ch11 Hash Functions.ppt

  • View
    6

  • Download
    5

Embed Size (px)

Transcript

  • Cryptography and Network SecurityChapter 11Fifth Editionby William Stallings

    Lecture slides by Lawrie Brown

  • Chapter 11 Cryptographic Hash FunctionsEach of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was there any clue as to what the preliminary number and those ultimate numbers signified.Talking to Strange Men, Ruth Rendell

  • message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution)will consider the security requirementsthen three alternative functions used:message encryptionmessage authentication code (MAC)hash function

    Message Authentication*

  • disclosuretraffic analysismasqueradecontent modificationsequence modificationtiming modificationsource repudiationdestination repudiationSecurity Requirements*

  • Security Requirements ContDisclosure:Release of message contents to any person or process not possessing the appropriate cryptographic key.

    Traffic analysisDiscovery of the pattern of traffic between parties.

    MasqueradeInsertion of messages into the network from a fraudulent source.

  • Security Requirements ContContent modificationChanges to the contents of message, including insertion, deletion, transposition, and modification.

    Sequence modificationAny modification to a sequence of messages between parties, including insertion, deletion, and reordering.

    Timing modificationDelay or replay of messages.

  • Security Requirements ContSource repudiation(Denial)Denial of transmission of message by source

    Destination repudiationDenial of receipt of message by destination

  • Hash FunctionsA hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M) usually assume hash function is publichash used to detect changes to messagewant a cryptographic hash functioncomputationally infeasible to find data mapping to specific hash (one-way property)computationally infeasible to find two data to same hash (collision-free property)

  • Cryptographic Hash Function

  • Hash Functions & Message Authent-icationSymmetric encryption usedProvide authentication & confidentialityOnly hash code encryptedReduces the processing burden for those applications that do not require confidentiality.no encryption for message authenticationBecause the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.Confidentiality can be added to the approach of (c) by encrypting the entire message plus the hash cod.

  • Hash Functions & Digital Signatures

  • Other Hash Function Usesto create a one-way password filestore hash of password not actual passwordfor intrusion detection and virus detectionkeep & check hash of files on systempseudorandom function (PRF) or pseudorandom number generator (PRNG)

  • Two Simple Insecure Hash Functionsconsider two simple insecure hash functionsbit-by-bit exclusive-OR (XOR) of every blockCi = bi1 xor bi2 xor . . . xor bim a longitudinal redundancy checkreasonably effective as data integrity checkone-bit circular shift on hash valuefor each successive n-bit blockrotate current hash value to left by1bit and XOR blockgood for data integrity but useless for security

  • Hash Function Requirements

  • Attacks on Hash Functionshave brute-force attacks and cryptanalysisa preimage or second preimage attackfind y s.t. H(y) equals a given hash value collision resistancefind two messages x & y with same hash so H(x) = H(y) hence value 2m/2 determines strength of hash code against brute-force attacks128-bits inadequate, 160-bits suspect

  • Birthday Attacksmight think a 64-bit hash is securebut by Birthday Paradox is notbirthday attack works thus:given user prepared to sign a valid message xopponent generates 2m/2 variations x of x, all with essentially the same meaning, and saves themopponent generates 2m/2 variations y of a desired fraudulent message ytwo sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)have user sign the valid message, then substitute the forgery which will have a valid signatureconclusion is that need to use larger MAC/hash

  • Hash Function Cryptanalysiscryptanalytic attacks exploit some property of alg so faster than exhaustive searchhash functions use iterative structureprocess message in blocks (incl length)attacks focus on collisions in function f

  • Block Ciphers as Hash Functionscan use block ciphers as hash functionsusing H0=0 and zero-pad of final blockcompute: Hi = EMi [Hi-1]and use final block as the hash valuesimilar to CBC but without a keyresulting hash is too small (64-bit)both due to direct birthday attackand to meet-in-the-middle attackother variants also susceptible to attack

  • Secure Hash AlgorithmSHA originally designed by NIST & NSA in 1993was revised in 1995 as SHA-1US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174nb. the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

  • Revised Secure Hash StandardNIST issued revision FIPS 180-2 in 2002adds 3 additional versions of SHA SHA-256, SHA-384, SHA-512designed for compatibility with increased security provided by the AES cipherstructure & detail is similar to SHA-1hence analysis should be similarbut security levels are rather higher

  • SHA Versions

  • SHA-512 Overview

  • SHA-512 Compression Functionheart of the algorithmprocessing message in 1024-bit blocksconsists of 80 roundsupdating a 512-bit buffer using a 64-bit value Wt derived from the current message blockand a round constant based on cube root of first 80 prime numbers

  • SHA-512 Round Function

  • SHA-512 Round Function

  • SHA-3SHA-1 not yet "brokenbut similar to broken MD5 & SHA-0so considered insecureSHA-2 (esp. SHA-512) seems secureshares same structure and mathematical operations as predecessors so have concernNIST announced in 2007 a competition for the SHA-3 next gen NIST hash functiongoal to have in place by 2012 but not fixed

  • SHA-3 Requirementsreplace SHA-2 with SHA-3 in any useso use same hash sizespreserve the online nature of SHA-2so must process small blocks (512 / 1024 bits)evaluation criteriasecurity close to theoretical max for hash sizescost in time & memory characteristics: such as flexibility & simplicity

  • Summaryhave considered:hash functionsuses, requirements, securityhash functions based on block ciphersSHA-1, SHA-2, SHA-3

    *Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 11 Cryptographic Hash Functions.

    *Opening quote.

    *Up untill now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy. Message Authentication is concerned with: protecting the integrity of a message, validating identity of originator, & non-repudiation of origin (dispute resolution). There are three types of functions that may be used to produce an authenticator: message encryption, message authentication code (MAC), or a hash function.

    *In the context of communications across a network, the attacks listed above can be identified.The first two requirements belong in the realm of message confidentiality, and are handled using the encryption techniques already discussed.The remaining requirements belong in the realm of message authentication. At its core this addresses the issue of ensuring that a message comes from the alleged source and has not been altered. It may also address sequencing and timeliness. The use of a digital signature can also address issues of repudiation by the source. *A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M). A "good" hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed, and apparently random. In general terms, the principal object of a hash function is data integrity. A change to any bit or bits in M results, with high probability, in a change to the hash code. The kind of hash function needed for security applications is referred to as a cryptographic hash function. A cryptographic hash function is an algorithm for which it is computationally infeasible (because no attack is significantly more efficient than brute force) to find either (a) a data object that maps to a pre-specified hash result (the one-way property) or (b) two data objects that map to the same hash result (the collision-free property). Because of these characteristics, hash functions are often used to determine whether or not data has changed. Stallings Figure 11.1 depicts the general operation of a cryptographic hash function. Typically, the input is padded out to an integer multiple of some fixed length (e.g., 1024 bits) and the padding includes the value of the length of the original message in bits. The length field is a security measure to increase the difficulty for an attacker to produce an alternati