Discrete Logarithms – Computing discrete logs – Diffie-Hellman key exchange – ElGamal Public key cryptosystems – Hash functions – Secure Hash – Birthday attacks - MD5 – Digital signatures – RSA – ElGamal – DSA.

1. IT2352 CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT – III
Dr.A.Kathirvel, Professor and Head, Dept of IT
Anand Institute of Higher Technology, Chennai

2. Unit - III
Discrete Logarithms – Computing discrete logs – Diffie-
Hellman key exchange – ElGamal Public key
cryptosystems – Hash functions – Secure Hash –
Birthday attacks - MD5 – Digital signatures – RSA –
ElGamal – DSA.

3. DISCRETE LOGARITHMS IN FINITE FIELDS
Alice Bob
Pick secret, random
X from F
Pick secret, random
Y from F
gy mod p
gx mod p
Compute k=(gy)x=gxy mod p
Compute k=(gx)y=gxy mod p
Eve has to compute gxy from gx and gy without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
F={1,2,3,…,p-1}

4. 4
DIFFIE-HELLMAN
The Diffie–Hellman (DH) key exchange technique was first
defined in their seminal paper in 1976.
DH key exchange is a method of exchanging public (i.e.
non-secret) information to obtain a shared secret.
DH is not an encryption algorithm.
DH key exchange has the following important properties:
1. The resulting shared secret cannot be computed by
either of the parties without the cooperation of the other.
2. A third party observing all the messages transmitted
during DH key exchange cannot deduce the resulting
shared secret at the end of the protocol.

5. 5
PRINCIPLE BEHIND DH
•DH key exchange was first proposed before there were any known
public key algorithms, but the idea behind it motivated the hunt for
practical public key algorithms.
•DH key exchange is not only a useful and practical key
establishment technique, but also a significant milestone in the
history of modern cryptography.
Assume that Alice and Bob are the parties who wish to establish a
shared secret, and let their public and private keys in the public key
cipher system be denoted by (PA , SA) and (PB , SB) respectively.
The basic principle behind Diffie–Hellman key exchange is as
follows:

6. 1. Alice and Bob exchange their public keys PA
and PB.
2. Alice computes F(SA , PB)
3. Bob computes F(SB, PA)
4. The special property of the public key cipher
system, and the choice of the function F, are
such that F(SA , PB) = F(SB, PA). If this is the
case then Alice and Bob now share a secret.
5. This shared secret can easily be converted by
some public means into a bit string suitable for
use as, for example, a DES key.

7. 7
DIFFIE-HELLMAN KEY EXCHANGE
The most commonly described implementation of DH
key exchange uses the keys of the ElGamal cipher system
and a very simple function F.
The system parameters (which are public) are:
• a large prime number p – typically 1024 bits in
length
• a primitive element g

8. 1. Alice generates a private random value a,
calculates g
a
(mod p) and sends it to Bob.
Meanwhile Bob generates a private random
value b, calculates g
b
(mod p) and sends it to
Alice.
2. Alice takes g
b
and her private random value a
to compute (g
b
)
a
= g
ab
(mod p).
3. Bob takes g
a
and his private random value b
to compute (g
a
)
b
= g
ab
(mod p).
4. Alice and Bob adopt g
ab
(mod p) as the
shared secret.

9. 9
DH QUESTIONS
1. What is the hard problem on which the DH key exchange
algorithm is based?
2. Suppose that DH key exchange is used to generate a symmetric
key. Why might that key be derived (but different from) the DH
shared secret?
3. The example of DH key exchange that we described is based on
ElGamal keys. Can you use the public and private keys of any
established public key encryption algorithm to implement DH key
exchange?

