Hashing, MACs, RSA - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

Hashing, MACs, RSA

Description:

hi = (Mi, hi-1) (h0 is a fixed initial value) Output is H(M) = hk. . . ... Comparable to SHA-1 in speed, security. Both are roughly half the speed of MD5 ... – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Slides: 29
Provided by: csinstruct
Category:
Tags: rsa | hashing | hispeed | macs

less

Transcript and Presenter's Notes

Title: Hashing, MACs, RSA


1
Hashing, MACs, RSA
  • Sandy Kutin
  • CSPP 532
  • 7/17/01

2
Rehash Why do we hash?
  • Hash functions boil long message down to a few
    bits
  • Alice signs hash with public key
  • Authentication (Bob knows Alice sent it)
  • Non-repudiation (Bob can prove Alice sent it)
  • Data integrity no one else can alter data
  • Bit commitment used in many protocols

3
Rehash What is a hash?
  • What makes H a hash function?
  • Takes any size input
  • Produces fixed-size output (n bits)
  • H(M) is easy to compute
  • Given h, it is hard to solve H(M) h for M
  • Given N, it is hard to solve H(M) H(N) for M
    (weak collision resistance) (2n steps)
  • It is hard to find M, N such that H(M) H(N)
    (strong collision resistance) (2n/2 steps)

4
Rehash How do we hash?
  • Most hashes are built using a one-way compression
    function mn bits to n bits
  • Divide message into k blocks of m bits
  • hi Æ’(Mi, hi-1) (h0 is a fixed initial
    value)
  • Output is H(M) hk

5
A MoDESt Proposal
  • One idea use encryption (e.g., DES)
  • h0 IV
  • hi Æ’(Mi, hi-1) EMi(hi-1)
  • Problem 1 slow
  • Problem 2 export restrictions

6
Problem 3 Insecure
  • Can construct 2 blocks XY, H(XY) h
  • Need X, Y so that EY(EX(h0)) h
  • Try 2n/2 Xs, 2n/2 Ys, see if EX(h0) DY(h)
  • Birthday attack works on DES, AES,
  • Could pick M1,,Mk-2, solve EX(hk-2) DY(h)

7
Specific Hashes MD5
  • MD5 (Rivest, 1992) 128-bit hash, 512-bit blocks
    (similar to MD4, 1990)
  • (MD Message Digest)
  • Simplified versions have been cryptanalyzed, but
    not MD5 itself
  • But strong collision resistance only 64-bit
  • Not really long enough nowadays
  • Like DES now being phased out

8
Specific Hashes SHA
  • SHA (or SHA-1) NIST, NSA, 1995
  • 160-bit hash, 512-bit blocks
  • Used in DSS (Digital Signature Standard)
  • May 30, 2001 NIST announced 3 more

9
Specific Hashes RIPEMD
  • RIPE-MD developed in Europe (1996-7)
  • RIPEMD-160 160-bit hash, 512-bit blocks (same
    as SHA-1)
  • Comparable to SHA-1 in speed, security
  • Both are roughly half the speed of MD5
  • American standard is SHA-1 (for now)
  • SHA-256, SHA-384, SHA-512 match key lengths in
    AES

10
Message Authentication Codes
  • A hash is public anyone can compute it
  • We used digital signatures only Alice can
    compute Dpa(H(M)), anyone can check
  • Another idea CK(M) using secret key
  • Message Authentication Code (MAC)
  • Authentication (but not non-repudiation)
  • Data integrity

11
What makes a MAC?
  • What makes CK(M) a MAC?
  • Any size M, easy-to-compute fixed-size output
  • Given K, N, hard to solve CK(M) CK(N)
  • (weak collision resistance for Alice, Bob)
  • Given K, it is hard to solve CK(M) CK(N)
  • (strong collision resistance for Alice, Bob)
  • Given signed pairs (M, CK(M)), but not K, it is
    hard to find more
  • (Eve cant solve for K, find collisions, or
    otherwise construct a message and a valid MAC)

12
Encryption-Based MACs
  • Simplest idea CK(M) EK(H(M))
  • Only as good as weakest link
  • Better Encrypt in CBC mode
  • C1 EK(M1)
  • Ci EK(Mi ? Ci-1)
  • CK(M) is last Ci
  • DES-CBC is current FIPS-approved MAC
  • Speed, export issues wrong tool for job

13
Hash-based MACs
  • One idea CK(M) H(K M)
  • Effectively a hash with secret initial value
  • Problem Given M, CK(M), can find CK(M N)
  • Solution HMAC (Bellare, Canetti, Krawczyk,
    1996 NIST 1/01)

14
HMAC
  • Pad n-bit key K up to m bits, if necessary
  • Si K ? 00110110..., So K ? 01011010
  • First, compute x H(Si M), pad x to m bits
  • HMACK(M) H(So x)
  • Only three extra calls to Æ’

