Computer science and engineering Network Security and Cryptography

UNIT-IV

Cryptographic Hash Functions

Data Encryption techniques are used to provide the data security and
confidentiality where as hash functions are used to provide Data Integrity.

A hash function H accepts a variable-length block of data M as input and

produces a fixed-size hash value
h = H (M).

Data integrity gives assurance that there is no modification or alteration in the bit(bits) of the original
message(i.e. we receive exactly senders sending message)

Hash function needed for security applications is referred to as a cryptographic hash function.
A cryptographic hash function is an algorithm for which it is computationally infeasible to find either

(a) A data object that maps to a pre-specified hash result (the one-way property)
(b) Two data objects that map to the same hash result (the collision-free property).

Because of these characteristics, hash functions are often used to determine data integrity i.e whether
data has changed or not.

Cryptographic Hash Function:

The general operation of a cryptographic hash function. Typically, the input is padded out to
an integer multiple of some fixed length (e.g., 1024 bits) and the padding includes the value of the

1
ACOE
Computer science and engineering Network Security and Cryptography

length of the original message in bits. The length field is a security measure to increase the difficulty
for an attacker to produce an alternative message with the same hash value.

Applications of Cryptographic Hash Functions (CHF):

CHFs are used in various security applications and Internet protocols

CHF Applications are
1. Message Authentication
2. Digital signatures
3. Other Applications
Message Authentication:
Message authentication is a mechanism or service used to verify the integrity of a message, by assuring
that the data received are exactly as sent.
Various of ways in which a hash code can be used to provide message authentication. Those are

2
ACOE
Computer science and engineering Network Security and Cryptography

Above diagram illustrates a variety of ways in which a hash code can be used to provide message
authentication, as follows:
a. The message plus concatenated hash code is encrypted using symmetric encryption. Since only
A and B share the secret key, the message must have come from A and has not been altered.
The hash code provides the structure or redundancy required to achieve authentication.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing
burden for those applications not requiring confidentiality.
c. Shows the use of a hash function but no encryption for message authentication. The technique
assumes that the two communicating parties share a common secret value S. A computes the
hash value over the concatenation of M and S and appends the resulting hash value to M.
Because B possesses S, it can recompute the hash value to verify. Because the secret value itself
is not sent, an opponent cannot modify an intercepted message and cannot generate a false
message.
d. Confidentiality can be added to the approach of (c) by encrypting the entire message plus the
hash code.
When confidentiality is not required, method (b) has an advantage over methods (a) and (d), which
encrypts the entire message, in that less computation is required.
Digital Signatures :
• Digital signatures are used to provide authentication.
• In the case of the digital signature, the hash value of a message is encrypted with
a user's private key.
• Anyone who knows the user's public key can verify the integrity of the message
that is associated with the digital signature.
• In this case an attacker who wishes to alter the message would need to know the
user's private key

3
ACOE
Computer science and engineering Network Security and Cryptography

In the case of the digital signature, the hash value of a message is encrypted with a user's private key.
Anyone who knows the user's public key can verify the integrity of the message that is associated with
the digital signature. In this case an attacker who wishes to alter the message would need to know the
user's private key.
The implications of digital signatures go beyond just message authentication. Above
diagram illustrates, in a simplified fashion, how a hash code is used to provide a digital signature:
a. The hash code is encrypted, using public-key encryption and using the sender's private key. As
with above diagram, this provides authentication. It also provides a digital signature, because
only the sender could have produced the encrypted hash code. In fact, this is the essence of the
digital signature technique.
b. If confidentiality as well as a digital signature is desired, then the message plus the private-key
encrypted hash code can be encrypted using a symmetric secret key. This is a common
technique.

Other Applications:
Hash functions are commonly used to create a one-way password file. We have special a
scheme in which a hash of a password is stored by an operating system rather than the password
itself. Thus, the actual password is not retrievable by a hacker who gains access to the password
file. In simple terms, when a user enters a password, the hash of that password is compared to
the stored hash value for verification. This approach to password protection is used by most
operating systems.
4
ACOE
Computer science and engineering Network Security and Cryptography

Hash functions can be used for intrusion detection and

virus detection. Store H(F) for each file on a system and secure the hash values (e.g., on a CD-R
that is kept secure). One can later determine if a file has been modified by recomputing H(F).
An intruder would need to change F without changing H(F).

