Professional Documents
Culture Documents
# HASH Algorithm:-
A hash algorithm is a mathematical function that takes an input (or ‘message’) and returns a fixed-
size string of characters, which is typically a sequence of letters and numbers. The output string is
called the hash value or message digest. Hash algorithms are used extensively in cryptography for
encrypting keys or messages.
Hashing algorithms are designed to be one-way functions, meaning that once they’re transformed into
their respective hash values, it’s virtually impossible to transform them back into the original data 2.
This makes them useful for verifying the integrity of data, as any changes to the original data will
result in a different hash value. Hashing algorithms are also used to encrypt passwords, as the server
side only needs to keep track of a specific user’s hash value, rather than the actual password. This is
helpful in case an attacker hacks the database, as they will only find the hashed functions and not the
actual passwords, so if they were to input the hashed value as a password, the hash function will
convert it into another string and subsequently deny access .
Some popular cryptographic hashing algorithms include:
MD2 , MD4 , MD5 , SHA-1 , SHA-2 , SHA-3
Each of these algorithms was successively designed with increasingly stronger encryption in response
to hacker attacks . SHA-0, for instance, is now obsolete due to the widely exposed vulnerabilities.
# Authentication Requirements:-
In the context of communications across a network, the following attacks can be iden tified:
UNIT 4 Hash and MAC Algorithms
1. Disclosure: Release of message contents to any person or process not possessing the appropriate
cryptographic key.
2. Trafficanalysis: Discoveryofthepattern of traffic between parties. In a connection oriented
application, the frequency and duration of connections could be deter mined. In either a connection-
oriented or connectionless environment, the num ber and length of messages between parties could be
determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the
creation of messages by an opponent that are purported to come from an authorized entity. Also
included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the
message recipient.
4. Content Modification: Changes to the contents of a message, including insertion, deletion,
transposition, or modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including
insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-orientated application, an
entire session or sequence of messages could be a replay of some previous valid session, or individual
messages in the sequence could be delayed or replayed.
7. Repudiation: Denial of receipt of message by destination or denial of transmis sion of message by
source.
Message authentication is a procedure to verify that received messages come from the alleged source
and have not been altered. Message authentication may also verify sequencing and timeliness. A
digital signature is an authentication technique that also includes measures to counter repudiation by
either source or destination.
This section is concerned with the types of functions that may be used to produce an authenticator.
These functions may be grouped into three classes, as follows:
1. Message Encryption: The ciphertext of the entire message serves as its authenticator.
2. Message Authentication Code1 (MAC): A public function of the message and a secret key that
produces a fixed length value that serves as the authenticator.
3. Hash Functions: A public function that maps a message of any length into a f ixed length hash
value, which serves as the authenticator
# Hash Functions
Hashing is the process of generating a value from a text or a list of numbers using a mathematical
function known as a hash function.
A Hash Function is a function that converts a given numeric or alphanumeric key to a small practical
integer value. The mapped integer value is used as an index in the hash table. In simple terms, a hash
function maps a significant number or string to a small integer that can be used as the index in the
hash table.
The pair is of the form (key, value), where for a given key, one can find a value using some kind of a
“function” that maps keys to values. The key for a given object can be calculated using a function
called a hash function. For example, given an array A, if i is the key, then we can find the value by
simply looking up A.
UNIT 4 Hash and MAC Algorithms
There is much more variety in the structure of MACs than in hash functions, so it is difficult to
generalize about the cryptanalysis of MACs. Further, far less work has been done on developing such
attacks.
SECURE HASH ALGORITHM
1. SHA originally designed by NIST & NSA in 1993 was revised in 1995 as SHA-1
2. US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
3. based on design of MD4 with key differences
4. produces 160-bit hash values
5. recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
# Digital Signature
Message and Message Digest
Digest created using a hash function is also called modification detection code (MDC).
MDC uses a keyless hash function.
To provide authentication use message authentication code (MAC).
MAC uses keyed hash function i.e uses a symmetric key between sender and receiver site.
