This was filmed at the Sonoma State University mathematics colloquium on November 5th, 2008. In the talk, Dylan speaks about hash functions, their applications and attacks on them. He specifically focuses on the design of the MD5 algorithm. Dylan also gives a preview of what is in store for the future of hashes: the SHA-3 competition put on by the NIST. For a video of this presentation, visit http://www.vimeo.com/2409021
Hash Functions, the MD5 Algorithm
and the Future (SHA-3)
Dylan Field, Fall ’08
SSU Math Colloquium
What is a hash?
First, Consider Humpty Dumpty...
Humpty Dumpty sat on a wall.
Humpty Dumpty had a great fall.
All the king’s horses and all the king’s men
Couldn’t put Humpty together again.
X
h(x)
BUT h(x) is a one way function
... so they can’t put Humpty together again.
x → hash function → h(x)
Humpty falls
‘hello’ → MD5 → 5d41402abc4b2a76b9719d911017c592
- going backwards -
NO!!!
- going backwards -
5d41402abc4b2a76b9719d911017c592 ‘hello’
Requirements
h(x)
1. Given h(x) cannot find x
2. h(x) is constant
3. Can’t find x2 so h(x2)=h(x1)
Requirement #3 - Humpty Dumpty Style
≠ ≠ .........
so how does it work?
‘hello’
5d41402abc4b2a76b9719d911017c592
we’re going to focus on MD5
1. Convert ‘x’ to binary
‘hello’ 0110100001100101011011000110110001101111
2. Pad ‘x’ so that size of x (mod 512) = 0
xpadded =
0110100001100101011011000110110001101111 (‘hello’ in binary)
1 (add ‘1’)
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 0000000000
0000000000 0000000000 0000000000 0000000000 000000000000000 (0’s until size of x mod 512 = 496)
0000000000101000 (add 16 bit binary representation of the size of x)
3. Break ‘x’ into 512 bit sub parts and 32 bit words
W1 = 01101000011001010110110001101100
4. Assign values to k[i], r[i], w[g], h0, h1, h2 and h3.
k[i] = |sin(i+1)| x 2^32 where ‘i’ is in radians
r[i] = Various round shift amounts
w[g] = Word number (0 – 15)
h0 = a = 0x67452301
h1 = b = 0xEFCDAB89
h2 = c = 0x98BADCFE
h3 = d = 0x10325476
5. Perform 64 rounds on each sub part
But first... binary operations!
∧ (AKA ‘AND’)
p q ∧
T T T
T F F
F T F
F F F
In binary: T = 1, F = 0
bit 1 bit 2 ∧
1 1 1
1 0 0
0 1 0
0 0 0
∨
bit 1 bit 2 ∨
1 1 1
1 0 1
0 1 1
0 0 0
⊕
“XOR is a type of logical disjunction on two operands that results in a value of “true” if and only if exactly one of the operands has a value of ‘true’”
bit 1 bit 2 ⊕
1 1 0
1 0 1
0 1 1
0 0 0
¬ (not)
¬1=0
¬0=1
<< (bit shift)
1 0 1 0 1 0
0 1 0 1 0 0
Remember: a, b, c, d are h0-3
Operation A
f = (b ∧ c) ∨ (¬ b ∧ d)
g = i
Operation B
f = (d ∧ b) ∨ ((¬ d) ∧ c)
g = (5i + 1) mod 16
Operation C
f = b ⊕ c ⊕ d
g = (3i + 5) mod 16
Operation D
f = c ⊕ (b ∨ (¬ d))
g = (7i) mod 16
A B C D
b + {(a + f + k[i] + w[g]) << r[i]}
b: h1
a: h0
f: Calculated in Operations A-D
k[i]: |sin(i+1)| x 2^32 where ‘i’ is in radians
w[g]: The gth word (32 bit chunk)
r[i]: ith pre-designated shift
After all 64 rounds...
6. Add a, b, c and d to register values
h0 = h0 + a
h1 = h1 + b
h2 = h2 + c
h3 = h3 + d
7. Append the register values to create digest
128 bit digest
‘hello’
5d41402abc4b2a76b9719d911017c592
So?
Applications
Password Protection
Message Integrity
Digital Signatures
Password Protection
When you registered...
‘password’ → MD5 → 5f4dcc3b5aa765d61d8327deb882cf99 → Data Base
‘password’ → MD5 → 5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99 = stored, hashed password?
No. Give ‘incorrect password’ error
Yes. Let user into website
Attacks
Rainbow Tables
omgyouarenevergoingtocrackthis
123
1c9fee8bd70a5afb630fc4f38e97123f
and Brute Force Attacks
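The registration and login flow from the Password Protection slides beside a salted, iterated alternative, as an added example that is not from the talk. PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and all function names are this example's choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: example work factor, tune to your hardware

def md5_register(password: str) -> str:
    """The slides' scheme: the database stores the bare MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_login(password: str, stored: str) -> bool:
    """Hash the login attempt and compare with the stored digest."""
    return hmac.compare_digest(md5_register(password), stored)

def kdf_register(password: str):
    """Hardened form: a random per-user salt and a deliberately slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def kdf_login(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def same_password_looks_identical():
    """Two users pick the same password (constructed sample accounts)."""
    alice_md5, bob_md5 = md5_register("password"), md5_register("password")
    (a_salt, alice_kdf), (b_salt, bob_kdf) = kdf_register("password"), kdf_register("password")
    # Unsalted: one precomputed table entry matches every such account.
    # Salted: each account needs its own, slow, guessing run.
    return alice_md5 == bob_md5, alice_kdf == bob_kdf

if __name__ == "__main__":
    print(md5_register("password"))
    print(same_password_looks_identical())
```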
Message Integrity
digest
File Verification
Guarding against corruption
Proving you have something before you release it
Attacks
Nostradamus Attack
But on November 30th 2007...
“We have used a Sony Playstation 3 to correctly predict the outcome of the 2008 US presidential elections. In order not to
influence the voters we keep our prediction secret, but commit to it by publishing its cryptographic hash on this website. The
document with the correct prediction and matching hash will be revealed after the elections.”
- Marc Stevens, Arjen Lenstra and Benne de Weger
3D515DEAD7AA16560ABA3E9DF05CBC80
But how could they have known!?!?
They didn’t.
Digital Signatures
[Diagram labels: MD5, hash, private key, encrypted, public key, hash, MD5, ✔]
Attacks
Collision Attack
[Diagram labels: hash, private key, encrypted, public key, hash, MD5, ✔; Changed Message, MD5, hash, encrypted, public key, hash, ✔]
Very Dangerous!
Birthday Attack
Relies on ‘Birthday Paradox’
First we calculate the chance no one has the same birthday
p(1)=100%
p(2)=(1)(1 - 1/365)
p(3)=(1)(1 - 1/365)(1 - 2/365)
To Generalize...
P(n) = 365! / (365^n (365-n)!)
23 50% chance
30 70.6% chance
50 97% chance
We can use this property to find out how many hashes must be calculated to find a collision.
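The birthday calculation carried through to hash digests, as an added example that is not from the talk. It goes beyond the slides by using the standard approximation P(n) ≈ exp(-n^2 / 2N) for N possible digests and by checking it on MD5 truncated to 24 bits; the truncation, the counter-based messages and the function names are this example's assumptions. The percentages on the slide are 1 - P(n), the chance that at least two people share a birthday.

```python
import hashlib
import math

def p_no_match(n: int, days: int = 365) -> float:
    """P(n) from the slide: chance that n people all have different birthdays."""
    p = 1.0
    for k in range(n):
        p *= 1 - k / days
    return p

def hashes_for_collision(bits: int, chance: float = 0.5) -> float:
    """Digests needed for `chance` of a collision, from P(n) ~ exp(-n^2 / 2N)."""
    return math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - chance)))

def truncated_md5(msg: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of the 128 bit MD5 digest."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)

def first_collision(bits: int = 24):
    """Hash constructed counter messages until two share a truncated digest."""
    seen = {}
    count = 0
    while True:
        msg = f"msg-{count}".encode()
        count += 1
        tag = truncated_md5(msg, bits)
        if tag in seen:
            return seen[tag], msg, count
        seen[tag] = msg

if __name__ == "__main__":
    for n in (23, 30, 50):
        print(n, f"{1 - p_no_match(n):.1%}")
    print(f"128 bit digest: about {hashes_for_collision(128):.3g} hashes")
    a, b, tries = first_collision(24)
    print(a, b, tries, f"(estimate {hashes_for_collision(24):.0f})")
```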
Current State of MD5
MD5 = Broken
The Future of Hashes
Submissions were due on October 30th
Currently Submitted
BLAKE
Blue Midnight Wish
Boole
CubeHash
Edon-R
EnRUPT
ESSENCE
Sgàil
Grøstl
Keccak
Maraca
MCSSHA-3
MD6
NaSHA
NKS2D
Ponic
SHAMATA
Skein
WaMM
Waterfall
Thank you for coming!
Any Questions?