unit iii authentication requirements · 2019. 7. 8. · cs6660 cryptography and network security...
TRANSCRIPT
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
UNIT III
AUTHENTICATION REQUIREMENTS
In the context of communication across a network, the following attacks can be
identified:
Disclosure – releases of message contents to any person or process not
possessing the appropriate cryptographic key.
Traffic analysis – Discovery of the pattern of traffic between parties. In a
connection oriented application, the frequency and duration of connections
could be determined. In either a connection-oriented or connectionless
environment, the number and length of messages between parties could be
determined.
Masquerade – Discovery of the pattern of traffic between parties. In a
connection oriented application, the frequency and duration of connections
could be determined. In either a connection-oriented or connectionless
environment, the number and length of messages between parties could be
determined.
Content modification – changes to the content of the message,
including insertion deletion, transposition and modification.
Sequence modification – any modification to a sequence of messages
between parties, including insertion, deletion and reordering.
Timing modification – Delay or replay of messages. In a connection-
orientated application, an entire session or sequence of messages could be a
replay of some previous valid session, or individual messages in the sequence
could be delayed or replayed.
Repudiation – Denial of receipt of message by destination or denial of
transmission of message by source.
Measures to deal with first two attacks are in the realm of message confidentiality.
Measures to deal with 3 through 6 are regarded as message authentication. Item 7 comes
under digital signature and dealing with item 8 may require a combination of digital
signature and a protocol to counter this attack.
AUTHENTICATION FUNCTIONS
Any message authentication or digital signature mechanism can be viewed as
having fundamentally two levels. At the lower level, there may be some sort of function
that produces an authenticator: a value to be used to authenticate a message. This lower
layer function is then used as primitive in a higher-layer authentication protocol that
enables a receiver to verify the authenticity of a message.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
The different types of functions that may be used to produce an authenticator
are as follows:
Message encryption – the cipher text of the entire message serves as its
authenticator.
Message authentication code (MAC) – a public function of the message and a
secret key that produces a fixed length value serves as the authenticator.
Hash function – a public function that maps a message of any length into a fixed
length hash value, which serves as the authenticator.
Message encryption
Message encryption by itself can provide a measure of authentication. The
analysis differs from symmetric and public key encryption schemes.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Suppose the message can be any arbitrary bit pattern. In that case, there is no way to
determine automatically, at the destination whether an incoming message is the ciphertext
of a legitimate message. One solution to this problem is to force the plaintext to have
some structure that is easily recognized but that cannot be replicated without recourse to
the encryption function. We could, for example, append an error detecting code, also
known as Frame Check Sequence (FCS) or checksum to each message before encryption
„A‟ prepares a plaintext message M and then provides this as input to a function F
that produces an FCS. The FCS is appended to M and the entire block is then encrypted.
At the destination, B decrypts the incoming block and treats the result as a message with
an appended FCS. B applies the same function F to attempt to reproduce the FCS. If the
calculated FCS is equal to the incoming FCS, then the message is considered authentic.
In the internal error control, the function F is applied to the plaintext, whereas in
external error control, F is applied to the ciphertext (encrypted message).
MESSAGE AUTHENTICATION CODE (MAC)
An alternative authentication technique involves the use of secret key to generate
a small fixed size block of data, known as cryptographic checksum or MAC that is
appended to the message. This technique assumes that two communication parties say A
and B, share a common secret key „k‟. When A has to send a message to B, it calculates
the MAC as a function of the message and the key.
MAC = CK(M) Where M – input message
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
C – MAC function
K – Shared secret key
+MAC - Message Authentication Code
The message plus MAC are transmitted to the intended recipient. The recipient
performs the same calculation on the received message, using the shared secret key, to
generate a new MAC. The received MAC is compared to the calculated MAC. If it is
equal, then the message is considered authentic.
A MAC function is similar to encryption. One difference is that MAC algorithm
need not be reversible, as it must for decryption. In general, the MAC function is a many-
to-one function.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Requirements for MAC:
When an entire message is encrypted for confidentiality, using either symmetric or
asymmetric encryption, the security of the scheme generally depends on the bit length of
the key. Barring some weakness in the algorithm, the opponent must resort to a brute-
force attack using all possible keys. On average, such an attack will require 2(k-1)
attempts
for a k-bit key.
In the case of a MAC, the considerations are entirely different. Using brute-force
methods, how would an opponent attempt to discover a key?
If confidentiality is not employed, the opponent has access to plaintext messages and
their associated MACs. Suppose k > n; that is, suppose that the key size is greater than
the MAC size. Then, given a known M1 and MAC1, with MAC1 = CK (M1), the
cryptanalyst can perform MACi = CKi (M1) for all possible key values Ki.
At least one key is guaranteed to produce a match of MACi = MAC1.
Note that a total of 2k
MACs will be produced, but there are only 2n
< 2k
different MAC
values. Thus, a number of keys will produce the correct MAC and the opponent has no
way of knowing which is the correct key. On average, a total of 2k/2
n = 2
(k-n) keys will
produce a match. Thus, the opponent must iterate the attack:
Round 1
Given: M1, MAC1 = CK( M1)
Compute MACi = CKi (M1) for all 2k
keys
Number of matches ≈2(k-n)
Round 2
Given: M2, MAC2 = CK( M2)
Compute MACi = CKi (M2) for the 2(k-n)
keys resulting from Round 1
Number of matches ≈2(k-2xn)
On average, a rounds will be needed if k = a x n. For example, if an 80-bit key is used
and the MAC is 32 bits long, then the first round will produce about 248
possible keys.
