2. • Issues addressed
• Alice receives a message from Bob
• Is it authentic?
• Is it really from Bob?
• How to ‘electronically’ ensure authenticity?
• Authenticity of source
• Authenticity of message
• How to ‘electronically’ sign a message ?
3. • Hash value of a message unique tag of message
• its fingerprint
• Alternate terms message digest / Message Integrity
Check (MIC) / Message Detection Code (MDC)
• widely known as ‘hash value’ of message
• Typically hash value is 160 bits long
• message can be much longer
• ‘hashing function’ function used to generate hash
value
• Hash smaller in length than message
• hashing function also called a ‘compression
function’
4. • Need for Alice : ‘send a message to Bob ensure
it is not corrupted’
• Hashing schemes provide means of
establishing such credibility of message
• Hash value generated from message itself
• Alice attaches it to message & sends the pair to
Bob
• Bob knows functional scheme used to generate
hash value
• Bob regenerates hash
• Same as hash from Alice?
• Yes Bob confirms ‘message is authentic’
5. • Causes galore for corruption!
• length of message/ noisy nature of
transmitting / recording media / presence of
ill-intentioned Eve on the way / possible
corruption in archive
• hash a much shorter stamp (say 160 bits
long)
• More easily preserved & transmitted faithfully
• Facilitates Bob’s check Bob can regenerate
hash from message stream itself & use it to
verify its genuineness
6. • CD – an archive stores a long message – for later
use
• On retrieval, how to ascertain ‘it is uncorrupted?’
• Generate hash & store separately / more reliable
way
• Use it along with freshly generated hash value
• They tally ? message remains uncorrupted
• security / confidentiality / integrity of source etc.
. Not involved here
• x message of i bits
• y hash value of n bits
• i >> n 160 bits representative value for
hash length n
7. • y = f(x) hashing function
• function of selected bits of message
(involving AND, OR, INVERT, & XOR
operations)
• x to y relation of many-to-one type
• multiple values for x lead to same value for
y
• Such identification defeats purpose of
hashing – namely providing authenticity
• need to define scope of hashing function
&identify criteria it has to satisfy
8. random oracle model
• abstraction of a black-box type of function.
• Outputs a random number y (x) for every input x
• repetition of a query elicits same answer
• functional relation in I / O process not
discernible
• random Oracle model idealization of hashing
function.
• query oracle with a new x
• It doles out a fresh hash value y
• x1, x2, x3, . . . sequence of messages
• y1, y2, y3, . . . corresponding hash values
9. • Knowledge of the pairs (x1, y1), (x2, y2), . . .
• No clue to hash value for next query
• independence property
• Let M be the collection of all possible messages and Y the
collection of all possible hash values. Let {x1, x2, . . } be
the set of messages for which the hash values have
already been obtained as {y1, y2, . . }. The hash value for
a new message x which is not in the set is equally likely to
be anyone of the possible hash values. The probability of
it being a specific value yp is 1/│Y│.
10. Pre-image resistance
• Knowing hash value y1 can we find message x1?
• Make q queries to oracle
• oracle returns y1 as hash value to any one of these
queries ineffective hashing function
• (1- 1/│Y│)q P(failure to return y1 in q successive queries)
• P of success is 1 - (1- 1/│Y│)q
• Probability value, its approximation, & variation with
relative values of q discussed earlier
• q << │Y│ P of success = q/│Y│
• a reasonable chance of success q ~│Y│
11. • hashing schemes -- SHA-1 & RIPEMD160 --
use 160-bit hash values
• No. of trials for success ~ 2160 too high to
be computationally feasible
• A ‘pre-image resistant’ hashing function
12. Second Pre-Image Resistance
• With message x1 we get hash value y1 – given hashing
function f
• Can we identify x2 different from x1 with hash value y1 ?
• Yes fingerprint not ‘unique’ to x1
• P of success = 1 - (1- 1/│Y│)q-1
• q << │Y│ P of success (q-1)/│Y│
• a ‘second pre-image resistant’ hashing function
• also known as a ‘weak collision resistant’ hashing
function.
• A hashing function with three properties
• ease of computation, pre-image resistant, & second
pre-image resistant ‘one-way hash function’.
