Hashing Sandy Kutin CSPP 532 7/10/01. Cryptographic Protocols zWhat is a cryptographic protocol? zExample: Alice sends Bob a message M y1. Alice generates.

Hashing

Sandy KutinCSPP 5327/10/01

Cryptographic Protocols

What is a cryptographic protocol?Example: Alice sends Bob a message M

1. Alice generates a secret key K 2. Alice computes C1 = Ep

B(K)

3. Alice computes C2 = EsK(M)

4. Alice sends Bob C1, C2

5. Bob computes K = Dpb(C1)

6. Bob computes M = DsK(C2)

Ep, Dp public-key; Es, Ds symmetric. Why?

A sample protocol

1. Alice generates K

2. Alice: C1 = EpB(K)

3. Alice: C2 = EsK(M)

4. Alice sends Bob C1,C2

5. Bob: K = Dpb(C1)

6. Bob: M = DsK(C2)

Alice:

Bob:

K Ep C1

B

M Es C2

K

C1 Dp K

b

C2 Ds M

K

Cryptographic Primitives

How do we pick K? (pseudo-random number generator)

What are Ep, Dp? (e.g., RSA)

What are Es, Ds? (e.g., DES or AES, ECB or CBC mode)

Alice:

Bob:

K Ep C1

B

M Es C2

K

C1 Dp K

b

C2 Ds M

K

Implementation

Where does Alice store K?

How does Alice acquire Bob’s B?

How is the message sent?

Where does Bob store K, b, M?

Alice:

Bob:

K Ep C1

B

M Es C2

K

C1 Dp K

b

C2 Ds M

K

Overall Plan

Before the break: mathAfter the break:

Primitives Protocols Implementation issues Specific products

Old School: Authentic

Confidentiality: Eve can’t recover M

Authentication: only Alice, Bob know K, so Bob knows Alice sent M

Someone could tamper with order; solve this with time stamps and sequencing info

Alice:

Bob:

M Es C

K

C Ds M

K

Alice and Bob sharea secret key K

New Wave: Not Authentic

Confidentiality: Eve can’t recover M

No authentication: how does Bob know who sent the message?

Same problems of tampering with order

Alice:

Bob:

K Ep C1

B

M Es C2

K

C1 Dp K

b

C2 Ds M

K

Solution #1: E(D(M))

Alice “signs” message with her private key

Bob “decrypts” S with Alice’s public key

Only Alice could have signed M

Communication is authenticated

Too slow

Alice:

Bob:

K Ep C1

B

M Dp S

a

S Ep M

A

C2 Ds

K

S Es C2

K

Solution #2: D(E(M))

Alice signs encrypted message

Bob recovers MOnly Alice could have

sent the messageCommunication is

authenticatedToo slowBetter? Worse?

Alice:

Bob:

K Ep C1

B

M Es C2

K

C2 Ds M

K

S Ep

A

C2 Dp S

a

Repudiation

Authentication: can Bob prove to himself that Alice sent the message?

Non-repudiation: can Bob prove, in court, that Alice sent the message?

In military applications, not really relevantIn e-commerce: essential“Digital signature”

DES, I rebuke thee

Classical Crypto: Bob wants to prove M came from Alice

Bob would have to reveal K

Even that isn’t good enough; Bob could’ve encrypted M himself

No defense against repudiation

Alice:

Bob:

M Es C

K

C Ds M

K

Alice and Bob sharea secret key K

Repudiation: E(D(M))

Bob can produce M and S in court

Anyone can verify that M = Ep

A(S)

Only Alice could have created S

Hence, Alice must have sent M

Success!

Alice:

Bob:

K Ep C1

B

M Dp S

a

S Ep M

A

C2 Ds

K

S Es C2

K

Repudiation: D(E(M))

Bob can produce M, C2, and S in court

Judge can verify that Alice signed C2

To prove connection between C2 and M, Bob must reveal K

Even that might not be good enough

Lesson: design matters

Alice:

Bob:

K Ep C1

B

M Es C2

K

C2 Ds M

K

S Ep

A

C2 Dp S

a

A general protocol

E(D(M)) defends against repudiationIt’s too slow to be usefulAnother problem: Bob always needs to convert S

to M. Maybe he doesn’t always want to authenticate.

