CS3009 –

Cryptography and
Network Security
Week 9-11
MESSAGE INTEGRITY

The cryptography systems that we have studied so far

provide secrecy, or confidentiality, but not integrity.
However, there are occasions where we may not even
need secrecy but instead must have integrity.
 Document and Fingerprint

One way to preserve the integrity of a document is

through the use of a fingerprint. If Alice needs to be
sure that the contents of her document will not be
changed, she can put her fingerprint at the bottom of
the document.
 Message and Message Digest

The electronic equivalent of the document and

fingerprint pair is the message and digest pair.

Message and digest

 Difference

The two pairs (document / fingerprint) and (message /

message digest) are similar, with some differences. The
document and fingerprint are physically linked together.
The message and message digest can be unlinked
separately, and, most importantly, the message digest needs
to be safe from change.

Note

The message digest needs to be safe from change.

Checking Integrity

Checking integrity
 Cryptographic Hash Function Criteria

A cryptographic hash function must satisfy three criteria:

preimage resistance, second preimage resistance, and
collision resistance.

Criteria of a cryptographic hash function

Preimage Resistance

Preimage
 Example 11.1

Can we use a conventional lossless compression method such as

StuffIt as a cryptographic hash function?

Solution
We cannot. A lossless compression method creates a compressed
message that is reversible.

Example 11.2

Can we use a checksum function as a cryptographic hash function?

Solution
We cannot. A checksum function is not preimage resistant, Eve
may find several messages whose checksum matches the given
one.
Second Preimage Resistance

Second preimage
Collision Resistance

Collision
RANDOM ORACLE MODEL

The Random Oracle Model, which was introduced in

1993 by Bellare and Rogaway, is an ideal mathematical
model for a hash function.
 Example 11.3

Assume an oracle with a table and a fair coin. The table has two
columns.

a. The message AB1234CD8765BDAD is given for digest

calculation. The oracle checks its table.
 Example 11.3

b. The message 4523AB1352CDEF45126 is given for digest

calculation. The oracle checks its table and finds that there is a
digest for this message in the table (first row). The oracle simply
gives the corresponding digest (13AB).
 Example 11.4

The oracle in Example 11.3 cannot use a formula or algorithm to

create the digest for a message. For example, imagine the oracle
uses the formula h(M) = M mod n. Now suppose that the oracle
has already given h(M1) and h(M2). If a new message is
presented as M3 = M1 + M2, the oracle does not have to calculate
the h(M3). The new digest is just [h(M1) + h(M2)] mod n since

This violates the third requirement that each digest must be

randomly chosen based on the message given to the oracle.
 Pigeonhole Principle

If n pigeonholes are occupied by n + 1 pigeons, then at

least one pigeonhole is occupied by two pigeons. The
generalized version of the pigeonhole principle is that if
n pigeonholes are occupied by kn + 1 pigeons, then at
least one pigeonhole is occupied by k + 1 pigeons.
 Example 11.5

Assume that the messages in a hash function are 6 bits long and
the digests are only 4 bits long. Then the possible number of
digests (pigeonholes) is 24 = 16, and the possible number of
messages (pigeons) is 26 = 64. This means n = 16 and kn + 1 = 64,
so k is larger than 3. The conclusion is that at least one digest
corresponds to four (k + 1) messages.
 Attacks on Random Oracle Model

Preimage Attack
 Example 11.6
A cryptographic hash function uses a digest of 64 bits. How many
digests does Eve need to create to find the original message with
the probability more than 0.5?

Solution
The number of digests to be created is k ≈ 0.69 × 2n ≈ 0.69 × 264.
This is a large number. Even if Eve can create 230 (almost one
billion) messages per second, it takes 0.69 × 234 seconds or more
than 500 years. This means that a message digest of size 64 bits
is secure with respect to preimage attack, but, as we will see
shortly, is not secured to collision attack.
Second Preimage Attack.
Collision Attack
 Example 11.7
A cryptographic hash function uses a digest of 64 bits. How many
digests does Eve need to create to find two messages with the
same digest with the probability more than 0.5?

Solution
The number of digests to be created is k ≈ 1.18 × 2n/2 ≈ 1.18 ×
232. If Eve can test 220 (almost one million) messages per second,
it takes 1.18 × 212 seconds, or less than two hours. This means
that a message digest of size 64 bits is not secure against the
collision attack.
Alternate Collision Attack
Summary of Attacks
Table 11.4 shows the level of difficulty for each attack if the digest is
n bits.
 Example 11.8

Originally hash functions with a 64-bit digest were believed to be

immune to collision attacks. But with the increase in the
processing speed, today everyone agrees that these hash functions
are no longer secure. Eve needs only 264/2 = 232 tests to launch an
attack with probability 1/2 or more. Assume she can perform 220
(one million) tests per second. She can launch an attack in
232/220 = 212 seconds (almost an hour).
 Example 11.9

