Hashing, MACs, RSA

1
Hashing, MACs, RSA

• Sandy Kutin
• CSPP 532
• 7/17/01

2
Rehash Why do we hash?

• Hash functions boil long message down to a few
  bits
• Alice signs hash with public key
• Authentication (Bob knows Alice sent it)
• Non-repudiation (Bob can prove Alice sent it)
• Data integrity no one else can alter data
• Bit commitment used in many protocols

3
Rehash What is a hash?

• What makes H a hash function?
• Takes any size input
• Produces fixed-size output (n bits)
• H(M) is easy to compute
• Given h, it is hard to solve H(M) h for M
• Given N, it is hard to solve H(M) H(N) for M
  (weak collision resistance) (2n steps)
• It is hard to find M, N such that H(M) H(N)
  (strong collision resistance) (2n/2 steps)

4
Rehash How do we hash?

• Most hashes are built using a one-way compression
  function mn bits to n bits
• Divide message into k blocks of m bits
• hi ƒ(Mi, hi-1) (h0 is a fixed initial
  value)
• Output is H(M) hk

5
A MoDESt Proposal

• One idea use encryption (e.g., DES)
• h0 IV
• hi ƒ(Mi, hi-1) EMi(hi-1)
• Problem 1 slow
• Problem 2 export restrictions

6
Problem 3 Insecure

• Can construct 2 blocks XY, H(XY) h
• Need X, Y so that EY(EX(h0)) h
• Try 2n/2 Xs, 2n/2 Ys, see if EX(h0) DY(h)
• Birthday attack works on DES, AES,
• Could pick M1,,Mk-2, solve EX(hk-2) DY(h)

7
Specific Hashes MD5

• MD5 (Rivest, 1992) 128-bit hash, 512-bit blocks
  (similar to MD4, 1990)
• (MD Message Digest)
• Simplified versions have been cryptanalyzed, but
  not MD5 itself
• But strong collision resistance only 64-bit
• Not really long enough nowadays
• Like DES now being phased out

8
Specific Hashes SHA

• SHA (or SHA-1) NIST, NSA, 1995
• 160-bit hash, 512-bit blocks
• Used in DSS (Digital Signature Standard)
• May 30, 2001 NIST announced 3 more

9
Specific Hashes RIPEMD

• RIPE-MD developed in Europe (1996-7)
• RIPEMD-160 160-bit hash, 512-bit blocks (same
  as SHA-1)
• Comparable to SHA-1 in speed, security
• Both are roughly half the speed of MD5
• American standard is SHA-1 (for now)
• SHA-256, SHA-384, SHA-512 match key lengths in
  AES

10
Message Authentication Codes

• A hash is public anyone can compute it
• We used digital signatures only Alice can
  compute Dpa(H(M)), anyone can check
• Another idea CK(M) using secret key
• Message Authentication Code (MAC)
• Authentication (but not non-repudiation)
• Data integrity

11
What makes a MAC?

• What makes CK(M) a MAC?
• Any size M, easy-to-compute fixed-size output
• Given K, N, hard to solve CK(M) CK(N)
• (weak collision resistance for Alice, Bob)
• Given K, it is hard to solve CK(M) CK(N)
• (strong collision resistance for Alice, Bob)
• Given signed pairs (M, CK(M)), but not K, it is
  hard to find more
• (Eve cant solve for K, find collisions, or
  otherwise construct a message and a valid MAC)

12
Encryption-Based MACs

• Simplest idea CK(M) EK(H(M))
• Only as good as weakest link
• Better Encrypt in CBC mode
• C1 EK(M1)
• Ci EK(Mi ? Ci-1)
• CK(M) is last Ci
• DES-CBC is current FIPS-approved MAC
• Speed, export issues wrong tool for job

13
Hash-based MACs

• One idea CK(M) H(K M)
• Effectively a hash with secret initial value
• Problem Given M, CK(M), can find CK(M N)
• Solution HMAC (Bellare, Canetti, Krawczyk,
  1996 NIST 1/01)

14
HMAC

• Pad n-bit key K up to m bits, if necessary
• Si K ? 00110110..., So K ? 01011010
• First, compute x H(Si M), pad x to m bits
• HMACK(M) H(So x)
• Only three extra calls to ƒ

15
HMAC Attack

• We can precompute 2 of the 3 extra calls
• Use any H we want (MD5, SHA-1, )
• HMAC is secure as long as H is secure
• Birthday attack fails if K is unknown
• MD5 is fine

HMACK(M)
ƒ
Si
So
M1
Mk
ƒ
ƒ
ƒ
ƒ
IV
IV
x
h1
hk-1
16
Whats next?

