1 / 97

Computer and Information Security

Computer and Information Security. Chapter 5 Hash Functions. Chapter 5: Hash Functions++. “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.” “It's a poor sort of memory that only works backwards,” the Queen remarked.

hayley
Download Presentation

Computer and Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer and Information Security Chapter 5 Hash Functions

  2. Chapter 5: Hash Functions++ “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.” “It's a poor sort of memory that only works backwards,” the Queen remarked. “What sort of things do you remember best?" Alice ventured to ask. “Oh, things that happened the week after next," the Queen replied in a careless tone.  Lewis Carroll, Through the Looking Glass Part 1  Cryptography 2

  3. Chapter 5: Hash Functions++ A boat, beneath a sunny sky Lingering onward dreamily In an evening of July  Children three that nestle near, Eager eye and willing ear, ...  Lewis Carroll, Through the Looking Glass Part 1  Cryptography 3

  4. Hash Function Motivation • Suppose Alice signs M • Alice sends M and S = [M]Alice to Bob • Bob verifies that M = {S}Alice • Can Alice just send S? • If M is big, [M]Alice costly to compute & send • Suppose instead, Alice signs h(M), where h(M) is much smaller than M • Alice sends M and S = [h(M)]Alice to Bob • Bob verifies that h(M) = {S}Alice Part 1  Cryptography 4

  5. Hash Function Motivation • So, Alice signs h(M) • That is, Alice computes S = [h(M)]Alice • Alice then sends (M, S) to Bob • Bob verifies that h(M) = {S}Alice • What properties must h(M) satisfy? • Suppose Trudy finds M’ so that h(M) = h(M’) • Then Trudy can replace (M, S) with (M’, S) • Does Bob detect this tampering? • No, since h(M’) = h(M) = {S}Alice Part 1  Cryptography 5

  6. Crypto Hash Function • Crypto hash function h(x) must provide • Compression output length is small • Efficiencyh(x) easy to compute for any x • One-way given a value y it is infeasible to find an x such that h(x) = y • Weak collision resistance given x and h(x), infeasible to find y  x such that h(y) = h(x) • Strong collision resistance infeasible to find anyx and y, with x  y such that h(x) = h(y) • Lots of collisions exist, but hard to find any Part 1  Cryptography 6

  7. Pre-Birthday Problem • Suppose N people in a room • How large must N be before the probability someone has same birthday as me is 1/2 ? • Solve: 1/2 = 1  (364/365)N for N • We find N = 253 Part 1  Cryptography 7

  8. Birthday Problem • How many people must be in a room before probability is 1/2 that any two (or more) have same birthday? • 1  365/365  364/365   (365N+1)/365 • Set equal to 1/2 and solve: N = 23 • Surprising? A paradox? • Maybe not: “Should be” about sqrt(365) since we compare all pairsx and y • And there are 365 possible birthdays Part 1  Cryptography 8

  9. Of Hashes and Birthdays • If h(x) is N bits, 2N different hash values are possible • So, if you hash about 2N/2 random values then you expect to find a collision • Since sqrt(2N) = 2N/2 • Implication: secure N bit symmetric key requires 2N1 work to “break” while secure N bit hash requires 2N/2 work to “break” • Exhaustive search attacks, that is Part 1  Cryptography 9

  10. Non-crypto Hash (1) • Data X = (X0,X1,X2,…,Xn-1), each Xi is a byte • Define h(X) =X0+X1+X2+…+Xn-1 • Is this a secure cryptographic hash? • Example: X = (10101010, 00001111) • Hash is h(X) = 10111001 • If Y = (00001111, 10101010) then h(X) = h(Y) • Easy to find collisions, so notsecure… Part 1  Cryptography 10

  11. Non-crypto Hash (2) • Data X = (X0,X1,X2,…,Xn-1) • Suppose hash is defined as h(X) = nX0+(n1)X1+(n2)X2+…+1Xn-1 • Is this a secure cryptographic hash? • Note that h(10101010, 00001111)  h(00001111, 10101010) • But hash of (00000001, 00001111) is same as hash of (00000000, 00010001) • Not “secure”, but this hash is used in the (non-crypto) application rsync Part 1  Cryptography 11

  12. Non-crypto Hash (3) • Cyclic Redundancy Check (CRC) • Essentially, CRC is the remainder in a long division calculation • Good for detecting burst errors • Random errors unlikely to yield a collision • But easy to construct collisions • CRC has been mistakenly used where crypto integrity check is required (e.g., WEP) Part 1  Cryptography 12

  13. Popular Crypto Hashes • MD5 invented by Rivest • 128 bit output • Note: MD5 collisions easy to find • SHA-1 A U.S. government standard, inner workings similar to MD5 • 160 bit output • Many other hashes, but MD5 and SHA-1 are the most widely used • Hashes work by hashing message in blocks Part 1  Cryptography 13

