L5 AuthenticationIntegrity

This document discusses authentication and integrity in cryptography. It covers different types of authentication like message encryption, hash functions, and message authentication codes. Hash functions map a variable length message to a fixed length hash value. They are used to verify the integrity of a message and ensure no modifications. The document also discusses secure hash algorithms like SHA-1, SHA-2, and SHA-3 which are commonly used hash functions and their properties. SHA-512 is provided as an example, outlining its logic, procedure, and constants.

AUTHENTICATION & INTEGRITY
DR. NOR FADZILAH ABDULLAH
JKEES, FKAB

Contents adopted from William Stallings “Cryptography & Network Security” 6th Edition
(Chapter 11, 12, 13, 14 & 15) & other online sources
MOTIVATION

• Block ciphers (including CBC and CTR modes) are insufficient for most applications
  • They only protect against eavesdropping (passive attack)
• Need also to defend against active attacks
  • Authentication & integrity
AUTHENTICATION TYPES

1. Message Encryption
2. Hash functions
3. Message authentication code (MAC)

AUTHENTICATION LEVELS
Two levels of functionality:

Lower level
• There must be some sort of function that produces an authenticator
  • Message encryption: the ciphertext of the entire message serves as its authenticator
  • Hash function: a function that maps a message of any length into a fixed-length hash value which serves as the authenticator
  • Message authentication code (MAC): a function of the message and a secret key that produces a fixed-length MAC value that serves as the authenticator

Higher level
• Uses the lower-level function as a primitive in an authentication protocol (enables a receiver to verify the authenticity of a message)

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


RECALL: MESSAGE ENCRYPTION
• authentication achieved in (a), (c) and (d)

CRYPTOGRAPHIC HASH FUNCTION

A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value, h = H(M)

Message authentication: verify the integrity of a message (i.e. no modification, insertion, deletion, or replay)
CRYPTOGRAPHIC HASH FUNCTION

• Deterministic: the same input will always produce the same output
• Fast: bitwise operations, multiple rounds can be computed very quickly & efficiently
• Irreversible: message cannot be retrieved from the hash code (not decryption)
• Utilizes the ‘avalanche effect’: due to looping cascading concept → provides data integrity
• Collision-resistant: finding 2 hash inputs that result in the same hash code is probabilistically infeasible
• Unbreakable without using a brute-force approach

REQUIREMENTS FOR A CRYPTOGRAPHIC HASH FUNCTION H
CRYPTOGRAPHIC HASH FUNCTIONS

Computationally infeasible to find either:

• pre-image resistant: due to the one-way property i.e. 1 object that maps to a pre-specified hash result → infeasible to determine M (i.e. input) from H(M) (i.e. output, the hash code)
• Second pre-image resistant: even if given M1, H & H(M1), still infeasible to find another input M2 that results in H(M2)=H(M1)
• collision-free property: 2 data objects that map to the same hash result → can’t find any M1, M2 such that H(M1)=H(M2)
ONE-WAY HASH FUNCTIONS

• accepts a variable-size message M as input and produces a fixed-size message digest h=H(M) as output
• NO secret key as input
• to authenticate a message, the message digest is sent with the message in such a way that the message digest is authentic
REQUIREMENTS AND SECURITY

Preimage:
• x is the preimage of h for a hash value h = H(x)
• x = a data block whose hash value, using the hash function H, is h
• Because H is a many-to-one mapping, for any given hash value h, there will in general be multiple preimages

Collision:
• Occurs if we have x ≠ y and H(x) = H(y)
• Because we are using hash functions for data integrity, collisions are clearly undesirable
RELATIONSHIP AMONG HASH FUNCTION PROPERTIES
A function that is collision resistant is also second preimage resistant, but the reverse is not necessarily true.
HASH FUNCTION RESISTANCE PROPERTIES REQUIRED FOR VARIOUS DATA INTEGRITY APPLICATIONS

* Resistance required if attacker is able to mount a chosen message attack

USE OF HASH FUNCTIONS

a) authentication & confidentiality
b) authentication only
c) Secret value, S provides protection to hash value. No encryption (faster)
d) Option (c) with plaintext encryption
ATTACK AGAINST HASH FUNCTION
(a) Use of hash function:
• sender computes a hash value as a function of the bits in the message & transmits both the hash value and the message.
• receiver performs the same hash calculation on the message bits and compares this value with the incoming hash value.
• If there is a mismatch, receiver knows that message (or possibly hash value) has been altered
(b) Attack on hash function:
• Alice transmits a data block and attaches a hash value.
• Darth intercepts message, alters/replaces the data block, calculates & attaches new hash value.
• Bob receives altered data with new hash value & doesn’t detect change.
Conclusion: hash value generated by Alice must be protected.
ATTACKS ON HASH FUNCTIONS

Brute-force attacks:
• Do not depend on the specific algorithm, only depend on bit length
• In the case of a hash function, attack depends only on the bit length of the hash value
• Method is to pick values at random and try each one until a collision occurs
• To break pre-image resistance: 2^(n-1)

Cryptanalytic attacks:
• An attack based on weaknesses in a particular cryptographic algorithm
• Seek to exploit some property of the algorithm to perform some attack other than an exhaustive search
BRUTE FORCE: BIRTHDAY ATTACKS

• Inherent characteristic of hash functions: vulnerable to collision attack i.e. adversary finds 2 messages or data blocks with the same hash value
• Assume n inputs (people, messages, …) & k outputs (birthdays, digests, …)
• There are n×(n‐1)/2 input pairs. If n×(n‐1)/2 > k → the chance of having at least one match is pretty good
• How many students do you need in a class before the probability of having two people with the same birthday exceeds ½? Answer: 23!
• To break collision resistance: 2^(n/2)
• k = 64‐bit digest → n > 2^32 is enough
• In other words: because hashing reduces the message to a much shorter digest, one can change a few bits here and there to produce message variants until two of the hashes collide
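The birthday bound above, as an added example that is not part of the original slides: it computes the collision probability for n inputs over k outputs, reproduces the 23-students answer, and runs the random-trial collision search on a SHA-512 digest truncated to a few bits so the ~2^(n/2) effort is small enough to watch. Function names and the constructed "msg-<i>" inputs are my own.

```python
import hashlib
import math


def birthday_probability(n: int, k: int) -> float:
    # P(at least one match) among n inputs drawn uniformly from k outputs:
    # 1 - prod_{i=0}^{n-1} (k - i) / k
    no_match = 1.0
    for i in range(n):
        no_match *= (k - i) / k
    return 1.0 - no_match


def inputs_for_half_chance(k: int) -> int:
    # Smallest n whose collision probability exceeds 1/2 (exact, small k only).
    n = 1
    while birthday_probability(n, k) <= 0.5:
        n += 1
    return n


def approx_half_chance(k: int) -> float:
    # Closed-form approximation sqrt(2 k ln 2) ~ 1.177 sqrt(k); for a 64-bit
    # digest (k = 2^64) this is a little over 2^32 trials.
    return math.sqrt(2 * k * math.log(2))


def truncated_tag(message: bytes, bits: int) -> int:
    # Keep only the first `bits` bits of SHA-512 to model an n-bit digest.
    return int.from_bytes(hashlib.sha512(message).digest(), "big") >> (512 - bits)


def find_truncated_collision(bits: int, max_trials: int = 1 << 24):
    # Pick inputs one after another and stop at the first repeated tag.
    # Returns (m1, m2, trials) or None if max_trials is exhausted.
    seen = {}
    for i in range(max_trials):
        msg = b"msg-%d" % i            # constructed input, not a real message
        tag = truncated_tag(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    return None


if __name__ == "__main__":
    print("23 students:", round(birthday_probability(23, 365), 4))
    print("n for k=2^64:", int(approx_half_chance(1 << 64)))
    m1, m2, trials = find_truncated_collision(24)
    print("24-bit collision after", trials, "trials:", m1, m2)
```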
CRYPTANALYTIC ATTACK: COMPRESSION ALGORITHM, F
• attempts to find efficient techniques for producing collisions for a single execution of f

SECURE HASH ALGORITHM (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• SHA-1: revised 1995
  • Designed & published by NSA
  • Commonly used in the Internet until 2005
  • Based on the hash function MD4 and its design closely models MD4
  • Produces 160-bit hash values, collisions can be found in ~2^61 hashes
  • No longer considered secure
• SHA-2 (1999): consists of 3 revised versions (different hash value lengths) of SHA-256, SHA-384, and SHA-512
  • Minor attacks, but still good
• SHA-3: new NIST standard, no known attacks

COMPARISON OF SHA PARAMETERS

(Table of SHA-1 and SHA-2 parameters. Note: All sizes are measured in bits.)

SHA-512 LOGIC
(Figure; annotation: ‘1’ end of string & 0’s padding)

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


SHA-512 PROCEDURE

• Step 1: Append padding bits so that the length ≡ 896 (mod 1024)
• Step 2: Append length (i.e. L, the original message length, in 128 bits)
• Step 3: Initialize hash buffer
  • eight 64-bit registers (a, b, c, d, e, f, g, h)
• Step 4: Process message in 1024-bit (128-word) blocks (i.e. F = 80 rounds)
• Step 5: Output (i.e. 512-bit message digest after N blocks processed)
SHA-512 Constants
EXAMPLE: SHA-512

• 1 block message: ‘abc’, L=24
• After padding (hexadecimal format):
• Assigned to words:
• Buffer variables (only 2 rounds shown. Note: 6 copied from previous round)
• Output after 80 rounds:
• Hash value:
• Test: avalanche effect ‘cbc’ (253-bit changes)
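An added example, not from the slides or from any reference implementation: SHA-512 written from the five procedure steps above (padding, 128-bit length, hash buffer, 80-round F per 1024-bit block, output), with the initial values and round constants derived the way FIPS 180-4 defines them instead of typed in, then applied to the ‘abc’ message and the ‘cbc’ avalanche test; hashlib appears only as an independent cross-check, and all function names are my own.

```python
import hashlib   # used only to cross-check the hand-written result
import math
import struct

MASK64 = (1 << 64) - 1


def _first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def _icbrt(n):
    # Exact integer cube root (floor): Newton's method from above plus a fix-up.
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


# Initial hash values: first 64 bits of the fractional parts of the square
# roots of the first 8 primes; round constants K: the same for the cube roots
# of the first 80 primes (this is how FIPS 180-4 defines the SHA-512 constants).
_PRIMES = _first_primes(80)
H0 = [math.isqrt(p << 128) & MASK64 for p in _PRIMES[:8]]
K = [_icbrt(p << 192) & MASK64 for p in _PRIMES]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512_pad(message: bytes) -> bytes:
    # Step 1: a single '1' bit, then '0' bits until length ≡ 896 (mod 1024).
    # Step 2: the original bit length L as a 128-bit big-endian integer.
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded) % 128) % 128)
    return padded + (len(message) * 8).to_bytes(16, "big")


def sha512(message: bytes) -> bytes:
    h = list(H0)                                   # Step 3: hash buffer a..h
    padded = sha512_pad(message)
    for off in range(0, len(padded), 128):         # Step 4: one 1024-bit block
        w = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):                    # message schedule W16..W79
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):                        # the 80 rounds of F
            S1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
            t1 = (hh + S1 + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
            S0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
            t2 = (S0 + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
            hh, g, f, e = g, f, e, (d + t1) & MASK64
            d, c, b, a = c, b, a, (t1 + t2) & MASK64
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h)   # Step 5: 512-bit digest


def avalanche_bits(m1: bytes, m2: bytes) -> int:
    # Number of digest bits that differ between two messages (the slide's test).
    x = int.from_bytes(sha512(m1), "big") ^ int.from_bytes(sha512(m2), "big")
    return bin(x).count("1")


if __name__ == "__main__":
    print("padded 'abc':", sha512_pad(b"abc").hex())
    print("SHA-512('abc'):", sha512(b"abc").hex())
    print("matches hashlib:", sha512(b"abc") == hashlib.sha512(b"abc").digest())
    print("bits changed for 'cbc':", avalanche_bits(b"abc", b"cbc"))
```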


SHA-3
SHA-1 has not yet been "broken"
• No one has demonstrated a technique for producing collisions in a practical amount of time
• Considered to be insecure and has been phased out for SHA-2

The fact that SHA-2 shares the same structure & mathematical operations as SHA-1 is a cause for concern
• Because it will take years to find a suitable replacement for SHA-2 should it become vulnerable, NIST decided to begin the process of developing a new hash standard

In 2007, NIST announced a competition for the next generation SHA-3:
• Winning design announced in Oct. 2012
• SHA-3 is a cryptographic hash function that is intended to complement SHA-2 as the approved standard for a wide range of applications
APPLICATIONS OF HASH FUNCTIONS
• Message Authentication (message digest): hashing with a key (the hash can only be created or verified by someone with the key)
  • used in SSL and IPSec
• Digital Signatures: solution to man-in-the-middle attack
• Other Applications
  • Detect errors in file transfers e.g. BitTorrent
  • Creation of one-way password file e.g. PBKDF (password-based key derivation function)
  • Intrusion and virus detection
  • Construction of pseudorandom function (PRF) or pseudorandom number generator (PRNG)
APPLICATION: FILE TRANSMISSION

APPLICATION: PASSWORD STORAGE

MESSAGE AUTHENTICATION CODE (MAC)
• Typically used between 2 parties that share a secret key to authenticate information exchanged between those parties
• Based on crypto checksum
  • Input: a secret key & a data block
  • Output: a hash value (MAC) associated with the protected message
• If the integrity of the message needs to be checked, the MAC function can be applied to the message and the result compared with the associated MAC value
• An attacker who alters the message will be unable to alter the associated MAC value without knowledge of the secret key
SHA VS. MAC

USE OF MESSAGE AUTHENTICATION CODE (MAC)



MAC: BRUTE-FORCE ATTACK
• requires known message-tag pairs
• a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x)
• brute-force attack on MAC is more difficult compared to hash function

Two lines of attack:
• Attack the key space
  • If an attacker can determine the MAC key then it is possible to generate a valid MAC value for any input x
• Attack the MAC value
  • Objective is to generate a valid tag for a given message or to find a message that matches a given tag



MAC: CRYPTANALYSIS
• cryptanalytic attacks seek to exploit some property of the algorithm to
perform some attack other than an exhaustive search
• an ideal MAC algorithm will require a cryptanalytic effort greater
than or equal to the brute-force effort
• there is much more variety in the structure of MACs than in hash
functions, so it is difficult to generalize about the cryptanalysis of
MACs



HMAC
• Increased interest in developing a MAC derived from a cryptographic hash code, such as SHA-1
  - cryptographic hash functions generally execute faster in software than conventional encryption algorithms such as DES
  - library code for cryptographic hash functions is widely available
  - a hash function was not originally designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key
• HMAC is the most supported proposal to incorporate a secret key into an existing hash algorithm

HMAC
• Has been issued as RFC 2104
• Has been chosen as the mandatory-to-implement MAC for IP Security
• Is used in other Internet protocols, such as Transport Layer Security (TLS) and Secure Electronic Transaction (SET)
HMAC DESIGN OBJECTIVES

RFC 2104 lists the following objectives for HMAC:

• To use, without modifications, available hash functions
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required
• To preserve the original performance of the hash function without incurring a significant degradation
• To use and handle keys in a simple way
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function



HMAC STRUCTURE
MAC based on Hash Functions
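The RFC 2104 construction, HMAC(K, M) = H((K' ⊕ opad) || H((K' ⊕ ipad) || M)), as an added example that is not from the slides or from the RFC's own reference code: it is built from hashlib, checked against Python's hmac module, and paired with a constant-time tag check; the key and message values are constructed.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC exactly as RFC 2104 defines it, on top of any hashlib algorithm."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    # A key longer than one block is hashed first; a shorter one is zero-padded
    # to exactly one block. The result is the K' of the RFC.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()   # H((K' ^ ipad) || M)
    return hashlib.new(hash_name, opad + inner).digest()      # H((K' ^ opad) || inner)


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Recompute and compare in constant time, so response timing does not
    # reveal how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(hmac_rfc2104(key, message), tag)


# Constructed sample values (not from the slides).
KEY = b"shared-secret-key"
MSG = b"transfer 100 to account 42"

if __name__ == "__main__":
    tag = hmac_rfc2104(KEY, MSG)
    print("tag:", tag.hex())
    print("matches hmac module:", tag == hmac.new(KEY, MSG, "sha256").digest())
    print("altered message accepted:", verify_tag(KEY, MSG + b"0", tag))
```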

MAC BASED ON BLOCK CIPHERS

• Data Authentication Algorithm (DAA)
  • security problems → obsolete
• Cipher-Based Message Authentication Code (CMAC)
  • Only provides integrity (message sent as plaintext)

DATA AUTHENTICATION ALGORITHM (DAA)
- based on DES-CBC (IV=0 & zero-pad of final block)

(Data Authentication Code)


CIPHER-BASED MESSAGE AUTHENTICATION CODE (CMAC)
- Adopted by NIST SP800-38B
- Uses 3 keys (K, K1, K2) → 2 n-bit subkeys derived from the k-bit encryption key
- L = E(K, 0^b); K1 = L · x; K2 = L · x^2
  i.e. multiplication in GF(2^n) using the irreducible polynomial
  x^64+x^4+x^3+x+1 for 64 bits (software implementation)
  x^128+x^7+x^2+x+1 for 128 bits (hardware implementation)
- K1: if message length is an integer multiple of block size (b); K2: if padding is needed (10…0)
- b=128 with AES (128/192/256-bit key) or b=64 with 3DES (112/168-bit key)

(Tag)
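An added example (not the slides' or NIST's code) of the subkey derivation described above for b = 128: K1 = L·x and K2 = L·x^2 in GF(2^128) with x^128+x^7+x^2+x+1, the K1/K2 choice for the final block, and the generic CMAC loop over any 128-bit block cipher passed in as a function; since AES is not in the Python standard library, L = E(K, 0^128) is taken from the RFC 4493 example rather than computed here.

```python
BLOCK = 16        # b = 128 bits for AES
R_128 = 0x87      # x^7 + x^2 + x + 1: the low bits of x^128+x^7+x^2+x+1


def gf_double(block: bytes) -> bytes:
    # Multiply by x in GF(2^128): shift left one bit; if the bit shifted out
    # of the top was 1, reduce by XORing the polynomial's low part into the end.
    value = int.from_bytes(block, "big")
    carry = value >> 127
    value = (value << 1) & ((1 << 128) - 1)
    if carry:
        value ^= R_128
    return value.to_bytes(BLOCK, "big")


def cmac_subkeys(L: bytes):
    k1 = gf_double(L)     # K1 = L · x
    k2 = gf_double(k1)    # K2 = L · x^2
    return k1, k2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def last_block(message: bytes, k1: bytes, k2: bytes) -> bytes:
    # K1 when the length is a whole number of blocks (and non-zero),
    # otherwise K2 on the 10...0-padded remainder, as the slide describes.
    if message and len(message) % BLOCK == 0:
        return _xor(message[-BLOCK:], k1)
    tail = message[len(message) - len(message) % BLOCK:] + b"\x80"
    return _xor(tail.ljust(BLOCK, b"\x00"), k2)


def cmac(encrypt_block, key: bytes, message: bytes) -> bytes:
    # Generic CMAC over any 128-bit block cipher given as encrypt_block(key, block).
    L = encrypt_block(key, bytes(BLOCK))          # L = E(K, 0^128)
    k1, k2 = cmac_subkeys(L)
    n = max(1, -(-len(message) // BLOCK))         # number of blocks, at least 1
    x = bytes(BLOCK)
    for i in range(n - 1):                        # CBC over all but the last block
        x = encrypt_block(key, _xor(x, message[i * BLOCK:(i + 1) * BLOCK]))
    return encrypt_block(key, _xor(x, last_block(message, k1, k2)))   # tag T


# L = AES-128(K, 0^128) for the RFC 4493 example key 2b7e1516...; used only so
# the derived K1/K2 can be checked against that RFC's published values.
L_RFC4493 = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")

if __name__ == "__main__":
    k1, k2 = cmac_subkeys(L_RFC4493)
    print("K1:", k1.hex())
    print("K2:", k2.hex())
```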
AUTHENTICATED ENCRYPTION (AE)
Authenticated Encryption (AE) = confidentiality + integrity

1. Hash-then-encrypt: E(K, M||H(M))
   e.g. Used in WEP
2. MAC-then-encrypt: E(K2, M||MAC(K1,M))
   e.g. Used in SSL/TLS
3. Encrypt-then-MAC: (C=E(K2,M), T=MAC(K1,C))
   e.g. Used in IPSec
4. Encrypt-and-MAC: (C=E(K2,M), T=MAC(K1,M))
   e.g. Used in SSH
COUNTER WITH CIPHER BLOCK CHAINING-MAC (CCM)
- NIST SP 800-38C for WiFi
- Algorithmic ingredients:
  - AES
  - CTR mode of operation
  - CMAC authentication algorithm
- Single key for both encryption & MAC
- 2 passes over plaintext i.e. once for MAC & once for encryption (AE: E&M)
- Used in IEEE 802.11i

GALOIS/COUNTER MODE (GCM)
• NIST standard SP 800-38D
• Advantage: parallelizable (high throughput, low cost & latency)
• Uses 2 functions:
  • GHASH: keyed hash function; plaintext (X) XOR with feedback & multiplied with key in GF(2^128) to generate authenticator tag
  • GCTR: CTR mode with incremental counter
• Option: use MAC-only mode (GMAC)
• Y in fig (a) & (b) not related
DIGITAL SIGNATURES
The authenticity of many legal, financial, and other documents is determined by the presence or absence of an authorized signature. Digital signature ascertains that:
1. Receiver can verify claimed identity of sender.
2. Sender cannot later repudiate contents of message.
3. Receiver cannot have concocted (created) message himself.
4. Message itself can be plain or encrypted!
Implications of digital signatures go beyond just message authentication.
DIGITAL SIGNATURE REQUIREMENTS

• The signature must be a bit pattern that depends on the message being signed
• The signature must use some information unique to the sender to prevent both forgery and denial
• It must be relatively easy to produce the digital signature
• It must be relatively easy to recognize and verify the digital signature
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital signature in storage
SIMPLIFIED DIGITAL SIGNATURE PROCESS



DIGITAL SIGNATURE STANDARD (DSS)

• FIPS PUB 186: makes use of SHA-1 and presents a new digital signature technique, the Digital Signature Algorithm (DSA)
  • originally proposed in 1991, revised in 1993 and again in 1996
• FIPS 186-2 (2000), FIPS 186-3 (2009)
  • Incorporates digital signature based on RSA and ECC
• uses an algorithm that is designed to provide only the digital signature function
  • unlike RSA, it cannot be used for encryption or key exchange
DIGITAL SIGNATURE: RSA APPROACH

(a) Hash code encrypted using public-key encryption with the sender’s private key to provide authentication only (digital signature) because only the sender could have produced the encrypted hash code.

(b) If confidentiality & authentication (digital signature) is desired, message + private-key-encrypted hash code can be encrypted using a symmetric secret key (common technique).
DIGITAL SIGNATURE: DSA APPROACH

KEY DISTRIBUTION TECHNIQUE

• Means of delivering a key to two parties who wish to exchange data without allowing others to see the key
• For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others
• Frequent key changes are desirable to limit the amount of data compromised if an attacker learns the key



DISTRIBUTION OF PUBLIC KEYS

• Recall: Symmetric key exchange using Diffie-Hellman. Another method: key distribution center (KDC), key wrapping
• 4 types of Public Key (PU) distribution schemes:
  • Public announcement
  • Publicly available directory
  • Public-key authority
  • Public-key certificates




(a) Public announcement

(b) Public key directory

(c) Public key authority

Use of public key encryption, timestamp, and nonce (unique for transaction)

(d) Public key certificates

X.509 CERTIFICATES
• Part of the X.500 series of recommendations that define a directory service
  • A server or distributed set of servers that maintains a database of user information
• A framework for the provision of authentication services to its users
  • Initial issue: 1988, latest revision: 2012
  • Based on the use of public-key cryptography and digital signatures
  • Does not dictate the use of a specific algorithm but recommends RSA
  • Does not dictate a specific hash algorithm
• Each certificate contains the public key of a user (PU_USER) and is signed with the private key of a trusted certification authority (PR_CA)
• X.509 defines alternative authentication protocols based on the use of public-key certificates
CERTIFICATE REVOCATION
• Each certificate includes a period of validity
• Typically a new certificate is issued just before the expiration of the
old one
• It may be desirable on occasion to revoke a certificate before it expires,
for one of the following reasons:
• The user’s private key is assumed to be compromised
• The user is no longer certified by this CA
• The CA’s certificate is assumed to be compromised

• Each CA must maintain a list consisting of all revoked but not expired
certificates issued by that CA (CRL = certificate revocation list)
• These lists should be posted on the directory



X.509 FORMATS

X.509 HIERARCHY

A to communicate with B:
B to communicate with A:

PUBLIC-KEY INFRASTRUCTURE

• RFC 4949 (Internet Security Glossary) defines public-key infrastructure (PKI) = set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
• Objective of PKI: enable secure, convenient, and efficient acquisition of public keys.
• The Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) working group has been the driving force behind setting up a formal (and generic) model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet

PKIX ARCHITECTURAL MODEL

Elements:
• End entity
• CA
• RA (registration authority)
• CRL issuer
• Repository

USER-AUTHENTICATION
• the process of determining whether some user or some
application or process acting on behalf of a user is, in fact, who
or what it declares itself to be
• authentication technology provides access control for systems by
checking to see if a user’s credentials match the credentials in a
database of authorized users or in a data authentication server
• authentication enables organizations to keep their networks secure
by permitting only authenticated users (or processes) to access its
protected resources
• user authentication is distinct from message authentication
• message authentication is a procedure that allows communicating
parties to verify that the contents of a received message have not
been altered and that the source is authentic



MEANS OF USER AUTHENTICATION
There are 3 general means, or authentication factors, of authenticating a user’s identity, which can be used alone or in combination:

Knowledge factor (something the individual knows):
Requires the user to demonstrate knowledge of secret information. Routinely used in single-layer authentication processes, knowledge factors can come in the form of passwords, passphrases, personal identification numbers (PINs), or answers to secret questions

Possession factor (something the individual possesses):
Physical entity possessed by the authorized user to connect to the client computer or portal. This type of authenticator used to be referred to as a token, but that term is now deprecated. The term hardware token is a preferable alternative. Possession factors fall into two categories:
• Connected hardware tokens are items that connect to a computer logically (e.g., via wireless) or physically in order to authenticate identity. Items such as smart cards, wireless tags, and USB tokens are common connected tokens used to serve as a possession factor
• Disconnected hardware tokens are items that do not directly connect to the client computer, instead requiring input from the individual attempting to sign in. Typically, a disconnected hardware token device will use a built-in screen to display authentication data that are then utilized by the user to sign in when prompted

Inherence factor (something the individual is or does):
Refers to characteristics, called biometrics, that are unique or almost unique to the individual. These include static biometrics, such as fingerprint, retina, and face; and dynamic biometrics, such as voice, handwriting, and typing rhythm

REMOTE USER-AUTHENTICATION USING SYMMETRIC ENCRYPTION
A two-level hierarchy of symmetric keys can be used to provide confidentiality for communication in a distributed environment
• Strategy involves the use of a trusted key distribution center (KDC)
• Each party shares a secret key, known as a master key, with the KDC
• KDC is responsible for generating keys to be used for a short time over a connection between two parties (session key) and for distributing those keys using the master keys to protect the distribution
KERBEROS
• authentication service developed as part of Project Athena at MIT
• a workstation cannot be trusted to identify its users correctly to network services
  • a user may gain access to a particular workstation and pretend to be another user operating from that workstation
  • a user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation
  • a user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations
• Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users
• relies exclusively on symmetric encryption, making no use of public-key encryption



KERBEROS REQUIREMENTS
• the 1st published report on Kerberos listed the following requirements:
  • Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user
  • Reliable: Should be highly reliable and should employ a distributed server architecture with one system able to back up another
  • Scalable: The system should be capable of supporting large numbers of clients and servers
  • Transparent: Ideally, the user should not be aware that authentication is taking place beyond the requirement to enter a password
SUMMARY
• Cryptographic integrity algorithms
  • Cryptographic hash functions
  • Message authentication codes (MAC)
  • Digital signatures
• Mutual Trust
  • Key management & distribution
  • User authentication