• Weve discussed several primitives
• Symmetric Encryption
• Hashes
• Message Authentication Codes
• Theres one primitive we havent discussed

17
Public Key
Infrastructure
18
The Key Idea

• Public key uses asymmetric encryption
• Bob has a public encryption function EB
• Trapdoor one-way function
• Easy to compute
• Invertible, and Bob knows secret Db EB-1
• For Eve to invert EB, shed need to guess b
• Alice computes EB(M) only Bob can decrypt
• Diffie, 1975. Question how do we do it?

19
VeRSAtile Solution

• RSA (Rivest, Shamir, Adleman, 1977)
• Bob computes primes p, q, and Npq
• Bob computes d,e, so de ? 1 mod ?(N)
• Public key (N, e). Private key (N, d)
• Encryption (Alice) C EB(M) ? Me mod N
• Decryption (Bob) M Db(C) ? Cd mod N
• By Eulers Theorem Med ? M mod N
• So, Db(EB(M)) M, Bob can read M

20
Vice VeRSA

• Note that, ?M, Mde ? Med ? M mod N
• Order doesnt matter
• Only Bob can compute S ? Md mod N
• Anyone else can verify M ? Se mod N
• Digital Signature
• Gives us authenticity, non-repudiation
• (As weve said usually applied to H(M))

21
Factoring in Attacks

• Say Eve knows N, e, C, wants to read M
• Could factor N, solving for p and q
• Then easy to compute ?(N), solve for d
• How hard is it to factor?
• Best known method Number Field Sieve
• Between polynomial and exponential time
• Of course, no one can prove anything

22
How hard is factoring?

• From Schneiers Applied Cryptography
• MIPS-year 100 MHz Pentium for a week
• Rivest, 1977 125 digits should take 40
  quadrillion years
• 8/1999 512-bit prime
• (155 decimal digits)
• Distributed computing
• Took 8000 MIPS-years
• 7 months (3.7 sieving)

23
An ERSAtz Attack

• Can Eve find ?(N)? Then, d ? e-1 mod ?(N).
• Say we knew N pq, ?(N) (p-1)(q-1).
• Then let Z N - ?(N) 1 we know Z
• Z pq - (pq - p - q 1) 1 p q
• (x - p)(x - q) x2 - Zx N this is solvable
• So, if we knew ?(N), wed know p, q
• Therefore, finding ?(N) is as hard as factoring
• This is called a reduction

24
Other AdveRSArial Strategies

• Can Eve find d without finding ?(N)?
• She knows ed - 1 Q?(N) for some Q
• Since ?(N) is roughly N, shed know ?(N)
• Another reduction
• Can Eve find t, so, ?M, Mte ? M mod N?
• Yes, if p and q are chosen poorly
• For good p, q about as hard as factoring
• good p, q means gcd(p-1, q-1) is small

25
Key Management

• Pre-1970s, problem was key distribution
• Now, Alice can look up Bobs public key
• How does she get it? Key management
• Original solution phone book
• Who prints the book?
• What if its compromised, or intercepted?
• How do you look someone up? Unique ID?
• What if Bob has multiple names, keys?
• Do keys expire? What if a key is compromised?

26
Solution 1 DispeRSAL

• One idea Carol meets Bob face-to-face
• Carol says This is Bobs key, signs it
• Ted knows Carol, says This is Carols key, and I
  trust her, signs it
• Alice knows Ted verifies chain of signatures
• Flaw 1 weakest link
• Flaw 2 gt6 degrees of separation
• Flaw 3 Unique IDs, expiration, ...

27
2 Certificate Authorities

• Next class (7/24/01)

28
Recommended Reading

• From Stallings
• Fermats Theorem, Eulers Theorem, and the ?
  function Section 7.3
• RSA Sections 6.1 - 6.3 (particularly 6.2, which
  includes fast modular exponentiation)
• Hashing, MACs Chapter 8
• Birthday attacks Appendix 8A
• HMAC Section 9.4