Module: 3- Data Integrity and Authentication
Introduction
System security depends upon the proper design of a system, and its management.
Network security monitors authorized access and it prevents misuse of network resources.
Authentication is a process that verifies the identity of the user who accesses the particular system.
It is one of the pillars for information assurance.
The authentication involves with single-level factor (user name) or multilevel factors (user name,
password, finger print).
The authentication function generates Message Authentication Code (MAC) that is derived from
message and secrete key.
Hash function is an important element of message authentication technique. It gets various size input
and produces fixed size hash value.
Hash function uses compression function repetitively to generate n-bit output. In digital signature
procedure, the hash value uses private and public keys for processing.
1
�HASH FUNCTIONS
A hash function H accepts a variable-length block of data M
as input and produces a fixed-size hash value h = H(M).
A change to any bit or bits in M results, with high probability,
in a change to the hash value.
The kind of hash function needed for security applications is
referred to as a cryptographic hash function.
When a hash function is used to provide message
authentication, the hash function value is often referred to
as a message digest.
Applications of Cryptographic Hash Functions
Figure below illustrates a variety of ways in which a hash code can be used to provide message
authentication, as follows.
2
�(a) The message plus concatenated hash code is encrypted using symmetric encryption. Encryption is
applied to the entire message plus hash code, confidentiality is also provided.
(b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for
those applications that do not require confidentiality.
(c) The technique assumes that the two communicating parties share a common secret value S. A
computes the hash value over the concatenation of M and S and appends the resulting hash value to M.
Because B possesses S, it can recompute the hash value to verify.
3
�(d) Confidentiality can be added to the approach by encrypting the entire message plus the hash code.
Secure Hash Algorithms (SHA)
Secure Hash Algorithms (SHAs) are cryptographic algorithms that provide data integrity and
authentication.
4
�SHA Family
They are published by the National Institute of Standards and Technology (NIST).
The SHA algorithms differ mostly in security strengths. It also differs in block size, word size. They are
believed to have good randomized features.
It is a deterministic function that takes arbitrary length block of data (message) and performs
randomness process and returns a fixed size string called as hash value.
It takes message of any length less than 2128 bit as input and results message digest as output ranges
from 160 to 512 bit.
1. SHA-0: This is the first incarnation of SHA that is published in 1993 and withdrawn so early because
of undisclosed significant flaw.
2. SHA-1: This is the second version of SHA. It was released in 1994. It is considered as successor of
MD5 but slower than MD5. It results 160-bit hash value. The standard was not approved for most of
the applications after 2010. It is commonly used in many security protocols and applications.
3. SHA-2: The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-
224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. Security of SHA-2 is still unsure.
5
� 4. SHA-3: The SHA-3 family consists of six hash functions with digests (hash values) that are 128, 224, 256, 384 or 512 bits:
SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256.This is a hash function is also called as Keccak. It
works like other SHA family and it shows significant change in its internal structure. TLS, SSL, SSH and PGP
applications use SHA.
NOTE: The SHA algorithms specify that it is not possible to find the message from hash value. It also
ensures that two different messages do not produce the same hash value.
Properties of SHA
A cryptographic hash function must have some properties to withstand for cryptanalytic attacks
and to be useful for authentication.
1. One-way: The one-way property is defined as ‘It is infeasible to find any data mapping between
message and message digest and to find any message M that hashes to that value’.
2. Weak collision-resistant: The weak collision-resistant property is defined as ‘It should be difficult to
find another input y for an input x such a way that they both hash to the same value h(y) = h(x),
where x ≠ y’.
6
� 3. Collision resistance: The collision-free property is defined as ‘It is computationally infeasible to find
two inputs x and y in such a way that h(y) = h(x).’
SHA-512 Algorithm
The algorithm takes variable length input message and produces a fixed size output 512-bit hash value also
called the message digest. The input is processed in 1024-bit blocks.
Block Diagram of SHA-512
7
�1. Padding Process
Step 1: Append padding bits.
The message is padded so that its length is congruent to 896 modulo 1024 [length K 896(mod 1024)]. The
padding consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2: Append length. A block of 128 bits is appended to the message. This block is treated as an unsigned
128-bit integer (most significant byte first) and contains the length of the original message in bits (before the
padding). The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in
length. The expanded message is represented as the sequence of 1024-bit blocks M1, M2,…., MN, so that the
total length of the expanded message is N * 1024 bits.
