1 / 28

280 likes | 430 Vues

Hashing, MACs, RSA. Sandy Kutin CSPP 532 7/17/01. Rehash: Why do we hash?. Hash functions: boil long message down to a few bits Alice signs hash with public key: Authentication (Bob knows Alice sent it) Non-repudiation (Bob can prove Alice sent it)

Télécharger la présentation
## Hashing, MACs, RSA

**An Image/Link below is provided (as is) to download presentation**
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.
Content is provided to you AS IS for your information and personal use only.
Download presentation by click this link.
While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

**Hashing, MACs, RSA**Sandy Kutin CSPP 532 7/17/01**Rehash: Why do we hash?**• Hash functions: boil long message down to a few bits • Alice signs hash with public key: • Authentication (Bob knows Alice sent it) • Non-repudiation (Bob can prove Alice sent it) • Data integrity; no one else can alter data • Bit commitment; used in many protocols**Rehash: What is a hash?**• What makes H a hash function? • Takes any size input • Produces fixed-size output (n bits) • H(M) is easy to compute • Given h, it is hard to solve H(M) = h for M • Given N, it is hard to solve H(M) = H(N) for M (weak collision resistance) (2n steps) • It is hard to find M, N such that H(M) = H(N) (strong collision resistance) (2n/2 steps)**M1**M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Rehash: How do we hash? • Most hashes are built using a one-way compression function: m+n bits to n bits • Divide message into k blocks of m bits • hi = ƒ(Mi, hi-1) (h0 is a fixed initial value) • Output is H(M) = hk**M1**M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk A MoDESt Proposal • One idea: use encryption (e.g., DES) • h0 = IV • hi = ƒ(Mi, hi-1) = EMi(hi-1) • Problem 1: slow • Problem 2: export restrictions**M1**M2 M3 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Problem 3: Insecure • Can construct 2 blocks XY, H(XY) = h • Need X, Y so that EY(EX(h0)) = h • Try 2n/2 Xs, 2n/2 Ys, see if EX(h0) = DY(h) • Birthday attack; works on DES, AES, … • Could pick M1,…,Mk-2, solve EX(hk-2) = DY(h)**Specific Hashes: MD5**• MD5 (Rivest, 1992): 128-bit hash, 512-bit blocks (similar to MD4, 1990) • (MD = Message Digest) • Simplified versions have been cryptanalyzed, but not MD5 itself • But: strong collision resistance only 64-bit • Not really long enough nowadays • Like DES: now being phased out**Specific Hashes: SHA**• SHA (or SHA-1): NIST, NSA, 1995 • 160-bit hash, 512-bit blocks • Used in DSS (Digital Signature Standard) • May 30, 2001: NIST announced 3 more:**Specific Hashes: RIPEMD**• RIPE-MD developed in Europe (1996-7) • RIPEMD-160: 160-bit hash, 512-bit blocks (same as SHA-1) • Comparable to SHA-1 in speed, security • Both are roughly half the speed of MD5 • American standard is SHA-1 (for now) • SHA-256, SHA-384, SHA-512 match key lengths in AES**Message Authentication Codes**• A hash is public; anyone can compute it • We used digital signatures; only Alice can compute Dpa(H(M)), anyone can check • Another idea: CK(M) using secret key • Message Authentication Code (MAC) • Authentication (but not non-repudiation) • Data integrity**What makes a MAC?**• What makes CK(M) a MAC? • Any size M, easy-to-compute fixed-size output • Given K, N, hard to solve CK(M) = CK(N) (weak collision resistance for Alice, Bob) • Given K, it is hard to solve CK(M) = CK(N) (strong collision resistance for Alice, Bob) • Given signed pairs (M, CK(M)), but not K, it is hard to find more (Eve can’t solve for K, find collisions, or otherwise construct a message and a valid MAC)**Encryption-Based MACs**• Simplest idea: CK(M) = EK(H(M)) • Only as good as “weakest link” • Better: Encrypt in CBC mode • C1 = EK(M1) • Ci = EK(Mi Ci-1) • CK(M) is last Ci • DES-CBC is current FIPS-approved MAC • Speed, export issues; wrong tool for job**K**M1 M2 Mk H(M) ƒ ƒ ƒ ƒ IV h1 h2 hk-1 hk Hash-based MACs • One idea: CK(M) = H(K | M) • Effectively a hash