Computer Security:

Principles and Practice

Fourth Edition, Global Edition

By: William Stallings and Lawrie Brown

Chapter 21
Public-Key Cryptography and
Message Authentication
 Secure Hash Algorithm
(SHA)
• SHA was originally developed by NIST
• Published as FIPS 180 in 1993
• Was revised in 1995 as SHA-1
• Produces 160-bit hash values
• NIST issued revised FIPS 180-2 in 2002
• Adds 3 additional versions of SHA
• SHA-256, SHA-384, SHA-512
• With 256/384/512-bit hash values
• Same basic structure as SHA-1 but greater security
• The most recent version is FIPS 180-4 which
added two variants of SHA-512 with 224-bit and
256-bit hash sizes
 Table 21.1
Comparison of SHA Parameters

Notes: 1. All sizes are measured in bits.

2. Security refers to the fact that a birthday attack on a message digest of
size n produces a collision with a work factor of approximately 2n/2.
 SHA-3
• SHA-2 shares same structure and mathematical
operations as its predecessors and causes concern
• Due to time required to replace SHA-2 should it become
vulnerable, NIST announced in 2007 a competition to
produce SHA-3

Requirements:
• Must support hash value lengths of 224, 256,384, and 512
bits
• Algorithm must process small blocks at a time instead of
requiring the entire message to be buffered in memory
before processing it
 HMAC
• Interest in developing a MAC derived from a
cryptographic hash code
• Cryptographic hash functions generally execute faster
• Library code is widely available
• SHA-1 was not deigned for use as a MAC because it does not
rely on a secret key
• Issued as RFC2014
• Has been chosen as the mandatory-to-
implement MAC for IP security
• Used in other Internet protocols such as Transport Layer
Security (TLS) and Secure Electronic Transaction (SET)
 HMAC Design Objectives
To preserve the original
To use, without modifications, performance of the hash
available hash functions function without incurring a
significant degradation

To allow for easy

replaceability of the embedded
hash function in case faster or
more secure hash functions are
found or required

To have a well-understood
cryptographic analysis of the
To use and handle keys in a strength of the authentication
simple way mechanism based on
reasonable assumptions on the
embedded hash function
 Security of HMAC
• Security depends on the cryptographic strength of the underlying
hash function
• The appeal of HMAC is that its designers have been able to prove an
exact relationship between the strength of the embedded hash
function and the strength of HMAC
• For a given level of effort on messages generated by a legitimate
user and seen by the attacker, the probability of successful attack on
HMAC is equivalent to one of the following attacks on the
embedded hash function:
• The attacker is able to compute an output of the compression function even with an IV
that is random, secret, and unknown to the attacker

• The attacker finds collisions in the hash function even when the IV is random and secret
RSA Public-Key Encryption
• By Rivest, Shamir & Adleman of MIT in 1977
• Best known and widely used public-key algorithm
• Uses exponentiation of integers modulo a prime
• Encrypt: C = Me mod n
• Decrypt: M = Cd mod n = (Me)d mod n = M
• Both sender and receiver know values of n and e
• Only receiver knows value of d
• Public-key encryption algorithm with public key PU =
{e, n} and private key PR = {d, n}
 Security of RSA
Brute force

• Involves trying all possible private keys

Mathematical attacks

• There are several approaches, all equivalent in effort to factoring the

product of two primes

Timing attacks

• These depend on the running time of the decryption algorithm

Chosen ciphertext attacks

• This type of attack exploits properties of the RSA algorithm

Table 21.2

Progress in
Factorization
 Timing Attacks
• Paul Kocher, a cryptographic consultant, demonstrated
that a snooper can determine a private key by keeping
track of how long a computer takes to decipher messages
• Timing attacks are applicable not just to RSA, but also to
other public-key cryptography systems
• This attack is alarming for two reasons:
• It comes from a completely unexpected direction
• It is a ciphertext-only attack
 Timing Attack
Countermeasures
Constant
Random delay Blinding
exponentiation time

•Better performance could •Multiply the ciphertext

•Ensure that all be achieved by adding a by a random number
exponentiations random delay to the before performing
take the same exponentiation algorithm exponentiation
to confuse the timing •This process prevents
amount of time attack the attacker from
before returning a •If defenders do not add knowing what
result enough noise, attackers ciphertext bits are being
could still succeed by processed inside the
•This is a simple fix collecting additional computer and therefore
but does degrade measurements to prevents the bit-by-bit
performance compensate for the analysis essential to the
random delays timing attack
 Diffie-Hellman Key
Exchange
• First published public-key algorithm
• By Diffie and Hellman in 1976 along with the
exposition of public key concepts
• Used in a number of commercial products
• Practical method to exchange a secret key
securely that can then be used for subsequent
encryption of messages
• Security relies on difficulty of computing
discrete logarithms
 Diffie-Hellman Example
A
t
t
a
c
k
e
r

m
u
s
t

s
o
l
v
e
:
• 3
a

m
o
d

3
5
3

4
0

w
h
i
c
h

i
s

h
a
r
d
• D
e
s
i
r
e
d

a
n
s
w
e
r

i
s

9
7
,

t
h
e
n

c
o
m
p
u
t
e

k
e
y

a
s

d
o
e
s
Man-in-the-Middle Attack
• Attack is:
1. Darth generates private keys XD1 and XD2, and their
public keys YD1 and YD2
2. Alice transmits YA to Bob
3. Darth intercepts YA and transmits YD1 to Bob. Darth
also calculates K2
4. Bob receives YD1 and calculates K1
5. Bob transmits XA to Alice
6. Darth intercepts XA and transmits YD2 to Alice. Darth
calculates K1
7. Alice receives YD2 and calculates K2
• All subsequent communications compromised
Other Public-Key Algorithms
Digital Signature
Elliptic-Curve
Standard (DSS) Cryptography (ECC)

• FIPS PUB 186 • Equal security for smaller bit size

than RSA
• Makes use of SHA-1 and the
Digital Signature Algorithm (DSA) • Seen in standards such as IEEE
P1363
• Originally proposed in 1991,
• Confidence level in ECC is not
revised in 1993 due to security yet as high as that in RSA
concerns, and another minor
revision in 1996 • Based on a mathematical
construct known as
• Cannot be used for encryption or the elliptic
key exchange curve

• Uses an algorithm that is designed

to provide only the digital
signature function
 Summary
• Authenticated
• Secure hash functions encryption
• Simple hash functions
• The SHA secure hash • The RSA public-
function key encryption
• SHA-3
algorithm
• Diffie-Hellman and • Description of the
other asymmetric algorithm

algorithms • The security of RSA

• Diffie-Helman key exchange • HMAC

• Other public-key • HMAC design
cryptography algorithms objectives
• HMAC algorithm
• Security of HMAC