Internet.Security

Figure 4.12 Basic MD5 operation.

FF[c, d, a, b, M[6], 17, 7], FF[b, c, d, a, M[7], 22, 8], FF[a, b, c, d, M[8], 7, 9],

FF[d, a, b, c, M[9], 12, 10], FF[c, d, a, b, M[10], 17, 11], FF[b, c, d, a, M[11], 22, 12], FF[a, b, c, d, M[12], 7, 13], FF[d, a, b, c, M[13], 12, 14], FF[c, d, a, b, M[14], 17, 15], FF[b, c, d, a, M[15], 22, 16]

The basic MD5 operation for FF transformations of round 1 is plotted as shown in Figure 4.12. GG, HH and II transformations for rounds 2, 3 and 4 are similarly sketched.

Round 2

Let GG[a, b, c, d, M[k], s, i] denote the operation

a = b + ((a + G(b, c, d) + M[k] + T[i]) <<< s).

Then the following 16 operations are computed:

GG[a, b, c, d, M[1], 5, 17], GG[d, a, b, c, M[6], 9, 18], GG[c, d, a, b, M[11], 14, 19], GG[b, c, d, a, M[0], 20, 20], GG[a, b, c, d, M[5], 5, 21], GG[d, a, b, c, M[10], 9, 22], GG[c, d, a, b, M[15], 14, 23], GG[b, c, d, a, M[4], 20, 24], GG[a, b, c, d, M[9], 5, 25], GG[d, a, b, c, M[14], 9, 26], GG[c, d, a, b, M[3], 14, 27], GG[b, c, d, a, M[8], 20, 28], GG[a, b, c, d, M[13], 5, 29], GG[d, a, b, c, M[2], 9, 30], GG[c, d, a, b, M[7], 14, 31], GG[b, c, d, a, M[12], 20, 32],

Round 3

Let HH[a, b, c, d, M[k], s, i] denote the operation

a = b + ((a + H(b, c, d) + M[k] + T[i]) <<< s).

Then the following 16 operations are computed:

HH[a, b, c, d, M[5], 4, 33], HH[d, a, b, c, M[8], 11, 34], HH[c, d, a, b, M[11], 16, 35], HH[b, c, d, a, M[14], 23, 36], HH[a, b, c, d, M[1], 4, 37], HH[d, a, b, c, M[4], 11, 38],

HH[c, d, a, b, M[7], 16, 39], HH[b, c, d, a, M[10], 23, 40], HH[a, b, c, d, M[13], 4, 41], HH[d, a, b, c, M[0], 11, 42], HH[c, d, a, b, M[3], 16, 43], HH[b, c, d, a, M[6], 23, 44], HH[a, b, c, d, M[9], 4, 45], HH[d, a, b, c, M[12], 11, 46], HH[c, d, a, b, M[15], 16, 47], HH[b, c, d, a, M[2], 23, 48],

Round 4

Let II[a, b, c, d, M[k], s, i] denote the operation

a = b + ((a + I(b, c, d) + M[k] + T[i]) <<< s).

Then the following 16 operations are computed:

II[a, b, c, d, M[0], 6, 49], II[d, a, b, c, M[7], 10, 50], II[c, d, a, b, M[14], 15, 51], II[b, c, d, a, M[5], 21, 52], II[a, b, c, d, M[12], 6, 53], II[d, a, b, c, M[3], 10, 54], II[c, d, a, b, M[10], 15, 55], II[b, c, d, a, M[1], 21, 56], II[a, b, c, d, M[8], 6, 57], II[d, a, b, c, M[15], 10, 58], II[c, d, a, b, M[6], 15, 59], II[b, c, d, a, M[13], 21, 60], II[a, b, c, d, M[4], 6, 61], II[d, a, b, c, M[11], 10, 62], II[c, d, a, b, M[2], 15, 63], II[b, c, d, a, M[9], 21, 64],

After all of the above steps, A, B, C and D are added to their respective increments AA, BB, CC and DD, as follows:

A = A + AA, B = B + BB

C = C + CC, D = D + DD

and the algorithm continues with the resulting block of data. The final output is the concatenation of A, B, C and D.

Example 4.4 The message digest problem related to the CDMA cellular system will be discussed in this example.

Set the initial buffer contents as follows:

The 512-bit padded message is produced from the 152-bit CDMA message by appending the 360-bit padding as shown below.

Padded message (512bits) = Original message(152bits) + Padding(360bits):

I. Round 1 Computation for FF[a, b, c, d, M[k], s, i] a = b + ((a + F(b, c, d) + M[k] + T[i]) <<< s) = b + U <<< s, 0 k 15, 1 i 16 where U <<< s denotes the 32bit value obtained by circularly shifting U left by s bit positions.

Compute U = (a + F(b, c, d) + M[0] + T[1]) <<< s, s = 7

a: 67452301 F(b, c, d): 98badcfe

M[0]: 7a138b25

T[1]: d76aa478

U: 517e2f9c

U = 517e2f 9c <<< 7

From a = b + U , we have

b: efcdab89 U : bf17ce28

a: aee579b1

Hence, FF[a, b, c, d, M(0), 7, 1] of NO.1 operation can be computed as aee579b1, efcdab89, 98badcfe, 10325476.

(2) Second-word block process (M[1], T[2], s = 12)

Using the outcome from operation (1), the second-word block is processed as follows:

d: 10325476 F[a, b, c]: bedfadcf

M[1]: 24af17c3 T[2]: e8c7b756

U: dc88d15e

U = U <<< 12 : 8d15edc8

From d = a + U , we have

a: aee57961 U : 8d15edc8

d: 3bfb6779

Hence, the result of operation (2) for the second-word block becomes FF[d, a, b, c, M[1], 12, 2] = (aee57961, efcdab89, 98badcfe, 3bfb6779).

All FF transformations for Round 1 are similarly computed, and consist of the following results from the 16 operations:

II. Round 2 Computation for GG

(1) First-word block operation:

a = b + ((a + G(b, c, d) + M[1] + T[17]) <<< s)

Let V = a + G(b, c, d) + M[1] + T[17] where a = 7dccd1ee, b = 10821d51, c = bff77632, d = 0359415c,

M[1] = 24af17c3, and T[17] = f61e2562.

Using Table 4.5, G(b, c, d) is computed as follows:

Compute V = a + G(b, c, d) + M[1] + T[17]

a: 7dccd1ee G(b, c, d): bca63772 M[1]: 24af17c3 T[17]: f61e2562

V: 55404685

a: b88aedfb

Thus, GG[a, b, c, d, M[1], T[17], 5] of operation (1) is computed as:

b88aedfb, 10821d51, bff77632, 0359415c

Through the 16 operations, GG transformation for round 2 can be accomplished as shown below:

III. Round 3 Computation for HH

(1) First-word block operation:

a = b + ((a + H(b, c, d) + M[5] + T[33]) <<< 4)

where a = 5b8a2ae8, b = 29e29554, c = 2e6d799d, d = af92e3c8, M[5] = 00000000, T[33] = fffa3942, and s = 4.

a: 63f9c804

Thus, HH[a, b, c, d, M[5], T[33], 4] of operation (1) is obtained as 63f9c804 29e29554 2e6d799d af92e3c8. Through 16 operations, HH transformation for round 3 can be computed as shown below:

IV. Round 4 Computation for II

(1) First-word block operation:

a = b + ((a + I(b, c, d) + M[0] + T[49]) <<< 6)

where a = fbc16051, b = 814dbccf, c = 14f356d2, d = 9fb3bb46, M[0] = 7a138b25, T[49] = f4292244, and s = 6.

Using Table 4.5, I(b, c, d) can be computed as follows:

Compute Z = a + I(b, c, d) + M[0] + T[49]

a: fbc16051 I(b, c, d): f5beaa2d M[0]: 7a138b25 T[49]: f4292244

Z : 5fbcb7e7

Z = 0101 1111 1011 1100 1011 0111 1110 0111

Since Z = Z <<< 6, we have

From a = b + Z , a is computed as:

b: 814dbccf Z : ef2df9d7

a: 707bb6a6

Thus, operation (1) of II[a, b, c, d, M[0], T[49], 6] is obtained as:

707bb6a6 814dbccf 14f356d2 9fb3bb46

The results from 16 operations are listed in the following:

A buffer containing four 32-bit registers A, B, C and D is used to compute the 128-bit message digest. These registers are initialised to the following values:

The last operation of this transformation is:

After this, the following additions are finally performed to produce the message digest.

A = a + aa

B = b + bb

C = c + cc

D = d + dd

The message digest produced as an output of A, B, C and D is the concatenation of A, B, C and D.

The concatenation of the four outputs of A, B, C and D is the 128-bit message digest such that A|| B|| C|| D = 3bd73d8c 145de697 8c944855 50423d7d

In CDMA cellular mobile communications, a shared secret data (SSD) is a 128-bit pattern stored in semi-permanent memory in the mobile station. SSD is partitioned into two 64-bit distinct subsets, SSD-A and SSD-B. SSD-A is used to support the authentication process, while SSD-B is used to support voice privacy and message confidentiality.

SSD data subsets are generated from the message digest as follows:

SSD-A: 3bd73d8c145de697,

SSD-B: 8c94485550423d7d.

4.4 Secure Hash Algorithm (SHA-1)

The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) for use with the Digital Signature Algorithm (DSA) and published as a Federal Information Processing Standards (FIPS PUB 180) in 1993. The Secure Hash Standard (SHS) specifies a SHA-1 for computing the hash value of a message or a data file. When a message of any length of less than 264 bits is input, the SHA-1 produces a 160-bit output called a message digest (or a hash code). The message digest can then be input to the DSA, which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller than the message.

The SHA-1 (FIPS 180-1, 1995) is a technical revision of SHA (FIPS 180, 1993). The SHA-1 is secure because it is computationally impossible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will result in a different message digest, and the signature will fail to verify. The SHA-1 is based on the MD4 message digest algorithm and its design is closely modelled on that algorithm.

4.4.1 Message Padding

The message padding is provided to make a final padded message a multiple of 512 bits. The SHA-1 sequentially processes blocks of 512 bits when computing the hash value (or message digest) of a message or data file that is provided as input. Padding is exactly the same as in MD5. The following specifies how this padding is performed. As a summary, first append a ‘1’ followed by as many ‘0’s as necessary to make it 64 bits short of a multiple of 512 bits, and finally a 64-bit integer is appended to the end of the zeroappended message to produce a final padded message of length n × 512 bits. The 64-bit integer ‘I’ represents the length of the original message. Now, the padded message is then processed by the SHA-1 as n × 512 bit blocks.

Example 4.5 Suppose the original message is the bit string

01100001 01100010 01100011

This message has length I = 24. After ‘1’ is appended, we have 01100001 01100010 011000111. The number of bits of this bit string is 25 because I = 24. Therefore, we should append 423 ‘0’s and the two-word representation of 24, i.e. 00000000 00000018 (in hexs) for forming the final padded message as follows:

This final padded message consisting of one block contains 16 words = 16 × 8 × 4 = 512 bits for n = 1 in this case.