Chapter 6. New HASH Function. 6.1 Message Authentication. Message authentication is a mechanism or service used for verifying

Transcription

1 Chapter 6 New HASH Function 6.1 Message Authentication Message authentication is a mechanism or service used for verifying the integrity of a message. Message authentication assures that the data received are exactly as sent by i.e., contain no modification, insertion, deletion, or replay and that the purported identity of the sender is valid. Symmetric encryption provides authentication among those who share the secret key. Encryption of a message by a sender s private key also provides a form of authentication. The two most common cryptographic techniques for message authentication are a message authentication code (MAC) and secure hash function. A MAC is an algorithm that requires the use of a secret key. A MAC takes a variable length message and a secret key as input and produces an authentication code. A recipient in possession of the secret key can generate an authentication code to verify the integrity of the message. A hash function maps a 110

2 variable length message into a fixed length hash value, or message digest. For message authentication, a secure hash function must be combined in some fashion with a secret key Authentication Requirements In the context of communication across a network, the following attacks can be identified: Disclosure: Release of message contents to any person or process not processing the appropriate cryptographic key. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connected-oriented or connectionless environment, the number and length of the messages between the parties could be determined. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or non receipt by someone other than the message recipient. Content modification: changes to the contents of a message, 111

3 including insertion, deletion, transposition, and modification. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and recording. Timing modification: Delay or replay of messages. In a connectionoriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message could be delayed or replayed. Source repudiation: Denial of transmission of message by source. Destination repudiation: Denial of receipt of message by destination Authentication Functions Following are the commonly used functions for authentication. Message Encryption: The cipher text of the entire message serves as its authentication. A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: No other party can recover the 112

4 plaintext of the message. In addition, we may say that B is assured that the message was generated by A. The message must have come from A because A is the only other party that possesses secret key K and therefore the only other party with the information necessary to construct ciphertext that can be decrypted with K. Furthermore, if message M is recovered, B knows that none of the bits of M have been altered, because an opponent that does not know K would not know how to alter the bits in the ciphertext to produce desired changes in the plaintext Message Authentication Code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as authentication. An alternative technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC that is appended to the message. This technique assumes that two communication parties say A and B, share a common secret key K. When A has a message to be sent to B, it calculates the MAC as a function of the message and the key. The message and the MAC are transmitted to the intended recipient B. The recipient performs the same calculation on the received message, using the same secret key to generate a new MAC. The received MAC is compared to the calculated 113

5 MAC and if they match, then accept the received message. Hash Function: A function that maps a message of any length into a fixed-length hash value, which serves as an authentication. A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). The hash code is also referred to as a message digest or hash value. The hash code is a function of all the bits of the message and provides an error-detection capability. A change to any bit or bits in the message results in a change to the hash code. Fig.6.1 a simple block diagram hash function generator. The message M Figure 6.1: Encrypt message plus hash code plus concatenated hash code H(M) is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided. Fig.6.2 shows the 114

6 block diagram of hash function generator using a shared secret key. Only the hash code is encrypted using the symmetric encryption. Figure 6.2: Encrypt hash code with shared secret key This reduces the processing burden for those applications that do not require confidentiality. Fig.6.3 shows hash function generator using sender s private key in public key cryptography Figure 6.3: Encrypt hash code with sender s Private key Only the hash code is encrypted, using the public key encryption algorithm with the sender s private key, this provides authentication. It also provides digital signature, because only the sender could have produced the encrypted hash code as shown in Fig.6.4 If confidentiality as well as the digital signature is desired then the message plus the private- key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique 115

7 Figure 6.4: Encrypt result of encrypted hash code with shared secret key used as shown in Fig.6.5 Figure 6.5: Compute hash code of message plus secret key It is possible to use a hash function but no encryption for message authentication as shown in Fig.6.6. The technique assumes that the two communicating parties share a common secret value K. A computes the hash over the communication message of M and K and appends the resulting hash value to M. Because the secret key value itself, if not sent, an opponent cannot modify an intercepted message and cannot generate a false message. 116

8 Figure 6.6: Encrypt the result of hash code of message plus secret key 6.2 Hash Functions A hash function value h is generated by a function H of the form h = H(M), where M is a variable-length message and H(M) is the fixed length hash value. The hash value is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by recomputing the hash value Requirements for a hash function To be useful for message authentication, a hash function H must have the following properties. H can be applied to a block of data of any size. H produces a fixed-length output. H(x) is relatively easy to compute for any given x, making both hardware and software implementing practical. For any given value h, it is computationally unfeasible to find 117

