Cryptographic hashing
H(m_n) = m’_n’ is a hash function if
• H is a one-way function
• n (bit length) is unbounded
• n’ is short (and usually fixed)
➡ H is a lossy compression function
Two families of hash functions
• Non-keyed a.k.a message digest : H(m_n) = m’_n’
e.g. password protection, digital signatures
• Keyed a.k.a MAC - Message Authentication Code : H_k(m_n) = m’_n’
e.g. message integrity
[Diagram: H, with inputs m1, m2, m3 and outputs x1, x2]
Computational complexity
• Given H and m, computing x is easy (polynomial or linear)
• Given H and x, computing m is hard (exponential)
➡ H is not invertible
[Diagram: m → H → x]
Preimage resistance and collision resistance
PR - Preimage Resistance
➡ given H and x, hard to find m
e.g. password storage
2PR - Second Preimage Resistance
➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x
e.g. virus resistance (Tripwire tool)
CR - Collision Resistance
➡ given H, hard to find m and m’ such that H(m) = H(m’) = x
e.g. digital signatures
CR ⇒ 2PR ⇒ PR
Hash functions in practice
Non-keyed vs Keyed hash functions
Most hash functions require an IV (Initialization Vector)
• Non-keyed : H(m_n) = m’_n’
the IV (Initialization Vector) is fixed
• Keyed : H_k(m_n) = m’_n’
the key is supplied as the IV
➡ The commonly used standards are non-keyed
[Diagram: H takes m (n bits) and the IV (n’ bits) and outputs x (n’ bits)]
Common hash functions
Name  | Year | Designer                                                           | Speed (cycle/byte) | Considered broken
MD5   | 1992 | Rivest                                                             | 6.8                | yes
SHA-1 | 1993 | NSA                                                                | 11.4               | yes
SHA-2 | 2001 | NSA                                                                | 15.8, 17.7         | no
SHA-3 | 2012 | Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche | 12.5               | no

Variant  | Input (n bits) | Output (n’ bits)
MD5      | 512            | 128
SHA-1    | 512            | 160
SHA-224  | 512            | 224
SHA-256  | 512            | 256
SHA-384  | 1024           | 384
SHA-512  | 1024           | 512
SHA3-224 | 1152           | 224
SHA3-256 | 1088           | 256
SHA3-384 | 832            | 384
SHA3-512 | 576            | 512
How to hash long messages ?
Merkle–Damgård construction
Property : if H is CR then Merkle–Damgård is CR
split m in blocks of n bits and add padding p
[Diagram: starting from the IV, H is applied to the blocks m1, m2, m3, m4 || p in turn; each n’-bit output feeds the next H and the last output is x]
Security of hash functions
Brute-forcing a hash function
CR - Collision Resistance
➡ given H, hard to find m and m’ such that H(m) = H(m’) = x
Given a hash function H of n bits output
• Reaching all possibilities : 2^n cases
• On average, an attacker should try half of them : 2^(n-1) cases
Birthday Paradox
“There is a 50% chance that 2 people have the same birthday in a room of 23 people”
N-bits security
➡ Given a hash function H of n bits output, a collision can be found in around 2^(n/2) evaluations
e.g. SHA-256 has 128 bits of security
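An added example (not from the original slides) that measures the birthday bound: it truncates SHA-256 to n bits and counts evaluations until two distinct messages collide. The truncation, the counter-based messages and the output sizes 16, 20 and 24 are assumptions made for the demonstration.

```python
import hashlib

def truncated_hash(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg): a stand-in for a hash with n-bit output."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct constructed messages until two share a digest.
    Returns (m, m', evaluations)."""
    seen = {}                                  # digest -> first message producing it
    evaluations = 0
    while True:
        msg = b"constructed-message-%d" % evaluations
        evaluations += 1
        x = truncated_hash(msg, bits)
        if x in seen:                          # H(m) = H(m') with m != m'
            return seen[x], msg, evaluations
        seen[x] = msg

def birthday_report(sizes=(16, 20, 24)):
    """For each n: evaluations used, the birthday estimate 2^(n/2), and the
    2^(n-1) average cost of brute force from the previous slide."""
    rows = []
    for n in sizes:
        m1, m2, used = find_collision(n)
        assert m1 != m2 and truncated_hash(m1, n) == truncated_hash(m2, n)
        rows.append((n, used, 2 ** (n // 2), 2 ** (n - 1)))
    return rows

if __name__ == "__main__":
    for n, used, estimate, brute in birthday_report():
        print(f"n={n:2d}  collision after {used} evaluations  "
              f"(2^(n/2)={estimate}, 2^(n-1)={brute})")
```

The search stores every digest it has seen, so memory grows with the number of evaluations as well as time.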
Broken hash functions beyond the birthday paradox
      | Year | Collision
MD5   | 2013 | 2^24 evaluations (2^39 with prefix)
SHA-1 | 2015 | 2^57 evaluations
Playing with cryptography beyond confidentiality
Security goals
Let us consider 3 new security goals (beyond confidentiality)
• Integrity : protecting the content of a message
• Authentication : protecting the origin of a message
• Non-repudiation : protecting the identity of the originator
Security mechanisms
                | Hash | MAC       | Digital Signature
Integrity       | yes  | yes       | yes
Authentication  | no   | yes       | yes
Non-repudiation | no   | no        | yes
Keys            | None | Symmetric | Asymmetric
Hashing (Integrity)
[Diagram: the message is sent as m || H(m); provides integrity]
MAC - Message Authentication Code
Alice and Bob share a key k
➡ Option 1 : using a keyed hash function on the message
MAC_k(m) = H_k(m)
➡ Option 2 : using a non-keyed hash function on the message (HMAC)
MAC_k(m) = H(k || m)
[Diagram: the message is sent as m || MAC_k(m) and both sides hold the MAC key k; provides integrity and authentication]
Length extension attack
MAC_k(m || m’) = H(MAC_k(m) || m’)
Vulnerable : MD5, SHA-1 and SHA-2 (but not SHA-3)
➡ Assignment 3 - Part 3
Good MAC with non-keyed hash
Alice and Bob share a key k
➡ Option 1 : envelope method
MAC_k(m) = H(k || m || k)
➡ Option 2 : padding method
pad(k,m) returns a message with a length factor of the hash input
a = H(pad(k,m) || m)
MAC_k(m) = H(pad(k,a) || a)
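The Merkle–Damgård chaining and the length extension weakness of MAC_k(m) = H(k || m) from the previous slides, next to the envelope method H(k || m || k), as an added example that is not part of the original slides. The 16-byte block size, the compression function built from truncated SHA-256, the padding layout and the sample key and messages are assumptions chosen to keep the toy hash short.

```python
import hashlib
import hmac

BLOCK = 16       # toy block size in bytes (assumption; real hashes use 64 or more)
IV = bytes(16)   # fixed IV, so the hash is non-keyed

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function H: (n'-byte state, n-byte block) -> n'-byte state."""
    return hashlib.sha256(state + block).digest()[:16]

def md_pad(total_len: int) -> bytes:
    """Padding p: 0x80, zero bytes, then the 8-byte length of everything hashed."""
    return b"\x80" + bytes(-(total_len + 9) % BLOCK) + total_len.to_bytes(8, "big")

def md_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    """Merkle-Damgard: chain compress() over the padded blocks of msg.
    state/prior_len let a caller resume from an earlier digest."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def weak_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + msg)             # MAC_k(m) = H(k || m)

def envelope_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + msg + key)       # MAC_k(m) = H(k || m || k)

def extend(tag: bytes, hashed_len: int, msg: bytes, suffix: bytes):
    """Without k: build m || p || m' and the digest obtained by resuming from tag."""
    new_msg = msg + md_pad(hashed_len) + suffix
    resumed = hashed_len + len(md_pad(hashed_len))
    return new_msg, md_hash(suffix, state=tag, prior_len=resumed)

def demo():
    key, msg, suffix = b"constructed-key!", b"amount=10", b"&amount=9999"  # constructed
    # H(k || m): the resumed digest is a valid tag for the extended message.
    m1, t1 = extend(weak_mac(key, msg), len(key) + len(msg), msg, suffix)
    weak_accepts = hmac.compare_digest(weak_mac(key, m1), t1)
    # H(k || m || k): the verifier appends k again, so the resumed digest is rejected.
    m2, t2 = extend(envelope_mac(key, msg), 2 * len(key) + len(msg), msg, suffix)
    envelope_accepts = hmac.compare_digest(envelope_mac(key, m2), t2)
    return weak_accepts, envelope_accepts

if __name__ == "__main__":
    print(demo())
```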
MAC with symmetric encryption
Alice and Bob share a key k
➡ Encrypt the hash using symmetric encryption (DES, AES …)
MAC_k(m) = E_k(H(m))
MAC and Confidentiality
Alice and Bob share two keys Ke and Km
Ke encryption key
Km MAC key
Option 1 : E_Ke(m) || H_Km(m) e.g. SSH
Option 2 : E_Ke(m || H_Km(m)) e.g. SSL
Option 3 : E_Ke(m) || H_Km(E_Ke(m)) e.g. IPsec
[Diagram: Alice and Bob both hold Ke and Km; provides integrity, authentication and confidentiality]
Digital Signatures
Alice and Bob each have a pair of asymmetric keys
Ksa, Ksb secret keys (Ksa is Alice’s secret key)
Kpa, Kpb public keys
➡ Use public-key cryptography to sign and verify
SIG_Ksa(m) = E_Ksa(H(m))
VER_Kpa(m, s) = (D_Kpa(s) == H(m))
[Diagram: Alice sends m || SIG_Ksa(m), which is checked with VER_Kpa(m, SIG_Ksa(m)); provides integrity, authentication and non-repudiation]
Digital Signatures and Confidentiality
Alice and Bob each have a pair of asymmetric keys
Ksa, Ksb secret keys (Ksa is Alice’s secret key)
Kpa, Kpb public keys
➡ Use public-key cryptography to encrypt, sign and verify
E_Kpb(m) || SIG_Ksa(m)
๏ Too slow to encrypt long messages
[Diagram: provides integrity, authentication, non-repudiation and confidentiality]
Digital Signatures and Confidentiality
1. Alice generates an asymmetric session key k
2. Use both symmetric and asymmetric cryptography to encrypt, sign and verify the message and the key
E_Kpb(k) || E_k(m || E_Ksa(H(m)))
Hey, this is how GPG works !
source “GNU_Privacy_Guard” on Wikipedia
Hey, this is how HTTPS works !
✓ HTTPS = HTTP + TLS
➡ TLS - Transport Layer Security (a.k.a SSL) provides
• confidentiality : end-to-end secure channel
• integrity : authentication handshake
[Diagram: an HTTPS request is sent to example.com and an HTTPS response comes back; “Who are you?” / “I am example.com”]
Are we done with cryptography yet ? NO !
Problem 1
The mechanics of mutual authentication and key exchange are prone to attacks (e.g. replay attack, man-in-the-middle attack)
➡ Cryptography Protocols
Problem 2
Alice has never seen Bob, how can she trust his identity ?
➡ Trust Models
Cryptography Protocols
Definition
Protocol
Expected behaviors when engaging in communication
Computer(-to-computer) protocol
• Communication protocols (Ethernet, TCP, IP, Email, Web…)
• Security protocols
  • Authentication protocol
  • Key-exchange protocol
Protocol Goal
Assumptions
• 3 principals Alice, Bob, Mallory have published public keys
• They can talk to each other using the same protocol
Goal
When two parties engage in the communication, they want to
1. make sure that they talk to the right person (authentication)
2. exchange a symmetric session key
The attacker model
The attacker has the same privileges as the other principals
1. send and receive messages
2. encrypt and decrypt with known keys
In addition, the attacker has full control over the network
3. intercept messages
Authentication, key exchange and message exchange
E_Kpb(“Hi, I am Alice!”, Kab)
“Hi, Alice!”
E_Kab(mb)
E_Kab(ma)
Replay attack
E_Kpm(A, Kab)
E_Kpb(A, Kab)
“Hi, Alice!”
๏ Bob believes he is talking to Alice !
Challenge-Response using a password and pkey
E_Kpb(A, Kab)
“Hi, Alice!”
“What is your password?”
E_Kpb(pwd)
Eavesdrop and replay attack
E_Kpb(A, Kab)
“Hi, Alice!”
“What is …?”
E_Kpb(pwd)
๏ Bob believes he is talking to Alice !
Challenge-Response using a nonce
E_Kpb(A, Kab)
“Hi, Alice!”
E_Kpa(n)
E_Kpb(n)
The attacker pretends to be Bob
E_Kpb(A, Kab)
“Hi, Alice!”
E_Kpa(n)
E_Kpb(n)
๏ No Mutual Authentication
Two trust models
How to establish the authenticity of the binding between someone and their public key ?
Centralized trust model
➡ PKI - Public Key Infrastructure
Decentralized trust model
➡ Web of Trust
Do you trust the GPG key ?
Alice should verify Bob’s public key fingerprint
• either by communicating with Bob over another channel
• or by trusting someone that already trusts Bob
➡ the web of trust
[Diagram: Alice and Bob; Alice receives “I am Bob!” together with the public key Pkm]
The web of trust
[Diagram: Alice, Dan, Erin, Carol and Bob linked by “trust” edges (i.e. has_signed Pk) and by “transitive trust”]
Do you trust the network ?
[Diagram: example.com answers “I am example.com!”]
The browser should verify the certificate
➡ PKI - Public Key Infrastructure
Generating and using (self-signed) certificates
[Diagram: “Who are you?” / “I am example.com” / “I don’t know”]
Self-signed certificates are not trusted by your browser
Signed Certificate
[Diagram: Certificate Authority (CA); “Who are you?” / “I am example.com” / “I trust so”]
The Chain of Trust
[Diagram: a Root CA and two Intermediate CAs linked by ⇒, starting from “I trust”]