MD5 which was one of the standard hash functions for a long
time, creates digests of 128 bits. To launch a collision attack, the
adversary needs to test 264 (2128/2) tests in the collision algorithm.
Even if the adversary can perform 230 (more than one billion) tests
in a second, it takes 234 seconds (more than 500 years) to launch
an attack. This type of attack is based on the Random Oracle
Model. It has been proved that MD5 can be attacked on less than
264 tests because of the structure of the algorithm.
 Example 11.10

SHA-1, a standard hash function developed by NIST, creates

digests of 160 bits. The function is attacks. To launch a collision
attack, the adversary needs to test 2160/2 = 280 tests in the collision
algorithm. Even if the adversary can perform 230 (more than one
billion) tests in a second, it takes 250 seconds (more than ten
thousand years) to launch an attack. However, researchers have
discovered some features of the function that allow it to be
attacked in less time than calculated above.
 Example 11.11

The new hash function, that is likely to become NIST standard, is

SHA-512, which has a 512-bit digest. This function is definitely
resistant to collision attacks based on the Random Oracle Model.
It needs 2512/2 = 2256 tests to find a collision with the probability
of 1/2.
MESSAGE AUTHENTICATION

A message digest does not authenticate the sender of the

message. To provide message authentication, Alice
needs to provide proof that it is Alice sending the
message and not an impostor. The digest created by a
cryptographic hash function is normally called a
modification detection code (MDC). What we need for
message authentication is a message authentication
code (MAC).
 Modification Detection Code (MDC)

A modification detection code (MDC) is a message

digest that can prove the integrity of the message: that
message has not been changed. If Alice needs to send a
message to Bob and be sure that the message will not
change during transmission, Alice can create a message
digest, MDC, and send both the message and the MDC
to Bob. Bob can create a new MDC from the message
and compare the received MDC and the new MDC. If
they are the same, the message has not been changed.
Modification detection code (MDC)
Message Authentication Code (MAC)

Message authentication code

Note

The security of a MAC depends on the security of the

underlying hash algorithm.
Nested MAC
Nested MAC
 Message Authentication
➢ message authentication is concerned with:
⚫ protecting the integrity of a message
⚫ validating identity of originator
⚫ non-repudiation of origin (dispute resolution)
➢ will consider the security requirements
➢ then three alternative functions used:
⚫ hash function
⚫ message encryption
⚫ message authentication code (MAC)
Message Security Requirements
➢ disclosure
➢ traffic
analysis
➢ masquerade
➢ content modification
➢ sequence modification
➢ timing modification
➢ source repudiation
➢ destination repudiation
Symmetric Message Encryption
➢ encryption can also provide authentication
➢ if symmetric encryption is used then:
⚫ receiver know sender must have created it
⚫ since only sender and receiver know key used
⚫ know content cannot have been altered...
⚫ ... if message has suitable structure,
redundancy or a suitable checksum to detect
any changes
Public-Key Message Encryption
➢ if public-key encryption is used:
⚫ encryption provides no confidence of sender
•since anyone potentially knows public-key
⚫ however if
•sender signs message using their private-key
•then encrypts with recipients public key
•have both secrecy and authentication
⚫ again need to recognize corrupted messages
⚫ but at cost of two public-key uses on message
Public-Key Message Encryption
➢ Dirty little detail on PKCS
•Every time you encrypt, size expands
•Due to protections in PKCS#1
➢ So signing (by encryption) then encrypting,
the size is more than doubled!
 Message Authentication Code
(MAC)
➢ generated by an algorithm that creates a
small fixed-sized block
⚫ depending on both message and secret key
⚫ like encryption though need not be reversible
➢ appended to message as a “signature”
➢ receiver performs same computation on
message and checks it matches the MAC
➢ provides assurance that message is
unaltered and comes from sender
Message Authentication Code
➢asmall fixed-sized block of data
➢ generated from message + secret key
➢ MAC = C(K,M)
➢ appended to message when sent
 Message Authentication
Codes
➢ asshown the MAC provides authentication
➢ can also use encryption for secrecy
⚫ generally use separate keys for each
⚫ can compute MAC either before or after
encryption
 Message Authentication
Codes
➢ why use a MAC?
⚫ sometimes only authentication is needed

⚫ sometimes need authentication to persist longer

than the encryption (e.g. archival use)