The second round will narrow the possible keys to about 216
possibilities. The third round
should produce only a single key, which must be the one used by the sender.
If the key length is less than or equal to the MAC length, then it is likely that a first round
will produce a single match.
Thus, a brute-force attempt to discover the authentication key is no less effort and may be
more effort than that required to discover a decryption key of the same length. However,
other attacks that do not require the discovery of the key are possible.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Consider the following MAC algorithm. Let M = (X1||X2||...||Xm) be a message that is
treated as a concatenation of 64-bit blocks Xi. Then define
Δ(M)= X1 X2 … Xm
Ck(M)=Ek(Δ(M)
where is the exclusive-OR (XOR) operation and the encryption algorithm is DES in
electronic codebook mode. Thus, the key length is 56 bits and the MAC length is 64 bits.
If an opponent observes {M||C(K, M)}, a brute-force attempt to determine K will require
at least 256
encryptions. But the opponent can attack the system by replacing X1 through
Xm-1 with any desired values Y1 through Ym-1 and replacing Xm with Ym where Ym is
calculated as follows:
Ym = Y1 Y2 ... Ym1 Δ(M)
The opponent can now concatenate the new message, which consists of Y1 through Ym,
with the original MAC to form a message that will be accepted as authentic by the
receiver. With this tactic, any message of length 64 x (m-1) bits can be fraudulently
inserted.
Then the MAC function should satisfy the following requirements:
The MAC function should have the following properties:
If an opponent observes M and CK(M), it should be computationally infeasible for
the opponent to construct a message M‟ such that CK(M‟) = CK(M)
CK(M) should be uniformly distributed in the sense that for randomly chosen
messages, M and M‟, the probability that CK(M) = CK(M‟) is 2-n
where n is the
number of bits in the MAC.
Let M‟ be equal to some known transformation on M. i.e., M‟ = f(M).
MAC based on DES
One of the most widely used MACs, referred to as Data Authentication Algorithm
(DAA) is based on DES.
The algorithm can be defined as using cipher block chaining (CBC) mode of
operation of DES with an initialization vector of zero. The data to be authenticated are
grouped into contiguous 64-bit blocks: D1, D2 … Dn. if necessary, the final block is
padded on the right with zeros to form a full 64-bit block.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Using the DES encryption algorithm and a secret key, a data authentication code (DAC)
is calculated as follows:
O1 = EK(D1)
O2 = EK(D2 O1)
O3 = EK(D3 O2) …
ON = EK(DN ON-1)
HASH FUNCTIONS
A variation on the message authentication code is the one way hash function. As
with MAC, a hash function accepts a variable size message M as input and produces a
fixed-size output, referred to as hash code H(M). Unlike a MAC, a hash code does not
use a key but is a function only of the input message. The hash code is also referred to as
a message digest or hash value.
There are varieties of ways in which a hash code can be used to provide message
authentication, as follows:
a) The message plus the hash code is encrypted using symmetric encryption. This is
identical to that of internal error control strategy. Because encryption is applied to
the entire message plus the hash code, confidentiality is also provided.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
b) Only the hash code is encrypted, using symmetric encryption. This reduces the
processing burden for those applications that do not require confidentiality.
c) Only the hash code is encrypted, using the public key encryption and using the
sender‟s private key. It provides authentication plus the digital signature.
d) If confidentiality as well as digital signature is desired, then the message plus the
public key encrypted hash code can be encrypted using a symmetric secret key.
e) This technique uses a hash function, but no encryption for message
authentication. This technique assumes that the two communicating parties share
a common secret value „S‟. The source computes the hash value over the
concatenation of M and S and appends the resulting hash value to M.
f) Confidentiality can be added to the previous approach by encrypting the entire
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
message plus the hash code.
A hash value h is generated by a function H of the form
h = H(M)
where M is a variable-length message and H(M) is the fixed-length hash value. The hash
value is appended to the message at the source at a time when the message is assumed or
known to be correct. The receiver authenticates that message by recomputing the
hash value.
Requirements for a Hash Function
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and
software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) =
h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y x such that
H(y) = H(x). This is sometimes referred to as weak collision resistance.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This
is sometimes referred to as strong collision resistance.
The first three properties are requirements for the practical application of a hash function
to message authentication. The fourth property, the one-way property, states that it is
easy to generate a code given a message but virtually impossible to generate a message
given a code. The fifth property guarantees that an alternative message hashing to the
same value as a given message cannot be found.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
The sixth property refers to how resistant the hash function is to a type of attack known as the
birthday attack, which we examine shortly.
Simple Hash Functions
All hash functions operate using the following general principles. The input (message,
file, etc.) is viewed as a sequence of n-bit blocks. The input is processed one block at a
time in an iterative fashion to produce an n-bit hash function.
One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block.
