Hashes and Message Digests Alex X. Liu & Haipeng Dai

Similar documents
Introduction to Information Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Introduction to Cryptography Lecture 4

Asymmetric Encryption

CPSC 467: Cryptography and Computer Security

Week 12: Hash Functions and MAC

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

CPSC 467: Cryptography and Computer Security

Network Security: Hashes

Cryptographic Hash Functions

Leftovers from Lecture 3

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Foundations of Network and Computer Security

Question: Total Points: Score:

Notes for Lecture 9. 1 Combining Encryption and Authentication

CPSC 467: Cryptography and Computer Security

Lecture 1. Crypto Background

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Exam Security January 19, :30 11:30

Authentication. Chapter Message Authentication

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Foundations of Network and Computer Security

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

Symmetric Crypto Systems

SPCS Cryptography Homework 13

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Breaking H 2 -MAC Using Birthday Paradox

An introduction to Hash functions

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Public-key Cryptography: Theory and Practice

Attacks on hash functions. Birthday attacks and Multicollisions

CPSC 467b: Cryptography and Computer Security

5199/IOC5063 Theory of Cryptology, 2014 Fall

RSA RSA public key cryptosystem

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

4. Hash Functions Contents. 4. Hash Functions Message Digest

HASH FUNCTIONS 1 /62

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Introduction to Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Chapter 8 Public-key Cryptography and Digital Signatures

Symmetric Crypto Systems

Foundations of Network and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 10: HMAC and Number Theory

HASH FUNCTIONS. Mihir Bellare UCSD 1

New Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen

New Attacks on the Concatenation and XOR Hash Combiners

Solution of Exercise Sheet 7

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Attacks on hash functions: Cat 5 storm or a drizzle?

One-way Hash Function Based on Neural Network

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

ECS 189A Final Cryptography Spring 2011

DTTF/NB479: Dszquphsbqiz Day 26

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

DTTF/NB479: Dszquphsbqiz Day 27

Introduction to Cybersecurity Cryptography (Part 4)

2: Iterated Cryptographic Hash Functions

Message Authentication Codes (MACs) and Hashes

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

ASYMMETRIC ENCRYPTION

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Introduction to Modern Cryptography. Benny Chor

1 Cryptographic hash functions

SMASH - A Cryptographic Hash Function

Public Key Algorithms

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Message Authentication Codes (MACs)

CPSC 467: Cryptography and Computer Security

Lecture 10: NMAC, HMAC and Number Theory

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Public Key Cryptography

New Proofs for NMAC and HMAC: Security without Collision-Resistance

March 19: Zero-Knowledge (cont.) and Signatures

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

On the Big Gap Between p and q in DSA

Avoiding collisions Cryptographic hash functions. Table of contents

10 Public Key Cryptography : RSA

STORY of SQUARE ROOTS. and QUADRATIC RESIDUES. Part I. Public-key cryptosystems II. Other cryptosystems and cryptographic primitives

Transcription:

Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University

Integrity vs. Secrecy Integrity: attacker cannot change message without being detected Encryption: attacker cannot read message correctly without key Note: encryption does not guarantee integrity. Reason: attacker can change ciphertext arbitrarily and any ciphertext can be decrypted to get the corresponding plaintext (although possibly garbage). M network M M Alice Bob Learns M attack on secrecy Changes M attack on integrity 2

Integrity Protection VIRUS goodfile badfile BigFirm The Times hash(goodfile) User Software manufacturer wants to ensure that the executable file is received by users without modification Sends out the file to users and publishes its hash in NY Times The goal is integrity, not secrecy Idea: given goodfile and hash(goodfile), very hard to find badfile such that hash(goodfile)=hash(badfile) 3

Authentication Authenticity is identification and assurance of origin of information We ll see many specific examples in different scenarios network 4

