Cryptography and Network

Security
UNIT V

Dr. Nandhini Vineeth

Dr. Nandhini Vineeth 1

 MESSAGE AUTHENTICATION
• MESSAGE AUTHENTICATION
• Proof of source cannot be obtained
through Message Digest
• MD helps in knowing the
correctness of the data not
authenticate
• Modification Detection Code
• Message Digest can only detect
modifications in the message
• If both Message and MDC are sent
through the insecure channel, then
Eve can change both and send

Dr. Nandhini Vineeth 2

 MESSAGE AUTHENTICATION
• Message Authentication
Code (MAC)
• Ensures integrity and
authentication both
• Secret key
• Prefix MAC -K|M –
concatenation done and
sent to hash function
• Postfix MAC – M|K
• Combination has two keys

Dr. Nandhini Vineeth 3

MESSAGE AUTHENTICATION
• Security of a MAC
• Suppose Eve has intercepted the message M and the digest h(K|M).
• There are three possible cases for forging:
• 1. If the size of the key allows exhaustive search, Eve may prepend all possible
keys at the beginning of the message and make a digest of the (K|M) to find
the digest
• 2. The size of the key is normally very large in a MAC, but Eve can use another
tool: the preimage attack. She uses the algorithm until she finds X such that
h(X) is equal to the MAC she has intercepted.
• 3. Given some pairs of messages and their MACs, Eve can manipulate them to
comeup with a new message and its MAC

Dr. Nandhini Vineeth 4

MESSAGE AUTHENTICATION
• Nested MAC

MESSAGE AUTHENTICATION

Dr. Nandhini Vineeth 5

MESSAGE AUTHENTICATION
HMAC: Hashed MAC
1. The message is divided into N blocks, each of b bits.
2. The secret key is left-padded with 0’s to create a b-bit key. Note that it is
recommended that the secret key (before padding) be longer than n bits,
where n is the size of the HMAC.
3. The result of step 2 is exclusive-ored with a constant called ipad (input
pad) to create a b-bit block. The value of ipad is the b/8 repetition of the
sequence 00110110 (36 in hexadecimal).
4. The resulting block is prepended to the N-block message. The result is N +
1 blocks.
5. The result of step 4 is hashed to create an n-bit digest. We call the digest
the intermediate HMAC.

Dr. Nandhini Vineeth 6

MESSAGE AUTHENTICATION
6. The intermediate n-bit HMAC is left padded with 0s to make a b-bit
block.
7. Steps 2 and 3 are repeated by a different constant opad (output
pad). The value of opad is the b/8 repetition of the sequence 01011100
(5C in hexadecimal).
8. The result of step 7 is prepended to the block of step 6.
9. The result of step 8 is hashed with the same hashing algorithm to
create the final n-bit HMAC.

Dr. Nandhini Vineeth 7

HMAC
NIST has issued a standard (FIPS 198)
for a nested MAC that is often
referred to as HMAC

Dr. Nandhini Vineeth 8

 CMAC
CBCMAC- Cipher Block Chaining MAC

NIST has also defined a standard (FIPS 113) called

Data Authentication Algorithm, or CMAC, or
CBCMAC

CBC – Used for confidentiality every block output

influences CT.

Here they are used only with next block

idea is to create one block of MAC from N blocks

of plaintext using a symmetric-key cipher N times

Procedure followed as shown

If padding is applied to last block, x^2 is used for

multiplication, if there is no padding, x is used.

Multiplication is in GF(2m) with irreducible

Dr. Nandhini Vineeth 9
polynomial of degree m
Cryptographic Hash Functions
• Digital Signature
• Signature is for authenticity- Ex. A signature in a bank cheque
• Electronic signature done by the sender as a proof to the recipient that the document comes from correct entity
(proof of source)

• COMPARISON
• Inclusion
• CONV S: Cheque and signature are together
• DIGI S: document / message and signature are separate
• Verification Method:
• Method of verifying the signature
• CS: once a document is received, signature is verified with the signature in file
• DS: a verification algorithm is used to verify a signature and the signature is not stored anywhere
• Relationship:
• CS: one to many rel- same signatures in many documents
• Digital sign: one to one – each message has a different signature
• Duplicity:
• CS: sign in copy of the signed document and the original may be slightly different
• DS: no change among the two

