ì Cryptographic Hash Functions · Cryptographic Hash Functions ì SHA-2 family –Safe (except for...

ìCryptographic Hash Functions

Fall2017SecureSoftwareSystems

Cryptographic Hash Functions

ì Input:Messageofarbitrarysize

ì Output:“Digest”(hashedoutput)offixedsize

Loreum ipsum 23sdfw83x8mjyacd6HashFunction

(messageofarbitrarysize) (digestoffixedsize)

ì DesignGoalsì Computinghashshouldbecomputationallycheapì Reversinghashshouldbecomputationally

expensive(“impossible”)– One-wayfunction

Loreum ipsum 23sdfw83x8mjyacd6HashFunction

(messageofarbitrarysize) (digestoffixedsize)

ì DesignGoalsì Changingthemessageasmallamountshould

producealargechangeinthedigestì Eachbitindigesthas50%chanceofflipping

Loreum ipsum 4ddf71e68243fb48HashFunction

Loreum Ipsum ce9c25cef29a8ea2HashFunction

ì DesignGoalsì Itshouldbevery(veryveryVERY)hardtofindtwo

differentmessagesthathavethesamedigest

Cryptographic Hash Uses

ì Securityì Digitalsignaturesì Messageauthentication

ì Generalcomputingì Detectduplicatefilesì Detectfilechanges/corruptionì Indexdatainhashtables

ì MD5– Don’tuse!ì Input→128bitdigest

ì SHA-1– Don’tuse!ì Input→160-bitdigestì Google,Apple,Microsoft,Mozillaretiredsupportfor

SHA-1signedSSL/TSL certificatesin‘16-’17

ì Vulnerabletocollisionattacksì AttackershavemadefakeSSLcertificates

https://shattered.io/February2017

Googleproducedtwodifferent PDFswithsameSHA-1hash asproofofdangerRequired9,223,372,036,854,775,808SHA1computations110yearsofSingle-GPUcomputation(butGooglehasmorethanoneGPU...)

https://shattered.io/February2017

ì SHA-2family– Safe(exceptforlengthextension)ì SHA-256(256-bitdigest,optimizedfor32-bitCPUs)ì SHA-512(512-bitdigest,optimizedfor64-bitCPUs)

ì SHA-3– Safe(including againstlengthextension)ì NIST Hashfunctioncompetition(2007-2012)

ì 51entriesround1,14round2,5finalistsì Winner:Keccakalgorithm

ì Efficientinhardwarebutslowinsoftwareì SHA3-256,SHA3-512,…

ì Blake2– Safeì AnotherSHA-3finalist

Length Extension Attacks

ì Olderhashalgorithmsoutputtheirentireinternalstateasthehashdigestì Attack:Pickupexactlywheretheyleftoff!

(Reconstructinternalstatefromhashdigest)

Plaintext Hash(md5,SHA-1,SHA-2)FundsXfer:Account123456:Amount:123

4ddf71e68243fb48ce9c25cef29a8ea2

FundsXfer:Account123456:Amount:123000

Load hashfunctionwithstateof4ddf71e68243fb48ce9c25cef29a8ea2Continuerunninghashfunctionoverextensionattackdigits 000Newhash:30c6ae0de5369c2637d5c541ef0095d8

Length Extension Attacks

ì HashPump:Atooltoexploitthehashlengthextensionattackinvarioushashingalgorithms.ì Currentlysupportedalgorithms:MD5,SHA1,

SHA256,SHA512(i.e.SHA2variants)ì https://github.com/bwall/HashPump

ì Real-worldattacksrequireabitofbruteforcing(trialanderror)toreconstructhashstatebutnothingimpossible

ìPassword Storage

Password Storage

Weagreethatit’shorrible tostoreplaintextpasswordsinadatabase,yes?

ì DatabasetheftinstantlygivesattackeralluserpasswordsLì Attackercouldberoguesystemadministrator…L

ì Humansre-usepasswordsacrossmanysitesL

ì Doesawebsitepasswordresettoolemailyouyouroriginalpassword?RUN!!!

