Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography


  1. CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Hash Functions 10/28/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Hash Functions: Main Idea
     [Figure: hash function H maps messages x, x’, x’’ (bit strings of any length) to message “digests” y, y’ (n-bit bit strings)]
     • Hash function H is a lossy compression function
       – Collision: h(x)=h(x’) for distinct inputs x, x’
     • H(x) should look “random”
       – Every bit (almost) equally likely to be 0 or 1
     • Cryptographic hash function needs a few properties…

  4. Properties of a Cryptographic Hash Function
     • One-wayness
       – Given h(x): hard to find x
     • Collision resistance
       – Hard to find x ≠ x’ s.t. h(x) == h(x’)
     • Weak collision resistance
       – Hard to find x ≠ x’ s.t. h(x) == h(x’) for specific, random x

  5. Properties of a Cryptographic Hash Function
     • One-wayness
       – Hard to find inputs that match outputs
     • Collision resistance
       – Hard to find 2 inputs with the same hash
     • Weak collision resistance
       – If I give you a random input, it’s hard to find another input with the same hash.

  6. Property 1: One-Way
     • The hash should be hard to invert
       – “Preimage resistance”
       – Let h(x’) = y ∈ {0,1}^n for a random x’
       – Given y, it should be hard to find any x such that h(x)=y

  7. Property 2: Collision Resistance
     • Should be hard to find x≠x’ such that h(x)=h(x’)
     • Birthday paradox means that brute-force collision search is only O(2^(n/2)), not O(2^n)
       – For SHA-1, this means O(2^80) vs. O(2^160)

  8. One-Way vs. Collision Resistance
     • One-wayness does not imply collision resistance
       – Suppose g is one-way
       – Define h(x) as g(x’) where x’ is x with last bit removed
         • h is one-way (to invert h, must invert g)
         • Collisions for h are easy to find: for any x, h(x|0)=h(x|1)

  9. One-Way vs. Collision Resistance
     • One-wayness does not imply collision resistance
     • Collision resistance does not imply one-wayness
       – Exercise for the reader (on HW#2)

  10. Property 3: Weak Collision Resistance
      • Given randomly chosen x, hard to find x’ such that h(x)=h(x’)
        – Attacker must find collision for a specific x. (By contrast, to break collision resistance it is enough to find any collision.)
        – Brute-force attack requires O(2^n) time
      • Weak collision resistance does not imply collision resistance.
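The two brute-force games from Property 2 and Property 3, as an added example that is not part of the original slides. It assumes a toy n = 16-bit hash made by truncating SHA-256 (the helper names and the truncation are choices made for this example), so both searches finish quickly and the O(2^(n/2)) versus O(2^n) gap shows up in the returned call counts.

```python
import hashlib
from itertools import count

N_BITS = 16  # toy output size chosen for this example; real hashes use 160+ bits

def h(data: bytes) -> int:
    """SHA-256 truncated to N_BITS, standing in for an n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)

def msg(i: int) -> bytes:
    """i-th candidate input; distinct i give distinct messages."""
    return b"msg-%d" % i

def find_any_collision():
    """Collision resistance game: any pair x != x' with h(x) == h(x').

    Remembers every digest seen so far, so each new input is compared
    against all earlier ones; this is where the birthday bound comes from.
    Returns (index of x, index of x', number of hash calls).
    """
    seen = {}
    for i in count():
        tag = h(msg(i))
        if tag in seen:
            return seen[tag], i, i + 1
        seen[tag] = i

def find_collision_with(target: bytes):
    """Weak collision resistance game: x' != target with h(x') == h(target).

    Only one digest is acceptable, so each try succeeds with
    probability 2^-n. Returns (index of x', number of hash calls).
    """
    want = h(target)
    for i in count():
        candidate = msg(i)
        if candidate != target and h(candidate) == want:
            return i, i + 1

if __name__ == "__main__":
    i, j, calls = find_any_collision()
    print(f"any collision: {msg(i)!r} / {msg(j)!r} after {calls} hash calls")
    k, calls = find_collision_with(b"fixed target")
    print(f"collision with fixed target: {msg(k)!r} after {calls} hash calls")
```

Raising N_BITS by two roughly doubles the work for the first search and quadruples it for the second.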

  11. Does Collision Resistance imply Weak Collision Resistance?
      • p: Hard to find x≠x’ such that h(x)=h(x’)
      • q: Random x, hard to find x’ s.t. h(x)=h(x’)

  12. Does Collision Resistance imply Weak Collision Resistance?
      • p: Hard to find x≠x’ such that h(x)=h(x’)
      • q: Random x, hard to find x’ s.t. h(x)=h(x’)
      • Contrapositive: p → q same as ¬q → ¬p
      • If you can find a collision against a random x, can you find a collision in general?

  13. Does Collision Resistance imply Weak Collision Resistance?
      • p: Hard to find x≠x’ such that h(x)=h(x’)
      • q: Random x, hard to find x’ s.t. h(x)=h(x’)
      • If h is not weakly collision resistant, then there exists an algorithm which takes an input x and “quickly” finds x’ which collides
      • Call this adversarial algorithm A, so for random x, A(x) = x’ (where x’ collides with x)

  14. Does Collision Resistance imply Weak Collision Resistance?
      • p: Hard to find x≠x’ such that h(x)=h(x’)
      • q: Random x, hard to find x’ s.t. h(x)=h(x’)

  15. Hashing vs. Encryption
      • Hashing is one-way. There is no “un-hashing”
        – A ciphertext can be decrypted with a decryption key… hashes have no equivalent of “decryption”
      • Hash(x) looks “random” but can be compared for equality with Hash(x’)
        – Hash the same input twice → same hash value
        – Encrypt the same input twice → different ciphertexts
      • Cryptographic hashes are also known as “cryptographic checksums” or “message digests”

  16. Application: Password Hashing
      • Instead of user password, store hash(password)
      • When user submits password, hash it and compare to the stored hash
      • User “alice” sets password “thisismypassword”
      • Server stores hash(“thisismypassword”) = a0e863aba2d508b6e4744f07d7c260cd
      • When alice logs in, server hashes the password she provides and compares it to the stored hash.

  17. Application: Password Hashing
      • Instead of user password, store hash(password)
      • When user submits password, hash it and compare to the stored hash
      • Let’s say you break into a server and steal 100 million password hashes. What are the problems with this server’s approach? (Q1)

  18. Application: Password Hashing
      • How to store password hashes: salt and hash.
      • Instead of storing hash(password), store “salt, hash(salt | password)”
      • Salt is a random value per password

  19. Application: Password Hashing
      • Username : ahaha
      • Hash function : SHA512
      • Salt : FlItSjGy
      • Hashed password : 54IaMBy6ThxAbvnUztWzrl4FjtE wn1sX81/8Ll7PtMpPAiy57QM4q. oyUD2cHFL4nwhguDk7eP7c3t0Ar Kep.
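The two storage schemes from the password-hashing slides side by side, as an added example that is not part of the original slides. The account list is constructed, and the function names, the choice of SHA-512 for both schemes and the 8-byte hex salt are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample accounts; alice and carol chose the same password.
SAMPLE_USERS = {"alice": "thisismypassword", "bob": "hunter2",
                "carol": "thisismypassword"}

def hash_unsalted(password: str) -> str:
    """First scheme on the slides: store hash(password)."""
    return hashlib.sha512(password.encode()).hexdigest()

def new_record(password: str) -> tuple[str, str]:
    """Salted scheme: store (salt, hash(salt | password)), fresh salt per password."""
    salt = secrets.token_hex(8)
    return salt, hashlib.sha512((salt + password).encode()).hexdigest()

def verify(record: tuple[str, str], password: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt."""
    salt, stored = record
    candidate = hashlib.sha512((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def repeated_hashes(hashes) -> int:
    """Number of distinct hash values shared by more than one account."""
    return sum(1 for n in Counter(hashes).values() if n > 1)

def compare_schemes(users=SAMPLE_USERS):
    """Return (repeats in unsalted store, repeats in salted store, salted store)."""
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: new_record(p) for u, p in users.items()}
    return (repeated_hashes(unsalted.values()),
            repeated_hashes(d for _, d in salted.values()),
            salted)

if __name__ == "__main__":
    unsalted_repeats, salted_repeats, store = compare_schemes()
    print("repeated hashes without salt:", unsalted_repeats)
    print("repeated hashes with salt:   ", salted_repeats)
    print("alice can log in:", verify(store["alice"], "thisismypassword"))
```

Without a salt, equal passwords are visible in the stolen table and one precomputed hash list applies to every account; with a per-password salt each record has to be worked on separately. A single SHA-512 call is fast, so deployed password storage additionally uses a deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2.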

  20. Application: Software Integrity
      [Figure labels: BigFirm™, User, The NYTimes, goodFile, hash(goodFile), VIRUS, badFile]
      Goal: Software manufacturer wants to ensure file is received by users without modification.
      Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)

  21. Which Property Do We Need?
      • Auction bidding
        – Alice wants to bid B, sends H(B), later reveals B
        – One-wayness: rival bidders should not recover B (this may mean that she needs to hash some randomness with B too)
        – Collision resistance: Alice should not be able to change her mind to bid B’ such that H(B)=H(B’)
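The sealed-bid exchange from the auction slide as a commit-and-reveal sketch; this is an added example, not part of the original slides. SHA-256, the 32-byte nonce, the integer bid encoding and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def commit(bid: int) -> tuple[bytes, bytes]:
    """Alice's side: return (commitment, nonce).

    The fixed-length random nonce is the "randomness hashed with B";
    Alice sends the commitment now and keeps bid and nonce until reveal.
    """
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + str(bid).encode()).digest(), nonce

def open_commitment(commitment: bytes, bid: int, nonce: bytes) -> bool:
    """Auctioneer's side at reveal time: recompute and compare."""
    expected = hashlib.sha256(nonce + str(bid).encode()).digest()
    return hmac.compare_digest(expected, commitment)

def unblinded_commit(bid: int) -> bytes:
    """H(B) with no randomness, as in the first bullet of the slide."""
    return hashlib.sha256(str(bid).encode()).digest()

def recover_unblinded(commitment: bytes, max_bid: int):
    """Why H(B) alone does not hide B: bids come from a small set,
    so hashing every candidate value finds the one that matches."""
    for guess in range(max_bid + 1):
        if unblinded_commit(guess) == commitment:
            return guess
    return None

if __name__ == "__main__":
    commitment, nonce = commit(750)
    print("reveal of 750 accepted:", open_commitment(commitment, 750, nonce))
    print("reveal of 751 accepted:", open_commitment(commitment, 751, nonce))
    print("bid found from bare H(B):", recover_unblinded(unblinded_commit(750), 1000))
    print("bid found from blinded commitment:", recover_unblinded(commitment, 1000))
```

One-wayness of H only helps when the input is unpredictable, which the nonce provides; collision resistance is what stops Alice from opening the same commitment to a different bid.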

  22. Common Hash Functions
      • MD5
        – 128-bit output
        – Designed by Ron Rivest, used very widely
        – Collision-resistance broken (summer of 2004)
      • RIPEMD-160
        – 160-bit variant of MD5
      • SHA-1 (Secure Hash Algorithm)
        – 160-bit output
        – US government (NIST) standard as of 1993-95
        – Also recently broken! (Theoretically -- not practical.)
      • SHA-256, SHA-512, SHA-224, SHA-384
      • SHA-3: standard released by NIST in August 2015

  23. Basic Structure of SHA-1 [FYI only]
      [Figure labels:]
      • Against padding attacks
      • Split message into 512-bit blocks
      • 160-bit buffer (5 registers) initialized with magic values
      • Compression function
        – Applied to each 512-bit block and current 160-bit buffer
        – This is the heart of SHA-1

  24. How Strong is SHA-1?
      • Every bit of output depends on every bit of input
        – Very important property for collision-resistance
      • Brute-force inversion requires 2^160 ops, birthday attack on collision resistance requires 2^80 ops
      • Some weaknesses, e.g., collisions can be found in 2^63 ops (2005)

  25. Recall: Achieving Integrity
      Message authentication schemes: A tool for protecting integrity.
      MAC: message authentication code (sometimes called a “tag”)
      [Figure: Alice and Bob each hold KEY; message, MAC(KEY,message) is sent between them; the receiver recomputes MAC and verifies whether it is equal to the MAC attached to the message]
      Integrity and authentication: only someone who knows KEY can compute correct MAC for a given message.

  26. HMAC
      • Construct MAC from a cryptographic hash function
        – Invented by Bellare, Canetti, and Krawczyk (1996)
        – Used in SSL/TLS, mandatory for IPsec
      • Why not encryption?
        – Hashing is faster than block ciphers in software
        – Can easily replace one hash function with another
        – There used to be US export restrictions on encryption

  27. Structure of HMAC [FYI only]
      [Figure labels:]
      • Secret key padded to block size
      • magic value (flips half of key bits)
      • another magic value (flips different key bits)
      • Block size of embedded hash function
      • Embedded hash function
        – “Black box”: can use this HMAC construction with any hash function
      • hash(key,hash(key,message))
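The HMAC structure above written out step by step and checked against Python's standard hmac module, together with the recompute-and-compare check from the "Achieving Integrity" slide. This is an added example, not part of the original slides; the function names and the sample key and messages are constructed, and the two "magic values" are the 0x36 and 0x5C pad bytes of the HMAC specification.

```python
import hashlib
import hmac

def hmac_by_hand(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """hash(key XOR opad | hash(key XOR ipad | message)) for any embedded hash."""
    block_size = hashlib.new(hash_name).block_size  # block size of embedded hash
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()  # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")            # secret key padded to block size
    inner_key = bytes(b ^ 0x36 for b in key)        # magic value: flips half of key bits
    outer_key = bytes(b ^ 0x5C for b in key)        # another magic value: different bits
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver's check: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_by_hand(key, message), tag)

if __name__ == "__main__":
    key = b"shared secret between Alice and Bob"  # constructed sample key
    message = b"pay Bob 10 dollars"               # constructed sample message
    tag = hmac_by_hand(key, message)
    print("matches hmac module:", tag == hmac.new(key, message, hashlib.sha256).digest())
    print("original accepted:  ", verify(key, message, tag))
    print("modified accepted:  ", verify(key, b"pay Bob 1000 dollars", tag))
```

Passing "sha1" or "sha512" as hash_name swaps the embedded hash without touching the construction, which is the "black box" point on the slide.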
