Computer Security Integrity

Computer Security Integrity

Computer security Integrity Olivier Markowitch Hash functions A hash function, h, converts a binary string of arbi- trary size into a fixed-size n-bit string If the input size > n then collisions happen 1 Hash functions properties Compression: converts a binary string of arbitrary size into a fixed-size n-bit string computation efficiency: h(x) must be efficiently com- putable 2 Hash functions in cryptography Hash functions are used in: • manipulation detection codes (MDC): to manage data integrity • message authentication codes (MAC): to manage data integrity and source authentication MDCs are divided into two classes: one-way hash functions (OWHF) and collision resistant hash func- tions (CRHF) 3 Cryptographic hash functions Cryptographic hash functions have additional proper- ties : let x and x0 be inputs and let y and y0 be the corresponding outputs 1. preimage resistance: for at most all output y of h(), it must be computationally infeasible to find a preimage x0 such that h(x0) = y 2. second preimage resistance: given x and y = h(x), it must be computationally infeasible to find a second preimage x0 6= x such that h(x) = h(x0) 3. collision resistance: it must be computationally infeasible to find two inputs x and x0 such that h(x) = h(x0) 4 Definitions A one-way hash function (OWHF) is a hash function that respects the properties of preimage resistance and second preimage resistance One-way hash functions are also called weak one-way hash functions A collision resistant hash function (CRHF) is a hash function that respects the properties of second preim- age resistance and collision resistance Collision resistant hash functions are also called strong one-way hash functions 5 Keyed and unkeyed hash functions A message authentication code (MAC) is a functions hk() parameterized by a secret key k and that re- spects the following properties: 1. efficiency: for a known function hk(), given a value k and an input x, hk(x) is easy to compute 2. compression: hk() maps an input x of arbitrary finite soze to an output hk(x) of fixed length n 3. computation-resistance: for a value of k unknown to an adversary, given zero or more pairs (xi; hk(xi)), it is computationally infeasible to compute any pair (x; hk(x)) for any new input x 6= xi Detection manipulation code (MDC) are unkeyed hash functions 7 Iterative hash function h(x) = g(Ht) 8 <H0 = initial value :Hi = f(Hi−1; xi) with i 2 [1; t] x = x1 : : : xt with jxij = r for i 2 [1; t] 9 Hash function: ideal security An unkeyed hash function that produces n-bit outputs is said to have an ideal security if: 1. given a hash output, producing a preimage or a second preimage requires approximately 2n op- erations n 2. producing a collision requires approximately 22 operations 10 MDC in practice Manipulation detection codes can be: • build using a symmetric bloc cipher 11 MDC in practice Manipulation detection codes can be: • build using a symmetric bloc cipher • customized hash functions: MD4, MD5, SHA-1, RIPEMD-160 15 MDC in practice Manipulation detection codes can be: • build using a symmetric bloc cipher • customized hash functions: MD4, MD5, SHA-1, RIPEMD-160 • build using modular arithmetic: MASH-1 22 MAC in practice Message authentication codes can be: • build using symmetric bloc ciphers 24 CBC-MAC If the optional part is not realized: Let x a one-bloc input Let M = CBC-MAC(x) CBC-MAC(M) = CBC-MAC(x j0 ::: 0) where j is the concatenation and where the size x j0 ::: 0 is two blocs 26 MAC in practice Message authentication codes can be: • build using symmetric bloc ciphers • build using MDC 27 MAC in practice A MAC can be constructed from an MDC algorithm by including a secret key k as part of the MDC input If the MDC follows an iterative construction 8 >H0 = initial value <> Hi = f(Hi−1; xi) avec i 2 [1; t] > :h(x) = Ht Then MAC(x) where x = x1 : : : xt can be build as hk(x) = h(kjx). This