CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

Slides:



Advertisements
Similar presentations
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Advertisements

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptographic Hash Functions July Topics  Overview of Cryptography Hash Function  Usages  Properties  Hashing Function Structure  Attack on.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
HASH Functions.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Cryptographic Hash Functions June Topics  Overview of Cryptography Hash Function  Usages  Properties  Hashing Function Structure 
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Slide 1 EJ Jung Hash Functions. Integrity checks.
Chapter 4 Message Authentication MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.
Cryptographic Hash Functions and Protocol Analysis
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Chapter 11 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Message Authentication and Hash Functions K. U. Khimani Asst. Prof. IT Dept. VVP Engineering College.
Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.
Cryptography and Network Security
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Computer Security CS 526 Topic 4
Cryptographic Hash Functions
Cryptographic Hash Function
Computer Security CS 526 Topic 4
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Lecture 4.1: Hash Functions, and Message Authentication Codes
Computer Security CS 526 Topic 5
Presentation transcript:

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication Code

Announcements HW1 due on Sept 5 Quiz 1 will be on Sept 10, covering topics 1-5 Both projects will be allow a team of two –May want to start forming teams Mid-term exam tentatively scheduled to be Tuesday Oct 15, during lecture time CS526Topic 5: Hash Functions and Message Authentication 2

CS526Topic 5: Hash Functions and Message Authentication 3 Readings for This Lecture Wikipedia Cryptographic Hash FunctionsCryptographic Hash Functions Message Authentication CodeMessage Authentication Code

CS526Topic 5: Hash Functions and Message Authentication 4 Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives at destination in its original form as sent by the sender and it is coming from an authenticated source.

Hash Functions A hash function maps a message of an arbitrary length to a m-bit output –output known as the fingerprint or the message digest What is an example of hash functions? –Give a hash function that maps Strings to integers in [0,2^{32}-1] Cryptographic hash functions are hash functions with additional security requirements CS526Topic 5: Hash Functions and Message Authentication 5

CS526Topic 5: Hash Functions and Message Authentication 6 Using Hash Functions for Message Integrity Method 1: Uses a Hash Function h, assuming an authentic (adversary cannot modify) channel for short messages –Transmit a message M over the normal (insecure) channel –Transmit the message digest h(M) over the secure channel –When receiver receives both M’ and h, how does the receiver check to make sure the message has not been modified? This is insecure. How to attack it? A hash function is a many-to-one function, so collisions can happen.

CS526Topic 5: Hash Functions and Message Authentication 7 Security Requirements for Cryptographic Hash Functions Given a function h:X  Y, then we say that h is: preimage resistant (one-way): if given y  Y it is computationally infeasible to find a value x  X s.t. h(x) = y 2-nd preimage resistant (weak collision resistant): if given x  X it is computationally infeasible to find a value x’  X, s.t. x’  x and h(x’) = h(x) collision resistant (strong collision resistant): if it is computationally infeasible to find two distinct values x’,x  X, s.t. h(x’) = h(x)

CS526Topic 5: Hash Functions and Message Authentication 8 Usages of Cryptographic Hash Functions Software integrity –E.g., tripwire Timestamping –How to prove that you have discovered a secret on an earlier date without disclosing it? Covered later –Message authentication –One-time passwords –Digital signature

CS526Topic 5: Hash Functions and Message Authentication 9 Bruteforce Attacks on Hash Functions Attacking one-wayness –Goal: given h:X  Y, y  Y, find x such that h(x)=y –Algorithm: pick a random value x in X, check if h(x)=y, if h(x)=y, returns x; otherwise iterate after failing q iterations, return fail –The average-case success probability is –Let |Y|=2 m, to get  to be close to 0.5, q  2 m-1

CS526Topic 5: Hash Functions and Message Authentication 10 Bruteforce Attacks on Hash Functions Attacking collision resistance –Goal: given h, find x, x’ such that h(x)=h(x’) –Algorithm: pick a random set X 0 of q values in X for each x  X 0, computes y x =h(x) if y x =y x’ for some x’  x then return (x,x’) else fail –The average success probability is –Let |Y|=2 m, to get  to be close to 0.5, q  2 m/2 –This is known as the birthday attack.

