Introduction to Practical Cryptography - PowerPoint PPT Presentation

1 / 96
About This Presentation
Title:

Introduction to Practical Cryptography

Description:

Introduction to Practical Cryptography Hash Functions Agenda Hash Functions Properties Uses General Design Examples: MD4, MD5, SHA-0, SHA-1, SHA-256 Collision Attacks ... – PowerPoint PPT presentation

Number of Views:152
Avg rating:3.0/5.0
Slides: 97
Provided by: debbi59
Category:

less

Transcript and Presenter's Notes

Title: Introduction to Practical Cryptography


1
Introduction to Practical Cryptography
  • Hash Functions

2
Agenda
  • Hash Functions
  • Properties
  • Uses
  • General Design
  • Examples MD4, MD5, SHA-0, SHA-1, SHA-256
  • Collision Attacks General Method
  • SHA3 competition

3
Hash Properties
  • Map bit strings of arbitrary length to
    fixed-length outputs
  • h hash(m), h is fixed-length, short
  • Not injective, but collisions unlikely
  • Example 2160 possible values
  • Computationally infeasible to generate collisions
  • Computationally infeasible to invert

4
Hash Properties
  • Preimage resistant given h, hard to find m such
    that h  hash(m)
  • Second preimage resistant given m1, hard to
    find m2 (? m1) such that hash(m1)  hash(m2)
  • Collision-resistant hard to find m1 and m2, m2 ?
    m1, such that hash(m1)  hash(m2)

5
In Practice
  • Heuristics
  • Simple operations, performance
  • Iterative, series of rounds
  • Diffusion through logical operations, addition,
    shifts, rotates

6
Uses
  • Data integrity
  • Error detection
  • Attacker can still modify file and recompute hash
  • Forgery, modification - MAC
  • Shorten data for signing
  • Data Structures
  • Hash list
  • Hash (Merkle) Tree
  • Hash Table

7
Hash - Uses
  • Integrity Error Detection
  • Hash file/message
  • Attacker can still modify file and recompute hash
  • Integrity prevent forgery, modification
  • MAC (keyed hash)
  • Authentication
  • Signature hash data to shorten (for efficiency)
    then encrypt with public key algorithm
  • Append shared secret to unencrypted data then
    hash
  • Random bits
  • Data Structures
  • Hash list
  • Hash (Merkle) Tree
  • Hash Table

8
MAC
  • Message Authentication Code keyed hash
  • Examples
  • Encrypt hash with symmetric key cipher
  • HMAC H(H(K ? c1) H((K ? c2) m))

9
CBC-MAC
(tag)
Need to be careful in designing a MAC
Without knowing the key k, can ask to calculate
the CBC-MAC tag of any message Produce a MAC for
a new message use two message-tag pairs (m,t)
and (m',t), m and m' single blocks (can be
random) (m (t ? m), t) valid message-tag
pair CBC-MAC of m (t ? m) is t (see
next slide)
10
CBC-MAC
  • two message-tag pairs (m,t) and (m',t),
  • m and m' single blocks (can be random)
  • CBC-MAC of m (t ? m) is also t
  • when computing CBC, result from m is t
    (ciphertext from block cipher)
  • then continuing CBC mode
  • t is XORed with t ? m
  • t ? m ? t m and the result is the next
    input to the block cipher
  • thus the output is t
  • therefore, (m t ? m, t) is a valid
    message-tag pair

11
MAC
  • MAC H(Key message)
  • Append attack
  • With most current hashes that chain blocks can
    get a valid MAC for H(Key message message)
  • Put the secret at the end of the message
  • Dont use all the output bits as the MAC

12
HMAC
  • Append 0s to key until have 512 bits
  • XOR with constant and prepend to data
  • Hash
  • XOR key with different constant and prepend to
    result
  • Hash again

H( (key ? const1) H( ((key 0..0) ? const2)
data) )
  • If H is secure, so is HMAC
  • Collision resistant
  • If given HMAC(key,x), cant compute HMAC(key,y)
    without knowing key

