
1 1 MACs, Digital Signatures, Hash Functions and Digital Certificates Digital Signatures are used to “Sign” messages to validate the source and integrity of the contents.

2 2 Digital signatures provide Message Authentication
Secure communication includes:
- Privacy/Secrecy/Confidentiality
- Authenticity
- Integrity
- Non-repudiation
Digital signatures provide the last three of these security services. Message authentication and integrity checking play an important role in a variety of applications:
- Internet protocols
- Network management
- Wherever undetected manipulation of messages can have disastrous effects

3 3 Digitized Written Signature?? Simply taking a digital picture of a written signature does not provide adequate security. Such a digitized written signature could easily be copied from one electronic document to another with no way to determine whether it is legitimate. Electronic signatures, on the other hand, are unique to the message being signed and will not verify if they are copied to another document.

4 4 Digital signatures are used just like handwritten signatures Digital signatures are used just like handwritten signatures. When you add them to a document, you are “signing” that document as a way of endorsing or agreeing with what the document says. Unlike handwritten signatures, digital signatures are used only with computers. They are electronic signatures that can be used to sign electronic documents, like word processing files or spreadsheets.

5 5 What is a digital signature? A digital signature is a kind of ID. You can use it on the Internet to identify yourself in a secure manner. This is extremely useful in areas such as electronic commerce. For instance, when making a credit card purchase on the Internet, you can use your digital signature to “sign” that purchase. This helps to ensure that only you can make purchases with your credit card number.

6 6 Importance of Digital Signatures Digital Signatures are a central component of modern cryptographic systems. In analogy to handwritten signatures on paper documents, digital signatures are used to guarantee the authenticity of electronic documents. Thus they play an important role, for example, in secure and reliable systems for electronic commerce.

7 7 Requirements for a Digital Signature
1. The signature must be a bit pattern that depends on the message being signed.
2. The signature must use some information unique to the sender, to prevent both forgery and denial.
3. It must be relatively easy to produce the digital signature.
4. It must be relatively easy to recognize and verify the digital signature.
5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
6. It must be practical to retain a copy of the digital signature in storage.

8 8 Message Authentication Using Plain Encryption

9 9 Conventional Encryption for Signatures and MACs There is no shortage of good message authentication codes, beginning with DES-MAC, as defined in FIPS PUB 113. Conventional (symmetric) encryption could be used for digital signatures (DESMAC, specified by FIPS). However, message authentication codes based on encryption functions such as DES, which were designed for hardware implementation, may be somewhat limited in performance for software, and there is also the question of U.S. export restrictions on encryption functions.

10 10 Conventional Encryption for MACs When secret key cryptography is used, a message authentication code (MAC) is calculated from and appended to the data. To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if they are identical, the verifier has confidence that the data has not been modified by an unauthorized party. FIPS 113, Computer Data Authentication, specifies a standard technique for calculating a MAC for integrity verification.

11 11 DESMAC or DAA

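12 12 Use of Encryption for MAC [Diagram: the sender runs the Message through the Encryption Algorithm under key K to produce the MAC and sends Message plus MAC; the receiver runs the received Message through the Encryption Algorithm under K and compares the result with the received MAC]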

13 13 Why not base MACs on Encryption
Message authentication codes based on encryption functions are a bad idea because:
- Inefficiency of encryption algorithm in software
- US export restrictions
Solution:
- Use Message Digests, or use a one-way hash function to create a fixed size fingerprint of the variable sized message.
[Diagram: Alice sends Bob P, D_A(MD(P))]

14 14 What is a hash function? A hash function H is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in cryptography, the hash functions are usually chosen to have some additional properties.

15 15 Cryptographic Hash Functions Cryptographic hash functions are intended to resist inversion -- finding a message with a given hash value -- and collision -- finding two messages with the same hash value. Message authentication codes, on the other hand, are intended to resist forgery -- computing a message authentication code without knowledge of a secret key.

16 16 Requirements for Cryptographic Hash Functions
The basic requirements for a cryptographic hash function are as follows.
- The input can be of any length.
- The output has a fixed length.
- H(x) is relatively easy to compute for any given x.
- H(x) is one-way.
- H(x) is collision-free.

17 17 H(x) is one-way... A hash function H is said to be one-way if it is hard to invert, where “hard to invert” means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

18 18 H(x) is collision-free... If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y), then H is said to be a weakly collision-free hash function. A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

19 19 Hash Functions as Message Digests The hash value represents concisely the longer message or document from which it was computed; this value is called the message digest. One can think of a message digest as a "digital fingerprint" of the larger document. Examples of well known hash functions are MD2, MD5 and SHA.

20 20 Compression Function Damgard and Merkle greatly influenced cryptographic hash function design by defining a hash function in terms of what is called a compression function. A compression function takes a fixed-length input and returns a shorter, fixed-length output. Given a compression function, a hash function can be defined by repeated applications of the compression function until the entire message has been processed.

21 21 Compression Function In this process, a message of arbitrary length is broken into blocks whose length depends on the compression function, and “padded” (for security reasons) so the size of the message is a multiple of the block size. The blocks are then processed sequentially, taking as input the result of the hash so far and the current message block, with the final output being the hash value for the message.

22 22 MD5 Hash Function MD5 designed by Ron Rivest, MIT Laboratory for Computer Science and RSA Data Security, Inc. MD5 documented in Request for Comments: 1321 dated April 1992

23 23 MD5 Steps
The following five steps are performed to compute the message digest of the message.
- Step 1. Append Padding Bits
- Step 2. Append Length
- Step 3. Initialize MD Buffer
- Step 4. Process Message in 16-Word Blocks
- Step 5. Output

24 24 Step 1. Append Padding Bits The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512. Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

25 25 Step 2. Append Length A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words and appended low-order word first in accordance with the previous conventions.)

26 26 Step 3. Initialize MD Buffer A four-word buffer (A,B,C,D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values in hexadecimal, low-order bytes first):

27 27 Step 4. Process Message in 16-Word Blocks (4 Rounds)

28 28 Step 4. Continued (4 Rounds)
- ρ2(i) = (1 + 5i) mod 16
- ρ3(i) = (5 + 3i) mod 16
- ρ4(i) = 7i mod 16

29 29 Step 4. Round 1 and 2

30 30 Step 4. Round 3 and 4

31 31 Step 4. Continued

32 32 Step 4. Continued

33 33 The MD5 Boolean Functions The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs.

34 34 Truth table of logical functions

35 35 Table T, constructed from the sine function This step uses a 64-element table T[1... 64] constructed from the sine function. Let T[i] denote the i-th element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians. The elements of the table are given in the following slide.

36 36 Table T, constructed from the sine function

37 37 Step 5. Output The message digest produced as output is A, B, C, D. That is, we begin with the low-order byte of A, and end with the high-order byte of D.
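The five steps on slides 23 to 37, carried through as an added Python example (not code from the presentation). The Step 3 register values, the rotation amounts and the functions F, G, H, I are taken from RFC 1321, because the slides that showed them did not survive in this transcript; the word order in rounds 2 to 4 follows slide 28, T is built from the sine function as on slide 35, and the loop in `md5` is the block-by-block compression chaining of slides 20 and 21.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Step 3: initial A, B, C, D (values from RFC 1321).
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Left-rotation amount for each of the 64 operations (RFC 1321).
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
          + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# Table T: integer part of 4294967296 * abs(sin(i)), i = 1..64 in radians.
T = [int(4294967296 * abs(math.sin(i))) for i in range(1, 65)]


def pad(message: bytes) -> bytes:
    """Steps 1 and 2: a '1' bit, '0' bits up to 448 mod 512, 64-bit length."""
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF  # low-order 64 bits of b
    padded = message + b"\x80"                # the single '1' bit
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)  # low-order word first


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(state, block: bytes):
    """Step 4 for one 16-word block: 4 rounds of 16 operations each."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:                            # round 1: F, words in order
            f, k = (b & c) | (~b & d), i
        elif i < 32:                          # round 2: G, (1 + 5i) mod 16
            f, k = (b & d) | (c & ~d), (1 + 5 * i) % 16
        elif i < 48:                          # round 3: H, (5 + 3i) mod 16
            f, k = b ^ c ^ d, (5 + 3 * i) % 16
        else:                                 # round 4: I, 7i mod 16
            f, k = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (f + a + T[i] + X[k]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, SHIFTS[i])) & MASK
    # Add this block's result to the chaining value that entered it.
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md5(message: bytes) -> str:
    state = INIT
    data = pad(message)
    for off in range(0, len(data), 64):       # 16 words = 64 bytes per block
        state = compress(state, data[off:off + 64])
    # Step 5: output A, B, C, D, low-order byte of A first.
    return struct.pack("<4I", *state).hex()
```

`pad(b"a" * 56)` returns 128 bytes: the message is already 448 bits long, so a full extra 512 bits of padding is still added, as Step 1 requires.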

38 Strength of MD5
- MD5 hash is dependent on all message bits
- Rivest claims security is good as can be
- known attacks are:
  - Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
  - Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
  - Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
- conclusion is that MD5 looks vulnerable soon

39 39 Other Message Digest Algorithms MD4 SHA-1 RIPEMD-160

40 Secure Hash Algorithm (SHA-1)
- SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
- US standard for use with DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC3174
  - nb. the algorithm is SHA, the standard is SHS
- produces 160-bit hash values
- now the generally preferred hash algorithm
- based on design of MD4 with key differences

41 SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
   - expand 16 words into 80 words by mixing & shifting
   - use 4 rounds of 20 bit operations on message block & buffer
   - add output to input to form new buffer value
5. output hash value is the final buffer value

42 SHA-1 Compression Function
each round has 20 steps which replace the 5 buffer words thus:
$(A,B,C,D,E) \leftarrow ((E + f(t,B,C,D) + (A \ll 5) + W_t + K_t),\ A,\ (B \ll 30),\ C,\ D)$
- a,b,c,d refer to the 4 words of the buffer
- t is the step number
- f(t,B,C,D) is nonlinear function for round
- $W_t$ is derived from the message block
- $K_t$ is a constant value derived from sin

43 SHA-1 Compression Function

44 Revised Secure Hash Standard
- NIST have issued a revision FIPS 180-2
- adds 3 additional hash algorithms
- SHA-256, SHA-384, SHA-512
- designed for compatibility with increased security provided by the AES cipher
- structure & detail is similar to SHA-1
- hence analysis should be similar

45 SHA-1 versus MD5
- brute force attack is harder (160 vs 128 bits for MD5)
- not vulnerable to any known attacks (compared to MD4/5)
- a little slower than MD5 (80 vs 64 steps)
- both designed as simple and compact
- optimised for big endian CPUs (vs MD5 which is optimised for little endian CPUs)

46 46 Relative Performance of Several Hash Functions (coded in C++ on a 266 MHz Pentium)

47 47 Secret Key Electronic Signatures Issues If two parties share a secret key, and one party receives data with a MAC that is correctly verified using the shared key, that party may assume that the other party signed the data. This assumes, however, that the two parties trust each other. Thus, through the use of a MAC, in addition to data integrity, a form of electronic signature is obtained. Using additional controls, such as key notarization and key attributes, it is possible to provide an electronic signature even if the two parties do not trust each other.
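Slides 10 and 12 (append a MAC, recompute it and compare) together with the trust caveat on slide 47, as an added Python example that is not part of the presentation. HMAC-SHA-256 from the standard library stands in for the MAC algorithm, which is an assumption (the slides discuss DES-MAC and a hash with a shared secret value), and the key and messages are constructed sample values.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key: bytes, message: bytes) -> bytes:
    """Sender: calculate the MAC from the data and append it."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Receiver: recalculate the MAC with the shared key and compare."""
    if len(blob) < TAG_LEN:
        raise ValueError("too short to carry a MAC")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("MAC mismatch: data modified or wrong key")
    return message


def is_authentic(key: bytes, blob: bytes) -> bool:
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed secret shared by Alice and Bob
    from_alice = seal(key, b"transfer 10 to Bob")
    # Same MAC, different data: the modification is detected.
    tampered = b"transfer 99 to Bob" + from_alice[-TAG_LEN:]
    # Bob holds the same key, so anything he seals verifies like Alice's.
    from_bob = seal(key, b"transfer 1000 to Bob")
    return {
        "alice_ok": is_authentic(key, from_alice),
        "tampered_ok": is_authentic(key, tampered),
        "bob_made_ok": is_authentic(key, from_bob),
        "wrong_key_ok": is_authentic(secrets.token_bytes(32), from_alice),
    }
```

`alice_ok` and `bob_made_ok` are both true, which is the point of slide 47: the MAC proves integrity to the key holders, but a third party cannot tell which of the two produced a given message.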

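48 48 Digital Signatures with Conventional Encryption and Hash Functions [Diagram: the sender passes the Message through the Hash Function to a Message Digest and encrypts it under K to form the Signature, which is sent with the Message; the receiver hashes the received Message, processes the Signature with K, and compares the two Message Digests]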

49 49 Big Brother - If parties do not share a secret key [Diagram: Alice sends BB the message A, K_A(B, R_A, t, P); BB sends Bob K_B(A, R_A, t, P, K_BB(A, t, P))]

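50 50 Digital Signatures with a Secret Shared Value and Hash Functions [Diagram: the sender hashes the Message together with the Shared Secret Value to form the Signature, which is sent with the Message; the receiver hashes the received Message with the Shared Secret Value and compares the result with the received Signature]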

51 51 Public Key Electronic Signatures Another type of electronic signature is implemented using public key cryptography. Data is electronically signed by applying the originator's private key to the data. To increase the speed of the process, the private key is applied to a shorter form of the data, called a "hash" or "message digest," rather than to the entire set of data. The resulting digital signature can be stored or transmitted along with the data.

52 52 Public Key Electronic Signatures The signature can be verified by any party using the public key of the signer. This feature is very useful, for example, when distributing signed copies of virus-free software. Any recipient can verify that the program remains virus- free. If the signature verifies properly, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer.

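53 53 Digital Signatures with Hash Functions and Public Key Encryption [Diagram: the sender passes the Message through the Hash Function to a Message Digest and applies K PRIVATE to form the Signature, which is sent with the Message; the receiver hashes the received Message, applies K PUBLIC to the Signature, and compares the two Message Digests]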

54 54 Steps in making a digital signature

55 55 Steps in making a digital signature
1. Joe runs a one-way hash function to create a fixed length message digest from the message to be sent.
2. Joe encrypts the message digest with his private key to create a digital signature.
3. Joe sends the signature and the message to Alice.
4. Alice decrypts the signature with Joe's public key to reveal the message digest.
5. Alice then applies the same one-way function to the message she received from Joe to produce a message digest.
6. Alice compares the message digest she created with the message digest sent by Joe. If they match, the integrity of the message is verified.

56 56 Steps in making a digital signature

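57 57 Steps in making a digital signature [Diagram: on Alice's computer, P passes through Alice's private key D_A to give D_A(P) and then through Bob's public key E_B to give E_B(D_A(P)), which is sent over the transmission line; on Bob's computer, Bob's private key D_B recovers D_A(P) and the public key E_A recovers P]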

58 58 Digital Signature Process
Steps Involved in Creating a Digital Signature
1. Sender generates a digest of the message (M) using a one-way hash function (SHA-1, MD5, etc).
2. Sender encrypts the digest with his/her Private Key, appends it to the message and transmits.
3. Receiver decrypts using sender's Public Key and compares with the digest of the message computed at receiving end.
4. A match verifies the signature and vice versa.
[Diagram: Alice computes H(M) and sends M || E_KRA(H(M)) over the Internet; Bob computes H(M) from M and D_KUA(E_KRA(H(M))) from the signature and checks whether they match; the numbers 1 to 4 mark the steps above]

59 59 Digital Signature Standard (DSS)
- US Govt approved signature scheme FIPS 186
- uses the SHA hash algorithm
- designed by NIST & NSA in early 90's
- DSS is the standard, DSA is the algorithm
- a variant on ElGamal and Schnorr schemes
- creates a 320 bit signature, but with 512-1024 bit security
- security depends on difficulty of computing discrete logarithms

60 60 DSA Key Generation
have shared global public key values (p,q,g):
- a large prime $p = 2^L$
  - where L = 512 to 1024 bits and is a multiple of 64
- choose q, a 160 bit prime factor of $p-1$
- choose $g = h^{(p-1)/q}$
  - where h 1
users choose private & compute public key:
- choose $x < q$
- compute $y = g^x \pmod p$

61 61 DSA Signature Creation
to sign a message M the sender:
- generates a random signature key k, $k < q$
- nb. k must be random, be destroyed after use, and never be reused
then computes signature pair:
- $r = (g^k \bmod p) \bmod q$
- $s = (k^{-1}(\mathrm{SHA}(M) + x \cdot r)) \bmod q$
sends signature (r,s) with message M

62 62 DSA Signature Verification
having received M & signature (r,s), to verify a signature, recipient computes:
- $w = s^{-1} \bmod q$
- $u1 = (\mathrm{SHA}(M) \cdot w) \bmod q$
- $u2 = (r \cdot w) \bmod q$
- $v = (g^{u1} \cdot y^{u2} \bmod p) \bmod q$
if v = r then signature is verified
see book web site for details of proof why

63 DSS Proof Let p and q be primes so that q divides p - 1, h a positive integer less than p, and $g = h^{(p-1)/q} \bmod p$. Then $g^q \bmod p = 1$, and if $m \bmod q = n \bmod q$, then $g^m \bmod p = g^n \bmod p$. Proof: We have $g^q \bmod p = (h^{(p-1)/q} \bmod p)^q \bmod p = h^{(p-1)} \bmod p = 1$

64 by Fermat's Little Theorem. Now let $m \bmod q = n \bmod q$, i.e., $m = n + kq$ for some integer k. Then $g^m \bmod p = g^{n+kq} \bmod p = (g^n g^{kq}) \bmod p = ((g^n \bmod p)(g^q \bmod p)^k) \bmod p = g^n \bmod p$ since $g^q \bmod p = 1$. ∎ We are now ready to prove the main result.

65 THEOREM. If M' = M, r' = r, and s' = s in the signature verification, then v = r'. Proof: We have
$w = (s')^{-1} \bmod q = s^{-1} \bmod q$
$u1 = ((\text{SHA-1}(M'))w) \bmod q = ((\text{SHA-1}(M))w) \bmod q$
$u2 = ((r')w) \bmod q = (rw) \bmod q$.
Now $y = g^x \bmod p$, so that by the lemma,
$v = ((g^{u1} y^{u2}) \bmod p) \bmod q = ((g^{\text{SHA-1}(M)w} y^{rw}) \bmod p) \bmod q = ((g^{\text{SHA-1}(M)w} g^{xrw}) \bmod p) \bmod q = ((g^{(\text{SHA-1}(M)+xr)w}) \bmod p) \bmod q$.

66 Also $s = (k^{-1}(\text{SHA-1}(M) + xr)) \bmod q$. Hence
$w = (k(\text{SHA-1}(M) + xr)^{-1}) \bmod q$
$(\text{SHA-1}(M) + xr)w \bmod q = k \bmod q$.
Thus by the lemma, $v = (g^k \bmod p) \bmod q = r = r'$
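Key generation, signing and verification from slides 60 to 62, as an added Python example (not from the presentation) that keeps the slides' symbols. The parameters are toy-sized assumptions (q = 2^31 - 1 and the smallest prime p = 2jq + 1) chosen so the arithmetic runs instantly and give no security; the range check on r and s in `verify` comes from FIPS 186 and is not shown on the slides.

```python
import hashlib
import math
import secrets


def is_prime(n: int) -> bool:
    # Trial division: adequate only for the toy sizes used here.
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def make_params(q: int = 2**31 - 1, h: int = 2):
    """Toy (p, q, g): q prime, q divides p - 1, g = h^((p-1)/q) mod p."""
    assert is_prime(q)
    j = 1
    while not is_prime(2 * j * q + 1):
        j += 1
    p = 2 * j * q + 1
    g = pow(h, (p - 1) // q, p)
    assert g > 1                     # otherwise pick another h
    return p, q, g


def H(message: bytes) -> int:
    """SHA(M) as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1         # private key, 0 < x < q
    return x, pow(g, x, p)                   # public key y = g^x mod p


def sign(params, x: int, message: bytes):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1     # fresh random k per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(message) + x * r) % q
        if r and s:                          # retry in the rare zero case
            return r, s                      # k goes out of scope, never stored


def verify(params, y: int, message: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):        # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = H(message) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r
```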

67 Summary
have considered:
- Authentication functions
- MAC
- Hash functions
- digital signatures
- authentication protocols (mutual & one-way)
- digital signature standard

