Cryptographic Hash Functions Message Authentication Digital Signatures

Transcription

1 Cryptographic Hash Functions Message Authentication Digital Signatures

2 Abstract We will discuss Cryptographic hash functions Message authentication codes HMAC and CBC-MAC Digital signatures 2

3 Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 3

4 Message Authentication Bob receives a message m from Alice, he wants to now i (Data origin authentication) whether the message was i really sent by Alice; (Data integrity) whether the message has been modified. Solutions: i Alice attaches a message authentication code (MAC) to the message. i Or she attaches a digital signature to the message. 4

5 Hash function A hash function maps from a domain to a smaller range, typically many-to-one. Properties required of a hash function depend on its applications. Applications: i Fast looup (hash tables) i Error detection/correction i Cryptography: cryptographic hash functions i Others 5

6 Cryptographic hash function Hash functions: h: X Y, X > Y. * n For example, h :{0,1} {0,1} h:{0,1} * l h:{0,1} {0,1}, > l. If X is finite, h is also called a compression function. A classical application: users/clients passwords are stored in a file Z n ( ) ( h(password) ) using some not as username, password, but as username, cryptographic hash function h. 6

7 Security requirements Pre-image: if hm ( ) = y, mis a pre-image of y. Each hash value typically has multiple pre-images. Collision: a pair of ( mm, ), m m, s.t. hm ( ) = hm ( ). A hash function is said to be: Pre-image resistant if it is computationally infeasible to find a pre-image of a hash value. Collision resistant if it is computationally infeasible to find a collision. A hash function is a cryptographic hash function if it is collision resistant. 7

8 Collision-resistant hash functions can be built from collision-resistant compression functions using Merle-Damgard construction. 8

9 Merle-Damgard construction * n Construct a cryptographic hash function h :{0,1} {0,1} n+ b n from a compression function f :{0,1} {0,1}. * 1. For m {0,1}, add padding to m so that m' is a multiple of b. Let padded m' = mm m, each m of length b. 1 2 (padding = m, where m is the length of m) 3. Let v = IV and v = f ( v m ) for 1 i. 0 i i 1 i 4. The hash value h( m) = v. i Theorem. If f is collision-resistant, then h is collision-resistant.

10 Merle-Damgard Construction m 1 m 2 m 3 m IV v 0 v 1 v 2 v f f f f h(m) n+ b Compression function f :{0,1} {0,1} n

11 The Secure Hash Algorithm (SHA-1) an NIST standard. using Merle-Damgard construction. input message m is divided into blocs with padding. padding = , where 64 {0,1} indicates in 64 thus, message length limited to m 2 1. bloc = 512 bits = 16 words = W0 W15. IV = a constant of 160 bits = 5 words = H0 H4. resulting hash value: 160 bits. m binary underlying compression function f :{0,1} {0,1}, a series (80 rounds) of,,,, +, and Rotate on words W ' s & H 's. i i

12 Is SHA-1 secure? An attac is to produce a collision. Birthday attac: randomly generate a set of messages { },,,, hoping to produce a collision. m1 m2 m n = 160 is big enough to resist birthday attacs for now. There is no mathematical proof for its collision resistancy. In 2004, a collision for a "58 rounds" SHA-1 was produced. (The compression function of SHA-1 has 80 rounds.) Newer SHA's have been included in the standard: SHA-256, SHA-384, SHA

13 Birthday problem: In a group of people, what is the probability that at least two people have the same birthday? i Having the same birthday is a collision? Birthday paradox: p 1 2 with as small as 23. n Consider a hash function h :{0,1} {0,1}. If we randomly generate messages, the probability of having a collision depends on n. To resist birthday attac, we choose n to be sufficiently large that it will tae an infeasibly large to have a non-negligible probability of collision.

14 Applications of cryptographic hash functions Storing passwords Used to produce modification detection codes (MDC) i hm ( ), called an MDC, is stored in a secure place; i if m is modified, we can detect it; i protecting the integrity of m. We will see some other application s. 14

15 Message Authentication Bob receives a message m from Alice, he wants to now i (Data origin authentication) whether the message was i really sent by Alice; (Data integrity) whether the message has been modified. Solutions: i Alice attaches a message authentication code (MAC) to the message. i Or she attaches a digital signature to the message. 15

16 MAC Message authentication protocol: 1. Alice and Bob share a secret ey. 2. Alice sends m MAC ( m) to Bob. 3. Bob authenticates the received m MAC by checing if MAC = MAC ( m )? MAC ( m) is called a message authentication cd o e. Security requirement: infeasible to produce a valid pair ( x, MAC()) x without nowing the ey. 16

17 Constructing MAC from a hash A common way to construct a MAC is to incorporate a secret ey into a fixed hash function h (e.g. SHA-1). Insecure: i MAC ( m) = h ( m) = h( m) with IV = i MAC ( m) = h ( m) = h( m) 17

