Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is."— Presentation transcript:

1

2 Hash Functions 1 Hash Functions

3 Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is small o Efficiency  h(x) easy to compute for any x o One-way  given a value y it is infeasible to find an x such that h(x) = y o Weak collision resistance  given x and h(x), infeasible to find y  x such that h(y) = h(x) o Strong collision resistance  infeasible to find any x and y, with x  y such that h(x) = h(y)  Many collisions exist, but cannot find any

4 Hash Functions 3 Non-crypto Hash (1)  Data X = (X 0,X 1,X 2,…,X n-1 ), each X i is a byte  Spse hash(X) = X 0 +X 1 +X 2 +…+X n-1  Is this secure?  Example: X = (10101010,00001111)  Hash is 10111001  But so is hash of Y = (00001111,10101010)  Easy to find collisions, so not secure…

5 Hash Functions 4 Non-crypto Hash (2)  Data X = (X 0,X 1,X 2,…,X n-1 )  Suppose hash is o h(X) = nX 0 +(n-1)X 1 +(n-2)X 2 +…+1  X n-1  Is this hash secure? At least h(10101010,00001111)  h(00001111,10101010)  But hash of (00000001,00001111) is same as hash of (00000000,00010001)  Not secure, but it is used in the (non-crypto) application rsyncrsync

6 Hash Functions 5 Non-crypto Hash (3)  Cyclic Redundancy Check (CRC)  Essentially, CRC is the remainder in a long division calculation  Good for detecting burst errors  Easy for Trudy to construct collisions  CRC sometimes mistakenly used in crypto applications (WEP)

7 Hash Functions 6 Popular Crypto Hashes  MD5  invented by Rivest o 128 bit output o Note: MD5 collision recently found  SHA-1  A US government standard (similar to MD5) o 160 bit output  Many others hashes, but MD5 and SHA-1 most widely used  Messages are hashed in blocks

8 Hash Functions 7 Public Key Notation  Sign message M with Alice’s private key: [M] Alice  Encrypt message M with Alice’s public key: {M} Alice  Then {[M] Alice } Alice = M [{M} Alice ] Alice = M

9 Hash Functions 8 Crypto Hash Motivation: Digital Signatures  Suppose Alice signs M o Alice sends M and S = [M] Alice to Bob o Bob verifies that M = {S} Alice  If M is big, [M] Alice is costly to compute  Suppose instead, Alice signs h(M), where h(M) is much smaller than M o Alice sends M and S = [h(M)] Alice to Bob o Bob verifies that h(M) = {S} Alice

10 Hash Functions 9 Digital Signatures  Digital signatures provide integrity o Like MAC and HMAC  Why?  Alice sends M and S = [h(M)] Alice to Bob  If M changed to M or S changed to S (accident or intentional) Bob detects it: h(M)  {S} Alice, h(M)  {S} Alice, h(M)  {S} Alice

11 Hash Functions 10 Non-repudiation  Digital signature also provides for non-repudiation  Alice sends M and S = [h(M)] Alice to Bob  Alice cannot “repudiate” signature o Alice cannot claim she did not sign M  Why does this work?  Is the same true of MAC?

12 Hash Functions 11 Non-non-repudiation  Alice orders 100 shares of stock from Bob  Alice computes MAC using symmetric key  Stock drops, Alice claims she did not order  Can Bob prove that Alice placed the order?  No! Since Bob also knows symmetric key, he could have forged message  Problem: Bob knows Alice placed the order, but he cannot prove it

13 Hash Functions 12 Non-repudiation  Alice orders 100 shares of stock from Bob  Alice signs order with her private key  Stock drops, Alice claims she did not order  Can Bob prove that Alice placed the order?  Yes! Only someone with Alice’s private key could have signed the order  This assumes Alice’s private key is not stolen (revocation problem)

14 Hash Functions 13 Hashing and Signatures  Alice signs h(M), sends M and S = [h(M)] Alice to Bob and Bob verifies h(M) = {S} Alice  Security depends on public key system and hash function  Suppose Trudy can find collision: M  M with h(M) = h(M)  Then Trudy can replace M with M and signature scheme is broken

15 Hash Functions 14 Crypto Hash Function Design  Desired property: avalanche effect o Any change to input affects lots of output bits  Crypto hash functions consist of some number of rounds o Analogous to block cipher in CBC mode  Want security and speed o Avalanche effect after few rounds o But simple rounds

16 Hash Functions 15 Crypto Hash Function Design  Input data split into blocks  Compression function applied to blocks o Current block and previous block output o Output for last block is the hash value  For hashes we consider o Block size is 512 bits o Compression function output is 128 bits

