
Unit 5

The document discusses the MD5 algorithm and its implementation steps. It was developed by Professor Ronald L. Rivest in 1991 to produce a 128-bit fingerprint of input messages. The implementation involves padding the message, appending the length, initializing buffers, and processing the message in 16-word blocks using four functions. The document also discusses other hash functions like SHA and RIPEMD as well as HMAC and digital signatures.

Unit 5:

MD5 Algorithm:

• MD5 algorithm was developed by Professor Ronald L. Rivest in 1991.


According to RFC 1321, “MD5 message-digest algorithm takes as input a
message of arbitrary length and produces as output a 128-bit "fingerprint" or
"message digest" of the input …The MD5 algorithm is intended for digital
signature applications, where a large file must be "compressed" in a secure
manner before being encrypted with a private (secret) key under a
public-key cryptosystem such as RSA.”
Implementation Steps
• Step 1. Append padding bits
The input message is "padded" (extended) so that its length (in bits) is
congruent to 448 modulo 512. Padding is always performed, even if the length
of the message is already congruent to 448 modulo 512.
Padding is performed as follows: a single "1" bit is appended to the message,
and then "0" bits are appended so that the length in bits of the padded message
becomes congruent to 448 mod 512. At least one bit and at most 512 bits are
appended.
• Step 2. Append length
A 64-bit representation of the length of the message before padding (call it b)
is appended to the result of step 1. If the length of the message is greater
than 2^64, only the low-order 64 bits will be used.
The resulting message (after padding with bits and with b) has a length that
is an exact multiple of 512 bits. Equivalently, it has a length that is an
exact multiple of 16 (32-bit) words.
• Step 3. Initialize MD buffer
A four-word buffer (A, B, C, D) is used to compute the message digest.
Each of A, B, C, D is a 32-bit register. These registers are initialized to the
following values (in hexadecimal, low-order bytes first):
word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
• Step 4. Process message in 16-word blocks
Four functions are defined, each of which takes three 32-bit words as input
and produces one 32-bit word as output.

F (X, Y, Z) = XY or not (X) Z
G (X, Y, Z) = XZ or Y not (Z)
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or not (Z))

Round 1.
Let [abcd k s i] denote the operation a = b + ((a + F (b, c, d) + X [k] + T [i]) <<< s),
where X [k] is the k-th 32-bit word of the current block, T [i] is the i-th
entry of a 64-element constant table, and <<< s is a left rotation by s bits.

Do the following 16 operations.

[ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4]
[ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8]
[ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12]
[ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16]
Performance

Algorithm    Key size/hash size (bits)   Extrapolated speed (Kbytes/sec.)   PRB optimized (Kbytes/sec.)
TEA          128                         700                                -
DES          56                          350                                7746
Triple-DES   112                         120                                2842
IDEA         128                         700                                4469
RSA          512                         7                                  -
SHA          160                         750                                25162
MD5          128                         1740                               62425

Secure Hash Function (SHA)


The SHA family comprises four SHA algorithms: SHA-0, SHA-1, SHA-2, and
SHA-3. Though from the same family, they are structurally different.
• The original version, SHA-0, a 160-bit hash function, was published by the
National Institute of Standards and Technology (NIST) in 1993. It had a few
weaknesses and did not become very popular. Later, in 1995, SHA-1 was
designed to correct the alleged weaknesses of SHA-0.
• SHA-1 is the most widely used of the existing SHA hash functions. It is
employed in several widely used applications and protocols, including Secure
Socket Layer (SSL) security.
• In 2005, a method was found for uncovering collisions for SHA-1 within a
practical time frame, making the long-term employability of SHA-1 doubtful.
• The SHA-2 family has four further SHA variants, SHA-224, SHA-256, SHA-384,
and SHA-512, depending on the number of bits in their hash value. No
successful attacks have yet been reported on the SHA-2 hash function.
• SHA-2 is a strong hash function. Though significantly different, its
basic design still follows the design of SHA-1. Hence, NIST called for new
competitive hash function designs.
• In October 2012, NIST chose the Keccak algorithm as the new SHA-3
standard. Keccak offers many benefits, such as efficient performance and good
resistance to attacks.

RIPEMD
RIPEMD is an acronym for RACE Integrity Primitives Evaluation Message
Digest. This set of hash functions was designed by the open research community
and is generally known as a family of European hash functions.
• The set includes RIPEMD, RIPEMD-128, and RIPEMD-160. There also exist
256-bit and 320-bit versions of this algorithm.
• The original RIPEMD (128-bit) is based on the design principles used in MD4
and was found to provide questionable security. The RIPEMD 128-bit version
came as a quick-fix replacement to overcome vulnerabilities in the original
RIPEMD.
• RIPEMD-160 is an improved version and the most widely used version in the
family. The 256-bit and 320-bit versions reduce the chance of accidental
collision, but do not have higher levels of security as compared to RIPEMD-128
and RIPEMD-160 respectively.

HMAC:

Hash-based message authentication code (or HMAC) is a cryptographic
authentication technique that uses a hash function and a secret key.

With HMAC, you can achieve authentication and verify that data is correct and
authentic with shared secrets, as opposed to approaches that use signatures and
asymmetric cryptography.

How HMAC Works

Two parties want to communicate, but they want to ensure that the contents of their
connection remain private. They also distrust the internet, and they need a way to
verify that the packets they receive haven't been tampered with. HMAC is a valid
solution.

HMAC keys consist of two parts. These are:

1. Cryptographic keys. An encryption algorithm alters data, and a recipient
needs a specific code (or key) to make it readable once more. HMAC relies
on a shared set of secret keys.
2. Hash function. A hash algorithm alters or digests the message once more.
HMAC uses generic cryptographic hash functions, such as SHA-1, MD5, or
RIPEMD-128/160.

A pair using this system must agree on:

• Secret keys. They must have a way to decode messages they get. A secret
key handles this task, and it's meant to stay secret and hidden.
• Algorithm. They must pick one hash function that all of their messages will
move through.

When complete, the message is considered irreversible, and it's also resistant to
hacking. Someone who intercepts this message won't even be able to guess at its
length. The work renders the message contents absolutely useless to anyone
without a key or a code.

HMAC tester tools can help demonstrate how something like this works. Imagine
you're dealing with these inputs:

• Potential message: I would like to buy 100 units.
• Secret key: 666
• Algorithm: MD5

The resulting message reads: "fd9f18089206e67b163771a3883185ab."

A dense layer of mathematics underlies what seems like an easy translation
process. When we attempt to display what HMAC looks like mathematically, we
use diagrams like this.

Understanding the math is critical for developers. If you're asked to explain your
work and the protections you offer, a diagram can often showcase things better
than your words ever can.

But the average computer user may never need to understand the math. To them,
knowing that their messages are protected may be all they require.
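
The construction that such a diagram shows, written out as an added example (not part of the original notes): hmac_manual follows the RFC 2104 definition, and hmac_tag and hmac_verify use Python's standard hmac module with the sample message, key and algorithm from the text. The function names are chosen here.

```python
import hashlib
import hmac

# Sample inputs taken from the text above.
MESSAGE = b"I would like to buy 100 units."
KEY = b"666"


def hmac_manual(key: bytes, msg: bytes, algo: str = "md5") -> str:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    block = hashlib.new(algo).block_size        # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:                        # keys longer than a block are hashed first
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")             # shorter keys are zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)         # inner pad
    opad = bytes(b ^ 0x5C for b in key)         # outer pad
    inner = hashlib.new(algo, ipad + msg).digest()
    return hashlib.new(algo, opad + inner).hexdigest()


def hmac_tag(key: bytes, msg: bytes, algo: str = "md5") -> str:
    """Sender side: compute the tag that travels with the message."""
    return hmac.new(key, msg, algo).hexdigest()


def hmac_verify(key: bytes, msg: bytes, tag: str, algo: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, msg, algo), tag)


if __name__ == "__main__":
    tag = hmac_tag(KEY, MESSAGE)
    print("tag:", tag)
    print("manual construction agrees:", hmac_manual(KEY, MESSAGE) == tag)
    print("original accepted:", hmac_verify(KEY, MESSAGE, tag))
    # One changed digit in the message, same tag: the receiver rejects it.
    print("altered accepted:", hmac_verify(KEY, b"I would like to buy 900 units.", tag))
```

The tag has the hash function's output length (32 hex characters for MD5) whatever the message length; passing algo="sha256" switches the hash without changing the construction.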
How to Implement HMAC

To use HMAC, either as an individual or a web developer, you'll need three
important things. And you'll need an agreement about those items with your
recipients, so you're all using the same tools at the same time.

These are the two items you'll need:

1. A shared secret
2. A hashing tool

Only your server should know all three items for all of your users. And that data
should be fiercely protected. Anyone who knows the secret keys for your members
can take over your server and/or send fraudulent data.

Every website and coding environment is different, but walking through an
example might be helpful. Imagine that you'd like to use HMAC on traffic that
comes to your website via dynamic ads from Google. You will:

• Build your token in Ad Manager. You'll specify details about the visit and
the time. You'll use Google's authentication key to create your "secret key."
• Implement. You can put your new token within your authorization request
header, or you can pass it as a query string or form data parameter.

Google makes this process quick and easy. Developers can access a simple tutorial
and copy code within minutes.

Notice that you're not asking your Google Ads visitors to memorize a code or do
any decoding. The user's server understands the coding requirements within your
website, and all of the token setting and translation is invisible to the user.

Even so, you should test this environment often before you deploy it. If you
encounter a coding error, you could block people from accessing your site, as it
will seem as though they're fraudulent actors. It pays to test any system like this on
multiple devices before you set it loose on the wider world.

Digital Signature

A digital signature is a mathematical technique which validates the authenticity and
integrity of a message, software or digital documents. It allows us to verify the author
name, date and time of signatures, and authenticate the message contents. The digital
signature offers far more inherent security and is intended to solve the problem of
tampering and impersonation (intentionally copying another person's characteristics) in
digital communications.

A digital signature in cryptography is a value calculated from the data along with a
secret key that only the signer is aware of. The receiver needs to be assured that the
message belongs to the sender. This is crucial in businesses, as the chances of
disputes over data exchange are high.
Application of Digital Signature

The important reasons to implement digital signatures in communication are:

o Authentication
o Non-repudiation
o Integrity
Authentication

Authentication is a process which verifies the identity of a user who wants to access
the system. In the digital signature, authentication helps to authenticate the sources
of messages.

Non-repudiation

Non-repudiation means assurance that something cannot be denied. It ensures that
a party to a contract or communication cannot later deny the authenticity of their
signature on a document or in a file, or the sending of a message that they originated.

Integrity

Integrity ensures that the message is real, accurate and safeguards from unauthorized
user modification during the transmission.

Algorithms in Digital Signature

A digital signature consists of three algorithms:

1. Key generation algorithm

The key generation algorithm selects private key randomly from a set of possible
private keys. This algorithm provides the private key and its corresponding public
key.

2. Signing algorithm

A signing algorithm produces a signature for the document.

3. Signature verifying algorithm

A signature verifying algorithm either accepts or rejects the document's
authenticity.
How digital signatures work
The model of digital signature scheme is depicted in the following illustration −
The following points explain the entire process in detail −
• Each person adopting this scheme has a public-private key pair.
• Generally, the key pairs used for encryption/decryption and signing/verifying
are different. The private key used for signing is referred to as the signature
key and the public key as the verification key.
• Signer feeds data to the hash function and generates hash of data.
• Hash value and signature key are then fed to the signature algorithm which
produces the digital signature on given hash. Signature is appended to the data
and then both are sent to the verifier.
• Verifier feeds the digital signature and the verification key into the verification
algorithm. The verification algorithm gives some value as output.
• Verifier also runs same hash function on received data to generate hash value.
• For verification, this hash value and output of verification algorithm are
compared. Based on the comparison result, verifier decides whether the digital
signature is valid.
• Since digital signature is created by ‘private’ key of signer and no one else can
have this key; the signer cannot repudiate signing the data in future.

Types of Authentication Protocols

User authentication is the first priority when responding to a request made
by a user to a software application. Several mechanisms exist to authenticate
a user before providing access to data.
1. Kerberos :
Kerberos is a protocol that aids in network authentication. It is used for
validating clients/servers on a network using a cryptographic key. It is
designed to provide strong authentication to applications. An implementation
of the Kerberos protocol is made openly available by MIT and is used in many
mass-produced products.

Some advantages of Kerberos :
• It supports various operating systems.
• The authentication key is shared much more efficiently than with public sharing.
Some disadvantages of Kerberos :
• It is used only to authenticate clients and the services used by them.
• It is vulnerable to soft or weak passwords.
2. Lightweight Directory Access Protocol (LDAP) :
LDAP refers to Lightweight Directory Access Protocol. It is a protocol that is
used for locating individuals, organizations, and other devices on a
network, whether on the public or a corporate internet. It is practiced as
Directories-as-a-Service and is the grounds on which Microsoft built Active
Directory.
Some advantages of LDAP :
• It is an automated protocol, which makes it easier to modernize.
• It supports existing technologies and allows multiple directories.
Some disadvantages of LDAP :
• It requires deployment experience.
• The directory servers are required to be LDAP compliant for deployment.
3. OAuth2 :
OAuth, as the name suggests, is an authorization framework that promotes
granting limited access to the user on its account through an HTTP service. When
a user requests access to resources, an API call is made, after which the
authentication token is passed.
Some advantages of OAuth2 :
• It is a simple protocol and is easy to implement.
• It provides server-side authorization of code.
Some disadvantages of OAuth2 :
• It is vulnerable to manage different sets of code.
• It shows serious effects on sites connected to another affected system.
4. SAML :
SAML stands for Security Assertion Markup Language, an XML-based
authentication data format which provides authorization between an
identity provider and a service provider. It is a product of the OASIS
Security Services Technical Committee.
Some advantages of SAML :
• It reduces the administrative costs for the end-users.
• It provides a single sign-in for authenticating across service providers.
Some disadvantages of SAML :
• It is dependent on the identity provider.
• All the data is managed in a single XML format.
5. RADIUS :
RADIUS stands for Remote Authentication Dial-In User Service. It is a network
protocol that provides sufficient centralized Authentication, Accounting, and
Authorization for the users that use network services. The protocol comes
into play when the user requests access to network resources, where the
RADIUS server encrypts the credentials which are entered by the user. After this,
the user credentials are mapped through the local database and access is provided.
Some advantages of RADIUS :
• It is a great mechanism for providing multiple access for admins.
• It provides a unique identity to each user in a session.
Some disadvantages of RADIUS :
• Initial implementation of this mechanism is hard on hardware.
• It has a variety of models that may require a special team, which is
costly.
Differentiating between the protocols will not do justice to them,
because the choice depends on the application and the purpose for which it is
being used.

DSS:
Digital Signature Standard (DSS) is a Federal Information Processing
Standard (FIPS) which defines algorithms that are used to generate digital
signatures with the help of the Secure Hash Algorithm (SHA) for the authentication
of electronic documents. DSS only provides us with the digital signature function
and not with any encryption or key exchange strategies.
Sender Side : In the DSS approach, a hash code is generated out of the message and
the following inputs are given to the signature function –
1. The hash code.
2. The random number ‘k’ generated for that particular signature.
3. The private key of the sender i.e., PR(a).
4. A global public key (which is a set of parameters for the communicating
principals) i.e., PU(g).
These inputs to the function will provide us with the output signature containing
two components – ‘s’ and ‘r’. The original message concatenated with
the signature is then sent to the receiver.
Receiver Side : At the receiver end, verification of the sender is done. The hash
code of the sent message is generated. There is a verification function which
takes the following inputs –
1. The hash code generated by the receiver.
2. Signature components ‘s’ and ‘r’.
3. Public key of the sender.
4. Global public key.
The output of the verification function is compared with the signature component
‘r’. Both the values will match if the sent signature is valid, because only the
sender with the help of its private key can generate a valid signature.
Benefits of digital signature:
1. A digital signature gives better security in the transaction. An
unauthorized person cannot commit fraud in transactions.
2. You can easily track the status of the documents on which the
digital signature is applied.
3. High-speed document delivery.
4. It is 100 percent legal; it is issued by a government-authorized certifying
authority.
5. If you have signed a document digitally, you cannot deny it.
6. When a document is signed, the date and time are automatically
stamped on it.
7. It is not possible to copy or change a digitally signed document.
8. Identification of the person who signs.
9. Elimination of the possibility of fraud by an impostor.

Drawbacks of digital signature:

1. You need to look into all the compatibility issues. There are a great many
compatibility settings, such as an updated version of drivers and software.
2. Software is one of the main issues when using a
digital signature certificate.
3. If you belong to the corporate world and run an export-import
organization, you need to produce a digital signature for e-ticketing.
4. Loss or theft of keys and the use of vulnerable storage
facilities.
5. There is a stronger need for a standard through which these different
methods can interoperate.
In this era of fast technological advancement, many of these tech products
have a short shelf life.
6. To use a digital signature effectively, both senders and
recipients may have to buy digital certificates.
7. To work with digital certificates, the sender and recipients have to
buy verification software at a cost.
8. A digital signature involves the primary concern for any business: money.