Hash and MAC Algorithms

1
Hash and MAC Algorithms

• MD5 in detail
• Overview of SHA and RIPEMD-160
• HMAC

2
Introduction

• There is a general structure used practically in
  all cryptanalytically srtong hash-function fig.
  8.10
• analogous to the Feistel cipher as a general
  structure of block-ciphers
• it is safe to base new improved algorithms on a
  known proven structure

3
MD5 Algorithm

• Developed by Ron Riverst in 1992
• based on MD4 by Ron Riverst 1990 to increase the
  level of security
• Has been the most widely used and is still in
  wide use
• The algorithm takes as input a message of
  arbitrary length and produces a 128-bit message
  digest
• The input is processed in 512-bit blocks
• Some concerns about the safety of MD5
• brute-force attack with a 128-bit message digest
  the birthday attack needs an effort of 264, which
  can not be considered safe.
• cryptanalytic attacks exist that break MD5
  partly. The succes of current attacs is too close
  to breaking MD5, that from a cryptanalytic point
  of view it must be considered vulnerable.

4
MD5 Algorithm

• Step 1 Append padding bits
• the message is padded so that its length in bits
  is 448 mod 512
• Step 2 Append length
• A 64-bit representation of the length of the
  original message (before padding in step 1) is
  appended to the message, thus yielding a message
  that is an integer multiple of 512 bits in
  length.
• The message is represented as 512-bit blocks Y0,
  Y1, ,YL-1 the length of the message being L
  blocks.
• The length of the message is an integer multiple
  of 16 32-bit words. Thus N16L.
• Step 3 Initialize MD buffer
• a 128-bit buffer is used to hold the intermediate
  and final value of the message digest.
• this MD buffer is represented as four 32-bit
  registers (A,B,C,D), wich are initialized with
  A67452301, BEFCDAB89, C98BADCFE and D10325476
  in hexadecimal values.

5
(No Transcript)
6
MD5 Algorithm

• Step 4 Process message in 512-bit blocks
• The core of the algorithm is a compression
  function consisting of four rounds of
  processing. The module is labeled HMD5 in fig.
  9.1. and its inner logic is shown in fig. 9.2.
• The four rounds have a similar structure, but
  each uses a different primitive logical function,
  referred as F, G, H and I.
• The input of each round is the 512-bit block
  being processed Yq and the four register values
  (A,B,C,D) of the MD buffer.
• Also each round uses one-fourth of a table
  T1...64 containing a randomized set 32-bit
  patterns. The goal of this table is to eliminate
  any regularities in the input data.
• As a result each round updates the four register
  values (A,B,C,D) of the MD buffer. The register
  values is the output of the round.
• The output of the fourth round is added to the
  input of the first round CVq to produce CVq1.
  The addition is done independently for each of
  the four 32-bit words in the buffer in modulo
  232.

7
MD5 Algorithm

• Step 5 Output
• After all the L 512-bit blocks have been
  processed, the output from the Lth stage is the
  128-bit message digest.
• to summarise
• CV0 IV
• CVq1 SUM32(CVq, RFIYq, RFHYq, RFGYq,
  RFFYq, CVq )
• MD CVL.
• where
• IV initial value of the ABCD buffer
• Yq the qth 512-block of the message.
• L the number of blocks
• CVq chaining variable processed with the the
  qth block of the message
• RFX round function using primitive logical
  function X
• MD final message digest value
• SUM32 Addition module 232 performed separatedly
  on each pair of words of the two inputs.

8
(No Transcript)
9
MD5 Algorithm compression function

• Each round consists of a sequence of 16 steps
  operating on the register buffer (A,B,C,D)
• Each step is has the form
• a ? b (( a g(b,c,d) Xk Ti ) ltltlt s )
• where
• a,b,c,d the four words of the buffer, in a
  specified order that varies from step to step
• g one of the primitive functions F, G, H, I
• ltltlt s circular left shift (rotation) of the
  32-bit argument by s bits.
• Xk Mq ? 16 ? k the kth 32-bit word in
  the qth 512-bit block of the message
• Ti the ith 32-bit word in matrix T
• addition modulo 232.
• The step operation is illustrated in fig 9.3.
• the order in which the four words (a,b,c,d) are
  used produces a word-level circular right shift
  of one word for each step.

10
MD5 Algorithm primitive functions

• Each primive function performs a set of bitwise
  logical operations, i.e. the nth bit of the
  output is a function of the three other nth bits
  in the input words.
• The primitive functions are as follows
• One 512-bit block consists of 16 32-bit words.
  Each word of a block is used exactly once in a
  round, during one step. The order in which these
  words are used varies from round to round.
• Also four different circular left shift (CLS)
  amounts are used within each round.

