
10/27/14

Chapters 20.1 -- 20.3

❀ Information Security
  - Authentication
  - Integrity
  - Confidentiality
  - Non-repudiation

Outline

❀ Hash functions
  - Collision resistance
  - Preimage resistance
  - Second preimage resistance
❀ HMAC

Authentication

❀ Identification and assurance of the origin of information, resources and people

[Figure: Alice, Bob and Trudy]

Integrity

[Figure: Good File, Hash(Good File), Tampered File]

❀ Software distribution protection:
  - For a Good File and Hash(Good File), it is infeasible to find a Tampered File such that Hash(Good File) = Hash(Tampered File)

Authentication and Integrity using Shared Secret

msg, Hash(SECRET, msg)

❀ Bob wants to ensure, using both integrity and authentication, that nobody modifies the message in transit
❀ It is infeasible to compute Hash(SECRET, msg) without SECRET

Hash Functions

[Figure: messages x, x’, x’’ mapped to digests y, y’, y’’]

❀ H is a one-way function used to produce a message digest
  - Input x: variable length message
  - Output y: fixed length hash (“Message Digest”) of input
❀ One-way property: infeasible to invert the digest to message
  - Given y, it should be infeasible to find any x such that h(x) = y

Hash Function History

  - MD2, 1989; MD4, 1990; MD5, 1991 (128-bit output)
  - Secure Hash Algorithm: SHA-0, 1993; SHA-1, 1995 (160-bit output)
  - Race Integrity Primitive Evaluation MD: RIPEMD (160, 256, 320), 2003
  - SHA-2 (224, 256, 384, 512), 2001
  - SHA-3 selection

Hash Functions in standards

❀ MD5 (Message-Digest algorithm 5)
  - 128-bit output
  - Designed by Ron Rivest, and used widely
  - Security broken (summer of 2004)
❀ RIPEMD-160
  - 160-bit variant of MD-5
  - RIPEMD-128, RIPEMD-256, and RIPEMD-320
❀ SHA-1 (Secure Hash Algorithm)
  - 160-bit output
  - US government (NIST) standard as of 1995 - 2003
    - Also the hash algorithm for Digital Signature Standard (DSS)
    - Close to being broken too (2005)
❀ SHA-256, -384 and -512 should be used

Basic Structure of SHA-1

[Figure: the K-bit message is followed by padding 100…0 (1 to 512 bits) and a 64-bit message length field (K mod 2^64, against padding attacks), so that the padded message is L x 512 bits = n x 32 bits. The padded message is split into 512-bit blocks Y0, Y1, ….., Yi, ….., YL-1. Starting from the Initialization Vector IV, a 160-bit buffer (5 registers) initialized with magic values, the hash function H is applied to each 512-bit block and the current 160-bit buffer, giving H1, ….., Hi, ….., HL-1 and finally the 160-bit digest.]

Example: Hash Algorithms

❀ Plaintext

Phishing Explained
Phishing scams are typically fraudulent e-mail messages appearing to come from legitimate sources like your bank, your Internet Service Provider, eBay, or PayPal, for example. These messages usually direct you to a fake web site and ask you for private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
Warning Signs
There are often signs that can tip you off that a message may not be what it appears. The hints below can help you avoid "taking the bait."
Urgent Language - Phishing attempts often use language meant to alarm. They contain threats, urging you to take immediate action. “You MUST click on the link below or your account will be canceled.”
The Greeting - If the message doesn't specifically address you by name, be wary. Fake messages use general greetings like “Dear eBay Member” or “Attention Citibank Customer” or no greeting at all.
URLs Don’t Match - Place your mouse over the link in the e-mail message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, run. It’s probably a fake. Sometimes the URLs do match and the URL is still a fake.

❀ Digest
  - MD5: b9af1a0d4fb4d1dcba270eae4221d5ca
  - RipeMD160: 5f275d5517e602adc6bec1be9711094aa9a48b17
  - SHA-1: aca15428ff95289088b8acd46fc518a46e99af2c
❀ Online hash tool http://www.fileformat.info/tool/hash.htm

Diffusion/Avalanche Effect

❀ Plaintext: only change the first letter from P to Q

Qhishing Explained
Phishing scams are typically fraudulent e-mail messages appearing to come from legitimate sources like your bank, your Internet Service Provider, eBay, or PayPal, for example. These messages usually direct you to a fake web site and ask you for private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
Warning Signs
There are often signs that can tip you off that a message may not be what it appears. The hints below can help you avoid "taking the bait."
Urgent Language - Phishing attempts often use language meant to alarm. They contain threats, urging you to take immediate action. “You MUST click on the link below or your account will be canceled.”
The Greeting - If the message doesn't specifically address you by name, be wary. Fake messages use general greetings like “Dear eBay Member” or “Attention Citibank Customer” or no greeting at all.
URLs Don’t Match - Place your mouse over the link in the e-mail message. If the URL displayed in the window of your browser is not exactly the same as the text of the link provided in the message, run. It’s probably a fake. Sometimes the URLs do match and the URL is still a fake.

❀ Digest
  - MD5: ac62191be8b2c327b2548ce69da7a8f0
  - SHA-1: b974c5315af1aebc9196a3cdf92966279c34352b
❀ Compare to:
  - MD5: b9af1a0d4fb4d1dcba270eae4221d5ca
  - SHA-1: aca15428ff95289088b8acd46fc518a46e99af2c

Hash Security: Collision Resistance

❀ It is computationally infeasible to find two different inputs, x and x’, to the hash function that have the same hash value, such that hash(x) = hash(x’)
❀ Collision resistance is measured by the amount of work that would be needed to find a collision for a hash function with high probability
  - If the amount of work is 2^N, then the collision resistance is N bits
  - The estimated strength for collision resistance provided by a hash function is half the length of the hash value, L, produced by a given cryptographic hash function
    - For example, SHA-256 produces a (full-length) hash value of 256 bits
    - SHA-256 provides an estimated collision resistance of 128 bits

Hash Security: Preimage resistance

❀ Given y, it should be infeasible to find any x such that h(x) = y
❀ Preimage resistance is measured by the amount of work that would be needed to find a preimage for a cryptographic hash function with high probability
  - If the amount of work is 2^N, then the preimage resistance is N bits
  - The estimated strength for preimage resistance provided by a hash function is the length of the hash value, L, produced by a given cryptographic hash function
  - For example, SHA-256 produces a (full-length) hash value of 256 bits; SHA-256 provides an estimated preimage resistance of 256 bits

Hash Security: 2nd preimage resistance

❀ Given an input x, it is computationally infeasible to find a second input x’ that is different from x, such that h(x) = h(x’)
  - x: Windows 7 OS; x’: Windows 7 OS with a Trojan
  - Measured by the amount of work that would be needed to find a second preimage for a hash function with high probability
  - If the amount of work is 2^N, then the second preimage resistance is N bits
  - The estimated strength for second preimage resistance provided by a hash function is the length of the hash value, L, produced by a given cryptographic hash function
  - For example, SHA-256 produces a (full-length) hash value of 256 bits; SHA-256 provides an estimated second preimage resistance of 256 bits (SP 800-107)
❀ Comparison to Collision resistance
  - It is computationally infeasible to find two different inputs, x and x’, to the hash function that have the same hash value, such that hash(x) = hash(x’)

Strengths of SHA

Security Properties (strength in bits)   SHA-1         SHA-224   SHA-256   SHA-384   SHA-512
Collision Resistance                     < 80 (≈60)    112       128       192       256
Preimage Resistance                      160           224       256       384       512
Second Preimage Resistance               105-160       201-224   201-256   384       394-512

Feasible attacks to Hash

❀ MD5 is/was one of the most widely used cryptographic hash functions
❀ Attack on MD5 to find collisions efficiently
  - Finding a collision for MD5 is easily feasible
  - About 15 minutes up to an hour computation
  - http://www.mscs.dal.ca/~selinger/md5collision/
❀ This attack is also able to break hash functions with certain restrictions, including HAVAL-128, MD4, RIPEMD, SHA-0 and SHA-1
❀ SHA-1 near-collision attack needs 2^57.5 hashes
  - Marc Stevens: HashClash on 11/8/2010
  - http://code.google.com/p/hashclash/
❀ Today every new certificate is based on SHA-1 hash

HMAC

❀ The Keyed-Hash Message Authentication Code (HMAC)
❀ Uses a cryptographic key in conjunction with a hash function
  - HMAC(key, message) = hash(key, hash(key, message))
  - Allows the use of any hash function, e.g., SHA-256 or SHA-512
❀ Ensures data integrity and authentication
❀ HMAC protects against attacks that modify hash values
❀ Mandatory for IP security, also used in TLS

Research Topics

❀ Password-based authentication (Chapter 20.4)
❀ One-time password systems (Chapter 20.8)
❀ OpenID and OAuth – Open identification and authorization (Chapter 20.9)
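The Diffusion/Avalanche Effect slide changes P to Q, which is a single-bit change in the input (0x50 to 0x51). The following is an added example, not part of the original slides: it measures how many digest bits change for that edit and averages the effect over every possible single-bit flip. The function names and the short sample strings (only the title line of the slide's plaintext) are constructed for illustration.

```python
import hashlib

# Constructed sample input: only the title line of the slide's plaintext.
P_TEXT = b"Phishing Explained"
Q_TEXT = b"Qhishing Explained"

def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def digest_distance(m1: bytes, m2: bytes, algo: str = "sha1"):
    """Return (bits that differ between the two digests, digest length in bits)."""
    d1 = hashlib.new(algo, m1).digest()
    d2 = hashlib.new(algo, m2).digest()
    return hamming(d1, d2), len(d1) * 8

def mean_avalanche(message: bytes, algo: str = "sha1") -> float:
    """Flip each input bit in turn; return the mean fraction of digest bits changed."""
    base = hashlib.new(algo, message).digest()
    nbits = len(message) * 8
    total = 0
    for i in range(nbits):
        flipped = bytearray(message)
        flipped[i // 8] ^= 1 << (i % 8)      # flip exactly one input bit
        total += hamming(base, hashlib.new(algo, bytes(flipped)).digest())
    return total / (nbits * len(base) * 8)

if __name__ == "__main__":
    print("input bits changed by P -> Q:", hamming(P_TEXT, Q_TEXT))
    for algo in ("sha1", "sha256"):
        changed, size = digest_distance(P_TEXT, Q_TEXT, algo)
        print(f"{algo}: {changed}/{size} digest bits differ, "
              f"mean over all single-bit flips = {mean_avalanche(P_TEXT, algo):.3f}")
```

A mean close to 0.5 is what a digest with good diffusion should show: each output bit flips with probability about one half for any one-bit input change.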
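The hash security slides state that collision resistance is about L/2 bits while second preimage resistance is about L bits. The following added example (not from the original slides) makes that gap measurable by truncating SHA-256 to a small L so both searches finish; the truncation, the function names and the input strings are assumptions made for the demonstration.

```python
import hashlib
from itertools import count

def truncated_hash(data: bytes, bits: int) -> int:
    """Toy L-bit hash: the top `bits` bits of SHA-256(data)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Birthday search: any two distinct inputs with equal digests will do."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1       # (x, x', hashes computed)
        seen[h] = msg

def find_second_preimage(x: bytes, bits: int):
    """Fixed-target search: x' must match the digest of the given x."""
    want = truncated_hash(x, bits)
    for i in count():
        candidate = b"candidate-%d" % i
        if candidate != x and truncated_hash(candidate, bits) == want:
            return candidate, i + 1          # (x', hashes computed)

if __name__ == "__main__":
    L = 20  # constructed toy digest length; full SHA-256 has L = 256
    x, x2, work = find_collision(L)
    print(f"collision {x!r} / {x2!r} after {work} hashes "
          f"(2^(L/2) = {2 ** (L // 2)})")
    target = b"Windows 7 OS"  # stand-in for the slide's x
    x3, work2 = find_second_preimage(target, L)
    print(f"second preimage {x3!r} after {work2} hashes (2^L = {2 ** L})")
```

The collision search succeeds after roughly 2^(L/2) hashes because it may match any earlier digest, while the second preimage search must hit one fixed digest and needs on the order of 2^L.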
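The HMAC slide writes the construction in shorthand as hash(key, hash(key, message)). The following added example (not from the original slides) spells out the padded-key form standardized in RFC 2104 for SHA-256, checks it against Python's own hmac module, and shows Bob's verification step from the shared-secret slide rejecting a modified message. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes its input in 64-byte (512-bit) blocks

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || message))."""
    if len(key) > BLOCK_SIZE:                 # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()

def send(key: bytes, message: bytes):
    """Alice's side: transmit the message together with its tag."""
    return message, hmac_sha256(key, message)

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

# Constructed sample values, not taken from the slides.
SECRET = b"constructed-shared-secret"
MSG = b"pay 100 to Bob"

if __name__ == "__main__":
    msg, tag = send(SECRET, MSG)
    reference = hmac.new(SECRET, MSG, hashlib.sha256).digest()
    print("matches stdlib hmac:", tag == reference)
    print("untouched message accepted:", verify(SECRET, msg, tag))
    print("modified message accepted:", verify(SECRET, b"pay 900 to Bob", tag))
    print("wrong key accepted:", verify(b"guess", msg, tag))
```

Verification uses hmac.compare_digest rather than == so that the comparison time does not depend on how many leading bytes of a forged tag happen to be correct.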