280 likes | 484 Views
Information Integrity and Message Digests. CSIS 5857: Encoding and Encryption. Information Integrity Problems. Content Modification : Adversary inserts/modifies/deletes message content. Salary Database. E. D. Insert new record for Darth’s salary of $1,000,000. E.
E N D
Information Integrity and Message Digests CSIS 5857: Encoding and Encryption
Information Integrity Problems • Content Modification: Adversary inserts/modifies/deletes message content Salary Database E D Insert new record for Darth’s salary of $1,000,000 E
Information Integrity Problems • Masquerade:Adversary sends message claimed to be from someone else “Give Darth a $10,000 raise-- Alice” E Masquerading as Alice
Information Integrity Problems • Timing ModificationAdversary intercepts message and replays it later “Open the front gate.-- Alice” E
Information Integrity Problems • Simplest case: Detecting modification • Message M stored in public location • M not encrypted • How can we prove/detect whether adversary has replaced message M with fake message M´ ? Public storage M ´ M
Information Integrity Problems • One solution: store protected copy of M • Compare M to copy to detect changes • Implausible if Mvery large Public storage M M
Message Digest • Created from message M using hashing functiony = h(M) • Like “fingerprint” for messages • Different messages different fingerprints • Much more compact than messages: size of y < size of M • Plausible for secure storage
Message Digest • Same concept as error detection in network transmission • Error detection bits = function of message • Example: parity bit depends on even/odd of 1’s in message • If error detection bits do not match message, request message resend • Key difference: Unlike noise, adversary intelligent Message Error detection bits
Message Description Code • Used to detect modification • Apply hash to message in storage to get h(M´) • Compare with stored h(M) • If h(M) h(M) message has been modified • Message Description Code (MDC) h(M´) Public storage compare h M ´ h(M)
Simple Example Hash Functions • Break message M into blocks bi • Digest = XOR of all blocksh(b1, b2, b3 … bn) = b1b2b3 …bn • Possible improvement: Rotate each block one bit before XOR(diffusion)
Message Authentication Code • Hash applied to message by sender and recipient • If no match, message has been tampered with • Problem: Requires MDC sent securelyOtherwise, adversary could modify it as well! h(M) h(M)
Message Authentication Code • Using secret key to prevent adversary from creating message digest to match false message • Creates MAC as h(M, k) • Can also encrypt message, but not necessary
Solving Integrity Problems • Content ModificationIf adversary modifies message, will no longer match message digest • AuthenticationAdversary cannot send false message since cannot generate corresponding digest (without proper key) • Timing ModificationSender can add timestamp or nonce to message which adversary cannot modify without generating corresponding message digest
Good Properties of a Hash • Must be “one way” • Easy to compute h(M) • No easy way to determine what other messages M would give same digest (h(M) = h(M )) • Otherwise adversary could easily create different messages with same hash
Good Properties of a Hash • Must depend on every bit of message • Otherwise adversary could change any bit not used to compute hash • Must produce hash large enough to prevent brute force attacks • Testing all possible alternative messages to find ones with same hash value
Preimage Attack • Adversary finds message M´ with same MDCh(M´) =h(M) • Impossible to detect or prove changes! h(M´) Public storage Same! h M M ´ h(M)
Preimage Attack • Adversary can “tweak” new message M´ until h(M´) =h(M) • Example:Give Darth a salary increase of $1000Award Mr. Vader some raise … $2000Present Darth Vader … bonus $3000… … … $4000 … “I’ll find some combination of these so they can’t detect the difference!”
Preimage Attack • Simple XOR-based hash function vulnerable to preimage attack • Darth generates own message M′ • Darth adds some block bmto end so that h(M′) bm = h(M) • Problem: XOR is reversible • Can work backwards from desired message to create one with same hash as original message
Collision Attack • Adversary finds two messages M1and M2 with same MDCh(M1) =h(M2) • M1 is harmless message“We like kittens” • M2 has advantage for adversary“Give Darth a $5000 raise”
Collision Attack • Darth gets job in organization • Presents M1 to boss for approval • Boss stores h(M1) • Darth actually stores/sends M2 • Boss has no way to prove he didn’t approve M2 h(“We like kittens”) “We like kittens” “Give Darth a $5000 raise”
Mathematics of Message Digests • Pigeonhole Principle: • Given n pigeons and m birdhouses, with n > m • At least one birdhouse with more than one pigeons • MDC size |h(M)| < message size |M | • Fewer possible MDCs h(M) than possible messages M • 2h(M)possible digests < 2Mpossible messages • There must exist messages M1and M2 with same MDCh(M1) =h(M2) • That is, cannot avoid collisions between two different messages
Mathematics of Message Digests • Best case: Hash function is random oracle model • h(M) like “random” function over all possible MDCs • Each possible MDC equally likely for a given M • Minimizes likelihood that h(M1) =h(M2) for given M1,M2 • Assumption used in birthday problem analysis
Birthday Problems and Digests • What is minimum number of students in class so that at least one has same birthday as instructor? • What is minimum number of students in class so that at least two have same birthday? In general: • k students and N (that is, 365) possible birthdays • Minimum k such that probability 50%: • k 0.69 N 253 for birthdays • k 1.18 N1/2 23 for birthdays
Birthday Problems and Digests • Birthday problems define vulnerability of message digests to exhaustive search attacks • Assume best case random oracle model N = number of possible message digests k = number of false messages tested by adversary in attacks • How many false messages must adversary to have at least 50% of finding message with desired digest?
Birthday Problems and Digests First birthday problem = Preimage Attack • Probability h(M´) =h(M) for any M´given some M • Number of tests k 0.69 N(proportional to number of possible digests)
Birthday Problems and Digests Second birthday problem = Collision Attack • Probability h(M1) =h(M2)for any M1,M2 • Number of tests k 1.18 N1/2(proportional to square root of possible digests)
Birthday Problems and Digests • Number of possible message digests N must be large enough to make attacks impractical • Difficulty of preimage attack proportional to N • Difficulty of collision attack proportional to N1/2 • Message digest of n bits N = 2n • 2n/2must be large enough to prevent exhaustive search to find collision • Current standard: 512 bits