
VIL CRHF from FIL CRHF: adding IV


Presentation Transcript


  1. http://AmirHerzberg.com
     VIL CRHF from FIL CRHF: adding IV
     • Build VIL CRHF h: {0,1}* → {0,1}^m from FIL CRHF c: {0,1}^n → {0,1}^m
     • 1st idea: use an iterative process, compressing block by block
     • 2nd idea: use a fixed IV as the first block, y_0 = IV ∈ {0,1}^m
     • Let the input be x = x[1]||x[2]||…||x[l] where |x[i]| = (n-m) [i > 0]
     • For i = 1,…,l let y_i = c(x[i], y_{i-1}); output h(x) = y_l
     • Suppose h(x) = h(x'), x ≠ x':
       • If |x| = |x'| → c(x[i], y_{i-1}) = c(x'[i], y'_{i-1}) for some i with <x[i], y_{i-1}> ≠ <x'[i], y'_{i-1}>, i.e. a collision for c
       • Else: collision, or preimage for IV (contradiction to OWF?)
     Figure: chain of c boxes over x[1], x[2], …, x[l], starting from y_0 = IV. IV construction, notation: IV[c](x) = c(x[2], c(x[1], IV)); h(x) = y_l = c(x[l], y_{l-1})

  2. Merkle-Damgard VIL Construction
     • Let pad(x) = x||1||0^k||bin_{n-m}(|x|)
     • Let y_0 = IV be some fixed m bits (IV = Initialization Value)
     • For i = 1,…,|pad(x)|/(n-m), let y_i = c(x[i], y_{i-1})
     • Output MD[c](x) = IV[c](pad(x)) = y_{l+1}
     Bounded length, but: up to |x| = 2^{n-m}; can use bin_{n-m}(|x|/(n-m)); 64 bits are enough (SHA); easy to extend to unbounded length
     Figure: blocks x[1], x[2], …, x[l]||10^k, |x| fed through c starting from IV; MD[c](x) = y_{l+1} = c(|x|, y_l)

  3. Example: MD5 (Message Digest #5)
     • Developed by RSA Inc.
     • Output is 128 bit
     • Collisions by birthday paradox: 2^64 time, storage
     • Compression function: cascade of four 128b+512b → 128b compression functions
     • Collisions found
       • 1996: compression function (pseudo-collisions)
       • 2004: full MD5 chosen prefix collision attack
       • Some results allowing two different prefixes
     • Still widely used, but being `phased out`

  4. SHA-1 (Secure Hash Algorithm)
     • Developed by NIST, published as FIPS 180-1
     • Output is 160 bit
     • New versions: 256b, 384b and 512b proposed
     • Widely used; `closed` design process, criteria
     • Similar design to MD5
     • 160b chaining block → brute force collisions complexity 2^80
     • Chosen-prefix collisions in 2^63 guesses [W06, WYY05]
     • Chaining value added (mod 2^32) to output of compression
     Figure: compression function with inputs CV[i] (160b) and m[i] (512b), output CV[i+1] (160b)

  5. Exploiting Chosen-Prefix Attacks
     • Hash trees are vulnerable to collision attacks!
     • Recall chosen prefix collision attacks
       • Allow attacker to choose prefix
       • Known for MD5, SHA0, others; suspect for SHA1
       • For any prefix p
         • Attack finds two collisions c, c'
         • S.t. for any suffix s holds: h(p||c||s) = h(p||c'||s)
     • Implications / exploits?
       • Colliding, different executables, documents (ps…)
       • Duplicate `tickets` (sign m = “ticket #”||n, n by subject)
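The constructions of slides 1, 2, 3 and 5 in one runnable piece, as an added example that is not part of the original slides: the IV construction IV[c] and the Merkle-Damgård hash MD[c] = IV[c](pad(x)) with pad(x) = x||1||0^k||bin_{n-m}(|x|), a birthday search on a deliberately tiny chaining value (m = 24 bits) that finds a collision in the chaining value after roughly 2^(m/2) evaluations, and a check that such a collision survives any common suffix s, which is why h(p||c||s) = h(p||c'||s) once p||c and p||c' reach the same chaining value. The compression function c is a stand-in (SHA-256 of chaining value and block, truncated to m bits), an assumption and not the lecture's c; the function names make_c, iv_construction, pad, md, birthday_collision and demo, the block size of 128 bits and the constructed prefix are mine. Padding is done at byte granularity, so the single 1 bit is the 0x80 byte, as in SHA.

```python
import hashlib
from typing import Callable, Dict, Tuple

B_BYTES = 16  # n - m: one message block is 128 bits (assumed block size)


def make_c(m_bytes: int) -> Callable[[bytes, bytes], bytes]:
    """Stand-in FIL compression function c: {0,1}^n -> {0,1}^m with n = 8*(B_BYTES+m_bytes).
    SHA-256 over (chaining value || block) truncated to m bits; an assumption, not the slides' c."""
    def c(block: bytes, chain: bytes) -> bytes:
        if len(block) != B_BYTES or len(chain) != m_bytes:
            raise ValueError("c takes one (n-m)-bit block and one m-bit chaining value")
        return hashlib.sha256(chain + block).digest()[:m_bytes]
    return c


def iv_construction(c, x: bytes, iv: bytes) -> bytes:
    """IV[c](x): y_0 = IV, y_i = c(x[i], y_{i-1}), output y_l. x must be whole blocks (slide 1)."""
    if len(x) % B_BYTES:
        raise ValueError("IV[c] needs a whole number of (n-m)-bit blocks")
    y = iv
    for i in range(0, len(x), B_BYTES):
        y = c(x[i:i + B_BYTES], y)
    return y


def pad(x: bytes) -> bytes:
    """pad(x) = x || 1 || 0^k || bin_{n-m}(|x|) (slide 2), byte-granular: the '1' is the 0x80
    byte and k is chosen so the (n-m)-bit length field fills exactly the final block."""
    body = x + b"\x80"
    k = (-len(body) - B_BYTES) % B_BYTES
    return body + bytes(k) + (8 * len(x)).to_bytes(B_BYTES, "big")


def md(c, x: bytes, iv: bytes) -> bytes:
    """MD[c](x) = IV[c](pad(x)) (slide 2)."""
    return iv_construction(c, pad(x), iv)


def birthday_collision(c, chain: bytes) -> Tuple[bytes, bytes, int]:
    """Two distinct blocks b != b' with c(b, chain) == c(b', chain), found by remembering
    every output until one repeats: about 2^(m/2) evaluations for an m-bit chaining
    value (slide 3). Returns (b, b', number of evaluations)."""
    seen: Dict[bytes, bytes] = {}
    i = 0
    while True:
        b = i.to_bytes(B_BYTES, "big")
        y = c(b, chain)
        if y in seen:
            return seen[y], b, i + 1
        seen[y] = b
        i += 1


def demo(m_bytes: int = 3) -> Tuple[bool, bool, int]:
    """With a tiny m, find colliding blocks after a chosen prefix p and show the collision
    holds for every suffix s (slide 5). Returns (blocks differ, all suffixes collide, tries)."""
    c = make_c(m_bytes)
    iv = bytes(m_bytes)                 # fixed IV, all-zero (arbitrary choice)
    p = b"chosen prefix!!!"             # constructed prefix, exactly one block long
    chain = iv_construction(c, p, iv)   # chaining value after absorbing p
    b1, b2, tries = birthday_collision(c, chain)
    # p||b1 and p||b2 have equal length, so pad() appends identical blocks to both;
    # from the colliding chaining value on, every later y_i is identical.
    suffixes = (b"", b"x", b"any suffix " * 7)
    same = all(md(c, p + b1 + s, iv) == md(c, p + b2 + s, iv) for s in suffixes)
    return b1 != b2, same, tries


if __name__ == "__main__":
    differ, same, tries = demo(3)
    print(f"colliding blocks differ: {differ}, collision survives suffixes: {same}, tries: {tries}")
```

The 24-bit chaining value exists only to make the search finish instantly; the same loop against a 128-bit or 160-bit chaining value is the 2^64 / 2^80 figure of slides 3 and 4, and the real attacks cited there beat that bound by exploiting the compression function's structure rather than by brute force. Two defender-side consequences follow from the code: appending data after the colliding block (a serial number, a timestamp, a signature over the whole message) does not separate the two inputs, so collision resistance has to come from the hash itself; and because MD[c](x) is simply the last chaining value, the construction reveals its internal state, which is why keyed use of such a hash goes through HMAC rather than hashing a key and message together.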

  6. X.509 Public Key Certificates

  7. Sequence Numbers in IP-Sec
     • Send (authenticated) sequence number with packet
       • Initial number = zero (when SA established)
       • Sender increments per outgoing packet
       • Not cyclic: change key before seq# reaches 2^32
     • Receiver advances to highest received seq# (if MAC OK)
     • Discard packets identified as replay [why?]
       • Replay = repeated seq # (within `window`)
     • Deliver out-of-order packets (within `window`)
       • Since IP does not preserve order
     • Discard if not within window: block (very) old packets
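The receiver rules of the slide as a sliding anti-replay window, an added example that is not part of the original slides and not taken from any IPsec implementation: the receiver remembers the highest authenticated sequence number and a bitmap of which numbers in the window below it have already been accepted, so repeats are rejected as replay, out-of-order packets inside the window are delivered, and packets older than the window are dropped. The sender side never wraps and demands a new SA before the 32-bit space is exhausted. The class names, the window size and the sample sequence are my constructions; MAC verification is represented by a boolean argument.

```python
from typing import List

MAX_SEQ = 2**32 - 1  # sequence numbers are 32-bit and must not cycle (slide 7)


class Sender:
    """Per-SA sender state: starts at zero when the SA is established, increments per packet."""

    def __init__(self) -> None:
        self.seq = 0

    def next_seq(self) -> int:
        if self.seq >= MAX_SEQ:
            # Not cyclic: the key (SA) must be changed before the counter would wrap.
            raise RuntimeError("sequence space exhausted: establish a new SA before sending more")
        self.seq += 1
        return self.seq


class Receiver:
    """Per-SA receiver state: highest accepted seq# plus a bitmap of the window below it.
    Bit d of the bitmap is set when seq# (highest - d) has already been accepted."""

    def __init__(self, window: int = 64) -> None:
        self.window = window
        self.highest = 0
        self.bitmap = 0

    def receive(self, seq: int, mac_ok: bool) -> str:
        if not mac_ok:
            return "reject: MAC failed"          # window state only moves on authenticated packets
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1                  # whole old window falls off; only seq is marked
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        d = self.highest - seq
        if d >= self.window:
            return "reject: outside window (too old)"
        if (self.bitmap >> d) & 1:
            return "reject: replay"              # repeated seq# within the window
        self.bitmap |= 1 << d                    # out-of-order but new: deliver and remember
        return "accept (out of order)"


def run(seqs: List[int], window: int = 8) -> List[str]:
    """Feed a sequence of authenticated packets to a fresh receiver and return its verdicts."""
    r = Receiver(window)
    return [r.receive(s, True) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering, two replays, a big jump, and a packet that
    # has fallen out of the 8-packet window.
    for seq, verdict in zip([1, 2, 3, 5, 4, 4, 3, 100, 99, 99, 92, 93],
                            run([1, 2, 3, 5, 4, 4, 3, 100, 99, 99, 92, 93])):
        print(seq, verdict)
```

The window size trades tolerance for reordering against memory per SA; what matters for the guarantee is that a number is never accepted twice and that the state advances only after the MAC has verified, otherwise an unauthenticated packet with a large sequence number could push legitimate traffic out of the window.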

  8. AH - Authentication Header
     • The Authentication Header (AH) authenticates the entire IP packet, including the IP header (except TTL etc.), the AH header itself, and the payload
     Figure: AH header layout in 32-bit rows: Protocol | Payload length | Reserved; SPI (Security Parameters Index); Sequence Number; Authentication Data (variable length)

  9. ESP – Encapsulating Security Payload
     Figure: ESP packet layout in 32-bit rows, with the encrypted region and the MAC marked

  10. Euler Theorem & Function Φ(n)
     • The Euler function of n, denoted Φ(n), is the number of positive integers less than n and co-prime to n.
     • For every prime p holds Φ(p) = p-1
     • For primes p, q holds Φ(pq) = (p-1)(q-1)
     • Euler’s Theorem: if a, n are co-prime then a^{Φ(n)} = 1 mod n
     • Fermat’s Theorem: if p is prime then a^{p-1} = 1 mod p
     • Also: a^{x mod Φ(n)} = a^x mod n; a^x = a mod n whenever x = 1 mod Φ(n)
     • Also: a^{-1} = a^{Φ(n)-1} mod n → easy to compute inverse mod n

  11. RSA Public Key Cryptosystem (2002 Turing Award)
     • Select two large primes p, q and let n = pq
     • Let Φ(n) = (p-1)(q-1) [Euler function]
     • Select random public exponent e which is prime
       • Or co-prime to Φ(n), i.e. no common divisor
     • Let d = e^{-1} mod Φ(n), i.e. ed = 1 mod Φ(n).
       • Find d from Φ(n) with the extended Euclidean (GCD) algorithm (simple… see e.g. in Wikipedia)
     • Public key is <n,e>, private key is d.
     • Notice: given p, q it is easy to find Φ(n) = (p-1)(q-1) and from it d
     • Assumption: it is hard to find d (or Φ(n), or p, q) given only <n, e>
     • RSA.E_{e,n}(m) = m^e mod n
     • RSA.D_{d,n}(c) = c^d mod n = (m^e)^d = m^{ed} mod n
     • Euler: m^{ed} = m^{ed mod Φ(n)} = m^1 = m mod n
     • This is called `textbook RSA` (in practice, pad message first)
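Slides 10 and 11 worked through in code, as an added example that is not part of the original slides: Φ(n) computed from its definition, Euler's theorem and the exponent-reduction identity checked numerically, the inverse both as a^{Φ(n)-1} mod n and via the extended Euclidean algorithm, and textbook RSA key generation, encryption and decryption with the resulting d. The primes p = 61, q = 53 and e = 17 are small constructed values chosen so that every step can be checked by hand; the function names are mine.

```python
from math import gcd
from typing import Tuple


def phi(n: int) -> int:
    """Euler's function by its definition: count of 1 <= a < n co-prime to n (slide 10).
    Fine for small n; for n = pq one uses (p-1)(q-1) instead."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """Euler's theorem: a^{Φ(n)} = 1 mod n when gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1


def exponent_reduction_holds(a: int, x: int, n: int) -> bool:
    """a^{x mod Φ(n)} = a^x mod n (slide 10), for a co-prime to n."""
    return pow(a, x % phi(n), n) == pow(a, x, n)


def inverse_by_euler(a: int, n: int) -> int:
    """a^{-1} = a^{Φ(n)-1} mod n (slide 10); requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a has no inverse mod n")
    return pow(a, phi(n) - 1, n)


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(a: int, n: int) -> int:
    """a^{-1} mod n via the extended Euclidean algorithm (how d is found on slide 11)."""
    g, s, _ = egcd(a, n)
    if g != 1:
        raise ValueError("a and n are not co-prime")
    return s % n


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Tuple[int, int], int]:
    """Textbook RSA: n = pq, Φ(n) = (p-1)(q-1), d = e^{-1} mod Φ(n). Returns (<n,e>, d)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be co-prime to Φ(n)")
    return (n, e), modinv(e, phi_n)


def rsa_encrypt(pub: Tuple[int, int], m: int) -> int:
    """RSA.E_{e,n}(m) = m^e mod n (no padding: textbook RSA only)."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(d: int, n: int, c: int) -> int:
    """RSA.D_{d,n}(c) = c^d mod n = m^{ed} mod n = m by Euler."""
    return pow(c, d, n)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)           # constructed toy parameters, not a real key size
    n, e = pub
    print("n =", n, "e =", e, "d =", d, "ed mod Φ(n) =", (e * d) % ((61 - 1) * (53 - 1)))
    c = rsa_encrypt(pub, 65)
    print("E(65) =", c, "D(c) =", rsa_decrypt(d, n, c))
```

The toy modulus makes the "assumption" bullet concrete: phi(3233) is found here by brute force in a few thousand steps, and from it d follows at once, which is exactly what factoring n into p and q gives an attacker; the security of real RSA rests entirely on n being too large for that. The last bullet of the slide is not optional in practice: rsa_encrypt is deterministic and multiplicative, so a deployed system pads the message (OAEP for encryption, PSS for signatures) before exponentiation.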

  12. SSL Handshake – Overview
     Figure: message flow between Client and Server:
     • Client → Server: possible cipher-suites (in order of preference), Client_random
     • Server → Client: chosen cipher-suite, Server_random, Certificate, where Certificate = Sign_CA(www.server.com, PK_server, validity, ...)
     • Client → Server: encrypted shared key (Pre_Master_Secret)
     • Client and Server change to the new, computed keys (`Cipher Spec`)
     • Client → Server: Confirmation (MAC of handshake messages)
     • Server → Client: Confirmation (MAC of handshake messages)
     • The confirmations confirm the cipher-suites, no replay, and that the client really sent the Pre_Master_Secret
