Hashing Sandy Kutin CSPP 532 7/10/01
Dec 21, 2015
Hashing
Sandy KutinCSPP 5327/10/01
Cryptographic Protocols
What is a cryptographic protocol?Example: Alice sends Bob a message M
1. Alice generates a secret key K 2. Alice computes C1 = Ep
B(K)
3. Alice computes C2 = EsK(M)
4. Alice sends Bob C1, C2
5. Bob computes K = Dpb(C1)
6. Bob computes M = DsK(C2)
Ep, Dp public-key; Es, Ds symmetric. Why?
A sample protocol
1. Alice generates K
2. Alice: C1 = EpB(K)
3. Alice: C2 = EsK(M)
4. Alice sends Bob C1,C2
5. Bob: K = Dpb(C1)
6. Bob: M = DsK(C2)
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Cryptographic Primitives
How do we pick K? (pseudo-random number generator)
What are Ep, Dp? (e.g., RSA)
What are Es, Ds? (e.g., DES or AES, ECB or CBC mode)
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Implementation
Where does Alice store K?
How does Alice acquire Bob’s B?
How is the message sent?
Where does Bob store K, b, M?
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Overall Plan
Before the break: mathAfter the break:
Primitives Protocols Implementation issues Specific products
Old School: Authentic
Confidentiality: Eve can’t recover M
Authentication: only Alice, Bob know K, so Bob knows Alice sent M
Someone could tamper with order; solve this with time stamps and sequencing info
Alice:
Bob:
M Es C
K
C Ds M
K
Alice and Bob sharea secret key K
New Wave: Not Authentic
Confidentiality: Eve can’t recover M
No authentication: how does Bob know who sent the message?
Same problems of tampering with order
Alice:
Bob:
K Ep C1
B
M Es C2
K
C1 Dp K
b
C2 Ds M
K
Solution #1: E(D(M))
Alice “signs” message with her private key
Bob “decrypts” S with Alice’s public key
Only Alice could have signed M
Communication is authenticated
Too slow
Alice:
Bob:
K Ep C1
B
M Dp S
a
S Ep M
A
C2 Ds
K
S Es C2
K
Solution #2: D(E(M))
Alice signs encrypted message
Bob recovers MOnly Alice could have
sent the messageCommunication is
authenticatedToo slowBetter? Worse?
Alice:
Bob:
K Ep C1
B
M Es C2
K
C2 Ds M
K
S Ep
A
C2 Dp S
a
Repudiation
Authentication: can Bob prove to himself that Alice sent the message?
Non-repudiation: can Bob prove, in court, that Alice sent the message?
In military applications, not really relevantIn e-commerce: essential“Digital signature”
DES, I rebuke thee
Classical Crypto: Bob wants to prove M came from Alice
Bob would have to reveal K
Even that isn’t good enough; Bob could’ve encrypted M himself
No defense against repudiation
Alice:
Bob:
M Es C
K
C Ds M
K
Alice and Bob sharea secret key K
Repudiation: E(D(M))
Bob can produce M and S in court
Anyone can verify that M = Ep
A(S)
Only Alice could have created S
Hence, Alice must have sent M
Success!
Alice:
Bob:
K Ep C1
B
M Dp S
a
S Ep M
A
C2 Ds
K
S Es C2
K
Repudiation: D(E(M))
Bob can produce M, C2, and S in court
Judge can verify that Alice signed C2
To prove connection between C2 and M, Bob must reveal K
Even that might not be good enough
Lesson: design matters
Alice:
Bob:
K Ep C1
B
M Es C2
K
C2 Ds M
K
S Ep
A
C2 Dp S
a
A general protocol
E(D(M)) defends against repudiationIt’s too slow to be usefulAnother problem: Bob always needs to convert S
to M. Maybe he doesn’t always want to authenticate.
Solution: Alice appends “signature” to M, encrypts, sends to Bob.
