DOCSLIB.ORG

Attacks on Hash Functions and Applications Attacks on Hash Functions and Applications Marc Stevens Printed by Ipskamp Drukkers AMS 2000 Subj

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Attacks on Hash Functions and Applications Attacks on Hash Functions and Applications Marc Stevens Printed by Ipskamp Drukkers AMS 2000 Subj Attacks on Hash Functions and Applications PROEFSCHRIFT ter verkrijging van de graad van Doctor aan de Universiteit Leiden, op gezag van Rector Magnificus prof. mr. P.F. van der Heijden, volgens besluit van het College voor Promoties te verdedigen op dinsdag 19 juni 2012 klokke 15.00 uur door Marc Martinus Jacobus Stevens, geboren te Hellevoetsluis in 1981 Samenstelling van de promotiecommissie: Promotores: Prof. dr. R. Cramer (CWI & Universiteit Leiden) Prof. dr. A.K. Lenstra (École Polytechnique Fédérale de Lausanne) Copromotor: Dr. B.M.M. de Weger (Technische Universiteit Eindhoven) Overige leden: Prof. dr. E. Biham (Technion) Dr. B. Schoenmakers (Technische Universiteit Eindhoven) Prof. dr. P. Stevenhagen (Universiteit Leiden) Prof. dr. X. Wang (Tsinghua University) The research in this thesis has been carried out at the Centrum Wiskunde & Informatica in the Netherlands and has been funded by the NWO VICI grant of Prof. dr. R. Cramer. Attacks on Hash Functions and Applications Attacks on Hash Functions and Applications Marc Stevens Printed by Ipskamp Drukkers AMS 2000 Subj. class. code: 94A60 NUR: 919 ISBN: 978-94-6191-317-3 Copyright © M. Stevens, Amsterdam 2012. All rights reserved. Cover design by Ankita Sonone. CONTENTS i Contents I Introduction 1 1 Hash functions 3 1.1 Authenticity and confidentiality . 3 1.2 Rise of a digital world . 4 1.3 Security frameworks . 5 1.4 Cryptographic hash functions . 8 1.5 Differential cryptanalysis . 15 2 MD5 collision attack by Wang et al. 17 2.1 Preliminaries . 17 2.2 Description of MD5 . 19 2.3 Collision attack overview . 21 2.4 Two message block collision . 23 2.5 Differential paths . 23 2.6 Sufficient conditions . 24 2.7 Collision finding . 25 2.8 Tables: differential paths and sufficient conditions . 27 II Contributions 31 3 Our contributions 33 3.1 Overview . 33 3.2 Chosen-prefix collision applications . 33 3.3 Results on MD5 . 34 3.4 Results on SHA-1 . 34 3.5 General results . 36 3.6 Recommendations . 38 3.7 Directions for further research . 39 3.8 Thesis outline . 40 4 Chosen-prefix collision abuse scenarios 43 4.1 Survey . 43 4.2 Creating a rogue Certification Authority certificate . 48 4.3 Nostradamus attack . 56 4.4 Colliding executables . 58 5 Differential cryptanalysis and paths 61 5.1 Introduction . 61 5.2 Definitions and notation . 63 5.3 Fmd4cf: MD4 based compression functions . 65 ii CONTENTS 5.4 Properties of the step functions . 69 5.5 Differential paths . 74 5.6 Differential path construction . 80 6 MD5 89 6.1 Overview . 89 6.2 Differential path construction . 89 6.3 Collision finding . 98 6.4 Identical-prefix collision attack . 101 6.5 Chosen-prefix collision attack . 102 7 SHA-0 and SHA-1 115 7.1 Overview . 116 7.2 Description of SHA-0 and SHA-1 . 117 7.3 Techniques towards collision attacks . 120 7.4 Differential path construction . 128 7.5 Differential cryptanalysis . 140 7.6 SHA-1 near-collision attack . 164 7.7 Chosen-prefix collision attack . 183 8 Detecting collision attacks 187 8.1 Extra line of defense . 187 8.2 Core principle . 188 8.3 Application to MD5 . 189 8.4 Application to SHA-1 . 192 Appendices 192 A MD5 compression function constants 193 B MD5 and SHA-1 bitconditions 195 C MD5 boolean function bitconditions 197 C.1 Bitconditions applied to boolean function F ............... 198 C.2 Bitconditions applied to boolean function G ............... 199 C.3 Bitconditions applied to boolean function H ............... 200 C.4 Bitconditions applied to boolean function I ............... 201 D MD5 chosen-prefix collision birthday search cost 203 E Rogue CA Construction 209 F SHA-1 disturbance vector analysis 219 CONTENTS iii References and indices 225 References 225 Index 234 Notation 239 List of Algorithms 240 List of Figures 240 List of Tables 240 List of Theorems 241 Nederlandse samenvatting 243 Acknowledgments 245 Curriculum Vitae 247 iv 1 Part I Introduction P g . N s . M b g g g. N g s s g. S g g g b s g s. W s , 128 s s g. Recipe 1: Old Hash Recipe 2 1 Hash functions 3 1 Hash functions Contents 1.1 Authenticity and confidentiality . 3 1.2 Rise of a digital world . 4 1.3 Security frameworks . 5 1.3.1 Information theoretic approach . 6 1.3.2 Complexity theoretic approach . 6 1.3.3 System based approach . 7 1.4 Cryptographic hash functions . 8 1.4.1 One-way functions . 8 1.4.2 Cryptographic requirements of hash functions . 8 1.4.3 General attacks . 10 1.4.4 From compression function to hash function . 11 1.4.5 The MD4 style family of hash functions . 13 1.5 Differential cryptanalysis . 