David Evans http://www.cs.virginia.edu/~evans Lecture 9: Hash House Harriers Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans

University of Virginia CS 551 Menu “Quiz” Results Hashing 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Quiz Results Six people got everything right Most common mistake: e * d  1 mod n should be: e * d  (mod (p – 1)(q – 1)) Why is e * d  1 mod n a bad guess? Little correlation between how well you said you understood RSA and correctness of answers 21 November 2018 University of Virginia CS 551

Selected Quiz Comments “Wondering if we just have to understand the algorithms or do we have to memorize them.” “On both of the problem sets, I’ve felt like its the first time I’ve seen the material applied this way.” “I feel like we’ve hit the surface of many topics, but haven’t spent enough time to get really in depth in many of the topics.” 21 November 2018 University of Virginia CS 551

Selected Quiz Comments “Need TA’s” Siddarth Dalai Office hours on Tuesdays 3:30-4:30 and Fridays 2:00-3:00 in the CS department library or 113g. My office hours: Mondays 1:30-2:30, Wednesdays after class. 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Using RSA to Encrypt Use 1024-bit modulus (RSA recommends at least 768 bits) Encrypt 1M file Why does no one use RSA like this? About 100-1000 times slower than DES Can speed up encryption by choosing e that is an easy number to multiply by (e.g., 3 or 216 + 1) 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Alternatives Use RSA to establish a shared secret key for symmetric cipher (DES, RC6, ...) Lose external authentication, non-repudiation properties of public-key cryptosystems Sign (encrypt with private key) a hash of the message A short block that is associated with the message 21 November 2018 University of Virginia CS 551

Hashing H (char s[]) = (s[0] – ‘a’) mod 10 “dog” “neanderthal” “horse” 1 2 3 4 5 6 7 8 9 “dog” “neanderthal” “horse” H (char s[]) = (s[0] – ‘a’) mod 10 21 November 2018 University of Virginia CS 551

Regular Hash Functions Many-to-one: maps a large number of values to a small number of buckets Even distribution: for typical data sets, buckets are similarly full Efficient: H(x) is easy to compute. How well does H (char s[]) = (s[0] – ‘a’) mod 10 satisfy these properties? 21 November 2018 University of Virginia CS 551

Cryptographic Hash Functions One-way: for given h, it is hard to find x such that H(x) = h. Collision resistance: Weak collision resistance: given x, it is hard to find y  x such that H(y) = H(x). Strong collision resistance: it is hard to find any x and y  x such that H(y) = H(x). 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Using Hashes Alice wants to send Bob and “I owe you” message. Bob should be able to show the message to a judge to compel Alice to pay up. Bob should not be able to make his own “I owe you” from Alice, or change the contents of the one she sent him. 21 November 2018 University of Virginia CS 551

IOU Protocol (Attempt 1) H(M) Bob Alice M H(M) Hmmm...Bob can just make up M and H(M)! Judge 21 November 2018 University of Virginia CS 551

IOU Protocol (Attempt 2) EKA[H(M)] Bob Alice secret key KA M EKA[H(M)] Can Bob cheat? Use Diffie-Hellman to establish shared secret KA Can Alice cheat? Yes, send Bob: M, junk. Judge will think Bob cheated! Judge knows KA 21 November 2018 University of Virginia CS 551

IOU Protocol (Attempt 3) EKRA[H(M)] Bob Alice knows KUA {KUA, KRA} M EKRA[H(M)] Bob can verify H(M) by decrypting, but cannot forge M, EKRA[H(M)] pair without knowing KRA. Judge knows KUA 21 November 2018 University of Virginia CS 551

Weak Collision Resistance Suppose we use: H (char s[]) = (s[0] – ‘a’) mod 10 Alice sends Bob: “I, Alice, owe Bob $2.”, EKRA[H (M)] Bob sends Judge: “I, Alice, owe Bob $2000000000000000.”, EKRA[H (M)] Judge validates EKUA [ EKRA[H (M)]] = H(“I, Alice, owe Bob $2000000000000000.”) and makes Alice pay. 21 November 2018 University of Virginia CS 551

Weak Collision Resistance Given x, it should be hard to find y  x such that H(y) = H(x). Similar to a block cipher except no need for secret key: Changing any bit of x should change most of H(x). The mapping between x and H(x) should be confusing (complex and non-linear). 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 A Better Hash Function? H(x) = DES (x, 0) Weak collision resistance? Given x, it should be hard to find y  x such that H(y) = H(x). Yes – DES is one-to-one. (These is no such y.) A good hash function? No, its output is as big as the message! 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 What we need: Produce small number of bits (say 64) that depend on the whole message in a confusing, non-linear way. Have we seen anything like this? 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Cipher Block Chaining Pn P1 P2  IV   ... DES DES DES K K K Cn C1 C2 Use last ciphertext block as hash. Depends on all plaintext blocks. 21 November 2018 University of Virginia CS 551

