Post on 02-Jan-2016
2
Hash
• Also known as– Message digest– One-way function
• Function: input message -> output• One-way: d=h(m), but not h’(d) = m
– Computationally infeasible find the message given the digest
• Cannot find m1 and m2, where d1 = d2
• Randomness:– Any bit in the output ‘1’ half the time– Each output: 50% ‘1’ bits
Message ofarbitrary length
Hash h A fixed-lengthshort message
3
Birthday Paradox
• What is the minimum value of n such that the probability is greater than 0.5 that at least two people in a group of n people have the same birthday?– Ignore Feb. 29 and assume each birthday is equally likely
• Probability of n people having n different birthdays:
• Probability that at least two people have the same birthdays: – 1 -
• n is about 23
4
Generalization of Birthday Problem
• Compute probability of different birthdays• Random samples of n people (birthdays) taken from d
(365) days• What is the minimum value of n such that the probability is
greater than 0.5 that there is at least one duplicate?
– P(n, d) = 1 –
• For large n and d, we have– n = 1.2 * d1/2
• Implication
– We expect to obtain the same output after about 1.2 * d1/2 trials
http://www.rsasecurity.com/rsalabs/node.asp?id=2205
5
How many bits for hash?
• m bits, takes 2m/2 to find two with the same hash
• 64 bits, takes 232 messages to search (doable)
• Need at least 128 bits
• Example use– Fingerprint a program/document: attackers cannot
find a different program with the same message digest
6
Hash used for Authentication
• Alice and Bob share a secret KAB
Alice Bob
MD(KAB|rA)
rA
rB
MD(KAB|rB)
7
Computing a MAC with a HASH
• Cannot just compute MD(m)– Anyone can compute MD(m)
• MAC: MD(KAB|m)– Allows concatenation with additional message: MD(KAB|m|m’)
• MD through chunk n depends on MD through chunks n-1 and the data in chunk n• 512-bit blocks, append (message length, pad)
• How to solve?– Put secret at the end of message:
• MD(m| KAB)
– Use only half the bits of the message digest as the MAC– Concatenate the secret to both the front and the back of the message
8
Encryption with a Message Digest• One-time pad:
– compute bit streams using MD, K, and IV• b1=MD(KAB|IV), bi=MD(KAB|bi-1), …
with message blocks
• Mixing in the plaintext– similar to cipher feedback mode (CFB)
• b1=MD(KAB|IV), c1= p1 b1
• b2=MD(KAB| c1), c2= p2 b2
• ….
9
Modern Hash Functions
• MD5– Previous versions (MD2, MD4) have weaknesses
• SHA-1– Secure Hash Algorithms
10
MD2
• 128-bit message digest– Arbitrary number of octets– Message is padded to be a multiple of 16 octets– Append MD2 checksum (16 octets) (a strange
function of the padded message) to the end – Process the whole message 16 octets at a time
• Each intermediate value depends on– Previous intermediate value
– The value of the 16 octets of the message being processed
14
MD2 Checksum
• One byte at a time, k 16 steps
• mnk: byte nk of message
• cn=(mnk cn-1) cn
: 0 41, 1 46, …– Substitution on 0-255 (value of the byte)
16
MD2 Final Pass
• Operate on 16-byte chunks
• 48-byte quantity q: – (current digest|chunk|digestchunk)
• 18 passes of massaging over q, and one byte at a time:– cn=(cn-1) cn for n = 0, … 47; c-1 = 0 for pass 0; c-
1 = (c47 + pass #) mod 256
• After pass 17, use first 16 bytes as new digest– 16 8 = 128
19
MD5 Process• As many stages as the number of 512-bit blocks in the
final padded message
• Digest: 4 32-bit words: MD=d0|d1|d2|d3
• Every message block contains 16 32-bit words: m0|m1|m2…|m15
– Digest MD0 initialized to: d0=67452301,d1=efcdab89,d2=98badcfe, d3=10325476
– Every stage consists of 4 passes over the message block, each modifying MD
• operations
25
SHA-1
• Developed by NIST• SHA is specified as the hash algorithm in the Digital
Signature Standard (DSS), NIST• Take a message of length at most 264 bits and
produces a 160-bit output.• SHA design is similar to MD5, but a lot stronger• Make five passes over each block of data
26
SHA-1 cont’d
• Step 1: Message Padding – same as MD5
• Step 2: Initialize MD buffer 5 32-bit wordsA|B|C|D|E
A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0
27
SHA-1 operation on a 512-bit Block• Step 3: the 80-step processing of 512-bit blocks – 4 rounds, 20 steps each.
Each step t (0 <= t <= 79):– Input:
• Wt – a 32-bit word from the message• Kt – a constant.• ABCDE: current MD.
– Output:• ABCDE: new MD
• Only 4 per-round distinctive additive constants0 <=t<= 19 Kt = 5A82799920<=t<=39 Kt = 6ED9EBA140<=t<=59 Kt = 8F1BBCDC60<=t<=79 Kt = CA62C1D6
• Only 3 different functionsRound Function ft(B,C,D)0 <=t<= 19 (BC)(~B D)20<=t<=39 BCD40<=t<=59 (BC)(BD)(CD)60<=t<=79 BCD