15 1.1 Authenticity and confidentiality Authenticity and confidentiality have been big concerns in communications for mil- lennia. One of the first known examples of confidentially sending a message goes back to around 440 BC to “The Histories” written down by Herodotus. According to Herodotus, Histiaeus sent an important message to his son-in-law Aristagoras. As this message was very sensitive he tattooed it on the shaved head of his most-trusted slave. Later, when enough hair had grown back, he sent his slave to Aristagoras with instructions to shave the head of the slave again. There is a risk with hidden messages that somebody finds the hidden message and exposes it to unfriendly parties. This is especially the case for regular communications. Eventually the idea arose to encrypt messages so that they cannot be read even if intercepted and this has led to the development of cryptology, historically known as the art of building and breaking ciphers. Ciphers allow parties to securely communicate by encrypting their messages with some secret knowledge (the secret key) into unreadable ciphertext that can only be read by parties that possess the same secret knowledge. This form of encryption using a single secret key known to both sender and receiver is called symmetric encryption. The most famous ancient cipher, the Caesar cipher, is named after Julius Caesar who encrypted his most important messages with a secret number N by cyclically substituting each letter with the N-th next letter in the alphabet (if N = 3 then A goes to D, B to E, etc.). Authentication of messages, the act of confirming that a message really has been sent by a certain party, usually was achieved by a combination of inspecting the mes- sage (e.g., verify its signature), the ‘envelope’ (e.g., is the wax seal intact) and/or 4 1 HASH FUNCTIONS Figure 1: Symmetric Encryption the messenger (e.g., is the messenger known and/or in service of either party). Sym- metric encryption also provides some form of authentication. After all, no one else knows the secret key and is able to encrypt messages with it. However, this does not prevent the encrypted message from being purposely changed or simply repeated at an opportune moment by unfriendly parties. In general, authentication of someone (or the sender/creator of something) is achieved through mutual knowledge (such as a secret password), possession of a physical token (such as the king’s seal) and/or distinguished marks (such as a known birthmark). 1.2 Rise of a digital world With the invention of electronics, a new world was born. Digital information can be very cheaply stored and copied without loss of information. The rapid development of computers opened up a huge range of new possibilities in processing information. The explosive growth of telecommunication networks has made it very easy to quickly send information over vast distances to anywhere in the world. So not surprisingly, our society has become more and more dependent on information technologies in just a few decades. The main advantage of digital information is that there is no longer a link between the information and its carrier. It can be copied endlessly without any loss of quality. The same information can be stored on, e.g., a hard disk, USB disk, mobile phone or a DVD, or sent through an Ethernet, Wi-Fi, GSM or satellite link. This also introduces a large vulnerability as now authentication of information cannot be guaranteed anymore by simply looking at the physical carrier. Also, ciphers require two parties to first agree on a secret key. Given the vast number of possible parties in the world anyone might want to communicate privately with, establishing and storing secret keys for every possible connection between two parties becomes prohibitive. Solving these security problems and many more that arose has expanded the field of cryptography. Modern cryptography has grown into a science that encompasses much more than only ciphers and has strong links with mathematics, computer sci- ence and (quantum) physics. One of the key innovations of modern cryptography that 1.3 Security frameworks 5 Figure 2: Asymmetric or Public Key Encryption gave rise to new ideas and approaches is public key encryption (also called asymmetric encryption)[DH76, Mer78, RSA78]. Instead of using one secret key for both encryp- tion and decryption, public key encryption uses a key pair consisting of a public key for encryption and a private key for decryption. Suppose everyone publishes the public key part of their properly generated key pair in a public key listing (like a phone book). Now, securely sending a message to someone is possible without first exchanging a secret key in advance anymore, as you simply encrypt your message with his public key as found in the listing. Only he can now decrypt your ciphertext using the private key known only to him. This is a remarkable invention, although it depends heavily on the fact that no one can derive the private key from the public key.
