7/17/2019 CNS Unit 3

1/38

Unit 3

2/38

Introduction

A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).

A good hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random.

In general terms, the principal object of a hash function is data integrity. A change to any bit or bits in M results, with high probability, in a change to the hash code.

The kind of hash function needed for security applications is referred to as a cryptographic hash function.

A cryptographic hash function is an algorithm for which it is computationally infeasible to find either a data object that maps to a pre-specified hash result (the one-way property) or two data objects that map to the same hash result (the collision-free property).

Because of these characteristics, hash functions are often used to determine whether or not data has changed.

3/38

Cryptographic Hash Function

4/38

APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS

The cryptographic hash function is used in a wide variety of security applications and Internet protocols. The range of applications in which it is employed is as follows:

1. Message authentication
2. Digital signatures
3. Creating a one-way password file
4. Intrusion detection and virus detection
5. Pseudorandom function (PRF) or pseudorandom number generator (PRNG)

5/38

Authentication

6/38

Message authentication is a mechanism or service used to verify the integrity of a message, by assuring that the data received are exactly as sent.

The figure illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:

a. The message plus concatenated hash code is encrypted using symmetric encryption. Since only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication.

b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications not requiring confidentiality.

7/38

c. Shows the use of a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.

d. Confidentiality can be added to the approach of (c) by encrypting the entire message plus the hash code.

When confidentiality is not required, method (b) has an advantage over methods (a) and (d), which encrypt the entire message, in that less computation is required.
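Method (c) as a small working exchange between A and B, added here as an example (not code from the slides). The message text, the shared secret S and the `send`/`receive`/`tamper` helper names are constructed for the demonstration; SHA-256 stands in for the unspecified hash function H.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output length in bytes


def tag(message, secret):
    """Method (c) on the slide: the hash over the concatenation of M and the shared secret S."""
    return hashlib.sha256(message + secret).digest()


def send(message, secret):
    """A appends H(M || S) to M. Only M and the tag travel; S itself is never sent."""
    return message + tag(message, secret)


def receive(packet, secret):
    """B recomputes H(M || S) and compares. Returns M if it verifies, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    message, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # compare_digest runs in constant time, so timing does not reveal how many bytes matched
    if not hmac.compare_digest(received, tag(message, secret)):
        return None
    return message


def tamper(packet, old, new):
    """Model an opponent who edits the intercepted message but cannot recompute the tag."""
    return packet[:-TAG_LEN].replace(old, new) + packet[-TAG_LEN:]


def demo():
    """Constructed exchange: a genuine packet, a modified one, and a check with the wrong S."""
    secret = b"constructed shared secret S"  # in practice a random key known only to A and B
    packet = send(b"transfer 100 to account 42", secret)
    return {
        "genuine": receive(packet, secret),
        "modified": receive(tamper(packet, b"100", b"900"), secret),
        "wrong_secret": receive(packet, b"some other secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine packet verifies; the edited packet and a receiver without S both get `None`. In practice the standard keyed-hash construction is HMAC (RFC 2104), available in Python's `hmac` module; the plain H(M || S) form is kept here because it is the one the slide describes.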

8/38

Hash Functions & Digital Signatures

Another important application, which is similar to the message authentication application, is the digital signature.

The operation of the digital signature is similar to that of the MAC. In the case of the digital signature, the hash value of a message is encrypted with a user


10/38

Other Hash Function Uses

To create a one-way password file: a hash of a password is stored by an operating system rather than the password itself. Thus, the actual password is not retrievable by a hacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification. This approach to password protection is used by most operating systems.

For intrusion detection and virus detection (keep and check hashes of the files on a system): hash functions can be used for intrusion detection and virus detection. Store H(F) for each file on a system and secure the hash values (e.g., on a CD-R that is kept secure). One can later determine if a file has been modified by recomputing H(F). An intruder would need to change F without changing H(F).

Pseudorandom function (PRF) or pseudorandom number generator (PRNG): a cryptographic hash function can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG). A common application for a hash-based PRF is the generation of symmetric keys.
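The intrusion-detection use above (store H(F) for every file, recompute later, report differences) as a runnable baseline-and-compare tool. This is an added example, not code from the slides: the directory tree, file names and contents are constructed inside `demo` in a temporary directory, and SHA-256 stands in for H.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root):
    """Record H(F) for every file under root, keyed by path relative to root."""
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            key = os.path.relpath(path, root).replace(os.sep, "/")
            table[key] = hash_file(path)
    return table


def compare(stored, current):
    """Check a fresh scan against the stored baseline: modified, added and removed files."""
    return {
        "modified": sorted(p for p in stored if p in current and stored[p] != current[p]),
        "added": sorted(p for p in current if p not in stored),
        "removed": sorted(p for p in stored if p not in current),
    }


def write(root, rel, body):
    """Create (or overwrite) a constructed file below root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)


def demo():
    """Constructed scenario in a temporary tree: one file altered, one added, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"ls version 1")
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh")
        write(root, "etc/hosts", b"127.0.0.1 localhost")
        stored = baseline(root)  # the slide keeps this copy on secured, read-only media
        write(root, "bin/ls", b"ls version 1 with an unexpected change")
        write(root, "bin/sh", b"a new file")
        os.remove(os.path.join(root, "etc/hosts"))
        return compare(stored, baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the intruder cannot rewrite it (the slide's secured CD-R), since the check is only as trustworthy as the stored hashes.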

11/38

Two Simple Insecure Hash Functions

Consider two simple insecure hash functions:

Bit-by-bit exclusive-OR (XOR) of every block:

    C_i = b_i1 XOR b_i2 XOR ... XOR b_im

where C_i is the ith bit of the hash code, m is the number of blocks in the input and b_ij is the ith bit of the jth block. This is a longitudinal redundancy check, and is reasonably effective as a data integrity check.

One-bit circular shift on the hash value: for each successive n-bit block, rotate the current hash value to the left by 1 bit and XOR in the block. This is good for data integrity but useless for security.
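Both toy hashes from this slide, implemented on 32-bit blocks, together with a demonstration of why the slide calls them useless for security: each is linear in its input blocks, so a final block can always be chosen to force any desired output. This is an added example, not code from the slides; the block size, the `forge_suffix` helper and the sample inputs are constructed.

```python
def _blocks(data, block_size):
    """Split data into block_size-byte integers, zero-padding the last block."""
    for i in range(0, len(data), block_size):
        yield int.from_bytes(data[i:i + block_size].ljust(block_size, b"\x00"), "big")


def xor_hash(data, block_size=4):
    """Bit-by-bit XOR of every block (a longitudinal redundancy check)."""
    h = 0
    for block in _blocks(data, block_size):
        h ^= block
    return h.to_bytes(block_size, "big")


def rotxor_hash(data, block_size=4):
    """Rotate the running value left by one bit, then XOR in the next block."""
    n = block_size * 8
    h = 0
    for block in _blocks(data, block_size):
        h = ((h << 1) | (h >> (n - 1))) & ((1 << n) - 1)
        h ^= block
    return h.to_bytes(block_size, "big")


def forge_suffix(prefix, target, rotate=False, block_size=4):
    """Append one block to prefix so that the chosen toy hash of the result equals target.

    Both hashes are linear in their blocks, so the last block can cancel the running
    value and leave the desired output: an attacker-chosen second preimage costs one
    XOR. A data-integrity check against accidental corruption does not need to resist
    this; a security check does, which is the distinction the slide draws.
    """
    if len(prefix) % block_size:
        raise ValueError("prefix must be block aligned")
    n = block_size * 8
    h = int.from_bytes((rotxor_hash if rotate else xor_hash)(prefix), "big")
    if rotate:  # the final block is XORed after one more rotation of the running value
        h = ((h << 1) | (h >> (n - 1))) & ((1 << n) - 1)
    last = h ^ int.from_bytes(target, "big")
    return prefix + last.to_bytes(block_size, "big")


if __name__ == "__main__":
    # XOR cannot even tell block order apart; the rotated version can, but is no safer.
    print(xor_hash(b"ABCDEFGH") == xor_hash(b"EFGHABCD"))
    print(rotxor_hash(forge_suffix(b"hello wo", b"\xde\xad\xbe\xef", rotate=True)))
```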

12/38

REQUIREMENTS AND SECURITY

The table lists the generally accepted requirements for a cryptographic hash function.

The first three properties are requirements for the practical application of a hash function.

The fourth property, preimage resistant (for a hash value h = H(x), we say that x is the preimage of h), is the one-way property: it is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important if the authentication technique involves the use of a secret value.

The fifth property, second preimage resistant, guarantees that it is impossible to find an alternative message with the same hash value as a given message. This prevents forgery when an encrypted hash code is used.

A hash function that satisfies the first five properties in the table is referred to as a weak hash function.

If the sixth property, collision resistant, is also satisfied, then it is referred to as a strong hash function. A strong hash function protects against an attack in which one party generates a message for another party to sign.

The final requirement, pseudorandomness, has not traditionally been listed as a requirement of cryptographic hash functions, but is more or less implied.

13/38

Hash Function Requirements

14/38

Attacks on Hash Functions

As with encryption algorithms, there are two categories of attacks on hash functions: brute-force attacks and cryptanalysis.

A brute-force attack does not depend on the specific algorithm but depends only on bit length. In the case of a hash function, a brute-force attack depends only on the bit length of the hash value.

Cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic algorithm.

15/38

Brute-force attacks

PREIMAGE AND SECOND PREIMAGE ATTACKS: For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y) is equal to a given hash value h.

The brute-force method is to pick values of y at random and try each value until a collision occurs.

For an m-bit hash value, the level of effort is proportional to 2^m. Specifically, the adversary would have to try, on average, 2^(m-1) values of y to find one that generates a given hash value.

16/38

COLLISION RESISTANT ATTACKS: For a collision resistant attack, an adversary wishes to find two messages or data blocks, x and y, that yield the same hash value, H(x) = H(y).

The effort required is explained by a mathematical result referred to as the birthday paradox.

In essence, if we choose random variables from a uniform distribution in the range 0 through N-1, then the probability that a repeated element is encountered exceeds 0.5 after sqrt(N) choices have been made. Thus, for an m-bit hash value, if we pick data blocks at random, we can expect to find two data blocks with the same hash value within sqrt(2^m) = 2^(m/2) choices.

17/38

Strategy to exploit the birthday paradox in a collision resistant attack:

The source, A, is prepared to sign a legitimate message x by appending the appropriate m-bit hash code and encrypting that hash code with A's private key.

The opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and saves them.

The opponent generates 2^(m/2) variations y' of a desired fraudulent message y.

The two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox).

The opponent has the user sign the valid message, then substitutes the forgery, which will have a valid signature.

The generation of many variations that convey the same meaning is not difficult.


19/38

To summarize, for a hash code of length m, the level of effort required, as we have seen, is proportional to the following:

    Preimage resistant          2^m
    Second preimage resistant   2^m
    Collision resistant         2^(m/2)

The conclusion is that a larger MAC/hash needs to be used.
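The work factors summarized above (slides 15 to 19) can be measured directly on a deliberately short hash. The example below is added here, not part of the slides: it truncates SHA-256 to m bits (a constructed stand-in for an m-bit hash), counts how many constructed messages `msg-0`, `msg-1`, ... it takes to hit a collision at m = 24 (expected around 2^12), and how many tries a brute-force preimage needs at m = 16 (expected around 2^15). The function names and the search limits are assumptions for the demonstration.

```python
import hashlib


def short_hash(data, m):
    """An m-bit hash for experiments: SHA-256 truncated to its top m bits (1 <= m <= 256)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - m)


def find_collision(m, limit):
    """Hash the constructed messages msg-0, msg-1, ... until two share an m-bit hash.

    Returns (trials, first_message, second_message), or None if limit is reached.
    The birthday paradox predicts success after about 2^(m/2) trials, because every
    new value is compared against all the values already seen.
    """
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()
        h = short_hash(msg, m)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


def find_preimage(target, m, limit):
    """Brute-force preimage search: try pre-0, pre-1, ... until the m-bit hash equals target.

    Returns (trials, message) or None. Each try only succeeds with probability 2^-m,
    so on average about 2^(m-1) trials are needed.
    """
    for i in range(limit):
        msg = f"pre-{i}".encode()
        if short_hash(msg, m) == target:
            return i + 1, msg
    return None


def effort_summary(m):
    """The slide's three work factors for an m-bit hash, as trial counts."""
    return {"preimage": 2 ** m, "second_preimage": 2 ** m, "collision": 2 ** (m // 2)}


def demo():
    """Constructed experiment: a collision in a 24-bit hash versus a preimage in a 16-bit hash."""
    collision = find_collision(24, limit=1 << 24)
    target = short_hash(b"constructed target", 16)
    preimage = find_preimage(target, 16, limit=16 << 16)
    return {
        "collision_trials": collision[0],
        "preimage_trials": preimage[0],
        "expected": {"collision_24": 2 ** 12, "preimage_16": 2 ** 15},
    }


if __name__ == "__main__":
    print(demo())
```

The collision at 24 bits typically needs a few thousand hashes while the preimage at only 16 bits needs tens of thousands; scaling both to a 160-bit or 512-bit output gives the 2^(m/2) versus 2^m gap the slide tabulates, which is why collision resistance sets the required digest length.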

20/38

Hash Function Cryptanalysis

As with encryption algorithms, cryptanalytic attacks on hash functions seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.

In recent years, there has been much effort, and some successes, in developing cryptanalytic attacks on hash functions. To understand these, we must consider the overall structure of a typical secure hash function, referred to as an iterated hash function, as indicated in the diagram.


22/38

The hash function takes an input message and partitions it into fixed-sized blocks of b bits each.

If necessary, the final block is padded to b bits. The final block also includes the value of the total length of the input to the hash function.

The inclusion of the length makes the job of the opponent more difficult. The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output.

At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term compression.

23/38

Therefore, the structure can be used to produce a secure hash function to operate on a message of any length.

Cryptanalysis of hash functions focuses on the internal structure of f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Once that is done, the attack must take into account the fixed value of IV. The attack on f depends on exploiting its internal structure. The attacks that have been mounted on hash functions are rather complex and beyond our scope here.

24/38

HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING

A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key (instead using the message blocks as keys).

One of the first such proposals was that of Rabin, which divided a message M into fixed-size blocks, and used a symmetric encryption system such as DES to compute the hash code G as shown.

This is similar to the CBC technique, but in this case there is no secret key.

As with any hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is DES and only a 64-bit hash code is produced, then the system is vulnerable.

Furthermore, another version of the birthday attack can be used even if the opponent has access to only one message and its valid signature and cannot obtain multiple signings, known as a meet-in-the-middle attack (see text).

It can be shown that some form of birthday attack will succeed against any hash scheme involving the use of cipher block chaining without a secret key, provided that either the resulting hash code is small enough (e.g., 64 bits or less) or that a larger hash code can be decomposed into independent subcodes.

Thus, attention has been directed at finding other approaches to hashing.

25/38

Secure Hash Algorithm

In recent years, the most widely used hash function has been the Secure Hash Algorithm (SHA).

The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1.

The actual standards document is entitled Secure Hash Standard.

SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash.

This result has hastened the transition to newer, longer versions of SHA.

26/38

Revised Secure Hash Standard

In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. Collectively, these hash algorithms are known as SHA-2.

These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010.

27/38

Standard

NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
designed for compatibility with the increased security provided by the AES cipher
structure and detail are similar to SHA-1, hence analysis should be similar, but security levels are rather higher

28/38

SHA Versions (all sizes in bits)

    Parameter            SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
    Message digest size  160      224      256      384      512
    Message size         < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
    Block size           512      512      512      1024     1024
    Word size            32       32       32       64       64
    Number of steps      80       64       64       80       80

29/38

SHA-512 Overview

30/38

Now examine the structure of SHA-512, noting that the other versions are quite similar. SHA-512 processing consists of the following steps:

• Step 1: Append padding bits, consisting of a single 1-bit followed by the necessary number of 0-bits, so that the length is congruent to 896 modulo 1024.

• Step 2: Append the length as an unsigned 128-bit integer.

• Step 3: Initialize the hash buffer to a set of 64-bit integer constants. A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are initialized to the following 64-bit integers (hexadecimal values):

    a = 6A09E667F3BCC908    e = 510E527FADE682D1
    b = BB67AE8584CAA73B    f = 9B05688C2B3E6C1F
    c = 3C6EF372FE94F82B    g = 1F83D9ABFB41BD6B
    d = A54FF53A5F1D36F1    h = 5BE0CD19137E2179

These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.

31/38

• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm. Each round takes as input the 512-bit buffer value H_i and updates the contents of that buffer, by a round function which consists of 80 rounds of processing.

• Step 5: Output the final state value as the resulting hash.

SHA-512 compression function (figure)

32/38

SHA-512 Compression Function

The SHA-512 compression function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F, and is shown in detail in Figure 11.9.

Each round takes as input the 512-bit buffer value, and updates the contents of the buffer.

At input to the first round, the buffer has the value of the intermediate hash value.

Each round t makes use of a 64-bit value W_t derived using a message schedule from the current 1024-bit block being processed.

Each round also makes use of an additive constant K_t, based on the fractional parts of the cube roots of the first eighty prime numbers.

The constants provide a randomized set of 64-bit patterns, which should eliminate any regularities in the input data.

The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.

33/38

SHA-512 Round Function

34/38

The structure of each of the 80 rounds is shown in Stallings Figure 11.10. Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche and completeness properties of the hash function. The elements are:

    Ch(e,f,g)  = (e AND f) XOR (NOT e AND g)
    Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
    Σ0(a)      = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
    Σ1(e)      = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
    +          = addition modulo 2^64
    K_t        = a 64-bit additive constant
    W_t        = a 64-bit word derived from the current 512-bit input block.

Six of the eight words of the output of the round function involve simply permutation (b, c, d, f, g, h) by means of rotation. This is indicated by shading in Figure 11.10.

Only two of the output words (a, e) are generated by substitution. Word e is a function of input variables d, e, f, g, h, as well as the round word W_t and the constant K_t.

Word a is a function of all of the input variables, as well as the round word W_t and the constant K_t.

35/38

Stallings Figure 11.11 illustrates how the 64-bit word values W_t are derived from the 1024-bit message. The first 16 values of W_t are taken directly from the 16 words of the current block.

The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown. The function elements are:

    σ0(x) = ROTR(x,1)  XOR ROTR(x,8)  XOR SHR(x,7)
    σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)

Thus, in the first 16 steps of processing, the value of W_t is equal to the corresponding word in the message block. For the remaining 64 steps, the value of W_t consists of the circular left shift by one bit of the XOR of four of the preceding values of W_t, with two of those values subjected to shift and rotate.
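Putting slides 22 and 30 to 35 together, here is a complete SHA-512 in pure Python, added as an example and not code from the slides or from any library. The eight initial registers and the 80 round constants K_t are derived exactly as the slides describe (fractional parts of the square roots of the first eight primes and of the cube roots of the first eighty primes) rather than typed in, the padding follows Steps 1 and 2, the compression function iterates Ch, Maj, Σ0 and Σ1 over the eight registers, and σ0 and σ1 build the message schedule. The schedule follows FIPS 180-4, where W_t for t >= 16 is the modular sum σ1(W_{t-2}) + W_{t-7} + σ0(W_{t-15}) + W_{t-16}. The function names are assumptions; `matches_hashlib` checks the result against the standard library so the derived constants can be trusted.

```python
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def first_primes(n):
    """Return the first n prime numbers by trial division."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def icbrt(n):
    """Integer cube root floor(n ** (1/3)), Newton's method from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Step 3: first 64 bits of the fractional part of sqrt(p) for the first 8 primes,
# i.e. the low 64 bits of floor(sqrt(p) * 2^64). Round constants K_t likewise from
# the cube roots of the first 80 primes, as the slides state.
IV = [math.isqrt(p << 128) & MASK64 for p in first_primes(8)]
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def ch(e, f, g): return (e & f) ^ (~e & g)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)
def big_sigma0(a): return rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
def big_sigma1(e): return rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
def small_sigma0(x): return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)
def small_sigma1(x): return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)


def pad(message):
    """Steps 1-2: a single 1 bit, 0 bits up to 896 mod 1024, then the 128-bit length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded) % 128) % 128)
    return padded + bit_length.to_bytes(16, "big")


def message_schedule(block):
    """W_0..W_15 are the block's 16 words; W_16..W_79 follow FIPS 180-4 (modular sums)."""
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        w.append((small_sigma1(w[t - 2]) + w[t - 7] + small_sigma0(w[t - 15]) + w[t - 16]) & MASK64)
    return w


def compress(state, block):
    """Step 4: 80 rounds over the eight registers, then add the input state back in."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, h = state
    for t in range(80):
        t1 = (h + big_sigma1(e) + ch(e, f, g) + K[t] + w[t]) & MASK64
        t2 = (big_sigma0(a) + maj(a, b, c)) & MASK64
        # six words move along one place; only a and e are produced by substitution
        h, g, f, e = g, f, e, (d + t1) & MASK64
        d, c, b, a = c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha512_hex(message):
    """Iterated structure of slide 22: chain the compression function over the padded blocks."""
    state = list(IV)
    data = pad(message)
    for i in range(0, len(data), 128):
        state = compress(state, data[i:i + 128])
    return "".join(f"{x:016x}" for x in state)  # Step 5: the final chaining value


def matches_hashlib(message):
    """Cross-check this implementation against the standard library."""
    return sha512_hex(message) == hashlib.sha512(message).hexdigest()


if __name__ == "__main__":
    print(sha512_hex(b"abc"), matches_hashlib(b"a" * 300))
```

Deriving the constants from the primes, as the slides describe, is what makes them "nothing up my sleeve" values: anyone can regenerate them and confirm no hidden structure was chosen. The cross-check against `hashlib` confirms the derivation, the padding and the round function all agree with the standard.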

36/38

SHA-3

As yet, SHA-1 has not been "broken". That is, no one has demonstrated a technique for producing collisions in less than brute-force time.

However, because SHA-1 is very similar in structure and in the basic mathematical operations used to MD5 and SHA-0, both of which have been broken, SHA-1 is considered insecure and has been phased out for SHA-2.

SHA-2, particularly the 512-bit version, would appear to provide unassailable security. However, SHA-2 shares the same structure and mathematical operations as its predecessors, and this is a cause for concern.

Because it will take years to find a suitable replacement for SHA-2, should it become vulnerable, NIST decided to begin the process of developing a new hash standard.

Accordingly, NIST announced in 2007 a competition to produce the next generation NIST hash function, to be called SHA-3. NIST would like to have a new standard in place by the end of 2012, but emphasizes that this is not a fixed timeline.

37/38

SHA-3 Requirements

The basic requirements that must be satisfied by any candidate for SHA-3 are:

1. It must be possible to replace SHA-2 with SHA-3 in any application by a simple drop-in substitution. Therefore, SHA-3 must support hash value lengths of 224, 256, 384, and 512 bits.

2. SHA-3 must preserve the online nature of SHA-2. That is, the algorithm must process comparatively small blocks (512 or 1024 bits) at a time instead of requiring that the entire message be buffered in memory beforehand.

Beyond these basic requirements, NIST has defined a set of evaluation criteria. These criteria are designed to reflect the requirements for the main applications supported by SHA-2, and are:

• Security: The strength of SHA-3 should be close to the theoretical maximum for the different required hash sizes, and for both preimage resistance and collision resistance. SHA-3 algorithms must be designed to resist any potentially successful attack on SHA-2 functions.

• Cost: SHA-3 should be both time and memory efficient over a range of hardware platforms.

• Algorithm and implementation characteristics: such as flexibility (e.g., tunable parameters for security/performance tradeoffs, opportunity for parallelization, and so on), and simplicity (which makes it easier to analyze the security properties of the algorithm).