This can be expressed as follows:
Ci = bi1 bi1 ... bim
where
Ci = ith bit of the hash code, 1 ≤i ≤n
m = number of n-bit blocks in the input
bij = ith bit in jth block
= XOR operation
Thus, the probability that a data error will result in an unchanged hash value is 2n. With
more predictably formatted data, the function is less effective. For example, in most
normal text files, the high-order bit of each octet is always zero. So if a 128-bit hash
value is used, instead of an effectiveness of 2128
, the hash function on this type of data has
an effectiveness of 2112
.
A simple way to improve matters is to perform a one-bit circular shift, or rotation, on
the hash value after each block is processed. The procedure can be summarized as
follows:
1. Initially set the n-bit hash value to zero.
2. Process each successive n-bit block of data as follows:
a. Rotate the current hash value to the left by one bit.
b. XOR the block into the hash value.
Birthday Attacks
Suppose that a 64-bit hash code is used. One might think that this is quite secure. For
example, if an encrypted hash code C is transmitted with the corresponding unencrypted
message M, then an opponent would need to find an M' such that H(M') = H(M) to
substitute another message and fool the receiver.
On average, the opponent would have to try about 263
messages to find one that matches
the hash code of the intercepted message
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
However, a different sort of attack is possible, based on the birthday paradox The
source, A, is prepared to "sign" a message by appending the appropriate m-bit hash code
and encrypting that hash code with A's private key.
1. The opponent generates 2m/2
variations on the message, all of which convey
essentially the same meaning. (fraudulent message
2. The two sets of messages are compared to find a pair of messages that produces
the same hash code. The probability of success, by the birthday paradox, is greater
than 0.5. If no match is found, additional valid and fraudulent messages are
generated until a match is made.
3. The opponent offers the valid variation to A for signature. This signature can then
be attached to the fraudulent variation for transmission to the intended recipient.
Because the two variations have the same hash code, they will produce the same
signature; the opponent is assured of success even though the encryption key is
not known.
Thus, if a 64-bit hash code is used, the level of effort required is only on the order of 232
.
Block Chaining Techniques Divide a message M into fixed-size blocks M1,M2,..., MN and use a symmetric encryption
system such as DES to compute the hash code G as follows:
Ho = initial value
Hi = EMi [Hi-1 ]
G = HN
This is similar to the CBC technique, but in this case there is no secret key. As with any
hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is
DES and only a 64-bit hash code is produced, then the system is vulnerable.
Furthermore, another version of the birthday attack can be used even if the opponent has
access to only one message and its valid signature and cannot obtain multiple signings.
Here is the scenario; we assume that the opponent intercepts a message with a signature
in the form of an encrypted hash code and that the unencrypted hash code is m bits long:
1. Use the algorithm defined at the beginning of this subsection to calculate the
unencrypted hash code G.
2. Construct any desired message in the form Q1, Q2,..., QN2.
3. Compute for Hi = EQi [Hi-1 ]for 1 ≤i ≤(N-2).
4. Generate 2m/2
random blocks; for each block X, compute EX[HN-2.] Generate
an additional 2m/2
random blocks; for each block Y, compute DY[G], where D is
the decryption function corresponding to E.
5. Based on the birthday paradox, with high probability there will be an X and Y
such that EX [HN-2 ] = DY[ G].
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
6. Form the message Q1, Q2,..., QN-2, X, Y. This message has the hash code G and
therefore can be used with the intercepted encrypted signature.
This form of attack is known as a meet-in-the-middle attack.
Security of Hash Functions and MACs Just as with symmetric and public-key encryption, we can group attacks on
hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
Brute-Force Attacks The nature of brute-force attacks differs somewhat for hash functions and MACs.
Hash Functions The strength of a hash function against brute-force attacks depends solely on the length
of the hash code produced by the algorithm. Recall from our discussion of hash
functions that there are three desirable properties:
One-way: For any given code h, it is computationally infeasible to find x such that
H(x) = h.
Weak collision resistance: For any given block x, it is computationally
infeasible to find y x with H(y) = H(x).
Strong collision resistance: It is computationally infeasible to find any pair (x, y)
such that H(x) = H(y).
For a hash code of length n, the level of effort required, as we have seen
is proportional to the following:
One way 2n
Weak collision resistance 2n
Strong collision resistance 2n/2
Message Authentication Codes
A brute-force attack on a MAC is a more difficult undertaking because it requires known
message-MAC pairs.. To attack a hash code, we can proceed in the following way. Given
a fixed message x with n-bit hash code h = H(x), a brute-force method of finding a
collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do
this repeatedly off line. To proceed, we need to state the desired security property of a
MAC algorithm, which can be expressed as follows:
Computation resistance: Given one or more text-MAC pairs (xi, CK[xi]), it is
computationally infeasible to compute any text-MAC pair (x, CK( x)) for any new
input x ≠xi.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
In other words, the attacker would like to come up with the valid MAC code for a given
message x. There are two lines of attack possible: Attack the key space and attack the
MAC value. We examine each of these in turn.
To summarize, the level of effort for brute-force attack on a MAC algorithm can be
expressed as min(2k, 2
n). The assessment of strength is similar to that for symmetric
encryption algorithms. It would appear reasonable to require that the key length and
MAC length satisfy a relationship such as min(k, n) ≥N, where N is perhaps in the range
of 128 bits.
Cryptanalysis
As with encryption algorithms, cryptanalytic attacks on hash functions and MAC
algorithms seek to exploit some property of the algorithm to perform some attack other
than an exhaustive search.
