Jaap van Ginkel - SNE/OS3 Homepage [OS3 Website] van Ginkel. Crypto Hash Function ... Cyclic Redundancy Check (CRC) ... Stream cipher based on one-time pad

  • View
    215

  • Download
    0

Embed Size (px)

Text of Jaap van Ginkel - SNE/OS3 Homepage [OS3 Website] van Ginkel. Crypto Hash Function ... Cyclic...

  • Security of Systems and Networks

    November 3, 2014 Part 3 Modern Crypto Hashes

    Jaap van Ginkel

  • Crypto Hash Function Crypto hash function h(x) must provide

    Compression output length is small Efficiency h(x) easy to compute for any x One-way given a value y it is infeasible to find an x

    such that h(x) = y Weak collision resistance given x and h(x), infeasible

    to find y x such that h(y) = h(x) Strong collision resistance infeasible to find any x

    and y, with x y such that h(x) = h(y) Lots of collisions exist, but hard to find any

  • Pre-Birthday Problem Suppose N people in a room How large must N be before the

    probability someone has same birthday as me is 1/2 ?

    Solve: 1/2 = 1 (364/365)N for N We find N = 253

  • Birthday Problem How many people must be in a room before

    probability is 1/2 that any two (or more) have same birthday?

    1 365/365 364/365 (365N+1)/365 Set equal to 1/2 and solve: N = 23

    Surprising? A paradox? Maybe not: Should be about sqrt(365)

    since we compare all pairs x and y And there are 365 possible birthdays

  • Non-crypto Hash (1) Data X = (X0,X1,X2,,Xn-1), each Xi is a byte Define h(X) = X0+X1+X2++Xn-1 Is this a secure cryptographic hash? Example: X = (10101010, 00001111) Hash is h(X) = 10111001 If Y = (00001111, 10101010) then h(X) =

    h(Y) Easy to find collisions, so not secure

  • Non-crypto Hash (2) Cyclic Redundancy Check (CRC) Essentially, CRC is the remainder in a long

    division calculation Good for detecting burst errors

    Random errors unlikely to yield a collision But easy to construct collisions CRC has been mistakenly used where crypto

    integrity check is required (e.g., WEP)

  • Popular Crypto Hashes MD5 invented by Rivest

    128 bit output Note: MD5 collisions easy to find

    SHA-1 A U.S. government standard, inner workings similar to MD5

    160 bit output Many other hashes, but MD5 and SHA-1

    are the most widely used Hashes work by hashing message in blocks

  • Crypto Hash Design Desired property: avalanche effect

    Change to 1 bit of input should affect about half of output bits

    Crypto hash functions consist of some number of rounds

    Want security and speed Avalanche effect after few rounds But simple rounds

    Analogous to design of block ciphers

  • Cryptographic Hash

    Different from parity or CRC ! Also known as Message Digest Input always delivers fixed length output Hash properties

    Easy to compute

    One-way (Can't go back)

    Collision-resistant (No two inputs result in same hash)

    Output should be as random as possible (Avalanche) (cryptool demo)

  • Merkle-Damgrd Construction

  • HASH Algorithms

    MD MD2 MD4 MD5 (IETF RFC1321), SHA SHA-1 (NIST) SHA-2 (Collection) (SHA-256/224 512/384) SHA-3 (New NIST competition) 2012

  • Demo fraud exam results

    Birthday AttackExam Results for the course SSN of the master education SNE=====================================================

    Course: MSNSSNP6 [Security of Systems and Networks]Exam date: December 18, 2013Credits: 6 ECTSTeacher: Jaap van Ginkel

    Student First Last Result======= ===== ==== ======10255443 Yonne de Bruijn 6.210297138 Adriaan Dens 7.910286500 Florian Ecard 5.910220348 Peter van Dongen 8.110268707 Jeroen van Kessel 5.610257314 James Gratchoff 4.110289585 Carlo Rengo 7.3

  • Hash Brute force Attacks

    Exhaustive search Collision Attacks

    Find m1 and m2 where hash(m1) = hash(m2) Preimage Attacks

    Find m for hash(m) = h Second Preimage Attacks

    Find m2 for given m1 where hash(m2) = hash(m1)

  • MD5

    128 bit Hash Broken since at least

    2005 Still used a lot :-(

  • MD5 Algorithm

    128 bit hash 512 bit block processing Padding with 1 then 0 64 Rounds in 4 groups Mi is Message block Ki is Constant F is nonlinear function

  • SHA

    Secure Hash Algorithm 1993 NIST FIPS SHA-0/SHA-1 Similar to MD5 160 bit Lots of research From 2^80 to 2^69 Move to SHA-2

    256 and 512 bit SHA-3 challenge

  • SHA-2

  • SHA-3 BLAKE Blue Midnight Wish CubeHash (Bernstein) ECHO (France Telecom) Fugue (IBM) Grstl (Knudsen et al.) Hamsi JH Keccak (Keccak team, Daemen et al.) Luffa Shabal SHAvite-3 SIMD Skein (Schneier et al.)

