Message

Authentication
Codes & Hash
Functions
Message Authentication
▪ Message authentication is a procedure to verify that received
message came from the genuine source and has not been altered.
▪ Message authentication may also verify sequencing and
timeliness.
▪ Message authentication is a mechanism or service used to verify
the integrity of a message.
▪ Message authentication assures that data received are exactly
same as sent (i.e., message contains no modification, no insertion,
no deletion, or no replay).
Message Authentication Requirements
1. Disclosure: Release of message contents.
2. Traffic analysis: Analyses the traffic and observe the pattern of
traffic between parties.
3. Masquerade: Insertion of messages into the network from a
fraudulent source.
4. Content modification: Changes to the contents of a message.
5. Sequence modification: Any modification to a sequence of
messages between parties.
6. Timing modification: Delay or replay of messages.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by
destination.
Message Authentication Requirements
1. Disclosure Requires Message
2. Traffic analysis Confidentiality
3. Masquerade
4. Content modification Requires Message
Authentication
5. Sequence modification
6. Timing modification
7. Source repudiation Requires Digital
Signature
8. Destination repudiation
Authentication Functions
Types of functions that may be used to produce an authenticator.
1) Message Encryption: Ciphertext of the entire message serves as
its authenticator
2) Message Authentication Code(MAC): A function of the message
and a secret key that produces a fixed length value that serves as
the authenticator.
3) Hash Function: A function that maps a message of any length
into a fixed-length hash value, which serves as the authenticator.
Message Encryption
Source A Destination B

M E D M

K 𝑬(𝑲, 𝑴) K
(a) Symmetric encryption : confidentiality and authentication

M E D M

PUb 𝑬(PUb, 𝑴) PRb

(b) Public-key encryption : confidentiality

Message Encryption
M E D M

PRa 𝑬(PR𝒂, 𝑴) PUa

(c) Public-key encryption : authentication and signature

M E E D D M

PRa 𝑬(PR𝒂, 𝑴) PUb E(PUb ,E(PR𝒂, 𝑴)) PRb E(PR𝒂, 𝑴) PUa

(d) Public-key encryption : confidentiality, authentication, and signature

Message Authentication Code
▪ An alternative authentication technique involves the use of a
secret key to generate a small fixed-size block of data, known as a
cryptographic checksum or MAC.
▪ MAC is appended to the message. This technique assumes that
two communicating parties, say A and B, share a common secret
key K.
▪ When A has a message to send to B, it calculates the MAC as a
function of the message and the key.

MAC = C ( K , M )
Message Authentication Code
Source A Destination B
C
M K ll M
Compare
K
C
C(K, M)
(a) Message authentication
▪ The receiver is assured that the message has not been altered.
▪ If an attacker alters the message but does not alter the MAC, then
the receiver’s calculation of the MAC will differ from the received
MAC.
Message Authentication Code
▪ The receiver is assured that the message is from the alleged
sender.
▪ Because no one else knows the secret key, no one else could
prepare a message with a proper MAC.
▪ A MAC function is similar to encryption. One difference is that the
MAC algorithm need not be reversible, as it must be for
decryption.
Message Authentication Code
Source A Destination B
C
M K1 ll E D M
Compare
K1
C K2 K2
E(K2, [M||C(K1, M)]) C(K1, M)
(b) Message authentication and confidentiality; authentication tied to plaintext
E(K2, M)
D
E ll C
M K1 M
Compare K2
K2 K1
C

C(K1, E(K2, M))

(c) Message authentication and confidentiality; authentication tied to ciphertext
Hash Function
▪ A hash function H accepts a
variable-length block of data M
as input and produces a fixed-
size hash value h = H(M).
▪ A “good” hash function has the
property that the results of
applying a change to any bit or
bits in M results, with high
probability, in a change to the
hash code.
Input-Output behaviour of hash functions
Message Message
digest
Alice was beginning to get very tired of
sitting by her sister on the bank, and have H DFDC349A
nothing to do.

