Hash Functions Ver2

  • 7/21/2019 Hash Functions Ver2

    Cryptography and Network Security
    (Various Hash Algorithms)
    Fourth Edition
    by William Stallings

    Lecture slides by Lawrie Brown
    (Changed by Somesh Jha)

    Birthday Attacks

    • might think a 64-bit hash is secure
    • but by Birthday Paradox is not
    • birthday attack works thus:
      - opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
      - opponent also generates 2^(m/2) variations of a desired fraudulent message
      - two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
      - have user sign the valid message, then substitute the forgery which will have a valid signature
    • conclusion is that need to use larger MACs
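The procedure above can be run end to end on a deliberately short hash. This added example (not part of the original slides) uses the top m = 24 bits of SHA-256 as a stand-in for an m-bit hash and varies inter-word spacing to produce same-meaning variants; the two messages and the names `h_trunc`, `variation` and `birthday_pair` are constructed for illustration.

```python
import hashlib

# Constructed sample messages (not from the slides).
VALID = ("I authorise the bank to pay the bearer of this letter "
         "the sum of ten dollars on the first day of May")
FRAUD = ("I authorise the bank to pay the bearer of this letter "
         "the sum of ten thousand dollars on the first day of May")

def h_trunc(msg: str, m_bits: int) -> int:
    """Toy m-bit hash: the top m bits of SHA-256 (assumption for the demo)."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)

def variation(text: str, i: int) -> str:
    """i-th same-meaning variant: bit j of i puts one or two spaces after word j."""
    words = text.split()
    gaps = ["  " if (i >> j) & 1 else " " for j in range(len(words) - 1)]
    return "".join(w + g for w, g in zip(words, gaps)) + words[-1]

def birthday_pair(valid: str, fraud: str, m_bits: int):
    """Grow both variant sets until one valid and one fraudulent variant share
    an m-bit hash. Returns (valid_variant, fraud_variant, variants_per_side)."""
    seen_valid, seen_fraud = {}, {}
    limit = 2 ** (min(len(valid.split()), len(fraud.split())) - 1)
    for i in range(limit):
        v, f = variation(valid, i), variation(fraud, i)
        hv, hf = h_trunc(v, m_bits), h_trunc(f, m_bits)
        seen_valid.setdefault(hv, v)
        seen_fraud.setdefault(hf, f)
        if hv in seen_fraud:          # a valid variant matches a stored forgery
            return v, seen_fraud[hv], i + 1
        if hf in seen_valid:          # a forgery matches a stored valid variant
            return seen_valid[hf], f, i + 1
    return None                       # ran out of spacing variants

if __name__ == "__main__":
    v, f, n = birthday_pair(VALID, FRAUD, 24)
    print(f"match after {n} variants per side (2^(m/2) = {2 ** 12})")
    print(hex(h_trunc(v, 24)), hex(h_trunc(f, 24)))
```

A signature over the 24-bit hash of the valid variant would verify equally for the fraudulent one, which is why the hash output has to be long enough that 2^(m/2) work is out of reach.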

    Hash Function Properties

    • a Hash Function produces a fingerprint of some file/message/data
        h = H(M)
      - condenses a variable-length message M
      - to a fixed-sized fingerprint
    • assumed to be public

    Requirements for Hash Functions

    1. can be applied to any sized message M
    2. produces fixed-length output h
    3. is easy to compute h=H(M) for any message M
    4. given h is infeasible to find x s.t. H(x)=h
       • one-way property
    5. given x is infeasible to find y s.t. H(y)=H(x)
       • weak collision resistance
    6. is infeasible to find any x,y s.t. H(y)=H(x)
       • strong collision resistance

    Block Ciphers as Hash Functions

    • can use block ciphers as hash functions
      - using H0=0 and zero-pad of final block
      - compute Hi = E_Mi … "meet-in-the-middle" attack
    • other variants also susceptible to attack

    Hash Algorithms

    • similarities in the evolution of hash functions & block ciphers
      - increasing power of brute-force attacks
      - leading to evolution in algorithms
      - from DES to AES in block ciphers
      - from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
    • likewise tend to use common iterative structure as do block ciphers

    MD5

    • designed by Ronald Rivest (the "R" in RSA)
    • latest in a series of MD2, MD4
    • produces a 128-bit hash value
    • until recently was the most widely used hash algorithm
      - in recent times have both brute-force & cryptanalytic concerns
    • specified as Internet standard RFC1321

    MD5 Overview

    1. pad message so its length is 448 mod 512
    2. append a 64-bit length value to message
    3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
    4. process message in 16-word (512-bit) blocks:
       - using 4 rounds of 16 bit operations on message block & buffer
       - add output to buffer input to form new buffer value
    5. output hash value is the final buffer value

    MD5 Compression Function

    • each round has 16 steps of the form:
        a = b+((a+g(b,c,d)+X[k]+T[i])
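The five overview steps and the per-step update, written out as an added example (not code from the slides). The rotation amounts `S`, the table `T`, the initial buffer values and the four round functions are taken from RFC 1321, which the deck cites; the helper names are illustrative.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amount for each of the 64 steps (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = floor(2^32 * |sin(i + 1)|), the additive constant of step i (RFC 1321).
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_pad(msg: bytes) -> bytes:
    """Steps 1-2: pad to 448 mod 512 bits, then append the 64-bit bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + struct.pack("<Q", (len(msg) * 8) % 2**64)

def md5_hex(msg: bytes) -> str:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # step 3: (A,B,C,D)
    data = md5_pad(msg)
    for off in range(0, len(data), 64):  # step 4: one 16-word block at a time
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(64):  # 4 rounds of 16 steps
            if i < 16:
                g, k = (b & c) | (~b & d), i
            elif i < 32:
                g, k = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:
                g, k = b ^ c ^ d, (3 * i + 5) % 16
            else:
                g, k = c ^ (b | (~d & MASK)), (7 * i) % 16
            # One step: b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then the
            # four words shift along one place for the next step.
            rotated = rotl((a + g + X[k] + T[i]) & MASK, S[i])
            a, b, c, d = d, (b + rotated) & MASK, b, c
        # add this block's output to its input to form the new buffer value
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()  # step 5: final buffer is the hash
```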

    MD4

    • precursor to MD5
    • also produces a 128-bit hash of message
    • has 3 rounds of 16 steps versus 4 in MD5
    • design goals:
      - collision resistant (hard to find collisions)
      - direct security (no dependence on "hard" problems)
      - fast, simple, compact
      - favors little-endian systems (eg PCs)

    Strength of MD5

    • MD5 hash is dependent on all message bits
    • Rivest claims security is good as can be
    • known attacks are:
      - Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
      - Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
      - Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
    • conclusion is that MD5 looks vulnerable soon

    Secure Hash Algorithm (SHA-1)

    • SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
    • US standard for use with DSA signature scheme
      - standard is FIPS 180-1 1995, also Internet RFC3174
      - note: the algorithm is SHA, the standard is SHS
    • produces 160-bit hash values
    • now the generally preferred hash algorithm
    • based on design of MD4 with key differences

    SHA Overview

    1. pad message so its length is 448 mod 512
    2. append a 64-bit length value to message
    3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
       (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
    4. process message in 16-word (512-bit) chunks:
       - expand 16 words into 80 words by mixing & shifting
       - use 4 rounds of 20 bit operations on message block & buffer
       - add output to input to form new buffer value
    5. output hash value is the final buffer value

    SHA-1 Compression Function

    • each round has 20 steps which replaces the 5 buffer words thus:
        (A,B,C,D,E)

    SHA-1 versus MD5

    • brute force attack is harder (160 vs 128 bits for MD5)
    • not vulnerable to any known attacks (compared to MD4/5)
    • a little slower than MD5 (80 vs 64 steps)
    • both designed as simple and compact
    • optimised for big endian CPUs (vs MD5 which is optimised for little endian CPUs)

    Revised Secure Hash Standard

    • NIST has issued a revision FIPS 180-2
    • adds 3 additional hash algorithms
    • SHA-256, SHA-384, SHA-512
    • designed for compatibility with increased security provided by the AES cipher
    • structure & detail is similar to SHA-1
    • hence analysis should be similar

    Keyed Hash Functions as MACs

    • have desire to create a MAC using a hash function rather than a block cipher
      - because hash functions are generally faster
      - not limited by export controls unlike block ciphers
    • hash includes a key along with the message
    • original proposal:
        KeyedHash = Hash(Key|Message)
      - some weaknesses were found with this
    • eventually led to development of HMAC

    HMAC

    • specified as Internet standard RFC2104
    • uses hash function on the message:
        HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
    • where K+ is the key padded out to size
    • and opad, ipad are specified padding constants
    • overhead is just 3 more hash calculations than the message needs alone
    • any of MD5, SHA-1, RIPEMD-160 can be used
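HMAC built directly from the formula above and checked against Python's standard `hmac` module; this is an added example, not code from the slides. `IPAD` and `OPAD` are the RFC 2104 padding constants, `naive_keyed_hash` is the Hash(Key|Message) proposal from the previous slide, and all function names and sample inputs are illustrative.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # ipad / opad byte values from RFC 2104

def pad_key(key: bytes, hash_name: str) -> bytes:
    """K+: the key zero-padded to the hash's block size.
    RFC 2104 first hashes keys that are longer than one block."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(block, b"\x00")

def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]"""
    k_plus = pad_key(key, hash_name)
    inner_key = bytes(b ^ IPAD for b in k_plus)
    outer_key = bytes(b ^ OPAD for b in k_plus)
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def naive_keyed_hash(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """The original proposal: Hash(Key|Message), plain concatenation."""
    return hashlib.new(hash_name, key + msg).digest()

def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

if __name__ == "__main__":
    key, msg = b"constructed-key", b"constructed message"  # sample values
    tag = hmac_manual(key, msg)
    print(tag.hex(), tag == hmac.new(key, msg, "sha1").digest())
    # Concatenation cannot tell where the key ends; HMAC's padded key can.
    print(naive_keyed_hash(b"key", b"msg") == naive_keyed_hash(b"ke", b"ymsg"))
    print(hmac_manual(b"key", b"msg") == hmac_manual(b"ke", b"ymsg"))
```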

    HMAC Overview

    HMAC Security

    • know that the security of HMAC relates to that of the underlying hash algorithm
    • attacking HMAC requires either:
      - brute force attack on key used
      - birthday attack (but since keyed would need to observe a very large number of messages)
    • choose hash function used based on speed versus security constraints

    Summary

    • have considered some current hash algorithms
      - MD5, SHA-1, RIPEMD-160
    • HMAC authentication using a hash function
