Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions
Giuseppe Bianchi Hash Function Any length message X Fixed size digest Y e.g. 128 bits for MD5 Y = H(X) Cannot be inverted, as not unique X = x bits Y = y bits Assuming ideal mapping, Y is the result for 2 x-y possible X messages Example: x=5 bits 32 messages y=2 bits 4 digests 32/4 = 8= 2 3
Giuseppe Bianchi Properties of a good hash function Preimage resistance (one way) Given Y = result of a hash, it is hard to find X such as H(X)=Y Second preimage resistance (weak collision resistance) Given X, it is hard to find another X’ such that H(X) = H(X’) Collision resistance (strong collision resistance) It is hard to find two generic X1 and X2 such that H(X1) = H(X2)
Giuseppe Bianchi Birthday paradox 1.What is the probability that none of you N=22 is born in my same day? 2.What is the probability that no two+ of us N=23 are born the same day? H Human being X birthday !!
Giuseppe Bianchi Birthday paradox again Digest = D bits Number of messages = K 1.How many messages K to observe to get 50% probability to have my same digest? 2.How many messages K to observe to get 50% probability to have two same digest?
Giuseppe Bianchi Ricordando che per x piccolo 1-x approx e^(-x)
Giuseppe Bianchi Message digest size Must be considered against birthday paradox! 32 bits (RAND) 50% collision after 2 16 msg (very little!) 56 bits (DES) 50% collision after 2 28 msg 250M (still little!) 128 bits (MD5) 50% collision after 2 64 msg 1.8x10 19 (OK!) 160 bits SHA-1
Giuseppe Bianchi The «best» hash function: Random Oracle «oracle» = black box Random oracle: Given any distinct input x, H(x) = truly random value But for same x, same output Fact: NO practical hash function can be a random oracle Digest cannot be a «truly» random value
Giuseppe Bianchi MD5 iterative construction Merkle-Damgard approach Message (any size) Chunk (512 bits) Padding Length K mod 2 64 K bits N x 512 bits Initialization Vector (known) F 128 bits F F F Hash Compression function (if it is resistant, also iteration is)
Giuseppe Bianchi Message Integrity vs Encryption Integrity: prevent attacker from tampering with message Encryption may NOT guarantee integrity! In many encryption schemes, attacker may modify encrypted message One time pad (one time key K): »encrypted M C = M K »C M’= M K M’ encrypted M M’! RC4: same as above Homomorphic encryption: modifiable by design! »including RSA In general, don’t trust encryption mechanisms for integrity unless they are explicitly designed ALSO for it (authenticated encryption, e.g. AES-CCM or AES-GCM) Integrity may be the only requirement Why “also” encrypt (extra effort) if not needed by scenario?!
Giuseppe Bianchi Message authentication SenderReceiver kk message mtag Generate tag messageK tag Generate tag messageK Verify Tag =?
Giuseppe Bianchi Requires secret key! message mCRC(m) message m*CRC(m*) CRC meant to DETECT random errors! Not meant to prevent attacks! Attacker can trivially recompute «valid» CRC
Giuseppe Bianchi Message Authentication Code ingredient 1: good hash Good Message M HASH(M) Bad Message M’ VERY HARD to find message M’ whose Hash is the same of M (collision resistant hash)
Giuseppe Bianchi Message Authentication Code ingredient 2: secret in the hash Good Message M HASH(Secret, M) Bad Message M’ Since secret not know by attacker, very hard to construct a valid message authentication code HASH(????, M)
Giuseppe Bianchi Integrity check Weaker than digital signature Why? But fast, practical, and OK for two-party session Issues: Must use good hash Must use shared secret among parties Pay 100 dollarsPay 1000 dollars Pay 100 dollarsPay 1000 dollars H(S,M) H(S, “Pay 1000 dollars”) != H(S,M) Message modified!
