Cryptographic Hash Functions and Protocol Analysis


CSCE 522 - Farkas, Lecture 8-9

Hash Functions

Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)

Accidental or intentional change to the data will change the hash value

Given h and x, h(x) is easy to compute (ease of computation)


Good Hash Function

1. It is easy to compute the hash value for any given message

2. It is infeasible to find a message that has a given hash

3. It is infeasible to modify a message without changing its hash

4. It is infeasible to find two different messages with the same hash


Hash functions

Preimage resistant (one-way): if for all specified outputs, it is computationally infeasible to find any input that hashes to that output

Second-preimage resistant (weak collision resistant): if it is computationally infeasible to find any second input which has the same output as any specified input

Collision resistant (strong collision resistant): if it is computationally infeasible to find any two distinct inputs that have the same output


Attacks

First preimage attack: given a hash h, find a message m such that hash(m) = h

Second preimage attack: given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1)

Attack complexity: 2^n (considered too high for a typical output size of n=160 bits)

Practical attacks: Collision attack


Collision Attack

Birthday attack:

Cryptographic attack

Exploits the mathematics behind the birthday problem in probability theory

Given a function ƒ, the goal of the attack is to find two different inputs x1, x2 such that ƒ(x1) = ƒ(x2)

Method: evaluate the function ƒ for different input values that may be chosen randomly or pseudorandomly until the same result is found more than once (complexity is 2^(n/2))
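
The method above, as an added Python example that is not part of the lecture: it measures how many evaluations the birthday search needs against a deliberately short n-bit hash and sets that beside 2^(n/2) and 2^n, which is why digest length is chosen at twice the desired security level. The toy hash (SHA-256 truncated to n bits), the function names and the sample inputs are constructed for this illustration.

```python
import hashlib

def truncated_hash(data: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the top n_bits of SHA-256 (constructed for this demo)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def birthday_collision(n_bits: int):
    """Evaluate the hash on distinct inputs until an output repeats.

    Returns (x1, x2, evaluations). Memory grows with the number of
    evaluations because every output seen so far is remembered.
    """
    seen = {}  # hash value -> first input that produced it
    counter = 0
    while True:
        x = b"msg-%d" % counter  # distinct inputs; outputs look pseudorandom
        h = truncated_hash(x, n_bits)
        counter += 1
        if h in seen:
            return seen[h], x, counter
        seen[h] = x

def summarize(bit_lengths=(16, 20, 24, 28)):
    """Compare measured work with 2^(n/2) and with the 2^n preimage bound."""
    rows = []
    for n in bit_lengths:
        _, _, evals = birthday_collision(n)
        rows.append((n, evals, 2 ** (n // 2), 2 ** n))
    return rows

if __name__ == "__main__":
    for n, evals, birthday, brute in summarize():
        print(f"n={n:2d}  evaluations={evals:6d}  "
              f"2^(n/2)={birthday:6d}  2^n={brute}")
```

The measured counts stay within a small factor of 2^(n/2), far below 2^n; extrapolated to a 160-bit digest that is about 2^80 evaluations for a collision against 2^160 for a preimage.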


Hash Functions

Message digest

Used for authenticity (sign hash value of a message) and integrity purposes

Algorithms: SHA-1, MD2, MD4, MD5


MD5 Message Digest Algorithm

Input of arbitrary length

Output: 128 bits

Block size: 512 bits

1991: designed by Ron Rivest to replace MD4

1996, …, 2008: Weaknesses in MD5

Cryptographically broken


MD6

MD6 was submitted to the NIST SHA-3 competition

July 1, 2009: Rivest posted a comment at NIST that MD6 is not yet ready to be a candidate for SHA-3: speed issues and inability to supply a proof of security for a faster reduced-round version


MD5 Processing

Append padding bits so that length ≡ 448 mod 512 (padded message is 64 bits less than an integer multiple of 512)

Append length: a 64-bit representation of the length of the original message (before the padding); total length of message is k*512 bits

Initialize MD buffer: 128-bit buffer holds intermediate and final results (4 32-bit registers, ABCD)


MD5 Processing

Process message in 512-bit blocks:

4 rounds of processing

Similar structure but different logical function

Each round takes the 512-bit input and values of ABCD and modifies ABCD

Output: from the last stage is a 128-bit digest


Strength of MD5

Every bit of plain text influences every bit of the hash code

Complex repetition of the basic functions: unlikely that two random messages would have similar regularities

MD5 is as strong as possible for 128-bit digest (Rivest’s conjecture)

Hasn’t been disproved yet


Secure Hash Algorithm

SHA was developed by National Institute of Standards and Technology

1993: Published as Federal Information Processing Standard (FIPS PUB 180)

SHA-0, SHA-1, and SHA-2

SHA-1: best known and widely used


SHA Security

SHA-1: in 2005 security flaws were identified

A possible mathematical weakness might exist

SHA-2: no attacks have yet been reported

SHA-2 variants are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives

SHA-3: new hash standard is currently under development


SHA-1

Input length: max. (2^64 − 1) bits

Output length: 160-bit

Based on principles similar to those used in the design of the MD4 and MD5


SHA-2 Family

2001: first published in the draft FIPS PUB 180-2

2002, 2004: FIPS PUB 180-2 modified

SHA-224, SHA-256, SHA-384, and SHA-512


MD5 vs. SHA

Very similar

Security: SHA’s digest is 32 bits longer, so without algorithm flaws SHA is more secure

Speed: SHA has more steps and produces 160-bit buffer, so SHA is slower

Simplicity and compactness: MD5 has more internal steps with varying buffer modification, so SHA is simpler


Protocol Analysis Exercise 1.

Assume that Jane and Paul want to efficiently send very large files to each other. They also want to provide integrity verification, third-party message authentication (i.e., a third party can verify who the originator of the message is), and limit the scope of a compromise (i.e., providing forward secrecy). You can assume that Jane and Paul have public and secret key encryption capabilities, can generate a hash function, and they have a shared secret key K0 established before the communication. They do not have access to a mutually trusted server, and no other keys but K0 are known at the beginning of the communication. Propose a security protocol to establish necessary keys and show how Jane can send a file to Paul.


Exercise 2.

Message authentication and key agreement

Alice wants to establish a secure communication with Bob. They agree to use the Yahalom protocol for mutual authentication and key agreement. The protocol uses symmetric key encryption only. Alice has a secret key shared with a trusted third party Server, KA, and, similarly, Bob has a secret key shared with Server, KB. NA and NB are nonces generated by Alice and Bob, respectively. E(M, K) indicates encryption of message M with key K, “||” means concatenation of messages. Explain after each protocol step what the recipient of the message knows based on the message and the properties of the encryption and what he/she is capable of doing. For example,


Exercise 2.

Message1: Alice → Server: IDA || E(“request for session key to Bob”, KA)

Server:

• The server sees that the claimed sender of the message is Alice.

• The server can decrypt the message using KA that is shared between Alice and the Server. The message must have been sent by Alice because KA is only known by Alice and the server.

• The server knows that Alice is requesting a session key to be used by Alice and Bob.

• The server can generate a session key KS to be used by Alice and Bob and send the key to …


Exercise 2.

Message1: Alice → Bob: IDA || NA

Bob knows/can do

Message2: Bob → Server: IDB || E[(IDB || NA || NB), KB]

Server knows/can do

Message3: Server → Alice: E[(IDB || KS || NA || NB), KA] || E[(IDA || KS), KB]

Alice knows/can do

Message4: Alice → Bob: E[(IDA || KS), KB] || E(NB, KS)

Bob knows/can do


Exercise 3.

Secure communication 

Consider the following protocol. Ann wants to send a message M securely to Bob but there is no shared secret key between Ann and Bob; Ann does not even know Bob’s public key. However, using the properties of RSA (in particular the commutative property), Ann proposes the following protocol, where E(M, K) indicates encryption/decryption of message M with key K, “||” means concatenation of messages, KpubA means the public key of A, KprivA means the private key of A.


Exercise 3.

Message1: Ann → Bob: IDA || E(M, KpubA)

Message2: Bob → Ann: IDB || E[(E(M, KpubA)), KpubB]

Message3: Ann → Bob: IDA || E(M, KpubB)

Show a man-in-the-middle attack against the above protocol.


Next class

Review of cryptography and security protocols