Should be something Alice can do, others can verify. E.g.: Dp
a(M)
Digital Signature Schemes
s(M) is a digital signature if only Alice can compute it, anyone else can verify it
Used for communicationAlso, data integrity: compute signature every
night, see if it matchesDp
a(M) would work, but it’s too slow, and too big
Solution: Dpa(H(M)), where H is a hash function
Hash functions
What makes H a hash function? Takes any size input Produces fixed-size output H(M) is easy to compute Given h, it is hard to solve H(M) = h for M Given N, it is hard to solve H(M) = H(N) for M
(weak collision resistance) It is hard to find M, N such that H(M) = H(N)
(strong collision resistance)
Hashing: Non-repudiation
Say Bob takes Alice to court; he produces M and S = Dp
a(H(M))
Judge checks that EpA(S) = H(M), confirms
that Alice sent (someone) a message hashing to H(M)
Alice says: “Bob must have found a message M to match something I signed”
Weak collision resistance: She’s lying
Strong Collision Resistance
Why require solving H(M) = H(N) to be hard?Say Alice can find M, N so H(M) = H(N)She sends Bob M, signs itWhen Bob takes Alice to court, she claims
“No, I didn’t sign M, I signed N”Repudiation would be possibleSolution: strong collision resistance
Hashing: Secretary Attack
Related problem: Secretary constructs messages M, N where H(M) = H(N)
M is the annual report, N says “Give my secretary a raise”
Alice computes S = Dpa(H(M)), tells
secretary to send out M and SSecretary substitutes N insteadNeed strong collision resistance
How many bits of security?
Let H be a secure hash with n-bit outputSolving “H(M) = h” for M should take 2n triesGiven N, “H(M) = H(N)” should be the same:
just try 2n possible values of MWhat about finding M, N with H(M) = H(N)?If we just pick pairs at random, it’s 2n
But, we can get it down to 2n/2
e.g., for a 128-bit hash; only 264
Happy Birthday
How do we do this? “Birthday Attack”Make a list of 2n/2 possible M’s (e.g., vary
spacing), sort by value of HTry roughly 2n/2 possible N’s, look for H(N)Given Mi, Nj, chance H(Mi) = H(Nj) is 1/2n
2n/2 Mi’s, 2n/2 Nj’s, so 2n/2 2n/2 = 2n pairs
So, odds are good there’s one pairIf there is a pair, finding it is fast
They say it’s your birthday
Why is this called the “birthday attack”?Among 23 people, chances of two with the
same birthday are > 50%Why? (23 22)/2 = 253 pairs of peopleEach has probability roughly 1/365There’s a good chance some pair matchesOther factors only increase the odds“Birthday Paradox”
Hash, Paper, Scissors
An example of the power of a secure hashAlice, Bob want to play rock, paper, scissors
Alice constructs M indicating her choicee.g., “23419382 Good Old Rock”
Alice sends Bob H(M) Bob makes his choice, sends it to Alice Alice reveals M. She has to tell the truth.
“Bit commitment scheme”Applications to auctions, voting
How do we hash?
Most hashes are built using a one-way compression function: m+n bits to n bits
Divide message into k blocks of m bitshi = ƒ(Mi, hi-1) (h0 is a fixed initial value)
Output is H(M) = hk
ƒ ƒ ƒ ƒIV
M1 M2
h1
M3
h2
Mk
hk-1
H(M)
hk
Hashing out the details
Pad message length to be a multiple of mInclude message length within MNeed to pick a one-way function ƒ(Not like public-key; no trapdoor needed)
ƒ ƒ ƒ ƒIV
M1 M1
h1
M2
h2
Mk
hk-1
H(M)
hk
A MoDESt Proposal
One idea: use encryption (e.g., DES)h0 = IV
hi = ƒ(Mi, hi-1) = EMi(hi-1)
Problem 1: slowProblem 2: export restrictions
ƒ ƒ ƒ ƒIV
M1 M1
h1
M2
h2
Mk
hk-1
H(M)
hk