Presentation is loading. Please wait.

Presentation is loading. Please wait.

CHAPTER 4 TJADEN plus Chapters 13 & 14 Crytography Decrypted Hashing Functions, Message Digests, Message Authentication Codes (MACs) Dr. Suzanne Buchele.

Published byPierce Harvey Modified over 6 years ago

Similar presentations

Presentation on theme: "CHAPTER 4 TJADEN plus Chapters 13 & 14 Crytography Decrypted Hashing Functions, Message Digests, Message Authentication Codes (MACs) Dr. Suzanne Buchele."— Presentation transcript:

1 CHAPTER 4 TJADEN plus Chapters 13 & 14 Crytography Decrypted Hashing Functions, Message Digests, Message Authentication Codes (MACs) Dr. Suzanne Buchele (Some content borrowed from Ed Crowley at The University of Houston)

2 Overview: Hash Functions, Message Digests, and MACs
Cryptographic hash functions are functions that: Map an arbitrary-length (but finite) input to a fixed-size output Are one-way (hard to invert) Are collision-resistant (difficult to find two values that produce the same output) Examples: Message digest functions Protect the integrity of data by creating a fingerprint of a digital document Message Authentication Codes (MAC) Protect both the integrity and authenticity of data by creating a fingerprint based on both the digital document and a secret key

3 Checksums vs. Message Digests
Used to produce a compact representation of a message If the message changes the checksum will probably not match Good: accidental changes to a message can be detected Bad: relatively easy to purposely alter a message without changing the checksum Message digests: Used to produce a compact representation (called the fingerprint or digest) of a message If the message changes the digest will probably not match Good: difficult to alter a message without changing the digest

4 Compression Programs Vs. Message Digests
made to compress and restore files general mode of operation: compress store or transmit decompress Message Digests made to compress only can’t restore the original message/file from the digest

5 Hash Functions Message digest functions are hash functions
A hash function, H(M)=h, takes an arbitrary-length input, M, and produces a fixed-length output, h Example hash function: H = sum all the letters of an input word modulo 26 Input = a word Output = a number between 0 and 25, inclusive Example: H(“Elvis”) = ((‘E’ + ‘L’ + ‘V’ + ‘I’ + ‘S’) mod 26) H(“Elvis”) = (( ) mod 26) H(“Elvis”) = (67 mod 26) H(“Elvis”) = 15

6 Collisions For the hash function:
H = sum all the letters of an input word modulo 26 There are more inputs (words) than possible outputs (numbers 0-25) Some different inputs must produce the same output A collision occurs when two different inputs produce the same output: The values x and y are not the same, but H(x) = H(y) E.g. H(“Elvis”) = 15 and H(“Lives”) = 15

7 Collisions - Example So H(“Jumpsuit”) = H(“TCB”) H(“Jumpsuit”):
(‘J’ + ‘U’ + ‘M’ + ‘P’ + ‘S’ + ‘U’ + ‘I’ + ‘T’) mod 26 = ( ) mod 26 = 129 mod 26 = 25 H(“TCB”): (‘T’ + ‘C’ + ‘B’) mod 26 = (20+3+2) mod 26 = 25 mod 26 = So H(“Jumpsuit”) = H(“TCB”)

8 Collision-Resistant Hash Functions
Hash functions for which it is difficult to find collisions are called collision-resistant A collision-resistant hash function, H(M)=h has the properties that: For any message, M1 It is difficult to find another message, M2 such that: M1 and M2 are not the same H(M1) and H(M2) are the same

9 One-Way Hash Functions
A function, H(M)=h, is one-way if: Forward direction: given M it is easy to compute h So, for a given message, easy to compute the hash of the message Backward direction: given h it is difficult to compute M So, for a given message, hard to determine what message produced a given hash value Example: For the hash function: H = sum all the letters of an input word modulo 26 Easy to compute H(M) = h for a given message M Hard (impossible?) to determine M from h = H(M) E.g. what is message if h=H(M) is 15?

10 Message Digest Functions
Message digest functions are collision-resistant, one- way hash functions: Given a message it is easy to compute its digest Hard to find any message that produces a given digest (one-way) Weak Collision Resistance: for a particular message M, difficult to find another message M’ that has the same digest Hard to find any two messages that have the same digest (collision-resistant) Strong Collision Resistance: difficult to find any two messages, M and M’ that have the same digest Cryptography Decrypted calls them Message Integrity Codes (MICs) or Message Detection Codes (MDCs)

11 Using Message Digest Functions
Message digest functions protect data integrity: A company makes some software available for download over the World Wide Web Users want to be sure that they receive a copy that has not been tampered with Solution: The company creates a message digest The digest is transmitted (securely) to users Users compute their own digest for software they receive If the digests match, the software probably has not been altered

