Scribd
Upload
24 views

Hash Functions: EJ Jung

The document discusses hash functions and their properties including one-wayness, collision resistance, and weak collision resistance. It describes common cryptographic hash functions like MD5, SHA-1, and RIPEMD-160. It also covers how to use hash functions for authentication through HMAC and sharing secrets.

Uploaded by

Puran Nagda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
24 views

Hash Functions: EJ Jung

The document discusses hash functions and their properties including one-wayness, collision resistance, and weak collision resistance. It describes common cryptographic hash functions like MD5, SHA-1, and RIPEMD-160. It also covers how to use hash functions for authentication through HMAC and sharing secrets.

Uploaded by

Puran Nagda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

Hash Functions

EJ Jung

slide 1

Integrity checks

Integrity vs. Confidentiality


! Integrity: attacker cannot tamper with message
! Encryption may not guarantee integrity!
Intuition: attacker may able to modify message under
encryption without learning what it is
Given one-time key K, encrypt M as M!K Perfect secrecy, but
can easily change M under encryption to M!M for any M
Online auction: halve competitors bid without learning its value

This is recognized by industry standards (e.g., PKCS)


RSA encryption is intended primarily to provide
confidentiality It is not intended to provide integrity

Many encryption schemes provide secrecy AND integrity


slide 3

More on Integrity
VIRUS

badFile
goodFile

BigFirm

The Times

hash(goodFile)

User

Software manufacturer wants to ensure that the executable file


is received by users without modification
Sends out the file to users and publishes its hash in NY Times
The goal is integrity, not confidentiality
Idea: given goodFile and hash(goodFile),
very hard to find badFile such that hash(goodFile)=hash(badFile)
slide 4

Where to use hash functions


! Cookie
H(servers secret, clients unique information,
timestamp)

! Password storage
safe against server problems

Hash Functions
! Purpose of the HASH function is to produce
a fingerprint.
! But, what do you mean by fingerprint??

Henric Johnson

Secure Hash Functions


! Properties of a HASH function H :
1.
2.
3.
4.

H can be applied to a block of data at any size


H produces a fixed length output
H(x) is easy to compute for any given x.
For any given block x, it is computationally
infeasible to find x such that H(x) = h
5. For any given block x, it is computationally
infeasible to find y ! x with H(y) = H(x).
6. It is computationally infeasible to find any pair
(x, y) such that H(x) = H(y)

Henric Johnson

Simple hash function

Example

Hash Functions: Main Idea

hash function H

message

. x .

bit strings of any length

message
digest

.y
. y

n-bit bit strings

! H is a lossy compression function


Collisions: h(x)=h(x) for some inputs x, x
Result of hashing should look random (make this precise later)
Intuition: half of digest bits are 1; any bit in digest is 1 half the time

! Cryptographic hash function needs a few properties


slide 10

One-Way
! Intuition: hash should be hard to invert
Preimage resistance
Let h(x)=y"{0,1}n for a random x
Given y, it should be hard to find any x such that
h(x)=y

! How hard?
Brute-force: try every possible x, see if h(x)=y
SHA-1 (common hash function) has 160-bit output
Suppose have hardware thatll do 230 trials a pop
Assuming 234 trials per second, can do 289 trials per year
Will take 271 years to invert SHA-1 on a random image
slide 11

Birthday Paradox
! T people
! Suppose each birthday is a random number taken
from K days (K=365) how many possibilities?
KT (samples with replacement)

! How many possibilities that are all different?


(K)T = K(K-1)(K-T+1) samples without replacement

! Probability of no repetition?
(K)T/KT # 1 - T(T-1)/2K

! Probability of repetition?
O(T2)

Collision Resistance
! Should be hard to find x, x such that h(x)=h(x)
! Brute-force collision search is O(2n/2), not O(2n)
n = number of bits in the output of hash function
For SHA-1, this means O(280) vs. O(2160)

! Reason: birthday paradox


Let T be the number of values x,x,x we need to look
at before finding the first pair x,x s.t. h(x)=h(x)
Assuming h is random, what is the probability that we
find a repetition after looking at T values? O(T2)
Total number of pairs? O(2n)
Conclusion: T # O(2n/2)
slide 13

One-Way vs. Collision


Resistance
! One-wayness does not imply collision resistance
Suppose g is one-way
Define h(x) as g(x) where x is x except the last bit
h is one-way (to invert h, must invert g)
Collisions for h are easy to find: for any x, h(x0)=h(x1)

! Collision resistance does not imply one-wayness


Suppose g is collision-resistant
Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise
Collisions for h are hard to find: if y starts with 0, then there
are no collisions, if y starts with 1, then must find collisions in g
h is not one way: half of all ys (those whose first bit is 0) are
easy to invert (how?); random y is invertible with probab. 1/2
slide 14

Weak Collision Resistance


! Given randomly chosen x, hard to find x such
that h(x)=h(x)
Attacker must find collision for a specific x. By
contrast, to break collision resistance, enough to
find any collision.
Brute-force attack requires O(2n) time

! Weak collision resistance does not imply


collision resistance (why?)

slide 15

Which Property Do We Need?


