960 likes | 969 Views
Introduction to Practical Cryptography. Hash Functions. Agenda. Hash Functions Properties Uses General Design Examples: MD4, MD5, SHA-0, SHA-1, SHA-256 Collision Attacks – General Method SHA3 competition. Hash Properties. Map bit strings of arbitrary length to fixed-length outputs
E N D
Introduction to Practical Cryptography Hash Functions
Agenda • Hash Functions • Properties • Uses • General Design • Examples: MD4, MD5, SHA-0, SHA-1, SHA-256 • Collision Attacks – General Method • SHA3 competition
Hash Properties • Map bit strings of arbitrary length to fixed-length outputs h = hash(m), h is fixed-length, short • Not injective, but collisions unlikely • Example: 2160 possible values • Computationally infeasible to generate collisions • Computationally infeasible to invert
Hash Properties • Preimage resistant: given h, hard to find m such that h = hash(m) • Second preimage resistant: given m1, hard to find m2 (≠ m1) such that hash(m1) = hash(m2) • Collision-resistant: hard to find m1 and m2, m2 ≠ m1, such that hash(m1) = hash(m2)
In Practice • Heuristics • Simple operations, performance: • Iterative, series of rounds • Diffusion through logical operations, addition, shifts, rotates
Uses • Data integrity: • Error detection • Attacker can still modify file and recompute hash • Forgery, modification - MAC • Shorten data for signing • Data Structures: • Hash list • Hash (Merkle) Tree • Hash Table
Hash - Uses • Integrity – Error Detection • Hash file/message • Attacker can still modify file and recompute hash • Integrity – prevent forgery, modification • MAC (keyed hash) • Authentication • Signature: hash data to shorten (for efficiency) then encrypt with public key algorithm • Append shared secret to unencrypted data then hash • Random bits • Data Structures: • Hash list • Hash (Merkle) Tree • Hash Table
MAC • Message Authentication Code – keyed hash • Examples: • Encrypt hash with symmetric key cipher • HMAC H(H(K c1) || H((K c2) || m))
CBC-MAC (tag) Need to be careful in designing a MAC: Without knowing the key k, can ask to calculate the CBC-MAC tag of any message Produce a MAC for a new message: use two message-tag pairs (m,t) and (m',t’), m and m' : single blocks (can be random) (m || (t m’), t’) : valid message-tag pair CBC-MAC of m || (t m’) is t’ (see next slide)
CBC-MAC • two message-tag pairs (m,t) and (m',t’), • m and m' : single blocks (can be random) • CBC-MAC of m || (t m’) is also t’ • when computing CBC, result from m is t (“ciphertext” from block cipher) • then continuing CBC mode: • t is XORed with t m’ • t m’ t = m’ and the result is the next input to the block cipher • thus the output is t’ • therefore, (m || t m’, t’) is a valid message-tag pair
MAC • MAC: H(Key | message) • Append attack • With most current hashes that “chain” blocks can get a valid MAC for H(Key | message | message’) • Put the secret at the end of the message • Don’t use all the output bits as the MAC
HMAC • Append 0’s to key until have 512 bits • XOR with constant and prepend to data • Hash • XOR key with different constant and prepend to result • Hash again H( (key const1) || H(((key || 0..0) const2)|| data) ) • If H is secure, so is HMAC: • Collision resistant • If given HMAC(key,x), can’t compute HMAC(key,y) without knowing key
Generating “Random” Bits • Hash together information containing some randomness • Copy of every keystroke, mouse event • Time between keystrokes • Disk seek latency, sector number, etc. • Contents of the display • Audio input • Packet inter-arrival latency, CPU load • Hash all this information together • Allows generation of pseudo-random data
Challenge-Response without Encryption Alice Bob Ra ---------------> <--------------- H(K | Ra), Rb H(K | Rb) -----------------> H is a hash function K is a shared secret Ra,Rb are random values
Storing Passwords • Idea: hash password and store result • When user enters password, hash and compare with stored value
