IS - Message Authentication and Hash Functions - 06012015 - 043853AM


160702 Information Security (IS)

Unit-5 Message Authentication and Hash functions

Q 1.

What is the need for message authentication? List various techniques used for authentication. Explain any
one.
The following attacks are possible, which is why authentication is needed:
o Disclosure: Release of message contents to any person not knowing the secret key.
o Traffic analysis: Discovery of the pattern of traffic between parties. Traffic analysis reveals information
like the frequency and length of messages between parties, and the communicating parties could be
determined.
o Masquerade: Impersonating another person and sending messages.
o Content modification: Changes are made to the contents of a message. Changes may include insertion,
deletion, transposition, and modification.
o Sequence modification: Sequence of messages between parties is modified. This attack may include
insertion, deletion, and reordering.
o Timing modification: Delay or replay of messages.
o Source repudiation: Denial of transmission of message by source.
o Destination repudiation: Denial of receipt of message by destination.
Message authentication verifies that received messages come from the alleged source and have not been
altered.
Message authentication may also verify sequencing and timeliness.

Authentication Techniques
Following techniques are used for authentication:
o Hash function: A hash function maps a message of any length into a fixed-length hash value, which serves
as the authenticator.
o Message encryption: The ciphertext of the entire message serves as its authenticator.
o Message authentication code (MAC): A MAC is a function of the message and a secret key that
produces a fixed-length value that serves as the authenticator.
Authentication using message encryption is explained below:

Message Encryption

Symmetric Encryption: A message M transmitted from source A to destination B is encrypted using a secret
key K shared by A and B.

Confidentiality and authentication with symmetric encryption

No other party knows the key, and hence confidentiality is provided as no other party can recover the
plaintext of the message without the knowledge of key.
The message must have come from A because A is the only other party that possesses K and therefore the
only other party which can construct ciphertext that can be decrypted with K. Thus, authentication is
provided.
Furthermore, if M is recovered, B knows that none of the bits of M have been altered, because an opponent
that does not know K would not know how to alter bits in the ciphertext to produce desired changes in the
plaintext. Thus, data integrity is also provided.
If the message contains regular language, then the legitimacy of the message can be determined.
But if the message contains arbitrary data like a binary object file or a digitized X-ray, then alteration of the
message cannot be determined by simply looking at the message.
In that case, the plaintext must carry some recognizable structure, such as an appended message-based function (a
checksum, for example) or a TCP header if TCP/IP is being used.

Darshan Institute of Engineering & Technology


Public-Key Encryption: The source (A) uses the public key PUb of the destination (B) to encrypt M. Because
only B has the corresponding private key PRb, only B can decrypt the message. This scheme provides
confidentiality but not authentication, because any opponent could also use B's public key to encrypt a
message, claiming to be A.

Confidentiality using public key encryption

To provide authentication, A uses its private key to encrypt the message, and B uses A's public key to
decrypt it. The message must have come from A because A is the only party that possesses PRa. This scheme
also provides a digital signature because only A could have constructed the ciphertext by encrypting it with
PRa. Note that this scheme does not provide confidentiality: anyone with PUa can decrypt the message.

Authentication using public key encryption

If both authentication and confidentiality are needed, the message is encrypted twice: A first encrypts it
with its private key PRa, which provides authentication, and then with B's public key PUb, which provides
confidentiality.

Confidentiality and Authentication using public key encryption

This scheme also requires some structure in plaintext if it contains arbitrary data.

Q 2.

What is cryptographic checksum or message authentication code? Describe the three situations in which
message authentication code is used.
Cryptographic checksum or MAC is a function of the message and a secret key that produces a fixed-length
value that serves as the authenticator.
A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as
in the case of decryption.
A MAC function is generally a many-to-one function.
Three situations in which a message authentication code is used are:
1. Many applications need to broadcast a message to a number of destinations.
Examples are a notification to users that the network is now unavailable or an alarm signal in a
military control center.
Instead of decrypting the message at every node, it is cheaper and more reliable to have only one
destination responsible for monitoring authenticity.
The message is broadcast in plaintext with an associated message authentication code. The
responsible system has the secret key and performs authentication.

If a violation occurs, the other destination systems are alerted by a general alarm.
2. One side in the communication has a heavy load and cannot afford the time to decrypt all incoming
messages.
Authentication is carried out on a selective basis. Messages are chosen at random for checking.
3. Authentication of a computer program in plaintext.
The computer program can be executed without having to decrypt it every time.
However, if a message authentication code were attached to the program, it could be checked
whenever assurance is required about the integrity of the program.
Q 3.

Explain briefly basic uses of MAC.

A MAC is an authentication technique that involves the use of a secret key to generate a small fixed-size block of
data, known as a cryptographic checksum or MAC. The MAC is then appended to the message.
Here, sender and receiver share a secret key.
When A has to send a message to B, it calculates the MAC as a function of the message and the key:

MAC = C(K, M)

where M is the plaintext message,
C is the MAC function,
K is the secret key and
MAC is the message authentication code.
The message plus MAC are transmitted to the intended recipient.
The recipient performs the same calculation on the received message, using the same secret key, to
generate a new MAC. The received MAC is compared to the calculated MAC.

Authentication using MAC, no confidentiality


Since only the receiver and the sender know the secret key, and if the received MAC matches the calculated
MAC, then
o The receiver is assured that the message has not been altered. If an attacker alters the message but
does not alter the MAC, then the receiver's calculation of the MAC will differ from the received MAC.
o The receiver is assured that the message is from the alleged sender. Because no one else knows the
secret key.
Confidentiality can be provided by performing message encryption either after or before the MAC
algorithm.
In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver.
MAC can be calculated with the message as input and then concatenated to the message. The entire block is
then encrypted.

Authentication and confidentiality using MAC


It is preferable to tie the authentication directly to the plaintext, hence the above method is typically
preferred.
Alternately, the message is encrypted first. Then the MAC is calculated using the resulting ciphertext and is
concatenated to the ciphertext.

Authentication and confidentiality using MAC


Q 4.

Explain different characteristics of hash function.


OR
Explain the following properties of hash function:
(i) One way property
(ii) Weak collision resistance
(iii) Compression function in hash algorithm.
The purpose of a hash function is to produce a "fingerprint" of a file, message, or other block of data.
Various requirements and characteristics of a hash function are given below:
o H can be applied to a block of data of any size.
o H produces a fixed-length output.
o H(x) is relatively easy to compute for any given x, making both hardware and software implementations
practical. Also for any given value h, it is computationally infeasible to find x such that H(x) = h. This is
referred to as the one-way property.
o For any given block x, it is computationally infeasible to find y, such that H(y) = H(x). This is referred to
as weak collision resistance.
o It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is referred to as strong
collision resistance.
A hash function generally has a compression function. A compression function produces output of size less than the
input data.
A compression function takes two inputs (an n-bit input from the previous step, called the chaining
variable, and a b-bit block) and produces an n-bit output.
The final value of the chaining variable is the hash value.
Often, b > n; hence the term compression.

Q 5.

Illustrate variety of ways in which hash code can be used to provide message authentication.

A hash function accepts a variable-size message M as input and produces a fixed-size output, known as a
hash code H(M).
A hash code does not use a key.
The hash code is also called a message digest or hash value.
A hash function provides an error-detecting capability because change to any bit or bits in the message
results in a change to the hash code.
Variety of ways in which a hash code can be used to provide message authentication are:
1. The message plus concatenated hash code is encrypted using symmetric encryption.
Since only A and B share the secret key, the message must have come from A and has not been
altered.
Because encryption is applied to the entire message plus hash code, confidentiality is also
provided.

Confidentiality and authentication (symmetric encryption)


2. Only the hash code is encrypted, using symmetric encryption.
This reduces the processing burden for those applications that do not require confidentiality.

Authentication (symmetric encryption)


3. Only the hash code is encrypted, using public-key encryption and using the sender's private key.
This provides only authentication. It also provides a digital signature, because only the sender could
have produced the encrypted hash code.

Authentication (public key encryption)


4. If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code is encrypted using a symmetric secret key.

Digital signature, authentication and confidentiality


5. It is possible to use a hash function but no encryption for message authentication. The technique uses a
secret value S that the two communicating parties share.
A computes the hash value of M||S and appends the resulting hash value to M.
B possesses S, so it can recompute the hash value to verify.
The secret value itself is not sent, so an opponent cannot modify an intercepted message.

Authentication without encryption


6. Confidentiality can be added to the above approach by encrypting the entire message plus the hash
code.

Authentication and confidentiality (secret value S is used)


Q 6.

Explain the general structure of secure hash functions.

Generally, hash functions have a structure where a compression function is repeated and such functions are
referred to as iterated hash functions.
Most hash functions like SHA, MD5 etc. have this structure.
In this hash function,
o The input message is partitioned into L fixed-sized blocks of b bits each.
o If necessary, the final block is padded to b bits. The final block also includes the value of the total length
of the input message.
o The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit
input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit
output.
o At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm.
o The final value of the chaining variable is the hash value. Often, b > n; hence the term compression.

General structure of secure hash algorithms

The hash function can be summarized as follows:

CV_0 = IV (initial n-bit value)
CV_i = f(CV_{i-1}, Y_{i-1}),  1 ≤ i ≤ L
H(M) = CV_L
The inclusion of the length in the final block of the message makes the job of the opponent more difficult
because either
o The opponent must find two messages of equal length that have the same hash value, or
o The opponent must find two messages of differing lengths that, together with their length values, have
the same hash value.

If the compression function is collision resistant, then the resultant iterated hash function is also collision
resistant and hence secure.
Thus, the problem of designing a secure hash function is that of designing a collision-resistant compression
function that operates on inputs of some fixed size.

Q 7.

Explain in detail:
a) SHA
b) MD5
c) RIPEMD 160
d) HMAC

Secure Hash Algorithm (SHA)

SHA is based on the hash function MD4.


The algorithm takes as input a message of maximum length of less than 2^128 bits and produces a 512-bit
message digest.
The input is processed in 1024-bit blocks.
The processing consists of the following steps:
1. Append padding bits.
The message is padded so that its length is congruent to 896 modulo 1024.
The padding consists of a single 1-bit followed by the necessary number of 0-bits.
2. Append length.
A block of 128 bits is appended to the message. This block contains the length of the original
message (before the padding).
The message is now an integer multiple of 1024 bits in length.
In the figure below, the expanded message is represented as the sequence of 1024-bit blocks M_1, M_2, ..., M_N and
the total length of the expanded message is N x 1024 bits.

3. Initialize hash buffer.


A 512-bit buffer is used to hold intermediate and final results of the hash function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to the 64-bit integers (hexadecimal values) obtained by taking the
first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.
4. Process message in 1024-bit (128-word) blocks.
The heart of the algorithm is a module F that consists of 80 rounds.

SHA has 80 rounds.


Each round takes as input:
o 512-bit buffer value (H_{i-1})
o 64-bit words W_t obtained from the current data block by the message schedule.
o Additive constant K_t, which represents the first sixty-four bits of the fractional parts of the cube roots of
the first eighty prime numbers.
The contents of the buffer are updated after every round.

SHA algorithm
The output of the eightieth round is added modulo 2^64 to the input to the first round (H_{i-1}) to produce H_i.
5. Output.
After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit
message digest.
SHA-512 Round Function
Each round updates the buffer in the following way:

where

The figure of the round function is shown below.

SHA compression function

Message Schedule
The 64-bit word values W_t are derived from the 1024-bit message.
The first 16 values of W_t are taken directly from the 16 words of the current block. The remaining values are
defined as follows:
where

Message schedule

The message schedule introduces a great deal of redundancy and interdependence into the message blocks
that are compressed, which complicates the task of finding a different message block that maps to the same
compression function output.

MD5

This algorithm inputs 512-bit blocks and produces a 128-bit hash code. This algorithm is used in HMAC.
The processing consists of the following steps:
1. Append padding bits.
The message is padded so that its length is congruent to 448 modulo 512.
The padding consists of a single 1-bit followed by the necessary number of 0-bits.
2. Append length.
A block of 64 bits is appended to the message. This block contains the length of the original
message (before the padding).
The message is now an integer multiple of 512 bits in length.
In the figure below, the expanded message is represented as the sequence of 512-bit blocks Y_0, Y_1, ..., Y_{L-1} and
the total length of the expanded message is L x 512 bits.

3. Initialize hash buffer.


Initialize the 128-bit MD buffer.
The buffer can be represented as four 32-bit registers (a, b, c, d).
These registers are initialized by the following values:
A: 0 X 01 23 45 67
B: 0 X 89 ab cd ef
C: 0 X fe dc ba 98
D: 0 X 76 54 32 10
4. Process message in 512-bit blocks.
The algorithm has 4 rounds each containing 16 steps.
Each round updates the buffer value.
The output of the fourth round is added modulo 2^32 to the buffer value that was input to the first
round.
The final value of the buffer after the entire message has been processed is the hash code of the
message.

MD5 algorithm

Compression Function
The values of the register are updated in the following way:

a = d
b = ((a + g(b, c, d) + X[k] + T[i]) <<< s) + b
c = b
d = c
where i denotes the step number for a particular round and
k denotes the index of the word that is selected on the basis of subsequent
equations

MD5 compression function


Each step updates only one word of buffer.
After 16 steps, that is in each round, every word is updated 4 times.

Strength of MD5
Hash value is dependent on all message bits. Hence, change in even one bit will change the message.
However, currently this algorithm is considered cryptographically weak.

RIPEMD 160

This algorithm has a structure similar to that of MD5 and SHA.


This algorithm runs two parallel lines of 5 rounds.
Each round has 16 steps.
This algorithm processes 512-bit data blocks and produces 160-bit hash code.
The processing consists of the following steps:
1. Append padding bits.
The message is padded so that its length is congruent to 448 modulo 512.
The padding consists of a single 1-bit followed by the necessary number of 0-bits.
2. Append length.
A block of 64 bits is appended to the message. This block contains the length of the original
message (before the padding).
The message is now an integer multiple of 512 bits in length.
3. Initialize hash buffer.
Initialize the 160-bit MD buffer.
The buffer can be represented as five 32-bit words (a, b, c, d, e).
4. Process message in 512-bit data blocks.
The two outputs (buffer value of both the lines) of the fifth round are added modulo 2^32 to the
buffer value that was input to the first round.
The final value of the buffer after the entire message has been processed is the hash code of the
message.

RIPEMD-160 algorithm

RIPEMD-160 compression function


The buffer is updated at each step in the following way:

a = e
b = ((a + f_j(b, c, d) + X_i + K_j) <<< s_j) + e
c = b
d = c <<< 10
e = d

RIPEMD-160 compression function


Design Features
2 parallel lines increase complexity for a given data and hence it is difficult to attack.
For simplicity, the 2 parallel lines are kept quite similar.
The circular shifts designed in the algorithm are such that they produce best results.
The design is simple and compact.

Security of RIPEMD-160
Brute force attack on this algorithm is harder as the hash code that it produces is 160-bits in length.
It is not vulnerable to any of the known attacks.
This algorithm is slower but more secure than SHA.

HMAC

A MAC derived from hash function is called HMAC.


The reasons for developing HMAC were that hash functions incur less overhead than encryption and the code
of hash functions is easily and freely available.
The overall operation of HMAC is shown below:

1. Append zeros to the left end of K to create a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit block Si. The value of ipad is 36 in hexadecimal.
3. Append M to Si.
4. Apply H to the stream generated in the above step.
5. XOR K+ with opad to produce the b-bit block So. The value of opad is 5C in hexadecimal.
6. Append the hash result H from step 4 to So.
7. Apply H to the stream generated in the above step and output the result.
XOR with ipad results in flipping one-half of the bits of K.
Similarly, the XOR with opad results in flipping one-half of the bits of K, but a different set of bits.
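The seven HMAC steps, checked against Python's standard hmac module, as an added example that is not part of the original notes. It assumes SHA-256 as H and byte-oriented keys; in RFC 2104 byte order the zero padding follows the key bytes, and keys longer than one block are hashed first. The names hmac_steps, flipped_bits and verify are this example's own.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C  # repeated over every byte of the b-bit block

def hmac_steps(key, msg, hash_name="sha256"):
    """Return K+, S_i, S_o and the final tag, following the seven steps."""
    H = lambda data: hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size      # block size b, in bytes
    if len(key) > b:
        key = H(key)                           # RFC 2104 rule, not on the page
    k_plus = key.ljust(b, b"\x00")             # step 1: pad K to b bits
    s_i = bytes(x ^ IPAD for x in k_plus)      # step 2: S_i = K+ XOR ipad
    inner = H(s_i + msg)                       # steps 3-4: H(S_i || M)
    s_o = bytes(x ^ OPAD for x in k_plus)      # step 5: S_o = K+ XOR opad
    tag = H(s_o + inner)                       # steps 6-7: H(S_o || inner)
    return {"k_plus": k_plus, "s_i": s_i, "s_o": s_o, "tag": tag}

def flipped_bits(a, b):
    """Number of bit positions in which two equal-length strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def verify(key, msg, received_tag):
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = hmac_steps(key, msg)["tag"]
    return hmac.compare_digest(expected, received_tag)

if __name__ == "__main__":
    key = b"constructed-shared-key"            # constructed sample values
    msg = b"network unavailable at 02:00"
    steps = hmac_steps(key, msg)
    print("matches hmac module:",
          steps["tag"] == hmac.new(key, msg, hashlib.sha256).digest())
    print("bits flipped by ipad:", flipped_bits(steps["k_plus"], steps["s_i"]))
    print("bits flipped by opad:", flipped_bits(steps["k_plus"], steps["s_o"]))
    print("tampered message accepted:", verify(key, msg + b"!", steps["tag"]))
```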

Security of HMAC
The security of any HMAC function is based on the cryptographic strength of the underlying hash function.
The security of a MAC function is expressed in terms of the probability of successful forgery with a given
amount of time spent by the forger and a given number of message-MAC pairs created with the same key.
The probability of successful attack on HMAC is equivalent to one of the following attacks on the embedded
hash function:
o The attacker is able to compute an output of the compression function even with an IV that is random,
secret, and unknown to the attacker.
o The attacker finds collisions in the hash function even when the IV is random and secret.

Q 8.

Write a short note on security of hash functions and MACs.

Security of MACs

Brute-force attack
A brute-force attack on a MAC requires more known message-MAC pairs than a brute-force attack on a hash
function.
There are two types of possible attack:
o attack the key space
o attack the MAC value
1. Attacking the key space
If an attacker can determine the MAC key, then it is possible to generate a valid MAC value for any
input.
Suppose the key size is k bits and that the attacker has one known text-tag (MAC) pair.
The attacker can then compute the n-bit tag on the known text for all possible keys.
At least one key will produce the correct MAC value for the message. Till now, the level of effort is
2^k.
However, the MAC is a many-to-one mapping, so there may be other keys that produce the correct
value.
Thus, if more than one key is found to produce the correct value, additional text-tag pairs must be
tested.
The level of effort becomes less with each additional text-MAC pair and after 2 or 3 levels, a single
key is obtained.
2. Attacking the MAC value
The attacker will try to generate a valid MAC for a given message or to find a message that matches
a given MAC value.
Here the level of effort is that of 2^n.
This attack cannot be conducted off line without further input; the attacker will require chosen
text-tag pairs or knowledge of the key.
Cryptanalysis
Cryptanalytic attacks on MAC algorithms try to exploit some property of the algorithm to perform some
attack other than an exhaustive search.
The way to measure the resistance of a MAC algorithm to cryptanalysis is to compare its strength to the
effort required for a brute-force attack.
An ideal MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort.

Security of Hash Functions

Brute-force attack
To attack a hash code, we can proceed in the following way.
o Given a fixed message with n-bit hash code h = H(x), try to find a collision by picking a random bit string
y and checking if H(y) = H(x).
The attacker can do this repeatedly off line.
Thus, the strength of a hash function against brute-force attacks depends solely on the length of the hash
code produced by the algorithm.
Hash functions have three desirable properties:
o One-way
o Weak collision resistance
o Strong collision resistance
For a hash code of length n, the level of effort required is proportional to the following:
o One way: 2^n
o Weak collision resistance: 2^n
o Strong collision resistance: 2^(n/2)
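The gap between 2^n and 2^(n/2) can be measured on a deliberately short hash code. This is an added example, not part of the original notes: it truncates SHA-256 to n bits as a stand-in for an n-bit hash, and the message formats and function names are constructed for the demonstration.

```python
import hashlib
from itertools import count

def h_trunc(data, n_bits):
    """First n_bits of SHA-256: a stand-in for a hash with an n-bit code."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def find_collision(n_bits):
    """Strong collision: any pair x != y with H(x) == H(y).

    Remembers every code seen so far, so the expected number of trials
    grows like 2^(n/2) and can never exceed 2^n + 1 (pigeonhole).
    """
    seen = {}
    for trials in count(1):
        msg = b"msg-%d" % trials
        code = h_trunc(msg, n_bits)
        if code in seen:
            return seen[code], msg, trials
        seen[code] = msg

def find_second_preimage(target_msg, n_bits, max_trials):
    """Weak collision: a y != x with H(y) == H(x) for one fixed x.

    Each trial matches with probability 2^-n, so the expected number of
    trials is about 2^n. Returns (None, max_trials) if the budget runs out.
    """
    target = h_trunc(target_msg, n_bits)
    for trials in range(1, max_trials + 1):
        msg = b"try-%d" % trials
        if msg != target_msg and h_trunc(msg, n_bits) == target:
            return msg, trials
    return None, max_trials

if __name__ == "__main__":
    n = 16  # short on purpose so both searches finish quickly
    x, y, t_coll = find_collision(n)
    print("collision after", t_coll, "trials; 2^(n/2) =", 2 ** (n // 2))
    y2, t_pre = find_second_preimage(b"msg-1", n, 1 << 21)
    print("second preimage after", t_pre, "trials; 2^n =", 2 ** n)
```

Doubling n squares the second-preimage work but only doubles the exponent of the collision work, which is why the collision bound, not the preimage bound, sets the minimum safe hash length.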

Cryptanalysis
Cryptanalysis of hash functions focuses on the internal structure of compression function f.
It is based on attempts to find efficient techniques for producing collisions for a single execution of f.
Once that is done, the attacker tries to find the fixed value of IV.
The attack on f depends on exploiting its internal structure.
Typically, as with symmetric block ciphers, f consists of a series of rounds of processing, so that the attack
involves analysis of the pattern of bit changes from round to round.
