
Internet Security: Cryptographic Principles, Algorithms and Protocols - Chapter 4


4 Hash Function, Message Digest and Message Authentication Code

As digital signature technology becomes more widely understood and utilised, many countries world-wide are competitively developing their own signature standards for their use and applications.

Some electronic applications utilising digital signatures in electronic commerce (e-commerce) include e-mail and financial transactions. E-mail may need to be digitally signed, where sensitive information is being transmitted and security services such as sender authentication, message integrity and non-repudiation are desired. Financial transactions, in which money is being transferred directly or in exchange for services and goods, could also benefit from the use of digital signatures. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller than the message.

In e-commerce, it is often necessary for communication parties to verify each other’s identity. One practical way to do this is with the use of cryptographic authentication protocols employing a one-way hash function. Division into fixed-bit blocks can be accomplished by mapping the variable-length message on to the suitable-bit value by padding with all zeros, including one bit flag and the original message length in hex. Appropriate padding is needed to force the message to divide conveniently into certain fixed lengths. Several algorithms are introduced in order to compute message digests by employing several hash functions. The hash functions dealt with in this chapter are DMDC (1994), MD5 (1992) and SHA-1 (1995).

DES-like Message Digest Computation (DMDC) uses a DES variant as a one-way hash function. In 1994, this scheme was introduced to compute the 18-bit authentication data with CDMA cellular mobile communications system. DMDC divides messages into blocks of 64 bits. The DMDC hash function generates message digests with variable sizes: 18, 32, 64 or 128 bits. This scheme is appropriate for the use of digital signatures and hence it can be employed to increase Internet security.

Internet Security. Edited by M.Y. Rhee
© 2003 John Wiley & Sons, Ltd ISBN 0-470-85285-2

The message to be signed is first divided into a sequence of 64-bit blocks:

M1, M2, ..., Mt

Appropriate padding rules need to be devised for messages that do not divide conveniently. The adjacent message blocks are hashed together with a self-generated key. A better approach is to use one block (64 bits) of the correct message length as the key.

Figure 4.1 shows a typical scheme for hash code computation for M = 192 bits using DMDC.

One authentication problem in the CDMA mobile system is how to confirm the identity of the mobile station by exchanging information between a mobile station and base station. When the authentication field of the access parameters message is set to ‘01’, the mobile station attempts to register by sending a registration request message on the access channel, and the authentication procedure will be performed. To compute the authentication data of mobile station registrations, it is necessary to have a 152-bit message value which complies with RAND (32 bits), ESN (32 bits), MIN (24 bits) and SSD-A (64 bits):

RAND: Authentication random challenge value

ESN: Electronic serial number

MIN: Mobile station identification number

SSD-A: Shared secret data to support the authentication procedure

The 192-bit value is composed of a 152-bit message length and 40-bit padding. Suppose M1, M2 and M3 are decompositions of a 192-bit padded message. M1 = 64 bits will be used as input to the key generation scheme in Figure 4.1. The Permuted Choice 2 operation will produce the 48-bit key that is arranged into a 6 × 8 array as shown below:

Input (column by column) → output (row by row)

Figure 4.1 DMDC algorithm for M = 192 bits. Stages shown: L1, R1 = 32 bits; E(L1) = 48 bits; Γ1 = E(L1) ⊕ K1, Γ2 = E(R1) ⊕ K2, Γ3 = E(L2) ⊕ K3, Γ4 = E(R2) ⊕ K4; (S-box)i; Ωi (32 bits); P(Ωi) (32 bits), for i = 1, ..., 4.

Thus, a 48-bit key generation from M1 is computed as shown in Table 4.1.

Example 4.1 Assume that division of the 192-bit padded message into 64 bits consists of:

Using Table 3.3 (PC-2), the 48-bit compressed key is computed as:

K0= 058c4517a a .

Finally, using Table 4.1, the 48-bit key with the row/column permutations is computed as:

K = 5458c42bcc07

This is the key block to be provided for M2 and M3, as shown in Example 4.2.

Example 4.2 Referring to Figure 4.1, M2 = 17b439a12f51c a and M3 = 51cb360000000000 are processed as follows:

Using Table 3.4, M2 and M3 are divided into

The 48-bit key, K = 5458c42bcc07, obtained through row/column permutations, should be shifted 0, 2, 1 and 3 bits to the left such that

These four Γi, 1 ≤ i ≤ 4, are inputs to the (S-box)i, respectively.

Using Table 3.6, the outputs Ωi of S-boxes are computed as:

Ω1 = a4064766

Ω2 = 1d1dabb8

Ω3 = f89d0b16

Ω4 = dabaae4d

Applying the operation of Table 3.7 to each Ωi yields:

Example 4.3 Compute the hash codes as follows:

32-bit hash code computation:

Figure 4.2 shows the processing scheme for the computation of a 32-bit hash code. In this figure, the following symbols are used:

: Multiplication of 16-bit integers modulo 2^16 + 1 = 65537

+ : Addition of 16-bit integers modulo 2^16 = 65536

⊕ : Bit-by-bit XORing of 16-bit subblocks

64-bit hash code computation:

Referring to Figure 4.3, the 64-bit message digest is computed as follows:

: Multiplication of 32-bit blocks modulo 2^32 + 1 = 4294967297

+ : Addition of 32-bit blocks modulo 2^32 = 4294967296

<<< m : Shifting m bits to the left

18-bit hash code computation:

Utilising the 64-bit message digest h obtained above, the 18-bit hash code can be computed from the decimation process as shown in Figure 4.4.

h = f41d3352753f20dc (64 bits)

Figure 4.4 18-bit hash code computation scheme.

Discard six bits from both ends of the 64-bit message digest h and then pick one bit every three bits by the rule of decimation such that

h = 001110011101110001 (18 bits)
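The decimation rule can be checked against the values printed in Example 4.3. The following is an added example, not code from the book; it assumes bits are numbered from the most significant end and that `<<<` is a circular shift, which is the reading that reproduces both the printed word 753f20dc and the 18-bit result. The function names are chosen here.

```python
MASK32 = 0xFFFFFFFF

def rotl32(word: int, m: int) -> int:
    """Circular left shift of a 32-bit word by m positions (assumed meaning of <<< m)."""
    m %= 32
    return ((word << m) | (word >> (32 - m))) & MASK32

def shl32(word: int, m: int) -> int:
    """Plain, non-circular left shift, kept only for comparison."""
    return (word << m) & MASK32

def digest64(high: int, low: int) -> int:
    """Concatenate two 32-bit words into the 64-bit digest h."""
    return ((high & MASK32) << 32) | (low & MASK32)

def decimate_18(h64: int) -> str:
    """Drop six bits at each end of h, then keep one bit out of every three."""
    if not 0 <= h64 < 1 << 64:
        raise ValueError("h must be a 64-bit value")
    bits = format(h64, "064b")   # bit string, most significant bit first
    middle = bits[6:-6]          # 64 - 6 - 6 = 52 bits remain
    return middle[::3]           # offsets 0, 3, ..., 51 give exactly 18 bits

# Values printed on the page (Example 4.3)
HIGH_WORD = 0xF41D3352                 # result of the "+" branch after <<< 5
LOW_BEFORE_SHIFT = 0x371D4FC8          # product branch before <<< 10
LOW_WORD = rotl32(LOW_BEFORE_SHIFT, 10)
H64 = digest64(HIGH_WORD, LOW_WORD)

if __name__ == "__main__":
    print(f"circular <<< 10 : {LOW_WORD:08x}")
    print(f"plain    <<  10 : {shl32(LOW_BEFORE_SHIFT, 10):08x}")
    print(f"h (64 bits)     : {H64:016x}")
    print(f"h (18 bits)     : {decimate_18(H64)}")
```

A plain shift yields 753f2000 rather than the printed 753f20dc, so the figure's shift has to be read as a rotation.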

128-bit hash code computation (using left shift):

Referring to Figure 4.5, each P(Ωi) is shifted m bits to the left. Then concatenating them will produce the 128-bit message digest:

128-bit hash code computation (using inverse):

Based on Figure 4.6, another 128-bit message digest can be computed as follows:

128-bit hash code computation (using addition and multiplication):

Taking a look at Figure 4.7, computation for the 128-bit message digest proceeds as follows:

P(Ω1) + P(Ω3) = 97a e99a <<< 5 = f41d3352

P( ) P( ) = 371d4fc8 <<< 10 = 753f20dc

9d24c9c8 60d88e12 bf344c9e a208b652

Figure 4.6 128-bit hash code computation using inverse operation.

Figure 4.7 128-bit hash code computation using addition and multiplication.

LSB: Least significant bit of input value

PK: 32-bit constant (e.g. 0x000000AE)

Figure 4.8 State transition function F(r) for PRBS generation.

This is the 128-bit hash code found. So far, we have discussed computation for the DMDC without appending a one-bit flag and the message length in hex digits.

This section presents the secure DMDC algorithm for providing an acceptable level of security.

Figure 4.10 shows the newly devised key generation scheme. The 64-bit input key reshapes to the 56-bit key sequence through Table 3.1 (PC-1). The 56-bit keys are loaded into two 28-bit registers (C0, D0). The contents of these two registers are shifted by the SLi and SRi positions to the left. SLr and SRr are generated by the state transition function F(r) shown in Figures 4.8 and 4.10. In Figure 4.10, the 64-bit input key is separated into two 32-bit parts. Each becomes the input S_in to F(r). SLr and SRr are computed from S_out (mod 23). The LFSR in Figure 4.9 is the device for the generation of a pseudo-random binary sequence (PRBS), whose characteristic function is:

f(x) = x^32 + x^7 + x^5 + x^3 + x^2 + x + 1

of a period 2^32 − 1.

The 64-bit input key is assumed to be 7a138b2524af17c5. Using Figure 4.11, entire round keys are computed, as shown in Table 4.2.

Figure 4.11 New DMDC algorithm for message digest. Stages shown: Γ1 = E(L1) ⊕ K1, Γ2 = E(R1) ⊕ K2, Γ3 = E(L2) ⊕ K3, Γ4 = E(R2) ⊕ K4; (S-box)i; Ωi (32 bits); Π(Ωi) (32 bits), for i = 1, ..., 4.

Table 4.2 Round key generation corresponding to (S L

After padding is appended to the input message M of arbitrary length, the padded message is divided into an integer multiple of 128-bit blocks M1, M2, ..., ML. Each Mi is in turn arranged as four 32-bit words:

M10, M11, M12, M13, M20, M21, M22, M23, ..., ML0, ML1, ML2, ML3

where Mr = (Mr0, Mr1, Mr2, Mr3) represents the rth round 128-bit message unit as shown in Figure 4.11. A, B, C and D denote the four 32-bit buffers in which the data computed at the (r − 1)th round is to be stored. Thus, Mr0 ⊕ A, Mr1 ⊕ B, Mr2 ⊕ C and Mr3 ⊕ D will become the rth round input data. Notice that the output at each round is swapped such that the data diffusion becomes very effective.

The following example demonstrates motivation, so that the reader can understand the whole process at each round (Figure 4.11). The ASCII file structure for the input message is assumed to be as shown below:

001: 12345678901234567890
002: 23456789012345678901
003: 34567890123456789012
...
198: 89012345678901234567
199: 90123456789012345678
200: 01234567890123456789

After receiving this ASCII file as input, the 128-bit divided blocks are expressed in hexadecimal notation as follows:


Table 4.3 The swapped output A, B, C and D at each round

Table 4.4 Hash code values based on the new DMDC scheme

left. The secure DMDC processes data sequentially, block by block in 128-bit units, when computing the message digest. The computation uses four working registers labelled A, B, C and D. These register contents are the swapped outputs at the end of each round. The four 32-bit input units are XORed with the register contents. This process offers good performance and considerable flexibility.

The MD5 message-digest algorithm was developed by Ronald Rivest at MIT in 1992. This algorithm takes an input message of arbitrary length and produces a 128-bit hash value of the message. The input message is processed in 512-bit blocks which can be divided into 16 32-bit subblocks. The message digest is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash code. MD5 (1992) is an improved version of MD4, but is slightly slower than MD4 (1990).

The following steps are carried out to compute the message digest of the input message.

The message is padded so that its length (in bits) is congruent to 448 modulo 512. That is, the padded message is just 64 bits short of being a multiple of 512. This padding is formed by appending a single ‘1’ bit to the end of the message, and then ‘0’ bits are appended as needed such that the length (in bits) of the padded message becomes congruent to 448 (= 512 − 64), modulo 512.

A 64-bit representation of the original message length is appended to the result of the previous step. If the original length is greater than 2^64, then only the low-order 64 bits of the length are used for appending two 32-bit words.

The length of the resulting message is an exact multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16 (32-bit) words. Let M[0 ... N − 1] denote the words of the resulting message, with N an integer multiple of 16.

A four-word buffer represents four 32-bit registers (A, B, C and D). This 128-bit buffer is used to compute the message digest. These registers are initialised to the following values in hexadecimal (low-order bytes first):

A = 01 23 45 67

B = 89 ab cd ef

C = fe dc ba 98

D = 76 54 32 10

These four variables are then copied into different variables: A as AA, B as BB, C as CC and D as DD.

F, G, H and I are four basic MD5 functions. Each of these four nonlinear functions takes three 32-bit words as input and produces one 32-bit word as output. They are, one for each round, expressed as:

These four nonlinear functions are designed in such a way that if the bits of X, Y and Z are independent and unbiased, then at each bit position the function F acts as a conditional: if X then Y else Z. The functions G, H and I are similar to the function F in that they act in ‘bitwise parallel’ to produce their output from the bits of X, Y and Z. Notice that the function H is the bitwise XOR function of its inputs.

The truth table for the computation of four nonlinear functions (F, G, H, I) is given in Table 4.5.

If M[k], 0 ≤ k ≤ 15, denotes the kth sub-block of the message, and <<< s represents a left shift of s bits, the four operations are defined as follows:

HH(a, b, c, d, M[k], s, i): a = b + ((a + H(b, c, d) + M[k] + T[i]) <<< s)

II(a, b, c, d, M[k], s, i): a = b + ((a + I(b, c, d) + M[k] + T[i]) <<< s)

Computation uses a 64-element table T[i], i = 1, 2, ..., 64, which is constructed from the sine function. T[i] denotes the ith element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians:

T[i] = integer part of [2^32 * |sin(i)|]

where 0 ≤ |sin(i)| ≤ 1 and 0 ≤ 2^32 * |sin(i)| ≤ 2^32. Computation of T[i] for 1 ≤ i ≤ 64 is shown in Table 4.6.

Each round consists of 16 operations. Each operation performs a nonlinear function on three of A, B, C and D. Let us show FF, GG, HH and II transformations for rounds 1, 2, 3 and 4 in what follows.

Table 4.6 Computation of T[i] for 1 ≤ i ≤ 64

The basic MD5 operation for FF transformations of round 1 is plotted as shown in Figure 4.12. GG, HH and II transformations for rounds 2, 3 and 4 are similarly sketched.

HH[c, d, a, b, M[7], 16, 39], HH[b, c, d, a, M[10], 23, 40],
HH[a, b, c, d, M[13], 4, 41], HH[d, a, b, c, M[0], 11, 42],
HH[c, d, a, b, M[3], 16, 43], HH[b, c, d, a, M[6], 23, 44],
HH[a, b, c, d, M[9], 4, 45], HH[d, a, b, c, M[12], 11, 46],
HH[c, d, a, b, M[15], 16, 47], HH[b, c, d, a, M[2], 23, 48],

Round 4

Let II[a, b, c, d, M[k], s, i] denote the operation

a = b + ((a + I(b, c, d) + M[k] + T[i]) <<< s).

Then the following 16 operations are computed:

II[a, b, c, d, M[0], 6, 49], II[d, a, b, c, M[7], 10, 50],
II[c, d, a, b, M[14], 15, 51], II[b, c, d, a, M[5], 21, 52],
II[a, b, c, d, M[12], 6, 53], II[d, a, b, c, M[3], 10, 54],
II[c, d, a, b, M[10], 15, 55], II[b, c, d, a, M[1], 21, 56],
II[a, b, c, d, M[8], 6, 57], II[d, a, b, c, M[15], 10, 58],
II[c, d, a, b, M[6], 15, 59], II[b, c, d, a, M[13], 21, 60],
II[a, b, c, d, M[4], 6, 61], II[d, a, b, c, M[11], 10, 62],
II[c, d, a, b, M[2], 15, 63], II[b, c, d, a, M[9], 21, 64],

After all of the above steps, A, B, C and D are added to their respective increments AA,

Example 4.4 The message digest problem related to the CDMA cellular system will be discussed in this example.

Set the initial buffer contents as follows:

A = 67452301 B = efcdab89

C = 98badcfe D = 10325476

The 512-bit padded message is produced from the 152-bit CDMA message by appending the 360-bit padding as shown below.

Padded message (512 bits) = Original message (152 bits) + Padding (360 bits):

I. Round 1 Computation for FF[a, b, c, d, M[k], s, i]:

a = b + ((a + F(b, c, d) + M[k] + T[i]) <<< s) = b + U <<< s, 0 ≤ k ≤ 15, 1 ≤ i ≤ 16

where U <<< s denotes the bit value obtained by circularly shifting U left by s bit positions.