Password Storing • Old Unix password algorithm: • Store hash of user password • Hash typed password, compare with stored hash • First 8 bytes of password are the secret key • Then encrypt all-zeroes block with DES-like algorithm • Salt: 12-bit random number, (used in modified DES) • Salt stored with hashed result • Later versions used MD5, Blowfish
Hash List h21 h11 h12 h13 h14 h15 h16 h17 h18 m1 m3 m4 m5 m7 m8 m2 m6
Hash Tree h41 h31 h32 h21 h22 h23 h24 h11 h12 h13 h14 h15 h16 h17 h18 m1 m3 m4 m5 m7 m8 m2 m6
General Structure Message m padded to M, a multiple of a fixed-length block M is divided into segments m1,m2, … mn m1 m2 mn … … hash value IV F F F … • Merkle-Damgard, 1989 • F is called the compression function • Takes inputs mi and output of previous iteration • Typically a series of rounds • Output called a “chaining variable” • Typically, a function operates on chaining variables then adds to mi
General Structure • Padding • “100…0” • MD4, MD5: last 64 bits depend on first block • SHA*: last bits depend on length of message
General Structure m1 m2 mn … … hash value IV F F F … Avalanche: All output bits depend on all input bits Diffusion: ideally want change to one input bit to change each output bit with prob. ½
MD4 • Rivest, RFC 1320 • Fast in software • Simple to program • Memory efficient - no large data structures
MD4 Notation • word = 32 bits • Message m • XY = X AND Y • X v Y = X OR Y
MD4 • m’ = m100 … 0 • Pad m until it is 64 bits short of a multiple of 512 • Message is always padded (i.e. even 448 bits are padded) • Append a 1 followed by 0’s : • M[0 ... N-1] = m’ with low order 64 bits of m appended to it • N is a multiple of 16 • Four-word buffer (A,B,C,D) initialize to: • A: 01 23 45 67 • B: 89 ab cd ef • C: fe dc ba 98 • D: 76 54 32 10 just counts 0 to 15 and back
MD4 – Internal Functions • F(X,Y,Z) = XY v not(X) Z • Bitwise conditional: if X then Y else Z. • G(X,Y,Z) = XY v XZ v YZ • Bitwise majority function: bit positions in which 2 or more bits are 1, output has a 1, else output has a 0 • H(X,Y,Z) = X Y Z • Bit positions with odd number of 1’s are 1, rest are 0 • Note: if bits of X, Y, and Z are independent and unbiased, each bit of F(X,Y,Z) and each bit of G(X,Y,Z) also will be independent and unbiased.
MD4 for (i = 0 to N/16-1) { /* Copy block i into X. */ For (j = 0 to 15) { X[j] = M[i*16+j] } /* Save A, B, C,D */ AA = A BB = B CC = C DD = D /* Combine Message blocks with A,B,C,D */ Round 1 Round 2 Round 3 Increment A,B,C,D by their values (AA,BB,CC,DD) at start of iteration } /* end for i */ Output A,B,C,D compression function A,B,C,D is chaining variable
MD4 Round 1 Function operates on chaining variable, adds in message block /* [abcd k s] denotes a = (a + F(b,c,d) + X[k]) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 1 7]; [CDAB 2 11] ; [BCDA 3 19]; [ABCD 4 3]; [DABC 5 7] ; [CDAB 6 11]; [BCDA 7 19]; [ABCD 8 3]; [DABC 9 7]; [CDAB 10 11]; [BCDA 11 19] [ABCD 12 3]; [DABC 13 7]; [CDAB 14 11]; [BCDA 15 19]; Note: each word rotates through each of the four positions for each value of s X[k] (M) combined with A,B,C,D Words sequential in round 1 (i.e. k = 1,2,3,…. 15 in order)
MD4 Round 2 /* [abcd k s] denotes a = (a + G(b,c,d) + X[k] + 0x5A827999) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 4 5]; [CDAB 8 9]; [BCDA 12 13]; [ABCD 1 3]; [DABC 5 5]; [CDAB 9 9]; [BCDA 13 13]; [ABCD 2 3]; [DABC 6 5]; [CDAB 10 9]; [BCDA 14 13]; [ABCD 3 3]; [DABC 7 5]; [CDAB 11 9]; [BCDA 15 13]; Word ordering altered from round 1
MD4 Round 3 /* Let [abcd k s] denotes a = (a + H(b,c,d) + X[k] + 0x6ED9EBA1) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 8 9]; [CDAB 4 11]; [BCDA 12 15] [ABCD 2 3]; [DABC 10 9]; [CDAB 6 11]; [BCDA 14 15] [ABCD 1 3]; [DABC 9 9]; [CDAB 5 11]; [BCDA 13 15]; [ABCD 3 3]; [DABC 11 9]; [CDAB 7 11]; [BCDA 15 15] Word ordering partially altered from round 2
MD4 – End of Loop Addition /* increment each of A,B,C,D by the value it had before this block was started. */ A = A + AA B = B + BB C = C + CC D = D + DD
MD4 Constants • 5A827999: 32-bit constant, represents the square root of 2. The octal value is 013240474631. • 6ED9EBA1: 32-bit constant, represents the square root of 3. The octal value is 015666365641.
