刘振 上海交通大学 计算机科学与工程系 电信群楼3-509

Slides:



Advertisements
Similar presentations
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Advertisements

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms
Key Exchange References: Applied Cryptography, Bruce Schneier
Message Integrity and Message Authentication
Information Security message M one-way hash fingerprint f = H(M)
Computer Security CS 526 Topic 4
Cryptographic Hash Functions
Cryptographic Hash Function
CSCE 715: Network Systems Security
Public Key Encryption and Digital Signatures
Message Authentication and Hash Functions
Cryptographic Hash Functions
Information Security message M one-way hash fingerprint f = H(M)
Cryptography Lecture 13.
MAC: Message Authentication Code
ICS 454 Principles of Cryptography
Public Key Cryptography Diffie-Hellman, Discrete Log, RSA
Introduction to Symmetric-key and Public-key Cryptography
Information Security message M one-way hash fingerprint f = H(M)
Cryptography: Basics (2)
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
ICS 454 Principles of Cryptography
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Hash Functions Motivation Hash Functions: collision, pre-images SHA-1
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Topic 13: Message Authentication Code
Lecture 4.1: Hash Functions, and Message Authentication Codes
Chapter 3 - Public-Key Cryptography & Authentication
One Way Functions Motivation Complexity Theory Review, Motivation
Cryptography Lecture 14.
Cryptography Lecture 13.
Cryptography Lecture 13.
Security: Integrity, Authentication, Non-repudiation
CRYPTOGRAPHY & NETWORK SECURITY
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

刘振 上海交通大学 计算机科学与工程系 电信群楼3-509 liuzhen@sjtu.edu.cn 网络安全技术 刘振 上海交通大学 计算机科学与工程系 电信群楼3-509 liuzhen@sjtu.edu.cn

Digital Signature Hash Function Message Authentication Code

Digital Signature There is an electronic document to be sent from Alice to Bob. Is there a functional equivalence to a handwritten signature? Easy for Alice to sign on the document But hard for anyone else to forge Easy for Bob or anyone to verify Answer: digital signature Sign using Alice’s private key Verify using Alice’s public key Verify Public key Message Signature Valid/Invalid Message rfwekfs Sign Private key (fixed-length signature) Only the signer (who has a private key) can generate a valid signature Anyone (since the corresponding public key is published) can verify if a signature with respect to a message is valid

RSA Signature Scheme Setup: Signature Generation: n = pq where p, q are large prime (say 512 bits long each) ed = 1 mod (p-1)(q-1) Signing (Private) Key : d Verification (Public) Key : (e, n) Signature Generation: S = Md mod n where M is some message Signature Verification: If Se mod n = M, output valid; otherwise, output invalid

Hash Function Motivation Consider the RSA Signature Scheme, if M > n, how to sign M? Solution: instead of signing M directly, Alice signs a hash of M denoted by h(M) Alice sends M and S = Sign(SKAlice, h(M)) to Bob Bob verifies that Verify(PKAlice, h(M), S) = valid h is called a hash function h maps a binary string to a non-zero integer smaller than n h(M) is called the message digest

Hash Function A cryptographic hash function h(x) should provide Compression  output length is small and fixed One-way  given a value y it is infeasible to find an x such that h(x) = y collision resistance  infeasible to find x and y, with x  y such that h(x) = h(y) Note: As h is a compression algorithm, there should have a lot of collisions. Collision resistance require that it is hard to find any collision

Hash Function Security vs. Hash Output Length If a hash function is collision resistant, then it is also one-way. There is a fixed output length for every collision resistant hash function h. To break h against collision resistance using bruteforce attack, the adversary repeatedly chooses random value x, compute h(x) and check if the hash function is equal to any of the hash values of all previously chosen random values. If the output of h is N bits long, what is the expected number of times that the adversary needs to try before finding a collision?

Birthday Problem How many people must be in a room before probability is  1/2 that two or more have same birthday? 1  365/365  364/365   (365K+1)/365 Set equal to 1/2 and solve: K = 23 Surprising? A paradox? since we compare all pairs x and y K is about sqrt(365) This problem is related to collision resistance. Question: suppose h’s output is 80 bits long, how many values must the adversary try before having the probability of compromising collision resistance be at least 1/2? Implication: secure N bit hash requires 2N/2 work to “break” (with respect to collision resistance).

Bruteforce Attack Against the Collision-resistance of a Hash Function Finding collisions of a hash function using Birthday Paradox. randomly chooses K messages, m1, m2, …, mk search if there is a pair of messages, say mi and mj such that h(mi) = h(mj). If so, one collision is found. This birthday attack imposes a lower bound on the size of message digests. E.g. 10-bit message digest is very insecure, since one collision can be found with probability at least 0.5 after doing slightly over 25 (i.e. 32) random hashes. E.g. 40-bit message digest is also insecure, since a collision can be found with probability at least 0.5 after doing slightly over 220 (about a million) random hashes.

