Title: IX. Hash Algorithms
IX. Hash Algorithms
- Look at three important hash functions (MD5, SHA-1, RIPEMD-160), then look at an Internet-standard message authentication code (HMAC)
CONTENTS
- MD5 Message Digest Algorithm
- Secure Hash Algorithm
- RIPEMD-160
- HMAC
1. MD5 Message Digest Algorithm
- Developed by Ron Rivest at MIT
- RFC 1321
- MD5 Logic
  - Input: arbitrary-length message
  - Processed in 512-bit blocks
  - Output: 128-bit message digest
1. MD5 Message Digest Algorithm
- Processing Steps
  - Append padding bits
  - Append length
  - Initialize MD buffer
  - Process message in 512-bit blocks
  - Output
1. MD5 Message Digest Algorithm
- Append padding bits (1/5)
  - Pad the message so that its length is congruent to 448 mod 512
  - Padding is always added.
  - The number of padding bits is in the range 1 to 512, e.g.:
    - 448-bit message + 512 padding bits = 960 bits
    - 447-bit message + 1 padding bit = 448 bits
    - 449-bit message + 511 padding bits = 960 bits
  - Padding consists of a single 1-bit followed by 0-bits
1. MD5 Message Digest Algorithm
- Append length (2/5)
  - Append the 64-bit length of the original message to the result of step 1.
  - If the original length is greater than 2^64, only the low-order 64 bits of the length are used.
  - The length of the expanded message is L × 512 bits
    -> number of 512-bit blocks: L; number of 32-bit words: N = 16L
1. MD5 Message Digest Algorithm
- Initialize MD buffer (3/5)
  - 128-bit buffer, used to hold intermediate and final results of the hash function
  - 4 32-bit registers (A, B, C, D)
  - IV: A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476
  - Stored in little-endian format (byte order in memory):
    A = 01 23 45 67, B = 89 AB CD EF, C = FE DC BA 98, D = 76 54 32 10
1. MD5 Message Digest Algorithm
- Process message in 512-bit blocks (4/5)
  - Module that consists of 4 rounds of processing of 16 steps each
  - The 4 rounds have a similar structure, but each uses a different primitive logical function (F, G, H, I)
  - INPUT: 512-bit block Y_q, 128-bit CV_q
  - 64-element table T[1..64] (Table 9.1)
  - OUTPUT: CV_{q+1} (addition is mod 2^32)
1. MD5 Message Digest Algorithm
- Output (5/5)
  - The output from the Lth stage is the 128-bit message digest.
- Summary of Logic
  - CV_0 = IV
  - CV_{q+1} = SUM_32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
  - MD = CV_L
1. MD5 Message Digest Algorithm
- MD5 Compression Function
  - Each round consists of a sequence of 16 steps of the form
    a <- b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
1. MD5 Message Digest Algorithm
- Figure 9.4 (adapted from RFC 1321) defines the processing algorithm of step 4.
  - X[0..15] holds the value of the current 512-bit input block
  - Within a round, each of the 16 words X[i] is used once, during one step
  - ρ2(i) = (1 + 5i) mod 16
  - ρ3(i) = (5 + 3i) mod 16
  - ρ4(i) = 7i mod 16
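As an added example (not from the slides), the five MD5 steps and the step function a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s) in Python; the table T[i] = floor(2^32 · |sin(i+1)|), the shift amounts s and the register rotation between steps are taken from RFC 1321 rather than from the page, and `padding_bits` reproduces the 447/448/449-bit cases from the padding slide.

```python
import math
import struct

MASK = 0xFFFFFFFF
# T[i] = floor(2^32 * |sin(i + 1)|), i = 0..63 (Table 9.1 / RFC 1321)
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
# Circular left-shift amount s for each of the 64 steps, four values per round (RFC 1321)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# The four primitive logical functions, one per round
F = lambda b, c, d: (b & c) | (~b & d)
G = lambda b, c, d: (b & d) | (c & ~d)
H = lambda b, c, d: b ^ c ^ d
I = lambda b, c, d: c ^ (b | ~d)
# Which message word X[k] step i of each round uses: identity, rho2, rho3, rho4
ROUNDS = [(F, lambda i: i), (G, lambda i: (1 + 5 * i) % 16),
          (H, lambda i: (5 + 3 * i) % 16), (I, lambda i: (7 * i) % 16)]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def padding_bits(n_bits):
    """Number of padding bits (always 1..512) that brings n_bits to 448 mod 512."""
    return (448 - n_bits) % 512 or 512

def pad(msg):
    """Step 1 (a single 1-bit, then 0-bits) and step 2 (low-order 64 bits of the length, little-endian)."""
    n_bits = len(msg) * 8
    msg += b"\x80" + b"\x00" * (padding_bits(n_bits) // 8 - 1)
    return msg + struct.pack("<Q", n_bits & (2**64 - 1))

def md5_digest(msg):
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]   # step 3: IV = CV_0
    padded = pad(msg)
    for q in range(0, len(padded), 64):                     # step 4: one 512-bit block Y_q per pass
        X = struct.unpack("<16I", padded[q:q + 64])         # 16 little-endian words X[0..15]
        a, b, c, d = cv
        for i in range(64):
            g, word = ROUNDS[i // 16]
            # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
            a = (b + rotl((a + g(b, c, d) + X[word(i % 16)] + T[i]) & MASK, S[i])) & MASK
            a, b, c, d = d, a, b, c                         # rotate registers for the next step
        cv = [(x + y) & MASK for x, y in zip(cv, (a, b, c, d))]   # CV_{q+1} = SUM32(CV_q, ABCD)
    return struct.pack("<4I", *cv)                          # step 5: MD = CV_L, little-endian

if __name__ == "__main__":
    print(md5_digest(b"abc").hex())   # 900150983cd24fb0d6963f7d28e17f72
```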
1. MD5 Message Digest Algorithm
- MD4
  - Precursor to MD5 (RFC 1320)
  - Goals: security, speed, simplicity and compactness, favor little-endian architecture
  - Differences from MD5:
    - Uses three rounds of 16 steps each
    - No additive constant is used in the 1st round
    - Uses three primitive logical functions
    - Did not include a final addition
1. MD5 Message Digest Algorithm
- Strength of MD5: ominous trend in the attacks on MD5
  - Using differential cryptanalysis it is possible to find 2 messages producing the same digest for a 1-round MD5, not the full 4-round MD5
  - Pseudocollision: there does not seem to be any way to extend this approach to a successful attack
  - A collision for the MD5 compression function works on a single 512-bit block of input; no way has been found to generalize this attack to a full message using the MD5 IV.
2. Secure Hash Algorithm
- Developed by the National Institute of Standards and Technology (NIST)
- Published as a federal information processing standard in 1993
- A revised version was issued as SHA-1
- SHA-1 is based on the MD4 algorithm; its design closely models MD4
2. Secure Hash Algorithm
- SHA-1 Logic
  - INPUT: a message with a maximum length of less than 2^64 bits
  - Overall processing is as shown for MD5 in Figure 9.1, with a block length of 512 bits and a hash length of 160 bits
  - OUTPUT: 160-bit message digest
2. Secure Hash Algorithm
- Processing Steps
  - Append padding bits
  - Append length
  - Initialize MD buffer
  - Process message in 512-bit blocks
  - Output
2. Secure Hash Algorithm
- Append padding bits (1/5)
  - Pad the message so that its length is congruent to 448 mod 512
  - Padding is always added.
  - The number of padding bits is in the range 1 to 512
  - Padding consists of a single 1-bit followed by 0-bits
2. Secure Hash Algorithm
- Append length (2/5)
  - Append the 64-bit length of the original message to the result of step 1.
  - Treated as an unsigned 64-bit integer
  - Contains the length of the original message
2. Secure Hash Algorithm
- Initialize MD buffer (3/5)
  - 160-bit buffer
  - 5 32-bit registers (A, B, C, D, E)
  - IV: A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0
  - Stored in big-endian format (byte order in memory):
    A = 67 45 23 01, B = EF CD AB 89, C = 98 BA DC FE, D = 10 32 54 76, E = C3 D2 E1 F0
2. Secure Hash Algorithm
- Process message in 512-bit blocks (4/5)
  - Module that consists of 4 rounds of processing of 20 steps each
  - The 4 rounds have a similar structure, but each uses a different primitive logical function (f1, f2, f3, f4)
  - INPUT: 512-bit block Y_q, 160-bit CV_q
  - Each round uses an additive constant K_t, where 0 <= t <= 79 (for 80 steps)
  - OUTPUT: CV_{q+1} (addition is mod 2^32)
2. Secure Hash Algorithm
- Output (5/5)
  - The output from the Lth stage is the 160-bit message digest.
- Summary of Logic
  - CV_0 = IV
  - CV_{q+1} = SUM_32(CV_q, ABCDE_q)
  - MD = CV_L
2. Secure Hash Algorithm
- SHA-1 Compression Function
  - Each round is of the form shown in Figure 9.6
  - Each primitive function
    - takes 3 32-bit words as input
    - performs a set of bitwise logical operations
    - produces a 32-bit word as output
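An added SHA-1 implementation (example code, not from the slides) showing the points above that differ from MD5: big-endian words and length, a five-register 160-bit buffer, and 4 rounds of 20 steps with an additive constant K_t. The four round functions f1..f4, the K_t values and the expansion of the 16 block words to 80 are taken from FIPS 180-1, not from the page.

```python
import struct

MASK = 0xFFFFFFFF

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

# Primitive functions f1..f4: each takes three 32-bit words and returns one (FIPS 180-1)
def f(t, b, c, d):
    if t < 20:
        return (b & c) | (~b & d)            # f1, steps 0..19
    if t < 40:
        return b ^ c ^ d                     # f2, steps 20..39
    if t < 60:
        return (b & c) | (b & d) | (c & d)   # f3, steps 40..59
    return b ^ c ^ d                         # f4, steps 60..79

# Additive constant K_t: one value per 20-step round (FIPS 180-1)
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]

def pad(msg):
    """Same padding rule as MD5 (1-bit, 0-bits to 448 mod 512), but the 64-bit length is big-endian."""
    n_bits = len(msg) * 8
    p = (448 - n_bits) % 512 or 512          # 1..512 padding bits, always added
    return msg + b"\x80" + b"\x00" * (p // 8 - 1) + struct.pack(">Q", n_bits)

def sha1_digest(msg):
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]   # IV, big-endian words
    padded = pad(msg)
    for q in range(0, len(padded), 64):                   # one 512-bit block Y_q per pass
        W = list(struct.unpack(">16I", padded[q:q + 64]))  # 16 big-endian message words
        for t in range(16, 80):                           # expand to one word W_t per step
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        a, b, c, d, e = cv
        for t in range(80):
            temp = (rotl(a, 5) + f(t, b, c, d) + e + W[t] + K[t // 20]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        cv = [(x + y) & MASK for x, y in zip(cv, (a, b, c, d, e))]   # CV_{q+1} = SUM32(CV_q, ABCDE_q)
    return struct.pack(">5I", *cv)                        # MD = CV_L, big-endian

if __name__ == "__main__":
    print(sha1_digest(b"abc").hex())   # a9993e364706816aba3e25717850c26c9cd0d89d
```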
2. Secure Hash Algorithm
- Comparison of SHA-1 and MD5
- Security against brute-force attacks
  - The SHA-1 digest is 32 bits longer than the MD5 digest
  - Producing any message having a given message digest is on the order of 2^160 operations for SHA-1
  - Producing 2 messages having the same message digest is on the order of 2^80 operations for SHA-1
  - SHA-1 is stronger against brute-force attack
2. Secure Hash Algorithm
- Security against cryptanalysis
  - SHA-1 is less vulnerable to the cryptanalytic attacks discovered since MD5's design
- Speed
  - Both algorithms rely heavily on addition modulo 2^32; SHA-1 involves more steps and must process a 160-bit buffer.
  - SHA-1 should execute more slowly than MD5
2. Secure Hash Algorithm
- Simplicity and Compactness
  - Both are simple to describe and simple to implement
  - Neither requires large programs nor substitution tables
- Little-endian vs. big-endian architecture
  - There appears to be no advantage to either approach
3. RIPEMD-160
- Developed under the European RACE Integrity Primitives Evaluation project
- By a group of researchers who had launched partially successful attacks on MD4 and MD5
- Originally a 128-bit RIPEMD
3. RIPEMD-160
- RIPEMD-160 Logic
  - INPUT: a message of arbitrary length
  - Overall processing is as shown for MD5 in Figure 9.1, with a block length of 512 bits and a hash length of 160 bits
  - OUTPUT: 160-bit message digest
3. RIPEMD-160
- Processing Steps
  - Append padding bits
  - Append length
  - Initialize MD buffer
  - Process message in 512-bit blocks
  - Output
3. RIPEMD-160
- Append padding bits (1/5)
  - Pad the message so that its length is congruent to 448 mod 512
  - Padding is always added.
  - The number of padding bits is in the range 1 to 512
  - Padding consists of a single 1-bit followed by 0-bits
3. RIPEMD-160
- Append length (2/5)
  - Append the 64-bit length of the original message to the result of step 1.
  - Treated as an unsigned 64-bit integer
  - Contains the length of the original message
  - As with MD5, and in contrast to SHA-1, RIPEMD-160 uses a little-endian convention
3. RIPEMD-160
- Initialize MD buffer (3/5)
  - 160-bit buffer
  - 5 32-bit registers (A, B, C, D, E)
  - IV: A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0
  - Stored in little-endian format
3. RIPEMD-160
- Process message in 512-bit blocks (4/5)
  - Module that consists of 10 rounds of processing of 16 steps each
  - The 10 rounds are arranged as 2 parallel lines of 5 rounds
  - 4 rounds have a similar structure, but each uses a different primitive logical function (f1, f2, f3, f4, f5)
  - INPUT: 512-bit block Y_q, 160-bit CV_q, loaded into ABCDE (L) and ABCDE (R)
  - Each round uses an additive constant
  - OUTPUT: CV_{q+1} (addition is mod 2^32)
3. RIPEMD-160
- Combining the two lines into the new chaining variable (primes denote the right line):
  - CV_{q+1}(0) = CV_q(1) + C + D'
  - CV_{q+1}(1) = CV_q(2) + D + E'
  - CV_{q+1}(2) = CV_q(3) + E + A'
  - CV_{q+1}(3) = CV_q(4) + A + B'
  - CV_{q+1}(4) = CV_q(0) + B + C'
3. RIPEMD-160
- Output (5/5)
  - The output from the Lth stage is the 160-bit message digest
3. RIPEMD-160
- Compression Function
  - Each round consists of a sequence of 16 steps (Figure 9.9)
  - The processing algorithm for one 512-bit block (primes denote the right line):
    A = CV_q(0); B = CV_q(1); C = CV_q(2); D = CV_q(3); E = CV_q(4)
    A' = CV_q(0); B' = CV_q(1); C' = CV_q(2); D' = CV_q(3); E' = CV_q(4)
    for j = 0 to 79 do
      T = rol_s(j)(A + f(j, B, C, D) + X_r(j) + K(j)) + E
      A = E; E = D; D = rol_10(C); C = B; B = T
      T = rol_s'(j)(A' + f(79 - j, B', C', D') + X_r'(j) + K'(j)) + E'
      A' = E'; E' = D'; D' = rol_10(C'); C' = B'; B' = T
    enddo
    CV_{q+1}(0) = CV_q(1) + C + D'; CV_{q+1}(1) = CV_q(2) + D + E'
    CV_{q+1}(2) = CV_q(3) + E + A'; CV_{q+1}(3) = CV_q(4) + A + B'
    CV_{q+1}(4) = CV_q(0) + B + C'
3. RIPEMD-160
- 5 primitive logical functions (f1, f2, f3, f4, f5)
3. RIPEMD-160
- The array of 32-bit words X[0..15] holds the value of the current 512-bit input block being processed.
- Within a round, each of the 16 words X[i] is used exactly twice: during one step on each line
- Table 9.5a: the permutation used for each round in each line
- Table 9.5b: the circular left shifts used in each round
3. RIPEMD-160
- Design Decision
  - 2 parallel lines are used to increase the complexity of finding collisions between rounds
  - For simplicity, the 2 lines use essentially the same logic
  - It will become possible to attack one of the 2 lines and up to 3 rounds of the 2 parallel lines
3. RIPEMD-160
- The combination of the 2 lines will resist attacks because of their differences:
  - The additive constants for the 2 lines are different
  - The order of the primitive logical functions is reversed
  - The order of processing of the 32-bit words in the message block is different
- The step operation is identical to MD5's
- The rotation of the C word avoids an MD5 attack that focuses on the most significant bit
- The permutation has the effect that 2 message words close together in one round are relatively far apart in the next
3. RIPEMD-160
- The circular left shifts were chosen based on:
  - The shifts range from 5 to 15
  - Every message word is rotated over different amounts for the 5 rounds
  - The shifts applied to each word should not have a special pattern
  - Not too many shift constants should be divisible by 4
3. RIPEMD-160
- Comparison with MD5 and SHA-1
- Resistance to brute-force attack
  - All 3 algorithms are invulnerable to attacks against weak collision resistance
  - MD5 is highly vulnerable to a birthday attack on strong collision resistance
  - SHA-1 and RIPEMD-160 are safe for the foreseeable future
- Resistance to cryptanalysis
  - Designed specifically to resist known cryptanalytic attacks
  - The use of two lines of processing
    - gives RIPEMD-160 added complexity
    - should make cryptanalysis more difficult than for SHA-1
3. RIPEMD-160
- Speed
  - All 3 algorithms rely on addition modulo 2^32 and simple bitwise logical operations
  - The added complexity and number of steps of SHA-1 and RIPEMD-160 do lead to a slowdown compared to MD5 (Table 9.7)
- Little-endian vs. big-endian architecture
  - There is no strong advantage to either approach
  - MD5 and RIPEMD-160 use a little-endian scheme
4. HMAC
- There has been increased interest in developing a MAC derived from a cryptographic hash code
- Motivations
  - Cryptographic hash functions generally execute faster in software than symmetric block ciphers
  - Library code is widely available
  - No export restrictions from the US or other countries for cryptographic hash code
4. HMAC
- Incorporation of a secret key into an existing hash algorithm
- Issued as RFC 2104
- Chosen as the mandatory-to-implement MAC for IP security
- Used in other Internet protocols, such as SSL
4. HMAC
- HMAC Design Objectives (RFC 2104)
  - To use available hash functions
  - To allow for easy replaceability of the embedded hash function
  - To preserve the original performance of the hash function
  - To use and handle keys in a simple way
  - To have a well-understood cryptographic analysis of the strength of the authentication mechanism
4. HMAC
- HMAC Algorithm
  - Step 1: Append zeros to the left end of K to create a b-bit string K+
  - Step 2: XOR K+ with ipad to produce the b-bit block S_i
  - Step 3: Append M to S_i
  - Step 4: Apply H to the stream generated in step 3
  - Step 5: XOR K+ with opad to produce the b-bit block S_o
  - Step 6: Append the hash result from step 4 to S_o
  - Step 7: Apply H to the stream generated in step 6 and output the result
4. HMAC
- Having pseudorandomly generated 2 keys from K
  - XOR with ipad/opad results in flipping one-half of the bits of K -> S_i / S_o
- Figure 9.11 shows that a more efficient implementation is possible: 2 quantities are precomputed
4. HMAC
- f(cv, block)
  - The compression function for the hash function
  - INPUT: chaining variable of n bits, a block of b bits
  - OUTPUT: chaining variable of n bits
  - The precomputation is only needed initially or every time the key changes
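An added example (not from the slides) of the seven HMAC steps above and of the precomputed form, written over Python's hashlib so any embedded hash H can be swapped in by name. ipad = 0x36 and opad = 0x5C are the RFC 2104 values (the slides show them only in a figure); K is zero-padded after its bytes to the b-byte block size, and keys longer than b are hashed first, both as RFC 2104 specifies. The precomputed quantities are the hash states after absorbing the single blocks S_i and S_o, i.e. f(IV, S_i) and f(IV, S_o), kept as copyable hashlib objects.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # RFC 2104 pad bytes, repeated b times

def _padded_key(key, hash_name):
    """Step 1: K+ is K extended with zero bytes to the block size b of H (64 bytes for MD5/SHA-1)."""
    b = hashlib.new(hash_name).block_size
    if len(key) > b:                                   # RFC 2104: hash keys longer than b first
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (b - len(key))

def hmac_from_steps(key, msg, hash_name="md5"):
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], one hashlib call per H."""
    k_plus = _padded_key(key, hash_name)
    s_i = bytes(k ^ IPAD for k in k_plus)              # step 2: b-bit block S_i
    inner = hashlib.new(hash_name, s_i + msg).digest()  # steps 3-4: H(S_i || M)
    s_o = bytes(k ^ OPAD for k in k_plus)              # step 5: b-bit block S_o
    return hashlib.new(hash_name, s_o + inner).digest()  # steps 6-7: H(S_o || inner)

class PrecomputedHmac:
    """Efficient form: f(IV, S_i) and f(IV, S_o) are computed once per key; each MAC then
    costs one compression per block of M plus one for the n-bit inner result."""
    def __init__(self, key, hash_name="md5"):
        k_plus = _padded_key(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in k_plus))   # state after S_i
        self._outer = hashlib.new(hash_name, bytes(k ^ OPAD for k in k_plus))   # state after S_o

    def mac(self, msg):
        h = self._inner.copy()          # continue from the precomputed inner state
        h.update(msg)
        out = self._outer.copy()        # continue from the precomputed outer state
        out.update(h.digest())
        return out.digest()

def verify(key, msg, tag, hash_name="md5"):
    """Receiver-side check; compare_digest keeps the comparison time independent of where tags differ."""
    return hmac.compare_digest(hmac_from_steps(key, msg, hash_name), tag)

def matches_stdlib(key, msg, hash_name="md5"):
    """Cross-check the step-by-step construction against the standard library's HMAC."""
    return hmac_from_steps(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()

if __name__ == "__main__":
    print(hmac_from_steps(b"Jefe", b"what do ya want for nothing?").hex())  # 750c783e6ab0b503eaa86e310a5db738
```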
4. HMAC
- Security of HMAC
  - Depends in some way on the cryptographic strength of the underlying hash function
  - Generally expressed in terms of the probability of successful forgery with a given amount of time and number of message-MAC pairs
4. HMAC
- The probability of a successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function:
  - The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker
  - The attacker finds collisions in the hash function even when the IV is random and secret
4. HMAC
- For a hash code length of 128 bits
  - 2^64 observed blocks (2^73 bits) generated using the same key
  - On a 1-Gbps link, one would need to observe a continuous stream of messages with no change in key for about 250,000 years in order to succeed
- If speed is a concern
  - It is fully acceptable to use MD5 rather than SHA-1 or RIPEMD-160 as the embedded hash function for HMAC