CSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Similar documents
Outline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question

Outline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptographic Hash Functions

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Jaap van Ginkel Security of Systems and Networks

Overview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)

Data Integrity & Authentication. Message Authentication Codes (MACs)

CSC 580 Cryptography and Computer Security

ENEE 459-C Computer Security. Message authentication

CSCE 715: Network Systems Security

Cryptography. Summer Term 2010

Data Integrity & Authentication. Message Authentication Codes (MACs)

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Message Authentication Codes and Cryptographic Hash Functions

Winter 2011 Josh Benaloh Brian LaMacchia

Data Integrity. Modified by: Dr. Ramzi Saifan

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Digests Requirements MAC Hash function Security of Hash and MAC Birthday Attack MD5 SHA RIPEMD Digital Signature Standard Proof of DSS

Spring 2010: CS419 Computer Security

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Introduction to Cryptography. Lecture 6

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

Keccak discussion. Soham Sadhu. January 9, 2012

Statistical Analysis of the SHA-1 and SHA-2 Hash Functions

A hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).

Network and System Security

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

S. Erfani, ECE Dept., University of Windsor Network Security

CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Security Requirements

Integrity of messages

Keccak specifications

Lecture 1 Applied Cryptography (Part 1)

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cryptographic Hash Functions. William R. Speirs

CSE 127: Computer Security Cryptography. Kirill Levchenko

ECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key

Lecture 4: Authentication and Hashing

P2_L8 - Hashes Page 1

CS408 Cryptography & Internet Security

CS Computer Networks 1: Authentication

Cryptographic Hash Functions

Introduction to Software Security Hash Functions (Chapter 5)

Network Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services

Encryption. INST 346, Section 0201 April 3, 2018

Cryptography and Network Security

Cryptographic Checksums

Lecture 1: Course Introduction

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Permutation-based symmetric cryptography

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

Message Authentication and Hash function

Generic collision attacks on hash-functions and HMAC

MD5 Message Digest Algorithm. MD5 Logic

Appendix K SHA-3. William Stallings

Unit III. Chapter 1: Message Authentication and Hash Functions. Overview:

Goals of Modern Cryptography

Practical Aspects of Modern Cryptography

CSC574: Computer & Network Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

V.Sorge/E.Ritter, Handout 6

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

UNIT - IV Cryptographic Hash Function 31.1

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Tuesday, January 17, 17. Crypto - mini lecture 1

Computer Security: Principles and Practice

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

UNIT III 3.1DISCRETE LOGARITHMS

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC/ECE 774 Advanced Network Security

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Cryptographic hash functions and MACs

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Observations and Attacks On The SHA-3 Candidate Blender

Ref:

Symmetric Encryption 2: Integrity

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

1.264 Lecture 28. Cryptography: Asymmetric keys

Message Authentication and Hash function 2

SHA3 Core Specification. Author: Homer Hsing

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

The Customizeable Shake Function (Cshake)

Kurose & Ross, Chapters (5 th ed.)

About notation. Outline. Keying material and algorithm abstraction. T Cryptosystems. Symmetric algorithms

CIS 4360 Secure Computer Systems Symmetric Cryptography

CSC 474/574 Information Systems Security

Security: Cryptography

ECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.

Other Topics in Cryptography. Truong Tuan Anh

Transcription:

CSCI 454/554 Computer and Network Security Topic 4. Cryptographic Hash Functions

Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication Code (HMAC) 2

Hash Function Properties

Hash Function Message of arbitrary length Hash A fixed-length short message Also known as Message digest One-way transformation One-way function Hash Length of H(m) much shorter then length of m Usually fixed lengths: 128 or 160 bits 4

Desirable Properties of Hash Functions Consider a hash function H Performance: Easy to compute H(m) One-way property (preimage resistant): Given H(m) but not m, it s computationally infeasible to find m Weak collision resistant (2-nd preimage resistant): Given H(m), it s computationally infeasible to find m such that H(m ) = H(m). Strong collision resistant (collision resistant): Computationally infeasible to find m 1, m 2 such that H(m 1 ) = H(m 2 ) 5

