Nathaniel McHugh
February 13, 2015

Hash Functions - and how not to use them

Internals of collisions and finding collisions.

Transcript

1. Hash Functions - And how not to use them. @natmchugh. Thursday, 12 February 15

6. Hash Functions
   SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST
7. Hash Functions
   SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST
   CRC, City Hash, Joaat
8. Cryptographic Hash Functions
   1. Pre-image resistance (one way): given hash cannot find m
   2. Second pre-image resistance (weak collision resistance)
   3. Collision resistance

10. MD4 in detail
    MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
    a = 0x67452301
    b = 0xefcdab89
    c = 0x98badcfe
    d = 0x10325476
    F(b, c, d) = (((c ^ d) & b) ^ d)
    a = 0x31d6cfe0
    b = 0xd16ae931
    c = 0xb73c59d7
    d = 0xe0c089c0
11. Why do we need MAC?
    secretMessage = '09e1c5f70a65ac519458e7e53f36'
    plainText = 'attack at dawn'
    key = plainText XOR secretMessage
    newText = 'attack at dusk'
    newSecretMessage = key XOR newText

14. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
15. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
16. MAC from hash functions
    HASH(key || message)
    HASH(key || orig-message || padding || new-message)
    plainText = 'attack at dawn\x0c...\x00tomorrow'
    http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html
17. HMAC
    hash_hmac($algo, $data, $key);
    HMAC(K, m) = H((K ^ opad) | H((K ^ ipad) | m))
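Slides 11 and 17 together, as an added example that is not from the talk: the XOR substitution from slide 11 run on the slide's own values, then an HMAC tag over the ciphertext, built from the slide 17 formula, rejecting the substituted message. SHA-256, the MAC key and the function names are assumptions made for the example.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (hash choice is an assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def forge(ciphertext: bytes, known_plain: bytes, new_plain: bytes) -> bytes:
    """Slide 11: without a MAC, known plaintext reveals the keystream,
    so any same-length message can be substituted undetected."""
    keystream = xor(ciphertext, known_plain)
    return xor(keystream, new_plain)

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Slide 17: H((K ^ opad) | H((K ^ ipad) | m)), with | as concatenation."""
    if len(key) > BLOCK:               # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")    # then zero-padded to one block
    ipad = xor(key, b"\x36" * BLOCK)
    opad = xor(key, b"\x5c" * BLOCK)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def verify(key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    # Constant-time comparison, so the check does not leak matching prefixes.
    return hmac.compare_digest(hmac_sha256(key, ciphertext), tag)

# Values taken from slide 11.
SECRET = bytes.fromhex("09e1c5f70a65ac519458e7e53f36")
FORGED = forge(SECRET, b"attack at dawn", b"attack at dusk")

# Constructed for this example: a MAC key independent of the keystream.
MAC_KEY = b"constructed-demo-mac-key"
TAG = hmac_sha256(MAC_KEY, SECRET)

if __name__ == "__main__":
    print("forged ciphertext :", FORGED.hex())
    print("matches stdlib    :",
          TAG == hmac.new(MAC_KEY, SECRET, hashlib.sha256).digest())
    print("original verifies :", verify(MAC_KEY, SECRET, TAG))
    print("forgery verifies  :", verify(MAC_KEY, FORGED, TAG))
```

In application code, call the library routine (PHP's `hash_hmac`, Python's `hmac` module) rather than the hand-written function, which is here only to make the formula concrete.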
18. Password Storage
    Different Security Criteria
    Needs special construction e.g. KDF, salt and iterations
    $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
    3 choices: bcrypt, scrypt & PBKDF2
    But just use a library
19. Collisions
    When H(m1) = H(m2) and m1 ≠ m2
    Plenty in MD4, MD5, SHA0
    None in SHA1, SHA2
    Forge signatures, distribute files with different behaviors, predict future
    Not HMAC, not pre-image
20. Birthday Problem
    n ≈ √(-2 * ln(1-p)) * √d

M' with small diffs
   3. Modify message so that certain bitwise conditions hold in intermediate state
   4. Test for collision; if not found go to 1
22. Wang MD4
    ΔM = M − M' = (Δm0, Δm1, ......, Δm15)
    Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16
23. Wang Prefix
    Wang works with any initial value.
    Can be used to build files with different behaviors but the same hash using an if construct.

26. Links
    http://cryptopals.com/
    https://marc-stevens.nl/research/
    http://natmchugh.blogspot.co.uk/
    http://www.win.tue.nl/hashclash/rogue-ca/