Sie sind auf Seite 1von 96

Introduction to Practical

Cryptography
Hash Functions
Agenda
• Hash Functions
– Properties
– Uses
– General Design
– Examples: MD4, MD5, SHA-0, SHA-1, SHA-
256
– Collision Attacks – General Method
– SHA3 competition
Hash Properties
• Map bit strings of arbitrary length to fixed-
length outputs
h = hash(m), h is fixed-length, short
• Not injective, but collisions unlikely
– Example: 2160 possible values
• Computationally infeasible to generate
collisions
• Computationally infeasible to invert
Hash Properties
• Preimage resistant: given h, hard to find m
such that h = hash(m)
• Second preimage resistant: given m1, hard
to find m2 (≠ m1) such that
hash(m1) = hash(m2)
• Collision-resistant: hard to find m1 and m2,
m2 ≠ m1, such that hash(m1) = hash(m2)
In Practice
• Heuristics
• Simple operations, performance:
– Iterative, series of rounds
– Diffusion through logical operations, addition,
shifts, rotates
Uses
• Data integrity:
– Error detection
• Attacker can still modify file and recompute hash
– Forgery, modification - MAC
• Shorten data for signing
• Data Structures:
– Hash list
– Hash (Merkle) Tree
– Hash Table
Hash - Uses
• Integrity – Error Detection
– Hash file/message
– Attacker can still modify file and recompute hash
• Integrity – prevent forgery, modification
– MAC (keyed hash)
• Authentication
– Signature: hash data to shorten (for efficiency) then encrypt with public
key algorithm
– Append shared secret to unencrypted data then hash
• Random bits
• Data Structures:
– Hash list
– Hash (Merkle) Tree
– Hash Table
MAC
• Message Authentication Code – keyed
hash
• Examples:
– Encrypt hash with symmetric key cipher
– HMAC H(H(K  c1) || H((K  c2) || m))
CBC-MAC

(tag)
Need to be careful in designing a MAC:

Without knowing the key k, can ask to calculate the CBC-MAC tag of any message
Produce a MAC for a new message:
use two message-tag pairs (m,t) and (m',t’),
m and m' : single blocks (can be random)
(m || (t  m’), t’) : valid message-tag pair
CBC-MAC of m || (t  m’) is t’ (see next slide)
CBC-MAC
• two message-tag pairs (m,t) and (m',t’),
• m and m' : single blocks (can be random)
• CBC-MAC of m || (t  m’) is also t’
• when computing CBC, result from m is t (“ciphertext” from
block cipher)
• then continuing CBC mode:
• t is XORed with t  m’
• t  m’  t = m’ and the result is the next input to the
block cipher
• thus the output is t’
• therefore, (m || t  m’, t’) is a valid message-tag pair
MAC
• MAC: H(Key | message)
• Append attack
– With most current hashes that “chain” blocks
can get a valid MAC for H(Key | message |
message’)
• Put the secret at the end of the message
• Don’t use all the output bits as the MAC
HMAC
• Append 0’s to key until have 512 bits
• XOR with constant and prepend to data
• Hash
• XOR key with different constant and prepend to result
• Hash again

H( (key  const1) || H( ((key || 0..0)  const2) || data) )

• If H is secure, so is HMAC:
• Collision resistant
• If given HMAC(key,x), can’t compute HMAC(key,y) without
knowing key
Generating “Random” Bits

• Hash together information containing some


randomness
– Copy of every keystroke, mouse event
– Time between keystrokes
– Disk seek latency, sector number, etc.
– Contents of the display
– Audio input
– Packet inter-arrival latency, CPU load
• Hash all this information together
• Allows generation of pseudo-random data
Challenge-Response without
Encryption

Alice Bob
Ra --------------->
<--------------- H(K | Ra), Rb
H(K | Rb) ----------------->

H is a hash function
K is a shared secret
Ra,Rb are random values
Storing Passwords

