Hash and MAC Algorithms


Hash and MAC Algorithms
- MD5 in detail
- Overview of SHA and RIPEMD-160
- HMAC

Introduction
- A general structure is used in practically all cryptanalytically strong hash functions (fig. 8.10).
- It is analogous to the Feistel cipher as a general structure of block ciphers.
- It is safe to base new, improved algorithms on a known, proven structure.

MD5 Algorithm
- Developed by Ron Rivest in 1992, based on MD4 (Ron Rivest, 1990), to increase the level of security.
- Has been the most widely used and is still in wide use.
- The algorithm takes as input a message of arbitrary length and produces a 128-bit message digest.
- The input is processed in 512-bit blocks.
- Some concerns about the safety of MD5:
  - Brute-force attack: with a 128-bit message digest the birthday attack needs an effort of $2^{64}$, which cannot be considered safe.
  - Cryptanalytic attacks exist that break MD5 partly. Current attacks come so close to breaking MD5 that, from a cryptanalytic point of view, it must be considered vulnerable.

MD5 Algorithm
- Step 1: Append padding bits
  - The message is padded so that its length in bits is 448 mod 512.
- Step 2: Append length
  - A 64-bit representation of the length of the original message (before padding in step 1) is appended to the message, thus yielding a message that is an integer multiple of 512 bits in length.
  - The message is represented as 512-bit blocks $Y_0, Y_1, \ldots, Y_{L-1}$, the length of the message being L blocks.
  - The length of the message is an integer multiple of 16 32-bit words. Thus N = 16 * L.
- Step 3: Initialize MD buffer
  - A 128-bit buffer is used to hold the intermediate and final value of the message digest.
  - This MD buffer is represented as four 32-bit registers (A,B,C,D), which are initialized with A=67452301, B=EFCDAB89, C=98BADCFE and D=10325476 in hexadecimal values.

MD5 Algorithm
- Step 4: Process message in 512-bit blocks
  - The core of the algorithm is a compression function consisting of four "rounds" of processing. The module is labeled $H_{MD5}$ in fig. 9.1 and its inner logic is shown in fig. 9.2.
  - The four rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H and I.
  - The input of each round is the 512-bit block being processed, $Y_q$, and the four register values (A,B,C,D) of the MD buffer.
  - Each round also uses one-fourth of a table T[1...64] containing a randomized set of 32-bit patterns. The goal of this table is to eliminate any regularities in the input data.
  - As a result, each round updates the four register values (A,B,C,D) of the MD buffer. The register values are the output of the round.
  - The output of the fourth round is added to the input of the first round, $CV_q$, to produce $CV_{q+1}$. The addition is done independently for each of the four 32-bit words in the buffer, modulo $2^{32}$.

MD5 Algorithm
- Step 5: Output
  - After all the L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.
- To summarise:

$CV_0 = IV$
$CV_{q+1} = SUM_{32}(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])$
$MD = CV_L$

where
- IV = initial value of the ABCD buffer
- $Y_q$ = the qth 512-bit block of the message
- L = the number of blocks
- $CV_q$ = chaining variable processed with the qth block of the message
- $RF_X$ = round function using primitive logical function X
- MD = final message digest value
- $SUM_{32}$ = addition modulo $2^{32}$ performed separately on each pair of words of the two inputs

MD5 Algorithm – compression function
- Each round consists of a sequence of 16 steps operating on the register buffer (A,B,C,D).
- Each step has the form:

$a \leftarrow b + ((a + g(b,c,d) + X[k] + T[i]) \lll s)$

where
- a, b, c, d = the four words of the buffer, in a specified order that varies from step to step
- g = one of the primitive functions F, G, H, I
- $\lll s$ = circular left shift (rotation) of the 32-bit argument by s bits
- $X[k] = M[q \times 16 \oplus k]$ = the kth 32-bit word in the qth 512-bit block of the message
- T[i] = the ith 32-bit word in matrix T
- + = addition modulo $2^{32}$

The step operation is illustrated in fig. 9.3. The order in which the four words (a,b,c,d) are used produces a word-level circular right shift of one word for each step.

MD5 Algorithm – primitive functions
- Each primitive function performs a set of bitwise logical operations, i.e. the nth bit of the output is a function of the three other nth bits in the input words.
- The primitive functions are as follows:

| Round | Primitive function g | g(b,c,d) |
|-------|----------------------|----------|
| 1 | F(b,c,d) | $(b \land c) \lor (\lnot b \land d)$ |
| 2 | G(b,c,d) | $(b \land d) \lor (c \land \lnot d)$ |
| 3 | H(b,c,d) | $b \oplus c \oplus d$ |
| 4 | I(b,c,d) | $c \oplus (b \lor \lnot d)$ |

- One 512-bit block consists of 16 32-bit words. Each word of a block is used exactly once in a round, during one step. The order in which these words are used varies from round to round.
- Also, four different circular left shift (CLS) amounts are used within each round.
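Steps 1 to 5 and the compression function described above, written out as runnable Python. This is an added example, not part of the original slides. The per-step shift amounts, the word order within each round, the formula T[i] = floor(2^32 · |sin i|) and the little-endian byte order are not given on the slides and are taken from RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Shift amounts per step and the T table, as specified in RFC 1321 (not on the slides).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

def rotl(x, s):
    """Circular left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(message):
    """Steps 1 and 2: pad to 448 mod 512 bits, then append the 64-bit length."""
    zeros = (55 - len(message)) % 64           # after the mandatory 0x80 byte
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF
    return message + b"\x80" + b"\x00" * zeros + struct.pack("<Q", bit_len)

def compress(cv, block):
    """Step 4: four rounds of 16 steps over one 512-bit block Y_q."""
    x = struct.unpack("<16I", block)           # X[0..15], little-endian words
    a, b, c, d = cv
    for i in range(64):
        if i < 16:
            g, k = (b & c) | (~b & d), i                   # round 1: F
        elif i < 32:
            g, k = (b & d) | (c & ~d), (5 * i + 1) % 16    # round 2: G
        elif i < 48:
            g, k = b ^ c ^ d, (3 * i + 5) % 16             # round 3: H
        else:
            g, k = c ^ (b | ~d), (7 * i) % 16              # round 4: I
        new_b = (b + rotl((a + g + x[k] + T[i]) & MASK, S[i])) & MASK
        a, b, c, d = d, new_b, b, c            # word-level rotation of the buffer
    # CV_{q+1} = SUM_32(CV_q, output of round 4)
    return [(v + w) & MASK for v, w in zip(cv, (a, b, c, d))]

def md5(message):
    """Return the 128-bit digest of `message` (bytes) as a hex string."""
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]   # step 3: IV
    data = pad(message)
    for q in range(0, len(data), 64):
        cv = compress(cv, data[q:q + 64])
    return struct.pack("<4I", *cv).hex()                    # step 5: MD = CV_L
```
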

SHA-1
- Developed by NIST and published as a FIPS standard in 1993.
- A revised version, SHA-1, was published as a FIPS standard in 1995.
- The design closely models MD4.
- Produces a 160-bit message digest to resist brute-force attacks; thus the MD buffer contains 5 words.
- The complexity of the algorithm is greater than in MD4.
- The algorithm has four rounds, each consisting of 20 steps.
- The basic structure is illustrated in fig. 9.5 and 9.6.
- $W_t$ is a word derived from the 512-bit block in a complex manner that varies from step to step across rounds.
- $K_t$ is an additive constant varying across rounds.

Comparison of SHA-1 and MD5
- The comparison is according to the design goals of MD5.
- Security against brute-force attacks
  - The 32-bit longer MD is the main advantage of SHA-1. The difficulty of producing two messages with the same MD is $2^{64}$ in MD5 and $2^{80}$ in SHA-1, thus SHA-1 is considerably stronger.
- Security against cryptanalysis
  - MD5 is somewhat vulnerable whereas SHA-1 is generally believed to be resistant to cryptanalysis. However, the design criteria of SHA-1 are not public, so the security is difficult to judge.
- Speed
  - Both algorithms execute fast on a 32-bit architecture. SHA-1 has more steps and a longer buffer, so it will execute more slowly.
- Simplicity and compactness
  - Both algorithms are simple to describe and implement and do not require large program code or substitution tables.

RIPEMD-160
- Developed by the European project RIPE in 1996.
- Right after the release the developers found attacks on two rounds of RIPEMD, and also on MD4 and MD5.
- In 1997 the algorithm was upgraded to RIPEMD-160.
- The design follows MD5.
- The MD is 160 bits, the input block is 512 bits.
- There are two parallel lines of rounds, each consisting of five rounds.
- There are two MD buffers, one for each round.
- Each round has 16 steps.
- The design is illustrated in Fig. 9.8 and 9.9.

Comparison of RIPEMD-160, SHA-1 and MD5
- The comparison is according to the design goals of MD5.
- Security against brute-force attacks
  - The 32-bit longer MD is the main advantage of SHA-1 and RIPEMD-160. The difficulty of producing two messages with the same MD (birthday attack) is $2^{64}$ in MD5 and $2^{80}$ in SHA-1 and RIPEMD-160, making them considerably stronger.
- Security against cryptanalysis
  - MD5 is somewhat vulnerable whereas SHA-1 is generally believed to be resistant to cryptanalysis. However, the design criteria of SHA-1 are not public, so the security is difficult to judge.
  - Resistance to cryptanalysis has been one of the main design objectives. The use of two parallel lines of rounds should make cryptanalysis more difficult compared to SHA-1.
- Speed
  - All algorithms execute fast on a 32-bit architecture. SHA-1 and RIPEMD-160 have more steps and a longer buffer, leading to slowdown in execution.
- Simplicity and compactness
  - All algorithms are simple to describe and implement and do not require large program code or substitution tables.
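The birthday-attack figures on the two comparison slides above ($2^{64}$ for a 128-bit digest, $2^{80}$ for a 160-bit digest) are instances of the general rule that an n-bit digest yields a collision after roughly $2^{n/2}$ trials. This added example, which is not from the original slides, measures that rule on SHA-1 truncated to 16, 20 and 24 bits; the truncation and the counter-style messages are constructed for the demonstration.

```python
import hashlib

def truncated_digest(message, bits):
    """First `bits` bits of SHA-1(message) as an integer: a stand-in n-bit hash."""
    full = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return full >> (160 - bits)

def find_collision(bits):
    """Hash distinct counter messages until two share a digest.

    Returns (first_message, second_message, number_of_messages_hashed).
    """
    seen = {}                      # digest -> message that produced it
    attempts = 0
    while True:
        msg = b"msg-%d" % attempts  # constructed, pairwise distinct inputs
        attempts += 1
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, attempts
        seen[digest] = msg

def collision_table(sizes=(16, 20, 24)):
    """For each digest size n: (n, measured attempts, 2^(n/2) estimate)."""
    return [(n, find_collision(n)[2], 2 ** (n // 2)) for n in sizes]

if __name__ == "__main__":
    for n, measured, estimate in collision_table():
        print(f"n={n:2d} bits  measured={measured:6d}  2^(n/2)={estimate}")
```

Each extra digest bit adds only half a bit of collision work, which is why the 32 extra bits of a 160-bit digest raise the effort from $2^{64}$ to $2^{80}$ rather than by a factor of $2^{32}$.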

HMAC
- HMAC is a MAC derived from a cryptographically safe hash function.
  - Hash functions (MD5, SHA-1) execute faster in software than symmetric block ciphers.
  - Library code for cryptographic hash functions is widely available.
  - There are export restrictions from the USA for some block ciphers, but none for hash functions.
- HMAC is the "mandatory-to-implement" MAC for IP Security.
- HMAC is used widely, e.g. in SSL.
- Basically, HMAC is a way to incorporate a secret key into an existing hash function.

HMAC – Design objectives
- To use, without modification, existing hash functions.
- To allow easy replaceability of the embedded hash function in case faster or more secure functions are found or required.
- To preserve the original performance of the hash function in terms of security and speed.
- To use and handle keys in a simple way.
- To have a well-understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.

HMAC – Algorithm
- Illustrated in Fig. 9.10.
- Explanation:
  - H = embedded hash function
  - M = message input to HMAC
  - $Y_i$ = ith block of M
  - L = number of blocks in M
  - b = number of bits in a block
  - n = length of hash code produced by H
  - K = secret key
  - $K^+$ = K padded with zeroes so that the result is b bits in length
  - ipad = 00110110 repeated b/8 times
  - opad = 01011010 repeated b/8 times

$HMAC_K = H[(K^+ \oplus opad) \,\|\, H[(K^+ \oplus ipad) \,\|\, M]]$
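The HMAC formula above as runnable Python, parameterised over the embedded hash so that swapping MD5 for SHA-1 is a one-argument change (the replaceability design objective). This is an added example, not part of the original slides. It uses the pad bytes defined in RFC 2104 (ipad = 0x36, opad = 0x5C), appends the zero padding to the key, and hashes keys longer than one block first, also per RFC 2104; the key, message and function names are constructed for the example.

```python
import hashlib
import hmac

def hmac_from_formula(hash_name, key, message):
    """HMAC_K(M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]] for a hashlib hash."""
    block_bytes = hashlib.new(hash_name).block_size   # b/8: 64 for MD5 and SHA-1
    if len(key) > block_bytes:
        # RFC 2104: a key longer than one block is replaced by its hash.
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_bytes, b"\x00")           # K+: zero-padded to b bits
    inner_key = bytes(byte ^ 0x36 for byte in k_plus)  # K+ xor ipad
    outer_key = bytes(byte ^ 0x5C for byte in k_plus)  # K+ xor opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def verify_tag(hash_name, key, message, tag):
    """Recompute the MAC and compare in constant time to avoid a timing leak."""
    expected = hmac_from_formula(hash_name, key, message)
    return hmac.compare_digest(expected, tag)

# Constructed sample values.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MSG = b"transfer 100 to account 42"

def demo():
    """Tag a message with two embedded hashes, then check a tampered copy fails."""
    results = {}
    for name in ("md5", "sha1"):
        tag = hmac_from_formula(name, SAMPLE_KEY, SAMPLE_MSG)
        results[name] = (
            tag == hmac.new(SAMPLE_KEY, SAMPLE_MSG, name).digest(),  # matches stdlib
            verify_tag(name, SAMPLE_KEY, SAMPLE_MSG, tag),           # genuine message
            verify_tag(name, SAMPLE_KEY, SAMPLE_MSG + b"0", tag),    # altered message
        )
    return results

if __name__ == "__main__":
    print(demo())
```
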

HMAC – Security
- The exact relationship between the strength of the HMAC and the strength of the embedded hash function has been proved.
- The security is at least as strong as the underlying hash function.
- HMAC is more resistant to birthday attack.
- The use of MD5 is also safe, if speed is important.