 # Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

## Presentation on theme: "Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)"— Presentation transcript:

Hash Functions Nathanael Paul Oct. 9, 2002

Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x) – easy –H(x) – one way “hard to invert” –H(x) collision free

Purposes for hash functions Data Integrity –Ex: Tripwire –Message digest y = h(x). y is called the message digest. 160 bits in size – “birthday attack” Message Source Digital Signatures Message Authentication Codes (MAC)

Digital Signatures and Message Authentication Code (MAC) overview Suppose Alice and Bob share a secret key k which determines hash function h k Alice sends (x, y) to Bob where y = h k (x) Bob receives (x,y) and verifies with y = h k (x). If condition holds, neither x nor y was modified in transit.

Hash Family (X,Y,K,H) –For each k in K, there exists an h in H, such that h k (x)  y Assume |X| >= |Y| (even better, 2|X| >= |Y|) Unkeyed hash function –|K| = 1 –Ex. SHA-1 (successor of MD4)

Conditions of a secure hash function Preimage –Find x such that h(x) = y, given y and the function f(). –one-way Second Preimage –Find x’ != x, such that h(x) = h(x’), given x and the function h(). –weak collision resistance Collision –Find h(x) = h(x’) such that x != x’, given function h() –strong collision resistance

Iterated hash function overview compression function –Given input of length m, produce output of length n –inputs to compression function: message block, m i output of previous blocks of text h i = f(m i, h i-1 ) MD-strengthening (Merkle-Damgard) –pre-image contains length of entire message –initialization vector (padding function)

Modes of operation –ECB, CBC, CFB, OFB –different characteristics: error propagation efficiency increase in data size –NIST document on modes of operation http://csrc.nist.gov/encryption/tkmodes.html –Next slide shows CBC mode of operation...

Message Authentication Codes Oscar’s (adversary) goal: –produce a pair (x,y) that is valid, but the key k is not known Oscar knows –valid pairs Pairs = {(x 1,y 1 ),(x 2,y 2 ),...,(x q,y q )} forgery –Oscar outputs an (x,y) where x is not in Pairs

Review of types of attacks Ciphertext-only –Oscar possesses a string of ciphertext, y Known plaintext –has ciphertext, y, corresponding to a message, x Chosen plaintext –access to encryption. choose x, get y Chosen ciphertext –choose y, get x

Ways of creating a MAC Base MAC on block cipher –block cipher already implemented, so part of implementation is done MAC from an unkeyed hash –just add a key to output of unkeyed hash –requires careful analysis Create a customized MAC

CBC MAC use block cipher in CBC mode with fixed IV best general attack is birthday attack

Nested MACs Nested MAC –composition of 2 keyed hash families G o H = {g o h : g is in G, h is in H} where (g o h) (k,l) (x) = h l (g k (x)) –Secure if the following holds (given unknown key): G is collision-resistant H is secure as a MAC

Types of attacks on nested MACs forger for nested MAC forger for the little MAC –attack on component MAC H unknown-key collision attack

Attack 1: Forger on nested MAC pair of keys (k,l) are kept secret Oscar: –chooses an x –oracle – “magic box” –given x, oracle computes z = h l (g k (x)) –tries to find (x’, z) where x’ was not any x given to oracle

Attack 2: Forger on smaller MAC component of nested MAC (H family) key l is chosen and kept secret (l is in keyspace of H family of hashes) Oscar: –chooses y –given y, oracle computes z = h l (y) –tries to output (y’,z) where y’ was not in one of its previous queries to oracle

Attack 3: Collision Finder for a hash family key k in K is kept secret Oscar: –chooses an x –given x, oracle computes g k (x) –tries to find x’ and x’’ where x’ != x’’ and g k (x’) = g k (x’’)

HMAC nested MAC algorithm (proposed standard) –based on SHA-1 –uses 512-bit key k –2 512-bit constants, ipad and opad 160-bit MAC –HMAC k (x) = SHA-1((k  opad) || SHA-1((K  ipad) || x)) ipad component resistant against unknown-key collision attack

Further Reading Applied Cryptography, Bruce Schneier Cryptography: Theory and Practice, Douglas Stinson Handbook of Applied Cryptography, Alfred Menezes, et. al. –available for download at: –http://www.cacr.math.uwaterloo.ca/hac/

Download ppt "Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)"

Similar presentations