CSCI321 Project Proposal

Project Group SS14/1C

Project Topic : DSS-14-S1-12: Hash Kit

Project Members: Sim Aik Chun 4234716 Ian Chua Zhi Ying 4442416 Ng Yuet Yong 4235320 Ong Wei Liang Eugene 4235289 Weng Xian 4443822

acsim001@mymail.sim.edu.sg zyichua001@mymail.sim.edu.sg yyng011@mymail.sim.edu.sg wleong004@mymail.sim.edu.sg xweng0041@mymail.sim.edu.sg

Page 1

CSCI321 Project Proposal

Project Group SS14/1C

Table of Contents
Introduction .............................................................................................................................. 4 Definitions ................................................................................................................................ 5 Hashing .................................................................................................................................. 5 Cryptographic Hash function .................................................................................................. 5 Project Description .................................................................................................................. 6 Requirements ......................................................................................................................... 6 Functional Requirements .................................................................................................... 6 Non-Functional Requirements............................................................................................. 6 Justification of the requirements ............................................................................................. 7 Software development methodology ...................................................................................... 8 Rational unified Process (RUP) .............................................................................................. 8 Four phases ........................................................................................................................... 8 Why Rational Unified Process (RUP)?.................................................................................... 8 Currently available Hash kits .................................................................................................. 9 Market Survey ........................................................................................................................ 9 Screenshots ..........................................................................................................................10 Cryptool 2 ..........................................................................................................................10 Hash analyzer ....................................................................................................................11 Hash Collision Probability Calculator..................................................................................13 Advantages/Disadvantages ...................................................................................................14 Cryptool 2 ..........................................................................................................................14 Hash Analyzer ...................................................................................................................14 Hash Collision Probability Calculator..................................................................................14 Comparison ...........................................................................................................................15 Technical Details.......................................................................................................................15 Software coding languages ...................................................................................................15 Framework ............................................................................................................................16 Software development applications .......................................................................................16 Database ...............................................................................................................................16

Page 2

CSCI321 Project Proposal

Project Group SS14/1C

Techniques ............................................................................................................................16 Project Summary ......................................................................................................................18 References ..............................................................................................................................19

Page 3

CSCI321 Project Proposal

Project Group SS14/1C

Introduction
Our project is to produce a tool for analysing hash functions, cryptographic and otherwise. There are various tests that can be applied to test for the occurrence of collisions for example, and these should be implemented. While some properties are required for cryptographic functions, some other properties are required for other purposes. Hash functions with small enough message digests, should be possible to completely analysed, rather than just statistically analyse them. When you hash the result of a hash you continue to stay in the message digest space. Continuing this process will eventually result in a cycle in this hash chain. For hash functions with small message digests is should be possible to construct complete resolution of the cycle structures of the hash chain and to represent it in an interesting way. Our scope of this project is to provide users with an online hash kit application to do analysis of hash functions. This application is to generate informative properties such as collision rates, pre-image and second pre-image attack resistance.

Page 4

CSCI321 Project Proposal

Project Group SS14/1C

Definitions
Hashing
A transformation of a string of characters into a usually shorter fixed length value or key that represents the original string.It is used for index and retrieve items in a database because it is faster to find the item using a shorter hashed key than to find it using the original value but in our case, we will using it for our encryption [1].

Cryptographic Hash function

A hash function that takes an arbitrary block of data and return a fixed-size bit string, the cryptographic hash value (sometimes, it is called message digest) and it should not be easily decrypted into plain text and also to protect the integrity and confidentiality of the transmitted message. There are variety of usable functions which can serve the same purposes but there might be broken functions which may jeopardise the communication of both parties. Below is a table of hash functions that interest us:

Page 5

CSCI321 Project Proposal

Project Group SS14/1C

Project Description
Requirements
Functional Requirements
GUI Implementation User can input message digest into the application. User can upload a text file for processing as well Compute collision resistance Compute pre-image resistance Compute 2nd pre-image resistance Output collision rate, etc. Give User option to save output as text file. Online interactive website. The website will allow users to sign up, login in and do their relevant testing Comparison between hash functions Notifications will be sent to users once the hash functions have produced results

