Internet.Security
.pdf
150 |
INTERNET SECURITY |
4.4.2 Initialise 160-bit Buffer
The 160-bit buffer consists of five 32-bit registers (A, B, C, D and E). Before processing any blocks, these registers are initialised to the following hexadecimal values:
H0 |
= |
67 |
45 |
23 |
01 |
H1 |
= |
ef |
cd |
ab |
89 |
H2 |
= |
98 |
ba |
dc |
fe |
H3 |
= |
10 |
32 |
54 |
76 |
H4 |
= c3 d2 e1 f0 |
||||
Note that the first four values are the same as those used in MD5. The only difference is the use of a different rule for expressing the values, i.e. high-order octets first for SHA and low-order octets first for MD5.
Each operation performs a nonlinear operationFof three of A, B, C and D, and then does
4.4.3 Functions Used |
|
Y |
|
|
A sequence of logical functions f0 |
, f1 |
|
||
, . . . , f79 is used in SHA-1. Each function ft , 0 |
||||
|
|
L |
|
|
t 79, operates on three 32-bit words B, C and D, and produces a 32-bit word as output. |
||||
shifting and adding as in MD5. The set of SHA primitive functions, ft (B, C, D) is defined
as follows: |
|
|
|
|
|
|
|
M |
|
|
|||
ft (B, C, D) |
|
(B • C) |
|
(B • D), 0 |
|
|
|
||||||
|
|
|
t |
19 |
|
|
|
|
|||||
|
= |
|
+ |
|
|
A |
|
|
|
|
|||
|
|
|
|
|
|
|
|
||||||
ft (B, C, D) = B C D, 20Et 39 |
D), 40 |
|
t |
|
59 |
||||||||
ft (B, C, D) |
= |
(B • C) |
|
(B • D) |
(C |
· |
|
|
|||||
|
|
+T+ |
|
|
|
|
|
|
|||||
ft (B, C, D) = B C D, 60 t 79
where B • C = bitwise logical ‘AND’ of B and C B C = bitwise logical XOR of B and C
B = bitwise logical ‘complement’ of B + = addition modulo 232
As you can see, only three different functions are used. For 0 ≤ t ≤ 19, the function ft acts as a conditional: if B then C else D. For 20 ≤ t ≤ 39 and 60 ≤ t ≤ 79, the function ft is true if two or three of the arguments are true. Table 4.7 is a truth table of these functions.
4.4.4Constants Used
Four distinct constants are used in SHA-1. In hexadecimal, these values are given by
Kt = 5a827999, |
0 ≤ t ≤ 19 |
Kt = 6ed9eba1, |
20 ≤ t ≤ 39 |
Kt = 8fbbcdc, |
40 ≤ t ≤ 59 |
Kt = ca62c1d6, 60 ≤ t ≤ 79
Team-Fly®
HASH FUNCTION, MESSAGE DIGEST AND HMAC |
151 |
Table 4.7 Truth table of four nonlinear functions for SHA-1
B |
C |
D |
f0,1,...,19 |
f20,21,...,39 |
f40,41,...,59 |
f60,61,...,79 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
1 |
1 |
1 |
0 |
1 |
0 |
1 |
0 |
0 |
1 |
0 |
1 |
0 |
1 |
1 |
1 |
0 |
1 |
0 |
1 |
0 |
0 |
0 |
1 |
0 |
1 |
1 |
0 |
1 |
0 |
0 |
1 |
0 |
1 |
1 |
0 |
1 |
0 |
1 |
0 |
1 |
1 |
1 |
1 |
1 |
1 |
1 |
|
|
|
|
|
|
|
4.4.5Computing the Message Digest
The message digest is computed using the final padded message. To generate the message digest, the 16-word blocks (M0 to M15) are processed in order. The processing of each Mi involves 80 steps. That is, the message block is transformed from 16 32-bit words (M0 to M15) to 80 32-bit words (W0 to W79) using the following algorithm.
Divide Mi into 16 words W0, W1, . . . , W15, where W0 is the leftmost word. For t = 0 to 15, Wt = Mt . For t = 16 to 79, Wt = S1(Wt−16 Wt−14 Wt−8 Wt−3).
