Module 3.
Approaches to Message Authentication
• A message is authentic when
• It is not altered (genuine)
• It has come from the alleged source
• It has not been artificially delayed and replayed
Two approaches for Message authentication
• Authentication using conventional Encryption
• Message Authentication without Message Encryption
Message Authentication
• When Bob receives a message from Alice, he wants to know
• Whether the message was really sent by Alice (data origin authentication)
• Whether the message has been modified (data integrity)
• Solutions
• Alice attaches a MAC to the message
• Alternatively, she may attach a digital signature to the message
Authentication using conventional Encryption
• Symmetric encryption: only the genuine sender would be able to encrypt a message
• The receiver can recognize a valid message. Furthermore, if the message
includes an error-detection code and a sequence number, the receiver is
assured that no alterations have been made and that sequencing is proper.
• If the message also includes a timestamp, the receiver is assured that the
message has not been delayed beyond that normally expected for
network transit.
• Symmetric encryption alone is not a suitable tool for data authentication.
• To give one simple example, in the ECB mode of encryption, if an
attacker reorders the blocks of ciphertext, then each block will still
decrypt successfully.
Message Authentication without Message Encryption
• An authentication tag is generated and appended to each message for transmission.
• The message itself is not encrypted and can be read at the destination independent
of the authentication function at the destination.
• Message encryption by itself does not provide a secure form of authentication.
• Message authentication is provided as a separate function from message encryption
• It is possible to combine authentication and confidentiality in a single algorithm by
encrypting a message plus its authentication tag.
Message Authentication without Message Encryption
Method 1
• The message must be broadcast in plaintext with an associated message
authentication tag.
• The responsible system performs authentication.
• If a violation occurs, the other destination systems are alerted by a general alarm
• This is a cheaper method
Method 2
• One side (generally the receiver) has a heavy load and cannot afford the time to decrypt all incoming messages.
• Authentication is carried out on a selective basis with messages being chosen at
random for checking.
Message Authentication without Message Encryption
Method 3
• If a message authentication tag were attached to the
program, it could be checked whenever assurance is
required of the integrity of the program
Authentication Functions
• Message Encryption: The ciphertext of the entire message
• Message Authentication Code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
• Hash Function: A function that maps a message of
any length into a fixed-length hash value, which
serves as the authenticator
Message Encryption
Message Authentication code(MAC)
• One authentication technique involves the use of a secret key to generate a small block of data, known as a
message authentication code (MAC), that is appended to the message.
• This technique assumes that two communicating parties, say A and B, share a common secret key $K_{AB}$.
• When A has a message to send to B, it calculates the message authentication code $MAC_M = F(K_{AB}, M)$.
• The message plus code are transmitted to the intended recipient.
• The recipient performs the same calculation on the received message, using the same secret key, to generate a
new message authentication code.
• The received code is compared to the calculated code
• The receiver is assured that the message has not been altered. If an attacker alters the message but does not
alter the code, then the receiver’s calculation of the code will differ from the received code.
• If the message includes a sequence number (such as is used with HDLC and TCP), then the receiver can be
assured of the proper sequence.
MAC
• The domain of the function consists of messages of some arbitrary length, whereas
the range consists of all possible MACs and all possible keys
• For example, suppose that we are using 100-bit messages and a 10-bit MAC.
• Then, there are a total of $2^{100}$ different messages but only $2^{10}$ different MACs.
• So, on average, each MAC value is generated by a total of $2^{100}/2^{10} = 2^{90}$ different messages.
• If a 5-bit key is used, then there are $2^5 = 32$ different mappings from the set of messages to the set of MAC values.
Limitation of MAC
• Establishment of Shared Secret.
• It can provide message authentication among pre-decided
legitimate users who have shared key.
• This requires establishment of shared secret prior to use of MAC.
• Inability to Provide Non-Repudiation
• Non-repudiation is the assurance that a message originator cannot
deny any previously sent messages and commitments or actions.
• MAC technique does not provide a non-repudiation service. If the
sender and receiver get involved in a dispute over message
origination, MACs cannot provide a proof that a message was
indeed sent by the sender.
• Both these limitations can be overcome by using the public key
based digital signatures
Hash Function
• A hash function is a mathematical function that converts a
numerical input value into another compressed numerical
value. The input to the hash function is of arbitrary length but
output is always of fixed length.
• Values returned by a hash function are called message
digest or simply hash values.
One Way Hash Functions
• Like message authentication code, a hash function
accepts a variable-size message M as input and produces
a fixed-size message digest H(M) as output.
• Unlike the MAC, a hash function does not take a secret
key as input.
• To authenticate a message, the message digest is sent
with the message in such a way that the message digest
is authentic.
Popular Hash Functions
• MD5
• MD5 was the most popular and widely used hash function for quite some years.
• The MD family comprises the hash functions MD2, MD4, MD5 and MD6. MD5 is a 128-bit hash function.
• Secure Hash Function (SHA)
• The SHA family comprises four SHA algorithms: SHA-0, SHA-1, SHA-2, and SHA-3.
• The original version, SHA-0, a 160-bit hash function, was published by the National Institute of Standards and Technology (NIST) in 1993. It had a few weaknesses and did not become very popular. Later, in 1995, SHA-1 was designed to correct alleged weaknesses of SHA-0.
• SHA-1 is the most widely used of the existing SHA hash functions. It is employed in several widely used applications and protocols including Secure Socket Layer (SSL) security.
• The SHA-2 family has four further SHA variants, SHA-224, SHA-256, SHA-384, and SHA-512, depending on the number of bits in their hash value.
Popular Hash Functions
• RIPEMD
• The RIPEMD is an acronym for RACE Integrity Primitives
Evaluation Message Digest. This set of hash functions was
designed by open research community and generally known
as a family of European hash functions.
• Original RIPEMD (128 bit) is based upon the design
principles used in MD4
• Whirlpool
• This is a 512-bit hash function.
• Three versions of Whirlpool have been released; namely
WHIRLPOOL-0, WHIRLPOOL-T, and WHIRLPOOL.
Features of Hash Functions
• Fixed Length Output (Hash Value)
• A hash function converts data of arbitrary length to a fixed length. This process is often referred to as hashing the data.
• The hash is much smaller than the input data, hence hash functions are sometimes called compression functions.
• Since a hash is a smaller representation of larger data, it is also referred to as a digest.
• Popular hash functions generate values between 160 and 512
bits.
• Efficiency of Operation
• Generally for any hash function h with input x, computation
of h(x) is a fast operation.
• Computationally hash functions are much faster than a
symmetric encryption.
Properties of Hash Functions
• Pre-Image Resistance
• This property means that it should be computationally hard to reverse a hash
function.
• If a hash function h produced a hash value z, then it should be a difficult process
to find any input value x that hashes to z.
• This property protects against an attacker who only has a hash value and is
trying to find the input.
• Second Pre-Image Resistance
• This property means given an input and its hash, it should be hard to find a
different input with the same hash.
• If a hash function h for an input x produces hash value h(x), then it should be
difficult to find any other input value y such that h(y) = h(x).
• This property of hash function protects against an attacker who has an input
value and its hash, and wants to substitute different value as legitimate value in
place of original input value.
• It is also known as weak collision resistance.
Properties of Hash Functions
• Collision Resistance
• This property means it should be hard to find two different inputs of
any length that result in the same hash. This property is also referred
to as collision free hash function.
• For a hash function h, it is hard to find any two different inputs x and
y such that h(x) = h(y).
• Since a hash function is a compressing function with a fixed hash length, it is impossible for a hash function not to have collisions. The collision-free property only confirms that these collisions should be hard to find.
• This property makes it very difficult for an attacker to find two input
values with the same hash.
• If a hash function is collision-resistant then it is second pre-image
resistant.
Preimage resistant
This measures how difficult it is to devise a message which hashes to the known digest.
Roughly speaking, the hash function must be one-way.
Given only a message digest, can’t find any message
(or preimage) that generates that digest.
Second preimage resistant
This measures how difficult it is to devise a message which hashes to the known digest, given that digest and its message.
Given one message, can’t find another message that has the same message digest. An attack that
finds a second message with the same message digest is a second pre-image attack.
It would be easy to forge new digital signatures from old signatures if the hash function used
weren’t second preimage resistant
Collision Resistant
Can’t find any two different messages with the same message digest
Collision resistance implies second preimage resistance
Collisions, if we could find them, would give signatories a way to repudiate their signatures
Hash function property-Summary
Deterministic
Fast computation
Pre Image Resistance
Avalanche Effect
Collision resistance
Simple hash function
• All hash functions operate using the following
general principles.
• The input (message, file, etc.) is viewed as a
sequence of n-bit blocks.
• The input is processed one block at a time in an
iterative fashion to produce an n-bit hash function.
• The two simple techniques are given.
Simple Hash Function
One of the simplest hash functions is the bit-by-bit XOR operation.
$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
$C_i$ = ith bit of the hash code, $1 \le i \le n$
$m$ = number of n-bit blocks of the input
$b_{ij}$ = ith bit in jth block
Two way Hash function
• A simple way to improve matters is to perform a one-bit circular shift, or rotation, on the hash value after each block is processed.
• The procedure can be summarized as follows:
1. Initially set the n-bit hash value to zero
2. Process each successive n-bit block of data as follows
• Rotate the current hash value to the left by one bit.
• XOR the block into the hash value.
Simple hash function
• bit-by-bit exclusive-OR (XOR) of every block
• $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
• a longitudinal redundancy check
• reasonably effective as data integrity check
• one-bit circular shift on hash value
• for each successive n-bit block
• rotate current hash value to left by 1 bit and XOR block
• good for data integrity but useless for security
• Although the second procedure provides a good measure of data integrity, it is virtually useless for data security when an encrypted hash code is used with a plaintext message.
• Given a message, it is an easy matter to produce a new message that yields that hash code:
Simply prepare the desired alternate message and then append an n-bit block that forces the
combined new message plus block to yield the desired hash code.
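Both simple hash functions and the appended-block weakness described above, as an added example that is not part of the original slides. It assumes n = 8 (one byte per block); the two sample messages are constructed.

```python
def xor_hash(data: bytes) -> int:
    """First technique: C_i = b_i1 xor ... xor b_im over 8-bit blocks."""
    h = 0
    for block in data:
        h ^= block
    return h


def rotl8(x: int) -> int:
    """One-bit circular left shift of an 8-bit value."""
    return ((x << 1) | (x >> 7)) & 0xFF


def rotated_xor_hash(data: bytes) -> int:
    """Second technique: rotate the hash left by one bit, then XOR in the block."""
    h = 0
    for block in data:
        h = rotl8(h) ^ block
    return h


def forcing_block(alternate: bytes, target: int) -> int:
    """The one extra block that makes hash(alternate + block) equal target.

    After `alternate` the state is h; the next step computes rotl8(h) ^ block,
    so block = rotl8(h) ^ target yields exactly `target`.
    """
    return rotl8(rotated_xor_hash(alternate)) ^ target


def with_forcing_block(alternate: bytes, original: bytes) -> bytes:
    """Alternate message extended so that it hashes like `original`."""
    target = rotated_xor_hash(original)
    return alternate + bytes([forcing_block(alternate, target)])


# Constructed sample messages (not from the slides).
ORIGINAL = b"release build 1.0"
ALTERNATE = b"release build 6.6"

if __name__ == "__main__":
    # Plain XOR cannot even detect reordered blocks; the rotation fixes that.
    print(xor_hash(b"AB") == xor_hash(b"BA"))                  # True
    print(rotated_xor_hash(b"AB") == rotated_xor_hash(b"BA"))  # False
    # Neither survives the appended block: same hash, different message.
    extended = with_forcing_block(ALTERNATE, ORIGINAL)
    print(rotated_xor_hash(extended) == rotated_xor_hash(ORIGINAL))  # True
```

The same check against SHA-256 or an HMAC tag fails, because no single block can be solved for algebraically.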
MD5 Overview
1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer (4 x 32-bit words)
Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10
Hash Algorithm Design – MD5
• 16 steps
• X[k] = M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the message
• T[i] = the ith 32-bit word in matrix T, constructed from the sine function
Single step
Secure Hash functions
Requirements of secure hash functions are
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software
implementations practical.
4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or preimage resistant.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as collision resistant. This is sometimes referred to as strong collision resistant. It is resistant against birthday attacks.
SHA-512 Overview
Secure Hash Algorithms (SHAs)
• The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993.
• A revised version was issued in 1995 and is generally referred to as
SHA-1.
• SHA is based on the hash function MD4 and its design closely
models MD4
• Several hash algorithms were designed by Ron Rivest.
• These are referred to as MD2, MD4 and MD5 where MD stands for
message digest.
• MD5 is the strengthened version of MD4 and uses messages of
blocks of 512 bits and creates a 128 bits digest.
Secure Hash Algorithm
• SHA was originally designed by NIST & NSA in 1993
• It was revised in 1995 as SHA-1
• It has the following versions
• SHA-0
• SHA-1
• SHA-224
• SHA-256
• SHA-512
SHA-1
• It works for any input message that is less than $2^{64}$ bits.
• The output of SHA-1 is a message digest of 160 bits in
length.
• This is designed to be computationally infeasible to:
• Obtain the original message, given its message digest.
• Find two messages producing the same message
digest.
How SHA-1 Works?
• Digest Length=160 bit
• Input Text Length=512 bit
• Sub Block size=32bit
• 512/32=16 total Sub blocks
• No. Of Rounds=4
• Iteration per round=20
• Chaining Variable = 5*32=160
• K[t] constant, where t = 0 to 79
• O/P-> four 32 bit blocks
Step 1: Padding: after padding, the length of the message is 64 bits short of a multiple of 512.
Step 2: Append length: a 64-bit value giving the length of the original message is appended.
Step 3: Divide the input into 512-bit blocks
Step 4: Initialise the chaining variable (CV), a 5-word (160-bit) buffer (A,B,C,D,E), to
A=01 23 45 67,
B=89 AB CD EF,
C=FE DC BA 98,
D=76 54 32 10,
E=C3 D2 E1 F0
Step 5: Process blocks. Now the actual algorithm begins; the message is processed in 16-word (512-bit) chunks:
• Copy chaining variables A-E into variables a-e.
• Divide the current 512-bit block into 16 sub-blocks, each consisting of 32 bits.
• No. of rounds = 4, each round consisting of 20 iterations (thus 80 iterations in total)
• Each round takes 3 inputs:
• The 512-bit block
• The register abcde
• The constant K[t], where t = 0 to 79
• Expand 16 words into 80 words (20*4) by mixing and shifting.
Step 6: The output hash value is the final buffer value
SHA-1 Compression Function
(A,B,C,D,E) = ((E + F[t] + S^5(A) + W[t] + K[t]), A, S^30(B), C, D)
SHA-1 Compression Function terms
• First 16 words are 16 subblocks of message.
• (W(0),W(1),...,W(15)) = M[k] /* Divide M[k] into 16 words */
• For t = 16 to 79 do:
W(t) = (W(t-3) XOR W(t-8) XOR W(t-14) XOR W(t-16)) <<< 1
<<<1 means left circular shift by 1 bit
SHA-1 Compression Function terms
• each round has 20 steps which replaces the 5 buffer words thus:
(A,B,C,D,E) <- ((E + f(t,B,C,D) + (A<<5) + W_t + K_t), A, (B<<30), C, D)
• ABCDE refer to the 5 words of the buffer
• t is the step number
• f(t,B,C,D) is the nonlinear function for the round
• W_t is derived from the message block
• K_t is a constant value
• S^t is a circular left shift of a 32-bit sub-block by t bits
Process F(t) in each SHA-1 round
• where g can be expressed as:
ROUND 1: (b AND c) OR ((NOT b) AND (d)), same as MD5
ROUND 2: b XOR c XOR d
ROUND 3: (b AND c) OR (b AND d) OR (c AND d)
ROUND 4: b XOR c XOR d
Creation of 80-word input Wt
• Adds redundancy and interdependence among message
blocks
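Steps 1 to 6, the W(t) expansion, the per-round functions and the single-step update above, put together as an added example that is not part of the original slides. The four K[t] values and the final addition of a-e back into the chaining variable are taken from FIPS 180 and do not appear on the slides; the initial buffer is written as 32-bit words.

```python
import hashlib
import struct

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per round (FIPS 180)


def rotl(x: int, n: int) -> int:
    """Circular left shift S^n of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def round_f(t: int, b: int, c: int, d: int) -> int:
    """Nonlinear function for the round that step t (0..79) belongs to."""
    if t < 20:                                   # round 1
        return (b & c) | (~b & d)
    if 40 <= t < 60:                             # round 3
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d                             # rounds 2 and 4


def sha1(message: bytes) -> str:
    # Steps 1-2: pad with a 1 bit and zeros to 448 mod 512, append 64-bit length.
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", len(message) * 8)
    # Step 4: initial chaining variable A..E as 32-bit words.
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Steps 3 and 5: one 512-bit block at a time.
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):                  # expand 16 words into 80
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                      # 4 rounds x 20 steps
            new_a = (e + round_f(t, b, c, d) + rotl(a, 5) + w[t] + K[t // 20]) & 0xFFFFFFFF
            a, b, c, d, e = new_a, a, rotl(b, 30), c, d
        # Feed-forward: add the step outputs to the previous chaining variable.
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    # Step 6: the digest is the final buffer value (five 32-bit words).
    return "".join(f"{word:08x}" for word in h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    # Constructed inputs chosen to hit the padding boundaries (55 and 56 bytes).
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 200):
        print(len(sample), sha1(sample), matches_hashlib(sample))
```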
SHA-1 versus MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• not vulnerable to any known attacks (compared to
MD4/5)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big-endian CPUs (SUN) vs MD5 for little-endian CPUs (PC)
HMAC
• Hash-based message authentication code (HMAC) provides the server and the client each with a private
key that is known only to that specific server and that specific client.
• The client creates a unique HMAC, or hash, per request to the server by hashing the request data with
the private keys and sending it as part of a request.
• What makes HMAC more secure than Message Authentication Code is that the key and the message are
hashed in separate steps.
• HMAC(key, msg) = H(mod1(key) || H(mod2(key) || msg))
• This ensures the process is not susceptible to extension attacks that add to the message and can cause
elements of the key to be leaked as successive MACs are created.
• Once the server receives the request and regenerates its own unique HMAC, it compares the two HMACs. If they're equal, the client is trusted and the request is executed. This process is often called a secret handshake.
• Ipad value is 00110110
• Opad value is 01011100
HMAC
HMAC Algorithm
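The HMAC formula and the server-side comparison described above, written out with the ipad and opad bytes, as an added example that is not part of the original slides. It assumes SHA-256 as H (64-byte block); the key and request body are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64          # SHA-256 input block size in bytes (assumed H)
IPAD = 0x36              # 00110110
OPAD = 0x5C              # 01011100


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(key, msg) = H((key xor opad) || H((key xor ipad) || msg))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()       # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")         # then zero-padded to one block
    inner_key = bytes(k ^ IPAD for k in key)
    outer_key = bytes(k ^ OPAD for k in key)
    inner = hashlib.sha256(inner_key + msg).digest()
    return hashlib.sha256(outer_key + inner).digest()


def sign_request(key: bytes, body: bytes) -> str:
    """Client side: tag sent along with the request body."""
    return hmac_sha256(key, body).hex()


def verify_request(key: bytes, body: bytes, tag_hex: str) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    try:
        received = bytes.fromhex(tag_hex)
    except ValueError:
        return False                             # malformed tag is rejected
    return hmac.compare_digest(hmac_sha256(key, body), received)


# Constructed sample values (not from the slides).
SHARED_KEY = b"constructed-demo-key"
BODY = b'{"action": "status", "seq": 41}'

if __name__ == "__main__":
    tag = sign_request(SHARED_KEY, BODY)
    # Same result as the standard library's HMAC.
    print(tag == hmac.new(SHARED_KEY, BODY, hashlib.sha256).hexdigest())
    print(verify_request(SHARED_KEY, BODY, tag))                           # True
    print(verify_request(SHARED_KEY, BODY.replace(b"41", b"42"), tag))     # False
```

The `seq` field in the sample body stands in for the sequence number the slides mention; the tag covers it, so a changed or stale value fails verification only if the server also tracks the expected sequence.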
• Does message encryption by itself provide a secure form of authentication? Justify.
• Differentiate between encryption and hashing.