A cryptographic hash function can be used to construct a

pseudorandom function (PRF) or a pseudorandom number generator (PRNG). A common
application for a hash-based PRF is for the generation of symmetric keys.

Hash Function Requirements:

Attacks on Hash Functions :

As with encryption algorithms, there are two categories of attacks on hash functions:
1. Brute-Force Attacks
2. Cryptanalysis.
A brute-force attack does not depend on the specific algorithm but depends only on bit length.
(also known as brute force cracking) is a trial and error method used by application programs to

5
ACOE
Computer science and engineering Network Security and Cryptography

decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through
exhaustive effort (using brute force) rather than employing intellectual strategies.
A cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic
algorithm.
For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y)
is equal to a given hash value h. The brute force method is to pick values of y at random and try
each value until a collision occurs.
BIRTHDAY ATTACK :
A birthday attack is a cryptanalytic technique. Birthday attacks can be used to find
collisions in a cryptographic hash function. For instance, suppose we have a hash
function which, when supplied with a random input, returns one of k equally
likely values. By repeatedly evaluating the function on ..

Secure Hash Algorithm (SHA) :

In recent years, the most widely used hash
function has been the Secure Hash Algorithm (SHA). The Secure Hash Algorithm
(SHA) was developed by the National Institute of Standards and Technology
(NIST) in 1993.Revised version in 1995 and is generally referred to as SHA-1.
SHA is based on the hash function .SHA-1 produces a hash value of 160 bits.
In 2002, NIST produced a revised version of SHA, with hash
value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-
512. Collectively, these hash algorithms are known as SHA-2.

SHA Versions:

SHA- SHA- SHA- SHA-

SHA-1 224 256 384 512
Message 160 224 256 384 512

6
ACOE
Computer science and engineering Network Security and Cryptography

digest
size
Message
size < 264 < 264 < 264 < 2128 < 2128
Block
size 512 512 512 1024 1024
Word
size 32 32 32 64 64
Number
of steps 80 64 64 80 80

SHA-512 Algorithm:

7
ACOE
Computer science and engineering Network Security and Cryptography

The structure of SHA-512, noting that the other versions are quite similar.
SHA-512 follows the structure depicted in above figure.
The processing consists of the following steps:

Step 1: Consider given message and make it as total number of bits in that
message should be multiple of 1024,in such way that initially we add length of
the message as „L‟ in 128 bit format.
Step 2: Append padding bits, consists of a single 1-bit followed by the necessary
number of 0-bits, so that its length is congruent to 896 modulo 1024.
Step 3: Initialize hash buffer of size 512 bits, which is organized as eight 64-bit
registers which are initialized (with 16 hexadecimal digits) as follows

Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart
of the algorithm. Each round takes as input the 512-bit buffer value Hi, and
updates the contents of that buffer.
Step 5: Output the final state value as the resulting hash code.

8
ACOE
Computer science and engineering Network Security and Cryptography

SHA-512 Compression Function:

The SHA-512 Compression Function is the heart of the algorithm.

In this Step , it processes the message in 1024-bit (128-word) blocks, using a
module that consists of 80 rounds, labeled F in the above figure .
Each round takes as input the 512-bit buffer value, and updates the
contents of the buffer. At input to the first round, the buffer has the value of the
intermediate hash value. Each round t makes use of a 64-bit value Wt derived
using a message schedule from the current 1024-bit block being processed. Each
round also makes use of an additive constant Kt, based on the fractional parts of
the cube roots of the first eighty prime numbers. The constants provide a
“randomized” set of 64-bit patterns, which should eliminate any regularities in the
input data. The output of the eightieth round is added to the input to the first round

9
ACOE
Computer science and engineering Network Security and Cryptography

to produce the final hash value for this message block, which forms the input to
the next iteration of this compression function.

