Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vitaly Shmatikov CS 361S Cryptographic Hash Functions.

Published byRhoda McKenzie Modified over 8 years ago

Similar presentations

Presentation on theme: "Vitaly Shmatikov CS 361S Cryptographic Hash Functions."— Presentation transcript:

1 Vitaly Shmatikov CS 361S Cryptographic Hash Functions

2 slide 2 Reading Assignment uRead Kaufman 5.1-2 and 5.6-7

3 slide 3 Hash Functions: Main Idea bit strings of any length n-bit strings..... x’ x’’ x y’ y hash function H uHash function H is a lossy compression function Collision: H(x)=H(x’) for some inputs x≠x’ uH(x) should look “random” Every bit (almost) equally likely to be 0 or 1 uA cryptographic hash function must have certain properties “message digest” message

4 slide 4 One-Way uIntuition: hash should be hard to invert “Preimage resistance” Given a random, it should be hard to find any x such that h(x)=y –y is an n-bit string randomly chosen from the output space of the hash function, ie, y=h(x’) for some x’ uHow hard? Brute-force: try every possible x, see if h(x)=y SHA-1 (a common hash function) has 160-bit output –Suppose we have hardware that can do 2 30 trials a pop –Assuming 2 34 trials per second, can do 2 89 trials per year –Will take 2 71 years to invert SHA-1 on a random image

5 Birthday Paradox uT people uSuppose each birthday is a random number taken from K days (K=365) – how many possibilities? K T - samples with replacement uHow many possibilities that are all different? (K) T = K(K-1)…(K-T+1) - samples without replacement uProbability of no repetition? (K) T /K T  1 - T(T-1)/2K uProbability of repetition? O(T 2 )

6 slide 6 Collision Resistance uShould be hard to find x≠x’ such that h(x)=h(x’) uBirthday paradox Let T be the number of values x,x’,x’’… we need to look at before finding the first pair x≠x’ s.t. h(x)=h(x’) Assuming h is random, what is the probability that we find a repetition after looking at T values? Total number of pairs? –n = number of bits in the output of hash function Conclusion: uBrute-force collision search is O(2 n/2 ), not O(2 n ) For SHA-1, this means O(2 80 ) vs. O(2 160 ) O(T 2 ) O(2 n ) T  O(2 n/2 )

7 slide 7 One-Way vs. Collision Resistance uOne-wayness does not imply collision resistance Suppose g() is one-way Define h(x) as g(x’) where x’ is x except the last bit –h is one-way (cannot invert h without inverting g) –Collisions for h are easy to find: for any x, h(x0)=h(x1) uCollision resistance does not imply one-wayness Suppose g() is collision-resistant Define h(x) to be 0x if x is (n-1)-bit long, else 1g(x) –Collisions for h are hard to find: if y starts with 0, then there are no collisions; if y starts with 1, then must find collisions in g –h is not one way: half of all y’s (those whose first bit is 0) are easy to invert (how?), thus random y is invertible with prob. 1/2

8 slide 8 Weak Collision Resistance uGiven a randomly chosen x, hard to find x’ such that h(x)=h(x’) Attacker must find collision for a specific x… by contrast, to break collision resistance, enough to find any collision Brute-force attack requires O(2 n ) time uWeak collision resistance does not imply collision resistance (why?)

9 slide 9 Hashing vs. Encryption uHashing is one-way. There is no “uh-hashing”! A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption” uHash(x) looks “random”, but can be compared for equality with Hash(x’) Hash the same input twice  same hash value Encrypt the same input twice  different ciphertexts uCryptographic hashes are also known as “cryptographic checksums” or “message digests”

10 slide 10 Application: Password Hashing uInstead of user password, store hash(password) uWhen user enters a password, compute its hash and compare with the entry in the password file System does not store actual passwords! Cannot go from hash to password! uWhy is hashing better than encryption here? uDoes hashing protect weak, easily guessable passwords?

