4 Hash Function, Message Digest and Message Authentication Code As digital signature technology becomes more widely understood and utilised, many countries world-wide are competitively developing their own signature standards for their use and applications. Some electronic applications utilising digital signatures in electronic commerce (e- commerce) include e-mail and financial transactions. E-mail may need to be digitally signed, where sensitive information is being transmitted and security services such as sender authentication, message integrity and non-repudiation are desired. Financial trans- actions, in which money is being transferred directly or in exchange for services and goods, could also benefit from the use of digital signatures. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller than the message. In e-commerce, it is often necessary for communication parties to verify each other’s identity. One practical way to do this is with the use of cryptographic authentication protocols employing a one-way hash function. Division into fixed-bit blocks can be accom- plished by mapping the variable-length message on to the suitable-bit value by padding with all zeros, including one bit flag and the original message length in hex. Appropriate padding is needed to force the message to divide conveniently into certain fixed lengths. Several algorithms are introduced in order to compute message digests by employing several hash functions. The hash functions dealt with in this chapter are DMDC (1994), MD5 (1992) and SHA-1 (1995). 4.1 DMDC Algorithm DES-like Message Digest Computation (DMDC) uses a DES variant as a one-way hash function. In 1994, this scheme was introduced to compute the 18-bit authentication data Internet Security. Edited by M.Y. Rhee  2003 John Wiley & Sons, Ltd ISBN 0-470-85285-2 124 INTERNET SECURITY with CDMA cellular mobile communications system. DMDC divides messages into blocks of 64 bits. The DMDC hash function generates message digests with variable sizes – 18, 32, 64 or 128 bits. This scheme is appropriate for the use of digital signatures and hence it can be employed to increase Internet security. The message to be signed is first divided into a sequence of 64-bit blocks: M 1 ,M 2 , ,M t Appropriate padding rules need to be devised for messages that do not divide conveniently. The adjacent message blocks are hashed together with a self-generated key. A better approach is to use one block (64 bits) of the correct message length as the key. Figure 4.1 shows a typical scheme for hash code computation for M = 192 bits using DMDC. 4.1.1 Key Schedule One authentication problem in the CDMA mobile system is how to confirm the iden- tity of the mobile station by exchanging information between a mobile station and base station. When the authentication field of the access parameters message is set to ‘01’, the mobile station attempts to register by sending a registration request message on the access channel; and the authentication procedure will be performed. Computing the authentication data of mobile station registrations, it is necessary to have a 152-bit mes- sage value which complies with RAND (32 bits), ESN (32 bits), MIN (24 bits) and SSD-A (64bits): RAND: Authentication random challenge value ESN: Electronic serial number MIN: Mobile station identification