Hashing, MACs, RSA Sandy Kutin CSPP 532 7/17/01

Dec 20, 2015


Hashing, MACs, RSA

Sandy Kutin
CSPP 532
7/17/01


Rehash: Why do we hash?

Hash functions: boil long message down to a few bits
Alice signs hash with public key:
  Authentication (Bob knows Alice sent it)
  Non-repudiation (Bob can prove Alice sent it)
Data integrity; no one else can alter data
Bit commitment; used in many protocols


Rehash: What is a hash?

What makes H a hash function?
  Takes any size input
  Produces fixed-size output (n bits)
  H(M) is easy to compute
  Given h, it is hard to solve H(M) = h for M
  Given N, it is hard to solve H(M) = H(N) for M (weak collision resistance) (2^n steps)
  It is hard to find M, N such that H(M) = H(N) (strong collision resistance) (2^(n/2) steps)


Rehash: How do we hash?

Most hashes are built using a one-way compression function: m+n bits to n bits
Divide message into k blocks of m bits
h_i = ƒ(M_i, h_{i-1}) (h_0 is a fixed initial value)
Output is H(M) = h_k

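[Figure: chain of compression functions ƒ. IV and M_1 feed the first ƒ, giving h_1; each later ƒ takes M_i and h_{i-1}; the last output h_k is H(M).]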


A MoDESt Proposal

One idea: use encryption (e.g., DES)
h_0 = IV
h_i = ƒ(M_i, h_{i-1}) = E_{M_i}(h_{i-1})
Problem 1: slow
Problem 2: export restrictions


Problem 3: Insecure

Can construct 2 blocks XY, H(XY) = h
Need X, Y so that E_Y(E_X(h_0)) = h
Try 2^(n/2) Xs, 2^(n/2) Ys, see if E_X(h_0) = D_Y(h)
Birthday attack; works on DES, AES, …
Could pick M_1,…,M_{k-2}, solve E_X(h_{k-2}) = D_Y(h)
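
The meet-in-the-middle search from this slide, as an added example that is not part of the original lecture. The toy 16-bit cipher `E`/`D`, the constants and all function names are assumptions chosen so the search finishes instantly; the point is that an n-bit hash built from an invertible cipher this way offers only about 2^(n/2) work against matching a given digest.

```python
# Toy 16-bit block cipher standing in for DES (assumption: illustration only).
MASK, MUL, IV = 0xFFFF, 0x9E37, 0x0F0F        # constructed constants
INV = pow(MUL, -1, 1 << 16)                   # MUL is odd, so invertible mod 2^16

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def E(key, x):
    """Encrypt 16-bit x: four rounds of key-xor, multiply, rotate."""
    for r in range(4):
        x = rotl(((x ^ rotl(key, 4 * r)) * MUL) & MASK, 5)
    return x

def D(key, y):
    """Decrypt: undo the four rounds of E in reverse order."""
    for r in reversed(range(4)):
        y = ((rotr(y, 5) * INV) & MASK) ^ rotl(key, 4 * r)
    return y

def toy_hash(blocks, h=IV):
    """h_i = E_{M_i}(h_{i-1}); the final chaining value is H(M)."""
    for m in blocks:
        h = E(m, h)
    return h

def find_two_blocks(target, h_start=IV, table_size=1 << 8):
    """Find X, Y with E_Y(E_X(h_start)) == target by meeting in the middle."""
    for base in range(0, 1 << 16, table_size):
        # Forward half: 2^(n/2) values E_X(h_start), indexed by result.
        forward = {E(x, h_start): x for x in range(base, base + table_size)}
        # Backward half: step Y until D_Y(target) hits a stored value.
        for tries, y in enumerate(range(1 << 16), start=1):
            x = forward.get(D(y, target))
            if x is not None:
                return x, y, tries
    return None

if __name__ == "__main__":
    target = toy_hash([0x1234, 0xBEEF])       # constructed digest to match
    x, y, tries = find_two_blocks(target)
    print(f"H({x:04x} {y:04x}) = {toy_hash([x, y]):04x} after {tries} Y trials")
    prefix = [0x5041, 0x5921]                 # freely chosen M_1..M_{k-2}
    x, y, _ = find_two_blocks(target, toy_hash(prefix))
    print(toy_hash(prefix + [x, y]) == target)
```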


Specific Hashes: MD5

MD5 (Rivest, 1992): 128-bit hash, 512-bit blocks (similar to MD4, 1990)
(MD = Message Digest)
Simplified versions have been cryptanalyzed, but not MD5 itself
But: strong collision resistance only 64-bit
Not really long enough nowadays
Like DES: now being phased out


Specific Hashes: SHA

SHA (or SHA-1): NIST, NSA, 1995
160-bit hash, 512-bit blocks
Used in DSS (Digital Signature Standard)
May 30, 2001: NIST announced 3 more:

algorithm   bit length   block size   max message   security
SHA-1       160          512          2^64          80 bits
SHA-256     256          512          2^64          128 bits
SHA-384     384          1024         2^128         192 bits
SHA-512     512          1024         2^128         256 bits


Specific Hashes: RIPEMD

RIPE-MD developed in Europe (1996-7)
RIPEMD-160: 160-bit hash, 512-bit blocks (same as SHA-1)
Comparable to SHA-1 in speed, security
Both are roughly half the speed of MD5
American standard is SHA-1 (for now)
SHA-256, SHA-384, SHA-512 match key lengths in AES


Message Authentication Codes

A hash is public; anyone can compute it
We used digital signatures; only Alice can compute Dpa(H(M)), anyone can check
Another idea: C_K(M) using secret key
Message Authentication Code (MAC)
Authentication (but not non-repudiation)
Data integrity


What makes a MAC?

What makes C_K(M) a MAC?
  Any size M, easy-to-compute fixed-size output
  Given K, N, hard to solve C_K(M) = C_K(N) (weak collision resistance for Alice, Bob)
  Given K, it is hard to solve C_K(M) = C_K(N) (strong collision resistance for Alice, Bob)
  Given signed pairs (M, C_K(M)), but not K, it is hard to find more (Eve can’t solve for K, find collisions, or otherwise construct a message and a valid MAC)


Encryption-Based MACs

Simplest idea: C_K(M) = E_K(H(M))
Only as good as “weakest link”
Better: Encrypt in CBC mode
  C_1 = E_K(M_1)
  C_i = E_K(M_i ⊕ C_{i-1})
  C_K(M) is last C_i
DES-CBC is current FIPS-approved MAC
Speed, export issues; wrong tool for job


Hash-based MACs

One idea: C_K(M) = H(K | M)
Effectively a hash with secret initial value
Problem: Given M, C_K(M), can find C_K(M | N)
Solution: HMAC (Bellare, Canetti, Krawczyk, 1996; NIST 1/01)

[Figure: the same chain with the key as first block: IV and K feed the first ƒ, then M_1, M_2, ..., M_k; the last output h_k is H(M).]


HMAC

Pad n-bit key K up to m bits, if necessary
S_i = K ⊕ 00110110..., S_o = K ⊕ 01011010…
First, compute x = H(S_i | M), pad x to m bits
HMAC_K(M) = H(S_o | x)
Only three extra calls to ƒ

[Figure: HMAC. Inner chain: IV, S_i, M_1, ..., M_k through ƒ gives x; outer chain: IV, S_o, x through ƒ gives HMAC_K(M).]
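
The weakness of H(K | M) from the previous slide and the nested HMAC construction, side by side, as an added example that is not part of the original lecture. The toy iterated hash (`f`, `pad`, `H`, 16-byte blocks, 64-bit output), the key and the messages are assumptions constructed for the demonstration; the pad bytes are the ones RFC 2104 specifies.

```python
import hashlib
import hmac

BLOCK = 16                 # toy block size m, in bytes (assumption)
IV = bytes(8)              # toy 64-bit initial value (assumption)

def f(block, h):
    """Toy compression function: m + n bits in, n bits out."""
    return hashlib.sha256(h + block).digest()[:8]

def pad(length):
    """0x80 followed by zeros up to the next block boundary."""
    return b"\x80" + bytes(-(length + 1) % BLOCK)

def H(msg, h=IV):
    """Iterated hash; passing h resumes the chain from a known state."""
    data = msg + pad(len(msg))
    for i in range(0, len(data), BLOCK):
        h = f(data[i:i + BLOCK], h)
    return h

def naive_mac(key, msg):
    return H(key + msg)                     # C_K(M) = H(K | M)

def extend(tag, key_len, msg, suffix):
    """Without K: build M' = M | pad | N and its tag from the tag of M."""
    forged = msg + pad(key_len + len(msg)) + suffix
    return forged, H(suffix, h=tag)         # tag is the state after K | M | pad

def toy_hmac(key, msg):
    """HMAC over H; assumes len(key) <= BLOCK."""
    k = key.ljust(BLOCK, b"\x00")
    s_i = bytes(b ^ 0x36 for b in k)        # inner pad byte, RFC 2104
    s_o = bytes(b ^ 0x5C for b in k)        # outer pad byte, RFC 2104
    return H(s_o + H(s_i + msg))

def accepts(mac, key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)   # constant-time compare

if __name__ == "__main__":
    key, msg, extra = b"constructed-key", b"amount=10&to=bob", b"&to=eve"
    forged, tag = extend(naive_mac(key, msg), len(key), msg, extra)
    print("H(K|M) accepts forgery:", accepts(naive_mac, key, forged, tag))
    forged, tag = extend(toy_hmac(key, msg), BLOCK, msg, extra)
    print("HMAC accepts forgery:  ", accepts(toy_hmac, key, forged, tag))
```

In production code, use the standard library's `hmac.new(key, msg, hashlib.sha256)` rather than a hand-built construction.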


HMAC Attack

We can precompute 2 of the 3 extra calls
Use any H we want (MD5, SHA-1, …)
HMAC is secure as long as H is secure
Birthday attack fails if K is unknown
MD5 is fine


What’s next?

We’ve discussed several primitives:
  Symmetric Encryption
  Hashes
  Message Authentication Codes

There’s one primitive we haven’t discussed:


Public Key Infrastructure


The Key Idea

Public key uses asymmetric encryption
Bob has a public encryption function E_B
  Trapdoor one-way function
  Easy to compute
  Invertible, and Bob knows secret D_b = E_B^(-1)
  For Eve to invert E_B, she’d need to guess b
Alice computes E_B(M); only Bob can decrypt
Diffie, 1975. Question: how do we do it?


VeRSAtile Solution

RSA (Rivest, Shamir, Adleman, 1977):
Bob computes primes p, q, and N = pq
Bob computes d, e, so de ≡ 1 mod φ(N)
Public key: (N, e). Private key: (N, d)
Encryption (Alice): C = E_B(M) ≡ M^e mod N
Decryption (Bob): M = D_b(C) ≡ C^d mod N
By Euler’s Theorem: M^(ed) ≡ M mod N
So, D_b(E_B(M)) = M, Bob can read M


Vice VeRSA

Note that, ∀M, M^(de) ≡ M^(ed) ≡ M mod N
Order doesn’t matter
Only Bob can compute S ≡ M^d mod N
Anyone else can verify M ≡ S^e mod N
Digital Signature
Gives us authenticity, non-repudiation
(As we’ve said: usually applied to H(M))


Factoring in Attacks

Say Eve knows N, e, C, wants to read M
Could factor N, solving for p and q
Then easy to compute φ(N), solve for d
How hard is it to factor?
Best known method: Number Field Sieve
Between polynomial and exponential time
Of course, no one can prove anything


How hard is factoring?

From Schneier’s Applied Cryptography:
MIPS-year: 100 MHz Pentium for a week
Rivest, 1977: 125 digits should take 40 quadrillion years
8/1999: 512-bit prime (155 decimal digits)
  Distributed computing
  Took 8000 MIPS-years
  7 months (3.7 sieving)

Bit-length   MIPS-years
512          3 x 10^4
768          2 x 10^8
1024         3 x 10^11
1536         3 x 10^16
2048         3 x 10^20


An ERSAtz Attack

Can Eve find φ(N)? Then, d ≡ e^(-1) mod φ(N).
Say we knew N = pq, φ(N) = (p-1)(q-1).
Then let Z = N - φ(N) + 1: we know Z
Z = pq - (pq - p - q + 1) + 1 = p + q
(x - p)(x - q) = x^2 - Zx + N; this is solvable
So, if we knew φ(N), we’d know p, q
Therefore, finding φ(N) is as hard as factoring
This is called a reduction


Other AdveRSArial Strategies

Can Eve find d without finding φ(N)?
She knows ed - 1 = Qφ(N) for some Q
Since φ(N) is roughly N, she’d know φ(N)
Another reduction
Can Eve find t, so, ∀M, M^(te) ≡ M mod N?
Yes, if p and q are chosen poorly
For good p, q: about as hard as factoring
“good p, q” means gcd(p-1, q-1) is small
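
The RSA operations and the two reductions from the "ERSAtz Attack" and "AdveRSArial Strategies" slides, carried through in code as an added example that is not part of the original lecture. The two Mersenne primes, the message and all function names are assumptions constructed for the demonstration; this is textbook RSA without padding.

```python
from math import gcd, isqrt

P, Q = 2**61 - 1, 2**89 - 1        # constructed demo primes, far too small for real keys

def keygen(p, q, e=65537):
    """Return public (N, e), private (N, d) and phi(N) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse mod phi(N)")
    return (n, e), (n, pow(e, -1, phi)), phi    # d satisfies de = 1 mod phi(N)

def encrypt(pub, m):               # C = M^e mod N (textbook RSA, no padding)
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):              # M = C^d mod N
    n, d = priv
    return pow(c, d, n)

def sign(priv, m):                 # S = M^d mod N, normally with m = H(M)
    return decrypt(priv, m)

def verify(pub, m, s):             # accept iff M = S^e mod N
    return encrypt(pub, s) == m

def factor_from_phi(n, phi):
    """Recover p <= q from N and phi(N) by solving x^2 - Zx + N = 0."""
    z = n - phi + 1                # Z = p + q
    r = isqrt(z * z - 4 * n)       # square root of the discriminant, |p - q|
    p, q = (z - r) // 2, (z + r) // 2
    if p * q != n:
        raise ValueError("not phi(N) for this N")
    return p, q

def phi_from_d(n, e, d):
    """Recover phi(N) from a leaked d, using ed - 1 = Q * phi(N)."""
    k = e * d - 1
    mult = k // n + 1              # phi(N) is just below N, so Q is just above k/N
    while k % mult:                # very small moduli can need a few more steps
        mult += 1
    return k // mult

if __name__ == "__main__":
    pub, priv, phi = keygen(P, Q)
    m = int.from_bytes(b"constructed msg", "big")
    print(decrypt(priv, encrypt(pub, m)) == m, verify(pub, m, sign(priv, m)))
    print(factor_from_phi(pub[0], phi) == (P, Q))
    print(factor_from_phi(pub[0], phi_from_d(*pub, priv[1])) == (P, Q))
```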


Key Management

Pre-1970s, problem was key distribution
Now, Alice can look up Bob’s public key
How does she get it? Key management
Original solution: “phone book”
  Who prints the book?
  What if it’s compromised, or intercepted?
  How do you look someone up? Unique ID?
  What if Bob has multiple names, keys?
  Do keys expire? What if a key is compromised?


Solution #1: DispeRSAL

One idea: Carol meets Bob face-to-face
Carol says “This is Bob’s key”, signs it
Ted knows Carol, says “This is Carol’s key, and I trust her”, signs it
Alice knows Ted; verifies chain of signatures
Flaw #1: “weakest link”
Flaw #2: >6 degrees of separation
Flaw #3: Unique IDs, expiration, ...


#2: Certificate Authorities

Next class (7/24/01)


Recommended Reading

From Stallings:
  Fermat’s Theorem, Euler’s Theorem, and the φ function: Section 7.3
  RSA: Sections 6.1 - 6.3 (particularly 6.2, which includes fast modular exponentiation)
  Hashing, MACs: Chapter 8
  Birthday attacks: Appendix 8A
  HMAC: Section 9.4