Lecture#6- Hash Functions and Digital Signatures (3)

This document covers cryptographic hash functions, digital signatures, and key management, detailing their definitions, properties, and applications. It discusses the vulnerabilities of hash functions like MD5 and SHA-1, the workings of digital signatures, and the importance of Public Key Infrastructure (PKI) in managing digital certificates. Additionally, it outlines trust models and the role of Certificate Authorities in establishing secure communications.

Uploaded by

alisufyankwl

LECTURE # 6

HASH FUNCTIONS AND DIGITAL SIGNATURES


Introduction to Cryptographic Hash Functions

• Definition: A hash function is a mathematical algorithm that transforms an input (or "message") into a fixed-size string of bytes, typically representing the data in a unique and irreversible way.
• Key properties:
    • Deterministic: The same input will always produce the same hash.
    • Fixed size: Regardless of input size, the output is always of fixed size.
    • Efficient: Quick to compute the hash value for any input.
    • Pre-image resistance: It should be computationally infeasible to reverse the hash (i.e., given a hash output, find the input).
    • Collision resistance: It should be computationally infeasible to find two different inputs that produce the same hash value.
    • Avalanche effect: A small change in the input (e.g., a single bit) should drastically change the output.

01 | Sikandar Abbasi
Message Integrity and Role of Hash Functions

Message integrity:
• Hash functions are widely used to verify message integrity. By hashing a message and sending both the message and its hash, the recipient can check if the message has been altered during transmission by comparing the computed hash value of the received message to the original.
• Used in file verification, digital signatures, and HMAC (discussed later).

Common attack:
• Collision attacks: When an attacker finds two different inputs that produce the same hash value, it undermines message integrity.

Cryptographic Hash Functions

MD5 (Message Digest Algorithm 5):

• MD5 produces a 128-bit hash value and is considered insecure today due to weaknesses discovered in its collision resistance.
• Despite its weaknesses, MD5 was widely used in the past for verifying data integrity and ensuring message authentication.
• Example: The hash of "Hello" using MD5 results in
  8b1a9953c4611296a827abf8c47804d7
• Weaknesses: Vulnerable to collision attacks, which led to its being phased out in favor of more secure alternatives like SHA.

Cryptographic Hash Functions

Steps of MD5 Algorithm

1. Padding:
    1. The input message is padded so that its length is 64 bits fewer than a multiple of 512. Padding is done by adding a single '1' bit followed by the necessary number of '0' bits.
2. Appending Length:
    1. The length of the original message is appended to the padded message, resulting in a message length that is a multiple of 512 bits.
3. Processing:
    1. The padded message is divided into 512-bit blocks.
    2. MD5 processes each block in a 4-round operation. Each round uses different constants, bitwise operations, and mathematical functions to transform the data.
    3. The final result is a 128-bit hash value.

Cryptographic Hash Functions

• Consider the string "Hello".
• Binary representation of "Hello":
  01001000 01100101 01101100 01101100 01101111
• Step 1 (Padding): This binary string is padded to make the length 448 bits, then the length of the original string is added as a 64-bit value to make the final string 512 bits long.
• Step 2 (Process blocks): MD5 processes this message block by block.
• Step 3 (Output hash): MD5 output for "Hello":
  8b1a9953c4611296a827abf8c47804d7

Cryptographic Hash Functions

SHA (Secure Hash Algorithm):

• SHA-1 produces a 160-bit hash value and is no longer considered secure due to discovered collision vulnerabilities.
• The SHA-2 family includes SHA-256, SHA-384, and SHA-512, producing hash values of 256, 384, and 512 bits respectively.
• SHA-256: The most widely used member of SHA-2, known for its high security and widespread usage in digital signatures, certificate verification, and blockchain technology.
• Example: The hash of "Hello" using SHA-256 results in
  185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969

Cryptographic Hash Functions

Steps of SHA-256 Algorithm

1. Padding:
    • The padding starts with a '1' bit followed by '0' bits until the message is 64 bits short of a multiple of 512 bits. The remaining 64 bits record the original message length, so the total length of the padded message is a multiple of 512 bits.
2. Processing:
    • The padded message is divided into 512-bit blocks.
    • Each block is processed through 64 rounds, with each round performing complex mathematical operations including bitwise operations and modular additions.
    • A set of eight 32-bit registers is continuously updated through each round.
3. Final Output:
    • After processing all the blocks, SHA-256 produces a 256-bit (32-byte) hash value.

Cryptographic Hash Functions

• Consider the string "Hello".
• Step 1: Binary representation of "Hello" is padded as necessary, similar to MD5 but based on the SHA-256 structure.
• Step 2 (Process blocks): SHA-256 processes each 512-bit block in 64 rounds, using mathematical functions like bitwise AND, OR, XOR, modular arithmetic, etc.
• Step 3 (Output hash): SHA-256 output for "Hello":
  185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969
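
The padding step described for MD5 and SHA-256 above, written out as an added Python example (not part of the original slides). The byte order of the 64-bit length field is not given on the slides: MD5 stores it little-endian and SHA-256 big-endian. The function names are chosen here for illustration, and the sample messages are constructed.

```python
import hashlib

BLOCK_BYTES = 64  # MD5 and SHA-256 both process 512-bit blocks

def pad(message: bytes, length_byteorder: str) -> bytes:
    """Append the '1' bit, the '0' bits and the 64-bit message length."""
    bit_length = (len(message) * 8) % 2**64
    padded = message + b"\x80"  # a '1' bit followed by seven '0' bits
    padded += b"\x00" * ((56 - len(padded)) % BLOCK_BYTES)  # reach 448 bits mod 512
    return padded + bit_length.to_bytes(8, length_byteorder)

def pad_md5(message: bytes) -> bytes:
    return pad(message, "little")  # MD5 encodes the length little-endian

def pad_sha256(message: bytes) -> bytes:
    return pad(message, "big")  # SHA-256 encodes the length big-endian

def block_count(message: bytes) -> int:
    """Number of 512-bit blocks the compression function will process."""
    return len(pad_sha256(message)) // BLOCK_BYTES

def digests(message: bytes) -> tuple:
    """Library digests, for comparison with the values quoted on the slides."""
    return hashlib.md5(message).hexdigest(), hashlib.sha256(message).hexdigest()

if __name__ == "__main__":
    msg = b"Hello"  # 5 bytes = 40 bits, so the length field holds 0x28
    print("MD5 block    :", pad_md5(msg).hex())
    print("SHA-256 block:", pad_sha256(msg).hex())
    # Edge case: 55 bytes still fit in one block, 56 bytes spill into a second
    # one because the '1' bit and the length field no longer fit.
    print("blocks for 55 / 56 bytes:", block_count(b"A" * 55), block_count(b"A" * 56))
    print("digests:", digests(msg))
```

A 55-byte message is the largest that fits in a single block; one more byte forces a second block that holds only padding and the length.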

Digital Signatures

What is a digital signature?

• A digital signature is a cryptographic mechanism used to verify the authenticity and integrity of a message, software, or digital document. It ensures that:
    • The message was created by a known sender (authentication).
    • The message was not altered (integrity).
    • The sender cannot deny sending the message (non-repudiation).

Digital Signatures

How digital signatures work:

• The sender hashes the message using a hash function (e.g., SHA-256).
• The sender then encrypts the hash using their private key (this is the digital signature).
• The signature and the message are sent to the recipient.
• The recipient decrypts the signature using the sender’s public key to retrieve the hash.
• The recipient hashes the message received and compares the two hash values. If they match, the message is authentic and unaltered.
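
The five steps above, carried through with textbook RSA as an added example (not part of the original slides). The key is a constructed toy key built from two known Mersenne primes and must never be used for real data; the function names and messages are made up for illustration. Production schemes such as RSASSA-PSS add padding before the private-key operation, which this raw form leaves out.

```python
import hashlib

# Constructed toy key: primes of this special form are unsuitable for real use.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to the signer

def message_hash(message: bytes) -> int:
    """Step 1: hash the message with SHA-256 (as an integer smaller than N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Step 2: apply the private key to the hash; the result is the signature."""
    return pow(message_hash(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Steps 4 and 5: recover the hash with the public key and compare."""
    recovered = pow(signature, E, N)
    return recovered == message_hash(message)

if __name__ == "__main__":
    order = b"Pay 100 to account 12345"      # constructed sample message
    signature = sign(order)                  # step 3: send (order, signature)
    print("genuine message :", verify(order, signature))
    print("altered message :", verify(b"Pay 900 to account 12345", signature))
    print("altered signature:", verify(order, signature + 1))
```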
Digital Signatures

Use cases:
• Digital signatures are used in SSL certificates, software distribution, and electronic contracts.
• Digital certificates (issued by a certificate authority) are often used to associate a public key with the identity of a person or organization.

Algorithms used:
• RSA (Rivest-Shamir-Adleman): Commonly used for signing and verifying digital signatures.
• ECDSA (Elliptic Curve Digital Signature Algorithm): An elliptic curve-based algorithm known for stronger security with smaller key sizes than RSA.

HMAC (Hash-based Message Authentication Code)

What is HMAC?
• HMAC is a specific type of message authentication code (MAC) involving a cryptographic hash function combined with a secret key. It ensures both the integrity and authenticity of a message.
• Unlike simple hash functions, HMAC also uses a secret key along with the message to generate the hash, making it resistant to modification or tampering by unauthorized parties.

HMAC (Hash-based Message Authentication Code)

How HMAC works:

• The sender combines the message with a secret key.
• The result is then hashed using a cryptographic hash function (e.g., SHA-256).
• The hash (HMAC) is sent along with the message.
• The recipient, who knows the secret key, recomputes the HMAC on the received message.
• If the computed HMAC matches the received one, the message is considered authentic and unaltered.

Use cases:
• HMAC is widely used in HTTPS for securing communication, VPNs, and token-based authentication systems like JSON Web Tokens (JWTs).
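
How the key and message are combined in the standard HMAC construction (RFC 2104), as an added example that is not part of the original slides: the key is XORed with two fixed pads and the hash is applied twice. The key, messages and function names are constructed for illustration; the hand-written version is checked against Python's `hmac` module.

```python
import hashlib
import hmac

BLOCK_BYTES = 64  # SHA-256 block size

def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 built by hand: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_BYTES:            # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_BYTES, b"\x00")  # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()

def library_tag(key: bytes, message: bytes) -> bytes:
    """The same tag from the standard library, used as the reference."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(library_tag(key, message), tag)

if __name__ == "__main__":
    key = b"shared-secret-key"                # constructed sample key
    message = b"amount=100&to=alice"          # constructed sample message
    tag = hmac_sha256(key, message)
    print("matches library :", tag == library_tag(key, message))
    print("genuine message :", verify_tag(key, message, tag))
    print("altered message :", verify_tag(key, b"amount=900&to=alice", tag))
    print("wrong key       :", verify_tag(b"other-key", message, tag))
```

Comparing tags with `hmac.compare_digest` rather than `==` avoids leaking, through timing, how many leading bytes of a guessed tag were correct.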

Case Studies and Applications

Case Study 1: MD5 Collision Attacks:
• In 2004, researchers found two distinct inputs producing the same MD5 hash (collision), proving MD5 vulnerable to attacks. This led to the phase-out of MD5 in security protocols.

Case Study 2: SHA-1 Vulnerabilities:
• Google, in 2017, demonstrated a practical collision in the SHA-1 algorithm. This led to the industry-wide deprecation of SHA-1, especially in digital certificates and signatures.

Case Study 3: Digital Signatures in E-Commerce:
• Digital signatures are fundamental in e-commerce transactions, ensuring that orders and payments are securely signed and authenticated, preventing fraud and tampering.

KEY MANAGEMENT AND DISTRIBUTION

Key Management and Distribution

Introduction:
• Key management is one of the critical aspects of cryptographic systems. Without proper key management, even the most secure cryptographic algorithms can be compromised. Key distribution refers to the process of securely delivering cryptographic keys to communicating parties.

Key Points:
• Keys: Secret data used in encryption to ensure that messages are protected from unauthorized access.
• Distribution Challenge: How to securely share these keys with others without them being intercepted by attackers.

Public Key Infrastructure (PKI)

Overview:
• Public key infrastructure (PKI) is a system that manages the creation, distribution, and revocation of public keys.
• It includes Certification Authorities (CAs), which issue digital certificates that verify the identity of the key holders.
• Public key: Shared openly and used by anyone to encrypt a message.
• Private key: Kept secret and used to decrypt the message.

Applications:
• Used in securing websites (HTTPS), email encryption, and digital signatures.

Public Key Infrastructure (PKI)

Key Elements of PKI:

• Digital Certificates: These are issued to verify the ownership of a public key. They contain the public key, owner’s details, and are signed by a trusted entity.
• Certificate Authority (CA): The entity that issues digital certificates.
• Registration Authority (RA): Acts as a verifier for the CA, confirming the identity of the entity requesting a certificate.
• Certificate Revocation List (CRL): A list of certificates that are no longer valid, ensuring that compromised or expired certificates aren’t trusted.

Digital Certificates

Definition: A digital certificate is like an electronic passport. It allows one entity to prove its identity to others. The certificate includes:
• Public key of the entity.
• Identity information: Who the certificate belongs to (name, organization, etc.).
• Signature of the CA: Proves the certificate has been issued by a trusted source.

Types of Digital Certificates:
• Self-signed certificates: These are signed by the same entity to which they belong. They are often used in internal networks but not ideal for public trust.
• CA-signed certificates: Trusted more widely because a CA verifies the identity before issuing the certificate.

Digital Certificates

Certificate Lifecycle:
• Creation: The certificate is generated and issued.
• Validation: It remains valid for a specific period.
• Revocation: If compromised, the certificate is revoked.

Certificate Authorities

Definition: A CA is a trusted organization that verifies the identity of entities requesting certificates. It plays a crucial role in the trust model of PKI. When a CA signs a digital certificate, it is essentially vouching for the authenticity of the entity.

Responsibilities of a CA:
• Issuing certificates: After validating the identity of the requesting party.
• Revoking certificates: If the certificate is no longer trustworthy.
• Maintaining CRL: Ensuring revoked certificates are not trusted.

Example: Let’s Encrypt is a widely known CA that provides free digital certificates.

Trust Models

Definition: A trust model defines how parties in a PKI system establish and manage trust. The model dictates how certificates are verified and how the trust chain works.

Types of Trust Models:
• Hierarchical Trust Model: A single root CA is at the top of the hierarchy, and it delegates trust to subordinate CAs. This structure creates a clear, centralized trust path.
    • Advantage: Clear chain of trust.
    • Disadvantage: If the root CA is compromised, the entire system is at risk.
• Web of Trust: Used in systems like PGP (Pretty Good Privacy). Instead of a central CA, trust is built between users who mutually certify each other's keys.
    • Advantage: Decentralized, no need for a central authority.
    • Disadvantage: Can become complex as the number of users grows.

Trust Models

• Bridge CA: A hybrid model where multiple CAs trust each other through a "bridge" CA. This model allows different organizations or entities to interoperate.
    • Advantage: Flexible and scalable.
    • Disadvantage: Complexity in managing trust relationships between CAs.

Trust Chain

• The trust chain works by verifying each certificate against the certificate of the CA that issued it (a higher-level CA).
• A certificate signed by a trusted CA is trusted by users because they already trust the CA’s signature.
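
A hierarchical trust chain with a CRL check, as an added example that is not part of the original slides. Certificates are modelled as plain dictionaries rather than X.509, the keys are constructed toy RSA keys built from known Mersenne primes, and all names and serial numbers are hypothetical; validity periods are left out.

```python
import hashlib
import json

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Toy RSA key from two known primes (constructed, insecure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body):
    """SHA-256 over a canonical encoding of the certificate body."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(serial, subject, subject_key, issuer, issuer_key):
    """The issuer signs the subject's identity and public key (modulus n)."""
    body = {"serial": serial, "subject": subject, "issuer": issuer,
            "n": subject_key["n"]}
    return {"body": body,
            "sig": pow(digest(body), issuer_key["d"], issuer_key["n"])}

def validate_chain(chain, trusted_root_n, crl):
    """chain[0] is the end-entity certificate, chain[-1] the self-signed root."""
    for cert, parent in zip(chain, chain[1:] + chain[-1:]):
        body = cert["body"]
        if body["serial"] in crl:
            return "revoked: " + body["subject"]
        if body["issuer"] != parent["body"]["subject"]:
            return "broken chain at " + body["subject"]
        if pow(cert["sig"], E, parent["body"]["n"]) != digest(body):
            return "bad signature on " + body["subject"]
    if chain[-1]["body"]["n"] != trusted_root_n:
        return "untrusted root"  # signatures check out, but not our trust anchor
    return "valid"

# Constructed sample hierarchy: root CA -> intermediate CA -> web server.
ROOT = keypair(2**521 - 1, 2**607 - 1)
INTER = keypair(2**127 - 1, 2**1279 - 1)
LEAF = keypair(2**89 - 1, 2**2203 - 1)
CHAIN = [
    issue(3, "www.example.test", LEAF, "Example Intermediate CA", INTER),
    issue(2, "Example Intermediate CA", INTER, "Example Root CA", ROOT),
    issue(1, "Example Root CA", ROOT, "Example Root CA", ROOT),
]

if __name__ == "__main__":
    print(validate_chain(CHAIN, ROOT["n"], crl=set()))
    print(validate_chain(CHAIN, ROOT["n"], crl={2}))  # intermediate revoked
```

The final comparison against `trusted_root_n` is what ties the chain to a root the verifier already trusts; without it, any self-signed root with a consistent chain would validate.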

THANK YOU
