David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.


David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people (out of 4) have voted that notes are useful. I won’t make notes (regularly) until at least 10 people do.

15 February 2005, University of Virginia CS 588
Remote Coin Flipping (Ch 1)
1. Alice picks random x and sends f (x) to Bob.
2. Bob picks “odd” or “even” and sends “odd” or “even” to Alice.
3. Alice sends x to Bob.
4. Bob checks f (x) matches value received in step 1.
Alice wins if x does not match Bob’s pick.

Magic Function f
One Way:
– For every integer x, easy to compute f (x)
– Given f (x), hard to find any information about x
Collision Resistant:
– “Impossible” to find pair (x, y) where x ≠ y and f (x) = f (y)

Normal CS Hashing
H (char s[]) = (s[0] – ‘a’) mod 10
Keys shown in the table: “neanderthal”, “dog”, “horse”

Regular Hash Functions
1. Many-to-one: maps a large number of values to a small number of hash values
2. Even distribution: for typical data sets, P(H(x) = n) = 1/N where N is the number of hash values and n = 0 .. N – 1.
3. Efficient: H(x) is easy to compute.
How well does H (char s[]) = (s[0] – ‘a’) mod 10 satisfy these properties?

Cryptographic Hash Functions
4. One-way: for given h, it is hard to find x such that H(x) = h.
5. Collision resistance:
– Weak collision resistance: given x, it is hard to find y ≠ x such that H(y) = H(x).
– Strong collision resistance: it is hard to find any x and y ≠ x such that H(y) = H(x).

Fair Remote Coin Flipping?
1. Alice picks random x and sends f (x) to Bob.
2. Bob picks “odd” or “even” and sends “odd” or “even” to Alice.
3. Alice sends x to Bob.
4. Bob checks f (x) matches value received in step 1.
Alice wins if x does not match Bob’s pick.
What goes wrong if f is not one-way?
What goes wrong if f is not weak collision resistant?
What goes wrong if f is not strong collision resistant?
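The questions on this slide can be tried out in code. This is an added example, not part of the original slides; f_strong (SHA-256), f_weak (x mod 9) and all function names are assumptions chosen for the demonstration. It shows Alice winning every round when f has easy collisions, and Bob learning x before he picks when x is drawn from a small range.

```python
import hashlib
import secrets

def f_strong(x: int) -> str:
    """Commitment function: SHA-256 over the decimal encoding of x."""
    return hashlib.sha256(str(x).encode()).hexdigest()

def f_weak(x: int) -> int:
    """Deliberately bad f (assumption for the demo): x and x + 9 collide."""
    return x % 9

def parity(x: int) -> str:
    return "odd" if x % 2 else "even"

def bob_verifies(f, commitment, revealed_x) -> bool:
    """Step 4: Bob checks the revealed x against the step-1 commitment."""
    return f(revealed_x) == commitment

def honest_round(bob_guess: str):
    """Alice follows the protocol with a 128-bit random x and SHA-256."""
    x = secrets.randbits(128)
    commitment = f_strong(x)
    ok = bob_verifies(f_strong, commitment, x)
    winner = "Bob" if parity(x) == bob_guess else "Alice"
    return ok, winner

def cheating_round(bob_guess: str):
    """With f_weak, Alice opens the commitment to whichever value beats Bob."""
    x = secrets.randbits(128)
    commitment = f_weak(x)
    # x and x + 9 have the same commitment but opposite parity.
    reveal = x if parity(x) != bob_guess else x + 9
    ok = bob_verifies(f_weak, commitment, reveal)
    winner = "Bob" if parity(reveal) == bob_guess else "Alice"
    return ok, winner

def bob_inverts_small_x(commitment: str, bound: int = 1000):
    """If x comes from a small range, f is not one-way in practice:
    Bob enumerates the range and learns x before he picks."""
    for guess in range(bound):
        if f_strong(guess) == commitment:
            return guess
    return None
```

Bob's check passes in every cheating round, so the protocol transcript alone gives him no evidence that Alice chose her opening after seeing his pick.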

Using Hashes
Alice wants to send Bob an “I owe you” message.
Bob should be able to show the message to a judge to compel Alice to pay up.
Bob should not be able to make his own “I owe you” from Alice, or change the contents of the one she sent him.

IOU Protocol (Attempt 1)
Alice sends Bob: M, H(M)
Bob sends Judge: M, H(M)
Hmmm... Bob can just make up M and H(M)!

IOU Protocol (Attempt 2)
Alice has secret key K_A. The Judge knows K_A (shared secret K_A).
Alice sends Bob: M, E_{K_A}[H(M)]
Bob sends Judge: M, E_{K_A}[H(M)]
Can Bob cheat?
Can Alice cheat? Yes, send Bob: M, junk. Judge will think Bob cheated!

IOU Protocol (Attempt 3)
Alice has key pair {KU_A, KR_A}. The Judge knows KU_A.
Alice sends Bob: M, E_{KR_A}[H(M)]
Bob sends Judge: M, E_{KR_A}[H(M)]
Bob can verify H(M) by decrypting, but cannot forge an M, E_{KR_A}[H(M)] pair without knowing KR_A.
Why not just use E_{KR_A}[M]? Known public-key encryption algorithms are slow.

No Collision Resistance
Suppose we use: H (char s[]) = (s[0] – ‘a’) mod 10
Alice sends Bob: “I, Alice, owe Bob $2.”, E_{KR_A}[H(M)]
Bob sends Judge: “I, Alice, owe Bob $ ”, E_{KR_A}[H(M)]
Judge validates E_{KU_A}[E_{KR_A}[H(M)]] = H(“I, Alice, owe Bob $ ”) and makes Alice pay.

Weak Collision Resistance
Given x, it should be hard to find y ≠ x such that H(y) = H(x).
Similar to a block cipher except no need for secret key:
– Changing any bit of x should change most of H(x).
– The mapping between x and H(x) should be confusing (complex and non-linear).

A Better Hash Function?
H(x) = DES (x, 0)
Weak collision resistance?
– Given x, it should be hard to find y ≠ x such that H(y) = H(x).
– Yes – DES is one-to-one. (There is no such y.)
A good hash function?
– No, its output is as big as the message!

What we need:
Produce small number of bits (say 64) that depend on the whole message in a confusing, non-linear way.
Have we seen anything like this?

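Cipher Block Chaining
[Diagram: DES with key K in cipher block chaining mode. P1 is combined with the IV and encrypted to give C1; each later block P2, ..., Pn is combined with the previous ciphertext block and encrypted to give C2, ..., Cn.]
Use last ciphertext block as hash. Depends on all plaintext blocks.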

Actual Hashing Algorithms
Based on cipher block chaining
No need for secret key or IV (just use 0)
Don’t use DES
– Performance
– Better to use bigger blocks
MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash
SHA [NIST95] – 512 bit blocks, 160-bit hash

Why big hashes?
3DES is (probably) secure with 64-bit blocks, why do secure hash functions need at least 128 bit digests?
64 bits is fine for weak collision resistance, but we need strong collision resistance too.

Strong Collision Resistance
It is hard to find any x and y ≠ x such that H(y) = H(x).
Difference from weak:
– Attacker gets to choose both x and y, not just y.
Scenario:
– Suppose Bob gets to write IOU message, send it to Alice, and she signs it.

Cryptographic Hash Functions
1. Many-to-one: compresses
2. Even distribution: P(H(x) = n) = 1/N
3. Efficient: H(x) is easy to compute.
4. One-way: given H(x), hard to find x
5. Collision resistance:
– Weak collision resistance: given x, it is hard to find y ≠ x such that H(y) = H(x).
– Strong collision resistance: it is hard to find any x and y ≠ x such that H(y) = H(x).

IOU Request Protocol
Alice has key pair {KU_A, KR_A}. The Judge knows KU_A.
Bob picks x and y such that H(x) = H(y).
Bob sends Alice: x
Alice sends Bob: E_{KR_A}[H(x)]
Bob sends Judge: y, E_{KR_A}[H(x)]

Finding x and y
Bob generates 2^10 different agreeable (to Alice) x_i messages:
I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2006 | 2006 AD }.

Finding x and y
Bob generates 2^10 different agreeable (to Bob) y_i messages:
I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $ | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2006 | 2006 AD }.

Bob the Quadrillionaire!?
For each message x_i and y_i, Bob computes hx_i = H(x_i) and hy_i = H(y_i).
If hx_i = hy_j for some i and j, Bob sends Alice x_i, gets E_{KR_A}[H(x)] back.
Bob sends the judge y_j and E_{KR_A}[H(x_i)].
Is this different from when Alice chooses x?
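The search described on the last three slides, as an added example that is not part of the original lecture. It assumes a toy 16-bit hash (SHA-256 truncated) so that the slides' 2^10 wordings per side are enough, replaces Alice's public-key signature with a plain digest comparison, and uses constructed amounts for Bob's messages.

```python
import hashlib
from itertools import product

def H(msg: str, bits: int = 16) -> int:
    """Toy hash: SHA-256 truncated to `bits` bits (assumption for the demo)."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def variants(amounts):
    """The slide's template: 4*2*2*4*2*4*2 = 2^10 wordings of one IOU."""
    choices = [
        ["Alice", "Alice Hacker", "Alice P. Hacker", "Ms. A. Hacker"],
        ["owe", "agree to pay"],
        ["the sum of", "the amount of"],
        amounts,
        ["by", "before"],
        ["January 1st", "1 Jan", "1/1", "1-1"],
        ["2006", "2006 AD"],
    ]
    for name, verb, sum_of, amount, by, day, year in product(*choices):
        yield f"I, {name}, {verb} Bob {sum_of} {amount} {by} {day} {year}."

GOOD = ["$2", "$2.00", "2 dollars", "two dollars"]
# Constructed amounts for the message Bob wants the judge to see.
BAD = ["$2 quadrillion", "$2,000,000,000,000,000",
       "2 quadrillion dollars", "two quadrillion dollars"]

def find_collision(bits: int = 16):
    """Return (x, y): x agreeable to Alice, y agreeable to Bob, H(x) == H(y)."""
    table = {H(x, bits): x for x in variants(GOOD)}
    for y in variants(BAD):
        x = table.get(H(y, bits))
        if x is not None:
            return x, y
    return None

def judge_accepts(message: str, signed_digest: int, bits: int = 16) -> bool:
    """The judge recovers the signed digest with KU_A and compares it to
    H(message). The public-key operation itself is abstracted away here."""
    return H(message, bits) == signed_digest
```

With 2^10 messages on each side there are 2^20 pairs, so a 16-bit digest yields a match almost immediately, while the same search against a 64-bit truncation comes back empty.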

Chances of Success
Hash function generates 64-bit digest (n = 2^64)
Hash function is good (randomly distributed and diffuse)
Chance a randomly chosen message maps to a given hash value: 1 in n =
By hashing m good messages, chance that a randomly chosen bad message maps to one of the m different hash values: m *
By hashing m good messages and m bad messages: m * m * (approximation)

Is Bob a Quadrillionaire?
m = * 2^10 * = (still a pauper)
Try m = * 2^32 * = 2^0 = 1 (yippee!)
Flaw: some of the messages might hash to the same value, might need more than 2^32 to find match.

Birthday “Paradox”
What is the probability that two people in this room have the same birthday?
Text, Chapter 3.6

Birthday Paradox
Ways to assign k different birthdays without duplicates:
N = 365 * 364 * ... * (365 – k + 1) = 365! / (365 – k)!
Ways to assign k different birthdays with possible duplicates:
D = 365 * 365 * ... * 365 = 365^k

Birthday “Paradox”
Assuming real birthdays assigned randomly:
N/D = probability there are no duplicates
1 – N/D = probability there is a duplicate = 1 – 365! / ((365 – k)! 365^k)

Generalizing Birthdays
P(n, k) = 1 – n! / ((n – k)! n^k)
Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate.

Birthday Probabilities
P(no two match) = 1 – P(all are different)
P(2 chosen from N are different) = 1 – 1/N
P(3 are all different) = (1 – 1/N)(1 – 2/N)
P(n trials are all different) = (1 – 1/N)(1 – 2/N) ... (1 – (n – 1)/N)
ln (P) = ln (1 – 1/N) + ln (1 – 2/N) + ... + ln (1 – (k – 1)/N)

Happy Birthday Bob!
ln (P) = ln (1 – 1/N) + ... + ln (1 – (k – 1)/N)
For 0 < x < 1: ln (1 – x) < –x
ln (P) < – (1/N + 2/N + ... + (n – 1)/N)
Gauss says: 1 + 2 + ... + (n – 1) + n = ½ n (n + 1)
So, ln (P) < –½ (k – 1) k / N
P < e^(–½ (k – 1) k / N)
Probability of match > 1 – e^(–½ (k – 1) k / N)

Applying Birthdays
P(n, k) > 1 – e^(–k (k – 1) / 2n)
For n = 365, k = 20: P(365, 20) > 1 – e^(–20 * 19 / (2 * 365)), so P(365, 20) > .4058
For n = 2^64, k = 2^32: P(2^64, 2^32) > .39
For n = 2^64, k = 2^33: P(2^64, 2^33) > .86
For n = 2^64, k = 2^34: P(2^64, 2^34) > .9996

Is 128 bits enough?
For n = 2^128, k = 2^40: P(2^128, 2^40) >
If your guesses are random, need to try 2^40 inputs to have a chance of finding a collision
Assumes your hash function is perfect
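The bound from the last two slides can be evaluated directly. The following is an added example, not from the original lecture; the function names are assumptions. It compares the exact product with the exponential bound, and uses expm1 so that the result stays accurate when the probability is far below floating-point precision around 1, as it is for a 128-bit digest.

```python
import math

def p_exact(n: int, k: int) -> float:
    """P(n, k) = 1 - n! / ((n - k)! n^k), computed as a running product.
    Only practical for small k."""
    p_distinct = 1.0
    for i in range(1, k):
        p_distinct *= 1.0 - i / n
    return 1.0 - p_distinct

def p_bound(n: int, k: int) -> float:
    """Lower bound 1 - e^(-k(k-1)/2n) on the chance of a duplicate.
    -expm1(-t) equals 1 - e^(-t) without losing precision for tiny t."""
    return -math.expm1(-k * (k - 1) / (2 * n))

def k_for(n: int, target: float) -> int:
    """Smallest k for which the bound reaches `target`,
    i.e. k(k-1) >= 2n * ln(1 / (1 - target))."""
    c = 2 * n * math.log(1.0 / (1.0 - target))
    k = math.isqrt(int(c))
    while k * (k - 1) < c:
        k += 1
    return k

if __name__ == "__main__":
    print("n=365, k=20:", p_exact(365, 20), p_bound(365, 20))
    for bits, log_k in [(64, 32), (64, 33), (64, 34), (128, 40), (128, 64)]:
        print(f"n=2^{bits}, k=2^{log_k}:", p_bound(2**bits, 2**log_k))
    print("k for 50% at n=365:", k_for(365, 0.5))
```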

A Most Disturbing Program!
#!/usr/bin/perl -w
use strict;
use Digest::MD5 qw(md5_hex);
# Create a stream of bytes from hex.
= map {chr(hex($_))} qw(d1 31 dd 02 c5 e6 ee c4 69 3d 9a af f9 5c 2f ca b e ab e b8 fb 7f ad f4 b e a e8 f7 cd c9 9f d9 1d bd f c 5b d8 82 3e f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 b4 87 da 03 fd d2 48 cd a0 e9 9f f 57 7e e8 ce 54 b a8 0d 1e c bc b6 a f9 65 2b 6f f7 2a 70);
= map {chr(hex($_))} qw(d1 31 dd 02 c5 e6 ee c4 69 3d 9a af f9 5c 2f ca b e ab e b8 fb 7f ad f4 b e f1 41 5a e8 f7 cd c9 9f d9 1d bd c 5b d8 82 3e f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e da 03 fd d2 48 cd a0 e9 9f f 57 7e e8 ce 54 b d 1e c bc b6 a f9 65 ab 6f f7 2a 70);
# Print MD5 hashes
print "\n ", "\n";
fb1a26e4bc422aef54eb4
From

Hash Collisions
Collisions announced in SHA-0 at Crypto 2004
No collisions yet found in SHA-1 (which replaced SHA-0 as a standard in 1994)
NIST is nervous

NIST Comments
“At the recent Crypto2004 conference, researchers announced that they had discovered a way to "break" a number of hash algorithms, including MD4, MD5, HAVAL-128, RIPEMD and the long superseded Federal Standard SHA-0 algorithm. The current Federal Information Processing Standard SHA-1 algorithm, which has been in effect since it replaced SHA-0 in 1994, was also analyzed, and a weakened variant was broken, but the full SHA-1 function was not broken and no collisions were found in SHA-1. The results presented so far on SHA-1 do not call its security into question. However, due to advances in technology, NIST plans to phase out of SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010.”

Charge
We’ll cover SSL after Spring Break… but, this should make you nervous…
Wednesday 3:30: Chenxi Wang Seminar “Defending against Large Scale Attacks on the Internet”
Thursday 9:30 (please arrive on time for class, not like usual!): Chenxi Wang guest lecture, Using hashes to provide censorship-resistant publishing