910 likes | 1.09k Views
Chapter VII. Hashing, Authentication, and Signature Schemes. Issues addressed Alice receives a message from Bob Is it authentic? Is it really from Bob? How to ‘electronically’ ensure authenticity? Authenticity of source Authenticity of message How to ‘electronically’ sign a message ?.
E N D
Chapter VII Hashing, Authentication, and Signature Schemes
Issues addressed • Alice receives a message from Bob • Is it authentic? • Is it really from Bob? • How to ‘electronically’ ensure authenticity? • Authenticity of source • Authenticity of message • How to ‘electronically’ sign a message ?
Hash value of a message unique tag of message • its fingerprint • Alternate terms message digest / Message Integrity Check (MIC) / Message Detection Code (MDC) • widely known as ‘hash value’ of message • Typically hash value is 160 bits long • message can be much longer • ‘hashing function’ function used to generate hash value • Hash smaller in length than message • hashing function also called a ‘compression function’
Need for Alice : ‘send a message to Bob ensure it is not corrupted’ • Hashing schemes provide means of establishing such credibility of message • Hash value generated from message itself • Alice attaches it to message & sends the pair to Bob • Bob knows functional scheme used to generate hash value • Bob regenerates hash • Same as hash from Alice? • Yes Bob confirms ‘message is authentic’
Causes galore for corruption! • length of message/ noisy nature of transmitting / recording media / presence of ill-intentioned Eve on the way / possible corruption in archive • hash a much shorter stamp (say 160 bits long) • More easily preserved & transmitted faithfully • Facilitates Bob’s check Bob can regenerate hash from message stream itself & use it to verify its genuineness
CD – an archive stores a long message – for later use • On retrieval, how to ascertain ‘it is uncorrupted?’ • Generate hash & store separately / more reliable way • Use it along with freshly generated hash value • They tally ? message remains uncorrupted • security / confidentiality / integrity of source etc. . Not involved here • x message of i bits • y hash value of nbits • i >> n 160 bits representative value for hash length n
y = f(x) hashing function • function of selected bits of message (involving AND, OR, INVERT, & XOR operations) • x to y relation of many-to-one type • multiple values for x lead to same value for y • Such identification defeats purpose of hashing – namely providing authenticity • need to define scope of hashing function &identify criteria it has to satisfy
random oracle model • abstraction of a black-box type of function. • Outputs a random number y (x) for every input x • repetition of a query elicits same answer • functional relation in I / O process not discernible • random Oracle model idealization of hashing function. • query oracle with a new x • It doles out a fresh hash value y • x1, x2, x3, . . . sequence of messages • y1, y2, y3, . . . corresponding hash values
Knowledge of the pairs (x1, y1), (x2, y2), . . . • No clue to hash value for next query • independence property • Let M be the collection of all possible messages and Y the collection of all possible hash values. Let {x1, x2, . . } be the set of messages for which the hash values have already been obtained as {y1, y2, . . }. The hash value for a new message x which is not in the set is equally likely to be anyone of the possible hash values. The probability of it being a specific value yp is 1/│Y│.
SHA-1 hashing function • message length 264 bits • possible message values • - (more precisely ) • Hash value =160 bits - 2160 possible hash values • P (hash value of a new message) is anyone of these = 2-160 • Hashing function – requirements • Pre-image resistance • Second Pre-Image Resistance • Collision Resistance
Pre-image resistance • Knowing hash value y1 can we find message x1? • Make q queries to oracle • oracle returns y1 as hash value to any one of these queries ineffective hashing function • (1- 1/│Y│)qP(failure to return y1 in q successive queries) • P of success is 1 - (1- 1/│Y│)q • Probability value, its approximation, & variation with relative values of qdiscussed earlier • q<< │Y│ Pof success = q/│Y│ • a reasonable chance of success q ~│Y│
hashing schemes -- SHA-1 & RIPEMD160 -- use 160-bit hash values • No. of trials for success ~ 2160 too high to be computationally feasible • A ‘pre-image resistant’ hashing function
Second Pre-Image Resistance • With message x1 we get hash value y1 – given hashing function f • Can we identify x2different from x1with hash value y1 ? • Yes fingerprint not ‘unique’ to x1 • P of success = 1 - (1- 1/│Y│)q-1 • q<< │Y│P of success (q-1)/│Y│ • a ‘second pre-image resistant’ hashing function • also known as a ‘weak collision resistant’ hashing function. • A hashing function with three properties • ease of computation, pre-image resistant, & second pre-image resistant ‘one-way hash function’.