I am not a crook H FB93E283

I am not a cook H A3F4439B

Applications of Cryptographic Hash Functions
1. Message authentication
2. Digital Signature
3. One-way password file
1. Message Authentication
▪ Message authentication is a mechanism or service used to verify
the integrity of a message.
▪ Message authentication assures that data received are exactly as
sent (i.e., contain no modification, insertion, deletion, or replay).
▪ When a hash function is used to provide message authentication,
the hash function value is often referred to as a message digest.
Message authentication method - 1
Source A Destination B
H
M ll E D M
Compare
H K K
H(M)
E (K, [ M || H(M)])
▪ Only A and B share the secret key, the message must have come
from A and has not been altered.
▪ The hash code provides the structure required to achieve
authentication.
▪ Because encryption is applied to the entire message plus hash
code, confidentiality is also provided.
Message authentication method - 2
Source A Destination B
H
M ll M Compare
K K

H E D
E(K, H(M))

▪ Only the hash code is encrypted, using symmetric encryption.

▪ This reduces the processing burden for those applications that do
not require confidentiality.
Message authentication method - 3
Source A Destination B
ll H
M ll M S
Compare

S ll H
H(M || S)
▪ It is possible to use a hash function but no encryption for message
authentication.
▪ A and B share a common secret value S.
▪ A computes the hash value over the concatenation of M and S
and appends the resulting hash value to M. Because B possesses
S, it can recompute the hash value to verify the message.
▪ An opponent cannot modify an intercepted message.
Message authentication method - 4
Source A Destination B
ll H
E D M S
M ll
Compare

ll H K K
S
H(M || S)
E (K, [ M || H(M || S)])

▪ Confidentiality can be added to the approach of method (3) by

encrypting the entire message plus the hash code.
MAC (Message Authentication Code)
▪ More commonly, message authentication is achieved using a MAC
also known as keyed hash function.
▪ MACs are used between two parties that share a secret key to
authenticate information exchanged between those parties.
▪ A MAC function takes as input a secret key and a data block and
produces a hash value, referred to as the MAC.
▪ The combination of hashing and encryption results in an overall
function that is a MAC (Method -2 in previous slide).

MAC = C ( K , M )
Digital Signature
▪ A digital signature is a mathematical technique used to validate
the authenticity and integrity of a message, software or digital
document.
▪ The operation of the digital signature is similar to that of the MAC.
▪ In the case of the digital signature, the hash value of a message is
encrypted with a user’s private key.
▪ Anyone who knows the user’s public key can verify the integrity of
the message that is associated with the digital signature.
Digital Signature
▪ How are we going to efficiently compute signatures of large
messages?
X1 X2 … XN

Kpr Sig Kpr Sig Kpr Sig

S1 S2 … SN

Three Problems
▪ Computational overhead
▪ Message overhead
▪ Security limitations
• Attacker could re-order or re-use signed blocks.
Digital Signature
Solution:
▪ Instead of signing the whole message, sign only a digest (=hash)
Also secure, but much faster.
▪ Needed: Hash Functions
X1 X2 … XN

Kpr Sig

S
Digital Signature method - 1
Source A Destination B
H
M ll M Compare
PRa PUa

H E D
E(PRa, H(M))

▪ The hash code is encrypted, using public-key encryption with the

sender’s private key.
▪ This provides authentication.
▪ It also provides a digital signature, because only the sender could
have produced the encrypted hash code.
Digital Signature method - 2
Source A Destination B
H
M ll E D M
PRa PUa Compare

H E K K D
E(PRa, H(M))
E (K, [ M || E(PRa, H(M)])

▪ If confidentiality as well as a digital signature is desired, then the

message plus the private-key-encrypted hash code can be
encrypted using a symmetric secret key.
Requirements for hash functions
1. Can be applied to any length of message M.
2. Produces fixed-length output h.
3. It is easy to compute h=H(M) for any message M.
4. Given hash value h is infeasible to find y such that (H(y) = h)
• One-way property (In other words, given a fingerprint, we
cannot derive a matching message).
5. For given block x, it is computationally infeasible to find
y ≠ x with H(y) = H(x)
• Weak collision resistance
6. It is computationally infeasible to find messages m1 and m2 with
H(m1) = H(m2)
• Strong collision resistance
MAC Based on Hash Functions - HMAC
▪ Cryptographic hash functions such as MD5 and SHA generally
execute faster in software than symmetric block ciphers such as
DES.
▪ Library code for cryptographic hash functions is widely available.
Design objectives for HMAC
▪ To use available hash functions without modifications.
▪ To allow for easy replaceability of the embedded hash function in
case faster or more secure hash functions are found or required.
▪ To preserve the original performance of the hash function without
incurring a significant degradation..
▪ To use and handle keys in a simple way.
▪ To have a well understood cryptographic analysis of the strength
of the authentication mechanism based on reasonable
assumptions about the embedded hash function.
K+ ipad
HMAC Structure
b bits b bits b bits

