CNIT 141: 6. Hash Functions

CNIT 141: 6. Hash Functions

• 1.
  CNIT 141 Cryptography forComputer Networks 6. Hash Functions Updated 10-1-2020
• 2.
  Topics • Secure HashFunctions • Building Hash Functions • The SHA Family • BLAKE2 • How Things Can Go Wrong
• 3.
  Use Cases ofHash Functions • Digital signatures • Public-key encryption • Message authentication • Integrity verification • Password storage
• 4.
  Fingerprinting • Hash functioncreates a fixed-length "fingerprint" • From input of any length • Not encryption • No key; cannot be reversed
• 5.
  Non-Cryptographic Hash Functions • Provideno security; easily fooled by crafted input • Used in hash tables • To make table lookups faster • To detect accidental errors • Ex: CRC (Cyclic Redundancy Check) • Used at layer 2 by Ethernet and Wi-Fi
• 6.
  Secure Hash Functions
• 7.
  Digital Signature • Mostcommon use case for hashing • Message M hashed, then the hash is signed • Hash is smaller so the signature computation is faster • But the hash function must be secure
• 8.
  Unpredictability • Two differentinputs must always have different hashes • Changing one bit in the input makes the hash totally different
• 9.
  Non-Uniqueness • Consider aninput message 1024 bits long • And a hash 256 bits long • There are 21024 different messages • But only are 2256 different hashes • So many different messages have the same hash
• 10.
  One-Wayness • Hashing cannotbe reversed • An attacker cannot find M from H • In principle, always true • Many different messages have the same hash
• 11.
  Preimage Resistance • Anattacker given H cannot find any M with that hash • This is preimage resistance • Also called first preimage resistance
• 12.
  The Cost ofPreimages • Attacker hashes many messages • Hunting for a match • Will take 2N guesses for hash of length N bits • For n = 256, that's forever
• 13.
  Second Preimage • GivenM1 and H1 • Attacker tries to find another message M2 • That hashes to the same H • Essentially the same as first preimage resistance • Unless the hash function has a certain type of mathematical defect • Like length extension attacks
• 14.
  Collision Resistance • Everyhash function has collisions • Two messages with the same hash • Because there are more possible messages than hashes • Pigeonhole principle • If you have 10 holes and 11 pigeons, at least one hole contains more than one pigeon
• 15.
  Collision Resistance • Collisionsshould be hard to find • In practice, impossible
• 16.
  Birthday Attack • Geteach person in a group to say the month and day they were born • With 23 people, the probability of two having the same birthday is 51%
• 17.
  Finding Collisions • Ifyou search for collsions • And have enough RAM to remember each hash you calculate • It only takes 2N/2 hashes to find a collision • N is the number of bits in the hash
• 18.
  Naive Birthday Attack •Requires 2N/2 calculations to create the list • And 2N/2 units of storage to hold it • Sorting the list takes even more calculations
• 19.
  MD5 Example
• 20.
  Preimage Attack • MD5is 128 bits long • Given an MD5 hash, can we find an input with that hash value? • Calculating every possible hash (nearly) would require 2128 calculations • But we don't need to store them: we just compare each one with the target • How hard is that?
• 21.
  72 Bit Brute-Force •RSA Security made several challenges to test brute-force attacks • Distributed.net has been attacking these challenges since 1997 • Cracked a 56-bit key in 250 days in 1997 • Cracked a 64-bit key in 5 years in 2002 • 72-bit key attack is in progress • So far they'te tested 5.6% of the keyspace • It will take 127 years to test all keys
• 22.
  • Link Ch6g
• 23.
  MD5 Preimage Attack SafetyMargin • Max. computing available to any attacker is 296 calculations • Preimage attack requires 2128 calculations • Safety margin is 230 units of RAM • 210 is 1024 • 230 is 1024 x 1024 x 1024 = 1 billion
• 24.
  Naive Birthday Attackon MD5 • Take 264 inputs, such as counting numbers from 1 to 264 • Calculating the hashes, requiring 264 calculations • Store them, using 264 units of RAM • What's the safety margin?
• 25.
  Requirements for Naive BirthdayAttack on MD5 • 264 calculations is not impossible • But 264 units of RAM? • 1GB = 109 = 230 • 1TB = 240 • 1 million TB = 260 • 16 million TB = 264 = 16,000 PB • (1 PB (petabyte) = 1000 TB = 1 million GB)
• 26.
  Worldwide Data CenterStorage Capacity
• 27.
  MD5 Naive BirthdayAttack Safety Margin • Attack requires 16,000 PB • Whole world has less than 3,000 PB • Safety margin is a factor of 5 • Not very large
• 28.
  Preimage Attack • MD5is 128 bits long • Calculating every possible hash (nearly) would require 2128 calculations • Storing them would take 2128 units of RAM • What's the safety margin?
• 29.
  Low-Memory Collision Search: TheRho Method • Don't just choose sequential inputs to hash • Calculate the hash of the previous hash • Start with any random seed s • H1 = hash(s) • H2 = hash(H1) • H3 = hash (H2) • etc...
• 30.
  Rho Method
• 31.
  Rho Method • Tailand circle are approximately 2N/2 long • Since the hashes are going in a circle • You don't need to store all the hash values in memory to detect a collision • You store only hashes starting with many zeroes ("Distinguished Points") • This requires more calculations but less storage -- time-memory trade-off
• 32.
  • Link Ch6k Rho Method
• 33.
  Rho Method for16-bit Hash
• 35.
  Building Hash Functions
• 36.
  Iterative Hashing • Along messages is broken into blocks • Each block is processed consecutively using compression or permutation
• 37.
  Compression-Based Hash Functions: theMerkle-Damgard Construction • Used in MD5, MD5, SHA-1, and SHA-2 • Also RIPEMD and Whirlpool • H0 is an initial value • H1, H2, ... are chaining values • The final H is the output
• 38.
  Padding Blocks • Padwith 1, then zeroes, finally the message length • SHA-256 uses 512-bit blocks • To hash the eight-bit message 10101010
• 39.
  Building Compression Functions: TheDavies-Meyer Construction • Uses a block cipher to build a compression function • Use message blocks as keys • The XOR feedback makes it secure against decryption
• 40.
  Other Compression Functions • Lesspopular because • They are more complex, or • Require message block to be same length as chaining value
• 41.
  Permutation-Based Hash Functions: SpongeFunctions • Simpler than using a cipher • No key • Keccak is the most famous sponge function • Also known as SHA-3
• 43.
  The SHA Family
• 44.
  MD5 • Broken in2005 • Fast attacks now to generate MD5 collisions • It still cannot be reversed in general
• 45.
  SHA-0 • Approved byNIST in 1993 • Replaced in 1995 by SHA-1 • To fix an unidentified security issue • 160 bits long, so it should take 280 calculations to find a collision • In 1998 an attack was found requiring only 260 calculations to find a SHA-0 collision • Later attacks work in 233 calculations--less than an hour of computing (for SHA-0)
• 46.
  SHA-1 • Uses anencryption function called SHACAL • Repeats this calculation for every 512-bit block in the message M
• 47.
  Compression Function • 160-bitchaining value broken into 5 32-bit words a b c d e
• 48.
  Attacks on SHA-1 •In 2005 an attack was found that would find a collision in 263 calculations instead of 280 • In 2017 a SHA-1 collision was found • No longer trusted
• 49.
  SHA-2 • Four versions •SHA-224, SHA-256, SHA-384, SHA-512 • SHA-256 uses • Eight 32-bit words • 64 rounds of calculation with a more complex expand function
• 50.
  Security of SHA-2 •All four SHA-2 algorithms are still considered strong • But researchers and NIST grew concerned because its algorithm is close to SHA-1's
• 51.
  SHA-3 Finalists • BLAKE •Grøstl • JH • Keccak • Skein
• 52.
  Keccak (SHA-3) • Completelydifferent from SHA-1 and SHA-2 • Sponge function with a 1600-bit state • Includes four hashes: • SHA3-224, SHA3-256, SHA3-384, SHA3-512 • And two Extendible output functions • Can produce hashes of any length • Called SHAKE128 and SHAKE256
• 53.
  BLAKE2
• 54.
  Speed • BLAKE2 isa secure as SHA-3 • But much faster to compute • Faster than MD5 or SHA-1 • Two functions • BLAKE2 (also called BLAKE2b) optimized for 64-bit platforms, produces digests from 1 to 64 bytes • BLAKE2s optimized for 8-bit to 32-bit platforms, produces digests from 1 to 32 bytes
• 56.
  Usage • BLAKE2 isthe fastest secure hash available today • The most popular non-NIST-standard hash • Used in many apps and in major libraries such as openSSL and Sodium
• 57.
  BLAKE's Compression Function • Parameters:a counter and a flag • Block cipher is based on ChaCha • Which is based on Salsa20
• 58.
  BLAKE2b's Core Operations • Transformsthe state of four 64-bit words • a b c d • Using two message words • Mi Mj
• 59.
  How Things CanGo Wrong
• 60.
  Misuse • Using weakchecksum algorithms like CRC32 for file integrity • Instead of a cryptographic hash algorithm
• 61.
  The Length-Extension Attack • Ifyou know the hash H(M) • You can add more data to the right and calculate the hash of the longer message • Without knowing the original message
• 62.
  Padding • If theoriginal message is properly padded, it's actually M1 || M2 • M1 is message; M2 is padding • || means concatenating text • The extended message is M1 || M2 || M3 • Won't affect most applications • But some applications do get fooled
• 63.
  SHA-2 Length Extension •SHA-2 is vulnerable • Could have easily been avoided by making the last compression function different • BLAKE2 does that
• 64.
  Fooling Proof-of-Storage Protocols • Acloud server verifies that it has stored a message M
• 65.
  • Server cancheat by keeping only the chain value from hashing the message • And discarding the message • Server can still calculate the respose by length extension • Works for SHA-1, SHA-2, SHA-3, and BLAKE • Cure: hash C||M instead of M||C Fooling Proof-of-Storage Protocols