HASH FUNCTIONS AND DIGITAL SIGNATURES
Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – MD5 – SHA – HMAC – CMAC – Digital signature and authentication protocols – DSS – ElGamal – Schnorr.
1. CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
UNIT – III
Dr. A. Kathirvel, Professor, Dept of CSE
M N M Jain Engineering College, Chennai
2. Unit - III
HASH FUNCTIONS & DIGITAL SIGNATURES
Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – MD5 – SHA – HMAC – CMAC – Digital signature and authentication protocols – DSS – ElGamal – Schnorr.
3. Message Authentication and Hash Functions
• Authentication Requirements
• Authentication Functions
• Message Authentication Codes
• Hash Functions
• Security of Hash Functions and MACs
4. Authentication Requirements
• Kinds of attacks (threats) in the context of communications across a network
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Repudiation
• Measures to deal with the first two attacks:
– These fall in the realm of message confidentiality and are addressed with encryption
• Measures to deal with items 3 through 6:
– Message authentication
• Measures to deal with item 7:
– Digital signature
5. Authentication Requirements
• Message authentication
– A procedure to verify that messages come from the alleged source and have not been altered
– Message authentication may also verify sequencing and timeliness
• Digital signature
– An authentication technique that also includes measures to counter repudiation by either source or destination
6. Authentication Functions
• Message authentication or digital signature mechanism can be viewed as having two levels
– At the lower level: there must be some sort of function producing an authenticator – a value to be used to authenticate a message
– This lower-level function is used as a primitive in a higher-level authentication protocol
7. Authentication Functions
• Three classes of functions that may be used to produce an authenticator
– Message encryption
• Ciphertext itself serves as authenticator
– Message authentication code (MAC)
• A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator
– Hash function
• A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
8. Message Encryption
• Conventional encryption can serve as authenticator
– Conventional encryption provides authentication as well as confidentiality
– Requires recognizable plaintext or other structure to distinguish between well-formed legitimate plaintext and meaningless random bits
• e.g., ASCII text, an appended checksum, or use of layered protocols
10. Ways of Providing Structure
• Append an error-detecting code (frame check sequence (FCS)) to each message
11. Ways of Providing Structure - 2
• Suppose the whole datagram except the IP header is encrypted.
• If an opponent substituted some arbitrary bit pattern for the encrypted TCP segment, the resulting plaintext would not include a meaningful header
13. Message Authentication Code
• Uses a shared secret key to generate a fixed-size block of data (known as a cryptographic checksum or MAC) that is appended to the message: MAC = C_K(M)
• Assurances:
– Message has not been altered
– Message is from alleged sender
– Message sequence is unaltered (requires internal sequencing)
• Similar to encryption, but the MAC algorithm need not be reversible
16. Why Use MACs?
– i.e., why not just use encryption?
• Cleartext stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executable codes
• Architectural flexibility
• Separation of authentication check from message use
17. Hash Function
• Converts a variable size message M into a fixed size hash code H(M) (sometimes called a message digest)
• Can be used with encryption for authentication
– E(M || H)
– M || E(H)
– M || signed H
– E(M || signed H) gives confidentiality
– M || H(M || K)
– E(M || H(M || K))
21. Message Authentication Codes
• MAC = C_K(M)
• Key length requirements
– Sufficient key length to thwart brute force attack
22. Hash Functions
• h = H(M)
• M is a variable-length message, h is a fixed-length hash value, H is a hash function
• The hash value is appended at the source
• The receiver authenticates the message by recomputing the hash value
• Because the hash function itself is not considered to be secret, some means is required to protect the hash value
23. Hash Function Requirements
1. H can be applied to any size data block
2. H produces fixed-length output
3. H(x) is relatively easy to compute for any given x
4. H is one-way, i.e., given h, it is computationally infeasible to find any x s.t. h = H(x)
5. H is weakly collision resistant: given x, it is computationally infeasible to find any y ≠ x s.t. H(x) = H(y)
6. H is strongly collision resistant: it is computationally infeasible to find any x and y s.t. H(x) = H(y)
24. Hash Function Requirements
• One-way property is essential for authentication
• Weak collision resistance is necessary to prevent forgery
• Strong collision resistance is important for resistance to birthday attack
25. Simple Hash Functions
• Operation of hash functions
– The input is viewed as a sequence of n-bit blocks
– The input is processed one block at a time in an iterative fashion to produce an n-bit hash value
• Simplest hash function: bitwise XOR of every block
– $C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$
• $C_i$ = i-th bit of the hash code, $1 \le i \le n$
• m = number of n-bit blocks in the input
• $b_{ij}$ = i-th bit in j-th block
– Known as longitudinal redundancy check
26. Simple Hash Functions
• Improvement over the simple bitwise XOR
– Initially set the n-bit hash value to zero
– Process each successive n-bit block of data as follows
» Rotate the current hash value to the left by one bit
» XOR the block into the hash value
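The two checksums of slides 25 and 26 written out as an added example (not code from the deck), with n-bit blocks where n is assumed to be a multiple of 8, plus a short demonstration of why neither meets the one-way and collision-resistance requirements of slide 23.

```python
# Added example: the "simple hash functions" of slides 25-26 (bitwise XOR /
# longitudinal redundancy check, and rotate-then-XOR) over n-bit blocks.
# Assumption made here for convenience: n is a multiple of 8.

def _blocks(data: bytes, n: int):
    """Yield the input as a sequence of n-bit blocks (last block zero-padded)."""
    size = n // 8
    for i in range(0, len(data), size):
        chunk = data[i:i + size].ljust(size, b"\x00")
        yield int.from_bytes(chunk, "big")

def lrc_hash(data: bytes, n: int = 16) -> int:
    """Slide 25: C_i = b_i1 XOR b_i2 XOR ... XOR b_im, i.e. XOR of all m blocks."""
    h = 0
    for block in _blocks(data, n):
        h ^= block
    return h

def rotl(x: int, k: int, n: int) -> int:
    """Rotate the n-bit value x left by k bits."""
    mask = (1 << n) - 1
    return ((x << k) | (x >> (n - k))) & mask

def rot_xor_hash(data: bytes, n: int = 16) -> int:
    """Slide 26: hash starts at zero; for each block, rotate the hash left by
    one bit, then XOR the block in.  The rotation makes block order matter."""
    h = 0
    for block in _blocks(data, n):
        h = rotl(h, 1, n) ^ block
    return h

def same_lrc_after_reordering(data: bytes, n: int = 16) -> bool:
    """XOR is commutative, so the LRC does not notice blocks swapped in order."""
    size = n // 8
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    reordered = b"".join(reversed(blocks))
    return reordered != data and lrc_hash(reordered, n) == lrc_hash(data, n)

def steering_block(prefix: bytes, target: int, n: int = 16) -> bytes:
    """Why slide 26's scheme is still not a cryptographic hash: every step is
    invertible, so one appended block moves the hash of prefix||block to any
    chosen target (block = rotl(h(prefix), 1) XOR target).  That defeats the
    one-way and collision-resistance requirements of slide 23.  prefix must be
    block-aligned so the appended bytes form a block of their own."""
    h = rot_xor_hash(prefix, n)
    return (rotl(h, 1, n) ^ target).to_bytes(n // 8, "big")
```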
27. Birthday Attack
• If the adversary can generate $2^{m/2}$ variants of a valid message and an equal number of fraudulent messages
• The two sets are compared to find one message from each set with a common hash value
• The valid message is offered for signature
• The fraudulent message with the same hash value is inserted in its place
• If a 64-bit hash code is used, the level of effort is only on the order of $2^{32}$
• Conclusion: the length of the hash code must be substantial
28. BIRTHDAY ATTACKS
Birthday paradox
In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%.
Finding two people with the same birthday is the same thing as finding a collision for this particular hash function.
29. BIRTHDAY ATTACKS
The probability that all 23 people have different birthdays is
$$\left(1 - \frac{1}{365}\right)\left(1 - \frac{2}{365}\right)\cdots\left(1 - \frac{22}{365}\right) \approx 0.493$$
Therefore, the probability of at least two having the same birthday is $1 - 0.493 = 0.507$.
More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then
$$P(\text{there is a match}) \approx 1 - e^{-r^2/2N}$$
30. BIRTHDAY ATTACKS
Choosing $r^2/2N = \ln 2$, we find that if $r \approx 1.177\sqrt{N}$, then the probability is 50% that at least two people choose the same object.
If there are N possibilities and we have a list of length $\sqrt{N}$, then there is a good chance of a match.
If we want to increase the chance of a match, we can make a list of length a constant times $\sqrt{N}$.
31. BIRTHDAY ATTACKS
(Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits?
(Solution) N = 1000, r = 40
1. Approximation: $1 - e^{-40^2/(2 \cdot 1000)} \approx 0.551$
2. The exact answer: $1 - \left(1 - \frac{1}{1000}\right)\left(1 - \frac{2}{1000}\right)\cdots\left(1 - \frac{39}{1000}\right) \approx 0.546$
32. BIRTHDAY ATTACKS
What is the probability that none of these 40 license plates ends in the same 3 digits as yours?
$$\left(1 - \frac{1}{1000}\right)^{40} \approx 0.961$$
The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches.
33. BIRTHDAY ATTACKS
The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large.
Suppose h is an n-bit hash function. Then there are $N = 2^n$ possible outputs. We have the situation of a list of length $r \approx \sqrt{N}$ "people" with N possible "birthdays," so there is a good chance of having two values with the same hash value.
If the hash function outputs 128-bit values, then the lists have length around $2^{64} \approx 10^{19}$, which is too large, both in time and in memory.
34. BIRTHDAY ATTACKS
Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group chooses the same object as someone from the second group?
$$P(\text{there is a match between two groups}) \approx 1 - e^{-r^2/N}$$
E.g. if we take N = 365 and r = 30, then
$$P(\text{there is a match between two groups}) \approx 1 - e^{-30^2/365} \approx 0.915$$
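The birthday formulas of slides 29 to 34 as runnable code, an added example that is not from the deck; the function names are chosen here, while the formulas and the numbers they reproduce (0.507, 0.551, 0.546, 0.961, 0.915) are the slides'.

```python
# Added example: the birthday-paradox formulas of slides 29-34.
import math

def exact_match_prob(N: int, r: int) -> float:
    """P(at least two of r people choose the same one of N objects), computed
    exactly as 1 - (1 - 1/N)(1 - 2/N)...(1 - (r-1)/N)   (slide 29)."""
    all_different = 1.0
    for i in range(1, r):
        all_different *= 1 - i / N
    return 1 - all_different

def approx_match_prob(N: int, r: int) -> float:
    """Large-N approximation from slide 29: P(match) ≈ 1 - exp(-r^2 / 2N)."""
    return 1 - math.exp(-(r * r) / (2 * N))

def r_for_half(N: float) -> float:
    """Slide 30: set r^2/2N = ln 2, giving r = sqrt(2 ln 2 · N) ≈ 1.177 sqrt(N)."""
    return math.sqrt(2 * math.log(2) * N)

def people_needed(N: int, prob: float) -> int:
    """Smallest r whose exact match probability reaches prob (23 for N = 365)."""
    r = 1
    while exact_match_prob(N, r) < prob:
        r += 1
    return r

def no_match_with_fixed(N: int, r: int) -> float:
    """Slide 32: P(none of r others matches one fixed value) = (1 - 1/N)^r.
    Compare with exact_match_prob: hitting a fixed target is far less likely
    than finding some pair that agrees."""
    return (1 - 1 / N) ** r

def approx_two_group_prob(N: int, r: int) -> float:
    """Slide 34: two groups of r each; P(cross-group match) ≈ 1 - exp(-r^2 / N).
    This is the setting of slide 27 (valid messages vs fraudulent messages)."""
    return 1 - math.exp(-(r * r) / N)

def hash_birthday_list_length(n_bits: int) -> float:
    """Slide 33: an n-bit hash has N = 2^n outputs, so a list of about
    1.177 · 2^(n/2) values gives a 50% chance of a collision."""
    return r_for_half(2.0 ** n_bits)
```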
35. Generating $2^{m/2}$ Variants of Valid Messages
• Insert a number of "space-backspace-space" character pairs between words throughout the document. Variations could then be generated by substituting "space-backspace-space" in selected instances
• Alternatively, simply reword the message but retain the meaning
36. Brute-Force Attack of Hash Functions
• Three desirable properties of hash functions
– One-way: For any given code h, it is computationally infeasible to find x s.t. H(x) = h
– Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x s.t. H(y) = H(x)
– Strong collision resistance: It is computationally infeasible to find any pair (x, y) s.t. H(y) = H(x)
• Brute-force attack on n-bit hash code
– One-way and weak collision require $2^n$ effort
– Strong collision requires $2^{n/2}$ effort
– If strong collision resistance is required (and this is desirable for a general-purpose secure hash code), $2^{n/2}$ determines the strength of hash code against brute-force attack
– Currently, two most popular hash codes, SHA-1 and RIPEMD-160, provide a 160-bit hash code length
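An added experiment (not from the deck) that measures the two brute-force efforts of slide 36 on a deliberately small hash: the first n bits of SHA-256 stand in for an "n-bit hash code", and the candidate-message sequence is constructed so that the run is deterministic.

```python
# Added experiment: the 2^n versus 2^(n/2) efforts of slide 36, measured on a
# truncated hash.  The "n-bit hash code" is the first n bits of SHA-256 (a
# construction for this experiment only, not a recommended hash).
import hashlib

def trunc_hash(msg: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256(msg), as an integer in [0, 2^n_bits)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def _candidate(i: int) -> bytes:
    """Constructed, pairwise distinct candidate messages."""
    return b"candidate-%d" % i

def preimage_search(target: int, n_bits: int, limit: int):
    """One-way / weak-collision brute force: try candidates until one hashes
    to the given target.  Each trial succeeds with probability 2^-n, so the
    expected effort is about 2^n trials.  Returns (message, trials) or
    (None, limit) if it gives up."""
    for i in range(limit):
        m = _candidate(i)
        if trunc_hash(m, n_bits) == target:
            return m, i + 1
    return None, limit

def collision_search(n_bits: int, limit: int):
    """Strong-collision brute force: remember every hash seen and stop at the
    first repeat.  By the birthday bound this needs only about 1.177 * 2^(n/2)
    trials.  Returns (m1, m2, trials) or (None, None, limit)."""
    seen = {}
    for i in range(limit):
        m = _candidate(i)
        h = trunc_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None, None, limit

def run_experiment(n_bits: int = 12) -> dict:
    """Run both searches at the same width.  A limit of 2^(n+6) makes giving
    up negligible: for the preimage, (1 - 2^-n)^(2^(n+6)) ≈ e^-64."""
    limit = 2 ** (n_bits + 6)
    target = trunc_hash(b"constructed target message", n_bits)
    pre_msg, pre_trials = preimage_search(target, n_bits, limit)
    m1, m2, col_trials = collision_search(n_bits, limit)
    return {"preimage": pre_msg, "preimage_trials": pre_trials,
            "collision": (m1, m2), "collision_trials": col_trials}
```

With n = 12 the collision search typically stops after a few dozen candidates, while the preimage search needs on the order of 4096.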
37. MD5
• designed by Ronald Rivest (the R in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash algorithm
– in recent times have both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321
38. MD5 OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
– using 4 rounds of 16 steps each on message block & buffer
– add output to buffer input to form new buffer value
5. output hash value is the final buffer value
40. MD5 COMPRESSION FUNCTION
• each round has 16 steps of the form:
a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
• T[i] is a constant value derived from sin
42. MD4
• precursor to MD5
• also produces a 128-bit hash of message
• has 3 rounds of 16 steps vs 4 in MD5
• design goals:
– collision resistant (hard to find collisions)
– direct security (no dependence on "hard" problems)
– fast, simple, compact
– favours little-endian systems (eg PCs)
43. STRENGTH OF MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is as good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
– Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
– Dobbertin 96 created collisions on MD5 compression function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon
44. SECURE HASH ALGORITHM (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– nb. the algorithm is SHA, the standard is SHS
• produces 160-bit hash values
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
45. SHA OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301, efcdab89, 98badcfe, 10325476, c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing & shifting
– use 4 rounds of 20 steps each on message block & buffer
– add output to input to form new buffer value
5. output hash value is the final buffer value
46. SHA-1 Compression Function
• each round has 20 steps which replace the 5 buffer words thus:
(A,B,C,D,E) <- (E + f(t,B,C,D) + (A<<<5) + W_t + K_t, A, (B<<<30), C, D)
• A,B,C,D,E refer to the 5 words of the buffer; <<<n is a circular left shift by n bits
• t is the step number (0..79)
• f(t,B,C,D) is the nonlinear function for the round
• W_t is derived from the message block (the 80-word expansion)
• K_t is one of four round constants, taken from the square roots of 2, 3, 5 and 10 (5a827999, 6ed9eba1, 8f1bbcdc, ca62c1d6)
48. SHA-1 VERSUS MD5
• brute force attack is harder (160 vs 128 bits for MD5)
• at the time, not vulnerable to any known attacks (compared to MD4/5); both have since been broken for collision resistance (MD5 in 2004, SHA-1 in 2017)
• a little slower than MD5 (80 vs 64 steps)
• both designed as simple and compact
• optimised for big-endian CPUs (vs MD5 which is optimised for little-endian CPUs)
49. REVISED SECURE HASH STANDARD
• NIST has issued a revision, FIPS 180-2 (2002)
• adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
• designed for compatibility with the increased security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
50. Message Authentication
Bob receives a message m from Alice; he wants to know:
(Data origin authentication) whether the message was really sent by Alice;
(Data integrity) whether the message has been modified.
Solutions:
Alice attaches a message authentication code (MAC) to the message.
Or she attaches a digital signature to the message.
51. Message authentication protocol:
1. Alice and Bob share a secret key k.
2. Alice sends (m, MAC_k(m)) to Bob.
3. Bob authenticates the received (m, MAC) by checking if MAC = MAC_k(m).
MAC_k(m) is called a message authentication code.
Security requirement: infeasible to produce a valid pair (x, MAC_k(x)) without knowing the key k, even after seeing valid pairs for other messages (a chosen-message attack).
52. Constructing a MAC from a hash
A common way to construct a MAC is to incorporate a secret key k into a fixed hash function h (e.g. SHA-1).
Insecure:
MAC_k(m) = h_k(m) = h(m) with IV = k
MAC_k(m) = h_k(m) = h(k || m)
53. Why the keyed-IV construction is insecure
[Figure: Merkle–Damgård chaining. m = m1 m2 m3 ... ms; IV → f → f → ... → f → h(m). With the key as IV: k → f → ... → f → h_k(m). One more application of f on the state h_k(m) with an extra block m_{s+1} yields h_k(m || m_{s+1}).]
Insecure: h_k(m) = h(m) with IV = k. (For simplicity, without padding.)
Easy to forge: given one valid pair (m, h_k(m)), anyone can produce (m || m_{s+1}, h_k(m || m_{s+1})), where h_k(m || m_{s+1}) = f(h_k(m), m_{s+1}), without knowing k.
With the real padding the forged message is m || pad || m_{s+1}. This is the length-extension attack, and it applies equally to h(k || m): the key is then simply the first part of the chained input, and the tag is the chaining state after absorbing it.
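The two preceding slide groups (the SHA-1 compression function and the length-extension forgery against h(k || m)) share one worked example here. It is an added example, not code from the original slides: a SHA-1 built from the (A,B,C,D,E) step equation that can be resumed from a known digest, followed by the forgery. The key, message and suffix are constructed sample values; the attacker code only ever sees the message, the tag and the key length.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def sha1_compress(state, block):
    """One 512-bit block: expand 16 words to 80, then 4 rounds of 20 steps of
    (A,B,C,D,E) <- (E + f(t,B,C,D) + (A<<<5) + W_t + K_t, A, B<<<30, C, D)."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        W.append(_rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    A, B, C, D, E = state
    for t in range(80):
        if t < 20:
            f, K = (B & C) | (~B & D), 0x5A827999
        elif t < 40:
            f, K = B ^ C ^ D, 0x6ED9EBA1
        elif t < 60:
            f, K = (B & C) | (B & D) | (C & D), 0x8F1BBCDC
        else:
            f, K = B ^ C ^ D, 0xCA62C1D6
        T = (E + (f & MASK) + _rotl(A, 5) + W[t] + K) & MASK
        A, B, C, D, E = T, A, _rotl(B, 30), C, D
    return tuple((s + v) & MASK for s, v in zip(state, (A, B, C, D, E)))


def sha1_padding(total_len: int) -> bytes:
    """Padding for a message of total_len bytes: 0x80, zeros to 448 mod 512, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", (8 * total_len) & 0xFFFFFFFFFFFFFFFF)


def sha1(data: bytes, state=IV, prefix_len: int = 0) -> bytes:
    """SHA-1 of data. `state` and `prefix_len` let the computation resume from a known digest,
    as if prefix_len bytes (a multiple of 64) had already been absorbed."""
    padded = data + sha1_padding(prefix_len + len(data))
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


def insecure_mac(key: bytes, msg: bytes) -> bytes:
    """The slide's MAC_k(m) = h(k || m): the key is just the start of the chained input."""
    return sha1(key + msg)


def length_extension_forgery(msg: bytes, tag: bytes, key_len: int, suffix: bytes):
    """Given (msg, h(key || msg)) and only the key LENGTH, produce a valid tag for
    key || msg || glue || suffix, where glue is the padding SHA-1 applied to key || msg."""
    glue = sha1_padding(key_len + len(msg))
    state = struct.unpack(">5I", tag)            # the digest IS the chaining state
    forged_tag = sha1(suffix, state=state, prefix_len=key_len + len(msg) + len(glue))
    return msg + glue + suffix, forged_tag


if __name__ == "__main__":
    key = b"constructed-secret-key"               # constructed sample; never seen by the attacker
    msg = b"amount=10&to=bob"
    tag = insecure_mac(key, msg)
    forged_msg, forged_tag = length_extension_forgery(msg, tag, len(key), b"&amount=9999")
    print(insecure_mac(key, forged_msg) == forged_tag)   # True: the forged tag verifies
```

The forged message contains the glue padding bytes in the middle; whether that matters depends on how the receiver parses the message, and many key=value parsers simply ignore them.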
54. HMAC (Hash-based MAC)
A FIPS standard (FIPS 198, also RFC 2104) for constructing a MAC from a hash function h. Conceptually,
HMAC_k(m) = h_{k1}(h_{k2}(m))
where k1 and k2 are two keys generated from k.
Various hash functions (e.g., SHA-1, MD5) may be used for h.
If we use SHA-1, then HMAC is as follows:
HMAC_k(m) = SHA-1((k ⊕ opad) || SHA-1((k ⊕ ipad) || m))
where
k is padded with 0's to 512 bits (a key longer than 512 bits is first hashed down),
ipad = 3636...36 (0x36 repeated 64 times),
opad = 5c5c...5c (0x5c repeated 64 times).
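HMAC-SHA1 written out from the formula on this slide, as an added example (not code from the original slides). It uses the standard library's hashlib for SHA-1, handles the key-length rule from RFC 2104, and checks itself against Python's hmac module; the constant-time compare in the verifier is the detail practitioners most often get wrong.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 absorbs 512-bit (64-byte) blocks


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_k(m) = SHA-1((k xor opad) || SHA-1((k xor ipad) || m)), per RFC 2104 / FIPS 198."""
    if len(key) > BLOCK_SIZE:                # keys longer than one block are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")     # then zero-padded to 512 bits
    k_ipad = bytes(b ^ 0x36 for b in key)    # k xor (0x36 repeated 64 times)
    k_opad = bytes(b ^ 0x5C for b in key)    # k xor (0x5c repeated 64 times)
    inner = hashlib.sha1(k_ipad + msg).digest()
    return hashlib.sha1(k_opad + inner).digest()


def verify_hmac_sha1(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == returns early at the first differing byte,
    which leaks how much of a guessed tag is right."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest()
```

Because the outer hash runs over the inner digest (a fixed-width value under a second derived key), an attacker who knows HMAC_k(m) cannot resume either hash computation, which is why the length-extension forgery against h(k || m) does not carry over.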
55. CBC-MAC
A FIPS and ISO standard (FIPS 113, ISO/IEC 9797-1). One of the most popular MACs in use.
Use a block cipher in CBC mode with a fixed, public IV.
Called DES CBC-MAC if the block cipher is DES.
Let E_k : {0,1}^n → {0,1}^n be a block cipher under key k.
CBC-MAC(m, k):
m = m_1 m_2 ... m_l, where |m_i| = n.
c_0 = IV (typically 0^n)
for i = 1 to l do
c_i = E_k(c_{i-1} ⊕ m_i)
return(c_l)
Caveat: with a fixed IV this is only secure for messages of a single fixed length. Across variable lengths it is forgeable: from the tag t = CBC-MAC(m_1, k) of a one-block message, the two-block message m_1 || (m_1 ⊕ t) has the same tag t, since E_k(t ⊕ m_1 ⊕ t) = E_k(m_1).
57. CMAC (Cipher-based MAC)
A refined version of CBC-MAC (NIST SP 800-38B). Adopted by NIST for use with AES and 3DES.
Use two keys: k and k_1 (assuming |m| is a multiple of n; a second subkey k_2 is used instead when the final block must be padded).
Let E_k : {0,1}^n → {0,1}^n be a block cipher under key k.
CMAC(m, k, k_1):
m = m_1 m_2 ... m_l, where |m_i| = n.
c_0 = IV (typically 0^n)
for i = 1 to l-1 do
c_i = E_k(c_{i-1} ⊕ m_i)
c_l = E_k(c_{l-1} ⊕ m_l ⊕ k_1)
return(c_l)
In SP 800-38B the subkeys are not independent: k_1 and k_2 are derived from L = E_k(0^n) by doubling in GF(2^n), so only k is stored. Masking the final block with k_1 is what defeats the variable-length forgery against plain CBC-MAC.
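CBC-MAC and CMAC side by side, with the variable-length forgery that breaks the former and not the latter. This is an added example, not code from the original slides. One assumption to be explicit about: the block cipher E_k is stood in for by a keyed PRF built from SHA-256 so the example runs on the standard library alone; neither MAC ever calls the cipher's inverse, so the structure and the forgery are exactly those of the slides, but real code should use AES. The key and message are constructed sample values.

```python
import hashlib

N = 16  # block size in bytes (n = 128 bits, as for AES)


def E(k: bytes, x: bytes) -> bytes:
    """Stand-in for E_k (assumption): a keyed PRF from SHA-256, truncated to one block.
    Not a real block cipher; used only because CBC-MAC/CMAC never need decryption."""
    return hashlib.sha256(k + x).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(m: bytes):
    if len(m) == 0 or len(m) % N:
        raise ValueError("message must be a non-empty multiple of the block size")
    return [m[i:i + N] for i in range(0, len(m), N)]


def cbc_mac(k: bytes, m: bytes) -> bytes:
    """c_0 = 0^n; c_i = E_k(c_{i-1} xor m_i); tag = c_l."""
    c = bytes(N)
    for blk in _blocks(m):
        c = E(k, xor(c, blk))
    return c


def cbc_mac_forgery(m1: bytes, t1: bytes) -> bytes:
    """If t1 = CBC-MAC_k(m1) for a one-block m1, then CBC-MAC_k(m1 || (m1 xor t1))
    = E_k(t1 xor m1 xor t1) = E_k(m1) = t1. No key needed."""
    return m1 + xor(m1, t1)


def cmac_subkey(k: bytes) -> bytes:
    """k_1 as in NIST SP 800-38B: L = E_k(0^n); k_1 = L << 1, with 0x87 xored into the
    low byte when the top bit of L was set (doubling in GF(2^128))."""
    L = int.from_bytes(E(k, bytes(N)), "big")
    k1 = (L << 1) & ((1 << (8 * N)) - 1)
    if L >> (8 * N - 1):
        k1 ^= 0x87
    return k1.to_bytes(N, "big")


def cmac(k: bytes, m: bytes) -> bytes:
    """Same chain as CBC-MAC, but the final block is also masked with k_1 (|m| a multiple of n)."""
    k1 = cmac_subkey(k)
    blocks = _blocks(m)
    c = bytes(N)
    for blk in blocks[:-1]:
        c = E(k, xor(c, blk))
    return E(k, xor(xor(c, blocks[-1]), k1))


if __name__ == "__main__":
    key = b"constructed-16B-"                  # constructed sample key, 16 bytes
    m1 = b"transfer 100 USD"                   # exactly one 16-byte block
    t1 = cbc_mac(key, m1)
    forged = cbc_mac_forgery(m1, t1)
    print(cbc_mac(key, forged) == t1)          # True: plain CBC-MAC accepts the forgery
    print(cmac(key, m1 + xor(m1, cmac(key, m1))) == cmac(key, m1))  # False: CMAC rejects it
```

The forgery works because the tag of the first block is fed straight back as the chaining value; CMAC's k_1 mask on the last block breaks that identity, since the attacker does not know k_1.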
58. Digital Signatures
RSA can be used for digital signatures.
A digital signature is the same as a MAC except that the tag (signature) is produced using a public-key cryptosystem.
Digital signatures are used to provide message authentication and non-repudiation.
MAC: Message m || MAC_k(m)
Digital signature: Message m || Sig_pr(m)
59. Digital signature protocol:
1. Bob has a key pair (pr, pu).
2. Bob sends (m, Sig_pr(m)) to Alice.
3. Alice verifies the received (m, s) by checking if Verify_pu(m, s) holds.
Sig_pr(m) is called a signature for m.
Security requirement: infeasible to forge a valid pair (m, Sig_pr(m)) without knowing pr.
60. [Figure: two block diagrams]
Encryption (using RSA): Alice applies E under PU_Bob to M and sends C; Bob applies D under PR_Bob to C and recovers M.
Digital signature (using RSA^{-1}): Bob applies D under PR_Bob to M to produce the signature S (Sign); Alice applies E under PU_Bob to S and checks E(S) = M? (Verify).
61. RSA Signature
Keys are generated as for RSA encryption:
Public key: PU = (n, e). Private key: PR = (n, d).
Signing a message m ∈ Z_n*: D(m) = m^d mod n. That is, RSA^{-1}(m).
Verifying a signature (m, s): check if E(s) = s^e mod n = m, or RSA(s) = m.
Only the key's owner can sign, but anybody can verify.
62. Security of RSA Signature
Encryption (using Bob's public key): RSA(m) = m^e mod n. Signing (using Bob's private key): RSA^{-1}(m) = m^d mod n.
Existential forgeries:
1. Every message m ∈ Z_n* is a valid signature for its ciphertext c = RSA(m): pick any m, compute c = m^e mod n; then (c, m) verifies, because RSA(m) = c.
2. If Bob signed m_1 and m_2, then the signature for m_1 m_2 can be easily forged: Sig(m_1 m_2) = Sig(m_1) · Sig(m_2) mod n.
Countermeasure: hash and sign: Sign_PR(h(m)), using some collision resistant hash function h.
63. Question: Does hash-then-sign make RSA signature secure against chosen-message attacks?
Answer: Yes, if h is a full-domain random oracle, i.e., h is a random oracle mapping {0,1}* → Z_n (Z_n is the full domain of RSA).
64. Problem with full-domain hash:
In practice, h is not full-domain. For instance, the range of SHA-1 is {0,1}^160, while Z_n = {0, 1, ..., n-1}, with |n| = 1024.
Desired: a secure signature scheme that does not require a full-domain hash.
65. Probabilistic signature scheme (PSS)
Hash function h : {0,1}* → {0,1}^l (not full domain). l < N = |n|. (E.g., SHA-1, l = 160; RSA, N = 1024.)
Idea:
(m, r) → hash → w = h(m || r) ∈ {0,1}^l
w → expand → y = 0 || w || (G(w) ⊕ (r || 0^{N-l-k-1})) ∈ {0,1}^N
y → sign → RSA^{-1}(y) ∈ Z_n
where r ∈ {0,1}^k is a random salt and G : {0,1}^l → {0,1}^{N-l-1} is a pseudorandom generator.
66. Signing a message m ∈ {0,1}*:
1. choose a random r ∈ {0,1}^k; compute w = h(m || r);
2. compute y = 0 || w || (G_1(w) ⊕ r) || G_2(w), where G(w) = G_1(w) || G_2(w), |G_1(w)| = k and |G_2(w)| = N - l - k - 1;
3. The signature is RSA^{-1}(y).
Verifying a signature s on m: compute y = RSA(s) = s^e mod n, check that its leading bit is 0, parse y as 0 || w || u || v, recover r = u ⊕ G_1(w), and accept iff w = h(m || r) and v = G_2(w).
67. Remarks
PSS is secure against chosen-message attacks in the random oracle model (i.e., if h and G are random oracles).
PSS is adopted in PKCS #1 v2.1.
Hash functions such as SHA-1 are used for h and G. For instance,
let N = 1024, and l = k = 160
let h = SHA-1
G = (G_1, G_2); G(w) = h(w || 0) || h(w || 1) || h(w || 2) || ..., truncated to N - l - 1 bits
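One worked example serves the Security of RSA Signature slide and the PSS slides together: the two existential forgeries against textbook RSA, the hash-then-sign countermeasure, and PSS encoding/verification as specified above (h = SHA-1, G built from h in counter mode, l = k = 160). This is an added example, not code from the original slides. The RSA key generation (Miller–Rabin) and the 4-byte counter in G are this example's own choices; PKCS #1 PSS differs in layout details and should be used via a library in practice.

```python
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # top bit set, odd
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=1024, e=65537):
    """(pub, priv) = ((n, e), (n, d)), generated as for RSA encryption."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign_raw(m, priv):                 # textbook signing: s = m^d mod n
    return pow(m, priv[1], priv[0])

def rsa_verify_raw(m, s, pub):             # accept iff s^e mod n == m
    return pow(s, pub[1], pub[0]) == m

def forge_existential(pub):
    """Forgery 1: pick any s and let m = s^e mod n; (m, s) verifies without the private key."""
    n, e = pub
    s = secrets.randbelow(n - 2) + 2
    return pow(s, e, n), s

def forge_product(pub, m1, s1, m2, s2):
    """Forgery 2: from signatures on m1 and m2, Sig(m1 m2) = Sig(m1) Sig(m2) mod n."""
    n, _ = pub
    return m1 * m2 % n, s1 * s2 % n

def h(data):                               # h = SHA-1 as an integer, l = 160 (as on the slides)
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def hash_then_sign(msg, priv):             # countermeasure: Sign_PR(h(m))
    return rsa_sign_raw(h(msg), priv)

def hash_then_verify(msg, s, pub):
    return rsa_verify_raw(h(msg), s, pub)

L, K = 160, 160                            # |w| = l bits, |r| = k bits

def G(w, out_bits):
    """G(w) = h(w||0) || h(w||1) || ..., truncated to out_bits (4-byte counter: assumption)."""
    out, counter = b"", 0
    while 8 * len(out) < out_bits:
        out += hashlib.sha1(w.to_bytes(L // 8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (8 * len(out) - out_bits)

def pss_encode(msg, r, N):
    """y = 0 || w || (G_1(w) xor r) || G_2(w): N bits, |G_1| = k, |G_2| = N - l - k - 1."""
    w = h(msg + r.to_bytes(K // 8, "big"))
    g = G(w, N - L - 1)
    g1, g2 = g >> (N - L - K - 1), g & ((1 << (N - L - K - 1)) - 1)
    return (w << (N - L - 1)) | ((g1 ^ r) << (N - L - K - 1)) | g2

def pss_sign(msg, priv):
    n, d = priv
    return pow(pss_encode(msg, secrets.randbits(K), n.bit_length()), d, n)

def pss_verify(msg, s, pub):
    """Undo the encoding: recover w, strip G_1(w) to get r, re-encode and compare."""
    n, e = pub
    N = n.bit_length()
    y = pow(s, e, n)
    if y >> (N - 1):                       # leading bit must be 0
        return False
    w = y >> (N - L - 1)
    g1 = G(w, N - L - 1) >> (N - L - K - 1)
    r = ((y >> (N - L - K - 1)) & ((1 << K) - 1)) ^ g1
    return pss_encode(msg, r, N) == y
```

Because the leading bit of y is forced to 0, y < 2^{N-1} ≤ n, so the encoded value is always a valid RSA input even though h itself is far from full-domain; the salt r makes two signatures on the same message differ.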
68. Digital Signatures
• have looked at message authentication
–but does not address issues of lack of trust
• digital signatures provide the ability to:
–verify author, date & time of signature
–authenticate message contents
–be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
72. Digital Signature Requirements
• must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical to save digital signature in storage
73. Direct Digital Signatures
• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with private-key
• can encrypt using receiver’s public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key
74. ELGAMAL
We will also take a look at the ElGamal public key cipher system for a number of reasons:
• To show that RSA is not the only public key system
• To exhibit a public key system based on a different one way function
• ElGamal is the basis for several well-known cryptographic primitives
75. SETTING UP ELGAMAL
• Let p be a large prime
– By “large” we mean here a prime rather typical in length to that of an RSA modulus
• Select a special number g
– The number g must be a primitive element modulo p.
• Choose a private key x
– This can be any number bigger than 1 and smaller than p-1
• Compute public key y from x, p and g
– The public key y is g raised to the power of the private key x modulo p. In other words:
y = g^x mod p
76. SETTING UP ELGAMAL: EXAMPLE
Step 1: Let p = 23
Step 2: Select a primitive element g = 11
Step 3: Choose a private key x = 6
Step 4: Compute y = 11^6 (mod 23) = 9
Public key is (p, g, y) = (23, 11, 9)
Private key is x = 6
77. ELGAMAL ENCRYPTION
The first job is to represent the plaintext as a series of numbers modulo p. Then:
1. Generate a random number k (fresh for every message)
2. Compute two values C1 and C2, where
C1 = g^k mod p and C2 = M·y^k mod p
3. Send the ciphertext C, which consists of the two separate values C1 and C2.
78. ELGAMAL ENCRYPTION: EXAMPLE
To encrypt M = 10 using public key y = 9
1 - Generate a random number k = 3
2 - Compute C1 = 11^3 mod 23 = 20
C2 = 10 × 9^3 mod 23 = 10 × 16 = 160 mod 23 = 22
3 - Ciphertext C = (20, 22)
79. ELGAMAL DECRYPTION
C1 = g^k mod p, C2 = M·y^k mod p
1 - The receiver begins by using their private key x to transform C1 into something more useful:
C1^x = (g^k)^x mod p
NOTE: C1^x = (g^k)^x = (g^x)^k = y^k mod p
2 - This is a very useful quantity because if you divide C2 by it you get M. In other words:
C2 / y^k = (M·y^k) / y^k = M mod p
(division modulo p means multiplying by the modular inverse of y^k)
80. ELGAMAL DECRYPTION: EXAMPLE
To decrypt C = (20, 22)
1 - Compute 20^6 mod 23 = 16
2 - Compute 22 / 16 mod 23 = 22 × 16^{-1} mod 23 = 22 × 13 mod 23 = 10
3 - Plaintext = 10
81. SECURITY OF ELGAMAL
Recall the two different strategies for trying to “break” RSA:
1. Trying to decrypt a ciphertext without knowledge of the private key
2. Trying to determine the private key
What hard problems do you come across if you try to follow these two different strategies to break ElGamal?
(Strategy 2 is the discrete logarithm problem: recovering x from y = g^x mod p. Strategy 1 is the computational Diffie–Hellman problem: computing the mask y^k = g^{xk} from g^k and g^x alone.)
85. ELGAMAL CRYPTOGRAPHY
• public-key cryptosystem related to D-H
• so uses exponentiation in a finite (Galois) field
• with security based on the difficulty of computing discrete logarithms, as in D-H
• each user (eg. A) generates their key
– chooses a secret key (number): 1 < xA < q-1
– computes their public key: yA = a^xA mod q
86. ELGAMAL MESSAGE EXCHANGE
• Bob encrypts a message to send to A by computing
– represent message M in range 0 <= M <= q-1
• longer messages must be sent as blocks
– choose random integer k with 1 <= k <= q-1
– compute one-time key K = yA^k mod q
– encrypt M as a pair of integers (C1,C2) where
• C1 = a^k mod q ; C2 = KM mod q
• A then recovers message by
– recovering key K as K = C1^xA mod q
– computing M as M = C2 K^{-1} mod q
• a unique k must be used each time
– otherwise result is insecure: two ciphertexts made with the same k share C1 and the same mask K, so C2/C2' = M/M' and knowing one plaintext reveals the other
87. ELGAMAL EXAMPLE
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses xA=5 & computes yA = 10^5 mod 19 = 3
• Bob sends message M=17 as (11,5) by
– choosing random k=6
– computing K = yA^k mod q = 3^6 mod 19 = 7
– computing C1 = a^k mod q = 10^6 mod 19 = 11; C2 = KM mod q = 7·17 mod 19 = 5
• Alice recovers original message by computing:
– recover K = C1^xA mod q = 11^5 mod 19 = 7
– compute inverse K^{-1} = 7^{-1} mod 19 = 11
– recover M = C2 K^{-1} mod q = 5·11 mod 19 = 17
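ElGamal key setup, encryption and decryption as a runnable procedure, covering both worked examples on the slides (p = 23, g = 11 and GF(19), a = 10) and the warning that k must never be reused. This is an added example, not code from the original slides; the modular division in the slides is done with Python's `pow(v, -1, p)` inverse, and the nonce-reuse recovery function is this example's illustration of the "otherwise insecure" bullet.

```python
import secrets


def elgamal_keygen(p: int, g: int, x=None):
    """Private key 1 < x < p-1 (random unless given), public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def elgamal_encrypt(p: int, g: int, y: int, M: int, k=None):
    """C1 = g^k mod p, C2 = M * y^k mod p, with a fresh random k for every message."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), M * pow(y, k, p) % p


def elgamal_decrypt(p: int, x: int, C1: int, C2: int) -> int:
    """y^k = C1^x mod p, then M = C2 / y^k, i.e. C2 times the modular inverse of C1^x."""
    mask = pow(C1, x, p)
    return C2 * pow(mask, -1, p) % p


def recover_with_reused_k(p: int, C2_known: int, M_known: int, C2_target: int) -> int:
    """If two messages were encrypted under the same k they share the mask y^k, so
    C2_target / C2_known = M_target / M_known: one known plaintext exposes the other."""
    return C2_target * M_known * pow(C2_known, -1, p) % p


if __name__ == "__main__":
    x, y = elgamal_keygen(23, 11, 6)                 # slide example: y = 11^6 mod 23 = 9
    C1, C2 = elgamal_encrypt(23, 11, y, 10, 3)       # (20, 22)
    print((C1, C2), elgamal_decrypt(23, x, C1, C2))  # (20, 22) 10
    # nonce reuse: a second message encrypted with the same k = 3
    _, C2_other = elgamal_encrypt(23, 11, y, 7, 3)
    print(recover_with_reused_k(23, C2, 10, C2_other))  # 7, recovered without x
```

The recovery needs no private key at all, which is why "a unique k each time" is a correctness requirement rather than a recommendation.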
88. ElGamal Digital Signatures
• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois) field
– with security based on the difficulty of computing discrete logarithms, as in D-H
• uses the private key for signing (the analogue of encryption)
• uses the public key for verification (the analogue of decryption)
• each user (eg. A) generates their key
– chooses a secret key (number): 1 < xA < q-1
– computes their public key: yA = a^xA mod q
89. ElGamal Digital Signature
• Alice signs a message M to Bob by computing
– the hash m = H(M), 0 <= m <= (q-1)
– choose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1
– compute temporary key: S1 = a^K mod q
– compute K^{-1}, the inverse of K mod (q-1)
– compute the value: S2 = K^{-1}(m - xA·S1) mod (q-1)
– signature is: (S1,S2)
• any user B can verify the signature by computing
– V1 = a^m mod q
– V2 = yA^S1 · S1^S2 mod q
– signature is valid if V1 = V2
(this works because xA·S1 + K·S2 ≡ m (mod q-1), so yA^S1 · S1^S2 = a^{xA·S1 + K·S2} = a^m mod q)
90. ElGamal Signature Example
• use field GF(19) q=19 and a=10
• Alice computes her key:
– A chooses xA=16 & computes yA = 10^16 mod 19 = 4
• Alice signs message with hash m=14 as (3,4):
– choosing random K=5 which has gcd(18,5)=1
– computing S1 = 10^5 mod 19 = 3
– finding K^{-1} mod (q-1) = 5^{-1} mod 18 = 11
– computing S2 = 11(14 - 16·3) mod 18 = 4
• any user B can verify the signature by computing:
– V1 = 10^14 mod 19 = 16
– V2 = 4^3 · 3^4 = 5184 mod 19 = 16
– since 16 = 16 signature is valid
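The ElGamal signing and verification steps above as code, reproducing the GF(19) example (3,4) and also handling a random K. This is an added example, not code from the original slides. The slides leave H open; mapping a message to 0 <= m <= q-1 with SHA-256 reduced mod q is this example's assumption, and the range check on S1 in the verifier is the standard guard that textbook presentations omit.

```python
import hashlib
import math
import secrets


def hash_to_int(M: bytes, q: int) -> int:
    """m = H(M) in 0 <= m <= q-1 (assumption: SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % q


def elgamal_sign(q: int, a: int, xA: int, m: int, K=None):
    """S1 = a^K mod q, S2 = K^{-1}(m - xA*S1) mod (q-1), with K random and gcd(K, q-1) = 1."""
    if K is None:
        while True:
            K = secrets.randbelow(q - 2) + 1
            if math.gcd(K, q - 1) == 1:
                break
    S1 = pow(a, K, q)
    S2 = pow(K, -1, q - 1) * (m - xA * S1) % (q - 1)
    return S1, S2


def elgamal_verify(q: int, a: int, yA: int, m: int, sig) -> bool:
    """Accept iff V1 = a^m equals V2 = yA^S1 * S1^S2 mod q. The range check on S1 rejects
    the trivial forgeries that become possible when S1 >= q is accepted."""
    S1, S2 = sig
    if not (0 < S1 < q and 0 <= S2 < q - 1):
        return False
    V1 = pow(a, m, q)
    V2 = pow(yA, S1, q) * pow(S1, S2, q) % q
    return V1 == V2


if __name__ == "__main__":
    q, a, xA = 19, 10, 16
    yA = pow(a, xA, q)                                  # 4
    print(elgamal_sign(q, a, xA, 14, 5))                # (3, 4), as on the slide
    print(elgamal_verify(q, a, yA, 14, (3, 4)))         # True
```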
91. Schnorr Digital Signatures
• also uses exponentiation in a finite (Galois) field
– security based on discrete logarithms, as in D-H
• minimizes message dependent computation
– multiplying a 2n-bit integer with an n-bit integer
• main work (the exponentiation a^r mod p) can be done in idle time, before the message is known
• uses a prime modulus p
– p–1 has a prime factor q of appropriate size
– typically p 1024-bit and q 160-bit numbers
92. Schnorr Key Setup
• choose suitable primes p, q with q | p-1
• choose a such that a^q = 1 mod p (a has order q)
• (a,p,q) are global parameters for all
• each user (eg. A) generates a key
– chooses a secret key (number): 0 < sA < q
– computes their public key: vA = a^{-sA} mod p
93. Schnorr Signature
• user signs message by
– choosing random r with 0<r<q and computing x = a^r mod p
– concatenating message with x and hashing the result, computing: e = H(M || x)
– computing: y = (r + se) mod q
– signature is pair (e, y)
• any other user can verify the signature as follows:
– computing: x' = a^y v^e mod p
– verifying that: e = H(M || x')
(this works since a^y v^e = a^{r+se} a^{-se} = a^r = x mod p; r must be fresh for every signature, because two signatures sharing r give s = (y - y')/(e - e') mod q)
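Schnorr key setup, signing and verification as a runnable procedure, with the message-independent work (x = a^r mod p) split out so the "idle time" point is visible in code. This is an added example, not code from the original slides. The toy global parameters p = 23, q = 11, a = 4 (a has order 11 mod 23) and the serialisation of x inside H(M || x) are this example's assumptions; real deployments use parameters of the sizes the slides quote.

```python
import hashlib
import secrets

# Toy global parameters (assumption): q = 11 divides p - 1 = 22, and a = 4 satisfies
# a^q = 1 mod p, i.e. a generates the order-q subgroup of GF(23)*.
P, Q, A = 23, 11, 4


def schnorr_keygen(s=None):
    """Secret 0 < s < q, public v = a^{-s} mod p (pow with a negative exponent
    computes the modular inverse)."""
    if s is None:
        s = secrets.randbelow(Q - 1) + 1
    return s, pow(A, -s, P)


def _hash_e(M: bytes, x: int) -> int:
    """e = H(M || x) as an integer; x is serialised as 4 big-endian bytes (assumption)."""
    return int.from_bytes(hashlib.sha256(M + x.to_bytes(4, "big")).digest(), "big")


def schnorr_precompute():
    """The message-independent part: pick r and compute x = a^r mod p in idle time."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(A, r, P)


def schnorr_sign(M: bytes, s: int, pre=None):
    """e = H(M || x), y = (r + s*e) mod q; signature is (e, y). Once M arrives only
    one hash and one small multiply-add remain."""
    r, x = pre if pre is not None else schnorr_precompute()
    e = _hash_e(M, x)
    return e, (r + s * e) % Q


def schnorr_verify(M: bytes, sig, v: int) -> bool:
    """x' = a^y v^e mod p equals a^{r+se} a^{-se} = a^r = x, so H(M || x') must reproduce e."""
    e, y = sig
    x_prime = pow(A, y, P) * pow(v, e, P) % P
    return e == _hash_e(M, x_prime)


if __name__ == "__main__":
    s, v = schnorr_keygen()
    pre = schnorr_precompute()                      # done before the message exists
    sig = schnorr_sign(b"constructed message", s, pre)
    print(schnorr_verify(b"constructed message", sig, v))   # True
```

A precomputed (r, x) pair must be used for exactly one signature; reusing it for two messages is the nonce-reuse failure noted above.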
94. Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• first proposed in 1991, published as FIPS 186 in 1994
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
• DSA is digital signature only unlike RSA
• is a public-key technique
96. Digital Signature Algorithm (DSA)
• creates a 320 bit signature (two 160-bit values r and s)
• with a 512- to 1024-bit modulus p
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
• variant of ElGamal & Schnorr schemes
97. DSA Key Generation
• have shared global public key values (p,q,g):
– choose 160-bit prime number q
– choose a large prime p with 2^{L-1} < p < 2^L
• where L = 512 to 1024 bits and is a multiple of 64
• such that q is a 160 bit prime divisor of (p-1)
– choose g = h^{(p-1)/q} mod p
• where 1 < h < p-1 and h^{(p-1)/q} mod p > 1
• users choose private & compute public key:
– choose random private key: 0 < x < q
– compute public key: y = g^x mod p
98. DSA Signature Creation
• to sign a message M the sender:
• generates a random signature key k, 0 < k < q
• nb. k must be random, be destroyed after use, and never be reused (two signatures made with the same k reveal the private key x)
• then computes signature pair:
• r = (g^k mod p) mod q
• s = [k^{-1}(H(M) + xr)] mod q
• sends signature (r,s) with message M
99. DSA Signature Verification
• having received M & signature (r,s)
• to verify a signature, recipient computes:
w = s^{-1} mod q
u1 = [H(M)w] mod q
u2 = (rw) mod q
v = [(g^{u1} y^{u2}) mod p] mod q
• if v = r then signature is verified
• see Appendix A for details of proof why (in short: from s = k^{-1}(H(M) + xr) we get k ≡ H(M)w + xrw = u1 + x·u2 (mod q), so g^{u1} y^{u2} = g^{u1 + x·u2} = g^k mod p and v = r)
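DSA key generation, signing and verification as a runnable procedure, together with what the "never reuse k" warning on the signature-creation slide means in practice: recovery of the private key from two signatures that share k. This is an added example, not code from the original slides. The toy global values p = 23, q = 11, g = 4 and the use of SHA-256 for H are this example's assumptions; the sign/verify functions take the hash value H(M) as an integer, exactly as the equations on the slides do.

```python
import hashlib
import secrets

# Toy global values (assumption): q = 11 is a prime divisor of p - 1 = 22, and
# g = h^((p-1)/q) mod p = 2^2 = 4 has order q. Real DSA uses a 160-bit q and a 512..1024-bit p.
P, Q, G = 23, 11, 4


def H(M: bytes) -> int:
    """H(M) as an integer (SHA-256 here as an assumption; the slides just say 'the SHA hash')."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big")


def dsa_keygen(x=None):
    if x is None:
        x = secrets.randbelow(Q - 1) + 1          # 0 < x < q
    return x, pow(G, x, P)


def dsa_sign(h: int, x: int, k=None):
    """r = (g^k mod p) mod q, s = k^{-1}(h + x r) mod q on the hash value h = H(M).
    k is per-signature, random, and never reused."""
    while True:
        if k is None:
            k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r and s:                                # FIPS 186 requires r != 0 and s != 0
            return r, s
        k = None                                   # retry with a fresh k


def dsa_verify(h: int, sig, y: int) -> bool:
    """w = s^{-1}; u1 = h w; u2 = r w; v = (g^{u1} y^{u2} mod p) mod q; accept iff v = r.
    Why it works: s = k^{-1}(h + x r) gives k = h w + x r w = u1 + x u2 (mod q),
    so g^{u1} y^{u2} = g^{u1 + x u2} = g^k mod p because g has order q."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r


def recover_private_key(h1: int, sig1, h2: int, sig2) -> int:
    """Two signatures with the same k share r. Then s1 - s2 = k^{-1}(h1 - h2) mod q, so
    k = (h1 - h2)/(s1 - s2) and x = (s1 k - h1)/r mod q: the private key falls out."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError("different r: k was not reused")
    k = (h1 - h2) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h1) * pow(r, -1, Q) % Q


if __name__ == "__main__":
    x, y = dsa_keygen(7)
    sig1, sig2 = dsa_sign(3, x, 4), dsa_sign(5, x, 4)   # same k = 4 for two hash values
    print(sig1, sig2)                                   # (3, 6) (3, 1): same r
    print(recover_private_key(3, sig1, 5, sig2))        # 7, the private key
```

The recovery is the same algebra that underlies the 2010 PlayStation 3 ECDSA key extraction; any deterministic-nonce scheme (RFC 6979) exists precisely to remove this failure mode.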