A cryptographic hash function compresses arbitrarily long messages to digests of a short and fixed length. Most of existing hash functions are designed to evaluate a compression function with a finite domain in a mode of operation, and the compression function itself is often designed from block ciphers or permutations. This modular design approach allows for a rigorous security analysis via means of both cryptanalysis and provable security. We present a survey on the state of the art in hash function security and modular design analysis. We focus on existing security models and definitions, as well as on the security aspects of designing secure compression functions (indirectly) from either block ciphers or permutations. In all of these directions, we identify open problems that, once solved, would allow for an increased confidence in the use of cryptographic hash functions.