2007 8 Sha

Secure hash algorithms like SHA-1 produce a condensed representation of a message called a message digest. Later versions like SHA-256 were created with longer digests to provide more security against attacks. These algorithms are widely used for applications requiring data integrity and authentication, including PGP encryption, SSH, TLS/SSL, IPSec, and S/MIME.

Uploaded by sudarson59
Copyright: © Attribution Non-Commercial (BY-NC)
Secure Hash Algorithms
Kevin Casey, Adam Cohen, Ju Kim

Overview
• General Overview of Cryptography
• Variations of Hash Algorithms
• Differences between Secure Hash
Algorithms
• Cryptanalysis of SHA
• Applications
• Conclusion
Cryptography Variations
• UNIX Crypt
– The UNIX hashing algorithm
– crypt is relatively obscure and rarely used for e-mail attachments or as a file format
– crypt is considered far too cryptographically weak to withstand brute-force attacks by modern computing systems
• MD4
– A one-way hash function that produces a 128-bit hash, or message digest.
– If as little as a single bit value in the file is modified, the MD4 checksum for the file will change.
– Forgery of a file in a way that will cause MD4 to generate the same result as that for the original file is considered extremely difficult.
• MD5
– An improved, and more complex, version of MD4
– circa 1992
– 128-bit hash
– "almost broken" by Hans Dobbertin circa 1995
– Fully broken by a collision attack (Wang et al., 2004)
• Data Encryption Standard (DES)
– Symmetric, Feistel cipher
– Key size (in bits): 112 or 168
– Time to crack (assume a machine could try 2^55 keys per second - NIST): 4.6 billion years
• Advanced Encryption Standard (AES)
– Symmetric, block cipher
– Key size (in bits): 128, 192, 256
– Time to crack (assume a machine could try 2^55 keys per second - NIST): 149 trillion years
• Secure Hash Algorithm (SHA)
– produces a 160-bit hash, longer than MD5.
– The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

Flavors of SHA
• SHA-0
• SHA-1*
• SHA-224*
• SHA-256*
• SHA-384*
• SHA-512*

*FIPS-approved algorithm for generating a condensed representation of a message (message digest)

SHA History
• 1993
– The hash function SHA-0 was issued as a federal standard by NIST
• 1995
– SHA-1 published as the successor to SHA-0
• 2002
– SHA-2 variants: SHA-256, SHA-384, and SHA-512 published
• 2004
– SHA-224 published

* No known weaknesses have been found with the SHA-2 variants (at this time)

SHA-0 vs SHA-1
• 160-bit output, 160-bit internal state
• SHA-1 (as well as SHA-0) produces a 160-bit digest from a message with a maximum length of 2^64 − 1 bits and is based on design principles of MD4
• The only difference between the two hash functions is the additional rotation operation in the message expansion of SHA-1, which is supposed to provide more security
• On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to 2^63

Secure Hash Algorithm

• SHA-1, SHA-256, SHA-384, and SHA-512
• All four of the algorithms are iterative, one-way hash functions
• They process a message to produce a condensed representation called a message digest
• These algorithms enable the determination of a message’s integrity
– Any change to the message will, with a very high probability, result in a different message digest
– This property is useful in the generation and verification of digital signatures and message authentication codes, and in the generation of random numbers (bits).

The Algorithm

• Each algorithm can be described in two stages:
– Preprocessing
  • Preprocessing involves padding a message, parsing the padded message into m-bit blocks, and setting initialization values to be used in the hash computation
– Hash computation
  • The hash computation generates a message schedule from the padded message and uses that schedule, along with functions, constants, and word operations, to iteratively generate a series of hash values
– The final hash value generated by the hash computation is used to determine the message digest.
Algorithm – cont’d

• The four algorithms differ most significantly in the number of bits of security that are provided for the data being hashed – this is directly related to the message digest length
• The four algorithms also differ in terms of the size of the blocks and words of data that are used during hashing.

Comparison between SHA’s
| Algorithm | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | Operations | Collision |
|---|---|---|---|---|---|---|---|---|
| SHA-0 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rotl | Yes |
| SHA-1 | 160 | 160 | 512 | 2^64 − 1 | 32 | 80 | +, and, or, xor, rotl | 2^63 attack |
| SHA-256/224 | 256/224 | 256 | 512 | 2^64 − 1 | 32 | 64 | +, and, or, xor, shr, rotr | None yet |
| SHA-512/384 | 512/384 | 512 | 1024 | 2^128 − 1 | 64 | 80 | +, and, or, xor, shr, rotr | None yet |

• SHA-1 consists of 80 steps of operation
– Each step is also called a "round." Usually, more rounds imply more security, and hence harder to break.
• In this context, “security” refers to the fact that a birthday attack [HAC] on a message digest of size n produces a collision with a workfactor of approximately 2^(n/2).

How Secure are SHA?
This depends on your view of “secure”

Cryptanalysis
• Since a brute-force attack would take approximately 2^80 operations to break a secure hash function, the algorithm is considered “not as secure” or “broken” if an attack is found that produces collisions in fewer than 2^80 operations.

Definitions
• Collisions – when 2 distinctly different inputs produce the same hash output
• Birthday Attack – if f(x) has H possible outputs, each with the same probability, and H is sufficiently large, then after 1.2*sqrt(H) different arguments, we expect a collision (x1 ≠ x2 with f(x1) = f(x2))
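
The 1.2*sqrt(H) estimate and the 2^(n/2) workfactor can be checked empirically on a deliberately shortened digest. This is an added example, not part of the original slides: the n-bit "hash" is SHA-256 truncated to its first n bits, the inputs are constructed counter strings, and all function names are illustrative.

```python
import hashlib
import math

def truncated_digest(data: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256(data) as an integer: a toy n-bit hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - n_bits)

def birthday_search(n_bits: int):
    """Hash distinct inputs until two share a digest.

    Returns (x1, x2, attempts), where x1 != x2 collide under the toy hash.
    """
    seen = {}                      # digest -> first input that produced it
    attempts = 0
    while True:
        msg = b"constructed-input-%d" % attempts
        attempts += 1
        d = truncated_digest(msg, n_bits)
        if d in seen:
            return seen[d], msg, attempts
        seen[d] = msg

def expected_attempts(n_bits: int) -> float:
    """Birthday estimate from the slide: 1.2 * sqrt(H) with H = 2^n outputs."""
    return 1.2 * math.sqrt(2 ** n_bits)

if __name__ == "__main__":
    for n in (16, 20, 24):
        x1, x2, tries = birthday_search(n)
        print(f"n={n:2d}  collision after {tries:6d} hashes "
              f"(estimate {expected_attempts(n):8.0f}, 2^n = {2 ** n})")
    # For a full 160-bit digest the same estimate is about 1.2 * 2^80 hashes.
    print(f"n=160 estimate: {expected_attempts(160):.3e}")
```

Each extra bit of digest length multiplies the collision search by only sqrt(2), which is why a 160-bit digest gives roughly 80 bits of collision resistance rather than 160.
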
Brute Force Attacks

Question???
• Assume that you have a 4 GHz processor that is capable of doing around 4 billion ops/sec
• How long would it take to “break” the SHA-1 algorithm using the method published by Wang, Yin, and Yu (2^63 ops or less)?

Answer
• Using a single processor this would take approx 2^37 seconds (or 4000 years) of CPU time (which obviously is no big deal)
• But consider a distributed attack that uses a large number of CPUs...

Applications
Pretty good privacy (PGP)
• PGP Encryption (Pretty Good Privacy) is a computer program that provides cryptographic privacy and authentication.
• Public key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key
• It was originally created by Philip Zimmermann in 1991.

SSH
• Secure Shell or SSH is a set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and message authentication codes.

TLS and SSL
• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers.

IPSec
• A set of protocols developed by the Internet Engineering Task Force, the main standards organization for the Internet, to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
• IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

S/MIME
• S/MIME was originally developed by RSA Data Security Inc.
• S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the Rivest-Shamir-Adleman encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF). An alternative to S/MIME is PGP/MIME, which has also been proposed as a standard.

Questions

???
