MODULE 4 : Authentication Protocols

Cryptographic Hash functions

Applications
Requirements
SHA 512
MAC requirements
Security
HMAC
Digital Signature
Security requirements of Hash Function
Preimage resistent
 For given any h value, it is infeasible to find y such that
 H(y) = h
 H(student) =
Second preimage resistant
H(student) =

The property of a hash function that it is computationally

infeasible to find any second input that has the same output as a
given input.
MODULE 4 : Authentication Protocols
Cryptographic Hash functions
Applications
Requirements
SHA 512
MAC requirements
Security
HMAC
Digital Signature
Introduction to Secure Hash Algorithm
 The original specification of the algorithm was published in 1993
under the title Secure Hash Standard (SHA-0) by US Government
standards agency NIST (National Institute of Standards and
Technology)
 It was withdrawn by the NSA shortly after publication and was
superseded by the version published in and commonly designated
SHA-1
 SHA-1 is a cryptographic hash function which takes an input and
produces a 160 bit hash value known as a message digest typically
rendered as a hexadecimal number, 40 digits long.
SHA - 512
 Since 2005, SHA – 1 has not been considered secure against well
funded opponents.
 As of 2010 many organizations have recommended its
replacement.
 NIST formally deprecated use of SHA-1 in 2011 and disallowed its
use for digital signature in 2013
 The SHA -2 includes significant changes from its predecessor SHA-1.
 The SHA-2 family consists of 6 hash function with hash values that
are 224, 256, 384, 512 bits. SHA -224, SHA-256, SHA-384, SHA-512,
SHA-512/224, SHA-512/256.
 SHA-256 and SHA-512 are novel hash function computed with 32 bit
and 64 bits words respectively.
Overview of SHA-512
SHA – 512 Logic
 The algorithm takes as input a message with a maximum length of less than
2128 bits and produces as output a 512 bit message digest. The input is
processed in 1024 bit blocks.
 The algorithm takes as input a message with a maximum length of less than
2128 bits and produces as output a 512 bit message digest. The input is
processed in 1024 bit blocks.
 Append padding bits.
 The message is padded so that its length is congruent to 896 modulo 1024
 Ie length 896 mod 1024.
 Padding always added, even if the message is already of the desired
length. Thus the number of padding bits in the range of 1 to 1024. The
padding consists of a single 1 bit followed by the necessary number of o
bits.
Padding example
 Consider the input message “abc”
 Represent in binary “abc” = 01100001 01100010 01100011
 Message length = 24 bits
 Required
 Message length 896 mod 1024
 Message length mod 1024 = 896
 24+872 mod 1024 = 896
 872 bits padded …. 1 bit followed by 871 zeroes.
Padding example
 6162638000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000
Append length
 Pad the original length of the message for 128 bits at the end.
 “abc” = 01100001 01100010 01100011
 Message length = 24 bits
 Hexadecimal value of 24 is 18.
 Message length represented in 128 bits in hexadecimal is 0000000000000000
0000000000000018
 6162638000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000000000 0000000000000000 0000000000000000 0000000000000018
Exercises
 Consider the message “COME” represented in binary, find padding bits and
represent as per required format in SHA-512 algorithm
 67…. 01000011
 79… 01001111
 77… 01001101
 69…. 01000101
Exercises
 Consider the message “Hi” represented in binary, find padding bits and
represent as per required format in SHA-512 algorithm
 H… 01001000
 i….. 01101001
Padding and length field in SHA-512

 The length of the padding field can be calculated as follows. Let |M| be the
length of the original message and |P| be the length of the padding field.
 (|M| + |P| + 128) = 0 mod 1024 → |P| = (− |M| − 128) mod 1024
 The format of the padding is one 1 followed by the necessary number of 0s.
Exercises
 What is the number of padding bits if the length of the
original message is 2590 bits?
 (|M| + |P| + 128) = 0 mod 1024
 |P| = (− |M| − 128) mod 1024
 |P| = (− 2590 −128) mod 1024
 = −2718 mod 1024 = 354
Exercise
How many bits you will pad for input message
length of 2348 bits?
 (|M| + |P| + 128) = 0 mod 1024
 |P| = (− |M| − 128) mod 1024
 |P| = (− 2348 −128) mod 1024
 = −2476 mod 1024 = 596
Exercise
 How many bits you will pad for input message length of
5348 bits?
 How many bits you will pad for input message length of
2048 bits?
Words
 SHA-512 operates on words; it is word oriented.
 A word is defined as 64 bits.
 This means that, after the padding and the length field are added to the
message, each block of the message consists of sixteen 64-bit words.
 The message digest is also made of 64-bit words, but the message digest is
only eight words and the words are named A, B, C, D, E, F, G, and H
Word Expansion
 Before processing, each message block must be
expanded. A block is made of 1024 bits, or sixteen 64-bit
words.
 we need 80 words in the processing phase. So the 16-
word block needs to be expanded to 80 words, from W0
to W79.
Word Expansion
Word Expansion
Generation of a word
 Show how W60 is made.
 Each word in the range W16 to W79 is made from four previously-made
words. W60 is made as
 W60 = W44 ⊕ RotShift1-8-7 (W45) ⊕ W53 ⊕ RotShift19-61-6 (W58)
Message Digest Initialization
 The algorithm uses eight constants for message digest initialization.
We call these constants A0 to H0 to match with the word naming
used for the digest

