CNS(R16) B.

Tech(CSE) IV Year I Sem

UNIT-IV

Data Integrity, Digital Signature Schemes & Key Management

Message Integrity and Message Authentication, Cryptographic Hash Functions,

DigitalSignature, Key Management.

Message Integrity and Message Authentication

1. Message Integrity:
The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not
integrity.
However, there are occasions where we may not even need secrecy but instead must have
integrity(Data will not changed).

Document and Fingerprint:

One way to preserve the integrity of a document is through the use of a fingerprint.
If Alice needs to be sure that the contents of her document will not be changed, she can put her
fingerprint at the bottom of the document.

Message and Message Digest:

The electronic equivalent of the document and fingerprint pair is the message and digests
pair.To preserve the integrity of a message, the message is passed through an algorithm
called a cryptographic hash function.

Difference:
The two pairs (document / fingerprint) and (message / message digest) are similar, with some
differences.
The document and fingerprint are physically linked together. The messa ge and message
digest can be unlinked separately, and, most importantly, the message digest needs to be

100
CNS(R16) B.Tech(CSE) IV Year I Sem

safe from change.

Note: The message digests needs to be safe from change.

Checking Integrity:

Cryptographic Hash Function Criteria:

A cryptographic hash function must satisfy three criteria

1. Pre-image Resistance
2. Second Pre-image Resistance
3. Collision Resistance.
Preimage Resistance: The hash function must be a one-way function: For any given code h, it is
computationally infeasible to find h-1 .

Second Preimage Resistance: In this criterion, an adversary is provided with the value of

101
CNS(R16) B.Tech(CSE) IV Year I Sem

x and is asked to compute the value of x1 ≠ x, such that h(x) = h(x1).

If it difficult for the attacker to perform this computation we claim that the hash
function is second pre-image resistant.

Collision Resistance: Collision of a hash function is the event when two values x and
x1, such that x1 ≠ x hash to the same value, i.e., h(x) = h(x1).

102
 CNS(R16) B.Tech(CSE) IV Year I Sem

Random Oracle Model:

2. Message Authentication:
 A message digest guarantees the integrity of a message. It guarantees that the
message has not been changed.
 A message digest does not authenticate the sender of the message.
 When Alice sends a message to Bob, Bob needs to know if the messageis
coming from Alice.
 To provide message authentication, Alice needs to provide proof that it is Alice
sending the message and not a fraud.
 The digest created by a cryptographic hash function is normally called a
Modification Detection Code (MDC). This code can detect any
modifications in the message.
 What we need for message authentication is a Message Authentication Code
(MAC).

Modification Detection Code (MDC):

 A modification detection code (MDC) is a message digest that can prove the
integrity of the message: that message has not been changed.
 If Alice needs to send a message to Bob and be sure that the messagewill
not change during transmission,
 Alice can create a message digest, MDC, and send both the message and the MDC to
Bob. Bob can create a new MDC from the message and compare the received MDC and
thenew MDC. If they are the same, the message has not been changed.

103
 CNS(R16) B.Tech(CSE) IV Year I Sem

Message Authentication Code (MAC):

 To ensure the integrity of a message and the data origin authentication – weneed
to change a modification detection code (MDC) to a Message Authentication
Code (MAC).
 The difference between MDC and MAC is that the second include a
secrete key between Alice and Bob.

MAC Security
How can Eve forge a message without having the key?
1. If size of the key allows exhaustive search, Eve may try all possible
keys to digest the message.
2. Use preimageattack.
3. Given some pairs of messages and their MACs, Eve can
manipulate them to come up with a new message and its digest
Note: The security of a MAC depends on the security of the underlying hash
algorithm.

