0% found this document useful (0 votes)
53 views26 pages

Lecture 18 Hash Functions

this is it

Uploaded by

aaggarwal5be21
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
53 views26 pages

Lecture 18 Hash Functions

this is it

Uploaded by

aaggarwal5be21
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 26

Hash Functions

Cryptology (UCT723)
Lecture 18
What Problems are We Trying to Solve?
• Authentication
– The process of reliably verifying the identity of someone or
something
• In particular, did a message indeed come from its specified sender?
• Need to guard against:
– Disclosure of a message to any unauthorized person or system
– Messages masquerading as being from a source
– Content modification
• Was the message changed between sender and recipient?)
– Source or destination repudiation
• Can the sender or recipient deny they sent/received the message?

2
Authentication Functions
• Three main classes:
– Message Encryption
• Ciphertext of entire message serves as its authenticator
– Message Authentication Code (MAC)
• Function of the message and a secret key which produces a fixed-length
authenticator value
– Hash Function
• Function which maps a message of any length into a fixed-size hash
authenticator value

3
Message Encryption
• We've already seen various encryption options:
– Symmetric Encryption – provides both confidentiality and authentication
– Public Key Encryption:
C E KU b ( P ) ; P DKRb (C )  provides confidentiality only

C E KRb ( P ) ; P DKU b (C )  provides authentication & signature

C E KU a ( E KRb ( P ) )  provides confidentiality, authentication,


P DKRa ( DKU b (C )) and signature

4
Message Authentication Code (MAC)
• Uses a secret key to generate a small fixed-size block of
data: a Cryptographic Checksum, or MAC

• If Alice and Bob share a common secret key, K, then:


MAC = FK(P)
where:
P is the input plaintext
F is the MAC function
K is the shared secret key
MAC is the resulting message authentication code

5
Message Authentication Code (MAC)
• The MAC is sent to the recipient along with its associated
message
– The recipient uses the same MAC function and key on the message
and compares the result with the transmitted MAC.
– If the two MACs match, the recipient is assured that:
• The message has not been altered, and
• The message is from the alleged sender
– If the message contains a sequence number (e.g. TCP header), then
the recipient is assured of the proper sequencing of messages

6
Message Authentication Code (MAC)
• A MAC function is similar to an encryption function, except
that the MAC function need not be reversible.
• A MAC function is typically a many-to-one function:
– The input messages can be of any length, but
– The output is of fixed length (n bits)
• If an n-bit MAC function (that is, a MAC function that
generates a fixed-size n-bit block) is used, how many
possible MAC values are there?

2 n
7
Message Authentication Code (MAC)
• For example, assume:
– We are using a 10-bit MAC function
– We are using 100-bit messages

• There are:
– 2100 (~ 1.27 * 1030) different possible messages:
– only 210 (1024) different possible MACs
so, on average, each MAC value is generated by a total of
2100 90 27
2 1 . 24 10
210
different messages

8
Message Authentication Code (MAC)
• Here are some basic uses of MACs: P = Plaintext
C = Ciphertext
M = P || FK(P) E = Encryption function
• Plaintext concatenated with MAC F = MAC function
• Provides authentication only K = Key
M = Message sent
M EK 2 ( P || FK1 ( P))
• Symmetric key encrypted ciphertext concatenated with plaintext MAC
• Provides authentication and confidentiality
• Authentication tied to plaintext

C EK 2 ( P) ; M C || FK1 (C ))
• Symmetric key encrypted ciphertext concatenated with ciphertext MAC
• Provides authentication and confidentiality
• Authentication tied to ciphertext

9
Message Authentication Code (MAC)
• Why use MACs for authentication, instead of symmetric
encryption?
– Performance – MAC functions are faster than encryption functions
– Some applications don't care about secrecy/confidentiality, but care a
lot about authentication (e.g. SNMP)
– Separation of authentication and confidentiality provides greater
flexibility.
– Certain applications may wish to prolong the period of
authentication so that a message can undergo several phases of
processing which rely on that authentication.
• As soon as the message is decrypted, the message is no longer protected
against modification
• A MAC can be kept with the message to retain this protection.

10
Message Authentication Code (MAC)
• One of the most widely used MACs is the Data
Authentication Algorithm (DAA), based on on DES
– DAA is both a FIPS publication (FIPS PUB 113*) and an ANSI
standard (X9.17)
– It uses the Cipher Block Chaining (CBC) mode of operation with an
initialization vector of zero.
– The data are grouped into contiguous 64-bit blocks; if necessary, the
final block is padded on the right with zeroes to form a full 64-bit
block.
– Using the DES encryption algorithm, E, and a secret key, K, a Data
Authentication Code (DAC) is calculated...

11
Digital Authentication Algorithm

12
One-Way Hash Functions
• Can be viewed as a variation on a MAC function:
– A Hash Function accepts a variable-size message, M, as input and
produces a fixed-size output, referred to as a Hash Code, or
Message Digest:
h = H(M)
– Unlike a MAC function, a hash code:
• does not use a key, and so
• is a function only of the input message
– A change to any bit (or bits) of the message results in a change to the
hash code, which can provide an error-detection capability.
– A message digest can be used as a fingerprint for a message, to
allow detection of message modification

13
One-Way Hash Functions
• Requirements for a hash function are:
– Can be applied to a block of data of any size
– Produces a fixed-length output
– H(M) is relatively easy to compute for any given M, allowing for
both software and hardware implementations
– For any given value h, it is computationally infeasible to find M such
that h = H(M). This is the One-way Property.
– For any given block, M, it is computationally infeasible to find
M' != M with H(M') = H(M).
• This is called Weak Collision Resistance.
– It is computationally infeasible to find any pair (M, M') such that
H(M) = H(M').
• This is called Strong Collision Resistance.

