Birthday Attacks
Suppose
that a 64-bit hash code is used. One might think that this is quite secure. For
example, if an encrypted hash code C is transmitted with the corresponding
unencrypted message M, then an opponent would need to find an M' such that
H(M') = H(M) to substitute another message and fool the receiver.
On
average, the opponent would have to try about 263 messages to find
one that matches the hash code of the intercepted message. However, a different
sort of attack is possible, based on the
birthday paradox The source, A, is prepared to "sign" a message
by appending the appropriate m-bit
hash code and encrypting that hash code with A's private key.
1. The
opponent generates 2m/2 variations on the message, all of which
convey essentially the same meaning. (fraudulent message
2. The two
sets of messages are compared to find a pair of messages that produces the same
hash code. The probability of success, by the birthday paradox, is greater than
0.5. If no match is found, additional valid and fraudulent messages are
generated until a match is made.
3. The
opponent offers the valid variation to A for signature. This signature can then
be attached to the fraudulent variation for transmission to the intended
recipient. Because the two variations have the same hash code, they will
produce the same signature; the opponent is assured of success even though the
encryption key is not known.
Thus, if
a 64-bit hash code is used, the level of effort required is only on the order
of 232 .
Block Chaining Techniques
Divide a
message M into fixed-size blocks M1,M2,..., MN
and use a symmetric encryption system such as DES to compute the hash code G as
follows:
Ho =
initial value
Hi = EMi
[Hi-1 ]
G = HN
This is
similar to the CBC technique, but in this case there is no secret key. As with
any hash code, this scheme is subject to the birthday attack, and if the
encryption algorithm is DES and only a 64-bit hash code is produced, then the
system is vulnerable.
Furthermore,
another version of the birthday attack can be used even if the opponent has
access to only one message and its valid signature and cannot obtain multiple
signings.
Here is
the scenario; we assume that the opponent intercepts a message with a signature
in the form of an encrypted hash code and that the unencrypted hash code is m
bits long:
1.
Use the algorithm defined at the beginning of this
subsection to calculate the unencrypted hash code G.
2.
Construct any desired message in the form Q1,
Q2,..., QN2.
3.
Compute for Hi = EQi [Hi-1
]for 1 ≤i ≤(N-2).
4.
Generate 2m/2 random blocks; for each
block X, compute EX[HN-2.] Generate an additional 2m/2
random blocks; for each block Y, compute DY[G], where D is the
decryption function corresponding to E.
5.
Based on the birthday paradox, with high
probability there will be an X and Y such that EX [HN-2 ]
= DY[ G].
6.
Form the message Q1, Q2,...,
QN-2, X, Y. This message has the hash code G and therefore can be
used with the intercepted encrypted signature.
This form
of attack is known as a meet-in-the-middle attack.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.