UNIT III - HASH FUNCTIONS AND DIGITAL SIGNATURES

Authentication requirement – MAC – Hash function –MD5 - SHA - HMAC – Merkle Hash
Tree - Digital signature and authenticationprotocols – DSS

AUTHENTICATION REQUIREMENT
1. Disclosure: Release of message contents to any person or process not possessing the
appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-
oriented application, the frequency and duration of connections could be determined. In
either a connection- oriented or connectionless environment, the number and length of
messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This
includes the creation of messages by an opponent that are purported to come from an
authorized entity.
4. Content modification: Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties,
including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application,
an entire session or sequence of messages could be a replay of some previous valid
session, or individual messages in the sequence could be delayed or replayed. In a
connectionless application, an individual message (e.g., datagram) could be delayed or
replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

MESSAGE AUTHENTICATION FUNCTION

Message Authentication Function can be grouped into three classes.

• Hash function: A function that maps a message of any length into a fixed length hash
value, which serves as the authenticator
• Message encryption: The cipher text of the entire message serves as its authenticator
• Message authentication code (MAC): A function of the message and a secret key that
produces a fixed-length value that serves as the authenticator

HASH FUNCTION
Hash function accepts a variable size message M as input and produces a fixed size
output, referred to as hash code H(M). The hash code does not use any key. The hash code is
also referred to as message digest or hash value. The hash code is a function of all the bits of
the message and provides an error detection capability.
Figures below illustrate a variety of ways in which a hash code can be used to provide
message authentication.

5
a) The message plus concatenated hash code is encrypted using symmetric encryption. The
encryption is applied to the entire message plus hash code, confidentiality is also provided.
b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing
burden for those applications that do not require confidentiality.
c) Only the hash code is encrypted, using public-key encryption and using the sender's private
key. This provides authentication.
d) If confidentiality as well as a digital signature is desired, then the message plus the private-
key- encrypted hash code can be encrypted using a symmetric secret key.
e) The technique assumes that the two communicating parties share a common secret value S.
A computes the hash value over the concatenation of M and S and appends the resulting hash
value to M. Because B possesses S, it can recompute the hash value to verify.
f) Confidentiality can be added to the approach of (e) by encrypting the entire message plus
the hash code.

6
MESSAGE ENCRYPTION

Message encryption by itself can provide a measure of authentication. The analysis differs for
symmetric and public-key encryption schemes.

Symmetric Encryption
Conventional encryption provides authentication as well as confidentiality. Message M
transmitted from source A to destination B is encrypted using a secret key K shared by A and B.
If no other party knows the key, then confidentiality is provided: No other party can recover the
plaintext of the message.
Given a decryption function D and a secret key K, the destination will accept any input Y and
produce output X = D(K, Y). If Y is the ciphertext of a legitimate message M produced by the
corresponding encryption function, then X is some plaintext message M. Otherwise, X will
likely be a meaningless sequence of bits.

7
Public-Key Encryption
• The straightforward use of public-key encryption provides confidentiality but not
authentication. The source (A) uses the public key PUb of the destination (B) to
encrypt M. Because only B has the corresponding private key PRb, only B can
decrypt the message.
• To provide authentication, A uses its private key to encrypt the message, and B uses
A's public key to decrypt.
• To provide both confidentiality and authentication, A can encrypt M first using its
private key, which provides the digital signature, and then using B's public key, which
provides confidentiality.

Ways of Providing Structure

• Append an error-detecting code (frame check sequence (FCS)) to each message.
• User A prepares a plaintext message M and provides this as input to a function F that
produces an FCS.
• The FCS is appended to M and the entire block is then encrypted.
• At the destination, User B decrypts the incoming block and treats the results as a
84
 message with an appended FCS. B applies the same function F to attempt to reproduce
the FCS.
• If the calculated FCS is equal to the incoming FCS, then the message is considered
authentic.

MESSAGE AUTHENTICATION CODE

• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic
checksum or MAC) that is appended to the message.
MAC = CK(M)
Where M is a variable-length message, K is a secret key shared only by sender and
receiver, and CK(M) is the fixed-length authenticator.
• The MAC is appended to the message at the source at a time when the message is
assumed or known to be correct.
• The receiver authenticates that message by recomputing the MAC.
• A MAC function is similar to encryption. One difference is that the MAC algorithm need
not be reversible, as it must for decryption.

9
 a) In the first case, the MAC is calculated with the message as input and then concatenated to
the message.
b) In the second case, the MAC is calculated with the message as input and is then
concatenated to the message. The entire block is then encrypted.
c) In the third case, the message is encrypted first. Then the MAC is calculated using the
resulting ciphertext and is concatenated to the ciphertext to form the transmitted block.

MD5 - MESSAGE DIGEST ALGORITHM

The MD5 message-digest algorithm was developed by Ron Rivest at MIT. MD5 was the most
widely used secure hash algorithm.

MD5 logic
The algorithm takes as input a message of arbitrary length and produces as output a 128- bit
message digest. The input is processed in 512-bit blocks. The processing consists of the
following steps:

Step 1: Appending padding bits.

