Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk."— Presentation transcript:

1 CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk

2 CS470, A.SelcukHash Functions2 Cryptographic Hash Functions Maps an arbitrary length input to a fixed-size output. Was originally proposed to generate input to digital signatures. Desirable features: –one-way (preimage and second preimage resistant) –pseudorandom –collision resistant

3 CS470, A.SelcukHash Functions3 Collision Resistance But why “collision resistance”? (i.e., not just one-wayness?) –A chosen p.t. attack: Trudy is Alice’s secretary. Generates two opposite messages, each with √N (e.g., 2 32 for N = 2 64 ) different ways of putting it. –Repudiation: Alice generates two different messages and signs one of them. Later, she denies her signature and claims she in fact signed the other one. Birthday Problem (“paradox”): When √N or more are chosen randomly from a domain of N, there is a significant chance of collision. Hence, output size ≥ 128 bits is desirable.

4 CS470, A.SelcukHash Functions4 “Birthday Paradox” E.g. N = 10 6 :

5 CS470, A.SelcukHash Functions5 Internals of a Hash Function Merkle-Damgard construction: A fixed-size “compression function”. Each iteration mixes an input block with the prev. output. compression fnc. y i-1 ||x i y i-1 yiyi m = x 1 x 2... x n ynyn mH(m) xixi

6 CS470, A.SelcukHash Functions6 Merkle-Damgard Construction Input is broken into equal-sized blocks and fed into the compression function. Length padding: 100…0 || (length of message). (Why?) Finalization: Optional Provable security: If f is collusion resistant, the hash function is collusion resistant.

7 CS470, A.SelcukHash Functions7 Hash Fnc. from a Block Cipher Compression fnc. from block cipher (Rabin): Split the message into key blocks. (why not pt.?) Encrypt a constant (e.g. 0) with this seq. of keys. Ciphertext is the hash output.

8 CS470, A.SelcukHash Functions8 Hash Fnc. from a Block Cipher (cont.) Davies-Meyer Construction: H i = H i-1  E mi (H i-1 ) Compression function is provably secure (collision resistant) if E is a secure block cipher.

9 CS470, A.SelcukHash Functions9 MD5 Rivest, 1991 Based on Davies-Meyer const. Very popular until recently. –2004: First collision attacks –2008: Practical collision attack; SSL cert. with same MD5 hash. –~2010: Forged Microsoft MD5 certificates used in Flame malware Preimage resistance: Mostly ok. 64 rounds of:

10 CS470, A.SelcukHash Functions10 Flame’s MS Windows MD5 Attack Chosen-prefix coll. attack: Meaningful initial blocks, followed by random blocks to obtain collision.

11 CS470, A.SelcukHash Functions11 SHA-1 Designed by NSA; based on Rivest’s MD4 & MD5 designs SHA 1993; SHA-1 1995 160-bit output size 2005: Some flaws discovered. SHA-2: 256- and 512-bit extension; secure SHA-3: By public competition 80 rounds of:

12 CS470, A.SelcukHash Functions12 SHA-3 Public competition by NIST, similar to AES: NIST’s request for proposals (2007) 51 submissions (2008) 14 semi-finalists (2009) 5 finalists (2010) Winner: Keccak (2012) –Designed by Bertoni, Daemen, Peeters, Van Assche. –Based on “sponge construction”, a completely different structure.

13 CS470, A.SelcukHash Functions13 Speed Comparisons AlgorithmSpeed (MiByte/s.) AES-128 / CTR198 MD5335 SHA-1192 SHA-256139 SHA-3~ SHA-256 Crypto++ 5.6 benchmarks, 2.2 GHz AMD Opteron 8354 NIST expects SHA-2 to be used for the foreseeable future. SHA-3: A companion algorithm with a different structure and properties.

14 CS470, A.SelcukHash Functions14 Things to Do with a Hash Function Hash long messages for signing Authentication protocols Stream ciphers Block ciphers MACs...

15 CS470, A.SelcukHash Functions15 Authentication Protocol Challenge-response authentication instead of a password protocol: Hash is used instead of block cipher encryption E K (r a ), E K (r b ), & decryption. AliceBob hello, r a H(K || r a ), r b H(K || r b )

16 CS470, A.SelcukHash Functions16 Stream Cipher CFB: O i = H(K || C i-1 ) C i = P i  O i P i = C i  O i OFB: O i = H(K || O i-1 ) C i = P i  O i P i = C i  O i CTR: C i = P i  H(K || IV + i) P i = C i  H(K || IV + i)

17 CS470, A.SelcukHash Functions17 Block Cipher Use the hash function as the f in a Feistel structure. Luby & Rackoff (1988): Three rounds are needed for security.

18 CS470, A.SelcukHash Functions18 MACs from Hash Functions A natural relative; but how to do it best? prefix: MAC K (x) = H(K || x) –not secure; extension attack. suffix: MAC K (x) = H(x || K) –mostly ok; problematic if H is not collision resistant. envelope: MAC K (x) = H(K 1 || x || K 2 ) HMAC: MAC K (x) = H(K 2 || H(K 1 || x)) –provably secure; popular in Internet standards.

19 CS470, A.SelcukHash Functions19 VMAC Proposed by Ted Krovetz in 2006. Based on a universal hash rather than collision resistant hash. (which is fine for MAC) Extremely fast (3 GB/sec); adjustable security- speed tradeoff. VMAC-64 is about 10x faster than HMAC-MD5; has a security proof that Pr(forgery) < 2 -60. Very suitable for infrastructure (routers) or low- end (RFID, WSN) authentication.

Download ppt "CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk."

Similar presentations

Hashes and Message Digests

Hashes and Message Digests
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptographic Hash Functions Rocky K. C. Chang, February 2013 1.

Cryptographic Hash Functions Rocky K. C. Chang, February
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.

Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Similar presentations

Ads by Google