1 / 37

Hashing and RSA Encryption in Computer Science

This lecture discusses the concepts of hashing, RSA encryption, and their applications in computer science. It also covers alternative encryption methods and the properties of cryptographic hash functions.

lars
Télécharger la présentation

Hashing and RSA Encryption in Computer Science

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 9: Hash House Harriers David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science

  2. Menu • “Quiz” Results • Hashing University of Virginia CS 551

  3. Quiz Results • Six people got everything right • Most common mistake: e * d  1 mod n should be: e * d  (mod (p – 1)(q – 1)) Why is e * d  1 mod n a bad guess? • Little correlation between how well you said you understood RSA and correctness of answers University of Virginia CS 551

  4. Selected Quiz Comments • “Wondering if we just have to understand the algorithms or do we have to memorize them.” • “On both of the problem sets, I’ve felt like its the first time I’ve seen the material applied this way.” • “I feel like we’ve hit the surface of many topics, but haven’t spent enough time to get really in depth in many of the topics.” University of Virginia CS 551

  5. Selected Quiz Comments • “Need TA’s” • Siddarth Dalai • Office hours on Tuesdays 3:30-4:30 and Fridays 2:00-3:00 in the CS department library or 113g. • My office hours: Mondays 1:30-2:30, Wednesdays after class. University of Virginia CS 551

  6. Using RSA to Encrypt • Use 1024-bit modulus (RSA recommends at least 768 bits) • Encrypt 1M file • Why does no one use RSA like this? • About 100-1000 times slower than DES • Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1) University of Virginia CS 551

  7. Alternatives • Use RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...) • Lose external authentication, non-repudiation properties of public-key cryptosystems • Sign (encrypt with private key) a hash of the message • A short block that is associated with the message University of Virginia CS 551

  8. Hashing “dog” “neanderthal” “horse” H (char s[]) = (s[0] – ‘a’) mod 10 University of Virginia CS 551

  9. Regular Hash Functions • Many-to-one: maps a large number of values to a small number of buckets • Even distribution: for typical data sets, buckets are similarly full • Efficient: H(x) is easy to compute. How well does H (char s[]) = (s[0] – ‘a’) mod 10 satisfy these properties? University of Virginia CS 551

  10. Cryptographic Hash Functions • One-way: for given h, it is hard to find x such that H(x) = h. • Collision resistance: Weak collision resistance: given x, it is hard to find y  x such that H(y) = H(x). Strong collision resistance: it is hard to find any x and y  x such that H(y) = H(x). University of Virginia CS 551

  11. Using Hashes • Alice wants to send Bob and “I owe you” message. • Bob should be able to show the message to a judge to compel Alice to pay up. • Bob should not be able to make his own “I owe you” from Alice, or change the contents of the one she sent him. University of Virginia CS 551

  12. IOU Protocol (Attempt 1) M H(M) Bob Alice M H(M) Hmmm...Bob can just make up M and H(M)! Judge University of Virginia CS 551

  13. IOU Protocol (Attempt 2) M EKA[H(M)] Bob Alice secret key KA M EKA[H(M)] Can Bob cheat? Use Diffie-Hellman to establish shared secret KA Can Alice cheat? Yes, send Bob: M, junk. Judge will think Bob cheated! Judge knows KA University of Virginia CS 551

  14. IOU Protocol (Attempt 3) M EKRA[H(M)] Bob Alice knows KUA {KUA, KRA} M EKRA[H(M)] Bob can verify H(M) by decrypting, but cannot forge M, EKRA[H(M)] pair without knowing KRA. Judge knows KUA University of Virginia CS 551

  15. Weak Collision Resistance • Suppose we use: H (char s[]) = (s[0] – ‘a’) mod 10 • Alice sends Bob: “I, Alice, owe Bob $2.”, EKRA[H (M)] • Bob sends Judge: “I, Alice, owe Bob $2000000000000000.”, EKRA[H (M)] • Judge validates EKUA[EKRA[H (M)]] = H(“I, Alice, owe Bob $2000000000000000.”)and makes Alice pay. University of Virginia CS 551

  16. Weak Collision Resistance • Given x, it should be hard to find y  x such that H(y) = H(x). • Similar to a block cipher except no need for secret key: • Changing any bit of x should change most of H(x). • The mapping between x and H(x) should be confusing (complex and non-linear). University of Virginia CS 551

  17. A Better Hash Function? • H(x) = DES (x, 0) • Weak collision resistance? • Given x, it should be hard to find y  x such that H(y) = H(x). • Yes – DES is one-to-one. (These is no such y.) • A good hash function? • No, its output is as big as the message! University of Virginia CS 551

  18. What we need: • Produce small number of bits (say 64) that depend on the whole message in a confusing, non-linear way. • Have we seen anything like this? University of Virginia CS 551

  19. Cipher Block Chaining Pn P2 P1   IV  ... DES K DES DES K K Cn C2 C1 Use last ciphertext block as hash. Depends on all plaintext blocks. University of Virginia CS 551