10. DIFFIE-HELLMAN KEY EXCHANGE
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
– note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange of a
secret key
• used in a number of commercial products

11. DIFFIE-HELLMAN KEY EXCHANGE
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their
private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete
logarithms (similar to factoring) – hard

12. DIFFIE-HELLMAN SETUP
• all users agree on global parameters:
– large prime integer or polynomial q
– a being a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
– compute their public key: yA = a
xA
mod q
• each user makes public that key yA

13. DIFFIE-HELLMAN (DH) KEY EXCHANGE

14. DIFFIE-HELLMAN KEY EXCHANGE
• shared session key for users A & B is KAB:
KAB = a
xA.xB
mod q
= yA
xB
mod q (which B can compute)
= yB
xA
mod q (which A can compute)
• KAB is used as session key in private-key encryption
scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will
have the same key as before, unless they choose
new public-keys
• attacker needs an x, must solve discrete log

15. DIFFIE-HELLMAN EXAMPLE
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute respective public keys:
– yA=3
97
mod 353 = 40 (Alice)
– yB=3
233
mod 353 = 248 (Bob)
• compute shared session key as:
– KAB= yB
xA
mod 353 = 248
97
= 160
(Alice)
– KAB= yA
xB
mod 353 = 40
233
= 160(Bob)

16. KEY EXCHANGE PROTOCOLS
• users could create random private/public D-H keys
each time they communicate
• users could create a known private/public D-H key
and publish in a directory, then consulted and used
to securely communicate with them
• both of these are vulnerable to a meet-in-the-Middle
Attack
• authentication of the keys is needed

17. MAN-IN-THE-MIDDLE ATTACK
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob.
Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with
Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to
Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth
instead of Bob)
 Darth can then intercept, decrypt, re-encrypt, forward all
messages between Alice & Bob

18. 18
ELGAMAL
• To show that RSA is not the only public key
system
• To exhibit a public key system based on a
different one way function
• ElGamal is the basis for several well-known
cryptographic primitives
We will also take a look at the ElGamal public
key cipher system for a number of reasons:

19. 19
SETTING UP ELGAMAL
• Let p be a large prime
– By “large” we mean here a prime rather typical
in length to that of an RSA modulus
• Select a special number g
– The number g must be a primitive element
modulo p.
• Choose a private key x
– This can be any number bigger than 1 and
smaller than p-1
• Compute public key y from x, p and g
– The public key y is g raised to the power of the
private key x modulo p. In other words:
y = gx mod p

20. 20
SETTING UP ELGAMAL: EXAMPLE
Step 1: Let p = 23
Step 2: Select a primitive element g = 11
Step 3: Choose a private key x = 6
Step 4: Compute y = 116 (mod 23)
= 9
Public key is 9
Private key is 6

21. 21
ELGAMAL ENCRYPTION
The first job is to represent the plaintext as a
series of numbers modulo p. Then:
1. Generate a random number k
2. Compute two values C1 and C2, where
C1 = gk mod p and C2 = Myk mod
p
3. Send the ciphertext C, which consists of
the two separate values C1 and C2.

22. 22
ELGAMAL ENCRYPTION: EXAMPLE
To encrypt M = 10 using Public key 9
1 - Generate a random number k = 3
2 - Compute C1= 113 mod 23 = 20
C2= 10 x 93 mod 23
= 10 x 16 = 160 mod 23 = 22
3 - Ciphertext C = (20 , 22 )

23. 23
ELGAMAL DECRYPTION
C1 = gk mod p C2 = Myk mod p
1 - The receiver begins by using their private key x to
transform C1 into something more useful:
C1
x = (gk)x mod p
NOTE: C1
x = (gk)x = (gx)k = (y)k = yk mod p
2 - This is a very useful quantity because if you divide
C2 by it you get M. In other words:
C2 / yk = (Myk) / yk = M mod p

24. 24
ELGAMAL DECRYPTION: EXAMPLE
To decrypt C = (20 , 22 )
1 - Compute 206 = 16 mod 23
2 - Compute 22 / 16 = 10 mod 23
3 - Plaintext = 10

25. 25
SECURITY OF ELGAMAL
1. Trying to decrypt a ciphertext without
knowledge of the private key
2. Trying to determine the private key
Recall the two different strategies for trying to
“break” RSA:
What hard problems do you come across if you try to follow
these two different strategies to break ElGamal?