13
Generating Random Bits
  • Hash together information containing some
    randomness
  • Copy of every keystroke, mouse event
  • Time between keystrokes
  • Disk seek latency, sector number, etc.
  • Contents of the display
  • Audio input
  • Packet inter-arrival latency, CPU load
  • Hash all this information together
  • Allows generation of pseudo-random data

14
Challenge-Response without Encryption
  • Alice Bob
  • Ra ---------------gt
  • lt--------------- H(K Ra), Rb
  • H(K Rb) -----------------gt

H is a hash function K is a shared secret Ra,Rb
are random values
15
Storing Passwords
  • Idea hash password and store result
  • When user enters password, hash and compare with
    stored value

16
Password Storing
  • Old Unix password algorithm
  • Store hash of user password
  • Hash typed password, compare with stored hash
  • First 8 bytes of password are the secret key
  • Then encrypt all-zeroes block with DES-like
    algorithm
  • Salt 12-bit random number, (used in modified
    DES)
  • Salt stored with hashed result
  • Later versions used MD5, Blowfish

17
Hash List
h21
h11
h12
h13
h14
h15
h16
h17
h18
m1
m3
m4
m5
m7
m8
m2
m6
18
Hash Tree
h41
h31
h32
h21
h22
h23
h24
h11
h12
h13
h14
h15
h16
h17
h18
m1
m3
m4
m5
m7
m8
m2
m6
19
General Structure
Message m padded to M, a multiple of a
fixed-length block M is divided into segments
m1,m2, mn
m1
m2
mn



hash value
IV
F
F
F

Merkle-Damgard, 1989 F is called the compression
function Takes inputs mi and output of previous
iteration Typically a series of rounds Output
called a chaining variable Typically, a
function operates on chaining variables then adds
to mi
20
General Structure
  • Padding
  • 1000
  • MD4, MD5 last 64 bits depend on first block
  • SHA last bits depend on length of message

21
General Structure
m1
m2
mn



hash value
IV
F
F
F

Avalanche All output bits depend on all input
bits Diffusion ideally want change to one input
bit to change each output bit
with prob. ½
22
MD4
  • Rivest, RFC 1320
  • Fast in software
  • Simple to program
  • Memory efficient - no large data structures

23
MD4 Notation
  • word 32 bits
  • Message m
  • XY X AND Y
  • X v Y X OR Y

24
MD4
  • m m100 0
  • Pad m until it is 64 bits short of a multiple of
    512
  • Message is always padded (i.e. even 448 bits are
    padded)
  • Append a 1 followed by 0s
  • M0 ... N-1 m with low order 64 bits of m
    appended to it
  • N is a multiple of 16
  • Four-word buffer (A,B,C,D) initialize to
  • A 01 23 45 67
  • B 89 ab cd ef
  • C fe dc ba 98
  • D 76 54 32 10

just counts 0 to 15 and back
25
MD4 Internal Functions
  • F(X,Y,Z) XY v not(X) Z
  • Bitwise conditional if X then Y else Z.
  • G(X,Y,Z) XY v XZ v YZ
  • Bitwise majority function bit positions in which
    2 or more bits are 1, output has a 1, else output
    has a 0
  • H(X,Y,Z) X ? Y ? Z
  • Bit positions with odd number of 1s are 1, rest
    are 0
  • Note if bits of X, Y, and Z are independent and
    unbiased, each bit of F(X,Y,Z) and each bit of
    G(X,Y,Z) also will be independent and unbiased.

