Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.

Slides:



Advertisements
Similar presentations
Hashes and Message Digests
Advertisements

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
Outline Project 1 Hash functions and its application on security Modern cryptographic hash functions and message digest –MD5 –SHA.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash and MAC Algorithms
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
HASH Functions.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.
Hash and MAC Functions CS427 – Computer Security
Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Hash and Mac Algorithms. Contents Hash Functions Secure Hash Algorithm HMAC.
Cryptographic Hash Functions
CSCE 815 Network Security Lecture 8 SHA Operation and Kerberos.
Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.
Chapter 18: One-Way Hash Functions Based on Schneier.
Cryptographic Hash Functions and Protocol Analysis
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 11 – Hash Functions.
Chapter 11 Message Authentication and Hash Functions.
MESSAGE AUTHENTICATION and HASH FUNCTIONS - Chapter 11 MESSAGE AUTHENTICATION and HASH FUNCTIONS - Chapter 11 Masquerade – message insertion, fraud, ACK.
Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Information Security and Management 11. Cryptographic Hash Functions Chih-Hung Wang Fall
1 Message Authentication using Message Digests and the MD5 Algorithm Message authentication is important where undetected manipulation of messages can.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
Information and Network Security Dr. Hadi AL Saadi Message Authentication and Hash Functions.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms
Cryptographic Hash Function
CRYPTOGRAPHY & NETWORK SECURITY
The Secure Hash Function (SHA)
Presentation transcript:

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions

Computer Science CSC 474Dr. Peng Ning2 Hash Function Also known as –Message digest –One-way transformation –One-way function –Hash Length of H(m) much shorter then length of m Usually fixed lengths: 128 or 160 bits Message of arbitrary length Hash A fixed-length short message

Computer Science CSC 474Dr. Peng Ning3 Requirements for a Hash Function Consider a hash function H –Flexibility: Can be applied to a block of data of any size –Convenience (for check): produce a fixed-length short output. –Performance: Easy to compute H(m) –One-way property: Given H(m) but not m, it’s difficult to find m –Weak collision resistance (free): Given H(m), it’s difficult to find m’ such that H(m’) = H(m). –Strong collision resistance (free): Computationally infeasible to find m 1, m 2 such that H(m 1 ) = H(m 2 )

Computer Science CSC 474Dr. Peng Ning4 Birthday Paradox Question: –What is the minimum value of k such that the probability is greater than 0.5 that at least two people in a group of k people have the same birthday? Ignore February 29 and assume each birthday is equally likely. –Probability of k people having k different birthdays: Q(365,k)=365!/(365-k)!365 k –Probability that at least two people have the same birthday: P(365,k)=1-Q(365,k) –K is about 23.

Computer Science CSC 474Dr. Peng Ning5 Generalization of Birthday Paradox Given a random variable that is an integer with uniform distribution between 1 and n and a selection of k instances of the random variables, what is the least value of k such that the probability P(n,k) is greater than 0.5 that there is at least one duplicate? –P(n,k) > 1 – e -k*(k-1)/2n –For large n and k, we have –Intuition: How many k do we need to have a collision with P=0.5? Implication –For a hash function H with 2 m possible outputs, if we apply H to k=(2 m ) 1/2 =2 m/2 random inputs, the probability that there is at least one duplicate is greater than 0.5.

Computer Science CSC 474Dr. Peng Ning6 Birthday Attack The source, A, is prepared to sign a message The opponent generates 2 m/2 variations on the message, and prepares 2 m/2 variations on the fraudulent message. The opponent compares the two sets of messages to find a pair of messages that produces the same hash value. The probability of success is greater than 0.5. The opponent repeats generating variations until a match is found. The opponent offers the valid variation to A for signature, but attaches the signature to the fraudulent variation.

Computer Science CSC 474Dr. Peng Ning7 How Many Bits for Hash? m bits, takes 2 m/2 to find two with the same hash at the probability bits, takes 2 32 messages to search duplicate Need at least 128 bits

Computer Science CSC 474Dr. Peng Ning8 Building Hash Using Block Chaining Techniques Divide M into fixed-size blocks M 1, M 2, …, M n Compute the hash as follows –H 0 =Initial value –H i =E Mi (H i-1 ) –Hash value G=H n Weakness –Birthday attack (reason: hash value is too short) –Meet-in-the-middle attack

Computer Science CSC 474Dr. Peng Ning9 Building Hash Using Block Chaining Techniques (Cont’d) Meet-in-the-middle attack –Get the correct hash value G –Construct any message in the form Q 1, Q 2, …, Q n-2 –Compute H i =E Qi (H i-1 ) for 1 ≤i ≤(n-2). –Generate 2 m/2 random blocks; for each block X, compute E X (H n-2 ). –Generate 2 m/2 random blocks; for each block Y, compute D Y (G). –With high probability there will be an X and Y such that E X (H n-2 )= D Y (G). –Form the message Q 1, Q 2, …, Q n-2, X, Y. It has the hash value G.