Nested MAC:

 To improve MAC security, nested MACs were designed in which hashing is performed
twice.
 In 1st step, the key is concatenated with the message and is hashed tocreate
an intermediate digest.
 In 2nd step, the key is concatenated with the intermediate digest to create the final digest.
104
 CNS(R16) B.Tech(CSE) IV Year I Sem

HMAC (Hashed MAC):

 HMAC algorithm stands for Hashed or Hash based Message Authentication Code
 it uses the Hashing concept twice, so great resistant to attacker
 HMAC consists of twin benefits of Hashing and MAC
 The working of HMAC starts with taking a message M containing blocks of length bbits.

 An input signature is padded to the left of the message and the whole is given asinput
to a hash function which gives us a intermediate HMAC.

 Intermediate HMAC again is appended to an output signature and the whole is applieda
hash function again, the result is our final HMAC of n bits

105
 CNS(R16) B.Tech(CSE) IV Year I Sem

CMAC (Cipher based MAC)

• This is similar to CBC(Cipher Block Chaining),

• It takes N blocks of message but creates one block of MAC
• The message is divided into N blocks of m-bit size. If last block is not m-bit
size,then
padded with start 1 then 0000…, like 100000…
• The block is encrypted with key K then its output is XOR with the next block for
2 nd
encryption, so on.
• The last block is encrypted with some addtional k value for more scurity.

Cryptographic Hash Functions

A cryptographic hash function takes a message of arbitrary length and

creates a message digest of fixed length, also called hash.
A cryptographic hash function H accepts a variable-length block of data M as input
andproduces a fixed-size hash value.
There are two most promising cryptographic hash algorithms –

 SHA-512

106
 CNS(R16) B.Tech(CSE) IV Year I Sem

 Whirlpool

Iterated Hash Function

All cryptographic functions need to create a fixed size digest out of a variable-size
message. Actually, the hash function is fixed size input function, but performs
number oftimes.
This fixed-size hash function is referred to as a compression function, it compresses m-bit string input to n bit
string.

Merkle-Damgard Scheme

 This is an iterated hash function that is collision resistant

 This is the basis for many cryptographic hash functions today.

107
 CNS(R16) B.Tech(CSE) IV Year I Sem

 Message is divided into t-blocks of n-bit size. If necessary some bits are padded
 The blocks are M1,M2,…Mt and the digest created at each compression function are
H1,H2,…Ht
 Before starting the iteration, the digest H0 is set to fixed Value called IV(initial valueor
initial vector)
The compression function operates on Hi-1 and Mi to create a new Hi. Hi=f(Hi-1,Mi) where f is acompression
function

Hash Functions Invention

 Several Hash functions were designed by Ron Rivest.
 These are MD(Message Digest), MD2, MD4, and MD5
 MD5 takes blocks of size 512-bits and creates 128-bit digest.
 The 128-bit size digest is too small to resist collision attack.

Secure Hash Algorithm(SHA)

 SHA originally designed by NIST & NSA in 1993

 SHA was revised in 1995 as SHA-1
 adds 3 additional versions of SHA
 SHA-256, SHA-384, SHA-512structure & detail is similar to SHA-1

SHA – 512
108
 CNS(R16) B.Tech(CSE) IV Year I Sem

 SHA-512 is family of Secure Hash Algorithm

 SHA-512 creates a 512 bit message digest .
 The original message divided into multiple blocks of size 1024bits.
 The Processing of each block involves 80 rounds
 Each block of size(1024bits) can be assumed as 16 words of size 64bits
 The maximum size of message is less than 2128. This means that if the length of a
message equal to or greater than 2128, it will not be processed by SHA-512
 SHA-512 based on Merkle-Damgard scheme.

The Following Figure shows internal logic of the SHA-512

109
 CNS(R16) B.Tech(CSE) IV Year I Sem

STEPS:

1. Append padding bits:

The message is padded with 1000000…. To make the message multiples of 1024.
2. Append length of the message:

A block of 128 bits is appended to the message. Contains the length of the original message.
Before addition of the length of message , we need to pad as specified in the first step.
The size of padding bits is
calculatedas: (|M|+|P|+128)=0
mod 1024
|P|=-|M|-128 mod 1024
Example: What is the number of padding bits if the length of the original message is 2590
Solution: |P|=-2590-128 mod 1024
=-2718 mod 1024 = -670 mod 1024
=(1024-670) mod 1024 = 354
The padding consists of one 1 followed by 353 0’s
Length Field and Padding:
Before the message digest can be created, SHA-512 requires the addition of a 128-bit length field (0-
(2128 -1)to the message that defines the length of the message in bits.