12 Using Message Digest Functions (Cont)
Message digests allow you to protect against certain kinds of intentional modifications of a message, but not others Alice writes and distributes a newsletter, and also sends a message digest of it When Bob receives the newsletter, he computes his own message digest of it using the same algorithm Bob then compares his message digest against the one sent to him by Alice if they don’t match, Bob knows that the newsletter was altered Not robust against man-in-the-middle attacks if “Black Hat” intercepts Alice’s message, he can substitute his own newsletter and message digest

13 Using Message Digest Functions (Cont)
Message digests allow you to share and secure data without revealing contents: Alice wants her attorney to hold a copy of a prenuptial agreement without knowing the contents Solution: Alice has a plaintext version that she keeps, and computes a message digest and gives the digest to her attorney The attorney has no way of knowing what is in the plaintext from the message digest If Alice and Bob divorce, Alice sends the plaintext prenuptial and s/he performs a message digest to ensure it is the same as previously submitted Bob cannot easily make up another plaintext agreement that will have the same digest (weak collision resistance)

14 Attacks on Message Digests
Brute-force search for a collision: Goal: Find a message that produces a given digest, d Assume: The message digest function creates n-bit digests The message digest function has good weak collision resistance Approach: Generate random messages and compute digests for them until one is found with digest d Approximately 2n random messages must be tried to find one that hashes to d

15 Attacks on Message Digests (cont)
Birthday Attack (based on the Birthday Paradox) Goal: Find any two messages that produces the same (any) digest Assume: The message digest function creates n-bit digests The message digest function has good strong collision resistance Approach: Generate random messages and compute digests for them until two are found with the same digest Approximately 2n/2 random messages must be tried to find two that hash to the same value

16 Attacks on Message Digests (cont)
Alice and prenuptial agreement example: If trying to fake the prenuptial, Bob has to create one that matches the pre-determined digest submitted to the attorney years before -> hard Alice could have created many different prenuptial agreements initially: A bunch that said, “Bob gets half” A bunch that said, “Bob gets nothing” Then she could search for any two whose digests match Still hard, but easier than Bob’s problem Once she found two that matched, she could submit the one of the two that says, “Bob gets half” and later if they divorce claim the one that says, “Bob gets nothing” was the genuine one. Bob’s protection – before signing the one that says “Bob gets half” he should make a small and inconsequential change to it – it will change the message digest and therefore Alice has as difficult a time as Bob in attempting to find another plaintext one that hashes to the same digest.

17 Message Digest Functions in Use
Two main message digest algorithms are based on MD4, (developed by Ron Rivest of RSA public key cryptography fame). MD5 Outputs a 128-bit digest of an arbitrarily long input Known to be susceptible to certain birthday-style attacks Not considered secure SHA-1 Outputs a 160-bit digest of an arbitrarily long input Some (mostly theoretical) cryptanalysis reveals possible somewhat better than brute-force birthday-attack possible, although no known attacks against it Still appears to be secure and is the most popular

18 The Secure Hash Algorithm (SHA-1)
Federal Information Processing Standard (FIPS 180-1) 1995 adopted by U.S. government Based on MD4 message digest function Developed by NIST and the NSA SHA-2 has 256, 384, and 512-bit versions SHA-3 being developed Input: a message of b bits Output: a 160-bit message digest Fast Typically faster than symmetric-key encryption

19 SHA-1 Overview Pad the message
Initialize constants used in the algorithm For each 512-bit block (B1, B2, B3, . . ., Bn): Divide Bi into bit words (W0 – W15) Compute 64 new 32-bit words (W16, W17, . . ., W79) Copy H0 -H4 into A, B, C, D, and E For each Wj (W0 – W79) compute TEMP and update A-E Update H0 - H4 Repeat for next block The 160-bit message digest is: H0 H1 H2 H3 H4

20 SHA-1 Padding The input message must be padded to a multiple of 512 bits Padding bits consist of: A single 1 bit As many 0’s as necessary to make the final block 448 bits long A 64-bit integer representing the length of the original message, in bits = 512 For example, if the message is 500 bits, then the padded message would be 1024 bits: = 1024

21 SHA-1: Initialize Constants
Five 32-bit words H0 – H4 are initialized to: H0 = H1 = EFCDAB8916 H2 = 98BADCFE16 H3 = H4 = C3D2E1F016 Eighty 32-bit words K0 – K79 are initialized to: K0 – K19 = 5A K20 – K39 = 6ED9EBA116 K40 – K59 = 8F1BBCDC16 K60 – K79 = CA62C1D616

22 SHA-1: Compute W’s Divide this 512-bit block Bi into 16 32-bit words
(W0 – W15) Compute 64 new 32-bit words (W16 – W79): For 16 ≤ j ≤79, to compute word j Wj, XOR together words Wj-3, Wj-8, Wj-14, and Wj-16 and then circularly left shift the result one bit In pseudo-code: for j = 16 to 79 Wj = Circular_Left_Shift_1(Wj-3 Wj-8 Wj-14 Wj-16 )

