Lect. 16-17: Hash Functions and MAC
2
Contents
1. Introduction - Hash Function vs. MAC
2. Hash Functions
   • Security Requirements
   • Finding collisions – birthday paradox
   • Dedicated hash functions
   • SHA-1
   • Hash functions based on block ciphers
3
1. Hash Functions vs. MAC
4
Hash Functions
• Hash Function
  – Generate a fixed length "Fingerprint" for an arbitrary length message
  – No key involved
  – Must be at least one-way to be useful
• Applications
  – Keyed hash: MAC/ICV generation
  – Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator
• Constructions
  – Iterated hash functions (MD4-family hash functions): MD5, SHA1, SHA2, RMD160, HAS160
  – Hash functions based on block ciphers: MDC (Manipulation Detection Code)
[Figure: Message M → H → Message Digest D, with D = H(M)]
5
Message Authentication Codes (MACs)
• MAC
  – Generate a fixed length MAC for an arbitrary length message
  – A keyed hash function
  – Message origin authentication
  – Message integrity
  – Entity authentication
  – Transaction authentication
• Constructions
  – Keyed hash: HMAC, KMAC
  – Block cipher: CBC-MAC
  – Dedicated MAC: MAA, UMAC
[Figure: a MAC is computed over the message with the shared secret key and sent along with the message]
6
Comparison of Hash Function & MAC
[Figure: Hash function: arbitrary length message → hash (fixed length). MAC function: arbitrary length message + secret key → MAC (fixed length).]
• Easy to compute
• Compression: arbitrary length input to fixed length output
• Unkeyed function vs. Keyed function
7
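Symmetric Authentication (MAC)
[Figure: Alice runs the secret key algorithm on the message with $K_{AB}$, the secret key shared between Alice and Bob, and transmits the message and the MAC. Bob runs the same secret key algorithm with $K_{AB}$ on the received message and compares the result with the received MAC (yes / no).]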
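The difference between the unkeyed check and the keyed check in the two figures above, as an added example (not part of the original slides). It assumes HMAC-SHA-256 from Python's standard library as the keyed hash; the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; K_AB stands for the key shared by Alice and Bob.
K_AB = b"constructed-demo-key-shared-by-alice-and-bob"
MESSAGE = b"transfer 100 to account 1234"
ALTERED = b"transfer 900 to account 9999"


def hash_tag(message):
    """Unkeyed: D = H(M). Anyone can compute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key, message):
    """Keyed: HMAC-SHA-256 under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def bob_verifies_hash(message, digest):
    return hmac.compare_digest(hash_tag(message), digest)


def bob_verifies_mac(key, message, tag):
    # Recompute with K_AB and compare in constant time (the "yes / no" step).
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo():
    results = {}
    # A genuine transmission passes both checks.
    results["hash_accepts_genuine"] = bob_verifies_hash(MESSAGE, hash_tag(MESSAGE))
    results["mac_accepts_genuine"] = bob_verifies_mac(
        K_AB, MESSAGE, mac_tag(K_AB, MESSAGE))
    # Message altered in transit. The digest needs no secret, so it can be
    # recomputed for the altered message and the unkeyed check still passes.
    results["hash_accepts_altered"] = bob_verifies_hash(ALTERED, hash_tag(ALTERED))
    # Without K_AB the only tag available is the one Alice sent for MESSAGE.
    results["mac_accepts_altered"] = bob_verifies_mac(
        K_AB, ALTERED, mac_tag(K_AB, MESSAGE))
    # A tag computed under a different key is rejected as well.
    results["mac_accepts_wrong_key"] = bob_verifies_mac(
        K_AB, MESSAGE, mac_tag(b"constructed-other-key", MESSAGE))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An unkeyed digest sent next to the message only detects accidental corruption; origin authentication needs the key.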
8
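Digital Signature
[Figure: Alice computes the hash value of the message with the hash function, applies the public key algorithm with Alice's private key to produce the signature, and transmits the message and the signature. Bob computes hash value 1 from the received message with the hash function, obtains hash value 2 from the signature with the public key algorithm and Alice's public key, and compares the two (yes / no).]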
9
MAC and Digital Signature
• MAC (Message Authentication Code)
  – Generated and verified by a secret key algorithm
  – Message origin authentication & Message integrity
  – Schemes
      Keyed hash: HMAC
      Block cipher: CBC-MAC, XCBC-MAC
      Dedicated MAC: UMAC
• Digital Signature
  – Generated and verified by a public key algorithm and a hash function
  – Message origin authentication & Message integrity
  – Non-repudiation
  – Schemes
      Hash + Digital signature algorithm
      RSA; DSA, KCDSA; ECDSA, EC-KCDSA
10
2. Hash Functions
11
Hash Functions – Requirements
• Definition
  – Compression: arbitrary length input to fixed length output
  – Ease of computation
• Security Properties
  – Preimage resistance (One-wayness): given y, it is computationally infeasible to find any input x such that y = h(x)
  – 2nd preimage resistance (Weak collision resistance): given x, it is computationally infeasible to find another input x' ≠ x such that h(x') = h(x)
  – Collision resistance (Strong collision resistance): it is computationally infeasible to find any two distinct inputs x and x' such that h(x) = h(x')
12
Brute Force Attack on One-Way Hash Functions
Given y, find m such that h(m) = y
[Figure: for i = 1, 2, . . . , $2^n$, compute the n-bit value $h(m_i)$ and test whether $h(m_i) = y$]
Arbitrary message m, or m of the same meaning?
13
Constructing Multiple Versions of the Same Message
I state thereby that I borrowed $10,000 from Mr. Kris Gaj on October 15, 2001. This money should be returned to Mr. Gaj by November 30, 2001.
Similar expressions shown under the text: confirm; received; ten thousand dollars; Dr.; Krzysztof; 15 October; amount of money; is required to; given back; Dr.; 30 November
11 different positions of similar expressions ⇒ $2^{11}$ different messages of the same meaning
14
Finding Collision in Collision-Resistant Hash Functions
Find any two distinct messages m, m' such that h(m) = h(m').
[Figure: for i = 1, 2, . . . , $2^m$, compute the n-bit values $h(m_i)$ and $h(m'_i)$ and look for a match]
How large should m be to get a match?
15
Birthday Paradox
How many students must there be in a class for there to be a greater than 50% chance that
1. One of the students shares the teacher's birthday? (complexity of breaking one-wayness)
   365/2 ≈ 188
2. Any two of the students share the same birthday? (complexity of breaking collision resistance)
   $1 - \frac{365 \times 364 \times \cdots \times (365-k+1)}{365^k} > 0.5 \Rightarrow k \approx 23$
In general, the probability of a match being found when k samples are randomly selected between 1 and n equals
$$1 - \frac{n!}{(n-k)!\, n^k} \approx 1 - e^{-\frac{k(k-1)}{2n}}$$
16
One Million $ Hardware Brute Force Attack
• One-Way Hash Functions (complexity = $2^n$)
              n = 64    n = 80      n = 128
  Year 2001   4 days    718 years   $10^{17}$ years
• Collision-Resistant Hash Functions (complexity = $2^{n/2}$)
              n = 128   n = 160     n = 256
  Year 2001   4 days    718 years   $10^{17}$ years
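The birthday formula and the $2^{n/2}$ collision cost above, checked numerically in an added example (not part of the original slides). It goes one step beyond the slide by measuring the effect on a hash truncated to n bits; using the first n bits of SHA-256 as the "n-bit hash" and the constructed message strings are assumptions of the example.

```python
import hashlib
import math


def exact_match_probability(k, n):
    """1 - n! / ((n-k)! * n^k), computed as a running product."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct


def approx_match_probability(k, n):
    """The approximation 1 - e^(-k(k-1)/(2n))."""
    return 1.0 - math.exp(-k * (k - 1) / (2 * n))


def smallest_k_over_half(n):
    """Smallest k for which a match among k samples is more likely than not."""
    p_distinct, k = 1.0, 0
    while 1.0 - p_distinct <= 0.5:
        p_distinct *= (n - k) / n
        k += 1
    return k


def truncated_hash(message, n_bits):
    """First n_bits of SHA-256, standing in for an n-bit hash function."""
    value = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return value >> (256 - n_bits)


def find_collision(n_bits):
    """Hash distinct constructed messages until two share an n-bit value.

    Returns (m, m', number of hash evaluations). Memory grows with the
    number of evaluations, so keep n_bits small.
    """
    seen = {}
    i = 0
    while True:
        m = b"constructed message #%d" % i
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    print("k for n = 365:", smallest_k_over_half(365))
    for bits in (16, 24, 32):
        k = smallest_k_over_half(2 ** bits)
        print(f"n = 2^{bits}: 50% match at k = {k} (2^{math.log2(k):.1f})")
    m1, m2, evaluations = find_collision(24)
    print(f"24-bit collision after {evaluations} hashes: {m1!r} / {m2!r}")
```

The measured work for a 24-bit value is on the order of $2^{12}$ evaluations, which is why a digest must be twice as long as the security level wanted against collisions.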
17
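General Construction of a Secure Hash Function
[Figure: message m is extended with 100…000 and its length (padding & length encoding) and split into b-bit blocks $M_1, M_2, M_3, \ldots, M_t$; starting from $IV = H_0$, the compression function f is applied to each block in turn, giving the n-bit chaining variables $H_1, H_2, \ldots, H_{t-1}, H_t$; g maps $H_t$ to h(m)]
Legend:
• IV : Initial Value
• $H_i$ : i-th Chaining variable
• $M_i$ : i-th input block
• f : Compression function
• g : Output transformation (optional)
• t : Number of input blocks
• b : Block size in bits
• n : Hash code size in bits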
18
General Construction of a Secure Hash Function
[Figure: the compression function f (a fixed-size hash function) takes the n-bit $H_{i-1}$ and the b-bit $M_i$ and outputs the n-bit $H_i$]
Entire hash:
$H_0 = IV$
$H_i = f(H_{i-1}, M_i)$ for $1 \le i \le t$
$h(m) = g(H_t)$
Fact (by Merkle-Damgård): any collision-resistant compression function f can be extended to a collision-resistant hash function h
19
Typical Hash Padding
[Figure: last 512-bit block: message m | 100…000 | length (64 bit integer, bit-length of message m)]
• Assume Block size = 512 bits (MD5, SHA1, RMD160, HAS160 …)
Let r = |m| mod 512
If 512-r > 64
    padding = 512-(r+64) bits
else
    padding = 512-r+448 bits (two padding blocks)
20
Classification of Hash Functions
• Dedicated (Customized): MD2, MD4, MD5, SHA0, SHA1, SHA2, RIPEMD-128, RIPEMD-160, HAS-160
• Based on block ciphers: MDC-1, MDC-2, MDC-4
• Based on Modular Arith.: MASH-1
[Figure annotations whose placement is not recoverable from the extracted text: "Broken" (four times), "Reduced round version broken", "Weakness discovered"]
21
SHA (Secure Hash Algorithm) (1/2)
• SHA was designed by NIST (National Institute of Standards and Technology) & NSA (National Security Agency)
• US standard for use with DSA signature scheme
• The algorithm is SHA, the standard is SHS
• Based on the design of MD4 and MD5 by R. Rivest, MIT
  – SHA-0: FIPS* PUB 180, 1993
  – SHA-1: FIPS PUB 180-1, 1995
      Bitwise rotation of message schedule of SHA-0 changed
      Used in widely-used security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec
  – SHA-2: FIPS PUB 180-2, 2001
      SHA-224, SHA-256, SHA-384, and SHA-512
      Not so popular as SHA-1
* Federal Information Processing Standard
22
SHA (Secure Hash Algorithm) (2/2)

| Algorithm and variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operation | Collisions found |
|---|---|---|---|---|---|---|---|---|
| SHA-0 | 160 | 160 | 512 | $2^{64} - 1$ | 32 | 80 | +, and, or, xor, rot | Yes |
| SHA-1 | 160 | 160 | 512 | $2^{64} - 1$ | 32 | 80 | +, and, or, xor, rot | Yes ($2^{52}$ attack (*)) |
| SHA-2: SHA-256/224 | 256/224 | 256 | 512 | $2^{64} - 1$ | 32 | 64 | +, and, or, xor, shr, rot | None |
| SHA-2: SHA-512/384 | 512/384 | 512 | 1024 | $2^{128} - 1$ | 64 | 80 | +, and, or, xor, shr, rot | None |

* Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf.
23
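SHA-1 Overview
[Figure: processing of one 512-bit block $Y_q$: the 160-bit $CV_q$ is held in A B C D E and passes through round 0 ($f_1$, ABCDE, $Y_q$, $K_0$, $w_0$), round 1 ($f_2$, ABCDE, $Y_q$, $K_1$, $w_1$), …, round 79 ($f_{80}$, ABCDE, $Y_q$, $K_{79}$, $w_{79}$) to give the 160-bit $CV_{q+1}$]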
24
SHA-1 round function
[Figure: one round maps the input buffer A B C D E to the output buffer A B C D E using the Boolean function $f_t$, the cyclic left shifts CLS5 and CLS30, the word $W_t$ from the message, and the constant $K_t$]
25
SHA-1
Initial values
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
E = C3D2E1F0
Constants $K_t$
t = 0 ~ 19    $K_t$ = 5A827999
t = 20 ~ 39   $K_t$ = 6ED9EBA1
t = 40 ~ 59   $K_t$ = 8F1BBCDC
t = 60 ~ 79   $K_t$ = CA62C1D6
Boolean function $f_t$
t = 0 ~ 19    $f_t(B, C, D) = B \cdot C + \bar{B} \cdot D$
t = 20 ~ 39   $f_t(B, C, D) = B \oplus C \oplus D$
t = 40 ~ 59   $f_t(B, C, D) = B \cdot C + B \cdot D + C \cdot D$
t = 60 ~ 79   $f_t(B, C, D) = B \oplus C \oplus D$
26
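SHA-1 message inputs
• $w_0, w_1, \ldots, w_{15}$: the 32-bit words of the 512-bit block $Y_q$
• $w_{16} = CLS_1(w_0 \oplus w_2 \oplus w_8 \oplus w_{13})$
• $w_t = CLS_1(w_{t-16} \oplus w_{t-14} \oplus w_{t-8} \oplus w_{t-3})$
• $w_{79} = CLS_1(w_{63} \oplus w_{65} \oplus w_{71} \oplus w_{76})$
CLS: Cyclic Left Shift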
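The padding rule, initial values, constants, Boolean functions and message schedule from the preceding slides, assembled into a working SHA-1 in an added example (not part of the original slides). It assumes byte-aligned input; the function names are this example's own, and `hashlib.sha1` serves only as the reference to compare against.

```python
import hashlib
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
MASK = 0xFFFFFFFF


def cls(x, s):
    """Cyclic left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def f(t, b, c, d):
    """Boolean function f_t for round t."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def padding_bits(msg_bits):
    """Length of the 100...0 padding, without the 64-bit length field."""
    r = msg_bits % 512
    if 512 - r > 64:
        return 512 - (r + 64)
    return 512 - r + 448        # no room left: a further block is needed


def pad(message):
    n_pad = padding_bits(8 * len(message)) // 8
    length = struct.pack(">Q", 8 * len(message))   # big-endian bit length
    return message + b"\x80" + b"\x00" * (n_pad - 1) + length


def compress(cv, block):
    """One application of the compression function: 160-bit CV, 512-bit block."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(cls(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    a, b, c, d, e = cv
    for t in range(80):
        tmp = (cls(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = tmp, a, cls(b, 30), c, d
    # Feed-forward: add the round output to the incoming chaining value.
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))


def sha1(message):
    """H_0 = IV, H_i = f(H_{i-1}, M_i), h(m) = H_t (no output transformation)."""
    cv = IV
    data = pad(message)
    for off in range(0, len(data), 64):
        cv = compress(cv, data[off:off + 64])
    return struct.pack(">5I", *cv)


if __name__ == "__main__":
    for n in (0, 3, 55, 56, 64, 119, 120):
        msg = b"a" * n   # constructed input
        ok = sha1(msg) == hashlib.sha1(msg).digest()
        print(f"{n:3d} bytes, padding {padding_bits(8 * n):3d} bits, match: {ok}")
```

Inputs of 55 and 56 bytes sit on either side of the `512-r > 64` boundary: the first fits the length field in the same block, the second needs an extra block.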
27
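Step Operations of MD5 & SHA1
[Figure: one step of SHA1 (registers A B C D E, Boolean function $f_r$, shifts <<30 and <<5, additions of $M_i$ and $K_r$, steps 0, 1, …, 19, big endian) beside one step of MD5 (registers D C B A, Boolean function $f_r$, shift <<$s_i$, additions of $M_i$ and $K_r$, steps 0, 1, …, 15, little endian)]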
28
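Step Operations of SHA1 & HAS160
[Figure: one step of SHA1 (registers A B C D E, Boolean function $f_r$, shifts <<30 and <<5, additions of $M_i$ and $K_r$, steps 0, 1, …, 19) beside one step of HAS160 (registers A B C D E, Boolean function $f_r$, shifts <<$s_r$ and <<$s_i$, additions of $M_i$ and $K_r$, steps 0, 1, …, 19)]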
29
Comparison of Popular Hash Functions
Hash Func. MD5 SHA1 RMD160 HAS160
Digest size(bits) 128 160 160 160
Block size(bits) 512 512 512 512
No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20)
Boolean func. 4 4(3) 5 4(3)
Constants 64 4 9 4
Endianness Little Big Little Little
Speed ratio 1.0 0.57 0.5 0.94
30
Hash Functions Based on Block Ciphers: MDC1
Matyas-Meyer-Oseas Scheme
g: a function mapping an input $H_i$ to a key suitable for E, might be the identity function
[Figure: compression function f built from E and g, with inputs $M_i$ and $H_{i-1}$ and output $H_i$, each of block size]
• Provably Secure under an appropriate black-box model
• But produces too short hash codes for use in most applications
31
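Hash Functions Based on Block Ciphers: MDC2
[Figure: compression function f with input $M_i$ and two $H_{i-1}$ values, two E/g blocks whose outputs A B and C D are recombined as A D and C B, and two $H_i$ outputs]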
32
Ex. of MD5 Collisions
[Figure: contents of Collision1.bin and Collision2.bin]
Same MD5 Hashed Value !!
33
Practical Collision Attacks (MD5)
• Colliding valid X.509 certificates
  – Lenstra, Wang, Weger, forged X.509 certificates, http://eprint.iacr.org/2005/067.pdf
    Same owner with different public keys (2048 bits)
  – Stevens, Lenstra, Weger, Eurocrypt 2007
    8192-bit public key (8-block collision)
  – Stevens et al., Crypto 2009
    Pass the browser authentication, different owners, different public keys (See next page.)
34
X.509v3 Real and Fake Certificates
35
SHA-3 Project
