Uploaded by

Rithika Indukuri
Module - IV

Cryptographic Hash
Functions

Arif Mohammad Abdul


• Encryption does not protect data from modification
by another party.
• Why?
• Need a way to ensure that data arrives at destination
in its original form as sent by the sender and it is
coming from an authenticated source.
Hash Functions
• A hash function maps a message of a variable
length to an m-bit fixed output.
h = H(M)
Hash Functions Properties
• H can be applied to a block of data of any size.
• H produces a fixed-length output.
• Preimage resistant (one-way property):
Given a value h, finding a value x s.t. H(x) = h is
computationally infeasible.
• 2nd-preimage resistant (weak collision resistant):
Given x, it is computationally infeasible to find
y ≠ x with H(y) = H(x).
• Collision resistant (strong collision resistant):
It is computationally infeasible to find two distinct values
x, y s.t. H(x) = H(y).
Hash Functions
APPLICATIONS OF CRYPTOGRAPHIC
HASH FUNCTIONS
• Message authentication
• Digital signature
• One-way password file
• Intrusion detection and virus detection
• Pseudorandom function (PRF) or a
pseudorandom number generator (PRNG).
Message Authentication
• Message authentication is a mechanism or service
used to verify the integrity of a message.
• Message authentication assures that data received
are exactly as sent (i.e., no modification, insertion,
deletion, or replay).
• When a hash function is used to provide message
authentication, the hash function value is often
referred to as a message digest.
Message Authentication (figure: hash functions & message authentication)
Digital Signature (figure)
One-way password file
Authentication (figure: user device and identity table)
1. The identity table holds, for each user, an entry I, H(P).
2. The user submits identity I and password P.
3. The device computes H = Hash(P).
4. The stored H(P) is compared with the computed value (=?).
Decision
Other Hash Function Uses

• for intrusion detection and virus detection
– keep & check the hash of files on the system
• pseudorandom function (PRF) or
pseudorandom number generator (PRNG)
Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have
raised concerns on its use in future applications
Revised Secure Hash Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
– SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher
SHA Versions
                     SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Message digest size  160      224      256      384      512
Message size         < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
Block size           512      512      512      1024     1024
Word size            32       32       32       64       64
Number of steps      80       64       64       80       80
SHA-512

• Heart of the algorithm
• Processing message in 1024-bit blocks
• Consists of 80 rounds
– updating a 512-bit buffer
– using a round constant based on the cube roots of the first
80 prime numbers
SHA-512
Message digest creation in SHA-512 (figure)
SHA-512
SHA-512 insists that the length of the original message be
less than 2^128 bits.

Note
SHA-512 creates a 512-bit message digest out of a
message of length less than 2^128 bits.
SHA-512

• The length of the padding field can be calculated by

(|M| + |P| + 128) ≡ 0 mod 1024

|P| = (−|M| − 128) mod 1024
SHA-512
Example
What is the number of padding bits if the length of the original
message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:

|P| = (−2590 − 128) mod 1024 = (−2718) mod 1024 = 354

The padding consists of one 1 followed by 353 0's.


SHA-512
Words

The initial values are calculated from the first eight prime numbers 2, 3, 5, 7, 11, 13, 17, 19:
take the square root of each prime,
convert the result into binary and keep only the first 64 bits of the fraction part,
then convert those 64 binary bits into hex.

Example: sqrt(19) = 4.35889894354

= 100.0101 1011 1110 …… 1001 (binary) = 4.5BE0CD19137E2179 (hex)
SHA-512 keeps only the fraction part, i.e., 5BE0CD19137E2179
SHA-512
Message Digest Initialization (figure)
SHA-512
Word Expansion (figure)
SHA-512
Example

Show how W60 is made.

Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as

Wi = … Wi-16
Compression function in SHA-512 (figure)
SHA-512
Structure of each round in SHA-512 (figure)
SHA-512
Majority Function

Conditional Function

Rotate Functions
SHA-512
SHA-512
There are 80 constants, K0 to K79, each of 64 bits. Similarly to the
initial words, these values are calculated from the first 80 prime
numbers (2, 3, …, 409). For example, the 80th prime is
409, with the cube root (409)^(1/3) = 7.42291412044.
Converting this number to binary with only 64 bits in the
fraction part, we get

The fraction part: (6C44198C4A475817)16
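The padding rule, the square-root initial words, the word expansion and the cube-root round constants from the slides above, worked through as one added Python example (not code from the slides): the constants are derived from the primes with exact integer roots, the message is padded with the |P| formula, and the resulting SHA-512 is cross-checked against hashlib. The word-expansion and per-round equations are the standard ones from FIPS 180-4, since the slides show them only as figures; all function names are mine.

```python
import hashlib
MASK64 = (1 << 64) - 1
def primes(n):  # first n primes by trial division (2, 3, ..., 409 for n = 80)
    out, c = [], 2
    while len(out) < n:
        if all(c % p for p in out):
            out.append(c)
        c += 1
    return out

def iroot(n, k):  # exact floor of the k-th root of an integer, by binary search
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

def frac64(p, k):
    # Shift p by 64*k bits so the integer root carries the first 64 fraction
    # bits of the real root, then drop the integer part (k=2 sqrt, k=3 cbrt).
    return iroot(p << (64 * k), k) & MASK64

H0 = [frac64(p, 2) for p in primes(8)]   # initial words: square roots of primes
K = [frac64(p, 3) for p in primes(80)]   # round constants: cube roots of primes
def rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK64

def pad_len_bits(m_bits):
    # |P| = (-|M| - 128) mod 1024; 0 means a full 1024-bit pad, since the
    # leading '1' bit is mandatory (the edge case the slide's formula hides).
    return (-m_bits - 128) % 1024 or 1024

def pad(msg):  # M || 1 || 0...0 || 128-bit length, a multiple of 1024 bits
    p = pad_len_bits(len(msg) * 8)
    return msg + b"\x80" + b"\x00" * (p // 8 - 1) + (len(msg) * 8).to_bytes(16, "big")

def schedule(block):  # W0..W15 from the block, W16..W79 from four earlier words
    W = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = rotr(W[t - 15], 1) ^ rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
        s1 = rotr(W[t - 2], 19) ^ rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
        W.append((s1 + W[t - 7] + s0 + W[t - 16]) & MASK64)
    return W

def sha512(msg):
    H, data = list(H0), pad(msg)
    for off in range(0, len(data), 128):  # one 1024-bit block per pass
        W, (a, b, c, d, e, f, g, h) = schedule(data[off:off + 128]), H
        for t in range(80):
            ch = (e & f) ^ (~e & g)               # conditional function
            maj = (a & b) ^ (a & c) ^ (b & c)     # majority function
            S1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
            S0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
            T1 = (h + S1 + ch + K[t] + W[t]) & MASK64
            T2 = (S0 + maj) & MASK64
            a, b, c, d, e, f, g, h = (T1 + T2) & MASK64, a, b, c, (d + T1) & MASK64, e, f, g
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(8, "big") for x in H)

def matches_hashlib(msg):  # cross-check against the standard library
    return sha512(msg) == hashlib.sha512(msg).digest()
```

Running `pad_len_bits(2590)` reproduces the slide's 354 padding bits, and `frac64(19, 2)` and `frac64(409, 3)` reproduce the two hex fractions quoted above.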


Message Authentication Code (MAC)
Message Authentication

• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Security of Hash Functions and
MACs
Authentication Requirements

• Kinds of attacks (threats) in the context of
communications across a network:
1. Disclosure (release of message content)
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification (replay attack)
6. Timing modification (DoS)
7. Repudiation
Authentication Requirements
• Measures to deal with the first two attacks:
– in the realm of message confidentiality, and
are addressed with encryption
• Measures to deal with items 3 thru 6:
– Message authentication
• Measures to deal with item 7:
– Digital signature
Authentication Requirements

• Message authentication
– A procedure to verify that messages come from
the alleged source and have not been altered
– Message authentication may also verify
sequencing and timeliness
• Digital signature
– An authentication technique that also includes
measures to counter repudiation by either
source or destination
Authentication Functions
• Three classes of functions that may be used to
produce an authenticator
– Message encryption
• Ciphertext itself serves as authenticator
– Message authentication code (MAC)
• A public function of the message and a secret
key that produces a fixed-length value that
serves as the authenticator
– Hash function
• A public function that maps a message of any
length into a fixed-length hash value, which
serves as the authenticator
Message Encryption
• Conventional encryption can serve as
authenticator
– Conventional encryption provides authentication
as well as confidentiality
– Requires recognizable plaintext or other structure
to distinguish between well-formed legitimate
plaintext and meaningless random bits
• e.g., ASCII text, an appended checksum, or use of
layered protocols
Basic Uses of Message
Encryption
Internal & External Error Control
• Append an error-detecting code (frame check
sequence (FCS)) to each message
TCP Segment
• Suppose all of the datagram except the IP header is
encrypted.
• If an opponent substituted some arbitrary bit pattern for
the encrypted TCP segment, the resulting plaintext
would not include a meaningful header.
Symmetric Message Encryption
• Encryption can also provide authentication
• If symmetric encryption is used then:
– Receiver knows sender must have created it
– Since only sender and receiver know the key used
– If message has suitable structure, redundancy or a checksum to
detect any changes
Asymmetric Message Encryption
• If public-key encryption is used:
• Anyone potentially knows public-key
However if
• Sender signs message using their private-key
• Then encrypts with recipient's public key
• Have both secrecy and authentication
– Again need to recognize corrupted messages
– But at cost of two public-key uses on message
Message Authentication Code
• Uses a shared secret key to generate a fixed-size
block of data (known as a cryptographic checksum
or MAC) that is appended to the message
• MAC = CK(M)
• Assurances:
– Message has not been altered
– Message is from alleged sender
– Message sequence is unaltered (requires internal
sequencing)
• Similar to encryption, but the MAC algorithm need not
be reversible
Basic Uses of MAC
Why Use MACs?
– i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from
message use
Requirements for MACs

Need the MAC to satisfy the following:

1. Knowing a message and its MAC, it is infeasible
to find another message with the same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
Requirements for MACs

• A message is encrypted for confidentiality
using an encryption algorithm.
• The security depends on the length of the
key.
• Barring some weakness in the algorithm, the
opponent must resort to a brute-force attack
using all possible keys.
• On average, such an attack will require 2^(k-1)
attempts for a k-bit key.
Requirements for MACs
• In the case of a MAC, the MAC function is a many-
to-one function (many plaintexts map to the
same MAC).
• If confidentiality is not employed (message and
MAC are known), then there are two cases
in which the opponent has access to plaintext
messages and their associated MACs:
– k > n (more iterations)
– k <= n (single attempt)
Requirements for MACs
• If k > n, the opponent needs a number of
iterations to break the MAC.
• k > n, i.e., the key size is greater than the MAC
size.
MAC1 = CK1(M1)
• The opponent performs MACi = CKi(M1) for all
possible key values Ki.
• At least one key is guaranteed to produce a
match MACi = MAC1.
Requirements for MACs
• Because of the large key size, a number of keys will
produce the correct MAC and the opponent has
no way of knowing which is the correct key.
• On average, a total of 2^k / 2^n = 2^(k-n) keys will
produce a match.
• With an 80-bit key and a 32-bit
MAC, the number of matches
is 2^48 in round 1.
• In round 2, 2^16 matches.
• In round 3 a single key
remains, which must be the one
used by the sender.
MAC based on DES using CBC
CMAC using CBC
HMAC Design Objectives
➢Use, without modifications, hash functions
➢Allow for easy replaceability of embedded hash
function
➢Preserve original performance of hash function
without significant degradation
➢Use and handle keys in a simple way.
➢Have well understood cryptographic analysis of
authentication mechanism strength
HMAC
• Specified as Internet standard RFC2104
• Uses hash function on the message:
HMACK(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
– where K+ is the key padded out to size
– opad = 5C, ipad = 36 are specified padding
constants
• overhead is just 3 more hash calculations than the
message needs alone
• any hash function can be used
HMAC
Overview
A more efficient implementation (figure), where f(cv, block) is the
compression function for the hash function, which takes as
arguments a chaining variable of n bits and a block of b bits and
produces a chaining variable of n bits.
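The HMAC formula above, implemented as an added Python example (not the slides' or RFC 2104's own code) and cross-checked against the standard library's hmac module. It also handles the case K+ glosses over, a key longer than the hash block size, which is hashed down first; the key and message values are constructed for the demo.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C                       # RFC 2104 padding constants

def hmac_from_formula(key, msg, hash_name="sha256"):
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]."""
    b = hashlib.new(hash_name).block_size     # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > b:                          # a key longer than a block is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")            # K+: key zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(x ^ IPAD for x in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(x ^ OPAD for x in k_plus) + inner).digest()

def verify_tag(key, msg, tag, hash_name="sha256"):
    """Receiver side: recompute and compare in constant time, never with ==."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)

def matches_stdlib(key, msg, hash_name="sha256"):
    return hmac_from_formula(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()

# Constructed demo values (not from the slides).
DEMO_KEY = b"constructed-demo-key"
DEMO_MSG = b"transfer 100 to account 42"
```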
Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
Digital Signature Model (figure)
Attacks and Forgeries
• attacks
– key-only attack
– known message attack
– generic chosen message attack
– directed chosen message attack
– adaptive chosen message attack
• break success levels
– total break
– selective forgery
– existential forgery
Digital Signature Requirements
➢ must depend on the message signed
➢ must use information unique to sender
⚫ to prevent both forgery and denial
➢ must be relatively easy to produce
➢ must be relatively easy to recognize & verify
➢ be computationally infeasible to forge
⚫ with new message for existing digital signature
⚫ with fraudulent digital signature for given message
➢ be practical to save the digital signature in storage
Direct Digital Signatures
• involve only sender & receiver
• assumes receiver has sender's public-key
• digital signature made by sender signing
entire message or hash with private-key
• can encrypt using receiver's public-key
• important that sign first then encrypt
message & signature
• security depends on sender’s private-key
Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA &
elliptic curve signature variants
• DSA is digital signature only unlike RSA
• is a public-key technique
Digital Signature Algorithm (DSA)
➢creates a 320 bit signature
➢with 512-1024 bit security
➢smaller and faster than RSA
➢a digital signature scheme only
➢security depends on difficulty of computing
discrete logarithms
➢variant of ElGamal & Schnorr schemes
DSS vs RSA Signatures
Example

• H(M)= 5, p=29, q=7, h=5, x=5, k=4
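The slide's example numbers worked through as an added Python example (not the slides' own solution): H(M) = 5, p = 29, q = 7, h = 5, x = 5, k = 4. The equations are the standard DSA ones from FIPS 186 (g = h^((p-1)/q) mod p, r = (g^k mod p) mod q, s = k^-1(H(M) + xr) mod q, and the verifier's v = (g^u1 y^u2 mod p) mod q); the function names are mine.

```python
def dsa_generator(p, q, h):
    """g = h^((p-1)/q) mod p; with the slide's p=29, q=7, h=5 this gives g = 16."""
    g = pow(h, (p - 1) // q, p)
    if g <= 1 or pow(g, q, p) != 1:
        raise ValueError("h does not yield an element of order q; pick another h")
    return g

def dsa_sign(hm, p, q, g, x, k):
    """Signature (r, s) on digest hm with private key x and per-message secret k.
    k must be fresh and secret for every signature (1 <= k < q)."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + x * r)) % q
    if r == 0 or s == 0:                 # FIPS 186 requires a new k in this case
        raise ValueError("degenerate signature; choose another k")
    return r, s

def dsa_verify(hm, p, q, g, y, r, s):
    """Verifier: w = s^-1, u1 = hm*w, u2 = r*w, v = (g^u1 * y^u2 mod p) mod q, v == r."""
    if not (0 < r < q and 0 < s < q):    # reject out-of-range values before any math
        return False
    w = pow(s, -1, q)
    u1, u2 = (hm * w) % q, (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r

def slide_example():
    """The slide's numbers: H(M)=5, p=29, q=7, h=5, x=5, k=4 -> (g, y, r, s, ok)."""
    p, q, h, x, k, hm = 29, 7, 5, 5, 4, 5
    g = dsa_generator(p, q, h)
    y = pow(g, x, p)                     # public key
    r, s = dsa_sign(hm, p, q, g, x, k)
    return g, y, r, s, dsa_verify(hm, p, q, g, y, r, s)
```

With these parameters the run gives g = 16, y = 23 and the signature (r, s) = (4, 1), which verifies; changing the digest to any other value makes verification fail.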


Elgamal Digital Signature

• The Elgamal encryption scheme is designed to
enable encryption by a user's public key
with decryption by the user's private key.
• The Elgamal signature scheme involves the
use of the private key for digital signature
generation and the public key for digital
signature verification.
Elgamal Digital Signature

• q is a prime number; if … is a primitive root
of q, then
Elgamal Digital Signature
Elgamal Digital Signature
Key Management and
Distribution
⚫ Symmetric key distribution using symmetric
encryption
⚫ Symmetric key distribution using public-key
encryption
⚫ Distribution of public keys
•announcement, directory, authority, CA
⚫ X.509 authentication and certificates
Distribution of Public Keys
➢ Can be considered as using one of:
⚫ Public Announcement
⚫ Publicly Available Directory
⚫ Public-key Authority
⚫ Public-key Certificates
Public Announcement
➢ Users distribute public keys to recipients
or broadcast to the community at large
⚫ eg. append PGP keys to email messages or
post to newsgroups or email list
➢ Major weakness is forgery
⚫ anyone can create a key claiming to be
someone else and broadcast it
⚫ until forgery is discovered can masquerade as
claimed user
Public Announcement
Publicly Available Directory
➢ Can obtain greater security by registering
keys with a public directory
➢ Directory must be trusted with properties:
⚫ contains {name, public-key} entries
⚫ Participants register securely with the
directory
⚫ participants can replace key at any time
⚫ directory is periodically published
⚫ directory can be accessed electronically
➢ Still vulnerable to tampering or forgery
Publicly Available Directory
Public-Key Authority
➢ Improve security by tightening control over
the distribution of keys from a directory
➢ has properties of a directory
➢ and requires users to know public key for
the directory
➢ then users interact with directory to obtain
any desired public key securely
⚫ does require real-time access to directory
when keys are needed
⚫ may be vulnerable to tampering
Public-Key Authority
Public-Key Authority
Road Map

⚫ symmetric key distribution using symmetric
encryption
⚫ symmetric key distribution using public-key
encryption
⚫ distribution of public keys
•announcement, directory, authority, CA
⚫ X.509 authentication and certificates
⚫ public key infrastructure (PKIX)
Public-Key Certificates
➢ certificates allow key exchange without
real-time access to public-key authority
➢ a certificate binds identity to public key
⚫ usually with other info such as period of
validity, rights of use etc
➢ with all contents signed by a trusted
Public-Key or Certificate Authority (CA)
➢ can be verified by anyone who knows the
public-key authority's public-key
Public-Key Certificates
X.509 Authentication Service
➢ part of CCITT X.500 directory service standards
⚫ distributed servers maintaining user info database
➢ defines framework for authentication services
⚫ directory may store public-key certificates
⚫ with public key of user signed by certification authority
➢ also defines authentication protocols
➢ uses public-key crypto & digital signatures
⚫ algorithms not standardised, but RSA recommended
➢ X.509 certificates are widely used
⚫ have 3 versions
X.509 Certificate Use (figure)
X.509 Public Key Certificate
X.509 Certificates
➢ issued by a Certification Authority (CA), containing:
⚫ version V (1, 2, or 3)
⚫ serial number SN (unique within CA) identifying certificate
⚫ signature algorithm identifier AI
⚫ issuer X.500 name (CA)
⚫ period of validity TA (from - to dates)
⚫ subject X.500 name A (name of owner)
⚫ subject public-key info Ap (algorithm, parameters, key)
⚫ issuer unique identifier (v2+)
⚫ subject unique identifier (v2+)
⚫ extension fields (v3)
⚫ signature (of hash of all fields in certificate)
➢ notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
Obtaining a Certificate
➢ User certificates generated by a CA have
the following characteristics:
⚫ Any user with access to the public key
of the CA can verify the user public key
that was certified.
⚫ No party other than the certification
authority can modify the certificate without
this being detected.
CA Hierarchy
➢ If all users subscribe to the same CA, then there
is a common trust of that CA
➢ otherwise CAs must form a hierarchy
➢ use certificates linking members of the hierarchy to
validate other CAs
⚫ each CA has certificates for clients (forward) and
parent (backward)
➢ each client trusts its parent's certificates
➢ enables verification of any certificate from one CA
by users of all other CAs in the hierarchy
CA Hierarchy
➢ Now suppose that A has obtained a certificate
from certification authority X1.
➢ B has obtained a certificate from CA X2.
➢ If A does not securely know the public key of X2,
then B's certificate, issued by X2, is useless to
A.
➢ A can read B's certificate, but A cannot verify the
signature. However, if the two CAs have
securely exchanged their own public keys,
CA Hierarchy
➢ the following procedure will enable A to obtain
B's public key.
CA Hierarchy Use
Certificate Revocation
➢ certificates have a period of validity
➢ may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
➢ CAs maintain a list of revoked certificates
⚫ the Certificate Revocation List (CRL)
➢ users should check certificates with CA’s CRL
X.509 Version 3
➢ has been recognised that additional
information is needed in a certificate
⚫ email/URL, policy details, usage constraints
➢ rather than explicitly naming new fields,
defined a general extension method
➢ extensions consist of:
⚫ extension identifier
⚫ criticality indicator
⚫ extension value
Certificate Extensions
➢ key and policy information
⚫ convey info about subject & issuer keys, plus
indicators of certificate policy
➢ certificate subject and issuer attributes
⚫ support alternative names, in alternative
formats for certificate subject and/or issuer
➢ certificate path constraints
⚫ allow constraints on use of certificates by
other CA’s
