IX' Hash Algorithms

1
IX. Hash Algorithms

• Look at three important hash functions (MD5,
  SHA-1, RIPEND-160) then look an Internet-standard
  message authentication code (HMAC)

2
CONTENTS

• MD5 Message Digest Algorithm
• Secure Hash Algorithm
• RIPEMD-160
• HMAC

3
1. MD5 Message Digest Algorithm

• Developed by Ron Rivest at MIT
• -RFC 1321
• MD5 Logic
• Input arbitrary length message
• Processed in 512-bit blocks
• Output 128-bit message digest

4
1. MD5 Message Digest Algorithm
5
1. MD5 Message Digest Algorithm

• Processing Steps
• Append padding bits
• Append length
• Initialize MD buffer
• Process message in 512-bit blocks
• output

6
1. MD5 Message Digest Algorithm

• Append padding bits1/5
• pad message so its length is 448 mod 512
• Padding is always added.
• the number of padding bits is in the range of 1
  to 512
• ex) 448(message) 512(padding bit)960bits
• 447(message) 1(padding bit) 448bits
• 449(message) 511(padding bit)960bits
• Padding consists of a single 1-bit followed by
  0-bits

7
1. MD5 Message Digest Algorithm

• Append length2/5
• Append 64 bit length of the original message to
  the result step 1.
• If original length is greater than 264 only
  low-order 64 bits of the length are used.
• The length of expanded message is L512 bits
• -gt of block L, of word N 16L

8
1. MD5 Message Digest Algorithm

• Initialize MD buffer3/5
• 128-bit buffer,
• used to hold intermediate and final results of
  the hash function.
• 4 32-bit registers (A, B, C, D)
• IV A67452301,BEFCDAB89, C98BADCFE,
• D10325476
• Stored in little-endian format
• AB CD 0123456789ABCDEF FEDCBA9876543210

9
1. MD5 Message Digest Algorithm

• Process message in 512bit blocks4/5
• Module that consists of 4 rounds of processing of
  16 steps each
• 4 rounds have a similar structure, but each uses
  a different primitive logical function(F,G,H,I)
• INPUT 512-bit block Yq, 128-bit CVq
• 64-element table T164, Table9.1
• OUTPUT CVq1 (addition is mod 232)

10
1. MD5 Message Digest Algorithm
11
1. MD5 Message Digest Algorithm

• Output5/5
• The output from the Lth stage is the 128-bit
  message digest.
• Summary of Logic
• CV0 IV
• CVq1SUM32(CVq,RFIYq,RFHYq,RFGYq,RFFYq,CVq
  )
• MDCVL

12
1. MD5 Message Digest Algorithm

• MD5 Compression Function
• Each round consists of a sequence of 16 steps of
  the form
• a lt- b((ag(b,c,d)XkTiltltlts)

13
1. MD5 Message Digest Algorithm

• Figure 9.4
• adapted from RFC1321, defines the processing
  algorithm of step 4.
• X015 holds the value of the current 512-bit
  input
• Within a round, each of the 16 words of Xi is
  used once, during one step
• ?2(i) (15i)mod 16
• ?3(i) (53i)mod 16
• ?4(i) 7imod 16

14
1. MD5 Message Digest Algorithm

• MD4
• Precursor to MD5 RFC1320
• Goals
• Security, Speed, Simplicity and compactness,
  Favor little-endian architecture
• Differences
• Uses three rounds of 16 steps each
• No additive constant is used in 1st round
• Uses three primitive logical functions
• Did not include final addition

15
1. MD5 Message Digest Algorithm

• Strength of MD5ominous trend in the attacks on
  MD5
• using differential cryptanalysis it is possible
  to find 2 messages producing the same digest for
  a 1-round, not the full 4-round MD5
• Pseudocollision, not seem to be any way to extend
  this approach to a success
• Collision for the MD5 compression function works
  on a single 512-bit block of input, no way has
  been found to generalize this attack to a full
  message using the MD5 IV.

