Ccs Unit4

The document discusses integrity and authentication algorithms, focusing on message authentication requirements, functions, and public-key encryption. It elaborates on various hashing algorithms like MD5 and SHA, digital signature properties, and the Digital Signature Standard. Additionally, it covers authentication applications such as Kerberos and X.509, emphasizing security concerns like confidentiality and replay attacks.

Uploaded by dharnesh9696

UNIT IV INTEGRITY AND AUTHENTICATION ALGORITHMS
Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – SHA – Digital signature and authentication protocols – DSS – Entity Authentication: Biometrics, Passwords, Challenge Response protocols – Authentication applications – Kerberos, X.509
Message Authentication Requirements
• Disclosure
– Release of message contents to any person or process not possessing the appropriate cryptographic key
• Traffic analysis
– Discovery of the pattern of traffic between parties
• Masquerade
– Insertion of messages into the network from a fraudulent source
• Content modification
– Changes to the contents of a message, including insertion, deletion, transposition, and modification
• Sequence modification
– Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
• Timing modification
– Delay or replay of messages
• Source repudiation
– Denial of transmission of message by source
• Destination repudiation
– Denial of receipt of message by destination
Message Authentication Functions
• Two levels of functionality:
Lower level
• There must be some sort of function that produces an authenticator
– Message encryption: the ciphertext of the entire message serves as its authenticator
– Message authentication code (MAC): a function of the message and a secret key that produces a fixed-length value that serves as the authenticator
– Hash function: a function that maps a message of any length into a fixed-length hash value which serves as the authenticator
Higher level
• Uses the lower-level function as a primitive in an authentication protocol that enables a receiver to verify the authenticity of a message
Public-Key Encryption
• The straightforward use of public-key
encryption provides confidentiality but not
authentication
• To provide both confidentiality and
authentication, A can encrypt M first using its
private key which provides the digital
signature, and then using B’s public key,
which provides confidentiality
• Disadvantage is that the public-key algorithm
must be exercised four times rather than two
in each communication
MAC concept
Requirements for MACs
Taking into account the types of attacks, the MAC needs to satisfy the following:
• The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key
• The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext
• The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others
Message Digest 5 – (MD-5)
Input : blocks of 512 bits
Initial Vector: 128 bits
Output: 128 bits
For each 512 bits input: 4 rounds performed
MD5: Message Digest Version 5
Input: Message; Output: 128-bit Digest
• Until recently the most widely used hash algorithm
– in recent times have both brute-force & cryptanalytic concerns
• Specified as Internet standard RFC1321
MD5 Overview
1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
– Using 4 rounds of 16 bit operations on message block
& buffer
– Add output to buffer input to form new buffer value
5. Output hash value is the final buffer value
Padding Twist
• Given original message M, add padding bits “10*” such that the resulting length is 64 bits less than a multiple of 512 bits.
• Append (original length in bits mod 2^64), represented in 64 bits, to the padded message
• Final message is chopped into 512-bit blocks
MD5 Process
• As many stages as the number of 512-bit blocks
in the final padded message
• Digest: 4 32-bit words: MD=A|B|C|D
• Every message block contains 16 32-bit words:
m0|m1|m2…|m15
– Digest MD0 initialized to:
A=01234567,B=89abcdef,C=fedcba98,
D=76543210
– Every stage consists of 4 passes over the message
block, each modifying MD
• Each block 4 rounds, each round 16 steps
Processing of Block m_i - 4 Passes (figure: MD_i = A|B|C|D enters the first pass, and m_i feeds every pass)
ABCD = fF(ABCD, m_i, T[1..16])
ABCD = fG(ABCD, m_i, T[17..32])
ABCD = fH(ABCD, m_i, T[33..48])
ABCD = fI(ABCD, m_i, T[49..64])
MD_{i+1} = MD_i + ABCD (A, B, C and D each added word-wise)
Different Passes...
Each step t (0 <= t <= 79):
• Input:
– m_t – a 32-bit word from the message, with a different shift every round
– T_t – int(2^32 * abs(sin(i))), 0 < i < 65; provides a randomized set of 32-bit patterns, which eliminate any regularities in the input data
– ABCD: current MD
• Output:
– ABCD: new MD
MD5 Compression Function
• Each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but
used in varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function
in each round (F,G,H,I)
MD5 Compression Function
Functions and Random Numbers
• F(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)
– selection function
• G(B,C,D) = (B ∧ D) ∨ (C ∧ ¬D)
• H(B,C,D) = B ⊕ C ⊕ D
• I(B,C,D) = C ⊕ (B ∨ ¬D)
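The whole MD5 algorithm as these slides describe it (padding, the T table from sin(i), the four rounds F/G/H/I and the step equation), as an added Python example that is not from the slides; it is cross-checked against hashlib's MD5.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Left-rotation amount s for each of the 64 steps (four rounds of 16 steps).
S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
     [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# T[i] = int(2^32 * abs(sin(i))) for i = 1..64, stored 0-based here.
T = [int(abs(math.sin(i)) * 2 ** 32) & MASK for i in range(1, 65)]


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md5_pad(msg: bytes) -> bytes:
    """Append 1 0* so the length is 448 mod 512 bits, then the 64-bit original length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF            # original length mod 2^64
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)                # little-endian, per RFC 1321


def md5(msg: bytes) -> bytes:
    # Initial buffer: the slide's byte strings 01 23 45 67 ... read as little-endian words.
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):                     # one stage per 512-bit block
        X = struct.unpack("<16I", padded[off:off + 64])        # words m0 .. m15
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            # Round function g(b,c,d) and message-word index k change every 16 steps.
            if i < 16:
                g, k = (b & c) | (~b & d), i                  # F: selection function
            elif i < 32:
                g, k = (b & d) | (c & ~d), (5 * i + 1) % 16   # G
            elif i < 48:
                g, k = b ^ c ^ d, (3 * i + 5) % 16            # H
            else:
                g, k = c ^ (b | ~d), (7 * i) % 16             # I
            f = (a + (g & MASK) + X[k] + T[i]) & MASK
            # a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s); then the four roles rotate.
            a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
        # Add this block's output to the buffer input to form the new buffer value.
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the C implementation behind hashlib."""
    return md5(msg) == hashlib.md5(msg).digest()
```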
Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1
• Based on the hash function MD4 and its design
closely models MD4
• Produces 160-bit hash values
• In 2002 NIST produced a revised version of the
standard that defined three new versions of SHA
with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2
Table 11.3 Comparison of SHA Parameters (table not reproduced in the extracted text)
Note: All sizes are measured in bits.
SHA-512 Processing Steps
• Step 1: Append padding bits. The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)].
• Step 2: Append length. A block of 128 bits holding the original message length is appended to the message. The outcome of the first two steps is a message whose length is an integer multiple of 1024 bits, i.e. every block is 1024 bits, and the last block is also 896 + 128 = 1024 bits.
• Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
• Step 4: Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a module that consists of 80 rounds; this module is labelled F in Figure 11.9. The logic is illustrated in Figure 11.10.
• Step 5: Output. After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
SHA-512 Logic (figure can be found on page 337 in the textbook)
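Steps 1 and 2 of SHA-512 as code, an added example that is not from the slides, including the boundary case: a 111-byte message still fits in one 1024-bit block, while a 112-byte message forces a second block because the 1-bit, the zeros and the 128-bit length no longer fit.

```python
import struct


def sha512_pad(msg: bytes) -> bytes:
    """Step 1: pad 1 0* to 896 mod 1024 bits; Step 2: append the 128-bit big-endian
    original length. The result is always a multiple of 1024 bits (128 bytes)."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"                                   # the single 1 bit
    padded += b"\x00" * ((112 - len(padded) % 128) % 128)    # zeros up to 896 mod 1024 bits
    # 128-bit length as two big-endian 64-bit halves (high word is 0 for short inputs).
    padded += struct.pack(">QQ", bit_len >> 64, bit_len & 0xFFFFFFFFFFFFFFFF)
    assert len(padded) % 128 == 0
    return padded


def block_count(msg: bytes) -> int:
    """Number N of 1024-bit blocks the padded message occupies (Step 5's N)."""
    return len(sha512_pad(msg)) // 128
```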
Digital signature and authentication protocols
• General Model
• Properties of Digital Signature
• Attack Possibilities in DS
Digital Signature Standard Algorithm
• ElGamal
• Schnorr
DSS
Digital Signature Properties
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties, to resolve disputes
Attacks
• Key-only attack
– C only knows A’s public key
• Known message attack
– C is given access to a set of messages and their signatures
• Generic chosen message attack
– C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key; C then obtains from A valid signatures for the chosen messages
• Directed chosen message attack
– Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen
• Adaptive chosen message attack
– C may request from A signatures of messages that depend on previously obtained message-signature pairs
Forgeries
• Total break
– C determines A’s private key
• Universal forgery
– C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages
• Selective forgery
– C forges a signature for a particular message chosen by C
• Existential forgery
– C forges a signature for at least one message; C has no control over the message
Digital Signature Requirements
• The signature must be a bit pattern that depends on
the message being signed
• The signature must use some information unique to
the sender to prevent both forgery and denial
• It must be relatively easy to produce the digital
signature
• It must be relatively easy to recognize and verify the
digital signature
• It must be computationally infeasible to forge a digital
signature, either by constructing a new message for
an existing digital signature or by constructing a
fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital
signature in storage
Direct Digital Signature
• Refers to a digital signature scheme that involves only the communicating parties
– It is assumed that the destination knows the public key of the source
– Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
– It is important to perform the signature function first and then an outer confidentiality function
– In case of dispute some third party must view the message and its signature
– The validity of the scheme depends on the security of the sender’s private key
– If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature
– One way to thwart or at least weaken this ploy is to require every signed message to include a timestamp and to require prompt reporting of compromised keys to a central authority
ElGamal Digital Signature
• Scheme involves the use of the private key for encryption and the public key for decryption
• Global elements are a prime number q and a, which is a primitive root of q
• Uses private key for encryption (signing)
• Uses public key for decryption (verification)
Elgamal digital signature
• Select a prime number q and a, where a is a primitive root of q.
Verification at Receiver Side
Example: Choose q = 19 & a = 10.
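The ElGamal signing and verification steps worked through for the slide's parameters q = 19 and a = 10, as an added Python example that is not from the slides. The private key X_A = 16, the hash value m = 14 and the per-message secret K = 5 are values chosen here for illustration; the verifier also rejects an S1 outside 1..q-1, which the textbook check a^m = Y_A^S1 · S1^S2 (mod q) alone would not.

```python
from math import gcd


def is_primitive_root(a: int, q: int) -> bool:
    """a is a primitive root of the prime q if a^1..a^(q-1) mod q are all distinct."""
    return len({pow(a, i, q) for i in range(1, q)}) == q - 1


def elgamal_keygen(q: int, a: int, x_a: int) -> int:
    """Private key X_A with 1 < X_A < q-1; public key Y_A = a^X_A mod q."""
    assert 1 < x_a < q - 1 and is_primitive_root(a, q)
    return pow(a, x_a, q)


def elgamal_sign(q: int, a: int, x_a: int, m: int, k: int):
    """Sign hash value m (0 <= m <= q-1) with a fresh secret K, gcd(K, q-1) = 1."""
    assert 0 <= m <= q - 1 and 1 <= k <= q - 1 and gcd(k, q - 1) == 1
    s1 = pow(a, k, q)                          # S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)                  # K^-1 mod (q-1)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)    # S2 = K^-1 (m - X_A S1) mod (q-1)
    return s1, s2


def elgamal_verify(q: int, a: int, y_a: int, m: int, s1: int, s2: int) -> bool:
    """Accept iff V1 = a^m mod q equals V2 = (Y_A)^S1 (S1)^S2 mod q."""
    if not 0 < s1 < q:                         # reject malformed S1 before any arithmetic
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2
```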
Schnorr Digital Signature
• Scheme is based on discrete logarithms
• Minimizes the message-dependent amount
of computation required to generate a
signature
– Multiplying a 2n-bit integer with an n-bit integer
• Main work can be done during the idle time
of the processor
• Based on using a prime modulus p, with p – 1
having a prime factor q of appropriate size
– Typically p is a 1024-bit number, and q is a 160-
bit number
NIST Digital Signature Algorithm
• Published by NIST as Federal Information Processing Standard FIPS 186
• Makes use of the Secure Hash Algorithm (SHA)
• The latest version, FIPS 186-3, also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography
DSA Signing and Verifying
Elliptic Curve Digital Signature Algorithm (ECDSA)
Four elements are involved:
• All those participating in the digital signature scheme use the same global domain parameters, which define an elliptic curve and a point of origin on the curve
• A signer must first generate a public, private key pair
• A hash value is generated for the message to be signed; using the private key, the domain parameters, and the hash value, a signature is generated
• To verify the signature, the verifier uses as input the signer’s public key, the domain parameters, and the integer s; the output is a value v that is compared to r; the signature is verified if v = r
Authentication Applications
Kerberos
X.509
Henric Johnson 1
Security Concerns
• key concerns are confidentiality and
timeliness
• to provide confidentiality must encrypt
identification and session key info
• which requires the use of previously shared
private or public keys
• need timeliness to prevent replay attacks
• provided by using sequence numbers or
timestamps or challenge/response

KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
KERBEROS
• Users wish to access services on servers.
• Three threats exist:
– A user pretends to be another user.
– A user alters the network address of a workstation.
– A user eavesdrops on exchanges and uses a replay attack.
KERBEROS
• Provides a centralized authentication
server to authenticate users to
servers and servers to users.
• Relies on conventional encryption,
making no use of public-key
encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
Kerberos Version 4
• Terms:
– C = Client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS and V
– TS = timestamp
– || = concatenation
A Simple Authentication
Dialogue
(1) C 🡲 AS: IDc || Pc || IDv
(2) AS 🡲 C: Ticket
(3) C 🡲 V: IDc || Ticket

Ticket = EKv[IDc || Pc || IDv]

Version 4 Authentication
Dialogue
• Problems:
– Lifetime associated with the ticket-granting
ticket
– If too short 🡲 repeatedly asked for password
– If too long 🡲 greater opportunity to replay
• The threat is that an opponent will steal the
ticket and use it before it expires

Version 4 Authentication Dialogue
Authentication Service Exchange: To obtain Ticket-Granting Ticket
(1) C 🡲 AS: IDc || IDtgs || TS1
(2) AS 🡲 C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]

Ticket-Granting Service Exchange: To obtain Service-Granting Ticket
(3) C 🡲 TGS: IDv || Tickettgs || Authenticatorc
(4) TGS 🡲 C: EKc[Kc,v || IDv || TS4 || Ticketv]

Client/Server Authentication Exchange: To Obtain Service
(5) C 🡲 V: Ticketv || Authenticatorc
(6) V 🡲 C: EKc,v[TS5 + 1]
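The client/server exchange (messages 5 and 6) with the checks V performs on the ticket lifetime and on the authenticator's timestamp, as an added Python example that is not from the slides. DES is replaced by a constructed hash-based authenticated cipher so it runs with the standard library alone; the names ServerV and demo, the field names inside tickets, and the 300-second clock-skew window are this example's own choices.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds of clock drift V tolerates in an authenticator's TS5

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, fields: dict) -> bytes:
    """E_K[...]: constructed authenticated encryption standing in for DES."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class ServerV:
    """V knows K_v (shared with the TGS) and remembers authenticators it has accepted."""
    def __init__(self, k_v: bytes, id_v: str):
        self.k_v, self.id_v, self.seen = k_v, id_v, set()

    def handle(self, ticket_v: bytes, authenticator_c: bytes, src_addr: str, now: int):
        """Message (5) arrives; return message (6) E_Kc,v[TS5 + 1], or None to refuse."""
        t = decrypt(self.k_v, ticket_v)        # Ticket_v = E_Kv[Kc,v||IDc||ADc||IDv||TS4||Lifetime4]
        if t["IDv"] != self.id_v or not t["TS4"] <= now < t["TS4"] + t["Lifetime4"]:
            return None                         # wrong server, or ticket outside its lifetime
        k_cv = bytes.fromhex(t["Kcv"])
        a = decrypt(k_cv, authenticator_c)      # Authenticator_c = E_Kc,v[IDc||ADc||TS5]
        if a["IDc"] != t["IDc"] or a["ADc"] != t["ADc"] or src_addr != t["ADc"]:
            return None                         # ticket presented by someone other than its owner
        if abs(now - a["TS5"]) > CLOCK_SKEW or (a["IDc"], a["TS5"]) in self.seen:
            return None                         # stale or replayed authenticator
        self.seen.add((a["IDc"], a["TS5"]))
        return encrypt(k_cv, {"TS5+1": a["TS5"] + 1})

def demo(now: int = 1_700_000_000):
    """Legitimate exchange, then a replay of it, then use after the ticket lifetime."""
    k_v, k_cv = os.urandom(32), os.urandom(32)  # constructed keys
    v = ServerV(k_v, "printsrv")
    ticket = encrypt(k_v, {"Kcv": k_cv.hex(), "IDc": "alice", "ADc": "10.0.0.5",
                           "IDv": "printsrv", "TS4": now - 60, "Lifetime4": 3600})
    auth = encrypt(k_cv, {"IDc": "alice", "ADc": "10.0.0.5", "TS5": now})
    reply = v.handle(ticket, auth, "10.0.0.5", now)
    ok = reply is not None and decrypt(k_cv, reply)["TS5+1"] == now + 1
    replayed = v.handle(ticket, auth, "10.0.0.5", now + 5)          # same authenticator again
    late_auth = encrypt(k_cv, {"IDc": "alice", "ADc": "10.0.0.5", "TS5": now + 4000})
    expired = v.handle(ticket, late_auth, "10.0.0.5", now + 4000)   # ticket lifetime passed
    return ok, replayed is None, expired is None
```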
Overview of Kerberos
Request for Service in Another Realm
Difference Between Version 4 and 5
• Encryption system dependence (V.4 DES)
• Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Interrealm authentication
Kerberos Encryption Techniques
PCBC Mode
Kerberos - in practice
• Currently have two Kerberos versions:
– 4 : restricted to a single realm
– 5 : allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
– specified in RFC1510, and used by many utilities
• To use Kerberos:
– need to have a KDC on your network
– need to have Kerberised applications running on all participating systems
• major problem - US export restrictions
– Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
– else crypto libraries must be reimplemented locally
X.509 Certificates
• Part of the X.500 series of recommendations that define a directory service
– The directory is, in effect, a server or distributed set of servers that maintains a database of information about users
• X.509 defines a framework for the provision of authentication services by the X.500 directory to its users
– Was initially issued in 1988 with the latest revision in 2000
– Based on the use of public-key cryptography and digital signatures
– Does not dictate the use of a specific algorithm but recommends RSA
– Does not dictate a specific hash algorithm
• Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority
• X.509 defines alternative authentication protocols based on the use of public-key certificates
Certificates
Created by a trusted Certification Authority (CA) and have the following elements:
– Version
– Serial number
– Signature algorithm identifier
– Issuer name
– Period of validity
– Subject name
– Subject’s public-key information
– Issuer unique identifier
– Subject unique identifier
– Extensions
– Signature
Obtaining a Certificate
User certificates generated by a CA have the following characteristics:
• Any user with access to the public key of the CA can verify the user public key that was certified
• No party other than the certification authority can modify the certificate without this being detected
– Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them
– In addition, a user can transmit his or her certificate directly to other users
– Once B is in possession of A’s certificate, B has confidence that messages it encrypts with A’s public key will be secure from eavesdropping and that messages signed with A’s private key are unforgeable
Certificate Revocation
• Each certificate includes a period of validity
– Typically a new certificate is issued just before the expiration of the old one
• It may be desirable on occasion to revoke a certificate before it expires, for one of the following reasons:
– The user’s private key is assumed to be compromised
– The user is no longer certified by this CA
– The CA’s certificate is assumed to be compromised
• Each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA
– These lists should be posted on the directory
X.509 Version 3
• Version 2 format does not convey all of the information that recent design and implementation experience has shown to be needed
• Rather than continue to add fields to a fixed format, standards developers felt that a more flexible approach was needed
– Version 3 includes a number of optional extensions
– The certificate extensions fall into three main categories:
– Key and policy information
– Subject and issuer attributes
– Certification path constraints
Each extension consists of:
• An extension identifier
• A criticality indicator
• An extension value
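The period-of-validity check, the revoked-but-not-expired rule for the CA's revocation list, and what a verifier does with the criticality indicator, as an added Python example that is not from the slides. Certificates here are plain dicts carrying the fields the slides list (no DER parsing), the CA's signature is assumed to have been verified already, and the "known extension" set and serial numbers are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

# Extension identifiers this toy verifier understands. The two OIDs are the real
# ones for keyUsage and basicConstraints; any other identifier is "unrecognised".
KNOWN_EXTENSIONS = {"2.5.29.15", "2.5.29.19"}


def build_crl(revocations: dict, now: datetime) -> dict:
    """The CA's list of revoked but not expired certificates: serial -> revocation
    date. Entries whose certificate has already expired are dropped from the list."""
    return {serial: revoked_on for serial, (revoked_on, not_after) in revocations.items()
            if now <= not_after}


def validate(cert: dict, crl: dict, now: datetime):
    """Returns (accepted, reason) for a certificate whose CA signature is assumed checked."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "outside period of validity"
    if cert["serial"] in crl:
        return False, "revoked on " + crl[cert["serial"]].date().isoformat()
    for ext_id, critical, _value in cert["extensions"]:
        # Each extension = identifier, criticality indicator, value. A critical
        # extension the verifier does not understand makes the certificate unusable;
        # an unrecognised non-critical extension is simply ignored.
        if critical and ext_id not in KNOWN_EXTENSIONS:
            return False, "unrecognised critical extension " + ext_id
    return True, "ok"


def _cert(serial: int, start: datetime, days: int, extensions: list) -> dict:
    return {"serial": serial, "not_before": start,
            "not_after": start + timedelta(days=days), "extensions": extensions}


def demo():
    """Five constructed certificates checked at one point in time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = _cert(1001, start, 365, [("2.5.29.15", True, "digitalSignature")])
    revoked = _cert(1002, start, 365, [])
    old_revoked = _cert(1003, start - timedelta(days=400), 365, [])  # expired before now
    unknown_crit = _cert(1004, start, 365, [("1.2.3.4.5", True, "?")])
    unknown_noncrit = _cert(1005, start, 365, [("1.2.3.4.5", False, "?")])
    crl = build_crl({1002: (start + timedelta(days=30), revoked["not_after"]),
                     1003: (start - timedelta(days=100), old_revoked["not_after"])}, now)
    verdicts = {c["serial"]: validate(c, crl, now)[0]
                for c in (good, revoked, old_revoked, unknown_crit, unknown_noncrit)}
    return verdicts, sorted(crl)
```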
