Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez
Jan 12, 2016
Problem
You are designing a banking application that will be accessed by thousands of users.
Security of passwords is a key factor: they must be protected from people outside and inside the organization.
How do you store passwords in the database?
One approach
Encrypt passwords using a key. When the information is needed, decrypt it using the same key!
Example (very simple): given a character, encrypt it by replacing it with another. What is the idea?
Character | ASCII code | Encrypted
A         | 01000001   | 10110010
B         | 01000010   | 10100101
IDEA: "hi" = decrypt(encrypt("hi"))
What is the problem with this approach?
If someone accesses this database and knows the key (even people from IT or support), all passwords would be revealed!
User     | Pwd (encrypted using a key)
aagui003 | bbhrt
aaoni001 | jhlkhj
A better approach
One-way hash functions (this talk is about these)
One-way function
A function y = f(x) is one-way if it is easy to compute y from x but "hard" to compute x from y.
However, nobody has proved that such functions exist!
A possible definition is: f(x) can be obtained in polynomial time, while f^{-1}(x) is NP-hard.
An example of one-way functions
Unique factorization theorem: every integer has a unique factorization as a product of primes.
Factoring
Given two large prime numbers u, v, consider y = f(u, v) = u * v. It is polynomial-time computable.
However, given y, can we calculate u and v easily? NO.
Hash function
Maps a message of variable length m to a fingerprint of fixed length n bits, where m >= n.
Fundamental properties: compression, easy to compute.
Can be used to detect changes, since a modification (even of a single bit) would change the hash value.
One-way hash functions
y = h(x), where:
given x, calculating h(x) is easy;
given y, calculating any x such that y = h(x) is hard; AND
y is of fixed length, independent of the size of x (a compression function is needed for large inputs).
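To see the last two properties on real hash output, here is an added example (not code from the talk) that uses SHA-256 from Python's standard library as h; the choice of SHA-256 and the sample inputs are assumptions for the example. The digest length stays at 256 bits whatever the input size, and flipping a single input bit changes a large fraction of the output bits, which is what makes a hash usable for detecting modifications.

```python
import hashlib


def h(x: bytes) -> bytes:
    """One-way hash y = h(x); SHA-256 stands in for h (assumption for this example)."""
    return hashlib.sha256(x).digest()


def flip_bit(x: bytes, bit_index: int) -> bytes:
    """Return a copy of x with one bit inverted (bit 0 is the lowest bit of byte 0)."""
    buf = bytearray(x)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(p ^ q).count("1") for p, q in zip(a, b))


def output_bits(x: bytes) -> int:
    """Length of h(x) in bits: fixed at 256 regardless of len(x)."""
    return len(h(x)) * 8


def changed_bits_after_flip(x: bytes, bit_index: int = 0) -> int:
    """How many of the 256 digest bits change when one input bit is flipped."""
    return hamming_distance(h(x), h(flip_bit(x, bit_index)))


if __name__ == "__main__":
    # Constructed sample inputs of very different sizes.
    for sample in (b"", b"hi", bytes(10_000)):
        print(len(sample), "bytes in ->", output_bits(sample), "bits out")
    print("bits changed by a one-bit flip:", changed_bits_after_flip(b"hi"))
```

For a well-designed hash the flip changes roughly half of the 256 output bits; the exact count depends on the input, so the property to check is "many bits, not a localized change".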
Two questions
Is it easy to come up with new one-way hash functions?
What do we need to build such functions?
Easy to compute (in general, it is a public algorithm); hard to invert (2^n different outputs!); a compression function; collision resistance.
Collision
Given x_1, x_2 and a hash function h, a collision exists if h(x_1) = h(x_2). Is this possible?
YES. Why? It is a many-to-one function: the input domain is greater than the output domain. Therefore, good one-way hash functions should be collision resistant!
Collision resistant?
The Birthday paradox
Consider the probability Q_1(n, d) that no two people out of a group of n will have matching birthdays out of d equally possible birthdays.
http://mathworld.wolfram.com/BirthdayProblem.html
Q_1(n, d) = \frac{d!}{(d - n)!\, d^n}
In general, let Q_i(n, d) denote the probability that a birthday is shared by i people out of a group of n people; then the probability that a birthday is shared by two people (that two do have the same birthday) is
P_2(n, d) = 1 - Q_1(n, d)
and the probability that a birthday is shared by k or more people is
P_k(n, d) = 1 - \sum_{i=1}^{k-1} Q_i(n, d)
...birthday paradox
An approximation for the minimum number of people needed to get a 50-50 chance that two have a match within k days out of d possible is given by:
n(d, k) \approx 1.2 \sqrt{\frac{d}{2k + 1}}
n(365, 0) \approx 1.2 \sqrt{365} \approx 22.93
How many people do we need in this classroom for a 50-50 chance?
(Sevast'yanov 1972, Diaconis and Mosteller 1989).
What about OWHFs?
Birthday attacks for OWHFs
Given y = h(x), where y has a fixed length of n bits, 2^n outputs can be obtained. Since x is of variable length, |x| > |y| in some cases, so h(x) is a many-to-one function!
How many attempts are necessary so that h(x_1) = h(x_2) (probability of success >= 0.5)? Use the formula we just explained, with d = 2^n and k = 0:
n(d) \approx 1.2 \sqrt{d} = 1.2 \sqrt{2^n} = 1.2 \cdot 2^{n/2}
To be collision resistant, how big should n be?
64 bits is now regarded as too small; 128-512 proposed.
Output length n | n(d) ≈ 2^{n/2} attempts
64 bits         | 2^32
128 bits        | 2^64
160 bits        | 2^80
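The birthday-paradox formulas above and their application to an n-bit hash, worked through in an added Python example that is not part of the talk. It computes Q_1(n, d) exactly as a running product, finds the smallest group with even odds for d = 365 (the classroom question), compares it with the slide's 1.2 sqrt(d) approximation, tabulates 1.2 * 2^(n/2) for the output lengths in the table, and then checks the prediction empirically: SHA-256 truncated to its top 24 bits stands in for a 24-bit hash (an assumption for the experiment, as are the constructed messages msg-0, msg-1, ...), and counting how many of those messages have to be hashed before two share a value shows why a short output length cannot be collision resistant.

```python
import hashlib
import math


def q1_exact(n: int, d: int) -> float:
    """Q_1(n, d) = d! / ((d - n)! d^n), computed as a running product to avoid huge factorials."""
    if n > d:
        return 0.0
    q = 1.0
    for i in range(n):
        q *= (d - i) / d
    return q


def q1_approx(n: int, d: int) -> float:
    """exp(-n(n-1)/(2d)); usable when d is as large as 2^n and the exact product is infeasible."""
    return math.exp(-n * (n - 1) / (2 * d))


def p2(n: int, d: int) -> float:
    """P_2(n, d) = 1 - Q_1(n, d): probability that at least two people share a birthday."""
    return 1.0 - q1_exact(n, d)


def people_for_even_odds(d: int) -> int:
    """Smallest n with P_2(n, d) >= 0.5 (23 for d = 365)."""
    n = 1
    while p2(n, d) < 0.5:
        n += 1
    return n


def n_approx(d: int, k: int = 0) -> float:
    """The slide's approximation n(d, k) ~ 1.2 sqrt(d / (2k + 1))."""
    return 1.2 * math.sqrt(d / (2 * k + 1))


def attempts_for_n_bit_hash(n_bits: int) -> float:
    """Same formula with d = 2^n and k = 0: about 1.2 * 2^(n/2) attempts."""
    return 1.2 * 2 ** (n_bits / 2)


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Keep only the top n_bits of SHA-256 to emulate an n-bit hash (assumption for the experiment)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def attempts_until_collision(n_bits: int, limit: int = 10**6):
    """Hash constructed messages msg-0, msg-1, ... until two share an n-bit value.
    Returns (attempts, first_msg, second_msg), or None if limit is reached first."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        t = truncated_hash(m, n_bits)
        if t in seen:
            return i + 1, seen[t], m
        seen[t] = m
    return None


if __name__ == "__main__":
    print("people for 50-50 at d=365:", people_for_even_odds(365),
          "approx", round(n_approx(365), 2))
    for bits in (64, 128, 160):
        print(f"{bits}-bit hash: ~{attempts_for_n_bit_hash(bits):.3g} attempts")
    result = attempts_until_collision(24)
    print("24-bit truncation collided after", result[0],
          "attempts (predicted ~%.0f)" % attempts_for_n_bit_hash(24))
```

The exact product is only practical for small d; for d = 2^128 the exp(-n(n-1)/(2d)) form is the one to use, and it gives the same 1.2 * 2^(n/2) scale. The 24-bit experiment finds a collision after a few thousand hashes rather than the 16 million an exhaustive search would suggest, which is the whole point of the table above.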
General structure of OWHF's
(Figure: arbitrary-length input -> iterated compression function -> fixed-length output -> optional transformation -> output)
Details:
Preprocessing: take the original input x, append padding bits and append a length block, giving the formatted input x_1, x_2, ..., x_t.
Iterated processing with the compression function f: H_0 = IV and H_i = f(H_{i-1}, x_i) for i = 1, ..., t.
Output: h(x) = g(H_t), where g is the optional output transformation.
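The structure in the figure, as an added example (not code from the talk): preprocessing pads x and appends a length block, the chaining values H_i are produced by iterating a compression function f from H_0 = IV, and h(x) = g(H_t). The choices made here are assumptions for the example, not parameters of any standard hash: a 32-byte block size, an all-zero IV, SHA-256 over H_{i-1} || x_i as the stand-in compression function, and the identity as g.

```python
import hashlib
import struct

BLOCK_BYTES = 32          # size of each formatted block x_i (assumption)
LENGTH_BYTES = 8          # the length block holds |x| in bits as a 64-bit integer
IV = bytes(32)            # H_0 = IV; an all-zero IV is a constructed value for this example


def preprocess(x: bytes) -> list:
    """Preprocessing: append padding bits, then the length block, and split into x_1 ... x_t."""
    padded = x + b"\x80"                      # a single 1 bit followed by zeros
    while (len(padded) + LENGTH_BYTES) % BLOCK_BYTES != 0:
        padded += b"\x00"
    padded += struct.pack(">Q", len(x) * 8)   # length block: |x| in bits, big-endian
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def f(h_prev: bytes, x_i: bytes) -> bytes:
    """Compression function H_i = f(H_{i-1}, x_i): fixed-size in, fixed-size out.
    SHA-256 over the concatenation is the stand-in f (assumption)."""
    return hashlib.sha256(h_prev + x_i).digest()


def g(h_t: bytes) -> bytes:
    """Optional output transformation; the identity here."""
    return h_t


def owhf(x: bytes) -> bytes:
    """h(x) = g(H_t) with H_0 = IV and H_i = f(H_{i-1}, x_i) for i = 1 ... t."""
    h_i = IV
    for x_i in preprocess(x):
        h_i = f(h_i, x_i)
    return g(h_i)


if __name__ == "__main__":
    # Constructed inputs chosen to sit on both sides of a block boundary.
    for sample in (b"", b"abc", bytes(23), bytes(24)):
        blocks = preprocess(sample)
        print(f"{len(sample):3d} bytes -> {len(blocks)} block(s) -> h(x) = {owhf(sample).hex()}")
```

Appending the length block is what lets a collision in h be traced back to a collision in f, so the collision resistance of the whole construction rests on that of the compression function. Because g is the identity, h(x) exposes the final chaining value H_t; that is the reason a bare iterated hash should not be used directly as a keyed message authenticator, and why constructions such as HMAC exist.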
Two known OWHF's
MD5: from Ronald Rivest (the R from RSA) [1992]. Produces a 128-bit hash value. MD5 is widely used; however, collisions were detected (Wang, 2004).
SHA1: designed by the National Institute of Standards and Technology (NIST) as an "upgrade" from MD5. Produces 160-bit hash values.
Going back to our problem
Save a pair <user, hash_of_passw>
<user01, 9dd4e461268c8034f5c8564e155c67a6>
Now, if somebody (inside or outside) accesses the passwords table, each entry would have to be attacked individually!
An authentication algorithm would look as follows:
if MD5(passw_typed) == hash_of_passw:
    CorrectPassword = true
else:
    CorrectPassword = false
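The storage scheme and check from the slide, written out in Python beside a hardened form, as an added example that is not code from the talk. With a bare MD5 two users who chose the same password get the same stored value, and an unsalted hash can be compared against a precomputed table, so the entries are not really independent. A per-user random salt is what makes each entry attackable only individually, and a deliberately slow derivation makes every guess cost. PBKDF2-HMAC-SHA256 from the standard library is used for that; the 600,000 iteration count, the 16-byte salt and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

# --- The scheme on the slide: store <user, MD5(password)> and compare hashes ---

def md5_record(password: str) -> str:
    """hash_of_passw as stored by the scheme on the slide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_check(passw_typed: str, hash_of_passw: str) -> bool:
    """The slide's check, with the plain == comparison as written there."""
    return md5_record(passw_typed) == hash_of_passw


# --- Hardened form: per-user salt, slow key derivation, constant-time compare ---

PBKDF2_ITERATIONS = 600_000   # assumption; tune so one check takes tens of milliseconds


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store salt, iteration count and derived key instead of a bare hash."""
    salt = os.urandom(16)     # random per user: identical passwords no longer share a record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(passw_typed: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", passw_typed.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed users; two of them chose the same password.
    users = {"user01": "x", "user02": "x", "user03": "letmein"}
    print("MD5 table (same password -> same hash, visible at a glance):")
    for u, pw in users.items():
        print(" ", u, md5_record(pw))
    print("Salted PBKDF2 table (same password -> different records):")
    table = {u: make_record(pw) for u, pw in users.items()}
    for u, rec in table.items():
        print(" ", u, rec["hash"][:16] + "...")
    print("verify user01/x:", verify("x", table["user01"]),
          " verify user01/y:", verify("y", table["user01"]))
```

The iteration count is stored with each record so it can be raised later for new passwords without invalidating old ones; hmac.compare_digest avoids leaking through timing how much of a guess matched.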
Other uses
Digital signatures; antivirus; software validation.
Used to store passwords in some Linux implementations.
Thank you
Questions?