2 Definition and Properties
cryptographic hash (message digest) – a function that maps an arbitrary-length input into a fixed-length output (called the hash or digest)
hash properties
–one-way – computationally infeasible to find an input for a particular hash value
–pseudorandom – an intruder should not be able to deduce information about the input from the hash
–collision resistant – cannot find two inputs that generate the same hash
3 Pseudorandomness in Detail
each hash value seen in practice should have about 1/2 of its bits on
changing one bit of the input should change about 1/2 of the output bits (unpredictable which)
two outputs should be uncorrelated, regardless of how closely related the inputs are
any subset of the bits should itself be a good hash
4 Collision Resistance in Detail
Birthday Problem (“paradox”): when √N elements or more are chosen randomly from a domain of size N, the probability of a collision is above 50%
–how many people do you need so that at least one pair shares a birthday?
why is collision resistance necessary?
–if the intruder is able to pick the text to match, his task is simplified due to the birthday paradox
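An added worked example (not part of the slides) of the birthday bound: the exact collision probability for k draws from N, the k at which it crosses 1/2 (23 for N = 365, about 1.18·√N in general), and a birthday search against SHA-256 truncated to 24 bits, a constructed stand-in for a hash whose digest is too short.

```python
import hashlib

def collision_probability(k: int, n: int) -> float:
    """Exact probability that k values drawn uniformly from n possibilities
    contain at least one repeat (the birthday problem)."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= 1 - i / n
    return 1 - p_distinct

def samples_for_half(n: int) -> int:
    """Smallest k whose collision probability reaches 1/2: about 1.18*sqrt(n)."""
    p_distinct, k = 1.0, 0
    while p_distinct > 0.5:
        p_distinct *= 1 - k / n   # extend the product by one more draw
        k += 1
    return k

def truncated_hash(data: bytes, nbits: int) -> int:
    """SHA-256 keeping only its top nbits: a constructed stand-in for a
    hash with a small digest (N = 2**nbits possible values)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - nbits)

def find_collision(nbits: int, limit: int = 1 << 20):
    """Birthday search: hash distinct counter-derived messages and stop at
    the first repeated digest. Returns (trials, msg_a, msg_b) or None.
    With N = 2**nbits this takes roughly sqrt(N) hashes, not N."""
    seen = {}
    for i in range(limit):
        msg = b"message-%d" % i          # constructed, distinct inputs
        h = truncated_hash(msg, nbits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None

if __name__ == "__main__":
    print("people for a 50% shared birthday:", samples_for_half(365))
    print("draws for a 50% collision on a 24-bit hash:", samples_for_half(1 << 24))
    trials, a, b = find_collision(24)
    print(f"24-bit collision after {trials} hashes: {a!r} vs {b!r}")
```

The same search on a full 256-bit digest would need on the order of 2^128 hashes, which is why digest length, not just one-wayness, sets the security level.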
5 Hash Uses
sign the hash (digest) instead of the message
store digests of files, to look for changes (e.g., viruses); Tripwire does this
–why wouldn’t a CRC work?
with a secret, can do anything a secret key algorithm can do (authenticate, encrypt, integrity-protect)
irreversible password hash database
–why must it be irreversible?
6 Authentication with Hash
how was authentication with secret key cryptography done?
Alice and Bob both know secret K:
–Alice → Bob: “I’m Alice”
–Bob → Alice: R
–Alice → Bob: hash(R || K)
7 Stream Cipher with Hash
create a pad; first send the IV in the clear
–b_1 = hash(K || IV)
–b_2 = hash(K || b_1)
–b_i = hash(K || b_{i-1})
note: with the IV, Alice can precompute the pad, but Bob can’t
can mix in the plaintext for pad generation – lose the precomputation capability, gain (some) integrity protection (p_i is the i-th plaintext block, c_i the i-th ciphertext block)
–b_1 = hash(K || IV), c_1 = p_1 ⊕ b_1
–b_2 = hash(K || c_1), c_2 = p_2 ⊕ b_2
–b_i = hash(K || c_{i-1}), c_i = p_i ⊕ b_i
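Both pad constructions from this slide, as an added example that is not part of the original slides: SHA-256 stands in for hash(), so each pad block b_i is 32 bytes; the key and IV are constructed values. flip_bit lets you see the "(some) integrity protection" of the second variant: a modified ciphertext block garbles the next plaintext block instead of passing silently.

```python
import hashlib

BLOCK = hashlib.sha256().digest_size   # one pad block b_i is one hash output (32 bytes)

def h(key: bytes, data: bytes) -> bytes:
    """hash(K || data), the pad generator from the slide (SHA-256 assumed)."""
    return hashlib.sha256(key + data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def precomputed_pad(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Variant 1: b_1 = hash(K||IV), b_i = hash(K||b_{i-1}).
    Needs only K and IV, so the pad can be generated ahead of time."""
    pad, prev = b"", iv
    while len(pad) < nbytes:
        prev = h(key, prev)
        pad += prev
    return pad[:nbytes]

def crypt_v1(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) with the precomputed pad."""
    return xor(data, precomputed_pad(key, iv, len(data)))

def encrypt_v2(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Variant 2: b_i = hash(K||c_{i-1}); the pad depends on earlier ciphertext,
    so it cannot be precomputed before the data is known."""
    out, prev = b"", iv
    for off in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[off:off + BLOCK], h(key, prev))
        out, prev = out + c, c
    return out

def decrypt_v2(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Receiver regenerates b_i from the ciphertext block it just received."""
    out, prev = b"", iv
    for off in range(0, len(ciphertext), BLOCK):
        c = ciphertext[off:off + BLOCK]
        out, prev = out + xor(c, h(key, prev)), c
    return out

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a one-bit change to the ciphertext in transit."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)
```

In variant 1 a flipped ciphertext bit flips exactly one plaintext bit and nothing else notices; in variant 2 the block after the modified one decrypts to garbage, which is detectable, but blocks further on are unaffected, so this is not a substitute for a MAC.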
8 Integrity Protection with Hash
MAC (again) – message authentication code – used to protect the integrity of a message
can we just hash the message (without using a key) to produce the MAC?
approaches to hash-based MAC
prefix: MAC_K(x) = H(K || x)
–not secure; extension attack: hashes are usually computed by repeatedly hashing blocks and combining each with the previously computed value, so an intruder can append to the message without knowing the key
suffix: MAC_K(x) = H(x || K)
–mostly ok; problematic if H is not collision resistant: two messages with the same hash will have the same MAC, why?
envelope: MAC_K(x) = H(K_1 || x || K_2)
HMAC: MAC_K(x) = H(K_1 || H(x || K_2))
–provably secure; slower, popular in Internet standards
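The four constructions side by side, as an added example that is not part of the slides, with SHA-256 as H and constructed keys. The nested HMAC is written out as RFC 2104 specifies it, H((K ⊕ opad) || H((K ⊕ ipad) || x)), and cross-checked against Python's hmac module; the inner and outer keys derived from K play the roles of K_2 and K_1 on the slide.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac_prefix(key: bytes, x: bytes) -> bytes:
    """H(K || x): extendable when H is an iterated (block-chaining) hash."""
    return H(key + x)

def mac_suffix(key: bytes, x: bytes) -> bytes:
    """H(x || K): any collision H(x) = H(x') carries over to the MAC."""
    return H(x + key)

def mac_envelope(k1: bytes, x: bytes, k2: bytes) -> bytes:
    """H(K1 || x || K2)."""
    return H(k1 + x + k2)

def hmac_from_definition(key: bytes, x: bytes) -> bytes:
    """RFC 2104 HMAC: H((K xor opad) || H((K xor ipad) || x)),
    with K first brought to the hash's block size."""
    block_size = hashlib.sha256().block_size     # 64 bytes for SHA-256
    if len(key) > block_size:
        key = H(key)                              # long keys are hashed first
    key = key.ljust(block_size, b"\x00")          # short keys are zero-padded
    inner = bytes(b ^ 0x36 for b in key)          # K xor ipad
    outer = bytes(b ^ 0x5C for b in key)          # K xor opad
    return H(outer + H(inner + x))

def matches_stdlib(key: bytes, x: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac_from_definition(key, x) == hmac.new(key, x, hashlib.sha256).digest()

def verify_tag(key: bytes, x: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time, so the comparison
    does not leak how many leading bytes of a guessed tag were right."""
    return hmac.compare_digest(hmac_from_definition(key, x), tag)
```

The outer hash is what closes the extension attack on the prefix form: an attacker who sees the tag sees H(outer || inner_hash), not the chaining state of a hash over K || x, and so has nothing to extend.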
9 Unix Password Hash
used only one way, for authentication
DES-like; plain DES is not used, to prevent hardware-based DES encoders from being used in password guessing
password converted to a DES key
–first 8 7-bit ASCII characters of the password are used to create a 56-bit key
–the key is used to encrypt the number 0
problem: the same passwords hash to the same value (dictionary attack possible)
solution: use a salt, an arbitrary 12-bit value
–the salt controls which bits are duplicated in R at every DES round
–the salt is appended to the hash in the clear
10 Unix Password Hash (cont.)
how to deal with passwords longer than 8 characters?
could ignore all but the 1st 8 chars
–done in old Unixes
typical: store crypt(1st 8 bytes), crypt(2nd 8 bytes)
–what’s wrong with this?
11 MD2: Outline
takes an arbitrary message, operates on octets, and produces a 128-bit (16-octet) digest
steps
–input the message, break it into octets, pad to a multiple of 16 octets
–compute a 16-octet checksum and append it to the message
–final pass: compute the digest
these three steps can be done in one pass
very limited memory requirements – can be done on a resource-constrained machine
12 MD2: Padding
the padded message must be a multiple of 16 octets (128 bits)
always padded (even if the original message is already a multiple)
the padding octets contain the number of padding octets
13 MD2: Checksum Calculation
the checksum is an intermediate 16-octet value appended to the message before the final digest calculation
the checksum is computed one padded-message octet at a time
the current octet of the message is:
–XORed with the previous octet of the checksum
–the result is substituted according to a fixed octet substitution table (π-substitution)
–the result is XORed with the current value of the checksum octet and stored
14 MD2: Final Pass
the padded message with checksum is processed one 16-octet block at a time
each time a 48-octet value is computed as: message digest || current message block || (XOR of the two)
18 passes over this value
–the “-1th” octet (the value fed into the first substitution of a pass) contains the 47th octet of the previous pass + the pass number
–each pass: the current octet is XORed with the π-substitution of the previous octet
after 18 passes, the first 16 octets are used as the MD for the next 16-octet block of the message
15 History of Hash Algorithms
MD – proprietary, never published, not widely used
MD2 – first public algorithm, oriented towards 8-bit processing, little memory, good for embedded devices
MD3 – immediately superseded by MD4 (never published)
MD4 – runs faster than MD2, uses 32-bit operations, became suspect
MD5 – slightly slower, more conservative
SHA-1 – NIST standard, similar to MD5, even more conservative
eventually MD2 and MD4 were “broken” – two messages with the same hash were found
the MDs produce 128-bit digests, SHA-1 a 160-bit digest