Cryptography - PowerPoint PPT Presentation

About This Presentation
Title:

Cryptography

Description:

Message authentication Message ... CBC-MAC Introduction to the collision-resistant hash functions NMAC and HMAC Authentication + Encryption Message ... – PowerPoint PPT presentation

Number of Views:88
Avg rating:3.0/5.0
Slides: 81
Provided by: Chiara5
Category:

less

Transcript and Presenter's Notes

Title: Cryptography


1
Cryptography
  • Lecture 5Stefan Dziembowskiwww.dziembowski.net
  • stefan_at_dziembowski.net

2
Plan
  • Introduciton to authentication
  • CBC-MAC
  • Introduction to the collision-resistant hash
    functions
  • NMAC and HMAC
  • Authentication Encryption

3
Message Authentication
  • Integrity

M
Alice
Bob
interferes with the transmission
How can Bob be sure that M really comes from
Alice?
4
Sometimes more imprtant than secrecy!
transfer 1000 to Bob
transfer 1000 to Eve
Alice
Bank
Of course usually we want both secrecy and
integrity.
5
Does encryption guarantee message integrity?
  • Idea
  • Alice encrypts m and sends cEnc(k,m) to Bob.
  • Bob computes Dec(k,m), and if it makes sense
    accepts it.
  • Intuiton only Alice knows k, so nobody else can
    produce a valid ciphertext.
  • It does not work!
  • Example one-time pad.

Eve xor Bob
transfer 1000 to Bob
transfer 1000 to Eve
plaintext
key K
xor
ciphertext C
6
Message authentication
verifies if tTagk(m)
(m, tTagk(m))
m
Alice
Bob
k
k
Eve can see (m, tTagk(m)) She should not be
able to compute a valid tag t on any other
message m.
7
Message authentication multiple messages
(m1, tTagk(m1))
m1
(m2, tTagk(m2))
m2
. . .
. . .
Alice
Bob
(m1, tTagk(mt))
mt
k
k
Eve should not be able to compute a valid tag t
on any other message m.
8
Message Authentication Codes the idea
(m, tTagk(m))
m ? 0,1
Vrfyk(m) ? yes,no
Alice
Bob
k
k
Gen(1n)
1n
9
Message Authentication Codes
  • A message authentication code (MAC) is a tuple
    (Gen,Mac,Vrfy) of poly-time algorithms, such
    that
  • the key-generation algorithm Gen takes as input a
    security parameter 1n and outputs a key k,
  • the tagging algorithm Mac takes as input a key k
    and a message m?0,1 and outputs a tag t,
  • the verification algorithm Vrfy takes as input a
    key k, a message m and a tag t, and outputs a bit
    b ? yes, no.If Vrfyk(m,t) yes then we say
    that t is a valid tag on the message m.
  • If Mac is deterministic, then Vrfy just
    computes Mac and compares the result.

10
Correctness
  • We require that it always holds that
  • Vrfyk(m,Mack(m)) yes
  • What remains is to define security of a MAC.

11
How to define security?
  • We need to specify
  • how the messages m1,...,mt are chosen,
  • what is the goal of the adversary.
  • Good tradition be as pessimistic as possible!
  • Therefore we assume that
  • The adversary is allowed to chose m1,...,mt.
  • The goal of the adversary is to produce a valid
    tag on some m such that m ? m1,...,mt.

12
security parameter 1n
selects random k Gen(1n)
m1
adversary
(m1, tTagk(m1))
oracle
. . .
mt
(m1, tTagk(m1))
  • We say that the adversary breaks the MAC scheme
    at the end she outputs (m,t) such that
  • Vrfy(m,t) yes
  • m ? m1,...,mt

13
The security definition
  • We say that (Gen,Mac,Vrfy) is secure if

A
P(A breaks it) is negligible (in n)
polynomial-timeadversary A
14
Arent we too paranoid? 1/2
  • No! Sometimes the adversary may have influence
    on the messages that the parties are sending.
  • (remember the story about Midway?)
  • Another example routing

(m, tTagk(m))
k
k
m
t
15
Arent we too paranoid? 2/2
  • Maybe it would be enough to require that
  • the adversary succeds only if he forges a message
    that makes sense.
  • (e.g. forging a message that consists of random
    noise should not count)
  • Bad idea
  • hard to define,
  • is application-dependent.

