V.Sorge/E.Ritter, Handout 6
|
|
- Emil Hunt
- 6 years ago
- Views:
Transcription
1 Cryptography The University of Birmingham Autumn Semester 2015 School of Computer Science V.Sorge/E.Ritter, 2015 Handout 6 Summary of this handout: Cryptographic Hash Functions Merkle-Damgård MD4 MD5 SHA-1 Message Authentication Codes HMAC CBC-MAC PMAC In the previous sections we were primarily interested in enciphering messages to make them secure against eavesdropping. We also briefly discussed attacks such as deletion and insertion attacks for modes of operations, where an attacker actively alters the message that is being s. In general, none of the techniques discussed so far can guarantee that a message has not been tampered with and thus def against forms of malicious modification of content. In this handout we will look at some cryptographic techniques that aim to guarantee the authenticity of messages: Cryptographic hash functions and message authentication codes (MACs for short). II.4 Cryptographic Hash Functions Cryptographic hash functions provide a tool to test the integrity of messages. A cryptographic hash function takes an arbitrarily long message as input and produces, a generally much shorter, fixed length string, called hash value (or simply hash) or fingerprint, as output. Hash functions are used in principle in the following way: Suppose Alice wants to give Bob some means to check if he has received her message intact. She does this by taking a hash function to compute the fingerprint for here message and ss it alongside the (possibly encrypted) message. Upon receiving the message Bob can now use the same hash function as Alice to compute a second hash for the decrypted plaintext and compare his value with the one provided by Alice. Are the values the same, then the message is intact. If the values differ, then Bob knows that the message has been mutilated during transmission. In addition, Alice also wants to avoid that Eve can infer the message from the hash value (e.g., if the message was sent encrypted) or that Mallory can generate and s Bob a different message that has the same hash value as Alice s original message. In summary, a cryptographic hash functionhshould have the following properties: 1. The input can be of any length. 2. The output has a fixed length. 3. For any message or stringx,h(x) is easy to compute. 4. h is one-way, i.e., it is hard to invert, in the sense that for any y it is computationally infeasible to find an x such that y = h(x) 5. h is collision-free, i.e., for anyxit is computationally infeasible to find anx such ash(x) = h(x ). 48. One-way Functions A one-way function is one that is easy to compute but hard to invert. Or, in other words, given the output of the function it is difficult to find any input which yields this output. Good candidate one-way functions should be computable in polynomial time, but the best known algorithm to compute their inverse should take at least exponential time. Functions of this nature are, for instance, the prime-factorisation of large integers (multiplication is obviously easy, the factorisation is not) and the discrete logarithm problem. We will learn about these at a later point in the term. But to get an impression what the concept means, we consider a simple example from modular arithmetic. Suppose we know the value c a number is congruent to modulo some n. We are then faced with the problem to find the x such that x c(modn) holds. While it is computationally still easy 58
2 to compute the inverse, i.e., the possible candidate values for x, it is not necessarily easy to determine what the original value of x was. For example, it is easy to compute 17 2(mod3). However, finding the original value for x in x 2(mod3) is not that straightforward as x can be in {..., 4, 1,2,5,8,11,14,17,20,...}. 49. The Birthday Paradox Obviously no cryptographic hash function can be collision free. But we want at least that computing finding x and x with h(x ) = h(x) should be very hard. It is therefore important to know to what extent a function resists finding collisions. Suppose that the values h(x) are uniformly and unpredictably distributed. We observe a little example that illustrates how difficult it is to find good, collision free functions. The birthday paradox is that for a surprisingly small number of randomly chosen people (in fact, 23 people), the probability is more than 50% that at least two of them have the same birthday. For 60 or more people, the probability is greater than 99%. Obviously it cannot be 100% unless there are at least 366 people. The full distribution is given on the right. 