Cryptography [Message Authentication Codes and Hash Functions] Fall - PowerPoint PPT Presentation

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Message Authentication Codes and Hash Functions] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,


  1. CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Message Authentication Codes and Hash Functions] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. So Far: Achieving Privacy
     Encryption schemes: A tool for protecting privacy.
     [Diagram: Alice (K) → Encrypt → C → Decrypt → Bob (K); Message = M, Ciphertext = C; Adversary]
     10/21/17 CSE 484 / CSE M 584 - Spring 2015 2

  3. Now: Achieving Integrity
     Message authentication schemes: A tool for protecting integrity.
     MAC: message authentication code (sometimes called a “tag”)
     [Diagram: Alice and Bob each hold KEY; message, MAC(KEY,message) travels between them; the recipient recomputes MAC and verifies whether it is equal to the MAC attached to the message]
     Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message.

  4. Reminder: CBC Mode Encryption
     [Diagram: plaintext blocks, each combined by ⊕ (first with a random initialization vector) and passed through the block cipher under the key, producing the ciphertext blocks]
     • Identical blocks of plaintext encrypted differently
     • Last cipherblock depends on entire plaintext
     • Still does not guarantee integrity

  5. CBC-MAC
     [Diagram: plaintext blocks, each combined by ⊕ and passed through the block cipher under the key; output labelled TAG]
     • Not secure when system may MAC messages of different lengths.
     • NIST recommends a derivative called CMAC [FYI only]

  6. Another Tool: Hash Functions

  7. Hash Functions: Main Idea
     [Diagram: hash function H maps messages x, x’, x’’ (bit strings of any length) to message “digests” y, y’ (n-bit bit strings)]
     • Hash function H is a lossy compression function
       – Collision: h(x)=h(x’) for distinct inputs x, x’
     • H(x) should look “random”
       – Every bit (almost) equally likely to be 0 or 1
     • Cryptographic hash function needs a few properties…

  8. Property 1: One-Way
     • Intuition: hash should be hard to invert
       – “Preimage resistance”
       – Let h(x’) = y ∈ {0,1}^n for a random x’
       – Given y, it should be hard to find any x such that h(x)=y
     • How hard?
       – Brute-force: try every possible x, see if h(x)=y
       – SHA-1 (common hash function) has 160-bit output
         • Expect to try 2^159 inputs before finding one that hashes to y.

  9. Property 2: Collision Resistance
     • Should be hard to find x≠x’ such that h(x)=h(x’)

  10. Birthday Paradox
      • Are there two people in the first 1/3 of this classroom that have the same birthday?
        – 365 days in a year (366 some years)
          • Pick one person. To find another person with same birthday would take on the order of 365/2 = 182.5 people
          • Expect birthday “collision” with a room of only 23 people.
          • For simplicity, approximate when we expect a collision as sqrt(365).
      • Why is this important for cryptography?
        – 2^128 different 128-bit values
          • Pick one value at random. To exhaustively search for this value requires trying on average 2^127 values.
          • Expect “collision” after selecting approximately 2^64 random values.
          • 64 bits of security against collision attacks, not 128 bits.

  11. Property 2: Collision Resistance
      • Should be hard to find x≠x’ such that h(x)=h(x’)
      • Birthday paradox (informal)
        – Let t be the number of values x,x’,x’’… we need to look at before finding the first pair x,x’ s.t. h(x)=h(x’)
        – What is probability of collision for each pair x,x’? 1/2^n
        – How many pairs would we need to look at before finding the first collision? O(2^n)
        – How many pairs x,x’ total? Choose(t,2)=t(t-1)/2 ~ O(t^2)
        – What is t, the number of values we need to look at? 2^(n/2)
      • Brute-force collision search is only O(2^(n/2)), not O(2^n)
        – For SHA-1, this means O(2^80) vs. O(2^160)

  12. Property 2: Collision Resistance
      • Should be hard to find x≠x’ such that h(x)=h(x’)
      • Birthday paradox means that brute-force collision search is only O(2^(n/2)), not O(2^n)
        – For SHA-1, this means O(2^80) vs. O(2^160)
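
The birthday bound from slides 10 to 12, measured instead of derived (an added example, not part of the original slides). SHA-256 truncated to n bits stands in for an n-bit hash, and the function names and sample inputs are constructed for the demo. It compares a search for any colliding pair with a search for a second input matching one fixed target.

```python
import hashlib

def h(data: bytes, n_bits: int) -> int:
    """Stand-in n-bit hash: the top n_bits of SHA-256 (assumption for the demo)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash distinct inputs until ANY two share a digest. Returns (x, x', t)."""
    seen = {}                                  # digest -> input that produced it
    t = 0
    while True:
        x = b"msg-%d" % t                      # constructed, distinct inputs
        t += 1
        y = h(x, n_bits)
        if y in seen:
            return seen[y], x, t               # t = number of values hashed
        seen[y] = x

def find_second_preimage(target: bytes, n_bits: int):
    """Hash distinct inputs until one matches the digest of ONE given target."""
    y = h(target, n_bits)
    t = 0
    while True:
        x = b"try-%d" % t
        t += 1
        if x != target and h(x, n_bits) == y:
            return x, t

def compare(n_bits: int) -> dict:
    """Work needed for each search, next to the 2^(n/2) and 2^n estimates."""
    _, _, t_coll = find_collision(n_bits)
    _, t_second = find_second_preimage(b"constructed target", n_bits)
    return {"n": n_bits,
            "collision_tries": t_coll, "2^(n/2)": 2 ** (n_bits // 2),
            "second_preimage_tries": t_second, "2^n": 2 ** n_bits}

if __name__ == "__main__":
    for n in (8, 12, 16):
        print(compare(n))
```

The collision count tracks 2^(n/2) while the fixed-target count tracks 2^n, which is why an n-bit digest gives only n/2 bits of security against collision search.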

  13. One-Way vs. Collision Resistance
      • One-wayness does not imply collision resistance
        – Suppose g is one-way
        – Define h(x) as g(x’) where x’ is x except the last bit
          • h is one-way (to invert h, must invert g)
          • Collisions for h are easy to find: for any x, h(x0)=h(x1)
      • Collision resistance does not imply one-wayness
        – Suppose g is collision-resistant
        – Define y=h(x) to be 0x if x is n-bit long, 1g(x) otherwise
          • Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g
          • h is not one way: half of all y’s (those whose first bit is 0) are easy to invert (how?); random y is invertible with probab. ½

  14. Property 3: Weak Collision Resistance
      • Given randomly chosen x, hard to find x’ such that h(x)=h(x’)
        – Attacker must find collision for a specific x. By contrast, to break collision resistance it is enough to find any collision.
        – Brute-force attack requires O(2^n) time
      • Weak collision resistance does not imply collision resistance.

  15. Hashing vs. Encryption
      • Hashing is one-way. There is no “un-hashing”
        – A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption”
      • Hash(x) looks “random” but can be compared for equality with Hash(x’)
        – Hash the same input twice → same hash value
        – Encrypt the same input twice → different ciphertexts
      • Cryptographic hashes are also known as “cryptographic checksums” or “message digests”

  16. Application: Password Hashing
      • Instead of user password, store hash(password)
      • When user enters a password, compute its hash and compare with the entry in the password file
        – System does not store actual passwords!
        – Cannot go from hash to password!
      • Why is hashing better than encryption here?

  17. Application: Software Integrity
      [Diagram: BigFirm™, User, goodFile, VIRUS badFile, The NYTimes, hash(goodFile)]
      Goal: Software manufacturer wants to ensure file is received by users without modification.
      Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

  18. Which Property Do We Need?
      • UNIX passwords stored as hash(password)
        – One-wayness: hard to recover the/a valid password
      • Integrity of software distribution
        – Weak collision resistance
        – But software images are not really random… may need full collision resistance if considering malicious developers

  19. Common Hash Functions
      • MD5
        – 128-bit output
        – Designed by Ron Rivest, used very widely
        – Collision-resistance broken (summer of 2004)
      • RIPEMD-160
        – 160-bit variant of MD5
      • SHA-1 (Secure Hash Algorithm)
        – 160-bit output
        – US government (NIST) standard as of 1993-95
        – Theoretically broken 2005; practical attack 2017!
      • SHA-256, SHA-512, SHA-224, SHA-384
      • SHA-3: standard released by NIST in August 2015

  20. SHA-1 Broken in Practice (2017)
      https://shattered.io

  21. Recall: Achieving Integrity
      Message authentication schemes: A tool for protecting integrity.
      MAC: message authentication code (sometimes called a “tag”)
      [Diagram: Alice and Bob each hold KEY; message, MAC(KEY,message) travels between them; the recipient recomputes MAC and verifies whether it is equal to the MAC attached to the message]
      Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message.

  22. HMAC
      • Construct MAC from a cryptographic hash function
        – Invented by Bellare, Canetti, and Krawczyk (1996)
        – Used in SSL/TLS, mandatory for IPsec
      • Why not encryption?
        – Hashing is faster than block ciphers in software
        – Can easily replace one hash function with another
        – There used to be US export restrictions on encryption

  23. Authenticated Encryption
      • What if we want both privacy and integrity?
      • Natural approach: combine encryption scheme and a MAC.
      • But be careful!
        – Obvious approach: Encrypt-and-MAC
        – Problem: MAC is deterministic! same plaintext → same MAC
      [Diagram: M1 = “FIRE FIRE”, M2 = “DON’T FIRE”, M3 = “FIRE FIRE”; each message is encrypted under Ke and MACed under Km, producing (C’1, T1), (C’2, T2), (C’3, T3)]

  24. Authenticated Encryption
      • Instead: Encrypt then MAC.
      • (Not as good: MAC-then-Encrypt)
      [Diagram, Encrypt-then-MAC: M is encrypted under Ke to give C’; C’ is MACed under Km to give T; ciphertext C = (C’, T)]
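
The FIRE / DON’T FIRE exchange from slides 23 and 24 as runnable code (an added example, not part of the original slides). It uses HMAC-SHA256 as the MAC from slides 21 and 22. The slides name no cipher, so a toy randomized stream cipher built from HMAC stands in for "Encrypt"; that cipher and all function names are assumptions for the demo.

```python
import hashlib
import hmac
import os

def keystream(ke: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over nonce||counter (a stand-in cipher only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ke, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(ke: bytes, m: bytes) -> bytes:
    """Randomized encryption: a fresh nonce per message, so C' differs each time."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(ke, nonce, len(m))))

def decrypt(ke: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(ke, nonce, len(body))))

def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()

def encrypt_and_mac(ke, km, m):
    """Slide 23: tag is MAC(Km, M), so equal plaintexts give equal tags."""
    return encrypt(ke, m), mac(km, m)

def encrypt_then_mac(ke, km, m):
    """Slide 24: tag is MAC(Km, C'), computed over the randomized ciphertext."""
    c = encrypt(ke, m)
    return c, mac(km, c)

def verify_then_decrypt(ke, km, c, t):
    """Recipient recomputes the MAC over C' and decrypts only if it matches."""
    if not hmac.compare_digest(mac(km, c), t):
        return None
    return decrypt(ke, c)

def tags(scheme, ke, km, messages):
    """Short hex prefixes of the tags a scheme attaches to each message."""
    return [scheme(ke, km, m)[1].hex()[:16] for m in messages]

if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)
    orders = [b"FIRE FIRE", b"DON'T FIRE", b"FIRE FIRE"]   # messages from slide 23
    print("Encrypt-and-MAC :", tags(encrypt_and_mac, ke, km, orders))
    print("Encrypt-then-MAC:", tags(encrypt_then_mac, ke, km, orders))
```

Under Encrypt-and-MAC the first and third tags print identically, so an observer learns that the same order was sent twice; under Encrypt-then-MAC all three tags differ.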