SHA-512 Round Function:

In the each round 64-bit word is shuffled along one place, and in some cases
manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs,
ROTates).
The elements n the Round function are:
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Ch indicates conditiona hashing i.e
if e is true then f
else g;
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
Maj indicates Majarity function which select majority true combinations in
ab, ac,bc.
∑(a) = circular right shift on a
∑(e) = circular right shift on e
+ = addition modulo 2^64
10
ACOE
Computer science and engineering Network Security and Cryptography

Kt = a 64-bit additive constant

Wt = a 64-bit word derived from the current 1024-bit input block.
Six of the eight words of the output of the round function involve simply permutation (b,
c, d, f, g, h) by means of rotation. This is indicated by shading in the above Figure .

Only two of the output words (a, e) are generated by substitution.

Word e is a function of input variables d, e, f, g, h, as well as the round word W t and
the constant Kt.
Word a is a function of all of the input variables, as well as the round word W t and the
constant Kt.
Words derivation in SHA-512 Round Function

Above Figure illustrates how the 64-bit word values Wt are derived from the 1024-bit message. The
first 16 values of Wt are taken directly from the 16 words of the current block. The remaining vaues are
defined as follws

Thus, in the first 16 steps of processing, the value of Wt is equal to the corresponding word in the
message block. For the remaining 64 steps, the value of Wt consists of the circular left shift by one bit
of the XOR of four of the preceding values of Wt, with two of those values subjected to shift and rotate

11
ACOE
Computer science and engineering Network Security and Cryptography

operations. This introduces a great deal of redundancy and interdependence into the message blocks
that are compressed, which complicates the task of finding a different message block that maps to the
same compression function output.

Message Authentication:
One of the most fascinating and complex an area of
cryptography is that of message authentication and the related area of digital signatures.
We now consider how to protect message integrity (ie protection from modification), as
well as confirming the identity of the sender.
Message Authentication is concerned with:
 Protecting the integrity of a message
 Validating identity of originator
 Non-repudiation of origin (dispute resolution).
There are three types of functions that may be used to produce an authenticator:
1. hash function.
2. message encryption
3. message authentication code (MAC).
Message Security Requirements:

 Disclosure : Release of message contents

 Traffic analysis : Discovery of the pattern of traffic between parties

 Masquerade : Insertion of messages into the network from a

fraudulent source
 Content modification : modification of the contents of a message
 Sequence modification : modification to a sequence of messages between
parties.
 Timing modification : Delay or replay of messages
 Source repudiation : Denial of transmission of message by source
 Destination repudiation : Denial of receipt of message by destination

12
ACOE
Computer science and engineering Network Security and Cryptography

The first two requirements (Disclosure, Traffic analysis) belong in the realm
of message confidentiality, and are handled using the encryption techniques.
Measures to deal with items 3 through 6 (Masquerade, Content
modification, Sequence modification, Timing modification) are generally regarded as
message authentication.
Mechanisms for dealing specifically with item 7 (Source repudiation) come
under the heading of digital signatures.
Generally, a digital signature technique will also counter some or all of the attacks listed
under items 3 through 6. Dealing with item 8 (Destination repudiation) may require a
combination of the use of digital signatures and a protocol designed to counter this
attack.
Message Authentication Code:
An alternative authentication technique involves the use of a secret key to generate a
small fixed- size block of data, known as a cryptographic checksum or MAC that is
appended to the message.
This technique assumes that two communicating parties, say A and B, share a common
secret key K. When A has a message to send to B, it calculates the MAC as a function of
the message and the key:
MAC = C(K, M).

13
ACOE
Computer science and engineering Network Security and Cryptography

The message plus MAC are transmitted to the intended recipient. The recipient
performs the same calculation on the received message, using the same secret key, to
generate a new MAC. The received MAC is compared to the calculated MAC .
If we assume that only the receiver and the sender know the identity of the secret key,
and if the received MAC matches the calculated MAC, then the receiver is assured that
the message has not been altered, is from the alleged sender, and if the message includes
a sequence number then the receiver can be assured of the proper sequence because an
attacker cannot successfully alter the sequence number. A MAC function is similar to
encryption. One difference is that the MAC algorithm need not be reversible, as it must
for decryption. In general, the MAC function is a many-to-one function.