9 x such that H(x) = h. This is referred as the one-way property. For any given block x, it is computationally unfeasible to find y x, such that H(y) = H(x). This is referred to as weak collision resistance. It is computationally unfeasible to find any pair(x, y) such that H(x) = H(y). This is referred to as strong collision resistance Security of Hash Function The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. One-way: For any given code h, it is computationally unfeasible to find x such that H(x) = h. Hence the level of effort required is 2 n. Weak collision resistance: For any given block x, it is computationally unfeasible to find y x with H(y) = H(x). The level of effort required is 2 n. Strong collision resistance: It is computationally unfeasible to find any pair (x, y) such that H(x) = H(y). The level of effort required is 2 n/2. 118

10 6.2.3 Message Digest Hash (MDH) Hash functions of the message digest family are iterated hash functions. They share a common structure of the compression function. It consists of two major parts, namely, message expansion and consecutive evaluation of number of similar steps. The Message Digest-4 (MD-4) algorithm compresses an input with a maximum length of 2 64 to a 128-bit hash value. The size of one message block in MD-4 is 512 bit. The input message is padded to fit this message block size. The padding scheme always appends a single bit 1 to the end of the message. Then, 0 s are appended until the message length is congruent to 448 modulo 512. Finally, the 64-bit representation of the message length, before the padding was applied is appended. Each 512-bit message block of the padded message is compressed by the compression function which consists of three rounds having 16 steps each. In each round a different Boolean functions is used. In MD-4 there are three Boolean functions. Because of the initial cryptanalysis that was done on MD-4 by Ralph Merkel and Eli Biham, MD-4 was improved to MD-5 by Rivest. The structure of MD-5 is quite similar to MD-4 but there are four linear Boolean functions and four rounds. However, there have been significant improvements in collision attacks on these hash functions. 119

11 6.2.4 Secure Hash Algorithm (SHA) Secure Hash Algorithm was developed by the National Institute of Standards and Technology (NIST)and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secured Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 is also specified in RFC 3174, which essentially duplicates the material in FIPS 180-1, but adds a C code implementation. SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard. FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. Table 6.1 shows the comparison of SHA parameters. These new ver- Table 6.1: Comparison of SHA parameters SHA-1 SHA-256 SHA-384 SHA-512 Message digest size Message size < 2 64 < 2 64 < < Block size Word size Number of steps Security

12 sions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by Shortly thereafter, a research team described an attack in which two separate messages could be found that they deliver the same SHA-1 hash using 2 69 operations, far fewer than the 2 80 operations previously thought needed to find a collision with an SHA-1 hash. This result should hasten the transition to the other versions of SHA. 6.3 Whirlpool Hash Function The Whirlpool Hash Algorithm is 512-bit hash function designed by Vincent Rijmen and Paulo S.L.M. Barreto. It uses a symmetrickey block cipher based on AES, known as the Whirlpool Cipher. The Whirlpool Hash Function is endorsed by New European Schemes for Signatures, Integrity and Encryption (NESSIE). It has also been adopted by the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC) as part of the joint ISO/IEC international standard. The Whirlpool is based on the use of a block cipher for the compression function. The following are potential draw backs of the block cipher. 121

13 Block ciphers do not possess the properties of randomizing functions. For example they are invertible. This lack of randomness may lead to weaknesses that can be exploited Block ciphers typical exhibit other regularities or weaknesses Typically block cipher based hash functions are significantly slower than hash functions based on a compressed functions, specifically designed for the hash functions. A principal measure of the strength of a hash function is the length of the hash code in bits. For DES it is 64-bits or 128- bits, resulting in a hash code of questionable strength. However, since the adoption of AES, there has been renewed interest in developing a secure hash function based on strong block cipher and exhibiting good performance. Whirlpool is block cipher based hash function intended to provide security and performance that is comparable than that found in non block cipher based hash functions such as SHA. Whirlpool has the following features: The hash code length is 512-bits, equaling the longest hash code available with SHA. The overall structure of the hash function is one that has been shown to be resistant to the usual attacks on block cipher based hash codes. 122