Authentication with Shared Secrets SECRET SECRET msg, H( SECRET, msg ) Alice Bob Alice wants to ensure that nobody modifies message in transit (both integrity and authentication) Idea: given msg, very hard to compute H(SECRET, msg) without SECRET; easy with SECRET 5

Hash Functions: Main Idea Hash is also called message digest Arbitrary-length message to fixed-length digest. x message x. x bit strings of any length n-bit strings H is a lossy compression function. hash function H message digest Collisions: h(x)=h(x ) for some inputs x, x Result of hashing should look random (make this precise later) Intuition: half of digest bits are 1 ; any bit in digest is 1 half the time Cryptographic hash function needs a few properties.. y y 6

Hashes and Message Digest One-wayness: given h(x), hard to find x Also called pre-image resistance Collision resistance: hard to find x, x such that h(x)=h(x ) Also called strong collision resistance Brute-force collision search is only O(2 n/2 ), not 2 n Birthday Paradox n needs to be at least 128. Weak collision resistance: given x, hard to find x such that h(x)=h(x ) Also called second pre-image resistance Brute-force attack requires O(2 n ) time 7

One-Way Intuition: hash should be hard to invert Preimage resistance Let h(x ) = y {0,1} n for a random x Given y, it should be hard to find x such that h(x)=y How hard? Brute-force: try every possible x, see if h(x)=y SHA-1 (common hash function) has 160-bit output Assuming 2 64 trials per second, can do 2 89 trials per year Will take 2 71 years to invert SHA-1 on a random image 8

Collision Resistance (CR) Should be hard to find x, x such that h(x)=h(x ) Brute-force collision search is only O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) 9

Birthday Paradox Problem Birthday Problem: What is the minimum number of persons in a room so that the odds are better than 50% that two of them will have the same birthday? 23 persons. General Problem: Given a random variable that is an integer with uniform distribution between 1 and n and a selection of k instances (k n) of the random variable, what is the probability, P(n, k), that there is at least one duplicate? How many possibilities? n k (samples with duplicate) n(n-1) (n-k+1) (samples without duplicate) n ( n 1)... ( n k+ 1) Probability of no repetition? k n n ( n 1)... ( n k+ 1) Thus n 1 n 2 n k + 1 1 2 k 1 P( n, k) = 1 = 1... = 1 1 1... 1 k n n n n n n n Because 1-x e -x (x 0), we have What value of k is required such that P(n, k)>0.5? k ( k 1)/2n P(n, k)= 1 e > 1/2 k ( k 1)/2n e < 1/2 k( k 1)/2 n< ln2 k( k 1)/2 n> ln2 Note: for large k, k(k-1) k 2 2 k /2n> ln2 k> 2(ln2) n 1. 18 n If n=365, we get k> 1.18 365= 22.54 10

Weak Collision Resistance (WCR) Given randomly chosen x, hard to find x such that h(x)=h(x ) Attacker must find collision for a specific x. By contrast, to break collision resistance, it is enough to find any collision. Brute-force attack requires O(2 n ) time 11

One-Way vs. Strong/Weak Collision Resistance One-wayness does not imply collision resistance (neither strong nor weak). Suppose g is one-way Define h(x) as g(x ) where x is x except the last bit i.e., x =x with last bit chopped off, define h(x) as g(x ). h is one-way (to invert h, must invert g) Collisions for h are easy to find: for any x, h(x0)=h(x1) Both strong and weak collisions are easy to find. Collision resistance does not imply one-wayness. Suppose g is collision-resistant Define h(x) = 0 x 1 g(x) if x is n-bit long otherwise Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g h is not one way: half of all y s (those whose first bit is 0) are easy to invert (how?). Random y is invertible with probability 1/2 12

CR vs. WCR (1/5) Collision resistance implies weak collision resistance. Proof: Given h; h is collision resistant. Suppose h is not weak collision resistant. Given x, we can find x such that h(x) = h(x ). So h is not collision resistant because we found a pair x and x where h(x) = h(x ). This is contradictory to our assumption. 13