26
MD4
  • for (i 0 to N/16-1)
  • / Copy block i into X. /
  • For (j 0 to 15) Xj Mi16j
  • / Save A, B, C,D /
  • AA A BB B CC C DD D
  • / Combine Message blocks with A,B,C,D /
  • Round 1
  • Round 2
  • Round 3
  • Increment A,B,C,D by their values (AA,BB,CC,DD)
    at start of iteration
  • / end for i /
  • Output A,B,C,D

compression function
A,B,C,D is chaining variable
27
MD4 Round 1
Function operates on chaining variable, adds in
message block
  • / abcd k s denotes a (a F(b,c,d) Xk)
    ltltlt s. /
  • / 16 operations. /
  • ABCD 0 3 DABC 1 7 CDAB 2 11 BCDA 3
    19
  • ABCD 4 3 DABC 5 7 CDAB 6 11 BCDA 7
    19
  • ABCD 8 3 DABC 9 7 CDAB 10 11 BCDA 11
    19
  • ABCD 12 3 DABC 13 7 CDAB 14 11 BCDA 15
    19

Note each word rotates through each of the four
positions for each value of s Xk (M) combined
with A,B,C,D Words sequential in round 1 (i.e. k
1,2,3,. 15 in order)
28
MD4 Round 2
  • / abcd k s denotes
  • a (a G(b,c,d) Xk 0x5A827999) ltltlt s.
    /
  • / 16 operations. /
  • ABCD 0 3 DABC 4 5 CDAB 8 9 BCDA 12 13
  • ABCD 1 3 DABC 5 5 CDAB 9 9 BCDA 13 13
  • ABCD 2 3 DABC 6 5 CDAB 10 9 BCDA 14
    13
  • ABCD 3 3 DABC 7 5 CDAB 11 9 BCDA 15
    13

Word ordering altered from round 1
29
MD4 Round 3
  • / Let abcd k s denotes
  • a (a H(b,c,d) Xk 0x6ED9EBA1) ltltlt s.
    /
  • / 16 operations. /
  • ABCD 0 3 DABC 8 9 CDAB 4 11 BCDA 12 15
  • ABCD 2 3 DABC 10 9 CDAB 6 11 BCDA 14
    15
  • ABCD 1 3 DABC 9 9 CDAB 5 11 BCDA 13
    15
  • ABCD 3 3 DABC 11 9 CDAB 7 11 BCDA 15
    15

Word ordering partially altered from round 2
30
MD4 End of Loop Addition
  • / increment each of A,B,C,D by the value it had
    before this block was started. /
  • A A AA
  • B B BB
  • C C CC
  • D D DD

31
MD4 Constants
  • 5A827999 32-bit constant, represents the square
    root of 2. The octal value is 013240474631.
  • 6ED9EBA1 32-bit constant, represents the square
    root of 3. The octal value is 015666365641.

32
MD5
  • Designed to replace MD4
  • First two and last two rounds of MD4 attacked
  • RFC 1321, Rivest
  • for (i 0 to N/16-1)
  • / Copy block i into X /
  • For (j 0 to 15) Xj Mi16j
  • / Save A, B, C,D /
  • AA A BB B CC C DD D
  • / Combine Message blocks with A,B,C,D /
  • Round 1
  • Round 2
  • Round 3
  • Round 4
  • Increment A,B,C,D by value at start of iteration
  • / end for i /
  • Output A,B,C,D

33
MD5 Changes to MD4
  1. Fourth round added
  2. Each step now has a unique additive constant
  3. The function G changed from (XY v XZ v YZ) to (XZ
    v Y not(Z)) (less symmetric)
  4. The order in which input words are accessed in
    rounds 2 and 3 is changed, to make these less
    like similar to each other.
  5. The shift amounts in each round have been changed
    to produce a faster avalanche effect. The shifts
    in different rounds are distinct.

