Hash functions
1 / 21

Hash Functions - PowerPoint PPT Presentation

  • Uploaded on

Hash Functions. Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction. Cryptographic hash functions Input – any length Output – fixed length H(x) – easy H(x) – one way “hard to invert” H(x) collision free. Purposes for hash functions. Data Integrity Ex: Tripwire Message digest

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Hash Functions' - havily

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hash functions

Hash Functions

Nathanael Paul

Oct. 9, 2002

Hash functions introduction
Hash Functions: Introduction

  • Cryptographic hash functions

    • Input – any length

    • Output – fixed length

    • H(x) – easy

    • H(x) – one way

      • “hard to invert”

    • H(x) collision free

Purposes for hash functions
Purposes for hash functions

  • Data Integrity

    • Ex: Tripwire

    • Message digest

      • y = h(x). y is called the message digest.

      • 160 bits in size – “birthday attack”

  • Message Source

  • Digital Signatures

  • Message Authentication Codes (MAC)

Digital signatures and message authentication code mac overview
Digital Signatures and Message Authentication Code (MAC) overview

  • Suppose Alice and Bob share a secret key k which determines hash function hk

  • Alice sends (x, y) to Bob where y = hk(x)

  • Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.

Hash family
Hash Family overview

  • (X,Y,K,H)

    • For each k in K, there exists an h in H, such that hk(x)  y

  • Assume |X| >= |Y| (even better, 2|X| >= |Y|)

  • Unkeyed hash function

    • |K| = 1

    • Ex. SHA-1 (successor of MD4)

Conditions of a secure hash function
Conditions of a secure hash function overview

  • Preimage

    • Find x such that h(x) = y, given y and the function f().

    • one-way

  • Second Preimage

    • Find x’ != x, such that h(x) = h(x’), given x and the function h().

    • weak collision resistance

  • Collision

    • Find h(x) = h(x’) such that x != x’, given function h()

    • strong collision resistance

Iterated hash function overview
Iterated hash function overview overview

  • compression function

    • Given input of length m, produce output of length n

    • inputs to compression function:

      • message block, mi

      • output of previous blocks of text

      • hi = f(mi, hi-1)

  • MD-strengthening (Merkle-Damgard)

    • pre-image contains length of entire message

    • initialization vector (padding function)

Modes of operation
Modes of operation overview

  • Modes of operation

    • ECB, CBC, CFB, OFB

    • different characteristics:

      • error propagation

      • efficiency

      • increase in data size

    • NIST document on modes of operation

      • http://csrc.nist.gov/encryption/tkmodes.html

    • Next slide shows CBC mode of operation...

Message authentication codes
Message Authentication Codes overview

  • Oscar’s (adversary) goal:

    • produce a pair (x,y) that is valid, but the key k is not known

  • Oscar knows

    • valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)}

  • forgery

    • Oscar outputs an (x,y) where x is not in Pairs

Review of types of attacks
Review of types of attacks overview

  • Ciphertext-only

    • Oscar possesses a string of ciphertext, y

  • Known plaintext

    • has ciphertext, y, corresponding to a message, x

  • Chosen plaintext

    • access to encryption. choose x, get y

  • Chosen ciphertext

    • choose y, get x

Ways of creating a mac
Ways of creating a MAC overview

  • Base MAC on block cipher

    • block cipher already implemented, so part of implementation is done

  • MAC from an unkeyed hash

    • just add a key to output of unkeyed hash

    • requires careful analysis

  • Create a customized MAC

Cbc mac
CBC MAC overview

  • use block cipher in CBC mode with fixed IV

  • best general attack is birthday attack

Nested macs
Nested MACs overview

  • Nested MAC

    • composition of 2 keyed hash families

      • G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x))

    • Secure if the following holds (given unknown key):

      • G is collision-resistant

      • H is secure as a MAC

Types of attacks on nested macs
Types of attacks on nested MACs overview

  • forger for nested MAC

  • forger for the little MAC

    • attack on component MAC H

  • unknown-key collision attack

Attack 1 forger on nested mac
Attack 1: Forger on nested MAC overview

  • pair of keys (k,l) are kept secret

  • Oscar:

    • chooses an x

    • oracle – “magic box”

    • given x, oracle computes z = hl(gk(x))

    • tries to find (x’, z) where x’ was not any x given to oracle

Attack 2 forger on smaller mac component of nested mac h family
Attack 2: Forger on smaller MAC component of nested MAC (H family)

  • key l is chosen and kept secret (l is in keyspace of H family of hashes)

  • Oscar:

    • chooses y

    • given y, oracle computes z = hl(y)

    • tries to output (y’,z) where y’ was not in one of its previous queries to oracle

Attack 3 collision finder for a hash family
Attack 3: Collision Finder for a hash family family)

  • key k in K is kept secret

  • Oscar:

    • chooses an x

    • given x, oracle computes gk(x)

    • tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)

Hash functions
HMAC family)

  • nested MAC algorithm (proposed standard)

    • based on SHA-1

    • uses 512-bit key k

    • 2 512-bit constants, ipad and opad

  • 160-bit MAC

    • HMACk(x) = SHA-1((k  opad) || SHA-1((K  ipad) || x))

      • ipad component resistant against unknown-key collision attack

Further reading
Further Reading family)

  • Applied Cryptography,Bruce Schneier

  • Cryptography: Theory and Practice, Douglas Stinson

  • Handbook of Applied Cryptography, Alfred Menezes, et. al.

    • available for download at:

    • http://www.cacr.math.uwaterloo.ca/hac/