Lecture 9: Hash House Harriers David Evans CS551: Security and Privacy
advertisement
Lecture 9:
Hash House Harriers
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• “Quiz” Results
• Hashing
27 July 2016
University of Virginia CS 551
2
Quiz Results
• Six people got everything right
• Most common mistake:
e * d 1 mod n
should be:
e * d (mod (p – 1)(q – 1))
Why is e * d 1 mod n a bad guess?
• Little correlation between how well
you said you understood RSA and
correctness of answers
27 July 2016
University of Virginia CS 551
3
Selected Quiz Comments
• “Wondering if we just have to understand
the algorithms or do we have to memorize
them.”
• “On both of the problem sets, I’ve felt like
its the first time I’ve seen the material
applied this way.”
• “I feel like we’ve hit the surface of many
topics, but haven’t spent enough time to
get really in depth in many of the topics.”
27 July 2016
University of Virginia CS 551
4
Selected Quiz Comments
• “Need TA’s”
– Siddarth Dalai
– Office hours on Tuesdays 3:30-4:30 and
Fridays 2:00-3:00 in the CS department
library or 113g.
– My office hours: Mondays 1:30-2:30,
Wednesdays after class.
27 July 2016
University of Virginia CS 551
5
Using RSA to Encrypt
• Use 1024-bit modulus (RSA
recommends at least 768 bits)
• Encrypt 1M file
• Why does no one use RSA like this?
– About 100-1000 times slower than DES
– Can speed up encryption by choosing e
that is an easy number to multiply by (e.g.,
3 or 216 + 1)
27 July 2016
University of Virginia CS 551
6
Alternatives
• Use RSA to establish a shared secret
key for symmetric cipher (DES, RC6, ...)
– Lose external authentication, nonrepudiation properties of public-key
cryptosystems
• Sign (encrypt with private key) a hash of
the message
– A short block that is associated with the
message
27 July 2016
University of Virginia CS 551
7
0
Hashing
1
2
3
“dog”
“neanderthal”
4
5
6
7
“horse”
8
9
H (char s[]) = (s[0] – ‘a’) mod 10
27 July 2016
University of Virginia CS 551
8
Regular Hash Functions
1. Many-to-one: maps a large number of
values to a small number of buckets
2. Even distribution: for typical data sets,
buckets are similarly full
3. Efficient: H(x) is easy to compute.
How well does
H (char s[]) = (s[0] – ‘a’) mod 10
satisfy these properties?
27 July 2016
University of Virginia CS 551
9
Cryptographic Hash Functions
4. One-way: for given h, it is hard to find x
such that H(x) = h.
5. Collision resistance:
Weak collision resistance: given x, it is hard
to find y x such that H(y) = H(x).
Strong collision resistance: it is hard to find
any x and y x such that H(y) = H(x).
27 July 2016
University of Virginia CS 551
10
Using Hashes
• Alice wants to send Bob and “I owe you”
message.
• Bob should be able to show the
message to a judge to compel Alice to
pay up.
• Bob should not be able to make his own
“I owe you” from Alice, or change the
contents of the one she sent him.
27 July 2016
University of Virginia CS 551
11
IOU Protocol (Attempt 1)
M
H(M)
Bob
Alice
M
H(M)
Hmmm...Bob can just make
up M and H(M)!
Judge
27 July 2016
University of Virginia CS 551
12
IOU Protocol (Attempt 2)
M
EKA[H(M)]
Bob
Alice
secret key KA
Use Diffie-Hellman
to establish shared
secret KA
27 July 2016
M
Judge
knows KA
EKA[H(M)]
Can Bob cheat?
Can Alice cheat?
Yes, send Bob: M, junk.
Judge will think Bob cheated!
University of Virginia CS 551
13
IOU Protocol (Attempt 3)
M
EKRA[H(M)]
Bob
knows KUA
Alice
{KUA, KRA}
27 July 2016
M
Judge
knows KUA
EKRA[H(M)]
Bob can verify H(M) by
decrypting, but cannot forge
M, EKRA[H(M)] pair without
knowing KRA.