16
Warning MACs do not offer protection against the
replay attacks.
(m, t)
Alice
Bob
Since Vrfy has no state (or memory) there is no
way to detect that (m,t) is not fresh!
. . .
17
Constructing a MAC
  • There exist MACs that are secure even if the
    adversary is infinitely-powerful.(we discussed
    them on the first lecture)These constructions
    are not practical.
  • MACs can be constructed from the block-ciphers.
    We will now discuss to constructions
  • simple (and not practical),
  • a little bit more complicated (and practical) a
    CBC-MAC
  • MACs can also be constructed from the hash
    functions (NMAC, HMAC).

18
A simple construction from a block cipher
  • Let
  • F 0,1n 0,1n ? 0,1n
  • be a block cipher.
  • We can now define a MAC scheme that works only
    for messages m e 0,1n as follows
  • Gen(1n) simply chose a random key from 0,1n.
  • Mac(k,m) F(k,m)
  • It can be proven that it is a secure MAC.
  • How to generalize it to longer messages?

F(k,m)
Fk
k
m
19
Idea 1
  • divide the message in blocks m1,...,md
  • and authenticate each block separately

F(k,m1)
F(k,md)
Fk
Fk
. . .
m1
md
This doesnt work!
20
What goes wrong?
m
t Tagk(m)
perm
m perm(m)
t perm(t)
Then t is a valid tag on m.
21
Idea 2
Add a counter to each block.
F(k,x1)
F(k,xd)
Fk
Fk
. . .
m1
md
1
d
x1
xd
This doesnt work either!
22
mi
i
xi
m
t Tagk(m)
m a prefix of m
t a prefix of t
Then t is a valid tag on m.
23
Idea 3
Add l m to each block
F(k,x1)
F(k,xd)
Fk
Fk
. . .
m1
md
1
d
l
l
x1
xd
This doesnt work either!
24
m1
1
l
xi
  • What goes wrong?

m
m
t Tagk(m)
t Tagk(m)
m first half from m second half from m
t first half from t second half from t
Then t is a valid tag on m.
25
Idea 4
Add a fresh random value to each block!
F(k,x1)
F(k,xd)
Fk
Fk
. . .
md
d
l
r
md
d
l
r
x1
xd
This works!
26
tagk(m)
n
n
n
F(k,x1)
F(k,x2)
F(k,xd)
r
Fk
Fk
Fk
. . .
. . .
r
1
l
m2
2
r
md
d
r
m1
l
l
x2
x1
xd
. . .
r is chosen randomly
m1
m2
m3
md
m
000
l
n block length
mi n/4
pad with zeroes if needed
27
tagk(m)
F(k,x1)
F(k,x2)
F(k,xd)
r
Fk
Fk
Fk
. . .
. . .
1
l
r
m2
2
r
md
d
r
m1
l
l
x2
x1
xd
. . .
r is chosen randomly
m1
m2
md
m
000
l
n block length
mi n/4
pad with zeroes if needed
28
This construction can be proven secure
  • Theorem
  • Assuming that
  • F 0,1n 0,1n ? 0,1n is a pseudorandom
    permutation
  • the construction from the previous slide is a
    secure MAC.
  • Proof idea
  • Suppose it is not a secure MAC.
  • Let A be an adversary that breaks it with a
    non-negligible probability.
  • We construct a distinguisher D that distinguishes
    F from a random permutation.

29
This construction is not practical
  • Problem
  • The tag is 4 times longer than the message...
  • We can do much better!

