
Hash function and Data Integrity



Document information

Number of pages: 35
File size: 338.43 KB

Content

Data Integrity
• Data integrity: data are intact during the period of storage or transmission
• Two possibilities of losing data integrity:
  – an error occurs during transmission or storage
  – data are modified by an attacker during storage or transmission
• Solutions to them
  – error detection/correction, such as CRC (Cyclic Redundancy Code) in every IP packet
  – hash function, message digest, or message authentication code (MAC)

Types of Functions in Cryptography
• One-way function
• Trapdoor one-way function
• Hash function

One-way function
• A one-way function is a function $y = f(x)$ such that:
  – Knowing x, it is easy to compute y, i.e., $f(x)$ is easy to compute
  – Knowing y, it is very difficult to compute x, i.e., the inverse $f^{-1}$ is very difficult to compute
• Where to use?
  – User passwords are stored after passing through a one-way function

Example - DLP (Discrete Logarithm Problem)
• $X = \mathbb{Z}_p^*$, p is a prime and $\alpha \in \mathbb{Z}_p^*$ is a generator
• $f(x) = \alpha^x \bmod p$
• Given x, it is easy to compute f(x), but given f(x), it is difficult to find x
• Ex: $p = 17$, $X = \{1, 2, \dots, 16\}$, $\alpha = 3$, $f(x) = 3^x \bmod 17$

Example
• $p = 2^{64} - 59$, $f(x) = x^{2^{24}+17} + a_1 x^{2^{24}+3} + a_2 x^3 + a_3 x^2 + a_4 x + a_5 \bmod p$, where $a_1, \dots, a_5$ are arbitrary 19-digit integers

Trap-door one-way function
• Definition
  – One-way function
  – But if you know the trap-door, i.e., a specific secret value, then the inverse of the function becomes easy
• Where to use:
  – Public-key systems

Example
• $n = pq = 2624653723$, $p = 48611$, $q = 53993$ are primes, $X = \{1, 2, \dots, n - 1\}$, $f(x) = x^3 \bmod n$
• In RSA, $e_K(x) = x^b \bmod n$ is a one-way trap-door function; its inverse $d_K(y) = y^a \bmod n$ is difficult to compute unless you know the trap-door a

Hash function

Iterated Hash Functions
• Steps:
  – Preprocessing
  – Processing
  – Output transformation

Typical hash functions
• MD4, MD5
• SHA (Secure Hash Algorithm), SHA-1

Secure Hash Algorithm (SHA)
• f functions: f0, f1, …, f79
• Global constants: k0, k1, …, k79
• Divide message x into n blocks of length 512
• Initial values H0, H1, H2, H3, H4, each 32 bits
• Repeat to compute new H0, H1, H2, H3, H4 for each block
• Return H0 || H1 || H2 || H3 || H4
• 160-bit message digest

History of SHA
• MD4 (1990), MD5 (1992), SHA (1993)
• Collisions in the compression functions of MD4 and MD5 were discovered in the mid-1990s
• A collision for SHA-0 was actually found by Joux and reported at CRYPTO 2004
• Three new hash functions, which are known as SHA-256, SHA-384 and SHA-512

Message Authentication Code (MAC)
• Since the hash function is public, an unkeyed hash value is not secure
• Combine secret key information into the hash function, called MAC
• Two ways:
  – Incorporate a secret key into an unkeyed hash function
    • Add the key at the beginning of the message (problem?)
    • Add the key to the end
  – Keyed hash function
    • E.g., CBC-MAC (DES CBC mode)

Where to add key
• At the beginning: from M and Key, H(Key+M); with M' appended, H(Key+M+M')
  – When H(H(Key+M)+M') = H(Key+M+M')
• To the end: from M and key, H(M+key)
  – Generally, H(M'+H(M+Key)) ≠ H(M'+M+Key)

CBC-MAC

The end

MD5
• Fixed length of 128-bit message digest represented as four 32-bit words (e.g., A, B, C, D)
• A message is divided into 512-bit message blocks with possible padding in the last block
• Each round contains sixteen operations
• A message block is further divided into sixteen 32-bit words (e.g., M1 ~ M16); 512 = 16 * 32
• F is a round-dependent function
• Ki (indexed from ~ 64) is a constant
• Example of one operation within a round [1]

[1] http://en.wikipedia.org/wiki/Md5
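
The identity on the "Where to add key" slide, H(H(Key+M)+M') = H(Key+M+M'), checked on a toy iterated hash. This is an added example, not part of the original slides: `toy_hash`, `prefix_mac`, `suffix_mac`, `continue_from` and the sample values are assumptions made for illustration, and HMAC-SHA256 from the Python standard library is brought in as the keyed construction to compare against.

```python
import hashlib
import hmac

BLOCK = 64       # bytes per block: the 512-bit blocks from the slides
IV = bytes(32)   # constructed initial chaining value for the toy hash

def toy_hash(data: bytes, state: bytes = IV) -> bytes:
    """Toy iterated hash: fold 512-bit blocks into a chaining value.
    No padding or output transformation, so digest == final state."""
    if len(data) % BLOCK:
        raise ValueError("toy_hash expects whole 512-bit blocks")
    for i in range(0, len(data), BLOCK):
        state = hashlib.sha256(state + data[i:i + BLOCK]).digest()
    return state

def prefix_mac(key: bytes, msg: bytes) -> bytes:
    return toy_hash(key + msg)              # H(Key+M)

def suffix_mac(key: bytes, msg: bytes) -> bytes:
    return toy_hash(msg + key)              # H(M+Key)

def continue_from(tag: bytes, extra: bytes) -> bytes:
    """Resume the iteration from a published tag; no key is needed."""
    return toy_hash(extra, state=tag)

def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)  # constant-time compare

def tag_extends(mac, key: bytes, msg: bytes, extra: bytes) -> bool:
    """True if the tag on msg alone yields a valid tag on msg+extra."""
    return continue_from(mac(key, msg), extra) == mac(key, msg + extra)

# Constructed sample values, padded to whole blocks for the toy hash.
KEY = b"k" * BLOCK
M = b"amount=100;to=alice".ljust(BLOCK, b".")
M_EXTRA = b";note=appended".ljust(BLOCK, b".")

if __name__ == "__main__":
    for name, mac in [("H(Key+M)", prefix_mac), ("H(M+Key)", suffix_mac),
                      ("HMAC-SHA256", hmac_tag)]:
        print(f"{name:12} tag extends to M+M': {tag_extends(mac, KEY, M, M_EXTRA)}")
```

Only the key-at-the-beginning form reports that a tag on M extends to M+M'. The key-at-the-end form passes this check but still inherits any collision weakness of H, so the HMAC row is the one to deploy.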

Date posted: 20/12/2017, 08:49
