INTRODUCTION TO

CRYPTOGRAPHY
MESSAGE INTEGRITY AND DIGITAL SIGNATURES
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• In the previous lectures we saw how encryption can be used to provide confidentiality to
two communicating entities.
• In this lecture we turn to the equally important cryptography topic of providing message
integrity (also known as message authentication).
• Along with message integrity, we will discuss two related topics in this section: digital
signatures and end-point authentication.
• Suppose Bob receives a message (which may be encrypted or may be in plaintext) and he
believes this message was sent by Alice.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• To authenticate this message, Bob needs to verify:

• 1. The message indeed originated from Alice. (Authenticity)
• 2. The message was not tampered with on its way to Bob. (Integrity)
• We can thus be convinced that the message has integrity if we can prove its authenticity.
• For Example — when router B receives a link-state message from router A,
• router B should verify that router A actually created the message and, further, that no one
tampered with the message in transit.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• In this lecture, we describe a popular message integrity technique that is used by many
secure networking protocols.
• But before doing so, we need to cover another important topic in cryptography—
cryptographic hash functions.
• Cryptographic Hash Functions
• A cryptographic hash function is a mathematical function used in cryptography.
• It is a computational method that can map an indeterminate size of data into a fixed
size of data.
• Or more plainly, it provides a number quantity that represents the input data.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• A hash function takes an input, m, and computes a fixed-size string H(m) known as a
hash.
• A cryptographic hash function is required to have the following additional property:
• 1. It is computationally infeasible to find any two different messages x and y such that
• H(x) = H(y).
• This property means that it is computationally infeasible for an intruder to substitute one
message for another message that is protected by the hash function.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Initial message and fraudulent message have the same checksum!

MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• If (m, H(m)) are the message and the hash of the message created by the sender,
• then an intruder cannot forge the contents of another message, y, that has the same hash value
as the original message.

• The messages “IOU100.99BOB” and “IOU900.19BOB” have the same checksum.

• Thus, this simple checksum algorithm violates the requirement above. Given the original
data, it is simple to find another set of data with the same checksum.
• Clearly, for security purposes, we are going to need a more powerful hash function
than a checksum.
• The MD5 hash algorithm of Ron Rivest is in wide use today. It computes a 128-bit hash
in a four-step process consisting of
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• 1. a padding step
• adding a one followed by enough zeros so that the length of the message satisfies certain
conditions,

• 2. an append step
• appending a 64-bit representation of the message length before padding,

• 3. an initialization of an accumulator, and

• 4. a final looping step in which the message’s 16-word blocks are processed (mangled)
in four rounds.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• The second major hash algorithm in use today is the Secure Hash Algorithm (SHA-1)
• This algorithm is based on principles similar to those used in the design of MD4 the
predecessor to MD5.
• SHA-1, a US federal standard, is required for use whenever a cryptographic hash
algorithm is needed for federal applications. It produces a 160-bit message digest.
• The longer output length makes SHA-1 more secure.
• Message Authentication Code
• Now that we understand hash functions, let’s take a first stab at how we might perform
message integrity:
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• 1. Alice creates message m and calculates the hash H(m) (for example with SHA-1).
• 2. Alice then appends H(m) to the message m, creating an extended message (m, H(m)),
and sends the extended message to Bob.
• 3. Bob receives an extended message (m, h) and calculates H(m). If H(m) = h, Bob
concludes that everything is fine.
• This approach is obviously flawed. Trudy can create a bogus message m´ in which she
says she is Alice, calculate H(m´), and send Bob (m´, H(m´)).
• When Bob receives the message, everything checks out in step 3, so Bob doesn’t suspect
any funny business.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• To perform message integrity, in addition to using cryptographic hash functions, Alice

and Bob will need a shared secret s.
• This shared secret, which is nothing more than a string of bits, is called the
authentication key.
• Using this shared secret, message integrity can be performed as follows:
• 1. Alice creates message m, concatenates s with m to create m + s, and calculates the hash
H(m + s) (for example with SHA-1). H(m + s) is called the message authentication
code (MAC).
• 2. Alice then appends the MAC to the message m, creating an extended message (m, H(m
+ s)), and sends the extended message to Bob.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• MAC is shown below

MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• 3. Bob receives an extended message (m, h) and knowing s, calculates the MAC H(m +
s). If H(m + s) = h, Bob concludes that everything is fine.
• A summary of the procedure is shown on the previous slide. You should note that the
MAC here (standing for “message authentication code”)
• is not the same MAC used in link-layer protocols (standing for “medium access control”!

• One nice feature of a MAC is that it does not require an encryption algorithm.
• Indeed, in many applications, including the link-state routing algorithm,
• communicating entities are only concerned with message integrity and are not concerned
with message confidentiality.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Using a MAC, the entities can authenticate the messages they send to each other without
having to integrate complex encryption algorithms into the integrity process.
• A number of different standards for MACs have been proposed over the years.
• The most popular standard today is HMAC, which can be used either with MD5 or SHA-
1.
• HMAC actually runs data and the authentication key through the hash function twice
• There still remains an important issue. How do we distribute the shared authentication
key to the communicating entities?
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• A network administrator could actually accomplish this by physically visiting each of the
routers.
• Or, if the network administrator is a lazy guy, and if each router has its own public key,
• the network administrator could distribute the authentication key to any one of the routers
by encrypting it with the router’s public key
• and then sending the encrypted key over the network to the router.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Digital Signatures
• Your signature attests to the fact that you (as opposed to someone else) have
acknowledged and/or agreed with the document’s contents.
• In a digital world, one often wants to indicate the owner or creator of a document, or to
signify one’s agreement with a document’s content.
• A digital signature is a cryptographic technique for achieving these goals in a digital
world.
• Just as with handwritten signatures, digital signing should be done in a way that is
verifiable and nonforgeable.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• That is, it must be possible to prove that a document signed by an individual was indeed
signed by that individual (the signature must be verifiable)
• and that only that individual could have signed the document (the signature cannot be forged).