14 The underlying block cipher based on AES and is designed to provide for implementation in both software and hardware i.e both compact and exhibits good performance The design of whirlpool sets the following security goals: The expected workload of generating a collision is of the order of the 2 n/2 executions of whirlpool. Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2 n executions of whirlpool. The given is a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2 n executions of Whirlpool. It is unfeasible to detect systematic correlations between any linear combinations of input bits and any linear combinations of bits of the hash results or to predict what bits of the hash result will change the value when certain input bits are flipped. This means resistance against linear and differential attacks. The Whirlpool hash structure is based on the Miyaguchi-Preneel scheme and consists of 10 rounds. Fig.6.7 shows the model of single iteration of Whirlpool function. P is Plain text or i th block of input message, C is cipher text, K is encryption key, H i is the i th intermediate hash value, F F is feed forward value 123

15 Figure 6.7: Model of Single Iteration of the Whirlpool Hash Function Hash Function Structure Given a message consisting of a sequence of blocks m 1, m 2, m t, the Whirlpool hash function is expressed as follows: H 0 = Initial Value H i = W (H i 1, m i ) + H i 1 + m i H t = Final Hash Code value. In terms of the model, the encryption key input for each iteration is the intermediate hash value from the previous iteration; the plaintext is the current message block; and the feed-forward value is the bitwise XOR of the current message block and the intermediate hash value from the previous iteration. Whirlpool Algorithm The algorithm takes as input a message with a maximum length of less than bits and produces as output a 512-bit message digest. The input is processed in 512-bit blocks. Fig.6.8 depicts 124

16 the overall processing of a message to produce a digest. Figure 6.8: Message Digest Generation using Whirlpool Message Preparation The processing consists of the following steps: Append padding bits: The message is padded so that its length in bits is an odd multiple of 256. Padding is always added, even if the message is already of the desired length. For example, if the message is = 768 bits long, it is padded by 512 bits to a length of = 1280 bits. Thus, the number of padding bits is in the range of 1 to 512. Append length: A block of 256 bits is appended to the message. This block is treated as an unsigned 256-bit integer (most significant byte first) and contains the length in bits of the original message (before the padding). The outcome of the first two steps yields a message that is an integer multiple of 512 bits in length. In Fig.6.8, the expanded message 125

17 is represented as the sequence of 512-bit blocks m 1, m 2, m t so that the total length of the expanded message is t 512 bits. These blocks are viewed externally as arrays of bytes by sequentially grouping the bits in 8-bit chunks. However, internally, the hash state H i is viewed as an 8 8 matrix of bytes. The transformation between the two is explained subsequently. Initialize hash matrix: An 8 8 matrix of bytes is used to hold intermediate and final results of the hash function. The matrix is initialized as consisting of all 0-bits. Process the message in 512-bit (64-byte) blocks. The heart of the algorithm is the block cipher W. The Block Cipher W Whirlpool uses a block cipher that is specifically designed for use in the hash function. The block cipher W, which has a similar structure and uses the same elementary functions as AES, uses a block size and a key size of 512-bits. Although W is similar to AES, it is not simply an extension. AES operates on a state of 4 4 bytes, whereas W operates on a state of 8 8 bytes. W uses a row-oriented matrix whereas AES uses a column-oriented matrix. A comparison between AES and W is presented in Table

18 Table 6.2: Comparison of AES and W Block ciphers W AES Block size(bits) Key size(bits) ,192 or 256 Matrix orientation Input is mapped row-wise Input is mapped columnwise Number of rounds 10 10, 12 and 14 Key expansion W round function Dedicated expansion algorithm GF (2 8 ) polynomial x 8 +x 4 +x 3 +x 2 +1 (0x11D) x 8 + x 4 + x 3 + x + 1 (0x11B) Origin of S-box Recursive structure Multiplicative inverse in GF (2 8 ) + affine transformation Origin of round constants Successive entries of the S- box Elements 2 i of GF (2 8 ) Diffusion layer Right multiplication by 8 8 circulant MDS matrix (1, 1, 4, 1, 8, 5, 2, 9) - mix rows Left multiplication by 4 4 circulant MDS matrix (2, 3, 1, 1) - mix columns Permutation Shift columns Shift rows 127