Hash Functions
In recent years, there has been considerable effort, and some successes, in developing
cryptanalytic attacks on hash functions. To understand these, we need to look at the
overall structure of a typical secure hash function, and is the structure of most hash
functions in use today, including SHA and Whirlpool.
The hash function takes an input message and partitions it into L fixed-sized blocks of b
bits each.
If necessary, the final block is padded to b bits.
The final block also includes the value of the total length of the input to the hash
function.
The inclusion of the length makes the job of the opponent more difficult.
Either the opponent must find two messages of equal length that hash to the same value
or two messages of differing lengths that, together with their length values, hash to the
same value.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
The hash algorithm involves repeated use of a compression function, f, that takes two
inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit
block) and produces an n-bit output. At the start of hashing, the chaining variable has an
initial value that is specified as part of the algorithm. The final value of the chaining
variable is the hash value. Often, b > n; hence the term compression. The hash function
can be summarized as follows:
CVo = IV = initial n-bit value
CVi = f(CVi-1, Yi-1) 1 ≤i ≤L
H(M) = CVL
where the input to the hash function is a message M consisting of the blocks Yo, Y1,...,
YL-1. The structure can be used to produce a secure hash function to operate on a message
of any length.
Message Authentication Codes
There is much more variety in the structure of MACs than in hash functions, so it
is difficult to generalize about the cryptanalysis of MACs. Further, far less work has been done on
developing such attacks.
Secure Hash Algorithm
SHA was developed by the National Institute of Standards and Technology (NIST) and
published as a federal information processing standard (FIPS 180) in 1993. When weaknesses
were discovered in SHA, now known as SHA-0, a revised version was issued as FIPS 180-1 in
1995 and is referred to as SHA-1.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
SHA is based on the hash function MD4, and its design closely models MD4. SHA-1 produces a
hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2,
that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits,
known as SHA-256, SHA-384, and SHA-512, respectively. Collectively, these hash algorithms
are known as SHA-2.
SHA-512 Logic
The algorithm takes as input a message with a maximum length of less than 2128 bits and
produces as output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure
11.9 depicts the overall processing of a message to produce a digest. The processing consists of
the following steps
Step 1 Append padding bits. The message is padded so that its length is congruent to 896
modulo 1024 [length K 896(mod 1024)]. Padding is always added, even if the message is already
of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The padding
consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message. This block is treated as
an unsigned 128-bit integer (most significant byte first) and contains the length of the original
message (before the padding).
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. In Figure 11.9, the expanded message is represented as the sequence of 1024-bit blocks
M1, M2, c, MN, so that the total length of the expanded message is N * 1024 bits
Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of
the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to the following 64-bit integers (hexadecimal values):
a = 6A09E667F3BCC908 e = 510E527FADE682D1
b = BB67AE8584CAA73B f = 9B05688C2B3E6C1F
c = 3C6EF372FE94F82B g = 1F83D9ABFB41BD6B
d = A54FF53A5F1D36F1 h = 5BE0CD19137E2179
Step 4 Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a module
that consists of 80 rounds; this module is labeled F in Figure 11.9. The logic is illustrated in
Figure 11.10.
Each round takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the
buffer. At input to the first round, the buffer has the value of the intermediate hash value, Hi-1.
Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being
processed (Mi). These values are derived using a message schedule described subsequently.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Each round also makes use of an additive constant Kt, where 0 … t … 79 indicates one of the 80
rounds. These words represent the first 64 bits of the fractional parts of the cube roots of the first
80 prime numbers. The constants provide a “randomized” set of 64-bit patterns, which should
eliminate any regularities in the input data. Table 11.4 shows these constants in hexadecimal
format (from left to right).
The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi.
The addition is done independently for each of the eight words in the buffer with each of the
corresponding words in Hi-1, using addition modulo 264.
Step 5 Output. After all N 1024-bit blocks have been processed, the output from the Nth stage is
the 512-bit message digest.
We can summarize the behavior of SHA-512 as follows:
H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN
Where IV = initial value of the abcdefgh buffer, defined in step 3
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding andlength fields)
SUM64 = addition modulo 264 performed separately on each word of the pair of inputs
MD = final message digest value
SHA-512 Round Function Let us look in more detail at the logic in each of the 80 steps of the processing of one 512-bit
block (Figure 11.11). Each round is defined by the following set of equations:
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Two observations can be made about the round function. 1. Six of the eight words of the output of the round function involve simply permutation (b, c, d,
f , g, h) by means of rotation. This is indicated by shading in Figure 11.11. 2. Only two of the output words (a, e) are generated by substitution. Word e is a function of input
variables (d, e, f , g, h), as well as the round word Wt and the constant Kt. Word a is a function of
all of the input variables except d, as well as the round word Wt and the constant Kt.
It remains to indicate how the 64-bit word values Wt are derived from the 1024-bit message.
Figure 11.12 illustrates the mapping. The first 16 values of Wt are taken directly from the 16
words of the current block. The remaining values are defined as
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Thus, in the first 16 steps of processing, the value of Wt is equal to the corresponding word in the
message block. For the remaining 64 steps, the value of Wt consists of the circular left shift by
one bit of the XOR of four of the preceding values of Wt, with two of those values subjected to
shift and rotate operations. This introduces a great deal of redundancy and interdependence into
the message blocks that are compressed, which complicates the task of finding a different
message block that maps to the same compression function output.
