Hash and MAC Algorithms - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Hash and MAC Algorithms

Description:

The MD is 160-bits, th e input block is 512-bits ... HMAC is more resistant to birthday attack. the use of MD5 is also safe, if speed is important ... – PowerPoint PPT presentation

Number of Views:252
Avg rating:3.0/5.0
Slides: 24
Provided by: aja55
Category:
Tags: mac | algorithms | birthday | hash | th

less

Transcript and Presenter's Notes

Title: Hash and MAC Algorithms


1
Hash and MAC Algorithms
  • MD5 in detail
  • Overview of SHA and RIPEMD-160
  • HMAC

2
Introduction
  • There is a general structure used practically in
    all cryptanalytically srtong hash-function fig.
    8.10
  • analogous to the Feistel cipher as a general
    structure of block-ciphers
  • it is safe to base new improved algorithms on a
    known proven structure

3
MD5 Algorithm
  • Developed by Ron Riverst in 1992
  • based on MD4 by Ron Riverst 1990 to increase the
    level of security
  • Has been the most widely used and is still in
    wide use
  • The algorithm takes as input a message of
    arbitrary length and produces a 128-bit message
    digest
  • The input is processed in 512-bit blocks
  • Some concerns about the safety of MD5
  • brute-force attack with a 128-bit message digest
    the birthday attack needs an effort of 264, which
    can not be considered safe.
  • cryptanalytic attacks exist that break MD5
    partly. The succes of current attacs is too close
    to breaking MD5, that from a cryptanalytic point
    of view it must be considered vulnerable.

4
MD5 Algorithm
  • Step 1 Append padding bits
  • the message is padded so that its length in bits
    is 448 mod 512
  • Step 2 Append length
  • A 64-bit representation of the length of the
    original message (before padding in step 1) is
    appended to the message, thus yielding a message
    that is an integer multiple of 512 bits in
    length.
  • The message is represented as 512-bit blocks Y0,
    Y1, ,YL-1 the length of the message being L
    blocks.
  • The length of the message is an integer multiple
    of 16 32-bit words. Thus N16L.
  • Step 3 Initialize MD buffer
  • a 128-bit buffer is used to hold the intermediate
    and final value of the message digest.
  • this MD buffer is represented as four 32-bit
    registers (A,B,C,D), wich are initialized with
    A67452301, BEFCDAB89, C98BADCFE and D10325476
    in hexadecimal values.

5
(No Transcript)
6
MD5 Algorithm
  • Step 4 Process message in 512-bit blocks
  • The core of the algorithm is a compression
    function consisting of four rounds of
    processing. The module is labeled HMD5 in fig.
    9.1. and its inner logic is shown in fig. 9.2.
  • The four rounds have a similar structure, but
    each uses a different primitive logical function,
    referred as F, G, H and I.
  • The input of each round is the 512-bit block
    being processed Yq and the four register values
    (A,B,C,D) of the MD buffer.
  • Also each round uses one-fourth of a table
    T1...64 containing a randomized set 32-bit
    patterns. The goal of this table is to eliminate
    any regularities in the input data.
  • As a result each round updates the four register
    values (A,B,C,D) of the MD buffer. The register
    values is the output of the round.
  • The output of the fourth round is added to the
    input of the first round CVq to produce CVq1.
    The addition is done independently for each of
    the four 32-bit words in the buffer in modulo
    232.

7
MD5 Algorithm
  • Step 5 Output
  • After all the L 512-bit blocks have been
    processed, the output from the Lth stage is the
    128-bit message digest.
  • to summarise
  • CV0 IV
  • CVq1 SUM32(CVq, RFIYq, RFHYq, RFGYq,
    RFFYq, CVq )
  • MD CVL.
  • where
  • IV initial value of the ABCD buffer
  • Yq the qth 512-block of the message.
  • L the number of blocks
  • CVq chaining variable processed with the the
    qth block of the message
  • RFX round function using primitive logical
    function X
  • MD final message digest value
  • SUM32 Addition module 232 performed separatedly
    on each pair of words of the two inputs.

8
(No Transcript)
9
MD5 Algorithm compression function
  • Each round consists of a sequence of 16 steps
    operating on the register buffer (A,B,C,D)
  • Each step is has the form
  • a ? b (( a g(b,c,d) Xk Ti ) ltltlt s )
  • where
  • a,b,c,d the four words of the buffer, in a
    specified order that varies from step to step
  • g one of the primitive functions F, G, H, I
  • ltltlt s circular left shift (rotation) of the
    32-bit argument by s bits.
  • Xk Mq ? 16 ? k the kth 32-bit word in
    the qth 512-bit block of the message
  • Ti the ith 32-bit word in matrix T
  • addition modulo 232.
  • The step operation is illustrated in fig 9.3.
  • the order in which the four words (a,b,c,d) are
    used produces a word-level circular right shift
    of one word for each step.

10
MD5 Algorithm primitive functions
  • Each primive function performs a set of bitwise
    logical operations, i.e. the nth bit of the
    output is a function of the three other nth bits
    in the input words.
  • The primitive functions are as follows
  • One 512-bit block consists of 16 32-bit words.
    Each word of a block is used exactly once in a
    round, during one step. The order in which these
    words are used varies from round to round.
  • Also four different circular left shift (CLS)
    amounts are used within each round.

