Tải bản đầy đủ
Chapter 12.  Hash and MAC Algorithms

Chapter 12.  Hash and MAC Algorithms

Tải bản đầy đủ

Chapter 12. Hash and MAC Algorithms

any of his experts had been able to break Stern's code, nor was there any clue as to what
the preliminary number and those ultimate numbers signified.
Talking to Strange Men, Ruth Rendell
The Douglas Squirrel has a distinctive eating habit. It usually eats pine cones from the
bottom end up. Partially eaten cones can indicate the presence of these squirrels if they
have been attacked from the bottom first. If, instead, the cone has been eaten from the
top end down, it is more likely to have been a crossbill finch that has been doing the
dining.
Squirrels: A Wildlife Handbook, Kim Long

Key Points

Virtually all secure hash algorithms have the general structure shown in Figure 11.9.
The compression function used in secure hash algorithms falls into one of two
categories: a function specifically designed for the hash function or a symmetric
block cipher. SHA and Whirlpool are examples of these two approaches, respectively.
Message authentication codes also fall into two categories; those based on the use
of a secure hash algorithm and those based on the use of a symmetric block cipher.
HMAC and CMAC are examples of these two approaches, respectively.

In this chapter, we look at important examples of both secure hash algorithms and message
authentication codes (MACs). Most important modern hash functions follow the basic structure of Figure
11.9. This has proved to be a fundamentally sound structure, and newer designs simply refine the
structure and add to the hash code length. Within this basic structure, two approaches have been
followed in the design of the compression function, which is the basic building block of the hash function.
Traditionally, most hash functions that have achieved widespread use rely on a compression function
specifically designed for the hash function. Typically, the compression function makes use of modular
arithmetic and logical binary operations. Another approach is to use a symmetric block cipher as the
compression function. In this chapter, we examine perhaps the most important example of each
approach: the Secure Hash Algorithm (SHA) and Whirlpool.
MACs also conveniently fall into two categories based on their fundamental building block. One popular
approach is to use a hash algorithm such as SHA as the core of the MAC algorithm. Another approach is
to use a symmetric block cipher in a cipher block chaining mode. Again, we look at perhaps the most
important example of each approach: HMAC and CMAC.

[Page 353]

file:///D|/1/0131873164/ch12.html (2 von 2) [14.10.2007 09:41:16]

Section 12.1. Secure Hash Algorithm

[Page 353 (continued)]

12.1. Secure Hash Algorithm
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology
(NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version
was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document
is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models
MD4. SHA-1 is also specified in RFC 3174, which essentially duplicates the material in FIPS 180-1, but
adds a C code implementation.
SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard,
FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits,
known as SHA-256, SHA-384, and SHA-512 (Table 12.1). These new versions have the same underlying
structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In
2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the
other SHA versions by 2010. Shortly thereafter, a research team described an attack in which two
separate messages could be found that deliver the same SHA-1 hash using 269 operations, far fewer
than the 280 operations previously thought needed to find a collision with an SHA-1 hash [WANG05].
This result should hasten the transition to the other versions of SHA.

Table 12.1. Comparison of SHA Parameters
SHA-1

SHA-256

SHA-384

SHA-512

Message digest size

160

256

384

512

Message size

<264

<264

<2128

<2128

Block size

512

512

1024

1024

Word size

32

32

64

64

Number of steps

80

64

80

80

Security

80

128

192

256

Notes: 1. All sizes are measured in bits.
2. Security refers to the fact that a birthday attack on a message digest of size n produces a collision
n/2

with a workfactor of approximately 2

In this section, we provide a description of SHA-512. The other versions are quite similar.

SHA-512 Logic

file:///D|/1/0131873164/ch12lev1sec1.html (1 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

The algorithm takes as input a message with a maximum length of less than 2128 bits and produces as
output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure 12.1 depicts the
overall processing of a message to produce a digest.

[Page 354]

Figure 12.1. Message Digest Generation Using SHA-512
[View full size image]

This follows the general structure depicted in Figure 11.9. The processing consists of the following steps:

Step 1: Append padding bits. The message is padded so that its length is congruent to 896
modulo 1024 [length
896 (mod 1024)]. Padding is always added, even if the message is
already of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The
padding consists of a single 1-bit followed by the necessary number of 0-bits.
Step 2: Append length. A block of 128 bits is appended to the message. This block is treated
as an unsigned 128-bit integer (most significant byte first) and contains the length of the original
message (before the padding).
The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. In Figure 12.1, the expanded message is represented as the sequence of 1024-bit blocks
M1, M2,..., MN, so that the total length of the expanded message is N x 1024 bits.

Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of
the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to the following 64-bit integers (hexadecimal values):
a = 6A09E667F3BCC908

file:///D|/1/0131873164/ch12lev1sec1.html (2 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
c = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CDI9137E2179

[Page 355]
These values are stored in big-endianformat, which is the most significant byte of a word in the
low-address (leftmost) byte position. These words were obtained by taking the first sixty-four
bits of the fractional parts of the square roots of the first eight prime numbers.

Step 4: Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a
module that consists of 80 rounds; this module is labeled F in Figure 12.1. The logic is illustrated
in Figure 12.2.

Figure 12.2. SHA-512 Processing of a Single 1024-Bit Block

file:///D|/1/0131873164/ch12lev1sec1.html (3 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the
buffer. At input to the first round, the buffer has the value of the intermediate hash value, H -1.
i

Each round t makes use of a 64-bit value Wt derived from the current 1024-bit block being
processed (Mi) These values are derived using a message schedule described subsequently. Each
round also makes use of an additive constant Kt where 0

t

79 indicates one of the 80

rounds. These words represent the first sixty-four bits of the fractional parts of the cube roots of
the first eighty prime numbers. The constants provide a "randomized" set of 64-bit patterns,
which should eliminate any regularities in the input data.

file:///D|/1/0131873164/ch12lev1sec1.html (4 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

The output of the eightieth round is added to the input to the first round (H -1)to produce Hi. The
i
addition is done independently for each of the eight words in the buffer with each of the
corresponding words in H -1 using addition modulo 264.
i

[Page 356]
Step 5: Output. After all N 1024-bit blocks have been processed, the output from the Nth stage
is the 512-bit message digest.
We can summarize the behavior of SHA-512 as follows:
H0 = IV
Hi = SUM64(H -1, abcdefgh )
i
i
MD = HN

where
IV

= initial value of the abcdefgh buffer, defined in step 3

abcdefghi = the output of the last round of processing of the ith message block
N

= the number of blocks in the message (including padding and length fields)

SUM64

= Addition modulo 264 performed separately on each word of the pair of inputs

MD

= final message digest value

SHA-512 Round Function
Let us look in more detail at the logic in each of the 80 steps of the processing of one 512-bit block
(Figure 12.3). Each round is defined by the following set of equations:

file:///D|/1/0131873164/ch12lev1sec1.html (5 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

where
t

=step number; 0

Ch(e, f, g)

= (e AND f)

Maj(a, b, c)

t

79

(NOT e AND g) the conditional function: If e then f else g

(a AND c)
(b AND c) the function is true only of the majority (two or
= (a AND b)
three) of the arguments are true.

[Page 357]

n
ROTR (x) = circular right shift (rotation) of the 64-bit argument x by n bits

Wt

= a 64-bit word derived from the current 512-bit input block

Kt

= a 64-bit additive constant

+

= addition modulo 264

file:///D|/1/0131873164/ch12lev1sec1.html (6 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Figure 12.3. Elementary SHA-512 Operation (single round)

It remains to indicate how the 64-bit word values Wt are derived from the 1024-bit message. Figure
12.4 illustrates the mapping. The first 16 values of Wt are taken directly from the 16 words of the
current block. The remaining values are defined as follows:

where

n
ROTR (x) = circular right shift (rotation) of the 64-bit argument x by n bits
n

SHR (x)

= left shift of the 64-bit argument x by n bits with padding by zeros on the right

Figure 12.4. Creation of 80-word Input Sequence for SHA-512 Processing of
file:///D|/1/0131873164/ch12lev1sec1.html (7 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Single Block
(This item is displayed on page 358 in the print version)
[View full size image]

Thus, in the first 16 steps of processing, the value of W is equal to the corresponding word in the
t

message block. For the remaining 64 steps, the value of W consists of the circular left shift by one bit of
t

the XOR of four of the preceding values of W , with two of those values subjected to shift and rotate
t

operations. This introduces a great deal of redundancy and interdependence into the message blocks
that are compressed, which complicates the task of finding a different message block that maps to the
same compression function output.

[Page 358]

file:///D|/1/0131873164/ch12lev1sec1.html (8 von 8) [14.10.2007 09:41:17]

Section 12.2. Whirlpool

[Page 358 (continued)]

12.2. Whirlpool[1]
[1]

Most of the material in this section originally appeared in [STAL O6].

