CSC4601 F04, Louisiana State University, Lecture 7: Hashes
Hashes and Message Digests
Dr. Arjan Durresi, Louisiana State University, Baton Rouge, LA 70810
These slides are available at: http://www.csc.lsu.edu/~durresi/CSC4601-04/
Overview
- Hashes
- Authentication
- MD2
- MD5
- SHA
Hashes
- A hash is also called a message digest
- One-way function: d = h(m), but there is no h'(d) = m
  - Cannot find the message given a digest (preimage resistance)
  - Cannot find m1, m2 with h(m1) = h(m2) (collision resistance)
- Maps an arbitrary-length message to a fixed-length digest
- Randomness: any given output bit is '1' half the time; each output is about 50% '1' bits
Birthday Problem
- Compute the probability that all birthdays differ
- Random sample of n people (birthdays) taken from k (= 365) days
- n people ⇒ $n(n-1)/2$ pairs
- $k^n$ samples with replacement; $(k)_n = k(k-1)\cdots(k-n+1)$ samples without replacement
- Probability of no repetition: $p = (k)_n / k^n \approx 1 - n(n-1)/2k$
- Probability of a repetition: $n(n-1)/2k = 0.5 \Rightarrow n \approx \sqrt{k}$
- The first-order approximation is rough: for k = 365 the exact product gives n = 23, while $\sqrt{365} \approx 19$
Birthday Problem (figure)
How Many Bits for Hash?
- m-bit hash: takes about $2^{m/2}$ messages to find two with the same hash
- 64 bits: $2^{32}$ messages to search (doable)
- Need at least 128 bits
- Today a 128-bit digest ($2^{64}$ work for a generic collision) is no longer considered adequate; 256-bit digests are the norm
A letter in $2^{37}$ variations (figure)
Birthday Attack
1. Source A is prepared to sign a message by appending the appropriate m-bit hash code and encrypting it with its private key
2. The opponent finds a fraudulent message that generates the same m-bit hash: prepares $2^{m/2}$ variations of the good message and $2^{m/2}$ variations of the fraudulent message, then looks for a hash match between the two sets
3. The opponent substitutes the fraudulent message for the intended one; A's signature on the hash stays valid
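The arithmetic from the Birthday Problem slide and both searches from the Birthday Attack slide, as an added example that is not part of the lecture slides. It truncates MD5 to `bits` bits to stand in for a short m-bit hash; the two letters and the `msg-<n>` message family are constructed sample inputs, and "variations" are produced by doubling spaces between words so that every variant reads the same.

```python
import hashlib
import itertools
import math
from fractions import Fraction

# Added example (not from the slides). Birthday-bound arithmetic, a plain
# collision search, and Yuval's two-message birthday attack against a hash
# truncated to `bits` bits (MD5 truncated stands in for a short hash).


def p_no_repeat(n, k):
    """Exact probability that n draws from k values are all distinct: (k)_n / k^n."""
    p = Fraction(1)
    for i in range(n):
        p *= Fraction(k - i, k)
    return p


def p_no_repeat_linear(n, k):
    """The slide's first-order approximation 1 - n(n-1)/2k."""
    return 1 - n * (n - 1) / (2 * k)


def n_for_half_exact(k):
    """Smallest n with P(repetition) >= 1/2 by the exact product (23 for k = 365)."""
    n = 1
    while p_no_repeat(n, k) > Fraction(1, 2):
        n += 1
    return n


def n_for_half_linear(k):
    """n(n-1)/2k = 1/2  =>  n = (1 + sqrt(1 + 4k)) / 2, roughly sqrt(k)."""
    return (1 + math.sqrt(1 + 4 * k)) / 2


def truncated_hash(msg, bits):
    """Top `bits` bits of MD5(msg) as an int: a toy m-bit hash with m = bits."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Hash distinct messages until a digest repeats; expect about 2^(bits/2) tries."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m


def variants(text):
    """Endless stream of byte strings that read the same as `text`: the j-th
    variant doubles the space after word i iff bit i of j is set (2^words distinct)."""
    words = text.split(" ")
    for j in itertools.count():
        parts = [w + (" " if (j >> i) & 1 else "") for i, w in enumerate(words)]
        yield " ".join(parts).encode()


def birthday_forgery(good, bad, bits):
    """Yuval's attack: table 2^(bits/2) variants of the good message, then scan
    variants of the fraudulent message until one hashes into the table."""
    n = 2 ** (bits // 2)
    table = {truncated_hash(v, bits): v for v in itertools.islice(variants(good), n)}
    for v in variants(bad):
        h = truncated_hash(v, bits)
        if h in table:
            return table[h], v


# Constructed letters (26 and 28 words, so plenty of variants exist).
GOOD = ("Dear Anthony, this letter confirms our agreement that you will receive "
        "a bonus of one thousand dollars this year for your excellent work on the project")
BAD = ("Dear Anthony, this letter confirms our agreement that you will receive "
       "a bonus of one hundred thousand dollars this year for your excellent work on the project")

if __name__ == "__main__":
    print("exact n for k=365:", n_for_half_exact(365), " linear:", round(n_for_half_linear(365), 2))
    a, b, tries = find_collision(32)
    print("32-bit collision after", tries, "messages:", a, b)
    g, f = birthday_forgery(GOOD, BAD, 32)
    print("good variant hash == bad variant hash:", truncated_hash(g, 32) == truncated_hash(f, 32))
```

Both searches finish in well under a second at 32 bits; doubling `bits` to 64 would multiply the work by $2^{16}$, which is the whole point of the "How Many Bits" slide.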
Using Hash for Authentication
- Alice to Bob: challenge $r_A$
- Bob to Alice: $MD(K_{AB} | r_A)$
- Bob to Alice: challenge $r_B$
- Alice to Bob: $MD(K_{AB} | r_B)$
- Each side only needs to recompute and compare the MD results; no encryption is involved
Using Hash to Compute MIC
- Cannot just compute MD(m) – Why? Anyone who alters m can recompute MD(m)
- MIC: $MD(K_{AB} | m)$
  - Allows concatenation with an additional message: $MD(K_{AB} | m | m')$ (extension attack)
  - MD through chunk n depends only on MD through chunk n-1 and the data in chunk n, so an attacker can continue the computation from the published digest without knowing $K_{AB}$
- Put the secret at the end of the message instead: $MD(m | K_{AB})$
- HMAC (simplified form): $MD(K_{AB} | MD(K_{AB} | m))$; RFC 2104 XORs the key with ipad and opad before the inner and outer hash
Using Hash to Encrypt
- One-time pad (really a keystream): compute the bit stream from MD, K, and an IV
  - $b_1 = MD(K_{AB} | IV)$, $b_i = MD(K_{AB} | b_{i-1})$, ...
  - XOR the $b_i$ with the message blocks
  - Sender can generate the one-time pad in advance but receiver cannot. Why?
  - Never reuse the same $(K_{AB}, IV)$ pair: the pad repeats, and XORing two ciphertexts reveals the XOR of the two plaintexts
- Or mix in the plaintext to provide integrity, similar to cipher feedback mode (CFB):
  - $b_1 = MD(K_{AB} | IV)$, $c_1 = p_1 \oplus b_1$
  - $b_2 = MD(K_{AB} | c_1)$, $c_2 = p_2 \oplus b_2$, ...
  - Lose the pre-computation capability, gain (some) integrity protection
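Both constructions from this slide, as an added example that is not part of the lecture slides, with MD5 as MD. The key, IV and message are constructed sample values. `damaged_blocks` flips one ciphertext bit and shows why the CFB-like variant gives "(some)" integrity while the pure keystream variant gives none: with the keystream, the flip passes straight through to the same plaintext bit; with plaintext mixed in, the following block decrypts to garbage as well.

```python
import hashlib

# Added example (not from the slides): the two keystream constructions from
# "Using Hash to Encrypt", with MD5 as MD. KEY, IV and PT are constructed.

BLOCK = 16   # one MD5 digest gives 16 keystream bytes


def md(data):
    return hashlib.md5(data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates to the shorter input


def chunks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ofb_keystream(key, iv, n):
    """b1 = MD(K|IV), bi = MD(K|b_{i-1}): depends only on K and IV, so it can be
    computed before any plaintext exists (by whoever knows both)."""
    out, b = [], iv
    for _ in range(n):
        b = md(key + b)
        out.append(b)
    return out


def ofb_encrypt(key, iv, plaintext):
    ks = ofb_keystream(key, iv, len(chunks(plaintext)))
    return b"".join(xor(p, k) for p, k in zip(chunks(plaintext), ks))


ofb_decrypt = ofb_encrypt      # XOR with the same pad


def cfb_encrypt(key, iv, plaintext):
    """b1 = MD(K|IV), bi = MD(K|c_{i-1}): each pad block depends on the previous
    ciphertext block, so nothing can be precomputed."""
    out, prev = [], iv
    for p in chunks(plaintext):
        c = xor(p, md(key + prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in chunks(ciphertext):
        out.append(xor(c, md(key + prev)))
        prev = c
    return b"".join(out)


def damaged_blocks(mode, key, iv, plaintext, bit=3):
    """Flip one ciphertext bit in block 0 and report which plaintext blocks
    decrypt wrongly. OFB: only block 0, and only that bit (fully malleable).
    CFB-like: block 0 changes and block 1 becomes garbage, so tampering is
    likely to be noticed: the '(some) integrity' of the slide."""
    enc, dec = (ofb_encrypt, ofb_decrypt) if mode == "ofb" else (cfb_encrypt, cfb_decrypt)
    ct = bytearray(enc(key, iv, plaintext))
    ct[bit // 8] ^= 1 << (bit % 8)
    pt2 = dec(key, iv, bytes(ct))
    return [i for i, (p, q) in enumerate(zip(chunks(plaintext), chunks(pt2))) if p != q]


KEY = b"shared-key-K_AB"
IV = b"0123456789abcdef"
PT = b"Transfer 100 USD to account 4711. Reference: lecture 7."   # 55 bytes: 4 blocks, last partial


def roundtrip_ok():
    return (ofb_decrypt(KEY, IV, ofb_encrypt(KEY, IV, PT)) == PT
            and cfb_decrypt(KEY, IV, cfb_encrypt(KEY, IV, PT)) == PT)


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("OFB damage:", damaged_blocks("ofb", KEY, IV, PT))
    print("CFB damage:", damaged_blocks("cfb", KEY, IV, PT))
```

Neither mode detects tampering on its own; the CFB-like variant only makes an undetected targeted edit harder. A real design adds a MAC over the ciphertext rather than relying on this effect.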
Integrity Protection with Hash
- MAC (again) – message authentication code – used to protect the integrity of a message
- Can we just hash the message (without using a key) to produce the MAC? No: anyone can recompute it after changing the message
- Approaches to hash-based MAC
  - prefix: $MAC_K(x) = H(K || x)$
    - not secure; extension attack: the hash is computed by repeatedly hashing blocks and combining each with the previously computed value, so an intruder can append to the message and compute the new MAC from the old one without knowing the key
  - suffix: $MAC_K(x) = H(x || K)$
    - mostly ok; problematic if H is not collision resistant: two messages with the same hash will have the same MAC, why? (the key is only mixed in after the internal state has already collided)
  - envelope: $MAC_K(x) = H(K_1 || x || K_2)$
  - HMAC: $MAC_K(x) = H(K_1 || H(K_2 || x))$ with $K_1 = K \oplus opad$ and $K_2 = K \oplus ipad$ (RFC 2104)
    - provably secure (given a sound compression function); slower; popular in Internet standards
Using Secret Key for a Hash
- Unix password algorithm:
  - Compute the hash of the user's password, store the hash (not the password), and compare it with the hash of the password the user types in
  - The first 8 bytes of the password are used to form a secret key; encrypt a block of zeros with a DES-like algorithm (repeated 25 times in crypt(3))
  - Salt: 12-bit random number formed from the time and process ID; it determines which bits are duplicated in the mangler when expanding from 32 to 48 bits, so a standard DES chip cannot be used for cracking
  - Salt is stored with the hashed result
- How to deal with passwords longer than 8 characters? Could ignore all but the first 8 chars
  - done in old Unixes
MD2
- 128-bit message digest
- Input: an arbitrary number of bytes
  - First pad to a multiple of 16 bytes
  - Append the MD2 checksum (16 bytes) to the end
    - The checksum is almost a MD, but not cryptographically secure by itself
  - Process the whole message (padded message plus checksum)
MD2 Padding
- There must always be padding
- If the message is a multiple of 16 bytes, 16 bytes of padding are added
- Otherwise the number of bytes (1–15) needed to reach a multiple of 16 is added
- Each pad byte holds the number of bytes of padding that was added
MD2 Checksum
- One byte at a time, $k \times 16$ steps (k = number of 16-byte chunks)
- $m_{nk}$: byte n of chunk k of the message
- $c_n = \pi(m_{nk} \oplus c_{n-1}) \oplus c_n$
- $c_n$ is the $(n \bmod 16)$-th checksum byte
- $\pi$: 0 → 41, 1 → 46, ...: a fixed substitution on 0–255 (the value of the byte)
MD2 Final Pass (figure)
MD2 Final Pass
- Operate on 16-byte chunks
- 48-byte quantity q: (current digest | chunk | digest ⊕ chunk)
- 18 passes of massaging over q, one byte at a time:
  - $c_n = \pi(c_{n-1}) \oplus c_n$ for n = 0, ..., 47
  - $c_{-1} = 0$ for pass 0; for each later pass $c_{-1} = (c_{47} + \text{pass number}) \bmod 256$
- After pass 17, use the first 16 bytes of q as the new digest (16 × 8 = 128 bits)
MD5: Message Digest Version 5
- Input: message (arbitrary length)
- Output: 128-bit digest
MD5 Box (figure)
- Initial 128-bit vector
- 512-bit message chunks (16 words of 32 bits)
- 128-bit result
- F: $(x \wedge y) \vee (\neg x \wedge z)$
- G: $(x \wedge z) \vee (y \wedge \neg z)$
- H: $x \oplus y \oplus z$
- I: $y \oplus (x \vee \neg z)$
- +: addition mod $2^{32}$
- x ↵ y: x left rotate y bits
MD5: Padding (figure)
- Input message → padding → 512-bit blocks 1, 2, 3, 4, ... → MD5 transformation block by block, starting from the initial value → final output: 128-bit digest
MD5 (figure)
Padding Twist
- Given the original message M, add padding bits "10*" such that the resulting length is 64 bits less than a multiple of 512 bits (there is always at least one padding bit)
- Append the original length in bits mod $2^{64}$, represented in 64 bits (little-endian in MD5), to the padded message
- The final message is chopped into 512-bit blocks
MD5 Process
- As many stages as the number of 512-bit blocks in the final padded message
- Digest: 4 32-bit words: MD = A|B|C|D
- Every message block contains 16 32-bit words: $m_0|m_1|m_2 \ldots |m_{15}$
- Digest $MD_0$ initialized to: A = 01234567, B = 89abcdef, C = fedcba98, D = 76543210 (byte order in memory; as little-endian words A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476)
- Every stage consists of 4 passes over the message block, each modifying MD
MD5 Blocks (figure)
- 512-bit blocks B1, B2, B3, B4, ... are fed one at a time into the MD5 compression step; each step's output is the chaining value for the next, and the last output is the result
Processing of Block $m_i$ – 4 Passes (figure)
- ABCD = $f_F$(ABCD, $m_i$, T[1..16])
- ABCD = $f_G$(ABCD, $m_i$, T[17..32])
- ABCD = $f_H$(ABCD, $m_i$, T[33..48])
- ABCD = $f_I$(ABCD, $m_i$, T[49..64])
- $MD_{i+1} = MD_i + ABCD$: the four words of the result are added (mod $2^{32}$) word by word to the four words of $MD_i$
Different Passes...
- Different functions and constants are used
- A different ordering of the words of $m_i$ is used
- A different set of shift amounts is used
MD5 Compression Function (figure)
- X[k] = M[q × 16 + k] = k-th 32-bit word in the q-th 512-bit block of the message
Functions and Random Numbers
- F(x,y,z) = $(x \wedge y) \vee (\neg x \wedge z)$: selection function (y where x is 1, z where x is 0)
- G(x,y,z) = $(x \wedge z) \vee (y \wedge \neg z)$
- H(x,y,z) = $x \oplus y \oplus z$
- I(x,y,z) = $y \oplus (x \vee \neg z)$
- $T_i = \lfloor 2^{32} \cdot |\sin(i)| \rfloor$ for i = 1, ..., 64 (i in radians)
Table T (figure: the 64 constants $T_1, \ldots, T_{64}$)
MD5
- Every bit of the hash code is a function of every bit in the input
- The complex repetition of the basic functions F, G, H, I produces results that are well mixed – it is very unlikely that two messages chosen at random will have the same hash
- MD5 is as strong as a 128-bit hash can be against brute force – birthday attack $2^{64}$
- This did not hold up: practical MD5 collisions were published in 2004, so MD5 must not be used where collision resistance matters
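MD5 written out from the Padding Twist, MD5 Process and Functions and Random Numbers slides, and then used for the extension attack on the prefix MAC $MD(K|m)$ from the Using Hash to Compute MIC and Integrity Protection with Hash slides. This is an added example, not code from the lecture; it is checked against Python's `hashlib`. The key, message and appended suffix are constructed sample values, and the attacker is assumed to know the key's length (in practice one simply tries a few plausible lengths).

```python
import hashlib
import hmac
import math
import struct

# Added example (not from the slides). MD5 per RFC 1321, written so that the
# chaining state and the length field can be supplied by the caller; that is
# exactly what the extension attack on a prefix MAC MD(K|m) needs.

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)     # A, B, C, D as words
T = [int(2 ** 32 * abs(math.sin(i))) & MASK32 for i in range(1, 65)]   # T_1..T_64
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_padding(total_len):
    """Padding for a message of total_len bytes: a '1' bit, zeros up to 56 mod 64,
    then the bit length mod 2^64 as a 64-bit little-endian integer."""
    pad = b"\x80" + b"\x00" * ((55 - total_len) % 64)
    return pad + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_compress(state, block):
    """One 512-bit block through the four 16-step passes (F, G, H, I)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:                       # pass 1: F, words in order
            f, g = (b & c) | (~b & d), i
        elif i < 32:                     # pass 2: G, words 1, 6, 11, ...
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                     # pass 3: H, words 5, 8, 11, ...
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                            # pass 4: I = y xor (x or not z), words 0, 7, 14, ...
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK32
    # MD_{i+1} = MD_i + ABCD, word-wise mod 2^32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5(data, state=IV, total_len=None):
    """MD5 digest of data. `state` and `total_len` let the caller resume from a
    known digest as if `total_len - len(data)` bytes had already been hashed."""
    if total_len is None:
        total_len = len(data)
    padded = data + md5_padding(total_len)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def extend_prefix_mac(mac, msg, suffix, key_len):
    """Extension attack on MAC = MD5(key || msg). Knowing only the MAC, msg and
    the key length, forge a valid MAC for msg || glue || suffix."""
    glue = md5_padding(key_len + len(msg))          # the padding MD5 used internally
    forged_msg = msg + glue + suffix
    resumed = struct.unpack("<4I", mac)             # the MAC *is* the chaining state
    forged_mac = md5(suffix, resumed, key_len + len(forged_msg))
    return forged_msg, forged_mac


def hmac_md5(key, msg):
    """HMAC as in RFC 2104: H(K1 || H(K2 || m)), K1 = K xor opad, K2 = K xor ipad."""
    if len(key) > 64:                 # keys longer than the block size are hashed first
        key = md5(key)
    key = key.ljust(64, b"\x00")
    k_ipad = bytes(k ^ 0x36 for k in key)
    k_opad = bytes(k ^ 0x5C for k in key)
    return md5(k_opad + md5(k_ipad + msg))


# Constructed sample data; the attacker never sees KEY.
KEY = b"s3cret-key-2004"
MSG = b"amount=100&to=alice"
SUFFIX = b"&to=mallory"


def matches_hashlib(data):
    return md5(data) == hashlib.md5(data).digest()


def prefix_mac_forgery_verifies():
    """True if the forged (msg', mac') passes a verifier computing MD5(KEY || msg')."""
    mac = md5(KEY + MSG)
    forged_msg, forged_mac = extend_prefix_mac(mac, MSG, SUFFIX, len(KEY))
    return forged_mac == hashlib.md5(KEY + forged_msg).digest()


def hmac_matches_stdlib():
    return hmac_md5(KEY, MSG) == hmac.new(KEY, MSG, hashlib.md5).digest()


if __name__ == "__main__":
    print("md5('abc') =", md5(b"abc").hex())
    print("prefix MAC forged:", prefix_mac_forgery_verifies())
    print("HMAC matches hmac module:", hmac_matches_stdlib())
```

The forged message carries the glue padding in the middle, which is why the attack works against formats that tolerate junk between fields (query strings, some headers) and why the outer hash in HMAC, keyed again, closes the hole: the attacker never sees the inner chaining state.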
Secure Hash Algorithm
- Developed by NIST, specified in the Secure Hash Standard (SHS, FIPS PUB 180), 1993
- SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST
General Logic
- Input message must be < $2^{64}$ bits (not really a problem)
- Message is processed in 512-bit blocks sequentially
- Message digest is 160 bits
- SHA design is similar to MD5, but a lot stronger
SHA-1
Basic Steps
- Step 1: Padding
- Step 2: Append the length as a 64-bit unsigned integer containing the length of the message before padding
- Step 3: Initialize the MD buffer, 5 32-bit words A|B|C|D|E:
  A = 67452301, B = efcdab89, C = 98badcfe, D = 10325476, E = c3d2e1f0
Basic Steps...
- Step 4: the 80-step processing of each 512-bit block – 4 rounds, 20 steps each
- Each step t (0 ≤ t ≤ 79) takes the buffer (A, B, C, D, E) and produces:
  $A' = (E + f_t(B,C,D) + CLS_5(A) + W_t + K_t) \bmod 2^{32}$, $B' = A$, $C' = CLS_{30}(B)$, $D' = C$, $E' = D$
- After the 80 steps, the result is added word-wise (mod $2^{32}$) to the buffer value from before the block

Basic Steps – The Heart of the Matter (figure)
- Inputs: A, B, C, D, E; $f_t$; CLS30 (circular left shift by 30 bits); CLS5 (circular left shift by 5 bits); $W_t$; $K_t$; four additions mod $2^{32}$
- Outputs: the new A, B, C, D, E
Basic Logic Functions
- Only 3 different functions
- Round function $f_t(B, C, D)$ and constant $K_t$ (as defined in FIPS 180-1):
  - 0 ≤ t ≤ 19: $(B \wedge C) \vee (\neg B \wedge D)$, $K_t$ = 5a827999
  - 20 ≤ t ≤ 39: $B \oplus C \oplus D$, $K_t$ = 6ed9eba1
  - 40 ≤ t ≤ 59: $(B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$, $K_t$ = 8f1bbcdc
  - 60 ≤ t ≤ 79: $B \oplus C \oplus D$, $K_t$ = ca62c1d6
Truth Table for Functions of SHA-1 (figure)
Twist With $W_t$'s
- Additional mixing used with the input message 512-bit block
- $W_0|W_1|\ldots|W_{15} = m_0|m_1|m_2 \ldots |m_{15}$
- For 15 < t ≤ 79 (FIPS 180-1): $W_t = CLS_1(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$
Creation of 80-word input for SHA-1 (figure)
SHA Versus MD5
- SHA is a stronger algorithm:
  - Brute-force birthday attacks require on the order of $2^{80}$ operations vs. $2^{64}$ for MD5
  - SHA's 80 steps and 160-bit hash (vs. 128) require a little more computation
- Collision attacks on SHA-1 well below $2^{80}$ were published from 2005 on, and a practical collision was demonstrated in 2017; SHA-2 or SHA-3 should be used today
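The SHA-1 steps from the Basic Steps, Basic Logic Functions and Twist With $W_t$'s slides, as an added example that is not part of the lecture; it is checked against Python's `hashlib`. The `revised` switch drops the one-bit rotate in the word expansion, which is the only difference between SHA-1 and the original 1993 SHA, so the same code shows what the revision changed.

```python
import hashlib
import struct

# Added example (not from the slides): SHA-1 as in FIPS 180-1, exposing the
# 80-word schedule W_t, the round functions f_t and the constants K_t.

MASK32 = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # A..E
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                # K_t, one per round


def cls(x, n):
    """Circular left shift of a 32-bit word (CLS_n in the slides)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(length_bytes):
    """'1' bit, zeros up to 56 mod 64, then the bit length as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - length_bytes) % 64) + struct.pack(">Q", length_bytes * 8)


def schedule(block, revised=True):
    """W_0..W_15 are the block's 16 words; W_t for 16 <= t < 80 by the XOR recurrence.
    revised=False omits the one-bit rotate: that is the original 1993 SHA (SHA-0)."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]
        W.append(cls(x, 1) if revised else x)
    return W


def f(t, b, c, d):
    """Round function f_t: select (0-19), parity (20-39), majority (40-59), parity (60-79)."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40 or t >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)


def sha1_compress(state, block, revised=True):
    a, b, c, d, e = state
    for t, w in enumerate(schedule(block, revised)):
        temp = (cls(a, 5) + f(t, b, c, d) + e + K[t // 20] + w) & MASK32
        a, b, c, d, e = temp, a, cls(b, 30), c, d       # the step from the figure
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d, e)))


def sha1(data, revised=True):
    state = H0
    padded = data + sha1_padding(len(data))
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64], revised)
    return struct.pack(">5I", *state)


def matches_hashlib(data):
    return sha1(data) == hashlib.sha1(data).digest()


if __name__ == "__main__":
    print("SHA-1('abc') =", sha1(b"abc").hex())
    print("SHA-0('abc') =", sha1(b"abc", revised=False).hex())
```

Compared with the MD5 example, note the big-endian word and length encoding, the fifth chaining word, and that the message words are stirred into an 80-word schedule instead of being reused in four fixed permutations.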
Revised SHA (figure): SHA-1 (FIPS 180-1, 1995) differs from the original 1993 SHA only by the one-bit circular left shift added to the $W_t$ expansion
History of Hash Algorithms
- MD – proprietary, never published, not widely used
- MD2 – first public algorithm, oriented towards 8-bit processing, little memory, good for embedded devices
- MD3 – immediately superseded by MD4 (never published)
- MD4 – runs faster than MD2, uses 32-bit operations, became suspect
- MD5 – slightly slower, more conservative
- SHA-1 – NIST standard, similar to MD5, even more conservative
- Eventually MD2 and MD4 were "broken" – two messages with the same hash were found
- The MDs produce 128-bit digests, SHA-1 a 160-bit digest
Summary
- Hashes
- Authentication
- MD2
- MD5
- SHA