Cryptography-Hash-Functions.pptx

Topics
▶ Overview of Cryptography Hash Function
▶ Usages
▶ Properties
▶ Hashing Function Structure
▶ Attack on Hash Function
▶ The Road to new Secure Hash Standard

3
Hash Function
▶ The hash value represents
concisely the longer message
▶ may called the message digest
▶ A message digest is as a
``digital fingerprint'' of the
original document
condenses arbitrary message to fixed size
h = H(M)

Chewing functions
▶ Hashing function as “chewing” or “digest” function

Hashing V.S. Encryption
▶ Hashing is one-way. There is no 'de-hashing’
52f21cf7c7034a20
17a21e17e061a863
This is a clear text that
can easily read without
using the key. The
sentence is longer than
the text above.
Hello, world.
A sample sentence to
show encryption.
E
NhbXBsZSBzZW50ZW5jZS
B0byBzaG93IEVuY3J5cHR
pb24KsZSBzZ
Hello, world.
A sample sentence to
show encryption.
D
NhbXBsZSBzZW50ZW5jZS
B0byBzaG93IEVuY3J5cHR
pb24KsZSBzZ
k
k
▶ Encryption is two way, and requires a key to encrypt/decrypt

Motivation for Hash Algorithms
▶ Intuition
▶ Re-examine the non-cryptographic checksum
▶ Main Limitation
▶ An attack is able to construct a message that matches the checksum
▶ Goal
▶ Design a code where the original message can not be inferred
based on its checksum
▶ such that an accidental or intentional change to the message
will change the hash value

Hash Function Applications
▶ Used Alone
▶ Fingerprint -- file integrity verification, public key fingerprint
▶ Password storage (one-way encryption)
▶ Combined with encryption functions
▶ Message Authentication Code (MAC)
▶ protects both a message's integrity as well as its authenticity
▶ Digital signature
▶ Ensuring Non-repudiation
▶ Encrypt hash with private (signing) key and verify with public
(verification) key
▶

Integrity
▶ to create a one-way password file
▶ store hash of password not actual password
▶ for intrusion detection and virus detection
▶ keep & check hash of files on system

Password Verification
h
661dce0da2bcb2d8
2884e0162acf8194
Password
store
h
661dce0da2bcb2d8
2884e0162acf8194
661dce0da2bcb2d8
2884e0162acf8194
Grant Deny
Hash Matching
Exactly?
Yes No
Store Hashing Password Verification an input password against the stored hash
Iam#4VKU Iam#4VKU
Password
store

Authentication
▶ protects both a message's integrity as well as its authenticity ,
by allowing verifiers (who also possess the secret key) to
detect any changes to the message content

Hash Function Usages (I)
Message encrypted : Confidentiality and authentication
Message unencrypted: Authentication

Hash Function Usages (II)
Message encrypted : Authentication (no encryption needed!)
Message unencrypted: Authentication, confidentiality

Hash Function Usages (III)
Authentication, digital signature
Authentication, digital signature, confidentiality

Hash Function Properties
▶ Arbitrary-length message to fixed-length digest
▶ Preimage resistant (One-way property)
▶ Second preimage resistant (Weak collision resistant)
▶ Collision resistant (Strong collision resistance)

Properties : Fixed length
▶ Arbitrary-length message to fixed-length digest
52f21cf7c7034a20
17a21e17e061a863
Fixed length Digest : L
Hello, world
This is a clear text that
can easily read without
using the key. The
sentence is longer than
the text above.
661dce0da2bcb2d8
2884e0162acf8194

Preimage resistant
▶ This measures how difficult to devise a message which hashes to the
known digest
Roughly speaking, the hash function must be one-way.
▶
Given only a message digest, can’t find any message
(or preimage) that generates that digest.

Exam Questions
▶ Can we use a conventional lossless compression method
such as zip as a cryptographic hash function?
Answer : No, a lossless compression method creates a
compressed message that is reversible.
▶ Can we use a checksum function as a cryptographic hash
function?
Answer : No, a checksum function
resistant, Eve may find several
is not preimage
messages whose
checksum matches the given one.

Second preimage resistant
▶ Given one message, can’t find another message that has the same message digest. An attack that
finds a second message with the same message digest is a second pre-image attack.
▶ It would be easy to forge new digital signatures from old signatures if the hash function used
weren’t second preimage resistant
▶ This measures how difficult to devise a message which hashes to the
known digest and its message

Collision Resistant
▶ Can’t find any two different messages with the same message digest
▶
▶
Collision resistance implies second preimage resistance
Collisions, if we could find them, would give signatories a way to repudiate their signatures

Merkle-Damgard Scheme
▶
▶
Well-known method to build cryptographic has function
A message of arbitrary length is broken into blocks
▶
▶
▶
length depends on the compression function f
padding the size of the message into a multiple of the block size.
sequentially process blocks , taking as input the result of the hash so far and the current
message block, with the final fixed length output

Two Group of Compression Functions
▶ The compression function is made from scratch
▶ Message Digest
▶ A symmetric-key block cipher serves as a compression
function
▶ Whirlpool

Hash Functions Family
▶ MD (Message Digest)
▶
▶
Designed by Ron Rivest
Family: MD2, MD4, MD5
▶ SHA (Secure Hash Algorithm)
▶
▶
Designed by NIST
Family: SHA-0, SHA-1, and SHA-2
▶
▶
SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
SHA-3: New standard in competition
▶ RIPEMD (Race Integrity Primitive Evaluation Message
Digest)
▶
▶
Developed by Katholieke University Leuven Team
Family : RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320,

