CH2 FBC Openssl Lab

Uploaded by

deepandml
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
21 views125 pages

CH2 FBC Openssl Lab

Uploaded by

deepandml
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 125

Unit-2: Cryptographic Primitives

Includes OPENSSL tools for lab

MRN Tagore
Dept of CSE(CIC)
Secret-Key Encryption
Introduction
• Encryption is the process of encoding a message in such a way that
only authorized parties can read the content of the original message
• History of encryption dates back to 1900 BC
• Two types of encryption
• secret-key encryption : same key for encryption and decryption
• public-key encryption : different keys for encryption and decryption

• We focus on secret-key encryption in this chapter


Substitution Cipher
• Encryption is done by replacing units of plaintext with ciphertext,
according to a fixed system.
• Units may be single letters, pairs of letters, triplets of letters, mixtures
of the above, and so forth
• Decryption simply performs the inverse substitution.
• Two typical substitution ciphers:
• monoalphabetic - fixed substitution over the entire message
• Polyalphabetic - a number of substitutions at different positions in the
message
Monoalphabetic Substitution Cipher
• Encryption and decryption
Data Encryption Standard (DES)
• DES is a block cipher - it encrypts one fixed-size block of data at a time
• Block size for DES is 64 bits
• DES uses 56-bit keys although a 64-bit key is fed into the algorithm (8 bits are parity bits)
• Theoretical attacks (differential and linear cryptanalysis) were identified. None was practical enough to cause major concerns.
• The real problem is the 56-bit key: exhaustive search is feasible, and a DES key was recovered by brute force in 1998 (EFF's Deep Crack machine)
• Triple DES (three DES operations with two or three independent keys) works around the key size problem, but keeps the 64-bit block size
Advanced Encryption Standard (AES)
• AES is a block cipher
• 128-bit block size.
• Three different key sizes: 128, 192, and 256 bits
Encryption Modes
• A block cipher by itself encrypts only a single block. An encryption mode (mode of operation) describes how the cipher is applied repeatedly to data longer than one block, and how the input to each block encryption is made different from the others.
• Examples include:
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Propagating CBC (PCBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)
Electronic Codebook (ECB) Mode
• Using the openssl enc command (the key and IV are given as hex strings):

• We use the 128-bit (key size) AES algorithm

• The -aes-128-ecb option selects AES with a 128-bit key in ECB mode
• The -e option indicates encryption
• The -d option indicates decryption
• The -K option specifies the encryption/decryption key as a hex string
• ECB encrypts every block independently, so identical plaintext blocks give identical ciphertext blocks; patterns in the plaintext (such as the shape of an image) remain visible in the ciphertext
Cipher Block Chaining (CBC) Mode

• The main purpose of the IV is to ensure that even if two plaintexts are identical, their ciphertexts are still different, because different IVs will be used.
• Decryption can be parallelized: each plaintext block depends only on its own ciphertext block and the previous ciphertext block
• Encryption cannot be parallelized: the input of each block is XORed with the previous ciphertext block, so the blocks must be processed in order
Cipher Block Chaining (CBC) Mode
• Using openssl enc command to encrypt the same plaintext, same key, different IV:

• We use the 128-bit (key size) AES algorithm


• The -aes-128-cbc option selects AES with a 128-bit key in CBC mode
• The -e option indicates encryption
• The -iv option is used to specify the Initialization Vector (IV) as a hex string; with the same key and plaintext but a different IV, the two ciphertexts are completely different
Cipher Feedback (CFB) Mode
• A block cipher is turned into a stream
cipher.
• Ideal for encrypting real-time data.
• Padding not required for the last
block.
• decryption using the CFB mode can be
parallelized, while encryption can only
be conducted sequentially
Comparing encryption with CBC and CFB

• Plaintext size is 21 bytes


• CBC mode: ciphertext is 32 bytes due to padding (21 bytes are padded up to the next multiple of the 16-byte block size)
• CFB mode: ciphertext size is the same as the plaintext size (21 bytes), since the key stream is simply truncated for the last block
Output Feedback (OFB) Mode
• Similar to CFB
• Used as stream cipher
• Does not need padding
• The key stream is generated sequentially (each key-stream block is the encryption of the previous one), so neither encryption nor decryption can be parallelized
• However, the key stream does not depend on the plaintext or the ciphertext, so it can be precomputed before the data arrives, and the remaining XOR step is cheap
Counter (CTR) Mode
• Uses a counter to generate the key stream: key-stream block i is the encryption of (nonce || counter value i)
• A key stream must never be reused under the same key, hence the counter value for each block is prepended with a randomly generated value called a nonce
• The nonce serves the same role as the IV does in the other encryption modes; reusing a (key, nonce) pair leaks the XOR of the two plaintexts
• Both encryption and decryption can be parallelized
• The key stream in CTR mode can be calculated in parallel, and even before the plaintext is available
Modes for Authenticated Encryption
• None of the encryption modes discussed so far can be used to achieve message authentication: a modified ciphertext still decrypts without any error
• A number of modes of operation have been designed to combine
message authentication and encryption.
• Examples include
• GCM (Galois/Counter Mode)
• CCM (Counter with CBC-MAC)
• OCB mode (Offset Codebook Mode)
Padding
• Block cipher encryption modes divide plaintext into blocks and the
size of each block should match the cipher’s block size.
• No guarantee that the size of the last block matches the cipher’s
block size.
• Last block of the plaintext needs padding i.e. before encryption, extra
data needs to be added to the last block of the plaintext, so its size
equals to the cipher’s block size.
• Padding schemes need to clearly mark where the padding starts, so
decryption can remove the padded data.
• Commonly used padding scheme is PKCS#5 (the same rule generalized to 16-byte blocks is called PKCS#7; this is what openssl enc applies by default)
Padding Experiment

• Plaintext size is 9 bytes.


• Size of ciphertext (cipher.bin) becomes 16 bytes
Padding Experiment
• How does decryption software know where padding starts?

• 7 bytes of 0x07 are added as the padding data: each padding byte holds the number of padding bytes, so the decryptor reads the last byte to know how many bytes to strip
Padding Experiment – Special case
• What if the size of the plaintext is already a multiple of the block size
(so no padding is needed), and its last seven bytes are all 0x07

• Size of plaintext (plain3.txt) is 16 bytes

• Decrypting the ciphertext with the -nopad option (so that openssl does not strip the padding) gives an output (plaint3_new.txt) of 32 bytes: a full block was added as the padding.
• Therefore, in PKCS#5, if the input length is already an exact multiple of the block size B, then B bytes of value B will be added as the padding. Without this rule the decryptor could not tell whether the trailing 0x07 bytes are data or padding.
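The following is an added example, not code from the slides: it implements the modes of operation above (ECB, CBC, CFB, CTR) and the PKCS#5/#7 padding rule of the padding experiments, in a form that runs with Python's standard library alone. In place of AES it uses a toy 16-byte block cipher, a four-round Feistel network with HMAC-SHA256 as the round function (an assumption for this example; the mode and padding logic does not depend on which block cipher is underneath). The key and plaintexts are constructed. It shows ECB leaking repeated blocks, CBC ciphertexts changing with the IV, CFB and CTR needing no padding (21 bytes in, 21 bytes out) and the 9-byte and 16-byte padding cases.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, the same as AES


# --- Toy block cipher: a stand-in for AES, constructed for this example ---
# Four-round Feistel network whose round function is HMAC-SHA256 truncated to
# 8 bytes.  Like any Feistel cipher it is a keyed, invertible permutation of
# 16-byte blocks, which is all that the mode logic below relies on.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return right + left  # undo the last swap


def block_decrypt(key, block):
    assert len(block) == BLOCK
    right, left = block[:8], block[8:]  # redo the last swap
    for i in reversed(range(4)):
        right, left = left, xor(right, _round(key, i, left))
    return left + right


# --- PKCS#5/#7 padding: every pad byte holds the pad length; a full block if aligned ---
def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK  # 1..16
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# --- Modes of operation ---
def ecb_encrypt(key, pt):
    # every block encrypted independently: equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in blocks(pkcs7_pad(pt)))


def ecb_decrypt(key, ct):
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pkcs7_pad(pt)):
        prev = block_encrypt(key, xor(b, prev))  # chaining forces sequential encryption
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    cbs = blocks(ct)
    # each block needs only its own and the previous ciphertext block: parallelizable
    pt = b"".join(xor(block_decrypt(key, c), p) for p, c in zip([iv] + cbs, cbs))
    return pkcs7_unpad(pt)


def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):  # the last block may be short: key stream is truncated, no padding
        c = xor(b, block_encrypt(key, prev))  # key stream = E(previous ciphertext block)
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    cbs = blocks(ct)
    return b"".join(xor(c, block_encrypt(key, p)) for p, c in zip([iv] + cbs, cbs))


def ctr_crypt(key, nonce, data):
    # key-stream block i = E(nonce || counter i); the blocks are independent, so this is
    # parallelizable, and the same function serves for encryption and decryption
    assert len(nonce) == 8
    out = []
    for i, b in enumerate(blocks(data)):
        out.append(xor(b, block_encrypt(key, nonce + i.to_bytes(8, "big"))))
    return b"".join(out)


if __name__ == "__main__":
    key, iv = b"0123456789abcdef", os.urandom(BLOCK)  # constructed key, random IV
    ecb = ecb_encrypt(key, b"A" * 32)
    print("ECB repeats:", ecb[:16] == ecb[16:32])
    print("CBC length for 21 bytes:", len(cbc_encrypt(key, iv, b"x" * 21)))
    print("CFB length for 21 bytes:", len(cfb_encrypt(key, iv, b"x" * 21)))
    print("pad of 9 bytes:", pkcs7_pad(b"x" * 9).hex())
```

The parallelism remarks in the slides can be read off the loops: cbc_encrypt and cfb_encrypt feed each ciphertext block into the next step, cbc_decrypt and ctr_crypt touch each block independently.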
Initialization Vector (IV) and Common Mistakes
• Initialization vectors have the following requirements:
• IV does not need to be secret: it is stored or transmitted in plaintext along with the ciphertext
• IV should not repeat under the same key (uniqueness)
• IV should not be predictable (for CBC, an attacker who can predict the next IV can mount a chosen-plaintext attack; see the experiment below)
Experiment - IV should not be predictable
• Eve calculates the next IV
Experiment - IV should not be predictable
• Eve guesses that Bob voted for John Smith, so she creates P1_guessed and XOR it with IV_bob and
IV_next, and finally constructs the name for a write-in candidate.
Experiment - IV should not be predictable
• Eve gives her write-in candidate’s name (stored in P2) to the voting
machine, which encrypts the name using IV_next as the IV. The result
is stored in C2.
• If C1 (Bob’s encrypted vote) == C2, then Eve knows for sure that Bob
has voted for “John Smith”.
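The voting-machine experiment above, worked as an added example (not the slides' code). The attack uses only the forward direction of the block cipher, so HMAC-SHA256 truncated to 16 bytes stands in for AES (an assumption; with AES-CBC the XOR arithmetic is identical). The machine, the counter-based IV and the candidate names are constructed. The same machine can be switched to random IVs to show why the attack then fails.

```python
import hashlib
import hmac
import os


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_first_block(key, iv, block):
    # First CBC step: C1 = E_k(P1 XOR IV).  Only the forward direction of the block
    # cipher is needed here, so HMAC-SHA256 truncated to 16 bytes stands in for AES
    # (assumption for this example); with AES-CBC the arithmetic is identical.
    return hmac.new(key, xor(block, iv), hashlib.sha256).digest()[:16]


class VotingMachine:
    """Encrypts each 16-byte vote with CBC.  With predictable=True the IV is a
    counter (IV_next = IV + 1), the flaw the experiment exploits; with
    predictable=False every vote gets a fresh random IV."""

    def __init__(self, key, predictable=True):
        self.key = key
        self.predictable = predictable
        self.counter = int.from_bytes(os.urandom(16), "big")

    def next_iv(self):
        # What Eve computes for the *next* vote (exact only when predictable)
        return self.counter.to_bytes(16, "big")

    def cast(self, vote):
        iv = self.next_iv() if self.predictable else os.urandom(16)
        self.counter = (self.counter + 1) % 2 ** 128
        return iv, cbc_first_block(self.key, iv, vote.ljust(16, b"\x00"))


def eve_confirms_guess(machine, iv_bob, c1, guess):
    """Chosen-plaintext attack: P2 = P1_guess XOR IV_bob XOR IV_next, so the machine
    computes E_k(P2 XOR IV_next) = E_k(P1_guess XOR IV_bob), which equals C1
    exactly when the guess is right."""
    p1_guess = guess.ljust(16, b"\x00")
    iv_next = machine.next_iv()
    p2 = xor(xor(p1_guess, iv_bob), iv_next)
    _, c2 = machine.cast(p2)  # Eve's write-in vote, encrypted under IV_next
    return c2 == c1


def run_attack(bob_vote=b"John Smith", predictable=True):
    machine = VotingMachine(os.urandom(16), predictable)
    iv_bob, c1 = machine.cast(bob_vote)  # Eve observes IV_bob and C1 on the wire
    return {name: eve_confirms_guess(machine, iv_bob, c1, name)
            for name in (b"John Smith", b"Jane Doe")}


if __name__ == "__main__":
    print("predictable IV:", run_attack())
    print("random IV:     ", run_attack(predictable=False))
```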
Programming using Cryptography APIs
• We use PyCryptodome
package’s APIs.
• Line:
1. Initialize cipher
2. Encrypts first 32 bytes of data
3. Encrypts the rest of the data
4. Initialize cipher (start new
chain)
5. Encrypt the entire data
6. Initialize cipher for decryption
7. Decrypt
Programming using Cryptography APIs
• Modes that do not need padding include CFB, OFB, and CTR.
• For these modes, the data fed into the encrypt() method can have an
arbitrary length, and no padding is needed.
• Example below shows OFB encryption
Attack on ciphertext’s integrity
• Attacker makes changes to ciphertext (Line 2)

• Result: decryption runs without any error and returns corrupted plaintext; nothing in the encryption mode detects that the ciphertext was modified
Authenticated Encryption
• To protect the integrity, the sender needs to generate a Message
Authentication Code (MAC) from the ciphertext using a secret shared
by the sender and the receiver.
• The MAC and the ciphertext will be sent to the receiver, who will
compute a MAC from the received ciphertext.
• If the MAC is the same as the one received, the ciphertext is not
modified.
• Two operations are needed to achieve integrity of ciphertext: one for
encrypting data and other for generating MAC.
• Authenticated encryption combines these two separate operations
into one encryption mode, e.g. GCM, CCM, OCB
The GCM Mode
Programming using the GCM Mode
The unique part of the above code is the tag
generation and verification.
In Line 3 , we use the digest() to get the
authentication tag, which is generated from
the ciphertext.
Programming using the GCM Mode

In Line 6, after feeding the ciphertext to the cipher, we invoke verify() to verify whether the tag is still valid.
Experiment - GCM Mode
• We modify the ciphertext by changing the 10th byte to 0x00
• Decrypt the modified ciphertext and verify the tag: verify() raises ValueError ("MAC check failed"), so the tampering is detected instead of silently producing corrupted plaintext
Public Key Cryptography
Introduction
• Foundation of today’s secure communication
• Allows communicating parties to obtain a shared secret key
• Public key (for encryption) and Private key (for decryption)
• Private key (for digital signature) and Public key (to verify signature)
Brief History Lesson
• Historically same key was used for encryption and decryption
• Challenge: exchanging the secret key (e.g. face-to-face meeting)
• 1976: Whitfield Diffie and Martin Hellman
• key exchange protocol
• proposed a new public-key cryptosystem
• 1978: Ron Rivest, Adi Shamir, and Leonard Adleman (all from MIT)
• attempted to develop a cryptosystem
• created RSA algorithm
Outline
• Public-key algorithms
• Diffie-Hellman key exchange
• RSA algorithm
• Digital signature

• Public-key infrastructure
• SSL/TLS protocol
Diffie-Hellman Key Exchange
• Allows communicating parties with no prior knowledge to exchange
shared secret keys over an insecure channel
• Alice and Bob want to communicate
• Alice and Bob agree on:
• Number p: big prime number (such as a 2048-bit number)
• Generator g: a small number (such as 2 or 3)
• Alice picks a random positive integer x < p and sends Bob g^x mod p
• Bob picks a random positive integer y < p and sends Alice g^y mod p
Diffie-Hellman Key Exchange (Contd.)
• Alice computes (g^y)^x mod p and Bob computes (g^x)^y mod p; both equal g^(xy) mod p, which is the shared secret
• Eve sees p, g, g^x and g^y, but recovering x or y from them (the discrete logarithm problem) is infeasible for large p
• The basic protocol does not authenticate either party, so on its own it is open to a man-in-the-middle who runs separate exchanges with Alice and Bob
Turn DH Key Exchange into a Public-Key
Encryption Algorithm
• DH key exchange protocol allows exchange of a secret
• Protocol can be tweaked to turn into a public-key encryption
scheme
• Need:
• Public key: known to the public and used for encryption
• Private key: known only to the owner, and used for decryption
• Algorithm for encryption and decryption
Turn DH Key Exchange into a Public-Key
Encryption Algorithm (Contd.)
RSA Algorithm
We will cover:

• Modulo Operation
• Euler’s Theorem
• Extended Euclidean Algorithm
• RSA Algorithm
• Algorithm example on small and large number
Modulo Operation
• The RSA algorithm is based on modulo operations
• a mod n is the remainder after division of a by n; the second number, n, is called the modulus
• For example, (10 mod 3) equals 1 and (15 mod 5) equals 0
• Modulo operations distribute over addition and multiplication:
• (a + b) mod n = ((a mod n) + (b mod n)) mod n
• (a ∗ b) mod n = ((a mod n) ∗ (b mod n)) mod n
• so a^k mod n can be computed by reducing after every multiplication, keeping the intermediate numbers small
Euler’s Theorem
• Euler’s totient function φ(n) counts the positive integers up to a given integer n that are relatively prime to n
• φ(n) = n − 1, if n is a prime number.
• Euler’s totient function property:
• if m and n are relatively prime, φ(mn) = φ(m) ∗ φ(n)
• Euler’s theorem states:
• a^φ(n) ≡ 1 (mod n), for any a that is relatively prime to n
Euler’s Theorem (Contd.)
Example: to calculate 4^100003 mod 33
• φ(33) = φ(3) ∗ φ(11) = (3 − 1) ∗ (11 − 1) = 20
• 100003 = 5000 ∗ φ(33) + 3
• so 4^100003 = (4^20)^5000 ∗ 4^3 ≡ 1 ∗ 4^3 = 64 ≡ 31 (mod 33)
Extended Euclidean Algorithm
• Euclid’s algorithm: efficient method for computing GCD
• Extended Euclidean algorithm:
• computes GCD of integers a and b
• finds integers x and y, such that: ax + by = gcd(a, b)
• RSA uses extended Euclidean algorithm:
• e and n are components of public key
• Find solution to equation:
e ∗ x + φ(n) ∗ y = gcd(e, φ(n)) = 1
• x is private key (also referred as d)
• Equation results: e ∗ d mod φ(n) = 1
RSA Algorithm
We will cover:

• Key generation
• Encryption
• Decryption
RSA: Key Generation
• Need to generate: modulus n, public key exponent e, private key
exponent d
• Approach
• Choose p,q (large random prime numbers)
• n = pq (should be large)
• Choose e, 1 < e < φ(n) and e is relatively prime to φ(n)
• Find d, ed mod φ(n) = 1
• Result
• (e,n) is public key
• d is private key
RSA: Encryption and Decryption
• Encryption
• treat the plaintext as a number
• assuming M < n
• C = Me mod n
• Decryption
• M = Cd mod n
RSA Exercise: Small Numbers
• Choose two prime numbers p = 13 and q = 17
• Find e:
• n = pq = 221
• φ(n) = (p − 1)(q − 1) = 192
• choose e = 7 (7 is relatively prime to φ(n))
• Find d:
• ed = 1 mod φ(n)
• Solving the above equation is equivalent to: 7d + 192y = 1
• Using extended Euclidean algorithm, we get d = 55 and y = −2
RSA Exercise: Small Numbers (Contd.)
Encrypt M = 36

Ciphertext C = 36^7 mod 221 = 179

Decrypt: 179^55 mod 221 = 36, which recovers M
RSA Exercise: Small Numbers (Contd.)
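Added example (not the slides' code): the extended Euclidean algorithm, Euler's theorem and textbook RSA key generation, encryption and decryption in plain Python, run on the slides' own numbers (p = 13, q = 17, e = 7, M = 36, and 4^100003 mod 33). The functions take any primes and exponent, so the same code generalises beyond the small exercise.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(a, n):
    """a^-1 mod n from egcd (x may come out negative, so reduce it mod n)."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n


def euler_pow(a, k, n, phi_n):
    """a^k mod n via Euler: if gcd(a, n) = 1 then a^phi(n) = 1 (mod n), so k reduces mod phi(n)."""
    if egcd(a, n)[0] != 1:
        raise ValueError("Euler's theorem needs gcd(a, n) = 1")
    return pow(a, k % phi_n, n)


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two primes p, q and a public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if egcd(e, phi)[0] != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = modinv(e, phi)  # e*d = 1 mod phi(n)
    return (e, n), (d, n)  # public key, private key


def rsa_encrypt(public, m):
    e, n = public
    assert 0 <= m < n, "textbook RSA requires M < n"
    return pow(m, e, n)  # C = M^e mod n


def rsa_decrypt(private, c):
    d, n = private
    return pow(c, d, n)  # M = C^d mod n


def slide_example():
    """The slides' numbers: p = 13, q = 17, e = 7, M = 36."""
    public, private = rsa_keygen(13, 17, 7)
    c = rsa_encrypt(public, 36)
    return {"n": public[1], "d": private[0], "C": c,
            "M_back": rsa_decrypt(private, c),
            "euler": euler_pow(4, 100003, 33, 20)}


if __name__ == "__main__":
    print(egcd(7, 192))     # (1, 55, -2): 7*55 + 192*(-2) = 1, so d = 55
    print(slide_example())  # n=221, d=55, C=179, M_back=36, euler=31
```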
Hybrid Encryption
• High computation cost of public-key encryption
• Public key algorithms used to exchange a secret session key
• Key (content-encryption key) used to encrypt data using a
symmetric-key algorithm
Using OpenSSL Tools to Conduct RSA
Operations
We will cover:

• Generating RSA keys


• Extracting the public key
• Encryption and Decryption
OpenSSL Tools: Generating RSA keys
Example: generate a 1024-bit public/private key pair
• openssl genrsa -aes128 -out private.pem 1024
• -aes128 encrypts the key file with AES-128 under a passphrase that openssl prompts for
• private.pem: PEM format, i.e. the Base64 encoding of the DER binary output between BEGIN/END header lines
• 1024-bit RSA keys are considered too weak today; use 2048 bits or more for anything beyond a lab exercise
OpenSSL Tools: Generating RSA keys (Contd.)
Actual content of private.pem
OpenSSL Tools: Extracting Public Key
• openssl rsa -in private.pem -pubout > public.pem
• Content of public.pem:
OpenSSL Tools: Encryption and Decryption
• Plain Text

• Encryption

• Decryption
Paddings for RSA
• Secret-key encryption uses encryption modes to encrypt plaintext
longer than block size.
• RSA used in hybrid approach (Content key length << RSA key length)
• To encrypt:
• short plaintext: treat it as a number, raise it to the power of e (modulo n)
• large plaintext: use hybrid approach (treat the content key as a number and
raise it to the power of e (modulo n)
• Treating plaintext as a number and directly applying RSA is called
plain RSA or textbook RSA
Attacks Against Textbook RSA
• RSA is deterministic encryption algorithm
• same plaintext encrypted using same public key gives same ciphertext
• secret-key encryption uses randomized IV to have different ciphertext for
same plaintext
• For small e and m
• if me < modulus n
• e-th root of ciphertext gives plaintext
• If same plaintext is encrypted e times or more using the same e but
different n, then it is easy to decrypt the original plaintext message
via the Chinese remainder theorem
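The two attacks on textbook RSA listed above, worked as an added example (not the slides' code). The keys are constructed from small primes so the numbers stay readable; the attacks themselves do not depend on key size, only on m^e not wrapping around the modulus (single key) or the product of the moduli (broadcast). Python's pow(a, -1, n) supplies the modular inverse needed by the Chinese remainder theorem.

```python
def iroot(k, n):
    """Integer k-th root: returns (r, exact) with r = ceil(n^(1/k)) and exact iff r**k == n."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < n:
            lo = mid + 1
        else:
            hi = mid
    return lo, lo ** k == n


def small_message_attack(c, e):
    """Textbook RSA with small e and small m: if m^e < n the modular reduction never
    happens, so c = m^e over the integers and an integer e-th root recovers m."""
    m, exact = iroot(e, c)
    return m if exact else None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    total = 1
    for n in moduli:
        total *= n
    x = 0
    for r, n in zip(residues, moduli):
        partial = total // n
        x += r * partial * pow(partial, -1, n)  # pow(a, -1, n): modular inverse
    return x % total


def hastad_broadcast_attack(ciphertexts, moduli, e=3):
    """The same m encrypted under e different public keys (n_1, e) ... (n_e, e):
    CRT gives m^e mod n_1*...*n_e, and since m < every n_i, m^e < the product,
    so the integer e-th root is exact again."""
    m, exact = iroot(e, crt(ciphertexts, moduli))
    return m if exact else None


def small_primes(start, count, e=3):
    """Constructed key material: primes p with gcd(e, p-1) = 1 so e is a valid exponent."""
    out, n = [], start
    while len(out) < count:
        if (n - 1) % e and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            out.append(n)
        n += 1
    return out


def three_moduli():
    """Three RSA moduli of about 2^20 each from constructed small primes; e = 3 for all."""
    p = small_primes(1000, 6)
    return [p[0] * p[1], p[2] * p[3], p[4] * p[5]]


if __name__ == "__main__":
    n1, n2, n3 = three_moduli()
    print(small_message_attack(pow(42, 3, n1), 3))     # 42: 42^3 is below n1, no wrap
    print(small_message_attack(pow(4242, 3, n1), 3))   # None: 4242^3 wraps around n1
    cts = [pow(4242, 3, n) for n in (n1, n2, n3)]       # same m, three recipients
    print(hastad_broadcast_attack(cts, [n1, n2, n3]))   # 4242
```

Both attacks work because textbook RSA is deterministic and adds no randomness; the padding schemes on the next slides close them by making m^e always exceed n and by making every encryption of the same message different.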
Paddings: PKCS#1 v1.5 and OAEP
• Simple fix to defend against previous attacks is to add randomness
to the plaintext before encryption
• Approach is called padding
• Types of padding:
• PKCS#1 v1.5 padding: a practical chosen-ciphertext attack (Bleichenbacher) has been known since 1998
• Optimal Asymmetric Encryption Padding (OAEP): prevents the attacks on PKCS#1 v1.5 padding

• rsautl command provides options for both types of padding (PKCS#1 v1.5 is the default; -oaep selects OAEP). In OpenSSL 3.x rsautl is deprecated in favour of pkeyutl, which takes the same choice of padding.
PKCS Padding
• Plaintext is padded to the length of the modulus (128 bytes for a 1024-bit key)
• Original plaintext is placed at the end of the block
• The bytes between the two-byte header and the plaintext are random non-zero bytes, followed by a single 00 byte that marks where the plaintext starts
• First byte of the padding is always 00 (so that the padded plaintext, as an integer, is less than the modulus n)
• Second byte is the block type: 00 or 01 for private-key (signature) operations, 02 for public-key encryption (different padding strings are used for the different types)
PKCS Padding (Contd.)
OAEP Padding
• Original plaintext is not directly copied into the encryption block
• Plaintext is XORed with a value derived from random padding data
Digital Signature
• Goal: provide an authenticity proof by signing digital documents
• Diffie-Hellman authors proposed the idea, but no concrete solution
• RSA authors developed the first digital signature algorithm
Digital Signature using RSA
• Applying the private-key operation to m gives a number s; anyone can recover m from s using the public key, which proves that s was produced by the holder of the private key
• For a message m that needs to be signed:
Digital signature = m^d mod n
• In practice, message may be long resulting in long signature and
more computing time
• Instead, we generate a cryptographic hash value from the original
message, and only sign the hash
Digital Signature using RSA (Contd.)
Generate message hash
Digital Signature using RSA (Contd.)
Generate and verify the signature
Attack Experiment on Digital Signature
• Attackers cannot generate a valid signature from a modified
message because they do not know the private key
• If an attacker modifies the message, its hash will change and will not match the hash produced by the signature verification
• Experiment: modify 1 bit of signature file msg.sig and verify the
signature
Attack Experiment on Digital Signature
(Contd.)
After applying the RSA public key on the signature, we get a block of
data that is significantly different
Programming using Public-Key Cryptography
APIs
• Languages, such as Python, Java, and C/C++, have well-developed
libraries that implement the low-level cryptographic primitives for
public-key operations
• Python:
• no built-in cryptographic library
• use Python packages (e.g. PyCryptodome)
• We will cover:
• Key Generation
• Encryption and Decryption
• Digital Signature
Public-Key Cryptography APIs:
Key Generation
• Python example (next slide) using Python Crypto APIs to generate a
RSA key and save it to a file
• Lines in code:
• Line (1): generate a 2048-bit RSA key
• Line (2): the export_key() API serializes the key using the ASN.1 structure (PEM output by default)
• Line (3): extract public-key component
Public-Key Cryptography APIs:
Key Generation (Contd.)
Public-Key Cryptography APIs: Encryption
• To encrypt a message using public keys, we need to decide what
padding scheme
• For better security, it is recommended that OAEP is used
• Lines in code (example on next slide):
• Line (1): import the public key from the public-key file
• Line (2): create a cipher object using the public key
Public-Key Cryptography APIs: Encryption
(Contd.)
Public-Key Cryptography APIs: Decryption
Uses the private key and the decrypt() API
Public-Key Cryptography APIs: Digital
Signature
• In Python code, one can use the PyCryptodome library’s Crypto.Signature package
• Four supported digital signature algorithms:
• RSASSA-PKCS1-v1_5
• RSASSA-PSS
• DSA
• ECDSA
• Show example with RSASSA-PSS
Public-Key Cryptography APIs: Digital
Signature using PSS
• Probabilistic Signature Scheme (PSS) is a cryptographic signature
scheme designed by Mihir Bellare and Phillip Rogaway
• RSA-PSS is standardized as part of PKCS#1 v2.1
• Sign a message in combination with some random input.
• For same input:
• two signatures are different
• both can be used to verify
Public-Key Cryptography APIs: Digital
Signature using PSS (Contd.)
• Lines in code example:
• line (1): create a signature object
• line (2): generate the signature for the hash of a message
Applications
We will cover:

• Authentication
• HTTPS and TLS/SSL
• Chip Technology Used in Credit Cards
Applications: Authentication
• Typical way to conduct authentication is to use passwords
• Disadvantage:
• A sends password to B: B can get hacked and A may use same password for
multiple accounts
• cannot be used for many parties to authenticate a single party

• Fundamental problem: password authentication depends on a


shared secret
Applications: Authentication (Contd.)
Solution:
• Making the encryption and decryption keys different
• generate the authentication data using one key, and verify the data using a
different key
Applications: Authentication (Contd.)
SSH Case Study
• SSH uses public-key based authentication to authenticate users
• Generate a pair of public and private keys: ssh-keygen -t rsa
• private key: /home/seed/.ssh/id_rsa (stays on the client, readable only by its owner)
• public key: /home/seed/.ssh/id_rsa.pub
• For Server:
• send the public key file to the remote server using a secure channel
• add the public key to the authorization file ~/.ssh/authorized_keys
• Server can use the key to authenticate clients: it challenges the client to prove possession of the private key, and the private key never leaves the client
Applications: HTTPS and TLS/SSL
• HTTPS protocol is used to secure web services
• HTTPS is based on the TLS/SSL protocol (uses both public-key encryption and signatures)
• bulk data is encrypted using secret-key encryption algorithms
• public-key algorithms are mainly used for key exchange and for authenticating the server via its certificate
Applications: HTTPS and TLS/SSL (Contd.)
Applications: Credit Card Chip
• Past: cards store card information in magnetic stripe (easy to clone)
• With Chip:
• chips can conduct computations and store data (not disclosed to outside)
• EMV standard (Europay, MasterCard, and Visa)
• We will cover how public key technologies are used for:
• Card authentication
• Transaction authentication
Applications: Credit Card Chip Authentication
• Card contains a unique public and private key pair
• Private key is protected and will never be disclosed to the outside
• Public key is digitally signed by the issuer, so its authenticity can be verified
by readers
Applications: Credit Card Transaction
Authentication
• Issuer needs to know whether the transaction is authentic
• Transaction needs to be signed by the card using its private key
• Verified Signature:
• To issuers: card owner has approved the transaction
• To honest vendor: enables the vendor to save the transactions and submit
them later
Summary
We covered:
• the basics of public key cryptography
• both theoretical and practical sides of public key cryptography
• RSA algorithm and the Diffie-Hellman Key Exchange
• tools and programming libraries to conduct public-key operations
• how public key is used in real-world applications
One-Way Hash Functions
Overview of One-way Hash Functions
• Essential building block in cryptography
• One-way and collision resistant properties
• Usage example:
• Password authentication
• Integrity preservation
• Blockchain
• Possible Attacks:
• Length extension attack
• Collision attack
Properties of One-way Hash Function
• Difference from Hash Function
• Hash function: maps arbitrary size data to data of fixed size
• Example: f(x) = x mod 1000
• One-way Hash Properties:
• One-way: hash(m) = h, difficult to find m
• Collision resistant: Difficult to find m1 and m2 s.t. hash(m1) = hash(m2)
• Common One-way Hash Functions:
• MD series
• SHA series
MD One-Way Hash Functions
• MD stands for Message Digest
• Developed by Ron Rivest
• Includes MD2, MD4, MD5,and MD6
• Status of Algorithms:
• MD2, MD4 - severely broken (obsolete)
• MD5 - collision resistance property broken, one-way property not broken
• MD6 - submitted to the NIST SHA-3 competition in 2008; it did not advance past the first round
SHA
• Published by NIST
• Includes SHA-0, SHA-1, SHA-2, and SHA-3
• Status of Algorithms:
• SHA-0: withdrawn due to flaw
• SHA-1: Designed by NSA; Collision attack found in 2017
• SHA-2: Designed by NSA; Includes SHA-256 and SHA-512; Other truncated
versions; No significant attack found yet
• SHA-3: Released in 2015; Has different construction structure (compared to
SHA-1 and SHA-2)
How One-Way Hash Algorithm Works
• Construction method called Merkle–Damgard (Figure)
• Used by algorithms like MD5, SHA-1, and SHA-2
One-Way Hash Commands
Linux utility programs
• Example: md5sum, sha224sum, sha256sum, sha384sum and
sha512sum
One-Way Hash Commands (Contd.)
Using openssl command to calculate hash
Computing One-Way Hash in Programs
• Different languages including C/C++, Python, SQL, PHP provide
support
• Language specific:
• MySQL - SHA2 function
• Python - Use hashlib package
• C - Use functions from openssl/sha.h header
Applications of One-Way Hash Functions
We will cover:
• Integrity Verification
• Committing a Secret Without Telling It
• Password Verification
• Trusted Timestamping
Integrity Verification
• Changing one bit of the original data changes hash value

• Usage examples:
• Detect change in system files
• Detect if file downloaded from website is corrupted
Committing a Secret Without Telling It
• One-way property
• Disclosing the hash does not disclose the original message
• Useful to commit secret without disclosing the secret itself
• Usage Example - Stock Market
• Need to make prediction about the stock market about a certain day
• Publish the hash of the secret on your website
• On the particular day, release the secret
• Your audience can verify it against the hash
Password Verification
• To login into account, user needs to tell a secret (password)
• Cannot store the secrets in their plaintext
• Need for:
• Password storage where nobody can know what the password is
• If provided with a password, it verified against the stored password
• Solution: one-way hash function
• Example: Linux stores passwords in the /etc/shadow file
Case Study: Linux Shadow File
• Password field has 3 parts separated by $: algorithm id, salt, password hash (e.g. $6$salt$hash for the SHA-512 based crypt)
• Salt and password hash are encoded into printable characters
• Multiple rounds of the hash function are applied (to slow down brute-force attacks)
Purpose of Salt
• Using salt, same input can result in different hashes
• Password hash = one-way hash rounds (password || random string)
• Random string is the salt
Attacks Prevented by Salt
• Dictionary Attack
• Put candidate words in a dictionary
• Try each against the targeted password hash to find a match
• Rainbow Table Attack
• Precomputed table for reversing cryptographic hash functions
• Why Salt Prevents them ?
• If target password is same as precomputed data, the hash will be the same
• If this property does not hold, all the precomputed data are useless
• Salt destroys that property
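Added example (not from the slides) for the password-verification and salt slides above: a shadow-style record with a random salt and an iteration count, constant-time verification, and the dictionary attack run once against unsalted hashes (a precomputed table suffices) and once against a salted record (every candidate must be re-hashed for that record). The record format and the use of PBKDF2-SHA256 are this example's choices, not glibc's sha512crypt; the wordlist is constructed.

```python
import base64
import hashlib
import hmac
import os

ROUNDS = 50_000  # iteration count: slows each guess for the attacker as much as for us


def make_record(password, salt=None, rounds=ROUNDS):
    """Build a shadow-style record "$pbkdf2-sha256$rounds$salt$hash".
    The field layout mirrors /etc/shadow ($id$salt$hash); the algorithm id and the
    use of PBKDF2 are this example's choice, not glibc's sha512crypt."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$pbkdf2-sha256${rounds}${b64(salt)}${b64(digest)}"


def verify_password(password, record):
    """Re-derive the hash with the stored salt and rounds; compare in constant time."""
    _, _alg, rounds, salt_b64, hash_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


# --- Why the salt matters: a precomputed table against unsalted hashes ---
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed dictionary


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).digest()


def build_table(words=WORDLIST):
    """Precompute hash -> password once; reusable against every unsalted hash seen later."""
    return {unsalted_hash(w): w for w in words}


def attack_unsalted(stored_hash, table):
    return table.get(stored_hash)  # one dictionary lookup per victim


def attack_salted(record, words=WORDLIST):
    """With a salt no table helps: every candidate must be re-hashed for this one
    record, paying the full `rounds` cost per guess."""
    for w in words:
        if verify_password(w, record):
            return w
    return None


if __name__ == "__main__":
    rec = make_record("letmein")
    print(rec)
    print(verify_password("letmein", rec), verify_password("letmeout", rec))
    print(attack_unsalted(unsalted_hash("letmein"), build_table()))
    print(attack_salted(rec))
```

The salted attack still succeeds for a password that is in the wordlist; what the salt removes is the ability to amortise the work across users, and the iteration count sets the price of each guess.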
Trusted Timestamping
• Need: How to prove that a document existed prior to certain date ?
• Timestamping Approaches:
• Approach # 1: Publish one-way hash (instead of document) in a newspaper
or a magazine
• Approach # 2: Time Stamping Authority (TSA) can sign the document hash
using private key
• Approach # 3:
• Use Blockchain i.e. a growing list of record (blocks)
• Publish document hash in a block
• Blockchain depends on one-way hash
Message Authentication Code (MAC)
• Network communication can encounter MITM attacks
• MITM can intercept and modify data
• Receiver needs to verify integrity of data
• Attach tag to data
• Using one-way hash as tag won’t work because MITM can recompute hash
• Use a shared secret (key) between sender and receiver in the hash
• MITM cannot compute hash without secret key
Length Extension Attack on MAC
• Key and message need to be mixed properly before computing the hash
• Simple concatenation, MAC = H(K || M), does not work for Merkle–Damgård hashes: an attacker who knows M and its MAC can resume the hash computation from the MAC and obtain a valid MAC for M || padding || extra without knowing K
Keyed-Hash MAC (HMAC)
• Uses hash function H (compression function block size B) and a secret key K
• ipad = 0x36 (B times), opad = 0x5c (B times)
• HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M)); keys longer than B bytes are first hashed, shorter keys are zero-padded to B bytes
• Can be used with any one-way hash function; the outer hash hides the inner state, which defeats length extension
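Added example (not the slides' code) for the two slides above: the length extension attack on MAC = H(K || M) and the HMAC construction that resists it. Because hashlib does not expose the internal state, the block implements SHA-256 from the specification (the round constants are derived from the cube and square roots of the first primes rather than typed in), so the attacker can restart the hash from a known digest. The key and messages are constructed; the attacker is assumed to know only the MAC, the message and the key length.

```python
import hashlib
import hmac
import struct


# --- SHA-256 from the specification, so that the internal state is accessible ---
def _primes(count):
    out, c = [], 2
    while len(out) < count:
        if all(c % p for p in out):
            out.append(c)
        c += 1
    return out


def _frac_root(p, k):
    """First 32 fractional bits of the k-th root of p, computed exactly with integers."""
    n = p << (32 * k)                  # k-th root of n = (k-th root of p) * 2^32
    x = int(round(n ** (1.0 / k)))
    while x ** k > n:
        x -= 1
    while (x + 1) ** k <= n:
        x += 1
    return x & 0xFFFFFFFF


_P = _primes(64)
H0 = [_frac_root(p, 2) for p in _P[:8]]  # initial state: sqrt of the first 8 primes
K = [_frac_root(p, 3) for p in _P]       # round constants: cbrt of the first 64 primes
MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One Merkle-Damgard step: mix a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def md_padding(total_len):
    """Padding for a message of total_len bytes: 0x80, zeros, then the 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(msg, state=None, prior_len=0):
    """SHA-256 of msg.  `state` and `prior_len` resume from a known digest as if
    prior_len bytes had already been absorbed, which is what length extension needs."""
    state = list(state or H0)
    data = msg + md_padding(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = _compress(state, data[i:i + 64])
    return struct.pack(">8L", *state)


def reference_sha256(msg):
    return hashlib.sha256(msg).digest()


def reference_hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


# --- The insecure MAC and the attack on it ---
def naive_mac(key, msg):
    return sha256(key + msg)  # H(K || M): the digest *is* the state after K||M||padding


def length_extension(mac, msg, key_len, suffix):
    """Forge naive_mac(key, msg || glue || suffix) knowing only mac, msg and len(key)."""
    glue = md_padding(key_len + len(msg))      # the padding the real hash inserted
    state = struct.unpack(">8L", mac)          # restart the hash from the digest
    absorbed = key_len + len(msg) + len(glue)  # bytes the real hash has already seen
    return msg + glue + suffix, sha256(suffix, state=state, prior_len=absorbed)


# --- HMAC: H((K xor opad) || H((K xor ipad) || M)), B = 64 for SHA-256 ---
def my_hmac(key, msg):
    if len(key) > 64:
        key = sha256(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha256(opad + sha256(ipad + msg))  # the outer hash hides the inner state


if __name__ == "__main__":
    key, msg = b"s3cret-key", b"amount=10&to=bob"  # constructed; key unknown to the attacker
    forged_msg, forged_mac = length_extension(naive_mac(key, msg), msg, len(key), b"&to=eve")
    print("forgery accepted:", naive_mac(key, forged_msg) == forged_mac)
    print("hmac matches hashlib:", my_hmac(key, msg) == reference_hmac(key, msg))
```

The forged message contains the glue padding bytes in the middle; whether a real system tolerates them depends on its parser, which is why this attack is most often practical against formats that ignore unknown or binary fields.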
Blockchain and Bitcoins
• Continuously growing list of records, called blocks
• Maintained by nodes in a peer-to-peer network, each holding a copy of the ledger
• Accepted ledger block is difficult to modify because it requires
alteration of all subsequent blocks
• Popular application is Bitcoin
• We will cover:
• Hash Chain and Blockchain
• Make Chaining Difficult
• Adding Incentives and Bitcoin
Hash Chain
• Successive application of a one-way hash function to a piece of data
• If a block gets modified, it will fall off from the chain, and will not be
considered as part of the chain
• If original data is changed, then the entire chain needs to be
regenerated
Blockchain
• Similar to hash chain, but has additional information in each block
• Bitcoin example: information about bitcoin transactions in blocks
• Create Chain: Hash value of a block is inside the next block
• If one block is modified:
• All the chains after this block are broken
• Require need to re-chain all the subsequent blocks
Blockchain: Make Chaining Difficult
• Nonce is added to each block
• Block hash must satisfy a requirement (e.g. 20 leading zero bits), so finding a valid nonce takes many hash attempts (proof of work)
• Since computation power will increase over time, number of leading
zeros is intentionally increased over time
Blockchain Incentives and Bitcoin
• Provide bitcoins to anyone who can find nonce to chain blocks
• Companies / individuals who search for the nonce are “miners”
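Added example (not from the slides) for the hash chain, blockchain and proof-of-work slides: a minimal chain where each block carries the previous block's hash and a nonce that makes its own hash start with a required number of zero bits. Modifying one transaction breaks the link to the next block, and repairing it means re-mining that block and every later one. The records and the small difficulty are constructed.

```python
import hashlib
import json

DIFFICULTY = 12  # required leading zero bits; small so the example mines in a fraction of a second


def block_hash(block):
    """Hash every field, so a change to the data, the nonce or the link changes the hash."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def leading_zero_bits(hexdigest):
    return 256 - int(hexdigest, 16).bit_length()


def mine(prev_hash, data, difficulty=DIFFICULTY):
    """Proof of work: try nonces until the block hash has enough leading zero bits.
    The expected cost is about 2**difficulty hash computations."""
    block = {"prev": prev_hash, "data": data, "nonce": 0}
    while leading_zero_bits(block_hash(block)) < difficulty:
        block["nonce"] += 1
    return block


def build_chain(records, difficulty=DIFFICULTY):
    chain, prev = [], "0" * 64  # genesis link
    for record in records:
        block = mine(prev, record, difficulty)
        chain.append(block)
        prev = block_hash(block)  # each block carries the previous block's hash
    return chain


def verify_chain(chain, difficulty=DIFFICULTY):
    """Valid iff every block links to its predecessor's hash and meets the difficulty."""
    prev = "0" * 64
    for block in chain:
        h = block_hash(block)
        if block["prev"] != prev or leading_zero_bits(h) < difficulty:
            return False
        prev = h
    return True


def tamper_demo(difficulty=DIFFICULTY):
    """Rewrite one transaction: that block's hash changes, so the next block's link
    breaks; fixing it requires re-mining the block and every block after it."""
    chain = build_chain(["alice->bob:5", "bob->carol:2", "carol->dave:1"], difficulty)
    before = verify_chain(chain, difficulty)
    chain[1]["data"] = "bob->carol:200"  # constructed tampering
    after = verify_chain(chain, difficulty)
    return before, after


if __name__ == "__main__":
    print(tamper_demo())  # (True, False)
```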
Hash Collision Attacks
• Popular one-way hash functions have trouble maintaining the
collision-resistance property
• We will cover:
• Security Impact of Collision Attacks
• Generating Two Different Files with the Same MD5 Hash
• Generating Two Programs with the Same MD5 Hash
Security Impact of Collision Attacks
• Forging public-key certificates
• Assume two certificate requests for www.example.com and
www.attacker.com have same hash due to collision
• CA signing of either request would be equivalent
• Attacker can get certificate signed for www.example.com without owning it
• Integrity of Programs
• Ask CA to sign a legitimate program’s hash
• Attacker creates a malicious program with same hash
• The certificate for legitimate program is also valid for malicious version
• Whether these are practical depends on the hash: with MD5 they are not theoretical, a chosen-prefix collision was used in 2008 to obtain a rogue CA certificate from a commercial CA; for SHA-256 no collision attack is known
Generating Two Different Files with the Same
MD5 Hash
• md5collgen tool generates two files with same prefix
Length Extension
• Generate two files with the same prefix and the same suffix
• Focus on MD5, SHA-1, SHA-2, which use the Merkle–Damgård construction
• If M and N have the same length and reach the same internal hash state (as md5collgen’s outputs do: they end on a block boundary with equal MD5 values), then for any input T, Hash(M || T) = Hash(N || T), because T is processed from an identical state
Length Extension (Contd.)
Example using out1.bin and out2.bin generated by md5collgen
Generating Two Programs with the Same
MD5 Hash
Create two versions of program below with different value for xyz
Two Programs with Same Hash (Contd.)
• Program will be compiled into binary (fill xyz with fixed value)
• Portion of binary containing xyz will be divided into three parts
Two Programs with Same Hash (Contd.)
• Use md5collgen on prefix:
• generate two files with same hash
• last 128 bytes of each generated file are P and Q (the two colliding blocks)
• MD5 (prefix || P) = MD5 (prefix || Q)
• MD5 (prefix || P || suffix) = MD5 (prefix || Q || suffix)
Two Programs with Same Hash (Contd.)
Summary
• One-way hash function is an essential building block in cryptography
• Important Properties: One-way and Collision resistant
• Applications
• Password authentication
• Trusted Timestamping
• Blockchain and Bitcoin
• MAC used to preserve integrity of communication
• One-way hashes built on Merkle–Damgård are subject to length extension attacks (which HMAC avoids); MD5 and SHA-1 are subject to practical collision attacks