Load more

Recommended publications
  • Increasing Cryptography Security Using Hash-Based Message
    ISSN (Print) : 2319-8613 ISSN (Online) : 0975-4024 Seyyed Mehdi Mousavi et al. / International Journal of Engineering and Technology (IJET) Increasing Cryptography Security using Hash-based Message Authentication Code Seyyed Mehdi Mousavi*1, Dr.Mohammad Hossein Shakour 2 1-Department of Computer Engineering, Shiraz Branch, Islamic AzadUniversity, Shiraz, Iran . Email : [email protected] 2-Assistant Professor, Department of Computer Engineering, Shiraz Branch, Islamic Azad University ,Shiraz ,Iran Abstract Nowadays, with the fast growth of information and communication technologies (ICTs) and the vulnerabilities threatening human societies, protecting and maintaining information is critical, and much attention should be paid to it. In the cryptography using hash-based message authentication code (HMAC), one can ensure the authenticity of a message. Using a cryptography key and a hash function, HMAC creates the message authentication code and adds it to the end of the message supposed to be sent to the recipient. If the recipient of the message code is the same as message authentication code, the packet will be confirmed. The study introduced a complementary function called X-HMAC by examining HMAC structure. This function uses two cryptography keys derived from the dedicated cryptography key of each packet and the dedicated cryptography key of each packet derived from the main X-HMAC cryptography key. In two phases, it hashes message bits and HMAC using bit Swapp and rotation to left. The results show that X-HMAC function can be a strong barrier against data identification and HMAC against the attacker, so that it cannot attack it easily by identifying the blocks and using HMAC weakness.
    [Show full text]
  • Tuto Documentation Release 0.1.0
    Tuto Documentation Release 0.1.0 DevOps people 2020-05-09 09H16 CONTENTS 1 Documentation news 3 1.1 Documentation news 2020........................................3 1.1.1 New features of sphinx.ext.autodoc (typing) in sphinx 2.4.0 (2020-02-09)..........3 1.1.2 Hypermodern Python Chapter 5: Documentation (2020-01-29) by https://twitter.com/cjolowicz/..................................3 1.2 Documentation news 2018........................................4 1.2.1 Pratical sphinx (2018-05-12, pycon2018)...........................4 1.2.2 Markdown Descriptions on PyPI (2018-03-16)........................4 1.2.3 Bringing interactive examples to MDN.............................5 1.3 Documentation news 2017........................................5 1.3.1 Autodoc-style extraction into Sphinx for your JS project...................5 1.4 Documentation news 2016........................................5 1.4.1 La documentation linux utilise sphinx.............................5 2 Documentation Advices 7 2.1 You are what you document (Monday, May 5, 2014)..........................8 2.2 Rédaction technique...........................................8 2.2.1 Libérez vos informations de leurs silos.............................8 2.2.2 Intégrer la documentation aux processus de développement..................8 2.3 13 Things People Hate about Your Open Source Docs.........................9 2.4 Beautiful docs.............................................. 10 2.5 Designing Great API Docs (11 Jan 2012)................................ 10 2.6 Docness.................................................
