Hash Functions

1 / 21

# Hash Functions - PowerPoint PPT Presentation

Hash Functions. Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction. Cryptographic hash functions Input – any length Output – fixed length H(x) – easy H(x) – one way “hard to invert” H(x) collision free. Purposes for hash functions. Data Integrity Ex: Tripwire Message digest

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Hash Functions' - havily

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Hash Functions

Nathanael Paul

Oct. 9, 2002

Hash Functions: Introduction
• Cryptographic hash functions
• Input – any length
• Output – fixed length
• H(x) – easy
• H(x) – one way
• “hard to invert”
• H(x) collision free
Purposes for hash functions
• Data Integrity
• Ex: Tripwire
• Message digest
• y = h(x). y is called the message digest.
• 160 bits in size – “birthday attack”
• Message Source
• Digital Signatures
• Message Authentication Codes (MAC)
• Suppose Alice and Bob share a secret key k which determines hash function hk
• Alice sends (x, y) to Bob where y = hk(x)
• Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.
Hash Family
• (X,Y,K,H)
• For each k in K, there exists an h in H, such that hk(x)  y
• Assume |X| >= |Y| (even better, 2|X| >= |Y|)
• Unkeyed hash function
• |K| = 1
• Ex. SHA-1 (successor of MD4)
Conditions of a secure hash function
• Preimage
• Find x such that h(x) = y, given y and the function f().
• one-way
• Second Preimage
• Find x’ != x, such that h(x) = h(x’), given x and the function h().
• weak collision resistance
• Collision
• Find h(x) = h(x’) such that x != x’, given function h()
• strong collision resistance
Iterated hash function overview
• compression function
• Given input of length m, produce output of length n
• inputs to compression function:
• message block, mi
• output of previous blocks of text
• hi = f(mi, hi-1)
• MD-strengthening (Merkle-Damgard)
• pre-image contains length of entire message
Modes of operation
• Modes of operation
• ECB, CBC, CFB, OFB
• different characteristics:
• error propagation
• efficiency
• increase in data size
• NIST document on modes of operation
• http://csrc.nist.gov/encryption/tkmodes.html
• Next slide shows CBC mode of operation...
Message Authentication Codes
• produce a pair (x,y) that is valid, but the key k is not known
• Oscar knows
• valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)}
• forgery
• Oscar outputs an (x,y) where x is not in Pairs
Review of types of attacks
• Ciphertext-only
• Oscar possesses a string of ciphertext, y
• Known plaintext
• has ciphertext, y, corresponding to a message, x
• Chosen plaintext
• Chosen ciphertext
• choose y, get x
Ways of creating a MAC
• Base MAC on block cipher
• block cipher already implemented, so part of implementation is done
• MAC from an unkeyed hash
• just add a key to output of unkeyed hash
• requires careful analysis
• Create a customized MAC
CBC MAC
• use block cipher in CBC mode with fixed IV
• best general attack is birthday attack
Nested MACs
• Nested MAC
• composition of 2 keyed hash families
• G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x))
• Secure if the following holds (given unknown key):
• G is collision-resistant
• H is secure as a MAC
Types of attacks on nested MACs
• forger for nested MAC
• forger for the little MAC
• attack on component MAC H
• unknown-key collision attack
Attack 1: Forger on nested MAC
• pair of keys (k,l) are kept secret
• Oscar:
• chooses an x
• oracle – “magic box”
• given x, oracle computes z = hl(gk(x))
• tries to find (x’, z) where x’ was not any x given to oracle
• key l is chosen and kept secret (l is in keyspace of H family of hashes)
• Oscar:
• chooses y
• given y, oracle computes z = hl(y)
• tries to output (y’,z) where y’ was not in one of its previous queries to oracle
Attack 3: Collision Finder for a hash family
• key k in K is kept secret
• Oscar:
• chooses an x
• given x, oracle computes gk(x)
• tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)
HMAC
• nested MAC algorithm (proposed standard)
• based on SHA-1
• uses 512-bit key k