Hash Functions
CSC 482/582: Computer Security
Topics
1. Hash Functions 2. Applications of Hash Functions 3. Secure Hash Functions 4. Collision Attacks 5. Pre-Image Attacks 6. Current Hash Security 7. SHA-3 Competition 8. HMAC: Keyed Hash Functions
CSC 482/582: Computer Security
Hash (Checksum) Functions Hash Function h: M MD Input M: variable length message M Output MD: fixed length “Message Digest” of input Many inputs produce same output. Limited number of outputs; infinite number of inputs Avalanche effect: small input change -> big output change Example Hash Function Sum 32-bit words of message mod 232
M MD=h(M) h
CSC 482/582: Computer Security
1 Hash Function: ASCII Parity
ASCII parity bit is a 1-bit hash function ASCII has 7 bits; 8th bit is for “parity” Even parity: even number of 1 bits Odd parity: odd number of 1 bits Bob receives “10111101” as bits. Sender is using even parity; 6 1 bits, so character was received correctly Note: could have been garbled, but 2 bits would need to have been changed to preserve parity Sender is using odd parity; even number of 1 bits, so character was not received correctly
CSC 482/582: Computer Security
Applications of Hash Functions
Verifying file integrity How do you know that a file you downloaded was not corrupted during download? Storing passwords To avoid compromise of all passwords by an attacker who has gained admin access, store hash of passwords Digital signatures Cryptographic verification that data was downloaded from the intended source and not modified. Used for operating system patches and packages.
CSC 482/582: Computer Security
Secure Checksum Definition A function h: A B that has following 3 properties: 1. Efficiency. For any x IN A, h(x) is easy to compute. 2. Pre-image Resistance. For any y IN B, it is computationally infeasible to find x IN A such that h(x) = y. 3. Collision Resistance. It is computationally infeasible to find x, x´ IN A such that x ≠ x´ and h(x) = h(x´).
CSC 482/582: Computer Security
2 Checksum Examples
Insecure Checksums Cyclic Redundancy Check (CRC) Used as checksum in IP headers Luhn checksum for credit card numbers Secure Checksums MD4 (128 bits) MD5 (128 bits) SHA1 (160 bits) SHA2 (224, 256, 384, or 512 bits) Tiger (192 bits)
CSC 482/582: Computer Security
Checksum Value Examples
Hashing “Cryptography”: http://www.fileformat.info/tool/hash.htm MD5 (128-bit) 64ef07ce3e4b420c334227eecb3b3f4c SHA1 (160-bit) b804ec5a0d83d19d8db908572f51196505d09f98 SHA2 (256-bit) b584eec728548aced5a66c0267dd520a00871b5e7b735b2d8202f86719f61857 Hashing “Cryptography1”: MD5 (128-bit) 443d4fb1fedeb86b69582169c2719c24 SHA1 (160-bit) 838498e48147106062a64c523ddfe11bd07a5eac SHA2 (256-bit) f276b8ca2cf6591aad7d046b537b4add2b3ed5d6140aaf1c3e7a453b71bcc073
CSC 482/582: Computer Security
Attacks against Checksums Collision Attacks
Attacker finds two messages m1 and m2 such that h(m1) = h(m2) Ex: Attackers create two documents, such as SSL certificates, with the same checksum, allowing one to be substituted for the other without detection. Pre-Image Attacks Given a hash value v, attacker finds message m such that h(m) = v Ex: Attacker uses checksum of SSL certificate to create another SSL certificate with same checksum, allowing attacker to replace existing certificate w/o detection.
CSC 482/582: Computer Security
3 One-Way Functions Yield Pre-Image Resistance
One-way function f is easy to compute, hard to reverse Given x, easy to calculate f(x). Given f(x), hard to compute x.
What’s easy and what’s hard? easy: polynomial time hard: exponential time Are there any one-way functions?
CSC 482/582: Computer Security
Hash Collisions If x ≠ x´ and h(x) = h(x´), x and x´ collide. Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it. Application: suppose n = 5 and k = 3. Then there are 32 elements of A and 8 elements of B, so at least one element of B has at least 4 corresponding elements of A. For an n-bit hash, there are 2n possible hash values Chance of finding a collision is 1 in 2n/2 Ex: for 160-bit SHA-1, you would expect to find one pair of identical hash values if you hashed 280 random messages A hash is not collision resistant if an attack enables a collision to be found with less than 2n/2 tries
CSC 482/582: Computer Security
Current State of Hash Functions MD5 collision attacks Can generate a pair of different executables or documents with same checksum within minutes. SHA-1 collision attacks Effort required is 263 instead of 280. What’s the impact? Attacker could create two documents. Document A requires payment of $500. Document B requires payment of $50,000. Digital signatures sign MAC, not document. Both documents have same MAC. Use SHA-2 functions of at least 256 bits for now.
CSC 482/582: Computer Security
4 National Institute of SHA-3 Competition Standards & Technology
NIST sponsored competition similar to AES Initial submissions Oct 31, 2008 14 second round candidates announced July 24, 2009
Winner to be announced in 2012 http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
CSC 482/582: Computer Security
Keyed Hash Function Hash function + secret key Why? Authentication How? Symmetric encryption algorithm Use last 64 bits of DES in CBC mode. HMAC algorithm Incorporate key into a keyless hash algorithm. Created to avoid export restrictions on encryption algorithms.
CSC 482/582: Computer Security
HMAC
HMAC = Hash Function + Key Inputs: h: keyless cryptographic checksum function that takes data in blocks of b bytes and outputs blocks of l bytes. k: cryptographic key. k´: k modified to be of length b. If short, pad with 0 bytes. If long, hash to length b.
CSC 482/582: Computer Security
5 HMAC HMAC-h(k, m) = h(k´ opad || h(k´ ipad || m)) exclusive or || concatenation ipad is 00110110 repeated b times. opad is 01011100 repeated b times. Security depends on security of hash function h.
CSC 482/582: Computer Security
Key Points 1. One-Way Hash Functions 1. Mathematical definition 2. Applications 2. Checksum attacks 1. Collision attacks 2. Pre-image attacks 3. Checksum types 1. Regular: CRC, Luhn 2. Cryptographic: MD5, SHA-1, SHA-2 4. Current state 1. Currently widely used hashes (MD5,SHA-1) broken 2. Use SHA-2 with 256 or more bits for now 3. SHA-3 competition to produce alternative by 2012 5. Keyed hash functions with HMAC
CSC 482/582: Computer Security
References
1. Matt Bishop, Introduction to Computer Security, Addison- Wesley, 2005. 2. Steven Friedl, “An Illustrated Guide to Cryptographic Hashes,” http://www.unixwiz.net/techtips/iguide-crypto-hashes.html 3. Alfred J. Menezes, Paul C. van Oorschotand Scott A. Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996. 4. NIST, Cryptographic Hash Algorithm Competition, http://csrc.nist.gov/groups/ST/hash/sha-3/index.html 5. NIST, FIPS-198a, “The Keyed-Hash Message Authentication Code (HMAC)”, http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf 6. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. 7. Peter Selinger, MD5 Collision Demo, http://www.mscs.dal.ca/~selinger/md5collision/
CSC 482/582: Computer Security
6