0% found this document useful (0 votes)
84 views49 pages

Ch11 Crypto7e

Uploaded by

nawalsharif403
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
84 views49 pages

Ch11 Crypto7e

Uploaded by

nawalsharif403
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 49

Cryptograph

y and
Network
Security
Seventh Edition, Global Edition
by William Stallings

© 2017 Pearson Education, Ltd., All rights reserved.


Chapter 11
Cryptographic Hash Functions

© 2017 Pearson Education, Ltd., All rights reserved.


Hash Functions
• A hash function H accepts a variable-length
block of data M as input and produces a fixed-
size hash value
• h = H(M)
• Principal object is data integrity

• Cryptographic hash function


• An algorithm for which it is computationally
infeasible to find either:
(a) a data object that maps to a pre-specified hash
result (the one-way property)

(b) two data objects that map to the same hash


result (the collision-free property)
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Message Authentication
Code (MAC)
• Also known as a keyed hash function

• Typically used between two parties that share a


secret key to authenticate information
exchanged between those parties

Takes as input a secret key and a data block and


produces a hash value (MAC) which is associated
with the protected message
• If the integrity of the message needs to be checked,
the MAC function can be applied to the message
and the result compared with the associated MAC
value
• An attacker who alters the message will be unable
to alter the associated MAC value without
knowledge
© 2017 Pearson Education, of the secret key
Ltd., All rights reserved.
Digital Signature
• Operation is similar to that of the MAC

• The hash value of a message is encrypted


with a user’s private key
• Anyone who knows the user’s public key can
verify the integrity of the message
• An attacker who wishes to alter the message
would need to know the user’s private key
• Implications of digital signatures go beyond
just message authentication
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Other Hash Function Uses
Can be used to
construct a
Commonly used to Can be used for pseudorandom
create a one-way intrusion and virus function (PRF) or a
password file detection pseudorandom
number generator
When a user enters
(PRNG)
Store H(F) for each
a password, the file on a system and
hash of that secure the hash
password is values
compared to the
stored hash value A common
for verification One can later
application for a
determine if a file
hash-based PRF is
has been modified
for the generation
by recomputing H(F)
of symmetric keys
This approach to
password protection An intruder would
is used by most need to change F
operating systems without changing
H(F)

© 2017 Pearson Education, Ltd., All rights reserved.


Two Simple Hash
Functions
• Consider two simple insecure hash functions that operate
using the following general principles:
• The input is viewed as a sequence of n-bit blocks
• The input is processed one block at a time in an iterative
fashion to produce an n-bit hash function

• Bit-by-bit exclusive-OR (XOR) of every block


• Ci = bi1 xor bi2 xor . . . xor bim
• Produces a simple parity for each bit position and is known as
a longitudinal redundancy check
• Reasonably effective for random data as a data integrity
check

• Perform a one-bit circular shift on the hash value after each


block is processed
• Has the effect of randomizing the input more completely and
overcoming any regularities that appear in the input
© 2017 Pearson Education, Ltd., All rights reserved.
Two
Simple
Hash
Functions

© 2017 Pearson Education, Ltd., All rights reserved.


Requirements and
Security
Preimage
Collision
• x is the preimage of h
for a hash value h = • Occurs if we have x
H(x) ≠ y and H(x) = H(y)

• Is a data block whose • Because we are


hash function, using using hash functions
the function H, is h for data integrity,
collisions are clearly
• Because H is a many-
undesirable
to-one mapping, for
any given hash value
h, there will in general
be multiple preimages
© 2017 Pearson Education, Ltd., All rights reserved.
Table 11.1
Requirements for a Cryptographic Hash Function
H

© 2017 Pearson Education, Ltd., All rights reserved.


(Table can be found on page 323 in textbook.)
© 2017 Pearson Education, Ltd., All rights reserved.
Table 11.2
Hash Function Resistance Properties Required for
Various Data Integrity Applications

* Resistance required if attacker is able to mount a chosen message attack

© 2017 Pearson Education, Ltd., All rights reserved.


Attacks on Hash
Functions
Brute-Force
Attacks Cryptanalysis
• Does not depend on the • An attack based on
specific algorithm, only weaknesses in a
depends on bit length
particular
• In the case of a hash cryptographic
function, attack algorithm
depends only on the bit
length of the hash value • Seek to exploit some
property of the
• Method is to pick values algorithm to perform
at random and try each some attack other
one until a collision than an exhaustive
occurs search
© 2017 Pearson Education, Ltd., All rights reserved.
Collision Resistant
Attacks
• For a collision resistant attack, an adversary wishes to find two messages or
data blocks that yield the same hash function
• The effort required is explained by a mathematical result referred to as the
birthday paradox

• Yuval proposed the following strategy to exploit the birthday paradox in a


collision resistant attack:
• The source (A) is prepared to sign a legitimate message x by appending the
appropriate m-bit hash code and encrypting that hash code with A’s private key
• Opponent generates 2m/2 variations x’ of x, all with essentially the same
meaning, and stores the messages and their hash values
• Opponent prepares a fraudulent message y for which A’s signature is desired
• Opponent generates minor variations y’ of y, all of which convey essentially the
same meaning. For each y’, the opponent computes H (y’), checks for matches
with any of the H (x’) values, and continues until a match is found. That is, the
process continues until a y’ is generated with a hash value equal to the hash
value of one of the x’ values
• The opponent offers the valid variation to A for signature which can then be
attached to the fraudulent variation for transmission to the intended recipient
• Because the two variations have the same hash code, they will produce the same signature and
© 2017 Pearson Education, Ltd., Allisrights
the opponent reserved.
assured of success even though the encryption key is not known
A Letter
in 238
Variation
(Letter is located on page 334 in textbook)

© 2017 Pearson Education, Ltd., All rights reserved.