16
2. Secure Hash Algorithm

• Developed by the National Institute of Standards
  and Technology (NIST)
• Published as a federal information processing
  standard in 1993
• Revised version was issued as SHA-1
• SHA-1 is based on the MD4 algorithm, its design
  closely models MD4

17
2. Secure Hash Algorithm

• SHA-1 Logic
• INPUT a message with a maximum length of less
  than 264 bits
• Overall processing shown for MD5 in Figure 9.1,
  with a block length of 512 bits and a hash length
  of 160 bits
• OUTPUT 160-bit message digest

18
2. Secure Hash Algorithm

• Processing Steps
• Append padding bits
• Append length
• Initialize MD buffer
• Process message in 512-bit blocks
• output

19
2. Secure Hash Algorithm

• Append padding bits1/5
• pad message so its length is 448 mod 512
• Padding is always added.
• the number of padding bits is in the range of 1
  to 512
• Padding consists of a single 1-bit followed by
  0-bits

20
2. Secure Hash Algorithm

• Append length2/5
• Append 64bit length of the original message to
  the result step 1.
• Treated as an unsigned 64-bit integer
• Contains the length of the original message

21
2. Secure Hash Algorithm

• Initialize MD buffer3/5
• 160-bit buffer
• 5 32-bit registers (A, B, C, D, E)
• IV A67452301,BEFCDAB89,C98BADCFE,
• D10325476,EC3D2E1F0
• Stored in big-endian format
• ABCDE 67452301 EFCDAB89 98BADCFE
• 10325476 C3D2E1F0

22
2. Secure Hash Algorithm

• Process Message in 512bit blocks4/5
• Module that consists of 4 rounds of processing of
  20 steps each
• 4 rounds have a similar structure, but each uses
  a different primitive logical function(f1,f2,f3,f4
  )
• INPUT 512-bit block Yq, 160-bit CVq
• Each round uses an additive constant Kt where
  0t79 (for 80 steps)
• OUTPUT CVq1 (addition is mod 232)

23
2. Secure Hash Algorithm
24
2. Secure Hash Algorithm

• Output5/5
• The output from the Lth stage is the 160-bit
  message digest.
• Summary of Logic
• CV0 IV
• CVq1 SUM32(CVq, ABCDEq)
• MD CVL

25
2. Secure Hash Algorithm

• SHA-1 Compression Function
• Each round is of the formFigure 9.6
• Each primitive function
• takes 3 32-bit words as input
• Performs a set of bitwise logical operation
• Produces a 32-bit word output

26
2. Secure Hash Algorithm
27
2. Secure Hash Algorithm
28
2. Secure Hash Algorithm

• Comparison of SHA-1 and MD5
• Security against brute-force attacks
• 32 bits longer than the MD5
• Producing any message having a given message
  digest is on the order 2160 for SHA-1
• Producing 2 messages having the same message
  digest is on the order 280 for SHA-1
• Stronger against brute-force attack

29
2. Secure Hash Algorithm

• Security against cryptanalysis
• Less vulnerable against cryptanalytic attacks
  discovered since MD5s design
• Speed
• Both algorithms rely heavily on addition modulo
  232 SHA-1 involves more steps and must process a
  160-bit buffer.
• SHA-1 should execute more slowly than MD5

30
2. Secure Hash Algorithm

• Simplicity and Compactness
• Both are simple to describe and simple to
  implement
• Not require large programs nor substitution
  tables
• Little-endian vs Big-endian architecture
• There appears to be no advantage to either
  approach

31
3. RIPEMD-160

• Developed under the European RACE Integrity
  Primitives Evaluation project
• By a group of researchers launching partially
  successful attacks on MD4 and MD5
• Originally a 128-bit RIPEMD

