-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
Md2Digest.cs
224 lines (195 loc) · 9.14 KB
/
Md2Digest.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
using System;
namespace Algorithms.Crypto.Digests;
/// <summary>
/// MD2 is a cryptographic hash function that takes an input message and produces a 128-bit output, also called a message
/// digest or a hash.
/// <para>
/// A hash function has two main properties: it is easy to compute the hash from the input, but it is hard to find the
/// input from the hash or to find two different inputs that produce the same hash.
/// </para>
/// <para>
/// MD2 works by first padding the input message to a multiple of 16 bytes and adding a 16-byte checksum to it. Then, it
/// uses a 48-byte auxiliary block and a 256-byte S-table (a fixed permutation of the numbers 0 to 255) to process the
/// message in 16-byte blocks.
/// </para>
/// <para>
/// For each block, it updates the auxiliary block by XORing it with the message block and then applying the S-table 18
/// times. After all blocks are processed, the first 16 bytes of the auxiliary block become the hash value.
/// </para>
/// </summary>
public class Md2Digest
{
// The S-table is a set of constants generated by shuffling the integers 0 through 255 using a variant of
// Durstenfeld's algorithm with a pseudorandom number generator based on decimal digits of pi.
private static readonly byte[] STable =
{
41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19,
98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202,
30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18,
190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122,
169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33,
128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3,
255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198,
79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241,
69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2,
27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15,
85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38,
44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82,
106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74,
120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57,
242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10,
49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20,
};
// The X buffer is a 48-byte auxiliary block used to compute the message digest.
private readonly byte[] xBuffer = new byte[48];
// The M buffer is a 16-byte auxiliary block that keeps 16 byte blocks from the input data.
private readonly byte[] mBuffer = new byte[16];
// The checksum buffer
private readonly byte[] checkSum = new byte[16];
private int xBufferOffset;
private int mBufferOffset;
/// <summary>
/// Computes the MD2 hash of the input byte array.
/// </summary>
/// <param name="input">The input byte array to be hashed.</param>
/// <returns>The MD2 hash as a byte array.</returns>
public byte[] Digest(byte[] input)
{
Update(input, 0, input.Length);
// Pad the input to a multiple of 16 bytes.
var paddingByte = (byte)(mBuffer.Length - mBufferOffset);
for (var i = mBufferOffset; i < mBuffer.Length; i++)
{
mBuffer[i] = paddingByte;
}
// Process the checksum of the padded input.
ProcessCheckSum(mBuffer);
// Process the first block of the padded input.
ProcessBlock(mBuffer);
// Process the second block of the padded input, which is the checksum.
ProcessBlock(checkSum);
// Copy the first 16 bytes of the auxiliary block to the output.
var digest = new byte[16];
xBuffer.AsSpan(xBufferOffset, 16).CopyTo(digest);
// Reset the internal state for reuse.
Reset();
return digest;
}
/// <summary>
/// Resets the engine to its initial state.
/// </summary>
private void Reset()
{
xBufferOffset = 0;
for (var i = 0; i != xBuffer.Length; i++)
{
xBuffer[i] = 0;
}
mBufferOffset = 0;
for (var i = 0; i != mBuffer.Length; i++)
{
mBuffer[i] = 0;
}
for (var i = 0; i != checkSum.Length; i++)
{
checkSum[i] = 0;
}
}
/// <summary>
/// Performs the compression step of MD2 hash algorithm.
/// </summary>
/// <param name="block">The 16 bytes block to be compressed.</param>
/// <remarks>
/// the compression step is designed to achieve diffusion and confusion, two properties that make it hard to reverse
/// or analyze the hash function. Diffusion means that changing one bit of the input affects many bits of the output,
/// and confusion means that there is no apparent relation between the input and the output.
/// </remarks>
private void ProcessBlock(byte[] block)
{
// Copying and XORing: The input block is copied to the second and third parts of the internal state, while XORing
// the input block with the first part of the internal state.
// By copying the input block to the second and third parts of the internal state, the compression step ensures
// that each input block contributes to the final output digest.
// By XORing the input block with the first part of the internal state, the compression step introduces a non-linear
// transformation that depends on both the input and the previous state. This makes it difficult to deduce the input
// or the state from the output, or vice versa.
for (var i = 0; i < 16; i++)
{
xBuffer[i + 16] = block[i];
xBuffer[i + 32] = (byte)(block[i] ^ xBuffer[i]);
}
var tmp = 0;
// Mixing: The internal state is mixed using the substitution table for 18 rounds. Each round consists of looping
// over the 48 bytes of the internal state and updating each byte by XORing it with a value from the substitution table.
// The mixing process ensures that each byte of the internal state is affected by every byte of the input block and
// every byte of the substitution table. This creates a high degree of diffusion and confusion, which makes it hard
// to find collisions or preimages for the hash function.
for (var j = 0; j < 18; j++)
{
for (var k = 0; k < 48; k++)
{
tmp = xBuffer[k] ^= STable[tmp];
tmp &= 0xff;
}
tmp = (tmp + j) % 256;
}
}
/// <summary>
/// Performs the checksum step of MD2 hash algorithm.
/// </summary>
/// <param name="block">The 16 bytes block to calculate the checksum.</param>
/// <remarks>
/// The checksum step ensures that changing any bit of the input message will change about half of the bits of the
/// checksum, making it harder to find collisions or preimages.
/// </remarks>
private void ProcessCheckSum(byte[] block)
{
// Assign the last element of checksum to the variable last. This is the initial value of the checksum.
var last = checkSum[15];
for (var i = 0; i < 16; i++)
{
// Compute the XOR of the current element of the mBuffer array and the last value, and uses it as an index
// to access an element of STable. This is a substitution operation that maps each byte to another byte using
// the STable.
var map = STable[(mBuffer[i] ^ last) & 0xff];
// Compute the XOR of the current element of checkSum and the substituted byte, and stores it back to the
// checksum. This is a mixing operation that updates the checksum value with the input data.
checkSum[i] ^= map;
// Assign the updated element of checksum to last. This is to keep track of the last checksum value for the
// next iteration.
last = checkSum[i];
}
}
/// <summary>
/// Update the message digest with a single byte.
/// </summary>
/// <param name="input">The input byte to digest.</param>
private void Update(byte input)
{
mBuffer[mBufferOffset++] = input;
}
/// <summary>
/// Update the message digest with a block of bytes.
/// </summary>
/// <param name="input">The byte array containing the data.</param>
/// <param name="inputOffset">The offset into the byte array where the data starts.</param>
/// <param name="length">The length of the data.</param>
private void Update(byte[] input, int inputOffset, int length)
{
// process whole words
while (length >= 16)
{
Array.Copy(input, inputOffset, mBuffer, 0, 16);
ProcessCheckSum(mBuffer);
ProcessBlock(mBuffer);
length -= 16;
inputOffset += 16;
}
while (length > 0)
{
Update(input[inputOffset]);
inputOffset++;
length--;
}
}
}