William Stallings, Cryptography and Network Security 5/e

1
Cryptography and Network SecurityChapter 11
Fifth Edition by William Stallings Lecture
slides by Lawrie Brown
2
Chapter 11 Cryptographic Hash Functions
Each of the messages, like each one he had ever
read of Stern's commands, began with a number and
ended with a number or row of numbers. No efforts
on the part of Mungo or any of his experts had
been able to break Stern's code, nor was there
any clue as to what the preliminary number and
those ultimate numbers signified. Talking to
Strange Men, Ruth Rendell
3
Hash Functions

• condenses arbitrary message to fixed size
• h H(M)
• usually assume hash function is public
• hash used to detect changes to message
• want a cryptographic hash function
• computationally infeasible to find data mapping
  to specific hash (one-way property)
• computationally infeasible to find two data to
  same hash (collision-free property)

4
Cryptographic Hash Function
Note that the length L is appended to the
message to be hashed
Why do this?
What other ways are there to accomplish this
objective?
5
Hash Function Uses

• Message Integrity Check (MIC)
• send hash of message (digest)
• MIC always encrypted, message optionally
• Message Authentication Code (MAC)
• send keyed hash of message
• MAC, message optionally encrypted
• Digital Signature (non-repudiation)
• Encrypt hash with private (signing) key
• Verify with public (verification) key

6
Hash Functions Message Authentication

• Symmetric Key
• Unkeyed Hash
• Message
• encrypted
• b) Message
• unencrypted

7
Hash Functions Message Authentication

• Symmetric Key
• Keyed Hash
• Message
• unencrypted
• d) Message
• encrypted

8
Hash Functions Digital Signatures - PKCS
9
Other Hash Function Uses

• pseudorandom function (PRF)
• Generate session keys, nonces
• Produce key from password
• Derive keys from master key cooperatively
• pseudorandom number generator (PRNG)
• Vernam Cipher/OTP
• S/Key, proof of what you have via messages

10
More Hash Function Uses

• to create a one-way password file
• store hash of password not actual password
• e.g., Unix, Windows NT, etc.
• salt to deter precomputation attacks
• Rainbow tables
• for intrusion detection and virus detection
• keep check hash of files on system
• e.g., Tripwire
• for membership detection
• Blum filter

11
Lamport One-time Passwords

• Password safety in distributed system
• server compromise does not compromise P
• interception of authentication exchange does not
  compromise password either
• Alice picks Password PA
• Hashes password N times, HN(PA)
• Server stores (Alice, N, HN(PA))
• Attacker cant get PA from HN(PA)

12
Lamport One-time Passwords

• Assumptions
• Authentication protocol over insecure channel
• Attacker can see all messages
• Server memory may also be read
• Goal Attacker still cant authenticate as Alice
• Alice must be able to prove she knows something
  that Darth can't
• Even after reading server files and observing
  earlier exchanges

13
Lamport One-time Passwords

• Initialization
• Alice chooses password PA
• Alice hashes PA M times
• Server stores ltAlice, M, HM(PA)gt
• Even if server compromised
• Attacker can't get PA from H(PA)

14
Lamport One-time Passwords

• Protocol
• Alice sends Im Alice
• Server sends it current count N
• Alice sends X where XHN-1(PA)
• Server verifies H(X) HN(PA)
• Server updates to (Alice, N-1, X)
• Attacker fails
• cant get HN-1(PA) from HN(PA)
• can't authenticate as Alice via replay

15
Homework

• What can happen if Alice has to authenticate to
  multiple servers with single sign-on (same
  password)?
• How can you modify the protocol so that it works
  with multiple servers, without requiring the
  servers to stay in synch?

