Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Cryptography
Hash Functions
Agenda
• Hash Functions
– Properties
– Uses
– General Design
– Examples: MD4, MD5, SHA-0, SHA-1, SHA-
256
– Collision Attacks – General Method
– SHA3 competition
Hash Properties
• Map bit strings of arbitrary length to fixed-
length outputs
h = hash(m), h is fixed-length, short
• Not injective, but collisions unlikely
– Example: 2160 possible values
• Computationally infeasible to generate
collisions
• Computationally infeasible to invert
Hash Properties
• Preimage resistant: given h, hard to find m
such that h = hash(m)
• Second preimage resistant: given m1, hard
to find m2 (≠ m1) such that
hash(m1) = hash(m2)
• Collision-resistant: hard to find m1 and m2,
m2 ≠ m1, such that hash(m1) = hash(m2)
In Practice
• Heuristics
• Simple operations, performance:
– Iterative, series of rounds
– Diffusion through logical operations, addition,
shifts, rotates
Uses
• Data integrity:
– Error detection
• Attacker can still modify file and recompute hash
– Forgery, modification - MAC
• Shorten data for signing
• Data Structures:
– Hash list
– Hash (Merkle) Tree
– Hash Table
Hash - Uses
• Integrity – Error Detection
– Hash file/message
– Attacker can still modify file and recompute hash
• Integrity – prevent forgery, modification
– MAC (keyed hash)
• Authentication
– Signature: hash data to shorten (for efficiency) then encrypt with public
key algorithm
– Append shared secret to unencrypted data then hash
• Random bits
• Data Structures:
– Hash list
– Hash (Merkle) Tree
– Hash Table
MAC
• Message Authentication Code – keyed
hash
• Examples:
– Encrypt hash with symmetric key cipher
– HMAC H(H(K c1) || H((K c2) || m))
CBC-MAC
(tag)
Need to be careful in designing a MAC:
Without knowing the key k, can ask to calculate the CBC-MAC tag of any message
Produce a MAC for a new message:
use two message-tag pairs (m,t) and (m',t’),
m and m' : single blocks (can be random)
(m || (t m’), t’) : valid message-tag pair
CBC-MAC of m || (t m’) is t’ (see next slide)
CBC-MAC
• two message-tag pairs (m,t) and (m',t’),
• m and m' : single blocks (can be random)
• CBC-MAC of m || (t m’) is also t’
• when computing CBC, result from m is t (“ciphertext” from
block cipher)
• then continuing CBC mode:
• t is XORed with t m’
• t m’ t = m’ and the result is the next input to the
block cipher
• thus the output is t’
• therefore, (m || t m’, t’) is a valid message-tag pair
MAC
• MAC: H(Key | message)
• Append attack
– With most current hashes that “chain” blocks
can get a valid MAC for H(Key | message |
message’)
• Put the secret at the end of the message
• Don’t use all the output bits as the MAC
HMAC
• Append 0’s to key until have 512 bits
• XOR with constant and prepend to data
• Hash
• XOR key with different constant and prepend to result
• Hash again
• If H is secure, so is HMAC:
• Collision resistant
• If given HMAC(key,x), can’t compute HMAC(key,y) without
knowing key
Generating “Random” Bits
Alice Bob
Ra --------------->
<--------------- H(K | Ra), Rb
H(K | Rb) ----------------->
H is a hash function
K is a shared secret
Ra,Rb are random values
Storing Passwords
h21
m1 m2 m3 m4 m5 m6 m7 m8
Hash Tree
h41
h31 h32
m1 m2 m3 m4 m5 m6 m7 m8
General Structure
Message m padded to M, a multiple of a fixed-length block
M is divided into segments m1,m2, … mn
m1 m2 …… mn
IV F F F hash value
…
Merkle-Damgard, 1989
F is called the compression function
Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”
Typically, a function operates on chaining variables then adds to mi
General Structure
• Padding
– “100…0”
– MD4, MD5: last 64 bits depend on first block
– SHA*: last bits depend on length of message
General Structure
m1 m2 …… mn
IV F F F hash value
…
/* Save A, B, C,D */
AA = A BB = B CC = C DD = D
Output A,B,C,D
compression function
Note: each word rotates through each of the four positions for each value of s
X[k] (M) combined with A,B,C,D
for (i = 0 to N/16-1) {
/* Copy block i into X */
For (j = 0 to 15) { X[j] = M[i*16+j] }
/* Save A, B, C,D */
AA = A BB = B CC = C DD = D
Same as MD4
RIPEMD, Haval
• RIPEMD - modified MD4
– Rotation changed
– Order of message words altered
– Two instances run in parallel with different constants; at end of
each block, output of each added to chaining variables
Rotating segments
function operating on chaining variables
of chaining variable
Output :
SHA-256
Pad the message M
Break into N 512-bit blocks
Initialize H
for i = 1 to N {
Populate W with block i and rotate
Initialize intermediate variables a,b,c,d,e,f,g,h
64 rounds
Update H
}
Output H
SHA-256
logical functions, inputs are 32-bit words
Output :
Collisions - Uses
• Generate meaningful files with the same
hash
• Example: Code download – replace code,
hash file remains unchanged
Birthday Paradox
