Security of Message Digests


1 Security of Message Digests
CSCI 5857: Encoding and Encryption

2 Outline
Attacks on message digests
Preimage attacks
Collision attacks
Properties of a good hash function
Mathematical background
Pigeonhole principle
Birthday problem
Requirements for message digest size

3 Attacks on Message Digests
Goal of message digest: Detect when fake message M´ has been substituted for original message M
Adversary goal: Substitute fake message M´ for original message M without being detected
This is the case if they have the same digest h(M´) = h(M)

4 Preimage Attack
Adversary finds message M´ with same digest h(M´) = h(M)
Impossible to detect or prove changes!

5 Tweaking Messages for Preimage Attack
Adversary can “tweak” new message M´ until h(M´) = h(M)
Example:
  Give Darth a salary increase of $1000
  Award Mr. Vader some raise … $2000
  Present Darth Vader … bonus $3000
  … … … $ …
“I’ll find some combination of these so they can’t detect the difference!”

6 Preimage Attack and XOR
Simple XOR-based hash function vulnerable to preimage attack
Darth generates own message M′
Darth adds some block bm to end so h(M′) ⊕ bm = h(M)
Problem: XOR is reversible
Can work backwards from desired message to create one with same hash as original message

7 Collision Attack
Adversary finds two messages M1 and M2 with same message digest h(M1) = h(M2)
M1 is harmless message: “We like kittens”
M2 has advantage for adversary: “Give Darth a $5000 raise”

8 Collision Attack Example
Darth gets job in organization
Presents M1 to boss for approval
Boss stores h(M1)
Darth actually stores/sends M2
Boss has no way to prove he didn’t approve M2

9 Good Properties of a Hash
Must be “one way”
  Easy to compute h(M)
  No easy way to determine what other messages M´ would give same digest (h(M´) = h(M))
  Otherwise adversary could easily create different messages with same hash
Must produce hash large enough to prevent brute force attacks
  Testing possible alternative messages to find ones with same hash value

10 Pigeonhole Principle
Pigeonhole Principle:
  Given n pigeons and m birdhouses, with n > m
  At least one birdhouse with more than one pigeon
Digest size |h(M)| < message size |M|
  Fewer possible digests h(M) than possible messages M
  2^|h(M)| possible digests < 2^|M| possible messages
Must exist messages M1 and M2 with same digest h(M1) = h(M2)
  That is, cannot avoid collisions between different messages
Example: 1 MB messages, 512 bit digest
  2^999,488 different messages with same digest!

11 Random Oracle Model
Best case: hash function behaves like a random oracle
h(M) like “random” function over all possible digests
Each possible digest equally likely for a given M
Minimizes likelihood that h(M1) = h(M2) for given M1, M2
Assumption used in birthday problem analysis

12 Birthday Problems
What is minimum number of students in class so that at least one probably has same birthday as instructor?
What is minimum number of students in class so that at least two probably have same birthday?
In general: k students and N (that is, 365) possible birthdays
Minimum k such that probability ≥ 50%:
  k ≈ 0.69 × N ≈ 253 for birthdays
  k ≈ 1.18 × N^(1/2) ≈ 23 for birthdays

13 Birthday Problems and Digests
Birthday problems define vulnerability of message digests to exhaustive search attacks
Assume best case random oracle model
N = number of possible message digests
k = number of false messages tested by adversary in attacks
How many false messages must the adversary test to have at least a 50% chance of finding a message with the desired digest?

14 Preimage Attack as Birthday Problem
First birthday problem = Preimage Attack
Probability h(M´) = h(M) for any M´ given some M
Number of tests k ≈ 0.69 × N (proportional to number of possible digests)

15 Collision Attack as Birthday Problem
Second birthday problem = Collision Attack
Probability h(M1) = h(M2) for any M1, M2
Number of tests k ≈ 1.18 × N^(1/2) (proportional to square root of possible digests)

16 Birthday Problems and Digest Size
Number of possible message digests N must be large enough to make attacks impractical
Difficulty of preimage attack proportional to N
Difficulty of collision attack proportional to N^(1/2)
Message digest of n bits ⇒ N = 2^n
2^(n/2) must be large enough to prevent exhaustive search to find collision
Current standard: 512 bits
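
The two birthday bounds on the preceding slides can be checked empirically. The following is an added example, not part of the original slides: it truncates SHA-256 to a toy 10-bit digest (an assumption standing in for the random oracle) and measures the median number of tests each search needs. All function names and sample messages are constructed for illustration.

```python
import hashlib
from math import log2, sqrt
from statistics import median

def digest(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, so N = 2**bits digests (assumed oracle)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)

def preimage_tests(bits: int, run: int) -> int:
    """Count fake messages M' tested until h(M') == h(M) for one fixed M."""
    target = digest(b"original message %d" % run, bits)   # constructed sample M
    k = 0
    while True:
        k += 1
        if digest(b"fake %d/%d" % (run, k), bits) == target:
            return k

def collision_tests(bits: int, run: int) -> int:
    """Count messages hashed until any two of them share a digest."""
    seen, k = set(), 0
    while True:
        k += 1
        d = digest(b"msg %d/%d" % (run, k), bits)          # constructed samples
        if d in seen:
            return k
        seen.add(d)

def medians(bits: int, runs: int = 500):
    """Median cost over independent searches, i.e. the k giving 50% success."""
    pre = median(preimage_tests(bits, r) for r in range(runs))
    col = median(collision_tests(bits, r) for r in range(runs))
    return pre, col

def work_log2(n: int):
    """log2 of the slide formulas 0.69*N and 1.18*sqrt(N) for an n-bit digest."""
    return n + log2(0.69), n / 2 + log2(1.18)

if __name__ == "__main__":
    bits = 10                       # toy size so exhaustive search finishes quickly
    N = 2 ** bits
    pre, col = medians(bits)
    print(f"preimage : median {pre:.0f} tests, 0.69*N = {0.69 * N:.0f}")
    print(f"collision: median {col:.0f} tests, 1.18*sqrt(N) = {1.18 * sqrt(N):.0f}")
    for n in (64, 128, 256, 512):   # the same formulas at realistic digest sizes
        p, c = work_log2(n)
        print(f"{n}-bit digest: preimage 2^{p:.1f} tests, collision 2^{c:.1f} tests")
```

The measured medians land near 0.69 × N and 1.18 × N^(1/2), which is why the collision bound 2^(n/2), not 2^n, sets the minimum digest size.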

17 What’s Next
Let me know if you have any questions
Continue on to the next lecture on Hash Functions

