hashes and message digests - interdisciplinarysidhanti/classes/csc4601/7_4601_04.pdflouisiana state...

CSC4601 F04Louisiana State University 7- Hashes - 1

Hashes and Message DigestsHashes and Message Digests

Dr. Arjan Durresi Louisiana State UniversityBaton Rouge, LA 70810

[email protected]

These slides are available at:http://www.csc.lsu.edu/~durresi/CSC4601-04/


OverviewOverview

HashesAuthenticationMD2MD5SHA


HashesHashesHash is also called message digestOne-way function: d=h(m) but no h’(d)=m

Cannot find the message given a digestCannot find m1, m2, where d1=d2Arbitrary-length message to fixed-length digestRandomness

any bit in the outputs ‘1’ half the timeeach output: 50% ‘1’ bits


Birthday ProblemBirthday ProblemCompute probability of different birthdaysRandom sample of n people (birthdays) taken from k (365) daysn people ⇒ n(n-1)/2 pairskn samples with replacement(k)n=k(k-1)…(k-n+1) sample without replacementProbability of no repetition:

p = (k)n/kn ≈ 1 - n(n-1)/2kProbability of repetition : n(n-1)/2k = 0.5 ⇒ n k≈


Birthday ProblemBirthday Problem


How Many Bits for Hash?How Many Bits for Hash?m bits, takes 2m/2 to find two with the same hash64 bits, takes 232 messages to search (doable)Need at least 128 bits


A letter in A letter in 223737

variationsvariations


Birthday AttackBirthday Attack

1. Source A is prepared to sign a message by appending the appropriate m-bit hash code and encrypt it with its private key

2. The opponent find a fraudulent message that generates the same m-bit hash:

Prepares 2m/2 good and 2m/2 fraudulent messages3. The opponent changes the intended message with the fraudulent

one


Using Hash for AuthenticationUsing Hash for AuthenticationAlice to Bob: challenge rABob to Alice: MD(KAB|rA)Bob to Alice: rBAlice to Bob: MD(KAB|rB)Only need to compare MD results


Using Hash to Compute MICUsing Hash to Compute MICCannot just compute MD(m) – Why? MIC: MD(KAB|m)

Allows concatenation with additional message: MD(KAB|m|m’)

MD through chunk n depends on MD through chunks n-1 and the data in chunk n

Put secret at the end of message: MD(m| KAB)HMAC - MD(KAB|MD(KAB|m))


Using Hash to EncryptUsing Hash to EncryptOne-time pad:

compute bit streams using MD, K, and IVb1=MD(KAB|IV), bi=MD(KAB|bi-1), …

⊕ with message blocksSender can generate the one-time pad in advance but receiver cannot. Why?

Or mixing in the plaintext to provide integritysimilar to cipher feedback mode (CFB)

b1=MD(KAB|IV), c1= p1 ⊕ b1b2=MD(KAB| c1), c2= p2 ⊕ b2

lose pre-computation capability, gain (some) integrity protection


Integrity Protection with HashIntegrity Protection with HashMAC(again) – message authentication code – used to protect the integrity of a messagecan we just hash the message (without using key) to produce the MAC? approaches to hash-based MACprefix: MACK(x) = H(K || x)

not secure; extension attack:the hashes are usually computed by repeatedly hashing blocks andcombining with previously computed value intruder can append to the message without knowing key

suffix: MACK(x) = H(x || K)mostly ok; problematic if H is not collision resistant:

two messages with the same hash will have the same MAC, why? envelope: MACK(x) = H(K1 || x || K2)HMAC: MACK(x) = H(K1 || H(x || K2))

provably secure; slower, popular in Internet standards.


Using Secret Key for a HashUsing Secret Key for a HashUnix password algorithm:

Compute hash of user password, store the hash (not the password), and compare the hash of user-input password.

First 8 bytes of password used to form a secret key.Encrypt 0 with a DES-like algorithm.

Salt: 12-bit random number formed from time and process ID. Determine bits to duplicate in the mangler when expanding from 32 to 48 bits.Salt stored with hashed result.

How to deal with passwords longer than 8 characters Could ignore all but 1st 8 chars

done in old Unixes


MD2MD2128-bit message digest:

Arbitrary number of bytes of messageFirst pad to multiple of 16 bytesAppend MD2 checksum (16 bytes) to the end

The checksum is almost a MD, but not cryptographically secure by itself.

Process whole message


MD2 PaddingMD2 PaddingThere must always be paddingIf the message is multiple of 16 bytes, 16 bytes of padding are addedOtherwise the number of bytes (1-15) are addedEach pad byte specifies the number of bytes of padding that was added


MD2 ChecksumMD2 ChecksumOne byte at a time, k × 16 stepsmnk: byte nk of messagecn=π(mnk ⊕ cn-1) ⊕ cn

Cn = (n mod 16)th byteπ : 0 → 41, 1 → 46, …

Substitution on 0-255 (value of the byte)


MD2 Final PassMD2 Final Pass


MD2 Final PassMD2 Final PassOperate on 16-byte chunks48-byte quantity q:

(current digest|chunk|digest⊕chunk)18 passes of massaging over q, and one byte at a time:

cn=π(cn-1) ⊕ cn for n = 0, … 47; c-1 = 0 for pass 0; c-1= (c47 + pass #) mod 256

After pass 17, use first 16 bytes as new digest16 × 8 = 128


MD5: Message Digest Version 5MD5: Message Digest Version 5

input Message

Output 128 bits Digest


MD5 BoxMD5 Box

Initial 128-bit vector

512-bit message chunks (16 words of 32 bits)

128-bit result

F: (x∧y)∨(~x ∧ z)G:(x ∧ z) ∨(y ∧~ z)H:x⊕y⊕ zI: y⊕(x ∧ ~z)+: binary sumx↵y: x left rotate y bits


MD5: PaddingMD5: Padding

input Message

Output 128 bits Digest

Padding512 bit block

Initial Value

1 2 3 4

Final Output

MD5 Transformation block by block


MD5MD5


Padding TwistPadding TwistGiven original message M, add padding bits “10*”such that resulting length is 64 bits less than a multiple of 512 bits.Append (original length in bits mod 264), represented in 64 bits to the padded messageFinal message is chopped 512 bits a block


MD5 ProcessMD5 ProcessAs many stages as the number of 512-bit blocks in the final padded messageDigest: 4 32-bit words: MD=A|B|C|DEvery message block contains 16 32-bit words: m0|m1|m2…|m15

Digest MD0 initialized to: A=01234567,B=89abcdef,C=fedcba98, D=76543210Every stage consists of 4 passes over the message block, each modifying MD


MD5 BlocksMD5 Blocks

MD5

MD5

MD5

MD5

512: B1512: B2

512: B3512: B4

Result


Processing of Block Processing of Block mmi i -- 4 Passes4 Passes

ABCD=fF(ABCD,mi,T[1..16])

ABCD=fG(ABCD,mi,T[17..32])

ABCD=fH(ABCD,mi,T[33..48])

ABCD=fI(ABCD,mi,T[49..64])

mi

+ + + +

A B C D

MDi

MD i+1


Different Passes...Different Passes...Different functions and constants are usedDifferent set of mi is usedDifferent set of shift amount is used


MD5 Compression FunctionMD5 Compression Function

X[k] = M[q x 16 + k] = kth 32-bit word in the qth 512 bit block of the message


Functions and Random NumbersFunctions and Random NumbersF(x,y,z) == (x∧y)∨(~x ∧ z)

selection functionG(x,y,z) == (x ∧ z) ∨(y ∧~ z)H(x,y,z) == x⊕y⊕ zI(x,y,z) == y⊕(x ∧ ~z)Ti = int(232 * abs(sin(i))), 0


Table TTable T


MD5MD5Every bit of the hash code is function of every bit in the inputThe complex repetition of the basic functions F, G, H, I produces results that are well mixed – It is very unlikely that two messages chosen at random will have the same hashMD5 is as strong as a 128-bit hash can be – birthday attack 264


Secure Hash AlgorithmSecure Hash AlgorithmDeveloped by NIST, specified in the Secure Hash Standard (SHS, FIPS Pub 180), 1993SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST


General LogicGeneral LogicInput message must be < 264 bits

not really a problemMessage is processed in 512-bit blocks sequentiallyMessage digest is 160 bitsSHA design is similar to MD5, but a lot stronger


SHASHA--11


Basic StepsBasic StepsStep1: PaddingStep2: Appending length as 64 bit unsigned and

contains the length of the message before paddingStep3: Initialize MD buffer 5 32-bit words

A|B|C|D|EA = 67452301B = efcdab89C = 98badcfeD = 10325476E = c3d2e1f0


Basic Steps...Basic Steps...Step 4: the 80-step processing of 512-bit blocks – 4

rounds, 20 steps each.Each step t (0


Basic Steps Basic Steps -- The Heart Of The The Heart Of The MatterMatter

AA EEBB CC DD

AA EEBB CC DD

++

++

++

++

fftt

CLS30CLS30

CLS5CLS5WWtt

KKtt


Basic Logic FunctionsBasic Logic FunctionsOnly 3 different functions

Round Function ft(B,C,D)0


Truth Table for Functions of SHATruth Table for Functions of SHA--11


Twist With WTwist With Wtt’’ssAdditional mixing used with input message 512-bit blockW0|W1|…|W15 = m0|m1|m2…|m15For 15 < t


Creation of 80Creation of 80--word input for SHAword input for SHA--11


SHA Versus MD5SHA Versus MD5SHA is a stronger algorithm:

Brute-force birthday attacks requires on the order of 280 operations vs. 264 for MD5

SHA’s 80 steps and 160 bits hash (vs. 128) requires a little more computation


Revised SHARevised SHA


History of Hash AlgorithmsHistory of Hash AlgorithmsAlgorithms

MD – proprietary, never published, not widely usedMD2 – first public algorithm, oriented towards 8-bit processing, little memory, good for embedded devicesMD3 – immediately superceded by MD4 (never published)MD4 – runs faster than MD2, uses 32-bit operations, became suspectMD5 – slightly slower, more conservativeSHA-1 – NIST standard, similar to MD5 even more conservativeEventually MD2 and MD4 are “broken” – two messages with the same hash are foundMDs produce 128-bit digests, SHA-1 – 160-bit digest


SummarySummary

HashesAuthenticationMD2MD5SHA

hashes and message digests - interdisciplinarysidhanti/classes/csc4601/7_4601_04.pdflouisiana state...

Documents