CS526Topic 5: Hash Functions and Message Authentication 11 Well Known Hash Functions MD5 –output 128 bits –collision resistance completely broken by researchers in China in 2004 SHA1 –output 160 bits –no collision found yet, but method exist to find collisions in less than 2^80 –considered insecure for collision resistance –one-wayness still holds SHA2 (SHA-224, SHA-256, SHA-384, SHA-512) –outputs 224, 256, 384, and 512 bits, respectively –No real security concerns yet

Merkle-Damgard Construction for Hash Functions CS526Topic 5: Hash Functions and Message Authentication 12 Message is divided into fixed-size blocks and padded Uses a compression function f, which takes a chaining variable (of size of hash output) and a message block, and outputs the next chaining variable Final chaining variable is the hash value M=m 1 m 2 …m n ; C 0 =IV, C i+1 =f(C i,m i ); H(M)=C n

NIST SHA-3 Competition NIST is having an ongoing competition for SHA-3, the next generation of standard hash algorithms 2007: Request for submissions of new hash functions 2008: Submissions deadline. Received 64 entries. Announced first- round selections of 51 candidates. 2009: After First SHA-3 candidate conference in Feb, announced 14 Second Round Candidates in July. 2010: After one year public review of the algorithms, hold second SHA-3 candidate conference in Aug. Announced 5 Third-round candidates in Dec. 2011: Public comment for final round 2012: October 2, NIST selected SHA3 –Keccak (pronounced “catch-ack”) created by Guido Bertoni, Joan Daemen and Gilles Van Assche, Michaël Peeters CS526Topic 5: Hash Functions and Message Authentication 13

The Sponge Construction: Used by SHA-3 CS526Topic 5: Hash Functions and Message Authentication 14 Each round, the next r bits of message is XOR’ed into the first r bits of the state, and a function f is applied to the state. After message is consumed, output r bits of each round as the hash output; continue applying f to get new states SHA-3 uses 1600 bits for state size

CS526Topic 5: Hash Functions and Message Authentication 15 Choosing the length of Hash outputs The Weakest Link Principle: –A system is only as secure as its weakest link. Hence all links in a system should have similar levels of security. Because of the birthday attack, the length of hash outputs in general should double the key length of block ciphers –SHA-224 matches the 112-bit strength of triple-DES (encryption 3 times using DES) –SHA-256, SHA-384, SHA-512 match the new key lengths (128,192,256) in AES

CS526Topic 5: Hash Functions and Message Authentication 16 Limitation of Using Hash Functions for Authentication Require an authentic channel to transmit the hash of a message –Without such a channel, it is insecure, because anyone can compute the hash value of any message, as the hash function is public –Such a channel may not always exist How to address this? –use more than one hash functions –use a key to select which one to use

CS526Topic 5: Hash Functions and Message Authentication 17 Hash Family A hash family is a four-tuple (X,Y,K,H ), where –X is a set of possible messages –Y is a finite set of possible message digests –K is the keyspace –For each K  K, there is a hash function h K  H. Each h K : X  Y Alternatively, one can think of H as a function K  X  Y

CS526Topic 5: Hash Functions and Message Authentication 18 Message Authentication Code A MAC scheme is a hash family, used for message authentication MAC(K,M) = H K (M) The sender and the receiver share secret K The sender sends (M, H k (M)) The receiver receives (X,Y) and verifies that H K (X)=Y, if so, then accepts the message as from the sender To be secure, an adversary shouldn’t be able to come up with (X’,Y’) such that H K (X’)=Y’.

Security Requirements for MAC Resist the Existential Forgery under Chosen Plaintext Attack –Challenger chooses a random key K –Adversary chooses a number of messages M 1, M 2,.., M n, and obtains t j =MAC(K,M j ) for 1  j  n –Adversary outputs M’ and t’ –Adversary wins if  j M’≠M j, and t’=MAC(K,M’) Basically, adversary cannot create the MAC for a message for which it hasn’t seen an MAC CS526Topic 5: Hash Functions and Message Authentication 19

Constructing MAC from Hash Functions Let h be a one-way hash function MAC(K,M) = h(K || M), where || denote concatenation –Insecure as MAC –Because of the Merkle-Damgard construction for hash functions, given M and t=h(K || M), adversary can compute M’=M||Pad(M)||X and t’, such that h(K||M’) = t’ CS526Topic 5: Hash Functions and Message Authentication 20

CS526Topic 5: Hash Functions and Message Authentication 21 HMAC: Constructing MAC from Cryptographic Hash Functions K + is the key padded (with 0) to B bytes, the input block size of the hash function ipad = the byte 0x36 repeated B times opad = the byte 0x5C repeated B times. HMAC K [M] = Hash[(K +  opad) || Hash[(K +  ipad)||M)]] At high level, HMAC K [M] = H(K || H(K || M))

CS526Topic 5: Hash Functions and Message Authentication 22 HMAC Security If used with a secure hash functions (e.g., SHA-256) and according to the specification (key size, and use correct output), no known practical attacks against HMAC

CS526Topic 5: Hash Functions and Message Authentication 23 Coming Attractions … Cryptography: Public Key Cryptography

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.