➢ note that a MAC is not a digital signature
•Does NOT provide non-repudiation
 MAC Properties
➢a MAC is a cryptographic checksum
MAC = CK(M)
⚫ condenses a variable-length message M
⚫ using a secret key K
⚫ to a fixed-sized authenticator
➢ is a many-to-one function
⚫ potentially many messages have same MAC
⚫ but finding these needs to be very difficult
 Requirements for MACs
➢ taking into account the types of attacks
➢ need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible
to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
 Security of MACs
➢ likeblock ciphers have:
➢ brute-force attacks exploiting
m/
⚫ strong collision resistance hash have cost 2 2
•128-bit hash looks vulnerable, 160-bits better
⚫ MACs with known message-MAC pairs
•can either attack keyspace (cf. key search) or MAC
•at least 128-bit MAC is needed for security
 Security of MACs
➢ cryptanalytic attacks exploit structure
⚫ like block ciphers want brute-force attacks to
be the best alternative
➢ morevariety of MACs so harder to
generalize about cryptanalysis
Keyed Hash Functions as MACs
➢ want a MAC based on a hash function
⚫ because hash functions are generally faster
⚫ crypto hash function code is widely available
➢ hash includes a key along with message
➢ original proposal:
KeyedHash = Hash(Key|Message)
⚫ some weaknesses were found with this
➢ eventually led to development of HMAC
 Problem with Keyed Hash
➢ KeyedHash = Hash(Key|Message)
➢ Recall hash function works on blocks
➢ Let M = Key | Message | Padding and M
M=M1 M2 … ML, where |Mi| = Blocksize
Hash=H(H(…H(H(IV,M1),M2),…,ML)
➢ But can add extra block(s) ML+1 by
Hash’=H(Hash,ML+1)
HMAC

Details of HMAC

ipad = block size * 0x5c

opad = block size * 0x36
 HMAC Design Objectives
➢ use, without modifications, hash functions
➢ allow for easy replacement of embedded
hash function
➢ preserve original performance of hash
function without significant degradation
➢ use and handle keys in a simple way.
➢ have well understood cryptographic analysis
of authentication mechanism strength
 HMAC
➢ specified as Internet standard RFC2104
➢ uses hash function on the message:
HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M)] ]
⚫ where K
+ is the key padded out to block size

⚫ opad, ipad are specified padding constants

➢ overhead is just 3 more hash block calculations

than the message needs alone
➢ any hash function can be used
⚫ eg. MD5, SHA-1, RIPEMD-160, Whirlpool
 HMAC
Overview
 HMAC Security
➢ proved security of HMAC relates to that of
the underlying hash algorithm
➢ attacking HMAC requires either:
⚫ brute force attack on key used
⚫ birthday attack (but since keyed would need
to observe a very large number of messages)
➢ choosehash function used based on
speed verses security constraints
 Hash Functions
➢ condenses arbitrary message to fixed size
h = H(M)
➢ usuallyassume hash function is public
➢ hash used to detect changes to message
➢ want a cryptographic hash function
⚫ computationally infeasible to find data mapping to
specific hash (one-way property)
⚫ computationally infeasible to find two data to same
hash (collision-free property)
Cryptographic Hash Function
 Hash Function Uses
➢ Message Integrity Check (MIC)
⚫ send hash of message (digest)
⚫ MIC always encrypted, message optionally
➢ Message Authentication Code (MAC)
⚫ send keyed hash of message
⚫ MAC, message optionally encrypted
➢ Digital Signature (non-repudiation)
⚫ Encrypt hash with private (signing) key
⚫ Verify with public (verification) key
 Hash Functions & Message
Authentication
Symmetric Key
Unkeyed Hash

a) Message
encrypted

b) Message
unencrypted
 Hash Functions & Message
Authentication
Symmetric Key
Keyed Hash

