UNIT –2

Symmetric Public key Cryptography Principles, RSA algorithm, Key Management, Diffie-
Hellman Key Exchange, Elliptic Curve Cryptography. Message authentication and Hash
Functions, Authentication Requirements and Functions, Message Authentication, Hash Functions
and MACs Hash and MAC Algorithms SHA-512, HMAC.

Public Key Cryptography

The development of public-key cryptography is the greatest and perhaps the only true
revolution in the entire history of cryptography. It is asymmetric, involving the use of two
separate keys, in contrast to symmetric encryption, which uses only one key. Public key
schemes are neither more nor less secure than private key (security depends on the key size
for both). Public-key cryptography complements rather than replaces symmetric
cryptography. Both also have issues with key distribution, requiring the use
of some suitable protocol. The concept of public-key cryptography evolved from an attempt
to attack two of the most difficult problems associated with symmetric encryption:
1.) key distribution – how to have secure communications in general without having to trust a
KDC with your key

2.) digital signatures – how to verify a message comes intact from the claimed sender
Public-key/two-key/asymmetric cryptography involves the use of two keys:
 a public-key, which may be known by anybody, and can be used to encrypt
messages, and verify signatures
 a private-key, known only to the recipient, used to decrypt messages, and sign
(create) signatures.
 is asymmetric because those who encrypt messages or verify signatures cannot
decrypt messages or create signatures

Public-Key algorithms rely on one key for encryption and different but related key for
decryption. These algorithms have the following important characteristics:
 it is computationally infeasible to find decryption key knowing only algorithm &
encryption key
 it is computationally easy to en/decrypt messages when the relevant (en/decrypt)
key is known
 either of the two related keys can be used for encryption, with the other used for
decryption (for some algorithms like RSA)

The following figure illustrates public-key encryption process and shows that a public-key
encryption scheme has six ingredients: plaintext, encryption algorithm, public & private keys,
cipher text & decryption algorithm.

48
The essential steps involved in a public-key encryption scheme are given below:
1.) Each user generates a pair of keys to be used for encryption and decryption.

2.) Each user places one of the two keys in a public register and the other key is kept private.

3.) If B wants to send a confidential message to A, B encrypts the message using A’s public
key.

4.) When A receives the message, she decrypts it using her private key. Nobody else can
decrypt the message because that can only be done using A’s private key (Deducing a private
key should be infeasible).

5.) If a user wishes to change his keys –generate another pair of keys and publish the public
one: no interaction with other users is needed. Notations used in Public-key cryptography:
 The public key of user A will be denoted KUA.
 The private key of user A will be denoted KRA.
 Encryption method will be a function E.
 Decryption method will be a function D.
 If B wishes to send a plain message X to A, then he sends the cryptotext
Y=E(KUA,X)
 The intended receiver A will decrypt the message: D(KRA,Y)=X

The first attack on Public-key Cryptography is the attack on Authenticity. An attacker may
impersonate user B: he sends a message E(KUA,X) and claims in the message to be B –A has no
guarantee this is so. To overcome this, B will encrypt the message using his private key:
Y=E(KRB,X). Receiver decrypts using B’s public key KRB. This shows the authenticity of the
sender because (supposedly) he is the only one who knows the private key. The entire encrypted
message serves as a digital signature. This scheme is depicted in the following figure:

49
But, a drawback still exists. Anybody can decrypt the message using B’s public key. So, secrecy
or confidentiality is being compromised. One can provide both authentication and confidentiality
using the public-key scheme twice:

B encrypts X with his private key: Y=E(KRB,X)

B encrypts Y with A’s public key: Z=E(KUA,Y)

A will decrypt Z (and she is the only one capable of doing it): Y=D(KRA,Z)

A can now get the plaintext and ensure that it comes from B (he is the only one who knows
his private key): decrypt Y using B’s public key: X=E(KUB,Y).

50
Applications For Public-Key Cryptosystems:
1.) Encryption/decryption: sender encrypts the message with the receiver’s public key.

2.) Digital signature: sender “signs” the message (or a representative part of the message)
using his private key

3.) Key exchange: two sides cooperate to exchange a secret key for later use in a secret-key
cryptosystem.

The main requirements of Public-key cryptography are:

1. Computationally easy for a party B to generate a pair (public key KUb, privatekey
KRb).
2. Easy for sender A to generate cipher text:
3. Easy for the receiver B to decrypt cipher text using private key:
4. Computationally infeasible to determine private key (KRb) knowing public key
(KUb)
5. Computationally infeasible to recover message M, knowing KUb and cipher text C
6. either of the two keys can be used for encryption, with the other used for
decryption:
M= DKRb[EKUb(M)]=DKUb[EKRb(M)]
Easy is defined to mean a problem that can be solv ing polynomial time as a function of
input length. A problem is infeasible if the effort to solve it grows faster than polynomial time as
a function of input size. Public-key cryptosystems usually rely on difficult math functions rather
than -P networks as classical cryptosystems. One-way function is one, easy to calculate in one
direction, infeasible to calculate in the other direction (i.e., the inverse is infeasible to
compute). Trap-door function is a difficult function that becomes easy if some extra
information is known. Our aim to find a trap-door one-way function, which is easy to
calculate in one direction and infeasible to calculate in the other direction unless certain
additional information is known.
Security of Public-key schemes:
 Like private key schemes brute force exhaustive search attack is always
theoretically possible. But keys used are too large (>512bits).
 Security relies on a large enough difference in difficulty between easy
(en/decrypt) and hard (cryptanalysis) problems. More generally the hard problem
is known, it’s just made too hard to do in practice.