Non-Functional Requirements
User-friendly, consistent GUI Multi-threading Processing. Compatibility (E.g. Chrome, IE FireFox Browsers.)(Backward) Fault Tolerance (Exception Handling/memory leaks) Good Documentation for users

Page 6

CSCI321 Project Proposal

Project Group SS14/1C

For developers that require security implementation to reference and determine which are the suitable algorithms available that they can applied to their projects. Computer-security students would also benefit from clear depiction of the various hash functions and their properties.

Justification of the requirements

The functional requirements are determined from the perspective of our target audience. Online hash kit application would have to have a simple and clear interface for the user to derive the results that he/she wants. Since developers and/or IT-security students could have large amount of data to be processed for either their projects or personal learning, by including a feature to upload a text file will be a useful feature for them. We also decided to add informative notes about IT-security so that students can learn while using our application. The non-functional requirements are derived to facilitate an enjoyable user experience that isnt clunky, slow or hard to navigate.

Page 7

CSCI321 Project Proposal

Project Group SS14/1C

Software development methodology

Rational unified Process (RUP)
A comprehensive process framework that provides industry-tested practices for software and systems delivery and implementation and for effective project management.it promotes iterative development of software and systems into four phases, each consisting of one or more excutable iterations of the software at the stage of development.[5]

Four phases
Inception - to scope the system adequately as a basis for validating initial costing and budgets) Elaboration - to mitigate the key risk items identified by analysis up to the end of this phase) Construction - to build the software system) Transition - to transit the system from development to production)

Why Rational Unified Process (RUP)?

After much consideration, Rational Unified Process stands out the most, and is most suitable for this project. It encourages concurrent workflows across the entire cycle and it mainly focus on the scope thus the group will not sidetrack instead of using a project backlog after every iteration. It is also due to time constraint that the concurrent workflow property of RUP could help us in completing the project punctually.Rational Unified Process is also recommended for long-term projects with medium-to-high complexity instead of scrum, quick organizations that are not dependent on deadline.

Page 8

CSCI321 Project Proposal

Project Group SS14/1C

Currently available Hash kits

Market Survey
Here are some hash kits which we found online: Hash kit (Offline) Cryptool (1/2) [2] Capabilities - Able to analyze different hashes *(screenshots of the software will be available below) - Informative and user-friendly user interface which allow users to drag and drop function objects to create their own hybrid hash functions/etc - Determine the hash type based on the users input - Compute (unknown)hash collision probability

(Online) hash analyzer[3] (Online) Hash collision probability calculator[4]

Page 9

CSCI321 Project Proposal

Project Group SS14/1C

Screenshots
Cryptool 2

When the software starts up, the cryptool 2 will display a start page which is comprised of different categories such as the wizard, news, templates and etc what we are interested in will be the example of how the collision can be detect. Hence, the next screenshot will be md5 collision detector which has already pre-built in the templates.

Page 10

CSCI321 Project Proposal

Project Group SS14/1C

MD5 Collider function GUI has time, match between both inputs and number of tries.

Hash analyzer
The website gives users to input hash(message digest) and a button to calculate and tabulate the results.

Page 11

CSCI321 Project Proposal

Project Group SS14/1C

Example: A md5 hash is inserted and Once the button is pressed, it will provide the below results:

Page 12

CSCI321 Project Proposal

Project Group SS14/1C

Hash Collision Probability Calculator

Page 13

CSCI321 Project Proposal

Project Group SS14/1C

Advantages/Disadvantages
Cryptool 2
Advantages Comprehensive tool for cryptographic uses Disadvantages It can be complex to navigate or to find a certain object if the user does not read the manual guide It is not a lightweight software hence requires more resources to load. It is only available on Windows (not cross platform) Offline (their online kit does not have any function.)