    [Show full text]
  • Cryptanalysis of Substitution-Permutation Networks Using Key-Dependent Degeneracy*
    Cryptanalysis of Substitution-Permutation Networks Using Key-Dependent Degeneracy* Howard M. Heys Electrical Engineering, Faculty of Engineering and Applied Science Memorial University of Newfoundland St. John’s, Newfoundland, Canada A1B 3X5 Stafford E.Tavares Department of Electrical and Computer Engineering Queen’s University Kingston, Ontario, Canada K7L 3N6 * This research was supported by the Natural Sciences and Engineering Research Council of Canada and the Telecommunications Research Institute of Ontario and was completed during the first author’s doctoral studies at Queen’s University. Cryptanalysis of Substitution-Permutation Networks Using Key-Dependent Degeneracy Keywords Ð Cryptanalysis, Substitution-Permutation Network, S-box Abstract Ð This paper presents a novel cryptanalysis of Substitution- Permutation Networks using a chosen plaintext approach. The attack is based on the highly probable occurrence of key-dependent degeneracies within the network and is applicable regardless of the method of S-box keying. It is shown that a large number of rounds are required before a network is re- sistant to the attack. Experimental results have found 64-bit networks to be cryptanalyzable for as many as 8 to 12 rounds depending on the S-box properties. ¡ . Introduction The concept of Substitution-Permutation Networks (SPNs) for use in block cryp- tosystem design originates from the “confusion” and “diffusion” principles in- troduced by Shannon [1]. The SPN architecture considered in this paper was first suggested by Feistel [2] and consists of rounds of non-linear substitutions (S-boxes) connected by bit permutations. Such a cryptosystem structure, referred 1 to as LUCIFER1 by Feistel, is a simple, efficient implementation of Shannon’s concepts.
    [Show full text]
  • A Full Key Recovery Attack on HMAC-AURORA-512
    A Full Key Recovery Attack on HMAC-AURORA-512 Yu Sasaki NTT Information Sharing Platform Laboratories, NTT Corporation 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan [email protected] Abstract. In this note, we present a full key recovery attack on HMAC- AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires 2257 queries and the off-line com- plexity is 2259 AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512. This attack does not recover the outer-key of HMAC-AURORA-384, but universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks. Our attack exploits some weaknesses in the mode of operation. keywords: AURORA, DMMD, HMAC, Key recovery attack 1 Description 1.1 Mode of operation for AURORA-512 We briefly describe the specification of AURORA-512. Please refer to Ref. [2] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding, then, the padded message is divided into 512-bit message blocks (M0;M1;:::;MN¡1). 256 512 256 In AURORA-512, compression functions Fk : f0; 1g £f0; 1g ! f0; 1g 256 512 256 512 and Gk : f0; 1g £ f0; 1g ! f0; 1g , two functions MF : f0; 1g ! f0; 1g512 and MFF : f0; 1g512 ! f0; 1g512, and two initial 256-bit chaining U D 1 values H0 and H0 are defined .
    [Show full text]
  • The First Collision for Full SHA-1
    The first collision for full SHA-1 Marc Stevens1, Elie Bursztein2, Pierre Karpman1, Ange Albertini2, Yarik Markov2 1 CWI Amsterdam 2 Google Research [email protected] https://shattered.io Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks. Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes. A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack. In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents. We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 263:1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years. As a result while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.
    [Show full text]
  • Related-Key and Key-Collision Attacks Against RMAC
    Related-Key and Key-Collision Attacks Against RMAC Tadayoshi Kohno CSE Department, UC San Diego 9500 Gilman Drive, MC-0114 La Jolla, California 92093-0114, USA IACR ePrint archive 2002/159, 21 October 2002, revised 2 December 2002. Abstract. In [JJV02] Jaulmes, Joux, and Valette propose a new ran- domized message authentication scheme, called RMAC, which NIST is currently in the process of standardizing [NIS02]. In this work we present several attacks against RMAC. The attacks are based on a new protocol- level related-key attack against RMAC and can be considered variants of Biham’s key-collision attack [Bih02]. These attacks provide insights into the RMAC design. We believe that the protocol-level related-key attack is of independent interest. Keywords: RMAC, key-collision attacks, related-key attacks. 1 Introduction Jaulmes, Joux, and Valette’s RMAC construction [JJV02] is a new ran- domized message authentication scheme. Similar to Petrank and Rackoff’s DMAC construction [PR97] and Black and Rogaway’s ECBC construc- tion [BR00], the RMAC construction is a CBC-MAC variant in which an input message is first MACed with standard CBC-MAC and then the resulting intermediate value is enciphered with one additional block ci- pher application. Rather than using a fixed key for the last block cipher application (as DMAC and ECBC do), RMAC enciphers the last block with a randomly chosen (but related) key. One immediate observation is that RMAC directly exposes the underlying block cipher to a weak form of related-key attacks [Bih93]. We are interested in attacks that do not exploit some related-key weakness of the underlying block cipher, but rather some property of the RMAC mode itself.