with secret initial value • Problem: Given M, CK(M), can find CK(M | N) • Solution: HMAC (Bellare, Canetti, Krawczyk, 1996; NIST 1/01)**HMACK(M)**ƒ Si M1 So Mk ƒ ƒ ƒ ƒ IV IV h1 hk-1 x HMAC • Pad n-bit key K up to m bits, if necessary • Si = K 00110110..., So = K 01011010… • First, compute x = H(Si | M), pad x to m bits • HMACK(M) = H(So | x) • Only three extra calls to ƒ**HMAC Attack**• We can precompute 2 of the 3 extra calls • Use any H we want (MD5, SHA-1, …) • HMAC is secure as long as H is secure • Birthday attack fails if K is unknown • MD5 is fine HMACK(M) ƒ Si So M1 Mk ƒ ƒ ƒ ƒ IV IV h1 hk-1 x**What’s next?**• We’ve discussed several primitives: • Symmetric Encryption • Hashes • Message Authentication Codes • There’s one primitive we haven’t discussed:**Public Key**Infrastructure**The Key Idea**• Public key uses asymmetric encryption • Bob has a public encryption function EB • Trapdoor one-way function • Easy to compute • Invertible, and Bob knows secret Db = EB-1 • For Eve to invert EB, she’d need to guess b • Alice computes EB(M); only Bob can decrypt • Diffie, 1975. Question: how do we do it?**VeRSAtile Solution**• RSA (Rivest, Shamir, Adleman, 1977): • Bob computes primes p, q, and N=pq • Bob computes d,e, so de 1 mod (N) • Public key: (N, e). Private key: (N, d) • Encryption (Alice): C = EB(M) Me mod N • Decryption (Bob): M = Db(C) Cd mod N • By Euler’s Theorem: Med M mod N • So, Db(EB(M)) = M, Bob can read M**Vice VeRSA**• Note that, M, Mde Med M mod N • Order doesn’t matter • Only Bob can compute S Md mod N • Anyone else can verify M Se mod N • Digital Signature • Gives us authenticity, non-repudiation • (As we’ve said: usually applied to H(M))**Factoring in Attacks**• Say Eve knows N, e, C, wants to read M • Could factor N, solving for p and q • Then easy to compute (N), solve for d • How hard is it to factor? • Best known method: Number Field Sieve • Between polynomial and exponential time • Of course, no one can prove anything**How hard is factoring?**• From Schneier’s Applied Cryptography: • MIPS-year: 100 MHz Pentium for a week • Rivest, 1977: 125 digits should take 40 quadrillion years • 8/1999: 512-bit prime • (155 decimal digits) • Distributed computing • Took 8000 MIPS-years • 7 months (3.7 sieving)**An ERSAtz Attack**• Can Eve find (N)? Then, d e-1 mod (N). • Say we knew N = pq, (N) = (p-1)(q-1). • Then let Z = N - (N) + 1: we know Z • Z = pq - (pq - p - q + 1) + 1 = p + q • (x - p)(x - q) = x2 - Zx + N; this is solvable • So, if we knew (N), we’d know p, q • Therefore, finding (N) is as hard as factoring • This is called a reduction**Other AdveRSArial Strategies**• Can Eve find d without finding (N)? • She knows ed - 1 = Q(N) for some Q • Since (N) is roughly N, she’d know (N) • Another reduction • Can Eve find t, so, M, Mte M mod N? • Yes, if p and q are chosen poorly • For good p, q: about as hard as factoring • “good p, q” means gcd(p-1, q-1) is small**Key Management**• Pre-1970s, problem was key distribution • Now, Alice can look up Bob’s public key • How does she get it? Key management • Original solution: “phone book” • Who prints the book? • What if it’s compromised, or intercepted? • How do you look someone up? Unique ID? • What if Bob has multiple names, keys? • Do keys expire? What if a key is compromised?**Solution #1: DispeRSAL**• One idea: Carol meets Bob face-to-face • Carol says “This is Bob’s key”, signs it • Ted knows Carol, says “This is Carol’s key, and I trust her”, signs it • Alice knows Ted; verifies chain of signatures • Flaw #1: “weakest link” • Flaw #2: >6 degrees of separation • Flaw #3: Unique IDs, expiration, ...**#2: Certificate Authorities**• Next class (7/24/01)**Recommended Reading**• From Stallings: • Fermat’s Theorem, Euler’s Theorem, and the function: Section 7.3 • RSA: Sections 6.1 - 6.3 (particularly 6.2, which includes fast modular exponentiation) • Hashing, MACs: Chapter 8 • Birthday attacks: Appendix 8A • HMAC: Section 9.4

More Related