MAC Properties:
1. a MAC is a cryptographic checksum
MAC = CK(M)
 condenses a variable-length message M
 using a secret key K
 to a fixed-sized authenticator
2.Mac is a many-to-one function
 potentially many messages have same MAC
 but finding these needs to be very difficult

Keyed Hash Functions as MACs:

In recent years, there has been increased interest in developing a MAC derived from a cryptographic
hash function, because they generally execute faster in software than symmetric block ciphers, and
because code for cryptographic hash functions is widely available. A hash function such as SHA was
not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on
a secret key. There have been a number of proposals for the incorporation of a secret key into an
existing hash algorithm, originally by just pre-pending a key to the message. Problems were found with
these earlier, simpler proposals, but they resulted in the development of HMAC.

14
ACOE
Computer science and engineering Network Security and Cryptography

HMAC Design Objectives:

RFC 2104 lists the following design objectives for HMAC:
• To use, without modifications, available hash functions. In particular, hash functions that perform
well in software, and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash
functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism
based on reasonable assumptions about the embedded hash function.

HMAC:

15
ACOE
Computer science and engineering Network Security and Cryptography

Above diagram illustrates the overall operation of HMAC:

HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M)]
where:
K+ is K padded with zeros on the left so that the result is b bits in length
ipad is a pad value is 00110110 it is of 36 hex repeated to fill block
opad is a pad value is 01010110it isof 5C hex repeated to fill block
M is the message input to HMAC (including the padding specified in the embedded hash function)
Note that the XOR with ipad results in flipping one-half of the bits of K. Similarly, the XOR with opad
results in flipping one-half of the bits of K, but a different set of bits. In effect, pseudo randomly
generated two keys from K.

HMAC should execute in approximately the same time as the embedded hash
function for long messages. HMAC adds three executions of the hash compression function (for Si, So,
and the block produced from the inner hash). A more efficient implementation is possible by
precomputing the internal hash function on (K+ XOR opad) and (K+ XOR ipad) and inserting the
results into the hash processing at start & end. With this implementation, only one additional instance
of the compression function is added to the processing normally produced by the hash function. This is
especially worthwhile if most of the messages for which a MAC is computed are short.

Using Symmetric Ciphers for MACs:

We have two Cipher based MACs Those are
1. Data Authentication Algorithm (DAA)
2. cipher-based message authentication code (CMAC)

Data Authentication Algorithm:

16
ACOE
Computer science and engineering Network Security and Cryptography

The Data Authentication Algorithm, based on DES, has been one of the most widely used MACs for a
number of years.
Security weaknesses in this algorithm have been discovered and it is being replaced by newer and
stronger algorithms. The algorithm is shown in the above, and can be defined as using the cipher block
chaining (CBC) mode of operation of DES, with an initialization vector of zero, and 0-pad of the final
block if needed. Resulting MAC can be 16-64 bits of the final block. But this is now too small for
security.
cipher-based message authentication code (CMAC):

17
ACOE
Computer science and engineering Network Security and Cryptography

Above Figure shows the structure of CMAC. It uses the block size of the underlying cipher (ie 128-bits
for AES or 64-bits for triple-DES). The message is divided into n blocks M1..Mn, padded if necessary.
The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on
whether the message was padded or not). For AES, the key size k is 128,192, or 256 bits; for triple
DES, the key size is 112 or 168 bits. The two constants K1 & K2 are derived from the original key K
using encryption of 0 and multiplication in GF(2^n), described as follows

18
ACOE
Computer science and engineering Network Security and Cryptography

Where x is (n-2) zeros followed by 10.

Digital Signatures:
The most important development from the work on public-key cryptography is the digital signature.
Message authentication protects two parties who exchange messages from any third party. However, it
does not protect the two parties against each other either fraudulently creating, or denying creation, of a
message. A digital signature is analogous to the handwritten signature, and provides a set of security
capabilities that would be difficult to implement in any other way.
It must have the following properties:
• It must verify the author and the date and time of the signature
• It must to authenticate the contents at the time of the signature
• It must be verifiable by third parties, to resolve disputes
Thus, the digital signature function includes the authentication function.

Digital Signature Model:

19
ACOE
Computer science and engineering Network Security and Cryptography

This is a generic model of the process of making and using digital signatures. Bob can sign a message
using a digital signature generation algorithm. The inputs to the algorithm are the message and Bob's
private key. Any other user, say Alice, can verify the signature using a verification algorithm, whose
inputs are the message, the signature, and Bob's public key.