Dr. Nandhini Vineeth 10

Cryptographic Hash Functions
PROCESS

Dr. Nandhini Vineeth 11

 Cryptographic Hash Functions
• Need for Keys
• CS is like private key which is
avai only with the owner of
document
• Public key is available in a
file and anyone can use it to
verify
• Asymm key crypto - but keys
used are completely diff
from regular procedure
• One single key cannot be
used – ends in forgery
• For every session, a new
pair is required

Dr. Nandhini Vineeth 12

• Summary:
• A digital signature needs a public-key system. The signer signs with
her private key; the verifier verifies with the signer’s public key.
• A cryptosystem uses the private and public keys of the receiver: a
digital signature uses the private and public keys of the sender.

Dr. Nandhini Vineeth 13

 Cryptographic Hash Functions
• Signing the Digest
• Asymm key cryp not
for long messages
• In DS sys, messages
are generally long
• Soln: sign a digest of
the message(shorter)

Dr. Nandhini Vineeth 14

Cryptographic Hash Functions
• SERVICES
• Message Authentication
• Like CS, provide message authentication
• As Alice public key is used by Bob to verify the message, it is proved

• Message Integrity
• If the message is changed, the same signature cannot be obtained.
• Hash functions are used in signing and verifying algorithms
• Nonrepudiation
• Denial of the transmission of a message by the source
• Though Alice may prove that the docu can be opened with the public key of Alice,
Alice would have changed both the keys
Dr. Nandhini Vineeth 15
• Solution:
• Trusted third party
• Explanation of the
figure
• Later if Alice denies,
Trusted centre shows
the copy of the saved
message.

Dr. Nandhini Vineeth 16

Cryptographic Hash Functions
• Confidentiality
• Not provided
directly
• If required,
explanation
as per the
figure

Dr. Nandhini Vineeth 17

Cryptographic Hash Functions
• ATTACKS ON DIGITAL SIGNATURE
• Attack Types
• Key-Only Attack
• Eve has access to only public key
• To forge, Eve needs to create Alice’s signature
• Like ciphertext-only attack

• Known-Message Attack
• Eve has access to some M,S Pairs
• With this tries to create a message and tries to sign
• Like known- PT attack

• Chosen-Message Attack
• Eve somehow makes Alice sign one or more messages
• Eve now has a chosen message/ signature pair
• Chosen plaintext attack

Dr. Nandhini Vineeth 18

Cryptographic Hash Functions
• Forgery Types
• Existential Forgery
• Eve may create a valid M,S pair but not the one she can use
• These could be syntactically or semantically unintelligible
• Selective Forgery
• Eve may be able to forge Alice Signature on a message with the content selectively
chosen by eve
• Probability is very low, but not negligible

Dr. Nandhini Vineeth 19

Cryptographic Hash Functions
• DIGITAL SIGNATURE SCHEMES
• RSA Digital Signature Scheme

Dr. Nandhini Vineeth 20

Cryptographic Hash Functions
• Key Generation

Dr. Nandhini Vineeth 21

Cryptographic Hash Functions
• Attacks on RSA Signature
• Key-Only Attack
• Has only Alice pub key
• Creates another message- M’== Se mod n
• Not very easy to solve
• Like disc log attack
• Known-Message Attack
• Eve uses multiplicative property of RSA
• If (M1,S1) and (M2,S2) is intercepted – created using same private key

• Chosen Message Attack

• Uses Multiplicative property
• If Eve choses two messages and gets it signed from Alice
• Very serious attack
• Multiplicative attack Dr. Nandhini Vineeth 22
Cryptographic Hash Functions