construction must be avoided The construction hk(x) = h(xjk) can be dangerous if collisions can be found for the function h() Therefore, it is suggested to compute hk(x) = h(kjxjk) 28 MAC in practice: HMAC Let opad (outer padding) be a bloc = 0x5c5c5c5c5c Let ipad (inner padding) be a bloc = 0x3636363636 HMAC(k; x) = h ((k ⊕ opad) jh ((k ⊕ ipad) jx)) 29 MAC in practice Message authentication codes can be: • build using symmetric bloc ciphers • build using MDC • customized hash functions: MAA, MD5-MAC 30 Integrity Data integrity ensures that a data has not been al- tered in an unauthorized manner (no matter that the data is stored or transmitted) data source authentication is based on a shared se- cret key (but the entities that share the secret key can not be distinguished) When mechanisms that prevent reply attacks are used, we have transaction authentication 34 Integrity Integrity can be obtained with: • error detection/correction mechanisms • message authentication code (MAC) • manipulation detection code (MDC) used with an authenticated channel • encryption • MDC + encryption • MAC + encryption 35 MAC+ encryption hk(x) = Ek(xjhk0(x)) But, we have to avoid: • k = k0 • hk0 = CBC-MAC without the optional part • Ek = symmetric bloc encryption in CBC mode that is identical than the one used in the CBC- MAC • same initial value in CBC-MAC and in Ek 37 Birthday paradox When considering 23 people, the probability that at least two of them have their birthday on the same day (not taking into account the year of birth) is approxi- matively equal to 50 percent 38 Birthday paradox Let h be a hash function, h : X ! Z, where X and Z are finite sets such that jXj > jZj. Let jXj = m and jZj = n Consider k messages xi 2 X chosen randomly (with i 2 [1; k] What is the probability that two different xi have the same image (i.e. produce a collision)? zi = h(xi) for i 2 [1; k] We can consider that the zi are random values (what is reasonable when considering the output of a cryp- tographic hash function) since the xi are chosen ran- domly 39 Birthday paradox The probability that all the zi are distinct is: 1 2 k − 1 k−1 i 1 1 − 1 − ::: 1 − = Y 1 − n n n i=1 n 1 where 1 is the probability to draw z1, 1 − n is the i probability to draw z2 6= z1, ::: , 1 − n is the prob- ability to draw a zi distinct from z1; : : : ; zi−1 40 Birthday paradox k−1 k−1 Y i Y − i 1 − ≈ e n i=1 n i=1 −x x2 x3 −x because e = 1 − x + 2! − 3! ::: , and e ≈ 1 − x if x is small i k here x = n with at most x = n and k ≤ n i i −n Therefore: 1 − n ≈ e 41 Birthday paradox k−1 ( 1) Y i −1 Pk−1 i − k− k 1 − ≈ e n i=1 = e 2n i=1 n because n n(n + 1) X i = i=1 2 42 Birthday paradox Let P 0 be the probability that there is no collision, we have: k−1 i Y 1 − = P 0 i=1 n −(k−1)k P 0 ≈ e 2n 0 (k−1)k ln(P ) ≈ − 2n 2n ln(P 0) ≈ −(k − 1)k 2 ln( 1 ) 2 n P 0 ≈ k − k 2 ln( 1 ) 2 n P 0 ≈ k (by neglecting k in comparison with k2) 43 Birthday paradox q 2 ln( 1 ) 2 2 ln( 1 ) n P 0 ≈ k , donc n P 0 ≈ k Let P be the probability that there is at least one col- lission: P = 1 − P 0 q 1 2n ln(1−P ) ≈ k 1 If P = 2: q 2n ln(2) ≈ k p 1; 386n ≈ k p 1; 177 n ≈ k p k is in O( n) 44 Birthday paradox If the outputs of a cryptographic hash function are on 64 bits (jZj = 264), when testing 232 messages the 1 probability to find a collision surpasses 2 r More generally, if jZj = 2r, when testing 22 mes- 1 sages the probability to find a collision surpasses 2 This explain the ideal security of cryptographic hash functions 45 Birthday paradox If X = fhumansg and Z = every 365 days (birth- p days), jZj = 365 = n, we have: 1; 177 n = p 1; 177 365 ≈ 23 When considering 23 people, the probability to find two people out of the 23 that have their birthday the 1 same day surpasses 2 3 p With P = 4, we have k ≈ 1; 66 n,, therefore if n = 365 we have k ≈ 32 With P = 99%, we have k ≈ 58 46.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    47 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us