IX. Hash Algorithms - PowerPoint PPT Presentation

Slides: 62
Provided by: emfrozu

Transcript and Presenter's Notes


1
IX. Hash Algorithms
  • Look at three important hash functions (MD5,
    SHA-1, RIPEMD-160), then look at an Internet-standard
    message authentication code (HMAC)

2
CONTENTS
  • MD5 Message Digest Algorithm
  • Secure Hash Algorithm
  • RIPEMD-160
  • HMAC

3
1. MD5 Message Digest Algorithm
  • Developed by Ron Rivest at MIT
  • RFC 1321
  • MD5 Logic
  • Input: arbitrary-length message
  • Processed in 512-bit blocks
  • Output: 128-bit message digest

4
1. MD5 Message Digest Algorithm
5
1. MD5 Message Digest Algorithm
  • Processing Steps
  • Append padding bits
  • Append length
  • Initialize MD buffer
  • Process message in 512-bit blocks
  • Output

6
1. MD5 Message Digest Algorithm
  • Append padding bits (1/5)
  • Pad the message so that its length is congruent to 448 mod 512
  • Padding is always added.
  • The number of padding bits is in the range of 1
    to 512
  • ex) 448 (message) + 512 (padding bits) = 960 bits
  • 447 (message) + 1 (padding bit) = 448 bits
  • 449 (message) + 511 (padding bits) = 960 bits
  • Padding consists of a single 1-bit followed by
    0-bits

7
1. MD5 Message Digest Algorithm
  • Append length (2/5)
  • Append the 64-bit length of the original message to
    the result of step 1.
  • If the original length is greater than $2^{64}$, only the
    low-order 64 bits of the length are used.
  • The length of the expanded message is $L \times 512$ bits
  • → number of blocks: $L$, number of words: $N = 16 \times L$

8
1. MD5 Message Digest Algorithm
  • Initialize MD buffer (3/5)
  • 128-bit buffer,
  • used to hold intermediate and final results of
    the hash function.
  • 4 32-bit registers (A, B, C, D)
  • IV: A = 67452301, B = EFCDAB89, C = 98BADCFE,
    D = 10325476
  • Stored in little-endian format
  • A B C D (bytes as stored): 01234567 89ABCDEF FEDCBA98 76543210

9
1. MD5 Message Digest Algorithm
  • Process message in 512-bit blocks (4/5)
  • Module that consists of 4 rounds of processing of
    16 steps each
  • 4 rounds have a similar structure, but each uses
    a different primitive logical function (F, G, H, I)
  • INPUT: 512-bit block $Y_q$, 128-bit $CV_q$
  • 64-element table $T[1 \ldots 64]$ (Table 9.1)
  • OUTPUT: $CV_{q+1}$ (addition is mod $2^{32}$)

10
1. MD5 Message Digest Algorithm
11
1. MD5 Message Digest Algorithm
  • Output (5/5)
  • The output from the Lth stage is the 128-bit
    message digest.
  • Summary of Logic
  • $CV_0 = IV$
  • $CV_{q+1} = \mathrm{SUM}_{32}(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])$
  • $MD = CV_L$

12
1. MD5 Message Digest Algorithm
  • MD5 Compression Function
  • Each round consists of a sequence of 16 steps of
    the form
  • $a \leftarrow b + ((a + g(b,c,d) + X[k] + T[i]) \lll s)$

13
1. MD5 Message Digest Algorithm
  • Figure 9.4
  • adapted from RFC 1321, defines the processing
    algorithm of step 4.
  • $X[0 \ldots 15]$ holds the value of the current 512-bit
    input
  • Within a round, each of the 16 words of $X[i]$ is
    used once, during one step
  • $\rho_2(i) = (1 + 5i) \bmod 16$
  • $\rho_3(i) = (5 + 3i) \bmod 16$
  • $\rho_4(i) = 7i \bmod 16$

14
1. MD5 Message Digest Algorithm
  • MD4
  • Precursor to MD5 (RFC 1320)
  • Goals
  • Security, Speed, Simplicity and compactness,
    Favor little-endian architecture
  • Differences
  • Uses three rounds of 16 steps each
  • No additive constant is used in 1st round
  • Uses three primitive logical functions
  • Did not include final addition

15
1. MD5 Message Digest Algorithm
  • Strength of MD5: ominous trend in the attacks on
    MD5
  • Using differential cryptanalysis, it is possible
    to find 2 messages producing the same digest for
    a 1-round, not the full 4-round, MD5
  • Pseudocollision: there does not seem to be any way
    to extend this approach to a successful attack
  • A collision for the MD5 compression function works
    on a single 512-bit block of input; no way has
    been found to generalize this attack to a full
    message using the MD5 IV.

16
2. Secure Hash Algorithm
  • Developed by the National Institute of Standards
    and Technology (NIST)
  • Published as a federal information processing
    standard in 1993
  • Revised version was issued as SHA-1
  • SHA-1 is based on the MD4 algorithm, its design
    closely models MD4

17
2. Secure Hash Algorithm
  • SHA-1 Logic
  • INPUT: a message with a maximum length of less
    than $2^{64}$ bits
  • Overall processing as shown for MD5 in Figure 9.1,
    with a block length of 512 bits and a hash length
    of 160 bits
  • OUTPUT: 160-bit message digest

18
2. Secure Hash Algorithm
  • Processing Steps
  • Append padding bits
  • Append length
  • Initialize MD buffer
  • Process message in 512-bit blocks
  • Output

19
2. Secure Hash Algorithm
  • Append padding bits (1/5)
  • Pad the message so that its length is congruent to 448 mod 512
  • Padding is always added.
  • the number of padding bits is in the range of 1
    to 512
  • Padding consists of a single 1-bit followed by
    0-bits

20
2. Secure Hash Algorithm
  • Append length (2/5)
  • Append the 64-bit length of the original message to
    the result of step 1.
  • Treated as an unsigned 64-bit integer
  • Contains the length of the original message

21
2. Secure Hash Algorithm
  • Initialize MD buffer (3/5)
  • 160-bit buffer
  • 5 32-bit registers (A, B, C, D, E)
  • IV: A = 67452301, B = EFCDAB89, C = 98BADCFE,
    D = 10325476, E = C3D2E1F0
  • Stored in big-endian format
  • ABCDE = 67452301 EFCDAB89 98BADCFE
    10325476 C3D2E1F0

22
2. Secure Hash Algorithm
  • Process message in 512-bit blocks (4/5)
  • Module that consists of 4 rounds of processing of
    20 steps each
  • 4 rounds have a similar structure, but each uses
    a different primitive logical function (f1, f2, f3, f4)
  • INPUT: 512-bit block $Y_q$, 160-bit $CV_q$
  • Each round uses an additive constant $K_t$, where
    $0 \le t \le 79$ (for 80 steps)
  • OUTPUT: $CV_{q+1}$ (addition is mod $2^{32}$)

23
2. Secure Hash Algorithm
24
2. Secure Hash Algorithm
  • Output (5/5)
  • The output from the Lth stage is the 160-bit
    message digest.
  • Summary of Logic
  • $CV_0 = IV$
  • $CV_{q+1} = \mathrm{SUM}_{32}(CV_q, ABCDE_q)$
  • $MD = CV_L$

25
2. Secure Hash Algorithm
  • SHA-1 Compression Function
  • Each round is of the form shown in Figure 9.6
  • Each primitive function
  • takes 3 32-bit words as input
  • Performs a set of bitwise logical operations
  • Produces a 32-bit word output

26
2. Secure Hash Algorithm
27
2. Secure Hash Algorithm
28
2. Secure Hash Algorithm
  • Comparison of SHA-1 and MD5
  • Security against brute-force attacks
  • The SHA-1 digest is 32 bits longer than the MD5 digest
  • Producing any message having a given message
    digest is on the order of $2^{160}$ for SHA-1
  • Producing 2 messages having the same message
    digest is on the order of $2^{80}$ for SHA-1
  • SHA-1 is stronger against brute-force attack
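
The gap between the two brute-force costs above, shown at small scale as an added example (not from the presentation): SHA-1 truncated to n bits stands in for an n-bit hash, so a collision takes on the order of $2^{n/2}$ tries and a match for a given digest on the order of $2^n$. The message strings and the 16-bit width are constructed for the demonstration.

```python
import hashlib
from itertools import count

def h_trunc(msg, bits):
    """Leading `bits` bits of SHA-1(msg), as an integer (toy n-bit hash)."""
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - bits)

def find_collision(bits):
    """Birthday search: any two distinct messages with the same toy digest."""
    seen = {}
    for n in count():
        msg = b"msg-%d" % n                 # constructed sample messages
        d = h_trunc(msg, bits)
        if d in seen:
            return seen[d], msg, n + 1      # pair plus number of tries
        seen[d] = msg

def find_preimage(target, bits, limit=1 << 22):
    """Exhaustive search for a message hitting one given toy digest."""
    for n in range(limit):
        msg = b"try-%d" % n
        if h_trunc(msg, bits) == target:
            return msg, n + 1
    return None, limit

def compare(bits=16):
    """Run both searches at the same digest width and report the effort."""
    m1, m2, c_tries = find_collision(bits)
    target = h_trunc(b"fixed message", bits)
    pre, p_tries = find_preimage(target, bits)
    return {"collision": (m1, m2, c_tries), "preimage": (pre, p_tries)}

if __name__ == "__main__":
    result = compare(16)
    print("collision tries:", result["collision"][2])
    print("preimage tries: ", result["preimage"][1])
```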

29
2. Secure Hash Algorithm
  • Security against cryptanalysis
  • Less vulnerable against cryptanalytic attacks
    discovered since MD5's design
  • Speed
  • Both algorithms rely heavily on addition modulo
    $2^{32}$; SHA-1 involves more steps and must process a
    160-bit buffer.
  • SHA-1 should execute more slowly than MD5

30
2. Secure Hash Algorithm
  • Simplicity and Compactness
  • Both are simple to describe and simple to
    implement
  • Neither requires large programs or substitution
    tables
  • Little-endian vs Big-endian architecture
  • There appears to be no advantage to either
    approach

31
3. RIPEMD-160
  • Developed under the European RACE Integrity
    Primitives Evaluation project
  • By a group of researchers who launched partially
    successful attacks on MD4 and MD5
  • Originally a 128-bit RIPEMD

32
3. RIPEMD-160
  • RIPEMD-160 Logic
  • INPUT: a message of arbitrary length
  • Overall processing as shown for MD5 in Figure 9.1,
    with a block length of 512 bits and a hash length
    of 160 bits
  • OUTPUT: 160-bit message digest

33
3. RIPEMD-160
  • Processing Steps
  • Append padding bits
  • Append length
  • Initialize MD buffer
  • Process message in 512-bit blocks
  • Output

34
3. RIPEMD-160
  • Append padding bits (1/5)
  • Pad the message so that its length is congruent to 448 mod 512
  • Padding is always added.
  • the number of padding bits is in the range of 1
    to 512
  • Padding consists of a single 1-bit followed by
    0-bits

35
3. RIPEMD-160
  • Append length (2/5)
  • Append the 64-bit length of the original message to
    the result of step 1.
  • Treated as an unsigned 64-bit integer
  • Contains the length of the original message
  • As with MD5, and in contrast to SHA-1, RIPEMD-160
    uses a little-endian convention

36
3. RIPEMD-160
  • Initialize MD buffer (3/5)
  • 160-bit buffer
  • 5 32-bit registers (A, B, C, D, E)
  • IV: A = 67452301, B = EFCDAB89, C = 98BADCFE,
    D = 10325476, E = C3D2E1F0
  • Stored in little-endian format

37
3. RIPEMD-160
  • Process message in 512-bit blocks (4/5)
  • Module that consists of 10 rounds of processing
    of 16 steps each
  • 10 rounds are arranged as 2 parallel lines of 5
    rounds
  • 4 rounds have a similar structure, but each uses
    a different primitive logical function (f1, f2, f3, f4, f5)
  • INPUT: 512-bit block $Y_q$, 160-bit $CV_q$: ABCDE (L),
    A'B'C'D'E' (R)
  • Each round uses an additive constant (9 constants)
  • OUTPUT: $CV_{q+1}$ (addition is mod $2^{32}$)

38
3. RIPEMD-160
  • $CV_{q+1}(0) = CV_q(1) + C + D'$
  • $CV_{q+1}(1) = CV_q(2) + D + E'$
  • $CV_{q+1}(2) = CV_q(3) + E + A'$
  • $CV_{q+1}(3) = CV_q(4) + A + B'$
  • $CV_{q+1}(4) = CV_q(0) + B + C'$

39
3. RIPEMD-160
  • Output (5/5)
  • The output from the Lth stage is the 160-bit
    message digest

40
3. RIPEMD-160
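  • Compression Function
  • Each round consists of a sequence of 16 steps
    (Figure 9.9)
  • The processing algorithm of one round
  • $A := CV_q(0)$; $B := CV_q(1)$; $C := CV_q(2)$; $D := CV_q(3)$;
    $E := CV_q(4)$
  • $A' := CV_q(0)$; $B' := CV_q(1)$; $C' := CV_q(2)$; $D' := CV_q(3)$;
    $E' := CV_q(4)$
  • for $j := 0$ to 79 do
  • $T := rol_{s(j)}(A + f(j,B,C,D) + X[r(j)] + K(j)) + E$
  • $A := E$; $E := D$; $D := rol_{10}(C)$; $C := B$; $B := T$
  • $T := rol_{s'(j)}(A' + f(79-j,B',C',D') + X[r'(j)] + K'(j)) + E'$
  • $A' := E'$; $E' := D'$; $D' := rol_{10}(C')$; $C' := B'$; $B' := T$
  • enddo
  • $CV_{q+1}(0) := CV_q(1) + C + D'$; $CV_{q+1}(1) := CV_q(2) + D + E'$;
    $CV_{q+1}(2) := CV_q(3) + E + A'$; $CV_{q+1}(3) := CV_q(4) + A + B'$;
    $CV_{q+1}(4) := CV_q(0) + B + C'$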

41
3. RIPEMD-160
42
3. RIPEMD-160
5 primitive logical functions
43
3. RIPEMD-160
  • The array of 32-bit words $X[0 \ldots 15]$ holds the
    value of the current 512-bit input block being
    processed.
  • Within a round, each of the 16 words of $X[i]$ is
    used exactly twice, during one step on each line
  • Table 9.5a: the permutation used for each round
    in each line
  • Table 9.5b: the circular left shifts used in each
    round

44
3. RIPEMD-160
45
3. RIPEMD-160
  • Design Decision
  • 2 parallel lines are used to increase the
    complexity of finding collisions between rounds
  • For simplicity, the 2 lines use essentially the
    same logic
  • It will become possible to attack one of the 2
    lines and up to 3 rounds of the 2 parallel lines

46
3. RIPEMD-160
  • The combination of the 2 lines will resist
    attacks because of their differences
  • The additive constants for the 2 lines are
    different
  • The order of the primitive logical functions is
    reversed
  • The order of processing of the 32-bit words in
    the message block is different
  • The step operation is identical to MD5's
  • The rotation of C word avoids an MD5 attack that
    focuses on the most significant bit
  • The permutation has the effect that 2 message
    words close in one round are relatively far apart
    in the next

47
3. RIPEMD-160
  • The circular left shifts were chosen based on:
  • The shifts range from 5 to 15
  • Every message word is rotated over different
    amounts for the 5 rounds
  • The shifts applied to each word should not have a
    special pattern
  • Not too many shift constants should be divisible
    by 4

48
3. RIPEMD-160
  • Comparison with MD5 and SHA-1

49
3. RIPEMD-160
  • Resistance to brute-force attack
  • All 3 algorithms are invulnerable to attacks
    against weak collision resistance
  • MD5 is highly vulnerable to birthday attack on
    strong collision resistance
  • SHA-1 and RIPEMD-160 are safe for the foreseeable
    future
  • Resistance to cryptanalysis
  • Designed specifically to resist known
    cryptanalytic attacks
  • The use of two lines of processing
  • gives RIPEMD-160 added complexity
  • should make cryptanalysis more difficult than
    SHA-1

50
3. RIPEMD-160
  • Speed
  • All 3 algorithms rely on addition modulo $2^{32}$ and
    simple bitwise logical operations
  • The added complexity and number of steps of SHA-1
    and RIPEMD-160 does lead to slowdown compared to
    MD5 (Table 9.7)
  • Little-endian vs big-endian architecture
  • There is no strong advantage to either approach
  • MD5 and RIPEMD-160 use a little-endian scheme

51
3. RIPEMD-160
52
4. HMAC
  • There has been increased interest in developing a
    MAC derived from a cryptographic hash code
  • Motivations
  • Cryptographic hash functions generally execute
    faster in software than symmetric block ciphers
  • Library code is widely available
  • No export restrictions from the US or other countries
    for cryptographic hash code

53
4. HMAC
  • Incorporation of a secret key into an existing
    hash algorithm
  • issued as RFC 2104
  • chosen as the mandatory-to-implement MAC for IP
    security
  • used in other Internet protocols, such as SSL

54
4. HMAC
  • HMAC Design Objectives (RFC 2104)
  • To use available hash functions.
  • To allow for easy replaceability of the embedded
    hash function
  • To preserve the original performance
  • To use and handle keys in a simple way
  • To have a well understood cryptographic analysis
    of the strength of the authentication mechanism

55
4. HMAC
  • HMAC Algorithm
  • 1. Append zeros to the left end of $K$ to create a
    b-bit string $K^+$
  • 2. XOR $K^+$ with ipad to produce the b-bit block $S_i$
  • 3. Append $M$ to $S_i$
  • 4. Apply $H$ to the stream generated in step 3
56
4. HMAC
  • 5. XOR $K^+$ with opad to produce the b-bit block $S_o$
  • 6. Append the hash result from step 4 to $S_o$
  • 7. Apply $H$ to the stream generated in step 6 and
    output the result

57
4. HMAC
  • The effect is to pseudorandomly generate 2 keys from $K$
  • XOR with ipad/opad results in flipping one-half
    of the bits of $K$ → $S_i$ / $S_o$
  • A more efficient implementation is possible
    (Figure 9.11): 2 quantities are precomputed

58
4. HMAC
  • f(cv, block)
  • The compression function for the hash function
  • INPUT: chaining variable of n bits, a block of b
    bits
  • OUTPUT: chaining variable of n bits
  • Only needed initially or every time the key
    changes

59
4. HMAC
  • Security of HMAC
  • Depends in some way on the cryptographic strength
    of the underlying hash function
  • Generally expressed in terms of the probability of
    successful forgery with a given amount of time
    and number of message-MAC pairs

60
4. HMAC
  • The Probability of successful attack on HMAC
  • The attacker is able to compute an output of the
    compression function even with an IV that is
    random, secret, and unknown to the attacker
  • The attacker finds collisions in the hash
    function even when the IV is random and secret

61
4. HMAC
  • For a hash code length of 128 bits
  • $2^{64}$ observed blocks ($2^{73}$ bits) generated using
    the same key
  • On a 1-Gbps link
  • One would need to observe a continuous stream of
    messages with no change in key for about 250,000
    years in order to succeed
  • If speed is a concern
  • It is fully acceptable to use MD5 rather than
    SHA-1 or RIPEMD-160 as embedded hash function for
    HMAC