@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.


Message authentication code
- Use a shared secret key
- Provide data integrity protection + source authentication
- Limitations: CBC-based MAC generation still involves high computation overhead

Motivation for Hash Algorithms
- Intuition: re-examine the non-cryptographic checksum.
- Main limitation: an attacker is able to construct a message that matches the checksum.
- Goal: design a code where the original message cannot be inferred based on its checksum → design of hash algorithms.

Requirements for Hash Function
- A hash function H takes a message M of variable length and transforms it into a fixed-length value h
  - h = H(M) -- (cryptographic) hash value, message digest, digest
  - such that an accidental or intentional change to the message will change the hash value.
- A hash function H must have the following properties:
  - One-way property: for any given value h, it is computationally infeasible to find x such that H(x) = h.
  - Weak collision resistance: for any given message x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
  - Strong collision resistance: it is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

Hash Function Applications
- Used alone
  - Ordinary hash functions: index data in a hash table
  - Fingerprint: file integrity verification, public key fingerprint
  - Password storage (one-way encryption)
- Combined with encryption functions
  - Message authentication code
  - Digital signature
  - Other authentication forms

[Figure panels: confidentiality and authentication; authentication; authentication, digital signature]

[Figure panels: authentication, digital signature, confidentiality; authentication (no encryption needed!); authentication, confidentiality]

HMAC
- Hash function works with a symmetric key to provide message authentication
- Two methods for a MAC:
  (1) MAC = E[K, H(M)]
  (2) MAC = H[M || S] → idea for HMAC

HMAC Structure
- HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
- K+ = K padded with 0 on the left (b bits in total)
- ipad = 36 in hex, repeated b/8 times
- opad = 5C in hex, repeated b/8 times
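
The HMAC formula above, built directly from a hash function and checked on the receiver side. This is an added example, not part of the original slides; the function names, key and messages are constructed for illustration, and the key padding follows RFC 2104.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size  # b/8, e.g. 64 for SHA-256
    if len(key) > block_bytes:
        key = H(key)  # RFC 2104: a key longer than one block is hashed first
    k_plus = key.ljust(block_bytes, b"\x00")  # RFC 2104 appends the zero bytes
    inner_key = bytes(b ^ 0x36 for b in k_plus)  # K+ xor ipad
    outer_key = bytes(b ^ 0x5C for b in k_plus)  # K+ xor opad
    return H(outer_key + H(inner_key + msg))


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)


if __name__ == "__main__":
    key = b"shared-secret"        # constructed sample key
    msg = b"amount=100;to=bob"    # constructed sample message
    tag = hmac_manual(key, msg)
    print("matches stdlib:", tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("original accepted:", verify(key, msg, tag))
    print("modified accepted:", verify(key, b"amount=900;to=bob", tag))
```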

Overview of Hash Algorithms
There is a long list of cryptographic hash functions. Two popular examples:
- MD5 (Message-Digest algorithm 5)
  - By Ronald Rivest in 1991, based on MD4
  - Digest length: 128 bits
  - Weak collision resistance
  - Vulnerable to collision attack (no strong collision resistance)
- SHA hash functions (all by NSA)
  - SHA-0 in 1993; 160-bit hash value
  - SHA-1 in 1995; 160-bit hash value; widely used, once considered the successor to MD5
  - SHA-2: SHA-224, SHA-256, SHA-384, SHA-512; digest length based on name
  - SHA-0 and SHA-1 are vulnerable to collision attacks
  - Recent result on SHA-1: a collision attack on SHA-1 that would allow an attacker to select at least parts of the message.

Hash Algorithm Design
- Iterative use of a compression function
- Compression function
  - Specifically designed for the hash function
  - Based on a symmetric block cipher

Hash Algorithm Design – MD5
1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer
   Word A =
   Word B = 89 AB CD EF
   Word C = FE DC BA 98
   Word D =

Hash Algorithm Design – MD5
[Figure labels: 16 steps; constructed from sine function; X[k] = M[q*16+k] (32 bit)]

Single step
- The ith 32-bit word in matrix T, constructed from the sine function
- M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg
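
The MD5 steps from the preceding slides (padding, length, buffer initialisation, the sine-derived table T, and four rounds of 16 steps over X[k] = M[q*16+k]) written out in full. This is an added example, not code from the original slides; the buffer constants, rotation amounts and word-selection order are taken from RFC 1321, and the function names are chosen here.

```python
import math
import struct

# T[i]: integer part of 2^32 * |sin(i + 1)| (the table built from the sine function)
T = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
# Left-rotation amounts from RFC 1321: four values cycled within each 16-step round
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def md5_pad(msg: bytes) -> bytes:
    """Steps 1-2: pad to 448 mod 512 bits, then append the 64-bit message length."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + struct.pack("<Q", bit_len)


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md5(msg: bytes) -> bytes:
    # Step 3: MD buffer words A, B, C, D (RFC 1321 values as little-endian words)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = md5_pad(msg)
    for q in range(len(data) // 64):  # one 512-bit block per iteration
        X = struct.unpack("<16I", data[64 * q:64 * q + 64])  # X[k] = M[q*16+k]
        a, b, c, d = state
        for i in range(64):  # four rounds of 16 steps each
            if i < 16:
                f, k = (b & c) | (~b & d), i
            elif i < 32:
                f, k = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:
                f, k = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, k = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + T[i] + X[k]) & 0xFFFFFFFF  # single step: add, then rotate
            a, d, c, b = d, c, b, (b + rotl(f, S[i])) & 0xFFFFFFFF
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


if __name__ == "__main__":
    print(md5(b"abc").hex())
```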

Put into practice

Security of Hash Algorithms
- Why is a collision bad?
- Preimage attacks (one-way property)
- Second preimage attacks (weak collision resistance)
- Birthday attack (strong collision resistance)
- Length-extension attacks: given h(m) and len(m) but not m, by choosing a suitable m' an attacker can calculate h(m || m'). This property can be used to break naive authentication schemes based on hash functions. The HMAC construction works around these problems.

Preimage and Second Preimage Attacks
- Preimage attack: given a hash value h, an attacker wishes to find a message x such that H(x) = h. (Violates the one-way property.)
- Second preimage attack: given a message y with hash value h = H(y), an attacker wishes to find another message x ≠ y such that H(x) = h. (Violates weak collision resistance.)
- Brute-force attack complexity: how many messages/attempts (on average) does an attacker have to prepare in order to find a message x such that H(x) = h?
  - Let the number of messages/attempts that an attacker has to prepare in order to find a collision be a random variable N.
  - N follows a geometric distribution with parameter 1/2^h.
  - The mean value of N is 2^h.
  - Thus h has to be long enough.

Birthday Attack
- Alice wants to get Bob's signature on a fraudulent contract. Suppose that an h-bit hash is used.
- On average, how many fraudulent contracts does Alice need to try to find one that matches the hash code of the fair contract? [Recall the second preimage attack: 2^h]
- A better approach: the birthday attack
  - Alice prepares a fair contract m and a fraudulent one m'.
  - She then finds a number of positions where m can be changed without changing the meaning. By combining these changes, she can create a huge number of variations on m which are all fair contracts.
  - In a similar manner, Alice also creates a huge number of variations on the fraudulent contract m'.
  - She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, f(m) = f(m').
  - She presents the fair version to Bob for signing. After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract.
  - This signature then "proves" that Bob signed the fraudulent contract.
- How many contracts does Alice need to try this time?

Birthday Problem
- Birthday problem: for an h-bit hash value, the brute-force attack complexity is 2^(h/2).

Birthday Attack
- To avoid the birthday attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible.
- About twice as many bits as are needed to prevent a preimage or second preimage attack.
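
The 2^h versus 2^(h/2) gap from the preimage and birthday slides, measured on a deliberately tiny digest, which is why signature schemes need roughly twice the digest length. This is an added example, not part of the original slides; the 16-bit truncation of SHA-256, the function names and the sample messages are constructed for illustration.

```python
import hashlib

H_BITS = 16  # constructed toy digest length h; real digests are 128 bits or more


def toy_hash(msg: bytes, bits: int = H_BITS) -> int:
    """First `bits` bits of SHA-256, standing in for an h-bit hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def second_preimage(target: bytes, bits: int = H_BITS, limit: int = 1 << 22):
    """Try counter messages until one matches H(target): about 2^h attempts on average."""
    want = toy_hash(target, bits)
    for n in range(1, limit + 1):
        cand = b"candidate-%d" % n
        if cand != target and toy_hash(cand, bits) == want:
            return cand, n
    return None, limit


def birthday_collision(bits: int = H_BITS):
    """Remember every digest seen; any repeat is a collision: about 2^(h/2) attempts."""
    seen = {}
    n = 0
    while True:
        n += 1
        msg = b"variation-%d" % n
        digest = toy_hash(msg, bits)
        if digest in seen:
            return seen[digest], msg, n
        seen[digest] = msg


if __name__ == "__main__":
    _, tries = second_preimage(b"fair contract")
    print("second preimage attempts:", tries, "(2^h = %d)" % 2**H_BITS)
    x, y, tries = birthday_collision()
    print("collision attempts:", tries, "(2^(h/2) = %d)" % 2**(H_BITS // 2))
    print("colliding pair:", x, y)
```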

Security of Hash Algorithms
- When we say a hash algorithm is broken by cryptographic analysis, the time to identify collisions using the analysis is less than the time taken by a brute-force attack.
- Many hash algorithms have been found to be vulnerable and should not be used.
  - In August 2004, weaknesses were found in a number of hash functions that were popular at the time, including SHA-0, RIPEMD, and MD5.
  - As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1.
  - However, MD5 has been broken; an attack against it was used to break SSL in
  - In February 2005, a successful attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function.
  - In August 2005, another successful attack on SHA-1 was reported, finding collisions in 2^63 operations.

Readings
- Required Reading: [WS] [KPS]
- Recommended Reading: [WS] 11.6 [KPS]