13. • Carefully selected hashing function satisfies
• Easy realisability, pre-image resistance, second pre-
image resistance, & collision resistance
• An attacker may still identify & exploit weakness in
function
• Important criteria for prevention:
• Hash value for any message should be a random bit
sequence exhibit correlation immunity
• Change in one message bit should affect as many bits
in hash value as possible
• Ideally all output bits should be affected
• ‘avalanche’ effect
• If hashing function does not exhibit avalanche effect,
specific bit positions in message affect only a limited
number of bit positions in hash value
• Can be exploited as a weakness by an attacker
14. • Iterated hashing scheme specifies
• Initial hash value (an initial vector) h0 &
• hashing function
• length of h0 same as final hash value
• output of hashing with first message block M0 h1
• h1 a bit sequence of length h0 itself
• h1 appended to the next message block M1
• The set hashed again
• . . .
• Repeat until all preprocessed message blocks are hashed
• Scheme block diagram Figure
• Merkle and Damgard
• a compression function is collision resistant
• iterative function using it is also collision resistant
• justification for iterative hashing using a suitably
selected hashing function
15. Hashing Schemes
• MD5 –upgrade of predecessor MD4
• in wide use over past few years
• Now vulnerable given way to SHA-1 &RIPEMD-160
• Both are its enhancements
• Both in wide use today
• likely to be in use for next few years
• The respective standards also specify scaled up
versions
• Users expected to migrate to scaled up versions As
enhanced computing power & analysis techniques
make them vulnerable to attacks
16. pre-processing stage
• Identical for both
• message length block of i bits with 0 i < 264
• Message segmented into blocks of 512 bits each
• total number of blocks N
• Procedure
• To message of i bits append a 1-bit
• Follow it by k zero bits such that i + 1 + k ≡ 448 (mod 512)
• k smallest number of zeros possible
• Represent i as a 64-bit binary number
• Append it to the i + 1 + k set of bits
• padded message 512N bits long
• N total number of message blocks
17. SHA – 1
• SHA-1 (Acronym for ‘Secure Hashing Algorithm’)
• A NIST approved hashing algorithm
• Generates a hash of 160 bits
• message block is a pre-processed
• Then hashing processing stage An iterative process
• Hashing starts with 160-bit seed as hash value
• A sequence of non-linear operations carried out on first
message block of 512 bits
• Sequence cyclically repeated 80 times
• A 160-bit hash value generated
• Use this as seed & repeat cyclic sequence for second
message block of 512 bits
18. • Continue & hash all N message blocks 160-bit hash value
• The various constants used & steps involved in hashing:
• Initial hash value (‘seed value’) is taken as sequence of five
32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89;
H[2][0] = 0x98badcfe;H[3][0] = 0x10325476;
• H[4][0] = 0xc3d2e1f0;
• A set of constants kt for t values from 0 to 79 is defined
• Used successively in 80 rounds of processing done on each
message block
• kt = 0x5a827999: 0 t 19
• = 0x6ed9eba1: 20 t 39
• = 0x8f1bbcdc: 40 t 59
• = 0xca62c1d6: 60 t 79
19. 4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1],
H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D,
and E as
• A= H[0][t-1]; B = H[1][t-1]; C = H[2][t-1]
• D= H[3][t-1]; E= H[4][t-1]
5. do for 0 t 79
• {
• T = (A << 5) + ft(B, C, D) + E + k[t] + W[t]
• where ft(x, y, z) function defined #above.
• (A << signifies circular left shift of A by five bit
positions. All additions are to be of mod (232) type.
• E = D; D = C; C = (B <<30); B = A; A = T
• }
• (B << 30) signifies circular left shift of B by thirty bit
positions
20. • 6. Compute the next hash value set as
• H[0][t]= A + H[0][t-1]
• H[1][t]= B + H[1][t-1]
• H[2][t]= C + H[2][t-1]
• H[3][t]= D + H[3][t-1]
• H[4][t]= E + H[4][t-1]
• All additions are to be of mod (232) type.
