Cryptography and Network

Security
Fifth Edition
by William Stallings

Chapter 11
Cryptographic Hash Functions
 Hash Functions
condenses arbitrary message to fixed size
h = H(M)
usually assume hash function is public
hash used to detect changes to message
want a cryptographic hash function
computationally infeasible to find data mapping to specific hash (one-way property)
computationally infeasible to find two data to same hash (collision-free property)
Cryptographic Hash Function
Hash Functions
& Message
Authent-ication
Hash Functions & Digital Signatures
Other Hash Function Uses

• to create a one-way password file

• store hash of password not actual password
• for intrusion detection and virus detection
• keep & check hash of files on system
• pseudorandom function (PRF) or pseudorandom number generator
(PRNG)
 Two Simple Insecure Hash Functions

• consider two simple insecure hash functions

• bit-by-bit exclusive-OR (XOR) of every block
• Ci = bi1 xor bi2 xor . . . xor bim
• a longitudinal redundancy check
• reasonably effective as data integrity check
• one-bit circular shift on hash value
• for each successive n-bit block
• rotate current hash value to left by1bit and XOR block
• good for data integrity but useless for security
Hash Function Requirements
 Attacks on Hash Functions
have brute-force attacks and cryptanalysis
a preimage or second preimage attack
find y s.t. H(y) equals a given hash value
collision resistance
find two messages x & y with same hash so H(x) = H(y)
hence value 2m/2 determines strength of hash code against brute-force
attacks
128-bits inadequate, 160-bits suspect
 Birthday Attacks
• might think a 64-bit hash is secure
• but by Birthday Paradox is not
• birthday attack works thus:
• given user prepared to sign a valid message x
m
• opponent generates 2 /2 variations x’ of x, all with essentially the same meaning,
and saves them
m
• opponent generates 2 /2 variations y’ of a desired fraudulent message y
• two sets of messages are compared to find pair with same hash (probability > 0.5
by birthday paradox)
• have user sign the valid message, then substitute the forgery which will have a
valid signature
• conclusion is that need to use larger MAC/hash
 Hash Function Cryptanalysis
cryptanalytic attacks exploit some property of alg so faster than
exhaustive search
hash functions use iterative structure
process message in blocks (incl length)
attacks focus on collisions in function f
 Block Ciphers as Hash Functions
• can use block ciphers as hash functions
• using H0=0 and zero-pad of final block
• compute: Hi = EMi [Hi-1]
• and use final block as the hash value
• similar to CBC but without a key
• resulting hash is too small (64-bit)
• both due to direct birthday attack
• and to “meet-in-the-middle” attack
• other variants also susceptible to attack
Secure Hash Algorithm
SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications
Revised Secure Hash Standard

NIST issued revision FIPS 180-2 in 2002

adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the
AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher
 SHA Versions
SHA-1 SHA-224 SHA-256 SHA-384 SHA-512
Message
digest size 160 224 256 384 512

Message size < 264 < 264 < 264 < 2128 < 2128
Block size 512 512 512 1024 1024
Word size 32 32 32 64 64
Number of
steps 80 64 64 80 80
SHA-512 Overview
SHA-512 Compression Function

heart of the algorithm

processing message in 1024-bit blocks
consists of 80 rounds
updating a 512-bit buffer
using a 64-bit value Wt derived from the current message block
and a round constant based on cube root of first 80 prime numbers
SHA-512 Round Function
SHA-512 Round Function
 SHA-3
• SHA-1 not yet "broken”
• but similar to broken MD5 & SHA-0
• so considered insecure
• SHA-2 (esp. SHA-512) seems secure
• shares same structure and mathematical operations as predecessors so have
concern
• NIST announced in 2007 a competition for the SHA-3 next gen NIST hash
function
• goal to have in place by 2012 but not fixed
 SHA-3 Requirements
replace SHA-2 with SHA-3 in any use
so use same hash sizes
preserve the online nature of SHA-2
so must process small blocks (512 / 1024 bits)
evaluation criteria
security close to theoretical max for hash sizes
cost in time & memory
characteristics: such as flexibility & simplicity
Summary

• have considered:
• hash functions
• uses, requirements, security
• hash functions based on block ciphers
• SHA-1, SHA-2, SHA-3
Cryptography and Network
Security
Fifth Edition
by William Stallings

Chapter 12
Message Authentication Codes
Message Authentication

• message authentication is concerned with:

• protecting the integrity of a message
• validating identity of originator
• non-repudiation of origin (dispute resolution)
• will consider the security requirements
• then three alternative functions used:
• hash function (see Ch 11)
• message encryption
• message authentication code (MAC)
Message Security Requirements

