Hash Functions. Integrity checks



Similar documents
Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Cryptographic Hash Functions Message Authentication Digital Signatures

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Introduction to Computer Security

Message Authentication

Authentication requirement Authentication function MAC Hash function Security of

Public Key Cryptography Overview

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CIS433/533 - Computer and Network Security Cryptography

Fundamentals of Computer Security

Lecture 9: Application of Cryptography

Cryptography and Network Security Chapter 11

SECURITY IN NETWORKS

CSE/EE 461 Lecture 23

Cryptography Lecture 8. Digital signatures, hash functions

Overview of Symmetric Encryption

2. Cryptography 2.4 Digital Signatures

Message authentication and. digital signatures

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

One-Way Encryption and Message Authentication

Message Authentication Codes

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Introduction to Cryptography CS 355

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Cryptography and Network Security Chapter 12

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Lecture 6 - Cryptography

Authentication, digital signatures, PRNG

Practice Questions. CS161 Computer Security, Fall 2008

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Message Authentication Codes. Lecture Outline

Computer Security: Principles and Practice

Signature Schemes. CSG 252 Fall Riccardo Pucella

Remotely Keyed Encryption Using Non-Encrypting Smart Cards

Cryptography & Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Chapter 7: Network security

The Misuse of RC4 in Microsoft Word and Excel

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Cryptography and Network Security Digital Signature

Data integrity and data origin authentication

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Chapter 10. Network Security

Lukasz Pater CMMS Administrator and Developer

Lecture 15 - Digital Signatures

Network Security Technology Network Management

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Security Protocols/Standards

Chapter 7 Transport-Level Security

CS 361S - Network Security and Privacy Spring Homework #1

IT Networks & Security CERT Luncheon Series: Cryptography

What is network security?

Recommendation for Applications Using Approved Hash Algorithms

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Secure Network Communications FIPS Non Proprietary Security Policy

How To Protect Your Data From Attack

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Transport Level Security

Symmetric Crypto MAC. Pierre-Alain Fouque

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

CRYPTOGRAPHY IN NETWORK SECURITY

Client Server Registration Protocol

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security. HIT Shimrit Tzur-David

Computer Security CS 426. CS426 Fall 2010/Lecture 40 1

An Introduction to Cryptography as Applied to the Smart Grid

Application Layer (1)

Hash Function JH and the NIST SHA3 Hash Competition

CS155. Cryptography Overview

Recommendation for Applications Using Approved Hash Algorithms

A Standards-based Approach to IP Protection for HDLs

Authenticity of Public Keys

Lecture 9 - Network Security TDTS (ht1)

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Table of Contents. Bibliografische Informationen digitalisiert durch

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Length extension attack on narrow-pipe SHA-3 candidates

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

CSCE 465 Computer & Network Security

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Overview of Public-Key Cryptography

CS 758: Cryptography / Network Security

Modes of Operation of Block Ciphers

Network Security Essentials Chapter 5

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Transcription:

Hash Functions EJ Jung slide 1 Integrity checks

Integrity vs. Confidentiality! Integrity: attacker cannot tamper with message! Encryption may not guarantee integrity! Intuition: attacker may able to modify message under encryption without learning what it is Given one-time key K, encrypt M as M!K Perfect secrecy, but can easily change M under encryption to M!M for any M Online auction: halve competitor s bid without learning its value This is recognized by industry standards (e.g., PKCS) RSA encryption is intended primarily to provide confidentiality It is not intended to provide integrity Many encryption schemes provide secrecy AND integrity slide 3 More on Integrity VIRUS goodfile badfile BigFirm The Times hash(goodfile) User Software manufacturer wants to ensure that the executable file is received by users without modification Sends out the file to users and publishes its hash in NY Times The goal is integrity, not confidentiality Idea: given goodfile and hash(goodfile), very hard to find badfile such that hash(goodfile)=hash(badfile) slide 4

Where to use hash functions! Cookie H(server s secret, client s unique information, timestamp)! Password storage safe against server problems Hash Functions! Purpose of the HASH function is to produce a fingerprint.! But, what do you mean by fingerprint?? Henric Johnson 6

Secure Hash Functions! Properties of a HASH function H : 1. H can be applied to a block of data at any size 2. H produces a fixed length output 3. H(x) is easy to compute for any given x. 4. For any given block x, it is computationally infeasible to find x such that H(x) = h 5. For any given block x, it is computationally infeasible to find y! x with H(y) = H(x). 6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) Henric Johnson 7 Simple hash function

Example Hash Functions: Main Idea x message x... x hash function H message digest.. y y bit strings of any length! H is a lossy compression function n-bit bit strings Collisions: h(x)=h(x ) for some inputs x, x Result of hashing should look random (make this precise later) Intuition: half of digest bits are 1 ; any bit in digest is 1 half the time! Cryptographic hash function needs a few properties slide 10

One-Way! Intuition: hash should be hard to invert Preimage resistance Let h(x )=y"{0,1} n for a random x Given y, it should be hard to find any x such that h(x)=y! How hard? Brute-force: try every possible x, see if h(x)=y SHA-1 (common hash function) has 160-bit output Suppose have hardware that ll do 2 30 trials a pop Assuming 2 34 trials per second, can do 2 89 trials per year Will take 2 71 years to invert SHA-1 on a random image slide 11 Birthday Paradox! T people! Suppose each birthday is a random number taken from K days (K=365) how many possibilities? K T (samples with replacement)! How many possibilities that are all different? (K) T = K(K-1) (K-T+1) samples without replacement! Probability of no repetition? (K) T /K T # 1 - T(T-1)/2K! Probability of repetition? O(T 2 )

