CPSC 418/MATH 318 Introduction to Cryptography Message - - PowerPoint PPT Presentation



SLIDE 1

CPSC 418/MATH 318 Introduction to Cryptography

Message Authentication Codes Randy Yee

Department of Computer Science University of Calgary

March 4, 2020

SLIDE 2

Outline

1. Password hashing
2. SHA-3: design strategy; details
3. MACs: properties of MACs; design strategies
4. Authenticated Encryption

SLIDE 3

Recall from last time:

Basic definition of a hash function.
Three special properties.
Well-known examples of hash functions.
Visit Menti for a short recap.

SLIDE 4

Password hashing

Password Hashing

When a system stores a password, it is usually stored as a hash value. When a user enters login information, the entered password is hashed and compared with the stored value; if they match, the user is authenticated. Although the quality of the hash function matters, password hashes can still be attacked.

One can always apply a brute force search or dictionary attack.

SLIDE 5

Password hashing

Rainbow tables

Rainbow tables are databases used to crack (invert) password hashes. They are large dictionaries of pre-computed plaintext passwords and hash values, used to identify passwords which produce a particular hash value.

Since these tables can be reused to crack multiple passwords, this precomputation can save a lot of time. See Project RainbowCrack

SLIDE 6

Password hashing

Time-memory tradeoff

Use a method due to Oechslin (2004), which improves on the idea of time-memory tradeoff.

The method’s success depends on the amount of time and memory available.

The basic idea: select a subset of possible passwords and successively apply the hash function followed by a reduction function.

The reduction function creates a shorter character string out of the hash value, to be used as input for the next round.

SLIDE 7

Password hashing

Finding matches

Create several chains of the form

M1 -H-> -R-> M2 -H-> -R-> M3 · · · -H-> -R-> Mt

storing only the beginning and end values (M1, Mt). Suppose an attacker has the hash value x and wants to find a preimage. Starting with x, they create a chain using the above procedure. If x matches any of the values appearing in our chains, this chain will eventually reach Mt for one of the computed chains.

SLIDE 8

Password hashing

Some issues

Since the last value has been stored along with the first value of our chain, we can regenerate the whole chain.

This gives us a value M′ that hashes to x, which is all one needs to authenticate.

Longer chains save storage, but increase lookup time. Ideally, if we compute m chains, they should not collide with each other; otherwise the expected number of distinct hashes we can find is reduced.

One can get false alarms: situations where x does not appear in any computed chain, but collides with an endpoint value.

SLIDE 9

Password hashing

Improvements

Oechslin’s improvement is to use a different reduction function at each step of the chain. This decreases the likelihood of merging chains, and allows for the detection of such cases. See the original paper for more details.
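The chain construction, endpoint-only storage, lookup, chain regeneration and false-alarm handling of the last few slides, put together as one small runnable example. This is added illustration code, not part of the lecture: the 4-letter password space, the truncated-SHA-256 "password hash" and the reduction function R are all constructed for the example, and the step index mixed into R is the per-step reduction of Oechslin's improvement.

```python
import hashlib

# Constructed toy setting (not from the slides): passwords are 4 lowercase
# letters and the "password hash" is SHA-256 truncated to 4 bytes, so a small
# table can be built in seconds. The chain logic is the same at real sizes.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4
HASH_BYTES = 4
SPACE = len(ALPHABET) ** PW_LEN          # 456,976 candidate passwords


def H(password: str) -> bytes:
    """Stand-in password hash: truncated SHA-256."""
    return hashlib.sha256(password.encode()).digest()[:HASH_BYTES]


def R(h: bytes, step: int) -> str:
    """Reduction function: map a hash value back into the password space.

    Mixing in the step index gives a different reduction at every step of
    the chain (Oechslin's improvement): two chains that hit the same hash at
    different steps diverge again instead of merging for good."""
    n = (int.from_bytes(h, "big") + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, rem = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[rem])
    return "".join(chars)


def build_table(starts, chain_len: int) -> dict:
    """Walk each chain M1 -H-> -R-> M2 ... -> Mt and store only Mt -> M1."""
    table = {}
    for m1 in starts:
        m = m1
        for step in range(chain_len):
            m = R(H(m), step)
        table[m] = m1
    return table


def regenerate(m1: str, chain_len: int, target: bytes):
    """Re-walk a chain from its stored start; return the value hashing to
    target if the chain really contains it (None on a false alarm)."""
    m = m1
    for step in range(chain_len):
        if H(m) == target:
            return m
        m = R(H(m), step)
    return None


def lookup(table: dict, chain_len: int, target: bytes):
    """Invert target using the table. target may sit at any step of a chain,
    so for each candidate position apply the remaining reductions and check
    whether we land on a stored end value. An endpoint match can be a false
    alarm (a colliding endpoint), so the chain is always regenerated."""
    for pos in range(chain_len - 1, -1, -1):
        m = R(target, pos)
        for step in range(pos + 1, chain_len):
            m = R(H(m), step)
        if m in table:
            found = regenerate(table[m], chain_len, target)
            if found is not None:
                return found
    return None


if __name__ == "__main__":
    table = build_table(["test", "zzzz", "abcd"], chain_len=100)
    print(lookup(table, 100, H("test")))   # recovers "test" from the first chain
```

The defensive point of the example is visible in `lookup`: a hit on an endpoint proves nothing until the chain is regenerated, and the whole table is useless against a hash that was computed over a salt the table builder did not know.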

SLIDE 10

Password hashing

Defense

Rainbow tables can be thwarted by the use of salts. The salt, which need not be secret, ensures a user’s password is hashed uniquely. This limits the effectiveness of precomputed tables, since one would (essentially) need a table for each salt value.

Most existing rainbow tables do not consider password lengths longer than 14 characters.
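Added example, not from the slides, of the salted hashing just described: each stored record carries its own random salt next to a PBKDF2-SHA256 digest, verification re-derives the digest with that stored salt, and two users with the same password end up with unrelated records. The record layout and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Added example, not the slides' code. Record layout and parameters are my
# choices: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return the storable record.
    The salt is stored in the clear next to the digest: it need not be secret,
    it only has to differ between users so that no precomputed table applies."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-hash the candidate password with the stored salt and compare in
    constant time, so timing does not leak how many digest bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get unrelated digests: a table
    precomputed for one salt says nothing about the other."""
    r1, r2 = make_record(password), make_record(password)
    return r1.split("$")[3] != r2.split("$")[3]
```

Storing the iteration count inside the record lets the cost be raised later without invalidating existing accounts: old records keep verifying with their own parameters and are re-hashed on the next successful login.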

SLIDE 11

SHA-3 Design strategy

Sponge Function

The latest standard hash function, SHA-3 (Bertoni, Daemen, Peeters, Van Assche, 2012), used a new kind of design strategy. It is based on the idea of a sponge function, which can be thought of as a generalization of a hash function.

Sponge functions take in arbitrary length inputs, while the length of its output is user specified.

Motivated by the search for a function that better simulates a random oracle.

SLIDE 12

SHA-3 Design strategy

Construction

Key ingredients are a fixed length permutation f : {0, 1}b → {0, 1}b, where b is called the width, and a padding rule. Pick two values r and c such that r + c = b. We call these the bitrate and the capacity respectively. The value r affects the efficiency of the algorithm, while the value c affects the security level.

SLIDE 13

SHA-3 Design strategy

Let P be a plaintext. Our first step is to pad the plaintext so that its length is a multiple of the bitrate r, and then break it up into chunks P0, P1, . . ., Pn−1. The construction of the function is comprised of two phases, the absorption phase and the squeezing phase.

Think of the absorption phase as taking in the message (like a sponge takes in water), and the second phase as releasing the hash (letting the water out).

SLIDE 14

SHA-3 Design strategy

Diagram

Figure: Obtained from https://en.wikipedia.org/wiki/Sponge_function

SLIDE 15

SHA-3 Design strategy

A verbal description

For the absorption phase, one initializes the first state S0 as the zero bitstring 0^b. Taking the first r bits of the plaintext, XOR them with the first r bits of S0, then pass the result into f to get S1. Repeat this until the whole plaintext P has been XORed into the state.
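A runnable toy sponge illustrating the construction of slides 12 to 15: padding to a multiple of r, absorbing r bits at a time into a b-bit state through a permutation f, and squeezing out an output of any requested length. This is an added example, not SHA-3's code: b = 32 bytes and r = c = 16 bytes are toy parameters, and f is a small ARX mixer standing in for Keccak-f; sha3_params only restates the parameter relations from the Details slides (b = 25 · 2^ℓ, c = 2m, Nrounds = 12 + 2ℓ).

```python
import struct

# Added toy sponge, not the SHA-3 code: width b = 32 bytes, bitrate r = 16,
# capacity c = 16. The permutation f is a small ChaCha-style ARX mixer chosen
# for readability; SHA-3 uses Keccak-f[1600] with its theta, rho, pi, chi, iota steps.
B, R = 32, 16
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _qr(s, a, b, c, d):
    """Invertible quarter-round on four 32-bit words (add, XOR, rotate)."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def f(state: bytes) -> bytes:
    """Fixed-length permutation f : {0,1}^b -> {0,1}^b (every step is invertible)."""
    s = list(struct.unpack("<8I", state))
    for rnd in range(8):
        s[0] ^= rnd + 1                              # round constant: the role of iota
        _qr(s, 0, 1, 2, 3); _qr(s, 4, 5, 6, 7)       # column mixing
        _qr(s, 0, 5, 2, 7); _qr(s, 4, 1, 6, 3)       # diagonal mixing
    return struct.pack("<8I", *s)


def pad(msg: bytes, r: int = R) -> bytes:
    """Keccak-style pad10*1: append a 1 bit, zeros, then a final 1 bit, so the
    padded length is a multiple of r and the padding is unambiguous."""
    out = bytearray(msg) + b"\x01"
    while len(out) % r:
        out.append(0)
    out[-1] |= 0x80
    return bytes(out)


def sponge(msg: bytes, out_len: int, r: int = R, b: int = B) -> bytes:
    state = bytes(b)                                    # S0 = 0^b
    padded = pad(msg, r)
    for i in range(0, len(padded), r):                  # absorbing phase
        block = padded[i:i + r] + bytes(b - r)          # XOR into the first r bits only
        state = f(bytes(x ^ y for x, y in zip(state, block)))
    out = b""
    while len(out) < out_len:                           # squeezing phase
        out += state[:r]                                # r bits per squeeze
        if len(out) < out_len:
            state = f(state)
    return out[:out_len]


def sha3_params(m: int, l: int = 6) -> dict:
    """Parameter relations from the slides: b = 25 * 2^l, c = 2m, r = b - c."""
    b = 25 * 2 ** l
    c = 2 * m
    return {"b": b, "c": c, "r": b - c, "rounds": 12 + 2 * l}
```

Note that the capacity bytes are never XORed with input and never emitted; that is what the 2^(c/2) collision bound on the next slides refers to, and it is why a longer squeeze does not lower the security level.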

SLIDE 16

SHA-3 Design strategy

Security

The sponge function is designed with the intent that the birthday attack is the most effective attack. Recall problem 3 of A1, where you were asked to show that, given n numbers, to ensure a roughly 50% chance of getting a collision we require close to 1.77√n ‘participants’. In the context of hash collisions, n is the size of our image space, namely 2^n, and the participants are the number of distinct strings we compute the hash of.

SLIDE 17

SHA-3 Design strategy

A collision attack on the sponge function

Currently, this is the best known attack on the sponge construction, and its complexity is 2^(c/2). It is achieved by finding a collision internally. If we have time, we will illustrate this attack in detail.

SLIDE 18

SHA-3 Details

Specifications

SHA-3 allows for 4 different output lengths, denoted by m.

We can have m = 224, 256, 384, 512.

The width b is specified by a value ℓ = 0, 1, . . ., 6:

b = 5 × 5 × 2^ℓ (i.e. 25, 50, 100, 200, 400, 800, 1600), and c = 2m.

The states are stored as a 3-dimensional array, where the above equations indicates the dimensions of the array. The default value is ℓ = 6.

SLIDE 19

SHA-3 Details

The permutation f

SHA-3 uses a multi-round permutation function. The number of rounds is Nrounds = 12 + 2ℓ. Each round of f applies 5 functions in succession to the state S. That is, it computes ι ◦ χ ◦ π ◦ ρ ◦ θ(S), where θ, ρ, π, χ are identical each round, and ι incorporates a round constant.

SLIDE 20

SHA-3 Details

Summary:

Input: a bitstring S of length b
Output: a bitstring S′ of length b

Convert S into an array with dimension 5 × 5 × 2^ℓ
For i = 0, . . ., Nrounds − 1 do
    S = ι ◦ χ ◦ π ◦ ρ ◦ θ(S)
Convert S back into a string of length b
Output S′ = S

SLIDE 21

SHA-3 Details

Summary:

The details of these functions can be found in several references located in the handouts section. At a very rough level:

the first 3 functions θ, ρ and π, provide diffusion. The map χ is a non-linear map. The map ι disrupts symmetry.

SLIDE 22

SHA-3 Details

Recall

Last time, we talked about:

Attacking password hashes using rainbow tables.
The sponge construction used to design SHA-3.
Specifications of SHA-3: options for output length and width; some of the inner details of the function f.

Visit www.menti.com for a short recap.

SLIDE 23

MACs

Motivation

Alice and Bob are communicating, but they need to be sure that the messages they are receiving from each other have not been altered. They need a function f which incorporates a message M and which only they know how to compute. Then for a message M, they can send (M, f(M)).

Upon receiving a pair (M′, T), if the verification f(M′) = T is successful, they can be sure the message was not altered.

SLIDE 24

MACs

Definition: Message Authentication Code (MAC)

The primary symmetric primitive for data integrity. MACs can be thought of as keyed hash functions. Their outputs are typically referred to as tags.

Formally, this means that a MAC is a set of functions MACK : M → {0, 1}^n indexed by keys K ∈ K (the key space).

This is similar to how an encryption scheme is a set of functions EK indexed by keys K. Usually we have M = {0, 1}^*.

SLIDE 25

MACs

Informally

You can think of MACs as hash functions that also require a key as input.

Hence unlike hash functions, MACs have some element of secrecy.

In fact, a common way to construct these was to include a secret key as part of the message of a hash function.

This must be done with care as some of the ‘obvious’ ways to do this are insecure.

SLIDE 26

MACs Properties of MACs

Main properties

MACs have two main properties that they should satisfy:

1. Assuming that the key is known, the MAC should be easy to compute.
2. For any fixed but unknown key K, it should be computationally infeasible to compute a new message/MAC pair (M, MACK(M)), even if provided with many pairs (Mi, MACK(Mi)).

The second property is called computation resistance.

SLIDE 27

MACs Properties of MACs

Computation resistance

Note that MACs do not provide any form of encryption, and so anyone can view M and MACK(M) when sent. Computation resistance captures the scenario where even if Eve has observed many communications (i.e. collected many message/MAC pairs) between Alice and Bob, she cannot validate a message that was not already sent. Eve can potentially resend messages she has seen. What can we do to stop this?

SLIDE 28

MACs Properties of MACs

Computation resistance

The definition actually covers the case where Eve is somehow able to choose the set of message/MAC pairs she observes.

This is sometimes referred to as existential unforgeability under chosen message attack (EUF-CMA), and is analogous to the concept of a chosen-ciphertext attack on encryption schemes. We also note that the security requirements for MACs are quite distinct from those of hash functions.

SLIDE 29

MACs Properties of MACs

MACs in practice

To achieve data integrity, Alice and Bob must have a shared key K. Alice transmits the pair (M, MACK(M)). Bob receives (M′, T), computes MACK(M′) and checks that this matches T.

Computation resistance implies that only someone with the key can construct a correct tag.
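The exchange on this slide in code, together with one answer to the replay question raised on slide 27: Alice tags (sequence number || M), and Bob rejects any pair whose number is not newer than the last one he accepted, so a resent pair fails even though its tag is genuine. This is an added example, not lecture code; MACK is instantiated with HMAC-SHA256 from the standard library, and the sequence-number scheme is this example's own choice of replay defence.

```python
import hashlib
import hmac
import os

# Added example, not the slides' own code. The sequence number is my choice
# of replay defence; any fresh, unrepeatable value the MAC covers will do.
SEQ_BYTES = 8


def mac(key: bytes, message: bytes) -> bytes:
    """MAC_K(M) instantiated with HMAC-SHA256 (one of the secure constructions)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, msg: bytes):
        """Alice: the tag is computed over (sequence number || message), so a
        tag observed on an earlier message cannot be reused with a new number."""
        self.seq += 1
        tag = mac(self.key, self.seq.to_bytes(SEQ_BYTES, "big") + msg)
        return self.seq, msg, tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, seq: int, msg: bytes, tag: bytes) -> bool:
        """Bob: recompute MAC_K(M') and compare with T in constant time, then
        reject anything whose number is not strictly newer than the last
        accepted one (a replayed pair carries a valid tag but an old number)."""
        expected = mac(self.key, seq.to_bytes(SEQ_BYTES, "big") + msg)
        if not hmac.compare_digest(expected, tag):
            return False          # altered message, wrong key, or forged tag
        if seq <= self.last_seq:
            return False          # replay of a message already accepted
        self.last_seq = seq
        return True


def demo():
    key = os.urandom(32)          # shared key K, agreed out of band
    alice, bob = Sender(key), Receiver(key)
    packet = alice.send(b"transfer 10 to carol")
    first = bob.receive(*packet)                                # True
    replayed = bob.receive(*packet)                             # False: old number
    seq, msg, tag = alice.send(b"transfer 20 to carol")
    altered = bob.receive(seq, b"transfer 90 to carol", tag)   # False: tag mismatch
    genuine = bob.receive(seq, msg, tag)                        # True
    return first, replayed, altered, genuine
```

The order of the two checks matters: the tag is verified first so that the replay state (`last_seq`) is only ever advanced by authentic messages.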

SLIDE 30

MACs Design strategies

MACs from Block Ciphers

Figure: CBC-MAC diagram. Obtained from Wikipedia

SLIDE 31

MACs Design strategies

Security of CBC-MAC

CBC-MAC is secure only with fixed length messages. Suppose we can query an oracle to give us two message/MAC pairs.

Show that CBC-MAC is insecure if variable message lengths are allowed.
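A worked version of this exercise, added here and not part of the slides: with a toy block cipher (a keyed-SHA-256 Feistel network standing in for AES), two honestly obtained pairs (M1, T1) and (M2, T2) of different lengths already determine the tag of a third, spliced message under raw CBC-MAC, which is exactly what computation resistance forbids. Running the same check against a length-prefixed variant shows why the standardized fixes (length prefixing, or CMAC's final-block key) exist. The key, messages and toy cipher are constructed for the example.

```python
import hashlib

BLOCK = 16

# Added example, not the slides' code. The block cipher E_K is a constructed
# 4-round Feistel network whose round function is keyed SHA-256; it is only a
# stand-in for AES so that the example runs with the standard library.


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy E_K on one 16-byte block (a permutation, like any Feistel cipher)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return right + left


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, tag = last ciphertext block, no length encoding."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, _xor(state, msg[i:i + BLOCK]))
    return state


def cbc_mac_length_prefixed(key: bytes, msg: bytes) -> bytes:
    """One standard fix: prepend the message length as the first block, so
    messages of different lengths never share a CBC state."""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


def splice(m1: bytes, t1: bytes, m2: bytes) -> bytes:
    """M1 || (first block of M2 XOR T1) || rest of M2. After absorbing M1 the
    CBC state equals T1, so the XOR cancels and the chain continues exactly
    as it did for M2 on its own."""
    return m1 + _xor(m2[:BLOCK], t1) + m2[BLOCK:]


def variable_length_check(mac_fn, key: bytes, m1: bytes, m2: bytes) -> bool:
    """True if the two honestly obtained pairs (M1, T1), (M2, T2) already fix
    the tag of the spliced message, i.e. the scheme fails computation
    resistance once variable-length messages are allowed."""
    t1, t2 = mac_fn(key, m1), mac_fn(key, m2)
    return mac_fn(key, splice(m1, t1, m2)) == t2


def demo():
    key = b"constructed 16B!"
    m1 = b"transfer  10 EUR"                          # one block
    m2 = b"to account 0042 " + b"from alice      "    # two blocks
    return (variable_length_check(cbc_mac, key, m1, m2),                   # True
            variable_length_check(cbc_mac_length_prefixed, key, m1, m2))   # False
```

In practice, use CMAC or HMAC rather than a hand-rolled length prefix; the point of the prefixed variant here is only to show that the weakness is structural (the last state is reused as an IV) and not a property of the block cipher.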

SLIDE 32

MACs Design strategies

MACs from Hash functions

We might also try to incorporate a key into a normal hash function and try to get a MAC. Using the iterated hash function design, the ‘obvious’ ways to do this (putting the key at the front or back) are insecure.

Exercise

SLIDE 33

MACs Design strategies

Secure MAC constructions

There are secure constructions, see HMAC and Sandwich MAC.

Sandwich MAC simply says to both prepend and append the key at the same time.

Sponge function based constructions are not susceptible to the same type of attacks.

KMAC, a MAC based on this idea, is believed to be secure.

SLIDE 34

Authenticated Encryption

Authenticated Encryption

In many instances, one may desire both secrecy and data integrity. Can we combine an encryption scheme with a MAC to achieve both simultaneously? Three ways to combine:

Encrypt-then-MAC: send C || MACK′(C), where C = EK(M) (used in IPsec).
MAC-then-Encrypt: send EK(M || MACK′(M)) (used in SSL/TLS).
Encrypt-and-MAC: send EK(M) || MACK′(M) (used in SSH).

SLIDE 35

Authenticated Encryption

Nuances

Under standard assumptions (EK is IND-CPA and MAC is EUF-CMA), encrypt-then-MAC is secure, while the others may not be (Bellare-Namprempre 2000).

MAC-then-encrypt can be secure provided certain extra assumptions hold; see the analysis in Krawczyk, 2001. Certain implementations have been susceptible to padding oracle attacks.

Encrypt-and-MAC is not generically secure even under stronger assumptions, and thus not recommended.
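Encrypt-then-MAC, the composition these slides recommend, in code: the tag covers the nonce and the ciphertext, and the receiver verifies before it decrypts, so a tampered message is rejected without ever producing a decryption or padding error for anyone to observe. This is an added example, not from the lecture; EK is a constructed SHAKE-256 keystream XOR standing in for a real cipher, and the two separate keys K and K′ follow the notation of slide 34.

```python
import hashlib
import hmac
import os

# Added example, not the slides' code. E_K is a constructed XOR stream cipher
# keyed from SHAKE-256(K || nonce); it stands in for a real cipher so that the
# composition logic is visible. Keys K (encryption) and K' (MAC) are separate.
NONCE_BYTES, TAG_BYTES = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """E_K / D_K: XOR with a per-nonce keystream (encryption and decryption coincide)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def etm_seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: C = E_K(M), then send nonce || C || MAC_K'(nonce || C).
    The tag covers every byte that goes on the wire, nonce included."""
    nonce = os.urandom(NONCE_BYTES)
    c = _xor_stream(enc_key, nonce, msg)
    return nonce + c + _tag(mac_key, nonce + c)


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify first, decrypt second. A tampered ciphertext is rejected before
    any decryption runs, so there is no padding or decryption error to
    observe (the failure mode behind padding-oracle attacks on
    MAC-then-encrypt implementations). Returns None on rejection."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        return None
    nonce, c, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    if not hmac.compare_digest(_tag(mac_key, nonce + c), tag):
        return None
    return _xor_stream(enc_key, nonce, c)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    blob = etm_seal(enc_key, mac_key, b"meet at noon")
    ok = etm_open(enc_key, mac_key, blob)                  # b"meet at noon"
    flipped = bytearray(blob)
    flipped[NONCE_BYTES] ^= 0x01                           # flip one ciphertext bit
    tampered = etm_open(enc_key, mac_key, bytes(flipped))  # None
    return ok, tampered
```

Two details carry the security argument: the tag is checked over the exact bytes received (so the receiver never acts on unauthenticated data), and the comparison is constant-time (so the check itself does not leak which tag bytes matched).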

SLIDE 36

Authenticated Encryption

Notes

SSH (which employs encrypt-and-MAC) has not been shown to be insecure, but it lacks theoretical guarantees. In A1, Bob used the ‘hash-then-encrypt’ paradigm. This falls into a similar category as MAC-then-Encrypt.

Here, data integrity is completely tied to the encryption scheme. This is generally bad cryptographic practice.

Once the encryption scheme is compromised, the authentication mechanism is useless.

SLIDE 37

Authenticated Encryption

Authenticated encryption schemes

There has been a move away from composing primitives in the above way to achieve authenticated encryption. Instead, it is now common to see cipher modes of operation with built-in authentication.

See TLS 1.3 ciphersuites.

One such mode is the Galois Counter Mode (GCM)

Short video explanation

SLIDE 38

Authenticated Encryption

Research trends

Some current topics related to MACs: Light-weight MACs (used in resource constrained environments). Security of MACs in the quantum setting. Homomorphic MACs

SLIDE 39

Authenticated Encryption

Symmetric cryptography complete!

We have covered the major symmetric key primitives! Symmetric key cryptography is fast and can achieve many of our cryptographic goals. However, it often assumes that two parties have already shared a key.

One might seek a way to accomplish tasks without this condition.

You have already seen the protocol of Diffie and Hellman, which paved the way for public-key cryptography. As we move onto this new area, we’ll see how mathematics plays an increasingly important role in cryptographic systems.