DOCSLIB.ORG

Cryptographic Hash Functions: Cryptanalysis, Design and Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cryptographic Hash Functions: Cryptanalysis, Design and Applications Cryptographic Hash Functions: Cryptanalysis, Design and Applications by Praveen Gauravaram Bachelor of Technology in Electrical and Electronics Engineering Sri Venkateswara University College of Engineering, Tirupati, India, 2000 Master of Information Technology Queensland University of Technology, Brisbane, Australia, 2003 Thesis submitted in accordance with the regulations for Degree of Doctor of Philosophy Information Security Institute Faculty of Information Technology Queensland University of Technology 2007 ii Keywords Cryptography, hash functions, cryptanalysis, design, applications, Merkle-Damg˚ard construction, CAVE, 3CG, 3C, GOST-L, F-Hash, NMAC, HMAC, O-NMAC, M-NMAC, NMAC-1, Iterated Halving, digital signatures, side-channel attacks, practical and legal implications. iii iv Abstract Cryptographic hash functions are an important tool in cryptography to achieve certain security goals such as authenticity, digital signatures, digital time stamp- ing, and entity authentication. They are also strongly related to other important cryptographic tools such as block ciphers and pseudorandom functions. The stan- dard and widely used hash functions such as MD5 and SHA-1 follow the design principle of Merkle-Damg˚ard iterated hash function construction which was pre- sented independently by Ivan Damg˚ard and Ralph Merkle at Crypto’89. It has been established that neither these hash functions nor the Merkle-Damg˚ard con- struction itself meet certain security requirements. This thesis aims to study the attacks on this popular construction and propose schemes that offer more resistance against these attacks as well as investigating alternative approaches to the Merkle-Damg˚ard style of designing hash functions. This thesis aims at analysing the security of the standard hash function Cellular Authentication and Voice Encryption Algorithm (CAVE) used for authentication and key-derivation in the second generation (2G) North American IS-41 mobile phone system. In addition, this thesis studies the analysis issues of message authentication codes (MACs) designed using hash functions. With the aim to propose some efficient and secure MAC schemes based on hash functions. This thesis works on three aspects of hash functions: design, cryptanalysis and applications with the following significant contributions: • Proposes a family of variants to the Damg˚ard-Merkle construction called 3CG for better protection against specific and generic attacks. Analysis of the linear variant of 3CG called 3C is presented including its resistance to some of the known attacks on hash functions. • Improves the known cryptanalytical techniques to attack 3C and some other v similar designs including a linear variant of GOST, a Russian standard hash function. • Proposes a completely novel approach called Iterated Halving, alternative to the standard block iterated hash function construction. • Analyses provably secure HMAC and NMAC message authentication codes (MACs) based on weaker assumptions than stated in their proofs of security. Proposes an efficient variant for NMAC called NMAC-1 to authenticate short messages. Proposes a variant for NMAC called M-NMAC which offers better protection against the complete key-recovery attacks than NMAC. As well it is shown that M-NMAC with hash functions also resists side- channel attacks against which HMAC and NMAC are vulnerable. Proposes a new MAC scheme called O-NMAC based on hash functions using just one secret key. • Improves the open cryptanalysis of the CAVE algorithm. • Analyses the security and legal implications of the latest collision attacks on the widely used MD5 and SHA-1 hash functions. vi Contents Keywords iii Abstract v Declaration xvii Previously Published Material xix Acknowledgements xxiii 1 Hash Functions in Cryptology 1 1.0.1 SecurityGoalsinCryptography . 2 1.1 CryptographicHashFunctions. 3 1.1.1 Position of Hash Functions in Cryptology . 4 1.2 Design, Analysis and Applications of Hash Functions . .... 7 1.2.1 HashFunctionDesigns . 