Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length.

Published bySharon Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length."— Presentation transcript:

1 Dan Johnson

2 What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length string as its output Hashes are sometimes called a checksum or message digests

3 Cryptographic hashing functions Have four major properties: It is impossible for any given output to determine the original input. This does not mean we can’t use inference to find input that is likely correct It is easy to compute the hash of any given input. Easy means that it does not require a lot of system resources or time to compute the hash of a given input.

4 (cont…) It is infeasible to determine two inputs that produce the same output. It is infeasible to change an input and produce the same output. Infeasible means that a solution cannot be found in less time than by brute force.

5 Cryptographic Strength Determined by output length and ability to resist cryptanalytic attack Output length expressed in number of bits Attacks attempt to break one of the cryptographic properties.

6 Preimage Attacks Two types, “first-preimage” and “second-preimage” Both attempt to break the one way property of the hashing function Both are similar in nature If a hashing function is vulnerable to one form of preimage attack, it is likely vulnerable to the other form of attack Successful attack executes in less that brute force time

7 Collision Attack A collision occurs when two pieces of input produce the same output. Collision attacks take advantage of a property of probability theory called the birthday paradox or birthday problem. Collision attacks attempt to find a collision in less than O(2 n/2 )

8 MD5 Published by Ronald Rivest in 1994. Produces 128-bit output, represented by 32bit hexadecimal number. Vulnerable to collision attacks. Now mostly used for creating checksums of large files.

9 SHA-1 Created by the National Security Agency Creates a 160-bit message digest represented by a 20 character string More secure than MD5 Widely popular and used in many applications In 2005, a group of Chinese researches discovered mathematical errors that could lead to a preimage attack in less than brute force time. No known attacks based on these findings have surfaced.

10 SHA-256 Also created by NSA as a part of the SHA2 family which includes SHA224, SHA256 and SHA512. Creates a 256bit output, hence its name. Considered to be more secure than SHA1 because of increased bit size. Mathematical problems found in SHA1 are not present in SHA256. Less popular than SHA1.

11 Hash Based Authentication Works the same way as password authentication Store hashed value of password in database instead of password itself When a user attempts to authenticate, hashes input value and compares it with value stored in database “password” => [ ᆰ aä ɹ ?? ツ %lø3~æ マ Ø

12 Example implementation Consider the following PHP code snippet. From this we can clearly see that adding hash based authentication does not add a much code.

13 What an attacker sees… Without encryption: With just SHA-1 encryption: UsernamePassword Nigelpenguin Alfredpenguin UsernamePassword Nigels3\"¹\?óðt½ž…PèÔŽ Alfreds3\"¹\?óðt½ž…PèÔŽ

14 Cont… Can this be improved? Better solution: sha1( username + password) Even better solution: sha1( sha1(username) + sha1(password) ) UsernamePassword NigeläQÞË‚HBŽ{<7r‚¿i}_H Alfred4ŠT@Œ‚ ›\eV€J×ÜÇ UsernamePassword NigeläQÞË‚HBŽ{<7r‚¿i}_H Alfred4ŠT@Œ‚ ›\eV€J×ÜÇ

15 Microsoft Store India Earlier this year, the Microsoft Store web site for India was breached. Attackers stole hundreds of thousands of usernames and passwords. All passwords were stored in plaintext. Credit Card information was also not encrypted in any from. Many users had their identity compromised and fraudulent purchases charged to their credit card.

16 Sony Playstation Network and Sony Pictures customer databases were both breached in 2011. Credit card information was encrypted, but several reports indicate that encryption may have been compromised. User data was not encrypted in any way. Class action lawsuit filed over negligence.

17 Other protection methods Hashing not good for everything. Credit card information could be stored using symmetric key encryption. This allows for the input to be determined at a later date. BE SUPER CAREFUL!

18 Questions?

19 References Agarwal, A. (2012, February 27). Not just email addresses, credit card numbers also stolen from microsoft india store. Retrieved from http://www.labnol.org/india/microsoft-india- store-hacked/20891/ Gallagher, S. (2012, February 14). Microsoft's store site in india defaced; hackers find plain text passwords. Retrieved from http://arstechnica.com/business/news/2012/02/microsofts-store-site-in-india-defaced- hackers-find-plain-text-passwords.ars McGlinn, J. (2005, March 20). Password hashing. Retrieved from http://phpsec.org/articles/2005/password-hashing.html Silva, J. (2003). An overview of cryptographic hash functions and their uses. Retrieved from http://www.sans.org/reading_room/whitepapers/vpns/overview-cryptographic- hash-functions_879 Schneier, B., & Hoffman, P. (2005). attacks on cryptographic hashes in internet protocols. Retrieved from http://www.ietf.org/rfc/rfc4270.txt Schwartz, M. (2011, June 3). Sony hacked again, 1 million passwords exposed. Retrieved from http://www.informationweek.com/news/security/attacks/229900111 Stallings, W., Brown, L., & Howard, M. (2008). Computer security, principles and practice. Upper Sadddle River, NJ: Pearson Education. Ullrich, J. (2011, June 28). Hashing passwords. Retrieved from http://www.dshield.org/diary.html?storyid=11110

Download ppt "Dan Johnson. What is a hashing function? Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
SECURE HASHING ALGORITHM By: Ruth Betcher. Purpose: Authentication Not Encryption Authentication Requirements:  Masquerade – Insertion of message from.

SECURE HASHING ALGORITHM By: Ruth Betcher. Purpose: Authentication Not Encryption Authentication Requirements:  Masquerade – Insertion of message from.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.

Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.

Network Security Essentials Fifth Edition by William Stallings Fifth Edition by William Stallings.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Similar presentations

Ads by Google