Tải bản đầy đủ

Chapter 12. Hash and MAC Algorithms

Chapter 12. Hash and MAC Algorithms

any of his experts had been able to break Stern's code, nor was there any clue as to what

the preliminary number and those ultimate numbers signified.

Talking to Strange Men, Ruth Rendell

The Douglas Squirrel has a distinctive eating habit. It usually eats pine cones from the

bottom end up. Partially eaten cones can indicate the presence of these squirrels if they

have been attacked from the bottom first. If, instead, the cone has been eaten from the

top end down, it is more likely to have been a crossbill finch that has been doing the

dining.

Squirrels: A Wildlife Handbook, Kim Long

Key Points

●

●

●

Virtually all secure hash algorithms have the general structure shown in Figure 11.9.

The compression function used in secure hash algorithms falls into one of two

categories: a function specifically designed for the hash function or a symmetric

block cipher. SHA and Whirlpool are examples of these two approaches, respectively.

Message authentication codes also fall into two categories; those based on the use

of a secure hash algorithm and those based on the use of a symmetric block cipher.

HMAC and CMAC are examples of these two approaches, respectively.

In this chapter, we look at important examples of both secure hash algorithms and message

authentication codes (MACs). Most important modern hash functions follow the basic structure of Figure

11.9. This has proved to be a fundamentally sound structure, and newer designs simply refine the

structure and add to the hash code length. Within this basic structure, two approaches have been

followed in the design of the compression function, which is the basic building block of the hash function.

Traditionally, most hash functions that have achieved widespread use rely on a compression function

specifically designed for the hash function. Typically, the compression function makes use of modular

arithmetic and logical binary operations. Another approach is to use a symmetric block cipher as the

compression function. In this chapter, we examine perhaps the most important example of each

approach: the Secure Hash Algorithm (SHA) and Whirlpool.

MACs also conveniently fall into two categories based on their fundamental building block. One popular

approach is to use a hash algorithm such as SHA as the core of the MAC algorithm. Another approach is

to use a symmetric block cipher in a cipher block chaining mode. Again, we look at perhaps the most

important example of each approach: HMAC and CMAC.

[Page 353]

file:///D|/1/0131873164/ch12.html (2 von 2) [14.10.2007 09:41:16]

Section 12.1. Secure Hash Algorithm

[Page 353 (continued)]

12.1. Secure Hash Algorithm

The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology

(NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version

was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document

is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models

MD4. SHA-1 is also specified in RFC 3174, which essentially duplicates the material in FIPS 180-1, but

adds a C code implementation.

SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard,

FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits,

known as SHA-256, SHA-384, and SHA-512 (Table 12.1). These new versions have the same underlying

structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In

2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the

other SHA versions by 2010. Shortly thereafter, a research team described an attack in which two

separate messages could be found that deliver the same SHA-1 hash using 269 operations, far fewer

than the 280 operations previously thought needed to find a collision with an SHA-1 hash [WANG05].

This result should hasten the transition to the other versions of SHA.

Table 12.1. Comparison of SHA Parameters

SHA-1

SHA-256

SHA-384

SHA-512

Message digest size

160

256

384

512

Message size

<264

<264

<2128

<2128

Block size

512

512

1024

1024

Word size

32

32

64

64

Number of steps

80

64

80

80

Security

80

128

192

256

Notes: 1. All sizes are measured in bits.

2. Security refers to the fact that a birthday attack on a message digest of size n produces a collision

n/2

with a workfactor of approximately 2

In this section, we provide a description of SHA-512. The other versions are quite similar.

SHA-512 Logic

file:///D|/1/0131873164/ch12lev1sec1.html (1 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

The algorithm takes as input a message with a maximum length of less than 2128 bits and produces as

output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure 12.1 depicts the

overall processing of a message to produce a digest.

[Page 354]

Figure 12.1. Message Digest Generation Using SHA-512

[View full size image]

This follows the general structure depicted in Figure 11.9. The processing consists of the following steps:

●

●

Step 1: Append padding bits. The message is padded so that its length is congruent to 896

modulo 1024 [length

896 (mod 1024)]. Padding is always added, even if the message is

already of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The

padding consists of a single 1-bit followed by the necessary number of 0-bits.

Step 2: Append length. A block of 128 bits is appended to the message. This block is treated

as an unsigned 128-bit integer (most significant byte first) and contains the length of the original

message (before the padding).

The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in

length. In Figure 12.1, the expanded message is represented as the sequence of 1024-bit blocks

M1, M2,..., MN, so that the total length of the expanded message is N x 1024 bits.