• 7. After completing sequence N times – (with all N
message blocks) form hash value – i.e., the 160-bit
message digest – as
• {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N]}
• Example See text
21. SHA Family
• SHA five sizes specified by NIST
• cyclic scheme SHA-1 with minor differences
• Sizes & all related info. Table
Algorithm Message
size-bits
block size
– bits
word size-
bits
message digest
size-bits
SHA-1 <264 512 32 160
SHA-224 <2^64 512 32 224
SHA-256 <264 512 32 256
SHA-384 <2128 1024 64 384
SHA-512 <2128 1024 64 512
22. RIPEMD-160
• Start hashing with a 160-bit initial hash value (initial vector)
• – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]}
• H[0][0] = 0x67452301; H[1][0] = 0xefcdab89;
• H[2][0] = 0x98badcfe; H[3][0] = 0x10325476;
• H[4][0] = 0xc3d2e1f0;
• values same as for SHA-1
• N message blocks are processed in succession from 1 to N
• Hash values after processing ith block 22
• – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i]
• Hash values after completion of processing with all N blocks
H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N]
• Final hash value 160-bit concatenated value of these
23. • Each message block of 512 bits composed of a
sequence of sixteen words
• put through two 80-cycle operational sequences in
parallel Figure
• ‘left (80-cycle) sequence’ &
• ‘right (80-cycle) sequence’
• 80-cycles arranged as a sequence of five rounds
• Each round a sequence of sixteen cycles
• Each uses one of sixteen words of message block
• Each message word used ten times
• once in each round on left sequence &
• once in each round on right sequence
24. • A pre-defined permutation of words in message
block decides instant of use of each word
• Step-by-step hashing procedure follows
1. {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]}
• message block set of sixteen 32-bit words
• Permute conforming to row-1 in Table
• Form the sequence – {zl[0], zl[1], zl[2], . . . ., zl[15]}
• [for this specific case permutation is not done]
• Use permuted word values and complete sixteen
cycles of operation
• first round for left sequence
25. Index of message word used in the round in the
left sequence
Round 1(t:0 –
15)
0 1 2 3 4 5 6 7 8 9 10 1112 1
3
1415
Round 2(t:16
– 31)
7 4 13 1 10 6 15 3 12 0 9 5 2 1
4
11 8
Round 3(t:32
– 47)
3 10 14 4 9 15 8 1 2 7 0 6 1311 5 12
Round 4(t:48
– 63)
1 9 11 10 0 8 12 4 13 3 7 1514 5 6 2
Round 5(t:64
– 79)
4 0 5 9 7 12 2 10 14 1 3 8 11 6 1513
Permutation details of message words for left sequence
26. 2. {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]}
• message block set of sixteen 32-bit
words
• Permute conforming to row-1 in Table
• Form the sequence – {zr[0], zr[1], zr[2], . . . .,
zr[15]}
• [for this specific case permutation is not done]
• Use permuted word values and complete
sixteen cycles of operation
• first round for right sequence
27. Index of message word used in the round in the
right sequence
Round 1(t:0
– 15)
5 14 7 0 9 2 11 4 13 6 15 8 1 10 3 12
Round 2(t:16
– 31)
6 11 3 7 0 13 5 10 14 15 8 12 4 9 1 2
Round 3(t:32
– 47)
15 5 1 3 7 14 6 9 11 8 12 2 10 0 4 13
Round 4(t:48
– 63)
8 6 4 1 3 11 15 0 5 12 2 13 9 7 1014
Round 5(t:64
– 79)
12 15 10 4 1 5 8 7 6 2 13 14 0 3 9 11
Permutation details of message words for right sequence
28. 3. Permute– {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]} –
conforming to row-2 in ‘Left-Table ’
• Form sequence – {zl[16], zl[17], zl[18], . . . ., zl[31]}
• Use permuted word values & complete 16 cycles of
operation of second round for left sequence
4. Permute– {M[0][ i], M[1][ i], M[2][ i], . . M[15][ i]} –