7 1.2.2 Hash Function Analysis . 8 1.2.3 Applications of Hash Functions . 9 1.3 AimsandObjectives ......................... 10 1.4 ResearchResults ........................... 11 2 An Overview of Merkle-Damg˚ard Hash Function Construction 15 2.1 DefinitionandProperties. 16 2.2 IteratedHashFunctions . 17 2.2.1 Merkle-Damg˚ardConstruction . 18 2.2.2 Hash Functions following the Merkle-Damg˚ard Structure . 20 2.2.3 Differences between Damg˚ard’s Design and Practical Hash Functions ........................... 22 vii 2.2.4 Compression Functions of Hash Functions . 23 2.3 AttacksonHashFunctions. 24 2.3.1 BruteforceAttacks. 24 2.3.2 CryptanalyticalAttacks . 25 2.3.3 Collision Attacks on the Compression Functions . 27 2.3.4 Collision finding Algorithms . 28 2.4 Generic Attacks on the Merkle-Damg˚ard Construction . .... 29 2.4.1 LengthExtensionAttacks . 30 2.4.2 JouxGenericAttacks. 31 2.4.3 Generic 2nd preimageAttacks . 33 2.4.4 HerdingAttack ........................ 35 2.5 Multi-block Collision Attacks on Hash Functions . .... 37 2.5.1 New Observations on Multi-block Collision Attacks . .. 37 2.6 Conclusion............................... 40 3 New Modes of Operation for Hash Functions 41 3.1 The 3CG Construction: An Enhancement to the Merkle-Damg˚ard Scheme................................. 43 3.1.1 The 3C construction: A Linear Variant of 3CG . 43 3.2 Analysis of 3C against Collision Attacks . 44 3.3 Security Analysis of 3C against Known Generic Attacks . 49 3.3.1 Analysis Against Joux’s Attacks . 49 3.3.2 Analysis against 2nd-preimageAttacks . 50 3.3.3 Analysis against Herding Attack . 51 3.3.4 Analysis against Length Extension Attacks . 51 3.3.5 Analysis against 2nd-collisionAttacks . 52 3.4 Comparison of 3C with Related Hash Function Proposals . 54 3.5 Hybrid Hash Function Constructions using 3C . 57 3.6 The 3C+ Construction........................ 58 3.6.1 SomeVariantsfor3Cand3C+ . 59 3.7 ImplementationIssues . 61 3.8 Conclusion............................... 61 4 Cryptanalysis of a Class of Cryptographic Hash Functions 65 4.1 Linear checksum variants of Merkle-Damg˚ard . .. 66 viii 4.1.1 GOSTanditsVariants. 66 4.1.2 F-HashHashFunction . 67 4.1.3 3C-GOST-LDesign. 68 4.2 Inapplicability of Known Generic Attack Techniques on GOST-L, F-Hashand3C-GOST-L . 69 4.2.1 2nd-preimageAttack ..................... 69 4.2.2 HerdingAttack ........................ 70 4.3 New Cryptanalytical Techniques . 71 4.3.1 Combining Multi-block Collisions and Multicollisions ... 71 4.3.2 Building 2t 2-block multicollisions on 3C .......... 71 4.3.3 Defeating the Linear Checksum in a 2t 2-block Multicolli- sion on 3C .......................... 72 4.3.4 Building a 2b 1-block Multicollision on GOST-L . 75 4.3.5 Defeating the Linear Checksum in 2b 1-block Multicollision onGOST-L .......................... 76 4.3.6 Defeating the Checksum in 2t Multicollision on F-Hash . 77 4.3.7 Defeating the Linear Checksum in 3C-GOST-L ...... 79 4.4 Generic Attacks on 3C, GOST-L, F-Hash and 3C-GOST-L . 82 4.4.1 Long-message 2nd-preimage Attack on 3C ......... 82 4.4.2 Herding Attack on 3C .................... 85 4.4.3 The Generic Attacks on Better Linear Checksums . 87 4.4.4 Making Meaningful Messages in the Attacks . 88 4.4.5 Some Other Techniques to Perform the Generic Attacks . 88 4.5 Collision Attacks on GOST-L, 3C andF-Hash. 89 4.6 Finding Multiple 2nd preimages for Hash Functions in less than 2t Work.................................. 91 4.6.1 Multi-2nd preimage Attack on the Cascade Constructions . 94 4.7 Conclusion............................... 95 5 Iterated Halving- A New Approach for Hash Function Design 97 5.1 IteratedHalvingStructure . 99 5.2 WorkingdetailsofanIHhashfunction . 102 5.3 Performance and Security of the IH Process . 103 5.4 SecurityAnalysis . .. .. 105 5.5 CRUSH: A Hash Function Proposal based on IH Technique . 108 ix 5.5.1 NotationandDefinitions . 108 5.5.2 WorkingDetailsofCRUSH . 111 5.6 Conclusion............................... 112 6 Improved Cryptanalysis of the CAVE Algorithm 117 6.1 NotationandDefinitions:. 118 6.2 TheCAVEAlgorithmDescription . 121 6.3 PracticalUsageofCAVE. 124 6.4 PropertiesoftheCAVEAlgorithm . 126 6.5 PreviousAnalysisofCAVE . 