CS Computer Security Eleventh topic: Hashes and sign

Transcription

1 Hash functions CS Computer Security Eleventh topic: Hashes and signatures National University of Singapore School of Computing March, 2016

2 Life...

3 Outline Hash functions 1 Hash functions

4 Outline Hash functions 1 Hash functions

5 Hash functions What is a hash function? Protecting data (I and A)... A hash function maps a long message, or a large amount of data, to a (shorter) check message of some sort. We attach the hashed value to the original message, as a check. Cryptographic functions may be used to construct hash functions. Hash functions can indicate if data has been corrupted (perhaps through noisy message transmission) - i.e. integrity. They can also be used as part of a scheme to check/confirm who sent a message (a digital signature) - i.e. authenticity.

6 Error detection Hash functions Checking for errors... Transmit data: Transmit data+checksum:

7 Hash functions One-way parity for message A0DBBC Use XOR to find the parity of each bit... A D B B C Check:

8 Hash functions Two way parity for message A0DBBC Both vertical and horizontal... A D B B C Check: X

9 Simple check codes Hash functions Simple systems are OK, but... The simple sum of values is easy to calculate, but has problems with repetitive errors. The parity of bits scheme is easy to calculate, and detects all 1 bit errors, but it ignores all 2 bit errors. Horizontal and vertical parity is better, but has problems with repetitive errors.... we want a better level of error check codes

10 Cyclic redundancy check codes A scheme using remainder-after-polynomial-division... Treat the stream of transmitted bits as a polynomial with coefficients of 1: = x 4 + x 2 + x 1 = F(x) Sender data cksum Receiver data cksum F(x) T(x) T(x) g(x) = Z r0 E(x) T (x) T(x) = T (x) + E(x) Can a stream with errors have no remainder? Single bits? - No a single bit error means that E(x) will have only one term (x 1285 say). If the generator polynomial has x n it will never divide evenly. Multiple bits? - Various generator polynomials are used with different properties. Must have one factor of the polynomial being x 1 + 1, because this gets all odd numbers of bit errors.

11 Hash functions Some common generators: Used in systems all around us... CRC-12 - x 12 + x 11 + x 3 + x 2 + x CRC-16 - x 16 + x 15 + x CRC-32 - x 32 + x 26 + x 23 + x 22 + x 16 + x 12 + x 11 + x 10 + x 8 + x 7 + x 5 + x 4 + x CRC-CCITT - x 16 + x 12 + x 5 + 1

12 Polynomial long division is easy! Easy is, of course, a relative term... Generator g(x): x 5 + x (100101) and F (x): Divide F (x) by g(x), append remainder to F (x) to get T (x): ) T (x) =

13 Hash functions Polynomial long division is easy! The division can be done with very simple hardware When this stream arrives at a decoder for checking, if the stream has no errors, the division will have no remainder Clock D0 D1 D2 D3 D4 Data D C S/R Q D C S/R Q D C S/R Q D C S/R Q D C S/R Q XOR XOR

14 Hash functions Polynomial long division is easy! Step by step... Input D4 D3 D2 D1 D (At end, feed in zeroes...)

15 Hash functions Case study: ethernet Case study - use of CRC in ethernet Ethernet is used for networking computers, principally because of its speed and low cost. The maximum size of an ethernet frame: 1514 bytes a ; A 32-bit FCS (Frame Check Sequence) is calculated over the full length of the frame. The FCS used is: CRC-32 - x 32 + x 26 + x 23 + x 22 + x 16 + x 12 + x 11 + x 10 + x 8 + x 7 + x 5 + x 4 + x a 1500 bytes of data, a source and destination address each of six bytes, and a two byte type identifier. The frame also has a synchronizing header and trailer which is not checked by a CRC.

16 Outline Hash functions 1 Hash functions

17 MD5 - a 128-bit hash function Implementation of MD5 is called md5sum or md5 hugh@sf0:~[508]$ md5sum ss.c bc3cc3359e55ba33abe8983a85 ss.c hugh@sf0:~[509]$ cp ss.c XXX.c hugh@sf0:~[510]$ md5sum XXX.c bc3cc3359e55ba33abe8983a85 XXX.c hugh@sf0:~[511]$ md5sum TXT/cybercom.txt 9ec4c12949a4f31474f299058ce2b22a TXT/cybercom.txt hugh@sf0:~[512]$ The terms message digest, checksum, hash and digital fingerprint are all used for hash functions. At best they will be a one-way function, with the hope being that the only way to reverse a hash is to generate a huge number of candidate hashes.

18 MD5 Hash functions US Cyber defence!

19 MD5 weaknesses Hash functions But how secure is it? There is some suspicion that MD5 may have cryptographic weaknesses. In Crypto2004, approaches for generating an MD5 collision were demonstrated: Note that this does not reduce the effectiveness of MD5 (yet). No-one has shown how to generate a collision for an existing hash.