a) Message
unencrypted

d) Message
encrypted
Hash Functions & Digital
Signatures - PKCS
 Other Hash Function Uses
➢ pseudorandom function (PRF)
⚫ Generate session keys, nonces
⚫ Produce key from password
⚫ Derive keys from master key cooperatively
➢ pseudorandom number generator
(PRNG)
⚫ Vernam Cipher/OTP
⚫ S/Key, proof of “what you have” via messages
 More Hash Function Uses
➢ to create a one-way password file
⚫ store hash of password not actual password
⚫ e.g., Unix, Windows NT, etc.
⚫ salt to deter precomputation attacks
⚫ Rainbow tables
➢ for intrusion detection and virus detection
⚫ keep & check hash of files on system
⚫ e.g., Tripwire
Lamport One-time Passwords
➢ Password safety in distributed system
⚫ server compromise does not compromise P
⚫ interception of authentication exchange does
not compromise password either
➢ Alice picks Password PA
⚫ Hashes password N times, HN(PA)
⚫ Server stores (Alice, N, HN(PA))
⚫ Attacker can’t get PA from HN(PA)
Lamport One-time Passwords
➢ Protocol
⚫ Alice sends “I’m Alice”
⚫ Server sends “N-1”
⚫ Alice sends “X” where X=HN-1(PA)
⚫ Server verifies H(X) = HN(PA)
⚫ Server updates to (Alice, N-1, X)
➢ Attackerstill can’t get PA or
authenticate as Alice
 Two Simple Insecure Hash
Functions
➢ consider two simple insecure hash functions
➢ bit-by-bit exclusive-OR (XOR) of every block
⚫ Ci = bi1 xor bi2 xor . . . xor bim
⚫ a longitudinal redundancy check
⚫ reasonably effective as data integrity check
➢ one-bit circular shift on hash value
⚫ for each successive n-bit block
•rotate current hash value to left by1bit and XOR block
⚫ good for data integrity but useless for security
Hash Function Requirements
 Birthday Attacks
➢ might think a 64-bit hash is secure
➢ but by Birthday Paradox is not
➢ birthday attack works thus:
⚫ given user prepared to sign a valid message x
m
⚫ opponent generates 2 /2 variations x’ of x, all with
essentially the same meaning, and saves them
m
⚫ opponent generates 2 /2 variations y’ of a desired
fraudulent message y
⚫ two sets of messages are compared to find pair with
same hash (probability > 0.5 by birthday paradox)
⚫ have user sign the valid message, then substitute the
forgery which will have a valid signature
➢ conclusion is that need to use larger MAC/hash
 Birthday Attacks
➢ What are chances we get a match?
➢ N distinct values, k randomly chosen ones
⚫ P(N,i) = prob(i randomly selected values from
1..N have at least one match)
⚫ P(N,2) = 1/N
⚫ P(N,i+1) = P(N,i)+(1-P(N,i))(i/N)
➢ ForP(N,k)>0.5, need k ≈ N1/2
➢ Need double # bits in hash value
Hash Function Cryptanalysis
➢ cryptanalytic attacks exploit some property
of algo so faster than exhaustive search
➢ hash functions use iterative structure
⚫ process message in blocks (incl length)
➢ attacks focus on collisions in function f
 Block Ciphers as Hash
Functions
➢ can use block ciphers as hash functions
⚫ using H0=0 and zero-pad of final block
⚫ compute: Hi = EMi [Hi-1]
⚫ and use final block as the hash value
⚫ similar to CBC but without a key
➢ resulting hash is too small (64-bit)
⚫ both due to direct birthday attack
⚫ and to “meet-in-the-middle” attack
➢ other variants also susceptible to attack
 Block Ciphers as Hash
Functions H
0
Block cipher key length B
Pad Message M to multiple of B M1 E
Break padded M into L blocks
L = |M|/B M2 E
M = M1 M2 … ML
Use blocks of M as keys in block
cipher, iteratively encrypt state value
starting with constant H0 resulting in ML E
hash value
H = HL = E(ML,….E(M2,E(M1,H0))…) HL
 Secure Hash Algorithm
➢ SHA originally designed by NIST & NSA in 1993
➢ was revised in 1995 as SHA-1
➢ US standard for use with DSA signature scheme
⚫ standard is FIPS 180-1 1995, also Internet RFC3174
⚫ nb. the algorithm is SHA, the standard is SHS
➢ based on design of MD4 with key differences
➢ produces 160-bit hash values
➢ 2005 results on security of SHA-1 raised
concerns on its use in future applications
 Revised Secure Hash
Standard
➢ NIST issued revision FIPS 180-2 in 2002
➢ adds 3 additional versions of SHA
⚫ SHA-256, SHA-384, SHA-512
➢ designed for compatibility with increased
security provided by the AES cipher
➢ structure & detail is similar to SHA-1
➢ hence analysis should be similar
➢ but security levels are rather higher
SHA-512 Overview
 SHA-512 Compression
Function
➢ heartof the algorithm
➢ processing message in 1024-bit blocks
➢ consists of 80 rounds
⚫ updating a 512-bit buffer
⚫ using a 64-bit value Wt derived from the
current message block
⚫ and a round constant based on cube root of
first 80 prime numbers
SHA-512 Round Function
Structure of each round in SHA-512
 Majority Function

Conditional Function

Rotate Functions
Compression Function
There are 80 constants, K0 to K79, each of 64 bits. Similar These values are calculated
from the first 80 prime numbers (2, 3,…, 409). For example, the 80th prime is 409,
with the cubic root (409)1/3 = 7.42291412044. Converting this number to binary with
only 64 bits in the fraction part, we get

The fraction part: (6C44198C4A475817)16

 Example 12.7
We apply the Majority function on buffers A, B, and C. If the leftmost
hexadecimal digits of these buffers are 0x7, 0xA, and 0xE,
respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.

 Example 12.8

We apply the Conditional function on E, F, and G buffers. If the

leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF
respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.

The result is 1110, or 0xE in hexadecimal.

Words

A message block and the digest as words

Word Expansion

Word expansion in SHA-512

SHA-512 Round Function
Show how W60 is made.

Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as
Message Digest Initialization
 Message digest creation SHA-512

12.89
 Message Preparation
SHA-512 insists that the length of the original message
be less than 2128 bits.

Note

SHA-512 creates a 512-bit message digest out of a

message less than 2128.

