Information Integrity and Message Digests

Information Integrity and Message Digests CSCI 5857: Encoding and Encryption


Page 1: Information Integrity and Message Digests

Information Integrity and Message Digests

CSCI 5857: Encoding and Encryption

Page 2: Information Integrity and Message Digests

Outline

• Information integrity issues
• Message digests
  – Hash functions
  – Ensuring information integrity
• Attacks on message digests
  – Preimage attacks
  – Collision attacks
• Properties of a good hash function
• Mathematical background
  – Pigeonhole principle
  – Birthday problem

Page 3: Information Integrity and Message Digests

Information Integrity Problems

• Content Modification: Adversary inserts/modifies/deletes message content

[Diagram: Salary Database; adversary action: “Insert new record for Darth’s salary of $1,000,000”]

Page 4: Information Integrity and Message Digests

Information Integrity Problems

• Masquerade: Adversary sends message claimed to be from someone else

[Diagram: adversary masquerading as Alice sends “Give Darth a $10,000 raise -- Alice”]

Page 5: Information Integrity and Message Digests

Information Integrity Problems

• Timing Modification: Adversary intercepts message and replays it later

[Diagram: replayed message “Open the front gate. -- Alice”]

Page 6: Information Integrity and Message Digests

Modification Detection

• Simplest case: Detecting modification
  – Message M stored in public location
  – M not encrypted
• How can we prove/detect whether adversary has replaced message M with fake message M´?

[Diagram: Public storage, M and M´]

Page 8: Information Integrity and Message Digests

Message Digests

• Created from message M using hashing function
  y = h(M)
• Like “fingerprint” for messages
  – Different messages → different fingerprints
  – Much more compact than messages: size of y << size of M
  – Plausible for secure storage/transmission

Page 9: Information Integrity and Message Digests

Message Digests

• Same concept as error detection in network transmission
• Error detection bits = function of message
  – Example: parity bit depends on whether the number of 1’s in message is even or odd
• If error detection bits do not match message, request message resend
• Key difference: Unlike noise, adversary is intelligent

[Diagram: Message followed by Error detection bits]

Page 10: Information Integrity and Message Digests

Message Digests

• Used to detect modification
  – Apply hash to message in storage to get h(M´)
  – Compare with stored h(M)
  – If $h(M') \ne h(M)$, message has been modified

[Diagram: M´ in public storage is hashed to h(M´) and compared with h(M)]

Page 11: Information Integrity and Message Digests

Simple Example Hash Function

• Break message M into blocks $b_i$
• Digest = XOR of all blocks
  $h(b_1, b_2, b_3, \ldots, b_n) = b_1 \oplus b_2 \oplus b_3 \oplus \cdots \oplus b_n$
• Possible improvement: Rotate each block one bit before XOR (diffusion)

Page 12: Information Integrity and Message Digests

Attacks on Message Digests

• Goal of message digest: Detect when fake message M´ has been substituted for original message M
• Adversary goal: Substitute fake message M´ for original message M without being detected
• Types:
  – Preimage attack
  – Collision attack

Page 14: Information Integrity and Message Digests

Preimage Attack

• Adversary can “tweak” new message M´ until h(M´) = h(M)
• Example:
  Give Darth a salary increase of $1000
  Award Mr. Vader some raise … $2000
  Present Darth Vader … bonus $3000
  … … … $4000 …

“I’ll find some combination of these so they can’t detect the difference!”

Page 15: Information Integrity and Message Digests

Preimage Attack

• Simple XOR-based hash function vulnerable to preimage attack
  – Darth generates own message M´
  – Darth adds some block $b_m$ to end so that $h(M') \oplus b_m = h(M)$
• Problem: XOR is reversible
  – Can work backwards from desired message to create one with same hash as original message
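The XOR digest from the "Simple Example Hash Function" slide and the weakness described on this slide, as an added example that is not part of the original slides: the stored-digest comparison passes for a modified record under the XOR digest and fails under SHA-256. The 8-byte block size, zero padding, sample records and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 8  # block size in bytes; an assumption, the slides do not fix one

def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes) -> bytes:
    """Zero-pad to a whole number of blocks (assumed padding rule)."""
    return msg.ljust(-(-len(msg) // BLOCK) * BLOCK, b"\x00")

def xor_hash(msg: bytes) -> bytes:
    """The slides' toy digest: XOR of all blocks b_1 ... b_n."""
    digest = bytes(BLOCK)
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK):
        digest = xor_blocks(digest, padded[i:i + BLOCK])
    return digest

def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

def append_fixup_block(fake: bytes, target_digest: bytes) -> bytes:
    """Return fake || b_m with b_m = h(fake) XOR target, so h(result) = target."""
    padded = pad(fake)
    return padded + xor_blocks(xor_hash(padded), target_digest)

def is_unmodified(stored_digest: bytes, current: bytes, h) -> bool:
    """Check from the slides: recompute h(M') and compare with stored h(M)."""
    return hmac.compare_digest(stored_digest, h(current))

# Constructed sample records (not taken from the slides).
ORIGINAL = b"Darth salary: $50,000"
TAMPERED = append_fixup_block(b"Darth salary: $1,000,000", xor_hash(ORIGINAL))

if __name__ == "__main__":
    # The XOR digest cannot tell the two records apart; SHA-256 can.
    print("XOR digest accepts tampered record:",
          is_unmodified(xor_hash(ORIGINAL), TAMPERED, xor_hash))
    print("SHA-256 accepts tampered record:   ",
          is_unmodified(sha256(ORIGINAL), TAMPERED, sha256))
```
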

Page 16: Information Integrity and Message Digests

Collision Attack

• Adversary finds two messages M1 and M2 with same message digest h(M1) = h(M2)
• M1 is harmless message: “We like kittens”
• M2 has advantage for adversary: “Give Darth a $5000 raise”

Page 17: Information Integrity and Message Digests

Collision Attack

• Darth gets job in organization
  – Presents M1 to boss for approval
  – Boss stores h(M1)
  – Darth actually stores/sends M2
• Boss has no way to prove he didn’t approve M2

[Diagram: “We like kittens” → h(“We like kittens”); “Give Darth a $5000 raise”]

Page 18: Information Integrity and Message Digests

Good Properties of a Hash

• Must be “one way”
  – Easy to compute h(M)
  – No easy way to determine what other messages M´ would give same digest (h(M) = h(M´))
  – Otherwise adversary could easily create different messages with same hash
• Must produce hash large enough to prevent brute force attacks
  – Testing all possible alternative messages to find ones with same hash value

Page 19: Information Integrity and Message Digests

Mathematics of Message Digests

• Pigeonhole Principle:
  – Given n pigeons and m birdhouses, with n > m
  – At least one birdhouse with more than one pigeon
• Digest size |h(M)| < message size |M|
• Fewer possible digests h(M) than possible messages M
  – $2^{|h(M)|}$ possible digests < $2^{|M|}$ possible messages
• Must exist messages M1 and M2 with same digest h(M1) = h(M2)
  – That is, cannot avoid collisions between different messages
• Example: 1 GB messages, 512 bit digest
  – Over 2,000,000 different messages with same digest!

Page 20: Information Integrity and Message Digests

Mathematics of Message Digests

• Best case: Hash function follows the random oracle model
  – h(M) like “random” function over all possible MDCs
  – Each possible MDC equally likely for a given M
• Minimizes likelihood that h(M1) = h(M2) for given M1, M2
• Assumption used in birthday problem analysis

Page 21: Information Integrity and Message Digests

Birthday Problems and Digests

1. What is minimum number of students in class so that at least one has same birthday as instructor?
2. What is minimum number of students in class so that at least two have same birthday?

In general:
• k students and N (that is, 365) possible birthdays
• Minimum k such that probability ≥ 50%:
  1. $k \approx 0.69\,N \approx 253$ for birthdays
  2. $k \approx 1.18\,N^{1/2} \approx 23$ for birthdays

Page 22: Information Integrity and Message Digests

Birthday Problems and Digests

• Birthday problems define vulnerability of message digests to exhaustive search attacks
  – Assume best case random oracle model
  N = number of possible message digests
  k = number of false messages tested by adversary in attacks
• How many false messages must adversary test to have at least 50% chance of finding message with desired digest?

Page 23: Information Integrity and Message Digests

Birthday Problems and Digests

First birthday problem = Preimage Attack
• Probability h(M´) = h(M) for any M´ given some M
• Number of tests $k \approx 0.69\,N$ (proportional to number of possible digests)

Page 24: Information Integrity and Message Digests

Birthday Problems and Digests

Second birthday problem = Collision Attack
• Probability h(M1) = h(M2) for any M1, M2
• Number of tests $k \approx 1.18\,N^{1/2}$ (proportional to square root of possible digests)

Page 25: Information Integrity and Message Digests

Birthday Problems and Digests

• Number of possible message digests N must be large enough to make attacks impractical
  – Difficulty of preimage attack proportional to $N$
  – Difficulty of collision attack proportional to $N^{1/2}$
• Message digest of n bits → $N = 2^n$
• $2^{n/2}$ must be large enough to prevent exhaustive search to find collision
• Current standard: 512 bits
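The two birthday bounds from the slides above, computed exactly and then observed on a deliberately short digest, as an added example that is not part of the original slides. It shows why digest length matters: truncating SHA-256 to 24 bits (an assumption chosen so the search finishes instantly) yields a collision after roughly $1.18\,N^{1/2}$ hashes rather than $0.69\,N$. Function names and the generated messages are constructed for the illustration.

```python
import hashlib
import math

def min_k_match_target(N: int, p: float = 0.5) -> int:
    """First birthday problem: smallest k with P(one of k draws hits a fixed value) >= p."""
    return math.ceil(math.log(1 - p) / math.log1p(-1 / N))

def min_k_any_pair(N: int, p: float = 0.5) -> int:
    """Second birthday problem: smallest k with P(some two of k draws are equal) >= p."""
    no_match, k = 1.0, 0
    while 1 - no_match < p:
        no_match *= 1 - k / N   # the next draw must avoid the k values already seen
        k += 1
    return k

def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an n-bit digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct messages until two share a digest; return (m1, m2, hashes computed)."""
    seen = {}
    k = 0
    while True:
        msg = b"constructed message %d" % k   # constructed inputs, all distinct
        k += 1
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, k
        seen[d] = msg

if __name__ == "__main__":
    print("birthdays, match instructor:", min_k_match_target(365))
    print("birthdays, any two match:   ", min_k_any_pair(365))
    bits = 24
    m1, m2, k = find_collision(bits)
    print("24-bit digest: collision after", k, "hashes;",
          "1.18*sqrt(N) =", round(1.18 * math.sqrt(2 ** bits)),
          "; 0.69*N =", round(0.69 * 2 ** bits))
    print(m1, m2)
```
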