Professional Documents
Culture Documents
Authentication requirement – MAC – Hash function –MD5 - SHA - HMAC – Merkle Hash
Tree - Digital signature and authenticationprotocols – DSS
AUTHENTICATION REQUIREMENT
1. Disclosure: Release of message contents to any person or process not possessing the
appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-
oriented application, the frequency and duration of connections could be determined. In
either a connection- oriented or connectionless environment, the number and length of
messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This
includes the creation of messages by an opponent that are purported to come from an
authorized entity.
4. Content modification: Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties,
including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application,
an entire session or sequence of messages could be a replay of some previous valid
session, or individual messages in the sequence could be delayed or replayed. In a
connectionless application, an individual message (e.g., datagram) could be delayed or
replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.
HASH FUNCTION
Hash function accepts a variable size message M as input and produces a fixed size
output, referred to as hash code H(M). The hash code does not use any key. The hash code is
also referred to as message digest or hash value. The hash code is a function of all the bits of
the message and provides an error detection capability.
Figures below illustrate a variety of ways in which a hash code can be used to provide
message authentication.
5
a) The message plus concatenated hash code is encrypted using symmetric encryption. The
encryption is applied to the entire message plus hash code, confidentiality is also provided.
b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing
burden for those applications that do not require confidentiality.
c) Only the hash code is encrypted, using public-key encryption and using the sender's private
key. This provides authentication.
d) If confidentiality as well as a digital signature is desired, then the message plus the private-
key- encrypted hash code can be encrypted using a symmetric secret key.
e) The technique assumes that the two communicating parties share a common secret value S.
A computes the hash value over the concatenation of M and S and appends the resulting hash
value to M. Because B possesses S, it can recompute the hash value to verify.
f) Confidentiality can be added to the approach of (e) by encrypting the entire message plus
the hash code.
6
MESSAGE ENCRYPTION
Message encryption by itself can provide a measure of authentication. The analysis differs for
symmetric and public-key encryption schemes.
Symmetric Encryption
Conventional encryption provides authentication as well as confidentiality. Message M
transmitted from source A to destination B is encrypted using a secret key K shared by A and B.
If no other party knows the key, then confidentiality is provided: No other party can recover the
plaintext of the message.
Given a decryption function D and a secret key K, the destination will accept any input Y and
produce output X = D(K, Y). If Y is the ciphertext of a legitimate message M produced by the
corresponding encryption function, then X is some plaintext message M. Otherwise, X will
likely be a meaningless sequence of bits.
7
Public-Key Encryption
• The straightforward use of public-key encryption provides confidentiality but not
authentication. The source (A) uses the public key PUb of the destination (B) to
encrypt M. Because only B has the corresponding private key PRb, only B can
decrypt the message.
• To provide authentication, A uses its private key to encrypt the message, and B uses
A's public key to decrypt.
• To provide both confidentiality and authentication, A can encrypt M first using its
private key, which provides the digital signature, and then using B's public key, which
provides confidentiality.
• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic
checksum or MAC) that is appended to the message.
MAC = CK(M)
Where M is a variable-length message, K is a secret key shared only by sender and
receiver, and CK(M) is the fixed-length authenticator.
• The MAC is appended to the message at the source at a time when the message is
assumed or known to be correct.
• The receiver authenticates that message by recomputing the MAC.
• A MAC function is similar to encryption. One difference is that the MAC algorithm need
not be reversible, as it must for decryption.
9
a) In the first case, the MAC is calculated with the message as input and then concatenated to
the message.
b) In the second case, the MAC is calculated with the message as input and is then
concatenated to the message. The entire block is then encrypted.
c) In the third case, the message is encrypted first. Then the MAC is calculated using the
resulting ciphertext and is concatenated to the ciphertext to form the transmitted block.
The MD5 message-digest algorithm was developed by Ron Rivest at MIT. MD5 was the most
widely used secure hash algorithm.
MD5 logic
The algorithm takes as input a message of arbitrary length and produces as output a 128- bit
message digest. The input is processed in 512-bit blocks. The processing consists of the
following steps:
10
Message digest generation using
MD5
The outcome of the first two steps yields a message that is an integer multiple of 512 bits in
length. In figure below, expended message is represented as the sequence of 512-bit blocks Y0
, Y1 ,… , YL−1, so that the total length of the expanded message is L × 512 bits. Equivalently,
the result is a multiple of 16 32-bit words. Let M [0… N − 1] denote the words of the
resulting message, with n integer multiple of
16. Thus, N = L × 16.
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
11
MD5 processing of a single 512-bit block
Step 4: Process message in 512-bit (16-word) blocks
The heart of the algorithm is a compression algorithm that consists of four “rounds” of
processing; this module is labeled HMD5. The four rounds have the similar structure, but
each uses a different primitive logical function, referred to as F, G, H, and I in the
specification.
