Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions

advertisement 
Hash Pile Ups: Using Collisions to Identify
Unknown Hash Functions
R. Joshua Tobin and David Malone
11 October 2012
Hash Functions
We are talking about hash functions for consistent assignment. For
example,
• Hash tables,
• Network balancing packets (CEF, LAG, ECMP),
• Service load balancing (BIG-IP),
• Packets to CPUs (Microsoft RSS),
• etc.
These are not usually cryptographic strength!
Collisions relatively easy to find.
Outline
1. Background motivation.
2. Idea — learning and generating collisions.
3. 3 examples
3.1 the hash,
3.2 the attack,
3.3 the results.
4. Conclusion.
There is an analysis of each attack in the paper.
Background Motivation
• Algorithmic Complexity Attacks (Crosby and Wallach, 2003).
• Some algorithms have different typical and worst case.
• Attack by choosing input to be worst case.
• Can be applied to hash tables, sorting, string matching, . . .
• Hashes are canonical examples.
Demonstration attack
60
Random Attack
Complexity Attack
Packets Forwarded (pps)
50
40
30
20
10
0
0
5
10
Time (s)
15
20
How to Fix?
• In general use algorithm with good worst case.
• Hash functions too useful though.
• Using crypto-strength hashes often too slow?
• What happens if the hash used is a secret?
Choose your hash randomly from a family on startup.
(Advisories still being released on this issues.)
Hash Costs
16
Xor
Jenkins
Pearson
Universal
MD5
SHA
SHA256
14
12
CPU Time
(us)
10
8
6
4
2
0
Geode
500MHz
Core 2 Duo
2.66GHz
Athlon 64
2.6GHz
Xeon
3GHz
Atom
1.6GHz
Idea — Learning from collisions
1. You usually can’t observe hash output.
2. You can often observe collisions (e.g. time hash lookups,
processing time, reordering, traceroute, server IDs, . . . ).
3. By design, your hashes should have different collisions.
4. Observing collisions leaks information about hash in use
Can we use this to identify the hash function or generate collisions?
Example 1: Small Hash Family
1. Often the hash is keyed by an integer or a few bits.
2. Suppose the number of hashes is small enough to iterate
through.
3. For example, Bob Jenkins’s hash in RFC 5475.
4. Use 4 bits of output (e.g. 16 routes).
Example 1: Small Hash Family
Attack:
1. Make a list of all hashes.
2. Find two colliding inputs (Birthday Paradox).
3. Remove hashes that do not collide on these inputs.
4. Repeat until one hash left.
Example 1: Small Hash Family
30
Number of Probe Strings
25
20
15
10
5
Attempts
Optimistic Estimate
Conservative Estimate
0
10
100
1000
10000
100000
1e+06
Number of Hashes
1e+07
1e+08
1e+09
Example 2: Pearson’s Hash
In 1990 Pearson proposed a neat, fast, randomly keyed hash, using
a random permutation T of a byte and xor (⊗).
To hash a string of bytes:
1. h ← 0
2. foreach (byte[i])
h ← T [byte[i] ⊕ h]
3. return h
Family is really big — 256!
Example 2: Pearson’s Hash
Attack: Recover the permutation.
1. Insert all strings x000. . . 0 and 0y00. . . 0
2. Algebra: collide in pairs (a, b) where T (a) = T (0) ⊗ b.
3. From collisions, we know pairs (using 2*256 strings).
4. T (0) is remaining unknown (small family, get in 256+small
strings).
Attack generalises to replacing bytes and xor with any group.
Example 2: Pearson’s Hash
0.7
1,000,000 trials
predicted
0.6
fraction of trials
0.5
0.4
0.3
0.2
0.1
0
1
2
3
4
5
6
number of random strings hashes to recover T
7
8
Example 3: Toeplitz Hash
Microsoft have a standard for network cards to hand off packet to
CPUs (RSS). The key K is a longish bit string.
1. r ← 0
2. foreach bit b in input
if (b == 1) r ← r ⊗ left-most 32 bits of K
shift K left 1 bit position
3. return r
In practice you use 1–7 bits and might pass through a lookup table
to choose CPU.
Example 3: Toeplitz Hash
Attack: It’s linear over Z2 , use some linear algebra.
1. Choose the bits of the input you control. Set one to zero at a
time.
2. Group the bits according to which collide (E1 , . . . , El ).
3. For any even-sized subsets E1′ , . . . , El′ of E1 , . . . , El


X
X
h(e) = h(x),
e  = h(x) +
h x +
e∈
S
Ei′
e∈
S
Ei′
4. So every even-sized subset collection gives a collision.
Can work with other linear functions too, but more effective for
low index.
Example 3: Toeplitz Hash
60000
Base Attack on Linear Indirection
Base Attack on Non-Linear Indirection
Modified Attack on Non-Linear Indirection
50000
Mean lookup time
40000
30000
20000
10000
0
0
20
40
60
80
100
Basis bits used by attacker
120
140
160
Conclusion
1. Algorithmic Complexity Attacks.
2. For hashes, choosing from a family is useful.
3. However, collisions leak information.
4. Means you need to choose family carefully.
5. Small family is bad.
6. Structure like linear or group is bad.
Related documents
Mash
Mash
Hash table
Hash table
Self-evaluation 21-5-2013
Self-evaluation 21-5-2013
Cryptography Homework #7: Hash function Search
Cryptography Homework #7: Hash function Search
HashQuiz
HashQuiz
Final Exam Review
Final Exam Review
Download
advertisement