BCSE-309L: Cryptography

and Network Security

PREPARED BY
DR.L.MARY SHAMALA
SCOPE/VIT
Module 5: Message Authentication
Codes and Digital Signatures
▪ Message Authentication
o Message Authentication Requirements
o Message Authentication Functions
o Message Authentication Codes
o MACs Based on Hash Functions: HMAC
▪ Digital Signatures
o RSA Digital Signature
o Elgamal-based Digital Signature
o Digital Signature Standards

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 2
Message Authentication
Code

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 3
Network Attacks
Disclosure Sequence modification
▪ Release of message contents to any ◦ Any modification to a sequence of
person or process not possessing the messages between parties, including
appropriate cryptographic key insertion, deletion, and reordering
Traffic analysis Timing modification
▪ Discovery of the pattern of traffic ◦ Delay or replay of messages
between parties
Source repudiation
Masquerade ◦ Denial of transmission of message by
▪ Insertion of messages into the network source
from a fraudulent source
Destination repudiation
Content modification ◦ Denial of receipt of message by
▪ Changes to the contents of a message, destination
including insertion, deletion,
transposition, and modification

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 4
Message Authentication
▪ Message authentication is a procedure to verify that received
messages come from the alleged source and have not been altered.
▪ Message authentication may also verify sequencing and timeliness.
▪ More commonly, message authentication is achieved using a
message authentication code (MAC), also known as a keyed hash
function.

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 5
Message Authentication Functions
Two levels of functionality: ◦ Hash function
◦ A function that maps a message of
Lower level any length into a fixed-length hash
• There must be some sort of function value which serves as the
that produces an authenticator authenticator
◦ Message encryption
◦ The ciphertext of the entire
message serves as its authenticator
◦ Message authentication code
(MAC)
◦ A function of the message and a
Higher-level
secret key that produces a fixed-
• Uses the lower-level function as a length value that serves as the
primitive in an authentication protocol
that enables a receiver to verify the
authenticator
authenticity of a message VIT/SCOPE/BCSE-309L/CNS/MODULE 5 6
Basic Uses of
Message
Encryption

7
 Message Authentication Code (MAC)
▪ Also known as a keyed hash function
▪ Typically used between two parties that share a secret key to authenticate
information exchanged between those parties
A MAC function takes as input a secret key and a data block and produces a
hash value (MAC) which is associated with the protected message
• If the integrity of the message needs to be checked, the MAC function can
be applied to the message and the result compared with the associated
MAC value
• An attacker who alters the message will be unable to alter the associated
MAC value without knowledge of the secret key

© 2020 PEARSON EDUCATION, INC., HOBOKEN, NJ. ALL RIGHTS RESERVED.

Message Authentication Code
▪ A small fixed-length value that serves as the authenticator
▪ Generated from message + secret key
MAC = C(K,M)
▪ Appended to message when sent
▪ A MAC function is similar to encryption.
▪ One difference is that the MAC algorithm need not be reversible, as
it must be for decryption.
▪ It is a many-to-one function.

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 9
Basic Uses of
MAC
• MAC provides
authentication
• Can also use encryption
for secrecy
• Generally, use
separate keys for
each
• Can compute MAC
either before or after
encryption

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 10
Message Authentication Code…
▪ Why use a MAC?
o sometimes only authentication is needed
o sometimes need authentication to persist longer than the
encryption
▪ Note that a MAC is not a digital signature
• Does NOT provide non-repudiation

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 11
MAC requirements
▪ A MAC, also known as a cryptographic checksum, is generated by a function
MAC of the form
T = MAC(K, M)
where M is a variable-length message
K is a secret key shared only by sender and receiver
MAC(K, M) is the fixed-length authenticator, sometimes called a tag
▪ Assume that an opponent knows the MAC function but does not know K.
▪ Then the MAC function should satisfy the following requirements:
1. Knowing a message and MAC, is infeasible to find another message with
same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 12
Security of MACs
▪ Brute-Force Attack requires known message-tag pairs
o A brute-force method of finding a collision is to pick a random bit string y
and check if H(y) = H(x)

Two lines of attack:

• Attack the key space
• If an attacker can determine the MAC key, then it is
possible to generate a valid MAC value for any input x
• Attack the MAC value
• The objective is to generate a valid tag for a given
message or to find a message that matches a given tag

