
Is Unit 3 PPT - Part 1


Department of CSE

III Year B.Tech. II-Sem


Regulation: R18
Subject: Information Security (18PE0CS2C)

Prepared By:
Dr.B.Veeramallu
Dept. of CSE ,GNITC

By Arun Singh Kaurav-Asst. Professor- CSE


Unit 3 contents
• Message Authentication Algorithms and Hash Functions:
• Authentication requirements,
• Functions,
• Message Authentication Codes (MAC)
• Hash function algorithms,
— SHA-1, Whirlpool, HMAC, CMAC
• Digital Signatures,
• Knapsack algorithms.
• Authentication Applications:
— Kerberos,
— X.509 Authentication Service,
— Public-Key Infrastructure,
— Biometric Authentication.
Message Authentication
• Message authentication is the mechanism or service used to verify the integrity of a message.
• Message authentication is concerned with the following:
– Protecting the integrity of a message.
– Validating the identity of the originator.
– Non-repudiation of origin (dispute resolution).
– It assures that the message is received exactly as sent (without any modification, insertion, deletion or replay).
– It also assures that the identity of the sender is valid.


Message Authentication Requirements
• During communication across a network, the following attacks can be identified:
• Disclosure: Release of message contents to any person.
• Traffic analysis: Discovery of the pattern of traffic between parties, i.e. the frequency, duration, number and length of messages can be determined.
• Masquerade: Insertion of messages into the network from a fraudulent source.
• Content modification: Changes to the contents of a message, including insertion, deletion, transposition and modification.
Message Authentication Requirements
• Sequence modification: Any modification to a sequence of messages.
• Timing modification: Delay or replay of messages.
• Source repudiation: Denial of transmission of a message by the source.
• Destination repudiation: Denial of receipt of a message by the destination.
Measures to deal with the first two attacks are regarded as message confidentiality.
Measures to deal with the next four attacks are regarded as message authentication.
The second-last attack comes under digital signatures.
The last attack may require a combination of digital signatures and a protocol designed to counter it.
In summary, message authentication is a procedure to verify that received messages come from the original source and have not been altered.
It also verifies sequencing and timeliness.


Message Authentication functions
(Approaches of Message Authentication):
• Any message authentication mechanism has two levels of functions.
• At the lower level, a function produces an authenticator.
• At the higher level, the authentication protocol enables the receiver to verify the authenticity of a message.
• First, the following are the functions that produce an authenticator.
• They are grouped in three classes:
1. Message Encryption
2. Message Authentication Code (MAC)
3. Hash function
Message Encryption approach for message authentication
Encryption itself can also provide authentication.
• Symmetric Encryption:
• If symmetric encryption is used, message M is transmitted from source A to B, encrypted using a secret (symmetric) key shared by A and B.
• If no other party knows the key, then confidentiality is provided.
• Receiver B is also sure that the message was generated by A, because the secret key is used only by A and B, so authenticity is provided.
• B knows that the message has not been altered, because an attacker does not know the key needed to alter the message.
• So we may say that symmetric encryption provides authentication and confidentiality.
Public-Key Encryption
If public-key encryption is used:
– Public-key encryption provides confidentiality but not authentication.
– Source A uses the public key of B to encrypt message M.
– Since B has its private key, only B can decrypt the message.
– There is no authentication, because any attacker can use the public key of B to encrypt a message and claim to be A.
– To provide authentication, A uses its private key to encrypt and B uses A’s public key to decrypt.
– This provides authentication that the message has come from A, because A is the only party that has its private key.
– And A is the only party that can produce the ciphertext.
– It also provides a digital signature, as A has signed the message by using its private key to encrypt.
• Note that it does not provide confidentiality, as anyone having A’s public key can decrypt the ciphertext.
So, to provide both confidentiality and authentication, A can encrypt message M first using its private key, which provides authentication or a digital signature, and then encrypt using B’s public key, which provides confidentiality.
Now B can decrypt using its own private key, and then the public key of A.
The disadvantage of this is that the algorithm must be exercised four times rather than two times.
Message Authentication Code (MAC)
• An alternative authentication technique.
• Involves the use of a secret key.
• It takes a variable-length message and a secret key and generates a small fixed-size block.
• This block of data is called a cryptographic checksum or MAC, and it is appended to the message.
• Assumes two communicating parties A and B share a common secret key K.
• When A has to send a message to B, it calculates the MAC as a function of the message and the key:
• MAC = C(K,M)
• The message plus MAC is sent to the receiver.
• The receiver performs the same computation on the message using the same secret key and generates a new MAC.
• The received MAC is then compared with the calculated MAC.
• If the received MAC matches the calculated MAC, then:
1. The receiver is assured that the message is unaltered.
2. The receiver is assured that the message comes from the original sender.
3. If the message includes a sequence number, the receiver is also assured of the proper sequence.
• The MAC depends on the message and a key.
• It is like encryption, with one difference: the MAC algorithm need not be reversible, as it must be for decryption.
• So far, it provides authentication but not confidentiality.
• Confidentiality can be provided by performing message encryption either after or before the MAC algorithm.
• In both cases, two separate keys are needed, shared by sender and receiver.
• It is mostly preferable to tie the authentication directly to the plaintext, so the method of figure (b) is used.
MAC
• A MAC is also known as a cryptographic checksum.
• It is generated by a function C:
MAC = C(K,M)
– where M is a variable-length message,
– K is a secret key shared by sender and receiver,
– C(K,M) is the fixed-length authenticator, sometimes called a tag.
– The tag is appended to the message at the source and sent.
– The receiver authenticates the message by re-computing and comparing the tag.
MAC Properties
• Applications of MAC:
• Applications in which the same message is broadcast to a number of destinations, such as notifications or a military control center.
• Exchanges in which one side has a heavy load and cannot afford the time to decrypt all the incoming messages.
• Applications in which secrecy is not a concern but authentication is important, such as SNMP.
• As shown, the MAC provides authentication.
• Encryption can also be used for secrecy:
– generally use separate keys for each
– can compute the MAC either before or after encryption
– is generally regarded as better done before
• Why use a MAC?
– sometimes only authentication is needed
– sometimes authentication needs to persist longer than the encryption (e.g. archival use)
• Note that a MAC is not a digital signature.
Requirements for MACs
• Consider the following MAC algorithm. Let M = (X1 || X2 || … || Xm) be a message that is treated as a concatenation of 64-bit blocks Xi.
• Then ΔM = (X1 xor X2 xor … xor Xm)
• MAC(K,M) = E(K, ΔM)
• Here xor is the XOR operation and the encryption algorithm is DES in electronic codebook mode.
• Key length = 56 bits, tag length = 64 bits; an attacker needs 2^56 encryptions.
A MAC should satisfy the following:
1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.
HMAC (MAC based on hash functions)
• HMAC stands for Hash-based Message Authentication Code.
• The implementation of HMAC is more complex than a nested MAC, with additional features such as padding.
• Traditionally, a MAC is constructed from a symmetric block cipher.
• In recent years, MACs have been derived from cryptographic hash functions, for the following reasons:
• Hash algorithms such as MD5 and SHA are generally faster than DES or AES.
• Cryptographic hash function code is widely available.
• HMAC is issued as a NIST standard (FIPS 198) and published in RFC 2104.
• HMAC is chosen as the mandatory-to-implement MAC for IP security and is used in other protocols such as SSL.
HMAC (MAC based on hash functions)
• HMAC design objectives:
• To use available hash functions without modification.
• To allow easy replaceability of the hash function in case faster or more secure hash functions are required.
• To preserve the original performance of the hash function without degradation.
• To have a well-understood cryptographic analysis of the authentication mechanism.
HMAC structure
• The figure shows the overall operation of HMAC:
• H = embedded hash function (MD5, SHA-1)
• IV = initial value input to the hash function
• M = message input to HMAC (including the padding specified in the hash function)
• Yi = ith block of M, 0 <= i <= (L-1)
• L = number of blocks in M
• b = number of bits in a block
• n = length of the hash code produced by the hash function
• K = secret key; recommended length >= n; if the key length is greater than b, the key is input to the hash function to produce an n-bit key
• K+ = secret key K padded with zeros on the left so that the resulting key is b bits long
• ipad (input pad) = 00110110 (36 in hexadecimal) repeated b/8 times
• opad (output pad) = 01011100 (5C in hexadecimal) repeated b/8 times
• HMAC(K,M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]


HMAC Algorithm :
• The HMAC algorithm is expressed as:
• HMAC(K,M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
• The steps are described as follows:
• 1. The message is divided into L blocks, each of b bits.
• 2. Append 0’s to the left end of the secret key K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512, then K will be appended with 44 0’s in hexadecimal form).
• 3. The result of step 2, i.e. K+, is XORed (bitwise XOR) with a constant called ipad (input pad) to produce the b-bit block Si.
HMAC Algorithm :
• 5. Apply hash function H to the stream generated in step 4 to produce an n-bit hash code, called the intermediate HMAC, H(Si || M).
• 6. The intermediate n-bit HMAC is left-padded with 0’s to make a b-bit block.
• 7. XOR K+ with opad to produce the b-bit block So.
• 8. The result of step 6 is appended to the block of step 7.
• 9. Apply the hash function H, with the same hashing algorithm, to the result of step 8 to create the final n-bit HMAC.
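The HMAC formula above, together with the receiver-side check from the MAC slides (recompute, compare, check the sequence number), as an added example that is not part of the original slides. The frame layout, function names and demo key are assumptions of this example; K+ is formed as RFC 2104 specifies, with the zero bytes placed after the key.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # ipad and opad bytes, each repeated b/8 times


def hmac_by_steps(key, message, hash_name="sha1"):
    """HMAC(K,M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] from a plain hash."""
    def H(data):
        return hashlib.new(hash_name, data).digest()

    block_bytes = hashlib.new(hash_name).block_size  # b/8, e.g. 64 for SHA-1
    if len(key) > block_bytes:
        key = H(key)                       # key longer than b bits: hash it to n bits
    k_plus = key.ljust(block_bytes, b"\x00")   # K+ (RFC 2104: zeros after the key)
    s_i = bytes(k ^ IPAD for k in k_plus)      # Si = K+ XOR ipad
    s_o = bytes(k ^ OPAD for k in k_plus)      # So = K+ XOR opad
    return H(s_o + H(s_i + message))


def matches_stdlib(key, message, hash_name="sha1"):
    """Cross-check the step-by-step construction against Python's hmac module."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac_by_steps(key, message, hash_name) == expected


def protect(key, seq, payload):
    """Sender: frame = 8-byte sequence number || payload || tag over both."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac_by_steps(key, body)


def accept(key, frame, expected_seq, tag_len=20):
    """Receiver: recompute the tag, compare in constant time, then check the
    sequence number. Returns the payload, or None if any check fails."""
    if len(frame) < 8 + tag_len:
        return None
    body, tag = frame[:-tag_len], frame[-tag_len:]
    if not hmac.compare_digest(hmac_by_steps(key, body), tag):
        return None                        # altered message or wrong key
    if int.from_bytes(body[:8], "big") != expected_seq:
        return None                        # replayed or out-of-order frame
    return body[8:]


DEMO_KEY = bytes(range(20))  # constructed 160-bit key, for illustration only

if __name__ == "__main__":
    frame = protect(DEMO_KEY, 7, b"constructed payload")
    print(matches_stdlib(DEMO_KEY, b"abc"), accept(DEMO_KEY, frame, 7))
```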
HMAC security
• The security of any MAC function based on an embedded hash function depends on the strength of the underlying hash function.
• It is proved that the probability of a successful attack on HMAC is equivalent to one of the following attacks on the embedded hash function:
• 1. The attacker is able to compute an output of the compression function even with an IV that is random, secret, and unknown to the attacker.
• 2. The attacker finds collisions in the hash function even when the IV is random and secret.
HMAC security
• Attacking HMAC requires either:
• For the first attack, the IV is replaced by a secret value of n bits.
• So a brute-force attack on the key used requires 2^n effort.
• In the second attack, the attacker is looking for two messages M and M’ that produce the same hash: H(M) = H(M’).
• This is the birthday attack.
• It requires 2^(n/2) effort for a hash length of n bits.
• If speed is a concern, MD5 is accepted rather than SHA-1 as the embedded hash function for HMAC.
DAA, CMAC (MAC based on block ciphers)
• Any block cipher chaining mode can be used, with the final block serving as the MAC.
• The Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC.
• It uses IV = 0, and the final block is padded on the right with 0’s to form a 64-bit block.
– Encrypt the message using DES and secret key K in CBC mode.
– Then send just the final block O_N as the MAC,
• or the leftmost M bits (16 ≤ M ≤ 64) of the final block.
• But the final MAC is now too small for security.
• Figure: Data Authentication Algorithm
CMAC
• We previously saw the DAA (CBC-MAC).
• It is widely used in government and industry.
• But it has a message size limitation.
• And the final MAC is too small for security.
• These limitations are overcome by using two n-bit keys and padding.
• This refinement by NIST forms the Cipher-based Message Authentication Code (CMAC), for use with AES or triple DES.
• It was adopted by NIST and is specified in Special Publication 800-38B.
• The idea of CMAC is to create one block of MAC from N blocks of plaintext message by using a symmetric-key block cipher N times.
CMAC
• First, we define the operation of CMAC when the message is an integer multiple n of the cipher block length b, i.e. each block of the message is b bits long.
• For AES, b = 128, and for triple DES, b = 64.
• The message is divided into n blocks (M1, M2, …, Mn), each of b bits.
• The algorithm uses a k-bit encryption key K and an n-bit constant key K1 applied only at the last block.
• For AES, the key size k is 128, 192 or 256 bits; for triple DES, the key size is 128 or 168 bits.
CMAC Overview
Then CMAC is calculated as follows:
• The CMAC operation proceeds as in CBC mode.
• The first block of the message is encrypted with the symmetric key to create a b-bit block.
• This block is XORed with the next message block and encrypted again.
• The process continues until the last message block is encrypted.
• The n leftmost bits (MSB) of the last block are the CMAC.
• The algorithm also uses an n-bit constant key K1 applied only at the last block.
CMAC
• Second, if the message is not an integer multiple of the cipher block length, i.e. the last message block is shorter than b bits, then the final block is padded on the right with a 1 followed by 0’s so that it is also b bits long.
• The CMAC operation proceeds as before, except that a different n-bit key K2 is used instead of K1.
• The two n-bit keys are derived from the k-bit encryption key as follows:
• L = E(K, 0^n)
• K1 = L·x
• K2 = L·x^2 = (L·x)·x
• where L is the output of the encryption algorithm on a plaintext of b 0-bits using cipher key K,
• (·) is multiplication in the finite field GF(2^n), and x and x^2 are first- and second-order polynomials of GF(2^n).
• The binary representation of x is n-2 0’s followed by 10.
• The binary representation of x^2 is n-3 0’s followed by 100.
• Note that CMAC is different from CBC because here the intermediate encrypted blocks are not sent as ciphertext; they are only XORed with the next block.
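The subkey derivation and last-block handling described above, as an added example that is not part of the original slides. Multiplication by x in GF(2^n) is a one-bit left shift with a conditional XOR of the reduction constant from SP 800-38B; because Python's standard library has no AES, the block cipher E(K, ·) is passed in as a function, and `stand_in_cipher` is a hypothetical keyed stand-in used only to exercise the control flow.

```python
import hashlib

# Reduction constants from SP 800-38B, keyed by block size in bytes:
# 0x87 for 128-bit blocks (AES), 0x1B for 64-bit blocks (triple DES).
REDUCTION = {16: 0x87, 8: 0x1B}


def times_x(block):
    """Multiply a block by x in GF(2^n): shift left one bit and, if a 1 fell
    off the top, XOR the reduction constant into the low byte."""
    n = len(block) * 8
    value = int.from_bytes(block, "big")
    carry = value >> (n - 1)
    value = (value << 1) & ((1 << n) - 1)
    if carry:
        value ^= REDUCTION[len(block)]
    return value.to_bytes(len(block), "big")


def subkeys(L):
    """K1 = L·x and K2 = L·x^2 = (L·x)·x."""
    k1 = times_x(L)
    return k1, times_x(k1)


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def cmac(encrypt_block, message, block_bytes=16, tag_bytes=None):
    """CMAC over `message`; encrypt_block(block) must be E(K, block)."""
    k1, k2 = subkeys(encrypt_block(bytes(block_bytes)))      # L = E(K, 0^n)
    blocks = [message[i:i + block_bytes]
              for i in range(0, len(message), block_bytes)] or [b""]
    last = blocks.pop()
    if len(last) == block_bytes:
        last = xor(last, k1)               # complete final block: mask with K1
    else:                                  # short block: pad 1 then 0s, mask with K2
        last = xor((last + b"\x80").ljust(block_bytes, b"\x00"), k2)
    chain = bytes(block_bytes)             # CBC chaining starts from zero
    for block in blocks:
        chain = encrypt_block(xor(chain, block))   # intermediate blocks are never output
    tag = encrypt_block(xor(chain, last))
    return tag[:tag_bytes or block_bytes]  # leftmost bytes form the tag


def stand_in_cipher(key, block_bytes=16):
    """Hypothetical stand-in for E(K, ·), NOT a real block cipher:
    truncated SHA-256 of key || block. Use AES or triple DES in practice."""
    return lambda block: hashlib.sha256(key + block).digest()[:block_bytes]


# L from the subkey-generation test vector in RFC 4493 (AES-128 of a zero block).
RFC4493_L = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")

if __name__ == "__main__":
    k1, k2 = subkeys(RFC4493_L)
    print(k1.hex(), k2.hex())
```

Using K2 for padded blocks keeps a short final block from producing the same cipher input as a full block that happens to end in the padding pattern.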
Hash Functions
• What is a hash function in cryptography?
• A cryptographic hash function is a hash function that takes an input (or 'message') and returns a fixed-size alphanumeric string.
• The string is called the 'hash value', 'message digest', 'digital fingerprint', 'digest' or 'checksum'.
• In 2007 the National Institute of Standards and Technology announced a contest to design a hash function which will be given the name SHA-3 and be the subject of a FIPS standard.
Block diagram of Cryptographic
Hash Function
Hash Functions
• A hash function is any function that can be used to map data of arbitrary size to data of fixed size.
• The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.
• They are also useful in cryptography.
• A hash function is a mathematical function that converts a numerical input value into a compressed numerical value.
• The input to the hash function is of arbitrary length, but the output is always of fixed length.
Hash Functions
• Values returned by a hash function are called message digests or simply hash values.
• This is used for assuring the integrity of transmitted data, and is the building block for HMACs, which provide message authentication.
• What is the meaning of hash value?
• A hash value is a numeric value of fixed length that uniquely identifies data.
• Hash values represent large amounts of data as much smaller numeric values, so they are used with digital signatures.
Hash Functions
• The ideal hash function has three main properties:
• It is extremely easy to calculate a hash for any given message.
• It is extremely difficult to calculate the message when the hash is given.
• It is extremely unlikely (not possible) that two different messages will have the same hash.
Hash Functions
• Practical applications include message integrity checks, digital signatures, authentication, and various information security applications.
• A hash function takes a string of any length as input and produces a fixed-length string which acts as a kind of "signature" for the data provided.
• A person knowing the "hash value" is unable to know the original message.
• But a person who knows the original message can prove that the "hash value" was created from that message.
Hash Functions
• It should be impossible to find two different messages whose digests ("hash values") are similar.
• In various standards and applications, the two most commonly used hash functions are MD5 and SHA-1.
• A hash function takes an input message M and computes a fixed-size string known as the hash, h = H(M).
• M is a variable-length message.
• H(M) = fixed-length hash code.
• It is also known as the hash value or message digest.
• Unlike a MAC, a hash code does not use a key; it is a function of the input message only.
Hash Functions
• So the main objective of a hash function is message integrity.
• A change to any bit in the message results in a change to the hash value.
• A hash function used for security applications is called a cryptographic hash function.
• The sender appends the hash code H(M) to the original message M for the authentication check and sends both to the receiver.
• At the receiving side, the receiver computes the hash code for the received message M.
• The new hash code is compared with the received hash code H(M).
• If both are equal, the receiver is assured that the message comes from the authenticated person.
Hash Function Requirements and properties
To be useful for message authentication, a hash function H must have the following properties:
The left side of the table shows the requirements, and the right side lists the properties of the hash function.
Hash Function Requirements and properties
• Two terms need to be defined:
• Pre-image: For a hash value h = H(x), x is the pre-image of h, i.e. the message itself.
• That is, x is the message block whose hash value is h using the function H.
• H is a many-to-one function, meaning a single hash value can have multiple pre-images.
• Collision: It occurs if message block x ≠ y and H(x) = H(y). i.e.
• So collisions are undesirable, because we use hash functions for data integrity.
Hash Function Requirements and properties
• The first three properties are requirements for the practical application of a hash function.
• The fourth property of a hash function, pre-image resistance, is the one-way property:
• It means it is easy to generate a hash code from a message, but virtually impossible to generate a message from a hash code.
• This property is important when authentication is done using a secret value. Fig. 1(c)
• If the hash function is not one-way, an attacker can easily obtain the secret value.
Hash Function Requirements and properties
• The fifth property is second pre-image resistance (weak collision resistance):
• It means it is impossible to find an alternative message with the same hash value as a given message.
• It prevents forgery when an encrypted hash code is used (Fig. 1(b) and Fig. 2(a)).
• If this property did not hold, an attacker would be able to do the following:
• First, he observes the message plus its encrypted hash code;
• Second, he generates an unencrypted hash code from the message;
• Third, he generates an alternative message with the same hash code.
Hash Function Requirements and properties
• A hash function that satisfies the first five properties of the table is called a weak hash function.
• The sixth property is collision resistance (strong collision resistance).
• If the hash function also satisfies the sixth property, it is called a strong hash function.
• A strong hash function protects against an attack in which one party generates a message for another party to sign.
Applications of Hash Function
• 1. Message authentication:
• It is a mechanism used to verify the integrity of a message, i.e. a Message Integrity Check (MIC).
• We know that message authentication assures that the message is received exactly as sent (i.e. it contains no modification, insertion, deletion, or replay).
• When a hash function is used to provide message authentication, the hash value is called a message digest.
• The following figures describe the ways in which a hash code can be used to provide message authentication.
Examples of use of Hash Functions for Message Authentication :

• In figure 1(a), the message plus hash code is encrypted using symmetric encryption.
• Encryption applied to the message and hash code provides confidentiality.
• The hash code provides authentication.
• Since only A and B share the secret key, the message must have come from A without any modification.
• In figure 1(b), only the hash code is encrypted using symmetric encryption.
• So here an encrypted hash code and a shared secret key are used.
• It reduces processing for applications that do not require confidentiality.
Examples of use of Hash Functions for Message Authentication continued ….

• In figure 1(c), only a hash function is used for authentication, with no encryption.
• It assumes that the two parties share a common secret value S.
• A computes the hash value over the combination of M and S and appends it to M.
• Because B has S, it can re-compute the hash value to verify.
• Since the secret value S is not sent, an attacker cannot modify the message or generate a false message.
• In figure 1(d), confidentiality is added to method (c) by encrypting the message plus hash code.
• When confidentiality is not required, method (b) is better than methods (a) and (d), which encrypt the message, because it requires less computation.
Applications of Hash Function
• 2. Digital signatures (non-repudiation):
• It is another important application, similar to message authentication.
• Encrypt the hash with the private (signing) key; verify with the public (verification) key.
• The operation of a digital signature is similar to that of a MAC.
• But in the case of a digital signature, the hash value of a message is encrypted with the sender’s private key.
• A receiver who knows the sender’s public key can verify the integrity of the message that carries the digital signature.
• So an attacker who wants to alter the message must know the sender’s private key.

• The following figures show how the hash code is used to provide a digital signature:
• In figure 2(a), the hash code is encrypted using public-key encryption with the sender’s private key, which provides authentication.
• It provides a digital signature, because only the sender could have produced the encrypted hash code.
• Figure 2(b) provides both confidentiality and a digital signature, because here the message plus the private-key-encrypted hash code is encrypted again using a symmetric secret key.
Other Hash Function Applications (Uses)
• Used to create a one-way password file
• The operating system stores the hash of a password, not the actual password.
• So the actual password cannot be retrieved by a hacker who has access to the password file.
• When a user enters a password, the hash of that password is compared with the stored hash value for verification. Used by Unix, Windows, etc.
• Used for intrusion detection and virus detection
• Keep H(F) for each file on the system and secure the hash values (e.g. on a CD-R that is kept secure).
• One can easily determine whether a file has been modified by re-computing H(F).
• An intruder would need to change F without changing H(F).


Other Hash Function Applications (Uses)
• Used to construct a pseudorandom function (PRF):
• Generate session keys, nonces (N)
• Produce a key from a password
• Derive keys from a master key cooperatively
• Pseudorandom number generator (PRNG):
• Vernam cipher/OTP
• Symmetric key
• Advantages of hash functions:
• It is easy to compute the hash value for any message.
• It is impossible to find a message for any hash value.
• It is impossible to modify a message without changing its hash.
• It is impossible to find two different messages with the same hash value.
Secure Hash Algorithm
• The most widely used hash function has been the Secure Hash Algorithm (SHA).
• Until 2005, SHA was the last remaining standardized hash algorithm, because cryptanalytic weaknesses had been found in every other widely used hash function.
• Originally designed by NIST & NSA in 1993 and published as the (FIPS 180) standard.
• Because of weaknesses found in SHA, it was revised in 1995 and published as (FIPS 181), referred to as SHA-1.
• SHA-1 is based on the design of the hash function MD4.
• SHA-1 produces a hash value of 160 bits.
• NIST issued a revised version of SHA-1 in (FIPS 180-2) in 2002 as SHA-2.
• It defined 3 additional versions of SHA, with 256-, 384- and 512-bit hash lengths,
• namely SHA-256, SHA-384 and SHA-512 respectively.
• These algorithms are collectively known as SHA-2.
• Designed for compatibility with the increased security provided by the AES cipher.
• The structure and detail of these hash algorithms are similar to SHA-1.
• Hence the analysis should be similar.
• But the security levels are rather higher.
Secure Hash Algorithm
• In 2005, NIST phased out approval of SHA-1 and moved to SHA-2.
• Shortly thereafter, an attack was described in which two messages delivered the same SHA-1 hash using 2^69 operations, which was less than the 2^80 operations previously needed to find a collision in SHA-1.
• This led to the transition to SHA-2.
• First we discuss SHA-1:
• Revised version of SHA published in 1995 as (FIPS -181).
• The actual document is named “Secure Hash Standard”.
• The design is very similar to the hash function MD4.
• The algorithm takes a message of less than 2^64 bits in length.
• It produces a 160-bit hash value or message digest.
• It is slightly slower than MD5, but the larger message digest makes it more secure.
• Encipher the starting values using the 80 subkeys for the message block.
• Add each of the 32-bit pieces of ciphertext to the starting value, modulo 2^32, and use that result as the starting value for handling the next message block.
Message Digest Generation
Using SHA-1

Diagram of SHA-1
Steps or process of SHA-1 Hash Algorithm
• The overall processing of a message to produce a message digest or hash value is:
• Step 1 Padding bits: Padding bits are added to the original message such that the length of the padded message is 64 bits less than a multiple of 512 bits, i.e. 448 mod 512.
• The input message block including the padded message is of 512 bits only.
• The padding consists of a single 1 bit followed by a number of 0 bits.
• Step 2 Appending length: Append a 64-bit length value to the end of the padded message. These 64 bits hold, in binary format, the length of the original message.
• Step 3 Initialize buffer: To hold all intermediate results and the final result of the hash function, we can use a 160-bit buffer.
• It can be made of 5 buffer registers of 32 bits each (32*5 = 160), called A, B, C, D, E.
• These registers are initialized with the following hexadecimal values:
• A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0
• All five buffer register values are stored in big-endian format, meaning the MSB of a word is in the low-address (leftmost) position, whereas in the MD5 algorithm these buffer register values are stored in little-endian format.
Steps or process of SHA-1 Hash Algorithm
• A = 67 45 23 01
• B = EF CD AB 89
• C = 98 BA DC FE
• D = 10 32 54 76
• E = C3 D2 E1 F0
• Step 4 Processing message: The plaintext message, padding and length field go through four rounds, each having 20 steps.
• To do this, we use four separate compression functions f1, f2, f3, f4.
• Each function takes the 512-bit plaintext message block Yq and the values of A, B, C, D and E.
• It also takes an additive constant Kt.
• So the total processing requires 20*4 = 80 steps.
• Step 5: The output obtained after the last step is added to the initial values of the 160-bit buffer CVq to produce a 160-bit message.
SHA-512
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest or hash value.
• The input is processed in 1024-bit blocks.
• We now examine the structure of SHA-512; the other versions are quite similar.
• SHA-512 follows the structure shown in the following figure.
• The processing consists of the following steps:
• Step 1 Append padding bits: Append padding bits so that the length is congruent to 896 mod 1024.
• Padding is always added, even if the message is already of the desired length.
• Padding consists of a single 1 bit followed by the necessary number of 0 bits.
• Step 2 Append length: A block of 128 bits is appended to the message.
• The output of these two steps is a message that is an integer multiple of 1024 bits in length.
• In the figure, the expanded message is a sequence of 1024-bit blocks M1, M2, …, MN.
• So the total length of the expanded message is N*1024 bits.
SHA-512
• Step 3 Initialize hash buffer: A 512-bit buffer is used to hold the intermediate and final results of the hash function.
• The buffer is made up of eight 64-bit registers (a, b, c, d, e, f, g, h).
• These registers are initialized to the following 64-bit integers (hexadecimal values):

• These values are stored in big-endian format, with the most significant byte of a word in the left-most byte position.
• These words are obtained by taking the first 64 bits of the fractional parts of the square roots of the first eight prime numbers.
• Step 4 Process the message in 1024-bit (128 words) blocks:
• This step is the heart of the algorithm.
SHA-512 Overview
SHA-512
• It consists of 80 rounds; it is represented as F in the above diagram.
• Each round takes the 512-bit buffer value a, b, c, d, e, f, g, h as input and updates the contents of the buffer.
• At the first round, the buffer has the value of the intermediate hash value H_{i-1}.
• Each round t uses a 64-bit value Wt, derived from the current 1024-bit block (Mi).
• Each round also makes use of an additive constant Kt, where 0 <= t <= 79 indicates one of the 80 rounds.
• These words are the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers; they provide a random set of 64-bit patterns, which eliminates regularity.
• The output of the last round is added to the input to the first round, H_{i-1}, to produce H_i.
• The addition is done independently for each of the eight words in the buffer with each of the corresponding words in H_{i-1}, using addition modulo 2^64.
• Step 5 Output: After all N 1024-bit blocks have been processed, the output from the last stage is the 512-bit hash value or message digest.
• We can summarize the behavior of SHA-512 as follows:
• H_0 = IV, H_i = SUM64(H_{i-1}, abcdefgh_i), MD = H_N
SHA-512
• where IV = initial value of the abcdefgh buffer shown in step 3
• abcdefgh_i = the output of the last round of processing of the ith message block
• N = the number of blocks in the message (including padding and length fields)
• SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
• MD = final message digest value or hash value
SHA-512 Round Function
SHA-512 Compression Function
• Heart of the algorithm
• Processing the message in 1024-bit blocks
• Consists of 80 rounds
• Updating a 512-bit buffer
• Using a 64-bit value Wt derived from the current message block
• and a round constant based on the cube roots of the first 80 prime numbers
• The structure of each of the 80 rounds is shown in the above figure.
• Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche and completeness properties of the hash function.
• Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
• Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
• ∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
• ∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
• + = addition modulo 2^64
SHA-512 Compression Function
• Kt = a 64-bit additive constant
• Wt = a 64-bit word derived from the current 512-bit input block.
• ROTR(x,n) = circular right shift (rotation) of the 64-bit argument x by n bits
• Six of the eight words of the output of the round function involve simply permutation (b, c, d, f, g, h) by means of rotation.
• This is indicated by shading in the next figure.
• Only two of the output words (a, e) are generated by substitution.
• Word e is a function of input variables d, e, f, g, h, as well as the round word Wt and the constant Kt.
• Word a is a function of all of the input variables, as well as the round word Wt and the constant Kt.
SHA-512
• The next figure illustrates how the 64-bit word values Wt are derived from the 1024-bit message.
• The first 16 values of Wt are taken directly from the 16 words of the current block.
• The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown.
• The function elements are:
• σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
• σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)
• Thus, in the first 16 steps of processing, the value of Wt is equal to the corresponding word in the message block.
• For the remaining 64 steps, the value of Wt consists of the circular left shift by one bit of the XOR of four of the preceding values of Wt, with two of those values subjected to shift and rotate operations.
• This introduces a great deal of redundancy and interdependence into the message blocks that are compressed, which complicates the task of finding a different message block that maps to the same compression function output.
SHA-512 Round Function
The Whirlpool Secure Hash Function

• Whirlpool, which is a block-cipher-based secure hash function.
• Whirlpool produces a hash code of 512 bits for an input message of maximum length less than 2^256 bits.
• The underlying block cipher, based on the Advanced Encryption Standard (AES), takes a 512-bit key and operates on 512-bit blocks of plaintext.
Digital Signatures
• A digital signature is an authentication mechanism that enables the sender of a message to attach a code that acts as a signature.
• The signature can be formed by taking the hash of the message and encrypting the message with the sender’s private key.
• A digital signature guarantees the authenticity and integrity of the message.
• In simple words, a digital signature is the mathematical method for checking the authenticity of the message or document.
• So, a digital signature is a term used for signing an electronic document by making use of public key cryptography.
Digital Signatures
• Properties of digital signature:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• Hence the digital signature function includes the authentication function with additional capabilities.
Digital Signatures
• Message authentication protects two parties from any third party.
• When A sends an authenticated message to B using any encryption scheme, the following disputes between the two parties A and B are possible:
• 1. B can forge a different message and claim that it came from A by creating a message and appending an authentication code computed with the key that A and B share.
• 2. A can deny sending the message: because it is possible for B to forge a message, there is no way to prove that A sent the message.
• An example of the first case can be a fund transfer event.
• An example of the second case is a fake stockbroker transaction event.

The next figure shows the model of the digital signature process:
1. Sender Bob signs the message using a digital signature generation algorithm and his own private key.
2. The message and signature are sent to the receiver.
3. Receiver Alice can verify the signature by applying the verification algorithm to the received combination using the sender’s (Bob’s) public key.
4. If the signature is verified, the message is accepted; otherwise it is rejected.
Figure showing the Model of digital signature Process :
Attacks and Forgeries
• The following attacks are listed in order of increasing severity.
• A denotes the user whose signature is attacked; C denotes the attacker.
– Key-only attack: C only knows A’s public key.
– Known message attack: C knows a set of messages and their signatures.
– Generic chosen message attack: C chooses a list of messages independent of A’s public key before breaking A’s signature. The attack is generic because it does not depend on A’s public key.
– Directed chosen message attack: similar to the generic attack, except that the list of messages is chosen after C knows A’s public key.
Attacks and Forgeries
• The following are the success levels of breaking the signature, in which C (the attacker) can do any of the following:
– Total break: C determines A’s private key.
– Selective forgery: C forges a signature for a particular message chosen by C.
– Universal forgery: C finds a signing algorithm for finding signatures on any messages.
– Existential forgery: C forges a signature for at least one message; C has no control over the message.
Digital Signature Requirements
• The following are the requirements for a digital signature:
• The signature is a bit pattern and depends on the message being signed.
• The signature must use information unique to the sender:
– to prevent both forgery and denial.
• It must be easy to produce the digital signature.
• It must be easy to recognize & verify the digital signature.
• It must be impossible to forge a signature either by:
– constructing a new message for an existing digital signature
– or by constructing a fraudulent digital signature for a given message
• A secure hash function, used as shown in the figure, satisfies these requirements.

Figure: Digital Signature Mechanism with the essential elements of Digital signature Process.
• Characteristics of Digital Signature:
• The digital signature is authentic
• Un-forgeable
• Not reusable
• Unalterable
• Signature cannot be repudiated

• Digital Signature schemes / Approaches:
• 1. Direct digital signature scheme:
• It refers to a digital signature scheme that involves only the sender & receiver.
• It is assumed that the receiver has the sender’s public key.
• The signature is formed by encrypting the message with the sender’s private key,
• or it is formed by encrypting the hash code of the message with the private key.
• It is important to sign first, then encrypt the message & signature.
• This means the signature function (authentication) is performed first and then the encryption function (confidentiality).
• Confidentiality is provided by encrypting the message & digital signature with a shared secret key.
• Problems with Direct Digital signature:
• 1. Trust is needed between sender and receiver because there is no independent verification process.
• 2. Validity depends upon the security of the sender’s private key.
– This means that if the sender later wants to deny sending the message, he can claim that the private key was lost or stolen and that someone forged his signature.
• 3. The private key may be stolen from the sender at time T.
– This means an attacker can send a message signed with the sender’s signature and stamped with a time before or equal to T.
• 2. Arbitrated digital signature:
• A signed message from sender X to receiver Y first goes to an arbiter.
• The arbiter performs tests on the message and signature to check its origin and contents.
• The message sent to receiver Y indicates that it has been verified by the arbiter.
• Arbitrated digital signature is explained with the following steps:
• Step 1: Sender X and an arbiter A share a secret key k1.
• Step 2: The receiver Y and an arbiter A share a secret key k2.
• Step 3: Sender X has a message M & computes its hash code H(M).
• The signature consists of: the identifier (ID) of sender X, and the hash code encrypted using secret key k2.
• Arbiter A decrypts the signature and checks the hash code to validate the message.
• If it is correct, arbiter A sends the message to receiver Y encrypted with secret key k2.
• The message consists of: ID of sender X, original message from sender X, signature, timestamp.
• The receiver decrypts the message.
• The timestamp informs receiver Y that the message was sent in a timely manner.

• Problems with Arbitrated Digital signature:
• It requires complete trust in the arbiter from both sender and receiver.
• The arbiter can show preference towards one party.


Digital Signature Standard (DSS)
or
Digital Signature Algorithm
• NIST published FIPS 186, known as the Digital Signature Standard (DSS).
• It was developed in 1991 and revised in 1993, 1996 & then 2000.
• FIPS 186-2 (2000) includes RSA as an alternative.
• The DSS uses the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA).
• DSS is the standard, DSA is the algorithm.
• It uses two approaches:
– RSA signature approach
– DSS approach
Digital Signature Standard (DSS)
• RSA Signature Approach :
• The message to be signed is input to the hash function (SHA).
• It produces a secure hash code of fixed length.
• The hash code is encrypted using the sender’s private key to form a signature.
• Then both signature and message are sent to the receiver.
• The receiver takes the message and produces a hash code, and decrypts the signature using the sender’s public key.
• If the calculated hash code matches the decrypted signature (the decrypted hash code), then the signature is valid.
• Because only the sender knows his private key, only he can produce a valid signature.
DSS vs RSA Signatures approach
Digital Signature Standard (DSS)
• DSS Approach :
• DSS is designed to provide digital signatures only.
• Unlike RSA, it is not used for encryption. It is a public-key technique.
• The DSS approach also makes use of a hash function.
• The hash code, together with a random number k, is provided as input to the signature function.
• The signature function depends on two parts:
– First is the sender’s private key (PRa)
– Second is the global public key (PUg)
Digital Signature Standard (DSS)
• The result will be a signature consisting of two parts, ‘s’ and ‘r’.
• This all happens at the sender side.
• At the receiver side, the hash code of the received message is generated.
• This hash code & the signature are input to the verification function.
• The verification function depends on the global public key and the sender’s public key (PUa).
• If the signature is valid, then the output of the verification function equals the signature component ‘r’.
• Only the sender, who has the private key, can produce the valid signature.
Digital Signature Algorithm (DSA)
• Proposed by NIST in August 1991
• Security of DSA is based on the difficulty of computing discrete logarithms
• Based on ElGamal & Schnorr schemes
• DSS is a standard but DSA is a digital signature scheme only
• It is smaller and faster than RSA
• It creates a 320-bit signature
• DSA Key Generation:
• Has three parameters that are public and common to a group of users
Digital Signature Algorithm (DSA)
• A 160-bit prime number q is chosen.
• A prime number p is selected with length between 512 and 1024 bits such that q divides (p-1),
– i.e. choose a large prime p with 2^(L-1) < p < 2^L
– where L = 512 to 1024 bits and is a multiple of 64
– q is a 160-bit prime divisor of (p-1)
• Finally, g is chosen in the form h^((p-1)/q) mod p, where h is an integer between 1 and (p-1) and g must be > 1,
– i.e. choose g = h^((p-1)/q)
– where 1 < h < p-1 and h^((p-1)/q) mod p > 1
Digital Signature Algorithm (DSA)
• Now each user chooses a private key and computes a public key.
• The private key ‘x’ is a number from 1 to (p-1), i.e. x<q, chosen randomly.
• The public key is calculated from the private key as ‘y’ = g^x mod p.
• DSA Signature Creation:
• To sign a message M the sender:
• Generates a random signature key k, such that k<q.
• k must be random, be destroyed after use, and never be reused.



Digital Signature Algorithm (DSA)
• Now, to create the signature, the user calculates two quantities, the signature pair ‘r’ and ‘s’:
r = (g^k mod p) mod q
s = [k^-1 (H(M) + x·r)] mod q
• Sends signature (r,s) with message M
• DSA Signature Verification:
• Having received M & signature (r,s), the verification is performed using the given formulas.
Digital Signature Algorithm (DSA)
• To verify a signature, the receiver computes ‘v’ as:
w = s^-1 mod q
u1 = [H(M)·w] mod q
u2 = (r·w) mod q
v = [(g^u1 · y^u2) mod p] mod q
• If v = r, i.e. ‘v’ matches the ‘r’ component of the signature, then the signature is verified.
• Given the difficulty of taking discrete logarithms, it is impossible for an opponent to recover ‘k’ from ‘r’ or to recover ‘x’ from ‘s’.
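The DSA key generation, signing and verification formulas above in runnable form, as an added example that is not part of the original slides. The parameters p = 23, q = 11, h = 2 are constructed toy values chosen only so the arithmetic can be followed by hand, the function names are this example's own, and the private key is drawn from 0 < x < q.

```python
import hashlib
import secrets

# Constructed toy domain parameters (far too small for real use):
# q divides p-1, and g = h^((p-1)/q) mod p with h = 2.
P, Q = 23, 11
G = pow(2, (P - 1) // Q, P)  # g = 4, which is > 1 as required

def keygen():
    x = 1 + secrets.randbelow(Q - 1)   # private key, 0 < x < q
    return x, pow(G, x, P)             # public key y = g^x mod p

def hash_to_int(message):
    # H(M) as an integer; reduced mod q because the toy q is tiny.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q

def sign_hash(h, x, k):
    """Signature (r, s) on hash value h with per-signature secret k; None if r or s is 0."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return (r, s) if r and s else None

def sign(message, x):
    h = hash_to_int(message)
    while True:
        k = 1 + secrets.randbelow(Q - 1)   # fresh random k for every signature
        sig = sign_hash(h, x, k)
        if sig:                            # r = 0 or s = 0: discard k and retry
            return sig

def verify_hash(h, sig, y):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):     # reject out-of-range components first
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r

def verify(message, sig, y):
    return verify_hash(hash_to_int(message), sig, y)
```

With x = 3 (so y = 18), k = 7 and hash value 5, the formulas give r = 8 and s = 1, and verification recomputes v = 8.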
DSA Signing and verifying
Digital signature
• Digital Signature Standard (DSS) defines a digital signature as follows:
• The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity, and signatory non-repudiation.
• Thus, a digital signature is a data-dependent bit pattern, generated by an agent as a function of a file, message, or other form of data block. Another agent can access the data block and its associated signature and verify that
– (1) the data block has been signed by the alleged signer and that
– (2) the data block has not been altered since the signing. Further, the signer cannot repudiate the signature.
• Three digital signature algorithms:
– Digital Signature Algorithm (DSA): The original NIST-approved algorithm, which is based on the difficulty of computing discrete logarithms.
– RSA Digital Signature Algorithm: Based on the RSA public-key algorithm.
– Elliptic Curve Digital Signature Algorithm (ECDSA): Based on elliptic curve cryptography.
Digital Signature
• Sender encrypts message with their private key
• Receiver can decrypt using sender’s public key
• This authenticates the sender, who is the only person who has the matching key
• Does not give privacy of data
– Decrypt key is public
Generic Model of Digital Signature Process

Digital signature-RSA approach

• In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length.
• This hash code is then encrypted using the sender’s private key to form the signature.
• Both the message and the signature are then transmitted.
• The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender’s public key.
• If the calculated hash code matches the decrypted signature, the signature is accepted as valid.
• Because only the sender knows the private key, only the sender could have produced a valid signature.

Digital signature-DSA approach

• The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Algorithm (DSA).
• The DSA makes use of the Secure Hash Algorithm (SHA).
Digital signature-DSA approach
• The hash code is provided as input to a signature function along with a random
number k generated for this particular signature.
• The signature function also depends on the sender’s private key (PRa) and a set
of parameters known to a group of communicating principals.
• We can consider this set to constitute a global public key (PUG). The result is a
signature consisting of two components, labeled s and r.

• At the receiving end, the hash code of the incoming message is generated. This
plus the signature is input to a verification function.
• The verification function also depends on the global public key as well as the
sender’s public key (PUa), which is paired with the sender’s private key.
• The output of the verification function is a value that is equal to the signature
component r if the signature is valid.
• The signature function is such that only the sender, with knowledge of the
private key, could have produced the valid signature.
Digital signature-DSA approach
sender’s private key (PRa), sender’s public key (PUa)
a global public key (PUG), H (Secure Hash Algorithm (SHA))

The Digital Signature Algorithm (DSA)

ElGamal Digital Signatures
• Signature variant of ElGamal, related to D-H
– Uses exponentiation in a finite (Galois) field
– Security is based on the difficulty of computing discrete logarithms, as in D-H
• Uses private key for encryption (signing)
• Uses public key for decryption (verification)
• Each user (e.g. A) generates their key:
– chooses a secret key (number): 1 < xA < q-1
– computes their public key: yA = a^xA mod q
ElGamal Digital Signature
• Sender Alice signs a message M to Bob by computing:
– the hash m = H(M), 0 <= m <= (q-1)
– choose a random integer K with 1 <= K <= (q-1) and gcd(K, q-1) = 1
– calculate the temporary key: S1 = a^K mod q
– compute K^-1, the inverse of K mod (q-1)
– compute the value: S2 = K^-1 (m - xA·S1) mod (q-1)
– the signature is: (S1, S2)
ElGamal Digital Signature

• Any user B can verify the signature by computing:
– V1 = a^m mod q
– V2 = yA^S1 · S1^S2 mod q
– The signature is valid if V1 = V2
ElGamal Signature Example

• Use field GF(19), q = 19 and a = 10
• Alice computes her key:
– A chooses xA = 16 & computes yA = 10^16 mod 19 = 4
• Alice signs a message with hash m = 14 as (3,4):
– Choosing random K = 5, which has gcd(18,5) = 1
– Computing S1 = 10^5 mod 19 = 3
– Finding K^-1 mod (q-1) = 5^-1 mod 18 = 11
– Computing S2 = 11·(14 - 16·3) mod 18 = 4
• Any user B can verify the signature by computing:
– V1 = 10^14 mod 19 = 16
– V2 = 4^3 · 3^4 = 5184 = 16 mod 19
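The ElGamal signing and verification steps above, written out so that the GF(19) example can be reproduced, as an added example that is not part of the original slides. The function names and the range checks on the received signature are this example's own.

```python
from math import gcd

def elgamal_public_key(a, q, x):
    """yA = a^xA mod q for a private key with 1 < xA < q-1."""
    if not 1 < x < q - 1:
        raise ValueError("private key out of range")
    return pow(a, x, q)

def elgamal_sign(m, x, K, a, q):
    """Return (S1, S2) for hash value m, private key x and per-message secret K."""
    if not 0 <= m <= q - 1:
        raise ValueError("hash value out of range")
    if not 1 <= K <= q - 1 or gcd(K, q - 1) != 1:
        raise ValueError("K must be invertible mod q-1")
    s1 = pow(a, K, q)                      # temporary key S1 = a^K mod q
    k_inv = pow(K, -1, q - 1)              # K^-1 mod (q-1)
    s2 = (k_inv * (m - x * s1)) % (q - 1)  # S2 = K^-1 (m - xA*S1) mod (q-1)
    return s1, s2

def elgamal_verify(m, sig, y, a, q):
    """Accept only if S1, S2 are in range and V1 = a^m equals V2 = y^S1 * S1^S2 (mod q)."""
    s1, s2 = sig
    if not (1 <= s1 <= q - 1 and 0 <= s2 <= q - 2):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

def slide_example():
    """Reproduce the worked example: q=19, a=10, xA=16, m=14, K=5."""
    q, a, x, m, K = 19, 10, 16, 14, 5
    y = elgamal_public_key(a, q, x)
    sig = elgamal_sign(m, x, K, a, q)
    return y, sig, elgamal_verify(m, sig, y, a, q)
```

`slide_example()` returns the public key 4, the signature (3, 4) and a successful verification; changing the hash value to 15 makes V1 = 8 while V2 stays 16, so verification fails.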

Schnorr Digital Signatures
• also uses exponentiation in a finite (Galois) field
– security based on discrete logarithms, as in D-H
• minimizes message-dependent computation
– multiplying a 2n-bit integer with an n-bit integer
• main work can be done in idle time
• uses a prime modulus p
– p-1 has a prime factor q of appropriate size
– typically p is a 1024-bit and q a 160-bit number
Schnorr Key Setup
• choose suitable primes p, q
• choose a such that a^q = 1 mod p
• (a,p,q) are global parameters for all
• each user (e.g. A) generates a key
– chooses a secret key (number): 0 < sA < q
– computes their public key: vA = a^(-sA) mod q
Schnorr Signature
• user signs message by
– choosing random r with 0 < r < q and computing x = a^r mod p
– concatenating the message with x and hashing the result, computing: e = H(M || x)
– computing: y = (r + se) mod q
– signature is the pair (e, y)
• any other user can verify the signature as follows:
– computing: x' = a^y v^e mod p
– verifying that: e = H(M || x')
