7/21/2019 Hash Functions Ver2
1/25
Cryptography and Network Security (Various Hash Algorithms)
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
(Changed by Somesh Jha)
Birthday Attacks
• might think a 64-bit hash is secure, but by the Birthday Paradox it is not
• birthday attack works thus:
  - opponent generates 2^(m/2) variations of a valid message, all with essentially the same meaning
  - opponent also generates 2^(m/2) variations of a desired fraudulent message
  - two sets of messages are compared to find a pair with the same hash (probability > 0.5 by birthday paradox)
  - have user sign the valid message, then substitute the forgery, which will have a valid signature
• conclusion is that need to use larger MACs
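Added example (not from the slides): the two-set search described above, run against a constructed toy hash (SHA-256 truncated to n bits) so the trial count can be observed; it comes out near 2^(n/2) rather than 2^n, which is the sizing argument behind the "larger MACs" conclusion. The message texts and the variant generator are constructed for the demo.

```python
import hashlib
from itertools import count

def short_hash(msg: bytes, bits: int) -> int:
    """Toy n-bit hash for the demo: SHA-256 truncated to its top `bits` bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def variants(base: bytes):
    """Endless stream of variants of `base` with the same meaning (constructed:
    only a trailing revision note changes; the deck's attacker varies wording/spacing)."""
    for i in count():
        yield base + b"  (rev " + str(i).encode() + b")"

def birthday_collision(valid: bytes, fraud: bytes, bits: int):
    """Grow a set of valid-message variants and a set of fraudulent-message
    variants in lockstep until one hash value appears in both sets.
    Returns (valid_variant, fraud_variant, trials_per_set); by the birthday
    paradox trials_per_set is expected to be about 2**(bits/2)."""
    by_hash_valid, by_hash_fraud = {}, {}
    gen_valid, gen_fraud = variants(valid), variants(fraud)
    for trials in count(1):
        v = next(gen_valid)
        hv = short_hash(v, bits)
        if hv in by_hash_fraud:              # valid variant matches an earlier forgery
            return v, by_hash_fraud[hv], trials
        by_hash_valid[hv] = v
        f = next(gen_fraud)
        hf = short_hash(f, bits)
        if hf in by_hash_valid:              # forgery matches an earlier valid variant
            return by_hash_valid[hf], f, trials
        by_hash_fraud[hf] = f

if __name__ == "__main__":
    v, f, n = birthday_collision(b"Transfer 100 to Alice", b"Transfer 100000 to Mallory", 32)
    print(n, "trials per set for a 32-bit hash; 2**16 =", 2 ** 16)
    print(v, f, hex(short_hash(v, 32)))
```

Doubling the hash length doubles the exponent of the work, not the work itself, which is why a 64-bit tag only buys about 2^32 trials.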
Hash Function Properties
• a Hash Function produces a fingerprint of some file/message/data
  h = H(M)
  - condenses a variable-length message M
  - to a fixed-sized fingerprint
• assumed to be public
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h is infeasible to find x s.t. H(x) = h
   • one-way property
5. given x is infeasible to find y s.t. H(y) = H(x)
   • weak collision resistance
6. is infeasible to find any x, y s.t. H(y) = H(x)
   • strong collision resistance
Block Ciphers as Hash Functions
• can use block ciphers as hash functions
  - using H0 = 0 and zero-pad of final block
  - compute Hi = E_Mi[Hi-1]
  - susceptible to a "meet-in-the-middle" attack
• other variants also susceptible to attack
Hash Algorithms
• similarities in the evolution of hash functions & block ciphers
  - increasing power of brute-force attacks
  - leading to evolution in algorithms
  - from DES to AES in block ciphers
  - from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
• likewise tend to use common iterative structure as do block ciphers
MD5
• designed by Ronald Rivest (the "R" in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash algorithm
  - in recent times have both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks
   - using 4 rounds of 16 bit operations on message block & buffer
   - add output to buffer input to form new buffer value
5. output hash value is the final buffer value
MD5 Overview (figure)
MD5 Compression Function
• each round has 16 steps of the form
  a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
MD5 Compression Function (figure)
MD4
• precursor to MD5
• also produces a 128-bit hash of message
• has 3 rounds of 16 steps versus 4 in MD5
• design goals:
  - collision resistant (hard to find collisions)
  - direct security (no dependence on "hard" problems)
  - fast, simple, compact
  - favours little-endian systems (eg PCs)
Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
  - Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
  - Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
  - Dobbertin 96 created collisions on MD5 compression function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon
Secure Hash Algorithm (SHA-1)
• SHA was designed by NIST & NSA in 93, revised 95 as SHA-1
• US standard for use with DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC3174
  - note: the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
   - expand 16 words into 80 words by mixing & shifting
   - use 4 rounds of 20 bit operations on message block & buffer
   - add output to input to form new buffer value
5. output hash value is the final buffer value
SHA-1 Compression Function
• each round has 20 steps which replaces the 5 buffer words thus:
  (A,B,C,D,E)
SHA-1 Compression Function (figure)
SHA-1 versus MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• not vulnerable to any known attacks (compared to MD4/5)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big endian CPUs (vs MD5 which is optimised for little endian CPUs)
Revised Secure Hash Standard
• NIST has issued a revision FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
Keyed Hash Functions as MACs
• have desire to create a MAC using a hash function rather than a block cipher
  - because hash functions are generally faster
  - not limited by export controls unlike block ciphers
• hash includes a key along with the message
• original proposal:
  KeyedHash = Hash(Key|Message)
  - some weaknesses were found with this
• eventually led to development of HMAC
HMAC
• specified as Internet standard RFC2104
• uses hash function on the message:
  HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• any of MD5, SHA-1, RIPEMD-160 can be used
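Added example (not from the slides): HMAC built exactly as the formula above describes, with K+, ipad and opad from RFC 2104, the earlier KeyedHash = Hash(Key|Message) proposal alongside for contrast, and a constant-time verifier for the receiving side; results are cross-checked against Python's hmac module. The hash_name parameter and function names are this example's.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] per RFC 2104.
    hash_name can be any hashlib algorithm, e.g. "md5", "sha1"."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                        # RFC 2104: over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")          # K+: key zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in k_plus)           # inner pad: 0x36 repeated, XORed with K+
    opad = bytes(b ^ 0x5C for b in k_plus)           # outer pad: 0x5C repeated, XORed with K+
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def naive_keyed_hash(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """The original proposal from the slides, KeyedHash = Hash(Key|Message), for contrast."""
    return hashlib.new(hash_name, key + message).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)

def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()

if __name__ == "__main__":
    # RFC 2202 test case 1: key = 0x0b * 20, data = "Hi There"
    print(hmac_rfc2104(b"\x0b" * 20, b"Hi There").hex())  # b617318655057264e28bc0b6fb378c8ef146be00
```

The two outer hash calls are what the slide counts as the extra overhead; the inner call over (K+ XOR ipad) || M is the one that actually walks the message.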
HMAC Overview (figure)
HMAC Security
• know that the security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either:
  - brute force attack on key used
  - birthday attack (but since keyed would need to observe a very large number of messages)
• choose hash function used based on speed versus security constraints
Summary
• have considered some current hash algorithms
  - MD5, SHA-1, RIPEMD-160
• HMAC authentication using a hash function