110
 CNS(R16) B.Tech(CSE) IV Year I Sem

Compression Function

The heart of the algorithm is a module that consists of 80 rounds; this module is labeled as F in Block
Diagram.
Each round t takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the
buffer.Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block
being processed (Mi).
Each round t also makes use of an additive constant Kt (64-bit)
The output of the 80th round is added to the input to the first round (Hi-1) to produce Hi.

80-Word Input Sequence

111
 CNS(R16) B.Tech(CSE) IV Year I Sem

Constants

…..

Initialize hash buffer

112
CNS(R16) B.Tech(CSE) IV Year I Sem

113
 CNS(R16) B.Tech(CSE) IV Year I Sem

DIGITAL SIGNATURE

 A digital signature is a technique used to validate the authenticity and integrity of a

message.
 In the physical world, A person signs a document to show that it originated from himor
was approved by him. The signature is proof to recipient that the document comes from
the correct entity.
 Similarly, a digital signature is a technique that binds a person/entity to the
digital data. This binding can be independently verified by receiver as well asany
third party.
 Digital signature is a cryptographic value that is calculated from the data and a
secret key known only by the signer.

COMPARISON of conventional signature & DIGITAL SIGNATURE

Inclusion
A conventional signature is included in the document; it is part of the document.
But when we sign a document digitally, we send the signature as a separate document.

Verification Method
For a conventional signature, when the recipient receives a document, he compares the signature on the
document with the signature on file.
For a digital signature, the recipient receives the message and the signature. The recipient needs to apply
averification technique to the combination of the message and the signature to verify the authenticity.

Relationship
For a conventional signature, there is normally a one-to-many relationship between a signature
anddocuments. For a digital signature, there is a one-to-one relationship between a signature
and a message.

114
 CNS(R16) B.Tech(CSE) IV Year I Sem
Duplicity
In conventional signature, a copy of the signed document can be distinguished from the original one on
file. In digital signature, there is no such distinction unless there is a factor of time on the document.

PROCESS OF DIGITAL SIGNATURE

Figure shows the digital signature process. The sender uses a signing algorithm to sign the message.
The message and the signature are sent to the receiver. The receiver receives the message and the
signature and applies the verifying algorithm to the combination. If the result is true, the message is
accepted; otherwise, it is rejected.

SIGNING THE DIGEST

The drawback of Asymmetric key cryptosystems that is “inefficient for long messages” .t In a digital
signature system can be overcome by “signing the digest of the message”.

SERVICES

The services in cryptography are:

115
 CNS(R16) B.Tech(CSE) IV Year I Sem
Message confidentiality, authentication, Integrity and Non-repudiation.
• A digital signature system can provide Message authentication, Integrity and Non-
repudiation, but still need encryption/decryption for message confidentiality.

Message Authentication
• A secure digital signature scheme, like a secure conventional signature can
provide message authentication
• Example, Bob can verify that the message is sent by Alice because Alice’s public key is used in
verification.
Message Integrity
The integrity of the message is preserved even if we sign the whole message because we cannot get
thesame signature if the message is changed.

Nonrepudiation
Nonrepudiation can be provided using a trusted party.

Confidentiality

A digital signature does not provide privacy.

If there is a need for privacy, another layer of encryption/decryption must be applied.