The message is padded so that its length in bits is congruent to 448 modulo 512 (length ≡ 448
mod 512). That is, the length of the padded message is 64 bits less than an integer multiple of
512 bits. Padding is always is added, even if the message is already of the desired length. For
example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits. Thus,
the number of padding bits is in the range of 1 to 512. The padding consists of a single 1-bit
followed by the necessary number of 0-bits.

10
 Message digest generation using
MD5

Step 2: Append length

A 64-bit representation of the length in bits of the original message (before the padding) is
appended to the result of step 1 (least significant byte first). If the original length is greater
than 264, then only the low-order 64 bits of the length are used. Thus, field contains the
length of the original message, modulo 264.

The outcome of the first two steps yields a message that is an integer multiple of 512 bits in
length. In figure below, expended message is represented as the sequence of 512-bit blocks Y0
, Y1 ,… , YL−1, so that the total length of the expanded message is L × 512 bits. Equivalently,
the result is a multiple of 16 32-bit words. Let M [0… N − 1] denote the words of the
resulting message, with n integer multiple of
16. Thus, N = L × 16.

Step 3: Initialize MD buffer.

A 128-bit buffer is used to hold intermediate and final results of the hash function. The
buffer can be represented as four 32-bit registers (A, B, C, D). These registers are
initialized to the following 32-bit integers (hexadecimal values):

A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476

11
 MD5 processing of a single 512-bit block
Step 4: Process message in 512-bit (16-word) blocks
The heart of the algorithm is a compression algorithm that consists of four “rounds” of
processing; this module is labeled HMD5. The four rounds have the similar structure, but
each uses a different primitive logical function, referred to as F, G, H, and I in the
specification.
Each round takes as input the current 512-bit block being processed (Yq) and the 28-bit
buffer value ABCD and updates the contents of the buffer.

Step 5: Output
After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-
bit message digest.
CV0 = IV
CVq +1 = SUM 32 (CVq , RFI [Yq , RFH [Yq , RFG [Yq , RFF [Yq , CVq ]]]])
MD = CVL
IV - initial value of the ABCD buffer, defined in step 3
Yq - the qth 512-bit block of the message
L - the number of blocks in the message (including padding and length fields)
CVq - chaining variable processed with the qth block of the message
RFx - round function using primitive logical function
12
 x MD - final message digest value

MD5 Compression function

A=D,
B=B+(A+G(B,C,D)+x[k]+t[i]<<
s), C=B,
D=C
Where A,B,C,D are the four words of buffer g is the primitive logic function
<<<s circular left shift by s bit
The primitive function takes the following
operation 1 F(B, C, D)= (B ^ C) v (B ^ D)
2 G(B, C, D) =(B ^ D) v (C ^ D)
3 H(B, C, D) =B ⊕ C ⊕ D
4 I(B, C, D) =C ⊕ (B v D)

SECURE HASH ALGORITHM (SHA)

The most widely used hash function has been the Secure Hash Algorithm (SHA). SHA was
developed by the National Institute of Standards and Technology (NIST) and published as a
federal information processing standard (FIPS 180) in 1993. SHA is based on the hash function
MD4, and its design closely models MD4. Three new versions of SHA, with hash value lengths
of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512, respectively.
Collectively, these hash algorithms are known as SHA-2.

SHA-512 Logic
Message Digest Generation Using SHA-512
The algorithm takes as input a message with a maximum length of less than bits 2128 bits and
produces as output a 512-bit message digest. The input is processed in 1024-bit blocks. The
processing consists of the following steps.

Step 1 Append padding bits

The message is padded so that its length is congruent to 896 modulo 1024. The number of bits
used for padding is in the range 1 to 1024. The padding consists of a single 1 bit followed by the
necessary number of 0 bits.
13
Step 2 Append length
A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit
integer (most significant byte first) and contains the length of the original message (before the
padding).

The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. The expanded message is represented as the sequence of 1024-bit blocks M1, M2, … ,
MN , so that the total length of the expanded message is N * 1024 bits.

Step 3 Initialize hash buffer

A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer
can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are initialized to
the following 64-bit integers (hexadecimal values). These values are stored in big-endian
format, which is the most significant byte of a word in the low-address (leftmost) byte position.

Step 4 Process message in 1024-bit (128-word) blocks

The heart of the algorithm is a module that consists of 80 rounds. Each round takes as input the
512-bit buffer value, ABCDEFGH, and updates the contents of the buffer. At input to the first
round, the buffer has the value of the intermediate hash value, Hi-1.
SHA-512 Processing of a Single 1024-Bit Block

14
 Compression Function
Step 5 Output
After all 1024-bit blocks have been processed, the output from the Nth stage is the 512- bit
message digest. Thus, in the first 16 steps of processing, the value of Wt is equal to the
corresponding word in the message block. For the remaining 64 steps, the value of Wt consists
of the circular left shift by one bit of the XOR of four of the preceding values of Wt , with two of
those values subjected to shift and rotate operations.

