Security of Message Digests CSCI 5857: Encoding and Encryption

Outline Attacks on message digests Properties of a good hash function Preimage attacks Collision attacks Properties of a good hash function Mathematical background Pigeonhole principle Birthday problem Requirements for message digest size

Attacks on Message Digests Goal of message digest: Detect when fake message M´ has been substituted for original message M Adversary goal: Substitute fake message M´ for original message M without being detected This is the case if they have the same digest h(M´) = h(M)

Preimage Attack Adversary finds message M´ with same digest h(M´) = h(M) Impossible to detect or prove changes!

Tweaking Messages for Preimage Attack Adversary can “tweak” new message M´ until h(M´) = h(M) Example: Give Darth a salary increase of $1000 Award Mr. Vader some raise … $2000 Present Darth Vader … bonus $3000 … … … $4000 … “I’ll find some combination of these so they can’t detect the difference!”

Preimage Attack and XOR Simple XOR-based hash function vulnerable to preimage attack Darth generates own message M′ Darth adds some block bm to end so h(M′)  bm = h(M) Problem: XOR is reversible Can work backwards from desired message to create one with same hash as original message

Collision Attack Adversary finds two messages M1 and M2 with same message digest h(M1) = h(M2) M1 is harmless message “We like kittens” M2 has advantage for adversary “Give Darth a $5000 raise”

Collision Attack Example Darth gets job in organization Presents M1 to boss for approval Boss stores h(M1) Darth actually stores/sends M2 Boss has no way to prove he didn’t approve M2

Good Properties of a Hash Must be “one way” Easy to compute h(M) No easy way to determine what other messages M would give same digest (h(M) = h(M )) Otherwise adversary could easily create different messages with same hash Must produce hash large enough to prevent brute force attacks Testing possible alternative messages to find ones with same hash value

Pigeonhole Principle Pigeonhole Principle: Given n pigeons and m birdhouses, with n > m At least one birdhouse with more than one pigeons Digest size |h(M)| < message size |M | Fewer possible digests h(M) than possible messages M 2|h(M)| possible digests < 2|M| possible messages Must exist messages M1 and M2 with same digest h(M1) = h(M2) That is, cannot avoid collisions between different messages Example: 1 MB messages, 512 bit digest 2999,488 different messages with same digest!

Random Oracle Model Best case: Hash function is random oracle model h(M) like “random” function over all possible digests Each possible digest equally likely for a given M Minimizes likelihood that h(M1) = h(M2) for given M1, M2 Assumption used in birthday problem analysis

Birthday Problems In general: What is minimum number of students in class so that at least one probably has same birthday as instructor? What is minimum number of students in class so that at least two probably have same birthday? In general: k students and N (that is, 365) possible birthdays Minimum k such that probability  50%: k  0.69  N  253 for birthdays k  1.18  N1/2  23 for birthdays

Birthday Problems and Digests Birthday problems define vulnerability of message digests to exhaustive search attacks Assume best case random oracle model N = number of possible message digests k = number of false messages tested by adversary in attacks How many false messages must adversary to have at least 50% of finding message with desired digest?

Preimage Attack as Birthday Problem First birthday problem = Preimage Attack Probability h(M´) = h(M) for any M´given some M Number of tests k  0.69  N (proportional to number of possible digests)

Collision Attack as Birthday Problem Second birthday problem = Collision Attack Probability h(M1) = h(M2) for any M1 , M2 Number of tests k  1.18  N1/2 (proportional to square root of possible digests)

Birthday Problems and Digest Size Number of possible message digests N must be large enough to make attacks impractical Difficulty of preimage attack proportional to N Difficulty of collision attack proportional to N1/2 Message digest of n bits  N = 2n 2n/2 must be large enough to prevent exhaustive search to find collision Current standard: 512 bits

What’s Next Let me know if you have any questions Continue on to the next lecture on Hash Functions