Hash Functions and Data Integrity, Section 9.5-9.7
Handbook of Applied Cryptography
Information Security & Intelligent IoT Lab
Asep M Awaludin
2017.11.20
Contents
9.5 Keyed hash function
9.6 Data integrity and message authentication
9.7 Advanced attacks on hash functions
9.5 Keyed hash function
Message Authentication Codes (MACs)
9.5.1 MACs based on block ciphers
ISO9797-1
MAC Algorithm 3 (Retail MAC)
[Figure: chains of block cipher E with initial value 0, showing the text-MAC pairs $(x_1, H_1)$, $(x_2, H_2)$ and $((x_1 \| z), M)$, and the resulting pair $((x_2 \| H_1 \oplus z \oplus H_2), M)$]
9.5.2 Constructing MACs from MDCs
• Consider a message $x = x_1, x_2, x_3, \ldots, x_t$ and an iterated MDC $h$ with compression function $f$, defined by:
• $H_0 = IV$;
• $H_i = f(H_{i-1}, x_i)$;
• $h(x) = H_t$.
• Secret prefix method
• $M = h(k \| x)$
• Secret suffix method
• $M = h(x \| k)$
• Envelope method with padding
• $M = h(k \| p \| x \| k)$
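The iterated definition and the three keyed constructions above, written as runnable Python; this is an added example, not taken from the slides or the Handbook. The compression function f (truncated SHA-256), the 16-byte block size, zero padding without a length block, the sample values and the helper is_extendable are assumptions made for illustration. is_extendable reports whether the tag of x || y can be derived from the tag of x alone, a known property of the secret prefix method over an iterated hash.

```python
import hashlib
import hmac

BLOCK = 16          # bytes per message block x_i (assumed for this example)
IV = bytes(BLOCK)   # H_0 = IV (constructed all-zero value)

def f(h_prev: bytes, x_i: bytes) -> bytes:
    """Compression function f(H_{i-1}, x_i); truncated SHA-256 is a stand-in."""
    return hashlib.sha256(h_prev + x_i).digest()[:BLOCK]

def h(x: bytes, h0: bytes = IV) -> bytes:
    """Iterated MDC: H_0 = IV, H_i = f(H_{i-1}, x_i), h(x) = H_t."""
    x += bytes(-len(x) % BLOCK)          # zero-pad to a block boundary, no length block
    H = h0
    for i in range(0, len(x), BLOCK):
        H = f(H, x[i:i + BLOCK])
    return H

def mac_prefix(k: bytes, x: bytes) -> bytes:
    return h(k + x)                      # M = h(k || x)

def mac_suffix(k: bytes, x: bytes) -> bytes:
    return h(x + k)                      # M = h(x || k)

def mac_envelope(k: bytes, x: bytes) -> bytes:
    p = bytes(-len(k) % BLOCK)           # p pads k to a full block
    return h(k + p + x + k)              # M = h(k || p || x || k)

def is_extendable(mac, k: bytes, x: bytes, y: bytes) -> bool:
    """True if the tag of x || y follows from the tag of x alone, with no use of k.

    The check continues the chain from M as if M were H_t and compares the
    result with the tag the key holder would compute for x || y.
    """
    continued = h(y, h0=mac(k, x))
    return hmac.compare_digest(continued, mac(k, x + y))

# Constructed sample values: block-aligned key and message, plus appended data.
K = bytes(range(16))
X = b"amount=100;to=A;" * 2
Y = b";note=appended"

if __name__ == "__main__":
    for name, mac in [("prefix", mac_prefix), ("suffix", mac_suffix),
                      ("envelope", mac_envelope)]:
        print(f"{name:9s} tag={mac(K, X).hex()} "
              f"extendable={is_extendable(mac, K, X, Y)}")
```

The check covers extension only; it says nothing about other weaknesses of the secret suffix method.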
9.5.3 Customized MACs
9.5.4 MACs for stream ciphers
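[Figure: CRC-based MAC computed with a Linear Feedback Shift Register (LFSR), labelled with input $B_i$, coefficients $p_1, p_2, p_3, \ldots, p_{m-1}$, one-bit registers $R_0, R_1, R_2, \ldots, R_{m-1}$, key $k$ and an $m$-bit MAC, where $R(x) = B(x)\,x^m \bmod p(x)$]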
9.6 Data integrity and message authentication
9.6.1 Background and definitions
9.6.2 Non-malicious vs. malicious threats to data integrity
• The techniques required to provide data integrity on noisy channels differ substantially from those required on channels subject to manipulation by adversaries.
• Checksums provide protection against accidental or non-malicious errors on channels which are subject to transmission errors. The protection is non-cryptographic.
• Data integrity mechanisms based on (cryptographic) hash functions are specifically designed to preclude undetectable intentional modification.
9.6.3 Data integrity using a MAC alone
Message Authentication Codes (MACs) are designed specifically for applications where data integrity (but not necessarily privacy) is required.
9.6.4 Data integrity using an MDC and an authentic channel
• The use of a secret key is not essential in order to provide data integrity.
• It may be eliminated by hashing a message and protecting the authenticity of the hash via an authentic channel.
9.6.5 Data integrity combined with encryption
• Whereas digital signatures provide assurances regarding both integrity and authentication, in general, encryption alone provides neither.
• This issue is examined first, followed by the question of how hash functions may be employed in conjunction with encryption to provide data integrity.
9.7 Advanced attacks on hash functions
9.7.1 Birthday attacks
• Yuval’s birthday attack was one of the first (and perhaps the most well-known) of many cryptographic applications of the birthday paradox arising from the classical occupancy distribution (2.1.5).
9.7.2 Pseudo-collisions and compression function attacks
9.7.3 Chaining attacks
• Chaining attacks are those which are based on the iterative nature of hash functions and, in particular, the use of chaining variables.
9.7.4 Attacks based on properties of underlying cipher
• Weak keys
• Semi-weak keys
Thank you!