Collision Resistance � Preimage Resistance � Second Preimage Resistance ❀ HMAC - DocsLib

sign in sign up

<<

10/27/14

Chapters 20.1 -- 20.3

❀ Information Security Authentication Integrity Confidentiality Non-repudiation Outline ❀ Hash functions Collision resistance Preimage resistance Second preimage resistance ❀ HMAC

1 10/27/14

Authentication

❀ Identification and assurance of the origin of information, resources and people

Trudy

Bob Alice

Integrity

Tempered File Good File

Hash(Good File)

❀ Software distribution protection: For a Good File and Hash(Good File), it is infeasible to find a Tempered File such that Hash(Good File) = Hash(Tempered File)

2 10/27/14

Authentication and Integrity using Shared Secret

msg, Hash(SECRET, msg)

❀ Bob wants to ensure that nobody modifies message in transit using both integrity and authentication ❀ It is infeasible to compute Hash(SECRET, msg) without SECRET

❀ Information Security Authentication Integrity Confidentiality Non-repudiation Outline ❀ Hash functions Collision resistance Preimage resistance Second preimage resistance ❀ HMAC

3 10/27/14

Hash Functions

Message Message x Digest y

x’’ y’’ x’ y’

❀ H is a one-way function used to produce a message digest Input x: variable length message Output y: fixed length hash (“Message Digest”) of input ❀ One-way property: infeasible to invert the digest to message Given y, it should be infeasible find any x such that h(x) = y

Hash Function History

MD2, 1989

MD4, 1990

MD5, 1991 Secure Hash Algorithm 128-bit output SHA-0, 1993

SHA-1, 1995 160 bit output Race Integrity Primitive Evaluation MD RIPEMD(160, 256, 320), 2003 SHA-2 (224, 256, 384, 512), 2001

SHA-3 selection

4 10/27/14

Hash Functions in standards

❀ MD5 (Message-Digest algorithm 5) 128-bit output Designed by Ron Rivest, and used widely Security broken (summer of 2004) ❀ RIPEMD-160 160-bit variant of MD-5 RIPEMD-128, RIPEMD-256, and RIPEMD-320 ❀ SHA-1 (Secure Hash Algorithm) 160-bit output US government (NIST) standard as of 1995 - 2003 µ Also the hash algorithm for Digital Signature Standard (DSS) µ Close to be broken too (2005) ❀ SHA-256, -384 and -512 should be used

Basic Structure of SHA-1

Against padding attacks Message length (K mod 264) L x 512 bits = n x 32 bits K bits

Message 100…0

Split message into 512-bit blocks Padding 64 (1 to 512 bits) bits 512 bits 512 bits 512 bits 512 bits

Y0 Y1 ….. Yi ….. YL-1

IV 160 160 160 160 160 H H ….. H ….. H H1 Hi HL-1

Initialization Vector Hash function 160-bit 160-bit buffer (5 registers) initialized with magic values Applied to each 512-bit block digest and current 160-bit buffer.

5 10/27/14

Example: Hash Algorithms

❀ Plaintext Phishing Explained Phishing scams are typically fraudulent e-mail messages appearing to come from legimate sources like your bank, your Internet Service Provider, eBay, or PayPal, for example. These messages usually direct you to a fake web site and ask you for private informaon (e.g., password, credit card, or other account updates). The perpetrators then use this private informaon to commit identy the. Warning Signs There are oen signs that can p you oﬀ that a message may not be what it appears. The hints below can help you avoid "taking the bait." Urgent Language - Phishing aempts oen use language meant to alarm. They contain threats, urging you to take immediate acon. “You MUST click on the link below or your account will be canceled.” The Greeng - If the message doesn't speciﬁcally address you by name, be wary. Fake messages use general greengs like “Dear eBay Member” or “Aenon Cibank Customer” or no greeng at all. URLs Don’t Match - Place your mouse over the link in the e-mail message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, run. It’s probably a fake. Somemes the URLs do match and the URL is sll a fake. ❀ Digest MD5: b9af1a0d4fb4d1dcba270eae4221d5ca RipeMD160: 5f275d5517e602adc6bec1be9711094aa9a48b17 SHA-1: aca15428ff95289088b8acd46fc518a46e99af2c ❀ Online hash tool http://www.fileformat.info/tool/hash.htm

Diffusion/Avalanche Effect

❀ Plaintext: only change the first letter from P to Q Qhishing Explained Phishing scams are typically fraudulent e-mail messages appearing to come from legimate sources like your bank, your Internet Service Provider, eBay, or PayPal, for example. These messages usually direct you to a fake web site and ask you for private informaon (e.g., password, credit card, or other account updates). The perpetrators then use this private informaon to commit identy the. Warning Signs There are oen signs that can p you oﬀ that a message may not be what it appears. The hints below can help you avoid "taking the bait." Urgent Language - Phishing aempts oen use language meant to alarm. They contain threats, urging you to take immediate acon. “You MUST click on the link below or your account will be canceled.” The Greeng - If the message doesn't speciﬁcally address you by name, be wary. Fake messages use general greengs like “Dear eBay Member” or “Aenon Cibank Customer” or no greeng at all. URLs Don’t Match - Place your mouse over the link in the e-mail message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, run. It’s probably a fake. Somemes the URLs do match and the URL is sll a fake.

