






























This document from Lecture 17 of CPSC 467b at Yale University, delivered by Michael J. Fischer, discusses extending hash functions to build stronger ones, secure password storage methods, and the risks of dictionary attacks. The document also covers the use of salt to make dictionary attacks more difficult.
Typology: Slides































Outline Hash Passwords
Lecture 17
Michael J. Fischer
Department of Computer Science Yale University
March 24, 2010
1 Hash Function Constructions
    Extending a hash function
    A General Chaining Method
    Hash Functions Do Not Always Look Random
    Birthday Attack on Hash Functions
    Hash from Cryptosystem
2 Authentication Using Passwords
    Passwords
    Secure Password Storage
    Dictionary Attacks
Suppose we are given a strong collision-free hash function
h : 256-bits → 128-bits.
How can we use h to build a strong collision-free hash function
H : 512-bits → 128-bits?
We consider several methods. In the following, $M$ is 512 bits long. We write $M = m_1 m_2$, where $m_1$ and $m_2$ are 256 bits each.
First idea. Let $M = m_1 m_2$ and define
$H(M) = H(m_1 m_2) = h(m_1) \oplus h(m_2)$.
Unfortunately, this fails to be either strong or weak collision-free. Let $M' = m_2 m_1$. $(M, M')$ is always a colliding pair for $H$ except in the special case that $m_1 = m_2$. Recall that $(M, M')$ is a colliding pair iff $H(M) = H(M')$ and $M \neq M'$.
Proof. Assume $H$ has a colliding pair $(M = m_1 m_2,\ M' = m'_1 m'_2)$. Then $H(M) = H(M')$ but $M \neq M'$.
Case 1: $h(m_1) \neq h(m'_1)$ or $h(m_2) \neq h(m'_2)$. Let $u = h(m_1)h(m_2)$ and $u' = h(m'_1)h(m'_2)$. Then $h(u) = H(M) = H(M') = h(u')$, but $u \neq u'$. Hence, $(u, u')$ is a colliding pair for $h$.
Case 2: $h(m_1) = h(m'_1)$ and $h(m_2) = h(m'_2)$. Since $M \neq M'$, then $m_1 \neq m'_1$ or $m_2 \neq m'_2$ (or both). Whichever pair is unequal is a colliding pair for $h$.
In each case, we have found a colliding pair for $h$. Hence, $H$ not strong collision-free ⇒ $h$ not strong collision-free. Equivalently, $h$ strong collision-free ⇒ $H$ strong collision-free.
Let $h$ : $r$-bits → $t$-bits be a hash function, where $r \geq t + 2$. (In the above example, $r = 256$ and $t = 128$.) Define $H(m)$ for $m$ of arbitrary length. Divide $m$ after appropriate padding into blocks $m_1 m_2 \ldots m_k$, each of length $r - t - 1$. Compute a sequence of $t$-bit states:
$s_1 = h(0^t\,0\,m_1)$
$s_2 = h(s_1\,1\,m_2)$
$\vdots$
$s_k = h(s_{k-1}\,1\,m_k)$.
Then $H(m) = s_k$.
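The first idea and the chaining method above, side by side, as an added Python example that is not part of the lecture. Assumptions: `h` is a stand-in built from SHA-256 truncated to 128 bits, the padding rule (append a 1, then 0s) is chosen here because the slides only say "appropriate padding", and all function names are hypothetical.

```python
import hashlib

R, T = 256, 128          # h : R bits -> T bits, as in the lecture's example
BLOCK = R - T - 1        # message bits consumed by each call to h


def h(bits: str) -> str:
    """Stand-in for h (assumption): SHA-256 of the R-bit input, truncated to T bits."""
    assert len(bits) == R and set(bits) <= {"0", "1"}
    digest = hashlib.sha256(int(bits, 2).to_bytes(R // 8, "big")).digest()
    return format(int.from_bytes(digest, "big") >> (256 - T), f"0{T}b")


def xor_H(M: str) -> str:
    """First idea: H(m1 m2) = h(m1) XOR h(m2), for a 512-bit M."""
    assert len(M) == 2 * R
    return format(int(h(M[:R]), 2) ^ int(h(M[R:]), 2), f"0{T}b")


def pad(m: str) -> list:
    """Assumed padding (not specified on the page): append 1, then 0s to a block boundary."""
    m += "1"
    m += "0" * (-len(m) % BLOCK)
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]


def chain_H(m: str) -> str:
    """s_1 = h(0^t 0 m_1), s_i = h(s_{i-1} 1 m_i); H(m) = s_k."""
    blocks = pad(m)
    state = h("0" * T + "0" + blocks[0])
    for block in blocks[1:]:
        state = h(state + "1" + block)
    return state


def to_bits(data: bytes) -> str:
    return "".join(format(byte, "08b") for byte in data)


# Constructed sample input: two distinct 256-bit halves.
m1 = to_bits(b"A" * 32)
m2 = to_bits(b"B" * 32)
swap_collides_xor = xor_H(m1 + m2) == xor_H(m2 + m1)        # XOR ignores block order
swap_collides_chain = chain_H(m1 + m2) == chain_H(m2 + m1)  # chaining does not
```
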
Proof. Assume $H$ has a colliding pair $(m, m')$. We find a colliding pair for $h$. Let $m = m_1 m_2 \ldots m_k$ give state sequence $s_1, \ldots, s_k$. Let $m' = m'_1 m'_2 \ldots m'_{k'}$ give state sequence $s'_1, \ldots, s'_{k'}$. Assume without loss of generality that $k \leq k'$. Because $m$ and $m'$ collide under $H$, we have $s_k = s'_{k'}$. Let $r$ be the largest value for which $s_{k-r} = s'_{k'-r}$. Let $i = k - r$, the index of the first such equal pair $s_i = s'_{k'-k+i}$. We proceed by cases.
Case 1: $i = 1$ and $k = k'$. Then $s_j = s'_j$ for all $j = 1, \ldots, k$. Because $m \neq m'$, there must be some $\ell$ such that $m_\ell \neq m'_\ell$. If $\ell = 1$, then $(0^t\,0\,m_1,\ 0^t\,0\,m'_1)$ is a colliding pair for $h$. If $\ell > 1$, then $(s_{\ell-1}\,1\,m_\ell,\ s'_{\ell-1}\,1\,m'_\ell)$ is a colliding pair for $h$.
Case 3: $i > 1$. Then $u = k' - k + i > 1$. By choice of $i$, we have $s_i = s'_u$, but $s_{i-1} \neq s'_{u-1}$. Hence, $h(s_{i-1}\,1\,m_i) = s_i = s'_u = h(s'_{u-1}\,1\,m'_u)$, so $(s_{i-1}\,1\,m_i,\ s'_{u-1}\,1\,m'_u)$ is a colliding pair for $h$.
In each case, we found a colliding pair for $h$. This contradicts the assumption that $h$ is strong collision-free. Hence, $H$ is also strong collision-free.
Suppose h is a strong collision-free hash function. Define H(x) = 0 · h(x). If (x, x′) is a colliding pair for H, then (x, x′) is also a colliding pair for h. Thus, H is strong collision-free, despite the fact that the string H(x) always begins with 0. Later on, we will talk about how to make functions that truly do appear to be random (even though they are not).
The MD5 hash function produces 128-bit values, whereas the SHA–xxx family produces values of 160 bits or more. How many bits do we need for security? Both 128 and 160 are more than large enough to thwart a brute force attack that simply searches randomly for colliding pairs. However, the Birthday Attack reduces the size of the search space to roughly the square root of the original size. MD5’s effective security is at most 64 bits. (
SHA–1’s effective security is at most 80 bits. (
Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu describe an attack that reduces this number to only 69 bits (Crypto 2005).
The birthday paradox can be applied to hash functions to yield a much faster way to find colliding pairs than simply choosing pairs at random.
Method: Choose a random set of k messages and see if any two messages in the set collide.
Thus, with only $k$ evaluations of the hash function, we can test $\binom{k}{2} = k(k-1)/2$ different pairs of messages for collisions.
Of course, these $\binom{k}{2}$ pairs are not uniformly distributed, so one needs a birthday-paradox style analysis of the probability that a colliding pair will be found. The general result is that the probability of success is at least $1/2$ when $k \approx \sqrt{n}$, where $n$ is the size of the hash value space.
Two problems make this attack difficult to use in practice.
1 One must find duplicates in the list of hash values. This can be done in time O(k log k) by sorting.
2 The list of hash values must be stored and processed.
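The birthday method above, run against a deliberately short hash to show why output length sets the security level; this is an added Python example, not code from the lecture. Assumptions: the toy hash is the top `t_bits` of SHA-256, duplicates are found with a hash table instead of the sorting step the slides mention, and all function names are hypothetical.

```python
import hashlib
import math


def h_t(message: bytes, t_bits: int) -> int:
    """Toy hash (assumption): the top t_bits of SHA-256, so n = 2**t_bits."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - t_bits)


def birthday_collision(t_bits: int, max_tries: int):
    """Return (msg_a, msg_b, evaluations) for the first colliding pair, or None."""
    seen = {}                        # hash value -> message; this is the stored list
    for k in range(1, max_tries + 1):
        msg = b"constructed-msg-%d" % k      # constructed sample messages
        value = h_t(msg, t_bits)
        if value in seen:
            return seen[value], msg, k
        seen[value] = msg
    return None


def evaluations_for_half(n: int) -> int:
    """Smallest k such that k uniform values over n outcomes collide with prob >= 1/2."""
    log_miss, k = 0.0, 0
    while log_miss > math.log(0.5):
        log_miss += math.log1p(-k / n)       # multiply in the factor (1 - k/n)
        k += 1
    return k


if __name__ == "__main__":
    a, b, used = birthday_collision(32, 1 << 20)
    print(f"32-bit collision after {used} evaluations: {a!r} / {b!r}")
    print("k for probability 1/2 at n = 2^32:", evaluations_for_half(2 ** 32))
```

The table `seen` grows by one entry per evaluation, which is the storage cost named in the second problem above; at a 128-bit output the same loop would need on the order of 2^64 entries.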