Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 18: One-Way Hash Functions Based on Schneier.

Published byMarianna Wilkinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 18: One-Way Hash Functions Based on Schneier."— Presentation transcript:

1 Chapter 18: One-Way Hash Functions Based on Schneier

2 Background M, message of arbitrary size Hash function H(M) returns a value h of m bits: h = H(M) Characteristics of H(M) –Easy to compute h –Hard to compute M given h –Hard to find another message, M’ such that H(M) = H(M’) Birthday attack –Find any two messages M and M’ such that H(M) = H(M’) To survive a birthday attack, most one-way hash functions produce 128-bit or larger hashes

3 Overview of One-way Hash Functions Built-on idea of compression function Divide a message into blocks Hash of block M i is h i = f(M i, h i-1 ) Hash of the last block is the hash of the entire message

4 MD5 Message digest version 5, an extension of MD4 Produces 128-bit hash Conjectured that it is computationally infeasible to produce two messages having the same message digest Intended for digital signature applications

5 Terminology and Notation "word“ –A 32-bit quantity, a group of four bytes with the low- order (least significant) byte given first “+” –Denotes addition of words, mod 2 32 X << s –Circular shifting (rotating) bits of X by s positions

6 MD5 Algorithm Description Message of b bits as m 0, m 1,... m b-1 Step 1. Append Padding Bits –A single “1” bit appended and then “0” bits are appended so that the length in bits of the padded message becomes congruent to 448 mod 512 –Padding is always performed, even if the length is already congruent to 448 mod 512 –In all at least one bit and at most 512 bits are appended

7 MD5 Algorithm Description (cont’d) Step 2. Append Length –Append a 64-bit representation of b to the padded message of the previous step –Resulting message has length, exactly multiple of 512 bits (16 words) –Let M[0... N-1] denote the words, where N is a multiple of 16 Step 3. Initialize MD Buffer –Initialize a four-word buffer (A, B, C, D) with low-order bytes first in each word A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10

8 MD5 Algorithm Description (cont’d) Step 4. Process Message in 16-Word Blocks –Define four auxiliary functions as: F(X,Y,Z) = (X and Y) or (not(X) and Z) G(X,Y,Z) = (X and Z) or (Y and (not (Z)) H(X,Y,Z) = X xor Y xor Z I(X, Y, Z) = Y xor (X or (Not (Z)) where X, Y, and Z are 32-bit words –Use a 64-bit element table T[1... 64] constructed from the sine function. Let T[i] = integer part of 4294967296 * abs(sin(i)) where i is in radians

9 MD5 Algorithm Description (cont’d) –Do the following /* Process each 16-word block. */ For i = 0 to N/16-1 do /* Copy block i into X. */ For j = 0 to 15 do Set X[ j] to M[i*16+j]. end /* of loop on j */ /* Save A as AA, B as BB, C as CC, and D as DD. */ AA = A BB = B CC = C DD = D

10 MD5 Algorithm Description (cont’d) /* Round 1. */ /* Let [abcd k s i] denote the operation a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16] /* Round 2. */ /* Let [abcd k s i] denote the operation a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20] [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24] [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28] [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32]

11 MD5 Algorithm Description (cont’d) /* Round 3. */ /* Let [abcd k s t] denote the operation a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36] [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40] [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44] [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48] /* Round 4. */ /* Let [abcd k s t] denote the operation a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52] [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56] [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60] [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64]

12 MD5 Algorithm Description (cont’d) /* Then perform the following additions. (That is increment each of the four registers by the value it had before this block was started.) */ A = A + AA B = B + BB C = C + CC D = D + DD end /* of loop on i */ Step 5. Output –Output is (A, B, C, D) beginning with the lower-byte of A and end with the high-order byte of D

13 Security of MD5 Check these sites: http://www.schneier.com/blog/archives/20 05/06/more_md5_collis.htmlhttp://www.schneier.com/blog/archives/20 05/06/more_md5_collis.html http://www.schneier.com/blog/archives/20 05/06/more_md5_collis.htmlhttp://www.schneier.com/blog/archives/20 05/06/more_md5_collis.html http://userpages.umbc.edu/~mabzug1/cs/ md5/md5.htmlhttp://userpages.umbc.edu/~mabzug1/cs/ md5/md5.html

14 Secure Hash Algorithm (SHA-1) Message length < 2 64 bits Produces a 160-bit message digest NIST and NSA involved in designing the algorithm Computationally infeasible –to find a message which corresponds to a given message digest, or –to find two different messages which produce the same message digest

15 SHA-1 RFC Convention OPERATIONS ON WORDS Bitwise logical word operations X ^ Y = bitwise logical "and" of X and Y X \/ Y = bitwise logical "inclusive-or" of X and Y X XOR Y = bitwise logical "exclusive-or" of X and Y ~ X = bitwise logical "complement" of X. The operation X + Y is defined as follows: –words X and Y represent integers x and y, where 0 <= x < 2 32 and 0 <= y < 2 32 –For positive integers n and m, let n mod m be the remainder upon dividing n by m –Compute z = (x + y) mod 2 32. Then 0 <= z < 2 32. Convert z to a word, Z, and define Z = X + Y.