Example -1: Consider the input message “abc”
Represent in binary: 01100001 01100010 01100011
Message_Length = 24 bits
Needed Message_Length ≡896 mod 1024
8
�Message_Length mod 1024 = 896
24 + 872 mod 1024 = 896
No. of bits padded are 872. The padding consists of 1 followed by 871 0’s.
Message Length = 24 + 872 = 896
Total length of message = 896 + 128 = 1024
No. of message blocks = 1024/1024 = 1 block
Represent in binary: 01100001 01100010 01100011
9
�Message_Length = 24
In Hex,
Example-2.The length of the original message is 2590 bits. How many padding bits are required?
Solution:
Message_Length ≡ 896 mod 1024
2590 mod 1024 = 542
2590 + 354 mod 1024 = 896
10
�The padding consists of one 1 followed by 353 0’s.
Message_Length = 2590 + 354 = 2944
Total length of message = 2944 + 128 = 3072
No. of message blocks = 3072/1024 = 3 blocks
Practice Problem: What will be the number of padding bits required in SHA 512 if the length of the original
message is 96, 1919, 2348, and 5460 bit length? Find out the message length, number of blocks, minimum
padding bits and maximum padding bits. Show their hexadecimal representation per block.
2. Use of Buffers and initialization
Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash
function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are
initialized to the following 64-bit integers (hexadecimal values):
11
�These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of
the first eight prime numbers. These values are stored in big-endian format, which is the most significant
byte of a word in the low-address (leftmost) byte position.
First prime number is 2
Square root of 2 = 1.414213562373
0. 414213562373 * 2 = 0.82842712= 0
0.845828241 * 2 = 1.65685424= 1
0. 65685424 * 2 = 1.31370848= 1
0.31370848* 2 = 0.62741696= 0
0. 62741696 *2 = 1.25483392= 1
0. 25483392* 2 = 0.50966784=0
0. 50966784 * 2 = 1.01933568= 1
0.01933568 * 2 = 0.03867136 = 0
011010110 .......... (in binary)
6A ...... (in Hex)
12
�Step 4: Process message in 1024-bit (128-byte) blocks. The heart of the algorithm is a module that
consists of 80 rounds; this module is labelled F in SHA-512 block diagram.
3. Processing of a Single Round
Each round takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer. At
input to the first round, the buffer has the value of the intermediate hash value, Hi-1. Each round t makes
use of a 64-bit value Wt, derived from the current 1024-bit block being processed (Mi). These values are
derived using a message schedule described subsequently. Each round also makes use of an additive
constant Kt, where 0 … t … 79 indicates one of the 80 rounds.
13
�SHA-512 Round Function
Each round is defined by the following set of equations:
14
�4. Word Generation:
The remaining words (Qword) from W16 to W79 are generated using the following formula:
15
�SHA-512 Constants(K): Table below shows these constants in hexadecimal format (from left to right). These
words represent the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers.
The constants provide a “randomized” set of 64-bit patterns, which should eliminate any regularities in the
input data.
Example: ROUND CONSTANT GENERATION
80th prime no. is 409
Cubic root of 409 = 7.42291412044
16
�0.42291412044 * 2 = 0.845828241 = 0
0.845828241 * 2 = 1.691656482 = 1
0.691656482 * 2 = 1.383312964 = 1
0.383312964 * 2 = 0.766625928 = 0
0.766625928 *2 = 1.533251856 = 1
0.533251856 * 2 = 1.066503712 =1
0.066503712 * 2 = 0.133007424 = 0
0.133007424 * 2 = 0.266014848 = 0
...
...
...
...
=> 01101100 ........... (in binary)
=> 6c ...... (in hexa)
17
�5. Buffer Operations per Round
18
�Example: In SHA-512, assume that the buffers ‘a’, ‘b’, ‘c’, ‘e’, ‘f’, and ‘g’ contains the hexa-decimal value
22221111BBBB2222, 22221111CCCC2222, 22221111DDDD2222 , 99991111FFFF2222, AAAA2222FFFF3333,
and AAAA333300004444 respectively. Compute and determine the value of Ch (e, f, g) and Maj (a, b, c).
