Cryptography and Network Security

Cryptography and

Cryptography and

Network Security

Network Security

Chapter 11

Chapter 11

Fifth Edition

Fifth Edition

by William Stallings

by William Stallings

Chapter 11 – Cryptographic

Chapter 11 – Cryptographic

Hash Functions

Hash Functions

Each of the messages, like each one he had ever Each of the messages, like each one he had ever

read of Stern's commands, began with a number read of Stern's commands, began with a number and ended with a number or row of numbers. No and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts efforts on the part of Mungo or any of his experts

had been able to break Stern's code, nor was had been able to break Stern's code, nor was

there any clue as to what the preliminary number there any clue as to what the preliminary number

and those ultimate numbers signified. and those ultimate numbers signified.

—

Hash Functions

Hash Functions



_{condenses arbitrary message to fixed size}

_{condenses arbitrary message to fixed size}

h = H(M)

h = H(M)



_{usually assume hash function is public}

_{usually assume hash function is public}



_{hash used to detect changes to message}

_{hash used to detect changes to message}



_{want a cryptographic hash function}

_{want a cryptographic hash function}

computationally infeasible to find data mapping _{computationally infeasible to find data mapping} to specific hash (one-way property)

to specific hash (one-way property)

computationally infeasible to find two data to _{computationally infeasible to find two data to} same hash (collision-free property)

Hash Function Uses

Hash Function Uses



_{Message Integrity Check (MIC)}

_{Message Integrity Check (MIC)}

_{send hash of message (digest)send hash of message (digest)}

MIC always encrypted, message optionally_{MIC always encrypted, message optionally}



_{Message Authentication Code (MAC)}

_{Message Authentication Code (MAC)}

_{send keyed hash of message send keyed hash of message}

_{MAC, message optionally encryptedMAC, message optionally encrypted}



_{Digital Signature (non-repudiation)}

_{Digital Signature (non-repudiation)}

Encrypt hash with private (signing) key_{Encrypt hash with private (signing) key}

Hash Functions & Message

Hash Functions & Message

Authentication

Authentication

Unkeyed Hash

a) Message encrypted

Hash Functions & Message

Hash Functions & Message

Authentication

Authentication

Keyed Hash

a) Message unencrypted

Hash Functions & Digital

Hash Functions & Digital

Signatures - PKCS

Other Hash Function Uses

Other Hash Function Uses



_{pseudorandom function (PRF)}

_{pseudorandom function (PRF)}

_{Generate session keys, noncesGenerate session keys, nonces} Produce key from password_{Produce key from password}

Derive keys from master key cooperatively_{Derive keys from master key cooperatively}



_{pseudorandom number generator}

_{pseudorandom number generator}

(PRNG)

(PRNG)

Vernam Cipher/OTP_{Vernam Cipher/OTP}

More Hash Function Uses

More Hash Function Uses



_{to create a one-way password file}

_{to create a one-way password file}

store hash of password not actual _{store hash of password not actual} passwordpassword

e.g., Unix, Windows NT, etc._{e.g., Unix, Windows NT, etc.}

salt to deter precomputation attacks_{salt to deter precomputation attacks}

_{Rainbow tablesRainbow tables}



_{for intrusion detection and virus detection}

_{for intrusion detection and virus detection}

keep & check hash of files on system_{keep & check hash of files on system}

Lamport One-time Passwords

Lamport One-time Passwords



_{Password safety in distributed system}

_{Password safety in distributed system}

_{server compromise does not compromise Pserver compromise does not compromise P} interception of authentication exchange does _{interception of authentication exchange does}

not compromise password either not compromise password either



Alice picks Password P

Alice picks Password P

Hashes password N times, HHashes password N times, HNN(P_(P A

A))

Server stores (Alice, N, HServer stores (Alice, N, HNN(P_(P A

A))))

Attacker can’t get PAttacker can’t get P_AA from H from HNN(P_(P A

Lamport One-time Passwords

Lamport One-time Passwords



_Protocol

_Protocol

_{Alice sends “I’m Alice”Alice sends “I’m Alice”} Server sends “N-1”_{Server sends “N-1”}

Alice sends “X” where X=HAlice sends “X” where X=HN-1N-1(P_(P A

A))

