Cryptographic Hash Functions

Cryptography and System Security

Suvarna Chaure
Assistant Professor
Dept. of Computer Engineering,
SIES Graduate School of Technology

Suvarna Chaure
Message Integrity
• The cryptography systems that we have studied so far provide
secrecy, or confidentiality, but not integrity. However, there are
occasions where we may not even need secrecy but instead must have
integrity
• One way to preserve the integrity of a document is through the use of
a fingerprint. If Alice needs to be sure that the contents of her
document will not be changed, she can put her fingerprint at the
bottom of the document.

Suvarna Chaure
Message and message digest

The electronic equivalent of the document and fingerprint

pair is the message and digest pair.

Fig 1. Message and Message Digest

Suvarna Chaure
Checking Integrity

Fig 2 Checking Integrity

Suvarna Chaure
Properties of Secure Hash Functions

A cryptographic hash function must

satisfy three criteria:
1. Preimage Resistance.
2. Second Preimage Resistanc
3. Collision Resistance.

Suvarna Chaure
Preimage Resistance

The hash function must be a one-way

function: For any given code h, it is
computationally infeasible to find h-1.

Suvarna Chaure
Second Preimage Resistance

Suvarna Chaure
Collision Resistance

Suvarna Chaure
MESSAGE AUTHENTICATION
• A message digest does not authenticate the sender of the
message.
• To provide message authentication, Alice needs to provide
proof that it is Alice sending the message and not an impostor.
• The digest created by cryptographic hash function is normally
called as modification detection code (MDC).
• What we need for message authentication is a message
authentication code (MAC).

Suvarna Chaure
Modification Detection Code (MDC)
A modification detection code (MDC) is a message digest that can
prove the integrity of the message: that message has not been changed.
If Alice needs to send a message to Bob and be sure that the message
will not change during transmission, Alice can create a message
digest MDC and send both the message and the MDC to Bob. Bob can
create a new MDC from the message and compare the received MDC
and the new MDC. If they are the same, the message has not been
changed.

Suvarna Chaure
Modification detection code (MDC)

Suvarna Chaure
Message Authentication Code
(MAC)
The difference between MDC and MAC is that the second
include A secrete between Alice and Bob.

Message authentication code

Suvarna Chaure
MAC Security
How can Eve forge a message without having the key?
1. If size of the key allows exhaustive search, Eve may try all
possible keys to digest the message.
2. Use preimage attack.
3. Given some pairs of messages and their MACs, Eve can
manipulate them to come up with a new message and its digest.

Note

The security of a MAC depends on the security

of the underlying hash algorithm.

Suvarna Chaure
Nested MAC
To improve MAC security, nested MACs were designed in which
hashing is performed twice.
Nested MAC

Suvarna Chaure
HMAC (Hashed MAC)

Suvarna Chaure
CMAC

Suvarna Chaure
Cryptographic Hash Functions
A cryptographic hash function takes a message of arbitrary length and
creates a message digest of fixed length. The ultimate goal of this
chapter is to discuss the details of the two most promising
cryptographic hash algorithms¾ SHA-512 and MD-5.

Suvarna Chaure
SHA-512
SHA-512 is the version of SHA with a 512-bit message digest. This
version, like the others in the SHA family of algorithms, is based on the
Merkle-Damgard scheme.

Suvarna Chaure
Introduction
Message digest creation SHA-
512

12.19
Suvarna Chaure
Message Preparation
SHA-512 insists that the length of the original message be less than 2128 bits.

Note

SHA-512 creates a 512-bit message digest out of a message less than 2128.

12.20
Suvarna Chaure
Exampl
e
This example shows that the message length limitation of SHA-512 is not a serious
problem. Suppose we need to send a message that is 2128 bits in length. How long
does it take for a communications network with a data rate of 264 bits per second to
send this message?

Solution
A communications network that can send 264 bits per second is not yet available.
Even if it were, it would take many years to send this message. This tells us that we
do not need to worry about the SHA-512 message length restriction.

12.21
Suvarna Chaure
Exampl
e
This example also concerns the message length in SHA-512. How many pages are
occupied by a message of 2128 bits?

Solution
Suppose that a character is 32, or 26, bits. Each page is less than 2048, or
approximately 212, characters. So 2128 bits need at least 2128 / 218, or 2110, pages. This
again shows that we need not worry about the message length restriction.

12.22
Suvarna Chaure
 Padding and length field in SHA-
512

12.23
Suvarna Chaure
Exampl
e
What is the number of padding bits if the length of the original
message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:

The padding consists of one 1 followed by 353 0’s.

12.24
Suvarna Chaure
Exampl
e
Do we need padding if the length of the original message is
already a multiple of 1024 bits?