© 2017 Pearson Education, Ltd., All rights reserved.
Hash Functions
Based on Cipher
Block Chaining
• A number of proposals have been made for hash functions based on
using a cipher block chaining technique, but without using the secret key
• One of the first proposals was that of Rabin
• Divide a message M into fixed-size blocks M1, M2, . . . , MN and use a
symmetric encryption system such as DES to compute the hash code G as
H0= initial value
Hi = E(Mi, Hi-1)
G = HN
• Similar to the CBC technique, but in this case, there is no secret key
• As with any hash code, this scheme is subject to the birthday attack
• If the encryption algorithm is DES and only a 64-bit hash code is produced, the
system is vulnerable
• Meet-in-the-middle-attack
• Another version of the birthday attack used even if the opponent has access to
only one message and its valid signature and cannot obtain multiple signings
• It can be shown that some form of birthday attack will succeed against
any hash scheme involving the use of cipher block chaining without a
secret key, provided that either the resulting hash code is small enough
orEducation,
© 2017 Pearson that aLtd.,
larger hash
All rights code can be decomposed into independent
reserved.
Secure Hash Algorithm
(SHA)
• SHA was originally designed by the National
Institute of Standards and Technology (NIST) and
published as a federal information processing
standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1

• Based on the hash function MD4 and its design


closely models MD4
• Produces 160-bit hash values

• In 2002 NIST produced a revised version of the


standard that defined three new versions of SHA
with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2
© 2017 Pearson Education, Ltd., All rights reserved.
Table 11.3
Comparison of SHA Parameters

Note: All sizes are measured in bits.


© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Table 11.4 ---- SHA-512 Constants

(Table
can be
found
on page
© 2017 Pearson Education, Ltd., All rights reserved. 341 in
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
(Figure can be
found on page
345 in textbook)
© 2017 Pearson Education, Ltd., All rights reserved.
SHA-3
SHA-1 has not yet been
"broken”
• No one has demonstrated a
technique for producing
collisions in a practical
amount of time
• Considered to be insecure and
has been phased out for SHA-2

NIST announced in 2007 a


competition for the SHA-3 SHA-2 shares the same
next generation NIST hash structure and mathematical
function operations as its
predecessors so this is a
• Winning design was cause for concern
announced by NIST in
• Because it will take years
October 2012
• SHA-3 is a cryptographic to find a suitable
replacement for SHA-2
hash function that is
should it become
intended to complement
vulnerable, NIST decided
SHA-2 as the approved
to begin the process of
standard for a wide range
developing a new hash
of applications
© 2017 Pearson Education, Ltd., All rights reserved.
standard
The Sponge
Construction
• Underlying structure of SHA-3 is a scheme referred to
by its designers as a sponge construction
• Takes an input message and partitions it into fixed-size
blocks
• Each block is processed in turn with the output of each
iteration fed into the next iteration, finally producing an
output block
• The sponge function is defined by three parameters:
• f = the internal function used to process each input
block
• r = the size in bits of the input blocks, called the bitrate
• pad = the padding algorithm

© 2017 Pearson Education, Ltd., All rights reserved.


© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Table 11.5
SHA-3 Parameters

© 2017 Pearson Education, Ltd., All rights reserved.


© 2017 Pearson Education, Ltd., All
rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
SHA-3
Iteration
Function f

© 2017 Pearson Education, Ltd., All rights reserved.


Table
11.6

Step
Function
s
in SHA-3

© 2017 Pearson Education, Ltd., All rights reserved.


Theta and CHI
Function
Substitution

© 2017 Pearson Education, Ltd., All


rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Rho Function
Permutation

© 2017 Pearson Education, Ltd., All


rights reserved.
Rho Function
Permutation

© 2017 Pearson Education, Ltd., All


rights reserved.
Rho Function
Permutation

© 2017 Pearson Education, Ltd., All


rights reserved.
Pi Function
(Permutation)

© 2017 Pearson Education, Ltd., All


rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
IOTA Function

© 2017 Pearson Education, Ltd., All


rights reserved.
IOTA Function

© 2017 Pearson Education, Ltd., All


rights reserved.
Table 11.8
Round Constants in SHA-3

© 2017 Pearson Education, Ltd., All rights reserved.


Summary
• Applications of • Hash functions
cryptographic hash based on cipher
functions block chaining
• Message
authentication • Secure hash
• Digital signatures algorithm (SHA)
• Other applications • SHA-512 logic
• SHA-512 round
• Requirements and function
security
• SHA-3
• Security requirements
for cryptographic hash • The sponge
functions construction
• Brute-force attacks • The SHA-3
Iteration Function f
• Cryptanalysis
© 2017 Pearson Education, Ltd., All rights reserved.

You might also like