130 6.5.1 Millan’s Reconstruction Attack on CAVE . 131 6.6 Improved Cryptanalysis of CAVE . 134 6.7 Conclusion............................... 138 7 An Update on MACs based on Hash Functions 141 7.1 A Review of MACs based on Hash Functions . 143 7.1.1 NMAC and HMAC Functions . 150 7.1.2 Analysis of NMAC and HMAC . 152 7.1.3 SummaryoftheReviewonMACs. 154 7.2 Analysis of NMAC using Weaker Assumptions on the Hash Functions156 7.2.1 SecurityAnalysis . 156 7.3 AnEfficientVariantforNMAC . 159 7.3.1 SpecificationofNMAC-1 . 159 7.3.2 PerformanceAspectsofNMAC-1 . 160 7.3.3 Security Analysis of NMAC-1 . 161 7.3.4 Comparison of NMAC-1 with Other Efficient MACs based onHashFunctions . .. 163 7.4 M-NMAC:ANewVariantofNMAC . 166 7.4.1 Security Analysis of M-NMAC . 168 7.5 Pseudorandomness of NMAC and HMAC Functions . 168 7.6 On designing a MAC using a Hash Function with a Single Secret Key .................................. 172 7.6.1 TheO-NMACFunction . 173 7.6.2 AnalysisofO-NMAC. 174 7.6.3 Comparison with NMAC, HMAC and ACSC Constructions 178 x 7.7 Conclusion............................... 179 8 Side-Channel Cryptanalysis of MACs using Hash Functions 183 8.1 Side-channel Attacks on NMAC and HMAC . 185 8.1.1 DPAandReverseDPASettings . 185 8.1.2 Side-channel Attacks on NMAC and HMAC with 12 PGV Schemes ............................ 186 8.2 Side-channel Attacks on M-NMAC . 187 8.2.1 Target Compression Functions in M-NMAC . 187 8.2.2 Key Recovery Attacks on M-NMAC with 12 PGV Schemes 188 8.2.3 Extending Side-channel Analysis on M-NMAC to Forgery Attacks ............................ 190 8.2.4 Comparison with NMAC and HMAC . 190 8.3 Conclusion............................... 191 9 Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce? 195 9.1 Practical and Legal Implication of Collision Attacks on MD5 and SHA-1 ................................. 196 9.1.1 DigitalSignaturesonMessages . 197 9.1.2 Digital Signatures on Digital Certificates .
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Cryptographic Hash Functions and Message Authentication Code
    Cryptographic Hash Functions and Message Authentication Code Thierry Sans Cryptographic hashing H m1 m2 x1 m3 x2 H(m) = x is a hash function if • H is one-way function • m is a message of any length • x is a message digest of a fixed length ➡ H is a lossy compression function necessarily there exists x, m1 and m2 | H(m1) = H(m2) = x Computational complexity m H x • Given H and m, computing x is easy (polynomial or linear) • Given H and x, computing m is hard (exponential) ➡ H is not invertible Preimage resistance and collision resistance m H x PR - Preimage Resistance (a.k.a One Way) ➡ given H and x, hard to find m e.g. password storage 2PR - Second Preimage Resistance (a.k.a Weak Collision Resistance) ➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x e.g. virus identification CR - Collision Resistance (a.k.a Strong Collision Resistance) ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x e.g. digital signatures CR → 2PR and CR → PR Hash functions in practice IV n’ bits n bits n’ bits Common hash functions m H x Name SHA-2 SHA-3 MD5 SHA-1 Variant SHA-224 SHA-256 SHA-384 SHA-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Year 1992 1993 2001 2012 Guido Bertoni, Joan Daemen, Michaël Designer Rivest NSA NSA Peeters, and Gilles Van Assche Input 512 512 512 512 1024 1024 1152 1088 832 576 n bits Output 128 160 224 256 384 512 224 256 384 512 n’ bits Speed 6.8 11.4 15.8 17.7 12.5 cycle/byte Considered Broken yes yes no no How to hash long messages ? Merkle–Damgård construction m split m in blocks of n bits and add padding p n bits m1
    [Show full text]
  • An Advance Visual Model for Animating Behavior of Cryptographic Protocols
