V.E.S.I.T_M.C.A Nishi TIku 1 Hashes and Message Digests Network Security Lecture 4

Post on 11-Apr-2015

Page 1: Hashes Lect 4

V.E.S.I.T_M.C.A Nishi TIku 1

Hashes and Message Digests

Network Security

Lecture 4

Page 2: Hashes Lect 4

Message Digests

• A message digest is a non-reversible algorithm which reduces a message to a fixed-length “summary”
• The summary has the property that a change to the original will produce a new summary
• The probability that the new summary is the same as the old should be 1/(size of the digest)
• There are several good (but possibly no perfect) message digest algorithms
  – MD5 is probably the most common one in use -- 128 bit digest (has known weaknesses)
  – SHA-1 -- 160 bit digest (current best choice) [Another product of NIST]

Page 3: Hashes Lect 4

Hash functions

A hash function is a mathematical function that generally has the following three properties:

1. Condenses arbitrarily long inputs into a fixed-length output

– You stuff as much data as you want into the function, and it churns out an output (or hash) that is always the same fixed length.

– In general this hash is much smaller than the data that was put into the function.

– Because the hash is a smaller piece of information that represents a larger one, it is sometimes referred to as a digest, and the hash function as a message digest function.

Page 4: Hashes Lect 4

Hash functions

2. Is one-way

The hash function should be easy to compute, but given the hash of some data it should be very hard to recover the original data from the hash.

3. It is hard to find two inputs with the same output

It should be hard to find two different inputs (of any length) that when fed into the hash function result in the same hash.

This property is sometimes described as requiring a hash function to be collision free.

Note that it is impossible for a hash function not to have collisions. If arbitrarily large inputs are all being reduced to a fixed length hash then there will be lots of collisions. (For example - it is impossible to give each of 60 million people a different 4 digit PIN.) The point is that these collisions should be hard to find.

Page 5: Hashes Lect 4

Hashes

• Hash is also called message digest
• One-way function: d = h(m) but no h’(d) = m
  – Cannot find the message given a digest
  – Cannot find m1, m2, where d1 = d2
• Arbitrary-length message to fixed-length digest
• Cryptographically safe
• Randomness
  – Mapping of i/p to o/p should appear to be randomly chosen
  – Any two o/ps should be totally uncorrelated, even if most of the i/ps are similar
• Collision

Page 6: Hashes Lect 4

An aside on hashing

• Length of hash << length of message, & often fixed at 48-128 /160
• Some other names of hashing: fingerprinting, message integrity check (MIC), message digest, cryptographic checksum, manipulation detection code
• Hash functions are well-known. So hashing is exportable; often used to communicate programs securely over the web
• MD‹key;data› is a message authentication code (MAC) or data authentication code (DAC); knowing key

Page 7: Hashes Lect 4

Hashes

• How many bits does the o/p of an MD fn. have to be in order to prevent someone from being able to find two messages with the same MD?

OR: How Many Bits for Hash?

• If the MD has m bits, then it would take about $2^{m/2}$ messages to find two with the same hash
• 64 bits: takes $2^{32}$ messages to search
• Need at least 128 bits

Page 8: Hashes Lect 4

Good cryptographic hash function h should have the following properties:

• h should destroy all homomorphic structures in the underlying public key cryptosystem (be unable to compute hash value of 2 messages combined given their individual hash values)
• h should be computed on the entire message
• h should be a one-way function so that messages are not disclosed by their signatures
• it should be computationally infeasible given a message and its hash value to compute another message with the same hash value
• should resist birthday attacks (finding any 2 messages with the same hash value, perhaps by iterating through minor permutations of 2 messages)

Page 9: Hashes Lect 4

Birthday Problem

• Compute probability of different birthdays
• Random sample of n (i/ps) people (birthdays) taken from k o/ps (365) days
• With n i/ps => n(n-1)/2 pairs of i/ps
• For each pair there’s a prob. of 1/k of both i/ps producing the same o/p value => we’ll need k/2 pairs for the prob. to be 50% (for a matching pair)

Page 10: Hashes Lect 4

Birthday Problem

Let us assume n inputs and k possible outputs and an unpredictable map from input to output. With n inputs there are $\binom{n}{2} = \frac{n(n-1)}{2}$ pairs of inputs. For each pair there is a probability of 1/k of both inputs producing the same output value, so you will need about k/2 pairs in order for the probability to be about 50% that you will find a matching pair, i.e. $\frac{n(n-1)}{2} \approx \frac{k}{2}$. This implies $n(n-1) \approx k$, i.e. $n \approx \sqrt{k}$: there is a good chance of finding a matching pair.

Probability of no repetition: $1 - p \approx 1 - \frac{n(n-1)}{2k}$

• Diff. between secret key algo. and a msg. digest algo.
• Why are there so many msg. digests

Page 11: Hashes Lect 4

Security of hash functions

Suppose that we sign the message Keith owes Fred £10 by hashing it using a hash function that has a hash of just 2 bits:

there are only four possible hashes: 00, 01, 10 or 11.

Fred receives this signed message, and being a manipulative type he decides to change the message to Keith owes Fred £100. Of course Fred does not have Keith’s signature key, so he cannot digitally sign this message. But he doesn’t have to – he only has to sign the hash!

What is the probability that:

hash (Keith owes Fred £10 ) = hash (Keith owes Fred £100 )?

Page 12: Hashes Lect 4

Security of hash functions

Suppose the hash is 10 bits long – in other words about 1000 hashes

1000 requests for £200
1. Pay Fred Piper £200
2. Pay F. Piper £200
3. Pay F.C. Piper two hundred pounds
4. Pay F.C. Piper two hundred pounds only
5. Pay two hundred pounds to Mr Fred Piper
6. ……..

1000 requests for £8000
1. Pay Fred Piper £8000
2. Pay F. Piper £8000
3. Pay F.C. Piper eight thousand pounds
4. Pay F.C. Piper eight thousand pounds only
5. Pay eight thousand pounds to Mr Fred Piper
6. ……..

Since there are only 1000 different possible values of the hash, there is a very good chance that there will be at least one match…
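Added example (not from the original slides): a measurement of the birthday bound discussed on pages 7 to 12, showing why a short digest cannot protect a signature. SHA-256 truncated to m bits stands in for an m-bit message digest; the function names and the `msg-<counter>` messages are constructed for illustration.

```python
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data): a stand-in for an m-bit digest."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def first_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash prefix+counter messages until two of them share a digest.

    Returns (earlier_message, later_message, number_of_messages_hashed).
    By the pigeonhole principle this stops after at most 2**bits + 1 tries;
    the birthday argument says it usually stops near 2**(bits/2).
    """
    seen = {}
    tries = 0
    while True:
        msg = prefix + str(tries).encode()
        tries += 1
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg


def match_probability(n: int, k: int) -> float:
    """The slides' approximation: n(n-1)/2 pairs, each matching with prob. 1/k."""
    return min(1.0, n * (n - 1) / (2 * k))


def survey(sizes=(8, 12, 16, 20, 24)):
    """For each digest size: (bits, tries needed, 2^(bits/2) estimate)."""
    rows = []
    for bits in sizes:
        _, _, tries = first_collision(bits)
        rows.append((bits, tries, 2 ** (bits // 2)))
    return rows


if __name__ == "__main__":
    print("bits  tries  2^(bits/2)")
    for bits, tries, estimate in survey():
        print(f"{bits:4d}  {tries:5d}  {estimate:10d}")
    # The 10-bit hash of page 12: two sets of 1000 variants give 10^6 cross
    # pairs against only 1024 digest values, so a match is all but certain.
    a, b, tries = first_collision(10)
    print(f"10-bit digest: {a!r} and {b!r} collide after {tries} messages")
```

The work grows with the square root of the number of digest values, which is why the slides ask for at least 128 bits rather than 64.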

Page 13: Hashes Lect 4

Using Hash for Authentication

• Alice to Bob: challenge rA
• Bob to Alice: MD(KAB|rA)
• Bob to Alice: rB
• Alice to Bob: MD(KAB|rB)
• Only need to compare MD results

Page 14: Hashes Lect 4

Using Hash to Compute MAC

• Cannot just compute MD(m) MD(m’)
• MAC: MD(KAB|m)
  – Allows concatenation with additional message: MD(KAB|m|m’)
  – MD through chunk n depends on MD through chunks n-1 and the data in chunk n
• Put secret at the end of message: MD(m|KAB) (collision)
• Use only ½ the bits of msg. digest as MAC (64)
• MD(KAB|m|KAB)
• HMAC MD(MD(KAB |m )
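Added example (not from the original slides): the challenge/response exchange of page 13 run with HMAC, the keyed construction page 14 ends on, in place of the plain MD(KAB|r) prefix MAC. HMAC is built here from its RFC 2104 definition with SHA-256 as the digest; the `Party` class, the party names and binding the responder's name into the MAC are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 64  # SHA-256 input block size in bytes


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) | H((K xor ipad) | m))."""
    if len(key) > BLOCK:               # keys longer than a block are hashed
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")    # then zero-padded to one full block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


class Party:
    """One end of the exchange, holding the shared secret KAB."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.pending = name, key, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # rA or rB, fresh per run
        return self.pending

    def respond(self, challenge: bytes) -> bytes:
        # The responder's name is part of the MAC input, so an answer cannot
        # be reflected back as a valid answer in the opposite direction.
        return hmac_sha256(self.key, self.name.encode() + b"|" + challenge)

    def verify(self, peer: str, response: bytes) -> bool:
        if self.pending is None:                 # no outstanding challenge
            return False
        expected = hmac_sha256(self.key, peer.encode() + b"|" + self.pending)
        self.pending = None                      # each challenge is single-use
        return hmac.compare_digest(expected, response)  # constant-time compare


def mutual_auth(key_alice: bytes, key_bob: bytes):
    """Run both directions; returns (bob_accepted, alice_accepted)."""
    alice, bob = Party("alice", key_alice), Party("bob", key_bob)
    r_a = alice.challenge()                      # Alice to Bob: rA
    bob_ok = alice.verify("bob", bob.respond(r_a))
    r_b = bob.challenge()                        # Bob to Alice: rB
    alice_ok = bob.verify("alice", alice.respond(r_b))
    return bob_ok, alice_ok


if __name__ == "__main__":
    shared = b"constructed shared secret KAB"
    print("same key:     ", mutual_auth(shared, shared))
    print("different key:", mutual_auth(shared, b"some other key"))
```

The nested form avoids the weakness the slide notes for MD(KAB|m), where the digest through chunk n lets anyone continue hashing an appended m’ without knowing the key.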

Page 15: Hashes Lect 4

Using Hash to Encrypt

• One-time pad (similar to o/p feedback mode)
  – compute bit streams using MD, IV and K: b1 = MD(KAB|IV), b2 = MD(KAB|b1), …, bi = MD(KAB|bi-1)
  – ⊕ with message blocks
  – Both the sender and the receiver calculate it in advance.
• Or mixing in the plaintext (used for integrity check)
  – similar to cipher feedback mode (CFB) (j bits of encrypt. IV ⊕ j bits of plain text)
  – b1 = MD(KAB|IV), c1 = p1 ⊕ b1
  – b2 = MD(KAB|c1), c2 = p2 ⊕ b2
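Added example (not from the original slides): both keystream constructions above, with SHA-256 standing in for MD, plus the failure a practitioner should know about: reusing an IV under the same key exposes the XOR of the two plaintexts. The key, IV and messages are constructed values and the function names are illustrative.

```python
import hashlib

BLOCK = 32  # bytes per MD call (SHA-256 as the digest is an assumption)


def md(*parts: bytes) -> bytes:
    """MD(a|b|...) as written on the slide."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_style(key: bytes, iv: bytes, data: bytes) -> bytes:
    """b1 = MD(K|IV), bi = MD(K|b(i-1)); output = data XOR b1 b2 ...

    The keystream never depends on the data, so both sides can compute it
    in advance and the same call both encrypts and decrypts.
    """
    out, b = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        b = md(key, b)
        out += xor(data[off:off + BLOCK], b)
    return bytes(out)


def cfb_style_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """b1 = MD(K|IV), c1 = p1 XOR b1, b2 = MD(K|c1), c2 = p2 XOR b2, ..."""
    out, feedback = bytearray(), iv
    for off in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[off:off + BLOCK], md(key, feedback))
        out += c
        feedback = c                    # the ciphertext block feeds the next MD
    return bytes(out)


def cfb_style_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, feedback = bytearray(), iv
    for off in range(0, len(ciphertext), BLOCK):
        c = ciphertext[off:off + BLOCK]
        out += xor(c, md(key, feedback))
        feedback = c
    return bytes(out)


def reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two OFB-style ciphertexts made with the same key and IV.

    The keystream cancels, leaving p1 XOR p2 with no key needed.
    """
    return xor(ofb_style(key, iv, p1), ofb_style(key, iv, p2))


if __name__ == "__main__":
    key, iv = b"constructed key KAB", b"constructed IV 0001"
    msg = b"a constructed plaintext that spans more than one 32-byte block"
    ct = ofb_style(key, iv, msg)
    assert ofb_style(key, iv, ct) == msg
    assert cfb_style_decrypt(key, iv, cfb_style_encrypt(key, iv, msg)) == msg
    print("round trips ok; ciphertext:", ct.hex()[:32], "...")
```

Neither mode authenticates anything on its own: a flipped ciphertext bit flips the same plaintext bit, so a MAC over the ciphertext is still required.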

Page 16: Hashes Lect 4

Using Secret Key for a Hash

• Unix password algorithm:
  – Compute hash of user password, store the hash (not the password), and compare the hash of user-input password.
  – First 8 characters of password used to form a secret key.
  – This key is now used with a DES-like algorithm for encryption
  – Off-line guessing; forgot the password?
• Salt: 12-bit random number formed by the sys. and process ID.
  – Salt stored with hashed result.

Page 17: Hashes Lect 4

MD2

• Msg. digest algo. developed by Ron Rivest
• Has its roots in its predecessor (MD)
• 128-bit message digest:
  – Arbitrary number of octets
  – Padding is a multiple of 16 octets (also called as checksum)
  – Append MD2 checksum (16 octets) to the end
  – The checksum is almost a MD, but not cryptographically secure by itself.
  – Process whole message

Page 18: Hashes Lect 4

MD2 padding

[Figure: original msg. followed by padding; total length a multiple of 16 octets]

Page 19: Hashes Lect 4

MD2 Checksum computation

A 16-byte checksum of the message is appended to the result of the previous step. This step uses a 256-byte "random" permutation constructed from the digits of pi. Let S[i] denote the i-th element of this table. The table is given below

41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19,98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20

Do the following:

   /* Clear checksum. */
   For i = 0 to 15 do:
      Set C[i] to 0.
   end /* of loop on i */

   Set L to 0.

   /* Process each 16-word block. */
   For i = 0 to N/16-1 do

      /* Checksum block i. */
      For j = 0 to 15 do
         Set c to M[i*16+j].
         /* XOR into the running checksum byte, as in cn on the next slide. */
         Set C[j] to C[j] xor S[c xor L].
         Set L to C[j].
      end /* of loop on j */
   end /* of loop on i */

Page 20: Hashes Lect 4

MD2 Checksum

• MD2 checksum is a 16 octet quantity
• Checksum calculation processes one octet at a time, k × 16 steps
• $m_{nk}$: byte nk of message
• $c_n = \pi(m_{nk} \oplus c_{n-1}) \oplus c_n$
• $\pi$: 0 → 41, 1 → 46, …
  – Substitution on 0-255 (value of the byte)
• explain diag. 1

Page 21: Hashes Lect 4

MD2 Final Pass

• Msg. + padding + checksum
• Operate on 16-octet chunks
• 48-byte quantity q: (16 octet current digest + msg. chunk + digest ⊕ chunk)
• 18 passes of processing
  – $c_n = \pi(c_{n-1}) \oplus c_n$ for n = 0, …, 47; $c_{-1} = 0$ for pass 0; $c_{-1} = (c_{47} + \text{pass \#}) \bmod 256$
• After pass 17, use first 16 bytes as new digest
• Explain diag2

Page 22: Hashes Lect 4

MD4

MD4 was designed to be 32-bit-word-oriented so that it can be computed faster on 32-bit CPUs than an octet-oriented scheme as in MD2

Can handle messages with an arbitrary no. of bits (as against an integral no. of octets)

Is computed in a single pass over the data (with more intermediate state)

Page 23: Hashes Lect 4

MD4

Msg. Padding

original msg. is padded by adding a 1 bit, followed by enough 0 bits to leave the msg. 64 bits less than a multiple of 512 bits (e.g. if the original length is 1000 bits, +472)

[Figure: original msg. | 1000…000 (1-512 bits) | original length in bits (64 bits); the total is a multiple of 512 bits]

Page 24: Hashes Lect 4

MD4 Message digest computation

• Msg. digest is a 128 bit quantity (four 32-bit words)
• Msg. is processed in 512 bit (sixteen 32-bit word) blocks
• Compression fn.: fn. that takes 512 bits of the msg. and digests it with the previous 128 bit o/p

Page 25: Hashes Lect 4

MD4 (overview of MD4, MD5, SHA-1)

[Diag. 3. Labels: constant; padded msg.; 512 bits (×3); digest (×3); msg. digest]

Page 26: Hashes Lect 4

MD4

Each stage starts with a 16-word msg. block (m0, m1, m2, …, m15)

4-word msg. digest value (d0, d1, d2, d3)

where d0 is initialized to 67452301 to the base 16

d1 is initialized to efcdab89 to the base 16

d2 is initialized to 98badcfe to the base 16

d3 is initialized to 10325476 to the base 16

written in concatenation

Each pass modifies d0 … d3 using m0 … m15

Page 27: Hashes Lect 4

MD4

$\sim x$ is the bitwise complement of the 32 bit quantity x

$x \wedge y$ is the bitwise and of the 32 bit quantities x and y

$x \vee y$ is the bitwise or of the 32 bit quantities x and y

$x \oplus y$ is the bitwise exclusive or of the 32 bit quantities x and y

$x + y$ is binary sum of the 32 bit quantities x and y (carry of the higher order bit discarded)

$x \lll y$ is x left rotate y bits

Page 28: Hashes Lect 4

MD4 msg. digest Pass 1

Selection formula:

$d_{(-i) \wedge 3} = (d_{(-i) \wedge 3} + F(d_{(1-i) \wedge 3}, d_{(2-i) \wedge 3}, d_{(3-i) \wedge 3}) + m_i) \lll S_1(i \wedge 3)$

$d_0 = (d_0 + F(d_1,d_2,d_3) + m_0) \lll 3$

$d_3 = (d_3 + F(d_0,d_1,d_2) + m_1) \lll 7$

$d_2 = (d_2 + F(d_3,d_0,d_1) + m_2) \lll 11$

$d_1 = (d_1 + F(d_2,d_3,d_0) + m_3) \lll 15$

$d_0 = (d_0 + F(d_1,d_2,d_3) + m_4) \lll 3$

where F(x,y,z) is defined as $(x \wedge y) \vee (\sim x \wedge z)$

Page 29: Hashes Lect 4

MD4 msg. digest Pass 2

Majority fn.

G(x,y,z) is defined as $(x \wedge y) \vee (x \wedge z) \vee (y \wedge z)$

For each int. i from 0 thru 15

$d_{(-i) \wedge 3} = (d_{(-i) \wedge 3} + G(d_{(1-i) \wedge 3}, d_{(2-i) \wedge 3}, d_{(3-i) \wedge 3}) + m_{X(i)} + \mathrm{5a827999}_{16}) \lll S_2(i \wedge 3)$

Page 30: Hashes Lect 4

MD4 msg. digest Pass 2

$d_0 = (d_0 + G(d_1,d_2,d_3) + m_0 + \mathrm{5a827999}_{16}) \lll 3$

$d_3 = (d_3 + G(d_0,d_1,d_2) + m_4 + \mathrm{5a827999}_{16}) \lll 5$

$d_2 = (d_2 + G(d_3,d_0,d_1) + m_8 + \mathrm{5a827999}_{16}) \lll 9$

$d_1 = (d_1 + G(d_2,d_3,d_0) + m_{12} + \mathrm{5a827999}_{16}) \lll 13$

$d_0 = (d_0 + G(d_1,d_2,d_3) + m_1 + \mathrm{5a827999}_{16}) \lll 3$

Page 31: Hashes Lect 4

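MD4 msg. digest Pass 3

Fn H(x,y,z) is defined as $x \oplus y \oplus z$

$d_{(-i) \wedge 3} = (d_{(-i) \wedge 3} + H(d_{(1-i) \wedge 3}, d_{(2-i) \wedge 3}, d_{(3-i) \wedge 3}) + m_{X(i)} + \mathrm{6ed9eba1}_{16}) \lll S_3(i \wedge 3)$

$d_0 = (d_0 + H(d_1,d_2,d_3) + m_0 + \mathrm{6ed9eba1}_{16}) \lll 3$

$d_3 = (d_3 + H(d_0,d_1,d_2) + m_8 + \mathrm{6ed9eba1}_{16}) \lll 9$

$d_2 = (d_2 + H(d_3,d_0,d_1) + m_4 + \mathrm{6ed9eba1}_{16}) \lll 11$

$d_1 = (d_1 + H(d_2,d_3,d_0) + m_{12} + \mathrm{6ed9eba1}_{16}) \lll 15$

$d_0 = (d_0 + H(d_1,d_2,d_3) + m_2 + \mathrm{6ed9eba1}_{16}) \lll 3$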

Page 32: Hashes Lect 4

MD4 Algorithm Description

MD4 overview

• pad message so its length is 448 mod 512
• append a 64-bit message length value to message
• initialise the 4-word (128-bit) buffer (A,B,C,D)
• process the message in 16-word (512-bit) chunks, using 3 rounds of 16 bit operations each on the chunk & buffer
• output hash value is the final buffer value
• some progress at cryptanalysing MD4 has been made, with a small number of collisions having been found
• MD5 was designed as a strengthened version, using four rounds, a little more complex than in MD4.
• a little progress at cryptanalysing MD5 has been made with a small number of collisions having been found

Page 33: Hashes Lect 4

MD5: Message Digest Version 5

• Less concerned with speed, more concerned with security
• Like MD4, MD5 msg. is processed in 512 bit blocks (sixteen 32 bit words)
• MD is 128 bit quantity (four 32 bit words)
• Refer to diag 3
• Each stage makes 4 passes over each 16 octet chunk using a different constant for each msg. word on each pass
• $T_i = \mathrm{int}(2^{32} \cdot |\sin(i)|)$, i ranges between 1 and 64

Page 34: Hashes Lect 4

MD5: Message Digest Version 5

[Figure: input message; output 128 bits digest]

Page 35: Hashes Lect 4

MD5 Box

[Figure: initial 128-bit vector and 512-bit message chunks (16 32-bit words) in; 128-bit result (4 32-bit words) out]

F: $(x \wedge y) \vee (\sim x \wedge z)$

G: $(x \wedge z) \vee (y \wedge \sim z)$

H: $x \oplus y \oplus z$

I: $y \oplus (x \vee \sim z)$

+: binary sum

$x \lll y$: x left rotate y bits

Page 36: Hashes Lect 4

MD5: Padding

[Figure: input message plus padding, split into 512 bit blocks 1 2 3 4; MD5 transformation block by block, from the initial value to the final output; output 128 bits digest]

Page 37: Hashes Lect 4

Padding Twist

• Given original message M, add padding bits such that resulting length is 64 bits less than a multiple of 512 bits.
• Append (original length in bits mod $2^{64}$), represented in 64 bits, to the padded message
• Final message is chopped into blocks of 512 bits

Page 38: Hashes Lect 4

MD5 Process

• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD=A|B|C|D
• Every message block contains 16 32-bit words: m0|m1|m2…|m15
• Digest MD0 initialized to: A=01234567, B=89abcdef, C=fedcba98, D=76543210
• Every stage consists of 4 passes over the message block, each modifying MD

Page 39: Hashes Lect 4

MD5 msg. digest Pass 1

$d_0 = d_1 + (d_0 + F(d_1,d_2,d_3) + m_0 + T_1) \lll 7$

$d_3 = d_0 + (d_3 + F(d_0,d_1,d_2) + m_1 + T_2) \lll 12$

$d_2 = d_3 + (d_2 + F(d_3,d_0,d_1) + m_2 + T_3) \lll 17$

$d_1 = d_2 + (d_1 + F(d_2,d_3,d_0) + m_3 + T_4) \lll 22$

$d_0 = d_1 + (d_0 + F(d_1,d_2,d_3) + m_4 + T_5) \lll 7$

Page 40: Hashes Lect 4

MD5 msg. digest Pass 2

$d_0 = d_1 + (d_0 + G(d_1,d_2,d_3) + m_1 + T_{17}) \lll 5$

$d_3 = d_0 + (d_3 + G(d_0,d_1,d_2) + m_6 + T_{18}) \lll 9$

$d_2 = d_3 + (d_2 + G(d_3,d_0,d_1) + m_{11} + T_{19}) \lll 14$

$d_1 = d_2 + (d_1 + G(d_2,d_3,d_0) + m_0 + T_{20}) \lll 20$

$d_0 = d_1 + (d_0 + G(d_1,d_2,d_3) + m_5 + T_{21}) \lll 5$

Page 41: Hashes Lect 4

MD5 msg. digest Pass 3

Fn H(x,y,z) is defined as $x \oplus y \oplus z$

$d_0 = d_1 + (d_0 + H(d_1,d_2,d_3) + m_5 + T_{33}) \lll 4$

$d_3 = d_0 + (d_3 + H(d_0,d_1,d_2) + m_8 + T_{34}) \lll 11$

$d_2 = d_3 + (d_2 + H(d_3,d_0,d_1) + m_{11} + T_{35}) \lll 16$

$d_1 = d_2 + (d_1 + H(d_2,d_3,d_0) + m_{14} + T_{36}) \lll 23$

$d_0 = d_1 + (d_0 + H(d_1,d_2,d_3) + m_1 + T_{37}) \lll 4$

Page 42: Hashes Lect 4

MD5 msg. digest Pass 4

Fn I(x,y,z) is defined as $y \oplus (x \vee \sim z)$

$d_0 = d_1 + (d_0 + I(d_1,d_2,d_3) + m_0 + T_{49}) \lll 6$

$d_3 = d_0 + (d_3 + I(d_0,d_1,d_2) + m_7 + T_{50}) \lll 10$

$d_2 = d_3 + (d_2 + I(d_3,d_0,d_1) + m_{14} + T_{51}) \lll 15$

$d_1 = d_2 + (d_1 + I(d_2,d_3,d_0) + m_5 + T_{52}) \lll 21$

$d_0 = d_1 + (d_0 + I(d_1,d_2,d_3) + m_{12} + T_{53}) \lll 6$

Page 43: Hashes Lect 4

MD5 Blocks

[Figure: four chained MD5 stages taking the 512-bit blocks B1, B2, B3, B4 and giving the result]

Page 44: Hashes Lect 4

Processing of Block mi - 4 Passes

ABCD=fF(ABCD,mi,T[1..16])

ABCD=fG(ABCD,mi,T[17..32])

ABCD=fH(ABCD,mi,T[33..48])

ABCD=fI(ABCD,mi,T[49..64])

[Figure: MDi (A B C D) and mi feed the four passes; four additions (+ + + +) with A B C D give MD i+1]

Page 45: Hashes Lect 4

Process within a round

[Figure: one round takes a, b, c, d, the 16 sub blocks M[0] to M[15] and the other constants t (64 elements)]

Page 46: Hashes Lect 4

One MD5 operation

[Figure: one operation on a, b, c, d in step1 to step7. Labels: process P; add (×5); M[I]; T[k]]

Page 47: Hashes Lect 4

Different Passes...

• Different functions and constants are used
• Different set of mi is used
• Different set of shift amount is used
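Added example (not from the original slides): the MD5 description of pages 33 to 47 as compact working code, covering the padding rule, the T table, the four pass functions F, G, H, I and the per-pass choice of message word and rotate amount. The function names are illustrative; the word order and rotate amounts follow RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# T[i] = int(2^32 * abs(sin(i))) for i = 1..64 (stored 0-based)
T = [int(2 ** 32 * abs(math.sin(i))) & MASK for i in range(1, 65)]
# Left-rotate amounts: four per pass, each set used four times
SHIFT = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
         [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def pad(msg: bytes) -> bytes:
    """A 1 bit, 0 bits up to 64 bits short of a multiple of 512, then the length."""
    zeros = (55 - len(msg)) % 64                 # whole zero bytes after 0x80
    bit_len = (8 * len(msg)) % 2 ** 64           # original length mod 2^64
    return msg + b"\x80" + b"\x00" * zeros + struct.pack("<Q", bit_len)


def md5(msg: bytes) -> bytes:
    # A=01234567 ... on the slide are these words written low-order byte first.
    digest = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = pad(msg)
    for off in range(0, len(data), 64):          # one stage per 512-bit block
        m = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = digest
        for i in range(64):                      # 4 passes of 16 steps
            if i < 16:                           # pass 1: F, words in order
                f, k = (b & c) | (~b & d), i
            elif i < 32:                         # pass 2: G, words 1, 6, 11, 0, ...
                f, k = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:                         # pass 3: H, words 5, 8, 11, 14, ...
                f, k = b ^ c ^ d, (3 * i + 5) % 16
            else:                                # pass 4: I, words 0, 7, 14, 5, ...
                f, k = c ^ (b | (~d & MASK)), (7 * i) % 16
            step = rotl((a + f + m[k] + T[i]) & MASK, SHIFT[i])
            a, b, c, d = d, (b + step) & MASK, b, c
        # the stage output is added word by word to the stage input
        digest = [(x + y) & MASK for x, y in zip(digest, (a, b, c, d))]
    return struct.pack("<4I", *digest)


if __name__ == "__main__":
    for sample in (b"", b"abc", b"message digest"):
        print(md5(sample).hex(), sample)
```

MD5 is shown here to make the structure concrete; its collision resistance is broken, so it should not be chosen for signatures or integrity in new designs.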

Page 48: Hashes Lect 4

MD5 (strengths/weaknesses)

Two msgs. that produce same MD for each of the four msg. rounds , but not for all the rounds taken together

Pseudo collision: execution of MD5 on a single 512 bit block produces the same o/p for two diff. values in the chaining var. register abcd

Execution of MD5 on two diff. 512 bit block produces the same 128 bit o/p, but not generalized to the full msg. block

Page 49: Hashes Lect 4

Hash stuff

• Most popular hash today: SHA-1 (secure hash algorithm)
• Older ones (MD2, MD4, MD5) still around
• Popular secret-key integrity check: hash together key and data
• One popular standard for that: HMAC

Page 50: Hashes Lect 4

Secure Hash Algorithm

Developed by NIST, specified in the Secure Hash Standard (SHS, FIPS Pub 180), 1993

SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST

Modified version of MD4

Page 51: Hashes Lect 4

General Logic

• Input message must be < $2^{64}$ bits
  – not really a problem
• Message is processed in 512-bit blocks sequentially
• Message digest is 160 bits
• SHA design is similar to MD5, but a lot stronger
• SHA was designed to be infeasible to:
  – obtain the original msg. given its MD
  – find two msgs. producing the same MD

Page 52: Hashes Lect 4

Basic Steps

Step 1: Padding

Step 2: Appending length as 64 bit unsigned

Step 3: Divide the i/p into 512 bit blocks

Step 4: Initialize MD buffer (chaining vars.) into 5 32-bit words A|B|C|D|E

A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0

Page 53: Hashes Lect 4

Basic Steps...

Step 5: the 80-step processing of 512-bit blocks – 4 rounds, 20 steps each.

Each step t (0 <= t <= 79):

• Input:
  – Wt – a 32-bit word from the message
  – Kt – a constant
  – ABCDE: current MD.
• Output:
  – ABCDE: new MD.

Page 54: Hashes Lect 4

Basic Steps...

Only 4 per-round distinctive additive constants (as against 64 constants in MD5)

0 <= t <= 19    Kt = 5A827999

20 <= t <= 39   Kt = 6ED9EBA1

40 <= t <= 59   Kt = 8F1BBCDC

60 <= t <= 79   Kt = CA62C1D6

Page 55: Hashes Lect 4

Basic Steps - The Heart Of The Matter

[Figure: one step maps A, B, C, D, E to the new A, B, C, D, E. Labels: ft; CLS5; CLS30; Wt; Kt; four additions (+)]

Page 56: Hashes Lect 4

Basic Logic Functions

Only 3 different functions

Round            Function ft(B,C,D)

0 <= t <= 19     $(B \wedge C) \vee (\sim B \wedge D)$

20 <= t <= 39    $B \oplus C \oplus D$

40 <= t <= 59    $(B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$

60 <= t <= 79    $B \oplus C \oplus D$

Page 57: Hashes Lect 4

Twist With Wt’s

Additional mixing used with input message 512-bit block

W0|W1|…|W15 = m0|m1|m2…|m15

For 15 < t < 80: $W_t = s(W_{t-16} \oplus W_{t-14} \oplus W_{t-8} \oplus W_{t-3})$

XOR is a very efficient operation, but with multilevel shifting, it should produce very extensive and random mixing!

Page 58: Hashes Lect 4

MAC,HMAC