12.90
 Example 12.1

This example shows that the message length limitation of SHA-

512 is not a serious problem. Suppose we need to send a
message that is 2128 bits in length. How long does it take for a
communications network with a data rate of 264 bits per second
to send this message?

Solution
A communications network that can send 264 bits per second is
not yet available. Even if it were, it would take many years to
send this message. This tells us that we do not need to worry
about the SHA-512 message length restriction.
 Example 12.2

This example also concerns the message length in SHA-512. How

many pages are occupied by a message of 2128 bits?

Solution
Suppose that a character is 32, or 26, bits. Each page is less than
2048, or approximately 212, characters. So 2128 bits need at least
2128 / 218, or 2110, pages. This again shows that we need not
worry about the message length restriction.
Padding and length field in SHA-512
 Example 12.3

What is the number of padding bits if the length of the original

message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:

The padding consists of one 1 followed by 353 0’s.

 Example 12.4

Do we need padding if the length of the original message is

already a multiple of 1024 bits?

Solution
Yes we do, because we need to add the length field. So padding is
needed to make the new block a multiple of 1024 bits.
 Example 12.5

What is the minimum and maximum number of padding bits that

can be added to a message?

Solution

The minimum length of padding is 0 and it happens when

a. (−M − 128) mod 1024 is 0. This means that |M| = −128 mod
1024 = 896 mod 1024 bits. In other words, the last block in
the original message is 896 bits. We add a 128-bit length field
to make the block complete.
 Example 12.5

b) The maximum length of padding is 1023 and it happens when

(−|M| −128) = 1023 mod 1024. This means that the length of
the original message is |M| = (−128 −1023) mod 1024 or the
length is |M| = 897 mod 1024. In this case, we cannot just
add the length field because the length of the last block
exceeds one bit more than 1024. So we need to add 897 bits
to complete this block and create a second block of 896 bits.
Now the length can be added to make this block complete.
 SHA-3
➢ SHA-1 not yet "broken”
⚫ but similar to broken MD5 & SHA-0
⚫ so considered insecure
➢ SHA-2 (esp. SHA-512) seems secure
⚫ shares same structure and mathematical
operations as predecessors so have concern
➢ NIST announced in 2007 a competition for
the SHA-3 next gen NIST hash function
➢ Keccak winner Oct 2012 – std in Q2,2014
 SHA-3 Requirements
➢ replace SHA-2 with SHA-3 in any use
⚫ so use same hash sizes
➢ preserve the online nature of SHA-2
⚫ so must process small blocks (512 / 1024 bits)
➢ evaluation criteria
⚫ security close to theoretical max for hash sizes
⚫ cost in time & memory
⚫ characteristics: such as flexibility & simplicity
Two Groups of Compression Functions

1. The compression function is made from scratch.

Message Digest (MD)

2. A symmetric-key block cipher serves as a compression function.

Whirlpool
Iterated Hash Function

Merkle-Damgard Scheme
Rabin Scheme
Davies-Meyer Scheme
Miyaguchi-Preneel Scheme
Secure Hash Algorithm (SHA-1)

• SHA was designed by NIST & NSA in 1993,

revised 1995 as SHA-1
• US standard for use with DSA signature scheme
• standard is FIPS 180-1 1995, also Internet RFC3174
• note: the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences

106
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
1. process message in 16-word (512-bit) chunks:
• expand 16 words into 80 words by mixing & shifting
• use 4 rounds of 20 bit operations on message block &
buffer
• add output to input to form new buffer value
2. output hash value is the final buffer value

107
SHA-1 Compression Function
• each round has 20 steps which replaces the 5 buffer words
thus:
(A,B,C,D,E) <-
(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D)
• a,b,c,d,e refer to the 5 words of the buffer
• t is the step number
• f(t,B,C,D) is nonlinear function for round
• Wt is derived from the message block
• Kt is a constant value derived from sin

108
SHA-1 Compression Function

109
MD5

• designed by Ronald Rivest (the “R” in RSA)

• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash algorithm
• in recent times have both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321

110
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
• using 4 rounds of 16 bit operations on message
block & buffer
• add output to buffer input to form new buffer value
5. output hash value is the final buffer value

111
MD5 Overview

112
MD5 Compression Function
• each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but
used in varying permutations
• note this updates 1 word only of the buffer
• after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in
each round (F,G,H,I)
• T[i] is a constant value derived from sin

113
MD5 Compression Function

114
MD4
• precursor to MD5
• also produces a 128-bit hash of message
• has 3 rounds of 16 steps versus 4 in MD5
• design goals:
• collision resistant (hard to find collisions)
• direct security (no dependence on "hard" problems)
• fast, simple, compact
• favors little-endian systems (eg PCs)

115
Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
• Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
• Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
• Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon
116
SHA-1 verses MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• SHA-1 is not vulnerable to any known attacks (compared to MD4/5)
• SHA-1 is a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• SHA-1 is optimised for big endian CPU's (vs MD5 which is optimised
for little endian CPU’s)