Dr. Nandhini Vineeth 23

Cryptographic Hash Functions
• Attacks on RSA Signed Digests
• Key-Only Attack
• A)
• Intercepts (S,M)
• Try to find M’ which gives the same hash h(M)=h(M’)
• If hash algo is second preimage resistant, attack is diff
• B)
• Finds M and M’ with same signature.
• Makes Alice sign M- has two pairs with same sign
• If hash algo is colli resis then this is difficult
• C)
• Random D found which matches with random sign S. Finds Message D=h(M)
• If preimage resis this is difficult

Dr. Nandhini Vineeth 24

Cryptographic Hash Functions
• Known-Message Attack
• Eve has two - (M1,S1) and (M2,S2) – same private key
• Calculates S≡S1 XS2
• IF can find an mess M such that h(M) ≡ h(M1) X h(M2) she had forged a new
message
• Finding M is difficult if HA is preimage resistant
• Chosen Known-Message Attack
• Eve can ask Alice to sign two legitimate mess M1 and M2 for her
• Eve creates a new signature S ≡ S1 X S2
• Calculates h(M) ≡ h(M1)x h(M2)- if a message M can be found given h(M) the
new message is forgery
• Diff if HA is preimage resistant
Dr. Nandhini Vineeth 25
Key Management
• Key Distribution Centre

Dr. Nandhini Vineeth 26

Dr. Nandhini Vineeth 27
Ticket
• Contains the identitites of Alice, Bob and the session key
• Encrypted with Bob’s key

Dr. Nandhini Vineeth 28

Kerberos
• Simple protocol had a flaw - Eve can use the replay attack ie. she can
save the message in step 3 and replay it later
• Kerberos is an authentication protocol, and at the same time a KDC,
that has become very popular.
• named after the three-headed dog in Greek mythology that guards
the gates of Hades
• Three servers are involved in the Kerberos protocol: an authentication
server (AS), a ticket-granting server (TGS), and a real (data) server that
provides services to others.
• Bob is the real server and Alice is the user requesting service

Dr. Nandhini Vineeth 29

Dr. Nandhini Vineeth 30
AS and TGS
• Authentication Server (AS)
• The authentication server (AS) is the KDC in the Kerberos protocol. Each user
registers with the AS and is granted a user identity and a password. The AS has a
database with these identities and the corresponding passwords. The AS verifies the
user, issues a session key to be used between Alice and the TGS, and sends a ticket
for the TGS.
• Ticket-Granting Server (TGS)
• The ticket-granting server (TGS) issues a ticket for the real server (Bob). It also
provides the session key (KAB) between Alice and Bob. Kerberos has separated user

• Kerberos has separated user verification from the issuing of tickets.

• Alice verifies her ID just once with the AS, she can contact the TGS multiple
times to obtain tickets for different real servers.

Dr. Nandhini Vineeth 31

Real Server
• The real server (Bob) provides services for the user (Alice).
• Kerberos is designed for a client-server program, such as FTP, in which
a user uses the client process to access the server process. Kerberos is
not used for person-to-person authentication.

Dr. Nandhini Vineeth 32

Dr. Nandhini Vineeth 33
Using Different Servers
• Note that if Alice needs to receive services from different servers, she
need repeat only the last four steps. The first two steps have verified
Alice’s identity and need not be repeated. Alice can ask TGS to issue
tickets for multiple servers by repeating steps 3 to 6

Dr. Nandhini Vineeth 34

SYMMETRIC-KEY AGREEMENT
• Symmetric-key agreement :
• Sender and Rx can make a session key without the help of a Key Distribution
Centre.
• Diffie-Hellman Key Agreement:
• Diffie-Hellman protocol:
• Choose two numbers p and g.
• p- large prime number (300 decimal digits /1024 bits).
• g-is a generator of order p − 1 in the group <Zp*,x> .
• p and g can be made public

Dr. Nandhini Vineeth 35

Diffie-Hellman protocol

Dr. Nandhini Vineeth 36

Dr. Nandhini Vineeth 37
Diffie-Hellman

Dr. Nandhini Vineeth 38

Diffie-Hellman

Dr. Nandhini Vineeth 39

Diffie-Hellman
• Analysis of Diffie-Hellman
• Secret Key - three parts: g, x, and y.
• First part is public
• Both Alice and Bob know 2/3 of secret
• They get the key with the received value and their own secret key
• gxy = gyx helps in generation of the key
• Alice cannot find the value y used by Bob because the calculation is done in
modulo p; Alice receives gy mod p from Bob, not gy