Each round takes as input the current 512-bit block being processed (Yq) and the 28-bit
buffer value ABCD and updates the contents of the buffer.
Step 5: Output
After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-
bit message digest.
CV0 = IV
CVq +1 = SUM 32 (CVq , RFI [Yq , RFH [Yq , RFG [Yq , RFF [Yq , CVq ]]]])
MD = CVL
IV - initial value of the ABCD buffer, defined in step 3
Yq - the qth 512-bit block of the message
L - the number of blocks in the message (including padding and length fields)
CVq - chaining variable processed with the qth block of the message
RFx - round function using primitive logical function
12
x MD - final message digest value
A=D,
B=B+(A+G(B,C,D)+x[k]+t[i]<<
s), C=B,
D=C
Where A,B,C,D are the four words of buffer g is the primitive logic function
<<<s circular left shift by s bit
The primitive function takes the following
operation 1 F(B, C, D)= (B ^ C) v (B ^ D)
2 G(B, C, D) =(B ^ D) v (C ^ D)
3 H(B, C, D) =B ⊕ C ⊕ D
4 I(B, C, D) =C ⊕ (B v D)
SHA-512 Logic
Message Digest Generation Using SHA-512
The algorithm takes as input a message with a maximum length of less than bits 2128 bits and
produces as output a 512-bit message digest. The input is processed in 1024-bit blocks. The
processing consists of the following steps.
The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. The expanded message is represented as the sequence of 1024-bit blocks M1, M2, … ,
MN , so that the total length of the expanded message is N * 1024 bits.
14
Compression Function
Step 5 Output
After all 1024-bit blocks have been processed, the output from the Nth stage is the 512- bit
message digest. Thus, in the first 16 steps of processing, the value of Wt is equal to the
corresponding word in the message block. For the remaining 64 steps, the value of Wt consists
of the circular left shift by one bit of the XOR of four of the preceding values of Wt , with two of
those values subjected to shift and rotate operations.
HMAC Algorithm
Figure below illustrates the overall operation of HMAC. Define the following terms:
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC(including the padding specified in the embedded hash
function)
Y = ith block of M, 0 ≤i ≤(L - 1)
L = number of blocks in M
b = number of bits in a block
n= length of hash code produced by embedded hash function
K= secret key recommended length is ≥n; if key length is greater than b; the key is input to the
15
hash function to produce an n-bit key
K+= K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times
Security of HMAC
• The security of HMAC is expressed as probability of successful forgery with a given
amount of time spent by the forger and a given number of messages, MAC pairs created
with the same key.
• The probability of successful attack on HMAC is equivalent to the following attack on
embedded hash function.
• The attacker is able to compute an output of compression function even when
initialization vector is random, unknown.
• The attacker finds collision in the hash function even when the Initialization Vector
random and secret.
16
DIGITAL SIGNATURE STANDARD (DSS)
Digital Signature Standard is an US Govt approved signature scheme FIPS 186. It uses the SHA
hash algorithm. It is designed by NIST & NSA in early 90's. It creates a 320 bit signature, but
with 512-1024 bit security.
Two approaches of Digital signature
• RSA approach
• DSS approach
RSA APPROACH
• In the RSA approach, the message to be signed is input to a hash function that produces
a secure hash code of fixed length.
• This hash code is then encrypted using the sender’s private key to form the signature.
Both the message and the signature are then transmitted.
DSS APPROACH
• DSS uses an algorithm that is designed to provide only digital signature function. Unlike
RSA, it cannot be used for encryption or key exchange.
• The DSS approach makes use of a hash function.
• The hash code is provided as input to a signature function along with a random number
k generated for this particular signature.
• The signature function also depends on the sender’s private key (PRa) and the global
public key (PUG).
• The result is a signature consisting of two components, labeled s and r.
17
• At the receiving end, the hash code of the incoming message is generated. This plus the
signature is input to a verification function.
• The verification function also depends on the global public key as well as the sender’s
public key (PUa), which is paired with the sender’s private key.
• The output of the verification function is a value that is equal to the signature
component if the signature is valid.
• The signature function is such that only the sender, with knowledge of the private key,
could have produced the valid signature.
Example:
With p = 11, q = 5, h = 2 and H(M) = 2, calculate and verify the digital signature.
Solution:
19