  14. Crypto Hash Design • Desired property: avalanche effect • Change to 1 bit of input should affect about half of output bits • Crypto hash functions consist of some number of rounds • Want security and speed • Avalanche effect after few rounds • But simple rounds • Analogous to design of block ciphers Part 1  Cryptography 14

  15. Tiger Hash • “Fast and strong” • Designed by Ross Anderson and Eli Biham  leading cryptographers • Design criteria • Secure • Optimized for 64-bit processors • Easy replacement for MD5 or SHA-1 Part 1  Cryptography 15

  16. Tiger Hash • Like MD5/SHA-1, input divided into 512 bit blocks (padded) • Unlike MD5/SHA-1, output is 192 bits (three 64-bit words) • Truncate output if replacing MD5 or SHA-1 • Intermediate rounds are all 192 bits • 4 S-boxes, each maps 8 bits to 64 bits • A “key schedule” is used Part 1  Cryptography 16

  17. Tiger Outer Round a b c Xi F5 W • Input is X • X = (X0,X1,…,Xn-1) • X is padded • Each Xi is 512 bits • There are n iterations of diagram at left • One for each input block • Initial (a,b,c) constants • Final (a,b,c) is hash • Looks like block cipher! key schedule W F7 key schedule W F9    a b c a b c Part 1  Cryptography 17

  18. Tiger Inner Rounds a b c • Each Fm consists of precisely 8 rounds • 512 bit input W to Fm • W=(w0,w1,…,w7) • W is one of the input blocks Xi • All lines are 64 bits • The fm,i depend on the S-boxes (next slide) w0 fm,0 w1 fm.1 w2 fm,2 w7 fm,7 a b c Part 1  Cryptography 18

  19. Tiger Hash: One Round • Each fm,i is a function of a,b,c,wi and m • Input values of a,b,c from previous round • And wi is 64-bit block of 512 bit W • Subscript m is multiplier • And c = (c0,c1,…,c7) • Output of fm,i is • c = c  wi • a = a  (S0[c0]  S1[c2]  S2[c4]  S3[c6]) • b = b + (S3[c1]  S2[c3]  S1[c5]  S0[c7]) • b = b  m • Each Si is S-box: 8 bits mapped to 64 bits Part 1  Cryptography 19

  20. Tiger Hash Key Schedule x0 = x0  (x7  0xA5A5A5A5A5A5A5A5) x1 = x1  x0 x2 = x2  x1 x3 = x3  (x2  ((~x1) << 19)) x4 = x4 x3 x5 = x5 +x4 x6 = x6  (x5  ((~x4) >> 23)) x7 = x7  x6 x0 = x0 +x7 x1 = x1  (x0  ((~x7) << 19)) x2 = x2  x1 x3 = x3 +x2 x4 = x4  (x3  ((~x2) >> 23)) x5 = x5  x4 x6 = x6 +x5 x7 = x7 (x6  0x0123456789ABCDEF) • Input is X • X=(x0,x1,…,x7) • Small change in X will produce large change in key schedule output Part 1  Cryptography 20

  21. Tiger Hash Summary (1) • Hash and intermediate values are 192 bits • 24 (inner) rounds • S-boxes: Claimed that each input bit affects a, b and c after 3 rounds • Key schedule: Small change in message affects many bits of intermediate hash values • Multiply: Designed to ensure that input to S-box in one round mixed into many S-boxes in next • S-boxes, key schedule and multiply together designed to ensure strong avalanche effect Part 1  Cryptography 21

  22. Tiger Hash Summary (2) • Uses lots of ideas from block ciphers • S-boxes • Multiple rounds • Mixed mode arithmetic • At a higher level, Tiger employs • Confusion • Diffusion Part 1  Cryptography 22

  23. Authentication • In addition to confidentiality, message authentication is an important security function • “A message, file, document or data is said to be authentic when it is genuine and came from its alleged source.” • Encryption prevents against passive attacks (eavesdropping) • Message Authentication prevents against active attacks or falsification.

