Cryptographic Hash Functions. William R. Speirs

Similar documents
Cryptography. Summer Term 2010

ENEE 459-C Computer Security. Message authentication

Cryptographic Hash Functions

Cryptographic Hash Functions

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

COMP4109 : Applied Cryptography

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Integrity of messages

Message Authentication Codes and Cryptographic Hash Functions

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Data Integrity. Modified by: Dr. Ramzi Saifan

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Cryptographic Hash Functions

Jaap van Ginkel Security of Systems and Networks

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

CSCE 715: Network Systems Security

Message Authentication and Hash function

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Ref:

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

Lecture 1: Course Introduction

Cryptography and Network Security

Network and System Security

Encryption I. An Introduction

CSC 580 Cryptography and Computer Security

CS408 Cryptography & Internet Security

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

S. Erfani, ECE Dept., University of Windsor Network Security. All hash functions operate using the following general principles:

Keccak discussion. Soham Sadhu. January 9, 2012

CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Winter 2011 Josh Benaloh Brian LaMacchia

Building a 256-bit hash function on a stronger MD variant

CIT 480: Securing Computer Systems. Hashes and Random Numbers

NEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES.

Computer Security: Principles and Practice

Chapter 11 Message Integrity and Message Authentication

CSE 127: Computer Security Cryptography. Kirill Levchenko

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Spring 2010: CS419 Computer Security

Some Stuff About Crypto

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Enhancing the Security Level of SHA-1 by Replacing the MD Paradigm

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

Data Integrity & Authentication. Message Authentication Codes (MACs)

UNIT - IV Cryptographic Hash Function 31.1

Some thoughts on Collision Attacks in the Hash Functions MD5, SHA-0 and SHA-1

Jaap van Ginkel Security of Systems and Networks

Demise of MD5 and SHA-1. Designing the New Hash. Stanis law Pawe l Radziszowski Department of Computer Science Rochester Institute of Technology

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Generic collision attacks on hash-functions and HMAC

Encryption. INST 346, Section 0201 April 3, 2018

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Multiple forgery attacks against Message Authentication Codes

Lecture 1 Applied Cryptography (Part 1)

S. Erfani, ECE Dept., University of Windsor Network Security

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Statistical Analysis of the SHA-1 and SHA-2 Hash Functions

Kurose & Ross, Chapters (5 th ed.)

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Permutation-based symmetric cryptography

Public Key Cryptography

Hash functions & MACs

Cryptanalysis on Hash Functions. Xiaoyun Wang Tsinghua University & Shandong University

AUTHENTICATION. Slides are from Andreas Pfitzmann, Andreas Westfeld, Sebastian Clauß, Mike Bergmann and myself (Stefan Köpsell)

Message Authentication with MD5 *

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

P2_L8 - Hashes Page 1

MasterMath Cryptology /2 - Cryptanalysis

Chapter 6. New HASH Function. 6.1 Message Authentication. Message authentication is a mechanism or service used for verifying

Introduction to Software Security Hash Functions (Chapter 5)

MTAT Applied Cryptography

Computer Security: Hashing

Data & Network Security By. Samiullah Khan. Week 11. Hash Algorithm/Message Digest MD2 MD4

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

CS Computer Networks 1: Authentication

Cryptography MIS

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011

Cryptography V: Digital Signatures

18733: Applied Cryptography S17. Mini Project. due April 19, 2017, 11:59pm EST. φ(x) := (x > 5) (x < 10)

Data Encryption Standard

Collision and Preimage Resistance of the Centera Content Address

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication

Cryptography V: Digital Signatures

Observations and Attacks On The SHA-3 Candidate Blender

Evolution of Sha-176 Algorithm

Transcription:

Cryptographic Hash Functions William R. Speirs

What is a hash function? Compression: A function that maps arbitrarily long binary strings to fixed length binary strings Ease of Computation: Given a hash function and an input it should be easy to calculate the output Often used to create a hash table where the hash function computes the index into the table

Types of Cryptographic Hash Functions Hash Function Unkeyed Hash Function (Modification Detection Code) Keyed Hash Function (Message Authentication Code) One-Way Collision Resistant

Math Background Domain & Range: y = f(x), y Y, x X Y is called the range of f X is called the domain of f y is the image of x, and x is the preimage of y There are Y X functions from X to Y If X > Y then x 1, x 2 X such that f(x 1 ) = f(x 2 )

Properties of a Hash Function Preimage Resistance (One Way): For essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output. Second Preimage Resistance (Weak Col. Res.): It is computationally infeasible to find any second input which has the same output as any specified input. Collision Resistance (Strong Col. Res.): It is computationally infeasible to find any two distinct inputs which hash to the same output.

