Information Integrity and Message Digests CSCI 5857: Encoding and Encryption

Outline Information integrity issues Message digests –Hash functions –Insuring information integrity Attacks on message digests –Preimage attacks –Collision attacks Properties of a good hash function Mathematical background –Pigeonhole principle –Birthday problem

3 Information Integrity Problems Content Modification : Adversary inserts/modifies/deletes message content Insert new record for Darth’s salary of $1,000,000 Salary Database ED E

4 Information Integrity Problems Masquerade: Adversary sends message claimed to be from someone else Masquerading as Alice “Give Darth a $10,000 raise -- Alice” E

5 Information Integrity Problems Timing Modification Adversary intercepts message and replays it later “Open the front gate. -- Alice” E

6 Modification Detection Simplest case: Detecting modification –Message M stored in public location –M not encrypted How can we prove/detect whether adversary has replaced message M with fake message M´ ? Public storage M M ´

7 Modification Detection One solution: store protected copy of M –Compare M to copy to detect changes –Implausible if M very large Public storage M M

8 Message Digests Created from message M using hashing function y = h(M) Like “fingerprint” for messages –Different messages  different fingerprints –Much more compact than messages: size of y << size of M –Plausible for secure storage/transmission

9 Message Digests Same concept as error detection in network transmission Error detection bits = function of message –Example: parity bit depends on even/odd of 1’s in message If error detection bits do not match message, request message resend Key difference: Unlike noise, adversary intelligent Message Error detection bits

10 Message Digests Used to detect modification –Apply hash to message in storage to get h(M´ ) –Compare with stored h(M) –If h(M´ )  h(M) message has been modified Public storage M ´ h(M´ ) h compare h(M)

11 Simple Example Hash Function Break message M into blocks b i Digest = XOR of all blocks h(b 1, b 2, b 3 … b n ) = b 1  b 2  b 3 …  b n Possible improvement: Rotate each block one bit before XOR (diffusion)

Attacks on Message Digests Goal of message digest: Detect when fake message Mʼ has been substituted for original message M Adversary goal: Substitute fake message Mʼ for original message M without being detected Types: –Preimage attack –Collision attack 12

13 Preimage Attack Adversary finds message M´ with same digest h(M´) = h(M) Impossible to detect or prove changes! Public storage M h(M´) h Same! h(M) M ´

14 Preimage Attack Adversary can “tweak” new message M´ until h(M´) = h(M) Example: Give Darth a salary increase of $1000 Award Mr. Vader some raise … $2000 Present Darth Vader … bonus $3000 … … … $4000 … “I’ll find some combination of these so they can’t detect the difference!”

15 Preimage Attack Simple XOR-based hash function vulnerable to preimage attack –Darth generates own message M′ –Darth adds some block b m to end so that h(M′)  b m = h(M) Problem: XOR is reversible –Can work backwards from desired message to create one with same hash as original message

16 Collision Attack Adversary finds two messages M 1 and M 2 with same message digest h(M 1 ) = h(M 2 ) M 1 is harmless message “We like kittens” M 2 has advantage for adversary “Give Darth a $5000 raise”

17 Collision Attack Darth gets job in organization –Presents M 1 to boss for approval –Boss stores h(M 1 ) –Darth actually stores/sends M 2 Boss has no way to prove he didn’t approve M 2 “We like kittens” h(“We like kittens”) “Give Darth a $5000 raise”

18 Good Properties of a Hash Must be “one way” –Easy to compute h(M) –No easy way to determine what other messages M would give same digest (h(M) = h(M )) –Otherwise adversary could easily create different messages with same hash Must produce hash large enough to prevent brute force attacks –Testing all possible alternative messages to find ones with same hash value

19 Mathematics of Message Digests Pigeonhole Principle: –Given n pigeons and m birdhouses, with n > m –At least one birdhouse with more than one pigeons Digest size |h(M)| < message size |M | Fewer possible digests h(M) than possible messages M –2 |h(M)| possible digests < 2 |M| possible messages Must exist messages M 1 and M 2 with same digest h(M 1 ) = h(M 2 ) –That is, cannot avoid collisions between different messages Example: 1 GB messages, 512 bit digest –Over 2,000,000 different messages with same digest!

20 Mathematics of Message Digests Best case: Hash function is random oracle model –h(M) like “random” function over all possible MDCs –Each possible MDC equally likely for a given M Minimizes likelihood that h(M 1 ) = h(M 2 ) for given M 1, M 2 Assumption used in birthday problem analysis

21 Birthday Problems and Digests 1.What is minimum number of students in class so that at least one has same birthday as instructor? 2.What is minimum number of students in class so that at least two have same birthday? In general: k students and N (that is, 365) possible birthdays Minimum k such that probability  50%: 1. k  0.69  N  253 for birthdays 2. k  1.18  N 1/2  23 for birthdays

22 Birthday Problems and Digests Birthday problems define vulnerability of message digests to exhaustive search attacks –Assume best case random oracle model N = number of possible message digests k = number of false messages tested by adversary in attacks How many false messages must adversary to have at least 50% of finding message with desired digest?

23 Birthday Problems and Digests First birthday problem = Preimage Attack Probability h(M´) = h(M) for any M´given some M Number of tests k  0.69  N (proportional to number of possible digests)

24 Birthday Problems and Digests Second birthday problem = Collision Attack Probability h(M 1 ) = h(M 2 ) for any M 1, M 2 Number of tests k  1.18  N 1/2 (proportional to square root of possible digests)

25 Birthday Problems and Digests Number of possible message digests N must be large enough to make attacks impractical –Difficulty of preimage attack proportional to N –Difficulty of collision attack proportional to N 1/2 Message digest of n bits  N = 2 n 2 n/2 must be large enough to prevent exhaustive search to find collision Current standard: 512 bits