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 14
Security of MACs …
▪ Cryptanalytic attacks seek to exploit some property of the
algorithm to perform some attack other than an exhaustive search
▪ An ideal MAC algorithm will require a cryptanalytic effort greater
than or equal to the brute-force effort
▪ There is much more variety in the structure of MACs than in hash
functions, so it is difficult to generalize about the cryptanalysis of
MACs

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 16
MACs Based on Hash Functions: HMAC
▪ Want a MAC based on a hash function
o Hash functions execute faster in software than symmetric block
ciphers
o Library code for cryptographic hash functions is widely available
▪ Hash includes a key along with message
▪ Original proposal:
KeyedHash = Hash(Key|Message)
o some weaknesses were found with this
o Eventually led to the development of HMAC

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 17
HMAC Design Objectives
▪ RFC 2104 lists the following design objectives for HMAC:
1. Use the available hash functions without modifications
2. Allow for easy replacement of embedded hash function
3. Preserve original performance of hash function without
significant degradation
4. Use and handle keys in a simple way.
5. Have well understood cryptographic analysis of authentication
mechanism strength

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 19
HMAC
▪ HMAC has been chosen as the mandatory-to-implement
MAC for IP security
▪ Has also been issued as a NIST standard (FIPS 198)
▪ Uses hash function on the message
▪ Overhead is just 3 more hash block calculations than the
message needs alone
▪ Any hash function can be used
o Example: MD5, SHA-1, RIPEMD-160, Whirlpool

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 20
HMAC …
▪ H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
▪ IV = initial value input to hash function
▪ M = message input to HMAC (including the padding specified in the embedded
hash function)
▪ Yi = i th block of M, 0 ≤ i ≤ (L - 1)
▪ L = number of blocks in M
▪ b = number of bits in a block
▪ n = length of hash code produced by embedded hash function
▪ K = secret key; recommended length is ≥ n; if key length is greater than b, the
key is input to the hash function to produce an n-bit key
▪ K+ = K padded with zeros on the left so that the result is b bits in length

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 21
HMAC …
▪ ipad = 00110110 (36 in hexadecimal) repeated b/8 times
▪ opad = 01011100 (5C in hexadecimal) repeated b/8 times
▪ Then HMAC can be expressed as:
HMACK(M)= Hash[(K+ XOR opad)||
Hash[(K+ XOR ipad)|| M)]]
o where K+ is the key padded out to block size
ipad is a pad value of 36 hex repeated to fill block
opad is a pad value of 5C hex repeated to fill block
M is the message input to HMAC

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 22
HMAC Algorithm
1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is
of length 160 bits and b = 512, then K will be appended with 44
zeroes).
2. XOR (bitwise exclusive-OR) K + with ipad to produce the b-bit block Si
3. Append M to Si .
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block S0.
6. Append the hash result from step 4 to S0.
7. Apply H to the stream generated in step 6 and output the result.

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 23
HMAC Structure

24
Efficient
Implementation
of HMAC

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 25
Security of HMAC
▪ Depends in some way on the cryptographic strength of the
underlying hash function
▪ Appeal of HMAC is that its designers have been able to prove an
exact relationship between the strength of the embedded hash
function and the strength of HMAC
▪ Generally expressed in terms of the probability of successful forgery
with a given amount of time spent by the forger and a given
number of message-tag pairs created with the same key

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 26
Security of HMAC
▪ Proved security of HMAC relates to that of the underlying
hash algorithm
▪ Attacking HMAC requires either:
o brute force attack on key used
o birthday attack (very unlikely)
▪ Choose hash function used based on speed verses security
constraints

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 27
Digital
Signatures

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 29
Digital Signature
Model

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 30
Digital Signatures
▪ Message authentication does not address issues of lack of
trust
▪ Digital signatures provide the ability to:
verify author, date & time of signature
o
o authenticate message contents
o be verified by third parties to resolve disputes
▪ Digital signature includes authentication function with
additional capabilities → non-repudiation

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 31
Digital Signatures…
▪ A digital signature is a mathematical scheme for verifying
the authenticity of digital messages or documents
▪ Ensures non-repudiation.
▪ The hash value of a message is encrypted with a user's
private key→ Signing
▪ Anyone who knows the user's public key can verify the
integrity of the message that is associated with the digital
signature→ Verification

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 33
Digital Signature
Mechanism

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 34
Attacks
• C chooses a list
Known of messages Directed chosen • C may request
message before message attack from A
attack attempting to signatures of
break A’s • Similar to the messages
• C only that depend
• C is given signature generic attack,
knows A’s on previously
access to a scheme, except that the
public key obtained
set of independent of list of messages
messages A’s public key; C to be signed is message-
and their then obtains chosen after C signature
Key-only signatures from A valid knows A’s public pairs
attack signatures for key but before
the chosen any signatures
messages are seen
Adaptive
chosen
Generic chosen
message
message attack
attack

© 2020 PEARSON EDUCATION, INC., HOBOKEN, NJ. ALL RIGHTS RESERVED.

