Unit 4

Uploaded by

devangtyagi69

Message Authentication and Hash Functions

- Dr. G.S. Rawat


Message Authentication and Hash Functions

• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Hash Functions
• Security of Hash Functions and MACs
Authentication Requirements

Disclosure:
Release of message contents to any person or process not possessing the appropriate
cryptographic key
Traffic analysis:
Discovery of the pattern of traffic between parties
frequency and duration of connections
number and length of messages between parties
Masquerade:
fraudulent acknowledgments of message receipt or nonreceipt
Insertion of messages into the network from a fraudulent source
Authentication Requirements…
Content modification:
Changes to the contents of a message, including insertion, deletion,
transposition, and modification
Sequence modification:
Any modification to a sequence of messages between parties, including
insertion, deletion, and reordering
Timing modification:
Delay or replay of messages
Authentication Requirements…
Source repudiation:
Denial of transmission of message by source

Destination repudiation:
Denial of receipt of message by destination
Authentication Requirements …
• Disclosure → Message Confidentiality
• Traffic analysis
• Masquerade
• Content Modification → Message Authentication
• Sequence modification
• Timing modification
• Source repudiation → Digital Signature
• Destination repudiation
Message Authentication
verify received messages come from the alleged source (unaltered)
verify sequencing and timeliness
Digital Signature
authentication technique
counter repudiation by the source
Authentication Functions
Two levels of functionality:
function that produces an authenticator (low level)
verify the authenticity of a message (high level)
Authentication Functions …

Functions that produce an authenticator:
• Message encryption
• Message authentication code (MAC)
• Hash function
Message Encryption
ciphertext of the entire message serves as its authenticator
message encryption by itself can provide a measure of authentication
Case: Symmetric Encryption

Confidentiality : no other party can recover the plaintext

B is assured that the message was generated by A ?

symmetric encryption provides authentication as well as confidentiality


Case: Symmetric Encryption
• Provides confidentiality
Only A and B share K
• Provides authentication
Could come only from A
Has not been altered in transit
Issue??
Receiver could forge message
Sender could deny message
Why ??
no Signature
Case: Public-Key Encryption

Provides confidentiality : Only B has key to decrypt


Issue ??
Provides no authentication
Any party could use PUb to encrypt message and claim to be A

Only A has PRa to encrypt

Has not been altered in transit

Any party can use PUa to verify signature


Provides confidentiality because of PUb

Provides authentication and signature because of PRa


Message Authentication Code (MAC)
A function of the message and a secret key that produces a fixed-length
value that serves as the authenticator -> MAC
cryptographic checksum
Example
Two communicating parties, say A and B
K = shared secret key
M = input message

function (K,M) => message authentication code

M + MAC is transmitted
Only A and B share K
Provides authentication: Only A and B share K1

Provides confidentiality: Only A and B share K2


Provides authentication Using K1

Provides confidentiality Using K2

NOTE: MAC does not provide a digital signature (sender and receiver share the same key)
Message Authentication Code ! Why ?
Scenario 1: Same message is broadcast to number of destinations

cheaper and more reliable ( single destination monitoring authenticity)

message broadcast in plaintext + associated message authentication code


responsible system (secret key) performs authentication

violation => other destination systems are alerted


MAC ! Why ?
Scenario 2: heavy load and cannot afford the time to decrypt all
incoming messages

authentication is carried out on a selective basis


messages being chosen at random for checking
MAC ! Why ?
Scenario 3: Authentication of a computer program in plaintext
computer program can be executed without having to decrypt every
time
If assurance was required of the integrity of the program
message authentication code can be attached to the program
MAC Properties
MAC is a cryptographic checksum
• Condenses a variable length M to a fixed length authenticator
MAC is a many-to-one function
• potentially many messages have same MAC
• finding these is difficult
MAC : Requirements
• MACs should be uniformly distributed
• MAC should depend equally on all bits of the message
• knowing a message and MAC, should be computationally infeasible to
find another message with same MAC
Hash Function
• a hash function accepts a variable-size message M as input and produces a fixed size
output
• hash code H(M)
• Unlike a MAC, a hash code does not use a key but is a function only of the input
message

Other names: message digest or hash value


error-detection capability: A change to any bit or bits in the message results in a
change to the hash code
Provides confidentiality : Only A and B share K

Provides authentication : H(M) is cryptographically protected


Provides authentication : H(M) is cryptographically protected
Only hash code is encrypted, no confidentiality
hash function but no encryption for message authentication
cannot modify an intercepted message and cannot generate a false message

Provides authentication : Only A and B share S


Confidentiality : encrypting the entire message plus the hash code
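
The difference between an unkeyed hash code H(M) and a MAC computed with the shared key K, as an added example that is not part of the original slides. HMAC-SHA-512 is an assumed choice for the MAC function, and the key and messages are constructed sample values.

```python
import hashlib
import hmac

def mac(key: bytes, msg: bytes) -> bytes:
    """MAC = C(K, M). HMAC-SHA-512 is an assumed choice of C."""
    return hmac.new(key, msg, hashlib.sha512).digest()

def authenticator(msg: bytes, key=None) -> bytes:
    """Keyed MAC when K is given, otherwise the bare hash code H(M)."""
    return mac(key, msg) if key is not None else hashlib.sha512(msg).digest()

def protect(msg: bytes, key=None):
    """Sender: transmit M together with its authenticator."""
    return msg, authenticator(msg, key)

def accept(msg: bytes, tag: bytes, key=None) -> bool:
    """Receiver: recompute the authenticator and compare in constant time."""
    return hmac.compare_digest(authenticator(msg, key), tag)

def modify_in_transit(new_msg: bytes):
    """A party without K replaces M. The only authenticator it can
    recompute is the unkeyed hash, because H needs no secret."""
    return new_msg, hashlib.sha512(new_msg).digest()

def demo() -> dict:
    key = b"constructed-shared-key-K"            # constructed sample key
    msg = b"transfer 100 to account 42"          # constructed sample message
    changed = b"transfer 900 to account 66"      # constructed modification
    results = {}
    for label, k in (("hash", None), ("mac", key)):
        m, tag = protect(msg, k)
        results[label + "_intact"] = accept(m, tag, k)
        m2, tag2 = modify_in_transit(changed)
        # Modified message with a freshly recomputed unkeyed hash
        results[label + "_modified_recomputed"] = accept(m2, tag2, k)
        # Modified message with the original authenticator left in place
        results[label + "_modified_old_tag"] = accept(m2, tag, k)
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} accepted={accepted}")
```

With the bare hash, a modified message whose hash was recomputed is accepted; with the MAC it is rejected because the recomputation needs K.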
Encryption or NOT
growing interest in techniques that avoid encryption;
Encryption software is relatively slow
Encryption hardware costs are not negligible
Encryption hardware is optimized toward large data sizes
Encryption algorithms may be covered by patents
Digital Signatures

Authentication + signature
confidentiality + digital signature
Hash Function : Requirements
• H can be applied to a block of data of any size
• H produces a fixed-length output
• H(x) is relatively easy to compute for any given x, making both hardware
and software implementations practical
• For any given value h, it is computationally infeasible to find x such that
H(x) = h (one-way property)
• For any given block x, it is computationally infeasible to find y != x such
that H(y) = H(x) (weak collision resistance)
• It is computationally infeasible to find any pair (x, y) such that H(x) =
H(y) (strong collision resistance)
Hash Function : Requirements
Relationship among properties
Properties for various hash function apps
Security : BRUTE FORCE ATTACK

for a hash code of length m, the level of effort required


Security : BRUTE FORCE ATTACK

A brute-force attack on a MAC is more difficult (requires known message-MAC pairs)
the attacker will require chosen text-MAC pairs or knowledge of the key
the level of effort for brute-force attack on a MAC algorithm can be
expressed as min(2^k , 2^n )
key size is k bits
MAC length is n bits
General Structure of Secure Hash Code

hash algorithm involves repeated use of a compression function


Security : Cryptanalysis
• Cryptanalysis of hash functions focuses on the internal structure of f
• on attempts to find efficient techniques for producing collisions for a
single execution of f
• attack must take into account the fixed value of IV
• attacks that have been mounted on hash functions are rather complex
Security : Cryptanalysis
• There is much more variety in the structure of MACs than in hash
functions
• difficult to generalize about the cryptanalysis of MACs
Cryptographic Hash Functions
takes a message of arbitrary length and creates a message digest of fixed
length

Iterated Hash Function


- a function with fixed-size input ( compression function)
- iterated over number of times

Example : Merkle-Damgard Scheme


Merkle-Damgard Scheme
Two Groups of Compression Functions
• compression function is made from scratch
• a symmetric-key block cipher as CF

Hash Functions Made from Scratch (MD and SHA)


Hash Functions Based on Block Cipher (Rabin scheme, Davies-Meyer scheme etc.)
Secure Hash Algorithm (SHA)
• Developed by National Institute of Standards and Technology (NIST)
• Published as a Federal Information Processing Standard (FIPS 180)
• Secure Hash Standard (SHS)

• SHA-1, SHA-256, SHA-384, and SHA-512


Comparison of SHA parameters
SHA -512
• SHA-512 is the version of SHA with a 512-bit message digest
• based on the Merkle-Damgard scheme
SHA-512: Message Preparation
SHA-512 creates a 512-bit message digest out of a message less than 2^128 bits

2^128 bits is probably larger than the total storage capacity of any system

no need to worry about the SHA-512 message length restriction
SHA- 512 : Length Field and Padding

(|M| + |P| + 128) = 0 mod 1024 → |P| = (− |M| − 128) mod 1024
SHA- 512 : Length Field and Padding

What is the number of padding bits if the length of the original message is 2590 bits?

|P| = (−2590 − 128) mod 1024 = −2718 mod 1024 = 354

The padding consists of one 1 followed by 353 0’s


SHA- 512 : Words

• SHA-512 operates on words; it is word oriented


• A word is defined as 64 bits
SHA- 512 : Words Expansion
SHA- 512 : Words Expansion …
Example : how W60 is made ?
Each word in the range W16 to W79 is made from four previously-made
words
SHA-512 : Message Digest
Initialization

• values are calculated from the first eight prime numbers (2, 3, 5, 7, 11,
13, 17, and 19)
• square root (19)^1/2 = 4.35889894354
SHA-512: Compression Function
SHA- 512: Structure of each round …

• B,C,D,F,G,H are created from previous buffers


• For A and E it is a bit complex


SHA-512: Structure of each round …
SHA-512: Structure of each round …
• Majority Function

• Conditional Function

• Rotate Function
SHA- 512: Majority Function
Example : Majority function on buffers A, B, and C
• If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE,
respectively, what is the leftmost digit of the result?

• The digits in binary are 0111, 1010, and 1110.


• The first bits are 0, 1, and 1. The majority is 1.
• The second bits are 1, 0, and 1. The majority is 1.
• The third bits are 1, 1, and 1. The majority is 1.
• The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal
SHA- 512: Conditional Function
Example : Conditional function on E, F, and G buffers
If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF
respectively, what is the leftmost digit of the result?

The digits in binary are 1001, 1010, and 1111.


The first bits are 1, 1, and 1. The result is F1, which is 1.
The second bits are 0, 0, and 1. The result is G2, which is 1.
The third bits are 0, 1, and 1. The result is G3, which is 1.
The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.
SHA- 512: Structure of each round …
80 constants, K0 to K79, each 64 bits
SHA-512 : Analysis
• With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.
• more efficient and more secure than the previous versions
• more research and testing are needed to confirm this claim
WHIRLPOOL
• iterated cryptographic hash function
• uses a symmetric-key block cipher in place of the compression
function
Message Digest : MD5
• Designed by Ron Rivest
• MD5 last version
• message into blocks of 512 bits and creates a 128-bit digest
• message digest of size 128 bits is too small to resist collision attack
MD5: Logic
MD5:

• Original Message + Pad Message + 64-bit original length message value


• “Padded” to ensure length is 448 mod 512
MD5: Initialization
• entire string is converted into multiple blocks of 512 bits each
• initialize MD buffer
A, B, C, D ( 4 words each 32 bit)
Initialized to word A : 01 23 45 67
word B : 89 ab cd ef
word C : fe dc ba 98
word D : 76 54 32 10
MD5: Process
• Process the message in 16-word blocks of 32-bit each (512-bit)
• Four functions : each takes three 32-bit words , produces 32-bit word
output
• Non-Linear Process
• F(X,Y,Z) = (X and Y) or (not (X) and Z)
• G(X,Y,Z) = (X and Z) or (Y and not (Z))
• H(X,Y,Z) = X xor Y xor Z
• I(X,Y,Z) = Y xor (X or not (Z))
MD5: Process …

Each block 4 rounds and each round has 16 steps


MD5: Single Round
a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a,b,c,d refer to 4 words of the buffer
• g(b,c,d) different non-linear functions in each round (F,G,H,I)
• X[k] is sub-block (0,15) – 32-bit message
• T[i] is const value (1,64) – 32-bit constant
• + is add modulo 2^32

Good Read : The MD5 algorithm (with examples) | Comparitech


MD5: Summary
• Simpler and faster
• Low memory requirements
• Storing passwords
• Provides poor security over SHAs
• Insecure algorithm