Attacks and Forgeries:

[GOLD88] lists the following types of attacks, in order of increasing severity. Here A denotes the user
whose signature is being attacked and C denotes the attacker.
• Key-only attack: C only knows A's public key.
• Known message attack: C is given access to a set of messages and signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to breaks A's
signature scheme, independent of A's public key. C then obtains from A valid signatures for the chosen
messages. The attack is generic because it does not depend on A's public key; the same attack is used
against everyone.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages is
chosen after C knows A's public key but before signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an "oracle." This means the A may
request signatures of messages that depend on previously obtained message-signature pairs.

20
ACOE
Computer science and engineering Network Security and Cryptography

[GOLD88] then defines success as breaking a signature scheme as an outcome in which C can do any
of the following with a non-negligible probability:
• Total break: C determines A's private key. • Universal forgery: C finds an efficient signing algorithm
that provides an equivalent way of constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by C.
• Existential forgery: C forges a signature for at least one message. C has no control over the message.
Consequently this forgery may only be a minor nuisance to A.

Digital Signature Requirements:

 must depend on the message signed
 must use information unique to sender
 to prevent both forgery and denial
 must be relatively easy to produce
 must be relatively easy to recognize & verify
 be computationally infeasible to forge
 with new message for existing digital signature
 with fraudulent digital signature for given message
 be practical save digital signature in storage

Digital Signature Standard (DSS):

DSA is the US Govt approved signature scheme, which is designed to provide strong signatures
without allowing easy use for encryption. The National Institute of Standards and Technology (NIST)
published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard
(DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature
technique, the Digital Signature Algorithm (DSA).
The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback
concerning the security of the scheme. This latest version also incorporates digital signature algorithms
based on RSA and on elliptic curve cryptography. In this section, we discuss the original DSS
algorithm. The DSS uses an algorithm that is designed to provide only the digital signature function.
Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key
technique.

21
ACOE
Computer science and engineering Network Security and Cryptography

Digital Signature Algorithm (DSA)

DSS approach also makes use of a hash function. The hash code is provided as
input to a signature function along with a random number k generated for this particular signature. The
signature function also depends on the sender's private key (PR a) and a set of parameters known to a
group of communicating principals.
We can consider this set to constitute a global public key (PUG). The result is a signature consisting
of two components, labeled s and r. At the receiving end, the hash code of the incoming message is
generated. This plus the signature is input to a verification function. The verification function also
depends on the global public key as well as the sender's public key (PUa), which is paired with the
sender's private key. The output of the verification function is a value that is equal to the signature
component r if the signature is valid. The signature function is such that only the sender, with
knowledge of the private key, could have produced the valid signature.

DSA Key Generation:

 DSA uses shared global public key values (p,q,g):
 choose 160-bit prime number q
 choose a large prime p with 2L-1 < p < 2L
 where L= 512 to 1024 bits and is a multiple of 64
 such that q is a 160 bit prime divisor of (p-1)
 choose g = h(p-1)/q

22
ACOE
Computer science and engineering Network Security and Cryptography

 where 1<h<p-1 and h(p-1)/q mod p > 1

 users choose private & compute public key:
 choose random private key: x<q
 compute public key: y = gx mod p

DSA Signature Creation

To create a signature, a user calculates two quantities, r and s, that are functions of the
public key components (p,q,g), the user‟s private key (x), the hash code of the message
H(M), and an additional integer k that should be generated randomly or pseudo-
randomly and be unique for each signing.
 to sign a message M the sender:
 generates a random signature key k, k<q
 k must be random, be destroyed after use, and never be reused
 then computes signature pair as follows:

23
ACOE
Computer science and engineering Network Security and Cryptography

r = (gk mod p)mod q

s = [k-1(H(M)+ xr)] mod q
signature (r,s)i.e combination of r and s is send with message M

DSA Signature Verification

 After received M & signature (r,s)

 to verify a signature, recipient computes:
w = s-1 mod q
u1= [H(M)w ]mod q
u2= (rw)mod q
v = [(gu1 yu2)mod p ]mod q
 if v=r then signature is verified otherwise message is modified.

24
ACOE