50. Cryptographic Hash Functions vs. Hash (Table) Functions Cryptographic Hash Functions should not be confused with hash functions used to implement a hash table data structure! The latter are used to map a data object to a value that assigns it a particular place in a hash table for easy storage and retrieval. There is a certain similarity between cryptographic hash functions and hash table functions in that both map long bit strings to small values. However, in general hash table functions are easy to invert and, while a minimum of collisions is desirable, they do not have negative effects as there exist different strategies to deal with them in hash tables. II.4.1 Merkle-Damgård Construction We will first look at a general methodology to construct hash functions and then discuss some particular examples of hash functions. The Merkle-Damgård construction is a method to ext a fixed size compression function to an arbitrary size compression function. The compression function can either be specially designed for hashing or be built from a block cipher. The Merkle-Damgård approach is to break the input into blocks, and process them one at a time with the compression function, each time combining a block of the input with the output of the previous round. If the length of the original message is not a multiple of the block size of the compression functionf, we apply padding to ext the message length. However, simply padding with 0 bits is a potential security risk, since consider two bit strings of the form 0110 and If f works with blocks of size 8 then padding both bit strings with 0 would yield the same message and therefore the same result for f. To avoid this, one pads the message with a bit representation of the length of the message, which leads to different hashes in our example and leads to additional security for Bob as he can now also check for the right message length. This method is called Merkle-Damgård strengthening. To harden the hash further the last result is then often fed through a finalisation function g. The finalisation function can have several purposes such as compressing a bigger internal state (the last result) into a 59
3 smaller output hash size or to guarantee a better mixing and avalanche effect on the bits in the hash sum. The finalisation function is often built by using the compression function. Finally the whole procedure is kicked off by an initialisation value IV (similar to stream ciphers or some modes of operations for block ciphers), which is generally publicly available. The algorithm corresponds to the following operations, whereh i are intermediate hash values. H 1 = f(iv,x 1 ) H i = f(h i 1,x i ),i = 2,...,l H(x) = g(h l ) II.4.2 Example Hash Functions We have a look at a family of hash functions called the Message Digest algorithms or MD for short and its successors Secure Hash Algorithms or SHA. The algorithms not only vary in block size and number of layers of compression functions but also in speed and security. Generally one can say that the more secure a hash functions is the more time is needed to compute it. Here are some basic facts about some algorithms in the MD/SHA family: MD4 128-bits hash length, hashes roughly 270 MB per second. Collisions can be found in a matter of seconds. MD5 128-bits hash length, hashes roughly 216 MB per second. Collisions can be found in less than an hour on an ordinary PC. SHA bits hash length, hashes roughly 68 MB per second. Has been theoretically broken and a new, not brute-force attack has been published in However, it is still infeasible in practise. SHA bits hash length, hashes roughly 44.5 MB per second. Still considered secure. 51. Basic Structure of the MD and SHA Algorithms All MD and SHA algorithms are essentially round based, where in each round a different non-linear logical function is used for hashing. Each round in turn is broken down into a number of steps that iteratively apply the non-linear function of that round. Additionally, deping on round and step, different constants and/or parts of the message block are used during the hashing. The strengthening method is similar to all algorithms. First a 1 bit is apped to signal the of the message. Then0bits are added to pad to a multiple of the block length. Finally the number of bits of the message is added as a separate final block. 52. MD4 We first look at the MD4 algorithm, from which many algorithms in the MD and SHA family are derived. Variants of MD4 are still used in Peer-to-Peer networks to provide unique file identifiers, for instance in the ED2K URI scheme of emule. MD4 has 3 rounds of 16 steps for hashing message blocks of 512 bit length. Its final hash is 128-bits. I will not go into the gory details of the algorithm but rather present an overview. Throughout its computations MD4 maintains the 128 bit hash state as four chunks of 32 bit words (A,B,C,D). (A,B,C,D) is initialised with a fixed initialisation vector IV and, after hashing one block, is passed as initialisation to the hash function applied to the next block. 60