117
Revised Secure Hash Standard
• NIST has issued a revision FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased security provided by
the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar

118
WHIRLPOOL

Whirlpool is an iterated cryptographic hash function,

based on the Miyaguchi-Preneel scheme, that uses a
symmetric-key block cipher in place of the compression
function. The block cipher is a modified AES cipher that
has been tailored for this purpose.
Whirlpool hash function
Whirlpool Cipher
Structure of Each Round
Each round uses four
transformations.
SubBytes Like in AES, SubBytes provide a nonlinear
transformation.
SubBytes in the Whirlpool cipher
ShiftColumns
MixRows transformation in the Whirlpool cipher
AddRoundKey transformation in the Whirlpool cipher
Key expansion in the Whirlpool cipher
Round constant for the third round
 Using Symmetric Ciphers for
MACs
➢ can use any block cipher chaining mode and use
final block as a MAC
➢ Data Authentication Algorithm (DAA) is a widely
used MAC based on DES-CBC
⚫ using IV=0 and zero-pad of final block
⚫ encrypt message using DES in CBC mode
⚫ and send just the final block as the MAC
•or the leftmost M bits (16≤M≤64) of final block
➢but final MAC is now too small for security…
… can use message blocks in reverse order…
Data Authentication Algorithm
 CMAC
➢ previously saw the DAA (CBC-MAC)
➢ widely used in govt & industry
➢ but has message size limitation
➢ can overcome using 2 keys & padding
➢ thus forming the Cipher-based Message
Authentication Code (CMAC)
➢ adopted by NIST SP800-38B
CMAC Overview
CMAC
 Authenticated Encryption
➢ simultaneously protect confidentiality and
authenticity of communications
⚫ often required but usually separate
➢ approaches
⚫ Hash-then-encrypt: E(K, (M || H(M))
⚫ MAC-then-encrypt: E(K2, (M || MAC(K1, M))
⚫ Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C)
⚫ Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)
➢ decryption /verification straightforward
➢ but security vulnerabilities with all these
 Counter with Cipher Block
Chaining-Message
Authentication Code (CCM)
➢ NIST standard SP 800-38C for WiFi
➢ variation of encrypt-and-MAC approach
➢ algorithmic ingredients
⚫ AES encryption algorithm
⚫ CTR mode of operation
⚫ CMAC authentication algorithm
➢ single key used for both encryption & MAC
 CCM
Operation
 Galois/Counter Mode (GCM)
➢ NIST standard SP 800-38D, parallelizable
➢ message is encrypted in variant of CTR
➢ ciphertext multiplied with key & length over
GF(2128) to generate authenticator tag
➢ have GMAC MAC-only mode also
➢ uses two functions:
⚫ GHASH - a keyed hash function
⚫ GCTR - CTR mode with incremented counter
GCM Functions
GCM Functions
 GCM
Mode
Overview
 Authenticated Encryption
➢Want confidentiality and integrity/authenticity
➢Use combination of encryption
– but how?
➢Generic Composition:
– “Foolproof” ways to combine (compose)
encryption and MAC to achieve AE
– Trouble is, fools are so clever!
 Generic Composition
➢ Classic result by Bellare & Namprempre
➢ Basic compositions (BN 2000)
•MAC then Encrypt
•Encrypt then MAC
•Encrypt and MAC
➢ Major result:
•Only Encrypt then MAC is always safe
•But caveats – depends on assumptions of
encrypt...
COMPARISON

Let us begin by looking at the differences between

conventional signatures and digital signatures.

Topics discussed in this section:

• Inclusion
• Verification Method
• Relationship
• Duplicity
Inclusion

A conventional signature is included in the document;

it is part of the document. But when we sign a
document digitally, we send the signature as a
separate document.
Verification Method

For a conventional signature, when the recipient

receives a document, she compares the signature on
the document with the signature on file. For a digital
signature, the recipient receives the message and the
signature. The recipient needs to apply a verification
technique to the combination of the message and the
signature to verify the authenticity.
Relationship

For a conventional signature, there is normally a one-

to-many relationship between a signature and
documents. For a digital signature, there is a one-to-
one relationship between a signature and a message.
Duplicity

In conventional signature, a copy of the signed

document can be distinguished from the original one
on file. In digital signature, there is no such distinction
unless there is a factor of time on the document.
PROCESS

The sender uses a signing algorithm to sign the

message. The message and the signature are sent to
the receiver. The receiver receives the message and
the signature and applies the verifying algorithm to
the combination. If the result is true, the message is
accepted; otherwise, it is rejected.
Digital signature process
Need for Keys

Adding key to the digital signature process

Note

A digital signature needs a public-key system.

