1

Lecture5CryptographicHashFunctions

Read:Chapter5inKPS

Purpose•  CHF – one of the most important tools in moderncryptographyandsecurity

•  CHF-s are used for many authentication, integrity,digitalsignaturesandnon-repudiationpurposes

•  Not the same as “hashing” used in DB or CRCs incommunications

2

3

CryptographicHASHFunctions•  Purpose:produceafixed-size“fingerprint”ordigestofarbitrarilylong

inputdata

•  Why?Toguaranteeintegrityofinput

•  Propertiesofa“good”cryptographicHASHfunctionH():

1.  Takesoninputofanysize2.  Producesfixed-lengthoutput3.  Easytocompute(efficient)4.  Givenanyh,computationallyinfeasibletofindanyxsuchthatH(x)=h5.  Foragivenx,computationallyinfeasibletofindy:H(y)=H(x)andy≠x6.  Computationallyinfeasibletofindany(x,y)suchthatH(x)=H(y)andx≠y

4

SamePropertiesRe-stated:•  Cryptographicpropertiesofa“good”HASHfunction:•  One-Way-ness(#4)•  WeakCollision-Resistance(#5)•  StrongCollision-Resistance(#6)

•  Non-cryptographic properties of a “good” HASHfunction•  Efficiency(#3)•  FixedOutput(#2)•  Arbitrary-LengthInput(#1)

5

Construction•  Ahashfunctionistypicallybasedonaninternalcompressionfunction

f()thatworksonfixed-sizeinputblocks(Mi)•  Merkle-Damgardconstruction:•  Afixed-size“compressionfunction”.•  Eachiterationmixesaninputblockwiththepreviousblock’soutput

•  SortoflikeaChainedBlockCipher

•  Producesahashvalueforeachfixed-sizeblockbasedon(1)itscontentand(2)hashvalueforthepreviousblock

•  “Avalanche”effect:1-bitchangeininputproduces“catastrophic”andunpredictablechangesinoutput

fIV

M1

f fh1 h

M2 Mn

h2 hn-1…

6

SimpleHashFunctions•  Bitwise-XOR

•  Notsecure,e.g.,forEnglishtext(ASCII<128)thehigh-orderbitisalmostalwayszero

•  CanbeimprovedbyrotatingthehashcodeaftereachblockisXOR-edintoit•  Ifmessageitselfisnotencrypted,itiseasytomodifythemessageand

appendoneblockthatwouldsetthehashcodeasneeded•  Anotherweakhashexample:IPHeaderCRC

AnotherExample•  IPv4headerchecksum•  One’scomplementoftheone’scomplementsumoftheIP

header's16-bitwords

7

8

TheBirthdayParadox

•  probabilityofnocollisions:•  P0=1*(1-1/n)*(1-2/n)*…*(1-(k-1)/n))==e(k(1-k)/2n)

•  probabilityofatleastone:•  P1=1-P0

•  SetP1tobeatleast0.5andsolvefork:•  k==1.17*SQRT(n)•  k=22.3forn=365

So,what’sthepoint?

•  Examplehashfunction:y=H(x)where:x=personandH()isBday()•  yrangesoversetY=[1…365],letn=sizeofY,i.e.,numberofdistinctvaluesin

therangeofH()•  Howmanypeopledoweneedto‘hash’tohaveacollision?•  Or:whatistheprobabilityofselectingatrandomkDISTINCTnumbersfromY?

9

“Birthday Paradox” Example: N = 106

10

TheBirthdayParadox

m = log(n) = size of H ()

2m = 2m/2 trials mustbe computationallyinfeasible!

11

HowLongShouldaHashbe?

•  Manyinputmessagesyieldthesamehash•  e.g.,1024-bitmessage,128-bithash•  Onaverage,2896messagesmapintoonehash

•  Withm-bithash,ittakesabout2m/2trialstofindacollision(with≥0.5probability)

•  Whenm=64,ittakes232trialstofindacollision(doableinverylittletime)

•  Today,needatleastm=160,requiringabout280trials(180isbetter)

12

CHF from a Block Cipher

Rabin’sCHF:

§  Splitinputintokeyblocks:M1,…Mp§  Encryptaconstantplaintext(e.g.,0)withthisseq.ofkeys:

Hi=E(Mi,Hi-1),Mo=0

§  FinalciphertextHpisthehashoutput

13

CHF from a Block Cipher

Davies-MeyerCHF:

§  Hi=Hi-1⊕E(Mi,Hi-1),Ho=0

§  CompressionfunctionissecureifEisasecureblockcipher

14

HashFunctionExamplesSHA-1(weak)

MD5(defunct)

