Hash Functions, the MD5 Algorithm and the Future (SHA-3)
Dylan Field, Fall ’08
SSU Math Colloquium

What is a hash?

First, Consider Humpty Dumpty...
Humpty Dumpty sat on a wall.
Humpty Dumpty had a great fall.
All the king’s horses and all the king’s men
Couldn’t put Humpty together again.
x → h(x)
BUT h(x) is a one way function
... so they can’t put Humpty together again.

x → hash function → h(x)
Humpty falls
‘hello’ → MD5 → 5d41402abc4b2a76b9719d911017c592

- going backwards -
NO!!!
5d41402abc4b2a76b9719d911017c592 → ‘hello’
- sdrawkcab gniog -

Requirements
h(x)

1. Given h(x) cannot find x
2. h(x) is constant
3. Can’t find x2 so h(x2)=h(x1)

Requirement #3 - Humpty Dumpty Style
≠ ≠ ≠ ≠ .........

so how does it work?
‘hello’ → 5d41402abc4b2a76b9719d911017c592
we’re going to focus on MD5

1. Convert ‘x’ to binary
‘hello’ → 0110100001100101011011000110110001101111

2. Pad ‘x’ so that size of x (mod 512) = 0

‘hello’ in binary: 0110100001100101011011000110110001101111
add ‘1’: 1
0’s until x mod 512 = 496: 000...000 (455 0’s)
add 16 bit binary representation of x: 0000000000101000

xpadded =
0110100001100101011011000110110001101111 1 000...000 (455 0’s) 0000000000101000

3. Break ‘x’ into 512 bit sub parts and 32 bit words
W1 = 01101000011001010110110001101100

4. Assign values to k[i], r[i], w[g], h0, h1, h2 and h3.
k[i] = |sin(i+1)| x 2^32 where ‘i’ is in radians
r[i] = Various round shift amounts
w[g] = Word number (0 – 15)
h0 = a = 0x67452301
h1 = b = 0xEFCDAB89
h2 = c = 0x98BADCFE
h3 = d = 0x10325476

5. Perform 64 rounds on each sub part
But first... binary operations!

∧ (AKA ‘AND’)

p   q   ∧
T   T   T
T   F   F
F   T   F
F   F   F

In binary: T=1, F=0

bit 1   bit 2   ∧
1       1       1
1       0       0
0       1       0
0       0       0


bit 1   bit 2   ∨
1       1       1
1       0       1
0       1       1
0       0       0

“XOR is a type of logical disjunction on two operands that results
in a value of “true” if and only if exactly one of the operands has a
value of ‘true’”

bit 1   bit 2   ⊕
1       1       F
1       0       T
0       1       T
0       0       F

¬ (not)
¬1=0
¬0=1

<< (bit shift)
1 0 1 0 1 0
0 1 0 1 0

0 1 0 1 0 0 0
Remember: a,b,c,d are h0-3

Operation A
f = (b ∧ c) ∨ (¬ b ∧ d)
g = i

Operation B
f = (d ∧ b) ∨ ((¬ d) ∧ c)
g = (5i + 1) mod 16

Operation C
f = b ⊕ c ⊕ d
g = (3i + 5) mod 16

Operation D
f = c ⊕ (b ∨ (¬ d))
g = (7i) mod 16

A B C D

b + {(a + f + k[i] + w[g]) << r[i]}

b = h1
a = h0
f = Calculated in Operations A-D
w[g] = The gth word (32 bit chunk)
k[i] = |sin(i+1)| x 2^32 where ‘i’ is in radians
r[i] = ith pre-designated shift

After all 64 rounds...

6. Add a, b, c and d to register values
h0 = h0 + a
h1 = h1 + b
h2 = h2 + c
h3 = h3 + d

7. Append the register values to create digest
128 bit digest
‘hello’ → 5d41402abc4b2a76b9719d911017c592
So?

Applications
Password Protection
Message Integrity
Digital Signatures

Password Protection

When you registered...
‘password’ → MD5 → 5f4dcc3b5aa765d61d8327deb882cf99 → Data Base

‘password’ → MD5 → 5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99 = stored, hashed password?
No. Give ‘incorrect password’ error
Yes. Let user into website

Attacks
Rainbow Tables
omgyouarenevergoingtocrackthis123    1c9fee8bd70a5afb630fc4f38e97123f
and Brute Force Attacks
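
The password flow above next to a hardened one, as an added example that is not from the original talk. The precomputed dictionary is the simplest relative of a rainbow table; the word list, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000                     # assumed work factor for this example
COMMON = ["123456", "password", "qwerty", "letmein"]   # constructed sample list


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Weak scheme from the slides: the database stores the bare MD5 digest, so
# the same password always produces the same stored value for every user.
def weak_register(password: str) -> str:
    return md5_hex(password)


# Why that is weak: digests of likely passwords can be computed once, ahead
# of time, and any stored value found in the table is recovered immediately.
PRECOMPUTED = {md5_hex(p): p for p in COMMON}


def recoverable(stored_hex: str):
    return PRECOMPUTED.get(stored_hex)


# Hardened scheme: random per-user salt plus deliberately slow key derivation.
def register(password: str):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest                  # both are stored in the database


def login(record, attempt: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison
```

With the salt, two users who both choose ‘password’ get different stored values, so one precomputed table no longer covers the whole database.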
Message Integrity
digest
File Verification
Guarding against corruption
Proving you have something before you release it
Attacks
Nostradamus Attack
But on November 30th 2007...
“We have used a Sony Playstation 3 to correctly predict the
outcome of the 2008 US presidential elections. In order not to
influence the voters we keep our prediction secret, but commit to it
by publishing its cryptographic hash on this website. The
document with the correct prediction and matching hash will be
revealed after the elections.”

- Marc Stevens, Arjen Lenstra and Benne de Weger


3D515DEAD7AA16560ABA3E9DF05CBC80
But how could they have known!?!?
They didn’t.
Digital Signatures
[Diagram: message → MD5 → hash → private key → encrypted hash; encrypted hash → public key → hash, compared (✔) with the MD5 hash of the message]
Attacks
Collision Attack
[Diagram: Changed Message → MD5 → hash, which still matches (✔) the hash recovered from the encrypted hash with the public key]
Very Dangerous!
Birthday Attack
Relies on ‘Birthday Paradox’

First we calculate the chance no one has the same birthday
p(1)=100%
p(2)=(1)(1 - 1/365)
p(3)=(1)(1 - 1/365)(1 - 2/365)

To Generalize...
P(n) = 365! / (365^n (365-n)!)

23    50% chance
30    70.6% chance
50    97% chance

We can use this property to find out how many hashes must be calculated to find a collision.
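
The birthday calculation carried over to hashes, as an added example that is not from the original talk. It goes one step beyond the slides by searching for a collision on an MD5 digest truncated to 24 bits, so the number of hashes needed can be observed directly; the function names and the msg-0, msg-1, ... inputs are constructed for this example.

```python
import hashlib
import math


def p_shared(n: int, days: int = 365) -> float:
    """1 - P(n): chance that at least two of n people share a birthday."""
    p_none = 1.0
    for k in range(n):
        p_none *= (days - k) / days      # (1)(1 - 1/365)(1 - 2/365)...
    return 1.0 - p_none


def hashes_for_collision(bits: int, p: float = 0.5) -> float:
    """Approximate number of random digests needed for a collision with
    probability p when there are 2^bits possible values:
    n ~ sqrt(2 * 2^bits * ln(1 / (1 - p)))."""
    return math.sqrt(2.0 * math.log(1.0 / (1.0 - p))) * 2.0 ** (bits / 2)


def md5_prefix(msg: bytes, bits: int) -> int:
    """First `bits` bits of the MD5 digest of msg, as an integer."""
    return int.from_bytes(hashlib.md5(msg).digest(), "big") >> (128 - bits)


def find_truncated_collision(bits: int = 24):
    """Hash msg-0, msg-1, ... until two inputs share the same prefix.
    Returns both inputs and how many hashes were computed."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        prefix = md5_prefix(msg, bits)
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
        i += 1
```

A 24-bit digest has about 16.7 million values, yet the search typically ends after a few thousand hashes; the same square-root rule puts a full 128-bit digest at roughly 2^64 hashes.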
Current State of MD5
MD5 = Broken
The Future of Hashes
Submissions were due on October 30th
Currently Submitted
Skein, Maraca, BLAKE, MD6, Keccak, CubeHash, Edon-R, Ponic, EnRUPT, SHAMATA,
MCSSHA-3, Sgàil, Blue Midnight Wish, Grøstl, ESSENCE, WaMM, Boole, NaSHA,
NKS2D, Waterfall
Thank you for coming!
Any Questions?