number SSD-A: Shared secret data to support the authentication procedure. The 192-bit value is composed of 152-bit message length and 40-bit padding. Suppose M 1 , M 2 and M 3 are decompositions of a 192-bit padded message. M 1 = 64 bits will be used as input to the key generation scheme in Figure 4.1. The Permuted Choice 2 operation will produce the 48-bit key that is arranged into a 6 × 8 array as shown below: Input (column by column) ⇓ 1 7 13 19 25 31 37 43 2 8 14 20 26 32 38 44 3 9 15 21 27 33 39 45 410162228344046 511172329354147 612182430364248 HASH FUNCTION, MESSAGE DIGEST AND HMAC 125 M = 192 bits M = 64 bits M = 64 bits M = 64 bits C 0 = 28 bits D 0 = 28 bits <<< 1 <<< 1 C 1 D 1 PC-1 (56 bits) PC-2 (48 bits) L 1 = 32 bits R 1 = 32 bits L 1 = 32 bits R 1 = 32 bits E(L 1 ) = 48 bits E(L 1 ) = 48 bits E(L 1 ) = 48 bits E(L 1 ) = 48 bits IP IP <<< 3 <<< 1 RWP CWP <<< 2 <<< 5 <<< 10 Message digest (64 bits) PC: Permuted choice IP: Initial permutation RWP: Row-wise permutation CWP: Column-wise permutation : Concatenation : Addition of 32-bit integers module 2 32 : Multiplication of 32-bit integers module 2 32 + 1 K = 48 bits K 2 K 3 K 4 K 1 Key generation scheme Γ 1 = E(L 1 )⊕K 1 Γ 2 = E(R 1 )⊕K 2 Γ 3 = E(L 2 )⊕K 3 Γ 4 = E(R 2 )⊕K 4 (S-box) 1 (S-box) 2 (S-box) 3 (S-box) 4 Ω 1 (32 bits) Ω 2 (32 bits) Ω 3 (32 bits) Ω 4 (32 bits) P(Ω 1 ) (32 bits) P(Ω 2 ) (32 bits) P(Ω 3 ) (32 bits) P(Ω 4 ) (32 bits) Figure 4.1 DMDC algorithm for M = 192 bits. 126 INTERNET SECURITY Row-wise permutation 511172329354147 1 7 13 19 25 31 37 43 3 9 15 21 27 33 39 45 612182430364248 2 8 14 20 26 32 38 44 410162228344046 Column-wise permutation 113554717412923 73114313372519 93334516392721 123664818423024 83224414382620 103444616402822 → output (row by row) Thus, a 48-bit key generation from M 1 is computed as shown in Table 4.1. Example 4.1 Assume that division of the 192-bit padded message into 64 bits con- sists of: M 1 = 7a138b2524af17c3 M 2 = 17b439a12f51c5a8 M 3 = 51cb360000000000 Note that no one-bit flag and no message length in hex are inserted in this example. The 48-bit key generation using row/column permutations is given below. Assume that thefirstdatablock M 1 is used as the key input. Using Table 3.1 (PC-1), M 1 splits into two blocks: C 0 = a481394,D 0 = e778253 As shown in Table 3.2, C 1 and D 1 are obtained from C 0 and D 0 by shifting one bit to the left, respectively. C 1 = 4902729,D 1 = cef04a7 Table 4.1 A 48-bit key generation by row/column permutations 113554717 412923 731 14313372519 9 33 3 45 15 39 27 21 12 36 6 48 18 42 30 24 83224414 3/826201034 44616402822 HASH FUNCTION, MESSAGE DIGEST AND HMAC 127 Using Table 3.3 (PC-2), the 48-bit compressed key is computed as: K 0 = 058c4517a7a2. Finally, using Table 4.1, the 48-bit key with the row/column permutations is computed as: K = 5458c42bcc07 This is the key block to be provided for M 2 and M 3 , as shown in Example 4.2. Example 4.2 Referring to Figure 4.1, M 2 = 17b439a12f51c5a8 and M 3 = 51cb360000000000 are processed as follows: Using Table 3.4, M 2 and M 3 are divided into L 1 = 6027537d,R 1 = ca9e9411 and L 2 = 03050403,R 2 = 02040206. Expansion of these four data blocks using Table 3.5 yields E (L 1 ) = b0010eaa6bfa, E(R 1 ) = e554fd4a80a3 and E(L 2 ) = 80680a808006 E(R 2 ) = 00400800400c The 48-bit key, K = 