University of Virginia CS 551
14
Weak Collision Resistance
• Suppose we use: H (char s[]) = (s[0] – ‘a’) mod
10
• Alice sends Bob:
“I, Alice, owe Bob $2.”, EKRA[H (M)]
• Bob sends Judge:
“I, Alice, owe Bob $2000000000000000.”, EKRA[H
(M)]
• Judge validates EKUA [ EKRA[H (M)]] = H(“I, Alice,
owe Bob $2000000000000000.”) and makes
Alice pay.
27 July 2016
University of Virginia CS 551
15
Weak Collision Resistance
• Given x, it should be hard to find y x
such that H(y) = H(x).
• Similar to a block cipher except no need
for secret key:
– Changing any bit of x should change most
of H(x).
– The mapping between x and H(x) should
be confusing (complex and non-linear).
27 July 2016
University of Virginia CS 551
16
A Better Hash Function?
• H(x) = DES (x, 0)
• Weak collision resistance?
– Given x, it should be hard to find y x such
that H(y) = H(x).
– Yes – DES is one-to-one. (These is no
such y.)
• A good hash function?
– No, its output is as big as the message!
27 July 2016
University of Virginia CS 551
17
What we need:
• Produce small number of bits (say 64)
that depend on the whole message in a
confusing, non-linear way.
• Have we seen anything like this?
Cipher Block Chaining
P1
P2
IV
K
DES
C1
to receiver
30 Aug 2000
27 July 2016
University of Virginia CS 551
K
DES
...
C2
to receiver
University of Virginia CS 551
8
18
Cipher Block Chaining
IV
K
P1
P2
Pn
DES
C1
K
DES
...
K
DES
Cn
C2
Use last ciphertext block as
hash. Depends on all plaintext
blocks.
27 July 2016
University of Virginia CS 551
19
Actual Hashing Algorithms
• Based on cipher block chaining
• No need for secret key or IV (just use 0)
• Don’t use DES
– Performance
– Better to use bigger blocks
• MD5 [Rivest92] – 512 bit blocks, produces
128-bit hash
• SHA [NIST95] – 512 bit blocks, 160-bit
hash
27 July 2016
University of Virginia CS 551
20
Why big hashes?
• 3DES is (probably) secure with 64-bit
blocks, why do secure hash functions
need at least 128 bit digests?
• 64 bits is fine for weak collision
resistance, but we need strong collision
resistance too.
27 July 2016
University of Virginia CS 551
21
Strong Collision Resistance
• It is hard to find any x and y x such
that H(y) = H(x).
• Difference from weak:
– Attacker gets to choose both x and y, not
just y.
• Scenario:
– Suppose Bob gets to write IOU message,
send it to Alice, and she signs it.
27 July 2016
University of Virginia CS 551
22
IOU Request Protocol
x
EKRA[H(x)]
Bob
knows KUA
Alice
{KUA, KRA}
y
EKRA[H(x)]
Bob picks x and y such that
H(x) = H(y).
27 July 2016
Judge
knows KUA
University of Virginia CS 551
23
Finding x and y
Bob generates 210 different agreeable
(to Alice) xi messages:
I, { Alice | Alice Hacker | Alice P. Hacker
| Ms. A. Hacker }, { owe | agree to pay }
Bob { the sum of | the amount of } { $2 |
$2.00 | 2 dollars | two dollars } { by |
before } { January 1st | 1 Jan | 1/1 | 1-1 }
{ 2001 | 2001 AD}.
27 July 2016
University of Virginia CS 551
24
Finding x and y
Bob generates 210 different agreeable (to
Bob) yi messages:
I, { Alice | Alice Hacker | Alice P. Hacker |
Ms. A. Hacker }, { owe | agree to pay } Bob
{ the sum of | the amount of } { $2
quadrillion | $2000000000000000 | 2
quadrillion dollars | two quadrillion dollars }
{ by | before } { January 1st | 1 Jan | 1/1 | 11 } { 2001 | 2001 AD}.
