ppt

advertisement
Hashes and Message Digests
1
Hash
Message of
arbitrary length
Hash h
A fixed-length
short message
• Also known as
– Message digest
– One-way function
• Function: input message -> output
• One-way: d=h(m), but not h’(d) = m
– Computationally infeasible find the message given the digest
• Cannot find m1 and m2, where d1 = d2
• Randomness:
– Any bit in the output ‘1’ half the time
– Each output: 50% ‘1’ bits
2
Birthday Paradox
• What is the minimum value of n such that the probability is
greater than 0.5 that at least two people in a group of n people
have the same birthday?
– Ignore Feb. 29 and assume each birthday is equally likely
• Probability of n people having n different birthdays:
• Probability that at least two people have the same birthdays:
– 1-
• n is about 23
3
Generalization of Birthday Problem
• Compute probability of different birthdays
• Random samples of n people (birthdays) taken from d
(365) days
• What is the minimum value of n such that the probability is
greater than 0.5 that there is at least one duplicate?
– P(n, d) = 1 –
• For large n and d, we have
•
– n = 1.2 * d1/2
Implication
–
We expect to obtain the same output after about 1.2 * d1/2
http://www.rsasecurity.com/rsalabs/node.asp?id=2205
trials
4
How many bits for hash?
• m bits, takes 2m/2 to find two with the same
hash
• 64 bits, takes 232 messages to search (doable)
• Need at least 128 bits
• Example use
– Fingerprint a program/document: attackers cannot
find a different program with the same message
digest
5
Hash used for Authentication
• Alice and Bob share a secret KAB
Alice
rA
Bob
MD(KAB|rA)
rB
MD(KAB|rB)
6
Computing a MAC with a HASH
• Cannot just compute MD(m)
– Anyone can compute MD(m)
• MAC: MD(KAB|m)
– Allows concatenation with additional message: MD(KAB|m|m’)
• MD through chunk n depends on MD through chunks n-1 and the data in chunk n
• 512-bit blocks, append (message length, pad)
• How to solve?
– Put secret at the end of message:
• MD(m| KAB)
– Use only half the bits of the message digest as the MAC
– Concatenate the secret to both the front and the back of the message
7
Encryption with a Message Digest
• One-time pad:
– compute bit streams using MD, K, and IV
• b1=MD(KAB|IV), bi=MD(KAB|bi-1), …
–  with message blocks
• Mixing in the plaintext
– similar to cipher feedback mode (CFB)
• b1=MD(KAB|IV), c1= p1  b1
• b2=MD(KAB| c1), c2= p2  b2
• ….
8
Modern Hash Functions
• MD5
– Previous versions (MD2, MD4) have weaknesses
• SHA-1
– Secure Hash Algorithms
9
MD2
• 128-bit message digest
– Arbitrary number of octets
– Message is padded to be a multiple of 16 octets
– Append MD2 checksum (16 octets) (a strange
function of the padded message) to the end
– Process the whole message 16 octets at a time
• Each intermediate value depends on
– Previous intermediate value
– The value of the 16 octets of the message being processed
10
MD2 Padding
11
MD2 Checksum
12
MD2  Substitution Table
13
MD2 Checksum
•
•
•
•
One byte at a time, k  16 steps
mnk: byte nk of message
cn=(mnk  cn-1)  cn
 : 0  41, 1  46, …
– Substitution on 0-255 (value of the byte)
14
MD2 Final Pass
15
MD2 Final Pass
• Operate on 16-byte chunks
• 48-byte quantity q:
– (current digest|chunk|digestchunk)
• 18 passes of massaging over q, and one byte at
a time:
– cn=(cn-1)  cn for n = 0, … 47; c-1 = 0 for pass 0;
c-1 = (c47 + pass #) mod 256
• After pass 17, use first 16 bytes as new digest
– 16  8 = 128
16
Overview of MD4, MD5, and SHA-1
MD of MD4/MD5: 128 bit, MD of SHA-1: 160-bit
17
Padding for MD4, MD5, and SHA-1
18
MD5 Process
• As many stages as the number of 512-bit blocks in the
final padded message
• Digest: 4 32-bit words: MD=d0|d1|d2|d3
• Every message block contains 16 32-bit words:
m0|m1|m2…|m15
– Digest MD0 initialized to:
d0=67452301,d1=efcdab89,d2=98badcfe, d3=10325476
– Every stage consists of 4 passes over the message block, each
modifying MD
• operations
19
Constants of MD5
Ti = 232sin i
20
MD5 Message Digest Pass 1
• For each integer i from 0 through 15
(i)
21
MD5 Message Digest Pass 2
• For each integer i from 0 through 15
22
MD5 Message Digest Pass 3
• For each integer i from 0 through 15
23
MD5 Message Digest Pass 4
• For each integer i from 0 through 15
24
SHA-1
• Developed by NIST
• SHA is specified as the hash algorithm in the Digital
Signature Standard (DSS), NIST
• Take a message of length at most 264 bits and
produces a 160-bit output.
• SHA design is similar to MD5, but a lot stronger
• Make five passes over each block of data
25
SHA-1 cont’d
• Step 1: Message Padding – same as MD5
• Step 2: Initialize MD buffer 5 32-bit words
A|B|C|D|E
A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0
26
SHA-1 operation on a 512-bit Block
•
Step 3: the 80-step processing of 512-bit blocks – 4 rounds, 20 steps each.
Each step t (0 <= t <= 79):
– Input:
• Wt – a 32-bit word from the message
• Kt – a constant.
• ABCDE: current MD.
– Output:
• ABCDE: new MD
• Only 4 per-round distinctive additive constants
0 <=t<= 19 Kt = 5A827999
20<=t<=39 Kt = 6ED9EBA1
40<=t<=59 Kt = 8F1BBCDC
60<=t<=79 Kt = CA62C1D6
• Only 3 different functions
Round
0 <=t<= 19
20<=t<=39
40<=t<=59
60<=t<=79
Function ft(B,C,D)
(BC)(~B D)
BCD
(BC)(BD)(CD)
BCD
27
SHA-1 cont’d
Inner Loop of SHA-1 – 80 Iterations per Block
28
HMAC
29
Download