Free for all users. Open-source Project. Still in active development. Most current update is (23/01/2014)

Hash Analyzer
Advantages Able to identify the hash type Quick to compute the hash type Disadvantages It does not have any hash generator so it requires outside sources of hash. It does not have additional information on the the hash type. It only list the possible hash functions which can be not so accurate.

Hash Collision Probability Calculator

Advantages Simple user interface Disadvantages Hash function it is calculating for is not clear. Accuracy unverifiable

Page 14

CSCI321 Project Proposal

Project Group SS14/1C

Not sufficient information

Comparison

Hash kit

Cryptool

Hash Analyser

Hash collision probability calculator

Cross platform Online availability Compute collision resistance Compute preimage Compute second preimage Account management Hash function comparison Educational

x x x x x x

x x

x x

x x x

Technical Details
Software coding languages
Java, PHP, JAVASCRIPT

Page 15

CSCI321 Project Proposal

Project Group SS14/1C

Framework
CakePHP

Software development applications

Git - revisioning software Eclipse/NetBeans - IDE environment Apache - local webserver

Database
MySQL

Techniques
Collision resistance techniques Birthday paradox - For a set of n randomly chosen people, with a keyspace of 365 days a year. The probability of same person having the same birthday reaches 100% when n people reaches 366(exceed n value) which means the more people, the higher the probability. This birthday paradox logic will be used to test hash function collision rate. The larger the dataset is being test which is the n value, the higher the collision percentage which helps users to determine the effectiveness of the specific hash function collision resistance. Weakness - Birthday paradox places an upper bound on collision resistance: if a hash function
produces N bits of output, an attacker who computes "only" 2 ( ) hash operations on random input is likely to find two matching outputs. If there is an easier method than this bru te force attack, it is typically considered a flaw in the hash function
N/2

Rainbow table - A huge database filled with unique words to test against a chosen hash function algorithm. The message digest output of the chosen hash function will be store in a database. A collision occur when different dataset produce the same message digest. The collision resistance percentage will be (number of collision)/(number of dataset tested). To produce a accurate collision resistance graph of a list of hash functions, the same database must be used. Strength - Easy to implement and understand. Given enough time, it is able to produce very accurate collision resistance rate. Weakness - A very huge database is needed to provided an accurate collision resistance rate.

Page 16

CSCI321 Project Proposal

Project Group SS14/1C

Page 17

CSCI321 Project Proposal

Project Group SS14/1C

Project Summary
This online application would be a different kind of product on among the available crypto/hash tool kits. From its online availability, which ensures compatibility across platforms, our hash kit would have the best combination of the current market tools that encourages students and/or developers in other industries to be able to understand the technical aspects of IT security.

Page 18

CSCI321 Project Proposal

Project Group SS14/1C

References
1. Margaret Rouse. (2005). What is hashing?. Available: http://searchsqlserver.techtarget.com/definition/hashing. Last accessed 27th January 2014 2. Cryptool portal - cryptography and cryptanalysis. Available: https://www.cryptool.org/en/. Last accessed 29th January 2014 3. Hash Analyzer. Available: http://tools.question-defense.com/hash-analyzer. Last accessed: January 29, 2014 4. What's the probability of a hash collision? David Johnstone. Available: http://davidjohnstone.net/pages/hash-collision-probability. Last accessed: January 29, 2014 5. IBM Rational Unified Process (RUP). Available: http://www-01.ibm.com/software/rational/rup/. Last accessed: January 29,2014 6.Pass, R."Lecture 21: Collision-Resistant Hash Functions and General Digital Signature Scheme". Course on
Cryptography, Cornell University, 2009. Available:

https://www.cs.cornell.edu/courses/cs6830/2009fa/scribes/lecture21.pdf
Last accessed: January 29,2014 7.W. W. Rouse Ball (1960) Other Questions on Probability, in Mathematical Recreations and Essays, Macmillan, New York, pp 45. Last accessed: January 29,2014

Page 19