
CS 285 Network Security

Hash Algorithm

Yuan Xue
Fall 2013

@Yuan Xue (yuan.xue@vanderbilt.edu) CS 285: Network Security


Message authentication code
• Use a shared secret key
• Provide data integrity protection + source authentication
Limitations
• CBC-based MAC generation still involves high computation overhead


Motivation for Hash Algorithms
Intuition
• Re-examine the non-cryptographic checksum.
• Main limitation
  • An attacker is able to construct a message that matches the checksum
Goal
• Design a code where the original message cannot be inferred based on its checksum → design of hash algorithms.


Requirements for Hash function
A hash function H takes a message M of variable length and transforms it into a fixed-length value h
• h = H(M) -- (cryptographic) hash value, message digest, digest.
• such that an accidental or intentional change to the message will change the hash value.
A hash function H must have the following properties:
• One-way property: for any given value h, it is computationally infeasible to find x such that H(x) = h.
• Weak collision resistance: for any given message x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
• Strong collision resistance: it is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

Hash Function Applications
Used alone
• Ordinary hash functions – index data in hash table
• Fingerprint -- file integrity verification, public key fingerprint
• Password storage (one-way encryption)
Combined with encryption functions
• Message authentication code
• Digital signature
• Other authentication forms


[Figure: hash function combined with encryption. Panel labels: Confidentiality and authentication; Authentication; Authentication, digital signature]

[Figure, continued. Panel labels: Authentication, digital signature, confidentiality; Authentication (no encryption needed!); Authentication, confidentiality]


HMAC
Hash function works with a symmetric key to provide message authentication
Two methods
• (1) MAC = E[K, H(M)]
• (2) MAC = H[M||S] → Idea for HMAC


HMAC Structure
• K+ = K padded with 0 on the left (b bits in total)
• ipad = 00110110 (36 in hex) repeated b/8 times
• opad = 01011100 (5C in hex) repeated b/8 times

HMAC(K,M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]



Overview of Hash Algorithms
There is a long list of cryptographic hash functions. Two popular examples:

MD5
• Message-Digest algorithm 5
• By Ronald Rivest in 1991, based on MD4
• Digest length: 128-bit
• Weak collision resistance
• Vulnerable to collision attack (no strong collision resistance)
SHA hash functions (all by NSA)
• SHA-0 in 1993; 160-bit hash value
• SHA-1 in 1995; 160-bit hash value
  • widely used, once considered as the successor to MD5
• SHA-2
  • SHA-224, SHA-256, SHA-384, SHA-512
  • Digest length (based on name)
• SHA-0 and SHA-1 are vulnerable to collision attacks
  • Recent result on SHA-1: collision attack on SHA-1 that would allow an attacker to select at least parts of the message.

Hash Algorithm Design
Iterative use of compression function
Compression function
• Specifically designed for the hash function
• Based on symmetric block cipher


Hash Algorithm Design – MD5
1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer
   Word A = 01 23 45 67
   Word B = 89 AB CD EF
   Word C = FE DC BA 98
   Word D = 76 54 32 10

Hash Algorithm Design – MD5
[Figure: MD5 block processing. Labels: 16 steps; X[k] = M[q*16+k] (32 bit); constructed from sine function]
• The ith 32-bit word in matrix T, constructed from the sine function
• M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg
[Figure: Single step]
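
The MD5 steps listed on these slides (padding, length, buffer initialisation, the sine-derived matrix T and the X[k] = M[q*16+k] word selection), put together as a small reference implementation and checked against `hashlib` (an added example, not part of the original slides). The four round functions, the word order within each round and the rotation amounts are taken from RFC 1321 and do not appear on the slides; the function names are chosen here.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amounts for the 64 steps (four rounds of 16 steps, per RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Matrix T: the integer part of 2^32 * |sin(i + 1)|, with i + 1 in radians.
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_pad(msg: bytes) -> bytes:
    """Steps 1 and 2: pad to 448 mod 512 bits, then append the 64-bit length."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"                          # a single 1 bit, then zero bits
    padded += b"\x00" * ((56 - len(padded)) % 64)   # 56 bytes = 448 bits
    return padded + struct.pack("<Q", bit_len)      # length in bits, little-endian


def md5(msg: bytes) -> bytes:
    data = md5_pad(msg)
    # Step 3: the bytes 01 23 45 67 ... are read as little-endian 32-bit words.
    a0, b0, c0, d0 = struct.unpack("<4I", bytes.fromhex("0123456789abcdeffedcba9876543210"))
    for q in range(len(data) // 64):
        X = struct.unpack("<16I", data[64 * q: 64 * q + 64])  # X[k] = M[q*16 + k]
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, k = (b & c) | (~b & d), i
            elif i < 32:
                f, k = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:
                f, k = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, k = c ^ (b | (~d & MASK)), (7 * i) % 16
            step = (a + f + X[k] + T[i]) & MASK               # single step
            a, b, c, d = d, (b + rotl(step, S[i])) & MASK, b, c
        # Add the block's result into the running buffer.
        a0, b0, c0, d0 = [(x + y) & MASK for x, y in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)
```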



Put into practice



Security of Hash Algorithms
Why are collisions bad?
• preimage attacks (one-way property)
• second preimage attacks (weak collision resistance)
• birthday attack (strong collision resistance)
Length-extension attacks
• given h(m) and len(m) but not m, by choosing a suitable m' an attacker can calculate h(m || m'). This property can be used to break naive authentication schemes based on hash functions.
• The HMAC construction works around these problems.


Preimage and Second Preimage Attacks
Preimage attack: Given a hash value h, an attacker wishes to find a message x such that H(x) = h. (violates the one-way property)
Second preimage attack: Given a message y with hash value h = H(y), an attacker wishes to find another message x ≠ y such that H(x) = h. (violates weak collision resistance)
Brute-force attack complexity:
• How many messages/attempts (on average) does an attacker have to prepare in order to find a message x such that H(x) = h?
• Let the number of messages/attempts that an attacker has to prepare in order to find a collision be a random variable N.
• N follows a geometric distribution with parameter 1/2^h. The mean value of N is 2^h.
• Thus h has to be long enough

Birthday Attack
Alice wants to get Bob’s signature on a fraudulent contract. Suppose that an h-bit hash is used
• On average, how many fraudulent contracts does Alice need to try to find one that matches the hash code of the fair contract? [recall second preimage attack: 2^h]
A better approach – birthday attack
• Alice prepares a fair contract m and a fraudulent one m'. She then finds a number of positions where m can be changed without changing the meaning
• By combining these changes, she can create a huge number of variations on m which are all fair contracts.
• In a similar manner, Alice also creates a huge number of variations on the fraudulent contract m'. She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, f(m) = f(m').
• She presents the fair version to Bob for signing. After Bob has signed, Alice takes the signature and attaches it to the fraudulent contract. This signature then "proves" that Bob signed the fraudulent contract.
• How many contracts does Alice need to try this time?

Birthday Problem
Birthday problem (http://en.wikipedia.org/wiki/Birthday_problem)
For an h-bit hash value, the brute-force attack complexity is 2^(h/2).
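
The 2^(h/2) figure can be observed directly on a deliberately short hash, which is why a signature scheme needs a digest about twice as long as preimage resistance alone would require. The following is an added example, not part of the original slides: the contract texts are constructed, the h-bit hash is modelled as the top h bits of SHA-256, and the "positions that can be changed without changing the meaning" are modelled as one or two spaces after each word.

```python
import hashlib

# Constructed sample contracts (19 words each, so 2^19 variations of each).
FAIR = ("Bob agrees to pay Alice one hundred dollars for the delivery "
        "of ten books by the end of May").split()
FRAUD = ("Bob agrees to pay Alice nine thousand dollars for the delivery "
         "of two books by the end of May").split()


def truncated_hash(msg: bytes, bits: int) -> int:
    """Stand-in for an h-bit hash: the top `bits` bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def variant(words, i: int) -> bytes:
    """Variation number i: bit j of i puts one or two spaces after word j."""
    return "".join(w + ("  " if (i >> j) & 1 else " ")
                   for j, w in enumerate(words)).encode()


def birthday_attack(bits: int):
    """Return (fair, fraudulent, hashes_computed) with equal truncated hashes."""
    fair_seen, fraud_seen = {}, {}
    for i in range(2 ** len(FAIR)):
        fair, fraud = variant(FAIR, i), variant(FRAUD, i)
        h_fair, h_fraud = truncated_hash(fair, bits), truncated_hash(fraud, bits)
        fair_seen[h_fair], fraud_seen[h_fraud] = fair, fraud
        if h_fair in fraud_seen:       # a fair variation matches a stored fraudulent one
            return fair, fraud_seen[h_fair], 2 * (i + 1)
        if h_fraud in fair_seen:       # a fraudulent variation matches a stored fair one
            return fair_seen[h_fraud], fraud, 2 * (i + 1)
    raise RuntimeError("variation space exhausted; use longer contracts")


if __name__ == "__main__":
    for h in (16, 20, 24):
        _, _, n = birthday_attack(h)
        print(f"h={h}: {n} hashes computed; 2^(h/2)={2 ** (h // 2)}, 2^h={2 ** h}")
```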



Birthday Attack
To avoid the birthday attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible
• About twice as many bits as are needed to prevent a preimage or second preimage attack.


Security of Hash Algorithms
When we say a hash algorithm is broken by cryptographic analysis, we mean that the time to identify collisions using the analysis is less than the time taken by a brute-force attack.
Many hash algorithms have been found to be vulnerable and should not be used.
• In August 2004 weaknesses were found in a number of hash functions that were popular at the time, including SHA-0, RIPEMD, and MD5.
• As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008. In February 2005, a successful attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function. In August 2005, another successful attack on SHA-1 was reported, finding collisions in 2^63 operations.

Readings
Required Reading
• [WS] 11.1-11.5
• [KPS] 5.5
• http://en.wikipedia.org/wiki/MD5
• http://en.wikipedia.org/wiki/Birthday_attack
Recommended Reading
• [WS] 11.6
• [KPS] 5.1-5.2