34
MD5 Internal Functions
  • F(X,Y,Z) XY v not(X) Z
  • G(X,Y,Z) XZ v Y not(Z)
  • H(X,Y,Z) X ? Y ? Z
  • I(X,Y,Z) Y ? (X v not(Z))

35
MD5
  • Uses a 64-element table T1 ... 64 constructed
    from the sine function
  • Ti equals the integer part of
  • 4294967296 times abs(sin(i)), where i is in
    radians

36
MD5 Round 1
  • / abcd k s i denotes
  • a b ((a F(b,c,d) Xk Ti) ltltlt s). /
  • / 16 operations. /
  • ABCD 0 7 1 DABC 1 12 2 CDAB 2 17 3 BCDA 3
    22 4
  • ABCD 4 7 5 DABC 5 12 6 CDAB 6 17 7 BCDA 7
    22 8
  • ABCD 8 7 9 DABC 9 12 10 CDAB 10 17 11 BCDA
    11 22 12
  • ABCD 12 7 13 DABC 13 12 14 CDAB 14 17 15
    BCDA 15 22 16

Constant added, varies
37
MD5 Round 2
  • / abcd k s i denotes
  • a b ((a G(b,c,d) Xk Ti) ltltlt s). /
  • /16 operations. /
  • ABCD 1 5 17 DABC 6 9 18 CDAB 11 14 19 BCDA
    0 20 20
  • ABCD 5 5 21 DABC 10 9 22 CDAB 15 14 23
    BCDA 4 20 24
  • ABCD 9 5 25 DABC 14 9 26 CDAB 3 14 27 BCDA
    8 20 28
  • ABCD 13 5 29 DABC 2 9 30 CDAB 7 14 31 BCDA
    12 20 32

not reusing shift amounts across rounds
38
MD5 Round 3
  • / Let abcd k s t denotes
  • a b ((a H(b,c,d) Xk Ti) ltltlt s). /
  • / Do the following 16 operations. /
  • ABCD 5 4 33 DABC 8 11 34 CDAB 11 16 35
    BCDA 14 23 36
  • ABCD 1 4 37 DABC 4 11 38 CDAB 7 16 39 BCDA
    10 23 40
  • ABCD 13 4 41 DABC 0 11 42 CDAB 3 16 43
    BCDA 6 23 44
  • ABCD 9 4 45 DABC 12 11 46 CDAB 15 16 47
    BCDA 2 23 48

Word ordering altered from round 2 to greater
extent than in MD4
39
MD5 Round 4
  • / abcd k s t denotes
  • a b ((a I(b,c,d) Xk Ti) ltltlt s).
    /
  • / 16 operations. /
  • ABCD 0 6 49 DABC 7 10 50 CDAB 14 15 51
  • BCDA 5 21 52 ABCD 12 6 53 DABC 3 10 54
  • CDAB 10 15 55 BCDA 1 21 56 ABCD 8 6 57
  • DABC 15 10 58 CDAB 6 15 59 BCDA 13 21 60
  • ABCD 4 6 61 DABC 11 10 62 CDAB 2 15 63
    BCDA 9 21 64

One more round than MD4
40
MD5 Addition
  • A A AA
  • B B BB
  • C C CC
  • D D DD

Same as MD4
41
RIPEMD, Haval
  • RIPEMD - modified MD4
  • Rotation changed
  • Order of message words altered
  • Two instances run in parallel with different
    constants at end of each block, output of each
    added to chaining variables
  • Haval modified MD5
  • Processes 1024-bit message blocks instead of 512
  • Internal functions take 7 variables, nonlinear
  • Permutes input to round
  • Chaining variable 8 segments instead of 4
  • Different constants

42
SHA-0
  • Input m ? 264 bits
  • Output 160 bits
  • Padded, processed in 512-bit blocks
  • Each iteration takes 160-bit chaining variable
    and 512-bit block, outputs 160-bit chaining value
  • First chaining value is a fixed constant (IV)
  • Last chaining value is the output

43
SHA-0
  • Pad m to multiples of 512 bits
  • Append 1, 0s, length of m
  • N 512-bit blocks
  • For (j0 to N-1)
  • 512-bit block divided into 32-bit segments
    m0,m1, m16
  • Expand to 80 32-bit segments
  • for i 16 to 79 mi mi-3 ? mi-8 ? mi-14 ?
    mi-16
  • 80 32-bit words processed by round function

