4/10/2011

Authentication Requirements
 Kind of attacks (threats) in the context of communications across
a network
1. Disclosure
2. Traffic analysis (discover the pattern)
3. Masquerade (insert a message from a fraudulent source)
4. Content modification
5. Sequence modification (insert, delete, reorder)
6. Timing modification (delay or replay)
7. Source Repudiation (denial of a transmission)
8. Destination Repudiation (denial of a receipt)

 Measures to deal with first two attacks:

 In the realm of message confidentiality, and are addressed with
encryption
 Measures to deal with items 3 thru 6
 Message authentication
 Measures to deal with items 7 and 8
 Digital signature

Authentication Requirements
 Message authentication
 A procedure to verify that messages come from the alleged
source and have not been altered
 Message authentication may also verify sequencing and
timeliness

 Digital signature
 An authentication technique that also includes measures to counter
repudiation by either source or destination

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 1

 4/10/2011

Authentication Functions
 Message authentication or digital signature mechanism can be
viewed as having two levels
 authenticator and High level authentication protocol

 Three classes of functions can be used to produce an

authenticator
 Message encryption
 Ciphertext itself serves as authenticator
 Message authentication code (MAC)
 A public function of the message and a secret key that produces
a fixed-length value that serves as the authenticator
 Hash function
 A public function that maps a message of any length into a fixed-
length hash value, which serves as the authenticator

Message Encryption
 Conventional encryption can serve as authenticator
 Conventional encryption provides authentication as well as
confidentiality
 if symmetric encryption is used then:
 receiver knows sender must have created it
 knows content cannot be altered, if message has suitable structure,
redundancy or a checksum to detect any changes
 if public-key encryption is used:
 encryption provides confidentiality, but not authentication
 can provide authentication as well as signature, but at the cost of
two public key uses on the message.

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 2

 4/10/2011

Basic Uses of Message Encryption

Ways of Providing Structure

 Append an error-detecting code (frame check sequence
(FCS)) to each message

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 3

 4/10/2011

Implications of Message Encryption

Message Authentication Code

 Uses a shared secret key to generate a fixed-size block of data
(known as a cryptographic checksum or MAC) that is
appended to the message
 MAC = CK(M)
 Assurances:
 Message has not been altered
 Message is from alleged sender
 Message sequence is unaltered (requires internal sequencing)
 Similar to encryption but MAC algorithm need not be
reversible

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 4

 4/10/2011

Basic Uses of MAC

Basic Uses of MAC

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 5

 4/10/2011

Where MAC’s are used??

 In applications where the same message is broadcast to a
number of destinations, it is sent in plaintext with associated
MAC to prove authentication.

 Situations where authentication cannot be done for every

message, but on selective messages

 Authentication of a computer program in plaintext is very

attractive and also proves integrity

 In applications where the message need not be kept secret,

but it is very important to authenticate messages

Hash Function
 Accepts a variable-size message M as input and produces a fixed-
size hash code H(M){ some times called message digest} as output
 The hash code is a function of all the bits of the message and
provides an error-detection capability.
 Can be used with encryption for authentication
 E(M || H)
 M || E(H)
 M || signed H
 E( M || signed H ) gives confidentiality
 M || H( M || K )
 E( M || H( M || K ) )

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 6

 4/10/2011

Basic Uses of Hash Function

Basic Uses of Hash Function

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 7

 4/10/2011

Basic Uses of Hash Function

Requirements for MAC Functions

 Assume that an opponent knows the MAC function C but does
not know K. Then the MAC function should have the following
properties
MAC= CK(M)
1. Given M and Ck(M), it must be computationally infeasible to
construct M’ s.t. Ck(M’) = Ck(M)
2. CK(M) should be uniformly distributed in the sense that for any
M and M’, Pr[Ck(M) = Ck(M’)] should be 2-n, where n is
the length of the MAC
3. Let M’ be equal to some known transformation on M. That is,
M’ = f(M).
In that case, Pr[Ck(M) = Ck(M’)] = 2-n,

