Today’s Lecture • Hashes and Message Authentication Codes Hashes, MACs & Passwords • Properties of Hashes and MACs • CBC-MAC, MAC -> HASH (slow), • SHA1, SHA2, SHA3 Tom Chothia • HASH -> MAC, HMAC Computer Security Lecture 5 • Password protection • Password cracking. Signatures Hashes Alice has a and a signing key Ks A hash of any message is a short string and wants to sign message M generated from that message. Plain Text The hash of a message is always the same. Signature: Dks(H(M)) Any small change makes the hash totally different. RSA decrypt with key ks SHA hash It is very hard to go from the hash to the message. Clear-signed: M,Dks(H(M)) It is very unlikely that any two different messages have the same hash. Uses of Hashing Attacks on hashes • Download/Message verification • Preimage Attack: Find a message for a given hash: very hard. • Tying parts of a message together (hash the whole message) • Prefix Collision Attack: a collision attack where the attacker can pick a prefix for • Hash message, then sign the hash. the message. • Collision Attack: Find two “random” • Protect Passwords messages with the same hash. – Store the hash, not the password Birthday Paradox Message Authentication Codes • How many people do you need to ask before you find 2 that have the same • MACs are hashes with a key. birthday? – Written MACKey(M) • 23 people, gives (23*22)/2 = 253 pairs. • You can only make or check the hash, if you know the key. • Prob. that two people have a different birthday is: 364/365 • Stops guessing attacks. • (364/365)(23*22/2) = 0.4995 Message Authentication Codes How can we make a MAC? • MACs are sometimes used for Must have: authentication: A Key – E.g. in Alice and Bank share keyA, Alice sends to the bank: Short string from long message. “Pay Bob £10”,MAC (“Pay Bob £10”) Single bit change in message = totally different keyA hash. Possible attack on MAC: “Length Hard to go from the hash to the message. extension attack” add data to a MAC Unlikely that any two different messages have the without knowing the key same hash. CBC Encryption CBC MAC 0000000000000 MACKey(M) http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation An Inefficient Hash Function The SHA Family of Hash • The most common (and best) hashes are the SHA hashes. 0000000000000 • 1993, The US National Institute of 0000 0000 0000 Standards and Technology (NIST), developed a new hash SHA-0 #(M) • 1995, the NSA stepped in and “fixed” it: SHA-1 (160-bit hash). SHA1 SHA2 • A birthday attack on SHA-1 should need • SHA2 is an improved version of SHA1 2^80 hash tests with a longer hash. • In 2005 a 2^63 attack was found. • 256 or 512 bits: also called SHA256, SHA512. • Not really practical, but no-one trusts SHA-1 any more. • Based on SHA-1 it has some of the same weaknesses. So, even though it seems secure the cryptographers aren’t • So … SHA-2 happy. The SHA-3 Competition The SHA-3 Competition • Submissions opened on October 31, 2008, • Winner announced on October 2, 2012 as • Round 1 – Keccak, (Daemen et al. the AES guy) – 13 submissions rejected without comment. – 10 withdrawn by authors. – 16 rejected for design or performance. • This is too soon for it to be in standard • Inc. Sony’s APIs • Conference in Feb 2009. 14 scheme picked to go through to round 2. – Dropped schemes include • Expect this to be the standard soon. • Ron Rivest’s, • Lockheed Martin Merkle–Damgård (MD) Hashes Broken Hash to MAC • The MD family of hashes is also popular. • If we had a Hash we could try to make a MAC by: • MD4 & MD5 used, but weak. – Only useful when we only care about MACKey(M) = H(Key,M) preimage attacks or Integrity. • But this might allow a length extension • MD6: Ron Rivest’s candidate for SHA3. attack. – Seems good & fast. Broken Hash to MAC Broken Hash to MAC Key Pay Bob £10 Key Pay Bob £10 Pay Elvis £10 0000000000000 0000000000000 0000 0000 0000 0000 0000 0000 MAC (Pay Bob £10, MACKey(Pay Bob £10) MACKey(Pay Bob £10) Key Pay Elvis £10) Only Alice and the Bank know “Key” Only Alice and the Bank know “Key” Alice sends “Pay Bob £10,MACKey(Pay Bob £10)” to Bank Alice sends “Pay Bob £10,MACKey(Pay Bob £10)” to Bank Attacker Elvis can add to the message without the key HMAC Password Protection • To stop this (and other attacks) we use • People reuse passwords and sys admins, can HMACs: be attackers. • To protect passwords, only the hash is • Given a hash function H we define: stored. HMAC (M) = (K xor opad), • When a user enters a password the system K H( hashes this, and compares it to the true H( (K xor ipad), M) ) value. • If an attacker gets the password file, they opad= 0x5c5c….5c ipad= 0x3636..36 don’t get the passwords. Password Cracking Linux\Unix password file • But: if an attacker gets the password • Password hashes use to be in shadow file /etc/passwd and public readable! – they can try to guess a password – and check if the hash of their guess is • Now in the list. – /etc/passwd user info – /etc/shadow password hashes • Truly random passwords are safe. • shadow can only be read with root level • Dictionary words are not. access. Windows Password Hashes John The Ripper • Windows stores its password hashes in: • State of the art, free, password cracker. system32/config/SAM • http://www.openwall.com/john/ This file requires Admin level to read. • See demo. It is locked and encrypted with a key, – More shadow based on other key values. – ./john shadow – This adds no real security HashCat Better Security: Salt • Claims to be the fastest password • Add some random public data to the cracker hash. • Very good parallelisation and some • Result: pre-computed tables don’t help. good guessing tactics. • Stops rainbow tables, does nothing to • Free but closed source. stop brute force attacks. • http://hashcat.net Slowing down the hashing. Conclusion • Instead of applying the hash function • Computer Security people had a clever just once you can apply it 1000 times. idea to protect passwords. • This slows down brute force attacks • They then had a even cleverer idea to 1000 times. crack passwords. • Very small delay to log on, makes cost • Results: Passwords are a weak point. If much higher for attacker. you have physical access to a computer you can probably crack the password. Conclusion Today’s Lecture • Use the strongest possible hash for • Hash functions: passwords • Generates a unique short code from a large file • Uses of hashes • Enforce strong passwords. • MD5, SHA1, SHA2 • Message Authentication Codes • Salt the password list • Password protection • Password cracking. • Use access control to protect the password list from remote attackers..