4 The message is partitioned into 512 bit blocks, which in turn are broken down into 16 chunks of 32 bits each, M 0,...,M 15. Each message chunk is used for hashing once in each round, however, the order in which messages are used deps on the round. The three non-linear functionf,g,h for rounds1,2,3, respectively, take three32 bit variables as input and produce a32 bit output each. In detail the functions are: F(X,Y,Z) = (X Y) ( X Z) G(X,Y,Z) = (X Z) (Y Z) H(X,Y,Z) = X Y Z After the three rounds have been executed the four 32 bit chunks of the initial hash values are added to the resulting hash values and the concatenation of the result is returned as hash. Here is an overview of the algorithm and its first round: (H 1,H 2,H 3,H 4 ) := (A,B,C,D) Round 1 fori := 0 to15 do t := A+F(B,C,D)+M i +K 1 (A,B,C,D) := (D,t s i,b,c) Round 2 fori := 16 to31 do t := A+G(B,C,D)+M z(i) +K 2 (A,B,C,D) := (D,t s i,b,c) Round 3 fori := 32 to47 do t := A+H(B,C,D)+M z(i) +K 3 (A,B,C,D) := (D,t s i,b,c) (A,B,C,D) := (H 1 +A,H 2 +B,H 3 +C,H 4 +D) Observe that in MD4 several elements vary from round to round or from step to step of the algorithm: K 1,K 2,K 3 are three constants of a known, fixed value. The operants s i of the left rotations vary from step to step. They are odd numbers between 3 and 19. z(i) is a function mapping a step value to a value between 0 and 15 in order to select a message. Observe that in the first round z is the identity mapping. Finally, the addition is on 32 bit numbers or modulo MD5 MD5 is an extension of MD4. It has the same basic parameters, i.e. it works on works on512 bit message blocks and produces 128 bit hashes. It also uses the same initialisation vector as MD4. But while MD4 operates in3rounds, MD5 performs4rounds of 16 steps. Rounds one to three are the same as those in MD4, including the constants and rotation operants. Round 4 is of a similar structure as the other rounds, however, it employs a different non-linear function, namely I(X,Y,Z) = Y (X Z). Round 4 fori := 48 to63 do t := A+I(B,C,D)+M z(i) +K 4 (A,B,C,D) := (D,t s i,b,c) 61
5 MD5 is widely used to ensure file integrity for software downloads, in particular for software distribution packages on UNIX systems. It is also used for password storage. The following is an example of MD5 hashes for two simple texts that vary in one letter only (the quotation marks are NOT part of the string and thus do not affect the hash value). We can see the avalanche effect, i.e. how much a small change in the input affects the output hash. MD5( School of Computer Science ) = 0x27E6E DF33AC499909E886BE19 MD5( School Of Computer Science ) = 0x1AF64C0CDC566FCFE2101EF221D62B SHA-1 While MD5 strengthened MD4 by adding one more round of hashing with a new non-linear function, SHA-1 exts the hash size by one more 32 bit block to 160 bit. Although SHA-1 uses 4 rounds of 20 steps each, it can nevertheless be seen as an extension of MD4 since it reuses the MD4 s non-linear functions, F in round 1, G in round 3, and H in rounds 2 and 4. It also reuses the constants and initial valueiv of MD4, but exts it by one more32 bit block. On the other hand SHA-1 has a different approach to using the message blocks. Instead of reusing the same message blocks throughout all steps of the algorithm and only permuting the order of their use, SHA-1 uses the initially 16 blocks of 32 bits to compute another 64 different blocks with the following scheme: forj := 16 to79 do X j := ((X j 3 X j 8 X j 14 X j 16 ) 1) SHA-1 also works with slightly changed permutations and rotations in the actual functions. For example the first round of the algorithm looks like this: SHA-1 is employed in many applications, such as TSL, SSL, SSH, or BitTorrent. Here is our example text as an SHA-1 hash: SHA-1( School of Computer Science ) = 0xC413EE5FA5A7F89B30FD576852A76DC5320F142B SHA-1( School Of Computer Science ) = 0x2202ED5DBE2A59D7F07EB1888D0F99B453F1F SHA-2 Since SHA-1 will be fully broken in a matter of time, the new generation are the SHA-2 algorithms, which are named after their hash length, e.g., SHA-256, SHA-384, SHA-512. They increase the security by introducing more different bitwise operations as well as working with longer block sizes. II.4.3 Building Hashes from Block Ciphers We can also construct hash functions from block ciphers. We will have a brief look at three of these schemes, all of which use a constant public initial value IV to kick off hashing. In addition some of 62