44
SHA-0 Round
function operating on chaining variables
Rotating segments of chaining variable
a,b,c,d,e are the chaining variable ki is a
round constant Function f varies per round on
next slide
45
SHA-0 Round Function
46
SHS
  • NIST FIPS 180-2, Secure Hash Standard (SHS) 2002
  • SHA-1 message lt 264 bits, 160-bit output
  • SHA-256 message lt 264 bits, 256-bit output
  • SHA-384 message lt 2128 bits, 384-bit output
  • SHA-512 message lt 2128 bits, 512-bit output

47
SHA-1 and SHA-256 Padding
  • Message M of l bits
  • Pad to a multiple of 512 bits
  • Append a 1
  • Append k 0s where l 1 k 448 mod 512
  • Append 64 bits equal to the binary representation
    of l

48
SHA-1 and SHA-256 Processing
  • N 512-bit blocks
  • Block denoted by M(i)
  • 32-bit segment of block denoted by Mj(i)
  • i ith block
  • j jth 32-bit segment of ith block, j 0,1 16

49
SHA-1
Internal functions, each operating on three
32-bit words
50
SHA-1
Constants used in the rounds
51
SHA-1
Initialization of array containing the hash
value Five 32-bit words
52
SHA-1 Algorithm
  • Pad the message M
  • Break into N 512-bit blocks
  • Initialize H
  • for i 1 to N
  • Populate W with block i and rotate
  • Initialize intermediate variables a,b,c,d,e
  • 80 rounds
  • Update H
  • Output H

53
SHA-1
for i 1 to N
Change from SHA-0, rotate 1 bit
54
SHA-1
Operating on chaining variable then adding in
message block
55
SHA-1
Update chaining variable
end of for i loop Output
56
SHA-256
  • Pad the message M
  • Break into N 512-bit blocks
  • Initialize H
  • for i 1 to N
  • Populate W with block i and rotate
  • Initialize intermediate variables a,b,c,d,e,f,g,h
  • 64 rounds
  • Update H
  • Output H

57
SHA-256
logical functions, inputs are 32-bit words
Change from SHA1
58
SHA-256
Constants used in the rounds 64 32-bit constants
K0, K1 .. K63
Change from SHA1
59
SHA-256
Initialization of chaining variable Eight 32-bit
words
60
SHA-256
for i 1 to N
Change from SHA1
61
SHA-256
Operating on chaining variable then adding in
message block
Change from SHA1
62
SHA-256
Update chaining variable
end of for i loop Output
63
Collisions - Uses
  • Generate meaningful files with the same hash
  • Example Code download replace code, hash file
    remains unchanged

64
Birthday Paradox
  • ? 23 people in a room
  • probability 2 have same birthday is ? 50
  • In general
  • Given random mapping H(xi) yi
  • n inputs, k possible outputs
  • n(n-1)/2 possible input pairs
  • probability H(xi) H(xj) is 1/k
  • Approximation
  • need k/2 pairs for 50 probability so want n gt
    (k) ½ (for match)
  • Hash functions want low probability of a match
  • Larger k is, the more inputs an attacker must try

65
Collisions - Uses
  • Generate certificates with same hash
  • X.509 certificate
  • Name, usage, extension
  • RSA public key (n, e)
  • Signature of CA
  • Attack
  • Two certificates identical except for RSA
    modulus n1, n2 n1 ?n2
  • MD5(n1) MD5(n2)
  • Lenstra, Wang, Weger, Colliding X.509
    Certificates, eprint March 2005
  • Certificates available at http//www.win.tue.nl/b
    deweger/CollidingCertificates/
  • The CA certificate is self-signed
  • MD5 hashes are not identical when include 4 byte
    ASN.1 header


certificate image from Yin, ACNS 2005
66
Collisions Differentials
  • Recall differential cryptanalysis from block
    ciphers
  • Look at ? of inputs, ? of outputs after each
    round
  • In block ciphers, 1 to1 mapping,
  • Never have ?in ? 0 ? ?out 0
  • In hash functions, round output shorter than
    input
  • There exists ?in ? 0 ? ?out 0
  • Need to find these ?s

