hash functions
Download
Skip this Video
Download Presentation
Hash Functions

Loading in 2 Seconds...

play fullscreen
1 / 21

Hash Functions - PowerPoint PPT Presentation


  • 113 Views
  • Uploaded on

Hash Functions. Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction. Cryptographic hash functions Input – any length Output – fixed length H(x) – easy H(x) – one way “hard to invert” H(x) collision free. Purposes for hash functions. Data Integrity Ex: Tripwire Message digest

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Hash Functions' - havily


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
hash functions

Hash Functions

Nathanael Paul

Oct. 9, 2002

hash functions introduction
Hash Functions: Introduction
  • Cryptographic hash functions
    • Input – any length
    • Output – fixed length
    • H(x) – easy
    • H(x) – one way
      • “hard to invert”
    • H(x) collision free
purposes for hash functions
Purposes for hash functions
  • Data Integrity
    • Ex: Tripwire
    • Message digest
      • y = h(x). y is called the message digest.
      • 160 bits in size – “birthday attack”
  • Message Source
  • Digital Signatures
  • Message Authentication Codes (MAC)
digital signatures and message authentication code mac overview
Digital Signatures and Message Authentication Code (MAC) overview
  • Suppose Alice and Bob share a secret key k which determines hash function hk
  • Alice sends (x, y) to Bob where y = hk(x)
  • Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.
hash family
Hash Family
  • (X,Y,K,H)
    • For each k in K, there exists an h in H, such that hk(x)  y
  • Assume |X| >= |Y| (even better, 2|X| >= |Y|)
  • Unkeyed hash function
    • |K| = 1
    • Ex. SHA-1 (successor of MD4)
conditions of a secure hash function
Conditions of a secure hash function
  • Preimage
    • Find x such that h(x) = y, given y and the function f().
    • one-way
  • Second Preimage
    • Find x’ != x, such that h(x) = h(x’), given x and the function h().
    • weak collision resistance
  • Collision
    • Find h(x) = h(x’) such that x != x’, given function h()
    • strong collision resistance
iterated hash function overview
Iterated hash function overview
  • compression function
    • Given input of length m, produce output of length n
    • inputs to compression function:
      • message block, mi
      • output of previous blocks of text
      • hi = f(mi, hi-1)
  • MD-strengthening (Merkle-Damgard)
    • pre-image contains length of entire message
    • initialization vector (padding function)
modes of operation
Modes of operation
  • Modes of operation
    • ECB, CBC, CFB, OFB
    • different characteristics:
      • error propagation
      • efficiency
      • increase in data size
    • NIST document on modes of operation
      • http://csrc.nist.gov/encryption/tkmodes.html
    • Next slide shows CBC mode of operation...
message authentication codes
Message Authentication Codes
  • Oscar’s (adversary) goal:
    • produce a pair (x,y) that is valid, but the key k is not known
  • Oscar knows
    • valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)}
  • forgery
    • Oscar outputs an (x,y) where x is not in Pairs
review of types of attacks
Review of types of attacks
  • Ciphertext-only
    • Oscar possesses a string of ciphertext, y
  • Known plaintext
    • has ciphertext, y, corresponding to a message, x
  • Chosen plaintext
    • access to encryption. choose x, get y
  • Chosen ciphertext
    • choose y, get x
ways of creating a mac
Ways of creating a MAC
  • Base MAC on block cipher
    • block cipher already implemented, so part of implementation is done
  • MAC from an unkeyed hash
    • just add a key to output of unkeyed hash
    • requires careful analysis
  • Create a customized MAC
cbc mac
CBC MAC
  • use block cipher in CBC mode with fixed IV
  • best general attack is birthday attack
nested macs
Nested MACs
  • Nested MAC
    • composition of 2 keyed hash families
      • G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x))
    • Secure if the following holds (given unknown key):
      • G is collision-resistant
      • H is secure as a MAC
types of attacks on nested macs
Types of attacks on nested MACs
  • forger for nested MAC
  • forger for the little MAC
    • attack on component MAC H
  • unknown-key collision attack
attack 1 forger on nested mac
Attack 1: Forger on nested MAC
  • pair of keys (k,l) are kept secret
  • Oscar:
    • chooses an x
    • oracle – “magic box”
    • given x, oracle computes z = hl(gk(x))
    • tries to find (x’, z) where x’ was not any x given to oracle
attack 2 forger on smaller mac component of nested mac h family
Attack 2: Forger on smaller MAC component of nested MAC (H family)
  • key l is chosen and kept secret (l is in keyspace of H family of hashes)
  • Oscar:
    • chooses y
    • given y, oracle computes z = hl(y)
    • tries to output (y’,z) where y’ was not in one of its previous queries to oracle
attack 3 collision finder for a hash family
Attack 3: Collision Finder for a hash family
  • key k in K is kept secret
  • Oscar:
    • chooses an x
    • given x, oracle computes gk(x)
    • tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)
slide20
HMAC
  • nested MAC algorithm (proposed standard)
    • based on SHA-1
    • uses 512-bit key k
    • 2 512-bit constants, ipad and opad
  • 160-bit MAC
    • HMACk(x) = SHA-1((k  opad) || SHA-1((K  ipad) || x))
      • ipad component resistant against unknown-key collision attack
further reading
Further Reading
  • Applied Cryptography,Bruce Schneier
  • Cryptography: Theory and Practice, Douglas Stinson
  • Handbook of Applied Cryptography, Alfred Menezes, et. al.
    • available for download at:
    • http://www.cacr.math.uwaterloo.ca/hac/
ad