15
HMAC Attack
  • We can precompute 2 of the 3 extra calls
  • Use any H we want (MD5, SHA-1, )
  • HMAC is secure as long as H is secure
  • Birthday attack fails if K is unknown
  • MD5 is fine

HMACK(M)
Æ’
Si
So
M1
Mk
Æ’
Æ’
Æ’
Æ’
IV
IV
x
h1
hk-1
16
Whats next?
  • Weve discussed several primitives
  • Symmetric Encryption
  • Hashes
  • Message Authentication Codes
  • Theres one primitive we havent discussed

17
Public Key
Infrastructure
18
The Key Idea
  • Public key uses asymmetric encryption
  • Bob has a public encryption function EB
  • Trapdoor one-way function
  • Easy to compute
  • Invertible, and Bob knows secret Db EB-1
  • For Eve to invert EB, shed need to guess b
  • Alice computes EB(M) only Bob can decrypt
  • Diffie, 1975. Question how do we do it?

19
VeRSAtile Solution
  • RSA (Rivest, Shamir, Adleman, 1977)
  • Bob computes primes p, q, and Npq
  • Bob computes d,e, so de ? 1 mod ?(N)
  • Public key (N, e). Private key (N, d)
  • Encryption (Alice) C EB(M) ? Me mod N
  • Decryption (Bob) M Db(C) ? Cd mod N
  • By Eulers Theorem Med ? M mod N
  • So, Db(EB(M)) M, Bob can read M

20
Vice VeRSA
  • Note that, ?M, Mde ? Med ? M mod N
  • Order doesnt matter
  • Only Bob can compute S ? Md mod N
  • Anyone else can verify M ? Se mod N
  • Digital Signature
  • Gives us authenticity, non-repudiation
  • (As weve said usually applied to H(M))

21
Factoring in Attacks
  • Say Eve knows N, e, C, wants to read M
  • Could factor N, solving for p and q
  • Then easy to compute ?(N), solve for d
  • How hard is it to factor?
  • Best known method Number Field Sieve
  • Between polynomial and exponential time
  • Of course, no one can prove anything

22
How hard is factoring?
  • From Schneiers Applied Cryptography
  • MIPS-year 100 MHz Pentium for a week
  • Rivest, 1977 125 digits should take 40
    quadrillion years
  • 8/1999 512-bit prime
  • (155 decimal digits)
  • Distributed computing
  • Took 8000 MIPS-years
  • 7 months (3.7 sieving)

23
An ERSAtz Attack
  • Can Eve find ?(N)? Then, d ? e-1 mod ?(N).
  • Say we knew N pq, ?(N) (p-1)(q-1).
  • Then let Z N - ?(N) 1 we know Z
  • Z pq - (pq - p - q 1) 1 p q
  • (x - p)(x - q) x2 - Zx N this is solvable
  • So, if we knew ?(N), wed know p, q
  • Therefore, finding ?(N) is as hard as factoring
  • This is called a reduction

24
Other AdveRSArial Strategies
  • Can Eve find d without finding ?(N)?
  • She knows ed - 1 Q?(N) for some Q
  • Since ?(N) is roughly N, shed know ?(N)
  • Another reduction
  • Can Eve find t, so, ?M, Mte ? M mod N?
  • Yes, if p and q are chosen poorly
  • For good p, q about as hard as factoring
  • good p, q means gcd(p-1, q-1) is small

25
Key Management
  • Pre-1970s, problem was key distribution
  • Now, Alice can look up Bobs public key
  • How does she get it? Key management
  • Original solution phone book
  • Who prints the book?
  • What if its compromised, or intercepted?
  • How do you look someone up? Unique ID?
  • What if Bob has multiple names, keys?
  • Do keys expire? What if a key is compromised?

26
Solution 1 DispeRSAL
  • One idea Carol meets Bob face-to-face
  • Carol says This is Bobs key, signs it
  • Ted knows Carol, says This is Carols key, and I
    trust her, signs it
  • Alice knows Ted verifies chain of signatures
  • Flaw 1 weakest link
  • Flaw 2 gt6 degrees of separation
  • Flaw 3 Unique IDs, expiration, ...

27
2 Certificate Authorities
  • Next class (7/24/01)

28
Recommended Reading
  • From Stallings
  • Fermats Theorem, Eulers Theorem, and the ?
    function Section 7.3
  • RSA Sections 6.1 - 6.3 (particularly 6.2, which
    includes fast modular exponentiation)
  • Hashing, MACs Chapter 8
  • Birthday attacks Appendix 8A
  • HMAC Section 9.4
Write a Comment
User Comments (0)
About PowerShow.com