    An Advance Visual Model for Animating Behavior of Cryptographic Protocols Mabroka Ali Mayouf Maeref1*, Fatma Alghali2, Khadija Abied2 1 Sebha University, Faculty of Science, Department of Computer Science, P. O. Box 18758 Sebha, Libya, Libyan. 2 Sebha University of Libya, Sebha, Libya. * Corresponding author. Tel.: 00218-925132935; email: [email protected] Manuscript submitted February 13, 2015; accepted July 5, 2015. doi: 10.17706/jcp.10.5.336-346 Abstract: Visual form description benefits from the ability of visualization to provide precise and clear description of object behavior especially if the visual form is extracted from the real world. It provides clear definition of object and the behavior of that object. Although the current descriptions of cryptographic protocol components and operations use a different visual representation, the cryptographic protocols behaviors are not actually reflected. This characteristic is required and included within our proposed visual model. The model uses visual form and scenario-based approach for describing cryptographic protocol behavior and thus increasing the ability to describe more complicated protocol in a simple and easy way. Key words: Animation, cryptographic protocols, interactive tool, visualization. 1. Introduction Cryptographic protocols (CPs) mostly combine both theory and practice [1], [2]. These cause protocol complexity describing and understanding. Therefore, separating the mathematical part from the protocol behavior should provide feeling of how the protocol works, thus increasing the ability to describe and to gain confidence in reflecting more complicated information about CPs, as well as to generate interest to know about other more complex protocol concepts. Several researchers realized the use of visual model and animation techniques to reflect the explanation of the learning objectives and their benefits [3]-[11].
    [Show full text]
  • Grøstl – a SHA-3 Candidate∗
    Grøstl – a SHA-3 candidate∗ http://www.groestl.info Praveen Gauravaram1, Lars R. Knudsen1, Krystian Matusiewicz1, Florian Mendel2, Christian Rechberger2, Martin Schl¨affer2, and Søren S. Thomsen1 1Department of Mathematics, Technical University of Denmark, Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark 2Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria January 15, 2009 Summary Grøstl is a SHA-3 candidate proposal. Grøstl is an iterated hash function with a compression function built from two fixed, large, distinct permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA-family. The two permutations are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function. Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl. Grøstl is a so-called wide-pipe construction where the size of the internal state is signifi- cantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult. Grøstl has good performance on a wide range of platforms, and counter-measures against side-channel attacks are well-understood from similar work on the AES.
    [Show full text]
  • Hello, and Welcome to This Presentation of the STM32MP1 Hash Processor
    Hello, and welcome to this presentation of the STM32MP1 hash processor. 1 Hash peripheral is in charge of efficient computing of message digest. A digest is a fixed-length value computed from an input message. A digest is unique - it is virtually impossible to find two messages with the same digest. The original message cannot be retrieved from its digest. Hash digests and Hash-based Message Authentication Code (HMAC) are widely used in communication since they are used to guarantee the integrity and authentication of a transfer. 2 HASH1 is a secure peripheral (under ETZPC control through ETZPC_DECPROT0 bit 8) while HASH2 is a non secure peripheral. HASH1 instance can be allocated to: • The Arm® Cortex®-A7 secure core to be controlled in OP-TEE by the HASH OP-TEE driver or • The Arm® Cortex® -A7 non-secure core for using in Linux® with Linux Crypto framework HASH2 instance can be allocated to the Arm® Cortex®-M4 core to be controlled in the STM32Cube MPU Package using the STM32Cube HASH driver. HASH1 instance is used as boot device to support binary authentication. 3 The hash processor supports widely used hash functions including Message Digest 5 (MD5), Secure Hash Algorithm SHA-1 and the more recent SHA-2 with its 224- and 256-bit digest length versions. A hash can also be generated with a secrete-key to produce a message authentication code (MAC). The processor supports bit, byte and half-word swapping. It supports also automatic padding of input data for block alignment. The processor can be used in conjunction with the DMA for automatic processor feeding.
