Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.


Page 1: Theory of Computation II

Topic presented by: Alberto Aguilar Gonzalez

Page 2: Problem

You are designing a banking application that will be accessed by thousands of users.

Security of passwords is a key factor: protect them from people outside and inside the organization.

How do you store passwords in the database?

Page 3: One approach

Encrypt passwords using a key. When the information is needed, decrypt it using the same key!

Example (very simple): given a character, encrypt it by replacing it with another one. What is the idea?

Character   ASCII code   Encrypted
A           01000001     10110010
B           01000010     10100101

IDEA: “hi” = decrypt(encrypt(“hi”))

Page 4: What is the problem with this approach?

If someone accesses this database and knows the key (even people from IT or support), all passwords would be revealed!

User       Pwd (encrypted using a key)
aagui003   bbhrt
aaoni001   jhlkhj

Page 5: A better approach

One-way hash functions (the talk is about this)

ONE WAY

Page 6: One-way function

A function y = f(x) is one-way if it is easy to compute y from x but “hard” to compute x from y.

However, nobody has proved that such functions exist!

A possible definition is: f(x) can be obtained in polynomial time, and $f^{-1}$ is NP-hard to compute.

Page 7: An example of one-way functions

Unique factorization theorem: every integer has a unique factorization as a product of primes.

Factoring: given two large prime numbers u, v, consider y = f(u, v) = u * v. It is polynomial-time computable.

However, given y, can we calculate u and v easily?

NO

Page 8: Hash function

Maps a message of variable length m to a fingerprint of fixed length n bits, with m >= n.

Fundamental properties: compression; easy to compute.

Can be used to detect changes, since a modification (even of a single bit) would change the hash value.

Page 9: One-way hash functions

y = h(x) where:

Given x, calculating h(x) is easy.

Given y, calculating any x such that y = h(x) is hard, AND

y is of fixed length, independent of the size of x (a compression function is needed for large inputs).

[Diagram: Input -> h -> Output]

Page 10: Two questions

Is it easy to come up with new one-way hash functions?

What do we need to build such functions? Easy to compute (in general, it is a public algorithm); hard to invert ($2^n$ different outputs!); a compression function; collision resistant.

Page 11: Collision

Given x1, x2 and a hash function h, a collision exists if h(x1) = h(x2). Is this possible?

YES, why? It is a many-to-one function! The input domain is greater than the output domain. Therefore, good one-way hash functions should be collision resistant! Collision resistant?

Page 12: The birthday paradox

Consider the probability $Q_1(n, d)$ that no two people out of a group of n will have matching birthdays out of d equally possible birthdays.

http://mathworld.wolfram.com/BirthdayProblem.html

$$Q_1(n, d) = \frac{d!}{(d - n)!\, d^n}$$

In general, let $Q_i(n, d)$ denote the probability that a birthday is shared by i people out of a group of n people; then the probability that a birthday is shared by k or more people is

$$P_k(n, d) = 1 - \sum_{i=1}^{k-1} Q_i(n, d)$$

In particular, the probability that two do have the same birthday is

$$P_2(n, d) = 1 - Q_1(n, d)$$

Page 13: …birthday paradox

An approximation for the minimum number of people needed to get a 50-50 chance that two have a match within k days out of d possible is given by

$$n(k, d) \approx 1.2 \sqrt{\frac{d}{2k + 1}}$$

(Sevast'yanov 1972, Diaconis and Mosteller 1989).

For birthdays (k = 0, d = 365): $n(0, 365) \approx 1.2 \sqrt{365} \approx 22.93$

How many people do we need in this classroom for a 50-50 chance?

What about OWHFs?

Page 14: Birthday attacks for OWHFs

Given y = h(x), where y is of fixed length n bits, $2^n$ outputs can be obtained. Since x is of variable length, and |x| > |y| in some cases, h(x) is a many-to-one function!

How many attempts are necessary so that h(x1) = h(x2) (probability of success >= 0.5)? Use the formula we just explained! Let $d = 2^n$ and k = 0:

$$n(d) \approx 1.2 \sqrt{d} = 1.2 \sqrt{2^n} = 1.2 \cdot 2^{n/2}$$

Page 15: To be collision resistant, how big should n be?

64 bits is now regarded as too small; 128-512 bits have been proposed.

Output length n   n(d)
64 bits           $2^{32}$
128 bits          $2^{64}$
160 bits          $2^{80}$
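As an added worked example (not from the slides), the birthday formulas of the last few pages carried through in Python: the exact $Q_1(n, d)$ as a running product, the smallest group giving a 50-50 chance, the $1.2\sqrt{d/(2k+1)}$ approximation, and the same formula with $d = 2^n$ for hash output lengths, which reproduces the table above. Function names are mine.

```python
from math import sqrt

def q1(n: int, d: int) -> float:
    """Q1(n, d) = d! / ((d - n)! * d^n): probability that no two of n people
    share one of d equally likely birthdays. Computed as a running product so
    it also works for huge d such as 2^64, where factorials are impractical."""
    prob = 1.0
    for i in range(n):
        prob *= (d - i) / d      # person i avoids the i birthdays already taken
    return prob

def p2(n: int, d: int) -> float:
    """P2(n, d) = 1 - Q1(n, d): probability that at least two share a birthday."""
    return 1.0 - q1(n, d)

def smallest_group(d: int, target: float = 0.5) -> int:
    """Smallest n with P2(n, d) >= target, by direct search (exact, unlike the approximation)."""
    n = 1
    while p2(n, d) < target:
        n += 1
    return n

def approx_n(k: int, d: int) -> float:
    """Slide approximation n(k, d) ~= 1.2 * sqrt(d / (2k + 1)) for a 50-50 chance
    of a match within k days out of d (Sevast'yanov; Diaconis and Mosteller)."""
    return 1.2 * sqrt(d / (2 * k + 1))

def birthday_attempts(n_bits: int) -> float:
    """Birthday attack on an n-bit hash: d = 2^n possible outputs and k = 0,
    so about 1.2 * 2^(n/2) hash evaluations give a 50% chance of a collision."""
    return approx_n(0, 2 ** n_bits)

if __name__ == "__main__":
    print(f"Q1(23, 365) = {q1(23, 365):.4f}; a 50-50 chance needs n = {smallest_group(365)}")
    print(f"approximation n(0, 365) = {approx_n(0, 365):.2f}")
    for bits in (16, 64, 128, 160):   # 16 bits is small enough to search exactly
        line = f"{bits:>3}-bit output: ~{birthday_attempts(bits):.3g} attempts (1.2 * 2^{bits // 2})"
        if bits <= 16:
            line += f"; exact search gives {smallest_group(2 ** bits)}"
        print(line)
```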

Page 16: General structure of OWHFs

[Diagram: arbitrary-length input -> iterated compression function -> fixed-length output -> optional output transformation -> output]

Page 17: Details

[Diagram: preprocessing turns the original input x (append padding bits, append length block) into the formatted input x1, x2, ..., xt; iterated processing with compression function f computes H0 = IV and Hi = f(Hi-1, xi) for i = 1..t; the output is h(x) = g(Ht)]
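The structure of the last two slides as an added Python example (not the slides' code): a toy iterated hash with the preprocessing step (padding bits plus a length block), a compression function f on 8-byte blocks, H0 = IV and output g(Ht). The compression function, block size and IV are constructed for illustration and are not collision resistant; the block shows the mechanics, not a usable hash.

```python
import struct

BLOCK = 8                    # block size in bytes (constructed toy parameter)
MASK = (1 << 64) - 1         # chaining value H_i is a 64-bit word
IV = 0x6A09E667F3BCC908      # H0 = IV, a constructed constant

def compress(h_prev: int, block: bytes) -> int:
    """Toy compression function f(H_{i-1}, x_i) -> H_i. Constructed for
    illustration only: a few rotate/multiply rounds, NOT collision resistant."""
    x = int.from_bytes(block, "big")
    h = (h_prev ^ x) & MASK
    for _ in range(4):
        h = ((h << 13) | (h >> 51)) & MASK          # rotate left by 13 bits
        h = (h * 0x9E3779B97F4A7C15 + x) & MASK     # multiply-add mixing
    return h

def preprocess(x: bytes) -> list:
    """Preprocessing from the slide: append a single 1 bit, then 0 bits, then a
    length block holding the bit length of x, so the result is a whole number
    of blocks x_1, x_2, ..., x_t. The length block keeps inputs that differ
    only in trailing padding bytes from formatting to the same blocks."""
    padded = x + b"\x80"                   # 1 bit followed by seven 0 bits
    while (len(padded) + 8) % BLOCK:       # leave room for the 8-byte length block
        padded += b"\x00"
    padded += struct.pack(">Q", len(x) * 8)   # append length block
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def toy_hash(x: bytes) -> str:
    """h(x) = g(H_t) with H_0 = IV and H_i = f(H_{i-1}, x_i); g is the identity."""
    h = IV
    for block in preprocess(x):
        h = compress(h, block)
    return format(h, "016x")

if __name__ == "__main__":
    # a one-bit change in the input ("hi" vs "hj") changes the whole digest
    for msg in (b"hi", b"hj", b"", b"a longer message spanning blocks"):
        print(f"{msg!r:40} -> {toy_hash(msg)}  ({len(preprocess(msg))} blocks)")
```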

Page 18: Two known OWHFs

MD5: from Ronald Rivest (the R in RSA) [1992]. Produces a 128-bit hash value. MD5 is widely used; however, collisions were detected (Wang, 2004).

SHA-1: designed by the National Institute of Standards and Technology (NIST) as an “upgrade” from MD5. Produces 160-bit hash values.

Page 19: Going back to our problem

Save a pair <user, hash_of_passw>:

<user01, 9dd4e461268c8034f5c8564e155c67a6>

Now, if somebody (inside or outside) accesses the passwords table, each entry should be attacked individually!

An authentication algorithm would look as follows:

    if MD5(passw_typed) == hash_of_passw
        CorrectPassword = true
    else
        CorrectPassword = false
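The slide's authentication check as an added Python example (not from the slides): records hold only the pair <user, hash_of_passw>, and login recomputes MD5 of the typed password and compares it with the stored value. Function names are mine, and the optional per-user salt is my addition to the slide's scheme, included because it is what makes equal passwords store as different hashes.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes = b"") -> str:
    """Slide scheme: hash_of_passw = MD5(passw). With a non-empty salt (my
    addition, not on the slide) the stored value is MD5(salt || passw) instead."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

def add_user(table: dict, user: str, password: str, use_salt: bool = False) -> None:
    """Save the pair <user, hash_of_passw>; the plaintext password is never stored."""
    salt = os.urandom(16) if use_salt else b""
    table[user] = (salt, hash_password(password, salt))

def authenticate(table: dict, user: str, passw_typed: str) -> bool:
    """The slide's algorithm: CorrectPassword = (MD5(passw_typed) == hash_of_passw).
    hmac.compare_digest keeps the comparison time independent of which
    characters differ, so timing does not reveal how close a guess was."""
    record = table.get(user)
    if record is None:
        return False
    salt, hash_of_passw = record
    return hmac.compare_digest(hash_password(passw_typed, salt), hash_of_passw)

if __name__ == "__main__":
    users = {}                                   # constructed sample table
    add_user(users, "user01", "correct horse")   # slide scheme: unsalted MD5
    add_user(users, "user02", "correct horse", use_salt=True)
    add_user(users, "user03", "correct horse", use_salt=True)
    for user, (salt, digest) in users.items():
        print(f"{user}: salt={salt.hex() or '-'} hash_of_passw={digest}")
    print("user01, right password:", authenticate(users, "user01", "correct horse"))
    print("user01, wrong password:", authenticate(users, "user01", "Correct horse"))
    print("unknown user:", authenticate(users, "nobody", "correct horse"))
```

With the slide's unsalted scheme, two users who chose the same password store the same hash_of_passw; the salted records for user02 and user03 show why a per-user salt is the usual addition.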

Page 20: Other uses

Digital signatures

Antivirus

Software validation

Used to store passwords in some Linux implementations

Page 21: Thank you

What #$!@ is he talking about?

mmm…

Z Z z…

Questions?