Question Length of Hash Image Why do we have 128 bits or 160 bits in the output of a hash function? If it is too long Unnecessary overhead If it is too short Birthday paradox Loss of strong collision property 6

Birthday Paradox Question: What is the smallest group size k such that The probability that at least two people in the group have the same birthday is greater than 0.5? Assume 365 days a year, and all birthdays are equally likely P(k people having k different birthdays): Q(365,k) = 365!/(365-k)!365 k P(at least two people have the same birthday): P(365,k) = 1-Q(365,k) 0.5 k is about 23 7

Birthday Paradox (Cont d) Generalization of birthday paradox Given a random integer with uniform distribution between 1 and n, and a selection of k instances of the random variables, What is the least value of k such that There will be at least one duplicate with probability P(n,k) > 0.5,? 8

Birthday Paradox (Cont d) Generalization of birthday paradox P(n,k) 1 e -k*(k-1)/2n For large n and k, to have P(n,k) > 0.5 with the smallest k, we have Example k = 2(ln2)n =1.18 n n 1.18*(365) 1/2 = 22.54 9

Birthday Paradox (Cont d) Implication for hash function H of length m With probability at least 0.5 If we hash about 2 m/2 random inputs, Two messages will have the same hash image Birthday attack Conclusion Choose m 128 10

Hash Function Applications

Application: File Authentication Want to detect if a file has been changed by someone after it was stored Method Compute a hash H(F) of file F Store H(F) separately from F Can tell at any later time if F has been changed by computing H(F ) and comparing to stored H(F) Why not just store a duplicate copy of F??? 12

Application: User Authentication Alice wants to authenticate herself to Bob assuming they already share a secret key K Protocol: Alice I m Alice Bob computes Y=H(R K) time! R Y picks random number R verifies that Y=H(R K) 13

User Authentication (cont d) Why not just send K, in plaintext? H(K)?, i.e., what s the purpose of R? 14

Application: Commitment Protocols Ex.: A and B wish to play the game of odd or even over the network 1. A picks a number X 2. B picks another number Y 3. A and B simultaneously exchange X and Y 4. A wins if X+Y is odd, otherwise B wins If A gets Y before deciding X, A can easily cheat (and vice versa for B) How to prevent this? 15

Commitment (Cont d) Proposal: A must commit to X before B will send Y Protocol: A picks X and computes Z=H(X) A Z = H(X) Can either A or B successfully cheat now? Y X B Picks Y verifies that H(X) = Z 16

Commitment (Cont d) Why is sending H(X) better than sending X? Why is sending H(X) good enough to prevent A from cheating? Why is it not necessary for B to send H(Y) (instead of Y)? What problems are there if: 1. The set of possible values for X is small? 2. B can predict the next value X that A will pick? 17

Application: Message Encryption Assume A and B share a secret key K but don t want to just use encryption of the message with K A sends B the (encrypted) random number R1, B sends A the (encrypted) random number R2 And then 18

Key Key Initialization R1 R2 Vector 64 64 C+H = Concatenate, then Hash one-time pad one-time pad C+H E C+H E C+H E C+H E M 11 M 22 M 33 M 44 64 64 64 64 64 64 46 46 + + padding 64 64 64 64 64 64 64 64 C 11 C 22 C 33 C 44 R1 R2 is used like the IV of OFB mode, but C+H replaces encryption; as good as encryption? 19

Application: Message Authentication A wishes to authenticate (but not encrypt) a message M (and A, B share secret key K) 1. picks random number R A B 2. computes Y = H(M K R) M, R, Y verifies that Y = H(M K R) Why is R needed? Why is K needed? 20

Application: Digital Signatures Generating a signature Message m H(m) Hash Sign Bob s Private key Verifying a signature Message m Hash H(m) Verify Signature Bob s Public key Only one party (Bob) knows the private key Signature (encrypted hash) Valid / Not Valid 21

