to the strength of scheme • CRC check ~ hash value • CRC value  binary number to identify error -- within a specific limit -- data stream • CRC check not satisfied  data stream definitely in error • CRC check satisfied  data stream taken as being received correctly

More Related