51
  Requires the use of very large numbers, hence is slow compared to private key
schemes

Rsa Algorithm
RSA is the best known, and by far the most widely used general public key encryption
algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78].
Since that time RSA has reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption. The RSA scheme is a block cipher in
which the plaintext and the ciphertext are integers between 0 and n-1 for some fixed n and
typical size for n is 1024 bits (or 309 decimal digits). It is based on exponentiation in a finite
(Galois) field over integers modulo a prime, using large integers (eg. 1024 bits). Its security is
due to the cost of factoring large numbers. RSA involves a public-key and a private-key
where the public key is known to ll and is used to encrypt data or message. The data or
message which has been encrypted using a public key can only be decryted by using its
corresponding private-k y. Each user generates a key pair i.e. public and private key using the
following steps:
 each user selects two large primes at random - p, q
 compute their system modulus n=p.q
 calculate ø(n), where ø(n)=(p-1)(q- 1)
 selecting at random the encry tion key e, where 1<e<ø(n),and gcd(e,ø(n))=1
 solve following equation to find decryption key d: e.d=1 mod ø(n) and 0≤d≤n
 publish their public encr ption key: KU={e,n}
 keep secret private decryption key: KR={d,n}

Both the sender and receiver must know the values of n and e, and only the receiver knows
the value of d. Encryption and Decryption are done using the following equations. To encrypt
a message M the sender:
– obtains public key of recipient KU={e,n}
– computes: C=Me mod n, where 0≤M<n
To decrypt the ciphertext C the owner:
– uses their private key KR={d,n}
– computes: M=Cd mod n = (Me) d mod n = Med mod n

52
For this algorithm to be satisfactory, the following requirements are to be met.
a) Its possible to find values of e, d, n such that Med = M mod n for all M<n
b) It is relatively easy to calculate Me and C for all values of M < n.
c) It is impossible to determine d given e and n

The way RSA works is based on Number theory: Fermat’s little theorem: if p is
prime and a is positive integer not divisible by p, then ap-1 ≡ 1 mod p. Corollary: For any
positive integer a and prime p, ap ≡ a mod p.
Fermat’s theorem, as useful as will turn out to be does not provide us with integers d,e we
are looking for –Euler’s theorem (a refinement of Fermat’s) does. Euler’s function associates to
any positive integer n, a number φ(n): the number of positive integers smaller than n and
relatively prime to n. For example, φ(37) = 36 i.e. φ(p) = p-1 for any prime p. For any two
primes p,q, φ(pq)=(p-1)(q-1). Euler’s theorem: for any relatively prime integers a,n we have
aφ(n)≡1 mod n. Corollary: For ny integers a,n we have aφ(n)+1≡a mod n Corollary: Let p,q
be two odd primes and n=pq. Then: φ(n)=(p-1)(q-
1) For any integer m with 0<m<n, m(p-1)(q-1)+1 ≡ m mod n For any integers k,m with
0<m<n, mk(p-1)(q-1)+1 ≡ m mod n Euler’s theorem provides us the numbers d, e such that
Med=M mod n. We have to choose d,e such that ed=kφ(n)+1, or equivalently, d≡e-1mod φ(n)

An example of RSA can be given as,

Select primes: p=17 & q=11
Compute n = pq =17×11=187
Compute ø(n)=(p–1)(q-1)=16×10=160
Select e : gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23×7=161= 10×160+1
Publish public key KU={7,187}
Keep secret private key KR={23,187}
Now, given message M = 88 (nb. 88<187)
encryption: C = 887 mod 187 = 11
decryption: M = 1123 mod 187 = 88

53
Another example of RSA is given as,
Let p = 11, q = 13, e = 11, m = 7
n = pq i.e. n= 11*13 = 143
ø(n)= (p-1)(q-1) i.e. (11-1)(13-1) = 120
e.d=1 mod ø(n) i.e. 11d mod 120 = 1 i.e. (11*11) mod 120=1; so d
= 11 public key :{11,143} and private key: {11,143}
C=Me mod n, so ciphertext = 711mod143 = 727833 mod 143; i.e. C = 106
M=Cd mod n, plaintext = 10611 mod 143 = 1008 mod 143; i.e. M = 7

For RSA key generation,

Users of RSA must:
– Determine two primes at random - p, q

– select either e or d and compute the other

– means must be sufficiently large

– typically guess and use probabilistic test

Security of RSA
There are three main approaches of attacking RSA algorithm.
Brute force key search (infeasible given size of numbers) As explained before, involves
trying all possible private keys. Best defense is using large keys.
Mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N)
There are several approaches, all equivalent in effect to factoring the product of two primes.
Some of them are given as:

54
– factor N=p.q, hence find ø(N) and then d

– determine ø(N) directly and find d

– find d directly

The possible defense would be using large keys and also choosing large numbers for p and q,
which should differ only by a few bits and are also on the order of magnitude 10 75 to 10100.
And gcd (p-1, q-1) should be small.

Diffie-Hellman Key Exchange

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications

using a symmetric key cipherMedia.TheD-Hlgorithm depends for its effectiveness on the

difficulty of computing discrete logar thms.

