1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.


1 Chapter 5 Hashes and Message Digests
Instructor: 孫宏民 hmsun@cs.nthu.edu.tw
Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694

2 Introduction
A hash (also known as a message digest) is a one-way function. It is considered one-way because it is not practical to figure out what input corresponds to a given output. We will use the terms hash and message digest interchangeably. The NIST message digest function is called SHA-1, which stands for secure hash algorithm, whereas the MD in the MD2, MD4 and MD5 algorithms stands for message digest.

3 There will certainly be many messages that yield the same message digest, because a message can be of arbitrary length and the message digest has a fixed length, for instance 128 bits. By trying lots of messages, one would eventually find two that map to the same message digest. The problem is that "lots" is so many that it is essentially impossible.

4 Assuming a good 128-bit message digest function, it would take trying approximately 2^64 messages before finding two that had the same digest (see the birthday problem). An example use of a message digest is to fingerprint a program or document in order to detect modification of it.

5 The Birthday Problem
If there are 23 or more people in a room, the odds are better than 50% that two of them will have the same birthday. Let's assume n inputs and k possible outputs, and an unpredictable mapping from input to output. With n inputs, there are n(n-1)/2 pairs of inputs. For each pair there is a probability of 1/k that both inputs produce the same output value, so we need about k/2 pairs for the probability of a match to be about 50%.

6 So n(n-1) > k, which means that if n is greater than, there's a good chance of finding a matching pair.

7 How many bits does the output of a message digest function need in order to prevent someone from finding two messages with the same message digest?
– If the message digest has m bits, then it would take only about 2^(m/2) messages, chosen at random, before one would find two with the same value.
– That is why message digest functions have outputs of at least 128 bits, because it is not considered feasible to search 2^64 messages given the current state of the art.
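
The 2^(m/2) estimate can be checked empirically on a shortened digest. The following Python is an added example, not part of the original slides; it truncates SHA-256 to m bits as a stand-in for an m-bit digest (an assumption of this example) and counts how many constructed messages are hashed before two of them collide.

```python
import hashlib

def truncated_digest(message: bytes, m_bits: int) -> int:
    """Toy m-bit digest: the top m_bits of SHA-256(message), as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - m_bits)

def find_collision(m_bits: int):
    """Hash distinct constructed messages until two share an m-bit digest.

    Returns (first_message, second_message, messages_tried).
    """
    seen = {}  # digest value -> message that produced it
    tried = 0
    while True:
        message = b"constructed-message-%d" % tried
        tried += 1
        value = truncated_digest(message, m_bits)
        if value in seen:
            return seen[value], message, tried
        seen[value] = message

def birthday_estimate(m_bits: int) -> float:
    """The slides' estimate: about 2^(m/2) messages for an m-bit digest."""
    return 2 ** (m_bits / 2)

if __name__ == "__main__":
    for m in (16, 24, 32):
        a, b, tried = find_collision(m)
        assert a != b and truncated_digest(a, m) == truncated_digest(b, m)
        print(f"m={m}: collision after {tried} messages "
              f"(2^(m/2) = {birthday_estimate(m):.0f})")
```

Each extra 8 bits of digest multiplies the work by about 16, not 256, which is why the digest length has to be twice the intended collision-search cost in bits.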

8 Nifty Things to Do with a Hash
The significant difference between a secret key algorithm and a message digest algorithm is that a secret key algorithm is designed to be reversible and a message digest algorithm is designed to be impossible to reverse. In this section we'll use MD as a "generic" message digest algorithm.

9 Authentication

10 Computing a MAC with a Hash
The obvious thought is that MD(m) is a MAC for message m. But it isn't: anyone can compute MD(m). Instead, we concatenate a shared secret K_AB with the message m, and use MD(K_AB|m) as the MAC. With digests that process a message block by block, this has a weakness: someone who sees m and MD(K_AB|m) can compute the MAC of a longer message that starts with m, without knowing K_AB. Some proposals with no known weaknesses are:
– Put the secret at the end of the message instead of at the beginning.
– Use only half the bits of the message digest as the MAC.

11 – Concatenate the secret to both the front and the back of the message.
We call any hash combining the secret key and the data a keyed hash.

12 Encryption with a Message Digest
Generating a one-time pad
– Just as OFB generates a pseudorandom bit stream which then encrypts a message by simply being ⊕ed with the message, we can use a message digest algorithm to generate a pseudorandom bit stream.

13 [Figure: MD applied with K_AB produces successive pad blocks, which are ⊕ed with M1, M2, M3 to give C1, C2, C3.]
Alice and Bob share a secure key K_AB.

14 It is not secure to use the same bit stream twice, so, as with OFB, Alice starts with an IV. The first block is then MD(K_AB|IV).

15 Mixing in the Plaintext
– Similar to CFB.
[Figure: IV and K_AB feed MD; the MD outputs are ⊕ed with M1, M2, M3 to give C1, C2, C3.]
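
The two pad constructions on slides 12 to 15, as an added Python example that is not part of the original slides. It assumes SHA-256 as the generic MD, that each later pad block in the OFB-like mode is MD(K_AB|previous pad block), and that in the CFB-like mode it is MD(K_AB|previous ciphertext block); the key, IVs and messages are constructed sample values.

```python
import hashlib

BLOCK = 32  # octets per pad block: SHA-256 stands in for the generic MD

def md(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so a short final block just uses
    # the leading octets of its pad block.
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_like(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Pad b1 = MD(K|IV), b_i = MD(K|b_{i-1}); output block = data block XOR b_i.
    The pad never depends on the data, so the same call encrypts and decrypts."""
    out, pad = b"", iv
    for i in range(0, len(data), BLOCK):
        pad = md(key + pad)
        out += xor(data[i:i + BLOCK], pad)
    return out

def cfb_like_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """b1 = MD(K|IV), b_i = MD(K|c_{i-1}); c_i = m_i XOR b_i."""
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = xor(plaintext[i:i + BLOCK], md(key + prev))
        out += prev
    return out

def cfb_like_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(block, md(key + prev))
        prev = block
    return out

if __name__ == "__main__":
    key, iv = b"constructed K_AB", b"constructed IV 1"
    m1, m2 = b"pay Bob 100 dollars", b"pay Eve 999 dollars"
    c1, c2 = ofb_like(key, iv, m1), ofb_like(key, iv, m2)
    # Same key and IV give the same pad, so the pad cancels out of c1 XOR c2;
    # this is why slide 14 has Alice start each message with an IV.
    print(xor(c1, c2) == xor(m1, m2))
```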

16 Using Secret Key for a Hash
What we want to generate is a function with the properties of a hash algorithm. It should not require a secret. It should be publishable. It should be noninvertible.
Unix password hash
[Figure: the 8 password characters, 7-bit ASCII each, form a 56-bit DES key; DES encrypts the plaintext 0 to produce the hashed password.]

17 Hashing large messages

18 There is a serious problem with this, which is that the typical message block length b is 64 bits, which is too short to use as a message digest. If we want to find a message with a particular message digest, a technique similar to the one in section 4.4.1.2 could find a message with a particular 64-bit message digest in about 2^33 iterations.

20 MD2
MD2 takes a message equal to an arbitrary number of octets and produces a 128-bit message digest. The basic idea behind MD2 is as follows:
– The input message to MD2 is of arbitrary length.
– The message is padded to be a multiple of 16 octets.
– A 16-octet quantity, which MD2 calls a checksum, is appended to the end.
– Final pass: the message is processed, 16 octets at a time, each time producing an intermediate result for the message digest.

21 MD2 Padding

22 MD2 Checksum Computation

24 MD2 Final Pass

25 MD4
The message to be fed into the message digest computation must be a multiple of 512 bits (sixteen 32-bit words).

26 Overview of MD4 Message Digest Computation

27 Each stage starts with a 16-word message block and a 4-word message digest value. message called : message digest : The message digest initialized to : Equivalent to the octet string

28 The following operations we are able to use:

29 MD4 Message Digest Pass 1
A function F(x,y,z) is defined as (x ⋀ y) ⋁ (∼x ⋀ z). This function is sometimes known as the selection function. A separate step is done for each of the 16 words of the message. For each i from 0 through 15.

31 MD4 Message Digest Pass 2

33 MD4 Message Digest Pass 3

35 MD5
The major differences are:
– MD4 makes three passes over each 16-octet chunk of the message. MD5 makes four passes over each 16-octet chunk.
– The functions are slightly different, as are the number of bits in the shifts.
– MD4 has one constant which is used for each message word in pass 2, and a different constant in pass 3. No constant is used in pass 1. MD5 uses 64 32-bit constants.

37 MD5 Message Padding

38 Overview of MD5 Message Digest Computation

39 Each stage starts with a 16-word message block and a 4-word message digest value. message called : message digest : The message digest initialized to : Equivalent to the octet string

40 MD5 Message Digest Pass 1
A function F(x,y,z) is defined as (x ⋀ y) ⋁ (∼x ⋀ z). This function is sometimes known as the selection function. A separate step is done for each of the 16 words of the message. For each i from 0 through 15.

42 MD5 Message Digest Pass 2

44 MD5 Message Digest Pass 3

46 MD5 Message Digest Pass 4

48 SHA-1
SHA-1 (secure hash algorithm) was proposed by NIST as a message digest function. It takes a message of length at most 2^64 bits and produces a 160-bit output.
Message padding
– SHA-1 pads messages in the same manner as MD4 and MD5, except that SHA-1 is not defined for a message that is longer than 2^64 bits.

49 SHA-1 message padding

50 Overview of SHA-1 Message Digest Computation

51 The 160-bit message digest consists of five 32-bit words. Let's call them A, B, C, D, and E. The message digest is initialized as

52 SHA-1 Operation on a 512-bit Block

55 HMAC
HMAC resulted from an effort to find a MAC algorithm that could be proven to be secure if the underlying message digest's compression function was secure. They defined secure as having two properties:
– Collision resistance
– An attacker who doesn't know the key K cannot compute the proper digest(K,x) for data x, even if the attacker can see the value of digest(K,y) for arbitrary numbers of inputs y, with y not equal to x.
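
A keyed hash built the HMAC way, as an added Python example that is not from the original slides; it relates both to the keyed-hash discussion on slides 10 and 11 and to the HMAC slide above. The ipad/opad construction follows RFC 2104 (the slides do not reproduce it), SHA-1 is the underlying digest, and the function names and sample values are hypothetical.

```python
import hashlib
import hmac

def hmac_from_digest(key: bytes, message: bytes, digest=hashlib.sha1) -> bytes:
    """HMAC per RFC 2104: H((K' XOR opad) | H((K' XOR ipad) | message))."""
    block_size = digest().block_size          # 64 octets for MD5 and SHA-1
    if len(key) > block_size:                 # long keys are hashed first
        key = digest(key).digest()
    key = key.ljust(block_size, b"\x00")      # K': key zero-padded to a block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = digest(ipad + message).digest()
    return digest(opad + inner).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes, digest=hashlib.sha1) -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_digest(key, message, digest), tag)

if __name__ == "__main__":
    k_ab = b"constructed shared secret K_AB"
    m = b"constructed message m"
    tag = hmac_from_digest(k_ab, m)
    print("matches stdlib hmac:", tag == hmac.new(k_ab, m, hashlib.sha1).digest())
    print("genuine tag accepted:", verify_mac(k_ab, m, tag))
    # MD(m) alone is not a MAC: anyone can compute it, and it does not verify.
    print("unkeyed digest accepted:", verify_mac(k_ab, m, hashlib.sha1(m).digest()))
    print("altered message accepted:", verify_mac(k_ab, m + b"!", tag))
```

In production code, call the standard library's `hmac.new` directly; the hand-built version is here only to show what the two nested digest calls do with the key.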
