Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing Hash functions SHA-3 Competition: The Quest for Long-Term Security inin CryptographicCryptographic HashingHashing Bart Preneel • MDC (manipulation detection code) COSIC – Katholieke UniverUniversiteitsiteit Leuven, Belgium bart.preneel(AT)esat.kuleuven.be • Protect short hash value rather than long text BeNeLux OWASP Day 2 December 2009 This is an input to a crypto- graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an input hashing to a given value (a www.ecrypt.eu.org preimage) or to find two colliding inputs (a collision). 2 Hash function flavours Outline • definitions and background cryptographic hash function • generic attacks this talk • attacks on iterated constructions: the rise and fall of MD MAC MDC • MD4, MD5, SHA-0, SHA-1 • SHA-2 • SHA-3: the NIST AHS competition OWHF CRHF UOWHF • SHA-4 (TCR) • conclusions 3 4 Informal definitions (1) Security requirements (n-bit result) • no secret parameters preimage 2nd preimage collision • input string x of arbitrary length ⇒ output h(x) of fixed bitlength n ? x ≠ ? ≠ ? • computation “easy” ? • One Way Hash Function (OWHF) h h h h h — preimage resistance — 2nd preimage resistance h(x) h(x) h(x’) h(x) h(x’) • Collision Resistant Hash Function (CRHF): OWHF + = = — collision resistant 2n 2n 2n/2 5 birthday paradox6 Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing Applications Applications (2) • digital signatures: OWHF/CRHF, `destroy algebraic structure‘ • Collision resistance is not always necessary • information authentication: protect authenticity of hash result • protection of passwords: preimage resistant • Other properties are needed: • confirmation of knowledge/commitment: OWHF/CRHF — pseudo-randomness if keyed (with secret key) — near-collision resistance • pseudo-random string generation/key derivation — partial preimage resistance • micropayments (e.g., micromint) — multiplication freeness • construction of MAC algorithms, stream ciphers, block ciphers — indifferentiable from random oracle • (redundancy: hash result appended to data before encryption) • Hard to formalize Until 2005: 800 uses of MD5 in Windows 7 8 Brute force (2nd) preimage Brute force attacks in practice • Finding a single second preimage: 2n • parallel (2nd) preimage search • Multiple (2t) target second preimage (1 out of many): 2n-t — n = 128: 90 M$ for 1 year if one out of 248 targets 38 • Multiple target second preimage (many out of many) [Hellman’80] — n = 128: 90 B$ for 1 year if one out of 2 targets • Precomputation: 2n • parallel collision search • Storage: 22n/3 — n = 128: 1 M$ for 12 hours (or 1 year on 60K PCs) • inversion of one message in time: 22n/3 — n = 160: 90 M$ for 1 year • answer: randomize hash function — need 256-bit result for long term security (25 years or more) —salt, spice, “key”: parameter to index family of functions 9 10 Quantum computers Outline • In principle exponential parallelism • definitions and background • generic attacks • Inverting a one-way function: 2n reduced to 2n/2 [Grover’96] • attacks on iterated constructions: the rise and fall of MD • Collision search: 2n/2 no improvement in spite of claims • MD4, MD5, SHA-0, SHA-1 • SHA-2 • SHA-3: the NIST AHS competition • SHA-4 • conclusions 11 13 Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing Hash function: iterated structure Security relation between f and h • Iterating f can degrade its security nd IV H1 H2 H3 — trivial example: 2 preimage f f f f g IV H H H 1 2 3 g x1 x2 x3 x4 f f f f Split messages into blocks of fixed length and hash x1 x2 x3 x4 them block by block with a compression function f IV = H1 H2 H3 Efficient and elegant f f f g But many problems… x2 x3 x4 14 15 Security relation between f and h Attacks on MD: 1999-2006 • Solution: Merkle-Damgard (MD) strengthening (popular!) • multi-collision attack [Joux’04] fix IV, use unambiguous padding and insert length at the end — the concatenation of 2 iterated hash functions is as most as strong as the strongest of the two (even if both are independent) — cost of collision attack against g at most n1 . 