Server verifies H(X) = HServer verifies H(X) = HNN(P_(P A

A))

Server updates to (Alice, N-1, X)_{Server updates to (Alice, N-1, X)}



Attacker still can’t get P

Attacker still can’t get P

or

or

authenticate as Alice

Two Simple Insecure Hash

Two Simple Insecure Hash

Functions

Functions



_{consider two simple insecure hash functions}

_{consider two simple insecure hash functions}



_{bit-by-bit exclusive-OR (XOR) of every block}

_{bit-by-bit exclusive-OR (XOR) of every block}

CC_ii = b = b_i1i1 xor b xor b_i2i2 xor . . . xor b xor . . . xor b_imim

a longitudinal redundancy check_{a longitudinal redundancy check}

reasonably effective as data integrity check_{reasonably effective as data integrity check}



_{one-bit circular shift on hash value}

_{one-bit circular shift on hash value}

for each successive _{for each successive} n-bit n-bit blockblock

• rotate current hash value to left by1bit and XOR block_{rotate current hash value to left by1bit and XOR block}

Hash Function Requirements

Attacks on Hash Functions

Attacks on Hash Functions



_{have brute-force attacks and cryptanalysis}

_{have brute-force attacks and cryptanalysis}



_{a preimage or second preimage attack}

_{a preimage or second preimage attack}

find _{find yy} s.t. s.t. _{H(y) H(y)} equals a given hash value equals a given hash value



_{collision resistance}

_{collision resistance}

_{find two messages find two messages xx & & yy with same hash so with same hash so}

H(x) = H(y)

H(x) = H(y)



_{hence value 2}

_{hence value 2}

determines strength of

_{determines strength of}

hash code against brute-force attacks

hash code against brute-force attacks

Birthday Attacks

Birthday Attacks

 _{might think a 64-bit hash is securemight think a 64-bit hash is secure}  but by _{but by} Birthday ParadoxBirthday Paradox is not is not

 birthday attack _{birthday attack} works thus:works thus:

 given user prepared to sign a valid message x_{given user prepared to sign a valid message x}

 _{opponent generates 2opponent generates 2}mm//_{22variations x’ of x, all with variations x’ of x, all with}

essentially the same meaning, and saves them

essentially the same meaning, and saves them

 _{opponent generates 2opponent generates 2}mm//_{22variations y’ of a desired variations y’ of a desired}

fraudulent message y

fraudulent message y

 two sets of messages are compared to find pair with _{two sets of messages are compared to find pair with}

same hash (probability > 0.5 by birthday paradox)

same hash (probability > 0.5 by birthday paradox)

 have user sign the valid message, then substitute the _{have user sign the valid message, then substitute the}

forgery which will have a valid signature

forgery which will have a valid signature

Birthday Attacks

Birthday Attacks

y _{y’y’11 y’y’22} … _y’y’jj … _y’y’NN x

x ≠ ≠ ≠ ≠ ≠

x’

x’₁₁ ≠ ≠ ≠ ≠ ≠

x’

x’₂₂ ≠ ≠ ≠ ≠ ≠

… x’

x’_ii ≠ ≠ ≠

=

… x’

x’_NN ≠ ≠ ≠ ≠ ≠

Find i and j such that H(y’_j)=H(x’_i)

Table takes O(N2_{) time}

Faster …

Sorted lists

Birthday Attacks

Birthday Attacks



_{What are chances we get a match?}

_{What are chances we get a match?}



_{N distinct values, k randomly chosen ones}

_{N distinct values, k randomly chosen ones}

P(N,i) = prob(i randomly selected values from _{P(N,i) = prob(i randomly selected values from} 1..N have at least one match)

1..N have at least one match)

P(N,2) = 1/N_{P(N,2) = 1/N}

P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)_{P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)}



_{For P(N,k)>0.5, need k}

_{For P(N,k)>0.5, need k}

_≈

_≈

_N

_N

Hash Function Cryptanalysis

Hash Function Cryptanalysis



_{cryptanalytic attacks exploit some property}

_{cryptanalytic attacks exploit some property}

of alg so faster than exhaustive search

of alg so faster than exhaustive search



_{hash functions use iterative structure}

_{hash functions use iterative structure}

_{process message in blocks (incl length)process message in blocks (incl length)}

