1 / 21

Hash Functions

Hash Functions. Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction. Cryptographic hash functions Input – any length Output – fixed length H(x) – easy H(x) – one way “hard to invert” H(x) collision free. Purposes for hash functions. Data Integrity Ex: Tripwire Message digest

havily
Télécharger la présentation

Hash Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash Functions Nathanael Paul Oct. 9, 2002

  2. Hash Functions: Introduction • Cryptographic hash functions • Input – any length • Output – fixed length • H(x) – easy • H(x) – one way • “hard to invert” • H(x) collision free

  3. Purposes for hash functions • Data Integrity • Ex: Tripwire • Message digest • y = h(x). y is called the message digest. • 160 bits in size – “birthday attack” • Message Source • Digital Signatures • Message Authentication Codes (MAC)

  4. Digital Signatures and Message Authentication Code (MAC) overview • Suppose Alice and Bob share a secret key k which determines hash function hk • Alice sends (x, y) to Bob where y = hk(x) • Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.

  5. Hash Family • (X,Y,K,H) • For each k in K, there exists an h in H, such that hk(x)  y • Assume |X| >= |Y| (even better, 2|X| >= |Y|) • Unkeyed hash function • |K| = 1 • Ex. SHA-1 (successor of MD4)

  6. Conditions of a secure hash function • Preimage • Find x such that h(x) = y, given y and the function f(). • one-way • Second Preimage • Find x’ != x, such that h(x) = h(x’), given x and the function h(). • weak collision resistance • Collision • Find h(x) = h(x’) such that x != x’, given function h() • strong collision resistance

  7. Iterated hash function overview • compression function • Given input of length m, produce output of length n • inputs to compression function: • message block, mi • output of previous blocks of text • hi = f(mi, hi-1) • MD-strengthening (Merkle-Damgard) • pre-image contains length of entire message • initialization vector (padding function)

  8. Modes of operation • Modes of operation • ECB, CBC, CFB, OFB • different characteristics: • error propagation • efficiency • increase in data size • NIST document on modes of operation • http://csrc.nist.gov/encryption/tkmodes.html • Next slide shows CBC mode of operation...

  9. Message Authentication Codes • Oscar’s (adversary) goal: • produce a pair (x,y) that is valid, but the key k is not known • Oscar knows • valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)} • forgery • Oscar outputs an (x,y) where x is not in Pairs

  10. Review of types of attacks • Ciphertext-only • Oscar possesses a string of ciphertext, y • Known plaintext • has ciphertext, y, corresponding to a message, x • Chosen plaintext • access to encryption. choose x, get y • Chosen ciphertext • choose y, get x

  11. Ways of creating a MAC • Base MAC on block cipher • block cipher already implemented, so part of implementation is done • MAC from an unkeyed hash • just add a key to output of unkeyed hash • requires careful analysis • Create a customized MAC

  12. CBC MAC • use block cipher in CBC mode with fixed IV • best general attack is birthday attack

  13. Nested MACs • Nested MAC • composition of 2 keyed hash families • G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x)) • Secure if the following holds (given unknown key): • G is collision-resistant • H is secure as a MAC

  14. Types of attacks on nested MACs • forger for nested MAC • forger for the little MAC • attack on component MAC H • unknown-key collision attack

  15. Attack 1: Forger on nested MAC • pair of keys (k,l) are kept secret • Oscar: • chooses an x • oracle – “magic box” • given x, oracle computes z = hl(gk(x)) • tries to find (x’, z) where x’ was not any x given to oracle

  16. Attack 2: Forger on smaller MAC component of nested MAC (H family) • key l is chosen and kept secret (l is in keyspace of H family of hashes) • Oscar: • chooses y • given y, oracle computes z = hl(y) • tries to output (y’,z) where y’ was not in one of its previous queries to oracle

  17. Attack 3: Collision Finder for a hash family • key k in K is kept secret • Oscar: • chooses an x • given x, oracle computes gk(x) • tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)

  18. HMAC • nested MAC algorithm (proposed standard) • based on SHA-1 • uses 512-bit key k • 2 512-bit constants, ipad and opad • 160-bit MAC • HMACk(x) = SHA-1((k  opad) || SHA-1((K  ipad) || x)) • ipad component resistant against unknown-key collision attack

  19. Further Reading • Applied Cryptography,Bruce Schneier • Cryptography: Theory and Practice, Douglas Stinson • Handbook of Applied Cryptography, Alfred Menezes, et. al. • available for download at: • http://www.cacr.math.uwaterloo.ca/hac/

More Related