An Overview of Cryptography

(Part II)
Message Authentication
• Protection against falsification (forgery) of data and
transactions
• Message authentication is a procedure that allows
communicating parties to verify that the received
messages are authentic
– Source is authentic
– Contents of the message have not been altered
– Sequence relative to other messages flowing between
two parties
– Message’s timeliness
• Avoids replay attacks

– Replay attack
• A user sends a hashed password to the server for
authentication
• The attacker sniffs the hashed password
• Some time later, the attacker pretends to be the user and sends
the sniffed hashed password to the server

Image source: https://en.wikipedia.org/wiki/Replay_attack#/media/File:Replay_attack_on_hash.svg
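The replay scenario above, and the standard countermeasure (a fresh server nonce, so that what crosses the wire is bound to one login attempt), as an added Python example that is not part of the original slides. The user store, password and message formats are constructed for the demonstration; the naive server accepts the hashed password as-is, the challenge-response server consumes each nonce once.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store: the server keeps a SHA-256 of the password (a weak choice
# for password storage, but it is what the slide's scenario assumes).
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


class NaiveServer:
    """Accepts the hashed password itself as the credential.

    Whatever crosses the wire *is* the credential, so a sniffed value can be replayed."""

    def login(self, user: str, hashed_password: str) -> bool:
        stored = USERS.get(user, "")
        return hmac.compare_digest(stored, hashed_password)


class ChallengeServer:
    """Challenge-response: the client proves knowledge of the secret by MACing a fresh
    nonce. The response is bound to a nonce the server accepts only once."""

    def __init__(self) -> None:
        self.outstanding: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        issued = self.outstanding.pop(user, None)  # consume: each nonce is usable once
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        stored = USERS.get(user)
        if stored is None:
            return False
        # Note: the stored hash acts as the key, so a leak of the server's store is
        # password-equivalent for this protocol (the usual "pass-the-hash" caveat).
        expected = hmac.new(stored.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side: derive the same key the server holds and MAC the nonce with it."""
    key = hashlib.sha256(password.encode()).hexdigest().encode()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_naive() -> bool:
    server = NaiveServer()
    # Attacker sniffs the hashed password the user sent earlier...
    sniffed = hashlib.sha256(b"correct horse battery staple").hexdigest()
    # ...and replays it later: accepted.
    return server.login("alice", sniffed)


def replay_against_challenge() -> tuple[bool, bool, bool]:
    server = ChallengeServer()
    nonce = server.challenge("alice")
    response = client_response("correct horse battery staple", nonce)
    genuine = server.login("alice", nonce, response)        # legitimate login
    replayed = server.login("alice", nonce, response)       # same (nonce, response) again
    fresh = server.challenge("alice")
    stale = server.login("alice", fresh, response)          # old response, new nonce
    return genuine, replayed, stale
```

`replay_against_naive()` returns True (the replay is accepted); `replay_against_challenge()` returns (True, False, False): only the genuine exchange succeeds, the captured response is useless both for the consumed nonce and for a new one.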

• The following introduces different ways for
message authentication
• Encrypt the Whole Message
– Assume that only the sender and the receiver share the
secret key for conventional encryption (e.g., AES)
– Only the true sender would be able to encrypt a
message successfully
– Include an error-detection code
• Ensures that no alterations have been made (encryption by itself
does not guarantee that a modified ciphertext is noticed, so this
check is essential)
– Include a sequence number
• Ensure that the sequencing is proper
– Include a timestamp
• Ensure that the message has not been delayed to avoid the
replay attack
– Drawback
• Time consuming to encrypt and decrypt all messages

• Authentication Tag
– Generated and appended to each message
– The message itself is not encrypted and can be read at
the destination independent of the authenticating
function
– Advantage: Save execution time for decryption
• E.g., one side has a heavy load and cannot afford the time to
decrypt all incoming messages
• E.g., a sender sends a broadcast message to many receivers
– Disadvantage: Message confidentiality is not provided
• May not be a problem for broadcast messages
– Two kinds of authentication tag are introduced here
1. Message Authentication Code (MAC)
2. Using a one-way hash function

• Message Authentication Code (MAC)
– A small fixed-size block of data computed from the message
under a secret key
– Both parties (A and B) share a common secret key K_AB
– When A sends a message M to B
• A calculates the message authentication code MAC_M

MAC_M = F(K_AB, M)

• A sends M and MAC_M to B
• B performs the same calculation to obtain MAC_M
• The calculated code is compared with the received code (the
comparison should run in constant time, so that it does not leak,
byte by byte, how much of a forged tag is correct)
• If they are the same, the message is authentic and was produced
by a holder of K_AB
– However, it may not be efficient if the size of M is very
large

Message Authentication using a Message Authentication Code (MAC)

[Figure: sender runs the MAC algorithm with K_AB over the message
and transmits the message together with the MAC; receiver runs the
same MAC algorithm with K_AB over the received message and compares
the result with the received MAC.]
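The MAC procedure of the slide above, as an added Python example that is not part of the original slides: F is instantiated with HMAC-SHA256 from the standard library, the comparison is constant-time, and the receiver also enforces the sequence number that the earlier slide lists as a replay defence. The `seq=<n>|<payload>` message format and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def mac_tag(key: bytes, message: bytes) -> bytes:
    """MAC_M = F(K_AB, M), with F instantiated as HMAC-SHA256 (32-byte tag)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time. A plain `==`
    short-circuits on the first differing byte and can leak how much of a guess is right."""
    return hmac.compare_digest(mac_tag(key, message), tag)


class Receiver:
    """Verifies the tag, then enforces the sequence number carried inside the
    authenticated message so that an old but validly tagged message is rejected."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, message: bytes, tag: bytes) -> str:
        if not verify_tag(self.key, message, tag):
            return "bad tag"          # altered, forged, or wrong key
        header, _ = message.split(b"|", 1)    # constructed format: b"seq=<n>|<payload>"
        seq = int(header.split(b"=", 1)[1])
        if seq <= self.last_seq:
            return "replay"           # tag is valid, but the message is not fresh
        self.last_seq = seq
        return "ok"


def demo() -> tuple[str, str, str, str]:
    k_ab = secrets.token_bytes(32)   # shared between A and B out of band
    m1 = b"seq=17|PAY 100 TO BOB"
    t1 = mac_tag(k_ab, m1)
    b = Receiver(k_ab)
    first = b.accept(m1, t1)                                    # "ok"
    replay = b.accept(m1, t1)                                   # "replay"
    tampered = b.accept(m1.replace(b"100", b"900"), t1)         # "bad tag"
    forged = b.accept(b"seq=18|PAY 900 TO MALLORY", bytes(32))  # "bad tag": no K_AB, no tag
    return first, replay, tampered, forged
```

The sequence check only works because the sequence number is inside the authenticated message; a counter carried outside the MAC could be rewritten by the attacker.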
• One-way Hash Function H
– Accept a variable-size message M as input
– Produce a fixed-size message digest h as output
– One-way hash function H(M) = h:
• Given M, it is computationally easy to generate h
• Given h, it is computationally infeasible to find M
– Example
• The SHA-256 hash of “a” (without quotes) is
– CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB
• The SHA-256 hash of “a…a” (1000 a’s) is
– 41EDECE42D63E8D9BF515A9BA6932E1C20CBC9F5A5D134645ADB5DB1B9737EA3

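The digest computation above and the download-checksum use on the next slide, as an added Python example that is not part of the original slides: a streaming SHA-256 over a file of any size, checked against a published digest. The file and its “published” checksum (the slide's digest of “a”) are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """Fixed-size (256-bit) digest of a variable-size input, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Digest a file of any size by streaming it through the hash in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """Check a downloaded file against a published SHA-256 checksum.

    The checksum only helps if it came through a channel the attacker cannot tamper
    with (the vendor's HTTPS page, a signed release note): a checksum served next to a
    replaced file can be replaced along with it."""
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo() -> tuple[bool, bool]:
    # Constructed download: a one-byte file containing "a", and the published digest for it
    # (the value quoted on the slide).
    published = "CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "download.bin")
        with open(path, "wb") as f:
            f.write(b"a")
        intact = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")          # one extra byte: every bit must match
        corrupted = verify_download(path, published)
    return intact, corrupted          # (True, False)
```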
– In our daily life, when we download a file from the
Internet, sometimes it is accompanied by a hash value
• It is used as the checksum to ensure the integrity of the
downloaded file
• Every bit of the downloaded file is the same as that of the file
on the server side
– Back to our case: unlike the MAC function, the one-way hash
function H does not take a secret key as input.
– To authenticate a message, the message digest h is computed and
sent together with the message in such a way that h is authentic,
such as
a) Using Conventional Encryption
b) Using Public-key Encryption
c) Using Secret Value
(a) Using Conventional Encryption

[Figure: sender computes the digest H(M), encrypts it with K_AB (E)
and transmits the message together with the encrypted digest;
receiver decrypts the digest with K_AB (D), recomputes H(M) and
compares.]

Authentication: Yes
Nonrepudiation: No
– The sender can deny that he/she sent the message, because the
receiver also knows K_AB.
– It is possible that the receiver pretends to be the sender and
sends the message to himself/herself.
(b) Using Public-key Encryption

[Figure: sender computes the digest H(M), encrypts it with the
sender's private key K_private (E) and transmits the message together
with the encrypted digest; receiver decrypts the digest with the
sender's public key K_public (D), recomputes H(M) and compares.]

Authentication: Yes
Nonrepudiation: Yes
– Encryption (signing): sender's private key
– Decryption (verification): sender's public key
– The receiver does not have the sender's private key → this
ensures nonrepudiation
(c) Using Secret Value (Shared by the Sender and the Receiver)

[Figure: sender computes H over the secret value and the message and
transmits the message together with the digest; receiver combines
the same secret value with the received message, recomputes the
digest and compares.]

Authentication: Yes
Nonrepudiation: No
– The advantage is that no encryption or decryption is required.
– Caveat: how the secret value is combined with the message
matters. If the secret is simply prepended, H(secret ‖ M), and H is
a Merkle–Damgård hash such as MD5, SHA-1, SHA-256 or SHA-512, an
attacker who sees M and its digest can compute a valid digest for
an extended message M ‖ padding ‖ M′ without knowing the secret
(length extension). The standard keyed construction that avoids
this is HMAC.
Secure Hash Functions
• One-way hash function
• Produce a “fingerprint” for a file, a message, or a
block of data.
• Important for
– Password hashing
– File integrity checking
– Message authentication
– Digital signatures

• Requirements (for hash function H)
– The following three requirements are for the
convenience and efficiency of practical
applications.
1. H can be applied to a block of data of any
size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any
given x, making both hardware and software
implementations practical.

– The next three requirements concern security.
4. Suppose H(x) = h. For any given digest h, it
is computationally infeasible to find x.
• Preimage Resistance
• The one-way property
• If this requirement is not satisfied
– Our plaintext passwords could be recovered from the hashed
passwords stored in /etc/shadow on Linux
– For method (c), the attacker could recover the secret value (or
an equivalent input producing the same digest) and pretend to be
the sender to send any message

5. Suppose H(x) = H(y), where x ≠ y. For any given
block x, it is computationally infeasible to find y.
• Second Preimage Resistance
• Also called Weak Collision Resistance
• A collision occurs when H(x) = H(y), where x ≠ y
– A collision must exist for hash functions
» The number of possible combinations of the input far exceeds the
number of possible combinations of the output
» There must exist some inputs having the same output (the
Pigeonhole principle)
• Even though collisions exist, this and the next requirements
require that they are difficult to be found
• If this requirement is not satisfied, in methods (a) / (b)
– M is exposed
– Easy for the attacker to find another message M’, where H(M) = H(M’)
– It follows that Encrypted H(M) = Encrypted H(M’)
– Since Encrypted H(M) is also exposed, the attacker does not need to
know the secret key / the private key to obtain the encrypted digest for
M’
– The attacker can append Encrypted H(M) to M’, and pretend to be the
sender to send M’.
6. It is computationally infeasible to find any
pair of (x, y) such that H(x) = H(y).
• Strong Collision Resistance
– In general, if we simply use the term “collision
resistance”, we are referring to strong collision resistance
• A hash function having this property is a strong hash
function.
• Otherwise, it is a weak hash function.
• This property is used to protect against the birthday
attack

• Birthday Paradox
– It gets its name from the surprising result that the
probability that two or more people in a group of 23
share the same birthday is greater than 0.5.
– If a function, when supplied with a random input,
returns one of k equally-likely values, then by
repeatedly evaluating the function for different inputs,
the chance of obtaining the same output twice reaches 50% after
about 1.2·√k (= 1.2·k^0.5) samples.
– For the above birthday paradox, replace k with 365.
• For simplicity, we exclude leap year and assume that the 365
possible birthdays are equally-likely.
• The chance of two or more people having the same birthday:
– 100% for a group of 366 people
– 99.9% for a group of 70 people
– 50.7% for a group of 23 people
• Birthday Attack
– To sign a message, the sender has to append an m-bit
signature (encrypted digest)
– The signature can be obtained by applying a hash
function to the message and then encrypt the digest
using the private key
• i.e., method (b)
– But if the hash function does not satisfy the 6th property,
an attacker can trick a victim to sign a fraudulent
message by the steps on the next page

– The attacker generates a set of 2^(m/2) normal messages, all conveying
the same meaning.
– The attacker generates another set of 2^(m/2) fraudulent messages, all
conveying another meaning in the same way.
– The attacker matches the two sets to find a pair of messages (one
normal and one fraudulent) with the same digest.
• By birthday paradox, there is a chance to find such a pair.
– The attacker offers the victim the paired normal message to sign to
obtain the signature (encrypted digest of the paired normal
message)
– Encrypted digest of the paired normal message = Encrypted digest
of the paired fraudulent message
– The attacker attaches the signature with the paired fraudulent
message and claims that the victim has signed the paired
fraudulent message
Normal Messages / Fraudulent Messages (each line is one pair):
Yes / No
Yes! / No!
Yes!! / No!!
YES / NO
Sure / No way
No problem / Negative
… / …
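The birthday numbers and the two-set attack above, as an added Python example that is not part of the original slides. `collision_probability()` reproduces the 23 / 70 / 366 figures, and `birthday_attack()` runs the attack against an m-bit hash modelled by truncating SHA-256 (full SHA-256 has no known collisions; the truncation, and the two sentences whose variants differ only in inter-word spacing, are constructed for the demonstration).

```python
import hashlib
import math


def collision_probability(k: int, n: int) -> float:
    """P(at least two of n samples coincide) when each sample is one of k equally likely
    values: 1 - (k/k)((k-1)/k)...((k-n+1)/k). With k = 365 this is the birthday paradox."""
    if n > k:
        return 1.0                     # pigeonhole: more samples than values
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def samples_for_even_odds(k: int) -> float:
    """Rule of thumb from the slide: about 1.2 * sqrt(k) samples give a 50% collision chance.
    For an m-bit digest k = 2**m, so this is about 2**(m/2)."""
    return 1.2 * math.sqrt(k)


def spacing_variants(words: list[str], count: int):
    """Yield `count` renderings of one sentence that differ only in whether each inter-word
    gap is one space or two (bit j of the variant index selects gap j). The text reads the
    same to a human, but every rendering has a different digest."""
    gaps = len(words) - 1
    if count > 2 ** gaps:
        raise ValueError("not enough gaps for that many variants")
    for i in range(count):
        parts = [words[0]]
        for j in range(gaps):
            parts.append("  " if (i >> j) & 1 else " ")
            parts.append(words[j + 1])
        yield "".join(parts)


def short_digest(msg: str, m_bits: int) -> int:
    """Model an m-bit hash by keeping the top m bits of SHA-256. This stands in for a weak
    hash; with m = 256 the search below would be infeasible."""
    h = hashlib.sha256(msg.encode()).digest()
    return int.from_bytes(h, "big") >> (256 - m_bits)


def birthday_attack(normal: list[str], fraud: list[str], m_bits: int, per_side: int):
    """Index `per_side` variants of the normal message by digest, then scan `per_side`
    variants of the fraudulent message for a matching digest.
    Returns (normal_msg, fraud_msg, digest) or None."""
    table: dict[int, str] = {}
    for msg in spacing_variants(normal, per_side):
        table.setdefault(short_digest(msg, m_bits), msg)
    for msg in spacing_variants(fraud, per_side):
        d = short_digest(msg, m_bits)
        if d in table:
            return table[d], msg, d
    return None


# Constructed sentence pair: same wording, different amount (18 words, so 17 variable gaps).
NORMAL = "I agree to pay Bob the sum of one hundred dollars for the work he completed last week".split()
FRAUD = "I agree to pay Bob the sum of ten thousand dollars for the work he completed last week".split()

if __name__ == "__main__":
    print(round(collision_probability(365, 23), 3))      # 0.507
    # m = 28 with 2**16 variants per side: about 2**32 / 2**28 = 16 cross-collisions expected,
    # so a match is found in well under a second.
    print(birthday_attack(NORMAL, FRAUD, 28, 2 ** 16))
```

The victim signs the returned normal variant; because the truncated digests agree, the same signature is valid for the fraudulent variant. Doubling m doubles only the exponent of the attacker's work, which is why a 128-bit digest (2^64 work) is no longer considered adequate for signatures.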
• MD5 (Message Digest Algorithm 5)
– Designed by Ron Rivest; published as RFC 1321 in 1992.
– Input: arbitrary length.
– Output: 128-bit message digest.
– On paper, finding a message with a given digest is on
the order of 2^128 operations.
– On paper, finding a collision (two messages having the
same message digest) is on the order of 2^64 operations.
– The following diagrams highlight the MD5 algorithm

[Figures: MD5 algorithm overview. Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html]
– However, MD5 is now considered broken in
terms of collision resistance
– A practical collision attack with a complexity of
2^18 operations was presented in 2013
• Can be done by modern computers within a
second
– Hence, MD5 should not be used for applications
that rely on collision resistance, such as digital
signatures and digital certificates

– The preimage resistance of MD5 still holds
– There is only a theoretical preimage attack with a
complexity of 2^123.4 operations, presented in 2009
• Nvidia GeForce RTX 4090 GPU: 164.1 GH/s ≈ 2^37.26 H/s
• Nvidia GeForce RTX 3090 Ti GPU: 79738.8 MH/s ≈ 2^36.21 H/s
• 8x Nvidia GeForce GTX 1080 Ti GPUs: 307.2 GH/s ≈ 2^38.16 H/s
• Estimate: 2^123.4 / 2^38.16 seconds ≈ 10^18 years
– Even so, MD5 is not a good password hashing
function nowadays
• The computation of MD5 is “too fast”
• In practice, not all users choose strong passwords, so
weak passwords (e.g., simple variations of dictionary
words) can be cracked by guessing
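The point above, as an added Python example that is not part of the original slides: a dictionary-plus-mangling attack recovers a weak password from an unsalted MD5 in a few hundred guesses, while a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from the standard library, the usual remedy for “too fast”) makes every guess expensive and unique per user. The wordlist, the leaked hash and the storage format are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed: a tiny wordlist and a "leaked" unsalted MD5 hash of a weak password.
WORDLIST = ["password", "qwerty", "summer", "dragon"]
LEAKED_MD5 = hashlib.md5(b"Summer2023").hexdigest()


def candidates(word: str):
    """Cheap mangling rules a cracker applies to each dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("!", "1", "123", *map(str, range(2019, 2026))):
            yield base + suffix


def crack_md5(target_hex: str, wordlist: list[str]):
    """Guess-and-check against an unsalted MD5. MD5 is cheap enough that GPUs try tens of
    billions of guesses per second, so even large rule sets finish quickly."""
    for word in wordlist:
        for guess in candidates(word):
            if hashlib.md5(guess.encode()).hexdigest() == target_hex:
                return guess
    return None


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256). The per-user salt defeats precomputed
    tables; the iteration count makes each guess cost ~200,000 hash computations.
    Storage format (constructed): algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

`crack_md5(LEAKED_MD5, WORDLIST)` returns "Summer2023" after 39 guesses; the same guessing against the PBKDF2 output would cost 200,000 SHA-256 computations per guess and would have to be repeated for every user because of the salt.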
• Other Secure Hash Functions
– As was the case with symmetric block ciphers,
designers of secure hash functions have been reluctant
to depart from a proven structure.
• DES : Feistel cipher
– Many subsequent block ciphers follow the Feistel design.
– Similarly, most important modern hash functions
follow the basic structure of Merkle–Damgård (MD)
construction.
• See next page
– The structure can produce a secure hash function.
– Concentrate to design a collision-resistant compression
function.

[Figure: Merkle–Damgård construction]
• SHA-1 (Secure Hash Algorithm 1)
– Developed by the National Institute of Standard and
Technology (NIST).
– Published as a Federal Information Processing Standard
(FIPS PUB 180) in 1993.
– The revised version was issued in 1995 and is generally
referred to as SHA-1.
– Structure: Merkle–Damgård (MD) construction
– Input message with a maximum length of 2^64 − 1 bits.
– Output a 160-bit message digest.
– The following diagram shows the compression function
used by SHA-1

[Figure: SHA-1 compression function. Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html]
– However, NIST deprecated SHA-1 (for digital signatures) in 2011
due to fundamental security weaknesses demonstrated in
various analyses and theoretical attacks
– The first practical freestart collision attack on SHA-1, with
complexity 2^57.5, was presented in 2015
• Freestart collision: the attacker can choose the IV
• A collision can be found in about 10 days on
64x Nvidia GeForce GTX 970 GPUs
– The first practical concrete collision attack on SHA-1, with
complexity 2^63, was presented in 2017
• It took about 1 year of computation on 110 GPUs

• SHA-2 (Secure Hash Algorithm 2)
– A family of 6 hash functions designed by the US National
Security Agency (NSA) and first published by NIST in 2001
• SHA-224
– Digest size: 224 bit
• SHA-256
– Digest size: 256 bit
– Popular, faster than SHA-512 on 32-bit machines
• SHA-384
– Digest size: 384 bit
• SHA-512
– Digest size: 512 bit
– Popular, faster than SHA-256 on 64-bit machines
• SHA-512/224
– Truncate SHA-512 to digest size with 224 bit
• SHA-512/256
– Truncate SHA-512 to digest size with 256 bit
[Figures: SHA-2 structure. Image source: Stallings, Cryptography and Network Security: Principles and Practice (6th Edition)]
Comparison of hash functions

MD5
– Digest length (bits): 128
– Block size (bits): 512
– Number of rounds: 64 (4 rounds of 16)
– Maximum message size: ∞
– Remark: Collisions found

SHA-1
– Digest length (bits): 160
– Block size (bits): 512
– Number of rounds: 80 (4 rounds of 20)
– Maximum message size: 2^64 − 1
– Remark: Collisions found

RIPEMD-160
– Digest length (bits): 160
– Block size (bits): 512
– Number of rounds: 160 (5 paired rounds of 16)
– Maximum message size: ∞
– Remark: Used in PGP and Bitcoin (allowing shorter Bitcoin addresses)

SHA-2
– Digest length (bits): 224 / 256 / 384 / 512
– Block size (bits): 512 / 1024
– Number of rounds: 64 / 80
– Maximum message size: 2^64 − 1 / 2^128 − 1
– Remark: Widely used

SHA-3 (prepared for the future)
– Digest length (bits): 224 / 256 / 384 / 512 / arbitrary
– Block size (bits): 1152 / 1088 / 832 / 576 / 1344 / 1088
– Number of rounds: 24
– Maximum message size: ∞
– Remark: A new hashing standard in 2015
