Cryptographic Hash Functions

Topics
 Overview of Cryptography Hash Function
 Usages
 Properties
 Hashing Function Structure
 Attack on Hash Function
 The Road to new Secure Hash Standard
Hash Function

 The hash value represents

concisely the longer message
 may called the message digest

 A message digest is as a
``digital fingerprint'' of the
original document

condenses arbitrary message to fixed size

h = H(M)

3
Chewing functions

 Hashing function as “chewing” or “digest” function

Hashing V.S. Encryption
Hello, world. k NhbXBsZSBzZW50ZW5jZS
A sample sentence to E B0byBzaG93IEVuY3J5cHR
show encryption. pb24KsZSBzZ

Hello, world. k NhbXBsZSBzZW50ZW5jZS

A sample sentence to D B0byBzaG93IEVuY3J5cHR
show encryption. pb24KsZSBzZ

 Encryption is two way, and requires a key to encrypt/decrypt

This is a clear text that

can easily read 52f21cf7c7034a20
without using the key. 17a21e17e061a863
The sentence is longer
than the text above.

 Hashing is one-way. There is no 'de-hashing’

Motivation for Hash Algorithms
 Intuition
 Limitation on non-cryptographic checksum
 Very possible to construct a message that matches the
checksum
 Goal
 Design a code where the original message can not be inferred
based on its checksum
 such that an accidental or intentional change to the message
will change the hash value
Hash Function Applications
 Used Alone
 Fingerprint -- file integrity verification, public key fingerprint
 Password storage (one-way encryption)

 Combined with encryption functions

 Hash based Message Authentication Code (HMAC)
 protects both a message's integrity and confideltaility
 Digital signature
 Ensuring Non-repudiation
 Encrypt hash with private (signing) key and verify with public
(verification) key
Integrity

 to create a one-way password file

 store hash of password not actual password
 for intrusion detection and virus detection
 keep & check hash of files on system
Password Verification
Store Hashing Password Verification an input password against the stored hash

Iam#4VKU Iam#4VKU
Password
store

h h

661dce0da2bcb2d8 661dce0da2bcb2d8 661dce0da2bcb2d8

2884e0162acf8194 2884e0162acf8194 2884e0162acf8194

Hash Matching
Exactly?
Password
Yes No
store Deny
Grant
Topics
 Overview of Cryptography Hash Function
 Usages
 Properties
 Hashing Function Structure
 Attack on Hash Function
 The Road to new Secure Hash Standard
Hash Function Usages (I)

Message encrypted : Confidentiality and authentication

Message unencrypted: Authentication

Hash Function Usages (II)

Message encrypted : Authentication (no encryption needed!)

Message unencrypted: Authentication, confidentiality

Hash Function Usages (III)

Authentication, digital signature

Authentication, digital signature, confidentiality

Topics
 Overview of Cryptography Hash Function
 Usages
 Properties
 Hashing Function Structure
 Attack on Hash Function
 The Road to new Secure Hash Standard
Hash Function Properties
 Arbitrary-length message to fixed-length digest

 Preimage resistant (One-way property)

 Second preimage resistant (Weak collision resistant)

 Collision resistant (Strong collision resistance)

Properties : Fixed length

Hello, world 661dce0da2bcb2d8

2884e0162acf8194

Fixed length L
This is a clear text that
can easily read without 52f21cf7c7034a20
using the key. The 17a21e17e061a863
sentence is longer than
the text above.

 Arbitrary-length message to fixed-length digest

Preimage resistant
 This measures how difficult to devise a message which hashes to the known digest
 Roughly speaking, the hash function must be one-way.

Given only a message digest, can’t find any message

(or preimage) that generates that digest.
Weak vs Strong collision resistance
Weak collision resistance –real time application
 A good example where we are actually only interested in
weak collision resistance would be a simple password
storage scheme. Assume we store user-provided
passwords in a database by storing their hash. If an
attacker were capable of solving the "second preimage"
problem efficiently, he could obtain an x' whose hash
value is the same as that of the original x, and would
thus be authenticated successfully.
Strong collision resistance-real time application
 A different scenario where our concern is strong collision resistance instead is for example an
application where you want to be able to look up arbitrary data stored in a database with the help
of unique ids. Instead of issuing queries on the original data (which would often be very slow due
to the potentially unbounded size of the data), you would compute hashes of the data instead.
 Hashes are very compact, limited in their size and can thus be queried much more efficiently. As a
matter of fact, in these cases you often don't mind the (second) pre-image resistance property of a
hash function at all, mostly because the preimages themselves are no secret.
 What you do care about, though, is that you would absolutely want to avoid two distinct data sets
to hash to the same value, which is essentially a collision. You don't care about any collision in
particular, but you want this property to hold universally - i.e. you don't want any two data sets
hash to the same value (imagine there is a 'unique constraint' defined on that column). Because
security is often no issue in these applications, we often use non-cryptographic hashes, mostly
because they perform bette
Hash Functions Family
 MD (Message Digest)
 Designed by Ron Rivest
 Family: MD2, MD4, MD5
 SHA (Secure Hash Algorithm)
 Designed by NIST
 Family: SHA-0, SHA-1, and SHA-2
 SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
 SHA-3: New standard in competition
 RIPEMD (Race Integrity Primitive Evaluation Message
Digest)
 Developed by Katholieke University Leuven Team
 Family : RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
Secure Hash Algorithm
Secure Hash Algorithm

