Hash Functions - and how not to use them

Internals of collisions and finding collisions.

Nathaniel McHugh

February 13, 2015

Transcript

  1. Hash Functions And how not to use them @natmchugh Thursday, 12 February 15
  2. Flame
  3. e06723d4961a0a3f950e7786f3766338
  4. e06723d4961a0a3f950e7786f3766338
  5. Hash Functions
  6. Hash Functions: SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST
  7. Hash Functions: SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST, CRC, City Hash, Joaat
  8. Cryptographic Hash Functions
    1. Pre-image resistance (one way): given hash cannot find m
    2. Second pre-image resistance (weak collision resistance)
    3. Collision resistance
  9. Stolen from: https://www.coursera.org/course/crypto
  10. MD4 in detail
    MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
    a = 0x67452301, b = 0xefcdab89, c = 0x98badcfe, d = 0x10325476
    F(b, c, d) = (((c ^ d) & b) ^ d)
    a = 0x31d6cfe0, b = 0xd16ae931, c = 0xb73c59d7, d = 0xe0c089c0
  11. Why do we need MAC?
    secretMessage = '09e1c5f70a65ac519458e7e53f36';
    plainText = 'attack at dawn'
    key = plainText XOR secretMessage
    newText = 'attack at dusk'
    newSecretMessage = key XOR newText
  12. MAC
  13. MAC from hash functions
    HASH(key || message)
  14. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
  15. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
  16. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
    http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html
  17. HMAC
    hash_hmac($algo, $data, $key);
    HMAC(K, m) = H((K ^ opad) | H((K ^ ipad) | m))
  18. Password Storage
    Different security criteria. Needs special construction, e.g. KDF, salt and iterations.
    $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
    3 choices: bcrypt, scrypt & PBKDF2. But just use a library.
  19. Collisions
    When H(m1) = H(m2) and m1 ≠ m2.
    Plenty in MD4, MD5, SHA0. None in SHA1, SHA2.
    Forge signatures, distribute files with different behaviors, predict future.
    Not HMAC, not pre-image.
  20. Birthday Problem
    n ≈ √(-2 * ln(1-p)) * √d
  21. Wang Attack
    1. Start with random message
    2. Create another message M' with small diffs
    3. Modify message so that certain bitwise conditions hold in intermediate state
    4. Test for collision; if not found go to 1
  22. Wang MD4
    ΔM = M − M' = (Δm0, Δm1, ......, Δm15)
    Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16
  23. Wang Prefix
    Wang works with any initial value. Can use to build files with different behaviors but same hash using an if construct.
  24. Chosen Prefix Collision
  25. Flame. Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf
  26. Links
    http://cryptopals.com/
    https://marc-stevens.nl/research/
    http://natmchugh.blogspot.co.uk/
    http://www.win.tue.nl/hashclash/rogue-ca/
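
Slides 11 and 17 worked through in Python, as an added example that is not code from the deck: the slide 11 values show that XOR encryption alone lets a known plaintext be swapped, and an HMAC built from the slide 17 formula rejects the swapped ciphertext. SHA-256 as H, the MAC key, and the `seal` / `open_sealed` helpers are assumptions made for the illustration.

```python
import hashlib
import hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Values from slide 11.
SECRET = bytes.fromhex("09e1c5f70a65ac519458e7e53f36")
PLAIN = b"attack at dawn"
NEW_PLAIN = b"attack at dusk"

def swap_without_mac() -> bytes:
    """Slide 11: known plaintext reveals the keystream, so any message of
    the same length can be re-encrypted without knowing the real key."""
    keystream = xor(PLAIN, SECRET)
    return xor(keystream, NEW_PLAIN)

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Slide 17 formula: H((K ^ opad) | H((K ^ ipad) | m)), with H = SHA-256."""
    block = 64                                  # SHA-256 block size in bytes
    if len(key) > block:                        # long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(block, b"\x00")             # then zero-padded to one block
    inner = hashlib.sha256(xor(key, b"\x36" * block) + msg).digest()
    return hashlib.sha256(xor(key, b"\x5c" * block) + inner).digest()

# Constructed key for the demo; it must be independent of the keystream.
MAC_KEY = b"constructed-demo-mac-key"
TAG_LEN = 32

def seal(ciphertext: bytes) -> bytes:
    """Append a tag computed over the ciphertext."""
    return ciphertext + hmac_sha256(MAC_KEY, ciphertext)

def open_sealed(blob: bytes):
    """Return the ciphertext if the tag verifies, otherwise None."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac_sha256(MAC_KEY, ciphertext)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return ciphertext if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    swapped = swap_without_mac()
    print("original :", SECRET.hex())
    print("swapped  :", swapped.hex())
    print("genuine accepted:", open_sealed(seal(SECRET)) == SECRET)
    print("swapped accepted:", open_sealed(swapped + seal(SECRET)[-TAG_LEN:]) is not None)
```

In PHP the same check is the `hash_hmac` call from slide 17, compared with `hash_equals`.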