• Idea: hash password and store result


• When user enters password, hash and
compare with stored value
Password Storing
• Old Unix password algorithm:
– Store hash of user password
– Hash typed password, compare with stored hash
– First 8 bytes of password are the secret key
– Then encrypt all-zeroes block with DES-like algorithm
– Salt: 12-bit random number, (used in modified DES)
– Salt stored with hashed result
• Later versions used MD5, Blowfish
Hash List

h21

h11 h12 h13 h14 h15 h16 h17 h18

m1 m2 m3 m4 m5 m6 m7 m8
Hash Tree
h41

h31 h32

h21 h22 h23 h24

h11 h12 h13 h14 h15 h16 h17 h18

m1 m2 m3 m4 m5 m6 m7 m8
General Structure
Message m padded to M, a multiple of a fixed-length block
M is divided into segments m1,m2, … mn

m1 m2 …… mn

IV F F F hash value

Merkle-Damgard, 1989
F is called the compression function
Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”
Typically, a function operates on chaining variables then adds to mi
General Structure
• Padding
– “100…0”
– MD4, MD5: last 64 bits depend on first block
– SHA*: last bits depend on length of message
General Structure

m1 m2 …… mn

IV F F F hash value

Avalanche: All output bits depend on all input bits


Diffusion: ideally want change to one input bit to change each
output bit with prob. ½
MD4
• Rivest, RFC 1320
• Fast in software
• Simple to program
• Memory efficient - no large data structures
MD4 Notation
• word = 32 bits
• Message m
• XY = X AND Y
• X v Y = X OR Y
MD4
• m’ = m100 … 0
– Pad m until it is 64 bits short of a multiple of 512
– Message is always padded (i.e. even 448 bits are padded)
– Append a 1 followed by 0’s :
• M[0 ... N-1] = m’ with low order 64 bits of m appended to it
– N is a multiple of 16
• Four-word buffer (A,B,C,D) initialize to:
– A: 01 23 45 67
– B: 89 ab cd ef just counts 0 to 15 and back
– C: fe dc ba 98
– D: 76 54 32 10
MD4 – Internal Functions
• F(X,Y,Z) = XY v not(X) Z
– Bitwise conditional: if X then Y else Z.
• G(X,Y,Z) = XY v XZ v YZ
– Bitwise majority function: bit positions in which 2 or
more bits are 1, output has a 1, else output has a 0
• H(X,Y,Z) = X  Y  Z
– Bit positions with odd number of 1’s are 1, rest are 0
• Note: if bits of X, Y, and Z are independent and
unbiased, each bit of F(X,Y,Z) and each bit of
G(X,Y,Z) also will be independent and unbiased.
MD4
for (i = 0 to N/16-1) {
/* Copy block i into X. */
For (j = 0 to 15) { X[j] = M[i*16+j] }

/* Save A, B, C,D */
AA = A BB = B CC = C DD = D

/* Combine Message blocks with A,B,C,D */


Round 1
Round 2
Round 3
Increment A,B,C,D by their values (AA,BB,CC,DD) at start of iteration
} /* end for i */

Output A,B,C,D
compression function

A,B,C,D is chaining variable


MD4 Round 1
Function operates on chaining variable,
adds in message block

/* [abcd k s] denotes a = (a + F(b,c,d) + X[k]) <<< s. */


/* 16 operations. */
[ABCD 0 3]; [DABC 1 7]; [CDAB 2 11] ; [BCDA 3 19];
[ABCD 4 3]; [DABC 5 7] ; [CDAB 6 11]; [BCDA 7 19];
[ABCD 8 3]; [DABC 9 7]; [CDAB 10 11]; [BCDA 11 19]
[ABCD 12 3]; [DABC 13 7]; [CDAB 14 11]; [BCDA 15 19];

Note: each word rotates through each of the four positions for each value of s
X[k] (M) combined with A,B,C,D

Words sequential in round 1 (i.e. k = 1,2,3,…. 15 in order)


