session 5 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Session 5 PowerPoint Presentation
Download Presentation
Session 5

Loading in 2 Seconds...

play fullscreen
1 / 44

Session 5 - PowerPoint PPT Presentation

  • Uploaded on

Session 5. Hash functions and digital signatures. Contents. Hash functions Definition Requirements Construction Security Applications. Contents. Digital signatures Definition Digital signatures – procedure Digital signature with RSA Signing enciphered messages Signing and hashing.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Session 5

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
session 5

Session 5

Hash functions and digital signatures

  • Hash functions
    • Definition
    • Requirements
    • Construction
    • Security
    • Applications
  • Digital signatures
    • Definition
    • Digital signatures – procedure
    • Digital signature with RSA
    • Signing enciphered messages
    • Signing and hashing
hash functions definition
Hash functions - definition
  • Let k, n be positive integers
  • A function f with n bit output and k bit key is called a hash function if
    • f is a deterministic function
    • f takes 2 inputs, the first is of arbitrary length and the second is of length k
    • f outputs a binary string of length n
  • Formally:
hash functions definition1
Hash functions - definition
  • The key k is assumed to be known/fixed, unlike in cipher systems
  • If k is known/fixed, the hash function is unkeyed
  • If k is secret the hash function is keyed
  • k is known/fixed in most of the applications (e.g. digital signature schemes)
  • k is kept secret in Message Authentication Codes (MACs)
hash functions security requirements
Hash functions – security requirements
  • In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)
    • One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk(x )=w.
hash functions security requirements1
Hash functions – security requirements
  • Security requirements (2)
    • Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk(x )=fk(y ).
hash functions security requirements2
Hash functions – security requirements
  • Security requirements (3):
    • (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such thatfk(x )=fk(y ).
hash functions security requirements3
Hash functions – security requirements
  • The collision resistance implies the second preimage resistance.
  • The second preimage resistance and one-wayness are incomparable
    • The properties do not follow from one another
    • Still, a hash function that would be one-way but not second preimage resistant would be quite artificial
hash functions security requirements4
Hash functions – security requirements
  • In practice, collision resistance is the strongest security requirement of all the three requirements
    • the most difficult to satisfy
    • the easiest to breach
  • Breaking the collision resistance property is the goal of most attacks on hash functions.
hash functions other requirements
Hash functions – other requirements
  • Certificational weakness
    • A good hash function should possess avalanche property
      • changing a bit of input would approximately change a half of the output bits
    • No input bits can be reliably guessed based on the hash function’s local output (local one-wayness)
    • Failure to satisfy these (and some other) properties is called certificational weakness.
hash functions other requirements1
Hash functions – other requirements
  • It is also required that a hash function is feasible to compute, given x (and k ).
  • This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.
hash functions other requirements2
Hash functions – other requirements
  • Example: so called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography
    • Shamir’s function (factoring)
    • Chaum-vanHeijst-Pfitzmann’s function (discrete log)
    • Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)
hash functions construction
Hash functions - construction
  • The Merkle-Damgård construction
    • A classical hash function design
    • Iterates a compression function
    • A compression function
      • takes a fixed length input
      • outputs a fixed length (shorter) output.
hash functions construction1
Hash functions - construction
  • In practice, symmetric cipher systems are used as compression functions (usually block ciphers).
  • Let g =(x,k) be a block cipher, where x is the plaintext message, and k is the key.
  • The length of the block x is n bits and the length of the key k is m bits, m >n.
hash functions construction2
Hash functions - construction
  • The hash function f to be constructed
    • has the (theoretically) unlimited input length
    • has the output bit length n
  • The input string to the hash function f is y.
hash functions construction3
Hash functions - construction
  • Hash function iterations
    • Pad y such that the length of the padded input y ’ is the least possible multiple of m.
    • Let where yi{0,1}m .
    • Let f0 be a fixed initialization vector of length n (in bits).
    • Then, for i=1,..., r, fi=g (fi-1, ).
    • Finally, f =fr.
hash functions construction4
Hash functions - construction
  • Remark:
    • The padding algorithm and f0 depend on the particular hash function.
  • Schematic of the Merkle-Damgård design
hash functions construction5
Hash functions - construction
  • Advantages of using block ciphers as compression functions
    • Efficient, i.e. fast
    • Usually already implemented
  • Disadvantage
    • Employing a strong block cipher in hash function design does not guarantee a good hash function.
hash functions construction6
Hash functions - construction
  • Examples of Merkle-Damgård designs
    • The MD (Message Digest) family of hash functions (MD4, MD5), n =128.
    • The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)).
  • They all use custom block cipher rounds.
hash functions construction7
Hash functions - construction
  • The speed of such a design depends on the number of rounds of the block cipher involved.
  • Example
    • MD4 – 3 rounds
    • MD5 – 4 rounds – more secure
    • But MD5 is 30% slower than MD4.
hash functions security
Hash functions - security
  • Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found.
  • They are now considered insecure.
  • Consequence: the SHA-3 contest, the proposals are due October 2008.
hash functions applications
Hash functions - applications
  • Data integrity protection
    • Digital signature schemes
  • Authentication
    • Message authentication codes (MACs)
    • If MAC uses a hash function it is called HMAC
    • HMAC standard RFC2104 (Bellare-Canetti-Krawczyk, 1996).
digital signatures definition
Digital signatures - definition
  • Digital signature
    • A number dependent on some secret known only to the signer and on the contents of the signed message
    • Must be verifiable in case of
      • a signer repudiating a signature
      • a fraudulent claimant
digital signatures definition1
Digital signatures - definition
  • Applications
    • Authentication
    • Data integrity protection and non-repudiation
    • Certification of public keys in large networks.
digital signatures procedure
Digital signatures - procedure
  • Basic elements (1)
    • M – the set of messages that can be signed
    • S – the set of signatures, e.g. binary strings of fixed length
    • SA – signing transformation for the entity A
      • SA is kept secret by A
      • Used to create signatures from M
digital signatures procedure1
Digital signatures - procedure
  • Basic elements (2)
    • VA – verification transformation for the A’s signatures
      • Publicly known
      • Used by other entities to verify signatures created by A
digital signatures procedure2
Digital signatures - procedure
  • Both SA and VA should be feasible to compute
  • It should not be computationally feasible to forge a digital signature y on a message x
    • Given x, only A (i.e. Alice) should be able to compute the signature y such that VA(x,y)=true.
digital signatures procedure3
Digital signatures - procedure
  • Signing a message x
    • Alice uses the algorithm SA to compute the signature over the message x
    • Alice publishes (or sends to some recipient) the message x, together with the signature y =SA(x )
digital signatures procedure4
Digital signatures - procedure
  • Verifying a signature of a message published/sent by Alice
    • Upon receiving the pair (x,y), the verifier uses the algorithm VA (publicly known) to verify the integrity of the received message x
    • If VA (x,y)=true, the signature is verified.
digital signatures procedure5
Digital signatures - procedure
  • It can be shown that asymmetric ciphers can be used for digital signature purposes
  • To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation SA.
digital signature with rsa
Digital signature with RSA
  • Alice signs the message x by using the deciphering transformation
  • Alice is the only one that can sign, since dA is kept secret.
digital signature with rsa1
Digital signature with RSA
  • Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (eA,nA), i.e.
  • If c =x, then the signature y is verified.
digital signature with rsa security
Digital signature with RSA - security
  • Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature).
  • Eve does not know dA, she only knows Alice’s public key (eA,nA).
digital signature with rsa security1
Digital signature with RSA - security
  • Direct verification, if Eve’s signed document (x ’,y ) is to be verified
    • This will fail, since c ≠x ’.
  • Thus, what Eve needs is another signature, y ’, such that
  • Getting y ’ is a difficult problem.
digital signature with rsa security2
Digital signature with RSA - security
  • Another possibility for Eve – she can choose y ’ first and then generate the message
  • y ’ will then be easily verified, i.e. such a forgery is successful.
  • But then the probability that x ’ is meaningful is very small.
signing enciphered messages
Signing enciphered messages
  • Suppose Alice wants to send a signed enciphered message x to Bob.
    • Alice computes her signature y =SA (x )
    • Then Alice enciphers both x and y by means of Bob’s public key
    • The ciphertext z is transmitted to Bob.
signing enciphered messages1
Signing enciphered messages
  • Deciphering and verification
    • Bob deciphers z by means of his private key and thus obtains (x,y)
    • Then Bob uses Alice’s public verification function VA to verify the Alice’s signature y.
signing and hashing
Signing and hashing
  • Usually, public key ciphers are used in digital signature schemes
  • If the original message is signed, the signature is at least as long as the message – inefficient
signing and hashing1
Signing and hashing
  • Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability.
  • Solution: sign hashed message.
signing and hashing2
Signing and hashing
  • The hash function f is made public
  • Starting with a message x, Alice first computes f (x ), which is significantly smaller than x
  • Alice then computes y =SA(f (x ))
  • Alice then sends (x,y) to Bob.
signing and hashing3
Signing and hashing
  • Verification process
    • Bob computes f (x )
    • Bob also computes VA (f (x ),y )
    • If VA (f (x ),y ) =true, then Alice’s signature is verified.
signing and hashing security
Signing and hashing - security
  • Suppose Eve has (x,y=SA(f (x ))
  • Eve would like to sign her own message x ’ with Alice’s signature (i.e. to forge it)
  • So she needs SA(f (x ’))=SA(f (x )), which means she needs f (x ’)=f (x ). This is difficult iff (x ) is second preimage resistant.
signing and hashing security1
Signing and hashing - security
  • Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant.
  • So it is difficult for Eve to choose the signature first and then get the corresponding message.