30
CBC-MAC
F 0,1n 0,1n ? 0,1n - a block
cipher Gen just chooses a random key k ? 0,1n.
tagk(m)
Fk
Fk
Fk
Fk
Fk
. . .
m1
m2
m3
md
m
m
0000
pad with zeroes if needed
Other variants exist!
31
tagk(m)
Fk
Fk
Fk
Fk
Fk
. . .
m1
m2
m3
md
m
Why is this needed?
Suppose we dont prepend m...
32
t1tagk(m1)
t2tagk(m2)
the adversarychooses
Fk
Fk
m1
m2
t tagk(m)
t1
Fk
Fk
t t2
now she can compute
m1
m2 xor t1
m
33
Some practictioners dont like the CBC-MAC
We dont want to authenticate using the block
ciphers!
What do you want to use instead?
Hash functions!
Why?
  • Because
  • they are more efficient,
  • they are not protected by the export regulations.

34
Collision-resistant hash functions
short H(m)
a hash function H 0,1 ? 0,1L
long m
colision-resistance
a collision
Requirement it should be hard to find a pair
(m,m) such that H(m) H(m)
35
Collisions always exist
domain
m
range
m
Since the domain is larger than the range the
collisions have to exist.
36
Hash functions an example of an application
a voice phone link
H(m)
a long message m
Bob
Alice
a fast insecure link (e.g. internet)
If Bob can recognize Alices voice then the
integrity of m is guranteed.
37
Another example
File F can be downloaded by an insecure
connection. If we can learn H(F) in a secure
way, we can verify authenticity of F.
38
Hash functions are a bit simillar to the
error-correcting codes
  • Difference between the hash functions and the
    error correcting codes
  • error-correcting codes are secure against the
    random errors.
  • collision-resistant hash functions are secure
    against the intentional errors.
  • A bit like
  • pseudorandom generators
  • vs.
  • cryptographic pseudorandom generators.

39
Practical definition
  • H is a collision-resistant hash function if it is
    practically impossible to find collisions in H.
  • Popular hash funcitons
  • MD5 (now cosidered broken)
  • SHA1
  • ...

40
How to formally define collision resitance?
  • Idea
  • Say something like H is a collision-resistant
    hash function if

A
P(A finds a collision in H) is small
efficientadversary A
Problem For a fixed H there always exist a
constant-time algorithm that finds a collision
in H in constant time. It may be hard to find
such an algorithm, but it always exists!
41
Solution
  • When we prove theorems we will always consider
  • families of hash functions
  • indexed by a key s.
  • Hs s ? keys

42
informal description
knows H
a protocol
H
H
H
formal model
s is chosen randomly
a protocol
s
Hs
Hs
Hs
43
informal description
knows H
a protocol
H
H
H
H
real-life implementation (example)
knows SHA1
a protocol
SHA1
SHA1
SHA1
44
Hash functions the functional definition
  • A hash function is a pair of probabilistic
    polynomial-time algorithms (Gen,H) where
  • Gen takes as input a security parameter 1n and
    outputs a key s.
  • H takes as input a key s and a message x ?
    0,1 and outputs a string
  • Hs(x) ? 0,1L(n),
  • where L(n) is some fixed function.

45
Hash functions the security definition 1/2
1n
s ? Gen(1n)
s
outputs (m,m)
We say that adversary A breaks the function
(Gen,H) if Hs(m) Hs(m).
46
Hash functions the security definition 2/2
  • (Gen, H) is a collision-resistant hash function
    if

A
P(A breaks (Gen,H)) is negligible
polynomial-timeadversary A
47
How to construct the hash functions?
  • Idea
  • Construct a fixed-input-length a hash function.
  • Use it to construct a normal hash function.

L(n)
h(m)
h
m
2L(n)
48
A common method for constructing hash functions
  1. Construct a fixed-input-length
    collision-resistant hash functionCall
    it a collision-resistant compression function.
  2. Use it to construct a hash function.

