hash function

35
1 © Information Security Group, ICU Hash Function

Upload: amal

Post on 23-Jan-2016

55 views

Category:

Documents


0 download

DESCRIPTION

Hash Function. Contents. Hash Functions Dedicated Hash Functions Useful for lightweight authentication in RFID system Message Authentication Codes CBC-MAC Nested MAC Collusion Search Attacks. Hash function. {0,1} d. Compress a binary string with an arbitrary - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Hash Function

1 © Information Security Group, ICU

Hash FunctionHash Function

Page 2: Hash Function

2 © Information Security Group, ICU

Contents

Hash FunctionsDedicated Hash Functions

Useful for lightweight authentication in RFID system

Message Authentication CodesCBC-MACNested MAC

Collusion Search Attacks

Page 3: Hash Function

3 © Information Security Group, ICU

Hash function

Compress a binary string with an arbitrary

length into a fixed short message Used for digital signature, integrity, authentication, etc.

h()

{0,1}d

{0,1}r

hash, hash code/value/result message digest,checksum,MIC,authentication tag, seal,compressiondigital fingerprint, imprint

d > r

Page 4: Hash Function

4 © Information Security Group, ICU

Configuration

original input, x

append padding bits

append length block

compression ft, f

f

g

formatted input x=x1,x2,…,xt

H0=IVHi-1

xi

Hi

hash function, h

output h(x)=g(Ht)

Ht

preprocessing

iterative processing

g : output transformation mapping, e.g., identity mapping

Page 5: Hash Function

5 © Information Security Group, ICU

Requirements

CompressionOne-wayness

Preimage resistance: Given y, it is computationally infeasible to compute x with y=h(x)

Second Preimage resistance: Given x and h(x), it is computationally infeasible to compute x’ with h(x)=h(x’)

Collision-free (Prevent internal misuse): It is computational infeasible to find a pair (x, x’), x x’ s

atisfying h(x)=h(x’).

EfficiencyEasy to compute h(x) for a given x.

Page 6: Hash Function

6 © Information Security Group, ICU

Relationship

Collision resistance (which means collusion can’t be efficiently solved) implies 2nd-preimage resistance

Collision resistance does not guarantee preimage resistanceLet g be a collision resistance hash function to n-bit ou

tputh= 1 || x, if x has bitlength nh= 0 || g(x), otherwiseh is collision resistant with n+1 bit hashnot preimage resistant to find an image easily

Page 7: Hash Function

7 © Information Security Group, ICU

Classification (I)

Keyed hash : MAC (Message Authentication Code)

Unkeyed hash : MDC (Manipulation Detection Code)OWHF(One Way Hash Function)CFHF(Collision-Free Hash Function)

Page 8: Hash Function

8 © Information Security Group, ICU

Classification (II)

MDCDedicated Hash Functions (MD class, SHS, HAVAL)Block Cipher-Based (MDC-2, MDC-4)Modular Arithmetic: MASH-1, MASH-2

MACBlock Cipher-Based (DES-CBC MAC)Hash Function-Based(HMAC)

Page 9: Hash Function

9 © Information Security Group, ICU

Random Oracle Model (ROM)

Model for ideal hash functionH() behave like a random function

If H() is fixed, invalid assumptionWhenever H() is used, we call oracle for the random

function (black box containing random ft.)Good for screening insecure solutionsSecurity under ROM implies to many (not all !)

attackNot a complete proof of security, but a good

argument / evidence of security : vs. standard model

Page 10: Hash Function

10 © Information Security Group, ICU

MAC forgery

Universal forgery : Adversary can find the equivalent algorithm as MAC function

Selective forgery : Adversary can create a pair of new text-MAC.

Existential forgery : Even if adversary can’t adjust the value of text, he can create a pair of new text-MAC.

Page 11: Hash Function

11 © Information Security Group, ICU

Probability that 2 persons have the same birthday among r persons : pr

(Assumption) each birthday is independent and uniform in the range 1 to m.

pr=1-(m)r/mr =1- m!/mr(m-r)!

e-r2/(2m)

where, (m)r = m(m-1)…(m-r+1) If r= m, pr 0.5 e.g., m=365, r=23, pr>0.5 n-bit hash function will collide with probability 0.5 aft

er (2n) times operation

Birthday Paradox

Page 12: Hash Function

12 © Information Security Group, ICU

Design CriteriaAll input value must affect to compute the hashed

value.

(Ex) Crytanalysis of Snefru No trapdoorThe length of hashed value must be greater than

128 bit guarantee breaking complexity 264 by brute force attack. 1 month with 10M $ machine in ‘94 Expected cost today : less than 100,000$

Maximum error propagation from input to output.

Page 13: Hash Function

13 © Information Security Group, ICU

Merkle-Damgard Construction Extend Compression ft to Hash ft so that the

resulting hash ft to be collusion resistant if compression does.