conforming to row-2 in ‘Right-Table ’
• Form sequence – {zr[16], zr[17], zr[18], . . . ., zr[31]}
• Use permuted word values & complete 16 cycles of
operation of second round for left sequence
5. Proceed as above & complete rounds 3, 4, & 5
• use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables
29. • Operational sequence of eighty cycles completed
• Left word set {Al, Bl, Cl, Dl, El}
• Right word set {Ar, Br, Cr, Dr, Er}
• Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],&
H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1],
H[3][i+1],& H[4][i+1]}
• Use following algebra
• H[0][i+1]= H[1][i]+ Cl + Dr
• H[1][i+1]= H[2][i]+ Dl + Er
• H[2][i+1]= H[3][i]+ El + Ar
• H[3][i+1] = H[4][i]+ Al + Br
• H[4][i+1] = H[0][i] + Bl,+ Cr
30. • Assign values afresh
• Al =H[0][i], Bl =H[1][i], Cl =H[2][i] , Dl =H[3][i] , El =H[4][i ]
• Ar =H[0][i], Br =H[1][i], Cr =H[2][i] , Dr =H[3][i] , Er =H[4][i ]
• T 80-cycle operation :
• do for 0 t 79
• {
• T = ((Al + ft(Bl, Cl, Dl) + zl[t] + El ) >> rl[t])+ kl [t]
• where
• ft(x, y, z) function for left sequence defined in Table
• (>> rl[t]) signifies circular right shift by rl[t] bit positions as
in Table
31. Cycles in left
sequence
Function used
– name
Function
description
Cycles in
right
sequence
0 t 15 f1(x, y, z) x y z 64 t 79
16 t 31 f2(x, y, z) (x y) (~ x
z)
48 t 63
32 t 47 f3(x, y, z) (x ~y) z) 32 t 47
48 t 63 f4(x, y, z) (x z) (y
~z)
16 t 31
64 t 79 f5(x, y, z) x (y ~z) 0 t 15
Functions used in the different cycles
32. rl[t]: Number of bits by which the specified word is to be
circularly shifted right
Round 1(t:0
– 15)
11 14 15 12 5 8 7 9 11 13 14 15 6 7 9 8
Round 2(t:16
– 31)
7 6 8 13 11 9 7 15 7 12 15 9 11 7 13 12
Round 3(t:32
– 47)
11 13 6 7 14 9 13 15 14 8 13 6 5 12 7 5
Round 4(t:48
– 63)
11 12 14 15 14 15 9 8 9 14 5 6 8 6 5 12
Round 5(t:64
– 79)
9 15 5 11 6 8 13 12 5 12 13 14 11 8 5 6
Details of circular shift for the function in the left sequence
33. kl [t] values are as specified in Table
All additions to be of mod (232) type
Al = El ; El = Dl ; Dl = (Cl >>10); Cl = Bl; Bl = Tl
>>10signifies circular right shift by ten bit positions
Cycle Left sequence – kl[t] Right sequence– kr[t]
0 t 15 0 50a28be6
16 t 31 5a827999 5c4dd124
32 t 47 6ed9eba1 6d703ef3
48 t 63 8f1bbcdc 7a6d76e9
64 t 79 a953fd4e 0
Additive constants used in different rounds -- Values given
are in hex form
34. • T = ((Ar + ft(Br, Cr, Dl) + zr[t] + Er ) >> rr[t])+ kr [t]
• where
• ft(x, y, z) is the function for right sequence defined in
Table
• (>> rr[t]) signifies circular right shift by rr[t] bit
positions as specified in Table
• kr [t] values are as specified in Table
• All additions are to be of mod (232) type
• Ar = Er ; Er = Dr ; Dr = (Cr >>10) ;Cr = Br ; Br = T
• >>10signifies circular right shift by ten bit positions
• }
• Final hashed output formed after processing all N
message blocks
• {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N]}.
35. rr[t]: Number of bits by which the specified word
is to be circularly shifted right
Round 1(t:0
– 15)
8 9 9 11 13 15 15 5 7 7 8 11 14 14 12 6
Round
2(t:16 – 31)
9 13 15 7 12 8 9 11 7 7 12 7 6 15 1311
Round
3(t:32 – 47)
9 7 15 11 8 6 6 14 12 13 5 14 13 13 7 5
Round
4(t:48 – 63)
15 5 8 11 14 14 6 14 6 9 12 9 12 5 15 8
Round
5(t:64 – 79)
8 5 12 9 12 5 14 6 8 13 6 5 15 13 1 11
Details of circular shift for function in right sequence
36. Observations
• Modular algebra based hashing schemes
• → prone to easy attacks → no longer in use
• SHA-1 & RIPEMD-160 of comparable security level
• Initial 160-bit hash value is same for SHA-1 & RIPEMD-
160.
