Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions.


Slide 1 (Giuseppe Bianchi): Message Authentication: hash functions and hash-based constructions

Slide 2: Hash Function
- Any-length message X -> fixed-size digest Y = H(X) (e.g. 128 bits for MD5)
- Cannot be inverted, as Y is not unique to one X
- X = x bits, Y = y bits: assuming an ideal mapping, each Y is the result for 2^(x-y) possible messages X
- Example: x = 5 bits -> 32 messages; y = 2 bits -> 4 digests; 32/4 = 8 = 2^3

Slide 3: Properties of a good hash function
- Preimage resistance (one way): given Y = result of a hash, it is hard to find X such that H(X) = Y
- Second preimage resistance (weak collision resistance): given X, it is hard to find another X' such that H(X) = H(X')
- Collision resistance (strong collision resistance): it is hard to find two generic X1 and X2 such that H(X1) = H(X2)

Slide 4: Birthday paradox
1. What is the probability that none of you (N = 22) is born on my same day?
2. What is the probability that no two or more of us (N = 23) are born on the same day?
Analogy: H maps a human being X -> birthday!!

Slide 5: Birthday paradox again
- Digest = D bits
- Number of messages = K
1. How many messages K must be observed to get a 50% probability of finding one with my same digest?
2. How many messages K must be observed to get a 50% probability of finding two with the same digest?

Slide 6: Recalling that for small x, 1 - x ≈ e^(-x)
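The two questions of slide 5 worked through with the slide's symbols D and K and the approximation above (an added derivation, not part of the original deck):

```latex
% Birthday bound with the slide's symbols: D-bit digest, K messages.
% Approximation from slide 6: 1 - x \approx e^{-x} for small x.

% (1) Probability that none of K messages has my digest:
\Pr[\text{no match}] = \left(1 - 2^{-D}\right)^{K} \approx e^{-K/2^{D}}
% Set it to 1/2:
e^{-K/2^{D}} = \tfrac{1}{2} \;\Rightarrow\; K \approx 2^{D}\ln 2 \approx 0.69 \cdot 2^{D}

% (2) Probability that all K digests are pairwise distinct:
\Pr[\text{all distinct}] = \prod_{i=1}^{K-1}\left(1 - \frac{i}{2^{D}}\right)
  \approx \exp\!\left(-\sum_{i=1}^{K-1}\frac{i}{2^{D}}\right)
  = \exp\!\left(-\frac{K(K-1)}{2^{D+1}}\right) \approx e^{-K^{2}/2^{D+1}}
% Set it to 1/2:
e^{-K^{2}/2^{D+1}} = \tfrac{1}{2} \;\Rightarrow\; K \approx \sqrt{2\ln 2}\cdot 2^{D/2} \approx 1.18 \cdot 2^{D/2}

% Check against slide 4 (2^D replaced by 365 days):
K \approx \sqrt{2 \ln 2 \cdot 365} \approx 22.5, \quad \text{i.e. about 23 people}
```

The second result is the 2^(D/2) rule of thumb that the digest-size slide applies to 32, 56 and 128 bits.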

Slide 7: Message digest size
- Must be considered against the birthday paradox!
- 32 bits (RAND): 50% collision after 2^16 msg ≈ 60,000 (very little!)
- 56 bits (DES): 50% collision after 2^28 msg ≈ 250M (still little!)
- 128 bits (MD5): 50% collision after 2^64 msg ≈ 1.8x10^19 (OK!)
- 160 bits (SHA-1)
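An added example (not from the deck) that checks the digest-size table empirically: a constructed toy hash (SHA-256 truncated to D bits) is fed distinct messages until two digests collide, and the median over many runs is compared with the 1.18 * 2^(D/2) bound. The analytic functions also reproduce the table's rows for real digest sizes.

```python
import hashlib
import math
import statistics


def truncated_digest(msg: bytes, d_bits: int) -> int:
    """Constructed toy hash: the first d_bits of SHA-256, so that
    collisions become reachable in a fraction of a second."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - d_bits)


def pairwise_bound(d_bits: int) -> float:
    """Messages for a 50% chance that *some* two collide: ~1.18 * 2^(D/2)."""
    return math.sqrt(2 * math.log(2)) * 2 ** (d_bits / 2)


def single_target_bound(d_bits: int) -> float:
    """Messages for a 50% chance that one matches *my* digest: ~0.69 * 2^D."""
    return math.log(2) * 2 ** d_bits


def messages_until_collision(d_bits: int, seed: int) -> int:
    """Hash distinct messages '<seed>:<n>' until a digest repeats.
    Returns how many messages were needed (the colliding one included)."""
    seen = {}
    n = 0
    while True:
        n += 1
        msg = f"{seed}:{n}".encode()
        y = truncated_digest(msg, d_bits)
        if y in seen:
            return n
        seen[y] = msg


def median_collision_count(d_bits: int, runs: int = 200) -> float:
    """Median over independent runs, to compare with pairwise_bound."""
    return statistics.median(messages_until_collision(d_bits, s) for s in range(runs))


if __name__ == "__main__":
    for d in (32, 56, 128, 160):
        print(f"{d:3d}-bit digest: ~{pairwise_bound(d):.3g} messages for a 50% collision")
    print("D=16 empirical median:", median_collision_count(16),
          "bound:", round(pairwise_bound(16)))
```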

Slide 8: The «best» hash function: Random Oracle
- «oracle» = black box
- Random oracle: given any distinct input x, H(x) = truly random value; but for the same x, the same output
- Fact: NO practical hash function can be a random oracle; the digest cannot be a «truly» random value

Slide 9: MD5 iterative construction
- Merkle-Damgard approach
- Diagram: message (any size, K bits) + padding "1000...0" + length (K mod 2^64) -> N x 512-bit chunks; a known Initialization Vector and the first chunk enter the compression function F (128-bit state), then F, F, ... F chained over the chunks -> Hash
- Compression function: if it is resistant, the iteration is also resistant

Slide 10: Message Integrity vs Encryption
- Integrity: prevent an attacker from tampering with the message
- Encryption may NOT guarantee integrity!
  - In many encryption schemes, the attacker may modify the encrypted message
  - One time pad (one-time key K): encrypted M -> C = M ⊕ K; C ⊕ M' = M ⊕ K ⊕ M' -> the encryption of M ⊕ M'!
  - RC4: same as above
  - Homomorphic encryption: modifiable by design! (including RSA)
- In general, don't trust encryption mechanisms for integrity, unless they are explicitly designed ALSO for it (authenticated encryption, e.g. AES-CCM or AES-GCM)
- Integrity may be the only requirement: why "also" encrypt (extra effort) if not needed by the scenario?!

Slide 11: Message authentication (diagram)
- Sender and Receiver share the key K
- Sender: generate tag from (message, K); send message m and tag
- Receiver: generate tag from (received message, K); verify: computed tag =? received tag

Slide 12: Requires secret key!
- Diagram: message m, CRC(m) -> tampered message m*, CRC(m*)
- CRC is meant to DETECT random errors, not to prevent attacks!
- The attacker can trivially recompute a «valid» CRC

Slide 13: Message Authentication Code ingredient 1: good hash
- Good message M -> HASH(M); bad message M'
- VERY HARD to find a message M' whose hash is the same as that of M (collision-resistant hash)

Slide 14: Message Authentication Code ingredient 2: secret in the hash
- Good message M -> HASH(Secret, M); bad message M'
- Since the secret is not known by the attacker, it is very hard to construct a valid message authentication code HASH(????, M')

Slide 15: Integrity check
- Weaker than a digital signature (why?)
- But fast, practical, and OK for a two-party session
- Issues: must use a good hash; must use a shared secret among the parties
- Diagram: "Pay 100 dollars" is sent with H(S,M); in transit it becomes "Pay 1000 dollars"; the receiver computes H(S, "Pay 1000 dollars") != H(S,M): message modified!

Slide 16: Security
- The attacker is given a number of past message/tag pairs (m1,t1), (m2,t2), (m3,t3), ...
- Even more powerful: «chosen message» attack
- Now the attacker sees message m and must NOT be able to forge tag t
- Even more powerful: must NOT be able to forge ANY valid pair (m,t) for any chosen new message
- Formally: the probability of forging a valid pair must be NEGLIGIBLE

Slide 17: Short tags?
- 1-byte tags: no way for the attacker to guess the tag from the message, beyond pure random choice
- Is this secure? NO! Probability of guessing = 1/256, not nearly negligible!!
- Note the crucial difference with encryption security definitions!

Slide 18: Message authentication using hash functions (diagram)
- Sender and Receiver share the key K
- Sender: hash function over (message, K) generates the tag; send message m and tag
- Receiver: hash function over (received message, K); verify: computed tag =? received tag

Slide 19: But the devil is in the details...
- Where to put the secret in the hash? H(S,M)? H(M,S)? Some other way?
- Do we care? What's the matter?
- The matter is: hash functions are not black boxes!

Slide 20: Hash constructions: iterative
- Merkle-Damgard construction; applies to MD5, SHA-1, etc.
- Example: MD5 case. Diagram: message (any size, K bits) + padding "1000...0" + length (K mod 2^64) -> N x 512-bit chunks; a known Initialization Vector (MD5: 128 bit, SHA-1: 160 bit) enters the compression function F (128-bit state), chained F, F, ... F over the chunks -> Hash
- Compression function (if it is resistant, the iteration is also resistant): the heart of the specific hash function used
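The padding and chaining of slides 9 and 20 in code, as an added example (not the deck's code): `md_pad` produces the exact "1000...0 + 64-bit length" block layout of MD5 (little-endian length) and SHA-1 (big-endian length), and `iterate` chains a compression function over the 512-bit chunks. Since hashlib does not expose MD5's real F, `toy_compress` is a constructed stand-in used only to show the chaining.

```python
import hashlib
import struct


def md_pad(msg: bytes, length_big_endian: bool) -> bytes:
    """Merkle-Damgard padding: append bit '1' (byte 0x80), then zeros up to
    56 mod 64 bytes, then the original length in bits as 64-bit integer
    (K mod 2^64). MD5 stores the length little-endian, SHA-1 big-endian."""
    bit_len = (len(msg) * 8) % (1 << 64)
    zeros = (56 - (len(msg) + 1)) % 64
    fmt = ">Q" if length_big_endian else "<Q"
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(fmt, bit_len)


def md5_pad(msg: bytes) -> bytes:
    return md_pad(msg, length_big_endian=False)


def sha1_pad(msg: bytes) -> bytes:
    return md_pad(msg, length_big_endian=True)


def chunks(padded: bytes, block_size: int = 64) -> list:
    """Split the padded message into the N x 512-bit chunks fed to F."""
    assert len(padded) % block_size == 0, "padding must fill whole blocks"
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


def iterate(compress, iv: bytes, padded: bytes) -> bytes:
    """The chaining of the diagram: state = F(state, chunk) for every chunk;
    the final state is the hash."""
    state = iv
    for block in chunks(padded):
        state = compress(state, block)
    return state


def toy_compress(state: bytes, block: bytes) -> bytes:
    """Constructed stand-in for MD5's compression function F (128-bit state)."""
    return hashlib.sha256(state + block).digest()[:16]


def toy_md_hash(msg: bytes) -> bytes:
    """Assumption: a fixed, known 128-bit IV like MD5's (value is constructed)."""
    iv = bytes(range(16))
    return iterate(toy_compress, iv, md5_pad(msg))
```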

Slide 21: Secret Suffix: H(M,S)? (diagram)
- Message (any size, K bits) + padding "1000...0" + length -> N x 512-bit chunks through F, F, ... F (128-bit state); the Secret enters only in the final block(s) before the Hash
- Hash state precomputation, once!! (the state after the message part does not depend on the secret)
- Dictionary attack on the secret from that state

Slide 22: Secret Prefix: H(S,M)?
- Expansion attack: message extension does not require knowledge of the secret
- The secret is already "used" in the (now known) hash state
- May not be practical (yet), because of MD-strengthening
- But a significant construction shortcoming!!!
- Diagram: Secret | Message | PAD -> N x 512-bit chunks through F, F, ... F (128-bit state) -> Hash; the extension continues from the hash state

Slide 23: Expansion attack!
- Trivial to "extend" the message!
- Especially critical if the secret is at the beginning
- Example: start from MD5(k | x), k unknown secret
- Append y: to compute MD5(k | x | y), use the iterative Merkle construction! No need to know k!!!
- Length (Damgard) strengthening: helps but does not solve the problem
- A strong reason to use different constructs (HMAC)
- http://csrc.nist.gov/pki/HashWorkshop/2005/Nov1_Presentations/Puniya_hashDesign.pdf

Slide 24: Why HMAC?
- How to insert a secret in the hash is a fundamental issue!
- Secret prefix, H(S | M): expansion attacks?
- Secret suffix, H(M | S): hash state precomputation?
- Envelope, H(S1 | M | S2): two secrets needed
  - Proven that if the secret is divided in two, robustness is weakened!!
- 1996: problem solved, with HMAC! Best possible construction

Slide 25: HMAC (RFC 2104, February 2007)
HMAC_K(M) = H((K+ XOR opad) || H((K+ XOR ipad) || M))
- K+ = shared key padded to the hash basic block size (when H = MD5, padding to 512 bits)
- opad = 0x36 = 00110110, repeated as needed
- ipad = 0x5C = 01011100, repeated as needed

Slide 26: HMAC diagram (source: V. Shmatikov). Annotations on the diagram:
- Embedded hash function: the strength of HMAC relies on the strength of this hash function
- "Black box": this HMAC construction can be used with any hash function (why is this important?)
- Block size of the embedded hash function; the secret key is padded to the block size
- A magic value (flips half of the key bits) and another magic value (flips different key bits)
- Overall structure: hash(key, hash(key, message))
- "Amplify" key material (get two keys out of one); a very common problem: given a small secret, how to derive a lot of new keys?
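Slides 15, 25 and 26 spelled out in code, as an added example that is not the deck's: HMAC built from its definition, with the tag generation and verification of slide 15. It follows RFC 2104, in which the inner pad byte is 0x36 and the outer pad byte is 0x5C, keys longer than a block are hashed first, and the result is checked against Python's hmac module; the key and messages are constructed samples.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = H((K+ XOR opad) || H((K+ XOR ipad) || M)) per RFC 2104.
    ipad = 0x36 (inner), opad = 0x5C (outer); K+ = key padded with zeros to the
    block size (64 bytes for MD5 and SHA-1). A key longer than one block is
    first reduced with H."""
    def h(data: bytes):
        return hashlib.new(hash_name, data)

    block_size = h(b"").block_size
    if len(key) > block_size:
        key = h(key).digest()
    k_plus = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in k_plus)   # "flips half of the key bits"
    opad_key = bytes(b ^ 0x5C for b in k_plus)   # "flips different key bits"
    inner = h(ipad_key + msg).digest()           # hash(key, message)
    return h(opad_key + inner).digest()          # hash(key, hash(key, message))


def make_tag(key: bytes, msg: bytes) -> bytes:
    """Sender side of slide 15: tag = HMAC(S, M)."""
    return hmac_from_definition(key, msg)


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute and compare in constant time, so that the
    comparison itself does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against the standard library's HMAC."""
    return hmac_from_definition(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    key = b"shared-secret-S"   # constructed sample key
    tag = make_tag(key, b"Pay 100 dollars")
    print(verify_tag(key, b"Pay 100 dollars", tag))    # True
    print(verify_tag(key, b"Pay 1000 dollars", tag))   # False: message modified!
```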

Slide 27: HMAC security
- Quantitatively proven robustness: as secure as its underlying hash is (see Bellare, Canetti, Krawczyk, "Keying Hash Functions for Message Authentication", 1996)
- Actually more secure (surprise!): Bellare 2006: collision resistance NOT necessary; pseudorandomness is the only requirement
- You can use HMAC with MD5 or SHA-1 even if there are algorithms to compute collisions
- Practical and flexible (you may change the underlying hash to a more robust one)
- Efficient computation

Slide 28: Collisions without HMAC
- Collision in the hash = collision in the MAC
- H(M,S) construction: obvious; find a collision on the first part of the message, then expand
- H(S,M) construction: less obvious, but the same problem
  - Start from H(S,x) -> IV
  - Find a collision H*(IV,X1) = H*(IV,X2)
  - Mi = x | pad(x) | Xi | pad(Xi)
  - Hence H(S,M1) = H(S,M2)