Block Ciphers as Hash

Block Ciphers as Hash

Functions

Functions



_{can use block ciphers as hash functions}

_{can use block ciphers as hash functions}

using Husing H₀₀=0 and zero-pad of final block=0 and zero-pad of final block

compute: Hcompute: H_ii = E = E_MMii [H [H_i-1i-1]]

and use final block as the hash value_{and use final block as the hash value}

similar to CBC but without a key_{similar to CBC but without a key}



_{resulting hash is too small (64-bit)}

_{resulting hash is too small (64-bit)}

both due to direct birthday attack_{both due to direct birthday attack}

and to “meet-in-the-middle” attack_{and to “meet-in-the-middle” attack}

Block Ciphers as Hash

Block Ciphers as Hash

Functions

Functions

Block cipher key length B

Pad Message M to multiple of B Break padded M into L blocks L = |M|/B

M = M₁ M₂ … M_L

Use blocks of M as keys in block

cipher, iteratively encrypt state value starting with constant H₀ resulting in hash value

Secure Hash Algorithm

Secure Hash Algorithm

 _{SHA originally designed by NIST & NSA in 1993SHA originally designed by NIST & NSA in 1993}  was revised in 1995 as SHA-1_{was revised in 1995 as SHA-1}

 US standard for use with DSA signature scheme _{US standard for use with DSA signature scheme}

 standard is FIPS 180-1 1995, also Internet RFC3174_{standard is FIPS 180-1 1995, also Internet RFC3174}

 nb. the algorithm is SHA, the standard is SHS _{nb. the algorithm is SHA, the standard is SHS}

 based on design of MD4 with key differences _{based on design of MD4 with key differences}

 produces 160-bit hash values _{produces 160-bit hash values}

Revised Secure Hash

Revised Secure Hash

Standard

Standard



_{NIST issued revision FIPS 180-2 in 2002}

_{NIST issued revision FIPS 180-2 in 2002}



adds 3 additional versions of SHA

_{adds 3 additional versions of SHA}

SHA-256, SHA-384, SHA-512_{SHA-256, SHA-384, SHA-512}



_{designed for compatibility with increased}

_{designed for compatibility with increased}

security provided by the AES cipher

security provided by the AES cipher



structure & detail is similar to SHA-1

_{structure & detail is similar to SHA-1}



hence analysis should be similar

_{hence analysis should be similar}

SHA-512 Compression

SHA-512 Compression

Function

Function



_{heart of the algorithm}

_{heart of the algorithm}



_{processing message in 1024-bit blocks}

_{processing message in 1024-bit blocks}



_{consists of 80 rounds}

_{consists of 80 rounds}

_{updating a 512-bit buffer updating a 512-bit buffer}

using a 64-bit value Wt derived from the _{using a 64-bit value Wt derived from the} current message block

current message block

_{and a round constant based on cube root of and a round constant based on cube root of}

SHA-512

SHA-3

SHA-3



_{SHA-1 not yet "broken”}

_{SHA-1 not yet "broken”}

but similar to broken MD5 & SHA-0_{but similar to broken MD5 & SHA-0}

so considered insecure_{so considered insecure}



_{SHA-2 (esp. SHA-512) seems secure}

_{SHA-2 (esp. SHA-512) seems secure}

shares same structure and mathematical _{shares same structure and mathematical}

operations as predecessors so have concern operations as predecessors so have concern



_{NIST announced in 2007 a competition for}

_{NIST announced in 2007 a competition for}

the SHA-3 next gen NIST hash function

the SHA-3 next gen NIST hash function

SHA-3 Requirements

SHA-3 Requirements



_{replace SHA-2 with SHA-3 in any use}

_{replace SHA-2 with SHA-3 in any use}

so use same hash sizes_{so use same hash sizes}



_{preserve the online nature of SHA-2}

_{preserve the online nature of SHA-2}

so must process small blocks (512 / 1024 bits)_{so must process small blocks (512 / 1024 bits)}



_{evaluation criteria}

_{evaluation criteria}

security close to theoretical max for hash sizes_{security close to theoretical max for hash sizes}

cost in time & memory _{cost in time & memory}

Summary

Summary



_{have considered:}

_{have considered:}

hash functions_{hash functions}

• uses, requirements, security_{uses, requirements, security}