Hashes and Message Digests (Chapter 5)

Author: Cecily Harris
EE5723/EE4723, Spring 2012

Outline

- Introduction to Hash
- MD2
- MD5
- SHA-1

Hashes

- Hash is also called message digest
- One-way function: $d = h(m)$ but no $h'(d) = m$
  - Cannot find the message given a digest
- Cannot find $m_1$, $m_2$, where $d_1 = d_2$
- Arbitrary-length message mapped to fixed-length digest
- Randomness
  - any bit in the outputs: '1' half of the time
  - each output: 50% '1' bits

How Many Bits for Hash?

- Many messages yield the same digest
  - E.g., 1000-bit message, 128-bit digest
- $m$-bit hashes: takes about $2^{m/2}$ to find two with the same hash (>= 50% prob.)
- 64 bits: takes $2^{32}$ messages to search (doable)
- Need at least 128 bits, $2^{64}$ search
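An added example (not from the original slides) that checks the $2^{m/2}$ estimate empirically. SHA-256 truncated to m bits stands in for an m-bit hash, the salted counter messages are constructed test input, and all function names are illustrative.

```python
import hashlib

def collision_probability(n, k):
    """Exact probability that n uniform samples from k values contain a repeat."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (k - i) / k
    return 1.0 - p_distinct

def samples_for_half(k):
    """Smallest n whose collision probability reaches 50%."""
    n, p_distinct = 0, 1.0
    while 1.0 - p_distinct < 0.5:
        p_distinct *= (k - n) / k
        n += 1
    return n

def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, standing in for an m-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def messages_until_collision(bits, salt):
    """Hash salt||counter messages until two digests match; return how many were hashed."""
    seen = set()
    counter = 0
    while True:
        d = truncated_hash(salt + counter.to_bytes(8, "big"), bits)
        counter += 1
        if d in seen:
            return counter
        seen.add(d)

def average_work(bits, trials=200):
    """Mean number of messages hashed before the first collision, over several salts."""
    total = sum(messages_until_collision(bits, b"trial-%d-" % t) for t in range(trials))
    return total / trials

if __name__ == "__main__":
    print("50% point for k=365:", samples_for_half(365))
    for m in (16, 20, 24):
        print(f"m={m}: average {average_work(m):.0f} messages, 2^(m/2) = {2 ** (m // 2)}")
```

The measured average sits a small constant factor above $2^{m/2}$, which is why a 64-bit digest falls to roughly $2^{32}$ hash computations.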

Birthday Problem

- Compute probability of different birthdays
- Random sample of $n$ people (birthdays) taken from $k$ (365) days
- There are $n(n-1)/2$ pairs of inputs
- Prob. of $1/k$ that both inputs of a pair map to the same output (not a particular one though)
- $k/2$ pairs are needed for the prob. of 50% to find the matching pair
- $n$ greater than $k$ will do.

Using Hash for Authentication

- Alice to Bob: challenge $r_A$ (e.g., "I am Alice")
- Bob to Alice: $\mathrm{MD}(K_{AB} \mid r_A)$
- Bob to Alice: $r_B$ (e.g., "I am Bob")
- Alice to Bob: $\mathrm{MD}(K_{AB} \mid r_B)$
- Only need to compare MD results

Using Hash to Compute MAC: integrity

- Cannot just compute $\mathrm{MD}(m)$
- MAC: Keyed Hash:
  - $\mathrm{MD}(K_{AB} \mid m)$ almost works, however…
    - Allows concatenation with additional message: $\mathrm{MD}(K_{AB} \mid m \mid m')$
    - MD through chunk $n$ depends on MD through chunks $n-1$ and the data in chunk $n$
- Proposal 1: Put secret at the end of message: $\mathrm{MD}(m \mid K_{AB})$
- Proposal 2: HMAC: $\mathrm{MD}(K_{AB} \mid \mathrm{MD}(K_{AB} \mid m))$

Using Hash to Encrypt: confidentiality

- One-time pad: similar to OFB
  - compute pseudorandom bit streams using MD, K, and IV
  - $b_1 = \mathrm{MD}(K_{AB} \mid IV)$, $b_i = \mathrm{MD}(K_{AB} \mid b_{i-1})$, …
  - $\oplus$ with message blocks
- Or mixing in the plaintext: similar to cipher feedback mode (CFB)
  - $b_1 = \mathrm{MD}(K_{AB} \mid IV)$, $c_1 = p_1 \oplus b_1$
  - $b_2 = \mathrm{MD}(K_{AB} \mid c_1)$, $c_2 = p_2 \oplus b_2$
- Challenge: Decryption
  - Decryption w/ the same order as encryption
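Added example, not from the slides, for the authentication and MAC slides above. The slide writes HMAC as MD(K_AB | MD(K_AB | m)); HMAC as standardized in RFC 2104 also pads the key to the hash block size and XORs it with two different constants, which the code builds by hand and then uses for the challenge-response exchange. `Verifier`, `respond`, `demo` and the keys are illustrative names and constructed values.

```python
import hashlib
import hmac
import secrets

def hmac_manual(key, msg, hash_name="sha256"):
    """RFC 2104: H((K ^ opad) | H((K ^ ipad) | msg)) with K padded to the block size."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # over-long keys are hashed first
        key = h(key)
    key = key.ljust(block, b"\x00")
    inner = h(bytes(b ^ 0x36 for b in key) + msg)
    return h(bytes(b ^ 0x5C for b in key) + inner)

def respond(key, challenge):
    """Prover side: answer a challenge r with the keyed hash of r."""
    return hmac_manual(key, challenge)

class Verifier:
    """Challenger side: issues a fresh random r and accepts one answer for it."""
    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def check(self, response):
        if self.pending is None:
            return False
        expected = hmac_manual(self.key, self.pending)
        self.pending = None                   # each challenge is single-use
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    key = secrets.token_bytes(32)             # constructed shared secret K_AB
    alice = Verifier(key)
    good = respond(key, alice.challenge())
    fresh = alice.check(good)                 # correct answer to a fresh challenge
    alice.challenge()
    replay = alice.check(good)                # old answer replayed against a new challenge
    r = alice.challenge()
    wrong = alice.check(respond(b"not the shared key", r))
    return fresh, replay, wrong
```

Only the digests are compared, as on the slide; the random challenge is what makes a recorded answer useless later.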

General k-bit Cipher Feedback Mode (CFB)

Output Feedback Mode (OFB)

- IV (n bits)
- Like a Random Number Generator...
- $\oplus$ message w/ as many bits of pseudo-random stream as necessary
- OFB is a stream cipher

[Figures: CFB and OFB block diagrams showing the IV, ENC boxes, k-bit feedback, message blocks M1 to M4 and ciphertext blocks C1 to C4]
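Added example, not from the slides: the two MD-based encryption schemes from the "Using Hash to Encrypt" slide, with SHA-256 as the default MD (an assumption; any `hashlib` constructor can be passed). `keystream_reuse_leaks` shows why the OFB-like mode needs a fresh IV per message; neither mode provides integrity. Function names and the sample key and IV are illustrative.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_like(key, iv, data, md=hashlib.sha256):
    """b1 = MD(K|IV), bi = MD(K|b_{i-1}); output = data XOR keystream.
    The keystream ignores the data, so the same call encrypts and decrypts."""
    out, b, size = bytearray(), iv, md().digest_size
    for i in range(0, len(data), size):
        b = md(key + b).digest()
        out += _xor(data[i:i + size], b)
    return bytes(out)

def cfb_like(key, iv, data, decrypt=False, md=hashlib.sha256):
    """b1 = MD(K|IV), c1 = p1 XOR b1, b2 = MD(K|c1), c2 = p2 XOR b2, ...
    Decryption walks the blocks in the same order, feeding back ciphertext."""
    out, feedback, size = bytearray(), iv, md().digest_size
    for i in range(0, len(data), size):
        block = data[i:i + size]
        result = _xor(block, md(key + feedback).digest())
        out += result
        feedback = block if decrypt else result   # always the ciphertext block
    return bytes(out)

def keystream_reuse_leaks(key, iv, p1, p2):
    """True if reusing (key, IV) makes c1 XOR c2 equal p1 XOR p2."""
    c1, c2 = ofb_like(key, iv, p1), ofb_like(key, iv, p2)
    return _xor(c1, c2) == _xor(p1, p2)

if __name__ == "__main__":
    key, iv = b"k" * 16, b"iv-0001"              # constructed sample values
    msg = b"transfer 100 to account 42; " * 3
    ct = cfb_like(key, iv, msg)
    print(cfb_like(key, iv, ct, decrypt=True) == msg)
    print("IV reuse leaks p1 XOR p2:", keystream_reuse_leaks(key, iv, b"A" * 40, b"B" * 40))
```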

MD2

- 128-bit message digest:
  - Arbitrary number of bytes of message
  - First pad to multiple of 16 bytes
  - Append MD2 checksum (16 bytes) to the end
    - The checksum is almost a MD, but not cryptographically secure by itself.
  - Final pass: process whole message, 16 bytes at a time

MD2 Padding

- If the message is multiple of 16 octets, 16 bytes to be added
- Otherwise, 1~15 bytes to be added

MD2 Checksum (start w/ 0)

[Figure: checksum computation, steps K=1 to K=5]

- One byte at a time, $k \times 16$ steps (in total)
- $m_{nk}$: $nk$-th byte of message, $n$: 1~16
- $c_n = \pi(m_{nk} \oplus c_{n-1}) \oplus c_n$
- $\pi$: $0 \to 41$, $1 \to 46$, …
  - Substitution on 0-255 (value of the byte)

MD2 Final Process

- Operate on 16-byte chunks
- 48-byte quantity q: (current digest | message chunk | digest $\oplus$ chunk)
- 18 passes of massaging over q, and one byte at a time:
  - $c_n = \pi(c_{n-1}) \oplus c_n$ for $n = 0, \ldots, 47$;
  - $c_{-1} = 0$ for pass 0;
  - $c_{-1} = (c_{47} + \text{pass \#}) \bmod 256$
- After pass 17, use first 16 bytes as new digest
  - $16 \times 8 = 128$
- Repeat till the entire padded message is processed

MD5: Message Digest Version 5

- Input Message
- Output 128 bits Digest
- More "Conservative" than MD4: less concerned w/ speed, more concerned w/ security

Overview of MD5

[Figure: input message, Padding, 512-bit block, Initial Value, MD5 transformation block by block, Output 128 bits Digest]

MD5: Padding

- Given original message M, add padding bits "10*" such that resulting length is 64 bits less than a multiple of 512 bits.
- Append (original length in bits mod $2^{64}$), represented in 64 bits, to the padded message
- Final message is chopped 512 bits a block

[Figure: Padding, MD5 Blocks, Final Output]

MD5 Blocks

[Figure: 512-bit message chunks (16 words) B1, B2, B3, B4, each fed to an MD5 box; initial 128-bit vector in, 128-bit result out]

MD5 Box

- F: $(x \wedge y) \vee (\sim x \wedge z)$
- G: $(x \wedge z) \vee (y \wedge \sim z)$
- H: $x \oplus y \oplus z$
- I: $y \oplus (x \vee \sim z)$
- $+$: binary sum
- $x \lll y$: x left rotate y bits

MD5 Process

- As many stages as the number of 512-bit blocks in the final padded message
- Digest: 4 32-bit words: MD = A|B|C|D
- Every message block contains 16 32-bit words: $m_0 | m_1 | m_2 \ldots | m_{15}$
- Digest $MD_0$ initialized to: A=01234567, B=89abcdef, C=fedcba98, D=76543210
- Every stage consists of 4 passes over the message block, each modifying MD; each pass involves different operation

Different Passes...

- Different functions and constants are used
- Different set of $m_i$ is used, i=0, 1, …15
- Each pass goes through all 16 message words (each is 32-bit)

Functions and Random Numbers

- $F(x,y,z) = (x \wedge y) \vee (\sim x \wedge z)$
- $G(x,y,z) = (x \wedge z) \vee (y \wedge \sim z)$
- $H(x,y,z) = x \oplus y \oplus z$
- $I(x,y,z) = y \oplus (x \vee \sim z)$
- $T_i = \mathrm{int}(2^{32} \cdot \mathrm{abs}(\sin(i)))$, 0