16
Two Simple Insecure Hash Functions

• consider two simple insecure hash functions
• bit-by-bit exclusive-OR (XOR) of every block
• Ci bi1 xor bi2 xor . . . xor bim
• a longitudinal redundancy check
• reasonably effective as data integrity check
• one-bit circular shift on hash value
• for each successive n-bit block
• rotate current hash value to left by1bit and XOR
  block
• good for data integrity but useless for security

17
Hash Function Requirements
18
Attacks on Hash Functions

• have brute-force attacks and cryptanalysis
• a preimage or second preimage attack
• find y s.t. H(y) equals a given hash value
• collision resistance
• find two messages x y with same hash so H(x)
  H(y)
• hence value 2m/2 determines strength of hash code
  against brute-force attacks
• 128-bits inadequate, 160-bits suspect

19
Birthday Attacks

• might think a 64-bit hash is secure
• but by Birthday Paradox is not
• birthday attack works thus
• given user prepared to sign a valid message x
• opponent generates 2m/2 variations x of x, all
  with essentially the same meaning, and saves them
• opponent generates 2m/2 variations y of a
  desired fraudulent message y
• two sets of messages are compared to find pair
  with same hash (probability gt 0.5 by birthday
  paradox)
• have user sign the valid message, then substitute
  the forgery which will have a valid signature
• conclusion is that need to use larger MAC/hash

20
Birthday Attacks
Find i and j such that H(yj)H(xi) Table
takes O(N2) time Faster Sorted lists take
O(NlogN) time
y y1 y2 yj yN
x ? ? ? ? ?
x1 ? ? ? ? ?
x2 ? ? ? ? ?

xi ? ? ? ?

xN ? ? ? ? ?
21
Birthday Attacks

• What are chances we get a match?
• N distinct values, k randomly chosen ones
• P(N,i) prob(i randomly selected values from
  1..N have at least one match)
• P(N,2) 1/N
• P(N,i1) P(N,i)(1-P(N,i))(i/N)
• For P(N,k)gt0.5, need k N1/2
• Need double bits in hash value

Second matches first
At least one match in first i
Last matches one of i distinct
22
Hash Function Cryptanalysis

• cryptanalytic attacks exploit some property of
  algo so faster than exhaustive search
• hash functions use iterative structure
• process message in blocks (incl length)
• attacks focus on collisions in function f

23
Block Ciphers as Hash Functions

• can use block ciphers as hash functions
• using H00 and zero-pad of final block
• compute Hi EMi Hi-1
• and use final block as the hash value
• similar to CBC but without a key
• resulting hash is too small (64-bit)
• both due to direct birthday attack
• and to meet-in-the-middle attack
• other variants also susceptible to attack

24
Block Ciphers as Hash Functions
Block cipher key length B Pad Message M to
multiple of B Break padded M into L blocks L
M/B M M1 M2 ML Use blocks of M as keys in
block cipher, iteratively encrypt state value
starting with constant H0 resulting in hash
value H HL E(ML,.E(M2,E(M1,H0)))
25
Secure Hash Algorithm

• SHA originally designed by NIST NSA in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
• standard is FIPS 180-1 1995, also Internet
  RFC3174
• nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• 2005 results on security of SHA-1 raised concerns
  on its use in future applications

26
Revised Secure Hash Standard

• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
  security provided by the AES cipher
• structure detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher

27
SHA Versions
28
SHA-512 Overview
29
SHA-512 Compression Function

• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
• updating a 512-bit buffer
• using a 64-bit value Wt derived from the current
  message block
• and a round constant based on cube root of first
  80 prime numbers

30
SHA-512 Round Function
31
SHA-512 Round Function
32
SHA-3

• SHA-1 not yet "broken
• but similar to broken MD5 SHA-0
• so considered insecure
• SHA-2 (esp. SHA-512) seems secure
• shares same structure and mathematical operations
  as predecessors so have concern
• NIST announced in 2007 a competition for the
  SHA-3 next gen NIST hash function
• Draft standard based on Keccak in 2014

33
SHA-3 Requirements

• replace SHA-2 with SHA-3 in any use
• so use same hash sizes
• preserve the online nature of SHA-2
• so must process small blocks (512 / 1024 bits)
• evaluation criteria
• security close to theoretical max for hash sizes
• cost in time memory
• characteristics such as flexibility simplicity

34
Summary

• have considered
• hash functions
• uses, requirements, security
• hash functions based on block ciphers
• SHA-1, SHA-2, SHA-3