CO1508 Computer Systems & Security - Week 07 Cryptography - Hash Functions & Digital Signatures
Summary
You are going to learn a new hash algorithm called Hash Message Authentication Code
(HMAC) and practise some examples of other hash functions such as MD5 and SHA-1 using
CrypTool 1. You’ll also learn about digital signatures and RSA signatures, and mount attacks
against the hash value of a digital signature.
Activities
The Keyed Hash Message Authentication Code (HMAC) ensures the integrity and authenticity of a
message. It requires a key shared by both sender and recipient. It follows a similar principle
to other hash algorithms but adds a secret key to the process.
Open CrypTool 1 and select Indiv. Procedures > Hash > Generation of HMACs. Read the
description carefully before proceeding.
Enter your key “cowabunga”. The HMAC code generated from the message and the key is
72 28 A5 7D 50 11 86 09 2E C2 C4 76 2C 98 9A 49 AA C9 E5 6A
Now, select from Indiv. Procedures > Hash > Hash Demonstration.
Select a hash function from Selection of hash function (any hash function you want).
Add a space after ‘CrypTool’ in the plaintext. You will see that around 47% to 53% of the
bits differ. A good hash function reacts very sensitively to even the smallest change in the
plaintext: this is the avalanche effect (small change, big impact).
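The measurement behind the Hash Demonstration dialog, as an added example that is not part of the original worksheet. It goes beyond the single "add a space" case by flipping every input bit in turn for MD5, SHA-1 and SHA-256; the sample text is constructed for illustration.

```python
import hashlib

SAMPLE = b"CrypTool is a free e-learning program."  # constructed sample text


def bit_diff_percent(a: bytes, b: bytes) -> float:
    """Percentage of bit positions in which two equal-length digests differ."""
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 100.0 * differing / (8 * len(a))


def appended_space(name: str, text: bytes) -> float:
    """The worksheet's experiment: hash the text with and without one extra space."""
    before = hashlib.new(name, text).digest()
    after = hashlib.new(name, text + b" ").digest()
    return bit_diff_percent(before, after)


def avalanche(name: str, message: bytes) -> dict:
    """Flip each single input bit in turn and record how much the digest changes."""
    base = hashlib.new(name, message).digest()
    scores = []
    for i in range(8 * len(message)):
        flipped = bytearray(message)
        flipped[i // 8] ^= 1 << (i % 8)          # change exactly one input bit
        digest = hashlib.new(name, bytes(flipped)).digest()
        scores.append(bit_diff_percent(base, digest))
    return {"min": min(scores),
            "mean": sum(scores) / len(scores),
            "max": max(scores)}


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        stats = avalanche(name, SAMPLE)
        print(f"{name:7s} space: {appended_space(name, SAMPLE):5.1f}%  "
              f"1-bit flips: min {stats['min']:.1f}%  "
              f"mean {stats['mean']:.1f}%  max {stats['max']:.1f}%")
```

A mean that sits well away from 50%, or individual flips that change only a handful of output bits, would indicate a weak mixing function.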
Now, for the following exercises you can select either SHA-1, HMAC, or MD5.
Exercise 1
Use an example to show that a hash function can help to protect the integrity of your
message. You can encrypt your plaintext message, tamper with the ciphertext and use a hash
function to check whether the decrypted message has changed.
Exercise 2
Use an example to show that if you tamper with both the ciphertext and the hash value
properly, you can escape the integrity check of the hash function.
Show your tutor your solutions before moving on to the next stage.
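The difference between an unkeyed hash and the HMAC described at the start of the activities, as an added example that is not part of the original worksheet. It leaves out the encryption step and checks only the integrity tag; SHA-1 as the underlying hash and the two sample messages are assumptions, and the key is the one from the lab text.

```python
import hashlib
import hmac

KEY = b"cowabunga"  # shared secret key from the lab text


def plain_tag(message: bytes) -> bytes:
    """Unkeyed SHA-1 digest: anyone who sees the message can recompute it."""
    return hashlib.sha1(message).digest()


def keyed_tag(message: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA1: recomputing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify_plain(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(message), tag)


def verify_keyed(message: bytes, tag: bytes, key: bytes = KEY) -> bool:
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(keyed_tag(message, key), tag)


def run_scenarios() -> dict:
    original = b"Please order one typewriter."   # constructed sample
    altered = b"Please order one Porsche."       # constructed sample
    return {
        # Message changed, hash left alone: the check fails (Exercise 1).
        "sha1, message changed": verify_plain(altered, plain_tag(original)),
        # Message and hash both replaced: the check passes (Exercise 2).
        "sha1, message and hash changed": verify_plain(altered, plain_tag(altered)),
        # Same two changes against HMAC; the replaced tag is made without KEY.
        "hmac, message changed": verify_keyed(altered, keyed_tag(original)),
        "hmac, message and tag changed":
            verify_keyed(altered, keyed_tag(altered, b"not-the-key")),
        # Untouched message and tag still verify.
        "hmac, untouched": verify_keyed(original, keyed_tag(original)),
    }


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:32s} accepted={accepted}")
```

Only the unkeyed hash accepts the altered message once the hash is recomputed; the HMAC check rejects it because a valid tag cannot be produced without the shared key.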
Click OK and you’ll see the digital signature generated using RSA and SHA-1 (as the hash
algorithm) for the document startingexample-en.txt.
Close the signature window before moving on to the next stage.
Now, close all the windows and make sure the startingexample-en.txt is open. We’ll sign
this document as follows:
Select Digital Signatures/PKI > Sign Message and enter the following details:
Choose hash function: SHA-1
Choose signature algorithm: RSA
Choose a key/PSE to be used when signing: Your key
PIN code: cryptool
Then click on the Sign button.
Now, examine the signature. You’ll notice the signature is at the beginning of the document
to be signed.
To get a clearer idea, choose Digital Signatures/PKI > Extract Signature to see clearly the
signature value and the document that is signed.
Click on Verify to verify the signature and choose the right originator from the list. If it’s
correct, you’ll receive a message saying, “Correct signature!”
Try to modify the text by adding/deleting something and try Digital Signatures/PKI > Verify
Signature again. You should receive a negative result this time: “Invalid signature!”
This is how digital signatures can guarantee the integrity of the message to make sure it’s
not altered or tampered with.
Before we start, remember that a hash collision occurs when two different messages produce
the same hash value. We’ll try to exploit this vulnerability to break the digital signature.
Select Analysis > Hash > Attack on the Hash Value of the Digital Signature. Click Options
and select MD5 under Hash function and 40 for Significant bit length and click Apply.
After that, click Start search and wait ☺ You should then receive a message saying the
attack was successful. Click OK to move on. You should see something like this:
Close this window and have a look at the two messages: the harmless message and the dangerous
message. They are two different messages with the same hash value, which means you can get
the original message (ordering a typewriter), modify it (to order a Porsche!), sign it again
(using the receiver’s public key) and it’ll be undetected!!!
You can try larger numbers than 40 for the Significant bit length. However, beware that the
larger you go the longer it’ll take to find a successful attack (it might take days if you put 128
bits). Don’t try this now ☺ unless you want to sleep here for the next few days waiting!
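Why the Significant bit length setting decides how long the search takes, as an added example that is not part of the original worksheet and not CrypTool's own code. It compares only the first 32 bits of MD5 (the lab uses 40) and varies the two texts with trailing spaces and tabs, which is an assumed way of generating variants; the sample messages are constructed. A signature is computed over the digest, so one made over those compared bits verifies for both texts.

```python
import hashlib
from itertools import count

BITS = 32  # the lab uses 40; reduced so the search finishes in seconds
HARMLESS = "Please order one typewriter."   # constructed sample text
DANGEROUS = "Please order one Porsche."     # constructed sample text


def short_md5(message: bytes, bits: int = BITS) -> int:
    """First `bits` bits of the MD5 digest, as an integer."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return digest >> (128 - bits)


def variant(text: str, n: int, width: int) -> bytes:
    """Encode n as trailing spaces/tabs; the visible text is unchanged."""
    pad = "".join("\t" if (n >> i) & 1 else " " for i in range(width))
    return (text + pad).encode()


def find_pair(harmless: str, dangerous: str, bits: int = BITS):
    """Birthday search over whitespace variants of both texts."""
    half = bits // 2
    # Table of 2^(bits/2) harmless variants, keyed by truncated digest.
    table = {short_md5(variant(harmless, n, half), bits): n
             for n in range(2 ** half)}
    # Probe dangerous variants until one lands in the table.
    for tries in count(1):
        candidate = variant(dangerous, tries, bits)
        n = table.get(short_md5(candidate, bits))
        if n is not None:
            return variant(harmless, n, half), candidate, tries


def expected_hashes(bits: int) -> int:
    """Rough cost of the search: about 2 * 2^(bits/2) hash computations."""
    return 2 * 2 ** (bits // 2)


if __name__ == "__main__":
    a, b, tries = find_pair(HARMLESS, DANGEROUS)
    print(f"match on first {BITS} bits after {tries} probes")
    print(hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest(), sep="\n")
    for bits in (40, 64, 128, 256):
        print(f"{bits:>3} compared bits -> about {expected_hashes(bits):.1e} hashes")
```

The two full MD5 values printed differ after the first 32 bits, which is why a verifier must compare the complete output of a collision-resistant hash rather than a short prefix.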
Exercise 3
Generate a new key pair and a digital signature for a file you choose. Then, export the public
key and the signature to two different files.
Verify the digital signature by importing the public key and the signature that is alleged to
be the signature of the specified data file (you’ve chosen) and to verify the authenticity of
the signature.
Exercise 4
List the frequencies for the top 4 characters found in the following ciphertext then break it:
MKLAJZHAIUQWKHJABZNXBVHAGKFASDFGALQPIWRYIOQYWIERMASVZMNBZXCKJASDFGLK
JFHWQERYIOQWTYIOASUDYFLASKJDHFZMZVBCXMVQLWERYIQRASDFQIWUERYIHKMFMAK
HLSDFYUIOQWYREIORYIWQEUFHAKDFHLKASHFKVBBBNASMDFSADFWQEUYRUUEYRUUUQ
KASJHFKJDSHFSNBNBNBNBABABAAASKJFHLKJSADHFIDUASFOYDASIYFQWERBQWBRKLJLKAS
SADFDFDASDA.
Exercise 5
OTWEWNGWCBPQABIZVQAPMLJGZWTTQVOBQUMAPMIDGZCAB
EQVBMZLZIXMLAXZQVOQVLMMXAVWEIVLLIZSNZWAB
JQZLWNLMTQOPBVIUMLGWCBPAEQNBTGTMNBBPMVMAB
ITIAKWCTLVBBQUMQBEPQTMQBEIAQVUGBZCAB