Friday, February 12, 2016

Why we need to move to SHA2

In the context of SSL, the purpose of hashing is to reduce the size of a message (e.g. a certificate) for use with a digital signature algorithm. The hash value, or message digest, is then signed so that an end user can validate the certificate and ensure it was issued by a trusted certification authority. In the past we used MD5 for hashing; we now primarily use SHA-1 while beginning the transition to SHA-2, and will have SHA-3 when it becomes available in the future.

The main attacks on hash functions are the following:

1) Collision: A collision attack occurs when it is possible to find two different messages that hash to the same value. A collision attack against a CA happens at the time of certificate issuance. In a past attack against MD5, the attacker was able to create a pair of colliding messages, one of which represented the contents of a benign end-entity certificate and the other of which formed the contents of a malicious CA certificate. Once the end-entity certificate was signed by the CA, the attacker reused the digital signature to produce the fraudulent CA certificate. The attacker then used their CA certificate to issue fraudulent end-entity certificates for any domain. Collision attacks can be mitigated by putting entropy into the certificate, which makes it difficult for the attacker to guess the exact contents of the certificate.

2) Second pre-image: In a second pre-image attack, a second message can be found that hashes to the same value as a given message. This allows an attacker to create a fraudulent certificate at any time, not just at the time of certificate issuance. SHA-1 is currently resistant to second pre-image attacks.

3) Pre-image: A pre-image attack is an attack against the one-way property of a hash function. In a pre-image attack, a message can be determined that hashes to a given value. This could allow a password attack, where the attacker determines the password from the hash of the password found in a database. SHA-1 is currently resistant to pre-image attacks.

Attacks against hash functions are measured against the length of time required to perform a brute-force attack, in which messages are selected at random and hashed until a collision or pre-image is found. The time required to find a collision by brute force is approximately 2^(n/2), where n is the bit length of the hash. To find a pre-image or second pre-image, the time required is 2^n. Based on Moore's law as the devices 
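The gap between the two brute-force costs described above can be measured on a hash small enough to search. This is an added example, not code from the original post. It assumes SHA-1 truncated to 16 bits as a stand-in for an n-bit hash and uses sequential constructed messages instead of random ones so that runs are repeatable; all function names are hypothetical.

```python
import hashlib

def truncated_sha1(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(message); stands in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)

def find_collision(bits: int, label: bytes):
    """Hash distinct messages until ANY two share a digest (~2^(n/2) tries)."""
    seen = {}  # digest -> first message that produced it
    attempts = 0
    while True:
        message = label + b"-collision-" + str(attempts).encode()
        attempts += 1
        digest = truncated_sha1(message, bits)
        if digest in seen:
            return seen[digest], message, attempts
        seen[digest] = message

def find_second_preimage(bits: int, given: bytes, label: bytes):
    """Hash messages until one matches the digest of `given` (~2^n tries)."""
    target = truncated_sha1(given, bits)
    attempts = 0
    while True:
        candidate = label + b"-second-" + str(attempts).encode()
        attempts += 1
        if candidate != given and truncated_sha1(candidate, bits) == target:
            return candidate, attempts

def compare(bits: int = 16, trials: int = 8):
    """Average attempts for both searches over several independent runs."""
    collision_total = preimage_total = 0
    for t in range(trials):
        label = b"trial%d" % t  # constructed sample input
        collision_total += find_collision(bits, label)[2]
        preimage_total += find_second_preimage(bits, label + b"-given", label)[1]
    return collision_total / trials, preimage_total / trials

if __name__ == "__main__":
    avg_collision, avg_second = compare()
    print(f"collision: ~{avg_collision:.0f} tries (2^8 = 256)")
    print(f"second pre-image: ~{avg_second:.0f} tries (2^16 = 65536)")
```

At SHA-1's full 160 bits the same two searches cost about 2^80 and 2^160 operations, which is why collision resistance is the first property to fall as computing power grows.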

