280 likes | 430 Vues
Hashing, MACs, RSA. Sandy Kutin CSPP 532 7/17/01. Rehash: Why do we hash?. Hash functions: boil long message down to a few bits Alice signs hash with public key: Authentication (Bob knows Alice sent it) Non-repudiation (Bob can prove Alice sent it)
E N D
Hashing, MACs, RSA Sandy Kutin CSPP 532 7/17/01
Rehash: Why do we hash? • Hash functions: boil long message down to a few bits • Alice signs hash with public key: • Authentication (Bob knows Alice sent it) • Non-repudiation (Bob can prove Alice sent it) • Data integrity; no one else can alter data • Bit commitment; used in many protocols
Rehash: What is a hash? • What makes H a hash function? • Takes any size input • Produces fixed-size output (n bits) • H(M) is easy to compute • Given h, it is hard to solve H(M) = h for M • Given N, it is hard to solve H(M) = H(N) for M (weak collision resistance) (2n steps) • It is hard to find M, N such that H(M) = H(N) (strong collision resistance) (2n/2 steps)
M1 M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Rehash: How do we hash? • Most hashes are built using a one-way compression function: m+n bits to n bits • Divide message into k blocks of m bits • hi = ƒ(Mi, hi-1) (h0 is a fixed initial value) • Output is H(M) = hk
M1 M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk A MoDESt Proposal • One idea: use encryption (e.g., DES) • h0 = IV • hi = ƒ(Mi, hi-1) = EMi(hi-1) • Problem 1: slow • Problem 2: export restrictions
M1 M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Problem 3: Insecure • Can construct 2 blocks XY, H(XY) = h • Need X, Y so that EY(EX(h0)) = h • Try 2n/2 Xs, 2n/2 Ys, see if EX(h0) = DY(h) • Birthday attack; works on DES, AES, … • Could pick M1,…,Mk-2, solve EX(hk-2) = DY(h)
Specific Hashes: MD5 • MD5 (Rivest, 1992): 128-bit hash, 512-bit blocks (similar to MD4, 1990) • (MD = Message Digest) • Simplified versions have been cryptanalyzed, but not MD5 itself • But: strong collision resistance only 64-bit • Not really long enough nowadays • Like DES: now being phased out
Specific Hashes: SHA • SHA (or SHA-1): NIST, NSA, 1995 • 160-bit hash, 512-bit blocks • Used in DSS (Digital Signature Standard) • May 30, 2001: NIST announced 3 more:
Specific Hashes: RIPEMD • RIPE-MD developed in Europe (1996-7) • RIPEMD-160: 160-bit hash, 512-bit blocks (same as SHA-1) • Comparable to SHA-1 in speed, security • Both are roughly half the speed of MD5 • American standard is SHA-1 (for now) • SHA-256, SHA-384, SHA-512 match key lengths in AES
Message Authentication Codes • A hash is public; anyone can compute it • We used digital signatures; only Alice can compute Dpa(H(M)), anyone can check • Another idea: CK(M) using secret key • Message Authentication Code (MAC) • Authentication (but not non-repudiation) • Data integrity
What makes a MAC? • What makes CK(M) a MAC? • Any size M, easy-to-compute fixed-size output • Given K, N, hard to solve CK(M) = CK(N) (weak collision resistance for Alice, Bob) • Given K, it is hard to solve CK(M) = CK(N) (strong collision resistance for Alice, Bob) • Given signed pairs (M, CK(M)), but not K, it is hard to find more (Eve can’t solve for K, find collisions, or otherwise construct a message and a valid MAC)
Encryption-Based MACs • Simplest idea: CK(M) = EK(H(M)) • Only as good as “weakest link” • Better: Encrypt in CBC mode • C1 = EK(M1) • Ci = EK(Mi Ci-1) • CK(M) is last Ci • DES-CBC is current FIPS-approved MAC • Speed, export issues; wrong tool for job
K M1 M2 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Hash-based MACs • One idea: CK(M) = H(K | M) • Effectively a hash with secret initial value • Problem: Given M, CK(M), can find CK(M | N) • Solution: HMAC (Bellare, Canetti, Krawczyk, 1996; NIST 1/01)
HMACK(M) ƒ Si M1 So Mk ƒ ƒ ƒ ƒ IV IV h1 hk-1 x HMAC • Pad n-bit key K up to m bits, if necessary • Si = K 00110110..., So = K 01011010… • First, compute x = H(Si | M), pad x to m bits • HMACK(M) = H(So | x) • Only three extra calls to ƒ
HMAC Attack • We can precompute 2 of the 3 extra calls • Use any H we want (MD5, SHA-1, …) • HMAC is secure as long as H is secure • Birthday attack fails if K is unknown • MD5 is fine HMACK(M) ƒ Si So M1 Mk ƒ ƒ ƒ ƒ IV IV h1 hk-1 x
What’s next? • We’ve discussed several primitives: • Symmetric Encryption • Hashes • Message Authentication Codes • There’s one primitive we haven’t discussed:
Public Key Infrastructure
The Key Idea • Public key uses asymmetric encryption • Bob has a public encryption function EB • Trapdoor one-way function • Easy to compute • Invertible, and Bob knows secret Db = EB-1 • For Eve to invert EB, she’d need to guess b • Alice computes EB(M); only Bob can decrypt • Diffie, 1975. Question: how do we do it?