32
3. RIPEMD-160

• RIPEMD-160 Logic
• INPUT a message of arbitrary length
• Overall processing shown for MD5 in Figure 9.1,
  with a block length of 512 bits and a hash length
  of 160 bits
• Output 160-bit message digest

33
3. RIPEMD-160

• Processing Steps
• Append padding bits
• Append length
• Initialize MD buffer
• Process message in 512-bit blocks
• output

34
3. RIPEMD-160

• Append padding bits1/5
• pad message so its length is 448 mod 512
• Padding is always added.
• the number of padding bits is in the range of 1
  to 512
• Padding consists of a single 1-bit followed by
  0-bits

35
3. RIPEMD-160

• Append Length2/5
• Append 64bit length of the original message to
  the result step 1.
• Treated as an unsigned 64-bit integer
• Contains the length of the original message
• As with MD5, and in contrast to SHA-1, RIPEMD-160
  uses a little-endian convention

36
3. RIPEMD-160

• Initialize MD buffer3/5
• 160-bit buffer
• 5 32-bit registers (A, B, C, D, E)
• IV A67452301,BEFCDAB89,C98BADCFE,
• D10325476,EC3D2E1F0
• Stored in little-endian format

37
3. RIPEMD-160

• Process message in 512bit blocks4/5
• Module that consists of 10 rounds of processing
  of 16 steps each
• 10 rounds are arranged as 2 parallel lines of 5
  rounds
• 4 rounds have a similar structure, but each uses
  a different primitive logical function(f1,f2,f3,f4
  ,f5)
• INPUT 512-bit block Yq, 160-bit CVq ABCDE(L),
  ABCDE(R)
• Each round uses an additive 9 constants
• OUTPUT CVq1 (addition is mod 232)

38
3. RIPEMD-160

• CVq1(0)CVq(1)CD
• CVq1(1)CVq(2)DE
• CVq1(2)CVq(3)EA
• CVq1(3)CVq(4)AB
• CVq1(4)CVq(0)BC

39
3. RIPEMD-160

• Output5/5
• The output from the Lth stage is the 160-bit
  message digest

40
3. RIPEMD-160

• Compression Function
• Each round consists of a sequence of 16 steps
  Figure 9.9
• The processing algorithm of one round
• ACVq(0)BCVq(1)CCVq(2)DCVq(3)E
  CVq(4)
• ACVq(0)BCVq(1)CCVq(2)DCVq(3)E
  CVq(4)
• for j0 to 79 do
• Trols(j)(Af(j,B,C,D)Xr(j)K(j))E
• AEEDD rol10(C)CBBT
• Trols(j)(Af(79-j,B,C,D)Xr(j)K(j))E
  
• AEEDD rol10(C)CBBT
• enddo
• CVq1(0)CVq(1)CD CVq1(1)CVq(2)DE
  CVq1(2)CVq(3)EA CVq1(3)CVq(4)AB
  CVq1(4)CVq(0)BC

41
3. RIPEMD-160
42
3. RIPEMD-160
5 primitive logical functions
43
3. RIPEMD-160

• The array of 32-bit words X0..15 holds the
  value of the current 512-bit input block being
  processed.
• Within a round, each of the 16 words of Xi is
  used exactly twice during one step on each line
• Table 9.5a the permutation used for each round
  in each line
• Table 9.5b the circular left shifts used in each
  round

44
3. RIPEMD-160
45
3. RIPEMD-160

• Design Decision
• 2 parallel lines are used to increase the
  complexity of finding collisions between rounds
• For simplicity, the 2 lines use essentially the
  same logic
• It will become possible to attack one of the 2
  lines and up to 3 rounds of the 2 parallel lines

46
3. RIPEMD-160

• The combination of the 2 lines will resist
  attacks because of their differences
• The additive constants for the 2 lines are
  different
• The order of the primitive logical functions is
  reversed
• The order of processing of the 32-bit words in
  the message block is different
• The step operation is identical to MD5s
• The rotation of C word avoids an MD5 attack that
  focuses on the most significant bit
• The permutation has the effect that 2 message
  words close in one round are relatively far apart
  in the next

