Cryptograph

y and
Network
Security
Seventh Edition, Global Edition
by William Stallings

© 2017 Pearson Education, Ltd., All rights reserved.

 Chapter 11
Cryptographic Hash Functions

© 2017 Pearson Education, Ltd., All rights reserved.

 Hash Functions
• A hash function H accepts a variable-length
block of data M as input and produces a fixed-
size hash value
• h = H(M)
• Principal object is data integrity

• Cryptographic hash function

• An algorithm for which it is computationally
infeasible to find either:
(a) a data object that maps to a pre-specified hash
result (the one-way property)

(b) two data objects that map to the same hash

result (the collision-free property)
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Message Authentication
Code (MAC)
• Also known as a keyed hash function

• Typically used between two parties that share a

secret key to authenticate information
exchanged between those parties

Takes as input a secret key and a data block and

produces a hash value (MAC) which is associated
with the protected message
• If the integrity of the message needs to be checked,
the MAC function can be applied to the message
and the result compared with the associated MAC
value
• An attacker who alters the message will be unable
to alter the associated MAC value without
knowledge
© 2017 Pearson Education, of the secret key
Ltd., All rights reserved.
 Digital Signature
• Operation is similar to that of the MAC

• The hash value of a message is encrypted

with a user’s private key
• Anyone who knows the user’s public key can
verify the integrity of the message
• An attacker who wishes to alter the message
would need to know the user’s private key
• Implications of digital signatures go beyond
just message authentication
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
Other Hash Function Uses
Can be used to
construct a
Commonly used to Can be used for pseudorandom
create a one-way intrusion and virus function (PRF) or a
password file detection pseudorandom
number generator
When a user enters
(PRNG)
Store H(F) for each
a password, the file on a system and
hash of that secure the hash
password is values
compared to the
stored hash value A common
for verification One can later
application for a
determine if a file
hash-based PRF is
has been modified
for the generation
by recomputing H(F)
of symmetric keys
This approach to
password protection An intruder would
is used by most need to change F
operating systems without changing
H(F)

© 2017 Pearson Education, Ltd., All rights reserved.

 Two Simple Hash
Functions
• Consider two simple insecure hash functions that operate
using the following general principles:
• The input is viewed as a sequence of n-bit blocks
• The input is processed one block at a time in an iterative
fashion to produce an n-bit hash function

• Bit-by-bit exclusive-OR (XOR) of every block

• Ci = bi1 xor bi2 xor . . . xor bim
• Produces a simple parity for each bit position and is known as
a longitudinal redundancy check
• Reasonably effective for random data as a data integrity
check

• Perform a one-bit circular shift on the hash value after each

block is processed
• Has the effect of randomizing the input more completely and
overcoming any regularities that appear in the input
© 2017 Pearson Education, Ltd., All rights reserved.
 Two
Simple
Hash
Functions

© 2017 Pearson Education, Ltd., All rights reserved.

 Requirements and
Security
Preimage
Collision
• x is the preimage of h
for a hash value h = • Occurs if we have x
H(x) ≠ y and H(x) = H(y)

• Is a data block whose • Because we are

hash function, using using hash functions
the function H, is h for data integrity,
collisions are clearly
• Because H is a many-
undesirable
to-one mapping, for
any given hash value
h, there will in general
be multiple preimages
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 11.1
Requirements for a Cryptographic Hash Function
H

© 2017 Pearson Education, Ltd., All rights reserved.

(Table can be found on page 323 in textbook.)
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 11.2
Hash Function Resistance Properties Required for
Various Data Integrity Applications

* Resistance required if attacker is able to mount a chosen message attack

© 2017 Pearson Education, Ltd., All rights reserved.

 Attacks on Hash
Functions
Brute-Force
Attacks Cryptanalysis
• Does not depend on the • An attack based on
specific algorithm, only weaknesses in a
depends on bit length
particular
• In the case of a hash cryptographic
function, attack algorithm
depends only on the bit
length of the hash value • Seek to exploit some
property of the
• Method is to pick values algorithm to perform
at random and try each some attack other
one until a collision than an exhaustive
occurs search
© 2017 Pearson Education, Ltd., All rights reserved.
 Collision Resistant
Attacks
• For a collision resistant attack, an adversary wishes to find two messages or
data blocks that yield the same hash function
• The effort required is explained by a mathematical result referred to as the
birthday paradox

• Yuval proposed the following strategy to exploit the birthday paradox in a

collision resistant attack:
• The source (A) is prepared to sign a legitimate message x by appending the
appropriate m-bit hash code and encrypting that hash code with A’s private key
• Opponent generates 2m/2 variations x’ of x, all with essentially the same
meaning, and stores the messages and their hash values
• Opponent prepares a fraudulent message y for which A’s signature is desired
• Opponent generates minor variations y’ of y, all of which convey essentially the
same meaning. For each y’, the opponent computes H (y’), checks for matches
with any of the H (x’) values, and continues until a match is found. That is, the
process continues until a y’ is generated with a hash value equal to the hash
value of one of the x’ values
• The opponent offers the valid variation to A for signature which can then be
attached to the fraudulent variation for transmission to the intended recipient
• Because the two variations have the same hash code, they will produce the same signature and
© 2017 Pearson Education, Ltd., Allisrights
the opponent reserved.
assured of success even though the encryption key is not known
 A Letter
in 238
Variation
(Letter is located on page 334 in textbook)

