25-02-2025

Authentication Protocols

Module 4

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

HASH Function
• A hash function H
• It accepts a variable-length block of data M as input and produces
a fixed-size hash value
• h = H(M)
• What is the output look like?
• Change in a bit or bits will change the output.
• Hash functions are used to determine whether or not data has changed
• Integrity – (CIA)
• The property a good hash function
• A large set of inputs will produce output
• Evenly distributed
• Apparently random

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

1
 25-02-2025

Cryptographic hash function

• Hash function needed for security applications
• It is an algorithm
• It is computationally infeasible to find message
• One-way property
• A data object that maps to a pre-specified hash result
• Collision-free property
• Two data objects does NOT map to the same hash result
• The input is padded out to an integer multiple of
• Some fixed length - 1024 bits
• Padding includes the length of the original message in bits

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

Usage of hash function

• It is used in a wide variety of security applications and Internet
protocols
• Message authentication
• Message authentication is a mechanism or service
• Used to verify the integrity of a message
• It assures the data received are exactly as sent.
• It has NO Modification  insertion, deletion
• If a hash function is used to provide message authentication
• The hash function value is often referred to as a message digest
• The authentication mechanism assures that
• purported identity of the sender is valid

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

2
 25-02-2025

Authentication

The hash function must be transmitted in a secure fashion.

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

MIM

If an adversary alters or replaces the message, it is not feasible for adversary to

alter the hash value also to fool the receiver.
SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

3
 25-02-2025

Secure hash

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

Secure hash

without preimage resistant the attacker can find the S value.

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

4
 25-02-2025

Message authentication
• A procedure to verify the received messages has
• Come from the alleged source (masquerade, MIM)
• Not been altered (modification)
• Sequencing (insertion, deletion, and reordering of message)
• Timeliness
• Non-repudiation
• A digital signature is an authentication technique with
• Measures to counter repudiation by the source.

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

Message authentication
• Hash function
• A function that maps a message of any length into a fixed length
hash value, which serves as the authenticator
• Message encryption
• The ciphertext of the entire message serves as its authenticator
CMAC
• Message authentication code MAC:
• A function of the message and a secret key
• It produces a fixed-length value that serves as the authenticator

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

5
 25-02-2025

Message Authentication Code (MAC)

• A MAC function takes as input
• A secret key
• A data block and produces a hash value
• It is used between two parties that share a secret key
• To authenticate information exchanged between those parties
• Input – Secret Key, Data
• Output – Hash value (MAC) related to protect message.
• If the integrity of the message needs to be checked,
• The MAC function can be applied to the message and the result
compared with the associated MAC value.

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

Message Authentication Code (MAC)

• An attacker who alters the message will be unable to alter the
associated MAC value without knowledge of the secret key
• The verifying party also knows who is the sending party, because no one else
knows the secret key
• The combination of following results in an MAC function
• Hashing
• Encryption
• A keyed hash function
• E(K,H(M)) -> hash -> MAC
• Is M variable here?
• Specific MAC algorithms are designed that are generally more efficient than an
encryption algorithm.
SWE 3002 Information & System Security
Prof. Rajesh Kumar VIT Chennai

6
 25-02-2025

CBC - cipher block chaining - Hash

• Simple XOR applied to 64-bit blocks of the message

• An encryption of the entire message that used the (CBC) mode.
• Given a message M
• A sequence of 64-bit blocks X1, X2, … , XN,
• Hash code h = H(M) as the
• Block-by block XOR of all blocks
• h = XN+1 = X1 ⊕ X2 ⊕ …. ⊕ XN
• Append the hash code as the final block
• Rotate the X after the XOR

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

CBC - cipher block chaining - Hash

• CV0 = IV = initial n-bit value

CVi = f(CVi - 1, Yi - 1) 1 ≤ i ≤ L What can be an f?
H(M) = CVL

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

7
 25-02-2025

Digital Signature
• The hash value of a message is encrypted with a user’s
private key.
• Who has the private key?
• Who can decrypt it
• Does it ensure non-repudiation?
• Does is ensure sender?
• Can the attacker use the public key to encrypt the hash value and
do MIM?
• An attacker who wishes to alter the message would need
to know the user’s private key.