67
Collisions - Differentials
  • ?m ? 0 for two inputs can produce ?0 in an
    intermediate value of the hash
  • MD4, MD5, SHA are of the form
  • M m0,m1, mn
  • For (i0 to n)
  • Process mi, produce Hi (the chaining
    variable)
  • Process mi1, combine with Hi to get Hi1
  • Furthermore, mi is only added into chaining
    variables

68
Collisions Differentials
  • M m0,m1, mn
  • M m0,m1, mn
  • Find m0, m0 that produce same chaining variable,
  • Set mi mi for remaining blocks
  • In MD4, MD5 issue of padding includes bits from
    unpadded message
  • In SHA - length is append

69
Collisions - Differentials
  • Processing block M in blocks
  • M m0,m1, mn
  • M m0,m1, mn
  • Find messages that produce ?x through block i
    with high probability
  • Set jth block of messages to cancel ?x
  • Remaining blocks of both messages can be

70
Existing Hashes General Structure
Message m padded to M, a multiple of a
fixed-length block M is divided into segments
m1,m2, mn
m1
m2
mn



hash value
IV
F
F
F

F is called the compression function Takes inputs
mi and output of previous iteration Typically a
series of rounds Output called a chaining
variable
71
Collisions
  • Find M1 ? M2 that produce ?x through block i with
    high probability
  • Set subsequent blocks of m1, m2 to cancel ?x
  • Remaining blocks of m1, m2 can be

m1n
m1i1
m1i2
m11
m1i
x1i1 Z
IV

x1i


H
F
F
F
F
F
m1n
m2i1
m21
m1i2
m2i
x2i1 Z
IV
x2i



H
F
F
F
F
F
x1i ? x2i ?x
x1i1 x2i1
72
Workload of Known Attacks (2005)
Hash function Expected strength Known attacks
MD4 264 O(3)
MD5 264 O(230)
SHA-0 280 O(239)
SHA-1 280 O(263)
73
Collisions
  • Wang, Feng, Lai, Yu, 2004
  • Collisions for MD4, MD5, Haval-256, RIPEMD
  • Message Modification
  • Find differential path that produces possible
    collision
  • Identify conditions for path to hold
  • Modify message words to follow path in first
    round (and second round as much as possible)
  • Setting messages in this manner increases chance
    collision holds

74
MD4 Collisions
M M ?C ?C (0,231,-228231,0,0,0,0,0,0,0,0,0
,-216,0,0,0) MD4(M) MD4(M) mi for i 1,2,12
differ between M and M
75
MD4 Collision Example
  • m016
  • 0xa8b1b641, 0x88d2ecaf, 0xb7d7c1a1, 0x99044241,
  • 0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
  • 0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
  • 0x701d8b69, 0x045095eb, 0x92012e03, 0x71ed419e
  • m116
  • 0xa8b1b641, 0x08d2ecaf, 0x27d7c1a1, 0x99044241,
  • 0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
  • 0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
  • 0x701c8b69, 0x045095eb, 0x92012e03, 0x71ed419e

76
MD5 Prior Collisions
  • Bert den Boer and Bosselaers pseudo-collision
    for MD5 - same message with different IVs
  • Dobbertin two different 512-bit messages with a
    chosen initial value different from that in MD5

77
MD5 Collisions
M,N each 512 bits
N,N cancels differential from M,M
Uses initial IV of MD5 Two 1024-bit messages 1
hour to find Ms, 5-15 minutes to find Ns
78
SHA-0 Collisions
  • 2004 Joux pair of 2048 bit inputs
  • 80K CPU hours (3 weeks)
  • Work equivalent of 251 hashes
  • Local differentials of 6 steps