• Let’s now consider how we might design a digital signature scheme.

• Bob could consider attaching a MAC for the signature, where the MAC is created by
appending his key (unique to him) to the message, and then taking the hash.
• But for Alice to verify the signature, she must also have a copy of the key, in which
case the key would not be unique to Bob. Thus, MACs are not going to get the job done
here.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Recall that with public-key cryptography, Bob has both a public and private key, with
both of these keys being unique to Bob.
• Thus, public-key cryptography is an excellent candidate for providing digital signatures.
Let us now examine how it is done.
• Suppose that Bob wants to digitally sign a document, m. We can think of the document as
a file or a message that Bob is going to sign and send.
• To sign this document, Bob simply uses his private key, K- B, to compute K - B(m).
• At first, it might seem odd that Bob is using his private key. But recall that encryption and
decryption are nothing more than mathematical operations.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Creating a digital signature for a document

MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• and recall that Bob’s goal is not to scramble or obscure the contents of the document,
• but rather to sign the document in a manner that is verifiable and nonforgeable. Bob’s digital
signature of the document is

• To prove that Bob had indeed signed the document and was the only person who could
have possibly signed the document.
• Alice takes Bob’s public key, and applies it to the digital signature, K - B(m),
associated with the document, m.
• That is, she computes and she produces m, which exactly matches the
original document!
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• One concern with signing data by encryption is that encryption and decryption are
computationally expensive.
• Given the overheads of encryption and decryption, signing data via complete
encryption/decryption can be overkill.
• A more efficient approach is to introduce hash functions into the digital signature.
• a hash algorithm takes a message, m, of arbitrary length and computes a fixed-length
“fingerprint” of the message, denoted by H(m).
• Using a hash function, Bob signs the hash of a message rather than the message itself,
that is, Bob calculates K - B(H(m)).
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Since H(m) is generally much smaller than the original message m, the
computational effort required to create the digital signature is substantially reduced.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Figure on the previous slide provides a summary of the operational procedure of creating
a digital signature.
• Bob puts his original long message through a hash function.
• He then digitally signs the resulting hash with his private key.
• The original message (in cleartext) along with the digitally signed message digest
(henceforth referred to as the digital signature) is then sent to Alice.
• Figure on the next slide provides a summary of the operational procedure of the
signature.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

Verifying a signed message

MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Let’s briefly compare digital signatures with MACs, since they have parallels, but also
have important subtle differences.
• 1. Both digital signatures and MACs start with a message (or a document).
• 2. To create a MAC out of the message, we append an authentication key to the message,
and then take the hash of the result.
• 3. Note that neither public key nor symmetric key encryption is involved in creating the
MAC.
• 4. To create a digital signature, we first take the hash of the message and then encrypt the
message with our private key (using public key cryptography).
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Thus, a digital signature is a “heavier” technique, since it requires an underlying Public

Key Infrastructure (PKI) with certification authorities
• PGP—a popular secure e-mail system—uses digital signatures for message integrity.
• OSPF uses MACs for message integrity. MACs are also used for popular transport-layer
and network-layer security protocols.
• Public Key Certification
• An important application of digital signatures is public key certification, that is,
certifying that a public key belongs to a specific entity.
• Public key certification is used in many popular secure networking protocols, including
IPsec and SSL.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• For public key cryptography to be useful, you need to be able to verify that you have
the actual public key of the entity
• (person, router, browser, and so on) with whom you want to communicate.
• For example, when Alice wants to communicate with Bob using public key cryptography,
she needs to verify that the public key that is supposed to be Bob’s is indeed Bob’s.
• Binding a public key to a particular entity is typically done by a Certification Authority
(CA), whose job is to validate identities and issue certificates.
• A CA has the following roles:
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• 1. A CA verifies that an entity (a person, a router, and so on) is who it says it is.
• When dealing with a CA, one must trust the CA to have performed a suitably rigorous
identity verification
• You can trust the identity associated with a public key only to the extent to which you can
trust a CA and its identity verification techniques.
• What a tangled web of trust we spin!
• 2. Once the CA verifies the identity of the entity, the CA creates a certificate that binds
the public key of the entity to the identity.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• The certificate contains the public key and globally unique identifying information about
the owner of the public key (for example, a human name or an IP address).
• The certificate is digitally signed by the CA.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

• Let us now see how certificates can be used to combat pizza-ordering pranksters, like
Trudy, and other undesirables.
• When Bob places his order he also sends his CA-signed certificate. Alice uses the CA’s
public key to check the validity of Bob’s certificate and extract Bob’s public key.
• Both the International Telecommunication Union (ITU) and the IETF have developed
standards for CAs.
• Table on the next slide describes some of the important fields in a certificate.
MESSAGE INTEGRITY AND DIGITAL SIGNATURES
MESSAGE INTEGRITY AND DIGITAL SIGNATURES

The End