Computer Science CSC 474Dr. Peng Ning10 Modern Hash Functions MD5 –Previous versions (i.e., MD2, MD4) have weaknesses. SHA (Secure Hash Algorithm) SHA-1 RIPEMD-160

Computer Science CSC 474Dr. Peng Ning11 MD5: Message Digest Version 5 input Message Output 128 bits Digest

Computer Science CSC 474Dr. Peng Ning12 MD5: A High-Level View Message100…0 K bits Message Length (K mod 2 64 ) Padding (1 to 512 bits) Y0Y0 512 bits Y1Y1 … Y L bits MD5 IV 128 bits CV 1 MD5 CV L bit digest

Computer Science CSC 474Dr. Peng Ning13 Padding Given original message M, add padding bits “10 * ” such that resulting length is 64 bits less than a multiple of 512 bits. Append (original length in bits mod 2 64 ), represented in 64 bits to the padded message Final message is chopped 512 bits a block Exercise: –How to add padding bits to a message that is already a multiple of 512 bits?

Computer Science CSC 474Dr. Peng Ning14 MD5 (Intermediate) Buffer Used to hold intermediate and final result of MD bits Represented as four 32-bit words –(A,B,C,D) –Initially, A=0x , B=0xEFCDAB89, C=0x98BADCFE, D=0x –Stored in little-endian format, A=0x , B=0x89ABCDEF, C=0xFEDCBA98, D=0x

Computer Science CSC 474Dr. Peng Ning15 Processing of A Single Block 128-bit vector (Initial or from the previous block) 512-bit message block (16 words) 128-bit result F(x,y,z)= (x  y)  (~x  z) G(x,y,z)=(x  z)  (y  ~ z) H(x,y,z)=x  y  z I(x,y,z)= y  (x  ~z) +: addition mod 2 32 x  y: x left rotate y bits MD5 Primitive operations used in MD5:

Computer Science CSC 474Dr. Peng Ning16 Processing of A Single Block (Cont’d) Every message block contains bit words: –X[0] X[1] X[2] … X[15] Every stage consists of 4 rounds over the message block, each modifying the MD5 buffer (A,B,C,D). –The four rounds use functions F, G, H, I, respectively. Each round uses one-fourth of a 64-element table T[1…64]. –T[i] = 2 32 *abs(sin(i)) represented in 32 bits. The output of the fourth round is added to the input to the first round.

Computer Science CSC 474Dr. Peng Ning17 Processing of Block m i : 4 Rounds F, T[1..16], X[i] G, T[17..32], X[  2 i] H, T[33..48], X[  3 i] I, T[49..64], X[  4 i] X[i] ++++ A B CD MD i MD i+1 A B CD A B CD A B CD

Computer Science CSC 474Dr. Peng Ning18 Logic of Each Round Each round consists of 16 steps Each step is of the form –A  B+((A+g(B,C,D)+X[k]+T[i])<<<s) Function g is one of F, G, H, I X[k] is the word in the input T[i] is the ith word in T <<<s: circular left shift by s bits. –Followed by a word level circular right shift of one word.

Computer Science CSC 474Dr. Peng Ning19 Logic of Each Step ABCDABCD g <<<s X[k] T[i]

Computer Science CSC 474Dr. Peng Ning20 Logic of Each Step Within a round, each of the 16 words of X[i] is used exactly –First round, X[i] are used in the order of I –Round 2, in the order of  2(i), where  2(i)=(1+5i)mod 16; –Round 3, in the order or  3(i), where  3(i)=(5+3i)mod 16; –Round 4, in the order or  4(i), where  2(i)=7imod 16; Each word of T[i] is used exactly once.

Computer Science CSC 474Dr. Peng Ning21 Security of MD5 A recently discovered method can find a collision in a few hours –A few collisions were published on 8/17/04 –Exact method has not been published yet –Can find many collisions for two 1024-bit messages Birthday attack –2 64