20 SHA Hash functions SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 Originally designed by NIST in 1993 (SHA-0) but revised in 1995 as SHA-1. Revisions in 2002 led to SHA-256/384/512: higher security levels. SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 Digest (hash) size (bits) Message size < 2 64 < 2 64 < 2 64 < < Block size (bits) Number of steps

21 Hash functions Properties of cryptographic hash functions Four desirable properties... 1 The function should efficiently identify an arbitrary message using a fixed size check value h = H(m) 2 The function should be public 3 It should be computationally infeasible to find data m mapping to a specific hash h = H(m) (one-way property) 4 It should be computationally infeasible to find two data m 1,m 2 which both map to some hash h = H(m 1 ) = H(m 2 ) (collision-free property)

22 Collisions of cryptographic hash functions When two messages map to same hash... It is a collision if m 1 m 2 but H(m 1 ) = H(m 2 ). Consider the following two points: 1 Can there be no collisions at all? If the number of messages #m is greater than the number of hashes #H(...), then consider the pigeonhole principle - if there are n roosts for n + 1 pigeons, then at least one roost has two pigeons on it... 2 How likely are collisions? Consider the birthday paradox a - What is the probability that at least two of N randomly selected people have the same birthday (month and day-of-month)? It turns out it is much more likely than you would suspect. a BTW - It is not really a paradox, just an unexpected, counter-intuitive phenomenon.

23 The Birthday Paradox Likelihood versus number N of "randoms" :)

24 The Birthday Paradox explained It is NOT the likelihood that someone in a room full of people shares a specific person s birthday... It is the likelihood that amongst every pair of candidates in a room there will be (at least) one matching pair. It is easiest to calculate the likelihood that the people will not share birthdays a : If N = 2, then the likelihood the two do not share a birthday is , because the first person can have any of the 365 days, leaving 364 days available for the second person. If N = 3, then the likelihood all three do not share a birthday is For N, the likelihood none of them share a birthday is (N 1) For N = 23, this likelihood is about 0.5. a Note that the likelihood that the people will share birthdays is 1- the likelihood that the people will not share birthdays.

25 Hash functions The Birthday attack Digital signatures use hash functions... They provide an ability to verify an author, the date and time of a signature, authenticate message contents, and can be verified by third parties to resolve disputes. The 3 main security requirements are: 1 Integrity: Any modification can be detected. 2 Authenticity: Only the authentic entity can sign. 3 Non-repudiation: Signer cannot deny signature (not addressed today). We can attack some digital signatures using an attack based on the birthday paradox.

26 Reminder of digital signatures A model for signing messages

27 Reminder of digital signatures Efficiency dictates the use of a hash function...

28 The Birthday Attack Based on the previous phenomenon... Lets say someone digitally signs messages saying that they are correct, by calculating the hash function value and then signing that hash value. Assume that the hash function generates an m-bit hash, then the attacker... generates the hashes for 2 m 2 generates the hashes for 2 m 2 variations of a desired valid message variations of a desired fraudulent message The likelihood that there will be a collision is greater than 0.5 Now, the attacker gets the matched valid message signed, and later substitutes the matched fraudulent message. It will have the same hash, and that hash has been signed...

29 Reversing a hash... Hash functions Precomputed tables for helping find collisions? A precomputed table for 8 character passwords, might have (say) 72 8 = 722,204,136,308,736 entries, each containing a 16 byte value. Thats a big disk (about 11,000 TB). Indexing by hash is even worse. We do not really have names for disks that big. Password (MD5) Hash aaaaaaaa 3dbe00a aaaaaaab 2125ea8b81b... aaaaaaac ea67f32d4e6... aaaaaaad 746a8ab05d6... aaaaaaae c554d695eb0... aaaaaaaf 09eb61fd25b... aaaaaaag 68b5af

30 Reversing a hash: rainbow tables Precompute long chains, but only keep two values Precompute chains of values starting from a password guess, and using alternate hash functions h(p), and a reversing function r(h), which generates a predictable plausible guess from the hash. Compute: Chain #1 aaaaaaaaa h(p) 0a224fad.. r(h) xyuivlzrs h(p) 2399afb0.. r(h) mlacziryt Chain #2 srxx21try h(p) 4fad r(h) asbdhdf13 h(p) d001afde.. r(h) cracyl13d h(p) h(p) Only store the first and last entries from the chain. It is space efficient, and you can re-compute the intermediate values (a spacetime tradeoff). Store: f0e377b6.. f0e377b6.. aaaaaaaaa fedc fedc srxx21try

31 Reversing a hash: rainbow tables Precompute long chains, but only keep two values 1. Compute chain from hash d001afde.. 3. Recompute chain to reverse hash srxx21try h(p) 4fad r(h) cracyl13d h(p) fedc Compare candidates with chain ends f0e377b6.. aaaaaaaaa r(h) asbdhdf13 4. Password h(p) d001afde.. fedc srxx21try