ece454 /599 computer and network security
DESCRIPTION
ECE454 /599 Computer and Network Security. Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012. Hashes and Message Digests. What hashes can do MD2 MD4, MD5, SHA-1 HMAC. Hash Functions. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/1.jpg)
1
ECE454/599Computer and Network Security
Dr. Jinyuan (Stella) SunDept. of Electrical Engineering and Computer ScienceUniversity of Tennessee Fall 2012
![Page 2: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/2.jpg)
2
Hashes and Message Digests• What hashes can do• MD2• MD4, MD5, SHA-1• HMAC
![Page 3: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/3.jpg)
3
Hash FunctionsAka: message digests, one-way transformationsTake a message m of arbitrary length
(transformed into a string of bits) and computes from it a fixed-length (short) number h(m)
Properties:- easy-to-compute: for any message m, it is relatively easy to compute h(m)- non-reversible: given h(m), there is no way to find an m that hashes to h(m) except trying all possibilities of m- computationally infeasible to find m and m’ such that h(m)=h(m’) and m!=m’
![Page 4: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/4.jpg)
4
Notion of RandomnessAny particular bit in the outputs should
have 50% chance to be onEach output should have about half the
bits on, w.h.pAny two outputs should be completely
uncorrelated, no matter how similar the inputs are
![Page 5: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/5.jpg)
5
General Structure
• Repeated use of a compression function, f, that takes two inputs (the chaining variable and input block), and produces an n-bit output
![Page 6: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/6.jpg)
6
Birthday Paradox• If there are 23 or more people in a room, there is better than 50% chance that two of them will have the same birthday• Assume n inputs (number of people) and k possible outputs (365 days)• If n > k1/2, there is a good chance of finding a matching pair• Exact math on board…
![Page 7: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/7.jpg)
7
Length of DigestIf the length of the digest is n-bit long:• It takes O(2n) to find a message with a given digest• It takes O(2n/2) to find two messages with the same digest (the length of digest should be sufficient to resist this attack)
![Page 8: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/8.jpg)
8
Length of Digest (Cont’d)• Due to birthday attack, the length of the digest in general should be twice the length of the key in block ciphers• For example, SHA-256, SHA-384, and SHA-512 to match the key lengths 128, 192, and 256 in AES
![Page 9: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/9.jpg)
9
What Hashes Can Do• Authentication• Integrity check (MAC)• Encryption
![Page 10: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/10.jpg)
10
Authentication
Authentication with SKC (previous example)
Authentication with message digest
![Page 11: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/11.jpg)
11
Message Authentication Code (MAC)• MD (KAB|m): only those knowing the secret KAB can compute/verify the MAC (Problem?)• Solutions?
![Page 12: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/12.jpg)
12
MAC: Problem With Keyed Hash Keyed hash: h(key|m)An attacker gets m and h(key|m)First pads m according to the used
hash function, and then adds another message m’ at the end, the result is m|pad|m’
h(key|m|pad|m’) can be calculated from h(key|m|pad) which is the intermediate digest
![Page 13: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/13.jpg)
13
MAC: Solutions Use h(m|key)Use only half the bits of h(key|m) Use h(key|m|key)HMAC
![Page 14: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/14.jpg)
14
HMAC
![Page 15: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/15.jpg)
15
Encryption: Replacing SKC with Hash• Generate one-time pad: (similar to OFB)
b1 = MD(KAB|IV), b2 = MD(KAB|b1), b3 = MD(KAB|b2), …
• XOR the message with the one-time pad bit sequence (Problem with one-time pad? Recall OFB)• Mixing in the plaintext: (similar to CFB)
b1 = MD(KAB|IV), c1 = m1 XOR b1, b2 = MD(KAB|c1), c2 = m2 XOR b2,b3 = MD(KAB|c2), … c3 = m3 XOR b3, …
![Page 16: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/16.jpg)
16
Replacing Hash with SKC• Unix password hash: password is converted into a secret key, which is input into DES to encrypt the constant 0, producing a hashed password• Hashing large messages: (Problem? Solution?)
![Page 17: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/17.jpg)
17
Replacing Hash with SKC-Improved
• Problem still? And solution?
![Page 18: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/18.jpg)
18
MD2, MD4, MD5, SHA-1Message digest (MD), designed by Ron Rivest• MD2: 1989, operates on 8-bit octets• MD4: 1990, operates on 32-bit words• MD5: 1991, operates on 32-bit words
Secure hash algorithm (SHA), proposed by NIST• SHA-1: 1995, operates on 32-bit words
![Page 19: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/19.jpg)
19
MD2• Input: arbitrary number of octets• Output: 128-bit message digest• Step 1: Pad the message to be a multiple of 16 octets• Step 2: Append a 16-octet checksum to the message• Step 3: Process the message, 16 octets at a time, to produce the message digest
![Page 20: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/20.jpg)
20
Step 1: Padding• 16 octets of padding are added if the message is initially a multiple of 16 octets• Otherwise, r octets of padding are added to make the message a multiple of 16 octets
![Page 21: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/21.jpg)
21
Step 2: Checksum Computation• Checksum: 16-octet quantity, appended to the message m• m|checksum is processed by MD2 to obtain the actual message digest
![Page 22: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/22.jpg)
22
Substitution Table
![Page 23: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/23.jpg)
23
Final Pass: Producing Digest
![Page 24: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/24.jpg)
24
MD4, MD5, SHA-1Input: arbitrary number of bitsOutput: 128 bits for MD4 and MD5,
160 bits for SHA-1Step 1: Pad the message to be a
multiple of 512 bits (16 words, 64 octets)
Step 2: Process the message, 512 bits at a time, to produce the message digest
![Page 25: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/25.jpg)
25
Step 1: Padding
Padding for MD4, MD5, SHA-1
![Page 26: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/26.jpg)
26
Step 2: Producing Message Digest
Overview of MD4, MD5, SHA-1
![Page 27: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/27.jpg)
27
SHA-1
Inner Loop of SHA-1: 80 Iterations per block
Initially (in hex):A=67452301, B=efcdab89, C=98badcfe, D=10325476, E=c3d2e1f0
![Page 28: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/28.jpg)
28
SHA-1 (Cont’d)Update: For t=0 through 79 (each of the 80
iterations)
In total: needs 80*(# of message blocks) iterationsA|B|C|D|E from the last iteration is the message
digest
![Page 29: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/29.jpg)
29
SHA-1 vs. MD5 SHA-1 has 160-bit digest and MD5 128-
bit, making SHA-1 more secure against brute-force
SHA-1 involves more stages and bigger buffer, and thus executes more slowly than MD5
MD5 is considered broken in 2004SHA-1 is considered broken in 2005SHA-2: four digest sizes 224, 256, 384,
512 bits
![Page 30: ECE454 /599 Computer and Network Security](https://reader031.vdocuments.us/reader031/viewer/2022012919/5681665c550346895dd9dd58/html5/thumbnails/30.jpg)
30
Reading Assignments
[Kaufman] Chapter 5