 The values are calculated from the first eight prime numbers (2, 3, 5,
7, 11, 13, 17, and 19). Each value is the fraction part of the square
root of the corresponding prime number after converting to binary
and keeping only the first 64 bits.
 (100.0101 1011 1110 . . . 1001)2 → (4.5BE0CD19137E2179)16
Compression Function
 SHA-512 creates a 512-bit (eight 64-bit words) message digest from a
multiple-block message where each block is 1024 bits. The processing of
each block of data in SHA512 involves 80 rounds
 In each round, the contents of eight previous buffers, one word from the
expanded block (Wi ), and one 64-bit constant (Ki ) are mixed together and
then operated on to create a new set of eight buffers.
 At the beginning of processing, the values of the eight buffers are saved into
eight temporary variables. At the end of the processing (after step 79),
these values are added to the values created from step 79.
Compression function
Structure of Each Round
 In each round, eight new values for the 64-bit buffers are
created from the values of the buffers in the previous
round.
 six buffers are the exact copies of one of the buffers in
the previous round as shown below:
A→BB→CC→DE→FF→GG→H
 Two of the new buffers, A and E, receive their inputs from
some complex functions that involve some of the
previous buffers, the corresponding word for this round
(Wi ), and the corresponding constant for this round (Ki ).
Structure of Each Round
Structure of Each Round
Structure of Each Round
 1. The Majority function, as we call it, is a bitwise function. It takes three
corresponding bits in three buffers (A, B, and C) and calculates
 (Aj AND Bj ) ⊕ (BjAND Cj ) ⊕ (Cj AND Aj )
 The resulting bit is the majority of three bits. If two or three bits are 1’s, the
resulting bit is 1; otherwise it is 0.

 2. The Conditional function, as we call it, is also a bitwise function. It takes

three corresponding bits in three buffers (E, F, and G) and calculates
 (EjAND Fj ) ⊕ (NOT EjAND Gj )
 The resulting bit is the logic “If Ej then Fj ; else Gj ”.
Structure of Each Round
 3. The Rotate function, as we call it, right-rotates the three instances of the
same buffer (A or E) and applies the exclusive-or operation on the results.
 Rotate (A): RotR28(A) ⊕ RotR34(A) ⊕ RotR29(A)
 Rotate (E): RotR28(E) ⊕ RotR34(E) ⊕ RotR29(E)

 4. The right-rotation function, RotRi (x), is the same as the one we used in the
word expansion process. It right-rotates its argument i bits; it is actually a
circular shift right operation.
 5. The addition operator used in the process is addition modulo 2^64. This
means that the result of adding two or more buffers is always a 64-bit word.
 6. There are 80 constants, K0 to K79, each of 64 bits Similar to the initial
values for the eight digest buffers, these values are calculated from the first
80 prime numbers (2, 3,…, 409).
Round constant
Round constant
 Each value is the fraction part of the cubic root of the corresponding prime
number after converting it to binary and keeping only the first 64 bits. For
example, the 80th prime is 409, with the cubic root
 (409)1/3 = 7.42291412044.
 (111.0110 1100 0100 0100 . . . 0111)2 → (7.6C44198C4A475817)16
Example
 We apply the Majority function on buffers A, B, and C. If the leftmost
hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively,
what is the leftmost digit of the result?
 Solution The digits in binary are 0111, 1010, and 1110.
 a. The first bits are 0, 1, and 1. The majority is 1. We can also prove it using
the definition of the Majority function:
 (0AND 1) ⊕ (1AND 1) ⊕ (1AND 0) = 0 ⊕ 1 ⊕ 0 = 1
 b. The second bits are 1, 0, and 1. The majority is 1.
 c. The third bits are 1, 1, and 1. The majority is 1.
 d. The fourth bits are 1, 0, and 0. The majority is 0.
 The result is 1110, or 0xE in hexadecimal.
Example
 We apply the Conditional function on E, F, and G buffers. If the leftmost
hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what
is the leftmost digit of the result?
 The digits in binary are 1001, 1010, and 1111.
 a. The first bits are 1, 1, and 1. Since E1 = 1, the result is F1, which is 1.
 We can also use the definition of the Condition function to prove the result:
 (1 AND 1) ⊕ (NOT 1AND 1) = 1 ⊕ 0 = 1
 b. The second bits are 0, 0, and 1. Since E2 is 0, the result is G2, which is 1.
 c. The third bits are 0, 1, and 1. Since E3 is 0, the result is G3, which is 1.
 d. The fourth bits are 1, 0, and 1. Since E4 is 1, the result is F4, which is 0. The
result is 1110, or 0xE in hexadecimal.
Analysis
 With a message digest of 512 bits, SHA-512 expected to be resistant to all
attacks, including collision attacks.
 It has been claimed that this version’s improved design makes it more
efficient and more secure than the previous versions. However, more
research and testing are needed to confirm this claim.