First, a primitive root of a prime number p, can be fined as one whose powers generate all the
integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers, a mod
p, a2 mod p,..., ap-1 mod p, are distinct and consist of the integers from 1 through p 1 in some
permutation.
For any integer b and a primitive root a of prime number p, we can find a unique exponent

i such that .The exponent i is referred to as the discrete

logarithm of b for the base a, mod p. We express this value as dloga,p (b). The algorithm is
summarized below:

55
For this scheme, there are two publicly known numbers: a prime number q and an integer α
that is a primitive root of q. suppose the users A and B wish to exchange a key. User A
selects a random integer XA < q and computes YA = αXA mod q. Similarly, user B
independently selects a random integer XA < q and computes YB = αXB mod q. Each side
keeps the X value private and makes the Y value available publicly to the other side. User A
computes the key as K = (YB)XA mod q and user B computes the key as K = (YA)XB mod
q. These two calculations produce identical results.
Discrete Log Problem
The (discrete) exponentiation problem is as follows: Given a base a, an exponent b and a
modulus p, calculate c such that ab ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem is
fairly easy and can be calculated "quickly" using fast-exponentiation. The discrete log
problem is the inverse problem: Given a base a, a result c (0 ≤ c < p) and a modulus p,

56
Calculate the exponent b such that ab ≡ c (mod p). It turns out that no one has found a
quick way to solve this problem With DLP, if P had 300 digits, Xa and Xb have more than
100 digits, it would take longer than the life of the universe to crack the method.
Examples for D-H key distribution scheme:
1) Let p = 37 and g = 13.

Let Alice pick a = 10. Alice calculates 1310 (mod 37) which is 4 and sends that to Bob. Let Bob
pick b = 7. Bob calculates 137 (mod 37) which is 32 and sends that to Alice. (Note: 6 and 7 are
secret to Alice and Bob, respectively, but both 4 and 32 are known by all.)
10 (mod 37) which is 30, the secret key.

7 (mod 37) which is 30, the same secret key.

2) Let p = 47 and g = 5. Let Alice pick a = 18. Alice calculates 5 18 (mod 47) which is 2 and
sends that to Bob. Let Bob pick b = 22. Bob calculates 5 22 (mod 47) which is 28 and sends
that to Alice.
18 (mod 47) which is 24, the secret key.
22 (mod 47) which is 24, the same secret key

Man-in-the-Middle Attack on D-H Protocol

Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.

2. Alice transmits YA to Bob.

3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA) XD2mod q.

4. Bob receives YD1 and calculates K1 = (YD1)XE mod q.

5. Bob transmits XA to Alice.

6. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1 = (YB) XD1 mod q.

7. Alice receives YD2 and calculates K2 = (YD2)XA mod q.

57
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.

3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth
simply wants to eavesdrop on the communication without altering it. In the second case,
Darth wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants. This vulnerability can be overcome with the use of digital signatures and public-
key certificates.

Elliptic Curve Cryptography (Ecc)

Elliptic curve cryptography (ECC) is an approach to publ c-key cryptography based on the
algebraic structure of elliptic curves over finite fiel s. The use of elliptic curves in
cryptography was suggested independently by N al Koblitz and Victor S. Miller in 1985. The
principal attraction of ECC compared to RSA is that it appears to offer equal security for a far
smaller bitSkyupssize,therebyreducing the processing overhead.
Elliptic Curve over GF(p)
Let GF(p) be a finite field, > 3, and let a, b
4a3 + 27b2 ≡ 0 (mod p). An elliptic curve, E(a,b)(GF(p)),

is defined as the set of points (x,y) ᴄ GF(p) * GF(p) which satisfy the equation
y2 ≡ x3 + ax + b (mod p), together with a special point, O, called the point at infinity. Let P
and Q be two points on E(a,b)(GF(p)) and O is the point at infinity.
• P+O = O+P = P

• If P = (x1,y1) then -P = (x1 ,-y1) and P + (-P) = O.

• If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.

then P +Q = (x3 ,y3) where

x3 = ƛ 2 - x1 - x2
86

58
y3 = ƛ (x1 - x3) - y1 and
ƛ = (y2-y1)/(x2-x1) if P ≠ Q
ƛ = (3x12+a)/ 2y1 if P = Q
An elliptic curve may be defined over any finite field GF(q). For GF(2m), the curve has a
different form:- y2 + xy = x3 + ax2 + b, where b !=0.
Cryptography with Elliptic Curves
The addition operation in ECC is the counterpart of modular multiplication in RSA, and multiple
additions are the counterpart of modular exponentiation. To form a cryptographic system using
elliptic curves, some kind of hard problem such as discrete logarithm or factorization of prime
numbers is needed. Considering the equation, Q=kP, where Q,P are points in an elliptic curve, it
is “easy” to compute Q given k,P , but “hard” to find k given Q,P. This is known as the elliptic
curve logarithm problem. K could be so large as to make brute-force fail.