17 Hash Functions 16 Hash Function  Input or “message” blocks M 0,M 1,…,M N  1  Addition is mod 2 32 per 32-bit word  This is known as Merkle-Damgard construction

18 Hash Functions 17 Crypto Hash: Fun Facts  If msg is one 512-bit block: h(M) = f(IV,M) where f and IV known to Trudy  For 2 blocks: h(M) = f(f(IV,M 0 ),M 1 ) = f(h(M 0 ),M 1 )  In general h(M) = f(h(M 0,M 1,…,M n  2 ),M n  1 ) o If h(M) = h(M) then h(M,X) = h(M,X) for any X o Implications for design of “hashed MAC”…

19 Hash Functions 18 HMAC  MAC: block cipher for integrity  Can we use a hash function instead?  A “hashed MAC”, HMAC, of M with key K o Why is a key necessary?  How to compute HMAC?  Two obvious choices: h(K,M) and h(M,K)  Which (if either) is better?

20 Hash Functions 19 How to Compute HMAC?  Should we compute HMAC as h(K,M) ?  Hashes computed in blocks  Recall h(M 0,M 1 ) = f(h(M 0 ),M 1 )  Let M = (M,X) o Then h(K,M) = f(h(K,M),X) o Trudy can compute HMAC of M without K o Defeats the purpose of HMAC

21 Hash Functions 20 How to Compute HMAC?  Should we compute HMAC as h(M,K) ? o Is this better than h(K,M) ?  If h(M) = h(M) then h(M,K) = f(h(M),K) = f(h(M),K) = h(M,K)  In this case, Trudy can compute HMAC without knowing the key K o But collision must be known o Better than h(K,M), but we can do better

22 Hash Functions 21 The Right Way to HMAC  Described in RFC 2104  Let B be the block length of hash, in bytes  For popular hash functions, B = 64 o SHA-1, MD5, Tiger, etc.  Define ipad = 0x36 repeated B times opad = 0x5C repeated B times  Then HMAC(M,K) = h(K  opad, h(K  ipad, M))

23 Hash Functions 22 Hashing and Birthdays  The “birthday problem” arises in many crypto contexts  We discuss it in hashing context o And “birthday attack” on digital signature  Then Nostradamus attack o Learn how to predict the future! o Works against any hash that uses Merkle- Damgard construction

24 Hash Functions 23 Pre-Birthday Problem  Suppose N people in a room  How large must N be before the probability someone has same birthday as me is at least 1/2 o Solve: 1/2 = 1  (364/365) N for N o Find N = 253

25 Hash Functions 24 Birthday Problem  How many people must be in a room before probability is at least 1/2 that any two or more have same birthday? o 1  365/365  364/365    (365  N+1)/365 o Set equal to 1/2 and solve: N = 23  Surprising? A paradox?  No, it “should be” about sqrt(365) since compare pairs x and y

26 Hash Functions 25 Of Hashes and Birthdays  If h(x) is N bits, 2 N hash values  Note that sqrt(2 N ) = 2 N/ 2  So, hash 2 N/ 2 inputs and find a collision o “Birthday attack” — an exhaustive search  An N -bit symmetric cipher key requires at most 2 N  1 work to “break”  An N -bit hash: at most 2 N/ 2 work to “break”

27 Hash Functions 26 Signature Birthday Attack  Suppose hash output is n bits  Trudy selects evil message E o Wants to get Alice’s signature on E  Trudy creates innocent message I o Alice willing to sign message I  How can Trudy use birthday problem?

28 Hash Functions 27 Signature Birthday Attack  Trudy creates 2 n/ 2 variants of I o All have same meaning as I o Trudy hashes each: h(I 0 ),h(I 1 ),…  Trudy creates 2 n/ 2 variants of E o All have same meaning as E o Trudy hashes each: h(E 0 ),h(E 1 ),…  By birthday problem, h(I j )= h(E k ), some j,k

29 Hash Functions 28 Signature Birthday Attack  Alice signs innocent message I j  Then Trudy has [h(I j )] Alice  But [h(I j )] Alice = [h(E k )] Alice  Alice unwittingly “signed” evil msg E k  Attack relies only on birthday problem

30 Hash Functions 29 Online Bid Example  Suppose Alice, Bob, Charlie are bidders  Alice plans to bid A, Bob B and Charlie C o They do not trust that bids will be secret o Nobody willing to submit their bid  Solution? o Alice, Bob, Charlie submit hashes h(A), h(B), h(C) o All hashes received and posted online o Then bids A, B and C revealed  Hashes do not reveal bids (one way)  Cannot change bid after hash sent (collision)