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 8

 4/10/2011

MAC Based on DES

 Uses CBC mode of operation of DES with IV = 0
 Referred to as Data Authentication Algorithm (FIPS PUB 113 and ANSI
standard (X9.17))
ON = EK(DN XOR ON-1)
 Data Authentication Code (DAC) consists of 16 to 64 leftmost bits of ON

Hash Functions

 h = H(M)
 M is a variable-length message, h is a fixed-length hash value,
H is a hash function
 The hash value is appended at the source
 The receiver authenticates the message by recomputing the
hash value
 Because the hash function itself is not considered to be
secret, some means is required to protect the hash value

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 9

 4/10/2011

Hash Function Requirements

1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to
find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally
infeasible to find any y  x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible
to find any x and y s.t. H(x) = H(y)

Hash Function Requirements

 One-way property is essential for authentication

 Weak collision resistance is necessary to prevent forgery
 Strong collision resistance is important for resistance to
birthday attack

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 10

 4/10/2011

HASH Algorithms

 MD5 Message Digest Algorithm

 Secure Hash Algorithm (SHA-1 and SHA-512)
 RIPEMD-160
 HMAC

Hash Algorithm Structure

 The hash algorithm involves repeated use of a compression
function, f, that takes two inputs(an n-bit input from the
previous step and a b-bit block) and produces an n-bit output
 The final value of the chaining variable is the hash value.

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 11

 4/10/2011

MD5 Message Digest Algorithm

 Developed by Ron Rivest at MIT
 Input: a message of arbitrary length
 Output: 128-bit message digest
 32-bit word units, 512-bit blocks

MD5 Logic
 Step 1: Append padding bits
 Padded so that its bit length  448 mod 512 (i.e., the length of padded message is 64
bits less than an integer multiple of 512 bits)
 Padding is always added, even if the message is already of the desired length
(1 to 512 bits)
 Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits)

 Step 2: Append length

 64-bit length: contains the length of the original message modulo 2 64

 The expanded message is Y0, Y1, …, YL-1; the total length is L  512 bits
 The expanded message can be thought of as a multiple of 16 32-bit words
 Let M[0 … N-1] denote the word of the resulting message, where N = L  16

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 12

 4/10/2011

MD5 Logic
 Step 3: Initialize MD buffer
 128-bit buffer (four 32-bit registers A,B,C,D) is used to hold intermediate and
final results of the hash function
 A,B,C,D are initialized to the following values
 A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476
 Stored in little-endian format (least significant byte of a word in the low-
address byte position)
 E.g. word A: 01 23 45 67 (low address … high address)

 Step 4: Process message in 512-bit (16-word) blocks

 Heart of the algorithm called a compression function
 Consists of 4 rounds
 The 4 rounds have a similar structure, but each uses a different primitive logical
functions, referred to as F, G, H, and I
 Each round takes as input the current 512-bit block (Yq), 128-bit buffer value
ABCD and updates the contents of the buffer
 Each round also uses the table T[1 … 64], constructed from the sine function;
T[i] = 232  abs(sin(i))
 The output of 4th round is added to the CVq to produce CVq+1

MD5 processing of a single 512- bit block

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 13

 4/10/2011

MD5 Logic
 Table T, constructed from the sine function
– T[i] = integer part of 232  abs(sin(i)), where i is in radians

MD5 Logic
 Step 5: Output
 After all L 512-bit blocks have been processed, the output from the Lth stage is
the 128-bit message digest

 CV0 = IV
CVq+1 = SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]])
MD = CVL
where
IV = initial value of the ABCD buffer, defined in step 3
Yq = the qth 512-bit block of the message
L = the number of blocks in the message (including padding and
length fields)
CVq = chaining variable processed with the qth block of the message
RFx = round function using primitive logical function x
MD = final message digest value
SUM32 = addition modulo 232 performed separately on each word

