Download - ECE454/CS594 Computer and Network Security
![Page 1: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/1.jpg)
1
ECE454/CS594Computer and Network Security
Dr. Jinyuan (Stella) SunDept. of Electrical Engineering and Computer ScienceUniversity of Tennessee Fall 2011
![Page 2: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/2.jpg)
2
Hashes and Message Digests• What hashes can do• MD2• MD4, MD5, SHA-1• HMAC
![Page 3: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/3.jpg)
3
Hash FunctionsAka: message digests, one-way transformationsTake a message m of arbitrary length
(transformed into a string of bits) and computes from it a fixed-length (short) number h(m)
Properties:- easy-to-compute: for any message m, it is relatively easy to compute h(m)- non-reversible: given h(m), there is no way to find an m that hashes to h(m) except trying all possibilities of m- computationally infeasible to find m and m’ such that h(m)=h(m’) and m!=m’
![Page 4: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/4.jpg)
4
Notion of RandomnessAny particular bit in the outputs should
have 50% chance to be onEach output should have about half the
bits on, w.h.pAny two outputs should be completely
uncorrelated, no matter how similar the inputs are
![Page 5: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/5.jpg)
5
General Structure
• Repeated use of a compression function, f, that takes two inputs (the chaining variable and input block), and produces an n-bit output
![Page 6: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/6.jpg)
6
Birthday Paradox• If there are 23 or more people in a room, there is better than 50% chance that two of them will have the same birthday• Assume n inputs (number of people) and k possible outputs (365 days)• If n > k1/2, there is a good chance of finding a matching pair• Exact math on board…
![Page 7: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/7.jpg)
7
Length of DigestIf the length of the digest is n-bit long:• It takes O(2n) to find a message with a given digest• It takes O(2n/2) to find two messages with the same digest (the length of digest should be sufficient to resist this attack)
![Page 8: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/8.jpg)
8
Length of Digest (Cont’d)• Due to birthday attack, the length of the digest in general should be twice the length of the key in block ciphers• For example, SHA-256, SHA-384, and SHA-512 to match the key lengths 128, 192, and 256 in AES
![Page 9: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/9.jpg)
9
What Hashes Can Do• Authentication• Integrity check (MAC)• Encryption
![Page 10: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/10.jpg)
10
Authentication
Authentication with SKC (previous example)
Authentication with message digest
![Page 11: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/11.jpg)
11
Message Authentication Code (MAC)• MD (KAB|m): only those knowing the secret KAB can compute/verify the MAC (Problem?)• Solutions?
![Page 12: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/12.jpg)
12
MAC: Problem With Keyed Hash Keyed hash: h(key|m)An attacker gets m and h(key|m)First pads m according to the used
hash function, and then adds another message m’ at the end, the result is m|pad|m’
h(key|m|pad|m’) can be calculated from h(key|m|pad) which is the intermediate digest
![Page 13: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/13.jpg)
13
MAC: Solutions Use h(m|key)Use only half the bits of h(key|m) Use h(key|m|key)HMAC
![Page 14: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/14.jpg)
14
HMAC
![Page 15: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/15.jpg)
15
Encryption: Replacing SKC with Hash• Generate one-time pad: (similar to OFB)
b1 = MD(KAB|IV), b2 = MD(KAB|b1), b3 = MD(KAB|b2), …
• XOR the message with the one-time pad bit sequence (Problem with one-time pad? Recall OFB)• Mixing in the plaintext: (similar to CFB)
b1 = MD(KAB|IV), c1 = m1 XOR b1, b2 = MD(KAB|c1), c2 = m2 XOR b2,b3 = MD(KAB|c2), … c3 = m3 XOR b3, …
![Page 16: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/16.jpg)
16
Replacing Hash with SKC• Unix password hash: password is converted into a secret key, which is input into DES to encrypt the constant 0, producing a hashed password• Hashing large messages: (Problem? Solution?)
![Page 17: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/17.jpg)
17
Replacing Hash with SKC-Improved
• Problem still? And solution?
![Page 18: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/18.jpg)
18
MD2, MD4, MD5, SHA-1Message digest (MD), designed by Ron Rivest• MD2: 1989, operates on 8-bit octets• MD4: 1990, operates on 32-bit words• MD5: 1991, operates on 32-bit words
Secure hash algorithm (SHA), proposed by NIST• SHA-1: 1995, operates on 32-bit words
![Page 19: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/19.jpg)
19
MD2• Input: arbitrary number of octets• Output: 128-bit message digest• Step 1: Pad the message to be a multiple of 16 octets• Step 2: Append a 16-octet checksum to the message• Step 3: Process the message, 16 octets at a time, to produce the message digest
![Page 20: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/20.jpg)
20
Step 1: Padding• 16 octets of padding are added if the message is initially a multiple of 16 octets• Otherwise, r octets of padding are added to make the message a multiple of 16 octets
![Page 21: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/21.jpg)
21
Step 2: Checksum Computation• Checksum: 16-octet quantity, appended to the message m• m|checksum is processed by MD2 to obtain the actual message digest
![Page 22: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/22.jpg)
22
Substitution Table
![Page 23: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/23.jpg)
23
Final Pass: Producing Digest
![Page 24: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/24.jpg)
24
MD4, MD5, SHA-1Input: arbitrary number of bitsOutput: 128 bits for MD4 and MD5,
160 bits for SHA-1Step 1: Pad the message to be a
multiple of 512 bits (16 words, 64 octets)
Step 2: Process the message, 512 bits at a time, to produce the message digest
![Page 25: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/25.jpg)
25
Step 1: Padding
Padding for MD4, MD5, SHA-1
![Page 26: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/26.jpg)
26
Step 2: Producing Message Digest
Overview of MD4, MD5, SHA-1
![Page 27: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/27.jpg)
27
SHA-1
Inner Loop of SHA-1: 80 Iterations per block
Initially (in hex):A=67452301, B=efcdab89, C=98badcfe, D=10325476, E=c3d2e1f0
![Page 28: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/28.jpg)
28
SHA-1 (Cont’d)Update: For t=0 through 79 (each of the 80
iterations)
In total: needs 80*(# of message blocks) iterationsA|B|C|D|E from the last iteration is the message
digest
![Page 29: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/29.jpg)
29
SHA-1 vs. MD5 SHA-1 has 160-bit digest and MD5 128-
bit, making SHA-1 more secure against brute-force
SHA-1 involves more stages and bigger buffer, and thus executes more slowly than MD5
MD5 is considered broken in 2004SHA-1 is considered broken in 2005SHA-2: four digest sizes 224, 256, 384,
512 bits
![Page 30: ECE454/CS594 Computer and Network Security](https://reader036.vdocuments.net/reader036/viewer/2022062411/56816664550346895dd9f6b7/html5/thumbnails/30.jpg)
30
Reading Assignments
[Kaufman] Chapter 5