190 likes | 311 Vues
ICS 454 Principles of Cryptography. Secure Hashing and DSS Sultan Almuhammadi. Outline. One-way functions Secure Hash function Authentication (example) Digital Signature Standards (DSS). Definitions. One-way function f :A B Given x A, it is easy to compute f ( x )
E N D
ICS 454Principles of Cryptography Secure Hashing and DSS Sultan Almuhammadi
Outline • One-way functions • Secure Hash function • Authentication (example) • Digital Signature Standards (DSS)
Definitions • One-way function f :AB • Given x A, it is easy to compute f (x) • Given f (x), it is hard to compute x • Trapdoor one-way function • A one-way function f :A B with a secret s, such that • Given x A, it is easy to compute f (x) • Given f (x), it is hard to compute x • Given f (x) and s, it is easy to compute x
Examples • One-way function • Multipicative group Zp* with generator g • f (x) = gx mod p • Trapdoor one-way function • Multiplicative group Zn* where n = p.q for primes p,q • f (x) = x2 mod n • The secret is:(p and q)
Hash Function • Definition: one-way hash function h(x) • A one-way hash function operates on an input message x of arbitrary length, and outputs a fixed-length hash value h(x). • Given x, it is easy to compute h(x) • Given h(x), it is infeasible to compute x
Hash Function Properties • h can be applied to an input of any size • h produces a fixed-length output • One-way property:Easy to compute h(x), but infeasible to compute x given h(x) (Preimage resistance) • Collision resistance property: • Weakly collision-free: Given x, it is infeasible to find y x, such that h(x) = h(y) (Second preimage resistance) • Strongly collision-free: It is infeasible to find any pair (x, y) such that y x and h(x) = h(y) (Collision resistance)
Secure Hashing • Definition: h is cryptographically secure if it is a one-way collision-free hash function. • Note: Strong/weak collision resistance depends on the sensitivity of the application • Given a message M, h(M) is called the hash value of M , hash code, or the message digest. • Examples: SHA, MD4, MD5, Whirlpool
Security of Hash Functions • Effort Required for Brute-Force Attack (on average)
Secure Hash Algorithm (SHA) • Developed by National Institute of Standards and Technology (NIST) in 1993. • In 1995, NIST published SHA-1 • Based on MD4 • Output: 160-bit hash value • In 2002, NIST defined 3 versions (SHA-256, SHA-384, SHA-512) with hash value lengths: 256, 384, and 512. • In 2005, NIST approved the phase out of SHA-1 and moving to other versions of SHA by 2010.
MD4 • MD stands for Message Digest and designed by Ron Rivest • Output: 128-bit hash values • Design goals (claimed by Rivest) • Strongly collision-free (no attack is better than brute-foce) • The security is based on no assumption (like hardness of factorization) • MD4 was cryptanalyzed shortly after publishing and some parts were successfully attacked.
MD5 • MD5 is an improved version of MD4 • Output: 128-bit hash values • Ron Rivest made several improvements of MD5 over MD4 • MD5 was cryptanalyzed but there is no practical impact on the security of the hash function
Whirlpool • Based on the use of a block cipher for the compression function (initially DES, later AES) • General drawbacks of using block cipher: • Block ciphers are invertible lack of randomness • Low performance due to slow block ciphers • Weakness due to regularities of block ciphers • Hash value length restriction due to block sizes: h 2b • Since the adoption of AES, Whirlpool overcomes the above drawbacks.
Whirlpool • Advantages of using AES • Hash code length is 512 bits (same as SHA) • Resistant to usual attacks on block-cipher hashing • Good performance and compact implementation on software and hardware
Applications of Secure Hashing • Authentication • Digital Signature
Example: Authentication • Alice logs into a host computer • She identifies herself by a username and a password • The host computer stores a all username-password in a a database and check for a match. • Authentication using secure hash functions • Alice sends her password to the host • The host hashes the password and compares the hash value to the value it previously stored • If Eve steals the hash values, she still cannot log in, since the hash function is one-way and collision-free.
Digital Signature Standard (DSS) • Proposed by the National Institute of Standards and Technology (NIST) in 1991 • DSS uses a digital signature algorithm (DSA): • Designed to provide only the digital signature function • Cannot be used for encryption or key exchange • Must be a public-key technique (publicly verifiable) • Use the SHA for hashing the message • Example of digital signature approaches: • RSA Approach • DSS Approach
Digital Signature Algorithm (DSA) • NIST adopted DSA based on ElGamal digital signature with the following parameters: • Prime p of length 512-1024 bits • 160-bit prime q such that q | (p – 1) • g is of the form g = h(p-1)/q mod p • Private key: x, Public key: y = gx mod p • The signature (a, b) is computed by: a = (gr mod p) mod q, for random r < q b = (r-1 (SHA(M) + x.a)) mod q • The length of the signature (a, b) = 2 x 160 bits