    [Show full text]
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS
    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
    [Show full text]
  • (1) Hash Functions (2) MAC MDC OWHF CRHF UOWHF
    Hash functions (1) are secure; they can be reduced to @ @ 2 classes based on linear transfor- @ @ mations of variables. The properties @ of these 12 schemes with respect to @ @ Hash Functions: Past, Present and Future weaknesses of the underlying block @ @ cipher are studied. The same ap- proach can be extended to study keyed hash functions (MACs) based - -63102392168 on block ciphers and hash functions h Bart Preneel based on modular arithmetic. Fi- nally a new attack is presented on a scheme suggested by R. Merkle. Katholieke Universiteit Leuven This slide is now shown at the Asi- acrypt 2005 in the beautiful city of bartDOTpreneel(AT)esatDOTkuleuvenDOTbe Chennai during a presentation on the state of hash functions. http://homes.esat.kuleuven.be/ preneel ∼ 5 December 2005 3 Outline Hash functions (2) Definitions • cryptographic hash function Z Z Applications Z Z • Z Z General Attacks = ZZ~ • MAC MDC Constructions @ @ • @ @ Custom Designed Hash Functions @ • © @R Hash Functions Based on Block Ciphers OWHF ? CRHF • Hash Functions Based on Algebraic Operations UOWHF • Pseudo-randomness • This talk: only MDCs (Manipulation Detection Codes), which are Conclusions often called `hash functions' • 2 4 Informal definitions (1) Informal definitions (3) preimage resistant 2nd preimage resistant 6) take a preimage resistant hash function; add an input bit b and • replace one input bit by the sum modulo 2 of this input bit and b 2nd preimage resistant preimage resistant 6) if h is OWHF, h is 2nd preimage resistant but not preimage • resistant
    [Show full text]
  • MD5 Collisions the Effect on Computer Forensics April 2006
    Paper MD5 Collisions The Effect on Computer Forensics April 2006 ACCESS DATA , ON YOUR RADAR MD5 Collisions: The Impact on Computer Forensics Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties: • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value. • It must be computationally impossible to derive any information about the input message from just the hash. • It must be computationally impossible to find two files to have the same hash. A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash. Birthday Paradox The easiest method explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people one the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day not the same year)? The answer is 183 (i.e.
    [Show full text]
  • FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS
    FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS Cryptographic Module FIPS 140-2 Level 1 Validation Software Version: R7-4.0.0 Date: January 22nd, 2020 Document Version 2.3 © Oracle Corporation This document may be reproduced whole and intact including the Copyright notice. Title: Oracle Linux 7 NSS Cryptographic Module Security Policy Date: January 22nd, 2020 Author: Oracle Security Evaluations – Global Product Security Contributing Authors: Oracle Linux Engineering Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 7 NSS Cryptographic Module Security Policy i TABLE OF CONTENTS Section Title
    [Show full text]
  • The First Collision for Full SHA-1
    The first collision for full SHA-1 Marc Stevens1, Elie Bursztein2, Pierre Karpman1, Ange Albertini2, Yarik Markov2 1 CWI Amsterdam 2 Google Research [email protected] https://shattered.io Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks. Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes. A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack. In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents. We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 263:1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years. As a result while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.
    [Show full text]
  • FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications
    FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications Luca Henzen and Wolfgang Fichtner Integrated Systems Laboratory, ETH Zurich, Switzerland E-mail: {henzen, fw}@iis.ee.ethz.ch Abstract—The forthcoming IEEE 802.3ba Ethernet standard Exploiting the parallelization of four cores plus the extensive will provide data transmission at a bandwidth of 100 Gbit/s. Cur- utilization of pipelining, we were able to design three different rently, the fastest cryptographic primitive approved by the U.S. National Institute for Standard and Technology, that combines 100G AES-GCM implementations for Xilinx Virtex-5 FPGAs. data encryption and authentication, is the Galois/Counter Mode (GCM) of operation. If the feasibility to increase the speed of the II. GCM AUTHENTICATED ENCRYPTION GCM up to 100 Gbit/s on ASIC technologies has already been The GCM is a block cipher mode of operation that is demonstrated, the FPGA implementation of the GCM in secure able to encrypt or decrypt data, providing at the same time 100G Ethernet network systems arises some important structural issues. In this paper, we report on an efficient FPGA architecture authentication and data integrity . In practice, it combines a of the GCM combined with the AES block cipher. With the block cipher in the counter mode with universal hashing over parallelization of four pipelined AES-GCM cores we were able the binary field GF(2128). In this work, we used the Advanced to reach the speed required by the new Ethernet standard. Encryption Standard (AES) [4] for encryption and decryption, Furthermore, the time-critical binary field multiplication of the authentication process relies on four pipelined 2-step Karatsuba- supporting key sizes of 128, 192 and 256bits.
    [Show full text]