CR vs. WCR (2/5) Weak collision resistance does not imply collision resistance. Proof: It is sufficient to construct a function, which is weak collision resistant and not collision resistant. Let g be one way and collision resistant function. Let g (i) (x) denote the result of applying g to x for i times. For example g (3) (x) = g(g(g(x))) Define hash function h to work on a pair of values x, y. h(x, y) = ( g (i) (x), g (j) (y), i + j ) Here i 0 is the least value to make g (i) (x) end with 4 zeroes. If x {0, 1} n and x ends with 4 zeroes, then i = 0. Similary j 0 is the least value to make g (j) (y) end with 4 zeroes. If y {0, 1} n and y ends with 4 zeroes, then j = 0. We fix an upper bound, say 100, on these values, just to handle the case that this iteration would otherwise loop forever. 14

h(x, y) is weak collision resistant. CR vs. WCR (3/5) Given x 1, y 1, and h(x 1, y 1 ) = ( g (i 1) (x 1 ), g (j 1) (y 1 ), i 1 + j 1 ) Suppose we can find x 2, y 2 such that (x 2, y 2 ) (x 1, y 1 ), i.e. x 2 x 1 or y 2 y 1 but h(x 2, y 2 ) = ( g (i 2) (x 2 ), g (j 2) (y 2 ), i 2 + j 2 ) = h(x 1, y 1 ) = ( g (i 1) (x 1 ), g (j 1) (y 1 ), i 1 + j 1 ) g (i 1) (x 1 ) = g (i 2) (x 2 ) g (j 1) (y 1 ) = g (j 2) (y 2 ) i 1 + j 1 = i 2 + j 2 g (i 1) (x 1 ) = g (i 2) (x 2 ) means that we can invert g or find a collision in g, i.e., g(g(.g(x 1 ) )) = g( g(.g(x 2 ) ) ) i 1 i 2 If i 1 = 0 but i 2 0, then x 1 =g (i 2) (x 2 ), which means that we can invert g. Similarly for i 2 = 0 but i 1 0. If both i 1 = 0 and i 2 = 0, then x 2 =x 1. Note that x 2 x 1 or y 2 y 1. If i 1 0 and i 2 0, then g(g(.g(x 1 ) ) )=g(g(.g(x 2 ) ) ), which means finding collision x 4 x 3 15

CR vs. WCR (4/5) h(x, y) is not collision resistant. Because h(x, g(y)) if often equal to h(g(x), y). {0,1} * {0,1} n x h(x, g(y)) = (g (6) (x), g (3) (y), 6+2) h(g(x), y) = (g (6) (x), g (3) (y), 5+3) y 0000 16

Why often and not always? CR vs. WCR (5/5) Case 1: If x {0, 1} n and ends with 4 zeros and g(x) ends with 4 zeros then, h(x, g(y)) = (x, g (j) (y), 0+j-1) (g(x), g (j) (y), 0+j)= h(g(x), y) Case 2:for x, hashing 100 times still never get a value ending with 0000. x {0,1} n g 100 (x) The condition of 4 zeroes is variable, you can choose 2 or 3 or 5 zeroes. Also the condition to apply function g a maximum of 100 times is again variable. You can select 10, 200,. 17

Relationship among Hash Function Properties 18

Which Property Do We Need? UNIX passwords stored as hash(password) One-wayness: hard to recover password Integrity of software distribution Weak collision resistance Intrusion Detection For each file F, store h(f), for example on a CD-R. Keep the CD-R secure. Later, one can see if the file has been modified by recomputing h(f) for each file. Needs weak collision resistance Auction bidding Alice wants to bid B, sends H(B), later reveals B One-wayness: rival bidders should not recover B Collision resistance: Alice should not be able to change her mind to bid B such that H(B)=H(B ) 19

