Slide 1 EJ Jung Hash Functions. Integrity checks.

Slides:



Advertisements
Similar presentations
Hashes and Message Digests
Advertisements

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11
Slide 1 Vitaly Shmatikov CS 378 Hash Functions. slide 2 We’ve Already Seen Hashes In… Every lecture so far! uIntegrity checking in SSL uAs one of applications.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Overview of Cryptography What is Cryptography?
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Vitaly Shmatikov CS 361S Cryptographic Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
HASH Functions.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Slide 1 Vitaly Shmatikov CS 378 Cryptographic Hash Functions.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
CSCI 172/283 Fall 2010 Hash Functions, HMACs, and Digital Signatures.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
CSCE 815 Network Security Lecture 8 SHA Operation and Kerberos.
Cryptographic Hash Functions and Protocol Analysis
Lecture 2: Introduction to Cryptography
Chapter 11 Message Authentication and Hash Functions.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”
Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy
Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Information Security and Management 11. Cryptographic Hash Functions Chih-Hung Wang Fall
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms
“The quick brown fox jumps over the lazy dog”
Cryptographic Hash Function
ICS 454 Principles of Cryptography
ICS 454 Principles of Cryptography
Hash Function Requirements
Presentation transcript:

slide 1 EJ Jung Hash Functions

Integrity checks

slide 3 Integrity vs. Confidentiality  Integrity: attacker cannot tamper with message  Encryption may not guarantee integrity! Intuition: attacker may able to modify message under encryption without learning what it is –Given one-time key K, encrypt M as M  K… Perfect secrecy, but can easily change M under encryption to M  M’ for any M’ –Online auction: halve competitor’s bid without learning its value This is recognized by industry standards (e.g., PKCS) –“RSA encryption is intended primarily to provide confidentiality… It is not intended to provide integrity” Many encryption schemes provide secrecy AND integrity

slide 4 More on Integrity goodFile Software manufacturer wants to ensure that the executable file is received by users without modification… Sends out the file to users and publishes its hash in NY Times The goal is integrity, not confidentiality Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile) BigFirm™User VIRUS badFile The Times hash(goodFile)

Where to use hash functions  Cookie H(server’s secret, client’s unique information, timestamp)  Password storage safe against server problems

Henric Johnson 6 Hash Functions  Purpose of the HASH function is to produce a ”fingerprint”.  But, what do you mean by fingerprint??

Henric Johnson 7 Secure Hash Functions  Properties of a HASH function H : 1.H can be applied to a block of data at any size 2.H produces a fixed length output 3.H(x) is easy to compute for any given x. 4.For any given block x, it is computationally infeasible to find x such that H(x) = h 5.For any given block x, it is computationally infeasible to find with H(y) = H(x). 6.It is computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Simple hash function

Example

slide 10 Hash Functions: Main Idea bit strings of any length n-bit bit strings..... x’ x’’ x y’ y hash function H  H is a lossy compression function Collisions: h(x)=h(x’) for some inputs x, x’ Result of hashing should “look random” (make this precise later) –Intuition: half of digest bits are “1”; any bit in digest is “1” half the time  Cryptographic hash function needs a few properties… “message digest” message

slide 11 One-Way  Intuition: hash should be hard to invert “Preimage resistance” Let h(x’)=y  {0,1} n for a random x’ Given y, it should be hard to find any x such that h(x)=y  How hard? Brute-force: try every possible x, see if h(x)=y SHA-1 (common hash function) has 160-bit output –Suppose have hardware that’ll do 2 30 trials a pop –Assuming 2 34 trials per second, can do 2 89 trials per year –Will take 2 71 years to invert SHA-1 on a random image

“Birthday Paradox”  T people  Suppose each birthday is a random number taken from K days (K=365) – how many possibilities? K T (samples with replacement)  How many possibilities that are all different? (K) T = K(K-1)…(K-T+1) samples without replacement  Probability of no repetition? (K) T /K T  1 - T(T-1)/2K  Probability of repetition? O(T 2 )

slide 13 Collision Resistance  Should be hard to find x, x’ such that h(x)=h(x’)  Brute-force collision search is O(2 n/2 ), not O(2 n ) n = number of bits in the output of hash function For SHA-1, this means O(2 80 ) vs. O(2 160 )  Reason: birthday paradox Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x,x’ s.t. h(x)=h(x’) Assuming h is random, what is the probability that we find a repetition after looking at T values? Total number of pairs? Conclusion: O(T 2 ) O(2 n ) T  O(2 n/2 )