  20. Actual Hashing Algorithms • Based on cipher block chaining • No need for secret key or IV (just use 0) • Don’t use DES • Performance • Better to use bigger blocks • MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash • SHA [NIST95] – 512 bit blocks, 160-bit hash University of Virginia CS 551

  21. Why big hashes? • 3DES is (probably) secure with 64-bit blocks, why do secure hash functions need at least 128 bit digests? • 64 bits is fine for weak collision resistance, but we need strong collision resistance too. University of Virginia CS 551

  22. Strong Collision Resistance • It is hard to find any x and y  x such that H(y) = H(x). • Difference from weak: • Attacker gets to choose both x and y, not just y. • Scenario: • Suppose Bob gets to write IOU message, send it to Alice, and she signs it. University of Virginia CS 551

  23. IOU Request Protocol x EKRA[H(x)] Bob Alice knows KUA {KUA, KRA} y EKRA[H(x)] Bob picks x and y such that H(x) = H(y). Judge knows KUA University of Virginia CS 551

  24. Finding x and y Bob generates 210 different agreeable (to Alice) xi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2001 | 2001 AD}. University of Virginia CS 551

  25. Finding x and y Bob generates 210 different agreeable (to Bob) yi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $2000000000000000 | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2001 | 2001 AD}. University of Virginia CS 551

  26. Bob the Quadrillionaire!? • For each message xi and yi, Bob computes hxi = H(xi) and hyi = H(yi). • If hxi = hyj for some i and j, Bob sends Alice xi, gets EKRA[H(x)]back. • Bob sends the judge yj and EKRA[H(x)]. University of Virginia CS 551

  27. Chances of Success • Hash function generate 64-bit digest (n = 264) • Hash function is good (randomly distributed and diffuse) • Chance a randomly chosen message maps to a given hash value: 1 in n = 2-64 • By hashing m good messages, chance that a randomly chosen message maps to one of the m different hash values: m * 2-64 • By hashing m good messages and m bad messages: m * m * 2-64 University of Virginia CS 551

  28. Is Bob a Quadrillionaire? • m = 210 • 210 * 210 * 2-64 = 2-44 (doesn’t look good...) • Try m = 232 • 232 * 232 * 2-64 = 20 = 1 (yippee!) • Flaw: some of the messages might hash to the same value, might need more than 232 to find match. University of Virginia CS 551

  29. Dealing with duplicates • For a particular yi: • p(H(yi) =H(x)) = 1/n • p(H(yi) H(x)) = 1 -1/n • Probability that none of m different yi’s match = p(H(yi) H(x))m = (1 -1/n)m • Probability that there is at least one match = 1 - (1 -1/n)m University of Virginia CS 551

  30. Binomial Theorem (1 – a)k = 1 – ka + (k(k – 1) / 2!) a2 – (k(k – 1)(k – 2) / 3!) a3 ... For small a: (1 – a)k 1 – ka Probability that there is at least one match = 1 - (1 -1/n)m 1 – (1 – m/n) = m/n For m = 232 and n = 264: 232/264 2-32 University of Virginia CS 551

  31. Birthday “Paradox” • What is the probability that a group of k people have 2 with the same birthday? University of Virginia CS 551

  32. Birthday Paradox Ways to assign k different birthdays without duplicates: N = 365 * 364 * ... * (365 – k + 1) = 365! / (365 – k)! Ways to assign k different birthdays with possible duplicates: D = 365 * 365 * ... * 365 = 365k University of Virginia CS 551

  33. Birthday “Paradox” Assuming real birthdays assigned randomly: N/D = probability there are no duplicates 1 - N/D = probability there is a duplicates = 1 – 365! / ((365 – k!)(365)k ) For k = 48: > 95% University of Virginia CS 551

  34. Generalizing Birthdays n! (n – k)!nk P(n, k) = 1 – Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate. P(n, k) > 1 – e-k*(k-1)/2n Derived using (1 – x)  e-x. (see book) University of Virginia CS 551

  35. Applying Birthdays P(n, k) > 1 – e-k*(k-1)/2n • For n = 365, k = 48: P(365, 48) > 1 – e-48*(47)/2*365 P(365, 48) > .954 • For n = 264, k = 232: P (264, 232) > .39 • For n = 264, k = 233: P (264, 233) > .86 • For n = 264, k = 234: P (264, 234) > .9996 • For n = 2128, k = 240: P (2128, 240) > 10-15 University of Virginia CS 551

  36. Conclusion • If you’re Alice, don’t sign a hash for an IOU from Bob, unless the hash is at least 128 bits. University of Virginia CS 551

  37. CA = EKRchainmail[Time1, IDA, KUA] Charge • Full Project Proposals due Oct 4 • Next time: Guest lecture Paco Hope, chainmailinc.com chainmailinc.com KUA $$$$ Alice University of Virginia CS 551

More Related