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

Digital
• The Signature
hash value of a message is encrypted with a user’s private key.
• Only the sender could have produced the encrypted hash value
hash code.

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

8
 25-02-2025

Encryption and hash

• Encryption software is relatively slow.
• Even though the amount of data to be encrypted per message is small, there
may be a steady stream of messages into and out of a system.
• Encryption hardware costs are not negligible.
• Low-cost chip implementations of DES are available, but the cost adds up if
all nodes in a network must have this capability.
• Encryption hardware is optimized toward large data sizes.
• For small blocks of data, a high proportion of the time is spent in
initialization/invocation overhead.
• Encryption algorithms may be covered by patents, and there is a cost
associated with licensing their use
SWE 3002 Information & System Security
Prof. Rajesh Kumar VIT Chennai

SHA – Secure Hash Algorithm

• SHA originally designed by NIST and NSA in 1993
• FIPS 180
• The design closely models MD4.
• Revised in 1995 as SHA-1.
• It was called Secure Hash Standard (SHS)
• 160 bit hash
• FIPS 180-1, 1995
• Internet standard IETF  RFC3174
• 2005 results on security of SHA-1 have raised concerns on its use in future
applications.
• Research team needed 269 messages in place of 280 messages to find a hash collision.
• Phased out SHA-1

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

9
 25-02-2025

SHA – Secure Hash Algorithm

• NIST issued revision FIPS 180-2 in 2002
• Collectively known as SHA-2
• 3 versions of SHA
• SHA-256, SHA-384, SHA-512
• It is designed for compatibility with increased security provided by the
AES cipher
• These new versions have the same underlying structure
• Use the same types of modular arithmetic and
• Logical binary operations as SHA-1
• Hence, analysis should be similar
• But security levels are rather higher
• FIP PUB 180-3 in 2008
• 224-bit version
• IETF - RFC 4634
SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

SHA-3
• NIST announced in 2007 a competition to produce the next
generation NIST hash function
• Called SHA-3.
• The winning design for SHA-3 was announced by NIST in
October 2012.
• SHA-3 is a cryptographic hash function that is intended to
complement SHA-2.

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

10
 25-02-2025

SHA-512
• The processing consists of the following steps:
• Step 1: Append padding bits,
• consists of a single 1-bit followed by the necessary number of 0-bits,
• The length is congruent to 896 modulo 1024
• Step 2: Append length of message as unsigned 128-bit integer
• Big-endian
• Padded with 0
• Step 3: Initialize hash buffer to a set of 64-bit integer constants
• Step 4: Process the message in 1024-bit
• 128-word blocks, which forms the heart of the algorithm.
• Each round takes as input the 512-bit buffer value
• updates the contents of that buffer.
• 80 rounds of processing
• Step 5: Output the final state value as the resulting hash

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

SHA-512

a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

11
 25-02-2025

SHA-512
80 rounds of processing
For message and IV
1. 512 bit buffer (IV/Hi-1)
2. wt – 64 bit,
part of message or H0 = IV
Derived – message schedule Hi = SUM64(H i-1, abcdefghi)
3. Kt – Constant value MD = HN

Output of 80th round is input

To next block as IV

Last block of message and

Processing is SHA-512

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

SHA-512
One of the 80 round comprise of following

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

12
 25-02-2025

SHA-512

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

SHA-512

ROTR – circular right shift

SHR - Left shift, pad with 0
SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