Round Primitive function g g(b,c,d)
1 F(b,c,d) (b ? c) ? (?b ? d)
2 G(b,c,d) (b ? d) ? (c ? ?d)
3 H(b,c,d) b ? c ? d
4 I(b,c,d) c ? (b ? ?d)
11
SHA-1
  • Developed by NIST and published as a
    FIPS-standard in 1993
  • A revised version, SHA-1, was published as a
    FIPS-standard in 1995
  • The design closely models MD4
  • Produces a 160-bit message digest to resist
    brute-force attacks
  • thus MD-buffer contains 5 words.
  • The complexity of the algorithm is greater than
    in MD4
  • The algorithm has four rounds each consisting of
    20 steps
  • The basic structure is illustrated in fig. 9.5
    and 9.6.
  • Wt is a word derived from the 512-bit block in a
    complex manner that varies from step to step
    across rounds.
  • Kt is a additive constant varying across rounds.

12
(No Transcript)
13
Comparision of SHA-1 and MD5
  • The comparision is according to the design goals
    of MD5
  • Security against brute force attacks
  • 32-bits longer MD is the main advantage of SHA-1.
    The difficulty of producing two messages with the
    same MD is 264 in MD5 and 280 in SHA-1, thus
    SHA-1 is considerable stronger.
  • Security against cryptanalysis
  • MD5 is somewhat vulnerable whereas SHA-1 is
    generally believed to be resistant to
    cryptanalysis. However the design criteria of
    SHA-1 are not public, so the security is
    difficult to judge.
  • Speed
  • Both algorithms execute fast on a 32-bit
    architecture. SHA-1 has more steps and a longer
    buffer, so it will execute slowlier.
  • Simplcity and compactness
  • Both algorithms are simle to describe and
    implement and do not require large program-code
    or substitution tables

14
RIPEMD-160
  • Developed by the European project RIPE in 1996
  • Right after the release the developers found
    attacks on two round of RIPEMD, and also on MD4
    and MD5.
  • 1997 the algorithm was upgraded to RIPEMD-160
  • The desing follows MD5
  • The MD is 160-bits, th e input block is 512-bits
  • There are two parallel lines of round, each
    consisting of five rounds
  • there are two MD buffers, one for each round
  • Each round has 16 steps
  • The design is illustrated in Fig. 9.8 and 9.9

15
(No Transcript)
16
Comparision of RIPEMF-160, SHA-1 and MD5
  • The comparision is according to the design goals
    of MD5
  • Security against brute force attacks
  • 32-bits longer MD is the main advantage of SHA-1
    and RIPEMD-160. The difficulty of producing two
    messages with the same MD (birthday attack) is
    264 in MD5 and 280 in SHA-1 and RIPE-MD160 making
    them considerable stronger.
  • Security against cryptanalysis
  • MD5 is somewhat vulnerable whereas SHA-1 is
    generally believed to be resistant to
    cryptanalysis. However the design criteria of
    SHA-1 are not public, so the security is
    difficult to judge. Resistance to cryptanalysis
    has been one of the main design objectives. The
    use of two parallel lines of round should make
    cryptanalysis more difficult compared to SHA-1.
  • Speed
  • All algorithms execute fast on a 32-bit
    architecture. SHA-1 and RIPEMD-160 have more
    steps and a longer buffer leading to slowdown in
    execution.
  • Simplcity and compactness
  • All algorithms are simle to describe and
    implement and do not require large program-code
    or substitution tables.

17
Comparision of RIPEMF-160, SHA-1 and MD5
18
HMAC
  • HMAC is a MAC derived from a cryptographically
    safe hash-function
  • hash fuctions (MD5, SHA-1) execute faster in
    software than symmetric block ciphers
  • library code for cryptographic hash functions is
    widely available
  • there are export restrictions from the USA for
    some block ciphers, bot none for hash-functions
  • HMAC is the mandatory-to-implement MAC for IP
    Security.
  • HMAC is used widely, e.g. in SSL
  • Basically HMAC is a way to incorporate a secret
    key into an existing hash function.

19
HMAC Design objectives
  • To use, without modification existing hash
    functions.
  • To allow easy replaceability of the embedded hash
    function in case faster or more secure functions
    are found or required
  • To preserve the original performance of the hash
    function in terms of security and speed
  • To use and handle keys in a simple way
  • To have a well understood cryptographic analysis
    of the strength of the authentication mechanism
    based on a reasonable assumptions on the embedded
    hash function.

20
HMAC Algorithm
  • Illustrated in Fig 9.10. Explanation
  • H embedded hash function
  • M message input to HMAC
  • Yi ith block of M
  • L number of blocks in M.
  • b number of bits in a block
  • n length of hash code produced by H
  • K secret key
  • K K padded with zeroes so that the result is b
    bits in length
  • ipad 00110110 repeated b/8 times
  • opad 01011010 repeated b/8 times
  • HMACK H(K ? opad) H(K ? ipad) M

21
(No Transcript)
22
HMAC Security
  • The exact relationship between the strength of
    the HMAC and the strength of the embedded hash
    function has been proved
  • The security is at least as strong as the
    underlying hash function
  • HMAC is more resistant to birthday attack
  • the use of MD5 is also safe, if speed is
    important

23
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com