CryptographicCryptographic HashHash FunctionsFunctions andand theirtheir manymany applicationsapplications ShaiShai HaleviHalevi –– IBMIBM ResearchResearch USENIX Security – August 2009 Thanks to Charanjit Jutla and Hugo Krawczyk WhatWhat areare hashhash functions?functions? JustJust aa methodmethod ofof compressingcompressing stringsstrings –– E.g.,E.g., HH :: {0,1}*{0,1}* {0,1}{0,1}160 –– InputInput isis calledcalled ““messagemessage””,, outputoutput isis ““digestdigest”” WhyWhy wouldwould youyou wantwant toto dodo this?this? –– Short,Short, fixedfixed--sizesize betterbetter thanthan long,long, variablevariable--sizesize True also for non-crypto hash functions –– DigestDigest cancan bebe addedadded forfor redundancyredundancy –– DigestDigest hideshides possiblepossible structurestructure inin messagemessage But not HowHow areare theythey built?built? always… TypicallyTypically usingusing MerkleMerkle--DamgDamgåårdrd iteration:iteration: 1.1. StartStart fromfrom aa ““compressioncompression functionfunction”” –– h:h: {0,1}{0,1}b+n{0,1}{0,1}n |M|=b=512 bits =160 bits 160 bits 2.2. IterateIterate itit M1 M2 ML-1 ML d d d IV=d0 d1 2 L-1 L … d=H(M) WhatWhat areare theythey goodgood for?for? “Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.” ““RequestRequest forfor CandidateCandidate AlgorithmAlgorithm NominationsNominations””,, ---- NIST,NIST, NovemberNovember 20072007 SomeSome examplesexamples Signatures:Signatures: sign(Msign(M)) == RSARSA-1(( H(M)H(M) )) MessageMessage--authentication:authentication: tag=tag=H(key,MH(key,M)) Commitment:Commitment: commit(Mcommit(M)) == H(M,H(M,……)) KeyKey derivation:derivation: AESAES--keykey == H(DHH(DH--value)value) RemovingRemoving interactioninteraction [Fiat-Shamir, 1987] A B –– TakeTake interactiveinteractive identificationidentification protocolprotocol smthng –– ReplaceReplace oneone sideside byby aa hashhash functionfunction challenge response Challenge = H(smthng, context) –– GetGet nonnon--interactiveinteractive signaturesignature schemescheme smthng, response PartPart I:I: RandomRandom functionsfunctions vs.vs. hashhash functionsfunctions RandomRandom functionsfunctions WhatWhat wewe reallyreally wantwant isis HH thatthat behavesbehaves ““justjust likelike aa randomrandom functionfunction””:: DigestDigest d=H(M)d=H(M) chosenchosen uniformlyuniformly forfor eacheach MM –– DigestDigest d=H(M)d=H(M) hashas nono correlationcorrelation withwith MM –– ForFor distinctdistinct MM1,M,M2,,……,, digestsdigests ddi==H(MH(Mi)) areare completelycompletely uncorrelateduncorrelated toto eacheach otherother –– CannotCannot findfind collisions,collisions, oror eveneven nearnear--collisionscollisions –– CannotCannot findfind MM toto ““hithit”” aa specificspecific dd –– CannotCannot findfind fixedfixed--pointspoints (d(d == H(dH(d)))) –– etc.etc. TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure VeryVery successfulsuccessful paradigm,paradigm, manymany schemesschemes –– E.g.,E.g., OAEPOAEP encryption,encryption, FDH,PSSFDH,PSS signaturessignatures Also all the examples from before… –– SchemesSchemes seemseem toto ““withstandwithstand testtest ofof timetime”” RandomRandom oracles:oracles: rationalerationale isis somesome cryptocrypto schemescheme (e.g.,(e.g., signatures),signatures), thatthat usesuses aa hashhash functionfunction HH provenproven securesecure whenwhen HH isis randomrandom functionfunction AnyAny attackattack onon realreal--worldworld mustmust useuse somesome ““nonrandomnonrandom propertyproperty”” ofof HH WeWe shouldshould havehave chosenchosen aa betterbetter HH –– withoutwithout thatthat ““nonrandomnonrandom propertyproperty”” Caveat:Caveat: howhow dodo wewe knowknow whatwhat ““nonrandomnonrandom propertiesproperties”” areare important?important? ThisThis rationalerationale isnisn’’tt soundsound [Canetti-Goldreich-H 1997] ExistExist signaturesignature schemesschemes thatthat are:are: 1.1. ProvablyProvably securesecure wrtwrt aa randomrandom functionfunction 2.2. EasilyEasily