26. PUBLIC-KEY CRYPTOSYSTEMS
Secrecy: Only B can Decrypt
the messageAuthentication: Only A can
generate the encrypted message

27. Public-Key Cryptography

28. Public-Key Cryptography

29. ELGAMAL CRYPTOGRAPHY
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois)
• with security based difficulty of computing discrete
logarithms, as in D-H
• each user (eg. A) generates their key
– chooses a secret key (number): 1 < xA < q-1
– compute their public key: yA = a
xA
mod q

30. ELGAMAL MESSAGE EXCHANGE
• Bob encrypt a message to send to A computing
– represent message M in range 0 <= M <= q-1
• longer messages must be sent as blocks
– chose random integer k with 1 <= k <= q-1
– compute one-time key K = yA
k
mod q
– encrypt M as a pair of integers (C1,C2) where
• C1 = a
k
mod q ; C2 = KM mod q
• A then recovers message by
– recovering key K as K = C1
xA mod q
– computing M as M = C2 K-1 mod q
• a unique k must be used each time
– otherwise result is insecure

31. ELGAMAL EXAMPLE
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses xA=5 & computes yA=10
5
mod 19 = 3
• Bob send message m=17 as (11,5) by
– chosing random k=6
– computing K = yA
k
mod q = 3
6
mod 19 = 7
– computing C1 = a
k
mod q = 10
6
mod 19= 11;
C2 = KM mod q = 7.17 mod 19 = 5
• Alice recovers original message by computing:
– recover K = C1
xA mod q = 11
5
mod 19 = 7
– compute inverse K-1 = 7-1 = 11
– recover M = C2 K-1 mod q = 5.11 mod 19=17

32. ELLIPTIC CURVE CRYPTOGRAPHY
• majority of public-key crypto (RSA, D-H) use either
integer or polynomial arithmetic with very large
numbers/polynomials
• imposes a significant load in storing and processing
keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
• newer, but not as well analysed

33. REAL ELLIPTIC CURVES
• an elliptic curve is defined by an equation in two
variables x & y, with coefficients
• consider a cubic elliptic curve of form
– y2 = x3 + ax + b
– where x,y,a,b are all real numbers
– also define zero point O
• consider set of points E(a,b) that satisfy
• have addition operation for elliptic curve
– geometrically sum of P+Q is reflection of the
intersection R

34. REAL ELLIPTIC CURVE EXAMPLE

35. FINITE ELLIPTIC CURVES
• Elliptic curve cryptography uses curves whose
variables & coefficients are finite
• have two families commonly used:
– prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
– binary curves E2m(a,b) defined over GF(2n)
• use polynomials with binary coefficients
• best in hardware

36. ELLIPTIC CURVE CRYPTOGRAPHY
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo
exponentiation
• need “hard” problem equiv to discrete log
– Q=kP, where Q,P belong to a prime curve
– is “easy” to compute Q given k,P
– but “hard” to find k given Q,P
– known as the elliptic curve logarithm problem
• Certicom example: E23(9,17)

37. ECC DIFFIE-HELLMAN
• can do key exchange analogous to D-H
• users select a suitable curve Eq(a,b)
• select base point G=(x1,y1)
– with large order n s.t. nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nAG, PB=nBG
• compute shared key: K=nAPB, K=nBPA
– same since K=nAnBG
• attacker would need to find k, hard

38. ECC ENCRYPTION/DECRYPTION
• several alternatives, will consider simplest
• must first encode any message M as a point on the
elliptic curve Pm
• select suitable curve & point G as in D-H
• each user chooses private key nA<n
• and computes public key PA=nAG
• to encrypt Pm : Cm={kG, Pm+kPb}, k random
• decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm

39. ECC SECURITY
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller key
sizes than with RSA etc
• for equivalent key lengths computations are roughly
equivalent
• hence for similar security ECC offers significant
computational advantages

40. COMPARABLE KEY SIZES FOR
EQUIVALENT SECURITY
Symmetric
scheme
(key size in
bits)
ECC-based
scheme
(size of n in
bits)
RSA/DSA
(modulus size
in bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360

41. PSEUDORANDOM NUMBER GENERATION
(PRNG) BASED ON ASYMMETRIC CIPHERS
 asymmetric encryption algorithm produce
apparently random output
 hence can be used to build a pseudorandom number
generator (PRNG)
 much slower than symmetric algorithms
 hence only use to generate a short pseudorandom
bit sequence (eg. key)