  24. Message Authentication • Message authentication is concerned with: • protecting the integrity of a message • validating identity of originator • non-repudiation of origin (dispute resolution) • The three alternative functions used: • hash function • message encryption • message authentication code (MAC)

  25. Message Authentication • Requirements - must be able to verify that: 1. Message came from apparent source or author 2. Contents have not been altered 3. Timeliness – that it was sent at a certain time or sequence. • Protection against active attack (falsification of data and transactions)

  26. Approaches to Message Authentication • Authentication Using Conventional Encryption • Only the sender and receiver should share a key • Message Authentication without Message Encryption • An authentication tag is generated and appended to each message • Message Authentication Code • Calculate the MAC as a function of the message and the key. MAC= F(K, M)

  27. Message Authentication • Using Encryption • Assume only sender and receiver share a key • Then a correctly encrypted message should be from the sender • Usually also contains error-detection code, sequence number and time stamp • Encryption alone is not suitable for authentication. Blocks could have been reordered, changing meaning

  28. Message Authentication • Without Encryption No confidentiality is preferred when: • Same message is broadcast to many destinations • Heavy load and cannot decrypt all messages – some chosen at random • No danger in sending plaintext Append authentication tag to each message

  29. Message Authentication • Message Authentication Code (MAC) • Small block of data that is appended to the message • MAC is generated by using a secret key • Assumes both parties A,B share common secret key KAB • Code is function of message and key MACM= F(KAB, M) • Message plus code are transmitted

  30. Message Authentication Code • Recipient uses key to compute new code • If received code matches calculated code then • Receiver is sure message has not been altered • Message is from sender, since only sender shares the key • If the message includes correct sequence number, that number could not have been altered by hacker

  31. Message Authentication Code • Different from encryption • MAC does not have to be reversible as the cipher text does in encryption • Because of mathematical properties, it is less vulnerable to being broken than encryption • 16 to 32 bit code is typical

  32. One-way HASH function • Alternative to Message Authentication Code • Accepts a variable size message M as input and produces a fixed-size message digest H (M) as output • Unlike the MAC, a hash function does not take a secret key as input • Message digest also provides data integrity, since if bits are accidentally altered in transit, the message digest will also be in error.

  33. One-Way Hash Function • The message can be authenticated: • Using encryption using a shared secret key • Using public-key encryption • Also provides a digital signature • Does not require key distribution • Using a secret value

  34. One-way HASH function

  35. One-Way HASH Function • Secret value is added before the hash and removed before transmission. Secret Value Secret Value

  36. One-way HASH FunctionAdvantages • Using a hash function instead of encryption has advantages: • Encryption is slow • Encryption hardware can be expensive • Encryption hardware is optimized for large data sets • An encryption algorithm may be protected by a patent

  37. Hash Function • Condenses arbitrary message to fixed size h = H(M) • Usually assume hash function is public • Hash used to detect changes to message • Want a cryptographic hash function • computationally infeasible to find data mapping to specific hash (one-way property) • computationally infeasible to find two data to same hash (collision-free property)

  38. Secure HASH Functions • Purpose of the HASH function is to produce a “fingerprint” • Properties of a HASH function H : • H can be applied to a block of data at any size • H produces a fixed length output • H(x) is easy to compute for any given x. • For any given block x, it is computationally infeasible to find x such that H(x) = h (one-way property) • For any given block x, it is computationally infeasible to find • with H(y) = H(x). (weak collision resistance) • 6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collsion resistance)

  39. Simple Hash Function • A weak hash function satisfies the first 5 properties. • A strong hash function also satisfies the 6th property (strong collision resistance) • Effective against the birthday attack • Message Digest provides both authentication and integrity

  40. Simple Hash Function • A weak hash function satisfies the first 5 properties. • A strong hash function also satisfies the 6th property (strong collision resistance) • Effective against the birthday attack • Message Digest provides both authentication and integrity

  41. Hash Function Requirements

  42. Security of Hash Functions • Attacking a secure hash function can be done by using cryptanalysis or brute force. • Strength of function depends on the length of the hash code produced by the algorithm. • For example: • A search machine can find a collision for 128 bit code length in 24 days – considered inadequate • With 160 bits, finding a collision might take 4000 years ( or less with today’s speeds)

  43. Simple Hash Function • General principle • Input is a sequence of n-bit blocks • Input is processed one block at a time to produce an n-bit hash function • A simple example is the XOR of each block Ci = bi1 bi2  …  bim Ci is ith bit of hash code 1 <= i <= n m is number of n-bit block in input bij is ith bit in jth block  Is the XOR operation

  44. Simple Hash Function

  45. Simple Hash FunctionImproved • To improve- perform a one-bit circular shift on the hash value after each block is processed • Initially set the n-bit hash value to zero • Process each successive n-bit block of data by: • Rotating current hash value to the left by 1 bit • XOR the block into the hash value • This has the effect of “randomizing” the input

  46. Other Secure HASH functions

  47. HMAC • Use a MAC derived from a cryptographic hash code, such as SHA-1. • Motivations: • Cryptographic hash functions execute faster in software than encryption algorithms such as DES • Library code for cryptographic hash functions is widely available • No export restrictions from the US

  48. HMAC Design Objectives • Use, without modifications, hash functions • Allow for easy replaceability of embedded hash function • Preserve original performance of hash function without significant degradation • Use and handle keys in a simple way. • Have well understood cryptographic analysis of authentication mechanism strength

More Related