47
3. RIPEMD-160

• The circular left shifts were chosen based on
• The shift range from 5 to 15
• Every message word is rotated over different
  amounts for the 5 rounds
• The shifts applied to each word should not have a
  special pattern
• Not too many shift constants should be divisible
  by 4

48
3. RIPEMD-160

• Comparison with MD5 and SHA-1

49
3. RIPEMD-160

• Resistance to brute-force attack
• All 3 algorithms are invulnerable to attacks
  against weak collision resistance
• MD5 is highly vulnerable to birthday attack on
  strong collision resistance
• SHA-1 and RIPEMD-160 are safe for the foreseeable
  future
• Resistance to cryptanalysis
• Designed specifically to resist known
  cryptanalytic attacks
• The use of two lines of processing
• gives RIPEMD-160 added complexity
• should make cryptanalysis more difficult than
  SHA-1

50
3. RIPEMD-160

• Speed
• All 3 algorithms rely on addition modulo 232 and
  simple bitwise logical operations
• The added complexity and number of steps of SHA-1
  and RIPEMD-160 does lead to slowdown compared to
  MD5 Table 9.7
• Little-endian vs big-endian architecture
• There is no strong advantage to either approach
• MD5 and RIPEMD-160 use a little-endian scheme

51
3. RIPEMD-160
52
4. HMAC

• there has been increased interest in developing a
  MAC derived from a cryptographic hash code
• Motivations
• generally execute faster in software than
  symmetric block ciphers
• Library code is widely available
• No export restrictions from US or other countries
  for cryptographic hash code

53
4. HMAC

• Incorporation of a secret key into an existing
  hash algorithm
• issued as RFC 2104
• chosen as the mandatory-to-implement MAC for IP
  security
• used in other Internet protocols, such as SSL

54
4. HMAC

• HMAC Design Objectives RFC2104
• To use available hash functions.
• To allow for easy replaceability of the embedded
  hash function
• To preserve the original performance
• To use and handle keys in simple way
• To have a well understood cryptographic analysis
  of the strength of the authentication mechanism

55
4. HMAC

• HMAC Algorithm
• Append zeros to the left end of K to create a
  b-bit string K
• XOR K with ipad to produce the b-bit block Si
• Append M to Si
• Apply H to the stream generated in step 3

56
4. HMAC

• XOR K with opad to produce the b-bit block So
• Append the hash result from step 4 to So
• Apply H to the stream generated in step 6 and
  output the result

57
4. HMAC

• Having pseudorandomly generated 2 keys from K
• XOR with ipad/opad results in flipping one-half
  of the bits of K -gt Si/So
• Figure 9.11 show More efficient implementation is
  possible. 2 quantities are precomputed

58
4. HMAC

• f(cv,block)
• The compression function for the hash function
• INPUT chaining variable of n bits, a block of b
  bits
• OUTPUT chaining variable of n bits
• Only needed initially or every time the key
  changes

59
4. HMAC

• Security of HMAC
• Depends in some way on the cryptographic strength
  of the underlying hash function
• Generally expressed in terms of prob. of
  successful forgery with a given amount of time
  and number of message-MAC pairs

60
4. HMAC

• The Probability of successful attack on HMAC
• The attacker is able to compute an output of the
  compression function even with an IV that is
  random, secret, and unknown to the attacker
• The attacker finds collisions in the hash
  function even when the IV is random and secret

61
4. HMAC

• for a hash code length of 128 bits
• 264 observed blocks (273 bits) generated using
  the same key
• On a 1-Gbps link
• One would need to observe a continuous stream of
  messages with no change in key for about 250,000
  years in order to succeed
• If speed is a concern
• It is fully acceptable to use MD5 rather than
  SHA-1 or RIPEMD-160 as embedded hash function for
  HMAC