116
 CNS(R16) B.Tech(CSE) IV Year I Sem

Figure Adding confidentiality to a digital signature scheme

ATTACKS ON DIGITAL SIGNATURE

Attack Types
1. Key-Only Attack
In key-only attack, the public key of A is available to every one and C makes use of this fact and try to
recreate the signature of A and digitally sign the documents that A does not intend to do.
2. Known-Message Attack
In the known message attack, C has few previous messages and signatures of A. Now C tries to
forge the signature of A on to the documents that A does not intend to sign by using the brute force
method by analyzing the previous data to recreate the signature of A
3.Chosen-Message Attack
In this method C has the knowledge about A’s public key and obtains A’s signature on the messages and
replaces the original message with the message C wants A to sign with having A’s signature on them
unchanged.

Forgery Types

1. Existential Forgery
Adversary can create a pair (message, signature), such that the signature of the message is valid.
Adversary has no control on the messages whose signature is forged
2. Selective Forgery
Adversary is able to create valid signatures on a message
chosen by someone else, with a significant probability.

117
 CNS(R16) B.Tech(CSE) IV Year I Sem

Adversary controls the messages whose signature is forged

DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during the last few decades. Some of them have been
implemented.

1. RSA Digital Signature Scheme

2. ElGamal Digital Signature Scheme
3. Schnorr Digital Signature Scheme
4. Digital Signature Standard (DSS)
5. Elliptic Curve Digital Signature Scheme

RSA DIGITAL SIGNATURE SCHEMES

Figure : General idea behind the RSA digital signature scheme

The sender uses his own private key tosign the documemnet, the receivr uses the senders public key to
verify it

RSA DIGITAL SIGNATURE SCHEMES – Key Generation

Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA.
1. Sender chooses two prime numbers p and q
2. Calculate n=pxq
3. Calculate f(n) = (p-1) x (q-1)
4. Chooses the public exponent e and calculates d (private exponent) such that e x d = 1 modf(n)
In the RSA digital signature scheme, d is private; e and n are public. RSA

DIGITAL SIGNATURE SCHEMES – Signing and verifying

118
 CNS(R16) B.Tech(CSE) IV Year I Sem

Signing: Alice create a signature out of the message using her private exponent,
S=Md mod n and sends the signature to Bob
Verifying: Bob receives M and S. Bob applies A lice public exponent to the signature to create a copy
ofthe message M1 = Se mod n. Bob compares M and M1 . If both are congruent, accepts the message.
M1 M (mod n) Se M (mod n) Mdxe M (mod n)

RSA DIGITAL SIGNATURE SCHEMES – EXAMPLE

As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319.
The value of f(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key
generation is complete. Now imagine that Alice wants to send a message with the value of M =
19070 toBob. She uses her private exponent, 160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He
calculates

Bob accepts the message because he has verified Alice’s signature

ElGamal Digital Signatures

• signature variant of ElGamal, related to D-H

– so uses exponentiation in a finite Galois field
– security based difficulty of computing discrete logarithms, as in D-H
• use private key for encryption (signing)

119
 CNS(R16) B.Tech(CSE) IV Year I Sem

• uses public key for decryption (verification)

• each user (eg. A) generates their key

 Alice signs a message M to Bob by computing

 the hash m = H(M), 0 <= m <= (q-1)
 chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
 compute temporary key: S1 = ak mod q
 compute K-1 the inverse of K mod (q-1)
 compute the value: S2 = K-1(m-xAS1) mod (q-1)
 signature is:(S1,S2)
 any user B can verify the signature by computing

ElGamal Signature Example

 use field GF(19) q=19 and a=10
 Alice computes her key:
 A chooses xA=16 & computes yA=1016 mod 19 = 4
 Alice signs message with hash m=14 as (3,4):
 choosing random K=5 which has gcd(18,5)=1
 computing S1 = 105 mod 19 = 3
 finding K-1 mod (q-1) = 5-1 mod 18 = 11
 computing S2 = 11(14-16.3) mod 18 = 4
 any user B can verify the signature by computing
 V1 = 1014 mod 19 = 16
 V2 = 43.34 = 5184 = 16 mod 19
since 16 = 16signature is valid