6 the schemes employ a function to compute keys from message blocks. In the following let E be the encryption function of ann-bit block cipher. And let g be a function that mapsn-bit inputs to keys. Davies-Meyer H 0 = IV H i = E mi (H i 1 ) H i 1 Matyas-Meyer-Oseas H 0 = IV H i = E g(hi 1 )(m i ) m i Miyaguchi-Preneel H 0 = IV H i = E g(hi 1 )(m i ) H i 1 m i 56. Example An example of a hash function built from a block cipher is Whirlpool. It is based on a modified version of the AES block cipher and computes a 512-bit hash from bits input. It hashes roughly 12.1 MB per second. II.5 Message Authentication Codes (MAC) A message together with its fingerprint computed by a cryptographic hash function, ensures that data has not been tampered with during transmission if Bob can successfully recompute the same hash value Alice has attached to her message. However, using a hash function in this way requires the hash value itself to be protected in some way, as otherwise the hash itself could be tampered with. To avoid this problem one can use a form of keyed hash function called a message authentication code, or MAC. This is a symmetric key algorithm where both Alice and Bob need to share a key. Alice can then protect the integrity of her message by sing the keyed MAC that only Bob can reproduce from the message. For a message M and a key K we denote the MAC value by MAC K (M). The message from Alice to Bob is then of the form M MAC K (M) We do not assume that the message M is encrypted. In fact, if Alice and Bob want to keep the message secret as well, they can s a MAC for the ciphertext C rather than the message: C MAC K (C) Note that the MAC key K can be different from the encryption key K used ine K = C. There are various ways to build MACs from hash functions or from block ciphers. We will have a look at three of them. II.5.1 HMAC HMAC is a method to build MACs from a hash function. Let h be the hash function that operates on block lengthn, where the length of keyk is less or equal ton. We also have two publicly known padding constantsp 1 andp 2 both of lengthn. An HMAC is then computed by: ( ( HMAC K (M) = h (K P 1 ) h (K P 2 ) M) ), This method looks awfully complicated. However, just concatenating the key and the message and then applying the hash function to it can be easily broken if the hash function is known and the message is sent plaintext. 63
7 II.5.2 CBC-MAC CBC-MAC is a method to build a MAC from a block cipher using the Code Book Chaining mode of operation. It produces an m-bit MAC from ann-bit block cipher, wherem n by 1. padding M to be divisible into n-bit blocks, 2. encryptm with the block cipher in CBC mode with initial value 0, 3. take the final block as MAC. Schematically the CBC-MAC method works as follows: II.5.3 PMAC The problem with CBC-MAC is that it needs to encrypt the entire message with a computationally expensive block cipher before we obtain the MAC both when sing the MAC and when verifying it. While this is very secure, it is also rather slow. The PMAC method addresses this problem by introducing parallelisation. PMAC makes use of the following components: The messagem = M 1 M 2... M r 1 M r partitioned into r blocks of sizen. Two keys K andl A special efficient functionp that takesk and the block number1 i r and computesk x i in a finite field of order 2 n. Here n is the block size of the block cipher and K is viewed as a polynomial of order at mostn. We computeb i := E(K,M i P(K,i)) fori = 1,...,r. Finally we computepmac = E(L,b 1... b r ). In overview PMAC looks like this: M 1 M 2... M r 1 M r P(K,1) P(K,2) P(K,r 1) P(K,r) K E K E K E K E L E result One can show for PMAC that the MAC function is as secure as the underlying block cipher used. 57. Other MACs Various other approaches of constructing MACs for arbitrary length messages from block ciphers or hashes include UMAC, OMAC, CMAC. 64