Pick a prime number p= 2180 and elliptic curve parameters and b for the equation
y2 ≡ x3 + ax + b (mod p) which defines the elliptic group of points Ep(a,b). Select generator
point G=(x1,y1) in Ep(a,b) uch that the smallest value for which nG=O
be a very large prime number. Ep(a,b) and G are parameters of the
ECC Key Exchange
cryptosystem known to all participants. The following steps take place:
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• Compute shared key: K=nA×PB, K=nB×PA {same since K=nA×nB×G }
ECC Encryption/Decryption As with key exchange system, an encryption/decryption
system requires a point G and and elliptic group Ep(a,b) as parameters. First thing to be done
is to encode the plaintext message m to be sent as an x-y point Pm. Each user chooses private
key nA<n and computes public key PA=nA×G. To encrypt and send a message to Pm to B, A
chooses a random positive integer k and produces the ciphertext Cm consisting of the pair of
points Cm={kG, Pm+kPb}. here, A uses B’s public key. To

59
decrypt the ciphertext, B multiplies the first point in the pair by B’s secret key and subtracts
the result from the second point Pm+kPb – nB(kG) = Pm+k(nBG) – nB(kG) = Pm A has
masked the message Pm by adding kPb to it. Nobody but A knows the value of k, so even
though Pb is a public key, nobody can remove the mask kPb. For an attacker to recover the
message, he has to compute k given G and kG, which is assumed hard.
Security of ECC To protect a 128 bit AES key it would take a RSA Key Size of 3072 bits
whereas an ECC Key Size of 256 bits.

Hence for similar security ECC offers significant computational advantages.

Applications of ECC:
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the power, storage and
computational power that is necessary for our current cryptosystems

Key Management
One of the major roles of public-key encryption has been to address the problem of key
distribution. Two distinct aspects to use of public key encryption are present.
 The distribution of public keys. 
 Use of public-key encryption to distribute secret keys. 

Distribution of Public Keys The most general schemes for distribution of public keys are
given below

60
Public Announcement Of Public Keys
Here any participant can send his or her public key to any other participant or broadcast the key to
the community at large. For example, many PGP users have adopted the practice of appending
their public key to messages that they send to public forums.

Though this approach seems convenient, it has a major drawback. Anyone can forge such a

public announcement. Some user could pretend to be user and send a public key to another

participant or broadcast such a public key. Until the time when A discovers about the forgery

and alerts other participants, the forger is able to read all encrypted messages intended for A

and can use the forged keys for authentication.

Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have to
be the responsibility of some trusted entity or organization. It includes the following
elements:
1. The authority maintains a directory with a {name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration would
have to be in person or by some form of secure authenticated communication.

61
 89

3. A participant may replace the existing key with a new one at any time, either because
of the desire to replace a public key that has already been used for a large amount of
data, or because the corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is
Mandatory. This scheme has still got some vulnerability. If an adversary succeeds in
obtaining or computing the private key of the directory authority, the adversary could
authoritatively a out counterfeit public keys and subsequently impersonate any participant
and eavesdrop on messages sent to any participant. Or else, the adversary may tam er
with the records kept by the authority.

Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory. This scenario assumes the
existence of a public authority (whoever that may be) that maintains a dynamic directory of
public keys of all users. The public authority has its own (private key, public key) that it is
using to communicate to users. Each participant reliably knows a public key for the authority,
with only the authority knowing the corresponding private key. For example, consider that
Alice and Bob wish to communicate with each other and the following steps take place and
are also shown in the figure below:

62
1.) Alice sends a timestamped message to the central authority with a request for Bob’s
public key (the time stamp is to mark the moment of the request)

2.) The authority sends back a message encrypted w th its private key (for authentication) –
message contains Bob’s public k y and the original message of Alice – this way Alice knows
this is not a reply to an old request;

3.) Alice starts the communication to Bob by sending him an encrypted message containing
her identity IDA and a nonce N 1 (to identify uniquely this transaction)

4.) Bob requests Alice’s public key in the same way (step 1)

5.) Bob acquires Alice’s public key in the same way as Alice did. (Step-2)

6.) Bob replies to Alice by sending an encrypted message with N1 plus a new generated
nonce N2 (to identify uniquely the transaction)

7.) Alice replies once more encrypting Bob’s nonce N2 to assure bob that its correspondent is
Alice
Thus, a total of seven messages are required. However, the initial four messages need be used
only infrequently because both A and B can save the other's public key for future use, a
technique known as caching. Periodically, a user should request fresh copies of the public
keys of its correspondents to ensure currency.

63
Public-Key Certificates
The above technique looks attractive, but still has some drawbacks. For any
communication between any two users, the central authority must be consulted by both users
to get the newest public keys i.e. the central authority must be online 24 hours/day. If the
central authority goes offline, all secure communications get to a halt. This clearly leads to an
undesirable bottleneck. A further improvement is to use certificates, which can be used to
exchange keys without contacting a public-key authority, in a way that is as reliable as if the
keys were obtained directly from a public-key authority. A certificate binds an identity to
public key, with all contents signed by a trusted Public-Key or Certificate Authority (CA). A
user can present his or her public key to the authority in a secure manner, and obtain a
certificate. The user can then publish the certificate. Anyone needed this user's public key can
obtain the certificate and verify that it is valid by way of the attached trusted signature. A
participant can also convey its key information to another by transmitting its certificate.
Other participants can verify that the certificate was created by the authority. This certificate
issuing scheme does have the following requirements:
1. Any participant can read a certificate to determine the n me and public key of the
certificate's owner.

