3/23/2020 1 Security of Hash Functions and MACs Security of Hash Functions and MACs Two categories: brute-force attacks and cryptanalysis. Brute-Force Attacks The nature of brute-force attacks differs somewhat for hash functions and MACs.
Hash Functions:
One-way: For any given code h, it is computationally infeasible to
find x such that H(x) = h. ● Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). ● Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
Muthukumar.A / ASP/ ECE / CNS / UNIT III /
3/23/2020 2 Security of Hash Functions and MACs Security of Hash Functions and MACs
For a hash code of length n, the level of effort required is
Message Authentication Codes:
A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. To attack a hash code, we can proceed in the following way. Security of Hash Functions and Macs fixed message x with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do this repeatedly off line. Muthukumar.A / ASP/ ECE / CNS / UNIT III / 3/23/2020 3 Security of Hash Functions and MACs Security of Hash Functions and MACs
Security property of a MAC algorithm:
Computation resistance: Given one or more text-MAC
pairs [xi, C(K, xi)], it is computationally infeasible to compute any text-MAC pair [x, C(K, x)] for any new input x≠xi. In other words, the attacker would like to come up with the valid MAC code for a given message x. There are two lines of attack possible: Attack the key space and attack the MAC value. If an attacker can determine the MAC key, then it is possible to generate a valid MAC value for any input x. Suppose the key size is k bits and that the attacker has one known text-MAC pair. Then the attacker can compute the n-bit MAC on the known text for all possible keys. At least one key is guaranteed to produce the correct MAC, namely, the valid key that was initially used to produce the known text-MAC pair. Muthukumar.A / ASP/ ECE / CNS / UNIT III / 3/23/2020 4 Security of Hash Functions and MACs Security of Hash Functions and MACs
Security property of a MAC algorithm (Cont):
This phase of the attack takes a level of effort proportional
to 2k However, as was described earlier, because the MAC is a many-to-one mapping, there may be other keys that produce the correct value. Thus, if more than one key is found to produce the correct value, additional text-MAC pairs must be tested. It can be shown that the level of effort drops off rapidly with each additional text-MAC pair and that the overall level of effort is roughly 2k.
Muthukumar.A / ASP/ ECE / CNS / UNIT III /
3/23/2020 5 Security of Hash Functions and MACs Cryptanalysis
As with encryption algorithms, cryptanalytic attacks on hash
functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. The way to measure the resistance of a hash or MAC algorithm to cryptanalysis is to compare its strength to the effort required for a brute-force attack. That is, an ideal hash or MAC algorithm will require a cryptanalytic effort greater than or equal to the brute- force effort.
Muthukumar.A / ASP/ ECE / CNS / UNIT III /
3/23/2020 6 Security of Hash Functions and MACs Hash Functions
The hash algorithm involves repeated use of a compression
function, f, that takes two inputs and produces an n-bit output. At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term compression. Muthukumar.A / ASP/ ECE / CNS / UNIT III / 3/23/2020 7 Security of Hash Functions and MACs Hash Functions
CVo = IV = initial n-bit value
CVi = f(CVi1, Yi1) 1≤ i ≤L H(M) = CVL. where the input to the hash function is a message M consisting of the blocks Yo, Y1,..., YL1.
Message Authentication Codes
There is much more variety in the structure of MACs than in
hash functions, so it is difficult to generalize about the cryptanalysis of MACs. Further, far less work has been done on developing such attacks.
Muthukumar.A / ASP/ ECE / CNS / UNIT III /
3/23/2020 8 Security of Hash Functions and MACs Summarize
Transformation of Cryptography: Fundamental concepts of Encryption, Milestones, Mega-Trends and sustainable Change in regard to Secret Communications and its Nomenclatura