42. PRNG BASED ON RSA
have Micali-Schnorr PRNG using RSA
in ANSI X9.82 and ISO 18031

43. PRNG BASED ON ECC
• dual elliptic curve PRNG
– NIST SP 800-9, ANSI X9.82 and ISO 18031
• some controversy on security /inefficiency
• algorithm
for i = 1 to k do
set si = x(si-1 P )
set ri = lsb240 (x(si Q))
end for
return r1 , . . . , rk
• only use if just have ECC

44. SUMMARY
• have considered:
– Diffie-Hellman key exchange
– ElGamal cryptography
– Elliptic Curve cryptography
– Pseudorandom Number Generation (PRNG) based
on Asymmetric Ciphers (RSA & ECC)

45. 45
HASH FUNCTIONS – SECURE HASH
• Approaches to Message Authentication
• Secure Hash Functions and HMAC
• Public-Key Cryptography Principles
• Public-Key Cryptography Algorithms
• Digital Signatures
• Key Management

46. 46
AUTHENTICATION
• Requirements - must be able to verify that:
1. Message came from apparent source or author,
2. Contents have not been altered,
3. Sometimes, it was sent at a certain time or
sequence.
• Protection against active attack (falsification of data
and transactions)

47. 47
APPROACHES TO MESSAGE
AUTHENTICATION
• Authentication Using Conventional Encryption
– Only the sender and receiver should share a key
• Message Authentication without Message
Encryption
– An authentication tag is generated and appended
to each message
• Message Authentication Code
– Calculate the MAC as a function of the message
and the key. MAC = F(K, M)

48. 48

49. 49
ONE-WAY HASH FUNCTION

50. 50
ONE-WAY HASH FUNCTION
• Secret value is added before the hash and removed
before transmission.

51. 51
SECURE HASH FUNCTIONS
• Purpose of the HASH function is to produce a
”fingerprint.
• Properties of a HASH function H :
1. H can be applied to a block of data at any size
2. H produces a fixed length output
3. H(x) is easy to compute for any given x.
4. For any given value h, it is computationally
infeasible to find x such that H(x) = h
5. For any given block x, it is computationally
infeasible to find with H(y) = H(x).
6. It is computationally infeasible to find any
pair (x, y) such that H(x) = H(y)
xy 

52. 52
SIMPLE HASH FUNCTION
• One-bit circular shift on the hash value after each
block is processed would improve the code

53. 53
MESSAGE DIGEST GENERATION
USING SHA-1

54. 54
SHA-1 PROCESSING OF SINGLE
512-BIT BLOCK

55. 55
OTHER SECURE HASH FUNCTIONS
SHA-1 MD5 RIPEMD-160
Digest length 160 bits 128 bits 160 bits
Basic unit of
processing
512 bits 512 bits 512 bits
Number of steps 80 (4 rounds of
20)
64 (4 rounds
of 16)
160 (5 paired
rounds of 16)
Maximum message
size
264-1 bits  

56. 56
HMAC
• Use a MAC derived from a cryptographic hash code,
such as SHA-1.
• Motivations:
– Cryptographic hash functions executes faster in
software than encryption algorithms such as DES
– Library code for cryptographic hash functions is
widely available
– No export restrictions from the US (Not a problem
anymore)

57. 57
HMAC STRUCTURE

58. 58
PUBLIC-KEY CRYPTOGRAPHY PRINCIPLES
• The use of two keys has consequences in: key
distribution, confidentiality and authentication.
• The scheme has six ingredients
– Plaintext
– Encryption algorithm
– Public and private key
– Ciphertext
– Decryption algorithm

59. 59
APPLICATIONS FOR PUBLIC-KEY
CRYPTOSYSTEMS
• Three categories:
– Encryption/decryption: The sender encrypts a
message with the recipient’s public key.
– Digital signature: The sender ”signs” a message
with its private key.
– Key echange: Two sides cooperate two exhange a
session key.

