CS G513 / SS G513 Network Security

Agenda
• Integrity – Hash Codes
  • Construction Basics
  • MD5
  • MD5 MAC

MDC - construction
[Figure: from Menezes]
Sundar B.

MDC Construction
• Merkle's meta-method for hashing:
  • Input: Collision-resistant compression function f
  • Output: Collision-resistant unkeyed hash function h
  • Algo:
    • Let f map (n+r)-bit strings into n-bit strings
    • Break x (of length b) into t blocks x_1, x_2, …, x_t of length r each.
    • Pad the last block if needed to make it r bits long
    • Define h(x) = H_t where H is defined by
      • H_0 = 0^n for some initial value IV
      • H_i = f(H_(i-1) || x_i) for 1 <= i <= t

MDC Construction
• Weakness of Merkle's meta-method:
  • Consider messages x and (x||y)
  • What is the common part?
• Merkle-Damgard strengthening:
  • After padding but before hashing, add a length block:
    • r-bit representation of b (the length of x)
    • Assumption: b < 2^r
  • Does this solve the weakness?
    • Verify.

MDC Construction
• Padding
  • Padding with all 0s leads to ambiguity
  • Decoder would need the length of text (before hashing)
  • Alternate solution:
    • Pad a 1 (always) and a sequence of 0s to make the length a multiple of r

MDC Constructions
• MDCs may be designed using encryption functions
  • E.g. Matyas-Meyer-Oseas hash:
    • k_i = g(H_(i-1)) and H_i = E(k_i, x_i) XOR x_i
  • MDC-2 and MDC-4
    • Variations of the MMO hash with 2 and 4 block cipher encryptions respectively.
    • For instance, DES could be the block cipher.

MDC Constructions – MD5
• Custom hash functions
  • Built from scratch
  • E.g. MD4 and MD5
• MD5:
  • Input: bit string x of arbitrary length b
  • Output: 128-bit hashcode of x
  • Algo:
    • (x_0, x_1, …, x_t) = Preprocess(x, b)
    • Init (H1, H2, H3, H4) – partial hash codes with initial values.
    • Process t rounds and update partial codes after each round
    • H1 || H2 || H3 || H4 is the final hash code.

MDC Construction – MD5
• Preprocessing
  • Input: A bit string x of arbitrary length b
  • Output: x_0, x_1, …, x_(16t-1) for some t; each x_i is 32 bits
  • Algo.:
    • Padding
      • Append a 1 to x,
      • then append r-1 0's, for some r > 0
      • Then append the 64-bit length (b mod 2^64)
      • Such that b + r + 64 = 512t for some t.
    • Splitting
      • Split the result into 32-bit blocks.

MDC Construction – MD5
Processing
• Input: x_0, x_1, …, x_(16t-1) for some t; each x_i is 32 bits; (H0, H1, H2, H3) with initial values
• Output: (H0, H1, H2, H3)
• Algo:
    For each k from 0 to t-1 {
        Initialize X[j] with x_(16k+j) for each j from 0 to 15
        (A,B,C,D) := (H0, H1, H2, H3)
        For each r from 1 to 4:
            (A,B,C,D) := round(X, r, A, B, C, D)
        (H0, H1, H2, H3) := (H0+A, H1+B, H2+C, H3+D)
    }
[Note: + is modulo 2^32. End of Note.]

MDC Construction – MD5
    round(X, r, A, B, C, D) {
        for j from 0 to 15 {
            temp := A + f_r(B,C,D) + X[Perm_r[j]] + Cons_r[j];
            (A,B,C,D) := (D, B + (temp <<< S_r[j]), B, C);
        }
        return (A,B,C,D);
    }
    f_1(u, v, w) = (u AND v) OR ((NOT u) AND w)
    f_2(u, v, w) = (u AND w) OR (v AND (NOT w))
    f_3(u, v, w) = u XOR v XOR w
    f_4(u, v, w) = v XOR (u OR (NOT w))
[Note: <<< is left rotation of a 32-bit word, and + is modulo 2^32. End of Note.]

MDC Construction – MD5
• Cons_r[j]
  • first 32 bits of binary value of sin((r-1)*16+j+1), where the argument is in radians
• Perm_r[j]
  • Is a permutation (different for each r) of numbers 0 to 15.

Constructing MACs from MDCs
• Secret Prefix method:
  • If h is an MDC hash function, then the proposed MAC M is obtained by prefixing a secret key k:
    • M(x) = h(k||x)
  • Relatively easy to obtain M(x||y)
    • h(k||x||y)
    • Despite MD strengthening
• Secret Suffix method:
  • M(x) = h(x||k)
  • h(y||x||k) is not as easy to guess from h(x||k) as h(k||x||y) is from h(k||x) – Why?
  • Birthday attack possible with O(2^(n/2)) ops.

Constructing MACs from MDCs
• Envelope with padding
  • M(x) = h(k||p||x||k)
  • p is padding to make it at least two blocks
• Hash-based MACs
  • M(x) = h(k || p1 || h(k || p2 || x))

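Why the secret-prefix method fails "despite MD strengthening" while the hash-based MAC does not, shown on a toy Merkle-Damgard hash built as in the meta-method slides (an added example, not from the original slides). The compression function, the 8-byte block size, the p1/p2 values and the sample strings are constructed, and the length of k is assumed to be known to the party extending the tag.

```python
import hashlib

R = N = 8  # toy sizes in bytes: block length r and chaining value length n

def f(h: bytes, block: bytes) -> bytes:
    """Toy compression function (n+r bytes -> n bytes); SHA-256 is only a stand-in."""
    return hashlib.sha256(h + block).digest()[:N]

def pad(length: int) -> bytes:
    """A 1 bit, zeros up to a block boundary, then the length block (MD strengthening)."""
    return b"\x80" + b"\x00" * (-(length + 1) % R) + length.to_bytes(R, "big")

def md_hash(x: bytes, state: bytes = bytes(N), prior: int = 0) -> bytes:
    """h(x) = H_t. `state` and `prior` let a caller resume from a known H_i."""
    data = x + pad(prior + len(x))
    for i in range(0, len(data), R):
        state = f(state, data[i:i + R])
    return state

def mac_prefix(k: bytes, x: bytes) -> bytes:
    return md_hash(k + x)                         # M(x) = h(k || x)

def mac_nested(k: bytes, x: bytes) -> bytes:
    p1, p2 = b"\x5c" * R, b"\x36" * R             # constructed padding values
    return md_hash(k + p1 + md_hash(k + p2 + x))  # h(k || p1 || h(k || p2 || x))

def extend(tag: bytes, hashed_len: int, y: bytes):
    """Treat a published tag as chaining value H_t and keep hashing y; no key used."""
    glue = pad(hashed_len)
    return glue, md_hash(y, state=tag, prior=hashed_len + len(glue))

def demo():
    k, x, y = b"constructed-key!", b"order=17", b"&note=appended"
    glue, t1 = extend(mac_prefix(k, x), len(k) + len(x), y)
    prefix_accepts = t1 == mac_prefix(k, x + glue + y)   # verifier accepts the tag
    glue, t2 = extend(mac_nested(k, x), len(k) + R + len(x), y)
    nested_accepts = t2 == mac_nested(k, x + glue + y)   # verifier rejects the tag
    return prefix_accepts, nested_accepts

if __name__ == "__main__":
    print(demo())
```

The prefix tag is itself the final chaining value, so hashing can resume from it; in the nested form the inner chaining value is never published, and the outer call hashes a fixed-length input.
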
Constructing MACs from MDCs
• MD5-MAC
  • Input:
    • bit string x of arbitrary length b, key k of length <= 128 bits
  • Output:
    • 64-bit MAC value of x
  • Algo:
    • Let MD5Proc be the processing stage of MD5 (i.e. without padding and length suffix)
    • Key-expansion (results in three 128-bit keys k1, k2, k3)
    • Configure MD5Proc parameters using expanded keys k1, k2
    • Preprocess x using expanded key k3 (results in bit string x')
    • Apply the new MD5Proc on x'; take the leftmost 64 bits of the 128-bit MDC obtained.

Constructing MACs from MDCs
• MD5-MAC
  • Key-expansion (results in 128 bit key k')
    • If k is shorter than 128 bits, concatenate k to itself enough times to make it 128 bits or longer.
    • Redefine k to be the leftmost 128 bits
    • Define for i = 1 to 3, k_i = MD5Proc(k || U_i || k), where U_i is a 96-byte constant
    • Split k1 into 32-bit substrings k1[r] for r = 0 to 3
    • Split k2 into 32-bit substrings k2[r] for r = 0 to 3

Constructing MACs from MDCs
• MD5-MAC
  • Preprocessing
    • Pad x and add length info as in the MD5 preprocessing step
    • Then append k3 || (k3 XOR T_0) || (k3 XOR T_1) || (k3 XOR T_2) to the padded x value to get x'
    • Here T_i are 16-byte constants
  • Configure MD5Proc
    • Initial Vectors: H_j = k1[j] for j = 0 to 3
    • Cons[j] = Cons[j] + k2[r] mod 2^32 in round r

Constructing MACs
• Other MAC algorithms:
  • E.g. block cipher based MACs
  • CBC-MAC:
    • H_j = E_k(H_(j-1) XOR x_j)
    • Can be strengthened by double/triple encryptions as well.
    • DES is often used as E.