! UNIX passwords stored as hash(password)
One-wayness: hard to recover password

! Integrity of software distribution


Weak collision resistance
But software images are not really random maybe
need full collision resistance

! Auction bidding
Alice wants to bid B, sends H(B), later reveals B
One-wayness: rival bidders should not recover B
Collision resistance: Alice should not be able to change
her mind to bid B such that H(B)=H(B)
slide 16

Common Hash Functions


! MD5
128-bit output
Still used very widely
Completely broken by now

! RIPEMD-160
160-bit variant of MD-5

! SHA-1 (Secure Hash Algorithm)


160-bit output
US government (NIST) standard as of 1993-95
Also the hash algorithm for Digital Signature Standard (DSS)
slide 17

Basic Structure of SHA-1


Against padding attacks

Split message into 512-bit blocks

160-bit buffer (5 registers)


initialized with magic values

Compression function
Applied to each 512-bit block
and current 160-bit buffer
This is the heart of SHA-1

slide 18

Block Ciphers
Block of plaintext
S

Key
For hashing, there is no KEY.
Use message as key and replace
plaintext with a fixed string.
(for example, Unix password hash is DES
applied to NULL with password as the key)

repeat for several rounds

Block of ciphertext
slide 19

SHA-1 Compression Function


Current buffer (five 32-bit registers A,B,C,D,E)
Current message block
Four rounds, 20 steps in each

Lets look at each step


in more detail

Very similar to a block cipher,


with message itself used
as the key for each round

Fifth round adds the original


buffer to the result of 4 rounds

Buffer contains final hash value


slide 20

One Step of SHA-1


A

Logic function for steps

5 bitwise
left-rotate

(B$C)%(B$D)
B!C!D
(B$C)%(B$D)%(C$D)
B!C!D

ft

0..19
20..39
40..59
60..79

+
Current message block mixed in

Multi-level shifting of message blocks

For steps 0..15, W0..15=message block


For steps 16..79,
Wt =Wt-16!Wt-14!Wt-8!Wt-3

Special constant added

30 bitwise
left-rotate

(80 steps total)

(same value in each 20-step round,


4 different constants altogether)

Wt
Kt

E
slide 21

How Strong Is SHA-1?


! Every bit of output depends on every bit of input
Very important property for collision-resistance

! Brute-force inversion requires 2160 ops, birthday


attack on collision resistance requires 280 ops
! Some recent weaknesses (2005)
Collisions can be found in 263 ops

slide 22

SHA-512 big picture

SHA-512 zoom in

Authentication
! Authenticity is identification and assurance of
origin of information
Well see many specific examples in different scenarios

network

slide 25

Authentication with Shared


Secrets
SECRET

SECRET

msg, H(SECRET,msg)

Alice

Bob

Alice wants to ensure that nobody modifies message in transit


(both integrity and authentication)
Idea: given msg,
very hard to compute H(SECRET, msg) without SECRET;
easy with SECRET
slide 26

Authentication Without
Encryption
KEY

MAC

KEY

(message authentication code)

message, MAC(KEY,message)

Alice

message

?
=

Bob

Recomputes MAC and verifies whether it is


equal to the MAC attached to the message

Integrity and authentication: only someone who knows KEY can


compute MAC for a given message
slide 27

HMAC
! Construct MAC by applying a cryptographic hash
function to message and key

Could also use encryption instead of hashing, but


Hashing is faster than encryption in software
Library code for hash functions widely available
Can easily replace one hash function with another
There used to be US export restrictions on encryption

! Invented by Bellare, Canetti, and Krawczyk (1996)


! Mandatory for IP security, also used in SSL/TLS
slide 28

Structure of HMAC
magic value (flips half of key bits)
Secret key padded
to block size

another magic value


(flips different key bits)

Block size of embedded hash function

Embedded hash function


(strength of HMAC relies on
strength of this hash function)

Black box: can use this HMAC


construction with any hash function
(why is this important?)

Amplify key material


(get two keys out of one)

Very common problem:


given a small secret, how to
derive a lot of new keys?

hash(key,hash(key,message))

slide 29

You might also like