
Chapter 9: hash function



Presentation Transcript


    1. Chapter 9: hash function Slides by Daniele Mazzocchi

    2. Definition
    - unrestricted notion of hash function h(x)
    - compression (e.g., h(x) of fixed bit length)
    - ease of computation
    - keyed and unkeyed

    3. Classification
    - MDC (manipulation detection codes) or MIC (message integrity codes): unkeyed
      - One-Way Hash Functions (OWHFs)
      - Collision Resistant Hash Functions (CRHFs)
    - MAC (message authentication codes)
      - both authentication and integrity
      - keyed
      - requires no additional mechanism

    4. Properties
    - Preimage resistance: given y, it is computationally infeasible to find a value x s.t. h(x)=y
    - 2nd preimage resistance: given x and y=h(x), it is computationally infeasible to find a value x'≠x s.t. h(x')=h(x)
    - collision resistance: it is computationally infeasible to find any two distinct values x, x' s.t. h(x)=h(x')

    5. Classification

    6. Properties of MAC
    - MAC is a family of functions h_k (parameterized by the secret key k)
    - ease of computation (if k is known!!)
    - compression: x is of arbitrary length, h_k(x) has fixed length
    - computation resistance: given some pairs (x_i, h_k(x_i)), it is infeasible to compute a new pair (x, h_k(x)) for any new x ≠ x_i

    7. Attacks
    - against MDC
      - OWHF: given y, find x s.t. h(x)=y; or given (x, h(x)), find x'≠x s.t. h(x')=h(x)
      - CRHF: find any two inputs x'≠x s.t. h(x')=h(x) (birthday attack)
    - against MAC
      - without knowing k, compute (x, h_k(x)) given (x_i, h_k(x_i)) with x_i ≠ x
      - known-text attack, chosen-text attack, adaptive chosen-text attack
      - selective and existential forgery

    8. Hash properties in application

    9. Relations between properties
    - collision resistance ⇒ 2nd preimage resistance
    - collision resistance does not guarantee preimage resistance
    - let h_k be a MAC resistant against chosen-text attack. Then h_k is both:
      - 2nd preimage and collision resistant
      - preimage resistant

    10. General model for iterated hash functions

    11. Detailed view

    12. Merkle's meta-method
    - any collision resistant compression function f can be extended to a CRHF
    - Merkle's meta-method provides an efficient way to construct a CRHF from f
    - n-bit output, r-bit chaining variable
    - a collision for h would imply a collision for f at some stage i
    - with inclusion of the length, no encoded input is a prefix of another encoded input (Merkle-Damgård strengthening)

    13. Padding
    - Ambiguous padding: append to the message as few 0-bits as necessary to make its length a multiple of the block size
    - Unambiguous padding: append a 1-bit to the message, then do ambiguous padding

    14. Security objectives

    15. Basic attacks
    - basic hash attack (repeated attempts)
    - an n-bit unkeyed hash function has ideal security if it satisfies the upper bounds for OWHF and CRHF
    - MAC: exhaustive key search (known-text attack) requires 2^t operations (t-bit key)
    - MAC guessing must require 2^n operations

    16. Basic attacks (ctd.)
    - precomputation of hash values (memory-time tradeoff)
    - parallelization
    - long-message attack for 2nd-preimage: if h is iterated and has no MD strengthening, a 2nd preimage can be found in time 2^n/s + s and space n(s + log s) bits, for 1 ≤ s ≤ min(t, 2^(n/2))
    - birthday attack on intermediate results

    17. Bitsize required
    - OWHF: n ≥ 80
    - CRHF: n ≥ 160 (birthday attack)
    - MAC: n ≥ 64 with a key of at least 64 bits
      - off-line attacks are possible given text-MAC pairs, but the properties derive from secrecy of the key (so t is important)
      - try to limit the number of queries for on-line attacks

    18. Hash functions derived from block ciphers
    - block ciphers are already available (not starting from scratch)
    - single-length (n bit) or double-length (2n bit)
      - single-length for OWHF construction
      - double-length for CRHF construction (usually n=64, so for collision resistance you need 128 bits)

    19. Single length MDCs

    20. Double length MDC: MDC-2 and MDC-4 require respectively 2 and 4 block cipher operations per block of input

    21. MD4
    - designed from scratch specifically for software implementation on 32-bit machines
    - defines auxiliary functions f, g, h
    - starting point for MD5, SHA-1 and RIPEMD
    - 128-bit output
    - broken as a CRHF: Dobbertin found collisions for meaningful messages

    22. MD4 details: pad the message, adding the encoding of the length; m blocks of 512 bits = 16m 32-bit words x_0, x_1, ..., x_(16m-1)

    23. MD5
    - additional 4th round of 16 steps, with another function k
    - change of the round 2 function
    - modification of the access order
    - modification of the shift amounts
    - no collision for the iterated construction, collision for the compression function

    24. SHA-1
    - 160 bits, five 32-bit variables used
    - four rounds, f, g, h the same as in MD4
    - every round has 20 steps
    - expansion: each 16-word message block is expanded to an 80-word block
    - modification in rotation
    - stronger than MD5

    25. RIPEMD-160
    - compression function maps a 21-word input (5-word chaining variable, 16-word message block, 32-bit words) to a 5-word output
    - more rounds than MD4
    - security comparable with SHA-1

    26. Keyed hash functions (MAC)
    - birthday attack on MACs: let h be a MAC based on an iterated compression function with an n-bit chaining variable. Forgery is possible using O(2^(n/2)) known text-MAC pairs plus a number v of chosen text-MAC pairs, 1 ≤ v ≤ 2^(n-m)

    27. CBC-MAC

    28. Security of CBC-MAC
    - the optional step prevents chosen-text existential forgery without impacting the intermediate stages
    - existential forgery: the basic CBC-MAC is secure only for messages of a fixed number of blocks. Having (x1, H1) and (x2, H2) and requesting ((x1 || z), M), it is possible to construct a new message s.t. (x2 || (H1 ⊕ z ⊕ H2), M) is valid
    - MD strengthening doesn't help

    29. MAC derived from MDC
    - the most widely used construction (e.g., IPsec, SSL)
    - three different strategies:
      - secret prefix method
      - secret suffix method
      - enveloping method

    30. Secret prefix method
    - MDC h with compression function f: H_0=IV, H_i=f(H_(i-1), x_i), h(x)=H_t
    - construction: simply prepend the secret key k, and the MAC is M=h(k||x)
    - it is possible to forge the scheme by appending y and deducing h(k||x||y) from h(k||x) without knowing k!!
    - even MD-strengthening doesn't help (it is possible to take into account the size of x)
    - the approach of using k as H_0 is also insecure

    31. Secret suffix method
    - the MAC on x is M=h(x||k)
    - a birthday attack is possible: an adversary that can choose x can construct x' for which h(x)=h(x') in O(2^(n/2)); the adversary can then construct the pair (x', M)
    - the method essentially calculates the hash and encrypts it in the final stage
    - not a good method

    32. Enveloping method with padding
    - h_k(x)=h(k||p||x||k); p is a string used to pad k to the length of one block: at least two iterations
    - better than the other two but not the best one
    - STATE OF THE ART: hash-based MAC, HMAC(x)=h(k||p1||h(k||p2||x)), where p1 and p2 are padding strings
    - quite efficient: the outer hash operates on an input of two blocks
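
The hash-based MAC of slide 32, as an added example (not code from the slides), realised the way RFC 2104 does it: the key is padded with zero bytes to one block, and the two padding strings p2 (inner) and p1 (outer) are applied by XOR with the constants ipad (0x36) and opad (0x5c) rather than by plain concatenation. The choice of SHA-256 with its 64-byte block, the key and the message are assumptions for the example; the result is checked against the standard library's `hmac` so the construction can be trusted as written.

```python
import hashlib
import hmac

# Added example, not from the slides: HMAC(x) = h(k || p1 || h(k || p2 || x))
# in its RFC 2104 form. SHA-256 (64-byte block) is an assumption.
BLOCK_SIZE = 64  # compression-function block of SHA-256, in bytes


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    # A key longer than one block is hashed first; a shorter one is padded
    # with zero bytes, so both hashes start on exactly one full key block.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    k_inner = bytes(b ^ 0x36 for b in key)   # k combined with padding string p2
    k_outer = bytes(b ^ 0x5C for b in key)   # k combined with padding string p1
    inner = hashlib.sha256(k_inner + msg).digest()
    # The outer hash sees only two blocks (k_outer, then the inner digest plus
    # the hash's own padding), which is what the slide calls "quite efficient".
    return hashlib.sha256(k_outer + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library's HMAC-SHA256."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


KEY = b"constructed-demo-key"          # constructed for the example
MSG = b"transfer 100 to account 42"    # constructed for the example

if __name__ == "__main__":
    tag = hmac_sha256(KEY, MSG)
    print("tag:", tag.hex())
    print("matches hmac module:", matches_stdlib(KEY, MSG))
    print("verify original:", verify(KEY, MSG, tag))
    print("verify altered:", verify(KEY, MSG + b"!", tag))
```

Note what changes against the slide's secret prefix method: because the key block sits in front of the *outer* hash as well, knowing `h(k||p2||x)` for one message gives an attacker no usable intermediate state for another, and `verify` never compares tags with `==`.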

    33. Integrity and authentication
    - Data integrity = data has not been altered since creation time
    - Data origin authentication = a party is corroborated as the source of specified data (includes data integrity)
    - Message authentication = analogous to data origin authentication
    - MAC doesn't provide non-repudiation
    - for guarantees about timeliness and uniqueness, additional techniques are needed

    34. Methods for data integrity

    35. Transaction authentication
    - message authentication does not provide transaction authentication, e.g., replay attack
    - use of TVPs (time-variant parameters):
      - RNs in challenge-response protocols
      - sequence numbers
      - time stamps

    36. Does encryption alone guarantee data integrity?
    - if the message has enough redundancy, integrity will derive directly from correct decryption (need of knowing the key)
    - ECB re-ordering
    - encryption of random data
    - bit manipulation in additive stream ciphers (especially known-plaintext)
    - bit manipulation in DES ciphertext blocks

    37. MDC & encryption
    - C=E_k(x||h(x))
    - security is strictly related to that of the encryption algorithm, regardless of the strength of the MDC
    - never use with an additive stream cipher if known-plaintexts are possible
    - variations: (x, E_k(h(x))), where h must be a CRHF; (E_k(x), h(x))

    38. MAC & encryption
    - use a MAC instead of an MDC
    - even if someone breaks the encryption, the MAC still provides integrity
    - main drawback: two keys to manage
    - precludes exhaustive attacks on the MAC key
    - care in choosing the combination of MAC and encryption algorithm; bad choice: CBC-MAC with CBC encryption
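
Slides 36 to 38 in code, as an added example (not from the slides): an additive stream cipher decrypts a manipulated ciphertext "cleanly", so a receiver that only decrypts never learns the message was changed, while a receiver that verifies a MAC over the ciphertext before decrypting rejects it. The stream cipher is constructed for the demonstration (keystream = SHA-256 over key and block counter), as are the keys and the message; it stands in for "additive stream cipher" and is not a cipher to deploy.

```python
import hashlib
import hmac

# Added example, not from the slides. Constructed additive stream cipher:
# keystream = SHA-256(key || counter), XORed onto the data. Keys and message
# are constructed as well.


def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # In an additive cipher encryption and decryption are the same XOR.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def xor_in_place(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    # The slide's "bit manipulation": an XOR applied to ciphertext bytes lands
    # unchanged on the decrypted plaintext, and decryption cannot notice it.
    c = bytearray(ciphertext)
    for i, m in enumerate(mask):
        c[offset + i] ^= m
    return bytes(c)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, msg: bytes):
    # Two keys to manage (slide 38), but the MAC over the ciphertext detects
    # any change no matter how malleable the cipher is.
    ct = xor_crypt(enc_key, msg)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_checked(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    # Verify first, decrypt only on success; None signals a rejected message.
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(enc_key, ct)


ENC_KEY = b"constructed-encryption-key"   # constructed
MAC_KEY = b"constructed-mac-key"          # constructed
MSG = b"PAY 0100 EUR"                      # constructed; amount at offset 4


def demo():
    """Returns what a decrypt-only receiver sees and what a MAC-checking
    receiver returns for the same manipulated ciphertext."""
    ct, tag = encrypt_then_mac(ENC_KEY, MAC_KEY, MSG)
    # Known-plaintext manipulation: turn "0100" into "9900" via the ciphertext.
    mask = bytes(a ^ b for a, b in zip(b"0100", b"9900"))
    tampered = xor_in_place(ct, 4, mask)
    unchecked = xor_crypt(ENC_KEY, tampered)                    # decrypts without error
    checked = decrypt_checked(ENC_KEY, MAC_KEY, tampered, tag)  # rejected: None
    return unchecked, checked


if __name__ == "__main__":
    seen, result = demo()
    print("decrypt-only receiver sees:", seen)
    print("MAC-checking receiver returns:", result)
```

The unchecked receiver prints `b'PAY 9900 EUR'`; the checked one returns `None`. Redundancy in the plaintext (slide 36) would not have helped here, since the altered amount is still a well-formed message.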

    39. Advanced attacks
    - birthday attacks
    - pseudo-collisions and compression function attacks
    - chaining attacks
    - attacks based on properties of the underlying cipher

    40. Birthday attack
    - based on the birthday paradox
    - running time O(2^(n/2))
    - usable against all unkeyed hash functions
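
The O(2^(n/2)) bound of slide 40, measured rather than stated, as an added example (not from the slides): SHA-256 truncated to n bits serves as a constructed n-bit hash, the inputs are the decimal counters 0, 1, 2, ... so the run is deterministic, and the number of hashes stored before the first repeat is compared with 2^(n/2). This is the reason behind the n ≥ 160 requirement of slide 17; nothing here depends on a weakness of any real hash, only on the output size.

```python
import hashlib

# Added example, not from the slides. The toy hash is SHA-256 truncated to
# n bits (an assumption that keeps n small enough to observe the bound).


def toy_hash(data: bytes, n_bits: int) -> int:
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits: int):
    """Generic birthday search: store every hash until one repeats.
    Returns (input_a, input_b, trials); trials is about 2^(n/2) on average,
    and the table holds about that many entries, which is the memory cost
    the 'memoryless variation' of slide 42 removes."""
    seen = {}
    trials = 0
    while True:
        x = str(trials).encode()        # deterministic, constructed inputs
        trials += 1
        y = toy_hash(x, n_bits)
        if y in seen:
            return seen[y], x, trials
        seen[y] = x


def birthday_bound(n_bits: int) -> int:
    """The 2^(n/2) figure the slide quotes."""
    return 1 << (n_bits // 2)


def measure(sizes=(16, 24, 32)):
    """For each output size, the trials needed versus the predicted bound."""
    rows = []
    for n in sizes:
        a, b, trials = find_collision(n)
        rows.append((n, trials, birthday_bound(n), a, b))
    return rows


if __name__ == "__main__":
    for n, trials, bound, a, b in measure():
        print(f"n={n:2d} bits: collision after {trials:7d} hashes "
              f"(2^(n/2) = {bound:6d}): {a!r} vs {b!r}")
```

The measured counts land within a small factor of 2^(n/2), which is why doubling the required output length for a CRHF (160 bits against 80 for an OWHF) buys no more than the same security margin against this attack.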

    41. Yuval's birthday attack
    - INPUT: legitimate message x1, fraudulent message x2, m-bit hash function h
    - OUTPUT: x1' and x2' s.t. h(x1')=h(x2')
    - generate t=2^(m/2) minor modifications x1' of x1
    - hash each x1' and store the hash values h(x1')
    - generate minor modifications x2' of x2, calculate h(x2') and compare it with the stored values h(x1') until a match is found
    - the collisions are real and of direct practical consequence if meaningful messages are constructed

    42. Memoryless variation
    - a deterministic mapping is used to approximate a random walk (Floyd's algorithm)
    - let g(x1, H)=x1' be a function that expresses the way in which modifications are obtained. If x1 is fixed, g_x1(H)=x1'
    - we define r; collision search is then applied to r
    - if h behaves as a random mapping, the parity of H and H' will differ when a collision is found; in this case h(g_x1(H))=h(g_x2(H'))
    - the colliding pair of variations is x1'=g_x1(H) and x2'=g_x2(H')

    43. Pseudo-collisions
    - collisions allowing different IVs for the different message inputs
    - a theoretical and not practical notion
    - trivial collision for random IVs: h(IV, x1x2)=f(f(IV, x1), x2); with IV'=f(IV, x1), h(IV', x2)=h(IV, x1x2) (collision!!)
    - MD strengthening avoids it
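
The iterated construction of slides 10 to 12 and the pseudo-collision of slide 43, as an added example (not from the slides): H_0 = IV, H_i = f(H_(i-1), x_i), h(x) = H_t with a constructed compression function f(H, x) = SHA-256(H || x) truncated to 8 bytes. Without strengthening, starting from IV' = f(IV, x1) and hashing x2 alone reproduces h(IV, x1||x2); with a final block encoding the input length the two computations diverge. The 8-byte block, the all-zero IV and the truncated compression function are assumptions; the point is the structure of the iteration, not the strength of f.

```python
import hashlib

# Added example, not from the slides. Block size, IV and the compression
# function are constructed for the demonstration.
BLOCK = 8          # bytes per block (assumption)
IV = bytes(BLOCK)  # all-zero initial chaining value (assumption)


def f(h: bytes, block: bytes) -> bytes:
    """Constructed compression function: r-bit chaining variable in, r bits out."""
    return hashlib.sha256(h + block).digest()[:BLOCK]


def split_blocks(msg: bytes):
    if len(msg) % BLOCK:
        raise ValueError("example expects whole blocks; pad first (slide 13)")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def iterated_hash(msg: bytes, iv: bytes = IV, strengthen: bool = False) -> bytes:
    """H_0 = iv, H_i = f(H_(i-1), x_i); with MD strengthening a final block
    carrying the bit length of the input is processed as well."""
    h = iv
    for block in split_blocks(msg):
        h = f(h, block)
    if strengthen:
        h = f(h, (len(msg) * 8).to_bytes(BLOCK, "big"))
    return h


def pseudo_collision(x1: bytes, x2: bytes):
    """Slide 43: with IV' = f(IV, x1), h(IV', x2) equals h(IV, x1||x2)
    when no strengthening is used. Returns both values."""
    iv2 = f(IV, x1)
    return iterated_hash(x2, iv2), iterated_hash(x1 + x2)


def strengthened_pair(x1: bytes, x2: bytes):
    """Same two computations with MD strengthening: the length blocks differ
    (|x2| versus |x1||x2|), so the outputs no longer coincide."""
    iv2 = f(IV, x1)
    return iterated_hash(x2, iv2, strengthen=True), iterated_hash(x1 + x2, strengthen=True)


X1 = b"A" * BLOCK   # constructed one-block messages
X2 = b"B" * BLOCK

if __name__ == "__main__":
    a, b = pseudo_collision(X1, X2)
    print("no strengthening :", a.hex(), b.hex(), "equal" if a == b else "differ")
    c, d = strengthened_pair(X1, X2)
    print("MD strengthening :", c.hex(), d.hex(), "equal" if c == d else "differ")
```

The same `iterated_hash` also illustrates slide 44: an attack on `f` alone is an attack on the hash with one block in place of the message, with the chaining variable playing the role of the IV.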

    44. Attacks on the compression function f
    - the chaining variable acts as IV, f as h, and a single input block x_i takes the place of the message x
    - attacks on the compression function can be extended to similar attacks on the iterated hash function (same complexity)

    45. Chaining attacks
    - correcting-block
    - meet-in-the-middle: similar to Yuval's attack but seeks a collision on an intermediate result; necessary to invert the compression function
    - fixed point: a pair (H_(i-1), x_i) s.t. f(H_(i-1), x_i)=H_(i-1); insertion of an arbitrary number of identical blocks x_i at this chain point; use MD strengthening
    - differential chaining attacks

    46. Attacks based on the underlying cipher
    - complementation property: y=E_k(x) ⇒ ȳ=E_k̄(x̄); f(H_(i-1), x_i)=E_(H_(i-1)⊕x_i)(x_i)⊕x_i produces the same output for x_i and x̄_i
    - E_k(E_k(x))=x for all x: two-step fixed point
    - E_k(x)=x
    - E_k(x)=E_k'(x)
