CPSC 418/MATH 318 Introduction to Cryptography Message - PowerPoint PPT Presentation

CPSC 418/MATH 318 Introduction to Cryptography Message Authentication Codes Randy Yee Department of Computer Science University of Calgary March 4, 2020

Outline Password hashing 1 SHA-3 2 Design strategy Details MACs 3 Properties of MACs Design strategies Authenticated Encryption 4

Recall from last time: Basic definition of hash function Three special properties. Well-known examples of hash functions Visit Menti for a short recap

Password hashing Password Hashing When a system stores a password, oftentimes these are stored as hash values. When entering login information, the password is hashed and compared to the stored data. If found to be matching, the user is authenticated. While the quality of the hash function is important, password hashes can still be attacked. One can always apply a brute force search or dictionary attack.

Password hashing Rainbow tables Rainbow tables are databases used to crack (invert) password hashes. They are large dictionaries of pre-computed plaintext passwords and hash values Used to identify passwords which produce a particular hash value. Since these tables can be reused to crack multiple passwords, this precomputation can save a lot of time. See Project RainbowCrack

Password hashing Time-memory tradeoff Use a method due to Oechslin (2004), which improves on the idea of time-memory tradeoff. The method’s success depends on the amount of time and memory available. The basic idea: select a subset of possible passwords and successively apply the hash function followed by a reduction function. The reduction function creates a shorter character string out of the hash value, to be used as input for the next round.

Password hashing Finding matches Create several chains of the form H R H R M 1 − → − → M 2 · · · − → − → M t storing only the beginning and end values ( M 1 , M t ). Suppose an attacker has the hash value x and wants to find a preimage. Starting with x , they create a chain using the above procedure. If x matches with any of the values appearing in our chains, eventually this chain will match M t for one of the computed chains.

Password hashing Some issues Since the last value has been stored along with the first value of our chain, we can regenerate the whole chain. This gives us a value M ′ that hashes to x , which is all one needs to authenticate. Longer chains improve storage, but increase lookup time Ideally, if we compute m chains, they should not collide with each other, otherwise it reduces the expected number of distinct hashes we can find. One can get false alarms: situations where x does not appear in any computed chain, but collides with an endpoint value.

Password hashing Improvements Oechslin’s improvement is to use different reduction function at each step of the chain. This decreases the likelihood of merging chains, and allows for the detection of such cases. See the original paper for more details.

Password hashing Defense Rainbow tables can be thwarted by the use of salts The salt, which need not be secret, ensures a user’s password is hashed uniquely. This limits the effectiveness of precomputed tables, since one would (essentially) need a table for each salt value. Most existing rainbow tables do not consider password lengths longer than 14 characters.

SHA-3 Design strategy Sponge Function The latest standard hash function, SHA-3 (Bertoni, Daemen, Peeters, Van Assche, 2012) used a new kind of design strategy. It is based on the idea of a sponge function , which can be though of a generalization of a hash function. Sponge functions take in arbitrary length inputs, while the length of its output is user specified. Motivated by the search for a function that better simulates a random oracle.

SHA-3 Design strategy Construction Key ingredients are a fixed length permutation f : { 0 , 1 } b → { 0 , 1 } b , where b is called the width , and a padding rule. Pick two values r and c such that r + c = b . We call these the bitrate and the capacity respectively. The value r affects the efficiency of the algorithm, while the value c affects the security level.

SHA-3 Design strategy Let P be a plaintext. Our first step will be to pad the plaintext so that its length is a multiple of the bitrate r . The construction of the function is comprised of two phases, the absorption phase and the squeezing phase. We then break it up into chunks P 0 , P 1 , . . . P n − 1 Think of the absorption phase as taking in the message (like a sponge takes water) The second phase like releasing the hash (letting water out)

SHA-3 Design strategy Diagram Figure: Obtained from https://en.wikipedia.org/wiki/Sponge_function

SHA-3 Design strategy A verbal description For the absorbtion phase, one initializes the first state S 0 as the zero bitstring 0 b . Taking the first r bits of the plaintext, XOR with the first r bits of S 0 , then pass it into f to get S 1 . Repeat this until the whole plaintext P has been XORed into the state.

