1 / 23

Hash and MAC Algorithms - PowerPoint PPT Presentation

Hash and MAC Algorithms. MD5 in detail Overview of SHA and RIPEMD-160 HMAC. Introduction. There is a general structure used practically in all cryptanalytically srtong hash-function fig. 8.10 analogous to the Feistel cipher as a general structure of block-ciphers

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

PowerPoint Slideshow about ' Hash and MAC Algorithms ' - meghan

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Hash and MAC Algorithms

MD5 in detail

Overview of SHA and RIPEMD-160

HMAC

• There is a general structure used practically in all cryptanalytically srtong hash-function fig. 8.10

• analogous to the Feistel cipher as a general structure of block-ciphers

• it is safe to base new improved algorithms on a known proven structure

• Developed by Ron Riverst in 1992

• based on MD4 by Ron Riverst 1990 to increase the level of security

• Has been the most widely used and is still in wide use

• The algorithm takes as input a message of arbitrary length and produces a 128-bit message digest

• The input is processed in 512-bit blocks

• Some concerns about the safety of MD5

• brute-force attack: with a 128-bit message digest the birthday attack needs an effort of 264, which can not be considered safe.

• cryptanalytic attacks exist that break MD5 partly. The succes of current attacs is too close to breaking MD5, that from a cryptanalytic point of view it must be considered vulnerable.

• Step 1: Append padding bits

• the message is padded so that its length in bits is 448 mod 512

• Step 2: Append length

• A 64-bit representation of the length of the original message (before padding in step 1) is appended to the message, thus yielding a message that is an integer multiple of 512 bits in length.

• The message is represented as 512-bit blocks Y0, Y1, … ,YL-1 the length of the message being L blocks.

• The length of the message is an integer multiple of 16 32-bit words. Thus N=16*L.

• Step 3: Initialize MD buffer

• a 128-bit buffer is used to hold the intermediate and final value of the message digest.

• this MD buffer is represented as four 32-bit registers (A,B,C,D), wich are initialized with A=67452301, B=EFCDAB89, C=98BADCFE and D=10325476 in hexadecimal values.

• Step 4: Process message in 512-bit blocks:

• The core of the algorithm is a compression function consisting of four ”rounds” of processing. The module is labeled HMD5 in fig. 9.1. and its inner logic is shown in fig. 9.2.

• The four rounds have a similar structure, but each uses a different primitive logical function, referred as F, G, H and I.

• The input of each round is the 512-bit block being processed Yq and the four register values (A,B,C,D) of the MD buffer.

• Also each round uses one-fourth of a table T[1...64] containing a randomized set 32-bit patterns. The goal of this table is to eliminate any regularities in the input data.

• As a result each round updates the four register values (A,B,C,D) of the MD buffer. The register values is the output of the round.

• The output of the fourth round is added to the input of the first round CVq to produce CVq+1. The addition is done independently for each of the four 32-bit words in the buffer in modulo 232.

• Step 5: Output

• After all the L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.

to summarise:

CV0 = IV

CVq+1= SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]]] )

MD = CVL.

where

IV = initial value of the ABCD buffer

Yq = the qth 512-block of the message.

L = the number of blocks

CVq= chaining variable processed with the the qth block of the message

RFX= round function using primitive logical function X

MD = final message digest value

SUM32= Addition module 232 performed separatedly on each pair of words of the two inputs.

• Each round consists of a sequence of 16 steps operating on the register buffer (A,B,C,D)

• Each step is has the form:

a  b + (( a + g(b,c,d) + X[k] + T[i] ) <<< s )

where

a,b,c,d = the four words of the buffer, in a specified order that varies from step to step

g = one of the primitive functions F, G, H, I

<<< s = circular left shift (rotation) of the 32-bit argument by s bits.

X[k] = M[q  16  k] = the kth 32-bit word in the qth 512-bit block of the message

T[i] = the ith 32-bit word in matrix T

• The step operation is illustrated in fig 9.3.

• the order in which the four words (a,b,c,d) are used produces a word-level circular right shift of one word for each step.

• Each primive function performs a set of bitwise logical operations, i.e. the nth bit of the output is a function of the three other nth bits in the input words.