2. Any participant can verify that the certificate originate from the certificate authority and is
not counterfeit.

3. Only the certificate authority can create and update certificates.

4. Any participant can verify the currency of the certificate.

64
Application must be in person or by some form of secure authenticated communication. For
participant A, the authority provides a certificate of the form
CA = E(PRauth, [T||IDA||PUa]) where PRauth is the private key used by the authority and T is
a timestamp. A may then pass this certificate on to any other participant, who reads and
verifies the certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) =
(T||IDA||PUa) The recipient uses the authority's public key, PUauth to decrypt the certificate.
Because the certificate is readable only using the authority's public key, this verifies that the
certificate came from the certificate authority. The elements IDA and PUa provide the
recipient with the name and public key of the certificate's holder. The timestamp T validates
the currency of the certificate. The timestamp counters the following scenario. A's private key
is learned by an adversary. A generates a new private/public key pair and applies to the
certificate authority for a new certificate. Meanwhile, the adversary replays the old certificate
to B. If B then encrypts messages using the compromised old public key, the adversary can re
d those messages. In this context, the compromise of a private key is comparable to the loss
of a credit card. The owner cancels the credit card number but is at risk until all possible
communicants are aware that the old credit card is obsolete. Thus, the timestamp serves as
something like an expiration date. If a certificate is sufficiently old, it is assumed to be
expired.
One scheme has becomeSkyupsuniversallyaccepted for formatting public-key certificates: the
X.509 standard. X.509 certificates are ed in most network security applications, including IP
security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME.
Secret Key Distribution With Confidentiality And Authentication

It is assumed that A and B have exchanged public keys by one of the schemes described earlier.
Then the following steps occur:

65
 1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA)
and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2) Because only B could have decrypted message (1),
the presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's
private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
The result is that this scheme ensures both confidentiality and authentication in the
exchange of a secret key.

Message Authentication
Message authentication is a procedure to verify that received messages come from the
alleged source and have not been altered. Message authentication may also verify sequencing
and timeliness. It is intended against the attacks like content modification, sequence
modification, timing modification and repudiation. For repudiation, concept of digital
signatures is used to counter it. There are three classes by which different types of functions
that may be used to produce an authenticator. They re:
 Message encryption–the ciphertext serves as auth nticator

 Message authentication code (MAC)–a public function of the message and a secret
key producing a fixed-length value to erve as authenticator. This does not provide a
digital signature because A and B share the same key.

 Hash function–a public function mapping an arbitrary length message into a fixed-
length hash value to serve as authenticator. This does not provide a digital signature
because there is no key.

MESSAGE ENCRYPTION:
Message encryption by itself can provide a measure of authentication. The analysis differs for
conventional and public-key encryption schemes. The message must have come from the
sender itself, because the ciphertext can be decrypted using his (secret or public) key. Also,
none of the bits in the message have been altered because an opponent does not know how to
manipulate the bits of the ciphertext to induce meaningful changes to the plaintext. Often one
needs alternative authentication schemes than just encrypting the message.
 Sometimes one needs to avoid encryption of full messages due to legal requirements.

66
 Encryption and authentication may be separated in the system architecture.

The different ways in which message encryption can provide authentication, confidentiality
in both symmetric and asymmetric encryption techniques is explained with the table below:

MESSAGE AUTHENTICATION CODE

An alternative authentication technique involves the use of a secret key to generate a
small fixed-size block of data, known as cryptographic checksum or MAC, which is
appended to the message. This technique assumes that both the communicating parties say A
and B share a common secret key K. When A has a message to send to B, it calculates MAC
as a function C of key and message given as: MAC=Ck(M) The message

67
and the MAC are transmitted to the intended recipient, who upon receiving performs the same
calculation on the received message, using the same secret key to generate a new MAC. The
received MAC is compared to the calculated MAC and only if they match, then:
1. The receiver is assured that the message has not been altered: Any alternations been done
the MAC’s do not match.
2. The receiver is assured that the message is from the alleged sender: No one except the
sender has the secret key and could prepare a message with a proper MAC.
3. If the message includes a sequence number, then receiver is assured of proper sequence as
an attacker cannot successfully alter the sequence number.
Basic uses of Message Authentication Code (MAC) are shown in the figure:

There are three different situations where use of a MAC is desirable:

 If a message is broadcast to several destinations in a network (such as a military control

center), then it is cheaper and more reliable to have just one node responsible to evaluate
the authenticity –message will be sent in plain with an attached authenticator.
 If one side has a heavy load, it cannot afford to decrypt all messages –it will just check

the authenticity of some randomly selected messages.

68
 Authentication of computer programs in plaintext is very attractive service as they need

not be decrypted every time wasting of processor resources. Integrity of the program can
always be checked by MAC.

MESSAGE AUTHENTICATION CODE BASED ON DES

The Data Authentication Algorithm, based on DES, has been one of the most widely used
MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and
an ANSI standard (X9.17). But, security weaknesses in this algorithm have been discovered
and it is being replaced by newer and stronger algorithms. The algorithm can be defined as
using the cipher block chaining (CBC) mode of operation of DES shown below with an
initialization vector of zero.

The data (e.g., message, record, file, or program) to be authenticated are grouped into
contiguous 64-bit blocks: D1, D2,..., DN. If necessary, the final block is padded on the right
with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and a secret
key, K, a data authentication code (DAC) is calculated as follows:

69
The DAC consists of either the entire block ON or the leftmost M bits of the block, with 16 ≤
M ≤ 64
Use of MAC needs a shared secret key between the communicating parties and also MAC
does not provide digital signature. The following table summarizes the confidentiality and
authentication implications of the approaches shown above.

