S. Erfani, ECE Dept., University of Windsor 4.14 0688-590-18 Network Security Simple Hash Functions All hash functions operate using the following general principles: a) The input string is viewed as a sequence of n-byte blocks. b) The input is processed one block at a time in an iterative fashion to produce an n-bit hash function. The simplest hash function is the list-by-list XOR of every block, expressed as following: Ci=bi1 bi2 · · · bim Where Ci=ith list of the hash code, 1in M=number of n-bit blocks in the input Bij=ith list in jth block =XOR operation. This is shown in Fig. 7. bit 1 Block1 Block2 b11 bit 2 b21 b12 …. bit n bn1 bn2 : : Block m b1m C1 bnm C2 Cn Hash code Figure 7: Simple Hash Function using Bitwise XOR. Note1: Fig.7 produces a simple parity for each bit position, and is known as a longitudinal redundancy check. It is reasonably effective for random data as a data integrity check. Oct. 9, 2003 1 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security Another scheme, originally proposed by NIST, used the simple XOR applied to 64 bit blocks of the message and then an encryption of the entire message that used the cipher block-chaining (CBC) mode. In other words, given a message consisting of a sequence of 64 bit blocks X1, X2, …., XN, define the hash code C as the block and append the hash code as the final block: C = XN+1 = X1 X2 …. XN Next, encrypt the entire message plus hash code, using CBC mode to produce the encrypted message Y1, Y2, …., YN+1. Note 2: It was shown that the above scheme to produce a hash code is not secure. 4.15 Secure Hash Algorithm A cryptographic hash function uses a cryptographic function as part of the hash function. An intruder or opponent would presumably not have access to the cryptographic function. The intruder could modify the data or the hash value or both but without knowing the Cryptographic relationship between the data and the hash value, the intruder would be unlikely to be able to modify both in such a way that they match. Thus, modifications could be detected at the recipient’s end, with a probability depending on the strength of the cryptographic algorithm and on the degree to which the data was reduced. The secure hash algorithm ( SHA ) was developed by NIST in 1993 (FIPS PUB180). A revised version referred to as SHA-1 was issued in 1995 ( FIPS PUB 180-1). The algorithm takes as input a message with a maximum length of less than 2 64 bits Figure 8: Message Digest Generating Using SHA-1 Oct. 9, 2003 2 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security And produces as output a 160-bit message digest. The input is processed in 512 – bit blocks. Figure 8 shows the overall processing of a message to produce a digest. The processing consists of the following steps: Step 1 - Append Padding bits The (plaintext message is padded so that its length is congruent to 448 module 512. Padding is always added, even if the message is already of the desired length. Thus the number of padding bits is in the range of 1 to 512. The padding consists of a single 1-bit followed by the necessary number of 0-bits. Step 2 - Append Length A block of 64 bits is appended to the message. This block is treated as an unsigned 64-bit integer and contains the length of the original message before the padding. The outcome of these two steps yields a message that is an integer multiple of 512 bits in length. In Figure 8 the expanded message is represented as the sequence of 512-bit blocks Y0, Y1, ….., Y2-1, so that the total length of the expanded message is L x 512 bits. Equivalently, the result is a multiple of 16 32-bit words. Let M [0…….N-1] denote the words of the resulting message, with N an integer multiple of 16. Thus, N=Lx16. Step 3 - Initialize MD Buffer 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as five 32-bit registers (A,B,C,D,E). These registers are initialized to the following 32-bit integers (hexadecimal values): A = 67452301 B = EFCDAB89 C = 98BADCFF D = 10325476 E = C3D2E1F0 Step 4 – Process Message in 512-bit (16-Word) Blocks The heart of the algorithm is a module, known as compression function, that consists of four rounds of processing 20 steps each. The logic is illustrated in Figure 9 (on the next page). The four rounds have a similar structure, but each uses a different primitive logical function, which we call f1, f2, f3, and f4. Each round takes as input the current 512-bit block being processed, Yq and the 160-bit buffer value ABCDE and updates the contents of the buffer. Each round Oct. 9, 2003 3 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security also uses an additive constant Kt, where 0<= t <= 79 indicates one of the 80 steps across five rounds. Figure 9: SHA-1 Processing of a Single 512-Bit Block (SHA-1 Compression Function) In fact, only four distinct constants are used. The values, in hexadecimal and decimal, are as follows: Step number Hexadecimal Take integer part 0<= t <= 19 Kt = 5A827999 [ 230 x 2 ½ ] 20<= t <= 39 Kt = 6ED9EBA1 [ 230 x 3 ½ ] 40<= t <= 59 Kt = 8F1BBCDC [ 230 x 5 ½ ] 60<= t <= 79 Kt = CA62C1D6 [ 230 x 10½ ] Oct. 9, 2003 4 S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security The output of the fourth round (eightieth step) is added to the input to the first round, CVq , to produce CVq+1. The addition is done independently for each of the five words in the buffer with each of the corresponding words in CV q , using addition module 232. Step 5 – Output After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest. Note 1 The SHA-1 algorithm has the property that every bit of the hash code is a function of every bit of the input. The complex repetition of the basic function of ft produces results that are well mixed. It is unlikely that two messages chosen at random will have the same hash code. Note 2 The difficulty of coming up with two messages having the same message digest is on the order of 280 operations. The difficulty of finding a message with a given digest is on the order of 2160 operations. Note 3 There are other secure hash algorithms: 1) MD5 - 2) RIPEMD -160 - Oct. 9, 2003 The MD5 message-digest algorithm was developed by Ron Rivest. It takes as input a message of arbitrary length and produces as output a 128-bit message-digest. The input is processed in 512-bit blocks. It is shown that MD5 is vulnerable to cryptanalysis. This algorithm was developed under the European RACE Integrity Primitive Evaluation (RIPE) project, by a group of researchers, who launched partially successful attacks on MD4 and MD5. RIPEMD160 is quite similar to SHA-1. The algorithm takes as input a message of arbitrary length and produces as output a 160-bit message digest. The input is processed in 512-bit blocks. 5