60. 60
ENCRYPTION USING PUBLIC-KEY
SYSTEM

61. 61
AUTHENTICATION USING PUBLIC-
KEY SYSTEM

62. 62
REQUIREMENTS FOR PUBLIC-KEY
CRYPTOGRAPHY
1. Computationally easy for a party B to generate a
pair (public key KUb, private key KRb)
2. Easy for sender to generate ciphertext:
3. Easy for the receiver to decrypt ciphertect using
private key:
)(MEC KUb
)]([)( MEDCDM KUbKRbKRb 

63. 63
REQUIREMENTS FOR PUBLIC-KEY
CRYPTOGRAPHY
4. Computationally infeasible to determine private
key (KRb) knowing public key (KUb)
5. Computationally infeasible to recover message M,
knowing KUb and ciphertext C
6. Either of the two keys can be used for encryption,
with the other used for decryption:
)]([)]([ MEDMEDM KRbKUbKUbKRb 

64. ATTACKS ON HASH FUNCTIONS
• have brute-force attacks and cryptanalysis
• a preimage or second preimage attack
– find y s.t. H(y) equals a given hash value
• collision resistance
– find two messages x & y with same hash so
H(x) = H(y)
• hence value 2m/2 determines strength of hash code
against brute-force attacks
– 128-bits inadequate, 160-bits suspect

65. HASH FUNCTION REQUIREMENTS

66. BIRTHDAY ATTACKS
• might think a 64-bit hash is secure
• but by Birthday Paradox is not
• birthday attack works thus:
– given user prepared to sign a valid message x
– opponent generates 2
m/2 variations x’ of x, all with
essentially the same meaning, and saves them
– opponent generates 2
m/2 variations y’ of a desired
fraudulent message y
– two sets of messages are compared to find pair
with same hash (probability > 0.5 by birthday
paradox)
– have user sign the valid message, then substitute
the forgery which will have a valid signature
• conclusion is that need to use larger MAC/hash

67. 67
BIRTHDAY ATTACKS
 Birthday paradox
 In a group of 23 randomly chosen people, at
least two will share a birthday with probability
at least 50%. If there are 30, the probability is
around 70%.
 Finding two people with the same birthday is
the same thing as finding a collision for this
particular hash function.

68. 68
BIRTHDAY ATTACKS
 The probability that all 23 people have
different birthdays is
Therefore, the probability of at least two
having the
same birthday is 1- 0.493=0.507
 More generally, suppose we have N objects,
where N is large. There are r people, and
each chooses an object. Then
493.0)
365
22
1)...(
365
2
1)(
365
1
1(1 
Nr
eP 2/2
1)matchaisthere( 


69. 69
BIRTHDAY ATTACKS
 Choosing r2/2N = ln2, we find that if r≈1.177 ,
then the probability is 50% that at least two
people choose the same object.
 If there are N possibilities and we have a list of
length , then there is a good chance of a
match.
 If we want to increase the chance of a match,
we can make a list of length of a constant times
N
N
N

70. 70
BIRTHDAY ATTACKS
(Example) We have 40 license plates, each
ending in a 3-digit number. What is the
probability that two of the license plates end
in the same 3 digits?
(Solution) N=1000, r=40
1. Approximation:
2. The exact answer:
551.01 10002/402
 
e
546.0)
1000
39
1)...(
1000
2
1)(
1000
1
1(1 

71. 71
BIRTHDAY ATTACKS
 What is the probability that none of these 40
license plates ends in the same 3 digits as
yours?
 The reason the birthday paradox works is
that we are not just looking for matches
between one fixed plate and the other plates.
We are looking for matches between any two
plates in the set, so there are more
opportunities for matches.
961.0)
1000
1
1( 40


72. 72
BIRTHDAY ATTACKS
 The birthday attack can be used to find collisions
for hash functions if the output of the hash
function is not sufficiently large.
 Suppose h is an n-bit hash function. Then there
are N = 2n possible outputs. We have the
situation of list of length r≈ “people” with N
possible “birthdays,” so there is a good chance
of having two values with the same hash value.
 If the hash function outputs 128-bit values, then
the lists have length around 264 ≈1019, which is
too large, both in time and in memory.
N

73. 73
BIRTHDAY ATTACKS
 Suppose there are N objects and there are
two groups of r people. Each person from
each group selects an object. What is the
probability that someone from the first group
choose the same object as someone from
the second group?
 Eg. If we take N=365 and r=30, then
Nr
e
P
/2
1
)groupsobetween twmatchaisthere(