Solution
Yes we do, because we need to add the length field. So
padding is needed to make the new block a multiple of 1024
bits.

12.25
Suvarna Chaure
 Exampl
e
What is the minimum and maximum number of padding bits that
can be added to a message?

Solution

a. The minimum length of padding is 0 and it happens when

(−M − 128) mod 1024 is 0. This means that |M| = −128 mod
1024 = 896 mod 1024 bits. In other words, the last block in
the original message is 896 bits. We add a 128-bit length
field to make the block complete.

12.26
Suvarna Chaure
Exampl Continue
e The maximum
b) d length of padding is 1023 and it happens
when (−|M| −128) = 1023 mod 1024. This means that the
length of the original message is |M| = (−128 −1023) mod
1024 or the length is |M| = 897 mod 1024. In this case, we
cannot just add the length field because the length of the
last block exceeds one bit more than 1024. So we need to
add 897 bits to complete this block and create a second
block of 896 bits. Now the length can be added to make this
block complete.

12.27
Suvarna Chaure
Exampl
e
What is the padding for SHA-512 if the length of message is
1. 5120 2. 5121 3. 6143 ?

12.28
Suvarna Chaure
Words

A message block and the digest as

words

12.29
Suvarna Chaure
Word Expansion

Word expansion in SHA-

512

12.30
Suvarna Chaure
Exampl
e
Show how W60 is made.

Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as

12.31
Suvarna Chaure
Message Digest Initialization

12.32
Suvarna Chaure
 Compression function in SHA-
512

12.33
Suvarna Chaure
 Structure of each round in SHA-
512

12.34
Suvarna Chaure
 Majority Function

Conditional Function

Rotate Functions

12.35
Suvarna Chaure
12.36
Suvarna Chaure
There are 80 constants, K0 to K79, each of 64 bits. Similar These values are calculated from the first 80
prime numbers (2, 3,…, 409). For example, the 80th prime is 409, with the cubic root (409)1/3 =
7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get

The fraction part: (6C44198C4A475817)16

12.37
Suvarna Chaure
 Exampl
e apply the Majority function on buffers A, B, and C. If the
We
leftmost hexadecimal digits of these buffers are 0x7, 0xA, and
0xE, respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.

12.38
Suvarna Chaure
 Exampl
e apply the Conditional function on E, F, and G buffers. If the
We
leftmost hexadecimal digits of these buffers are 0x9, 0xA, and
0xF respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.

The result is 1110, or 0xE in hexadecimal.

12.39
Suvarna Chaure
MD5
• Takes as input a message of arbitrary length and produces as output a 128
bit “fingerprint” or “message digest” of the input.
• It is conjectured that it is computationally infeasible to produce two
messages having the same message digest.
• Intended where a large file must be “compressed” in a secure manner
before being encrypted with a private key under a public-key
cryptosystem such as PGP.

Suvarna Chaure
MD5 Algorithm
• Suppose a b-bit message as input, and that we need to find its message digest.
Step 1 – append padded bits: –
1. Padding means adding extra bits to the original message. So in MD5
original message is padded such that its length in bits is congruent to 448
modulo 512. Padding is done such that the total bits are 64 less, being a
multiple of 512 bits length.
2. Padding is done even if the length of the original message is already
congruent to 448 modulo 512. In padding bits, the only first bit is 1, and
the rest of the bits are 0.
• Step 2 – append length: – A 64 bit representation of b is appended to the result
of the previous step. – The resulting message has a length that is an exact
multiple of 512 bits.

Suvarna Chaure
MD5 Algorithm continue..
Step 3 – Initialize MD Buffer • A four-word buffer (A,B,C,D) is used to compute
the message digest. – Here each of A,B,C,D, is a 32 bit register.
These registers are initialized to the following values in hexadecimal:
word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10

Suvarna Chaure
MD5 Algorithm continue..
Step 4 – Process message in 16-word blocks. – Four auxiliary functions that take
as input three 32-bit words and produce as output one 32-bit word.

Suvarna Chaure
MD5 Algorithm continue..
Step 5 – output – The message digest produced as output is A, B, C, D. –
That is, output begins with the low-order byte of A, and end with the high-
order byte of D.

Suvarna Chaure
MD5 Algorithm

Suvarna Chaure
MD5 Overview

2. Append
length
(64bits)

1. Append padding
bits
(to 448 mod 512)

3. Initialize MD buffer (4x32 bits Word)

Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10 Suvarna Chaure
Hash Algorithm Design – MD5

16 steps

X[k] = M [q*16+k] (32 bit)

Constructed from sine function

Suvarna Chaure
The ith 32-bit word in matrix T, constructed from the sine function

M [q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg

Single step

Suvarna Chaure
Thank You!
(suarnac@sies.edu.in)

49
Suvarna Chaure