Let A = H0, B = H1, C = H2, D = H3, E = H4. For t = 0 to 79 do TEMP = S5(A) + Ft (B, C, D) + E + Wt + Kt ;
E = D; D = C; C = S30(B); B = A; A = TEMP
where:
A, B, C, D, E: Five words of the buffer t: Round number, 0 ≤ t ≤ 79
Si : Circular left shift by i bits
Wt : A 32-bit word derived from the current 512-bit input block Kt : An additive constant
+ : Addition modulo 232
After all N 512-bit blocks have been processed, the output from the N th stage is the 160-bit message digest, represented by the five words H0, H1, H2, H3 and H4.
The SHA-1 operation looking at the logic in each of 80 rounds of one 512-bit block is shown in Figure 4.13.
Example 4.6 Show how to derive |
the 32-bit words Wt , 0 t 79, from the 512- |
|||
bit message. |
|
|
|
|
|
|
|
|
|
|
t |
|
Wt |
|
|
|
|
|
|
0 |
W0 |
= M0 |
||
1 |
W1 |
= M1 |
||
. . . . . . . . . . . . . .
152 INTERNET SECURITY
t |
|
Wt |
15 |
|
M |
W15 |
= 115 |
|
16 |
W16 = S1 (W0 W2 W8 W13) |
|
17 |
W17 = S (W1 W3 W9 W14) |
|
.. . . . . . . . . . . . . . . . . . . . . . . .
|
1 |
(W14 W16 W22 W27) |
30 |
W30 = S1 |
|
31 |
W31 = S |
(W15 W17 W23 W28) |
.. . . . . . . . . . . . . . . . . . . . . . . .
|
1 |
(W43 W45 W51 W56) |
59 |
W59 = S1 |
|
60 |
W60 = S |
(W44 W46 W52 W57) |
.. . . . . . . . . . . . . . . . . . . . . . . .
|
1 |
(W62 W64 W70 W75) |
78 |
W78 = S1 |
|
79 |
W79 = S |
(W63 W65 W71 W76) |
A |
S5 |
A |
B |
S30 |
B |
C |
ft |
C |
D |
|
D |
E |
|
E |
|
Wt |
Kt |
Figure 4.13 SHA-1 operation.
Example 4.7 Let the original message be 1a7fd53b4c. Then, the final padded message consists of the following 16 words:
1a7fd53b |
4c800000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000028 |
The initial hex values of {Hi } are
H0 = 67452301
H1 = efcdab89
HASH FUNCTION, MESSAGE DIGEST AND HMAC |
153 |
H2 = 98badcfe
H3 = 10325476
H4 = c392e1f0
The hex values of A, B, C, D and E after pass t (0 ≤ t ≤ 79) are computed as follows:
|
|
|
Register output |
|
|
t |
A |
B |
C |
D |
E |
|
|
|
|
|
|
0 |
ba346dee |
67452301 |
7bf36ae2 |
98badcfe |
10325476 |
1 |
f9be8ae4 |
ba346dee |
59d148c0 |
7bf36ae2 |
98badcfe |
2 |
84e1fdf6 |
f9be8ae4 |
ae8d1b7b |
59d148c0 |
7bf36ae2 |
3 |
1b82edab |
84e1fdf6 |
3e6fa2b9 |
ae8d1b7b |
59d148c0 |
4 |
531f1a75 |
1b82edab |
a1387f7d |
3e6fa2b9 |
ae8d1b7b |
5 |
926052f7 |
531f1a75 |
c6e0bb6a |
a1387f7d |
3e6fa2b9 |
6 |
c71cfaac |
926052f7 |
54c7c69d |
c6e0bb6a |
a1387f7d |
7 |
341b3a4b |
c71cfaac |
e49814bd |
54c7c69d |
c6e0bb6a |
8 |
79a59326 |
341b3a4b |
31c73eab |
e49814bd |
54c7c69d |
