Cryptographic Hash Functions

by Hazrul Aaron.


Can symmetric cryptography meet the requirements of the Biba model, based on the data integrity checks and proper authentication?

The answer is "yes," but in a very inefficient way. Recall the practical authentication example with the UNIX (well, Linux in our case) password encryption flaw when DES in ECB mode is used. Of course, any of the feedback modes or 128-bit block ciphers can be used instead of DES, with the obvious performance penalties. However, in our example, MD5 scales very well. A cryptographic hash function is an algorithm that takes a message of arbitrary length and produces a fixed-length output, called a fingerprint or message digest. Cryptographic hash functions are also called one-way functions, because they are designed in such a way that obtaining the original plaintext from the digest is nearly impossible and computationally infeasible (in theory, anyway).

A good example of practical one-way function use is packet integrity preservation. Traditional insecure packet or frame checksums are usually calculated as the bit length of a protocol data unit (PDU) divided by a prime number. A cracker can modify the data inside the packet and easily adjust the checksum to match the new packet content. With a cryptographic hash function substituting for the checksum, such a task is simply impossible as long as the hash function is strong and correctly implemented. Many packets will pass before the cracker eventually gets the job done and, most likely, by that time the packet's protocol will have become obsolete. An example of such an improvement is Michael (MIC) in TKIP, which replaces the traditional CRC-32-style integrity check vector (ICV) used by WEP. Michael is not exactly a one-way hash; it is closer to the hash-based message authentication codes (HMACs), which we review later.
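The contrast between a CRC-style check and the HMAC-style keyed check that the passage above mentions for Michael, as an added example that is not part of the original article. The key, payload and function names are constructed for illustration, and HMAC-SHA256 stands in for a keyed integrity check; it is not the Michael algorithm.

```python
import hashlib
import hmac
import struct
import zlib

KEY = b"constructed-shared-secret"  # assumption: known only to the two endpoints


def seal_crc(payload: bytes) -> bytes:
    """Append an unkeyed CRC-32, the style of check the text attributes to WEP's ICV."""
    return payload + struct.pack("<I", zlib.crc32(payload))


def check_crc(frame: bytes) -> bool:
    payload, icv = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(payload)) == icv


def seal_mac(payload: bytes, key: bytes = KEY) -> bytes:
    """Append a keyed HMAC-SHA256 tag instead of a checksum."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_mac(frame: bytes, key: bytes = KEY) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def tamper(frame: bytes, trailer_len: int) -> bytes:
    """Model an in-transit modification: payload changes, old trailer is kept."""
    payload, trailer = frame[:-trailer_len], frame[-trailer_len:]
    return payload.replace(b"amount=10", b"amount=99") + trailer


original = b"to=alice;amount=10"  # constructed sample payload

# CRC-32: the stale trailer is rejected, but no secret is needed for a fresh one.
stale_crc = tamper(seal_crc(original), 4)
resealed_crc = seal_crc(stale_crc[:-4])

# HMAC: the stale tag is rejected, and a tag made with the wrong key fails too.
stale_mac = tamper(seal_mac(original), 32)
resealed_without_key = seal_mac(stale_mac[:-32], key=b"wrong-guess")
```

A receiver that only runs check_crc accepts resealed_crc, while check_mac rejects every modified frame unless the sender held KEY.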

The design of a strong cryptographic hash function depends on the size of its output (the larger, the better, but using huge data fingerprints is impractical) and on avoiding collisions. A collision is a condition in which you can find two different strings of data (messages) that produce the same hash function output: x != x', but hash(x) = hash(x'). If a collision is possible, then x can be successfully replaced by x', and a whole class of attacks on the function, called birthday attacks, becomes possible. Birthday attacks are based on a well-known statistical problem known as the birthday paradox. You need an estimated 253 people in the room for the chance to be greater than even that one of them shares your birthday. However, you need only 23 people in the room for the chance to be greater than even that at least two of them share the same birthday. That is because with only 23 people in the room, there are still 253 different pairs of people present!

How does one brute-force a hash function? By taking various data (usually a dictionary), hashing it with the same function, and comparing the result with the hash you are brute-forcing until you get the same hash. If matching a given hash means brute-forcing 2^x messages, then finding any two messages that hash to the same value means brute-forcing only 2^(x/2) messages, a huge difference!
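The birthday figures and the 2^x versus 2^(x/2) gap from the two paragraphs above, worked through as an added example that is not part of the original article. SHA-256 truncated to 16 bits is an assumption made so both searches finish in well under a second; the message strings and function names are constructed.

```python
import hashlib

BITS = 16  # assumption: digest truncated to 16 bits so both searches finish quickly


def tiny_hash(msg: bytes) -> int:
    """First BITS bits of SHA-256, standing in for a hash with x = BITS."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - BITS)


def p_shared_birthday(n: int) -> float:
    """Chance that at least two of n people share a birthday (365 days)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (365 - i) / 365
    return 1 - p_distinct


def p_matches_mine(n: int) -> float:
    """Chance that at least one of n other people has my birthday."""
    return 1 - (364 / 365) ** n


def find_collision():
    """Hash msg-0, msg-1, ... until any two digests match (about 2^(x/2) work)."""
    seen = {}
    i = 0
    while True:
        m = b"msg-%d" % i
        h = tiny_hash(m)
        if h in seen:
            return seen[h], m, i + 1  # the two messages and hashes computed
        seen[h] = m
        i += 1


def find_match(target: int, limit: int = 1 << 22):
    """Hash guess-0, guess-1, ... until one digest equals a fixed target (about 2^x work)."""
    for i in range(limit):
        m = b"guess-%d" % i
        if tiny_hash(m) == target:
            return m, i + 1
    return None, limit


if __name__ == "__main__":
    print("collision after", find_collision()[2], "hashes")
    print("fixed-target match after", find_match(tiny_hash(b"constructed target"))[1], "hashes")
```

Raising BITS shows why output size matters: each extra bit doubles the fixed-target search, but it takes two extra bits to double the collision search.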