MD4 Round 2
/* [abcd k s] denotes
a = (a + G(b,c,d) + X[k] + 0x5A827999) <<< s. */
/* 16 operations. */
[ABCD 0 3]; [DABC 4 5]; [CDAB 8 9]; [BCDA 12 13];
[ABCD 1 3]; [DABC 5 5]; [CDAB 9 9]; [BCDA 13 13];
[ABCD 2 3]; [DABC 6 5]; [CDAB 10 9]; [BCDA 14 13];
[ABCD 3 3]; [DABC 7 5]; [CDAB 11 9]; [BCDA 15 13];

Word ordering altered from round 1


MD4 Round 3
/* Let [abcd k s] denotes
a = (a + H(b,c,d) + X[k] + 0x6ED9EBA1) <<< s. */
/* 16 operations. */
[ABCD 0 3]; [DABC 8 9]; [CDAB 4 11]; [BCDA 12 15]
[ABCD 2 3]; [DABC 10 9]; [CDAB 6 11]; [BCDA 14 15]
[ABCD 1 3]; [DABC 9 9]; [CDAB 5 11]; [BCDA 13 15];
[ABCD 3 3]; [DABC 11 9]; [CDAB 7 11]; [BCDA 15 15]

Word ordering partially altered from round 2


MD4 – End of Loop Addition
/* increment each of A,B,C,D by the value it
had before this block was started. */
A = A + AA
B = B + BB
C = C + CC
D = D + DD
MD4 Constants
• 5A827999: 32-bit constant, represents the
square root of 2. The octal value is
013240474631.
• 6ED9EBA1: 32-bit constant, represents
the square root of 3. The octal value is
015666365641.
MD5
• Designed to replace MD4
– First two and last two rounds of MD4 attacked
• RFC 1321, Rivest

for (i = 0 to N/16-1) {
/* Copy block i into X */
For (j = 0 to 15) { X[j] = M[i*16+j] }

/* Save A, B, C,D */
AA = A BB = B CC = C DD = D

/* Combine Message blocks with A,B,C,D */


Round 1
Round 2
Round 3
Round 4
Increment A,B,C,D by value at start of iteration
} /* end for i */
Output A,B,C,D
MD5 Changes to MD4
1. Fourth round added
2. Each step now has a unique additive constant
3. The function G changed from (XY v XZ v YZ) to
(XZ v Y not(Z)) (less symmetric)
4. The order in which input words are accessed in
rounds 2 and 3 is changed, to make these less
like similar to each other.
5. The shift amounts in each round have been
changed to produce a faster avalanche effect.
The shifts in different rounds are distinct.
MD5 Internal Functions
• F(X,Y,Z) = XY v not(X) Z
• G(X,Y,Z) = XZ v Y not(Z)
• H(X,Y,Z) = X  Y  Z
• I(X,Y,Z) = Y  (X v not(Z))
MD5
• Uses a 64-element table T[1 ... 64]
constructed from the sine function
• T[i] equals the integer part of
4294967296 times abs(sin(i)), where i is in
radians
MD5 Round 1
/* [abcd k s i] denotes
a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
/* 16 operations. */
[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]

Constant added, varies


MD5 Round 2
/* [abcd k s i] denotes
a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
/*16 operations. */
[ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20]
[ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24]
[ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28]
[ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]

not reusing shift amounts across rounds


MD5 Round 3
/* Let [abcd k s t] denotes
a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
/* Do the following 16 operations. */
[ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36]
[ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40]
[ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44]
[ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48]

Word ordering altered from round 2 to greater extent than in MD4


MD5 Round 4
/* [abcd k s t] denotes
a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
/* 16 operations. */
[ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51]
[BCDA 5 21 52] [ABCD 12 6 53] [DABC 3 10 54]
[CDAB 10 15 55] [BCDA 1 21 56] [ABCD 8 6 57]
[DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60]
[ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]

One more round than MD4


MD5 Addition
A = A + AA
B = B + BB
C = C + CC
D = D + DD

Same as MD4
RIPEMD, Haval
• RIPEMD - modified MD4
– Rotation changed
– Order of message words altered
– Two instances run in parallel with different constants; at end of
each block, output of each added to chaining variables

