Spring 2012
Text: Chapters 2 and 21
Handbook of Applied Cryptography, Menezes, van Oorschot, Vanstone, Chapter 9
http://www.cacr.math.uwaterloo.ca/hac/
Slide #9-3, Nikita Borisov, UIUC
Example Use
Bob receives 10111101 as bits (data bits plus the parity bit).
If the sender is using even parity: there are six 1 bits, an even number, so the character was received correctly.
Note: it could still be garbled, but at least 2 bits would need to have been changed to preserve the parity. A single parity bit detects any odd number of flipped bits and misses any even number.
If the sender is using odd parity: an even number of 1 bits means the character was not received correctly.
8-bit XOR checksum
XOR all bytes in the file/message.
Good for detecting accidental errors.
But easy for a malicious user to fix up to match an altered message.
For example, change the 4th bit in one of the bytes.
Fix up by flipping the 4th bit in the checksum.
Easy to find an M' that has the same checksum.
A similar attack works against CRC, because CRC is linear over XOR:
CRC(a xor b) = CRC(a) xor CRC(b)
This holds exactly for the textbook polynomial-division CRC. Real-world variants such as CRC-32 add an initial value and a final XOR, which makes them affine rather than linear: for equal-length inputs, CRC(a xor b) = CRC(a) xor CRC(b) xor CRC(00...0). Either way, the attacker can compute the fix-up for any change without knowing anything secret.
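The following is an added example and not code from the original slides. It implements the three checks from the slides above (the parity check, the 8-bit XOR checksum and CRC) and shows how an attacker fixes each one up after altering the message: two bit flips that slip past parity, the XOR-checksum fix-up for a single flipped bit, and the CRC fix-up computed from the old CRC and the CRC of the difference alone. CRC-32 from zlib is used as the concrete CRC, so the affine correction term CRC(00...0) appears; the sample messages are constructed for the demonstration.

```python
# Added example, not from the original slides: the parity, XOR-checksum and CRC
# checks from the slides, and how each can be fixed up by someone who alters
# the message.  Sample messages below are constructed for the demonstration.
import zlib


def parity_ok(codeword: str, even: bool = True) -> bool:
    """Check a received codeword (data bits plus parity bit) under even or odd parity."""
    ones = codeword.count("1")
    return ones % 2 == 0 if even else ones % 2 == 1


def flip_bits(codeword: str, *positions: int) -> str:
    """Flip the given bit positions (0 = leftmost) of a bit string."""
    bits = list(codeword)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


def xor_checksum(data: bytes) -> int:
    """8-bit XOR of all bytes in the message."""
    c = 0
    for byte in data:
        c ^= byte
    return c


def forge_xor_checksum(data: bytes, checksum: int, index: int, bit: int):
    """Flip one bit of the message and fix up the checksum WITHOUT recomputing it.
    `bit` is the position within the byte (0 = least significant).  Because the
    checksum is an XOR of the bytes, the same flip applied to the checksum keeps
    it valid.  Returns (altered_message, fixed_checksum)."""
    mask = 1 << bit
    altered = bytearray(data)
    altered[index] ^= mask
    return bytes(altered), checksum ^ mask


def crc_matches(data: bytes, crc: int) -> bool:
    """Receiver side: does the CRC-32 of the message match the transmitted CRC?"""
    return zlib.crc32(data) == crc


def crc32_of_xor(a: bytes, b: bytes) -> int:
    """Predict CRC32(a xor b) from CRC32(a) and CRC32(b) alone.
    The textbook CRC is linear: CRC(a ^ b) = CRC(a) ^ CRC(b).  CRC-32 as used by
    zlib adds an initial value and a final XOR, which makes it affine; for
    equal-length inputs the correction term is the CRC of an all-zero string."""
    if len(a) != len(b):
        raise ValueError("the linearity relation needs equal-length inputs")
    return zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))


def forge_crc_message(original: bytes, original_crc: int, offset: int, new_fragment: bytes):
    """Overwrite a fragment of the message and derive the new CRC from the old
    CRC plus the CRC of the difference, i.e. without recomputing it from the
    whole message.  Returns (altered_message, new_crc)."""
    delta = bytearray(len(original))  # all zeros except where the message changes
    for i, byte in enumerate(new_fragment):
        delta[offset + i] = original[offset + i] ^ byte
    altered = bytes(x ^ y for x, y in zip(original, delta))
    new_crc = original_crc ^ zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(len(original)))
    return altered, new_crc


if __name__ == "__main__":
    received = "10111101"  # the codeword from the slide
    print("even parity ok:", parity_ok(received, even=True))
    print("odd parity ok: ", parity_ok(received, even=False))
    print("two flips still pass even parity:", parity_ok(flip_bits(received, 0, 5), even=True))

    msg = b"PAY ALICE $100"  # constructed sample message
    altered, fixed = forge_xor_checksum(msg, xor_checksum(msg), 11, 3)
    print(altered, hex(fixed), "checksum still valid:", xor_checksum(altered) == fixed)

    a = b"attack at dawn!!"  # constructed sample message
    forged, crc = forge_crc_message(a, zlib.crc32(a), 10, b"dusk")
    print(forged, hex(crc), "CRC still valid:", crc_matches(forged, crc))
```

Flipping bit 3 of the byte '1' (0x31) gives '9' (0x39), so the XOR-checksum forgery turns "$100" into "$900" with a one-bit change to the checksum; the CRC forgery rewrites "dawn" to "dusk" and predicts the new CRC from the old one, which is exactly what the linearity relation on the slide promises.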
Crypto Hash or Checksum
Unencrypted one-way hash functions:
Easy to compute the hash.
Hard to find a message with a particular hash value.
Use to verify the integrity of publicly available information, e.g., packages posted on mirror sites.
Caveat: the reference hash must come from a trusted channel (the project's own signed release page, not the same mirror), since an attacker who can replace the package on a mirror can just as easily replace a hash posted next to it.
Message Authentication Code (MAC):
A hash to pass along with the message.
Such a hash must be computed with a key.
Otherwise the attacker could change the MAC in transit, simply recomputing it for the altered message.
h: A → B
For any x ∈ A, h(x) is easy to compute.
For any y ∈ B, it is computationally infeasible to find x ∈ A such that h(x) = y.
Also called pre-image resistant.
E.g., computing x^3 vs. the cube root of x by hand.
It is computationally infeasible to find two inputs x, x′ ∈ A such that x ≠ x′ and h(x) = h(x′).
Also called (strong) collision resistant.
Alternate form: given any x ∈ A, it is computationally infeasible to find a different x′ ∈ A such that h(x) = h(x′).
Second pre-image resistant. This is the weaker of the two: the attacker does not get to choose both inputs, so a hash can fail collision resistance while second pre-image attacks remain infeasible.
Collisions
If x ≠ x′ and h(x) = h(x′), then x and x′ are a collision.
Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it.
Application: if there are 32 files and 8 possible cryptographic checksum values, at least one value corresponds to at least 4 files.
How many files until you are guaranteed a collision? (One more than the number of possible checksum values: 9 in this example.)
What is the probability that someone in the room has the same birthday as me?
What is the probability that two people in the room have the same birthday?
P(n) = 1 − 365! / (365^n · (365 − n)!)
P(n) > 1/2 for n = 23
The same calculation with N possible hash values in place of 365 days shows that a collision becomes likely after only about √N trials, so an l-bit hash offers only about 2^(l/2) work against collision search, versus about 2^l against pre-image search.
Section 2.15, Handbook of Applied Cryptography
http://en.wikipedia.org/wiki/Birthday_paradox
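The following is an added example and not code from the original slides. It serves both the definitions slide (pre-image vs. collision resistance) and the collisions and birthday slides: it evaluates the birthday formula P(n) above, finds the smallest n with P(n) > 1/2, and then runs a brute-force pre-image search and a birthday collision search against a deliberately small hash. The "n-bit hash" is an assumption made here so the searches finish quickly: it is simply the top n bits of SHA-256. A 16-bit pre-image search and a 32-bit collision search cost about the same number of trials, which is the point of the birthday bound.

```python
# Added example, not from the original slides: the birthday probability from
# the slide, plus pre-image search vs. collision search on a truncated SHA-256
# (the truncation is an assumption so that the searches run in well under a
# second).  Messages are constructed as prefix + counter.
import hashlib


def birthday_probability(n: int, buckets: int = 365) -> float:
    """P(n) = 1 - buckets! / (buckets^n * (buckets - n)!), computed as the product
    of the per-draw 'still no collision' probabilities to avoid huge factorials."""
    if n > buckets:
        return 1.0  # pigeonhole: more objects than containers
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (buckets - i) / buckets
    return 1.0 - p_distinct


def smallest_n_with_collision_likely(buckets: int = 365) -> int:
    """Smallest number of draws for which P(collision) exceeds 1/2."""
    n = 1
    while birthday_probability(n, buckets) <= 0.5:
        n += 1
    return n


def guaranteed_collision(buckets: int) -> int:
    """Pigeonhole bound: this many objects guarantee at least one collision."""
    return buckets + 1


def truncated_hash(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a `bits`-bit hash function."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int, prefix: bytes = b"pre"):
    """Brute-force a message whose truncated hash equals `target`.
    Expected work: about 2^bits trials.  Returns (message, trials)."""
    counter = 0
    while True:
        m = prefix + counter.to_bytes(8, "big")
        counter += 1
        if truncated_hash(m, bits) == target:
            return m, counter


def find_collision(bits: int, prefix: bytes = b"col"):
    """Birthday search for two distinct messages with the same truncated hash.
    Expected work: about 2^(bits/2) trials, and the table holds that many
    entries.  Returns (msg1, msg2, trials)."""
    seen = {}
    counter = 0
    while True:
        m = prefix + counter.to_bytes(8, "big")
        counter += 1
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, counter
        seen[h] = m


if __name__ == "__main__":
    print("P(23) =", round(birthday_probability(23), 4),
          "first n with P(n) > 1/2:", smallest_n_with_collision_likely())
    print("files guaranteeing a collision among 8 checksum values:", guaranteed_collision(8))

    target = truncated_hash(b"constructed target message", 16)
    m, trials = find_preimage(target, 16)
    print(f"16-bit pre-image found after {trials} trials (expected ~{2**16})")

    m1, m2, trials = find_collision(32)
    print(f"32-bit collision found after {trials} trials (expected ~{2**16}): {m1!r} {m2!r}")
```

Doubling the hash width does not double the attacker's work: going from 16 to 32 bits leaves the collision search at roughly the same cost as the 16-bit pre-image search, because the birthday search gets to compare every pair of hashed messages rather than each against one fixed target.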
MD5 and SHA
Most widely used keyless crypto hashes.
Both are round-based bit operations, similar in spirit to AES and DES.
Looking for an avalanche effect to make the output appear random: flipping one input bit should change about half of the output bits.
MD5 output is 128 bits and SHA-1 is 160 bits.
MD5 is only strong collision resistant up to the birthday bound of 2^64 work (half its output length). Too small. Practical MD5 collisions have in fact been known since 2004, so MD5 should not be relied on for collision resistance at all.
More on SHA
Standard put forth by NIST.
SHA spec: http://csrc.nist.gov/CryptoToolkit/tkhash.html
Comes in different flavors that vary based on output size.
SHA-1 outputs 160 bits.
The other SHA-X flavors output X bits: SHA-256 and SHA-512 (the SHA-2 family, which also includes the truncated variants SHA-224 and SHA-384).
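The following is an added example and not code from the original slides. It measures the avalanche effect the two slides above describe, for MD5, SHA-1, SHA-256 and SHA-512, and contrasts it with the 8-bit XOR checksum from earlier: for each input bit of a message it flips that bit, hashes, and counts how many output bits changed. It also reads off the output sizes (128, 160, 256, 512 bits) from hashlib. The sample message is constructed for the demonstration.

```python
# Added example, not from the original slides: measuring the avalanche effect
# (how many output bits change when one input bit is flipped) for MD5, SHA-1,
# SHA-256 and SHA-512, versus the 8-bit XOR checksum.  The sample message is
# constructed for the demonstration.
import hashlib
from typing import Callable


def digest_bits(hash_name: str) -> int:
    """Output size in bits of a hashlib algorithm (md5 -> 128, sha1 -> 160, ...)."""
    return hashlib.new(hash_name).digest_size * 8


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (bit 0 = LSB of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def avalanche(fn: Callable[[bytes], bytes], msg: bytes) -> float:
    """Average fraction of output bits that change when a single input bit is
    flipped, averaged over every bit position of msg.  A value near 0.5 is what
    a good cryptographic hash should show; a checksum built from XOR cannot."""
    base = fn(msg)
    out_bits = len(base) * 8
    in_bits = len(msg) * 8
    total = 0
    for i in range(in_bits):
        total += hamming_distance(base, fn(flip_bit(msg, i)))
    return total / in_bits / out_bits


def hash_fn(hash_name: str) -> Callable[[bytes], bytes]:
    """Wrap a hashlib algorithm name as a bytes -> digest function."""
    return lambda m: hashlib.new(hash_name, m).digest()


def xor_checksum_fn(m: bytes) -> bytes:
    """The 8-bit XOR checksum as a one-byte 'digest', for comparison."""
    c = 0
    for byte in m:
        c ^= byte
    return bytes([c])


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"  # constructed sample
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(f"{name:7s} {digest_bits(name):4d} bits  avalanche = {avalanche(hash_fn(name), msg):.3f}")
    print(f"xor8       8 bits  avalanche = {avalanche(xor_checksum_fn, msg):.3f}")
```

Each single-bit change to the input flips exactly one bit of the XOR checksum (1/8 of its output), while the hashes change about half of their output bits regardless of which input bit was flipped; that unpredictability is what makes the "fix up the checksum" trick from the earlier slide inapplicable to a cryptographic hash.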
SHA-1 Broken
Chinese researchers (Wang, Yin and Yu, 2005) had a breakthrough:
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Their result finds collisions in 2^69 attempts, less than the 2^80 expected from a generic birthday attack on a 160-bit hash.
Does not affect HMAC-SHA: HMAC's security does not rest on the collision resistance of the underlying hash.
NIST published standards promoting the use of larger SHAs:
http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
Later work kept reducing the cost, and an actual SHA-1 collision was published in 2017; SHA-1 is now considered unsuitable for signatures and other collision-sensitive uses.
Modeled after the AES competition.
Goal is to define SHA-3.
Current finalists: BLAKE, Grøstl, JH, Keccak, Skein.
Overlap with AES competitors:
Knudsen (Serpent, Grøstl)
Daemen (Rijndael, Keccak)
Schneier + team (Twofish, Skein)
(NIST selected Keccak as SHA-3 in October 2012, after these slides were written; it was standardized as FIPS 202 in 2015.)
HASH MAC
HMAC
Make keyed cryptographic checksums from keyless cryptographic checksums.
h: keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes. k is a cryptographic key of length b bytes (in practice, per RFC 2104, a shorter key is zero-padded to b bytes and a longer key is first replaced by h(k)).
ipad is 00110110 (0x36) repeated b times.
opad is 01011100 (0x5c) repeated b times.
HMAC-h(k, m) = h((k ⊕ opad) || h((k ⊕ ipad) || m))
⊕ is exclusive or, || is concatenation.
Apply HMAC to SHA-512 to make a keyed MAC:
HMAC-SHA512(k, m) = SHA512((k ⊕ [01011100]^b) || SHA512((k ⊕ [00110110]^b) || m))
where [01011100]^b is the byte 0x5c repeated b times, [00110110]^b is 0x36 repeated b times, and b = 128 bytes is the SHA-512 block size (the output length l is 64 bytes).
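The following is an added example and not code from the original slides. It serves the MAC discussion on the "Crypto Hash or Checksum" slide as well as the two HMAC slides: it builds HMAC by hand from hashlib exactly as the formula above says (including the RFC 2104 key padding and long-key rule), checks the result against Python's hmac module and an RFC 4231 test vector, and shows a receiver that verifies tags with a constant-time comparison. The unkeyed variant at the end illustrates why a plain hash sent along with the message is no protection: the attacker recomputes it. The key and messages are constructed for the demonstration.

```python
# Added example, not from the original slides: HMAC assembled by hand from
# hashlib, checked against the hmac module and an RFC 4231 vector, plus a
# verifier with a constant-time compare.  Key and messages are constructed.
import hashlib
import hmac

IPAD_BYTE = 0x36  # 00110110
OPAD_BYTE = 0x5C  # 01011100


def hmac_by_hand(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC-h(k, m) = h((k xor opad) || h((k xor ipad) || m)).
    b is the block size of h in bytes: 64 for SHA-256, 128 for SHA-512."""
    h = lambda data: hashlib.new(hash_name, data)
    b = h(b"").block_size
    if len(key) > b:
        key = h(key).digest()      # RFC 2104: keys longer than b bytes are hashed first
    key = key.ljust(b, b"\x00")    # shorter keys are zero-padded to exactly b bytes
    k_ipad = bytes(k ^ IPAD_BYTE for k in key)
    k_opad = bytes(k ^ OPAD_BYTE for k in key)
    inner = h(k_ipad + msg).digest()
    return h(k_opad + inner).digest()


def stdlib_hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """Reference value from Python's own hmac module, for comparison."""
    return hmac.new(key, msg, hash_name).digest()


def verify_mac(hash_name: str, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so that
    the comparison's timing does not leak how many leading bytes matched."""
    expected = hmac_by_hand(hash_name, key, msg)
    return hmac.compare_digest(expected, tag)


def unkeyed_tag(hash_name: str, msg: bytes) -> bytes:
    """A plain hash sent along with the message: anyone can recompute it."""
    return hashlib.new(hash_name, msg).digest()


def attacker_rewrites(hash_name: str, new_msg: bytes):
    """What an in-transit attacker does against an unkeyed 'MAC': replace the
    message and replace the hash.  Without a key the receiver cannot tell."""
    return new_msg, unkeyed_tag(hash_name, new_msg)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    msg = b"transfer 100 to alice"         # constructed sample message
    tag = hmac_by_hand("sha512", key, msg)
    print("matches hmac module:", tag == stdlib_hmac("sha512", key, msg))
    print("genuine message verifies:", verify_mac("sha512", key, msg, tag))
    print("altered message verifies:", verify_mac("sha512", key, b"transfer 900 to alice", tag))

    forged_msg, forged_tag = attacker_rewrites("sha512", b"transfer 900 to alice")
    print("unkeyed hash accepts forgery:", unkeyed_tag("sha512", forged_msg) == forged_tag)
```

Because the key enters both the inner and the outer hash, the attacker who changes the message cannot recompute the tag; the `attacker_rewrites` function shows that with an unkeyed hash there is nothing stopping that recomputation, which is the point made on the "Crypto Hash or Checksum" slide.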