brokenbroken forfor EVERYEVERY hashhash functionfunction Idea:Idea: hashhash functionsfunctions areare computablecomputable –– ThisThis isis aa ““nonrandomnonrandom propertyproperty”” byby itselfitself ExhibitExhibit aa schemescheme whichwhich isis securesecure onlyonly forfor ““nonnon--computablecomputable HH’’ss”” –– SchemeScheme isis (very)(very) ““contrivedcontrived”” ContrivedContrived exampleexample StartStart fromfrom anyany securesecure signaturesignature schemescheme – Denote signature algorithm by SIG1H(key,msg) ChangeChange SIG1SIG1 toto SIG2SIG2 asas follows:follows: Some Technicalities SIG2H(key,msg): interprate msg as code Π – If Π(i)=H(i) for i=1,2,3,…,|msg|, then output key – Else output the same as SIG1H(key,msg) IfIf HH isis random,random, alwaysalways thethe ““ElseElse”” casecase IfIf HH isis aa hashhash function,function, attemptingattempting toto signsign thethe codecode ofof HH outputsoutputs thethe secretsecret keykey CautionaryCautionary notenote ROMROM proofsproofs maymay notnot meanmean whatwhat youyou thinkthink…… –– StillStill theythey givegive valuablevaluable assurance,assurance, rulerule outout ““almostalmost allall realisticrealistic attacksattacks”” WhatWhat ““nonrandomnonrandom propertiesproperties”” areare importantimportant forfor OAEPOAEP // FDHFDH // PSSPSS // ……?? HowHow wouldwould thesethese schemescheme bebe affectedaffected byby aa weaknessweakness inin thethe hashhash functionfunction inin use?use? ROMROM maymay leadlead toto carelesscareless implementationimplementation MerkleMerkle--DamgDamgåårdrd vs.vs. randomrandom functionsfunctions … Recall:Recall: wewe oftenoften constructconstruct ourour hashhash functionsfunctions fromfrom compressioncompression functionsfunctions –– EvenEven ifif compressioncompression isis random,random, hashhash isis notnot E.g., H(key|M) subject to extension attack – H(key | M|M’) = h( H(key|M), M’) –– MinorMinor changeschanges toto MDMD fixfix thisthis But they come with a price (e.g. prefix-free encoding) CompressionCompression alsoalso builtbuilt fromfrom lowlow--levellevel blocksblocks –– E.g.,E.g., DaviesDavies--MeyerMeyer construction,construction, h(c,Mh(c,M)=)=EEM(c)(c)cc –– ProvideProvide yetyet moremore structure,structure, cancan leadlead toto attacksattacks onon provableprovable ROMROM schemesschemes [H[H--KrawczykKrawczyk 2007]2007] PartPart II:II: UsingUsing hashhash functionsfunctions inin applicationsapplications UsingUsing ““imperfectimperfect”” hashhash functionsfunctions ApplicationsApplications shouldshould relyrely onlyonly onon ““specificspecific securitysecurity propertiesproperties”” ofof hashhash functionsfunctions –– TryTry toto makemake thesethese propertiesproperties asas ““standardstandard”” andand asas weakweak asas possiblepossible IncreasesIncreases thethe oddsodds ofof longlong--termterm securitysecurity –– WhenWhen weaknessesweaknesses areare foundfound inin hashhash function,function, applicationapplication moremore likelylikely toto survivesurvive –– E.g.,E.g., MD5MD5 isis badlybadly broken,broken, butbut HMACHMAC--MD5MD5 isis barelybarely scratchedscratched SecuritySecurity requirementsrequirements DeterministicDeterministic hashinghashing Stronger –– AttackerAttacker chooseschooses M,M, d=H(M)d=H(M) HashingHashing withwith aa randomrandom saltsalt –– AttackerAttacker chooseschooses M,M, thenthen goodgood guyguy chooseschooses publicpublic salt,salt, d=d=H(H(saltsalt,M,M)) HashingHashing randomrandom messagesmessages –– MM random,random, d=H(M)d=H(M) HashingHashing withwith aa secretsecret keykey –– AttackerAttacker chooseschooses M,M, d=d=H(H(keykey,M,M)) Weaker DeterministicDeterministic hashinghashing CollisionCollision ResistanceResistance –– AttackerAttacker cannotcannot findfind M,MM,M’’ suchsuch thatthat H(M)=H(MH(M)=H(M’’)) AlsoAlso manymany otherother propertiesproperties –– HardHard toto findfind fixedfixed--points,points, nearnear--collisions,collisions, MM s.ts.t.. H(M)H(M) hashas lowlow HammingHamming weight,weight,