• Haval – modified MD5


– Processes 1024-bit message blocks instead of 512
– Internal functions take 7 variables, nonlinear
– Permutes input to round
– Chaining variable: 8 segments instead of 4
– Different constants
SHA-0
• Input m  264 bits
• Output 160 bits
• Padded, processed in 512-bit blocks
• Each iteration takes 160-bit chaining
variable and 512-bit block, outputs 160-bit
chaining value
– First chaining value is a fixed constant (IV)
– Last chaining value is the output
SHA-0
• Pad m to multiples of 512 bits
– Append 1, 0’s, length of m
• N 512-bit blocks
For (j=0 to N-1) {
512-bit block divided into 32-bit segments: m0,m1, … m16
Expand to 80 32-bit segments:
for i = 16 to 79: mi = mi-3  mi-8  mi-14  mi-16
80 32-bit words processed by round function
}
SHA-0 Round

Rotating segments
function operating on chaining variables
of chaining variable

a,b,c,d,e are the chaining variable


ki is a round constant
Function f varies per round – on next slide
SHA-0 Round Function
SHS
• NIST FIPS 180-2, Secure Hash Standard
(SHS) 2002
• SHA-1: message < 264 bits, 160-bit output
• SHA-256: message < 264 bits, 256-bit output
• SHA-384: message < 2128 bits, 384-bit output
• SHA-512: message < 2128 bits, 512-bit output
SHA-1 and SHA-256 Padding
• Message M of l bits
• Pad to a multiple of 512 bits
– Append a 1
– Append k 0’s where l + 1 + k = 448 mod 512
– Append 64 bits equal to the binary
representation of l
SHA-1 and SHA-256 Processing
• N 512-bit blocks
• Block denoted by M(i)
• 32-bit segment of block denoted by Mj(i)
• i = ith block
• j = jth 32-bit segment of ith block, j = 0,1… 16
SHA-1
Internal functions, each operating on three 32-bit words
SHA-1
Constants used in the rounds:
SHA-1
Initialization of array containing the hash value
Five 32-bit words
SHA-1 Algorithm
Pad the message M
Break into N 512-bit blocks
Initialize H
for i = 1 to N {
Populate W with block i and rotate
Initialize intermediate variables a,b,c,d,e
80 rounds
Update H
}
Output H
SHA-1
for i = 1 to N:

Change from SHA-0, rotate 1 bit


SHA-1

Operating on chaining variable then


adding in message block
SHA-1

Update chaining variable

end of for i loop

Output :
SHA-256
Pad the message M
Break into N 512-bit blocks
Initialize H
for i = 1 to N {
Populate W with block i and rotate
Initialize intermediate variables a,b,c,d,e,f,g,h
64 rounds
Update H
}
Output H
SHA-256
logical functions, inputs are 32-bit words

Change from SHA1


SHA-256

Constants used in the rounds: 64 32-bit constants K0, K1 .. K63

Change from SHA1


SHA-256
Initialization of chaining variable
Eight 32-bit words
SHA-256
for i = 1 to N:

Change from SHA1


SHA-256
Operating on chaining variable
then adding in message block

Change from SHA1


SHA-256

Update chaining variable

end of for i loop

Output :
Collisions - Uses
• Generate meaningful files with the same
hash
• Example: Code download – replace code,
hash file remains unchanged
Birthday Paradox
•  23 people in a room
• probability 2 have same birthday is  50%

In general:
• Given “random” mapping H(xi) = yi
• n inputs, k possible outputs
• n(n-1)/2 possible input pairs
• probability H(xi) = H(xj) is 1/k
• Approximation:
– need k/2 pairs for 50% probability so want n > (k) ½ (for match)

• Hash functions: want low probability of a match


• Larger k is, the more inputs an attacker must try
Collisions - Uses
• Generate certificates with same hash
• X.509 certificate:
– Name, usage, extension…
– RSA public key: (n, e)
– Signature of CA

