Hashing, MACs, RSA
Sandy Kutin, CSPP 532, 7/17/01
Rehash: Why do we hash?
Hash functions: boil a long message down to a few bits
Alice signs the hash (public-key signature):
  Authentication (Bob knows Alice sent it)
  Non-repudiation (Bob can prove Alice sent it)
Data integrity; no one else can alter the data
Bit commitment; used in many protocols
Rehash: What is a hash?
What makes H a hash function?
  Takes any size input
  Produces fixed-size output (n bits)
  H(M) is easy to compute
  Given h, it is hard to solve H(M) = h for M
  Given N, it is hard to solve H(M) = H(N) for M (weak collision resistance; 2^n steps)
  It is hard to find M, N such that H(M) = H(N) (strong collision resistance; 2^(n/2) steps)
Rehash: How do we hash?
Most hashes are built using a one-way compression function ƒ: m+n bits to n bits
Divide the message into k blocks of m bits
h_i = ƒ(M_i, h_{i-1}) (h_0 is a fixed initial value, IV)
Output is H(M) = h_k
[Diagram: IV → ƒ(M_1) → h_1 → ƒ(M_2) → h_2 → ƒ(M_3) → … → h_{k-1} → ƒ(M_k) → h_k = H(M)]
A MoDESt Proposal
One idea: use encryption (e.g., DES)
h_0 = IV
h_i = ƒ(M_i, h_{i-1}) = E_{M_i}(h_{i-1})
Problem 1: slow
Problem 2: export restrictions
Problem 3: insecure
Can construct 2 blocks X, Y with H(XY) = h
Need X, Y so that E_Y(E_X(h_0)) = h
Try 2^(n/2) X's and 2^(n/2) Y's, see if E_X(h_0) = D_Y(h)
Birthday attack; works on DES, AES, …
Could pick M_1, …, M_{k-2}, then solve E_X(h_{k-2}) = D_Y(h)
Specific Hashes: MD5
MD5 (Rivest, 1992): 128-bit hash, 512-bit blocks (similar to MD4, 1990)
(MD = Message Digest)
Simplified versions have been cryptanalyzed, but not MD5 itself
But: strong collision resistance is only 64-bit
Not really long enough nowadays
Like DES: now being phased out
Specific Hashes: SHA
SHA (or SHA-1): NIST, NSA, 1995
160-bit hash, 512-bit blocks
Used in DSS (Digital Signature Standard)
May 30, 2001: NIST announced 3 more:

algorithm   bit length   block size   max message   security
SHA-1       160          512          2^64          80 bits
SHA-256     256          512          2^64          128 bits
SHA-384     384          1024         2^128         192 bits
SHA-512     512          1024         2^128         256 bits
Specific Hashes: RIPEMD
RIPE-MD developed in Europe (1996-7)
RIPEMD-160: 160-bit hash, 512-bit blocks (same as SHA-1)
Comparable to SHA-1 in speed, security
Both are roughly half the speed of MD5
American standard is SHA-1 (for now)
SHA-256, SHA-384, SHA-512 match the key lengths in AES
Message Authentication Codes
A hash is public; anyone can compute it
We used digital signatures; only Alice can compute D_a(H(M)), anyone can check
Another idea: C_K(M) using a secret key
Message Authentication Code (MAC)
  Authentication (but not non-repudiation)
  Data integrity
What makes a MAC?
What makes C_K(M) a MAC?
  Any size M, easy-to-compute fixed-size output
  Given K, N, it is hard to solve C_K(M) = C_K(N) for M (weak collision resistance for Alice, Bob)
  Given K, it is hard to find M, N such that C_K(M) = C_K(N) (strong collision resistance for Alice, Bob)
  Given signed pairs (M, C_K(M)), but not K, it is hard to find more
  (Eve can't solve for K, find collisions, or otherwise construct a message and a valid MAC)
Encryption-Based MACs
Simplest idea: C_K(M) = E_K(H(M))
Only as good as the "weakest link"
Better: encrypt in CBC mode
  C_1 = E_K(M_1)
  C_i = E_K(M_i ⊕ C_{i-1})
  C_K(M) is the last C_i
DES-CBC is the current FIPS-approved MAC
Speed, export issues; wrong tool for the job
Hash-based MACs
One idea: C_K(M) = H(K | M)
Effectively a hash with a secret initial value
Problem: given M and C_K(M), one can find C_K(M | N)
Solution: HMAC (Bellare, Canetti, Krawczyk, 1996; NIST 1/01)
[Diagram: IV → ƒ(K) → ƒ(M_1) → h_1 → ƒ(M_2) → h_2 → … → h_{k-1} → ƒ(M_k) → h_k = H(K | M)]
HMAC
Pad the n-bit key K up to m bits, if necessary
S_i = K ⊕ 00110110…, S_o = K ⊕ 01011010…
First, compute x = H(S_i | M), pad x to m bits
HMAC_K(M) = H(S_o | x)
Only three extra calls to ƒ
[Diagram: inner hash IV → ƒ(S_i) → ƒ(M_1) → h_1 → … → h_{k-1} → ƒ(M_k) → x; outer hash IV → ƒ(S_o) → ƒ(x) → HMAC_K(M)]
HMAC Attack
We can precompute 2 of the 3 extra calls
Use any H we want (MD5, SHA-1, …)
HMAC is secure as long as H is secure
Birthday attack fails if K is unknown
MD5 is fine
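As an added example (not from the slides), HMAC assembled step by step from a plain hash exactly as the HMAC slide describes, plus the precomputation of the two key-dependent ƒ calls mentioned on the HMAC Attack slide; both are cross-checked against Python's hmac module. Keys and messages in the test are constructed values.

```python
# Added example, not from the slides: HMAC built from a plain hash function
# following the slide (S_i = K xor 0x36.., S_o = K xor 0x5c.., x = H(S_i | M),
# HMAC_K(M) = H(S_o | x)), checked against Python's hmac module.
import hashlib
import hmac

IPAD = 0x36  # 00110110 repeated over the block: builds S_i
OPAD = 0x5C  # 01011010 repeated over the block: builds S_o


def _pads(key: bytes, algo: str):
    """Pad (or first hash, if oversized) the key to one m-bit block; return (S_i, S_o)."""
    block = hashlib.new(algo).block_size       # m/8 bytes: 64 for MD5 and SHA-1
    if len(key) > block:                        # oversized key: hash it down first
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")             # pad n-bit key up to m bits
    return bytes(k ^ IPAD for k in key), bytes(k ^ OPAD for k in key)


def hmac_manual(key: bytes, msg: bytes, algo: str = "sha1") -> bytes:
    """HMAC_K(M) = H(S_o | H(S_i | M)), computed with two plain hash calls."""
    s_i, s_o = _pads(key, algo)
    x = hashlib.new(algo, s_i + msg).digest()   # inner hash: x = H(S_i | M)
    # The outer hash's own padding takes x up to a full m-bit block.
    return hashlib.new(algo, s_o + x).digest()  # outer hash: H(S_o | x)


def hmac_precomputed(key: bytes, algo: str = "sha1"):
    """Absorb f(IV, S_i) and f(IV, S_o) once; each later message then costs
    only its own blocks plus the single extra call of f that hashes x."""
    s_i, s_o = _pads(key, algo)
    inner = hashlib.new(algo, s_i)
    outer = hashlib.new(algo, s_o)

    def mac(msg: bytes) -> bytes:
        i, o = inner.copy(), outer.copy()       # reuse the absorbed key states
        i.update(msg)
        o.update(i.digest())
        return o.digest()

    return mac


def matches_stdlib(key: bytes, msg: bytes, algo: str = "sha1") -> bool:
    """Cross-check both constructions against the library implementation."""
    ref = hmac.new(key, msg, algo).digest()
    return (hmac.compare_digest(hmac_manual(key, msg, algo), ref)
            and hmac.compare_digest(hmac_precomputed(key, algo)(msg), ref))
```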
What’s next?
We've discussed several primitives:
  Symmetric encryption
  Hashes
  Message Authentication Codes
There's one primitive we haven't discussed:
Public Key Infrastructure
The Key Idea
Public key uses asymmetric encryption
Bob has a public encryption function E_B
Trapdoor one-way function:
  Easy to compute
  Invertible, and Bob knows the secret D_b = E_B^{-1}
For Eve to invert E_B, she'd need to guess b
Alice computes E_B(M); only Bob can decrypt
Diffie, 1975. Question: how do we do it?
VeRSAtile Solution
RSA (Rivest, Shamir, Adleman, 1977):
Bob computes primes p, q, and N = pq
Bob computes d, e so that de ≡ 1 mod φ(N)
Public key: (N, e). Private key: (N, d)
Encryption (Alice): C = E_B(M) ≡ M^e mod N
Decryption (Bob): M = D_b(C) ≡ C^d mod N
By Euler's Theorem: M^ed ≡ M mod N
So D_b(E_B(M)) = M; Bob can read M
Vice VeRSA
Note that, for all M, M^de ≡ M^ed ≡ M mod N
Order doesn't matter
Only Bob can compute S ≡ M^d mod N
Anyone else can verify M ≡ S^e mod N
Digital signature
Gives us authenticity, non-repudiation
(As we've said: usually applied to H(M))
Factoring in Attacks
Say Eve knows N, e, C, and wants to read M
Could factor N, solving for p and q
Then easy to compute φ(N), solve for d
How hard is it to factor?
Best known method: Number Field Sieve
Between polynomial and exponential time
Of course, no one can prove anything
How hard is factoring?
From Schneier's Applied Cryptography:
MIPS-year: 100 MHz Pentium for a week
Rivest, 1977: 125 digits should take 40 quadrillion years
8/1999: 512-bit prime (155 decimal digits)
  Distributed computing
  Took 8000 MIPS-years
  7 months (3.7 sieving)

Bit-length   MIPS-years
512          3 x 10^4
768          2 x 10^8
1024         3 x 10^11
1536         3 x 10^16
2048         3 x 10^20
An ERSAtz Attack
Can Eve find φ(N)? Then d ≡ e^{-1} mod φ(N).
Say we knew N = pq and φ(N) = (p-1)(q-1).
Then let Z = N - φ(N) + 1: we know Z
Z = pq - (pq - p - q + 1) + 1 = p + q
(x - p)(x - q) = x^2 - Zx + N; this is solvable
So, if we knew φ(N), we'd know p, q
Therefore, finding φ(N) is as hard as factoring
This is called a reduction
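As an added example (not from the slides), toy RSA in Python: key generation with de ≡ 1 mod φ(N), the encrypt/decrypt and sign/verify identities from the VeRSAtile Solution and Vice VeRSA slides, and the reduction from this slide that recovers p and q from N and φ(N) by solving x^2 - Zx + N = 0. The primes used in the test are constructed toy values, far too small for real keys.

```python
# Added example, not from the slides: toy RSA over small constructed primes,
# the encrypt/decrypt and sign/verify identities, and the reduction from
# knowing phi(N) to factoring N.  Key sizes here only make the arithmetic
# inspectable; they are nowhere near real-world sizes.
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int):
    """Bob's setup: N = pq and d with de ≡ 1 (mod phi(N)). Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(N)")
    d = pow(e, -1, phi)                    # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:           # Alice: C = E_B(M) ≡ M^e mod N
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:          # Bob: M = D_b(C) ≡ C^d mod N
    n, d = priv
    return pow(c, d, n)


def sign(priv, m: int) -> int:             # only Bob: S ≡ M^d mod N
    n, d = priv
    return pow(m, d, n)


def verify(pub, m: int, s: int) -> bool:   # anyone: check M ≡ S^e mod N
    n, e = pub
    return pow(s, e, n) == m % n


def factor_from_phi(n: int, phi: int):
    """The reduction: Z = N - phi(N) + 1 = p + q, so p and q are the roots
    of x^2 - Zx + N = 0; the quadratic formula gives them directly."""
    z = n - phi + 1
    disc = z * z - 4 * n                   # Z^2 - 4N = (p - q)^2
    if disc < 0:
        raise ValueError("N, phi are not a valid pq / (p-1)(q-1) pair")
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("N, phi are not a valid pq / (p-1)(q-1) pair")
    return (z - r) // 2, (z + r) // 2      # (smaller prime, larger prime)
```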
Other AdveRSArial Strategies
Can Eve find d without finding φ(N)?
She knows ed - 1 = Qφ(N) for some Q
Since φ(N) is roughly N, she'd know φ(N)
Another reduction
Can Eve find t so that, for all M, M^te ≡ M mod N?
Yes, if p and q are chosen poorly
For good p, q: about as hard as factoring
"good p, q" means gcd(p-1, q-1) is small
Key Management
Pre-1970s, the problem was key distribution
Now, Alice can look up Bob's public key
How does she get it? Key management
Original solution: "phone book"
  Who prints the book? What if it's compromised, or intercepted?
  How do you look someone up? Unique ID?
  What if Bob has multiple names, keys?
  Do keys expire? What if a key is compromised?
Solution #1: DispeRSAL
One idea: Carol meets Bob face-to-face
Carol says "This is Bob's key", signs it
Ted knows Carol, says "This is Carol's key, and I trust her", signs it
Alice knows Ted; verifies the chain of signatures
Flaw #1: "weakest link"
Flaw #2: >6 degrees of separation
Flaw #3: unique IDs, expiration, ...
#2: Certificate Authorities
Next class (7/24/01)
Recommended Reading
From Stallings:
  Fermat's Theorem, Euler's Theorem, and the φ function: Section 7.3
  RSA: Sections 6.1 - 6.3 (particularly 6.2, which includes fast modular exponentiation)
  Hashing, MACs: Chapter 8
  Birthday attacks: Appendix 8A
  HMAC: Section 9.4