Cryptographic Hash Functions

Similar documents
Message Authentication Codes and Cryptographic Hash Functions

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Integrity of messages

Introduction to Cryptography. Lecture 6

Lecture 1 Applied Cryptography (Part 1)

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Data Integrity. Modified by: Dr. Ramzi Saifan

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptographic hash functions and MACs

CS408 Cryptography & Internet Security

Data Integrity & Authentication. Message Authentication Codes (MACs)

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

ENEE 459-C Computer Security. Message authentication

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Security: Cryptography

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Cryptographic Hash Functions

Lecture 1: Course Introduction

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Winter 2011 Josh Benaloh Brian LaMacchia

Cryptography. Summer Term 2010

Cryptographic Hash Functions. William R. Speirs

CS155. Cryptography Overview

Lecture 4: Authentication and Hashing

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

COMP4109 : Applied Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Cryptographic Hash Functions

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

CSCE 715: Network Systems Security

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Some Stuff About Crypto

CPSC 467b: Cryptography and Computer Security

Information Security CS526

Chapter 11 Message Integrity and Message Authentication

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Symmetric Encryption 2: Integrity

CSC/ECE 774 Advanced Network Security

Lecture 6 - Cryptography

P2_L8 - Hashes Page 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Spring 2010: CS419 Computer Security

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Introduction to Software Security Hash Functions (Chapter 5)

CSC 774 Network Security

Message authentication codes

Lecture 4: Hashes and Message Digests,

Message authentication

Generic collision attacks on hash-functions and HMAC

Appendix A: Introduction to cryptographic algorithms and protocols

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

CS 161 Computer Security

CS Computer Networks 1: Authentication

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

RSA. Public Key CryptoSystem

Encryption. INST 346, Section 0201 April 3, 2018

n-bit Output Feedback

Jaap van Ginkel Security of Systems and Networks

S. Erfani, ECE Dept., University of Windsor Network Security

CS155. Cryptography Overview

CSC 580 Cryptography and Computer Security

CSC 5930/9010 Modern Cryptography: Digital Signatures

Betriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität

Security Requirements

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Message Authentication and Hash function

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Ref:

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CSC 474/574 Information Systems Security

V.Sorge/E.Ritter, Handout 6

Computer Security: Principles and Practice

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

Cryptography: More Primitives

CS408 Cryptography & Internet Security

Computer Security CS 526

Permutation-based symmetric cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Study Guide for the Final Exam

Outline. Block cipher, basic idea. From last time. Pseudorandom permutation. Confusion and diffusion. Block ciphers and modes of operation

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

UNIT - IV Cryptographic Hash Function 31.1

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

Computer Security Spring Hashes & Macs. Aggelos Kiayias University of Connecticut

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Transcription:

ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh)

Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and stream ciphers! Motivations for public-key cryptography! Basic number x theory needed for public-key crypto! Diffie-Hellman key exchange protocol! RSA public key encryption scheme! RSA digital signature scheme! Topics to be covered under cryptography: Hash functions, MACs, IND-CPA, IND-CCA, IND-CCA2, randomized encryption, Hash-then-sign, authenticated encryption

Today s Lecture: Cryptographic Hash Functions! Basic definition of a hash function (MD2, MD4, MD5, SHA1, SHA256, )! Important x properties of hash functions E.g., strong collision resistance! Uses of hash functions! How hash functions like SHA1 etc. work E.g., Merkle-Damagard construction

Basic Definitions: Cryptographic Hash Functions Arbitrary x Length Input Passwords, files Cryptographic hash function (e.g., SHA1, MD5, SHA256, ) Fixed Length Output Message digest (e.g. 160 bits) Different from classic hash functions used in hash tables etc. Different from provably-secure cryptographic hash functions

Uses of Cryptographic Hash Functions! User Authentication (e.g., passwords)! Message Authenticity (e.g., Hash MACs)! Compact file identifiers (e.g., in Git, )! Used in digital signatures! Certain obfuscation schemes rely on provablysecure hash functions

Important Properties of Cryptographic Hash Functions! Compression! First pre-image resistance! Second pre-image resistance! Strong collision resistance! Efficient! Deterministic (?)

