Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.

Published byValentine Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena."— Presentation transcript:

1 Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena

2 Course Admin HW1 graded and distributed – Any questions regarding the grades, please contact the TA – If you haven’t picked up your graded submissions, please do so 1/26/2016 Lecture 4.1: Hash Functions, and MACs 2

3 Course Administration Expect HW2 coming out tomorrow – Covers mostly Public Key Cryptography – Due Mar 6 Official make-up – April 12 (Saturday) No class next Thursday – I am at the NDSS conference in San Diego Mid-term Mar 13 Mar 6 lecture: review (partly) 1/26/2016 Lecture 4.1: Hash Functions, and MACs 3

4 Course Administration Mid-Term Exam – On March 13 (Thursday) – In class, from 5pm-7pm Covers lectures up to lectures 4.* (Mar 6)) In-class review on Mar 06 (Thursday) Strictly closed-book (no cheat-sheets are allowed) A sample exam will be provided as we near the exam date 1/26/2016 4 Lecture 4.1: Hash Functions, and MACs

5 Outline of Today’s lecture Hash Functions – Properties – Birthday Paradox – Generic Design Message Authentication Codes – Based on block cipher designs – Based on hash functions 1/26/2016 Lecture 4.1: Hash Functions, and MACs 5

6 Cryptographic Hash Functions Requirements of cryptographic hash functions: – Can be applied to data of any length. – Output is fixed length, usually very short – Relatively easy to compute h(x), given x – Function is deterministic – Infeasible to get x, given h(x). One-wayness property – Given x, infeasible to find y such that h(x) = h(y). Weak-collision resistance property – Infeasible to find any pair x and y (x ≠ y) such that h(x) = h(y). Strong-collision resistance property or just collision resistance 1/26/2016 Lecture 4.1: Hash Functions, and MACs 6

7 Some Applications of Hash Functions In general, can be used as a checksum for large amounts of data Password hashing Digital signatures Message authentication codes (will study later) Used also in RSA-OAEP, and many other cryptographic constructions 1/26/2016 Lecture 4.1: Hash Functions, and MACs 7

8 Hash Output Length How long should be the output (n bits) of a cryptographic hash function? To find collision - randomly select messages and check if hash matches any that we know. Throwing k balls in N = 2 n bins. How large should k be, before probability of landing two balls in the same becomes greater than ½? Birthday paradox - a collision can be found in roughly sqrt(N) = 2 (n/2) trials for an n bit hash – In a group of 23 (~ sqrt(365)) people, at least two of them will have the same birthday (with a probability > ½) Hence n should be at least 160 1/26/2016 Lecture 4.1: Hash Functions, and MACs 8

9 Birthday Paradox Probability that hash values of k random messages are distinct is (that is, no collisions) is: 1/26/2016 Lecture 4.1: Hash Functions, and MACs 9

10 Generic Hash Function – Merkle- Damgard Construction This design for H() is collision-resistant given that h() is collision resistant Intuitively, this is because there is a avalanche effect – even if the inputs differ in just 1 bit, the outputs will be completely different IV is a known public constant 10 1/26/2016 Lecture 4.1: Hash Functions, and MACs

11 An Illustrative Example from Wikipedia 1/26/2016 Lecture 4.1: Hash Functions, and MACs 11

12 Practical Examples SHA-1 – Output 160 bits – B’day attack requires 2 80 calls – Faster attacks 2 69 calls http://infosec.sdu6.edu.cn/uploadfile/papers/Finding%20Collisions%20in %20the%20Full%20SHA-1.pdf MD5 – Output is 128 bits, so B’day attack requires 2 64 calls only – Faster attacks to find a collision: http://eprint.iacr.org/2004/199.pdf Better use stronger versions, such as SHA-256 Although, these attacks are still not practical – they only find two random messages that collide 12 1/26/2016 Lecture 4.1: Hash Functions, and MACs

13 Further Reading Stallings Chapter 11 HAC Chapter 9 1/26/2016 Lecture 4.1: Hash Functions, and MACs 13

14 Message Authentication Codes Provide integrity as well as authentication Send (m, MAC); MAC is created on m using the key shared between two parties Has to be deterministic to enable verification – Unlike encryption schemes We want MAC to be as small and as secure as possible Can not provide non-repudiation – Why not? 14 1/26/2016 Lecture 4.1: Hash Functions, and MACs

15 MAC – Functions KeyGen – outputs a key MAC – creates a checksum on m using key K Verify – validates whether the checksum on m is computed correctly – Just create MAC and compare 1/26/2016 Lecture 4.1: Hash Functions, and MACs 15

16 Security Notion for MAC Very similar to the security notion for a digital signature scheme Existential forgery under (adaptively) chosen message attack 16 1/26/2016 Lecture 4.1: Hash Functions, and MACs

17 Can encryption be used as a MAC? No, not in general Intuitively because encryption achieves properties different from MAC See a counter-example: – One-time pad as a MAC – bad idea! However, you can use 3-DES or AES as a building block for MAC 1/26/2016 Lecture 4.1: Hash Functions, and MACs 17

18 MAC Based on Block Cipher in the CBC mode – CBC-MAC 18 1/26/2016 Lecture 4.1: Hash Functions, and MACs

19 CBC-MAC Note that this is deterministic – IV = [0] – Unlike CBC encryption Only the last block of the output is used as a MAC This is secure under CMA attack – For pre-decided fixed-length messages – Intuitively because of the presence of an avalanche effect 1/26/2016 Lecture 4.1: Hash Functions, and MACs 19

20 HMAC: MAC using Hash Functions Developed as part of IPSEC - RFC 2104. Also used in SSL etc. Key based hash but almost as fast as non-key based hash functions. Avoids export restrictions unlike DES based MAC. Provable security Can be used with different hash functions like SHA-1,MD5, etc. 20 1/26/2016 Lecture 4.1: Hash Functions, and MACs

21 HMAC Block size b bits. K + - K padded with bits on the left to make b bits. ipad – 0110110 (ox36) repeated b/8 times. opad – 1011100 (0x5c) repeated b/8 times. Essentially HHMAC K = H[(K + xor opad) || H[(K + xor ipad) || M]] 21 1/26/2016 Lecture 4.1: Hash Functions, and MACs

22 Security of HMAC Security related to the collision resistance of the underlying hash function http://www.cse.ucsd.edu/~mihir/papers/hma c.html 22 1/26/2016 Lecture 4.1: Hash Functions, and MACs

23 HMAC – An Efficient Implementation 23 1/26/2016 Lecture 4.1: Hash Functions, and MACs

24 Further Reading Stallings Chapter 12 (MAC) HAC Chapter 9 (MAC) 24 1/26/2016 Lecture 4.1: Hash Functions, and MACs

Download ppt "Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena."

Similar presentations

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Lecture 4: Cryptography III; Email Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.

Lecture 4: Cryptography III; Security CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 13 Message Signing

Lecture 13 Message Signing
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.

Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.

Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google