Hash Functions and Digital Signatures: ECE 646 Lecture 11 - Prof. Krzysztof Gaj, Study notes of Cryptography and System Security

Covers the concepts of hash functions, message authentication codes (MACs), and digital signatures: the basics of hash functions, their security requirements, and algorithms such as MD2, MD4, MD5, and SHA-1. The notes also explain the role of hash functions in digital signatures and MACs, and cover collision resistance and preimage resistance.

Typology: Study notes

Pre 2010

Uploaded on 02/10/2009

koofers-user-oi2

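Hash functions & MACs

ECE 646 Lecture 11

Digital Signature

[Figure: Alice applies the hash function to the message and then the public key algorithm with Alice’s private key to the hash value, producing the signature. She sends the message and the signature. Bob applies the hash function to the message and the public key algorithm with Alice’s public key to the signature, obtaining hash value 1 and hash value 2, and compares them: yes / no.]

Hash function

[Figure: message m of arbitrary length → hash function h → hash value h(m) of fixed length]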

Vocabulary

hash function

message digest

hash value

hash total

fingerprint

imprint

cryptographic checksum

compressed encoding

MDC, Message Digest Code

message digest

Hash functions

Basic requirements

1. Public description, NO key

2. Compression

arbitrary length input → fixed length output

3. Ease of computation

Hash functions

Security requirements

It is computationally infeasible:

1. Preimage resistance
   Given: y
   To find: x, such that h(x) = y

2. 2nd preimage resistance
   Given: x and y = h(x)
   To find: x’ ≠ x, such that h(x’) = h(x) = y

3. Collision resistance
   To find: x’ ≠ x, such that h(x’) = h(x)

Creating multiple versions of the required message

I {state | confirm} {thereby | -} that I {borrowed | received} {$10,000 | ten thousand dollars} from {Mr. | Dr.} {Kris | Krzysztof} Gaj on {November 15, | 11/15/} 2005. This {money | sum of money} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {22nd | 23rd} day of {November | December} 2005.

Brute force attack against Collision Resistant Hash Function

Yuval

[Figure: r messages acceptable for the signer, m_i (i = 1..r), and r messages required by the forger, m_j’ (j = 1..r), are each passed through h to give the n-bit values h(m_i) and h(m_j’); the search is for a pair with h(m_i) = h(m_j’).]

Message required by the forger

I {state | confirm} {thereby | -} that I {borrowed | received} {$10,000 | ten thousand dollars} from {Mr. | Dr.} {Kris | Krzysztof} Gaj on {November 15, | 11/15/} 2005. This {money | sum of money} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {22nd | 23rd} day of {November | December} 2005.

Message acceptable for the signer

I {state | confirm} {thereby | -} that I {borrowed | received} from {Mr. | Dr.} {Kris | Krzysztof} Gaj on {November 15, | 11/15/} 2005 a {book | manuscript} on {security in wireless networks. | fast implementations of cryptography.} This {text | item} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {22nd | 23rd} day of {November | December} 2005.

Birthday paradox

How many students must be in a class so that there is a greater than 50% chance that

1. one of the students shares the teacher’s birthday (up to the day and month)?

2. any two of the students share the same birthday (up to the day and month)?

Birthday paradox

How many students must be in a class so that there is a greater than 50% chance that

1. one of the students shares the teacher’s birthday (day and month)?

2. any two of the students share the same birthday (day and month)?

   ~ √366 ≈ 19
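The slides on Yuval's search and the birthday paradox explain why an n-bit hash gives only about n/2 bits of collision resistance. The following is an added example, not part of the lecture notes, that runs the search against a toy hash. The assumptions are SHA-256 truncated to n bits, the `{a|b}` template syntax, a subset of the slide's wording slots, and all function names.

```python
import hashlib
import re
from itertools import product

# Constructed templates following the two slide messages; {a|b} marks wording
# that can be swapped without changing the meaning (a subset of the slide's slots).
SIGNER = ("I {state|confirm} that I {borrowed|received} from {Mr.|Dr.} "
          "{Kris|Krzysztof} Gaj on {November 15, |11/15/}2005 a {book|manuscript} "
          "on {security in wireless networks|fast implementations of cryptography}. "
          "This {text|item} {should|is required to} be {returned|given back} to "
          "{Mr.|Dr.} Gaj by the {22nd|23rd} day of {November|December} 2005.")
FORGER = ("I {state|confirm} that I {borrowed|received} "
          "{$10,000|ten thousand dollars} from {Mr.|Dr.} {Kris|Krzysztof} Gaj on "
          "{November 15, |11/15/}2005. This {money|sum of money} "
          "{should|is required to} be {returned|given back} to {Mr.|Dr.} Gaj "
          "by the {22nd|23rd} day of {November|December} 2005.")

def variants(template):
    """Yield every message obtainable by picking one alternative per slot."""
    parts = re.split(r"\{([^{}]*)\}", template)
    slots = [p.split("|") if i % 2 else [p] for i, p in enumerate(parts)]
    for combo in product(*slots):
        yield "".join(combo)

def truncated_hash(msg, n_bits):
    """Toy n-bit hash (assumption): the top n_bits of SHA-256."""
    digest = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def yuval_search(signer_tpl, forger_tpl, n_bits):
    """Return (acceptable, required, forger variants tried) or None."""
    table = {truncated_hash(m, n_bits): m for m in variants(signer_tpl)}
    for tried, required in enumerate(variants(forger_tpl), 1):
        acceptable = table.get(truncated_hash(required, n_bits))
        if acceptable is not None:
            return acceptable, required, tried
    return None

if __name__ == "__main__":
    for n_bits in (16, 20, 24):
        found = yuval_search(SIGNER, FORGER, n_bits)
        print(n_bits, "bits:", f"match after {found[2]} variants" if found else "no match")
```

With 2^13 and 2^12 variants the search is expected to succeed only up to roughly n = 25 bits, which is the 2^(n/2) birthday bound; at 160 or 256 bits the same search needs about 2^80 or 2^128 variants.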

Hash function algorithms

Customized (dedicated):

  MD2 (Rivest 1988)
  MD4 (Rivest 1990)
  MD (Rivest 1990)
  SHA-
  SHA-
  RIPEMD-
  RIPEMD-
  European RACE Integrity Primitives Evaluation Project, 1992
  NSA, 1992
  NSA, 1995
  SHA-256, SHA-384, SHA-512 (NSA, 2000)

Based on block ciphers:

  MDC-, MDC- (IBM, Brachtl, Meyer, Schilling, 1988)

Based on modular arithmetic:

  MASH- (1988-)

Security of dedicated hash functions

Functions: MD, MD, MD5, SHA-, SHA-, RIPEMD-, RIPEMD-, SHA-256, SHA-384, SHA-

Status:

  partially broken
  broken, H. Dobbertin, 1995 (one hour on PC, 20 free bytes at the start of the message)
  partially broken, collisions for the compression function, Dobbertin, 1996 (10 hours on PC)
  weakness discovered, 1995 NSA, 1998 France
  reduced round version broken, Dobbertin 1995

Hash functions

Applications (1)

1. Digital Signatures

Advantages

  1. Shorter signature
  2. Much faster computations
  3. Larger resistance to manipulation (one block instead of several blocks of signature)
  4. Resistance to the multiplicative attacks
  5. Avoids problems with different sizes of the sender and the receiver moduli

Hash functions

Applications (2)

2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an intruder)

[Figure: program → hash → fingerprint, compared with the original_fingerprint kept in a safe place]

Hash functions

Applications (3)

3. Storing passwords

[Figure: password → hash → hash(password)]

Instead of: ID, password

System stores: ID, hash(password)

UNIX password scheme

[Figure: the password and the salt are inputs to each DES block; the output is hash(password, salt)]

ID, salt, hash(password, salt)

salt modifies the expansion function E of DES

Hash padding

message | 1 0 0 0 0 0 0 0 0 0 0 0 | length

length = length of the entire message in bits (64 bits)

All zero padding:

  X X X 0 0 0 0 0
  X X X 0 0 0 0 0

Correct padding:

  X X X 0 0 1 0 0
  X X X 1 0 0 0 0
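The padding slide contrasts all-zero padding with the "1, zeros, length" rule. The following is an added example, not part of the lecture notes, showing the failure the slide illustrates: two different messages that become the same hash input under all-zero padding. The assumptions are a 512-bit block, byte-aligned messages, a big-endian length field as in SHA-1, and the function names.

```python
def zero_pad(msg: bytes, block: int = 64) -> bytes:
    """All-zero padding: fill the last block with zero bytes only."""
    return msg + b"\x00" * (-len(msg) % block)

def md_pad(msg: bytes, block: int = 64) -> bytes:
    """Padding from the slide: a single 1 bit, zeros, then the 64-bit length
    of the entire message in bits (big-endian, as in SHA-1)."""
    zeros = (block - 9 - len(msg)) % block      # 1 byte for 0x80, 8 for the length
    return msg + b"\x80" + b"\x00" * zeros + (8 * len(msg)).to_bytes(8, "big")

def same_hash_input(pad, a: bytes, b: bytes) -> bool:
    """True if two distinct messages become identical after padding,
    so any hash computed over the padded blocks collides for free."""
    return a != b and pad(a) == pad(b)

# Constructed sample messages: the second is the first plus trailing zero bytes,
# mirroring "X X X" and "X X X 0 0" on the slide.
M1 = b"XXX"
M2 = b"XXX\x00\x00"

if __name__ == "__main__":
    print("all-zero padding collides:", same_hash_input(zero_pad, M1, M2))
    print("1, zeros, length collides:", same_hash_input(md_pad, M1, M2))
    print("padded size of a 56-byte message:", len(md_pad(b"a" * 56)))
```

A 56-byte message leaves no room for the marker and the length in its own block, so the padded input grows to two blocks.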

Parameters of dedicated hash functions

name       # bits of hash value   # bits of message block   no. of rounds (steps)
MD         128                    512                       3 x 16
MD         128                    512                       4 x 16
SHA-       160                    512                       4 x 20
RIPEMD-    128                    512                       4 x 16
RIPEMD-    160                    512                       5 x 16

speed relative to MD

0.

0.

Parameters of new hash functions

Features affecting security and functionality

                                        SHA-1      SHA-256    SHA-384    SHA-
Size of hash value                      160        256        384        512
Complexity of the best attack           2^80       2^128      2^192      2^256
Equivalently secure secret-key cipher   Skipjack   AES-128    AES-192    AES-
Message size                            < 2^64     < 2^64     < 2^128    < 2^128

Parameters of new hash functions

Features affecting implementation speed

                          SHA-1   SHA-256   SHA-384   SHA-
Message block size        512     512       1024      1024
Number of digest rounds   80      64        80        80

Results of conceptual comparison

[Figure: Speed versus Area; labels: SHA-512, SHA-; SHA-; SHA-]

Results of the prototype FPGA implementation (GMU, 2002)

[Figure: bar chart of Speed in hardware [Mbit/s], axis 0 to 700; SHA-1 and SHA-: 462 and 616]

Complexity of the best attack: 2^80 and 2^256, the same as Skipjack and AES-

MAC functions

Security requirements

Given zero or more pairs m_i, MAC_K(m_i), i = 1..k

it is computationally impossible to find any new pair m’, MAC_K(m’)

such that m’ ≠ m_i, i = 1..k

MAC functions

Security requirements

Resistance against

  1. Known-text attack
  2. Chosen-text attack
  3. Adaptive chosen-text attack

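CBC-MAC (1)

[Figure: CBC chain. Blocks m_1, m_2, ..., m_t are each encrypted by E under key K, giving H_1, H_2, ..., H_t-1, H_t. The MAC is taken either from H_t directly or after an additional step of D under K’ followed by E under K.]

FIPS-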

CBC-MAC (1)

H_0 = IV = 0

H_i = DES_K(m_i ⊕ H_(i-1)), i = 1..t

MAC(m) = H_t[1..32]

or

MAC(m) = E_K(E_K’^-1(H_t))[1..32]

MAC functions

Based on block ciphers: CBC-MAC, CFB-MAC, RIPE-MAC

Based on hash functions: HMAC, MD5-MAC

Dedicated: MAA

Based on stream ciphers: CRC-MAC

RIPE-MAC

H_0 = IV = 0

H_i = DES_K(m_i ⊕ H_(i-1)) ⊕ m_i, i = 1..t

MAC(m) = E_K(E_K’^-1(H_t))[0..31]

K’ = K ⊕ 0xf0f0…f