Hashes and Message Digests 1 Hash Message of arbitrary length Hash h A fixed-length short message • Also known as – Message digest – One-way function • Function: input message -> output • One-way: d=h(m), but not h’(d) = m – Computationally infeasible find the message given the digest • Cannot find m1 and m2, where d1 = d2 • Randomness: – Any bit in the output ‘1’ half the time – Each output: 50% ‘1’ bits 2 Birthday Paradox • What is the minimum value of n such that the probability is greater than 0.5 that at least two people in a group of n people have the same birthday? – Ignore Feb. 29 and assume each birthday is equally likely • Probability of n people having n different birthdays: • Probability that at least two people have the same birthdays: – 1- • n is about 23 3 Generalization of Birthday Problem • Compute probability of different birthdays • Random samples of n people (birthdays) taken from d (365) days • What is the minimum value of n such that the probability is greater than 0.5 that there is at least one duplicate? – P(n, d) = 1 – • For large n and d, we have • – n = 1.2 * d1/2 Implication – We expect to obtain the same output after about 1.2 * d1/2 http://www.rsasecurity.com/rsalabs/node.asp?id=2205 trials 4 How many bits for hash? • m bits, takes 2m/2 to find two with the same hash • 64 bits, takes 232 messages to search (doable) • Need at least 128 bits • Example use – Fingerprint a program/document: attackers cannot find a different program with the same message digest 5 Hash used for Authentication • Alice and Bob share a secret KAB Alice rA Bob MD(KAB|rA) rB MD(KAB|rB) 6 Computing a MAC with a HASH • Cannot just compute MD(m) – Anyone can compute MD(m) • MAC: MD(KAB|m) – Allows concatenation with additional message: MD(KAB|m|m’) • MD through chunk n depends on MD through chunks n-1 and the data in chunk n • 512-bit blocks, append (message length, pad) • How to solve? – Put secret at the end of message: • MD(m| KAB) – Use only half the bits of the message digest as the MAC – Concatenate the secret to both the front and the back of the message 7 Encryption with a Message Digest • One-time pad: – compute bit streams using MD, K, and IV • b1=MD(KAB|IV), bi=MD(KAB|bi-1), … – with message blocks • Mixing in the plaintext – similar to cipher feedback mode (CFB) • b1=MD(KAB|IV), c1= p1 b1 • b2=MD(KAB| c1), c2= p2 b2 • …. 8 Modern Hash Functions • MD5 – Previous versions (MD2, MD4) have weaknesses • SHA-1 – Secure Hash Algorithms 9 MD2 • 128-bit message digest – Arbitrary number of octets – Message is padded to be a multiple of 16 octets – Append MD2 checksum (16 octets) (a strange function of the padded message) to the end – Process the whole message 16 octets at a time • Each intermediate value depends on – Previous intermediate value – The value of the 16 octets of the message being processed 10 MD2 Padding 11 MD2 Checksum 12 MD2 Substitution Table 13 MD2 Checksum • • • • One byte at a time, k 16 steps mnk: byte nk of message cn=(mnk cn-1) cn : 0 41, 1 46, … – Substitution on 0-255 (value of the byte) 14 MD2 Final Pass 15 MD2 Final Pass • Operate on 16-byte chunks • 48-byte quantity q: – (current digest|chunk|digestchunk) • 18 passes of massaging over q, and one byte at a time: – cn=(cn-1) cn for n = 0, … 47; c-1 = 0 for pass 0; c-1 = (c47 + pass #) mod 256 • After pass 17, use first 16 bytes as new digest – 16 8 = 128 16 Overview of MD4, MD5, and SHA-1 MD of MD4/MD5: 128 bit, MD of SHA-1: 160-bit 17 Padding for MD4, MD5, and SHA-1 18 MD5 Process • As many stages as the number of 512-bit blocks in the final padded message • Digest: 4 32-bit words: MD=d0|d1|d2|d3 • Every message block contains 16 32-bit words: m0|m1|m2…|m15 – Digest MD0 initialized to: d0=67452301,d1=efcdab89,d2=98badcfe, d3=10325476 – Every stage consists of 4 passes over the message block, each modifying MD • operations 19 Constants of MD5 Ti = 232sin i 20 MD5 Message Digest Pass 1 • For each integer i from 0 through 15 (i) 21 MD5 Message Digest Pass 2 • For each integer i from 0 through 15 22 MD5 Message Digest Pass 3 • For each integer i from 0 through 15 23 MD5 Message Digest Pass 4 • For each integer i from 0 through 15 24 SHA-1 • Developed by NIST • SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST • Take a message of length at most 264 bits and produces a 160-bit output. • SHA design is similar to MD5, but a lot stronger • Make five passes over each block of data 25 SHA-1 cont’d • Step 1: Message Padding – same as MD5 • Step 2: Initialize MD buffer 5 32-bit words A|B|C|D|E A = 67452301 B = efcdab89 C = 98badcfe D = 10325476 E = c3d2e1f0 26 SHA-1 operation on a 512-bit Block • Step 3: the 80-step processing of 512-bit blocks – 4 rounds, 20 steps each. Each step t (0 <= t <= 79): – Input: • Wt – a 32-bit word from the message • Kt – a constant. • ABCDE: current MD. – Output: • ABCDE: new MD • Only 4 per-round distinctive additive constants 0 <=t<= 19 Kt = 5A827999 20<=t<=39 Kt = 6ED9EBA1 40<=t<=59 Kt = 8F1BBCDC 60<=t<=79 Kt = CA62C1D6 • Only 3 different functions Round 0 <=t<= 19 20<=t<=39 40<=t<=59 60<=t<=79 Function ft(B,C,D) (BC)(~B D) BCD (BC)(BD)(CD) BCD 27 SHA-1 cont’d Inner Loop of SHA-1 – 80 Iterations per Block 28 HMAC 29