Actual Hashing Algorithms Based on cipher block chaining No need for secret key or IV (just use 0) Don’t use DES Performance Better to use bigger blocks MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash SHA [NIST95] – 512 bit blocks, 160-bit hash 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Why big hashes? 3DES is (probably) secure with 64-bit blocks, why do secure hash functions need at least 128 bit digests? 64 bits is fine for weak collision resistance, but we need strong collision resistance too. 21 November 2018 University of Virginia CS 551

Strong Collision Resistance It is hard to find any x and y  x such that H(y) = H(x). Difference from weak: Attacker gets to choose both x and y, not just y. Scenario: Suppose Bob gets to write IOU message, send it to Alice, and she signs it. 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 IOU Request Protocol x EKRA[H(x)] Bob Alice knows KUA {KUA, KRA} y EKRA[H(x)] Bob picks x and y such that H(x) = H(y). Judge knows KUA 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Finding x and y Bob generates 210 different agreeable (to Alice) xi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2001 | 2001 AD}. 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Finding x and y Bob generates 210 different agreeable (to Bob) yi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $2000000000000000 | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2001 | 2001 AD}. 21 November 2018 University of Virginia CS 551

Bob the Quadrillionaire!? For each message xi and yi, Bob computes hxi = H(xi) and hyi = H(yi). If hxi = hyj for some i and j, Bob sends Alice xi, gets EKRA[H(x)] back. Bob sends the judge yj and EKRA[H(x)]. 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Chances of Success Hash function generate 64-bit digest (n = 264) Hash function is good (randomly distributed and diffuse) Chance a randomly chosen message maps to a given hash value: 1 in n = 2-64 By hashing m good messages, chance that a randomly chosen message maps to one of the m different hash values: m * 2-64 By hashing m good messages and m bad messages: m * m * 2-64 21 November 2018 University of Virginia CS 551

Is Bob a Quadrillionaire? m = 210 210 * 210 * 2-64 = 2-44 (doesn’t look good...) Try m = 232 232 * 232 * 2-64 = 20 = 1 (yippee!) Flaw: some of the messages might hash to the same value, might need more than 232 to find match. 21 November 2018 University of Virginia CS 551

Dealing with duplicates For a particular yi: p(H(yi) = H(x)) = 1/n p(H(yi)  H(x)) = 1 - 1/n Probability that none of m different yi’s match = p(H(yi)  H(x))m = (1 - 1/n)m Probability that there is at least one match = 1 - (1 - 1/n)m 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Binomial Theorem (1 – a)k = 1 – ka + (k(k – 1) / 2!) a2 – (k(k – 1)(k – 2) / 3!) a3 ... For small a: (1 – a)k  1 – ka Probability that there is at least one match = 1 - (1 - 1/n)m  1 – (1 – m/n) = m/n For m = 232 and n = 264: 232/264  2-32 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Birthday “Paradox” What is the probability that a group of k people have 2 with the same birthday? 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Birthday Paradox Ways to assign k different birthdays without duplicates: N = 365 * 364 * ... * (365 – k + 1) = 365! / (365 – k)! Ways to assign k different birthdays with possible duplicates: D = 365 * 365 * ... * 365 = 365k 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Birthday “Paradox” Assuming real birthdays assigned randomly: N/D = probability there are no duplicates 1 - N/D = probability there is a duplicates = 1 – 365! / ((365 – k!)(365)k ) For k = 48: > 95% 21 November 2018 University of Virginia CS 551

Generalizing Birthdays (n – k)!nk P(n, k) = 1 – Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate. P(n, k) > 1 – e-k*(k-1)/2n Derived using (1 – x)  e-x. (see book) 21 November 2018 University of Virginia CS 551

Applying Birthdays P(n, k) > 1 – e-k*(k-1)/2n For n = 365, k = 48: P(365, 48) > 1 – e-48*(47)/2*365 P(365, 48) > .954 For n = 264, k = 232: P (264, 232) > .39 For n = 264, k = 233: P (264, 233) > .86 For n = 264, k = 234: P (264, 234) > .9996 For n = 2128, k = 240: P (2128, 240) > 10-15 21 November 2018 University of Virginia CS 551

University of Virginia CS 551 Conclusion If you’re Alice, don’t sign a hash for an IOU from Bob, unless the hash is at least 128 bits. 21 November 2018 University of Virginia CS 551

Charge $$$$ Full Project Proposals due Oct 4 Next time: Guest lecture Paco Hope, chainmailinc.com chainmailinc.com $$$$ KUA CA = EKRchainmail[Time1, IDA, KUA] Alice 21 November 2018 University of Virginia CS 551