Secure Hash Algorithms

 Kevin Casey, Adam Cohen, Ju
• General Overview of Cryptography
• Variations of Hash Algorithms
• Differences between Secure Hash
• Cryptanalysis of SHA
• Applications
• Conclusion
Cryptography Variations
•   UNIX Crypt
     – The UNIX hashing algorithm
     – crypt is relatively obscure and rarely used for e-mail attachments nor as a file
     – crypt is considered far too cryptographically weak to withstand brute force
        attacks by modern computing systems
•   MD4
     – A one-way hash function that produces a 128-bit hash, or message digest.
     – If as little as a single bit value in the file is modified, the MD4 checksum for the
        file will change.
     – Forgery of a file in a way that will cause MD4 to generate the same result as that
        for the original file is considered extremely difficult.
•   MD5
     – An improved, and more complex, version of MD4
     – circa 1992
     – 128-bit hash
     – "almost broken" by Hans Dobbertin circa 1995
     – Fully broken by a collision attack (Wang et al., 2004)
•   Data Encryption Standard (DES)
     – Symmetric, Feistel cipher
     – Key size (in bits): 112 or 168
     – Time to crack (assume a machine could try 2^55 keys per second - NIST): 4.6
        billion years
•   Advanced Encryption Standard (AES)
     – Symmetric, block cipher
     – Key size (in bits): 128, 192, 256
     – Time to crack (assume a machine could try 2^55 keys per second - NIST): 149
        trillion years
•   Secure Hash Algorithm (SHA)
     – produces a 160-bit hash, longer than MD5.
     – The algorithm is slightly slower than MD5, but the larger message digest makes
        it more secure against brute-force collision and inversion attacks.
                     Flavors of SHA
• SHA-0
• SHA-1*
• SHA-224*
• SHA-256*
• SHA-384*
• SHA-512*

*FIPS-approved algorithm for generating a condensed representation of a message
   (message digest)
                   SHA History
• 1993
   – The hash function SHA-0 was issued as a federal standard by

• 1995
   – SHA-1 published as the successor to SHA-0

• 2002
   – SHA-2 variants
       • SHA-256, SHA-384, and SHA-512 published

• 2004
   – SHA-224 published

* No known weaknesses have been found with the SHA-2 variants
  (at this time)
               SHA-0 vs SHA-1
• 160 bit output, 160 bit internal state

• SHA-1 (as well as SHA-0) produces a 160-bit digest from a
  message with a maximum length of 2^64 − 1 bits and is based
  on design principles of MD4

• The only difference between the two hash functions is the
  additional rotation operation in the message expansion of
  SHA-1, which is supposed to provide more security

• On 17 August 2005, an improvement on the SHA-1 attack
  was announced on behalf of Xiaoyun Wang, Andrew Yao
  and Frances Yao at the CRYPTO 2005 rump session,
  lowering the complexity required for finding a collision in
  SHA-1 to 2^63
           Secure Hash Algorithm

• SHA-1, SHA-256, SHA-384, and SHA-512

• All four of the algorithms are iterative, one-way hash functions

• process a message to produce a condensed representation called a
  message digest

• These algorithms enable the determination of a message’s
   – any change to the message will, with a very high probability,
      result in a different message digest
   – This property is useful in the generation and verification of
      digital signatures and message authentication codes, and in
      the generation of random numbers (bits).
                 The Algorithm

• Each algorithm can be described in two stages:
   – preprocessing
       • Preprocessing involves padding a message, parsing the
         padded message into m-bit blocks, and setting
         initialization values to be used in the hash computation

    – hash computation
       • The hash computation generates a message schedule from
         the padded message and uses that schedule, along with
         functions, constants, and word operations to iteratively
         generate a series of hash values

    – The final hash value generated by the hash computation is
      used to determine the message digest.
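The two stages just described (padding, parsing into 512-bit blocks and setting the initialization values, then the message schedule and the 80-step compression loop) and the single rotation that separates SHA-0 from SHA-1 in the earlier section, carried out in Python as an added example. This is not code from the slides. The `sha0` flag is an assumption of this example: when set it omits the one-bit left rotation in the message expansion, which the slides describe as the only difference between the two functions. SHA-1 output is cross-checked against Python's `hashlib`.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits (the 'rotl' operation in the table)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(msg: bytes) -> bytes:
    """Preprocessing, step 1: append a single 1 bit (0x80), then zero bits, then
    the original length in bits as a 64-bit big-endian integer, so the padded
    message is a whole number of 512-bit blocks. The 64-bit length field is why
    the maximum message size is 2^64 - 1 bits."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def message_schedule(block: bytes, sha0: bool) -> list:
    """Expand one 512-bit block (16 words) into the 80-word schedule W[0..79].
    sha0=True (this example's flag, not from the slides) drops the rotl-by-1,
    which is the only difference between SHA-0 and SHA-1."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(x if sha0 else rotl32(x, 1))
    return w


def sha1_like(msg: bytes, sha0: bool = False) -> str:
    """Iterative one-way hash: preprocessing, then one compression per block."""
    # Preprocessing, step 3: initialization values (FIPS 180 H0..H4).
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad_message(msg)
    # Preprocessing, step 2: parse the padded message into 512-bit blocks.
    for off in range(0, len(padded), 64):
        w = message_schedule(padded[off:off + 64], sha0)
        a, b, c, d, e = h
        # Hash computation: 80 steps ("rounds") in four 20-step stages, each
        # with its own Boolean function f and constant K.
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl32(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl32(b, 30), c, d
        # Chain: add the working variables into the intermediate hash value.
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    # The final intermediate hash value is the 160-bit message digest.
    return "".join(f"{x:08x}" for x in h)


def sha1(msg: bytes) -> str:
    return sha1_like(msg, sha0=False)


def sha0(msg: bytes) -> str:
    return sha1_like(msg, sha0=True)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this SHA-1 against the standard library implementation."""
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"The quick brown fox jumps over the lazy dog", b"a" * 1000):
        print(f"{m[:20]!r:26} sha1={sha1(m)} sha0={sha0(m)} ok={matches_hashlib(m)}")
```

The padding function is exercised at the awkward lengths (55, 56 and 64 bytes, where the length field spills into a new block), since an off-by-one there is the classic implementation bug in hand-written hashes; comparing against `hashlib` over a range of lengths catches it.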

        Algorithm – cont’d

• The four algorithms differ most
  significantly in the number of bits of
  security that are provided for the data
  being hashed – this is directly related to
  the message digest length

• The four algorithms also differ in terms of
  the size of the blocks and words of data
  that are used during hashing.

        Comparison between SHA’s

Algorithm     Output size  Internal state  Block size  Max message   Word size  Rounds  Operations             Collision
              (bits)       size (bits)     (bits)      size (bits)   (bits)

SHA-0         160          160             512         2^64 − 1      32         80      +,and,or,xor,rotl      Yes

SHA-1         160          160             512         2^64 − 1      32         80      +,and,or,xor,rotl      attack

SHA-256/224   256/224      256             512         2^64 − 1      32         64      +,and,or,xor,shr,rotr  None yet

SHA-512/384   512/384      512             1024        2^128 − 1     64         80      +,and,or,xor,shr,rotr  None yet

•    SHA-1 consists of 80 steps of operation
      – Each step is also called a "round." Usually, more rounds imply more security,
         and hence harder to break.

•    In this context, “security” refers to the fact that a birthday attack [HAC] on a
     message digest of size n produces a collision with a workfactor of approximately
How Secure are SHA?
This depends on your view of

• Since a brute force attack would
  take approximately 2^80 operations
  to break a secure hash function, the
  algorithm is not considered “as
  secure” or “broken” if an attack is
  found that produces collisions in less
  than 2^80 operations.

• Collisions – when 2 distinctly different
  inputs produce the same hash output

• Birthday Attack – if f is a function with H
  equally likely outputs and H is
  sufficiently large, then after about 1.2*sqrt(H)
  different arguments, we expect a collision
  (x1 ≠ x2 with f(x1) = f(x2))

Brute Force Attacks

• Assume that you have a 4ghz processor
  that is capable of doing around 4 billion

• How long would it take to “break” the
  SHA-1 algorithm using the method
  published by Wang, Yin, and Yu (2^63 ops
  or less)?

• Using a single processor this would
  take approx 2^37 seconds (or 4000
  years) of CPU time (which obviously
  is no big deal)

• But consider a distributed attack
  that uses a large number of
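The birthday bound from the "How Secure are SHA?" section and the time estimate from the brute-force section, as an added Python example that is not part of the slides. A collision search on a 160-bit digest is out of reach, so the example truncates SHA-256 to a small number of bits to stand in for an n-bit digest with H = 2^n outputs, measures how many distinct inputs it takes to find a collision, and compares that with the slide's 1.2*sqrt(H) rule. The time conversion assumes one hash evaluation per "operation" at the given rate; the slides do not state the per-operation cost behind their own 2^37-second figure, so the numbers differ. The input strings are constructed for the example.

```python
import hashlib
import math
from itertools import count

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: stands in for an n-bit message
    digest with H = 2**bits possible outputs (n=160 is far too large to
    collide on a laptop, so a small n is used)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_trials(bits: int, seed: int = 0) -> int:
    """Hash distinct constructed inputs until two share a truncated digest and
    return how many inputs that took. Because every input is distinct, any
    repeated digest is a genuine collision. The seed gives independent runs."""
    seen = {}
    for i in count():
        x = f"{seed}:{i}".encode()
        d = truncated_digest(x, bits)
        if d in seen:
            return i + 1
        seen[d] = x


def mean_trials(bits: int, runs: int) -> float:
    """Average number of inputs hashed before a collision over several runs."""
    return sum(birthday_trials(bits, s) for s in range(runs)) / runs


def expected_trials(bits: int) -> float:
    """The slide's rule of thumb: about 1.2*sqrt(H) arguments before a collision."""
    return 1.2 * math.sqrt(2 ** bits)


def years_to_compute(work_ops: float, ops_per_second: float) -> float:
    """Wall-clock years for `work_ops` hash evaluations on one machine doing
    `ops_per_second` (assumption: one evaluation per operation)."""
    return work_ops / ops_per_second / SECONDS_PER_YEAR


def machines_needed(work_ops: float, ops_per_second: float, target_years: float) -> int:
    """How many such machines a distributed effort would need to finish in
    `target_years`, assuming the work splits perfectly."""
    return math.ceil(years_to_compute(work_ops, ops_per_second) / target_years)


if __name__ == "__main__":
    for bits in (16, 20, 24):
        print(f"n={bits:2d} bits: expected ~{expected_trials(bits):8.0f}, "
              f"measured mean {mean_trials(bits, 10):8.0f}")
    rate = 4e9  # the slide's 4 GHz processor, one evaluation per cycle assumed
    print(f"2^80 generic birthday work at {rate:.0e}/s: {years_to_compute(2**80, rate):.2e} years")
    print(f"2^63 (Wang-Yin-Yu) work at {rate:.0e}/s: {years_to_compute(2**63, rate):.1f} years")
    print(f"machines to finish 2^63 in one year: {machines_needed(2**63, rate, 1.0)}")
```

The measured means land close to 1.2*sqrt(H) at every truncation width, which is the point the slide makes: the generic collision cost of an n-bit digest is about 2^(n/2), so the 2^63 attack on SHA-1 is compared against a 2^80 baseline, not against 2^160.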

     Pretty good privacy (PGP)

• PGP Encryption (Pretty Good Privacy) is a
  computer program that provides
  cryptographic privacy and authentication.
• Public key cryptography, also known as
  asymmetric cryptography, is a form of
  cryptography in which a user has a pair of
  cryptographic keys - a public key and a
  private key
• It was originally created by Philip
  Zimmermann in 1991.

• Secure Shell or SSH is a set of standards
  and an associated network protocol that
  allows establishing a secure channel
  between a local and a remote computer. It
  uses public-key cryptography to
  authenticate the remote computer and to
  allow the remote computer to
  authenticate the user. SSH provides
  confidentiality and integrity of data
  exchanged between the two computers
  using encryption and message
  authentication codes.

           TLS and SSL
• Transport Layer Security (TLS) and
  its predecessor, Secure Sockets
  Layer (SSL), are cryptographic
  protocols which provide secure
  communications on the Internet for
  such things as web browsing, e-mail,
  Internet faxing, instant messaging
  and other data transfers.

• A set of protocols developed by the
  Internet Engineering Task Force, the
  main standards organization for the
  Internet to support secure exchange of
  packets at the IP layer. IPsec has been
  deployed widely to implement Virtual
  Private Networks (VPNs).

• IPsec supports two encryption
  modes: Transport and Tunnel.
  Transport mode encrypts only the
  data portion (payload) of each
  packet, but leaves the header
  untouched. The more secure Tunnel
  mode encrypts both the header and
  the payload. On the receiving side, an
  IPSec-compliant device decrypts
  each packet.
• S/MIME was originally developed by RSA Data
  Security Inc
• S/MIME (Secure Multi-Purpose Internet Mail
  Extensions) is a secure method of sending e-mail
  that uses the Rivest-Shamir-Adleman encryption
  system. S/MIME is included in the latest versions
  of the Web browsers from Microsoft and
  Netscape and has also been endorsed by other
  vendors that make messaging products. RSA has
  proposed S/MIME as a standard to the Internet
  Engineering Task Force (IETF). An alternative to
  S/MIME is PGP/MIME, which has also been
  proposed as a standard.