13
 25-02-2025

SHA-512 algorithm
• It has the property that every bit of the hash code is a
• Function of every bit of the input.
• The complex repetition of the basic function F produces results that are well
mixed.
• It is unlikely that two messages chosen at random,
• Even if they exhibit similar regularities, will have the same hash code.
• Unless there is some hidden weakness in SHA-512
• It has not so far been published.
• The difficulty of coming up with two messages having the same MD
• on the order of 2256 operations
• The difficulty of finding a message with a given digest is
• on the order of 2512 operations
SWE 3002 Information & System Security
Prof. Rajesh Kumar VIT Chennai

Password Storage
• Should the admin be allowed to see user’s passwd.
• How can this be prevented?
• What if the hacker gets the passwd file.
• Can this be prevented?
• With given mechanism, is the CIA is ensured for the user

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

14
 25-02-2025

Virus detection/ Intrusion detection

• Store H(F) for each file on a system and
• Secure the hash values on a CD-R/ alternate secure storage that is kept
secure.
• One can later determine if a file has been modified by recomputing H(F).
• An intruder / virus would need to change file on the system without
changing H(F)

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

Pseudorandom Number Generator PRNG

• A cryptographic hash function can be used to construct

• A pseudorandom function (PRF) or
• A pseudorandom number generator (PRNG).
• The property a good hash function
• A large set of inputs will produce output
• Evenly distributed
• Apparently random

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

15
 25-02-2025

MAC by Message Encryption

Authentication by encryption.

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

MAC by Message Encryption

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

16
 25-02-2025

Keyed HASH function as MAC

• Hash execute faster in software than symmetric block ciphers
• code for cryptographic hash functions is widely available
• A MAC based on a hash function is better choice
• A hash function such as SHA was not designed for use
• As a MAC
• Cannot be used directly for MAC
• because it does not rely on a secret key.
• Keyed Hash means Pre-pending a key with Message
• KeyedHash = Hash(Key|Message)
• Some weaknesses were found with this
• Eventually led to development of HMAC
SWE 3002 Information & System Security
Prof. Rajesh Kumar VIT Chennai

HMAC
• HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M)] ]
• where K+ is the key left padded to size b with
zero
• opad, ipad are specified padding constants
• Any hash function can be used
• eg. MD5, SHA-1, RIPEMD-160, Whirlpool
• ipad = 00110110 (36 in hexadecimal)
repeated b/8 times
opad = 01011100 (5C in hexadecimal)
repeated b/8 times
• How to make HMAC more efficient?

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

17
 25-02-2025

HMAC
1. Append zeros to the left end of K to
create a b-bit string
2. XOR (bitwise exclusive-OR) K + with ipad
to produce the b-bit block Si.(Half flip)
3. Append M to Si.
4. Apply H to the stream generated in step 3
5. XOR K + with opad to produce the b-bit
block So (Half flip)
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6
and output the result

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

HMAC Security
• Designer of HMAC have proved security of HMAC relates to that of the
underlying hash algorithm
• In given time make message – MAC pairs with same key
• Attacking HMAC requires either:
• Brute force attack on key used – 2n
• Birthday attack 2n/2
• HAMC is keyed would need to observe a 2n number of messages with same key
• For a hash code (MD5) length of 128 bits,
• 264 observed blocks (272 bits) generated using the same key.
• On a 1-Gbps link, one would need to observe a continuous stream of messages
with no change in key for about 150,000 years in order to succeed. (MD5)
• Choose hash function based on speed verses security constraints

SWE 3002 Information & System Security

Prof. Rajesh Kumar VIT Chennai

18
 25-02-2025

HMAC - efficient
f(IV, (K + ⊕ ipad))
f(IV, (K + ⊕ opad))
n bits equal to IV
f(cv, block) is the compression function
for the hash function
Input : a chaining variable of n bits and a
block of b bits and produces a chaining
variable of n bits.

SWE 3002 Information & System Security Ref: Cryptography and Network Security Principles and Practice – William Stallings
Prof. Rajesh Kumar VIT Chennai

19