• Attack
– Two certificates identical except for RSA modulus: n1, n2 n1
≠n2
– MD5(n1) = MD5(n2)

• Lenstra, Wang, Weger, Colliding X.509 Certificates, eprint


March 2005
• Certificates available at
http://www.win.tue.nl/~bdeweger/CollidingCertificates/
• The CA certificate is self-signed
• MD5 hashes are not identical when include 4 byte ASN.1
header

*certificate image from Yin, ACNS 2005


Collisions Differentials
• Recall differential cryptanalysis from block
ciphers
– Look at  of inputs,  of outputs after each round
• In block ciphers, 1 to1 mapping,
– Never have in ≠ 0  out = 0
• In hash functions, round output shorter than
input
– There exists in ≠ 0  out = 0
– Need to find these ‘s
Collisions - Differentials
• m ≠ 0 for two inputs can produce =0 in an
intermediate value of the hash
• MD4, MD5, SHA* … are of the form:
M = [m0,m1, … mn]
For (i=0 to n) {
Process mi, produce Hi (the chaining variable)
Process mi+1, combine with Hi to get Hi+1 …
}
Furthermore, mi is only added into chaining variables
Collisions Differentials
• M = [m0,m1, … mn]
• M’ = [m’0,m’1, … m’n]
• Find m0, m’0 that produce same chaining
variable,
• Set mi = m’i for remaining blocks
• In MD4, MD5 – issue of padding includes
bits from unpadded message
• In SHA* - length is append
Collisions - Differentials
• Processing block M in blocks
M = [m0,m1, … mn]
M’ = [m’0,m’1, … m’n]
• Find messages that produce x through
block i with high probability
• Set jth block of messages to cancel x
• Remaining blocks of both messages can
be =
Existing Hashes: General Structure

Message m padded to M, a multiple of a fixed-length block


M is divided into segments m1,m2, … mn

m1 m2 …… mn

IV F F F hash value

F is called the compression function


Takes inputs mi and output of previous iteration
Typically a series of rounds
Output called a “chaining variable”
Collisions

• Find M1 ≠ M2 that produce x through block i with high probability


• Set subsequent blocks of m1, m2 to cancel x
• Remaining blocks of m1, m2 can be =

m11 m1i m1i+1 m1i+2 m1n


x1i+1
=Z
IV x1i
F F F F F H

m21 m2i m2i+1 m1i+2 m1n


x2i+1
IV x2i =Z
F F F F F H

x1i  x2i = x x1i+1 = x2i+1


Workload of Known Attacks (2005)
Hash function Expected strength Known attacks

MD4 264 O(3)

MD5 264 O(230+)

SHA-0 280 O(239)

SHA-1 280 O(263)


Collisions
• Wang, Feng, Lai, Yu, 2004
• Collisions for MD4, MD5, Haval-256, RIPEMD
• Message Modification
– Find differential path that produces possible collision
– Identify conditions for path to hold
– Modify message words to follow path in first round
(and second round as much as possible)
• Setting messages in this manner increases
chance collision holds
MD4 Collisions
M’ = M + C
C = (0,231,-228+231,0,0,0,0,0,0,0,0,0,-216,0,0,0)

MD4(M) = MD4(M’)

mi for i = 1,2,12 differ between M and M’


MD4 Collision Example
m0[16] = {
0xa8b1b641, 0x88d2ecaf, 0xb7d7c1a1, 0x99044241,
0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
0x701d8b69, 0x045095eb, 0x92012e03, 0x71ed419e
}

m1[16] = {
0xa8b1b641, 0x08d2ecaf, 0x27d7c1a1, 0x99044241,
0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4,
0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0,
0x701c8b69, 0x045095eb, 0x92012e03, 0x71ed419e
}
MD5 – Prior Collisions
• Bert den Boer and Bosselaers: pseudo-
collision for MD5 - same message with
different IVs
• Dobbertin: two different 512-bit messages
with a chosen initial value different from
that in MD5
MD5 Collisions