5458c42bcc07, obtained through row/column permutations, should be shifted 0, 2, 1 and 3 bits to the left such that K 1 = 5458c42bcc07 (zero shift) K 2 = a8b18857970e (two shifts) K 3 = 516310af301d (one shift) K 4 = a2c6215e603a (three shifts) These four keys are used for XORing with expanded blocks such that  1 = E(L 1 ) ⊕ K 1 = e459ca81a7fd  2 = E(R 1 ) ⊕ K 2 = b437ede5b0be  3 = E(L 2 ) ⊕ K 3 = 28d982d71808  4 = E(R 2 ) ⊕ K 4 = a286295e2036 These four  i , 1 ≤ i ≤ 4, are inputs to the (S-box) i , respectively. Using Table 3.6, the outputs  i of S-boxes are computed as:  1 = a4064766  2 = 1d1dabb8  3 = f89d0b16  4 = dabaae4d 128 INTERNET SECURITY Applying the operation of Table 3.7 to each  i yields: P ( 1 ) = 00f63638 P( 2 ) = 9f2874d3 P( 3 ) = 96aab362 P( 4 ) = 5df889ee These four data blocks resulting from Table 3.7 are used for the computation of message digests (or hash codes), as shown in Example 4.3. 4.1.2 Computation of Message Digests Example 4.3 Compute the hash codes as follows: 32-bit hash code computation: Figure 4.2 shows the processing scheme for the computation of a 32-bit hash code. In this figure, the following symbols are used:  : Multiplication of 16-bit integers modulo 2 16 + 1 = 65537 + : Addition of 16-bit integers modulo 2 16 = 65536 P(Ω 1 )P(Ω 2 )P(Ω 3 )P(Ω 4 ) 4839 c6cc e99a fd20 h = (H 1 || H 2 ) = 3beca1a3 Y 1 Y 2 Y 3 Y 4 H 1 H 2 X 1 Z 1 Z 2 Z 3 Z 4 X 2 X 3 X 4 Figure 4.2 32-bit hash code computation scheme. HASH FUNCTION, MESSAGE DIGEST AND HMAC 129 ⊕ : Bit-by-bit XORing of 16-bit subblocks : Concatenation Since we have already calculated P(  i ) in Example 4.2, the message digest of 32 bits is ready to be computed from Figure 4.2: Y 1 = c6cc Y 2 = e99a Y 3 = fd20 Y 4 = 4839 H 1 = 3bec H 2 = a1a3 Concatenation of H 1 with H 2 results in the 32-bit hash code h such that h = (H 1 ||H 2 ) = 3beca1a3 64-bit hash code computation: Referring to Figure 4.3, the 64-bit message digest is computed as follows: Y 1 = 97a0e99a Y 2 = 371d4fc8 H 1 = f41d3352 H 2 = 753f20dc The 64-bit hash code is thus computed as: h = (H 1 ||H 2 ) = f41d3352753f20dc Note that:  : Multiplication of 32-bit blocks modulo 2 32 + 1 = 4294967297 + : Addition of 32-bit blocks modulo 2 32 = 4294967296 <<< m : Shifting m bits to the left 18-bit hash code computation: Utilising the 64-bit message digest h obtained above, the 18-bit hash code can be computed from the decimation process as shown in Figure 4.4. h = f41d3352753f20dc (64 bits) 130 INTERNET SECURITY <<< 5 P(Ω 1 ) P(Ω 2 ) P(Ω 3 ) P(Ω 4 ) <<< 10 | | h = (H 1 || H 2 ) = f41d3352753f20dc 97a0e99a 371d4fc8 Y 1 Y 2 H 1 H 2 Figure 4.3 64-bit hash code computation scheme. f41d3352753f20dc Decimation h = 001110011101110001 Figure 4.4 18-bit hash code computation scheme. Discard six bits from both ends of the 64-bit message digest h and then pick one bit every three bits by the rule of decimation such that h = 001110011101110001 (18 bits) 128-bit hash code computation (using left shift): Referring to Figure 4.5, each P(  i )isshiftedm bits to the left. Then concatenating them will produce the 128-bit message digest: H 1 = 7b1b1c00 H 2 = a1d34e7c TEAMFLY Team-Fly ® HASH FUNCTION, MESSAGE DIGEST AND HMAC 131 P(Ω 1 ) <<< 7 | | P(Ω 2 )P(Ω 3 )P(Ω 4 ) <<< 10 <<< 15 <<< 5 h = (H 1 || H 2 || H 3 || H 4 ) = 7b1b1c00 a1d34e7c 59b14b55 bf113dcb 7b1b1c00 a1d34e7c 