Introduction CS 239 Security for Networks and System Software

More on Hashing and Security
• Hashing is useful for various security purposes
– Message authentication codes
– Hash chains
• Breaks on hash algorithms have various bad security effects
CS 236 Online
Lecture 5
Page 1
Thinking More About Hashing
• What is a hashing function?
• Takes one value and produces another
– The output can’t be used to determine the input
• For many hash functions
– But the output is also not computable without the input
The Basic Hash Operation
• X’ = H(X)
1. Can’t guess X based on X’
2. Can’t produce X’ without knowing X
3. Given X’, H(), and X, can’t produce Y such that H(Y) = X’
• So, given H(), only someone knowing X could have produced X’
Message Authentication Codes
• MACs
• Essentially something to authenticate that a message hasn’t changed
• A kind of digital signature
• Usually used in communications contexts
Authenticating a Message
• Could just sign message with public keys
• Could hash message and sign with public key
• What if you don’t need to authenticate originator?
– Just need to be sure it hasn’t changed
– Typical case for a MAC
Basic MAC
• Take message X
• Hash it with function H()
– Getting X’
• Attach X’ to X
• Receiver checks that X and X’ match
– By repeating hash operation H() on X
A Little Problem
• If everyone knows H(), everyone can create X’
• Worse, everyone can take Y and produce “proper” Y’
• Attacker can replace X/X’ message with Y/Y’ message
• Often need to prevent that . . .
Keyed Hashes
• Use HMACs, instead
– keyed-Hash Message Authentication Codes
• Feed secret key into input of a hash function
– H(X,K)
• Often H() is ordinary hash function
– Typically by combining key with input
– In slightly complex way
– Feed combination into hash function
• Cheaper than hashing and PK signature of hash
Security of Keyed Hash Functions
• Attacker assumed to know H() and X’
• Often knows X
– Since hash is used as MAC
• Doesn’t know K
• If hash function is good, can’t create proper Y’ for arbitrary Y
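The substitution problem from "A Little Problem" and the keyed-hash fix, as an added example that is not part of the original slides. It assumes SHA-256 as H() and Python's standard hmac module as the keyed hash; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret-K"  # constructed sample key K, held by sender and receiver only


def plain_tag(message: bytes) -> bytes:
    """Basic MAC from the slides: X' = H(X), with a public H()."""
    return hashlib.sha256(message).digest()


def plain_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(message), tag)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash H(X, K), here the standard HMAC construction over SHA-256."""
    return hmac.new(key, message, hashlib.sha256).digest()


def keyed_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def substitution_results() -> dict:
    """Swap message X for Y in transit and report what each receiver accepts."""
    x = b"transfer 10 to account A"  # constructed sample messages
    y = b"transfer 9000 to account B"
    tag_x = keyed_tag(KEY, x)
    return {
        # Anyone can compute H(Y), so the unkeyed receiver accepts Y/Y'.
        "plain_accepts_substitute": plain_verify(y, plain_tag(y)),
        # Without K, neither H(Y) nor the old tag verifies against Y.
        "hmac_accepts_unkeyed_tag": keyed_verify(KEY, y, plain_tag(y)),
        "hmac_accepts_reused_tag": keyed_verify(KEY, y, tag_x),
        # The unmodified message still verifies.
        "hmac_accepts_original": keyed_verify(KEY, x, tag_x),
    }


if __name__ == "__main__":
    for name, accepted in substitution_results().items():
        print(f"{name}: {accepted}")
```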
Hash Security Properties and HMACs
1. Can’t guess X based on X’
• Important, since X “includes” key
2. Can’t produce X’ without knowing X
• Otherwise attacker can forge messages
3. Given X’, H(), and X, can’t produce Y such that H(Y) = X’
• Otherwise attacker can create new message with old HMAC
Hash Chains
• Say I start with a value X
Now I apply hash function H()
Now I apply H() repetitively to the results
H X  H X H X  H X  H X 
X
X 
X 
X 
X 
X 
That’s a hash chain
Properties of a Hash Chain
[Diagram: the hash chain of values starting at X]
• Generally, the values are pseudorandom
• X and X’ are not obviously related
• If you don’t know H(), the next link is unpredictable
• X is not derivable from X’
• Even if you do know H()
• So X can be secret, even if you know X’ and H()
Using Hash Chains
• Cryptographic key generation
– Create a key
– Use it for a while
– Then use secret hash function on that key to create a new one
• If the hash’s pseudorandom and nonreversible properties are strong, relatively safe
Reverse Hash Chains
• Generate a hash chain
– Of some chosen length
[Diagram: the hash chain of values starting at X]
• Then reverse it
[Diagram: the same values listed in reverse order, ending at X]
What’s So Great About That?
• I know the entire reverse hash chain
• I can gradually tell others about it, element by element
• When they know X , what can I now do?
• I can tell them about X 
– They now know something useful
OK, What Do They Know?
• That I knew X when I told them X 
• They can check that with the hash
• So both messages come from the same source
• If they authenticated the first message, the hash value authenticates the second
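The reverse hash chain disclosure and the receiver's check, as an added example that is not part of the original slides. It assumes SHA-256 as H() and that the receiver authenticated the end of the chain by some other means; the seed, chain length and the names build_chain and Verifier are constructed for illustration.

```python
import hashlib
import hmac


def H(value: bytes) -> bytes:
    """One application of the hash function (SHA-256 assumed here)."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, length: int) -> list:
    """Return [X, H(X), H(H(X)), ...] with `length` applications of H()."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


class Verifier:
    """Receiver that holds only the most recently accepted chain value."""

    def __init__(self, anchor: bytes):
        # The anchor is the last value of the chain, authenticated out of band.
        self.last = anchor

    def accept(self, revealed: bytes) -> bool:
        # A genuine next disclosure hashes to the value we already trust.
        if hmac.compare_digest(H(revealed), self.last):
            self.last = revealed
            return True
        return False


def disclosure_results() -> list:
    chain = build_chain(b"constructed-secret-seed", 5)  # constructed sample seed
    receiver = Verifier(chain[-1])
    return [
        receiver.accept(chain[-2]),            # next link in reverse order
        receiver.accept(chain[-3]),            # and the one before it
        receiver.accept(b"not a chain value"),  # value from another source
        receiver.accept(chain[-3]),            # replay of an already used link
        receiver.accept(chain[-4]),            # chain continues after rejections
    ]


if __name__ == "__main__":
    print(disclosure_results())
```

Each accepted value costs the receiver one hash computation, which is the low per-message cost the slides refer to.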
Complications
• There are serious issues with this
– Cut-and-paste attacks
– Man-in-the-middle
– We’ll discuss these later
• But proper use can allow most authentications to pay hash costs
– Much lower than other crypto costs
What If Hash Is Broken?
• What if:
– You can guess X based on X’?
– You can produce X’ without knowing X
– Given X’, H(), and X, you can produce Y such that H(Y) = X’
• Which of these produce problems for hash chains?
For Example, The SHA-1 Break
• Given X, can calculate a Y that hashes to X’ (using SHA-1)
• Means that hash signature of X also matches Y
• So attacker can replace X with Y
• When is that bad?