• b0 at left end in SHA-1 & at right end in RIPEMD-160
• We use b0 at left end
• All constants, tabular entries & associated
descriptions changed accordingly
• Other hashing schemes like MD5 in vogue until recently
• Now all of them considered vulnerable
• Not recommended for newer applications
37. • SHA-1 selects a set of previous words in schedule
• → sums up & forms message schedule
• → difficult to restrict effect of change in message to
a ‘local area’ of hash value
• → avalanche effect an additional deterrent to
attacks
• Both SHA-1 & RIPEMD-160 closely follow structure of
MD5
• Dual sequence scheme in RIPEMD-160 adds to
collision resistance
• Permutation in RIPEMD-160 → two words which are
close in one round are farther apart in the next
• constants used in different rounds in both SHA-1 &
RIPEMD-160 are 32-bit approximations of irrational
numbers derived from simple integers → Table ↓
38. • Similar disparity present between left & right sides in
each round
• → Adds to the strength of scheme
• CRC check ~ hash value
• CRC value binary number to identify error --
within a specific limit -- data stream
• CRC check not satisfied data stream definitely in
error
• CRC check satisfied data stream taken as being
received correctly
•
39. • number of errors > CRC limit but CRC check
satisfied
• distinct possibility (though remote) exists.
• data stream erroneously taken as correct
• One can always find a second message having
same CRC check value as original one!
• Add selected bit streams to message for this
• Hashing function second pre-image resistant
• Identifying a second data stream for given hash
value is difficult
• This adds substantially to authenticity of hashing
40. Applications of hashing functions
• Combine hashing, public key cryptography, & private key
cryptography various application possibilities
• Scheme in Figure
• Alice conveys confidential message to Bob
• Alice uses kub – public key of Bob – to encrypt message
• Encrypted message sent to Bob
• Bob uses his private key – krb – to decrypt & recover
message
• Public key cryptography costly
• slows down communication rate conspicuously
• used essentially to share private key (Alice selects it
and sends it to Bob)
41. • Scheme in Figure
• Alice uses her private key – kra, encrypts message, &
sends Bob
• Bob ( & others ) in the know of public key of Alice – kua –
can decrypt and retrieve message
• Since private key of Alice – kra – is known only to Alice
• Bob & others sure of source – that it is Alice
• Scheme establishes authenticity of message & message
source
• Alice telling Bob (& others who know kua) ‘I am the
author of the message, take it from me’
• Analogous to Alice posting signed document to Bob &
others
• digital signature by Alice
42. • Scheme prevents Alice disowning message
later
• She has already ‘signed’ it
• This meets need of ‘non-repudiation’ by Alice
• Public key cryptography slow & costly
• Scheme becomes less attractive as
message length increases
• Direct applicability of scheme for digital
signing is of limited scope
• However it forms basis of digital signature
schemes
43. • Combine hashing & cryptography
• Scope of schemes widens
• A number of other application possibilities
• Hashing provides message authenticity
• Alice prepares hash value
• Encrypts with key – k (private or public)
• Appends encrypted hash value to message,
• Sends the pair to Figure
44. • Bob decodes encrypted version of hash value
& recovers hash value proper
• Knowing hashing scheme he generates hash
value locally
• Compares two hash values
• Two tally Bob sure of source
authenticity & message authenticity
• Scheme does not offer confidentiality
• If confidentiality is called for,
• Interpose another level of encryption /
decryption with a second key
45. MAC
• Business a store services established customers
• Accept on-line orders & executes
• Process:
• Use D-H key exchange scheme & share a key
• One key per customer ‘customer registered’
• Customer prepares order list, hashes, & encrypts hash
• The pair sent to store
• Store decrypts & recovers hash value
• Verifies by local generation & comparison
• Integrity of order & authenticity of customer
confirmed
• Scope of Message Authentication Codes (MACs)
46. • MAC → hashing scheme with a key incorporated
• Attach a key to message
• Hash concatenated combination {kM}
• Eve can corrupt hash value & mislead receiver (Bob)
• → uses an additional message – Me & carries out one
more cycle of hashing
• he = h(h(kM) Me) where h(M) is hash value of M
