Hashes, Macs & Passwords Today's Lecture Signatures Hashes Uses Of

Today’s Lecture

• Hashes and Message Authentication Codes Hashes, MACs & Passwords • Properties of Hashes and MACs • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC Computer Security Lecture 5 • Password protection • Password cracking.

Signatures Hashes

Alice has a and a signing key Ks  A hash of any message is a short string and wants to sign message M generated from that message. Plain Text  The hash of a message is always the same.

Signature: Dks(H(M))  Any small change makes the hash totally different. RSA decrypt with key ks SHA hash  It is very hard to go from the hash to the message. Clear-signed: M,Dks(H(M))  It is very unlikely that any two different messages have the same hash.

Uses of Hashing Attacks on hashes

• Download/Message verification • Preimage Attack: Find a message for a given hash: very hard. • Tying parts of a message together (hash the whole message) • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • Hash message, then sign the hash. the message. • Collision Attack: Find two “random” • Protect Passwords messages with the same hash. – Store the hash, not the password Birthday Paradox Message Authentication Codes

• How many people do you need to ask before you find 2 that have the same • MACs are hashes with a key. birthday? – Written MACKey(M)

• 23 people, gives (23*22)/2 = 253 pairs. • You can only make or check the hash, if you know the key. • Prob. that two people have a different birthday is: 364/365 • Stops guessing attacks.

• (364/365)(23*22/2) = 0.4995

Message Authentication Codes How can we make a MAC?

• MACs are sometimes used for Must have:

authentication:  A Key – E.g. in Alice and Bank share keyA, Alice sends to the bank:  Short string from long message. “Pay Bob £10”,MAC (“Pay Bob £10”)  Single bit change in message = totally different keyA hash.

Possible attack on MAC: “Length  Hard to go from the hash to the message.

extension attack” add data to a MAC  Unlikely that any two different messages have the without knowing the key same hash.

CBC Encryption CBC MAC

0000000000000

MACKey(M)

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation An Inefficient Hash Function The SHA Family of Hash

• The most common (and best) hashes are the SHA hashes.

0000000000000 • 1993, The US National Institute of 0000 0000 0000 Standards and Technology (NIST), developed a new hash SHA-0 #(M) • 1995, the NSA stepped in and “fixed” it: SHA-1 (160-bit hash).

SHA1 SHA2

• A birthday attack on SHA-1 should need • SHA2 is an improved version of SHA1 2^80 hash tests with a longer hash.

• In 2005 a 2^63 attack was found. • 256 or 512 bits: also called SHA256, SHA512. • Not really practical, but no-one trusts SHA-1 any more. • Based on SHA-1 it has some of the same weaknesses. So, even though it seems secure the cryptographers aren’t • So … SHA-2 happy.

The SHA-3 Competition The SHA-3 Competition

• Submissions opened on October 31, 2008, • Winner announced on October 2, 2012 as • Round 1 – Keccak, (Daemen et al. the AES guy) – 13 submissions rejected without comment. – 10 withdrawn by authors. – 16 rejected for design or performance. • This is too soon for it to be in standard • Inc. Sony’s APIs • Conference in Feb 2009. 14 scheme picked to go through to round 2. – Dropped schemes include • Expect this to be the standard soon. • Ron Rivest’s, • Lockheed Martin Merkle–Damgård (MD) Hashes Broken Hash to MAC

• The MD family of hashes is also popular. • If we had a Hash we could try to make a MAC by: • MD4 & MD5 used, but weak. – Only useful when we only care about MACKey(M) = H(Key,M) preimage attacks or Integrity. • But this might allow a length extension • MD6: Ron Rivest’s candidate for SHA3. attack. – Seems good & fast.

Broken Hash to MAC Broken Hash to MAC

Key Pay Bob £10 Key Pay Bob £10 Pay Elvis £10

0000000000000 0000000000000

0000 0000 0000 0000 0000 0000

MAC (Pay Bob £10, MACKey(Pay Bob £10) MACKey(Pay Bob £10) Key Pay Elvis £10)

Only Alice and the Bank know “Key” Only Alice and the Bank know “Key” Alice sends “Pay Bob £10,MACKey(Pay Bob £10)” to Bank Alice sends “Pay Bob £10,MACKey(Pay Bob £10)” to Bank Attacker Elvis can add to the message without the key

HMAC Password Protection

• To stop this (and other attacks) we use • People reuse passwords and sys admins, can HMACs: be attackers.

• To protect passwords, only the hash is • Given a hash function H we define: stored.

HMAC (M) = (K xor opad), • When a user enters a password the system K H( hashes this, and compares it to the true H( (K xor ipad), M) ) value. • If an attacker gets the password file, they opad= 0x5c5c….5c ipad= 0x3636..36 don’t get the passwords. Password Cracking Linux\Unix password file

• But: if an attacker gets the password • Password hashes use to be in shadow file /etc/passwd and public readable! – they can try to guess a password – and check if the hash of their guess is • Now in the list. – /etc/passwd user info – /etc/shadow password hashes • Truly random passwords are safe. • shadow can only be read with root level • Dictionary words are not. access.

Windows Password Hashes John The Ripper

• Windows stores its password hashes in: • State of the art, free, password cracker. system32/config/SAM • http://www.openwall.com/john/ This file requires Admin level to read. • See demo. It is locked and encrypted with a key, – More shadow based on other key values. – ./john shadow – This adds no real security

HashCat Better Security: Salt

• Claims to be the fastest password • Add some random public data to the cracker hash.

• Very good parallelisation and some • Result: pre-computed tables don’t help. good guessing tactics. • Stops rainbow tables, does nothing to • Free but closed source. stop brute force attacks.

• http://hashcat.net Slowing down the hashing. Conclusion

• Instead of applying the hash function • Computer Security people had a clever just once you can apply it 1000 times. idea to protect passwords.

• This slows down brute force attacks • They then had a even cleverer idea to 1000 times. crack passwords.

• Very small delay to log on, makes cost • Results: Passwords are a weak point. If much higher for attacker. you have physical access to a computer you can probably crack the password.

Conclusion Today’s Lecture

• Use the strongest possible hash for • Hash functions: passwords • Generates a unique short code from a large file • Uses of hashes • Enforce strong passwords. • MD5, SHA1, SHA2 • Message Authentication Codes • Salt the password list • Password protection • Password cracking. • Use access control to protect the password list from remote attackers.