M,N each 512 bits

N,N’ cancels differential from M,M’

Uses initial IV of MD5


Two 1024-bit messages
~ 1 hour to find M’s, 5-15 minutes to find N’s
SHA-0 Collisions
• 2004 Joux pair of 2048 bit inputs
• 80K CPU hours (3 weeks)
• Work equivalent of 251 hashes
• Local differentials of 6 steps
SHA-0 Collisions
• Wang, Yu, Yin 2005
• Full collision in equivalent work of 239
hashes
• Impossible differential in rounds 2-4
• Local collisions in round 1
• Conditions that this differential path holds
SHA-0 Local Collisions
• Wang 1997
• Let mi,j = ith message word, jth bit
• 6 step local collision that can start at any step i
– used to construct full collisions
• If a message difference in bit j first occurs in step i
– Difference will affect chaining variables a,b,c,d,e consecutively in
the next five steps
– To offset these differences and reach a local collision,
differences introduced in subsequent message words
• Probability associated with the local collision depends on
the boolean function, j, and conditions on the message
bits
• One attack:
– j=2
– Conditions mi,2 = ⌐mi+1,7 and mi,2 = ⌐mi+2,2
SHA-0 Local Collision

nc = no carry
SHA-0 Collisions
• Biham and Chen 2004
– started at i > 17
– start at i = 22, work O(256) hashes
– near collisions with work O(240) hashes
• Biham and Chen (2004), Joux (2004), Wang and
Yu (2005)
– Multi-block collisions
– Use near collisions in several blocks to produce
overall collision
– Used with above, Joux had first full collision, work
O(251) hashes
SHA-1 Collisions
• Rijmen and Oswald 2005: collisions for 53
reduced-round version
• Wang, Yin, Yu 2005: Collisions without
padding on full 80 rounds, work  O(269)
hashes
• Wang, Yao, Yao 2005: Improved above
attack to work  O(263) hashes
• Rechberger and De Cannière 2006: way
to choose part of the message
SHA-256
• Round function has local collision with
probability in the range 2-9 to 2-39
• Message expansion is more complicated
than SHA-0, SHA-1
– Expansion block from 16 to 64 words
Colliding Certificates
• Fill in all fields except for
– RSA public key modulus, n
– signature (except for first zero byte - to prevent bit string from being a negative
integer)
• Three requirements:
– compliant to X.509 and the ASN.1 DER
– byte lengths of modulus, n, and public exponent, e, fixed in advance
• Can fix e as “Fermat-4” number e = 65537. Same e used in both certificates.
– position where public key modulus starts is an exact multiple of 64 bytes after the
beginning of the “to be signed” part – do by adding dummy information to the
subject Distinguished Name. i.e. want part prior to n to be an integral number of
message blocks to which the message blocks containing n are appended when
computing the MD5 hash
• Run MD5 on the first portion of the “to be signed” part, truncated at the
position where n starts This input to MD5 is an exact multiple of 512 bits.
Suppress the padding normally used in MD5, use output as IV to for the
next step. i.e. this would be the chaining variable input to the iteration in
which n starts to be processed
• Construct two different 1024 bit strings b1 and b2 for which the MD5
compression function with the IV from the previous step produces a collision
Colliding Certificates
• Construct two RSA moduli from b1 and b2 by appending to each the same
1024-bit string b
– Generate random primes p1 and p2 of ~512 bits, such that e is coprimeto p1 − 1
and p2 − 1
– Compute b0 between 0 and p1p2 such that p1|b121024 + b0 and p2|b221024 + b0
For k = 0, 1, 2, . . .,
• compute b = b0 + kp1p2;
• Check if both q1 = (b121024 + b)/p1 and q2 = (b221024 + b)/p2 are primes
• Check if e is coprime to both q1 − 1 and q2 − 1
• If k is such that b  21024, restart with new random primes p1, p2
Stop when q1 and q2 have been found; output
• n1 = b121024 + b
• n2 = b221024 + b
• p1, p2, q1, q2
• Expect that this algorithm will produce in a reasonable time, two RSA moduli
n1 = p1q1 and n2 = p2q2, that will form an MD5-collision with the specified IV
– p1 and p2 are around 500 bits in size, usually takes a few minutes
– few days when 512 bit p1, p2 and 1536 bit q1, q2 (search space for k nearly
empty)
Colliding Certificates
• Insert the modulus n1 into the certificate - “to be signed”
part is complete
• Compute the MD5 hash of the entire “to be signed” part
(including MD5-padding, standard MD5-IV)