• The primitive functions are as follows:

• One 512-bit block consists of 16 32-bit words. Each word of a block is used exactly once in a round, during one step. The order in which these words are used varies from round to round.

• Also four different circular left shift (CLS) amounts are used within each round.

• Developed by NIST and published as a FIPS-standard in 1993

• A revised version, SHA-1, was published as a FIPS-standard in 1995

• The design closely models MD4

• Produces a 160-bit message digest to resist brute-force attacks

• thus MD-buffer contains 5 words.

• The complexity of the algorithm is greater than in MD4

• The algorithm has four rounds each consisting of 20 steps

• The basic structure is illustrated in fig. 9.5 and 9.6.

• Wt is a word derived from the 512-bit block in a complex manner that varies from step to step across rounds.

• Kt is a additive constant varying across rounds.

• The comparision is according to the design goals of MD5

• Security against brute force attacks

• 32-bits longer MD is the main advantage of SHA-1. The difficulty of producing two messages with the same MD is 264 in MD5 and 280 in SHA-1, thus SHA-1 is considerable stronger.

• Security against cryptanalysis

• MD5 is somewhat vulnerable whereas SHA-1 is generally believed to be resistant to cryptanalysis. However the design criteria of SHA-1 are not public, so the security is difficult to judge.

• Speed

• Both algorithms execute fast on a 32-bit architecture. SHA-1 has more steps and a longer buffer, so it will execute slowlier.

• Simplcity and compactness

• Both algorithms are simle to describe and implement and do not require large program-code or substitution tables

• Developed by the European project RIPE in 1996

• Right after the release the developers found attacks on two round of RIPEMD, and also on MD4 and MD5.

• 1997 the algorithm was upgraded to RIPEMD-160

• The desing follows MD5

• The MD is 160-bits, th e input block is 512-bits

• There are two parallel lines of round, each consisting of five rounds

• there are two MD buffers, one for each round

• Each round has 16 steps

• The design is illustrated in Fig. 9.8 and 9.9

• The comparision is according to the design goals of MD5

• Security against brute force attacks

• 32-bits longer MD is the main advantage of SHA-1 and RIPEMD-160. The difficulty of producing two messages with the same MD (birthday attack) is 264 in MD5 and 280 in SHA-1 and RIPE-MD160 making them considerable stronger.

• Security against cryptanalysis

• MD5 is somewhat vulnerable whereas SHA-1 is generally believed to be resistant to cryptanalysis. However the design criteria of SHA-1 are not public, so the security is difficult to judge. Resistance to cryptanalysis has been one of the main design objectives. The use of two parallel lines of round should make cryptanalysis more difficult compared to SHA-1.

• Speed

• All algorithms execute fast on a 32-bit architecture. SHA-1 and RIPEMD-160 have more steps and a longer buffer leading to slowdown in execution.

• Simplcity and compactness

• All algorithms are simle to describe and implement and do not require large program-code or substitution tables.

• HMAC is a MAC derived from a cryptographically safe hash-function

• hash fuctions (MD5, SHA-1) execute faster in software than symmetric block ciphers

• library code for cryptographic hash functions is widely available

• there are export restrictions from the USA for some block ciphers, bot none for hash-functions

• HMAC is the ”mandatory-to-implement” MAC for IP Security.

• HMAC is used widely, e.g. in SSL

• Basically HMAC is a way to incorporate a secret key into an existing hash function.

• To use, without modification existing hash functions.

• To allow easy replaceability of the embedded hash function in case faster or more secure functions are found or required

• To preserve the original performance of the hash function in terms of security and speed

• To use and handle keys in a simple way

• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on a reasonable assumptions on the embedded hash function.

• Illustrated in Fig 9.10. Explanation:

• H = embedded hash function

• M = message input to HMAC

• Yi = ith block of M

• L = number of blocks in M.

• b = number of bits in a block

• n = length of hash code produced by H

• K = secret key

• K+ = K padded with zeroes so that the result is b bits in length

• ipad = 00110110 repeated b/8 times

• opad = 01011010 repeated b/8 times