Đang tải... (xem toàn văn)
The contents of this chapter include all of the following: Hash functions, cryptographic hash function, hash functions & message authentication, hash functions & digital signatures, other hash function uses, two simple insecure hash functions, attacks on hash functions.
Data Security and Encryption (CSE348) Lecture # 18 Review have considered: Diffie-Hellman key exchange ElGamal cryptography Elliptic Curve cryptography Pseudorandom Number Generation (PRNG) based on Asymmetric Ciphers Chapter 11 – Cryptographic Hash Functions Each of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or row of numbers No efforts on the part of Mungo or any of his experts had been able to break Stern's code, nor was there any clue as to what the preliminary number and those ultimate numbers signified —Talking to Strange Men, Ruth Rendell Hash Functions • A hash function H accepts a variable-length block of data M as input • Produces a fixed-size hash value h = H(M) • A "good" hash function has the property that the results of applying the function to a large set of inputs will produce outputs • That are evenly distributed, and apparently random Hash Functions • In general terms, the principal object of a hash function is data integrity • A change to any bit or bits in M results, with high probability, in a change to the hash code • The kind of hash function needed for security applications is referred to as a cryptographic hash function Hash Functions • A cryptographic hash function is an algorithm for which it is computationally infeasible – because no attack is significantly more efficient than brute force • To find either (a) a data object that maps to a prespecified hash result (the one-way property) • or (b) two data objects that map to the same hash result (the collision-free property) Hash Functions • Because of these characteristics, hash functions are often used to determine whether or not data has changed Hash Functions • Condenses arbitrary message to fixed size h = H(M) • Usually assume hash function is public • Hash used to detect changes to message • Want a cryptographic hash function – computationally infeasible to find data mapping to specific hash (one-way property) – computationally infeasible to find two data to same hash (collision-free property) 10 Secure Hash Algorithm • SHA originally designed by NIST & NSA in 1993 • was revised in 1995 as SHA-1 • US standard for use with DSA signature scheme – standard is FIPS 180-1 1995, also Internet RFC3174 – nb the algorithm is SHA, the standard is SHS • Based on design of MD4 with key differences • Produces 160-bit hash values • Recent 2005 results on security of SHA-1 have raised concerns on its use in future applications 49 Revised Secure Hash Standard • NIST issued revision FIPS 180-2 in 2002 • Adds additional versions of SHA – SHA-256, SHA-384, SHA-512 • Designed for compatibility with increased security provided by the AES cipher • Structure & detail is similar to SHA-1 • Hence analysis should be similar • But security levels are rather higher 50 SHA Versions 51 SHA-512 Compression Function • Heart of the algorithm • Processing message in 1024-bit blocks • Consists of 80 rounds – updating a 512-bit buffer – using a 64-bit value derived from the current message block – and a round constant based on cube root of first 80 prime numbers 52 SHA-3 • As yet, SHA-1 has not yet been "broken“ • That is, no one has demonstrated a technique for producing collisions in less than brute-force time • However, because SHA-1 is very similar in structure • In the basic mathematical operations used to MD5 and SHA-0, both of which have been broken 53 SHA-3 • SHA-2, particularly the 512-bit version, would appear to provide unassailable security • However, SHA-2 shares the same structure and mathematical operations as its predecessors, and this is a cause for concern • Because it will take years to find a suitable replacement for SHA-2, should it become vulnerable 54 SHA-3 • NIST decided to begin the process of developing a new hash standard • Accordingly, NIST announced in 2007 a competition to produce the next generation NIST hash function, to be called SHA-3 • NIST would like to have a new standard in place by the end of 2012, but emphasizes that this is not a fixed timeline 55 SHA-3 • SHA-1 not yet "broken” – but similar to broken MD5 & SHA-0 – so considered insecure • SHA-2 (esp SHA-512) seems secure – shares same structure and mathematical operations as predecessors so have concern • NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function – goal to have in place by 2012 but not fixed 56 SHA-3 Requirements • The basic requirements that must be satisfied by any candidate for SHA-3 are: It must be possible to replace SHA-2 with SHA-3 in any application by a simple drop-in substitution • Therefore, SHA-3 must support hash value lengths of 224, 256, 384, and 512 bits 57 SHA-3 Requirements SHA-3 must preserve the online nature of SHA-2 • That is, the algorithm must process comparatively small blocks (512 or 1024 bits) at a time • Instead of requiring that the entire message be buffered in memory before 58 SHA-3 Requirements • Beyond these basic requirements, NIST has defined a set of evaluation criteria • These criteria are designed to reflect the requirements for the main applications supported by SHA-2, and are: 59 SHA-3 Requirements • Security: The strength of SHA-3 should be close to the theoretical maximum for the different required hash sizes • For both preimage resistance and collision resistance • SHA-3 algorithms must be designed to resist any potentially successful attack on SHA-2 functions 60 SHA-3 Requirements • Cost: be both time and memory efficient over a range of hardware platforms • Algorithm and implementation characteristics: such as flexibility – e.g., tunable parameters for security/performance tradeoffs, opportunity for parallelization, and so on • Simplicity (which makes it easier to analyze the security properties of the algorithm) 61 SHA-3 Requirements • Replace SHA-2 with SHA-3 in any use – so use same hash sizes • Preserve the online nature of SHA-2 – so must process small blocks (512 / 1024 bits) • Evaluation criteria – security close to theoretical max for hash sizes – cost in time & memory – characteristics: such as flexibility & simplicity 62 Summary • have considered: – hash functions • uses, requirements, security – hash functions based on block ciphers – SHA-1, SHA-2, SHA-3 63 ... system • Pseudorandom function (PRF) or pseudorandom number generator (PRNG) 32 Two Simple Insecure Hash Functions • Consider two simple insecure hash functions • bit-by-bit exclusive-OR (XOR) of... in function f 44 Block Ciphers as Hash Functions • Can use block ciphers as hash functions – using H0=0 and zero-pad of final block – compute: Hi = EMi [Hi-1] – and use final block as the hash. .. number and those ultimate numbers signified —Talking to Strange Men, Ruth Rendell Hash Functions • A hash function H accepts a variable-length block of data M as input • Produces a fixed-size hash