Hash Functions Nathanael Paul Oct. 9, 2002
Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x) – easy –H(x) – one way “hard to invert” –H(x) collision free
Purposes for hash functions Data Integrity –Ex: Tripwire –Message digest y = h(x). y is called the message digest. 160 bits in size – “birthday attack” Message Source Digital Signatures Message Authentication Codes (MAC)
Digital Signatures and Message Authentication Code (MAC) overview Suppose Alice and Bob share a secret key k which determines hash function h k Alice sends (x, y) to Bob where y = h k (x) Bob receives (x,y) and verifies with y = h k (x). If condition holds, neither x nor y was modified in transit.
Hash Family (X,Y,K,H) –For each k in K, there exists an h in H, such that h k (x) y Assume |X| >= |Y| (even better, 2|X| >= |Y|) Unkeyed hash function –|K| = 1 –Ex. SHA-1 (successor of MD4)
Conditions of a secure hash function Preimage –Find x such that h(x) = y, given y and the function f(). –one-way Second Preimage –Find x’ != x, such that h(x) = h(x’), given x and the function h(). –weak collision resistance Collision –Find h(x) = h(x’) such that x != x’, given function h() –strong collision resistance
Iterated hash function overview compression function –Given input of length m, produce output of length n –inputs to compression function: message block, m i output of previous blocks of text h i = f(m i, h i-1 ) MD-strengthening (Merkle-Damgard) –pre-image contains length of entire message –initialization vector (padding function)
Modes of operation –ECB, CBC, CFB, OFB –different characteristics: error propagation efficiency increase in data size –NIST document on modes of operation –Next slide shows CBC mode of operation...
Message Authentication Codes Oscar’s (adversary) goal: –produce a pair (x,y) that is valid, but the key k is not known Oscar knows –valid pairs Pairs = {(x 1,y 1 ),(x 2,y 2 ),...,(x q,y q )} forgery –Oscar outputs an (x,y) where x is not in Pairs
Review of types of attacks Ciphertext-only –Oscar possesses a string of ciphertext, y Known plaintext –has ciphertext, y, corresponding to a message, x Chosen plaintext –access to encryption. choose x, get y Chosen ciphertext –choose y, get x
Ways of creating a MAC Base MAC on block cipher –block cipher already implemented, so part of implementation is done MAC from an unkeyed hash –just add a key to output of unkeyed hash –requires careful analysis Create a customized MAC
CBC MAC use block cipher in CBC mode with fixed IV best general attack is birthday attack
Nested MACs Nested MAC –composition of 2 keyed hash families G o H = {g o h : g is in G, h is in H} where (g o h) (k,l) (x) = h l (g k (x)) –Secure if the following holds (given unknown key): G is collision-resistant H is secure as a MAC
Types of attacks on nested MACs forger for nested MAC forger for the little MAC –attack on component MAC H unknown-key collision attack
Attack 1: Forger on nested MAC pair of keys (k,l) are kept secret Oscar: –chooses an x –oracle – “magic box” –given x, oracle computes z = h l (g k (x)) –tries to find (x’, z) where x’ was not any x given to oracle
Attack 2: Forger on smaller MAC component of nested MAC (H family) key l is chosen and kept secret (l is in keyspace of H family of hashes) Oscar: –chooses y –given y, oracle computes z = h l (y) –tries to output (y’,z) where y’ was not in one of its previous queries to oracle
Attack 3: Collision Finder for a hash family key k in K is kept secret Oscar: –chooses an x –given x, oracle computes g k (x) –tries to find x’ and x’’ where x’ != x’’ and g k (x’) = g k (x’’)
HMAC nested MAC algorithm (proposed standard) –based on SHA-1 –uses 512-bit key k –2 512-bit constants, ipad and opad 160-bit MAC –HMAC k (x) = SHA-1((k opad) || SHA-1((K ipad) || x)) ipad component resistant against unknown-key collision attack
Further Reading Applied Cryptography, Bruce Schneier Cryptography: Theory and Practice, Douglas Stinson Handbook of Applied Cryptography, Alfred Menezes, et. al. –available for download at: –