• Eve sends he to Bob
• Eve can do this even without knowing – k – used by Alice
• Alternative - append key to message as {Mk} & hash
combination → encrypting hash value at final iteration
• Scheme still remains susceptible
• Safer approach → compute key-based hash as in HMAC ↓
47. HMAC
• Hash based Message Authentication Code(HMAC)
• Specified by NIST as FIPS PUB198
• HMAC(K, m) = H((K opad) H ((K ipad ) m))
• K – secret key – (padded with zeros to right to make it B
bytes (say 512 bits) long
• m – text message
• ipad – an inner padding– 0x3636. . 36–repeated B times
• - XOR operation
• - Concatenation operation
• opad– outer padding – 0x5c5c. . . 5c – repeated B times
• H –hashing scheme used – typically SHA-1
• HMAC is shown schematically in Figure ↓
48. • Observations:
• (K opad) flips half of the bits in key K
• (K ipad ) flips another selected lot of half the bits in key
• These together → pseudo-random generation of two keys
from K
• Cryptographic strength of HMAC decided by three factors
– Cryptographic strength of underlying hashing scheme
– Size and quality of key
– Size of hash output
• alternatives– like H (K m), H (m K), H (K m K) →
vulnerabilities investigated in detail
• Above scheme held as acceptable
• (K opad) & (K ipad ) values do not change with the text
document
• pre-compute & store these once key K is selected
• Use along with message & speed up HMAC generation
49. Block Cipher-Based MAC
• A possible MAC use private key cryptography
iteratively & generate a MAC value
• Scheme using DES is a NIST standard but not in use any
longer
• Other private key cryptography (like AES) can be used for
necessary security
• Split message → succession of blocks M1, M2, . . , & MN
• Add padding if necessary → aall blocks of same size
• With zero as initial vector encrypt M1 & generate hash
value H1
• Iteratively encrypt M2, . . , & MN → get HN → MAC value
• scheme is conspicuously slower than HMAC
50. Digital SignatureAlgorithm(DSA)
• ElGamel → signature length ~ 2log2p bits
• Security demands underlying DLP to be computationally
infeasible → No. of bits in p > 1000
• signature will be twice in length
• DSA → ingenious & simplified version of ElGamel
scheme FIPS standard
• DSA signature -- much smaller in length
• Well suited for implementations in limited sized schemes
• Domain still remains ℤp
• q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders
less than p – selected
51. • Digital signature (DS) satisfies a set of basic needs:
• DS to be identified with Alice who signs it
• encryption operation private to Alice.
• Verifiable by Bob / third party (if challenged)
• result of verification process ‘yes’ or ‘no’ answer
• Verification to be done using public key
• DS to be implemented using public key
cryptosystem
• Alice signs document – x – using her private key kra
• generates digital signature
• She sends DS to Bob
• Bob uses public key – kua – of Alice & decrypts
received digital signature
• Verification that ‘it is Alice’s DS’
52. • Similar decryption & verification possible by third party
• roles of key-pair reversed in contrast to those in
cryptography
• Implicitly assumption ‘document’ is of restricted size
– typically 160 bits long
• Documents to be signed much longer in practice
• Adapt public key cryptography scheme for DS
• Suitably tie document to signing & verification
• Attacker should not be able to forge signature
• Neither Bob nor any other party can tamper with it
• Encryption process automatically takes care of this
requirement
• Only Alice knows private key & without knowledge of
that, such encryption cannot be carried out
53. • Signed cheque used only once & no reuse!
• DS a similar need
• Incorporate time & date of signing or other
previously agreed nonces in message prior to
signing for DS
• need to make document tamper proof & secure
along with DS
• Alice encrypts {document: DS} Figure
• Bob decrypts -- received encrypted message cum
signature – twice
• First to recover document & digital signature.
• Second to decrypt DS with public key of Alice
• Follow by verification process
54. • tamper-proofing two possible approaches
• Alice generates DS, append to document, &
encrypt the pair before sending to Bob
• Alternately Alice can encrypt message & send it
along with DS to Bob
• Her Eve can play ‘spoil sport’ once again
• If she gets access to document she can remove
Alice’s DS & replace it with her DS
• Bob believes that document originated from Eve
• scheme is not recommended for use
55. • Documents to be signed too long for DS