Important Properties of Cryptographic Hash Functions! Let h: X è Y denote a hash function! First pre-image resistance: Given y in Y, it is computationally infeasible to compute a value x in X such that h(x) = y! Hard to invert! Why we need this property? If hash function is invertible, then it is not useful for crypto applications E.g., password authentication will be broken

Important Properties of Cryptographic Hash Functions! Let h: X è Y denote a hash function! Second pre-image resistance: Given x in X, it is computationally infeasible to compute a different value x in X such that h(x) = h(x )! Weak collision-resistance (sometimes also called target collisionresistance)! Why we need this property? If hash function is not weak collision-resistant, then it is not useful for crypto applications E.g., password authentication will be broken because even if the attacker doesn t get your actual password, he can still get another string of bits that collides with and is as good as your actual password

Important Properties of Cryptographic Hash Functions! Let h: X è Y denote a hash function! Strong collision-resistance: It is computationally infeasible to find distinct inputs x, x such that h(x) = h(x )! Why we need this property? Usability of hash functions Security of hash-then-sign schemes w Given h, attacker computes m,m such that h(m) = h(m ) w Attacker gives m to Alice to hash-then-sign w Alice produces <m, Sign(h(m))> w Attacker replaces it with <m, Sign(h(m))>, and claims Alice signed it

Relationship between Properties of Cryptographic Hash Functions! Strong collision resistance implies weak collision resistance in the Random Oracle Model (ROM) Proof by contradiction Assume h is strongly collision-resistant but not weakly collision-resistant What does it mean to be not weakly collision-resistant: Given a value m we can quickly find a different value m such that h(m) = h(m ) Present <m,m > as a counter-example for the strong collision-resistant claim. QED.! Similarly, show that strong collision resistance implies first preimage attack resistance

Birthday Paradox and the Cardinality of Hash Function s Range! Birthday Paradox When iteratively sampling (with replacement) elements from a set of cardinality N, it is highly likely to sample the same element twice after sqrt(n) attempts! Cardinality of Hash function s range = 2 (# of bits of digest)! Hence, hash function digest size should be as large as possible

How do common hash functions work?! Most common hash functions such as MD5, etc. use what is called a Merkle-Damagard (MD) construction! It is an iterative algorithm, where each iteration is called a round! Takes an input of arbitrary length, and pads it so that it can be split into equal-size blocks (e.g., 512 bits)! MD internally uses a proper one-way compression function (Davies-Meyer, MDC-2/Meyer Schilling, )

The Merkle-Damgard iterated construction m[0] m[1] m[2] m[3] ll PB IV (fixed) h h h h H(m) Thm: h collision resistant H collision resistant Goal: construct compression function h: T X T

Internals of the Merkle-Damagard Construction! Questions What is h? w h is a compression function whose input and output both are fixed-length strings Does the construction have the various properties we require of hash functions? Intuitively, why is it collision-resistant? Proofs of security?

Security of the Merkle-Damagard Construction! Theorem: If h is a collision-resistant compression function, then H is a collision-resistant hash function! Proof Sketch: (We prove the contrapositive of the above statement) Suppose you can find x x such that H(x) = H(x ), i.e., H is not collisionresistant. Then we can show that we can find collision on h What are the different ways in which we get H(x) = H(x )? w The last call of h produces the same output for different inputs. We found a collision in h, violating the assumption that h is collision-resistant w The last call of h for x, x have the same input. This means that some previous call of h produces the same output for different inputs, given that x and x are different at least in 1 bit w Hence, we found a collision in h.

Avalanche Effect: Merkle-Damagard (MD) Construction! Changing 1 bit of the input can change large number of (upwards of 50%) of the output bits! A design heuristic for hash functions and block ciphers! Ensures that similar looking inputs do not produce similar looking outputs! Essential for security provided by hash-based login! Difficult to define theoretically and prove

The Merkle-Damgard iterated construction m[0] m[1] m[2] m[3] ll PB IV (fixed) h h h h H(m) Thm: h collision resistant H collision resistant Goal: construct compression function h: T X T

Compr. func. from a block cipher E: K {0,1} n {0,1} n a block cipher. The Davies-Meyer compression function: h(h, m) = E(m, H) H m i H i > E Thm: Suppose E is an ideal cipher (collection of K random perms.). Finding a collision h(h,m)=h(h,m ) takes O(2 n/2 ) evaluations of (E,D). Best possible!!

Substitution Permutation Network Source: Wikipedia

Suppose we define h(h, m) = E(m, H) Then the resulting h(.,.) is not collision resistant: to build a collision (H,m) and (H,m ) choose random (H,m,m ) and construct H as follows: H =D(m, E(m,H)) H =E(m, D(m,H)) H =E(m, E(m,H)) H =D(m, D(m,H))

Other block cipher constructions Let E: {0,1} n {0,1} n {0,1} n for simplicity Miyaguchi-Preneel: h(h, m) = E(m, H) H m h(h, m) = E(H m, m) m total of 12 variants like this Other natural variants are insecure: h(h, m) = E(m, H) m (HW)

Case study: SHA-256! Merkle-Damgard function! Davies-Meyer compression function! Block cipher: SHACAL-2 512-bit key 256-bit block > SHACAL-2 256-bit block

Provable compression functions Choose a random 2000-bit prime p and random 1 u, v p. For m,h {0,,p-1} define h(h,m) = u H v m (mod p) Fact: finding collision for h(.,.) is as hard as solving discrete-log modulo p. Problem: slow.