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 14

 4/10/2011

MD5 Compression Function

 Each round consists of a sequence of 16 steps operating on the
buffer ABCD
 Each step is of the form
a  b + (( a + g(b, c, d) + X[k] + T[i] <<< s )
Where,
a,b,c,d = the 4 words of the buffer, in a specified order that
varies across steps
g = one of the primitive functions F, G, H, I
<<< s = circular left shift (rotation) of the 32-bit arguments by s
bits
X[k] = M[q  16 + k] = the kth 32-bit word in the qth 512-bit
block of the message
T[i] = the ith 32-bit word in table T
+ = addition modulo 232

Elementary MD5 Operation (Single Step)

a  b + (( a + g(b, c, d) + X[k] + T[i] <<< s )

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 15

 4/10/2011

MD5 Primitive Logical Functions

 One of the 4 primitive logical functions is used in each 4 rounds of
the algorithm
 Each primitive function takes three 32-bit words as input and
produces a 32-bit word output
 Each function performs a set of bitwise logical operations

Truth table

Round Primitive function g g(b, c, d) b c d F G H I

1 F(b, c, d) (b  c)  (b’  d) 0 0 0 0 0 0 1
2 G(b, c, d) (b  d)  (c  d’) 0 0 1 1 0 1 0
3 H(b, c, d) bcd 0 1 0 0 1 1 0
4 I(b c, d) c  (b  d’) 0 1 1 1 0 0 1
1 0 0 0 0 1 1
1 0 1 0 1 0 1
1 1 0 1 1 0 0
1 1 1 1 1 1 0

X[k]
 The array of 32-bit words X[0..15] holds the value of current
512-bit input block being processed
 Within a round, each of the 16 words of X[i] is used exactly
once, during one step
 The order in which these words is used varies from round to
round
 In the first round, the words are used in their original order
 For rounds 2 through 4, the following permutations are used
 2(i) = (1 + 5i) mod 16
 3(i) = (5 + 3i) mod 16
 4(I) = 7i mod 16

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 16

 4/10/2011

MD4
 Precursor to MD5
 Design goals of MD4 (which are carried over to MD5)
 Security
 Speed
 Simplicity and compactness
 Favor little-endian architecture
 Main differences between MD5 and MD4
1. A fourth round has been added.
2. Each step now has a unique additive constant.
3. The function g in round 2 was changed from (bc v bd v cd) to
(bd v cd’) to make g less symmetric.
4. Each step now adds in the result of the previous step. This
promotes a faster "avalanche effect".
5. The order in which input words are accessed in rounds 2 and 3 is
changed, to make these patterns less like each other.
6. The shift amounts in each round have been approximately
optimized, to yield a faster "avalanche effect." The shifts in
different rounds are distinct.

Secure Hash Algorithm

 SHA originally designed by NIST & NSA in 1993
 was revised in 1995 as SHA-1
 US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
 based on design of MD4 with key differences
 produces 160-bit hash values
 recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 17

 4/10/2011

Revised Secure Hash Standard

 NIST issued revision FIPS 180-2 in 2002

 adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
 designed for compatibility with increased security
provided by the AES cipher
 structure & detail is similar to SHA-1
 hence analysis should be similar
 but security levels are rather higher

SHA-512 Overview

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 18

 4/10/2011

SHA-512 Algorithm Steps

 Now examine the structure of SHA-512, noting that the other versions are
quite similar.
 The processing consists of the following steps:
 Step 1: Append padding bits:- The message is padded so that its length
is congruent to 896 modulo 1024 [length =896 (mod 1024)]
 Step 2: Append length:- A block of 128 bits is appended to the message
 Step 3: Initialize hash buffer:-A 512-bit buffer is used to hold
intermediate and final results of the hash function. The buffer can be
represented as eight 64-bit registers(a, b, c, d, e, f, g, h) and are
initialised as follows
a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
c = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CDI9137E2179 {Stored in big endian format}

Algorithm Steps
 Step 4: Process the message in 1024-bit (128-word) blocks:-
The heart of the algorithm is a module that consists of 80
rounds.Each round takes as input the 512-bit buffer value
abcdefgh, and updates the contents of the buffer.
 Step 5: Output the final state value as the resulting hash:-After
all N 1024-bit blocks have been processed, the output from
the Nth stage is the 512-bit message digest.