59b14b55 bf113dcbH 1 H 4 H 2 H 3 Figure 4.5 128-bit hash code computation using a shift left. H 3 = 59b14b55 H 4 = bf113dcb Thus, the 128-bit hash code will be h = (H 1 ||H 2 ||H 3 ||H 4 ) = 7 b1b1c00a1d34e7c59b14b55bf113dcb 128-bit hash code computation (using inverse): Based on Figure 4.6, another 128-bit message digest can be computed as follows: X 1 = 00f6 X 2 = 3638 X 3 = 9f28 X 4 = 74d3 X −1 1 = 9b24 −X 2 = c9c8 −X 3 = 60d8 X −1 4 = 8e12 Z 1 = 96aa Z 2 = b362 Z 3 = 5df8 Z 4 = 89ee Z −1 1 = bf34 −Z 2 = 4c9e −Z 3 = a208 Z −1 4 = b652 Thus, the 128-bit hash code is computed from the concatenation of inverse values: h = (X −1 1 || − X 2 || − X 3 ||X −1 4 ||Z −1 1 || − Z 2 || − Z 3 ||Z −1 4 ) = 9 d24c9c860d88e12bf344c9ea208b652 128-bit hash code computation (using addition and multiplication): Taking a look at Figure 4.7, computation for the 128-bit message digest proceeds as follows: P ( 1 ) + P( 3 ) = 97a0e99a <<< 5 = f41d3352 P( 2 )P( 4 ) = 371d4fc8 <<< 10 = 753f20dc 132 INTERNET SECURITY X 1 X 2 P(Ω 1 ) X 1 −1 −X 2 X 3 X 4 P(Ω 2 ) −X 3 X 4 −1 Z 1 Z 2 P(Ω 3 ) Z 1 −1 −Z 2 Z 3 Z 4 P(Ω 4 ) −Z 3 Z 4 −1 00f6 3638 9f28 74d3 96aa b362 5df8 89ee 9d24 c9c8 60d8 8e12 bf34 4c9e a208 b652 | | 9d24c9c8 60d88e12 bf344c9e a208b652 Figure 4.6 128-bit hash code computation using inverse operation. <<< 5 P(Ω 1 )P(Ω 2 )P(Ω 3 )P(Ω 4 ) <<<10 | | f41d3352 753f20dc a41fd83f 2405fd5b 128-bit hash code 97a0e99a 371d4fc8 <<<10 <<<5 56c9017f fd20fec1 Figure 4.7 128-bit hash code computation using addition and multiplication. P( 1 )P( 3 ) = 56c9017f <<< 10 = 2405fd5b P ( 2 ) + P( 4 ) = fd20fec1 <<< 5 = a41fd83f h = (P( 1 ) + P( 3 )) <<< 5||(P( 2 )P( 4 )) <<< 10|| ( P( 2 ) + P( 4 )) <<< 5||(P( 2 )P( 3 )) <<< 10 = f41d3352 753f20dc a41fd83f 2405fd5b(128bits) [...]... 814dbccf 814dbccf ebc0a7cd ebc0a7cd ebc0a7cd ebc0a7cd 65cbb221 65cbb221 65cbb221 65cbb221 0f04df 84 0f04df 84 0f04df 84 14f356d2 14f356d2 1dcb 542 4 1dcb 542 4 1dcb 542 4 1dcb 542 4 fc5d488d fc5d488d fc5d488d fc5d488d 9da76 743 9da76 743 9da76 743 9da76 743 9fb3bb46 b374ac1a b374ac1a b374ac1a b374ac1a 2307ce67 2307ce67 2307ce67 2307ce67 e801a803 e801a803 e801a803 e801a803 40 0fe907 0111 7 148 INTERNET SECURITY [15] d4921a8b... d62f105d 0 244 145 3 d8a1e681 e7d3fbc8 21e1cde6 c33707d6 f4d50d87 45 5a14ed a9e3e905 fcefa3f8 676f02d9 8d2a4c8a T[33] T[ 34] T[35] T[36] T[37] T[38] T[39] T [40 ] T [41 ] T [42 ] T [43 ] T [44 ] T [45 ] T [46 ] T [47 ] T [48 ] Team-Fly® = = = = = = = = = = = = = = = = fffa3 942 8771f681 69d96122 fde5380c a4beea 44 4bdecfa9 f6bb4b60 bebfbc70 289b7ec6 eaa127fa d4ef3085 048 81d05 d9d4d039 e6db99e5 1fa27cf8 c4ac5665 T [49 ] T[50]... c110d2 24 f0515be5 a9136fa9 7bc 144 b8 fcf1516a 2de32873 e8f5bbf5 30e202bf e897f425 c898fa72 73608 340 26092eb4 567812f3 edd607f4 5fbedb89 46 345 60f d09967dd 1 54 INTERNET SECURITY t A B Register output C D E 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 8fae2fc9 5337d670 7 044 d0fe 78304e61 2c5ca6b0 f304b895 e89d0d8b 79f30210 f37223c6... 