Game Definitions An attacker is provided information and must find other information that meets certain criteria Preimage Resistance Given: H(M) Find: M Second Preimage Resistance Given: H(M) and M Find: M such that H(M) = H(M ) and M M Collision Resistance Given: nothing Find: M and M such that H(M) = H(M ) and M M

Applications for Hash Functions Data Integrity Downloading of large files often include the MD5 digest to verify the integrity of the file Proof of Ownership Publish the digest of a document describing a patent idea in the New York Times ( All the news that is fit to print ) Digital Signatures Digitally sign the digest of a message instead of the message to save computational time

Building Secure Hash Functions Merkle-Damgård Construction Defines a method for padding a message Creates a hash function from a fixed input size compression function A compression function g takes a fixed size binary string as input and creates a smaller fixed size binary string If the compression function is preimage resistant and collision resistant the hash function is preimage resistant and collision resistant Other Constructions HAIFA, EMD, RMX, Dynamic Construction

The Merkle-Damgård Padding Append a single 1 bit to the end of the message Append as many 0 bits to the end of the message as is required to make the message a multiple of the input size of the compression function, minus 64 bits Append the bit length of the message as a 64-bit integer to the end of the message Message 1 00 00 Size of Message (64 bits)

The Merkle-Damgård Construction Construction, where M = m 1 m 2 m n H(M) := H 0 = g(iv, m 1 ) H i = g(h i-1, m i ) for i = 2, 3, n H(M) = H n m 1 m 2 m 3 m n IV g H 0 g H 1 g H n-1 H 2 H(M) g

Notation For both MD5 and SHA-1 all variables are 32-bit quantities and all operations are bitwise

The MD5 Function Specifies the compression function to use Processes 512-bit message blocks Produces a 128-bit digest Is derived from MD4 to address security concerns Created by Ronald Rivest and described in RFC 1321

The MD5 Compression Function Each iteration consists of 4 rounds of 16 steps each, each step processing 32-bits of the message Each round processes all 512 of the input bits 4 round functions, 1 per round: F(X, Y, Z) 4 internal 32-bit registers store the current state of the algorithm The internal registers are initialized to fixed constants

An MD5 Step A D are the 32-bit internal registers F is 1 of 4 functions M i is the i th message block K i is the i th round constant <<< s is an s-bit rotation to the left

The SHA-1 Function Processes 512-bit message blocks Produces a 160-bit digest Is also derived from MD4 A slight modification of SHA-0 to fix a technical error Created by NIST with the aid of the NSA Defined in FIPS PUB 180-2

The SHA-1 Compression Function Message expansion round expanding 16 32-bit message words to 80 32-bit message words Consists of 4 rounds of 20 steps each, each step processing 32-bits of the expanded message Each round processes 20 of the 80 expanded words 3 round functions, 1 used twice 5 internal 32-bit registers store the current state of the algorithm The internal registers are initialized to fixed constants

SHA-1 Expansion Round Expands 512-bit (16 32-bit words) to 2,560 bits (80 32-bit words) Defined by the recurrence: Differs from SHA-0 by the 1-bit rotation to the left

An SHA-1 Step A E are the 32-bit internal registers F is one of the following W t is the t th expanded message word K t is the t th round constant <<< is a rotation to the left

Real World Examples Let M = 0000 0000 and M = 0000 00001 MD5(M) = 0x93b885adfe0da089cdf634904fd59f71 MD5(M ) = 0x55a54008ad1ba589aa210d2629c1df41 SHA-1(M) = 0x5ba93c9db0cff93f52b521d7420e43f6eda2784f SHA-1(M ) = 0xbf8b4530d8d246dd74ac53a13471bba17941dff7 On average changing 1 input bit will change 50% of the output bits Avalanche condition

Current State of Hash Functions Researchers try to break hash functions in 1 of 2 ways 1. Finding two messages (usually single message blocks) hash to the same digest 2. Find the message that creates the digest of all zeros or all ones (essentially finding a preimage) Collisions and preimages can be found for MD4 Collisions can be constructed for MD5 and SHA-0 Theoretic collisions discovered for SHA-1 SHA-256 & SHA-512 has no known attacks

References Handbook of Applied Cryptography, Menezes, van Oorshot, Vanstone FIPS PUB 180-2, NIST RFC 1321 Pictures from http://en.wikipedia.org/wiki/image:md5.png http://en.wikipedia.org/wiki/image:sha-1.png

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback