Lect. 16- 17: Hash Functions and MAC
Contents
1. Introduction - Hash Function vs. MAC
2. Hash Functions
  • Security Requirements
  • Finding collisions – birthday paradox
  • Dedicated hash functions
  • SHA-1
  • Hash functions based on block ciphers
1. Hash Functions vs. MAC
Hash Functions
• Hash Function
  – Generates a fixed-length "fingerprint" for an arbitrary-length message
  – No key involved
  – Must be at least one-way to be useful
• Applications
  – Keyed hash: MAC/ICV generation
  – Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator
• Constructions
  – Iterated hash functions (MD4-family hash functions): MD5, SHA1, SHA2, RMD160, HAS160
  – Hash functions based on block ciphers: MDC (Manipulation Detection Code)
[Figure: Message M → H → Message Digest D, where D = H(M)]
Message Authentication Codes (MACs)
• MAC
  – Generates a fixed-length MAC for an arbitrary-length message
  – A keyed hash function
  – Message origin authentication
  – Message integrity
  – Entity authentication
  – Transaction authentication
• Constructions
  – Keyed hash: HMAC, KMAC
  – Block cipher: CBC-MAC
  – Dedicated MAC: MAA, UMAC
[Figure: the message is sent together with its MAC; both MAC computations use the shared secret key]
Comparison of Hash Function & MAC
[Figure: Hash function: arbitrary-length message → fixed-length hash. MAC function: arbitrary-length message + secret key → fixed-length MAC.]
• Easy to compute
• Compression: arbitrary-length input to fixed-length output
• Unkeyed function vs. keyed function
Symmetric Authentication (MAC)
[Figure: Alice runs the secret key algorithm on the message under K_AB, the secret key shared between Alice and Bob, and transmits the message with its MAC. Bob runs the secret key algorithm under K_AB on the received message and compares the result with the received MAC (yes / no).]
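Digital Signature
[Figure: Alice applies the hash function to the message, then the public key algorithm with Alice's private key to the hash value, and transmits the message with the resulting signature. Bob applies the hash function to the received message (hash value 1), applies the public key algorithm with Alice's public key to the signature (hash value 2), and compares the two values (yes / no).]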
MAC and Digital Signature
• MAC (Message Authentication Code)
  – Generated and verified by a secret key algorithm
  – Message origin authentication & message integrity
  – Schemes
      – Keyed hash: HMAC
      – Block cipher: CBC-MAC, XCBC-MAC
      – Dedicated MAC: UMAC
• Digital Signature
  – Generated and verified by a public key algorithm and a hash function
  – Message origin authentication & message integrity
  – Non-repudiation
  – Schemes
      – Hash + digital signature algorithm
      – RSA; DSA, KCDSA; ECDSA, EC-KCDSA
2. Hash Functions
Hash Functions – Requirements
• Definition
  – Compression: arbitrary-length input to fixed-length output
  – Ease of computation
• Security Properties
  – Preimage resistance (one-wayness): given y, it is computationally infeasible to find any input x such that y = h(x)
  – 2nd preimage resistance (weak collision resistance): given x, it is computationally infeasible to find another input x' ≠ x such that h(x') = h(x)
  – Collision resistance (strong collision resistance): it is computationally infeasible to find any two distinct inputs x and x' such that h(x) = h(x')
Brute Force Attack on One-Way Hash Functions
Given y, find m such that h(m) = y.
[Figure: for i = 1, 2, ..., 2^n: compute the n-bit value h(m_i) and test whether h(m_i) = y]
Arbitrary message m, or m of the same meaning?
Constructing Multiple Versions of the Same Message
I state thereby that I borrowed $10,000 from Mr. Kris Gaj on October 15, 2001. This money should be returned to Mr. Gaj by November 30, 2001.
Similar expressions shown under the text: state / confirm; borrowed / received; $10,000 / ten thousand dollars; Mr. / Dr.; Kris / Krzysztof; October 15 / 15 October; This money / amount of money; should be / is required to; returned / given back; Mr. / Dr.; November 30 / 30 November
11 different positions of similar expressions ⇒ 2^11 different messages of the same meaning
Finding Collision in Collision-Resistant Hash Functions
Find any two distinct messages m, m' such that h(m) = h(m').
[Figure: for i = 1, 2, ..., 2^m: compute the n-bit values h(m_i) and look for a match between any two of them]
How large should m be to get a match?
Birthday Paradox
How many students must there be in a class for there to be a greater than 50% chance that
1. One of the students shares the teacher's birthday? (complexity of breaking one-wayness)
   365/2 ≈ 188
2. Any two of the students share the same birthday? (complexity of breaking collision resistance)
   1 – 365 × 364 × ... × (365 − k + 1) / 365^k > 0.5 ⇒ k ≥ 23
In general, the probability of a match being found when k samples are randomly selected between 1 and n equals
$$1 - \frac{n!}{(n-k)!\,n^{k}} \approx 1 - e^{-\frac{k(k-1)}{2n}}$$
One Million $ Hardware Brute Force Attack
• One-Way Hash Functions (complexity = 2^n)
               n = 64    n = 80      n = 128
    Year 2001  4 days    718 years   10^17 years
• Collision-Resistant Hash Functions (complexity = 2^(n/2))
               n = 128   n = 160     n = 256
    Year 2001  4 days    718 years   10^17 years
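The birthday formula and the 2^n versus 2^(n/2) complexities above can be checked on a deliberately small hash. This is an added example, not part of the original slides; the toy n-bit hash (SHA-256 truncated to its top bits), the function names and the message strings are assumptions made for the demonstration.

```python
import hashlib
import math


def match_probability(k, n):
    """Exact probability 1 - n!/((n-k)! n^k) that k uniform samples from n values repeat."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct


def match_probability_approx(k, n):
    """The approximation 1 - e^(-k(k-1)/(2n)) from the slide."""
    return 1.0 - math.exp(-k * (k - 1) / (2 * n))


def samples_for_half(n):
    """Smallest k for which the exact match probability exceeds 0.5."""
    k, p_distinct = 0, 1.0
    while 1.0 - p_distinct <= 0.5:
        p_distinct *= (n - k) / n
        k += 1
    return k


def truncated_hash(msg, bits):
    """Toy n-bit hash (assumption of this example): the top `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits):
    """Hash constructed messages until two share a digest; about 2^(bits/2) tries."""
    seen = {}
    tries = 0
    while True:
        msg = b"constructed-message-%d" % tries
        tries += 1
        digest = truncated_hash(msg, bits)
        if digest in seen:
            return seen[digest], msg, tries
        seen[digest] = msg


def find_preimage(target, bits, max_tries=1 << 21):
    """Hash constructed candidates until one hits `target`; about 2^bits tries."""
    for tries in range(1, max_tries + 1):
        msg = b"constructed-candidate-%d" % tries
        if truncated_hash(msg, bits) == target:
            return msg, tries
    return None


if __name__ == "__main__":
    print("k for >50% with n = 365:", samples_for_half(365))
    print("exact / approx at k = 23:",
          match_probability(23, 365), match_probability_approx(23, 365))
    bits = 16
    m1, m2, col_tries = find_collision(bits)
    target = truncated_hash(b"constructed target", bits)
    _, pre_tries = find_preimage(target, bits)
    print("16-bit collision after", col_tries, "hashes; preimage after", pre_tries)
```

On a 16-bit digest the collision search finishes after a few hundred hashes while the preimage search needs tens of thousands, which is the gap the table above scales up to n = 128, 160 and 256.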
General Construction of a Secure Hash Function
[Figure: the message m is padded (100…000) and length-encoded, then split into b-bit blocks M_1, M_2, M_3, ..., M_t. Starting from IV = H_0, the compression function f is applied once per block, giving the n-bit chaining variables H_1, H_2, ..., H_{t-1}, H_t; g maps H_t to h(m).]
Legend:
• IV : Initial Value
• H_i : i-th chaining variable
• M_i : i-th input block
• f : Compression function
• g : Output transformation (optional)
• t : Number of input blocks
• b : Block size in bits
• n : Hash code size in bits
General Construction of a Secure Hash Function
[Figure: the compression function f (a fixed-size hash function) takes the n-bit H_{i-1} and the b-bit M_i and outputs the n-bit H_i]
Entire hash:
  H_0 = IV
  H_i = f(H_{i-1}, M_i) for 1 ≤ i ≤ t
  H(m) = g(H_t)
Fact (by Merkle-Damgård): any collision-resistant compression function f can be extended to a collision-resistant hash function h.
Typical Hash Padding
[Figure: message m | 100…000 | length, where length is a 64-bit integer (the bit-length of message m)]
• Assume block size = 512 bits (MD5, SHA1, RMD160, HAS160 …)
Last 512-bit block:
  Let r = |m| mod 512
  If 512 − r > 64
    padding = 512 − (r + 64) bits
  else
    padding = 512 − r + 448 bits (two padding blocks)
Classification of Hash Functions
[Figure: three families of hash functions.
  Dedicated (customized): MD2, MD4, MD5, SHA0, SHA1, SHA2, RIPEMD-128, RIPEMD-160, HAS-160
  Based on block ciphers: MDC-1, MDC-2, MDC-4
  Based on modular arithmetic: MASH-1
  Status labels attached to individual functions in the figure: "Broken" (four times), "Reduced round version broken", "Weakness discovered"]
SHA (Secure Hash Algorithm) (1/2)
• SHA was designed by NIST (National Institute of Standards and Technology) & NSA (National Security Agency)
• US standard for use with the DSA signature scheme
• The algorithm is SHA, the standard is SHS
• Based on the design of MD4 and MD5 by R. Rivest, MIT
  – SHA-0: FIPS* PUB 180, 1993
  – SHA-1: FIPS PUB 180-1, 1995
      – Bitwise rotation of the message schedule of SHA-0 changed
      – Widely used in security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec
  – SHA-2: FIPS PUB 180-2, 2001
      – SHA-224, SHA-256, SHA-384, and SHA-512
      – Not as popular as SHA-1
* FIPS: Federal Information Processing Standard
SHA (Secure Hash Algorithm) (2/2)
Algorithm and variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collisions found
SHA-0 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | Yes
SHA-1 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rot | Yes (2^52 attack (*))
SHA-2: SHA-256/224 | 256/224 | 256 | 512 | 2^64 − 1 | 32 | 64 | +, and, or, xor, shr, rot | None
SHA-2: SHA-512/384 | 512/384 | 512 | 1024 | 2^128 − 1 | 64 | 80 | +, and, or, xor, shr, rot | None
* Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf.
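SHA-1 Overview
[Figure: the 160-bit chaining value CV_q is loaded into the registers A, B, C, D, E and processed with the 512-bit block Y_q through 80 rounds: round 0 (f_1, ABCDE, Y_q, K_0, w_0), round 1 (f_2, ABCDE, Y_q, K_1, w_1), ..., round 79 (f_80, ABCDE, Y_q, K_79, w_79). The output of round 79 is combined word by word with CV_q to give the 160-bit CV_{q+1}.]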
SHA-1 round function
[Figure: one step maps the input buffer (A, B, C, D, E) to the output buffer using the Boolean function f_t, the cyclic left shifts CLS5 and CLS30, the word W_t from the message and the constant K_t]
SHA-1
Initial values
  A = 67452301
  B = EFCDAB89
  C = 98BADCFE
  D = 10325476
  E = C3D2E1F0
Constants K_t
  t = 0 ~ 19:   K_t = 5A827999
  t = 20 ~ 39:  K_t = 6ED9EBA1
  t = 40 ~ 59:  K_t = 8F1BBCDC
  t = 60 ~ 79:  K_t = CA62C1D6
Boolean function f_t
  t = 0 ~ 19:   f_t(B, C, D) = B · C + ¬B · D
  t = 20 ~ 39:  f_t(B, C, D) = B ⊕ C ⊕ D
  t = 40 ~ 59:  f_t(B, C, D) = B · C + B · D + C · D
  t = 60 ~ 79:  f_t(B, C, D) = B ⊕ C ⊕ D
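SHA-1 message inputs
[Figure: the 512-bit block Y_q is split into sixteen 32-bit words w_0, w_1, ..., w_15. Each later word w_16, ..., w_t, ..., w_79 is the XOR of four earlier words passed through CLS1:
  w_16 = CLS1(w_0 ⊕ w_2 ⊕ w_8 ⊕ w_13)
  w_t  = CLS1(w_{t–16} ⊕ w_{t–14} ⊕ w_{t–8} ⊕ w_{t–3})
  w_79 = CLS1(w_63 ⊕ w_65 ⊕ w_71 ⊕ w_76)]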
CLS: Cyclic Left Shift
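The pieces given on the preceding slides (the padding rule, the iterated construction H_i = f(H_{i-1}, M_i), the initial values, the constants K_t, the Boolean functions f_t and the message schedule) are enough to write SHA-1 out in full. The following is an added example, not code from the original slides; the function names are chosen here, and the result is checked against Python's hashlib.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # A, B, C, D, E
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per 20 steps


def cls(x, s):
    """Cyclic left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def f(t, b, c, d):
    """Boolean function f_t for step t."""
    if t < 20:
        return (b & c) | (~b & d & MASK)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d  # steps 20..39 and 60..79


def pad(message):
    """Append 100...000 and the 64-bit bit-length, following the slide's rule."""
    bit_len = len(message) * 8
    r = bit_len % 512
    pad_bits = 512 - (r + 64) if 512 - r > 64 else 512 - r + 448
    # pad_bits counts the leading 1 bit plus the zeros; for byte input that is
    # the byte 0x80 followed by zero bytes.
    padding = b"\x80" + b"\x00" * (pad_bits // 8 - 1)
    return message + padding + struct.pack(">Q", bit_len)


def compress(cv, block):
    """Compression function: 160-bit chaining value + 512-bit block -> 160 bits."""
    w = list(struct.unpack(">16L", block))  # big-endian 32-bit words w_0..w_15
    for t in range(16, 80):
        w.append(cls(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    a, b, c, d, e = cv
    for t in range(80):
        temp = (cls(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = temp, a, cls(b, 30), c, d
    # Feed-forward: add the step output to the incoming chaining value.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))


def sha1(message):
    """Iterate the compression function over the padded message (g is the identity)."""
    data = pad(message)
    cv = IV
    for i in range(0, len(data), 64):
        cv = compress(cv, data[i:i + 64])
    return "".join("%08x" % word for word in cv)


if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 200):  # constructed inputs
        assert sha1(sample) == hashlib.sha1(sample).hexdigest()
        print(len(sample), len(pad(sample)) // 64, sha1(sample))
```

The 55-byte and 56-byte inputs sit on either side of the padding boundary: the first fits in one block, the second needs the two padding blocks from the else branch.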
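Step Operations of MD5 & SHA1
[Figure: SHA1 step (big endian; steps 0, 1, ..., 19): registers A B C D E are updated using f_r, the rotations <<5 and <<30, and additions of M_i and K_r. MD5 step (little endian; steps 0, 1, ..., 15): registers D C B A are updated using f_r, the rotation <<s_i, and additions of M_i and K_r.]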
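Step Operations of SHA1 & HAS160
[Figure: SHA1 step (steps 0, 1, ..., 19): registers A B C D E are updated using f_r, the rotations <<5 and <<30, and additions of M_i and K_r. HAS160 step (steps 0, 1, ..., 19): registers A B C D E are updated using f_r, the rotations <<s_i and <<s_r, and additions of M_i and K_r.]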
Comparison of Popular Hash Functions
Hash Func.          MD5        SHA1       RMD160        HAS160
Digest size (bits)  128        160        160           160
Block size (bits)   512        512        512           512
No. of steps        64 (4x16)  80 (4x20)  160 (5x2x16)  80 (4x20)
Boolean func.       4          4 (3)      5             4 (3)
Constants           64         4          9             4
Endianness          Little     Big        Little        Little
Speed ratio         1.0        0.57       0.5           0.94
Hash Functions Based on Block Ciphers: MDC1
Matyas-Meyer-Oseas Scheme
[Figure: compression function f built from the block cipher E and the key mapping g, with inputs H_{i-1} and M_i and output H_i; each value is one block in size]
g: a function mapping an input H_i to a key suitable for E; might be the identity function
• Provably secure under an appropriate black-box model
• But produces too short hash codes for use in most applications
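Hash Functions Based on Block Ciphers: MDC2
[Figure: compression function f: M_i is processed by two E/g branches, each keyed from one of the two incoming H_{i-1} values; the branch outputs are split into halves A B and C D and recombined as A D and C B to give the two outgoing H_i values]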
Ex. of MD5 Collisions
[Figure: Collision1.bin and Collision2.bin: Same MD5 Hashed Value !!]
Practical Collision Attacks (MD5)
• Colliding valid X.509 certificates
  – Lenstra, Wang, Weger, forged X.509 certificates, http://eprint.iacr.org/2005/067.pdf
    Same owner with different public keys (2048 bits)
  – Stevens, Lenstra, Weger, Eurocrypt 2007
    8192-bit public key (8-block collision)
  – Stevens et al., Crypto 2009
    Pass the browser authentication, different owners, different public keys (See next page.)
X.509v3 Real and Fake Certificates
SHA-3 Project