Chapter 5 Hashes and Message Digests
Instructor: 孫宏民
Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694
Introduction
• A hash (also known as a message digest) is a one-way function. It is considered one-way because it is not practical to figure out what input corresponds to a given output.
• We will use the terms hash and message digest interchangeably. The NIST message digest function is called SHA-1, which stands for secure hash algorithm, whereas the MD in the MD2, MD4 and MD5 algorithms stands for message digest.
• There will certainly be many messages that yield the same message digest, because a message can be of arbitrary length while the message digest has a fixed length, for instance 128 bits.
• By trying lots of messages, one would eventually find two that mapped to the same message digest.
• The problem is that “lots” is so many that it is essentially impossible.
• Assuming a good 128-bit message digest function, it would take trying approximately 2^64 messages before finding two that had the same digest (see the birthday problem).
• An example use of a message digest is to fingerprint a program or document to detect modification of it.
The Birthday Problem
• If there are 23 or more people in a room, the odds are better than 50% that two of them will have the same birthday.
• Let’s assume n inputs and k possible outputs, and an unpredictable mapping from input to output. With n inputs, there are n(n-1)/2 pairs of inputs. For each pair there is a probability of 1/k that both inputs produce the same output value, so about k/2 pairs are needed for the probability to reach 50%.
• So n(n-1) > k, which means that if n is greater than √k, there is a good chance of finding a matching pair.
• How many bits does the output of a message digest function have to be in order to prevent someone from being able to find two messages with the same message digest?
– If the message digest has m bits, then it would take only about 2^(m/2) messages, chosen at random, before one would find two with the same value.
– That is why message digest functions have outputs of at least 128 bits: it is not considered feasible to search 2^64 messages given the current state of the art.
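To make the birthday bound concrete, here is an added Python example (not part of the lecture slides) that evaluates the matching-pair probability exactly and then searches for a collision on a digest truncated to m bits. SHA-256 cut down to its first m bits stands in for an m-bit MD (an assumption for the demo); the number of trials needed lands near 2^(m/2), which is why a 64-bit output is too short and 128 bits is the floor the slides give.

```python
import hashlib

def birthday_collision_probability(n: int, k: int) -> float:
    """Exact probability that n inputs, mapped uniformly into k possible
    outputs, contain at least one pair with the same output."""
    no_match = 1.0
    for i in range(n):
        no_match *= (k - i) / k        # the i-th input must avoid the i earlier outputs
    return 1.0 - no_match

def truncated_digest(msg: bytes, m_bits: int) -> int:
    """SHA-256 cut down to its first m_bits, standing in for an m-bit MD (assumption)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - m_bits)

def find_collision(m_bits: int, max_trials: int = 1 << 22):
    """Hash distinct constructed messages msg-0, msg-1, ... until two of them
    share the same m-bit digest. Returns (trials, msg_a, msg_b) or None."""
    seen = {}                           # digest -> first message that produced it
    for i in range(max_trials):
        msg = b"msg-%d" % i             # constructed sample input
        h = truncated_digest(msg, m_bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None

def collision_is_genuine(m_bits: int) -> bool:
    """Search and confirm: two distinct inputs with equal truncated digests."""
    result = find_collision(m_bits)
    if result is None:
        return False
    trials, a, b = result
    return a != b and truncated_digest(a, m_bits) == truncated_digest(b, m_bits)

if __name__ == "__main__":
    print("23 people, 365 days:", birthday_collision_probability(23, 365))
    trials, a, b = find_collision(32)
    print("32-bit digest collision after", trials, "trials:", a, b)
```

With m = 32 the search finishes after roughly 2^16 trials; each extra bit of output doubles the work only every two bits, which is the 2^(m/2) rule.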
Nifty Things to Do with a Hash
• The significant difference between a secret key algorithm and a message digest algorithm is that a secret key algorithm is designed to be reversible and a message digest algorithm is designed to be impossible to reverse.
• In this section we’ll use MD as a “generic” message digest algorithm.
Authentication
Computing a MAC with a Hash
• The obvious thought is that MD(m) is a MAC for message m. But it isn’t, since anyone can compute MD(m).
• We concatenate a shared secret KAB with the message m, and use MD(KAB|m) as the MAC.
• Some proposals with no known weaknesses are:
– Put the secret at the end of the message instead of at the beginning.
– Use only half the bits of the message digest as the MAC.
– Concatenate the secret to both the front and the back of the message.
• We call any hash combining the secret key and the data a keyed hash.
Encryption with a Message Digest
• Generating a one-time pad
– Just as OFB generates a pseudorandom bit stream which then encrypts a message by simply being ⊕ed with the message, we can use a message digest algorithm to generate a pseudorandom bit stream.
[Figure: a keystream is produced by repeatedly applying MD with the key KAB; successive keystream blocks are ⊕ed with M1, M2, M3 to give C1, C2, C3. Alice and Bob share a secret key KAB.]
• It is not secure to use the same bit stream twice, so, as with OFB, Alice starts with an IV. The first block is then MD(KAB|IV).
• Mixing in the Plaintext
– Similar to CFB.
[Figure: as in CFB, the ciphertext block C_i is fed back, together with KAB, into MD to produce the keystream for the next block; the IV seeds the first one. M1, M2, M3 are ⊕ed with the keystream to give C1, C2, C3.]
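An added Python example (not the slides’ code) of the two constructions just described: the OFB-style keystream b1 = MD(KAB|IV), b(i+1) = MD(KAB|b_i), the CFB-style variant that feeds the previous ciphertext block back instead, and a check of the warning that reusing a bit stream leaks M1 ⊕ M2. MD is instantiated with SHA-256 and the feedback wiring of the CFB-style figure is my reading of it; both are assumptions.

```python
import hashlib
import os

BLOCK = 32   # keystream block = MD output size (SHA-256 stands in for MD: an assumption)

def md(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(msg: bytes):
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def ofb_style(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """One-time-pad mode from the slides: b1 = MD(KAB|IV), b(i+1) = MD(KAB|b_i),
    C_i = M_i XOR b_i. Decryption is the same call: the keystream ignores the data."""
    out, b = [], iv
    for m in blocks(msg):
        b = md(key + b)
        out.append(xor(m, b))
    return b"".join(out)

def cfb_style_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Mixing in the plaintext: the keystream block for M(i+1) is MD(KAB|C_i),
    with the IV standing in for C_0 (my reading of the CFB-style figure)."""
    out, prev = [], iv
    for m in blocks(msg):
        c = xor(m, md(key + prev))
        out.append(c)
        prev = c
    return b"".join(out)

def cfb_style_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, md(key + prev)))
        prev = c
    return b"".join(out)

def reused_stream_leaks(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the same bit stream must never be used twice: with one key and IV,
    C1 XOR C2 == M1 XOR M2, so each plaintext leaks through the other."""
    c1, c2 = ofb_style(key, iv, m1), ofb_style(key, iv, m2)
    return xor(c1, c2) == xor(m1, m2)

KEY = b"constructed-shared-key-KAB"   # sample secret for the demo (constructed)
IV = os.urandom(BLOCK)                 # fresh per message, as the slide requires
```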
Using Secret Key for a Hash
• What we want to generate is a function with the properties of a hash algorithm. It should not require a secret. It should be publishable. It should be noninvertible.
• Unix password hash
[Figure: the first 8 characters of the password, 7 bits of ASCII each, form a 56-bit DES key; DES encrypts a plaintext of 0 to produce the hashed password.]
• Hashing large messages
• There is a serious problem with this, which is that the typical message block length b is 64 bits, which is too short to use as a message digest.
• If we want to find a message with a particular message digest, a technique similar to the one in section 4.4.1.2 could find a message with a particular 64-bit message digest in about 2^33 iterations.
MD2
• MD2 takes a message of an arbitrary number of octets and produces a 128-bit message digest.
• The basic idea behind MD2 is as follows:
– The input message to MD2 is of arbitrary length.
– The message is padded to be a multiple of 16 octets.
– A 16-octet quantity, which MD2 calls the checksum, is appended to the end.
– Final pass: the message is processed, 16 octets at a time, each time producing an intermediate result for the message digest.
MD2 Padding
MD2 Checksum Computation
MD2 Final Pass
MD4
• The message to be fed into the message digest computation must be a multiple of 512 bits (sixteen 32-bit words).
Overview of MD4 Message Digest Computation
• Each stage starts with a 16-word message block and a 4-word message digest value.
message: called m0, m1, m2, ..., m15
message digest: d0, d1, d2, d3
The message digest is initialized to:
d0 = 67452301₁₆, d1 = efcdab89₁₆, d2 = 98badcfe₁₆, d3 = 10325476₁₆
Equivalent to the octet string 01|23|45|67|89|ab|cd|ef|fe|dc|ba|98|76|54|32|10
• The following operations are the ones we are able to use:
MD4 Message Digest Pass 1
• A function F(x,y,z) is defined as (x ∧ y) ∨ (¬x ∧ z). This function is sometimes known as the selection function.
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = (d_{3i mod 4} + F(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_i) <<< S_i
where <<< denotes a 32-bit left rotate and the S_i cycle over the values 3, 7, 11, 15.
• We can write out the first few steps of the pass as follows:
d0 = (d0 + F(d1, d2, d3) + m0) <<< 3
d3 = (d3 + F(d0, d1, d2) + m1) <<< 7
d2 = (d2 + F(d3, d0, d1) + m2) <<< 11
d1 = (d1 + F(d2, d3, d0) + m3) <<< 15
d0 = (d0 + F(d1, d2, d3) + m4) <<< 3
MD4 Message Digest Pass 2
• A function G(x,y,z) is defined as (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z). This function is sometimes known as the majority function. It uses a constant a = 5a827999₁₆.
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = (d_{3i mod 4} + G(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_{x_i} + a) <<< S_i
where x_i = 4(i mod 4) + ⌊i/4⌋, so the message words are taken in the order 0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, and S_0 = 3, S_1 = 5, S_2 = 9, S_3 = 13, so the S_i cycle over the values 3, 5, 9, 13.
• We can write out the first few steps of the pass as follows:
d0 = (d0 + G(d1, d2, d3) + m0 + a) <<< 3
d3 = (d3 + G(d0, d1, d2) + m4 + a) <<< 5
d2 = (d2 + G(d3, d0, d1) + m8 + a) <<< 9
d1 = (d1 + G(d2, d3, d0) + m12 + a) <<< 13
d0 = (d0 + G(d1, d2, d3) + m1 + a) <<< 3
MD4 Message Digest Pass 3
• A function H(x,y,z) is defined as x ⊕ y ⊕ z.
• Pass 3 has a different strange constant, based on the square root of 3. The constant is b = 6ed9eba1₁₆.
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = (d_{3i mod 4} + H(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_{R_i} + b) <<< S_i
where R_i = 8(i mod 2) + 4(⌊i/2⌋ mod 2) + 2(⌊i/4⌋ mod 2) + ⌊i/8⌋ (the four bits of i reversed), so the message words are taken in the order 0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15, and S_0 = 3, S_1 = 9, S_2 = 11, S_3 = 15, so the S_i cycle over the values 3, 9, 11, 15.
• We can write out the first few steps of the pass as follows:
d0 = (d0 + H(d1, d2, d3) + m0 + b) <<< 3
d3 = (d3 + H(d0, d1, d2) + m8 + b) <<< 9
d2 = (d2 + H(d3, d0, d1) + m4 + b) <<< 11
d1 = (d1 + H(d2, d3, d0) + m12 + b) <<< 15
d0 = (d0 + H(d1, d2, d3) + m2 + b) <<< 3
MD5
• The major differences are:
– MD4 makes three passes over each 16-octet chunk of the message. MD5 makes four passes over each 16-octet chunk.
– The functions are slightly different, as are the number of bits in the shifts.
– MD4 has one constant which is used for each message word in pass 2, and a different constant in pass 3; no constant is used in pass 1. MD5 uses 64 32-bit constants.
MD5 Message Padding
Overview of MD5 Message Digest Computation
• Each stage starts with a 16-word message block and a 4-word message digest value.
message: called m0, m1, m2, ..., m15
message digest: d0, d1, d2, d3
The message digest is initialized to:
d0 = 67452301₁₆, d1 = efcdab89₁₆, d2 = 98badcfe₁₆, d3 = 10325476₁₆
Equivalent to the octet string 01|23|45|67|89|ab|cd|ef|fe|dc|ba|98|76|54|32|10
MD5 Message Digest Pass 1
• A function F(x,y,z) is defined as (x ∧ y) ∨ (¬x ∧ z). This function is sometimes known as the selection function.
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = d_{(3i+1) mod 4} + ((d_{3i mod 4} + F(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_i + T_{i+1}) <<< S_i)
where the S_i cycle over the values 7, 12, 17, 22.
• We can write out the first few steps of the pass as follows:
d0 = d1 + ((d0 + F(d1, d2, d3) + m0 + T1) <<< 7)
d3 = d0 + ((d3 + F(d0, d1, d2) + m1 + T2) <<< 12)
d2 = d3 + ((d2 + F(d3, d0, d1) + m2 + T3) <<< 17)
d1 = d2 + ((d1 + F(d2, d3, d0) + m3 + T4) <<< 22)
d0 = d1 + ((d0 + F(d1, d2, d3) + m4 + T5) <<< 7)
MD5 Message Digest Pass 2
• A function G(x,y,z) is defined as (x ∧ z) ∨ (y ∧ ¬z).
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = d_{(3i+1) mod 4} + ((d_{3i mod 4} + G(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_{(5i+1) mod 16} + T_{i+17}) <<< S_i)
where the S_i cycle over the values 5, 9, 14, 20.
• We can write out the first few steps of the pass as follows:
d0 = d1 + ((d0 + G(d1, d2, d3) + m1 + T17) <<< 5)
d3 = d0 + ((d3 + G(d0, d1, d2) + m6 + T18) <<< 9)
d2 = d3 + ((d2 + G(d3, d0, d1) + m11 + T19) <<< 14)
d1 = d2 + ((d1 + G(d2, d3, d0) + m0 + T20) <<< 20)
d0 = d1 + ((d0 + G(d1, d2, d3) + m5 + T21) <<< 5)
MD5 Message Digest Pass 3
• A function H(x,y,z) is defined as x ⊕ y ⊕ z.
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = d_{(3i+1) mod 4} + ((d_{3i mod 4} + H(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_{(3i+5) mod 16} + T_{i+33}) <<< S_i)
where S_0 = 4, S_1 = 11, S_2 = 16, S_3 = 23, so the S_i cycle over the values 4, 11, 16, 23.
• We can write out the first few steps of the pass as follows:
d0 = d1 + ((d0 + H(d1, d2, d3) + m5 + T33) <<< 4)
d3 = d0 + ((d3 + H(d0, d1, d2) + m8 + T34) <<< 11)
d2 = d3 + ((d2 + H(d3, d0, d1) + m11 + T35) <<< 16)
d1 = d2 + ((d1 + H(d2, d3, d0) + m14 + T36) <<< 23)
d0 = d1 + ((d0 + H(d1, d2, d3) + m1 + T37) <<< 4)
MD5 Message Digest Pass 4
• A function I(x,y,z) is defined as y ⊕ (x ∨ ¬z).
• A separate step is done for each of the 16 words of the message. For each i from 0 through 15:
d_{3i mod 4} = d_{(3i+1) mod 4} + ((d_{3i mod 4} + I(d_{(3i+1) mod 4}, d_{(3i+2) mod 4}, d_{(3i+3) mod 4}) + m_{7i mod 16} + T_{i+49}) <<< S_i)
where the S_i cycle over the values 6, 10, 15, 21.
• We can write out the first few steps of the pass as follows:
d0 = d1 + ((d0 + I(d1, d2, d3) + m0 + T49) <<< 6)
d3 = d0 + ((d3 + I(d0, d1, d2) + m7 + T50) <<< 10)
d2 = d3 + ((d2 + I(d3, d0, d1) + m14 + T51) <<< 15)
d1 = d2 + ((d1 + I(d2, d3, d0) + m5 + T52) <<< 21)
d0 = d1 + ((d0 + I(d1, d2, d3) + m12 + T53) <<< 6)
SHA-1
• SHA-1 (secure hash algorithm) was proposed by NIST as a message digest function; it takes a message of length at most 2^64 bits and produces a 160-bit output.
• Message padding
– SHA-1 pads messages in the same manner as MD4 and MD5, except that SHA-1 is not defined for a message longer than 2^64 bits.
SHA-1 message padding
Overview of SHA-1 Message Digest Computation
• The 160-bit message digest consists of five 32-bit words. Let’s call them A, B, C, D, and E.
• The message digest is initialized as
A = 67452301₁₆, B = efcdab89₁₆, C = 98badcfe₁₆, D = 10325476₁₆, E = c3d2e1f0₁₆
SHA-1 Operation on a 512-bit Block
• The 16 words of the block are extended to 80: in SHA-1, the ⊕ of words n−3, n−8, n−14 and n−16 is rotated left one bit before being stored as word n; this is the only modification from the original SHA.
• Now we have a buffer of eighty 32-bit words (5 × 512 bits). Let’s call the eighty 32-bit words W_0, W_1, W_2, ..., W_79.
• For t from 0 through 79, modify A, B, C, D, E as follows:
A = (A <<< 5) + E + W_t + K_t + f(t,B,C,D), B = old A, C = old B <<< 30, D = old C, E = old D
where
K_t = 5a827999₁₆ (0 ≤ t ≤ 19)
K_t = 6ed9eba1₁₆ (20 ≤ t ≤ 39)
K_t = 8f1bbcdc₁₆ (40 ≤ t ≤ 59)
K_t = ca62c1d6₁₆ (60 ≤ t ≤ 79)
• f(t,B,C,D) is a function that varies according to which of the eighty words you’re working on:
f(t,B,C,D) = (B ∧ C) ∨ (¬B ∧ D) (0 ≤ t ≤ 19)
f(t,B,C,D) = B ⊕ C ⊕ D (20 ≤ t ≤ 39)
f(t,B,C,D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D) (40 ≤ t ≤ 59)
f(t,B,C,D) = B ⊕ C ⊕ D (60 ≤ t ≤ 79)
HMAC
• HMAC resulted from an effort to find a MAC algorithm that could be proven to be secure if the underlying message digest’s compression function was secure.
• They defined secure as having two properties:
– Collision resistance
– An attacker who doesn’t know the key K cannot compute the proper digest(K,x) for data x, even if the attacker can see the value of digest(K,y) for an arbitrary number of inputs y, with y not equal to x.
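As an added example (my code, not the lecture’s), here is HMAC built directly from its definition, which is the keyed hash the earlier “Computing a MAC with a Hash” proposals lead up to: H((K' ⊕ opad) | H((K' ⊕ ipad) | m)), with K' the key zero-padded to the hash block size and the constants 0x36/0x5c from RFC 2104. The RFC 4231 test vector used to check it is quoted from that RFC, not from the slides.

```python
import hashlib
import hmac

def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' XOR opad) | H((K' XOR ipad) | m)) per RFC 2104, where K' is
    K zero-padded to the hash's block size (a key longer than the block is hashed first).
    Built from hashlib primitives to expose the construction; the hmac module does the same."""
    block = hashlib.new(hash_name).block_size          # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    k = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.new(hash_name, ipad + msg).digest()   # keyed inner hash over the data
    return hashlib.new(hash_name, opad + inner).digest()  # keyed outer hash over the inner result

def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module."""
    return hmac_from_definition(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verifier side: recompute and compare in constant time, so the comparison
    does not reveal how many leading bytes of a wrong tag matched."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hash_name), tag)

# RFC 4231 test case 1 (values quoted from the RFC, not from the slides)
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"
RFC4231_HMAC_SHA256 = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")
```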