  • HMAC

    Keyed-hash message authentication code MAC + Encryption HMAC-MD5 HMAC-SHA-1 Cryptool demo

  • Symmetric Encryption

  • Symmetric Encryption

  • One Time Pad OTP

    Proven Secure by Shannon Implemented in the Vernam Cipher XOR data stream with pad Truly random pad data needed Hardware noise sources

  • Secret Key Encryption

    Symmetric Encryption DES (Triple DES) IDEA AES (Rijndael) RC6 Blowfish

  • Key Distribution

    Expensive Vulnerable Difficult to scale

  • Taxonomy of Cryptography Symmetric Key

    Same key for encryption and decryption Two types: Stream ciphers, Block ciphers

    Public Key (or asymmetric crypto) Two keys, one for encryption (public), and one for

    decryption (private) And digital signatures nothing comparable in

    symmetric key crypto Hash algorithms

    Can be viewed as one way crypto

  • Taxonomy of Cryptanalysis From perspective of info available to Trudy

    Ciphertext only Known plaintext Chosen plaintext

    Lunchtime attack Protocols might encrypt chosen data

    Adaptively chosen plaintext Related key Forward search (public key crypto) And others

  • Part 1 Cryptography 27

    Symmetric Key Crypto Stream cipher based on one-time pad

    Except that key is relatively short Key is stretched into a long keystream Keystream is used just like a one-time pad

    Block cipher based on codebook concept Block cipher key determines a codebook Each key yields a different codebook Employs both confusion and diffusion

  • Part 1 Cryptography 28

    Stream Ciphers

  • Stream Ciphers

  • Part 1 Cryptography 30

    A5/1: Shift Registers A5/1 uses 3 shift registers

    X: 19 bits (x0,x1,x2, ,x18) Y: 22 bits (y0,y1,y2, ,y21) Z: 23 bits (z0,z1,z2, ,z22)

  • A5/1: Keystream At each step: m = maj(x8, y10, z10)

    Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 If x8 = m then X steps

    t = x13 x16 x17 x18 xi = xi1 for i = 18,17,,1 and x0 = t

    If y10 = m then Y steps t = y20 y21 yi = yi1 for i = 21,20,,1 and y0 = t

    If z10 = m then Z steps t = z7 z20 z21 z22 zi = zi1 for i = 22,21,,1 and z0 = t

    Keystream bit is x18 y21 z22

  • A5/1

    Each variable here is a single bit Key is used as initial fill of registers Each register steps (or not) based on maj(x8, y10,

    z10) Keystream bit is XOR of rightmost bits of registers

    y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21

    z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22

    X

    Y

    Z

    x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

  • A5/1

    Each variable here is a single bit Key is used as initial fill of registers Each register steps (or not) based on maj(x8, y10,

    z10) Keystream bit is XOR of rightmost bits of registers

    y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21

    z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22

    X

    Y

    Z

    x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

  • Shift Register Crypto Shift register crypto efficient in hardware Often, slow if implement in software In the past, very popular Today, more is done in software due to

    fast processors Shift register crypto still used some

    Resource-constrained devices

  • RC4

    A self-modifying lookup table Table always contains a permutation of the

    byte values 0,1,,255 Initialize the permutation using key At each step, RC4 does the following

    Swaps elements in current lookup table Selects a keystream byte from table

    Each step of RC4 produces a byte Efficient in software

    Each step of A5/1 produces only a bit Efficient in hardware

  • RC4 Initialization S[]ispermutationof0,1,...,255 key[]containsNbytesofkey

    fori=0to255S[i]=iK[i]=key[i(modN)]

    nextij=0fori=0to255

    j=(j+S[i]+K[i])mod256swap(S[i],S[j])

    nextii=j=0

  • RC4 Keystream For each keystream byte, swap elements in

    table and select bytei=(i+1)mod256j=(j+S[i])mod256swap(S[i],S[j])t=(S[i]+S[j])mod256keystreamByte=S[t]

    Use keystream bytes like a one-time pad Note: first 256 bytes should be

    discarded Otherwise, related key attack exists

  • Block Ciphers

  • (Iterated) Block Cipher Plaintext and ciphertext consist of fixed-sized blocks

    Ciphertext obtained from plaintext by it