In this section, we examine the hash function Whirlpool [BARR03], one of whose designers is also coinventor of Rijndael, adopted as the Advanced Encryption Standard (AES). Whirlpool is one of only two
hash functions endorsed by NESSIE (New European Schemes for Signatures, Integrity, and Encryption).
[2]
The NESSIE project is a European Unionsponsored effort to put forward a portfolio of strong
cryptographic primitives of various types.
[2]

The other endorsed scheme consists of three variants of SHA: SHA-256, SHA-384, and SHA-512.

Whirlpool is based on the use of a block cipher for the compression function. As was mentioned in
Chapter 11, there has traditionally been little interest in the use of block-cipher-based hash functions
because of the demonstrated security vulnerabilities of the structure. The following are potential
drawbacks:
1.
Block ciphers do not possess the properties of randomizing functions. For example, they are
invertible. This lack of randomness may lead to weaknesses that can be exploited.
2.
Block ciphers typically exhibit other regularities or weaknesses. For example, [MIYA90]
demonstrates how to compromise many hash schemes based on properties of the underlying
block cipher.
3.
Typically, block-cipher-based hash functions are significantly slower than hash functions based
on a compression function specifically designed for the hash function.
4.
A principal measure of the strength of a hash function is the length of the hash code in bits. For
block-cipher-based hash codes, proposed designs have a hash code length equal to either the
cipher block length or twice the cipher block length. Traditionally, cipher block length has been
limited to 64 bits (e.g., DES, triple DES), resulting in a hash code of questionable strength.

[Page 359]
However, since the adoption of AES, there has been renewed interested in developing a secure hash
function based on a strong block cipher and exhibiting good performance. Whirlpool is a block-cipherfile:///D|/1/0131873164/ch12lev1sec2.html (1 von 13) [14.10.2007 09:41:19]

Section 12.2. Whirlpool

based hash function intended to provide security and performance that is comparable, if not better, than
that found in non-block-cipher based hash functions, such as SHA. Whirlpool has the following features:
1.
The hash code length is 512 bits, equaling the longest hash code available with SHA.
2.
The overall structure of the hash function is one that has been shown to be resistant to the usual
attacks on block-cipher-based hash codes.
3.
The underlying block cipher is based on AES and is designed to provide for implementation in
both software and hardware that is both compact and exhibits good performance.
The design of Whirlpool sets the following security goals: Assume we take as hash result the value of
any n-bit substring of the full Whirlpool output.

n

The expected workload of generating a collision is of the order of 2 /2 executions of Whirlpool.
Given an n-bit value, the expected workload of finding a message that hashes to that value is of
the order of 2n executions of Whirlpool.
Given a message and its n-bit hash result, the expected workload of finding a second message
n

that hashes to the same value is of the order of 2 executions of Whirlpool.
It is infeasible to detect systematic correlations between any linear combination of input bits and
any linear combination of bits of the hash result, or to predict what bits of the hash result will
change value when certain input bits are flipped (this means resistance against linear and
differential attacks).

The designers assert their confidence that these goals have been met with a considerable safety margin.
However, the goals are not susceptible to a formal proof.
We begin with a discussion of the structure of the overall hash function, and then examine the block
cipher used as the basic building block.

Whirlpool Hash Structure
Background
The general iterated hash structure proposed by Merkle (Figure 11.9) is used in virtually all secure hash
functions. However, as was pointed out, there are difficulties in designing a truly secure iterated hash
function when the compression function is a block cipher. Preneel [PREN93a, PREN93b] performed a
systematic analysis of block-cipher-based hash functions, using the model depicted in Figure 12.5. In
this model, the hash code length equals the cipher block length. Additional security problems are
introduced and the analysis is more difficult if the hash code length exceeds the cipher block length.
Preneel devised 64 possible permutations of the basic model, based on which input served as the
encryption key and which served as plaintext and on what input, if any, was combined with the
ciphertext to produce the intermediate hash code. Based on his analysis, he concluded that only
schemes in which the plaintext was fed forward and combined with the ciphertext were secure. Such an
arrangement makes the compression function difficult to invert. [BLAC02] confirmed these results, but
pointed out the security problem of using an established block cipher such as AES: The 128-bit hash

file:///D|/1/0131873164/ch12lev1sec2.html (2 von 13) [14.10.2007 09:41:19]