• Use SHA-1 /RIPEMD-128 & Hash document
• do DS on hash
• Ensure security of hashing
• Using hash as token representing document
• Considered secure for signing purposes
• Adapt public key cryptosystems – RSA / ElGamel
scheme
56. RSA digital signature scheme
• Alice uses her private key & signs
• Her public key–known to Bob & others–is used to verify DS
• Formally :
• Alice selects primes p & q: Computes product N = pq
• Selects verification exponent v such that gcd(v, (p-1)(q-1))
= 1
• Publishes N & v
• Signing:
• Alice computes exponent s such that sv ≡ 1 (mod (p-1)(q-1))
• v ≡ s-1(mod (p-1)(q-1))
57. • Using SHA-1 she computes hash value – H – of
document --
• She signs document by computing S ≡ Hs (mod N) &
• Sends pair {document, S} to Bob (/ others)
• Verification:
• Bob (/ others) uses same hashing function as Alice
• Computes hash value – H – of document
• Using received value of S, he computes Sv (mod N)
• verification is successful if H = H’,
• proof already dealt with
58. • Example
• hash value of message to be signed – H = 1000
• Alice selects p = 257 & q = 233
• pq = 59881 & (p-1)(q-1) = 59392
• Alice selects private key kr = 1957
• ku ≡ kr
-1(mod 59392) ≡ 57389 (mod 59392)
• DS 10001957≡ 29967(mod 59392)
• Verification:
• 2996757389 ≡ 1000(mod 59392)
59. • Observations:
• Eve can send any bit combination to Bob
• Bob takes extracted version as ‘message’
• This prevented at Alice’s end by ensuring that
only meaningful messages (with enough
redundancy built in) are sent
• The scheme can be used equally effectively
with other hashing functions like RIPEMD-160
60. ElGamel DS scheme
• Scheme differs from corresponding public key
cryptosystem
• Alice selects prime number p & g as its primitive element
• Alice also selects a ℤp as private key & computes
• b ≡ ga(mod p)
• Set {p, g, b} forms public key of Alice & a is her private key
• Alice selects a random number – k (ephemeral key) – and
computes k-1 (mod p)
• She computes c ≡ gk (mod p)
• H – hash value of document to be signed using SHA-1
61. • Example : hash value of message H = 199
• Alice selects p = 233 & primitive element g ≡ 3 (mod p)
• Alice chooses private key a ≡ 187
• Signing:
• b ≡ ga(mod p) ≡ 77
• Let k ≡ 211 ephemeral key selected by her
• Apply extended Euclidean algorithm
• 211 × 11 – 232 × 10 = 1 211-1 ≡ 11 (mod 232)
• c ≡ 3211 (mod 233) ≡ 94(mod 233)
• d ≡ (199 – 187 × 94)11 (mod 232) ≡ 231(mod 233)
• signature is {94, 231}
• Verification: 7794 ≡ 219(mod 233) & 94231≡ 176(mod 233)
• 219176 ≡ 99(mod 233) & 3199 ≡ 99 (mod 233) → verified
62. Digital SignatureAlgorithm(DSA)
• ElGamel → signature length ~ 2log2p bits
• Security demands underlying DLP to be computationally
infeasible → No. of bits in p > 1000
• signature will be twice in length
• DSA → ingenious & simplified version of ElGamel
scheme FIPS standard
• DSA signature -- much smaller in length
• Well suited for implementations in limited sized schemes
• Domain still remains ℤp
• q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders
less than p – selected
63. • Computations done in sub-group ℤq
• g1 with order q in ℤp is used
• signature generation & verification procedure:
• Signing:
• Choose primes p & q such that ql =p-1 where l is an integer
• G → a primitive element of ℤp
• gql ≡ 1 (mod p) gl has order q in ℤp
• Let g1 = gl
• with a p of 1024 bits, q is selected to be of 160 bits
• in line with need to generate signature with a 160-bit
hash value (obtained using SHA-1 or RIPEMD-160)
representing document to be signed.
• Select private key – a ℤq – and compute
64. • Example: p =239 with g = 7 as primitive element in ℤp
• With 119 2 = 238 → q =119 →
• g1 ≡ 49 primitive element in ℤq
• Signing:
• a = 87 ℤq → private key of Alice
• b ≡ 4987 (mod 239) ≡ 144 (mod 239)
• ephemeral key k = 101 ℤq
• Apply extended Euclidean algorithm
• 101 33 – 119 28 =1 → 101-1 ≡ 33 (mod 119)
• c ≡ (49101 (mod 239))(mod 119) ≡ 88
• Let H = 99
• d ≡ (99 + 87 88) 33 (mod 119) ≡ 65 (mod 119)
• signature is {88, 65}
66. • Observations:
• In above Example q & p same order
• In practice order of q much smaller thanthat of p
• (p -- 1024 bits or more ↔ q 160-bit)
• Signing & verification procedures
• DSA scheme closely follows ElGamel DS scheme
• Computations in DSA scheme in a small sub-group of
ℤp
• level of security provided - practically on par with that
of ElGamel scheme
• Reason → DL problem as infeasible as in ℤp
• DSA scheme directly extended to ECC
• Available as approved Electronic Curve Digital
Signature Algorithm (ECDSA) standard