@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.


1 @Yuan Xue (yuan.xue@vanderbilt.edu)CS 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012

2 Message authentication code
- Use a shared secret key
- Provide data integrity protection + source authentication
- Limitations: CBC-based MAC generation still involves high computation overhead

3 Motivation for Hash Algorithms
- Intuition: re-examine the non-cryptographic checksum.
- Main limitation: an attacker is able to construct a message that matches the checksum.
- Goal: design a code where the original message cannot be inferred from its checksum → design of hash algorithms.

4 Requirements for Hash function
A hash function H takes a message M of variable length and transforms it into a fixed-length value h:
h = H(M) -- (cryptographic) hash value, message digest, digest
such that an accidental or intentional change to the message will change the hash value.
A hash function H must have the following properties:
- One-way property: for any given value h, it is computationally infeasible to find x such that H(x) = h.
- Weak collision resistance: for any given message x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
- Strong collision resistance: it is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

5 Hash Function Applications
Used alone:
- Ordinary hash functions -- index data in hash table
- Fingerprint -- file integrity verification, public key fingerprint
- Password storage (one-way encryption)
Combined with encryption functions:
- Message authentication code
- Digital signature
- Other authentication forms

6 [Figure panels: Confidentiality and authentication; Authentication; Authentication, digital signature]

7 [Figure panels: Authentication, digital signature, confidentiality; Authentication (no encryption needed!); Authentication, confidentiality]

8 HMAC
Hash function works with a symmetric key to provide message authentication.
Two methods:
(1) MAC = E[K, H(M)]
(2) MAC = H[M||S] → idea for HMAC

9 HMAC Structure
HMAC(K, M) = H[(K⁺ ⊕ opad) || H[(K⁺ ⊕ ipad) || M]]
K⁺ = K padded with 0 on the left (b bits in total)
ipad = 00110110 (36 in hex) repeated b/8 times
opad = 01011100 (5C in hex) repeated b/8 times
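
The HMAC structure above, written out as an added Python example (not from the original slides) and checked against the standard library's hmac module. It follows RFC 2104 in appending the zero bytes after the key and hashing keys longer than one block; the name hmac_manual and the sample key and message are constructed for illustration.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    b = hashlib.new(hash_name).block_size        # block size b in bytes (64 for SHA-256)
    if len(key) > b:                             # RFC 2104: keys longer than b are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")               # K+: zero bytes appended up to b bytes
    k_ipad = bytes(x ^ 0x36 for x in k_plus)     # K+ xor ipad
    k_opad = bytes(x ^ 0x5C for x in k_plus)     # K+ xor opad
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg), tag)

if __name__ == "__main__":
    key = b"constructed shared secret"           # sample values, constructed for the demo
    msg = b"transfer 100 to account 42"
    tag = hmac_manual(key, msg)
    print("matches stdlib:", tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("genuine message accepted:", verify(key, msg, tag))
    print("modified message accepted:", verify(key, msg.replace(b"100", b"900"), tag))
```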

10 Overview of Hash Algorithms
There is a long list of cryptographic hash functions. Two popular examples:
MD5 (Message-Digest algorithm 5)
- By Ronald Rivest in 1991, based on MD4
- Digest length: 128-bit
- Weak collision resistance
- Vulnerable to collision attack (no strong collision resistance)
SHA hash functions (all by NSA)
- SHA-0 in 1993; 160-bit hash value
- SHA-1 in 1995; 160-bit hash value; widely used, once considered as the successor to MD5
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512; digest length (based on name)
- SHA-0 and SHA-1 are vulnerable to collision attacks
- Recent result on SHA-1: collision attack on SHA-1 that would allow an attacker to select at least parts of the message.

11 Hash Algorithm Design
- Iterative use of compression function
- Compression function
  - Specifically designed for the hash function
  - Based on symmetric block cipher

12 Hash Algorithm Design – MD5
1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer
   Word A = 01 23 45 67
   Word B = 89 AB CD EF
   Word C = FE DC BA 98
   Word D = 76 54 32 10

13 Hash Algorithm Design – MD5
[Figure labels: 16 steps; constructed from sine function; X[k] = M[q*16+k] (32 bit)]

14 [Figure: Single step]
- The ith 32-bit word in matrix T, constructed from the sine function
- M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg

15 Put into practice

16 Security of Hash Algorithms
Why is collision bad?
- preimage attacks (one-way property)
- second preimage attacks (weak collision resistance)
- birthday attack (strong collision resistance)
- Length-extension attacks: given h(m) and len(m) but not m, by choosing a suitable m' an attacker can calculate h(m || m'). This property can be used to break naive authentication schemes based on hash functions. The HMAC construction works around these problems.

17 Preimage and Second Preimage Attacks
- Preimage attack: given a hash value h, an attacker wishes to find a message x such that H(x) = h (violates the one-way property).
- Second preimage attack: given a message y with hash value h = H(y), an attacker wishes to find another message x ≠ y such that H(x) = h (violates weak collision resistance).
- Brute-force attack complexity: how many messages/attempts (on average) does an attacker have to prepare in order to find a message x such that H(x) = h?
  Let the number of messages/attempts that an attacker has to prepare in order to find a collision be a random variable N. N follows a geometric distribution with parameter 1/2^h, where h here is the hash length in bits. The mean value of N is 2^h. Thus h has to be long enough.

18 Birthday Attack
Alice wants to get Bob's signature on a fraudulent contract. Suppose that an h-bit hash is used.
On average, how many fraudulent contracts does Alice need to try to find one that matches the hash code of the fair contract? [recall second preimage attack: 2^h]
A better approach – birthday attack:
- Alice prepares a fair contract m and a fraudulent one m'.
- She then finds a number of positions where m can be changed without changing the meaning. By combining these changes, she can create a huge number of variations on m which are all fair contracts.
- In a similar manner, Alice also creates a huge number of variations on the fraudulent contract m'.
- She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, f(m) = f(m').
- She presents the fair version to Bob for signing.
- After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Bob signed the fraudulent contract.
How many contracts does Alice need to try this time?

19 Birthday Problem
Birthday problem (http://en.wikipedia.org/wiki/Birthday_problem)
For an h-bit hash value, the brute-force attack complexity is 2^(h/2).

20 Birthday Attack
To avoid the birthday attack, the output length of the hash function used for a signature scheme can be chosen large enough that the birthday attack becomes computationally infeasible: about twice as many bits as are needed to prevent a preimage or second preimage attack.
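
The 2^h versus 2^(h/2) gap from the preceding slides, measured on a deliberately short hash. This is an added Python example, not part of the original slides: toy_hash (SHA-256 truncated to h bits), the other function names and the contract strings are constructed for the demonstration, and it shows why a signature scheme needs about twice the digest bits.

```python
import hashlib
from itertools import count

def toy_hash(msg: bytes, bits: int) -> int:
    """Constructed h-bit hash for the demo: the top `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def second_preimage(fair: bytes, bits: int):
    """Try fraudulent variants until one matches the hash of one fixed fair contract."""
    target = toy_hash(fair, bits)
    for n in count(1):
        fraud = b"fraudulent contract, variant %d" % n
        if toy_hash(fraud, bits) == target:
            return fraud, n                          # n hashes computed

def birthday_collision(bits: int):
    """Hash variants of both contracts until any fair/fraudulent pair matches."""
    fair_seen, fraud_seen = {}, {}
    for n in count(1):
        fair = b"fair contract, variant %d" % n
        fraud = b"fraudulent contract, variant %d" % n
        h_fair, h_fraud = toy_hash(fair, bits), toy_hash(fraud, bits)
        fair_seen[h_fair] = fair
        fraud_seen[h_fraud] = fraud
        for h in (h_fair, h_fraud):
            if h in fair_seen and h in fraud_seen:
                return fair_seen[h], fraud_seen[h], 2 * n   # 2n hashes computed

def mean_second_preimage_cost(bits: int, trials: int) -> float:
    """Average number of hashes over several independent fair contracts."""
    costs = [second_preimage(b"fair contract #%d" % t, bits)[1] for t in range(trials)]
    return sum(costs) / trials

if __name__ == "__main__":
    h = 14
    fair, fraud, cost = birthday_collision(h)
    print(f"h = {h} bits: 2^h = {2**h}, 2^(h/2) = {2**(h // 2)}")
    print(f"birthday attack: {cost} hashes -> {fair!r} / {fraud!r}")
    print(f"second preimage: {mean_second_preimage_cost(h, 8):.0f} hashes on average")
```

With h = 14 the birthday search typically finishes after a few hundred hashes, while the second-preimage search averages on the order of 2^14; the same ratio is what makes a 128-bit digest offer only about 64 bits of collision resistance.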

21 Security of Hash Algorithms
When we say a hash algorithm is broken by cryptographic analysis, the time to identify collisions using the analysis is less than the time taken by a brute-force attack.
Many hash algorithms have been found to be vulnerable and should not be used.
- In August 2004, weaknesses were found in a number of hash functions that were popular at the time, including SHA-0, RIPEMD, and MD5.
- As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008.
- In February 2005, a successful attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function.
- In August 2005, another successful attack on SHA-1 was reported, finding collisions in 2^63 operations.

22 Readings
Required Reading
- [WS] 11.1-11.5
- [KPS] 5.5
- http://en.wikipedia.org/wiki/MD5
- http://en.wikipedia.org/wiki/Birthday_attack
Recommended Reading
- [WS] 11.6
- [KPS] 5.1-5.2