79
SHA-0 Collisions
  • Wang, Yu, Yin 2005
  • Full collision in equivalent work of 239 hashes
  • Impossible differential in rounds 2-4
  • Local collisions in round 1
  • Conditions that this differential path holds

80
SHA-0 Local Collisions
  • Wang 1997
  • Let mi,j ith message word, jth bit
  • 6 step local collision that can start at any step
    i
  • used to construct full collisions
  • If a message difference in bit j first occurs in
    step i
  • Difference will affect chaining variables
    a,b,c,d,e consecutively in the next five steps
  • To offset these differences and reach a local
    collision, differences introduced in subsequent
    message words
  • Probability associated with the local collision
    depends on the boolean function, j, and
    conditions on the message bits
  • One attack
  • j 2
  • Conditions mi,2 mi1,7 and mi,2 mi2,2

81
SHA-0 Local Collision
nc no carry
82
SHA-0 Collisions
  • Biham and Chen 2004
  • started at i gt 17
  • start at i 22, work O(256) hashes
  • near collisions with work O(240) hashes
  • Biham and Chen (2004), Joux (2004), Wang and Yu
    (2005)
  • Multi-block collisions
  • Use near collisions in several blocks to produce
    overall collision
  • Used with above, Joux had first full collision,
    work O(251) hashes

83
SHA-1 Collisions
  • Rijmen and Oswald 2005 collisions for 53
    reduced-round version
  • Wang, Yin, Yu 2005 Collisions without padding
    on full 80 rounds, work ? O(269) hashes
  • Wang, Yao, Yao 2005 Improved above attack to
    work ? O(263) hashes
  • Rechberger and De Cannière 2006 way to choose
    part of the message

84
SHA-256
  • Round function has local collision with
    probability in the range 2-9 to 2-39
  • Message expansion is more complicated than SHA-0,
    SHA-1
  • Expansion block from 16 to 64 words

85
Colliding Certificates
  • Fill in all fields except for
  • RSA public key modulus, n
  • signature (except for first zero byte - to
    prevent bit string from being a negative integer)
  • Three requirements
  • compliant to X.509 and the ASN.1 DER
  • byte lengths of modulus, n, and public exponent,
    e, fixed in advance
  • Can fix e as Fermat-4 number e 65537. Same
    e used in both certificates.
  • position where public key modulus starts is an
    exact multiple of 64 bytes after the beginning of
    the to be signed part do by adding dummy
    information to the subject Distinguished Name.
    i.e. want part prior to n to be an integral
    number of message blocks to which the message
    blocks containing n are appended when computing
    the MD5 hash
  • Run MD5 on the first portion of the to be
    signed part, truncated at the position where n
    starts This input to MD5 is an exact multiple of
    512 bits. Suppress the padding normally used in
    MD5, use output as IV to for the next step. i.e.
    this would be the chaining variable input to the
    iteration in which n starts to be processed
  • Construct two different 1024 bit strings b1 and
    b2 for which the MD5 compression function with
    the IV from the previous step produces a
    collision

86
Colliding Certificates
  • Construct two RSA moduli from b1 and b2 by
    appending to each the same 1024-bit string b
  • Generate random primes p1 and p2 of 512 bits,
    such that e is coprimeto p1 - 1 and p2 - 1
  • Compute b0 between 0 and p1p2 such that
    p1b121024 b0 and p2b221024 b0
  • For k 0, 1, 2, . . .,
  • compute b b0 kp1p2
  • Check if both q1 (b121024 b)/p1 and q2
    (b221024 b)/p2 are primes
  • Check if e is coprime to both q1 - 1 and q2 - 1
  • If k is such that b ? 21024, restart with new
    random primes p1, p2
  • Stop when q1 and q2 have been found output
  • n1 b121024 b
  • n2 b221024 b
  • p1, p2, q1, q2
  • Expect that this algorithm will produce in a
    reasonable time, two RSA moduli n1 p1q1 and n2
    p2q2, that will form an MD5-collision with the
    specified IV
  • p1 and p2 are around 500 bits in size, usually
    takes a few minutes
  • few days when 512 bit p1, p2 and 1536 bit q1, q2
    (search space for k nearly empty)

