1 / 58

Attacks on hash functions: Cat 5 storm or a drizzle?

Attacks on hash functions: Cat 5 storm or a drizzle?. Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005. Outline. Hash functions : Definitions Constructions Attacks What to do. Outline. Hash functions : Definitions Constructions Attacks What to do.

israel
Download Presentation

Attacks on hash functions: Cat 5 storm or a drizzle?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attacks on hash functions: Cat 5 storm or a drizzle? Ilya MironovMicrosoft Research, Silicon Valley Campus September 15, 2005

  2. Outline Hash functions: • Definitions • Constructions • Attacks • What to do

  3. Outline Hash functions: • Definitions • Constructions • Attacks • What to do

  4. Functions of Hash Functions • Entropy extractors • Randomization • Cryptography • Signatures • Authentication

  5. a g b g compute gab compute gab Entropy extraction Alice g G, ord g = p Bob random a random b shared key =gab H( )

  6. Enrtopy extraction IP, time, name, MAC address GUID H

  7. Randomization • Scenario: hash table 3 12 78 40 67 15

  8. Cryptography RSA signature: parameters: N = pq, ed = 1 mod φ(N) signC=Me mod N, verifyCd=M mod N Attack: signM1, M2, obtainC1, C2 (C1C2)d=M1M2 signC=H(M)emod N, verifyCd=H(M)mod N (C1C2)d=H(M1)H(M2)

  9. Authentication Alice Bob sharedK M HK(M)

  10. What is a hash function? H: {0,1}*→{0,1}n

  11. What is a hash function? Hk: {0,1}*→{0,1}n

  12. What is cryptographically strong hash function? • Collision resistant: Findx,y, so thatH(x)=H(y) • Second preimage-resistant: Given: x Find: y, so thatH(x)=H(y) • One-way: Given: z=H(x) Find: y, so thatH(y)=z

  13. Collision resistant x y

  14. Second preimage-resistant x y

  15. One-way x z y

  16. Attacks • Collision-resistance: - Compute M1, M2, so thatH(M1) = H(M2) - SignM1 - M2 is signed as well! • Second preimage-resistance: - Find signature onM1 - ComputeM2, so thatH(M1) = H(M2) - M2 is signed too!

  17. Birthday paradox 23

  18. Theoretical boundaries • Collisions • Always exist • Birthday paradox: 2n/2 • Second preimage2n • One-wayness 2n Dan Simon’98

  19. Outline Hash functions: • Definitions • Constructions • Attacks • What to do

  20. Constructions Two main ingredients • Fixed compression function • Domain extender

  21. Compression function 512 bits 160 bits

  22. Compression function 512 bits 160 bits

  23. Compression function «key» M «message» H  Davies-Meyerconstruction (~1979)

  24. Domain extender M0 M1 M2 M3 H0 H1 H2 H3 IV Merkle-Damgårdconstruction (1989)

  25. Proof? length M0 M1 M2 M3 H3 H4 H0 H1 H2 IV

  26. Overview of construction M H(M)

  27. Overview of construction length M0 M1 M2 M3 H3 H4 H0 H1 H2 IV

  28. Overview of construction M   

  29. Overview of construction    … 

  30. Outline Hash functions: • Definitions • Constructions • Attacks • What to do

  31. Authentication MAC: Hk(M) = H(k || M) k M1 M2 M3 H0 H1 H2 H3 IV Hk(M || M3) = C(Hk(M), M3)

  32. Cascading hash-functions F(M) = G1(M)|| G2(M) – cascade «If G1and G2 are independent, then finding a collision for F requires finding a collision for bothsimultaneously (i.e., on the same input), which one could hope would require the product ofthe efforts to attack them individually.» Handbook of Applied Cryptography

  33. Joux attack M0, N0 M1, N1 M2, N2 M3, N3 H0 H1 H2 H3 IV k 2n/2 effort to find2k collisions

  34. Joux attack • Withk·2n/2 effort, find2kcollisions forG1 • Ifk = n/2, we may find among themcollision M, N forG2 • G1(M) = G1(N) andG2(M) = G2(N)

  35. «Poisoned block» M0 M3 M1 M2, N2 H0 H1 H2 H3 IV

  36. Attacking Postscript if (R1 == R1) then print(“Dr. Jekyll”) else print(“Mr. Hyde”) if (R2 == R1) then print(“Dr. Jekyll”) else print(“Mr. Hyde”)

  37. Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier … RSA modulo … signature

  38. Lenstra et al.: colliding X.509 X.509 certificate: version, serial number, signature algorithm identifier … RSA modulo … signature N1 = <collision 1> 24519253 N2 = <collision 2>24519253

  39. Practice (second millennium)

  40. Practice (third millennium)

  41. Speed InCPU cycles/byte on PIII: MD5 3.7 SHA1 8.3 SHA-256 21 SHA-512 40 Whirlpool 36

  42. Attacks onMD4-MD5

  43. Attacks onMD4-MD5

  44. Attack onSHA-0,1

  45. Detailed structure of MD4 M a + b Round 1 Round 2 Round 3 + c + d +

  46. Detailed structure of MD4 a b c d + + + + <<<s2 <<<s0 <<<s1 <<<si F F F F t t t ti M0 M1 M2 Mi

  47. Introducing differentials M a + b Round 1 Round 2 Round 3 + c + d +

  48. Outline Hash functions: • Definitions • Constructions • Attacks • What to do

  49. What is safe? • Entropy extraction • Randomization • Cryptography • Signatures • Authentication

  50. secure secure Entropy extraction • ScenarioI: H(gab) • ScenarioII: IP, time, name, ...  GUID

More Related