HASH FUNCTION
A variation on the message authentication code is the one-way hash function. As with
the message authentication code, the hash function accepts a variable-size message M as
input and produces a fixed-size hash code H(M), sometimes called a message digest, as
output. The hash code is a function of all bits of the message and provides an error-detection
capability: A change to any bit or bits in the message results in a change to the hash code. A
variety of ways in which a hash code can be used to provide message authentication is shown
below and explained stepwise in the table.

70
71
 In cases where confidentiality is not required, methods b and c have an advantage over
those that encrypt the entire message in that less computation is required. Growing interest for
techniques that avoid encryption is due to reasons like, Encryption software is quite slow and
may be covered by patents. Also encryption hardware costs are not negligible and the algorithms
are subject to U.S export control. A fixed-length hash value h is generated by a function H that
takes as input a message of arbitrary length: h=H(M).
 A sends M and H(M)

 B authenticates the message by computing H(M) and checking the match

Requirements for a hash function: The purpose of a hash function is to produce a

“fingerprint” of a file, message, or other block of data. To be used for message
authentication, the hash function H must have the following properties
 H can be applied to a message of any size

 H produces fixed-length output

 Computationally easy to compute H(M) for any given M

72
  Computationally infeasible to find M such that H(M)=h, for a given h, referred to
as the one-way property
 Computationally infeasible to find M’ such that H(M’)=H(M), for a given M,
referred to as weak collision resistance.
 Computationally infeasible to find M,M’ with H(M)=H(M’) (to resist to birthday
attacks), referred to as strong collision resistance. 
Examples of simple hash functions are:
 Bit-by-bit XOR of plaintext blocks: h= D1⊕D2⊕…⊕DN

 Rotated XOR –before each addition the hash value is rotated to the left with 1 bit

 Cipher block chaining technique without a secret key.

MD5 MESSAGE DIGEST ALGORITHM

The MD5 message-digest algorithm was developed by Ron Rivest at MIT and it remained as
the most popular hash algorithm until recently. The algorithm takes as input, a message of
arbitrary length and produces as output, 128-bit message digest. The input is processed in
512-bit blocks. The processing consists of the following steps:
1.) Append Padding bits: The message is padded so that its length in bits is congruent to 448
modulo 512 i.e. the length of the padded message is 64 bits less than an integer multiple of 512
bits. Padding is always added, even if the message is already of the desired length. Padding
consists of a single 1-bit followed by the necessary number of 0-bits.
2.) Append length: A 64-bit representation of the length in bits of the original message
(before the padding) is appended to the result of step-1. If the length is larger than 264, the 64
least representative bits are taken.
3.) Initialize MD buffer: A 128-bit buffer is used to hold intermediate and final results of the
hash function. The buffer can be represented as four 32-bit registers (A, B, C, D) and are
initialized with A=0x01234567, B=0x89ABCDEF, C=0xFEDCBA98, D=0x76543210 i.e.
32-bit integers (hexadecimal values).

73
4.) Process Message in 512-bit (16-word) blocks : The h art of algorithm is the compression
function that consists of four rounds of processing and this module is labeled HMD5 in the above
figure and logic is illustrated in the following figure. The four rounds have a similar structure, but
each uses a different primitive logical function, referred to as F, G, H and I in the specification.
Each block takes as input the current 512-bit block being processed Yq and the 128-bit buffer
value ABCD and updates the contents of the buffer. Each round also makes use of one-fourth of a
64- element table T*1….64+, constructed
from the sine function. The ith element of T, denoted T[i], has the value equal to the integer
part of 232 * abs(sin(i)), where i is in radians. As the value of abs(sin(i)) is a value between 0
and 1, each element of T is an integer that can be represented in 32-bits and would eliminate
any regularities in the input data. The output of fourth round is added to the input to the first
round (CVq) to produce CVq+1. The addition is done independently for each of the four
words in the buffer with each of the corresponding words in CVq, using addition modulo 232.
This operation is shown in the figure below:

74
5.) Output: After all L 512-bit blocks have been proc ssed, the output from the Lth stage is
the 128- bit message digest. MD5 can be summarized as follows:
CV0 = IV CVq+1 = SUM32(CVq,RFIYqRFH[Yq,RF G[Yq,RFF[Yq,CVq]]]]) MD
= CVL Where,
IV = initial value of ABCD buffer, defined in step 3.
Yq = the qth 512-bit block of the message
L = the number of blocks in the message
CVq = chaining variable processed with the qth block of the message.
RFx = round function using primitive logical function x.
MD = final message digest value
SUM32 = Addition modulo 232 performed separately.
MD5 Compression Function:
Each round consists of a sequence of 16 steps operating on the buffer ABCD. Each step is of
the form, a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
where a, b, c, d refer to the four words of the buffer but used in varying permutations. After
16 steps, each word is updated 4 times. g(b,c,d) is a different nonlinear function in each
round (F,G,H,I). Elementary MD5 operation of a single step is shown below.

