Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Published byDuncan Merriwether Modified over 9 years ago

Similar presentations

Presentation on theme: "Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”"— Presentation transcript:

1 Hash Function

2 What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest” Why would you want to do this? – Short, fixed-size better than long, variable-size True also for non-crypto hash functions – Digest can be added for redundancy – Digest hides possible structure in message

3 Typically using Merkle-Damgård iteration: 1.Start from a “compression function” – h: {0,1} b+n  {0,1} n 2.Iterate it How are they built? h c =160 bits |M|=b=512 bits d=h(c,M) = 160 bits hhhh … M1M1 M2M2 M L-1 MLML IV=d 0 d1d1 d2d2 d L-1 dLdL d=H(M) But not always…

4 The Merkle-Damgard iterated construction Thm: h collision resistant ⇒ H collision resistant Can we use H(.) to directly build a MAC? No,Given H( k ll m) can compute H( k ll m ll PB ll w ) for any w. hhh m[0]m[1]m[2]m[3] ll PB h IV (fixed) H(m)

5 What are they good for? “Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.”

6 Important Properties of Cryptographic Hash Functions First pre-image resistance Second pre-image resistance Strong collision resistance Efficient

7 First pre-image resistance: Given y in Y, it is “computationally infeasible” to compute a value x in X such that h(x) = y Hard to invert Why we need this property? – If hash function is invertible, then it is not useful for crypto applications n E.g., password – authentication will be broken

8 Second pre-image resistance: Given x in X, it is “computationally infeasible” to compute a different value x’ in X with x!=x’ such that h(x) = h(x’) Weak collision-resistance (sometimes also called target collision resistance) Why we need this property? – If hash function is not weak collision-resistant, then it is not useful for crypto applications n E.g., password authentication will be broken because even if the attacker doesn’t get your actual password, he can still get another string of bits that “collides with” and is as good as your actual password

9 Strong collision-resistance: It is “computationally infeasible” to find distinct inputs x, x’ with x!=x’ such that h(x) = h(x’) Why we need this property? – Usability of hash functions – Security of hash-then-sign schemes Given h, attacker computes m,m’ such that h(m) = h(m’) Attacker gives m to Alice to hash-then-sign Alice produces Attacker replaces it with and claims Alice signed it Strong collision resistance implies weak collision resistance

10 Birthday Paradox

11 Two variants: ƒ when drawing elements randomly (with replacement) from a set of N elements, with high probability a repeated element will be encountered after ~sqrt(N) selections ƒ if we have a set of N elements, and we randomly select two subsets of size ~sqrt(N) each, then with high probability, the intersection of the two subsets will not be empty These facts have a profound impact on the design of hash functions (and other cryptographic algorithms and protocols)!

12 Birthday Paradox ƒ Given a set of N elements, from which we draw k elements randomly (with replacement). What is the probability of encountering at least one repeating element? ƒ first, compute the probability of no repetition: – the first element x1 can be anything – when choosing the second element x2, the probability of x2 ≠ x1 is 1-1/N – when choosing x3, the probability of x3 ≠ x2 and x3 ≠ x1 is 1-2/N – … – when choosing the k-th element, the probability of no repetition is 1-(k-1)/N – the probability of no repetition is (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N) – when x is small, (1-x) ≈ e-x – (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N) = e-1/Ne-2/N … e-(k-1)/N = e-k(k-1)/2N ƒ the probability of at least one repetition after k drawing is 1 – e-k(k-1)/2N

13 Birthday Paradox How many drawings do you need, if you want the probability of at least one repetition to be ε ? ƒ solve the following for k: ε = 1 – e-k(k-1)/2N k(k-1) = 2N ln(1/1-ε) k ≈ sqrt(2N ln(1/1-ε)) ƒ examples: ε = ½ -> k ≈ 1.177 sqrt(N) ε = ¾ -> k ≈ 1.665 sqrt(N) ε = 0.9 -> k ≈ 2.146 sqrt(N) ƒ origin of the name “birthday paradox”: – elements are dates in a year (N = 365) – among 1.177 sqrt(365) ≈ 23 randomly selected people, there will be at least two that have the same birthday with probability ½

14 Choosing the output size of hash function good hash functions can be modeled as follows: – given a hash value y, the probability that a randomly chosen input x maps to y is ~2-n – the probability that two randomly chosen inputs x and x’ map into the same hash value is also ~2-n Æ n should be at least 64, but 80 is even better ƒ birthday attacks – among ~sqrt(2n) = 2n/2 randomly chosen messages, with high probability there will be a collision pair – it is easier to find collisions than to find preimages or 2nd preimages for a given hash value - in order to resist birthday attacks, n should be at least 128, but 160 is even better

15 Standardized method: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: HMAC: S( k, m ) = H ( k  opad ll H( k  ipad ll m ) )

16 HMAC in pictures Similar to the NMAC PRF. main difference: the two keys k 1, k 2 are dependent hh m[0]m[1]m[2] ll PB h h tag > > > h kipad IV (fixed) > > IV (fixed) h > kopad

17 Warning: verification timing attacks [L’09] Example: Keyczar crypto library (Python) [simplified] def Verify(key, msg, sig_bytes): return HMAC(key, msg) == sig_bytes The problem: ‘==‘ implemented as a byte-by- byte comparison Comparator returns false when first inequality found

18 Warning: verification timing attacks [L’09] Timing attack: to compute tag for target message m do: Step 1: Query server with random tag Step 2: Loop over all possible first bytes and query server. stop when verification takes a little longer than in step 1 Step 3: repeat for all tag bytes until valid tag found m, tag k accept or reject target msg m

19 Make string comparator always take same time (Python) : return false if sig_bytes has wrong length result = 0 for x, y in zip( HMAC(key,msg), sig_bytes): result |= ord(x) ^ ord(y) return result == 0 Or def Verify(key, msg, sig_bytes): mac = HMAC(key, msg) return HMAC(key, mac) == HMAC(key, sig_bytes)

20 Lesson Don’t implement crypto yourself !

Download ppt "Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”"

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)

Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.

Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google