
Information Security Technologies

Providing Integrity and Authentication

Dr Bobby Mee Loong Yang

Dr Bobby Yang 1/25


Data Integrity protection
• Alice sends a message M to Bob over an insecure channel.
• The integrity of the message M may be compromised:
  • corrupted due to noise or errors,
  • tampered with (content modified) by an attacker.
• Bob receives the message as M′. How can Bob be sure of the integrity of M′, i.e. that it is the same as the original M?
• Methods:
  • Checksums, Cyclic Redundancy Codes (CRC)
  • Message digest – output of cryptographic hash functions


Cryptographic hash functions
• A cryptographic hash function h(·) can be used to protect data integrity
• Properties of a cryptographic hash function h(·):
  - Given any x, it is easy to compute y = h(x)
  - Fixed length output y from arbitrary length input x
  - Avalanche effect – a small change in x causes a large change in y
• Security requirements
  - Preimage resistance (one-way, irreversible) – cannot find x given y
  - Collision resistance – 2 kinds: weak, strong


Security requirements of hash functions
• Preimage resistance (one-way):
  Given hash function h(·) and z = h(x), cannot obtain x = h⁻¹(z)
• Second preimage (weak collision) resistance:
  Given x1, it is infeasible to find x2, where x2 ≠ x1, such that h(x1) = h(x2)
• Collision resistance (or strong collision resistance):
  Infeasible to find any pair x1 and x2, with x1 ≠ x2, such that h(x1) = h(x2)
• Commonly used hash functions: MD5, SHA-1, SHA-256, RIPEMD


Quiz
1. If a message M is hashed, the hash output h(M) cannot reveal the content of the message.
   ○ True ○ False
2. The hash function can also be used to protect the confidentiality of messages.
   ○ True ○ False
3. The hash function can also be used for encrypting messages between Alice and Bob.
4. Alice computes y = h(x). Oscar obtains y and manages to find another x′ such that h(x′) = y. This is an example of ______.
5. Collisions ______ happen with cryptographic hash functions.
   ○ cannot ○ always ○ rarely


Birthday attack
• In a population which can take N possible values, it is always possible to find, in a sample of t members, at least one pair which have the same value.
• Example. Consider the birthday of a person consisting of only the day and month, excluding the year. There are only N = 365 possible values. It can be shown that in a sample of t = 23 persons, the probability of finding 2 persons with the same birthday is ≈ 50%.
• For an n-bit hash, for any input x, the number of possible outputs is 2^n. It is always possible to find t samples of x such that a pair of them have the same hash output. This is called the birthday attack.


Probability of collisions
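• Probability of finding no collision $P_{\text{noCollision}}$ among t samples chosen from N:

$$P_{\text{noCollision}} = (1)\left(1 - \frac{1}{N}\right)\left(1 - \frac{2}{N}\right)\cdots\left(1 - \frac{t-1}{N}\right) = \prod_{i=1}^{t-1}\left(1 - \frac{i}{N}\right)$$

Since $\frac{i}{N} \ll 1$, from calculus, $e^{-x} \approx 1 - x$.

Hence
$$P_{\text{noCollision}} \approx \prod_{i=1}^{t-1}\left(1 - \frac{i}{N}\right) \approx \prod_{i=1}^{t-1} e^{-\frac{i}{N}} = e^{-\frac{1}{N}} \cdot e^{-\frac{2}{N}} \cdots e^{-\frac{t-1}{N}}$$

i.e.
$$P_{\text{noCollision}} \approx e^{-\frac{1+2+\cdots+(t-1)}{N}} = e^{-\frac{t(t-1)}{2N}}$$

• Hence probability of finding collision/s in t samples is

$$\lambda = 1 - P_{\text{noCollision}} \approx 1 - e^{-\frac{t(t-1)}{2N}}$$

$$e^{-\frac{t(t-1)}{2N}} \approx 1 - \lambda$$

$$e^{\frac{t(t-1)}{2N}} \approx \frac{1}{1-\lambda}$$

$$\frac{t(t-1)}{2N} \approx \ln\left(\frac{1}{1-\lambda}\right)$$

if $t \gg 1$, $t^2 \approx 2N \ln\left(\frac{1}{1-\lambda}\right)$

i.e. $t \approx \sqrt{2N \ln\left(\frac{1}{1-\lambda}\right)}$
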
Birthday attack
• The number of samples t, taken from N possible values, that has a probability λ of collision is given by:

$$t \approx \sqrt{2N \ln\left(\frac{1}{1-\lambda}\right)}$$

• If N = 365, λ = 0.5, then $t \approx \sqrt{2 \times 365 \ln(2)} = 22.5 \approx 23$
• Birthday attack (also called birthday paradox): In a group of 23 people, there is a 50% chance of finding 2 persons born on the same day and month (same birthday).
• For n-bit hashes, if n is large, the number of hashes needed to find a collision with 50% probability is

$$t \approx 1.177 \times 2^{n/2} \approx 2^{n/2}$$
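The following is an added example, not part of the original slides: it evaluates the exact product and the exponential approximation from the derivation, then measures how many inputs are hashed before a 24-bit truncation of SHA-256 collides. The truncation width, the `msg-<n>` inputs and all function names are assumptions chosen for the illustration.

```python
import hashlib
import math

def p_no_collision_exact(t: int, n: int) -> float:
    """Exact product (1 - 1/N)(1 - 2/N)...(1 - (t-1)/N)."""
    p = 1.0
    for i in range(1, t):
        p *= 1 - i / n
    return p

def p_collision_approx(t: int, n: int) -> float:
    """lambda ~ 1 - exp(-t(t-1)/2N)."""
    return 1 - math.exp(-t * (t - 1) / (2 * n))

def samples_for_collision(n: float, lam: float) -> float:
    """t ~ sqrt(2N ln(1/(1-lambda)))."""
    return math.sqrt(2 * n * math.log(1 / (1 - lam)))

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Hash constructed inputs msg-0, msg-1, ... until two share a digest."""
    seen = {}
    count = 0
    while True:
        msg = b"msg-%d" % count
        count += 1
        tag = truncated_hash(msg, bits)
        if tag in seen:
            return seen[tag], msg, count
        seen[tag] = msg

if __name__ == "__main__":
    print("t for N=365, lambda=0.5:", round(samples_for_collision(365, 0.5), 2))
    print("exact P(collision), t=23:", round(1 - p_no_collision_exact(23, 365), 4))
    a, b, used = find_collision(24)
    bound = round(samples_for_collision(2 ** 24, 0.5))
    print("24-bit collision after", used, "hashes; 50% bound is", bound)
```

The measured count for 24 bits is in the thousands, close to 1.177 × 2^12, rather than anywhere near 2^24, which is why an n-bit digest offers only about n/2 bits of collision resistance.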



Hash from block ciphers

• Several methods, e.g. the Davies-Meyer method
• AES used to build hash functions:
  H_i = H_{i−1} ⊕ e_{x_i}(H_{i−1})


MD5 hash
• Input is any text or binary file of arbitrary length
• Output is 128 bits in length
• Operates as a complex sequence of simple binary operations such as XORs, rotations, etc.
• Example:
  x="hello", h(x)= b1946ac92492d2347c6235b4d2611184
  x="hello.", h(x)= 8563c2a9b1b1593b4b576bf7e1e32366
• Widely used in Internet security protocols, checksums, storing passwords.
• Security: Now considered weak. Only 128 bits and has been broken. Collision resistance is 2^64.
• Rainbow table attack.


Example: building a simple rainbow table
• Consider passwords made up of 4 lower case characters, hashed using MD5
1. Choose password: “abcd”, hash = f5ac8127b3b6b85cdc13f237c6005d80
2. Define our “reduction function”: choose the next password from the first 4 letters in the hash, i.e. facb
3. Hash “facb”, choose the next password as in [2.]
• Do [3.] nine times, store the first password and the last hash. This is one chain (row) in the table
4. Repeat from [1.] for each possible password of 4 letters to get another chain in the table.
• Each chain stores 1 password and 1 hash, but hidden in it are actually 9 more hashes


Attack
• Given the hash h′ of a password: choose a 4-letter password, hash it and compare h′ with the hashes in the table. If not found, hash and check again, repeatedly. After 10 hashes try another password.
• If h′ is found in the table, the correct password is somewhere in the chain. Now, hash from the password at the front of the chain until the hash matches h′. The password is found.
Find the password whose hash is:
671e218796d4122296c7be57a4663cbc
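The chain construction and lookup from the last two slides, as an added example that is not part of the original slides. It shows why short, unsalted MD5 password hashes can be recovered from a small precomputed table, the precomputation a per-user salt defeats. Assumptions: the function names are hypothetical, the starting passwords are constructed, the lookup walks forward from h′ with the slide's reduction function, and a newline is appended before hashing because the slide's "hello" digest is the MD5 of `hello` plus a newline (what `echo hello | md5sum` prints).

```python
import hashlib

CHAIN_LEN = 10  # the first hash plus nine repeats of step 3

def md5_hex(password: str) -> str:
    # Trailing newline is an assumption made to follow the slide's digests.
    return hashlib.md5((password + "\n").encode()).hexdigest()

def reduce_hash(digest: str) -> str:
    """Slide's reduction function: the first 4 letters (a-f) in the hex digest."""
    return "".join(c for c in digest if c.isalpha())[:4]

def build_chain(start: str):
    """Return (first password, last hash) for one chain of CHAIN_LEN hashes."""
    digest = md5_hex(start)
    for _ in range(CHAIN_LEN - 1):
        digest = md5_hex(reduce_hash(digest))
    return start, digest

def build_table(starts):
    """Map each chain's last hash to its first password."""
    return {end: start for start, end in map(build_chain, starts)}

def lookup(table, target: str):
    """Return a password hashing to `target`, or None if no chain covers it."""
    cur = target
    for _ in range(CHAIN_LEN):
        if cur in table:
            # Candidate chain: replay it from the stored first password.
            pw = table[cur]
            for _ in range(CHAIN_LEN):
                if md5_hex(pw) == target:
                    return pw
                pw = reduce_hash(md5_hex(pw))
            # False alarm (chains can merge); keep walking forward.
        cur = md5_hex(reduce_hash(cur))
    return None

if __name__ == "__main__":
    table = build_table(["abcd", "wxyz", "test"])  # constructed starting points
    hidden = reduce_hash(md5_hex("abcd"))          # "facb", never stored in the table
    print(len(table), "rows stored;", hidden, "recovered as", lookup(table, md5_hex(hidden)))
```

Because the reduction function only ever emits the letters a to f, every chain collapses into a 6^4-password subspace after its first step, so most 4-letter passwords are never covered by this table.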



SHA

• Hash computation
• 4 stages, each 20 rounds of compression


SHA-1

• Based on the Merkle-Damgård construction
• Padding – message padded to multiples of 512 bits
• Divided into 512-bit blocks and compressed
• Compression function consists of 80 rounds
• The 80 rounds are organised as 4 stages of 20 rounds each.


SHA-1 hash function family
• SHA-1, output is 160 bits in length. Collision resistance is 2^80
• SHA-256, SHA-384, SHA-512 with outputs of 256, 384, and 512 bits in length resp.
• Comparison (source: Christopher Paar, pg 305)

• Security considered very strong, recommended for current use.


Storing passwords
• Access by users to servers, etc. is controlled by passwords which are stored in the server
• How to prevent an intruder (even administrators) from viewing the stored passwords?
• Solution: During registration, user provides plaintext password P.
  • Server generates a salt s, computes Pe = h(s ‖ P)
  • stores username, salt s, "encrypted" password Pe and discards P
• salt s, a random string:
  • prevents 2 users with the same plaintext password from having the same encrypted password
  • makes it harder to crack if the password file is stolen
• Key stretching: In practice, the hashing is done many times to make login slower, to discourage brute force attacks


Hash functions for storing passwords

• Example: stored passwords in Apache web server using MD5:
  akbar:$apr1$FNuDwy1Q$EINqkasXFg00vPdzAG5aA.
  Format of each line:
  userID:method:Salt:Hashed password
  Method apr1 is an Apache-specific algorithm using 1000 iterations of MD5 digest of salt and password.
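An added example, not part of the original slides and not Apache's apr1 algorithm: it splits the entry above into its fields, then implements the register/verify flow from the "Storing passwords" slide with a per-user salt and key stretching. PBKDF2-HMAC-SHA256 from Python's standard library is swapped in as the salted, iterated hash; the iteration count and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example; tune per deployment

def parse_htpasswd_line(line: str):
    """Split 'user:$method$salt$hash' into (user, method, salt, hash)."""
    user, _, rest = line.strip().partition(":")
    parts = rest.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $method$salt$hash entry")
    _, method, salt, digest = parts
    return user, method, salt, digest

def stretch(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash standing in for Pe = h(s || P) with key stretching."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(password: str):
    """Return (salt, Pe) for storage; the plaintext P is discarded."""
    salt = secrets.token_bytes(16)
    return salt, stretch(password, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute Pe from the login attempt and compare in constant time."""
    return hmac.compare_digest(stretch(password, salt), stored)

def unsalted(password: str) -> str:
    """Plain hash with no salt, shown only for comparison."""
    return hashlib.sha256(password.encode()).hexdigest()

if __name__ == "__main__":
    print(parse_htpasswd_line("akbar:$apr1$FNuDwy1Q$EINqkasXFg00vPdzAG5aA."))
    # Two constructed users who picked the same password.
    alice, bob = register("correct horse"), register("correct horse")
    print("unsalted hashes equal:", unsalted("correct horse") == unsalted("correct horse"))
    print("salted records equal: ", alice[1] == bob[1])
    print("alice logs in:", verify("correct horse", *alice))
```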

Protecting Message Integrity
• Alice sends message x and h(x) to Bob.
• Bob receives message as x′. He checks: if h(x′) = h(x), then x′ = x, i.e. message is intact.
This is used for checking downloaded files:


Protecting Message Integrity and Authenticity
Problem: Even if Bob can verify that the received message claiming to be from Alice is intact, how can Bob be sure that it is really from Alice and not from some impostor?
Need to incorporate an authentication mechanism.
• Authentication mechanisms:
  • what you know – shared key, password, etc.
  • what you have – token, certificate, public key, etc.
  • what you are – appearance, voice, fingerprint, etc.
• Message authentication using shared password or key


Message Authentication Code – MAC

• Bob has a plaintext message x for Alice
• Message is encrypted using AES or DES using CBC or CFB mode
• MAC = m, the last output block
• Bob sends ⟨x, m⟩ to Alice
• Alice computes m′ from x. Checks, if x = x′ then the message is intact and authentic.


MACs from Block Ciphers: CBC-MAC

• The MAC is the output of the last block. Its value depends on all other previous blocks and the shared secret key.


MAC properties
1. Cryptographic checksum is the authentication tag
2. Symmetric key crypto algorithm using shared secret key
3. Arbitrary message size
4. Fixed length authentication tag
5. Provides for message Integrity
6. Provides for message Authenticity
7. Cannot provide for non-repudiation since secret key is shared
8. The message itself is not encrypted.


Hashed Message Authentication Code (HMAC)

• Uses a hash function on the message appended (or prepended) with the shared key, Ks
Basic idea:
• HMAC = h(x ‖ Ks) or
• HMAC = h(Ks ‖ x)
In practice, both have weaknesses, not used directly.


HMAC Implementation
More secure implementation by Bellare, Canetti and Krawczyk:
HMAC = h[(Ks+ ⊕ opad) ‖ h[(Ks+ ⊕ ipad) ‖ x]]
where,
• ipad = 00110110, · · · , 00110110
• opad = 01011100, · · · , 01011100
• Ks+ is the expanded symmetric key Ks padded with zeros on the left to b bits in length.
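An added example, not part of the original slides: the formula above written out with h = SHA-256 and checked against Python's standard `hmac` module. It then contrasts a bare digest with an HMAC tag when the message is replaced in transit. The example follows the byte layout of RFC 2104, which appends the zero bytes after the key and first hashes keys longer than one block; the key, messages and function names are constructed for the illustration.

```python
import hashlib
import hmac

BLOCK_BYTES = 64  # b = 512 bits, the SHA-256 block size

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC = h[(Ks+ xor opad) || h[(Ks+ xor ipad) || x]] with h = SHA-256."""
    if len(key) > BLOCK_BYTES:                   # RFC 2104: long keys are hashed first
        key = hashlib.sha256(key).digest()
    k_plus = key.ljust(BLOCK_BYTES, b"\x00")     # Ks+ : key expanded to b bits
    inner_key = bytes(b ^ 0x36 for b in k_plus)  # ipad = 00110110 repeated
    outer_key = bytes(b ^ 0x5C for b in k_plus)  # opad = 01011100 repeated
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()

def verify_digest(message: bytes, digest: bytes) -> bool:
    """Integrity only: anyone can recompute h(x) for a replaced message."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Integrity and authenticity: a valid tag needs the shared key."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)

def demo() -> dict:
    key = b"constructed shared key Ks"
    original = b"pay Bob 10"
    forged = b"pay Oscar 9999"
    tag = hmac_sha256(key, original)
    # Oscar swaps the message. Without Ks he can attach a fresh h(x),
    # but the only tag he has is the one computed over the original.
    forged_digest = hashlib.sha256(forged).digest()
    return {
        "matches_stdlib": tag == hmac.new(key, original, hashlib.sha256).digest(),
        "plain_hash_accepts_forgery": verify_digest(forged, forged_digest),
        "hmac_accepts_original": verify_tag(key, original, tag),
        "hmac_accepts_forgery": verify_tag(key, forged, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```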



Conclusion
• Integrity of messages protected using message digest generated from hash functions
• Hash functions – any length input, fixed length output, irreversible, collision resistant, avalanche effect.
• Hash used for storing passwords, usually with salt.
• Authenticity protection of messages requires shared key: using MAC, HMAC
• MAC uses symmetric block cipher and shared key.
• HMAC uses hash function and shared key.
• MAC, HMAC do not provide non-repudiation as both parties know the shared key
