Hashes and Message Digests (Chapter 5)
EE5723/EE4723
Spring 2012
Outline
Introduction to Hash
MD2
MD5
SHA-1

Hashes
Hash is also called message digest
One-way function: d=h(m) but no h'(d)=m
  Cannot find the message given a digest
Cannot find m1, m2, where d1=d2
Arbitrary-length message mapped to fixed-length digest
Randomness
  any bit in the outputs: '1' half of the time
  each output: 50% '1' bits

How Many Bits for Hash?
Many messages yield the same digest
  E.g., 1000-bit message, 128-bit digest
m-bit hashes, takes about 2^(m/2) to find two with the same hash (>= 50% prob.)
  64 bits, takes 2^32 messages to search (doable)
Need at least 128 bits, 2^64 search
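
The 2^(m/2) search cost can be checked directly on a shortened digest. This is an added example, not part of the original slides: it truncates MD5 to a chosen number of bits (an assumption made so the search finishes quickly), hashes constructed messages until two digests match, and evaluates the birthday estimate built from n(n-1)/2 pairs, each matching with probability 1/k.

```python
import hashlib
from math import exp

def truncated_digest(msg: bytes, bits: int) -> int:
    """First `bits` bits of MD5(msg) as an integer: a stand-in for an m-bit hash."""
    full = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return full >> (128 - bits)

def find_collision(bits: int):
    """Hash distinct constructed messages until two share a digest.

    Returns (m1, m2, tries), where tries is the number of messages hashed.
    """
    seen = {}
    n = 0
    while True:
        msg = b"constructed-message-%d" % n
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, n + 1
        seen[d] = msg
        n += 1

def collision_probability(n: int, bits: int) -> float:
    """Approximate chance that n messages contain a matching pair.

    There are n(n-1)/2 pairs and each pair matches with probability 1/k, k = 2^bits.
    """
    k = 2 ** bits
    return 1 - exp(-n * (n - 1) / (2 * k))

def tries_by_size(sizes=(16, 20, 24)):
    """Messages hashed before the first collision, for each digest size in bits."""
    return {bits: find_collision(bits)[2] for bits in sizes}

if __name__ == "__main__":
    for bits, tries in tries_by_size().items():
        print(f"{bits}-bit digest: collision after {tries} messages "
              f"(2^({bits}/2) = {2 ** (bits // 2)})")
```

Each extra 4 bits of digest multiplies the work by about 4, which is why a 64-bit digest falls to roughly 2^32 messages while a 128-bit digest needs roughly 2^64.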

Birthday Problem
Compute probability of different birthdays
Random sample of n people (birthdays) taken from k (365) days
There are n(n-1)/2 pairs of input
Prob. of 1/k that both inputs of a pair map to the same output (not a particular one though)
k/2 pairs are needed for the prob. of 50% to find the matching pair
n greater than √k will do.

Using Hash for Authentication
Alice to Bob: challenge rA (e.g., "I am Alice")
Bob to Alice: MD(KAB|rA)
Bob to Alice: rB (e.g., "I am Bob")
Alice to Bob: MD(KAB|rB)
Only need to compare MD results

Using Hash to Compute MAC: integrity
Cannot just compute MD(m)
Keyed Hash: MAC: MD(KAB|m), almost works, however…
  Allows concatenation with additional message: MD(KAB|m|m')
  MD through chunk n depends on MD through chunks n-1 and the data in chunk n
Proposal 1: Put secret at the end of message: MD(m|KAB)
Proposal 2: HMAC: MD(KAB | MD(KAB|m))

Using Hash to Encrypt: confidentiality
One-time pad: similar to OFB
  compute pseudorandom bit streams using MD, K, and IV
  b1=MD(KAB|IV), bi=MD(KAB|b(i-1)), …
  ⊕ with message blocks
  Challenge: Decryption
Or mixing in the plaintext, similar to cipher feedback mode (CFB)
  b1=MD(KAB|IV), c1=p1⊕b1
  b2=MD(KAB|c1), c2=p2⊕b2
  Decryption w/ the same order as encryption
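
Why MD(KAB|m) only "almost works" as a MAC, shown on a toy chained digest. This is an added example, not part of the original slides: the compression function (truncated SHA-256), the 16-byte block size, the padding layout and all names are assumptions chosen to keep it short. Because the digest through chunk n is the starting state for chunk n+1, a valid tag lets the chain be resumed without the key; the nested form from proposal 2 does not expose a resumable state.

```python
import hashlib
import hmac

BLOCK = 16           # toy block size in bytes (constructed for this example)
IV = b"\x00" * 16    # toy initial chaining value

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression step: next chaining value from the previous one and one chunk."""
    return hashlib.sha256(state + block).digest()[:16]

def pad(total_len: int) -> bytes:
    """0x80, zeros, 8-byte length, so total_len plus padding is a multiple of BLOCK."""
    return b"\x80" + b"\x00" * (-(total_len + 9) % BLOCK) + total_len.to_bytes(8, "big")

def md(msg: bytes, state: bytes = IV, absorbed: int = 0) -> bytes:
    """Chained digest; state/absorbed let the loop resume from a known digest."""
    data = msg + pad(absorbed + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def prefix_mac(key: bytes, m: bytes) -> bytes:
    return md(key + m)                      # MD(KAB|m)

def nested_mac(key: bytes, m: bytes) -> bytes:
    return md(key + md(key + m))            # MD(KAB | MD(KAB|m)), proposal 2

def extend(tag: bytes, key_len: int, m: bytes, extra: bytes):
    """Keyless continuation: returns m|padding|extra and the digest resumed from tag."""
    glue = pad(key_len + len(m))
    absorbed = key_len + len(m) + len(glue)
    return m + glue + extra, md(extra, state=tag, absorbed=absorbed)

def demo():
    key, m, extra = b"constructed-key", b"original message", b" appended text"
    longer, tag = extend(prefix_mac(key, m), len(key), m, extra)
    prefix_accepts = hmac.compare_digest(prefix_mac(key, longer), tag)
    _, guess = extend(nested_mac(key, m), len(key), m, extra)
    nested_accepts = hmac.compare_digest(nested_mac(key, longer), guess)
    return prefix_accepts, nested_accepts

if __name__ == "__main__":
    print(demo())
```

Deployed code should use a vetted HMAC implementation, such as Python's hmac module, rather than a hand-built construction.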
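
The two keyed-hash encryption schemes above, written out with MD5 as MD. This is an added example, not part of the original slides; the function names, key, IV and plaintext are constructed. It also shows what "confidentiality" does not cover: flipping one ciphertext bit changes only the matching plaintext block in the OFB-like scheme, and that block plus the next one in the CFB-like scheme, and neither scheme detects the change, so integrity needs the separate MAC.

```python
import hashlib

def md(data: bytes) -> bytes:
    return hashlib.md5(data).digest()           # 16-byte digest = one stream block

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def ofb_like(key: bytes, iv: bytes, data: bytes) -> bytes:
    """b1=MD(K|IV), bi=MD(K|b(i-1)); XOR with the blocks. The same call decrypts."""
    out, b = b"", iv
    for i in range(0, len(data), 16):
        b = md(key + b)
        out += xor(data[i:i + 16], b)
    return out

def cfb_like(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """b1=MD(K|IV), c1=p1 XOR b1, b2=MD(K|c1), ...; the feedback is the ciphertext."""
    out, prev = b"", iv
    for i in range(0, len(data), 16):
        block = xor(data[i:i + 16], md(key + prev))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def changed_blocks(a: bytes, b: bytes):
    """Indexes of the 16-byte blocks in which a and b differ."""
    return [i // 16 for i in range(0, len(a), 16) if a[i:i + 16] != b[i:i + 16]]

def tamper_demo():
    key, iv = b"constructed key", b"constructed iv"
    plain = bytes(range(48))                    # three constructed blocks
    flip = lambda c: bytes([c[0] ^ 1]) + c[1:]  # flip one bit in the first block
    ofb = ofb_like(key, iv, flip(ofb_like(key, iv, plain)))
    cfb = cfb_like(key, iv, flip(cfb_like(key, iv, plain)), decrypt=True)
    return changed_blocks(plain, ofb), changed_blocks(plain, cfb)

if __name__ == "__main__":
    print(tamper_demo())
```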

General k-bit Cipher Feedback Mode (CFB)
[Figure: k-bit CFB block diagram built from ENC blocks, with IV, k-bit segments, message blocks M1-M3 and ciphertext blocks C1-C3]

Output Feedback Mode (OFB)
[Figure: OFB block diagram built from ENC blocks, with IV, message blocks M1-M4 and ciphertext blocks C2-C4]
IV (n bits)
Like a Random Number Generator...
⊕ message w/ as many bits of pseudo-random stream as necessary
OFB is a stream cipher

MD2
128-bit message digest:
  Arbitrary number of bytes of message
  First pad to multiple of 16 bytes
  Append MD2 checksum (16 bytes) to the end
    The checksum is almost a MD, but not cryptographically secure by itself.
  Final pass: process whole message, 16 bytes at a time

MD2 Padding
If the message is multiple of 16 octets, 16 bytes to be added
Otherwise, 1~15 bytes to be added

MD2 Checksum (start w/ 0)
[Figure: checksum computed over successive message blocks, K=1 to K=5]
One byte at a time, k × 16 steps (in total)
m_nk: nk-th byte of message, n: 1~16
c_n = π(m_nk ⊕ c_(n-1)) ⊕ c_n
π: 0→41, 1→46, …
  Substitution on 0-255 (value of the byte)

MD2 Final Process
Operate on 16-byte chunks
48-byte quantity q: (current digest | message chunk | digest ⊕ chunk)
18 passes of massaging over q, and one byte at a time:
  c_n = π(c_(n-1)) ⊕ c_n for n = 0, … 47;
  c_-1 = 0 for pass 0;
  c_-1 = (c_47 + pass #) mod 256
After pass 17, use first 16 bytes as new digest
  16 × 8 = 128
Repeat till the entire padded message is processed

MD5: Message Digest Version 5
Input Message
Output 128 bits Digest
More "Conservative" than MD4: Less concerned w/ speed, more concerned w/ security

Overview of MD5
[Figure: overview of MD5; labels: input Message, Padding, 512 bit block, Initial Value, MD5 Transformation block by block, Final Output, Output 128 bits Digest]

MD5: Padding
Given original message M, add padding bits "10*" such that resulting length is 64 bits less than a multiple of 512 bits.
Append (original length in bits mod 2^64), represented in 64 bits, to the padded message
Final message is chopped 512 bits a block

MD5 Blocks
[Figure: chain of MD5 boxes; labels: 512: B1, 512: B2, 512: B3, 512: B4, Initial 128-bit vector, 128-bit result, Result]

MD5 Box
512-bit message chunks (16 words)
Initial 128-bit vector
128-bit result
F: (x∧y)∨(~x∧z)
G: (x∧z)∨(y∧~z)
H: x⊕y⊕z
I: y⊕(x∨~z)
+: binary sum
x <<< y: x left rotate y bits

MD5 Process
As many stages as the number of 512-bit blocks in the final padded message
Digest: 4 32-bit words: MD=A|B|C|D
Every message block contains 16 32-bit words: m0|m1|m2…|m15
Digest MD0 initialized to: A=01234567, B=89abcdef, C=fedcba98, D=76543210
Every stage consists of 4 passes over the message block, each modifying MD; each pass involves different operation

Different Passes...
Each pass goes through all 16 message words (each is 32-bit)
Different functions and constants are used
Different set of mi is used, i=0, 1, …15

Functions and Random Numbers
F(x,y,z) == (x∧y)∨(~x∧z)
G(x,y,z) == (x∧z)∨(y∧~z)
H(x,y,z) == x⊕y⊕z
I(x,y,z) == y⊕(x∨~z)
T_i = int(2^32 * abs(sin(i))), 0
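
The MD5 padding, the four passes with F, G, H and I, the constants T_i and the initial value MD0 assembled into a working digest. This is an added example, not part of the original slides: the per-step rotate amounts and the word order used in passes 2 to 4 are not given on the slides and are taken from RFC 1321, and the function names are chosen here.

```python
import math
import struct

# Per-step left-rotate amounts, four passes of 16 steps (RFC 1321; not on the slides).
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T_i = int(2^32 * abs(sin(i))) for i = 1..64 (i in radians).
T = [int(2**32 * abs(math.sin(i))) for i in range(1, 65)]
# MD0 as written on the slide, low-order byte first: A=01234567 is the word 0x67452301.
MD0 = struct.unpack("<4I", bytes.fromhex("0123456789abcdeffedcba9876543210"))
MASK = 0xFFFFFFFF

def md5_pad(msg: bytes) -> bytes:
    """Append a '1' bit, '0' bits up to 448 mod 512, then the 64-bit bit length."""
    zeros = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * zeros + struct.pack("<Q", (8 * len(msg)) % 2**64)

def rotl(x: int, y: int) -> int:
    """x left rotate y bits, on 32-bit words."""
    return ((x << y) | (x >> (32 - y))) & MASK

def md5_block(md, block: bytes):
    """One stage: four passes of 16 steps over the 16 words of a 512-bit block."""
    m = struct.unpack("<16I", block)
    a, b, c, d = md
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i                   # pass 1: F, words in order
        elif i < 32:
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16    # pass 2: G
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16             # pass 3: H
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16              # pass 4: I
        step = (a + f + m[g] + T[i]) & MASK
        a, d, c, b = d, c, b, (b + rotl(step, SHIFTS[i])) & MASK
    # The stage output is the incoming digest plus the result of the four passes.
    return tuple((x + y) & MASK for x, y in zip(md, (a, b, c, d)))

def md5(msg: bytes) -> bytes:
    """128-bit digest A|B|C|D after processing every 512-bit block in turn."""
    md, data = MD0, md5_pad(msg)
    for off in range(0, len(data), 64):
        md = md5_block(md, data[off:off + 64])
    return struct.pack("<4I", *md)
```

MD5 collisions are practical today, so the code is for following the construction on the slides, not for protecting data.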