H0=IV, Hi=f(Hi-1,xi), 1it, h(x)=Ht

f ffH0

x1 x2 xtpadding

hashed code

f : h’s primitive hash function (a compression function)Hi : connection variable from i-1 to I

Page 14: Hash Function

14 © Information Security Group, ICU

Hash ft (MDC) by block cipher

Matyas-Meyer-Oseas Davies-Meyer Miyaguchi-Preneel

Eg

Hi

Hi-1

xi

H0=IVHi=Eg(Hi-1)(xi ) xi

E

Hi

xi

Hi-1

H0=IVHi=Ex

i(Hi-1 ) Hi-1

EgHi-1

xi

Hi

H0=IVHi=Eg(Hi-1)(xi ) xi Hi-1

Page 15: Hash Function

15 © Information Security Group, ICU

Comparison

Yield m-bit hash using n-bit block cipher with k-bit keyAll of them are secure assuming a block cipher

satisfies required randomness properties

Hash Function (n,k,m) Rate (k/m)Matyas-Meyer-Oseas (n,k,n) 1

Davis-Meyer (n,k,n) k/nMiyaguchi-Preneel (n,k,n) 1

MDC-2 (w/DES) (64,56,128) ½

MDC-4(w/DES) (64,56,128) 1/4

Page 16: Hash Function

16 © Information Security Group, ICU

Hash by modular operation

MASH: Modular Arithmetic Secure Hash algorithm

Weakness: Efficiency (and Insecurity)

Quadratic CongruentialHi = (xi + Hi-1)2 mod N, H0=0

where N=Mersenne prime 231-1

Hi = (xi Hi-1)2 mod N xi

Hi = (xi Hi-1)e mod N

Page 17: Hash Function

17 © Information Security Group, ICU

Dedicated Hash FunctionsDedicated Hash Functions

Page 18: Hash Function

18 © Information Security Group, ICU

Round 1 in MD4

1. A=(A+f(B,C,D)+X[0])<<<3

2. D=(D+f(A,B,C)+X[1])<<<7

3. C=(C+f(D,A,B)+X[2])<<<11

4. B=(B+f(C,D,A)+X[3])<<<19

5. A=(A+f(B,C,D)+X[5])<<< 3

.

.

16. B=(B+f(C,D,A)+X[15])<<<19

where, f(X,Y,Z) = (X Y) ((X) Z) , : OR, : AND,

:complement, <<<s : circular left rotate by s

Page 19: Hash Function

19 © Information Security Group, ICU

MD4(I)

Preprocessing a message, x

1. Padding: d =(447 -|x|) mod 512

2. Length of a message: n= |x| mod 264,|n|=64 bit

3. M = x ||1||0d||n multiple of 512

where || denotes concatenation

* little-endian : W=224B4+216B3+28B2+B1

(B1: lowest address)

Page 20: Hash Function

20 © Information Security Group, ICU

MD4(II)

Message Block

Round

1

ABCD

ABCD

Round

2Round

3

Page 21: Hash Function

21 © Information Security Group, ICU

MD4(III)

1. Preprocess: M is 512 * N bits (512 bits=16 words)

2. Define 32 bits constants: A=67452301h, B=efcdab89h, C=98badcfeh, D=10325476h

3. for i=0 to N/16 -1 do (N mod 16=0)

3-1 for j=0 to 15 do X[j] =M[16i+j] (M[i] : 32 bit string)

3-2 AA=A, BB=B, CC=C, DD=D

3-3 Round 1(for j=0..15), Round 2(for j=16..31),

Round 3(j=32..47)

3-4 A=A+AA, B=B+BB, C=C+CC, D=D+DD

where + is modular addition over 232.

4. output A||B||C||D||

Page 22: Hash Function

22 © Information Security Group, ICU

MD5(I)

Add 4-th rounds (16 steps)Change g function in 2 round from symmetric ft

(XY) v (XZ) v (YZ) to non-symmetric ft (XZ) v (Y(Z))

Modify the access order for message words in Rounds 2 and 3

Modify the shift amountsUse unique constants in each of the 416 stepsEach step is added to the output of a previous step

to achieve avalanche effect as earlier as possible.

Page 23: Hash Function

23 © Information Security Group, ICU

MD5(II)

Round

2

ABCD

ABCD

Message Block

Round

1

Round

3

Round

4

Page 24: Hash Function

24 © Information Security Group, ICU

MD5’s primitive ft

a

b

c

d

nonlinearoperation

<<<s

Mj

ti

FF(a,b,c,d,Mj,ti,s)

Page 25: Hash Function

25 © Information Security Group, ICU

SHA-1(I)

nonlinearoperation

FF(a,b,c,d,Mj,ti,s)

ai-1

bi-1

ci-1

di-1

ei-1

<<<30

ai

bi

ci

di

ei

W t Kt

<<<5

Page 26: Hash Function

26 © Information Security Group, ICU

SHA-1(II)

160 bit hashed value (5 words), Big-endian 4 round hash, each round has 20 step Change internal primitive ft and constants

(B C) v ((B) D) 0 ≤ t ≤19

Ft(B,C,D) = B C D 20 ≤t ≤39

(B C) v ((B) D) 40 ≤t ≤59

B C D 60 ≤t ≤79

Secure Hash Standard(SHS), FIPS Pub 180-1, 1995.

