Slide 1

Slide 1 text

Hash Functions
And how not to use them
@natmchugh
Thursday, 12 February 15

Slide 2

Slide 2 text

Flame

Slide 3

Slide 3 text

e06723d4961a0a3f950e7786f3766338

Slide 4

Slide 4 text

e06723d4961a0a3f950e7786f3766338

Slide 5

Slide 5 text

Hash Functions

Slide 6

Slide 6 text

Hash Functions
SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST

Slide 7

Slide 7 text

Hash Functions
SHA1, SHA2, MD5, RIPEMD, TIGER, Whirlpool, HAVAL, GOST
CRC, City Hash, Joaat

Slide 8

Slide 8 text

Cryptographic Hash Functions
1. Pre-image resistance (one way): given hash cannot find m
2. Second pre-image resistance (weak collision resistance)
3. Collision resistance

Slide 9

Slide 9 text

Stolen from: https://www.coursera.org/course/crypto

Slide 10

Slide 10 text

MD4 in detail
MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0
a = 0x67452301
b = 0xefcdab89
c = 0x98badcfe
d = 0x10325476
F(b, c, d) = (((c ^ d) & b) ^ d)
a = 0x31d6cfe0
b = 0xd16ae931
c = 0xb73c59d7
d = 0xe0c089c0

Slide 11

Slide 11 text

Why do we need MAC?
secretMessage = '09e1c5f70a65ac519458e7e53f36';
plainText = 'attack at dawn'
key = plainText XOR secretMessage
newText = 'attack at dusk'
newSecretMessage = key XOR newText

Slide 12

Slide 12 text

MAC

Slide 13

Slide 13 text

MAC from hash functions
HASH(key || message)

Slide 14

Slide 14 text

MAC from hash functions
HASH(key || message)
HASH(key || orig-message || padding || new-message)

Slide 15

Slide 15 text

MAC from hash functions
HASH(key || message)
HASH(key || orig-message || padding || new-message)
plainText = 'attack at dawn\x0c...\x00tomorrow'

Slide 16

Slide 16 text

MAC from hash functions
HASH(key || message)
HASH(key || orig-message || padding || new-message)
plainText = 'attack at dawn\x0c...\x00tomorrow'
http://vnhacker.blogspot.co.uk/2009/09/flickrs-api-signature-forgery.html

Slide 17

Slide 17 text

HMAC
hash_hmac($algo, $data, $key);
HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))
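Added example, not from the original slides: the HMAC formula above built from a plain hash in Python and used to reject the "attack at dusk" modification from slide 11. The function names, the SHA-256 default and the choice to tag the secret message bytes are assumptions made for this illustration.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, algo: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m)), using hashlib only."""
    block = hashlib.new(algo).block_size       # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:                       # over-long keys are hashed first
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")            # then zero-padded to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(algo, ipad + msg).digest()
    # The outer hash wraps the inner digest under a second key-derived block,
    # so the published tag is not a state that more message can be appended to,
    # unlike HASH(key || message).
    return hashlib.new(algo, opad + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, algo: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, algo), tag)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def slide11_demo(mac_key: bytes):
    """Replay the slide 11 modification against a tagged secret message."""
    secret = bytes.fromhex("09e1c5f70a65ac519458e7e53f36")   # value from slide 11
    tag = hmac_manual(mac_key, secret)          # sender tags the secret message
    key = xor(secret, b"attack at dawn")        # key = plainText XOR secretMessage
    new_secret = xor(key, b"attack at dusk")    # newSecretMessage from slide 11
    # The receiver accepts the original and rejects the modified message.
    return verify(mac_key, secret, tag), verify(mac_key, new_secret, tag)


if __name__ == "__main__":
    demo_key = b"constructed demo MAC key"      # constructed sample value
    print(slide11_demo(demo_key))
```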

Slide 18

Slide 18 text

Password Storage
Different Security Criteria
Needs special construction e.g. KDF, salt and iterations
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
3 choices: bcrypt, scrypt & PBKDF2
But just use a library

Slide 19

Slide 19 text

Collisions
When H(m1) = H(m2) and m1 ≠ m2
Plenty in MD4, MD5, SHA0
None in SHA1, SHA2
Forge signatures, distribute files with different behaviors, predict future
not HMAC
not pre-image

Slide 20

Slide 20 text

Birthday Problem
n ≈ √(−2 * ln(1 − p)) * √d

Slide 21

Slide 21 text

Wang Attack
1. Start with random message
2. Create another message M’ with small diffs
3. Modify message so that certain bitwise conditions hold in intermediate state
4. Test for collision; if not found go to 1

Slide 22

Slide 22 text

Wang MD4
ΔM = M − M’ = (Δm0, Δm1, ......, Δm15)
Δm1 = 2^31, Δm2 = 2^31 − 2^28, Δm12 = −2^16

Slide 23

Slide 23 text

Wang Prefix
Wang works with any initial value. Can be used to build files with different behaviors but the same hash, using an if construct.

Slide 24

Slide 24 text

Chosen Prefix Collision

Slide 25

Slide 25 text

Flame
Stolen from: https://www.trailofbits.com/resources/flame-md5.pdf

Slide 26

Slide 26 text

Links
http://cryptopals.com/
https://marc-stevens.nl/research/
http://natmchugh.blogspot.co.uk/
http://www.win.tue.nl/hashclash/rogue-ca/