and transmitted to the recipient along with the full message for two reasons. First, the recipient can use the same hash function to recompute the message digest from the full message. They can then compare the computed message digest to the transmitted one to ensure that the message sent by the originator is the same one received by the recipient. If the message digests do not match, it indicates that the message was somehow modified while in transit. Second, the mes- sage digest can be used to implement a digital signature algorithm. This concept is covered in “Digital Signatures” later in this chapter. The term message digest can be used interchangeably with a wide variety of other synonyms, including hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID. In most cases, a message digest is 128 bits or larger. However, a single-digit value can be used to perform the function of parity, a low-level or single-digit checksum value used to provide a single individual point of verification. In most cases, the longer the message digest, the more reli- able its verification of integrity. According to RSA Security, there are five basic requirements for a cryptographic hash function: The input can be of any length. The output has a fixed length. The hash function is relatively easy to compute for any input. The hash function is one-way meaning that it is extremely hard to determine the input when provided with the output. One-way functions and their usefulness in cryptography are described in Chapter 9. The hash function is collision free meaning that it is extremely hard to find two messages that produce the same hash value. In the following sections, we’ll look at four common hashing algorithms: SHA, MD2, MD4, and MD5. HMAC is also discussed later in this chapter. There are numerous hashing algorithms not addressed in this exam. In addi- tion to SHA, MDx, and HMAC, you should also recognize HAVAL. HAVAL HAsh of VAriable Length is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. SHA The Secure Hash Algorithm SHA and its successor, SHA-1, are government standard hash functions developed by the National Institute of Standards and Technology NIST and are specified in an official government publication—the Secure Hash Standard SHS, also known as Federal Information Processing Standard FIPS 180. SHA-1 takes an input of virtually any length in reality, there is an upper bound of approx- imately 2,097,152 terabytes on the algorithm and produces a 160-bit message digest. Due to the mathematical structure of the hashing algorithm, this provides 80 bits of protection against collision attacks. The SHA-1 algorithm processes a message in 512-bit blocks. Therefore, if the message length is not a multiple of 512, the SHA algorithm pads the message with additional data until the length reaches the next highest multiple of 512. Although SHA-1 is the current official standard for federal government applications, it is not quite strong enough. It was designed to work with the old Data Encryption Standard DES and its follow-on, Triple DES 3DES. The new Advanced Encryption Standard described in the preceding chapter supports key lengths of up to 256 bits. Therefore, the government is cur- rently evaluating three new hash functions to replace SHA-1 in the near future: SHA-256 produces a 256-bit message digest and provides 128 bits of protection against collision attacks. SHA-512 produces a 512-bit message digest and provides 256 bits of protection against collision attacks. SHA-384 uses a truncated version of the SHA-512 hash to produce a 384-bit digest that supports 192 bits of protection against collision attacks. Although it might seem trivial, take the time to memorize the size of the message digests produced by each one of the hash algorithms described in this chapter. MD2 The MD2 Message Digest 2 hash algorithm was developed by Ronald Rivest the same Rivest of Rivest, Shamir, and Adleman fame in 1989 to provide a secure hash function for 8-bit pro- cessors. MD2 pads the message so that its length is a multiple of 16 bytes. It then computes a 16-byte checksum and appends it to the end of the message. A 128-bit message digest is then generated by using the entire original message along with the appended checksum. Cryptanalytic attacks exist against improper implementations of the MD2 algorithm. Spe- cifically, Nathalie Rogier and Pascal Chauvaud discovered that if the checksum is not appended to the message before digest computation, collisions may occur. MD4 The next year, in 1990, Rivest enhanced his message digest algorithm to support 32-bit proces- sors and increase the level of security. This enhanced algorithm is known as MD4. It first pads the message to ensure that the message length is 64 bits smaller than a multiple of 512 bits. For example, a 16-bit message would be padded with 432 additional bits of data to make it 448 bits, which is 64 bits smaller than a 512-bit message. The MD4 algorithm then processes 512-bit blocks of the message in three rounds of com- putation. The final output is a 128-bit message digest.