Si Y0 Y1 … YL-1 1. Append zeros to the left end of K to

create a b-bit string K+
n bits 2. XOR K+ with ipad to produce the b-
IV Hash
bit block Si.
n bits
3. Append M to Si.
K+ opad 𝐻(𝑆𝑖||𝑀) 4. Apply H to the stream generated in
Pad to b bits
step 3.
n bits 5. XOR K+ with opad to produce the b-
So bit block S0.
6. Append the hash result from step 4
IV
n bits
Hash to S0.
n bits 7. Apply H to the stream generated in
𝐻𝑀𝐴𝐶(𝐾, 𝑀) step 6 and output the result.
HMAC Structure
▪ H = Embedded hash function (e.g. MD5, SHA-1, RIPEMD-160).
▪ IV = Initial value that is input to hash function.
▪ M = Message input to HMAC.
▪ Yi = i th block of M.
▪ L = Number of blocks in M.
▪ N = Length of hash code produced by embedded hash function.
▪ K + = K padded with zeros on the left so that the result is b bits in
length.
▪ ipad = 00110110 (36 in hexadecimal) repeated b/8 times.
▪ opad = 01011100 (5C in hexadecimal) repeated b/8 times.
MAC based on Block Ciphers
▪ The Data Authentication Algorithm (DAA) based on DES, has been
one of the most widely used MACs for a number of years.
▪ The algorithm can be defined as using the cipher block chaining
(CBC) mode of operation of DES with an initialization vector of
zero.
P1 P2 PN
IV CN-1
K K K
Encrypt Encrypt … Encrypt

C1 C2 CN
 Data Authentication Algorithm (DAA)
Time = 1 Time = 2 Time = N
D1
D2 DN
(64 bits)

K DES DES DES

K K
(56 bits) Encrypt Encrypt
… Encrypt

O1
O2 ON
(64 bits)
Data Authentication Algorithm (DAA)

𝑂1 = 𝐸 𝐾, 𝐷1
𝑂2 = 𝐸 𝐾, 𝐷2 ⊕ 𝑂1
𝑂3 = 𝐸(𝐾, 𝐷3 ⊕ 𝑂2 )
.
.
𝑂𝑁 = 𝐸(𝐾, 𝐷𝑁 ⊕ 𝑂𝑁−1 )
Data Authentication Algorithm (DAA)
▪ The data (e.g. message, record, file, or program) to be
authenticated are grouped into contiguous 64-bit blocks D1, D2, …,
Dn.
▪ If necessary, the final block is padded on the right with zeroes to
form a full 64-bit block.
▪ Using the DES encryption algorithm E and a secret key K, a data
authentication code (DAC) is calculated.
Simple Hash Function
▪ The input (message, file, etc.) is viewed as a sequence of n-bit
blocks.
▪ The input is processed one block at a time in an iterative fashion
to produce an n-bit hash function.
▪ One of the simplest hash functions is the bit-by-bit exclusive-OR
(XOR) of every block.
𝑪𝒊 = 𝒃𝒊𝟏 ⊕ 𝒃𝒊𝟐 ⊕ … ⊕ 𝒃𝒊𝒎
Where,
𝐶𝑖 = ith bit of the hash code 1 ≤ i ≤ n
m = number of n-bit blocks in the input
𝑏𝑖𝑗 = ith bit in jth block
SHA - Secure Hash Algorithm
SHA - 1 SHA - 224 SHA - 256 SHA - 384 SHA - 512
Message
160 224 256 384 512
Digest Size
Message Size < 264 < 264 < 264 < 2128 < 2128
Block Size 512 512 512 1024 1024
Word Size 32 32 32 64 64
Number of
80 64 64 80 80
Steps
SHA - 512
▪ The algorithm takes input as a message with a maximum length of
less than 2128 bits and produces output as a 512-bit message
digest.
▪ The input is processed in 1024-bit blocks.
Message Digest Generation using SHA - 512