MD5
Figure 10.1 shows the overall working architecture of MD5 algorithm. There are two levels of
message digest that take place in the continuous sequence for ensuring multiple-level security
policy this however reduce the way of targeting to break the security by brute-force attacks. In a
first level, the message digest is produce by two level inputs. The data is subdivide into number of
block and each block is given as input with 431-Bitwords.Applying the message digest function,
first level of encrypted message digests is produce with a length of 432-Bitwords.now, this
generated message digest is given as input to the other set of 512-Byte data Block. Applying the
message digest function again produce a new message digest of length 431-bitwords.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Architecture of MDS
10.4.1.1 Message Compression Function
This MD5 algorithm words in a safer level. It takes the input from the message and converts it into
a message digest as the output of 128-Bit length. The hash value is uniq and message is digest are
not same. Its is not possible to compute such a lengthy message digest of another. Figure 10.2
Shows Compression Function of MD5.Consider and input is given like a Bit and the message
digest is calculated as follows.
Step1: The given message is padded and made the length congruent to 448 modulo 512.In other
way, it means extending the message to 64 bit and being of 512-bits long. Then the singlen1 bit is
added to the message and also some 0 bits are added with the message input so as to produce the
length in bits equal to 448 modulo 512 bit.
Step2:Addition the length. For the given input A, the corresponding 64-bit representation is
computer and the value is appended with the result of the previous step of the resultant message got
will be the multiple of 512 bits.
Step3: In this step, buffer from the message digest is initialized and the message digest is
calculated a Four-Word buffer (A, B, C, and D) and all these are 32-Bit register and the values of
these registers will be assigned in term of hexadecimal codes.
Word A:01 23 45 67
Word B:78 ce ae de
432-Bit Words
Block Digest
Diagram
432-Bit Words
Block Digest
Diagram
432-Bit Words
Data Block(512 Bytes)
Data Block(512 Bytes)
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Word C:ba fe cd 98
Word D:10 32 54 76 CVqs
128
Yq A B C D
512 32 32 32 32 32
Round1
Round2
Round3
Round4
(a) 128 Addition Modulo 232
CVq-1 Overall processing of MD5
(b) Y [K]
S[I]
Compression function of MD5
F,S[1…16], y[1K
]
G,S[17…32],y[2K
]
I, S [49…64],y[4K
]
H, S [33…48],y[3K
]
+ + + +
+
A B C D
+
CNS
+
+
+
A B C D
h
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Step4:Now the given the input will be procedure as „W‟ 16-Word Blocks. For each Block, the
input are Yq and CVq, where Yq is the qth
input block,CVq is chaining variable, the value of q range
from 0to w-1. Initially, CV has words A, B, C, and D. The output each block is considered as value
for next block‟s CV. The compression function is shown in Figure 10.2. Each block goes through
four rounds and each composed of 16 Steps
For each round, the auxiliary function h takes three 32-bit words and then throws out the output of
a single 32-bit word, where h can be expressed as follows:
Round1:h (B, C, D) = (B^C)V (~B^D)
Round2:h (B, C, D) = (B^D) V(C^~D)
Round3:h(B, C, D) =B*C*d
Round4:h(B, C, D) =C*(BV~D)
The Given message the processed like 16 word blocks. If the bits of A,B,C and D are independent
and unbiased each bit of F(A,B,C,D),H(A,B,C,D) and I(A,B,C,D) are independent are unbiased
Y [K] - Message Word
S [I] - Round Constant
CLS - Circular Left Shift
Step5: The output A, B, C and D is now produced as output with the Starting word as the lower
and order byte. The ending word is the higher order byte.
Thus the MD algorithm is very simple to implement and produces the message digest with the
length corresponding with the input size. It is very complicated to produce the same message digest
for different inputs.
MAC BASED ON HASH FUNTIONS: HMAC In recent years, there has been increased interest in developing a MAC derived from a
cryptographic hash function. The motivations for this interest are
1. Cryptographic hash functions such as MD5 and SHA generally execute faster in software than
symmetric block ciphers such as DES.
2. Library code for cryptographic hash functions is widely available. HMAC has been issued as RFC 2104, has been chosen as the mandatory-to-implement MAC for
IP security, and is used in other Internet protocols, such as SSL. HMAC has also been issued as a
NIST standard (FIPS 198).
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
RFC 2104 lists the following design objectives for HMAC.
• To use, without modifications, available hash functions. In particular, to use hash functions that
perform well in software and for which code is freely and widely available.
• To allow for easy replace ability of the embedded hash function in case faster or more
secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring a significant
degradation.
• To use and handle keys in a simple way. • To have a well understood cryptographic analysis of the strength of the authentication
mechanism based on reasonable assumptions about the embedded hash function.
HMAC Algorithm
Figure 12.5 illustrates the overall operation of HMAC. Define the following terms.
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded hash function)
Yi = i th block of M, 0 … i … (L - 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is Ú n; if key length is greater than b, the
key is input to the hash function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times
Then HMAC can be expressed as
HMAC(K,M)=H[(K+
XOR OPAD)||H(K+
ipad)||M]]
We can describe the algorithm as follows.