Schnorr Digital Signatures

 also uses exponentiation in a finite (Galois)
 security based on discrete logarithms, as in D-H
 minimizes message dependent computation
 multiplying a 2n-bit integer with an n-bit integer
 main work can be done in idle time
 have using a prime modulus p
 p–1 has a prime factor q of
appropriate size typically p 1024-bit and q 160-bit
numbers

Schnorr Key Setup

 choose suitable primes p , q
120
CNS(R16) B.Tech(CSE) IV Year I Sem
 choose a such that aq = 1 mod p

121
 CNS(R16) B.Tech(CSE) IV Year I Sem

 (a,p,q) are global parameters for all

 each user (eg. A) generates a key
 chooses a secret key (number): 0 < sA < q
 compute their public key: vA = a-sA mod q

 user signs message by

 choosing random r with 0<r<q and computing x = ar mod p
 concatenate message with x and hash result to computing: e = H(M || x)
 computing: y = (r + se) mod q
 signature is pair (e, y)
 any other user can verify the signature as follows:
 computing: x' = ayve mod p
 verifying that: e = H(M || x’)
Digital Signature Standard (DSS)
 US Govt approved signature scheme
 designed by NIST & NSA in early 90's
 published as FIPS-186 in 1991
 revised in 1993, 1996 & then 2000
 uses the SHA hash algorithm
 DSS is the standard, DSA is the algorithm
 FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
 DSA is digital signature only unlike RSA is a public-key technique

Digital Signature Algorithm (DSA)

 creates a 320 bit signature
 with 512-1024 bit security
 smaller and faster than RSA
 a digital signature scheme only
 security depends on difficulty of computing discrete logarithms
 variant of ElGamal & Schnorr schemes
DSA Key Generation
 have shared global public key values (p,q,g):
 choose 160-bit prime number q
 choose a large prime p with 2L-1 < p < 2L
• where L= 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
 choose g = h(p-1)/q
• where 1<h<p-1 and h(p-1)/q mod p > 1
 users choose private & compute public key:
 choose random private key: x<q
 compute public key: y = gx mod p
DSA Signature Creation
 to sign a message M the sender:
 generates a random signature key k, k<q
 nb. k must be random, be destroyed after use, and never be reused
 then computes
signature pair: r = (gk mod
p)mod q
122
 CNS(R16) B.Tech(CSE) IV Year I Sem
s = [k-1(H(M)+ xr)] mod q
 sends signature (r,s) with message M
 having received M & signature (r,s)

123
 CNS(R16) B.Tech(CSE) IV Year I Sem

 to verify a signature, recipient

DSS Overview

124
 CNS(R16) B.Tech(CSE) IV Year I Sem

KEY MANAGEMENT

SYMMETRIC-KEY DISTRIBUTION
• Symmetric-key cryptography is more efficient than asymmetric-key
cryptography for enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• Example: If Alice needs to exchange confidential messages with N people, she need N
different keys and if N people need to exchange with each other, they need N(N-1) keys. If
1 million people need to communicate with each other , they need more than trillions of
keys.
• This proble normally referred as N2 problem, because the number of required
keys for N entitesis N2
• We also has a problem of the distribution of keys through the internet which is unsecure.

Key-Distribution Center: KDC

A practical solution for the above problem is the use of a trusted thord party, referred as Key-Distribution
Center( KDC )

1. Alice sends a request to the KDC stating that she needs a session secrete key between herand
Bob
2. KDC inform Bob about Alice request
If Bob agrees, a session key is created between the two.

125
 CNS(R16) B.Tech(CSE) IV Year I Sem

Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes
unmanageable.To solve the problem, we use multiple KDCs. We devide the world
into domains

Hierarchical Multiple KDCs

In this, KDCs are arranged in hierarchical model, the international KDC are at root, then national next
and local KDCs at lower level.

Session Keys

A KDC creates a secret key for each member. This secret key can be used only between the member
andthe KDC, not between two members.
A session symmetric key between two parties is used only once.