MD2, MD4 and MD5
▶ Family of one-way hash functions by Ronald Rivest
▶ All produces 128 bits hash value
▶ MD2: 1989
▶
▶
Optimized for 8 bit computer
Collision found in 1995
▶ MD4: 1990
▶ Full round collision attack found in 1995
▶ MD5: 1992
▶
▶
▶
▶
Specified as Internet standard in RFC 1321
since 1997 it was theoretically not so hard to create a collision
Practical Collision MD5 has been broken since 2004
CA attack published in 2007

Topics
▶ Overview of Cryptography Hash Function
▶ Usages
▶ Properties
▶ Hashing Function Structure
▶ MD5
▶ SHA
▶ Attack on Hash Function
▶ The Road to new Secure Hash Standard

MD5 Overview
1. Append padding
bits
(to 448 mod 512)
2. Append
length
(64bits)
3. Initialize MD buffer
Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10

Hash Algorithm Design – MD5
16 steps
Constructed from sine function
X[k] = M [q*16+k] (32 bit)

The ith 32-bit word in matrix T, constructed from the sine function
M [q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg
Single step

Secure Hash Algorithm
➢ SHA originally designed by NIST & NSA in 1993
➢ was revised in 1995 as SHA-1
➢ US standard for use with DSA signature scheme
● standard is FIPS 180-1 1995, also Internet RFC3174
➢ based on design of MD4 with key differences
➢ produces 160-bit hash values
➢ recent 2005 results on security of SHA-1 have raised concerns
on its use in future applications

Revised SHA
➢NIST issued revision FIPS 180-2 in 2002
➢adds 3 additional versions of SHA
● SHA-256, SHA-384, SHA-512
➢designed for compatibility with increased security
provided by the AES cipher
➢structure & detail is similar to SHA-1
➢hence analysis should be similar
➢but security levels are rather higher

Sample Processing
▶ Mac Intel 2.66 Ghz core i7
▶ 1024 bytes block of data
Type bits data processed
md5 128 469.7MB/s
sha1 160 339.4MB/s
sha512 512 177.7MB/s

Padding and length field in SHA-512
▶ What is the number of padding bits if the length of the original message
is 2590 bits?
We can calculate the number of padding bits as follows:
▶
▶ The padding consists of one 1 followed by 353 0’s.

Hash Function Cryptanalysis
➢cryptanalytic attacks exploit some property of alg so
faster than exhaustive search
➢hash functions use iterative structure
● process message in blocks (incl length)
➢attacks focus on collisions in function f

Attacks on Hash Functions
➢have brute-force attacks and cryptanalysis
➢a preimage or second preimage attack
● find y s.t. H(y) equals a given hash value
➢collision resistance
● find two messages x & y with same hash so H(x) = H(y)

Birthday Attack
▶ How many people do you need so that the probability of
having two of them share the same birthday is > 50% ?
▶ N distinct values, k randomly chosen ones
▶ P(N,i) = prob(i randomly selected values from 1..N have at least one
match)
P(N,2) = 1/N
P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)
▶
▶
▶ For P(N,k)>0.5, need k ≈ N1/2
➢ For m bits hash code, hence value 2m/2determines strength of
hash code against brute-force attacks
● 128-bits inadequate, 160-bits suspect

The need of new Hash standard
➢MD5 and SHA-0 already broken
➢SHA-1 not yet fully “broken”
● but similar to broken MD5 & SHA-0
● so considered insecure and be fade out
➢SHA-2 (esp. SHA-512) seems secure
● shares same structure and mathematical operations as
predecessors so have concern
➢NIST announced in 2007 a competition for the SHA-3 next
gen hash function
● goal to have in place by 2012

SHA-3 Requirements
▶ replace SHA-2 with SHA-3 in any use
▶ so use same hash sizes
▶ preserve the nature of SHA-2
▶ so must process small blocks (512 / 1024 bits)
▶ evaluation criteria
▶ security close to theoretical max for hash sizes
▶ cost in time & memory
▶ characteristics: such as flexibility & simplicity

Timeline Competition
▶ Nov 2007: Announce public competition
▶ Oct 2008:
▶ Dec 2008:
▶ Jul 2009:
▶ Dec 2010:
▶ Jan 2011:
64 Entries
51 Entries as 1stRound
14 Entries as 2ndRound
4 Entries as 3rdRound
Final packages submission and then one year
public comment
▶ 2012: SHA-3 Winner Announcement

Five SHA-3 Finalists
▶ BLAKE
▶ Grøstl
▶ JH
▶ Keccak
▶ Skien
http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html

Summary
▶ Hash functions are keyless
▶ Applications for digital signatures and in message authentication codes
▶ The three security requirements for hash functions are
▶ one-wayness, second preimage resistance and collision resistance
▶
▶
MD5 is insecure
Serious security weaknesses have been found in SHA-1
▶
▶
▶
▶
should be phased out
SHA-2 appears to be secure
But slow..
Use SHA-512 and use the first 256 bytes
▶ The ongoing SHA-3 competition will result in new standardized hash
functions in a next year

Cryptography-Hash-Functions.pptx

More Related Content

What's hot

Similar to Cryptography-Hash-Functions.pptx

Recently uploaded

In this document

Cryptography-Hash-Functions.pptx