slide 14 One-Way vs. Collision Resistance  One-wayness does not imply collision resistance Suppose g is one-way Define h(x) as g(x’) where x’ is x except the last bit –h is one-way (to invert h, must invert g) –Collisions for h are easy to find: for any x, h(x0)=h(x1)  Collision resistance does not imply one-wayness Suppose g is collision-resistant Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise –Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g –h is not one way: half of all y’s (those whose first bit is 0) are easy to invert (how?); random y is invertible with probab. 1/2

slide 15 Weak Collision Resistance  Given randomly chosen x, hard to find x’ such that h(x)=h(x’) Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision. Brute-force attack requires O(2 n ) time  Weak collision resistance does not imply collision resistance (why?)

slide 16 Which Property Do We Need?  UNIX passwords stored as hash(password) One-wayness: hard to recover password  Integrity of software distribution Weak collision resistance But software images are not really random… maybe need full collision resistance  Auction bidding Alice wants to bid B, sends H(B), later reveals B One-wayness: rival bidders should not recover B Collision resistance: Alice should not be able to change her mind to bid B’ such that H(B)=H(B’)

slide 17 Common Hash Functions  MD5 128-bit output Still used very widely Completely broken by now  RIPEMD bit variant of MD-5  SHA-1 (Secure Hash Algorithm) 160-bit output US government (NIST) standard as of –Also the hash algorithm for Digital Signature Standard (DSS)

slide 18 Basic Structure of SHA-1 Against padding attacks Split message into 512-bit blocks Compression function Applied to each 512-bit block and current 160-bit buffer This is the heart of SHA bit buffer (5 registers) initialized with magic values

slide 19 Block Ciphers Block of plaintext SSSS SSSS SSSS Key repeat for several rounds Block of ciphertext For hashing, there is no KEY. Use message as key and replace plaintext with a fixed string. (for example, Unix password hash is DES applied to NULL with password as the key)

slide 20 SHA-1 Compression Function Current message block Current buffer (five 32-bit registers A,B,C,D,E) Buffer contains final hash value Very similar to a block cipher, with message itself used as the key for each round Four rounds, 20 steps in each Let’s look at each step in more detail… Fifth round adds the original buffer to the result of 4 rounds

slide 21 AEBCDAEBCD + + ftft 5 bitwise left-rotate WtWt KtKt One Step of SHA-1 (80 steps total) Special constant added (same value in each 20-step round, 4 different constants altogether) Logic function for steps (B  C)  (  B  D) B  C  D (B  C)  (B  D)  (C  D) B  C  D Current message block mixed in For steps 0..15, W =message block For steps , W t =W t-16  W t-14  W t-8  W t Multi-level shifting of message blocks 30 bitwise left-rotate

slide 22 How Strong Is SHA-1?  Every bit of output depends on every bit of input Very important property for collision-resistance  Brute-force inversion requires ops, birthday attack on collision resistance requires 2 80 ops  Some recent weaknesses (2005) Collisions can be found in 2 63 ops

SHA-512 big picture

SHA-512 zoom in

slide 25 network Authentication  Authenticity is identification and assurance of origin of information We’ll see many specific examples in different scenarios

slide 26 Authentication with Shared Secrets msg, H(SECRET,msg) Alice wants to ensure that nobody modifies message in transit (both integrity and authentication) Idea: given msg, very hard to compute H(SECRET, msg) without SECRET; easy with SECRET Alice Bob SECRET

slide 27 Authentication Without Encryption Integrity and authentication: only someone who knows KEY can compute MAC for a given message Alice Bob KEY message MAC (message authentication code) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message

slide 28 HMAC  Construct MAC by applying a cryptographic hash function to message and key Could also use encryption instead of hashing, but… Hashing is faster than encryption in software Library code for hash functions widely available Can easily replace one hash function with another There used to be US export restrictions on encryption  Invented by Bellare, Canetti, and Krawczyk (1996)  Mandatory for IP security, also used in SSL/TLS

slide 29 Structure of HMAC Embedded hash function (strength of HMAC relies on strength of this hash function) “Black box”: can use this HMAC construction with any hash function (why is this important?) Block size of embedded hash function Secret key padded to block size magic value (flips half of key bits) another magic value (flips different key bits) hash(key,hash(key,message)) “Amplify” key material (get two keys out of one) Very common problem: given a small secret, how to derive a lot of new keys?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.