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All rights reserved.
 Hash Functions
Based on Cipher
Block Chaining
• A number of proposals have been made for hash functions based on
using a cipher block chaining technique, but without using the secret key
• One of the first proposals was that of Rabin
• Divide a message M into fixed-size blocks M1, M2, . . . , MN and use a
symmetric encryption system such as DES to compute the hash code G as
H0= initial value
Hi = E(Mi, Hi-1)
G = HN
• Similar to the CBC technique, but in this case, there is no secret key
• As with any hash code, this scheme is subject to the birthday attack
• If the encryption algorithm is DES and only a 64-bit hash code is produced, the
system is vulnerable
• Meet-in-the-middle-attack
• Another version of the birthday attack used even if the opponent has access to
only one message and its valid signature and cannot obtain multiple signings
• It can be shown that some form of birthday attack will succeed against
any hash scheme involving the use of cipher block chaining without a
secret key, provided that either the resulting hash code is small enough
orEducation,
© 2017 Pearson that aLtd.,
larger hash
All rights code can be decomposed into independent
reserved.
 Secure Hash Algorithm
(SHA)
• SHA was originally designed by the National
Institute of Standards and Technology (NIST) and
published as a federal information processing
standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1

• Based on the hash function MD4 and its design

closely models MD4
• Produces 160-bit hash values

• In 2002 NIST produced a revised version of the

standard that defined three new versions of SHA
with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 11.3
Comparison of SHA Parameters

Note: All sizes are measured in bits.

© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 11.4 ---- SHA-512 Constants

(Table
can be
found
on page
© 2017 Pearson Education, Ltd., All rights reserved. 341 in
© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 (Figure can be
found on page
345 in textbook)
© 2017 Pearson Education, Ltd., All rights reserved.
 SHA-3
SHA-1 has not yet been
"broken”
• No one has demonstrated a
technique for producing
collisions in a practical
amount of time
• Considered to be insecure and
has been phased out for SHA-2

NIST announced in 2007 a

competition for the SHA-3 SHA-2 shares the same
next generation NIST hash structure and mathematical
function operations as its
predecessors so this is a
• Winning design was cause for concern
announced by NIST in
• Because it will take years
October 2012
• SHA-3 is a cryptographic to find a suitable
replacement for SHA-2
hash function that is
should it become
intended to complement
vulnerable, NIST decided
SHA-2 as the approved
to begin the process of
standard for a wide range
developing a new hash
of applications
© 2017 Pearson Education, Ltd., All rights reserved.
standard
 The Sponge
Construction
• Underlying structure of SHA-3 is a scheme referred to
by its designers as a sponge construction
• Takes an input message and partitions it into fixed-size
blocks
• Each block is processed in turn with the output of each
iteration fed into the next iteration, finally producing an
output block
• The sponge function is defined by three parameters:
• f = the internal function used to process each input
block
• r = the size in bits of the input blocks, called the bitrate
• pad = the padding algorithm

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Table 11.5
SHA-3 Parameters

© 2017 Pearson Education, Ltd., All rights reserved.

© 2017 Pearson Education, Ltd., All
rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 SHA-3
Iteration
Function f

© 2017 Pearson Education, Ltd., All rights reserved.

 Table
11.6

Step
Function
s
in SHA-3

© 2017 Pearson Education, Ltd., All rights reserved.

 Theta and CHI
Function
Substitution

© 2017 Pearson Education, Ltd., All

rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 Rho Function
Permutation

© 2017 Pearson Education, Ltd., All

rights reserved.
 Rho Function
Permutation

© 2017 Pearson Education, Ltd., All

rights reserved.
 Rho Function
Permutation

© 2017 Pearson Education, Ltd., All

rights reserved.
 Pi Function
(Permutation)

© 2017 Pearson Education, Ltd., All

rights reserved.
© 2017 Pearson Education, Ltd., All rights reserved.
 IOTA Function

© 2017 Pearson Education, Ltd., All

rights reserved.
 IOTA Function

© 2017 Pearson Education, Ltd., All

rights reserved.
 Table 11.8
Round Constants in SHA-3

© 2017 Pearson Education, Ltd., All rights reserved.

 Summary
• Applications of • Hash functions
cryptographic hash based on cipher
functions block chaining
• Message
authentication • Secure hash
• Digital signatures algorithm (SHA)
• Other applications • SHA-512 logic
• SHA-512 round
• Requirements and function
security
• SHA-3
• Security requirements
for cryptographic hash • The sponge
functions construction
• Brute-force attacks • The SHA-3
Iteration Function f
• Cryptanalysis
© 2017 Pearson Education, Ltd., All rights reserved.