915.01
groups)obetween twmatchaisthere(
365/302
 
e
P

74. 74
BIRTHDAY ATTACKS
• A birthday attack on discrete logarithm
– We want to solve αx≡β (mod p).
– Make two lists, both of length around
1st list: αk (mod p) for random k.
2nd list: βα-h (mod p) for random h.
– There is a good chance that there is a match
αk ≡ βα-h (mod p), hence x=k+h.
Compared with BSGS:
BSGS algorithm is deterministic while the
birthday
attack algorithm is probabilistic.
p

75. HASH ALGORITHMS
Each of the messages, like each one he had ever read of
Stern's commands, began with a number and ended
with a number or row of numbers. No efforts on the
part of Mungo or any of his experts had been able to
break Stern's code, nor was there any clue as to what
the preliminary number and those ultimate numbers
signified.
—Talking to Strange Men, Ruth Rendell

76. HASH ALGORITHMS
• see similarities in the evolution of hash
functions & block ciphers
– increasing power of brute-force attacks
– leading to evolution in algorithms
– from DES to AES in block ciphers
– from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash
algorithms
• likewise tend to use common iterative
structure as do block ciphers

77. MD5
• designed by Ronald Rivest (the R in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash
algorithm
– in recent times have both brute-force &
cryptanalytic concerns
• specified as Internet standard RFC1321

78. MD5 OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
– using 4 rounds of 16 bit operations on message block &
buffer
– add output to buffer input to form new buffer value
5. output hash value is the final buffer value

79. MD5 OVERVIEW

80. MD5 COMPRESSION FUNCTION
• each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but used in
varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in
each round (F,G,H,I)
• T[i] is a constant value derived from sin

81. MD5 Compression Function

82. MD4
• precursor to MD5
• also produces a 128-bit hash of message
• has 3 rounds of 16 steps vs 4 in MD5
• design goals:
– collision resistant (hard to find collisions)
– direct security (no dependence on "hard"
problems)
– fast, simple, compact
– favours little-endian systems (eg PCs)

83. STRENGTH OF MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
– Boer & Bosselaers 93 found a pseudo collision
(again unable to extend)
– Dobbertin 96 created collisions on MD
compression function (but initial constants
prevent exploit)
• conclusion is that MD5 looks vulnerable soon

84. SECURE HASH ALGORITHM (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised
1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet
RFC3174
– nb. the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences

85. SHA OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing &
shifting
– use 4 rounds of 20 bit operations on message
block & buffer
– add output to input to form new buffer value
5. output hash value is the final buffer value

86. SHA-1 Compression Function
• each round has 20 steps which replaces the 5
buffer words thus:
(A,B,C,D,E) <-
(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D)
• a,b,c,d refer to the 4 words of the buffer
• t is the step number
• f(t,B,C,D) is nonlinear function for round
• Wt is derived from the message block
• Kt is a constant value derived from sin

87. SHA-1 COMPRESSION FUNCTION

88. SHA-1 VERSES MD5
• brute force attack is harder (160 vs 128 bits
for MD5)
• not vulnerable to any known attacks
(compared to MD4/5)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big endian CPU's (vs MD5 which
is optimised for little endian CPU’s)

89. REVISED SECURE HASH STANDARD
• NIST have issued a revision FIPS 180-2
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar

90. DIGITAL SIGNATURES
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities

91. DIGITAL SIGNATURE PROPERTIES
• must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical save digital signature in storage

92. DIGITAL SIGNATURE STANDARD (DSS)
• US Govt approved signature scheme FIPS 186
• uses the SHA hash algorithm
• designed by NIST & NSA in early 90's
• DSS is the standard, DSA is the algorithm
• a variant on ElGamal and Schnorr schemes
• creates a 320 bit signature, but with 512-1024 bit
security
• security depends on difficulty of computing discrete
logarithms

93. DSA KEY GENERATION
• have shared global public key values (p,q,g):
– a large prime p = 2L
• where L= 512 to 1024 bits and is a multiple of
64
– choose q, a 160 bit prime factor of p-1
– choose g = h(p-1)/q
• where h<p-1, h(p-1)/q (mod p) > 1
• users choose private & compute public key:
– choose x<q
– compute y = gx (mod p)

94. DSA SIGNATURE CREATION
• to sign a message M the sender:
– generates a random signature key k, k<q
– nb. k must be random, be destroyed after use,
and never be reused
• then computes signature pair:
r = (gk(mod p))(mod q)
s = (k-1.SHA(M)+ x.r)(mod q)
• sends signature (r,s) with message M