Round Primitive function g g(b,c,d)
1 F(b,c,d) (b ? c) ? (?b ? d)
2 G(b,c,d) (b ? d) ? (c ? ?d)
3 H(b,c,d) b ? c ? d
4 I(b,c,d) c ? (b ? ?d)
11
SHA-1

• Developed by NIST and published as a
  FIPS-standard in 1993
• A revised version, SHA-1, was published as a
  FIPS-standard in 1995
• The design closely models MD4
• Produces a 160-bit message digest to resist
  brute-force attacks
• thus MD-buffer contains 5 words.
• The complexity of the algorithm is greater than
  in MD4
• The algorithm has four rounds each consisting of
  20 steps
• The basic structure is illustrated in fig. 9.5
  and 9.6.
• Wt is a word derived from the 512-bit block in a
  complex manner that varies from step to step
  across rounds.
• Kt is a additive constant varying across rounds.

12
(No Transcript)
13
Comparision of SHA-1 and MD5

• The comparision is according to the design goals
  of MD5
• Security against brute force attacks
• 32-bits longer MD is the main advantage of SHA-1.
  The difficulty of producing two messages with the
  same MD is 264 in MD5 and 280 in SHA-1, thus
  SHA-1 is considerable stronger.
• Security against cryptanalysis
• MD5 is somewhat vulnerable whereas SHA-1 is
  generally believed to be resistant to
  cryptanalysis. However the design criteria of
  SHA-1 are not public, so the security is
  difficult to judge.
• Speed
• Both algorithms execute fast on a 32-bit
  architecture. SHA-1 has more steps and a longer
  buffer, so it will execute slowlier.
• Simplcity and compactness
• Both algorithms are simle to describe and
  implement and do not require large program-code
  or substitution tables

14
RIPEMD-160

• Developed by the European project RIPE in 1996
• Right after the release the developers found
  attacks on two round of RIPEMD, and also on MD4
  and MD5.
• 1997 the algorithm was upgraded to RIPEMD-160
• The desing follows MD5
• The MD is 160-bits, th e input block is 512-bits
• There are two parallel lines of round, each
  consisting of five rounds
• there are two MD buffers, one for each round
• Each round has 16 steps
• The design is illustrated in Fig. 9.8 and 9.9

15
(No Transcript)
16
Comparision of RIPEMF-160, SHA-1 and MD5

• The comparision is according to the design goals
  of MD5
• Security against brute force attacks
• 32-bits longer MD is the main advantage of SHA-1
  and RIPEMD-160. The difficulty of producing two
  messages with the same MD (birthday attack) is
  264 in MD5 and 280 in SHA-1 and RIPE-MD160 making
  them considerable stronger.
• Security against cryptanalysis
• MD5 is somewhat vulnerable whereas SHA-1 is
  generally believed to be resistant to
  cryptanalysis. However the design criteria of
  SHA-1 are not public, so the security is
  difficult to judge. Resistance to cryptanalysis
  has been one of the main design objectives. The
  use of two parallel lines of round should make
  cryptanalysis more difficult compared to SHA-1.
• Speed
• All algorithms execute fast on a 32-bit
  architecture. SHA-1 and RIPEMD-160 have more
  steps and a longer buffer leading to slowdown in
  execution.
• Simplcity and compactness
• All algorithms are simle to describe and
  implement and do not require large program-code
  or substitution tables.

17
Comparision of RIPEMF-160, SHA-1 and MD5
18
HMAC

• HMAC is a MAC derived from a cryptographically
  safe hash-function
• hash fuctions (MD5, SHA-1) execute faster in
  software than symmetric block ciphers
• library code for cryptographic hash functions is
  widely available
• there are export restrictions from the USA for
  some block ciphers, bot none for hash-functions
• HMAC is the mandatory-to-implement MAC for IP
  Security.
• HMAC is used widely, e.g. in SSL
• Basically HMAC is a way to incorporate a secret
  key into an existing hash function.

19
HMAC Design objectives

• To use, without modification existing hash
  functions.
• To allow easy replaceability of the embedded hash
  function in case faster or more secure functions
  are found or required
• To preserve the original performance of the hash
  function in terms of security and speed
• To use and handle keys in a simple way
• To have a well understood cryptographic analysis
  of the strength of the authentication mechanism
  based on a reasonable assumptions on the embedded
  hash function.

20
HMAC Algorithm

• Illustrated in Fig 9.10. Explanation
• H embedded hash function
• M message input to HMAC
• Yi ith block of M
• L number of blocks in M.
• b number of bits in a block
• n length of hash code produced by H
• K secret key
• K K padded with zeroes so that the result is b
  bits in length
• ipad 00110110 repeated b/8 times
• opad 01011010 repeated b/8 times
• HMACK H(K ? opad) H(K ? ipad) M

21
(No Transcript)
22
HMAC Security

• The exact relationship between the strength of
  the HMAC and the strength of the embedded hash
  function has been proved
• The security is at least as strong as the
  underlying hash function
• HMAC is more resistant to birthday attack
• the use of MD5 is also safe, if speed is
  important

23
(No Transcript)