Hash Function Genealogy (1/2) Ron Rivest Message Digest MD-family (MD2, MD4 and MD5): 128-bit NIST Secure Hash Algorithm SHA. SHA designed by NIST & NSA in 1993 and revised in 1995 as SHA-1 SHA-1 is based on design of MD4 and produces 160-bit hash values Regarding its use in future applications, NIST added 3 additional versions of SHA in 2002 SHA-256, SHA-384, SHA-512 Structure & detail is similar to SHA-1 Security levels are rather higher They take an arbitrary-length string and map it to a fixed-length quantity that appears to be randomly chosen. For example, two inputs that differ by only one bit should have outputs that look like completely independently chosen random numbers. 20

Hash Function Genealogy (2/2) MD2, 1989 MD4, 1990 MD5, 1991 SHA-0, 1993 SHA-1, 1995 All (except MD2) have same basic structure SHA-2 (224, 256, 384, 512), 2001 21

MD5 Common Hash Functions 128-bit output Designed by Ron Rivest, used very widely Specified as Internet standard RFC1321 Collision-resistance broken (summer of 2004) SHA-1 160-bit output Input length: at most 2 64 bits Developed by NIST, specified in the Secure Hash Standard (SHS, FIPS Pub 180), 1993 SHA is specified as the hash algorithm in the Digital Signature Standard (DSS) by NIST 22

SHA-1 vs. MD5 Brute force attack is harder for SHA-1(160 vs 128 bits for MD5) SHA-1 is not vulnerable to any known cryptanalytic attacks (compared to MD5) SHA-1 is a little slower than MD5 Both designed as simple and compact for implementation 23

Revised Secure Hash Standard NIST have issued a revision FIPS 180-2 Added 3 additional hash algorithms SHA-256, SHA-384, SHA-512 Designed for compatibility with increased security provided by the AES cipher Structure & detail are similar to SHA-1 24

How Strong is SHA-1? Every bit of output depends on every bit of input Very important property for collision-resistance Brute-force inversion requires 2 160 ops, birthday attack on collision resistance requires 2 80 ops Some very recent weaknesses (2005) Collisions can be found in 2 63 ops 25

How Many Bits for Hash? If the message digest is m bits, then k=2 m We need to examine 2 m/2 to likely find two with the same hash If m = 128, takes 2 64 messages to search Need at least 128 bits 26

Authentication Without Encryption KEY MAC (message authentication code) KEY message, MAC(KEY,message) Alice message =? Bob Recomputes MAC and verifies whether it is equal to the MAC attached to the message Integrity and authentication: only someone who knows KEY can compute MAC for a given message 27

Message Authentication Code with Hash Message Authentication Code (MAC) It is used to protect the integrity of a message Can we just compute h(m)? No Authentication Several choices to compute MAC with a key Prefix: MAC k (m) = h(k m) It is not secure The hashes are usually computed by repeatedly hashing blocks and combining with previously computed value: h(h(h(k m 1 ) m 2 ) m 3 ) Attackers can append to the message without knowing key k Suffix: MAC k (m) = h(m k) Envelope: MAC k (m) = h(k 1 m k 2 ) HMAC: MAC k (m) = h(k 1 h(m k 2 )) provably secure; slower, popular in Internet standards. 28

One-time pad Encryption with Hash compute bit streams using h, k, and IV b 1 = h(k IV), b i = h(k b i-1 ), with message blocks Or mixing in the plaintext similar to cipher feedback mode (CFB) b 1 = h(k IV), c 1 = p 1 b 1 b 2 = h(k c 1 ), c 2 = p 2 b 2 29

Hash Algorithm Structure This structure is referred to as an iterated hash function It takes an input message and partitions it into L b-bit blocks. The final block is padded to b bits. It repeatedly uses a compression function, f, that takes two inputs: an n-bit input from the previous step and a b-bit block, and produces an n-bit output. CV 0 = IV = initial n-bit value CV i = f(cv i-1, Y L-1 ) H(M) = CV L Theorem: If f is collision resistant, then H is collision resistant. 30

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback