Hashes and Message Digests

A hash or message digest, is a one-way function since it is not practical to reverse. 

A function is cryptographically secure if it is computationally infeasible to find:

ü A message that has a given message digest.

ü A different message with the same message digest.

ü Two messages that have the same message digest.

 

ê   Major Algorithms:

 

§  Ron Rivest Message Digest MD-family (MD2, MD4 and MD5): 128-bit.

§  NIST  Secure Hash Algorithm SHA-1: 160-bit.

ü They take an arbitrary-length string and map it to a fixed-length quantity that appears to be randomly chosen.

For example, two inputs that differ by only one bit should have outputs that look like completely independently chosen random numbers.

ü Ideally, the message digest function should be easy to compute.

ü Like secret key algorithms, digest algorithms tends to be computed in rounds. The designers finds the smallest number of rounds necessary before the output passes various randomness tests and then add few more to be safe.

 

The Birthday Problem

What is the minimum number of persons in a room so that

the odds are better than 50% that two of them will have the same birthday?

Answer: 23 persons

 Why?

Let n be the number of persons and k be the number of birth dates (k = 365).
There are m = n(n-1)/2 pairs of persons.
The probability that a given pair have the same birth date is 1/k.
Therefore for at least 50% probability to find a match:

m * (1/k) > 1/2
m > k/2
n(n-1)/2 > k/2
n(n-1) > k
n2 > k 

 

or

n ~   
 

In general:

If the message digest is d  bits then k=2d  and  we need to examine 2d/2 messages
to have 50% chance to  find two message with the same digest.

 

Example 1: if d = 4 we need

 

22    = 4 messages instead of 24  = 16 messages.


Example 2: if d = 64 we need

 

232   (= 4.109      or  4 billion) messages instead of 264  (= 18.1018  or 18 bilion billion) messages.

 

 

Suppose that the first authenticated message M of a transaction is always the same

 Are you ready to receive a transaction?

If two transactions use the same authentication key K,

Then the MAC value (message digest of K | M) of their first message will also be the same.

 

ü The Birthday Attacks

By knowing that the two MAC values are the same (i.e. K is the same), the attacker can insert a different recorded message from an older transaction into the newer transaction.

 

ü Meet-in-the-Middle Attacks

Instead of waiting for a key to repeat, you can build a table of  2d/2 random keys and for each of these keys compute the MAC of the “Are you ready to receive a transaction?”. Eavesdropping on each transaction may reveal the key and then the attacker may insert arbitrary message into the new transaction.

 

 

ê   Things to do with a Hash

 

ü Authentication: Alice authenticating Bob:

     Alice                        Bob

 

  challenge:      r     >>>>>>>      r


  response:          <<<<<<<     d =MD{K|r}

 

     -   r        is a random number,


     MD{K|r}  is the message digest of K concatenated with r.


    Alice computes MD{K|r} and if  = d, then Bob must know K.
 

ü Computing a MAC: Using Secret Key K between Alice & Bob

 

            Alice                                        Bob  

 

m,d where d = MD(K|m)  >>   m,d , OK if d = MD (K|m)

 

K   is the shared secret between Alice and Bob

 

Message Append Attack:

 

This works for some MD algorithms that have the following property:

 

if d=MD(x)  then  for some y, d'=MD(x|y) = d+MD(y)

 

Traudy may intercepts <m, d> and replace it with <m', d'>,
  

       where m'=m|y and d'=d+MD(y).

 

Bob receives <m', d'> and will compute:

 

MD(K|m')=MD(K|m|y)=MD(K|m)+MD(y)=d+MD(y)=d'


      Thinking that Alice send  m' !      

 

How to avoid this flow?

-        Compute MD ( m | K ) instead of MD ( K | m ).

-        Compute MD ( K | m | K ).

-        Compute MD ( K | MD (K | m) ).

 

ü Encryption:

Generating one-time pad:

     Both Alice and Bob know the shared secret K and generate:

      b1= MD (K)


      bi = MD ( K | bi-1), i=2,3, ....

              

                     Alice                                       Bob  


      send  ci  = mi ® bi             >>      recv  ci  and  compute  mi = ci ® bi


 

ü Using Secret Key for a Hash:

 

      Unix Password Hash

      Unix uses a modified DES to compute the hash of a password.

       (to prevent DES hardware from cracking Unix passwords!).

 

§  DES secret Key: 

Pack the 7-bit ASCII associated with each of the first eight characters of the password into 56-bit DES key.

§  Salt:

A 12-bit random number (salt) is stored with the hashed password to prevent dictionary attack. The salt is used to modify the DES data expansion algorithm.

§  Hashed password:

The modified DES is used with the secret key to encrypt the constant 0. 

The result is stored with the salt as the user's hashed password.

 

Example:

%  ypcat passwd | grep wahab

wahab:stg/i.0xxJ1zU:51:13:Dr. wahab:/home/wahab:/usr/local/bin/tcsh

 

st is the salt, g/i.0xxJ1zU is the 64 bit encryption of 8 char key

(In base-64 encoding 64 bit block requires 64/6=11 char).

 

Note that you may have the same passwords on different UNIX sites

(e.g., ODU and UNC) but the passwd entries will be different!

 

MD2

 

It takes a message of arbitrary length and produces 128-bit   message digest.

 

ü   Padding: 

The message must be multiple of 16 octets (128-bit).


If the message is already multiple of 16 octets,

         16 octets of padding are added.


Otherwise p octets (1<= p <=15) are added.


Each pad octet contains the value n of padding, 1<=n<=16.


Note that there must always be padding.

 

      Example:


       Consider a message m of 10 bytes:  "abcdefghij"
       the padding length is 6  and the padded message is: 

 

"abcdefghij666666"

 

ü Checksum:  Fig. 5-4

A 16-byte checksum is appended to the message before computing the MD.

Description: http://www.cs.odu.edu/~cs772/fall06/lectures/fig5-4.gif

   Fig. 5-5 is used for pi substitution

 

Is it the binary representation of pi, one octet at a time? No!).
 

 

Description: http://www.cs.odu.edu/~cs772/fall06/lectures/fig5-5.gif

 

 

ü Final Pass:  Fig. 5-6

 

Description: http://www.cs.odu.edu/~cs772/fall06/lectures/fig5-6.gif

 

MD4

Was designed to be a 32-bit word oriented so it can be computed faster on 32-bit CPUs  than  an octet-oriented MD2.

 

MD5

Was designed to be more concerned with security than speed.

 

All the MD family produces 128-bit digest.

 

SHA-1

Designed by NIST to produce 160-bit digests

It is more secure than MD5 but  little slower.

 

HMAC (hash-based MAC)   Fig, 5-10 :

 

HMAC prepends the key to the data, digests it, and then prepends the key to the result and digests that:

MD ( K | MD ( K | m ) )

It takes a variable-length key and a variable-sized message and produces a fixed-size output of the same size as the underlying digest algorithm. 

The key is padded with 0s to be 512 bits.

 

Description: http://www.cs.odu.edu/~cs772/fall06/lectures/fig5-10.gif