1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and
b = 512, then K will be appended with 44 zeroes).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
Note that the XOR with ipad results in flipping one-half of the bits of K. Similarly, the XOR with
opad results in flipping one-half of the bits of K, using a different set of bits. In effect, by passing
Si and So through the compression function of the hash algorithm, we have pseudo randomly
generated two keys from K.
HMAC should execute in approximately the same time as the embedded hash function for long
messages. HMAC adds three executions of the hash compression function (for Si, So, and the
block produced from the inner hash). A more efficient implementation is possible, as shown in
Figure 12.6. Two quantities are precomputed:
f(IV, (K XOR ipad))
f(IV, (K XOR opad))
where f(cv, block) is the compression function for the hash function, which takes as arguments a
chaining variable of n bits and a block of b bits and produces a chaining variable of n bits.
MAC BASED ON BLOCK CIPHERS
Cipher-Based Message Authentication Code (CMAC)
Cipher-based Message Authentication Code (CMAC) mode of operation for use with AES and
triple DES. It is specified in NIST Special Publication 800-38B.
First, let us define the operation of CMAC when the message is an integer multiple n of the
cipher block length b. For AES, b = 128, and for triple DES, b = 64.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
The message is divided into n blocks (M1, M2,c, Mn). The algorithm makes use of a k-bit
encryption key K and a b-bit constant, K1. For AES, the key size k is 128, 192, or 256 bits; for
triple DES, the key size is 112 or 168 bits. CMAC is calculated as follows (Figure 12.8).
C1 = E(K, M1)
C2 = E(K, [M2 XOR C1])
C3 = E(K, [M3 XOR C2])
.
.
.
Cn = E(K, [Mn XOR Cn-1 XOR K1])
T = MSBTlen(Cn)
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSBs(X) = the s leftmost bits of the bit string X
If the message is not an integer multiple of the cipher block length, then the final block is padded
to the right (least significant bits) with a 1 and as many 0s as necessary so that the final block is
also of length b. The CMAC operation then proceeds as before, except that a different b-bit key
K2 is used instead of K1.
The two b-bit keys are derived from the k-bit encryption key as follows. L = E(K, 0b )
K1 = L * x
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
K2 = L * x2 = (L * x)* x where multiplication ( # ) is done in the finite field GF(2b) and x and x2 are first and second-
order polynomials that are elements of GF(2b). Thus, the binary representation of x consists of b
- 2 zeros followed by 10; the binary representation of x2 consists of b - 3 zeros followed by 100.
The finite field is defined with respect to an irreducible polynomial that is lexicographically first
among all such olynomials with the minimum possible number of nonzero terms. For the two
approved block sizes, the polynomials are x64
+ x4 + x
3 + x + 1 and x
128 + x
7 + x
2 + x + 1.
To generate K1 and K2, the block cipher is applied to the block that consists entirely of 0 bits.
The first subkey is derived from the resulting ciphertext by a left shift of one bit and,
conditionally, by XORing a constant that depends on the block size. The second subkey is
derived in the same manner from the first subkey.
Digital Signatures
have looked at message authentication
but does not address issues of lack of trust
digital signatures provide the ability to:
verify author, date & time of signature
authenticate message contents
be verified by third parties to resolve disputes
hence include authentication function with additional capabilities
Digital Signature Model
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Digital Signature Model
Stallings Figure 13.1 is a generic model of the process of making and using digital signatures.
Bob can sign a message using a digital signature generation algorithm. The inputs to the
algorithm are the message and Bob's private key. Any other user, say Alice, can verify the
signature using a verification algorithm, whose inputs are the message, the signature, and Bob's
public key.
In simplified terms, the essence of the digital signature mechanism is shown in Stallings Figure
13.2. This repeats the logic shown in Figure 11.3. On example, using RSA, is available at this
book's Web site.
We begin this chapter with an overview of digital signatures. Then, we introduce the Digital
Signature Standard (DSS).
