Hashing, SHA 1
7/17/2019 CNS Unit 3
1/38
Unit 3
Introduction

A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M). A good hash function has the property that applying it to a large set of inputs produces outputs that are evenly distributed and apparently random.

In general terms, the principal object of a hash function is data integrity: a change to any bit or bits in M results, with high probability, in a change to the hash code.

The kind of hash function needed for security applications is referred to as a cryptographic hash function. A cryptographic hash function is an algorithm for which it is computationally infeasible to find either
(a) a data object that maps to a pre-specified hash result (the one-way property), or
(b) two data objects that map to the same hash result (the collision-free property).

Because of these characteristics, hash functions are often used to determine whether or not data has changed.
Cryptographic Hash Function
APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS

Cryptographic hash functions are used in a wide variety of security applications and Internet protocols. The range of applications in which they are employed is as follows:
1. Message authentication
2. Digital signatures
3. Creating a one-way password file
4. Intrusion detection and virus detection
5. Pseudorandom function (PRF) or pseudorandom number generator (PRNG)
Authentication
Message authentication is a mechanism or service used to verify the integrity of a message, by assuring that the data received are exactly as sent.

The figure illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows:

a. The message plus concatenated hash code is encrypted using symmetric encryption. Since only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication.

b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications not requiring confidentiality.

c. A hash function is used but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify it. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message. In practice this keyed-hash idea is used in its standardised form, HMAC, rather than as a bare hash over M concatenated with S.

d. Confidentiality can be added to the approach of (c) by encrypting the entire message plus the hash code.

e. When confidentiality is not required, method (b) has an advantage over methods (a) and (d), which encrypt the entire message, in that less computation is required.
Hash Functions & Digital Signatures

Another important application, which is similar to the message authentication application, is the digital signature. The operation of the digital signature is similar to that of the MAC. In the case of the digital signature, the hash value of a message is encrypted with a user's private key.
Other Hash Function Uses

To create a one-way password file: a hash of a password is stored by an operating system rather than the password itself. Thus, the actual password is not retrievable by a hacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification. This approach to password protection is used by most operating systems. A bare hash is not sufficient in practice: the stored value is salted and computed with a deliberately slow password-hashing function, so that an attacker holding the file cannot test guesses at raw hash speed.

For intrusion detection and virus detection: keep and check hashes of the files on a system. Store H(F) for each file on a system and secure the hash values (e.g., on a CD-R that is kept secure). One can later determine whether a file has been modified by recomputing H(F). An intruder would need to change F without changing H(F).

Pseudorandom function (PRF) or pseudorandom number generator (PRNG): a cryptographic hash function can be used to construct a PRF or a PRNG. A common application for a hash-based PRF is the generation of symmetric keys.
Two Simple Insecure Hash Functions

Consider two simple insecure hash functions:

• Bit-by-bit exclusive-OR (XOR) of every block. If b_ij is the i-th bit of the j-th of m blocks, the i-th bit of the hash is
  C_i = b_i1 XOR b_i2 XOR ... XOR b_im
  This is a longitudinal redundancy check; it is reasonably effective as a data integrity check.

• One-bit circular shift on the hash value: for each successive n-bit block, rotate the current hash value to the left by 1 bit and XOR in the block. This is good for data integrity but useless for security.
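Both toy hashes, written out as an added example (not code from the original slides), over constructed 16-bit blocks, together with the forgeries an adversary can write down directly because each function is linear over GF(2); the block size, helper names and sample message are assumptions for the demonstration:

```python
# Added example, not from the original slides: the two toy hashes above over
# constructed n-bit blocks, with forgeries an adversary can compute directly.
BLOCK_BITS = 16                      # n (assumption for the demo)
MASK = (1 << BLOCK_BITS) - 1


def split_blocks(data: bytes):
    """Split bytes into big-endian n-bit blocks, zero-padding the last one."""
    size = BLOCK_BITS // 8
    data += b"\x00" * (-len(data) % size)
    return [int.from_bytes(data[i:i + size], "big")
            for i in range(0, len(data), size)]


def xor_hash(blocks):
    """Bit-by-bit XOR of every block (longitudinal redundancy check)."""
    h = 0
    for b in blocks:
        h ^= b
    return h


def rotate_xor_hash(blocks):
    """Rotate the running hash left one bit, then XOR in the next block."""
    h = 0
    for b in blocks:
        h = ((h << 1) | (h >> (BLOCK_BITS - 1))) & MASK
        h ^= b
    return h


def detects_single_bit_error(blocks, i, j):
    """Both hashes catch an accidental flip of bit j in block i."""
    damaged = list(blocks)
    damaged[i] ^= 1 << j
    return (xor_hash(damaged) != xor_hash(blocks)
            and rotate_xor_hash(damaged) != rotate_xor_hash(blocks))


def reorder_forgery(blocks):
    """XOR is commutative, so any reordering of the blocks collides."""
    forged = list(reversed(blocks))
    return forged, xor_hash(forged) == xor_hash(blocks)


def shifted_flip_forgery(blocks, i, j):
    """The rotating hash is linear: block i is rotated one more time than
    block i+1 before the end, so flipping bit j of block i together with bit
    (j+1) mod n of block i+1 hits the same output bit twice -> collision."""
    forged = list(blocks)
    forged[i] ^= 1 << j
    forged[i + 1] ^= 1 << ((j + 1) % BLOCK_BITS)
    return forged, rotate_xor_hash(forged) == rotate_xor_hash(blocks)


if __name__ == "__main__":
    msg = split_blocks(b"pay alice 100 dollars")      # constructed sample
    print("single-bit error detected:", detects_single_bit_error(msg, 1, 5))
    print("reordered blocks collide (XOR):", reorder_forgery(msg)[1])
    print("two-bit tweak collides (rotate-XOR):", shifted_flip_forgery(msg, 0, 3)[1])
```

The point of the two forgeries is that no search is needed: because both functions are linear, an attacker can solve for a colliding message in closed form, which is exactly what the one-way and collision-free properties forbid.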
REQUIREMENTS AND SECURITY

The table lists the generally accepted requirements for a cryptographic hash function.

The first three properties (variable input size, fixed output size, and efficiency) are requirements for the practical application of a hash function.

The fourth property, preimage resistance (for a hash value h = H(x), we say that x is the preimage of h), is the one-way property: it is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important if the authentication technique involves the use of a secret value.

The fifth property, second preimage resistance, guarantees that it is infeasible to find an alternative message with the same hash value as a given message. This prevents forgery when an encrypted hash code is used.

A hash function that satisfies the first five properties in the table is referred to as a weak hash function. If the sixth property, collision resistance, is also satisfied, then it is referred to as a strong hash function. A strong hash function protects against an attack in which one party generates a message for another party to sign.

The final requirement, pseudorandomness, has not traditionally been listed as a requirement of cryptographic hash functions, but is more or less implied.
Hash Function Requirements
Attacks on Hash Functions

As with encryption algorithms, there are two categories of attacks on hash functions: brute-force attacks and cryptanalysis.

A brute-force attack does not depend on the specific algorithm but depends only on bit length. In the case of a hash function, a brute-force attack depends only on the bit length of the hash value.

Cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic algorithm.
Brute-force attacks

PREIMAGE AND SECOND PREIMAGE ATTACKS: For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y) is equal to a given hash value h. The brute-force method is to pick values of y at random and try each value until a match occurs. For an m-bit hash value, the level of effort is proportional to 2^m. Specifically, the adversary would have to try, on average, 2^(m-1) values of y to find one that generates a given hash value.
COLLISION RESISTANT ATTACKS: For a collision resistant attack, an adversary wishes to find two messages or data blocks, x and y, that yield the same hash value: H(x) = H(y).

The effort required is explained by a mathematical result referred to as the birthday paradox. In essence, if we choose random values from a uniform distribution in the range 0 through N-1, then the probability that a repeated element is encountered exceeds 0.5 after about sqrt(N) choices have been made. Thus, for an m-bit hash value, if we pick data blocks at random, we can expect to find two data blocks with the same hash value within sqrt(2^m) = 2^(m/2) trials.
A strategy to exploit the birthday paradox in a collision resistant attack:
• The source, A, is prepared to sign a legitimate message x by appending the appropriate m-bit hash code and encrypting that hash code with A's private key.
• The opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and saves them.
• The opponent generates 2^(m/2) variations y' of a desired fraudulent message y.
• The two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox).
• The opponent has A sign the valid message, then substitutes the forgery, which will carry a valid signature.
The generation of many variations that convey the same meaning is not difficult.
To summarize, for a hash code of length m, the level of effort required, as we have seen, is proportional to the following:
Preimage resistant: 2^m
Second preimage resistant: 2^m
Collision resistant: 2^(m/2)
The conclusion is that a larger MAC/hash length is needed: the collision bound, not the preimage bound, sets the effective security level, so an m-bit hash offers only about m/2 bits of collision resistance.
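A worked version of the attack strategy above and of the 2^m versus 2^(m/2) summary, added here as an example (not from the slides): SHA-256 truncated to 20 bits stands in for an m-bit hash (an assumption, chosen so the search runs in seconds), the two letters and the one-or-two-space variation trick are constructed for the demo, and a brute-force preimage search on the same function is placed beside the birthday search so the gap in effort can be measured:

```python
# Added example, not from the original slides: the birthday attack on a
# toy-size hash, next to a brute-force preimage search on the same function.
import hashlib

HASH_BITS = 20          # m: an assumption, small enough to run in seconds

# Constructed sample messages: the only difference is the amount.
LEGIT = ("Dear Bob, I agree to pay you 100 dollars for the consulting "
         "work you completed in March. Regards, Alice")
FRAUD = ("Dear Bob, I agree to pay you 100000 dollars for the consulting "
         "work you completed in March. Regards, Alice")


def trunc_hash(msg: bytes, bits: int = HASH_BITS) -> int:
    """An m-bit hash: the leading m bits of SHA-256(msg)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def variations(sentence: str, slots: int):
    """Yield 2**slots versions of the sentence with the same meaning: each of
    the first `slots` gaps between words is either one space or two."""
    words = sentence.split(" ")
    assert slots < len(words)
    for k in range(1 << slots):
        out = words[0]
        for i, w in enumerate(words[1:]):
            out += ("  " if i < slots and (k >> i) & 1 else " ") + w
        yield out.encode()


def birthday_attack(legit: str, fraud: str, slots: int):
    """Store 2**slots variants of the legitimate letter, then look up variants
    of the fraudulent one until the truncated hashes match.  With
    slots = m/2 about one matching pair is expected; a few extra bits of
    variation make the demo reliable.  Returns (x', y', hashes computed)."""
    table = {}
    tries = 0
    for x in variations(legit, slots):
        table[trunc_hash(x)] = x
        tries += 1
    for y in variations(fraud, slots):
        tries += 1
        h = trunc_hash(y)
        if h in table:
            return table[h], y, tries
    return None


def preimage_attack(target: int, limit: int = 1 << 23):
    """Brute-force a preimage of `target`: about 2**(m-1) trials on average,
    against roughly 2**(m/2) for the collision above."""
    for i in range(limit):
        candidate = b"msg-%d" % i
        if trunc_hash(candidate) == target:
            return candidate, i + 1
    return None


if __name__ == "__main__":
    x, y, tries = birthday_attack(LEGIT, FRAUD, 13)
    print("collision after", tries, "hashes:", hex(trunc_hash(x)))
    print(x.decode())
    print(y.decode())
    pre, n = preimage_attack(trunc_hash(b"some signed document"))
    print("preimage after", n, "hashes:", pre)
```

Run it and compare the two counters: the collision typically appears after a few thousand hashes, the preimage after a few hundred thousand, which is the 2^(m/2) versus 2^(m-1) ratio for m = 20. Neither the variant x' nor y' is visibly different from its original, which is why a signature over x' transfers to y'.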
Hash Function Cryptanalysis

As with encryption algorithms, cryptanalytic attacks on hash functions seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. In recent years there has been much effort, and some success, in developing cryptanalytic attacks on hash functions. To understand them we must consider the overall structure of a typical secure hash function, referred to as an iterated hash function, as indicated in the diagram.
The hash function takes an input message and partitions it into fixed-size blocks of b bits each. If necessary, the final block is padded to b bits. The final block also includes the value of the total length of the input to the hash function. The inclusion of the length makes the job of the opponent more difficult.

The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output. At the start of hashing, the chaining variable has an initial value (IV) that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term compression.

Therefore, the structure can be used to produce a secure hash function that operates on a message of any length.

Cryptanalysis of hash functions focuses on the internal structure of f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Once that is done, the attack must take into account the fixed value of IV. The attack on f depends on exploiting its internal structure. The attacks that have been mounted on hash functions are rather complex and beyond our scope here.
HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING

A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key (instead using the message blocks as keys). One of the first such proposals was that of Rabin, which divided a message M into fixed-size blocks M_1, ..., M_N and used a symmetric encryption system such as DES to compute the hash code G as shown: H_0 = initial value, H_i = E(M_i, H_{i-1}), G = H_N, where E(k, x) is encryption of x under key k. This is similar to the CBC technique, but in this case there is no secret key.

As with any hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is DES and only a 64-bit hash code is produced, then the system is vulnerable. Furthermore, another version of the birthday attack can be used even if the opponent has access to only one message and its valid signature and cannot obtain multiple signings, known as a meet-in-the-middle attack (see text).

It can be shown that some form of birthday attack will succeed against any hash scheme involving the use of cipher block chaining without a secret key, provided that either the resulting hash code is small enough (e.g., 64 bits or less) or a larger hash code can be decomposed into independent subcodes. Thus, attention has been directed at finding other approaches to hashing.
Secure Hash Algorithm

In recent years, the most widely used hash function has been the Secure Hash Algorithm (SHA). SHA was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard.

SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash. This result hastened the transition to newer, longer versions of SHA.
Revised Secure Hash Standard

In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. Collectively, these hash algorithms are known as SHA-2.

These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010.
Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
• designed for compatibility with the increased security provided by the AES cipher
• structure and detail are similar to SHA-1, hence the analysis should be similar, but the security levels are rather higher
SHA Versions

Parameter              SHA-1     SHA-224   SHA-256   SHA-384   SHA-512
Message digest size    160       224       256       384       512
Message size           < 2^64    < 2^64    < 2^64    < 2^128   < 2^128
Block size             512       512       512       1024      1024
Word size              32        32        32        64        64
Number of steps        80        64        64        80        80

(all sizes in bits)
SHA-512 Overview
Now examine the structure of SHA-512, noting that the other versions are quite similar. SHA-512 processing consists of the following steps:

• Step 1: Append padding bits, consisting of a single 1-bit followed by the necessary number of 0-bits, so that the length is congruent to 896 modulo 1024.
• Step 2: Append the length of the original message in bits as an unsigned 128-bit integer.
• Step 3: Initialize the hash buffer to a set of 64-bit integer constants.

A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are initialized to the following 64-bit integers (hexadecimal values):
a = 6A09E667F3BCC908    e = 510E527FADE682D1
b = BB67AE8584CAA73B    f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B    g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1    h = 5BE0CD19137E2179
These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.
• Step 4: Process the message in 1024-bit (128-byte, sixteen 64-bit word) blocks; this forms the heart of the algorithm. Each block is processed by the compression function, which takes as input the 512-bit buffer value H_i and updates the contents of that buffer through 80 rounds of processing.
• Step 5: Output the final state value as the resulting hash.
SHA-512 Compression Function

The SHA-512 compression function is the heart of the algorithm. In Step 4, it processes the message in 1024-bit (128-byte) blocks, using a module that consists of 80 rounds, labeled F, and is shown in detail in Figure 11.9.

Each round takes as input the 512-bit buffer value and updates the contents of the buffer. At input to the first round, the buffer has the value of the intermediate hash value H_{i-1}.

Each round t makes use of a 64-bit value W_t, derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant K_t, based on the fractional parts of the cube roots of the first eighty prime numbers. The constants provide a randomized set of 64-bit patterns, which should eliminate any regularities in the input data.

The output of the eightieth round is added, word by word modulo 2^64, to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.
SHA-512 Round Function
The structure of each of the 80 rounds is shown in Stallings Figure 11.10. Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche and completeness properties of the hash function. The elements are:

Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
Σ0(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
Σ1(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
K_t = a 64-bit additive constant
W_t = a 64-bit word derived from the current 1024-bit input block

Written out, round t computes
T1 = h + Σ1(e) + Ch(e,f,g) + K_t + W_t
T2 = Σ0(a) + Maj(a,b,c)
and then sets (a, b, c, d, e, f, g, h) to (T1 + T2, a, b, c, d + T1, e, f, g).

Six of the eight words of the output of the round function involve simply a permutation (b, c, d, f, g, h) by means of rotation. This is indicated by shading in Figure 11.10. Only two of the output words (a, e) are generated by substitution. Word e is a function of the input variables d, e, f, g, h, as well as the round word W_t and the constant K_t. Word a is a function of all of the input variables, as well as the round word W_t and the constant K_t.
Stallings Figure 11.11 illustrates how the 64-bit word values W_t are derived from the 1024-bit message block. The first 16 values of W_t are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs, as shown. The function elements are:
σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)

Thus, in the first 16 steps of processing, the value of W_t is equal to the corresponding word in the message block. For the remaining 64 steps, W_t is formed from four of the preceding values, two of them passed through the σ functions, combined by addition modulo 2^64:
W_t = σ1(W_{t-2}) + W_{t-7} + σ0(W_{t-15}) + W_{t-16}
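The whole algorithm assembled from the pieces above, as an added example (not the slides' own code, and independent of any library's implementation): it builds the iterated hash structure described in the cryptanalysis section (padding with the message length, a compression function chained from a fixed IV), derives the initial buffer and the eighty K_t constants from prime square and cube roots exactly as the text states rather than hard-coding them, implements the message schedule and round function with the Σ, σ, Ch and Maj elements listed above, and cross-checks the result against Python's hashlib. The helper names (icbrt, first_primes, compress, matches_hashlib) are my own.

```python
# Added example, not from the original slides: SHA-512 from the steps above,
# with IV and K_t derived from prime roots and the result checked via hashlib.
import hashlib
import math

MASK64 = (1 << 64) - 1


def first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n):
    """Integer cube root, floor(n ** (1/3)), by Newton's method from above."""
    x = 1 << -(-n.bit_length() // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Step 3: first 64 fractional bits of sqrt(p) for the first 8 primes.
IV = [math.isqrt(p << 128) & MASK64 for p in first_primes(8)]
# Round constants: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def pad(message: bytes) -> bytes:
    """Steps 1-2: a 1 bit, 0 bits up to 896 mod 1024, then the 128-bit bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded) % 128) % 128)
    return padded + (len(message) * 8).to_bytes(16, "big")


def message_schedule(block: bytes):
    """W_0..W_15 are the block's words; W_16..W_79 mix four earlier words."""
    W = [int.from_bytes(block[8 * i:8 * i + 8], "big") for i in range(16)]
    for t in range(16, 80):
        s0 = rotr(W[t - 15], 1) ^ rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
        s1 = rotr(W[t - 2], 19) ^ rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
        W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
    return W


def compress(H, block: bytes):
    """Step 4: 80 rounds over one 1024-bit block, then add the result to the input."""
    W = message_schedule(block)
    a, b, c, d, e, f, g, h = H
    for t in range(80):
        S1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        T1 = (h + S1 + ch + K[t] + W[t]) & MASK64
        S0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        T2 = (S0 + maj) & MASK64
        # only a and e are new values; the other six words just shift along
        h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK64, c, b, a, (T1 + T2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]


def sha512(message: bytes) -> bytes:
    H = list(IV)                                  # chaining variable starts at IV
    data = pad(message)
    for off in range(0, len(data), 128):
        H = compress(H, data[off:off + 128])
    return b"".join(x.to_bytes(8, "big") for x in H)   # Step 5


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha512(message) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 200):
        assert matches_hashlib(m)
    print("K_0 =", hex(K[0]), " IV_0 =", hex(IV[0]))
    print("SHA-512('abc') =", sha512(b"abc").hex())
```

Two details worth checking when reading the code against the slides: the padding is computed on the message length before the 0x80 byte is appended to the length field but after it is appended for the zero count, and W_t uses modular addition, not XOR, to combine its four inputs.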
SHA-3

SHA-1 is no longer considered secure. The 2005 result described earlier reduced the cost of finding a SHA-1 collision below the 2^80 brute-force bound, and a practical collision (two distinct files with the same SHA-1 digest) was published in 2017. Because SHA-1 is very similar in structure and in the basic mathematical operations used to MD5 and SHA-0, both of which had already been broken, it was regarded as insecure well before that and has been phased out in favour of SHA-2.

SHA-2, particularly the 512-bit version, would appear to provide unassailable security. However, SHA-2 shares the same structure and mathematical operations as its predecessors, and this is a cause for concern. Because it will take years to find a suitable replacement for SHA-2, should it become vulnerable, NIST decided to begin the process of developing a new hash standard.

Accordingly, NIST announced in 2007 a competition to produce the next-generation NIST hash function, to be called SHA-3. NIST wanted to have a new standard in place by the end of 2012, but emphasized that this was not a fixed timeline. The competition was won by Keccak, selected in 2012 and standardized as FIPS 202 in 2015; its sponge construction deliberately differs from the iterated structure shared by SHA-1 and SHA-2.
SHA-3 Requirements

The basic requirements that must be satisfied by any candidate for SHA-3 are:
1. It must be possible to replace SHA-2 with SHA-3 in any application by a simple drop-in substitution. Therefore, SHA-3 must support hash value lengths of 224, 256, 384, and 512 bits.
2. SHA-3 must preserve the online nature of SHA-2. That is, the algorithm must process comparatively small blocks (512 or 1024 bits) at a time instead of requiring that the entire message be buffered in memory before processing.

Beyond these basic requirements, NIST has defined a set of evaluation criteria. These criteria are designed to reflect the requirements for the main applications supported by SHA-2, and are:
• Security: the strength of SHA-3 should be close to the theoretical maximum for the different required hash sizes, and for both preimage resistance and collision resistance. SHA-3 algorithms must be designed to resist any potentially successful attack on SHA-2 functions.
• Cost: be both time and memory efficient over a range of hardware platforms.
• Algorithm and implementation characteristics: such as flexibility (e.g., tunable parameters for security/performance tradeoffs, opportunity for parallelization, and so on), and simplicity (which makes it easier to analyze the security properties of the algorithm).