Simple protocol Using a KDC

Figure shows first approach using KDC

126
 CNS(R16) B.Tech(CSE) IV Year I Sem

1. Alice sends request to KDC

2. KDC creates ticket to Bob which is encrypted using Bob’s key KB. The ticket contains the
session key (KAB).
3. Alice extracts the Bob’s ticket
4. Alice sends ticket to Bob. Bob opens the ticket and knows that Alice want to send
message to him by using KAB.
Drawback: Eve can use the replay attack at step 3.

127
 CNS(R16) B.Tech(CSE) IV Year I Sem

Needham-Schroeder Protocol

1. Alice sends message to KDC that include her nonce, RA

2. KDC sends encrypted ticket for Bob to Alice which contains session key
3. Alice sends Bobs ticket to him
4. Bob sends his challenge (RB) to Alice which contains session key
5. Alice responds to Bobs challenge

KERBEROS
Kerberos is an authentication protocol, and at the same time a KDC, that has become very
popular. Several systems, including Windows 2000, use Kerberos.
Originally designed at MIT, it has gone through several versions.

KERBEROS Servers

Three servers are involved in the Kerberos protocol.

Authentication Server (AS)
 The authentication server (AS) is the KDC in the Kerberos protocol.
 Each user registers with AS and is granted a user identity and a password.
 AS verifies the user, issues a session key to be used b/t Alice and TGS.
 and sends a ticket for TGS.

128
 CNS(R16) B.Tech(CSE) IV Year I Sem

Ticket-Granting Server (TGS)

 The ticket-granting server (TGS) issues a ticket for the real server (Bob).
 Also provides the session key b/t Alice and Bob.
 Kerberos has a separated user verification from issuing of tickets.
 Alice can contact the TGS multiple times to obtained tickets for different real servers.
Real
Server  The real server (Bob) provides services for the user (Alice).
 Kerberos is designed for client-server programs.
 Kerberos is not used for person – to – person authentication

129
 CNS(R16) B.Tech(CSE) IV Year I Sem

SYMMETRIC-KEY AGREEMENT

Alice and Bob can create a session key between themselves without using a
KDC. This method of session-key creation is referred to as the symmetric-key
agreement. Example: Diffie-Hellman Key Agreement

Diffie-Hellman Key Agreement

In this two parties are creating symmetric key without the need of a KDC.
Before establishing, the two parties need to choose two numbers p
and g.The p is a large number on the order of 300 digits.

Steps:
1. Alice chooses a large random integer number x and calculates R1=gx mod p
2. Bob chooses another large number y and calculates R2=gy mod p
3. Alice sends R1 to Bob and Bob sends R2 to Alice
4. Alice calculates key K=(R2)x mod p
5. Bob calculates key K=(R1)y
mod p Where K is the symmetric key
for the session
The symmetric key in the Diffie-Hellman method is K=gxy mod p

Diffie-Hellman Key Agreement- EXAMPLE

Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note
thatin a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as
follows:

1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.

2. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 43 mod 23 = 18.

130
 CNS(R16) B.Tech(CSE) IV Year I Sem

6. Bob calculates the symmetric key K = 216 mod 23 = 18.

7. The value of K is the same for both Alice and Bob;
g mod p = 718 mod 35 = 18.
xy

PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone shields
aprivate key and advertises a public key.
In public key key cryptography, everyone have access to every one’s public key: public keys are
available to the public.
So, public keys need to be distributed.

1. Public Announcement
2. Trusted Center
3. Controlled Trusted Center
4. Certification Authority

5. X.509
6. Public-Key Infrastructures (PKI)

Public Announcement
The normal method is to announce public keys publicly, but is not secure

Figure Announcing a public key

Trusted Center
A more secure approach is to have a trusted center retain a directory of public keys

131
CNS(R16) B.Tech(CSE) IV Year I Sem

132
 CNS(R16) B.Tech(CSE) IV Year I Sem

Controlled Trusted Center

A higher level security can be achieved when there are added controls on

133