23 SHA-1: Copy H’s to A-E and Update
Copy H0 -H4 into A, B, C, D, and E A=H0, B=H1, C=H2, D=H3, E=H4, Define functions fj: fj(B,C,D) = (B AND C) OR ((NOT) B) AND D), for 0 ≤ j ≤ 19 fj(B,C,D) = (B  C  D), for 20 ≤ j ≤ 39 and for 60 ≤ j ≤ 79 fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D), for 40 ≤ j ≤ 59 For each Wj (W0 – W79) compute TEMP and update A-E: for j = 0 to 79 TEMP = Circular_Left_Shift_5(A) + fj(B,C,D) + E + Wj + Kj E=D; D=C; C= Circular_Left_Shift_30(B); B=A; A=TEMP Note: here “+” means binary add but ignore overflow

24 SHA-1: Final Step Update values of H’s and form output: H0 = H0 + A;
H1 = H1 + B; H2 = H2 + C; H3 = H3 + D; H4 = H4 + E; Once all these steps have been performed on all blocks of the input message, the output of the SHA-1 hash algorithm is: H0 H1 H2 H3 H4

25 SHA-1 Review Pad the message
Initialize constants used in the algorithm For each 512-bit block (B1, B2, B3, . . ., Bn): Divide Bi into bit words (W0 – W15) Compute 64 new 32-bit words (W16, W17, . . ., W79) Copy H0 -H4 into A, B, C, D, and E For each Wj (W0 – W79) compute TEMP and update A-E Update H0 - H4 Repeat for next block The 160-bit message digest is: H0 H1 H2 H3 H4 Questions?

26 Need for Message Authentication Codes
Want to use a message digest function to protect files on our computer from viruses: Calculate digests for important files and store them in a table Recompute and check from time to time to verify that the files have not been modified Good: if a virus modifies a file the change will be detected since the digest of that file will be different Bad: a smart virus could just compute new digests for modified files and install them in the table

27 Message Authentication Codes
Message authentication code (MAC) key-dependent message digest function MAC(M, K) = h Output, h, is a function of both the hash function and a secret key, K The MAC can only be created or verified by someone who knows K Can turn a one-way hash function into a MAC by encrypting the hash value with a symmetric-key cryptosystem

28 Using Message Authentication Codes
From Wikipedia

29 Using MACs A MAC protects both data integrity and authenticity:
Want to use a MAC to protect files on our computer from viruses: Calculate MAC values for important files and store them in a table on your computer using a key known only to you Recompute the MACs and check them against the values in the table from time to time to verify that the files haven’t been modified Good: if a virus modifies a file, the MAC of that file will be different Good: virus doesn’t know the proper key so it can’t install new MACs in the table to cover its tracks

30 Implementing a MAC Algorithm
Can use a block cipher algorithm: Pad the message (if necessary) so that its length is a multiple of the cipher’s block size Divide the message into n blocks equal in length to the cipher’s block size: m1, m2, . . ., mn Choose a key, k Encrypt m1 with k using the block cipher algorithm XOR the resulting ciphertext of m1 (c1) with m2 Encrypt the result of the XOR using k XOR the result with m3

31 Implementing a MAC (cont)
Result in this case is output of last Encryption (64-bits if using DES, 128/192/256 bits if using AES).

32 Using Message Authentication Codes
Message authentication codes allow you to protect against many intentional modifications of a message Alice writes and distributes a newsletter, and also sends a signed message digest of it When Bob receives the newsletter, he computes his own message digest of it using the same algorithm. He then uses the secret key he shares with Alice to decrypt the signed message digest sent to him by Alice Bob then compares his message digest against the one sent to him by Alice if they don’t match, Bob knows there is a problem Robust against man-in-the-middle attacks even if “Black Hat” intercepts Alice’s message, he can’t substitute his own newsletter and digest since he doesn’t know the secret key

33 Using MACs Message authentication are robust against man-in-the- middle attacks even if “Black Hat” intercepts Alice’s message, he can’t substitute his own newsletter and digest since he doesn’t know the secret key since he would have to sign his digest with the secret key he doesn’t know, Bob would know that the newsletter did not come from Alice Message authentication are not robust against replay attacks if “Black Hat” intercepts Alice’s message, he could substitute a previous newsletter and digest signed by Alice typical protection against this type of attack is for Alice to timestamp her newsletter

34 HMACs HMAC = keyed-Hash Message Authentication Code
The secret key is hashed together with the message no encryption used integrity and authenticity guaranteed via the use of the secret key Many variants… for message M and secret key K Hash( K || M) Hash (M || K) Hash (K || Hash( K || M)) and others… Hash function used could be SHA-1, MD5, or any other HMAC-SHA1 and HMAC-MD5 used in certain protocols

35 Message Digests Vs. MACs Vs. HMACs
Questions?

36 Next… 10 Min break, then Lab

Download ppt "CHAPTER 4 TJADEN plus Chapters 13 & 14 Crytography Decrypted Hashing Functions, Message Digests, Message Authentication Codes (MACs) Dr. Suzanne Buchele."

Similar presentations

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.

Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Similar presentations

Ads by Google