L
h(m)
h 0,12L ? 0,1L
m
2L
49
An idea
pad with zeroes if needed
t
m
0000
. . .
m1
m2
mB
mi ? 0,1L
. . .
IV
H(m)
can be arbitrary
This doesnt work...
50
Why is it wrong?
t
m
0000
. . .
m1
m2
mB
If we set m m 0000 then H(m)
H(m). Solution add a block encoding t.
t
m
0000
. . .
m1
m2
mB
mB1 t
51
Merkle-Damgård transform
given h 0,12L ? 0,1Lwe construct H
0,1? 0,1L
doesnt need to be know in advance (nice!)
t
m
0000
m1
m2
mB
mB1 t
mi ? 0,1 L
. . .
IV
H(m)
52
This construction is secure
  • We would like to prove the following
  • Theorem
  • If
  • h 0,12L ? 0,1L
  • is a collision-resistant compression function
  • then
  • H 0,1? 0,1L
  • is a collision-resistant hash function.
  • But wait.
  • It doesnt make sense

53
We need to consider the hash function families
  • Suppose (gen,h) is a collision-resistant hash
    function such that for every s ? gen(1n) we have
  • hs 0,12L(n) ? 0,1L(n)

L(n)
h(m)
h
m
2L(n)
54
  • We now show how to transform such a (gen,h) into
    a hash function (Gen,H).
  • How?
  • Gen(1n) ? gen(1n)
  • Use the same construction as before

55
Merkle-Damgård transform
given h 0,12L(n) ? 0,1L(n) we construct H
0,1 ? 0,1L(n)
t
m
0000
m1
m2
mB
mB1 t
mi ? 0,1 L(n)
. . .
IV
H(m)
56
This construction is secure
  • Theorem
  • If
  • (gen,h)
  • is a collision-resistant hash function
  • then
  • (Gen,H)
  • is a collision-resistant hash function.
  • Proof
  • Suppose A is a polynomial-time adversary that
    breaks (Gen,H) with a non-negligible probability.
  • We construct a polynomial-time adversary a that
    breaks (gen,h) with a non-negligible probability.

57
s ? gen(1n)
s
s
a breaks hs by simulating A
(m,m)
A breaks Hs
now a should output a collision (x,y) in h
a collision in Hs
58
How to compute a collision (x,y) in h from a
collision (m,m) in H?
  • We consider two options
  • m m
  • m ? m

59
Option 1 m m
t
m
0000
m1
m2
mB
mB1 t
t
m
0000
m1
m2
mB
mB1 t
60
m m
Some notation
m
0000
m1
m2
mB
mB1 t
. . .
IV
z2
z1
z3
zB1
zB
H(m)
61
m m
For m
m
0000
m1
m2
mB
mB1 t
. . .
IV
z2
z1
z3
zB1
H(m)
zB
62
equal
zB2H(m)
zB2H(m)
zB1
mB1
zB1
mB1
Let i be the largest i such that (mi,zi)
(mi,zi) (because m ? m such i gt 1 always
exists!)
zB
mB
zB
mB
. . .
. . .
z2
m2
z2
m2
z1 IV
m1
z1 IV
m1
63
So, we have found a collision!
equal
zi
zi
h
h
not equal
zi-1
mi-1
zi-1
mi-1
64
Option 2 m ? m
equal
H(m)
H(m)
zB1
mB1
zB1
mB1
. . .
. . .
the last block encodesthe length on the
messageso these valuescannot be equal!
So, again we have found a collision!
65
Finlizng the proof
  • So, if A breaks H with probability e(n), then a
    breaks h with probability e(n).
  • If A runs in polynomial time, then a also runs in
    polynomial time.
  • QED

66
Generic attacks on hash functions
  • Remember the brute-force attacks on the
    encryption schemes?
  • For the hash functions we can do something
    slightly smarter...
  • It is called a birthday attack.

67
The birthday paradox
  • Suppose we have a random function
  • H A ? B
  • Take q values
  • x1,...,xq
  • Let p(q) be the probability that there exist
    distinct i,j such that
  • H(xi) H(xj).
  • If q A then trivially p(q) 1.

68
Why is it called a birthday paradox?
  • Set
  • H people ? birthdays
  • Q How many random people you need to take to
    know that with probability 0.5 at least 2 of them
    have birthday on the same day?
  • A 23 is enough!
  • Counterintuitive...