14
One-Way Hash Functions
• Here are some basic uses of hash functions:

M EK ( P || H ( P))
– Provides confidentiality and authentication

M P || EK ( H ( P))
– Provides authentication (amounts to a MAC)

M P || EKR a ( H ( P))
– Provides authentication
– Also provides a digital signature (because only the sender could have
produced the encrypted hash code)

15
One-Way Hash Functions
• ...and some more:

M E K ( P || E KRa H ( P ))
– Provides confidentiality, authentication and digital signature

M P || H ( P || S ))
– Provides authentication, using a shared secret, S

M EK ( P || H ( P || S ))
– Adds confidentiality to the above mechanism.

16
One-Way Hash Functions
• The drive for hash/message digest algorithms began with
public key cryptography
– RSA was invented, but it was slow enough at that time to make it
impractical when used alone.
– A cryptographically secure message digest algorithm with high
performance would make RSA much more useful.

17
One-Way Hash Functions
• Thus, MD (unpublished) and MD2 (defined in RFC 13191) were
invented by Ron Rivest (of RSA fame)
– MD2 is a 128-bit one-way hash function
• Ralph Merkle (of Xerox at the time, but who had worked at Stanford
with Diffie & Hellman) came up with a message digest algorithm called
SNEFRU2
– It was several times faster than MD2
– It is a 128-bit or 256-bit one-way hash function
• This prompted Rivest to respond with MD4 (defined in RFC 13203)
– MD4 produces a 128-bit hash

18
One-Way Hash Functions
• Weaknesses were found in the MD4 algorithm, so Rivest
came up with MD5 (defined in RFC 13211)
– MD5 is similar to MD4, but improved.
– More complex than MD4, but similar in design
– Also produces a 128-bit hash

19
One-Way Hash Functions
• The NSA designed the Secure Hash Algorithm (SHA)
• The National Institute of Standards and Technology (NIST),
made it a standard.
– They revised it very late in the game, because of some (unspecified)
weakness that had been found, and changed its name to SHA-11.
– SHA-1 is a 160-bit hash function based on MD4
– Shares much in common with MD5, but has a much more
conservative design.
– 2 or 3 times slower than MD5

20
One-Way Hash Functions
• Because of improving computing environments, the 160-bit
hash of SHA-1 is now becoming a liability
• So NIST produced SHA-256, SHA-384, and SHA-5121.
– Designed to be used with the 128-, 192- and 256-bit key sizes of
AES.
– Structure similar to SHA-1, but much slower.
– According to Ferguson & Schneier, they are too new to have
experienced significant cryptanalysis attacks, and so are not yet
proven. But they also say that MD5 and SHA-1 are not sufficiently
secure, so you may have little choice.

21
Typical Usage of Digests
• Here's an example of the use of SHA-1 in a real application – Java JAR files:
– In the jce.jar (Java Cryptography Extension) JAR file, the manifest
contains the following:
Manifest-Version: 1.0
Created-By: 1.4.1-internal (Sun Microsystems Inc.)

Name: javax/crypto/SealedObject.class
SHA1-Digest: R+GWl6Zuqgtty1zOaP5RrRSGfQo=

Name: javax/crypto/KeyAgreementSpi.class
SHA1-Digest: fdmlqpiTKMzV65+93O4tJ3Uo6wg=

Name: javax/crypto/spec/DESedeKeySpec.class
SHA1-Digest: Q7UJvLuk8GST42GW6xDlXHe3Xv8=

Name: javax/crypto/spec/DHParameterSpec.class
SHA1-Digest: y0oY9yd/BQQxEc/2q1Cytta/r2E=

Name: javax/crypto/interfaces/DHPrivateKey.class
SHA1-Digest: jwgw7pakTyKOlLBNivsp6V6Ad4k=

...

22
One-Way Hash Functions
• Ferguson & Schneier recommend the following:
– They don't feel that any of the existing hash functions is sufficiently
secure when used as is.
– So, they define a double hash function, hd = h(h(m))
– They recommend the use of SHAd-256, or, for higher security levels,
SHAd-512

23
HMAC
• HMAC is an attempt to use a hash function to build a MAC.
• Note that:
– Hash functions provide only n/2 bits of security against some attacks
– A MAC function is expected to provide n bits of security.
– Defining:
MAC(K, m) = h(K || m), or h(m || K), or h(K || m || K)
is not secure if you use one of the standard hash functions.
• HMAC was proven to be secure if the underlying hash
function's underlying compression function was secure.

24
HMAC
• HMAC takes a variable length key and a
variable length message, and produces a
fixed-size output that is the same size as the
underlying hash function.
– It first pads the key with 0 bits to 512 bits
– If the key is larger than 512 bits, it first hashes
the key, resulting in 128 or 160 bits, and then
pads the result out to 512 bits.
– It then XORs the padded key with a constant
string of octets of value 36 (hex), then
concatenates the result with the message, and
computes a hash (digest)
– It XORs the padded key with a different
constant string of octets of value 5C (hex),
concatenates that with the result of the of the
first hash, and computes a second hash on that.

25
HMAC
• Examples of HMAC algorithms are:
– HmacMD5 – uses the MD5 hash algorithm
– HmacSHA1 – uses the SHA-1 hash algorithm

26

You might also like