Hashing

1
Hashing

• Sandy Kutin
• CSPP 532
• 7/10/01

2
Cryptographic Protocols

• What is a cryptographic protocol?
• Example Alice sends Bob a message M
• 1. Alice generates a secret key K
• 2. Alice computes C1 EpB(K)
• 3. Alice computes C2 EsK(M)
• 4. Alice sends Bob C1, C2
• 5. Bob computes K Dpb(C1)
• 6. Bob computes M DsK(C2)
• Ep, Dp public-key Es, Ds symmetric. Why?

3
A sample protocol

• 1. Alice generates K
• 2. Alice C1 EpB(K)
• 3. Alice C2 EsK(M)
• 4. Alice sends Bob C1,C2
• 5. Bob K Dpb(C1)
• 6. Bob M DsK(C2)

4
Cryptographic Primitives

• How do we pick K? (pseudo-random number
  generator)
• What are Ep, Dp? (e.g., RSA)
• What are Es, Ds? (e.g., DES or AES, ECB or CBC
  mode)

5
Implementation

• Where does Alice store K?
• How does Alice acquire Bobs B?
• How is the message sent?
• Where does Bob store K, b, M?

6
Overall Plan

• Before the break math
• After the break
• Primitives
• Protocols
• Implementation issues
• Specific products

7
Old School Authentic

• Confidentiality Eve cant recover M
• Authentication only Alice, Bob know K, so Bob
  knows Alice sent M
• Someone could tamper with order solve this with
  time stamps and sequencing info

8
New Wave Not Authentic

• Confidentiality Eve cant recover M
• No authentication how does Bob know who sent
  the message?
• Same problems of tampering with order

9
Solution 1 E(D(M))

• Alice signs message with her private key
• Bob decrypts S with Alices public key
• Only Alice could have signed M
• Communication is authenticated
• Too slow

10
Solution 2 D(E(M))

• Alice signs encrypted message
• Bob recovers M
• Only Alice could have sent the message
• Communication is authenticated
• Too slow
• Better? Worse?

11
Repudiation

• Authentication can Bob prove to himself that
  Alice sent the message?
• Non-repudiation can Bob prove, in court, that
  Alice sent the message?
• In military applications, not really relevant
• In e-commerce essential
• Digital signature

12
DES, I rebuke thee

• Classical Crypto Bob wants to prove M came from
  Alice
• Bob would have to reveal K
• Even that isnt good enough Bob couldve
  encrypted M himself
• No defense against repudiation

13
Repudiation E(D(M))

• Bob can produce M and S in court
• Anyone can verify that M EpA(S)
• Only Alice could have created S
• Hence, Alice must have sent M
• Success!

14
Repudiation D(E(M))

• Bob can produce M, C2, and S in court
• Judge can verify that Alice signed C2
• To prove connection between C2 and M, Bob must
  reveal K
• Even that might not be good enough
• Lesson design matters

15
A general protocol

• E(D(M)) defends against repudiation
• Its too slow to be useful
• Another problem Bob always needs to convert S
  to M. Maybe he doesnt always want to
  authenticate.
• Solution Alice appends signature to M,
  encrypts, sends to Bob.
• Should be something Alice can do, others can
  verify. E.g. Dpa(M)

16
Digital Signature Schemes

• s(M) is a digital signature if only Alice can
  compute it, anyone else can verify it
• Used for communication
• Also, data integrity compute signature every
  night, see if it matches
• Dpa(M) would work, but its too slow, and too big
• Solution Dpa(H(M)), where H is a hash function

17
Hash functions

• What makes H a hash function?
• Takes any size input
• Produces fixed-size output
• H(M) is easy to compute
• Given h, it is hard to solve H(M) h for M
• Given N, it is hard to solve H(M) H(N) for M
  (weak collision resistance)
• It is hard to find M, N such that H(M) H(N)
  (strong collision resistance)

18
Hashing Non-repudiation

• Say Bob takes Alice to court he produces M and S
  Dpa(H(M))
• Judge checks that EpA(S) H(M), confirms that
  Alice sent (someone) a message hashing to H(M)
• Alice says Bob must have found a message M to
  match something I signed
• Weak collision resistance Shes lying

19
Strong Collision Resistance

• Why require solving H(M) H(N) to be hard?
• Say Alice can find M, N so H(M) H(N)
• She sends Bob M, signs it
• When Bob takes Alice to court, she claims No, I
  didnt sign M, I signed N
• Repudiation would be possible
• Solution strong collision resistance

20
Hashing Secretary Attack

• Related problem Secretary constructs messages
  M, N where H(M) H(N)
• M is the annual report, N says Give my secretary
  a raise
• Alice computes S Dpa(H(M)), tells secretary to
  send out M and S
• Secretary substitutes N instead
• Need strong collision resistance

21
How many bits of security?

• Let H be a secure hash with n-bit output
• Solving H(M) h for M should take 2n tries
• Given N, H(M) H(N) should be the same just
  try 2n possible values of M
• What about finding M, N with H(M) H(N)?
• If we just pick pairs at random, its 2n
• But, we can get it down to 2n/2
• e.g., for a 128-bit hash only 264

22
Happy Birthday

• How do we do this? Birthday Attack
• Make a list of 2n/2 possible Ms (e.g., vary
  spacing), sort by value of H
• Try roughly 2n/2 possible Ns, look for H(N)
• Given Mi, Nj, chance H(Mi) H(Nj) is 1/2n
• 2n/2 Mis, 2n/2 Njs, so 2n/2 ? 2n/2 2n pairs
• So, odds are good theres one pair
• If there is a pair, finding it is fast

23
They say its your birthday

• Why is this called the birthday attack?
• Among 23 people, chances of two with the same
  birthday are gt 50
• Why? (23 ? 22)/2 253 pairs of people
• Each has probability roughly 1/365
• Theres a good chance some pair matches
• Other factors only increase the odds
• Birthday Paradox

24
Hash, Paper, Scissors

• An example of the power of a secure hash
• Alice, Bob want to play rock, paper, scissors
• Alice constructs M indicating her choice
• e.g., 23419382 Good Old Rock
• Alice sends Bob H(M)
• Bob makes his choice, sends it to Alice
• Alice reveals M. She has to tell the truth.
• Bit commitment scheme
• Applications to auctions, voting

25
How do we hash?

• Most hashes are built using a one-way compression
  function mn bits to n bits
• Divide message into k blocks of m bits
• hi (Mi, hi-1) (h0 is a fixed initial
  value)
• Output is H(M) hk

26
Hashing out the details

• Pad message length to be a multiple of m
• Include message length within M
• Need to pick a one-way function
• (Not like public-key no trapdoor needed)

27
A MoDESt Proposal

• One idea use encryption (e.g., DES)
• h0 IV
• hi (Mi, hi-1) EMi(hi-1)
• Problem 1 slow
• Problem 2 export restrictions