General Design of Hash Algorithms Partition the input message into fixed-sized blocks. (e.g. 512 bits per block) The remaining bits of the input are padded with the value of the message length. … M1 M2 ML-1 ML||pad||Len b bits b bits The hash algorithm involves iterated use of a compression function, f. It is initialized by an initial value IV (i.e. a magic number). Note: Hash algorithms are usually designed heuristically. M1 M2 ML f f f IV

Popular Crypto Hashes MD5  designed by Ronald Rivest 128 bit output Available at http://www.ietf.org/rfc/rfc1321 Note: MD5 collisions found (easily) SHA-1  A US government standard (similar to MD5) 160 bit output Available at http://www.itl.nist.gov/fipspubs/fip180-1.htm Note: A collision found in 2017 SHA-2 (SHA 256/384/512) Based on SHA-1 with a longer hash value

Security Updates of Hash Functions MD5 In Aug 2004, Wang, et al. showed that it is “easy” to find collisions in MD5. They found many collisions in very short time (in minutes) http://eprint.iacr.org/2004/199.pdf SHA-1 In Feb 2005, Wang et al. showed that collisions can be found in SHA-1 with an estimated effort of 269 hash computations. Less than 280 hash computations by birthday attack. http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Impacts Hurts digital signatures For applications require underlying hash functions should be collision resistant, it’s time to migrate away from SHA-1. Start using new standards SHA-256 and SHA-512. http://csrc.nist.gov/CryptoToolkit/tkhash.html

Block Ciphers as Hash Functions Can use block ciphers as hash functions Set H0=0 compute: Hi = AESMi [Hi-1] and use the final block as the hash value If the length of message is not the multiple of the key size, zero-pad the last segment of message

What are the applications of cryptographic hash functions?

Message Authentication

Message Authentication make sure what is sent is what is received detect unauthorized modification of data Example: Inter-bank fund transfers Confidentiality is nice, but integrity is critical Encryption provides confidentiality (prevents unauthorized disclosure) Encryption alone does not assure message authentication (a.k.a. data integrity)

MAC How MAC Works Sender and receiver share a secret key K Sender computes a MAC tag using the message and K; then sends the MAC tag along with the message Receiver computes a MAC tag using the message and K; then compares it with the MAC tag received. If they are equal, then the receiver concludes that the message is not changed Note: only sender and receiver can compute and verify a MAC tag

Message Authentication Code Message authentication using digital signature Method: Sender signs message using a private key Disadvantage: digital signature is costly MAC does not provide non-repudiation Since both sender and receiver share the same symmetric key, Use digital signature for non-repudiation Alice Bob T’ Eve T’ =? T’’ M M’ T’’ M, T MAC cryptanalysis MAC K Secure channel key

A MAC Algorithm MAC can be constructed from a block cipher operated in CBC mode (with IV=0). Suppose a plaintext has 4 plaintext blocks P=P0, P1, P2, P3 Suppose K is the secret key shared between sender and receiver. C0 = E(K, P0), C1 = E(K, C0  P1), C2 = E(K, C1  P2),… CN1 = E(K, CN2  PN1) = MAC tag

Why does a MAC work? C0 = E(K, P0), C1 = E(K, C0P1), Suppose Alice has 4 plaintext blocks Alice computes the MAC by doing the following operations: C0 = E(K, P0), C1 = E(K, C0P1), C2 = E(K, C1P2), C3 = E(K, C2P3) = MAC tag Alice sends P0,P1,P2,P3 and MAC tag to Bob Suppose Trudy changes P1 to X Bob computes C0 = E(K, IVP0), C1 = E(K, C0X), C2 = E(K, C1P2), C3 = E(K,C2P3) = MAC tag  MAC tag Hence, Trudy can’t change MAC tag to MAC tag without key K Note: The MAC algorithm above may not be secure if the messages are in variable length.

The Insecurity of Block Cipher Based MAC Algorithm E.g. Given two pairs of (message, MAC tag) (P’, T’) and (P’’, T’’) where P’ = P1, P2 P’’ = P1 Attack: anyone can forge another pair of message and MAC tag: (P’’’,T’’’) by setting P’’’ = P2 T’’ and T’’’ = T’.

Message Authentication - HMAC Message Authentication Code: A  CK (M) M: message A: authentication tag for integrity and authenticity HMAC: Keyed-hashing for Message Authentication Used extensively in IPSec (IP Security) IPSec is widely used for establishing Virtual Private Networks (VPNs) H  M K ipad opad HMACK(M) = H( K  opad || H((K  ipad) || M) ) Let B be the block length of hash, in bytes (B = 64 for MD5 and SHA-1) ipad = 0x36 repeated B times opad = 0x5C repeated B times

Summary Signature Hash MAC RSA Signature Definitions Find Collusion Difference from Signature