
Chapter 5

Message Integrity

Outline
• Message Authentication Code
• Hash Function and Birthday Attack
• SHA-1 and SHA-3
• HMAC


• For passive attacks:
• For active attacks: message authentication.
Message authentication can verify the authenticity and integrity of received messages, and can also verify the order and timeliness of messages.

The authentication mechanism needs to generate an authenticator (tag): the value used to authenticate the message. There are two ways of generating the authenticator: a message authentication code (MAC) and a hash function.

Message Authentication Code

A fixed-length value, used as an authenticator (tag), generated from the message by a key-controlled public function; also called a cryptographic checksum.

Alice and Bob share a key k. Alice sends the message m together with its tag:

Generate tag (Alice): tag ← S(k, m), send (m, tag)
Verify tag (Bob): V(k, m, tag) = 'yes' ?
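The generate/verify interface in the figure above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the concrete MAC (HMAC is only introduced later in the chapter), and adds two details the figure leaves implicit but which the earlier remark about order and timeliness requires: a sequence number bound into the authenticated data, and a constant-time tag comparison. The `Sender`/`Receiver` classes and the sample messages are constructed for the demo.

```python
"""Generate/verify interface tag <- S(k, m), V(k, m, tag) from the slide, with two
practitioner details the figure leaves implicit: constant-time tag comparison and a
sequence number so the receiver can also check message order and reject replays."""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes; HMAC-SHA256 is used as the concrete MAC (an assumption for the demo)


def S(k: bytes, m: bytes) -> bytes:
    """Generate tag: tag <- S(k, m)."""
    return hmac.new(k, m, hashlib.sha256).digest()[:TAG_LEN]


def V(k: bytes, m: bytes, tag: bytes) -> bool:
    """Verify tag: V(k, m, tag) = 'yes'?  compare_digest avoids leaking, via timing,
    how many leading bytes of a guessed tag were right."""
    return hmac.compare_digest(S(k, m), tag)


class Sender:
    """Alice: authenticates seq || m so the tag also binds the message's position."""

    def __init__(self, k: bytes):
        self.k, self.seq = k, 0

    def send(self, m: bytes):
        self.seq += 1
        header = self.seq.to_bytes(8, "big")
        return header, m, S(self.k, header + m)


class Receiver:
    """Bob: accepts only if the tag verifies AND the sequence number moves forward,
    so a replayed or reordered message is rejected even though its tag is valid."""

    def __init__(self, k: bytes):
        self.k, self.last_seq = k, 0

    def receive(self, header: bytes, m: bytes, tag: bytes) -> bool:
        if not V(self.k, header + m, tag):
            return False
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True


def demo():
    """Constructed exchange between Alice and Bob sharing a random key k."""
    k = secrets.token_bytes(32)
    alice, bob = Sender(k), Receiver(k)
    msg1 = alice.send(b"pay 10 to carol")
    msg2 = alice.send(b"pay 20 to dave")
    tampered = (msg2[0], b"pay 99 to dave", msg2[2])   # same header and tag, new body
    return {
        "fresh_1": bob.receive(*msg1),
        "fresh_2": bob.receive(*msg2),
        "replay_of_1": bob.receive(*msg1),             # valid tag, stale sequence number
        "tampered": bob.receive(*tampered),            # tag no longer verifies
        "wrong_key": Receiver(secrets.token_bytes(32)).receive(*msg1),
    }


if __name__ == "__main__":
    print(demo())
```

Without the sequence number, `replay_of_1` would be accepted: a bare MAC proves who wrote a message, not when or in what order it was sent.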

Remarks

If only Alice and Bob know k, and the MAC that Bob computes matches the received MAC, then:
1. Bob believes that the message sent by Alice has not been tampered with.
2. Bob believes that the sender really is Alice (nobody is impersonating her).

A MAC algorithm resembles an encryption algorithm, except that it does not have to be reversible: it is a many-to-one function, which in general makes it less vulnerable to being broken than an encryption algorithm.

A MAC provides authentication without confidentiality. Examples: protecting public binaries on disk; protecting banner ads on web pages.

Remarks (figure: basic uses of a MAC; in each case the receiver recomputes the MAC and compares it with the received one)

(a) Message authentication only.

(b) Authenticity and confidentiality, authentication tied to the plaintext: the MAC is computed over the plaintext M, and M together with its MAC is then encrypted.

(c) Authenticity and confidentiality, authentication tied to the ciphertext: M is encrypted first, and the MAC is computed over the ciphertext.

Attacks on MAC

(1) Exhaustive key search against a MAC costs more than exhaustive key search against an encryption algorithm with the same key length. Given M || C_K(M), the attacker wants to find K; but when the tag (n bits) is shorter than the key (k bits), a single known pair does not identify K uniquely, so several (M, MAC) pairs are needed (see the next slide).

(2) Some attacks do not need to find the key used to generate the MAC at all: the attacker forges a message that carries a given authentication tag.

Attack on a MAC: Find K

Round 1: Given M_1 and MAC_1 = C_K(M_1), compute MAC_i = C_{K_i}(M_1) for all 2^k possible keys K_i. About 2^{k-n} keys produce the observed MAC_1.

Round 2: Given M_2 and MAC_2 = C_K(M_2), compute C_{K_i}(M_2) only for the 2^{k-n} keys kept from round 1; about 2^{k-2n} keys survive.

Continuing this way, if k = αn the attack needs about α rounds. For example, with an 80-bit key and a 32-bit MAC, round 1 leaves about 2^48 candidate keys, round 2 about 2^16, and round 3 identifies the correct K.
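The round-by-round narrowing described above, as an added example that is not part of the original slides. It uses toy parameters k = 16 and n = 8 (the slide's example uses k = 80 and n = 32) so the full 2^k search runs in a second, and a stand-in keyed function (HMAC-SHA256 truncated to n bits) as C_K; the (M_i, MAC_i) pairs are constructed for the demo. Only the key and tag lengths matter for the attack.

```python
"""Round-by-round key recovery against a MAC whose tag is shorter than its key.
Toy parameters (assumed for the demo; the slide's example uses k = 80, n = 32)."""
import hashlib
import hmac

KEY_BITS = 16  # k: key length in bits
TAG_BITS = 8   # n: tag length in bits


def toy_mac(key: int, message: bytes) -> int:
    """C_K(M): a stand-in keyed function (HMAC-SHA256 truncated to TAG_BITS bits).
    The attack only depends on the key and tag lengths, not on this choice."""
    key_bytes = key.to_bytes((KEY_BITS + 7) // 8, "big")
    digest = hmac.new(key_bytes, message, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - TAG_BITS)


def recover_key(pairs):
    """Exhaustive search over all 2^k keys, narrowed by one (M_i, MAC_i) pair per round.

    pairs: observed (M_i, MAC_i) with MAC_i = C_K(M_i) under the unknown key K.
    Returns (surviving candidate keys, candidate-set size after each round).
    After round r about 2^(k - r*n) false candidates remain (plus K itself), so with
    k/n = 2 the true key is normally isolated by the third pair."""
    candidates = range(1 << KEY_BITS)   # round 1: all 2^k keys
    sizes = []
    for message, tag in pairs:
        candidates = [k for k in candidates if toy_mac(k, message) == tag]
        sizes.append(len(candidates))
        if len(candidates) == 1:          # only K can be consistent with every pair
            break
    return candidates, sizes


def demo(secret_key: int = 0xBEEF):
    """Constructed scenario: the attacker has observed four (M_i, MAC_i) pairs."""
    messages = [b"transfer 100 to alice", b"transfer 200 to bob",
                b"transfer 300 to carol", b"transfer 400 to dave"]
    pairs = [(m, toy_mac(secret_key, m)) for m in messages]
    return recover_key(pairs)


if __name__ == "__main__":
    found, sizes = demo()
    print("candidate keys after each round:", sizes)
    print("recovered key:", [hex(k) for k in found])
```

The first round is the expensive one (2^k MAC evaluations); every later round only re-tests the survivors, which is why the slide counts the attack in rounds rather than in MAC evaluations.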

Attack on a MAC: Forge a Message

Let $M = X_1 \| X_2 \| \cdots \| X_m$, where each $X_i$ ($i = 1, \dots, m$) is a 64-bit block, and define
$$\Delta(M) = X_1 \oplus X_2 \oplus \cdots \oplus X_m, \qquad C_K(M) = E_K(\Delta(M)),$$
where the encryption algorithm $E$ is DES in ECB mode. Thus the key size is 56 bits and the MAC size is 64 bits. If the adversary obtains $M \| C_K(M)$, recovering $K$ by exhaustive search costs about $2^{56}$ DES operations. However, the adversary can break the scheme far more cheaply: choose any blocks $Y_1, \dots, Y_{m-1}$ and set
$$Y_m = Y_1 \oplus Y_2 \oplus \cdots \oplus Y_{m-1} \oplus \Delta(M).$$
Forge the new message $M' = Y_1 \| Y_2 \| \cdots \| Y_{m-1} \| Y_m$. Then $\Delta(M') = \Delta(M)$, so $M$ and $M'$ have the same MAC, and $M' \| C_K(M)$ is accepted without the adversary ever learning $K$.

Requirements of a MAC

A MAC should satisfy the following requirements, assuming that the adversary knows the MAC algorithm C but does not know the key K:

• Given M and C_K(M), it is computationally infeasible to construct a new message M' with C_K(M') = C_K(M).

• C_K(M) is uniformly distributed in the following sense: for two randomly chosen messages M and M', Pr[C_K(M) = C_K(M')] = 2^{-n}, where n is the size of the MAC in bits.

• If M' is a known transformation of M, i.e. M' = f(M), for example where f inverts (flips) one or more specific bits, then Pr[C_K(M) = C_K(M')] = 2^{-n}.

Data Authentication Algorithm

One of the most widely used message authentication codes (the DAA standard, based on DES, has since been withdrawn).

• The algorithm is DES in CBC mode.
• The initial vector is the zero vector.
• The data is divided into 64-bit blocks D_1, D_2, ..., D_N.
• If the last block is shorter than 64 bits, it is padded with 0s on the right.

$$O_1 = E_K(D_1), \quad O_2 = E_K(D_2 \oplus O_1), \quad O_3 = E_K(D_3 \oplus O_2), \quad \dots, \quad O_N = E_K(D_N \oplus O_{N-1}).$$

The data authentication code (DAC) is $O_N$, or the leftmost $m$ bits of $O_N$, where $16 \le m \le 64$.
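The DAA chaining above implemented as written (zero IV, zero padding, truncation to the leftmost m bits), as an added example that is not part of the original slides. DES is not in the Python standard library, so `block_encrypt` is a stand-in for $E_K$ (HMAC-SHA256 truncated to 64 bits, an assumption for the demo); the chaining structure is the DAA's. The example also shows two caveats the slide does not state: zero padding makes `abc` and `abc\x00` indistinguishable, and raw CBC-MAC with the full-width tag is only secure for messages of one fixed length, since a known tag can be spliced in as a chaining value. The key, messages and `length_extension_forgery` helper are constructed for the demo.

```python
"""Data Authentication Algorithm (CBC-MAC with a zero IV and zero padding)."""
import hashlib
import hmac

BLOCK = 8  # 64-bit DES block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES encryption of one 64-bit block, E_K (assumption: DES is not
    in the standard library; HMAC-SHA256 truncated to 64 bits is used instead).
    The chaining below is exactly the DAA's; only the block cipher differs."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def zero_pad(data: bytes) -> bytes:
    """D_1..D_N: 64-bit blocks, the last one padded with 0s on the right."""
    rem = len(data) % BLOCK
    return data + bytes(BLOCK - rem) if rem else data


def daa(key: bytes, data: bytes, m: int = 64) -> int:
    """O_1 = E_K(D_1), O_i = E_K(D_i xor O_{i-1}) with IV = 0; DAC = leftmost m bits of O_N."""
    if not 16 <= m <= 64:
        raise ValueError("DAC length m must satisfy 16 <= m <= 64")
    padded = zero_pad(data)
    prev = bytes(BLOCK)                     # zero initial vector
    for i in range(0, len(padded), BLOCK):
        block = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = block_encrypt(key, block)    # O_i
    return int.from_bytes(prev, "big") >> (64 - m)


def length_extension_forgery(m1: bytes, t1: int, m2: bytes) -> bytes:
    """Caveat not on the slide: with the full 64-bit tag, raw CBC-MAC is only secure
    for fixed-length messages. Given t1 = DAA(M1) and t2 = DAA(M2), with M1 a whole
    number of blocks, the message M1 || (first block of M2 xor t1) || rest of M2 has
    tag t2: the chaining value after M1 is t1, and XORing t1 into the next block
    cancels it, so processing continues exactly as it did for M2."""
    if len(m1) % BLOCK:
        raise ValueError("M1 must be block-aligned for this forgery")
    t1_bytes = t1.to_bytes(BLOCK, "big")
    first = bytes(a ^ b for a, b in zip(m2[:BLOCK], t1_bytes))
    return m1 + first + m2[BLOCK:]


def demo():
    """Constructed inputs: a 16-byte key and two 16-byte (two-block) messages."""
    key = b"demo-key-16bytes"
    m1, m2 = b"GET /account/42 ", b"POST /transfer a"
    t1, t2 = daa(key, m1), daa(key, m2)
    forged = length_extension_forgery(m1, t1, m2)
    return {
        "tag32_hex": format(daa(key, m1, 32), "08x"),               # truncated DAC
        "zero_pad_ambiguous": daa(key, b"abc") == daa(key, b"abc\x00"),
        "forgery_works": daa(key, forged) == t2,
        "forged_len": len(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The splice needs the full 64-bit $O_N$ as the chaining value, so truncating the DAC to $m < 64$ bits blocks this particular forgery; the standard fixes are to prepend the message length or to use a derived final-block key, as later CBC-MAC variants do.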

Outline
• Message Authentication Code
• Hash Function and Birthday Attack
• SHA-1 and SHA-3
• HMAC

Definition

A hash family is a four-tuple I = (M, T, K, H) satisfying the following conditions:
1. M is a set of possible messages;
2. T is a finite set of possible message digests or authentication tags;
3. K, the key space, is a finite set of possible keys;
4. for each k ∈ K there is a hash function H_k ∈ H, with H_k : M → T.

• Unkeyed hash function: H : M → T.
• Keyed hash function (message authentication code): H_k : M → T.

Hash Function

A hash function is a map H : {0,1}^* → {0,1}^n, n ∈ ℕ: it maps arbitrarily long strings to strings of a fixed length n.

Example: the map that sends b_1 ⋯ b_k ∈ {0,1}^* to b_1 ⊕ ⋯ ⊕ b_k (the parity of the bits, so n = 1) is a hash function.

Preimage

Given a hash function H : M → T and an element y ∈ T, find m ∈ M such that H(m) = y.
Preimage resistance: it is infeasible to find m ∈ M such that H(m) = y.

Second Preimage

Given a hash function H : M → T and an element m ∈ M, find m' ∈ M such that m' ≠ m and H(m') = H(m).
Second-preimage resistance: it is infeasible to find m' ∈ M such that m' ≠ m and H(m') = H(m).

Collision Resistance

Let H : M → T be a hash function (|M| ≫ |T|). A collision for H is a pair m_0, m_1 ∈ M such that H(m_0) = H(m_1) and m_0 ≠ m_1. A function H is collision resistant if for all (explicit) "efficient" algorithms A, Adv_CR[A, H] = Pr[A outputs a collision for H] is "negligible". Example: SHA-256 (outputs 256 bits).
• Is collision resistance weaker than preimage resistance?
• Is collision resistance stronger than second-preimage resistance?

Collision Resistance (continued)

A collision of H is a pair (m, m') ∈ M² with m ≠ m' and H(m) = H(m'). Every hash function and every compression function has collisions, because these maps are not injective. H is called weakly collision resistant (second-preimage resistant) if it is infeasible to compute a collision (m, m') for a given m ∈ M. H is called (strongly) collision resistant if it is infeasible to compute any collision (m, m') of H.

Birthday Attack

We describe a simple attack on hash functions H : Σ^* → Σ^n called the birthday attack. It attacks the strong collision resistance of H. The attack is based on the birthday paradox.

Birthday Paradox

Suppose a group of people is in a room. What is the probability that two of them have the same birthday?

Suppose there are $n$ possible birthdays and $k$ people in the room. An elementary event is a tuple $(b_1, \dots, b_k) \in \{1, 2, \dots, n\}^k$, where $b_i$ is the birthday of the $i$-th person, $1 \le i \le k$; so there are $n^k$ elementary events. We assume that the elementary events are equally probable, so each has probability $1/n^k$. Let $p$ be the probability that two people in the room have the same birthday. Then with probability $q = 1 - p$ all the birthdays are pairwise different.

Let $E$ be the set of all vectors $(g_1, \dots, g_k) \in \{1, 2, \dots, n\}^k$ whose entries are pairwise different; $E$ models the event "no shared birthday". Writing $|E|$ for the number of elements of $E$,
$$|E| = (n - 0)(n - 1) \cdots (n - (k-1)) = \prod_{i=0}^{k-1} (n - i)$$
and
$$q = \frac{(n - 0)(n - 1) \cdots (n - (k-1))}{n^k} = \frac{1}{n^k} \prod_{i=0}^{k-1} (n - i) = \prod_{i=1}^{k-1} \left(1 - \frac{i}{n}\right).$$
Since $1 + x \le e^x$ holds for all real $x$ (recall $e^{-x} = 1 - x + x^2/2! - x^3/3! + \cdots$), applying it with $x = -i/n$ gives
$$q \le \prod_{i=1}^{k-1} e^{-i/n} = e^{-\sum_{i=1}^{k-1} i/n} = e^{-k(k-1)/(2n)}.$$

Setting $q = 0.5$:
$$0.5 = e^{-k(k-1)/(2n)} \;\Rightarrow\; \ln 2^{-1} = -\frac{k(k-1)}{2n} \;\Rightarrow\; \ln 2 = \frac{k(k-1)}{2n} \;\Rightarrow\; k(k-1) = 2n \ln 2 \quad (\ln 2 \approx 0.693)$$
$$\Rightarrow\; k^2 - k - 2n \ln 2 = 0 \;\Rightarrow\; k = \frac{1 + \sqrt{1 + 8n \ln 2}}{2}.$$

If $k \ge \left(1 + \sqrt{1 + 8n \ln 2}\right)/2$, then $q \le 0.5$, i.e. two people share a birthday with probability at least $0.5$.

Birthday Attack

Assume that $\Sigma$ is an alphabet and $H : \Sigma^* \to \Sigma^n$, so there are $|\Sigma|^n$ possible hash values. Strings from $\Sigma^*$ can be chosen such that the distribution of the corresponding hash values is uniform. If $k$ strings $x \in \Sigma^*$ are chosen with
$$k \ge \frac{1 + \sqrt{1 + 8 |\Sigma|^n \ln 2}}{2},$$
then the probability that two of their hash values are equal exceeds $0.5$.

For $\Sigma = \{0, 1\}$, choosing
$$k \ge \frac{1 + \sqrt{1 + 8 \cdot 2^n \cdot \ln 2}}{2}$$
strings is sufficient to find two strings with the same hash value with probability greater than $0.5$. By the table below, computing a little more than $2^{n/2}$ hash values makes the birthday attack succeed with probability $> 0.5$. At the time of these slides, $n \ge 128$ or even $n \ge 160$ was considered necessary to prevent the birthday attack; a 160-bit output gives only about $2^{80}$ work for a generic collision, which is no longer considered an adequate margin, and current designs use $n \ge 256$ (e.g. SHA-256).

n (bit length of the hash values)     |  50    | 100    | 150    | 200
log_2 k ≈ n/2  (k ≈ 2^{n/2})          | 25.24  | 50.24  | 75.24  | 100.24
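The threshold formula, the table above, and the attack itself in code, as an added example that is not part of the original slides. `collision_probability` evaluates the exact product $q = \prod_{i=1}^{k-1}(1 - i/n)$ (for the classic $n = 365$, $k = 23$ case), `log2_threshold` reproduces the table rows, and `birthday_attack` runs the attack against SHA-256 truncated to its leftmost $n$ bits (the truncation and the `msg-i` inputs are constructed for the demo so a collision is findable in well under a second).

```python
"""Birthday bound and a birthday attack on a truncated hash."""
import hashlib
import math


def collision_probability(n: int, k: int) -> float:
    """Exact p = 1 - q, q = prod_{i=1}^{k-1} (1 - i/n): k samples from n equally likely values."""
    q = 1.0
    for i in range(1, k):
        q *= 1 - i / n
    return 1 - q


def birthday_threshold(n: float) -> float:
    """k = (1 + sqrt(1 + 8 n ln 2)) / 2: the k at which the bound q <= e^{-k(k-1)/2n} reaches 1/2."""
    return (1 + math.sqrt(1 + 8 * n * math.log(2))) / 2


def log2_threshold(n_bits: int) -> float:
    """log2 k for a hash with 2^n_bits outputs; reproduces the slide's table (n = 50 -> 25.24)."""
    return math.log2(birthday_threshold(2.0 ** n_bits))


def truncated_hash(message: bytes, n_bits: int) -> int:
    """H: {0,1}^* -> {0,1}^n, here SHA-256 cut down to its leftmost n_bits
    (truncation only so that a collision is findable quickly)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - n_bits)


def birthday_attack(n_bits: int):
    """Hash distinct messages until two digests coincide.

    Messages are the constructed strings 'msg-0', 'msg-1', ...; about 2^(n_bits/2)
    of them are needed. Returns (m0, m1, number of hashes computed), or None if the
    (generous) budget is exhausted."""
    seen = {}
    budget = 1 << (n_bits // 2 + 4)      # 16x the expected ~2^(n/2) work
    for i in range(budget):
        m = f"msg-{i}".encode()
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


if __name__ == "__main__":
    print("P(shared birthday, 23 people) =", round(collision_probability(365, 23), 4))
    for n in (50, 100, 150, 200):
        print(f"n={n:3d}: log2 k = {log2_threshold(n):.2f}")
    m0, m1, work = birthday_attack(32)
    print(f"32-bit collision after {work} hashes: {m0!r} {m1!r}")
```

The attack stores every digest it has seen, so its memory grows with the $2^{n/2}$ work; real collision searches use cycle-finding (Floyd/Brent or van Oorschot-Wiener distinguished points) to get the same work with negligible memory.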

Acknowledgement

Dan Boneh, David Brumley, and Shaoquan Jiang for PowerPoint slides and figures.
