Chapter 11 and 13


An algorithm for which it is computationally infeasible to find either:

(a) a data object that maps to a pre-specified hash result (the one-way property)
(b) two data objects that map to the same hash result (the collision-free property)

Elgamal encryption scheme

- is designed to enable encryption by a user's public key with decryption by the user's private key.
- involves the use of the private key for encryption and the public key for decryption

Cryptanalysis

- An attack based on weaknesses in a particular cryptographic algorithm
- Seek to exploit some property of the algorithm to perform some attack other than an exhaustive search

Brute Force Attacks

- Does not depend on the specific algorithm, only depends on bit length
- In the case of a hash function, attack depends only on the bit length of the hash value
- Method is to pick values at random and try each one until a collision occurs

Bit-by-bit exclusive-OR (XOR) of every block

- Produces a simple parity for each bit position and is known as a longitudinal redundancy check
- Reasonably effective for random data as a data integrity check
- Each n-bit hash value is equally likely. Therefore the probability that a data error will result in an unchanged hash value is 2^(-n)

Requirements and Security

- Security requirements for cryptographic hash functions
- Brute-force attacks
- Cryptanalysis

Birthday Attacks--How does one work?

- The source (A) is prepared to sign a legitimate message x by appending the appropriate m-bit hash code and encrypting that hash code with A's private key
- Opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and stores the messages and their hash values
- Opponent generates a fraudulent message y for which A's signature is desired
- Two sets of messages are compared to find a pair with the same hash
- The opponent offers the valid variation to A for signature which can then be attached to the fraudulent variation for transmission to the intended recipient
- Because the two variations have the same hash code, they will produce the same signature and the opponent is assured of success even though the encryption key is not known

SHA-3 things to remember:

- The sponge construction
- The SHA-3 Iteration Function f

SHA-3

- is a cryptographic hash function that is intended to complement SHA-2 as the approved standard for a wide range of applications
- created because it will take years to find a suitable replacement for SHA-2 should it become vulnerable, so NIST decided to begin the process of developing a new hash standard
- sponge construction

SHA-3 Iteration Function

- is executed once for each input block of the message to be hashed
- takes the 1600 bit state variable as input and converts it into a 5x5 matrix of 64 bit lanes
- this matrix then goes through 24 rounds of processing
- each round has five steps and each step updates the matrix by permutation or substitution operations

Message Authentication Code (MAC) or (keyed hash function)

- one way to achieve message authentication
- used between two parties that share a secret key to authenticate information exchanged between those parties
- input: secret key and data block
- output: hash value, which is referred to as MAC, associated with the protected message

Secure Hash Algorithm (SHA)

- originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
- based on the hash function MD4
- Produces 160-bit hash values
- until 2005, no one had found any substantial cryptanalytic weaknesses

The Sponge Construction

- underlying structure of SHA-3
- Takes an input message and partitions it into fixed-size blocks
- Each block is processed in turn with the output of each iteration fed into the next iteration, finally producing an output block
- allows both variable length input and output, making it a flexible structure that can be used for a hash function (fixed-length output), a pseudorandom number generator (fixed-length input), and other cryptographic functions.

Aspects of Brute Force Attacks on Hash functions:

1. does not depend on the specific algorithm, only depends on bit length
2. in the case of a hash function, attacks depend only on the bit length of the hash value
3. method is to pick values at random and try each one until a collision occurs

Consider two simple insecure hash functions that operate using the following general principles:
a. The input is viewed as a sequence of n-bit blocks
b. The input is processed one block at a time in an iterative fashion to produce an n-bit hash function

1. Bit-by-bit exclusive-OR (XOR) of every block
2. Perform a one-bit circular shift on the hash value after each block is processed

Digital Signature Properties

1. It must verify the author and the date and time of the signature
2. It must authenticate the contents at the time of the signature
3. It must be verifiable by third parties, to resolve disputes

Two simple Hash functions

1. XOR with one bit rotation to the right
2. XOR of every 16 bit block

message digest generation in steps using SHA-512

1. append padding bits to the message
2. append length (block of 128 bits added to the message)
3. Initialize the hash buffer
4. process message in blocks (80 rounds)
5. Output

Step function in SHA-3

1. substitution
2. permutation (circular bit shift)
3. permutation (matrix)
4. substitution
5. substitution (xor)

weak hash function satisfies these five properties:

1. variable input size
2. fixed output size
3. efficiency/practical
4. preimage resistant (one way property)
5. second preimage resistant (weak collision resistant)

strong hash function satisfies these six properties

1. variable input size
2. fixed output size
3. efficiency/practical
4. preimage resistant (one way property)
5. second preimage resistant (weak collision resistant)
6. COLLISION RESISTANT

Seven requirements for a Cryptographic Hash Function

1. variable input size
2. fixed output size
3. efficiency/practical
4. preimage resistant (one way property)
5. second preimage resistant (weak collision resistant)
6. Collision resistant (strong collision resistant)
7. pseudorandomness

A Letter in 2^37 Variation

Alternatively, the opponent could simply reword the message but retain the meaning.

a generic model of the process of making and using digital signatures

Bob can sign a message using a digital signature generation algorithm. The inputs to the algorithm are the message and Bob's private key. Any other user, say Alice, can verify the signature using a verification algorithm, whose inputs are the message, the signature, and Bob's public key.

Total break

C determines A's private key.

Universal forgery

C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages

Selective forgery

C forges a signature for a particular message chosen by C

Existential forgery

C forges a signature for at least one message. C has no control over the message. Consequently, this forgery may only be a minor nuisance to A.

Simple padding:

Denoted by pad10*, appends a single bit 1 followed by the minimum number of bits 0 such that the length of the result is a multiple of the block length.

Multirate padding:

Denoted by pad10*1, appends a single bit 1 followed by the minimum number of bits 0 followed by a single bit 1 such that the length of the result is a multiple of the block length. This is the simplest padding scheme that allows secure use of the same f with different rates r.

the global elements of ________________________ are a prime number q and a, which is a primitive root of q

Elgamal digital signature

Birthday Attack

For a collision resistant attack, an adversary wishes to find two messages or data blocks that yield the same hash function
- exploits the birthday paradox: the chance that in a group of people two will share the same birthday

Perform a one-bit circular shift on the hash value after each block is processed

Has the effect of randomizing the input more completely and overcoming any regularities that appear in the input

The result of performing a one-bit circular shift on the hash value after each block is processed in a hash function is:

Has the effect of randomizing the input more completely and overcoming any regularities that appear in the input

SHA-2

- In 2002 NIST produced a revised version of the standard that defined three new versions of SHA with hash value lengths of 256, 384, and 512
- 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on SHA-2 by 2010.
- shares the same structure and mathematical operations as its predecessors so this is a cause for concern

Applications of cryptographic hash functions

- Message authentication
- Digital signatures
- Other applications

Pseudorandom function (PRF)

PSEUDORANDOM NUMBER GENERATOR (PRNG)

SHA-1

- Revised version of SHA in 1995
- SHA-1 has not yet been "broken"
- No one has demonstrated a technique for producing collisions in a practical amount of time
- Considered to be insecure and has been phased out for SHA-2

overall processing of a message to produce a digest

SHA methodology

Directed chosen message attack

Similar to the generic attack, except that the list of messages to be signed is chosen after the attacker knows the user's (whose signature method is being attacked) public key but before any signatures are seen.

Generic chosen message attack

The attacker chooses a list of messages before attempting to break the user's (whose signature method is being attacked) signature scheme, independent of the user's public key. The attacker then obtains from the user (whose signature method is being attacked) valid signatures for the chosen messages. The attack is generic, because it does not depend on A's public key; the same attack is used against everyone.

Adaptive chosen message attack

The attacker is allowed to use the user as an "oracle." This means that the attacker may request from the user signatures of messages that depend on previously obtained message-signature pairs.

XOR with one bit rotation to the right and XOR of every 16 bit block operate with the following principles:

The input is viewed as a sequence of n-bit blocks and is processed one block at a time in an iterative fashion to produce an n-bit hash function.