Collision Resistance • collision problem Identify a pair of messages (x1, x2) • query oracle returns same hash value • number of queries to be made ~ for a collision to occur • SHA-1 & RIPEMD-160 ~ 260 queries to identify collision • By today’s standards computationally infeasible • Let f -- a collision resistant hashing function not second pre-image resistant • identify messages x1 & x2 such that f(x1) = f(x2) = y • function is not collision resistant • a collision resistant hashing function second pre-image resistant
Carefully selected hashing function satisfies • Easy realisability, pre-image resistance, second pre-image resistance, & collision resistance • An attacker may still identify & exploit weakness in function • Important criteria for prevention: • Hash value for any message should be a random bit sequence exhibit correlation immunity • Change in one message bit should affect as many bits in hash value as possible • Ideally all output bits should be affected • ‘avalanche’ effect • If hashing function does not exhibit avalanche effect, specific bit positions in message affect only a limited number of bit positions in hash value • Can be exploited as a weakness by an attacker
Iterated Hashing Functions • hashing functions all iterated hashing functions • hash length l bits & Message i bits • a selected bit sequence padded to the message • No. of bits after padding a multiple of l • Pad has total No. of bits in message as a 64-bit binary number at right end • padding and the segmentation schemes Figure
Iterated hashing scheme specifies • Initial hash value (an initial vector) h0 & • hashing function • length of h0 same as final hash value • output of hashing with first message block M0 h1 • h1 a bit sequence of length h0 itself • h1 appended to the next message block M1 • The set hashed again • . . . • Repeat until all preprocessed message blocks are hashed • Scheme block diagram Figure • Merkle and Damgard • a compression function is collision resistant • iterative function using it is also collision resistant • justification for iterative hashing using a suitably selected hashing function
Hashing Schemes • MD5 –upgrade of predecessor MD4 • in wide use over past few years • Now vulnerable given way to SHA-1 &RIPEMD-160 • Both are its enhancements • Both in wide use today • likely to be in use for next few years • The respective standards also specify scaled up versions • Users expected to migrate to scaled up versions As enhanced computing power & analysis techniques make them vulnerable to attacks
pre-processing stage • Identical for both • message length block of i bits with 0 i < 264 • Message segmented into blocks of 512 bits each • total number of blocks N • Procedure • To message of i bits append a 1-bit • Follow it by k zero bits such that i+ 1 + k ≡ 448 (mod 512) • k smallest number of zeros possible • Represent i as a 64-bit binary number • Append it to the i + 1 + k set of bits • padded message 512Nbits long • Ntotal number of message blocks
SHA – 1 • SHA-1 (Acronym for ‘Secure Hashing Algorithm’) • A NIST approved hashing algorithm • Generates a hash of 160 bits • message block is a pre-processed • Then hashing processing stage An iterative process • Hashing starts with 160-bit seed as hash value • A sequence of non-linear operations carried out on first message block of 512 bits • Sequence cyclically repeated 80 times • A 160-bit hash value generated • Use this as seed & repeat cyclic sequence for second message block of 512 bits
Continue & hash all N message blocks 160-bit hash value • The various constants used & steps involved in hashing: • Initial hash value (‘seed value’) is taken as sequence of five 32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe;H[3][0] = 0x10325476; • H[4][0] = 0xc3d2e1f0; • A set of constants kt for t values from 0 to 79 is defined • Used successively in 80 rounds of processing done on each message block • kt = 0x5a827999: 0 t 19 • = 0x6ed9eba1: 20 t 39 • = 0x8f1bbcdc: 40 t 59 • = 0xca62c1d6: 60 t 79
Step by Step Procedure for Hashing • Define the function ft(x, y, z) as • # 2. ithmessage block set of sixteen 32-bit words – {M[0][i], M[1][i], M[2][i], . . M[15][i]} Carry out following sequence of operations – up to (and including) step 6 – for all message blocks from i = 1 toi = N
3. Using ith message block prepare ‘ message schedule’ – W – as Do for 0 t 15 W [t] = M[t][i] Do for 16 t 79 W[t]=(W[t-3]W[t-8] W[t-14] W[t-16]) <<1 Creation of message schedule from message block in SHA-1
4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1], H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D, and E as • A= H[0][t-1]; B= H[1][t-1]; C= H[2][t-1] • D= H[3][t-1]; E= H[4][t-1] 5. do for 0 t 79 • { • T = (A << 5) + ft(B, C, D) + E + k[t] + W[t] • where ft(x, y, z) function defined #above. • (A << signifies circular left shift of A by five bit positions. All additions are to be of mod (232) type. • E = D; D = C; C= (B <<30); B= A; A= T • } • (B << 30) signifies circular left shift of B by thirty bit positions • Flow of operations Figures
6. Compute the next hash value set as • H[0][t]= A + H[0][t-1] • H[1][t]= B + H[1][t-1] • H[2][t]= C + H[2][t-1] • H[3][t]= D + H[3][t-1] • H[4][t]= E + H[4][t-1] • All additions are to be of mod (232) type. • 7. After completing sequence N times – (with all Nmessage blocks) form hash value – i.e., the 160-bit message digest – as • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]} • Example See text
SHA Family • SHA five sizes specified by NIST • cyclic scheme SHA-1 with minor differences • Sizes & all related info. Table