❀ Digest MD5: ac62191be8b2c327b2548ce69da7a8f0 SHA-1: b974c5315af1aebc9196a3cdf92966279c34352b ❀ Compare to: MD5: b9af1a0d4fb4d1dcba270eae4221d5ca SHA-1: aca15428ff95289088b8acd46fc518a46e99af2c

6 10/27/14

Hash Security: Collision Resistance

❀ It is computationally infeasible to find two different inputs, x and x’ to the hash function that have the same hash value such that hash(x) = hash(x') ❀ Collision resistance is measured by the amount of work that would be needed to find a collision for a hash function with high probability If the amount of work is 2N, then the collision resistance is N bits The estimated strength for collision resistance provided by a hash-function is half the length of the hash value, L, produced by a given cryptographic hash function µ For example, SHA-256 produces a (full-length) hash value of 256 bits µ SHA-256 provides an esmated collision resistance of 128 bits

Hash Security: Preimage resistance

❀ Given y, it should be infeasible find any x such that h(x) = y ❀ Preimage resistance is measured by the amount of work that would be needed to find a preimage for a cryptographic hash function with high probability If the amount of work is 2N, then the preimage resistance is N bits The estimated strength for preimage resistance provided by a hash-function is the length of the hash value, L, produced by a given cryptographic hash function For example, SHA-256 produces a (full-length) hash value of 256 bits; SHA-256 provides an estimated preimage resistance of 256 bits

7 10/27/14

Hash Security: 2nd preimage resistance

❀ Given an input x, it is computationally infeasible to find a second input x’ that is different from x, such that h(x) = h(x’) x: Windows 7 OS; x’: Windows 7 OS with a Trojan Measured by the amount of work that would be needed to find a second preimage for a hash function with high probability If the amount of work is 2N, then the second preimage resistance is N bits The estimated strength for second preimage resistance provided by a hash- function is the length of the hash value, L, produced by a given cryptographic hash function For example, SHA-256 produces a (full-length) hash value of 256 bits; SHA-256 provides an estimated second preimage resistance of 256 bits (SP 800-107) ❀ Comparison to Collision resistance It is computationally infeasible to find two different inputs, x and x’ to the hash function that have the same hash value such that hash(x) = hash(x')

Strengths of SHA Security Properties

SHA-1 SHA-224 SHA-256 SHA-384 SHA-512

Collision Resistance < 80 (≈60) 112 128 192 256 Strength in bits

Preimage Resistance 160 224 256 384 512 Strength in bits

Second Preimage Resistance 105-160 201-224 201-256 384 394-512 Strength in bits

8 10/27/14

Feasible attacks to Hash

❀ MD5 is/was one of the most widely used cryptographic hash functions ❀ Attack on MD5 to find collisions efficiently Finding a collision for MD5 is easily feasible About 15 minutes up to an hour computation http://www.mscs.dal.ca/~selinger/md5collision/ ❀ This attack is also able to break hash functions with certain restrictions, including HAVAL-128, MD4, RIPEMD, SHA-0 and SHA-1 ❀ SHA-1 near-collision attack needs 257.5 hashes Marc Stevens: HashClash on 11/8/2010 http://code.google.com/p/hashclash/ ❀ Today every new certificate is based on SHA-1 hash

❀ Information Security Authentication Integrity Confidentiality Non-repudiation Outline ❀ Hash functions Collision resistance Preimage resistance Second preimage resistance ❀ HMAC

9 10/27/14

HMAC

❀ The Keyed-Hash Message Authentication Code (HMAC)

❀ Uses a cryptographic key in conjunction with a hash function HMAC(key, message) = hash(key, hash(key,message)) Allow the use of any hash function, e.g., SHA-256, or SHA-512

❀ Ensures data integrity and authentication

❀ HMAC protects against attacks that modify hash values

❀ Mandatory for IP security, also used in TLS

Research Topics

❀ Password-based authentication (Chapter 20.4) ❀ One-time password systems (Chapter 20.8) ❀ OpenID and Oauth – Open identification and authorization (Chapter 20.9)

10

Web Analytics