Forgeries
Universal Selective Existential
Total break
forgery forgery forgery
• C determines • C finds an • C forges a • C forges a
A’s private key efficient signature for signature for
signing a particular at least one
algorithm that message message; C
provides an chosen by C has no control
equivalent over the
way of message
constructing
signatures on
arbitrary
messages

© 2020 PEARSON EDUCATION, INC., HOBOKEN, NJ. ALL RIGHTS RESERVED.

Digital Signature Requirements
▪ The signature must be a bit pattern that depends on the message being signed
▪ The signature must use some information unique to the sender to prevent
both forgery and denial
o to prevent both forgery and denial
▪ It must be relatively easy to produce the digital signature
▪ It must be relatively easy to recognize & verify the digital signature
▪ It must be computationally infeasible to forge the digital signature
o with a new message for existing digital signature
o with fraudulent digital signature for a given message
▪ It must be practical to retain a copy of digital signature in storage

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 38
Direct Digital Signatures
▪ Involve the direct application of public-key algorithms involving only
the communicating parties.
▪ Assumes that the receiver knows the public key of the source.
▪ Digital signature is created by the sender encrypting the entire
message or hash with private-key
▪ Confidentiality can be provided by further encrypting the entire
message plus signature using either public or private key schemes
▪ Important to sign first then encrypt the message & signature
▪ Security depends on the sender’s private key

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 39
RSA Digital Signature Scheme

M′ ≡ M (mod n) → Se ≡ M (mod n) → Md × e ≡ M (mod n)

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 41
The RSA Signature on the Message Digest

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 42
Example
▪ Using the RSA scheme, let p = 11 , q=23, e = 3. Calculate
the private key d.
▪ Sign and verify a message M=111

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 43
Practice
▪ Given an RSA signature scheme with the public key (n =
9797,e = 131), which of the following signatures are valid?
1. x = 123,sig(x) = 6292
2. x = 4333,sig(x) = 4768

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 44
Elgamal Digital Signature Scheme
▪ Signature variant of ElGamal, related to D-H
o Uses exponentiation in a finite (Galois)
o Security based on the difficulty of computing discrete logarithms
▪ For a prime number q, if α is a primitive root of q, then
α, α2, …, αq-1
are distinct (mod q).
▪ It can be shown that, if α is a primitive root of q, then
1. For any integer m, α m  1 (mod q) if and only if m  0 (mod q - 1).
2. For any integers, i, j, αi  α j (mod q) if and only if i  j (mod q - 1).

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 46
ElGamal Digital Signature
▪ Uses private key for encryption (signing)
▪ Uses public key for decryption (verification)
▪ The global elements of ElGamal Digital Signature are:
o a prime number q in Zq*
o α, which is a primitive root of q

© 2020 PEARSON EDUCATION, INC., HOBOKEN, NJ. ALL RIGHTS RESERVED.

Elgamal Digital Signature Scheme…
1. Key Generation
o Each user generates a private/public key pair
o Generate a random integer xA such that 1 < xA < q-1
xA
o Compute yA = α mod q
Private key: xA
Public key: {q, α , yA}

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 48
Elgamal Digital Signature Scheme…
2. Signing
o To sign a message M
• Compute the hash m = H(M), 0 ≤ m ≤ (q-1)
• Choose random integer K such that 1≤K≤(q-1)and gcd(K,q-1)=1
K
• Compute temporary key/first signature: S1 = α mod q
• Compute K-1mod(q-1),the inverse of K mod(q-1)
• Compute the value: S2 = K-1(m-xAS1)mod(q-1)
o Signature consists of the pair (S1,S2)
o User A sends M, S1, and S2 to User B.

