
CNS - Unit-3


SCHOOL OF COMPUTING

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

Academic Year 2023-24 : Summer Semester

10212CS119 – Cryptography and Network Security


Pre-requisites

Sl. No Course Code Course Name

1 10211CS105 Computer Networks

Mr.T.Venketbabu,
Assistant Professor, Slot : S1 & S3
10/4/2024 Dr.T.VenketBabu, AP(SG)/CSE, Vel Tech 1
Department of CSE.
Course Outcomes
CO Nos. - Course Outcomes - Level of learning domain (Based on revised Bloom’s)
CO1 - Understand the encryption and decryption techniques using block ciphers. - K2
CO2 - Apply key exchange and management schemes using public key cryptography. - K3
CO3 - Demonstrate techniques to sign and verify messages using signature generation and verification algorithms. - K3
CO4 - Implement cryptographic algorithm for various network security applications. - K3
CO5 - Illustrate the technologies to protect cyberspace against security threats. - K3

Knowledge Level (Based on Revised Bloom’s Taxonomy)


K1-Remember K2-Understand K3-Apply K4-Analyze K5-Evaluate K6-Create
Correlation of COs with POs and PSOs

COs PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PO12 PSO 1 PSO 2 PSO 3

CO1 3 3 2

CO2 3 2 3 2 3

CO3 3 2 3 2 2

CO4 2 1 2 3

CO5 2 3 2 2

High-3; Medium-2; Low-1



Syllabus Contents
Unit – I Introduction to Cryptography 9L+3T Hours
OSI Security Architecture - Classical Encryption techniques – Cipher
Principles – Data Encryption Standard – Block Cipher Design Principles and
Modes of Operation - Evaluation criteria for AES –AES Cipher – Triple DES –
Placement of Encryption Function – Traffic Confidentiality-Case study on
Barclays Bank
Unit – II Public Key Cryptography 9L+3T Hours
Number Theory concepts: Primes and Prime Factorization – Congruent
modulo n, equivalent class modulo n, Integer modulo n, Multiplicative inverse,
Relatively prime, Euler's theorem, Fermat's little theorem, Extended Euclidean
Algorithm, Chinese Remainder Theorem. Confidentiality using Asymmetric
Encryption – Public Key Cryptography and RSA- Key Management - Diffie-
Hellman key Exchange – Elliptic Curve Architecture and Cryptography – Case
study on Elan Financial Services



Syllabus Contents
Unit – III Authentication and Hash Function 9L+3T Hours
Authentication requirements – Authentication functions – Message
Authentication Codes – Hash Functions – Security of Hash Functions and
MACs – MD5 message Digest algorithm – Secure Hash Algorithm – RIPEMD
– HMAC Digital Signatures – Authentication Protocols – Digital Signature
Standard- Case study on Swedbank
Unit – IV Network Security Applications 9L+3T Hours
Authentication Applications: Kerberos – X.509 Authentication Service –
Electronic Mail Security –PGP – S/MIME - IP Security- Policy, Encapsulating
Security Payload, Combining Security Associations, Internet Key Exchange,
Authentication Header.
Unit – V Security Management 9L+3T Hours
Intrusion Detection - Password Management - Viruses and related Threats -
Virus Countermeasures- Worms Security Risks – Firewall Design Principles -
Trusted Systems -Systems- Log Management. Case study on Biometric
deployment for secure password management.
Learning Resources
i) Text Books
1. William Stallings, “Cryptography And Network Security – Principles and
Practices”, Prentice Hall of India, Eighth Edition, 2020 [Unit 1-5].
2. David Kim and Michael G.Solomon, “Fundamentals of Information
Systems Security”, Jones and Bartlett Publishers, Third Edition, 2018 [Unit
1-5].
ii) Reference Books:
1. Atul Kahate, “Cryptography and Network Security”, Tata McGraw-Hill,
2011.
2. Bruce Schneier, “Applied Cryptography”, John Wiley & Sons Inc, 2011.
3. Charles B. Pfleeger, Shari Lawrence Pfleeger, “Security in Computing”,
Third Edition, Pearson Education, 2010.



Learning Resources
iii) Online Resources
1. “Cryptography techniques”, Accessed on: July 2022, [online]. Available:
http://Cryptographywilliamstallings.com/Extras/Security-Notes/
2. “Authentication algorithms”, Accessed on: July 2022 [online]. Available:
http://www.cs.bilk.ent.edu.tr/~selcuk/teaching/cs519/
3. “Network security concepts”, Accessed on: July 2022 [online]. Available:
http://freevideolectures.com/Course/3027/Cryptography–andNetwork-Security



Unit – III
Authentication and Hash Function



1.Authentication Requirements
The attacks identified in communication across a network include:
 Disclosure – release of message content.
 Traffic Analysis - discovery of the pattern of traffic between parties.
 Masquerade- Insertion of messages into the network from a
fraudulent source.
 Content Modification- Changes to the contents of a message.
 Sequence Modification- Any modification to a sequence of
messages between parties.
 Timing Modification- Delay or replay of messages.
 Source Repudiation- Denial of transmission of message by source.
 Destination Repudiation- Denial of receipt of message by
destination.
2.Authentication Functions
Message authentication or digital signature mechanism has two levels
of functionality.
 Lower level - a function that produces an authenticator to
authenticate a message.
 Higher level - enables a receiver to verify the authenticity of a
message.
Types of functions that may be used to produce an authenticator.
a. Message Encryption - ciphertext of the entire message serves as its
authenticator.
b. Message Authentication Code - A function of the message and a
secret key that produces a fixed-length value.
c. Hash Function - A function that maps a message of any length into a
fixed-length hash value.
Internal & External Error Control



Internal & External Error Control

 With internal error control, authentication is provided.
 An opponent would have difficulty generating ciphertext that, when
decrypted, would have valid error control bits.
 If the FCS is the outer code, an opponent can construct messages
with valid error control codes.
 Although the opponent cannot know what the decrypted plaintext
will be, he or she can still hope to create confusion and disrupt
operations.



2.a.Message Encryption
 Message encryption by itself can provide a measure of
authentication.
 The analysis differs for symmetric and public-key encryption
schemes.
I. Symmetric Encryption
 A message M transmitted from source A to destination B is
encrypted using a secret key K shared by A and B.
 If no other party knows the key, then confidentiality is provided.
 Symmetric encryption provides authentication as well as
confidentiality.



2.a.Message Encryption
 B is assured that the message was generated by A, since A is the
only other party that possesses K.
 If M is recovered, B knows that none of the bits of M have been
altered, because an opponent that does not know K would not know
how to alter bits in the ciphertext.



2.a.Message Encryption
II. Public Key Encryption
 The straightforward use of public-key encryption provides
confidentiality but not authentication.
 Source (A) uses the public key PUb of the destination (B) to encrypt
message M.
 Because only B has the corresponding private key PRb, only B can decrypt
the message.
 Provides no authentication because any opponent could also use B's
public key to encrypt a message, claiming to be A.
 Symmetric encryption provides authentication as well as
confidentiality.



2.a.Message Encryption
 To provide authentication, A uses its private key to encrypt the
message, and B uses A's public key to decrypt.
 Provides authentication using the same type of reasoning as in the
symmetric encryption case.
 The message must have come from A because A is the only party
that possesses PRa.
 Signature - A is the only party with the information necessary to
construct ciphertext that can be decrypted with PUa.



2.a.Message Encryption
 A can encrypt M first using its private key, which provides the
digital signature, and then using B's public key, which provides
confidentiality.
 B knows A’s public key so this authenticates that the message is
from source A.



2.b.Message Authentication Code
 Involves the use of a secret key to generate a small fixed-size block
of data.
 The generated cryptographic checksum or MAC is appended to the
message.
 This technique assumes that two communicating parties, say A and
B, share a common secret key K.
 When A has a message to send to B, it calculates the MAC as a
function of the message and the key: MAC = C(K,M), where
M = input message.
C = MAC function.
K = shared secret key.
MAC = message authentication code.
2.b.Message Authentication Code
 The message plus MAC are transmitted to the intended recipient.
 The recipient performs the same calculation on the received
message, using the same secret key, to generate a new MAC.
 The received MAC is compared to the calculated MAC.
 The receiver is assured that the message has not been altered.
 If an attacker alters the message but does not alter the MAC, then
the receiver's calculation of the MAC will differ from the received
MAC.
 Because the attacker is assumed not to know the secret key, the
attacker cannot alter the MAC to correspond to the alterations in the
message.



2.b.Message Authentication Code
 The receiver is assured that the message is from the alleged sender.
 Because no one else knows the secret key, no one else could prepare
a message with a proper MAC.
 The message includes a sequence number.
 Therefore the receiver can be assured of the proper sequence because an
attacker cannot successfully alter the sequence number.



MAC Properties
 A MAC is a cryptographic checksum.
MAC = $C_K(M)$.
- condenses a variable-length message M.
- using a secret key K.
- to a fixed-sized authenticator.
 Is a many-to-one function.
- potentially many messages have same MAC.
- but finding these needs to be very difficult.



Requirements for MAC
 Taking into account the types of attacks
 Need the MAC to satisfy the following:
1. Knowing a message and MAC, it is infeasible to find another message
with same MAC.
2. MACs should be uniformly distributed.
3. MAC should depend equally on all bits of the message.



2.c.Hash Function
 A variation on the message authentication code is the one-way hash
function.
 A hash function accepts a variable-size message M as input and
produces a fixed size output, referred to as a hash code H(M).
 Unlike a MAC, a hash code does not use a key but is a function only
of the input message.
 The hash code is also referred to as a message digest or hash value.
 The hash code is a function of all the bits of the message and
provides an error-detection capability:
 A change to any bit or bits in the message results in a change to the
hash code.



2.c.Hash Function
a) The message plus concatenated hash code is encrypted using
symmetric encryption.
 The hash code provides the structure or redundancy required to
achieve authentication.
 Since encryption is applied to the entire message plus hash code,
confidentiality is also provided.



2.c.Hash Function
b) Only the hash code is encrypted, using symmetric encryption.
 This reduces the processing burden for those applications that do not
require confidentiality.

c) Only the hash code is encrypted, using public-key encryption and
using the sender's private key.
 As with (b), this provides authentication and also digital signature.



2.c.Hash Function
d) If confidentiality as well as a digital signature is desired, then the
message plus the private-key encrypted hash code can be encrypted
using a symmetric secret key.

e) It is possible to use a hash function but no encryption for message
authentication.



2.c.Hash Function
f) Confidentiality can be added to the approach of (e) by encrypting the
entire message plus the hash code.



Requirements for Hash Functions
1. Can be applied to any sized message M.
2. Produces fixed-length output h.
3. Is easy to compute h=H(M) for any message M.
4. Given h, it is infeasible to find x such that H(x)=h.
- one-way property
5a. Given x, it is infeasible to find y ≠ x such that H(y)=H(x)
- weak collision resistance
5b. It is infeasible to find any pair x, y (x ≠ y) such that H(y)=H(x)
- strong collision resistance



Birthday Attacks
 Might think a 64-bit hash is secure, but by Birthday Paradox it is
not.
Birthday attack works thus:
 The source, A, is prepared to "sign" a message by appending the
appropriate m-bit hash code and encrypting that hash code with A's
private key.
 Opponent generates $2^{m/2}$ variations of a valid message all with
essentially the same meaning.
 Opponent also generates $2^{m/2}$ variations of a desired fraudulent
message.
 Two sets of messages are compared to find pair with same hash
(probability > 0.5 by birthday paradox)
 Have user sign for the valid message, then substitute the forgery
which will have a valid signature.
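Why the matching probability exceeds 0.5, as an added derivation that is not part of the original slides; it assumes the m-bit hash values are uniformly distributed and treats the $2^{m/2} \cdot 2^{m/2}$ cross-set pairs as independent:

$$
P(\text{no match}) \approx \left(1 - \frac{1}{2^{m}}\right)^{2^{m/2} \cdot 2^{m/2}} \approx e^{-2^{m}/2^{m}} = e^{-1} \approx 0.37,
\qquad
P(\text{match}) \approx 1 - e^{-1} \approx 0.63 > 0.5
$$

For a 64-bit hash this is about $2^{32}$ variations of each message, far below the $2^{64}$ effort the hash length alone suggests.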
A letter in $2^{37}$ Variations.



Meet-in-the-Middle Attack
1. Use the algorithm defined at the beginning of this subsection to
calculate the unencrypted hash code G.
2. Construct any desired message in the form $Q_1, Q_2, \ldots, Q_{N-2}$.
3. Compute $H_i = E(Q_i, H_{i-1})$ for $1 \le i \le (N-2)$.
4. Generate $2^{m/2}$ random blocks; for each block X, compute $E(X, H_{N-2})$.
Generate an additional $2^{m/2}$ random blocks; for each block Y,
compute D(Y, G), where D is the decryption function corresponding
to E.
5. Based on the birthday paradox, with high probability there will be an
X and Y such that $E(X, H_{N-2}) = D(Y, G)$.
6. Form the message $Q_1, Q_2, \ldots, Q_{N-2}, X, Y$. This message has the hash
code G and therefore can be used with the intercepted encrypted
signature.
3.Secure Hash Algorithm
 SHA originally designed by NIST & NSA in 1993.
 Revised in 1995 as SHA-1.
 US standard for use with DSA signature scheme
- standard is FIPS 180-1 1995, also Internet RFC3174
- nb. the algorithm is SHA, the standard is SHS
 based on design of MD4 with key differences
 produces 160-bit hash values
 recent 2005 results on security of SHA-1 have raised concerns on its
use in future applications.



Revised Secure Hash Standard

 NIST issued revision FIPS 180-2 in 2002.
 Adds 3 additional versions of SHA.
 SHA-256, SHA-384, SHA-512.
 Designed for compatibility with increased security provided by the
AES cipher.
 Structure & detail is similar to SHA-1.
 Analysis should be similar.
 Security levels are rather higher.



Comparison of SHA Parameters



SHA-512 Overview



Steps involved in SHA-512
Step 1. Append padding bits - The message is padded so that its length
is congruent to 896 modulo 1024.
- Padding is always added, even if the message is already of the
desired length.
- Thus, the number of padding bits is in the range of 1 to 1024.
- The padding consists of a single 1-bit followed by the necessary
number of 0-bits.
Step 2. Append length - A block of 128 bits is appended to the message.
- This block is treated as an unsigned 128-bit integer and contains
the length of the original message.
- The outcome of the first two steps yields a message that is an
integer multiple of 1024 bits in length.
- The expanded message is represented as the sequence of 1024-bit blocks
$M_1, M_2, \ldots, M_N$, so that the total length of the expanded message
is N x 1024 bits.
Steps involved in SHA-512
Step 3. Initialize Hash Buffer - A 512-bit buffer is used to hold
intermediate and final results of the hash function.
- The buffer can be represented as eight 64-bit registers (a, b, c, d, e,
f, g, h).
- These registers are initialized to the following 64-bit integers
(hexadecimal values):
Hexadecimal Values in Hash Buffer
a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179
- Values are stored in big-endian format, which is the most
significant byte of a word in the low-address (leftmost) byte
position.
Steps involved in SHA-512 Compression Function
Step 4. Process Message in 1024 bit (128-word) blocks. Heart of the
algorithm.
- Processing message in 1024-bit blocks.
- Consists of 80 rounds.
- Updating a 512-bit buffer.
- Uses a 64-bit value $W_t$ derived from the current message block.
- A round constant based on cube root of first 80 prime numbers.
Step 5. Output - After all N 1024-bit blocks have been processed, the
output from the Nth stage is the 512-bit message digest.



SHA-512 Processing of a Single 1024-bit block



Round Function



SHA-512 Round Function



Round Function



80 Word Input Sequence for SHA-512 Processing of
Single Block



4.MD5 Algorithm
 Developed by Ron Rivest at MIT.
 Until both brute-force and cryptanalytic concerns arose, MD5
was the most widely used secure hash algorithm.
 The algorithm takes as input a message of arbitrary length and
produces as output a 128-bit message digest.
 The input is processed in 512-bit blocks.
Step 1: Appending padding bits.
 The message is padded so that its length in bits is congruent to 448
modulo 512.
 The length of the padded message is 64 bits less than an integer
multiple of 512 bits.
 Padding is always added; the number of padding bits is in the range of 1 to 512.
 The padding consists of a single 1-bit followed by the necessary number of 0-bits.
Steps involved in MD5
Step 2: Append length - A 64-bit representation of the length in bits of
the original message (before the padding) is appended to the result
of step 1.
 The first two steps yield a message that is an integer multiple of 512
bits in length.
 The expanded message is represented as the sequence of 512-bit blocks
$Y_0, Y_1, \ldots, Y_{L-1}$.
 The total length of the expanded message is L × 512 bits.
Step 3: Initialize MD buffer - A 128-bit buffer is used to hold
intermediate and final results of the hash function.
 The buffer can be represented as four 32-bit registers (A, B, C, D).
A = 67452301 C = 98BADCFE
B = EFCDAB89 D = 10325476
Steps involved in MD5
 These values are stored in little-endian format, which is the least
significant byte of a word in the low-address byte position.
Word A: 01 23 45 67 Word C: FE DC BA 98
Word B: 89 AB CD EF Word D: 76 54 32 10
Step 4: Process message in 512-bit (16-word) blocks - a compression
algorithm that consists of four “rounds” of processing.
 Each round has a different primitive logical function, referred to as
F, G, H, and I in the specification.
 Each round takes as input the current 512-bit block being processed
($Y_q$) and the 128-bit buffer value ABCD and updates the contents of
the buffer.
 Each round also makes use of one-fourth of a 64-element table
T[1…64] , constructed from the sine function.
MD5 Overview
Step 5: Output - After all L 512-bit blocks have been processed, the
output from the Lth stage is the 128-bit message digest.
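MD5 steps 1 to 5 carried through in code, with the padding helper generalized so that it also covers SHA-512 steps 1 and 2 (896 mod 1024, 128-bit big-endian length). This is an added example, not code from the slides; the function names are hypothetical and the per-step rotation amounts come from RFC 1321, since the slides do not list them.

```python
import math
import struct

MASK32 = 0xFFFFFFFF


def md_pad(msg: bytes, block_bytes: int, len_bytes: int, byteorder: str) -> bytes:
    """Steps 1 and 2: a 1-bit, then 0-bits, then the original length in bits."""
    bit_len = (8 * len(msg)) % (1 << (8 * len_bytes))
    padded = msg + b"\x80"                       # the single 1-bit (plus seven 0-bits)
    target = block_bytes - len_bytes             # 448 mod 512 or 896 mod 1024, in bytes
    # Padding is always added: a message already at the target length gets a full block.
    padded += b"\x00" * ((target - len(padded)) % block_bytes)
    return padded + bit_len.to_bytes(len_bytes, byteorder)


def md5_pad(msg: bytes) -> bytes:
    return md_pad(msg, 64, 8, "little")          # 512-bit blocks, 64-bit length


def sha512_pad(msg: bytes) -> bytes:
    return md_pad(msg, 128, 16, "big")           # 1024-bit blocks, 128-bit length


# Step 4 table T[1..64], constructed from the sine function.
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK32 for i in range(64)]
# Per-step left-rotation amounts, taken from RFC 1321 (not listed on the slides).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_hex(msg: bytes) -> str:
    # Step 3: initialize the 128-bit buffer as four 32-bit registers.
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = md5_pad(msg)
    for off in range(0, len(data), 64):          # Step 4: one 512-bit block at a time
        x = struct.unpack("<16I", data[off:off + 64])   # sixteen little-endian words
        aa, bb, cc, dd = a, b, c, d
        for i in range(64):
            if i < 16:                           # round 1, function F
                f, g = (bb & cc) | (~bb & dd), i
            elif i < 32:                         # round 2, function G
                f, g = (bb & dd) | (cc & ~dd), (5 * i + 1) % 16
            elif i < 48:                         # round 3, function H
                f, g = bb ^ cc ^ dd, (3 * i + 5) % 16
            else:                                # round 4, function I
                f, g = cc ^ (bb | ~dd), (7 * i) % 16
            f = (f + aa + T[i] + x[g]) & MASK32
            aa, dd, cc, bb = dd, cc, bb, (bb + _rotl(f, S[i])) & MASK32
        # Add the round output to the buffer value that entered the block.
        a, b, c, d = [(u + v) & MASK32 for u, v in zip((a, b, c, d), (aa, bb, cc, dd))]
    # Step 5: the digest is A, B, C, D written out low-order byte first.
    return struct.pack("<4I", a, b, c, d).hex()
```

MD5 is implemented here to make the steps concrete; its collision resistance is broken, so new designs should use the SHA-2 family instead.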



MD5 Processing of a 512-bit block



Elementary MD5 Operation



Terminologies used in MD5



5.RIPEMD-160
 Padding:
Given a message $m_0 m_1 \ldots m_{b-1}$ (b bits)
Step 1: Append padding bits and get $m_0 m_1 \ldots m_{b-1}\,1\,0 \ldots 0$ (length
congruent to 448 mod 512)
Step 2: Append 64 bits to indicate length of message and get
$m_0 m_1 \ldots m_{b-1}\,1\,0 \ldots 0\,b_0 b_1 \ldots b_{63}$.
Step 3: Divide it into N words $M_0, M_1, \ldots, M_{N-1}$ (N is a multiple
of 16)
 Initialization:
Initialize 10 MD buffers A,B,C,D,E and A’,B’,C’,D’,E’ by
A0,B0,C0,D0,E0
A=A’=A0=67452301 D=D’=D0=10325476
B=B’=B0=EFCDAB89 E=E’=E0=C3D2E1F0
C=C’=C0=98BADCFE
5.RIPEMD-160 –Round Function



Round Functions
 For each 16 words, process 80 rounds
i.16 rounds
F=B XOR C XOR D
i=0,1,....15
K=00000000
s=11,14,15,12,5,8,7,9,11,13,14,15,6,7,8,9
ii.16 rounds
F=(B ^ C) V (┐B^D)
i=7,4,13,1,10,6,15,3,12,0,9,5,2,14,11,8
K=5A827999
s=7,6,8,13,11,9,7,15,7,12,15,9,11,7,13,12



Round Functions
iii.16 rounds
F=(B V ┐C) XOR D
i=3,10,14,4,9,15,8,1,2,7,0,6,13,11,5,2
K=6ED9EBA1
s=11,13,6,7,14,9,13,15,14,8,13,6,5,12,7,5
iv.16 rounds
F=(B ^ D) V (C^┐D)
i=1,9,11,10, 0,8,12,4,13,3,7,15,14,5,6,2
K=8F1BBCDC
s=11,12,14,15,14,15,9,8,9,14, 5,6,8,6,5,12
v.16 rounds
F=B XOR (CV┐D)
i=4,0,5,9,7,12,2,10,14,1,3,8,11,6,15,13
K=A953FD4E
Parallel Round Functions



Parallel Round Functions



6.HMAC
Motivations for HMAC
 Cryptographic hash functions such as MD5 and SHA-1 generally
execute faster in software than Symmetric block ciphers such as
DES.
 Library code for cryptographic hash functions is widely available.
 A hash function such as SHA-1 cannot be used directly as a MAC because it
does not rely on a secret key.
 There have been a number of proposals for the incorporation of a secret
key into an existing hash algorithm.
 HMAC has been issued as RFC 2104 and has been chosen as the
mandatory-to-implement MAC for IP security.



HMAC Design Objectives
 To use, without modifications, available hash functions.
 Hash functions that perform well in software, and for which code is
freely and widely available.
 Allows easy replaceability of the embedded hash function in case
faster or more secure hash functions are found or required.
 Preserves the original performance of the hash function without
incurring a significant degradation.
 To use and handle keys in a simple way.
 To have a well-understood cryptographic analysis of the strength of the
authentication mechanism.



HMAC Algorithm



HMAC Structure



Steps in HMAC
1. Append zeros to the left end of K to create a b-bit string $K^+$ (e.g., if
K is of length 160 bits and b = 512, then K will be appended with
44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) $K^+$ with ipad to produce the b-bit
block $S_i$.
3. Append M to $S_i$.
4. Apply H to the stream generated in step 3.
5. XOR $K^+$ with opad to produce the b-bit block $S_o$.
6. Append the hash result from step 4 to $S_o$.
7. Apply H to the stream generated in step 6 and output the result.
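The seven steps above, together with the send-and-verify exchange and sequence number from the Message Authentication Code slides, as an added example (not code from the slides). It follows RFC 2104, which the slides cite: the zero bytes are appended after the key bytes, ipad is the byte 0x36 and opad the byte 0x5C repeated b/8 times. The frame layout, `protect` and `Receiver` are hypothetical names, and SHA-256 as the embedded hash is an assumption.

```python
import hashlib
import hmac
import struct

HASH = "sha256"                                  # assumption: embedded hash function H
TAG_LEN = hashlib.new(HASH).digest_size


def hmac_steps(key: bytes, msg: bytes, hash_name: str = HASH) -> bytes:
    """HMAC built step by step from an unmodified hash function."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size        # block length in bytes (64 for b = 512 bits)
    if len(key) > b:                             # RFC 2104: a key longer than b is hashed first
        key = H(key)
    k_plus = key + b"\x00" * (b - len(key))      # step 1: a 20-byte key gets 44 zero bytes
    s_i = bytes(x ^ 0x36 for x in k_plus)        # step 2: K+ XOR ipad
    inner = H(s_i + msg)                         # steps 3-4
    s_o = bytes(x ^ 0x5C for x in k_plus)        # step 5: K+ XOR opad
    return H(s_o + inner)                        # steps 6-7


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender A: frame = 8-byte sequence number || payload || MAC over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac_steps(key, body)


class Receiver:
    """Receiver B: recompute the MAC, compare, then enforce increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(tag, hmac_steps(self.key, body)):
            return None                          # altered message or wrong key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return None                          # replayed or reordered frame
        self.last_seq = seq
        return body[8:]
```

In production code call `hmac.new` or `hmac.digest` from the standard library directly; the step-by-step function is there to show what that call computes.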



Efficient Implementation of HMAC



Security of HMAC
 Proved security of HMAC relates to that of the underlying hash
algorithm.
Attacking HMAC requires either:
 Brute force attack on key used.
 Birthday attack (but since keyed would need to observe a very large
number of messages)
 Choose hash function as a tradeoff between speed versus security
constraints.



7.Digital Signatures
 Have looked at message authentication
- but does not address issues of lack of trust
 Digital signatures provide the ability to:
- verify author, date & time of signature
- authenticate message contents
- be verified by third parties to resolve disputes
 Able to include authentication function with additional capabilities.



Digital Signature Properties
 Must depend on the message signed.
 Must use information unique to sender.
- to prevent both forgery and denial.
 Must be relatively easy to produce.
 Must be relatively easy to recognize & verify.
 Be computationally infeasible to forge.
- with new message for existing digital signature.
- with fraudulent digital signature for given message.
 Be practical to save digital signature in storage.



A.Direct Digital Signatures
 Involve only sender & receiver.
 Assumed receiver has sender’s public-key.
 Digital signature made by sender signing entire message or hash
with private-key.
 Can encrypt using receiver’s public-key.
 Important that sign first then encrypt message & signature.
 Security depends on sender’s private-key.



B.Arbitrated Digital Signatures
 Involves use of arbiter A.
- Validates any signed message.
- Dated and sent to recipient.
 Requires suitable level of trust in arbiter.
 Can be implemented with either private or public-key algorithms.
 Arbiter may or may not see message.



Arbitrated Digital Signature Techniques



8.Authentication Protocols
 Used to convince parties of each other's identity and to exchange
session keys.
 May be one-way or mutual.
 Key issues are
- confidentiality – to protect session keys
- timeliness – to prevent replay attacks
 Published protocols are often found to have flaws and need to be
modified.



Replay Attacks
 A valid signed message is copied and later resent.
- Simple replay.
- Repetition that can be logged.
- Repetition that cannot be detected.
- Backward replay without modification.
 countermeasures include
- Use of sequence numbers (generally impractical).
- Timestamps (needs synchronized clocks).
- Challenge / response (using unique nonce).



Using Symmetric Key Encryption
 As discussed previously can use a two level hierarchy of keys.
 Provides confidentiality for communication in a distributed
environment.
 Usually with a trusted Key Distribution Center (KDC).
- each party shares own master key with KDC.
- KDC generates session keys used for connections between parties.
- master keys used to distribute these to them.



Needham-Schroeder Protocol
 Original third-party key distribution protocol.
 For session between A and B mediated by KDC.
Protocol overview is:
 Secret keys Ka and Kb are shared between A and the KDC and B
and the KDC.



Needham-Schroeder Protocol
 Used to securely distribute a new session key for communications
between A & B.
 But is vulnerable to a replay attack if an old session key has been
compromised.
- then message 3 can be resent, convincing B that it is communicating
with A.
 Modifications to address this require:
- timestamps (Denning 81)
- using an extra nonce (Neuman 93)



Denning’s AS Protocol
Denning 81 presented the following:

 note: session key is chosen by A, hence AS need not be trusted to
protect it.
 timestamps prevent replay but require synchronized clocks.



Neuman 93a
 To respond to the concerns about suppress-replay attacks and at the
same time fix the problems in the Needham/Schroeder protocol.
 Provides an effective, secure means for A and B to establish a
session with a secure session key.
 Leaves A in possession of a key that can be used for subsequent
authentication to B.



Using Public Key Encryption
 Have a range of approaches based on the use of public-key
encryption.
 Need to ensure have correct public keys for other parties.
 Using a central Authentication Server (AS).
 Various protocols exist using timestamps or nonces.



Woo & Lam’s Approach

 The identifier of A, IDA, is added to the set of items encrypted with
the KDC's private key in steps 5 and 6.
 This binds the session key Ks to the identities of the two parties
that will be engaged in the session.
One-Way Authentication & Symmetric Encryption
 Required when sender & receiver are not in communications at
same time (eg. email)
 Have header in clear so can be delivered by email system.
 May want contents of body protected & sender authenticated.
Symmetric Encryption
 Can refine use of KDC but can’t have final exchange of nonces, vis:
1. A->KDC: IDA || IDB || N1
2. KDC -> A: EKa [Ks || IDB || N1 || EKb [Ks ||IDA] ]
3. A -> B: EKb [Ks||IDA] || EKs [M]
 Does not protect against replays, could rely on timestamp in
message, though email delays make this problematic.
Public Key Approaches
Have seen some public-key approaches
 if confidentiality is major concern, can use:
A->B: EPUb [Ks] || EKs [M]
 has encrypted session key with B’s public key and message with
common secret key.
 if authentication needed use a digital signature with a digital
certificate:
A->B: M || EPRa [H(M)] || EPRas [T||IDA||PUa]
 with message, signature, certificate.



9.Digital Signature Standards
 US Govt approved signature scheme
 designed by NIST & NSA in early 90's
 published as FIPS-186 in 1991
 revised in 1993, 1996 & then 2000
 uses the SHA hash algorithm
 DSS is the standard, DSA is the algorithm
 FIPS 186-2 (2000) includes alternative RSA & elliptic curve
signature variants



Digital Signature Algorithm
 Creates a 320 bit signature.
 Able to provide 512-1024 bit security.
 Smaller and faster than RSA.
 Follows digital signature scheme only.
 Security depends on difficulty of computing discrete logarithms.
 A variant of ElGamal & Schnorr schemes.



Digital Signature Algorithm



DSA Key Generation
 Have shared global public key values (p, q, g):
 Choose q, a 160-bit prime.
 Choose a large prime p of L bits, where L = 512 to 1024 bits and is a
multiple of 64.
 q is a prime factor of (p-1).
 Choose $g = h^{(p-1)/q} \bmod p$, where $h < p-1$ and $h^{(p-1)/q} \bmod p > 1$.
Users choose a private key and compute the public key:
 Choose x<q.
 Compute $y = g^x \bmod p$.



DSA Key Generation



DSA Key Generation



DSA Signature Creation
 to sign a message M the sender:
- generates a random signature key k, k<q.
- k must be random, be destroyed after use, and never be reused.
 Computes signature pair:
- $r = (g^k \bmod p) \bmod q$.
- $s = k^{-1}\,(H(M) + x \cdot r) \bmod q$.
 sends signature (r,s) with message M.



DSA Signature Verification
 Having received M & signature (r,s)
 To verify a signature, recipient computes:
$w = s^{-1} \bmod q$
$u_1 = (H(M) \cdot w) \bmod q$
$u_2 = (r \cdot w) \bmod q$
$v = (g^{u_1} \cdot y^{u_2} \bmod p) \bmod q$
 if v==r then signature is verified.



10.CASE STUDY - SWEDBANK
 Centralized Key Management
- largest acquirers in Europe and managing keys for hundreds
of applications.
- securely manage keys for its card payment, acquirer network
and its payment terminal management system.
- Cryptomathic - Terminal Key Management System (TKMS)
has allowed Swedbank to benefit from better streamlined key
management processes, with more automation of procedures
and reduced administrative overhead.



CASE STUDY - SWEDBANK



Any Queries???