●

Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of

the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

These registers are initialized to the following 64-bit integers (hexadecimal values):

a = 6A09E667F3BCC908

file:///D|/1/0131873164/ch12lev1sec1.html (2 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

b = BB67AE8584CAA73B

c = 3C6EF372FE94F82B

c = A54FF53A5F1D36F1

e = 510E527FADE682D1

f = 9B05688C2B3E6C1F

g = 1F83D9ABFB41BD6B

h = 5BE0CDI9137E2179

[Page 355]

These values are stored in big-endianformat, which is the most significant byte of a word in the

low-address (leftmost) byte position. These words were obtained by taking the first sixty-four

bits of the fractional parts of the square roots of the first eight prime numbers.

●

Step 4: Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a

module that consists of 80 rounds; this module is labeled F in Figure 12.1. The logic is illustrated

in Figure 12.2.

Figure 12.2. SHA-512 Processing of a Single 1024-Bit Block

file:///D|/1/0131873164/ch12lev1sec1.html (3 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the

buffer. At input to the first round, the buffer has the value of the intermediate hash value, H -1.

i

Each round t makes use of a 64-bit value Wt derived from the current 1024-bit block being

processed (Mi) These values are derived using a message schedule described subsequently. Each

round also makes use of an additive constant Kt where 0

t

79 indicates one of the 80

rounds. These words represent the first sixty-four bits of the fractional parts of the cube roots of

the first eighty prime numbers. The constants provide a "randomized" set of 64-bit patterns,

which should eliminate any regularities in the input data.

file:///D|/1/0131873164/ch12lev1sec1.html (4 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

The output of the eightieth round is added to the input to the first round (H -1)to produce Hi. The

i

addition is done independently for each of the eight words in the buffer with each of the

corresponding words in H -1 using addition modulo 264.

i

●

[Page 356]

Step 5: Output. After all N 1024-bit blocks have been processed, the output from the Nth stage

is the 512-bit message digest.

We can summarize the behavior of SHA-512 as follows:

H0 = IV

Hi = SUM64(H -1, abcdefgh )

i

i

MD = HN

where

IV

= initial value of the abcdefgh buffer, defined in step 3

abcdefghi = the output of the last round of processing of the ith message block

N

= the number of blocks in the message (including padding and length fields)

SUM64

= Addition modulo 264 performed separately on each word of the pair of inputs

MD

= final message digest value

SHA-512 Round Function

Let us look in more detail at the logic in each of the 80 steps of the processing of one 512-bit block

(Figure 12.3). Each round is defined by the following set of equations:

file:///D|/1/0131873164/ch12lev1sec1.html (5 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

where

t

=step number; 0

Ch(e, f, g)

= (e AND f)

Maj(a, b, c)

t

79

(NOT e AND g) the conditional function: If e then f else g

(a AND c)

(b AND c) the function is true only of the majority (two or

= (a AND b)

three) of the arguments are true.

[Page 357]

n

ROTR (x) = circular right shift (rotation) of the 64-bit argument x by n bits

Wt

= a 64-bit word derived from the current 512-bit input block

Kt

= a 64-bit additive constant

+

= addition modulo 264

file:///D|/1/0131873164/ch12lev1sec1.html (6 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Figure 12.3. Elementary SHA-512 Operation (single round)

It remains to indicate how the 64-bit word values Wt are derived from the 1024-bit message. Figure

12.4 illustrates the mapping. The first 16 values of Wt are taken directly from the 16 words of the

current block. The remaining values are defined as follows:

where

n

ROTR (x) = circular right shift (rotation) of the 64-bit argument x by n bits

n

SHR (x)

= left shift of the 64-bit argument x by n bits with padding by zeros on the right

Figure 12.4. Creation of 80-word Input Sequence for SHA-512 Processing of

file:///D|/1/0131873164/ch12lev1sec1.html (7 von 8) [14.10.2007 09:41:17]

Section 12.1. Secure Hash Algorithm

Single Block

(This item is displayed on page 358 in the print version)

[View full size image]

Thus, in the first 16 steps of processing, the value of W is equal to the corresponding word in the

t

message block. For the remaining 64 steps, the value of W consists of the circular left shift by one bit of

t

the XOR of four of the preceding values of W , with two of those values subjected to shift and rotate

t

operations. This introduces a great deal of redundancy and interdependence into the message blocks

that are compressed, which complicates the task of finding a different message block that maps to the

same compression function output.

[Page 358]

file:///D|/1/0131873164/ch12lev1sec1.html (8 von 8) [14.10.2007 09:41:17]

Section 12.2. Whirlpool

[Page 358 (continued)]

12.2. Whirlpool[1]

[1]

Most of the material in this section originally appeared in [STAL O6].

In this section, we examine the hash function Whirlpool [BARR03], one of whose designers is also coinventor of Rijndael, adopted as the Advanced Encryption Standard (AES). Whirlpool is one of only two

hash functions endorsed by NESSIE (New European Schemes for Signatures, Integrity, and Encryption).