VeRSAtile Solution • RSA (Rivest, Shamir, Adleman, 1977): • Bob computes primes p, q, and N=pq • Bob computes d,e, so de 1 mod (N) • Public key: (N, e). Private key: (N, d) • Encryption (Alice): C = EB(M) Me mod N • Decryption (Bob): M = Db(C) Cd mod N • By Euler’s Theorem: Med M mod N • So, Db(EB(M)) = M, Bob can read M
Vice VeRSA • Note that, M, Mde Med M mod N • Order doesn’t matter • Only Bob can compute S Md mod N • Anyone else can verify M Se mod N • Digital Signature • Gives us authenticity, non-repudiation • (As we’ve said: usually applied to H(M))
Factoring in Attacks • Say Eve knows N, e, C, wants to read M • Could factor N, solving for p and q • Then easy to compute (N), solve for d • How hard is it to factor? • Best known method: Number Field Sieve • Between polynomial and exponential time • Of course, no one can prove anything
How hard is factoring? • From Schneier’s Applied Cryptography: • MIPS-year: 100 MHz Pentium for a week • Rivest, 1977: 125 digits should take 40 quadrillion years • 8/1999: 512-bit prime • (155 decimal digits) • Distributed computing • Took 8000 MIPS-years • 7 months (3.7 sieving)
An ERSAtz Attack • Can Eve find (N)? Then, d e-1 mod (N). • Say we knew N = pq, (N) = (p-1)(q-1). • Then let Z = N - (N) + 1: we know Z • Z = pq - (pq - p - q + 1) + 1 = p + q • (x - p)(x - q) = x2 - Zx + N; this is solvable • So, if we knew (N), we’d know p, q • Therefore, finding (N) is as hard as factoring • This is called a reduction
Other AdveRSArial Strategies • Can Eve find d without finding (N)? • She knows ed - 1 = Q(N) for some Q • Since (N) is roughly N, she’d know (N) • Another reduction • Can Eve find t, so, M, Mte M mod N? • Yes, if p and q are chosen poorly • For good p, q: about as hard as factoring • “good p, q” means gcd(p-1, q-1) is small
Key Management • Pre-1970s, problem was key distribution • Now, Alice can look up Bob’s public key • How does she get it? Key management • Original solution: “phone book” • Who prints the book? • What if it’s compromised, or intercepted? • How do you look someone up? Unique ID? • What if Bob has multiple names, keys? • Do keys expire? What if a key is compromised?
Solution #1: DispeRSAL • One idea: Carol meets Bob face-to-face • Carol says “This is Bob’s key”, signs it • Ted knows Carol, says “This is Carol’s key, and I trust her”, signs it • Alice knows Ted; verifies chain of signatures • Flaw #1: “weakest link” • Flaw #2: >6 degrees of separation • Flaw #3: Unique IDs, expiration, ...
#2: Certificate Authorities • Next class (7/24/01)
Recommended Reading • From Stallings: • Fermat’s Theorem, Euler’s Theorem, and the function: Section 7.3 • RSA: Sections 6.1 - 6.3 (particularly 6.2, which includes fast modular exponentiation) • Hashing, MACs: Chapter 8 • Birthday attacks: Appendix 8A • HMAC: Section 9.4