UNIT 4 Hash and MAC Algorithms

# HASH Algorithm:-
A hash algorithm is a mathematical function that takes an input (or ‘message’) and returns a fixed-
size string of characters, which is typically a sequence of letters and numbers. The output string is
called the hash value or message digest. Hash algorithms are used extensively in cryptography for
encrypting keys or messages.
Hashing algorithms are designed to be one-way functions, meaning that once they’re transformed into
their respective hash values, it’s virtually impossible to transform them back into the original data.
This makes them useful for verifying the integrity of data, as any changes to the original data will
result in a different hash value. Hashing algorithms are also used to encrypt passwords, as the server
side only needs to keep track of a specific user’s hash value, rather than the actual password. This is
helpful in case an attacker hacks the database, as they will only find the hashed values and not the
actual passwords, so if they were to input the hashed value as a password, the hash function will
convert it into another string and subsequently deny access.
Some popular cryptographic hashing algorithms include:
MD2, MD4, MD5, SHA-1, SHA-2, SHA-3
Each of these algorithms was successively designed with increasingly stronger encryption in response
to hacker attacks. SHA-0, for instance, is now obsolete due to the widely exposed vulnerabilities.

# Message Authentication Code (MAC) Defined:-


Message Authentication Code (MAC), also referred to as a tag, is used to authenticate the origin and
nature of a message. MACs use authentication cryptography to verify the legitimacy of data sent
through a network or transferred from one person to another.
In other words, MAC ensures that the message is coming from the correct sender, has not been
changed, and that the data transferred over a network or stored in or outside a system is legitimate and
does not contain harmful code. MACs can be stored on a hardware security module, a device used to
manage sensitive digital keys.
Types of Message Authentication Codes?
Although all MACs accomplish the same end objective, there are a few different types.
1. One-time MAC
A one-time MAC is a lot like one-time encryption in that a MAC algorithm for a single use is defined
to secure the transmission of data. One-time MACs tend to be faster than other authentication
algorithms.
2. Carter-Wegman MAC
A Carter-Wegman MAC is similar to a one-time MAC, except it also incorporates a pseudorandom
function that makes it possible for a single key to be used many times over.
3. HMAC
With a Keyed-Hash Message Authentication Code (HMAC) system, a one-way hash is used to create
a unique MAC value for every message sent. The input parameters can have various values assigned,
and making them very different from each other may produce a higher level of security.
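
The HMAC construction described above, as an added example that is not part of the original notes: it builds the tag from a one-way hash as specified in RFC 2104 and has the receiver recompute and compare it in constant time. SHA-256 as the underlying hash, the key and the messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes its input in 64-byte blocks


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()   # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)      # inner padding constant
    opad = bytes(b ^ 0x5C for b in key)      # outer padding constant
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def demo() -> dict:
    # Constructed sample data, not taken from the notes.
    key = b"shared-secret-key-for-demo-only"
    message = b"transfer 100 to account 42"
    tag = hmac_sha256(key, message)
    return {
        # The hand-built construction agrees with the standard library.
        "matches_stdlib": tag == hmac.new(key, message, hashlib.sha256).digest(),
        # Unchanged message and correct key: accepted.
        "genuine": verify(key, message, tag),
        # Content modification: the old tag no longer verifies.
        "modified_message": verify(key, b"transfer 900 to account 42", tag),
        # A sender without the shared key cannot produce a valid tag.
        "wrong_key": verify(b"some-other-key", message, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```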

# Authentication Requirements:-
In the context of communications across a network, the following attacks can be identified:
1. Disclosure: Release of message contents to any person or process not possessing the appropriate
cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented
application, the frequency and duration of connections could be determined. In either a connection-
oriented or connectionless environment, the number and length of messages between parties could be
determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the
creation of messages by an opponent that are purported to come from an authorized entity. Also
included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the
message recipient.
4. Content Modification: Changes to the contents of a message, including insertion, deletion,
transposition, or modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including
insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-orientated application, an
entire session or sequence of messages could be a replay of some previous valid session, or individual
messages in the sequence could be delayed or replayed.
7. Repudiation: Denial of receipt of message by destination or denial of transmission of message by
source.
Message authentication is a procedure to verify that received messages come from the alleged source
and have not been altered. Message authentication may also verify sequencing and timeliness. A
digital signature is an authentication technique that also includes measures to counter repudiation by
either source or destination.
This section is concerned with the types of functions that may be used to produce an authenticator.
These functions may be grouped into three classes, as follows:
1. Message Encryption: The ciphertext of the entire message serves as its authenticator.
2. Message Authentication Code (MAC): A public function of the message and a secret key that
produces a fixed length value that serves as the authenticator.
3. Hash Functions: A public function that maps a message of any length into a fixed length hash
value, which serves as the authenticator.

# Hash Functions
Hashing is the process of generating a value from a text or a list of numbers using a mathematical
function known as a hash function.
A Hash Function is a function that converts a given numeric or alphanumeric key to a small practical
integer value. The mapped integer value is used as an index in the hash table. In simple terms, a hash
function maps a significant number or string to a small integer that can be used as the index in the
hash table.
The pair is of the form (key, value), where for a given key, one can find a value using some kind of a
“function” that maps keys to values. The key for a given object can be calculated using a function
called a hash function. For example, given an array A, if i is the key, then we can find the value by
simply looking up A[i].
Types of Hash functions


There are many hash functions that use numeric or alphanumeric keys. This article focuses on
discussing different hash functions:
1. Division Method.
2. Mid Square Method.
3. Folding Method.
4. Multiplication Method.
Let’s begin discussing these methods in detail.
1. Division Method: This is the simplest and easiest method to generate a hash value. The hash
function divides the value k by M and then uses the remainder obtained.
Formula: h(K) = k mod M
Here, k is the key value and M is the size of the hash table.
2. Mid Square Method: The mid-square method is a very good hashing method. It involves two steps
to compute the hash value:
1. Square the value of the key k, i.e. k^2.
2. Extract the middle r digits as the hash value.
Formula: h(K) = h(k x k)
Here, k is the key value. The value of r can be decided based on the size of the table.
3. Digit Folding Method: This method involves two steps:
1. Divide the key value k into a number of parts, i.e. k1, k2, k3, ..., kn, where each part has the
same number of digits except for the last part, which can have fewer digits than the other parts.
2. Add the individual parts. The hash value is obtained by ignoring the last carry, if any.
Formula:
k = k1, k2, k3, k4, ..., kn
s = k1 + k2 + k3 + k4 + ... + kn
h(K) = s
Here, s is obtained by adding the parts of the key k.
4. Multiplication Method: This method involves the following steps:
1. Choose a constant value A such that 0 < A < 1.
2. Multiply the key value by A.
3. Extract the fractional part of kA.
4. Multiply the result of the above step by the size of the hash table, i.e. M.
5. The resulting hash value is obtained by taking the floor of the result obtained in step 4.
Formula: h(K) = floor(M (kA mod 1))
Here, M is the size of the hash table, k is the key value, and A is a constant value.
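
The four methods above, as an added example that is not part of the original notes. The rule for choosing the middle digits when they cannot be centred exactly, the `part_len` parameter, the sample constant A = 0.357840 and the sample keys are assumptions made for illustration. The last function shows why these table-index functions do not meet the collision-resistance properties listed later in this unit: a second key with the same hash is found by simple arithmetic.

```python
import math


def division_hash(k: int, M: int) -> int:
    """Division method: h(K) = k mod M."""
    return k % M


def mid_square_hash(k: int, r: int) -> int:
    """Mid-square method: square k and keep the middle r decimal digits."""
    squared = str(k * k)
    if r >= len(squared):
        return int(squared)
    start = (len(squared) - r) // 2   # assumption: lean left when not centred
    return int(squared[start:start + r])


def folding_hash(k: int, part_len: int) -> int:
    """Digit folding: split k's digits into parts, add them, drop the last carry."""
    digits = str(k)                   # keys are assumed to be non-negative
    parts = [int(digits[i:i + part_len]) for i in range(0, len(digits), part_len)]
    return sum(parts) % (10 ** part_len)   # the modulo discards the carry digit


def multiplication_hash(k: int, M: int, A: float = 0.357840) -> int:
    """Multiplication method: h(K) = floor(M * (k*A mod 1)), with 0 < A < 1."""
    if not 0 < A < 1:
        raise ValueError("A must satisfy 0 < A < 1")
    return math.floor(M * ((k * A) % 1))


def colliding_key(k: int, M: int) -> int:
    """A different key with the same division-method hash as k: k + M."""
    return k + M


def demo() -> dict:
    k = 12345                         # constructed sample key
    return {
        "division": division_hash(k, 95),
        "mid_square": mid_square_hash(60, 2),          # 60*60 = 3600 -> "60"
        "folding": folding_hash(k, 2),                 # 12 + 34 + 5
        "folding_with_carry": folding_hash(987654, 2), # 98 + 76 + 54 = 228 -> 28
        "multiplication": multiplication_hash(k, 100),
        "collision": division_hash(colliding_key(k, 95), 95) == division_hash(k, 95),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```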
# Security of Hash Functions and Macs


Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs
into two categories: brute-force attacks and cryptanalysis.
Brute-Force Attacks
The nature of brute-force attacks differs somewhat for hash functions and MACs.
Hash Functions The strength of a hash function against brute-force attacks depends solely on the
length of the hash code produced by the algorithm. Recall from our discussion of hash functions that
there are three desirable properties:
· One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.
· Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with
H(y) = H(x).
· Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) =
H(y).
· For a hash code of length n, the level of effort required, as we have seen is proportional to the
following:
Message Authentication Codes(MAC)
A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC
pairs. To attack a hash code, we can proceed in the following way. Given a fixed message x
with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit
string y and check if H(y) = H(x). The attacker can do this repeatedly off line. To proceed, we need to
state the desired security property of a MAC algorithm, which can be expressed as follows:
Computation resistance: Given one or more text-MAC pairs (x_i, C_K(x_i)), it is computationally
infeasible to compute any text-MAC pair (x, C_K(x)) for any new input x ≠ x_i.
In other words, the attacker would like to come up with the valid MAC code for a given
message x. There are two lines of attack possible: Attack the key space and attack the MAC
value. We examine each of these in turn.
To summarize, the level of effort for brute-force attack on a MAC algorithm can be expressed
as min(2^k, 2^n). The assessment of strength is similar to that for symmetric encryption
algorithms. It would appear reasonable to require that the key length and MAC length satisfy
a relationship such as min(k, n) ≥ N, where N is perhaps in the range of 128 bits.
Cryptanalysis
As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to
exploit some property of the algorithm to perform some attack other than an exhaustive search.
# MD5 (Message Digest Algorithm)
MD5 is a cryptographic hash function algorithm that takes the message as input of any length and
changes it into a fixed-length message of 16 bytes. MD5 algorithm stands for the message-digest
algorithm. MD5 was developed as an improvement of MD4, with advanced security purposes. The
output of MD5 (Digest size) is always 128 bits. MD5 was developed in 1991 by Ronald Rivest.
Use Of MD5 Algorithm:

1. It is used for file authentication.
2. In a web application, it is used for security purposes, e.g. securing users’ passwords.
3. Using this algorithm, we can store our password in 128-bit format.

Application Of MD5 Algorithm:

· We use the message digest to verify the integrity of files and to authenticate files.
· MD5 was used for data security and encryption.
· It is used to digest a message of any size and is also used for password verification.
· For game boards and graphics.

Advantages of MD5 Algorithm:

· MD5 is fast and simple to understand.
· The MD5 algorithm generates a strong password in 16-byte format. Developers, such as web
developers, use the MD5 algorithm to secure users’ passwords.
· Integrating the MD5 algorithm requires relatively little memory.
· It is very easy and fast to generate a message digest of the original message.

Disadvantages of MD5 Algorithm:

· MD5 can generate the same hash value for different inputs.
· MD5 provides poorer security than SHA1.
· MD5 is considered an insecure algorithm, so SHA256 is now used instead of MD5.
· MD5 is neither a symmetric nor an asymmetric algorithm.

# Secure Hash Algorithm


HASH FUNCTIONS
The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each. If
necessary, the final block is padded to b bits. The final block also includes the value of the total length
of the input to the hash function. The inclusion of the length makes the job of the opponent more
difficult. Either the opponent must find two messages of equal length that hash to the same value or
two messages of differing lengths that, together with their length values, hash to the same value.
The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit
input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit
output. At the start of hashing, the chaining variable has an initial value that is specified as part of the
algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term
compression. The hash function can be summarized as follows:
where the input to the hash function is a message M consisting of the blocks Y0, Y1, ..., YL-1. The
structure can be used to produce a secure hash function to operate on a message of any length.
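
The iterated structure described above, as an added example that is not part of the original notes. The compression function `f` here is a stand-in built from truncated SHA-256, and the all-zero initial value and the padding layout (a 0x80 byte, zeros, then a 64-bit length) are assumptions. The zero-fill variant is included only to show what the length field prevents: two messages of differing lengths that pad to the same blocks.

```python
import hashlib
import struct

B = 64          # block size b, in bytes (512 bits)
N = 16          # chaining-variable size n, in bytes (128 bits), so b > n
IV = bytes(N)   # initial chaining value (assumption: all zeros)


def f(chaining_variable: bytes, block: bytes) -> bytes:
    """Stand-in compression function: n-bit input + b-bit block -> n-bit output."""
    assert len(chaining_variable) == N and len(block) == B
    return hashlib.sha256(chaining_variable + block).digest()[:N]


def pad_with_length(message: bytes) -> bytes:
    """Pad to a multiple of b and store the total bit length in the final block."""
    padded = message + b"\x80"
    padded += bytes((-len(padded) - 8) % B)      # zeros up to the length field
    return padded + struct.pack(">Q", len(message) * 8)


def pad_zeros_only(message: bytes) -> bytes:
    """Weak variant for comparison: zero-fill the final block, no length field."""
    blocks_needed = max(1, -(-len(message) // B))
    return message.ljust(blocks_needed * B, b"\x00")


def iterate(padded: bytes) -> bytes:
    """Feed blocks Y0..YL-1 through f; the final chaining variable is the hash."""
    cv = IV
    for offset in range(0, len(padded), B):
        cv = f(cv, padded[offset:offset + B])
    return cv


def hash_with_length(message: bytes) -> bytes:
    return iterate(pad_with_length(message))


def hash_zeros_only(message: bytes) -> bytes:
    return iterate(pad_zeros_only(message))


def demo() -> dict:
    m1, m2 = b"abc", b"abc\x00"   # constructed inputs of differing lengths
    return {
        "blocks_for_200_bytes": len(pad_with_length(bytes(200))) // B,
        # Without the length, both inputs pad to the identical block.
        "zeros_only_collides": hash_zeros_only(m1) == hash_zeros_only(m2),
        # With the length in the final block, the padded inputs differ.
        "with_length_collides": hash_with_length(m1) == hash_with_length(m2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```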
Message Authentication Codes
There is much more variety in the structure of MACs than in hash functions, so it is difficult to
generalize about the cryptanalysis of MACs. Further, far less work has been done on developing such
attacks.
SECURE HASH ALGORITHM
1. SHA was originally designed by NIST & NSA in 1993 and was revised in 1995 as SHA-1.
2. US standard for use with the DSA signature scheme.
   · The standard is FIPS 180-1 1995, also Internet RFC 3174.
   · N.B. the algorithm is SHA, the standard is SHS.
3. Based on the design of MD4, with key differences.
4. Produces 160-bit hash values.
5. Recent 2005 results on the security of SHA-1 have raised concerns about its use in future applications.

# Digital Signature
Message and Message Digest

· The document is called a message.
· Fingerprints are called a message digest.
· To preserve integrity, a hash function is applied to the message to create a message digest or
fingerprint.

Message Authentication Code (MAC)

· A digest created using a hash function is also called a modification detection code (MDC).
· MDC uses a keyless hash function.
· To provide authentication, use a message authentication code (MAC).
· MAC uses a keyed hash function, i.e. it uses a symmetric key between the sender and receiver sites.

DIGITAL SIGNATURE
MAC (Message Authentication Code) was used to provide Message Integrity and Message
Authentication, but it needs a symmetric key established between sender and receiver. A digital
signature, on the other hand, uses a pair of asymmetric keys.
A valid digital signature helps the receiver to know the message comes from the authentic sender and
is not altered in between.
What is a Signature?
We sign a document to show that it is approved by us or created by us. The signature is proof to the
recipient that this document is coming from the correct source. The signature on the document simply
means the document is authentic.
When A sends a message to B, B needs to check the authenticity of the message and confirm it comes
from A and not C. So B can ask A to sign the message electronically. The electronic signature that
proves the identity of A is also called a digital signature.

# Key Management in Cryptography


In cryptography, it is a very tedious task to distribute the public and private keys between sender and
receiver. If the key is known to the third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. So, there comes the need to secure the exchange of keys.
There are two aspects for Key Management:
1. Distribution of public keys.


2. Use of public-key encryption to distribute secrets.

Distribution of Public Key:

The public key can be distributed in four ways:

· Public announcement
· Publicly available directory
· Public-key authority
· Public-key certificates.

These are explained below:
1. Public Announcement: Here the public key is broadcast to everyone. The major weakness of this
method is forgery. Anyone can create a key claiming to be someone else and broadcast it. Until the
forgery is discovered, the forger can masquerade as the claimed user.
2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories
are trusted here, with properties like participant registration and access that allows values to be
modified at any time, and they contain entries like {name, public-key}. Directories can be accessed
electronically but are still vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but improves security by tightening control over
the distribution of keys from the directory. It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is made by the user to obtain any
desired public key securely.
4. Public Certification: This time, the authority provides a certificate (which binds an identity to the
public key) to allow key exchange without real-time access to the public authority each time. The
certificate is accompanied by some other info such as period of validity, rights of use, etc. All of this
content is signed by the private key of the certificate authority, and it can be verified by anyone
possessing the authority’s public key.

# Public Key Encryption
Asymmetric is a form of cryptosystem in which encryption and decryption are performed using
different keys: a Public key (known to everyone) and a Private key (Secret key). This is known as
Public Key Encryption.

# Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users to
servers and servers to users. In Kerberos, an Authentication Server and a database are used for client
authentication. Kerberos runs as a third-party trusted server known as the Key Distribution Center
(KDC). Each user and service on the network is a principal.
The main components of Kerberos are:

· Authentication Server (AS): The Authentication Server performs the initial authentication
and issues the ticket for the Ticket Granting Service.
· Database: The Authentication Server verifies the access rights of users in the database.
· Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server.

Applications:
· User Authentication: User Authentication is one of the main applications of Kerberos. Users
only have to input their username and password once with Kerberos to gain access to the
network. The Kerberos server subsequently receives the encrypted authentication data and
issues a ticket granting ticket (TGT).
· Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users to
log in once to access a variety of network resources. A user can access any network resource
they have been authorized to use after being authenticated by the Kerberos server without
having to provide their credentials again.
· Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication
technique to make sure that both the client and server are authenticated. This is accomplished
using a shared secret key that is securely kept on both the client and server. A client asks the
Kerberos server for a service ticket whenever it tries to access a network resource. The client
must use its shared secret key to decrypt the challenge that the Kerberos server sends via
encryption. If the decryption is successful, the client responds to the server with evidence of
its identity.
· Authorization: Kerberos also offers a system for authorization in addition to authentication.
After being authenticated, a user can submit service tickets for certain network resources.
Users can access just the resources they have been given permission to use thanks to
information about their privileges and permissions contained in the service tickets.
· Network Security: Kerberos offers a central authentication server that can regulate user
credentials and access restrictions, which helps to ensure network security. In order to prevent
unwanted access to sensitive data and resources, this server may authenticate users before
granting them access to network resources.
Kerberos Overview:
Step-1:
The user logs in and requests services on the host. Thus the user requests the ticket-granting service.
Step-2:
The Authentication Server verifies the user’s access rights using the database and then gives a
ticket-granting ticket and a session key. The results are encrypted using the password of the user.
Step-3:
The message is decrypted using the password, and the ticket is then sent to the Ticket Granting
Server. The ticket contains authenticators like user names and network addresses.
Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, and the authenticator verifies the
request; it then creates the ticket for requesting services from the Server.
Step-5:
The user sends the Ticket and Authenticator to the Server.
Step-6:
The server verifies the Ticket and authenticators and then grants access to the service. After this, the
user can access the services.
