6.857 Computer and Network Security Fall Term, 1997

Lecture 9 : Octob er 2, 1997

Lecturer: Ron Rivest Scribe: Jesse Kornblum

Topics

 Hashing in Digital Signatures

 Hashing Security

 MD5

 BirthdayAttacks

 SHA

 CvHP

 MACs and Hashing

1 Digital Signatures

When messages get very long, encrypting them to use as a digital signature with

algorithms such as RSA can be very exp ensive. We'd like to sign our messages

with something much shorter, a \ ngerprint" of the message, also called a \message

digest."

To create the ngerprint, we use a function  ngerprint function, MD-function, cryp-

tographic hash function, etc. that compresses messages of arbitrary length into a

preset set. This function, hx, normally pro duces a ngerprint either 128 or 160 bits

long. This shorter value is much easier to sign than the full message. Our goal is

that:

 The function h is ecient

 The length of hx is short

 The function hx is secure i.e. it has strong collision-resistance, de ned b elow 1

2 3 MESSAGE DIGEST 5 MD5

2 Hashing Security

The security of hash functions is measured by the existence of col lisions. A collision

is when two di erent messages pro duce the same hash. i.e. hm  = hm  Here

1 2

are some terms used in describing the security hash functions:

0

Strong Collision-Resistance: It is infeasible for an attacker to nd x and x forming

0

a collision. i.e. hx=hx

0

Weak Collision-Resistance: Given an x and hx, it is infeasible to nd x such

0 0

that hx = hx . This implies that given hx, it is infeasible to nd any x such

0

that hx=hx. i.e. That h is a one-way function.

3 Message Digest 5 MD5

MD5 is a hashing function develop ed by Ron Rivest. Amuch more detailed descrip-

1

tion can b e found in handout 8 or RFC 1321.

MD5 works by rst padding the message until it is a multiple of 512 bits long. Padding

is done as follows:

1. App end a '1' bit to the message.

2. App end '0' bits until the message is 64 bits shorter than amultiple of 512 bits

3. App end a 64-bit representation of the message's original length

The state of MD5 is kept in four 32-bit words, A, B , C , and D , all of which are

initialized to magic constant values. MD5 pro cesses the message in 512-bit blo cks.

As we pro cess the ith blo ck of message, we up date A , B , C , and D to A ,

i1 i1 i1 i1 i

B , C , and D . The output of MD5, a 128 bit value, is the nal state of A, B , C ,

i i i

and D concatenated.

For each blo ck of message, we have four rounds of up dates. Each round up dates one

of the four 32-bit words A, B , C ,orD four times. For a total of sixteen up dates p er

blo ck of message. Initially on each round, A  A , B  B , etc. Each of the

i i1 i i1

up dates is something similar to A  B +A +F B ;C ;D +M +T <<< s, where

i i i i i i i i

1

Which actually comes from Applied Cryptography byB.Schneier

3

2

F is a function, M is the ith blo ck of the message, and T and s are magic constants.

i i

The symbol <<< means \rotate left". At the end of each round, we nish by

up dating all of the values one last time, namely: A  A + A , B  B + B ,

i i i1 i i i1

etc.

4 Secure Hash Algoritm SHA

SHA is a hash function develop ed by the US government. It's similar to MD5, but

uses ve 32-bit words and ve rounds per message blo ck to pro duce a 160-bit hash,

using linear transformations of the message in each blo ck.

5 Birthday Attacks

A birthday attack on a hash function attempts to use the birthday paradox to nd

collisions in a hash function. i.e. creating random messages, taking their hash

value, and checking if that hash value has b een encountered b efore. For MD5, as an

64

example, an attacker could exp ect to nd collisions after trying 2 messages. Given

to day's computing power, this is a dicult, but not imp ossible problem. Hence the

move to stronger hashing algorithms, like SHA.

6 CvHP

Yet another hash function is CvHP. It's full name is the Chaum-vanHeijst-P tzmann

hash function. First, we need to cho ose prime numb ers p and q such that p =2q+1.

q

Next, we need an and a that are b oth an element of order q i.e. 1 mo d p

and that 6= . For security, it must b e dicult to compute log .

m

1

The hash function splits the message into two parts m and m . hm ;m = 

1 2 1 2

m

2

modp. It is necessary that 1 jm j;jm j q.

1 2

The heart of CvHP is that it's infeasible to nd and . As an example, let's say

that we have a collision:

m m m m

1 2 3 4

 =  modp

2

As an example, F a; b; c= a^b_a ^ c

4 7 MACS AND HASH FUNCTIONS

We can transform this to b e

m m m m

1 3 4 2

= modp

If we set r = m m and s = m m , we get

1 3 4 2

r s

= modp

1

If then we cho ose t such that t = s modq, we can use

rt st

= modp

rt

to get = mo dp. Since we said it's dicult to compute log , an attacker

cannot get past this stage.

7 MACs and Hash Functions

A hash function can b e used to pro duce a Message Authentication Co de. For example,

a prop osal by IBM for Internet messages is that a MAC for each packet should be

formed as follows:

HM AC = MD5k ;MD5k ;M, where k and k are two parts of a shared secret

1 2 1 2

key.