19 6.3.2 The Overall Structure Fig.6.9 shows the overall structure of W. The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of cipher-text as output. The encryption algorithm involves the use of four different functions, or transformations which are used in each round are: Substitute Bytes (SB) Shift Columns (SC) Mix Rows (MR) Add Key Round (AK) W consists of a single application of AK followed by 10 rounds that involve all four functions. Each round r can be expressed as a round function RF which is a composition of the above functions: RF (K r ) = AK[K r ] MR SC SB Substitute Bytes The substitute byte function (SB) is a simple table lookup that provides a nonlinear mapping. W defines a matrix of byte values, called an S-box that contains a permutation of all possible 256, 8-bit values. Each individual byte of c-state is mapped into a new byte in the following way: 128

20 Figure 6.9: : The Whirlpool Cipher W 129

21 The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indices into the S-box to select a unique 8-bit output value. For example, the hexadecimal value 95 h references row 9, column 5 of the S-box, which contains the value ba h. Accordingly, the value 95 h is mapped into the value ba h. The S-box can be generated by using a recursive structure. It consists of two nonlinear layers, each containing two 4 4 S-boxes separated by a 4 4 randomly generated box. Each of the boxes maps a 4-bit input into a 4-bit output. Shift Columns The Shift Columns cause a circular downward shift of each column of c state except the first column. For the second column, a 1-byte circular downward shift is performed; for the third column, a 2- byte circular downward shift is performed; and so on. The SC function serves as the permutation layer. Mix Rows Any Block Cipher warrants having a diffusion layer, Mix Rows serves this purpose in Whirlpool. This is achieved by having each input bit affect the value of many output bits; generally, this results in each output bit being affected by many input bits. The diffusion layer (mix rows) achieves diffusion within each row individually. 130

22 Each byte of a row is mapped into a new value that is a function of all eight bytes in that row. The transformation can be defined by the matrix multiplication: B = C A Where, A is the input matrix, B is the output matrix, and C is the transformation matrix. The C matrix used in mix row operation is given below All the elements in the C-matrix are hexadecimal numbers. Each element in the product matrix is the sum of the products of elements of one row and one column. In this case, the individual additions and multiplications are performed in GF (2 8 ) with the irreducible polynomial f(x) = x 8 + x 4 + x 3 + x 2 + 1, i.e., 11D h. Add Round Key In the Add round key layer, the 512 bits of c-state are bitwise XORed with the 512 bits of the round key. It is done byte by byte on the C state matrix. Whirlpool doesn t have a dedicated key 131

23 expansion algorithm. It uses a copy of the encryption algorithm for key expansion. The round keys for the key expansion are 10 round constants. The key-generation algorithm treats the cipherkey as plaintext and encrypts it, thus generating a round key for the encryption algorithm at the end of every round of the keyexpansion algorithm. Key Expansion for W As shown in Figure 2.3, key expansion is achieved by using the block cipher itself, with a round constant serving as the round key for the expansion. The round constant for round 1 r 10 is a matrix RC[r] in which only the first row is nonzero, and is defined as follows: RC[r] 0,j = S[8(r 1) + j], (0 j 7), (1 r 10) RC[r] i,j = 0, (1 i 7), (0 j 7), (1 r 10) Using the round constants, the key schedule expands the 512-bit cipher key K onto a sequence of round keys K 0, K 1,..., K 10 K 0 = K K r = RF [RC[r]] (K r 1 ) where RF is the round function defined earlier. Note that for the Add Round Key phase of each round, only the first row of k-state is altered. 132

24 Whirlpool Performance and Security The design of Whirlpool sets the following security goals: Assume we take as hash result the value of any n-bit substring of the full Whirlpool output, The expected workload of generating a collision is of the order of 2 n/2 executions of Whirlpool. Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2 n executions of Whirlpool. Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2 n executions of Whirlpool. It is unfeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks). 6.4 New Whirlpool Hash Structure In this New Whirlpool Hash Structure most of the structure is same as existing Whirlpool structure, except the S-box generation. 133

25 In this structure we introduced the dynamic S-box generated by using two keys namely, Permute Key and Auxiliary Key. Depending on the permute key initial permutation of the S-box entries are modified, Using auxiliary key, affine transformation constants A matrix, constant C and irreducible polynomial m are calculated. Now dynamic S-box is constructed by using the affine transformation y = Ax C mod m. The steps to generate the dynamic S-box are as follows: Select a permute key of variable length from 1 byte to 256 byte. Initialize an array S[256] with 00 h to ff h. Initialize another array T[256], by using the secret key. If the key length is less than 256 bytes, repeatedly copy the key bytes till the last element of the array. Initial permutation is done by using T as follows: j = 0; for i = 0 to 255; do j = (j + S[i])mod256; swap (S[i], S[j]); end; Construct an 8 x 8, non-singular A matrix entries with GF(2), depending on Auxiliary key. 134