RIPEMD-160(unloved)J

Digestlength 160bits 128bits 160bits

Blocksize 512bits 512bits 512bits

#ofsteps 80(4roundsof20)

64(4roundsof16)

160(5pairedroundsof16)

Maxmsgsize 264-1bits ∞ ∞

Other(stronger)variantsofSHAareSHA-256andSHA-512See:http://en.wikipedia.org/wiki/SHA_hash_functions

15

MD5•  Author:R.Rivest,1992

•  128-bithash

•  basedonearlier,weakerMD4(1990)

•  Collisionresistance(B-dayattackresistance)

•  only64-bit

•  Outputsizenotlongenoughtoday(duetovariousattacks)

16

MD5:MessageDigestVersion5

InputMessage

Output:128-bitDigest

17

OverviewofMD5

18

MD5Padding

•  GivenoriginalmessageM,addpaddingbits“100…”suchthatresultinglengthis64bitslessthanamultipleof512bits.

•  Appendoriginallengthinbitstothepaddedmessage

•  Finalmessagechoppedinto512-bitblocks

19

MD5:Padding

InputMessage

Output:128-bitDigest

Padding512bitBlock

InitialValue

1 2 3 4

FinalOutput

MD5 TransformationBlockbyBlock

20

MD5Blocks

MD5

MD5

MD5

MD5

512:B1

512:B2

512:B3

512:B4

Result

21

MD5Box

Initial128-bitvector

512-bitmessagechunks(16words)

128-bitresult

F(x,y,z)=(x∧y)∨(~x∧z)G(x,y,z)=(x∧z)∨(y∧~z)H(x,y,z)=x⊕y⊕zI(x,y,z)=y⊕(x∧~z)x↵y:xleftrotateybits

22

MD5Process

•  Asmanystagesasthenumberof512-bitblocksinthefinalpaddedmessage

•  Digest:432-bitwords:MD=A|B|C|D

•  Everymessageblockcontains1632-bitwords: m0|m1|m2…|m15

•  DigestMD0initializedto:A=01234567,B=89abcdef,C=fedcba98,D=76543210

•  Everystageconsistsof4passesoverthemessageblock,eachmodifyingMD;eachpassinvolvesdifferentoperation

23

ProcessingofBlockmi-4Passes

ABCD=fF(ABCD,mi,T[1..16])

ABCD=fG(ABCD,mi,T[17..32])

ABCD=fH(ABCD,mi,T[33..48])

ABCD=fI(ABCD,mi,T[49..64])

mi

+ + + +

A B C D

MDi

MDi+1

Convention:

A–d0;B–d1

C–d2;D–d3Ti:diff.constant

24

DifferentPasses...

•  Differentfunctionsandconstants

•  Differentsetofmi-s

•  Differentsetsofshifts

25

FunctionsandRandomNumbers

•  F(x,y,z)==(x∧y)∨(~x∧z)•  G(x,y,z)==(x∧z)∨(y∧~z)•  H(x,y,z)==x⊕y⊕z•  I(x,y,z)==y⊕(x∧~z)•  Ti=int(232*abs(sin(i))),0<i<65

26

Flame’s MS Windows MD5 Attack Chosen-prefixcoll.attack:Meaningfulinitialblocks,followedbyrandomblockstoobtaincollision

27

SecureHashAlgorithm(SHA)

•  Revisedin1995asSHA-1•  Input:Upto264bits•  Output:160bitdigest•  80-bitcollisionresistance

•  Padwithatleast64bitstoresistpaddingattack•  1000…0||<messagelength>

•  Processes512-bitblock•  Initiate5x32bitMDregisters•  Applycompressionfunction

•  4roundsof20stepseach•  eachroundusesdifferentnon-

linearfunction•  registersareshiftedandswitched

Ø  SHA-0waspublishedbyNISTin1993

28

DigestGenerationwithSHA-1

29

SHA-1ofa512-BitBlock

30

GeneralLogic

•  Inputmessagemustbe<264bits•  notareallimitation

•  Messageprocessedin512-bitblockssequentially

•  Messagedigest(hash)is160bits•  SHAdesignissimilartoMD5,butalotstronger

31

BasicSteps

Step1:PaddingStep2:Appendinglengthas64-bitunsignedStep3:InitializeMDbuffer:532-bit words:A|B|C|D|EA=67452301B=efcdab89 C=98badcfe D=10325476 E=c3d2e1f0

32

BasicSteps...

•  Step4:the80-stepprocessingof512-bitblocks:4rounds,20stepseach

•  Eachstept(0<=t<=79):•  Input:

• Wt–32-bitwordfromthemessage•  Kt–constant•  ABCDE:currentMD

•  Output:•  ABCDE:newMD

33

BasicSteps...

