Hash Functions and Data IntegritySection 9.5-9.7

Handbook of Applied Cryptography

Information Security & Intelligent IoT Lab

Asep M Awaludin

2017.11.20

Content

목차

2

9.5 Keyed hash function

9.6 Data integrity and message authentication

9.7 Advanced attacks on hash functions

9.5 Keyed hash function

Message Authentication Codes (MACs)

4

9.5.1 MACs based on block ciphers

5

9.5.1 MACs based on block ciphers

6

ISO9797-1

MAC Algorithm 3 (Retail MAC)

9.5.1 MACs based on block ciphers

7

9.5.1 MACs based on block ciphers

E

𝑥1

𝐻1

0

(𝑥1 , 𝐻1)

E

0

E

𝑥1 𝑧

𝑀

𝐻1

E

0

E

𝑥2 𝐻1⊕𝑧⊕𝐻2

𝑀

𝐻2

E

𝐻2

0

𝑥2 = 𝐻1

(𝑥2 , 𝐻2) ((𝑥1||𝑧) , 𝑴) (𝑥2||𝐻1⊕𝑧⊕𝐻2 , 𝑴)

9.5.1 MACs based on block ciphers

• Consider a message 𝑥 = 𝑥1, 𝑥2, 𝑥3,…, 𝑥𝑡 and an iterated MDC ℎwith compression function 𝑓, with definition:

• 𝐻0 = 𝐼𝑉;

• 𝐻𝑖 = 𝑓 𝐻𝑖−1, 𝑥𝑖 ;

• ℎ(x) = 𝐻𝑡.

• Secret Prefix Method

• 𝑀 = ℎ(𝑘||𝑥)

• Secret Suffix Method

• 𝑀 = ℎ(𝑥||𝑘)

• Envelope method with padding

• 𝑀 = ℎ(𝑘| 𝑝 |𝑥||𝑘)

9.5.2 Constructing MACs from MDCs

9.5.3 Customized MACs

9.5.3 Customized MACs

9.5.3 Customized MACs

9.5.3 Customized MACs

9.5.4 MACs for stream ciphers

9.5.4 MACs for stream ciphers

9.5.4 MACs for stream ciphers

𝑅0 reg1bit

𝑝1

𝐵𝑖

𝑝2 𝑝3 𝑝𝑚−1

𝑅1 reg1bit

𝑅2 reg1bit

𝑅𝑚−1 reg1bit

m-bit

MAC

𝑅 𝑥 = 𝐵 𝑥 𝑥𝑚 𝑚𝑜𝑑 𝑝(𝑥)1 1 1

1

m𝑅 𝑥

𝑘

m

m

CRC-Based MACLinear Feedback Shift Register (LFSR)

9.6 Data integrity and message

authentication

9.6.1 Background and definitions

9.6.1 Background and definitions

9.6.2 Non-malicious vs. malicious threats to data integrity

• The techniques required to provide data integrity on noisy channels differ substantially from those required on channels subject to manipulation by adversaries.

• Checksums provide protection against accidental or non-malicious errors on channels which are subject to transmission errors. The protection is non-cryptographic.

• Data integrity mechanisms based on (cryptographic) hash functions are specifically designed to preclude undetectable intentional modification.

9.6.3 Data integrity using a MAC alone

Message Authentication Codes (MACs) are designed specifically for applications where data integrity (but not necessarily privacy) is required.

9.6.4 Data integrity using an MDC and an authentic channel

• The use of a secret key is not essential in order to provide data integrity.

• It may be eliminated by hashing a message and protecting the authenticity of the hash via an authentic channel.

9.6.5 Data integrity combined with encryption

• Whereas digital signatures provide assurances regarding both integrity and authentication, in general, encryption alone provides neither.

• This issue is first examined, and then the question of how hash functions may be employed in conjunction with encryption to provide data integrity

9.7 Advanced attacks on hash

functions

9.7.1 Birthday attacks

• Yuval’s birthday attack was one of the first (and perhaps the most well-known) of many cryptographic applications of the birthday paradox arising from the classical occupancy distribution (2.1.5)

9.7.2 Pseudo-collisions and compression function attacks

9.7.3 Chaining attacks

• Chaining attacks are those which are based on the iterative nature of hash functions and, in particular, the use of chaining variables.

9.7.3 Chaining attacks

9.7.3 Chaining attacks

9.7.4 Attacks based on properties of underlying cipher

9.7.4 Attacks based on properties of underlying cipher

Weak keys Semi-weak keys

9.7.4 Attacks based on properties of underlying cipher

Thank you!