Password Storage

ì Encryptingtheentiredatabasedoesn’thelpì Attackercouldeasilystealencryptionkeysalong

withdatabasedata– keysmustbeinthesystemsomewhere

ì Encryptingindividualpasswordsisasimilarheadacheì Wheretostorethekeys?ì Howtokeepthekeyssafe?ì Somanykeys!!

Warning!

Warning:CryptographicHashesforpasswordstoragearewrong!

Canhasheshelpus?

Password Storage

“Swordfish” 4ddf71e68243fb4HashFunction

alice@abc.compassword:🙋

ì Alice’splaintextpasswordcan’tbeinstantlyreversedfromthehashifdatabasestolen✔

ì ButwhatifBobhasthesamepassword?HewillhavethesamehashL

Password Storage

ì Humanschooseterrible passwords:ì password,swordfish,

passw0rd,etc…

ì Thereareonlyafewplausiblehashfunctionsinwidespreaduse

ì Attackerscanpre-compute hashesforlikelypasswords(dictionarywordsandpermutations)ì Savein“rainbowtable”ì Searchforaquickmatch!

Password Lists

ì Largelistsoflikelypasswordsareassembledbyattackersfrompriorpasswordleaks(real-worlddata)

ì Free/cheapoptionforyourdownloadingconvenienceì https://crackstation.net/buy-crackstation-wordlist-

password-cracking-dictionary.htmì 15GBuncompressedì Startingguessingat“password123”insteadof

“aaaaaaaa”

Password Storage

ì Improvement:Don’thash{password}ì Insteadhash{salt|password}

ì “Salt”islarge(160bit)cryptographicallyrandomnumberappended/prependedtopassword

ì Bestpracticeì Uniquesaltperuser,notper-systemì Storethisindatabasealongwithhash

ì Rainbowtablesnowworthlessì Wouldneedarainbowtableforeach

2160 saltvalues)

Password Storage

ì Manysystemsusejustasinglesalt,soanattackeronlyneedstocomputeonerainbowtableL

ì Per-usersaltsarestillfundamentallybroken,justharder tocrackLì Cryptographichashfunctionsareintendedtobefastì Attackersthatstealyourdatabasealsohaveyour

salt.WithGPUs theycanbrute-forceallpossiblepasswords(followingthepasswordlistandpermutations)

ì Broken? Notinstantly.Butvulnerable?Yes

Password Storage

“Pleasestophashingpasswords”https://blog.tjll.net/please-stop-hashing-passwords/

Password Storage

ì PasswordstorageshoulduseaKeyDerivationFunction (KDF)insteadì Itlookslikeahashfunction,buthasacompletely

differentdesigngoal

ì Designgoalsì KDF:hard tocompute

ì Ideally,asslowasyouruserswilltoleratewithoutswitchingtoacompetitorproduct!

ì Cryptographichash:Easytocompute

Key Derivation Functions

ì Bcrypt – goodì Tunabletime-hard– youcanconfigurehowmuch

CPUtimeittakestocalculateahash keyì CPUsgettingfaster?Tunebcrypt totakemoretime!

ì Scrypt – goodì Tunabletime(CPU)andspace(memory)hardì GPUsbrute-forcingishamperedduetomemory

requirements

ì Important:StillusesaltwithKDF algorithms

https://blog.tjll.net/please-stop-hashing-passwords/(CORS policyrequireschangingJavaScripttoloadJSON

overHTTPStogetinteractivegraphtoappear…)

Comparinghashfunctionsbytimetogeneratedigestmd5,sha1,sha2,sha3,pbkdf2

Howdoyouthinkbcrypt andscrypt willcompare?

https://blog.tjll.net/please-stop-hashing-passwords/(CORS policyrequireschangingJavaScripttoloadJSON

overHTTPStogetinteractivegraphtoappear…)

Originalhashes(md5,sha1,sha2,sha3,pbkdf2)arenotevenvisibleatthebottom!

Y-axis (original):0.00– 0.25sY-axis(new):0-600s

ì Rubyscripttogenerateyourowndatasetì https://gist.github.com/tylerjl/10802499

ì Cryptographic Hash Functions · Cryptographic Hash Functions ì SHA-2 family –Safe (except for...