Collision Resistance! Should be hard to find x, x such that h(x)=h(x )! Brute-force collision search is O(2 n/2 ), not O(2 n ) n = number of bits in the output of hash function For SHA-1, this means O(2 80 ) vs. O(2 160 )! Reason: birthday paradox Let T be the number of values x,x,x we need to look at before finding the first pair x,x s.t. h(x)=h(x ) Assuming h is random, what is the probability that we find a repetition after looking at T values? O(T 2 ) Total number of pairs? O(2 n ) Conclusion: T # O(2 n/2 ) slide 13 One-Way vs. Collision Resistance! One-wayness does not imply collision resistance Suppose g is one-way Define h(x) as g(x ) where x is x except the last bit h is one-way (to invert h, must invert g) Collisions for h are easy to find: for any x, h(x0)=h(x1)! Collision resistance does not imply one-wayness Suppose g is collision-resistant Define h(x) to be 0x if x is n-bit long, 1g(x) otherwise Collisions for h are hard to find: if y starts with 0, then there are no collisions, if y starts with 1, then must find collisions in g h is not one way: half of all y s (those whose first bit is 0) are easy to invert (how?); random y is invertible with probab. 1/2 slide 14

Weak Collision Resistance! Given randomly chosen x, hard to find x such that h(x)=h(x ) Attacker must find collision for a specific x. By contrast, to break collision resistance, enough to find any collision. Brute-force attack requires O(2 n ) time! Weak collision resistance does not imply collision resistance (why?) slide 15 Which Property Do We Need?! UNIX passwords stored as hash(password) One-wayness: hard to recover password! Integrity of software distribution Weak collision resistance But software images are not really random maybe need full collision resistance! Auction bidding Alice wants to bid B, sends H(B), later reveals B One-wayness: rival bidders should not recover B Collision resistance: Alice should not be able to change her mind to bid B such that H(B)=H(B ) slide 16

Common Hash Functions! MD5 128-bit output Still used very widely Completely broken by now! RIPEMD-160 160-bit variant of MD-5! SHA-1 (Secure Hash Algorithm) 160-bit output US government (NIST) standard as of 1993-95 Also the hash algorithm for Digital Signature Standard (DSS) slide 17 Basic Structure of SHA-1 Against padding attacks Split message into 512-bit blocks 160-bit buffer (5 registers) initialized with magic values Compression function Applied to each 512-bit block and current 160-bit buffer This is the heart of SHA-1 slide 18

Block Ciphers Block of plaintext S S S S S S S S Key For hashing, there is no KEY. Use message as key and replace plaintext with a fixed string. (for example, Unix password hash is DES applied to NULL with password as the key) repeat for several rounds S S S S Block of ciphertext slide 19 SHA-1 Compression Function Current message block Current buffer (five 32-bit registers A,B,C,D,E) Four rounds, 20 steps in each Let s look at each step in more detail Very similar to a block cipher, with message itself used as the key for each round Fifth round adds the original buffer to the result of 4 rounds Buffer contains final hash value slide 20

One Step of SHA-1 (80 steps total) A B C D E 5 bitwise left-rotate Logic function for steps (B$C)%( B$D) 0..19 B!C!D 20..39 (B$C)%(B$D)%(C$D) 40..59 B!C!D 60..79 Multi-level shifting of message blocks f t + + Current message block mixed in For steps 0..15, W 0..15 =message block For steps 16..79, W t =W t-16!w t-14!w t-8!w t-3 + W t 30 bitwise left-rotate Special constant added (same value in each 20-step round, 4 different constants altogether) + K t A B C D E slide 21 How Strong Is SHA-1?! Every bit of output depends on every bit of input Very important property for collision-resistance! Brute-force inversion requires 2 160 ops, birthday attack on collision resistance requires 2 80 ops! Some recent weaknesses (2005) Collisions can be found in 2 63 ops slide 22

SHA-512 big picture SHA-512 zoom in

Authentication! Authenticity is identification and assurance of origin of information We ll see many specific examples in different scenarios network slide 25 Authentication with Shared Secrets SECRET SECRET msg, H(SECRET,msg) Alice Bob Alice wants to ensure that nobody modifies message in transit (both integrity and authentication) Idea: given msg, very hard to compute H(SECRET, msg) without SECRET; easy with SECRET slide 26

Authentication Without Encryption KEY MAC (message authentication code) KEY message, MAC(KEY,message) Alice message =? Bob Recomputes MAC and verifies whether it is equal to the MAC attached to the message Integrity and authentication: only someone who knows KEY can compute MAC for a given message slide 27 HMAC! Construct MAC by applying a cryptographic hash function to message and key Could also use encryption instead of hashing, but Hashing is faster than encryption in software Library code for hash functions widely available Can easily replace one hash function with another There used to be US export restrictions on encryption! Invented by Bellare, Canetti, and Krawczyk (1996)! Mandatory for IP security, also used in SSL/TLS slide 28

Structure of HMAC magic value (flips half of key bits) Secret key padded to block size Block size of embedded hash function another magic value (flips different key bits) Embedded hash function (strength of HMAC relies on strength of this hash function) Amplify key material (get two keys out of one) Black box : can use this HMAC construction with any hash function (why is this important?) Very common problem: given a small secret, how to derive a lot of new keys? hash(key,hash(key,message)) slide 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information