Solution: Alice appends “signature” to M, encrypts, sends to Bob.

Should be something Alice can do, others can verify. E.g.: Dp

a(M)

Digital Signature Schemes

s(M) is a digital signature if only Alice can compute it, anyone else can verify it

Used for communicationAlso, data integrity: compute signature every

night, see if it matchesDp

a(M) would work, but it’s too slow, and too big

Solution: Dpa(H(M)), where H is a hash function

Hash functions

What makes H a hash function? Takes any size input Produces fixed-size output H(M) is easy to compute Given h, it is hard to solve H(M) = h for M Given N, it is hard to solve H(M) = H(N) for M

(weak collision resistance) It is hard to find M, N such that H(M) = H(N)

(strong collision resistance)

Hashing: Non-repudiation

Say Bob takes Alice to court; he produces M and S = Dp

a(H(M))

Judge checks that EpA(S) = H(M), confirms

that Alice sent (someone) a message hashing to H(M)

Alice says: “Bob must have found a message M to match something I signed”

Weak collision resistance: She’s lying

Strong Collision Resistance

Why require solving H(M) = H(N) to be hard?Say Alice can find M, N so H(M) = H(N)She sends Bob M, signs itWhen Bob takes Alice to court, she claims

“No, I didn’t sign M, I signed N”Repudiation would be possibleSolution: strong collision resistance

Hashing: Secretary Attack

Related problem: Secretary constructs messages M, N where H(M) = H(N)

M is the annual report, N says “Give my secretary a raise”

Alice computes S = Dpa(H(M)), tells

secretary to send out M and SSecretary substitutes N insteadNeed strong collision resistance

How many bits of security?

Let H be a secure hash with n-bit outputSolving “H(M) = h” for M should take 2n triesGiven N, “H(M) = H(N)” should be the same:

just try 2n possible values of MWhat about finding M, N with H(M) = H(N)?If we just pick pairs at random, it’s 2n

But, we can get it down to 2n/2

e.g., for a 128-bit hash; only 264

Happy Birthday

How do we do this? “Birthday Attack”Make a list of 2n/2 possible M’s (e.g., vary

spacing), sort by value of HTry roughly 2n/2 possible N’s, look for H(N)Given Mi, Nj, chance H(Mi) = H(Nj) is 1/2n

2n/2 Mi’s, 2n/2 Nj’s, so 2n/2 2n/2 = 2n pairs

So, odds are good there’s one pairIf there is a pair, finding it is fast

They say it’s your birthday

Why is this called the “birthday attack”?Among 23 people, chances of two with the

same birthday are > 50%Why? (23 22)/2 = 253 pairs of peopleEach has probability roughly 1/365There’s a good chance some pair matchesOther factors only increase the odds“Birthday Paradox”

Hash, Paper, Scissors

An example of the power of a secure hashAlice, Bob want to play rock, paper, scissors

Alice constructs M indicating her choicee.g., “23419382 Good Old Rock”

Alice sends Bob H(M) Bob makes his choice, sends it to Alice Alice reveals M. She has to tell the truth.

“Bit commitment scheme”Applications to auctions, voting

How do we hash?

Most hashes are built using a one-way compression function: m+n bits to n bits

Divide message into k blocks of m bitshi = ƒ(Mi, hi-1) (h0 is a fixed initial value)

Output is H(M) = hk

ƒ ƒ ƒ ƒIV

M1 M2

h1

M3

h2

Mk

hk-1

H(M)

hk

Hashing out the details

Pad message length to be a multiple of mInclude message length within MNeed to pick a one-way function ƒ(Not like public-key; no trapdoor needed)

ƒ ƒ ƒ ƒIV

M1 M1

h1

M2

h2

Mk

hk-1

H(M)

hk

A MoDESt Proposal

One idea: use encryption (e.g., DES)h0 = IV

hi = ƒ(Mi, hi-1) = EMi(hi-1)

Problem 1: slowProblem 2: export restrictions

ƒ ƒ ƒ ƒIV

M1 M1

h1

M2

h2

Mk

hk-1

H(M)

hk