Lecture 3 Hash functions, MAC, asymmetric crypto
What four concepts does this lecture provide?
- Cryptographic hash functions - Message authentication codes (MAC) - Asymmetric cryptography - Digital signatures
Where do you apply Hash functions?
A cryptographic hash function is an algorithm that can be run on data such as an individual file or a password to produce a value called a checksum. The main use of a cryptographic hash function is to verify the authenticity of a piece of data. Two files can be assumed to be identical only if the checksums generated from each file, using the same cryptographic hash function, are identical. Hash functions have many applications, e.g., integrity checks, digital signatures, message authentication codes, key derivation, pseudorandom number generators, password protection, etc.
What is a digital signature and how does it work?
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity). The message is only signed and not encrypted. 1) Alice signs a message with her private key. 2) Bob can verify that Alice sent the message and that the message has not been modified.
What is the difference between digital signature and a MAC?
A message authentication code (MAC) protects against message forgery by anyone who doesn't know the secret key (shared by sender and receiver). This means that the receiver can forge any message - thus we have both integrity and authentication (as long as the receiver doesn't have a split personality), but not non-repudiation. A (digital) signature is created with a private key, and verified with the corresponding public key of an asymmetric key-pair. Only the holder of the private key can create this signature, and normally anyone knowing the public key can verify it.. So this provides all of integrity, authentication, and non-repudiation.
What is the Diffie-Hellman (DH) key exchange?
Diffie-Hellman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. That's an important distinction: You're not sharing information during the key exchange, you're creating a key together. The basic idea works like this: - I come up with two prime numbers g and p and tell you what they are. - You then pick a secret number (a), but you don't tell anyone. Instead you compute ga mod p and send that result back to me. (We'll call that A since it came from a). - I do the same thing, but we'll call my secret number b and the computed number B. So I compute gb mod p and send you the result (called "B") - Now, you take the number I sent you and do the exact same operation with it. So that's Ba mod p. - I do the same operation with the result you sent me, so: Ab mod p. The "magic" here is that the answer I get at step 5 is the same number you got at step 4.
What is HMAC (Hash-based Message Authentication Code) and how does it work?
Hash-based message authentication code (HMAC) provides the server and the client each with a private key that is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, per request to the server by hashing the request data with the private keys and sending it as part of a request. What makes HMAC more secure than Message Authentication Code (MAC) is that the key and the message are hashed in separate steps. "HMAC provides digital signatures using symmetric keys instead of PKI". Essentially, if you don't want to deal with complexities of public/private keys, root of trust and certificate chains, you can still have reliable digital signature with HMAC. HMAC relies on symmetric key cryptography with pre-shared secrets instead of private/public pairs.
What is CMAC (Cipher-based Message Authentication Code) and how does it work?
In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
What are the requirements for cryptographic hash functions, i.e., what they supposed to do.
In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage. - Preimage resistance (one-way): For any given output y, it is computationally infeasible to find x such that H(x) = y - Second preimage resistance (weak collision resistance): it is computationally infeasible to find any second input which has the same output as that of a specified input, i.e., given x, it is difficult to find a second preimage x′ ≠ x such that h(x) = h(x′). - (Strong) collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y), i.e. district inputs. With presage attack, you already know one X. With collision resistance, you have more freedom, for you need to find any pair that matches.
What is the Keccak (SHA3)(sponge functions)?
Keccak is based on a novel approach called sponge construction. Sponge construction is based on a wide random function or random permutation, and allows inputting ("absorbing" in sponge terminology) any amount of data, and outputting ("squeezing") any amount of data, while acting as a pseudorandom function with regard to all previous inputs. This leads to great flexibility.
SHA-1 and SHA-2 both make iterative use of a compression function (Merkle-Damgard construction). Describe it!
Merkle-Damgard construction is a method of building collision-resistant Cryptographic Hash Functions from collision-resistant one-way compression functions. Merkle-Damgard construction was used in the design of many popular hash algorithms such as MD5, SHA-1 and SHA-2. The Merkle-Damgård hash function first applies an MD-compliant padding function to create an input whose size is a multiple of a fixed number (e.g. 512 or 1024) — this is because compression functions cannot handle inputs of arbitrary size. The hash function then breaks the result into blocks of fixed size, and processes them one at a time with the compression function, each time combining a block of the input with the output of the previous round.
What is Message Authentication Codes (MAC) and how does it work?
Message Authentication Codes (MAC) are based on the use of a shared secret key (i.e., do not provide non-repudiation). Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication. The sender uses some publicly known MAC algorithm, inputs the message and the secret key K and produces a MAC value. Similar to hash, MAC function also compresses an arbitrary long input into a fixed length output. The major difference between hash and MAC is that MAC uses secret key during the compression. The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned of providing message origin authentication, not confidentiality. If confidentiality is required then the message needs encryption. On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value. The receiver now checks equality of freshly computed MAC with the MAC received from the sender. If they match, then the receiver accepts the message and assures himself that the message has been sent by the intended sender. If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether it is the message that has been altered or it is the origin that has been falsified. As a bottom-line, a receiver safely assumes that the message is not the genuine. HMAC(K,M) = Hash[(K+⨁opad) ǁ Hash[(K+⨁ipad) ǁ M]] (where K+ is K extended with 0s)
What is message authentication and what are some alternative mechanisms?