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Attacks and Forgeries
attacks
key-only attack
known message attack
generic chosen message attack
directed chosen message attack
adaptive chosen message attack
break success levels
total break
selective forgery
existential forgery
Digital Signature Requirements
must depend on the message signed
must use information unique to sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given message
be practical save digital signature in storage
Direct Digital Signatures
involve only sender & receiver
assumed receiver has sender‟s public-key
digital signature made by sender signing entire message or hash with private-key
can encrypt using receivers public-key
important that sign first then encrypt message & signature
security depends on sender‟s private-key
ElGamal Digital Signatures signature variant of ElGamal, related to D-H
so uses exponentiation in a finite (Galois)
with security based difficulty of computing discrete logarithms, as in D-H
use private key for encryption (signing)
uses public key for decryption (verification)
each user (eg. A) generates their key
chooses a secret key (number): 1 < xA < q-1
compute their public key: yA = axA
mod q
Alice signs a message M to Bob by computing
the hash m = H(M), 0 <= m <= (q-1)
chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
compute temporary key: S1 = ak mod q
compute K-1
the inverse of K mod (q-1)
compute the value: S2 = K-1
(m-xAS1) mod (q-1)
signature is:(S1,S2)
any user B can verify the signature by computing
V1 = am
mod q
V2 = yAS1
S1S2
mod q
signature is valid if V1 = V2
use field GF(19) q=19 and a=10
Alice computes her key:
A chooses xA=16 & computes yA=1016
mod 19 = 4
Alice signs message with hash m=14 as (3,4):
choosing random K=5 which has gcd(18,5)=1
computing S1 = 105 mod 19 = 3
finding K-1
mod (q-1) = 5-1
mod 18 = 11
computing S2 = 11(14-16.3) mod 18 = 4
any user B can verify the signature by computing
V1 = 1014
mod 19 = 16
V2 = 43.3
4 = 5184 = 16 mod 19
since 16 = 16 signature is valid
Schnorr Digital Signatures
also uses exponentiation in a finite (Galois)
security based on discrete logarithms, as in D-H
minimizes message dependent computation
multiplying a 2n-bit integer with an n-bit integer
main work can be done in idle time
have using a prime modulus p
p–1 has a prime factor q of appropriate size
typically p 1024-bit and q 160-bit numbers
Schnorr Key Setup
choose suitable primes p , q
choose a such that aq = 1 mod p
(a,p,q) are global parameters for all
each user (eg. A) generates a key
chooses a secret key (number): 0 < sA < q
compute their public key: vA = a-sA
mod q
Schnorr Signature
user signs message by
choosing random r with 0<r<q and computing x = ar mod p
concatenate message with x and hash result to computing: e = H(M || x)
computing: y = (r + se) mod q
signature is pair (e, y)
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
any other user can verify the signature as follows:
computing: x' = ayv
e mod p
verifying that: e = H(M || x‟)
Digital Signature Standard (DSS) US Govt approved signature scheme
designed by NIST & NSA in early 90's
published as FIPS-186 in 1991
revised in 1993, 1996 & then 2000
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
DSA is digital signature only unlike RSA
is a public-key technique
DSS vs RSA Signatures
Stallings Figure 13.3 contrasts the DSS approach for generating digital signatures to that
used with RSA. In the RSA approach, the message to be signed is input to a hash function
that produces a secure hash code of fixed length. This hash code is then encrypted using
the sender's private key to form the signature. Both the message and the signature are then
transmitted. The recipient takes the message and produces a hash code. The recipient also
decrypts the signature using the sender's public key. If the calculated hash code matches
the decrypted signature, the signature is accepted as valid. Because only the sender knows
the private key, only the sender could have produced a valid signature. The DSS
approach also makes use of a hash function. The hash code is provided as input to a
signature function along with a random number k generated for this particular signature.
The signature function also depends on the sender's private key (PR a) and a set of
parameters known to a group of communicating principals. We can consider this set to
constitute a global public key (PUG). The result is a signature consisting of two
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
components, labeled s and r. At the receiving end, the hash code of the incoming
message is generated. This plus the signature is input to a verification function. The
verification function also depends on the global public key as well as the sender's public
key (PUa), which is paired with the sender's private key. The output of the verification
function is a value that is equal to the signature component r if the signature is valid. The
signature function is such that only the sender, with knowledge of the private key, could
have produced the valid signature.
Digital Signature Algorithm (DSA) creates a 320 bit signature
with 512-1024 bit security
smaller and faster than RSA
a digital signature scheme only
security depends on difficulty of computing discrete logarithms
variant of ElGamal & Schnorr schemes
The DSA is based on the difficulty of computing discrete logarithms (see Chapter 8)
and is based on schemes originally presented by ElGamal [ELGA85] and Schnorr
[SCHN91]. The DSA signature scheme has advantages, being both smaller (320 vs
1024bit) and faster (much of the computation is done modulo a 160 bit number), over
RSA. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is
a public-key technique
DSA Key Generation
have shared global public key values (p,q,g):
choose 160-bit prime number q
choose a large prime p with 2L-1
< p < 2L
• where L= 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
choose g = h(p-1)/q
• where 1<h<p-1 and h(p-1)/q
mod p > 1
users choose private & compute public key:
choose random private key: x<q
compute public key: y = gx mod p
DSA typically uses a common set of global parameters (p,q,g) for a community of
clients, as shown. A 160-bit prime number q is chosen. Next, a prime number p is
selected with a length between 512 and 1024 bits such that q divides (p – 1).
Finally, g is chosen to be of the form h(p–1)/q
mod p where h is an integer between 1
and (p – 1) with the restriction that g must be greater than 1. Thus, the global public
key components of DSA have the same for as in the Schnorr signature scheme.
Then each DSA uses chooses a random private key x, and computes their public
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
key as shown. The calculation of the public key y given x is relatively
straightforward. However, given the public key y, it is computationally infeasible
to determine x, which is the discrete logarithm of y to base g, mod p.
DSA Signature Creation
to sign a message M the sender:
generates a random signature key k, k<q
nb. k must be random, be destroyed after use, and never be reused
then computes signature pair:
r = (gk mod p)mod q
s = [k-1
(H(M)+ xr)] mod q
sends signature (r,s) with message M
To create a signature, a user calculates two quantities, r and s, that are functions of the
public key components (p,q,g), the user‟s private key (x), the hash code of the message
H(M), and an additional integer k that should be generated randomly or pseudo-randomly
and be unique for each signing. This is similar to ElGamal signatures, with the use of a per
message temporary signature key k, but doing calculations first mod p, then mod q to
reduce the size of the result. The signature (r,s) is then sent with the message to the
recipient. Note that computing r only involves calculation mod p and does not depend on
message, hence can be done in advance. Similarly with randomly choosing k‟s and
computing their inverses.