95. DSA SIGNATURE VERIFICATION
• having received M & signature (r,s)
• to verify a signature, recipient computes:
w = s-1(mod q)
u1= (SHA(M).w)(mod q)
u2= (r.w)(mod q)
v = (gu1.yu2(mod p)) (mod q)
• if v=r then signature is verified
• see book web site for details of proof why

96. 96
PUBLIC-KEY CRYPTOGRAPHIC
ALGORITHMS
• RSA - Ron Rives, Adi Shamir and Len Adleman at MIT,
in 1977.
– RSA is a block cipher
– The most widely implemented
• Diffie-Hellman
– Exchange a secret key securely
– Compute discrete logarithms

97. 97
THE RSA ALGORITHM – KEY
GENERATION
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer e
5. Calculate d
6. Public Key KU = {e,n}
7. Private key KR = {d,n}
)1)(1()(  qpn
)(1;1)),(gcd( neen 
)(mod1
ned  

98. 98
THE RSA ALGORITHM -
ENCRYPTION
• Plaintext: M<n
• Ciphertext: C = Me (mod n)

99. 99
THE RSA ALGORITHM -
DECRYPTION
• Ciphertext: C
• Plaintext: M = Cd (mod n)

100. 100
EXAMPLE OF RSA ALGORITHM

101. 101
DIGITAL SIGNATURE
• Construct that authenticated origin and contents of
message in a manner provable to a disinterested
third party (“judge”)
• Sender cannot deny having sent message (service is
“nonrepudiation”)
– Limited to technical proofs
• Inability to deny one’s cryptographic key was
used to sign
– One could claim the cryptographic key was stolen
or compromised
• Legal proofs, etc., probably required; not dealt
with here

102. GENERİC DIGITAL SIGNATURE
MODEL

103. 103
COMMON ERROR
• Classical: Alice, Bob share key k
– Alice sends m || { m }k to Bob
This is a digital signature. (?)
WRONG!!
• This is not a digital signature.
– Why? Third party cannot determine whether Alice
or Bob generated the message.

104. 104
CLASSICAL DIGITAL SIGNATURES
• Require trusted third party
– Alice, Bob each share keys with trusted party
Cathy
• To resolve dispute, judge gets { m }kAlice, { m }kBob,
and has Cathy decipher them; if messages
matched, contract was signed.
• Question: Otherwise, who had cheated?
Alice Bob
Bob Cathy
Cathy Bob
{ m }kAlice
{ m }kAlice
{ m }kBob

105. 105
PUBLIC KEY DIGITAL SIGNATURES
• Alice’s keys are dAlice, eAlice
• Alice sends Bob
m || { m }dAlice
• In case of dispute, judge computes
{ { m }dAlice }eAlice
• and if it is m, Alice signed message
– She’s the only one who knows dAlice!

106. 106
RSA DIGITAL SIGNATURES
• Use private key to encipher message
– Protocol for use is critical
• Key points:
– Never sign random documents, and when signing,
always sign hash and never document
• Mathematical properties can be turned against signer
– Sign message first, then encipher
• Changing public keys causes forgery

107. 107
Attack #1
• Example: Alice, Bob communicating
– nA = 95, eA = 59, dA = 11
– nB = 77, eB = 53, dB = 17
• 26 contracts, numbered 00 to 25
– Alice has Bob sign 05 and 17:
• c = mdB mod nB = 0517 mod 77 = 3
• c = mdB mod nB = 1717 mod 77 = 19
– Alice computes 0517 mod 77 = 08; corresponding
signature is 0319 mod 77 = 57; claims Bob signed 08
– Judge computes ceB mod nB = 5753 mod 77 = 08
• Signature validated; Bob is toast

108. csci5233 Computer Security 108
ATTACK #2: BOB’S REVENGE
• Bob, Alice agree to sign contract 06
• Alice enciphers, then signs:
(meB mod 77)dA mod nA = (0653 mod 77)11 mod 95
= 63
• Bob now changes his public key
– Computes r such that 13r mod 77 = 6; say, r =
59
– Computes r eB mod (nB) = 5953 mod 60 = 7
– Replace public key eB with 7, private key dB = 43
• Bob claims contract was 13. Judge computes:
– (6359 mod 95)43 mod 77 = 13
– Verified; now Alice is toast

