1. 18CS2005 Cryptography and
Network Security
Module 3
Cryptographic Data Integrity Algorithms
Applications of cryptographic hash functions - requirements and security -
Secure Hash Algorithm - SHA3 - Message authentication requirements,
functions & codes - HMAC - digital signatures - NIST Digital Signature Algorithm
(DSA)
Dr.A.Kathirvel, Professor,
DCSE, KITS
kathirvel@karunya.edu
2. Message Authentication and Hash
Functions
• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Hash Functions
• Security of Hash Functions and
MACs
3. Authentication Requirements
• Kind of attacks (threats) in the context of communications
across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
• Measures to deal with the first two attacks:
– These fall in the realm of message confidentiality and are addressed with
encryption
• Measures to deal with items 3 through 6:
– Message authentication
• Measures to deal with item 7:
– Digital signature
4. • Message authentication
–A procedure to verify that messages come
from the alleged source and have not been
altered
–Message authentication may also verify
sequencing and timeliness
• Digital signature
–An authentication technique that also
includes measures to counter repudiation by
either source or destination
Authentication Requirements
5. Authentication Functions
• Message authentication or digital
signature mechanism can be
viewed as having two levels
–At lower level: there must be some
sort of functions producing an
authenticator – a value to be used to
authenticate a message
–This lower-level function is used as a
primitive in a higher-level
authentication protocol
6. Authentication Functions
• Three classes of functions that may be used to
produce an authenticator
–Message encryption
• Ciphertext itself serves as authenticator
–Message authentication code (MAC)
• A public function of the message and a secret
key that produces a fixed-length value that
serves as the authenticator
–Hash function
• A public function that maps a message of any
length into a fixed-length hash value, which
serves as the authenticator
7. Message Encryption
• Conventional encryption can serve as
authenticator
–Conventional encryption provides
authentication as well as confidentiality
–Requires recognizable plaintext or other
structure to distinguish between well-formed
legitimate plaintext and meaningless random
bits
• e.g., ASCII text, an appended checksum, or use
of layered protocols
9. Ways of Providing Structure
• Append an error-detecting code (frame check sequence
(FCS)) to each message
10. Ways of Providing Structure - 2
• Suppose the whole
datagram except the
IP header is encrypted.
• If an opponent
substituted some
arbitrary bit pattern for
the encrypted TCP
segment, the resulting
plaintext would not
include a meaningful
header
12. Message Authentication Code
• Uses a shared secret key to generate a fixed-
size block of data (known as a cryptographic
checksum or MAC) that is appended to the
message: MAC = C_K(M)
• Assurances:
– Message has not been altered
– Message is from alleged sender
– Message sequence is unaltered (requires internal
sequencing)
• Similar to encryption, but the MAC algorithm need
not be reversible
15. Why Use MACs?
–i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from
message use
16. Hash Function
• Converts a variable size message M into fixed
size hash code H(M) (Sometimes called a
message digest)
• Can be used with encryption for authentication
– E(M || H)
– M || E(H)
– M || signed H
– E( M || signed H ) gives confidentiality
– M || H( M || K )
– E( M || H( M || K ) )
20. Message Authentication Codes
• MAC = C_K(M)
• Key length requirements
–Sufficient key length to
thwart brute force attack
21. Hash Functions
• h = H(M)
• M is a variable-length message, h is a
fixed-length hash value, H is a hash
function
• The hash value is appended at the source
• The receiver authenticates the message
by recomputing the hash value
• Because the hash function itself is not
considered to be secret, some means is
required to protect the hash value
22. Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally
infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is
computationally infeasible to find any y ≠ x s.t.
H(x) = H(y)
6. H is strongly collision resistant: it is computationally
infeasible to find any x and y s.t. H(x) = H(y)
23. Hash Function Requirements
• One-way property is essential for
authentication
• Weak collision resistance is
necessary to prevent forgery
• Strong collision resistance is
important for resistance to birthday
attack
24. Simple Hash Functions
• Operation of hash functions
– The input is viewed as a sequence of n-bit blocks
– The input is processed one block at a time in an
iterative fashion to produce an n-bit hash code
• Simplest hash function: Bitwise XOR of every
block
– C_i = b_i1 ⊕ b_i2 ⊕ … ⊕ b_im
• C_i = i-th bit of the hash code, 1 ≤ i ≤ n
• m = number of n-bit blocks in the input
• b_ij = i-th bit in j-th block
– Known as longitudinal redundancy check
25. Simple Hash Functions
• Improvement over the
simple bitwise XOR
– Initially set the n-bit hash value to
zero
– Process each successive n-bit
block of data as follows
» Rotate the current hash value
to the left by one bit
» XOR the block into the hash
value
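The two simple hash functions of slides 24 and 25, as an added example that is not part of the slides: the plain bitwise XOR of all blocks (the longitudinal redundancy check) beside the rotate-then-XOR improvement, with n = 32. The function names and the sample messages are this example's own, and the last function shows two input manipulations that the plain XOR cannot detect.

```python
# Added example (not from the slides): the bitwise-XOR hash (longitudinal
# redundancy check) and the rotate-then-XOR improvement, both with n = 32 bits.
# Function names and sample messages are constructed for this example.

N_BITS = 32


def blocks(data: bytes, n_bits: int = N_BITS):
    """View the input as a sequence of n-bit blocks, zero-padding the last one."""
    n_bytes = n_bits // 8
    padded = data + b"\x00" * (-len(data) % n_bytes)
    return [int.from_bytes(padded[i:i + n_bytes], "big")
            for i in range(0, len(padded), n_bytes)]


def xor_hash(data: bytes, n_bits: int = N_BITS) -> int:
    """C_i = b_i1 XOR b_i2 XOR ... XOR b_im for every bit position i."""
    h = 0
    for block in blocks(data, n_bits):
        h ^= block
    return h


def rotl(x: int, k: int, n_bits: int = N_BITS) -> int:
    """Circular left shift of an n-bit value by k bits."""
    mask = (1 << n_bits) - 1
    return ((x << k) | (x >> (n_bits - k))) & mask


def rotxor_hash(data: bytes, n_bits: int = N_BITS) -> int:
    """Start from zero; for each block rotate the hash left one bit, then XOR."""
    h = 0
    for block in blocks(data, n_bits):
        h = rotl(h, 1, n_bits) ^ block
    return h


def compare_on_manipulated_input():
    """Two changes the plain XOR cannot see: swapping two blocks, and appending
    a block equal to the running checksum (which zeroes the XOR hash).
    Returns (swap_hidden_from_xor, swap_seen_by_rotxor, xor_zeroed_by_append)."""
    m1 = b"ABCDEFGHIJKL"                       # constructed: three 4-byte blocks
    m2 = b"EFGHABCDIJKL"                       # same blocks, first two swapped
    swap_hidden = xor_hash(m1) == xor_hash(m2)
    swap_seen = rotxor_hash(m1) != rotxor_hash(m2)
    m3 = m1 + xor_hash(m1).to_bytes(4, "big")  # append the checksum as a block
    zeroed = xor_hash(m3) == 0
    return swap_hidden, swap_seen, zeroed


if __name__ == "__main__":
    print(hex(xor_hash(b"ABCDEFGHIJKL")), hex(rotxor_hash(b"ABCDEFGHIJKL")))
    print(compare_on_manipulated_input())
```

The rotation makes block order matter, which is why the slide calls it an improvement, but neither variant is cryptographic: both are linear in the input, so a single appended block can steer the value to anything the sender chooses. They detect accidental errors; they do not authenticate.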
26. Applications of cryptographic hash
functions: Birthday Attack
• If the adversary can generate 2^(m/2) variants of a valid
message and an equal number of fraudulent
messages
• The two sets are compared to find one message from
each set with a common hash value
• The valid message is offered for signature
• The fraudulent message with the same hash value is
inserted in its place
• If a 64-bit hash code is used, the level of effort is only
on the order of 2^32
• Conclusion: the length of the hash code must be
substantial
27. BIRTHDAY ATTACKS
Birthday paradox
In a group of 23 randomly chosen people, at
least two will share a birthday with probability
at least 50%. If there are 30, the probability is
around 70%.
Finding two people with the same birthday is
the same thing as finding a collision for this
particular hash function.
28. BIRTHDAY ATTACKS
The probability that all 23 people have different birthdays is
$(1 - \tfrac{1}{365})(1 - \tfrac{2}{365}) \cdots (1 - \tfrac{22}{365}) \approx 0.493$
Therefore, the probability of at least two having the same birthday is 1 - 0.493 = 0.507.
More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then
$P(\text{there is a match}) \approx 1 - e^{-r^2/2N}$
29. BIRTHDAY ATTACKS
Choosing $r^2/2N = \ln 2$, we find that if $r \approx 1.177\sqrt{N}$, then the probability is 50% that at least two people choose the same object.
If there are N possibilities and we have a list of length $\sqrt{N}$, then there is a good chance of a match.
If we want to increase the chance of a match, we can make a list of length a constant times $\sqrt{N}$.
30. BIRTHDAY ATTACKS
(Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits?
(Solution) N = 1000, r = 40
1. Approximation: $1 - e^{-40^2/(2 \cdot 1000)} \approx 0.551$
2. The exact answer: $1 - (1 - \tfrac{1}{1000})(1 - \tfrac{2}{1000}) \cdots (1 - \tfrac{39}{1000}) \approx 0.546$
31. BIRTHDAY ATTACKS
What is the probability that none of these 40 license plates ends in the same 3 digits as yours?
$(1 - \tfrac{1}{1000})^{40} \approx 0.961$
The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.
32. BIRTHDAY ATTACKS
The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large.
Suppose h is an n-bit hash function. Then there are $N = 2^n$ possible outputs. We have the situation of a list of length $r \approx \sqrt{N}$ “people” with N possible “birthdays,” so there is a good chance of having two values with the same hash value.
If the hash function outputs 128-bit values, then the lists have length around $2^{64} \approx 10^{19}$, which is too large, both in time and in memory.
33. BIRTHDAY ATTACKS
Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group chooses the same object as someone from the second group?
$P(\text{there is a match between two groups}) \approx 1 - e^{-r^2/N}$
Eg. If we take N = 365 and r = 30, then
$P(\text{there is a match between two groups}) \approx 1 - e^{-30^2/365} \approx 0.915$
34. Generating 2^(m/2) Variants of Valid Messages
• Insert a number of
“space-backspace-space”
character pairs between
words throughout the
document.
Variations could then be
generated by substituting
“space-backspace-space”
in selected instances
• Alternatively, simply
reword the message but
retain the meaning
35. Brute-Force Attack of Hash Functions
• Three desirable properties of hash functions
– One-way: For any given code h, it is computationally infeasible to find
x s.t. H(x) = h
– Weak collision resistance: For any given block x, it is computationally
infeasible to find y ≠ x s.t. H(y) = H(x)
– Strong collision resistance: It is computationally infeasible to find any
pair (x, y) s.t. H(y) = H(x)
• Brute-force attack on n-bit hash code
– One-way and weak collision require 2^n effort
– Strong collision requires 2^(n/2) effort
– If strong collision resistance is required (and this is desirable for a
general-purpose secure hash code), 2^(n/2) determines the strength of
hash code against brute-force attack
– Currently, two most popular hash codes, SHA-1 and RIPEMD-160,
provide a 160-bit hash code length
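An added worked example, not part of the slides, that serves both the birthday slides (27 to 33) and the brute-force slide above. It carries the probabilities through in code: the single-list approximation $1 - e^{-r^2/2N}$ against the exact product, the fixed-plate case $(1 - 1/N)^r$, the two-group formula $1 - e^{-r^2/N}$ and the 50% list length $1.177\sqrt{N}$, then runs a birthday search on SHA-256 truncated to n bits so that the $2^{n/2}$ effort of a collision search can be seen next to the $2^n$ effort of the one-way case. Function names are this example's own; truncating to 16 bits is a constructed toy setting so the search finishes instantly.

```python
# Added example (not from the slides): birthday-bound probabilities and a
# birthday search against a truncated SHA-256.  n_bits = 16 is a toy setting
# chosen so the search finishes instantly; function names are this example's own.
import hashlib
import math


def p_match_exact(N: int, r: int) -> float:
    """Exact P(some two of r draws from N values coincide):
    1 - (1 - 1/N)(1 - 2/N)...(1 - (r-1)/N)."""
    p_all_distinct = 1.0
    for k in range(r):
        p_all_distinct *= 1 - k / N
    return 1 - p_all_distinct


def p_match_approx(N: int, r: int) -> float:
    """Slide approximation for one list of r draws: 1 - exp(-r^2 / 2N)."""
    return 1 - math.exp(-r * r / (2 * N))


def p_two_groups_approx(N: int, r: int) -> float:
    """Match between two lists of r draws each: 1 - exp(-r^2 / N)."""
    return 1 - math.exp(-r * r / N)


def p_fixed_value_unmatched(N: int, r: int) -> float:
    """P(none of r draws equals one fixed value): (1 - 1/N)^r.  This is the
    one-way / weak-collision situation, where r has to approach N."""
    return (1 - 1 / N) ** r


def r_for_half(N: int) -> float:
    """List length with a 50% match chance: sqrt(2 ln2 N) ~= 1.177 sqrt(N)."""
    return math.sqrt(2 * math.log(2) * N)


def truncated_sha256(msg: bytes, n_bits: int) -> int:
    """Low n_bits of SHA-256, standing in for an n-bit hash h."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") & ((1 << n_bits) - 1)


def find_collision(n_bits: int):
    """Birthday search: hash a deterministic message sequence and stop at the
    first repeated n-bit value.  Expected work is about sqrt(N) = 2^(n/2)
    hashes.  Returns (hashes_computed, msg_a, msg_b) or None."""
    seen = {}
    for i in range(1 << n_bits):
        msg = b"msg-%d" % i
        tag = truncated_sha256(msg, n_bits)
        if tag in seen:
            return i + 1, seen[tag], msg
        seen[tag] = msg
    return None


if __name__ == "__main__":
    print("23 people:", round(p_match_exact(365, 23), 3))
    print("40 plates:", round(p_match_approx(1000, 40), 3),
          round(p_match_exact(1000, 40), 3))
    print("none like yours:", round(p_fixed_value_unmatched(1000, 40), 3))
    print("two groups of 30:", round(p_two_groups_approx(365, 30), 3))
    tries, a, b = find_collision(16)
    print("16-bit collision after", tries, "hashes:", a, b)
```

With n = 16 the search typically stops after a few hundred hashes, close to $2^{8}$, whereas matching one fixed 16-bit value would need on the order of $2^{16}$; that gap is exactly why the slide sets hash length by the $2^{n/2}$ figure.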
36. Chapter 12 – Hash Algorithms
Each of the messages, like each one he had ever
read of Stern's commands, began with a number
and ended with a number or row of numbers. No
efforts on the part of Mungo or any of his experts
had been able to break Stern's code, nor was
there any clue as to what the preliminary
number and those ultimate numbers signified.
—Talking to Strange Men, Ruth Rendell
37. Hash Algorithms
• see similarities in the evolution of hash
functions & block ciphers
– increasing power of brute-force attacks
– leading to evolution in algorithms
– from DES to AES in block ciphers
– from MD4 & MD5 to SHA-1 & RIPEMD-160 in
hash algorithms
• likewise tend to use common iterative
structure as do block ciphers
38. MD5
• designed by Ronald Rivest (the R in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used
hash algorithm
– in recent times have both brute-force &
cryptanalytic concerns
• specified as Internet standard RFC1321
39. MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
– using 4 rounds of 16 steps each (bitwise operations on the
message block & buffer)
– add output to buffer input to form new buffer value
5. output hash value is the final buffer value
41. MD5 Compression Function
• each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer,
but used in varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear
function in each round (F,G,H,I)
• T[i] is a constant value derived from sin
43. Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is as good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
– Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
– Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon
44. Secure Hash Algorithm (SHA-1)
• SHA was designed by NIST & NSA in 1993,
revised 1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– nb. the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
45. SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing & shifting
– use 4 rounds of 20 steps each (bitwise operations on the
message block & buffer)
– add output to input to form new buffer value
5. output hash value is the final buffer value
46. SHA-1 Compression Function
• each round has 20 steps which replaces
the 5 buffer words thus:
(A,B,C,D,E) <-
((E + f(t,B,C,D) + (A<<<5) + W_t + K_t), A, (B<<<30), C, D)
• A,B,C,D,E refer to the 5 words of the buffer
• t is the step number
• f(t,B,C,D) is the nonlinear function for the round
• W_t is derived from the message block
• K_t is a constant value derived from sin
48. SHA-1 versus MD5
• brute force attack is harder (160 vs 128
bits for MD5)
• not vulnerable to any known attacks
(compared to MD4/5)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big-endian CPUs (vs MD5
which is optimised for little-endian CPUs)
49. NIST: Revised Secure Hash
Standard
• NIST have issued a revision FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
50. Well Known Hash Functions
• MD5
– output 128 bits
– collision resistance completely broken by researchers in China in
2004
• SHA1
– output 160 bits
– no collision found yet, but methods exist to find collisions in less
than 2^80
– considered insecure for collision resistance
– one-wayness still holds
• SHA2 (SHA-224, SHA-256, SHA-384, SHA-512)
– outputs 224, 256, 384, and 512 bits, respectively
– No real security concerns yet
51. Merkle-Damgard Construction
for Hash Functions
• Message is divided into fixed-size blocks and padded
• Uses a compression function f, which takes a chaining variable (of
size of hash output) and a message block, and outputs the next
chaining variable
• Final chaining variable is the hash value
M = m_1 m_2 … m_n; C_0 = IV, C_i = f(C_{i-1}, m_i) for 1 ≤ i ≤ n; H(M) = C_n
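The Merkle-Damgard iteration of this slide, as an added example that is not part of the slides: a generic chaining loop with the message-length padding that real designs use, driven by a deliberately toy compression function f. The compression function, block size and IV are constructed for illustration and have no cryptographic strength; the point is the structure C_0 = IV, C_i = f(C_{i-1}, m_i), H(M) = C_n.

```python
# Added example (not from the slides): the Merkle-Damgard iteration
# C_0 = IV, C_i = f(C_{i-1}, m_i), H(M) = C_n with MD-strengthening padding.
# The compression function below is a TOY mixer constructed for illustration;
# it is not collision resistant and nothing here is a real hash design.
import struct

BLOCK = 8                       # bytes per message block m_i (toy size)
IV = 0x0123456789ABCDEF         # constructed initial chaining value
MASK64 = (1 << 64) - 1


def toy_compress(chain: int, block: bytes) -> int:
    """f(C, m): 64-bit chaining value and 64-bit block in, 64-bit value out."""
    m = int.from_bytes(block, "big")
    x = chain ^ m
    for _ in range(4):                      # a few rotate / multiply / add rounds
        x = ((x << 13) | (x >> 51)) & MASK64
        x = (x * 0x9E3779B97F4A7C15 + m) & MASK64
    return x


def md_pad(msg: bytes) -> bytes:
    """Append 0x80, then zeros, then the 64-bit bit-length, up to a multiple
    of BLOCK.  Encoding the length makes the padding unambiguous."""
    bit_len = 8 * len(msg)
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", bit_len)


def chain_values(msg: bytes, f=toy_compress, iv: int = IV):
    """All chaining variables C_0, C_1, ..., C_n for msg; C_n is the hash."""
    out = [iv]
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        out.append(f(out[-1], padded[i:i + BLOCK]))
    return out


def hash_md(msg: bytes) -> int:
    """H(M) = C_n."""
    return chain_values(msg)[-1]


if __name__ == "__main__":
    for m in (b"", b"abc", b"abd", b"a" * 20):
        print(len(md_pad(m)) // BLOCK, "blocks", hex(hash_md(m)))
```

Note what `chain_values` makes visible: the final chaining variable is the whole internal state, so anyone who knows H(M) and the length of M can keep iterating f from there. That is the property the later slide on h(K || M) warns about, and the reason HMAC wraps the inner hash in a second keyed hash instead of exposing a bare chaining value.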
52. NIST SHA-3 Competition
• NIST is having an ongoing competition for SHA-3, the next
generation of standard hash algorithms
• 2007: Request for submissions of new hash functions
• 2008: Submissions deadline. Received 64 entries.
Announced first-round selections of 51 candidates.
• 2009: After First SHA-3 candidate conference in Feb,
announced 14 Second Round Candidates in July.
• 2010: After one year public review of the algorithms, hold
second SHA-3 candidate conference in Aug. Announced 5
Third-round candidates in Dec.
• 2011: Public comment for final round
• 2012: October 2, NIST selected SHA3
– Keccak (pronounced “catch-ack”) created by Guido
Bertoni, Joan Daemen, Gilles Van Assche, Michaël Peeters
53. Sponge construction: used by SHA3
• Each round, the next r bits of the message are XORed into the
first r bits of the state, and a function f is applied to the state.
• After the message is consumed, output r bits of each round as
the hash output; continue applying f to get new states
• SHA-3 uses 1600 bits for state size
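The absorb/squeeze structure just described, as an added example that is not part of the slides. The state is 32 bits with rate r = 8 and capacity 24, and f is a toy invertible mixer; none of this is Keccak (whose state is the 1600 bits the slide mentions), and the permutation, padding helper and names are constructed for this example only.

```python
# Added example (not from the slides): the sponge construction with toy sizes
# (state b = 32 bits, rate r = 8, capacity c = 24) and a TOY permutation f.
# This is not Keccak; the permutation and constants are constructed to show the
# absorb/squeeze structure only.
B_BITS, R_BITS = 32, 8
MASK = (1 << B_BITS) - 1
RATE_BYTES = R_BITS // 8


def toy_f(state: int) -> int:
    """Toy permutation on the b-bit state (xorshift-style steps, invertible)."""
    x = state & MASK
    for _ in range(3):
        x ^= (x << 13) & MASK
        x ^= x >> 17
        x ^= (x << 5) & MASK
        x = (x + 0x9E3779B9) & MASK
    return x


def pad10star1(msg: bytes) -> bytes:
    """Keccak-style multi-rate padding: a 1 bit, zeros, a final 1 bit, so the
    padded message is a whole number of r-bit blocks."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % RATE_BYTES)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge(msg: bytes, out_len: int) -> bytes:
    """Absorb: XOR each r-bit block into the first r bits of the state, apply f.
    Squeeze: emit the first r bits, apply f, repeat until out_len bytes."""
    state = 0
    padded = pad10star1(msg)
    for i in range(0, len(padded), RATE_BYTES):
        block = int.from_bytes(padded[i:i + RATE_BYTES], "big")
        state ^= block << (B_BITS - R_BITS)      # only the rate part is touched
        state = toy_f(state)
    out = bytearray()
    while len(out) < out_len:
        out += (state >> (B_BITS - R_BITS)).to_bytes(RATE_BYTES, "big")
        state = toy_f(state)
    return bytes(out[:out_len])


if __name__ == "__main__":
    print(sponge(b"abc", 16).hex())
    print(sponge(b"abd", 16).hex())
```

The capacity bits are never output and never directly XORed with message data, which is what separates the sponge from the Merkle-Damgard chain: the squeezed output does not reveal the whole state, so the hash value alone does not let anyone resume the computation.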
54. Choosing the length of Hash outputs
• The Weakest Link Principle:
– A system is only as secure as its weakest link.
• Hence all links in a system should have
similar levels of security.
• Because of the birthday attack, the length of
hash outputs in general should double the
key length of block ciphers
– SHA-224 matches the 112-bit strength of triple-
DES (encryption 3 times using DES)
– SHA-256, SHA-384, SHA-512 match the new key
lengths (128,192,256) in AES
55. Limitation of Using Hash Functions
for Authentication
• Require an authentic channel to transmit
the hash of a message
– Without such a channel, it is insecure,
because anyone can compute the hash value
of any message, as the hash function is public
– Such a channel may not always exist
• How to address this?
– use more than one hash function
– use a key to select which one to use
56. Hash Family
• A hash family is a four-tuple (X,Y,K,H ),
where
– X is a set of possible messages
– Y is a finite set of possible message digests
– K is the keyspace
– For each K ∈ K, there is a hash function h_K ∈ H.
Each h_K: X → Y
• Alternatively, one can think of H as a
function K × X → Y
57. Message Authentication Code
• A MAC scheme is a hash family, used for
message authentication
• MAC(K,M) = H_K(M)
• The sender and the receiver share secret K
• The sender sends (M, H_K(M))
• The receiver receives (X,Y) and verifies that
H_K(X) = Y; if so, then accepts the message as
from the sender
• To be secure, an adversary shouldn’t be able
to come up with (X’,Y’) such that H_K(X’) = Y’.
58. Security Requirements for MAC
• Resist the Existential Forgery under Chosen
Plaintext Attack
– Challenger chooses a random key K
– Adversary chooses a number of messages M_1,
M_2, .., M_n, and obtains t_j = MAC(K, M_j) for 1 ≤ j ≤ n
– Adversary outputs M’ and t’
– Adversary wins if M’ ≠ M_j for all j, and t’ = MAC(K, M’)
• Basically, adversary cannot create the MAC
for a message for which it hasn’t seen an
MAC
59. Constructing MAC from Hash
Functions
• Let h be a one-way hash function
• MAC(K,M) = h(K || M), where || denotes
concatenation
– Insecure as MAC
– Because of the Merkle-Damgard construction
for hash functions, given M and t=h(K || M),
adversary can compute M’=M||Pad(M)||X and
t’, such that h(K||M’) = t’
60. HMAC: Constructing MAC from
Cryptographic Hash Functions
• K+ is the key padded (with 0) to B bytes, the
input block size of the hash function
• ipad = the byte 0x36 repeated B times
• opad = the byte 0x5C repeated B times.
HMAC_K[M] = Hash[(K+ ⊕ opad) || Hash[(K+ ⊕ ipad) || M]]
At a high level, HMAC_K[M] = H(K || H(K || M))
61. HMAC Security
• If used with a secure hash function
(e.g., SHA-256) and according to the
specification (key size, and use correct
output), no known practical attacks
against HMAC
62. Keyed Hash Functions as MACs
• have desire to create a MAC using a hash
function rather than a block cipher
– because hash functions are generally faster
– not limited by export controls unlike block ciphers
• hash includes a key along with the message
• original proposal:
KeyedHash = Hash(Key|Message)
– some weaknesses were found with this
• eventually led to development of HMAC
63. HMAC
• specified as Internet standard RFC2104
• uses hash function on the message:
HMAC_K = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than
the message needs alone
• any of MD5, SHA-1, RIPEMD-160 can be used
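The MAC exchange of slide 57 and the HMAC construction of slides 60 and 63, as one added example that is not part of the slides: HMAC written out from its definition (K+ zero-padded to the hash block size, ipad = 0x36, opad = 0x5C), a sender/receiver pair that uses it, a check against Python's own `hmac` module, and the first HMAC-SHA-256 test vector from RFC 4231. The shared key, the messages and the function names are constructed for this example.

```python
# Added example (not from the slides): the MAC exchange of the slides built on
# HMAC written out from its definition, checked against Python's hmac module and
# the RFC 4231 test vector.  Sample key and messages are constructed.
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_fn=hashlib.sha256) -> bytes:
    """HMAC_K[M] = H[(K+ xor opad) || H[(K+ xor ipad) || M]]."""
    B = hash_fn().block_size                    # hash input block size (64 for SHA-256)
    if len(key) > B:                            # RFC 2104: hash keys longer than B
        key = hash_fn(key).digest()
    k_plus = key + b"\x00" * (B - len(key))     # K+: key zero-padded to B bytes
    k_ipad = bytes(b ^ 0x36 for b in k_plus)    # ipad = 0x36 repeated B times
    k_opad = bytes(b ^ 0x5C for b in k_plus)    # opad = 0x5C repeated B times
    inner = hash_fn(k_ipad + msg).digest()
    return hash_fn(k_opad + inner).digest()


def mac_send(key: bytes, msg: bytes):
    """Sender transmits (M, H_K(M))."""
    return msg, hmac_from_definition(key, msg)


def mac_receive(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver gets (X, Y), recomputes H_K(X) and checks it equals Y.
    compare_digest avoids leaking the position of the first mismatch via timing."""
    return hmac.compare_digest(hmac_from_definition(key, msg), tag)


def rfc4231_case1() -> str:
    """HMAC-SHA-256 test case 1 from RFC 4231 (key = 20 x 0x0b, "Hi There")."""
    return hmac_from_definition(b"\x0b" * 20, b"Hi There").hex()


def demo():
    """Returns (accepted, tampered_accepted, wrong_key_accepted, matches_stdlib)."""
    key = b"shared-secret-key"                  # constructed
    msg, tag = mac_send(key, b"transfer 100 to alice")
    accepted = mac_receive(key, msg, tag)
    tampered = mac_receive(key, b"transfer 900 to alice", tag)
    wrong_key = mac_receive(b"not-the-key", msg, tag)
    matches_stdlib = tag == hmac.new(key, msg, hashlib.sha256).digest()
    return accepted, tampered, wrong_key, matches_stdlib


if __name__ == "__main__":
    print(demo())
    print(rfc4231_case1())
```

Two points of practice sit in `mac_receive`: the receiver never trusts the received Y, it recomputes the tag from X and compares, and the comparison is constant-time. The slide's three extra hash computations are visible as well: `hash_fn(k_ipad + msg)` is the message hash plus one block, and the outer hash adds two more.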
65. HMAC Security
• know that the security of HMAC relates to
that of the underlying hash algorithm
• attacking HMAC requires either:
– brute force attack on key used
– birthday attack (but since keyed would need
to observe a very large number of messages)
• choose hash function used based on
speed versus security constraints
66. Chapter 13 –Digital Signatures &
Authentication Protocols
To guard against the baneful influence exerted by
strangers is therefore an elementary dictate of savage
prudence. Hence before strangers are allowed to enter a
district, or at least before they are permitted to mingle
freely with the inhabitants, certain ceremonies are often
performed by the natives of the country for the purpose
of disarming the strangers of their magical powers, or of
disinfecting, so to speak, the tainted atmosphere by
which they are supposed to be surrounded.
—The Golden Bough, Sir James George Frazer
67. Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
68. Digital Signature Standard (DSS)
• US Govt approved signature scheme FIPS 186
• uses the SHA hash algorithm
• designed by NIST & NSA in the early 90s
• DSS is the standard, DSA is the algorithm
• a variant on ElGamal and Schnorr schemes
• creates a 320 bit signature, but with 512-1024
bit security
• security depends on difficulty of computing
discrete logarithms
69. DSA Key Generation
• have shared global public key values (p,q,g):
– a large prime p of L bits
• where L = 512 to 1024 bits and is a multiple of 64
– choose q, a 160-bit prime factor of p-1
– choose g = h^((p-1)/q) (mod p)
• where 1 < h < p-1 and h^((p-1)/q) (mod p) > 1
• users choose private & compute public key:
– choose x < q
– compute y = g^x (mod p)
70. DSA Signature Creation
• to sign a message M the sender:
– generates a random signature key k, k<q
– nb. k must be random, be destroyed after
use, and never be reused
• then computes signature pair:
r = (g^k (mod p)) (mod q)
s = (k^(-1) · (SHA(M) + x·r)) (mod q)
• sends signature (r,s) with message M
71. DSA Signature Verification
• having received M & signature (r,s)
• to verify a signature, recipient computes:
w = s^(-1) (mod q)
u1 = (SHA(M)·w) (mod q)
u2 = (r·w) (mod q)
v = (g^u1 · y^u2 (mod p)) (mod q)
• if v=r then signature is verified
• see book web site for details of proof why
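The three DSA slides (key generation, signature creation, verification) carried through as one added example that is not part of the slides. It generates global parameters (p, q, g) at toy sizes with a seeded Miller-Rabin search so the numbers are reproducible, then signs and verifies exactly as the slides state. The sizes (64-bit q, 128-bit p), the reduction of SHA-256 modulo q in place of the standard's leftmost-bits rule, and all names are this example's own assumptions; real DSA uses 2048/3072-bit p and 224/256-bit q.

```python
# Added example (not from the slides): DSA key generation, signing and
# verification as on the slides, over parameters generated at toy sizes
# (64-bit q, 128-bit p).  Real DSA uses far larger p and q and takes the
# leftmost bits of the hash; here SHA-256 is reduced mod q.  Names are this
# example's own.
import hashlib
import random
import secrets


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(q_bits: int = 64, p_bits: int = 128, seed: int = 2024):
    """Global (p, q, g): q prime, p = m*q + 1 prime, g = h^((p-1)/q) mod p > 1.
    Seeded so the toy parameters are reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        m = rng.getrandbits(p_bits - q_bits)
        p = m * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            g = pow(rng.randrange(2, p - 1), m, p)     # m = (p-1)/q
            if g > 1:
                return p, q, g


def hash_mod_q(msg: bytes, q: int) -> int:
    """SHA(M) as an integer mod q (simplification of the leftmost-bits rule)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def keygen(p: int, q: int, g: int):
    """Private x < q, public y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(msg: bytes, x: int, p: int, q: int, g: int):
    """r = (g^k mod p) mod q, s = k^-1 (SHA(M) + x r) mod q, fresh random k per
    signature; a reused or predictable k exposes x, hence the slide's rule."""
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_mod_q(msg, q) + x * r) % q
        if r and s:
            return r, s


def verify(msg: bytes, sig, y: int, p: int, q: int, g: int) -> bool:
    """w = s^-1, u1 = SHA(M) w, u2 = r w, v = (g^u1 y^u2 mod p) mod q; accept iff v == r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):          # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = hash_mod_q(msg, q) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r


def demo():
    """Returns (valid_accepted, tampered_accepted, wrong_key_accepted)."""
    p, q, g = gen_params()
    x, y = keygen(p, q, g)
    msg = b"pay 100 to alice"                     # constructed
    sig = sign(msg, x, p, q, g)
    other_y = pow(g, x % (q - 1) + 1, p)          # public key of a different x
    return (verify(msg, sig, y, p, q, g),
            verify(b"pay 900 to alice", sig, y, p, q, g),
            verify(msg, sig, other_y, p, q, g))


if __name__ == "__main__":
    print(demo())
```

The range check at the top of `verify` is not decoration: a verifier that skips it will happily compute `pow(s, -1, q)` for values outside (0, q) and can be driven into accepting malformed signatures, so checking 0 < r, s < q comes before any arithmetic. Verification needs only the public values (p, q, g, y), which is what lets a third party settle a dispute, as the digital signature slides require.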