9bf173ff bae46f3c e8be 148 1 4a0bb5b8 6d99dcd5 5e0e5623 42 2c7e52 e6ca43ae 835bd439 32a7862d 250ada00 a46d627b 588823a 2d9bba2e 8d8fb303 860d6a4f 14b 347 33 7f486fbe 7d3d3 745 d17b4506 2e4967ee cc1e45de b3f80c20 f1 248 37a 56ed70b1 d8b0d990 1d 849 b17 842 57988 9eec3055 fff4a467 e816170c 63eb8bf2 14cdf59c 9c11 343 f 5e0c1398 b1729ac 7cc12e25 fa2 743 62 1e7cc0 84 bcdc88f1 fd4ef 749 2c73dd4f f 640 c3a6 e6fc5cff 2eb91bcf... bae46f3c e8be 148 1 4a0bb5b8 6d99dcd5 5e0e5623 42 2c7e52 e6ca43ae 835bd439 32a7862d 250ada00 a46d627b 0588823a 2d9bba2e 8d8fb303 860d6a4f 14b 647 33 7f486fbe 7d3d3 745 d17b4506 2e4967ee cc1e45de b3f80c20 f1 248 37a 56ed70b1 d8b0d990 1d 849 b17 842 57988 9eec3055 6 240 e72c a0585c33 8fae2fc9 5337d670 7 044 d0fe 78304e61 2c5ca6b0 f304b895 e89d0d8b 79f30210 f37223c6 f53bdd27 b1cf753c d9030e9b 9bf173ff bae46f3c e8be 148 1... cd820d01 9824bad0 59e04bcd b7581fd3 7efb6e25 18d1583d 42 659f77 22b4bfef a9390191 ffd2919f a0585c33 6 745 2301 ba 346 dee f9be8ae4 84e1fdf6 1b82edab 531f1a75 926052f7 c71cfaac 341 b3a4b 79a59326 d47fe3c4 185db57b 3569d479 6b01c 842 5d3c5387 044 348 93 c 145 6f97 a44dbea6 ef0512e1 f3c 545 ab b78ca1cc a3d6efd7 c3880afc a25fd097 2263e9cb cd820d01 9824bad0 59e04bcd b7581fd3 7efb6e25 18d1583d 42 659f77 22b4bfef a9390191... 7bf36ae2 59d 148 c0 ae8d1b7b 3e6fa2b9 a1387f7d c6e0bb6a 54c7c69d e49814bd 31c73eab cd06ce92 9e6964c9 351ff8f1 c6176d5e 4d5a751e 9ac07210 d74f14e1 c110d2 24 f0515be5 a9136fa9 7bc 144 b8 fcf1516a 2de32873 e8f5bbf5 30e202bf e897f425 c898fa72 73608 340 26092eb4 567812f3 edd607f4 5fbedb89 46 345 60f d09967dd c8ad2ffb 6a4e40 64 98badcfe 7bf36ae2 59d 148 c0 ae8d1b7b 3e6fa2b9 a1387f7d c6e0bb6a 54c7c69d e49814bd 31c73eab... 63f9c8 04 63f9c8 04 63f9c8 04 63f9c8 04 bae75a5e bae75a5e bae75a5e bae75a5e e292ec26 e292ec26 e292ec26 e292ec26 fbc16051 fbc16051 fbc16051 fbc16051 29e295 54 29e295 54 29e295 54 39 049 458 39 049 458 39 049 458 39 049 458 279f19dc 279f19dc 279f19dc 279f19dc 67e9dd0d 67e9dd0d 67e9dd0d 67e9dd0d 814dbccf 2e6d799d 2e6d799d 3 840 8ad2 3 840 8ad2 3 840 8ad2 3 840 8ad2 02788da0 02788da0 02788da0 02788da0 784ef22d 784ef22d 784ef22d 784ef22d... 60d6f50e 4ca9e18b 0 942 b680 e91b589e 8162208e 8b66ee8b e363ecc0 e1835a93 c52cd1cc 9fd21bef 5f4f4dd1 b45ed 141 8b9259fb b3079177 2cfe0308 bc4920de 55bb5c2c 362c36 64 c76126c5 c8ad2ffb 6a4e40 64 fff4a467 e816170c 63eb8bf2 14cdf59c 9c11 343 f 5e0c1398 0b1729ac 7cc12e25 fa2 743 62 1e7cc0 84 bcdc88f1 fd4ef 749 2c73dd4f f 640 c3a6 e6fc5cff 2eb91bcf 7a2f8520 1282ed6e 5b667735 d7839588 908b1f 94 b9b290eb 60d6f50e 4ca9e18b 0 942 b680... 1032 547 6 H4 = c392e1f0 The hex values of A, B, C, D and E after pass t (0 ≤ t ≤ 79) are computed as follows: t A B Register output C D E 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 ba 346 dee f9be8ae4 84e1fdf6 1b82edab 531f1a75 926052f7 c71cfaac 341 b3a4b 79a59326 d47fe3c4 185db57b 3569d479 6b01c 842 5d3c5387 044 348 93 c 145 6f97 a44dbea6 ef0512e1 f3c 545 ab . INTERNET SECURITY Row-wise permutation 5111723293 541 47 1 7 13 19 25 31 37 43 3 9 15 21 27 33 39 45 61218 243 03 642 48 2 8 14 20 26 32 38 44 41 0162228 344 046 Column-wise permutation 1135 547 1 741 2923 731 143 13372519 933 345 16392721 1236 648 1 842 30 24 832 244 143 82620 10 344 461 640 2822 →. permutations 1135 547 17 41 2923 731 143 13372519 9 33 3 45 15 39 27 21 12 36 6 48 18 42 30 24 832 244 14 3/8262010 34 446 1 640 2822 HASH FUNCTION, MESSAGE DIGEST AND HMAC 127 Using Table 3.3 (PC-2), the 48 -bit compressed. b50606d1 3 34 36ae1c4b 03b 945 06 893 044 64 2 845 7cce 335 c530fa5f f48260b2 1f8e5c7f 814a2152 336 48 7df0b3 e 046 c2c9 999e1066 f27ba5d3 337 58804c4c 223ee9ae fd265d3a 7894aa4c 338 ee0fd67d fda0da6a df5c7095 942 87b6c Table