The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Cryptographic Hash Functions Credit: Prof.

1 The School of Electrical Engineering and Computer Science (EECS), CS/ECE Network Security, Dr. Attila Altay Yavuz, Spring 2015
Cryptographic Hash Functions
Credit: Prof. Dr. Peng Ning, Dr. Shai Halevi

2 Hash Function Properties

3 Hash Function (OSU EECS)
Also known as
– Message digest
– One-way transformation
– One-way function
– Hash
Length of H(m) is much shorter than the length of m
Usually fixed lengths: 128 or 160 bits
Message of arbitrary length → Hash → A fixed-length short message

4 How are they built?
Typically using Merkle-Damgård iteration:
1. Start from a “compression function”
  – h: {0,1}^{b+n} → {0,1}^n
  – c = 160 bits, |M| = b = 512 bits, d = h(c,M) = 160 bits
2. Iterate it
[Figure: chain of h blocks; message blocks M_1, M_2, …, M_{L-1}, M_L; chaining values IV = d_0, d_1, d_2, …, d_{L-1}, d_L; output d = H(M)]
But not always…

5 What are they good for?
“Request for Candidate Algorithm Nominations”, NIST, November 2007:
“Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.”

6 Some things that we want
• Collision resistance (commitment, signatures)
  – Hard to find M ≠ M’ for which H(M)=H(M’)
• One-way (commitment)
  – Given d, hard to find M such that H(M)=d
• Unpredictability (authentication)
  – M → H(R,M) unpredictable when R is secret
• Extraction (key derivation)
  – If M has high entropy then H(M) is ~ uniform

7 Desirable Properties of Hash Functions
Consider a hash function H
– Performance: Easy to compute H(m)
– One-way property: Given H(m) but not m, it’s computationally infeasible to find m
– Weak collision resistance: Given H(m), it’s computationally infeasible to find m’ such that H(m’) = H(m).
– Strong collision resistance: Computationally infeasible to find m_1, m_2 such that H(m_1) = H(m_2)

8 Length of Hash Image
Question
– Why do we have 128 bits or 160 bits in the output of a hash function?
– If it is too long
  • Unnecessary overhead
– If it is too short
  • Birthday paradox
  • Loss of strong collision property

9 Birthday Paradox (Cont’d)
Implication for hash function H of length m
– With probability at least 0.5
– If we hash about 2^{m/2} random inputs,
– Two messages will have the same hash image
– Birthday attack
Conclusion
– Choose m ≥ 128, preferably m ≥ 160
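The 2^{m/2} bound can be measured directly on a shortened hash. The following is an added example, not part of the original slides: it assumes SHA-256 truncated to its top m bits as a stand-in for an m-bit hash, and the function names and the b"msg-N" inputs are constructed for the illustration.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a stand-in for an m-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits: int):
    """Hash distinct inputs until two of them share an m-bit image.

    Returns (msg_a, msg_b, trials). The inputs are the constructed
    sequence b"msg-0", b"msg-1", ... so every run is reproducible.
    """
    seen = {}                      # hash image -> first message producing it
    trials = 0
    while True:
        msg = b"msg-%d" % trials
        trials += 1
        image = truncated_hash(msg, bits)
        if image in seen:
            return seen[image], msg, trials
        seen[image] = msg

def expected_trials(bits: int) -> float:
    """Inputs needed for collision probability 0.5: sqrt(2 ln 2) * 2^(m/2)."""
    return math.sqrt(2 * math.log(2)) * 2 ** (bits / 2)

if __name__ == "__main__":
    for m in (16, 24, 32):
        a, b, n = birthday_collision(m)
        print(f"m={m:2d}: collision after {n} hashes "
              f"(p=0.5 at ~{expected_trials(m):.0f}): {a!r} vs {b!r}")
    # The same estimate at real output sizes: work grows as 2^(m/2), not 2^m.
    for m in (128, 160, 256):
        print(f"m={m}: about 2^{m // 2} hashes for a birthday collision")
```

Each extra output bit doubles the size of the image space but raises the collision work only by a factor of √2, which is why the slide asks for m ≥ 128 rather than m ≥ 64.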

10 Hash Function Use and Applications

11 Using “imperfect” hash functions
• Applications should rely only on “specific security properties” of hash functions
  – Try to make these properties as “standard” and as weak as possible
• Increases the odds of long-term security
  – When weaknesses are found in hash function, application more likely to survive
  – E.g., MD5 is badly broken, but HMAC-MD5 is barely scratched

12 Security requirements
• Deterministic hashing
  – Attacker chooses M, d=H(M)
• Hashing with a random salt
  – Attacker chooses M, then good guy chooses public salt, d=H(salt,M)
• Hashing random messages
  – Given M, d=H(M’) e.g., M’=M||r
• Hashing with a secret key
  – Attacker chooses M, d=H(key,M)
[Arrow beside the list, labelled: Stronger … Weaker]

13 Deterministic hashing
• Collision Resistance
  – Attacker cannot find M,M’ such that H(M)=H(M’)
• Also many other properties
  – Hard to find fixed-points, near-collisions, M s.t. H(M) has low Hamming weight, etc.

14 Hashing with public salt
• Target-Collision-Resistance (TCR)
  – Attacker chooses M, then given random salt, cannot find M’ such that H(salt,M)=H(salt,M’)
• enhanced TCR (eTCR)
  – Attacker chooses M, then given random salt, cannot find M’,salt’ s.t. H(salt,M)=H(salt’,M’)

15 Hashing random messages
• Second Preimage Resistance
  – Given random M, attacker cannot find M’ such that H(M)=H(M’)
• One-wayness
  – Given d=H(M) for random M, attacker cannot find M’ such that H(M’)=d
• Extraction*
  – For random salt, high-entropy M, the digest d=H(salt,M) is close to being uniform
* Combinatorial, not cryptographic

16 Hashing with a secret key
• Pseudo-Random Functions
  – The mapping M → H(key,M) for secret key looks random to an attacker
• Universal hashing*
  – For all M,M’, Pr_key[ H(key,M)=H(key,M’) ] < ε
* Combinatorial, not cryptographic

17 Application: Digital Signatures
Generating a signature: Message m → Hash → H(m) → Sign (Bob’s Private key) → Signature (encrypted hash)
Verifying a signature: Message m → Hash → H(m); H(m) and Signature → Verify (Bob’s Public key) → Valid / Not Valid
Only one party (Bob) knows the private key

18 Application 1: Digital signatures
• Hash-then-sign paradigm
  – First shorten the message, d = H(M)
  – Then sign the digest, s = SIGN(d)
• Relies on collision resistance
  – If H(M)=H(M’) then s is a signature on both
• Attacks on MD5, SHA-1 threaten current signatures
  – MD5 attacks can be used to get bad CA cert [Stevens et al. 2009]

19 Collision resistance is hard
• Attacker works off-line (find M,M’)
  – Can use state-of-the-art cryptanalysis, as much computation power as it can gather, without being detected !!
• Helped by birthday attack (e.g., 2^{80} vs 2^{160})
• Well worth the effort
  – One collision ⇒ forgery for any signer

20 Signatures without CRHF [Naor-Yung 1989, Bellare-Rogaway 1997]
• Use randomized hashing
  – To sign M, first choose fresh random salt
  – Set d = H(salt, M), s = SIGN( salt || d )
• Attack scenario (collision game):
  – Attacker chooses M
  – Signer chooses random salt
  – Attacker must find M' s.t. H(salt,M) = H(salt,M') (same salt, since salt is explicitly signed)
• Attack is inherently on-line
  – Only rely on target collision resistance

21 TCR hashing for signatures
• Not every randomization works
  – H(M|salt) may be subject to collision attacks when H is Merkle-Damgård
  – Yet this is what PSS does (and it’s provable in the ROM)
• Many constructions “in principle”
  – From any one-way function
• Some engineering challenges
  – Most constructions use long/variable-size randomness, don’t preserve Merkle-Damgård
• Also, signing salt means changing the underlying signature schemes

22 Authentication with HMAC [Bellare-Canetti-Krawczyk 1996]
• Simple key-prepend/append have problems when used with a Merkle-Damgård hash
  – tag=H(key | M) subject to extension attacks
• HMAC: Compute tag = H(key | H(key | M))
  – About as fast as key-prepend for a MD hash
• Relies only on PRF quality of hash
  – M → H(key|M) looks random when key is secret

23 Application: File Authentication
Want to detect if a file has been changed by someone after it was stored
Method
– Compute a hash H(F) of file F
– Store H(F) separately from F
– Can tell at any later time if F has been changed by computing H(F’) and comparing to stored H(F)
Why not just store a duplicate copy of F???

24 Application: User Authentication
Alice wants to authenticate herself to Bob
– assuming they already share a secret key K
Protocol (time runs downward):
– Alice → Bob: “I’m Alice”
– Bob picks random number R; Bob → Alice: R
– Alice computes Y=H(R|K); Alice → Bob: Y
– Bob verifies that Y=H(R|K)

25 User Authentication… (cont’d)
Why not just send…
– …H(K)?, i.e., what’s the purpose of R?
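The exchange from slides 24 and 25, with both sides written out, as an added example that is not part of the original slides. It assumes SHA-256 for H, a 16-byte R, and a verifier that accepts each R once; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def response(key: bytes, challenge: bytes) -> bytes:
    """Alice's reply Y = H(R|K), with SHA-256 standing in for H."""
    return hashlib.sha256(challenge + key).digest()

class Bob:
    """Verifier side: issues each challenge R once and checks Y = H(R|K)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()          # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        r = secrets.token_bytes(16)    # fresh random R for every attempt
        self._pending.add(r)
        return r

    def verify(self, challenge: bytes, y: bytes) -> bool:
        if challenge not in self._pending:
            return False               # unknown or already used R
        self._pending.discard(challenge)
        return hmac.compare_digest(response(self._key, challenge), y)

def replay_demo():
    """Returns (honest login, replay on used R, replay on fresh R, H(K) repeats)."""
    key = secrets.token_bytes(32)      # shared secret K (constructed)
    bob = Bob(key)
    r1 = bob.new_challenge()
    y1 = response(key, r1)             # Alice answers honestly
    first = bob.verify(r1, y1)
    # A recorded (r1, y1) pair is useless later: r1 has been consumed,
    # and y1 does not match any fresh challenge.
    replay_same = bob.verify(r1, y1)
    r2 = bob.new_challenge()
    replay_fresh = bob.verify(r2, y1)
    # Without R the value sent would be H(K), identical on every login.
    static_repeats = hashlib.sha256(key).digest() == hashlib.sha256(key).digest()
    return first, replay_same, replay_fresh, static_repeats

if __name__ == "__main__":
    print(replay_demo())
```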

26 Application: Commitment Protocols
Ex.: A and B wish to play the game of “odd or even” over the network
1. A picks a number X
2. B picks another number Y
3. A and B “simultaneously” exchange X and Y
4. A wins if X+Y is odd, otherwise B wins
If A gets Y before deciding X, A can easily cheat (and vice versa for B)
– How to prevent this?

27 Commitment… (Cont’d)
Proposal: A must commit to X before B will send Y
Protocol:
– A picks X and computes Z=H(X)
– A → B: Z = H(X)
– B picks Y; B → A: Y
– A → B: X
– B verifies that H(X) = Z
Can either A or B successfully cheat now?
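One caveat on Z = H(X) that matters in practice: the commitment hides X only if X is hard to guess. The following is an added example, not part of the original slides. It assumes SHA-256 for H and an X drawn from 0..99, and the nonce-based variant Z = H(nonce | X) is a common hardening that the slides do not show; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def commit_plain(x: int) -> bytes:
    """The slide's commitment Z = H(X), with SHA-256 standing in for H."""
    return hashlib.sha256(str(x).encode()).digest()

def search_plain(z: bytes, candidates):
    """What B can compute from Z alone when X comes from a small known set."""
    for guess in candidates:
        if commit_plain(guess) == z:
            return guess
    return None

def commit_salted(x: int):
    """Assumed variant: Z = H(nonce | X) with a fresh 32-byte nonce."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + str(x).encode()).digest(), nonce

def open_salted(z: bytes, nonce: bytes, x: int) -> bool:
    """B's check once A reveals (nonce, X)."""
    expected = hashlib.sha256(nonce + str(x).encode()).digest()
    return hmac.compare_digest(expected, z)

def winner(x: int, y: int) -> str:
    """Slide 26 rule: A wins if X+Y is odd, otherwise B wins."""
    return "A" if (x + y) % 2 == 1 else "B"

if __name__ == "__main__":
    x = 7                                   # A's pick (constructed), range 0..99
    z = commit_plain(x)
    leaked = search_plain(z, range(100))    # B learns X before choosing Y
    print("plain commitment leaks X =", leaked,
          "so Y =", leaked, "gives winner", winner(x, leaked))
    z2, nonce = commit_salted(x)
    print("salted commitment, search finds:", search_plain(z2, range(100)))
    print("A opens honestly:", open_salted(z2, nonce, x))
    print("A tries to open as X+1:", open_salted(z2, nonce, x + 1))
```

The nonce restores hiding against B, while collision resistance of H still keeps A bound to the X that was committed.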

28 Application: Message Encryption
Assume A and B share a secret key K
– but don’t want to just use encryption of the message with K
A sends B the (encrypted) random number R1, B sends A the (encrypted) random number R2
And then…

29 [Figure: two diagrams side by side. First: Initialization Vector and Key feeding a chain of E blocks that produces a one-time pad, combined with M1 M2 M3 M4 to give C1 C2 C3 C4. Second: R1 | R2 and Key feeding a chain of C+H blocks that produces a one-time pad, combined with M1 M2 M3 M4 to give C1 C2 C3 C4. Legend: C+H = Concatenate, then Hash]
R1 | R2 is used like the IV of OFB mode, but C+H replaces encryption; as good as encryption?

30 Application: Message Authentication
A wishes to authenticate (but not encrypt) a message M (and A, B share secret key K)
– A: 1. picks random number R; 2. computes Y = H(M|K|R)
– A → B: M, R, Y
– B: verifies that Y = H(M|K|R)
Why is R needed? Why is K needed?

31 Is Encryption a Good Hash Function?
[Figure: chain of E blocks with inputs constant, M1, M2, M3, M4; 64-bit output labelled Hash]
Building hash using block chaining techniques
– Encryption block size may be too short (DES=64)
  • Birthday attack
– Extension attacks

32 Modern Hash Functions
MD5
– Previous versions (i.e., MD2, MD4) have weaknesses.
– Broken; collisions published in August 2004
– Too weak to be used for serious applications
SHA (Secure Hash Algorithm)
– Weaknesses were found
SHA-1
– Broken, but not yet cracked
– Collisions in 2^{69} hash operations, much less than the brute-force attack of 2^{80} operations
– Results were circulated in February 2005, and published in CRYPTO ’05 in August 2005
SHA-256, SHA-384, …

33 (In)security of MD5
A few recently discovered methods can find collisions in a few hours
– A few collisions were published in 2004
– Can find many collisions for 1024-bit messages
– More discoveries afterwards
– In 2005, two X.509 certificates with different public keys and the same MD5 hash were constructed
  • This method is based on differential analysis
  • 8 hours on a 1.6GHz computer
  • Much faster than birthday attack

34 Comparison: SHA-1 vs. MD5
SHA-1 is a stronger algorithm
– brute-force attacks require on the order of 2^{80} operations vs. 2^{64} for MD5
SHA-1 is about twice as expensive to compute
Both MD5 and SHA-1 are much faster to compute than DES

35 Security of SHA-1
SHA-1
– “Broken”, but not yet cracked
– Collisions in 2^{69} hash operations, much less than the brute-force attack of 2^{80} operations
– Results were circulated in February 2005, and published in CRYPTO ’05 in August 2005
SHA-256, SHA-384, SHA-512

36 The Hashed Message Authentication Code (HMAC)

37 HMAC Processing (CSC/ECE 574, Dr. Peng Ning)
[Figure: Key K, pad on right with 0’s to 512 bits in length; constants 0x363636…36 and 0x5c5c5c…5c; first pass: concatenate with Message M, compute message digest; second pass: concatenate, compute message digest; output HMAC(key,message)]
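The processing on slide 37, and the two-pass construction summarized on slide 22, written out step by step. This is an added example, not part of the original slides: it assumes SHA-256 (512-bit block) as the underlying hash and follows RFC 2104, in which the two key copies are the padded key XORed with 0x36 and 0x5c; the function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes = 512 bits, as on the slide

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    # RFC 2104: a key longer than one block is hashed first; the key is
    # then padded on the right with zero bytes to 512 bits.
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)   # inner key copy
    opad_key = bytes(b ^ 0x5C for b in key)   # outer key copy
    # First pass: concatenate with the message, compute message digest.
    inner = hashlib.sha256(ipad_key + message).digest()
    # Second pass: concatenate with the inner digest, compute digest again.
    return hashlib.sha256(opad_key + inner).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

if __name__ == "__main__":
    key = b"constructed shared key"
    msg = b"transfer 100 to account 42"      # constructed sample message
    tag = hmac_sha256(key, msg)
    print("tag:", tag.hex())
    print("matches stdlib hmac:",
          tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("original verifies:", verify_tag(key, msg, tag))
    print("modified message verifies:", verify_tag(key, msg + b"0", tag))
```

Because the outer pass hashes only the fixed-length inner digest under a second key copy, knowing a tag does not give the chaining state needed to extend the message, unlike tag = H(key | M).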

38 Summary
Hashing is fast to compute
Has many applications (some making use of a secret key)
Hash images must be at least 128 bits long
– but longer is better ⇒ 256 is ideal
Hash function details are tedious ☹
HMAC protects message digests from extension attacks