DSA Signature Verification
having received M & signature (r,s)
to verify a signature, recipient computes:
w = s-1
mod q
u1= [H(M)w ]mod q
u2= (rw)mod q
v = [(gu1
yu2
)mod p ]mod q
if v=r then signature is verified
At the receiving end, verification is performed using the formulas shown. The
receiver generates a quantity v that is a function of the public key components, the
sender‟s public key, and the hash of the incoming message. If this quantity matches
the r component of the signature, then the signature is validated. Note that the
difficulty of computing discrete logs is why it is infeasible for an opponent to
recover k from r, or x from s. Note also that nearly all the calculations are mod q,
and hence are much faster save for the last step.
The structure of this function is such that the receiver can recover r using the
incoming message and signature, the public key of the user, and the global public
key. It is certainly not obvious that such a scheme would work
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
DSS Overview
The structure of the algorithm, as revealed here is quite interesting. Note that the test at the
end is on the value r, which does not depend on the message at all. Instead, r is a function
of k and the three global public-key components. The multiplicative inverse of k (mod q) is
passed to a function that also has as inputs the message hash code and the user's private
key. The structure of this function is such that the receiver can recover r using the
incoming message and signature, the public key of the user, and the global public key.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
UNIT II
BLOWFISH ENCRYPTION
Blowfish was designed in the year 1993 by Bruce Schneider [9]. This technique was initiated to
find an alternative for the existing algorithms like DES, AES and triple-DES by increasing the
speed of encryption and decryption operations. The speed of the Blowfish cipher is increased by
performing simple addition and XOR operations. The Blowfish is a fast and efficient symmetric
block cipher because it encrypts the plaintext data on large 32-bit microprocessors at a rate of 26
clock cycles per byte. The Blowfish cipher takes less memory, because it takes less than 5 K of
memory for running encryption and decryption algorithms.
Principle of blowfish
The blowfish is a Feistel network block cipher that encrypts 64-block of plaintext using a variable
length key size of 448 bits. Sense, the length is a variable length; it can be in the range of 32 to 448
bits. But, default key size is 28 bits. The Blowfish cipher is very much suitable for the applications
where keys are not change frequently like password management and web application. The
Blowfish cipher consists of three phases, namely key expansion phase, the user-S secret key is
expanded into several subkey arrays to produce 4168 bytes. The Blowfish encryption algorithm
encrypts the message using the subkey and the Blowfish decryption algorithm decrypts the cipher
text using the same sub key.
Key Expansion
During the key expansion phase, the original key is broken into a set of subkeys, and thereby two
arrays are used. They are P-array and S-box array. The P-array consists of 18 subkeys, where
subkey size is 32 bits. The S-box array contains 256 entries. in the S-box array, each S-box accepts
8 bits as input and produces 32 bits as output. In each round, one entry of the –array is used.
Subsequent to the final round, an XOR operation is performed with each half of the data block. To
generate the subkey, initialize the P-array and S-boxes with the fixed string. After the string
Initialization, first 32 bits of the P-array values are XOR-ed with the key bits. for example, XOR
the first 32 bits of keys with P1 and XOR the second 32 bits of key with P2.this output is denoted
as P1 and P2. Repeat this process for521 times in order to calculate the new subkeys for the P-array
and the four S-boxes. If large number of subkeys need to be generated in the Blowfish cipher, these
subkeys are computed before starting the encryption and decryption operations.
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Encryption and decryption
During the data encryption, a simple function is iterated for 16 times where each round performs a
key-depended permutation a data-depended substitution. All addition operations are performed as
an XOR operation on 32-bits words. The Blowfish encryption splits the given input into two 32-bit
halves. Its 32-bit input is further divided into 48bits, and uses them as input to the S-box. The
outputs XOR-ed and adder using arithmetic modulo to 232
to produce the final 32-bit output. The
basic structure of Blowfish encryption operation is shown in figure5.15. The basic structure of
Blowfish function F is show in figure 5.16. Algorithm5.8 explains about the Blowfish encryption
algorithm. Blowfish decryption operation is exactly same as that of encryption operation except
that P1, P2…..P18 are used in the reverse order.
32 32
8 bits 8 bits 8 bits 8b
32 32
32 32
F function of Blowfish
+ + F
+
+
+
+
+ +
F
F
13 more iterations
Ciphertext
S1-box S2-box S3-box S4-box
+
+
+
Plaintext
CS6660 Cryptography and Network Security Unit III
Department of Information Technology
Blowfish encryption
The Blowfish function can be written as given follows:
F=((S1[8 bits]+S2[8 bits]mod 232
)n S3[8 bits])+S4[8 bits]mod 232
Algorithm
Function Encryption(xL,xR)Comments
For i=1 to 16 // Left side input xL and right side input xR
{ // XOR the value xL with Pi
XL=XL+P1
XR=F(XL)+XR // Swap the two 32 bits
Swap (XL,XR)
}
XR=XR+P17
XL=XL+P18 // Combine the output
Combines (XL,XR)