- 113 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Hash Functions' - havily

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Hash Functions: Introduction

- Cryptographic hash functions
- Input – any length
- Output – fixed length
- H(x) – easy
- H(x) – one way
- “hard to invert”
- H(x) collision free

Purposes for hash functions

- Data Integrity
- Ex: Tripwire
- Message digest
- y = h(x). y is called the message digest.
- 160 bits in size – “birthday attack”
- Message Source
- Digital Signatures
- Message Authentication Codes (MAC)

Digital Signatures and Message Authentication Code (MAC) overview

- Suppose Alice and Bob share a secret key k which determines hash function hk
- Alice sends (x, y) to Bob where y = hk(x)
- Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.

Hash Family

- (X,Y,K,H)
- For each k in K, there exists an h in H, such that hk(x) y
- Assume |X| >= |Y| (even better, 2|X| >= |Y|)
- Unkeyed hash function
- |K| = 1
- Ex. SHA-1 (successor of MD4)

Conditions of a secure hash function

- Preimage
- Find x such that h(x) = y, given y and the function f().
- one-way
- Second Preimage
- Find x’ != x, such that h(x) = h(x’), given x and the function h().
- weak collision resistance
- Collision
- Find h(x) = h(x’) such that x != x’, given function h()
- strong collision resistance

Iterated hash function overview

- compression function
- Given input of length m, produce output of length n
- inputs to compression function:
- message block, mi
- output of previous blocks of text
- hi = f(mi, hi-1)
- MD-strengthening (Merkle-Damgard)
- pre-image contains length of entire message
- initialization vector (padding function)

Modes of operation

- Modes of operation
- ECB, CBC, CFB, OFB
- different characteristics:
- error propagation
- efficiency
- increase in data size
- NIST document on modes of operation
- http://csrc.nist.gov/encryption/tkmodes.html
- Next slide shows CBC mode of operation...

Message Authentication Codes

- Oscar’s (adversary) goal:
- produce a pair (x,y) that is valid, but the key k is not known
- Oscar knows
- valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)}
- forgery
- Oscar outputs an (x,y) where x is not in Pairs

Review of types of attacks

- Ciphertext-only
- Oscar possesses a string of ciphertext, y
- Known plaintext
- has ciphertext, y, corresponding to a message, x
- Chosen plaintext
- access to encryption. choose x, get y
- Chosen ciphertext
- choose y, get x

Ways of creating a MAC

- Base MAC on block cipher
- block cipher already implemented, so part of implementation is done
- MAC from an unkeyed hash
- just add a key to output of unkeyed hash
- requires careful analysis
- Create a customized MAC

CBC MAC

- use block cipher in CBC mode with fixed IV
- best general attack is birthday attack

Nested MACs

- Nested MAC
- composition of 2 keyed hash families
- G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x))
- Secure if the following holds (given unknown key):
- G is collision-resistant
- H is secure as a MAC

Types of attacks on nested MACs

- forger for nested MAC
- forger for the little MAC
- attack on component MAC H
- unknown-key collision attack

Attack 1: Forger on nested MAC

- pair of keys (k,l) are kept secret
- Oscar:
- chooses an x
- oracle – “magic box”
- given x, oracle computes z = hl(gk(x))
- tries to find (x’, z) where x’ was not any x given to oracle

Attack 2: Forger on smaller MAC component of nested MAC (H family)

- key l is chosen and kept secret (l is in keyspace of H family of hashes)
- Oscar:
- chooses y
- given y, oracle computes z = hl(y)
- tries to output (y’,z) where y’ was not in one of its previous queries to oracle

Attack 3: Collision Finder for a hash family

- key k in K is kept secret
- Oscar:
- chooses an x
- given x, oracle computes gk(x)
- tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)

HMAC

- nested MAC algorithm (proposed standard)
- based on SHA-1
- uses 512-bit key k
- 2 512-bit constants, ipad and opad
- 160-bit MAC
- HMACk(x) = SHA-1((k opad) || SHA-1((K ipad) || x))
- ipad component resistant against unknown-key collision attack

Further Reading

- Applied Cryptography,Bruce Schneier
- Cryptography: Theory and Practice, Douglas Stinson
- Handbook of Applied Cryptography, Alfred Menezes, et. al.
- available for download at:
- http://www.cacr.math.uwaterloo.ca/hac/

Download Presentation

Connecting to Server..