
Cryptographic Hash Functions: Purpose

Cryptographic hash functions are important tools in modern cryptography and security. They produce a fixed-size digest or fingerprint of arbitrarily long input data to guarantee integrity. A good cryptographic hash function is easy to compute, produces different hashes for different inputs, and makes it computationally infeasible to find collisions or inputs that hash to the same value. MD5 is a 128-bit cryptographic hash function that takes variable-length data and produces a 128-bit hash value. It operates by padding the input, dividing it into 512-bit blocks, and then processing each block through four rounds that use different functions and constants to modify the running hash value.

Uploaded by

Chris Harris

Lecture 6

Cryptographic Hash Functions

Purpose
Ø One of the most important tools in modern cryptography and security

Ø In crypto, instantiates a Random Oracle

Ø In security, used in a variety of authentication and integrity applications

Ø Not the same as hashing used in DB or CRCs in communications

Cryptographic HASH Functions
Ø  Purpose: produce a fixed-size “fingerprint” or digest of arbitrarily long input data

Ø  Why? To guarantee integrity

Ø  Properties of a “good” cryptographic HASH function H():

1.  Takes an input of any size
2.  Produces fixed-length output
3.  Easy to compute (efficient)
4.  Given any h, computationally infeasible to find any x such that H(x) = h
5.  For a given x, computationally infeasible to find y such that H(y) = H(x) and y ≠ x
6.  Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y

Same properties re-stated:

v  Cryptographic properties of a “good” HASH function:
   v  One-way-ness (#4)
   v  Weak Collision-Resistance (#5)
   v  Strong Collision-Resistance (#6)

v  Non-cryptographic properties of a “good” HASH function
   v  Efficiency (#3)
   v  Fixed output (#1)
   v  Arbitrary-length input (#2)

Construction
Ø  A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (Mi)

[Diagram: IV and M1 feed f to give h1; h1 and M2 feed f to give h2; …; hn-1 and Mn feed f to give the final hash h]

Ø  Sort of like a Chained Block Cipher

v  Produces a hash value for each fixed-size block based on (1) its content and (2) hash value for the previous block

v  “Avalanche” effect: 1-bit change in input produces “catastrophic” and unpredictable changes in output

Simple Hash Functions

Ø  Bitwise-XOR

Ø  Not secure, e.g., for English text (ASCII<128) the high-order bit is almost always zero
Ø  Can be improved by rotating the hash code after each block is XOR-ed into it
Ø  If message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed
Ø  Another weak hash example: IP Header CRC

Another example
Ø  IPv4 header checksum
Ø  Ones' complement of the ones' complement sum of the IP header's 16-bit words
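
The weaknesses listed on this slide, shown as an added example (not code from the lecture): a bitwise-XOR hash with and without rotation, the single appended block that restores a chosen hash code after the message has changed, and the IPv4 header checksum, which does not notice reordered words. The 64-bit block size, zero padding and all sample inputs are assumptions constructed for the illustration.

```python
import struct

BLOCK = 8                       # assumed block size in bytes (64-bit hash code)
MASK = (1 << 64) - 1

def rotl(x, n=1):
    return ((x << n) | (x >> (64 - n))) & MASK

def pad(msg):
    """Zero-pad to a whole number of blocks (assumption; the slide leaves this open)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)

def xor_hash(msg, rotate=False):
    """XOR every block into the hash code; optionally rotate it 1 bit after each block."""
    h, data = 0, pad(msg)
    for i in range(0, len(data), BLOCK):
        h ^= int.from_bytes(data[i:i + BLOCK], "big")
        if rotate:
            h = rotl(h)
    return h

def fix_up_block(modified, target, rotate=False):
    """The one extra block that makes pad(modified) + block hash to `target`."""
    want = rotl(target, 63) if rotate else target     # undo the final rotation
    return (xor_hash(modified, rotate) ^ want).to_bytes(BLOCK, "big")

def ipv4_checksum(header):
    """Ones' complement of the ones' complement sum of the header's 16-bit words."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:                                 # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

# Constructed sample inputs.
ORIGINAL = b"log_level=info;audit=on"
MODIFIED = b"log_level=info;audit=off"
# 20-byte IPv4 header with the checksum field (bytes 10-11) set to zero.
HEADER = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")

if __name__ == "__main__":
    for rot in (False, True):
        target = xor_hash(ORIGINAL, rot)
        altered = pad(MODIFIED) + fix_up_block(MODIFIED, target, rot)
        print("rotate =", rot, "hash unchanged:", xor_hash(altered, rot) == target)
    # ASCII text never sets the top bit of any byte of the plain XOR hash.
    print(hex(xor_hash(ORIGINAL) & 0x8080808080808080))
    swapped = HEADER[:12] + HEADER[16:20] + HEADER[12:16]   # exchange the two addresses
    print(hex(ipv4_checksum(HEADER)), ipv4_checksum(swapped) == ipv4_checksum(HEADER))
```

Neither variant depends on a secret, so anyone who can edit the message can also recompute or compensate the code; that is the gap the keyed constructions later in the lecture close.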

The Birthday Paradox

v  Example hash function: y=H(x) where: x=person and H() is Bday()
v  y ranges over set Y=[1…365], let n = size of Y, i.e., number of distinct values in the range of H()
v  How many people do we need to ‘hash’ to have a collision?
v  Or: what is the probability of selecting at random k DISTINCT numbers from Y?

v  P0 = 1*(1-1/n)*(1-2/n)*…*(1-(k-1)/n) ≈ e^(k(1-k)/2n)

v  P1 = 1-P0 ---> probability of at least one collision
v  Set P1 to be at least 0.5 and solve for k
v  k ≈ 1.17 * SQRT(n)
v  k = 22.3 for n=365

So, what’s the point?

The Birthday Paradox

m = log(n) = size of H()
√(2^m) = 2^(m/2) trials must be computationally infeasible!

How long should a hash be?

Ø Many input messages yield the same hash


v e.g., 1024-bit message, 128-bit hash
v On average, 2896 messages map into one hash
Ø With m-bit hash, it takes about 2m/2 trials
to find a collision (with >=50% probability)
Ø When m=64, it takes 232 trials to find a
collision (doable in very little time)
Ø Today, need at least m=160, requiring
about 280 trials
10

5
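
The birthday bound from the two slides above, checked numerically in an added example (not code from the lecture): the exact product for P0 gives the smallest k with P1 >= 0.5, and a search over a hash truncated to m bits shows the number of trials landing near 2^(m/2). Truncated SHA-256 stands in for an m-bit hash, and the counter messages are constructed; both are assumptions of this example.

```python
import hashlib
import math

def smallest_k(n, target=0.5):
    """Smallest k with P1 = 1 - P0 >= target, using the exact product for P0."""
    p0, k = 1.0, 1
    while 1.0 - p0 < target:
        p0 *= 1.0 - k / n        # the (k+1)-th sample must miss the first k values
        k += 1
    return k

def approx_k(n):
    """The slide's approximation k = 1.17 * sqrt(n)."""
    return 1.17 * math.sqrt(n)

def truncated_hash(data, m):
    """First m bits of SHA-256, used here as a stand-in for an m-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - m)

def find_collision(m):
    """Hash distinct counter messages until two share an m-bit digest.

    Returns (x, y, trials) with x != y and truncated_hash(x) == truncated_hash(y).
    """
    seen = {}
    trials = 0
    while True:
        msg = b"message-%d" % trials
        trials += 1
        digest = truncated_hash(msg, m)
        if digest in seen:
            return seen[digest], msg, trials
        seen[digest] = msg

if __name__ == "__main__":
    print("n=365: exact k =", smallest_k(365), " approx =", round(approx_k(365), 1))
    for m in (16, 24, 32):
        x, y, trials = find_collision(m)
        print("m=%d: collision after %d trials (1.17 * 2^(m/2) = %d)"
              % (m, trials, round(approx_k(2 ** m))))
```

Each extra bit of digest length multiplies the expected work by only about 1.41, which is why a 64-bit hash is out of the question and the slide asks for at least 160 bits.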
Hash Function Examples
                   SHA-1 (or SHA-160)    MD5 (defunct)         RIPEMD-160 (unloved) ☺
Digest length      160 bits              128 bits              160 bits
Block size         512 bits              512 bits              512 bits
# of steps         80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Max message size   2^64-1 bits           ∞                     ∞

Other (stronger) variants of SHA are SHA-256 and SHA-512
See: http://en.wikipedia.org/wiki/SHA_hash_functions

MD5
Ø  Author: R. Rivest, 1992
Ø  128-bit hash based on earlier, weaker MD4 (1990)
Ø  Collision resistance (B-day attack resistance) only 64-bit
Ø  Output size not long enough today (due to various attacks)

MD5: Message Digest Version 5

[Figure: input message in, 128-bit digest out]

Overview of MD5

[Figure: overview of MD5]

MD5 Padding

Ø  Given original message M, add padding bits “100…” such that resulting length is 64 bits less than a multiple of 512 bits.
Ø  Append original length in bits to the padded message
Ø  Final message chopped into 512-bit blocks

MD5: Padding

[Figure: the input message plus padding is split into 512-bit blocks 1–4; starting from the initial value, the MD5 transformation is applied block by block; the final output is the 128-bit digest]

MD5 Blocks

[Figure: 512-bit blocks B1, B2, B3 and B4 each pass through an MD5 stage, one after another, to produce the result]

MD5 Box
[Figure: 512-bit message chunks (16 words) and the initial 128-bit vector enter the box; the 128-bit result leaves it]

F: (x ∧ y) ∨ (~x ∧ z)
G: (x ∧ z) ∨ (y ∧ ~z)
H: x ⊕ y ⊕ z
I: y ⊕ (x ∧ ~z)

x↵y: x left rotate y bits

MD5 Process
Ø As many stages as the number of 512-bit blocks
in the final padded message

Ø Digest: 4 32-bit words: MD=A|B|C|D

Ø Every message block contains 16 32-bit words:


m0|m1|m2…|m15
v Digest MD0 initialized to:
A=01234567,B=89abcdef,C=fedcba98, D=76543210
v Every stage consists of 4 passes over the message
block, each modifying MD; each pass involves
different operation
19

Processing of Block mi - 4 Passes


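[Figure: block mi and the current digest MDi (words A, B, C, D) go through four passes in sequence:
ABCD=fF(ABCD,mi,T[1..16])
ABCD=fG(ABCD,mi,T[17..32])
ABCD=fH(ABCD,mi,T[33..48])
ABCD=fI(ABCD,mi,T[49..64])
The output of the last pass is added word by word (+) to MDi to give MDi+1]

Convention: A – d0 ; B – d1 ; C – d2 ; D – d3
Ti: different constant
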
Different Passes...

Ø Different functions and constants

Ø Different set of mi-s

Ø Different sets of shifts

Functions and Random Numbers

Ø F(x,y,z) == (x∧y)∨(~x ∧ z)
Ø G(x,y,z) == (x ∧ z) ∨(y ∧~ z)
Ø H(x,y,z) == x⊕y⊕ z
Ø I(x,y,z) == y⊕(x ∧ ~z)
Ø Ti = int(232 * abs(sin(i))), 0<i<65

22

11
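
A compact MD5 that follows the padding, the four passes and the T[i] constants described on the preceding slides, added here as an example (not code from the lecture). The per-step shift amounts, the message-word order and I(x,y,z) = y ⊕ (x ∨ ~z) are taken from RFC 1321; the initial words are the slide's byte strings read as little-endian 32-bit words.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amounts from RFC 1321: four per pass, repeated four times.
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# T[i] = int(2^32 * abs(sin(i))) for i = 1..64, stored 0-based.
T = [int(2 ** 32 * abs(math.sin(i + 1))) & MASK for i in range(64)]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md5_pad(msg):
    """Append bits 100...0 up to 64 bits short of a 512-bit multiple, then the bit length."""
    zeros = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * zeros + struct.pack("<Q", (len(msg) * 8) % 2 ** 64)

def md5_compress(state, block):
    """One stage: four passes of 16 steps over a 512-bit block, then add to the old MD."""
    m = struct.unpack("<16I", block)            # m0..m15, little-endian words
    a, b, c, d = state
    for i in range(64):
        if i < 16:                              # pass 1: F
            f, g = (b & c) | (~b & d), i
        elif i < 32:                            # pass 2: G
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                            # pass 3: H
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                                   # pass 4: I, with OR as in RFC 1321
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, SHIFTS[i])) & MASK
    return tuple((old + new) & MASK for old, new in zip(state, (a, b, c, d)))

def md5(msg):
    """Hex digest of msg; the state packs to bytes 01 23 45 67 89 ab ... as on the slide."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()

if __name__ == "__main__":
    print(md5(b"abc"))
```
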
Secure Hash Algorithm (SHA)
Ø  SHA-0 was published by NIST in 1993

Ø  Revised in 1995 as SHA-1
   v  Input: Up to 2^64 bits
   v  Output: 160 bit digest
   v  80-bit collision resistance
Ø  Pad with at least 64 bits to resist padding attack
   v  1000…0 || <message length>

Ø  Processes 512-bit block
   v  Initiate 5x32bit MD registers
   v  Apply compression function
      Ø  4 rounds of 20 steps each
      Ø  each round uses different non-linear function
      Ø  registers are shifted and switched

[Figure: Digest Generation with SHA-1]

[Figure: SHA-1 of a 512-Bit Block]

General Logic

Ø Input message must be < 264 bits


v  not a realistic limitation
Ø Message processed in 512-bit blocks
sequentially
Ø Message digest (hash) is 160 bits
Ø SHA design is similar to MD5, but a lot
stronger

26

13
Basic Steps

Step 1: Padding
Step 2: Appending length as 64-bit unsigned
Step 3: Initialize MD buffer: 5 32-bit words: A|B|C|D|E
A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0

Basic Steps...

Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each
Each step t (0 <= t <= 79):
v Input:
   Ø Wt – 32-bit word from the message
   Ø Kt – constant
   Ø ABCDE: current MD
v Output:
   Ø ABCDE: new MD

Basic Steps...

Ø Only 4 per-round distinctive additive


constants:
0 <= t <= 19 Kt = 5A827999
20<=t<=39 Kt = 6ED9EBA1
40<=t<=59 Kt = 8F1BBCDC
60<=t<=79 Kt = CA62C1D6

29

Basic Steps – Zooming in

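[Figure: one step on registers A B C D E. The new A is the sum (+) of ft(B,C,D), E, CLS5(A), Wt and Kt; B passes through CLS30; the remaining registers move one position over to give the new A B C D E]
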
Basic Logic Functions

Ø Only 3 different functions

Round Function ft(B,C,D)


0 <=t<= 19 (B∧C)∨(~B ∧D)
20<=t<=39 B⊕C⊕D
40<=t<=59 (B∧C)∨(B∧D)∨(C∧D)
60<=t<=79 B⊕C⊕D

31

Twist With Wt’s

Ø Additional mixing used with input


message 512-bit block
W0|W1|…|W15 = m0|m1|m2…|m15
For 15 < t <80:
Wt = Wt-16 ⊕Wt-14 ⊕Wt-8 ⊕Wt-3

Ø XOR is a very efficient operation, but


with multilevel shifting, it produces very
extensive and random mixing!

32

16
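
The SHA-1 steps from the preceding slides (padding, the five initial words, the per-round Kt and ft, and the Wt expansion) assembled into a working digest, as an added example that is not code from the lecture. The `rot` parameter is an assumption of this example: rot=1 is the SHA-1 schedule, which rotates each expanded word left by one bit, and rot=0 is the recurrence exactly as written above, which is the unrotated SHA-0 form.

```python
import struct

MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # one Kt per round of 20 steps

def rotl(x, s):
    """Circular left shift (CLS) of a 32-bit word."""
    return ((x << s) | (x >> (32 - s))) & MASK

def f(t, b, c, d):
    """Round function ft(B,C,D): only three distinct functions over four rounds."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40 or t >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)

def expand(block, rot=1):
    """W0..W15 are the message words; W16..W79 come from the XOR recurrence."""
    w = list(struct.unpack(">16I", block))              # big-endian words
    for t in range(16, 80):
        w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], rot))
    return w

def sha1(msg, rot=1):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Steps 1 and 2: pad with 1000...0, then append the length as a 64-bit unsigned value.
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", len(msg) * 8))
    for off in range(0, len(padded), 64):
        w = expand(padded[off:off + 64], rot)
        a, b, c, d, e = h
        for t in range(80):                             # step 4: 4 rounds of 20 steps
            tmp = (rotl(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h).hex()

if __name__ == "__main__":
    print("SHA-1:", sha1(b"abc"))
    print("rot=0:", sha1(b"abc", rot=0))
```
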
SHA Versus MD5

Ø SHA is a stronger algorithm:


v A birthday attack requires on the order of
280 operations, in contrast to 264 for MD5

Ø SHA has 80 steps and yields a 160-bit


hash (vs. 128) - involves more
computation

33

Summary:
What are hash functions
good for?

34

17
Message Authentication Using a Hash Function

Use symmetric encryption such as AES or 3-DES

•  Generate H(M) of same size as E() block

•  Use EK(H(M)) as the MAC (instead of, say, DES MAC)

•  Alice sends EK(H(M)), M

•  Bob receives C, M’, decrypts C with k, hashes result: H(DK(C)) =?= H(M’)

Collision → MAC forgery!

Using Hash for Authentication

Ø Alice to Bob: random challenge rA


Ø Bob to Alice: H(KAB||rA)
Ø Bob to Alice: random challenge rB
Ø Alice to Bob: H(KAB||rB)
Ø Only need to compare H() results

36

18
Using Hash to Compute MAC: integrity
Ø Cannot just compute and append H(m)
Ø Need “Keyed Hash”:
v  Prefix:
Ø  MAC: H(KAB | m), almost works, but…
Ø  Allows concatenation with arbitrary message:
H( KAB | m | m’ )
v  Suffix:
Ø  MAC: H(m | KAB), works better, but what if m’ is
found such that H(m)=H(m’)?
v  HMAC:
Ø  H ( KAB | H (KAB | m) )
37

Hash Function MAC (HMAC)


Ø  Main Idea: Use a MAC derived from any cryptographic hash function
   v Note that hash functions do not use a key, and therefore cannot serve directly as a MAC
Ø  Motivations for HMAC:
   v Cryptographic hash functions execute faster in software than encryption algorithms such as DES
   v No need for the reversibility of encryption
   v No US government export restrictions (was important in the past)
Ø  Status: designated as mandatory for IP security
   v Also used in Transport Layer Security (TLS), which will replace SSL, and in SET

HMAC Algorithm
Ø  Compute H1 = H() of the concatenation of M and K1
Ø  To prevent an “additional block” attack, compute again H2 = H() of the concatenation of H1 and K2
Ø  K1 and K2 each use half the bits of K
Ø  Notation:
   v  K+ = K padded with 0’s
   v  ipad = 00110110 x b/8
   v  opad = 01011100 x b/8
Ø  Execution:
   v  Same as H(M), plus 2 blocks
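
HMAC written out with the notation from this slide (K+, ipad, opad, block size b) in the form RFC 2104 standardises, H((K+ ⊕ opad) | H((K+ ⊕ ipad) | M)), and checked against Python's own hmac module. This is an added example, not code from the lecture; the function names, the SHA-256 default and the sample key and message are assumptions.

```python
import hashlib
import hmac

def hmac_manual(key, msg, hash_name="sha256"):
    """HMAC per RFC 2104, built only from the unkeyed hash H()."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size        # b in bytes (64 for SHA-1 and SHA-256)
    if len(key) > b:                             # over-long keys are hashed first
        key = h(key)
    k_plus = key.ljust(b, b"\x00")               # K+ = K padded with 0's to b bytes
    k_ipad = bytes(x ^ 0x36 for x in k_plus)     # ipad = 00110110 repeated b times
    k_opad = bytes(x ^ 0x5C for x in k_plus)     # opad = 01011100 repeated b times
    inner = h(k_ipad + msg)                      # H1: one extra block before M
    return h(k_opad + inner)                     # H2: one more short hash over H1

def verify_tag(key, msg, tag, hash_name="sha256"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

# Constructed sample key and message.
KEY = b"shared-key-between-alice-and-bob"
MESSAGE = b"log_level=info;audit=on"

if __name__ == "__main__":
    tag = hmac_manual(KEY, MESSAGE)
    print("tag:", tag.hex())
    print("matches stdlib:", tag == hmac.new(KEY, MESSAGE, hashlib.sha256).digest())
    print("original accepted:", verify_tag(KEY, MESSAGE, tag))
    print("altered accepted:", verify_tag(KEY, MESSAGE + b";audit=off", tag))
```

The outer hash is what removes the “additional block” problem of H(KAB | m): the value that leaves the function is never an internal state that further message blocks could be fed into.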

Just for fun…


Using a Hash to Encrypt
Ø (Almost) One-time pad: similar to OFB
v compute bit streams using H(), K, and IV
Ø b1=H(KAB | IV) , …, bi=H(KAB | bi-1), …
Ø c1= p1 ⊕ b1 , … , ci= pi ⊕ bi , …

Ø Or, mix in the plaintext


v similar to cipher feedback mode (CFB)
Ø b1=H(KAB | IV), …, bi=H(KAB | ci-1), …
Ø c1= p1 ⊕ b1 , … , ci= pi ⊕ bi , …