HMAC- MAC based Hash Function

HMAC has been issued as RFC 2104, has been chosen as the mandatory-to-implement MAC
for IP security, and is used in other Internet protocols, such as SSL. HMAC has also been issued
as a NIST standard
HMAC Design Objectives
• To use, without modifications, available hash functions. In particular, hash functions
that perform well in software, and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more
secure hash functions are found or required.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication
mechanism based on reasonable assumptions about the embedded hash function.

HMAC Algorithm
Figure below illustrates the overall operation of HMAC. Define the following terms:
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC(including the padding specified in the embedded hash
function)
Y = ith block of M, 0 ≤i ≤(L - 1)
L = number of blocks in M
b = number of bits in a block
n= length of hash code produced by embedded hash function
K= secret key recommended length is ≥n; if key length is greater than b; the key is input to the
15
 hash function to produce an n-bit key
K+= K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times

HMAC can be expressed as follows

HMAC(K,M) = H[(K+ ⊕opad)||H[(K+ ⊕ipad)||M]]
Working of HMAC
1. Append zeros to the left end of K to create a b-bit string K+(e.g., if K is of length 160
bits and b = 512 then K will be appended with 44 zero bytes 0 x 00).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So
7. Apply H to the stream generated in step 6 and output the result.

Security of HMAC
• The security of HMAC is expressed as probability of successful forgery with a given
amount of time spent by the forger and a given number of messages, MAC pairs created
with the same key.
• The probability of successful attack on HMAC is equivalent to the following attack on
embedded hash function.
• The attacker is able to compute an output of compression function even when
initialization vector is random, unknown.
• The attacker finds collision in the hash function even when the Initialization Vector
random and secret.

16
DIGITAL SIGNATURE STANDARD (DSS)

Digital Signature Standard is an US Govt approved signature scheme FIPS 186. It uses the SHA
hash algorithm. It is designed by NIST & NSA in early 90's. It creates a 320 bit signature, but
with 512-1024 bit security.
Two approaches of Digital signature
• RSA approach
• DSS approach

RSA APPROACH
• In the RSA approach, the message to be signed is input to a hash function that produces
a secure hash code of fixed length.
• This hash code is then encrypted using the sender’s private key to form the signature.
Both the message and the signature are then transmitted.

• The recipient takes the message and produces a hash code.

• The recipient also decrypts the signature using the sender’s public key.
• If the calculated hash code matches the decrypted signature, the signature is accepted as
valid. Because only the sender knows the private key, only the sender could have
produced a valid signature.
M – Message
H(M) – Hash function of
M C – Cipher text
C = M ||
EPRa[H(M)]
V1=DPUa[H(M)]
V2= H(M)
If V1= V2 Then signature is verified

DSS APPROACH
• DSS uses an algorithm that is designed to provide only digital signature function. Unlike
RSA, it cannot be used for encryption or key exchange.
• The DSS approach makes use of a hash function.
• The hash code is provided as input to a signature function along with a random number
k generated for this particular signature.
• The signature function also depends on the sender’s private key (PRa) and the global
public key (PUG).
• The result is a signature consisting of two components, labeled s and r.

17
 • At the receiving end, the hash code of the incoming message is generated. This plus the
signature is input to a verification function.

• The verification function also depends on the global public key as well as the sender’s
public key (PUa), which is paired with the sender’s private key.
• The output of the verification function is a value that is equal to the signature
component if the signature is valid.
• The signature function is such that only the sender, with knowledge of the private key,
could have produced the valid signature.

Digital Signature Algorithm

1. Global Public key Components
p- prime number where 2L-1 < p < 2 L for 512 ≤L ≤1024
q – prime divisor of ( p-1 )
g = h (p-1)/q mod p
where h is any integer with 1 < h < (p-1) such that h (p-1)/q mod p

2. User’s Private key

18
 x - random or pseudo random integer with 0 < x < q
3. User’s Public key
y = g x mod p
4. User’s Per Message Secret Number
k = random or pseudo random integer with 0 < k < q
5. DSA Signature Creation
To sign a message M the sender: the sender generates a random signature key k, k<q
Computes signature pair (r,s):
r = (gk mod p)mod q
s = [k-1(H(M)+ xr)] mod q
6. DSA Signature Verification
After receiving M & signature (r,s), to verify the signature, recipient computes:
w = (s)-1 mod q
u1= [H(M)w ]mod q
u2= (rw)mod q
v = [(gu1 yu2)mod p]mod q
If v = r then signature is verified.

Example:

With p = 11, q = 5, h = 2 and H(M) = 2, calculate and verify the digital signature.
Solution:

Global public key components:

p = 11, q = 5, h = 2
g = h (p-1)/q mod p = 4
User’s Private key: x = 1
x
User’s Public key: y = g mod p = 4
Per message secret key k: k =1
Signature Creation (r,s):
r = (gk mod p)mod q = 4
s = [k-1(H(M)+ xr)] mod q = 1
Signature Verification v= r:
w = (s)-1 mod q = 6
u1 = [H(M)w ]mod q = 2
u2 = (rw)mod q = 4
v = [(gu1 yu2)mod p]mod q = 4
v = r => 4 = 4 Thus signature is verified.

19