Hashes and Message Digests

A hash, or message digest, is a one-way function: it is easy to compute in the forward direction, but it is not practical to reverse (to find an input that produces a given output).

A hash function is cryptographically secure if it is computationally infeasible to find:

§     A message that has a given message digest (preimage resistance).

§     A different message with the same message digest as a given message (second-preimage resistance).

§     Two messages that have the same message digest (collision resistance).


Ø          Major Algorithms:

§     Ron Rivest's Message Digest MD family (MD2, MD4 and MD5): 128-bit digest.

§     NIST Secure Hash Algorithm SHA-1: 160-bit digest.

(Practical collisions have since been found for MD4, MD5 and SHA-1, so none of these should be used today where collision resistance matters; they remain the clearest examples of how digests are built and attacked.)


They take an arbitrary-length string and map it to a fixed-length quantity that appears to be randomly chosen.


For example, two inputs that differ by only one bit should have outputs that look like completely independently chosen random numbers.

Ideally, the message digest function should be easy to compute.


Like secret key algorithms, digest algorithms tend to be computed in rounds.
The designers find the smallest number of rounds needed before the output passes various randomness tests, then add a few more as a safety margin.

 

 

Ø          Things to do with a Hash

v         Authentication: Alice authenticating Bob:

     Alice                        Bob

  challenge:      r     >>>>>>>      r

  response:       d     <<<<<<<      d = MD{K|r}

     -   r        is a random number (a fresh challenge chosen by Alice),

     -   MD{K|r}  is the message digest of K concatenated with r.

    Alice computes MD{K|r} herself; if it equals d, then Bob must know K.

    This authenticates Bob to Alice only; to authenticate Alice to Bob the exchange is repeated in the other direction. r must be fresh each time: if Alice reused a challenge, anyone who had recorded the earlier response could replay d without knowing K.


v         Computing a MAC: Using Secret Key K between Alice & Bob

            Alice                                        Bob

   m,d  where d = MD(K|m)    >>    m,d   OK if d = MD(K|m)

K   is the shared secret between Alice and Bob

 

Message Append Attack:

This works for MD algorithms with the following property (the MD family and SHA-1 have it, because their digest is simply the internal chaining state after the last block has been processed):

if d = MD(x), then for any y, d' = MD(x|y) can be computed from d and y alone, without knowing x. We write this as d' = d + MD(y), meaning "continue the digest computation from state d with input y". (In practice y has to begin with the padding that MD appended to x, so the attacker needs the length of x; for x = K|m that means guessing the length of K.)

Trudy intercepts <m,d> and replaces it with <m',d'>,

       where m' = m|y and d' = d + MD(y).

Bob receives <m',d'> and computes:

MD(K|m') = MD(K|m|y) = MD(K|m) + MD(y) = d + MD(y) = d'

      and concludes that Alice sent m'!

How to avoid this flaw?

-       Compute MD ( m | K ) instead of MD ( K | m ). (Appending no longer helps Trudy, but now a collision for MD, two messages m1 and m2 with MD(m1) = MD(m2), gives MD(m1|K) = MD(m2|K), i.e. a MAC forgery.)

-       Compute MD ( K | m | K ).

-       Compute MD ( K | MD (K | m) ). (This nested form is the idea behind HMAC, below: the outer digest hides the chaining state, so there is nothing for Trudy to extend.)
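The append attack above carried out end to end, as an added example that is not part of the original notes. It re-implements MD5 (RFC 1321) so that the digest can be resumed from a chaining state, which Python's hashlib does not allow; the shared key, Alice's message and Trudy's suffix are constructed, and Trudy is assumed to know only the length of K (in practice she tries plausible lengths). The same code then runs the attack against MD(K|MD(K|m)) to show why that fix works.

```python
"""MD5 resumable from a chaining state, plus the message-append attack on
MD(K|m) and a check that MD(K|MD(K|m)) resists it. Added example; KEY, the
message and the suffix below are constructed."""
import math
import struct

_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & _MASK


def md5_pad(total_len):
    """Padding for a message of total_len bytes: 0x80, zeros, then the 64-bit
    little-endian bit length, bringing the length to a multiple of 64."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def _compress(state, block):
    """One MD5 compression of a 64-byte block into the 4-word chaining state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def md5(data, state=_IV, prior_len=0):
    """MD5(data); or, given state/prior_len, the digest of an unknown prefix of
    prior_len bytes (a multiple of 64) whose chaining state is `state`, followed
    by data. The digest *is* the final chaining state, which the attack exploits."""
    buf = data + md5_pad(prior_len + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state)


def naive_mac(key, msg):
    return md5(key + msg)                      # MD(K|m): vulnerable to appending


def nested_mac(key, msg):
    return md5(key + md5(key + msg))           # MD(K|MD(K|m)): one of the fixes above


def append_attack(digest, msg, key_len, suffix):
    """Trudy's step: from <m,d> with d = MD(K|m) and a guess of |K|, build
    <m',d'> with m' = m|glue|suffix and d' = MD(K|m'), never touching K."""
    glue = md5_pad(key_len + len(msg))         # the padding Bob's MD5 will insert
    state = struct.unpack("<4I", digest)       # restart MD5 from Alice's digest
    forged_msg = msg + glue + suffix
    forged_digest = md5(suffix, state, key_len + len(msg) + len(glue))
    return forged_msg, forged_digest


def demo():
    """Returns (naive MAC accepts forgery, nested MAC accepts forgery)."""
    key = b"shared-secret-K"                   # constructed; Trudy knows only len(key)
    msg = b"pay=100&to=bob"                    # constructed
    suffix = b"&to=trudy"                      # constructed
    d = naive_mac(key, msg)
    m2, d2 = append_attack(d, msg, len(key), suffix)
    naive_accepts = naive_mac(key, m2) == d2   # Bob's check passes on the forgery
    # Against MD(K|MD(K|m)) the same extension yields MD(K|t|glue|y), which is
    # not the nested MAC of any message, so Bob's recomputation does not match.
    t = nested_mac(key, msg)
    m3, t3 = append_attack(t, msg, len(key), suffix)
    nested_accepts = nested_mac(key, m3) == t3
    return naive_accepts, nested_accepts


if __name__ == "__main__":
    naive, nested = demo()
    print("MD(K|m) accepts forgery:", naive)
    print("MD(K|MD(K|m)) accepts forgery:", nested)
```

The forged message carries the glue padding (a 0x80 byte, zeros and a length field) in the middle, so the attack is most damaging against formats that tolerate such bytes, such as key=value parameters where a later `to=` overrides an earlier one.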

 

v        Encryption:

Generating a one-time pad (strictly, a keystream) from a shared secret:

     Both Alice and Bob know the shared secret K and generate:

      b1 = MD(K)

      bi = MD(K|b(i-1)), i = 2, 3, ....

                     Alice                                       Bob

      send ci = mi ⊕ bi             >>      recv ci and compute mi = ci ⊕ bi

   (⊕ is bitwise XOR; mi is the i-th digest-sized block of the message.) The pad depends on K alone, so K must not be reused for a second message: XORing two ciphertexts made under the same K gives m ⊕ m', and the pad is then no longer "one-time".
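The pad generation and the Alice/Bob exchange above, as an added example that is not part of the original notes, with hashlib.md5 standing in for MD; the key and messages are constructed. It also exhibits the reuse failure: with the same K, the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
"""Keystream b1 = MD(K), bi = MD(K|b(i-1)) and ci = mi XOR bi, as in the notes.
Added example; the key and messages are constructed."""
import hashlib

BLOCK = hashlib.md5().digest_size   # 16 bytes per pad block


def keystream(key, nblocks):
    """Yield b1, b2, ..., b_nblocks exactly as the notes define them."""
    prev = hashlib.md5(key).digest()                  # b1 = MD(K)
    yield prev
    for _ in range(nblocks - 1):
        prev = hashlib.md5(key + prev).digest()       # bi = MD(K | b(i-1))
        yield prev


def xor_stream(key, data):
    """Encrypt or decrypt (the same operation) by XORing data with the pad."""
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    pad = b"".join(keystream(key, nblocks))[:len(data)]
    return bytes(x ^ y for x, y in zip(data, pad))


def demo():
    """Returns (Bob recovers m1, reusing K leaks m1 XOR m2)."""
    key = b"shared-secret-K"                                  # constructed
    m1 = b"attack at dawn, bring the ladder"                  # constructed
    c1 = xor_stream(key, m1)
    bob_ok = xor_stream(key, c1) == m1
    # Failure mode: a second message under the same K uses the same pad.
    m2 = b"retreat at dusk, leave the ladder"                 # constructed
    c2 = xor_stream(key, m2)
    n = min(len(m1), len(m2))
    leaked = bytes(x ^ y for x, y in zip(c1[:n], c2[:n]))
    reuse_leaks = leaked == bytes(x ^ y for x, y in zip(m1[:n], m2[:n]))
    return bob_ok, reuse_leaks


if __name__ == "__main__":
    print("Bob decrypts:", demo()[0], "; key reuse leaks m1 XOR m2:", demo()[1])
```

A real stream cipher folds a per-message nonce into the first block (for instance b1 = MD(K|nonce)) so that one long-term K can be used for many messages; the scheme as written in the notes has no such input.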


 

v        Using Secret Key for a Hash:

      Unix Password Hash

      Unix uses a modified DES to compute the hash of a password

       (modified so that off-the-shelf DES hardware cannot be used to crack Unix passwords).

§    DES secret key:

Pack the low 7 bits of the ASCII code of each of the first eight characters of the password into a 56-bit DES key. (Only eight characters matter; anything beyond the eighth is ignored.)

§    Salt:

A 12-bit random number (the salt) is stored with the hashed password. The salt is used to modify the DES data expansion (E) step, so the same password hashes to one of 4096 different values. This defeats a precomputed dictionary of hashed passwords, and two users with the same password get different hashes.

§    Hashed password:

The modified DES is used with the secret key to encrypt the constant 0 (the all-zero 64-bit block; the classic implementation iterates the encryption 25 times to slow down guessing). The result is stored with the salt as the user's hashed password.

Example:

%  ypcat passwd | grep wahab

wahab:stg/i.0xxJ1zU:51:13:Dr. wahab:/home/wahab:/usr/local/bin/tcsh

st is the salt, g/i.0xxJ1zU is the 64-bit encryption under the 8-character key.

(In base-64 encoding each character carries 6 bits, so a 64-bit block needs ceil(64/6) = 11 characters; the last one holds only 4 bits.)

Note that the hash is world-readable here (ypcat reads it over NIS), which is exactly what lets an attacker run an offline dictionary attack; modern systems keep hashes in a protected shadow file for that reason.
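A parser for the traditional DES crypt(3) field shown above, added here and not part of the original notes. It checks the 13-character layout, decodes the 12-bit salt and the 64-bit DES output, and verifies the claim that the eleventh hash character carries only four bits. The alphabet and the salt convention (bit k of the salt set means E-expansion outputs k and k+24 are swapped) are those of the classic crypt(3) implementation; the passwd line is the page's example.

```python
"""Parse and sanity-check a traditional DES crypt(3) password field.
Added example; PASSWD_LINE is the example from the notes."""

# crypt(3)'s own base-64 alphabet (not the MIME one): value 0..63.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PASSWD_LINE = "wahab:stg/i.0xxJ1zU:51:13:Dr. wahab:/home/wahab:/usr/local/bin/tcsh"


def parse_des_crypt(field):
    """Return (salt_chars, salt_bits, hash64) for a 13-character DES crypt field.

    salt_bits: 12-bit integer; bit k set swaps E outputs k and k+24 (classic
               implementation convention: char 0 gives bits 0-5, char 1 bits 6-11).
    hash64:    the 64-bit DES output. 11 chars carry 66 bits, so the last two
               bits are padding and must be zero.
    """
    if len(field) != 13 or any(ch not in ALPHABET for ch in field):
        raise ValueError("not a traditional DES crypt field")
    vals = [ALPHABET.index(ch) for ch in field]
    salt_bits = vals[0] | (vals[1] << 6)
    acc = 0
    for v in vals[2:]:
        acc = (acc << 6) | v              # 11 * 6 = 66 bits, first char most significant
    if acc & 0b11:
        raise ValueError("last character carries non-zero padding bits")
    return field[:2], salt_bits, acc >> 2


def is_des_crypt(field):
    """True if the field is a well-formed traditional DES crypt hash."""
    try:
        parse_des_crypt(field)
        return True
    except ValueError:
        return False


def parse_passwd_line(line):
    """Split a passwd line and parse its hash field: (user, (salt, salt_bits, hash64))."""
    user, pw_field, *_ = line.split(":")
    return user, parse_des_crypt(pw_field)


if __name__ == "__main__":
    user, (salt, salt_bits, hash64) = parse_passwd_line(PASSWD_LINE)
    print(user, "salt", salt, "=", salt_bits, "hash", f"{hash64:016x}")
```

The last character of a genuine DES crypt hash is always one of the sixteen alphabet entries whose value is a multiple of 4; `U` in the example (value 32) is one of them, which is a quick way to tell a real crypt(3) output from a random-looking string.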

 


MD2

It takes a message of arbitrary length and produces a 128-bit message digest.

v         Padding:

The message must be a multiple of 16 octets (128 bits).

If the message is already a multiple of 16 octets, 16 octets of padding are added.

Otherwise p octets (1 <= p <= 15) are added.

Each pad octet contains the value p, the number of padding octets (1 <= p <= 16).

Note that there must always be padding, so the padding can always be stripped unambiguously.

      Example:

       Consider a message m of 10 bytes: "abcdefghij".
       The padding length is 6, and the padded message is

"abcdefghij" followed by six octets each holding the value 6 (0x06, not the character "6"), i.e. "abcdefghij\x06\x06\x06\x06\x06\x06" in C notation.
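The padding rule above, including the always-pad edge case and the inverse check a receiver applies, as an added example that is not code from the original notes. The rule is the same as PKCS#7 padding with a 16-byte block.

```python
"""MD2 padding (RFC 1319 step 1) and its inverse. Added example."""


def md2_pad(msg):
    """Append p octets each of value p, 1 <= p <= 16, so that the length becomes
    a multiple of 16. A message that is already a multiple of 16 (including the
    empty message) gets a full block of sixteen 0x10 octets: padding is never omitted."""
    p = 16 - (len(msg) % 16)
    return msg + bytes([p]) * p


def md2_unpad(padded):
    """Strip MD2 padding, refusing anything that md2_pad could not have produced:
    wrong length, p outside 1..16, or trailing octets that do not all equal p."""
    if not padded or len(padded) % 16:
        raise ValueError("length is not a positive multiple of 16")
    p = padded[-1]
    if not 1 <= p <= 16 or padded[-p:] != bytes([p]) * p:
        raise ValueError("invalid padding")
    return padded[:-p]


def md2_is_padded(data):
    """True if data is a correctly padded message."""
    try:
        md2_unpad(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(md2_pad(b"abcdefghij"))
    print(md2_pad(b"0123456789abcdef"))
```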

 

v         Checksum:  Fig. 5-4

A 16-byte checksum, computed over the padded message, is appended to it before computing the MD.

The substitution table of Fig. 5-5 (the "pi substitution") is used in computing the checksum.

(Is it the binary representation of pi, one octet at a time? No! It is a permutation of the 256 octet values, constructed from the digits of pi.)

v         Final Pass:  Fig. 5-6

 

 

 

MD4

Was designed to be 32-bit word oriented so it can be computed faster on 32-bit CPUs than the octet-oriented MD2.

MD5

Was designed with more concern for security than speed; it adds a fourth round and more mixing to MD4.

All the MD family produce a 128-bit digest.

SHA-1

Designed by NIST to produce 160-bit digests.

It was considered more secure than MD5 but is a little slower. (Practical collisions have since been demonstrated for both; SHA-2 or SHA-3 is used where collision resistance is needed.)

 

HMAC (hash-based MAC)   Fig. 5-10 :

HMAC is a keyed nesting of the digest: it combines the key with the data, digests that, then combines the key with the result and digests again. In the simplified form used above this is

MD ( K | MD ( K | m ) )

The actual HMAC (RFC 2104) uses two different derived keys, one for each digest:

HMAC(K, m) = MD ( (K' xor opad) | MD ( (K' xor ipad) | m ) )

where ipad is the byte 0x36 repeated and opad is the byte 0x5C repeated, each to the block length of the digest.

It takes a variable-length key and a variable-sized message and produces a fixed-size output of the same size as the underlying digest algorithm.

The key is padded with 0s to the digest's block size, 512 bits (64 bytes) for MD5 and SHA-1, giving K'; a key longer than the block size is first replaced by its digest.
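HMAC written out from the RFC 2104 definition and cross-checked against Python's hmac module, as an added example that is not part of the original notes. The 0x36 and 0x5C constants are the RFC's ipad and opad bytes; the block size is read from the digest rather than hard-coded, so the same function covers SHA-256 (64-byte block) and SHA-512 (128-byte block). A constant-time verify is included because Bob's comparison is the step that is usually got wrong in practice.

```python
"""HMAC from its definition, checked against the standard library. Added example."""
import hashlib
import hmac


def hmac_from_definition(key, msg, name="md5"):
    """HMAC(K, m) = MD((K' xor opad) | MD((K' xor ipad) | m)) per RFC 2104.

    K' is the key padded with 0x00 to the digest's block size (64 bytes for
    MD5 and SHA-1); a key longer than the block size is first replaced by MD(key).
    """
    md = lambda data: hashlib.new(name, data).digest()
    block_size = hashlib.new(name).block_size
    if len(key) > block_size:
        key = md(key)
    key = key.ljust(block_size, b"\x00")          # K'
    ipad = bytes(b ^ 0x36 for b in key)           # inner key
    opad = bytes(b ^ 0x5C for b in key)           # outer key
    return md(opad + md(ipad + msg))


def matches_stdlib(key, msg, name="md5"):
    """Cross-check against hmac.new for the same key, message and digest."""
    return hmac_from_definition(key, msg, name) == hmac.new(key, msg, name).digest()


def mac_verify(key, msg, tag, name="md5"):
    """Bob's check. compare_digest avoids the timing leak of an early-exit ==,
    which would let an attacker recover the tag one byte at a time."""
    return hmac.compare_digest(hmac_from_definition(key, msg, name), tag)


if __name__ == "__main__":
    # RFC 2202 test case 1: key = 0x0b * 16, data = "Hi There"
    print(hmac_from_definition(b"\x0b" * 16, b"Hi There").hex())
```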