Show the steps of your work.
Solution:
Ch function Calculation
19
�20
�Maj function Calculation
21
�Step 5 Output. After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-
bit message digest.
MESSAGE AUTHENTICATION
Message authentication deals the protection of message with integrity i.e. it ensures that content of the
message is not modified or altered. It also checks the identity of the message sender and non-repudiation
of the origin. . i.e. it checks whether the received messages are originated from the original sender.
Message Authentication Requirements
In the context of communications across a network, the following attacks can be identified.
Disclosure: In this type, the original data during transmission is opened by unintended users.
Traffic analysis: The pattern of data communication between two parties are observed by the attacker
to determine whether the traffic is connection oriented or connectionless. According to this constraint,
the attacker can guess the communication between the users and guess the data and the type.
Masquerade: Insertion of messages into the network from a fraudulent source. This includes the
creation of messages by an opponent that are purported to come from an authorized entity. Also
22
� included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than
the message recipient.
Content modification: Attackers can do some additions, modifications and change of contents to the
original message.
Sequence modification: Delay or replay of messages. In a connection-oriented application, an entire
session or sequence of messages could be a replay of some previous valid session, or individual
messages in the sequence could be delayed or replayed. In a connectionless application, an individual
message (e.g., datagram) could be delayed or replayed.
Example:
Original Message sequence: 10 20 30 40 50 60
Modified sequence by attacker: 10 30 50 20 40 60
Timing modification: In connection-oriented communication, the messages are going in sequence and
timely based as some live relay contents will be played. Here, the attackers do some programs to delay
the connection-oriented packets sent and make it meaningless.
Source repudiation: Denial of transmission of message by source.
Destination repudiation: Denial of receipt of message by destination.
23
�Counter Measures:
The first two attacks are in the realm of message confidentiality.
Attacks (3) through (6) in the foregoing list are generally regarded as message authentication.
Attack (7) come under the heading of digital signatures. Generally, a digital signature technique will
also counter some or all of the attacks listed under items (3) through (6). Dealing with item (8) may
require a combination of the use of digital signatures and a protocol designed to counter this attack.
To summarize, message authentication is a procedure to verify that received messages come from the
alleged source and have not been altered. Message authentication may also verify sequencing and
timeliness. A digital signature is an authentication technique that also includes measures to counter
repudiation by the source.
Message Authentication Techniques
To generate an authenticated message, any one of the following functions can be used.
1. Hash function: A function that maps a message of any length into a fixed-length hash value, which serves
as the authenticator.
24
�2. Message encryption: The ciphertext of the entire message serves as its authenticator.
3. Message authentication code (MAC): A function of the message and a secret key that produces a fixed-
length value that serves as the authenticator.
Message encryption: Message encryption by itself can provide a measure of authentication. The analysis
differs for symmetric and public-key encryption schemes.
SYMMETRIC ENCRYPTION: Consider the straightforward use of symmetric encryption (Figure 12.1a). A
message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B.
25
�No other party knows the key, then confidentiality is provided: No other party can recover the plaintext of
the message.
26
�MESSAGE AUTHENTICATION CODE (MAC)
An alternative authentication technique involves the use of a secret key to generate a small fixed-size block
of data, known as a cryptographic checksum or MAC that is appended to the message. This technique
assumes that two communicating parties, say A and B, share a common secret key K. When A has a message
to send to B, it calculates the MAC as a function of the message and the key:
MAC = C (K, M)
The message plus MAC are transmitted to the intended recipient.
The recipient performs the same calculation on the received message, using the same secret key, to
generate a new MAC.
27
� The received MAC is compared to the new MAC. If the received MAC matches the calculated MAC,
then
1. The receiver is assured that the
message has not been altered.
2. If an attacker alters the message
but does not alter the MAC, then the
receiver’s calculation of the MAC will
differ from the received MAC.
o The receiver is assured that the
message is from the alleged
sender. Because no one else
knows the secret key, no one
else could prepare a message
with a proper MAC.
28
� 3. If the message includes a sequence number (such as is used with HDLC, X.25, and TCP), then the
receiver can be assured of the proper sequence because an attacker cannot successfully alter the
sequence number.
Hash Message Authentication Code (HMAC)
Hash-based MAC is called as HMAC.
