Learn about the fundamentals of hashing, its various security applications including message authentication codes and hash chains, and the potential vulnerabilities and complications associated with them.
More on Hashing and Security • Hashing is useful for various security purposes • Message authentication codes • Hash chains • Breaks on hash algorithms have various bad security effects
Thinking More About Hashing • What is a hashing function? • Takes one value and produces another • The output can’t be used to determine the input • For many hash functions • But the output is also not computable without the input
The Basic Hash Operation • X’ = H(X) • Can’t guess X based on X’ • Can’t produce X’ without knowing X • Given X’, H(), and X, can’t produce Y such that H(Y) = X’ • So, given H(), only someone knowing X could have produced X’
Message Authentication Codes • MACs • Essentially something to authenticate that a message hasn’t changed • A kind of digital signature • Usually used in communications contexts
Authenticating a Message • Could just sign message with public keys • Could hash message and sign with public key • What if you don’t need to authenticate originator? • Just need to be sure it hasn’t changed • Typical case for a MAC
Basic MAC • Take message X • Hash it with function H() • Getting X’ • Attach X’ to X • Receiver checks that X and X’ match • By repeating hash operation H() on X
A Little Problem • If everyone knows H(), everyone can create X’ • Worse, everyone can take Y and produce “proper” Y’ • Attacker can replace X/X’ message with Y/Y’ message • Often need to prevent that . . .
Keyed Hashes • Use HMACs, instead • keyed-Hash Message Authentication Codes • Feed secret key into input of a hash function • H(X,K) • Often H() is ordinary hash function • Typically by combining key with input • In slightly complex way • Feed combination into hash function • Cheaper than hashing and PK signature of hash
Security of Keyed Hash Functions • Attacker assumed to know H() and X’ • Often knows X • Since hash is used as MAC • Doesn’t know K • If hash function is good, can’t create proper Y’ for arbitrary Y
Hash Security Properties and HMACs • Can’t guess X based on X’ • Important, since X “includes” key • Can’t produce X’ without knowing X • Otherwise attacker can forge messages • Given X’, H(), and X, can’t produce Y such that H(Y) = X’ • Otherwise attacker can create new message with old HMAC
Hash Chains • Say I start with a value X • Now I apply hash function H() • Now I apply H() repetitively to the results • That’s a hash chain
Properties of a Hash Chain • Generally, the values are pseudorandom • X and X’ are not obviously related • If you don’t know H(), the next link is unpredictable • X is not derivable from X’ • Even if you do know H() • So X can be secret, even if you know X’ and H()
Using Hash Chains • Cryptographic key generation • Create a key • Use it for a while • Then use secret hash function on that key to create a new one • If the hash’s pseudorandom and non-reversible properties are strong, relatively safe
Reverse Hash Chains • Generate a hash chain • Of some chosen length • Then reverse it
What’s So Great About That? • I know the entire reverse hash chain • I can gradually tell others about it, element by element • When they know , what can I now do? • I can tell them about • They now know something useful
OK, What Do They Know? • That I knew when I told them • They can check that with the hash • So both messages come from the same source • If they authenticated the first message, the hash value authenticates the second
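The reveal-and-check procedure from the reverse hash chain slides, as an added Python example that is not from the original slides. SHA-256, the seed, the chain length and the names `H`, `make_chain`, `Verifier` and `demo` are assumptions; the slides name no algorithm.

```python
import hashlib
import hmac


def H(value: bytes) -> bytes:
    """The hash function H(). SHA-256 is an assumption of this example."""
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, length: int) -> list[bytes]:
    """Return [H(seed), H(H(seed)), ...] with `length` links."""
    chain, value = [], seed
    for _ in range(length):
        value = H(value)
        chain.append(value)
    return chain


class Verifier:
    """Keeps the latest trusted link and checks each newly revealed one."""

    def __init__(self, anchor: bytes):
        # The anchor must be authenticated some other way (for example, signed).
        self.last = anchor

    def accept(self, revealed: bytes) -> bool:
        # A genuine next element hashes to the link we already trust.
        if hmac.compare_digest(H(revealed), self.last):
            self.last = revealed
            return True
        return False


def demo() -> list[bool]:
    chain = make_chain(b"constructed secret seed", 5)  # constructed sample input
    reverse = chain[::-1]             # reveal order: end of the chain first
    verifier = Verifier(reverse[0])   # receiver starts with the final link
    results = [verifier.accept(link) for link in reverse[1:3]]  # two genuine reveals
    results.append(verifier.accept(b"\x00" * 32))  # forged value is rejected
    results.append(verifier.accept(reverse[1]))    # replay of an old link is rejected
    results.append(verifier.accept(reverse[3]))    # next genuine link is accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The check only ties each reveal to the previously trusted link, so the whole scheme is only as trustworthy as the authentication of the first element.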
Complications • There are serious issues with this • Cut-and-paste attacks • Man-in-the-middle • We’ll discuss these later • But proper use can allow most authentications to pay hash costs • Much lower than other crypto costs
What If Hash Is Broken? • What if: • You can guess X based on X’? • You can produce X’ without knowing X • Given X’, H(), and X, you can produce Y such that H(Y) = X’ • Which of these produce problems for hash chains?
For Example, The SHA-1 Break • Given X, can calculate a Y that hashes to X’ (using SHA-1) • Means that hash signature of X also matches Y • So attacker can replace X with Y • When is that bad?