Unit-III Digital Signature and Authentication
Uploaded by vishnuramrk123

Unit 3- DIGITAL SIGNATURE AND AUTHENTICATION

Cryptographic Hash Functions:

• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).
• A “good” hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random. In general terms, the principal object of a hash function is data integrity. A change to any bit or bits in M results, with high probability, in a change to the hash value.
• The kind of hash function needed for security applications is referred to as a cryptographic hash function.
• A cryptographic hash function is an algorithm for which it is computationally infeasible (because no attack is significantly more efficient than brute force) to find either
o a data object that maps to a pre-specified hash result (the one-way property) or
o two data objects that map to the same hash result (the collision-free property).
• Because of these characteristics, hash functions are often used to determine whether or not data has changed.

Figure: Cryptographic hash function h = H(M)

The above figure depicts the general operation of a cryptographic hash function.
• Typically, the input is padded out to an integer multiple of some fixed length (e.g., 1024 bits), and the padding includes the value of the length of the original message in bits.
• The length field is a security measure to increase the difficulty for an attacker to produce an alternative message with the same hash value.

Applications of Cryptographic Hash Functions:

The most versatile cryptographic algorithm is the cryptographic hash function. It is used in a wide variety of security applications and Internet protocols. The following are various applications where it is employed.

Message Authentication:
• Message authentication is a mechanism or service used to verify the integrity of a message.
• Message authentication assures that data received are exactly as sent (i.e., there is no modification, insertion, deletion, or replay).
• When a hash function is used to provide message authentication, the hash function value is often referred to as a message digest.
• The essence of the use of a hash function for message integrity is as follows.
o The sender computes a hash value as a function of the bits in the message and transmits both the hash value and the message.
o The receiver performs the same hash calculation on the message bits and compares this value with the incoming hash value.
o If there is a mismatch, the receiver knows that the message (or possibly the hash value) has been altered (Figure a).
o The hash value must be transmitted in a secure fashion. That is, the hash value must be protected so that if an adversary alters or replaces the message, it is not feasible for the adversary to also alter the hash value to fool the receiver. This type of attack is shown in Figure b.

Figure: Attack against hash function


The following are a variety of ways in which a hash code can be used to provide message authentication.
a. The message plus concatenated hash code is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.
c. It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.
d. Confidentiality can be added to the approach of method (c) by encrypting the entire message plus the hash code.

• More commonly, message authentication is achieved using a message authentication code (MAC), also known as a keyed hash function.
• Typically, MACs are used between two parties that share a secret key to authenticate information exchanged between those parties.
• A MAC function takes as input a secret key and a data block and produces a hash value, referred to as the MAC, which is associated with the protected message.
• If the integrity of the message needs to be checked, the MAC function can be applied to the message and the result compared with the associated MAC value.
• An attacker who alters the message will be unable to alter the associated MAC value without knowledge of the secret key.
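As an added example (not part of the original notes), the following Python code puts the two checks side by side: the unkeyed-digest check of Figure a, and a keyed MAC (HMAC-SHA256 from the standard library) as described in the bullets above. The Figure b situation, in which the message and its accompanying digest are both replaced in transit by someone who does not hold the key, is modelled by `replace_in_transit`. The message text, the key and all function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample message for the example
MESSAGE = b"transfer 100 to account 42"


def send_with_digest(message: bytes):
    """Sender side of Figure a: transmit the message together with an unkeyed SHA-256 digest."""
    return message, hashlib.sha256(message).digest()


def check_digest(message: bytes, digest: bytes) -> bool:
    """Receiver side of Figure a: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def send_with_mac(key: bytes, message: bytes):
    """Sender holding a shared secret key: the authenticator is HMAC-SHA256(key, message)."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC with the same key and compares it in constant time."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), tag)


def replace_in_transit(message: bytes, authenticator: bytes):
    """Models the Figure b scenario: an intermediary without the key swaps the message
    for a different one and recomputes an unkeyed digest over the new message."""
    altered = message.replace(b"42", b"99")
    return altered, hashlib.sha256(altered).digest()


def demo(key: bytes = None) -> dict:
    """Run both schemes over the same altered message and report which checks still pass."""
    key = key or os.urandom(32)   # fresh random key, shared out of band by sender and receiver
    msg, digest = send_with_digest(MESSAGE)
    msg2, digest2 = replace_in_transit(msg, digest)
    msg_m, tag = send_with_mac(key, MESSAGE)
    msg_m2, tag2 = replace_in_transit(msg_m, tag)
    return {
        "digest_original_ok": check_digest(msg, digest),
        "digest_altered_ok": check_digest(msg2, digest2),   # True: an unkeyed hash gives no protection
        "mac_original_ok": check_mac(key, msg_m, tag),
        "mac_altered_ok": check_mac(key, msg_m2, tag2),     # False: the tag cannot be recomputed without the key
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo` is the second and fourth entries: the altered message passes the unkeyed check because anyone can recompute a plain digest, while the keyed check fails. `hmac.compare_digest` is used in both receivers so that the comparison does not leak how many leading bytes matched.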
Message Authentication Requirements:
In the context of communications across a network, the following attacks can be identified.
1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

Message Authentication Functions:

• Any message authentication or digital signature mechanism has two levels of functionality.
• At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message.
• This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
• We are concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes.
o Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
o Message encryption: The ciphertext of the entire message serves as its authenticator
o Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator

• Measures to deal with the first two attacks are in the realm of message confidentiality and are dealt with in encryption techniques.
• Measures to deal with items (3) through (6) in the foregoing list are generally regarded as message authentication.
• Mechanisms for dealing specifically with item (7) come under the heading of digital signatures.
• Generally, a digital signature technique will also counter some or all of the attacks listed under items (3) through (6). Dealing with item (8) may require a combination of the use of digital signatures and a protocol designed to counter this attack.
• In summary, message authentication is a procedure to verify that received messages come from the alleged source and have not been altered.
• Message authentication may also verify sequencing and timeliness.
• A digital signature is an authentication technique that also includes measures to counter repudiation by the source.

Message Encryption:
Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.
Symmetric Encryption:
Consider the straightforward use of symmetric encryption (Figure a).
• A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: No other party can recover the plaintext of the message.
Public-Key Encryption:
• The straightforward use of public-key encryption (Figure b) provides confidentiality but not authentication.
• The source (A) uses the public key PUb of the destination (B) to encrypt M. Because only B has the corresponding private key PRb, only B can decrypt the message. This scheme provides no authentication, because any opponent could also use B’s public key to encrypt a message and claim to be A.
• To provide authentication, A uses its private key to encrypt the message, and B uses A’s public key to decrypt (Figure c). This provides authentication using the same type of reasoning as in the symmetric encryption case: The message must have come from A because A is the only party that possesses PRa and therefore the only party with the information necessary to construct ciphertext that can be decrypted with PUa.
• There must be some internal structure to the plaintext so that the receiver can distinguish between well-formed plaintext and random bits.
• Assuming there is such structure, then the scheme of Figure c does provide authentication. It also provides what is known as a digital signature.
• Only A could have constructed the ciphertext because only A possesses PRa. Not even B, the recipient, could have constructed the ciphertext. Therefore, if B is in possession of the ciphertext, B has the means to prove that the message must have come from A.
• In effect, A has “signed” the message by using its private key to encrypt.
• Note that this scheme does not provide confidentiality. Anyone in possession of A’s public key can decrypt the ciphertext.
• To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B’s public key, which provides confidentiality (Figure d).
• The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication.

Message Authentication Code

• An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message.
• This technique assumes that two communicating parties, say A and B, share a common secret key K.
• When A has a message to send to B, it calculates the MAC as a function of the message and the key:
MAC = C(K, M)
where
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
• The message plus MAC are transmitted to the intended recipient.
• The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC.
• The received MAC is compared to the calculated MAC (Figure a). If we assume that only the receiver and the sender know the identity of the secret key, and if the received MAC matches the calculated MAC, then
1. The receiver is assured that the message has not been altered. If an attacker alters the message but does not alter the MAC, then the receiver’s calculation of the MAC will differ from the received MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the MAC to correspond to the alterations in the message.
2. The receiver is assured that the message is from the alleged sender. Because no one else knows the secret key, no one else could prepare a message with a proper MAC.
3. If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the receiver can be assured of the proper sequence because an attacker cannot successfully alter the sequence number.
• A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must be for decryption.
• In general, the MAC function is a many-to-one function.
• The domain of the function consists of messages of some arbitrary length, whereas the range consists of all possible MACs and all possible keys.
• If an n-bit MAC is used, then there are 2^n possible MACs, whereas there are N possible messages with N >> 2^n. Furthermore, with a k-bit key, there are 2^k possible keys.
• For example, suppose that we are using 100-bit messages and a 10-bit MAC. Then, there are a total of 2^100 different messages but only 2^10 different MACs. So, on average, each MAC value is generated by a total of 2^100 / 2^10 = 2^90 different messages. If a 5-bit key is used, then there are 2^5 = 32 different mappings from the set of messages to the set of MAC values.




• The process depicted in Figure (a) provides authentication but not confidentiality, because the message as a whole is transmitted in the clear.
• Confidentiality can be provided by performing message encryption either after (Figure b) or before (Figure c) the MAC algorithm.
• In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver. In the first case, the MAC is calculated with the message as input and is then concatenated to the message. The entire block is then encrypted. In the second case, the message is encrypted first. Then the MAC is calculated using the resulting ciphertext and is concatenated to the ciphertext to form the transmitted block.
• Typically, it is preferable to tie the authentication directly to the plaintext, so the method of Figure b is used.
MACs based on hash functions: HMAC
HMAC Design Objectives
RFC 2104 lists the following design objectives for HMAC.
• To use, without modifications, available hash functions. In particular, to use hash functions that perform
well in software and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash
functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based
on reasonable assumptions about the embedded hash function.

HMAC Algorithm
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded hash function)
Yi = ith block of M, 0 ≤ i ≤ (L – 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times

Figure: HMAC structure

HMAC can be expressed as: HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]

The algorithm is as follows:

1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is 160 bits long, it is padded with 44 zero bytes to reach the block length b).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
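The seven steps above, implemented in Python with `hashlib` as the embedded hash function. This is an added example, not code from the notes or from RFC 2104. The key is padded to the block length with zero bytes placed after the key bytes, which is what RFC 2104 specifies and what the standard library's `hmac` module does; a key longer than the block is first hashed down to n bits, as the definition of K above says. `matches_stdlib` is a helper written for this example to cross-check the result against `hmac.new`.

```python
import hashlib
import hmac  # standard-library HMAC, used here only to cross-check the result


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] built step by step."""

    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # block length in bytes (b/8 in the notes): 64 for SHA-1 and SHA-256
    # A key longer than the block is first hashed down to an n-byte key
    if len(key) > b:
        key = H(key)
    # Step 1: K+ is K padded with zero bytes to exactly b bytes (zeros after the key, per RFC 2104)
    k_plus = key.ljust(b, b"\x00")
    ipad = bytes([0x36]) * b                # 00110110 repeated b/8 times
    opad = bytes([0x5C]) * b                # 01011100 repeated b/8 times
    s_i = bytes(x ^ y for x, y in zip(k_plus, ipad))   # Step 2: K+ XOR ipad
    inner = H(s_i + message)                            # Steps 3-4: H(Si || M)
    s_o = bytes(x ^ y for x, y in zip(k_plus, opad))   # Step 5: K+ XOR opad
    return H(s_o + inner)                               # Steps 6-7: H(So || inner hash)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against hmac.new for the same key, message and hash (helper for this example)."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), expected)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA1: key = 0x0b repeated 20 times, data = "Hi There"
    print(hmac_from_scratch(b"\x0b" * 20, b"Hi There").hex())
```

Because the key never enters the hash function on its own but only XORed into a full block, the same code works unchanged for any Merkle-Damgård hash that `hashlib` provides; changing `hash_name` is the "easy replaceability" objective from RFC 2104 in practice.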
MD5:

MD5 is a message digest algorithm developed by Ron Rivest. MD5 is quite fast and produces 128-bit message digests. Over the years, researchers have found potential weaknesses in MD5. However, so far, MD5 has been able to successfully defend itself against collisions. This may not be guaranteed for too long, though.
After some initial processing, the input text is processed in 512-bit blocks (which are further divided into 16 32-bit sub-blocks). The output of the algorithm is a set of four 32-bit blocks, which make up the 128-bit message digest.

3.5.4 How MD5 Works?

Step 1: Padding: The first step in MD5 is to add padding bits to the original message. The aim of this step is to make the length of the original message equal to a value which is 64 bits less than an exact multiple of 512. For example, if the length of the original message is 1000 bits, we add a padding of 472 bits to make the length of the message 1472 bits. This is because, if we add 64 to 1472, we get 1536, which is a multiple of 512 (because 1536 = 512 x 3).

Thus, after padding, the original message will have a length of 448 bits (64 bits less than 512), 960 bits (64 bits less than 1024), 1472 bits (64 bits less than 1536), etc. The padding consists of a single 1-bit, followed by as many 0-bits as required. Note that padding is always added, even if the message length is already 64 bits less than a multiple of 512. Thus, if the message were already of length, say, 448 bits, we will add a padding of 512 bits to make its length 960 bits. Thus, the padding length is any value between 1 and 512.

Step 2: Append length: After padding bits are added, the next step is to calculate the original length of the message and add it to the end of the message, after padding. The length of the message is calculated excluding the padding bits. This length of the original message is now expressed as a 64-bit value and these 64 bits are appended to the end of the original message + padding.

Step 3: Divide the input into 512-bit blocks: Now, we divide the input message into blocks, each of length 512 bits. (Refer to the figure.)

Step 4: Initialize chaining variables: In this step, four variables (called chaining variables) are initialized. They are called A, B, C and D. Each of these is a 32-bit number. The initial hexadecimal values of these chaining variables are shown in the figure below.
Fig 3.10: Chaining Variables

Step 5: Process blocks:

Copy the four chaining variables into four corresponding variables, a, b, c and d. After all the initializations, the real algorithm begins. There is a loop that runs for as many 512-bit blocks as are in the message. Now, we have four rounds. In each round, we process all the 16 sub-blocks belonging to a block. The inputs to each round are: (a) all the 16 sub-blocks, (b) the variables a, b, c, d and (c) some constants, designated as t.

All the four rounds vary in one major way: Step 1 of the four rounds has different processing. The other steps in all the four rounds are the same.
• In each round, we have 16 input sub-blocks, named M[0], M[1], …, M[15] or in general, M[i], where i varies from 0 to 15. As we know, each sub-block consists of 32 bits.
• Also, t is an array of constants. It contains 64 elements, with each element consisting of 32 bits. We denote the elements of this array t as t[1], t[2], … t[64] or in general as t[k], where k varies from 1 to 64. Since there are four rounds, we use 16 out of the 64 values of t in each round.

Let us summarize these iterations of all the four rounds. In each case, the output of the intermediate as well as the final iteration is copied into the register abcd. Note that we have 16 such iterations in each round.
1. A process P is first performed on b, c and d. This process P is different in all the four rounds.
2. The variable a is added to the output of the process P (i.e. to the register abcd).
3. The message sub-block M[i] is added to the output of Step 2 (i.e. to the register abcd).
4. The constant t[k] is added to the output of Step 3 (i.e. to the register abcd).
5. The output of Step 4 (i.e. the contents of register abcd) is circular-left shifted by s bits. (The value of s keeps changing.)
6. The variable b is added to the output of Step 5 (i.e. to the register abcd).
7. The output of Step 6 becomes the new abcd for the next step.
Fig 3.11: One MD5 operation
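The five steps above carried through in Python, as an added example (not code from the notes). `md5_pad` performs Steps 1 and 2 and returns the padded data, so the worked numbers from Step 1 (a 1000-bit message becomes 1536 bits once the 64-bit length is appended) can be checked directly; `md5` performs Steps 3 to 5 with the four round processes P, the shift amounts s and the constants t[k] = floor(2^32 · |sin k|) as specified in RFC 1321. `matches_hashlib` is a helper written for this example that compares the result with the standard library.

```python
import hashlib
import math
import struct

# Per-step left-rotation amounts s (16 per round) and the 64 constants
# t[k] = floor(2^32 * |sin(k)|), k = 1..64, as specified in RFC 1321
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(k)) * 2 ** 32) & 0xFFFFFFFF for k in range(1, 65)]
# Initial values of the chaining variables A, B, C, D (Fig 3.10)
A0, B0, C0, D0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
MASK = 0xFFFFFFFF


def md5_pad(message: bytes) -> bytes:
    """Steps 1-2: a single 1-bit, then 0-bits until the length is 64 bits short of a multiple
    of 512, then the original length in bits as a 64-bit little-endian value."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"                          # the 1-bit followed by seven 0-bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)  # zero bytes up to 56 mod 64
    return padded + struct.pack("<Q", bit_len)


def rotl(x: int, s: int) -> int:
    """Circular-left shift of a 32-bit word by s bits (Step 5 of one MD5 operation)."""
    return ((x << s) | (x >> (32 - s))) & MASK


def md5(message: bytes) -> bytes:
    a0, b0, c0, d0 = A0, B0, C0, D0
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):                 # Step 3: one 512-bit block at a time
        M = struct.unpack("<16I", padded[off:off + 64])   # the 16 32-bit sub-blocks M[0..15]
        a, b, c, d = a0, b0, c0, d0                       # Step 5: copy A, B, C, D into a, b, c, d
        for i in range(64):                               # 4 rounds x 16 operations
            if i < 16:                                    # process P differs per round, as does the M[i] order
                p, g = (b & c) | (~b & d), i
            elif i < 32:
                p, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                p, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                p, g = c ^ (b | ~d), (7 * i) % 16
            # P(b, c, d) + a + M[i] + t[k], rotated left by s, then b added (steps 1-6 of one operation)
            tmp = (p + a + M[g] + T[i]) & MASK
            a, d, c, b = d, c, b, (b + rotl(tmp, S[i])) & MASK   # step 7: the new abcd for the next step
        # add the block result into the chaining variables
        a0, b0, c0, d0 = [(x + y) & MASK for x, y in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)             # 128-bit digest = A || B || C || D


def matches_hashlib(message: bytes) -> bool:
    """Cross-check the from-scratch digest against the standard library (helper for this example)."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    print(md5(b"abc").hex())
```

Two details worth noticing when reading the code against the notes: the 64-bit length and the 32-bit words are both little-endian in MD5 (SHA-1 uses big-endian), and the "register abcd" shuffle in step 7 means that each operation only computes a new value for b while a, c and d are rotated through unchanged.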

SECURE HASH ALGORITHM (SHA):

The National Institute of Standards and Technology (NIST) along with NSA developed the Secure Hash Algorithm (SHA) in 1993. SHA is a modified version of MD5 and its design closely resembles MD5. SHA works with any input message that is less than 2^64 bits in length. The output of SHA is a message digest, which is 160 bits in length (32 bits more than the message digest produced by MD5). The word Secure in SHA was decided based on two features. SHA is designed to be computationally infeasible to:

(a) Obtain the original message, given its message digest, and

(b) Find two messages producing the same message digest.

Steps 1 to 3 of MD5 and SHA are the same. SHA differs from MD5 in step 4 and in the block-processing step.

Step 4: Initialize chaining variables: Now, five chaining variables A through E are initialized. Remember that we had four chaining variables, each of 32 bits, in MD5 (which made the total length of the variables 4 x 32 = 128 bits). Recall that we stored the intermediate as well as the final results into the combined register made up of these four chaining variables, i.e. abcd. Since in the case of SHA, we want to produce a message digest of length 160 bits, we need to have five chaining variables here (5 x 32 = 160 bits). In SHA, the variables A through D have the same values as they had in MD5. Additionally, E is initialized to Hex C3 D2 E1 F0.

Step 5: Process blocks: Now the actual algorithm begins. Here also, the steps are quite similar to those in MD5. SHA has four rounds, each round consisting of 20 steps. Each round takes the current 512-bit block, the register abcde and a constant K[t] (where t = 0 to 79) as the three inputs. It then updates the contents of the register abcde using the SHA algorithm steps. Also notable is the fact that we had 64 constants defined as t in MD5. Here, we have only four constants defined for K[t], one used in each of the four rounds.

Fig. 3.12: Single SHA-1 iteration

Table 3.1: Comparison of MD5 and SHA-1
Digital Signatures:
• Another important application, which is similar to the message authentication application, is the digital signature.
• The operation of the digital signature is similar to that of the MAC.
• In the case of the digital signature, the hash value of a message is encrypted with a user’s private key.
• Anyone who knows the user’s public key can verify the integrity of the message that is associated with the digital signature.
• In this case, an attacker who wishes to alter the message would need to know the user’s private key.
• The following figures illustrate, in a simplified fashion, how a hash code is used to provide a digital signature.
b. The hash code is encrypted, using public-key encryption with the sender’s private key. As with Figure b, this provides authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. In fact, this is the essence of the digital signature technique.
c. If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.

Other Applications:
• Hash functions are commonly used to create a one-way password file.
• Hash functions can be used for intrusion detection and virus detection.
• A cryptographic hash function can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG).

Two Simple Hash Functions:

• To get an understanding of the security considerations involved in cryptographic hash functions, we present two simple, insecure hash functions in this section.
• All hash functions operate using the following general principles.
o The input (message, file, etc.) is viewed as a sequence of n-bit blocks.
o The input is processed one block at a time in an iterative fashion to produce an n-bit hash value.
• One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as:
Ci = bi1 ⊕ bi2 ⊕ … ⊕ bim
where
Ci = ith bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
bij = ith bit in jth block
⊕ = XOR operation
• This operation produces a simple parity bit for each bit position and is known as a longitudinal redundancy check.
• It is reasonably effective for random data as a data integrity check. Each n-bit hash value is equally likely.
• Thus, the probability that a data error will result in an unchanged hash value is 2^-n.
• With more predictably formatted data, the function is less effective.
• For example, in most normal text files, the high-order bit of each octet is always zero.
• So if a 128-bit hash value is used, instead of an effectiveness of 2^-128, the hash function on this type of data has an effectiveness of 2^-112.
• A simple way to improve matters is to perform a one-bit circular shift, or rotation, on the hash value after each block is processed. The procedure can be summarized as follows.
1. Initially set the n-bit hash value to zero.
2. Process each successive n-bit block of data as follows:
a. Rotate the current hash value to the left by one bit.
b. XOR the block into the hash value.
• This has the effect of “randomizing” the input more completely and overcoming any regularities that appear in the input.
• Although the second procedure provides a good measure of data integrity, it is virtually useless for data security when an encrypted hash code is used with a plaintext message.
• Although a simple XOR or rotated XOR (RXOR) is insufficient if only the hash code is encrypted, you may still feel that such a simple function could be useful when the message together with the hash code is encrypted.
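Both simple hash functions above, implemented in Python as an added example (not code from the notes), with 128-bit (16-byte) blocks so that the text-file observation can be checked: on ASCII input the plain XOR hash carries a zero in the high-order bit of every octet, and it also cannot tell two inputs apart that contain the same blocks in a different order, whereas the rotated XOR (RXOR) changes with block order. The zero-padding of a short final block and the sample text are assumptions made for this example; the notes do not specify either.

```python
def _blocks(data: bytes, n_bytes: int):
    """Split data into n-byte blocks; a short final block is zero-padded (an assumption
    of this example: the notes do not say how a partial last block is handled)."""
    for j in range(0, len(data), n_bytes):
        yield data[j:j + n_bytes].ljust(n_bytes, b"\x00")


def xor_hash(data: bytes, n_bytes: int = 16) -> bytes:
    """Bit-by-bit XOR of every block: C_i = b_i1 XOR b_i2 XOR ... XOR b_im
    (the longitudinal redundancy check)."""
    h = 0
    for block in _blocks(data, n_bytes):
        h ^= int.from_bytes(block, "big")
    return h.to_bytes(n_bytes, "big")


def rxor_hash(data: bytes, n_bytes: int = 16) -> bytes:
    """Rotated XOR: start from zero and, for each block, rotate the hash value left by
    one bit (step 2a) and then XOR the block into it (step 2b)."""
    n_bits = 8 * n_bytes
    mask = (1 << n_bits) - 1
    h = 0
    for block in _blocks(data, n_bytes):
        h = ((h << 1) | (h >> (n_bits - 1))) & mask   # one-bit circular left shift of the n-bit value
        h ^= int.from_bytes(block, "big")
    return h.to_bytes(n_bytes, "big")


def high_order_bits_clear(digest: bytes) -> bool:
    """True if the top bit of every octet is zero, i.e. 16 of the 128 bits carry no information."""
    return all(byte & 0x80 == 0 for byte in digest)


# Constructed sample input: ordinary ASCII text, whose octets all have a zero high-order bit
TEXT = b"The quick brown fox jumps over the lazy dog.\nPack my box with five dozen liquor jugs.\n"


if __name__ == "__main__":
    print("XOR  :", xor_hash(TEXT).hex(), "high bits clear:", high_order_bits_clear(xor_hash(TEXT)))
    print("RXOR :", rxor_hash(TEXT).hex(), "high bits clear:", high_order_bits_clear(rxor_hash(TEXT)))
```

With two blocks A = 0x41 repeated and B = 0x42 repeated, `xor_hash(A + B)` and `xor_hash(B + A)` are identical, while `rxor_hash(A + B)` is 0xC0 in every byte (A rotated once gives 0x82 per byte, XOR 0x42) and `rxor_hash(B + A)` is 0xC5 in every byte. Neither function resists a deliberate substitution: as the notes say, both are integrity checks for accidental errors, not security mechanisms.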
• The digital signature must have the following properties:
■ It must verify the author and the date and time of the signature.
■ It must authenticate the contents at the time of the signature.
■ It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication function.
Benefits of Digital Signature are:
■ Ensure authenticity: A digital signature is like a fingerprint. It ensures the authenticity of a message or transaction by proving that the message was created using the private key associated with the digital signature.
■ Time stamping: Time stamping provides the date and time of a digital signature and is useful when timing is critical, such as for stock trades, lottery ticket issuance and legal proceedings.
■ Cost effective: The reduction in cost comes into effect drastically.
■ Paperless process: No paper is involved in the whole process.
■ Security: One of the advantages of a digital signature is security. Customers find it more secure to sign documents digitally rather than by hand signature.
■ Time savings: The importance of a digital signature is also that it saves a lot of time. It is easy to do the process online, where within a few clicks your work can be done.
Importance of Digital Signature
1. Message Authentication
When the verifier validates the digital signature using the public key of a sender, he is assured that the signature has been created only by the sender who possesses the corresponding secret key and no one else.
2. Data Integrity
In case an attacker has access to the data and modifies it, the digital signature verification at the receiver end fails. The hash of the modified data and the output provided by the verification algorithm will not match. Hence, the receiver can safely deny the message, assuming that data integrity has been breached.
3. Non-Repudiation
Since it is assumed that only the signer has knowledge of the signature key, only he can create a unique signature on a given data.
Digital Signature Requirements
On the basis of the properties and attacks just discussed, we can formulate the following requirements for a digital signature.
o The signature must be a bit pattern that depends on the message being signed.
o The signature must use some information known only to the sender, to prevent both forgery and denial.
o It must be relatively easy to produce the digital signature.
o It must be relatively easy to recognize and verify the digital signature.
o It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
o It must be practical to retain a copy of the digital signature in storage.
Direct Digital Signature
The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.

Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
(Symmetric encryption). Note that it is important to perform the signature function first and then an
outer confidentiality function.
In case of dispute, some third party must view the message and its signature. If the signature is
calculated on an encrypted message, then the third party also needs access to the decryption key to read the
original message. However, if the signature is the inner operation, then the recipient can store the plaintext
message and its signature for later use in dispute resolution.
The validity of the scheme just described depends on the security of the sender’s private key.
If a sender later wishes to deny sending a particular message, the sender can claim that the private key was
lost or stolen and that someone else forged his or her signature. Administrative controls relating to the
security of private keys can be employed to thwart or at least weaken this ploy, but the threat is still there,
at least to some degree. One example is to require every signed message to include a timestamp (date and
time) and to require prompt reporting of compromised keys to a central authority.
Another threat is that a private key might actually be stolen from X at time T. The opponent can then
send a message signed with X’s signature and stamped with a time before or equal to T.
Digital Signature Schemes
Digital signature schemes are the mathematical cryptographic primitives used to achieve authentication, integrity and non-repudiation.
There are different types of digital signature schemes. They are
1. Elgamal Digital Signature Scheme
2. Schnorr Digital Signature Scheme

Elgamal Digital Signature scheme


The Elgamal encryption scheme is designed to enable encryption by a user’s public key with decryption by the user’s
private key. The Elgamal signature scheme involves the use of the private key for digital signature generation and the
public key for digital signature verification.
Step 1. Key Generation
 Choose a prime number q and an integer a (alpha) that is a primitive root of q, so that the powers a, a^2, ..., a^(q-1)
are distinct (mod q). It can be shown that, if a is a primitive root of q, then
1. Generate a random integer XA, such that 1 < XA < q - 1.
2. Compute YA = a^XA mod q.
3. A’s private key is XA; A’s public key is {q, a, YA}.

Step 2.Signature Generation


To sign a message M, user A first computes the hash m = H(M), such that m is an integer in the range 0 ≤ m ≤ q - 1.
A then forms a digital signature as follows.

1. Choose a random integer K such that 1 ≤ K ≤ q - 1 and gcd(K, q - 1) = 1. That is, K is relatively prime to q - 1.
2. Compute S1 = a^K mod q. Note that this is the same as the computation of C1 for Elgamal encryption.
3. Compute K^-1 mod (q - 1). That is, compute the inverse of K modulo q - 1.
4. Compute S2 = K^-1 (m - XA S1) mod (q - 1).
5. The signature consists of the pair (S1, S2).
Step 3. Signature Verification
Any user B can verify the signature as follows.
1. Compute V1 = a^m mod q.
2. Compute V2 = (YA)^S1 (S1)^S2 mod q.
The signature is valid if V1 = V2. Let us demonstrate that this is so. Assume that the equality is true.
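
The three steps above as an added Python example, not code from these notes: it uses a constructed toy prime q = 2^61 - 1 with primitive root 37, SHA-256 reduced mod q in place of H, and function names (hash_to_int, keygen, sign, verify) chosen here.

```python
import hashlib
from math import gcd
from random import randrange

# Constructed toy parameters (not from the notes): q = 2**61 - 1 is a Mersenne prime and
# 37 is a primitive root of it, so 37, 37^2, ..., 37^(q-1) are distinct mod q.
Q = 2**61 - 1
ALPHA = 37

def hash_to_int(message: bytes, q: int) -> int:
    """m = H(M) as an integer in 0..q-1 (SHA-256 reduced mod q stands in for H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def keygen(q: int, alpha: int, x_a=None):
    """Step 1: private key XA with 1 < XA < q - 1, public key YA = a^XA mod q."""
    if x_a is None:
        x_a = randrange(2, q - 1)
    return x_a, pow(alpha, x_a, q)

def sign(q: int, alpha: int, x_a: int, message: bytes, k=None):
    """Step 2: signature (S1, S2) on M under private key XA with a fresh random K."""
    m = hash_to_int(message, q)
    if k is None:                     # K in 1..q-1 and coprime to q-1, so K^-1 mod (q-1) exists
        k = randrange(1, q)
        while gcd(k, q - 1) != 1:
            k = randrange(1, q)
    s1 = pow(alpha, k, q)             # S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)         # K^-1 mod (q - 1)  (Python 3.8+)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)   # S2 = K^-1 (m - XA S1) mod (q - 1)
    return s1, s2

def verify(q: int, alpha: int, y_a: int, message: bytes, signature) -> bool:
    """Step 3: valid iff V1 = a^m equals V2 = YA^S1 * S1^S2 (mod q)."""
    s1, s2 = signature
    if not (0 < s1 < q and 0 <= s2 < q - 1):    # range checks added as a sanity measure
        return False
    m = hash_to_int(message, q)
    v1 = pow(alpha, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    # Why V1 == V2 for an honest signature: YA^S1 * S1^S2 = a^(XA*S1 + K*S2), and
    # K*S2 = m - XA*S1 (mod q-1), so the exponent is m modulo the order q-1 of a.
    return v1 == v2

if __name__ == "__main__":
    x_a, y_a = keygen(Q, ALPHA)
    sig = sign(Q, ALPHA, x_a, b"transfer 100 to account 42")
    print(verify(Q, ALPHA, y_a, b"transfer 100 to account 42", sig))   # True
    print(verify(Q, ALPHA, y_a, b"transfer 900 to account 42", sig))   # False
```

With a small q such as 19, two different messages collide mod q with probability 1/19, so the modified message would sometimes verify; the toy prime is chosen large enough that the tamper check below is reliable, and real deployments use far larger parameters still.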

Schnorr Digital Signature scheme


The Schnorr scheme minimizes the message-dependent amount of computation required to generate a
signature. The main work for signature generation does not depend on the message and can be done during the
idle time of the processor. The message-dependent part of the signature generation requires multiplying a
2n-bit integer with an n-bit integer.
The scheme is based on using a prime modulus p, with p - 1 having a prime factor q of appropriate size;
that is, p - 1 ≡ 0 (mod q). Typically, we use p ≈ 2^1024 and q ≈ 2^160. Thus, p is a 1024-bit number, and q is a
160-bit number, which is also the length of the SHA-1 hash value.
Step 1. Key Generation
The first part of this scheme is the generation of a private/public key pair, which consists of the following steps.
1. Choose primes p and q, such that q is a prime factor of p - 1.
2. Choose an integer a, such that a^q = 1 mod p. The values a, p, and q comprise a global public key that can be
common to a group of users.
3. Choose a random integer s with 0 < s < q. This is the user’s private key.
4. Calculate v = a^-s mod p. This is the user’s public key.

Step 2. Signature Generation

A user with private key s and public key v generates a signature as follows.
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p. This computation is a preprocessing stage
independent of the message M to be signed.
2. Concatenate the message with x and hash the result to compute the value e:
e = H(M || x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).

Step 3. Signature Verification

Any other user can verify the signature as follows.
1. Compute x′ = a^y v^e mod p.
2. Verify that e = H(M || x′).
Since x′ = a^y v^e = a^(r + se) a^(-se) = a^r = x (mod p), it follows that H(M || x′) = H(M || x).
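
An added Python example of the Schnorr scheme, not from these notes: it uses constructed toy parameters p = 23, q = 11, a = 4 instead of the 1024/160-bit sizes above, uses SHA-256 for H, and splits step 2 into a message-independent precompute() and a message-dependent sign(); all function names are choices of this example.

```python
import hashlib
from random import randrange

# Constructed toy parameters (not from the notes): q = 11 is a prime factor of p - 1 = 22,
# and a = 4 satisfies a^q = 1 mod p. The notes use p ~ 2^1024 and q ~ 2^160 instead.
P, Q, A = 23, 11, 4
assert pow(A, Q, P) == 1 and A != 1

def _to_bytes(x: int) -> bytes:
    return x.to_bytes((P.bit_length() + 7) // 8, "big")

def hash_concat(message: bytes, x: int) -> int:
    """e = H(M || x): SHA-256 of the message concatenated with x, read as an integer."""
    return int.from_bytes(hashlib.sha256(message + _to_bytes(x)).digest(), "big")

def keygen(s=None):
    """Step 1: private key s with 0 < s < q, public key v = a^-s mod p."""
    if s is None:
        s = randrange(1, Q)
    return s, pow(A, -s, P)           # a^-s mod p (modular inverse of a^s, Python 3.8+)

def precompute(r=None):
    """Message-independent part of step 2: choose r and x = a^r mod p during idle time."""
    if r is None:
        r = randrange(1, Q)
    return r, pow(A, r, P)

def sign(s: int, message: bytes, pre=None):
    """Message-dependent part of step 2: e = H(M || x), y = (r + s*e) mod q."""
    r, x = pre if pre is not None else precompute()
    e = hash_concat(message, x)
    return e, (r + s * e) % Q

def verify(v: int, message: bytes, signature) -> bool:
    """Step 3: x' = a^y * v^e mod p; valid iff e == H(M || x')."""
    e, y = signature
    x_prime = (pow(A, y, P) * pow(v, e, P)) % P
    # For an honest signature x' = a^(r + s*e) * a^(-s*e) = a^r = x, so the hashes agree.
    return e == hash_concat(message, x_prime)

if __name__ == "__main__":
    s, v = keygen()
    pre = precompute()                # done before the message is known
    sig = sign(s, b"approve build 1234", pre)
    print(verify(v, b"approve build 1234", sig))   # True
    print(verify(v, b"approve build 9999", sig))   # False
```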

Variants of Digital Signatures


1. Timestamped Signature
* Purpose: To prevent replay attacks.
* Replay Attack: Someone trying to reuse a signed document maliciously.
* How it works: Includes a timestamp to ensure the signature’s freshness.

2. Blind Signature
* Purpose: To get a signature without revealing the message content.
* Use Case: When the sender and signer are different parties.
* Example Schemes: RSA and DSS

3. Undeniable Digital Signature

* Nature: Not self-authenticating
* Key Components:
Signing Algorithm: Allows the signer to sign a message.
Verification Protocol: Limits who can verify the signature.
Disavowal Protocol: Prevents the signer from proving a signature is invalid without cooperation.

Digital Signature Algorithm


The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard that governs digital
signatures. It is used to ensure the validity and integrity of a message, software, or digital document.
A digital signature is a verification method. Digital signatures do not provide confidential communication.
If you want to achieve confidentiality, both the message and the signature must be encrypted using either
a secret-key or a public-key cryptosystem. This additional layer of security can be incorporated into a basic
digital signature scheme.

The signature generation and verification process involves the following steps.
1. Key Generation
The signer generates a pair of keys, a private key and a public key. The private key is kept secret and used for
signing messages, while the public key is shared with others for verifying signatures.
2. Hashing
The signer calculates a hash value of the message to be signed using a cryptographic hash function. This creates
a fixed-length digest of the message that is unique to that message.
3. Signature Generation
The signer generates a signature using their private key and the hash value of the message. The signature consists of
two components, r and s, which are derived from the private key, the hash value of the message, and a random number called
the “ephemeral key”.
4. Signature Verification
The recipient of the message calculates the hash value of the message using the same cryptographic hash function as
the signer, and then uses the signer’s public key and the signature components r and s to verify the signature.

Digital Signature Standard


The Digital Signature Standard defines methods for digital signature generation that can be used for the protection of binary data.
There are two standard approaches to implementing a digital signature:

1. Rivest-Shamir-Adleman (RSA)
2. Digital Signature Algorithm (DSA)

1. Rivest-Shamir-Adleman (RSA) approach


In the Rivest-Shamir-Adleman approach, the message that needs to be signed is first fed into a hash function that generates
a secure hash code of fixed length. The sender’s private key is then used to encrypt the hash code, and the result is the signature.
The next step involves sending both the signature and the message to the intended receiver. For validation, after receiving
the message, the recipient first computes its hash code. The recipient applies the sender’s public key to decrypt the
signature. If the decrypted signature matches the hash code the recipient produced, the signature is
considered valid. Since only the sender has access to the private key, only they could have produced a valid signature.

Refer to the diagram below for RSA, where:

M = Message or Plaintext
H = Hash Function
|| = concatenation of the plaintext and the hash digest
E = Encryption Algorithm
D = Decryption Algorithm
PUa = Public key of sender
PRa = Private key of sender

2. Digital Signature Algorithm (DSA) approach


The DSA (Digital Signature Algorithm) approach uses a hash function to create a hash code,
as in the RSA approach. This hash code is combined with a randomly generated number k as input to a signature function.
The signature function depends on the sender’s private key (PRa) as well as a set of parameters that are known to a
group of communicating principals. This set can be considered as a global public key (PUG). The output of the signature
function is a signature with two components, s and r. When an incoming message is received, a hash code is generated
for the message. This hash code is then combined with the signature and input into a verification function.

The verification function depends on the global public key as well as the sender’s public key (PUa), which is
paired with the sender’s private key. The output of the verification function returns a value equal to the signature’s
component r if the signature is valid. The signature function is designed in such a way that only the sender, with
knowledge of the private key, can produce a valid signature.

Refer to the diagram below for DSA, where:

M = Message or Plaintext
H = Hash Function
|| = concatenation of the plaintext and the hash digest
E = Encryption Algorithm
D = Decryption Algorithm
PUa = Public key of sender
PRa = Private key of sender
Sig = Signature function
Ver = Verification function
PUG = Global public key

DIGITAL SIGNATURES:
These are the public-key primitives of message authentication. In the physical
world, it is common to use handwritten signatures on handwritten or typed messages. They
are used to bind the signatory to the message. Similarly, a digital signature is a technique that
binds a person/entity to the digital data. This binding can be independently verified by the
receiver as well as any third party. A digital signature is a cryptographic value that is calculated
from the data and a secret key known only to the signer.

The exchange of data is authenticated by signing a mutually obtainable hash;
each party encrypts the hash with its private key. The hash is generated over important
parameters, such as user IDs and nonces. In the real world, the receiver of a message needs
assurance that the message belongs to the sender and that the sender should not be able to repudiate the
origination of that message. This requirement is very crucial in business applications, since the
likelihood of a dispute over exchanged data is very high.

As mentioned earlier, the digital signature scheme is based on public key cryptography. The
model of digital signature scheme is depicted in the following illustration.

Fig 3.16: A digital Signature Model

The following points explain the entire process in detail:

 Each person adopting this scheme has a public-private key pair.
 Generally, the key pairs used for encryption/decryption and signing/verifying are
different. The private key used for signing is referred to as the signature key and the
public key as the verification key.
 The signer feeds data to the hash function and generates a hash of the data.
 The hash value and signature key are then fed to the signature algorithm, which produces
the digital signature on the given hash. The signature is appended to the data and then both
are sent to the verifier. The verifier feeds the digital signature and the verification key into
the verification algorithm. The verification algorithm gives some value as output.
 The verifier also runs the same hash function on the received data to generate a hash value.
 For verification, this hash value and the output of the verification algorithm are compared.
Based on the comparison result, the verifier decides whether the digital signature is valid.
 Since the digital signature is created by the ‘private’ key of the signer and no one else can have
this key, the signer cannot repudiate signing the data in future.
It should be noticed that instead of signing data directly by the signing algorithm, usually a hash
of the data is created. Since the hash of the data is a unique representation of the data, it is sufficient to
sign the hash in place of the data. The most important reason for using the hash instead of the data
directly for signing is the efficiency of the scheme. Let us assume RSA is used as the signing
algorithm. As discussed in the public key encryption chapter, the encryption/signing process
using RSA involves modular exponentiation.

Signing large data through modular exponentiation is computationally expensive and time
consuming. The hash of the data is a relatively small digest of the data, hence signing a hash
is more efficient than signing the entire data.

Digital Signature Schemes and their Variants

DIGITAL SIGNATURE REQUIREMENTS

We can formulate the following requirements for a digital signature.

• The signature must be a bit pattern that depends on the message being signed.

• The signature must use some information unique to the sender to prevent both forgery
and denial.

• It must be relatively easy to produce the digital signature.

• It must be relatively easy to recognize and verify the digital signature.

• It must be computationally infeasible to forge a digital signature, either by constructing
a new message for an existing digital signature or by constructing a fraudulent digital
signature for a given message.

• It must be practical to retain a copy of the digital signature in storage.

KERBEROS

Many real-life systems use an authentication protocol called Kerberos to allow
workstations to access network resources in a secure manner. The name Kerberos signifies
a multi-headed dog in Greek mythology (apparently used to keep outsiders away).
Version 4 of Kerberos is found in most practical implementations. However, Version 5 is
also in use now.

How does Kerberos Work?

There are four parties involved in the Kerberos protocol:

Alice: The client workstation

Authentication Server (AS): Verifies (authenticates) the user during login

Ticket Granting Server (TGS): Issues tickets to certify proof of identity

Bob: The server offering services such as network printing, file sharing or an application program

 The job of the AS is to authenticate every user at login time. The AS shares a unique
secret password with every user.

 The job of the TGS is to certify to the servers in the network that a user is really who she
claims to be. For proving this, the mechanism of tickets (which allow entry into a
server, just as a ticket allows parking a car or entering a music concert) is used.

Step 1: Login. To start with, Alice, the user, sits down at an arbitrary public workstation and
enters her name. The workstation sends her name in plain text to the AS.

In response, the AS performs several actions. It first creates a package of the user name (Alice)
and a randomly generated session key (KS). It encrypts this package with the symmetric key that
the AS shares with the Ticket Granting Server (TGS). The output of this step is called the
Ticket Granting Ticket (TGT). Note that the TGT can be opened only by the TGS, since only it
possesses the corresponding symmetric key for decryption.
The AS then combines the TGT with the session key (KS), and encrypts the two together using a
symmetric key derived from the password of Alice (KA). Note that the final output can,
therefore, be opened only by Alice.

Fig 3.17: Kerberos


Step 2: Obtaining a service granting ticket (SGT). Now, let us assume that after a successful
login, Alice wants to make use of Bob, the email server, for some email communication. For
this, Alice would inform her workstation that she needs to contact Bob. Therefore, Alice
needs a ticket to communicate with Bob. At this juncture, Alice’s workstation creates a
message intended for the Ticket Granting Server (TGS), which contains the following items:

• The TGT as in step 1

• The id of the server (Bob) whose services Alice is interested in

• The current timestamp, encrypted with the same session key (KS)

As we know, the TGT is encrypted with the secret key of the Ticket Granting Server
(TGS). Therefore, only the TGS can open it. This also serves as proof to the TGS that the
message indeed came from Alice. Why? This is because, if you remember, the TGT was
created by the AS (remember that only the AS and the TGS know the secret key of the TGS).
Furthermore, the TGT and the KS were encrypted together by the AS with the secret key
derived from the password of Alice. Therefore, only Alice could have opened that package
and retrieved the TGT. Once the TGS is satisfied with the credentials of Alice, the TGS creates
a session key KAB for Alice to have secure communication with Bob. The TGS sends it twice to
Alice: once combined with Bob’s id (Bob) and encrypted with the session key (KS), and a
second time combined with Alice’s id (Alice) and encrypted with Bob’s secret key (KB).
This is shown in the figure below.

Fig 3.8: Kerberos Working


Step 3: User contacts Bob for accessing the server. Alice can now send KAB to Bob in order to
enter into a session with him. Since this exchange is also desired to be secure, Alice can
simply forward KAB encrypted with Bob’s secret key (which she had received from the TGS
in the previous step) to Bob. This will ensure that only Bob can access KAB. Furthermore, to
guard against replay attacks, Alice also sends the timestamp, encrypted with KAB, to Bob.
Since only Bob has his secret key, he uses it to first obtain the information (Alice + KAB).
From this, he gets the key KAB, which he uses to decrypt the encrypted timestamp value.

Now how would Alice know whether Bob received KAB correctly or not? In order
to satisfy this query, Bob now adds 1 to the timestamp sent by Alice, encrypts the result with
KAB and sends it back to Alice. This is shown in the figure above. Since only Alice and Bob know
KAB, Alice can open this packet and verify that the timestamp incremented by Bob was
indeed the one sent by her to Bob in the first place. Now, Alice and Bob can communicate
securely with each other. They would use the shared secret key KAB to encrypt messages
before sending and also to decrypt the encrypted messages received from each other.

Fig.3.19: Acknowledgement
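
The three Kerberos steps above as an added Python simulation, not code from these notes or from any Kerberos implementation: a toy SHA-256-keystream-plus-HMAC construction (seal/unseal) stands in for Kerberos’ symmetric cipher, KA is derived from a constructed password as the notes describe, K_TGS and K_B are random long-term keys, and every function name is a choice of this example.

```python
import hashlib, hmac, json, os, time

# Constructed keys for the demo: KA is derived from Alice's password as the notes describe;
# K_TGS and K_B are the long-term secret keys of the TGS and of Bob (random here).
ALICE_PASSWORD = "correct horse battery staple"
K_A = hashlib.sha256(ALICE_PASSWORD.encode()).digest()
K_TGS = os.urandom(32)
K_B = os.urandom(32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC) standing in for Kerberos' cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_login(user: str) -> bytes:
    """Step 1 (AS): TGT = {user, KS} under K_TGS, returned together with KS under KA."""
    ks = os.urandom(16).hex()
    tgt = seal(K_TGS, {"user": user, "ks": ks})
    return seal(K_A, {"tgt": tgt.hex(), "ks": ks})

def tgs_request(tgt: bytes, server: str, authenticator: bytes):
    """Step 2 (TGS): open the TGT, check the KS-encrypted timestamp, issue KAB twice."""
    t = unseal(K_TGS, tgt)
    ks = bytes.fromhex(t["ks"])
    unseal(ks, authenticator)                    # only the holder of KS could have built this
    kab = os.urandom(16).hex()
    return seal(ks, {"server": server, "kab": kab}), seal(K_B, {"user": t["user"], "kab": kab})

def bob_accept(ticket: bytes, authenticator: bytes) -> bytes:
    """Step 3 (Bob): recover KAB from the ticket, check freshness, reply with timestamp + 1."""
    kab = bytes.fromhex(unseal(K_B, ticket)["kab"])
    ts = unseal(kab, authenticator)["ts"]
    if abs(int(time.time()) - ts) > 300:         # stale authenticator: treat as a replay
        raise ValueError("stale timestamp")
    return seal(kab, {"ts": ts + 1})

def alice_session(password: str, server: str = "Bob") -> bool:
    """Client side of all three steps; True when Bob's acknowledgement carries ts + 1."""
    ka = hashlib.sha256(password.encode()).digest()
    reply = unseal(ka, as_login("Alice"))        # fails (ValueError) on a wrong password
    ks, tgt = bytes.fromhex(reply["ks"]), bytes.fromhex(reply["tgt"])
    ts = int(time.time())
    for_alice, for_bob = tgs_request(tgt, server, seal(ks, {"ts": ts}))
    kab = bytes.fromhex(unseal(ks, for_alice)["kab"])
    ack = unseal(kab, bob_accept(for_bob, seal(kab, {"ts": ts})))
    return ack["ts"] == ts + 1

def login_succeeds(password: str) -> bool:
    try:
        return alice_session(password)
    except ValueError:
        return False
```

A wrong password yields a different KA, so the AS reply cannot be opened and the login fails before any ticket is used; the 300-second window in bob_accept is the freshness check that makes the replayed timestamp useless.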
X.509 CERTIFICATES
X.509 defines a framework for the provision of authentication services by the X.500
directory to its users. The directory may serve as a repository of public-key certificates. Each
certificate contains the public key of a user and is signed with the private key of a trusted
certification authority. In addition, X.509 defines alternative authentication protocols based
on the use of public-key certificates. X.509 is an important standard because the certificate
structure and authentication protocols defined in X.509 are used in a variety of contexts. For
example, the X.509 certificate format is used in S/MIME, IP Security, and SSL/TLS.

Certificates
The heart of the X.509 scheme is the public-key certificate associated with each
user. These user certificates are assumed to be created by some trusted certification authority
(CA) and placed in the directory by the CA or by the user. The directory server itself is not
responsible for the creation of public keys or for the certification function; it merely provides
an easily accessible location for users to obtain certificates.

Fig 3.20: General form of a certificate


The above figure shows the general format of a certificate, which includes the
following elements.

• Version: Differentiates among successive versions of the certificate format;
the default is version 1. If the Issuer Unique Identifier or Subject Unique
Identifier are present, the value must be version 2. If one or more extensions are
present, the version must be version 3.

• Serial number: An integer value, unique within the issuing CA, that is
unambiguously associated with this certificate.

• Signature algorithm identifier: The algorithm used to sign the certificate,
together with any associated parameters. Because this information is repeated in
the Signature field at the end of the certificate, this field has little, if any, utility.

• Issuer name: X.500 name of the CA that created and signed this certificate.

• Period of validity: Consists of two dates: the first and last on which the certificate is valid.

• Subject name: The name of the user to whom this certificate refers. That is,
this certificate certifies the public key of the subject who holds the corresponding
private key.

• Subject’s public-key information: The public key of the subject, plus an
identifier of the algorithm for which this key is to be used, together with any
associated parameters.

• Issuer unique identifier: An optional bit string field used to identify uniquely
the issuing CA in the event the X.500 name has been reused for different entities.

• Subject unique identifier: An optional bit string field used to identify
uniquely the subject in the event the X.500 name has been reused for different
entities.

• Extensions: A set of one or more extension fields. Extensions were added in
version 3 and are discussed later in this section.

• Signature: Covers all of the other fields of the certificate; it contains the hash code
of the other fields encrypted with the CA’s private key. This field includes the
signature algorithm identifier.

