Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic Hash Functions Cryptographic Hash Functions 1. Applications of Cryptographic Hash Functions 2. Secure Hash Algorithm 3. Message Authentication.

Published byBernice Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptographic Hash Functions Cryptographic Hash Functions 1. Applications of Cryptographic Hash Functions 2. Secure Hash Algorithm 3. Message Authentication."— Presentation transcript:

1 Cryptographic Hash Functions Cryptographic Hash Functions 1. Applications of Cryptographic Hash Functions 2. Secure Hash Algorithm 3. Message Authentication Codes: Message Authentication Requirements and Functions, HMAC, 4. Digital signatures, Digital Signature Schemes, Authentication Protocols, Digital Signature Standards.

2 Hash Functions condenses arbitrary message to fixed size h = H(M) usually assume hash function is public hash used to detect changes to message want a cryptographic hash function ◦ computationally infeasible to find data mapping to specific hash (one-way property) ◦ computationally infeasible to find two data to same hash (collision-free property)

3 Cryptographic Hash Function

4 Hash Functions & Message Authent- ication

5 Hash Functions & Digital Signatures

6 Other Hash Function Uses to create a one-way password file ◦ store hash of password not actual password for intrusion detection and virus detection ◦ keep & check hash of files on system pseudorandom function (PRF) or pseudorandom number generator (PRNG)

7 Two Simple Insecure Hash Functions consider two simple insecure hash functions bit-by-bit exclusive-OR (XOR) of every block ◦ C i = b i1 xor b i2 xor... xor b im ◦ a longitudinal redundancy check ◦ reasonably effective as data integrity check one-bit circular shift on hash value ◦ for each successive n-bit block  rotate current hash value to left by1bit and XOR block ◦ good for data integrity but useless for security

8 Hash Function Requirements

9 Attacks on Hash Functions have brute-force attacks and cryptanalysis a preimage or second preimage attack ◦ find y s.t. H(y) equals a given hash value collision resistance ◦ find two messages x & y with same hash so H(x) = H(y) hence value 2 m/2 determines strength of hash code against brute-force attacks ◦ 128-bits inadequate, 160-bits suspect

10 Birthday Attacks might think a 64-bit hash is secure but by Birthday Paradox is not birthday attack works thus: ◦ given user prepared to sign a valid message x ◦ opponent generates 2 m / 2 variations x’ of x, all with essentially the same meaning, and saves them ◦ opponent generates 2 m / 2 variations y’ of a desired fraudulent message y ◦ two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) ◦ have user sign the valid message, then substitute the forgery which will have a valid signature conclusion is that need to use larger MAC/hash

11 Hash Function Cryptanalysis cryptanalytic attacks exploit some property of alg so faster than exhaustive search hash functions use iterative structure ◦ process message in blocks (incl length) attacks focus on collisions in function f

12 Block Ciphers as Hash Functions can use block ciphers as hash functions ◦ using H 0 =0 and zero-pad of final block ◦ compute: H i = E M i [H i-1 ] ◦ and use final block as the hash value ◦ similar to CBC but without a key resulting hash is too small (64-bit) ◦ both due to direct birthday attack ◦ and to “meet-in-the-middle” attack other variants also susceptible to attack

13 Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme ◦ standard is FIPS 180-1 1995, also Internet RFC3174 ◦ nb. the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

14 Revised Secure Hash Standard NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA ◦ SHA-256, SHA-384, SHA-512 designed for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher

15 SHA Versions

16 SHA-512 Overview

17 SHA-512 Compression Function heart of the algorithm processing message in 1024-bit blocks consists of 80 rounds ◦ updating a 512-bit buffer ◦ using a 64-bit value Wt derived from the current message block ◦ and a round constant based on cube root of first 80 prime numbers

18 SHA-512 Round Function

19

20 SHA-3 SHA-1 not yet "broken” ◦ but similar to broken MD5 & SHA-0 ◦ so considered insecure SHA-2 (esp. SHA-512) seems secure ◦ shares same structure and mathematical operations as predecessors so have concern NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function ◦ goal to have in place by 2012 but not fixed

