This preview shows page 1. Sign up to view the full content.
Unformatted text preview: Cryptography and Network Security Chapter 11
Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 11 Cryptographic Hash Functions
Each of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or row of numbers. No efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was there any clue as to what the preliminary number and those ultimate numbers signified. Talking to Strange Men, Ruth Rendell Outline will consider: hash functions uses, requirements, security Hash Functions condenses arbitrary message to fixed size h = H(M) usually assume hash function is public hash used to detect changes to message want a cryptographic hash function computationally infeasible to find data mapping to specific hash (oneway property) computationally infeasible to find two different data with same hash (collisionfree property) hash functions based on block ciphers SHA1, SHA2, SHA3 Cryptographic Hash Function
Hash Functions & Message Authentication Hash Functions & Digital Signatures Other Hash Function Uses to create a oneway password file store hash of password not actual password for intrusion detection and virus detection keep & check hash of files on system pseudorandom function (PRF) or pseudorandom number generator (PRNG) Two Simple Insecure Hash Functions consider two simple insecure hash functions bitbybit exclusiveOR (XOR) of every block Ci = bi1 XOR bi2 XOR ... XOR bim a longitudinal redundancy check reasonably effective as data integrity check onebit circular shift on hash value for each successive nbit block rotate current hash value left by 1 bit and XOR block good for data integrity but useless for security 06/03/10 Hash Function Requirements Attacks on Hash Functions have bruteforce attacks and cryptanalysis a preimage or second preimage attack find y s.t. H(y) equals a given hash value collision resistance find two messages x and y with same hash H(x) = H(y) hence value 2m/2 determines strength of hash code against bruteforce attacks 128bits inadequate, 160bits suspect Birthday Attacks might think a 64bit hash is secure but by Birthday Paradox is not birthday attack works thus: given user prepared to sign a valid message x m opponent generates 2 /2 variations x' of x, all with x' essentially the same meaning, and saves them m opponent generates 2 /2 variations y' of a desired y' fraudulent message y two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature
06/03/10 conclusion is that need to use larger MAC/hash 06/03/10 06/03/10 Hash Function Cryptanalysis cryptanalytic attacks exploit some property of alg, so faster than exhaustive search hash functions use iterative structure process message in blocks (incl length) attacks focus on collisions in function f Block Ciphers as Hash Functions can use block ciphers as hash functions using H0 = 0 and zeropad of final block compute: Hi = Emi(Hi1) and use final block as the hash value similar to CBC but without a key Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA1 US standard for use with DSA signature scheme standard is FIPS 1801 1995, also Internet RFC3174 180 nb. the algorithm is SHA, the standard is SHS nb. resulting hash is too small (64bit) both due to direct birthday attack and to "meetinthemiddle" attack other variants also susceptible to attack based on design of MD4 with key differences produces 160bit hash values recent 2005 results on security of SHA1 have raised concerns on its use in future applications Revised Secure Hash Standard NIST issued revision FIPS 1802 in 2002 adds 3 additional versions of SHA SHA256, SHA384, SHA512 SHA Versions designed for compatibility with increased security provided by the AES cipher structure and detail is similar to SHA1 hence analysis should be similar but security levels are rather higher SHA512 Compression Function heart of the algorithm processing message in 1024bit blocks consists of 80 rounds per block updating a 512bit buffer using a 64bit value Wt derived from the current message block and a round constant based on cube root of first 80 prime numbers SHA512 Overview Hi Initial Values
Processing one 1024 bit block 06/03/10 06/03/10 Ki SHA512 Round Function
Bitw. Ifte Bitw. Maj vote XOR of 3 ROTR Addition mod 264 06/03/10 SHA512 Round Function SHA3 In hashes, nothing secret, easier to attack SHA1 not yet "broken", but similar to MD5 and SHA0, so considered insecure SHA2 (esp. SHA512) seems secure XOR of 3 ROTR/SHR shares same structure and mathematical operations as predecessors so have concern
Addition mod 264 NIST announced in 2007 a competition for the SHA3 next gen NIST hash function goal to have in place by 2012 but not fixed SHA3 Requirements replace SHA2 with SHA3 in any use so use same hash sizes preserve the online nature of SHA2 so must process small blocks (512 / 1024 bits) evaluation criteria security close to theoretical max for hash sizes cost in time and memory characteristics: such as flexibility and simplicity ...
View Full
Document
 Spring '10
 BIJU

Click to edit the document details