Cryptographic hash function

Defined:

The hash function h takes the variable-length data block M as input, producing a fixed-length hash value h = h (m).

Called M is the original image of H. Because H is a many-to-one mapping, there are multiple primitives for any given hash value H. If x≠y is met and H (x) =h (y), it is called a collision .

Application:

Used to verify the integrity of the data, that is, to determine whether the data has been tampered with.

the definition of cryptographic Hash function :

A Hash function used in a security application .

Cryptography Hash function application:

　　1. Message Authentication

Hash codes can be used to provide message authentication by the following different methods

　　　　

A) Use symmetric password E to encrypt messages and hash codes, because only A and B share the key k, so the message must be from a, and can verify the hash code to prove that the data has not been changed during transmission.

b) Use a symmetric password to encrypt only the hash code. This scheme greatly reduces the burden of cryptographic operations because plaintext is not required for cryptographic applications.

c) Do not use cryptographic algorithms, only use the hash function to implement message validation. In this scheme, the communicating parties share the same secret value s, and sender a computes its hash value after concatenating the message m and the secret value s, and sends the resulting hash value after the message m. Because receiver B has the S value at the same time, it is able to recalculate the hash value for verification.

D) Encrypt the entire message and hash value on the basis of scenario C to provide confidentiality.

In terms of cost and speed, people are increasingly interested in methods that do not contain cryptographic functions, so B and C schemes are more favored, but a and d still have practical implications if the entire message is encrypted.

In practical applications, message authentication is usually implemented using message authentication codes (MACS). The Mac function takes the key and block of data shared by both parties as input, generates a hash value as a Mac code, and then passes or stores the MAC code along with the protected message. When you need to check the integrity of the message, use the Mac function to recalculate the message and compare the results to the stored Mac code. The MAC provides security against attackers who do not know the key. In implementation, Mac functions that are more efficient than cryptographic algorithms are often used.

2. Digital signature

　　Digital signatures are more widely used than message authentication. There are two main options:

　　

A) Use the sender's private key to encrypt the hash code using the public key cryptography algorithm. This method can also provide authentication, because only the sender can produce encrypted hash code, so this method also provides a digital signature.

b) If you want to guarantee the confidentiality and want to have a digital signature, then use the sender's private key to encrypt the hash code, and then use the symmetric Password key object message and public key algorithm encryption results encryption, this technology is more commonly used.

　　3. Other applications

For hash functions, it is often used to generate a one-way password file. In the operating system, the hash value of the password is stored instead of the password itself, and when the user enters the password, the operating system will authenticate the user with the hash value of the input password and the hash value stored in the password file.

Hash functions can also be used for intrusion detection and virus detection. The hash value H (f) For each file is stored in a security system (such as a CD-R), which can then be recalculated by recalculating H (f) To determine if the file has been modified. Intruders can only change F, not change H (f)

Cryptographic hash functions can be used to construct a random function PRF or as a pseudo-random number generator. A PRF based on hash function can be used to generate a key in a symmetric cipher.

The security requirement of cryptographic hash function

　　

　　weak hash function: Only the hash function satisfies the first five requirements above.

　　Strong hash function: The hash function satisfies the first six requirements above.

The strong hash function is guaranteed to protect against the following attacks: Suppose Bob writes a promissory note and sends Alice,alice a signature endorsement on the IOU. If Bob can find two messages with the same hash value, one of which requires Alice to return a small amount and a large amount, then let Alice sign the first small IOU, Bob can claim that the second IOU is true (the signature of Alice in the first IOU is attached to the second IOU).

Demonstrates the relationship between antigen-like attacks, anti-weak collision attacks, and strong collision attacks

　　

In the traditional concept, pseudo-randomness is not used as the security requirement of cryptographic hash function, but it is more or less required in practical application. Cryptographic hash functions are commonly used for key generation, pseudo-random number generators, and message integrity applications, and the above three applications require that the output of a hash function be random.

　　

The attack on the hash function

　　1. Exhaustive attack

A) image attack and second original image attack

The attacker attempts to find the Y that satisfies h (y) = h for the given hash value H. The method of exhaustive attack is to randomly select Y, and try to calculate its hash value to know the collision occurs. For the M-bit hash value, the size of the exhaustive is approximately 2m, and the average number of attempts by an attacker is 2m-1 to find a Y value that satisfies the H (Y) =h.

　　b) Collision attack

For a collision attack, the attacker tries to find two messages or blocks x and y, satisfying H (x) =h (y), which is relatively small in size compared to the original attack and the second image attack, which is confirmed by the mathematical birthday paradox. In essence, if we select random integer variables within a uniformly distributed range of 0 to N-1, then the probability of repetition occurring after N1/2 is more than 0.5. Therefore, for the M-bit hash value, if we randomly select a block of data, we expect to find two blocks with the same hash value after 2M/2 attempts.

Yuval proposes the following strategies for collision attacks:

1, sender A is ready to sign the text message x (not yet signed, but can be expected to sign the contents of the file), its use is: A's private key to the M-bit hash code encryption and the encrypted hash code appended to the message.

2, the attacker produces the message x 2M/2 type variable x ', each variable expression of the same meaning, the message and the corresponding hash value stored.

It is not difficult to produce multiple variable with the same meaning, for example, an attacker could insert several "space-space-backspace" character pairs between the words and words of a file, and then replace them with "space-backspace-space" in the instance, resulting in various types of variation. An attacker could also simply change some words in the message without changing the meaning of the message.

3, the attacker is prepared to forge a message y, and want to obtain a signature, only need to forge Y's variable y ', and then calculate H (Y '), and with all H (X ') is compared, until the collision occurs.

4, the attacker will crash the message X ' provided to a signature, and then attach the signature to the forged message y '. In this way, the attacker obtains a digitally signed message y without knowing the a key and can make a profit.

2. Password analysis

The password analysis attack on the hash function is also an attack by using some nature of the algorithm rather than by means of a poor lifting. The ideal hash function algorithm requires that the cost of a password analysis attack be greater than or equal to the cost of a brute-lift attack.

　　

Cryptographic hash function