    [Show full text]
  • Cryptanalysis of a Reduced Version of the Block Cipher E2
    Cryptanalysis of a Reduced Version of the Block Cipher E2 Mitsuru Matsui and Toshio Tokita Information Technology R&D Center Mitsubishi Electric Corporation 5-1-1, Ofuna, Kamakura, Kanagawa, 247, Japan [email protected], [email protected] Abstract. This paper deals with truncated differential cryptanalysis of the 128-bit block cipher E2, which is an AES candidate designed and submitted by NTT. Our analysis is based on byte characteristics, where a difference of two bytes is simply encoded into one bit information “0” (the same) or “1” (not the same). Since E2 is a strongly byte-oriented algorithm, this bytewise treatment of characteristics greatly simplifies a description of its probabilistic behavior and noticeably enables us an analysis independent of the structure of its (unique) lookup table. As a result, we show a non-trivial seven round byte characteristic, which leads to a possible attack of E2 reduced to eight rounds without IT and FT by a chosen plaintext scenario. We also show that by a minor modification of the byte order of output of the round function — which does not reduce the complexity of the algorithm nor violates its design criteria at all —, a non-trivial nine round byte characteristic can be established, which results in a possible attack of the modified E2 reduced to ten rounds without IT and FT, and reduced to nine rounds with IT and FT. Our analysis does not have a serious impact on the full E2, since it has twelve rounds with IT and FT; however, our results show that the security level of the modified version against differential cryptanalysis is lower than the designers’ estimation.
    [Show full text]
  • A New Approach in Expanding the Hash Size of MD5
    374 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 10, No. 2, August 2018 A New Approach in Expanding the Hash Size of MD5 Esmael V. Maliberan, Ariel M. Sison, Ruji P. Medina Graduate Programs, Technological Institute of the Philippines, Quezon City, Philippines Abstract: The enhanced MD5 algorithm has been developed by variants and RIPEMD-160. These hash algorithms are used expanding its hash value up to 1280 bits from the original size of widely in cryptographic protocols and internet 128 bit using XOR and AND operators. Findings revealed that the communication in general. Among several hashing hash value of the modified algorithm was not cracked or hacked algorithms mentioned above, MD5 still surpasses the other during the experiment and testing using powerful bruteforce, since it is still widely used in the domain authentication dictionary, cracking tools and rainbow table such as security owing to its feature of irreversible [41]. This only CrackingStation, Hash Cracker, Cain and Abel and Rainbow Crack which are available online thus improved its security level means that the confirmation does not need to demand the compared to the original MD5. Furthermore, the proposed method original data but only need to have an effective digest to could output a hash value with 1280 bits with only 10.9 ms confirm the identity of the client. The MD5 message digest additional execution time from MD5. algorithm was developed by Ronald Rivest sometime in 1991 to change a previous hash function MD4, and it is commonly Keywords: MD5 algorithm, hashing, client-server used in securing data in various applications [27,23,22].
    [Show full text]
  • Historical Ciphers • A
    ECE 646 - Lecture 6 Required Reading • W. Stallings, Cryptography and Network Security, Chapter 2, Classical Encryption Techniques Historical Ciphers • A. Menezes et al., Handbook of Applied Cryptography, Chapter 7.3 Classical ciphers and historical development Why (not) to study historical ciphers? Secret Writing AGAINST FOR Steganography Cryptography (hidden messages) (encrypted messages) Not similar to Basic components became modern ciphers a part of modern ciphers Under special circumstances modern ciphers can be Substitution Transposition Long abandoned Ciphers reduced to historical ciphers Transformations (change the order Influence on world events of letters) Codes Substitution The only ciphers you Ciphers can break! (replace words) (replace letters) Selected world events affected by cryptology Mary, Queen of Scots 1586 - trial of Mary Queen of Scots - substitution cipher • Scottish Queen, a cousin of Elisabeth I of England • Forced to flee Scotland by uprising against 1917 - Zimmermann telegram, America enters World War I her and her husband • Treated as a candidate to the throne of England by many British Catholics unhappy about 1939-1945 Battle of England, Battle of Atlantic, D-day - a reign of Elisabeth I, a Protestant ENIGMA machine cipher • Imprisoned by Elisabeth for 19 years • Involved in several plots to assassinate Elisabeth 1944 – world’s first computer, Colossus - • Put on trial for treason by a court of about German Lorenz machine cipher 40 noblemen, including Catholics, after being implicated in the Babington Plot by her own 1950s – operation Venona – breaking ciphers of soviet spies letters sent from prison to her co-conspirators stealing secrets of the U.S. atomic bomb in the encrypted form – one-time pad 1 Mary, Queen of Scots – cont.