Documents

Transcript of ì Cryptographic Hash Functions · Cryptographic Hash Functions ì SHA-2 family –Safe (except for...

Abacus: A Candidate for SHA-3 - Cryptographic hash function · Abacus: A Candidate for SHA-3 Neil Sholer WaveStrong, Inc. neil@wavestrong.com Version 1.0 - October 29th, 2008 Abstract.

The rst collision for full SHA-1 - SHAttered · The rst collision for full SHA-1 Marc Stevens1, Elie Bursztein2, ... Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash

Implementing SHA-1 and SHA-2 Standards on the Eve of SHA-3 ...mason.gmu.edu/~mrogawsk/arch/cryptoarchi2009_talk.pdf · SHA-1 and SHA-2 facts SHA-1 SHA-256 SHA-512 publication in year

Network Security - Central Washington University · Message digests (also called cryptographic hash) can “stand for” messages in protocols, e.g., authentication • Example: SHA-1

Cryptographic Assumptions: A Position Paper · PDF fileCryptographic Assumptions: A Position Paper Sha Goldwasser Yael Tauman Kalai y Abstract The mission of theoretical cryptography

Migrating to SHA-2 Certificates - Secure Transactions · Secure Hash Algorithm (SHA) is a type of cryptographic hash function that ensures data has not been modified. ... SHA-512,

Amélioration des adresses CGA et du protocole SEND pour un ...and the SEND protocol, cryptographic algorithm selection mechanism, address sha-ring, ...) we proved that these modi

Descriptions of SHA-256, SHA-384, and SHA-512 from NIST

SHA-1 Cryptographic Hash Unit - Harvey Mudd Collegepages.hmc.edu/harris/class/e158/10/proj2/baranbuik.pdf · 2020. 3. 2. · The SHA-1 cryptographic hash algorithm operates on 32-bit

MD5 RIPEMD-160 SHA-1 1 Abstract Cryptographic hash functions have been designed in the first place to protect the authenticity of information.. As a practical cryptographic hash functions,

Cryptographic Hash Functionssuman/security_1/crypto_summary.pdf · SHA-1 (Secure Hash Algorithm) • Recently broken & deprecated SHA-256, SHA-3 • Still secure and recommended .

Cryptography and Network Security Sicurezza delle …SSL, RC2 was also used. • For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used for TLS, MD5 and SHA for SSL, while

ความผูกพันใน SHA SHA Engagement¸.ดวงสมร SHA...ประเมินค่าความผูกพันอย่างถูกต้อง

Cryptographic Hash Funcitonsjain/cse571-17/ftp/l_11chf.pdf · Cryptographic Hash Functions 2. Applications of Crypto Hash Functions 3. Birthday Problem 4. Secure Hash Algorithm (SHA)

The cryptography of Bitcoin - Amazon S3 · ("mining") Cryptographic ingredients Bitcoin ledger Hash functions (SHA-256, RIPEMD-160) Cryptographic puzzles (Hashcash with SHA-256) Digital

Attacks on Cryptographic Hash Functions with Special Focus ... · Referat Attacker på kryptograﬁska hashfunktioner Med särskilt fokus på MD5 och SHA-0 ... In the case of digital

TRUSTED COMPUTING - TUD · 2020. 1. 14. · TPM is cryptographic coprocessor: RSA (encryption, signatures), AES (encryption), SHA-1 (cryptographic hashes) Other crypto schemes (e.g.,

MIGRATE TO SHA-2: IMPLICATIONS & NEXT STEPS...Migrate to SHA-2: implications and next steps WHAT IS SHA? • Hashing algorithm Cryptographic hash function to transform an input (message)

Finding Near-Optimum Message Scheduling Settings for SHA ...The Secure Hash Algorithm (SHA) is a series of cryptographic hash functions pub-lished by the US National Institute of Standards

Dynamic SHA-2 - IACRDynamic SHA-2 Zijie Xu E-mail: xuzijiewz@gmail.com Abstract. In this paper I describe the construction of Dynamic SHA-2 family of cryptographic hash functions.