26 Using Affine transformation y = Ax C mod m, construct an S-box. First convert S array into new S array by finding the multiplicative inverse of each element by using a key dependent irreducible polynomial m. Constant C is calculated by using key. Remaining procedure is as in existing Whirlpool Hash generation. 6.5 Advantages Over Whirlpool Hash Function The expected workload of generating a collision is of the order of the = Given an 512-bit hash value, the expected workload of finding a message that hashes to the same value is of the order of = executions of new Hash function. The given is a message and its 512-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of = executions of new Hash function. It is unfeasible to detect systematic correlations between any linear combination of input bits and any linear combination 135

27 Table 6.3: Comparison of W and New W Block ciphers W-block cipher New W-block cipher Block size(bits) Key size(bits) Matrix orienta- Input is mapped row-wise Input is mapped row-wise tion Number rounds of Key expansion W round function W round function GF (2 8 ) polynomial (11d h ) Key dependent irreducible Polynomial Origin of S-box Recursive structure Multiplicative inverse in GF (2 8 ) + Key dependent affine transformation Origin of round constants Successive entries of the S- box Successive entries of the S- box Diffusion layer Right multiplication by 8 8 circulant MDS matrix (1, 1, 4, 1, 8, 5, 2, 9) - mix rows Right multiplication by 8 8 circulant MDS matrix (1, 1, 4, 1, 8, 5, 2, 9) - mix rows Permutation Shift columns Shift columns 136

28 of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks). 6.6 Results The modified Hash function is constructed with the key dependent S-box and tested with different text files of different sizes. It is found that a single bit change in the text or a single bit in any one key (secret key/permute key/auxiliary key) changes hash value to great extent. Some of the results are tabulated in Table6.4 and Table6.5 Table 6.4: Hash value for a text file1 512 bit Hash value for a text of 2196 bytes Original text Last bit changed Initial bit changed Change in one key bit 83422F2B0C5C0702 B69864A4486E23F3A 3D2F0E09B6F4767B 03E8AD681FFCBEDF 4C3BD78111F5B F B6C3A1CAA7D BF6BBF286677A33 C9B963BDFA2D4AA3 5BDA54B65ECF739F AA7EB6CFC3 44BDBBD C 5A9BC39F07A359D2 C317DF9F5AD392B8 04DBBDB82B6054D1 6F5EDFCB C BB5F13BC014C1B D1396A86 864A4E4CA315DBE3 BA2DD0125E5FAC78 589F24CDEEC8EB9F AD9D8EA62AFBC49C 033CE227AF6012B7 07FC1FE7D5C1C168 70F037D0C1E4209C D0160B97D701FF54 DC165F60B04F12AE 9FEC9FDB0C96AD94 CB47C10B ADD71F13F4C 93DDEF1A2676CD38 D1A56E7E99D0DD8E 6.7 Conclusion The implementations of new Hash Algorithm with key dependent S-box are developed and tested on various kinds of data. Typically, 137

29 Table 6.5: Hash value for a text file2 512 bit Hash value for a text of 7 bytes Original text Last bit changed Initial bit changed Change in one key bit 6D0032E7FBB38BC4 3D6442E9A756C3C2 AC3BD1A4D8353D67 3A3DE4CF5E7862DE FF4F5AE3ADA6555C FAE A9A14C E9E8CB4BB000 5BC0B76FD7FE1E3A 91F9D86D0D9E08E9 D45B DF D051F0995DFD2E9E 1623D375A7705EF8 67E33192B939ED93 AF9BFA8E E C9F0CD40CF92B484 17CCEA C1C3996A69B89 C7DFD2BDB4E17F95 014D8FA5CB7B239F 0DF19D17B6216F30 09C3F8E1994DAEA0 E07431B8A BBD736B2A131E3D7 3D02E1F85B8CAA4E FCFBBD41EB7F631E BDC3C C26 3D4768D6E191DD79 EBEF046D96B7749A 6F0A9AE400120B EAB06420 C4D6019ACF1A264E data in the forms of text, image or audio is encrypted and then a corresponding message digest is generated using new hash function. In each case a single bit of data was changed and new hash was generated and found that the message digest was completely different for each case. 138