Secure Hash Algorithms
Kevin Casey, Adam Cohen, Ju Kim

Overview
• General overview of cryptography
• Variations of hash algorithms
• Differences between the Secure Hash Algorithms
• Cryptanalysis of SHA
• Applications
• Conclusion

Cryptography Variations
• UNIX crypt
  – The traditional UNIX password-hashing function, crypt(3), built on a modified DES; the related crypt(1) file-encryption utility is relatively obscure and rarely used for e-mail attachments or as a file format
  – crypt is considered far too cryptographically weak to withstand brute-force attacks by modern computing systems
• MD4
  – A one-way hash function that produces a 128-bit hash, or message digest
  – If as little as a single bit of the input is modified, the MD4 digest changes (with overwhelming probability)
  – Forging an input that makes MD4 produce the same digest as the original was considered extremely difficult when MD4 was published; collisions for full MD4 were found by Hans Dobbertin in the mid-1990s, and MD4 is now considered broken
• MD5
  – An improved, more complex version of MD4, published in 1992 (RFC 1321)
  – 128-bit hash
  – "Almost broken" by Hans Dobbertin circa 1996 (collisions in the compression function)
  – Fully broken by the collision attack of Wang et al., 2004
• Data Encryption Standard (DES)
  – Symmetric Feistel cipher; single DES has a 56-bit key and has been broken by exhaustive key search since 1998
  – The key sizes listed here, 112 or 168 bits, are those of Triple DES (3DES)
  – Time to crack a 112-bit key, assuming a machine that could try 2^55 keys per second (NIST's assumption): 4.6 billion years
• Advanced Encryption Standard (AES)
  – Symmetric block cipher
  – Key size (in bits): 128, 192, 256
  – Time to crack a 128-bit key, assuming a machine that could try 2^55 keys per second (NIST): 149 trillion years
• Secure Hash Algorithm (SHA)
  – SHA-1 produces a 160-bit hash, longer than MD5's 128 bits
  – The algorithm is slightly slower than MD5, but the larger message digest makes it more resistant to brute-force collision and inversion attacks (a generic collision search costs about 2^80 work for a 160-bit digest versus 2^64 for a 128-bit one)
Flavors of SHA
• SHA-0
• SHA-1*
• SHA-224*
• SHA-256*
• SHA-384*
• SHA-512*
* FIPS-approved algorithm for generating a condensed representation of a message (message digest)

SHA History
• 1993 – The hash function SHA-0 was issued as a federal standard (FIPS 180) by NIST
• 1995 – SHA-1 published (FIPS 180-1) as the successor to SHA-0
• 2002 – SHA-2 variants SHA-256, SHA-384, and SHA-512 published (FIPS 180-2)
• 2004 – SHA-224 published
* No weaknesses in the SHA-2 variants were known at the time of this presentation

SHA-0 vs SHA-1
• Both have a 160-bit output and a 160-bit internal state
• SHA-1 (as well as SHA-0) produces a 160-bit digest from a message of at most 2^64 − 1 bits and is based on the design principles of MD4
• The only difference between the two hash functions is the additional one-bit rotation in the message expansion of SHA-1, which was intended to provide more security; collisions for full SHA-0 were demonstrated by Joux in 2004
• On 17 August 2005, an improved attack on SHA-1 was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity of finding a SHA-1 collision to 2^63
• Caveat for today's reader: a practical SHA-1 collision was published in 2017 (the SHAttered attack), and SHA-1 is no longer acceptable for digital signatures or certificates

Secure Hash Algorithm
• SHA-1, SHA-256, SHA-384, and SHA-512
• All four algorithms are iterative, one-way hash functions
• They process a message to produce a condensed representation called a message digest
• These algorithms enable the determination of a message's integrity
  – any change to the message will, with very high probability, result in a different message digest
  – This property is useful in the generation and verification of digital signatures and message authentication codes, and in the generation of random numbers (bits)
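The message-authentication use mentioned above (and the MACs that SSH relies on in the Applications section) is worth seeing in code. The block below is an added example, not code from the original slides: it builds HMAC-SHA256 from the RFC 2104 definition on top of a plain hash, checks it against Python's hmac module, and contrasts it with a digest-only integrity check that a forger can defeat by simply recomputing the digest. The key and messages are constructed sample data.

```python
"""HMAC built from a SHA-2 digest per the RFC 2104 construction (added example)."""
import hashlib
import hmac as stdlib_hmac


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from the definition: H((K ^ opad) || H((K ^ ipad) || m))."""
    block_size = 64                       # SHA-256 works on 512-bit (64-byte) blocks
    if len(key) > block_size:             # keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")  # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    expected = stdlib_hmac.new(key, message, hashlib.sha256).digest()
    return hmac_sha256(key, message) == expected


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == would leak how many leading bytes matched."""
    return stdlib_hmac.compare_digest(hmac_sha256(key, message), tag)


def digest_only_check(message: bytes, digest: bytes) -> bool:
    """Integrity check that ships SHA-256(m) next to m. Detects accidental corruption,
    but not a forger who rewrites both m and the digest (no secret is involved)."""
    return hashlib.sha256(message).digest() == digest


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample data for the demonstration (not from the original slides).
KEY = b"shared-secret-key-for-this-example"
MESSAGE = b"transfer 100 credits to account 42"


def demo() -> dict:
    tag = hmac_sha256(KEY, MESSAGE)
    forged = MESSAGE.replace(b"100", b"900")
    one_bit = flip_bit(MESSAGE, 0)
    return {
        "tag_ok": verify_tag(KEY, MESSAGE, tag),
        "tag_rejects_forgery": not verify_tag(KEY, forged, tag),
        # Without a key the attacker just recomputes the digest for the forged text.
        "digest_only_fooled": digest_only_check(forged, hashlib.sha256(forged).digest()),
        # A single flipped input bit changes about half of the 256 output bits.
        "bits_changed_by_one_bit_flip": differing_bits(
            hashlib.sha256(MESSAGE).digest(), hashlib.sha256(one_bit).digest()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `digest_only_fooled` is the one the slides' integrity claim leaves implicit: a hash alone tells you the data was not corrupted, not who produced it; binding the digest to a secret key (HMAC) or to a private key (a digital signature) is what turns integrity into authentication.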
The Algorithm
• Each algorithm can be described in two stages:
  – Preprocessing
    • Padding the message, parsing the padded message into m-bit blocks (512 or 1024 bits), and setting the initial hash value used in the hash computation
  – Hash computation
    • Generates a message schedule from each padded block and uses that schedule, along with functions, constants, and word operations, to iteratively generate a series of hash values
    • The final hash value is the message digest

Algorithm – cont'd
• The four algorithms differ most significantly in the number of bits of security provided for the data being hashed
  – This is directly related to the message digest length
• The four algorithms also differ in the size of the blocks and words of data used during hashing

Comparison between SHAs

Algorithm     Output (bits)  State (bits)  Block (bits)  Max message (bits)  Word (bits)  Rounds  Operations                  Collision
SHA-0         160            160           512           2^64 − 1            32           80      +, and, or, xor, rotl       Yes
SHA-1         160            160           512           2^64 − 1            32           80      +, and, or, xor, rotl       2^63 attack
SHA-256/224   256/224        256           512           2^64 − 1            32           64      +, and, or, xor, shr, rotr  None yet
SHA-512/384   512/384        512           1024          2^128 − 1           64           80      +, and, or, xor, shr, rotr  None yet

• SHA-1 consists of 80 steps of operation
  – Each step is also called a "round". Usually, more rounds imply more security, and hence a function that is harder to break
• In this context, "security" refers to the fact that a birthday attack [HAC] on a message digest of n bits produces a collision with a work factor of approximately 2^(n/2)

How Secure are SHA?
This depends on your view of "secure"

Cryptanalysis
• A generic birthday attack on a 160-bit digest takes approximately 2^80 operations, so SHA-1 is considered "not as secure as designed", or "broken", if an attack is found that produces collisions in fewer than 2^80 operations
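To make the two stages above concrete, here is SHA-1 written out from the FIPS 180-1 description: padding and block parsing (preprocessing), then the message schedule and 80-step compression loop (hash computation). This is an added example, not code from the slides; it is checked against Python's hashlib. The `rotate` flag exposes the single difference between SHA-0 and SHA-1 discussed earlier, the one-bit rotation in the message expansion.

```python
"""SHA-1 (and SHA-0) from the FIPS 180-1 description (added example)."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Initial hash value H0..H4 (FIPS 180-1 section 6.1).
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, n: int) -> int:
    """32-bit circular left shift."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(message: bytes) -> bytes:
    """Preprocessing: append a 1 bit (0x80), then zeros, then the 64-bit big-endian
    message length in bits, so the total length is a multiple of 512 bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def message_schedule(block: bytes, rotate: bool = True) -> list:
    """Expand one 512-bit block into 80 32-bit words W_0..W_79. The 1-bit rotation
    is the only difference between SHA-1 (rotate=True) and SHA-0 (rotate=False)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(rotl(x, 1) if rotate else x)
    return w


def round_function(t: int, b: int, c: int, d: int) -> tuple:
    """Step function f_t and constant K_t: four groups of 20 steps."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK32, 0x5A827999   # Ch
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1                       # Parity
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC     # Maj
    return b ^ c ^ d, 0xCA62C1D6                           # Parity


def sha1(message: bytes, rotate: bool = True) -> bytes:
    """Hash computation: iterate the compression function over each 512-bit block."""
    h = list(H_INIT)
    padded = pad_message(message)
    for off in range(0, len(padded), 64):            # parse into 512-bit blocks
        w = message_schedule(padded[off:off + 64], rotate)
        a, b, c, d, e = h
        for t in range(80):                           # the 80 steps ("rounds")
            f, k = round_function(t, b, c, d)
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)                     # the 160-bit message digest


def sha0(message: bytes) -> bytes:
    """SHA-0: identical to SHA-1 except for the missing rotation in the schedule."""
    return sha1(message, rotate=False)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the platform SHA-1 implementation."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print("SHA-1('abc') =", sha1(b"abc").hex())
    print("SHA-0('abc') =", sha0(b"abc").hex())
    print("matches hashlib:", matches_hashlib(b"The quick brown fox"))
```

Reading the loop against the comparison table: the word size (32 bits) is the `MASK32` arithmetic, the block size (512 bits) is the 64-byte slice, the 2^64 − 1 message limit is the 64-bit length field appended by `pad_message`, and the rounds column is the `range(80)`. The SHA-2 family follows the same two-stage structure with different word sizes, constants and step functions.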
Definitions
• Collision – two distinct inputs that produce the same hash output
• Birthday attack – if a function f has H equally likely outputs and H is sufficiently large, then after about 1.2·sqrt(H) distinct inputs we expect a collision (x1 ≠ x2 with f(x1) = f(x2))

Brute Force Attacks

Question???
• Assume that you have a 4 GHz processor capable of about 4 billion operations per second
• How long would it take to "break" SHA-1 using the 2^63-operation attack announced by Wang, Yao and Yao (the earlier Wang, Yin and Yu attack needed 2^69)?

Answer
• With 4 × 10^9 ≈ 2^32 operations per second, 2^63 operations take about 2^31 seconds on a single processor, roughly 70 years of CPU time, which is out of reach for one machine
• But consider a distributed attack that uses a large number of CPUs: with 10,000 such processors the expected time drops to a few days……

Applications

Pretty Good Privacy (PGP)
• PGP (Pretty Good Privacy) is a computer program that provides cryptographic privacy and authentication
• It relies on public-key cryptography, also known as asymmetric cryptography, in which a user has a pair of cryptographic keys: a public key and a private key; a hash of the message is what actually gets signed
• It was originally created by Philip Zimmermann in 1991

SSH
• Secure Shell (SSH) is a set of standards and an associated network protocol for establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of the data exchanged between the two computers using encryption and message authentication codes.

TLS and SSL
• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for web browsing, e-mail, Internet faxing, instant messaging and other data transfers
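The birthday bound and the question-and-answer arithmetic above can both be checked empirically. The following added example (not from the original deck) runs a generic birthday search against SHA-1 truncated to a small number of bits, so that H = 2^bits is small enough to collide in milliseconds, compares the measured number of hashes with the 1.25·sqrt(H) estimate, and then applies the same formula to the full 160-bit digest and to the 2^63-operation attack at the slide's assumed 4 × 10^9 operations per second. The input prefixes are constructed sample data.

```python
"""Birthday attack on a truncated SHA-1 and CPU-time estimates (added example)."""
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(data): a toy hash with H = 2**bits outputs."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def expected_trials(bits: int) -> float:
    """Expected number of distinct inputs before the first collision for a
    uniform hash with H = 2**bits outputs: sqrt(pi*H/2), about 1.25*sqrt(H)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def log2_expected_trials(bits: int) -> float:
    """The same bound as a power of two, e.g. about 2^80.3 for a 160-bit digest."""
    return math.log2(expected_trials(bits))


def find_collision(bits: int, prefix: bytes = b"m") -> tuple:
    """Generic birthday search: hash distinct inputs until an output repeats.
    Returns (input1, input2, number_of_hashes_computed)."""
    seen = {}                       # truncated digest -> first input that produced it
    count = 0
    while True:
        m = prefix + str(count).encode()   # inputs are distinct by construction
        count += 1
        d = truncated_sha1(m, bits)
        if d in seen:
            return seen[d], m, count
        seen[d] = m


def average_trials(bits: int, runs: int) -> float:
    """Mean number of hashes over several independent searches, for comparison
    with expected_trials(bits)."""
    total = 0
    for r in range(runs):
        total += find_collision(bits, prefix=f"run{r}-".encode())[2]
    return total / runs


def cpu_years(log2_ops: int, ops_per_second: float, machines: int = 1) -> float:
    """Wall-clock years for 2**log2_ops operations spread over `machines` CPUs."""
    seconds = 2 ** log2_ops / (ops_per_second * machines)
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    m1, m2, n = find_collision(24)
    print(f"24-bit collision after {n} hashes (expected ~{expected_trials(24):.0f}):")
    print(f"  {m1!r} and {m2!r} -> {truncated_sha1(m1, 24):06x}")
    print(f"mean over 30 runs at 20 bits: {average_trials(20, 30):.0f} "
          f"(expected ~{expected_trials(20):.0f})")
    print(f"full SHA-1 birthday bound: 2^{log2_expected_trials(160):.1f}")
    print(f"2^63 ops at 4e9/s, one CPU: {cpu_years(63, 4e9):.0f} years")
    print(f"2^63 ops at 4e9/s, 10,000 CPUs: {cpu_years(63, 4e9, 10_000) * 365.25:.1f} days")
```

Two things the numbers show that the slides do not: the birthday search needs memory as well as time (the `seen` table holds sqrt(H) entries, which is why real attacks use cycle-finding methods instead of a dictionary), and the jump from the generic 2^80 bound to the 2^63 attack is what moved SHA-1 collisions from "unthinkable" to "a matter of enough machines".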
IPSec
• A set of protocols developed by the Internet Engineering Task Force (IETF), the main standards organization for the Internet, to support the secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

IPSec
• IPsec supports two modes: transport and tunnel. Transport mode protects only the data portion (payload) of each packet and leaves the original IP header untouched. Tunnel mode, which hides more, encrypts both the original header and the payload by wrapping the whole packet inside a new IP packet. On the receiving side, an IPsec-compliant device authenticates and decrypts each packet.

S/MIME
• S/MIME was originally developed by RSA Data Security Inc.
• S/MIME (Secure/Multipurpose Internet Mail Extensions) is a secure method of sending e-mail that uses the Rivest-Shamir-Adleman (RSA) public-key system. S/MIME is included in the latest versions of the web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF). An alternative to S/MIME is PGP/MIME, which has also been proposed as a standard.

Questions???