
Unit III – Syllabus

SIGNATURES (8 hours)
Authentication requirement
Authentication function
MAC – Hash function – Security of hash function and MAC
Digital signature and authentication protocols –
ElGamal –
Day 19 & 20
Authentication requirement
Authentication function
MAC – Hash function – Security of hash function and MAC
Message Authentication Requirements
• Disclosure
– Release of message contents to any person or process not possessing the appropriate cryptographic key
• Traffic analysis
– Discovery of the pattern of traffic between parties
• Masquerade
– Insertion of messages into the network from a fraudulent source
• Content modification
– Changes to the contents of a message, including insertion, deletion, transposition, and modification
• Sequence modification
– Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
• Timing modification
– Delay or replay of messages
• Source repudiation
– Denial of transmission of message by source
• Destination repudiation
– Denial of receipt of message by destination
Message Authentication Functions
• Two levels of functionality:
Lower level
• There must be some sort of function that produces an authenticator
– Message encryption
– The ciphertext of the entire message serves as its authenticator
– Message authentication code
– A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
– Hash function
– A function that maps a message of any length into a fixed-length hash value which serves as the authenticator
Higher level
• Uses the lower-level function as a primitive in an authentication protocol that enables a receiver to verify the authenticity of a message
Public-Key Encryption
• The straightforward use of public-key encryption (encrypting M with B’s public key) provides confidentiality but not authentication: anyone holding B’s public key could have produced the ciphertext
• To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B’s public key, which provides confidentiality
• Disadvantage is that the public-key algorithm must be exercised four times rather than two in each communication (two operations at the sender, two at the receiver)
MAC concept
Requirements for MACs
• Taking into account the types of attacks, the MAC needs to satisfy the following:
– The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key
– The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext
– The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others
Message Digest 5 (MD5)
Input: blocks of 512 bits
Initial Vector: 128 bits
Output: 128 bits
For each 512-bit input block: 4 rounds performed
MD5: Message Digest Version 5
[Figure: input Message, MD5, Output 128-bit Digest]
• Until recently the most widely used hash algorithm
– In recent times has had both brute-force and cryptanalytic concerns: practical collision attacks have been public since 2004, so MD5 must not be used where collision resistance matters (digital signatures, certificates, integrity of downloaded code); it survives only in legacy HMAC-MD5 deployments and non-security checksums
• Specified as Internet standard RFC 1321
MD5 Overview
1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
– Using 4 rounds of 16 steps each (64 steps of bitwise operations) on message block & buffer
– Add output to buffer input to form new buffer value
5. Output hash value is the final buffer value
Padding Twist
• Given original message M, add padding bits “10*” (a single 1 bit followed by as few 0 bits as needed) such that resulting length is 64 bits less than a multiple of 512 bits; padding is always added, even if M is already 448 mod 512 (then a full 512 padding bits are added)
• Append (original length in bits mod 2^64), represented in 64 bits, to the padded message
• Final message is chopped into 512-bit blocks
MD5 Process
• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD = A|B|C|D
• Every message block contains 16 32-bit words
– Digest MD0 initialized to the RFC 1321 constants A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476 (hexadecimal word values, stored little-endian)
– Every stage consists of 4 passes over the message block, each modifying MD
• Each block 4 rounds, each round 16 steps
Processing of Block mi - 4 Passes
[Figure: block mi and digest MDi enter the four passes; each pass output is added (+) word-wise to MDi to give MDi+1]
Different Passes...
Each step t (0 <= t <= 63):
• Input:
– mt – a 32-bit word from the message block (each round visits the 16 words in a different order)
– A left-rotation amount that differs from round to round
– Tt – int(2^32 * abs(sin(t+1))), i.e. T[i] = int(2^32 * abs(sin(i))) for 0 < i < 65
Provides a randomized set of 32-bit patterns, which eliminates any regularities in the input data
– ABCD: current MD
• Output:
– ABCD: new MD
MD5 Compression Function
• Each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
• X[k] – the k-th 32-bit word of the current 512-bit message block; with step i counted from 0 over all 64 steps, round 1 uses k = i, round 2 uses k = (5i+1) mod 16, round 3 uses k = (3i+5) mod 16, round 4 uses k = 7i mod 16
• T[i] – the i-th of the 64 additive constants, T[i] = int(2^32 * abs(sin(i))), 1 <= i <= 64
• <<<s – circular left shift by s bits, where s cycles through four values within each round
Functions and Random Numbers
• F(B,C,D) = (B & C) | (~B & D)
– selection function: each bit of B selects the corresponding bit of C or of D
• G(B,C,D) = (B & D) | (C & ~D)
• H(B,C,D) = B ^ C ^ D
• I(B,C,D) = C ^ (B | ~D)
(& = bitwise AND, | = bitwise OR, ^ = bitwise XOR, ~ = bitwise NOT)
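The padding rule, the T table, the four round functions and the step equation above, assembled into a working MD5 as an added example (this is not code from the slides or from RFC 1321; it was written for this page and cross-checks itself against Python's hashlib). The names md5_pad, md5_compress and matches_hashlib are this example's own.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step left-rotation amounts: four rounds of 16 steps, each round cycling four shifts
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
          + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# T[i] = int(2^32 * |sin(i)|) for i = 1..64 (stored 0-based): the "randomized" additive constants
T = [int(2 ** 32 * abs(math.sin(i))) & MASK32 for i in range(1, 65)]

# Initial buffer (A, B, C, D) as little-endian word values from RFC 1321
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_pad(message: bytes) -> bytes:
    """Append a 1 bit, then 0 bits until length = 448 (mod 512), then the 64-bit original bit length."""
    bit_len = (len(message) * 8) % (1 << 64)          # original length mod 2^64
    padded = message + b"\x80"                         # the 1 bit followed by seven 0 bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)  # zero bytes up to 56 mod 64
    return padded + struct.pack("<Q", bit_len)         # little-endian 64-bit length


def md5_compress(state, block: bytes):
    """One 512-bit block: 4 rounds x 16 steps of a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)."""
    X = struct.unpack("<16I", block)                   # 16 little-endian 32-bit words
    a, b, c, d = state
    for i in range(64):
        if i < 16:                                     # round 1: F, the selection function
            g, k = (b & c) | (~b & d), i
        elif i < 32:                                   # round 2: G
            g, k = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                                   # round 3: H
            g, k = b ^ c ^ d, (3 * i + 5) % 16
        else:                                          # round 4: I
            g, k = c ^ (b | ~d), (7 * i) % 16
        tmp = (a + (g & MASK32) + X[k] + T[i]) & MASK32
        # only one buffer word is replaced per step; the others rotate into new roles
        a, d, c, b = d, c, b, (b + rotl32(tmp, SHIFTS[i])) & MASK32
    # add the round output to the buffer input to form the new buffer value
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d)))


def md5(message: bytes) -> bytes:
    data = md5_pad(message)
    state = IV
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return struct.pack("<4I", *state)                  # final buffer value is the digest


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the platform implementation."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 100):
        print(len(m), md5(m).hex(), matches_hashlib(m))
```

Note what the structure implies for a practitioner: the digest is exactly the internal state after the last block, so anyone who knows H(M) and len(M) can resume md5_compress from that state and compute H(M || pad || suffix) without knowing M. That length-extension property is why a keyed construction of the form H(K || M) is not a safe MAC, and why HMAC below hashes twice.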
Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1
• Based on the hash function MD4 and its design closely models MD4
• Produces 160-bit hash values
– SHA-1 is no longer collision resistant in practice: a public collision was demonstrated in 2017 (SHAttered), and it is deprecated for signatures and certificates
• In 2002 NIST produced a revised version of the standard that defined three new versions of SHA with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2
Table 11.3 Comparison of SHA Parameters
Note: All sizes are measured in bits.

SHA-512 Processing Steps
• Step 1: Append padding bits. The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]. Padding is always added, even if the message is already of the desired length.
• Step 2: Append length. A block of 128 bits, holding the original message length in bits, is appended to the message. The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length, i.e. every block is 1024 bits and the last block is also 896 + 128 = 1024 bits.
• Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
• Step 4: Process message in 1024-bit blocks (sixteen 64-bit words, expanded to eighty words for the round function). The heart of the algorithm is a module that consists of 80 rounds; this module is labelled F in Figure 11.9. The logic is illustrated in Figure 11.10.
• Step 5: Output. After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
(Figure can be found on page 337 in textbook)
MACs Based on Hash Functions: HMAC
• There has been increased interest in developing a MAC derived from a cryptographic hash function
• Motivations:
– Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES
– Library code for cryptographic hash functions is widely available
• HMAC has been chosen as the mandatory-to-implement MAC for IP security
• Has also been issued as a NIST standard (FIPS 198)
HMAC Design Objectives
• RFC 2104 lists the following objectives for HMAC:
• To use, without modifications, available hash functions
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required
• To preserve the original performance of the hash function without incurring a significant degradation
• To use and handle keys in a simple way
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function
HMAC Algorithm
• Figure 12.5 illustrates the overall operation of HMAC. Define the following:
• H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160; for new designs SHA-256 or stronger)
• IV = initial value input to hash function
• M = message input to HMAC (including the padding specified in the embedded hash function)
• Yi = i-th block of M, 0 <= i <= (L - 1)
• L = number of blocks in M
• b = number of bits in a block
• n = length of hash code produced by embedded hash function
• K = secret key; recommended length is >= n; if key length is greater than b, the key is input to the hash function to produce an n-bit key
• K+ = K padded with zeros on the right (zeros appended after K, as RFC 2104 and FIPS 198 specify) so that the result is b bits in length
• ipad = 00110110 (36 in hexadecimal) repeated b/8 times
• opad = 01011100 (5C in hexadecimal) repeated b/8 times
• Then HMAC can be expressed as
HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
• We can describe the algorithm as follows.
• 1. Append zeros to the right end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512, then K is followed by 352 zero bits, i.e. 44 zero bytes)
• 2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si
• 3. Append M to Si
• 4. Apply H to the stream generated in step 3
• 5. XOR K+ with opad to produce the b-bit block So
• 6. Append the hash result from step 4 to So
• 7. Apply H to the stream generated in step 6 and output the result
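The seven steps above as runnable code, an added example rather than the slides' or RFC 2104's own: hashlib supplies H, the block size b is read from the hash object, and the standard library hmac module is used only to cross-check the result and to provide a constant-time comparison. The names hmac_digest, hmac_verify and matches_stdlib are this example's own.

```python
import hashlib
import hmac


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], following the seven steps."""
    H = lambda data: hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size        # block size in bytes (64 for SHA-256, 128 for SHA-512)
    if len(key) > b:                             # keys longer than a block are hashed to n bits first
        key = H(key)
    k_plus = key + b"\x00" * (b - len(key))      # step 1: K+ = K with zeros appended to b bytes
    s_i = bytes(x ^ 0x36 for x in k_plus)        # step 2: K+ XOR ipad
    inner = H(s_i + message)                     # steps 3-4: H(S_i || M)
    s_o = bytes(x ^ 0x5C for x in k_plus)        # step 5: K+ XOR opad
    return H(s_o + inner)                        # steps 6-7: H(S_o || inner hash)


def hmac_verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison, so a forger cannot learn the tag byte by byte from timing."""
    return hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    return hmac_digest(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"     # RFC 4231 test case 1 inputs
    print(hmac_digest(key, msg).hex(), matches_stdlib(key, msg))
```

The two hash invocations are the point: the outer hash hides the inner state, so the length-extension trick that breaks H(K || M) gives an attacker nothing, and the key is mixed into a full block at both ends rather than simply prefixed.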
Security of HMAC
• Depends in some way on the cryptographic
strength of the underlying hash function
• Appeal of HMAC is that its designers have
been able to prove an exact relationship
between the strength of the embedded hash
function and the strength of HMAC
• Generally expressed in terms of the
probability of successful forgery with a given
amount of time spent by the forger and a
given number of message-tag pairs created
with the same key
Cipher-Based Message Authentication Code (CMAC)
Authenticated Encryption (AE)
• A term used to describe encryption systems that simultaneously protect confidentiality and authenticity of communications
• Approaches:
• Hash-then-encrypt: E(K, (M || h)), with h = H(M)
• MAC-then-encrypt: T = MAC(K1, M), E(K2, [M || T])
• Encrypt-then-MAC: C = E(K2, M), T = MAC(K1, C)
• Encrypt-and-MAC: C = E(K2, M), T = MAC(K1, M)
• Both decryption and verification are straightforward for each approach
• There are security vulnerabilities with all of these when used carelessly: hash-then-encrypt relies solely on the cipher to protect an unkeyed authenticator; MAC-then-encrypt forces the receiver to decrypt attacker-controlled data before any tag is checked (the root of the padding-oracle attacks on TLS CBC modes); encrypt-and-MAC lets the tag leak information about the plaintext, since the same message always produces the same tag. Encrypt-then-MAC with independent keys K1 and K2, with the tag checked before any decryption, is the generically secure composition; modern protocols instead use dedicated AE modes such as AES-GCM or ChaCha20-Poly1305
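Encrypt-then-MAC and MAC-then-encrypt side by side, as an added example that is not from the slides. The standard library has no block cipher, so E(K2, .) is a counter-mode stream built from HMAC-SHA256 as the PRF; that keystream, the 16-byte nonce carried in front of the ciphertext, and the function names etm_seal, etm_open, mte_seal, mte_open and tamper are this example's own assumptions. The thing to watch is where the tag check happens relative to decryption.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF; a stand-in for a block cipher
    constructed for this example, not a recommendation."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """E(K2, .) and its inverse are the same XOR with the keystream."""
    return bytes(x ^ y for x, y in zip(data, _keystream(k_enc, nonce, len(data))))


def etm_seal(k_enc: bytes, k_mac: bytes, msg: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: C = E(K2, M), T = MAC(K1, nonce || C); output nonce || C || T."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    c = stream_xor(k_enc, nonce, msg)
    t = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    return nonce + c + t


def etm_open(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Check the tag over the ciphertext first; the decryption key never touches unverified data."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, t = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + c, hashlib.sha256).digest(), t):
        return None
    return stream_xor(k_enc, nonce, c)


def mte_seal(k_enc: bytes, k_mac: bytes, msg: bytes, nonce: bytes = None) -> bytes:
    """MAC-then-encrypt: T = MAC(K1, M), output nonce || E(K2, M || T)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    t = hmac.new(k_mac, msg, hashlib.sha256).digest()
    return nonce + stream_xor(k_enc, nonce, msg + t)


def mte_open(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Has to decrypt before it can verify anything, so attacker-controlled bytes are
    processed with K2 (and any parsing of the plaintext happens) before authentication."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = stream_xor(k_enc, nonce, c)
    msg, t = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, msg, hashlib.sha256).digest(), t):
        return None
    return msg


def tamper(blob: bytes, index: int) -> bytes:
    """Flip one bit of a sealed message: the attacker's move on the wire."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    k_mac, k_enc = os.urandom(32), os.urandom(32)   # independent keys K1 and K2
    sealed = etm_seal(k_enc, k_mac, b"transfer 100 to alice")
    print(etm_open(k_enc, k_mac, sealed), etm_open(k_enc, k_mac, tamper(sealed, 20)))
```

Both variants reject the flipped bit here because the stream cipher has no padding to parse; the practical difference is that mte_open had to run the decryption and split the plaintext before it could say no, which is exactly the step that leaks a padding or length oracle in real protocols.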
Digital signature and authentication protocols
• General Model
• Properties of Digital Signature
• Attack Possibilities in DS
• Digital Signature Standard Algorithm
• ElGamal
• Schnorr
Digital Signature Properties
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties, to resolve disputes

Attacks and Forgeries (C denotes the attacker, A the user whose signature is attacked)
• Key-only attack
– C only knows A’s public key
• Known message attack
– C is given access to a set of messages and their signatures
• Generic chosen message attack
– C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key; C then obtains from A valid signatures for the chosen messages
• Directed chosen message attack
– Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen
• Adaptive chosen message attack
– C may request from A signatures of messages that depend on previously obtained message-signature pairs
Forgeries (from most to least damaging):
• Total break
– C determines A’s private key
• Universal forgery
– C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages
• Selective forgery
– C forges a signature for a particular message chosen by C
• Existential forgery
– C forges a signature for at least one message; C has no control over the message
Digital Signature Requirements
• The signature must be a bit pattern that depends on the message being signed
• The signature must use some information unique to the sender to prevent both forgery and denial
• It must be relatively easy to produce the digital signature
• It must be relatively easy to recognize and verify the digital signature
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital signature in storage
Direct Digital Signature
• Refers to a digital signature scheme that involves only the communicating parties
– It is assumed that the destination knows the public key of the source
– Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
– It is important to perform the signature function first and then an outer confidentiality function, so that the signature covers the plaintext and can be checked by a third party without the decryption key
– In case of dispute some third party must view the message and its signature
– The validity of the scheme depends on the security of the sender’s private key
– If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature
– One way to thwart or at least weaken this ploy is to require every signed message to include a timestamp and to require prompt reporting of compromised keys to a central authority
ElGamal Digital Signature
• Scheme uses the private key for signing (the “encryption” direction in the slides’ terminology) and the public key for verification (“decryption”)
• Global elements are a prime number q and a, which is a primitive root of q
• Security rests on the difficulty of computing discrete logarithms modulo q
ElGamal digital signature
• Select a prime number q and a, where a is a primitive root of q
Verification at Receiver Side
Example: Choose q = 19 & a = 10.
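The ElGamal signature scheme on the slides' parameters q = 19 and a = 10, as an added example (not the slides' or the textbook's code). Key generation, signing and verification follow the standard scheme: private key X_A with public key Y_A = a^X_A mod q; signature (S1, S2) with S1 = a^K mod q and S2 = K^-1 (m - X_A S1) mod (q-1) for a fresh secret K coprime to q-1; verification accepts when a^m = Y_A^S1 S1^S2 (mod q). The private key 16, hash value 14 and K = 5 used in the usage section are assumed values chosen to keep the arithmetic small; reducing a SHA-256 digest mod q to get m, and the function names, are this example's own.

```python
import hashlib
import random
from math import gcd


def prime_factors(n: int) -> set:
    factors, r = set(), 2
    while r * r <= n:
        while n % r == 0:
            factors.add(r)
            n //= r
        r += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a: int, q: int) -> bool:
    """a is a primitive root of prime q iff a^((q-1)/r) != 1 (mod q) for every prime r dividing q-1."""
    return 1 < a < q and all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def hash_to_int(message: bytes, q: int) -> int:
    """m = H(M) reduced into 0 <= m <= q-1 (reduction mod q is an assumption of this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def keygen(q: int, a: int, x: int = None):
    """Private key X_A with 1 < X_A < q-1; public key Y_A = a^X_A mod q."""
    if x is None:
        x = random.randrange(2, q - 1)
    return x, pow(a, x, q)


def sign(q: int, a: int, x: int, m: int, k: int = None):
    """(S1, S2) with S1 = a^K mod q and S2 = K^-1 (m - X_A*S1) mod (q-1).
    K must be a fresh secret with gcd(K, q-1) = 1; reusing K for two messages leaks X_A."""
    if k is None:
        while True:
            k = random.randrange(1, q - 1)
            if gcd(k, q - 1) == 1:
                break
    elif not (1 <= k < q - 1 and gcd(k, q - 1) == 1):
        raise ValueError("K must satisfy 1 <= K <= q-2 and gcd(K, q-1) = 1")
    s1 = pow(a, k, q)
    s2 = (pow(k, -1, q - 1) * (m - x * s1)) % (q - 1)
    return s1, s2


def verify(q: int, a: int, y: int, m: int, sig) -> bool:
    """Accept iff V1 = a^m mod q equals V2 = (Y_A^S1 * S1^S2) mod q, after range checks on (S1, S2)."""
    s1, s2 = sig
    if not (0 < s1 < q and 0 <= s2 < q - 1):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    q, a = 19, 10                      # the slides' global elements
    assert is_primitive_root(a, q)
    x, y = keygen(q, a, x=16)          # assumed private key
    sig = sign(q, a, x, 14, k=5)       # assumed hash value and per-message K
    print("Y_A =", y, "signature on m = 14:", sig, "verifies:", verify(q, a, y, 14, sig))
```

Two checks worth keeping in any real implementation are visible here: the verifier rejects S1 outside (0, q) before exponentiating, and the signer refuses a K that is not coprime to q-1, since K^-1 mod (q-1) would not exist.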
Schnorr Digital Signature
• Scheme is based on discrete logarithms
• Minimizes the message-dependent amount of computation required to generate a signature
– Multiplying a 2n-bit integer with an n-bit integer
• Main work (the modular exponentiation) can be done during the idle time of the processor, before the message is known
• Based on using a prime modulus p, with p – 1 having a prime factor q of appropriate size
– Typically p is a 1024-bit number, and q is a 160-bit number (the sizes of the original proposal; current NIST guidance for discrete-logarithm signatures is p of at least 2048 bits with q of at least 224 bits)
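The scheme just outlined, as an added example that is not from the slides: private s with public v = a^-s mod p, a precomputed x = a^r mod p, then e = H(M || x) and y = (r + s e) mod q, and the verifier recomputes x' = a^y v^e mod p and checks H(M || x') = e. The parameters p, q and a are generated here with a Miller-Rabin test (the slides give only their sizes), H is SHA-256 reduced mod q (an assumption), and the names generate_params, check_params and precompute are this example's own.

```python
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; fine for generating toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(q_bits: int = 64):
    """Prime q, prime p = k*q + 1, and a = h^k mod p of order q (a != 1)."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = random.getrandbits(q_bits) & ~1          # even k keeps p odd
        p = k * q + 1
        if k and is_probable_prime(p):
            break
    while True:
        a = pow(random.randrange(2, p - 1), k, p)    # lands in the subgroup of order q
        if a != 1:
            return p, q, a


def check_params(p: int, q: int, a: int) -> bool:
    """q must divide p-1 and a must have order exactly q: a^q = 1 (mod p) with a != 1."""
    return (p - 1) % q == 0 and a != 1 and pow(a, q, p) == 1


def schnorr_hash(message: bytes, x: int, q: int) -> int:
    """e = H(M || x), with the SHA-256 digest reduced mod q (an assumption of this example)."""
    x_bytes = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(message + x_bytes).digest(), "big") % q


def keygen(p: int, q: int, a: int, s: int = None):
    """Private s with 0 < s < q; public v = a^-s mod p."""
    if s is None:
        s = random.randrange(1, q)
    return s, pow(pow(a, s, p), -1, p)


def precompute(p: int, q: int, a: int, r: int = None):
    """Message-independent work: choose r and compute x = a^r mod p during idle time."""
    if r is None:
        r = random.randrange(1, q)
    return r, pow(a, r, p)


def sign(p: int, q: int, a: int, s: int, message: bytes, r: int = None):
    r, x = precompute(p, q, a, r)
    e = schnorr_hash(message, x, q)
    y = (r + s * e) % q                  # the only message-dependent arithmetic: one multiply-add
    return e, y


def verify(p: int, q: int, a: int, v: int, message: bytes, sig) -> bool:
    e, y = sig
    if not (0 <= e < q and 0 <= y < q):
        return False
    x_prime = (pow(a, y, p) * pow(v, e, p)) % p   # a^(r+se) * a^(-se) = a^r = x
    return schnorr_hash(message, x_prime, q) == e


if __name__ == "__main__":
    p, q, a = generate_params(64)
    s, v = keygen(p, q, a)
    sig = sign(p, q, a, s, b"hello")
    print(p, q, a, sig, verify(p, q, a, v, b"hello", sig))
```

With 64-bit q the example is only illustrative, but the structure is the real one: r must be fresh and secret for every signature, because two signatures sharing r give s = (y1 - y2) / (e1 - e2) mod q to anyone who can subtract.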
NIST Digital Signature Algorithm
• Published by NIST as Federal Information Processing Standard FIPS 186
• Makes use of the Secure Hash Algorithm
• FIPS 186-3 (2009) also incorporates digital signature algorithms based on RSA and on elliptic curves; it has since been superseded by FIPS 186-4 (2013) and FIPS 186-5 (2023), the latter of which no longer approves DSA for generating new signatures, leaving RSA, ECDSA and EdDSA
Elliptic Curve Digital Signature Algorithm
Four elements are involved:
• All those participating in the digital signature scheme use the same global domain parameters, which define an elliptic curve and a point of origin on the curve
• A signer must first generate a public, private key pair
• A hash value is generated for the message to be signed; using the private key, the domain parameters, and the hash value, a signature is generated, consisting of two integers r and s
• To verify the signature, the verifier uses as input the signer’s public key, the domain parameters, and the integer s; the output is a value v that is compared to r; the signature is verified if v = r
RSA-PSS
• RSA Probabilistic Signature Scheme
• Included in the 2009 version of FIPS 186
• Latest of the RSA schemes and the one that RSA Laboratories recommends as the most secure of the RSA schemes
• For all schemes developed prior to PSS it has not been possible to develop a mathematical proof that the signature scheme is as secure as the underlying RSA encryption/decryption primitive
• The PSS approach was first proposed by Bellare and Rogaway
• This approach, unlike the other RSA-based schemes, introduces a randomization process (a per-signature salt) that enables the security of the method to be shown to be closely related to the security of the RSA algorithm itself
Mask Generation Function (MGF)
• Typically based on a secure cryptographic hash function such as SHA-1
– Is intended to be a cryptographically secure way of generating a message digest, or hash, of variable length based on an underlying cryptographic hash function that produces a fixed-length output
Summary
• Digital signatures
– Properties
– Attacks and forgeries
– Digital signature requirements
– Direct digital signature
• Elgamal digital signature scheme
• Schnorr digital signature scheme
• NIST digital signature algorithm
– The DSA approach
• Elliptic curve digital signature algorithm
– Global domain parameters
– Key generation
– Digital signature generation and authentication
• RSA-PSS
– Mask generation
– The signing operation
– Signature verification