Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation

Definition of a Hash Function Originally created to verify that a transmission was successful Originally created to verify that a transmission was successful If not, then the transmission would be re-sent If not, then the transmission would be re-sent Mainly error detection Mainly error detection Newer ones are for data integrity Newer ones are for data integrity

CRC – Cyclic Redundancy Check Checksum Checksum Detects errors after transmission or storage Detects errors after transmission or storage Problem – if you move a word in the document, but don’t delete it, the checksum remains the same Problem – if you move a word in the document, but don’t delete it, the checksum remains the same Cannot be used reliably for data integrity Cannot be used reliably for data integrity

CRC – (page 2) Several varieties, 8 bit to 64 bit, a few 128 bit checksums Several varieties, 8 bit to 64 bit, a few 128 bit checksums Polynomials Polynomials CRC-1x + 1 (Used in hardware, also known as parity bit) CRC-1x + 1 (Used in hardware, also known as parity bit)parity bitparity bit CRC-5 x5 + x2 + 1 (used in USB token packets) CRC-5 x5 + x2 + 1 (used in USB token packets)USB CRC-7 x7 + x3 + 1 (used in some telecom systems) CRC-7 x7 + x3 + 1 (used in some telecom systems) CRC-12 x12 + x11 + x3 + x2 + x + 1 (used in telecom systems) CRC-12 x12 + x11 + x3 + x2 + x + 1 (used in telecom systems)

Crytographic Hash Function Should not be able to predict the hash value of a message Should not be able to predict the hash value of a message Two messages should not have the same hash value Two messages should not have the same hash value Any change should result in a different hash value Any change should result in a different hash value

Message Digest 2 Created by Ronald Rivest in 1989 Created by Ronald Rivest in bit hash value 128 bit hash value Is still used for public key encryption and digital signatures Is still used for public key encryption and digital signatures Done at MIT Done at MIT

MD4 Developed by Rivest to address the problems with MD2 Developed by Rivest to address the problems with MD2 Created in 1990 Created in bit hash 128 bit hash 32 digit hexadecimal 32 digit hexadecimal First a message is padded to be 64 bits shy of a multiple of 512 bits First a message is padded to be 64 bits shy of a multiple of 512 bits

How MD4 works 64 bit data stream which contains the length of the original message is now appended to the padded message 64 bit data stream which contains the length of the original message is now appended to the padded message A four word (32 bits each) buffer is used to generate the message digest A four word (32 bits each) buffer is used to generate the message digest Process each 16 word block of the message Process each 16 word block of the message Output the MD Output the MD

MD5 Developed in 1991 to address weaknesses in MD4 Developed in 1991 to address weaknesses in MD4 128 bit cryptographic hash 128 bit cryptographic hash Very similar to MD4, but with some changes Very similar to MD4, but with some changes Still reliable for data integrity, but not for malicious attacks Still reliable for data integrity, but not for malicious attacks

One MD5 operation — MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the message input, and Ki denotes a 32-bit constant, different for each operation.

Collisions with MD5 August 2004 collisions for the full MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu. August 2004 collisions for the full MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu. Their analytical attack was reported to take only one hour on an IBM p690 cluster. (Up to 1TB of ECC Chipkill system memory) Their analytical attack was reported to take only one hour on an IBM p690 cluster. (Up to 1TB of ECC Chipkill system memory)

SHA Group SHA-0 Developed in 1993 SHA-0 Developed in 1993 Secure Hash Algorithm Secure Hash Algorithm Pushed by the NSA Pushed by the NSA Problems arose, replaced by SHA-1 Problems arose, replaced by SHA bit digest 160 bit digest SHA-0 had near collisions with 142 of the 160 being equal SHA-0 had near collisions with 142 of the 160 being equal

One iteration within the SHA-1 compression function. A, B, C, D and E are 32-bit words of the state; F is a nonlinear function that varies; <<< denotes a left bit rotation by s places; s varies for each operation. The red square denotes addition modulo K t is a constant.

Collisions with SHA-1 In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced. In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced. Xiaoyun WangYiqun Lisa Yin Hongbo Yu Xiaoyun WangYiqun Lisa Yin Hongbo Yu The attacks can find collisions in the full version of SHA-1, requiring fewer than 2^69 operations The attacks can find collisions in the full version of SHA-1, requiring fewer than 2^69 operations

What’s Next? Stronger hashes Stronger hashes SHA-256, SHA-384, SHA-512 SHA-256, SHA-384, SHA-512 Does it affect you? Does it affect you? Maybe… Maybe…

As an Expert Witness Feel free to tell what you use hashes for Feel free to tell what you use hashes for Do not attempt to describe them, simply say I am not a mathematician Do not attempt to describe them, simply say I am not a mathematician Do say, it is approved by my agency and by the NSA or NIST Do say, it is approved by my agency and by the NSA or NIST