Public-Key Cryptography and Message Authentication: Cryptographic and Network Security, Chapter-3, Message Authentication


PUBLIC-KEY CRYPTOGRAPHY AND MESSAGE AUTHENTICATION
CRYPTOGRAPHIC AND NETWORK SECURITY
CHAPTER-3
MESSAGE AUTHENTICATION
APPROACHES TO MESSAGE
AUTHENTICATION
Encryption protects against passive attack (eavesdropping).
A different requirement is to protect against active attack (falsification of data and transactions). Protection against
such attacks is known as message authentication.
A message, file, document, or other collection of data is said to be authentic when it is genuine and comes from its
alleged source.
Message authentication is a procedure that allows communicating parties to verify that received messages are
authentic.
The two important aspects are
To verify that the contents of the message have not been altered and
The source is authentic.

We may also wish to verify a message’s timeliness (it has not been artificially delayed and replayed) and sequence
relative to other messages flowing between two parties.
All of these concerns come under the category of data integrity.
First Approach: Authentication Using
Conventional Encryption
It would seem possible to perform authentication simply by the use of symmetric encryption.
If we assume that only the sender and receiver share a key (which is as it should be), then only
the genuine sender would be able to encrypt a message successfully for the other participant,
provided the receiver can recognize a valid message.
Furthermore, if the message includes an error-detection code and a sequence number, the
receiver is assured that no alterations have been made and that sequencing is proper.
If the message also includes a timestamp, the receiver is assured that the message has not
been delayed beyond that normally expected for network transit.
Issues in Authentication Using
Conventional Encryption
Symmetric encryption alone is not a suitable tool for data authentication.
To give one simple example, in the ECB mode of encryption, if an attacker reorders the blocks
of ciphertext, then each block will still decrypt successfully.
However, the reordering may alter the meaning of the overall data sequence.
Although sequence numbers may be used at some level (e.g., each IP packet), it is typically not
the case that a separate sequence number will be associated with each b-bit block of plaintext.
Thus, block reordering is a threat.
Second Approach: Message Authentication
without Message Encryption
In this section, we examine several approaches to message authentication that do not rely on
encryption.
In all of these approaches, an authentication tag is generated and appended to each message
for transmission.
The message itself is not encrypted and can be read at the destination independent of the
authentication function at the destination.
It is possible to combine authentication and confidentiality in a single algorithm by encrypting a
message plus its authentication tag.
Message Authentication without
Message Encryption
The following methods are used for message authentication without encryption:
1) MESSAGE AUTHENTICATION CODE
2) ONE-WAY HASH FUNCTION
1) Message Authentication Code
One authentication technique involves the use of a secret key to generate a small block of data,
known as a message authentication code (MAC), that is appended to the message.
This technique assumes that two communicating parties, say A and B, share a common secret
key $K_{AB}$.
When A has a message to send to B, it calculates the message authentication code as a
function of the message and the key: $\mathrm{MAC}_M = F(K_{AB}, M)$.
The message plus code are transmitted to the intended recipient.
The recipient performs the same calculation on the received message, using the same secret
key, to generate a new message authentication code.
The received code is compared to the calculated code. We assume that only the receiver and
the sender know the identity of the secret key.
Message Authentication Using a
Message Authentication Code (MAC)
If the received code matches the calculated code, then the following statements apply:
The receiver is assured that the message has not been altered.
The receiver is assured that the message is from the alleged sender.
Method to Generate MAC
A number of algorithms could be used to generate the code.
The NIST specification, FIPS PUB 113, recommends the use of DES.
DES is used to generate an encrypted version of the message, and the last number of bits of
ciphertext are used as the code.
A 16- or 32-bit code is typical. The process just described is similar to encryption.
One difference is that the authentication algorithm need not be reversible, as it must for
decryption.
Because of the mathematical properties of the authentication function, it is less vulnerable to
being broken than encryption.
2) ONE-WAY HASH FUNCTION
An alternative to the message authentication code is the one-way hash function.
As with the message authentication code, a hash function accepts a variable-size message M
as input and produces a fixed-size message digest H(M) as output.
Unlike the MAC, a hash function does not take a secret key as input.
Three ways in which the message can be authenticated:
Using Conventional Encryption
Using Public Key Encryption
Using Secret Key
These two approaches also have an advantage over approaches that encrypt the entire message in that
less computation is required.
Using Secret Key: Description
This technique uses a hash function but no encryption for message authentication.
This technique assumes that two communicating parties, say A and B, share a common secret value
$S_{AB}$.
When A has a message to send to B, it calculates the hash function over the concatenation of the
secret value and the message: $MD_M = H(S_{AB} \| M)$.
It then sends $[M \| MD_M]$ to B. Because B possesses $S_{AB}$, it can recompute $H(S_{AB} \| M)$ and verify $MD_M$.
Because the secret value itself is not sent, it is not possible for an attacker to modify an intercepted
message. As long as the secret value remains secret, it is also not possible for an attacker to generate a
false message.
A variation on the third technique, called HMAC, is the one adopted for IP security (described in
Chapter 8); it also has been specified for SNMPv3 (Chapter 12).
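The MAC exchange and the secret-value hash technique described above, as an added example that is not part of the original slides. SHA-256, the 32-byte tag layout, the sample secret and all function names are assumptions made for illustration; the HMAC call is Python's standard `hmac` module.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest size in bytes (hash choice is an assumption)

def prefix_tag(secret: bytes, message: bytes) -> bytes:
    """MD_M = H(S_AB || M): hash of the secret value followed by the message."""
    return hashlib.sha256(secret + message).digest()

def hmac_tag(secret: bytes, message: bytes) -> bytes:
    """HMAC, the keyed-hash variation the text says IP security adopted."""
    return hmac.new(secret, message, hashlib.sha256).digest()

def send(secret: bytes, message: bytes, tag_fn) -> bytes:
    """A transmits [M || tag]; the message itself stays readable."""
    return message + tag_fn(secret, message)

def receive(secret: bytes, packet: bytes, tag_fn):
    """B recomputes the tag and returns M if it matches, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = tag_fn(secret, message)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None

def demo() -> dict:
    s_ab = b"constructed-shared-secret"        # constructed sample secret
    msg = b"Transfer 10$ in Oscar's Account"   # message from the slides' example
    out = {}
    for name, fn in (("prefix", prefix_tag), ("hmac", hmac_tag)):
        packet = send(s_ab, msg, fn)
        altered = packet.replace(b"10$", b"100000$", 1)  # content changed in transit
        out[name] = {
            "genuine": receive(s_ab, packet, fn),
            "altered": receive(s_ab, altered, fn),
            "wrong_secret": receive(b"not-the-secret", packet, fn),
        }
    return out

if __name__ == "__main__":
    print(demo())
```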
SECURE HASH FUNCTIONS
The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data.
Properties of Hash Function:
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations
practical.
4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this
property is referred to as one-way or preimage resistant.
5. For any given block x, it is computationally infeasible to find y != x with H(y)=H(x). A hash function with this
property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
6. It is computationally infeasible to find any pair (x, y), such that H(x)=H(y). A hash function with this property
is referred to as collision resistant. This is sometimes referred to as strong collision resistant.
Weak collision resistance: After User B creates some message x1, it is "computationally
infeasible" for an attacker M to compute some other message x2 such that h(x1) == h(x2).
Strong collision resistance: It is "computationally infeasible" for an attacker M to find any two
messages x1 and x2 such that h(x1) == h(x2).
Example of Weak collision resistance /
2ND Preimage Attack:
Assume Bob sends a message X1 to the bank:
X1=“Transfer 10$ in Oscar’s Account”
Oscar (Malicious User) captures the X1, prepares a fake message X2, and forwards it to the bank
X2= “Transfer 100000$ in Oscar’s Account”
And h(X1)=h(X2).
Banker verifies the message by recomputing the hash code and compares it with the received
hash code which confirms that the message is genuine.
We want to build a hash function where a 2nd preimage attack is not possible.
Pigeon Hole Problem

Challenge: Make collision very hard to find.


Security of Hash Function
The strength of a hash function against brute-force attacks depends on the length of the hash
code produced by the algorithm.
Van Oorschot and Wiener [VANO94] presented a design for a $10 million collision search machine for
MD5, which has a 128-bit hash length, that could find a collision in 24 days.
Thus, a 128-bit code may be viewed as inadequate. The next step up, if a hash code is treated
as a sequence of 32 bits, is a 160-bit hash length.
With a hash length of 160 bits, the same search machine would require over four thousand
years to find a collision.
With today’s technology, the time would be much shorter, so that 160 bits now appears
suspect.
2nd Preimage Attack with brute force
Collision resistance attack with brute force requires $2^{n/2}$ steps
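Why hash length matters, as an added example that is not part of the original slides: it truncates SHA-256 to n bits and counts how many messages must be hashed before two share a hash code. The truncation, the constructed message format and the function names are assumptions made for illustration.

```python
import hashlib

def truncated_hash(message: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256, standing in for an n-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits: int):
    """Hash distinct messages until two share a hash code.

    Returns (x, y, steps). With 2**n_bits possible codes, the pigeonhole
    principle guarantees a hit within 2**n_bits + 1 messages; the birthday
    effect makes roughly 2**(n_bits/2) the typical cost.
    """
    seen = {}
    steps = 0
    while True:
        steps += 1
        msg = b"constructed-message-%d" % steps  # constructed sample input
        code = truncated_hash(msg, n_bits)
        if code in seen:
            return seen[code], msg, steps
        seen[code] = msg

def survey(sizes=(8, 12, 16, 20)):
    """Steps taken per hash length, next to the 2**(n/2) estimate."""
    return [(n, find_collision(n)[2], 2 ** (n // 2)) for n in sizes]

if __name__ == "__main__":
    for n, steps, estimate in survey():
        print(f"n={n:2d}  steps={steps:6d}  2^(n/2)={estimate}")
```

Each added bit of hash length doubles the code space but only multiplies the typical collision cost by about the square root of two, which is why the slides treat 128 bits as inadequate.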
Simple Hash Functions
All hash functions operate using the following general principles.
The input (message, file, etc.) is viewed as a sequence of n-bit blocks.
The input is processed one block at a time in an iterative fashion to produce an n-bit hash
value.
One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block.
This can be expressed as
Simple Hash Function Using Bitwise
XOR
Simple Hash Function (A Little
Variation)
A simple way to improve matters is to perform a 1-bit circular shift, or rotation, on the hash
value after each block is processed.
The procedure can be summarized as:
1. Initially set the n-bit hash value to zero.
2. Process each successive n-bit block of data:
◦ a. Rotate the current hash value to the left by one bit.
◦ b. XOR the block into the hash value.

This has the effect of “randomizing” the input more completely and overcoming any regularities
that appear in the input.
Issues
Although the second procedure provides a good measure of data integrity, it is virtually useless
for data security when an encrypted hash code is used with a plaintext message, as in Figures
3.2a and b.
Given a message, it is an easy matter to produce a new message that yields that hash code:
Simply prepare the desired alternate message and then append an n-bit block that forces the
combined new message plus block to yield the desired hash code.
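The XOR and rotated-XOR procedures and the weakness just described, as an added example that is not part of the original slides. The 64-bit block size, zero padding of the last block and all function names are assumptions; SHA-256 is shown only for contrast.

```python
import hashlib

N = 64                   # block size in bits (assumed; the slides leave n generic)
SIZE = N // 8
MASK = (1 << N) - 1

def pad(data: bytes) -> bytes:
    """Zero-pad to a whole number of n-bit blocks (padding rule is an assumption)."""
    return data + b"\x00" * (-len(data) % SIZE)

def rotl1(h: int) -> int:
    """Rotate an n-bit value left by one bit."""
    return ((h << 1) | (h >> (N - 1))) & MASK

def simple_hash(data: bytes, rotate: bool) -> int:
    """Plain XOR of all blocks, or the rotated variant (RXOR) when rotate=True."""
    h = 0                                        # step 1: hash value starts at zero
    data = pad(data)
    for i in range(0, len(data), SIZE):
        if rotate:
            h = rotl1(h)                         # step 2a: rotate left one bit
        h ^= int.from_bytes(data[i:i + SIZE], "big")   # step 2b: XOR the block in
    return h

def force_hash(alternate: bytes, target: int, rotate: bool) -> bytes:
    """Append the one n-bit block that makes alternate hash to target."""
    padded = pad(alternate)
    state = simple_hash(padded, rotate)
    if rotate:
        state = rotl1(state)                     # state just before the final XOR
    return padded + (state ^ target).to_bytes(SIZE, "big")

def demo() -> dict:
    original = b"Transfer 10$ in Oscar's Account"        # from the slides' example
    alternate = b"Transfer 100000$ in Oscar's Account"
    out = {}
    for name, rotate in (("xor", False), ("rxor", True)):
        forced = force_hash(alternate, simple_hash(original, rotate), rotate)
        out[name] = simple_hash(forced, rotate) == simple_hash(original, rotate)
        out[name + "_sha256_differs"] = (
            hashlib.sha256(forced).digest() != hashlib.sha256(original).digest())
    return out

if __name__ == "__main__":
    print(demo())
```

Both simple functions accept the altered message with the original hash code, while a hash with second preimage resistance does not, which is the property the earlier slides ask for.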
Solution
Although a simple XOR or rotated XOR (RXOR) is insufficient if only the hash code is encrypted,
you may still feel that such a simple function could be useful when the message as well as the
hash code are encrypted.
But one must be careful. A technique originally proposed by the National Bureau of Standards
used the simple XOR applied to 64-bit blocks of the message and then an encryption of the
entire message using the cipher block chaining (CBC) mode. We can define the scheme as
follows: Given a message consisting of a sequence of 64-bit blocks $X_1, X_2, \ldots, X_N$, define the
hash code C as the block-by-block XOR of all blocks and append the hash code as the final block:
