SHA-1

1. INTRODUCTION

The Secure Hash Algorithm (SHA-1) is required for use with the Digital Signature Algorithm
(DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash
algorithm is required for federal applica- tions. For a message of length < 2^64 bits, the SHA-1
produces a 160-bit condensed representation of the message called a message digest. The
message digest is used during generation of a signature for the message. The SHA-1 is also used
to compute a message digest for the received version of the message during the process of
verifying the signature. Any change to the message in transit will, with very high probability,
result in a different message digest, and the signature will fail to verify.

The SHA-1 is designed to have the following properties: it is computationally infeasible to find a
message which corresponds to a given message digest, or to find two different messages which
produce the same message digest.

Applications: The SHA-1 may be used with the DSA in electronic mail, electronic funds
transfer, software distribution, data storage, and other applications which require data integrity
assurance and data origin authentication. The SHA-1 may also be used whenever it is necessary
to generate a condensed version of a message.

The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and
Technology (NIST) and published as a federal information processing standard (FIPS 180) in
1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1.
The actual standards document is entitled Secure Hash Standard. SHA is based on the hash
function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In
2005, a research team described an attack in which two separate messages could be found that
deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations
previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result should
hasten the transition to newer, longer versions of SHA.

2. BIT STRINGS AND INTEGERS

The following terminology related to bit strings and integers will be used:
a. A hex digit is an element of the set {0, 1, ... , 9, A, ... , F}. A hex digit is the
representation of a 4-bit string. Examples: 7 = 0111, A = 1010.

b. A word equals a 32-bit string which may be represented as a sequence of 8 hex digits.

c. An integer between 0 and 232 - 1 inclusive may be represented as a word. The least
significant four bits of the integer are represented by the right-most hex digit of the word
representation.
 d. block = 512-bit string. A block (e.g., B) may be represented as a sequence of 16 words.

STEPS USED IN SHA-1 TO GENERATE MESSAGE DIGEST

1. MESSAGE PADDING

The SHA-1 is used to compute a message digest for a message or data file that is provided as
input. The message or data file should be considered to be a bit string. The length of the message
is the number of bits in the message (the empty message has length 0). If the number of bits in a
message is a multiple of 8, for compactness we can represent the message in hex. The purpose of
message padding is to make the total length of a padded message a multiple of 512. The SHA-1
sequentially processes blocks of 512 bits when computing the message digest. The following
specifies how this padding shall be performed. As a summary, a "1" followed by m "0"s
followed by a 64-bit integer are appended to the end of the message to produce a padded
message of length 512 * n. The 64-bit integer is l, the length of the original message. The padded
message is then processed by the SHA-1 as n 512-bit blocks.

Suppose a message has length l < 264. Before it is input to the SHA-1, the message is padded on
the right as follows:
a. "1" is appended. Example: if the original message is "01010000", this is padded to
"010100001".

b. "0"s are appended. The number of "0"s will depend on the original length of the
message. The last 64 bits of the last 512-bit block are reserved for the length l of the
original message.

2. ADD LENGTH

append a 64-bit length value to message

 3. INITIALIZE BUFFER

A sequence of logical functions f0, f1,..., f79 is used in the SHA-1. Each ft, 0 <= t <= 79, operates
on three 32-bit words B, C, D and produces a 32-bit word as output. ft(B,C,D) is defined as
follows: for words B, C, D,
ft(B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)

ft(B,C,D) = B XOR C XOR D (20 <= t <= 39)

ft(B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <= 59)

ft(B,C,D) = B XOR C XOR D (60 <= t <= 79).

A sequence of constant words K(0), K(1), ... , K(79) is used in the SHA-1. In hex these are given
by
K = 5A827999 ( 0 <= t <= 19)
 Kt = 6ED9EBA1 (20 <= t <= 39)

Kt = 8F1BBCDC (40 <= t <= 59)

Kt = CA62C1D6 (60 <= t <= 79).

4. COMPUTING THE MESSAGE DIGEST

The message digest is computed using the final padded message. The computation uses two
buffers, each consisting of five 32-bit words, and a sequence of eighty 32-bit words. The words
of the first 5-word buffer are labeled A,B,C,D,E. The words of the second 5-word buffer are
labeled H0, H1, H2, H3, H4. The words of the 80-word sequence are labeled W0, W1,..., W79. A
single word buffer TEMP is also employed.

To generate the message digest, the 16-word blocks M1, M2,..., Mn defined in Section 4 are
processed in order. The processing of each Mi involves 80 steps.

Before processing any blocks, the {Hi} are initialized as follows: in hex,
H0 = 67452301

H1 = EFCDAB89

H2 = 98BADCFE

H3 = 10325476

H4 = C3D2E1F0.

Now M1, M2, ... , Mn are processed. To process Mi, we proceed as follows:
a. Divide Mi into 16 words W0, W1, ... , W15, where W0 is the left-most word.

b. For t = 16 to 79 let Wt = S1(Wt-3 XOR Wt-8 XOR Wt- 14 XOR Wt-16).

c. Let A = H0, B = H1, C = H2, D = H3, E = H4.

d. For t = 0 to 79 do
 TEMP = S5(A) + ft(B,C,D) + E + Wt + Kt;

E = D; D = C; C = S30(B); B = A; A = TEMP;

e. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, H4 = H4 + E.

After processing Mn, the message digest is the 160-bit string represented by the 5 words
H0 H1 H2 H3 H4.

SHA-512
SHA-512 Overview

Now examine the structure of SHA-512, noting that the other versions are quite similar.
SHA-512 follows the structure depicted in Stallings Figure 12.1. The processing consists of the
following steps:
• Step 1: Append padding bits
• Step 2: Append length
• Step 3: Initialize hash buffer
• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the
algorithm
• Step 5: Output the final state value as the resulting hash
SHA-512 Compression Function

 heart of the algorithm

 processing message in 1024-bit blocks
 consists of 80 rounds
 updating a 512-bit buffer
 using a 64-bit value Wt derived from the current message block
 and a round constant based on cube root of first 80 prime numbers
 The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it
processes the message in 1024-bit (128-word) blocks, using a module that consists of 80
rounds, labeled F in Stallings Figure 12, as shown in Figure 12.2. Each round takes as
input the 512-bit buffer value, and updates the contents of the buffer. Each round t makes
use of a 64-bit value Wt derived using a message schedule from the current 1024-bit
block being processed. Each round also makes use of an additive constant Kt, based on
the fractional parts of the cube roots of the first eighty prime numbers. The output of the
eightieth round is added to the input to the first round to produce the final hash value for
this message block, which forms the input to the next iteration of this compression
function, as shown on the previous slide.

SHA-512 Round Function

The structure of each of the 80 rounds is shown in Stallings Figure 12.3. Each 64-bit word
shuffled along one place, and in some cases manipulated using a series of simple logical
functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche &
completeness properties of the hash function. The elements are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 512-bit input block.

Stallings Figure 12.4 details how the 64-bit word values Wt are derived from the 1024-bit
message. The first 16 values of Wt are taken directly from the 16 words of the current block. The
remaining values are defined as a function of the earlier values using ROTATES, SHIFTs and
XORs as shown. The function elements are:
∂0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
∂1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6).
HMAC

Providing a way to check the integrity of information transmitted over or stored in an

unreliable medium is a prime necessity in the world of open computing and
communications. Mechanisms that provide such integrity checks based on a secret key
are usually called message authentication codes (MACs). Typically, message
authentication codes are used between two parties that share a secret key in order to
authenticate information transmitted between these parties. This standard defines a MAC
that uses a cryptographic hash function in conjunction with a secret key. This mechanism
is called HMAC

The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the
original proposals. It involves hashing padded versions of the key concatenated with the
message, and then with another outer hash of the result prepended by another padded variant of
the key. The hash function need only be used on 3 more blocks than when hashing just the
original message (for the two keys + inner hash). HMAC can use any desired hash function, and
has been shown to have the same security as the underlying hash function. Can choose the hash
function to use based on speed/security concerns.

HMAC shall be used in combination with an Approved cryptographic hash function.

HMAC uses a secret key for the calculation and verification of the MACs. The main
goals behind the HMAC construction are:

To use available hash functions without modifications; in particular, hash

functions that perform well in software, and for which code is freely and widely
available,
To preserve the original performance of the hash function without incurring a
significant degradation,
To use and handle keys in a simple way,
To have a well-understood cryptographic analysis of the strength of the
authentication mechanism based on reasonable assumptions on the underlying
hash function, and
To allow for easy replaceability of the underlying hash
HMAC SPECIFICATION

To compute a MAC over the data ‘text’ using the HMAC function, the following
operation is performed:
MAC(text)t = HMAC(K, text)t = H((K0 opad )|| H((K0 ipad) || text))t
STEPS STEP-BY-STEP DESCRIPTION

Step 1 If the length of K = B: set K0 = K. Go to step 4.

Step 2 If the length of K > B: hash K to obtain an L byte string, then append (B-L)
zeros to create a B-byte string K0 (i.e., K0 = H(K) || 00...00). Go to step 4.

Step 3 If the length of K < B: append zeros to the end of K to create a B-byte string K0
(e.g., if K is 20 bytes in length and B = 64, then K will be appended with 44
zero bytes 0x00).

Step 4 Exclusive-Or K0 with ipad to produce a B-byte string: K0 ipad.

Step 5 Append the stream of data 'text' to the string resulting from step 4:
(K0 ipad) || text.

Step 6 Apply H to the stream generated in step 5: H((K0 ipad) || text).

Step 7 Exclusive-Or K0 with opad: K0 opad.

Step 8 Append the result from step 6 to step 7:

(K0 opad) || H((K0 ipad) || text).

Step 9 Apply H to the result from step 8:

H((K0 opad )|| H((K0 ipad) || text)).

Step 10 Select the leftmost t bytes of the result of step 9 as the MAC.
HMAC Security

 proved security of HMAC relates to that of the underlying hash algorithm

 attacking HMAC requires either:
 brute force attack on key used
 birthday attack (but since keyed would need to observe a very large number of
messages)
 choose hash function used based on speed verses security constraints
The appeal of HMAC is that its designers have been able to prove an exact relationship between
the strength of the embedded hash function and the strength of HMAC. The security of a MAC
function is generally expressed in terms of the probability of successful forgery with a given
amount of time spent by the forger and a given number of message-MAC pairs created with the
same key. Have two classes of attacks: brute force attack on key used which has work of order
2^n; or a birthday attack which requires work of order 2^(n/2) - but which requires the attacker
to observe 2^n blocks of messages using the same key - very unlikely. So even MD5 is still
secure for use in HMAC given these constraints.

RIPEMD-160

• RIPEMD-160 was developed in Europe as part of RIPE project in 96

• by researchers involved in attacks on MD4/5
• initial proposal strengthen following analysis to become RIPEMD-160
• somewhat similar to MD5/SHA
• uses 2 parallel lines of 5 rounds of 16 steps
• creates a 160-bit hash value
• slower, but probably more secure, than SHA

RIPEMD-160 Overview

1. pad message so its length is 448 mod 512

2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
1. process message in 16-word (512-bit) chunks:
– use 10 rounds of 16 bit operations on message block & buffer – in 2 parallel lines
of 5
– add output to input to form new buffer value
2. output hash value is the final buffer value

RIPEMD-160 Round
RIPEMD-160 Compression Function

RIPEMD-160 Design Criteria

• use 2 parallel lines of 5 rounds for increased complexity

• for simplicity the 2 lines are very similar
• step operation very close to MD5
• permutation varies parts of message used
• circular shifts designed for best results

RIPEMD-160 verses MD5 & SHA-1

• brute force attack harder (160 like SHA-1 vs 128 bits for MD5)
• not vulnerable to known attacks, like SHA-1 though stronger (compared to MD4/5)
• slower than MD5 (more steps)
• all designed as simple and compact
• SHA-1 optimised for big endian CPU's vs RIPEMD-160 & MD5 optimised for little
endian CPU’s