SHA-3 Design strategy Security The sponge function is designed with the intent that the birthday attack is the most effective attack. Recall problem 3 of A1, where you were asked to show that given n numbers, to ensure a roughly 50% chance of getting a collision, we require close to 1.77 √ n ‘participants’. In the context of hash collisions, n is the size of our image space, namely 2 n , and the participants is the number of distinct strings we compute the hash of.

SHA-3 Design strategy A collision attack on the sponge function Currently, this is the best known attack on the sponge construction, and its effectiveness is given by 2 c/ 2 It is achieved by finding a collision internally If we have time, we will illustrate this attack in detail.

SHA-3 Details Specifications SHA-3 allows for 4 different output lengths, denoted by m . We can have m = 224 , 256 , 384 , 512 . the width b can be specified a by a value ℓ = 0 , 1 , . . . 6 . b = 5 × 5 × 2 ℓ (i.e. 25, 50, 100, 200, 400, 800, 1600). c = 2 m The states are stored as a 3-dimensional array, where the above equations indicates the dimensions of the array. The default value is ℓ = 6 .

SHA-3 Details The permutation f SHA-3 uses multi-round permutation function. The number of rounds is equal to N rounds = 12 + 2 ℓ . Each round of f applies 5 functions in succession to the state S . That is, it computes ι ◦ χ ◦ π ◦ ρ ◦ θ ( S ) where θ, ρ, π, χ are identical each round, and ι incorporates a round constant .

SHA-3 Details Summary: Input: a bitstring S of length b Output: a bitstring S ′ of length b Convert S into an array with dimension 5 × 5 × 2 ℓ For i = 0 , . . . N rounds − 1 do S = ι ◦ χ ◦ π ◦ ρ ◦ θ ( S ) Convert S back into a string of length b Output S ′ = S

SHA-3 Details Summary: The details of these functions can be found in several references located in the handouts section. At a very rough level: the first 3 functions θ, ρ and π , provide diffusion. The map χ is a non-linear map. The map ι disrupts symmetry.

SHA-3 Details Recall Last time, we talked about: Attacking password hashes using rainbow tables The sponge construction used to design SHA-3 Specifications of SHA-3: Options for output length and width Some of the inner details of the function f Visit www.menti.com for a short recap

MACs Motivation Alice and Bob are communicating, but they need to be sure that the messages they are receiving from each other have not been altered. They need a function f which incorporates a message M and which only they know how to compute . Then for a message M , they can send ( M, f ( M )) . Upon receiving a pair ( M ′ , T ) , if the verification f ( M ′ ) = T is successful, they can be sure the message was not altered.

MACs Definition: Message Authentication Code (MAC) The primary symmetric primitive for data integrity . MACs can be thought of as keyed hash functions. Their outputs are typically referred to as tags. Formally, this means that a MAC is a set of functions MAC K : M → { 0 , 1 } n indexed by K ∈ K Similar to how an encryption scheme is a set of functions E K indexed by keys K . Usually we have M = { 0 , 1 } ∗

MACs Informally You can think of MACs as hash functions that also require a key as input. Hence unlike hash functions, MACs have some element of secrecy. In fact, a common way to construct these was to include a secret key as part of the message of a hash function. This must be done with care as some of the ‘obvious’ ways to do this are insecure.

MACs Properties of MACs Main properties MACs have two main properties that they should satisfy: Assuming that the key is known, then the MAC should be easy to compute . For any fixed but unknown key K , it should be computationally infeasible to compute a a new message/MAC pair ( M, MAC K ( M )) , even if provided with many pairs ( M i , MAC K ( M i ) ). This property is called computation resistance .

MACs Properties of MACs Computation resistance Note that MACs do not provide any form of encryption, and so anyone can view M and MAC K ( M ) when sent. Computation resistance captures the scenario where even if Eve has observed many communications (i.e. collected many message/MAC pairs) between Alice and Bob, she cannot validate a message that was not already sent . Eve can potentially resend messages she has seen. What can we do to stop this?