How Are Cryptographic Algorithms Broken???
Presented By Bhavana Tapde
June 19, 2006
Outline
• Cryptographic Algorithms
• Cryptographic Hash Algorithms
• Applications of Hash Functions
• Properties of Hash Functions
• Case Study of MD5
  • Wang’s Method
  • Klima’s Method
  • Demo
• Case Study of SHA-1
• Conclusion
What is a Cryptographic Algorithm?
• Cryptography – the process of scrambling information in a manner that is difficult to unscramble, and of making scrambled information intelligible again.
• Cryptographic Algorithm – any algorithm written to achieve cryptography, and consequently confidentiality, integrity, and authentication.
• Types of Cryptographic Algorithms
  • Symmetric Key Algorithms – DES, Triple DES
  • Asymmetric Key Algorithms – RSA
  • Cryptographic Hash Algorithms – MD5, SHA-1
Cryptographic Hash Algorithm
• Hashing Algorithm – a protocol for using the hash function, specifying how the message will be broken up and how the results from previous message blocks are chained together.

Hash Function
• is effectively computable.
• compresses information of arbitrary length to some information of fixed length (“digital fingerprint”).
• possesses the Avalanche (Ripple) Effect – when an input is changed slightly, the output changes significantly.
[Figure: a hash function mapping an input message to a fixed-length bit string]
How are hashes used?
• Digitally Signed Documents
• Hashing Passwords
• Verifying File Integrity
  • If you have just downloaded a large piece of software from a website, how do you know that you've received it correctly and that it has not been tampered with?
  • The website publishes the hash values of its download bundles, and you can compare a published hash (e.g. an MD5 sum) with the checksum of the downloaded file.
• Utilities
  • Unix OS – includes MD5 utilities in its distribution packages.
  • Windows – third-party applications like FastSum (http://www.fastsum.com/)
When is a Cryptographic Hash Function Secure?
When it satisfies the following three properties:
• Preimage-resistance: “Given V, find M such that h(M) = V” is infeasible.
• 2nd-preimage-resistance: “Given M, find M’ ≠ M such that h(M’) = h(M)” is infeasible.
• Collision-resistance: “Find M’ ≠ M such that h(M’) = h(M)” is infeasible.
Case Study of MD5

MD5: Description of MD5
• MD5 (message digest algorithm) – developed at RSA Data Security, Inc.
• Improved version of MD4.
• Takes any message and outputs a 128-bit hash.
• A message is padded so its length is a multiple of 512 bits.
• Each 512-bit block is processed individually.
• The 512-bit block is divided into 16 32-bit words.
• There are 4 32-bit registers A, B, C and D. These are initially loaded with IV_0 and carry the hash value from one 512-bit block to the next.
• It works in an iterative (chaining) process:
  H_{i+1} = f(H_i, M_i), with H_0 = IV_0,
  where M_i is a 512-bit block.
MD5: Hash Chaining
[Figure: starting from the fixed 128-bit H_0 = IV_0, the 512-bit blocks M_1, M_2, …, M_n are fed through f in sequence, H_i = f(H_{i-1}, M_i), ending with H_n = H]
MD5: One Small Step
• A, B, C, D – 4 registers.
• F – nonlinear function; there are 4 functions in total and one function is used in each round.
• Each round has 16 steps (so, 64 steps in total).
• M_i – 32-bit block of the message input (512/16 = 32).
• K_i – 32-bit constant, different for each step.
• <<< s – left bit rotation by s places; s varies for each operation.
• ⊞ – addition modulo 2^32.
MD5: The Rounds and Non-Linear Functions
• M_i = (w_0, …, w_15)
• For fixed i, 4 consecutive steps will yield
  a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + k_i) <<< s_i)
  d_{i+4} = a_i + ((d_i + F_{i+1}(a_i, b_i, c_i) + w_{i+1} + k_{i+1}) <<< s_{i+1})
  c_{i+4} = d_i + ((c_i + F_{i+2}(d_i, a_i, b_i) + w_{i+2} + k_{i+2}) <<< s_{i+2})
  b_{i+4} = c_i + ((b_i + F_{i+3}(c_i, d_i, a_i) + w_{i+3} + k_{i+3}) <<< s_{i+3})
  k_i and s_i are predefined step-dependent constants.
• F_i changes every 16 steps:
  F_i(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z)    0 ≤ i ≤ 15
  F_i(X,Y,Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)    16 ≤ i ≤ 31
  F_i(X,Y,Z) = X ⊕ Y ⊕ Z             32 ≤ i ≤ 47
  F_i(X,Y,Z) = Y ⊕ (X ∨ ¬Z)          48 ≤ i ≤ 63
MD5: Finding Collisions
• MD5 does 64 rounds of scrambling, so a brute force attack to find a collision requires at most 2^64 operations.
  Brute Force Attack – a method of defeating a cryptographic scheme by exhaustively working through all possible keys.
• Xiaoyun Wang and her team – have an attack that requires 2^39 operations. This attack takes at most an hour and 5 minutes on an IBM P690 (supercomputer).
• Vlastimil Klima and his team – have an attack that can find collisions on a notebook PC within a minute.
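The three resistance properties on the earlier slide and the brute-force figure here are about work factor: for an n-bit digest a preimage search costs about 2^n hash evaluations, while a birthday (collision) search costs about 2^(n/2), which is where 2^64 comes from for 128-bit MD5. As an added example (not part of the slides), this Python script runs both searches on MD5 truncated to a small, adjustable n so the gap is visible in seconds; the candidate messages are constructed.

```python
import hashlib
from typing import Optional, Tuple

def truncated_md5(data: bytes, bits: int) -> int:
    """Toy n-bit hash: the leading `bits` bits of MD5(data) as an integer.
    Truncating lets the searches below finish quickly; the cost model is the same."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)

def find_preimage(target: int, bits: int, limit: int) -> Tuple[Optional[bytes], int]:
    """Preimage search: try candidate messages until one hashes to `target`.
    Expected work is about 2**bits hash evaluations."""
    for i in range(limit):
        candidate = b"preimage-candidate-%d" % i        # constructed inputs
        if truncated_md5(candidate, bits) == target:
            return candidate, i + 1
    return None, limit

def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash distinct messages, remember every digest seen, and
    stop at the first repeat. Expected work is about 2**(bits/2) evaluations;
    by the pigeonhole principle it never needs more than 2**bits + 1."""
    seen = {}
    trials = 0
    while True:
        msg = b"collision-candidate-%d" % trials       # constructed inputs
        trials += 1
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg

if __name__ == "__main__":
    n = 20
    m1, m2, t = find_collision(n)
    print("collision on %d bits after %d trials (2^(n/2) = %d)" % (n, t, 2 ** (n // 2)))
    target = truncated_md5(b"published-checksum-input", n)   # constructed target
    _, t = find_preimage(target, n, 1 << 26)
    print("preimage on %d bits after %d trials (2^n = %d)" % (n, t, 1 << n))
```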
MD5 - Wang: Wang’s Method (August 2004)
• Use of Differential Cryptanalysis: find a statistical correlation between key values and cipher transformations (typically the Exclusive-OR of text pairs), then use a sufficient amount of defined plaintext to develop the key.
• Find a particular ΔM such that a particular ΔH occurs with high probability.
• In the collision case, we want ΔH = 0.
MD5 - Wang: Differentials
• The attack uses two types of differentials
  • XOR differential: ΔX = X ⊕ X’
  • Modular differential: ΔX = X - X’ mod 2^32
• For M = (m_0, …, m_{n-1}) and M’ = (m’_0, …, m’_{n-1}), the full hash differential for a message of length 512n bits is
  ΔH_0 → ΔH_1 → … → ΔH_n = ΔH
  If M and M’ are a collision pair, ΔH = 0.
• Round Differentials
  • ΔH_i → ΔH_{i+1} can be split into round differentials as well:
    ΔH_i → ΔR_0 → ΔR_1 → ΔR_2 → ΔR_3 = ΔH_{i+1}
    with probabilities P_0, P_1, P_2, P_3 for the four transitions.
MD5 - Wang: Probability
• Each of these differentials has a probabilistic relationship with the next.
• Ideally, we’d like to be able to set up 2 messages where we can guarantee with probability 1 that ΔH = 0.
• This can be assured by modifying M so the first round differential will be what you want.
• More modifications will improve the probability for the second, third and fourth round differentials.
MD5 - Wang: The Attack with Message Modification
• Find M = (M_0, M_1) and M’ = (M’_0, M’_1)
  • ΔM_0 = M’_0 - M_0 = (0,0,0,0,2^31,0,0,0,0,0,0,2^15,0,0,2^31,0)
  • ΔM_1 = M’_1 - M_1 = (0,0,0,0,2^31,0,0,0,0,0,0,-2^15,0,0,2^31,0)
  • M_0 and M’_0 differ in the 5th, 12th and 15th words only.
  • Same for M_1 and M’_1.
• Message Modification Method – modify a message word so that the first non-zero step differential (after the 5th step) is anything you want with probability 1.
• Modify multiple words to guarantee the round differentials with high probability.
MD5 - Wang: Results - Actual Collisions
M0 = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f
ab7e4612 3e580440 897ffbb8 634ad55 2b3f409 8388e483
5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780
M1 = d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335
cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822
5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35
M0’ = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f ab7e4612
3e580440 897ffbb8 634ad55 2b3f409 8388e483 5a41f125
e8255108 9fc9cdf7 72bd1dd9 5b3c3780
M1’ = d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335
cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822
5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35
Hash: 9603161f a30f9dbf 9f65ffbc f41fc7ef
MD5 - Klima: Klima’s Method (March 2006)
• “Tunnels in Hash Functions: MD5 Collisions Within a Minute”
• Tunnel – a complex function written to find collisions which takes into account individual bits of the message instead of whole words.
• Tunnels replace the multi-message modification method, and exponentially accelerate the collision search.
• Several tunnels are written into the MD5 hash function.
• Also uses a ‘differential path’ – the effect of a single bit change tracked through the hash algorithm.
MD5 - Klima: Speed Comparison to Find MD5 Collisions
Machine Specification                                   | Avg. Time | Min. Time | Max. Time | Collisions
CPU Intel Pentium III (1 GHz), 512MB RAM, Windows 2000  | 53.077    | 0.90      | 299.00    | 200
CPU Intel Pentium 4 (3 GHz), 512MB RAM, Windows XP      | 17.542    | 0.20      | 93.30     | 200
Pentium M (1.7 GHz), 512MB RAM, debian 2.6.14           | 29.104    | 1.03      | 147.54    | 102
AMD Athlon XP2000+ (1.67 GHz), 256MB RAM, Windows XP    | 29.733    | 0.30      | 165.70    | 1000
Time in seconds.
Software - http://cryptography.hyperlink.cz/2006/web_version_1.zip
MD5 - Klima: Demo of Pack3
• Pack3 – software developed by one of the members of Klima’s team.
• “Give me three files and I will give you another three with the same MD5 hash!”
• The program serves as a toy example of how to get around the necessity of creating a second preimage.
• Usage: pack3 file1 file2 file3 file4 file5 file6
  Will create two packages – package1.exe and package2.exe, having the same MD5 sum.
  package1 extracts files 1-3.
  package2 extracts files 4-6.
• Pack3 is available at http://cryptography.hyperlink.cz/MD5_collisions.html
• Verification tool used is FastSum. http://www.fastsum.com/download.php
Screen Shots : FastSum Utility
C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileA.txt"
MD5 Checksum calculation and verification utility. [1.9.0.149] EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\FileA.txt 12FABF28FF61D4AE9F7080F524CC3130
Calculation summary:
Processed 1 files in 0 folders with total size 0.04 Kb.
Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec.
C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileB.txt"
MD5 Checksum calculation and verification utility. [1.9.0.149] EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\FileB.txt 6DE787E2B6255B94B73DC39D32FC135C
Calculation summary:
Processed 1 files in 0 folders with total size 0.04 Kb.
Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec.
Screen Shots : Pack3
C:\Demo\pack3\selfextract-md5_coll>pack3 file1.txt file2.txt file3.txt file4.txt file5.txt file6.txt
Screen Shots : Pack3 (…cont)
• Verify results of Pack3 with FastSum
C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package1.exe"
MD5 Checksum calculation and verification utility. [1.9.0.149] EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\package1.exe 0DAACC367624034BD6B4345E72241315
Calculation summary:
Processed 1 files in 0 folders with total size 23.05 Kb.
Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec.
C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package2.exe"
MD5 Checksum calculation and verification utility. [1.9.0.149] EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\package2.exe 0DAACC367624034BD6B4345E72241315
Calculation summary:
Processed 1 files in 0 folders with total size 23.05 Kb.
Elapsed time: 00:00:00 Average speed: 23.05 Mb\Sec.
Case Study of SHA-1

SHA-1: Description of SHA-1
• SHA-1 (Secure Hash Algorithm) – developed by NIST (National Institute of Standards and Technology).
• Improved version of SHA-0.
• Takes any message of length less than 2^64 bits and outputs a 160-bit hash.
• A message is padded so its length is a multiple of 512 bits.
• Each 512-bit block is processed individually.
• The 512-bit block is divided into 16 32-bit words.
• There are 5 32-bit registers A, B, C, D and E. These are initially loaded with IV_0 and carry the hash value from one 512-bit block to the next.
• It works in an iterative process.
SHA-1: Hash Chaining
[Figure: each 512-bit block passes through the Expansion Function (producing 2560 bits, i.e. 80 32-bit words) into the Compression Function, chained from a fixed Initialization vector to the 160-bit hash]
SHA-1: One Small Step
• There are 4 rounds and each round has 20 steps (so, 80 steps in total).
• A, B, C, D, E – 5 registers.
• F – non-linear function.
• W_t – 32-bit word derived from the current 512-bit input block.
• t – round number, 0 ≤ t ≤ 79.
• K_t – 32-bit constant, different for each step.
• <<< s – left bit rotation by s places; s varies for each step.
• ⊞ – addition modulo 2^32.
SHA-1: SHA-1 Functions
• Expansion Function:
  W_i = (W_{i-3} ⊕ W_{i-8} ⊕ W_{i-14} ⊕ W_{i-16}) <<< 1    16 ≤ i ≤ 79
• F Functions:
  F_t(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)              0 ≤ t ≤ 19
  F_t(B,C,D) = B ⊕ C ⊕ D                       20 ≤ t ≤ 39
  F_t(B,C,D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)     40 ≤ t ≤ 59
  F_t(B,C,D) = B ⊕ C ⊕ D                       60 ≤ t ≤ 79
SHA-1: Finding Collisions
• SHA-1 does 80 rounds of scrambling, so a brute force attack to find a collision requires at most 2^80 operations.
• Xiaoyun Wang and her team – have an attack that requires 2^69 operations (i.e. 2000 times faster than 2^80 brute force).
SHA-1: Wang’s Method (February 2005)
Wang found the following shortcomings in SHA-1:
• The message expansion does not offer enough avalanche effect in terms of spreading the input differences.
• The structure of all the step functions is unexpectedly weak. Because of the simple step operation, certain properties of some Boolean functions combined with the carry effect actually facilitate, rather than prevent, differential attacks.
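The expansion function from the SHA-1 Functions slide and Wang’s first observation above can be checked directly: because W_i is built only from XOR and a rotation, the expansion is linear over XOR, so the difference between the expansions of two blocks depends only on the input difference. As an added example (not from the slides), this Python code expands a constructed block, flips one input bit, and reports how few of the 80 expanded words and bits the difference reaches.

```python
MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def expand(words):
    """SHA-1 message expansion: W_i = (W_{i-3} ^ W_{i-8} ^ W_{i-14} ^ W_{i-16}) <<< 1
    for 16 <= i <= 79, turning the 16 block words into 80 (2560 bits)."""
    w = list(words)
    if len(w) != 16:
        raise ValueError("a 512-bit block is 16 words")
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w

def xor_diff(a, b):
    return [x ^ y for x, y in zip(a, b)]

def expanded_difference(block, word_index: int, bit: int):
    """Flip one bit of one input word and return the XOR difference of the two
    80-word expansions. Since the expansion is linear over XOR, this equals
    expand() applied to the one-bit difference alone, whatever the block is."""
    flipped = list(block)
    flipped[word_index] ^= 1 << bit
    return xor_diff(expand(block), expand(flipped))

def spread_profile(delta):
    """How many expanded words carry a difference, how many bits in total, and
    the heaviest single word: a sparse spread is the weak avalanche Wang noted."""
    weights = [bin(d).count("1") for d in delta]
    return {"words_changed": sum(1 for w in weights if w),
            "total_bits": sum(weights),
            "max_bits_in_word": max(weights)}

if __name__ == "__main__":
    block = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]   # constructed block
    d = expanded_difference(block, 0, 0)                          # flip bit 0 of W_0
    print([hex(x) for x in d[:24]])
    print(spread_profile(d))
```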
SHA-1: Final Attack
• Wang’s attack on SHA-1 consisted of the following techniques:
  • Message Modification Method
  • Differential Attack
  • Local Collision Attack
  • Use of a Differential Path (effect of a single bit change tracked through the hash algorithm) and a Disturbance Vector (set of bit changes to the hash input designed to create a set of changes to the hash sequence).
SHA-1: Differential Attack
• Differential Cryptanalysis: the study of how differences in an input can affect the resultant difference at the output.
• Fundamental observation made by the team: a change in bit j of word W_i can be corrected by complementary changes in the following bits –
  • bit (j+6) mod 32 of word W_{i+1}
  • bit j of word W_{i+2}
  • bit (j+30) mod 32 of word W_{i+3}
  • bit (j+30) mod 32 of word W_{i+4}
  • bit (j+30) mod 32 of word W_{i+5}
SHA-1: Local Collision Attack
• Local Collision – a collision within a single message (or within a few steps of the hash function), including intermediate hash results.
• SHA-1 has a 6-step local collision that can start at any step.

SHA-1: Local Collision Attack (…cont)
Step | Δm        | Δa        | Δb        | Δc        | Δd        | Δe
i    | 0000 0001 | 0000 0001 | 0000 0000 | 0000 0000 | 0000 0000 | 0000 0000
i+1  | 0000 0020 | 0000 0000 | 0000 0001 | 0000 0000 | 0000 0000 | 0000 0000
i+2  | 0000 0001 | 0000 0000 | 0000 0000 | 4000 0000 | 0000 0000 | 0000 0000
i+3  | 4000 0000 | 0000 0000 | 0000 0000 | 0000 0000 | 4000 0000 | 0000 0000
i+4  | 4000 0000 | 0000 0000 | 0000 0000 | 0000 0000 | 0000 0000 | 4000 0000
i+5  | 4000 0000 | 0000 0000 | 0000 0000 | 0000 0000 | 0000 0000 | 0000 0000
After step i+5 every register difference is zero: Collision.
Conclusion
• MD5 is breakable – 2^39 complexity
• SHA-1 is breakable – 2^69 complexity
• So, it’s time to switch from MD5 and SHA-1.
• What next? Longer variants published by NIST:
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
• Because “Attacks always get better; they never get worse…”
References
• Xiaoyun Wang et al., “Finding Collisions in the Full SHA-1”, http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2yao.pdf
• Xiaoyun Wang et al., “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD”, http://eprint.iacr.org/2004/199.pdf
• Vlastimil Klima, “Tunnels in Hash Functions: MD5 Collisions Within a Minute”, http://eprint.iacr.org/2006/105.pdf
• Steve Friedl, “An Illustrated Guide to Cryptographic Hashes”, http://unixwiz.net/techtips/iguide-crypto-hashes.html#digestonly
• Hashing Function Lounge, http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html
• http://en.wikipedia.org/wiki/SHA1
• http://en.wikipedia.org/wiki/MD5
Thank You!
Questions?