bachelor

Recommendations

Info

28 Attacks on Rejsekortet and cumbersome to search in. Having more than one table also makes it easier to distribute the calculations needed to mount the attack properly. Hellman tables are prone to a very serious flaw, however. A property of hash functions is that they are collision resistant, however this does not hold for reduction functions, meaning they can give the same reduction value for two different hashes. If two hash chains in the table have the same value at any point, the two chains will merge, see Figure 3.3. This will result in two chains more likely than not cover much of the same area of the plaintext space. rejsekort H f74eed6e R ewaisnshw H 491b2cb4 R irundian movia H 93f03506 R ewaisnshw H 491b2cb4 R irundian Figure 3.3: Two hash chains merging. For the sake of clarity the one-way function and reduction functions have different boxes in this figure. The colliding parts are highlighted in red. To make up for this, Ronald Rivest proposed in 1982 that chains in Hellman tables end in a distinguished point. There could be many definitions for the point, but they have to have some property not happening too often, for example the first n bits of the value of the ending point be zero, like on 3.2. This is done to reduce the probability of chains merging; if two chains end in the same distinguished point, they will have merged for some period of the chain length. Either of the chains will be thrown out, and a new chain will be calculated in its stead. Not only can Hellman tables merge, they can also create a cycle. This happens when a reduction function reduces a hash to a value already in the same chain. This leads to the chain cycling and never reaching a distinguished point. To detect this one could look at how long the chains would be on average, and determine if the current chain is too far from this average to be realistic. The chains tend to get so long that it would be unfeasible to keep them in memory while they are being calculated to accurately determine if there is a cycle. Therefore one must rely on the length of the chain to determine the likelihood of it containing a cycle. To search for some hash value h in a Hellman table with distinguished points, one first reduces h with the reduction function: h′ = R(h). If h′ constitutes a distinguished point, the table is checked for any chains ending with h′. If such a chain exists, it is rebuilt and the preimage for h is found to be the value immediately preceding h in the chain. If the reduced h is not a distinguished
3.2 Attacking the MAC 29 point, then the f function is run over and over again on h′ so as to build a chain “on top of” h′. If at any point the function outputs a distinguished point, it is checked in the same manner as before. However, if there is no match once a distinguished point has been found, h can be guaranteed not to be in the table. This is because the deterministic properties of the f; if some distinguished point is reached after h, one can be sure that for past reconstructions of the chain that, indeed, the chain would end in the same distinguished point. rejsekort H f74eed6e R ewaisnshw H 491b2cb4 R bveiytoo (continued) H 3b7b7c75 R ewaisnshw H 491b2cb4 R bveiytoo Figure 3.4: A cycle in a Hellman chain. The two hash values that produce the same reduction are highlighted in red. Finally, Hellman tables have the undesired property of causing false alarms. This phenomenon is a corollary of Helman tables’ inherent misfeature of merging. It can be explained by a chain in the table merging with the temporary chain that is being constructed when a hash value is tried. The two chains will have the same end value, but the stored chain will not contain the sought hash. Therefore one cannot be sure that a preimage can be recovered before the chain is rebuilt, unless the R(h) is a distinguished point. Applying any number of f operations to R(h) might lead to merges with some chain in the Hellman table before the preimage, leading to a false alarm. 3.2.1.2 Rainbow tables In 2003 Philippe Oechslin presented a new approach for these time-memory trade-offs that did away with some of the problems of the older algorithm [9]; he narrowed down the undesired probabilities to the reduction function—Hellman tables uses the same function for all reductions, and this causes collisions, resulting in chains merging and cycling. Oechslin proposed a new kind of tables, namely rainbow tables. Rainbow tables work like the older TMTO in the sense that they facilitate reverse lookups in hashes and other one-way functions, but they use different reduction functions for every column in the table, resulting in merges only if two plaintexts are the same and appear at the exact same element index of two chains. For long chains the proability of this happening is minuscle. To look up values in a rainbow table the attacker would take the reduce the
Page 1 and 2: Cryptanalysis of Rejsekortet Jens C
Page 3: 3 Abstract. This bachelor thesis an
Page 7: Resumé Denne bachelorafhandling er
Page 10 and 11: vi Glossary Rejsekort(et) Danish fo
Page 12 and 13: viii
Page 14 and 15: x CONTENTS 4.3 Other improvements .
Page 16 and 17: 2 On Rejsekortet Disclaimer: This r
Page 18 and 19: 4 On Rejsekortet are even capable o
Page 20 and 21: 6 On Rejsekortet 1.2.3 Mifare Mifar
Page 22 and 23: 8 On Rejsekortet 1. Reader sends a
Page 24 and 25: 10 On Rejsekortet Time of transacti
Page 26 and 27: 12 On Rejsekortet Figure 1.3: The C
Page 28 and 29: 14 On Rejsekortet 1.3.2.1 CBC-MAC C
Page 30 and 31: 16 On Rejsekortet
Page 32 and 33: 18 Security analysis and threat mod
Page 38 and 39: 24 Attacks on Rejsekortet 3.1 Rollb
Page 40 and 41: 26 Attacks on Rejsekortet 3.2 Attac
Page 44 and 45: 30 Attacks on Rejsekortet hash valu
Page 46 and 47: 32 Attacks on Rejsekortet 3.2.4 Int
Page 48 and 49: 34 Attacks on Rejsekortet 3.2.5 App
Page 50 and 51: 36 Attacks on Rejsekortet 3.2.6.2 T
Page 52 and 53: 38 Attacks on Rejsekortet Language
Page 54 and 55: 40 Attacks on Rejsekortet It is not
Page 56 and 57: 42 Attacks on Rejsekortet specifica
Page 58 and 59: 44 Attacks on Rejsekortet might pro
Page 60 and 61: 46 Attacks on Rejsekortet that the
Page 62 and 63: 48 Attacks on Rejsekortet
Page 64 and 65: 50 Improvements 4.1.1 New MAC algor
Page 66 and 67: 52 Improvements functions tend to b
Page 68 and 69: 54 Improvements
Page 70 and 71: 56 Conclusion of the pre-computatio
Page 72 and 73: 58 Related research Sector 04 - UNK
Page 74 and 75: 60 Mail correspondence enquire abou
Page 76 and 77: 62 Mail correspondence * Kodningspr
Page 78 and 79: 64 Mail correspondence Som ingeniø
Page 80: 66 BIBLIOGRAPHY [9] Philippe Oechsl

bachelor

Create successful ePaper yourself

Delete template?

Save as template?