HMAC verifies both data integrity and authentication simultaneously like other MAC.
HMAC works on message and secret key with any cryptographic hash functions like MD5 and SHA-1.
The strength of HMAC depends upon the strength of cryptographic function used, size and quality of
the key and the size of the resultant hash output.
HMAC has been chosen as the mandatory-to-implement MAC for IP security, and is used in other
Internet protocols, such as SSL.
HMAC has also been issued as a NIST standard (FIPS 198).
Applications
Verification of e-mail address during activation or creation of an account.
29
� Authentication of form data that is sent to the client browser and then submitted back.
HMACs can be used for Internet of things (IoT) due to less cost.
Whenever there is a need to reset the password, a link that can be used once is sent without adding a
server state.
It can take a message of any length and convert it into a fixed-length message digest. That is even if
you got a long message, the message digest will be small and thus permits maximizing bandwidth.
Design Objectives
The following are design objectives of HMAC.
• Use existing hash functions without correction.
• Replace existing hash function with embedded hash function for the need of more secure hash
functions.
• Maintain the level of performance of the hash function without modifying its significance.
• Use and handle keys in flexible way.
30
�• Preserve a well-understood cryptographic analysis and authentication mechanism with reasonable
assumptions in the embedded hash function.
The first two objectives are important for the acceptability of HMAC. The last objective makes HMAC more
popular over other proposed hash-based algorithms as the embedded hash function has some reasonable
cryptographic strength.
HMAC Algorithm
Define the following terms.
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) RIPEMD-160 -RACE Integrity Primitives
Evaluation Message Digest
Works like SHA-1; Uses 5 rounds and 5 buffers. Operations performed are left rotation of words and
bitwise operations such as AND, NOT, Ex-OR and OR
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded hash function)
31
�L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash
function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length HMAC Structure
32
�HMAC Structure
33
�Digital Signature
Digital signature is one of the most important inventions in modern cryptography. The necessity
behind the invention of digital signature is a user, who has to sign a message such that intended
addressee alone can verify the digital signature.
Some salient features of digital signature are enumerated as follows:
1. It depends on the message signed.
2. It must use information which is unique to sender for prevention of both forgery and
repudiation.
3. It must be relatively easy to generate and verify. A digital signature should be
computationally infeasible to regenerate by adversaries to avoid fraudulent digital
signature.
Uses of Digital Signature
Digital signatures are mainly used for authentication purpose. i.e. the receiver can be sure of sender’s
identity and that the message arrived is intact with the help of digital signature.
34
� A digital signature can be used for any form of message. Digital signatures are transportable. It cannot
be imitated by someone else. It can be automatically time-stamped.
It is used to convince communicating parties with each other’s identity and exchange their session
keys.
It is an electronic format of signature that can be used by a person to authenticate the identity of
message’s sender or identity of document’s signer.
It ensures that the original signed message reached, so that sender cannot easily repudiate it later.
Digital Signature vs. Digital Certificate
Digital signature and digital certificate are security measures, which are different in their usage and
generation aspects.
Digital signature generates checksum for information that has to be sent, which can be verified by
recipient that information is unaltered.
For example, a person has to send a signed Microsoft word as an attachment in an e-mail. The e-mail
attachment in transit can be obtained by a hacker using man-in the-middle attack and can insert
malicious piece of code with this attachment.
35
� The checksum of altered attachment will be different from checksum of sent attachment. Hence the
recipient is alerted that the content was modified in some way from the original with the aid of
checksum.
Digital certificates are used for verification of website’s trustworthiness, while digital signatures are
used to verify information authentication.
In case of digital certificates, an organization can ensure the website’s security if and only if digital
certificates are issued by organization itself or by a trusted certification source, like Verisign Inc.
Although the website has certificated from trusted source, it can be insecure because hacker can
infiltrate this website to modify its content.
1. Digital Signature Standard
Digital Signature Standard (DSS) was developed by the U.S. National Security Agency (NSA) for the
generation of digital signature to authenticate electronic documents.
In 1994, DSS was put forth by the National Institute of Standards and Technology (NIST).
36
� The US government standard for authentication of electronic documents is DSS, which is specified in
Federal Information Processing Standard (FIPS) 186.
