Presentation Transcript

  1. Chapter VII Hashing, Authentication, and Signature Schemes

  2. Issues addressed • Alice receives a message from Bob • Is it authentic? • Is it really from Bob? • How to ‘electronically’ ensure authenticity? • Authenticity of source • Authenticity of message • How to ‘electronically’ sign a message?

  3. Hash value of a message → unique tag of message • → its fingerprint • Alternate terms → message digest / Message Integrity Check (MIC) / Message Detection Code (MDC) • widely known as ‘hash value’ of message • Typically hash value is 160 bits long • message can be much longer • ‘hashing function’ → function used to generate hash value • Hash smaller in length than message • → hashing function also called a ‘compression function’

  4. Need for Alice: ‘send a message to Bob → ensure it is not corrupted’ • Hashing schemes → provide means of establishing such credibility of message • Hash value → generated from message itself • Alice attaches it to message & sends the pair to Bob • Bob knows functional scheme used to generate hash value • Bob regenerates hash • Same as hash from Alice? • Yes → Bob confirms ‘message is authentic’

  5. Causes galore for corruption! • length of message / noisy nature of transmitting / recording media / presence of ill-intentioned Eve on the way / possible corruption in archive • hash → a much shorter stamp (say 160 bits long) • More easily preserved & transmitted faithfully • Facilitates Bob’s check → Bob can regenerate hash from message stream itself & use it to verify its genuineness

  6. CD – an archive stores a long message – for later use • On retrieval, how to ascertain ‘it is uncorrupted?’ • Generate hash & store separately / more reliable way • Use it along with freshly generated hash value • They tally? → message remains uncorrupted • security / confidentiality / integrity of source etc. not involved here • x → message of i bits • y → hash value of n bits • → i >> n → 160 bits → representative value for hash length n

  7. y = f(x) → hashing function • → function of selected bits of message (involving AND, OR, INVERT, & XOR operations) • x to y relation of many-to-one type • → multiple values for x lead to same value for y • Such identification → defeats purpose of hashing – namely providing authenticity • → need to define scope of hashing function & identify criteria it has to satisfy

  8. random oracle model • abstraction of a black-box type of function. • Outputs a random number y (x) for every input x • repetition of a query elicits same answer • functional relation in I / O process → not discernible • random Oracle model → idealization of hashing function. • query oracle with a new x • → It doles out a fresh hash value y • x1, x2, x3, . . . → sequence of messages • y1, y2, y3, . . . → corresponding hash values

  9. Knowledge of the pairs (x1, y1), (x2, y2), . . . • → No clue to hash value for next query • → independence property • Let M be the collection of all possible messages and Y the collection of all possible hash values. Let {x1, x2, . . } be the set of messages for which the hash values have already been obtained as {y1, y2, . . }. The hash value for a new message x which is not in the set is equally likely to be any one of the possible hash values. The probability of it being a specific value yp is 1/│Y│.

  10. SHA-1 → hashing function • message length 2^64 bits  • possible message values • - (more precisely ) • Hash value = 160 bits - 2^160 possible hash values • P (hash value of a new message) is any one of these = 2^-160 • Hashing function – requirements • Pre-image resistance • Second Pre-Image Resistance • Collision Resistance

  11. Pre-image resistance • Knowing hash value y1 can we find message x1? • Make q queries to oracle • oracle returns y1 as hash value to any one of these queries → ineffective hashing function • (1 - 1/│Y│)^q = P(failure to return y1 in q successive queries) • → P of success is 1 - (1 - 1/│Y│)^q • Probability value, its approximation, & variation with relative values of q discussed earlier • q << │Y│ → P of success = q/│Y│ • → a reasonable chance of success → q ~ │Y│

  12. hashing schemes -- SHA-1 & RIPEMD160 -- use 160-bit hash values • No. of trials for success ~ 2^160 too high to be computationally feasible • → A ‘pre-image resistant’ hashing function

  13. Second Pre-Image Resistance • With message x1 we get hash value y1 – given hashing function f • Can we identify x2 different from x1 with hash value y1? • Yes → fingerprint not ‘unique’ to x1 • P of success = 1 - (1 - 1/│Y│)^(q-1) • q << │Y│ → P of success ≈ (q-1)/│Y│ • → a ‘second pre-image resistant’ hashing function • also known as a ‘weak collision resistant’ hashing function. • A hashing function with three properties • ease of computation, pre-image resistant, & second pre-image resistant → ‘one-way hash function’.

  14. Collision Resistance • collision problem → Identify a pair of messages (x1, x2) • query → oracle returns same hash value • number of queries to be made ~ for a collision to occur • SHA-1 & RIPEMD-160 → ~ 2^60 queries to identify collision • By today’s standards computationally infeasible • Let f -- a collision resistant hashing function  not second pre-image resistant • → identify messages x1 & x2 such that f(x1) = f(x2) = y • function is not collision resistant • → a collision resistant hashing function → second pre-image resistant
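
The query counts on the slides for pre-image, second pre-image and collision resistance can be watched on a hash small enough to search. The following is an added example, not part of the original slides: `toy_hash` (a hypothetical name) keeps only the top `bits` bits of SHA-256 as a stand-in for a random oracle with │Y│ = 2^bits, and the query messages are constructed counters.

```python
import hashlib
from itertools import count

def toy_hash(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a stand-in oracle with |Y| = 2**bits (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Query distinct messages until two share a hash value.

    Returns (x1, x2, queries). The attacker may pick ANY pair, so the
    search ends after roughly sqrt(|Y|) queries on average.
    """
    seen = {}                                  # hash value -> message that produced it
    for q in count(1):
        x = b"msg-%d" % (q - 1)                # constructed, all distinct
        y = toy_hash(x, bits)
        if y in seen:
            return seen[y], x, q
        seen[y] = x

def find_second_preimage(x1: bytes, bits: int):
    """Query messages other than x1 until one hashes to f(x1).

    Returns (x2, queries). The target value is fixed in advance, so each
    query succeeds with probability 1/|Y| and about |Y| queries are needed.
    """
    y1 = toy_hash(x1, bits)
    for q in count(1):
        x2 = b"try-%d" % (q - 1)               # constructed candidates
        if x2 != x1 and toy_hash(x2, bits) == y1:
            return x2, q

if __name__ == "__main__":
    bits = 16
    a, b, q_coll = find_collision(bits)
    x2, q_second = find_second_preimage(b"target message", bits)
    print(f"|Y| = 2^{bits} = {2 ** bits}")
    print(f"collision {a!r} / {b!r} after {q_coll} queries")
    print(f"second pre-image {x2!r} after {q_second} queries")
```

With a 16-bit output the collision typically appears after a few hundred queries while the second pre-image takes tens of thousands, which is why the output length has to be chosen against the collision search and not against the pre-image search.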

  15. Carefully selected hashing function satisfies • Easy realisability, pre-image resistance, second pre-image resistance, & collision resistance • An attacker may still identify & exploit weakness in function • Important criteria for prevention: • Hash value for any message should be a random bit sequence → exhibit correlation immunity • Change in one message bit should affect as many bits in hash value as possible • → Ideally all output bits should be affected • → ‘avalanche’ effect • If hashing function does not exhibit avalanche effect, specific bit positions in message affect only a limited number of bit positions in hash value • → Can be exploited as a weakness by an attacker

  16. Iterated Hashing Functions • hashing functions → all iterated hashing functions • hash length → l bits & Message → i bits • a selected bit sequence padded to the message • No. of bits after padding → a multiple of l • Pad has total No. of bits in message as a 64-bit binary number at right end • padding and the segmentation schemes → Figure

  17. Padding and segmentation prior to hashing

  18. Iterated hashing scheme specifies • Initial hash value (an initial vector) h0 & • hashing function • length of h0 same as final hash value • output of hashing with first message block M0 → h1 • h1 → a bit sequence of length h0 itself • h1 appended to the next message block M1 • The set hashed again • . . . • Repeat until all preprocessed message blocks are hashed • Scheme block diagram → Figure • Merkle and Damgard • a compression function is collision resistant • → iterative function using it is also collision resistant • → justification for iterative hashing using a suitably selected hashing function

  19. Iterative hashing scheme

  20. Hashing Schemes • MD5 – upgrade of predecessor MD4 • in wide use over past few years • Now vulnerable → given way to SHA-1 & RIPEMD-160 • Both are its enhancements • Both in wide use today • likely to be in use for next few years • The respective standards also specify scaled up versions • Users expected to migrate to scaled up versions → As enhanced computing power & analysis techniques make them vulnerable to attacks

  21. pre-processing stage • Identical for both • message length → block of i bits with 0 ≤ i < 2^64 • Message segmented into blocks of 512 bits each • → total number of blocks → N • Procedure • To message of i bits append a 1-bit • Follow it by k zero bits such that i + 1 + k ≡ 448 (mod 512) • k → smallest number of zeros possible • Represent i as a 64-bit binary number • Append it to the i + 1 + k set of bits • → padded message → 512N bits long • N → total number of message blocks

  22. SHA – 1 • SHA-1 (Acronym for ‘Secure Hashing Algorithm’) • A NIST approved hashing algorithm • Generates a hash of 160 bits • message is pre-processed • Then hashing processing stage → An iterative process • Hashing starts with 160-bit seed as hash value • A sequence of non-linear operations carried out on first message block of 512 bits • Sequence cyclically repeated 80 times • A 160-bit hash value generated • Use this as seed & repeat cyclic sequence for second message block of 512 bits

  23. Continue & hash all N message blocks → 160-bit hash value • The various constants used & steps involved in hashing: • Initial hash value (‘seed value’) is taken as sequence of five 32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe; H[3][0] = 0x10325476; H[4][0] = 0xc3d2e1f0; • A set of constants kt for t values from 0 to 79 is defined • Used successively in 80 rounds of processing done on each message block • kt = 0x5a827999: 0 ≤ t ≤ 19 • = 0x6ed9eba1: 20 ≤ t ≤ 39 • = 0x8f1bbcdc: 40 ≤ t ≤ 59 • = 0xca62c1d6: 60 ≤ t ≤ 79

  24. Step by Step Procedure for Hashing • Define the function ft(x, y, z) as • # 2. ith message block → set of sixteen 32-bit words – {M[0][i], M[1][i], M[2][i], . . M[15][i]} • Carry out following sequence of operations – up to (and including) step 6 – for all message blocks from i = 1 to i = N

  25. 3. Using ith message block prepare ‘message schedule’ – W – as • Do for 0 ≤ t ≤ 15: W[t] = M[t][i] • Do for 16 ≤ t ≤ 79: W[t] = (W[t-3] ⊕ W[t-8] ⊕ W[t-14] ⊕ W[t-16]) << 1 • Creation of message schedule from message block in SHA-1

  26. 4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1], H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D, and E as • A = H[0][t-1]; B = H[1][t-1]; C = H[2][t-1] • D = H[3][t-1]; E = H[4][t-1] • 5. do for 0 ≤ t ≤ 79 • { • T = (A << 5) + ft(B, C, D) + E + k[t] + W[t] • where ft(x, y, z) → function defined #above. • (A << 5) signifies circular left shift of A by five bit positions. All additions are to be of mod (2^32) type. • E = D; D = C; C = (B << 30); B = A; A = T • } • (B << 30) signifies circular left shift of B by thirty bit positions • Flow of operations → Figures

  27. Cyclic operation in SHA-1

  28. Cyclic processing scheme of each message block in SHA-1

  29. 6. Compute the next hash value set as • H[0][t] = A + H[0][t-1] • H[1][t] = B + H[1][t-1] • H[2][t] = C + H[2][t-1] • H[3][t] = D + H[3][t-1] • H[4][t] = E + H[4][t-1] • All additions are to be of mod (2^32) type. • 7. After completing sequence N times – (with all N message blocks) form hash value – i.e., the 160-bit message digest – as • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]} • Example → See text
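
The pre-processing stage and steps 1 to 7 above, carried through in code. This is an added example, not code from the original slides: the round function ft did not survive on the slide and is taken here from the SHA-1 standard (FIPS 180), input is limited to whole bytes, and the sample messages are constructed.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF                                                   # additions are mod 2^32
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # seed value from the slides
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                # k_t, one per 20 rounds

def rotl(x, n):
    """Circular left shift of a 32-bit word by n positions."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(message: bytes) -> bytes:
    """Append a 1-bit, k zero bits and the 64-bit length: result is 512N bits."""
    i = 8 * len(message)                   # message length in bits
    k = (448 - (i + 1)) % 512              # smallest k with i + 1 + k = 448 (mod 512)
    zeros = b"\x00" * ((k - 7) // 8)       # 0x80 carries the 1-bit and the first 7 zeros
    return message + b"\x80" + zeros + struct.pack(">Q", i)

def f(t, b, c, d):
    """Round function f_t per FIPS 180 (assumption: not readable on the slide)."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def compress(h, block):
    """Steps 3 to 6: fold one 512-bit block into the running hash value h."""
    w = list(struct.unpack(">16L", block))                 # W[0..15] = message words
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        temp = (rotl(a, 5) + f(t, b, c, d) + e + K[t // 20] + w[t]) & MASK
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))

def sha1(message: bytes) -> bytes:
    """Step 7: iterate over all N blocks and concatenate the five words."""
    h = H0
    padded = pad(message)
    for off in range(0, len(padded), 64):
        h = compress(h, padded[off:off + 64])
    return struct.pack(">5L", *h)

if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 56, b"a" * 1000):        # constructed sample inputs
        assert sha1(m) == hashlib.sha1(m).digest()         # cross-check against the library
        print(len(pad(m)) // 64, "block(s):", sha1(m).hex())
```

A 55-byte message still fits in one block, while a 56-byte message needs a second block because the 1-bit and the 64-bit length no longer fit after it.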

  30. SHA Family • SHA → five sizes specified by NIST • cyclic scheme → SHA-1 with minor differences • Sizes & all related info. → Table

  31. RIPEMD-160 • Start hashing with a 160-bit initial hash value (initial vector) • – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]} • H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; • H[2][0] = 0x98badcfe; H[3][0] = 0x10325476; • H[4][0] = 0xc3d2e1f0; • values same as for SHA-1 • N message blocks are processed in succession from 1 to N • Hash values after processing ith block • – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i] • Hash values after completion of processing with all N blocks → H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N] • Final hash value → 160-bit concatenated value of these

  32. Each message block of 512 bits → composed of a sequence of sixteen words • put through two 80-cycle operational sequences in parallel → Figure • ‘left (80-cycle) sequence’ & • ‘right (80-cycle) sequence’ • 80-cycles → arranged as a sequence of five rounds • Each round → a sequence of sixteen cycles • Each uses one of sixteen words of message block • → Each message word → used ten times • once in each round on left sequence & • once in each round on right sequence

  33. A pre-defined permutation of words in message block decides instant of use of each word • Step-by-step hashing procedure follows • 1. {M[0][i], M[1][i], M[2][i], . . M[15][i]} • → message block → set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zl[0], zl[1], zl[2], . . . ., zl[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation • → first round for left sequence

  34. Permutation details of message words for left sequence

  35. 2. {M[0][i], M[1][i], M[2][i], . . M[15][i]} • → message block → set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zr[0], zr[1], zr[2], . . . ., zr[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation • → first round for right sequence

  36. Permutation details of message words for right sequence

  37. 3. Permute – {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Left-Table’ • Form sequence – {zl[16], zl[17], zl[18], . . . ., zl[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence • 4. Permute – {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Right-Table’ • Form sequence – {zr[16], zr[17], zr[18], . . . ., zr[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence • 5. Proceed as above & complete rounds 3, 4, & 5 • → use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables

  38. Operational sequence of eighty cycles completed • Left word set → {Al, Bl, Cl, Dl, El} • Right word set → {Ar, Br, Cr, Dr, Er} • Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1], H[3][i+1], & H[4][i+1]} • Use following algebra • H[0][i+1] = H[1][i] + Cl + Dr • H[1][i+1] = H[2][i] + Dl + Er • H[2][i+1] = H[3][i] + El + Ar • H[3][i+1] = H[4][i] + Al + Br • H[4][i+1] = H[0][i] + Bl + Cr

  39. Assign values afresh • Al = H[0][i], Bl = H[1][i], Cl = H[2][i], Dl = H[3][i], El = H[4][i] • Ar = H[0][i], Br = H[1][i], Cr = H[2][i], Dr = H[3][i], Er = H[4][i] • T 80-cycle operation : • do for 0 ≤ t ≤ 79 • { • T = ((Al + ft(Bl, Cl, Dl) + zl[t] + El ) >> rl[t]) + kl[t] • where • ft(x, y, z) → function for left sequence defined in Table • (>> rl[t]) signifies circular right shift by rl[t] bit positions as in Table

  40. Functions used in the different cycles

  41. Details of circular shift for the function in the left sequence

  42. kl[t] values are as specified in Table • All additions to be of mod (2^32) type • Al = El ; El = Dl ; Dl = (Cl >> 10); Cl = Bl; Bl = Tl • >> 10 signifies circular right shift by ten bit positions • Additive constants used in different rounds -- Values given are in hex form

  43. T = ((Ar + ft(Br, Cr, Dr) + zr[t] + Er ) >> rr[t]) + kr[t] • where • ft(x, y, z) is the function for right sequence defined in Table • (>> rr[t]) signifies circular right shift by rr[t] bit positions as specified in Table • kr[t] values are as specified in Table • All additions are to be of mod (2^32) type • Ar = Er; Er = Dr ; Dr = (Cr >> 10); Cr = Br ; Br = T • >> 10 signifies circular right shift by ten bit positions • } • Final hashed output formed after processing all N message blocks • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]}.

  44. Details of circular shift for function in right sequence

  45. Operational sequence of RIPEMD-160

  46. One cycle of operation in RIPEMD-160

  47. Observations • Modular algebra based hashing schemes • → prone to easy attacks → no longer in use • SHA-1 & RIPEMD-160 → of comparable security level • Initial 160-bit hash value is same for SHA-1 & RIPEMD-160. • b0 → at left end in SHA-1 & at right end in RIPEMD-160 • We use b0 at left end • → All constants, tabular entries & associated descriptions changed accordingly • Other hashing schemes like MD5 in vogue until recently • Now all of them considered vulnerable • Not recommended for newer applications

  48. SHA-1 selects a set of previous words in schedule • → sums up & forms message schedule • → difficult to restrict effect of change in message to a ‘local area’ of hash value • → avalanche effect → an additional deterrent to attacks • Both SHA-1 & RIPEMD-160 closely follow structure of MD5 • Dual sequence scheme in RIPEMD-160 adds to collision resistance • Permutation in RIPEMD-160 → two words which are close in one round are farther apart in the next • constants used in different rounds in both SHA-1 & RIPEMD-160 are 32-bit approximations of irrational numbers derived from simple integers → Table ↓

  49. Different constants used in SHA-1 and RIPEMD-160

  50. Similar disparity present between left & right sides in each round • → Adds to the strength of scheme • CRC check ~ hash value • CRC value → binary number to identify error -- within a specific limit -- data stream • CRC check not satisfied → data stream definitely in error • CRC check satisfied → data stream taken as being received correctly
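
The avalanche and correlation-immunity criteria from slide 15 and the CRC comparison on the last slide can both be measured. The following is an added example, not part of the original slides: it counts how many output bits change per flipped message bit for SHA-1, and checks whether the output difference caused by a given flip depends on the rest of the message, for SHA-1 and for CRC-32 (`zlib.crc32`). The messages are constructed and all of equal length.

```python
import hashlib
import zlib

def flip_bit(msg: bytes, pos: int) -> bytes:
    """Return msg with bit number pos inverted (0 = leftmost bit of first byte)."""
    out = bytearray(msg)
    out[pos // 8] ^= 0x80 >> (pos % 8)
    return bytes(out)

def sha1_int(msg: bytes) -> int:
    """SHA-1 digest as a 160-bit integer, so that differences are a simple XOR."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def avalanche(fn, msg: bytes):
    """Number of output bits changed by each single-bit change: (min, mean, max)."""
    base = fn(msg)
    changed = [bin(base ^ fn(flip_bit(msg, p))).count("1")
               for p in range(8 * len(msg))]
    return min(changed), sum(changed) / len(changed), max(changed)

def difference_patterns(fn, messages, pos: int):
    """Distinct values of fn(m) XOR fn(m with bit pos flipped) over all messages.

    One single pattern means the effect of the flip is predictable without
    knowing the message; one pattern per message means it is not.
    """
    return {fn(m) ^ fn(flip_bit(m, pos)) for m in messages}

if __name__ == "__main__":
    msgs = [b"pay %04d EUR to Bob" % n for n in range(16)]   # constructed, equal length
    lo, mean, hi = avalanche(sha1_int, msgs[0])
    print(f"SHA-1: {lo}..{hi} of 160 output bits change, mean {mean:.1f}")
    for name, fn in (("SHA-1", sha1_int), ("CRC-32", zlib.crc32)):
        n = len(difference_patterns(fn, msgs, 5))
        print(f"{name}: {n} distinct difference pattern(s) over {len(msgs)} messages")
```

SHA-1 changes about half of its 160 output bits for every flipped input bit and the pattern differs for every message, whereas CRC-32 yields the same output difference for a given flipped position whatever the message is. A CRC therefore detects accidental errors but gives no protection when the change is made deliberately.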