DIGITAL SIGNATURE
MAC(Message Authentication Code) was used to provide Message Integrity and Message
Authentication but it needs symmetric key established between sender and receiver. A digital
signature on other hand uses pair of asymmetric keys.
A valid digital signature helps the receiver to know the message comes from the authentic sender and
is not altered in between.
What is a Signature?
We sign a document to show that is approved by us or created by us. The signature is proof to the
recipient that this document is coming from the correct source. The signature on the document simply
means the document is authentic.
When A sends a message to B, B needs to check the authenticity of the message and confirm it comes
from A and not C. So B can ask A to sign the message electronically. The electronic signature proves
the identity of A is also called a digital signature.
Public announcement
Publicly available directory
Public-key authority
Public-key certificates.
These are explained as following below:
1. Public Announcement: Here the public key is broadcasted to everyone. The major weakness of this
method is a forgery. Anyone can create a key claiming to be someone else and broadcast it. Until
forgery is discovered can masquerade as claimed user.
2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories
are trusted here, with properties like Participant Registration, access and allow to modify values at any
time, contains entries like {name, public-key}. Directories can be accessed electronically still
vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but, improves security by tightening control over
the distribution of keys from the directory. It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is made by the user to obtain any
desired public key securely.
4. Public Certification: This time authority provides a certificate (which binds an identity to the public
key) to allow key exchange without real-time access to the public authority each time. The certificate
is accompanied by some other info such as period of validity, rights of use, etc. All of this content is
signed by the private key of the certificate authority and it can be verified by anyone possessing the
authority’s public key.
# Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users to
servers and servers to users. In Kerberos Authentication server and database is used for client
authentication. Kerberos runs as a third-party trusted server known as the Key Distribution Center
(KDC). Each user and service on the network is a principal.
The main components of Kerberos are:
Authentication Server (AS): The Authentication Server performs the initial authentication
and ticket for Ticket Granting Service.
Database: The Authentication Server verifies the access rights of users in the database.
Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server
Applications
UNIT 4 Hash and MAC Algorithms
User Authentication: User Authentication is one of the main applications of Kerberos. Users
only have to input their username and password once with Kerberos to gain access to the
network. The Kerberos server subsequently receives the encrypted authentication data and
issues a ticket granting ticket (TGT).
Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users to
log in once to access a variety of network resources. A user can access any network resource
they have been authorized to use after being authenticated by the Kerberos server without
having to provide their credentials again.
Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication
technique to make sure that both the client and server are authenticated. Using a shared secret
key that is securely kept on both the client and server, this is accomplished. A client asks the
Kerberos server for a service ticket whenever it tries to access a network resource. The client
must use its shared secret key to decrypt the challenge that the Kerberos server sends via
encryption. If the decryption is successful, the client responds to the server with evidence of
its identity.
Authorization: Kerberos also offers a system for authorization in addition to authentication.
After being authenticated, a user can submit service tickets for certain network resources.
Users can access just the resources they have been given permission to use thanks to
information about their privileges and permissions contained in the service tickets.
Network Security: Kerberos offers a central authentication server that can regulate user
credentials and access restrictions, which helps to ensure network security. In order to prevent
unwanted access to sensitive data and resources, this server may authenticate users before
granting them access to network resources.
Kerberos Overview:
Step-1:
User login and request services on the host. Thus user requests for ticket-granting service.
Step-2:
Authentication Server verifies user’s access right using database and then gives ticket-granting-ticket
and session key. Results are encrypted using the Password of the user.
Step-3:
The decryption of the message is done using the password then send the ticket to Ticket Granting
Server. The Ticket contains authenticators like user names and network addresses.
Step-4:
Ticket Granting Server decrypts the ticket sent by User and authenticator verifies the request then
creates the ticket for requesting services from the Server.
Step-5:
The user sends the Ticket and Authenticator to the Server.
Step-6:
The server verifies the Ticket and authenticators then generate access to the service. After this User
can access the services.