• 23 people in a room
• probability 2 have same birthday is 50%
In general:
• Given “random” mapping H(xi) = yi
• n inputs, k possible outputs
• n(n-1)/2 possible input pairs
• probability H(xi) = H(xj) is 1/k
• Approximation:
– need k/2 pairs for 50% probability so want n > (k) ½ (for match)
• Attack
– Two certificates identical except for RSA modulus: n1, n2 n1
≠n2
– MD5(n1) = MD5(n2)
m1 m2 …… mn
IV F F F hash value
…
MD4(M) = MD4(M’)
m1[16] = {
0xa8b1b641, 0x08d2ecaf, 0x27d7c1a1, 0x99044241,
0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
0x701c8b69, 0x045095eb, 0x92012e03, 0x71ed419e
}
MD5 – Prior Collisions
• Bert den Boer and Bosselaers: pseudo-
collision for MD5 - same message with
different IVs
• Dobbertin: two different 512-bit messages
with a chosen initial value different from
that in MD5
MD5 Collisions
nc = no carry
SHA-0 Collisions
• Biham and Chen 2004
– started at i > 17
– start at i = 22, work O(256) hashes
– near collisions with work O(240) hashes
• Biham and Chen (2004), Joux (2004), Wang and
Yu (2005)
– Multi-block collisions
– Use near collisions in several blocks to produce
overall collision
– Used with above, Joux had first full collision, work
O(251) hashes
SHA-1 Collisions
• Rijmen and Oswald 2005: collisions for 53
reduced-round version
• Wang, Yin, Yu 2005: Collisions without
padding on full 80 rounds, work O(269)
hashes
• Wang, Yao, Yao 2005: Improved above
attack to work O(263) hashes
• Rechberger and De Cannière 2006: way
to choose part of the message
SHA-256
• Round function has local collision with
probability in the range 2-9 to 2-39
• Message expansion is more complicated
than SHA-0, SHA-1
– Expansion block from 16 to 64 words
Colliding Certificates
• Fill in all fields except for
– RSA public key modulus, n
– signature (except for first zero byte - to prevent bit string from being a negative
integer)
• Three requirements:
– compliant to X.509 and the ASN.1 DER
– byte lengths of modulus, n, and public exponent, e, fixed in advance
• Can fix e as “Fermat-4” number e = 65537. Same e used in both certificates.
– position where public key modulus starts is an exact multiple of 64 bytes after the
beginning of the “to be signed” part – do by adding dummy information to the
subject Distinguished Name. i.e. want part prior to n to be an integral number of
message blocks to which the message blocks containing n are appended when
computing the MD5 hash
• Run MD5 on the first portion of the “to be signed” part, truncated at the
position where n starts This input to MD5 is an exact multiple of 512 bits.
Suppress the padding normally used in MD5, use output as IV to for the
next step. i.e. this would be the chaining variable input to the iteration in
which n starts to be processed
• Construct two different 1024 bit strings b1 and b2 for which the MD5
compression function with the IV from the previous step produces a collision
Colliding Certificates
• Construct two RSA moduli from b1 and b2 by appending to each the same
1024-bit string b
– Generate random primes p1 and p2 of ~512 bits, such that e is coprimeto p1 − 1
and p2 − 1
– Compute b0 between 0 and p1p2 such that p1|b121024 + b0 and p2|b221024 + b0
For k = 0, 1, 2, . . .,
• compute b = b0 + kp1p2;
• Check if both q1 = (b121024 + b)/p1 and q2 = (b221024 + b)/p2 are primes
• Check if e is coprime to both q1 − 1 and q2 − 1
• If k is such that b 21024, restart with new random primes p1, p2
Stop when q1 and q2 have been found; output
• n1 = b121024 + b
• n2 = b221024 + b
• p1, p2, q1, q2
• Expect that this algorithm will produce in a reasonable time, two RSA moduli
n1 = p1q1 and n2 = p2q2, that will form an MD5-collision with the specified IV
– p1 and p2 are around 500 bits in size, usually takes a few minutes
– few days when 512 bit p1, p2 and 1536 bit q1, q2 (search space for k nearly
empty)
Colliding Certificates
• Insert the modulus n1 into the certificate - “to be signed”
part is complete
• Compute the MD5 hash of the entire “to be signed” part
(including MD5-padding, standard MD5-IV)
m1 m2 m3 m4
• Binary tree
– Block cipher, PRP construct
as nodes
– double computational work
hash
Alternatives
• Hybrid
– CMC mode or chaining on segments
– Subset of output forms next layer
– collision implies X1 X4
weakness in block cipher M M M M
T
segment
output
Segment Processing
IV 128 128
… 128 input
…
128 128 128 128
… 128 128
segment
128
output
• Elastic Chaining mode:
– Only forward diffusion
… but less memory/intermediate state than CMC mode
– If key is based on first block, collision implies weakness in block cipher
– Use elastic version of 128-bit cipher or a 256-bit cipher
Segment Processing
• Don’t use existing forward chaining in segment –
differential attack applies to segment
m11 m12 m13 m14 m1l
x13
=Z
IV x12 segment
F F F F F output
x12 x22 = x