
Introduction to Modern Cryptography Makeup Class Symmetric Encryption:

Jan 02, 2016


Owen Ross

Introduction to Modern Cryptography Makeup Class Symmetric Encryption: Stream & Block Ciphers AES Modes of Operation Symmetric Authentication. Stream Ciphers. Start with a secret key (“seed”) Generate a keying stream - PowerPoint PPT Presentation
Transcript
Page 1: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Introduction to Modern Cryptography

Makeup Class

Symmetric Encryption: Stream & Block Ciphers

AES

Modes of Operation

Symmetric Authentication

Page 2: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Stream Ciphers

• Start with a secret key (“seed”)

• Generate a keying stream

• i-th bit/byte of keying stream is a function of the key and the first i-1 ciphertext bits.

• Combine the stream with the plaintext to produce the ciphertext (typically by XOR)

Page 3: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Example of Stream Encryption

[Figure: the Key produces the Stream; Plaintext combined with the Stream = Ciphertext.]

Page 4: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Example of Stream Decryption

[Figure: the Key produces the Stream; Ciphertext combined with the Stream = Plaintext.]

Page 5: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Real Cipher Streams

• Most pre-WWII machines

• German Enigma

• Linear Feedback Shift Register

• A5 – encrypting GSM handset to base station communication

• RC-4 (Ron’s Code)

Page 6: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Terminology

A stream cipher is called synchronous if the keystream does not depend on the plaintext (it depends on the key alone).

Otherwise the cipher is called asynchronous.

Page 7: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Current Example: RC-4

• Part of the RC family

• Claimed by RSA as their IP

• Between 1987 and 1994 its internals were not revealed – little analytic scrutiny

• Preferred export status

• Code released anonymously on the Internet

• Used in many systems: Lotus Notes, SSL, etc.

Page 8: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

RC4 Properties

• Variable key size stream cipher with byte-oriented operations.

• Based on using a random-looking permutation.

• 8-16 machine operations per output byte.

• Very long cipher period (over $10^{100}$).

• Widely believed to be secure. Used for encryption in SSL web protocol.

Page 9: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

RC-4 Initialization

1. j = 0

2. $S_0 = 0, S_1 = 1, \ldots, S_{255} = 255$

3. Let the key be (bytes) $k_0, \ldots, k_{255}$ (repeating bits if necessary)

4. For i = 0 to 255:

   • $j = (j + S_i + k_i) \bmod 256$

   • Swap $S_i$ and $S_j$

Page 10: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

RC-4 Key-stream Creation

Generate an output byte B by:

• $i = (i + 1) \bmod 256$

• $j = (j + S_i) \bmod 256$

• Swap $S_i$ and $S_j$

• $t = (S_i + S_j) \bmod 256$

• $B = S_t$

B is XORed with the next plaintext byte
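The initialization and key-stream steps of the two slides above, written out as an added Python example (not code from the original slides). It assumes i and j both start at 0 for key-stream generation, which the slides do not state, and it repeats the key bytes to fill $k_0, \ldots, k_{255}$; the key and plaintext are constructed sample values.

```python
def rc4_init(key):
    """RC-4 initialization: build the permutation S from the key bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    S = list(range(256))                 # S_0 = 0, S_1 = 1, ..., S_255 = 255
    j = 0
    for i in range(256):
        # k_i is the key repeated as often as necessary
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, length):
    """Produce `length` key-stream bytes B, one per iteration of the slide's loop."""
    S = rc4_init(key)
    i = j = 0                            # assumption: both indices restart at 0
    stream = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        stream.append(S[t])
    return bytes(stream)


def rc4_xor(key, data):
    """XOR data with the key stream; the same call encrypts and decrypts."""
    stream = rc4_keystream(key, len(data))
    return bytes(d ^ s for d, s in zip(data, stream))


if __name__ == "__main__":
    key, plaintext = b"Key", b"Plaintext"          # constructed sample input
    ciphertext = rc4_xor(key, plaintext)
    print(ciphertext.hex())
    # The key stream depends on the key alone (synchronous stream cipher),
    # so applying the same operation again returns the plaintext.
    print(rc4_xor(key, ciphertext))
```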

Page 11: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Block Ciphers

• Encrypt a block of input to a block of output

• Typically, the two blocks are of the same length

• In most symmetric key systems the block size is 64

• In AES the block size is 128

• Different modes for encrypting plaintext longer than a block

Page 12: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Real World Block Ciphers

• DES, 3-DES

• AES (Rijndael)

• RC-2

• RC-5

• IDEA

• Blowfish, Cast

• Gost

Page 13: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

ECB Mode Encryption (Electronic Code Book)

[Figure: each plaintext block $P_1, P_2, P_3$ is passed through $E_k$ to give $C_1, C_2, C_3$.]

Encrypt each plaintext block separately.

Page 14: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Properties of ECB

• Simple and efficient

• Parallel implementation possible

• Does not conceal plaintext patterns

• Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks).

Page 15: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

CBC Mode Encryption (Cipher Block Chaining)

[Figure: starting from $S_0$, the blocks $P_1, P_2, P_3$ are passed through $E_k$ to give $C_1, C_2, C_3$.]

Previous ciphertext is XORed with current plaintext before encrypting current block.

An initialization vector $S_0$ is used as a “seed” for the process. The seed can be “openly” transmitted.

Page 16: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Properties of CBC

• Asynchronous stream cipher

• Errors in one ciphertext block propagate

• Conceals plaintext patterns

• No parallel implementation known

• Plaintext cannot be easily manipulated.

• Standard in most systems: SSL, IPSec etc.

Page 17: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

OFB Mode (Output FeedBack)

An initialization vector $s_0$ is used as a “seed” for a sequence of data blocks $s_i$

Page 18: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Properties of OFB

• Synchronous stream cipher

• Errors in ciphertext do not propagate

• Pre-processing is possible

• Conceals plaintext patterns

• No parallel implementation known

• Active attacks by manipulating plaintext are possible

Page 19: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

AES Proposed Modes

• CTR (Counter) mode (OFB modification): Parallel implementation, offline pre-processing, provable security, simple and efficient

• OCB (Offset Codebook) mode - parallel implementation, offline preprocessing, provable security (under specific assumptions), authenticity

Page 20: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Strengthening a Given Cipher

• Design multiple key lengths – AES

• Whitening - the DESX idea

• Iterated ciphers – Triple DES (3-DES), triple IDEA and so on

Page 21: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Triple Cipher - Diagram

[Figure: P passes through $E_{k_1}$, $E_{k_2}$ and $E_{k_3}$ to give C.]

Page 22: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Iterated Ciphers

• Plaintext undergoes encryption repeatedly by underlying cipher

• Ideally, each stage uses a different key

• In practice triple cipher is usually $C = E_{k_1}(E_{k_2}(E_{k_1}(P)))$ [EEE mode] or $C = E_{k_1}(D_{k_2}(E_{k_1}(P)))$ [EDE mode]

EDE is more common in practice

Page 23: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Necessary Condition

• For some block ciphers iteration does not enhance security

• Example – substitution cipher

• Consider a block cipher: blocks of size b bits, and key of size k

• The number of all possible functions mapping b bits to b bits is $(2^b)^{2^b}$

Page 24: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Necessary Condition (cont.)

• The number of all possible encryption functions (bijections) is $(2^b)!$

• The number of encryption functions in our cipher is at most $2^k$.

• Claim: The bijections are a group G under the operation (composition)

• Claim: If the encryptions of a cipher form a sub-group of G then the iterated cipher does not increase security.

Page 25: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Meet in the Middle Attack

• Double ciphers are rarely used due to this attack

• Attack requires

  – Known plaintext

  – $2^{k+1}$ encryptions and decryptions

  – $|k| \cdot 2^{|k|}$ storage space

• A square root of trivial attacking time at the expense of storage

Page 26: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Meet in the Middle (cont.)

• Given a plaintext-ciphertext pair (p,c)

  – Compute & store the table of $D_{k_2}(c)$ for all $k_2$; takes $2^k$ decryptions, $|k| \cdot 2^{|k|}$ storage.

  – For every $k_1$, test if $E_{k_1}(p)$ is in table

  – Every hit gives a possible $k_1, k_2$ pair

  – May have to repeat several times

• Meet in the middle is applicable to any iterated cipher, reducing the trivial processing time by $2^k$ encryptions
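The table-and-lookup procedure of the two slides above, run against a double cipher $C = E_{k_2}(E_{k_1}(P))$, as an added Python example (not part of the original slides). The 16-bit block cipher with 12-bit keys, its constants, and the sample keys and plaintexts are all constructed for illustration, so the whole search finishes in about $2^{13}$ cipher operations instead of $2^{24}$.

```python
KEY_BITS = 12                       # toy key size: 4096 keys per stage
MASK = 0xFFFF                       # toy 16-bit block
MUL = 0x6487                        # odd constant, so invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)


def round_key(k, r):
    """Derive a 16-bit round key from the stage key (constructed schedule)."""
    return (((k + 1) * 0x9E3779B1) >> (4 * r)) & MASK


def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def E(k, x):
    """Toy block cipher: 4 rounds of XOR round key, multiply, rotate."""
    for r in range(4):
        x = rotl(((x ^ round_key(k, r)) * MUL) & MASK, 5)
    return x


def D(k, y):
    """Inverse of E: undo each round in reverse order."""
    for r in reversed(range(4)):
        y = ((rotl(y, 11) * MUL_INV) & MASK) ^ round_key(k, r)
    return y


def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))


def meet_in_the_middle(pairs):
    """Return (hits, surviving (k1, k2) pairs) from known plaintext/ciphertext pairs."""
    (p, c), rest = pairs[0], pairs[1:]
    # Step 1: table of D_k2(c) for all k2 (2^k decryptions, 2^k table entries).
    table = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(D(k2, c), []).append(k2)
    # Step 2: for every k1, look E_k1(p) up in the table (2^k encryptions).
    hits, survivors = 0, []
    for k1 in range(1 << KEY_BITS):
        for k2 in table.get(E(k1, p), ()):
            hits += 1
            # "May have to repeat several times": filter hits with more pairs.
            if all(double_encrypt(k1, k2, q) == d for q, d in rest):
                survivors.append((k1, k2))
    return hits, survivors


# Constructed sample: two secret stage keys and three known plaintexts.
K1, K2 = 0x3A7, 0xC15
KNOWN = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    hits, survivors = meet_in_the_middle(KNOWN)
    print("hits on first pair:", hits)
    print("pairs consistent with all known pairs:", survivors)
```

The number of first-pair hits shows why a single plaintext-ciphertext pair is not enough when the combined key is longer than the block.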

Page 27: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Two or Three Keys

• Sometimes only two keys are used in 3-DES

• Identical key must be at beginning and end

• Legal advantage (export license) due to smaller overall key size

• Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standard

Page 28: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Adversary’s Goals

• Final goal: recover key

• Intermediate goals:

  – Reduce key space

  – Discover plaintext patterns

  – Recover portions of plaintext

  – Change ciphertext to produce meaningful plaintext, without breaking the system (active attack)

Page 29: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Generic Attacks

• Exhaustive search

  – Type: ciphertext only

  – Time: $2^{|k|}$ decryptions per ciphertext

  – Storage: constant

• Table lookup

  – Type: chosen plaintext

  – Time: offline $2^{|k|}$ decryptions, online constant

  – Storage: $2^{|k|}$ ciphertexts

Page 30: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

The Problem

• Break ECB mode (known fixed cleartext header)

• The idea:

  – Define $f(k) = Enc_k(\text{constant})$

  – Invert f(k)

• New Problem: Invert f

Page 31: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Time/Space Tradeoffs

• 1st Simple solution:

  – Time $2^{|k|}$ - exhaustive search per message

• 2nd Simple solution:

  – Precompute all $2^{|k|}$ values of f(k)

  – Store in lookup table (hash table)

  – Requires O(1) time per inversion

  – Requires space $O(2^{|k|})$

Page 32: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Hellman (again): can we do better?

• If it so happened that f is a permutation:

  – Choose $L = 2^{|k|/2}$ random start points $s_1, \ldots, s_L$

  – For every such point, compute $t_i = f(f(\ldots f(s_i) \ldots))$, repeated L times.

  – Store a lookup table of values $(t_i, s_i)$, i = 1, …, L, indexed by $t_i$.

Page 33: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Searching for k given f(k)

• Let s=x = f(k)

• Repeat until f(x) = s; if f(x) = s then x = k

  – If $x = t_i$ for some i, let $x = s_i$

  – otherwise let x = f(x)

• Claim: for an arbitrary permutation and arbitrary k, the probability that this inverts k is constant

Page 34: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Why?

• Values of f(k) on a small cycle will be inverted

• Consider what happens when we add the i’th chain $(s_i, t_i)$:

  – If we cover a constant times L new values then we’re done

  – If not, assume that the previous chains have covered less than a constant of the $L^2$ values

• The uncovered values must themselves lie on chains whose average length is a constant times L (as all values lie on some chain)

• Thus, we have a constant probability of covering at least a constant fraction of L new values

Page 35: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

All this does not work when f is not a permutation

• Hellman’s ingenious idea:

  – Don’t invert f(x), invert g(f(x)) for some known random function g.

  – Obviously, if you can invert g(f(x)) then you can invert f(x).

  – Note that if f is not a permutation then g(f) is not a permutation either

Page 36: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Inverting g(f(x))

• Not a permutation:

  – Choose $L = 2^{|k|/3}$ random start points $s_1, \ldots, s_L$

  – For every such point, compute $t_i = f(f(\ldots f(s_i) \ldots))$, repeated L times.

  – Store a lookup table of values $(t_i, s_i)$, i = 1, …, L, indexed by $t_i$.

• Claim: we cover by chains at least a constant fraction of $L^2 = 2^{2|k|/3}$

• Consider the last chain added, we’ve covered at most $2^{2|k|/3}$ values until now, so with constant probability, the new $L = 2^{|k|/3}$ values on the new chain will be entirely new.

Page 37: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Hellman’s next idea

• Use many different g’s

  – Every g will cover a random $2^{2|k|/3}$ set of values.

  – So, choose $L = 2^{|k|/3}$ g’s

• Space required: $L^2 = 2^{2|k|/3}$

• Time required: $L^2 = 2^{2|k|/3}$

Page 38: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

AES - Advanced Encryption Standard

• Symmetric block cipher

• Key lengths: 128, 192, or 256 bits

• Approved US standard (2001)

Page 39: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

AES Design Rationale

• Resistance to all known attacks.

• Speed and code compactness.

• Simplicity.

Page 40: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

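AES Specifications

• Input & output block length: 128 bits.

• State: 128 bits, arranged in a 4-by-4 matrix of bytes.

$$\begin{bmatrix} A_{0,0} & A_{0,1} & A_{0,2} & A_{0,3} \\ A_{1,0} & A_{1,1} & A_{1,2} & A_{1,3} \\ A_{2,0} & A_{2,1} & A_{2,2} & A_{2,3} \\ A_{3,0} & A_{3,1} & A_{3,2} & A_{3,3} \end{bmatrix}$$

Each byte is viewed as an element in $GF(2^8)$

Input/Output: $A_{0,0}, A_{1,0}, A_{2,0}, A_{3,0}, A_{0,1}, \ldots$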

Page 41: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

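AES Specifications

• Key length: 128, 196, 256 bits.

Cipher Key Layout: n = 128, 196, 256 bits, arranged in a 4-by-n/32 matrix of bytes.

$$\begin{bmatrix} K_{0,0} & K_{0,1} & K_{0,2} & K_{0,3} & K_{0,4} & K_{0,5} \\ K_{1,0} & K_{1,1} & K_{1,2} & K_{1,3} & K_{1,4} & K_{1,5} \\ K_{2,0} & K_{2,1} & K_{2,2} & K_{2,3} & K_{2,4} & K_{2,5} \\ K_{3,0} & K_{3,1} & K_{3,2} & K_{3,3} & K_{3,4} & K_{3,5} \end{bmatrix}$$

Initial layout: $K_{0,0}, K_{1,0}, K_{2,0}, K_{3,0}, K_{0,1}, \ldots$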

Page 42: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

AES Specifications

• High level code:

• AES(State,Key)

  – KeyExpansion(Key,ExpandKey)

  – AddRoundKey(State,ExpandKey[0])

  – For (i=1; i<R; i++) Round(State,ExpandKey[i]);

  – FinalRound(State,ExpandKey[R]);

Page 43: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Encryption: Carried out in rounds

[Figure: input block (128 bits) and secret key (128 bits) go in; output block (128 bits) comes out.]

Page 44: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Rounds in AES

128 bits AES uses 10 rounds, no shortcuts known for 6 rounds

• The secret key is expanded from 128 bits to 10 round keys, 128 bits each.

• Each round changes the state, then XORs the round key. (For longer keys, add one round for every extra 32 bits)

Each round complicates things a little. Overall it seems infeasible to invert without the secret key (but easy given the key).

Page 45: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

AES Specifications: One Round

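$$\begin{bmatrix} A_{0,0} & A_{0,1} & A_{0,2} & A_{0,3} \\ A_{1,0} & A_{1,1} & A_{1,2} & A_{1,3} \\ A_{2,0} & A_{2,1} & A_{2,2} & A_{2,3} \\ A_{3,0} & A_{3,1} & A_{3,2} & A_{3,3} \end{bmatrix}$$

Transform the state by applying:

1. Substitution.

2. Shift rows

3. Mix columns

4. XOR round key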

Page 46: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Substitution (S-Box)

Substitution operates on every byte separately: $A_{i,j} \leftarrow A_{i,j}^{-1}$ (multiplicative inverse in $GF(2^8)$, which is highly non-linear).

If $A_{i,j} = 0$, don’t change $A_{i,j}$.

Clearly, the substitution is invertible.

Page 47: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

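Cyclic Shift of Rows

$$\begin{array}{cccc|l} A_{0,0} & A_{0,1} & A_{0,2} & A_{0,3} & \text{no shift} \\ A_{1,3} & A_{1,0} & A_{1,1} & A_{1,2} & \text{shift 1 position} \\ A_{2,2} & A_{2,3} & A_{2,0} & A_{2,1} & \text{shift 2 positions} \\ A_{3,1} & A_{3,2} & A_{3,3} & A_{3,0} & \text{shift 3 positions} \end{array}$$

Clearly, the shift is invertible.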

Page 48: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Mixing Columns

Every state column is considered as a polynomial over $GF(2^8)$

Multiply with an invertible polynomial $03\,x^3 + 01\,x^2 + 01\,x + 02 \pmod{x^4 + 1}$

Inv = $0B\,x^3 + 0D\,x^2 + 09\,x + 0E$

Round:

  Subbytes(State)

  ShiftRows(State)

  MixColumns(State)

  AddRoundKey(State,ExpandedKey[i])

Page 49: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Key Expansion

• Generate a “different key” per round

• Need a 4 x 4 matrix of values (over $GF(2^8)$) per round

• Based upon a non-linear transformation of the original key.

• Details available:

• The Design of Rijndael, Joan Daemen and Vincent Rijmen, Springer

Page 50: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Breaking AES

Breaking 1 or 2 rounds is easy.

It is not known how to break 5 rounds.

Breaking the full 10 rounds AES efficiently (say 1 year on existing hardware, or in less than $2^{128}$ operations) is considered impossible! (a good, tough challenge…)

Page 51: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

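Column Mixing in AES

$$\begin{bmatrix} 87 & F2 & 4D & 97 \\ 6E & 4C & 90 & EC \\ 46 & E7 & 4A & C3 \\ A6 & 8C & D8 & 95 \end{bmatrix} \Rightarrow \begin{bmatrix} 47 & 40 & A3 & 4C \\ 37 & D4 & 70 & 9F \\ 94 & E4 & 3A & 42 \\ ED & A5 & A6 & BC \end{bmatrix}$$

$$\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \cdot \begin{bmatrix} S_{00} & S_{01} & S_{02} & S_{03} \\ S_{10} & S_{11} & S_{12} & S_{13} \\ S_{20} & S_{21} & S_{22} & S_{23} \\ S_{30} & S_{31} & S_{32} & S_{33} \end{bmatrix} = \begin{bmatrix} S_{00}' & S_{01}' & S_{02}' & S_{03}' \\ S_{10}' & S_{11}' & S_{12}' & S_{13}' \\ S_{20}' & S_{21}' & S_{22}' & S_{23}' \\ S_{30}' & S_{31}' & S_{32}' & S_{33}' \end{bmatrix}$$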

Page 52: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

$$\begin{aligned} \{02\}\{87\} + \{03\}\{6E\} + \{46\} + \{A6\} &= \{47\} \\ \{87\} + \{02\}\{6E\} + \{03\}\{46\} + \{A6\} &= \{37\} \\ \{87\} + \{6E\} + \{02\}\{46\} + \{03\}\{A6\} &= \{94\} \\ \{03\}\{87\} + \{6E\} + \{46\} + \{02\}\{A6\} &= \{ED\} \end{aligned}$$

{02}{87} = (0000 0010)(1000 0111) = $x(x^7 + x^2 + x + 1) = x^8 + x^3 + x^2 + x \bmod (x^8 + x^4 + x^3 + x + 1) = x^4 + x^2 + 1$ = (0001 0101) = {15}

{03}{6E} = (0000 0011)(0110 1110) = $(x + 1)(x^6 + x^5 + x^3 + x^2 + x) = x^7 + x^5 + x^4 + x$ = (1011 0010) = {B2}

{02}{87}+{03}{6E}+{46}+{A6} = {15}+{B2}+{46}+{A6} = (0001 0101)+(1011 0010)+(0100 0110)+(1010 0110) = (0100 0111) = {47}

Page 53: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

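$$\begin{bmatrix} 0E & 0B & 0D & 09 \\ 09 & 0E & 0B & 0D \\ 0D & 09 & 0E & 0B \\ 0B & 0D & 09 & 0E \end{bmatrix} \cdot \begin{bmatrix} S_{00} & S_{01} & S_{02} & S_{03} \\ S_{10} & S_{11} & S_{12} & S_{13} \\ S_{20} & S_{21} & S_{22} & S_{23} \\ S_{30} & S_{31} & S_{32} & S_{33} \end{bmatrix} = \begin{bmatrix} S_{00}' & S_{01}' & S_{02}' & S_{03}' \\ S_{10}' & S_{11}' & S_{12}' & S_{13}' \\ S_{20}' & S_{21}' & S_{22}' & S_{23}' \\ S_{30}' & S_{31}' & S_{32}' & S_{33}' \end{bmatrix}$$

$S_{00}'$ = {0E}{02}+{0B}{01}+{0D}{01}+{09}{03} = {0E}{02}+{0B}+{0D}+{09}{03}

{0E}{02} = (0000 1110)(0000 0010) = $(x^3 + x^2 + x)\,x = x^4 + x^3 + x^2$ = (0001 1100) = {1C}

{09}{03} = (0000 1001)(0000 0011) = $(x^3 + 1)(x + 1) = x^4 + x^3 + x + 1$ = (0001 1011) = {1B}

{0E}{02}+{0B}+{0D}+{09}{03} = {1C}+{0B}+{0D}+{1B} = (0001 1100)+(0000 1011)+(0000 1101)+(0001 1011) = (0000 0001) = {01}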
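The $GF(2^8)$ arithmetic behind the substitution and column-mixing slides, as an added Python example (not part of the original slides) that recomputes the worked values above. The function names are this example's own; the state and both matrices are the ones shown on the slides.

```python
def xtime(a):
    """Multiply by x, i.e. by {02}, modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo 0x11B."""
    product = 0
    while b:
        if b & 1:
            product ^= a          # addition in GF(2^8) is XOR
        a = xtime(a)
        b >>= 1
    return product


def ginv(a):
    """Multiplicative inverse as a^254; 0 stays 0, as on the S-Box slide."""
    result, base, exponent = 1, a, 254
    while exponent:
        if exponent & 1:
            result = gmul(result, base)
        base = gmul(base, base)
        exponent >>= 1
    return result


MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def mix_column(matrix, column):
    """Multiply one 4-byte state column by a 4x4 matrix over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coefficient, byte in zip(row, column):
            acc ^= gmul(coefficient, byte)
        out.append(acc)
    return out


def mix_state(matrix, state):
    """Apply mix_column to every column of a state given as four rows."""
    columns = [mix_column(matrix, col) for col in zip(*state)]
    return [list(row) for row in zip(*columns)]


# State from the "Column Mixing in AES" slide, written row by row.
STATE = [[0x87, 0xF2, 0x4D, 0x97],
         [0x6E, 0x4C, 0x90, 0xEC],
         [0x46, 0xE7, 0x4A, 0xC3],
         [0xA6, 0x8C, 0xD8, 0x95]]

if __name__ == "__main__":
    mixed = mix_state(MIX, STATE)
    for row in mixed:
        print(" ".join(f"{b:02X}" for b in row))
    # The inverse matrix undoes the mixing, so the step is invertible.
    print(mix_state(INV_MIX, mixed) == STATE)
```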

Page 54: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Authentication

[Figure: Alice (sender), Fran (forger), Bob (receiver).]

Ensure integrity of messages, even in the presence of an active adversary who sends own messages.

Remark: Authentication is orthogonal to secrecy, yet systems are often required to provide both.

Page 55: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Definitions

• Authentication algorithm - A

• Verification algorithm - V (“accept”/“reject”)

• Authentication key – k

• Message space (usually binary strings)

• Every message between Alice and Bob is a pair $(m, A_k(m))$

• $A_k(m)$ is called the authentication tag of m

Page 56: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Definition (cont.)

• Requirement – $V_k(m, A_k(m))$ = “accept”

  – The authentication algorithm is called MAC (Message Authentication Code)

  – $A_k(m)$ is frequently denoted $MAC_k(m)$

  – Verification is by executing authentication on m and comparing with $MAC_k(m)$

Page 57: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Properties of MAC Functions

• Security requirement – adversary can’t construct a new legal pair $(m, MAC_k(m))$ even after seeing $(m_i, MAC_k(m_i))$ (i = 1, 2, …, n)

• Output should be as short as possible

• The MAC function is not 1-to-1

Page 58: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Adversarial Model

• Available Data:

  – The MAC algorithm

  – Known plaintext

  – Chosen plaintext

• Note: chosen MAC is unrealistic

• Goal: Given n legal pairs $(m_1, MAC_k(m_1)), \ldots, (m_n, MAC_k(m_n))$ find a new legal pair $(m, MAC_k(m))$

Page 59: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Adversarial Model

We will say that the adversary succeeded even if the message Fran forged is “meaningless”. The reason is that it is hard to predict what has and what does not have a meaning in an unknown context, and how Bob, the receiver, will react to such a successful forgery.

Page 60: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Efficiency

• Adversary goal: given n legal pairs $(m_1, MAC_k(m_1)), \ldots, (m_n, MAC_k(m_n))$ find a new legal pair $(m, MAC_k(m))$ efficiently and with non-negligible probability.

• If n is large enough then n pairs $(m_i, MAC_k(m_i))$ determine the key k uniquely (with high prob.). Thus a non-deterministic machine can guess k and verify it. But doing this in poly time should be computationally hard.

Page 61: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

MACs Used in Practice

We describe a MAC based on CBC Mode Encryption, and a MAC based on cryptographic hash functions.

Page 62: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Reminder: CBC Mode Encryption (Cipher Block Chaining)

[Figure: starting from $S_0$, the blocks $P_1, P_2, P_3$ are passed through $E_k$ to give $C_1, C_2, C_3$.]

Previous ciphertext is XORed with current plaintext before encrypting current block.

An initialization vector $S_0$ is used as a “seed” for the process. The seed can be “openly” transmitted.

Page 63: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

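CBC Mode MACs

• Start with the all zero seed.

• Given a message consisting of n blocks $M_1, M_2, \ldots, M_n$, apply CBC (using the secret key k).

[Figure: starting from the seed 0000000, the blocks $M_1, M_2, \ldots, M_n$ are passed through $E_k$ to give $C_1, C_2, \ldots, C_n$.]

• Produce n “ciphertext” blocks $C_1, C_2, \ldots, C_n$, discard first n-1.

• Send $M_1, M_2, \ldots, M_n$ & the authentication tag $MAC_k(M) = C_n$.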
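The ECB and CBC properties listed earlier and the CBC MAC construction of this slide, side by side in one added Python example (not part of the original slides). $E_k$ here is a toy 8-byte Feistel permutation built from SHA-256, an assumption made so the example runs with the standard library alone; the key, seed and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (an assumption of this example)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):
    """Toy keyed permutation standing in for E_k: 4-round Feistel network."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right


def split(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """ECB: encrypt each plaintext block separately."""
    return b"".join(E(key, p) for p in split(plaintext))


def cbc_encrypt(key, seed, plaintext):
    """CBC: XOR the previous ciphertext block into the current plaintext block."""
    previous, out = seed, []
    for p in split(plaintext):
        previous = E(key, xor(p, previous))
        out.append(previous)
    return b"".join(out)


def cbc_mac(key, message):
    """CBC MAC: all-zero seed, keep only the last block C_n as the tag."""
    if not message:
        raise ValueError("message must contain at least one block")
    return cbc_encrypt(key, bytes(BLOCK), message)[-BLOCK:]


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample input: three identical blocks followed by a trailer.
KEY = b"constructed demo key"
SEED = bytes.fromhex("0123456789abcdef")
MESSAGE = b"SAMEDATA" * 3 + b"TRAILER!"


def demo():
    ecb = ecb_encrypt(KEY, MESSAGE)
    cbc = cbc_encrypt(KEY, SEED, MESSAGE)
    reordered = MESSAGE[24:] + MESSAGE[:24]
    return {
        # ECB does not conceal plaintext patterns; CBC does.
        "ecb_repeats": repeated_blocks(ecb),
        "cbc_repeats": repeated_blocks(cbc),
        # Interchanging ECB ciphertext blocks interchanges plaintext blocks.
        "ecb_reorder_valid": ecb_encrypt(KEY, reordered) == ecb[24:] + ecb[:24],
        "cbc_reorder_valid": cbc_encrypt(KEY, SEED, reordered) == cbc[24:] + cbc[:24],
        "tag": cbc_mac(KEY, MESSAGE).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```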

Page 64: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Security of CBC MAC [BKR]

• Claim: If $E_k$ is a pseudo random function, then CBC MAC is resilient to forgery.

• Proof outline: Assume CBC MAC can be forged efficiently. Transform the forging algorithm into an algorithm distinguishing $E_k$ from random function efficiently.

Page 65: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Combined Secrecy & MAC

• Given a message consisting of n blocks $M_1, M_2, \ldots, M_n$, apply CBC (using the secret key $k_1$) to produce $MAC_{k_1}(M)$.

• Produce n ciphertext blocks $C_1, C_2, \ldots, C_n$ under a different key, $k_2$.

• Send $C_1, C_2, \ldots, C_n$ & the authentication tag $MAC_{k_1}(M)$.

Page 66: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Hash Functions

• Map large domains to smaller ranges

• Example $h: \{0, 1, \ldots, p^2\} \to \{0, 1, \ldots, p-1\}$ defined by $h(x) = ax + b \bmod p$

• Used extensively for searching (hash tables)

• Collisions are resolved by several possible means – chaining, double hashing, etc.

Page 67: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Collision Resistance

• A hash function $h: D \to R$ is called weakly collision resistant for $x \in D$ if it is hard to find $x' \neq x$ such that $h(x') = h(x)$

• A function $h: D \to R$ is called strongly collision resistant if it is hard to find $x, x'$ such that $x' \neq x$ but $h(x) = h(x')$

Page 68: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Cryptographic Hash Functions

Cryptographic hash functions are hash functions that are strongly collision resistant.

• Notice: No secret key.

• Should be very fast to compute, yet hard to find colliding pairs (impossible if P=NP).

• Usually defined by:

  – Compression function mapping n bits (e.g. 512) to m bits (e.g. 160), m < n.

Page 69: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Extending to Longer Strings

[Figure: starting from the Seed, H is applied in turn to $M_1, M_2, \ldots, M_k$ to give h(M).]

D --> R (fixed sets, typically $\{0,1\}^n$ and $\{0,1\}^m$)

Page 70: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Extending the Domain (cont.)

• The seed is usually constant

• Typically, padding (including text length of original message) is used to ensure a multiple of n.

• Claim: if the basic function H is collision resistant, then so is its extension.

Page 71: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Lengths

• Input message length should be arbitrary. In practice it is usually up to $2^{64}$, which is good enough for all practical purposes.

• Block length is usually 512 bits.

• Output length should be at least 160 bits to prevent birthday attacks.

Page 72: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Real-World Hash Functions

• MD family (“message digest”)

  – MD-2

  – MD-4 (full description in Stinson’s book)

  – MD-5

• SHA and SHA-1 (secure hash standard, 160 bits) (www.itl.nist.gov/fipspubs/fip180-1.htm)

• RIPE-MD

• SHA-256, 384 and 512 (proposed standards, longer digests)

Page 73: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

Basing MACs on Hash Functions

• First goal: combine message and secret key, hash and produce MAC

• Second goal: work with any cryptographic hash function

• First attempt: $MAC_k(m) = h(k, m)$

• Second attempt: $MAC_k(m) = h(m, k)$

Page 74: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

HMAC

• Proposed in 1996 by [Bellare Canetti Krawczyk]

– Internet engineering task force RFP

• Receives as input a message m, a key k and a hash function h

• Outputs a MAC by:

  – $HMAC_k(m, h) = h(k \oplus opad, h(k \oplus ipad, m))$

• Theorem [BCK]: HMAC can be forged if and only if the underlying hash function is broken (collisions found).

• FIPS Standard: The keyed hash message authentication code
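The HMAC formula above computed step by step and checked against Python's own `hmac` module, as an added example (not part of the original slides). The slide does not give the pad values or the key handling; the example takes them from the HMAC specification: ipad is the byte 0x36 and opad the byte 0x5C repeated over one hash block, and the key is zero-padded to the block length (hashed first if longer). SHA-256 is chosen here as h; the key and messages are constructed samples.

```python
import hashlib
import hmac


def hmac_from_definition(key, message, hash_name="sha256"):
    """Compute h(k XOR opad, h(k XOR ipad, m)) with the named hash as h."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 64 bytes for SHA-256
    if len(key) > block_size:
        key = h(key)                                  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")              # then zero-padded to a block
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = h(k_ipad + message)
    return h(k_opad + inner)


def verify_tag(key, message, tag, hash_name="sha256"):
    """Verification: recompute the tag on m and compare in constant time."""
    expected = hmac_from_definition(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed shared key"                   # constructed sample values
    message = b"transfer 100 to account 42"
    tag = hmac_from_definition(key, message)
    print(tag.hex())
    print(tag == hmac.new(key, message, hashlib.sha256).digest())
    print(verify_tag(key, message, tag))
    print(verify_tag(key, b"transfer 900 to account 42", tag))
```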

Page 75: Introduction to Modern Cryptography Makeup Class                       Symmetric Encryption:

HMAC in Practice

• SSL / TLS

• WTLS

• IPSec:

  – AH

  – ESP