New Techniques for Cryptanalysis of Cryptographic Hash Functions

Rafi Chen, Department of Computer Science, Technion – Israel Institute of Technology. Joint work with Eli Biham. Cryptoday 2011.


  1. New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafi Chen, Department of Computer Science, Technion – Israel Institute of Technology. Joint work with Eli Biham. Cryptoday 2011.

  2. Talk Outline
     - Definition and properties
     - Applications
     - Hash functions from the 90's till today
     - Merkle-Damgård construction and its weaknesses
     - Differential cryptanalysis of hash functions
     - The multi-block technique
     - The neutral-bits technique
     - Results

  3-4. A Cryptographic Hash Function
     - A cryptographic hash function $H$ takes a message of arbitrary length and generates a short fingerprint: $H : \{0,1\}^* \mapsto \{0,1\}^m$.
     - $H$ has no secret key or hidden data. Cryptographic applications that use it rely on its properties.

  5-8. Required Properties
     - Preimage resistance ($2^n$)
     - 2nd preimage resistance ($2^n$)
     - Collision resistance ($2^{n/2}$)
     - Easy to compute
     [Figure: one diagram per property relating $M$, $M^*$, $H$ and the $n$-bit value $H(M)$.]

  9-17. Applications - Digital Signature
     [Figure: Signer and Verifier. The signer passes the message to sign, $M$, through the hash function and applies the signature scheme to $H(M)$ with the private key; the message and signature are sent; the verifier hashes $M$ and applies the verification scheme to $H(M)$ and the signature with the public key, outputting True.]
     If $H(M) = H(M^*)$ then $M$ and $M^*$ have the same signature.

  18-19. Applications
     - Message integrity: instead of protecting the whole data, protect the hash of the data. Second preimage resistance is required.
     - Password protection: a password file holds (user name, salt, $H(\text{password} \,\|\, \text{salt})$). Passwords are protected in case an attacker accesses the password file. Preimage resistance is required.

  20. Applications
     - Commitment: A, who commits to $M$, sends $H(M \,\|\, \text{salt})$ to B. When A reveals his commitment, he publishes $M$ and the salt. B verifies the commitment by hashing and comparing. Collision resistance, preimage resistance and second preimage resistance are required.

  21-22. Applications
     - Message Authentication Code (MAC). Preimage resistance is required.
     - And there are many more...

  23. Hash Functions from the 90's till Today

  24. 1990-2000 (partial list)
     - The hash functions use the Merkle-Damgård construction.
     - Hash size 128-192 bits.
     - Optimized for 32-bit machines (except for Tiger).

     | Function   | Dig. size | Designed | Broken     | Complexity                 |
     |------------|-----------|----------|------------|----------------------------|
     | Snefru     | 128-224   | 1990     | 1990       | $2^{12.5} - 2^{56.5}$      |
     | MD4        | 128       | 1990     | 1995, 2004 | $2^{20}$, $2^{8}$          |
     | MD5        | 128       | 1992     | 2004, 2008 | $2^{39}$, $2^{16}$         |
     | SHA-0      | 160       | 1993     | 1998, 2004 | $2^{61}$, $2^{51}$, $2^{39}$ |
     | SHA-1      | 160       | 1995     | 2005, 2011 | $2^{63}$, $2^{58}$         |
     | Tiger      | ≤ 192     | 1995     |            |                            |
     | RIPEMD-160 | 160       | 1996     |            |                            |

  25. 2000-2003
     - Whirlpool, Nessie (2000) and SHA-2, NIST (2002).
     - The hash functions still use the Merkle-Damgård construction.
     - Whirlpool is based on the Square block cipher.
     - SHA-224, SHA-256, SHA-384 and SHA-512 are based on the MD/SHA concept with more complex operations.
     - Hash size 224-512.
     - No real motivation to upgrade till the first attacks on SHA-1 in 2005.

  26. SHA-3 Competition (2007)
     - The break of SHA-1 motivated NIST to establish a public competition to choose the next generation of hash functions.
     - 64 proposals were submitted. 51 passed Round 1, 14 passed Round 2, five passed Round 3, and the final decision will be given in 2012.

  27. Recommendations
     - Do not use broken hash functions: not SHA-1 and certainly not MD5.
     - Midterm solution: upgrade to Whirlpool or SHA-2.
     - Upgrade to SHA-3 when it is available.

  28. Merkle-Damgård Construction and Its Weaknesses

  29. Merkle-Damgård Construction (1989)
     The hash function iterates a compression function $C$, $C : \{0,1\}^{m_c + b} \mapsto \{0,1\}^{m_c}$, on a chaining value $h_{k-1}$ and a message block $M_k$.

  30. Merkle-Damgård Construction (1989)
     [Figure: the message $M$, padded with 0's, is split into $b$-bit blocks $M_1, M_2, \ldots, M_{n-1}, M_n$; the compression function $C$ is applied block by block to the $m_c$-bit chaining values $IV = h_0, h_1, h_2, \ldots, h_{n-1}, h_n$, ending in the Hash Result.]
     The first chaining value is initialized to $h_0 = IV$. For each $M_k$ and $h_{k-1}$ compute: $h_k = C(M_k, h_{k-1})$.

  31. Merkle-Damgård Construction (1989): $h_1 = C(M_1, h_0)$

  32. Merkle-Damgård Construction (1989): $h_2 = C(M_2, h_1)$

  33. Merkle-Damgård Construction (1989): $h_{n-1} = C(M_{n-1}, h_{n-2})$

  34. Merkle-Damgård Construction (1989): $M$ is padded with 1, 0's, and the message length; $h_n = C(M_n, h_{n-1})$

  35. Merkle-Damgård Construction (1989): $h_n$ is the output of the hash function, $H(M) = h_n$.

  36. The Merkle-Damgård construction is the de facto standard for hash functions.

  37. Merkle-Damgård Construction
     - The hash size should be long enough to prevent Yuval-type attacks.
     - Padding with the message length prevents some long-message second preimage attacks.
     - The compression function is not invertible, to prevent meet-in-the-middle attacks.
     - $H(M)$ is collision free if $C(M_k, h_{k-1})$ is collision free.

  38-39. Wang's MD5 Collision
     - In 2005 Wang found a collision of MD5 with a complexity of $2^{39}$.
     - Wang's novel technique was exciting. However, was it more than an academic achievement?
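
An added example, not part of the original slides: the Merkle-Damgård iteration from slides 29-35 over a toy compression function, with a birthday search that shows why the collision bound on slides 5-8 is $2^{n/2}$ and why slide 37 asks for a long hash size. The 8-byte block, the 16-bit chaining value and the truncated SHA-256 stand-in for $C$ are assumptions chosen so the search finishes instantly.

```python
import hashlib
import struct

B = 8               # block size b in bytes (toy value, assumed)
MC = 2              # chaining value size m_c in bytes: 16-bit toy digest (assumed)
IV = b"\x00" * MC   # h_0 = IV (constructed constant)

def compress(block: bytes, h_prev: bytes) -> bytes:
    """Toy C(M_k, h_{k-1}): truncated SHA-256, a stand-in for a real design."""
    assert len(block) == B and len(h_prev) == MC
    return hashlib.sha256(h_prev + block).digest()[:MC]

def pad(message: bytes) -> bytes:
    """Pad with a 1 bit, 0 bits, then the 64-bit message length in bits."""
    padded = message + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % B)
    return padded + struct.pack(">Q", 8 * len(message))

def md_hash(message: bytes) -> bytes:
    """h_0 = IV; h_k = C(M_k, h_{k-1}); H(M) = h_n."""
    h = IV
    padded = pad(message)
    for i in range(0, len(padded), B):
        h = compress(padded[i:i + B], h)
    return h

def birthday_collision():
    """Hash distinct messages until two digests match; return (M, M*, tries)."""
    seen = {}
    # 2^n + 1 distinct messages guarantee a repeat among 2^n possible digests.
    for tries in range(1, 2 ** (8 * MC) + 2):
        msg = b"msg-%d" % tries
        digest = md_hash(msg)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg
    raise AssertionError("unreachable: pigeonhole guarantees a collision")

if __name__ == "__main__":
    m, m_star, tries = birthday_collision()
    print("M =", m, "M* =", m_star, "H =", md_hash(m).hex(), "tries =", tries)
```

With a 16-bit output the search ends after a few hundred messages, on the order of $2^{8}$, rather than the $2^{16}$ a preimage search would need.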