 SHA originally designed by NIST & NSA in 1993

 was revised in 1995 as SHA-1
 US standard for use with DSA signature scheme
 standard is FIPS 180-1 1995, also Internet RFC3174
 nb. the algorithm is SHA, the standard is SHS
 based on design of MD5 with key differences
 produces 160-bit hash values
 recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications
How SHA Works?

 Digest Length=160 bit

 I/P Text=512 bit
 Sub Block size=32bit
 512/32=16 total Sub blocks
 No. Of Rounds=4
 Iteration per round=20
 Chaining Variable = 5*32=160
 K[t] constant= Where t=0 to 79
 O/P-> four 32 bit blocks
 SHA Overview

1. Padding: Length of the message is 64 bits short of

multiple of 512 after padding.
2. Append a 64-bit length value of original message is taken.
3. Divide the input into 512-bit blocks
4. Initialise CV 5-word (160-bit) buffer (A,B,C,D,E) to
(A=01 23 45 67,
B=89 AB CD EF,
C=FE DC BA 98,
D=76 54 32 10,
E=C3 D2 E1 F0)
Continue…

5. Process Blocks now the actual algorithm begins.

message in 16-word (512-bit) chunks:
 Copy CV into single register for storing temporary
intermediate as well as the final results.
 Divide the current 512-bit blocks into 16 sub-blocks,
each consisting of 32 bits.
 Has No. Of Rounds=4, each round consisting of 20 bit
/step iteration operations on message block & buffer
 expand 16 words into 80 words(20*4) by mixing &
shifting.K[t] constant= Where t=0 to 79
 Form new buffer value by adding output to input.
6. output hash value is the final buffer value
SHA-1 Compression Function

ABCDE=(F[t]+E+S5(A)+W[t]+K[t]),>>>Shift right by 1 bit for next iteration

SHA-1 Compression Function terms
 each round has 20 steps which replaces the 5 buffer
words thus:
(A,B,C,D,E) <-(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,
(B<<30),C,D)
 ABCDE refer to the 5 words of the buffer
 t is the step number
 f(t,B,C,D) is nonlinear function for round
 W is derived from the message block
t

 Kt is a constant value
 S^t circular left shift of 32 bit sub-block by t bits
SHA round constants
 Process F(t) in each SHA-1 round

 where g can be expressed as:

ROUND 1: (b AND c) OR ((NOT b) AND (d)) same as MD5

ROUND 2: b XOR c XOR d

ROUND 3: (b AND c) OR (b AND d) OR (c AND d)

ROUND 4: b XOR c XOR d

MD5
MD5 Overview

2. Append
length
(64bits)

1. Append padding
bits
(to 448 mod 512)

3. Initialize MD buffer (4x32 bits Word)

Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10
MD5
MD5
MD5
MD5
MD5 vs SHA
MD5, SHA-1, and RIPEMD-160

40
Attacks on Hash Functions
 brute-force attacks and cryptanalysis
 cryptanalytic attacks exploit some property of algorithm so faster than brute-
force
 a preimage or second preimage attack
 find y such that H(y)equals a given hash value
 collision resistance
 find two messages x & y with same hash so H(x) = H(y)

"md5 and sha1 are both clearly broken (in terms of collision-resistance”
Ron Rivest

http://mail.python.org/pipermail/python-dev/2005-December/058850.html
The need of new Hash standard
 MD5 should be considered cryptographically broken and
unsuitable for further use, US CERT 2010
 In 2004, a collision for the full SHA-0 algorithm was
announced

 SHA-1 not yet fully “broken”

 but similar to the broken MD5 & SHA-0
 so considered insecure and be fade out
 SHA-2 (esp. SHA-512) seems secure
 shares same structure and mathematical operations as
predecessors so have concern
Summary
 Hash functions are keyless
 Applications for digital signatures and in message authentication codes
 The three security requirements for hash functions are
 one-wayness, second preimage resistance and collision resistance
 MD5 and SHA-0 is insecure
 Serious security weaknesses have been found in SHA-1
 should be phased out
 SHA-2 appears to be secure
 May use SHA-512 and use the first 256 bytes
 The ongoing SHA-3 competition will result in new standardized
hash functions in a next year