Recalling MACs: Hash Length Extension Attacks! Goal: message integrity and Authenticity.! No confidentiality. ex: Protecting public binaries on disk. k Message m tag k Alice Bob Generate tag: tag S(k, m) Verify tag:? V(k, m, tag) = `yes note: non-keyed checksum (CRC) is an insecure MAC!!

Recalling MACs: Length Extension Attacks Source: Wikipedia

Length Extension Attacks Explained! Alice sends data and signature (the MAC) to Bob. Recall that signature = Hash(secret data padding). Padding has a standard format that includes the length of secret data! Attacker intercepts data and signature! Attacker s goal is to append stuff to data and appropriately modify signature! The attacker sends the new data attacker extension and the appropriate signature to Bob! When Bob receives data attacker extension verifies against the new signature, it matches. Attacker doesn t need to know the secret to launch attack. He only needs to know the length of the secret used.

Internals of Hash Functions: Merkle-Damagard Construction Initialization Vector Source: Wikipedia

Length Extension Attacks Explained! Fact: When calculating H(secret data), the string (secret data) is padded with a '1' bit and some number of '0' bits, followed by the length of the string! Fact: The MD construction operates on fixed-sized blocks, and saves the output for the subsequent iteration. I.e., the signature somehow captures all of the input data secret padding! Fact: Attacker knows the data, because Alice sent it along with the signature (MAC)! We assume attacker knows the length of the secret

Length Extension Attacks Explained! The Attack:! Step 1: Compute the padding New-pad for secret data pad (secret data) attacker extension w Note that attacker already knows the length of data and length of his own attacker extension w All he needs is the length of secret to compute New-pad! Step 2: Attacker initializes the hash function H with signature and computes the H(attacker extension New-pad)! Step 3: He has a new verifiable signature for New-data = secret data pad(secret + data) attacker extension New-pad! Step 4: Send the pair <New-data, New-signature> to Bob

MAC Construction: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: Standardized method: HMAC S( k, m ) = H( k opad H( k ipad m ))

Hash MAC (HMAC-SHA256)

Why HMAC is Secure Against Length Extension Attack! The Attacker knows data, length(secret), hashsum2 (aka signature), and of course his own extension! The trouble is that he needs to know hashsum1 in order to seed the second call to hash! Let us try a length extension attack with HMAC: The attacker knows the length of the input to the second hash call, and his own extension Computes new tag by seeding hash call with hashsum2, and hash(attacker extension New-pad) = signature This won t verify properly at Bob s end, who is matching signature hash(secret data attacker-extension)

Use of Cryptographic Salt in Hash-based User Authentication! Login Program: Computes hash of password, and compares against stored hash. If match, the user is authenticated. Otherwise, authentication attempt is rejected.! Stored hashes are susceptible to theft! If passwords are easy, then they are susceptible to dictionary attacks! Dictionary attacks: Large store of easy passwords Compute hash and compare against stolen stored hashes

Use of Cryptographic Salt in Hash-based User Authentication! Login Program: Computes hash of password + random seed, and compares against stored hash. If match, the user is authenticated. Otherwise, authentication attempt is rejected.! Sometimes store even hash(intermediate hashes, password, salt)! Forces attacker who doesn t know the salt a priori to compute all possible easy password + salt combinations! Modern systems use salts upto 128 bits long Infeasible for attackers to store that large a dictionary

Cryptography Module: Putting it All Together! Which security problems can cryptography help to solve? Confidentiality through encryption schemes Integrity and Authenticity through MACs and digital signatures User authentication through hash functions! We studied two forms of encryption schemes Symmetric: Parties must share same key w One-time Pad w Stream and Block Ciphers Asymmetric: Parties need not share the same key w Motivation: Parties don t want to secretly share keys ahead of time w RSA public-key encryption

Cryptography Module: Putting it All Together! Which security problems can cryptography help to solve? Confidentiality through encryption schemes Integrity and Authenticity through MACs and digital signatures User authentication through hash functions! Digital signature schemes Motivation: Parties want to authenticate messages RSA public-key digital signature schemes! Hash functions User authentication MACs Integrity

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback