Agenda


Presentation Transcript


  1. CS G513 / SS G513 Network Security. Agenda: Integrity – Hash Codes (Keyed and Unkeyed)

  2. Integrity
     • M is created (say by A) and sent (to B) or stored (in C).
     • The message M’ received (by B) must be the same as M. (Message Integrity)
     • Alternatively, the data M’ retrieved from C must be the same as M. (Data Integrity)
     • Integrity is often achieved
        • by using an “essence” of the message (or the data), also referred to as a message signature.
     Sundar B.

  3. Integrity
     • How do we extract such an “essence”?
     • How do we ensure the message cannot be forged given its “essence”?
     • Ideally, we need a one-way function (from message to its essence).
     • Typical solution:
        • A hash function: a function h that is easy to compute and maps an input of arbitrary finite bitlength to an output of fixed bitlength.

  4. Hash Functions - Definitions
     • Two functional categories:
        • Modification Detection Codes (MDCs)
           • a.k.a. Manipulation Detection Codes or Message Integrity Codes
           • Purpose: provide a representative image or “hash” of a message satisfying additional properties for meeting integrity requirements
           • 2 sub-categories: 1-way hash functions, collision-resistant hash functions.
        • Message Authentication Codes (MACs)
           • Purpose: to facilitate (message) authentication, i.e. Sender Identification + Integrity

  5. Hash Functions - Definitions
     • Two operational categories:
        • Keyed hash functions
           • A cryptographic (typically secret) key is used for hashing.
           • Message Authentication Codes (MACs) are a subclass of keyed hash functions.
        • Un-keyed hash functions
           • The hash function does not depend on a key (or a secret).
           • MDCs are a subclass of un-keyed hash functions.

  6. Hash Functions - Properties
     • 3 potential properties for an unkeyed hash function h with inputs x, x’ and outputs y, y’:
        • Preimage resistance:
           • computationally infeasible to find a preimage x’ s.t. h(x’) = y, given any y for which a corresponding input is not known.
        • 2nd preimage resistance:
           • computationally infeasible to find x’ s.t. x != x’ and h(x) = h(x’) for any given x (a.k.a. weak collision resistance).
        • Collision resistance:
           • computationally infeasible to find two distinct inputs x, x’ s.t. h(x) = h(x’).

  7. Hash Functions - Definitions
     • A 1-way hash function is a hash function offering preimage resistance and 2nd preimage resistance.
        • a.k.a. weak 1-way hash functions
     • A collision-resistant hash function is a hash function offering 2nd preimage resistance and collision resistance.
        • a.k.a. strong 1-way hash functions
     • Most of the definitions above are easily adapted for keyed hashing:
        • A keyed hash function is a family of hash functions h_k, parameterized by a secret key k.

  8. Attack Objectives: on MDCs
     • To attack a 1-way hash function:
        • Given a hash value y, find a preimage x s.t. h(x) = y
        • Given a pair (x, h(x)), find another preimage x’ s.t. h(x) = h(x’)
     • To attack a collision-resistant hash function:
        • Find any two inputs x, x’ s.t. h(x) = h(x’)

  9. Attack Objectives: on MACs
     • To attack a MAC (without prior knowledge of the key):
        • Compute a new text-MAC pair (x, h_k(x)) for some text x != x_i, given one or more pairs (x_i, h_k(x_i)).
     • Computation resistance sub-categories:
        • Known-text attack: one or more text-MAC pairs are available.
        • Chosen-text attack: one or more text-MAC pairs are available for texts chosen by the adversary.
        • Adaptive chosen-text attack: texts chosen by the adversary as above, now allowing successive choices to be based on the results of prior queries.

  10. MAC forgery – degrees
     • Selective forgery
        • Attacks where an adversary is able to produce a new text-MAC pair for a text of his choice.
     • Existential forgery
        • Attacks where an adversary is able to produce a new text-MAC pair, but with no control over the value of the text.

  11. One-way functions
     • No known instances of 1-way functions
        • A proof of existence would establish P != NP.
     • There are known hash functions provably as secure as NP-complete problems.
        • E.g. g(x) = x*x (mod n), where n = pq for appropriate primes p and q kept secret.
        • Computing a preimage for g, i.e. computing a square root mod n, is computationally equivalent to factoring.

  12. Hash functions - construction (Fig. from Menezes)

  13. Hash functions - construction (Fig. from Menezes)
     H_0 = IV; H_i = f(H_{i-1}, x_{i-1})
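The keyed/unkeyed split from slides 4, 5 and 9, shown from the receiver's side (an added example, not part of the original slides): an MDC that travels with the message can be recomputed by whoever rewrites the message, while a MAC cannot be recomputed without the key. SHA-256 and HMAC-SHA-256 are assumed stand-ins for h and h_k; the key and messages are constructed sample values.

```python
import hashlib
import hmac


def mdc_tag(message: bytes) -> bytes:
    """Unkeyed hash h(M): anyone holding M can compute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash h_k(M): HMAC-SHA-256 under a secret shared by A and B."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mdc(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mdc_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many tag bytes matched
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo() -> dict:
    key = b"constructed-key-shared-by-A-and-B"  # constructed sample key
    m = b"pay 100 to C"                          # M, created by A
    m_prime = b"pay 900 to E"                    # M', altered in transit

    sent_mdc = mdc_tag(m)
    sent_mac = mac_tag(key, m)

    return {
        # Untampered traffic verifies under both schemes.
        "mdc_original": verify_mdc(m, sent_mdc),
        "mac_original": verify_mac(key, m, sent_mac),
        # MDC sent on the same channel: the party that altered M simply
        # replaces the tag with h(M'), and B accepts M'.
        "mdc_same_channel_tampered": verify_mdc(m_prime, mdc_tag(m_prime)),
        # MDC obtained over a separate authentic channel: M' is rejected.
        "mdc_authentic_tag_tampered": verify_mdc(m_prime, sent_mdc),
        # MAC: without k the old tag is all there is, and it does not fit M'.
        "mac_tampered": verify_mac(key, m_prime, sent_mac),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} accepted={accepted}")
```

An MDC therefore protects integrity only when the hash value itself is stored or delivered where the message's modifier cannot reach it.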
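The reduction behind slide 11, worked through in code (an added example, not part of the original slides): two essentially different square roots of the same value mod n reveal a factor of n, so a square-root oracle would factor n. The primes 1019 and 1031 are constructed toy values chosen with p, q ≡ 3 (mod 4) so that roots mod a prime are a single exponentiation; the example also goes one step beyond the slide by showing that g has the trivial collision g(x) = g(n − x).

```python
from math import gcd


def g(x: int, n: int) -> int:
    """The slide's function g(x) = x*x (mod n)."""
    return (x * x) % n


def sqrt_mod_prime(a: int, p: int) -> int:
    """One square root of a mod p, for a prime p ≡ 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p ≡ 3 (mod 4)")
    r = pow(a, (p + 1) // 4, p)
    if (r * r) % p != a % p:
        raise ValueError("a is not a square mod p")
    return r


def square_roots(y: int, p: int, q: int) -> list:
    """All roots of y mod n = p*q, computed WITH the secret factors (CRT)."""
    n = p * q
    rp, rq = sqrt_mod_prime(y % p, p), sqrt_mod_prime(y % q, q)
    cp = q * pow(q, -1, p)  # ≡ 1 mod p, ≡ 0 mod q
    cq = p * pow(p, -1, q)  # ≡ 0 mod p, ≡ 1 mod q
    return sorted({(sp * cp + sq * cq) % n
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})


def factor_from_roots(x1: int, x2: int, n: int):
    """If x1^2 ≡ x2^2 (mod n) and x1 is not ±x2, gcd(x1 - x2, n) is a factor."""
    d = gcd(x1 - x2, n)
    return d if 1 < d < n else None


def demo():
    p, q = 1019, 1031            # constructed toy primes, kept "secret"
    n = p * q
    x = 123456                   # constructed input
    y = g(x, n)
    other = next(r for r in square_roots(y, p, q) if r not in (x, n - x))
    return n, factor_from_roots(x, other, n), factor_from_roots(x, n - x, n)


if __name__ == "__main__":
    n, factor, trivial = demo()
    print(f"n={n}: second root pair yields factor {factor}; ±x pair yields {trivial}")
```

The pair x, n − x collides without revealing anything about p and q, which is why preimage resistance of g does not give collision resistance.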
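The iteration on slide 13, H_0 = IV; H_i = f(H_{i-1}, x_{i-1}), as running code (an added example, not part of the original slides or the figure's source). The block size, the all-zero IV, the padding with an appended length field, and the compression function f (truncated SHA-256 over the two inputs) are all assumptions made for illustration.

```python
import hashlib

BLOCK = 16          # bytes per message block x_i (assumed)
STATE = 16          # bytes per chaining value H_i (assumed)
IV = bytes(STATE)   # constructed all-zero initial value


def f(h_prev: bytes, x: bytes) -> bytes:
    """Stand-in compression function: (STATE + BLOCK) bytes -> STATE bytes."""
    if len(h_prev) != STATE or len(x) != BLOCK:
        raise ValueError("f only accepts fixed-size inputs")
    return hashlib.sha256(h_prev + x).digest()[:STATE]


def pad(message: bytes) -> bytes:
    """Append 0x80, zero bytes, then the 8-byte bit length of the message."""
    zeros = (-(len(message) + 1 + 8)) % BLOCK
    return message + b"\x80" + bytes(zeros) + (8 * len(message)).to_bytes(8, "big")


def chain(message: bytes) -> list:
    """Return every chaining value [H_0, H_1, ..., H_t]."""
    padded = pad(message)
    x = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    H = [IV]                                   # H_0 = IV
    for i in range(1, len(x) + 1):
        H.append(f(H[i - 1], x[i - 1]))        # H_i = f(H_{i-1}, x_{i-1})
    return H


def iterated_hash(message: bytes) -> bytes:
    """Arbitrary-length input -> fixed-length output: the last H_i."""
    return chain(message)[-1]


if __name__ == "__main__":
    for m in (b"", b"abc", b"A" * 16 + b"B", b"A" * 16 + b"C"):
        values = chain(m)
        print(len(m), "bytes ->", len(values) - 1, "blocks ->", values[-1].hex())
```

Messages that share their first block share H_1 and diverge only from the block where they differ; the appended length field keeps a message and its zero-extended variant from padding to the same block sequence.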