• disclosure
• traffic analysis
• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation
Symmetric Message Encryption
encryption can also provides authentication
if symmetric encryption is used then:
receiver know sender must have created it
since only sender and receiver now key used
know content cannot of been altered
if message has suitable structure, redundancy or a checksum to detect any
changes
Public-Key Message Encryption
• if public-key encryption is used:
• encryption provides no confidence of sender
• since anyone potentially knows public-key
• however if
• sender signs message using their private-key
• then encrypts with recipients public key
• have both secrecy and authentication
• again need to recognize corrupted messages
• but at cost of two public-key uses on message
Message Authentication Code (MAC)

• generated by an algorithm that creates a small fixed-sized block

• depending on both message and some key
• like encryption though need not be reversible
• appended to message as a signature
• receiver performs same computation on message and checks it
matches the MAC
• provides assurance that message is unaltered and comes from sender
Message Authentication Code
asmall fixed-sized block of data
 generated from message + secret key
 MAC = C(K,M)
 appended to message when sent
Message Authentication Codes

• as shown the MAC provides authentication

• can also use encryption for secrecy
• generally use separate keys for each
• can compute MAC either before or after encryption
• is generally regarded as better done before
• why use a MAC?
• sometimes only authentication is needed
• sometimes need authentication to persist longer than the encryption (eg.
archival use)
• note that a MAC is not a digital signature
MAC Properties

• a MAC is a cryptographic checksum

MAC = CK(M)
• condenses a variable-length message M
• using a secret key K
• to a fixed-sized authenticator
• is a many-to-one function
• potentially many messages have same MAC
• but finding these needs to be very difficult
Requirements for MACs

• taking into account the types of attacks

• need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message with
same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
Security of MACs

• like block ciphers have:

• brute-force attacks exploiting
m/
• strong collision resistance hash have cost 2 2

• 128-bit hash looks vulnerable, 160-bits better

• MACs with known message-MAC pairs
• can either attack keyspace (cf key search) or MAC
• at least 128-bit MAC is needed for security
Security of MACs

• cryptanalytic attacks exploit structure

• like block ciphers want brute-force attacks to be the best alternative
• more variety of MACs so harder to generalize about cryptanalysis
 Keyed Hash Functions as MACs
want a MAC based on a hash function
because hash functions are generally faster
crypto hash function code is widely available
hash includes a key along with message
original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
eventually led to development of HMAC
 HMAC Design Objectives
use, without modifications, hash functions
allow for easy replaceability of embedded hash function
preserve original performance of hash function without significant
degradation
use and handle keys in a simple way.
have well understood cryptographic analysis of authentication mechanism
strength
HMAC

• specified as Internet standard RFC2104

• uses hash function on the message:
HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M)] ]
• where K+ is the key padded out to size
• opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs
alone
• any hash function can be used
• eg. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Overview
HMAC Security

• proved security of HMAC relates to that of the underlying hash

algorithm
• attacking HMAC requires either:
• brute force attack on key used
• birthday attack (but since keyed would need to observe a very large number
of messages)
• choose hash function used based on speed verses security
constraints
Using Symmetric Ciphers for MACs

• can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on
DES-CBC
• using IV=0 and zero-pad of final block
• encrypt message using DES in CBC mode
• and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security
Data Authentication Algorithm
CMAC

• previously saw the DAA (CBC-MAC)

• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message Authentication Code (CMAC)
• adopted by NIST SP800-38B
CMAC Overview
 Authenticated Encryption
simultaneously protect confidentiality and authenticity of communications
often required but usually separate
approaches
Hash-then-encrypt: E(K, (M || H(M))
MAC-then-encrypt: E(K2, (M || MAC(K1, M))
Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C)
Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)
 decryption /verification straightforward
but security vulnerabilities with all these
Pseudorandom Number Generation (PRNG)
Using Hash Functions and MACs

• essential elements of PRNG are

• seed value
• deterministic algorithm
• seed must be known only as needed
• can base PRNG on
• encryption algorithm (Chs 7 & 10)
• hash function (ISO18031 & NIST SP 800-90)
• MAC (NIST SP 800-90)
 PRNG using a Hash Function
hash PRNG from SP800-90 and
ISO18031
take seed V
repeatedly add 1
hash V
use n-bits of hash as random value
secure if good hash used
 PRNG using a MAC
MAC PRNGs in SP800-90,
IEEE 802.11i, TLS
use key
input based on last hash in
various ways
Summary

• have considered:
• message authentication requirements
• message authentication using encryption
• MACs
• HMAC authentication using a hash function
• CMAC authentication using a block cipher
• Pseudorandom Number Generation (PRNG) using Hash Functions and MACs
Cryptography and Network
Security
Fifth Edition
by William Stallings

