
Computer Security, CSCI 4621

Fall 2010

CSCI 4621: Computer Security
Hash Functions, Birthday Paradox
Week 02, Lecture 04: Thursday, 09/02/2010
Daniel Bilar, University of New Orleans, Department of Computer Science, Fall 2010

Goals today

- Review
  - Controls for Security properties
  - Confidentiality Control: (Symmetric) Cryptography
- Integrity/Authenticity: (keyed) HMAC
  - Message Authentication Code (MAC)
  - Hash functions
  - Birthday paradox
- Application: Unix passwords

Some slides gratefully adapted from Shmatikov (UT Austin) and Zhao (Cleveland State)

Review: Some desirable Security Properties

1. Confidentiality is concealment of information
2. Authenticity is identification and assurance of origin of information
3. Integrity is prevention of unauthorized changes
4. Availability is ability to use information or resources desired

First, we looked at ways to control for 1): a control called (symmetric) cryptography.
See Menezes (2006) ch. 1, Table 1.1 for more.

More Security Properties

[Figure: from Menezes (2006), Overview of Cryptography]

Review: Cryptography Control

- Encryption is the process of encoding a message so that its meaning is not obvious
- Decryption is the reverse process, transforming an encrypted message back into its normal, original form
- Plaintext: message to be encrypted
- Ciphertext: encrypted message
- Issues
  - Computational vs. perfect secrecy
  - Stream vs. block cipher
- Properties encryption schemes strive for
  - Diffusion: distribute information from single plaintext letters over the entire output
  - Confusion: complex functional relationship between the plaintext/key pair and the ciphertext

Motivation: Integrity

[Diagram labels: BigFirm, goodFile, badFile, VIRUS, The Times, hash(goodFile), User]

- Software manufacturer wants to ensure that the executable file is received by users without modification.
- It sends out the file to users and publishes its hash in NY Times.
- The goal is integrity, not confidentiality
- Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)


Integrity vs. Secrecy

- Integrity
  - Attacker cannot tamper undetected with message
- Authenticity
  - Attacker cannot fake undetected the message
- Encryption per se does not guarantee integrity (could work for authenticity)
  - Attacker may be able to modify message under encryption without learning what it is
  - One-time pad: Given key K, encrypt M as M⊕K
    - This guarantees perfect secrecy, but attacker can easily change unknown M under encryption to M⊕M' for any M'
    - Anderson's "Hang hitler" vs "Heil hitler"
- We'll see now some Integrity controls: MAC and HMAC

Motivation: Authentication

[Diagram labels: Alice (KEY), Bob (KEY), msg, hash(KEY,msg)]

- Alice wants to make sure that nobody modifies message in transit
- Want to ensure both integrity and authenticity - why?
- Idea: given msg, very hard to compute hash(KEY,msg) without KEY; very easy with KEY

Integrity: Can hash without key

[Diagram labels: BigFirm, goodFile, badFile, VIRUS, The Times, hash(goodFile), User]

Integrity with Authenticity: Hash with key

[Diagram labels: Alice (KEY), Bob (KEY), msg, hash(KEY,msg)]

Message Authentication

- Message Authentication Code (MAC)
  - Small block of data that is appended to the message
  - MAC is generated by using a secret key
  - Assumes both parties A, B share common secret key K_AB
  - Code is function of message and key: MAC_M = F(K_AB, M)
  - Message plus code are transmitted
- If received code matches calculated code then
  - Receiver is sure message has not been altered
  - Message is from sender since only sender shares the key
- Different from encryption
  - MAC does not have to be reversible (and most likely is not) - why?
  - unlike cipher text, which has to be reversible in encryption
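
The one-time-pad change from the Integrity vs. Secrecy slide and the MAC check from the Message Authentication slide, as an added example that is not part of the original slides. HMAC-SHA256 as F, the key sizes and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """One-time pad operation: bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def mac(k_ab: bytes, m: bytes) -> bytes:
    """MAC_M = F(K_AB, M); HMAC-SHA256 is this example's choice of F."""
    return hmac.new(k_ab, m, hashlib.sha256).digest()

def send(pad: bytes, k_ab: bytes, msg: bytes):
    """Sender: encrypt M as M xor K, then transmit ciphertext plus code."""
    c = xor(msg, pad)
    return c, mac(k_ab, c)

def receive(pad: bytes, k_ab: bytes, c: bytes, code: bytes):
    """Receiver: recompute the code, compare in constant time, decrypt only on a match."""
    if not hmac.compare_digest(code, mac(k_ab, c)):
        return None  # altered in transit, or not from the key holder
    return xor(c, pad)

def demo():
    m, m_changed = b"Heil hitler", b"Hang hitler"   # the page's example strings
    pad = secrets.token_bytes(len(m))               # pad key K, used once
    k_ab = secrets.token_bytes(32)                  # separate shared MAC key K_AB
    c, code = send(pad, k_ab, m)
    # In-transit modification without K: XOR a difference into the ciphertext.
    c_changed = xor(c, xor(m, m_changed))
    return {
        "pad_only": xor(c_changed, pad),                   # decrypts cleanly to the changed text
        "with_mac": receive(pad, k_ab, c_changed, code),   # None: change detected
        "unmodified": receive(pad, k_ab, c, code),         # original message accepted
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value}")
```

The pad alone gives perfect secrecy yet decrypts the altered ciphertext without complaint; the code computed under K_AB is what lets the receiver reject it.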

Hash Functions: Main Idea

[Diagram: hash function H maps a message x (bit strings of any length) to a message digest y (n-bit strings)]

- H is a lossy compression function
  - Collisions: h(x)=h(x') for some inputs x, x'
  - Unavoidable (pigeonhole principle) if |x| >> n
- Result of hashing should "look random"
  - Intuition: half of digest bits are "1"; any bit in digest is "1" half the time
- Cryptographic hash function needs a few properties

Hash MAC (HMAC)

- Invented by Bellare, Canetti, and Krawczyk (1996)
  - HMAC strength established by cryptographic analysis
- Construct MAC by applying a hash function to message and key
- Hash with key is called a HMAC
- Could also use encryption instead of hashing, but
  - Hashing is faster than encryption in software
  - Library code for hash functions widely available
  - Can easily replace one hash function with another
  - There used to be US export restrictions (ITAR) on encryption... and some still apply


Common Hash Functions

- MD5
  - 128-bit output
  - Designed by Ron Rivest, used very widely
  - Collision resistance broken (2004)
    - Very bad: can fake PKI CA certificates (used in all browsers for https e-commerce, e-banking), see http://www.win.tue.nl/hashclash/rogueca/
- RIPEMD-160
  - 160-bit variant of MD5
- SHA-1 (Secure Hash Algorithm)
  - 160-bit output
  - US government (NIST) standard
    - Also the hash algorithm for Digital Signature Standard (DSS)
  - Collision resistance broken (2005)
- SHA-2 is recommended by US NIST
  - 224/256/384/512 bits
  - No collisions detected so far

Concept: One-Way

- Intuition: hash should be hard to invert
  - So-called "preimage resistance"
  - Let h(x')=y ∈ {0,1}^n for a random x'
  - Given y, it should be hard to find any x such that h(x)=y
- How hard?
  - Brute-force: try every possible x, see if h(x)=y
  - SHA-1 (common hash function) has 160-bit output... Calculemus
    - Suppose have hardware that'll do 2^30 trials a pop
    - Assuming 2^34 trials per second, can do 2^89 trials per year
    - Will take 2^71 years to invert SHA-1 on a random image

Prelude to Birthday Paradox

- T people sampled -> want to find growth of match of T people with same birthday
- Suppose each birthday is a random number taken from K days (K=365): how many possibilities?
  - K^T (samples with replacement)
- How many possibilities that are all different?
  - (K)_T = K(K-1)...(K-T+1) (samples without replacement)
- Probability of no repetition?
  - (K)_T / K^T ≈ 1 - T(T-1)/(2K)
- Probability of repetition?
  - O(T^2)

Concept: Collision Resistance

- Should be hard to find any pair x, x' such that h(x)=h(x')
- Brute-force collision search is O(2^(n/2)), not O(2^n)
  - n = number of bits in the output of hash function
  - For SHA-1, this means O(2^80) vs. O(2^160)
- Reason: Birthday paradox
  - Let T be the number of values x, x', x''... we need to look at before finding the first pair x, x' s.t. h(x)=h(x')
  - Assuming h is random, what is the probability that we find a repetition after looking at T values? O(T^2)
  - Total number of pairs? O(2^n)
  - Conclusion: T ≈ O(2^(n/2))
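
The birthday computation and the O(2^(n/2)) collision search carried out in code, as an added example that is not part of the original slides. The toy n-bit hash (the top n bits of SHA-256) and the function names are assumptions of this example.

```python
import hashlib
from math import prod

def p_no_repeat(T: int, K: int) -> float:
    """(K)_T / K^T: probability that T samples from K values are all different."""
    return prod((K - i) / K for i in range(T)) if T <= K else 0.0

def p_repeat_estimate(T: int, K: int) -> float:
    """The slide's approximation 1 - (K)_T/K^T ~ T(T-1)/2K, good while it is small."""
    return T * (T - 1) / (2 * K)

def h(x: bytes, n: int) -> int:
    """Toy n-bit hash for the experiment: the top n bits of SHA-256 (an assumption)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - n)

def first_collision(n: int):
    """Hash the inputs 0, 1, 2, ... until two share a digest; return (x, x', T)."""
    seen = {}
    T = 0
    while True:
        x = T.to_bytes(8, "big")
        T += 1
        d = h(x, n)
        if d in seen:
            return seen[d], x, T
        seen[d] = x

def smallest_T_for_half(K: int) -> int:
    """Smallest T whose repetition probability reaches 1/2."""
    T = 1
    while 1 - p_no_repeat(T, K) < 0.5:
        T += 1
    return T

if __name__ == "__main__":
    print("K=365:", smallest_T_for_half(365), "people for a 50% match")
    for n in (16, 24, 32):
        x, x2, T = first_collision(n)
        print(f"n={n}: collision after T={T} values, 2^(n/2)={2 ** (n // 2)}")
```

The number of values hashed before the first collision stays within a small factor of 2^(n/2) as n grows, far below the 2^n needed to hit one specific digest.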

Weak Collision Resistance

- Given randomly chosen x, hard to find x' such that h(x)=h(x')
  - Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision.
  - Brute-force attack requires O(2^n) time
- How does weak vs. normal collision resistance make a difference for breaking into systems?
  - Figuring password of specific account?
  - Figuring password of any account?

One-Way vs. Collision Resistance

- One-wayness does not imply collision resistance
  - Suppose g is one-way
  - Define h(x) as g(x') where x' is x except the last bit
    - h is one-way (to invert h, must invert g)
    - Collisions for h are easy to find: for any x, h(x0)=h(x1)
- Collision resistance does not imply one-wayness
  - Suppose g is collision-resistant
  - Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise
    - Collisions for h are hard to find: if y starts with 0, then there are no collisions; if y starts with 1, then must find collisions in g
    - h is not one-way: half of all y's (those whose first bit is 0) are easy to invert (how?); random y is invertible with prob. 1/2


Unix Password Hashing

- Note that Unix passwords themselves are not stored
  - The hash is stored
- The systems administrator of a Unix system can reset your password, but he/she is not lying to you when he says "I don't know your password."
- To verify password:
  - Allow user to input username and password
  - Run cryptographic hash function on (password+salt)
  - Look up user's entry in password (+shadow) file
  - If the hash value stored == the computed hash, then the password matches

Encrypt + MAC

- Goal: confidentiality + integrity + authentication

[Diagram: Alice and Bob share K1, K2. Alice computes Encrypt(K1,msg) and MAC=Hash(K2,msg) and sends encrypt(msg), MAC(msg), then encrypt(msg2), MAC(msg2); Bob decrypts and verifies MAC. Callouts: "Can tell if messages are the same!", "Why is this bad?"]

- MAC is deterministic: messages are equal ⇒ their MACs are equal
- Solution: Encrypt, then MAC
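
The Encrypt + MAC slide's point in code, as an added example that is not part of the original slides: a MAC over the plaintext repeats when the message repeats, while a MAC over the transmitted ciphertext does not. The toy SHA-256 keystream cipher standing in for encrypt(K1, .), the use of HMAC-SHA256 and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def stream_xor(k1: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy randomized cipher standing in for encrypt(K1, .): XOR with a
    SHA-256(k1 || nonce || offset) keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(k1 + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(d ^ s for d, s in zip(data[off:off + 32], ks))
    return bytes(out)

def mac(k2: bytes, data: bytes) -> bytes:
    """MAC = Hash(K2, .), here HMAC-SHA256."""
    return hmac.new(k2, data, hashlib.sha256).digest()

def encrypt_and_mac(k1, k2, msg):
    """The slide's first scheme: send encrypt(msg), MAC(msg)."""
    nonce = secrets.token_bytes(16)
    return nonce, stream_xor(k1, nonce, msg), mac(k2, msg)

def encrypt_then_mac(k1, k2, msg):
    """The slide's solution: MAC what is actually transmitted."""
    nonce = secrets.token_bytes(16)
    c = stream_xor(k1, nonce, msg)
    return nonce, c, mac(k2, nonce + c)

def open_encrypt_then_mac(k1, k2, nonce, c, tag):
    """Receiver: verify the MAC first, decrypt only if it matches."""
    if not hmac.compare_digest(tag, mac(k2, nonce + c)):
        return None
    return stream_xor(k1, nonce, c)

def tags_repeat(packets) -> bool:
    """What an observer without K1 or K2 can check: do two packets carry the same tag?"""
    tags = [tag for _, _, tag in packets]
    return len(set(tags)) != len(tags)

def demo():
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"status: no change"                      # constructed sample, sent twice
    e_and_m = [encrypt_and_mac(k1, k2, msg) for _ in range(2)]
    e_then_m = [encrypt_then_mac(k1, k2, msg) for _ in range(2)]
    return tags_repeat(e_and_m), tags_repeat(e_then_m), open_encrypt_then_mac(k1, k2, *e_then_m[0])
```

`demo()` returns `(True, False, msg)`: the repeated message is visible from the tags in the first scheme even though the ciphertexts differ, and not in the second.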

Password Hashing

- Instead of user password, store H(password)
  - Sometimes H(salt, password)
- When user enters password, compute its hash and compare with entry in password file
  - System does not store actual passwords!
  - Difficult to go from hash to password!
    - Do you see why hashing is better than encryption here?
- Hash function H must have some properties
  - One-way: given H(password), hard to find password
    - No known algorithm better than trial and error
  - Is collision resistance needed? Not in general

UNIX Password System

- Problem: passwords are not truly random
  - With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94^8 ≈ 6 quadrillion possible 8-character passwords
  - Humans like to use dictionary words, human and pet names ≈ 1 million common passwords

Dictionary Attack

- If you can get hold of hashed passwords, so-called dictionary attacks are still possible because many passwords come from a small dictionary
- No salt: attacker can pre-compute H(word) for every word in the dictionary; this only needs to be done once
  - This is an offline attack
  - Once password file is obtained, cracking is instantaneous
- With 1,000,000-word dictionary and assuming 10 guesses per second, brute-force online attack takes 50,000 seconds (14 hours) on average

Salt

/etc/passwd entry:

dbilar:fURxfg,4hLBX:14510:30:Daniel:/home/dbilar:/bin/bash

[Diagram labels: salt (chosen randomly when password is first set), Password, hash(salt,pwd)]

- Users with the same password have different entries in the password file
- Offline dictionary attack becomes much harder


Advantages of Salting

- Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries
  - Same hash function on all UNIX machines; identical passwords hash to identical values
  - One table of hash values works for all password files
- With salt, attacker must compute hashes of all dictionary words once for each combination of salt value and password
  - With 12-bit random salt, same password can hash to 4096 different hash values

Panacea Salted Passwords?

- Sadly no, because of human behavior. Password quality in terms of randomness is generally terrible
- Then: if universe of passwords is small, completely feasible to compute dictionary attacks of salted passwords
  - H(salts,passwords), |salts|=2^12, |passwords|=|1000|
- Jan 2010: Rockyou.com subject to SQL injection attack
  - 32.6 million passwords were exposed and posted online
  - Nearly 50 percent of the passwords on the RockYou.com list contained names, slang words, dictionary words, or trivial combinations as passwords
  - Most common password being '123456', followed by '12345', '123456789', 'Password', 'iloveyou', 'princess', 'rockyou', '1234567', '12345678', and 'abc123'
  - Other vulnerable passwords included common names such as 'Jessica' and 'Ashley', or keyboard patterns such as 'Qwerty'
- See http://www.thetechherald.com/article.php/201003/5124/Passwordproblemsbackinthespotlightthankstonewresearch
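
The verification steps from the Unix Password Hashing slide and the effect of the salt from the salting slides, as an added example that is not part of the original slides. PBKDF2-HMAC-SHA256 as H, the 16-byte salt (the slides use 12 bits), the iteration count and all names are assumptions of this example; the sample passwords come from the RockYou list quoted above.

```python
import hashlib
import hmac
import secrets

ITER = 50_000             # work factor picked for this example; deployments tune it upward
NO_SALT = b"\x00" * 16    # one fixed value for every account behaves like having no salt

def H(salt: bytes, password: str) -> bytes:
    """H(salt, password): PBKDF2-HMAC-SHA256 is this example's choice of one-way H."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def set_password(db: dict, user: str, password: str, salted: bool = True) -> None:
    """Store (salt, hash) only; the salt is chosen randomly when the password is set."""
    salt = secrets.token_bytes(16) if salted else NO_SALT
    db[user] = (salt, H(salt, password))

def verify(db: dict, user: str, password: str) -> bool:
    """Look up the user's entry, hash the input with the stored salt, compare."""
    entry = db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, H(salt, password))

def precompute(words, salt: bytes = NO_SALT) -> dict:
    """One table of H(word), built once for a single salt value."""
    return {H(salt, w): w for w in words}

def exposed_by_table(db: dict, table: dict) -> dict:
    """Audit a password file: which stored hashes appear in a precomputed table?"""
    return {user: table[h] for user, (_, h) in db.items() if h in table}

if __name__ == "__main__":
    words = ["123456", "princess", "iloveyou"]
    unsalted, salted = {}, {}
    for db, use_salt in ((unsalted, False), (salted, True)):
        set_password(db, "alice", "princess", salted=use_salt)
        set_password(db, "bob", "princess", salted=use_salt)
    table = precompute(words)
    print("unsalted file:", exposed_by_table(unsalted, table))
    print("salted file:  ", exposed_by_table(salted, table))
```

With no salt, both accounts hold the same hash and the single table matches both; with per-user salts the same table matches nothing, so the work has to be repeated per salt value, which stays feasible only when the password universe is as small as the last slide warns.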

For next Tuesday

- Review notes
- On your computer, or in the computer labs on the third floor (login will be provided)
  - Download VMWare Player 3.1.1 at VMWare.com for your platform (Linux or Windows)
  - Download NST VM 1.8.1 at nstvm1.8.1.zip
  - Unzip NST and boot it in VMWare Player
- Instructions all here: http://www.vmware.com/appliances/directory/1 41/
- We'll have a lab on Thursday, Sep. 9th using this