Message authentication serves to protect the integrity of a message and authenticate its originator. - Message authentication code (MAC) - Digital signature - Authenticated encryption (e.g., GCM) Digital signatures can also provide non-repudiation.
How was SHA-1 shattered?
Modern cryptographic hash functions depend on the fact that the algorithm generates a different cryptographic hash for every file. A hash collision refers to having two separate files with the same hash. The fact that cryptographic weaknesses in SHA-1 make certificates using the SHA-1 algorithm potentially vulnerable to collision attacks is well-known. Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1. The explanation is technologically tricky, but you can think of it as attackers who surgically alters their fingerprints in order to match yours, and then uses that to unlock your smartphone. The attack, which was in the works for two years, stems from the colliding of two PDF files. Bursztein and company claim that through the attack, it's possible to obtain the SHA-1 digital signature on the first PDF file and then use that to abuse the second PDF file by mimicking that signature.
MAC does not provide non-repudiation. Explain.
Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions. MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide a proof that a message was indeed sent by the sender. Though no third party can compute the MAC, still sender could deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC. Both these limitations can be overcome by using the public key based digital signatures.
What is non-repudiation?
Non-repudiation is the assurance that someone cannot deny the validity of something. Digital signatures (combined with other measures) can offer non-repudiation when it comes to online transactions.
What are the security levels if different symmetric key exchange algorithms?
RSA and DH is strongest, with 1014 levels for 80 bit, 2048 for 112, and 15360 for 256-bit. - A 1024-bit RSA key provides insufficient security for general use - Successful quantum computing attacks (e.g., based on Shor's algorithm) would render these asymmetric cryptosystems ineffective - For many applications it's not sufficient that a cipher is secure through its usage period, as long time data protection may be required Crypto usage Post usage data period protection period - There are ongoing efforts to establish quantum-safe asymmetric primitives.
What is RSA (symmetric)?
RSA is an asymmetric system , which means that a key pair will be generated , a public key and a private key , obviously you keep your private key secure and pass around the public one. RSA is rather slow so it's hardly used to encrypt data , more frequently it is used to encrypt and pass around symmetric keys which can actually deal with encryption at a faster speed. - Generate two large random primes p and q, and compute n=p·q - Choose integers e and d such that: e·d = 1 (mod (p-1)(q-1)) - The resulting keypair is: Public key = (e,n) and Private key = (d,n) - Encryption: C = Me (mod n) - Decryption: M = Cd (mod n)
What are some common cryptographic hash functions?
Secure Hash Standard (SHA): - SHA-1 (1995): 160 bit digest. Deprecated by NIST in 2011. 2^16 theoretical collision attack estimated, first occurrence in 2017. - SHA-2 (2002): 224 (2008), 256, 384, or 512 bit digests - SHA-3 (2015): 224, 256, 384, or 512 bit digests MD5 is insecure as it is trivial to find collisions
How does asymmetric crypto system work?
Take a plaintext P, and encrypt it using the public key PU. The cipher text is send to the receiver. The receiver decrypts the packet with the corresponding private key. The authenticity (and validity) of the public key must be assured. Because asymmetric cryptography is slow it is typically used to encrypt a secret key, that is used to encrypt the data using symmetric encryption.
What is the birthday attack?
The birthday attack is a statistical phenomenon relevant to information security that makes the brute forcing of one-way hashes easier. It's based off of the birthday paradox, which states that in order for there to be a 50% chance that someone in a given room shares your birthday, you need 253 people in the room. If, however, you are looking for a greater than 50% chance that any two people in the room have the same birthday, you only need 23 people. This works because the matches are based on pairs. If I choose myself as one side of the pair, then I need a full 253 people to get to the magic number of 253 pairs. In other words, it's me combined with 253 other people to make up all 253 sets. But if I am only concerned with matches and not necessarily someone matching me, then we only need 23 people in the room. Why? Because it only takes 23 people to form 253 pairs when cross-matched with each other. So the number 253 doesn't change. That's still the number of pairs required to reach a 50% chance of a birthday match within the room. The only question is whether each person is able to link with every other person. If so you only need 23 people; if not, and you're comparing only to a single birthday, you need 253 people. This applies to finding collisions in hashing algorithms because it's much harder to find something that collides with a given hash than it is to find any two inputs that hash to the same value.
What are some of the most common cryptographic vulnerabilities?
They are plaintext communication (disclosure), plaintext storage, inadequate SSL certificate checks, weak encryption cipher, hard-coded keys etc.
What are the practical requirements for applying a hash function?
• Can be applied to data of "any" size • Produces a fixed-length output • H(x) is relatively easy to compute You take an input, hash it, and get a fixed length hash value.