9 |
d47fe3c4 |
79a59326 |
cd06ce92 |
31c73eab |
e49814bd |
10 |
185db57b |
d47fe3c4 |
9e6964c9 |
cd06ce92 |
31c73eab |
11 |
3569d479 |
185db57b |
351ff8f1 |
9e6964c9 |
cd06ce92 |
12 |
6b01c842 |
3569d479 |
c6176d5e |
351ff8f1 |
9e6964c9 |
13 |
5d3c5387 |
6b01c842 |
4d5a751e |
c6176d5e |
351ff8f1 |
14 |
04434893 |
5d3c5387 |
9ac07210 |
4d5a751e |
c6176d5e |
15 |
c1456f97 |
04434893 |
d74f14e1 |
9ac07210 |
4d5a751e |
16 |
a44dbea6 |
c1456f97 |
c110d224 |
d74f14e1 |
9ac07210 |
17 |
ef0512e1 |
a44dbea6 |
f0515be5 |
c110d224 |
d74f14e1 |
18 |
f3c545ab |
ef0512e1 |
a9136fa9 |
f0515be5 |
c110d224 |
19 |
b78ca1cc |
f3c545ab |
7bc144b8 |
a9136fa9 |
f0515be5 |
20 |
a3d6efd7 |
b78ca1cc |
fcf1516a |
7bc144b8 |
a9136fa9 |
21 |
c3880afc |
a3d6efd7 |
2de32873 |
fcf1516a |
7bc144b8 |
22 |
a25fd097 |
c3880afc |
e8f5bbf5 |
2de32873 |
fcf1516a |
23 |
2263e9cb |
a25fd097 |
30e202bf |
e8f5bbf5 |
2de32873 |
24 |
cd820d01 |
2263e9cb |
e897f425 |
30e202bf |
e8f5bbf5 |
25 |
9824bad0 |
cd820d01 |
c898fa72 |
e897f425 |
30e202bf |
26 |
59e04bcd |
9824bad0 |
73608340 |
c898fa72 |
e897f425 |
27 |
b7581fd3 |
59e04bcd |
26092eb4 |
73608340 |
c898fa72 |
28 |
7efb6e25 |
b7581fd3 |
567812f3 |
26092eb4 |
73608340 |
29 |
18d1583d |
7efb6e25 |
edd607f4 |
567812f3 |
26092eb4 |
30 |
42659f77 |
18d1583d |
5fbedb89 |
edd607f4 |
567812f3 |
31 |
22b4bfef |
42659f77 |
4634560f |
5fbedb89 |
edd607f4 |
32 |
a9390191 |
22b4bfef |
d09967dd |
4634560f |
5fbedb89 |
33 |
ffd2919f |
a9390191 |
c8ad2ffb |
d09967dd |
4634560f |
34 |
a0585c33 |
ffd2919f |
6a4e4064 |
c8ad2ffb |
d09967dd |
|
|
|
|
|
|
154 INTERNET SECURITY
|
|
|
Register output |
|
|
t |
A |
B |
C |
D |
E |
|
|
|
|
|
|
35 |
8fae2fc9 |
a0585c33 |
fff4a467 |
6a4e4064 |
c8ad2ffb |
36 |
5337d670 |
8fae2fc9 |
e816170c |
fff4a467 |
6a4e4064 |
37 |
7044d0fe |
5337d670 |
63eb8bf2 |
e816170c |
fff4a467 |
38 |
78304e61 |
7044d0fe |
14cdf59c |
63eb8bf2 |
e816170c |
39 |
2c5ca6b0 |
78304e61 |
9c11343f |
14cdf59c |
63eb8bf2 |
40 |
f304b895 |
2c5ca6b0 |
5e0c1398 |
9c11343f |
14cdf59c |
41 |
e89d0d8b |
f304b895 |
b1729ac |
5e0c1398 |
9c11343f |
42 |
79f30210 |
e89d0d8b |
7cc12e25 |
b1729ac |
5e0c1398 |
43 |
f37223c6 |
79f30210 |
fa274362 |
7cc12e25 |
0b1729ac |
44 |
f53bdd27 |
f37223c6 |
1e7cc084 |
fa274362 |
7cc12e25 |
45 |
b1cf753c |
f53bdd27 |
bcdc88f1 |
1e7cc084 |
fa274362 |
46 |
d9030e9b |
b1cf753c |
fd4ef749 |
bcdc88f1 |
1e7cc084 |
47 |
9bf173ff |
d9030e9b |
2c73dd4f |
fd4ef749 |
bcdc88f1 |
48 |
bae46f3c |
9bf173ff |
f640c3a6 |
2c73dd4f |
fd4ef749 |
