![Block Ciphers as Hash Functions
• can use block ciphers as hash functions
• using H0=0 and zero-pad of final block
• compute: Hi = EMi
[Hi-1]
• and use final block as the hash value
• similar to CBC but without a key
• resulting hash is too small (64-bit)
• both due to direct birthday attack
• and to “meet-in-the-middle” attack
• other variants also susceptible to attack](https://image.slidesharecdn.com/informationandnetworksecurity38birthdayattacksandsecurityofhashfunctions-210723173907/85/Information-and-network-security-38-birthday-attacks-and-security-of-hash-functions-13-320.jpg)
Information and network security 38 birthday attacks and security of hash functions
- 1. Information and Network Security:38 Birthday Attacks and Security of Hash Functions Prof Neeraj Bhargava Vaibhav Khanna Department of Computer Science School of Engineering and Systems Sciences Maharshi Dayanand Saraswati University Ajmer
- 2. Two Simple Insecure Hash Functions • consider two simple insecure hash functions • bit-by-bit exclusive-OR (XOR) of every block • Ci = bi1 xor bi2 xor . . . xor bim • a longitudinal redundancy check • reasonably effective as data integrity check • one-bit circular shift on hash value • for each successive n-bit block • rotate current hash value to left by1bit and XOR block • good for data integrity but useless for security
- 3. Attacks on Hash Functions have brute-force attacks and cryptanalysis a preimage or second preimage attack find y s.t. H(y) equals a given hash value collision resistance find two messages x & y with same hash so H(x) = H(y) hence value 2m/2 determines strength of hash code against brute-force attacks 128-bits inadequate, 160-bits suspect
- 4. Attacks on Hash Functions • As with encryption algorithms, there are two categories of attacks on hash functions: brute-force attacks and cryptanalysis. A brute-force attack does not depend on the specific algorithm but depends only on bit length. In the case of a hash function, a brute-force attack depends only on the bit length of the hash value. A cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic algorithm.
- 5. Attacks on Hash Functions • For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y) is equal to a given hash value h. The brute force method is to pick values of y at random and try each value until a collision occurs. For an m-bit hash value, the level of effort is proportional to 2m. Specifically, the adversary would have to try, on average, 2m–1 values of y to find one that generates a given hash value h.
- 6. Attacks on Hash Functions • For a collision resistant attack, an adversary wishes to find two messages or data blocks, x and y, that yield the same hash function: H(x) = H(y). This requires much less effort than a preimage or second preimage attack. The effort required is explained by a mathematical result referred to as the birthday paradox (next slide).
- 7. Attacks on Hash Functions • If collision resistance is required, then the value 2m/2 determines the strength of the hash code against brute-force attacks. Van Oorschot and Wiener presented a design for a $10 million collision search machine for MD5, which has a 128-bit hash length, that could find a collision in 24 days. Thus a 128-bit code may be viewed as inadequate. The next step up, if a hash code is treated as a sequence of 32 bits, is a 160-bit hash length. With a hash length of 160 bits, the same search machine would require over four thousand years to find a collision. With today's technology, the time would be much shorter, so that 160 bits now appears suspect.
- 8. Birthday Attacks • might think a 64-bit hash is secure • but by Birthday Paradox is not • birthday attack works thus: • given user prepared to sign a valid message x • opponent generates 2 m/2 variations x’ of x, all with essentially the same meaning, and saves them • opponent generates 2 m/2 variations y’ of a desired fraudulent message y • two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) • have user sign the valid message, then substitute the forgery which will have a valid signature • conclusion is that need to use larger MAC/hash
- 9. Birthday Attacks • The Birthday Attack exploits the birthday paradox – the chance that in a group of people two will share the same birthday – only 23 people are needed for a Pr>0.5 of this. Can generalize the problem to one wanting a matching pair from any two sets, and show need 2m/2 in each to get a matching m-bit hash. • Yuval proposed the strategy shown to exploit the birthday paradox in a collision resistant attack. Note that creating many message variants is relatively easy, either by rewording or just varying the amount of white-space in the message. All of which indicates that larger MACs/Hashes are needed.
- 10. Hash Function Cryptanalysis cryptanalytic attacks exploit some property of alg so faster than exhaustive search hash functions use iterative structure process message in blocks (incl length) attacks focus on collisions in function f
- 11. • A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key (instead using the message blocks as keys). • One of the first such proposals was that of Rabin, which divided a message M into fixed-size blocks, and usde a symmetric encryption system such as DES to compute the hash code G as shown. • This is similar to the CBC technique, but in this case there is no secret key. As with any hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is DES and only a 64-bit hash code is produced, then the system is vulnerable.
- 12. • Furthermore, another version of the birthday attack can be used even if the opponent has access to only one message and its valid signature and cannot obtain multiple signings, known as a “meet-in- the-middle” attack (see text). • It can be shown that some form of birthday attack will succeed against any hash scheme involving the use of cipher block chaining without a secret key provided that either the resulting hash code is small enough (e.g., 64 bits or less) or that a larger hash code can be decomposed into independent subcodes. • Thus, attention has been directed at finding other approaches to hashing.
- 13. Block Ciphers as Hash Functions • can use block ciphers as hash functions • using H0=0 and zero-pad of final block • compute: Hi = EMi [Hi-1] • and use final block as the hash value • similar to CBC but without a key • resulting hash is too small (64-bit) • both due to direct birthday attack • and to “meet-in-the-middle” attack • other variants also susceptible to attack
- 14. Assignment • Discuss the security issues of Hash Functions and Explain Birthday Attacks