UNIT III
Authentication requirement – Authentication function – MAC –
Hash function – Security of hash function and MAC – MD5 –
SHA – HMAC – CMAC – Digital signature and authentication
protocols – DSS – ElGamal – Schnorr.
Authentication requirement
• In communication across a network, the following attacks can be identified.
Disclosure: release of message contents to a party not possessing the cryptographic key.
Traffic analysis: discovery of the pattern of traffic between parties.
Masquerade: one entity pretends to be a different entity.
Content modification: changes to the contents of a message.
Sequence modification: any modification to a sequence of messages between parties.
Timing modification: delay or replay of messages.
Source repudiation: denial of transmission of a message by the source.
Destination repudiation: denial of receipt of a message by the destination.
Authentication Functions
• An authentication mechanism has two levels of functionality.
Lower level
A function that produces an authenticator: a value to be used to authenticate a message.
Higher level
A protocol that enables a receiver to verify the authenticity of a message.
Types of functions
1) Message encryption
2) Hash function
3) Message authentication code (MAC)
Message encryption
Message encryption by itself can provide a measure of authentication.
The analysis differs for symmetric and public-key encryption schemes.
Symmetric encryption
Symmetric encryption provides confidentiality and authentication.
But this alone does not establish that the received message is exactly what the sender sent.
It is difficult to determine whether the decrypted message is what the sender sent.
One solution is to append an error-detecting code, or frame check sequence (FCS), to the message.
The FCS and encryption functions can be performed in two ways:
Internal error control
External error control
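Public-key encryption
(a) Public-key encryption: confidentiality. The sender computes E(PUb, M); the receiver decrypts with PRb.
(b) Public-key encryption: authentication and signature. The sender computes E(PRa, M); the receiver decrypts with PUa.
(c) Public-key encryption: confidentiality, authentication, and signature. The sender computes E(PUb, E(PRa, M)); the receiver decrypts with PRb to recover E(PRa, M), then decrypts that with PUa.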
Message Authentication Code
A MAC uses a secret key to generate a small fixed-size block of data, known as a
cryptographic checksum or MAC, that is appended to the message.
When A has a message to send to B, it calculates the MAC as a function of the
message and the key:
MAC = C(K, M)
where
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
(a) Message authentication
(b) Message authentication and confidentiality; authentication tied to plaintext
(c) Message authentication and confidentiality; authentication tied to ciphertext
Hash Function
A hash function H accepts a variable-length block of data M as input and produces
a fixed-size hash value h = H(M).
When a hash function is used to provide message authentication, the hash function
value is often referred to as a message digest.
The sender computes a hash value as a function of the bits in the message and
transmits both the hash value and the message.
The receiver performs the same hash calculation on the message bits and compares
this value with the incoming hash value.
If there is a mismatch, the receiver knows that the message has been altered.
SHA
SHA stands for Secure Hash Algorithm.
The first version of SHA is SHA-0. The revised version, SHA-1, was issued in 1995.
The actual standards are (all sizes in bits):

                      SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Message digest size   160      224      256      384      512
Message size          < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
Block size            512      512      512      1024     1024
Word size             32       32       32       64       64
Number of steps       80       64       64       80       80
SHA 512
Input message: maximum length < 2^128 bits
Output: 512-bit message digest
Input is processed as 512 bit message digest.
This algorithm has 5 steps
Append padding bits.
Append length.
Initialize hash buffer.
Process message in 1024-bit (128-word) blocks.
Output.
Step 1 Append padding bits.
The message is padded so that its length is congruent to 896 modulo 1024
[length ≡ 896 (mod 1024)].
Thus, the number of padding bits is in the range of 1 to 1024.
The padding consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2 Append length.
A block of 128 bits is appended to the message.
It contains the length of the original message.
The outcome of the first two steps yields a message that is an integer
multiple of 1024 bits in length.
Step 3 Initialize hash buffer.
A 512-bit buffer is used to hold intermediate and final results of the hash
function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to the following 64-bit integers (hexadecimal
values):
a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179
Step 4 Process message in 1024-bit (128-word) blocks.
The heart of the algorithm is a module that consists of 80 rounds.
Each round takes as input:
the 512-bit buffer value, abcdefgh
the 1024-bit block being processed (M_i)
a constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 rounds
The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i.
Step 5 Output
The output from the Nth stage is the 512-bit message digest.
We can summarize the behavior of SHA-512 as follows:
H_0 = IV
H_i = SUM_64(H_{i-1}, abcdefgh_i)
MD = H_N
where
IV = initial value of the abcdefgh buffer, defined in step 3
abcdefgh_i = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM_64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value
[Figures: SHA-512 round function; word generation]
MD5
MD5 stands for Message Digest version 5.
Designed by Ronald Rivest (the “R” in RSA).
Latest in a series of MD2, MD5.
Produces a 128-bit hash value.
Until recently it was the most widely used hash algorithm.
In recent times it has raised both brute-force and cryptanalytic concerns.
MD5 LOGIC
Input: 512-bit block size
Output: 128-bit MD value
Step 1 Append padding bits
The message is padded so that its length is congruent to 448 mod 512.
The padding consists of a single 1 bit followed by 0 bits.
Step 2 Append length
A 64-bit representation of the length of the original message is appended to the padded message.
Step 3 Initialize MD buffer
The buffer has four 32-bit registers (A, B, C, D), initialized to:
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
Step 4 Process message in 512-bit blocks
Uses 4 rounds of 16 bit operations on the message block and buffer.
The output is added to the buffer input to form the new buffer value.
Output: 128-bit MD
We can summarize the behaviour of MD5 as follows:
CV_0 = IV
CV_{q+1} = SUM_32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
MD = CV_L
where
IV - initial value of the ABCD buffer, defined in step 3
Y_q - the qth 512-bit block of the message
L - the number of blocks in the message (including padding and length fields)
CV_q - chaining variable processed with the qth block of the message
RF_x - round function using primitive logical function x
MD - final message digest value
SUM_32 - addition modulo 2^32 performed separately on each word of the pair of inputs
MD5 Compression Function
Each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
note this updates 1 word only of the buffer
after 16 steps each word is updated 4 times
where
g(b,c,d) - different nonlinear function in each round (F,G,H,I)
T[i] - ith entry in the matrix of constants T
<<<s - Circular left shift
+ - addition modulo 2^32

Round   Primitive function   g(b, c, d)
1       F(b, c, d)           (b ∧ c) ∨ (¬b ∧ d)
2       G(b, c, d)           (b ∧ d) ∨ (c ∧ ¬d)
3       H(b, c, d)           b ⊕ c ⊕ d
4       I(b, c, d)           c ⊕ (b ∨ ¬d)
MD5 vs SHA
Compared with MD5, SHA-1:
Brute-force attack is harder (160 vs 128 bits for MD5).
Not vulnerable to any known attacks (compared to MD4/5).
A little slower than MD5 (80 vs 64 steps).
Both are designed to be simple and compact.
Optimised for big-endian CPUs (vs MD5, which is optimised for little-endian CPUs).
MAC Based Hash Function : HMAC
HMAC Design Objectives
To use, without modifications, available hash functions which are free in use.
To allow for easy replaceability of the embedded hash function
To preserve the original performance of the hash function
To use and handle keys in a simple way.
HMAC executes in approximately the same time as the embedded hash function.
HMAC adds three executions of the hash compression function (for Si, So, and the block
produced from the inner hash).
HMAC Algorithm
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the
embedded hash function)
Y_i = ith block of M, 0 ≤ i ≤ (L - 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n; if key length is greater than b,
the key is input to the hash function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times
Algorithm Expression
HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
Algorithm Description
1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of
length 160 bits and b = 512, then K will be appended with 44 zeroes).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
Algorithm Compression
A more efficient implementation is possible by precomputing two quantities:
f(IV, (K+ ⊕ ipad))
f(IV, (K+ ⊕ opad))
where f is the compression function of the embedded hash function.
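The seven steps and the precomputed variant, written out as an added example (not code from the original notes) and checked against Python's hmac module. The zero padding is placed after the key bytes, as RFC 2104 and the standard library do; the function and class names are this example's own.

```python
import hashlib
import hmac

def k_plus(key, name):
    b = hashlib.new(name).block_size              # block length b (bytes here, bits in the text)
    if len(key) > b:                              # key longer than b: hash it to an n-bit key
        key = hashlib.new(name, key).digest()
    return key.ljust(b, b"\x00")                  # step 1: zero-pad K to a full block

def hmac_steps(key, msg, name="sha256"):
    kp = k_plus(key, name)
    s_i = bytes(x ^ 0x36 for x in kp)             # step 2: Si = K+ xor ipad
    inner = hashlib.new(name, s_i + msg).digest() # steps 3-4: H(Si || M)
    s_o = bytes(x ^ 0x5C for x in kp)             # step 5: So = K+ xor opad
    return hashlib.new(name, s_o + inner).digest()  # steps 6-7: H(So || inner)

class PrecomputedHMAC:
    """Absorb Si and So once per key: f(IV, K+ xor ipad) and f(IV, K+ xor opad)."""

    def __init__(self, key, name="sha256"):
        kp = k_plus(key, name)
        self.inner = hashlib.new(name, bytes(x ^ 0x36 for x in kp))
        self.outer = hashlib.new(name, bytes(x ^ 0x5C for x in kp))

    def tag(self, msg):
        inner = self.inner.copy()                 # start from the saved inner state
        inner.update(msg)
        outer = self.outer.copy()                 # start from the saved outer state
        outer.update(inner.digest())
        return outer.digest()

def verify(key, msg, tag, name="sha256"):
    # Constant-time comparison: does not reveal how many tag bytes matched.
    return hmac.compare_digest(hmac_steps(key, msg, name), tag)

def agrees_with_stdlib(key, msg, name="sha256"):
    return hmac_steps(key, msg, name) == hmac.new(key, msg, name).digest()
```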
Security of HMAC
An attack on HMAC requires either a brute-force attack on the key or a birthday attack.
In a birthday attack, the attacker is looking for two messages M and M′ that produce
the same hash: H(M) = H(M′).
Cipher-Based Message Authentication Code (CMAC)
Messages of one fixed length of mn bits are processed, where n is the cipher
block size and m is a fixed positive integer.
Three keys are used:
One key K of length k, to be used at each step of the cipher block chaining.
Two keys of length b, where b is the cipher block length.
First consider the operation of CMAC when the message length is an integer multiple n
of the cipher block length b.
The message is divided into n blocks (M_1, M_2, …, M_n).
The algorithm makes use of a k-bit encryption key K and a b-bit constant, K1.
CMAC is calculated as follows:
C_1 = E(K, M_1)
C_2 = E(K, [M_2 ⊕ C_1])
C_3 = E(K, [M_3 ⊕ C_2])
...
C_n = E(K, [M_n ⊕ C_{n-1} ⊕ K1])
T = MSB_Tlen(C_n)
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSB_s(X) = the s leftmost bits of the bit string X
If the message is not an integer multiple of the cipher block length, then the
final block is padded to the right (least significant bits) with a 1 and as many 0s
as necessary so that the final block is also of length b.
The CMAC operation then proceeds as before, except that a different b-bit key
K2 is used instead of K1.
The two b-bit keys are derived from the k-bit encryption key as follows.
L = E(K, 0^b)
K1 = L · x
K2 = L · x^2 = (L · x) · x
where multiplication ( · ) is done in the finite field GF(2^b), and x and x^2 are first-
and second-order polynomials that are elements of GF(2^b).
(b) Message length is not integer multiple of block size
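The subkey derivation and the choice between K1 and K2, as an added example for b = 128 (not code from the original notes). The cipher E is passed in as a function; `stand_in_E` is a constructed placeholder built from SHA-256 so the block runs offline and is not a block cipher, and the check values for L, K1 and K2 are the AES-128 example from RFC 4493.

```python
import hashlib

def dbl(block):
    """L · x in GF(2^128): shift left one bit; on overflow reduce with 0x87."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "big")

def subkeys(L):
    k1 = dbl(L)                  # K1 = L · x
    return k1, dbl(k1)           # K2 = (L · x) · x

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cmac(E, msg, tlen=16):
    """E is the keyed cipher E(K, .) on 16-byte blocks; tlen is the tag length in bytes."""
    k1, k2 = subkeys(E(bytes(16)))                      # L = E(K, 0^b)
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)] or [b""]
    last = blocks.pop()
    if len(last) == 16:
        last = xor(last, k1)                            # complete final block uses K1
    else:
        last = xor(last + b"\x80" + bytes(15 - len(last)), k2)  # padded block uses K2
    c = bytes(16)
    for m in blocks:
        c = E(xor(m, c))                                # C_i = E(K, M_i xor C_{i-1})
    return E(xor(last, c))[:tlen]                       # T = MSB_Tlen(C_n)

def stand_in_E(key):
    # Constructed stand-in for a block cipher (NOT one); substitute AES in real use.
    return lambda block: hashlib.sha256(key + block).digest()[:16]

# Subkey check values from RFC 4493 (AES-128 example key).
RFC_L = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")
RFC_K1 = bytes.fromhex("fbeed618357133667c85e08f7236a8de")
RFC_K2 = bytes.fromhex("f7ddac306ae266ccf90bc11ee46d513b")

def padded_and_complete_tags_differ():
    E = stand_in_E(b"constructed demo key")
    short = b"A" * 15                # padded to b"A" * 15 + 0x80
    full = short + b"\x80"           # the same 16 bytes, but already a complete block
    return cmac(E, short) != cmac(E, full)
```

Without the separate key K2, the 15-byte message and its padded 16-byte form would feed identical input to the last encryption and share a tag.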
DIGITAL SIGNATURE
Digital signatures are the public-key primitives of message authentication.
A digital signature is a technique that binds a person or entity to digital data.
This binding can be independently verified by the receiver as well as by any third
party.
Digital signature is a cryptographic value that is calculated from the data and a
secret key known only by the signer.
PROPERTIES
It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
Figure 11.4 Simplified Examples of Digital Signatures
(a) E(PRa, H(M))
ELGAMAL DIGITAL SIGNATURE SCHEME
The Elgamal signature scheme involves the use of the private key for
encryption and the public key for decryption.
As with Elgamal encryption, the global elements of the Elgamal digital signature are a
prime number q and a, which is a primitive root of q.
User A generates a private/public key pair as follows.
1. Generate a random integer XA, such that 1 < XA < q - 1.
2. Compute YA = a^XA mod q.
3. A’s private key is XA; A’s public key is {q, a, YA}.
To sign a message M, user A first computes the hash m = H(M).
1. Choose a random integer K such that 1 ≤ K ≤ q - 1 and gcd(K, q - 1) = 1.
That is, K is relatively prime to q - 1.
2. Compute S1 = a^K mod q.
3. Compute K^-1 mod (q - 1). That is, compute the inverse of K modulo q - 1.
4. Compute S2 = K^-1 (m - XA S1) mod (q - 1).
5. The signature consists of the pair (S1, S2).
Any user B can verify the signature as follows.
1. Compute V1 = a^m mod q.
2. Compute V2 = (YA)^S1 (S1)^S2 mod q.
The signature is valid if V1 = V2.
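Key generation, signing and verification from the steps above, as an added example (not code from the original notes). The globals q = 19 and a = 10 are constructed toy values, far too small for real use; the range check on S1 and S2 in `verify` is an addition of this example so that out-of-range values are rejected before any arithmetic.

```python
import hashlib
import math
import secrets

Q, A = 19, 10        # constructed toy globals: prime q and a primitive root a of q

def digest(msg):
    """m = H(M) as an integer (SHA-256 chosen for this example)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def keygen(x_a=None):
    x_a = x_a or secrets.randbelow(Q - 3) + 2            # 1 < XA < q - 1
    return x_a, pow(A, x_a, Q)                           # YA = a^XA mod q

def sign(m, x_a, k=None):
    while k is None or math.gcd(k, Q - 1) != 1:          # K must be invertible mod q - 1
        k = secrets.randbelow(Q - 1) + 1                 # 1 <= K <= q - 1
    s1 = pow(A, k, Q)                                    # S1 = a^K mod q
    k_inv = pow(k, -1, Q - 1)                            # K^-1 mod (q - 1)
    s2 = k_inv * (m - x_a * s1) % (Q - 1)                # S2 = K^-1 (m - XA S1) mod (q - 1)
    return s1, s2

def verify(m, y_a, sig):
    s1, s2 = sig
    if not (0 < s1 < Q and 0 <= s2 < Q - 1):             # reject out-of-range values
        return False
    v1 = pow(A, m, Q)                                    # V1 = a^m mod q
    v2 = pow(y_a, s1, Q) * pow(s1, s2, Q) % Q            # V2 = YA^S1 S1^S2 mod q
    return v1 == v2
```

With XA = 16, m = 14 and K = 5 this gives YA = 4 and the signature (3, 4), for which V1 = V2 = 16.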
SCHNORR DIGITAL SIGNATURE SCHEME
The Schnorr signature scheme is based on discrete logarithms.
The Schnorr scheme minimizes the message-dependent amount of computation
required to generate a signature.
The scheme is based on using a prime modulus p, with p - 1 having a prime factor q
of appropriate size; that is, p - 1 ≡ 0 (mod q).
p is a 1024-bit number, and q is a 160-bit number.
The first part of this scheme is the generation of a private/public key pair.
1) Choose primes p and q, such that q is a prime factor of p - 1.
2) Choose an integer a, such that a^q = 1 mod p. The values a, p, and q comprise a
global public key that can be common to a group of users.
3) Choose a random integer s with 0 < s < q. This is the user’s private key.
4) Calculate v = a^(-s) mod p. This is the user’s public key.
A user with private key s and public key v generates a signature as follows.
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p.
2. Concatenate the message with x and hash the result to compute the value e:
e = H(M || x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).
Any other user can verify the signature as follows.
1. Compute x′ = a^y v^e mod p.
2. Verify that e = H(M || x′).
Verification works because x′ = a^y v^e = a^y a^(-se) = a^(y - se) = a^r = x (mod p).
Hence H(M || x′) = H(M || x).
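The key generation, signing and verification steps above as an added example (not code from the original notes). The primes p = 2267 and q = 103 are constructed toy values standing in for the 1024-bit and 160-bit sizes; SHA-256 and the two-byte encoding of x are choices of this example.

```python
import hashlib
import secrets

P, Q = 2267, 103      # constructed toy primes: q is a prime factor of p - 1 (2266 = 22 * 103)
# a = h^((p-1)/q) mod p for the first h giving a != 1, so that a^q = 1 mod p.
A = next(a for a in (pow(h, (P - 1) // Q, P) for h in range(2, P)) if a != 1)

def H(msg, x):
    """e = H(M || x), with x encoded big-endian at the byte length of p."""
    data = msg + x.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    s = secrets.randbelow(Q - 1) + 1            # private key: 0 < s < q
    return s, pow(A, -s, P)                     # public key: v = a^(-s) mod p

def sign(msg, s, r=None):
    r = r or secrets.randbelow(Q - 1) + 1       # fresh random r for every signature
    x = pow(A, r, P)                            # independent of the message
    e = H(msg, x)
    y = (r + s * e) % Q                         # only this step depends on the message
    return e, y

def verify(msg, v, sig):
    e, y = sig
    if not 0 <= y < Q:                          # reject out-of-range y
        return False
    x_prime = pow(A, y, P) * pow(v, e, P) % P   # x' = a^y v^e mod p
    return e == H(msg, x_prime)
```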