Download presentation

Presentation is loading. Please wait.

1
Hash Functions Nathanael Paul Oct. 9, 2002

2
Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x) – easy –H(x) – one way “hard to invert” –H(x) collision free

3
Purposes for hash functions Data Integrity –Ex: Tripwire –Message digest y = h(x). y is called the message digest. 160 bits in size – “birthday attack” Message Source Digital Signatures Message Authentication Codes (MAC)

4
Digital Signatures and Message Authentication Code (MAC) overview Suppose Alice and Bob share a secret key k which determines hash function h k Alice sends (x, y) to Bob where y = h k (x) Bob receives (x,y) and verifies with y = h k (x). If condition holds, neither x nor y was modified in transit.

5
Hash Family (X,Y,K,H) –For each k in K, there exists an h in H, such that h k (x) y Assume |X| >= |Y| (even better, 2|X| >= |Y|) Unkeyed hash function –|K| = 1 –Ex. SHA-1 (successor of MD4)

6
Conditions of a secure hash function Preimage –Find x such that h(x) = y, given y and the function f(). –one-way Second Preimage –Find x’ != x, such that h(x) = h(x’), given x and the function h(). –weak collision resistance Collision –Find h(x) = h(x’) such that x != x’, given function h() –strong collision resistance

7
Iterated hash function overview compression function –Given input of length m, produce output of length n –inputs to compression function: message block, m i output of previous blocks of text h i = f(m i, h i-1 ) MD-strengthening (Merkle-Damgard) –pre-image contains length of entire message –initialization vector (padding function)

9
Modes of operation –ECB, CBC, CFB, OFB –different characteristics: error propagation efficiency increase in data size –NIST document on modes of operation http://csrc.nist.gov/encryption/tkmodes.html –Next slide shows CBC mode of operation...

11
Message Authentication Codes Oscar’s (adversary) goal: –produce a pair (x,y) that is valid, but the key k is not known Oscar knows –valid pairs Pairs = {(x 1,y 1 ),(x 2,y 2 ),...,(x q,y q )} forgery –Oscar outputs an (x,y) where x is not in Pairs

12
Review of types of attacks Ciphertext-only –Oscar possesses a string of ciphertext, y Known plaintext –has ciphertext, y, corresponding to a message, x Chosen plaintext –access to encryption. choose x, get y Chosen ciphertext –choose y, get x

13
Ways of creating a MAC Base MAC on block cipher –block cipher already implemented, so part of implementation is done MAC from an unkeyed hash –just add a key to output of unkeyed hash –requires careful analysis Create a customized MAC

14
CBC MAC use block cipher in CBC mode with fixed IV best general attack is birthday attack

15
Nested MACs Nested MAC –composition of 2 keyed hash families G o H = {g o h : g is in G, h is in H} where (g o h) (k,l) (x) = h l (g k (x)) –Secure if the following holds (given unknown key): G is collision-resistant H is secure as a MAC

16
Types of attacks on nested MACs forger for nested MAC forger for the little MAC –attack on component MAC H unknown-key collision attack

17
Attack 1: Forger on nested MAC pair of keys (k,l) are kept secret Oscar: –chooses an x –oracle – “magic box” –given x, oracle computes z = h l (g k (x)) –tries to find (x’, z) where x’ was not any x given to oracle

18
Attack 2: Forger on smaller MAC component of nested MAC (H family) key l is chosen and kept secret (l is in keyspace of H family of hashes) Oscar: –chooses y –given y, oracle computes z = h l (y) –tries to output (y’,z) where y’ was not in one of its previous queries to oracle

19
Attack 3: Collision Finder for a hash family key k in K is kept secret Oscar: –chooses an x –given x, oracle computes g k (x) –tries to find x’ and x’’ where x’ != x’’ and g k (x’) = g k (x’’)

20
HMAC nested MAC algorithm (proposed standard) –based on SHA-1 –uses 512-bit key k –2 512-bit constants, ipad and opad 160-bit MAC –HMAC k (x) = SHA-1((k opad) || SHA-1((K ipad) || x)) ipad component resistant against unknown-key collision attack

21
Further Reading Applied Cryptography, Bruce Schneier Cryptography: Theory and Practice, Douglas Stinson Handbook of Applied Cryptography, Alfred Menezes, et. al. –available for download at: –http://www.cacr.math.uwaterloo.ca/hac/

Similar presentations

© 2020 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google