lecture 18 –message integrity - checkoway
TRANSCRIPT
Lecture 18 – Message IntegrityStephen Checkoway
University of Illinois at ChicagoCS 487 – Fall 2017
Slides from Miller & Bailey’s ECE 422
Cryptography is the study/practice of techniques for secure communication, even in the presence of powerful adversaries who have control over the underlying channel
Alice Bob
Eve (or Mallory)
Wiretaps the channelDrops messagesTampers with messages
Send messages to each other over a channel (e.g., a shoe string, a
copper wire, a TCP socket)
Learning goals of cryptography module
- Understand the interfaces of basic crypto primitives
Hashes, MACs, symmetric encryption, public key encryption, digital signatures, key exchange
- Apply the adversarial mindset to crypto protocols
- Appreciate the following warning:
“Don’t roll your own Crypto!” …….
- Familiarity with concepts, vocabulary
Lectures are for breadth
Cryptography can help ensure:
- Confidentiality: secrecy, privacy
- Integrity: tamper resilience
- Availability
- Non-repudiability, or deniability
…. many more properties
Cryptography is not just encryption!
Alice Bob
Threat model: Mallory can see, forge, tamper with messages
Goal:SecureFileTransferAlicewantstosendfilem toBob(let’ssay,a4Gigabytemovie)MallorywantstotrickBobintoacceptingafileAlicedidn’tsend
m m’
Threat model: Mallory can see, forge, tamper with messages
Goal:SecureFileTransferAlicewantstosendfilem toBob(let’ssay,a4Gigabytemovie)MallorywantstotrickBobintoacceptingafileAlicedidn’tsend
m m’
Alice Bob
Setup assumption: Securely transfer a short message!
Shortmessage v
Solution:CollisionResistantHashFunction(CRHF)HashFunctionh:{0,1}*→{0,1}256 (orotherfixednumber)
1.Alicecomputesv :=h(m)2.Alicetransfersv oversecurechannel,m overinsecurechannel
3.Bobverifiesthatv=h(mʹ),acceptsfileiff thisistrue
Functionh? We’resunkifMallorycancomputem’ ≠mwhereh(m)=h(m’)! Acollision!
Contrastwith:“checksums”e.g.CRC32....defendagainstrandomerrors,notadeliberateattacker!
mBob
mʹAlice Mallory
v
HashfunctionpropertiesGoodhashfunctionsshouldhavethefollowingproperties
Firstpre-image resistance:
Givenh(m),itiscomputationallyinfeasibletofindm’s.t. h(m’) =h(m)
Secondpre-image resistance:
Given m1, itiscomputationallyinfeasibleto findm2 ≠m1 s.t. h(m1)=h(m2)
Collision resistance:
Itiscomputationallyinfeasibletofind anym1≠m2 s.t. h(m1)=h(m2)
Which of these properties implies which others?
Hashfunctionconstruction
• Merkle–Damgård construction• Padmessagetoamultipleofblocksize• Runacompressionfunctionovereachblockandtheoutputoftheprevious
compressedblock(seenextslide)• UsedforMD5,SHA-1,SHA-2
• Spongeconstruction• Padmessagetoamultipleofafixedsize(thebitrater)• “Absorb”themessagerbitsatatimebyXORing withpartoftheinternalstate,
andpermutingthewholestatebypermutationf• “Squeeze”outtheoutputrbitsatatime,applyingfinbetween• SHA-3
h
h
h
H(M)
IV
…
b0
M pad b1
bn-1
…
Merkle–Damgård Construction- Arbitrary-lengthinput- Fixed-lengthoutput- Builtfromfixed-size“compressionfunction”
Arbitrarylengthinput
Fixed-lengthinputs/outputs
Fixedlengthoutput
Spongeconstruction
• Internalstateinitially0r+c totalbits
• Pi aremessageblocks• Zi aretheoutputblocks
TheSHA256 compressionfunction,h
CryptographichashInput:arbitrarylengthdata(Nokey)Output:256bits
Builtwithcompressionfunction,h(256bits,512bits)in→256bitsoutDesignedtobereallyhairy(64roundsofthis)!
ConfusionandDiffusion
WhatisSHA256?$ sha256sum file.dat
“One round of the algorithm takes 16 minutes, 45 seconds which works out to a hash rate of 0.67 hashes per day.”
https://www.youtube.com/watch?v=y3dqhixzGVo
Otherhashfunctions:MD5
OnceubiquitousBrokenin2004Turnsouttobeeasytofindcollisions(pairsofmessageswithsameMD5hash)
SHA-1Currentlywidelyused,butgoingawayBrokenin2017Don’tuseinnewapplications
SHA-3Differentconstruction:“Sponge”Notsusceptibletolength-extension
Howdoyoufindacollision?- Pigeonholeprinciple: collisionsmustexist
Inputspace{0,1}*largerthanoutput{0,1}256
- Birthdayattack: buildatablewith2128 entriesWith~50%probability,haveacollision
- Cyclefinding:“Tortoiseandhare”algorithmh(x),h(h(x)),h(h(h(x),..,hi(x)
- Thesearegeneric—actualattacksrelyonstructure oftheparticularfunction
MostcryptographicprimitivescomewithasecurityparameterUsuallyk,orλ
- Oftencorrespondstoakeysize- Cryptographyprotocolsruninpolynomial time
i.e.,asafunctionofλ, O(poly(λ ))- Ideally,wecanshowthatthechanceoffailureisnegligible,orvanishingly smallasafunctionofλ
O(negl(λ ))
ConcreteParameterizationHowlargeofadigestsizeshouldwechoose?1.Estimateanattacker’sbudget
E.g.,theentireNSA2.ConsiderthebestknownattacksReductionfromprotocoltowell-studiedproblem3.AddasafetymarginIfallgoeswell,adding1bitincreasessearchspaceby2x
Alice Bob
Threat model: Mallory can see, forge, tamper with messages
Goal:MessageIntegrityAlicewantstosendmessagem toBobMallorywantstotrickBobintoacceptingamessageAlicedidn’tsend
m m’
Alice, x Bob, x
Threat model: Mallory can see, forge, tamper with messages
Goal:MessageIntegrity
Setup assumption: shared secret
Alicewantstosendmessagem toBobMallorywantstotrickBobintoacceptingamessageAlicedidn’tsend
m m’
Solution:MessageAuthenticationCode(MAC)1.Alicecomputesv :=f(m)
2.
3.Bobverifiesthatvʹ =f(mʹ),acceptsmessageiff thisistrue
Functionf?EasilycomputablebyAliceandBob;not computablebyMallory
(Idea:SecretonlyAlice&Bobknow)We’resunkifMallorycanlearnf(m’)foranym ≠m’!
e.g.“Attackatdawn”,628369867…
m,vBob
mʹ,vʹAlice Mallory
Candidatef:Randomfunction
Input: AnysizeuptohugemaximumOutput: Fixedsize(e.g.256bits)Definedbyagiantlookuptablethat’sfilledinbyflippingcoins
Completelyimpractical
Provablysecure
… …
0 → 0011111001010001…1 → 1110011010010100…2 → 0101010001010000…
[Why?]
[Why?]
Wantafunctionthat’spracticalbut“looksrandom”…Pseudorandomfunction(PRF)
Let’sbuildone:Startwithabigfamilyoffunctions
f0,f1,f2,… allknowntoMallory
Usefk,wherek isasecretvalue(or“key”)knownonlytoAlice/Bob
k is(say)256bits,chosenrandomly
Kerckhoffs’s PrincipleDon’trelyonsecretfunctionsUseasecretkey,tochoosefromafunctionfamily
[Why?]
MoreformaldefinitionofasecurePRF:GameagainstMallory1. Weflipacoinsecretlytogetbitb2. Ifb=0,letg bearandomfunction
Ifb=1,letg =fk,wherek isarandomlychosensecret
3. RepeatuntilMallorysays“stop”:Mallorychoosesx;weannounceg(x)
4. Malloryguessesb
Wesayf isasecurePRFifMallorycan’tdobetterthanrandomguessing*
i.e.,fk isindistinguishableinpracticefromarandomfunction,unlessyouknowk
Importantfact:There’sanalgorithmthatalwayswinsforMallory
[Whatisit?][Howtofixit?]
AsolutionforAliceandBob:1. Letf byasecurePRF2. Inadvance,choosearandomk knownonlytoAliceandBob3. Alicecomputesv :=fk(m)
4. Bobverifiesthatvʹ =fk(mʹ),acceptsmessageiff thisistrue
[Importantassumptions?]
WhatifAliceandBobwanttosendmorethanonemessage?
[Attacks?][Solutions?]
m,vBob
mʹ,vʹAlice Malloryk k
h
h
h
H(M)
IV
…
b0
M pad b1
bn-1
…
Merkle–DamgårdConstruction- Arbitrary-lengthinput- Fixed-lengthoutput- Builtfromfixed-size“compressionfunction”
Arbitrarylengthinput
Fixed-lengthinputs/outputs
Fixedlengthoutput
RecommendedApproach:Hash-basedMAC(HMAC)HMAC-SHA256 seeRFC2104
HMACk(m)=
0x3636… 0x5c5c…Concatenation
XOR
SHA256functiontakesarbitrarylengthinput,returns256-bitoutput
MessageAuthenticationCode (MAC)e.g.HMAC-SHA256vs.Cryptographichashfunctione.g.SHA256not astrongPRF
Usedtothinkthedistinctiondidn’tmatter,nowwethinkitdoes
e.g.,lengthextensionattacks
BettertouseaMAC/PRF(notahash)$ openssl dgst -sha256 -hmac <key>
MAC Crypto Game
Game against Mallory
1. Give Mallory MAC(k, mi) for all mi in M In other words, Mallory has an oracle
Mallory can choose next mi after seeing answer
2. Mallory tries to discover MAC(k, m’) for a new m’ not in M
We can show the MAC game reduces to the PRF game. Mallory wins MAC game → she wins PRF game.
This is a Security Proof
WhatisaSecurityProof?- Areduction fromanattackonyourprotocol toanattackonawidelystudied,hardproblem- Excludeslargeclassesofattacks,guidescomposition
- Proofsareinmodels.So,attackoutsidethemodel!- ItdoesNOT prove thatyourprotocolissecure- Wedon’tknowifthereareanyhardproblems!- ThefieldofModern Cryptography isbasedonproofs- Mostwidelyusedprimitives(SHA-256,AES,DSA)havenosecurityproof.Werelyonthembecausethey’rewidelystudied