[2]

The NESSIE project is a European Unionsponsored effort to put forward a portfolio of strong

cryptographic primitives of various types.

[2]

The other endorsed scheme consists of three variants of SHA: SHA-256, SHA-384, and SHA-512.

Whirlpool is based on the use of a block cipher for the compression function. As was mentioned in

Chapter 11, there has traditionally been little interest in the use of block-cipher-based hash functions

because of the demonstrated security vulnerabilities of the structure. The following are potential

drawbacks:

1.

Block ciphers do not possess the properties of randomizing functions. For example, they are

invertible. This lack of randomness may lead to weaknesses that can be exploited.

2.

Block ciphers typically exhibit other regularities or weaknesses. For example, [MIYA90]

demonstrates how to compromise many hash schemes based on properties of the underlying

block cipher.

3.

Typically, block-cipher-based hash functions are significantly slower than hash functions based

on a compression function specifically designed for the hash function.

4.

A principal measure of the strength of a hash function is the length of the hash code in bits. For

block-cipher-based hash codes, proposed designs have a hash code length equal to either the

cipher block length or twice the cipher block length. Traditionally, cipher block length has been

limited to 64 bits (e.g., DES, triple DES), resulting in a hash code of questionable strength.

[Page 359]

However, since the adoption of AES, there has been renewed interested in developing a secure hash

function based on a strong block cipher and exhibiting good performance. Whirlpool is a block-cipherfile:///D|/1/0131873164/ch12lev1sec2.html (1 von 13) [14.10.2007 09:41:19]

Section 12.2. Whirlpool

based hash function intended to provide security and performance that is comparable, if not better, than

that found in non-block-cipher based hash functions, such as SHA. Whirlpool has the following features:

1.

The hash code length is 512 bits, equaling the longest hash code available with SHA.

2.

The overall structure of the hash function is one that has been shown to be resistant to the usual

attacks on block-cipher-based hash codes.

3.

The underlying block cipher is based on AES and is designed to provide for implementation in

both software and hardware that is both compact and exhibits good performance.

The design of Whirlpool sets the following security goals: Assume we take as hash result the value of

any n-bit substring of the full Whirlpool output.

●

●

●

n

The expected workload of generating a collision is of the order of 2 /2 executions of Whirlpool.

Given an n-bit value, the expected workload of finding a message that hashes to that value is of

the order of 2n executions of Whirlpool.

Given a message and its n-bit hash result, the expected workload of finding a second message

n

●

that hashes to the same value is of the order of 2 executions of Whirlpool.

It is infeasible to detect systematic correlations between any linear combination of input bits and

any linear combination of bits of the hash result, or to predict what bits of the hash result will

change value when certain input bits are flipped (this means resistance against linear and

differential attacks).

The designers assert their confidence that these goals have been met with a considerable safety margin.

However, the goals are not susceptible to a formal proof.

We begin with a discussion of the structure of the overall hash function, and then examine the block

cipher used as the basic building block.

Whirlpool Hash Structure

Background

The general iterated hash structure proposed by Merkle (Figure 11.9) is used in virtually all secure hash

functions. However, as was pointed out, there are difficulties in designing a truly secure iterated hash

function when the compression function is a block cipher. Preneel [PREN93a, PREN93b] performed a

systematic analysis of block-cipher-based hash functions, using the model depicted in Figure 12.5. In

this model, the hash code length equals the cipher block length. Additional security problems are

introduced and the analysis is more difficult if the hash code length exceeds the cipher block length.

Preneel devised 64 possible permutations of the basic model, based on which input served as the

encryption key and which served as plaintext and on what input, if any, was combined with the

ciphertext to produce the intermediate hash code. Based on his analysis, he concluded that only

schemes in which the plaintext was fed forward and combined with the ciphertext were secure. Such an

arrangement makes the compression function difficult to invert. [BLAC02] confirmed these results, but

pointed out the security problem of using an established block cipher such as AES: The 128-bit hash

file:///D|/1/0131873164/ch12lev1sec2.html (2 von 13) [14.10.2007 09:41:19]

## Stallings cryptography and network security

## Chapter 2. Classical Encryption Techniques

## Chapter 3. Block Ciphers and the Data Encryption Standard

## Chapter 5. Advanced Encryption Standard

## Chapter 6. More on Symmetric Ciphers

## Chapter 7. Confidentiality Using Symmetric Encryption

## Chapter 8. Introduction to Number Theory

## Chapter 9. Public-Key Cryptography and RSA

## Chapter 10. Key Management; Other Public-Key Cryptosystems

## Chapter 11. Message Authentication and Hash Functions

## Chapter 13. Digital Signatures and Authentication Protocols

Tài liệu liên quan