The signer signs with her private key; the verifier
verifies with the signer’s public key.
Note
A cryptosystem uses the private and public keys of
the receiver: a digital signature uses
the private and public keys of the sender.
Signing the Digest

Signing the digest

SERVICES

We discussed several security services including

message confidentiality, message authentication,
message integrity, and nonrepudiation. A digital
signature can directly provide the last three; for
message confidentiality we still need
encryption/decryption.
Message Authentication

A secure digital signature scheme, like a secure

conventional signature can provide message
authentication.

Note
A digital signature provides message authentication.
Message Integrity

The integrity of the message is preserved even if we

sign the whole message because we cannot get the
same signature if the message is changed.

Note

A digital signature provides message integrity.

Nonrepudiation
Using a trusted center for nonrepudiation

Note

Nonrepudiation can be provided using a trusted

party.
Confidentiality
Adding confidentiality to a digital signature scheme

Note

A digital signature does not provide privacy.

If there is a need for privacy, another layer of
encryption/decryption must be applied.
Attack Types

Key-Only Attack

Known-Message Attack

Chosen-Message Attack
Forgery Types

Existential Forgery adversary has no control on the

messages whose signature is forged

Selective Forgery adversary controls the messages

whose signature is forged

Total Break Adversary is able to compute signer's

private key
DIGITAL SIGNATURE
SCHEMES
Several digital signature schemes have evolved during
the last few decades.

• RSA Digital Signature Scheme

• ElGamal Digital Signature Scheme
• Schnorr Digital Signature Scheme
• Digital Signature Standard (DSS)
• Elliptic Curve Digital Signature Scheme
RSA Digital Signature Scheme

General idea behind the RSA digital signature scheme

Key Generation
Key generation in the RSA digital signature scheme is
exactly the same as key generation in the RSA

Note
In the RSA digital signature scheme, d is private;
e and n are public.
Signing and Verifying

RSA digital signature scheme

Example 13.1

As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n
= 784319. The value of (n) is 782544. Now she chooses e = 313 and calculates d =
160009. At this point key generation is complete. Now imagine that Alice wants to
send a message with the value of M = 19070 to Bob. She uses her private exponent,
160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and
the signature. He calculates

Bob accepts the message because he has verified Alice’s signature.

RSA Signature on the Message Digest
The RSA signature on the message digest
Note
When the digest is signed instead of the message
itself, the susceptibility of the RSA digital signature
scheme depends on the strength of the hash
algorithm.
ElGamal Digital Signature Scheme

General idea behind the ElGamal digital signature scheme

Key Generation
The key generation procedure here is exactly the same
as the one used in the cryptosystem.

Note
In ElGamal digital signature scheme, (e1, e2, p) is
Alice’s public key; d is her private key.
Verifying and Signing
ElGamal digital signature scheme
 Example 13.2

Here is a trivial example. Alice chooses p = 3119, e1 = 2, d = 127 and calculates e2 =

2127 mod 3119 = 1702. She also chooses r to be 307. She announces e1, e2, and p
publicly; she keeps d secret. The following shows how Alice can sign a message.

Alice sends M, S1, and S2 to Bob. Bob uses the public key to calculate V1 and V2.
 Example 13.3

Now imagine that Alice wants to send another message, M = 3000, to Ted. She
chooses a new r, 107. Alice sends M, S1, and S2 to Ted. Ted uses the public keys to
calculate V1 and V2.
Schnorr Digital Signature Scheme

General idea behind the Schnorr digital signature scheme

Key Generation
1) Alice selects a prime p, which is usually 1024 bits in length.
2) Alice selects another prime q.
3) Alice chooses e1 to be the qth root of 1 modulo p.
4) Alice chooses an integer, d, as her private key.

5) Alice calculates e2 = e1d mod p.

6) Alice’s public key is (e1, e2, p, q); her private key is (d).

Note
In the Schnorr digital signature scheme, Alice’s
public key is (e1, e2, p, q); her private key (d).
Signing and Verifying

Schnorr digital signature scheme

Signing
1. Alice chooses a random number r.
2. Alice calculates S1 = h(M|e1r mod p).
3. Alice calculates S2 = r + d × S1 mod q.
4. Alice sends M, S1, and S2.

Verifying Message
1. Bob calculates V = h (M | e1S2 e2−S1 mod p).
2. If S1 is congruent to V modulo p, the message is
accepted;
 Example 13.4

Here is a trivial example. Suppose we choose q = 103 and p = 2267. Note that p = 22 ×
q + 1. We choose e0 = 2, which is a primitive in Z2267*. Then (p −1) / q = 22, so we have
e1 = 222 mod 2267 = 354. We choose d = 30, so e2 = 35430 mod 2267 = 1206. Alice’s
private key is now (d); her public key is (e1, e2, p, q).

