Message Authentication and Hash Functions – MD5 & SHA
Dr.Vetrivelan.P
VIT - Chennai
Outline
Authentication Requirements
Authentication Functions
Hash and MAC Algorithms
What is Authentication?
A procedure to verify that received messages come from the alleged source and have not been altered.
A digital signature is one such technique; it also includes a countermeasure against repudiation by either the source or the destination.
Authentication Requirements
Possible attacks
1. Disclosure
2. Traffic Analysis
3. Masquerade
4. Content Modification
5. Sequence Modification
6. Timing Modification
7. Repudiation: source and destination repudiation
Attacks #1-2 -> Confidentiality
Attacks #3-7 -> Authentication
Attack #7 in particular is related to digital signatures
Authentication Functions
3 Types of cryptographic operations related to
authentication:
Message Encryption
Message Authentication Code (MAC)
Hash Function
Message Encryption
Conventional Encryption
Conventional Encryption (cont.)
Conventional encryption provides a weak form of
authentication
If Bob can recover a message encrypted with a shared key
between Alice and Bob, Bob knows that Alice sent this
message.
If the message has been altered, Bob would not be able to
read it.
Message Encryption (cont.)
Public-key Encryption
Confidentiality and Authentication Implications
of Message Encryption
Confidentiality and Authentication
Implications of Msg Encryption (cont.)
Message Authentication Codes (MACs)
MAC involves the use of a secret key to generate a small fixed-size
block of data.
A MAC is also known as a cryptographic checksum:
$\mathrm{MAC} = C_K(M)$
where M is a variable-length message,
K is a secret key shared between sender and receiver, and
$C_K(M)$ is the fixed-length authenticator
MAC is appended to the message and sent over to receiver.
Message Authentication Code
MAC is irreversible, but encryption isn’t.
1. Alice and Bob share the secret $K_1$.
2. Alice calculates $\mathrm{MAC}_1 = C_{K_1}(M)$
Alice -> Bob: $\{M, \mathrm{MAC}_1\}$
3. Bob calculates $\mathrm{MAC}_2 = C_{K_1}(M)$
If $\mathrm{MAC}_2 = \mathrm{MAC}_1$, M was sent by Alice and has not been altered.
Confidentiality can be provided by encryption with another shared key.
Alice -> Bob: $\{M, \mathrm{MAC}_1\}_{K_2}$
Requirements for MACs
1. If an opponent observes M and $C_K(M)$, it should be computationally infeasible to construct M' such that $C_K(M') = C_K(M)$.
2. $C_K(M)$ should be uniformly distributed in the sense that for randomly chosen messages M and M', the probability that $C_K(M) = C_K(M')$ is $2^{-n}$, where n is the number of bits in the MAC.
3. Let M' be equal to some known transformation on M, that is, M' = f(M). For example, f may involve inverting one or more specific bits. In that case, $\Pr[C_K(M) = C_K(M')] = 2^{-n}$.
Using Symmetric Ciphers for MACs
can use any block cipher chaining mode and use final
block as a MAC
Data Authentication Algorithm (DAA) is a widely used MAC
based on DES-CBC
using IV=0 and zero-pad of final block
encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
but final MAC is now too small for security
Data Authentication Algorithm
Hash Functions
A (one-way) hash function accepts a variable-size
message M as input and produces a fixed-size hash code
H(M) as output (called Message Digest)
Hash code provides error detection -> a change in one bit
of message results in a change to the hash code.
Requirements for a Hash Function
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. It is easy to compute H(x) from any given x.
4. For any given h, computationally infeasible to find x, where H(x) = h
(“one-way property”)
5. For any x, computationally infeasible to find y, y≠x, H(y) = H(x) (“weak
collision resistance”)
6. Computationally infeasible to find any pair (x, y) such that H(x) = H(y) (“strong collision resistance”)
Simple Hash Function
Bit-by-bit exclusive-OR (XOR)
$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
where $C_i$ = ith bit of the hash code, 1 ≤ i ≤ n
m = no. of n-bit blocks in the input
$b_{ij}$ = ith bit in jth block
$\oplus$ = XOR operation
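Added example (not from the original slides): the bit-by-bit XOR hash with n = 32, showing that it detects a single flipped bit but fails the weak collision resistance requirement, because reordering blocks or flipping the same bit position in two blocks leaves the hash code unchanged. The zero-padding of the last block, the helper names and the sample message are assumptions made for the example.

```python
def xor_hash(message: bytes, n_bytes: int = 4) -> bytes:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im, computed over blocks of 8*n_bytes bits."""
    # Assumption: the last block is zero-padded (the slide gives no padding rule).
    if len(message) % n_bytes:
        message += bytes(n_bytes - len(message) % n_bytes)
    code = bytes(n_bytes)
    for j in range(0, len(message), n_bytes):
        block = message[j:j + n_bytes]
        code = bytes(c ^ b for c, b in zip(code, block))
    return code


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 = MSB of byte 0)."""
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)


def swap_blocks(data: bytes, j: int, k: int, n_bytes: int = 4) -> bytes:
    """Exchange the jth and kth n-bit blocks of data."""
    blocks = [data[i:i + n_bytes] for i in range(0, len(data), n_bytes)]
    blocks[j], blocks[k] = blocks[k], blocks[j]
    return b"".join(blocks)


if __name__ == "__main__":
    msg = b"PAY 0100 TO BOB "  # constructed sample: four 32-bit blocks
    print("original        ", xor_hash(msg).hex())
    # One flipped bit changes the hash code (error detection works).
    print("one bit flipped ", xor_hash(flip_bit(msg, 5)).hex())
    # Swapping two blocks gives a different message with the same hash code.
    print("blocks swapped  ", xor_hash(swap_blocks(msg, 0, 1)).hex())
    # Flipping bit 3 in block 0 and bit 3 in block 1 cancels out.
    print("paired bit flips", xor_hash(flip_bit(flip_bit(msg, 3), 35)).hex())
```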
Basic Uses of Hash Functions
Digital Signature
Basic Uses of Hash Functions (cont.)
S is shared between sender and receiver
Hash and MAC Algorithms
Hash Functions
condense arbitrary size message to fixed size
by processing message in blocks
through some compression function
either custom or block cipher based
Message Authentication Code (MAC)
fixed sized authenticator for some message
to provide authentication for message
by using block cipher mode or hash function
Roadmap
Authentication Requirements
Authentication Functions
Hash and MAC Algorithms
MD5
SHA-1
HMAC
General Structure of Hash Function
f: compression function taking two inputs and
producing n-bit output
$CV_0 = IV$ = initial n-bit value
$CV_i = f(CV_{i-1}, Y_{i-1})$, 1 ≤ i ≤ L
$H(M) = CV_L$
MD5 Message Digest Algorithm
MD5 Steps
1. Append padding bits: up to 64 bits less than multiple of 512 bits
2. Append length: 64-bit representation of the length in bits. If the message is longer than $2^{64}$ bits, only the low-order 64 bits of the length are used.
Message length = K mod $2^{64}$. K is the message represented as a decimal number.
The message is represented as a sequence of 512-bit blocks $Y_0, Y_1, \ldots, Y_{L-1}$
So, we have L blocks of 512 bits
Each block is divided into 16 32-bit words.
Total number of words in the message is N, represented by M[0, …, N-1]
N = L x 16
MD5 Steps (cont.)
3. Initialize MD buffer
The buffer is represented as
4 32-bit registers (A, B, C, D)
Initialization value (in HEX)
A: 01 23 45 67 (32 bits)
B: 89 AB CD EF
C: FE DC BA 98
D: 76 54 32 10
MD5 Steps (cont.)
4. Process message in
512-bit (16-word) blocks
MD5 Steps (cont.)
5. Output
$CV_0 = IV$
$CV_{q+1} = \mathrm{SUM}_{32}(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])$
$MD = CV_L$
IV = initial value of ABCD buffer
$Y_q$ = the qth 512-bit block of the message
L = the number of blocks in the message
$CV_q$ = chaining variable processed with qth message block
$RF_x$ = round function using primitive function x
MD = final message digest value
$\mathrm{SUM}_{32}$ = addition modulo $2^{32}$ performed separately on each word of the pair of inputs
MD5 Compression Function
[Figure: MD5 compression function. Legend: s-bit circular left shift; addition modulo $2^{32}$]
MD5 Compression Function (cont.)
Each step is in the form:
a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
a,b,c,d = four words of the buffer
g = one of the primitive functions F,G,H,I
<<<s = s-bit circular left shift
X[k] = M[q x 16 + k] = the kth 32-bit word in the qth 512-bit block of the message
T[i] = the ith 32-bit word in matrix T
+ = addition modulo $2^{32}$
MD5 Update Algorithm
L = N/16
1 block = 16 words
SHA-1
MD5 accepts arbitrary length of input and produces 128-bit
output.
SHA-1 accepts arbitrary length (less than $2^{64}$ bits) of input and produces 160-bit output.
SHA-1 Steps
1. Append padding bits to 64 bits less than a multiple of 512 bits (length ≡ 448 mod 512)
2. Append length: length of original message in binary (64 bits)
3. Initialize MD buffer (160 bits)
Initialization value
A: 67 45 23 01
B: EF CD AB 89
C: 98 BA DC FE
D: 10 32 54 76
E: C3 D2 E1 F0
SHA-1 Steps (cont.)
4. Process message in 512-bit (16-word) blocks: for each
512-bit message to be processed,
4 rounds, 20 steps each (compared to 16 steps each in MD5)
So, 80 steps for 4 rounds
SHA-1 Steps (cont.)
SHA-1 Steps (cont.)
5. Output
After all 512-bit blocks have been processed, the output from Lth
stage is the 160-bit message digest.
$CV_0 = IV$
$CV_{q+1} = \mathrm{SUM}_{32}(CV_q, ABCDE_q)$
IV = initial value of ABCDE buffer
$ABCDE_q$ = the output of the last round of processing of the qth message block
L = no. of message blocks
$\mathrm{SUM}_{32}$ = addition modulo $2^{32}$
SHA-1 Compression Function
In each of the 80 rounds of processing one 512-bit message block
$A, B, C, D, E \leftarrow (E + f(t, B, C, D) + S^5(A) + W_t + K_t),\ A,\ S^{30}(B),\ C,\ D$
A,B,C,D,E = words of the buffer
t = step number, 0 ≤ t ≤ 79
f(t,B,C,D) = primitive function for step t
$S^k$ = k-bit circular shift of the 32-bit argument
$W_t$ = a 32-bit word derived from the current 512-bit input block
$K_t$ = an additive constant for step t
+ = addition modulo $2^{32}$
SHA-1 Compression Function (cont.)
SHA-1 Compression Function (cont.)
$W_t = S^1(W_{t-16} \oplus W_{t-14} \oplus W_{t-8} \oplus W_{t-3})$
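Added example (not from the original slides): SHA-1 written out in Python following the slide steps, with the message schedule and the five-register update given above. The primitive functions f(t, B, C, D) and the additive constants K_t are taken from FIPS 180, since the extracted slides do not list them; the function names are assumptions.

```python
import struct

MASK = 0xFFFFFFFF


def S(k: int, x: int) -> int:
    """S^k: k-bit circular left shift of a 32-bit word."""
    return ((x << k) | (x >> (32 - k))) & MASK


def sha1_pad(msg: bytes) -> bytes:
    """Steps 1-2: pad to 448 mod 512 bits, then append the 64-bit big-endian length."""
    bit_len = 8 * len(msg)
    msg += b"\x80" + bytes((55 - len(msg)) % 64)
    return msg + struct.pack(">Q", bit_len)


def f_and_k(t: int, B: int, C: int, D: int):
    """Primitive function value and additive constant K_t for step t (FIPS 180)."""
    if t < 20:
        return (B & C) | (~B & D), 0x5A827999
    if t < 40:
        return B ^ C ^ D, 0x6ED9EBA1
    if t < 60:
        return (B & C) | (B & D) | (C & D), 0x8F1BBCDC
    return B ^ C ^ D, 0xCA62C1D6


def sha1(msg: bytes) -> str:
    # Step 3: initialise the 160-bit buffer A, B, C, D, E with the slide's values.
    cv = struct.unpack(">5I", bytes.fromhex("67452301efcdab8998badcfe10325476c3d2e1f0"))
    data = sha1_pad(msg)
    for q in range(0, len(data), 64):               # Step 4: one 512-bit block
        W = list(struct.unpack(">16I", data[q:q + 64]))
        for t in range(16, 80):                     # W_t = S^1(W_{t-16} ^ W_{t-14} ^ W_{t-8} ^ W_{t-3})
            W.append(S(1, W[t - 16] ^ W[t - 14] ^ W[t - 8] ^ W[t - 3]))
        A, B, C, D, E = cv
        for t in range(80):                         # 4 rounds of 20 steps
            f, K = f_and_k(t, B, C, D)
            A, B, C, D, E = (E + f + S(5, A) + W[t] + K) & MASK, A, S(30, B), C, D
        # Step 5: CV_{q+1} = SUM32(CV_q, ABCDE_q)
        cv = tuple((x + y) & MASK for x, y in zip(cv, (A, B, C, D, E)))
    return struct.pack(">5I", *cv).hex()


if __name__ == "__main__":
    print(sha1(b"abc"))
```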
SHA-1 VS MD5
Security against brute-force attacks
Length of SHA-1 output is longer than that of MD5
Security against cryptanalysis
Collisions have been reported for both MD5 and SHA-1
Speed
SHA-1 is slower than MD5: 80 versus 64 steps
Simplicity and compactness
Both are simple
SHA-2
NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security
provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher
SHA-512 Overview
Keyed Hash Functions as MACs
want a MAC based on a hash function
because hash functions are generally faster
code for crypto hash functions widely available
hash includes a key along with message
original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
eventually led to development of HMAC
HMAC (Hashed MAC)
A MAC based on a cryptographic hash code
Motivations:
Executing a hash function is faster than symmetric encryption
Library code for hash functions is widely available.
No export restrictions from the US to other countries
HMAC
specified as Internet standard RFC2104
uses hash function on the message:
$\mathrm{HMAC}_K = \mathrm{Hash}[(K^+ \oplus \mathrm{opad}) \| \mathrm{Hash}[(K^+ \oplus \mathrm{ipad}) \| M]]$
where K+ is the key padded out to size
and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the
message needs alone
any hash function can be used
eg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Algorithm
H = hash function
M = message
$Y_i$ = ith block of M, 0 ≤ i ≤ L-1
L = no. of blocks in M
b = no. of bits in a block (based on chosen hash fn)
n = length of hash code
K = secret key
$K^+$ = K padded with zeros on the left so that the length is b bits
ipad = 00110110 repeated b/8 times
opad = 01011010 repeated b/8 times
$\mathrm{HMAC}_K = H[(K^+ \oplus \mathrm{opad}) \| H[(K^+ \oplus \mathrm{ipad}) \| M]]$
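Added example (not from the original slides): the HMAC construction built from a plain hash function, used for the Alice/Bob exchange {M, MAC} from the Message Authentication Code slide. It follows RFC 2104, which appends the zero padding after K and uses the bytes ipad = 0x36 and opad = 0x5C; the choice of SHA-256, the function names and the sample key and message are assumptions.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] per RFC 2104."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size    # block size in bytes (b/8 on the slide)
    if len(key) > b:                         # RFC 2104: overlong keys are hashed first
        key = H(key)
    k_plus = key.ljust(b, b"\x00")           # K+ : key zero-padded to one block
    inner = bytes(x ^ 0x36 for x in k_plus)  # K+ XOR ipad
    outer = bytes(x ^ 0x5C for x in k_plus)  # K+ XOR opad
    return H(outer + H(inner + msg))


def alice_send(key: bytes, msg: bytes):
    """Alice -> Bob: {M, MAC1}."""
    return msg, hmac_manual(key, msg)


def bob_verify(key: bytes, msg: bytes, mac1: bytes) -> bool:
    """Bob recomputes MAC2 and compares it with MAC1 in constant time."""
    mac2 = hmac_manual(key, msg)
    return hmac.compare_digest(mac1, mac2)


if __name__ == "__main__":
    k1 = b"constructed-shared-secret"        # constructed sample key
    m, mac1 = alice_send(k1, b"transfer 100 to account 42")  # constructed message
    print("library agrees :", mac1 == hmac.new(k1, m, "sha256").digest())
    print("untouched      :", bob_verify(k1, m, mac1))
    print("altered message:", bob_verify(k1, m.replace(b"100", b"900"), mac1))
    print("wrong key      :", bob_verify(b"other-key", m, mac1))
```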
Advantages of HMAC
Existing hash function can be implemented in HMAC
Easy to replace with more secure or updated hash algorithm
HMAC is proven more secure than hash algorithms
HMAC Security
proved security of HMAC relates to that of the
underlying hash algorithm
attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed would need to observe
a very large number of messages)
choose hash function used based on speed versus security constraints
Questions?
Quiz
1. Describe the difference between hash functions
and MACs in terms of security and their usages
2. Can we produce a MAC using:
2.1 symmetric encryption?
2.2 public-key encryption?
Then compare them with HMAC