Cryptography and Network Security Chapter 11
Fifth Edition by William Stallings Lecture slides by Lawrie Brown
�Chapter 11 Cryptographic Hash Functions
Each of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was there any clue as to what the preliminary number and those ultimate numbers signified. Talking to Strange Men, Ruth Rendell
�Hash Functions
condenses
arbitrary message to fixed size
h = H(M)
usually
assume hash function is public hash used to detect changes to message want a cryptographic hash function
computationally infeasible to find data mapping to specific hash (one-way property) computationally infeasible to find two data to same hash (collision-free property)
�Cryptographic Hash Function
�Hash Functions & Message Authentication
�Hash Functions & Digital Signatures
�Other Hash Function Uses
to
create a one-way password file
store hash of password not actual password
for
intrusion detection and virus detection
keep & check hash of files on system
pseudorandom
function (PRF) or pseudorandom number generator (PRNG)
�Two Simple Insecure Hash Functions
consider
two simple insecure hash functions bit-by-bit exclusive-OR (XOR) of every block
Ci = bi1 xor bi2 xor . . . xor bim a longitudinal redundancy check reasonably effective as data integrity check
one-bit
circular shift on hash value
for each successive n-bit block
rotate current hash value to left by1bit and XOR block
good for data integrity but useless for security
�Hash Function Requirements
�Attacks on Hash Functions
have
brute-force attacks and cryptanalysis a preimage or second preimage attack
find y s.t. H(y) equals a given hash value
collision
resistance
find two messages x & y with same hash so H(x) = H(y)
hence
value 2m/2 determines strength of hash code against brute-force attacks
128-bits inadequate, 160-bits suspect
�Birthday Attacks
might think a 64-bit hash is secure but by Birthday Paradox is not birthday attack works thus:
given user prepared to sign a valid message x m/ opponent generates 2 2 variations x of x, all with essentially the same meaning, and saves them m/ opponent generates 2 2 variations y of a desired fraudulent message y two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature
conclusion is that need to use larger MAC/hash
�Hash Function Cryptanalysis
cryptanalytic
attacks exploit some property of alg so faster than exhaustive search hash functions use iterative structure
process message in blocks (incl length)
attacks
focus on collisions in function f
�Block Ciphers as Hash Functions
can
use block ciphers as hash functions
using H0=0 and zero-pad of final block compute: Hi = EMi [Hi-1] and use final block as the hash value similar to CBC but without a key
resulting
hash is too small (64-bit)
both due to direct birthday attack and to meet-in-the-middle attack
other
variants also susceptible to attack
�Secure Hash Algorithm
SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1 US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174 nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
�Revised Secure Hash Standard
NIST
issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed
for compatibility with increased security provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher
�SHA Versions
SHA-1 Message digest size Message size Block size Word size Number of steps 160 < 264 512 32 80 SHA-224 SHA-256 SHA-384 SHA-512 224 < 264 512 32 64 256 < 264 512 32 64 384 < 2128 1024 64 80 512 < 2128 1024 64 80
�SHA-512 Overview
�SHA-512 Compression Function
heart
of the algorithm processing message in 1024-bit blocks consists of 80 rounds
updating a 512-bit buffer using a 64-bit value Wt derived from the current message block and a round constant based on cube root of first 80 prime numbers
�SHA-512 Round Function
�SHA-512 Round Function
�SHA-3
SHA-1
not yet "broken
but similar to broken MD5 & SHA-0 so considered insecure
SHA-2
(esp. SHA-512) seems secure
shares same structure and mathematical operations as predecessors so have concern
NIST
announced in 2007 a competition for the SHA-3 next gen NIST hash function
goal to have in place by 2012 but not fixed
�SHA-3 Requirements
replace
SHA-2 with SHA-3 in any use the online nature of SHA-2 criteria
so use same hash sizes so must process small blocks (512 / 1024 bits) security close to theoretical max for hash sizes cost in time & memory characteristics: such as flexibility & simplicity
preserve
evaluation
�Summary
have
considered:
hash functions
uses, requirements, security
hash functions based on block ciphers SHA-1, SHA-2, SHA-3