76
The primitive function g of the F,G,H,I is given as:

Where the logical operators (AND, OR, NOT, XOR) are represented by the symbols
(ᴧ,ᴠ, ~,(+)).
Each round mixes the buffer input with the next "word" of the message in a complex, non-
linear manner. A different non-linear function is used in each of the 4 rounds (but the same
function for all 16 steps in a round). The 4 buffer words (a,b,c,d) are rotated from step to step
so all are used and updated. g is one of the primitive functions F,G,H,I for the 4 rounds
respectively. X[k] is the kth 32-bit word in the current message block. T[i] is the ith entry in
the matrix of constants T. The addition of varying constants T and the use of different shifts
helps ensure it is extremely difficult to compute collisions. The array of 32-bit words
X[0..15] holds the value of current 512-bit input block being processed. Within a round, each
of the 16 words of X[i] is used exactly once, during one step. The order in which these words
is used varies from round to round. In the first round, the

77
words are used in their original order. For rounds 2 through 4, the following permutations are
used
 ƿ2(i) = (1 + 5i) mod 16

 ƿ3(i) = (5 + 3i) mod 16

 ƿ4(I) = 7i mod 16

MD4
 Precursor to MD5
 Design goals of MD4 (which are carried over to MD5)
 Security
 Speed
 Simplicity and compactness
 Favor little-endian architecture
 Main differences between MD5 and MD4
 A fourth round has been added.
 Each step now has a unique additive constant.
 The function g in round 2 was changed from (bc v bd v cd) to (bd v cd’) to make g
less symmetric.
 Each step now adds in the result of the previous step. This promotes a faster
"avalanche effect".
 The order in which input words are accessed in rounds 2 and 3 is changed, to
make these patterns less like each other.
 The shift amounts in each round have been approximately optimized, to yield a
faster "avalanche effect." The shifts in different rounds are distinct.

SECURE HASH ALGORITHM

The secure hash algorithm (SHA) was developed by the National Institute of Standards and
Technology (NIST). SHA-1 is the best established of the existing SHA hash functions, and is
employed in several widely used security applications and protocols. The algorithm takes as
input a message with a maximum length of less than 264 bits and produces as output a 160-
bit message digest.

78
The input is processed in 512-bit blocks. The overall processing of a message follows the
structure of MD5 with block length of 512 bits and hash length and chaining variable length
of 160 bits. The processing consists of following steps:
1.) Append Padding Bits: The message is padded so that length is congruent to 448 modulo
512; padding always added –one bit 1 followed by the necessary number of 0 bits.
2.) Append Length: a block of 64 bits containing the length of the original message is added.

3.) Initialize MD buffer:A160-bitbufferisued to hold intermediate and final results on the

hash function. This is formed by 32-bit registers A,B,C,D,E. Initial values: A=0x67452301,
B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=C3D2E1F0. Stores in big-endian
format i.e. the most significant bit in low address.
4.) Process message in bloc 512-bit (16-word) blocks: The processing of a single 512-bit
block is shown above. It consists of four rounds of processing of 20 steps each. These four
rounds have similar structure, but uses a different primitive logical function, which we refer
to as f1, f2, f3 and f4. Each round takes as input the current 512-bit block being processed
and the 160-bit buffer value ABCDE and updates the contents of the buffer. Each round also
makes use of four distinct additive constants Kt. The output of the fourth round i.e. eightieth
step is added to the input to the first round to produce CVq+1.
5.) Output: After all L 512-bit blocks have been processed, the output from the Lth stage is
the 160-bit message digest.

79
The behavior of SHA-1 is as follows: CV0 = IV CVq+1 = SUM32(CVq, ABCDEq) MD =
CVL Where, IV = initial value of ABCDE buffer ABCDEq = output of last round of
processing of qth message block L = number of blocks in the message SUM32 = Addition
modulo 232 MD = final message digest value.

SHA-1 Compression Function:

Each round has 20 steps which replaces the 5 buffer words. The logic present in each one of
the 80 rounds present is given as (A,B,C,D,E) <- (E + f(t,B,C,D) + S5(A)+ Wt+
Kt),A,S30(B),C,D Where, A, B, C, D, E = the five words of the buffer t = step number; 0< t
< 79 f(t,B,C,D) = primitive logical function for step t Sk = circular left shift of the 32-bit
argument by k bits Wt = a 32-bit word derived from current 512-bit input block. Kt = an
additive constant; four distinct values are used + = modulo addition.

80
SHA shares much in common with MD4/5, but with 20 instead of 16 steps in each of the 4
rounds. Note the 4 constants are based on sqrt(2,3,5,10).Note also that instead of just splitting the
input block into 32-bit words and using them d recently, SHA-1 shuffles and
mixes them using rotates & XOR’s to form more complex input, and greatly increases the
difficulty of finding collisions. A sequence of logical functions f0, f1,..., f79 is used in the SHA-
1. Each ft, 0<=t<=79, operates on three 32-bit words B, C, D and produces a 32-bit word as
output. ft(B,C,D) is defined as follows: for words B, C, D, ft(B,C,D) = (B AND C) OR
((NOT B) AND D) ( 0 <= t <= 19) ft(B,C,D) = B XOR C XOR D (20 <= t <= 39) ft(B,C,D)
= (B AND C) OR (B AND D) OR (C AND D) (40 <= t <= 59) ft(B,C,D) = B XOR C XOR
D (60 <= t <= 79).

HMAC
Interest in developing a MAC, derived from a cryptographic hash code has been increasing
mainly because hash functions are generally faster and are also not limited by export
restrictions unlike block ciphers. Additional reason also would be that the library code for
cryptographic hash functions is widely available. The original proposal is for incorporation of
a secret key into an existing hash algorithm and the approach that received most support is
HMAC. HMAC is specified as Internet standard RFC2104. It

81
makes use of the hash function on the given message. Any of MD5, SHA-1, RIPEMD-160
can be used.

