Lecture 5: Cryptographic Hash Functions
Read: Chapter 5 in KPS
Purpose
• CHF – one of the most important tools in modern cryptography and security
• In crypto, CHF instantiates a Random Oracle paradigm
• In security, used in a variety of authentication and integrity applications
• Not the same as “hashing” used in DBs or CRCs in communications
Cryptographic HASH Functions
• Purpose: produce a fixed-size “fingerprint” or digest of arbitrarily long input data
• Why? To guarantee integrity
• Properties of a “good” cryptographic HASH function H():
  1. Takes on input of any size
  2. Produces fixed-length output
  3. Easy to compute (efficient)
  4. Given any h, computationally infeasible to find any x such that H(x) = h
  5. For a given x, computationally infeasible to find y such that H(y) = H(x) and y ≠ x
  6. Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y
Same Properties Re-stated:
• Cryptographic properties of a “good” HASH function:
  • One-Way-ness (#4)
  • Weak Collision-Resistance (#5)
  • Strong Collision-Resistance (#6)
• Non-cryptographic properties of a “good” HASH function:
  • Efficiency (#3)
  • Fixed Output (#2)
  • Arbitrary-Length Input (#1)
Construction
• A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (Mi)
• Sort of like a Chained Block Cipher
• Produces a hash value for each fixed-size block based on (1) its content and (2) hash value for the previous block
• “Avalanche” effect: 1-bit change in input produces “catastrophic” and unpredictable changes in output
[Figure: chained compression – h1 = f(IV, M1), h2 = f(h1, M2), …, h = f(hn-1, Mn)]
Simple Hash Functions
• Bitwise-XOR
  • Not secure, e.g., for English text (ASCII < 128) the high-order bit is almost always zero
  • Can be improved by rotating the hash code after each block is XOR-ed into it
  • If message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed
• Another weak hash example: IP Header CRC
Another Example
• IPv4 header checksum
  • One’s complement of the one’s complement sum of the IP header's 16-bit words
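The two “simple hash functions” from this slide, written out as an added example (not part of the lecture): the plain and rotating XOR block hashes, a function showing why the XOR hash gives no integrity (one appended block sets the hash to any value), and the IPv4 header checksum. The 32-bit block size and the sample IPv4 header are constructed for the demonstration.

```python
import struct

BLOCK = 4   # constructed: 32-bit blocks for the toy XOR hashes

def xor_hash(data: bytes, block: int = BLOCK) -> bytes:
    """Bitwise-XOR of all fixed-size blocks (last block zero-padded)."""
    h = bytearray(block)
    for i in range(0, len(data), block):
        for j, byte in enumerate(data[i:i + block]):
            h[j] ^= byte
    return bytes(h)

def rot_xor_hash(data: bytes, block: int = BLOCK) -> bytes:
    """XOR hash with a 1-bit left rotation of the running value before each
    block is XOR-ed in, so block order now matters."""
    nbits, h = 8 * block, 0
    for i in range(0, len(data), block):
        chunk = int.from_bytes(data[i:i + block].ljust(block, b"\x00"), "big")
        h = ((h << 1) | (h >> (nbits - 1))) & ((1 << nbits) - 1)
        h ^= chunk
    return h.to_bytes(block, "big")

def fixup_block(msg: bytes, target: bytes, block: int = BLOCK) -> bytes:
    """Why the XOR hash gives no integrity: one appended block makes
    xor_hash(msg + fixup) equal any target value (msg is block-aligned)."""
    return bytes(a ^ b for a, b in zip(xor_hash(msg, block), target))

def ipv4_checksum(header: bytes) -> int:
    """One's complement of the one's complement sum of the 16-bit words;
    computed with the checksum field zeroed, it verifies to 0 when present."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# Constructed 20-byte IPv4 header with the checksum field (bytes 10-11) zeroed
IPV4_HDR_NO_CKSUM = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")
```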
The Birthday Paradox
• Probability of no collisions:
  • P0 = 1 * (1 - 1/n) * (1 - 2/n) * … * (1 - (k-1)/n) ≈ e^(k(1-k)/2n)
• Probability of at least one:
  • P1 = 1 - P0
• Set P1 to be at least 0.5 and solve for k:
  • k ≈ 1.17 * SQRT(n)
  • k ≈ 22.3 for n = 365
So, what’s the point?
• Example hash function: y = H(x) where: x = person and H() is Bday()
• y ranges over set Y = [1…365], let n = size of Y, i.e., number of distinct values in the range of H()
• How many people do we need to ‘hash’ to have a collision?
• Or: what is the probability of selecting at random k DISTINCT numbers from Y?
The Birthday Paradox
m = log2(n) = size of H() output
√(2^m) = 2^(m/2) trials must be computationally infeasible!
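The birthday bound from the two slides above, as an added example (not from the lecture): the exact P0 product, the slide’s e^(k(1-k)/2n) approximation, the smallest k with P1 ≥ 0.5, and an empirical check on SHA-1 truncated to m bits, where a collision appears after roughly 2^(m/2) hashed inputs. The truncation and the random-input generator are constructed here.

```python
import hashlib
import math
import random

def p_no_collision(n: int, k: int) -> float:
    """Exact P0 = prod_{i<k} (1 - i/n): k values drawn from n are all distinct."""
    p = 1.0
    for i in range(k):
        p *= 1.0 - i / n
    return p

def p_no_collision_approx(n: int, k: int) -> float:
    """The slide's approximation P0 ~ e^(k(1-k)/2n)."""
    return math.exp(k * (1 - k) / (2.0 * n))

def birthday_k(n: int, target: float = 0.5) -> int:
    """Smallest k with P1 = 1 - P0 >= target (n = 365 gives the famous 23)."""
    k = 1
    while 1.0 - p_no_collision(n, k) < target:
        k += 1
    return k

def trials_until_collision(m_bits: int, seed: int = 0) -> int:
    """Hash random inputs with SHA-1 truncated to m bits until two digests
    collide; returns the number of inputs hashed (expected ~1.25 * 2^(m/2))."""
    rng = random.Random(seed)            # fixed seed: reproducible run
    seen = {}
    trials = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        tag = hashlib.sha1(msg).digest()[: (m_bits + 7) // 8]
        tag = int.from_bytes(tag, "big") >> (8 * len(tag) - m_bits)
        if tag in seen and seen[tag] != msg:
            return trials
        seen[tag] = msg
```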
How Long Should a Hash be?
• Many input messages yield the same hash
  • e.g., 1024-bit message, 128-bit hash
  • On average, 2^896 messages map into one hash
• With m-bit hash, it takes about 2^(m/2) trials to find a collision (with ≥ 0.5 probability)
• When m = 64, it takes 2^32 trials to find a collision (doable in very little time)
• Today, need at least m = 160, requiring about 2^80 trials
Hash Function Examples
                 SHA-1 (weak)          MD5 (defunct)         RIPEMD-160 (unloved)
Digest length    160 bits              128 bits              160 bits
Block size       512 bits              512 bits              512 bits
# of steps       80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Max msg size     2^64 - 1 bits         ∞                     ∞
Other (stronger) variants of SHA are SHA-256 and SHA-512. See: http://en.wikipedia.org/wiki/SHA_hash_functions
MD5
• Author: R. Rivest, 1992
• 128-bit hash
• based on earlier, weaker MD4 (1990)
• Collision resistance (B-day attack resistance)
  • only 64-bit
• Output size not long enough today (due to various attacks)
MD5: Message Digest Version 5
[Figure: Input Message → MD5 → Output: 128-bit Digest]
Overview of MD5
[Figure: MD5 overview]
MD5 Padding
• Given original message M, add padding bits “100…” such that resulting length is 64 bits less than a multiple of 512 bits.
• Append original length in bits to the padded message
• Final message chopped into 512-bit blocks
MD5: Padding
[Figure: Input Message → Padding → 512-bit Blocks 1, 2, 3, 4, starting from the Initial Value → Final Output: 128-bit Digest; MD5 Transformation Block by Block]
MD5 Blocks
[Figure: 512-bit blocks B1, B2, B3, B4 each fed through MD5 in sequence → Result]
MD5 Box
[Figure: Initial 128-bit vector and 512-bit message chunks (16 words) → MD5 box → 128-bit result]
F(x,y,z) = (x ∧ y) ∨ (~x ∧ z)
G(x,y,z) = (x ∧ z) ∨ (y ∧ ~z)
H(x,y,z) = x ⊕ y ⊕ z
I(x,y,z) = y ⊕ (x ∧ ~z)
x <<< y: x left-rotate y bits
MD5 Process
• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD = A|B|C|D
• Every message block contains 16 32-bit words: m0|m1|m2…|m15
• Digest MD0 initialized to: A = 01234567, B = 89abcdef, C = fedcba98, D = 76543210
• Every stage consists of 4 passes over the message block, each modifying MD; each pass involves a different operation
Processing of Block mi – 4 Passes
ABCD = fF(ABCD, mi, T[1..16])
ABCD = fG(ABCD, mi, T[17..32])
ABCD = fH(ABCD, mi, T[33..48])
ABCD = fI(ABCD, mi, T[49..64])
[Figure: MDi = A B C D and block mi enter the 4 passes; the outputs are added (+) word-wise to A, B, C, D to give MDi+1]
Convention: A – d0; B – d1; C – d2; D – d3; Ti: diff. constant
Different Passes...
• Different functions and constants
• Different set of mi-s
• Different sets of shifts
Functions and Random Numbers
• F(x,y,z) = (x ∧ y) ∨ (~x ∧ z)
• G(x,y,z) = (x ∧ z) ∨ (y ∧ ~z)
• H(x,y,z) = x ⊕ y ⊕ z
• I(x,y,z) = y ⊕ (x ∧ ~z)
• Ti = int(2^32 * abs(sin(i))), 0 < i < 65
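The MD5 slides above (padding, the 4 passes with F/G/H/I, the sine-derived Ti and the word-wise additions into A|B|C|D) assembled into a working hash, as an added example that is not lecture code. One correction needed for it to match real MD5: in RFC 1321 the I function is y ⊕ (x ∨ ~z), with OR rather than AND, and that is what the code uses; the per-step rotation amounts S are also taken from RFC 1321 since the slides do not list them. Output is checked against hashlib.md5.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-step left-rotate amounts, one row per pass, and the sine-derived T[i]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(2 ** 32 * abs(math.sin(i))) & MASK for i in range(1, 65)]

def rotl(x: int, n: int) -> int:
    """x <<< n: left-rotate a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_pad(msg: bytes) -> bytes:
    """Append 1000..., zeros up to 64 bits short of a 512-bit multiple,
    then the original bit length as a 64-bit little-endian integer."""
    bit_len = 8 * len(msg)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + struct.pack("<Q", bit_len)

def md5(msg: bytes) -> bytes:
    # MD0 = A|B|C|D; the slide's hex strings are these words written byte by byte
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):                 # one stage per 512-bit block
        m = struct.unpack("<16I", padded[off:off + 64])   # m0..m15
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):                               # 4 passes x 16 steps
            if i < 16:
                f, g = (b & c) | (~b & d), i                      # F
            elif i < 32:
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16       # G
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16                # H
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16                 # I (OR, per RFC 1321)
            f = (f + a + T[i] + m[g]) & MASK
            a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
        # word-wise "+" of the pass output into the running digest: MDi -> MDi+1
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)
```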
Secure Hash Algorithm (SHA)
• Revised in 1995 as SHA-1
• Input: Up to 2^64 bits
• Output: 160-bit digest
• 80-bit collision resistance
• Pad with at least 64 bits to resist padding attack
  • 1000…0 || <message length>
• Processes 512-bit block
  • Initiate 5 x 32-bit MD registers
  • Apply compression function
    • 4 rounds of 20 steps each
    • each round uses different non-linear function
    • registers are shifted and switched
• SHA-0 was published by NIST in 1993
Digest Generation with SHA-1
[Figure: SHA-1 digest generation]
SHA-1 of a 512-Bit Block
[Figure: SHA-1 processing of one 512-bit block]
General Logic
• Input message must be < 2^64 bits
  • not a real limitation
• Message processed in 512-bit blocks sequentially
• Message digest (hash) is 160 bits
• SHA design is similar to MD5, but a lot stronger
Basic Steps
Step 1: Padding
Step 2: Appending length as 64-bit unsigned
Step 3: Initialize MD buffer: 5 32-bit words: A|B|C|D|E
  A = 67452301
  B = efcdab89
  C = 98badcfe
  D = 10325476
  E = c3d2e1f0
Basic Steps...
• Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each
• Each step t (0 <= t <= 79):
  • Input:
    • Wt – 32-bit word from the message
    • Kt – constant
    • ABCDE: current MD
  • Output:
    • ABCDE: new MD
Basic Steps...
• Only 4 per-round distinctive additive constants:
  • 0 <= t <= 19    Kt = 5A827999
  • 20 <= t <= 39   Kt = 6ED9EBA1
  • 40 <= t <= 59   Kt = 8F1BBCDC
  • 60 <= t <= 79   Kt = CA62C1D6
Basic Steps – Zooming In
[Figure: one SHA-1 step on registers A B C D E → A B C D E, combining ft(B,C,D), CLS5(A), CLS30(B), Wt and Kt with four additions (+)]
Basic Logic Functions
Only 3 different functions
Round            Function ft(B,C,D)
0 <= t <= 19     (B ∧ C) ∨ (~B ∧ D)
20 <= t <= 39    B ⊕ C ⊕ D
40 <= t <= 59    (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
60 <= t <= 79    B ⊕ C ⊕ D
Twist With Wt’s
• Additional mixing used with input message 512-bit block
  • W0|W1|…|W15 = m0|m1|m2…|m15
• For 15 < t < 80:
  • Wt = Wt-16 ⊕ Wt-14 ⊕ Wt-8 ⊕ Wt-3
• XOR is a very efficient operation, but with multilevel shifting, it produces very extensive and random mixing!
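The SHA-1 slides (padding and 64-bit length, the A|B|C|D|E buffer, the four Kt constants, the three ft functions and the Wt schedule) put together into a working hash, as an added example that is not lecture code. One detail the schedule formula on the slide omits: SHA-1 as standardized (FIPS 180-1) rotates each new Wt left by 1 bit; without that rotation the schedule is SHA-0’s. Output is checked against hashlib.sha1.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]   # Kt, one per round of 20 steps

def cls(x: int, n: int) -> int:
    """CLSn: circular left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK

def f_t(t: int, b: int, c: int, d: int) -> int:
    """The slide's ft(B,C,D) table: only 3 distinct functions."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d                       # rounds 2 and 4

def sha1_pad(msg: bytes) -> bytes:
    """Steps 1-2: 1000...0 up to 64 bits short of a 512-bit multiple,
    then the message length as a 64-bit big-endian unsigned integer."""
    bit_len = 8 * len(msg)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + struct.pack(">Q", bit_len)

def schedule(block: bytes) -> list:
    """W0..W15 = m0..m15; for t >= 16, Wt = CLS1(Wt-3 ^ Wt-8 ^ Wt-14 ^ Wt-16)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(cls(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w

def sha1(msg: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # step 3: A..E
    padded = sha1_pad(msg)
    for off in range(0, len(padded), 64):              # one 512-bit block at a time
        w = schedule(padded[off:off + 64])
        a, b, c, d, e = h
        for t in range(80):                            # step 4: 4 rounds x 20 steps
            tmp = (cls(a, 5) + f_t(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
            a, b, c, d, e = tmp, a, cls(b, 30), c, d   # registers shifted and switched
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)
```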
SHA-1 Versus MD5
• SHA-1 is a stronger algorithm:
  • A birthday attack requires on the order of 2^80 operations, in contrast to 2^64 for MD5
• SHA-1 has 80 steps and yields a 160-bit hash (vs. 128) – involves more computation
Summary: What are hash functions good for?
Message Authentication Using a Hash Function
Use symmetric encryption such as AES or 3-DES
• Generate H(M) of same size as E() block
• Use EK(H(M)) as the MAC (instead of, say, DES MAC)
• Alice sends EK(H(M)), M
• Bob receives C, M’, decrypts C with k, hashes result
  H(DK(C)) =?= H(M’)
Collision → MAC forgery!
Using Hash for Authentication
Alice and Bob share a secret key KAB
1. Alice → Bob: random challenge rA
2. Bob → Alice: H(KAB || rA), random challenge rB
3. Alice → Bob: H(KAB || rB)
Only need to compare H() results
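The three-message exchange above, run between two simulated parties as an added example (not lecture code), with H = SHA-1 and 16-byte random challenges; the Party class and run_protocol are constructed here. Each side verifies the other’s H(KAB || r) with a constant-time comparison, and a wrong key on either side makes both checks fail.

```python
import hashlib
import hmac
import secrets

def h(key: bytes, r: bytes) -> bytes:
    """H(KAB || r) with H = SHA-1, as on the slide."""
    return hashlib.sha1(key + r).digest()

class Party:
    def __init__(self, key: bytes):
        self.key = key
        self.my_challenge = None

    def challenge(self) -> bytes:
        """Fresh random challenge; never reuse one, or a recorded reply replays."""
        self.my_challenge = secrets.token_bytes(16)
        return self.my_challenge

    def respond(self, peer_challenge: bytes) -> bytes:
        return h(self.key, peer_challenge)

    def check(self, response: bytes) -> bool:
        """Recompute H(K || my challenge) and compare in constant time."""
        return hmac.compare_digest(h(self.key, self.my_challenge), response)

def run_protocol(alice: Party, bob: Party) -> tuple:
    """Returns (bob accepts Alice, Alice accepts Bob)."""
    r_a = alice.challenge()                             # 1. Alice -> Bob: rA
    resp_b, r_b = bob.respond(r_a), bob.challenge()     # 2. Bob -> Alice: H(K||rA), rB
    resp_a = alice.respond(r_b)                         # 3. Alice -> Bob: H(K||rB)
    return bob.check(resp_a), alice.check(resp_b)
```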
Using Hash to Compute MAC: integrity
• Cannot just compute and append H(m)
• Need “Keyed Hash”:
  • Prefix:
    • MAC: H(KAB|m), almost works, but…
    • Allows concatenation with arbitrary message:
      • H(KAB|m|m’)
  • Suffix:
    • MAC: H(m|KAB), works better, but what if m’ is found such that H(m) = H(m’)?
  • HMAC:
    • H(KAB | H(KAB | m))
Hash Function MAC (HMAC)
• Main Idea: Use a MAC derived from any cryptographic hash function
  • hash functions do not use a key, therefore cannot be used directly as a MAC
• Motivations for HMAC:
  • Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  • No need for the reversibility of encryption
  • No US government export restrictions (was important in the past)
• Status: designated as mandatory for IP security
  • Also used in Transport Layer Security (TLS), which will replace SSL, and in SET
HMAC Algorithm
• Compute H1 = H() of the concatenation of M and K1
• To prevent an “additional block” attack, compute again H2 = H() of the concatenation of H1 and K2
• K1 and K2 each use half the bits of K
• Notation:
  • K+ = K padded with 0’s
  • ipad = 00110110 x b/8
  • opad = 01011100 x b/8
• Execution:
  • Same as H(M), plus 2 blocks
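HMAC as standardized in RFC 2104, using the slide’s K+, ipad and opad notation: HMAC(K, M) = H((K+ ⊕ opad) || H((K+ ⊕ ipad) || M)), as an added example that is not lecture code. The two derived keys are the padded key XOR-ed with ipad and opad (rather than two halves of K); keys longer than the block size are hashed first. The result is checked against Python’s hmac module, and verify() shows the receiver side with a constant-time comparison.

```python
import hashlib
import hmac

def hmac_digest(key: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """HMAC(K, M) = H((K+ ^ opad) || H((K+ ^ ipad) || M)), RFC 2104."""
    b = hashfn().block_size                      # b/8 bytes: 64 for MD5 and SHA-1
    if len(key) > b:
        key = hashfn(key).digest()               # long keys are hashed first
    k_plus = key.ljust(b, b"\x00")               # K+ = K padded with 0's to b bits
    ipad = bytes([0x36] * b)                     # 00110110 repeated b/8 times
    opad = bytes([0x5C] * b)                     # 01011100 repeated b/8 times
    inner = hashfn(bytes(x ^ y for x, y in zip(k_plus, ipad)) + msg).digest()
    # The outer keyed hash is what stops the "additional block" attack that a
    # plain prefix MAC H(K || M) allows: an attacker cannot extend the inner
    # hash without the key, and the outer hash hides the inner state anyway.
    return hashfn(bytes(x ^ y for x, y in zip(k_plus, opad)) + inner).digest()

def verify(key: bytes, msg: bytes, tag: bytes, hashfn=hashlib.sha1) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_digest(key, msg, hashfn), tag)
```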
Just for Fun… Using a Hash to Encrypt
• (Almost) One-Time Pad: similar to OFB
  • compute bit streams using H(), K, and IV
  • b1 = H(KAB|IV), …, bi = H(KAB|bi-1), …
  • c1 = p1 ⊕ b1, …, ci = pi ⊕ bi, …
• Or, mix in the plaintext
  • similar to cipher feedback mode (CFB)
  • b1 = H(KAB|IV), …, bi = H(KAB|ci-1), …
  • c1 = p1 ⊕ b1, …, ci = pi ⊕ bi, …
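Both hash-based stream modes from this slide, as an added example that is not lecture code, with H = SHA-1 so every keystream block bi is 20 bytes. The OFB-like mode derives bi from the previous keystream block and the CFB-like mode from the previous ciphertext block; the key and IV are constructed values. The OFB-like keystream depends only on K and IV, which is the “almost” in “almost one-time pad”: reusing the same K and IV on two messages gives away p1 ⊕ p2.

```python
import hashlib

BLK = hashlib.sha1().digest_size   # 20-byte keystream blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hash_ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """b1 = H(K|IV), bi = H(K|b_{i-1}); c = p ^ b. Self-inverse, so the same
    call encrypts and decrypts."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLK):
        prev = hashlib.sha1(key + prev).digest()
        out += _xor(data[i:i + BLK], prev)
    return bytes(out)

def hash_cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """b1 = H(K|IV), bi = H(K|c_{i-1}); keystream chained through ciphertext."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLK):
        prev = _xor(plaintext[i:i + BLK], hashlib.sha1(key + prev).digest())
        out += prev
    return bytes(out)

def hash_cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Same keystream as encryption, since c_{i-1} is available to the receiver."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLK):
        b = hashlib.sha1(key + prev).digest()
        prev = ciphertext[i:i + BLK]
        out += _xor(prev, b)
    return bytes(out)
```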