DSS/DSA approach
The DSA uses an algorithm that is designed to provide only the digital signature function. Unlike RSA,
it cannot be used for encryption or key exchange.
Nevertheless, it is a public-key technique.
DSA uses public key and private key for generation and verification of digital signatures.
DSA key pair is based on two large prime
numbers, p and q, where (p – 1) mod q = 0.
The DSA approach also makes use of a hash
function.
The hash code is provided as input to a
signature function along with a random
number k and the sender’s private key (PRa) and a public key (PUG).
37
� The result is a signature consisting of two components, labelled s and r.
DSA Signing and Verifying
38
�The Digital Signature Algorithm (DSA)
39
�Example:
Key Generation
1. Alice chooses prime number p = 11 and q = 5, H(M) = 54, h = 2 and x = 3.
2. Calculate g = h (p –1)/q mod p = 2(11 – 1)/5 mod 11 = 20/5 mod 11 = 4 mod 11 = 4.
3. y = gx mod p = 43 mod 11 = 64 mod 11 = 9.
4. Alice publish the public key (11, 5, 4, 9).
Signature Generation
5. Alice selects k = 3 such that gcd(3, 5) = 1.
6. Alice computes Signature = (r, s)
r = (gk mod p) mod q = (43 mod 11) mod 5 = (64 mod11) mod 5 = 9 mod 5= 4.
s = [k-1 (H(M) + xr)] mod q = 3−1 (54 + 3 * 4) mod 5 = 1/3(66) mod 5 = 22 mod 5 = 2.
Alice sends the message with the signature (4, 2) to Bob.
Signature Verification:
40
�Bob verifies Alice’s signature as follows:
1. Compute w = (s′)-1 mod q = 2−1 mod 5 = 3.
2. Compute u1 = [H(M′)w] mod q = 54 * 3 mod 5 = 162 mod 5 = 2.
3. Compute u2 = (r′)w mod q = 4 * 3 mod 5 = 12 mod 5 = 2.
4. Compute
v = [(gu1yu2) mod p] mod q = (42 * 92 mod 11) mod 5 = (1296 mod 11) mod 5) = 9 mod 5 = 4 = r’
Signature has been checked and verified successfully.
Practice Problems:
1. Using DSA Signature, perform signature generation and verification for the given parameters, p=23, q=11,
H(M)=11, h=7, x=5.
2. Using DSA Signature, perform signature generation and verification for the given parameters p = 48731
and q = 443, H(M) = 343, h = 7 and x = 242.
41
�2. ElGammal Digital Signature
As with Elgamal encryption, the global elements of Elgamal digital signature are a prime number q and
α, which is a primitive root of q.
Key Generation
User A generates a private/public key pair as follows.
42
�43
�Example:
44
�Practice Problems
1. Using Elgammal Signature Scheme, perform signature generation and verification for the given
parameters, p=23, α=10, m=11 and K=5.
2. Using Elgammal Signature Scheme, perform signature generation and verification for the given
parameters p = 43 and 𝖺 = 23, m = 433 and K = 242.
3. RSA Signature Scheme
The abbreviation for RSA is the last name of three person named Ron Rivest, Adi Shamir and Leonard
Adleman, who first publicly described this algorithm in 1977. This can be used for encryption as well as
signature generation and verification.
45
� Signature
Verification
Example:
1. Alice selects p = 7, q = 13.
2. Calculate n = p * q = 7 * 13 = 91
3. Calculate ϕ (n) = (p − 1) * (q − 1) = 6 * 12 = 72.
4. Choose e = 5 such that gcd (5, 72) = 1.
5. Calculate d ≡ e−1 mod (ϕ (n)) = 5−1 mod 72 = 29.
46
� Public Key (5, 91) and Private Key (29, 91).
Signature Generation
Alice signs the message w = 35.
Calculate s = wd mod n = 3529 mod 91 = 42
Alice sends the signature, sign (w, s) = sign (35, 42) to Bob.
Signature Verification:
Bob verifies the received message by calculating w from σ as
w = σd mod n = 425 mod 91 = 35.
Practice Problems:
1. Using RSA digital signature scheme, perform digital signature and verification for the values p=17, q=31,
w= 94.
2. Perform signature and verification using RSA digital signature for the values p = 487 and q = 443, w = 343.
47
