
1 Applied Cryptography Spring 2015 Hash functions

2 Hash functions - Passwords
httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
Password length up to 8 characters; the stored field is the output of the one-way hash function crypt(3), not an encryption of the password that could be reversed. Are they safe?

3 Hash functions - Digital signatures

4 Hash functions – Message authentication
Alice sends: "Let's go to Christopher's tonight! Love, Alice"
Bob receives: "Let's order a Fatty Joe's cheese pizza! Love, Alice" (altered in transit by Eve)
Authentication and integrity needed! [From Andreas Klappenecker]

5 Hash functions - Data integrity

6 Hash Functions are Versatile
Hash functions are used for:
- message and file integrity
- secure login
- fingerprints of keys
- authentication
- digital signatures
[From Andreas Klappenecker]

7 Hash functions – Some desired properties
- Produces a fixed-length value from a variable-length source
- One-way: it is easy to compute H = f(M), but for a given H it is hard to find a message M such that f(M) = H (cryptographically secure hash functions)
- MAC (Message Authentication Code): essentially a hash function that additionally depends on a key, f(M, K) = H

8 Hash functions - definition
A hash function is a function f: {0,1}* → {0,1}^n. The size of the output, n, is a property of the function. Common values are 128, 160 and 256. Commonly used hash functions are MD5, SHA-1 (originally just "SHA") and the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512).

9 Hash functions - example SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3

10 Hash Functions A transformation of a message of arbitrary length into a fixed-length number is called a hash function Alternate names are fingerprint or digest [From Andreas Klappenecker]

11 Hash function — examples
f(m) = first 40 bits of m
f(m) = last 40 bits of m
f(m) = XOR of the bytes of m
(These satisfy the definition, but none of them is one-way or collision resistant: a preimage or a second message with the same value can be written down directly.)

12 Desired properties of hash functions
Let H be a hash function.
One-way
– Given x, infeasible to compute a v such that H(v) = x
Collision-free
– Infeasible to find x1 and x2 such that H(x1) = H(x2) and x1 ≠ x2

13 Desirable properties of hash functions
1) It should be possible to efficiently compute the hash value z = H(m) of a message m.
2) Given the hash value z = H(m), it should be computationally infeasible to find m. A function with this property is called a one-way function.
3) Given a message m, it should be infeasible to find another message m' such that H(m) = H(m').
4) It should be infeasible to find two messages m and m' such that H(m) = H(m').
Property 3) is known as weak collision resistance (second-preimage resistance), and Property 4) is known as strong collision resistance. [From Andreas Klappenecker]

14 Length of hash value?
Birthday paradox: what should be the size k of a group of people, such that with probability 1/2 at least two persons from the group have their birthday on the same day?


17 Birthday Attacks
Any function H: {0,1}* → {0,1}^n must have infinitely many collisions. It requires about O(2^(n/2)) evaluations of H to find two messages m and m' that collide, H(m) = H(m'). This means n must be reasonably large, otherwise H cannot be collision resistant. [From Andreas Klappenecker]

18 Example
Suppose a hash function H produces n-bit values. Compose a nice treaty and about 2^(n/2+1) semantically equivalent versions of it. Similarly, compose an evil treaty and about 2^(n/2+1) semantically equivalent versions. With probability 1/2 or more there will be a version of the nice treaty and a version of the evil treaty that have the same hash value. [From Andreas Klappenecker]
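The treaty attack of slides 17-18 carried out on a truncated hash, as an added example that is not part of the original slides. The n-bit hash is modelled by the leading n bits of SHA-256 (an assumption, so the search finishes in seconds), the equivalent versions are produced by rendering each gap between words of a constructed preamble as one or two spaces, and the attacker keeps both version sets in memory, so the first cross collision appears after roughly 2^(n/2) hash evaluations. A brute-force second preimage on a 16-bit truncation is included for contrast: it costs about the same number of evaluations as a collision on a 32-bit truncation.

```python
import hashlib

# Constructed example documents: the payload is the only semantic difference.
NICE = "Bob receives 100 EUR."
EVIL = "Bob receives all of Alice's assets."
# 24 preamble words give 24 inter-word gaps, each rendered as one or two spaces:
# 2**24 documents that read identically but hash differently.
PREAMBLE = ("This agreement is made between Alice and Bob and sets out the terms "
            "under which payment shall be made on delivery of the goods").split()


def variant(payload: str, i: int) -> str:
    """Variant number i of a treaty: bit j of i selects one or two spaces after word j."""
    gaps = [w + ("  " if (i >> j) & 1 else " ") for j, w in enumerate(PREAMBLE)]
    return "".join(gaps) + payload


def trunc_hash(doc: str, n_bits: int) -> int:
    """Model an n-bit hash by keeping the leading n bits of SHA-256 (assumption)."""
    digest = hashlib.sha256(doc.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def birthday_collision(n_bits: int):
    """Slide 18: grow a nice and an evil variant set side by side until one n-bit
    hash value appears in both. Returns (nice_doc, evil_doc, hash_evaluations)."""
    seen = {NICE: {}, EVIL: {}}
    evals = 0
    for i in range(1 << len(PREAMBLE)):
        for payload, other in ((NICE, EVIL), (EVIL, NICE)):
            doc = variant(payload, i)
            h = trunc_hash(doc, n_bits)
            evals += 1
            match = seen[other].get(h)
            if match is not None:
                nice_doc, evil_doc = (doc, match) if payload == NICE else (match, doc)
                return nice_doc, evil_doc, evals
            seen[payload][h] = doc
    return None, None, evals


def second_preimage(target_doc: str, n_bits: int):
    """Contrast: hit one fixed n-bit value with an evil variant, about 2**n_bits tries.
    Returns (evil_doc, hash_evaluations)."""
    target = trunc_hash(target_doc, n_bits)
    for i in range(1 << len(PREAMBLE)):
        doc = variant(EVIL, i)
        if trunc_hash(doc, n_bits) == target:
            return doc, i + 1
    return None, 1 << len(PREAMBLE)


if __name__ == "__main__":
    nice_doc, evil_doc, evals = birthday_collision(32)
    print(f"32-bit collision after {evals} hashes (2**16 = {1 << 16}):")
    print(f"  {trunc_hash(nice_doc, 32):08x}  {nice_doc!r}")
    print(f"  {trunc_hash(evil_doc, 32):08x}  {evil_doc!r}")
    doc, tries = second_preimage(variant(NICE, 0), 16)
    print(f"16-bit second preimage after {tries} hashes (2**16 = {1 << 16})")
```

The two documents returned differ only in invisible whitespace and in the payload sentence, which is exactly why a signature over a hash that is only collision resistant at the 2^(n/2) level, rather than at 2^n, is the attacker's target: Alice signs the nice version and the signature verifies on the evil one.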

19 Unix passwords
httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
Password length up to 8 characters; the stored field is the output of the one-way hash function crypt(3). Are they safe?

20 Unix passwords
Entries of the form:
smithj:Ep6mckrOLChF.:10193:0:99999:5:::
where the password hash is followed by:
- the date when the password was last changed, measured in elapsed days since Jan 1st, 1970
- the number of days before the password can be changed again
- the number of days after which the password must be changed
- the number of days to warn the user of an expiring password
- the number of days after the password expires that the account is disabled
- the number of days since January 1, 1970 after which the account is disabled
- a reserved field for possible future use
[From B.Madeiros]

21 86% of users are dumb
Single ASCII character           0.5%
Two characters                   2%
Three characters                 14%
Four alphabetic letters          14%
Five same-case letters           21%
Six lowercase letters            18%
Words in dictionaries or names   15%
Other (possibly good passwords)  14%
[From David Evans]

22 UNIX Password System
Uses modified DES as if it were a hash function
– Encrypts the all-zero (NULL) block using the password as the key
Truncates passwords to 8 characters!
– Artificial slowdown: DES is run 25 times
– Modern UNIXes can be configured to use an MD5-based (or stronger) password hash instead
Problem: passwords are not truly random
– With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols there are 94^8 ≈ 6 quadrillion possible 8-character passwords
– Humans like to use dictionary words, human and pet names: about 1 million common passwords
[From A. Nascimento]

23 Dictionary Attack
Password file /etc/passwd is world-readable
– Contains user IDs and group IDs which are used by many system programs
Dictionary attack is possible because many passwords come from a small dictionary
– Attacker can compute H(word) for every word in the dictionary and see if the result is in the password file
– With a 1,000,000-word dictionary and assuming 10 guesses per second, an online attack takes 50,000 seconds (14 hours) on average
This is very conservative. An offline attack is much faster!
[From A. Nascimento]

24 Dictionary Attack – some numbers
Typical password dictionary
– 1,000,000 entries of common passwords: people's names, common pet names, and ordinary words
– Suppose you generate and analyze 10 guesses per second (this may be reasonable for a web site; offline is much faster)
– Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
If passwords were random
– Assume a six-character password over upper- and lowercase letters, digits and 32 punctuation characters: 94^6 = 689,869,781,056 combinations
– Exhaustive search at 10 guesses per second requires 1,093 years on average
[From J.Mitchell]

25 Salt
Stored entry fURxfg,4hLBX = crypt(pwd, salt), where the salt is chosen randomly when the password is first set.
– Users with the same password have different entries in the password file
– Dictionary attack is still possible!
Basically, DES on NULL plaintext [From A. Nascimento]

26 Unix passwords - salt
httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
The hash field is 13 characters from a 64-symbol alphabet (6 bits per character), 78 bits in total: the first 2 characters carry the 12 bits of "salt", the remaining 11 characters encode the 64-bit hashed value.

27 Unix passwords - crypt(3)
The salt introduces disorder into the DES algorithm in one of 16777216 or 4096 possible ways (i.e. with 24 or 12 bits: if bit i of the salt is set, then bits i and i+24 are swapped in the DES E-box output). The DES key is used to encrypt a 64-bit constant using count iterations of DES. The value returned is a null-terminated string, 20 or 13 bytes (plus null) in length, consisting of the setting followed by the encoded 64-bit encryption. (The 24-bit salt, variable count and 20-byte result belong to the BSDi extended variant; traditional crypt(3) uses a 12-bit salt, 25 iterations and a 13-byte result.)

28 Unix crypt(3)
Modifications to use longer passwords were adopted. These separate the password into groups of 8 characters, generate the first key from the first group, and then fold in each subsequent group by XOR-ing it into the DES encryption of the current key under itself. [From B.Madeiros]

29 DES [From Henric Johnson]

30 crypt(3)
DES: IP and FP stand for the initial and final permutations, respectively. F: round function. E: expansion function, 32 → 48 bits, which crypt(3) modifies using the salt. The salt introduces disorder as follows: if the i-th bit of the salt is set (non-zero), then bits i and i+24 of the output of the expansion function are swapped. [From B.Madeiros]

31 UNIX Password security Overview of Unix encrypted passwords using crypt(3) 13 character encrypted password sX5/Fhl9yCMNK

32 Key stretching (strengthening)
Short key → repeated hash function → long "random" key (128 bits)
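The shadow-file layout of slide 20, the dictionary attack of slides 23-25 and the key stretching of slide 32 in one added example (not code from the original slides). crypt(3)'s DES is replaced by an iterated SHA-256 over salt||password, with the stored field written as salt$rounds$hex; that format, the user list, the salts and the wordlist are all constructed for this example. The attack caches every (salt, word) hash it computes, so the count of hash iterations it reports shows what salt and stretching actually buy: without salt one table cracks every user, with salt the table has to be rebuilt per user, and with stretching every table entry costs `rounds` iterations.

```python
import hashlib
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
ROUNDS = 1000   # stretching iterations (traditional crypt(3) ran DES 25 times)

# Constructed dictionary and users; 'andris' has a password not in the dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football", "iloveyou"]
USERS = [("guest", "password"), ("test", "password"), ("mysql", "qwerty"), ("andris", "Vx9#qL2m!t")]
SALTS = {"guest": "3f8a9c01", "test": "b7e2d4f6", "mysql": "19c0ee52", "andris": "a4d17b90"}


def stretched_hash(password: str, salt: str, rounds: int) -> str:
    """Stand-in for crypt(3) (assumption): SHA-256 over salt||password, iterated."""
    h = (salt + password).encode()
    for _ in range(rounds):
        h = hashlib.sha256(h).digest()
    return f"{salt}${rounds}${h.hex()}"


def parse_shadow_line(line: str) -> dict:
    """Split one /etc/shadow-style line (slide 20) into its nine fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    day = lambda v: EPOCH + timedelta(days=int(v)) if v else None
    num = lambda v: int(v) if v else None
    return {"user": f[0], "hash": f[1], "last_change": day(f[2]),
            "min_days": num(f[3]), "max_days": num(f[4]), "warn_days": num(f[5]),
            "inactive_days": num(f[6]), "expire": day(f[7]), "reserved": f[8],
            "login_disabled": f[1] == "Nologin" or f[1].startswith(("*", "!"))}


def make_shadow_file(salted: bool, rounds: int) -> list:
    """Constructed shadow file; every password was last changed on day 10193."""
    lines = []
    for user, pwd in USERS:
        salt = SALTS[user] if salted else ""
        lines.append(f"{user}:{stretched_hash(pwd, salt, rounds)}:10193:0:99999:7:::")
    lines.append("httpd:Nologin:10193:0:99999:7:::")
    return lines


def dictionary_attack(lines, wordlist):
    """Offline attack: hash each word under every salt seen and compare with the file.
    Returns ({user: password}, number of hash-function iterations spent)."""
    cracked, work, cache = {}, 0, {}
    for entry in map(parse_shadow_line, lines):
        if entry["login_disabled"]:
            continue
        salt, rounds, _ = entry["hash"].split("$")
        for word in wordlist:
            key = (salt, rounds, word)
            if key not in cache:             # a (salt, word) pair is never hashed twice
                cache[key] = stretched_hash(word, salt, int(rounds))
                work += int(rounds)
            if cache[key] == entry["hash"]:
                cracked[entry["user"]] = word
                break
    return cracked, work


if __name__ == "__main__":
    for salted, rounds in ((False, 1), (True, 1), (True, ROUNDS)):
        cracked, work = dictionary_attack(make_shadow_file(salted, rounds), WORDLIST)
        print(f"salted={salted!s:5} rounds={rounds:4}: cracked {sorted(cracked)}, {work} hash iterations")
```

Note that the salt never stops the dictionary attack (slide 25): the same three weak passwords fall in all three runs. It only removes the attacker's ability to amortise one table over all users and all password files, and the stretching multiplies the per-guess cost by a factor the defender chooses.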

33 Authentication - S/Key
Alice picks a random number R.
The S/Key program generates f(R), f(f(R)), f(f(f(R))), ..., f^100(R).
Alice prints out these numbers and stores them somewhere secure.
Host stores f^101(R). (Doesn't need to be kept secret.) [From David Evans]
Supported by Linux (via Pluggable Authentication Modules), OpenBSD, NetBSD, and FreeBSD.

34 Authentication - S/Key
Alice enters f^100(R). Host calculates f(f^100(R)) and compares it to the stored f^101(R). If they match, it allows login and replaces the stored value with f^100(R). Alice crosses off f^100(R) and enters f^99(R) next time.
What is f?
– One-way function: given f(x), hard to find x.
– S/Key uses MD4 (not secure) [From David Evans]
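The exchange of slides 33-34 with both sides implemented, as an added example that is not part of the original slides. SHA-256 stands in for the MD4 that S/Key uses (an assumption; any one-way function fits the scheme), the seed is drawn with os.urandom, and the host follows the slides literally: it keeps only f^(n+1)(R) and accepts a password exactly when applying f once reproduces that value. The session shows a replayed password and a skipped-ahead password both being rejected.

```python
import hashlib
import os


def f(x: bytes) -> bytes:
    """The one-way function. S/Key itself uses MD4 (slide 34); SHA-256 stands in here."""
    return hashlib.sha256(x).digest()


def otp_chain(seed: bytes, n: int = 100) -> list:
    """Alice's printout: [f(R), f(f(R)), ..., f^n(R)]; index k-1 holds f^k(R)."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class Host:
    """Stores only f^(n+1)(R) and the index of the next password it expects."""

    def __init__(self, chain_top: bytes, n: int = 100):
        self.stored = chain_top   # f^(n+1)(R); disclosing it reveals no usable password
        self.expect = n           # next login must present f^n(R)

    def login(self, otp: bytes) -> bool:
        if f(otp) != self.stored:
            return False          # wrong, replayed, or out-of-order password
        self.stored = otp         # f^k(R) is now the verifier for f^(k-1)(R)
        self.expect -= 1
        return True


def run_session(n: int = 100):
    """Set-up plus a few logins in the order of slide 34; returns the outcomes."""
    R = os.urandom(32)
    chain = otp_chain(R, n)
    host = Host(f(chain[-1]), n)                    # f^(n+1)(R) = f(f^n(R))
    outcomes = {
        "first f^100": host.login(chain[n - 1]),
        "replay f^100": host.login(chain[n - 1]),   # an eavesdropper replaying it
        "next f^99": host.login(chain[n - 2]),
        "skip to f^97": host.login(chain[n - 4]),   # host expects f^98 and cannot bridge the gap
        "then f^98": host.login(chain[n - 3]),
    }
    return outcomes, host.expect


if __name__ == "__main__":
    for step, ok in run_session()[0].items():
        print(f"{step:14} -> {'accepted' if ok else 'rejected'}")
```

The security argument is the one-wayness of f alone: an attacker who reads the host's stored f^(k+1)(R) or sniffs f^(k+1)(R) on the wire still has to invert f to obtain the next valid password f^k(R). The real S/Key protocol additionally sends the sequence number to the client so that a skipped password can be recovered; the slides' simplified version, implemented here, rejects it.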

35 Which hash algorithms to use?
The message digest algorithm MD5 by Ron Rivest, with 128-bit hash values.
The secure hash algorithm SHA-1. It was developed by the NSA and standardized by NIST. This algorithm uses 160-bit hash values encoded in 5 × 32-bit words.
The family SHA-256, SHA-384, SHA-512 of hash functions that are supposed to be used with AES. They will be part of the NIST Cryptographic Toolkit.
Why are these bit lengths used? [From Andreas Klappenecker]
Collisions in SHA-1 can be found with about 2^63 attempts (theoretical at the time of these slides; a practical SHA-1 collision was published in 2017).
A collision in MD5 can be found in 8 hours using a notebook PC...

36 Merkle-Damgard hash algorithms

37 Hash Algorithms - general structure At the end of the four rounds, the result is added to the previous values of ABCD. [From Andreas Klappenecker]

38 MD5 Message Digest Algorithm
It compresses message blocks of 512 bits into a hash of length 128 bits. A message of arbitrary length is padded to a length k ≡ 448 (mod 512), then a 64-bit string describing the length of the message is added. The message length is now a multiple of 512. The hashing is done block by block. [From Andreas Klappenecker]

39 MD5 Message Digest Algorithm
Step 1: Append padding bits
– Padded so that its bit length ≡ 448 (mod 512) (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits)
– Padding is always added, even if the message is already of the desired length (1 to 512 bits)
– Padding bits: 1000…0 (a single 1-bit followed by the necessary number of 0-bits)
[From H. Yoon]

40 MD5 Message Digest Algorithm
Step 2: Append length
– 64-bit length: contains the length of the original message modulo 2^64
– The expanded message is Y_0, Y_1, …, Y_{L-1}; the total length is L × 512 bits
– The expanded message can be thought of as a multiple of 16 32-bit words
– Let M[0 … N-1] denote the words of the resulting message, where N = L × 16
[From H. Yoon]

41 MD5 Message Digest Algorithm
Developed by Ron Rivest at MIT
Input: a message of arbitrary length
Output: 128-bit message digest
32-bit word units, 512-bit blocks
Successor to MD2 and MD4
[From H. Yoon]

42 MD5 - Initialisation Vector
A buffer containing four words A, B, C, D of 32 bits is used to compute the hash value. Initial values (bytes as laid out in memory, low-order byte first):
A = 01 23 45 67
B = 89 ab cd ef
C = fe dc ba 98
D = 76 54 32 10
Read as little-endian 32-bit words this is A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476. [From Andreas Klappenecker]

43 MD5 Message Digest Algorithm
MD5 processing of a single 512-bit block (MD5 compression function) [From H. Yoon]

44 Elementary MD5 Operation (Single Step) MD5 Message Digest Algorithm [From H. Yoon]

45 MD5 - functions
The procedure uses four boolean functions that operate bitwise on 32-bit words:
F(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z)
G(X,Y,Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)
H(X,Y,Z) = X ⊕ Y ⊕ Z
I(X,Y,Z) = Y ⊕ (X ∨ ¬Z)
[From Andreas Klappenecker]
Truth table:
x y z | F G H I
0 0 0 | 0 0 0 1
0 0 1 | 1 0 1 0
0 1 0 | 0 1 1 0
0 1 1 | 1 0 0 1
1 0 0 | 0 0 1 1
1 0 1 | 0 1 0 1
1 1 0 | 1 1 0 0
1 1 1 | 1 1 1 0

46 MD5 - X[k]
The array of 32-bit words X[0..15] holds the current 512-bit input block being processed. Within a round, each of the 16 words X[i] is used exactly once, during one step.
– The order in which these words are used varies from round to round
– In the first round, the words are used in their original order
– For rounds 2 through 4, the following permutations are used (i = 0..15 is the step within the round):
  ρ2(i) = (1 + 5i) mod 16
  ρ3(i) = (5 + 3i) mod 16
  ρ4(i) = 7i mod 16
[From H. Yoon]

47 MD5 - T[i]
Table T, constructed from the sine function: T[i] = integer part of 2^32 × |sin(i)|, for i = 1..64 with i in radians. [From H. Yoon]

48 MD5 - CLS
<<< s: circular left shift (rotation) of the 32-bit argument by s bits. Each round cycles through its four values of s:
Round 1: 7 12 17 22
Round 2: 5 9 14 20
Round 3: 4 11 16 23
Round 4: 6 10 15 21
[From H. Yoon]

49 MD5 Reference
A detailed description of MD5 is contained in RFC 1321. Hans Dobbertin showed in 1996 that the MD5 compression function is not collision resistant, and Wang et al. found collisions for the full MD5 in 2004, so it is not advisable to use this algorithm. It is used in IPsec and other protocols, and is widely used for storing passwords. [From Andreas Klappenecker]
Because MD5 makes only one pass over the data (Merkle-Damgård chaining: the digest is simply the final chaining value), if two prefixes with the same hash can be constructed, a common suffix can be added to both and they still collide, which is what makes colliding documents that look reasonable possible.
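MD5 as described on slides 38-48, implemented from those slides as an added example (not code from the original slides or from RFC 1321), together with a demonstration of the one-pass property noted on slide 49. Because the digest is just the chaining state after the last block, anyone who knows MD5(secret || msg) and the length of secret || msg can continue the computation and produce a valid MD5(secret || msg || padding || extension) without ever learning the secret; the naive MAC(secret, msg) = MD5(secret || msg), the secret value and the messages below are constructed for the example.

```python
import math
import struct

MASK32 = 0xFFFFFFFF
# Rotation amounts per step (slide 48) and the sine-derived constants (slide 47).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
# Initial A, B, C, D (slide 42) as little-endian 32-bit words.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md5_padding(total_len: int) -> bytes:
    """Steps 1-2 (slides 39-40) for a message of total_len bytes: a 0x80 byte, zeros
    up to 56 mod 64, then the bit length as a 64-bit little-endian integer."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_compress(state: tuple, block: bytes) -> tuple:
    """One 512-bit block: 64 steps in 4 rounds (slides 43-48), then add to the chaining value."""
    X = struct.unpack("<16I", block)
    A, B, C, D = state
    for i in range(64):
        if i < 16:                                    # round 1: F, words in order
            f, k = (B & C) | (~B & D), i
        elif i < 32:                                  # round 2: G, k = (1 + 5i) mod 16
            f, k = (D & B) | (~D & C), (5 * i + 1) % 16
        elif i < 48:                                  # round 3: H, k = (5 + 3i) mod 16
            f, k = B ^ C ^ D, (3 * i + 5) % 16
        else:                                         # round 4: I, k = 7i mod 16
            f, k = C ^ (B | ~D), (7 * i) % 16
        f = (f + A + T[i] + X[k]) & MASK32
        A, D, C, B = D, C, B, (B + _rotl(f, S[i])) & MASK32
    return tuple((s + v) & MASK32 for s, v in zip(state, (A, B, C, D)))


def md5(message: bytes, state: tuple = IV, prefix_len: int = 0) -> bytes:
    """MD5 of message. With state/prefix_len the computation resumes from a known
    chaining value as if prefix_len bytes (a multiple of 64) had already been absorbed."""
    data = message + md5_padding(prefix_len + len(message))
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def length_extension(tag: bytes, known_len: int, extension: bytes):
    """Given tag = MD5(secret || msg) and len(secret || msg), return (glue, forged) with
    forged = MD5(secret || msg || glue || extension), computed without the secret."""
    glue = md5_padding(known_len)                     # the padding MD5 appended internally
    resumed = struct.unpack("<4I", tag)               # the digest is the chaining state
    forged = md5(extension, state=resumed, prefix_len=known_len + len(glue))
    return glue, forged


def forge_demo(secret: bytes = b"hunter2", msg: bytes = b"amount=10&to=alice",
               extension: bytes = b"&to=mallory"):
    """Returns (forged_tag, honest_tag) for the extended message; they are equal."""
    tag = md5(secret + msg)                           # what a naive MAC(secret, msg) leaks
    glue, forged = length_extension(tag, len(secret) + len(msg), extension)
    honest = md5(secret + msg + glue + extension)     # what a verifier would recompute
    return forged, honest


if __name__ == "__main__":
    print(md5(b"The quick brown fox jumps over the lazy dog").hex())
    forged, honest = forge_demo()
    print("length-extension forgery valid:", forged == honest)
```

The attacker only needs the length of the secret, not its value, and an 8-byte guess range is cheap to enumerate. This is the reason slide 85's HMAC hashes twice with distinct keyed pads instead of hashing key || message once.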

50 MD5 security [From wikipedia.org]
Collisions can be found in time 2^24.1 (i.e. within seconds...)
Chosen-prefix collisions – in time 2^39
Pre-image attack – in time 2^123.4 (well, still kind of OK)

51 MD4
Precursor to MD5
Design goals of MD4 (which are carried over to MD5):
– Security
– Speed
– Simplicity and compactness
– Favor little-endian architecture
[From H. Yoon]

52 MD4
Main differences between MD5 and MD4:
1. A fourth round has been added.
2. Each step now has a unique additive constant.
3. The function g in round 2 was changed from (b∧c ∨ b∧d ∨ c∧d) to (b∧d ∨ c∧¬d) to make g less symmetric.
4. Each step now adds in the result of the previous step. This promotes a faster "avalanche effect".
5. The order in which input words are accessed in rounds 2 and 3 is changed, to make these patterns less like each other.
6. The shift amounts in each round have been approximately optimized, to yield a faster "avalanche effect". The shifts in different rounds are distinct.
[From H. Yoon]

53 Secure Hash Algorithm (SHA)
Developed by NIST (National Institute of Standards and Technology)
– Published as FIPS PUB 180 in 1993
– A revised version was issued as FIPS PUB 180-1
– Generally referred to as SHA-1
Input: a message with a maximum length of less than 2^64 bits
Output: 160-bit message digest
32-bit word units, 512-bit blocks
4 rounds × 20 steps per block
Closely models MD4
Slower, stronger than MD5
[From H. Yoon]

54 Secure Hash Algorithm (SHA) The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as SHA-0. It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as SHA-1. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security.

55 SHA-1 logic
The overall structure and logic is similar to MD5
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize MD buffer
– A 160-bit buffer (five 32-bit registers A, B, C, D, E) is used to hold intermediate and final results of the hash function
– A, B, C, D, E are initialized to the following values: A, B, C, D = same as in MD5, E = C3D2E1F0
– Stored in big-endian format (most significant byte of a word in the low-address byte position), e.g. word E: C3 D2 E1 F0 (low address … high address)
[From H. Yoon]

56 SHA-1 logic
Step 4: Process message in 512-bit (16-word) blocks
– Heart of the algorithm, called a compression function
– Consists of 4 rounds of processing of 20 steps each
– The 4 rounds have a similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4
– Each round takes as input the current 512-bit block (Y_q) and the 160-bit buffer value ABCDE and updates the contents of the buffer
– Each round also uses the additive constants K_t, where 0 ≤ t ≤ 79 indicates one of the 80 steps across the 4 rounds
– In fact only 4 constants are used:
  Step number    K_t (hex)   Integer part of
  0 ≤ t ≤ 19     5A827999    2^30 × √2
  20 ≤ t ≤ 39    6ED9EBA1    2^30 × √3
  40 ≤ t ≤ 59    8F1BBCDC    2^30 × √5
  60 ≤ t ≤ 79    CA62C1D6    2^30 × √10
– The output of the 4th round (80th step) is added to CV_q to produce CV_{q+1}
[From H. Yoon]

57 SHA-1 processing of a single 512-bit block (SHA-1 compression function) SHA-1 logic [From H. Yoon]

58 Elementary SHA operation (single step) [From H. Yoon]

59 SHA-1 primitive logical functions
Each primitive function takes three 32-bit words as input and produces a 32-bit word output. Each function performs a set of bitwise logical operations.
Step          Function name        Function value
0 ≤ t ≤ 19    f1 = f(t,B,C,D)      (B ∧ C) ∨ (¬B ∧ D)
20 ≤ t ≤ 39   f2 = f(t,B,C,D)      B ⊕ C ⊕ D
40 ≤ t ≤ 59   f3 = f(t,B,C,D)      (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
60 ≤ t ≤ 79   f4 = f(t,B,C,D)      B ⊕ C ⊕ D
Truth table:
B C D | f1 f2 f3 f4
0 0 0 | 0  0  0  0
0 0 1 | 1  1  0  1
0 1 0 | 0  1  0  1
0 1 1 | 1  0  1  0
1 0 0 | 0  1  0  1
1 0 1 | 0  0  1  0
1 1 0 | 1  0  1  0
1 1 1 | 1  1  1  1
[From H. Yoon]
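SHA-1 built from slides 55-59, as an added example that is not code from the original slides or from FIPS 180-1. It differs from the MD5 structure in the points the slides call out: big-endian words, a fifth register E, the four K_t constants, and an 80-word message schedule derived from the 16 block words. The sha0 flag drops the single 1-bit rotation in that schedule, which according to slide 54 is the whole difference between the withdrawn SHA-0 and SHA-1; the bit_distance helper measures the avalanche between the two digests of slide 9.

```python
import struct

MASK32 = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # slide 55
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                  # slide 56


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def _f(t: int, B: int, C: int, D: int) -> int:
    """The four primitive functions of slide 59, selected by step number t."""
    if t < 20:
        return (B & C) | (~B & D)
    if t < 40:
        return B ^ C ^ D
    if t < 60:
        return (B & C) | (B & D) | (C & D)
    return B ^ C ^ D


def sha1(message: bytes, sha0: bool = False) -> bytes:
    """SHA-1 (FIPS 180-1). With sha0=True the message schedule omits the 1-bit
    rotation that FIPS 180 lacked, giving the withdrawn SHA-0 (slide 54)."""
    # Steps 1-2: same padding layout as MD5, but the length is big-endian.
    data = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack(">Q", len(message) * 8)
    h = list(H0)
    for off in range(0, len(data), 64):
        W = list(struct.unpack(">16I", data[off:off + 64]))           # big-endian words
        for t in range(16, 80):                                       # message schedule
            w = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]
            W.append(w if sha0 else _rotl(w, 1))                      # the SHA-0/SHA-1 difference
        A, B, C, D, E = h
        for t in range(80):                                           # 4 rounds x 20 steps
            temp = (_rotl(A, 5) + (_f(t, B, C, D) & MASK32) + E + W[t] + K[t // 20]) & MASK32
            A, B, C, D, E = temp, A, _rotl(B, 30), C, D
        h = [(x + y) & MASK32 for x, y in zip(h, (A, B, C, D, E))]   # add to chaining value
    return struct.pack(">5I", *h)


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two digests (the avalanche effect of slide 9)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    dog = b"The quick brown fox jumps over the lazy dog"
    cog = b"The quick brown fox jumps over the lazy cog"
    print("SHA-1:", sha1(dog).hex())
    print("SHA-0:", sha1(dog, sha0=True).hex())
    print("bits differing between SHA-1(dog) and SHA-1(cog):", bit_distance(sha1(dog), sha1(cog)))
```

Implementing a standard hash is only sensible for study: in production use the platform library, and, as slide 35 and the SHA algorithms table note, not SHA-1 itself where collision resistance matters.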

60 SHA-1 - Usage SHA-1 is employed in several widely used security applications and protocols, including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It was considered to be the successor to MD5, an earlier, widely-used hash function.

61 SHA-2 family

62 SHA algorithms
Algorithm     Output (bits)  Internal state (bits)  Block (bits)  Max message (bits)  Word (bits)  Rounds  Operations              Collision
SHA-0         160            160                    512           2^64 − 1            32           80      +,and,or,xor,rotl       Yes
SHA-1         160            160                    512           2^64 − 1            32           80      +,and,or,xor,rotl       2^63 attack
SHA-256/224   256/224        256                    512           2^64 − 1            32           64      +,and,or,xor,shr,rotr   None yet
SHA-512/384   512/384        512                    1024          2^128 − 1           64           80      +,and,or,xor,shr,rotr   None yet

63 SHA-3 NIST has selected five SHA-3 candidate algorithms to advance to the third (and final) round: BLAKE Grøstl (Knudsen et al.) JH Keccak (Keccak team, Daemen et al.) (the winner, 02.10.2012) Skein (Schneier et al.)

64 SHA-3
NIST noted some factors that figured into its selection as it announced the finalists:
- Performance: "A couple of algorithms were wounded or eliminated by very large [hardware gate] area requirement – it seemed that the area they required precluded their use in too much of the potential application space."
- Security: "We preferred to be conservative about security, and in some cases did not select algorithms with exceptional performance, largely because something about them made us 'nervous,' even though we knew of no clear attack against the full algorithm."
- Analysis: "NIST eliminated several algorithms because of the extent of their second-round tweaks or because of a relative lack of reported cryptanalysis – either tended to create the suspicion that the design might not yet be fully tested and mature."
- Diversity: The finalists included hashes based on different constructions, including the HAIFA and sponge hash constructions, and hashes with different sources of nonlinearity, including S-boxes and the interaction between addition and XOR.

65 SHA-3 - Skein

66 SHA-3 - Keccak
The sponge construction for hash functions: p_i are the input blocks, z_i the hashed output blocks. The unused "capacity" c should be twice the desired resistance to collision or preimage attacks.
Designed by G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Built upon RadioGatún. Selected as SHA-3 on 2.10.2012.
Hash sizes: 224, 256, 384, 512


81 Hash functions from block ciphers?
A, B, C can be: M_i, H_{i−1}, (M_i ⊕ H_{i−1}) or a constant (0)

82 Hash functions from block ciphers?
- 64 possibilities
- 15 trivially weak (result does not depend on the inputs)
- 37 shown to be insecure
- 12 remaining are reasonably secure (the first 4 are to be preferred)


84 CBC-MAC

85 HMAC
opad - the outer padding: 0x5c5c5c…5c5c (one-block-long constant)
ipad - the inner padding: 0x363636…3636 (one-block-long constant)
HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
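The HMAC construction of slide 85 written out over any hashlib hash, as an added example that is not part of the original slides. The key preparation (hash a key longer than a block, then zero-pad to one block) follows RFC 2104; the test vectors in the usage check come from RFC 2202, and the comparison against Python's hmac module and the constant-time verify are this example's additions.

```python
import hashlib
import hmac


def hmac_digest(key: bytes, msg: bytes, algo: str = "md5") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)) with the slide-85 pads."""
    block = hashlib.new(algo).block_size              # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:
        key = hashlib.new(algo, key).digest()         # long keys are hashed first (RFC 2104)
    key = key.ljust(block, b"\x00")                   # then zero-padded to one block: K'
    ipad = bytes(b ^ 0x36 for b in key)               # 0x3636...36 xor K'
    opad = bytes(b ^ 0x5C for b in key)               # 0x5c5c...5c xor K'
    inner = hashlib.new(algo, ipad + msg).digest()
    return hashlib.new(algo, opad + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison: an early-exit byte compare leaks the position of
    the first mismatch and lets an attacker recover a valid tag byte by byte."""
    return hmac.compare_digest(hmac_digest(key, msg, algo), tag)


def matches_stdlib(key: bytes, msg: bytes, algo: str) -> bool:
    """Cross-check this implementation against Python's hmac module."""
    return hmac_digest(key, msg, algo) == hmac.new(key, msg, algo).digest()


if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"
    tag = hmac_digest(key, msg, "sha256")
    print("HMAC-SHA256:", tag.hex())
    print("verifies:", verify(key, msg, tag, "sha256"))
    print("tampered message verifies:", verify(key, msg + b"!", tag, "sha256"))
```

The nested structure is what defeats the length-extension weakness of H(key || msg) on Merkle-Damgård hashes: the attacker never sees the inner hash, and the outer hash is keyed again, so continuing either computation requires the key. Use the platform's hmac implementation in real code; the value of writing it out is seeing that nothing beyond the two pads and two hash calls is involved.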