Collision

a pair such that H(x) = H(y)

Hash Function Uses

a. commonly used to create a one-way password file
b. can be used for intrusion and virus detection
c. can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG)

hash functions can be used for

a. intrusion detection
b. virus detection

There are two ways the hash code is used to provide a digital signature

a. The hash code is encrypted, using public-key encryption with the sender's private key. This provides authentication and a digital signature, because only the sender could have produced the encrypted hash code.
b. If confidentiality as well as digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key. This is common.

hash function

accepts a variable-length block of data as input and produces a fixed-size hash value

Cryptographic hash function

an algorithm for which it is computationally infeasible (because no attack is significantly more efficient than brute force) to find either:
a. a data object that maps to a pre-specified hash result (one-way property)
b. two data objects that map to the same hash result (the collision free property)

A strong hash function protects against

an attack in which one party generates a message for another party to sign

Key-only attack

the attacker only knows the user's public key (whose signature method is being attacked)

There are two types of attacks on hash functions

brute-force attacks and cryptanalysis

the principal object of a hash function is

data integrity (does not protect against confidentiality)

Collision resistance is

desirable for a general-purpose secure hash code

Confidentiality can be provided by

encrypting the entire message plus signature with a shared secret key (symmetric encryption).
- it is important to perform the signature function first and then an outer confidentiality function

SHA 512

- every bit of the hash code is a function of every bit of the input.
- The complex repetition of the basic function F produces results that are well mixed

Aspects of Cryptanalysis on hash functions

exploit known aspects of hash function

The sponge function is defined by three parameters:

- f = the internal function used to process each input block
- r = the size in bits of the input blocks, called the bitrate, which reflects the fact that r is the number of bits processed at each iteration; the larger r, the greater the rate at which message bits are processed by the sponge construction
- pad = the padding algorithm
- operates on a state variable s of b = r + c bits, which is initialized to all zeros and modified at each iteration.

A common application for a hash-based PRF is the

generation of symmetric keys

second preimage resistant (weak collision resistant)

guarantees that it is impossible to find an alternative message with the same hash value as a given message. This prevents forgery when an encrypted hash code is used

the approach to password protection used by most operating systems

hash functions used to create a one-way password file

Preimage

is a data block whose hash function, using the function H, is h. There will be multiple values of a message that will result in a hash value

preimage resistant

is the one-way property: it is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important if the authentication technique involves the use of a secret value. The secret value itself is not sent.

Collision Resistance

it is ensured that there is no way two different inputs, once going through the hash function, can result in the same output. I.e. H(x) != H(y)

collision

occurs if we have x!=y and H(x)=H(y)

Intrusion detection and virus detection using hash function requires

keeping the hash values and hash function for each file on hand. Later, by recomputing the hash function, one can tell if it has been modified.

pseudorandomness

output of H meets standard tests for pseudorandomness

one way to improve the BIT-BY-BIT XOR hash function is to

perform a one-bit circular shift, or rotation, on the hash value after each block is processed. This would look like:
1. Initially set the n-bit hash value to zero
2. Process each successive n-bit block of data as follows: rotate the current hash value to the left by one bit and then XOR the block into the hash value
Results in "randomizing" the input and overcoming any irregularities in the input. Useless with an encrypted hash code.

for a hash code of length m, the level of effort required, as we have seen, is proportional to the following:

- preimage resistant: 2^(m)
- second preimage resistant: 2^(m)
- collision resistant: 2^(m/2)

A secure hash function

provides a basis for satisfying these requirements. However, care must be taken in the design of the details of the scheme.

Direct digital signature

refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.

a common application of a hash-based PRF is for the generation of:

symmetric keys

compression function

takes two inputs: an n-bit input, called the chaining variable, and the b-bit block. produces: a b-bit output. The chaining variable is produced by the algorithm. The final value of the chaining value = the hash value. Called the compression function since the length of the input block is less than the length of the hash code

Known message attack

the attacker is given access to a set of messages and their signatures

Digital Signature

the hash value of the message is encrypted with a user's private key. This allows the receiver to verify that the sender authentically sent the message, if they know the private key.

Secure Hash Algorithm (SHA) family

the most important and widely used family of cryptographic hash functions

A "good" hash function has the property that

the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random.

The validity of the scheme depends on

the security of the sender's private key

message digest

when a hash function is used to provide message authentication, the hash function value

one-way password file

When a user enters a password, the hash of that password is compared to the stored hash value for verification. Used by most operating systems. Prevents the hacker from gaining the password if they have access to the password file.

x is the preimage of h

x is the data block whose hash function, using the hash function H, is h

the following requirements for a digital signature

• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.

