
Chapter 6.

Hash Function and MAC

• Contents:
6.1 Introduction to Hash Functions
6.2 Hash Function SHA-3
6.3 Applications of Hash Function
6.4 MAC and its Applications

Some figures are from W. Stallings’ book “Cryptography and Network Security”, 7th edition. ©2017 Pearson Education, Inc.

Data Security (2020F) Huapeng Wu @ U of Windsor 1


6.1. Hash Functions
• A cryptographic hash function h
o takes as input a message of arbitrary size and
o produces as output a message digest of fixed size.
o has applications in digital signatures and authentication.



Primary Use of Hash Functions



A Simple Hash Function
• Let’s build a simple hash function (but not very secure):
o Assume the hash function produces 160-bit output.
o If input m is less than 160 bits, append 1’s to m to make it 160 bits.
o Divide input m into blocks of 160-bit:

m = m1 || m2 || ∙∙∙ || mi || ∙∙∙

o Then h(m) = m1 ⊕ m2 ⊕ ∙∙∙ ⊕ mi ⊕ ∙∙∙
o where ⊕ denotes bit-wise XOR operation.
• Practical hash functions are much more complicated.
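
Why the simple XOR hash above is not secure, as an added example that is not part of the original slides: reordering blocks gives a collision, and one extra block steers any message to a chosen digest. Padding the last partial block of a longer message with 1-bits is an assumption (the slide only defines padding for short inputs), and the sample messages are constructed.

```python
BLOCK = 20  # 160 bits, the digest size used on the slide

def pad(m: bytes) -> bytes:
    """Append 1-bits (0xFF bytes) up to a non-zero multiple of 160 bits (assumed rule)."""
    if not m or len(m) % BLOCK:
        m += b"\xff" * (BLOCK - len(m) % BLOCK)
    return m

def xor_blocks(m: bytes) -> bytes:
    """XOR all 160-bit blocks of an already padded message together."""
    acc = bytes(BLOCK)
    for i in range(0, len(m), BLOCK):
        acc = bytes(a ^ b for a, b in zip(acc, m[i:i + BLOCK]))
    return acc

def simple_hash(m: bytes) -> bytes:
    """h(m) = m1 XOR m2 XOR ... as defined on the slide."""
    return xor_blocks(pad(m))

def reordered(m: bytes) -> bytes:
    """Same blocks in reverse order: XOR is commutative, so the digest is unchanged."""
    p = pad(m)
    blocks = [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]
    return b"".join(reversed(blocks))

def second_preimage(prefix: bytes, target: bytes) -> bytes:
    """Message starting with `prefix` whose digest is `target`: append one fix-up block."""
    p = pad(prefix)
    fix = bytes(a ^ b for a, b in zip(xor_blocks(p), target))
    return p + fix

if __name__ == "__main__":
    m1 = b"A" * 20 + b"B" * 20                      # constructed two-block message
    print(simple_hash(m1) == simple_hash(reordered(m1)))
    m2 = second_preimage(b"an unrelated message", simple_hash(m1))
    print(m2 != m1, simple_hash(m2) == simple_hash(m1))
```

Both failures come from the output being a linear function of the input blocks, which is what the compression and permutation steps of practical hash functions are designed to avoid.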



Properties for Cryptographic Hash Functions

1. Easy to compute:
o Given message m, hash function h(m) is easy to compute.

2. One-way function y = h(x):
o Given y, it is very hard to find x.

3. Collision-free: (1. strong version and 2. weak version)
1) It is very hard to find messages m1 and m2 with h(m1) = h(m2).
2) Given m1 and h(m1), it is very hard to find m2 ≠ m1 with h(m2) = h(m1).



Hash Functions in Popular Use
• MD5
o Input: an arbitrary size message
o Output: 128-bit digest
▪ First proposed by R. Rivest in 1992
▪ Was broken in an attack on SSL in 2008
• SHA-1
o Input: a message of up to 2^64 − 1 bits
o Output: 160-bit digest
▪ Proposed by NSA in 1995
▪ In 2005, an attack was shown that finds collisions in 2^61 operations, rather than
the 2^80 expected for a 160-bit hash result.
• SHA-2
• SHA-3 (current standard)
6.2. Hash Function SHA-3

• SHA-3 was standardized (in draft) in 2012 by NIST.
o Regarded by many as the best hash function available today.
o SHA-3 was called Keccak before 2012.
o It takes an input of any size.
o It produces an output of any desired size.
o It uses a construction called the Sponge Function.



Sponge Function
• Sponge functions are a class of algorithms that
o have a finite internal state,
o take an input bit stream of any length, and
o produce an output bit stream of any desired length.
• Sponge functions are often used
o to model or implement most cryptographic primitives, including
▪ Cryptographic hash
▪ Message authentication codes, stream ciphers
▪ Block ciphers
▪ Pseudo-random number generators
▪ Authenticated encryption.



Sponge Function: Components

o a state memory, S, containing b = r + c bits
▪ Split into two parts: r-bit R and c-bit C
o a function, f, that permutes or transforms its input S.
▪ Takes a b-bit input and generates a b-bit output.
o a padding function P
▪ Pads the input so that the padded input, P0, P1, …, Pi, is a multiple of r bits.
Sponge Function: Input and Operation

1. State memory S is initialized to zero.
2. Input stream, P0, P1, …, Pi, is padded to make it a multiple of r bits.
3. R is XORed with the first r-bit block of padded input.
4. S is replaced with f(S).
5. R is XORed with the next r-bit block of padded input (if any).
6. S is replaced by f(S).
7. etc.
8. until all the input blocks are absorbed in the sponge.
Sponge Function: Output and Operation

1. The R portion of the state memory is the first r bits of output Z0.
2. If more output bits are desired, S is replaced by f(S)
3. The R portion of the state memory is the next r bits of output Z1.
4. …etc.
5. The process is repeated until the desired number of output bits
are produced.
6. If the output length is not a multiple of r bits, it will be truncated.



SHA-3: Use of Sponge Function

o SHA-3 setting:
▪ r = 1088 and c = 512
▪ Function f permutation width: 1600
▪ security strength: 256 bits
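
The absorb and squeeze steps of the sponge with the SHA-3 setting r = 1088, c = 512, as an added example that is not from the original slides. The round steps inside f (Keccak-f[1600]) and the padding suffix byte 0x06 are taken from FIPS 202, which the slides do not cover; the output is compared with Python's hashlib.

```python
import hashlib

MASK = (1 << 64) - 1
RATE, CAPACITY = 136, 64   # bytes: r = 1088 bits, c = 512 bits, b = r + c = 1600 bits

def rol(v, n):
    return ((v << (n % 64)) | (v >> (64 - n % 64))) & MASK

def keccak_f(state):
    """The function f: permutes the whole b-bit state (Keccak-f[1600], 24 rounds)."""
    a = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    lfsr = 1
    for _ in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                  # theta
        x, y, cur = 1, 0, a[1]
        for t in range(24):                                       # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x + 5 * y] = a[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(0, 25, 5):                                 # chi
            row = a[y:y + 5]
            for x in range(5):
                a[y + x] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):                                        # iota (round constant)
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                a[0] ^= 1 << ((1 << j) - 1)
    return bytearray(b"".join(v.to_bytes(8, "little") for v in a))

def sponge(message, out_len, suffix=0x06):
    """Absorb `message`, squeeze `out_len` bytes. 0x06 = SHA-3 suffix, 0x1F = SHAKE."""
    padded = bytearray(message) + bytes([suffix])
    padded += bytes(-len(padded) % RATE)     # pad to a multiple of r
    padded[-1] ^= 0x80                       # closing 1-bit of the padding
    state = bytearray(RATE + CAPACITY)       # S initialized to zero
    for off in range(0, len(padded), RATE):  # absorbing phase
        for i in range(RATE):
            state[i] ^= padded[off + i]      # XOR the block into R only; C is untouched
        state = keccak_f(state)              # S is replaced with f(S)
    out = bytearray()
    while len(out) < out_len:                # squeezing phase: R is the next output Z
        out += state[:RATE]
        if len(out) < out_len:
            state = keccak_f(state)
    return bytes(out[:out_len])              # truncate if not a multiple of r

if __name__ == "__main__":
    print(sponge(b"abc", 32) == hashlib.sha3_256(b"abc").digest())
```

The input is only ever XORed into the R part of the state, so the c = 512 capacity bits are never directly written or read by a caller; that hidden part is what the security strength rests on.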



6.3. Hash Function in Application
• Hash functions have wide applications in cybersecurity:
o Message authentication
▪ see the next slide
▪ works through MAC.
o Digital signature
▪ Works in conjunction with a public key cryptosystem.
o Password Security
▪ Computer stores only the message digest of a password.
• Hash functions are subject to birthday attacks
o For an n-bit message digest, a birthday attack reduces hash
function security to n/2 bits.
Hash Function for Message Authentication

a) Message plus concatenated hash code is encrypted and sent.
b) Encrypted hash code plus plaintext message is sent.
c) Similar to b), but using a shared secret value S.
d) Similar to a), but using a shared secret value S.



6.4. MAC: Message Authentication Code
• A MAC is a function of a fixed-size key k and an arbitrarily
sized message m, MAC(k, m), that generates a fixed-size MAC
value.
o A MAC is like a keyed hash function.
• A message authentication code is a construction that detects
tampering with messages.
• The primary use of a MAC is for message authentication.
• Depending on how it is constructed, there are several types
of MAC:
o CBC-MAC or CMAC
o HMAC
o GMAC
CBC-MAC and CMAC
• CBC-MAC is a method of turning a block cipher into a MAC.
• Let Pi, i = 1, 2, …, N, represent the message blocks and K be the key.
• Then CBC-MAC is computed as the last block of ciphertext generated with a
symmetric-key cipher in CBC mode:
1. C1 = EK(P1 ⊕ IV)
2. Ci = EK(Pi ⊕ Ci-1), i = 2, 3, …, N.
3. MAC = CN.
• CMAC is a NIST standard that makes a small modification to CBC-MAC in how it
treats the last block.
• Advantage: CBC-MAC or CMAC uses the same type of computation as
the block cipher.
• Note on using CBC-MAC: do not use the same key for both MAC and the
block cipher.
HMAC
• HMAC is a method of turning a hash function into a MAC.
• Any iterative hash function can be used to construct an HMAC.
• Given a hash function h(m), an HMAC for message m can be computed as
1. C1 = h((K ⊕ b) || m)
2. MAC = h((K ⊕ a) || C1)
where K is the key, and a and b are two specified constants.
• It is recommended that HMAC use a hash function of 256 bits, since HMAC has
(n/2)-bit security, where n is the size of the hash output.



GMAC
• GMAC is a recent method standardized by NIST.
• GMAC takes three inputs, instead of two, to generate the message
authentication code:
o Message, key, and a nonce
o The recipient also needs to know the nonce. The nonce can be used only once. It can be sent
explicitly by the sender or could be implicit, i.e. a packet counter.

• Computation of GMAC:
1. First it uses a special hash-like math function and generates a fixed-size output.
2. Then it encrypts the output with a block cipher.
3. The result is the MAC.
Note: The special hash-like math function, which requires much less computation than a
hash function like SHA-1, is beyond our scope.



MAC in Application

• The above diagram is from Wikipedia.com



MAC in Application

• Message authentication protocol that uses MAC,


o where M denotes the message,
o K denotes the key, and
o || denotes appending operation.
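
The HMAC formula from the HMAC slide and the M || MAC(K, M) protocol above, as an added example that is not part of the original slides. SHA-256 is chosen as h; the constant values 0x36 (b) and 0x5C (a) and the key-to-block-size rule come from RFC 2104, not from the slides, and the function names, key and message are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64                     # SHA-256 input block size in bytes
TAG_LEN = 32                   # SHA-256 output size in bytes
B_CONST = bytes([0x36]) * BLOCK   # the slide's constant b (inner pad)
A_CONST = bytes([0x5C]) * BLOCK   # the slide's constant a (outer pad)

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK:                       # long keys are hashed first (RFC 2104)
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")            # then zero-padded to one block
    c1 = hashlib.sha256(xor(key, B_CONST) + msg).digest()   # C1 = h((K xor b) || m)
    return hashlib.sha256(xor(key, A_CONST) + c1).digest()  # MAC = h((K xor a) || C1)

def send(key: bytes, msg: bytes) -> bytes:
    """Sender side: transmit M || MAC(K, M)."""
    return msg + hmac_sha256(key, msg)

def receive(key: bytes, packet: bytes):
    """Receiver side: recompute the MAC over M and compare; None means rejected."""
    if len(packet) < TAG_LEN:
        return None
    msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest runs in constant time, so timing does not leak matching bytes
    if not hmac.compare_digest(tag, hmac_sha256(key, msg)):
        return None
    return msg

if __name__ == "__main__":
    k, m = b"constructed-shared-key", b"transfer 10 to bob"
    print(hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest())
    pkt = send(k, m)
    print(receive(k, pkt), receive(k, b"transfer 90 to bob" + pkt[-TAG_LEN:]))
```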



MAC in Application

• Protocol for message authentication and confidentiality (version 1)


o where E in a circle denotes encryption with a block cipher,
o D in a circle denotes decryption with the block cipher,
o K1 denotes the key used for MAC,
o and K2 denotes the key used for the block cipher.
• Authentication is tied to plaintext.



MAC in Application

• Protocol for message authentication and confidentiality (version 2)


o where E in a circle denotes encryption with a block cipher,
o D in a circle denotes decryption with the block cipher,
o K1 denotes the key used for MAC,
o and K2 denotes the key used for the block cipher.
• Authentication is tied to ciphertext.



6.5. Attacks towards Hash functions
• Efforts of cryptanalysis on Hash functions:
1. To find m for given h(m).
2. To find another pair (m’, h(m’) ) for given pair (m,h(m) )
such that h(m)=h(m’).
3. To find two messages m and m’ such that h(m)=h(m’).
▪ Birthday attacks

• Remember the properties of Hash functions


o One-way function
o Collision-free (two versions)
Birthday Attacks (I)

• Our class size is more than 30 students.


• Problem 1. Student A’s class has 30 students. What is the
probability that there is at least one other student in the class
who shares the same birthday with A?
• Problem 2. Student A’s class has 30 students. What is the
probability that there are at least two students in the class who
share the same birthday ?



Birthday Attacks (II)

• Problem 1. Student A’s class has 30 students. What is the
probability that there is at least one other student in the class
who shares the same birthday with A?
• Solution:
Probability = 1 – (364/365)^29 = 0.0765 = 7.65%



Birthday Attacks (III)

• Problem 2. Student A’s class has 30 students. What is the
probability that there are at least two students in the class who
share the same birthday?
• Solution:
The probability = for N = 365, and q> 0.7 = 70%.

(where N = 365, and q = class size )


• This idea can be used to attack hash functions
o Find collision: find two messages m and m’ such that h(m) = h(m’).



Birthday Attacks (IV)

• Find two messages m and m’ such that h(m) = h(m’) (find collision):
o Assume the digest h(m) has 160 bits.
(cf., there are 2^160 different birthdays)
o Attacker computes n pairs of (x, h(x)).
(cf., there are n students in the class)
o A collision means there are two pairs (x, h(x)) and (x’, h(x’)) such that
h(x) = h(x’). (cf., two students share the same birthday)
o The attacker can find one collision with probability > 0.5 if n = 2^80.
(cf., the probability that there are two students who share the same
birthday in a class of 2^80 students is > 0.5.)
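
The two classroom problems and the collision search described above, worked through as an added example that is not part of the original slides. The 24-bit truncated SHA-256 digest and the message format are constructed stand-ins so the search finishes after a few thousand hashes; the point is to size digests, since an n-bit digest gives only about n/2 bits of collision resistance.

```python
import hashlib
from itertools import count

def p_shared_with_one(q, N=365):
    """Problem 1: at least one of the other q-1 people matches one fixed person."""
    return 1 - ((N - 1) / N) ** (q - 1)

def p_any_shared(q, N=365):
    """Problem 2: at least two of q people share one of N values (exact product)."""
    p_distinct = 1.0
    for i in range(q):
        p_distinct *= (N - i) / N
    return 1 - p_distinct

def truncated_digest(msg: bytes, bits: int) -> bytes:
    """Constructed toy hash: the first `bits` bits of SHA-256 (bits must be a multiple of 8)."""
    return hashlib.sha256(msg).digest()[: bits // 8]

def birthday_collision(bits: int):
    """Store pairs (h(x) -> x) until two inputs share a digest.

    Returns (x, x', n) where n is the number of hashes computed."""
    seen = {}
    for n in count(1):
        x = b"msg-%d" % n                 # constructed message format
        d = truncated_digest(x, bits)
        if d in seen:
            return seen[d], x, n
        seen[d] = x

if __name__ == "__main__":
    print(f"Problem 1: {p_shared_with_one(30):.4f}")
    print(f"Problem 2: {p_any_shared(30):.4f}")
    x1, x2, n = birthday_collision(24)
    print(f"24-bit digest: collision after {n} hashes (2^12 = {2**12}, 2^24 = {2**24})")
```

The number of hashes needed lands near 2^(bits/2) rather than 2^bits, which is the same gap as between Problem 2 and Problem 1.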