For details, refer to p.138 of your textbook

Page 27: Hash Function

27 © Information Security Group, ICU

Performance

Algorithm Length Speed (Kb/s)

Davies-Meyer with DESHAVAL (3 pass)HAVAL (4 pass)HAVAL (5 pass)MD2MD4MD5N-Hash(12 round)N-Hash(15 round)RIPEMDSHA-1

64variablevariablevariable128128128128128128160

91681189523

2361742924

18275

486SX(33MHZ)

Page 28: Hash Function

28 © Information Security Group, ICU

HMAC

Nested MAC algorithm from the composition of two (keyed) hash family

The Keyed-Hash Message Authentication Code (HMAC), FIPS Pub 198, 2002

HMACk(x) = SHA-1[(K opad) || SHA-1((K ipad) || x)]

where ipad = 3636 …. 36, opad = 5C5C … 5C

K : 512 bit key

x: message to be authenticated Secure against unknown-key collusion attack

Page 29: Hash Function

29 © Information Security Group, ICU

Dedicated Hash Functions

SHS: Secure Hash Standard RIPE: Race Integrity Primitive Evaluation

Name Designer Year Bit Characteristics Security

MD4Rivest

(US)1990 128

- 32 bit Op., 3 R

- Boolean ft of deg 4

Collision(‘95)

(220 Oper)

MD5Rivest

(US)1991 128

- Modified MD4

- 4 rounds

Primitive Ft

Collision(’96)

SHA-1 NIST 1993 160- Modified MD4

- Federal StandardCollusion

Search(‘05)

HAVALSeberry et. al

(Australia)1992

Var.(128~256)

- Exp. of MD5(3,4,5R)

- Boolean ft of deg 7

Collusion Search of HAVAL-128(‘05)

RIPEMD-160

RIPE

(Europe)1997 160

- Modified MD4

- Indep. 2 ftCollusion

Search(‘05)

HAS-160 KISA(Korea) 1998 160 -

Page 30: Hash Function

30 © Information Security Group, ICU

Collusion Search AttackCollusion Search Attack

Page 31: Hash Function

31 © Information Security Group, ICU

Previous Work on SHA-0/1

Chaubaud and Joux [Cr98]SHA-0, 261, local collision and disturbance vector

Biham and Chen [Cr04]Near collision attack on SHA-0, 240

Biham, Joux and Chen [Cr04 rump, EC05]First real collision on SHA-0 (4 message blocks) foun

dCollision attack on SHA-1 reduces to 50+ steps

Rijmen and Osward [RSA-CT05]Collision attack on SHA-1 reduces to 53 steps.

Page 32: Hash Function

32 © Information Security Group, ICU

Publications

X. Wang, Y.L. Yin and H.Yu, “Finding Collusions in the Full SHA-1”, Proc. of Crypto2005, pp.17-36, LNCS3621

X. Wang, H.Yu and Y.L. Yin, “Efficient Collusions Search Attacks on SHA-0”, Proc. of Crypto2005, pp.1-16, LNCS3621

X.Y.Wang, D.G.Feng, X.J.Lai and H.B. Yu, “Collusions for hash Functions MD4, MD5, HAVAL-128 and RIPEND”, IACR eprint, 2004/199 and Crypto2005 Rump Session

Page 33: Hash Function

33 © Information Security Group, ICU

Flow of Collusion Search

1. Find disturbance vector with low Hamming weights (difference for subtractions mod 232)

2. Construct differential paths by specifying conditions so that the differential path will occur with high probabilities.

3. Generate a message randomly, modify it using message modification techniques, and find a collusion

Page 34: Hash Function

34 © Information Security Group, ICU

Summary

Complexity of best known attack of MD4 : 26, MD5 : 233, SHA-0: 239, SHA-1: 269

More complex message preprocessing can provide more security But SHA-1, message expansion does not seem to have enough

avalanche effect All step functions have unexpected weakness Addition and Boolean function can faciliate the attack

More analysis is needed for SHA-256, -384, -512 which was defined in Secure Hash Standard (SHS), FIPS 180-2, 2002, Aug

Page 35: Hash Function

35 © Information Security Group, ICU

Example and HW

Message collusion of 58 steps SHA-1

Verification: DIY !!