Lecture6 Integrity

The document covers the concepts of confidentiality and integrity in information security, focusing on modern cryptography techniques such as block and stream ciphers, as well as hash functions. It explains how encryption and decryption work, the properties of various cryptographic algorithms like DES, AES, and the importance of hash functions in ensuring data integrity. Additionally, it discusses the challenges and considerations in designing secure cryptographic systems, including the need for resistance against various types of attacks.

Uploaded by

Jaideep Singh
Foundation of Information Security
Lecture-6: Confidentiality & Integrity
Today’s Content…

• Confidentiality
• Modern Cryptography
• Block Cipher
• Stream Cipher
• Integrity
• Hash Function
Confidentiality can be achieved using encryption/decryption

[Figure: Encryption and Decryption over a "Secure Network": the message "I love you" is encrypted (E), travels as unreadable ciphertext, and is decrypted (D) back into the message "I love you"]

E: Encryption - Charlie cannot see what is being sent over the channel
D: Decryption - Bob can successfully decrypt the message
Modern Cryptography

Symmetric Cipher: Block Cipher, Stream Cipher

Block Cipher
• Encrypts data in blocks
• Message P = P_1, P_2, …, P_n
• Each P_i is encrypted separately
[Figure: Plaintext (n bits) and Key (k bits) enter E, which outputs Ciphertext (n bits)]

• Popular block ciphers: DES, AES, RC5, Blowfish, FEAL etc.


Typical block size – 64-, 128-bits
Typical key size – 128, 192, 256-bits
Iterative Block Cipher
• Constructed by repeating a simple function
called the round function (F) multiple times
• Parameters
• No. of rounds
• Block size n
• Keysize k
• Idea is to make a strong encryption function out of a weaker round function (that is easy to implement) by repeatedly using it
• Iterated block cipher is represented as:
• E_k(·) = F_i(K_i, ·) ∘ F_{i−1}(K_{i−1}, ·) ∘ … ∘ F_1(K_1, ·)
Inside the Block Cipher
• Key Schedule algorithm (KSA)
• Round keys (K_i) are generated from the master secret key using KSA
• E.g., Master Key – 128 bits
Round keys – 64 bits
• For every subkey, the round function should
be invertible, otherwise decryption is not
possible
DES and Triple-DES
• Data Encryption Standard (DES), adopted in 1977, is the most widely used encryption scheme
- uses a 64-bit plaintext block and a 56-bit key to produce a 64-bit ciphertext block
• A key size of 56 bits is not sufficient (vulnerable to brute-force attacks)!

Triple DES (3DES)

• Repeats the basic DES algorithm three times using 2 or 3 unique keys
• Effective key length = 112 bits
• Much more secure, but much slower in software
Advanced Encryption Standard (AES)
• In 1997, NIST (National Institute of Standards and Technology) issued a call for a new proposal
• Security strength ≥ Triple DES
• Block length of 128 bits
• Meant as a better replacement for DES
• 2001: Rijndael selected as the winner
- Designed by Belgian researchers Joan Daemen and Vincent Rijmen
• Uses 128-bit data blocks and 128/192/256-bit keys
• Now widely available commercially
Advanced Encryption Standard (AES)
• None of the attacks breaks AES much better than brute force
• Except side-channel attacks (SCA)
• However, these are applicable to specific scenarios only
• Intel chips have special instruction sets for AES. These allow extremely efficient implementation and can resist many SCAs as well.
• Every famous cryptographic library used on the web has an implementation of AES in it.
• OpenSSL, cryptlib, Crypto++, etc.
Stream Ciphers
• Type of symmetric encryption in which input data is encrypted one bit
(sometimes one byte) at a time

BLOCK CIPHER vs. STREAM CIPHER

| # | Block Cipher | Stream Cipher |
|---|---|---|
| 1 | In one process cycle, a whole block of data (e.g., 128 bits) is encrypted together | In one process cycle, only a single bit of data (i.e., 1 bit) is encrypted |
| 2 | The same key is used to encrypt different blocks | A different key is used to encrypt each bit |
| 3 | Usually more complex and slower | Much simpler in design and faster |
| 4 | The same key can be used to encrypt one or more plaintexts | Different keys are used to encrypt more than one plaintext |
Stream Ciphers
• E.g., RC4, A5, SEAL etc.

• Encryption
𝑌𝑖 = 𝑋𝑖 ⊕ 𝑠𝑖
• Decryption
𝑋𝑖 = 𝑌𝑖 ⊕ 𝑠𝑖
• The keystream is denoted by the symbol “s”
How is the keystream generated ?
• Truly random keystream
• Generated by a true random number generator
• Keystream generated looks totally random
• Occurrence of equal no. of 0’s and 1’s
• Equal no. of 01, 11, 10, 00
• No distinguishable pattern etc.
• Examples of TRNGs – stem from random physical process
• Coin toss
• Timing of keystroke clicks, mouse movement
• Thermal noise
• Rolling of dice etc.
• But generating random keystream from such sources is very slow !!
Pseudorandom number generator (PRNG)
• PRNGs use computational algorithms that can produce long sequences of apparently random results
• Keystream "looks" random but is not random
• E.g., 001100010001011100110001000101110011000100010111 …….
• Looks random, but on a closer look the stream 0011000100010111 is repeating continuously
• The keystream has a period of 16, i.e., every 17th bit is the same
• We are interested in PRNGs that have a large period (e.g., period = 2^80)
• PRNGs generate keystreams that are deterministic
• Often, they are computed with a function.
Pseudorandom number generator (PRNG)
s_0 = seed
s_{i+1} = f(s_i)

• Seed is a short initial value (mostly generated by TRNGs)
• If the seed value is known, the entire seemingly random sequence can be reproduced
• The security of a PRNG depends on the seed (key) length
• Usually taken to be 128 bits or longer
[Figure: sender and receiver each run the PRNG from the same seed S_0 to produce the keystream S_i; the sender computes Y_i = X_i ⊕ S_i and the receiver recovers X_i = Y_i ⊕ S_i]
Design Considerations for Stream Ciphers
• A pseudorandom number generator uses a function that produces a
deterministic stream of bits that eventually repeats. The longer the period
of repeat the more difficult it will be to do cryptanalysis.
• The keystream should approximate the properties of a true random
number stream as close as possible. For example, there should be an
approximately equal number of 1s and 0s. If the keystream is treated as a
stream of bytes, then all of the 256 possible byte values should appear
approximately equally often. The more random-appearing the keystream
is, the more randomized the ciphertext is, making cryptanalysis more
difficult.
• The output of the pseudorandom number generator is conditioned on the
value of the input key. To guard against brute-force attacks, the key needs
to be sufficiently long. A key length of at least 128 bits is desirable.
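An added example (not part of the lecture) for the PRNG slides and the design considerations above: it measures the period of the slide's repeating keystream, runs the recurrence s_{i+1} = f(s_i) with Y_i = X_i ⊕ s_i, and checks the balance of 1s and 0s. The choice of SHA-256 for f and all function names are assumptions made for illustration; this is not a vetted cipher.

```python
import hashlib

# Keystream quoted on the slide above (a 16-bit pattern repeated three times).
SLIDE_KEYSTREAM = "001100010001011100110001000101110011000100010111"


def smallest_period(bits: str) -> int:
    """Smallest p with bits[i] == bits[i + p] for every valid i.

    Uses the KMP prefix function: if the longest proper border of the
    string has length fail[-1], the smallest period is n - fail[-1].
    """
    n = len(bits)
    if n == 0:
        raise ValueError("empty keystream")
    fail = [0] * n
    k = 0
    for i in range(1, n):
        while k and bits[i] != bits[k]:
            k = fail[k - 1]
        if bits[i] == bits[k]:
            k += 1
        fail[i] = k
    return n - fail[-1]


def keystream(seed: bytes, nbytes: int) -> bytes:
    """s_0 = seed, s_{i+1} = f(s_i); f is SHA-256 here (illustrative assumption).

    The output block is derived from the state with a different prefix than
    the state update, so keystream bytes do not reveal the next state.
    """
    state = seed
    out = bytearray()
    while len(out) < nbytes:
        out += hashlib.sha256(b"out" + state).digest()
        state = hashlib.sha256(b"next" + state).digest()
    return bytes(out[:nbytes])


def xor_stream(data: bytes, seed: bytes) -> bytes:
    """Y_i = X_i XOR s_i; applying it twice with the same seed decrypts."""
    ks = keystream(seed, len(data))
    return bytes(x ^ s for x, s in zip(data, ks))


def ones_fraction(stream: bytes) -> float:
    """Fraction of 1 bits; a good keystream stays close to 0.5."""
    ones = sum(bin(b).count("1") for b in stream)
    return ones / (8 * len(stream))


if __name__ == "__main__":
    print("period of slide keystream:", smallest_period(SLIDE_KEYSTREAM))
    seed = bytes(range(16))                  # constructed 128-bit seed
    ct = xor_stream(b"constructed sample message", seed)
    print("ciphertext:", ct.hex())
    print("decrypted :", xor_stream(ct, seed))
    print("ones fraction:", ones_fraction(keystream(seed, 4096)))
```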
CIA goals

• Confidentiality
• Integrity
• Availability
• Encryption does not protect data from modification by another party
• Need a way to ensure that data arrives at destination in its original
form as sent by the sender
• Ensured by hash functions and message authentication code
• And it is coming from an authenticated source
• Ensured by message authentication code
Hash Function
Properties of cryptographic hash function

Attack Complexity: 2^n, 2^n, 2^(n/2) (for the three properties below, in order)

A cryptographic hash function must be resistant to different types of attacks. The three
fundamental security properties related to hash functions are:

1. Preimage Resistance (One-Way Property)

Definition: Given a hash value h = H(x), it should be computationally infeasible to find the original input x.
(Given a hash, no one should be able to get the original input x.)

Why Important?
• Prevents attackers from reversing the hash function.

• Protects sensitive data like passwords (stored as hashes).

Example:

• Suppose SHA-256("password123") produces:


ef92b778bafe771e89245b89ecbc61b0d4d8b2839f4f1a1e97e2a83392cd7d9b

• An attacker should not be able to compute "password123" from this hash.

Real-World Attack:

• Brute-force attack: Try all possible inputs until a matching hash is found (very slow for
strong hash functions).

• Defense: Use salted hashes to make brute-force attacks harder.

2. Second Preimage Resistance

Definition: Given an input x_1 and its hash H(x_1), it should be computationally
infeasible to find another input x_2 such that:

H(x_1) = H(x_2)

(i.e., two different inputs should not produce the same hash.)
(Given a hash and its input, it should be computationally infeasible to find another input that produces the same hash.)

Why Important?

• Ensures data integrity—if a document’s hash is signed, an attacker should not be able to
replace it with another document having the same hash.

Example:

• Suppose a contract file A has hash H(A).

• An attacker should not be able to create a fraudulent document B with the same H(A).

Real-World Attack:

• If second preimage resistance is weak, an attacker can create different data with the same
hash, allowing fraudulent file replacements.
3. Collision Resistance

Definition: It should be computationally infeasible to find any two different inputs x_1
and x_2 such that:

H(x_1) = H(x_2)

(A collision occurs when two different inputs produce the same hash.)
(It should be computationally infeasible to find two inputs that produce the same hash.)

Why Important?
• Prevents fraudulent document substitution (digital signatures, certificates).

• Ensures unique file identification in security applications (blockchain, version control).

Example:

• If a hash function has a collision, an attacker could replace a legitimate transaction with a
fake one having the same hash.

Real-World Attack:

• MD5 and SHA-1 are broken because researchers have found collisions.

• SHA-256 is still secure against collision attacks.


Attack Example
• E.g., Passwords
• Do not store the passwords in cleartext on the
server
• Store the hash of the password
• Aim of the attacker is to find the original
password from the hashed data
Attack Example
Example
• Let us suppose Bob who works for Microsoft has a
binary code of Microsoft Windows security patch: b
• He is also able to get another binary b’ such that
h(b) = h(b’) and b’ is a malware
• Bob sends his security patch up the chain of
command, where they sign the code (by attaching
hash of b) and allow to ship the binary to Windows
users around the world to fix a flaw
• Bob can now contact and infect all windows
computers around the world with b’ and the
signature that Microsoft computed for b
Attack Example
• E.g., Digital Signature Forgery
• Prepare a contract and sign with its hash value
• Attacker should not get a collision for this contract
Question
• Let message m be denoted as m = m1 || m2
• Is the hash function h(m) = m1 ⊕ m2 a cryptographic hash function?
• Why or why not?
No, the hash function h(m) = m1 ⊕ m2 (where ⊕ denotes the bitwise XOR operation) is not a
cryptographic hash function. It violates several crucial properties required for cryptographic
security.

Here's why:

1. Collision Resistance: A cryptographic hash function should make it computationally
infeasible to find two different messages, m and m', such that h(m) = h(m'). This hash
function fails miserably in this regard. Given any message m = m1 || m2, you can easily create
a collision. Just flip any bits in m1 and make the corresponding changes in m2 to keep the
XOR result the same. For example, if m = 1011 || 0110, then h(m) = 1101. Now, m' = 0100 || 1001
also gives h(m') = 1101. Finding collisions is trivial.
2. Preimage Resistance: Given a hash value h, it should be computationally infeasible to find a
message m such that h(m) = h. This is also broken: if you're given a hash value h, you can
choose any m1 and then simply calculate m2 = m1 ⊕ h. Then m = m1 || m2 will hash to h.

3. Second Preimage Resistance: Given a message m1, it should be computationally infeasible to
find another message m2 ≠ m1 such that h(m1) = h(m2). This is also easily broken using the
same method as with collision resistance.
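The answer above, carried through in code as an added example (not part of the lecture). It reproduces the slide's 1011 || 0110 case, with each 4-bit half stored in one byte, and counts how many inputs map to one digest; the function names are hypothetical.

```python
from itertools import product


def xor_hash(m: bytes) -> bytes:
    """h(m) = m1 XOR m2, where m = m1 || m2 and both halves have equal length."""
    if len(m) % 2:
        raise ValueError("m must split into two equal halves m1 || m2")
    half = len(m) // 2
    return bytes(a ^ b for a, b in zip(m[:half], m[half:]))


def find_preimage(h: bytes, m1: bytes) -> bytes:
    """Preimage resistance fails: pick any m1, set m2 = m1 XOR h."""
    if len(m1) != len(h):
        raise ValueError("m1 must be as long as the digest")
    m2 = bytes(a ^ b for a, b in zip(m1, h))
    return m1 + m2


def find_second_preimage(m: bytes, delta: bytes) -> bytes:
    """Second-preimage and collision resistance fail: flipping the same
    bits (delta) in both halves leaves m1 XOR m2 unchanged."""
    half = len(m) // 2
    if len(m) % 2 or len(delta) != half or not any(delta):
        raise ValueError("delta must be non-zero and as long as one half")
    m1 = bytes(a ^ d for a, d in zip(m[:half], delta))
    m2 = bytes(a ^ d for a, d in zip(m[half:], delta))
    return m1 + m2


def count_preimages_4bit(h: int) -> int:
    """Exhaustively count 4-bit pairs (m1, m2) with m1 XOR m2 == h."""
    return sum(1 for m1, m2 in product(range(16), repeat=2) if m1 ^ m2 == h)


if __name__ == "__main__":
    m = bytes([0b1011, 0b0110])            # the slide's example message
    print("h(m)  =", format(xor_hash(m)[0], "04b"))
    m_alt = find_second_preimage(m, bytes([0b1111]))
    print("m'    =", [format(b, "04b") for b in m_alt])
    print("h(m') =", format(xor_hash(m_alt)[0], "04b"))
    print("inputs hashing to 1101:", count_preimages_4bit(0b1101))
```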
How to construct hash functions ?
2 types:
1. Iterated hash functions
2. Block Cipher based Hash Function
Iterated Hash Function
• Consider a compression function f
compress: {0,1}^(n+d) → {0,1}^n
• Repeatedly iterate the compression function to construct a hash function
• Divide the message into multiple blocks x_1, x_2, …, x_t
• Size of each x_i = d bits
• Iterate block by block using a compression function f and a final transformation g
[Figure: starting from IV, f absorbs x_1, x_2, x_3, x_4 in turn, producing the values H_1, H_2, H_3, H_4; g maps H_4 to the hash h]
Iterated Hash Function
• Such a construction is also called the Merkle-Damgård construction
• Mathematical Representation
• Let M = x_1, x_2, …, x_t
• Then,
H_0 = IV
H_i = f(H_{i−1}, x_i), for 1 ≤ i ≤ t
h(x) = g(H_t)
• Each H_i is called a chaining variable
Iterated Hash Function
• For a given hash function, the IV once chosen should remain fixed
• Means for different messages, the IV doesn't change; in fact the same IV is always used
• Otherwise, if each message has a different IV, a second preimage attack is possible
• H(IV, x1||x2||x3||x4) = H(H1, x2||x3||x4)
• Can we find a second preimage corresponding to this hash value 'h'?
• For the second message, choose IV as H1 and construct a valid preimage
[Figure: two chains ending in the same h. The first starts at IV and absorbs x_1, x_2, x_3, x_4; the second starts at H_1 and absorbs x_2, x_3, x_4]
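An added example (not part of the lecture) of why the IV must stay fixed: it implements the iteration H_i = f(H_{i−1}, x_i) and shows that, when the IV is a free input, (H_1, x2||x3||x4) hashes to the same value as (IV, x1||x2||x3||x4). The compression function built from truncated SHA-256, the identity g, and all names are assumptions for illustration.

```python
import hashlib

N = 16  # chaining value size in bytes (n = 128 bits), illustrative
D = 16  # message block size in bytes (d = 128 bits), illustrative


def f(h_prev: bytes, block: bytes) -> bytes:
    """Toy compression function {0,1}^(n+d) -> {0,1}^n (truncated SHA-256)."""
    if len(h_prev) != N or len(block) != D:
        raise ValueError("wrong chaining value or block size")
    return hashlib.sha256(h_prev + block).digest()[:N]


def g(h_t: bytes) -> bytes:
    """Final transformation; the identity in this sketch."""
    return h_t


def iterated_hash(iv: bytes, blocks: list) -> bytes:
    """H_0 = IV, H_i = f(H_{i-1}, x_i), h = g(H_t). No padding is applied."""
    h = iv
    for x in blocks:
        h = f(h, x)
    return g(h)


FIXED_IV = bytes(N)  # the one IV a well-defined hash function always uses


def hash_fixed_iv(blocks: list) -> bytes:
    return iterated_hash(FIXED_IV, blocks)


def second_preimage_with_free_iv(iv: bytes, blocks: list):
    """If the IV is chosen per message, drop x_1 and start from H_1 instead."""
    h1 = f(iv, blocks[0])
    return h1, blocks[1:]


if __name__ == "__main__":
    # Constructed four-block message x1 || x2 || x3 || x4.
    blocks = [bytes([i]) * D for i in (1, 2, 3, 4)]
    target = iterated_hash(FIXED_IV, blocks)
    iv2, blocks2 = second_preimage_with_free_iv(FIXED_IV, blocks)
    print("original :", target.hex())
    print("free IV  :", iterated_hash(iv2, blocks2).hex())   # same digest
    print("fixed IV :", hash_fixed_iv(blocks2).hex())        # different digest
```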
Popular Hash Function
Hash Function: Current Standard
• SHA-1: Output length = 160 bits; can resist birthday attacks for now.
• No mathematical proof for its collision resistance.
• In 2004, a collision for a 58-round SHA-1 was found.
• In 2017, Google researchers announced a practical collision for SHA-1:
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html?m=1
• The new SHA standard, called the SHA-2 family, includes:
• SHA-256, SHA-384, SHA-512
• SHA-3 (Keccak) is the standard announced in 2012.
Properties of Message Authentication Codes
• Cryptographic checksum: A MAC generates a cryptographically secure
authentication tag for a given message.
• Symmetric: MACs are based on secret symmetric keys. The signing and
verifying parties must share a secret key.
• Arbitrary message size: MACs accept messages of arbitrary length.
• Fixed output length: MACs generate fixed-size authentication tags.
• Message integrity: MACs provide message integrity. Any manipulations
of a message during transit will be detected by the receiver.
• Message authentication: The receiving party is assured of the origin of
the message.
Message Authentication Code
• A symmetric key primitive that provides
• Data integrity
• Message Authentication (or Sender Authentication)
• Keyed hash function
A Message Authentication Code (MAC) is a cryptographic checksum or tag
that's used to provide both data integrity and authentication of a message.
Think of it as a special kind of digital signature, but with some key
differences.

Remember MAC uses a secret key


Message Authentication Code
• Setting (interested only in message authentication, not confidentiality):
• Alice and Bob decide upon a secret key k
Sender:
• Alice chooses a message M and computes t = MAC_k(M)
• Alice sends M || t
Receiver:
• Bob receives M' || t
• He takes M' and computes t' = MAC_k(M')
• If t == t'
• Bob knows M = M', i.e., the message has not been modified in transit (data integrity)
• Bob knows the message is from Alice only, as only Alice knows the secret key to calculate the correct MAC (sender authentication)
Properties of MAC
(MAC does not provide confidentiality and non-repudiation, but it provides integrity and authentication; authentication by the fact that the key is secret.)

1. Accepts arbitrary input length
2. Produces fixed length output
3. Message Authentication
• Bob is certain that Alice sent him the message
4. Message integrity
• Manipulations in transit will be detected by Bob
5. Non-repudiation is not provided
• E.g., let's suppose Bob digitally signs a contract by appending the MAC of the contract to the contract. Later, if he denies signing the contract, Alice cannot challenge Bob in court because Alice can also generate exactly the same signature (MAC of the contract). So, Bob can always claim that Alice forged Bob's signature
• Digital signatures using public key cryptography solve the issue of non-repudiation
Security of MAC
Desired security property of a MAC algorithm:
• Computation resistance: Given one or more text-MAC pairs [x_i, MAC(K, x_i)], it is computationally infeasible to compute any text-MAC pair [x, MAC(K, x)] for any new input x ≠ x_i.
• The level of effort for brute-force attack on a MAC algorithm can be expressed as:
min(2^k, 2^n) ≥ 128 bits
where k is the key length and n the tag length.
Some MAC constructions
• Based on block ciphers
• CBC-MAC
• CMAC

• Based on hash functions


• NMAC
• HMAC
Why Hash Functions for MAC?
• Why not encryption?
• Hashing is faster than encryption
• Library code for hash functions widely available
• Can easily replace one hash function with another
• There used to be US export restrictions on encryption
MAC constructions based on hash functions
NMAC
• Known as Nested MACs
• NMAC_{k1,k2}(x) = H_{k1}(H_{k2}(x))
• Limitation: 2 different keys need to be used
HMAC
(Type of MAC, provides integrity and authentication)
• The most popular variant of NMAC and widely adopted in practice
• Internal hash functions used – SHA-1 or MD5
• Basic layout
• t = H(k || H(k || x))

Reference this video: https://youtu.be/VhmSk57yjYI?si=qEgUM31PpknEzuZ0



HMAC
• Basic layout
• t = H(k || H(k || x))
• Actual layout
• t = h((k ⊕ opad) || h((k ⊕ ipad) || x))
HMAC
• The symmetric key k is first expanded with zeros on the left such that the result k^+ is b bits in length, where b is the input block width of the hash function
• ipad = 00110110 (36 in hexadecimal) repeated b/8 times
• The expanded key is XORed with the inner pad to form the first input block to the hash function (S_i)
• The subsequent input blocks are the message blocks x_1, x_2, …, x_n
HMAC
• For the second outer hash, the key is again
expanded with zeros and then XORed with the
outer pad
• opad = 01011100 (5C in hexadecimal) repeated
b/8 times
• The result of the XOR operation forms the first input block for the outer hash (S_o)
• The other input is the output of the inner hash
• After the outer hash has been computed, its
output is the message authentication code of x
HMAC
• In terms of computational efficiency, the
message x, which can be very long, is only
hashed once in the inner hash function
• The outer hash consists of merely two blocks,
namely the padded key and the inner hash
output
• Thus, the computational overhead introduced
through the HMAC construction is very low
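An added example (not part of the lecture) that builds HMAC step by step as in the slides above, checks it against Python's standard hmac module, and runs the Alice/Bob MAC exchange from the earlier slide. It assumes SHA-256 as the default inner hash and pads the key with zeros on the right, as RFC 2104 and the hmac module do; the function names are hypothetical.

```python
import hashlib
import hmac

IPAD = 0x36  # 00110110
OPAD = 0x5C  # 01011100


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """t = h((k+ XOR opad) || h((k+ XOR ipad) || x))."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size    # input block width in bytes
    if len(key) > b:                         # RFC 2104: hash over-long keys first
        key = h(key)
    k_plus = key.ljust(b, b"\x00")           # expand key to b bytes with zeros
    s_i = bytes(x ^ IPAD for x in k_plus)    # first block of the inner hash
    s_o = bytes(x ^ OPAD for x in k_plus)    # first block of the outer hash
    inner = h(s_i + msg)                     # the long message is hashed once
    return h(s_o + inner)                    # outer hash: key block + inner digest


def alice_send(key: bytes, message: bytes):
    """Sender: compute t = MAC_k(M) and send M || t (returned as a pair)."""
    return message, hmac_manual(key, message)


def bob_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: recompute t' = MAC_k(M') and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message), tag)


if __name__ == "__main__":
    key = b"constructed shared key"          # constructed sample values
    msg = b"transfer 100 to Bob"
    m, t = alice_send(key, msg)
    print("tag             :", t.hex())
    print("matches hmac lib:", t == hmac.new(key, msg, hashlib.sha256).digest())
    print("intact message  :", bob_verify(key, m, t))
    print("modified message:", bob_verify(key, b"transfer 900 to Bob", t))
```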
Message Authentication Codes
(This method also provides non-repudiation)
Methods Explained:
(a) Using Symmetric Encryption:
1. Hash Generation: Source A computes the hash (H) of the message using the hash
function.
2. Encryption: Source A encrypts the hash value using symmetric encryption with the
shared secret key (K). This combines confidentiality and integrity into one step.
3. Transmission: The encrypted hash is appended to the original message, and both are
sent to Destination B.
4. Decryption: Destination B decrypts the encrypted hash using the same secret key (K),
obtaining the original hash value.
5. Hash Computation: Destination B independently computes the hash of the received
message using the same hash function (H).
6. Comparison: Destination B compares the decrypted hash with the computed hash. If
they match, the message is considered authentic and untampered with.

(b) Using Public-Key Encryption:


1. Hash Generation: Source A computes the hash (H) of the message using the hash
function.
2. Encryption with Private Key: Source A encrypts the hash value using their private key
(PR). This creates a digital signature.
3. Transmission: The encrypted hash (digital signature) is appended to the original
message and sent to Destination B.
4. Decryption with Public Key: Destination B decrypts the encrypted hash using Source
A's public key (PU), obtaining the original hash value.
5. Hash Computation: Destination B independently computes the hash of the received
message using the same hash function (H).
6. Comparison: Destination B compares the decrypted hash with the computed hash. If
they match, the message is considered authentic and untampered with, and Source A is
verified as the sender (due to the use of their private key).

(c) Using Secret Value:


1. Secret Value Sharing: Source A and Destination B share a secret value (K) through a
secure channel before communication begins.
2. Hash Generation with Secret Value: Source A concatenates the message with the
secret value (K) and computes the hash (H) of this combined data. This binds the secret
value to the message.
3. Transmission: The computed hash is appended to the original message and sent to
Destination B.
4. Hash Computation with Secret Value: Destination B, knowing the secret value (K),
concatenates it with the received message and computes the hash using the same hash
function (H).
5. Comparison: Destination B compares the received hash with the computed hash. If
they match, the message is considered authentic and untampered with, as only someone
knowing the secret value could generate the correct hash.