RIPEMD-160 • Start hashing with a 160-bit initial hash value (initial vector) • – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]} • H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; • H[2][0] = 0x98badcfe; H[3][0] = 0x10325476; • H[4][0] = 0xc3d2e1f0; • values same as for SHA-1 • N message blocks are processed in succession from 1 to N • Hash values after processing ith block 31 • – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i] • Hash values after completion of processing with all N blocks H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N] • Final hash value 160-bit concatenated value of these
Each message block of 512 bits composed of a sequence of sixteen words • put through two 80-cycle operational sequences in parallel Figure • ‘left (80-cycle) sequence’ & • ‘right (80-cycle) sequence’ • 80-cycles arranged as a sequence of five rounds • Each round a sequence of sixteen cycles • Each uses one of sixteen words of message block • Each message word used ten times • once in each round on left sequence & • once in each round on right sequence
A pre-defined permutation of words in message block decides instant of use of each word • Step-by-step hashing procedure follows 1. {M[0][i], M[1][i], M[2][i], . . M[15][i]} • message block set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zl[0], zl[1],zl[2], . . . .,zl[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation • first round for left sequence
2. {M[0][i], M[1][i], M[2][i], . . M[15][i]} • message block set of sixteen 32-bit words • Permute conforming to row-1 in Table • Form the sequence – {zr[0], zr[1],zr[2], . . . .,zr[15]} • [for this specific case permutation is not done] • Use permuted word values and complete sixteen cycles of operation • first round for right sequence
3. Permute– {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Left-Table ’ • Form sequence – {zl[16], zl[17],zl[18], . . . .,zl[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence 4. Permute– {M[0][i], M[1][i], M[2][i], . . M[15][i]} – conforming to row-2 in ‘Right-Table ’ • Form sequence – {zr[16], zr[17],zr[18], . . . .,zr[31]} • Use permuted word values & complete 16 cycles of operation of second round for left sequence 5. Proceed as above & complete rounds 3, 4, & 5 • use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables
Operational sequence of eighty cycles completed • Leftword set {Al, Bl, Cl, Dl, El} • Right word set {Ar, Br, Cr, Dr, Er} • Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],& H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1], H[3][i+1],& H[4][i+1]} • Use following algebra • H[0][i+1]= H[1][i]+ Cl + Dr • H[1][i+1]= H[2][i]+ Dl +Er • H[2][i+1]= H[3][i]+ El + Ar • H[3][i+1] = H[4][i]+ Al + Br • H[4][i+1] = H[0][i] + Bl,+ Cr
Assign values afresh • Al =H[0][i], Bl =H[1][i], Cl =H[2][i] , Dl =H[3][i] , El =H[4][i ] • Ar=H[0][i], Br =H[1][i], Cr =H[2][i] , Dr =H[3][i] , Er =H[4][i ] • T 80-cycle operation : • do for 0 t 79 • { • T = ((Al + ft(Bl, Cl, Dl) + zl[t] + El ) >> rl[t])+ kl [t] • where • ft(x, y, z) function for left sequence defined in Table • (>> rl[t]) signifies circular right shift by rl[t] bit positions as in Table
Details of circular shift for the function in the left sequence
kl [t] values are as specified in Table • All additions to be of mod (232) type • Al= El ; El = Dl ; Dl = (Cl >>10); Cl = Bl; Bl = Tl • >>10signifies circular right shift by ten bit positions Additive constants used in different rounds -- Values given are in hex form
T = ((Ar + ft(Br, Cr, Dl) + zr[t] + Er ) >> rr[t])+ kr [t] • where • ft(x, y, z) is the function for right sequence defined in Table • (>> rr[t]) signifies circular right shift by rr[t] bit positions as specified in Table • kr [t] values are as specified in Table • All additions are to be of mod (232) type • Ar= Er;Er = Dr ; Dr = (Cr >>10) ;Cr = Br ; Br = T • >>10signifies circular right shift by ten bit positions • } • Final hashed output formed after processing all N message blocks • {H[0][N]H[1][N]H[2][N]H[3][N]H[4][N]}.
Observations • Modular algebra based hashing schemes • → prone to easy attacks → no longer in use • SHA-1 & RIPEMD-160 of comparable security level • Initial 160-bit hash value is same for SHA-1 & RIPEMD-160. • b0 at left end in SHA-1 & at right end in RIPEMD-160 • We use b0 at left end • All constants, tabular entries & associated descriptions changed accordingly • Other hashing schemes like MD5 in vogue until recently • Now all of them considered vulnerable • Not recommended for newer applications
SHA-1 selects a set of previous words in schedule • → sums up & forms message schedule • → difficult to restrict effect of change in message to a ‘local area’ of hash value • → avalanche effect an additional deterrent to attacks • Both SHA-1 & RIPEMD-160 closely follow structure of MD5 • Dual sequence scheme in RIPEMD-160 adds to collision resistance • Permutation in RIPEMD-160 → two words which are close in one round are farther apart in the next • constants used in different rounds in both SHA-1 & RIPEMD-160 are 32-bit approximations of irrational numbers derived from simple integers → Table ↓
Similar disparity present between left & right sides in each round • → Adds to the strength of scheme • CRC check ~ hash value • CRC value binary number to identify error -- within a specific limit -- data stream • CRC check not satisfied data stream definitely in error • CRC check satisfied data stream taken as being received correctly