31 Hash Functions 30 Online Bid  This protocol is not secure!  A forward search attack is possible o Bob computes h(A) for likely bids A  How to prevent this?  Alice computes h(A,R), R is random o Then Alice must reveal A and R o Trudy cannot try all A and R

32 Hash Functions 31 Online Bid  Spse B = $1000 and Bob submits h(B,R)  When revealed, A = $1 and C = $2  Bob wants to change his bid: B = $3  Bob computes h(B,R) for different R until he finds h(B,R) = h(B,R) o How much work? o Apparently, about 2 n hashes required

33 Hash Functions 32 Weak Collision Attack  Hash often used to commit to something o For example, online bid example  Attack on weak collision resistance requires work of about 2 n hashes  Collision attack is only about 2 n /2  Nostradamus attack solves weak collision problem with only about 2 n /2 hashes o For some cases, such as online bid example o Applicable to any Merkle-Damgard hash

34 Hash Functions 33 Trudy Predicts Future?  Trudy claims she can predict future  Jan 1, 2008, she publishes y, claiming y = h(x) o Where x includes final S&P 500 index for 2008 and other predictions for 2009 and beyond  Jan 1, 2009, Trudy reveals x, with y = h(x) o And x has S&P 500 index for Dec. 31, 2008 along with other rambling predictions for 2009  Does this prove Trudy can predict future?

35 Hash Functions 34 Trudy Predicts Future?  Trudy specifies y in advance  Let P be S&P 500 for Dec 31, 2008  Assuming Trudy cannot predict future, she must find S so that y = h(P,S)  Trudy can hash 2 n different S o But, we assume this is too much work  Is there any shortcut?

36 Hash Functions 35 Nostradamus Attack  Nostradamus (1503-1566) was a prophet o Some claim he predicted recent events o His predictive powers work best in retrospect  Nostradamus attack o Trudy can “predict” the future o Convert 2 n pre-image problem into about 2 n /2 collision attack (essentially) o Applies to any Merkle-Damgard hash function

37 Hash Functions 36 Nostradamus Attack  Computing collisions: each 2  2 n /2 work o Comparing one set to another set  Pre-compute collisions in clever way  This determines y, the hash value  When we specify prefix P, we can “herd” collisions into hash value y o Suffix S determined in this process

38 Hash Functions 37 Diamond Structure  Choose M 0 randomly  Compute d 00 = f(IV,M 0 )  And M 1,…,M 7  Then find M 00,M 01 that give collision: d 10 = f(d 00,M 00 ) = f(d 01,M 01 )  Continue: y = d 30 is “predicted” hash

39 Hash Functions 38 Nostradamus Attack  Pre-computation o Compute diamond structure of “height” 2 k o Choose y = d k0 as hash of prediction  When “prediction” is known, Trudy will o Let P be “prediction” o Select S at random, where (P,S) one block o Until she finds f(IV,P,S) = d 0j for some j

40 Hash Functions 39 Nostradamus Attack  Once such S is found, Trudy has result o Follow directed path from d 0j to d k0  In previous diamond structure example, suppose Trudy finds f(IV,P,S) = d 02  Then h(P,S,M 02,M 11,M 20 ) = d 30 = y o Recall that y is hash of Trudy’s “prediction”  Let x = (P,S,M 02,M 11,M 20 )  And x is Trudy’s “prediction”: P is S&P 500 index, S,M 02,M 11,M 20 are future predictions

41 Hash Functions 40 Nostradamus Attack  How much work?  Assuming diamond structure is of height 2 k and hash output is n bits  Primary: 2  2 n /2 (2 k  1) ≈ 2 n /2+ k +1 o Can reduce this to 2 n /2+ k /2+1  Secondary: 2 n  k

42 Hash Functions 41 Nostradamus Attack  To minimize work, set primary work equal to secondary work, solve for k  We have n/ 2 + k/ 2 + 1 = n  k which implies k = (n  4) / 3  For MD4 or MD5, n = 128, so k = 41  Diamond structure of height 2 41  Total work is about 2 87

43 Hash Functions 42 Nostradamus: Bottom Line  Generic attack on any hash that uses Merkle-Damgard construction  Not practical for 128-bit hash o Almost practical with small success prob  Using hash to commit to something is not quite as strong as it seems  Next, MD4 and MD5 o Must look at inner workings of these…

Download ppt "Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Part 1  Cryptography 1 Chapter 5: Hash Functions++ “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.”

Part 1  Cryptography 1 Chapter 5: Hash Functions++ “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.”
Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)

Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

Similar presentations

Ads by Google