Giuseppe Bianchi Security Attacker is given a number of past message/tag pairs (m 1,t 1 ), (m 2,t 2 ), (m 3,t 3 ), … Even more powerful: «chosen message» attack Now sees message m Must NOT be able to forge tag t Even more powerful: must NOT be able to forge ANY valid pair (m,t) for any chosen new msg Formally: probability to forge valid pair must be NEGLIGIBLE
Giuseppe Bianchi Short tags? 1 byte tags No way for attacker to guess tag from msg, beyond pure random choice Is this secure? NO! Probability of guessing = 1/256 Not nearly negligible!! Note the crucial difference with encryption security definitions!
Giuseppe Bianchi Message authentication using hash functions SenderReceiver kk message mtag Hash function messageK tag Generate tag Hash function messageK Verify Tag =?
Giuseppe Bianchi But devil is in details… Where to put secret in hash? H(S,M)? H(M,S)? Some other way? Do we care? What’s the matter? Matter is: Hash functions are not black boxes!
Giuseppe Bianchi Hash constructions: iterative Merkle-Damgard construction Applies to MD5, SHA-1, etc Example: MD5 case Message (any size) Chunk (512 bits) Padding Length K mod 2 64 K bits N x 512 bits Initialization Vector (known) MD5: 128 bit SHA-1: 160 bit F 128 bits F F F Hash Compression function (if it is resistant, also iteration is) The heart of the specific hash function used
Giuseppe Bianchi Secret Suffix: H(M,S)? Message (any size) Chunk (512 bits) Padding K bits N x 512 bits F 128 bits F F F Hash Secret State precomputation, once!! Dictionary attack to secret Len
Giuseppe Bianchi Secret Prefix: H(S,M)? Expansion attack Message extension does not require knowledge of secret Secret already “used” in the (now known) hash state May not be practical (yet), because of MD-strengthening. But significant construction shortcoming!!! Message (any size) Chunk (512 bits) PAD N x 512 bits F 128 bits F F F Hash SecretMessage extension
Giuseppe Bianchi Expansion attack! Trivial to “extend” the message! Especially critical if secret at the beginning Example: start from MD5(k | x), k unknown secret Append y To compute MD5(k | x | y) use iterative Merkle construction! No need to know k!!! Length (Damgard) strengthening: helps but does not solve the problem A strong reason to use different constructs (HMAC)
Giuseppe Bianchi Why HMAC? How to insert a secret in the hash is a fundamental issue! Secret prefix H(S | M) expansion attacks? Secret suffix H(M | S) hash state precomputation? Envelope H(S1 | M | S2) two secrets needed »Proven that if secret divided in two, robustness weakened!! 1996: problem solved, with HMAC! Best possible construction
Giuseppe Bianchi HMAC RFC 2104, february 2007 HMAC K (M) = H(K + XOR opad || H(K + XOR ipad || M)) K + = shared key padded to hash basic block size »When H=MD5, padding to 512 bits opad = 0x36 = repeated as needed ipad = 0x5C = repeated as needed
Giuseppe Bianchi HMAC - diagram Source: V. Shmatikov Embedded hash function (strength of HMAC relies on strength of this hash function) “Black box”: can use this HMAC construction with any hash function (why is this important?) Block size of embedded hash function Secret key padded to block size magic value (flips half of key bits) another magic value (flips different key bits) hash(key,hash(key,message)) “Amplify” key material (get two keys out of one) Very common problem: given a small secret, how to derive a lot of new keys?
Giuseppe Bianchi HMAC security quantitatively proven robustness: as secure as its underlying hash is see Bellare, Canetti, Krawczyk, Keying Hash Functions for Message Authentication, 1996 Actually more secure (surprise!) Bellare 2006: collision resistence NOT necessary Pseudorandomness only requirement You can use HMAC with MD5 or SHA-1 even if there are algorithms to compute collision Practical and flexible (you may change the underying hash with more robust one) Efficient computation
Giuseppe Bianchi Collisions without HMAC Collision in hash = collision in MAC H(M,S) construction: Obvious find collision on first part of the message, then expand H(S,M) construction: less obvious, but same problem Start from H(S,x) IV Find collision H*(IV,X1)=H*(IV,X2) Mi = x | pad(x) | Xi | pad (Xi) Hence H(S,M1)=H(S,M2)