221 likes | 536 Views
Hash Functions. Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction. Cryptographic hash functions Input – any length Output – fixed length H(x) – easy H(x) – one way “hard to invert” H(x) collision free. Purposes for hash functions. Data Integrity Ex: Tripwire Message digest
E N D
Hash Functions Nathanael Paul Oct. 9, 2002
Hash Functions: Introduction • Cryptographic hash functions • Input – any length • Output – fixed length • H(x) – easy • H(x) – one way • “hard to invert” • H(x) collision free
Purposes for hash functions • Data Integrity • Ex: Tripwire • Message digest • y = h(x). y is called the message digest. • 160 bits in size – “birthday attack” • Message Source • Digital Signatures • Message Authentication Codes (MAC)
Digital Signatures and Message Authentication Code (MAC) overview • Suppose Alice and Bob share a secret key k which determines hash function hk • Alice sends (x, y) to Bob where y = hk(x) • Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.
Hash Family • (X,Y,K,H) • For each k in K, there exists an h in H, such that hk(x) y • Assume |X| >= |Y| (even better, 2|X| >= |Y|) • Unkeyed hash function • |K| = 1 • Ex. SHA-1 (successor of MD4)
Conditions of a secure hash function • Preimage • Find x such that h(x) = y, given y and the function f(). • one-way • Second Preimage • Find x’ != x, such that h(x) = h(x’), given x and the function h(). • weak collision resistance • Collision • Find h(x) = h(x’) such that x != x’, given function h() • strong collision resistance
Iterated hash function overview • compression function • Given input of length m, produce output of length n • inputs to compression function: • message block, mi • output of previous blocks of text • hi = f(mi, hi-1) • MD-strengthening (Merkle-Damgard) • pre-image contains length of entire message • initialization vector (padding function)
Modes of operation • Modes of operation • ECB, CBC, CFB, OFB • different characteristics: • error propagation • efficiency • increase in data size • NIST document on modes of operation • http://csrc.nist.gov/encryption/tkmodes.html • Next slide shows CBC mode of operation...
Message Authentication Codes • Oscar’s (adversary) goal: • produce a pair (x,y) that is valid, but the key k is not known • Oscar knows • valid pairsPairs = {(x1,y1),(x2,y2),...,(xq,yq)} • forgery • Oscar outputs an (x,y) where x is not in Pairs
Review of types of attacks • Ciphertext-only • Oscar possesses a string of ciphertext, y • Known plaintext • has ciphertext, y, corresponding to a message, x • Chosen plaintext • access to encryption. choose x, get y • Chosen ciphertext • choose y, get x
Ways of creating a MAC • Base MAC on block cipher • block cipher already implemented, so part of implementation is done • MAC from an unkeyed hash • just add a key to output of unkeyed hash • requires careful analysis • Create a customized MAC
CBC MAC • use block cipher in CBC mode with fixed IV • best general attack is birthday attack
Nested MACs • Nested MAC • composition of 2 keyed hash families • G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x)) • Secure if the following holds (given unknown key): • G is collision-resistant • H is secure as a MAC
Types of attacks on nested MACs • forger for nested MAC • forger for the little MAC • attack on component MAC H • unknown-key collision attack
Attack 1: Forger on nested MAC • pair of keys (k,l) are kept secret • Oscar: • chooses an x • oracle – “magic box” • given x, oracle computes z = hl(gk(x)) • tries to find (x’, z) where x’ was not any x given to oracle
Attack 2: Forger on smaller MAC component of nested MAC (H family) • key l is chosen and kept secret (l is in keyspace of H family of hashes) • Oscar: • chooses y • given y, oracle computes z = hl(y) • tries to output (y’,z) where y’ was not in one of its previous queries to oracle
Attack 3: Collision Finder for a hash family • key k in K is kept secret • Oscar: • chooses an x • given x, oracle computes gk(x) • tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)
HMAC • nested MAC algorithm (proposed standard) • based on SHA-1 • uses 512-bit key k • 2 512-bit constants, ipad and opad • 160-bit MAC • HMACk(x) = SHA-1((k opad) || SHA-1((K ipad) || x)) • ipad component resistant against unknown-key collision attack
Further Reading • Applied Cryptography,Bruce Schneier • Cryptography: Theory and Practice, Douglas Stinson • Handbook of Applied Cryptography, Alfred Menezes, et. al. • available for download at: • http://www.cacr.math.uwaterloo.ca/hac/