49 |
e8be1481 |
bae46f3c |
e6fc5cff |
f640c3a6 |
2c73dd4f |
50 |
4a0bb5b8 |
e8be1481 |
2eb91bcf |
e6fc5cff |
f640c3a6 |
51 |
6d99dcd5 |
4a0bb5b8 |
7a2f8520 |
2eb91bcf |
e6fc5cff |
52 |
5e0e5623 |
6d99dcd5 |
1282ed6e |
7a2f8520 |
2eb91bcf |
53 |
422c7e52 |
5e0e5623 |
5b667735 |
1282ed6e |
7a2f8520 |
54 |
e6ca43ae |
422c7e52 |
d7839588 |
5b667735 |
1282ed6e |
55 |
835bd439 |
e6ca43ae |
908b1f94 |
d7839588 |
5b667735 |
56 |
32a7862d |
835bd439 |
b9b290eb |
908b1f94 |
d7839588 |
57 |
250ada00 |
32a7862d |
60d6f50e |
b9b290eb |
908b1f94 |
58 |
a46d627b |
250ada00 |
4ca9e18b |
60d6f50e |
b9b290eb |
59 |
0588823a |
a46d627b |
942b680 |
4ca9e18b |
60d6f50e |
60 |
2d9bba2e |
588823a |
e91b589e |
0942b680 |
4ca9e18b |
61 |
8d8fb303 |
2d9bba2e |
8162208e |
e91b589e |
0942b680 |
62 |
860d6a4f |
8d8fb303 |
8b66ee8b |
8162208e |
e91b589e |
63 |
14b64733 |
860d6a4f |
e363ecc0 |
8b66ee8b |
8162208e |
64 |
7f486fbe |
14b34733 |
e1835a93 |
e363ecc0 |
8b66ee8b |
65 |
7d3d3745 |
7f486fbe |
c52cd1cc |
e1835a93 |
e363ecc0 |
66 |
d17b4506 |
7d3d3745 |
9fd21bef |
c52cd1cc |
e1835a93 |
67 |
2e4967ee |
d17b4506 |
5f4f4dd1 |
9fd21bef |
c52cd1cc |
68 |
cc1e45de |
2e4967ee |
b45ed141 |
5f4f4dd1 |
9fd21bef |
69 |
b3f80c20 |
cc1e45de |
8b9259fb |
b45ed141 |
5f4f4dd1 |
70 |
f124837a |
b3f80c20 |
b3079177 |
8b9259fb |
b45ed141 |
71 |
56ed70b1 |
f124837a |
2cfe0308 |
b3079177 |
8b9259fb |
72 |
d8b0d990 |
56ed70b1 |
bc4920de |
2cfe0308 |
b3079177 |
73 |
1d849b17 |
d8b0d990 |
55bb5c2c |
bc4920de |
2cfe0308 |
74 |
84257988 |
1d849b17 |
362c3664 |
55bb5c2c |
bc4920de |
75 |
9eec3055 |
84257988 |
c76126c5 |
362c3664 |
55bb5c2c |
76 |
6240e72c |
9eec3055 |
21095e62 |
c76126c5 |
362c3664 |
|
|
|
|
|
|
HASH FUNCTION, MESSAGE DIGEST AND HMAC |
155 |
|
|
|
Register output |
|
|
t |
A |
B |
C |
D |
E |
|
|
|
|
|
|
77 |
8243ecda |
6240e72c |
67bb0c15 |
21095e62 |
c76126c5 |
78 |
a8342af0 |
8243ecda |
189039cb |
67bb0c15 |
21095e62 |
79 |
e1426096 |
a8342af0 |
a090fb36 |
189039cb |
67bb0c15 |
|
|
|
|
|
|
After all 512-bit blocks have been processed, the output represented by the five words, H0, H1, H2, H3 and H4 is the 160-bit message digest as shown below:
H0: 48878397
H1: 9801d679
H2: 394bd834
H3: 28c28e41
H4: 2b8dee05
The 160-bit message digest is then the data concatenation of {Hi }:
H0||H1||H2||H3||H4 = 488783979801d679394bd83428c28e412b8dee05
As discussed previously, the digitised document or message of any length can create a 160-bit message digest which is produced using the SHA-1 algorithm.
Any change to a digitised message in transit results in a different message digest. In fact, changing a single bit of the data modifies at least half of the resulting digest bits. Furthermore, it is computationally impossible to find two meaningful messages that have the same 160-bit digest. On the other hand, given a 160-bit message digest, it is also impossible to find a meaningful message with that digest.
4.5 Hashed Message Authentication Codes (HMAC)
The keyed-hashing Message Authentication Code (HMAC) is a key-dependent one-way hash function which provides both data integrity and data origin authentication for files sent between two users. HMACs have the same properties as the one-way hash functions discussed earlier in this chapter, but they also include a secret key. HMACs can be used to authenticate data or files between two users (data authentication). They can also be used by a single user to determine whether or not his files have been altered (data integrity).
To evaluate HMAC over the message or file, the following expression is required to compute:
HMAC = H [(K opad)||H [(K ipad)||M]]
where ipad = inner padding
= 0 x 36 (repeated b times)
156 |
INTERNET SECURITY |
=00110110 (0 x 36) repeated 64 times (512 bits) opad = outer padding
=0 x 5c (repeated b times)
=01011100 (0 x 5c) repeated 64 times (512 bits)
b: Block length of 64 bytes = 512 bits
h: Length of hash values, i.e. h = 16 bytes = 128 bits for MD5 and h = 20 bytes = 160 bits for SHA-1.
K: Secret key of any length up to b = 512 bits.
H : Hash function where message is hashed by iterating a basic key K.
The HMAC equation is explained as follows:
1.Append zeros to the end of K to create a b-byte string (i.e. if K = 160 bits in length
and b = 512 bits, then K should be appended with 352 zero bits or 44 zero bytes 0x00, resulting in K = (K||0x00)
2.XOR (bitwise exclusive-OR) K with ipad to produce the b-bit block computed in step 1.
3.Append M to the b-byte string resulting from step 2.
4.Apply H to the stream generated in step 3.
5.XOR (bitwise exclusive-OR) K with opad to produce the b-byte string computed in step 1.
6.Append the hash result H from step 4 to the b-byte string resulting from step 5.
7.Apply H to the stream generated in step 6 and output the result.
Figure 4.14 illustrates the overall operation of HMAC, explaining the steps, listed above.
Example 4.8 Consider HMAC computation by using a hash function SHA-1. Assume that the message (M), the key (K) and the initialisation vector (IV) are given as follows:
M: 0x1a7fd53b4c
K: 0x31fa7062c45113e32679fd1353b71264
IV: A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe,
D = 0x10325476, E = 0xc3d2e1f0
Referring to Figure 4.14, the HMAC – SHA-1 calculation proceeds with the steps shown below:
K = K||(0x00 . . . 00)(512 bits)
= 31fa7062 c45113e3 2679fd13 53b71264 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
HASH FUNCTION, MESSAGE DIGEST AND HMAC |
157 |
K
|
Padding |
|
|
|
|
|
|
|
K ′ = 512 bits |
|
M |
|
|
|
|
|
|
|
b = 512 bits |
|
b = 512 bits |
|
|
M |
|
|
|
|
|
b |
b |
b |
|
b |
|
ipad |
|
Ωi || M |
… |
|||||
|
Ωi |
M0 M1 |
ML −1 |
|||||
Ωi = K ′ ipad ≡ b |
|
|
|
|
b = 512 bits |
|
||
opad |
IV |
|
H |
|
|
|
|
|
Ωo = 512 bits |
160 bits (SHA-1) |
h = 160 bits (SHA-1) |
|
|
||||
|
128 bits (MD5) |
|
|
128 bits (MD5) |
|
|
|
|
Padding
h′ = 512 bits
||
160 bits (SHA-1) IV 
H
128 bits (MD5)
HMAC(M)
Figure 4.14 Overall operation of HMAC computation using either MD5 or SHA-1 (message length computation is based on i ||M).
