Hashes and Message Digests

Upload: thomasina-hunter

Post on 02-Jan-2016


TRANSCRIPT

1

Hashes and Message Digests

2

Hash

• Also known as
– Message digest
– One-way function

• Function: input message -> output
• One-way: d=h(m), but not h’(d) = m
– Computationally infeasible to find the message given the digest

• Cannot find m1 and m2, where d1 = d2

• Randomness:
– Any bit in the output ‘1’ half the time
– Each output: 50% ‘1’ bits

[Figure: Message of arbitrary length -> Hash h -> A fixed-length short message]

3

Birthday Paradox

• What is the minimum value of n such that the probability is greater than 0.5 that at least two people in a group of n people have the same birthday?
– Ignore Feb. 29 and assume each birthday is equally likely

• Probability of n people having n different birthdays:

• Probability that at least two people have the same birthdays: – 1 -

• n is about 23

4

Generalization of Birthday Problem

• Compute probability of different birthdays
• Random samples of n people (birthdays) taken from d (365) days
• What is the minimum value of n such that the probability is greater than 0.5 that there is at least one duplicate?

– P(n, d) = 1 –

• For large n and d, we have
– n = 1.2 * d^(1/2)

• Implication

– We expect to obtain the same output after about 1.2 * d^(1/2) trials

http://www.rsasecurity.com/rsalabs/node.asp?id=2205

5

How many bits for hash?

• m bits, takes 2^(m/2) to find two with the same hash

• 64 bits, takes 2^32 messages to search (doable)

• Need at least 128 bits

• Example use
– Fingerprint a program/document: attackers cannot find a different program with the same message digest
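Added example (not from the original slides): the birthday bound computed exactly, then observed on a hash truncated to m bits, to show why about 2^(m/2) messages suffice to find two with the same hash. SHA-256 truncation stands in for an m-bit hash, and all function names and test messages are constructed for illustration.

```python
import hashlib

def min_group_size(d, target=0.5):
    """Smallest n such that n samples from d equally likely values
    contain at least one duplicate with probability > target."""
    p_distinct, n = 1.0, 0
    while 1.0 - p_distinct <= target:
        p_distinct *= (d - n) / d  # sample n+1 must miss the n values already drawn
        n += 1
    return n

def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, used here as a stand-in m-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def trials_until_collision(bits, seed=0):
    """Hash distinct constructed messages until two digests match.
    Returns (number of messages hashed, first message, colliding message)."""
    seen = {}
    i = 0
    while True:
        msg = b"%d:%d" % (seed, i)
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1

if __name__ == "__main__":
    print("d = 365: n =", min_group_size(365), "vs 1.2*sqrt(d) =", round(1.2 * 365 ** 0.5, 1))
    for m in (16, 20, 24):
        runs = [trials_until_collision(m, s)[0] for s in range(20)]
        print(f"m = {m}: mean trials = {sum(runs) / len(runs):.0f}, "
              f"1.2 * 2^(m/2) = {1.2 * 2 ** (m / 2):.0f}")
```

The work grows with 2^(m/2), not 2^m, which is why the slide treats a 64-bit digest as searchable and asks for at least 128 bits.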

6

Hash used for Authentication

• Alice and Bob share a secret KAB

[Figure: messages exchanged between Alice and Bob: rA, MD(KAB|rA), rB, MD(KAB|rB)]

7

Computing a MAC with a HASH

• Cannot just compute MD(m)
– Anyone can compute MD(m)

• MAC: MD(KAB|m)
– Allows concatenation with additional message: MD(KAB|m|m’)

• MD through chunk n depends on MD through chunks n-1 and the data in chunk n
• 512-bit blocks, append (message length, pad)

• How to solve?
– Put secret at the end of message:
• MD(m| KAB)
– Use only half the bits of the message digest as the MAC
– Concatenate the secret to both the front and the back of the message

8

Encryption with a Message Digest

• One-time pad:
– compute bit streams using MD, K, and IV
• b1=MD(KAB|IV), bi=MD(KAB|bi-1), …

with message blocks

• Mixing in the plaintext
– similar to cipher feedback mode (CFB)

• b1=MD(KAB|IV), c1= p1 b1

• b2=MD(KAB| c1), c2= p2 b2

• ….
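Added example (not from the original slides) of both constructions on this slide, assuming the combining operation is XOR, as in a one-time pad and in CFB. SHA-256 stands in for MD, and the key, IV and function names are constructed for illustration.

```python
import hashlib

BLOCK = 32  # output size of the stand-in MD (SHA-256), in bytes

def md(data):
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def md_stream_xor(key, iv, data):
    """One-time-pad style: b1 = MD(K|IV), bi = MD(K|b(i-1)), output = data XOR b.
    The keystream ignores the data, so the same call encrypts and decrypts,
    and reusing (key, iv) for two messages reuses the same pad."""
    out, b = [], iv
    for chunk in blocks(data):
        b = md(key + b)
        out.append(xor(chunk, b))
    return b"".join(out)

def cfb_encrypt(key, iv, plaintext):
    """Mixing in the plaintext: b1 = MD(K|IV), c1 = p1 XOR b1, b2 = MD(K|c1), ..."""
    out, prev = [], iv
    for p in blocks(plaintext):
        c = xor(p, md(key + prev))
        out.append(c)
        prev = c  # the next pad block depends on this ciphertext block
    return b"".join(out)

def cfb_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(c, md(key + prev)))
        prev = c
    return b"".join(out)

if __name__ == "__main__":
    key, iv = b"K" * 16, b"I" * 16  # constructed sample values
    msg = b"The quick brown fox jumps over the lazy dog. " * 3
    print(md_stream_xor(key, iv, md_stream_xor(key, iv, msg)) == msg)
    print(cfb_decrypt(key, iv, cfb_encrypt(key, iv, msg)) == msg)
```

Neither mode authenticates the ciphertext: a flipped ciphertext bit flips the same plaintext bit, and in the CFB-style mode it also garbles the following block.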

9

Modern Hash Functions

• MD5
– Previous versions (MD2, MD4) have weaknesses

• SHA-1
– Secure Hash Algorithms

10

MD2

• 128-bit message digest
– Arbitrary number of octets
– Message is padded to be a multiple of 16 octets
– Append MD2 checksum (16 octets) (a strange function of the padded message) to the end
– Process the whole message 16 octets at a time

• Each intermediate value depends on
– Previous intermediate value
– The value of the 16 octets of the message being processed

11

MD2 Padding

12

MD2 Checksum

13

MD2 Substitution Table

14

MD2 Checksum

• One byte at a time, k 16 steps

• mnk: byte nk of message

• cn=(mnk cn-1) cn

: 0 41, 1 46, …
– Substitution on 0-255 (value of the byte)

15

MD2 Final Pass

16

MD2 Final Pass

• Operate on 16-byte chunks

• 48-byte quantity q:
– (current digest|chunk|digestchunk)

• 18 passes of massaging over q, and one byte at a time:
– cn=(cn-1) cn for n = 0, … 47; c-1 = 0 for pass 0; c-1 = (c47 + pass #) mod 256

• After pass 17, use first 16 bytes as new digest
– 16 8 = 128

17

Overview of MD4, MD5, and SHA-1

MD of MD4/MD5: 128 bit, MD of SHA-1: 160-bit

18

Padding for MD4, MD5, and SHA-1

19

MD5 Process

• As many stages as the number of 512-bit blocks in the final padded message

• Digest: 4 32-bit words: MD=d0|d1|d2|d3

• Every message block contains 16 32-bit words: m0|m1|m2…|m15

– Digest MD0 initialized to: d0=67452301,d1=efcdab89,d2=98badcfe, d3=10325476

– Every stage consists of 4 passes over the message block, each modifying MD

• operations

20

Constants of MD5

Ti = 2^32 sin i

21

MD5 Message Digest Pass 1

• For each integer i from 0 through 15

(i)

22

MD5 Message Digest Pass 2

• For each integer i from 0 through 15

23

MD5 Message Digest Pass 3

• For each integer i from 0 through 15

24

MD5 Message Digest Pass 4

• For each integer i from 0 through 15

25

SHA-1

• Developed by NIST
• SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST
• Takes a message of length at most 2^64 bits and produces a 160-bit output.
• SHA design is similar to MD5, but a lot stronger
• Makes five passes over each block of data

26

SHA-1 cont’d

• Step 1: Message Padding – same as MD5

• Step 2: Initialize MD buffer: 5 32-bit words A|B|C|D|E

A = 67452301

B = efcdab89

C = 98badcfe

D = 10325476

E = c3d2e1f0

27

SHA-1 operation on a 512-bit Block

• Step 3: the 80-step processing of 512-bit blocks – 4 rounds, 20 steps each.

Each step t (0 <= t <= 79):
– Input:
• Wt – a 32-bit word from the message
• Kt – a constant.
• ABCDE: current MD.
– Output:
• ABCDE: new MD

• Only 4 per-round distinctive additive constants
0 <= t <= 19: Kt = 5A827999
20 <= t <= 39: Kt = 6ED9EBA1
40 <= t <= 59: Kt = 8F1BBCDC
60 <= t <= 79: Kt = CA62C1D6

• Only 3 different functions
Round: Function ft(B,C,D)
0 <= t <= 19: (BC)(~B D)
20 <= t <= 39: BCD
40 <= t <= 59: (BC)(BD)(CD)
60 <= t <= 79: BCD

28

SHA-1 cont’d

Inner Loop of SHA-1 – 80 Iterations per Block

29

HMAC