Message (L bit) 10000…0 L

M1 (1024 bits) M2 (1024 bits) MN (1024 bits)

F F F

+ + +

IV=H0 H1 (512 H2 (512 HN (512

bits) bits) bits)
Step - 1 Append Padding Bits
▪ The message is padded so that its length is congruent to 896
modulo 1024 [length ≡ 896(mod 1024)].
▪ Padding is always added, even if the message is already of the
desired length.
▪ Thus, the number of padding bits is in the range of 1 to 1024.
▪ The padding consists of a single 1 bit followed by the necessary
number of 0 bits.
Step - 2 Append Length
▪ A block of 128 bits is appended to the message.
▪ This block is treated as an unsigned 128-bit integer (most
significant byte first) and contains the length of the original
message (before the padding).
Step-1 and Step-2 Example
Example:
▪ Given is the message “abc” consisting of three 8-bit ASCII
characters with a total length of l =24 bits.
A B C
01100001 01100010 01100011

▪ We append a “1” followed by k = 871 zero bits, where k is

determined by
k≡ 896−(l+1)=896−25=871 mod 1024.
▪ Finally, we append the 128-bit value which contains the binary
representation of the length l =2410 =110002.
▪ The padded message is then given by
A B C Append Length
01100001 01100010 01100011 10000..0 00..011000
Step - 3 Initialize hash buffer
▪ The outcome of the first two steps produces a message that is an
integer multiple of 1024 bits in length.
▪ The expanded message is represented as the sequence of 1024-bit
blocks M1 , M2, … , MN, so that the total length of expanded
message is N X 1024 bits.
▪ A 512-bit buffer is used to hold intermediate and final results of
the hash function. The buffer can be represented as eight 64-bit
registers (a, b, c, d, e, f, g, h).
Step - 4 Process message in 1024-bit (128-word) blocks

▪ The heart of the algorithm is a module that consists of 80 rounds

and this module is labelled as F function.
SHA - 512 Processing of a Single 1024-Bit Block
Mi Hi-1

Message
schedule
a b c d e f g e 64
W0 K0
Round 0

a b c d e f g e 64
W79 K79
Round 79

+ + + + + + + +

Hi
SHA - 512 Processing of a Single 1024-Bit Block
▪ Each round takes as input the 512-bit buffer value, abcdefgh, and
updates the contents of the buffer.
▪ At input to the first round, the buffer has the value of the
intermediate hash value, Hi-1.
▪ Each round t makes use of a 64-bit value Wt, derived from the
current 1024-bit block being processed.
▪ The output of the eightieth round is added to the input to the first
round (Hi-1) to produce Hi.
Step – 5 Output
▪ After all Nth block of 1024-bit have been processed, the output
from the Nth stage is the 512-bit message digest.
SHA - 512 Round Function
SHA - 512 Round Function – Cont…
a b c d e f g h

Ch +
Ʃ Maj

+ Ʃ +

+ +
+ Wt

+ Kt

a b c d e f g h
 ℎ=𝑔
𝑔=𝑓
𝑓=𝑒
𝑒 = 𝑑 + 𝑇1
𝑑=𝑐
𝑐=𝑏
𝑏=𝑎
𝑎 = 𝑇1 + 𝑇2

512
𝑇1 = ℎ + Ch 𝑒, 𝑓, 𝑔 + ෍ 𝑒 + 𝑊𝑡 + 𝐾𝑡
1
512
𝑇2 = ෍ 𝑎 + Maj 𝑎, 𝑏, 𝑐
0
SHA - 512 Round Function Elements
▪ Maj(a,b,c) = (a AND b) XOR (b AND c) XOR (a AND c) Majority of
arguments are true.
▪ Conditional function = (e AND f) XOR (NOT e and g)
▪ ∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
▪ ∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
▪ + = addition modulo 264
▪ Kt = a 64-bit additive constant.
▪ Wt = a 64-bit word derived from plaintext.
▪ ROTR = Circular right shift rotataion