1 CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems
Dr. Attila Altay Yavuz. Cryptographic Hash Functions. Credit: Prof. Dr. Peng Ning, Dr. Shai Halevi, Dr. Attila Altay Yavuz

2 Hash Function Properties
Advanced Network Security Dr. Attila Altay Yavuz

3 Hash Function
A message of arbitrary length is mapped to a fixed-length short message, the hash. Also known as: message digest, one-way transformation, one-way function. The length of H(m) is much shorter than the length of m. Usually fixed lengths: 160 or 256 bits (preferred).

4 How are they built?
Typically using Merkle-Damgård iteration (but not always): start from a “compression function” h: {0,1}^(b+n) → {0,1}^n and iterate it. In the figure, each message block has |M_i| = b = 512 bits, the chaining value c is 160 bits, and d = h(c, M_i) is 160 bits. The message is split into blocks M1, M2, …, ML-1, ML; starting from IV = d0, each step computes d_i = h(d_{i-1}, M_i), giving d1, d2, …, dL-1, dL, and the final chaining value dL is the digest d = H(M).
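The iteration described on this slide, written out as an added example (not code from the slides or from any standard hash library). The compression function h is an assumption made for illustration only: SHA-256 truncated to n = 160 bits, with b = 512-bit blocks and a zero IV. The padding is the usual Merkle-Damgård strengthening (length appended). The last function shows a structural consequence of the iteration that later slides rely on: since the output d_L is also the chaining value after M||pad, H(M || pad || suffix) can be computed from H(M) and |M| without knowing M, which is why H(key || M) is not a safe MAC and why HMAC nests two hash calls.

```python
import hashlib
import struct

BLOCK_BYTES = 64     # b = 512 bits per message block, as on the slide
DIGEST_BYTES = 20    # n = 160 bits of chaining value / digest, as on the slide
IV = b"\x00" * DIGEST_BYTES   # d0; a constructed constant, not any standard IV


def compression(chain: bytes, block: bytes) -> bytes:
    """Toy compression function h: {0,1}^(b+n) -> {0,1}^n.
    Built from SHA-256 truncated to n bits purely for illustration (assumption);
    a real hash function uses its own dedicated compression function."""
    assert len(chain) == DIGEST_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(chain + block).digest()[:DIGEST_BYTES]


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgård strengthening: a 0x80 byte, zero bytes, then the message
    length in bits as a 64-bit big-endian field, so that the padded data is a
    whole number of b-bit blocks."""
    pad = b"\x80"
    while (total_len + len(pad) + 8) % BLOCK_BYTES:
        pad += b"\x00"
    return pad + struct.pack(">Q", total_len * 8)


def md_hash(message: bytes, chain: bytes = IV, already_hashed: int = 0) -> bytes:
    """d = H(M): split M||pad into blocks M1..ML and iterate d_i = h(d_{i-1}, M_i).
    `chain` / `already_hashed` allow resuming from an intermediate d_i; they are
    used only by extension_property() below."""
    data = message + md_pad(already_hashed + len(message))
    d = chain
    for i in range(0, len(data), BLOCK_BYTES):
        d = compression(d, data[i:i + BLOCK_BYTES])
    return d


def extension_property(digest: bytes, original_len: int, suffix: bytes):
    """Structural consequence of the iteration: the final d_L is itself the
    chaining value after M||pad, so from H(M) and |M| alone one can compute
    H(M || pad || suffix). Returns (pad, extended digest)."""
    glue = md_pad(original_len)
    consumed = original_len + len(glue)   # a multiple of BLOCK_BYTES
    return glue, md_hash(suffix, chain=digest, already_hashed=consumed)


if __name__ == "__main__":
    m = b"constructed sample message"   # constructed input
    d = md_hash(m)
    glue, ext = extension_property(d, len(m), b" appended")
    print(d.hex(), ext == md_hash(m + glue + b" appended"))
```

The design point for a defender: the equality checked in the last line holds for any Merkle-Damgård hash, so a MAC must not be built as H(key || M); the HMAC slides later on address exactly this.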

5 What are they good for?
“Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.” -- NIST, “Request for Candidate Algorithm Nominations”

6 Desirable Properties of Hash Functions
Consider a hash function H. Performance: easy to compute H(m). One-way property: given H(m) but not m, it’s computationally infeasible to find m. Weak collision resistance: given H(m), it’s computationally infeasible to find m’ such that H(m’) = H(m). Strong collision resistance: computationally infeasible to find m1, m2 such that H(m1) = H(m2).

7 Length of Hash Image
Question: why do we have 160 bits or 256 bits in the output of a hash function? If it is too long: unnecessary overhead. If it is too short: birthday paradox, loss of the strong collision property.

8 Birthday Paradox (Cont’d)
Implication for a hash function H of length m: if we hash about 2^(m/2) random inputs, then with probability at least 0.5 two messages will have the same hash image (birthday attack). Conclusion: choose m ≥ 160, preferably m ≥ 256.
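The birthday bound from slides 7 and 8, run as an experiment. This is an added example, not material from the slides: it truncates SHA-256 to a small m (an assumption so the run finishes in seconds), hashes random inputs until two distinct inputs share an image, and compares the measured cost with the closed-form estimates. The probability formula is the standard approximation 1 - exp(-n(n-1)/2^(m+1)); at exactly n = 2^(m/2) it gives about 0.39, and it passes 0.5 at roughly 1.18 * 2^(m/2), which is what the slide's "about 2^(m/2)" refers to.

```python
import hashlib
import math
import random


def truncated_hash(data: bytes, m_bits: int) -> int:
    """An m-bit hash image: the leading m bits of SHA-256 (constructed toy;
    truncation is only so the experiment is feasible for small m)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - m_bits)


def hashes_until_collision(m_bits: int, rng: random.Random) -> int:
    """Hash random inputs until two distinct inputs share an image; return how
    many inputs were hashed, i.e. the cost of one birthday attack."""
    seen = {}
    count = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")   # random 8-byte input
        count += 1
        img = truncated_hash(msg, m_bits)
        if img in seen and seen[img] != msg:
            return count
        seen[img] = msg


def average_inputs_to_collision(m_bits: int, trials: int = 300, seed: int = 1) -> float:
    """Mean cost over several independent runs (seeded so it is repeatable)."""
    rng = random.Random(seed)
    return sum(hashes_until_collision(m_bits, rng) for _ in range(trials)) / trials


def expected_inputs(m_bits: int) -> float:
    """Mean number of random inputs until the first collision among 2^m images:
    sqrt(pi/2 * 2^m), i.e. about 1.25 * 2^(m/2)."""
    return math.sqrt(math.pi / 2 * 2 ** m_bits)


def collision_probability(n: int, m_bits: int) -> float:
    """P(at least one collision among n random inputs) ~ 1 - exp(-n(n-1)/2^(m+1))."""
    return 1.0 - math.exp(-n * (n - 1) / 2 ** (m_bits + 1))


if __name__ == "__main__":
    m = 16
    print("m =", m, "measured:", average_inputs_to_collision(m),
          "predicted:", round(expected_inputs(m), 1))
    print("P(collision) with 2^80 inputs on a 160-bit hash:",
          round(collision_probability(2 ** 80, 160), 3))
```

Running it for m = 16 gives a measured average close to the predicted 1.25 * 2^8 ≈ 321 inputs, and the same square-root law is what reduces a 160-bit hash to 2^80 work, which is the number quoted on the later collision-resistance slide.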

9 Using “imperfect” hash functions
Applications should rely only on “specific security properties” of hash functions. Try to make these properties as “standard” and as weak as possible: this increases the odds of long-term security, since when weaknesses are found in a hash function the application is more likely to survive. E.g., MD5 is badly broken, but HMAC-MD5 is barely scratched.

10 Security requirements
Deterministic hashing: attacker chooses M, d=H(M). Hashing with a random salt: attacker chooses M, then the good guy chooses a public salt, d=H(salt,M). Hashing random messages: given M, d=H(M’), e.g., M’=M||r. Hashing with a secret key: attacker chooses M, d=H(key,M). (Listed from the stronger requirement on H to the weaker.)

11 Deterministic hashing
Collision Resistance: attacker cannot find M,M’ such that H(M)=H(M’). Also many other properties: hard to find fixed-points, near-collisions, M s.t. H(M) has low Hamming weight, etc.

12 Hashing with public salt
Target-Collision-Resistance (TCR): attacker chooses M, then given a random salt, cannot find M’ such that H(salt,M)=H(salt,M’). Enhanced TCR (eTCR): attacker chooses M, then given a random salt, cannot find M’,salt’ s.t. H(salt,M)=H(salt’,M’).

13 Hashing random messages
Second Preimage Resistance: given random M, attacker cannot find M’ such that H(M)=H(M’). One-wayness: given d=H(M) for random M, attacker cannot find M’ such that H(M’)=d. Extraction: for random salt and high-entropy M, the digest d=H(salt,M) is close to being uniform.

14 Hashing with a secret key
Pseudo-Random Functions: the mapping M → H(key,M) for a secret key looks random to an attacker.

15 Application 1: Digital signatures
Hash-then-sign paradigm: first shorten the message, d = H(M); then sign the digest, s = SIGN(d). Relies on collision resistance: if H(M)=H(M’) then s is a signature on both ⇒ attacks on MD5, SHA-1 threaten current signatures. MD5 attacks can be used to get a bad CA cert [Stevens et al. 2009].

16 Application: Digital Signatures
Generating a signature: hash message m to H(m), then sign H(m) with Bob’s private key to produce the signature (encrypted hash). Verifying a signature: hash message m to H(m), then verify the signature against it with Bob’s public key, giving Valid / Not Valid. File and user authenticity in one shot! Only one party (Bob) knows the private key.

17 Collision resistance is hard
Attacker works off-line (find M,M’): can use state-of-the-art cryptanalysis and as much computation power as it can gather, without being detected!! Helped by the birthday attack (e.g., 2^80 vs 2^160). Well worth the effort: one collision ⇒ forgery for any signer.

18 Signatures without CRHF
[Naor-Yung 1989, Bellare-Rogaway 1997] Use randomized hashing: to sign M, first choose a fresh random salt, set d = H(salt, M), s = SIGN(salt || d). Attack scenario (collision game): attacker chooses M; signer chooses random salt; attacker must find M' s.t. H(salt,M) = H(salt,M'). The attack is inherently on-line. Only relies on target collision resistance with the same salt (since the salt is explicitly signed).

19 TCR hashing for signatures
Not every randomization works: H(M|salt) may be subject to collision attacks when H is Merkle-Damgård, yet this is what PSS does (and it’s provable in the ROM). Many constructions “in principle”, from any one-way function. Some engineering challenges: most constructions use long/variable-size randomness and don’t preserve Merkle-Damgård; also, signing the salt means changing the underlying signature schemes.

20 The Hashed Message Authentication Code (HMAC)
Attila Altay Yavuz

21 Authentication with HMAC
[Bellare-Canetti-Krawczyk 1996] Simple key-prepend/append have problems when used with a Merkle-Damgård hash: tag=H(key | M) is subject to extension attacks. HMAC: compute tag = H(key || H(key || M)). About as fast as key-prepend for a MD hash. Relies only on the PRF quality of the hash: M → H(key|M) looks random when the key is secret.

22 HMAC Processing
Key K is padded on the right with 0’s to 512 bits in length. Inner step: combine the padded key with 0x363636…36, concatenate Message M, and compute the message digest. Outer step: combine the padded key with 0x5c5c5c…5c, concatenate the inner digest, and compute the message digest; the result is HMAC(key,message). CSC/ECE 574 Dr. Peng Ning
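The two-level construction from slides 21 and 22, implemented from the raw hash function as an added example (not the slides' own code and not a library implementation): the key is zero-padded to the 512-bit block, XORed with the 0x36 and 0x5c constants, and fed through an inner and an outer digest. It is cross-checked against Python's hmac module, and the verifier side compares tags in constant time. Key and message values are constructed for the example.

```python
import hashlib
import hmac


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as on the slides: tag = H((K ^ opad) || H((K ^ ipad) || M)),
    with ipad = 0x36...36 and opad = 0x5c...5c."""
    h = getattr(hashlib, hash_name)
    block = h().block_size              # 64 bytes (512 bits) for SHA-1 / SHA-256
    if len(key) > block:
        key = h(key).digest()           # over-long keys are hashed first (RFC 2104)
    key = key.ljust(block, b"\x00")     # pad on the right with 0's to the block size
    ipad_key = bytes(k ^ 0x36 for k in key)
    opad_key = bytes(k ^ 0x5c for k in key)
    inner = h(ipad_key + message).digest()   # inner digest: H(K^ipad || M)
    return h(opad_key + inner).digest()      # outer digest: H(K^opad || inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard-library hmac module (same construction)."""
    return hmac_digest(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verifier side: recompute the tag and compare in constant time, so the
    comparison itself does not leak how many leading tag bytes matched."""
    return hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


if __name__ == "__main__":
    key, msg = b"constructed-key", b"constructed message"   # constructed values
    tag = hmac_digest(key, msg)
    print(tag.hex(), matches_stdlib(key, msg), verify_tag(key, msg, tag),
          verify_tag(key, msg + b"!", tag))
```

Note the contrast with the key-prepend tag H(key || M) from slide 21: because the outer hash is applied to the inner digest, the chaining value that leaves the inner hash never becomes the final tag, which is what blocks the Merkle-Damgård extension property.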

23 Is Encryption a Good Hash Function?
Figure: building a hash using block chaining techniques, starting from a constant and encrypting M1, M2, M3, M4 in turn with E to produce a 64-bit hash. Problems: the encryption block size may be too short (DES=64), enabling a birthday attack; extension attacks.

24 Modern Hash Functions
MD5: previous versions (i.e., MD2, MD4) have weaknesses; broken, collisions published in August 2004; too weak to be used for serious applications. SHA-1: broken, both in theory and with a real attack; collisions in 2^69 hash operations, much less than the brute-force attack of 2^80 operations (CRYPTO ’05). SHA-256, SHA-384, …; BLAKE-256/512 (good for embedded devices).

25 (In)security of MD5
A few recently discovered methods can find collisions in a few hours. A few collisions were published in 2004; many collisions can be found for 1024-bit messages. More discoveries afterwards: in 2005, two X.509 certificates with different public keys and the same MD5 hash were constructed. This method is based on differential analysis: 8 hours on a 1.6GHz computer, much faster than the birthday attack.