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 19

 4/10/2011

SHA-512 Processing of a single 1024-Bit Block

Elementary SHA-512 Operation(Single

Round)

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 20

 4/10/2011

SHA-512 Round Function

 Each round is defined by the following set of equations

SHA-512 Round Function (contd)

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 21

 4/10/2011

Wt
 The first 16 values of Wt are taken directly from the 16 words of
the current block. The remaining values are defined as follows

HMAC
 Increased Interest in recent years in developing a MAC based on a hash function
 MD5 and SHA-1 run faster than symmetric block ciphers such as DES
 Code for hash functions widely available
 No export restrictions for cryptographic hash functions
 Cryptographic functions (even those used in MAC) restricted

 Hash values not intended for MAC –they are not protected by secret keys
 Some protection needs to be built on top of the hash value

 The one approach that gained wide support is HMAC (RFC 2104) included in IP
security and SSL

 Requirements for HMAC

 Use existing hash functions
 The hash function can be easily replaced by another one –treat the hash
function as a black box
 Preserve the performance of the hash function
 Use and handle keys in a simple way
 Well understood cryptographic analysis of the strength of the authentication
mechanism

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 22

 4/10/2011

HMAC Algorithm
 hash includes a key along with message
 original proposal:
KeyedHash = Hash(Key|Message)
 some weaknesses were found with this
 eventually led to development of HMAC
 specified as Internet standard RFC2104
 Idea: append a secret key to the message and compute the hash
value
To avoid a brute-force attack, apply the hash twice to mangle
thoroughly the bits of the key with those of the message


HMAC Algorithm
 H=embedded hash function
 IV=initial value to the has function
 M=message input to HMAC (including the padding specific to the
hash function)
 Yi=i-th block of M
 L=number of blocks in M
 b=number of bits in a block
 n=length of the hash code
 K=secret key, if its length is greater than b –will be given as input
to the hash function to produce n-bit key
 K+=K padded with 0 on the left to make a b-bit key, if the
original length of K is smaller than b
 ipad= 00110110 (36 in hexadecimal)repeated b/8 times
 opad=01011100 (5C in hexadecimal)repeated b/8 times

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 23

 4/10/2011

HMAC Overview

HMAC Algorithm
1. Append zeros to the left end of K to create a b-bit string
K+(e.g., if K is of length 160 bits and b = 512 then K will be
appended with 44 zero bytes 0 x 00).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-
bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So
6. Append the hash result from step 4 to So
7. Apply H to the stream generated in step 6 and output the
result.

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 24

 4/10/2011

A more efficient implementation

The following two values are

Precomputed:

HMAC Security
 proved security of HMAC relates to that of the underlying
hash algorithm
 attacking HMAC requires either:
 Brute-force attack requires an effort on the level 2n-1for a
key of length n
 Birthday attack:-
 The main idea in this attack is that attacker can compute the
hash values of many messages and try to find a match
 In HMAC, he is unable to do that because the hash is protected
by a secret key
 attacker will have to rely on messages that he observes on the
link:- for MD5 she will have to wait in average for 264messages
generated using the same key
On a 1 Gbps-link she needs to observe a continuous stream of
messages with no change in the key for about 150 000 years
With SHA-1 280messages are needed
For HMAC, using MD5 is secure (and fast)

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 25

 4/10/2011

Assignment
1. Explain with neat diagrams the cipher block
modes of operations for block ciphers
2. Differentiate between symmetric block ciphers
and symmetric stream ciphers
3. Explain various Key distribution methods
4. Describe the various steps of encryption and
decryption in an AES algorithm
5. Write about Message authentication
6. Explain various steps involved in HMAC
algorithm

Mukesh Chinta, Asst Prof, CSE, VNRVJIET 26