
Chapter Four

Cryptographic Hash Functions

By Bereket S.

Main Points of the chapter are:
➢ Hash Function
➢ Message Authentication
➢ Message Authentication Code (MAC)
➢ Hashing Algorithms with application areas (Given as
Group Assignment)

Hash Function:
➢ A hash function H accepts a variable-length block of data
M as input and produces a fixed-size hash value h = H(M).
➢ The principal object of a hash function is data integrity.
➢ A change to any bit or bits in M results, with high
probability, in a change to the hash code.

➢ Figure 1 depicts the general operation of a cryptographic
hash function.
➢ Typically, the input is padded out to an integer multiple of
some fixed length and the padding includes the value of the
length of the original message in bits.

Figure 1. Cryptographic Hash Function; h = H(M)

Message Authentication
➢ Message authentication is a mechanism or service used to
verify the integrity of a message.
➢ Message authentication assures that data received are
exactly as sent (i.e., contain no modification, insertion,
deletion, or replay).
➢ When a hash function is used to provide message
authentication, the hash function value is often referred to
as a message digest.

The essence of the use of a hash function for message
authentication is as follows.
➢ The sender computes a hash value as a function of the bits
in the message and transmits both the hash value and the
message.
➢ The receiver performs the same hash calculation on the
message bits and compares this value with the incoming
hash value.
➢ If there is a mismatch, the receiver knows that the message
(or possibly the hash value) has been altered (see the
following figure 2).

Figure 2. Hash function for data integrity


The hash value must be transmitted in a secure fashion. See Figure 3 on the next
slide.
➢ That is, the hash value must be protected so that if an adversary alters or
replaces the message, it is not feasible for the adversary to also alter the hash
value to fool the receiver.
➢ In this example,
✓ Alice transmits a data block and attaches a hash value.
✓ Darth intercepts the message, alters or replaces the data block, and calculates and
attaches a new hash value.
✓ Bob receives the altered data with the new hash value and does not detect the
change.
➢ To prevent this attack, the hash value generated by Alice must be protected.


Figure 3. Attack Against Hash Function


Figure 4a illustrates a variety of ways in which a hash code can be
used to provide message authentication, as follows:

Explanations for the above diagrams under figure 4.
a) Figure 4a
➢ The message plus concatenated hash code is encrypted using
symmetric encryption.
➢ Because only A and B share the secret key, the message must have
come from A and has not been altered.
➢ The hash code provides the structure or redundancy required to
achieve authentication.
➢ Because encryption is applied to the entire message plus hash code,
confidentiality is also provided.

Figure 4b illustrates a variety of ways in which a hash code can be
used to provide message authentication, as follows…

➢ Only the hash code is encrypted, using symmetric encryption.
➢ This reduces the processing burden for those applications that do
not require confidentiality.

Figure 4c illustrates a variety of ways in which a hash code can be
used to provide message authentication, as follows…

Explanations for the above diagrams under figure 4.
c) Figure 4c
➢ It is possible to use a hash function but no encryption for message
authentication.
➢ The technique assumes that the two communicating parties share a
common secret value S.
➢ A computes the hash value over the concatenation of M and S and
appends the resulting hash value to M.
➢ Because B possesses S, it can recompute the hash value to verify.
➢ Because the secret value itself is not sent, an opponent cannot modify an
intercepted message and cannot generate a false message.

Figure 4d illustrates a variety of ways in which a hash code can be
used to provide message authentication, as follows…

➢ Confidentiality can be added to the approach of method (c) by
encrypting the entire message plus the hash code.

Message authentication code (MAC):
➢ A function of the message and a secret key that produces a fixed-
length value that serves as the authenticator.
➢ An alternative authentication technique involves the use of a secret
key to generate a small fixed-size block of data, known as a
cryptographic checksum or MAC, that is appended to the message.

➢ This technique assumes that two communicating parties, say A and B,
share a common secret key K.
➢ When A has a message to send to B, it calculates the MAC as a
function of the message and the key:
MAC = C(K, M)
where M = input message, C = MAC function, K = shared secret
key, and MAC = message authentication code.

➢ The message plus MAC are transmitted to the intended recipient.
➢ The recipient performs the same calculation on the received
message, using the same secret key, to generate a new MAC.
➢ The received MAC is compared to the calculated MAC.

If we assume that only the receiver and the sender know the identity of
the secret key, and if the received MAC matches the calculated MAC,
then
a) The receiver is assured that the message has not been altered.
➢ If an attacker alters the message but does not alter the MAC, then
the receiver’s calculation of the MAC will differ from the
received MAC.
➢ Because the attacker is assumed not to know the secret key, the
attacker cannot alter the MAC to correspond to the alterations in
the message.
b) The receiver is assured that the message is from the alleged sender.
➢ Because no one else knows the secret key, no one else could prepare a
message with a proper MAC.
c) If the message includes a sequence number, then the receiver can be
assured of the proper sequence because an attacker cannot successfully
alter the sequence number.
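
The Figure 3 attack on an unprotected hash value and the MAC checks in points a) to c) can be compared side by side. The following Python is an added example, not part of the original slides: HMAC-SHA-512 stands in for the MAC function C (an assumption, since the slides leave C unspecified), and the key, the messages and the Receiver class are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hash_tag(message: bytes) -> bytes:
    # Unkeyed digest as in Figure 2: anyone, including Darth, can recompute it.
    return hashlib.sha512(message).digest()

def mac_tag(key: bytes, seq: int, message: bytes) -> bytes:
    # MAC = C(K, M). Assumption: C is HMAC-SHA-512 and M carries a 64-bit
    # sequence number in front of the payload, so the number is authenticated too.
    return hmac.new(key, struct.pack(">Q", seq) + message, hashlib.sha512).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.next_seq = key, 0

    def accept_hashed(self, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(hash_tag(message), tag)

    def accept_mac(self, seq: int, message: bytes, tag: bytes) -> str:
        # Recompute with the shared key and compare in constant time.
        if not hmac.compare_digest(mac_tag(self.key, seq, message), tag):
            return "bad-mac"
        if seq != self.next_seq:          # valid MAC, but replayed or out of order
            return "bad-sequence"
        self.next_seq += 1
        return "ok"

def demo() -> dict:
    key = b"constructed-shared-key-K"     # constructed sample key
    bob = Receiver(key)
    original, altered = b"pay 10 to carol", b"pay 9999 to darth"  # constructed
    tag0 = mac_tag(key, 0, original)      # what Alice sends with message 0
    return {
        # Figure 3: altered data plus a freshly computed hash is not detected.
        "hash_altered": bob.accept_hashed(altered, hash_tag(altered)),
        # a) altered message with the old MAC no longer matches
        "mac_altered": bob.accept_mac(0, altered, tag0),
        # b) without K, a recomputed tag does not match either
        "mac_wrong_key": bob.accept_mac(0, altered, mac_tag(b"not-the-key", 0, altered)),
        "mac_genuine": bob.accept_mac(0, original, tag0),
        # c) replaying message 0, or relabelling it as message 1, is rejected
        "mac_replay": bob.accept_mac(0, original, tag0),
        "mac_seq_rewritten": bob.accept_mac(1, original, tag0),
    }
```
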

Basic Uses of Message Authentication code (MAC)

Secure Hash Algorithm (SHA)
➢ SHA was developed by the National Institute of Standards and
Technology (NIST) and published as a federal information
processing standard (FIPS 180) in 1993.
➢ When weaknesses were discovered in SHA, now known as SHA-0,
a revised version was issued as FIPS 180-1 in 1995 and is referred
to as SHA-1.
➢ The actual standards document is entitled “Secure Hash Standard.”
SHA is based on the hash function MD4, and its design closely
models MD4.

Fig. 4.5: Comparison of SHA Parameters

SHA-512 Logic
➢ The algorithm takes as input a message with a maximum length of
less than 2^128 bits and produces as output a 512-bit message digest.
➢ The input is processed in 1024-bit blocks.
➢ Figure 4.6 depicts the overall processing of a message to produce a
digest.

IV = Initialization Vector, F = round function, H0, H1 = intermediate results

Fig. 4.6: Message Digest Generation Using SHA-512

Initialization Vector:


Step 1 Append padding bits.
➢ Padding is always added, even if the message is already of the desired length.
➢ Thus, the number of padding bits is in the range of 1 to 1024.
➢ The padding consists of a single 1 bit followed by the necessary number of 0
bits.
Step 2 Append length. A block of 128 bits is appended to the message.
➢ This block is treated as an unsigned 128-bit integer (most significant byte first)
and contains the length of the original message (before the padding).
➢ The outcome of the first two steps yields a message that is an integer multiple
of 1024 bits in length.

Step 3 Initialize hash buffer.
➢ A 512-bit buffer is used to hold intermediate and final results of the hash
function.
➢ The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
➢ These registers are initialized to the following 64-bit integers (hexadecimal
values):

Step 4 Process message in 1024-bit (128-word) blocks
➢ The heart of the algorithm is a module that consists of 80 rounds.
➢ Each round takes as input the 512-bit buffer value, abcdefgh, and updates the
contents of the buffer.
➢ At input to the first round, the buffer has the value of the intermediate hash
value, H_{i-1}.
➢ Each round makes use of a 64-bit value W_t, derived from the current 1024-bit
block being processed (M_i).
➢ These values are derived using a message schedule described subsequently.

➢ Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates
one of the 80 rounds.
➢ These words represent the first 64 bits of the fractional parts of the cube roots of
the first 80 prime numbers.
➢ The constants provide a “randomized” set of 64-bit patterns, which should
eliminate any regularities in the input data.
➢ The output of the eightieth round is added to the input to the first round (H_{i-1}) to
produce H_i.
➢ The addition is done independently for each of the eight words in the buffer with
each of the corresponding words in H_{i-1}, using addition modulo 2^64.

Fig. 4.7: SHA-512 Processing of a Single 1024-Bit Block
Step 5 Output. After all N 1024-bit blocks have been processed, the output from the
Nth stage is the 512-bit message digest.
➢ We can summarize the behavior of SHA-512 as follows:

SHA-3
➢ As of this writing, SHA-1 has not yet been “broken.”
➢ That is, no one has demonstrated a technique for producing collisions in less than
brute-force time.
➢ However, because SHA-1 is very similar in structure and in the basic mathematical
operations used to MD5 and SHA-0, both of which have been broken, SHA-1 is
considered insecure and has been phased out for SHA-2.
➢ SHA-2, particularly the 512-bit version, would appear to provide unassailable
security.
➢ However, SHA-2 shares the same structure and mathematical operations as its
predecessors, and this is a cause for concern.
➢ Because it will take years to find a suitable replacement for SHA-2, should it
become vulnerable, NIST decided to begin the process of developing a new hash
standard.
➢ Accordingly, NIST announced in 2007 a competition to produce the next generation
NIST hash function, to be called SHA-3.
➢ NIST would like to have a new standard in place by the end of 2012, but emphasizes
that this is not a fixed timeline and that the schedule could slip well beyond that date.
➢ The basic requirements that must be satisfied by any candidate for SHA-3 are the
following.
1. It must be possible to replace SHA-2 with SHA-3 in any application by a simple
drop-in substitution. Therefore, SHA-3 must support hash value lengths of 224, 256,
384, and 512 bits.
2. SHA-3 must preserve the online nature of SHA-2.
That is, the algorithm must process comparatively small blocks (512 or 1024 bits) at a time
instead of requiring that the entire message be buffered in memory before processing it.

➢ The evaluation criteria for the new hash function, in decreasing order of importance,
are as follows.
Security:
➢ SHA-3 algorithms must be designed to resist any potentially successful attack on
SHA-2 functions.
➢ In practice, this probably means that SHA-3 must be fundamentally different than the
SHA-1, SHA-2, and MD5 algorithms in either structure, mathematical functions, or
both.
Cost: SHA-3 should be both time and memory efficient over a range of hardware
platforms.

Algorithm and implementation characteristics:
➢ Consideration will be given to such characteristics as flexibility (e.g., tunable
parameters for security/performance tradeoffs, opportunity for parallelization, and so
on) and simplicity.

Practical Session
➢ Implement the SHA families in your lab session using any programming tool
you know well. Then compare how the algorithms work in the context of our lecture
class.