    [Show full text]
  • The QARMA Block Cipher Family
    The QARMA Block Cipher Family Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes Roberto Avanzi Qualcomm Product Security, Munich, Germany [email protected], [email protected] Abstract. This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the con- struction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of a FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated to {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints de- termined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the art manufacturing process are reported.
    [Show full text]
  • On Recent Attacks Against Cryptographic Hash Functions
    On recent attacks against Cryptographic Hash Functions Martin Ekerå & Henrik Ygge 1 Outline ‣ First part ‣ Preliminaries ‣ Which cryptographic hash functions exist? ‣ What degree of security do they offer? ‣ An introduction to Wang’s attack ‣ Second part ‣ Wang’s attack applied to MD5 ‣ Demo 2 Part I 3 Operators Symbol Meaning x ⊞ y Addition modulo 2n x ⊟ y Subtraction modulo 2n x ⊕ y Exclusive OR x ⋀ y Bitwise AND x ⋁ y Bitwise OR ¬ x The negation of x. x ≪ s Shifting of x by s bits to the left. x ⋘ s Rotation of x by s bits to the left. 4 Bitwise Functions Function IF (x, y, z) (x ⋀ y) ⋁ ((¬ x) ⋀ z) XOR (x, y, z) x ⊕ y ⊕ z MAJ (x, y, z) (x ⋀ y) ⋁ (y ⋀ z) ⋁ (z ⋀ x) XNO (x, y, z) y ⊕ ((¬ z) ⋁ x) ‣ The functions above are all bitwise. 5 Hash Functions ‣ A hash function maps elements from a finite or infinite domain, into elements of a fixed size domain. 6 Attacks on Hash Functions ‣ Collision attack Find m and m’ ≠ m such that H(m) = H(m’). ‣ First pre-image attack Given h find m such that h = H(m). ‣ Second pre-image attack Given m find m’ ≠ m such that H(m) = H(m’). 7 Attack Complexities ‣ Collision attack Naïve complexity O(2n/2) due to the birthday paradox. ‣ First pre-image attack Naïve complexity O(2n) ‣ Second pre-image attack Naïve complexity O(2n) 8 Cryptographic Hash Functions ‣ It is desirable for a cryptographic hash function to be collision resistant, first pre-image resistant and second pre-image resistant.
    [Show full text]
  • Hashes, Macs & Authenticated Encryption Today's Lecture Hashes
    Today’s Lecture • Hashes and Message Authentication Codes Hashes, MACs & • Properties of Hashes and MACs Authenticated Encryption • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC ICS Lecture 4 • Authenticated Encryption – CCM Hashes Signatures l A hash of any message is a short string • Using RSA Epub(Dpriv(M)) = M generated from that message. • This can be used to sign messages. l The hash of a message is always the same. l Any small change makes the hash totally • Sign a message with the private key and this can be different. verified with the public key. l It is very hard to go from the hash to the message. • Any real crypto suite will not use the same key for encryption and signing. l It is very unlikely that any two different messages have the same hash. – as this can be used to trick people into decrypting. Signatures Uses of Hashing Alice has a signing key Ks • Download/Message verification and wants to sign message M Plain Text • Tying parts of a message together (hash the whole message) Detached Signature: Dks(#(M)) RSA decrypt with key ks SHA hash • Hash message, then sign the hash. • Protect Passwords Signed: M,Dks(#(M)) – Store the hash, not the password 1 Attacks on hashes Birthday Paradox • Preimage Attack: Find a message for a • How many people do you need to ask given hash: very hard. before you find 2 that have the same birthday? • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • 23 people, gives (23*22)/2 = 253 pairs.
    [Show full text]