|
 


  
 

| 
Fourth Edition
by William Stallings
 |  
|
 

!

  
 
  
  
  
   
   

     
 
  
  
       
 
  
˜Æ
 
 
 

| 
 ash Functions
" condense arbitrary size message to
fixed size
" by processing message in blocks
" through some compression function
" either custom or block cipher based
 Message Authentication Code (MAC)
" fixed sized authenticator for some
message
" to provide authentication for message
" by using block cipher mode or hash
function
   
  
 SA originally designed by NIST & NSA in
1993
 was revised in 1995 as SA-1
 US standard for use with DSA signature
scheme
" standard is FIPS 180-1 1995, also Internet
RFC3174
" nb. the algorithm is SA, the standard is SS
 based on design of MD4 with key
differences
 produces 160-bit hash values
 recent 2005 results on security of SA-1
have raised concerns on its use in future
Ý
 


 NIST issued revision FIPS 180-2 in

2002
 adds 3 additional versions of SA
" SA-256, SA-384, SA-512
 designed for compatibility with
increased security provided by the
AES cipher
 structure & detail is similar to SA-
1
 hence analysis should be similar
 but security levels are rather higher
 
|    

 heart of the algorithm

 processing message in 1024-bit
blocks
 consists of 80 rounds
" updating a 512-bit buffer
" using a 64-bit value Wt derived from
the current message block
" and a round constant based on cube
root of first 80 prime numbers
Ý
  
Ý
  
j 

 now examine the Whirlpool hash

function
 endorsed by European NESSIE
project
 uses modified AES internals as
compression function
 addressing concerns on use of block
ciphers seen previously
 with performance comparable to
dedicated algorithms like SA
j  
j !| j

 designed specifically for hash

function use
 with security and efficiency of AES
 but with 512-bit block size and
hence hash
 similar structure & functions as AES
but
" input is mapped row wise
" has 10 rounds
" a different primitive polynomial for
GF(2^8)
j !| j
j " #  $ 

 Whirlpool is a very new proposal

 hence little experience with use
 but many AES findings should apply
 does seem to need more h/w than
SA, but with better resulting
performance
 w

   |
 want a MAC based on a hash function
" because hash functions are generally faster
" code for crypto hash functions widely
available
 hash includes a key along with message
 original proposal:
w
 w

  
" some weaknesses were found with this
 eventually led to development of MAC
|
 specified as Internet standard RFC2104
 uses hash function on the message:
w  w  


 w 

 
 where K+ is the key padded out to size
 and opad, ipad are specified padding
constants
 overhead is just 3 more hash calculations
than the message needs alone
 any hash function can be used
" eg. MD5, SA-1, RIPEMD-160, Whirlpool
| 
| 

 proved security of MAC relates to
that of the underlying hash
algorithm
 attacking MAC requires either:
" brute force attack on key used
" birthday attack (but since keyed would
need to observe a very large number of
messages)
 choose hash function used based on
speed verses security constraints
||

 previously saw the DAA (CBC-MAC)

 widely used in govt & industry
 but has message size limitation
 can overcome using 2 keys &
padding
 thus forming the Cipher-based
Message Authentication Code
(CMAC)
 adopted by NIST SP800-38B
|| 


 have considered:
" some current hash algorithms
 SA-512 & Whirlpool
" MAC authentication using hash
function
" CMAC authentication using a block
cipher