Dr. Nandhini Vineeth 40

Diffie-Hellman

Dr. Nandhini Vineeth 41

DHKE- Security- Discrete Logarithm Attack
• Security of Diffie-Hellman
• The Diffie-Hellman key exchange is susceptible to two attacks: the discrete
logarithm attack and the man-in-the-middle attack.
• Discrete Logarithm Attack:
• Eve can intercept R1 and R2. If she can find x from R1 = gx mod p and y from R2 = gy mod
p, then she can calculate the symmetric key K = gxy mod p
• the following are recommended.
1. The prime p must be very large (more than 300 decimal digits).
2. The prime p must be chosen such that p − 1 has at least one large prime factor (more
than 60 decimal digits).
3. The generator must be chosen from the group .
4. Bob and Alice must destroy x and y after they have calculated the symmetric key. The
values of x and y must be used only once.

Dr. Nandhini Vineeth 42

DHKE- Man in the middle attack
• Man-in-the-Middle Attack:
• Eve need not find x and y.
• Can generate two keys – one to be used with Alice and another with Bob – fooling
them
• These keys can be kept secret.
• The following can happen:
1. Alice chooses x, calculates R1 = gx mod p, and sends R1 to Bob.
2. Eve, the intruder, intercepts R1. She chooses z, calculates R2 = gz mod p, and sends
R2 to both Alice and Bob.
3. Bob chooses y, calculates R3 = gy mod p, and sends R3 to Alice. R3 is intercepted by
Eve and never reaches Alice.
4. Alice and Eve calculate K1 = gxz mod p, which becomes a shared key between Alice
and Eve. Alice, however, thinks that it is a key shared between Bob and herself.

Dr. Nandhini Vineeth 43

DHKE- Man in the middle attack
• In other words, two keys, instead of one, are created
• She can even change the message or send a totally new message.
• Bob is fooled into believing that the message has come from Alice. A
similar scenario can happen to Alice in the other direction. This
situation is called a man-in-the-middle attack because Eve comes in
between and intercepts R1, sent by Alice to Bob, and R3, sent by Bob
to Alice. It is also known as a bucket brigade attack because it
resembles a short line of volunteers passing a bucket of water from
person to person. The next method, based on the Diffie-Hellman uses
authentication to thwart this attack.

Dr. Nandhini Vineeth 44

DHKE- Man in the middle attack

Dr. Nandhini Vineeth 45

PUBLIC-KEY DISTRIBUTION
• Public Announcement
•

Dr. Nandhini Vineeth 46

Trusted Center

Dr. Nandhini Vineeth 47

Controlled Trusted Center

Dr. Nandhini Vineeth 48

Certification authority

Dr. Nandhini Vineeth 49

X.509

Dr. Nandhini Vineeth 50

• Certificate Renewal - AUTOMATIC like credit cards
• Certificate Revocation
• In some cases a certificate must be revoked before its expiration. Here are some
examples:

a. The user’s (subject’s) private key (corresponding to the public key listed in the
certificate) might have been comprised.

b.The CA is no longer willing to certify the user. For example, the user’s certificate
relates to an organization that she no longer works for.
c. The CA’s private key, which can verify certificates, may have been
compromised. In this case, the CA needs to revoke all unexpired certificates.
Dr. Nandhini Vineeth 51
Dr. Nandhini Vineeth 52
Delta Revocation
• To make revocation more efficient, the delta certificate revocation list
(delta CRL) has been introduced. A delta CRL is created and posted on
the directory if there are
• changes after this update date and next update date. For example, if
CRLs are issued every month, but there are revocations in between,
the CA can create a delta CRL when there is a change during the
month. However, a delta CRL contains only the changes made after
the last CRL.

Dr. Nandhini Vineeth 53