Contents • Hash Functions • Dedicated Hash Functions • Useful for lightweight authentication in RFID systems • Message Authentication Codes • CBC-MAC • Nested MAC • Collision Search Attacks
Hash function • h: {0,1}^d → {0,1}^r with d > r: compresses a binary string of arbitrary length into a fixed-length short message • Used for digital signatures, integrity, authentication, etc. • Other names for h(x): hash, hash code/value/result, message digest, checksum, MIC, authentication tag, seal, compression, digital fingerprint, imprint
Configuration (general model of an iterated hash function) • Original input x → preprocessing: append padding bits, append length block → formatted input x = x1, x2, …, xt • Iterative processing with compression function f: H0 = IV, Hi = f(Hi-1, xi) for i = 1..t • Output transformation g (e.g., the identity mapping): output h(x) = g(Ht)
Requirements • Compression • One-wayness • Preimage resistance: given y, it is computationally infeasible to compute x with y = h(x) • Second preimage resistance: given x and h(x), it is computationally infeasible to compute x' ≠ x with h(x) = h(x') • Collision-free (prevents internal misuse): it is computationally infeasible to find a pair (x, x'), x ≠ x', satisfying h(x) = h(x') • Efficiency • Easy to compute h(x) for a given x
Relationship • Collision resistance (collisions cannot be found efficiently) implies 2nd-preimage resistance • Collision resistance does not guarantee preimage resistance • Let g be a collision-resistant hash function with n-bit output • h(x) = 1 || x, if x has bitlength n • h(x) = 0 || g(x), otherwise • h is collision resistant with an (n+1)-bit hash • but h is not preimage resistant: for any output of the form 1 || y, the preimage y can be read off directly
Classification (I) • Keyed hash: MAC (Message Authentication Code) • Unkeyed hash: MDC (Manipulation Detection Code) • OWHF (One-Way Hash Function) • CFHF (Collision-Free Hash Function)
Classification (II) • MDC • Dedicated hash functions (MD class, SHS, HAVAL) • Block cipher-based (MDC-2, MDC-4) • Modular arithmetic: MASH-1, MASH-2 • MAC • Block cipher-based (DES-CBC MAC) • Hash function-based (HMAC)
Random Oracle Model (ROM) • Model for an ideal hash function • H() behaves like a random function • If H() is a fixed function, the assumption is invalid • Whenever H() is used, we query an oracle for the random function (a black box containing a random function) • Good for screening out insecure solutions • Security under the ROM implies resistance to many (not all!) attacks • Not a complete proof of security, but a good argument / evidence of security (vs. the standard model)
MAC forgery • Universal forgery: the adversary can find an algorithm equivalent to the MAC function (i.e., recover the key or its equivalent) • Selective forgery: the adversary can create a valid text-MAC pair for a text of his choice • Existential forgery: even if the adversary cannot choose the text, he can create a new valid text-MAC pair
Birthday Paradox • Probability that 2 persons among r persons share a birthday: p_r • (Assumption) each birthday is independent and uniform in the range 1 to m • p_r = 1 − (m)_r / m^r = 1 − m! / (m^r (m−r)!) ≈ 1 − e^(−r²/(2m)), where (m)_r = m(m−1)…(m−r+1) • If r ≈ √m, p_r ≈ 0.5; e.g., m = 365, r = 23, p_r > 0.5 • An n-bit hash function will collide with probability 0.5 after about √(2^n) = 2^(n/2) operations
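Added example (not from the slides): the exact and approximate p_r from this slide, plus an empirical check of the 2^(n/2) bound on a constructed toy n-bit hash (the first n bits of SHA-256, used here only for illustration), which is why a digest length must be at least twice the intended security level.

```python
import hashlib
import math


def birthday_prob(m: int, r: int) -> float:
    """Exact p_r = 1 - (m)_r / m^r: chance that some two of r uniform samples from m values coincide."""
    no_collision = 1.0
    for i in range(r):
        no_collision *= (m - i) / m
    return 1.0 - no_collision


def birthday_approx(m: int, r: int) -> float:
    """The slide's approximation p_r ~ 1 - e^(-r^2 / 2m)."""
    return 1.0 - math.exp(-(r * r) / (2.0 * m))


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Constructed toy n-bit hash: the leading n bits of SHA-256 (not a real design)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int):
    """Hash the deterministic messages msg-0, msg-1, ... until two share an n-bit value.

    Returns (tries, msg_a, msg_b). By the birthday bound the expected number of
    tries is on the order of 2^(n/2), not 2^n, and the pigeonhole principle
    guarantees success after at most 2^n + 1 tries.
    """
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    print(f"m=365, r=23: exact {birthday_prob(365, 23):.4f}, approx {birthday_approx(365, 23):.4f}")
    for n in (16, 20, 24):
        tries, a, b = find_collision(n)
        print(f"{n}-bit hash: collision after {tries} tries ({a!r}, {b!r}); 2^(n/2) = {2 ** (n / 2):.0f}")
```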
Design Criteria • Every input bit must affect the hashed value. (Ex) Cryptanalysis of Snefru • No trapdoor • The length of the hashed value must be greater than 128 bits, to guarantee a breaking complexity of 2^64 against brute-force attack • 1 month with a $10M machine in '94 • Expected cost today: less than $100,000 • Maximum error propagation from input to output
Merkle-Damgård Construction [figure: padded blocks x1, x2, …, xt fed one at a time into compression function f, starting from H0, producing the hashed code] • Extend a compression function f to a hash function h so that the resulting h is collision resistant if f is • H0 = IV, Hi = f(Hi-1, xi), 1 ≤ i ≤ t, h(x) = Ht • f: h's primitive (a compression function) • Hi: chaining variable from step i-1 to step i
Hash function (MDC) built from a block cipher E [figure: the three constructions below, each with inputs xi and Hi-1 and output Hi] • Matyas-Meyer-Oseas: H0 = IV, Hi = E_g(Hi-1)(xi) ⊕ xi • Davies-Meyer: H0 = IV, Hi = E_xi(Hi-1) ⊕ Hi-1 • Miyaguchi-Preneel: H0 = IV, Hi = E_g(Hi-1)(xi) ⊕ xi ⊕ Hi-1 • g maps the chaining value Hi-1 to a key for E
Comparison • Each yields an m-bit hash using an n-bit block cipher with a k-bit key • All of them are secure assuming the block cipher satisfies the required randomness properties
Hash by modular operation • MASH: Modular Arithmetic Secure Hash algorithm • Weakness: efficiency (and insecurity) • Quadratic congruential • Hi = (xi + Hi-1)² mod N, H0 = 0 • where N = Mersenne prime 2^31 − 1 • Hi = (xi ⊕ Hi-1)² mod N ⊕ xi • Hi = (xi ⊕ Hi-1)^e mod N
Round 1 in MD4 1. A = (A + f(B,C,D) + X[0]) <<< 3 2. D = (D + f(A,B,C) + X[1]) <<< 7 3. C = (C + f(D,A,B) + X[2]) <<< 11 4. B = (B + f(C,D,A) + X[3]) <<< 19 5. A = (A + f(B,C,D) + X[4]) <<< 3 … 16. B = (B + f(C,D,A) + X[15]) <<< 19 where f(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z); ∨: OR, ∧: AND, ¬: complement, <<< s: circular left rotate by s bits
MD4(I) • Preprocessing a message x 1. Padding: d = (447 − |x|) mod 512 2. Length of the message: n = |x| mod 2^64, |n| = 64 bits 3. M = x || 1 || 0^d || n, a multiple of 512 bits, where || denotes concatenation * little-endian: W = 2^24·B4 + 2^16·B3 + 2^8·B2 + B1 (B1: lowest address)
MD4(II) [figure: the message block and chaining values A, B, C, D pass through Round 1, Round 2 and Round 3, producing the updated A, B, C, D]
MD4(III) 1. Preprocess: M is 512·N bits (512 bits = 16 words) 2. Define 32-bit constants: A = 67452301h, B = efcdab89h, C = 98badcfeh, D = 10325476h 3. for i = 0 to N/16 − 1 do (N mod 16 = 0) 3-1 for j = 0 to 15 do X[j] = M[16i + j] (M[i]: 32-bit word) 3-2 AA = A, BB = B, CC = C, DD = D 3-3 Round 1 (j = 0..15), Round 2 (j = 16..31), Round 3 (j = 32..47) 3-4 A = A + AA, B = B + BB, C = C + CC, D = D + DD, where + is addition mod 2^32 4. output A || B || C || D
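Added example, not the slides' own code: a complete MD4 that follows the Merkle-Damgård and MD4 slides above (padding with the little-endian length, little-endian words, the A/D/C/B register rotation of Round 1, final feed-forward). The Round 2 and Round 3 boolean functions, additive constants and word orders are not on the slides and are taken from RFC 1320; the result matches the RFC's test vectors.

```python
import struct

# Initial chaining values A, B, C, D from the slide
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    """Circular left rotate of a 32-bit word by s bits (<<< s on the slide)."""
    return ((x << s) | (x >> (32 - s))) & _MASK


def _f(x, y, z): return (x & y) | (~x & z & _MASK)      # Round 1: (X AND Y) OR (NOT X AND Z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)     # Round 2: majority (RFC 1320)
def _h(x, y, z): return x ^ y ^ z                       # Round 3: XOR (RFC 1320)


# (boolean function, additive constant, message-word order, shift amounts per step) from RFC 1320
_ROUNDS = (
    (_f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4_pad(msg: bytes) -> bytes:
    """M = x || 1 || 0^d || n: a single 1 bit, zeros, then the 64-bit little-endian bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def _compress(state, block: bytes):
    """One Merkle-Damgard step: Hi = f(Hi-1, xi), with the slide's feed-forward A = A + AA etc."""
    X = list(struct.unpack("<16I", block))          # 16 little-endian 32-bit words
    s = list(state)
    for fn, k, order, shifts in _ROUNDS:
        for i in range(16):
            idx = (-i) % 4                          # register updated this step: A, D, C, B, A, ...
            a, b, c, d = (s[(idx + j) % 4] for j in range(4))
            s[idx] = _rotl((a + fn(b, c, d) + X[order[i]] + k) & _MASK, shifts[i % 4])
    return tuple((x + y) & _MASK for x, y in zip(state, s))


def md4(msg: bytes) -> str:
    """Hex digest A || B || C || D (little-endian words)."""
    data = md4_pad(msg)
    state = _IV
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()
```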
MD5(I) • Adds a 4th round (16 steps) • Changes the g function of round 2 from the symmetric function (X∧Y) ∨ (X∧Z) ∨ (Y∧Z) to the non-symmetric function (X∧Z) ∨ (Y∧¬Z) • Modifies the access order of the message words in Rounds 2 and 3 • Modifies the shift amounts • Uses a unique constant in each of the 4×16 steps • Each step is added to the output of the previous step to achieve the avalanche effect as early as possible
MD5(II) [figure: the message block and chaining values A, B, C, D pass through Round 1, Round 2, Round 3 and Round 4, producing the updated A, B, C, D]
MD5's primitive function FF(a, b, c, d, Mj, ti, s) [figure: a nonlinear operation on b, c, d is added to a, the message word Mj and the step constant ti, rotated left by s, then added to b]
SHA-1(I) [figure: one step transforming (ai-1, bi-1, ci-1, di-1, ei-1) into (ai, bi, ci, di, ei) using a nonlinear operation, rotations <<< 5 and <<< 30, the expanded message word Wt and the round constant Kt]
SHA-1(II) • 160-bit hashed value (5 words), big-endian • 4 rounds, each of 20 steps • Changes the internal primitive function and constants per round: Ft(B,C,D) = (B∧C) ∨ (¬B∧D) for 0 ≤ t ≤ 19; B ⊕ C ⊕ D for 20 ≤ t ≤ 39; (B∧C) ∨ (B∧D) ∨ (C∧D) for 40 ≤ t ≤ 59; B ⊕ C ⊕ D for 60 ≤ t ≤ 79 • Secure Hash Standard (SHS), FIPS Pub 180-1, 1995 • For details, refer to p.138 of your textbook
Performance on a 486SX (33 MHz)
Algorithm              Length     Speed (Kb/s)
Davies-Meyer with DES  64         9
HAVAL (3 pass)         variable   168
HAVAL (4 pass)         variable   118
HAVAL (5 pass)         variable   95
MD2                    128        23
MD4                    128        236
MD5                    128        174
N-Hash (12 round)      128        29
N-Hash (15 round)      128        24
RIPEMD                 128        182
SHA-1                  160        75
HMAC • Nested MAC algorithm built from the composition of two (keyed) hash families • The Keyed-Hash Message Authentication Code (HMAC), FIPS Pub 198, 2002 • HMAC_K(x) = SHA-1[(K ⊕ opad) || SHA-1((K ⊕ ipad) || x)] where ipad = 3636…36, opad = 5C5C…5C, K: 512-bit key, x: message to be authenticated • Secure against unknown-key collision attack
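Added example (not from the slides): HMAC-SHA1 built directly from the formula above with only Python's hashlib, including the FIPS 198 rule for keys shorter or longer than the 512-bit block, checked against the standard library's hmac module. A constant-time tag comparison is included because a verifier that compares tags byte by byte leaks timing information.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 block size in bytes: the 512-bit key width K on the slide


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(x) = SHA-1[(K xor opad) || SHA-1((K xor ipad) || x)]."""
    if len(key) > BLOCK_SIZE:                 # FIPS 198: a key longer than a block is hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # a shorter key is zero-padded to 512 bits
    k_ipad = bytes(b ^ 0x36 for b in key)     # K xor ipad, ipad = 36 36 ... 36
    k_opad = bytes(b ^ 0x5C for b in key)     # K xor opad, opad = 5C 5C ... 5C
    inner = hashlib.sha1(k_ipad + msg).digest()
    return hashlib.sha1(k_opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so a wrong tag does not reveal how many bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample: RFC 2202 test case 1 for HMAC-SHA1 (key = twenty 0x0b bytes)
    print(hmac_sha1(b"\x0b" * 20, b"Hi There").hex())
```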
Dedicated Hash Functions • SHS: Secure Hash Standard • RIPE: RACE Integrity Primitives Evaluation
Previous Work on SHA-0/1 • Chabaud and Joux [Cr98] • SHA-0, 2^61, local collision and disturbance vector • Biham and Chen [Cr04] • Near-collision attack on SHA-0, 2^40 • Biham, Joux and Chen [Cr04 rump, EC05] • First real collision on SHA-0 (4 message blocks) found • Collision attack on SHA-1 reduced to 50+ steps • Rijmen and Oswald [RSA-CT05] • Collision attack on SHA-1 reduced to 53 steps
Publications • X. Wang, Y.L. Yin and H. Yu, "Finding Collisions in the Full SHA-1", Proc. of Crypto 2005, pp. 17-36, LNCS 3621 • X. Wang, H. Yu and Y.L. Yin, "Efficient Collision Search Attacks on SHA-0", Proc. of Crypto 2005, pp. 1-16, LNCS 3621 • X.Y. Wang, D.G. Feng, X.J. Lai and H.B. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", IACR ePrint 2004/199 and Crypto 2005 Rump Session
Flow of Collision Search • Find a disturbance vector with low Hamming weight (differences taken as subtraction mod 2^32) • Construct differential paths by specifying conditions so that the differential path occurs with high probability • Generate a message randomly, modify it using message modification techniques, and find a collision
Summary • Complexity of the best known attack: MD4: 2^6, MD5: 2^33, SHA-0: 2^39, SHA-1: 2^69 • More complex message preprocessing can provide more security • But in SHA-1, the message expansion does not seem to have enough avalanche effect • All step functions have unexpected weaknesses • Addition and the Boolean functions can facilitate the attack • More analysis is needed for SHA-256, -384, -512, which were defined in the Secure Hash Standard (SHS), FIPS 180-2, Aug 2002
Example and HW • Message collision for 58-step SHA-1 • Verification: DIY!!