HMAC Design Objectives

 To use, without modifications, available hash functions

 To allow for easy replaceability of the embedded hash function

 To preserve the original performance of the hash function

 To use and handle keys in a simple way

 To have a well understood cryptographic analysis of the strength of the MAC based on

reasonable assumptions on the embedded hash function

The first two objectives are very important for the acceptability of HMAC. HMAC treats the
hash function as a “black box”, which has two benefits. First is that an existing
implementation of the hash function can be used for implementing HMAC making the bulk
of HMAC code readily available without modificat on. Second is that if ever an existing hash
function is to be replaced, the existing hash funct on module is removed and new module is
dropped in. The last design obj ctive provides the main advantage of HMAC over other
proposed hash-based schemes. HMAC can be proven secure provided that the embedded
hash function has ome reasonable cryptographic strengths.
Steps involved in HMAC algorithm:
1. Append zeroes to the left end of K to create a b-bit string K+ (ex: If K is of length 160-bits
and b = 512, then K will be appended with 44 zero bytes).
2. XOR(bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Now apply H to the stream generated in step-3
5. XOR K+ with opad to produce the b-bit block S0.
6. Append the hash result from step-4 to S0.
7. Apply H to the stream generated in step-6 and output the result.

82
HMAC Algorithm

HMAC Structure

The XOR with ipad results in flipping one-half of the bits of K. Similarly, XOR with opad
results in flipping one-half of the bits of K, but different set of bits. By passing S i and S0
through the compression function of the hash algorithm, we have pseudorandomly generated
two keys from K.

83
HMAC should execute in approximately the same time as the embedded hash function for
long messages. HMAC adds three executions of the hash compression function (for S0, Si,
and the block produced from the inner hash)
A more efficient implementation is possible. Two quantities are precomputed.
f(IV, (K+
f(IV, (K+
where f is the compression function for the hash function which takes as arguments a chaining
variable of n bits and a block of b-bits and produces a chaining variable of n bits.

As shown in the above figure, the values are needed to be computed initially and every time a
key changes. The precomputed quantities substitute for the initial value (IV) in the hash
function. With this implementation, only one additional instance of the compression function
is added to the processing normally produced by the hash function. This implementation is
worthwhile if most of the messages for which a MAC is computed are short.
Security of HMAC:
The appeal of HMAC is that its designers have been able to prove an exact relationship
between the strength of the embedded hash function and the strength of HMAC. The

84
security of a MAC function is generally expressed in terms of the probability of successful
forgery with a given amount of time spent by the forger and a given number of message-
MAC pairs created with the same key. Have two classes of attacks on the embedded hash
function:
1. The attacker is able to compute an output of the compression function even with an IV that
is random, secret and unknown to the attacker.
2. The attacker finds collisions in the hash function even when the IV is random and secret.
These attacks are likely to be caused by brute force attack on key used which has work of
order 2n; or a birthday attack which requires work of order 2 (n/2) - but which requires the
attacker to observe 2n blocks of messages using the same key - very unlikely. So even MD5
is still secure for use in HMAC given these constraints.

CMAC
In cryptography, CMAC (Cipher-based Message Authentication Code) [1] is a block cipher-based
message authentication code algorithm. It may be used to provide assurance of the authenticity
and, hence, the integrity of binary data. This mode of operation fixes security deficiencies of
CBC-MAC (CBC-MAC is secure only for fixed-length messages).
The core of the CMAC algorithm is variation of CBC-MAC that Black and Rogaway
proposed and analyzed under the name XCBC[2] and submitted to NIST.[3] The XCBC
algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three
keys. Iwata and Kurosawa proposed an improvement of XCBC and named the resulting
algorithm One-Key CBC-MAC (OMAC) in their papers.[4][5] They later submitted
OMAC1[6], a refinement of OMAC, and additional security analysis. [7] The OMAC algorithm
reduces the amount of key material required for XCBC. CMAC is equivalent to OMAC1.

85
To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a
secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm
(this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let ≪ denote the
standard left-shift operator and ⊕denote exclusive or:

1. Calculate a temporary value k0 = Ek(0).

2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕C; where C is a certain constant
that depends only on b. (Specifically, C is the non-leading coefficients of the
lexicographically first irreducible degree-b binary polynomial with the minimal
number of ones.)
3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕C.
4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose b = 4, C = 00112, and k0 = Ek(0) = 01012. Then k1 = 10102 and k2
= 0100 ⊕0011 = 01112.

The CMAC tag generation process is as follows:

1. Divide message into b-bit blocks m = m1 ∥ ... ∥ mn−1 ∥ mn where m1, ..., mn−1 are
complete blocks. (The empty me age is treated as 1 incomplete block.)
2. If mn is a complete block then mn′ = k1 ⊕mn else mn′ = k2 ⊕(mn∥ 10...02).
3. Let c0 = 00…02.
4. For i = 1, ..., n-1, calculate ci = Ek(ci−1 ⊕mi).
5. cn = Ek(cn−1 ⊕mn′)
6. Output t = msbℓ(cn).

The verification process is as follows:

1. Use the above algorithm to generate the tag.

2. Check that the generated tag is equal to the received tag.

86