11 slide 11 Application: Software Integrity goodFile Software manufacturer wants to ensure that the executable file is received by users without modification… Sends out the file to users and publishes its hash in the NY Times The goal is integrity, not secrecy Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile) BigFirm™User VIRUS badFile The Times hash(goodFile)

12 slide 12 Which Property Is Needed? uPasswords stored as hash(password) One-wayness: hard to recover entire password Passwords are not random and thus guessable uIntegrity of software distribution Weak collision resistance? But software images are not random… maybe need full collision resistance uAuctions: to bid B, send H(B), later reveal B One-wayness… but does not protect B from guessing Collision resistance: bidder should not be able to find two bids B and B’ such that H(B)=H(B’)

13 slide 13 Common Hash Functions uMD5 Completely broken by now uRIPEMD-160 160-bit variant of MD-5 uSHA-1 (Secure Hash Algorithm) Widely used US government (NIST) standard as of 1993-95 –Also the hash algorithm for Digital Signature Standard (DSS)

14 Overview of MD5 uDesigned in 1991 by Ron Rivest uIterative design using compression function M1M1 M2M2 M3M3 M4M4 IHV 0 Com- press IHV 4 slide 14

15 slide 15 History of MD5 Collisions u2004: first collision attack The only difference between colliding messages is 128 random-looking bytes u2007: chosen-prefix collisions For any prefix, can find colliding messages that have this prefix and differ up to 716 random-looking bytes u2008: rogue SSL certificates Talk about this in more detail when discussing PKI u2012: MD5 collisions used in cyberwarfare Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature

16 slide 16 Basic Structure of SHA-1 Against padding attacks Split message into 512-bit blocks Compression function Applied to each 512-bit block and current 160-bit buffer This is the heart of SHA-1 160-bit buffer (5 registers) initialized with magic values

17 slide 17 Block Ciphers Block of plaintext SSSS SSSS SSSS Key repeat for several rounds Block of ciphertext For hashing, there is no KEY. Use message as the key and a fixed string as the plaintext (for example, Unix password hash is DES applied to NULL with password as the key)

18 slide 18 SHA-1 Compression Function Current message block Current buffer (five 32-bit registers A,B,C,D,E) Buffer contains final hash value Similar to a block cipher, with message itself used as the key for each round Four rounds, 20 steps in each Let’s look at each step in more detail… Fifth round adds the original buffer to the result of 4 rounds

19 slide 19 AEBCDAEBCD + + ftft 5 bitwise left-rotate WtWt KtKt One Step of SHA-1 (80 steps total) Special constant added (same value in each 20-step round, 4 different constants altogether) Logic function for steps (B  C)  (  B  D) 0..19 B  C  D 20..39 (B  C)  (B  D)  (C  D) 40..59 B  C  D 60..79 Current message block mixed in For steps 0..15, W 0..15 =message block For steps 16..79, W t =W t-16  W t-14  W t-8  W t-3 + + Multi-level shifting of message blocks 30 bitwise left-rotate

20 slide 20 How Strong Is SHA-1? uEvery bit of output depends on every bit of input Very important property for collision-resistance uBrute-force inversion requires 2 160 ops, birthday attack on collision resistance requires 2 80 ops uSome weaknesses discovered in 2005 Collisions can be found in 2 63 ops

21 slide 21 NIST Competition uA public competition to develop a new cryptographic hash algorithm Organized by NIST (read: NSA) u64 entries into the competition (Oct 2008) u5 finalists in 3 rd round (Dec 2010) uWinner: Keccak (Oct 2012) Will be standardized as SHA-3

22 slide 22 Integrity and Authentication Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message Alice Bob KEY message MAC (message authentication code) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message

23 slide 23 HMAC uConstruct MAC from a cryptographic hash function Invented by Bellare, Canetti, and Krawczyk (1996) Used in SSL/TLS, mandatory for IPsec uWhy not encryption? Hashing is faster than encryption Library code for hash functions widely available Can easily replace one hash function with another There used to be US export restrictions on encryption

24 slide 24 Structure of HMAC Embedded hash function “Black box”: can use this HMAC construction with any hash function (why is this important?) Block size of embedded hash function Secret key padded to block size magic value (flips half of key bits) another magic value (flips different key bits) hash(key,hash(key,message))

Download ppt "Vitaly Shmatikov CS 361S Cryptographic Hash Functions."

Similar presentations

Hashes and Message Digests

Hashes and Message Digests
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11

Information Security and Management 11
Slide 1 Vitaly Shmatikov CS 378 Hash Functions. slide 2 We’ve Already Seen Hashes In… Every lecture so far! uIntegrity checking in SSL uAs one of applications.

Slide 1 Vitaly Shmatikov CS 378 Hash Functions. slide 2 We’ve Already Seen Hashes In… Every lecture so far! uIntegrity checking in SSL uAs one of applications.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Overview of Cryptography What is Cryptography?

Overview of Cryptography What is Cryptography?
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google