Nathaniel McHugh
June 26, 2015

# Hash Functions and how not to use them

DPC 2015-06-26

## Transcript

2. ### Advice
    • Don’t use MD5
    • Don’t use SHA1
    • Don’t use cryptographic hash functions
    • Don’t use any cryptographic primitives
3. ### Some Hash Functions
    • SHA1 • SHA2 • MD5 • RIPEMD • TIGER • Whirlpool • HAVAL • GOST • CRC • City Hash • Joaat
4. ### Cryptographic Hash Functions
    1. Pre-image resistance (one way): given a hash, cannot find m
    2. Second pre-image resistance (weak collision resistance)
    3. Collision resistance
5. ### What are crypto hash functions used for?
    • Password storage • Duplicate data detection • Git • Crypto currencies • Digital signatures • MAC

7. ### MD4 in detail
    MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
    Initial state: a = 0x67452301, b = 0xefcdab89, c = 0x98badcfe, d = 0x10325476
    F(b, c, d) = (((c ^ d) & b) ^ d)
    ...
    Final state: a = 0x31d6cfe0, b = 0xd16ae931, c = 0xb73c59d7, d = 0xe0c089c0
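The slide shows only the initial and final MD4 state; the following is an added example (not from the talk) with a minimal pure-Python MD4 after RFC 1320, so the constants and the F function shown on the slide can be checked against a real computation of MD4(""). The round schedules and padding are the standard ones; nothing here is specific to the speaker's code.

```python
import struct

# Added example, not from the slides: a minimal MD4 (RFC 1320) in pure Python.

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _F(x, y, z):
    """Round 1 'select' function, written as the slide has it:
    (((c ^ d) & b) ^ d), which equals (b & c) | (~b & d)."""
    return ((y ^ z) & x) ^ z


def _G(x, y, z):
    """Round 2 majority function."""
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):
    """Round 3 parity function."""
    return x ^ y ^ z


# (message-word index, left-rotation) schedule for each round, from RFC 1320
_ROUND1 = [(i, (3, 7, 11, 19)[i % 4]) for i in range(16)]
_ROUND2 = [((i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]) for i in range(16)]
_ROUND3 = [(k, (3, 9, 11, 15)[i % 4]) for i, k in
           enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))]


def _pad(message):
    """Append 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md4(message):
    """Return the MD4 hex digest of `message` (bytes)."""
    # initial state, as on the slide
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = _pad(message)
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, schedule in ((_F, 0x00000000, _ROUND1),
                                      (_G, 0x5A827999, _ROUND2),
                                      (_H, 0x6ED9EBA1, _ROUND3)):
            for k, s in schedule:
                a = _rotl((a + func(b, c, d) + X[k] + const) & MASK32, s)
                # rotate the registers so every step updates the 'a' slot
                a, b, c, d = d, a, b, c
        a = (a + aa) & MASK32
        b = (b + bb) & MASK32
        c = (c + cc) & MASK32
        d = (d + dd) & MASK32
    # the digest is the four state words serialised little-endian
    return struct.pack("<4I", a, b, c, d).hex()


if __name__ == "__main__":
    print(md4(b""))  # 31d6cfe0d16ae931b73c59d7e0c089c0, as on the slide
```

The hex digest is the little-endian serialisation of the final four words, which is why the slide's final state words read as the digest's byte groups. MD4 is shown here only because the talk dissects it; it is not a hash to use in new designs.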

11. ### Password Storage
    • Different security criteria
    • Needs special construction, e.g. KDF, salt and iterations
    • `$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a`
    • 3 choices: bcrypt, scrypt & PBKDF2
    • But please just use a library
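As an added example (not the speaker's code), here is the "KDF, salt and iterations" construction using PBKDF2-HMAC-SHA256, one of the slide's three choices, from Python's standard library. The self-describing record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are this example's own assumptions, chosen so that the parameters can be raised later without breaking existing records.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: salted, iterated password hashing with
# PBKDF2-HMAC-SHA256 and a record format that carries its own parameters.

ALGORITHM = "pbkdf2_sha256"   # record tag, this example's own convention
ITERATIONS = 600_000          # work factor; raise as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$key_hex' for a new password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute the key with the record's own salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations), dklen=KEY_BYTES)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record is below the current work factor (rehash on next login)."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
```

Storing the parameters in the record is what lets `needs_rehash` migrate old hashes to a higher work factor on the user's next successful login.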
12. ### Comparing Hashes
    ```php
    <?php
    var_dump(
        md5('240610708') == md5('QNKCDZO'),
        md5('240610708'),
        md5('QNKCDZO')
    );
    ```
    Output:
    ```
    bool(true)
    string(32) "0e462097431906509019562988736854"
    string(32) "0e830400451993494058024219903391"
    ```
13. ### Comparing Hashes
    p = 1 / 255 * (100 / 255)^15 = 3 * 10^-9
    ```php
    var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391');
    ```
14. ### Magic Hashes

    | Algo. | Plain Text | Hash |
    | --- | --- | --- |
    | MD5 | 240610708 | 0e462097431906509019562988736854 |
    | MD5 | QNKCDZO | 0e830400451993494058024219903391 |
    | MD5 | Password147186970! | 0e153958235710973524115407854157 |
    | SHA1 | aaroZmOk | 0e66507019969427134894567494305185566735 |
15. ### Comparing Hashes
    Solution:
    • Use hash_equals (PHP 5.6 and later)
    • Use ===
    • Use strcmp()
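The slides show the PHP behaviour; the following added example (not from the talk) models it in Python so the mechanism can be checked offline: `php_loose_equals` imitates PHP's `==` on two numeric-looking strings (the regex is this example's approximation of PHP's numeric-string rule), `is_zero_coerced_digest` is a check a code reviewer can run over digests, and `safe_equals` is the strict, constant-time comparison that the slide's `hash_equals` / `===` advice amounts to.

```python
import hashlib
import hmac
import re

# Added example, not from the slides: model of PHP's loose comparison on
# digests versus a strict constant-time comparison.

# Approximation of PHP's numeric-string rule: optional sign, digits,
# optional fraction, optional exponent (this example's assumption).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(left, right):
    """Model of PHP `==` on two strings: numeric strings are compared as numbers."""
    if _PHP_NUMERIC.match(left) and _PHP_NUMERIC.match(right):
        # '0e462...' and '0e830...' both evaluate to 0.0, hence "equal"
        return float(left) == float(right)
    return left == right


def is_zero_coerced_digest(hexdigest):
    """True if a loose comparison would read this hex digest as the number zero."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def safe_equals(left, right):
    """Strict and constant-time, the equivalent of hash_equals / ===."""
    return hmac.compare_digest(left.encode("ascii"), right.encode("ascii"))


def compare_md5(plain_a, plain_b):
    """Return (loose_result, strict_result) for md5(plain_a) vs md5(plain_b)."""
    ha = hashlib.md5(plain_a.encode()).hexdigest()
    hb = hashlib.md5(plain_b.encode()).hexdigest()
    return php_loose_equals(ha, hb), safe_equals(ha, hb)


if __name__ == "__main__":
    # the two plain texts from the slide
    print(compare_md5("240610708", "QNKCDZO"))  # (True, False)
```

The loose result is True only because both digests happen to parse as `0 * 10^n`; the strict comparison never goes through numeric coercion, so the class of digest is irrelevant.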
16. ### Bcrypt & Null Bytes
    • crypt uses a common C null-terminated string
    • Passwords won’t contain a null byte
    • If combined with another hash, the input may contain one

18. ### Bcrypt Null Bytes
    • Never feed binary data to bcrypt
    • Don’t use multiple hash functions
    • If you must feed crypt the output of another hash, use hex or base64
    • Starts with \0: p = 1 / 255 = 0.0039
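As an added example (not from the talk), the following models what a C `crypt()`-style API sees when the raw output of another hash is passed as the password. bcrypt is not in Python's standard library, so `c_string_view` stands in for only the null-terminated-string truncation the slide describes; the candidate passwords are constructed, and the search shows that among a few thousand of them several already pre-hash to something a C string reads as empty. `prehash_hex` is the slide's fix.

```python
import hashlib

# Added example, not from the slides: raw digests as C strings versus the
# hex-encoded form the slide recommends. Candidate passwords are constructed.


def c_string_view(data):
    """Bytes as a C char* reads them: everything before the first NUL."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def prehash_raw(password):
    """Unsafe pre-hash: raw 16-byte MD5 output, which may contain NUL bytes."""
    return hashlib.md5(password).digest()


def prehash_hex(password):
    """Safe pre-hash per the slide: hex-encode, so no NUL can appear."""
    return hashlib.md5(password).hexdigest().encode("ascii")


def find_truncation_collision(limit=20000):
    """Search constructed candidates for two distinct passwords whose raw
    pre-hash starts with NUL, so a C API would see both as the empty string.
    Returns (pw1, pw2) or None."""
    found = []
    for i in range(limit):
        pw = b"candidate-%d" % i          # constructed candidate password
        if prehash_raw(pw)[0] == 0:
            found.append(pw)
            if len(found) == 2:
                return tuple(found)
    return None


def nul_prefix_rate(limit=20000):
    """Empirical share of candidates whose raw digest starts with NUL (about 1/256)."""
    hits = sum(1 for i in range(limit) if prehash_raw(b"candidate-%d" % i)[0] == 0)
    return hits / limit


if __name__ == "__main__":
    pw1, pw2 = find_truncation_collision()
    print(pw1, pw2)
    print(c_string_view(prehash_raw(pw1)), c_string_view(prehash_raw(pw2)))  # b'' b''
    print(c_string_view(prehash_hex(pw1)) == c_string_view(prehash_hex(pw2)))  # False
    print(round(nul_prefix_rate(), 4))
```

A leading NUL is only the most visible case: a NUL anywhere in the raw digest truncates it, so every password whose raw pre-hash shares the bytes before its first NUL collapses into the same bcrypt input. Hex or base64 output contains no NUL and avoids the whole class.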

20. ### Collisions
    When H(m1) = H(m2) and m1 ≠ m2
    • Plenty in MD4, MD5, SHA0
    • None in SHA1, SHA2
    • Forge signatures, distribute files with different behaviours, predict the future
    • Not HMAC, not pre-image
21. ### Brute Force
    n ≈ √(−2 · ln(1 − p)) · √d
    If p = 0.5 then n = 1.177 · √d
    √365 = 19
    √(2^128) = 2^64
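The following added example (not from the talk) turns the slide's birthday bound into a function and checks it empirically with a birthday search on a truncated MD5: the 32-bit truncation and the counter-based messages are this example's own construction, chosen so that d = 2^32 and a collision appears after roughly 1.177 · 2^16 trials on any laptop. The same bound is what makes 2^64 the cost of a generic collision search on a 128-bit digest.

```python
import hashlib
import math

# Added example, not from the slides: the birthday bound as a function, and a
# birthday search on a truncated digest to see the sqrt(d) behaviour.


def birthday_bound(p, d):
    """Trials n needed for a collision with probability p over d equally likely
    outputs: n ≈ sqrt(-2 ln(1 - p)) * sqrt(d), the formula on the slide."""
    return math.sqrt(-2.0 * math.log(1.0 - p)) * math.sqrt(d)


def truncated_md5(message, bits):
    """First `bits` bits of MD5 as an int: a toy hash with d = 2**bits outputs."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits=32):
    """Birthday search: hash constructed counter messages until two share a
    truncated digest. Returns (m1, m2, trials)."""
    seen = {}
    i = 0
    while True:
        m = b"msg-%d" % i            # constructed message
        h = truncated_md5(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    print(birthday_bound(0.5, 365))            # about 22.5 (the slide's sqrt(365) ~ 19, times 1.177)
    print(birthday_bound(0.5, 2 ** 128) / 2 ** 64)  # about 1.177
    m1, m2, trials = find_collision(32)
    print(m1, m2, trials, "expected about", round(birthday_bound(0.5, 2 ** 32)))
```

The search needs memory for every digest seen, which is why real collision searches on large d use cycle-finding instead of a dictionary; the point here is only that the trial count scales with √d, not with d.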
22. ### Wang Attack
    1. Start with a random message
    2. Create another message M’ with small diffs
    3. Modify the message so that certain bitwise conditions hold in the intermediate state
    4. Test for a collision; if not found, go to 1
23. ### Wang MD4
    ΔM = M − M’ = (Δm0, Δm1, ..., Δm15)
    Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16

26. ### Flame
    • Collision in X509 certificate
    • TSL certificate issued with no restrictions, therefore anyone could sign code
    • Did not work on Vista or Windows 7
    Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf
27. ### Links
    • http://cryptopals.com/
    • https://github.com/natmchugh/longEgg
    • https://marc-stevens.nl/research/
    • http://natmchugh.blogspot.co.uk/
    • http://www.win.tue.nl/hashclash/rogue-ca/