Is Encryption a Good Hash Function? constant M1 E M2 E M3 E M4 E 64 Hash Building hash using block chaining techniques Encryption block size may be too short (DES=64) Birthday attack Can construct a message with a particular hash fairly easily Extension attacks 22

Hash Using Block Chaining Techniques Meet-in-the-middle attack Get the correct hash value G Construct any message in the form Q 1, Q 2,, Q n-2 Compute H i =E Qi (H i-1 ) for 1 i (n-2). Generate 2 m/2 random blocks; for each block X, compute E X (H n-2 ). Generate 2 m/2 random blocks; for each block Y, compute D Y (G). With high probability there will be an X and Y such that E X (H n-2 )= D Y (G). Form the message Q 1, Q 2,, Q n-2, X, Y. It has the hash value G. 23

Modern Hash Functions MD5 Previous versions (i.e., MD2, MD4) have weaknesses. Broken; collisions published in August 2004 Too weak to be used for serious applications SHA (Secure Hash Algorithm) Weaknesses were found SHA-1 Broken, but not yet cracked Collisions in 2 69 hash operations, much less than the brute-force attack of 2 80 operations Results were circulated in February 2005, and published in CRYPTO 05 in August 2005 SHA-2 (SHA-256, SHA-384, ) 24

MD5 Hash Function

MD5: Message Digest Version 5 MD5 at a glance Message of arbitrary length MD5 (multiple passes) 128-bit message digest 26

Processing of A Single Block 512-bit message block (sixteen 32-bit words) 128-bit input message digest (four 32-bit words) MD5 128-bit output message digest (four 32-bit words) Called a compression function 27

MD5: A High-Level View K bits Padding (1 to 512 bits) Message Length (K mod 2 64 ) Message 100 0 512 bits 512 bits 512 bits Y 0 Y 1 Y L-1 128 bits IV 128 bits 128 bits 128 bits MD5 MD5 MD5 CV 1 CV L-1 stage 1 stage 2 stage L 128-bit digest 28

Padding There is always padding for MD5, and padded messages must be multiples of 512 bits To original message M, add padding bits 10 0 enough 0 s so that resulting total length is 64 bits less than a multiple of 512 bits Append L (original length of M), represented in 64 bits, to the padded message Footnote: the bytes of each 32-bit word are stored in little-endian order (LSB to MSB) 29

Padding (cont d) How many 0 s if length of M = n * 512? n * 512 64? n * 512 65? 30

Preliminaries The four 32-bit words of the output (the digest) are referred to as d0, d1, d2, d3 Initial values (in little-endian order) d0 = 0x67452301 d1 = 0xEFCDAB89 d2 = 0x98BADCFE d3 = 0x10325476 The sixteen 32-bit words of each message block are referred to as m0,, m15 (16*32 = 512 bits in each block) 31

Notation ~x = bit-wise complement of x x y, x y, x y = bit-wise AND, OR, XOR of x and y x<<y = left circular shift of x by y bits x+y = arithmetic sum of x and y (discarding carry-out from the msb) x = largest integer less than or equal to x 32

Processing a Block-Overview Every message block Yi contains 16 32-bit words: m 0 m 1 m 2 m 15 A block is processed in 4 consecutive passes, each modifying the MD5 buffer d 0,, d 3. Called F, G, H, I Each pass uses one-fourth of a 64-element table of constants, T[1 64] T[i] = 2 32 *abs(sin(i)), represented in 32 bits Output digest = input digest + output of 4th pass 33

Overview (Cont d) Message Block Yi 512 bits Input Digest CV i 128 bits d0 d1 d2 d3 32 32 32 32 F, T[1..16], Y i 1 st pass G, T[17..32], Y i 2 nd pass H, T[33..48], Y i I, T[49..64], Y i 3 rd pass 4 th pass + + + + 128 bits Output Digest CV i+1 34

1 st Pass of MD5 F(x,y,z) def = (x y) (~x z) 16 processing steps, producing d 0..d 3 output: d i = d j + (d k + F(d l,d m,d n ) + m o + T p ) << s values of subscripts, in this order i j k l m n o p s 0 1 0 1 2 3 0 1 7 3 0 3 0 1 2 1 2 12 2 3 2 3 0 1 2 3 17 1 2 1 2 3 0 3 4 22 0 1 0 1 2 3 4 5 7 35

Logic of Each Step d 0 d 1 d 2 d 3 + g m k T[i] + + <<s g: F, G, H, or I + d 0 d 1 d 2 d 3 36

Logic of Each Step (Cont d) Within each pass, each of the 16 words of m i is used exactly once Round 1, m i are used in the order of i Round 2, in the order of ρ2(i), where ρ2(i)=(1+5i) mod 16 Round 3, in the order or ρ3(i), where ρ3(i)=(5+3i) mod 16 Round 4, in the order or ρ4(i), where ρ4(i)=7i mod 16 Each word of T[i] is used exactly once throughout all passes Number of bits s to rotate to get d i Round 1, s(d 0 )=7, s(d 1 )=22, s(d 2 )=17, s(d 3 )=12 Round 2, s(d 0 )=5, s(d 1 )=20, s(d 2 )=14, s(d 3 )=9 Round 3, s(d 0 )=4, s(d 1 )=23, s(d 2 )=16, s(d 3 )=11 Round 4, s(d 0 )=6, s(d 1 )=21, s(d 2 )=15, s(d 3 )=10 37

2 nd Pass of MD5 G(x,y,z) def = (x z) (y ~z) Form of processing (16 steps): d i = d j + (d k + G(d l,d m,d n ) + m o + T p ) << s i j k l m n o p s 0 1 0 1 2 3 1 17 5 3 0 3 0 1 2 6 18 9 2 3 2 3 0 1 11 19 14 1 2 1 2 3 0 0 20 20 0 1 0 1 2 3 5 21 5 38

3 rd Pass of MD5 def H(x,y,z) (x y z) = Form of processing (16 steps): d i = d j + (d k + H(d l,d m,d n ) + m o + T p ) << s i j k l m n o p s 0 1 0 1 2 3 5 33 4 3 0 3 0 1 2 8 34 11 2 3 2 3 0 1 11 35 16 1 2 1 2 3 0 14 36 23 0 1 0 1 2 3 1 37 4 39

4 th Pass of MD5 I(x,y,z) def = y (x ~z) Form of processing (16 steps): d i = d j + (d k + I(d l,d m,d n ) + m o + T p ) << s i j k l m n o p s 0 1 0 1 2 3 0 49 6 3 0 3 0 1 2 7 50 10 2 3 2 3 0 1 14 51 15 1 2 1 2 3 0 5 52 21 0 1 0 1 2 3 12 53 6 Output of this pass added to input MD 40

(In)security of MD5 A few recently discovered methods can find collisions in a few hours A few collisions were published in 2004 Can find many collisions for 1024-bit messages More discoveries afterwards In 2005, two X.509 certificates with different public keys and the same MD5 hash were constructed This method is based on differential analysis 8 hours on a 1.6GHz computer Much faster than birthday attack 41

SHA-1 Hash Function

Secure Hash Algorithm (SHA) Developed by NIST, specified in the Secure Hash Standard, 1993 SHA is specified as the hash algorithm in the Digital Signature Standard (DSS) SHA-1: revised (1995) version of SHA 43

SHA-1 Parameters Input message must be < 2 64 bits Input message is processed in 512-bit blocks, with the same padding as MD5 Message digest output is 160 bits long Referred to as five 32-bit words A, B, C, D, E IV: A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476, E = 0xC3D2E1F0 Footnote: bytes of words are stored in bigendian order 44

Big Endian vs. Little Endian A 32-bit word can be saved in 4 bytes For instance, 90AB12CD 16 Big Endian Little Endian 45