Alice wants to send a message M. She chooses r = 11 and calculates e2 r = 35411 = 630
mod 2267. Assume that the message is 1000 and concatenation means 1000630. Also
assume that the hash of this value gives the digest h(1000630) = 200. This means S1 =
200. Alice calculates S2 = r + d × S1 mod q = 11 + 1026 × 200 mod 103 = 35. Alice
sends the message M =1000, S1 = 200, and S2 = 35. The verification is left as an
exercise.
Digital Signature Standard (DSS)
Key Generation.
1. Alice chooses primes p and q.
1. Alice uses <Zp*, × > and <Zq*, ×>.
1. Alice creates e1 to be the qth root of 1 modulo p.
1. Alice chooses d and calculates e2 = e1d.
1. Alice’s public key is (e1, e2, p, q); her private key is
(d).
Verifying and Signing

DSS scheme
 Example 13.5

Alice chooses q = 101 and p = 8081. Alice selects e0 = 3 and calculates e1 = e0 (p−1)/q
mod p = 6968. Alice chooses d = 61 as the private key and calculates e2 = e1d mod p =
2038. Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice
chooses r = 61:

Alice sends M, S1, and S2 to Bob. Bob uses the public keys to calculate V.
DSS Versus RSA
Computation of DSS signatures is faster than
computation of RSA signatures when using the same p.

DSS Versus ElGamal

DSS signatures are smaller than ElGamal signatures
because q is smaller than p.
Elliptic Curve Digital Signature Scheme
Key Generation
Key generation follows these steps:

1. Alice chooses an elliptic curve Ep(a, b).

1. Alice chooses another prime q the private key d.
1. Alice chooses e1(…, …), a point on the curve.
1. Alice calculates e2(…, …) = d × e1(…, …).
1. Alice’s public key is (a, b, p, q, e1, e2); her private
key is d.
Signing and Verifying
The ECDSS scheme
Variations

Time Stamped Signatures

Sometimes a signed document needs to be time
stamped to prevent it from being replayed by an
adversary. This is called time-stamped digital
signature scheme.

Blind Signatures
Sometimes we have a document that we want to get
signed without revealing the contents of the
document to the signer.
INTRODUCTION

Entity authentication is a technique designed to let one

party prove the identity of another party. An entity can
be a person, a process, a client, or a server. The entity
whose identity needs to be proved is called the claimant;
the party that tries to prove the identity of the claimant
is called the verifier.
Data-Origin Versus Entity Authentication

There are two differences between message authentication

(data-origin authentication), and entity authentication.

1) Message authentication might not happen in real time;

entity authentication does.
2) Message authentication simply authenticates one
message; the process needs to be repeated for each new
message. Entity authentication authenticates the
claimant for the entire duration of a session.
Verification Categories

Something known

Something possessed

Something inherent
PASSWORDS

The simplest and oldest method of entity authentication

is the password-based authentication, where the
password is something that the claimant knows.

• Fixed Password
• One-Time Password
Fixed Password

First Approach
User ID and password file
Second Approach
Hashing the password
Third Approach
Salting the password

14.195
Fourth Approach
In the fourth approach, two identification techniques are
combined. A good example of this type of authentication
is the use of an ATM card with a PIN (personal
identification number).
One-Time Password

First Approach
In the first approach, the user and the system agree upon a
list of passwords.

Second Approach
In the second approach, the user and the system agree to
sequentially update the password.

Third Approach
In the third approach, the user and the system create a
sequentially updated password using a hash function.
Lamport one-time password
CHALLENGE-RESPONSE

In password authentication, the claimant proves her

identity by demonstrating that she knows a secret, the
password. In challenge-response authentication, the
claimant proves that she knows a secret without sending
it.

• Using a Symmetric-Key Cipher

• Using Keyed-Hash Functions
• Using an Asymmetric-Key Cipher
• Using Digital Signature
Note
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to the
verifier.

Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.
Using a Symmetric-Key Cipher

First Approach

Nonce challenge
Second Approach

Timestamp challenge
Third Approach.
Bidirectional authentication
Using Keyed-Hash Functions

Instead of using encryption/decryption for entity

authentication, we can also use a keyed-hash function
(MAC).
Keyed-hash function
Using an Asymmetric-Key Cipher

First Approach

Unidirectional, asymmetric-key authentication

Second Approach
Bidirectional, asymmetric-key
Using Digital Signature

First Approach
Digital signature, unidirectional
 Second Approach
Digital signature, bidirectional authentication
ZERO-KNOWLEDGE

In zero-knowledge authentication, the claimant does not

reveal anything that might endanger the confidentiality
of the secret. The claimant proves to the verifier that she
knows a secret, without revealing it. The interactions
are so designed that they cannot lead to revealing or
guessing the secret.

• Fiat-Shamir Protocol
• Feige-Fiat-Shamir Protocol
• Guillou-Quisquater Protocol
Fiat-Shamir Protocol
Feige-Fiat-Shamir Protocol
Guillou-Quisquater Protocol