i = K ipad = K (0x3636 . . . 36)
= 07cc4654 f26725d5 104fcb25 65812452 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636
M = 1a7fd53b 4c800000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000228
i ||M :
07cc4654 f26725d5 104fcb25 65812452 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 36363636 1a7fd53b 4c800000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000228
158 |
INTERNET SECURITY |
h= H (M , IVi) = Inner SHA-1
= 9691eb0c d263a12f ab7e0e2f e60ced5f 546c857a
o = K opad = K (0x5c5c . . . 5c)
= 6da62c3e |
980d4fbf |
7a25a14f |
0feb4e38 |
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c |
|||
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c |
|||
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c |
|||
h = 9691eb0c |
d263a12f |
ab7e0e2f |
e60ced5f |
546c857a 80000000 00000000 00000000 |
|||
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
00000000 |
000002a0 |
o||h :
6da62c3e 980d4fbf 7a25a14f 0feb4e38 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c 9691eb0c d263a12f ab7e0e2f e60ced5f 546c857a 80000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 000002a0
HMAC[ o||h ] = Outer SHA-1
= c19e1236 ae346195 16594259 4c5202b3 4a85c5e
The alternative operation for computation of either HMAC-MD5 or HMAC-SHA-1 is based on the following expression:
HMAC = H [H [M, (IV)i], (IV)o]
(IV)i = f[(K ipad), IV]
(IV)o = f[(K opad), IV]
K = K||(0x00 . . . 0) (512bits)
The procedure can be explained in words as follows:
1.Append zeros to K to create a b-bit string K , where b = 512 bits.
2.XOR K (padding with zero) with ipad to produce the b-bit block.
3.Apply the compression function f(K ipad, IV) to produce (IV)i = 160 bits for SHA-1.
4.Compute the hash code h with (IV)i and Mi.
HASH FUNCTION, MESSAGE DIGEST AND HMAC |
159 |
5.Raise the hash value computed from step 4 to a b-bit string.
6.XOR K (padded with zeros) with opad to produce the b-bit block.
7.Apply the compression function f(K opad, IV) to produce (IV)o = 160 bits for SHA-1.
8.Compute the HMAC with (IV)o and the raised hash value resulted from step 5.
Figure 4.15 shows the alternative scheme based on the above steps.
Example 4.9 Consider the HMAC computation by the alternative method. Assume that the message (M), the key (K) and the initialisation vector (IV) are given as follows:
M : 0x 1a7fd53b4c |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||
K : 0x 31fa7062c45113e32679fd1353b71264 |
|
|
|
|
|
|
|
|
||||||||||||||||||||
IV: A = 0x67452301, B = 0xefcdab89, |
C = 0x98badcfe, |
|
|
|
||||||||||||||||||||||||
D = 0x10325476, E = 0xc3d2e1f0. |
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
K |
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
M |
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
b |
|
b |
b |
|
||||
|
|
|
|
|
Padding |
|
h′ = 512 bits |
|||||||||||||||||||||
|
|
|
|
|
|
|
M0 |
M1 |
· · · |
ML−1 |
||||||||||||||||||
|
|
|
|
|
K′ |
= 512 bits |
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
ipad |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mi, i = 0, 1, · · ·, L − 1 |
|||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||
|
|
|
|
|
|
|
|
|
||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||
|
160 bits (SHA-1) |
|
Ωi |
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||||
|
128 bits (MD5) |
|
|
|
(IV)i |
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||
|
IV |
|
|
|
|
|
|
|
|
|
f |
|
|
|
|
|
H |
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
160 bits (SHA-1) |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
128 bits (MD5) |
|
|
|
h = 160 bits (SHA-1) |
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
128 bits (MD5) |
||||||
|
|
|
|
|
K′ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
opad |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Padding |
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Ωo |
|
|
|
|
|
|
|
|
|
|
|
|
||
|
IV |
|
|
|
|
|
|
|
|
|
|
|
|
(IV)o |
|
|
|
|
|
|
|
h′ = 512 bits |
||||||
|
|
|
|
|
f |
|
|
|
|
|
|
|
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|||||||||||||||||||
|
160 bits (SHA-1) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
128 bits (MD5) |
|
|
|
|
|
|
|
|
|
|
H |
|
|
|
|
|
|||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
160 bits (SHA-1) |
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
128 bits (MD5) |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
HMAC(M) |
|
|
|
||||
Figure 4.15 Alternative operation of HMAC computation using MD5 or SHA-1 (message length computation is based on M only).