87
Colliding Certificates
  • Insert the modulus n1 into the certificate - to
    be signed part is complete
  • Compute the MD5 hash of the entire to be signed
    part (including MD5-padding, standard MD5-IV)
  • Apply PKCS1v1.5-padding3, and perform a modular
    exponentiation using the issuing Certification
    Authoritys private key.
  • This gives the signature, which is added to the
    certificate.
  • First certificate now is complete.
  • Second certificate use n2 as the public key
    modulus and signature still valid

88
NIST Hash Workshop
  • Proposed competition SHA3
  • Call for proposals Nov. 2007
  • Allow time for public comments on hash function
    requirements
  • Review submissions starting in 2009
  • Select winner end of 2011
  • Standard released in 2012
  • Then time to integrate into applications
  • 6 years before standard replacement

89
SHA3 Requirements
  • NIST does not currently plan to withdraw SHA-2
  • SHA-3 can be directly substituted for SHA-2 in
    current applications
  • must provide message digests of 224, 256, 384 and
    512-bits to allow substitution for the SHA-2
    family
  • 160-bit hash value produced by SHA-1 is becoming
    too small to use for digital signatures
  • a 160-bit replacement hash algorithm is not
    contemplated.

90
SHA3 Requirements
  • Certain properties of the SHA-2 hash functions
    must be preserved
  • input parameters, output sizes
  • collision resistance, preimage resistance,
    second-preimage resistance
  • one-pass streaming mode of execution
  • successful attack on the SHA-2 hash functions is
    unlikely to be applicable to SHA-3.
  • be suitably flexible for a wide variety of
    implementations,
  • May offer additional properties
  • randomized hashing
  • parallelizable
  • more efficient to implement on some platforms
  • more suitable for certain applications
  • may avoid some of the incidental generic
    properties (such as length extension) of the
    Merkle-Damgard construct that often result in
    insecure applications
  • For interoperability, prefer a single hash
    algorithm family (different size message digests
    be internally generated in as similar a manner as
    possible)

91
Approaches
  • Augment existing hash functions
  • Add bit count to input part of chaining value
  • Padding 1, 0s, hash size, message length
  • New algorithms, with approach similar to past
    hashes chaining
  • New approaches that avoid Merkle-Damgard chaining
  • Algorithm related to mathematically hard problems

92
Alternatives
  • CMC mode
  • Forward and backward diffusion
  • Use last block
  • Inefficient memory requirements
  • gt double computational work
  • Binary tree
  • Block cipher, PRP construct as nodes
  • double computational work

m4
m1
m3
m2
T
X1
X4
M
M
M
M
T
hash
m4
m1
m2
m3
hash
93
Alternatives
  • Hybrid
  • CMC mode or chaining on segments
  • Subset of output forms next layer

m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
m blocks
94
Segment Processing
  • CMC mode
  • forward and backward diffusion across blocks
  • collision implies weakness in block cipher

m4
m3
m1
m2
T
X1
X4
M
M
M
M
T
segment output
95
Segment Processing

128
128
128
IV
input

128
128
128
128
128
128


128
128
128
128
128
128
segment output
128
  • Elastic Chaining mode
  • Only forward diffusion
  • but less memory/intermediate state than CMC
    mode
  • If key is based on first block, collision implies
    weakness in block cipher
  • Use elastic version of 128-bit cipher or a
    256-bit cipher

96
Segment Processing
  • Dont use existing forward chaining in segment
    differential attack applies to segment

m1l
m13
m14
m11
m12
x13 Z
IV

x12


segment output
F
F
F
F
F
m2l
m23
m24
m21
m22
x23 Z
IV

x22


segment output
F
F
F
F
F
x12 ? x22 ?x
Write a Comment
User Comments (0)
About PowerShow.com