
Information Security

1

UNIT – 3

Cryptographic Hash Functions: Applications of Cryptographic Hash functions, Requirements

and security, Hash functions based on Cipher Block Chaining, Secure Hash Algorithm (SHA)

Message Authentication Codes: Message Authentication Requirements, Message Authentication

Functions, Requirements for Message Authentication Codes, Security of MACs, HMAC, MACs

based on Block Ciphers, Authenticated Encryption

Digital Signatures – RSA with SHA & DSS

Cryptographic Hash Functions

Hash functions are extremely useful and appear in almost all information security applications. A hash function is a mathematical function that converts a numerical input value into another, compressed numerical value. The input to the hash function is of arbitrary length, but the output is always of fixed length.

Values returned by a hash function are called the message digest or simply hash values. The following figure illustrates a hash function.

Features of Hash Functions

The typical features of hash functions are:

Fixed Length Output (Hash Value)

A hash function converts data of arbitrary length to a fixed length. This process is often referred to as hashing the data. In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions. Since a hash is a smaller representation of a larger piece of data, it is also referred to as a digest. A hash function with an n-bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits.

Efficiency of Operation

Generally, for any hash function h with input x, computation of h(x) is a fast operation. Computationally, hash functions are much faster than symmetric encryption.


APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS:

There are two direct applications of hash functions based on their cryptographic properties.

1. Password Storage

Hash functions provide protection for password storage. Instead of storing passwords in the clear, almost all logon processes store the hash values of the passwords in the file. The password file consists of a table of pairs of the form (user id, h(P)). The process of logon is depicted in the following illustration.

An intruder can only see the hashes of the passwords, even if he gains access to the password file. He can neither log on using a hash nor derive the password from the hash value, since the hash function possesses the property of pre-image resistance.

2. Data Integrity Check

The data integrity check is the most common application of hash functions. It is used to generate checksums on data files. This application provides assurance to the user about the correctness of the data. The process is depicted in the following illustration.

The integrity check helps the user to detect any changes made to the original file. It does not, however, provide any assurance about originality. The attacker, instead of modifying the file data, can replace the entire file, compute an altogether new hash and send it to the receiver. This integrity check application is useful only if the user is sure about the originality of the file.

REQUIREMENTS & SECURITY:

Requirements for a hash function:

The purpose of a hash function is to produce a "fingerprint" of a file, message or other block of data. To be useful for message authentication, a hash function H must have the following properties:

1. H can be applied to a block of data of any size.

2. H produces a fixed-length output.

3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.

4. One-way property: for any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.

5. Weak collision resistance: for any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). This is referred to as weak collision resistance.

6. Strong collision resistance: it is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is referred to as strong collision resistance.

Security of Hash Functions:

In order to be an effective cryptographic tool, a hash function should possess the following properties.

Pre-Image Resistance

o This property means that it should be computationally hard to reverse a hash function.

o In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z.

o This property protects against an attacker who only has a hash value and is trying to find the input.

Second Pre-Image Resistance

o This property means that, given an input and its hash, it should be hard to find a different input with the same hash.

o In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x).

o This property protects against an attacker who has an input value and its hash, and wants to substitute a different value as the legitimate value in place of the original input value.

Collision Resistance

o This property means it should be hard to find two different inputs of any length that result in the same hash. A hash function with this property is also referred to as a collision-free hash function.

o In other words, for a hash function h, it is hard to find any two different inputs x and y such that h(x) = h(y).

o Since a hash function is a compressing function with a fixed hash length, it is impossible for a hash function not to have collisions. The collision-free property only says that these collisions should be hard to find.

o This property makes it very difficult for an attacker to find two input values with the same hash.

o Also, if a hash function is collision-resistant then it is second pre-image resistant.

HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING

A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without using the secret key. One of the first such proposals was that of Rabin [RABI78]. Divide a message M into fixed-size blocks M_1, M_2, ..., M_N and use a symmetric encryption system such as DES to compute the hash code G as

This is similar to the CBC technique, but in this case there is no secret key. As with any hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is DES and only a 64-bit hash code is produced, then the system is vulnerable.

Furthermore, another version of the birthday attack can be used even if the opponent has access to only one message and its valid signature and cannot obtain multiple signings. Here is the scenario: we assume that the opponent intercepts a message with a signature in the form of an encrypted hash code and that the unencrypted hash code is m bits long.

Use the algorithm defined at the beginning of this subsection to calculate the unencrypted hash code G.

Construct any desired message in the form Q_1, Q_2, ..., Q_{N-2}.

Compute H_i = E(Q_i, H_{i-1}) for 1 ≤ i ≤ (N - 2).

Generate 2^(m/2) random blocks; for each block X, compute E(X, H_{N-2}). Generate an additional 2^(m/2) random blocks; for each block Y, compute D(Y, G), where D is the decryption function corresponding to E.

Based on the birthday paradox, with high probability there will be an X and Y such that E(X, H_{N-2}) = D(Y, G).

Form the message Q_1, Q_2, ..., Q_{N-2}, X, Y. This message has the hash code G and therefore can be used with the intercepted encrypted signature.

This form of attack is known as a meet-in-the-middle attack. A number of researchers have proposed refinements intended to strengthen the basic block chaining approach. For example, Davies and Price [DAVI89] describe the variation:

However, both of these schemes have been shown to be vulnerable to a variety of attacks [MIYA90]. More generally, it can be shown that some form of birthday attack will succeed against any hash scheme involving the use of cipher block chaining without a secret key, provided that either the resulting hash code is small enough (e.g., 64 bits or less) or that a larger hash code can be decomposed into independent subcodes.

SECURE HASH ALGORITHM

Introduction:

The Secure Hash Algorithm is a family of cryptographic hash functions developed by NIST (National Institute of Standards & Technology).

SHA is based on the MD4 algorithm and its design closely models MD5.

SHA-1 is specified in RFC 3174.

Purpose: authentication, not encryption.

SHA-1 logic:

o The algorithm takes a message with a maximum length of less than 2^64 bits.

o The output produced is a 160-bit message digest.

o The input is processed in 512-bit blocks.

Algorithm processing steps:

Step 1: Append Padding Bits

Step 2: Append Length

Step 3: Initialize MD Buffer

Step 4: Process Message in 512-bit (16-Word) Blocks

Step 5: Output

Step 1: Append padding bits.

The original message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. The padding rules are:

The original message is always padded with one bit "1" first.

Then zero or more bits "0" are appended to bring the length of the message up to 64 bits fewer than a multiple of 512.

Step 2: Append length:

A block of 64 bits is appended to the message. This block is treated as an unsigned 64-bit integer (most significant byte first) and contains the length of the original message.

Step 3: Initialize MD buffer:

A 160-bit buffer is used to hold intermediate and final results of the hash function. This buffer can be represented as five 32-bit registers (A, B, C, D, E). The registers are initialized to the following 32-bit integers:

Word A is initialized to: 0x67452301.

Word B is initialized to: 0xEFCDAB89.

Word C is initialized to: 0x98BADCFE.

Word D is initialized to: 0x10325476.

Word E is initialized to: 0xC3D2E1F0.

Step 4: Process message in 512-bit blocks:

This algorithm consists of 4 rounds of 20 steps each. The four rounds have similar structures, but each uses a different primitive logical function, which we refer to as f1, f2, f3 and f4. Each round takes as input the current 512-bit block being processed (Y_q) and the 160-bit buffer value ABCDE, and updates the contents of the buffer. Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 steps across the four rounds.

The output of the 4th round is added to the input of the 1st round (CV_q) to produce CV_{q+1}.


Step 5: Output:

After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.

The behavior of SHA-1 can be summarized as:

CV_0 = IV

CV_{q+1} = SUM32(CV_q, ABCDE_q)

MD = CV_L

where

IV = initial value of the ABCDE buffer, defined in Step 3

ABCDE_q = output of the last round of the qth message block

L = number of blocks (512 bits each) in the message

SUM32 = addition modulo 2^32

MD = final message digest value.


SHA-1 Compression Function:

The logic in each of the 80 steps of the processing of one 512-bit block is of the form (Figure 12.6):

o A, B, C, D, E ← (E + f(t, B, C, D) + S^5(A) + W_t + K_t), A, S^30(B), C, D

where

o A, B, C, D, E = the five words of the buffer

o t = step number; 0 ≤ t ≤ 79

o f(t, B, C, D) = primitive logical function for step t

o S^k = circular left shift (rotation) of the 32-bit argument by k bits

o W_t = a 32-bit word derived from the current 512-bit input block

o K_t = an additive constant; four distinct values are used, as defined previously

o + = addition modulo 2^32
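A pure-Python SHA-1 following Steps 1 to 5 and the step equation above, added here as a worked example (not code from the notes). It fills in the two things the notes reference but do not list, the four K_t constants and the W_t message schedule, with the standard SHA-1 values from RFC 3174, and cross-checks itself against hashlib.

```python
import hashlib
import struct

# The four additive constants K_t (one per round of 20 steps) and the Step 3
# initial buffer values. Both are the standard SHA-1 values from RFC 3174.
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF


def rotl(x: int, k: int) -> int:
    """S^k: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK32


def f_t(t: int, b: int, c: int, d: int) -> int:
    """Primitive logical function for step t: f1..f4, one per round."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK32      # f1: choose
    if t < 40:
        return b ^ c ^ d                          # f2: parity
    if t < 60:
        return (b & c) | (b & d) | (c & d)        # f3: majority
    return b ^ c ^ d                              # f4: parity


def pad(message: bytes) -> bytes:
    """Steps 1 and 2: a single 1 bit, zeros up to 448 mod 512 bits, then the
    64-bit big-endian length of the original message in bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def compress(cv: tuple, block: bytes) -> tuple:
    """Step 4: 80 steps over one 512-bit block, then SUM32 with CV_q."""
    # Message schedule: W_0..W_15 are the block's 16 words; W_16..W_79 are
    # derived by XOR and a one-bit rotation (standard SHA-1 schedule).
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):
        # A,B,C,D,E <- (E + f(t,B,C,D) + S^5(A) + W_t + K_t), A, S^30(B), C, D
        temp = (e + f_t(t, b, c, d) + rotl(a, 5) + w[t] + K[t // 20]) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    # CV_{q+1} = SUM32(CV_q, ABCDE_q): word-wise addition modulo 2^32
    return tuple((x + y) & MASK32 for x, y in zip(cv, (a, b, c, d, e)))


def sha1(message: bytes) -> str:
    """Step 5: chain the compression function over all L blocks; MD = CV_L."""
    cv = IV
    data = pad(message)
    for i in range(0, len(data), 64):
        cv = compress(cv, data[i:i + 64])
    return "".join(f"{word:08x}" for word in cv)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"))  # a9993e364706816aba3e25717850c26c9cd0d89d
```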

Message Authentication Codes

MESSAGE AUTHENTICATION

Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered. Message authentication may also verify sequencing and timeliness. It is intended to counter attacks such as content modification, sequence modification, timing modification and repudiation. To counter repudiation, the concept of digital signatures is used. The different types of functions that may be used to produce an authenticator fall into three classes:

1. Message encryption: the ciphertext serves as the authenticator.

2. Message authentication code (MAC): a public function of the message and a secret key producing a fixed-length value that serves as the authenticator. This does not provide a digital signature because A and B share the same key.

3. Hash function: a public function mapping an arbitrary-length message into a fixed-length hash value that serves as the authenticator. This does not provide a digital signature because there is no key.

MESSAGE ENCRYPTION:

Message encryption by itself can provide a measure of authentication. The analysis differs for conventional and public-key encryption schemes. The message must have come from the sender, because the ciphertext can be decrypted using his (secret or public) key. Also, none of the bits in the message have been altered, because an opponent does not know how to manipulate the bits of the ciphertext to induce meaningful changes to the plaintext.

Often one needs authentication schemes other than just encrypting the message. Sometimes one needs to avoid encryption of full messages due to legal requirements. Encryption and authentication may be separated in the system architecture.

The different ways in which message encryption can provide authentication and confidentiality, for both symmetric and asymmetric encryption techniques, are explained in the table below:

MESSAGE AUTHENTICATION CODE

An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, which is appended to the message. This technique assumes that both communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function C of the key and the message:

MAC = C_K(M)

The message and the MAC are transmitted to the intended recipient, who upon receiving them performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated MAC, and only if they match:

The receiver is assured that the message has not been altered: had any alteration been made, the MACs would not match.

The receiver is assured that the message is from the alleged sender: no one except the sender has the secret key and could prepare a message with a proper MAC.

If the message includes a sequence number, then the receiver is assured of proper sequence, as an attacker cannot successfully alter the sequence number.

Basic uses of the Message Authentication Code (MAC) are shown in the figure:


There are three different situations where use of a MAC is desirable:

If a message is broadcast to several destinations in a network (such as a military control center), then it is cheaper and more reliable to have just one node responsible for evaluating the authenticity; the message is sent in plaintext with an attached authenticator.

If one side has a heavy load, it cannot afford to decrypt all messages; it will just check the authenticity of some randomly selected messages.

Authentication of computer programs in plaintext is a very attractive service, as they need not be decrypted every time, which wastes processor resources. The integrity of the program can always be checked by the MAC.

MESSAGE AUTHENTICATION CODE BASED ON DES

The Data Authentication Algorithm, based on DES, has been one of the most widely used MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and an ANSI standard (X9.17). But security weaknesses in this algorithm have been discovered, and it is being replaced by newer and stronger algorithms. The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES, shown below, with an initialization vector of zero.

The data (e.g., message, record, file, or program) to be authenticated are grouped into contiguous 64-bit blocks: D_1, D_2, ..., D_N. If necessary, the final block is padded on the right with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and a secret key, K, a data authentication code (DAC) is calculated as follows:

The DAC consists of either the entire block O_N or the leftmost M bits of the block, with 16 ≤ M ≤ 64. Use of a MAC needs a shared secret key between the communicating parties, and a MAC does not provide a digital signature. The following table summarizes the confidentiality and authentication implications of the approaches shown above.

HASH FUNCTION

A variation on the message authentication code is the one-way hash function. As with the message authentication code, the hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M), sometimes called a message digest, as output. The hash code is a function of all bits of the message and provides an error-detection capability: a change to any bit or bits in the message results in a change to the hash code. A variety of ways in which a hash code can be used to provide message authentication is shown below and explained stepwise in the table.

MESSAGE AUTHENTICATION REQUIREMENTS

Message authentication is intended to counter the following attacks on communication across a network:

Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.

Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.

Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or non-receipt by someone other than the message recipient.

Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.

Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.

Source repudiation: Denial of transmission of a message by the source.

Destination repudiation: Denial of receipt of a message by the destination.


MESSAGE AUTHENTICATION FUNCTIONS

Message authentication:

A mechanism or service used to verify the integrity of a message.

Assures that the data received are exactly as sent (i.e., contain no modification, insertion, deletion or replay).

Assures that the identity of the sender is valid.

When a hash function is used to provide message authentication, the hash function value is often referred to as a message digest.

An authentication function has two levels of functionality:

Lower level: produces an authenticator, a value used to authenticate a message.

Higher level: enables a receiver to verify the authenticity of a message.

SECURITY OF MACs

As with encryption algorithms and hash functions, we can group attacks on MACs into two categories: brute-force attacks and cryptanalysis.

Brute-Force Attacks

A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a hash function because it requires known message-tag pairs. Let us see why this is so. To attack a hash code, we can proceed in the following way. Given a fixed message x with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do this repeatedly off line. Whether an off-line attack can be used on a MAC algorithm depends on the relative size of the key and the tag.

To proceed, we need to state the desired security property of a MAC algorithm, which can be expressed as follows.

Computation resistance: Given one or more text-MAC pairs [x_i, MAC(K, x_i)], it is computationally infeasible to compute any text-MAC pair [x, MAC(K, x)] for any new input x ≠ x_i.

In other words, the attacker would like to come up with the valid MAC code for a given message x. There are two lines of attack possible: attack the key space and attack the MAC value. We examine each of these in turn.

If an attacker can determine the MAC key, then it is possible to generate a valid MAC value for any input x. Suppose the key size is k bits and that the attacker has one known text-tag pair. Then the attacker can compute the n-bit tag on the known text for all possible keys. At least one key is guaranteed to produce the correct tag, namely, the valid key that was initially used to produce the known text-tag pair. This phase of the attack takes a level of effort proportional to 2^k (that is, one operation for each of the 2^k possible key values). However, as was described earlier, because the MAC is a many-to-one mapping, there may be other keys that produce the correct value. Thus, if more than one key is found to produce the correct value, additional text-tag pairs must be tested. It can be shown that the level of effort drops off rapidly with each additional text-MAC pair and that the overall level of effort is roughly 2^k [MENE97].

An attacker can also work on the tag without attempting to recover the key. Here, the objective is to generate a valid tag for a given message or to find a message that matches a given tag. In either case, the level of effort is comparable to that for attacking the one-way or weak collision-resistant property of a hash code, or 2^n. In the case of the MAC, the attack cannot be conducted off line without further input; the attacker will require chosen text-tag pairs or knowledge of the key.

Cryptanalysis

As with encryption algorithms and hash functions, cryptanalytic attacks on MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. The way to measure the resistance of a MAC algorithm to cryptanalysis is to compare its strength to the effort required for a brute-force attack. That is, an ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort.

HMAC

HMAC (Hash-based Message Authentication Code) is a type of message authentication code (MAC) that is obtained by running a cryptographic hash function over the data to be authenticated together with a secret shared key. Like any MAC, it is used for both data integrity and authentication. Checking data integrity is necessary for the parties involved in communication. HTTPS, SFTP, FTPS, and other transfer protocols use HMAC. The cryptographic hash function may be MD5, SHA-1, or SHA-256. Digital signatures are nearly similar to HMACs, i.e., they both employ a hash function and a shared key. The difference lies in the keys: HMACs use a symmetric key (the same copy on both sides), while signatures use asymmetric keys (two different keys).

History

Processes and decisions pertinent to business are greatly dependent on integrity. If attackers tamper with this data, it may affect the processes and business decisions. So while working online over the internet, care must be taken to ensure integrity, or at least to know if the data has been changed. That is when HMAC comes into use.

Applications

Verification of an e-mail address during activation or creation of an account.

Authentication of form data that is sent to the client browser and then submitted back.

HMACs can be used for the Internet of Things (IoT) due to their low cost.

Whenever there is a need to reset a password, a link that can be used once is sent without adding server state.

It can take a message of any length and convert it into a fixed-length message digest. That is, even if you have a long message, the message digest will be small and thus permits maximizing bandwidth.

Working of HMAC

HMACs provide the client and server with a shared private key that is known only to them. The client makes a unique hash (HMAC) for every request. When the client sends a request to the server, it hashes the request data with the private key and sends the result as part of the request. Both the message and the key are hashed in separate steps, making it secure. When the server receives the request, it computes its own HMAC. Both HMACs are compared, and if they are equal, the client is considered legitimate.

Formula for HMAC:

HMAC = hashFunc(secret key + message)

There are three types of authentication functions: message encryption, message authentication code, and hash functions. The major difference between a MAC and a hash (HMAC here) is the dependence on a key. In HMAC we have to apply the hash function along with a key to the plaintext. The hash function will be applied to the plaintext message, but before applying it we have to compute S bits, concatenate them with the plaintext, and then apply the hash function. For generating those S bits we make use of a key that is shared between the sender and receiver.

Using key K (0 < K < b), K+ is generated by padding 0's on the left side of key K until the length becomes b bits. The reason it is not padded on the right is the change (increase) in the length of the key. The length is b bits because b is the block size of the plaintext. There are two predefined padding constants called ipad and opad. All this is done before applying the hash function to the plaintext message.

ipad - 00110110

opad - 01011100

Now we have to calculate the S bits.

K+ is XORed with ipad and the result is S1, which is b bits since both K+ and ipad are b bits. We have to concatenate S1 with the plaintext message. Let P be the plaintext message. S1, P0, P1, ..., Pm are each b bits; m is the number of plaintext blocks, P0 is the first plaintext block and b is the plaintext block size. After placing S1 before the plaintext we apply the hash algorithm (any variant). Simultaneously we have to apply an initialisation vector (IV), which is a buffer of size n bits. The result produced is therefore an n-bit hash code, i.e., H(S1 || M).

Similarly, the n bits are padded to b bits, and K+ is XORed with opad, producing output S2. S2 is placed before the b bits and once again the hash function is applied with the IV to the block. This results in an n-bit hash code, which is H(S2 || H(S1 || M)).
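The two-pass construction H(S2 || H(S1 || M)) implemented over SHA-256, added here as a worked example (not code from the notes). It follows RFC 2104, which pads the key with zeros on the right (appended to the end of the key) up to the block size b and hashes keys longer than b first, and it cross-checks the result against Python's hmac module. It also revisits the integrity-check discussion above: someone who replaces a whole file can recompute a plain digest, but cannot produce the keyed tag.

```python
import hashlib
import hmac as stdlib_hmac

IPAD = 0x36  # 00110110, repeated to fill b bytes
OPAD = 0x5C  # 01011100, repeated to fill b bytes


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC = H((K+ xor opad) || H((K+ xor ipad) || M)) with H = SHA-256."""
    b = hashlib.sha256().block_size          # 64 bytes: the block size of SHA-256
    if len(key) > b:                         # RFC 2104: keys longer than b are hashed first
        key = hashlib.sha256(key).digest()
    k_plus = key + b"\x00" * (b - len(key))  # K+: key zero-padded (on the right) to b bytes
    s1 = bytes(k ^ IPAD for k in k_plus)     # S1 = K+ xor ipad
    s2 = bytes(k ^ OPAD for k in k_plus)     # S2 = K+ xor opad
    inner = hashlib.sha256(s1 + message).digest()   # H(S1 || M), n = 256 bits
    return hashlib.sha256(s2 + inner).digest()      # H(S2 || H(S1 || M))


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time, so the
    comparison does not leak how many leading bytes of a guessed tag were right."""
    return stdlib_hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library HMAC."""
    expected = stdlib_hmac.new(key, message, hashlib.sha256).digest()
    return hmac_sha256(key, message) == expected


def integrity_versus_authenticity(key: bytes, original: bytes, replacement: bytes):
    """Constructed scenario from the data-integrity-check discussion: the sender
    publishes a file with a plain digest and, separately, with an HMAC tag.
    Someone without the key swaps in a different file. They can recompute the
    digest for the new file, so the plain check passes; the only tag they hold
    is the original one, so the keyed check fails. Returns (digest_ok, mac_ok)."""
    recomputed_digest = hashlib.sha256(replacement).digest()   # made by the replacer
    digest_ok = hashlib.sha256(replacement).digest() == recomputed_digest
    original_tag = hmac_sha256(key, original)                  # all the replacer has
    mac_ok = verify(key, replacement, original_tag)
    return digest_ok, mac_ok


if __name__ == "__main__":
    print(hmac_sha256(b"key", b"The quick brown fox jumps over the lazy dog").hex())
    print(integrity_versus_authenticity(b"secret", b"pay 10", b"pay 99"))
```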

Advantages

1. HMACs are ideal for high-performance systems like routers due to the use of hash functions, which are calculated and verified quickly, unlike public key systems.

2. Digital signatures are larger than HMACs, yet HMACs provide comparable security.

3. HMACs are used in administrations where public key systems are prohibited.

Disadvantages

HMACs use a shared key, which raises a non-repudiation problem. If either the sender's or the receiver's key is compromised, then it will be easy for attackers to create unauthorized messages.

MACs BASED ON BLOCK CIPHERS: DAA & CMAC

We begin with an older algorithm, the Data Authentication Algorithm (DAA), which is now obsolete. Then we examine CMAC, which is designed to overcome the deficiencies of DAA.

Data Authentication Algorithm

The Data Authentication Algorithm (DAA), based on DES, has been one of the most widely used MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and an ANSI standard (X9.17). However, as we discuss subsequently, security weaknesses in this algorithm have been discovered, and it is being replaced by newer and stronger algorithms.

The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES (Figure 6.4) with an initialization vector of zero. The data (e.g., message, record, file, or program) to be authenticated are grouped into contiguous 64-bit blocks: D_1, D_2, ..., D_N. If necessary, the final block is padded on the right with zeroes to form a full 64-bit block. Using the DES encryption algorithm E and a secret key K, a data authentication code (DAC) is calculated as follows (Figure 12.7).

The DAC consists of either the entire block O_N or the leftmost M bits of the block, with 16 ≤ M ≤ 64.

Cipher-Based Message Authentication Code (CMAC)

As was mentioned, DAA has been widely adopted in government and industry.

[BELL00] demonstrated that this MAC is secure under a reasonable set of security

criteria, with the following restriction. Only messages of one fixed length of mn bits

are processed, where n is the cipher block size and m is a fixed positive integer. As a simple example,

notice that given the CBC MAC of a one-block message X, say T = MAC(K, X), the adversary

immediately knows the CBC MAC for the two- block message X || (X { T) since this is once again T.

Black and Rogaway [BLAC00] demonstrated that this limitation could be overcome using

three keys: one key of length K to be used at each step of the cipher block chaining and two keys of

length n, where k is the key length and n is the cipher block length. This proposed

construction was refined by Iwata and Kurosawa so that the two n-bit keys could be derived

from the encryption key, rather than being provided separately [IWAT03]. This refinement,

adopted by NIST, is the Cipher-based Message Authentication Code (CMAC) mode of oper- ation for

use with AES and triple DES. It is specified in NIST Special Publication 800-38B.

First, let us define the operation of CMAC when the message is an integer multiple n of the cipher block length b. For AES, b = 128, and for triple DES, b = 64. The message is divided into n blocks (M1, M2, ..., Mn). The algorithm makes use of a k-bit encryption key K and an n-bit constant, K1. For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. CMAC is calculated as follows (Figure 12.8).


If the message is not an integer multiple of the cipher block length, then the final block is padded to the right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also of length b. The CMAC operation then proceeds as before, except that a different n-bit key K2 is used instead of K1.

The two n-bit keys are derived from the k-bit encryption key as follows.

where multiplication (·) is done in the finite field GF(2^n) and x and x^2 are first- and second-order polynomials that are elements of GF(2^n). Thus, the binary representation of x consists of n - 2 zeros followed by 10; the binary representation of x^2 consists of n - 3 zeros followed by 100. The finite field is defined with respect to an irreducible polynomial that is lexicographically first among all such polynomials with the minimum possible number of nonzero terms. For the two approved block sizes, the polynomials are x^64 + x^4 + x^3 + x + 1 and x^128 + x^7 + x^2 + x + 1.


To generate K1 and K2, the block cipher is applied to the block that consists entirely of 0 bits. The first subkey is derived from the resulting ciphertext by a left shift of one bit and, conditionally, by XORing a constant that depends on the block size. The second subkey is derived in the same manner from the first subkey. This property of finite fields of the form GF(2^n).

AUTHENTICATED ENCRYPTION

By far the oldest and perhaps also the best-known goal of cryptographic methods is the protection of secrecy, or confidentiality, of data. This goal is achieved by employing encryption techniques. Decryption can only be performed by someone possessing the right decryption key.

Of far greater relevance in most commercial applications is the protection of the correctness, or authenticity, of data. This goal is achieved by means of digital signatures or message authentication codes (MACs). Both digital signatures and MACs compute a tag, which can be seen as a kind of checksum computed over the message using a secret key. Without the secret key, it is not possible to compute a valid tag; hence all modifications applied to the data after the computation of the tag can be detected easily.

Separation of the concepts of confidentiality and authenticity is relatively new. Historically, cryptographers believed that by using a strong encryption algorithm, they could ensure the authenticity of data as well. And indeed, when we are talking about human-readable messages, this assumption is justified. However, in the case of digital input data, both theory and practice have shown that the two goals are quite different.

Hence, next to encryption algorithms, cryptographers developed authentication algorithms. For example, the CBC-MAC algorithm operates by 'encrypting' the message with a block cipher in the Cipher Block Chaining (CBC) mode of operation, and then outputs the last block of ciphertext (possibly truncated) as the tag. There are many variants on this scheme, most of them attempting to solve the problems that arise when a legacy block cipher like DES is used as the underlying block cipher. When using AES, even the simplest CBC-MAC construction is secure.

When the length of the message to be protected is relatively large compared to the block length of the block cipher, the performance of the authentication step can be improved by using alternative constructions. Most widely used is HMAC, which produces a tag by hashing a message and a key together, operating at the speed of the underlying hash algorithm (e.g. SHA-256).

For applications that need to protect both confidentiality and authenticity, the most straightforward approach is to process the input twice: once to encrypt the data and once to compute the authentication tag. This is called making two passes over the data. Recently, this approach has lost its appeal, for several reasons. The first observation that can be made is that there seems to be room for performance optimizations. Implementations may use the CBC mode of operation both for encryption and authentication, and it may appear a bit odd to run essentially the same process twice, each time with a different key. Secondly, and more importantly, there is the issue of ordering. Should we first encrypt the message and subsequently authenticate the ciphertext, or should we authenticate the message and subsequently encrypt both message and tag, or should we apply both in parallel on the message? Thirdly, can we use any encryption algorithm together with any authentication algorithm, or should we worry about mutual side-effects?


In order to solve these matters, cryptographers have been looking with increased interest at a different approach: the use of authenticated encryption modes. Here, a block cipher is used in a special mode of operation which simultaneously provides confidentiality and authentication. The most efficient authenticated encryption modes provide authentication at a negligible additional cost compared to encryption only. These modes all appear to be patented or patent-pending. The second class of authenticated encryption modes offers no performance advantages compared to separate encryption and authentication passes, but still solves the ordering issue and avoids worrying about side-effects.

Digital Signatures

Digital signatures are the public-key primitives of message authentication. In the physical world, it is common to use handwritten signatures on handwritten or typed messages. They are used to bind the signatory to the message. Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by the receiver as well as any third party.

A digital signature is a cryptographic value that is calculated from the data and a secret key known only to the signer. In the real world, the receiver of a message needs assurance that the message belongs to the sender and that the sender should not be able to repudiate the origination of that message. This requirement is very crucial in business applications, since the likelihood of a dispute over exchanged data is very high.

Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of the digital signature scheme is depicted in the following illustration.

The following points explain the entire process in detail:

Each person adopting this scheme has a public-private key pair.

Generally, the key pairs used for encryption/decryption and signing/verifying are different. The private key used for signing is referred to as the signature key and the public key as the verification key.

The signer feeds data to the hash function and generates a hash of the data.

The hash value and signature key are then fed to the signature algorithm, which produces the digital signature on the given hash. The signature is appended to the data and then both are sent to the verifier.


The verifier feeds the digital signature and the verification key into the verification algorithm. The verification algorithm gives some value as output.

The verifier also runs the same hash function on the received data to generate a hash value.

For verification, this hash value and the output of the verification algorithm are compared. Based on the comparison result, the verifier decides whether the digital signature is valid.

Since the digital signature is created by the 'private' key of the signer and no one else can have this key, the signer cannot repudiate signing the data in future.

Digital Signature Requirements

1. The signature must be a bit pattern that depends on the message being signed.

2. The signature must use some information unique to the sender to prevent both forgery and denial.

3. It must be relatively easy to produce the digital signature.

4. It must be relatively easy to recognize and verify the digital signature.

5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.

6. It must be practical to retain a copy of the digital signature in storage.

Approaches for Digital Signature:

Direct Digital Signature

Arbitrated Digital Signature

Direct Digital Signature:

The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination).

The validity of the scheme depends on the security of the sender's private key.

A sender may later wish to deny sending a particular message by claiming that the private key was lost or stolen, or for some other reason.

There is also the chance that the private key of a sender is actually stolen at some time T.

Arbitrated Digital Signature:

In this approach, every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y.

This is an indication that the message has been verified to the satisfaction of the arbiter.

By this process, the problem of the direct digital signature is solved.

Sender X, Arbiter A, Receiver Y:

X constructs the message M and computes the hash value H(M); X then transmits "M + Digital Signature" to A.

The signature consists of the identity ID_X of X and the hash value, all encrypted using K_XA (the shared key between sender X and arbiter A).

A decrypts the signature and checks the hash value to validate the message. A then transmits it to Y, encrypted with K_AY (the shared key between arbiter A and receiver Y); the message includes ID_X, M and a timestamp T.

Y decrypts it using K_AY.

X -> A: M || E_KXA[ID_X || H(M)]

A -> Y: E_KAY[ID_X || M || E_KXA[ID_X || H(M)] || T]


DIGITAL SIGNATURE STANDARD

The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) described in Chapter 12 and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in 1996. In 2000, an expanded version of the standard was issued as FIPS 186-2, subsequently updated to FIPS 186-3 in 2009. This latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography. In this section, we discuss the original DSS algorithm.

The DSS Approach

The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.

Figure 13.3 contrasts the DSS approach for generating digital signatures to that used with RSA. In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length. This hash code is then encrypted using the sender's private key to form the signature. Both the message and the signature are then transmitted. The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender's public key. If the calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only the sender knows the private key, only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUG). The result is a signature consisting of two components, labeled s and r.


At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The verification function also depends on the global public key as well as the sender's public key (PUa), which is paired with the sender's private key. The output of the verification function is a value that is equal to the signature component r if the signature is valid. The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.

The Digital Signature Algorithm

The DSA is based on the difficulty of computing discrete logarithms (see Chapter 8) and on schemes originally presented by ElGamal [ELGA85] and Schnorr [SCHN91].

Figure 13.4 summarizes the algorithm. There are three parameters that are public and can be common to a group of users. A 160-bit prime number q is chosen. Next, a prime number p is selected with a length between 512 and 1024 bits such that q divides (p - 1). Finally, g is chosen to be of the form h^((p - 1)/q) mod p, where h is an integer between 1 and (p - 1) with the restriction that g must be greater than 1. Thus, the global public-key components of DSA have the same form as in the Schnorr signature scheme.

With these numbers in hand, each user selects a private key and generates a public key. The private key x must be a number from 1 to (q - 1) and should be chosen randomly or pseudorandomly. The public key is calculated from the private key as y = g^x mod p. The calculation of y given x is relatively straightforward. However, given the public key y, it is believed to be computationally infeasible to determine x, which is the discrete logarithm of y to the base g, mod p.


To create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p, q, g), the user's private key (x), the hash code of the message H(M), and an additional integer k that should be generated randomly or pseudo-randomly and be unique for each signing. At the receiving end, verification is performed using the formulas shown in Figure 13.4. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and the hash code of the incoming message. If this quantity matches the r component of the signature, then the signature is validated.

Figure 13.5 depicts the functions of signing and verifying. The structure of the algorithm, as revealed in Figure 13.5, is quite interesting. Note that the test at the end is on the value r, which does not depend on the message at all. Instead, r is a function of k and the three global public-key components. The multiplicative inverse of k (mod q) is passed to a function that also has as inputs the message hash code and the user's private key. The structure of this function is such that the receiver can recover r using the incoming message and signature, the public key of the user, and the global public key. It is certainly not obvious from Figure 13.4 or Figure 13.5 that such a scheme would work. A proof is provided in Appendix K. Given the difficulty of taking discrete logarithms, it is infeasible for an opponent to recover k from r or to recover x from s.

Another point worth noting is that the only computationally demanding task in signature generation is the exponential calculation g^k mod p. Because this value does not depend on the message to be signed, it can be computed ahead of time.


Indeed, a user could pre-calculate a number of values of r to be used to sign documents as needed. The only other somewhat demanding task is the determination of a multiplicative inverse, k^-1. Again, a number of these values can be pre-calculated.