8 III. Security definitions In this section we give formal definitions and proofs of security for hash functions and message authentication codes. III.1 Security of hash functions The Merkle-Damgård-construction will only work if the size of the input is a multiple of the size of the input of the compression function used. Hence suitable padding is needed. It is important to get the padding right, otherwise security will not be maintained. A suitable padding scheme consists of adding 10 0 msglen, wheremsglen is the length of the message (as a 64 bit binary number). If necessary, an extra block is added to the message. Theorem 24 Ifhis a collision-resistant compression function, and messages are padded as above, then the Merkle-Damgåard construction without a finalisation function produces a collision-resistant hash function. Proof. Let H be the result of applying the above padding followed by the Merkle-Damgård construction. Let h be the compression function used in the Merkle-Damgård construction. We show that a collision forh implies the existence of a collision forh. Assume M and M are two messages such that M M and H(M) = H(M ). Let PB and PB be the padding for M and M respectively. Let M 1,...,M k and M 1,...,M k be the blocks of M PB and M PB respectively. Let t 1,...,t k and t 1,...,t k be the result of applying h to M 1,...,M k and M 1,...,M k respectively. Now consider the length of the bitstrings M and M. There are two cases. Firstly, ifm andm have different length, by the construction of the padding scheme, the last blocksm k andm k ofm andm respectively are different. Hence the last step of the Merkle-Damgård construction produces a collision forh. Secondly, assume that M and M have the same length. Hence the padding PB of M and M is the same. Let k be the number of blocks in M PB. Let M i and M i be the first block where M PB and M PB differ. We show by induction over j that if M k j M k j or t k j 1 t k j 1, where t 0 = t 0 is the initialisation vector for the Merkle-Damgård construction, then there exists a collision of h. j = 0 : By assumptiont k = t k but M k M k or t k 1 t k 1. Hence Hence there is a collision forh. h(t k 1,M k ) = t k = t k = h(t k 1,M k ) j > 0 : We assume the induction hypothesis holds forj 1 and show that it holds forj. Hence assume that M k j M k j or t k j 1 t k j 1. There are two cases. Firstly, if h(t k j 1,M k j 1 ) = t k j = t k j = h(t k j 1,M k j 1 ) we have a collision for h. Secondly, if t k j t k j, we apply the induction hypothesis and obtain a collision for h as well. Figure 2 illustrates this step. 65
9 j j 1 M k j M k j+1 t k j 1 t k j t k j+1 Figure 2: Illustration for proof of theorem 24 66
Integrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationCryptographic hash functions and MACs
Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21 Introduction Encryption confidentiality against eavesdropping 2 / 21 Introduction
More informationCryptographic Hash Functions
Cryptographic Hash Functions Cryptographic Hash Functions A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. Iterated Hash Function A (compression)
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital
More informationCS-E4320 Cryptography and Data Security Lecture 5: Hash Functions
Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security In crypto, CHF instantiates a Random Oracle paradigm In security,
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 8 Hash Functions 8.1 Hash Functions Hash Functions A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationMessage Authentication Codes and Cryptographic Hash Functions
Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1 Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationENEE 459-C Computer Security. Message authentication
ENEE 459-C Computer Security Message authentication Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives
More informationComputer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Hashes & Macs Aggelos Kiayias University of Connecticut What is a hash function? A way to produce the fingerprint of a file what are the required properties: 1. Efficiency.
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationCSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CSCI 454/554 Computer and Network Security Topic 4. Cryptographic Hash Functions Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication Code
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationOutline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question
Hash function lengths Outline AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationOutline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.
AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 34 Cryptographic Hash Functions A hash function provides message integrity and authentication
More informationCryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationHow many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?
Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that
More informationCryptography. Summer Term 2010
Summer Term 2010 Chapter 2: Hash Functions Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2 Contents Definition and basic properties Basic design principles
More informationInformation Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1
Information Security message M one-way hash fingerprint f = H(M) 4/19/2006 Information Security 1 Outline and Reading Digital signatures Definition RSA signature and verification One-way hash functions
More informationNetwork and System Security
Network and System Security Lecture 5 2/12/2013 Hashes and Message Digests Mohammad Almalag 1 Overview 1. What is a cryptographic hash? 2. How are hashes used? 3. One-Way Functions 4. Birthday Problem
More informationECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key
ECE 646 Lecture 11 Hash functions & MACs Digital Signature Alice Message Signature Message Signature Bob Hash function Hash function Hash value Public key algorithm yes Hash value 1 Hash value 2 no Public
More informationCryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi
Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCryptographic Hash Functions. William R. Speirs
Cryptographic Hash Functions William R. Speirs What is a hash function? Compression: A function that maps arbitrarily long binary strings to fixed length binary strings Ease of Computation: Given a hash
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationSome Stuff About Crypto
Some Stuff About Crypto Adrian Frith Laboratory of Foundational Aspects of Computer Science Department of Mathematics and Applied Mathematics University of Cape Town This work is licensed under a Creative
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationS. Erfani, ECE Dept., University of Windsor Network Security
4.11 Data Integrity and Authentication It was mentioned earlier in this chapter that integrity and protection security services are needed to protect against active attacks, such as falsification of data
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationAppendix A: Introduction to cryptographic algorithms and protocols
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ Appendix A: Introduction to cryptographic algorithms and protocols 2007 Levente Buttyán and Jean-Pierre Hubaux symmetric and asymmetric
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 15 February 29, 2012 CPSC 467b, Lecture 15 1/65 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationIntroduction to Software Security Hash Functions (Chapter 5)
Introduction to Software Security Hash Functions (Chapter 5) Seong-je Cho Spring 2018 Computer Security & Operating Systems Lab, DKU Sources / References Textbook, Chapter 5. An Illustrated Guide to Cryptographic
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationSymmetric Encryption 2: Integrity
http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationDistributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography
More informationChapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012
Chapter 8 Security A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you see the animations; and can add,
More informatione-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text Cryptography and Network Security Module 28- Hash Algorithms
More informationSecurity Requirements
Message Authentication and Hash Functions CSCI 454/554 Security Requirements disclosure traffic analysis masquerade content modification sequence modification timing modification source repudiation destination
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationLecture IV : Cryptography, Fundamentals
Lecture IV : Cryptography, Fundamentals Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University Spring 2012 Basic Principles
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcements Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography
More information1.264 Lecture 28. Cryptography: Asymmetric keys
1.264 Lecture 28 Cryptography: Asymmetric keys Next class: Anderson chapters 20. Exercise due before class (Reading doesn t cover same topics as lecture) 1 Asymmetric or public key encryption Receiver
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography! Is n A tremendous tool n The basis for many security mechanisms! Is not n The solution to all security problems n Reliable unless implemented properly n Reliable
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationAlgorithms (III) Yijia Chen Shanghai Jiaotong University
Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the
More informationDavid Wetherall, with some slides from Radia Perlman s security lectures.
David Wetherall, with some slides from Radia Perlman s security lectures. djw@cs.washington.edu Networks are shared: Want to secure communication between legitimate participants from others with (passive
More informationLecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422
Lecture 20 Public key Crypto Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422 Review: Integrity Problem: Sending a message over an untrusted
More informationCOMP 4109 Applied Cryptography
COMP 4109 Applied Cryptography Cryptosystems (P,C,K,E,D) 1. P is the finite set of possible plaintexts 2. C is a finite set of possible ciphertexts 3. K is the keyspace, a finite set of possible keys 4.
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationChapter 11 Message Integrity and Message Authentication
Chapter 11 Message Integrity and Message Authentication Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 11.1 Chapter 11 Objectives To define message integrity
More informationn-bit Output Feedback
n-bit Output Feedback Cryptography IV Encrypt Encrypt Encrypt P 1 P 2 P 3 C 1 C 2 C 3 Steven M. Bellovin September 16, 2006 1 Properties of Output Feedback Mode No error propagation Active attacker can
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationAlgorithms (III) Yu Yu. Shanghai Jiaotong University
Algorithms (III) Yu Yu Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the assumed
More informationCSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L
CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any
More informationAlgorithms (III) Yijia Chen Shanghai Jiaotong University
Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms
Public Key Cryptography Kurose & Ross, Chapters 8.28.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) AddisonWesley, April 2009. Copyright 19962010,
More informationOverview. Public Key Algorithms I
Public Key Algorithms I Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State
More informationHomework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08
Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08 This homework assignment is due Wednesday, February 13 at the beginning of lecture. Please bring a hard copy to class; either
More informationNetwork Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services
Chair for Network Architectures and Services Technische Universität München Network Security Cryptographic Hash Functions Add-on Benjamin s slides are authoritative Motivation (1) Common practice in data
More information