Cryptograph

y and
Network
Security
Sixth Edition
by William Stallings
 Chapter 11
Cryptographic Hash Functions
“Each of the messages, like each one he had ever read of Stern's
commands, began with a number and ended with a number or row
of numbers. No efforts on the part of Mungo or any of his experts
had been able to break Stern's code, nor was there any clue as to
what the preliminary number and those ultimate numbers signified.”

—Talking to Strange Men,

Ruth Rendell
“The Douglas Squirrel has a distinctive eating habit. It usually eats

pine cones from the bottom end up. Partially eaten cones can
indicate the presence of these squirrels if they have been attacked
from the bottom first. If, instead, the cone has been eaten from
the top end down, it is more likely to have been a crossbill finch
that has been doing the dining.”

—Talking to Strange Men,

Ruth Rendell
 Hash Functions
• A hash function H accepts a variable-length
block of data M as input and produces a fixed-
size hash value
• h = H(M)
• Principal object is data integrity

• Cryptographic hash function

• An algorithm for which it is computationally
infeasible to find either:
(a) a data object that maps to a pre-specified hash
result (the one-way property)

(b) two data objects that map to the same hash

result (the collision-free property)
Message Authentication
Code (MAC)
• Also known as a keyed hash function

• Typically used between two parties that share a

secret key to authenticate information
exchanged between those parties

Takes as input a secret key and a data block and

produces a hash value (MAC) which is associated
with the protected message
• If the integrity of the message needs to be checked,
the MAC function can be applied to the message
and the result compared with the associated MAC
value
• An attacker who alters the message will be unable
to alter the associated MAC value without
knowledge of the secret key
 Digital Signature
• Operation is similar to that of the MAC

• The hash value of a message is encrypted

with a user’s private key
• Anyone who knows the user’s public key can
verify the integrity of the message
• An attacker who wishes to alter the message
would need to know the user’s private key
• Implications of digital signatures go beyond
just message authentication
Other Hash Function Uses
Can be used to
construct a
Commonly used to Can be used for pseudorandom
create a one-way intrusion and virus function (PRF) or a
password file detection pseudorandom
number generator
When a user enters
(PRNG)
Store H(F) for each
a password, the file on a system and
hash of that secure the hash
password is values
compared to the
stored hash value A common
for verification One can later
application for a
determine if a file
hash-based PRF is
has been modified
for the generation
by recomputing H(F)
of symmetric keys
This approach to
password protection An intruder would
is used by most need to change F
operating systems without changing
H(F)
 Two Simple Hash
Functions
• Consider two simple insecure hash functions that operate
using the following general principles:
• The input is viewed as a sequence of n-bit blocks
• The input is processed one block at a time in an iterative
fashion to produce an n-bit hash function

• Bit-by-bit exclusive-OR (XOR) of every block

• Ci = bi1 xor bi2 xor . . . xor bim
• Produces a simple parity for each bit position and is known as
a longitudinal redundancy check
• Reasonably effective for random data as a data integrity
check

• Perform a one-bit circular shift on the hash value after each

block is processed
• Has the effect of randomizing the input more completely and
overcoming any regularities that appear in the input
 Two
Simple
Hash
Functions
 Requirements and
Security
Preimage Collision
• x is the preimage of h • Occurs if we have x
for a hash value h = ≠ y and H(x) = H(y)
H(x)
• Because we are
• Is a data block whose
using hash functions
hash function, using
the function H, is h
for data integrity,
collisions are clearly
• Because H is a many- undesirable
to-one mapping, for
any given hash value h,
there will in general be
multiple preimages
 Table 11.1
Requirements for a Cryptographic Hash Function
H

(Table can be found on page 323 in textbook.)