• Apply PKCS#1v1.5-padding3, and perform a modular


exponentiation using the issuing Certification Authority’s
private key.
– This gives the signature, which is added to the certificate.
– First certificate now is complete.

• Second certificate – use n2 as the public key modulus


and signature still valid
NIST Hash Workshop
• Proposed competition – SHA3
– Call for proposals – Nov. 2007
– Allow time for public comments on hash function
requirements
– Review submissions starting in 2009
– Select winner end of 2011
– Standard released in 2012
• Then time to integrate into applications
• 6+ years before standard replacement
SHA3 Requirements
• NIST does not currently plan to withdraw SHA-2
• SHA-3 can be directly substituted for SHA-2 in
current applications
– must provide message digests of 224, 256, 384 and
512-bits to allow substitution for the SHA-2 family
• 160-bit hash value produced by SHA-1 is
becoming too small to use for digital signatures
– a 160-bit replacement hash algorithm is not
contemplated.
SHA3 Requirements
• Certain properties of the SHA-2 hash functions must be preserved
– input parameters, output sizes
– collision resistance, preimage resistance, second-preimage resistance
– “one-pass” streaming mode of execution
– successful attack on the SHA-2 hash functions is unlikely to be applicable to
SHA-3.
– be suitably flexible for a wide variety of implementations,
• May offer additional properties
– randomized hashing
– parallelizable
– more efficient to implement on some platforms
– more suitable for certain applications
– may avoid some of the incidental “generic” properties (such as length extension)
of the Merkle-Damgard construct that often result in insecure applications
• For interoperability, prefer a single hash algorithm family (different size
message digests be internally generated in as similar a manner as possible)
Approaches
• Augment existing hash functions:
– Add bit count to input – part of chaining value
– Padding: 1, 0’s, hash size, message length
• New algorithms, with approach similar to
past hashes – chaining
• New approaches that avoid Merkle-
Damgard chaining
• Algorithm related to mathematically hard
problems
Alternatives
• CMC mode m1 m2 m3 m4
– Forward and backward
diffusion T
– Use last block
– Inefficient – memory X1 X4
requirements M M M M
– > double computational
work
T
hash

m1 m2 m3 m4
• Binary tree
– Block cipher, PRP construct
as nodes
– double computational work

hash
Alternatives
• Hybrid
– CMC mode or chaining on segments
– Subset of output forms next layer

m blocks m blocks m blocks m blocks m blocks m blocks m blocks m blocks m blocks


Segment Processing
• CMC mode:
m1 m2 m3 m4
– forward and backward
diffusion across blocks T

– collision implies X1 X4
weakness in block cipher M M M M

T
segment
output
Segment Processing
IV 128 128
… 128 input

128 128 128 128


… 128 128


128 128 128 128
… 128 128

segment
128
output
• Elastic Chaining mode:
– Only forward diffusion
… but less memory/intermediate state than CMC mode
– If key is based on first block, collision implies weakness in block cipher
– Use elastic version of 128-bit cipher or a 256-bit cipher
Segment Processing
• Don’t use existing forward chaining in segment –
differential attack applies to segment
m11 m12 m13 m14 m1l
x13
=Z
IV x12 segment
F F F F F output

m21 m22 m23 m24 m2l


x23
=Z
IV x22 segment
F F F F F output

x12  x22 = x

Das könnte Ihnen auch gefallen