Computer Security CS477Lecture 7Ching-Hua ChuanSeptember 24th 2008AdministrationToday’s Outline The SHA Secure Hash Function (Chap 3.2) HMAC Secure Hash Algorithm (SHA) SHA  The first version was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard in 1993. Several versions were developed: SHA-1, SHA-256, SHA-384, SHA-512Comparisons of SHA ParametersSecurity: against birthday attackSHA-512 Input: < 2128bits, output: 512- bit message digest.Step 1: padding the message so that its length is 896 mod 1024.SHA-512Step 2: append a 128-bit block to the message.Total length = N x 1024SHA-512Step 3: initialize hash buffer.64-bit registerTotal: 512 bits5BE0CD…abcdefghSHA-512Step 4: process message in 1024-bit (128-word) blocks.SHA-512Step 4: process message in 1024-bit (128-word) blocks.SHA-512 The function:  80 rounds For each round, Wt: 64-bit from Mi Kt: an additive constant Kt:  Provides a randomized set of 64-bit patterns, eliminating any regularities in the input dataHi-1SHA-512Step 5: output is the 512-bit message digest (HN)SHA-512 Characteristics of SHA-512 Every bit of the hash code is a function of every bit of the input. The complex repetition of function F produces well-mixed results Security Strength Coming up two messages with the same hash code needs 2256operations. Finding a message with a given digest needs 2512operations.HMAC Motivations for developing a MAC from a cryptographic hash code: Hash function is faster in software than encryption Library code for has is widely available A hash function such as SHA was not designed for use as a MAC because it does not rely on a secrete keyRecall: Message Authentication Code  MAC: a small block of data generated by using a shared secrete key on the messageHMAC Objectives To use, without modifications, available hash functions. To allow easy replacement of the embedded hash function. To preserve the original performance of the hash. To use and handle keys in a simple way. To have a well-understood cryptographic analysis of the strength of the MAC based on reasonable assumptions on the embedded hash.HMAC Algorithmopad: 01011100 repeated b/8 timesK+: secrete key K padded with zero (b bits)b bitsipad: 00110110 repeated b/8 timesb bitsYi: ith block of M, 0<= i <= (L-1)b(L+1) bitsOutput: n-bit HMAC(K, M)= H[ (K+opad) || H[ (K+ipad)||M ] ]Characteristics of HMAC XOR with ipad/opad Flipping different halves of bits of K. (Randomization) So, Si Pseudorandomly generates two keys from K. Performance HMAC should execute in approximately the same time as the embedded hash.Today’s Summary The SHA Secure Hash Function (Chap 3.2) Versions, parameters, algorithm Characteristics and security strength HMAC  Motivations, objectives Algorithm