
Hashing

Hashing. Sandy Kutin CSPP 532 7/10/01. Cryptographic Protocols. What is a cryptographic protocol? Example: Alice sends Bob a message M. 1. Alice generates a secret key K 2. Alice computes C1 = EpB(K) 3. Alice computes C2 = EsK(M) 4. Alice sends Bob C1, C2


Presentation Transcript


  1. Hashing Sandy Kutin CSPP 532 7/10/01

  2. Cryptographic Protocols • What is a cryptographic protocol? • Example: Alice sends Bob a message M • 1. Alice generates a secret key K • 2. Alice computes C1 = EpB(K) • 3. Alice computes C2 = EsK(M) • 4. Alice sends Bob C1, C2 • 5. Bob computes K = Dpb(C1) • 6. Bob computes M = DsK(C2) • Ep, Dp public-key; Es, Ds symmetric. Why?

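  3. A sample protocol • 1. Alice generates K • 2. Alice: C1 = EpB(K) • 3. Alice: C2 = EsK(M) • 4. Alice sends Bob C1, C2 • 5. Bob: K = Dpb(C1) • 6. Bob: M = DsK(C2) • [Diagram: Alice feeds K and B into Ep to get C1, and M and K into Es to get C2; Bob feeds C1 and b into Dp to get K, and C2 and K into Ds to get M]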

  4. Cryptographic Primitives • How do we pick K? (pseudo-random number generator) • What are Ep, Dp? (e.g., RSA) • What are Es, Ds? (e.g., DES or AES, ECB or CBC mode) • [Diagram: the sample protocol, as on slide 3]

  5. Implementation • Where does Alice store K? • How does Alice acquire Bob’s B? • How is the message sent? • Where does Bob store K, b, M? • [Diagram: the sample protocol, as on slide 3]

  6. Overall Plan • Before the break: math • After the break: • Primitives • Protocols • Implementation issues • Specific products

  7. Old School: Authentic • Alice and Bob share a secret key K • Confidentiality: Eve can’t recover M • Authentication: only Alice, Bob know K, so Bob knows Alice sent M • Someone could tamper with order; solve this with time stamps and sequencing info • [Diagram: Alice computes C = EsK(M); Bob computes M = DsK(C)]

  8. New Wave: Not Authentic • Confidentiality: Eve can’t recover M • No authentication: how does Bob know who sent the message? • Same problems of tampering with order • [Diagram: the sample protocol, as on slide 3]

  9. Solution #1: E(D(M)) • Alice “signs” message with her private key • Bob “decrypts” S with Alice’s public key • Only Alice could have signed M • Communication is authenticated • Too slow • [Diagram: Alice computes C1 = EpB(K), S = Dpa(M), C2 = EsK(S); Bob computes S = DsK(C2), M = EpA(S)]

  10. Solution #2: D(E(M)) • Alice signs encrypted message • Bob recovers M • Only Alice could have sent the message • Communication is authenticated • Too slow • Better? Worse? • [Diagram: Alice computes C1 = EpB(K), C2 = EsK(M), S = Dpa(C2); Bob computes C2 = EpA(S), M = DsK(C2)]

  11. Repudiation • Authentication: can Bob prove to himself that Alice sent the message? • Non-repudiation: can Bob prove, in court, that Alice sent the message? • In military applications, not really relevant • In e-commerce: essential • “Digital signature”

  12. DES, I rebuke thee • Alice and Bob share a secret key K • Classical Crypto: Bob wants to prove M came from Alice • Bob would have to reveal K • Even that isn’t good enough; Bob could’ve encrypted M himself • No defense against repudiation • [Diagram: Alice computes C = EsK(M); Bob computes M = DsK(C)]

  13. Repudiation: E(D(M)) • Bob can produce M and S in court • Anyone can verify that M = EpA(S) • Only Alice could have created S • Hence, Alice must have sent M • Success! • [Diagram: Alice computes C1 = EpB(K), S = Dpa(M), C2 = EsK(S); Bob computes S = DsK(C2), M = EpA(S)]

  14. Repudiation: D(E(M)) • Bob can produce M, C2, and S in court • Judge can verify that Alice signed C2 • To prove connection between C2 and M, Bob must reveal K • Even that might not be good enough • Lesson: design matters • [Diagram: Alice computes C1 = EpB(K), C2 = EsK(M), S = Dpa(C2); Bob computes C2 = EpA(S), M = DsK(C2)]

  15. A general protocol • E(D(M)) defends against repudiation • It’s too slow to be useful • Another problem: Bob always needs to convert S to M. Maybe he doesn’t always want to authenticate. • Solution: Alice appends “signature” to M, encrypts, sends to Bob. • Should be something Alice can do, others can verify. E.g.: Dpa(M)

  16. Digital Signature Schemes • s(M) is a digital signature if only Alice can compute it, anyone else can verify it • Used for communication • Also, data integrity: compute signature every night, see if it matches • Dpa(M) would work, but it’s too slow, and too big • Solution: Dpa(H(M)), where H is a hash function

  17. Hash functions • What makes H a hash function? • Takes any size input • Produces fixed-size output • H(M) is easy to compute • Given h, it is hard to solve H(M) = h for M • Given N, it is hard to solve H(M) = H(N) for M (weak collision resistance) • It is hard to find M, N such that H(M) = H(N) (strong collision resistance)

  18. Hashing: Non-repudiation • Say Bob takes Alice to court; he produces M and S = Dpa(H(M)) • Judge checks that EpA(S) = H(M), confirms that Alice sent (someone) a message hashing to H(M) • Alice says: “Bob must have found a message M to match something I signed” • Weak collision resistance: She’s lying

  19. Strong Collision Resistance • Why require solving H(M) = H(N) to be hard? • Say Alice can find M, N so H(M) = H(N) • She sends Bob M, signs it • When Bob takes Alice to court, she claims “No, I didn’t sign M, I signed N” • Repudiation would be possible • Solution: strong collision resistance

  20. Hashing: Secretary Attack • Related problem: Secretary constructs messages M, N where H(M) = H(N) • M is the annual report, N says “Give my secretary a raise” • Alice computes S = Dpa(H(M)), tells secretary to send out M and S • Secretary substitutes N instead • Need strong collision resistance

  21. How many bits of security? • Let H be a secure hash with n-bit output • Solving “H(M) = h” for M should take 2^n tries • Given N, “H(M) = H(N)” should be the same: just try 2^n possible values of M • What about finding M, N with H(M) = H(N)? • If we just pick pairs at random, it’s 2^n • But, we can get it down to 2^(n/2) • e.g., for a 128-bit hash; only 2^64

  22. Happy Birthday • How do we do this? “Birthday Attack” • Make a list of 2^(n/2) possible M’s (e.g., vary spacing), sort by value of H • Try roughly 2^(n/2) possible N’s, look for H(N) • Given M_i, N_j, chance H(M_i) = H(N_j) is 1/2^n • 2^(n/2) M_i’s, 2^(n/2) N_j’s, so 2^(n/2) × 2^(n/2) = 2^n pairs • So, odds are good there’s one pair • If there is a pair, finding it is fast

  23. They say it’s your birthday • Why is this called the “birthday attack”? • Among 23 people, chances of two with the same birthday are > 50% • Why? (23 × 22)/2 = 253 pairs of people • Each has probability roughly 1/365 • There’s a good chance some pair matches • Other factors only increase the odds • “Birthday Paradox”
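The cost estimate on slides 21 to 23 can be checked on a deliberately shortened hash. This is an added example, not part of the original slides: it assumes SHA-256 truncated to n bits as the stand-in for H, uses a counter suffix in place of "vary spacing", and the two base messages are constructed sample strings.

```python
import hashlib

def truncated_hash(message: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256, an assumed stand-in for a secure n-bit hash H."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)

def variants(base: bytes):
    """Endless stream of variants of one message (a counter suffix stands in
    for the slide's 'vary spacing')."""
    i = 0
    while True:
        yield base + b" #" + str(i).encode()
        i += 1

def birthday_search(base_m: bytes, base_n: bytes, n_bits: int):
    """Slide 22's procedure: index 2^(n/2) variants of M by hash value,
    then try variants of N until one lands in the index."""
    table_size = 1 << (n_bits // 2)
    table = {}
    gen_m = variants(base_m)
    for _ in range(table_size):
        m = next(gen_m)
        table[truncated_hash(m, n_bits)] = m
    for tries, n in enumerate(variants(base_n), start=1):
        match = table.get(truncated_hash(n, n_bits))
        if match is not None:
            # Total hash evaluations: the table plus the N variants tried.
            return match, n, table_size + tries

def measure(bit_sizes=(16, 24, 32)):
    """Hash evaluations needed per output size, next to 2^(n/2) and 2^n."""
    rows = []
    for n_bits in bit_sizes:
        m, n, evals = birthday_search(b"draft A", b"draft B", n_bits)
        assert m != n
        assert truncated_hash(m, n_bits) == truncated_hash(n, n_bits)
        rows.append((n_bits, evals, 1 << (n_bits // 2), 1 << n_bits))
    return rows

if __name__ == "__main__":
    for n_bits, evals, half, full in measure():
        print(f"n={n_bits:2d}  evaluations={evals:7d}  "
              f"2^(n/2)={half:6d}  2^n={full}")
```

The evaluation count tracks 2^(n/2), not 2^n, which is why a hash used for signatures needs an output twice as long as the security level wanted.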

  24. Hash, Paper, Scissors • An example of the power of a secure hash • Alice, Bob want to play rock, paper, scissors • Alice constructs M indicating her choice • e.g., “23419382 Good Old Rock” • Alice sends Bob H(M) • Bob makes his choice, sends it to Alice • Alice reveals M. She has to tell the truth. • “Bit commitment scheme” • Applications to auctions, voting
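The commitment exchange on slide 24, as an added example that is not part of the original slides. It assumes SHA-256 for H and a "nonce choice" string for M, modelled on the slide's “23419382 Good Old Rock”; the function names are hypothetical. It also shows why the random prefix is needed: with only three possible choices, an unblinded H(choice) can be recognised by hashing each candidate.

```python
import hashlib
import hmac
import secrets

CHOICES = ("rock", "paper", "scissors")

def commit(choice: str, nonce: str = None):
    """Alice: build M = '<nonce> <choice>' and return (H(M), M).
    She sends H(M) now and keeps M until Bob has moved."""
    if choice not in CHOICES:
        raise ValueError("unknown choice")
    if nonce is None:
        nonce = secrets.token_hex(16)   # 128 random bits hide the choice
    opening = f"{nonce} {choice}"
    return hashlib.sha256(opening.encode()).hexdigest(), opening

def verify(commitment: str, opening: str):
    """Bob: accept the revealed M only if it hashes to the commitment.
    Returns Alice's choice, or None if the reveal does not match."""
    nonce, _, choice = opening.rpartition(" ")
    if not nonce or choice not in CHOICES:
        return None
    digest = hashlib.sha256(opening.encode()).hexdigest()
    return choice if hmac.compare_digest(digest, commitment) else None

def guess_unblinded(commitment: str):
    """What Bob could do if Alice hashed the bare choice with no nonce:
    hash each of the three candidates and compare."""
    for choice in CHOICES:
        if hashlib.sha256(choice.encode()).hexdigest() == commitment:
            return choice
    return None

if __name__ == "__main__":
    c, m = commit("rock")
    print("commitment sent first:", c)
    print("Bob learns nothing by enumeration:", guess_unblinded(c))
    print("honest reveal verifies as:", verify(c, m))
    print("changed reveal verifies as:", verify(c, m.replace("rock", "paper")))
```

Hiding rests on the nonce; binding rests on collision resistance, since Alice could only change her answer by finding a second M with the same hash.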

  25. How do we hash? • Most hashes are built using a one-way compression function: m+n bits to n bits • Divide message into k blocks of m bits • h_i = ƒ(M_i, h_{i-1}) (h_0 is a fixed initial value) • Output is H(M) = h_k • [Diagram: blocks M_1, M_2, M_3, ..., M_k each enter ƒ in turn; the chain runs IV, h_1, h_2, ..., h_{k-1}, h_k = H(M)]

  26. Hashing out the details • Pad message length to be a multiple of m • Include message length within M • Need to pick a one-way function ƒ • (Not like public-key; no trapdoor needed) • [Diagram: the chained compression function, as on slide 25]

  27. A MoDESt Proposal • One idea: use encryption (e.g., DES) • h_0 = IV • h_i = ƒ(M_i, h_{i-1}) = E_{M_i}(h_{i-1}) • Problem 1: slow • Problem 2: export restrictions • [Diagram: the chained compression function, as on slide 25]
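The iterated construction from slides 25 and 26, as an added example that is not part of the original slides. Assumptions: the block size m is 16 bytes, the chaining value n is 8 bytes, the IV is all zeros, and truncated SHA-256 stands in for the one-way compression function ƒ (the slides propose DES for that role). It shows what "include message length within M" buys: with zero padding alone, two different messages pad to the same blocks.

```python
import hashlib
import struct

BLOCK = 16          # m: message block size in bytes (assumed)
STATE = 8           # n: chaining value size in bytes (assumed)
IV = bytes(STATE)   # h_0: fixed initial value (assumed all zeros)

def f(block: bytes, h: bytes) -> bytes:
    """Stand-in compression function: m+n bits in, n bits out."""
    return hashlib.sha256(h + block).digest()[:STATE]

def pad(message: bytes, include_length: bool) -> bytes:
    """Pad to a multiple of BLOCK bytes.
    include_length=False: zero bytes only (ambiguous).
    include_length=True: 0x80 marker, zeros, then the 64-bit bit length."""
    if not include_length:
        return message + bytes(-len(message) % BLOCK)
    zeros = bytes(-(len(message) + 9) % BLOCK)
    return message + b"\x80" + zeros + struct.pack(">Q", 8 * len(message))

def iterated_hash(message: bytes, include_length: bool = True) -> str:
    """h_i = f(M_i, h_{i-1}) over the padded blocks; output is h_k."""
    h = IV
    data = pad(message, include_length)
    for i in range(0, len(data), BLOCK):
        h = f(data[i:i + BLOCK], h)
    return h.hex()

if __name__ == "__main__":
    a, b = b"abc", b"abc\x00"   # constructed inputs: differ by one zero byte
    print("zero padding only :", iterated_hash(a, False), iterated_hash(b, False))
    print("with length       :", iterated_hash(a, True), iterated_hash(b, True))
```

The first line prints the same digest twice, a collision caused purely by the padding rule; the second prints two different digests.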
