Hash Functions - and how not to use them

Internals of collisions and finding collisions.

Nathaniel McHugh

February 13, 2015

Transcript

  1. Hash Functions

    SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST, CRC, City Hash, Joaat

    Thursday, 12 February 15
  2. Cryptographic Hash Functions

    1. Pre-image resistance (one way): given a hash, cannot find m
    2. Second pre-image resistance (weak collision resistance)
    3. Collision resistance
  3. MD4 in detail

    MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0

    Initial values: a = 0x67452301, b = 0xefcdab89, c = 0x98badcfe, d = 0x10325476

    F(b, c, d) = (((c ^ d) & b) ^ d)

    Result: a = 0x31d6cfe0, b = 0xd16ae931, c = 0xb73c59d7, d = 0xe0c089c0
  4. Why do we need MAC?

    secretMessage = '09e1c5f70a65ac519458e7e53f36';
    plainText = 'attack at dawn'
    key = plainText XOR secretMessage
    newText = 'attack at dusk'
    newSecretMessage = key XOR newText
  5. MAC from hash functions

    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
  6. MAC from hash functions

    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
  7. MAC from hash functions

    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
    http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html
  8. HMAC

    hash_hmac($algo, $data, $key);
    HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))
  9. Password Storage

    Different security criteria. Needs a special construction, e.g. KDF, salt and iterations.
    $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
    3 choices: bcrypt, scrypt & PBKDF2. But just use a library.
  10. Collisions

    When H(m1) = H(m2) and m1 ≠ m2.
    Plenty in MD4, MD5, SHA0. None in SHA1, SHA2.
    Forge signatures, distribute files with different behaviors, predict the future.
    Not HMAC, not pre-image.
  11. Wang Attack

    1. Start with a random message
    2. Create another message M' with small diffs
    3. Modify the message so that certain bitwise conditions hold in the intermediate state
    4. Test for a collision; if not found, go to 1
  12. Wang MD4

    ΔM = M − M' = (Δm0, Δm1, ......, Δm15)
    Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16
  13. Wang Prefix

    Wang works with any initial value. It can be used to build files with different behaviors but the same hash, using an if construct.
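
Slides 5 to 8 as an added example that is not part of the original deck: a from-scratch MD4 using the slide 3 initial values and F function, showing that HASH(key || message) accepts an extended message while the HMAC construction does not. The key, the helper names (`pad`, `md4`, `naive_mac`, `hmac_md4`, `extend`) and the assumption that the secret's length is known are constructed for illustration.

```python
import struct

MASK = 0xffffffff
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)  # slide 3 initial a, b, c, d
ROUNDS = (  # (boolean function, constant, message word order, rotations)
    (lambda b, c, d: ((c ^ d) & b) ^ d, 0, list(range(16)), (3, 7, 11, 19)),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5a827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda b, c, d: b ^ c ^ d, 0x6ed9eba1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)

def pad(total_len):
    """MD4 padding appended to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md4(msg, state=IV, prior_len=0):
    """MD4 of msg; state and prior_len resume a hash after prior_len bytes."""
    data = msg + pad(prior_len + len(msg))
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for f, k, order, rot in ROUNDS:
            for i, j in enumerate(order):
                t = (a + f(b, c, d) + x[j] + k) & MASK
                s = rot[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c
        state = tuple((u + v) & MASK for u, v in zip(state, (a, b, c, d)))
    return struct.pack("<4I", *state)

def naive_mac(key, msg):  # slide 5 construction: HASH(key || message)
    return md4(key + msg)

def hmac_md4(key, msg):  # slide 8 construction, for keys of at most 64 bytes
    k = key.ljust(64, b"\x00")
    inner = md4(bytes(x ^ 0x36 for x in k) + msg)   # ipad
    return md4(bytes(x ^ 0x5c for x in k) + inner)  # opad

def extend(tag, secret_len, orig, suffix):
    """Resume hashing from a published tag; the secret itself is never used."""
    glue = pad(secret_len + len(orig))
    prior = secret_len + len(orig) + len(glue)
    return orig + glue + suffix, md4(suffix, struct.unpack("<4I", tag), prior)

KEY = b"constructed-key!"  # constructed sample secret, 16 bytes
ORIG = b"attack at dawn"
forged_msg, forged_tag = extend(naive_mac(KEY, ORIG), len(KEY), ORIG, b"tomorrow")
hmac_msg, hmac_guess = extend(hmac_md4(KEY, ORIG), 64, ORIG, b"tomorrow")
print(naive_mac(KEY, forged_msg) == forged_tag)   # naive MAC accepts the extension
print(hmac_md4(KEY, hmac_msg) == hmac_guess)      # HMAC does not
```

The tag of HASH(key || message) is the full internal state after the padded input, which is why hashing can be resumed from it; in HMAC the outer hash hides the inner state, so the same continuation fails verification.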