Cryptographic Hash Function
Uploaded by
s.b.v.seshagiri1407Cryptographic Hash Function
Uploaded by
s.b.v.seshagiri1407Computer Security
CS 426
Lecture 5
Cryptography: Cryptographic Hash
Function
CS426 Fall 2010/Lecture 5 1
Data Integrity and Source
A thentication
Authentication
• Encryption does not protect data from modification
by another party.
• Need a way to ensure that data arrives at destination
in its original form as sent by the sender and it is
coming from an authenticated source.
CS426 Fall 2010/Lecture 5 2
Cryptographic
yp g p Hash Functions
• A hash function maps a message of an
arbitrary length to a m-bit output
– output known as the fingerprint or the message
digest
– if the message digest is transmitted securely, then
changes to the message can be detected
• A hash function is a many-to-one function, so
collisions can happen.
CS426 Fall 2010/Lecture 5 3
Security Requirements for
Cryptographic Hash Functions
Given a function h:X Y,Y then we say that h is:
• preimage resistant (one-way):
if given y Y it is computationally infeasible to find a
value x X s.t. h(x) = y
• 2
2-ndnd preimage resistant (weak collision resistant):
if given x X it is computationally infeasible to find a
value x’ X,, s.t. x’x and h(x’)
( ) = h(x)
( )
• collision resistant (strong collision resistant):
if it is computationally infeasible to find two distinct
values x’,x X, s.t. h(x’) = h(x)
CS426 Fall 2010/Lecture 5 4
Uses of hash functions
• Software
S ft integrity
i t it
– E.g., tripwire
• Timestamping
– How?
• Message authentication
• One-time Passwords
• Digital
Di it l signature
i t
CS426 Fall 2010/Lecture 5 5
Bruteforce Attacks on Hash Functions
• Attacking one-wayness
one wayness
– Goal: given h:XY, yY, find x such that h(x)=y
– Algorithm:
• pick a random value x in X, check if h(x)=y, if
h(x)=y,
h(x) y, returns x; otherwise iterate
• after failing q iterations, return fail
– The average
average-case
case success probability is
q
1 1 | Y |
1 q
|Y |
– Let |Y|=2m, to get to be close to 0.5, q 2m-1
CS426 Fall 2010/Lecture 5 6
Bruteforce Attacks on Hash Functions
• Attacking
Att ki collision
lli i resistance
i t
– Goal: given h, find x, x’ such that h(x)=h(x’)
– Algorithm: pick a random set X0 of q values in X
for each xX0, computes yx=h(x)
x x then return (x
if yx=yx’ for some x’x (x,x
x’)) else fail
q ( q 1)
– The average success probability is
1 e 2|Y |
– Let |Y|=2m, to get to be close to 0.5, q 2m/2
– This is known as the birthday attack
attack.
CS426 Fall 2010/Lecture 5 7
Well Known Hash Functions
• MD5
– output
t t 128 bits
bit
– collision resistance completely broken by researchers in China
• SHA1
– output 160 bits
– no collision found y yet,, but method exist to find collisions in less
than 2^80
– considered insecure for collision resistance
– one-wayness still
till h
holds
ld
• SHA2 (SHA-224, SHA-256, SHA-384, SHA-512)
– outputs 224,
224 256
256, 384,
384 and 512 bits,
bits respectively
• NIST is having an ongoing competition of new standard
hash algorithms,
algorithms 14 algorithms currently considered
CS426 Fall 2010/Lecture 5 8
Choosing
g the length
g of Hash outputs
p
• B
Because off the
th birthday
bi thd attack,
tt k th
the llength
th off
hash outputs in general should double the key
l
length
th off block
bl k ciphers
i h
– SHA-224 matches the 112-bit strength of triple-DES
– SHA-256, SHA-384, SHA-512 match the new key
lengths (128,192,256) in AES
CS426 Fall 2010/Lecture 5 9
Readings
g for This Lecture
• Wikipedia
• Cryptographic Hash
F
Function
ti
CS426 Fall 2010/Lecture 5 10
Coming
g Attractions …
• C
Cryptography:
t h Message
M
Authentication Code.