04/07/ …x[l]x[2]x[1] VIL CRHF from FIL CRHF: adding IV Build VIL CRHF h:{0,1} *  {0,1} m from FIL CRHF c:{0,1} n  {0,1} m 1 st Idea: use iterative process, compressing block by block 2 nd idea: use a fixed IV as first block y 0 =IV  {0,1} m Let the input x=x[1]||… where |x[i]|=(n-m) [i>0] For i=1,..l, let y i =c(x[i],y i-1 ); output h(x)=y l+1 Suppose h(x)=h(x’), x≠x’:  If |x|=|x’|  c(x[i],y i-1 )=c[x’[i],y’ i-1 ) for ≠  Else: collision or preimage for IV (contradiction to OWF?) c IV=y 0 c c h(x)=y l =c(x[l],y l-1 ) IV Construction, notation: IV[c](x)=c(x[2],c(x[1],IV))

04/07/ …|x| x[l]|| 10 k x[2]x[1] Merkle-Damgard VIL Construction Let pad(x)=x||1||0 k ||bin n-m (|x|) Let y 0 =IV be some fixed m bits (IV=Initialization Value) For i=1,..|pad(x)|/(n-m), let y i =c(x[i],y i-1 ) Output MD[c]( x) =IV[c](pad(x))=y l+1 c IV c c c MD[c](x)=y l+1 =c(|x|,y l ) Bounded length, but: 1.Up to |x|=2 n-m 2.Can use bin n-m (|x|/(n-m)) 3.64 bits enough (SHA) 4.Easy to extend to to unbounded length

04/07/ Example: MD5 (Message Digest #5) Developed by RSA Inc. Output is 128 bit  Collisions by birthday paradox: 2 64 time, storage Compression function: Cascade of four 128b+512b  128b compression functions Collisions found  1996: compression function (pseudo-collisions)  2004: full MD5 chosen prefix collision attack  Some results allowing two different prefixes Still widely used, but being `phased out`

04/07/ SHA-1 (Secure Hash Algorithm) Developed by NIST, published as FIPS Output is 160 bit  New versions: 256b, 384b and 512b proposed Widely used; `closed` design process, criteria  Similar design to MD5  160b chaining block  brute force collisions complexity 2 80 Chosen-prefix collisions in 2 63 guesses [W06, WYY05]  Chaining value added (mod 2 32 ) to output of compression m[i] CV[i] CV[i+1] 160b 512b 160b

04/07/06 Exploiting Chosen-Prefix Attacks Hash trees are vulnerable to collision attacks! Recall chosen prefix collision attacks  Allow attacker to chose prefix  Known for MD5, SHA0, others; suspect for SHA1 For any prefix p Attack finds two collisions c, c’ S.t. for any suffix s holds: h(p||c||s)=h(p||c’||s) Implications / exploits?  Colliding, different executables, documents (ps…)  Duplicate `tickets` (sign m=“ticket #”||n, n by subject)

04/07/06 X.509 Public Key Certificates

04/07/06 Sequence Numbers in IP-Sec Send (authenticated) sequence number with packet  Initial number = zero (when SA established)  Sender increments per outgoing packet  Not cyclic: change key before seq# reaches 2 32  Receiver advances to highest received seq# (if MAC Ok) Discard packets identified as replay [why?]  Replay = repeated seq # (within `window`) Deliver out-of-order packets (within `window`)  Since IP does not preserve order  Discard if not within window: block (very) old packets

04/07/06 AH - Authentication Header The Authentication Header AH) authenticates the entire IP packet, including the IP header (except TTL etc.), AH header itself, and the payload 32 bits SPI (Security Parameters Index) Sequence Number Protocol Authentication Data (variable length) Payload length Reserved

04/07/06 ESP – Encapsulating Security Payload SPI Sequence Number Initialization Vector (if needed for encryption) Payload Authentication Tag (MAC) Padding Pad Length Protocol 32 bits Encrypted MAC

04/07/06 Euler Theorem & Function Φ(n) The Euler function of n, denoted Φ(n), is the number of positive integers less than n and co-prime to n. For every prime p holds Φ(p)=p-1 For primes p, q holds Φ(pq)=(p-1)(q-1) Euler’s Theorem: if a, n are co-primes then a Φ(n) =1 mod n  Fermat’s Theorem: if p is primes then a p-1 =1 mod p  Also: a x mod Φ(n) =a x mod n; a 1 mod Φ(n) =a mod n  Also: a -1 =a Φ(n)-1 mod n  easy to compute inverse mod n n Φ(n )

04/07/ Turing Award RSA Public Key Cryptosystem Select two large primes p,q and let n=pq Let Φ(n)=(p-1)(q-1) [Euler function] Select random public exponent e which is prime  Or co-prime to Φ(n), i.e. no common divisor Let d=e -1 mod Φ(n), i.e. ed=1 mod Φ(n).  Find d from Φ(n) with extended Euclidean (GCD) algorithm (simple… see e.g. in Wikipedia)Wikipedia Public key is, private key is d.  Notice: given p,q it is easy to find Φ(n)=(p-1)(q-1) and from it d  Assumption: it is hard to find d (or Φ(n), or p,q ) given only RSA.E e,n (m)=m e mod n RSA.D d,n (c)=c d mod n = (m e ) d = m ed mod n  Euler: m ed = m (1 mod Φ(n)) = m mod n This is called `textbook RSA` (in practice, pad message first)

04/07/06 SSL Handshake – Overview Client Server Possible Cipher-suites, Client_random Chosen cipher-suite, Server_random,Certificate Certificate=SignCA( Encrypted shared key Confirmation (MAC of handshake messages) Client, Server change to new,computed keys (`Cipher Spec`) Confirmation (MAC of handshake messages) Confirms cipher-suites, no replay, client really sent Pre_Master_Secret In order of preference