•  Only4per-rounddistinctiveadditiveconstants:•  0<=t<=19 Kt=5A827999•  20<=t<=39 Kt=6ED9EBA1•  40<=t<=59 Kt=8F1BBCDC•  60<=t<=79 Kt=CA62C1D6

34

BasicSteps–ZoomingIn

A EB C D

A EB C D

+

+

+

+

ft

CLS30

CLS5Wt

Kt

35

BasicLogicFunctions

Only3differentfunctionsRound Functionft(B,C,D)0<=t<=19 (B∧C)∨(~B∧D)20<=t<=39 B⊕C⊕D40<=t<=59 (B∧C)∨(B∧D)∨(C∧D)60<=t<=79 B⊕C⊕D

36

TwistWithWt’s

•  Additionalmixingusedwithinputmessage512-bitblock•  W0|W1|…|W15=m0|m1|m2…|m15•  For15<t<80:•  Wt=Wt-16⊕Wt-14⊕Wt-8⊕Wt-3

•  XORisaveryefficientoperation,butwithmultilevelshifting,itproducesveryextensiveandrandommixing!

37

SHA-1VersusMD5

•  SHA-1isastrongeralgorithm:•  Abirthdayattackrequiresontheorderof280operations,incontrastto264forMD5

•  SHA-1has80stepsandyieldsa160-bithash(vs.128)-involvesmorecomputation

•  TodaycanuseSHA-2,butforlonger-termsecurityuseSHA-3

38

SHA-3

§  PubliccompetitionbyNIST,similartoAES:§  NISTrequestforproposals(2007)§  51submissions(2008)§  14semi-finalists(2009)§  5finalists(2010)§ Winner:Keccak(2012)

§  DesignedbyBertoni,Daemen,Peeters,VanAssche.§  Basedon“spongeconstruction”,acompletelydifferentstructure.

39

Summary:Whatarehashfunctionsgoodfor?

40

MessageAuthenticationUsingaHashFunction

UsesymmetricencryptionsuchasAESor3-DES

•  GenerateH(M)ofsamesizeasE()block

•  UseEK(H(M))astheMAC(insteadof,say,AES-basedMAC)

•  AlicesendsEK(H(M)),M•  BobreceivesC,M’decryptsCwithk,hashesresult

H(DK(C))=?=H(M’)

CollisionèMACforgery!

41

UsingHashforAuthentication

AliceandBobshareasecretkeyKAB1. AliceèBob:randomchallengerA

2. BobèAlice:H(KAB||rA),randomchallengerB3. AliceèBob:H(KAB||rB)

OnlyneedtocompareH()results

42

UsingHashtoComputeMAC:integrity

•  CannotjustcomputeandappendH(m)•  Need“KeyedHash”:•  Prefix:

•  MAC:H(KAB|m),almostworks,but…•  Allowsconcatenationwitharbitrarymessage:

•  H(KAB|m|m’)

•  Suffix:•  MAC:H(m|KAB),worksbetter,butwhatifm’isfoundsuchthatH(m)=H(m’)?

•  HMAC:•  H(KAB|H(KAB|m))

43

HashFunction-basedMAC(HMAC)•  MainIdea:UseaMACderivedfromanyCHF

•  hashfunctionsdonotuseakey,thereforecannotbeuseddirectlyasaMAC

•  MotivationsforHMAC:•  Cryptographichashfunctionsexecutefasterinsoftwarethan

encryptionalgorithmssuchasDES•  Noneedforthereverseabilityofencryption•  NoUSgovernmentexportrestrictions(wasimportantinthepast)

•  Status:designatedasmandatoryforIPsecurity•  AlsousedinTransportLayerSecurity(TLS),whichwillreplaceSSL,and

inSET

44

HMACAlgorithm

•  ComputeH1=H()oftheconcatenationofMandK1

•  Topreventan“additionalblock”attack,computeagainH2=H()oftheconcatenationofH1andK2

•  K1andK2eachusehalfthebitsofK

•  Notation:•  K+=Kpaddedwith0’s•  ipad=00110110xb/8•  opad=01011100xb/8

•  Execution:•  SameasH(M),plus2blocks

45

JustforFun…UsingaHashtoEncrypt

•  SimulatedOne-TimePad:similartoOFB•  Computekey-streamusingH(),K,andIV• b1=H(KAB|IV),…,bi=H(KAB|bi-1),…•  c1=p1⊕b1,…,ci=pi⊕bi,…

•  Or,mixintheplaintext•  similartocipherfeedbackmode(CFB)• b1=H(KAB|IV),…,bi=H(KAB|ci-1),…•  c1=p1⊕b1,…,ci=pi⊕bi,…