Graphical Passwords Challenge-Response Biometrics


Authentication

slide 1 Topics today
Background: Hash Functions
Password
Graphical passwords
Challenge-Response
Biometrics

slide 2 HASH FUNCTIONS

slide 3 Hash Functions: Main Idea
[Figure: hash function H maps a message x (a bit string of any length) to an n-bit "digest" y; distinct inputs x, x', x'' map to digests y, y']
Hash function H is a lossy compression function
H(x) should look "random"
• Every bit (almost) equally likely to be 0 or 1

slide 4 Collisions
Collision: H(x)=H(x') for some inputs x≠x'
Collisions must happen
• Length of x unlimited, length of H(x) is n bits!
• Even if length of x is bounded, |x| = b with b > n, there will be collisions ("Pigeonhole principle")
• A hash function cannot be 1-to-1
Cryptographic hash function must have certain properties

slide 5 Property 1: One-Way
Intuition: hash should be hard to invert
• "Preimage resistance"
• Given random y, it should be "hard" to find any x such that h(x)=y
How hard?
• Brute-force: try every possible x, see if h(x)=y
• SHA-1 (common hash function) has 160-bit output
  – Suppose have hardware that'll do 2^30 trials a pop
  – Assuming 2^34 trials per second, can do 2^89 trials per year
  – Will take 2^71 years to invert SHA-1 on a random image

slide 6 Probability background: "Birthday Paradox"
How likely is it that some people have the same birthday in a class of T students?
If there are T=366 people in class then
• Prob(not all different birthdays | T people) = 0
How big should T be so
• Prob(not all different birthdays | T people) >= ½ ??
Let's experiment!

"Birthday Paradox" analysis
How many possibilities that are all different?
• (K)_T = K(K-1)…(K-T+1) – samples without replacement
Probability of no repetition?
$$\frac{k(k-1)(k-2)\cdots(k-t+1)}{k \cdot k \cdot k \cdots k}
= \frac{k}{k}\cdot\frac{k-1}{k}\cdots\frac{k-t+1}{k}
= 1\cdot\left(1-\frac{1}{k}\right)\left(1-\frac{2}{k}\right)\cdots\left(1-\frac{t-1}{k}\right)
\le e^{-\frac{1}{k}}\, e^{-\frac{2}{k}}\, e^{-\frac{3}{k}} \cdots e^{-\frac{t-1}{k}}
\cong e^{-\frac{t^2}{2k}}$$

Birthday Paradox continued
$$e^{-\frac{t^2}{2k}} \le \frac{1}{2}
\;\Rightarrow\; \frac{t^2}{2k} \ge \ln 2
\;\Rightarrow\; t^2 \ge 2(\ln 2)\,k = 1.38\,k
\;\Rightarrow\; t \ge \sqrt{1.38\,k}$$
Bottom line: For k=365, t=23 suffices
In general $t = \Omega(\sqrt{k})$ suffices

slide 9 Property 2: Collision Resistance
Hard to find some x≠x' such that h(x)=h(x')
Brute-force collision search is O(2^(n/2)), not O(2^n)
• n = number of bits in the output of hash function
• For SHA-1, this means O(2^80) vs. O(2^160)
Reason: birthday paradox
• Let T be the number of values x1, x2, x3, … we need to look at before finding the first pair xi≠xj s.t. h(xi)=h(xj)
• Assuming h is random, how big should T be so the probability of finding a repetition >= ½?
• Total number of possible values? K=2^n
• Conclusion: T ≈ 2^(n/2)

slide 10 Property 3: Weak Collision Resistance
Given a randomly chosen x, hard to find x' such that h(x)=h(x')
• Attacker must find collision for a specific x…
• by contrast, to break collision resistance, enough to find any collision
• Brute-force attack requires O(2^n) time
Weak collision resistance does not imply collision resistance (why?)

slide 11 Hashing vs. Encryption
Hashing is one-way. There is no "un-hashing"!
• In contrast, encryption is two-way: can decrypt a ciphertext with the decryption key
• Hashes have no equivalent of "decryption"
Hash(x) looks "random"… but can be compared for equality with Hash(x')
Hashes are also known as "cryptographic checksums"

slide 12 Application: Password Hashing
Instead of user password, store H(password)
When user enters password, compute its hash and compare with entry in password file
• System does not store actual passwords!
• Difficult to go from hash to password!
System cannot "restore" your password!
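The birthday arithmetic of slides 6-9 carried out in code, as an added example that is not part of the original slides: the exact no-repetition probability and the t ≥ √(1.38k) bound, then a birthday search for a collision in SHA-1 truncated to n bits, which shows the ~2^(n/2) cost from slide 9. The 24-bit truncation width is an assumption chosen so the search finishes instantly.

```python
from __future__ import annotations

import hashlib
import math


def prob_no_repetition(k: int, t: int) -> float:
    """Exact P(all t samples distinct) = k(k-1)...(k-t+1) / k^t (slide 8)."""
    p = 1.0
    for i in range(t):
        p *= (k - i) / k
    return p


def birthday_bound(k: int) -> int:
    """Smallest t with t^2 >= 2 (ln 2) k, i.e. t >= sqrt(1.38 k).
    For k = 365 this gives 23, the slides' 'bottom line'."""
    return math.ceil(math.sqrt(2 * math.log(2) * k))


def truncated_hash(data: bytes, n_bits: int) -> int:
    """An n-bit 'hash function': the leading n bits of SHA-1.
    Real SHA-1 has n = 160; truncating lets the search below finish quickly."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - n_bits)


def find_collision(n_bits: int, seed: bytes = b"birthday-demo") -> tuple[bytes, bytes, int]:
    """Birthday search (slide 9): hash fresh inputs until a digest repeats.
    Inputs are seed || counter, so no two inputs are ever equal.
    Returns the two colliding inputs and the number of hashes computed."""
    seen: dict[int, bytes] = {}
    count = 0
    while True:
        x = seed + count.to_bytes(8, "big")
        count += 1
        h = truncated_hash(x, n_bits)
        if h in seen:
            return seen[h], x, count
        seen[h] = x


if __name__ == "__main__":
    print("k=365: P(no repeat among 23) =", round(prob_no_repetition(365, 23), 4))
    print("k=365: birthday bound t =", birthday_bound(365))
    n = 24
    a, b, tries = find_collision(n)
    # Expected work is about 2^(n/2), nowhere near the 2^n of a preimage search.
    print(f"{n}-bit collision after {tries} hashes (2^(n/2) = {2 ** (n // 2)})")
    print(a.hex(), b.hex(), hex(truncated_hash(a, n)))
```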
slide 13 Application: Software Integrity
[Figure: software manufacturer BigFirm™ sends goodFile to the user and publishes hash(goodFile) in The Times; a virus tries to substitute badFile on the way]
Software manufacturer wants to ensure that the executable file is received by users without modification…
Sends out the file to users and publishes its hash in the NY Times
The goal is integrity, not secrecy
Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

slide 14 Which Property Do We Need?
UNIX passwords stored as hash(password)
• One-wayness: hard to recover entire password
• Are passwords random?
Integrity of software distribution
• Weak collision resistance
• But software images are not really random… maybe need full collision resistance

slide 15 Common Hash Functions
MD5
• 128-bit output
• Still used very widely
• Completely broken by now
RIPEMD-160
• 160-bit variant of MD-5
SHA-1 (Secure Hash Algorithm)
• 160-bit output
• US government (NIST) standard as of 1993-95
  – Also the hash algorithm for Digital Signature Standard (DSS)

slide 16 Overview of MD5
Designed in 1991 by Ron Rivest
Iterative design using compression function
[Figure: message blocks M1, M2, M3, M4 are fed one at a time into the compression function, chaining the intermediate hash value from IHV0 through to IHV4]

slide 17 History of MD5 Collisions
2004: first collision attack
• Only difference between colliding messages is 128 random-looking bytes
2007: chosen-prefix collisions
• For any prefix, can find colliding messages that have this prefix and differ in up to 716 random-looking bytes
2008: rogue certificates
• End of MD5
• Talk about this in more detail when discussing PKI

slide 18 Basic Structure of SHA-1
[Figure: SHA-1 structure; padding against padding attacks]
Split message into 512-bit blocks
160-bit buffer (5 registers)
Compression function initialized with magic values
• Applied to each 512-bit block and current 160-bit buffer
• This is the heart of SHA-1

slide 19 How Strong Is SHA-1?
Every bit of output depends on every bit of input
• Very important property for collision-resistance
Brute-force inversion requires 2^160 ops, birthday attack on collision resistance requires 2^80 ops
• Some recent weaknesses (2005)
• Collisions can be found in 2^63 ops

slide 20 AUTHENTICATION: PASSWORDS AND SECURITY QUESTIONS

slide 21 Basic Problem
How do you prove to someone that you are who you claim to be?
Any system with access control must solve this problem

slide 22 Many Ways to Prove Who You Are
What you know
• Passwords
• Answers to questions that only you know
Where you are
• IP address
What you are
• Biometrics
What you have
• Secure tokens

slide 23 Password-Based Authentication
User has a secret password. System checks it to authenticate the user.
How is the password communicated?
• Eavesdropping risk
How is the password stored?
• In the clear? Encrypted? Hashed?
How does the system check the password?
How easy is it to guess the password?
• Easy-to-remember passwords tend to be easy to guess
• Password file is difficult to keep secret

slide 24 Passwords and Computer Security
Physical intrusion: install sniffer or keylogger to steal passwords
Run cracking tools on password files
• Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?)
In Mitnick's "Art of Intrusion", 8 out of 9 exploits involve password stealing and/or cracking

slide 25 Default Passwords
Pennsylvania ice cream shop phone scam
• Voicemail PIN defaults to last 4 digits of phone number; criminals change message to "I accept collect call", make $8600 on a 35-hour call to Saudi Arabia
Examples from Mitnick's "Art of Intrusion"
• U.S. District Courthouse server: "public" / "public"
• NY Times employee database: pwd = last 4 SSN digits
• "Dixie bank": break into router (pwd="administrator"), then into IBM AS/400 server (pwd="administrator"), install keylogger to snarf other passwords
  – "99% of people there used 'password123' as their password"

slide 26 Storing Passwords
[Figure: user "cypherpunk" submits a password to the system; the system runs it through the hash function and compares against the password file, which holds only hashes such as t4h97t4m43, fa6326b1c2, N53uhjr438, Hgg658n53, …]

slide 27 Password Hashing
Instead of user password, store Hash(password)
When user enters password, compute its hash and compare with entry in password file
• System does not store actual passwords!
• Difficult to go from hash to password!
Hash function H must have some properties
• Given H(password), hard to find string X such that H(X)=H(password) – why?

slide 28 UNIX Password System
Uses DES encryption as if it were a hash function
• Encrypt NULL string using password as the key
  – Truncates passwords to 8 characters!
• Artificial slowdown: run DES 25 times (why?)
• Can instruct modern UNIXes to use MD5 hash function
Problem: passwords are not truly random
• With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
• Humans like to use dictionary words, human and pet names – 1 million common passwords

slide 29 Dictionary Attack
Password file /etc/passwd is world-readable
• Contains user IDs and group IDs which are used by many system programs
Dictionary attack is possible because many passwords come from a small dictionary
• Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once!!
  – This is an offline attack
  – Once password file is obtained, cracking is instantaneous
• With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

slide 30 Old Password Surveys
Klein (1990) and Spafford (1992)
• 2.7% guessed in 15 minutes, 21% in a week
• Much more computing power is available now!
U. of Michigan: 5% of passwords were "goblue"
• (cheer for their football team)
Zviran and Haga (1999)
• Password usage at a DoD facility in California
• 80% of passwords were 4-7 characters in length, 80% used alphabetic characters only, 80% of the users had never changed their password

slide 31 Password Guessing Techniques
Dictionary with words spelled backwards
First and last names, streets, cities
Same with upper-case initials
All valid license plate numbers in your state
Room numbers, telephone numbers, etc.
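An added example (not code from the original slides) tying slides 27-29 together: plain H(password) storage lets one precomputed table of H(word) answer every user at once and makes users with the same password visibly identical, whereas a per-user salt plus an artificial slowdown (the idea behind running DES 25 times on slide 28, here PBKDF2-HMAC) makes the stored values salt-dependent. The user names, passwords and five-word dictionary are constructed for the demo; the verifier uses a constant-time comparison so the check does not leak how many bytes matched.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: a tiny "dictionary" and a few users whose
# passwords come from it (slide 30's surveys suggest many real ones do).
DICTIONARY = ["password123", "goblue", "letmein", "cypherpunk", "qwerty"]
USERS = {"alice": "goblue", "bob": "password123", "carol": "goblue"}
ITERATIONS = 100_000  # artificial slowdown, analogous to the 25 DES rounds


def unsalted_hash(password: str) -> str:
    """Slide 27 scheme as stated: store H(password) and nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_record(password: str) -> tuple[bytes, bytes]:
    """What the password file stores per user: (salt, salted hash)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, stored = record
    # constant-time comparison: timing must not reveal the matching prefix length
    return hmac.compare_digest(salted_hash(password, salt), stored)


def precomputed_table(words: list[str]) -> dict[str, str]:
    """The one-time precomputation from slide 29: H(word) -> word."""
    return {unsalted_hash(w): w for w in words}


def users_exposed_by_table(table: dict[str, str], password_file: dict[str, str]) -> list[str]:
    """Users whose stored unsalted hash is in the table: one lookup each,
    no hashing at all once the table exists."""
    return [user for user, h in password_file.items() if h in table]


def compare_schemes() -> dict:
    table = precomputed_table(DICTIONARY)
    unsalted_file = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_file = {u: make_salted_record(p) for u, p in USERS.items()}
    return {
        # every dictionary password falls to the single precomputed table
        "exposed_unsalted": users_exposed_by_table(table, unsalted_file),
        # identical passwords are visible as identical entries only without salt
        "alice_carol_same_unsalted": unsalted_file["alice"] == unsalted_file["carol"],
        "alice_carol_same_salted": salted_file["alice"][1] == salted_file["carol"][1],
        # the salted scheme still authenticates correctly and rejects wrong guesses
        "verify_ok": all(verify_salted(USERS[u], r) for u, r in salted_file.items()),
        "verify_wrong": verify_salted("wrong", salted_file["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

With a salt the table must be rebuilt per user and each entry costs ITERATIONS hash evaluations, which is exactly the "only needs to be done once" advantage of slide 29 being taken away.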