109. 109
EL GAMAL DIGITAL SIGNATURE
• Relies on discrete log problem
• Choose p prime, g, d < p; compute y = gd mod p
• Public key: (y, g, p); private key: d
• To sign contract m:
– Choose k relatively prime to p–1, and not yet
used (Note: 0 < k < p-1)
– Compute a = gk mod p
– Find b such that m = (da + kb) mod p–1
– Signature is (a, b)
• To validate, check that
– yaab mod p = gm mod p

110. 110
EXAMPLE
• Alice chooses p = 29, g = 3, d = 6
y = 36 mod 29 = 4
• Alice wants to send Bob signed contract 23
– Chooses k = 5 (relatively prime to 28 and
0<k<28)
– This gives a = gk mod p = 35 mod 29 = 11
– Then solving 23 = (611 + 5b) mod 28 gives b =
25
– Alice sends message 23 and signature (11, 25)
• Bob verifies signature: gm mod p = 323 mod 29 = 8
and yaab mod p = 4111125 mod 29 = 8
– They match, so Alice signed

111. 111
ATTACK
• Eve learns k, corresponding message m, and
signature (a, b)
– Extended Euclidean Algorithm gives d, the
private key
• Example from above: Eve learned Alice signed last
message with k = 5
m = (da + kb) mod p–1 = (11d + 525) mod 28
so Alice’s private key is d = 6

112. 112
KEY POINTS
• Key management critical to effective use of
cryptosystems
– Different levels of keys (session vs. interchange)
• Keys need infrastructure to identify holders, allow
revoking
– Digital certificates
– Key escrowing complicates infrastructure
• Digital signatures provide integrity of origin and
content
Much easier with public key cryptosystems than with
classical cryptosystems

113. APPLICATIONS OF PUBLIC-KEY
CRYPTOSYSTEMS
• 3 categories
– encryption/decryption
• to provide secrecy
– digital signatures
• to provide authentication and non-repudiation
– key exchange
• to agree on a session key
• some algorithms are suitable for all uses, others are
specific to one

114. DIGITAL SIGNATURES
• Mechanism for non-repudiation
• Basic idea
– use private key on the message to generate a piece of
information that can be generated only by yourself
• because you are the only person who knows your
private key
– public key can be used to verify the signature
• so everybody can verify
• Generally signatures are created and verified over the
hash of the message
– Why?

115. DIGITAL SIGNATURE – RSA
APPROACH
M: message to be signed H: Hash function
E: RSA Private Key Operation PRa: Sender’s Private
Key
D: RSA Public Key Operation PUa: Sender’s Public
Key
E [PRa,H(M)] Signature of A over M

116. DIGITAL SIGNATURE – DSA APPROACH
• DSA: Digital Signature Algorithm
– NIST standard – FIPS 186 - current revision is 186-3 (2009)
– Key limit 512 – 1024 bits, only for signature, no encryption
• In 186-3, increased up to 3072
– based on discrete logarithm problem
– Message hash is not restored for verification (difference
from RSA)
s, r

117. • M: message to be signed H: Hash function
• Sig: DSA Signing Operation PRa: Sender’s
Private Key
• Ver: DSA Verification Operation PUa: Sender’s
Public Key
• s, r Sender’s signature over M PUG: Global
Public Key components
DIGITAL SIGNATURE – DSA APPROACH

118. COLLISION RESISTANT HASH FUNCTIONS
AND DIGITAL SIGNATURES
• Have you seen the reason why hash functions
should be collision resistant?
– because otherwise messages would be changed
without changing the hash value used in signature
and verification
• Birthday attack
– generate two messages
• one with legitimate meaning
• one fraudulent

119. – create a set of messages from each of them that
carries the same meaning
• play with blanks, synonyms, punctuations
– calculate the hashes of those two sets
– you should have 2n/2 messages (and hashes) in
each set for 0.63 probability of a match, where n is
the hash size
– if a match is found, then the fraudulent hash could
be replaced with the legitimate one without
affecting the signature
COLLISION RESISTANT HASH FUNCTIONS
AND DIGITAL SIGNATURES