18 Insecure: MAC ( m) = h( m) with IV =. (For simplicity, without padding) X m = m 1 m 2 m 3 m s IV f f f f h(m) X h (m) Easy to forge: ( m, h ( m )), where m = m m s + 1 m s+1 f h (m) h (m m s+1 )

19 HMAC (Hash-based MAC) A FIPS standard for constructing MAC from a hash function h. Conceptually, ( h ) m = h 2 1 m HMAC ( ) ( ) where 1 and 2 are two eys generated from. Various hash functions (e.g., SHA-1, MD5) may be used for h. If we use SHA-1, then HMAC is as follows: ( SHA-1 ) HMAC ( m) = SHA-1 opad ( ipad m) where i is padded with 0's to 512 bits i ipad = (x036 repeated 64 times) i opad = 5c5c 5c (x05c repeated 64 times)

20 CBC-MAC A FIPS and ISO standard. One of the most popular MACs in use. Use a bloc cipher in CBC mode with a fixed, public IV. Called DES CBC-MAC if the bloc cipher is DES. n n Let E :{0,1} {0,1} be a bloc cipher. CBC-MAC( m, ) m= m m m, where m = n. 1 2 n c0 IV (typically 0 ) for i 1 to l do ci E( ci 1 mi) return( c ) l l i 20

21 Cipher Bloc Chaining (CBC) 21

22 CMAC (Cipher-based MAC) A refined version of CBC-MAC. Adopted by NIST for use with AES and 3DES. Use two eys:, (assuming mis a multiple of n). n Let E :{0,1} n {0,1} be a bloc cipher. CMAC( m, ) m= m m m, where m = n. 1 2 n c0 IV (typically 0 ) for i 1 to l 1 do ci E( ci 1 mi) cl E( cl 1 ml ) return( c ) l l i 22

23 Digital Signatures RSA can be used for digital signatures. A digital signature is the same as a MAC except that the tag (signature) is produced using a public-ey cryptosystem. Digital signatures are used to provide message authentication and non-repudiation. Message m MAC (m) Message m Sig pr (m)

24 Digital signature protocol: 1. Bob has a ey pair ( pr, pu). 2. Bob sends m Sig ( m) to Alice. 3. Alice verifies the received m s by checing if s = Verify ( m ). Sig ( m) is called a signature for m. pr pr Security requirement: infeasible to forge a valid pair ( m, Sig ( m)) without nowing pr. pr pu

25 Encryption (using RSA): Alice PU Bob PR Bob Bob M E C D M Digital signature (using RSA -1 ): Alice E(S) =M? PU Bob PR Bob E S D Verify Sign Bob M

26 RSA Signature Keys are generated as for RSA encryption: Public ey: PU = ( n, e). Private ey: PR = ( n, d). Signing = * d a message m Zn: σ DPR( m) = m mod n. Verifying That is, σ = a signature ( m, σ ) : 1 RSA ( m). e chec if m= E ( σ) = σ mod n, or m= RSA( σ). PU Only the ey's owner can sign, but anybody can verify.

27 Security of RSA Signature Existential forgeries: * 1. Every message is a valid signature for m Z n its ciphertext c: = RSA( m). Encryption (using Bob's public ey): Sign ( if using Bob's private ey): RSA m c 1 RSA m c 2. If Bob signed m and m, then the signature for mm can be easily forged: σ( mm ) = σ( m) σ( m ). Counterm easure: hash and sign: σ = Sign ( hm ( )), using some collision resistant hash function h. PR

28 Question: Does hash-then-sign mae RSA signature secure against all chosen-message attacs? Answer: i i h is a Yes, if h is a full-domain random oracle, i.e., random oracle mapping {0,1} ( Z is the full domain of RSA) n * Z n

29 160 For instance, the range of SHA-1 is {0,1}, { n } Problem with full-domain hash: In practice, h is not full-domain. while Z = 0,1,...,2 1, with n n Desired: a secure signature scheme require a full-domain hash. that does not

30 Probabilistic signature scheme * l Hash function h :{0,1} {0,1} Z N (not full domain). l < n = N. (E.g., SHA-1, l = 160; RSA, n = 1024.) Idea: pad m m r {0,1} * w h( m r) {0,1} hash = y = w r G w expand 1 1 ( 0 n l n ) ( ) {0,1} l σ = RSA ( y) sign 1 Z N where r {0,1} G l n 1 l :{0,1} {0,1} (pseudorandom generator)

31 Signing * a message m {0,1} : 1. choose a random r {0,1} ; compute w= h( m r); 2. compute y = w r G ( w) G ( w) ; // G = G G // 3. The signatu 1 re is = RSA ( y). σ

32 Remars PSS is secure against chosen-message attacs in the random oracle model (i.e., if h and G are random oracles). PSS is adopted in PKCS #1 v.2.1. Hash functions such as SHA-1 are used for h and G. For instance, let n= 1024, and l = = 160 let h = SHA-1 ( G, G )( w) = G( w) = h( w 0) h( w 1) h( w 2),