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 49
Elgamal Digital Signature
3. Verifying
o Any user B, receives M, S1, and S2 can verify the signature by
computing
m
• V1 = α mod q
• V2 = yAS1 S1S2 mod q
o Signature is valid if V1 = V2

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 50
ElGamal digital signature scheme…

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 51
ElGamal Signature Example
▪ Use field GF(19) q=19 and α =10
▪ Alice computes her key:
16
o A chooses xA=16 & computes yA=10 mod 19 = 4
▪ Alice signs message with hash m=14 as (3,4):
o choosing random K=5 which has gcd(18,5)=1
5
o computing S1 = 10 mod 19 = 3
o finding K-1 mod (q-1) = 5-1 mod 18 = 11
o computing S2 = 11(14-16.3) mod 18 = 4
▪ Any user B can verify the signature by computing
14
o V1 = 10 mod 19 = 16
o V2 = (43)(34)mod 19 = 5184 = 16 mod 19
▪ since 16 = 16 signature is valid

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 52
Practice
▪ Alice chooses p = 23, α = 7, XA = 6
▪ Compute the public key
▪ Alice wants to sign the document M, which has a value h(M) = 7.
She chooses K = 5. Use Elgamal Digital Signature.

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 53
Digital Signature Standard (DSS)
▪ US Government approved signature scheme
▪ Designed by NIST & NSA in the early 90’s
▪ Published by NIST as Federal Information Processing
Standard FIPS 186 in 1991
▪ Presents a new digital signature technique, the Digital
Signature Algorithm(DSA).
▪ Revised in 1993, 1996, 2000, 2009 & then 2013

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 57
NIST Digital Signature Algorithm
▪ Makes use of the Secure Hash Algorithm (SHA)
▪ DSS uses a Digital Signature Algorithm (DSA) based on the
ElGamal scheme with some ideas from the Schnorr scheme
▪ The latest version, FIPS 186-4, also incorporates digital
signature algorithms based on RSA and elliptic curve
cryptography

© 2020 PEARSON EDUCATION, INC., HOBOKEN, NJ. ALL RIGHTS RESERVED.

DSA vs RSA Signatures

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 59
Digital Signature Algorithm (DSA)
▪ Creates a 320-bit signature with 512-1024 bit security
▪ Smaller and faster than RSA
▪ DSA is a digital signature only unlike RSA which is a public-
key technique
▪ Security depends on the difficulty of computing discrete
logarithms
▪ Variant of ElGamal & Schnorr schemes

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 60
 ▪ Global public key values: p, q, g
▪ Choose 160-bit prime number q
▪ Choose a large prime p with 2L-1 < p <
2L
• where L= 512 to 1024 bits and is a multiple of 64
• such that q is a 160-bit prime divisor of (p-1)
DSA Key ▪ Choose g = h(p-1)/q where 1<h<p-1
Generation and h(p-1)/q mod p > 1
▪ Users choose private key & compute
public key:
▪ Choose random private key: XA<q
▪ Compute public key: YA = gxA mod p

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 61
DSA Signature Creation
▪ To sign a message M the sender:
1. Computes the hash value of the message as m=H(M)
2. Generates a random signature key k, k<q
o k must be random, be destroyed after use, and never be reused.
3. Then computes signature pair:
r = (gk mod p)mod q
s = [k-1(m + XA r)] mod q
4. Sends signature (r,s) with message M

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 62
DSA Signature Verification
▪ Having received M & signature (r,s)
▪ To verify a signature, the recipient computes:
◦ w = s-1 mod q
◦ u1= [mw]mod q
◦ u2= (rw)mod q
◦ v = [(gu1 YAu2)mod p ]mod q
▪ If v = r, then the signature is verified

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 63
DSA Signing and Verifying

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 65
Example
▪ The parameters of DSA are given by p = 59,q = 29, g = 3, and Bob’s
private key is x = 23. Show the process of signing (Bob) and
verification (Alice) for the hash value h(M) =17 and ephemeral keys
k=25

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 66
Practice
1) Using the DSS scheme, let q = 59, p = 709, and g = 14. Find values
for x and y. Choose k= 13. Find the value of r and s if h(M) = 100.
Verify the signature.
2) The parameters of DSA are given by p = 59,q = 29, g = 3, and Bob’s
private key is x = 23. Show the process of signing (Bob) and
verification (Alice) for the following hash values h(x) and
ephemeral keys k:
a. h(x) = 2,k = 13
b. h(x) = 21,k = 8

VIT/SCOPE/BCSE-309L/CNS/MODULE 5 67