27 July 2016
University of Virginia CS 551
25
Bob the Quadrillionaire!?
• For each message xi and yi, Bob
computes hxi = H(xi) and hyi = H(yi).
• If hxi = hyj for some i and j, Bob sends
Alice xi, gets EKRA[H(x)] back.
• Bob sends the judge yj and EKRA[H(x)].
27 July 2016
University of Virginia CS 551
26
Chances of Success
• Hash function generate 64-bit digest (n = 264)
• Hash function is good (randomly distributed
and diffuse)
• Chance a randomly chosen message maps
to a given hash value: 1 in n = 2-64
• By hashing m good messages, chance that a
randomly chosen message maps to one of
the m different hash values: m * 2-64
• By hashing m good messages and m bad
messages: m * m * 2-64
27 July 2016
University of Virginia CS 551
27
Is Bob a Quadrillionaire?
•
•
•
•
•
m = 210
210 * 210 * 2-64 = 2-44 (doesn’t look good...)
Try m = 232
232 * 232 * 2-64 = 20 = 1 (yippee!)
Flaw: some of the messages might
hash to the same value, might need
more than 232 to find match.
27 July 2016
University of Virginia CS 551
28
Dealing with duplicates
• For a particular yi:
– p(H(yi) = H(x)) = 1/n
– p(H(yi) H(x)) = 1 - 1/n
• Probability that none of m different yi’s
match = p(H(yi) H(x))m = (1 - 1/n)m
• Probability that there is at least one
match = 1 - (1 - 1/n)m
27 July 2016
University of Virginia CS 551
29
Binomial Theorem
(1 – a)k = 1 – ka + (k(k – 1) / 2!) a2
– (k(k – 1)(k – 2) / 3!) a3 ...
For small a: (1 – a)k 1 – ka
Probability that there is at least one match
= 1 - (1 - 1/n)m 1 – (1 – m/n) = m/n
For m = 232 and n = 264: 232/264 2-32
27 July 2016
University of Virginia CS 551
30
Birthday “Paradox”
• What is the probability that a group of k
people have 2 with the same birthday?
27 July 2016
University of Virginia CS 551
31
Birthday Paradox
Ways to assign k different birthdays
without duplicates:
N = 365 * 364 * ... * (365 – k + 1)
= 365! / (365 – k)!
Ways to assign k different birthdays with
possible duplicates:
D = 365 * 365 * ... * 365 = 365k
27 July 2016
University of Virginia CS 551
32
Birthday “Paradox”
Assuming real birthdays assigned
randomly:
N/D = probability there are no duplicates
1 - N/D = probability there is a duplicates
= 1 – 365! / ((365 – k!)(365)k )
For k = 48:
> 95%
27 July 2016
University of Virginia CS 551
33
Generalizing Birthdays
P(n, k) = 1 –
n!
(n – k)!nk
Given k random selections from n possible
values, P(n, k) gives the probability that there is
at least 1 duplicate.
P(n, k) > 1 – e-k*(k-1)/2n
Derived using (1 – x) e-x. (see book)
27 July 2016
University of Virginia CS 551
34
Applying Birthdays
P(n, k) > 1 – e-k*(k-1)/2n
• For n = 365, k = 48:
•
•
•
•
P(365, 48) > 1 – e-48*(47)/2*365
P(365, 48) > .954
For n = 264, k = 232: P (264, 232) > .39
For n = 264, k = 233: P (264, 233) > .86
For n = 264, k = 234: P (264, 234) > .9996
For n = 2128, k = 240: P (2128, 240) > 10-15
27 July 2016
University of Virginia CS 551
35
Conclusion
• If you’re Alice, don’t sign a hash for an
IOU from Bob, unless the hash is at
least 128 bits.
27 July 2016
University of Virginia CS 551
36
Charge
• Full Project Proposals due Oct 4
• Next time:
$$$$
KUA
chainmailinc.com
Guest lecture C = E
A
KRchainmail[Time1, IDA, KUA]
Paco Hope,
chainmailinc.com
Alice
27 July 2016
University of Virginia CS 551
37
