
HashFunctions Ok

Uploaded by

kdhwani28

Cryptographic Hash Functions
Hash Functions
• condenses arbitrary message to fixed size: $h = H(M)$
• usually assume hash function is public
• hash used to detect changes to message
• want a cryptographic hash function
  • computationally infeasible to find data mapping to specific hash (one-way property)
  • computationally infeasible to find two data to same hash (collision-free property)
Cryptographic Hash Function
Hash Functions & Message Authentication
Hash Functions & Digital Signatures
Other Hash Function Uses
• to create a one-way password file
  • store hash of password not actual password
• for intrusion detection and virus detection
  • keep & check hash of files on system
• pseudorandom function (PRF) or pseudorandom number generator (PRNG)
Two Simple Insecure Hash Functions
• consider two simple insecure hash functions
• bit-by-bit exclusive-OR (XOR) of every block
  • $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
  • a longitudinal redundancy check
  • reasonably effective as data integrity check
• one-bit circular shift on hash value
  • for each successive n-bit block
    • rotate current hash value to left by 1 bit and XOR block
  • good for data integrity but useless for security
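The two checksums above, as an added Python example that is not part of the original slides. It shows why they catch accidental corruption but not deliberate change: reordering blocks leaves the plain XOR unchanged, and one chosen trailing block sets the rotate-and-XOR value to anything. The 4-byte block size, the function names and the sample records are assumptions made for the demo.

```python
def blocks(data: bytes, n_bytes: int = 4) -> list[int]:
    """Split data into n-byte blocks (zero-padding the last) as integers."""
    data += b"\x00" * (-len(data) % n_bytes)
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]

def xor_hash(data: bytes, n_bytes: int = 4) -> int:
    """Longitudinal redundancy check: XOR of every block."""
    c = 0
    for b in blocks(data, n_bytes):
        c ^= b
    return c

def rxor_hash(data: bytes, n_bytes: int = 4) -> int:
    """Rotate the running hash left by 1 bit, then XOR in the next block."""
    bits, c = 8 * n_bytes, 0
    mask = (1 << bits) - 1
    for b in blocks(data, n_bytes):
        c = (((c << 1) | (c >> (bits - 1))) & mask) ^ b
    return c

def match_hash(data: bytes, target: int, n_bytes: int = 4) -> bytes:
    """Return data plus one trailing block chosen so rxor_hash equals target."""
    bits = 8 * n_bytes
    data += b"\x00" * (-len(data) % n_bytes)
    c = rxor_hash(data, n_bytes)
    rot = ((c << 1) | (c >> (bits - 1))) & ((1 << bits) - 1)
    return data + (rot ^ target).to_bytes(n_bytes, "big")

# Constructed sample records (not from the slides).
ORIGINAL = b"PAY 0100 TO BOB "
REORDERED = b" TO 0100PAY BOB "   # same 4-byte blocks, different order
ALTERED = b"PAY 9999 TO EVE "

if __name__ == "__main__":
    print(hex(xor_hash(ORIGINAL)), hex(xor_hash(REORDERED)))   # identical
    adjusted = match_hash(ALTERED, rxor_hash(ORIGINAL))
    print(hex(rxor_hash(ORIGINAL)), hex(rxor_hash(adjusted)))  # identical
```

The rotation does detect the reordering that plain XOR misses, but neither function has the one-way or collision-free property, which is the point of the slide.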
Hash Function Requirements
Attacks on Hash Functions
• have brute-force attacks and cryptanalysis
• a preimage or second preimage attack
  • find y s.t. H(y) equals a given hash value
• collision resistance
  • find two messages x & y with same hash so H(x) = H(y)
• hence value $2^{m/2}$ determines strength of hash code against brute-force attacks
  • 128-bits inadequate, 160-bits suspect
Birthday Attacks
• might think a 64-bit hash is secure
• but by Birthday Paradox is not
• birthday attack works thus:
  • given user prepared to sign a valid message x
  • opponent generates $2^{m/2}$ variations x' of x, all with essentially the same meaning, and saves them
  • opponent generates $2^{m/2}$ variations y' of a desired fraudulent message y
  • two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
  • have user sign the valid message, then substitute the forgery which will have a valid signature
• conclusion is that need to use larger MAC/hash
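The procedure above run against a deliberately tiny hash, as an added Python example that is not part of the original slides; it makes the $2^{m/2}$ cost visible and shows why the digest has to be long. The 20-bit truncation of SHA-256, the spacing trick used to produce variations, the sample texts and the function names are all assumptions made for the demo, and the second set is allowed to grow past $2^{m/2}$ so that a match is found reliably.

```python
import hashlib

M_BITS = 20  # toy digest length so the search finishes in milliseconds

def h(msg: bytes, bits: int = M_BITS) -> int:
    """m-bit hash for the demo: the top `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def variation(base: str, i: int) -> bytes:
    """i-th rewording of `base` with the same meaning: bit g of i decides
    whether word gap g is one space or two."""
    words = base.split(" ")
    out = [words[0]]
    for g, word in enumerate(words[1:]):
        out.append(("  " if (i >> g) & 1 else " ") + word)
    return "".join(out).encode()

def birthday_pair(valid: str, fraud: str, bits: int = M_BITS, max_tries: int = 1 << 14):
    """Save 2^(m/2) variations x' of the valid text, then generate variations y'
    of the fraudulent text until one hashes to a saved value."""
    saved = {h(variation(valid, i), bits): i for i in range(1 << (bits // 2))}
    for j in range(max_tries):
        y = variation(fraud, j)
        i = saved.get(h(y, bits))
        if i is not None:
            return variation(valid, i), y, j + 1
    return None

# Constructed sample texts (16 words each, so 15 word gaps to vary).
VALID = "I agree to pay the supplier one hundred dollars on the first day of next month"
FRAUD = "I agree to pay the supplier nine thousand dollars on the first day of next month"

if __name__ == "__main__":
    x, y, tries = birthday_pair(VALID, FRAUD)
    print(f"{M_BITS}-bit match after {tries} tries (2^(m/2) = {1 << (M_BITS // 2)})")
    print(x.decode(), "|", y.decode(), "|", hex(h(x)))
```

The full 256-bit digests of the two texts differ; only the truncated value matches, and each extra bit of digest length multiplies the work by about $\sqrt{2}$.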
Hash Function Cryptanalysis
• cryptanalytic attacks exploit some property of the algorithm so are faster than exhaustive search
• hash functions use iterative structure
  • process message in blocks (incl length)
• attacks focus on collisions in function f
Block Ciphers as Hash Functions
• can use block ciphers as hash functions
  • using $H_0 = 0$ and zero-pad of final block
  • compute: $H_i = E_{M_i}[H_{i-1}]$
  • and use final block as the hash value
  • similar to CBC but without a key
• resulting hash is too small (64-bit)
  • both due to direct birthday attack
  • and to "meet-in-the-middle" attack
• other variants also susceptible to attack
Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet RFC 3174
  • nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
Revised Secure Hash Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
  • SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher
SHA Versions
SHA-512 Overview
SHA-512 Compression Function
• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
  • updating a 512-bit buffer
  • using a 64-bit value $W_t$ derived from the current message block
  • and a round constant based on cube root of first 80 prime numbers
SHA-512 Round Function
SHA-512 Round Function
SHA-3
• SHA-1 not yet "broken"
  • but similar to broken MD5 & SHA-0
  • so considered insecure
• SHA-2 (esp. SHA-512) seems secure
  • shares same structure and mathematical operations as predecessors so have concern
• NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function
  • goal to have in place by 2012 but not fixed
SHA-3 Requirements
• replace SHA-2 with SHA-3 in any use
  • so use same hash sizes
• preserve the online nature of SHA-2
  • so must process small blocks (512 / 1024 bits)
• evaluation criteria
  • security close to theoretical max for hash sizes
  • cost in time & memory
  • characteristics: such as flexibility & simplicity
Summary
• have considered:
  • hash functions
    • uses, requirements, security
  • hash functions based on block ciphers
  • SHA-1, SHA-2, SHA-3