2n2/2 + 2n1/2 << 2(n1 + n2)/2 • [MD’89] f is collision resistant ⇒ h is collision resistant • [Lai-Massey’92] f is 2nd preimage resistant ⇔ h is 2nd preimage resistant ? h1 h2 g(x) = h1(x) || h2(x) • other problems: — long message 2nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier’05] — herding attack [Kelsey-Kohno’06] 16 17 Improving MD iteration Summary • degradation with use: salting (family of functions, randomization) • strong output transformation g (which includes total length and salt) • counter in every iteration • larger internal memory: known as wide pipe Many concrete proposals in the SHA-3 competition 18 19 Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing Outline MDx-type hash function history • definitions and background MD4 Ext. MD4 90 • generic attacks MD5 91 • attacks on iterated constructions: the rise and fall of MD 92 • MD4, MD5, SHA-0, SHA-1 HAVAL RIPEMD • SHA-2 SHA(-0) 93 • SHA-3: the NIST AHS competition SHA-1 94 • SHA-4 RIPEMD-160 95 • conclusions SHA-2 02 20 SHA-3 12 21 The complexity of collision attacks MD5 [Rivest’91] Brute force: 4 million PCs or US$ 100K hardware (1 year) • 4 rounds (64 steps) 90 • pseudo-collisions [denBoer-Bosselaers’93] 80 • collisions for compression function [Dobbertin’96] 70 MD4 • collisions for hash function 60 MD5 — [Wang+’04] – 15 minutes 50 — … SHA-0 40 — [Stevens+’09] – milliseconds SHA-1 — brute force (264): 1M$ 10 hours in ’09 30 •2nd preimage in 2123 [Sasaki-Aoki’09] 20 Brute force 10 • Popularity: 0 — License-free — 10 times faster than DES 92 92 00 02 04 06 08 — Export restrictions in the 90s less stringent for hash functions than for block ciphers 19 19 1994 1996 1998 20 20 20 20 20 22 23 MD5 SHA-1 [NIST’95] • Advice (RIPE since ‘92, RSA • fix to SHA-0 (published ’93, today collisions in 1 hour) since ‘96): stop using MD5 • Largely ignored by industry • collisions for SHA-1 (click on a cert...) • 70 steps in 244 – highly structured [De Cannière-Rechberger’06]: • 70 steps 239 (4 days on a PC) [Joux-Peyrin’07] • 269 [Wang+’05] • Can this be improved? [Wang+’05 - unpublished], [Sugita+’06 ], Mendel+’08 - unpublished], [McDonald+’09 - unpublished] • preimages for 48/80 steps in 2160-ε [Aoki-Sasaki’09] Prediction: collision for SHA-1 in the next 12-18 months 24 25 Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing SHA-1 90 brute force 80 70 [Wang+’05] [Mendel+’08] 60 [Wang+’04] [Manuel’09] 50 [McDonald+’09] SHA-1 40 [Sugita+’06] 30 20 Most attacks 10 unpublished/withdrawn 0 2003 2004 2005 2006 2007 2008 2009 2010 26 27 Rogue CA attack Impact of collisions [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger ’08] • collisions for MD5, SHA-0, SHA-1 — 2 messages differ in a few bits in 1 to 3 512-bit input blocks • request user cert; by special Self-signed collision this results in a fake CA root key — limited control over message bits in these blocks cert (need to predict serial — but arbitrary choice of bits before and after them number + validity period) CA1 CA2 Rogue CA impact: rogue CA • what is achievable for MD5? that can issue certs User1 User2 User x — 2 colliding executables/postscript/gif/…[Lucks-Daum’05] that are trusted by — 2 colliding RSA public keys – thus with colliding X.509 certificates [Lenstra+’04] all browsers — chosen prefix attack: different IDs, same certificate [Stevens+’07] — 2 arbitrary colliding files (no constraints) in 12 hours • 6 CAs have issued certificates signed with MD5 in 2008: — Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), TC for 1 M$ TrustCenter AG, RSA Data Security, Verisign.co.jp 28 TrustCenter AG, RSA Data Security, Verisign.co.jp 29 Other ways to fool CAs Impact of collisions (3) • [Moxie Marlinspike’09] Black Hat • digital signatures: only an issue if for non-repudiation — browsers may accept bogus SSL certs • none for signatures computed before attacks were — CAs may sign malicious certs public (1 August 2004) • certificate for www.paypal.com\0.kuleuven.be will be issued if the • none for certificates if public keys are generated at request comes from a kuleuven.be admin random in a controlled environment • response by PayPal: suspend Moxie’s account • substantial for signatures after 1 August 2005 (cf. traffic tickets in Australia) — http://www.theregister.co.uk/2009/10/06/paypal_banishes_ssl_hacker/ • Related (independent) work at Financial Cryptography 2010 30 31 Bart Preneel December 2009 SHA-3 Competition: The Quest for Long-Term Security in Cryptographic Hashing And (2nd) preimages? HMAC • security degrades with number of applications • HMAC keys through the IV (plaintext) [Kim+’06] — collisions for MD5 invalidate current security proof of HMAC-MD5 • for large messages even with the number of blocks (cf. — new attacks on reduced version of HMAC-MD5 and HMAC-SHA-1 supra) K x • specific results: Rounds in f2 Rounds in f1 Data complexity 1 73 MD4 48 48 272 CP + 277 time — MD2: 2 [Knudsen+09] f1 126.1 102 MD5 64 33 of 64 2 CP — MD4: 2 [Leurent’08] K2 MD5 64 64 251 CP & 2100 time (RK) — MD5: 2123 [Sasaki-Aoki’09] SHA-1 80 53 of 80 298.5