
MODULE 4

Authentication Requirements
▪In a communication network, the
following attacks can be identified:
1. Disclosure: Release of message contents to any
person or process not possessing the appropriate
cryptographic key.
2. Traffic analysis: Discovery of the pattern of
traffic between parties. In a connection-oriented
application, the frequency and duration of
connections could be determined. In either a
connection-oriented or connectionless
environment, the number and length of messages
between parties could be determined.
3. Masquerade: Insertion of messages into the
network from a fraudulent source. This includes
the creation of messages by an opponent that
purport to come from an authorized entity.
Also included are fraudulent acknowledgments of
message receipt or nonreceipt by someone other
than the message recipient.
4. Content modification: Changes to the contents
of a message, including insertion, deletion,
transposition, and modification.
5. Sequence modification: Any modification to a
sequence of messages between parties, including
insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In
a connection-oriented application, an entire session or
sequence of messages could be a replay of some
previous valid session, or individual messages in the
sequence could be delayed or replayed.
7. Source repudiation: Denial of transmission of
message by source
8. Destination repudiation: Denial of receipt of message
by destination

Message authentication is a procedure to verify that
received messages come from the alleged source and
have not been altered. Message authentication may
also verify sequencing and timeliness. It also includes
measures to counter repudiation.
Authentication Functions

▪Authentication functions are used to verify the authenticity of a message.
▪An authenticator is needed to authenticate the
message.
▪Types of Functions to provide authentication:
1. Message encryption: The ciphertext of the entire
message serves as its authenticator.
2. Message authentication code (MAC): A function of
the message and a secret key that produces a
fixed-length value that serves as the authenticator.
3. Hash function: A function that maps a message of
any length into a fixed-length hash value, which
serves as the authenticator.
1) Message Encryption

▪Message encryption by itself can provide
a measure of authentication.
Symmetric Encryption
Asymmetric Encryption
Asymmetric Encryption (authentication
& signature)
Asymmetric Encryption (confidentiality,
authentication & signature)
2) Message Authentication Code
▪An alternative authentication technique
to encryption.
▪It involves the use of a secret key to generate
a small fixed-size block of data, known as a
cryptographic checksum or MAC that is
appended to the message.
▪It acts as a fixed size authenticator.
▪It is then appended to the message.
▪This technique assumes that two
communicating parties, say A and B, share
a common secret key K.
▪When A has a message to send to B, it
calculates the MAC as a function of
the message and the key.
MAC = C(K, M)
Where:
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
▪The message plus MAC are transmitted to
the intended recipient.
▪The recipient performs the same calculation
on the received message, using the same
secret key, to generate a new MAC.
▪The received MAC is compared to
the calculated MAC.
▪If only the receiver and the sender know the
identity of the secret key, and if the
received MAC matches the calculated
MAC, then:
a) The receiver is assured that the message has not
been altered. If an attacker alters the message but
does not alter the MAC, then the receiver's
calculation of the MAC will differ from the
received MAC. Because the attacker doesn’t
know the secret key, the attacker cannot alter the
MAC to correspond to the alterations in the
message.
b) The receiver is assured that the message is from
the alleged sender. Because no one else
knows the secret key, no one else could
prepare a message with a proper MAC.
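The exchange above as a runnable sketch (an added example, not part of the original slides). HMAC-SHA256 stands in for the MAC function C, and a sequence number is included in the MAC input so that the receiver can also check sequencing, as the definition of message authentication earlier in this module allows; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def mac(key: bytes, seq: int, message: bytes) -> bytes:
    """MAC = C(K, seq || M); HMAC-SHA256 stands in for C (an assumption)."""
    return hmac.new(key, struct.pack(">Q", seq) + message, hashlib.sha256).digest()


def send(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender A: transmit seq || M || MAC."""
    return struct.pack(">Q", seq) + message + mac(key, seq, message)


class Receiver:
    """Receiver B: recompute the MAC, compare, then enforce sequencing."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("packet too short")
        (seq,) = struct.unpack(">Q", packet[:8])
        message, tag = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, mac(self.key, seq, message)):
            raise ValueError("MAC mismatch: altered or wrong sender")
        if seq != self.next_seq:
            raise ValueError("replayed or out-of-order message")
        self.next_seq += 1
        return message


def demo() -> dict:
    key = b"constructed-shared-key-K"       # sample key, constructed
    receiver = Receiver(key)
    p0 = send(key, 0, b"pay 10 to Carol")   # sample message, constructed
    results = {"valid": receiver.receive(p0)}
    tampered = p0.replace(b"10", b"99")     # content modification in transit
    for name, pkt in (("tampered", tampered), ("replayed", p0)):
        try:
            receiver.receive(pkt)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the sequence number, so an unauthenticated packet never influences the receiver's state.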
Basic Uses of Message Authentication Code (MAC)
▪Authentication
▪Authentication and confidentiality
Authentication tied to plaintext
▪Authentication tied to ciphertext
Properties/ Requirements
▪A MAC function is similar to encryption. One
difference is that the MAC algorithm need not be
reversible, as an encryption algorithm must be for decryption.
▪The MAC function is a many-to-one function.
□ Potentially many messages can have the same MAC
□ But finding these needs to be very difficult
▪Knowing a message and its MAC, it is infeasible to
find another message with the same MAC.
▪The MAC should be uniformly distributed, i.e. it should
depend equally on all bits of the message.
▪It is a one-way function.
▪The security of the scheme generally
depends on the bit length of the key.
▪If an opponent observes M and C(K, M), it
should be computationally infeasible for the
opponent to construct a message M' such
that C(K, M') = C(K, M).
3) Hash Functions
▪A hash value h is generated by a function H of the
form
h = H(M)
▪where M is a variable-length message and H(M) is
the fixed-length hash value.
▪The hash is much smaller than the input data,
hence hash functions are sometimes
called compression functions.
▪The hash value is appended to the message at the
source.
▪The receiver authenticates that message by
recomputing the hash value.
▪Unlike a MAC, a hash code does not use a
key but is a function only of the input
message.
▪The hash code is also referred to as a
message digest or hash value.
▪The hash code is a function of all the bits
of the message.
▪A change to any bit or bits in the
message results in a change to the hash
code.
▪There are a variety of ways in which a hash code can
be used to provide message authentication:
1. Message confidentiality and authentication
2. Authentication, with symmetric encryption applied to the
hash code. Reduced processing burden for applications
that do not require confidentiality.
3. Authentication, with the hash code
encrypted using asymmetric
encryption. Provides a digital signature.
4. Confidentiality and digital signature
5. Computing the hash value over a secret key
S. No confidentiality.
6. Confidentiality provided to the above
scheme
Requirements for a Hash Function
▪A hash function H must have the
following properties:
1. H can be applied to a block of data of any
size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given
x.
4. A hash is a many-to-one function, so collisions
can happen.
5. For any given value h, it is computationally
infeasible to find x such that H(x) = h. This is
sometimes referred to as the one-way property.
6. For any given block x, it is computationally
infeasible to find y ≠ x such that H(y) = H(x).
This is referred to as weak collision resistance.
7. It is computationally infeasible to find any pair
(x, y) such that H(x) = H(y). This is
sometimes referred to as strong collision
resistance.
Birthday Attacks

▪A birthday attack is a type of
cryptographic attack that belongs to a
class of brute force attacks.
▪It uses the mathematics behind the
birthday problem in probability theory.
Birthday paradox problem:
□ In probability theory, the birthday paradox
concerns the probability that, in a set of randomly
chosen people, some pair of them will have the
same birthday.
□ The goal is to compute the probability P(A), that at
least two people in the room have the same
birthday.
□ However, it is simpler to calculate P(A'), the
probability that no two people in the room have the
same birthday. Because A and A' are the only two
possibilities and are also mutually
exclusive, P(A) = 1 − P(A').
□ Let us assume there are 23 different people in a
room.
□ The probability, P(1), that Person 1 does not share
his/her birthday with previously analyzed people is
100%.
⇒ The probability for Person 1 can also be written as
365/365.
□ The only previously analyzed person is Person 1.
The probability, P(2), that Person 2 has a different
birthday than Person 1 is 364/365.
□ Similarly, if Person 3 is born on any of the 363
days of the year other than the birthdays of Persons
1 and 2, Person 3 will not share their birthday.
This makes the probability P(3) = 363/365.
▪P(A') is equal to the product of these Individual
probabilities:

▪Finally, P(A') = 0.492703
▪Now, as P(A) = 1 − P(A'),
P(A) = 1 − 0.492703 = 0.507297, or 50.7%.
So the probability that two people in a group of 23
have the same birthday is 50.7%.
▪Hash Functions and the Collision Problem
□ A hash code is a function that takes a variable
length message M and produces a fixed length
message digest.
□ Assuming the length of the digest is m, there
are 2^m possible message digests.
□ Because the length of M will generally be
greater than m, more than one
message will be mapped to the same digest.
□ According to the birthday paradox, if an attacker
applies k random messages, there is a probability
of 0.5 that at least one duplicate hash code (i.e. H(x)
= H(y) for some inputs x, y) will occur.
□ The opponent prepares a number of messages, all
of which are variations of the fraudulent message to
be substituted for the real one.
□ The two sets of messages are compared to find a
pair of messages that produce the same hash code.
The probability of success is greater than 0.5.
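The birthday calculation and its consequence for digest length, as an added example (not part of the original slides). It reproduces the 23-person figure, then goes beyond the slide by finding an actual collision on a hash code truncated to 24 bits and by estimating the 50% point for the 128-bit and 160-bit digests covered later in this module; the truncated SHA-256 and all function names are assumptions made for the demonstration.

```python
import hashlib
import math


def p_shared(k: int, n: int = 365) -> float:
    """P(A) = 1 - P(A'): at least two of k samples from n values coincide."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n      # 365/365 * 364/365 * 363/365 * ...
    return 1.0 - p_distinct


def samples_for_half(n: int) -> int:
    """Smallest k with P(A) >= 0.5, extending the product term by term."""
    k, p_distinct = 0, 1.0
    while 1.0 - p_distinct < 0.5:
        p_distinct *= (n - k) / n
        k += 1
    return k


def collision_work_bits(m: int) -> float:
    """log2 of k ~ sqrt(2 ln 2 * 2^m), the 50% point for an m-bit digest."""
    return 0.5 * (m + math.log2(2 * math.log(2)))


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for an m-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct inputs until two share a digest; return (x, y, tries)."""
    seen = {}
    counter = 0
    while True:
        x = b"msg-%d" % counter        # constructed sample messages
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1


if __name__ == "__main__":
    print("P(A) for 23 people:", round(p_shared(23), 6))
    print("people needed for 50%:", samples_for_half(365))
    x, y, tries = find_collision(24)
    print("24-bit collision:", x, y, "after", tries, "hashes")
    for m in (128, 160):
        print("%d-bit digest: about 2^%.1f hashes" % (m, collision_work_bits(m)))
```

A 24-bit code has about 16.7 million possible values, yet a collision appears after only a few thousand hashes; the collision resistance of an m-bit digest is therefore about m/2 bits.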
Security of Hash Functions and MACs
▪We can group attacks on hash functions
and MACs into two categories:

□ Brute-force attacks
□ Cryptanalysis
▪Brute-Force Attacks
The nature of brute-force attacks differs
somewhat for hash functions and
MACs.

▪Hash Functions
□ The strength of a hash function against brute-force
attacks depends solely on the length of the hash
code produced by the algorithm.
□ There are three desirable properties:
1. One-way
2. Weak collision resistance
3. Strong collision resistance
▪Message Authentication Codes
□ A brute-force attack on a MAC is more difficult
because it requires known message-MAC pairs.
□ A hash code can be attacked in the
following way. Given a fixed message x with n-bit
hash code h = H(x), a brute-force method of
finding a collision is to pick a random bit string y
and check if H(y) = H(x). The attacker can do this
repeatedly off line.
□ An off-line attack on a MAC also depends on the key
size.
□ The security property of a MAC algorithm can be
expressed as follows:
□ Computation resistance: Given one or more
message-MAC pairs, it is computationally
infeasible to compute any message-MAC pair (x,
C(K, x)) for any new input x ≠ xi.
□ There are two attacks possible here:
1. Attack the key space
2. Attack the MAC value
▪Cryptanalysis
□ Cryptanalytic attacks on hash functions and MAC
algorithms try to exploit some property of the
algorithm to perform some attack other than an
exhaustive search as in a brute-force attack.
Hash Algorithms

A few hash algorithms:

▪MD5
▪SHA-1
MD5

▪Designed by Ronald Rivest in 1989
▪Also called the message digest algorithm
▪The initial version is MD2. Later on, other
message digest algorithms were
proposed, i.e. MD4 and MD5.
▪Length of input message is arbitrary.
▪Block size = 512 bits
▪Produces a 128-bit hash
value (message digest).
MD5 Logic
1. Append padding bits
□ Padding means adding extra bits to the
original message.
□ Padding is done so that the total length in bits is 64
less than a multiple of 512.
□ In the padding bits, only the first bit is 1 and the rest
of the bits are 0 (1000…)
2. Append Length
□ After padding, 64 bits are appended at the end
which is used to record the length of the original
input.
□ At this point, the resulting message has a
length multiple of 512 bits.
3. Initialize MD buffer
□ A 128-bit buffer is used to hold the intermediate
and final results of the hash function.
□ A four-word buffer (A, B, C, D) is used to hold the
values for the message digest.
□ Here A, B, C, D are each 32-bit registers (128 bits in total)
and are initialized in the following way:
4. Processing message in 16-word blocks
□ Process message in 512-bit (16-word) blocks.
□ Each block contains 16 words of 32 bits each. These are
denoted as M0 ... M15.
□ Uses a compression function that consists of 4
rounds of processing.
□ All 4 rounds have similar structure.
□ Each round uses a different logical function:
F, G, H, I.
□ Each round consists of 16 operations (total = 64
operations).
5. Output
□ The output from the last stage is the 128-bit
message digest.
compression function
Auxiliary Functions

▪Each auxiliary function takes three 32-bit
words as input and gives a 32-bit word as output.
F(B, C, D) = (B ∧ C) ∨ (¬B ∧ D)
G(B, C, D) = (B ∧ D) ∨ (C ∧ ¬D)
H(B, C, D) = B ⊕ C ⊕ D
I(B, C, D) = C ⊕ (B ∨ ¬D)
▪Each step is of the
form

▪Where a, b, c, d – the four words of the
buffer, in a specified order that varies
across steps
▪g – one of the primitive functions F, G, H, I
▪<<<s – circular left shift (rotation) of
the 32-bit argument by s bits
Strength of MD5

▪Every hash bit is dependent on all
message bits.
▪The complex repetition of the basic
functions (F, G, H, I) produces results that are
well mixed.
▪Security is as good as possible for a 128-bit
hash.
Secure Hash Algorithm (SHA)
▪Was developed by National Institute of
Standards and Technology (NIST).
▪Different versions of SHA :
■ SHA-1 (Message digest size 160 bits)
■ SHA-256 (Message digest size 256 bits)
■ SHA-384 (Message digest size 384 bits)
■ SHA-512 (Message digest size 512 bits)
SHA-1 Algorithm
Introduction
▪ Algorithm takes as input message with maximum length < 2^64 bits.
▪ Plaintext Block Size= 512 bits.
▪ Output ->Message digest = 160 bits
▪ 4 stages of 20 rounds each -> 4*20= 80 rounds
▪ No: of rounds= 80
▪ Each 512 size message block contains -> 16 , 32-bit words
▪ Operates on words-> each round uses word= 32 bits.
▪ Each Round -> constant K (round constant)
▪ Uses a chaining Process.
▪ Hash Buffers-> 5 buffers each of size 32 bits -> total 160 bits
✔ Store intermediate results
✔ Store Output hashcode
✔ Size-> 32 bit
Steps

1. Append Padding Bits
2. Append Length
3. Initialize Hash Buffer
4. Process the message in 512-bit blocks
5. Output
Append Padding Bits and Length
▪Prior to applying the compression function,
we need to divide the message into 512-bit
blocks x1, x2, ..., xn.
▪Each 512-bit block can be subdivided into
16 words of 32 bits each.
Message Digest Generation
Message block and hash buffer
▪ Operates on words
▪ Each block consists of sixteen 32-bit words
(512 bits).
▪ A 160-bit buffer is used to store intermediate and final
results.
▪ There are five 32-bit registers (= 160 bits) named
A, B, C, D, E
Initialise the Hash buffer

▪A 160-bit buffer is used to hold the initial
hash value for the first iteration.
▪ The five 32-bit words are fixed and given
in hexadecimal notation as:
□ A = 67 45 23 01
□ B = EF CD AB 89
□ C = 98 BA DC FE
□ D = 10 32 54 76
□ E = C3 D2 E1 F0 .
Compression function

▪Heart of the algorithm.
▪Each message block xi is processed in
four stages of 20 rounds each.
▪Uses a message schedule which computes a
32-bit word W0,W1,...,W79 for each of the
80 rounds.
▪The four SHA-1 stages have a similar
structure but use different internal functions ft
and constants Kt, where 1 ≤ t ≤ 4
Round Functions and Round Constants
SHA-1 Single Round Operation
Round Function
Creation of 80-word Input Sequence
Processing of Single Block
DIGITAL SIGNATURE

▪Message authentication protects two parties
who exchange messages from any third party.
▪However, it does not protect the two
parties against each other.
▪ Several forms of dispute between the two
are possible.
▪Consider the following disputes that
could arise:
□ B may forge a different message and claim that it
came from A. B would simply have to create a
message and append an authentication code using
the key that A and B share.
□ A can deny sending the message. Because it is
possible for B to forge a message, there is no way to
prove that A did in fact send the message.
▪In situations like these where there is no
complete trust between sender and receiver,
something more than authentication is
needed.
▪The most attractive solution to this problem
is the digital signature.
▪It must have the following properties:
□ It must verify the author and the date and time of
the signature.
□ It must authenticate the contents at the
time of the signature.
□ It must be verifiable by third parties, to resolve
disputes.
▪The digital signature function also includes
the authentication function.
▪Requirements for a digital signature:
□ The signature must be a bit pattern that depends on
the message being signed.
□ The signature must use some information unique to
the sender, to prevent both forgery and denial.
□ It must be relatively easy to produce the digital
signature.
□ It must be relatively easy to recognize and verify
the digital signature.
□ It must be computationally infeasible to forge a
digital signature.
▪Two approaches to digital signature:
1. Direct
2. Arbitrated

1. Direct Digital Signature

▪ The direct digital signature involves only
the communicating parties (source,
destination).
▪A digital signature can be formed in 2 ways:
□ By encrypting the entire message with the sender's
private key
□ by encrypting a hash code of the message with the
sender's private key.
▪Confidentiality can be provided by further
encrypting the entire message plus signature
with either the receiver's public key (public-key encryption) or a
shared secret key (symmetric encryption).
▪Perform the signature function first and then
an outer confidentiality function.
▪Direct schemes have a common weakness:
□ The validity of the scheme depends on the security
of the sender's private key. If a sender later wishes to
deny sending a particular message, the sender can claim
that the private key was lost or stolen and that
someone else forged his or her signature.
□ This can be avoided by prompt reporting of
compromised keys to a central authority and the
use of timestamps.
2. Arbitrated Digital Signature
▪ The problems associated with direct
digital signatures can be addressed by
using an arbiter.
▪ Every signed message from a sender X to
a receiver Y goes first to an arbiter A, who
subjects the message and its signature to a
number of tests to check its origin and
content.
▪ The message is then dated and sent to Y
with an indication that it has been verified
to the satisfaction of the arbiter.
▪The presence of A solves the problem faced
by direct signature schemes: that X might
disown the message.
▪All parties must have a great deal of trust
in the arbitration mechanism. Uses a
trusted system.
Arbitrated Digital Signature Techniques
a) Conventional Encryption, Arbiter Sees Message

(1) X→A : M||E(Kxa, [IDX||H(M)])
(2) A→Y : E(Kay, [IDX||M||E(Kxa, [IDX||H(M)])||T])
▪ In this scheme, Y cannot directly check X's
signature, the signature is there to settle disputes.
▪ Y considers the message from X authentic
because it comes through A.
▪Both sides must have a high degree of trust
in A:
□ X must trust A not to reveal Kxa and not to
generate false signatures.
□ Y must trust A to send E(Kay, [IDX||M||E(Kxa,
[IDX||H(M)])||T]) only if the hash value is correct
and the signature was generated by X.
□ Both sides must trust A to resolve disputes fairly.
Disadvantage
▪A is able to read messages from X to Y,
and so is any eavesdropper.
b) Conventional Encryption, Arbiter does not
see message
(1) X→A : IDX||E(Kxy, M)||E(Kxa, [IDX||H(E(Kxy, M))])
(2) A→Y : E(Kay,[IDX||E(Kxy, M)])||E(Kxa, [IDX||H(E(Kxy, M))||T])
Disadvantage
▪ Arbiter could form an alliance with the sender to
deny a signed message, or with the receiver to
forge the sender's signature.
c) Public-Key Encryption, Arbiter does not see
message

(1) X→A : IDX||E(PRx, [IDX||E(PUy, E(PRx, M))])
(2) A→Y : E(PRa, [IDX||E(PUy, E(PRx, M))||T])

Disadvantage
▪Double encryption complexity
DIGITAL SIGNATURE STANDARD (DSS)
▪NIST published the DSS.
▪It is one of the schemes of digital signature.
▪Uses the SHA hash algorithm
▪DSS is the standard, DSA is the algorithm.
▪Creates a 320-bit signature.
▪Was originally proposed in 1991 and
revised in 1993
DSS Approach

▪There are 2 approaches to digital
signature:
1. RSA Approach
2. DSS Approach
1. RSA Approach
2. DSS Approach

Sig: signature function
k: random number
PUG: global public key
r and s are the result of the signature
Ver: verification function
Digital Signature Algorithm

▪GLOBAL PUBLIC KEY COMPONENTS (PUG)

Shared global public key values (p, q, g):
□ Select a large prime p with 2^(L-1) < p < 2^L, where L = 512 to
1024 bits and is a multiple of 64
□ Choose q, a prime divisor of (p-1)
□ Compute g = h^((p-1)/q) mod p,
where 1 < h < p-1 and g > 1
▪Choose private key and compute public
key:
User's private key (PRa)
□ Choose x, a random number with 0 < x < q
User's public key (PUa)
□ y = g^x mod p
▪User's Per-Message Secret Number
□ Generate a random integer k, with 0 < k < q
□ Note: k must be random, be destroyed after use,
and never be reused
▪DSA Signature Creation
Computes signature pair:
□ r = (g^k mod p) mod q
□ s = [k^(-1) (H(M) + x·r)] mod q
▪Sends signature (r, s) with message M
▪DSA Signature Verification
Having received M and signature (r, s)
□ Consider it as M', r', s'
To verify a signature, recipient computes:
w = (s')^(-1) mod q
u1 = [H(M')·w] mod q
u2 = (r'·w) mod q
v = [(g^u1 · y^u2) mod p] mod q
If v = r' then the
signature is verified
Authentication Protocols

▪Used to convince parties of each
other's identity and to exchange
session keys.
▪Key issues are :
□ Confidentiality: to protect session keys.
□ Timeliness: to prevent replay attacks.
1. Mutual Authentication Protocol
2. One-way Authentication Protocol

1. Mutual Authentication

▪This protocol enables communicating parties
to satisfy themselves mutually about each
other's identity and to exchange session keys.
▪Here session key information must be
communicated in encrypted form to
provide essential identification.
▪This protocol prevents replay attack
using nonces/ timestamp.
▪Mutual Authentication follows 2 approaches:
□ Symmetric Encryption approach
□ Public-Key encryption approach
Symmetric Encryption
▪This strategy involves the use of a trusted
key distribution center (KDC).
▪Each party in the network shares a secret
key with the KDC.
▪This key is called the session key to be
used for a short time
Needham and Schroeder Protocol
▪Initially proposed by Needham and
Schroeder for secret key distribution using
KDC
▪Disadvantage
▪The protocol is still vulnerable to a form
of replay attack.
▪Suppose that an opponent, X, has been able
to compromise an old session key.
▪X can impersonate A and trick B into using
the old key by simply replaying step 3.
▪Unless B remembers indefinitely all
previous session keys used with A, B will be
unable to determine that this is a replay.
Denning Protocol

▪Denning proposes to overcome this
weakness by a modification to the Needham/Schroeder
protocol that includes the addition
of a timestamp to steps 2 and 3.
▪Disadvantage
1. Requires clock synchronisation throughout
the network, and the distributed clocks can
become unsynchronised due to faults in
the clocks.