69
How does the birthday attack work?
  • For a hash function
  • H 0,1 ? 0,1L
  • Take a random X a subset of 0,12L, such that
    X 2L/2.
  • With probability around 0.5 there exists x,x ?
    X, such that
  • H(x) H(x).
  • A pair (x,x) can be found in time O(X log X)
    and space O(X).
  • Moral
  • L has to be such that an attack that needs 2L/2
    steps is infeasible.

70
Concrete functions
  • MD5,
  • SHA-1, SHA-256,...
  • ....
  • all use (variants of) Merkle-Damgård
    transformation.

71
MD5 (Message-Digest Algorithm 5)
  • output length 128 bits,
  • designed by Rivest in 1991,
  • in 1996, Dobbertin found collisions in the
    compresing function of MD5,
  • in 2004 a group of Chinese mathematicians
    designed a method for finding collisions in MD5,
  • there exist a tool that finds collisions in MD5
    with a speed 1 collision / minute (on a
    laptop-computer)
  • Is MD5 completely broken?
  • The attack would be practical if the colliding
    documents made sense...
  • In 2005 A. Lenstra, X. Wang, and B. de Weger
    found X.509 certificates with different public
    keys and the same MD5 hash.

72
SHA-1 (Secure Hash Algorithm)
  • output length 128 bits,
  • designed in 1993 by the NSA,
  • in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao
    presented an attack that runs in time 263.
  • Still rather secure, but new hash algorithms are
    needed!
  • A US National Institute of Standards and
    Technology announced a competition for a new hash
    function (deadline October 31, 2008).
  • Go to http//csrc.nist.gov/groups/ST/hash/sha-3/
  • and submit!

73
How to authenticate with hash functions?
  • A simple idea

Fk(h(m))
a block cipher Fk
k
h(m)
h
long m
By the way a similar method is used in the
public-key cryptography (it is called
hash-and-sign).
74
What the industry says?
the block cipher is still there...
Why dont we just hash a message together with a
key MACk(m) H(k m) ?
Its not secure!
75
Suppose H was constructed using the MD-transform
she can fabricate this
MACk(mt)
she can see this
MACk(m)
t L
MACk(m)
zB
t
zB
t
z2
m
z2
m
IV
k
IV
k
L
76
A better idea
  • M. Bellare, R. Canetti, and H. Krawczyk (1996)
  • NMAC (Nested MAC)
  • HMAC (Hash based MAC)
  • have some provable properites
  • They both use the Merkle-Damgård transform.
  • Again, let h 0,12L ? 0,1L be a compression
    function.

77
NMAC
m
0000
m1
mB
mB1 m
. . .
k1
k2
NMAC(k1,k2) (m)
78
What can be proven
  • Suppose that
  • h is collision-resistant
  • the following function is a secure MAC
  • Then NMAC is a secure MAC.

m
k2
MACk2(m)
79
  • Looks better, but
  • our libraries do not permit to change the IV
  • the key is too long (k1,k2)

HMAC is the solution!
80
HMAC
k xor ipad
m1
mB1 m
ipad 0x36 repeated opad 0x5C repeated
. . .
IV
IV
h
HMACk (m)
k xor opad
81
HMAC the properties
  • Looks complicated, but it is very easy to
    implement (given an implementation of H)
  • HMACk(m) H((k xor opad) H(k xor ipad m))
  • It has some provable properties (slightly
    weaker than NMAC).
  • Widely used in practice.

We like it!
82
Authentication and Encryption
  • Usually we want to authenticate and encrypt at
    the same time.
  • What is the right way to do it? There are
    several options
  • Encrypt-and-authenticate
  • c ? Enck1(m) and t ? Mack2 (m)
  • Authenticate-then-encrypt
  • t ? Mack2 (m) and c ? Enck1(mt)
  • Encrypt-then-authenticate
  • c ? Enck1(m) and t ? Mack2 (c)
  • By the way never use the same key for Enc and
    Mac
  • k1 and k2 have to be independent!

wrong
better
the best
Write a Comment
User Comments (0)
About PowerShow.com