16 SHA-1 RFC Convention (cont’d) OPERATIONS ON WORDS Circular left shift operation S n (X), where X is a word and n is an integer with 0 <= n <= 32, is defined by S n (X) = (X > 32-n). In the above, X > n is obtained by discarding the right-most n bits of X and then padding the result with n zeroes on the left. Thus S n (X) is equivalent to a circular shift of X by n positions to the left.

17 SHA-1 Description Message Padding –make the total length of a padded message a multiple of 512 –Padding process is exactly same as in MD5 –The padded message will contain 16 * n words for some n > 0 –The padded message is regarded as a sequence of n blocks M1, M2,..., Mn, where each Mi contains 16 words and M1 contains the first characters (or bits) of the message

18 SHA-1 Description (cont’d) Functions Used –A sequence of logical functions f 0, f 1,..., f 79 is used –With B, C, D 32-bit inputs, f t (B,C,D) is defined as: f t (B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19) f t (B,C,D) = B XOR C XOR D (20 <= t <= 39) f t (B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <= 59) f t (B,C,D) = B XOR C XOR D (60 <= t <= 79).

19 SHA-1 Description (cont’d) Constants Used –A sequence of constant words K(0), K(1),..., K(79) –In hex these are given by K(t) = 5A827999 ( 0 <= t <= 19) K(t) = 6ED9EBA1 (20 <= t <= 39) K(t) = 8F1BBCDC (40 <= t <= 59) K(t) = CA62C1D6 (60 <= t <= 79)

20 SHA-1 Description (cont’d) Computing –Computed using the final padded message –Uses two buffers, each consisting of five 32-bit words, and a sequence of eighty 32-bit words –The words of the first 5-word buffer are labeled A,B,C,D,E –The words of the second 5-word buffer are labeled H0, H1, H2, H3, H4. –The words of the 80-word sequence are labeled W0, W1,..., W79 –A single word buffer TEMP is also employed. –To generate the message digest, the 16-word blocks M1, M2,..., Mn are processed in order –The processing of each Mi involves 80 steps

21 SHA-1 Description (cont’d) Before processing any blocks, the {Hi} are initialized as follows: in hex, H0 = 67452301 H1 = EFCDAB89 H2 = 98BADCFE H3 = 10325476 H4 = C3D2E1F0

22 SHA-1 Description (cont’d) Now M1, M2,..., Mn are processed. To process Mi, we proceed as follows: –Divide Mi into 16 words W 0, W 1,..., W 15, where W 0 is the left- most word. –For t = 16 to 79 let W t = S 1 (W t-3 XOR W t-8 XOR W t- 14 XOR W t-16 ). –Let A = H 0, B = H 1, C = H 2, D = H 3, E = H 4. –For t = 0 to 79 do TEMP = S 5 (A) + f t (B,C,D) + E + W t + K t ; E = D; D = C; C = S 30 (B); B = A; A = TEMP; –Let H 0 = H 0 + A, H 1 = H 1 + B, H 2 = H 2 + C, H 3 = H 3 + D, H 4 = H 4 + E.

23 SHA-1 Description (cont’d) After processing Mn, the message digest is the 160-bit string represented by the 5 words –H0 H1 H2 H3 H4.

24 Security of SHA-1 Check these sites –http://www.schneier.com/blog/archives/2005/0 2/sha1_broken.htmlhttp://www.schneier.com/blog/archives/2005/0 2/sha1_broken.html –http://www.schneier.com/blog/archives/2009/0 6/ever_better_cry.htmlhttp://www.schneier.com/blog/archives/2009/0 6/ever_better_cry.html –New hash algorithm: SHA2 published by NIST

Download ppt "Chapter 18: One-Way Hash Functions Based on Schneier."

Similar presentations

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Introduction to Practical Cryptography

Introduction to Practical Cryptography
SECURE HASHING ALGORITHM By: Ruth Betcher. Purpose: Authentication Not Encryption Authentication Requirements:  Masquerade – Insertion of message from.

SECURE HASHING ALGORITHM By: Ruth Betcher. Purpose: Authentication Not Encryption Authentication Requirements:  Masquerade – Insertion of message from.
By: Matthew Ng. AND, XOR, OR, Complement, Circular Left shift, and Addition Modulo Circular Left Shift is done with s positions (0 ≤ s ≤ 31) – Denoted.

By: Matthew Ng. AND, XOR, OR, Complement, Circular Left shift, and Addition Modulo Circular Left Shift is done with s positions (0 ≤ s ≤ 31) – Denoted.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Outline Project 1 Hash functions and its application on security Modern cryptographic hash functions and message digest –MD5 –SHA.

Outline Project 1 Hash functions and its application on security Modern cryptographic hash functions and message digest –MD5 –SHA.
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.

MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
SMUCSE 5349/49 Message Authentication MAC and Hash.

SMUCSE 5349/49 Message Authentication MAC and Hash.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash and MAC Algorithms

Hash and MAC Algorithms
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.

MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.

Similar presentations

Ads by Google