2 Definition and Properties
- cryptographic hash (message digest) – a function that maps an arbitrary-length input into a fixed-length output (called hash or digest)
- hash properties
  - one-way – computationally infeasible to find an input for a particular hash value
  - pseudorandom – intruder should not be able to deduce information about the input from the hash
  - collision resistant – cannot find two inputs that generate the same hash
3 Pseudorandomness in Detail
- each hash value seen in practice should have about 1/2 of the bits on
- changing one bit of the input should change about 1/2 of the output bits (unpredictable which)
- two outputs should be uncorrelated, regardless of how closely related the inputs are
- any subset of the bits should be a good hash
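The two pseudorandomness checks on this slide (about half the output bits set, and a one-bit input change flipping about half the output bits) can be measured directly. The following is an added example written for this page, not code from the slides; it uses SHA-256 from the Python standard library and a constructed sample input.

```python
import hashlib

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit flipped (bit 0 = LSB of byte 0)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def avalanche_stats(msg: bytes, algo: str = "sha256"):
    """Flip every input bit of msg in turn and count how many digest bits change.
    Returns (digest bits, min changed, mean changed, max changed).
    For a good hash the mean sits near half the digest length."""
    base = hashlib.new(algo, msg).digest()
    diffs = [
        hamming_distance(base, hashlib.new(algo, flip_bit(msg, bit)).digest())
        for bit in range(len(msg) * 8)
    ]
    return len(base) * 8, min(diffs), sum(diffs) / len(diffs), max(diffs)

def ones_fraction(msg: bytes, algo: str = "sha256") -> float:
    """Fraction of bits set in the digest; should be close to 1/2."""
    d = hashlib.new(algo, msg).digest()
    return sum(bin(b).count("1") for b in d) / (len(d) * 8)

if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed input
    print("bits, min, mean, max changed per flipped input bit:", avalanche_stats(sample))
    print("fraction of digest bits set:", ones_fraction(sample))
```

Over all 352 single-bit flips of the sample the mean number of changed digest bits lands near 128 of 256, and no single flip changes far fewer or far more; a hash that failed this test would leak information about which input bit changed.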
4 Collision Resistance in Detail
- Birthday Problem (“paradox”): when √N elements or more are chosen randomly from a domain of N, the probability of a collision is above 50%
  - how many people do you need so that at least one pair shares a birthday with probability more than 50%? more than 23
  - the answer is computed by inverting the problem – what is the probability of N people not sharing a birthday? total possibilities 365^N; the first person's birthday leaves 364 choices for the second, 363 for the third, etc., so for N people the probability of no shared birthday is 365!/(365^N · (365−N)!); for N > 23 the complement comes up to greater than 50%
- why is collision resistance necessary?
  - if the intruder is able to pick the text to match, his task is simplified due to the birthday paradox
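The birthday computation on this slide, carried through in code, together with the general √N bound it illustrates. This is an added example, not part of the original slides; it uses only the standard library, and the "digest" in the last function is a SHA-256 prefix truncated to a constructed toy width so that the √N behaviour is visible in a fraction of a second.

```python
import hashlib

def no_collision_probability(n: int, domain: int = 365) -> float:
    """Probability that n values drawn uniformly from `domain` are all distinct,
    i.e. domain!/(domain^n (domain-n)!), computed as a running product so no
    huge factorials are needed."""
    p = 1.0
    for i in range(n):
        p *= (domain - i) / domain
    return p

def people_for_collision(domain: int = 365, threshold: float = 0.5) -> int:
    """Smallest n for which the probability of at least one collision
    exceeds `threshold`."""
    n = 1
    while 1 - no_collision_probability(n, domain) <= threshold:
        n += 1
    return n

def truncated_digest_collision(bits: int = 24, seed: bytes = b"constructed-seed") -> int:
    """Hash distinct inputs until two share the same `bits`-bit digest prefix
    and return how many inputs that took. For a domain of 2^bits values this
    is on the order of sqrt(2^bits) = 2^(bits/2), which is why a digest of
    b bits offers only about b/2 bits of collision resistance."""
    seen = set()
    count = 0
    while True:
        count += 1
        msg = seed + count.to_bytes(8, "big")        # deterministic distinct inputs
        prefix = int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)
        if prefix in seen:
            return count
        seen.add(prefix)

if __name__ == "__main__":
    print("people needed for >50%:", people_for_collision())          # 23
    print("P(no shared birthday, 23 people):", no_collision_probability(23))
    print("inputs until a 24-bit digest collision:", truncated_digest_collision())
```

The smallest group with a better-than-even chance of a shared birthday is 23 (P(no collision) ≈ 0.493). The same function with domain = 2^16 gives roughly 300 draws, i.e. about √N, and the toy 24-bit digest collides after a few thousand inputs rather than the 2^24 a naive attacker would need; this is the arithmetic behind "the intruder's task is simplified".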
5 Hash Uses
- sign hash (digest) instead of message
- store digests of files, to look for changes (e.g., viruses) (Tripwire does this)
  - why wouldn’t CRC work?
- with a secret, can do anything a secret key algorithm can do (authenticate, encrypt, integrity-protect)
- irreversible password hash database
  - why must it be irreversible?
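The answer to "why wouldn't CRC work?" is that a CRC is a linear function of its input, so a deliberate change to a file can be paired with a compensating change that leaves the CRC unchanged; a cryptographic hash has no such structure. The added example below (written for this page, not from the slides or from Tripwire) verifies the linearity identity with zlib's CRC-32, shows that SHA-256 does not satisfy it, and sketches the Tripwire-style baseline check with SHA-256 over a constructed in-memory "file system".

```python
import hashlib
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """Check crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros) for equal-length
    inputs. This holds for CRC-32 (an affine map over GF(2)); the crc(zeros)
    term absorbs the initial and final XOR constants of zlib's CRC-32."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs

def sha256_is_linear(a: bytes, b: bytes) -> bool:
    """Same identity applied to SHA-256: it fails, as it should for a
    cryptographic hash."""
    assert len(a) == len(b)
    h = lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big")
    return h(xor_bytes(a, b)) == h(a) ^ h(b) ^ h(bytes(len(a)))

def make_baseline(files: dict) -> dict:
    """Tripwire idea: record a digest per file name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def changed_files(baseline: dict, files: dict) -> list:
    """Names whose current digest differs from the baseline, plus added/removed names."""
    return sorted(
        name for name in set(baseline) | set(files)
        if baseline.get(name) != (hashlib.sha256(files[name]).hexdigest() if name in files else None)
    )

if __name__ == "__main__":
    a, b = b"hello world!", b"HELLO WORLD!"                # constructed inputs
    print("CRC-32 linear:", crc32_is_linear(a, b))         # True
    print("SHA-256 linear:", sha256_is_linear(a, b))       # False
    fs = {"/bin/ls": b"ls v1", "/etc/passwd": b"root:x:0:0"}   # constructed "files"
    base = make_baseline(fs)
    fs["/bin/ls"] = b"ls v1 + something else"
    print("changed:", changed_files(base, fs))             # ['/bin/ls']
```

The practical consequence: a CRC detects accidental corruption, but an attacker who replaces a monitored binary can adjust a few bytes so the CRC still matches, so an integrity checker needs a collision-resistant hash (and, against an attacker who can also rewrite the baseline, a key, as the next bullet says).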
6 Authentication with Hash
- how was authentication with secret key cryptography done?
- both know secret K
- exchange:
  Alice → Bob: “I’m Alice”
  Bob → Alice: R
  Alice → Bob: hash(R || K)
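The three-message exchange on this slide, with both sides implemented, as an added example that is not part of the original slides. The verifier keeps the outstanding challenge per claimed identity and discards it after one use, which is what makes the random R a defence against replaying a recorded hash(R || K); the hash is SHA-256 and the key is a constructed value.

```python
import hashlib
import hmac
import os

def response(secret: bytes, challenge: bytes) -> bytes:
    """Prover's reply from the slide: hash(R || K)."""
    return hashlib.sha256(challenge + secret).digest()

class Bob:
    """Verifier side. Issues a fresh random challenge R per attempt and
    accepts a response only while that R is outstanding, so a recorded
    hash(R || K) cannot be replayed in a later session."""

    def __init__(self, secret: bytes):
        self.secret = secret            # K, shared with Alice out of band
        self.pending = {}               # claimed name -> outstanding R

    def challenge(self, name: str) -> bytes:
        r = os.urandom(16)              # fresh, unpredictable R
        self.pending[name] = r
        return r

    def verify(self, name: str, resp: bytes) -> bool:
        r = self.pending.pop(name, None)
        if r is None:
            return False                # nothing outstanding: stale or replayed
        # constant-time comparison so timing does not leak the expected value
        return hmac.compare_digest(resp, response(self.secret, r))

def run_exchange(shared_key: bytes):
    """Alice -> Bob: "I'm Alice"; Bob -> Alice: R; Alice -> Bob: hash(R || K).
    Returns (first attempt accepted, replay of the same response accepted)."""
    bob = Bob(shared_key)
    r = bob.challenge("Alice")                 # Bob -> Alice: R
    resp = response(shared_key, r)             # Alice -> Bob: hash(R || K)
    first = bob.verify("Alice", resp)
    bob.challenge("Alice")                     # a new session gets a fresh R
    replayed = bob.verify("Alice", resp)       # the old response no longer matches
    return first, replayed

if __name__ == "__main__":
    print(run_exchange(b"constructed-shared-key"))   # (True, False)
```

Note that this only authenticates Alice to Bob; mutual authentication needs a second challenge in the other direction, and in practice the hash(R || K) step is done with an HMAC rather than a bare hash of the concatenation.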
7 Stream Cipher with Hash
- create pad; first send IV in the clear
  b1 = hash(K || IV)
  b2 = hash(K || b1)
  bi = hash(K || bi-1)
- note: with the IV, Alice can precompute the pad, but Bob can’t
- can mix in plaintext for pad generation – lose precomputation capability, gain (some) integrity protection (pi is the i-th plaintext block, ⊕ is XOR)
  b1 = hash(K || IV)    c1 = p1 ⊕ b1
  b2 = hash(K || c1)    c2 = p2 ⊕ b2
  bi = hash(K || ci-1)  ci = pi ⊕ bi
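Both pad constructions from this slide, implemented with SHA-256 so that each pad block is 32 bytes, as an added example that is not code from the slides. The tamper demo shows the difference the slide points at: flipping one ciphertext bit in the precomputable chain changes exactly one plaintext bit, while in the ciphertext-feedback chain it also garbles the entire following block, which a receiver can notice. Key, IV and plaintext are constructed values.

```python
import hashlib

BLOCK = hashlib.sha256().digest_size     # 32-byte pad blocks

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates to the shorter (last block)

def encrypt_ofb(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Pad chain from the slide: b1 = hash(K||IV), bi = hash(K||b(i-1)).
    The pad depends only on K and IV, so the sender can precompute it."""
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = hashlib.sha256(key + prev).digest()
        out.append(_xor(p, prev))
    return b"".join(out)

decrypt_ofb = encrypt_ofb          # XOR with the same pad undoes the encryption

def encrypt_cfb(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Variant mixing ciphertext back in: bi = hash(K||c(i-1)), ci = pi XOR bi."""
    out, prev = [], iv
    for p in _blocks(plaintext):
        c = _xor(p, hashlib.sha256(key + prev).digest())
        out.append(c)
        prev = c
    return b"".join(out)

def decrypt_cfb(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(c, hashlib.sha256(key + prev).digest()))
        prev = c
    return b"".join(out)

def diff_positions(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def tamper_demo(byte_index: int = 5):
    """Flip one ciphertext bit and report which plaintext bytes change after
    decryption, for the OFB-like and the CFB-like chain respectively."""
    key, iv = b"constructed-key", bytes(range(32))
    pt = bytes(range(64))                       # two blocks of constructed plaintext
    results = []
    for enc, dec in ((encrypt_ofb, decrypt_ofb), (encrypt_cfb, decrypt_cfb)):
        ct = bytearray(enc(key, iv, pt))
        ct[byte_index] ^= 0x01                  # one-bit change in block 0
        results.append(diff_positions(pt, dec(key, iv, bytes(ct))))
    return tuple(results)

if __name__ == "__main__":
    ofb, cfb = tamper_demo()
    print("OFB-like chain, changed plaintext bytes:", ofb)      # [5]
    print("CFB-like chain, changed plaintext bytes:", cfb)      # 5 plus (almost) all of 32..63
```

The "(some) integrity protection" of the slide is exactly this error propagation: a modification is likely to be noticed because the next block decrypts to garbage, but nothing detects a change to the last block, so a real design still needs a MAC.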
8 Integrity Protection with Hash
- MAC (again) – message authentication code – used to protect the integrity of a message
- can we just hash the message (without using a key) to produce the MAC? – no, a plain message hash will not work, because anyone can compute it knowing the hash algorithm
- approaches to hash-based MAC
  - prefix: MAC_K(x) = H(K || x)
    - not secure; extension attack: the hashes are usually computed by repeatedly hashing blocks and combining with the previously computed value, so an intruder can append to the message without knowing the key
  - suffix: MAC_K(x) = H(x || K)
    - mostly ok; problematic if H is not collision resistant: two messages with the same hash will have the same MAC, why? – because the key is just appended to the message – see the argument for the extension attack
  - envelope: MAC_K(x) = H(K1 || x || K2)
  - HMAC: MAC_K(x) = H(K1 || H(x || K2))
    - provably secure; slower; popular in Internet standards
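The extension attack on the prefix construction is easiest to see on a hash whose block chaining is explicit. The added example below (written for this page, not code from the slides) builds a toy Merkle–Damgård hash whose compression function is a truncated SHA-256 call, shows that a tag H(K || x) can be extended to a valid tag for a longer message without the key, and shows that the nested HMAC-style construction (implemented here in the standard inner/outer-key form rather than the slide's shorthand) is not extendable the same way. Block size, padding rule, key and messages are all constructed for the example.

```python
import hashlib

BLOCK = 16            # block size of the toy hash, in bytes
IV = bytes(BLOCK)     # fixed initial chaining value

def _pad_tail(msg_len: int) -> bytes:
    """Merkle-Damgard padding for a message of msg_len bytes: 0x80, zeros,
    then the bit length as 8 big-endian bytes, ending on a block boundary."""
    zeros = (BLOCK - 9 - msg_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + (msg_len * 8).to_bytes(8, "big")

def _absorb(state: bytes, padded: bytes) -> bytes:
    """Chain the compression function over whole blocks, starting from state.
    The compression function is SHA-256 truncated to BLOCK bytes (toy only)."""
    assert len(padded) % BLOCK == 0
    for i in range(0, len(padded), BLOCK):
        state = hashlib.sha256(state + padded[i:i + BLOCK]).digest()[:BLOCK]
    return state

def toy_hash(msg: bytes) -> bytes:
    return _absorb(IV, msg + _pad_tail(len(msg)))

def mac_prefix(key: bytes, msg: bytes) -> bytes:
    """Prefix construction from the slide: MAC_K(x) = H(K || x)."""
    return toy_hash(key + msg)

def extend_prefix_mac(tag: bytes, known_len: int, msg: bytes, suffix: bytes):
    """Length extension: from H(K || x) and len(K || x) alone, compute a valid
    tag for x || glue || suffix by resuming the chain at `tag`. The glue is
    the padding the genuine computation used, so it is fixed by the length."""
    glue = _pad_tail(known_len)
    total = known_len + len(glue) + len(suffix)
    forged_tag = _absorb(tag, suffix + _pad_tail(total))
    return msg + glue + suffix, forged_tag

def mac_hmac(key: bytes, msg: bytes) -> bytes:
    """Nested construction H(K_out || H(K_in || x)), HMAC's ipad/opad form.
    The inner digest is hashed again under the key, so resuming the outer
    chain without the key gives nothing useful."""
    assert len(key) <= BLOCK
    key = key.ljust(BLOCK, b"\x00")
    k_in = bytes(b ^ 0x36 for b in key)
    k_out = bytes(b ^ 0x5c for b in key)
    return toy_hash(k_out + toy_hash(k_in + msg))

def demo():
    """Returns (prefix-MAC forgery verifies, HMAC forgery verifies)."""
    key = b"secret!"                       # constructed; never given to the attacker
    msg = b"amount=100&to=bob"             # constructed message
    suffix = b"&to=mallory"
    tag = mac_prefix(key, msg)
    # The attacker knows msg, tag and the key length, not the key itself.
    forged_msg, forged_tag = extend_prefix_mac(tag, len(key) + len(msg), msg, suffix)
    prefix_ok = mac_prefix(key, forged_msg) == forged_tag
    # The same resumption applied to an HMAC tag does not yield a valid tag.
    htag = mac_hmac(key, msg)
    _, h_forged = extend_prefix_mac(htag, len(key) + len(msg), msg, suffix)
    hmac_ok = mac_hmac(key, forged_msg) == h_forged
    return prefix_ok, hmac_ok

if __name__ == "__main__":
    print(demo())     # (True, False)
```

The forged message carries the padding bytes in the middle, which is why extension attacks matter most for formats that tolerate junk between fields (query strings, some binary protocols). Real MD5/SHA-1/SHA-256 chain blocks the same way, which is why H(K || x) is avoided in practice and HMAC is used instead.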
9 Unix Password Hash
- used only one way, for authentication
- DES-like; plain DES is not used, to prevent hardware DES encoders from being used in password guessing
- password converted to a DES key: the first 8 7-bit ASCII characters of the password are used to create a 56-bit key
- the key is used to encrypt the number 0
- problem: the same passwords hash to the same value (dictionary attack possible)
- solution: use a salt, an arbitrary 12-bit value
  - the salt controls which bits are duplicated in R at every DES round
  - the salt is appended to the hash in the clear
10 Unix Password Hash (cont.)
- how to deal with passwords longer than 8 characters?
  - could ignore all but the 1st 8 chars – done in old Unixes
  - typical: store crypt(1st 8 bytes), crypt(2nd 8 bytes)
  - what’s wrong with this? if the second half is short, it can be broken first and then used to try guessing the first half
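The salt idea from these two slides in a small password store, as an added example written for this page (not the slides' own DES crypt, which the standard library no longer exposes). PBKDF2-HMAC-SHA256 stands in for the DES-based hash: it is equally one-way, takes the whole password rather than 8-byte pieces (so the "two halves" weakness above does not arise), and the random salt is stored in the clear next to the derived key exactly as the 12-bit Unix salt was. The iteration count and passwords are constructed values.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000      # work factor; constructed value, raise it for real use

def hash_password(password: str, salt: bytes = None) -> str:
    """Return "salt$hash" (both hex). A fresh random salt per user means two
    users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def unsalted(password: str) -> str:
    """Contrast case: without a salt, equal passwords give equal hashes, so one
    precomputed dictionary of hashes cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()

def demo() -> dict:
    alice = hash_password("hunter2")        # constructed passwords
    bob = hash_password("hunter2")
    return {
        "salted_equal": alice == bob,                                   # False
        "unsalted_equal": unsalted("hunter2") == unsalted("hunter2"),   # True
        "verify_ok": verify_password("hunter2", alice),                 # True
        "verify_wrong": verify_password("hunter3", alice),              # False
    }

if __name__ == "__main__":
    print(demo())
```

A 16-byte salt gives 2^128 possible values against the 2^12 of the original scheme, which is the difference between forcing the attacker to hash each guess once per user and merely 4096 times in total; the work factor (ITERATIONS) plays the role the deliberately non-standard DES played, making hardware-assisted guessing less attractive.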
11 MD2: Outline
- takes an arbitrary message, operates on octets and produces a 128-bit (16-octet) digest
- steps
  - input the message, break into octets, pad to a multiple of 16 octets
  - compute a 16-octet checksum and append it to the message
  - final pass: compute the digest
- these three steps can be done in one pass
- very limited memory requirements – can be done on a resource-constrained machine
12 MD2: Padding
- the padded message must be a multiple of 16 octets (128 bits)
- always padded (even if the original message is already a multiple)
- the padding octets contain the number of padding octets
13 MD2: Checksum Calculation
- the checksum is an intermediate 16-octet value appended to the message before the final digest calculation
- the checksum is computed one padded-message octet at a time; the current octet of the message is:
  - XORed with the previous octet of the checksum
  - the result is substituted according to a fixed octet substitution table (π-substitution)
  - the result is XORed with the current value of the checksum octet and stored
14 MD2: Final Pass
- the padded message with checksum is processed one 16-octet block at a time
- each time a 48-octet value is computed as: message digest || current message block || XOR of the two
- 18 passes over this value
  - each pass – the current octet is XORed with the π-substitution of the previous octet
  - the “-1th” octet (the value the first octet is XORed against) contains the sum of the 47th octet and the pass number
- after 18 passes, the first 16 octets are used as the MD for the next 16-octet block of the message
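The four MD2 slides (outline, padding, checksum, final pass) as one piece of code, added here as an example written for this page rather than taken from the slides or from RFC 1319. One assumption is deliberate: the substitution table S below is a constructed permutation of 0..255 produced by a seeded shuffle, not the π-derived table of the real algorithm, so the digests are not interoperable with MD2; replacing S with the RFC 1319 table turns this into the real hash. Everything else (pad-count padding, the 16-octet checksum, the 48-octet state, 18 passes, carrying octet 47 plus the pass number into the next pass) follows the slides.

```python
import random

# Constructed substitution table: a fixed permutation of 0..255 (seeded shuffle).
# Real MD2 uses a table derived from the digits of pi; plug that table in here
# to obtain digests that match other MD2 implementations.
S = list(range(256))
random.Random(2).shuffle(S)

def md2_pad(msg: bytes) -> bytes:
    """Always pad to a multiple of 16 octets; every padding octet holds the
    number of padding octets (16 if the message is already aligned)."""
    n = 16 - (len(msg) % 16)
    return msg + bytes([n]) * n

def md2_checksum(padded: bytes) -> bytes:
    """16-octet checksum, one padded-message octet at a time: XOR the message
    octet with the previous checksum octet, substitute, XOR into the current
    checksum octet and store."""
    c = bytearray(16)
    prev = 0                                  # previous checksum octet
    for i in range(0, len(padded), 16):
        for j in range(16):
            c[j] ^= S[padded[i + j] ^ prev]
            prev = c[j]
    return bytes(c)

def md2_digest(msg: bytes) -> bytes:
    data = md2_pad(msg)
    data += md2_checksum(data)                # checksum appended before the final pass
    x = bytearray(48)                         # digest || block || digest XOR block
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        x[16:32] = block
        x[32:48] = bytes(a ^ b for a, b in zip(x[:16], block))
        t = 0                                 # the "-1th" octet for the first pass
        for j in range(18):                   # 18 passes over the 48 octets
            for k in range(48):
                x[k] ^= S[t]                  # current octet XOR substitution of previous
                t = x[k]
            t = (t + j) % 256                 # octet 47 plus the pass number seeds the next pass
    return bytes(x[:16])                      # first 16 octets are the digest

if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 16):        # constructed inputs
        print(m, md2_digest(m).hex())
```

Note how little state the algorithm needs: the 48-octet buffer, the 16-octet checksum and the one-octet `t`, which is the "very limited memory requirements" point of the outline slide; also visible is why MD2 is slow by modern standards, since every input octet costs 18 substitutions in the final pass alone.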
15 History of Hash Algorithms
- MD – proprietary, never published, not widely used
- MD2 – first public algorithm, oriented towards 8-bit processing, little memory, good for embedded devices
- MD3 – immediately superseded by MD4 (never published)
- MD4 – runs faster than MD2, uses 32-bit operations, became suspect
- MD5 – slightly slower, more conservative
- SHA-1 – NIST standard, similar to MD5, even more conservative
- eventually MD2 and MD4 are “broken” – two messages with the same hash are found
- MDs produce 128-bit digests, SHA-1 a 160-bit digest