 Table 11.2
Hash Function Resistance Properties Required for
Various Data Integrity Applications

* Resistance required if attacker is able to mount a chosen message attack

 Attacks on Hash
Functions
Brute-Force
Attacks Cryptanalysis
• Does not depend on the • An attack based on
specific algorithm, only weaknesses in a
depends on bit length particular
• In the case of a hash cryptographic
function, attack algorithm
depends only on the bit
length of the hash value • Seek to exploit some
property of the
• Method is to pick values algorithm to perform
at random and try each some attack other
one until a collision
than an exhaustive
occurs
search
 Birthday Attacks
• For a collision resistant attack, an adversary wishes to find two
messages or data blocks that yield the same hash function
• The effort required is explained by a mathematical result referred to as
the birthday paradox

• How the birthday attack works:

• The source (A) is prepared to sign a legitimate message x by
appending the appropriate m-bit hash code and encrypting that hash
code with A’s private key
• Opponent generates 2m/2 variations x’ of x, all with essentially the same
meaning, and stores the messages and their hash values
• Opponent generates a fraudulent message y for which A’s signature is
desired
• Two sets of messages are compared to find a pair with the same hash
• The opponent offers the valid variation to A for signature which can
then be attached to the fraudulent variation for transmission to the
intended recipient
• Because the two variations have the same hash code, they will produce
the same signature and the opponent is assured of success even though
 A Letter
in 237
Variation

(Letter is located on page 326 in textbook)

 Hash Functions
Based on Cipher
Block Chaining
• Can use block ciphers as hash functions
• Using H0 initial value
• Compute: Hi = E(Mi Hi-1)
• Use final block Hn as the hash value
• Similar to CBC but without a key

• Resulting hash is too small (64-bit)

• Both due to direct birthday attack
• And “meet-in-the-middle” attack

• Other variants also susceptible to attack

Secure Hash Algorithm
(SHA)
• SHA was originally designed by the National
Institute of Standards and Technology (NIST) and
published as a federal information processing
standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1

• Based on the hash function MD4 and its design

closely models MD4
• Produces 160-bit hash values

• In 2002 NIST produced a revised version of the

standard that defined three new versions of SHA
with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2
 Table 11.3
Comparison of SHA Parameters

Note: All sizes are measured in bits.

 Table 11.4
SHA-512 Constants

(Table
can be
found on
page 333
in
textbook
 SHA-
512
Logic

(Figure can be found on

page 337 in textbook)
 SHA-3
SHA-1 has not yet been
"broken”
• No one has demonstrated a
technique for producing
collisions in a practical
amount of time
• Considered to be insecure and
has been phased out for SHA-2

SHA-2 shares the same

NIST announced in 2007 a structure and mathematical
competition for the SHA-3 operations as its
next generation NIST hash predecessors so this is a
function cause for concern
• Winning design was • Because it will take years
announced by NIST in to find a suitable
October 2012 replacement for SHA-2
• SHA-3 is a cryptographic should it become
hash function that is vulnerable, NIST decided
intended to complement to begin the process of
SHA-2 as the approved developing a new hash
 The Sponge
Construction
• Underlying structure of SHA-3 is a scheme referred to
by its designers as a sponge construction
• Takes an input message and partitions it into fixed-size
blocks
• Each block is processed in turn with the output of each
iteration fed into the next iteration, finally producing an
output block
• The sponge function is defined by three parameters:
• f = the internal function used to process each input
block
• r = the size in bits of the input blocks, called the bitrate
• pad = the padding algorithm
 Table 11.5
SHA-3 Parameters
 SHA-3
Iteration
Function f
Table
11.6

Step
Function
s
in SHA-3
 Summary
• Applications of • Hash functions
cryptographic hash based on cipher
functions block chaining
• Message
authentication • Secure hash
• Digital signatures algorithm (SHA)
• Other applications • SHA-512 logic
• SHA-512 round
• Requirements and function
security
• SHA-3
• Security requirements
for cryptographic hash • The sponge
functions construction
• Brute-force attacks • The SHA-3
Iteration Function f
• Cryptanalysis