
Post on 19-Dec-2015


Chapter 5 Hashes and Message Digests

Instructor: 孫宏民, hmsun@cs.nthu.edu.tw

Room: EECS 6402, Tel: 03-5742968, Fax: 886-3-572-3694


Introduction

• A hash (also known as a message digest) is a one-way function. It is considered one-way because it is not practical to figure out what input corresponds to a given output.

• We will use the terms hash and message digest interchangeably. The NIST message digest function is called SHA-1, which stands for secure hash algorithm, whereas the MD in the MD2, MD4 and MD5 algorithms stands for message digest.


• There certainly will be many messages that yield the same message digest, because a message can be of arbitrary length and the message digest will be of fixed length, for instance 128 bits.

• By trying lots of messages, one would eventually find two that mapped to the same message digest.

• The problem is that “lots” is so many that it is essentially impossible.


• Assuming a good 128-bit message digest function, it would take trying approximately $2^{64}$ messages before finding two that had the same digest (see the birthday problem).

• An example use of a message digest is to fingerprint a program or document to detect modification of it.


The Birthday Problem

• If there are 23 or more people in a room, the odds are better than 50% that two of them will have the same birthday.

• Let’s assume n inputs and k possible outputs, and an unpredictable mapping from input to output. With n inputs, there are n(n-1)/2 pairs of inputs. For each pair there’s a probability of 1/k of both inputs producing the same output value, so we need about k/2 pairs for the probability of a match to be about 50%.

• So n(n-1) > k, which means that if n is greater than $\sqrt{k}$, there’s a good chance of finding a matching pair.


• How many bits does the output of a message digest function have to be in order to prevent someone from being able to find two messages with the same message digest?

– If the message digest has m bits, then it would take only about $2^{m/2}$ messages, chosen at random, before one would find two with the same value.

– That is why message digest functions have outputs of at least 128 bits, because it is not considered feasible to search $2^{64}$ messages given the current state of the art.
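The birthday bound above can be checked empirically. The following is an added example, not part of the original slides: it computes the exact birthday probability and then counts how many distinct messages must be hashed before two share an m-bit digest. Truncated SHA-256 as the m-bit digest and the constructed message prefix are assumptions of this example.

```python
import hashlib


def birthday_probability(n: int, k: int) -> float:
    """Exact chance that n random inputs into k outputs contain a matching pair."""
    p_all_distinct = 1.0
    for j in range(n):
        p_all_distinct *= (k - j) / k
    return 1.0 - p_all_distinct


def truncated_digest(message: bytes, m_bits: int) -> int:
    """Top m_bits of SHA-256, standing in for an m-bit message digest (assumption)."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - m_bits)


def find_collision(m_bits: int, prefix: bytes = b"constructed-msg-"):
    """Hash distinct messages until two share an m-bit digest.

    Returns (message_a, message_b, messages_tried).
    """
    seen = {}          # digest value -> first message that produced it
    tried = 0
    while True:
        message = prefix + str(tried).encode()
        tried += 1
        digest = truncated_digest(message, m_bits)
        if digest in seen:
            return seen[digest], message, tried
        seen[digest] = message


if __name__ == "__main__":
    print(f"23 people, 365 days: {birthday_probability(23, 365):.3f}")
    for m_bits in (16, 20, 24, 32):
        a, b, tried = find_collision(m_bits)
        # The count tracks 2^(m/2), not 2^m: each extra digest bit adds half a bit of work.
        print(f"m={m_bits}: collision after {tried} messages; 2^(m/2) = {2 ** (m_bits // 2)}")
```

The same growth rate is why a 128-bit digest gives only about 64 bits of collision resistance.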


Nifty Thing to Do with a Hash

• The significant difference between a secret key algorithm and a message digest algorithm is that a secret key algorithm is designed to be reversible and a message digest algorithm is designed to be impossible to reverse.

• In this section we’ll use MD as a “generic” message digest algorithm.


Authentication


Computing a MAC with a Hash

• The obvious thought is that MD(m) is a MAC for message m. But it isn’t: anyone can compute MD(m).

• We concatenate a shared secret KAB with the message m, and use MD(KAB|m) as the MAC.

• Some proposals with no known weaknesses are:

– Put the secret at the end of the message instead of at the beginning.

– Use only half the bits of the message digest as the MAC.

– Concatenate the secret to both the front and the back of the message.

• We call any hash combining the secret key and the data a keyed hash.


Encryption with a Message Digest

• Generating a one-time pad

– Just as OFB generates a pseudorandom bit stream which then encrypts a message by simply being ⊕ed with the message, we can use a message digest algorithm to generate a pseudorandom bit stream.

[Figure: KAB is fed into each MD block; the MD outputs are ⊕ed with M1, M2, M3 to produce C1, C2, C3.]

Alice and Bob share a secure key KAB

• It is not secure to use the same bit stream twice, so, as with OFB, Alice starts with an IV. The first block is then MD(KAB|IV).


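• Mixing in the Plaintext

– Similar to CFB.

[Figure: as in the previous diagram, with an IV as the starting input: KAB is fed into each MD block and the MD outputs are ⊕ed with M1, M2, M3 to produce C1, C2, C3.]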
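Both digest-based encryption schemes above, as an added example that is not part of the original slides. It assumes SHA-256 as the generic MD, that later pad blocks in the OFB-like scheme are MD(KAB | previous pad block), and that the CFB-like scheme chains on the previous ciphertext block; the key, IVs and messages are constructed.

```python
import hashlib

BLOCK = 32  # SHA-256 output size in octets; SHA-256 stands in for the generic MD


def md(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_like(key: bytes, iv: bytes, data: bytes) -> bytes:
    """b1 = MD(K|IV), b_i = MD(K|b_{i-1}); output = data XOR pad.

    The pad does not depend on the data, so the same call encrypts and decrypts.
    """
    out, block = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        block = md(key + block)
        out += xor_bytes(data[off:off + BLOCK], block)
    return bytes(out)


def cfb_like_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """b1 = MD(K|IV), b_i = MD(K|c_{i-1}); c_i = m_i XOR b_i."""
    out, prev = bytearray(), iv
    for off in range(0, len(plaintext), BLOCK):
        c = xor_bytes(plaintext[off:off + BLOCK], md(key + prev))
        out += c
        prev = c
    return bytes(out)


def cfb_like_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = bytearray(), iv
    for off in range(0, len(ciphertext), BLOCK):
        c = ciphertext[off:off + BLOCK]
        out += xor_bytes(c, md(key + prev))
        prev = c
    return bytes(out)


if __name__ == "__main__":
    key, iv = b"constructed shared key", bytes(16)
    m1, m2 = b"A" * 70, b"B" * 70
    c1, c2 = ofb_like(key, iv, m1), ofb_like(key, iv, m2)
    # Same key and IV means the same pad: the XOR of the two ciphertexts
    # equals the XOR of the two plaintexts, with no key needed.
    print("IV reuse leaks m1 XOR m2:", xor_bytes(c1, c2) == xor_bytes(m1, m2))
    print("CFB-like round trip:", cfb_like_decrypt(key, iv, cfb_like_encrypt(key, iv, m1)) == m1)
```

Neither scheme authenticates the ciphertext, so a flipped ciphertext bit flips the same plaintext bit undetected unless a MAC is added.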


Using Secret Key for a Hash

• What we want to generate is a function with the properties of a hash algorithm. It should not require a secret. It should be publishable. It should be noninvertible.

• Unix password hash

[Figure: the 8 characters of the password, 7-bit ASCII each, form a 56-bit key; DES with that key encrypts the plaintext 0 to produce the hashed password.]


• Hashing large messages


• There is a serious problem with this, which is that the typical message block length b is 64 bits, which is too short to use as a message digest.

• If we want to find a message with a particular message digest, a technique similar to the one in section 4.4.1.2 could find a message with a particular 64-bit message digest in about $2^{33}$ iterations.


MD2

• MD2 takes a message equal to an arbitrary number of octets and produces a 128-bit message digest.

• The basic idea behind MD2 is as follows:

– The input message to MD2 is of arbitrary length.

– The message is padded to be a multiple of 16 octets.

– A 16-octet quantity, which MD2 calls a checksum, is appended to the end.

– Final pass: the message is processed, 16 octets at a time, each time producing an intermediate result for the message digest.


MD2 Padding


MD2 Checksum Computation


MD2 Final Pass


MD4

• The message to be fed into the message digest computation must be a multiple of 512 bits (sixteen 32-bit words).


Overview of MD4 Message Digest Computation


• Each stage starts with a 16-word message block and a 4-word message digest value.

The message words are called $m_0, m_1, m_2, \ldots, m_{15}$.

The message digest words are called $d_0, d_1, d_2, d_3$.

The message digest is initialized to:

$$d_0 = 67452301_{16}, \quad d_1 = \mathrm{efcdab89}_{16}, \quad d_2 = \mathrm{98badcfe}_{16}, \quad d_3 = 10325476_{16}$$

Equivalent to the octet string 01|23|45|67|89|ab|cd|ef|fe|dc|ba|98|76|54|32|10.


• The following operations we are able to use:


MD4 Message Digest Pass 1

• A function F(x,y,z) is defined as $(x \wedge y) \vee (\sim x \wedge z)$. This function is sometimes known as the selection function.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = \left(d_{(-i)\wedge 3} + F(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_i\right) \lll S_1(i \wedge 3)$$

where $\lll$ is a left rotate and $S_1(i) = 3 + 4i$, so the rotations cycle over the values 3, 7, 11, 15.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= (d_0 + F(d_1, d_2, d_3) + m_0) \lll 3 \\
d_3 &= (d_3 + F(d_0, d_1, d_2) + m_1) \lll 7 \\
d_2 &= (d_2 + F(d_3, d_0, d_1) + m_2) \lll 11 \\
d_1 &= (d_1 + F(d_2, d_3, d_0) + m_3) \lll 15 \\
d_0 &= (d_0 + F(d_1, d_2, d_3) + m_4) \lll 3
\end{aligned}$$


MD4 Message Digest Pass 2

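• A function G(x,y,z) is defined as $(x \wedge y) \vee (x \wedge z) \vee (y \wedge z)$. This function is sometimes known as the majority function. It uses a constant $\lfloor 2^{30}\sqrt{2} \rfloor = \mathrm{5a827999}_{16}$.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = \left(d_{(-i)\wedge 3} + G(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_{X(i)} + \mathrm{5a827999}_{16}\right) \lll S_2(i \wedge 3)$$

where $X(i) = 4i - 15\lfloor i/4 \rfloor$, and $S_2(0) = 3$, $S_2(1) = 5$, $S_2(2) = 9$, $S_2(3) = 13$, so the rotations cycle over the values 3, 5, 9, 13.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= (d_0 + G(d_1, d_2, d_3) + m_0 + \mathrm{5a827999}_{16}) \lll 3 \\
d_3 &= (d_3 + G(d_0, d_1, d_2) + m_4 + \mathrm{5a827999}_{16}) \lll 5 \\
d_2 &= (d_2 + G(d_3, d_0, d_1) + m_8 + \mathrm{5a827999}_{16}) \lll 9 \\
d_1 &= (d_1 + G(d_2, d_3, d_0) + m_{12} + \mathrm{5a827999}_{16}) \lll 13 \\
d_0 &= (d_0 + G(d_1, d_2, d_3) + m_1 + \mathrm{5a827999}_{16}) \lll 3
\end{aligned}$$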


MD4 Message Digest Pass 3

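• A function H(x,y,z) is defined as $x \oplus y \oplus z$.

• Pass 3 has a different strange constant based on the square root of 3. The constant is $\lfloor 2^{30}\sqrt{3} \rfloor = \mathrm{6ed9eba1}_{16}$.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = \left(d_{(-i)\wedge 3} + H(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_{R(i)} + \mathrm{6ed9eba1}_{16}\right) \lll S_3(i \wedge 3)$$

where $R(i) = 8i - 12\lfloor i/2 \rfloor - 6\lfloor i/4 \rfloor - 3\lfloor i/8 \rfloor$, and $S_3(0) = 3$, $S_3(1) = 9$, $S_3(2) = 11$, $S_3(3) = 15$, so the rotations cycle over the values 3, 9, 11, 15.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= (d_0 + H(d_1, d_2, d_3) + m_0 + \mathrm{6ed9eba1}_{16}) \lll 3 \\
d_3 &= (d_3 + H(d_0, d_1, d_2) + m_8 + \mathrm{6ed9eba1}_{16}) \lll 9 \\
d_2 &= (d_2 + H(d_3, d_0, d_1) + m_4 + \mathrm{6ed9eba1}_{16}) \lll 11 \\
d_1 &= (d_1 + H(d_2, d_3, d_0) + m_{12} + \mathrm{6ed9eba1}_{16}) \lll 15 \\
d_0 &= (d_0 + H(d_1, d_2, d_3) + m_2 + \mathrm{6ed9eba1}_{16}) \lll 3
\end{aligned}$$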


MD5

• The major differences are:

– MD4 makes three passes over each 16-octet chunk of the message. MD5 makes four passes over each 16-octet chunk.

– The functions are slightly different, as is the number of bits in the shifts.

– MD4 has one constant which is used for each message word in pass 2, and a different constant in pass 3. No constant is used in pass 1. MD5 uses 64 32-bit constants.


MD5 Message Padding


Overview of MD5 Message Digest Computation


• Each stage starts with a 16-word message block and a 4-word message digest value.

The message words are called $m_0, m_1, m_2, \ldots, m_{15}$.

The message digest words are called $d_0, d_1, d_2, d_3$.

The message digest is initialized to:

$$d_0 = 67452301_{16}, \quad d_1 = \mathrm{efcdab89}_{16}, \quad d_2 = \mathrm{98badcfe}_{16}, \quad d_3 = 10325476_{16}$$

Equivalent to the octet string 01|23|45|67|89|ab|cd|ef|fe|dc|ba|98|76|54|32|10.


MD5 Message Digest Pass 1

• A function F(x,y,z) is defined as $(x \wedge y) \vee (\sim x \wedge z)$. This function is sometimes known as the selection function.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \left(d_{(-i)\wedge 3} + F(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_i + T_{i+1}\right) \lll S_1(i \wedge 3)$$

where $\lll$ is a left rotate and $S_1(i) = 7 + 5i$, so the rotations cycle over the values 7, 12, 17, 22.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= d_1 + (d_0 + F(d_1, d_2, d_3) + m_0 + T_1) \lll 7 \\
d_3 &= d_0 + (d_3 + F(d_0, d_1, d_2) + m_1 + T_2) \lll 12 \\
d_2 &= d_3 + (d_2 + F(d_3, d_0, d_1) + m_2 + T_3) \lll 17 \\
d_1 &= d_2 + (d_1 + F(d_2, d_3, d_0) + m_3 + T_4) \lll 22 \\
d_0 &= d_1 + (d_0 + F(d_1, d_2, d_3) + m_4 + T_5) \lll 7
\end{aligned}$$


MD5 Message Digest Pass 2

• A function G(x,y,z) is defined as $(x \wedge z) \vee (y \wedge \sim z)$.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \left(d_{(-i)\wedge 3} + G(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_{(5i+1)\wedge 15} + T_{i+17}\right) \lll S_2(i \wedge 3)$$

where $S_2(i) = i(i+7)/2 + 5$, so the rotations cycle over the values 5, 9, 14, 20.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= d_1 + (d_0 + G(d_1, d_2, d_3) + m_1 + T_{17}) \lll 5 \\
d_3 &= d_0 + (d_3 + G(d_0, d_1, d_2) + m_6 + T_{18}) \lll 9 \\
d_2 &= d_3 + (d_2 + G(d_3, d_0, d_1) + m_{11} + T_{19}) \lll 14 \\
d_1 &= d_2 + (d_1 + G(d_2, d_3, d_0) + m_0 + T_{20}) \lll 20 \\
d_0 &= d_1 + (d_0 + G(d_1, d_2, d_3) + m_5 + T_{21}) \lll 5
\end{aligned}$$


MD5 Message Digest Pass 3

• A function H(x,y,z) is defined as $x \oplus y \oplus z$.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \left(d_{(-i)\wedge 3} + H(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_{(3i+5)\wedge 15} + T_{i+33}\right) \lll S_3(i \wedge 3)$$

where $S_3(0) = 4$, $S_3(1) = 11$, $S_3(2) = 16$, $S_3(3) = 23$, so the rotations cycle over the values 4, 11, 16, 23.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= d_1 + (d_0 + H(d_1, d_2, d_3) + m_5 + T_{33}) \lll 4 \\
d_3 &= d_0 + (d_3 + H(d_0, d_1, d_2) + m_8 + T_{34}) \lll 11 \\
d_2 &= d_3 + (d_2 + H(d_3, d_0, d_1) + m_{11} + T_{35}) \lll 16 \\
d_1 &= d_2 + (d_1 + H(d_2, d_3, d_0) + m_{14} + T_{36}) \lll 23 \\
d_0 &= d_1 + (d_0 + H(d_1, d_2, d_3) + m_1 + T_{37}) \lll 4
\end{aligned}$$


MD5 Message Digest Pass 4

• A function I(x,y,z) is defined as $y \oplus (x \vee \sim z)$.

• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:

$$d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \left(d_{(-i)\wedge 3} + I(d_{(1-i)\wedge 3}, d_{(2-i)\wedge 3}, d_{(3-i)\wedge 3}) + m_{(7i)\wedge 15} + T_{i+49}\right) \lll S_4(i \wedge 3)$$

where $S_4(i) = (i+3)(i+4)/2$, so the rotations cycle over the values 6, 10, 15, 21.

We can write out the first few steps of the pass as follows:

$$\begin{aligned}
d_0 &= d_1 + (d_0 + I(d_1, d_2, d_3) + m_0 + T_{49}) \lll 6 \\
d_3 &= d_0 + (d_3 + I(d_0, d_1, d_2) + m_7 + T_{50}) \lll 10 \\
d_2 &= d_3 + (d_2 + I(d_3, d_0, d_1) + m_{14} + T_{51}) \lll 15 \\
d_1 &= d_2 + (d_1 + I(d_2, d_3, d_0) + m_5 + T_{52}) \lll 21 \\
d_0 &= d_1 + (d_0 + I(d_1, d_2, d_3) + m_{12} + T_{53}) \lll 6
\end{aligned}$$
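The four MD5 passes above, carried through into working code as an added example that is not part of the original slides. The slides do not show the padding, the T table or the end-of-block addition; this example takes them from RFC 1321 (pad with 0x80 and zeros, append the 64-bit little-endian bit length, T_i = floor(2^32 |sin i|), add the block's starting digest at the end).

```python
import math
import struct

MASK = 0xFFFFFFFF
# T_1..T_64 per RFC 1321 (assumption: not shown on the slides); T[0] holds T_1.
T = [int(abs(math.sin(i)) * 2 ** 32) & MASK for i in range(1, 65)]


def rotl(x: int, s: int) -> int:
    """Left rotate of a 32-bit word."""
    return ((x << s) | (x >> (32 - s))) & MASK


# One entry per pass: (function, message-word index for step i, rotation cycle)
PASSES = [
    (lambda x, y, z: (x & y) | (~x & z), lambda i: i, (7, 12, 17, 22)),
    (lambda x, y, z: (x & z) | (y & ~z), lambda i: (5 * i + 1) & 15, (5, 9, 14, 20)),
    (lambda x, y, z: x ^ y ^ z, lambda i: (3 * i + 5) & 15, (4, 11, 16, 23)),
    (lambda x, y, z: y ^ (x | ~z), lambda i: (7 * i) & 15, (6, 10, 15, 21)),
]


def md5(message: bytes) -> str:
    d = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # d0..d3
    # Pad to 56 mod 64 octets, then append the message length in bits.
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack("<Q", (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])  # m0..m15, little-endian
        start = d[:]
        for p, (f, word, shifts) in enumerate(PASSES):
            for i in range(16):
                # Subscripts (-i)&3, (1-i)&3, (2-i)&3, (3-i)&3 from the step formula
                a, b, c, e = (-i) & 3, (1 - i) & 3, (2 - i) & 3, (3 - i) & 3
                # Masking also folds Python's negative ~x results into 32 bits.
                total = (d[a] + f(d[b], d[c], d[e]) + m[word(i)] + T[16 * p + i]) & MASK
                d[a] = (d[b] + rotl(total, shifts[i & 3])) & MASK
        # RFC 1321: add the digest value the block started with.
        d = [(x + y) & MASK for x, y in zip(d, start)]
    return struct.pack("<4I", *d).hex()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"message digest"):
        print(sample, md5(sample))
```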


SHA-1

• SHA-1 (secure hash algorithm) was proposed by NIST as a message digest function. It takes a message of length at most $2^{64}$ bits and produces a 160-bit output.

• Message padding

– SHA-1 pads messages in the same manner as MD4 and MD5, except that SHA-1 is not defined for a message that is longer than $2^{64}$ bits.


SHA-1 message padding


Overview of SHA-1 Message Digest Computation


• The 160-bit message digest consists of five 32-bit words. Let’s call them A,B,C,D, and E.

• The message digest is initialized as

$$A = 67452301_{16}, \quad B = \mathrm{efcdab89}_{16}, \quad C = \mathrm{98badcfe}_{16}, \quad D = 10325476_{16}, \quad E = \mathrm{c3d2e1f0}_{16}$$


SHA-1 Operation on a 512-bit Block

• In SHA-1, the ⊕ of words n−3, n−8, n−14 and n−16 is rotated left one bit before being stored as word n; this is the only modification from the original SHA.

• Now we have a buffer of eighty 32-bit words (5 × 512 bits). Let's call the eighty 32-bit words $W_0, W_1, W_2, \ldots, W_{79}$.

• For t = 0 through 79, modify A, B, C, D, E as follows:

$$B = \text{old } A, \quad C = \text{old } B \lll 30, \quad D = \text{old } C, \quad E = \text{old } D$$

$$A = E + (A \lll 5) + W_t + K_t + f(t,B,C,D)$$

where $\lll$ is a left rotate, the right-hand side of the last equation uses the old values of A, B, C, D and E, and

$$K_t = \begin{cases}
\lfloor 2^{30}\sqrt{2} \rfloor = \mathrm{5a827999}_{16} & (0 \le t \le 19) \\
\lfloor 2^{30}\sqrt{3} \rfloor = \mathrm{6ed9eba1}_{16} & (20 \le t \le 39) \\
\lfloor 2^{30}\sqrt{5} \rfloor = \mathrm{8f1bbcdc}_{16} & (40 \le t \le 59) \\
\lfloor 2^{30}\sqrt{10} \rfloor = \mathrm{ca62c1d6}_{16} & (60 \le t \le 79)
\end{cases}$$

• f(t,B,C,D) is a function that varies according to which of the eighty words you're working on:

$$f(t,B,C,D) = \begin{cases}
(B \wedge C) \vee (\sim B \wedge D) & (0 \le t \le 19) \\
B \oplus C \oplus D & (20 \le t \le 39) \\
(B \wedge C) \vee (B \wedge D) \vee (C \wedge D) & (40 \le t \le 59) \\
B \oplus C \oplus D & (60 \le t \le 79)
\end{cases}$$


HMAC

• HMAC resulted from an effort to find a MAC algorithm that could be proven to be secure if the underlying message digest’s compression function was secure.

• They defined secure as having two properties:

– Collision resistance

– An attacker who doesn’t know the key K cannot compute the proper digest(K,x) for data x, even if the attacker can see the value of digest(K,y) for arbitrary numbers of inputs y, with y not equal to x.
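The slides state HMAC's security goal but not its construction. The following added example, not part of the original slides, builds HMAC from a plain digest using the definition in RFC 2104 and sets it beside the MD(KAB|m) keyed hash from "Computing a MAC with a Hash"; SHA-256 as the digest and the constructed key and messages are assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 compression-function block size in octets


def prefix_keyed_hash(key: bytes, message: bytes) -> bytes:
    """The slides' simple keyed hash: MD(K | m)."""
    return hashlib.sha256(key + message).digest()


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: MD((K ^ opad) | MD((K ^ ipad) | m))."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()   # long keys are hashed first
    key = key.ljust(BLOCK, b"\x00")          # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


if __name__ == "__main__":
    key = b"constructed shared secret"
    message = b"pay 100 to account 42"
    tag = hmac_sha256(key, message)
    print("matches stdlib hmac:", tag == hmac.new(key, message, hashlib.sha256).digest())
    print("original verifies:  ", verify(key, message, tag))
    print("tampered verifies:  ", verify(key, b"pay 900 to account 42", tag))
    # An unkeyed digest is no MAC: anyone can recompute it for a changed message.
    print("unkeyed digest needs no key:", hashlib.sha256(message).hexdigest()[:16])
```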