Chapter 13
Digital Signatures
Digital Signatures

• have looked at message authentication

• but does not address issues of lack of trust
• digital signatures provide the ability to:
• verify author, date & time of signature
• authenticate message contents
• be verified by third parties to resolve disputes
• hence include authentication function with additional capabilities
Digital Signature Model
Digital
Signature
Model
 Attacks and Forgeries
• attacks
• key-only attack
• known message attack
• generic chosen message attack
• directed chosen message attack
• adaptive chosen message attack
• break success levels
• total break
• selective forgery
• existential forgery
Digital Signature Requirements

must depend on the message signed

must use information unique to sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given message
be practical save digital signature in storage
Direct Digital Signatures

• involve only sender & receiver

• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with
private-key
• can encrypt using receivers public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key
 ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
• so uses exponentiation in a finite (Galois)
• with security based difficulty of computing discrete logarithms, as in D-H
• use private key for encryption (signing)
• uses public key for decryption (verification)
• each user (eg. A) generates their key
• chooses a secret key (number): 1 < xA < q-1
x
• compute their public key: yA = a A mod q
 ElGamal Digital Signature
• Alice signs a message M to Bob by computing
• the hash m = H(M), 0 <= m <= (q-1)
• chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
k
• compute temporary key: S1 = a mod q
• compute K-1 the inverse of K mod (q-1)
• compute the value: S2 = K-1(m-xAS1) mod (q-1)
• signature is:(S1,S2)
• any user B can verify the signature by computing
m
• V1 = a mod q
• V2 = yAS1 S1S2 mod q
• signature is valid if V1 = V2
 ElGamal Signature Example
• use field GF(19) q=19 and a=10
• Alice computes her key:
16
• A chooses xA=16 & computes yA=10 mod 19 = 4
• Alice signs message with hash m=14 as (3,4):
• choosing random K=5 which has gcd(18,5)=1
5
• computing S1 = 10 mod 19 = 3
• finding K-1 mod (q-1) = 5-1 mod 18 = 11
• computing S2 = 11(14-16.3) mod 18 = 4
• any user B can verify the signature by computing
14
• V1 = 10 mod 19 = 16
• V2 = 43.34 = 5184 = 16 mod 19
• since 16 = 16 signature is valid
 Schnorr Digital Signatures
• also uses exponentiation in a finite (Galois)
• security based on discrete logarithms, as in D-H
• minimizes message dependent computation
• multiplying a 2n-bit integer with an n-bit integer
• main work can be done in idle time
• have using a prime modulus p
• p–1 has a prime factor q of appropriate size
• typically p 1024-bit and q 160-bit numbers
 Schnorr Key Setup
• choose suitable primes p , q
q
• choose a such that a = 1 mod p
• (a,p,q) are global parameters for all
• each user (eg. A) generates a key
• chooses a secret key (number): 0 < sA < q
-sA
• compute their public key: vA = a mod q
 Schnorr Signature
• user signs message by
• choosing random r with 0<r<q and computing x = ar mod p
• concatenate message with x and hash result to computing: e = H(M || x)
• computing: y = (r + se) mod q
• signature is pair (e, y)
• any other user can verify the signature as follows:
• computing: x' = ayve mod p
• verifying that: e = H(M || x’)
 Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature
variants
• DSA is digital signature only unlike RSA
• is a public-key technique
DSS vs RSA Signatures
 Digital Signature Algorithm (DSA)
creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing discrete logarithms
variant of ElGamal & Schnorr schemes
 DSA Key Generation
• have shared global public key values (p,q,g):
• choose 160-bit prime number q
• choose a large prime p with 2L-1 < p < 2L
• where L= 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
• choose g = h(p-1)/q
• where 1<h<p-1 and h(p-1)/q mod p > 1
• users choose private & compute public key:
• choose random private key: x<q
• compute public key: y = gx mod p
DSA Signature Creation

to sign a message M the sender:

generates a random signature key k, k<q
nb. k must be random, be destroyed after use, and never be reused
then computes signature pair:
r = (gk mod p)mod q
s = [k-1(H(M)+ xr)] mod q
sends signature (r,s) with message M
DSA Signature Verification

• having received M & signature (r,s)

• to verify a signature, recipient computes:
w = s-1 mod q
u1= [H(M)w ]mod q
u2= (rw)mod q
v = [(gu1 yu2)mod p ]mod q
• if v=r then signature is verified
• see Appendix A for details of proof why
DSS Overview
Summary

• have discussed:
• digital signatures
• ElGamal & Schnorr signature schemes
• digital signature algorithm and standard