MD5 • Designed to replace MD4 • First two and last two rounds of MD4 attacked • RFC 1321, Rivest for (i = 0 to N/16-1) { /* Copy block i into X */ For (j = 0 to 15) { X[j] = M[i*16+j] } /* Save A, B, C,D */ AA = A BB = B CC = C DD = D /* Combine Message blocks with A,B,C,D */ Round 1 Round 2 Round 3 Round 4 Increment A,B,C,D by value at start of iteration } /* end for i */ Output A,B,C,D
MD5 Changes to MD4 • Fourth round added • Each step now has a unique additive constant • The function G changed from (XY v XZ v YZ) to (XZ v Y not(Z)) (less symmetric) • The order in which input words are accessed in rounds 2 and 3 is changed, to make these less like similar to each other. • The shift amounts in each round have been changed to produce a faster avalanche effect. The shifts in different rounds are distinct.
MD5 Internal Functions • F(X,Y,Z) = XY v not(X) Z • G(X,Y,Z) = XZ v Y not(Z) • H(X,Y,Z) = X Y Z • I(X,Y,Z) = Y (X v not(Z))
MD5 • Uses a 64-element table T[1 ... 64] constructed from the sine function • T[i] equals the integer part of 4294967296 times abs(sin(i)), where i is in radians
MD5 Round 1 /* [abcd k s i] denotes a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ /* 16 operations. */ [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16] Constant added, varies
MD5 Round 2 /* [abcd k s i] denotes a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ /*16 operations. */ [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20] [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24] [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28] [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32] not reusing shift amounts across rounds
MD5 Round 3 /* Let [abcd k s t] denotes a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36] [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40] [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44] [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48] Word ordering altered from round 2 to greater extent than in MD4
MD5 Round 4 /* [abcd k s t] denotes a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ /* 16 operations. */ [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52] [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56] [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60] [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64] One more round than MD4
MD5 Addition A = A + AA B = B + BB C = C + CC D = D + DD Same as MD4
RIPEMD, Haval • RIPEMD - modified MD4 • Rotation changed • Order of message words altered • Two instances run in parallel with different constants; at end of each block, output of each added to chaining variables • Haval – modified MD5 • Processes 1024-bit message blocks instead of 512 • Internal functions take 7 variables, nonlinear • Permutes input to round • Chaining variable: 8 segments instead of 4 • Different constants
SHA-0 • Input m 264 bits • Output 160 bits • Padded, processed in 512-bit blocks • Each iteration takes 160-bit chaining variable and 512-bit block, outputs 160-bit chaining value • First chaining value is a fixed constant (IV) • Last chaining value is the output
SHA-0 • Pad m to multiples of 512 bits • Append 1, 0’s, length of m • N 512-bit blocks For (j=0 to N-1) { 512-bit block divided into 32-bit segments: m0,m1, … m16 Expand to 80 32-bit segments: for i = 16 to 79: mi = mi-3 mi-8 mi-14 mi-16 80 32-bit words processed by round function }
SHA-0 Round function operating on chaining variables Rotating segments of chaining variable a,b,c,d,e are the chaining variable ki is a round constant Function f varies per round – on next slide
SHS • NIST FIPS 180-2, Secure Hash Standard (SHS) 2002 • SHA-1: message < 264 bits, 160-bit output • SHA-256: message < 264 bits, 256-bit output • SHA-384: message < 2128 bits, 384-bit output • SHA-512: message < 2128 bits, 512-bit output
SHA-1 and SHA-256 Padding • Message M of l bits • Pad to a multiple of 512 bits • Append a 1 • Append k 0’s where l + 1 + k = 448 mod 512 • Append 64 bits equal to the binary representation of l
SHA-1 and SHA-256 Processing • N 512-bit blocks • Block denoted by M(i) • 32-bit segment of block denoted by Mj(i) • i = ith block • j = jth 32-bit segment of ith block, j = 0,1… 16
SHA-1 Internal functions, each operating on three 32-bit words
SHA-1 Constants used in the rounds: