1 Some Current Thinking on Hash Functions Within NIST John Kelsey, NIST, June 2005.

2 Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)

3 How We Got Here: Recent Attacks
● Crypto 2004
  – Wang rump session talk (aka mass die-off of hash functions)
  – Joux, Biham/Chen analyses of SHA0/1
  – Joux multicollision result
● In 2005 (so far):
  – Wang announced break of SHA1
  – Many clever applications of MD5 collisions
  – 2nd preimage attacks
  – Full details of MD4/MD5/RIPEMD attacks published

4 Impact of Attacks
● MD5 Attack:
  – Attack is practical, and MD5 still widely used
  – Huge need to quickly migrate to something stronger!
  – But NIST never had recommended MD5....
● SHA1 Attack:
  – Attack not (yet) very practical (about 2^69)
  – Need to migrate to something stronger, but not urgent.
  – SHA1's life was almost over anyway....
  – ...but NIST got burned!

5 Impact of Attacks (2)
● Damgard-Merkle Construction attacks
  – Joux multicollisions
  – 2nd preimages
  – More to come....
● Impact:
  – When can we trust n-bit iterated hash with attacker who can do 2^(n/2) work?
  – HMAC unaffected
  – How much do we really know about our hash constructions?
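
Added example, not part of the original slides: the Joux multicollision result on a toy iterated hash, showing that 2^k colliding messages cost only about k birthday searches of roughly 2^(n/2) work each. The 16-bit chaining value, the `compress` function built from truncated SHA-256, the 4-byte block size and all function names are assumptions chosen so the search finishes in well under a second.

```python
import hashlib
from itertools import product

STATE_BYTES = 2                      # toy n = 16-bit chaining value (assumption)
IV = b"\x00" * STATE_BYTES

def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to n bits."""
    return hashlib.sha256(h + block).digest()[:STATE_BYTES]

def toy_hash(blocks) -> bytes:
    """Iterate compress() over the blocks, Damgard-Merkle style.
    Length padding is omitted: every message built here has the same length,
    so a final padding block would be identical for all of them."""
    h = IV
    for block in blocks:
        h = compress(h, block)
    return h

def find_block_collision(h: bytes):
    """Birthday search: two distinct 4-byte blocks that collide from state h."""
    seen, calls = {}, 0
    while True:
        block = calls.to_bytes(4, "big")
        out = compress(h, block)
        calls += 1
        if out in seen:
            return seen[out], block, out, calls
        seen[out] = block

def joux_multicollision(k: int):
    """Chain k one-block collisions. Returns the k block pairs, the common
    digest, and the total number of compress() calls spent searching."""
    h, pairs, work = IV, [], 0
    for _ in range(k):
        b0, b1, h, calls = find_block_collision(h)
        pairs.append((b0, b1))
        work += calls
    return pairs, h, work

def all_messages(pairs):
    """Every way of picking one block per pair: 2^k distinct messages."""
    return [list(choice) for choice in product(*pairs)]

if __name__ == "__main__":
    pairs, digest, work = joux_multicollision(8)
    msgs = all_messages(pairs)
    assert all(toy_hash(m) == digest for m in msgs)
    print(f"{len(msgs)} messages share digest {digest.hex()}; {work} compress() calls")
```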

6 Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
  – Same organization designed it (NSA)
  – Same organization standardized on it (NIST)
  – Similar enough design to raise concerns
● ...but is public crypto community doing any better?
  – How well do we understand hash functions?

7 How to React to Attacks?
● Short-Term:
  – Migration to SHA256 and truncated SHA256
  – A few special-purpose workarounds
  – Evaluate SHA256/512 for security
● Long-Term:
  – Existing alternatives to SHA family?
  – Developing new algorithms?

8 Short-Term Reaction: Migration and Workarounds
● Migration to SHA256
  – Urgent need for cryptanalysis before mass migration
  – Truncated SHA256 (SHA-x): Drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize impact of collisions on applications.
● Problems:
  – SHA256 confidence?
  – Hard to migrate twice.
  – MD5 and SHA1 apps in very different situations.

9 Long-Term Reaction: New Algorithms?
● SHA256/512 already in protocols and products
  – Won't be withdrawn unless a real attack appears
  – Do we need another algorithm?
● Few existing choices with required parameters
  – {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
● A few possibilities:
  – Whirlpool (256/384/512)
  – GOST hash (256)
  – Existing generic block cipher constructions w/ AES

10 New Algorithms: Requirements We Know About
● Drop-in Replacement for SHA family
● Output size = {224,256,384,512}
  – (Truncation OK)
  – n-bit output must correspond to n/2-bit collision (Needed for DSA, ECDSA)
● Usable in other common hash places
  – Pseudorandom Bit Generation
  – Key Derivation
● Public, unpatented, full disclosure of analysis and design process

11 New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
  – Block multicollisions and 2nd preimage attacks?
  – Fixing the length-extension property?
● What should be the performance requirements?
  – Parallelizability?
  – 8/32/64 bit architectures?
  – Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
  – Block cipher construction from AES?
  – Special purpose provable hash functions?

12 Big Questions about New Algorithms
● Where will they come from?
  – NSA (like SHA family)?
  – Existing/published designs?
  – Other standards?
● Should there be an AES-like contest?
  – Not clear we can do this within our budget/manpower constraints!
  – Is hash function design/analysis mature enough field to do this?
  – Nailing down requirements up front

13 The Workshop: Oct 31-Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
  – Use SHA256/512?
  – Use existing alternative?
  – Contest/process for designing new hash?
  – Requirements on new hash?