ICS 454 Principles of Cryptography
Secure Hashing and DSS
Sultan Almuhammadi

Outline
- One-way functions
- Secure Hash function
- Authentication (example)
- Digital Signature Standards (DSS)

Definitions
One-way function f : A → B
- Given x ∈ A, it is easy to compute f(x)
- Given f(x), it is hard to compute x
Trapdoor one-way function
A one-way function f : A → B with a secret s, such that
- Given x ∈ A, it is easy to compute f(x)
- Given f(x), it is hard to compute x
- Given f(x) and s, it is easy to compute x

Examples
One-way function
- Multiplicative group Z_p* with generator g
- f(x) = g^x mod p
Trapdoor one-way function
- Multiplicative group Z_n* where n = p·q for primes p, q
- f(x) = x^2 mod n
- The secret is: (p and q)

Hash Function
Definition: one-way hash function h(x)
A one-way hash function operates on an input message x of arbitrary length, and outputs a fixed-length hash value h(x).
- Given x, it is easy to compute h(x)
- Given h(x), it is infeasible to compute x

Hash Function Properties
- h can be applied to an input of any size
- h produces a fixed-length output
- One-way property: Easy to compute h(x), but infeasible to compute x given h(x) (Preimage resistance)
- Collision resistance property:
  - Weakly collision-free: Given x, it is infeasible to find y ≠ x, such that h(x) = h(y) (Second preimage resistance)
  - Strongly collision-free: It is infeasible to find any pair (x, y) such that y ≠ x and h(x) = h(y) (Collision resistance)

Secure Hashing
Definition: h is cryptographically secure if it is a one-way collision-free hash function.
Note: Strong/weak collision resistance depends on the sensitivity of the application
Given a message M, h(M) is called the hash value of M, hash code, or the message digest.
Examples: SHA, MD4, MD5, Whirlpool

Security of Hash Functions
Effort Required for Brute-Force Attack (on average)
- One way: 2^(n-1)
- Weak collision resistance: 2^(n-1)
- Strong collision resistance: 2^(n/2)

General Structure of Secure Hashing

Secure Hash Algorithm (SHA)
- Developed by National Institute of Standards and Technology (NIST) in 1993.
- In 1995, NIST published SHA-1
  - Based on MD4
  - Output: 160-bit hash value
- In 2002, NIST defined 3 versions (SHA-256, SHA-384, SHA-512) with hash value lengths: 256, 384, and 512.
- In 2005, NIST approved the phase-out of SHA-1 and moving to other versions of SHA by 2010.

MD4
- MD stands for Message Digest and was designed by Ron Rivest
- Output: 128-bit hash values
- Design goals (claimed by Rivest)
  - Strongly collision-free (no attack is better than brute force)
  - The security is based on no assumption (like hardness of factorization)
- MD4 was cryptanalyzed shortly after publishing and some parts were successfully attacked.

MD5
- MD5 is an improved version of MD4
- Output: 128-bit hash values
- Ron Rivest made several improvements of MD5 over MD4
- MD5 was cryptanalyzed but there is no practical impact on the security of the hash function

Whirlpool
- Based on the use of a block cipher for the compression function (initially DES, later AES)
- General drawbacks of using block cipher:
  - Block ciphers are invertible, lack of randomness
  - Low performance due to slow block ciphers
  - Weakness due to regularities of block ciphers
  - Hash value length restriction due to block sizes: h 2b
- Since the adoption of AES, Whirlpool overcomes the above drawbacks.
Whirlpool
Advantages of using AES
- Hash code length is 512 bits (same as SHA)
- Resistant to usual attacks on block-cipher hashing
- Good performance and compact implementation on software and hardware

Applications of Secure Hashing
- Authentication
- Digital Signature

Example: Authentication
- Alice logs into a host computer
- She identifies herself by a username and a password
- The host computer stores all username-password pairs in a database and checks for a match.

Authentication using secure hash functions
- Alice sends her password to the host
- The host hashes the password and compares the hash value to the value it previously stored
- If Eve steals the hash values, she still cannot log in, since the hash function is one-way and collision-free.

Digital Signature Standard (DSS)
- Proposed by the National Institute of Standards and Technology (NIST) in 1991
- DSS uses a digital signature algorithm (DSA):
  - Designed to provide only the digital signature function
  - Cannot be used for encryption or key exchange
  - Must be a public-key technique (publicly verifiable)
  - Uses the SHA for hashing the message
- Example of digital signature approaches:
  - RSA Approach
  - DSS Approach

Digital Signature Approaches (DSS vs. RSA)

Digital Signature Algorithm (DSA)
NIST adopted DSA based on ElGamal digital signature with the following parameters:
- Prime p of length 512-1024 bits
- 160-bit prime q such that q | (p – 1)
- g is of the form g = h^((p-1)/q) mod p
- Private key: x, Public key: y = g^x mod p
The signature (a, b) is computed by:
- a = (g^r mod p) mod q, for random r < q
- b = (r^(-1) (SHA(M) + x·a)) mod q
The length of the signature (a, b) = 2 × 160 bits
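
The DSA signing rule above, together with the standard verification step that the slide does not show, as an added example (not part of the original slides). The parameters are constructed and toy-sized (a 31-bit q instead of a 160-bit one), and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def is_prime(n):  # trial division; adequate only for toy-sized numbers
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def make_params(q=2**31 - 1):
    """Constructed toy (p, q, g): q prime, q | (p - 1), g = h^((p-1)/q) mod p."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2                # (p - 1) / q == k
    while pow(h, k, p) == 1:           # need g != 1 so that g has order q
        h += 1
    return p, q, pow(h, k, p)

def H(msg, q):
    # SHA(M) as an integer mod q; SHA-1 gives the 160-bit hash named on the slide
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1   # private key, 1 <= x < q
    return x, pow(g, x, p)             # public key y = g^x mod p

def sign(msg, x, p, q, g):
    while True:
        r = secrets.randbelow(q - 1) + 1   # fresh, secret r for every signature
        a = pow(g, r, p) % q
        b = pow(r, -1, q) * (H(msg, q) + x * a) % q
        if a and b:                        # retry if either value is zero
            return a, b

def verify(msg, sig, y, p, q, g):
    a, b = sig
    if not (0 < a < q and 0 < b < q):      # reject out-of-range values first
        return False
    w = pow(b, -1, q)
    u1, u2 = H(msg, q) * w % q, a * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == a
```

Verification works because g^u1 · y^u2 = g^((SHA(M) + x·a)/b) = g^r mod p, so reducing mod q reproduces a only when the message and signature match.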