21 Message Authentication Code (MAC) generated by an algorithm that creates a small fixed-sized block ◦ depending on both message and some key ◦ like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender

22 Message Authentication Code

23 23 Basic Uses of MAC Authentication Functions

24 Message Authentication Codes as shown the MAC provides confidentiality can also use encryption for secrecy ◦ generally use separate keys for each ◦ can compute MAC either before or after encryption ◦ is generally regarded as better done before why use a MAC? ◦ sometimes only authentication is needed ◦ sometimes need authentication to persist longer than the encryption (eg. archival use) note that a MAC is not a digital signature

25 MAC Properties a MAC is a cryptographic checksum MAC = C K (M) ◦ condenses a variable-length message M ◦ using a secret key K ◦ to a fixed-sized authenticator is a many-to-one function ◦ potentially many messages have same MAC ◦ but finding these needs to be very difficult

26 Requirements for MACs taking into account the types of attacks need the MAC to satisfy the following: 1.knowing a message and MAC, is infeasible to find another message with same MAC 2.MACs should be uniformly distributed 3.MAC should depend equally on all bits of the message

27 Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC ◦ using IV=0 and zero-pad of final block ◦ encrypt message using DES in CBC mode ◦ and send just the final block as the MAC  or the leftmost M bits (16≤M≤64) of final block but final MAC is now too small for security

28 HMAC Design Objectives  use, without modifications, hash functions  allow for easy replaceability of embedded hash function  preserve original performance of hash function without significant degradation  use and handle keys in a simple way.  have well understood cryptographic analysis of authentication mechanism strength

29 HMAC specified as Internet standard RFC2104 uses hash function on the message: HMAC K (M)= Hash[(K + XOR opad) || Hash[(K + XOR ipad) || M)] ] ◦ where K + is the key padded out to size ◦ opad, ipad are specified padding constants overhead is just 3 more hash calculations than the message needs alone any hash function can be used ◦ eg. MD5, SHA-1, RIPEMD-160, Whirlpool

30 HMAC Overview

31 HMAC Security proved security of HMAC relates to that of the underlying hash algorithm attacking HMAC requires either: ◦ brute force attack on key used ◦ birthday attack (but since keyed would need to observe a very large number of messages) choose hash function used based on speed verses security constraints

32 Hash Functions condenses arbitrary message to fixed size usually assume that the hash function is public and not keyed ◦ cf. MAC which is keyed hash used to detect changes to message can use in various ways with message most often to create a digital signature

33 Hash Functions & Digital Signatures

34 Digital Signatures have looked at message authentication ◦ but does not address issues of lack of trust digital signatures provide the ability to: ◦ verify author, date & time of signature ◦ authenticate message contents ◦ be verified by third parties to resolve disputes hence include authentication function with additional capabilities

35 Digital Signature Model

36

37 Attacks and Forgeries attacks ◦ key-only attack ◦ known message attack ◦ generic chosen message attack ◦ directed chosen message attack ◦ adaptive chosen message attack break success levels ◦ total break ◦ selective forgery ◦ existential forgery

38 Digital Signature Requirements  must depend on the message signed  must use information unique to sender to prevent both forgery and denial  must be relatively easy to produce  must be relatively easy to recognize & verify  be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message  be practical save digital signature in storage

39 Direct Digital Signatures involve only sender & receiver assumed receiver has sender’s public-key digital signature made by sender signing entire message or hash with private-key can encrypt using receivers public-key important that sign first then encrypt message & signature security depends on sender’s private-key

40 ElGamal Digital Signatures signature variant of ElGamal, related to D-H ◦ so uses exponentiation in a finite (Galois) ◦ with security based difficulty of computing discrete logarithms, as in D-H use private key for encryption (signing) uses public key for decryption (verification) each user (eg. A) generates their key ◦ chooses a secret key (number): 1 < x A < q-1 ◦ compute their public key: y A = a x A mod q