Preprocessing of a Block Let 512-bit block be denoted as sixteen 32-bit words W 0..W 15 Preprocess W 0..W 15 to derive an additional sixty-four 32-bit words W 16..W 79, as follows: for 16 t 79 W t = (W t-16 W t-14 W t-8 W t-3 ) << 1 46

Block Processing Consists of 80 steps! (vs. 64 for MD5) Inputs for each step 0 t 79: W t K t a constant A,B,C,D,E: current values to this point Outputs for each step: A,B,C,D,E : new values Output of last step is added to input of first step to produce 160-bit Message Digest 47

Constants K t Only 4 values (represented in 32 bits), derived from 2 30 * i 1/2, for i = 2, 3, 5, 10 for 0 t 19: K t = 0x5A827999 (i=2) for 20 t 39: K t = 0x6ED9EBA1 (i=3) for 40 t 59: K t = 0x8F1BBCDC (i=5) for 60 t 79: K t = 0xCA62C1D6 (i=10) 48

Function f(t,b,c,d) 3 different functions are used in SHA-1 processing Round Function f(t,b,c,d) Compare with MD-5 0 t 19 (B C) (~B D) 20 t 39 B C D F = (x y) (~x z) H = x y z 40 t 59 (B C) (B D) (C D) 60 t 79 B C D H = x y z No use of MD5 s G ((x z) (y ~z)) or I (y (x ~z)) 49

Processing Per Step Everything to right of = is input value to this step for t = 0 upto 79 endfor A = E + (A << 5) + W t + K t + f(t,b,c,d) B = A C = B << 30 D = C E = D 50

Comparison: SHA-1 vs. MD5 SHA-1 is a stronger algorithm brute-force attacks require on the order of 2 80 operations vs. 2 64 for MD5 SHA-1 is about twice as expensive to compute Both MD-5 and SHA-1 are much faster to compute than DES 51

Security of SHA-1 SHA-1 output 160 bits Broken, but not yet cracked Collisions in 2 69 hash operations, much less than the brute-force attack of 2 80 operations Results were circulated in February 2005, and published in CRYPTO 05 in August 2005 Considered insecure for collision resistance One-way property still holds SHA-2(SHA-224, SHA-256, SHA-384, SHA-512 ) 52

SHA-3 is coming NIST is having an ongoing competition for SHA-3, the next generation of standard hash algorithms 2007: Request for submissions of new hash functions 2008: Submissions deadline. Received 64 entries. Announced firstround selections of 51 candidates. 2009: After First SHA-3 candidate conference in Feb, announced 14 Second Round Candidates in July. 2010: After one year public review of the algorithms, hold second SHA-3 candidate conference in Aug. Announced 5 Third-round candidates in Dec. 2011: Public comment for final round 2012: Held Final hash candidate conference on March 22-23. Draft standard, wait for comments, and submit recommendation. The winning algorithm, Keccak, was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. 53

Hashed Message Authentication Code (HMAC)

Extension Attacks Given M1, and secret key K, can easily concatenate and compute the hash: H(K M1 padding) Given M1, M2, and H(K M1 padding) easy to compute H(K M1 padding M2 newpadding) for some new message M2 Simply use H(K M1 padding) as the IV for computing the hash of M2 newpadding does not require knowing the value of the secret key K 55

Extension Attacks (Cont d) Many proposed solutions to the extension attack, but HMAC is the standard Essence: digest-inside-a-digest, with the secret used at both levels The particular hash function used determines the length of the message digest = length of HMAC output 56

HMAC Processing Key K pad on right with 0 s to 512 bits in length 0x363636 36 Message M 0x5c5c5c 5c concatenate compute message digest concatenate compute message digest HMAC(key,message) 57

Security of HMAC At high level, HMAC K [M] = H(K H(K M)) If used with a secure hash functions (e.g., SHA-256) and according to the specification (key size, and use correct output), no known practical attacks against HMAC 58

Summary Hashing is fast to compute Has many applications (some making use of a secret key) Hash images must be at least 128 bits long but longer is better Hash function details are tedious " HMAC protects message digests from extension attacks

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback