CU-Boulder CSCI 6268 - Lecture #8

Foundations of Network and Computer Security
John Black
Lecture #8
Sep 15th 2005
CSCI 6268/TLEN 5831, Fall 2005

Announcements
• No class next time (Tuesday)
• No OH on Weds, but I'm back on Thurs
• Short lecture today

More cryptographic properties
1. Collision resistance: given a hash function, it is hard to find two colliding inputs
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first
3. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output

Merkle-Damgard construction
[Diagram: the message M is split into k-bit blocks M1, M2, M3. A fixed initial value IV and M1 enter the compression function f, giving the n-bit chaining value h1; f(h1, M2) = h2; f(h2, M3) = h3 = H(M).]
MD Theorem: if f is CR, then so is H

[Slide: SHA-1. Diagram labels: message blocks M1 … Mm, each Mi 512 bits; chaining value H0..4^(i-1) of 160 bits in, 160 bits out.]
for i = 1 to m do
    W_t = { t-th word of Mi                              0 ≤ t ≤ 15
          { ( W_(t-3) ⊕ W_(t-8) ⊕ W_(t-14) ⊕ W_(t-16) ) << 1   16 ≤ t ≤ 79
    A ← H0^(i-1); B ← H1^(i-1); C ← H2^(i-1); D ← H3^(i-1); E ← H4^(i-1)
    for t = 1 to 80 do
        T ← A << 5 + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^(i-1); H1^i ← B + H1^(i-1); H2^i ← C + H2^(i-1); H3^i ← D + H3^(i-1); H4^i ← E + H4^(i-1)
end
return H0^m H1^m H2^m H3^m H4^m

Hash Function Security
• Consider best-case scenario (random outputs)
• If a hash function output only 1 bit, how long would we expect to avoid collisions?
 – Expectation: 1 × 0 + 2 × ½ + 3 × ½ = 2.5
• What about 2 bits?
 – Expectation: 1 × 0 + 2 × ¼ + 3 × (¾ × ½) + 4 × (¾ × ½ × ¾) + 5 × (¾ × ½ × ¼) ≈ 3.22
• This is too hard…

Birthday Paradox
• Need another method
 – Birthday paradox: if we have 23 people in a room, the probability is > 50% that two will share the same birthday
• Assumes uniformity of birthdays
 – Untrue, but this only increases chance of birthday match
• Ignores leap years (probably doesn't matter much)
 – Try an experiment with the class…

Birthday Paradox (cont)
• Let's do the math
 – Let n equal number of people in the class
 – Start with n = 1 and count upward
• Let NBM be the event that there are No-Birthday-Matches
• For n=1, Pr[NBM] = 1
• For n=2, Pr[NBM] = 1 × 364/365 ≈ .997
• For n=3, Pr[NBM] = 1 × 364/365 × 363/365 ≈ .991
• …
• For n=22, Pr[NBM] = 1 × … × 344/365 ≈ .524
• For n=23, Pr[NBM] = 1 × … × 343/365 ≈ .493
 – Since the probability of a match is 1 – Pr[NBM], we see that n=23 is the smallest number where the probability exceeds 50%

Occupancy Problems
• What does this have to do with hashing?
 – Suppose each hash output is uniform and random on {0,1}^n
 – Then it's as if we're throwing a ball into one of 2^n bins at random and asking when a bin contains at least 2 balls
• This is a well-studied area in probability theory called "occupancy problems"
 – It's well-known that the probability of a collision occurs around the square-root of the number of bins
• If we have 2^n bins, the square-root is 2^(n/2)

Birthday Bounds
• This means that even a perfect n-bit hash function will start to exhibit collisions when the number of inputs nears 2^(n/2)
 – This is known as the "birthday bound"
 – It's impossible to do better, but quite easy to do worse
• It is therefore hoped that it takes Ω(2^64) work to find collisions in MD5 and Ω(2^80) work to find collisions in SHA-1

The Birthday Bound
[Plot: Probability (ticks 0.0, 0.5, 1.0) against Number of Hash Inputs (ticks 2^(n/2), 2^n); the collision probability reaches 0.5 near 2^(n/2) inputs.]

Latest News
• At CRYPTO 2004 (August)
 – Collisions found in HAVAL, RIPEMD, MD4, MD5, and SHA-0 (2^40 operations)
• Wang, Feng, Lai, Yu
• Only Lai is well-known
 – HAVAL was known to be bad
 – Dobbertin found collisions in MD4 years ago
 – MD5 news is big!
• CU team has lowered time-to-collision to 3 mins (July 2005)
 – SHA-0 isn't used anymore (but see next slide)

Collisions in SHA-0
    W_t = { t-th word of Mi                              0 ≤ t ≤ 15
          { ( W_(t-3) ⊕ W_(t-8) ⊕ W_(t-14) ⊕ W_(t-16) ) << 1   16 ≤ t ≤ 79      ← the "<< 1" is not in SHA-0
    A ← H0^(i-1); B ← H1^(i-1); C ← H2^(i-1); D ← H3^(i-1); E ← H4^(i-1)
    for t = 1 to 80 do
        T ← A << 5 + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^(i-1); H1^i ← B + H1^(i-1); H2^i ← C + H2^(i-1); H3^i ← D + H3^(i-1); H4^i ← E + H4^(i-1)
[Diagram: chaining input H0..4^(i-1); two one-block messages M1, M1' fed to the compression function; Collision!]

What Does this Mean?
• Who knows
 – Methods are not yet understood
 – Will undoubtedly be extended to more attacks
 – Maybe nothing much more will happen
 – But maybe everything will come tumbling down?!
• But we have OTHER ways to build hash functions

A Provably-Secure Blockcipher-Based Compression Function
[Diagram: a blockcipher E keyed with the message block Mi (n bits) maps the chaining value hi-1 (n bits) to hi (n bits).]

The Big (Partial) Picture
Primitives: Block Ciphers, Hash Functions, Hard Problems, Stream Ciphers (Can do proofs)
First-Level Protocols: Symmetric Encryption, Digital Signatures, MAC Schemes, Asymmetric Encryption (Can do proofs)
Second-Level Protocols: SSH, SSL/TLS, IPSec, Electronic Cash, Electronic Voting (No one knows how to prove security; make
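As an added example (not from the slides), here is the SHA-1 pseudocode above rendered in Python, with a flag that drops the "<< 1" in the message schedule to give SHA-0, which is the single difference the "Collisions in SHA-0" slide marks. The slide's "A << 5" and "B >> 2" are 32-bit rotations (left by 5, and right by 2, i.e. left by 30), and the initial chaining value, the constants K_t and the round functions g_t are assumed to be the standard SHA-1 ones since the slide does not list them; rounds are indexed 0..79 here rather than the slide's 1..80.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Standard SHA-1 values (assumed; not on the slide): initial H0..4 and K_t.
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl(x: int, n: int) -> int:
    """32-bit left rotation; the slide's '<<' and '>>' are rotations, not shifts."""
    return ((x << n) | (x >> (32 - n))) & MASK if n else x


def g(t: int, b: int, c: int, d: int) -> int:
    """Round function g_t: Ch for t<20, Parity for t<40, Maj for t<60, Parity after."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def compress(H: tuple, block: bytes, schedule_rot: int) -> tuple:
    """One application of the slide's compression function to a 512-bit block M_i."""
    W = list(struct.unpack(">16I", block))          # W_t = t-th word of M_i for t <= 15
    for t in range(16, 80):                         # rotation by 1 here; SHA-0 has none
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], schedule_rot))
    A, B, C, D, E = H
    for t in range(80):
        T = (rotl(A, 5) + g(t, B, C, D) + E + K[t // 20] + W[t]) & MASK
        E, D, C, B, A = D, C, rotl(B, 30), A, T    # C <- B rotated right by 2
    return tuple((x + y) & MASK for x, y in zip(H, (A, B, C, D, E)))


def sha(msg: bytes, schedule_rot: int = 1) -> str:
    """Merkle-Damgard iteration over the padded message: rot=1 is SHA-1, rot=0 is SHA-0."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    H = H_INIT
    for i in range(0, len(padded), 64):             # blocks M_1 .. M_m
        H = compress(H, padded[i:i + 64], schedule_rot)
    return "".join(f"{h:08x}" for h in H)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check the SHA-1 path against the standard library."""
    return sha(msg, 1) == hashlib.sha1(msg).hexdigest()
```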
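As a second added example (not from the slides), the birthday calculations of the "Hash Function Security", "Birthday Paradox" and "Occupancy Problems" slides carried out exactly with Python fractions: Pr[NBM] for n people, the smallest n at which a match is more likely than not, and the expected number of inputs before an ideal hash first collides (the 2.5 and 3.22 on the slide), plus a check of how close the 50% point sits to the 2^(n/2) heuristic when the bins are hash outputs.

```python
from fractions import Fraction
import math


def prob_no_match(bins: int, k: int) -> Fraction:
    """Pr[NBM]: k values drawn uniformly from `bins` bins are all distinct.
    bins=365 is the birthday setting; bins=2**n models an ideal n-bit hash."""
    p = Fraction(1)
    for j in range(k):
        p *= Fraction(bins - j, bins)
    return p


def smallest_k_over_half(bins: int) -> int:
    """Smallest k such that Pr[some collision among k draws] exceeds 1/2.
    Floats are used because for hash-sized bins k runs to about 2^(n/2)."""
    k, p = 0, 1.0
    while p >= 0.5:
        p *= (bins - k) / bins
        k += 1
    return k


def expected_inputs_to_first_collision(bins: int) -> Fraction:
    """E[inputs until the first collision] = sum over k >= 0 of Pr[no collision
    after k inputs] (tail-sum formula). Gives 5/2 for 1 bit, 103/32 for 2 bits."""
    total, p, k = Fraction(0), Fraction(1), 0
    while p > 0:
        total += p
        p *= Fraction(bins - k, bins)
        k += 1
    return total


def birthday_bound_ratio(n_bits: int) -> float:
    """Ratio of the exact 50% point to the slide's 2^(n/2) estimate for an n-bit
    hash; the constant is about sqrt(2 ln 2), roughly 1.18."""
    return smallest_k_over_half(2 ** n_bits) / math.sqrt(2 ** n_bits)
```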

