Cryptography Lecture 5 Stefan Dziembowski stefan@dziembowski.net.


Cryptography

Lecture 5

Stefan Dziembowski

www.dziembowski.net

stefan@dziembowski.net

Plan

1. Introduction to authentication

2. CBC-MAC

3. Introduction to the collision-resistant hash functions

4. NMAC and HMAC

5. Authentication + Encryption

Message Authentication

Integrity:

[Diagram: Alice sends a message M to Bob; an adversary interferes with the transmission]

How can Bob be sure that M really comes from Alice?

Sometimes: more important than secrecy!

[Diagram: Alice sends “transfer 1000 $ to Bob” to the Bank; the adversary changes it to “transfer 1000 $ to Eve”]

Of course: usually we want both secrecy and integrity.

Does encryption guarantee message integrity?

Idea:

1. Alice encrypts m and sends c=Enc(k,m) to Bob.

2. Bob computes Dec(k,c), and if it “makes sense” accepts it.

Intuition: only Alice knows k, so nobody else can produce a valid ciphertext.

It does not work!

Example: one-time pad.

[Diagram: plaintext “transfer 1000 $ to Bob” xor key K = ciphertext C; xoring (“Eve” xor “Bob”) into C at the position of the recipient’s name gives a ciphertext that decrypts to “transfer 1000 $ to Eve”]
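The one-time-pad example above, worked in Python as an added illustration (this is not code from the lecture). The pad is a constructed random key, and the point is that the tampering step never uses the key at all: secrecy of the key gives no integrity.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, m: bytes) -> bytes:
    """One-time pad: c = m xor K (the key must be at least as long as m)."""
    if len(key) < len(m):
        raise ValueError("one-time pad key is shorter than the message")
    return xor_bytes(key[:len(m)], m)


# Decryption is the same operation: m = c xor K.
otp_decrypt = otp_encrypt


def splice_ciphertext(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Slide 5: XOR (old xor new) into the ciphertext at `offset`.

    (m xor K) xor (old xor new) equals (m with old replaced by new) xor K,
    so the result decrypts to the modified plaintext without the key.
    """
    delta = xor_bytes(old, new)
    end = offset + len(delta)
    return c[:offset] + xor_bytes(c[offset:end], delta) + c[end:]


def demo(key: bytes = b"") -> tuple:
    """Encrypt the bank order, tamper with the ciphertext, decrypt.
    Returns (original plaintext, plaintext Bob recovers from the tampered ciphertext)."""
    m = b"transfer 1000 $ to Bob"            # constructed sample plaintext from the slide
    key = key or secrets.token_bytes(len(m))  # constructed random pad
    c = otp_encrypt(key, m)
    # The attacker knows the message format, hence the offset of the recipient's name.
    c_forged = splice_ciphertext(c, m.index(b"Bob"), b"Bob", b"Eve")
    return m, otp_decrypt(key, c_forged)


if __name__ == "__main__":
    original, tampered = demo()
    print(original.decode(), "->", tampered.decode())
```

Bob's decryption succeeds and "makes sense", which is exactly why the "accept it if it makes sense" rule from the previous slide fails: the ciphertext is malleable, and only a tag computed with a key (the MAC introduced next) can detect the change.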

Message authentication

[Diagram: Alice and Bob share the key k; Alice sends (m, t=Tagk(m)); Bob verifies if t=Tagk(m)]

Eve can see (m, t=Tagk(m)).

She should not be able to compute a valid tag t’ on any other message m’.

Message authentication – multiple messages

[Diagram: Alice and Bob share the key k; Alice sends (m1, t=Tagk(m1)), (m2, t=Tagk(m2)), ..., (mt, t=Tagk(mt))]

Eve should not be able to compute a valid tag t’ on any other message m’.

Message Authentication Codes – the idea

[Diagram: the key k ← Gen(1n) is shared by Alice and Bob; for m є {0,1}* Alice sends (m, t=Tagk(m)); Bob computes Vrfyk(m,t) є {yes,no}]

Message Authentication Codes

A message authentication code (MAC) is a tuple (Gen,Mac,Vrfy) of poly-time algorithms, such that

• the key-generation algorithm Gen takes as input a security parameter 1n and outputs a key k,

• the tagging algorithm Mac takes as input a key k and a message mє{0,1}* and outputs a tag t,

• the verification algorithm Vrfy takes as input a key k, a message m and a tag t, and outputs a bit b є {yes, no}.

If Vrfyk(m,t) = yes then we say that t is a valid tag on the message m.

If Mac is deterministic, then Vrfy just computes Mac and compares the result.


Correctness

We require that it always holds that:

Vrfyk(m,Mack(m)) = yes

What remains is to define security of a MAC.

How to define security?

We need to specify:

1. how the messages m1,...,mt are chosen,

2. what is the goal of the adversary.

Good tradition: be as pessimistic as possible!

Therefore we assume that

1. The adversary is allowed to choose m1,...,mt.

2. The goal of the adversary is to produce a valid tag on some m’ such that m’ ≠ m1,...,mt.

[Diagram: the security game. On input the security parameter 1n the oracle selects a random key k = Gen(1n); the adversary submits m1, ..., mt and receives (m1, t=Tagk(m1)), ..., (mt, t=Tagk(mt))]

We say that the adversary breaks the MAC scheme if at the end she outputs (m’,t’) such that

1. Vrfy(m’,t’) = yes

2. m’ ≠ m1,...,mt

The security definition

We say that (Gen,Mac,Vrfy) is secure if for every polynomial-time adversary A

P(A breaks it) is negligible (in n).

Aren’t we too paranoid? [1/2]

No! Sometimes the adversary may have influence on the messages that the parties are sending.

(remember the story about Midway?)

Another example: routing

[Diagram: the tagged message (m, t=Tagk(m)) travels through intermediate nodes between the two parties holding k]

Aren’t we too paranoid? [2/2]

Maybe it would be enough to require that:

the adversary succeeds only if he forges a message that “makes sense”.

(e.g.: forging a message that consists of random noise should not count)

Bad idea:

• hard to define,

• is application-dependent.

Warning: MACs do not offer protection against the “replay attacks”.

[Diagram: Alice sends (m, t) to Bob once; the same (m, t) is delivered to Bob again and again]

Since Vrfy has no state (or “memory”) there is no way to detect that (m,t) is not fresh!

This problem has to be solved by the higher-level application (methods: time-stamping, sequence numbers...).

Constructing a MAC

1. There exist MACs that are secure even if the adversary is infinitely-powerful (we discussed them on the first lecture). These constructions are not practical.

2. MACs can be constructed from the block ciphers. We will now discuss two constructions:

– simple (and not practical),

– a little bit more complicated (and practical) – a CBC-MAC.

3. MACs can also be constructed from the hash functions (NMAC, HMAC).

A simple construction from a block cipher

Let F : {0,1}n × {0,1}n → {0,1}n

be a block cipher.

We can now define a MAC scheme that works only for messages m є {0,1}n as follows:

• Gen(1n) simply chooses a random key k from {0,1}n,

• Mac(k,m) = F(k,m).

It can be proven that it is a secure MAC.

How to generalize it to longer messages?

[Diagram: the block cipher Fk applied to m yields the tag F(k,m)]

Idea 1

[Diagram: Fk is applied separately to m1, ..., md, yielding F(k,m1), ..., F(k,md)]

• divide the message in blocks m1,...,md

• and authenticate each block separately

This doesn’t work!

What goes wrong?

[Diagram: for t = Tagk(m), take m’ = perm(m) and t’ = perm(t), where perm permutes the blocks of m and the blocks of t in the same way]

Then t’ is a valid tag on m’.

Idea 2

[Diagram: each block xi = (i, mi), the counter i followed by mi, is passed through Fk, yielding F(k,x1), ..., F(k,xd)]

Add a counter to each block.

This doesn’t work either!

[Diagram: for t = Tagk(m), take m’ = a prefix of m and t’ = the corresponding prefix of t]

Then t’ is a valid tag on m’.

Idea 3

[Diagram: each block xi = (i, l, mi), the counter i, the length l and mi, is passed through Fk, yielding F(k,x1), ..., F(k,xd)]

Add l := |m| to each block.

This doesn’t work either!

What goes wrong?

[Diagram: take two messages m and m’ of the same length, with tags t = Tagk(m) and t’ = Tagk(m’)]

m’’ = first half from m || second half from m’

t’’ = first half from t || second half from t’

Then t’’ is a valid tag on m’’.

Idea 4

[Diagram: each block xi = (r, i, l, mi), a random r, the counter i, the length l and mi, is passed through Fk, yielding F(k,x1), ..., F(k,xd)]

Add a fresh random value to each block!

This works!

[Diagram: the message m is divided into blocks m1, m2, ..., md with |mi| = n/4 (n is the block length), padded with zeroes if needed; r is chosen randomly; xi = (r, i, l, mi) with l = |m|; tagk(m) consists of r together with F(k,x1), F(k,x2), ..., F(k,xd)]
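Ideas 1 to 4 worked end to end in Python, as an added example rather than code from the lecture. The block cipher F is replaced by a keyed function built from SHA-256 and truncated to a 16-byte block (an assumption; the forgeries only use the structure of the tag, not the cipher), the counter and length fields are 4 bytes each, and the messages are constructed sample inputs. The forge_* functions reproduce the three forgeries from the slides, and tag4/vrfy4 show why the fresh random r carried in the tag stops the splicing.

```python
import hashlib
import hmac
import secrets
import struct

N = 16  # block length n of F, in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption): SHA-256 of k || x, truncated to one block."""
    if len(x) != N:
        raise ValueError("F expects exactly one block")
    return hashlib.sha256(k + x).digest()[:N]


def split(data: bytes, size: int) -> list:
    """Cut data into pieces of `size` bytes (the last piece may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def blockwise_tag(k: bytes, m: bytes, chunk: int, encode) -> bytes:
    """Generic 'authenticate each block separately' MAC: tag = F(k,x1) || ... || F(k,xd),
    where xi = encode(i, |m|, mi) turns the i-th chunk of m into one N-byte block."""
    pieces = split(m, chunk) or [b""]
    pieces[-1] = pieces[-1].ljust(chunk, b"\0")            # pad with zeroes if needed
    return b"".join(F(k, encode(i, len(m), mi)) for i, mi in enumerate(pieces, start=1))


# Idea 1: xi = mi.   Idea 2: xi = i || mi.   Idea 3: xi = i || l || mi  (l = |m| in bytes).
IDEA1 = (N, lambda i, l, mi: mi)
IDEA2 = (N - 4, lambda i, l, mi: struct.pack(">I", i) + mi)
IDEA3 = (N - 8, lambda i, l, mi: struct.pack(">II", i, l) + mi)


def tag(k: bytes, m: bytes, idea) -> bytes:
    chunk, encode = idea
    return blockwise_tag(k, m, chunk, encode)


def vrfy(k: bytes, m: bytes, t: bytes, idea) -> bool:
    return hmac.compare_digest(tag(k, m, idea), t)


def forge_idea1(m: bytes, t: bytes) -> tuple:
    """Slide 20: permute the blocks of m and the blocks of t in the same way (here: reverse them)."""
    return b"".join(reversed(split(m, N))), b"".join(reversed(split(t, N)))


def forge_idea2(m: bytes, t: bytes, j: int) -> tuple:
    """Slide 22: the first j chunks of m are authenticated by the first j blocks of t."""
    chunk = IDEA2[0]
    return m[:j * chunk], t[:j * N]


def forge_idea3(m: bytes, t: bytes, m2: bytes, t2: bytes) -> tuple:
    """Slide 24: for |m| = |m2|, splice the first half of (m, t) with the second half of (m2, t2)."""
    if len(m) != len(m2):
        raise ValueError("splicing needs messages of equal length")
    chunk = IDEA3[0]
    half = (len(m) // chunk) // 2                            # chunks in the first half
    return m[:half * chunk] + m2[half * chunk:], t[:half * N] + t2[half * N:]


# Idea 4: xi = r || i || l || mi with |mi| = n/4 and a fresh random r per tag; the tag carries r.
def tag4(k: bytes, m: bytes, r: bytes = b"") -> bytes:
    r = r or secrets.token_bytes(4)
    encode = lambda i, l, mi: r + struct.pack(">II", i, l) + mi
    return r + blockwise_tag(k, m, N // 4, encode)


def vrfy4(k: bytes, m: bytes, t: bytes) -> bool:
    r, body = t[:4], t[4:]                                   # the verifier reads r from the tag
    encode = lambda i, l, mi: r + struct.pack(">II", i, l) + mi
    return hmac.compare_digest(blockwise_tag(k, m, N // 4, encode), body)
```

Splicing tags produced under two different values of r no longer verifies, because every block of the recomputed tag is bound to the single r in the tag being checked; the price, visible in tag4, is a tag four times the length of the message plus r, which is the problem the next slides address.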

This construction can be proven secure

Theorem

Assuming that F : {0,1}n × {0,1}n → {0,1}n is a pseudorandom permutation, the construction from the previous slide is a secure MAC.

Proof idea

Suppose it is not a secure MAC. Let A be an adversary that breaks it with a non-negligible probability. We construct a distinguisher D that distinguishes F from a random permutation.

This construction is not practical

Problem:

The tag is 4 times longer than the message...

We can do much better!

CBC-MAC

[Diagram: the message m is divided into blocks m1, m2, m3, ..., md, padded with zeroes if needed; a block encoding |m| is prepended; the blocks are chained through Fk in CBC mode, and the output of the last Fk is tagk(m)]

F : {0,1}n × {0,1}n → {0,1}n – a block cipher

Gen just chooses a random key k ← {0,1}n.

Other variants exist!

Why is this needed?

Suppose we don’t prepend |m|...

[Diagram: the same CBC chain over m1, m2, m3, ..., md and |m| through Fk, giving tagk(m)]

[Diagram: the adversary chooses m1 and m2 and obtains t1 = tagk(m1) and t2 = tagk(m2), each a single application of Fk; now she can compute a tag on m’ = m1 || (m2 xor t1), namely t’ = tagk(m’) = t2]
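The CBC-MAC of slide 30 and the forgery of slide 32 in Python, added here as an illustration (not the lecture's code). As before the block cipher is replaced by a stand-in keyed function built from SHA-256 (an assumption), the IV is the all-zero block, and the `prepend_length` switch selects between the variant with the |m| block and the one without it.

```python
import hashlib
import hmac

N = 16  # block length in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k (assumption): SHA-256 of k || x truncated to one block."""
    return hashlib.sha256(k + x).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(k: bytes, m: bytes, prepend_length: bool = True) -> bytes:
    """CBC-MAC: (optionally) a first block encoding |m|, then the zero-padded blocks of m,
    chained through F_k from a zero IV; the last output is the tag."""
    padded = m + bytes(-len(m) % N)                         # pad with zeroes if needed
    blocks = [padded[i:i + N] for i in range(0, len(padded), N)]
    if prepend_length:
        blocks.insert(0, len(m).to_bytes(N, "big"))
    z = bytes(N)
    for blk in blocks:
        z = F(k, xor(z, blk))
    return z


def cbc_vrfy(k: bytes, m: bytes, t: bytes, prepend_length: bool = True) -> bool:
    """Recompute and compare in constant time."""
    return hmac.compare_digest(cbc_mac(k, m, prepend_length), t)


def forge_by_extension(m1: bytes, t1: bytes, m2: bytes, t2: bytes) -> tuple:
    """Slide 32: for one-block m1, m2 with tags t1, t2, the message m' = m1 || (m2 xor t1) has
    tag t2 under the length-free variant, since F_k(F_k(m1) xor m2 xor t1) = F_k(m2)."""
    if len(m1) != N or len(m2) != N:
        raise ValueError("the slide's forgery uses one-block messages")
    return m1 + xor(m2, t1), t2
```

With the length block in front, the chain for the two-block m’ starts from F_k(|m’|) rather than F_k(|m1|), so the same (m’, t2) pair is rejected; that is the whole job of the prepended |m|.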

Some practitioners don’t like the CBC-MAC

We don’t want to authenticate using the block ciphers!

Why?

What do you want to use instead?

Hash functions!

Because:

1. they are more efficient,

2. they are not protected by the export regulations.

Collision-resistant hash functions

[Diagram: a hash function H : {0,1}* → {0,1}L maps a long m to a short H(m)]

Requirement: it should be hard to find a pair (m,m’) such that H(m) = H(m’).

Such a pair is called a “collision”; the property is called collision-resistance.

Collisions always exist

[Diagram: two elements m, m’ of the domain are mapped to the same element of the range]

Since the domain is larger than the range the collisions have to exist.

Hash functions – an example of an application

[Diagram: Alice sends a long message m to Bob over a fast insecure link (e.g. internet) and H(m) over a voice phone link]

If Bob can recognize Alice’s voice then the integrity of m is guaranteed.

Another example

File F can be downloaded by an insecure connection.

If we can learn H(F) in a secure way, we can verify authenticity of F.

Hash functions are a bit similar to the error-correcting codes

Difference between the hash functions and the error correcting codes:

• error-correcting codes are secure against the random errors.

• collision-resistant hash functions are secure against the intentional errors.

A bit like: pseudorandom generators

vs. cryptographic pseudorandom generators.

“Practical definition”

H is a collision-resistant hash function if it is “practically impossible to find collisions in H”.

Popular hash functions:

• MD5 (now considered broken)

• SHA1

• ...

How to formally define “collision resistance”?

Idea

Say something like: H is a collision-resistant hash function if for every efficient adversary A

P(A finds a collision in H) is small.

Problem

For a fixed H there always exists a constant-time algorithm that “finds a collision in H” in constant time.

It may be hard to find such an algorithm, but it always exists!

Solution

When we prove theorems we will always consider families of hash functions indexed by a key s:

{Hs} s є keys

[Diagram: informal description – every party “knows H” and runs a protocol; formal model – s is chosen randomly and every party runs the protocol with Hs; real-life implementation (example) – every party “knows SHA1” and runs the protocol with SHA1 in place of H]

Hash functions – the functional definition

A hash function is a pair of probabilistic polynomial-time algorithms (Gen,H) where

• Gen takes as input a security parameter 1n and outputs a key s.

• H takes as input a key s and a message x є {0,1}* and outputs a string Hs(x) є {0,1}L(n), where L(n) is some fixed function.

Hash functions – the security definition [1/2]

[Diagram: on input 1n the challenger computes s ← Gen(1n) and hands s to the adversary A, who outputs (m,m’)]

We say that adversary A breaks the function (Gen,H) if Hs(m) = Hs(m’).

Hash functions – the security definition [2/2]

(Gen, H) is a collision-resistant hash function if for every polynomial-time adversary A

P(A breaks (Gen,H)) is negligible.

A common method for constructing hash functions

1. Construct a “fixed-input-length” collision-resistant hash function

Call it: a collision-resistant compression function.

2. Use it to construct a hash function.

h : {0,1}2·L → {0,1}L

[Diagram: h compresses an input m of 2·L bits to an output h(m) of L bits]

An idea

[Diagram: m is divided into blocks m1, m2, ..., mB with mi є {0,1}L, padded with zeroes if needed; starting from IV, each block is fed together with the previous output into h; the last output is H(m); the length t of m can be arbitrary]

This doesn’t work...

Why is it wrong?

[Diagram: m of length t, divided into m1, m2, ..., mB and padded with zeroes]

If we set m’ = m || 0000 then H(m’) = H(m).

Solution: add a block encoding “t”.

[Diagram: the blocks m1, m2, ..., mB followed by an extra block mB+1 := t]

Merkle-Damgård transform

[Diagram: m is divided into m1, m2, ..., mB with mi є {0,1}L, padded with zeroes if needed, followed by mB+1 := t; starting from IV, each block is chained through h; the final output is H(m)]

given h : {0,1}2L → {0,1}L

we construct H : {0,1}* → {0,1}L

t doesn’t need to be known in advance (nice!)

This construction is secure

We would like to prove the following:

Theorem

If h : {0,1}2L → {0,1}L is a collision-resistant compression function then H : {0,1}* → {0,1}L is a collision-resistant hash function.

But wait…. It doesn’t make sense…

We need to consider the hash function families

Suppose (gen,h) is a collision-resistant hash function such that for every s ← gen(1n) we have

hs : {0,1}2L(n) → {0,1}L(n)

[Diagram: h compresses an input m of 2·L(n) bits to an output h(m) of L(n) bits]

We now show how to transform such a (gen,h) into a hash function (Gen,H).

How?

1. Gen(1n) ← gen(1n)

2. Use the same construction as before

Merkle-Damgård transform

[Diagram: as before, m is divided into m1, m2, ..., mB with mi є {0,1}L(n), padded with zeroes if needed, followed by mB+1 := t; starting from IV, each block is chained through h; the final output is H(m)]

given h : {0,1}2L(n) → {0,1}L(n)

we construct H : {0,1}* → {0,1}L(n)

This construction is secure

Theorem

If (gen,h) is a collision-resistant hash function then (Gen,H) is a collision-resistant hash function.

Proof

Suppose A is a polynomial-time adversary that breaks (Gen,H) with a non-negligible probability. We construct a polynomial-time adversary a that breaks (gen,h) with a non-negligible probability.

[Diagram: a breaks hs by simulating A. The challenger picks s ← gen(1n) and sends s to a, who forwards s to A; A breaks Hs and outputs (m,m’), a collision in Hs; now a should output a collision (x,y) in h]

How to compute a collision (x,y) in h from a collision (m,m’) in H?

We consider two options:

1. |m| = |m’|

2. |m| ≠ |m’|

Option 1: |m| = |m’|

[Diagram: m is divided into m1, m2, ..., mB, mB+1 := t (padded with zeroes), and m’ into m’1, m’2, ..., m’B, m’B+1 := t in the same way]

Some notation:

[Diagram: for m the chaining values are z1 = IV, z2, ..., zB, zB+1, where each zi+1 is the output of h on (zi, mi), and zB+2 = H(m); for m’ they are z’1 = IV, z’2, ..., z’B, z’B+1 and z’B+2 = H(m’); zB+2 = H(m) and z’B+2 = H(m’) are equal]

Let i* be the largest i such that (mi,zi) = (m’i,z’i) (because m ≠ m’ such i* > 1 always exists!)

So, we have found a collision!

[Diagram: h maps (zi*-1, mi*-1) to zi* and (z’i*-1, m’i*-1) to z’i*; the inputs are not equal, the outputs are equal]

Option 2: |m| ≠ |m’|

[Diagram: the last inputs to h, (zB+1, mB+1) for m and (z’B’+1, m’B’+1) for m’, give the equal outputs H(m) and H(m’); the last block encodes the length of the message, so these inputs cannot be equal!]

So, again we have found a collision!

Finalizing the proof

So, if A breaks H with probability ε(n), then a breaks h with probability ε(n).

If A runs in polynomial time, then a also runs in polynomial time.

QED


Generic attacks on hash functions

Remember the brute-force attacks on the encryption schemes?

For the hash functions we can do something slightly smarter...

It is called a “birthday attack”.

The birthday paradox

Suppose we have a random function H : A → B. Take q values x1,...,xq.

Let p(q) be the probability that there exist distinct i,j such that H(xi) = H(xj).

If q ≥ |A| then trivially p(q) = 1.

Why is it called “a birthday paradox”?

Set: H : people → birthdays

Q: How many random people do you need to take to know that with probability 0.5 at least 2 of them have birthday on the same day?

A: 23 is enough!

Counterintuitive...

How does the birthday attack work?

For a hash function H : {0,1}* → {0,1}L

Take a random X – a subset of {0,1}2L, such that |X| = 2^(L/2).

With probability around 0.5 there exist x,x’ є X such that H(x) = H(x’).

A pair (x,x’) can be found in time O(|X| log |X|) and space O(|X|).

Moral

L has to be such that an attack that needs 2^(L/2) steps is infeasible.
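The birthday computation and the generic attack in Python, as an added example (not code from the lecture). The hash is SHA-256 truncated to a chosen number of output bits L, an assumption that lets the attack finish in a fraction of a second for L = 32, and the inputs are constructed deterministically so the run is reproducible; the table-based search is the O(|X|) space, near-linear time procedure the slide refers to.

```python
import hashlib


def trunc_hash(x: bytes, bits: int) -> int:
    """Toy hash with an L = `bits`-bit output: SHA-256 truncated (assumption for illustration)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)


def collision_probability(q: int, n: int) -> float:
    """Exact p(q) for q draws from a random function into n values: 1 - prod_{i<q} (1 - i/n)."""
    p_no_collision = 1.0
    for i in range(q):
        p_no_collision *= 1.0 - i / n
    return 1.0 - p_no_collision


def expected_inputs(bits: int) -> float:
    """Number of inputs after which a collision becomes likely: about 2^(L/2)."""
    return 2.0 ** (bits / 2)


def birthday_collision(bits: int, seed: bytes = b"constructed-seed") -> tuple:
    """Slide 69: draw inputs, keep a table H(x) -> x, stop at the first repeated output.
    Returns (x, x', number of inputs drawn); time is one hash and one table lookup per input."""
    seen = {}
    drawn = 0
    while True:
        x = seed + drawn.to_bytes(8, "big")   # distinct, reproducible sample inputs
        drawn += 1
        y = trunc_hash(x, bits)
        if y in seen:
            return seen[y], x, drawn
        seen[y] = x


if __name__ == "__main__":
    x, x2, n = birthday_collision(32)
    print(f"32-bit output: collision after {n} inputs (expected about {expected_inputs(32):.0f})")
    print(f"p(23 people, 365 birthdays) = {collision_probability(23, 365):.3f}")
```

The moral of the slide is visible in `expected_inputs`: a 128-bit output leaves a 2^64-step generic attack, which is why the 2^(L/2) figure, not 2^L, decides how long L must be.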

Concrete functions

• MD5,

• SHA-1, SHA-256,...

• ....

all use (variants of) Merkle-Damgård transformation.

MD5 (Message-Digest Algorithm 5)

• output length: 128 bits,

• designed by Rivest in 1991,

• in 1996, Dobbertin found collisions in the compression function of MD5,

• in 2004 a group of Chinese mathematicians designed a method for finding collisions in MD5,

• there exists a tool that finds collisions in MD5 with a speed of 1 collision / minute (on a laptop computer).

Is MD5 completely broken?

The attack would be practical if the colliding documents “made sense”...

In 2005 A. Lenstra, X. Wang, and B. de Weger found X.509 certificates with different public keys and the same MD5 hash.

SHA-1 (Secure Hash Algorithm)

• output length: 128 bits,

• designed in 1993 by the NSA,

• in 2005 Xiaoyun Wang, Andrew Yao and Frances Yao presented an attack that runs in time 2^63,

• still rather secure, but new hash algorithms are needed!

The US National Institute of Standards and Technology announced a competition for a new hash function (deadline: October 31, 2008).

Go to http://csrc.nist.gov/groups/ST/hash/sha-3/ and submit!

How to authenticate with hash functions?

A simple idea:

[Diagram: a long m is hashed to h(m), which is then passed through a block cipher Fk with key k; the tag is Fk(h(m))]

By the way: a similar method is used in the public-key cryptography (it is called “hash-and-sign”).

What does the industry say?

The block cipher is still there...

Why don’t we just hash a message together with a key:

MACk(m) = H(k || m)?

It’s not secure!

Suppose H was constructed using the MD-transform

[Diagram: MACk(m) = H(k || m) is computed by chaining IV, k, the blocks of m and the length block t through h; Eve can see MACk(m), and she can fabricate MACk(m||t): she continues the chain from MACk(m), processing t and a new length block t + L, without knowing k]
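A toy Merkle-Damgård hash in Python, added here (not the lecture's code) to serve two passages: the transform of slides 49 to 51, including the zero-padding flaw that the length block fixes, and the H(k || m) length extension of slides 74 and 75. The compression function h is SHA-256 truncated to L = 16 bytes (an assumption standing in for a real h), blocks are 16 bytes and padding is with zeroes as on the slides, so the values are not those of any standard hash. `extend` reproduces the slide's forgery: from MACk(m) and |k| alone it continues the chain and returns a valid tag for m followed by the padding, the length block and an extra suffix.

```python
import hashlib

L = 16                    # block and output length in bytes (L bits on the slides)
IV = bytes(L)


def h(x: bytes) -> bytes:
    """Stand-in compression function h : {0,1}^2L -> {0,1}^L (assumption: truncated SHA-256)."""
    if len(x) != 2 * L:
        raise ValueError("h takes exactly 2L bytes")
    return hashlib.sha256(x).digest()[:L]


def md_blocks(m: bytes, length_block: bool) -> list:
    """Split m into L-byte blocks, padding the last with zeroes; optionally append m_{B+1} := |m|."""
    padded = m + bytes(-len(m) % L)
    blocks = [padded[i:i + L] for i in range(0, len(padded), L)]
    if length_block:
        blocks.append(len(m).to_bytes(L, "big"))
    return blocks


def md_chain(state: bytes, blocks: list) -> bytes:
    """z_{i+1} = h(z_i || m_i), starting from `state`."""
    for blk in blocks:
        state = h(state + blk)
    return state


def md_hash(m: bytes, length_block: bool = True) -> bytes:
    """Merkle-Damgard transform (slide 51); length_block=False is the broken 'idea' of slide 49."""
    return md_chain(IV, md_blocks(m, length_block))


def naive_mac(k: bytes, m: bytes) -> bytes:
    """The industry proposal of slide 74: MAC_k(m) = H(k || m)."""
    return md_hash(k + m)


def extend(mac: bytes, key_len: int, m: bytes, extra: bytes) -> tuple:
    """Slide 75: produce (m', tag) with tag = MAC_k(m') from MAC_k(m) and |k| only.
    `glue` is the zero padding plus length block that H appended when hashing k || m;
    after those blocks the chain state equals `mac`, so the chain is simply continued."""
    original_len = key_len + len(m)
    glue = bytes(-original_len % L) + original_len.to_bytes(L, "big")
    forged_m = m + glue + extra
    total_len = key_len + len(forged_m)
    remaining = md_blocks(extra, False) + [total_len.to_bytes(L, "big")]
    return forged_m, md_chain(mac, remaining)
```

Two things to check when reading the output: the forged message carries the glue bytes in the middle, which a receiver that parses only the visible text will not notice, and the attacker needs |k| but never k. NMAC and HMAC, introduced next, close this gap by applying a second keyed step to the chain output.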

A better idea

M. Bellare, R. Canetti, and H. Krawczyk (1996):

• NMAC (Nested MAC)

• HMAC (Hash based MAC)

have some “provable properties”.

They both use the Merkle-Damgård transform.

Again, let h : {0,1}2L → {0,1}L be a compression function.

NMAC

[Diagram: m is divided into m1, ..., mB followed by mB+1 := |m|, padded with zeroes; the chain starts from k1 instead of IV and passes through h; the result is fed together with k2 into one more application of h, giving NMAC(k1,k2)(m)]

What can be proven

Suppose that

1. h is collision-resistant,

2. the following function is a secure MAC: MACk2(m) = hk2(m), i.e. h applied to the key k2 and the message m.

Then NMAC is a secure MAC.

Looks better, but

1. our libraries do not permit changing the IV,

2. the key is too long: (k1,k2)

HMAC is the solution!

HMAC

[Diagram: the inner hash starts from IV and chains (k xor ipad), m1, ..., mB+1 := |m| through h; the outer hash starts from IV and chains (k xor opad) followed by the inner result through h, giving HMACk(m)]

ipad = 0x36 repeated

opad = 0x5C repeated

HMAC – the properties

Looks complicated, but it is very easy to implement (given an implementation of H):

HMACk(m) = H((k xor opad) || H((k xor ipad) || m))

It has some “provable properties” (slightly weaker than NMAC).

Widely used in practice.

We like it!
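The HMAC formula above implemented literally in Python and cross-checked against the standard library, as an added example (not the lecture's code). The slide does not say how k is brought to the block length of H; the code follows the RFC 2104 convention (pad with zeroes, hash keys longer than a block first), which is what `hmac` in Python implements, so the two agree byte for byte.

```python
import hashlib
import hmac


def hmac_from_formula(k: bytes, m: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_k(m) = H((k xor opad) || H((k xor ipad) || m)) from slide 81.
    k is zero-padded to the block length of H (64 bytes for SHA-1 and SHA-256);
    a key longer than one block is first replaced by H(k) (RFC 2104 convention)."""
    H = lambda data: hashlib.new(hash_name, data).digest()
    block = hashlib.new(hash_name).block_size
    if len(k) > block:
        k = H(k)
    k = k.ljust(block, b"\0")
    k_ipad = bytes(b ^ 0x36 for b in k)        # ipad = 0x36 repeated
    k_opad = bytes(b ^ 0x5C for b in k)        # opad = 0x5C repeated
    return H(k_opad + H(k_ipad + m))


def verify_tag(k: bytes, m: bytes, t: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison, so a verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_formula(k, m, hash_name), t)


def matches_stdlib(k: bytes, m: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module."""
    return hmac_from_formula(k, m, hash_name) == hmac.new(k, m, hash_name).digest()
```

Note that only the plain H is needed, never access to its IV, which is the practical advantage over NMAC listed on the previous slide; the outer application of H with the opad key is what prevents the length extension shown for H(k || m).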


Authentication and Encryption

Usually we want to authenticate and encrypt at the same time.

What is the right way to do it? There are several options:

• Encrypt-and-authenticate: c ← Enck1(m) and t ← Mack2(m) – wrong

• Authenticate-then-encrypt: t ← Mack2(m) and c ← Enck1(m||t) – better

• Encrypt-then-authenticate: c ← Enck1(m) and t ← Mack2(c) – the best

By the way: never use the same key for Enc and Mac: k1 and k2 have to be “independent”!
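Encrypt-then-authenticate with independent keys, in Python, as an added example (not the lecture's code). The key derivation and the stream cipher are stand-ins chosen so the example runs on the standard library alone: k1 and k2 are derived from one master secret with HMAC under distinct labels, and Enc is SHA-256 in counter mode under a random nonce (an illustration, not a production cipher). The receiver checks the tag over the ciphertext before decrypting anything. `encrypt_and_mac` is included to make one concrete reason for the "wrong" label visible: a tag computed over m is a deterministic function of the plaintext.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes) -> tuple:
    """Two independent keys k1 (encryption) and k2 (MAC) from one master secret,
    using HMAC with distinct labels (assumption: a simple KDF for the example)."""
    k1 = hmac.new(master, b"k1-encrypt", "sha256").digest()
    k2 = hmac.new(master, b"k2-mac", "sha256").digest()
    return k1, k2


def keystream(k1: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(k1 + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def enc(k1: bytes, m: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(k1, nonce, len(m))))


def dec(k1: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(k1, nonce, len(body))))


def encrypt_then_mac(master: bytes, m: bytes) -> bytes:
    """The 'best' option: c <- Enc_k1(m), t <- Mac_k2(c); send c || t."""
    k1, k2 = derive_keys(master)
    c = enc(k1, m)
    return c + hmac.new(k2, c, "sha256").digest()


def verify_then_decrypt(master: bytes, packet: bytes):
    """Check the tag over the ciphertext first; only a valid packet is decrypted.
    Returns the plaintext, or None if the packet is malformed or the tag does not verify."""
    k1, k2 = derive_keys(master)
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    c, t = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k2, c, "sha256").digest(), t):
        return None
    return dec(k1, c)


def encrypt_and_mac(master: bytes, m: bytes) -> tuple:
    """The 'wrong' option: c <- Enc_k1(m), t <- Mac_k2(m). The tag depends only on the
    plaintext, so two encryptions of the same m carry identical tags although the
    ciphertexts differ: the tag reveals whether messages repeat."""
    k1, k2 = derive_keys(master)
    return enc(k1, m), hmac.new(k2, m, "sha256").digest()
```

Rejecting before decrypting also means the decryption routine never runs on attacker-controlled input, which removes a whole class of error-oracle problems that authenticate-then-encrypt designs have to handle separately.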