41 ElGamal Digital Signature ElGamal Digital Signature Alice signs a message M to Bob by computing ◦ the hash m = H(M), 0 <= m <= (q-1) ◦ chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1 ◦ compute temporary key: S 1 = a k mod q ◦ compute K -1 the inverse of K mod (q-1) ◦ compute the value: S 2 = K -1 (m-x A S 1 ) mod (q-1) ◦ signature is: (S 1,S 2 ) any user B can verify the signature by computing ◦ V 1 = a m mod q ◦ V 2 = y A S 1 S 1 S 2 mod q ◦ signature is valid if V 1 = V 2

42 ElGamal Signature Example use field GF(19) q=19 and a=10 Alice computes her key: ◦ A chooses x A =16 & computes y A =10 16 mod 19 = 4 Alice signs message with hash m=14 as (3,4) : ◦ choosing random K=5 which has gcd(18,5)=1 ◦ computing S 1 = 10 5 mod 19 = 3 ◦ finding K -1 mod (q-1) = 5 -1 mod 18 = 11 ◦ computing S 2 = 11(14-16.3) mod 18 = 4 any user B can verify the signature by computing ◦ V 1 = 10 14 mod 19 = 16 ◦ V 2 = 4 3.3 4 = 5184 = 16 mod 19 ◦ since 16 = 16 signature is valid

43 Schnorr Digital Signatures also uses exponentiation in a finite (Galois) ◦ security based on discrete logarithms, as in D-H minimizes message dependent computation ◦ multiplying a 2n-bit integer with an n-bit integer main work can be done in idle time have using a prime modulus p ◦ p–1 has a prime factor q of appropriate size ◦ typically p 1024-bit and q 160-bit numbers

44 Schnorr Key Setup choose suitable primes p, q choose a such that a q = 1 mod p (a,p,q) are global parameters for all each user (eg. A) generates a key ◦ chooses a secret key (number): 0 < s A < q ◦ compute their public key: v A = a -s A mod q

45 Schnorr Signature Schnorr Signature user signs message by ◦ choosing random r with 0<r<q and computing x = a r mod p ◦ concatenate message with x and hash result to computing: e = H(M || x) ◦ computing: y = (r + se) mod q ◦ signature is pair (e, y) any other user can verify the signature as follows: ◦ computing: x' = a y v e mod p ◦ verifying that: e = H(M || x’)

46 Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993, 1996 & then 2000 uses the SHA hash algorithm DSS is the standard, DSA is the algorithm FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants DSA is digital signature only unlike RSA is a public-key technique

47 DSS vs RSA Signatures

48 Digital Signature Algorithm (DSA)  creates a 320 bit signature  with 512-1024 bit security  smaller and faster than RSA  a digital signature scheme only  security depends on difficulty of computing discrete logarithms  variant of ElGamal & Schnorr schemes

49 DSA Key Generation have shared global public key values (p,q,g): ◦ choose 160-bit prime number q ◦ choose a large prime p with 2 L-1 < p < 2 L  where L= 512 to 1024 bits and is a multiple of 64  such that q is a 160 bit prime divisor of (p-1) ◦ choose g = h (p-1)/q  where 1 1 users choose private & compute public key: ◦ choose random private key: x<q ◦ compute public key: y = g x mod p

50 DSA Signature Creation  to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused  then computes signature pair: r = (g k mod p)mod q s = [k -1 (H(M)+ xr)] mod q  sends signature (r,s) with message M

51 DSA Signature Verification having received M & signature (r,s) to verify a signature, recipient computes: w = s -1 mod q u1= [H(M)w ]mod q u2= (rw)mod q v = [(g u1 y u2 )mod p ]mod q if v=r then signature is verified see Appendix A for details of proof why

52 DSS Overview

Download ppt "Cryptographic Hash Functions Cryptographic Hash Functions 1. Applications of Cryptographic Hash Functions 2. Secure Hash Algorithm 3. Message Authentication."

Similar presentations

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google