INFORMATION AND NETWORK SECURITY - CRYPTO
PART 3: CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
CHAPTER 12
MESSAGE AUTHENTICATION CODES
CHAPTER 13
DIGITAL SIGNATURES
MADIS SARALITA – 5112100038
Information and Network Security (C)
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
A hash function is denoted by H. It takes as input a variable-length block of data M and produces as
output a fixed-size hash value h = H(M). The purpose of a hash function is data integrity. A
cryptographic hash function is an algorithm for which certain computations (such as finding another
input with the same hash value) are infeasible. Because of that, hash functions are often used to
detect changes in data.
11.1 APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS
Message Authentication
Message authentication is a mechanism to verify the integrity of a message. It ensures that the
message received is authentic and has not been modified. In message authentication, the value
produced by the hash function is referred to as the message digest. Some methods do not use
encryption, because:
Encryption software is relatively slow.
Encryption hardware is costly.
Encryption hardware is not optimized for small blocks of data.
Licensed encryption algorithms have a cost.
The Message Authentication Code (MAC) is the most common form of message authentication. It is
also known as a keyed hash function and is used to authenticate information exchanged between two
parties.
Digital Signatures
A digital signature is a mechanism similar to a MAC. The hash value in this scheme is encrypted with
the user's private key. Anyone who knows the user's public key can verify the message. These are the
steps by which a hash code provides a digital signature:
The hash code is encrypted using public-key encryption with the sender's private key.
Then, the message plus the private-key-encrypted hash code can be encrypted using a symmetric
secret key.
Other Applications
Hash functions are commonly used to build a one-way password file.
Hash functions can be used for intrusion detection.
Hash functions can also be used for virus detection.
A Pseudorandom Function (PRF) or a Pseudorandom Number Generator (PRNG) can be constructed from a
cryptographic hash function.
11.2 TWO SIMPLE HASH FUNCTIONS
All hash functions share the general principle that the input is viewed as a sequence of n-bit blocks.
The input is processed to produce an n-bit hash value. The simplest hash function is the XOR of every
block, which can be expressed as
This operation produces a simple parity bit for each bit position. It is also known as a longitudinal
redundancy check.
Another simple hash function uses a rotated XOR (RXOR). This procedure has the effect of randomizing
the input more completely. For a message M consisting of a sequence of 64-bit blocks, define the
hash code by
Then the message plus hash code is encrypted using CBC mode to produce the encrypted message.
But X_{N+1} is the hash code:
The hash code would not change if the ciphertext blocks were permuted.
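As an added example (not part of the original notes), the following Python implements the two simple hashes of this section over 64-bit blocks and checks the property just stated: reordering the blocks leaves the plain XOR hash unchanged, while the rotated XOR does depend on block order. The sample message is constructed for the example.

```python
# Added example (not from the original notes): the block-XOR hash and the
# rotated-XOR (RXOR) hash of Section 11.2 over 64-bit blocks, plus a check of
# the weakness stated above: reordering blocks leaves the XOR hash unchanged.
from itertools import permutations

BLOCK_BITS = 64
BLOCK_BYTES = BLOCK_BITS // 8
MASK = (1 << BLOCK_BITS) - 1


def split_blocks(message):
    """Zero-pad the message and return its 64-bit blocks as integers."""
    padded = message + b"\x00" * (-len(message) % BLOCK_BYTES)
    return [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]


def xor_hash(message):
    """Bitwise XOR of all blocks: one parity bit per bit position (LRC)."""
    h = 0
    for block in split_blocks(message):
        h ^= block
    return h


def rotl(value, bits=1):
    """Circular left shift of a 64-bit word."""
    return ((value << bits) | (value >> (BLOCK_BITS - bits))) & MASK


def rxor_hash(message):
    """Rotated XOR: rotate the running value one bit left before each XOR,
    so the position of a block in the message now affects the result."""
    h = 0
    for block in split_blocks(message):
        h = rotl(h) ^ block
    return h


def permuted(message, order):
    """Rebuild the message with its 64-bit blocks in the given order."""
    blocks = split_blocks(message)
    return b"".join(blocks[i].to_bytes(BLOCK_BYTES, "big") for i in order)


def order_blind(hash_fn, message):
    """True if every reordering of the blocks gives the same hash value."""
    n = len(split_blocks(message))
    target = hash_fn(message)
    return all(hash_fn(permuted(message, p)) == target
               for p in permutations(range(n)))


# Constructed sample: three 64-bit blocks whose order clearly matters.
SAMPLE = b"PAY 0100" + b"TO ALICE" + b"FROM BOB"

if __name__ == "__main__":
    print("XOR hash order-blind:", order_blind(xor_hash, SAMPLE))    # True
    print("RXOR hash order-blind:", order_blind(rxor_hash, SAMPLE))  # False
```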
11.3 REQUIREMENTS AND SECURITY
Security Requirements for Cryptographic Hash Functions
h = H(x)
x is the preimage of h and consists of a data block. Because H is a many-to-one mapping, a collision
occurs if we have x ≠ y and H(x) = H(y). Such collisions are clearly undesirable.
Requirements for a Cryptographic Hash Function H:
Variable input size
Fixed output size
Efficiency
Preimage resistant (one-way property)
Second preimage resistant (weak collision resistant)
Collision resistant (strong collision resistant)
Pseudorandomness
This picture illustrates the relationships among the hash function properties.
Brute-Force Attacks
A brute-force attack depends only on the bit length of the hash value.
A brute-force attack does not depend on the specific algorithm.
Hash function resistance properties required for various data integrity applications
Cryptanalysis
Cryptanalytic attacks on a hash function exploit some property of the algorithm.
An ideal hash algorithm requires effort greater than or equal to the brute-force effort.
The hash algorithm applies a compression function repeatedly.
The compression function takes two inputs, a chaining variable and a b-bit block.
The compression function produces an n-bit output.
Cryptanalytic attacks focus on the internal structure of the compression function.
Cryptanalytic attacks attempt to find efficient techniques for producing collisions for a single
execution of the compression function.
The hash function can be summarized as
11.4 HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING
A hash function based on CBC divides a message M into fixed-size blocks and uses a symmetric
encryption system to compute the hash code G as
The difference from CBC encryption is that there is no secret key in this case.
Steps of the attack on this construction:
o Calculate the unencrypted hash code G.
o Construct any desired message in the form Q1, Q2, ..., QN-2.
o Compute Hi = E(Qi, Hi-1) for 1 ≤ i ≤ (N-2).
o Generate random blocks.
o Based on the birthday paradox, with high probability there will be an X and a Y such that
E(X, HN-2) = D(Y, G).
o Form the message Q1, Q2, ..., QN-2, X, Y. This message has the hash code G and can therefore be
used with the intercepted encrypted signature.
11.5 SECURE HASH ALGORITHM (SHA)
Secure Hash Algorithm (SHA) is the most widely used hash function.
SHA-512 Logic
Takes as input a message with a maximum length of less than 2^128 bits.
The input is processed in 1024-bit blocks.
Produces as output a 512-bit message digest.
Comparison of SHA Parameters
Steps of the algorithm:
o Append padding bits.
o Append length.
o Initialize hash buffer.
o Process message in 1024-bit (128-word) blocks.
o Output.
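As an added example (not from the original notes), the following Python carries out the "append padding bits" and "append length" steps of SHA-512 and splits the result into 1024-bit blocks; the compression rounds themselves are not implemented here. The messages used in the checks are constructed.

```python
# Added example (not from the original notes): the "append padding bits" and
# "append length" steps of SHA-512 and the split into 1024-bit blocks.

BLOCK_BYTES = 128         # 1024-bit block
LENGTH_BYTES = 16         # 128-bit length field at the end of the last block


def sha512_pad(message):
    """Return message || 1 || 0...0 || bit length of message (128-bit big-endian).

    The zeros are chosen so that the length before the length field is
    congruent to 896 mod 1024 bits; 896 + 128 = 1024, so the padded message
    is a whole number of blocks.  The 1 bit is always appended, even when the
    message already has that length, which then forces one extra block.
    """
    bit_length = len(message) * 8
    padded = message + b"\x80"                    # a 1 bit followed by seven 0 bits
    zeros = (-(len(padded) + LENGTH_BYTES)) % BLOCK_BYTES
    padded += b"\x00" * zeros
    padded += bit_length.to_bytes(LENGTH_BYTES, "big")
    assert len(padded) % BLOCK_BYTES == 0
    return padded


def sha512_blocks(message):
    """The 1024-bit blocks that the SHA-512 compression function processes."""
    padded = sha512_pad(message)
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def bits_before_length_field(message):
    """Bit length of message || 1 || 0...0, reduced mod 1024 (always 896)."""
    return (len(sha512_pad(message)) - LENGTH_BYTES) * 8 % 1024


def encoded_length(message):
    """The 128-bit length field, read back from the padded message."""
    return int.from_bytes(sha512_pad(message)[-LENGTH_BYTES:], "big")


if __name__ == "__main__":
    for msg in (b"abc", b"a" * 111, b"a" * 112):
        print(len(msg), "bytes ->", len(sha512_blocks(msg)), "block(s),",
              bits_before_length_field(msg), "bits before the length field")
```

The 111-byte and 112-byte messages show the edge case: 111 bytes plus the 1 bit fit in one block, while 112 bytes (already 896 bits) need a second block because the 1 bit is mandatory.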
We can summarize the behavior of SHA-512 as follows:
SHA-512 Round Function
Each round is defined by the following set of equations:
The remaining values are defined as:
11.6 SHA-3
Beyond the basic requirements, NIST defined a set of evaluation criteria designed to cover digital
signatures, hashed message authentication codes, key generation, and pseudorandom number
generation. The resulting standard is known as SHA-3.
SHA-3 algorithms are designed to resist any potentially successful attack on the SHA-2 functions.
SHA-3 should be efficient (in time and memory) over a range of hardware platforms.
SHA-3 is more flexible.
Question: According to a source I read on the internet, when using SHA-512 a number of padding bits
are added so that the message length is congruent to 896 mod 1024. How is the message made congruent
in this way, and why must it be congruent to 896 mod 1024?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York:
Prentice Hall, 2011.
CHAPTER 12
MESSAGE AUTHENTICATION CODES
12.1 MESSAGE AUTHENTICATION REQUIREMENTS
Disclosure
Release of message contents to any person or process that does not possess the appropriate
cryptographic key.
Traffic analysis
Discovery of the pattern of traffic.
Masquerade
Insertion of messages into the network that purport to come from an authorized source.
Content modification
Changes to the contents of a message.
Sequence modification
Modification of the sequence of messages.
Timing modification
Delay or replay of messages.
Source repudiation
Denial of transmission of a message by the source.
Destination repudiation
Denial of receipt of a message by the destination.
12.2 MESSAGE AUTHENTICATION FUNCTIONS
Types of functions that may be used to produce an authenticator:
Hash function
Message encryption
Message authentication code (MAC)
Message Encryption
Symmetric Encryption
Symmetric encryption provides authentication as well as confidentiality.
It may be difficult to determine whether incoming ciphertext decrypts to intelligible plaintext.
The solution is to force the plaintext to have some structure that is easily recognized.
Such plaintext could not be replicated without recourse to the encryption function.
With internal error control, authentication is provided because it is difficult to produce
ciphertext that has valid error-control bits when decrypted.
Public-Key Encryption
Public-key encryption is used to provide confidentiality.
Public-key encryption by itself cannot be used to provide authentication.
To provide authentication, a sender uses its private key to encrypt the message and the receiver
uses the sender's public key to decrypt it.
To provide both confidentiality and authentication, the sender encrypts the message first using its
private key, which provides the digital signature, then using the receiver's public key, which
provides confidentiality.
The disadvantage is the complexity of the public-key algorithm.
Message Authentication Code
A Message Authentication Code (MAC), also known as a cryptographic checksum, is an alternative
authentication technique that uses a secret key to generate a small fixed-size block of data.
MAC function
A MAC algorithm need not be reversible.
A MAC function is a many-to-one function.
In the first case, the MAC is calculated with the message as input, and then the entire block is
encrypted.
In the second case, the message is encrypted first, then the MAC is calculated using the resulting
ciphertext.
A MAC does not provide a digital signature because both sender and receiver share the same key.
12.3 REQUIREMENTS FOR MESSAGE AUTHENTICATION CODES
Consider the following MAC algorithm. Let M = (X1 || X2 || ... || Xm) be a message that is treated
as a concatenation of 64-bit blocks Xi. Then define
The opponent can attack the system by replacing the blocks X with blocks Y calculated as
If an opponent observes M and MAC(K, M), it should be computationally infeasible for the opponent to
construct a message M' such that MAC(K, M') = MAC(K, M).
MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages M and M',
the probability that MAC(K, M) = MAC(K, M') is 2^-n, where n is the number of bits in the tag.
Let M' be equal to some known transformation on M. That is, M' = f(M).
12.4 SECURITY OF MACS
Brute-Force Attacks
A brute-force attack on a MAC is more difficult than on a hash function because it requires known
message-tag pairs. If an attacker can determine the MAC key, then a valid MAC value can be generated
for any input x. If more than one key is found, additional text-tag pairs must be tested.
An attacker can also work without attempting to recover the key. The objective is then to find a
message that matches a given tag. This attack cannot be conducted off line without further input,
so the attacker will require chosen text-tag pairs.
Cryptanalysis
Cryptanalytic attacks on a MAC exploit some property of the algorithm.
An ideal MAC algorithm will require effort greater than or equal to the brute-force effort.
MAC structures are more varied than those of hash functions, so it is difficult to generalize
about the cryptanalysis of MACs.
12.5 MACS BASED ON HASH FUNCTIONS: HMAC
Cryptographic hash functions such as MD5 and SHA are faster than symmetric block ciphers such as
DES when executed in software, and library code for cryptographic hash functions is widely
available.
HMAC Design Objectives
The objectives for HMAC:
To use hash functions that perform well and whose code is freely available.
To allow easy replaceability of the embedded hash function.
To preserve the original performance of the hash function.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the authentication mechanism.
HMAC Algorithm
The picture above shows the HMAC structure. HMAC can then be expressed as
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeroes to the input block size of the hash
function, or the hash of the original key if it's longer than that block size,
m is the message to be authenticated,
| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
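As an added example (not from the original notes or the Wikipedia text they follow), the following Python computes HMAC directly from the expression above and cross-checks it against Python's hmac module; the RFC 4231 test vector is a published value, and verify_tag shows the constant-time comparison a receiver should use.

```python
# Added example (not from the original notes): HMAC computed directly from
# the expression above, H((K' XOR opad) || H((K' XOR ipad) || m)), compared
# with the standard library's hmac module, plus a constant-time tag check.
import hashlib
import hmac


def hmac_from_definition(key, message, hash_name="sha256"):
    """HMAC over any hashlib algorithm, built from the definition."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    # Form K': hash keys longer than one block, then pad with zeros on the right.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)      # K' XOR ipad (0x3636...36)
    outer_key = bytes(b ^ 0x5C for b in key)      # K' XOR opad (0x5c5c...5c)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def matches_stdlib(key, message, hash_name="sha256"):
    """Cross-check against hmac.new for the same key, message and hash."""
    return hmac_from_definition(key, message, hash_name) == \
        hmac.new(key, message, hash_name).digest()


def verify_tag(key, message, tag, hash_name="sha256"):
    """Receiver side: recompute and compare in constant time, so that the
    comparison itself does not leak how many leading bytes of the tag matched
    (the timing attack mentioned in the security notes below)."""
    expected = hmac_from_definition(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


# RFC 4231 test case 1 (HMAC-SHA-256): key of twenty 0x0b bytes, data "Hi There".
RFC4231_KEY = b"\x0b" * 20
RFC4231_DATA = b"Hi There"
RFC4231_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

if __name__ == "__main__":
    print(hmac_from_definition(RFC4231_KEY, RFC4231_DATA).hex() == RFC4231_TAG)  # True
```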
Security of HMAC
The cryptographic strength of the HMAC depends upon the size of the secret key that is used.
The most common attack against HMACs is brute force to uncover the secret key. HMACs are
substantially less affected by collisions than their underlying hashing algorithms alone.
Differential distinguishers allow an attacker to devise a forgery attack on HMAC. Furthermore,
differential and rectangle distinguishers can lead to second-preimage attacks. HMAC with the full
version of MD4 can be forged with this knowledge. These attacks do not contradict the security proof
of HMAC, but provide insight into HMAC based on existing cryptographic hash functions. In
improperly secured systems a timing attack can be performed to find out an HMAC digit by digit.
12.6 MACS BASED ON BLOCK CIPHERS: DAA AND CMAC
Data Authentication Algorithm
The Data Authentication Algorithm (DAA) is an older algorithm used for producing cryptographic
message authentication codes. According to the standard, a code produced by the DAA is called a Data
Authentication Code (DAC). The algorithm chain-encrypts the data, with the last cipher block truncated
and used as the DAC.
Cipher-Based Message Authentication Code (CMAC)
CMAC (Cipher-based Message Authentication Code) is a block cipher-based message
authentication code algorithm. It may be used to provide assurance of the authenticity and the
integrity of binary data.
To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret
key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is
equivalent to multiplication by x and x^2 in the finite field GF(2^b)). Let ≪ signify a standard
left-shift operator:
1. Calculate a temporary value k0 = E_k(0).
2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that
depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first
irreducible degree-b binary polynomial with the minimal number of ones.)
3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.
4. Return keys (k1, k2) for the MAC generation process.
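As an added example (not from the original notes), the following Python implements the subkey derivation above for any block size and the CMAC tag computation on top of it, with the block cipher supplied as a function. RFC4493_K0 is the AES-128 encryption of the zero block for the RFC 4493 example key (a published value); the XOR-based toy cipher and its key are constructed only to exercise cmac_tag and are not secure.

```python
# Added example (not from the original notes): CMAC subkey derivation from
# steps 1-4 above for any block size b (C = 0x1B for b = 64, 0x87 for b = 128)
# and the tag computation built on it.  The block cipher is passed in as a
# function, since the standard library has no AES.

# Non-leading coefficients of the lexicographically first minimal-weight
# irreducible polynomial: x^64 + x^4 + x^3 + x + 1 and x^128 + x^7 + x^2 + x + 1.
R_CONSTANT = {64: 0x1B, 128: 0x87}


def double_in_gf2b(block):
    """Multiply a b-bit block by x in GF(2^b): shift left one bit, then XOR C
    if the bit shifted out (the msb) was 1."""
    b = len(block) * 8
    value = int.from_bytes(block, "big")
    shifted = (value << 1) & ((1 << b) - 1)
    if value >> (b - 1):                 # msb = 1: reduce modulo the polynomial
        shifted ^= R_CONSTANT[b]
    return shifted.to_bytes(len(block), "big")


def cmac_subkeys(k0):
    """Steps 2 and 3: k1 = k0 * x and k2 = k0 * x^2 in GF(2^b)."""
    k1 = double_in_gf2b(k0)
    k2 = double_in_gf2b(k1)
    return k1, k2


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cmac_tag(encrypt_block, block_bytes, message, tag_bytes=None):
    """CBC-MAC chain whose last block is masked with k1 (complete block) or
    padded with 10...0 and masked with k2 (partial block), then truncated.
    The two masks keep a complete last block and a padded one from colliding."""
    k1, k2 = cmac_subkeys(encrypt_block(bytes(block_bytes)))   # step 1: k0 = E_k(0)
    n = max(1, -(-len(message) // block_bytes))                # number of blocks
    last = message[(n - 1) * block_bytes:]
    if len(last) == block_bytes:
        last = xor_bytes(last, k1)
    else:
        last = xor_bytes(last + b"\x80" + bytes(block_bytes - len(last) - 1), k2)
    state = bytes(block_bytes)
    for i in range(n - 1):
        chunk = message[i * block_bytes:(i + 1) * block_bytes]
        state = encrypt_block(xor_bytes(state, chunk))
    tag = encrypt_block(xor_bytes(state, last))
    return tag if tag_bytes is None else tag[:tag_bytes]


# E_k(0) under AES-128 for the RFC 4493 example key 2b7e1516...09cf4f3c, and
# the subkeys that RFC lists for it (published test-vector values).
RFC4493_K0 = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")
RFC4493_K1 = "fbeed618357133667c85e08f7236a8de"
RFC4493_K2 = "f7ddac306ae266ccf90bc11ee46d513b"

# Constructed stand-in cipher for exercising cmac_tag: E(x) = x XOR TOY_KEY.
# It is NOT a secure block cipher; a real deployment uses AES here.
TOY_KEY = bytes(range(16))


def toy_encrypt(block):
    return xor_bytes(block, TOY_KEY)


if __name__ == "__main__":
    k1, k2 = cmac_subkeys(RFC4493_K0)
    print(k1.hex() == RFC4493_K1, k2.hex() == RFC4493_K2)      # True True
```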
12.7 AUTHENTICATED ENCRYPTION: CCM AND GCM
Four common approaches to providing both confidentiality and authentication for a message:
HtE: Hash-then-encrypt
MtE: MAC-then-encrypt
EtM: Encrypt-then-MAC
E&M: Encrypt-and-MAC
Counter with Cipher Block Chaining-Message Authentication Code
CCM is a variation of the encrypt-and-MAC approach to authenticated encryption. The input to the
CCM encryption process consists of three elements:
Data that will be both authenticated and encrypted.
Associated data A that will be authenticated but not encrypted.
A nonce N that is assigned to the payload and the associated data.
CCM is a relatively complex algorithm. It requires two complete passes through the plaintext, once
to generate the MAC value and once for encryption.
Galois/Counter Mode
Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block
ciphers that has been widely adopted because of its efficiency and performance. GCM throughput
rates for state of the art, high speed communication channels can be achieved with reasonable
hardware resources. It is an authenticated encryption algorithm designed to provide both data
authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128
bits.
The authentication tag is constructed by feeding blocks of data into the GHASH function and
encrypting the result. The GHASH function is defined by
where the variable Xi is defined as
GCM is ideal for protecting packetized data because it has minimum latency and minimum operation
overhead.
12.8 PSEUDORANDOM NUMBER GENERATION USING HASH FUNCTIONS AND MACS
PRNG Based on Hash function
The algorithm needs the following inputs:
V = seed
seedlen = bit length of V, with seedlen ≥ k + 64, where k is the desired security level expressed
in bits
n = desired number of output bits
The basic operation of the algorithm is
PRNG Based on MAC function
A higher degree of confidence can be achieved by using a MAC. A MAC-based PRNG is constructed
with HMAC, because HMAC is widely implemented in many protocols and applications.
There are two inputs to the MAC function, a key K and a seed V. The combination of K and V forms
the overall seed for the PRNG. If we assume that HMAC is secure, knowledge of the input and output
should not be sufficient to recover K and hence not sufficient to predict future pseudorandom bits.
Question: In HMAC, when the sender sends the hash, it also sends the hash key. When this hash and the
hash key are combined, they form a new value. What is the function of the resulting value?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York:
Prentice Hall, 2011.
http://en.wikipedia.org/wiki/Hash-based_message_authentication_code, accessed on 27 April 2015
http://en.wikipedia.org/wiki/Data_Authentication_Algorithm, accessed on 27 April 2015
http://en.wikipedia.org/wiki/CMAC, accessed on 27 April 2015
http://en.wikipedia.org/wiki/Galois/Counter_Mode, accessed on 27 April 2015
CHAPTER 13
DIGITAL SIGNATURES
13.1 DIGITAL SIGNATURES
Properties
The picture above is the generic model of the digital signature process. A digital signature must
have the following properties:
It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
Attacks and Forgeries
Key-only attack: C knows only A's public key.
Known message attack: C is given access to a set of messages and their signatures.
Generic chosen message attack: C chooses a list of messages before attempting to break A's signature
scheme.
Directed chosen message attack: Similar to the generic attack, but the list of messages is chosen
after C knows A's public key but before any signatures are seen.
Adaptive chosen message attack: C is allowed to use A as an "oracle".
Digital Signature Requirements
The signature must be a bit pattern.
The signature must use information unique to the signer.
It must be relatively easy to produce the digital signature.
It must be relatively easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature.
It must be practical to retain a copy of the digital signature.
Direct Digital Signature
Commonly, the term direct digital signature refers to a scheme involving only the communicating
parties. By encrypting the entire message plus signature with a shared secret key (symmetric
encryption), confidentiality is ensured.
13.2 ELGAMAL DIGITAL SIGNATURE SCHEME
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty
of computing discrete logarithms.
Let H be a collision-resistant hash function.
Let p be a large prime such that computing discrete logarithms modulo p is difficult.
Let g < p be a randomly chosen generator of the multiplicative group of integers modulo p .
Key generation
Randomly choose a secret key x with 1 < x < p − 1.
Compute y = g^x mod p.
The public key is (p, g, y).
The secret key is x.
These steps are performed once by the signer.
Signature generation
To sign a message m the signer performs the following steps.
Choose a random k such that 1 < k < p − 1 and gcd(k, p − 1) = 1.
Compute
Compute
If s = 0 start over again.
Then the pair (r,s) is the digital signature of m. The signer repeats these steps for every signature.
Verification
A signature (r,s) of a message m is verified as follows.
0 < r < p and 0 < s < p - 1.
The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.
Correctness
The algorithm is correct in the sense that a signature generated with the signing algorithm will
always be accepted by the verifier.
The signature generation implies
Hence Fermat's little theorem implies
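As an added example (not from the original notes), the following Python fills in the standard ElGamal signing and verification formulas that the outline above leaves implicit (r = g^k mod p, s = (H(m) - xr) k^-1 mod (p - 1), accept iff g^H(m) = y^r r^s mod p), with SHA-256 as H. The prime 2^31 - 1 and generator 7 are my choices for readability, not values from the notes; real use needs a far larger prime.

```python
# Added example (not from the original notes): ElGamal key generation, signing
# and verification with the standard formulas r = g^k mod p,
# s = (H(m) - x r) k^-1 mod (p - 1) and the check g^H(m) = y^r r^s (mod p).
import hashlib
import math
import secrets

P = 2**31 - 1                                     # a Mersenne prime (readability only)
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)   # prime factors of p - 1
G = 7                                             # a primitive root of 2^31 - 1


def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def hash_message(m):
    """H(m) as an integer exponent, reduced mod p-1 (the order of g)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)


def keygen():
    """Secret x with 1 < x < p-1, public y = g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def sign(x, m):
    """Fresh k with gcd(k, p-1) = 1 for every signature; start over if s = 0."""
    h = hash_message(m)
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)
        s = (h - x * r) * pow(k, -1, P - 1) % (P - 1)
        if s != 0:
            return r, s


def verify(y, m, signature):
    """Accept iff 0 < r < p, 0 < s < p-1 and g^H(m) == y^r r^s (mod p)."""
    r, s = signature
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, hash_message(m), P) == pow(y, r, P) * pow(r, s, P) % P


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, b"transfer 100 to alice")
    print(verify(y, b"transfer 100 to alice", sig))   # True
    print(verify(y, b"transfer 900 to alice", sig))   # False
```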
13.3 SCHNORR DIGITAL SIGNATURE SCHEME
In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature
algorithm. Its security is based on the intractability of certain discrete logarithm problems. The Schnorr
signature is considered the simplest digital signature scheme to be provably secure in a random oracle
model. It is efficient and generates short signatures.
The first step is to generate a private/public key pair as follows.
1. Choose primes p and q, such that q is a prime factor of p - 1.
2. Choose an integer a, such that a^q = 1 mod p.
3. Choose a random integer s with 0 < s < q.
4. Calculate v = a^(-s) mod p.
And then a user with private key s and public key v generates a signature :
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p.
2. Concatenate the message with x and hash the result to compute the value e:
e = H(M || x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).
Any other user can verify the signature as follows.
1. Compute x' = a^y v^e mod p.
2. Verify that e = H(M || x').
To see that the verification works, observe
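As an added example (not from the original notes), the following Python implements the Schnorr steps exactly as listed above, with p = 2^31 - 1, q = 331 (a prime factor of p - 1) and SHA-256 as H; these parameter choices are mine for readability, not from the notes, and real deployments use far larger p and q.

```python
# Added example (not from the original notes): the Schnorr scheme as laid out
# above: v = a^-s mod p, x = a^r mod p, e = H(M || x), y = (r + s e) mod q,
# and verification by checking e = H(M || a^y v^e mod p).
import hashlib
import secrets

P = 2**31 - 1          # prime
Q = 331                # prime factor of p - 1 (2147483646 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331)
PRIMITIVE_ROOT = 7     # primitive root of 2^31 - 1, used only to derive a

# a = g^((p-1)/q) mod p has order exactly q, so a^q = 1 mod p as step 2 requires.
A = pow(PRIMITIVE_ROOT, (P - 1) // Q, P)


def hash_value(message, x):
    """e = H(M || x), with x encoded as 4 big-endian bytes (p < 2^32)."""
    digest = hashlib.sha256(message + x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big")


def keygen():
    """Private s with 0 < s < q, public v = a^-s mod p (= a^(q-s), since a^q = 1)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(A, Q - s, P)


def sign(s, message):
    r = secrets.randbelow(Q - 1) + 1          # fresh 0 < r < q for every signature
    x = pow(A, r, P)
    e = hash_value(message, x)
    y = (r + s * e) % Q
    return e, y


def verify(v, message, signature):
    """x' = a^y v^e mod p equals a^(r+se) a^(-se) = a^r = x, so H(M || x') must
    reproduce the e carried in the signature."""
    e, y = signature
    x_prime = pow(A, y, P) * pow(v, e, P) % P
    return e == hash_value(message, x_prime)


if __name__ == "__main__":
    s, v = keygen()
    sig = sign(s, b"approve build 42")
    print(verify(v, b"approve build 42", sig), verify(v, b"approve build 43", sig))  # True False
```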
13.4 DIGITAL SIGNATURE STANDARD
The DSS Approach
DSS is designed to provide only the digital signature function.
DSS cannot be used for encryption or key exchange.
DSS uses a public-key technique.
DSS also uses a hash function; the hash code is provided as input to a signature function along
with a random number k generated for this particular signature.
The signature function depends on the sender's private key.
Only with knowledge of the private key could the signature function have produced the valid
signature.
The Digital Signature Algorithm
This is the algorithm
With DSA, the entropy, secrecy, and uniqueness of the random signature value k are critical. It is
so critical that violating any one of those three requirements can reveal the entire private key to
an attacker. Using the same value twice (even while keeping k secret), using a predictable value, or
leaking even a few bits of k in each of several signatures is enough to break DSA.
Question: In DSA, if the signature generation process produces the value s = 0, why must a new value
of k be generated and the signature recomputed?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York:
Prentice Hall, 2011.
http://en.wikipedia.org/wiki/ElGamal_signature_scheme, accessed on 27 April 2015
http://en.wikipedia.org/wiki/Schnorr_signature, accessed on 27 April 2015
http://en.wikipedia.org/wiki/Digital_Signature_Algorithm, accessed on 27 April 2015
DATA INTEGRITY ALGORITHMS
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
CHAPTER 12
MESSAGE AUTHENTICATION CODES
CHAPTER 13
DIGITAL SIGNATURES
MADIS SARALITA – 5112100038
Keamanan Informasi dan Jaringan (C)
CHAPTER 11
CHAPTER 11
CRYPTOGRAPHIC HASH FUNCTIONS
Hash function is labeled by H. H has input a variable-length block of ata M and the
output is a fixed-size hash value h = H(M). The puprose of a hash function is data integrity.
Cryptographic hash function is an algorithm that can solve infeasible computational. Because
of that, hash function are often used to determine data changes.
11.1 APPLICATIONS OF CRYPTOGRAPHIC HASH FUNCTIONS
Message Authentication
Message authentication is a system to verify integrity of message. It ensures that message
received are real and contain no modification. In message authentication, the hash function have
value that is referred as message digest. Some method do not provide encrypt system because :
Encryption software is relatively slow.
High costs for encryption hardware.
Encryption hardware is not optimized for small blocks of data.
Cost for the licensed encryption algorithms.
Message Authentication Code (MAC) is the most commonly function of message
authentication. It also known as a keyed hash function which are used to authenticate information
exchanged between two parties.
Digital Signatures
Digital signature is a system that is simiar to MAC. Hash value in this system is encrypted with a
user’s private key. If anyone know the user’s public key, the message can be verified. This is step how
a hash code provide digital signature:
The hash code is encrypted using public key encryption with the sender’s private key.
Then, the message plus the private key encrypted hash code can be encrypted using a
symmetric secret key.
Other Applications
Hash function are commonly purposed to make a one-way password file.
Hash function can be used for intrusion detection.
Hash function also can be used for virus detection.
Pseudorandom Function (PRF) or a Pseudorandom Number Generator (PRNG) can be
constructed by a cryptogrpahic hash function.
11.2 TWO SIMPLE HASH FUNCTIONS
All hash function has general principles that the input is viewed as a sequence of n-bit blocks.
The input is processed to produce an n-bit hash function. The simplest hash function is using XOR of
every block that can be expressed as
That operation will produce a simple parity for each bit position. It also known as a longitudinal
redundancy check.
Other simplest hash function is using rotated XOR(RXOR). This procedure has effect to
randomize the input more completely. Message M that is consists of a sequence of 64-bit block define
hash code by
Then, the message plus hash code is encrypted using CBC mode to produce encrypted
message.
But XN+1 is the hash code :
The hash code would not change if the ciphertext blocks were permuted.
11.3 REQUIREMENTS AND SECURITY
Security Requirements for Cryptographic Hash Functions
h = H(x)
x is the preimage of h which is consist of data block. Because H is a many-to-one mapping, a collision
occurs if we have x ≠ y and H(x) = H(y). This collisions are clearly undesirable.
Requirements for a Cryptographic Hash Function H :
Variable input size
Fixed output size
Efficiency
Preimage resistant (one-way property)
Second preimage resistant (weak collision resistant)
Collision resistant (strong collision resistant)
Pseudorandomness
This picture ilustrate relationship among hash function properties
Brute-Force Attacks
Brute-force attack depend only on bit length of the hash value.
Brute-force attack does not depend on the specific algorithm.
Hash function resistance properties required for various data integrity applications
Cryptanalysis
Cryptanalytic on hash function attack by exploiting some property of the algorithm.
Ideal hash algorithm require more effort than or equal to the brute-force effort.
The hash algorithm use a compression function repeatedly.
The function takes two inputs, chaining variable and a b-bit block.
The function produces an n-bit output.
Cryptanalytic attacks focuse on the internal structure of the compression function.
Cryptanalytic attacks attempt to find efficient techniques for producing collisions for a single
execution of compression function.
The hash function can be summarized as
11.4 HASH FUNCTIONS BASED ON CIPHER BLOCK CHAINING
Based on CBC, hash function divide a message M into fixed size blocks and use a symmetric
encryption system to compute the hash code G as
The differences is no secret key in this case.
Step of the algorithm :
o Calculate the unencrypted hash code G.
o Construct any desired message in the form Q1, Q2, . . . , QN-2.
o Compute Hi = E(Qi, Hi-1) for 1 ≤ i ≤ (N-2).
o Generate random blocks.
o Based on the birthday paradox, with high probability there will be an X and Y such that
E(X, HN-2) = D(Y, G).
o Form the message Q1, Q2, . . . , QN-2, X, Y. This message has the hash code that can be
used with the intercepted encrypted signature.
11.5 SECURE HASH ALGORITHM (SHA)
Secure Hash Algorithm (SHA) is the most widely used hash function.
SHA-512 Logic
Has input a message with maximum length is less than 2128 bits.
The input is processed in 1024-bit blocks.
Produce output a 512-bit message digest.
Comparison of SHA Parameters
Step of the algorithm :
o Append padding bits.
o Append length.
o Initialize hash buffer.
o Process message in 1024-bit (128-word) blocks.
o Output.
We can summarize the behavior of SHA-512 as follows:
SHA-512 Round Function
Each round is defined by the following set of equations :
The remaining values are defined as :
11.6 SHA-3
Beyond on the basic requirements, NIST has defined a set of evaluation criteria that are
designed to include digital signatures, hashed message authentication codes, key generation, and
pseudorandom number generation. It is known as SHA-3.
SHA-3 algorithms are designed to resist any potentially successful attack on SHA-2
functions.
SHA-3 should be efficient over a range of hardware platforms (time and memory).
SHA-3 is more flexible.
Pertanyaan : Berdasarkan sumber yang saya baca di internet, ketika menggunakan SHA12,
ditambahkan sejumlah bit pengganjal sehingga panjang pesan kongruen dengan 896 mod 1024.
Bagaimana caranya untuk meng-kongruen-kan pesan tersebut? Dan mengapa harus kongruen dengan
896 mod 1024?
SOURCE
W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York:
Prentice Hall, 2011.
CHAPTER 12
CHAPTER 12
MESSAGE AUTHENTICATION CODES
12.1 MESSAGE AUTHENTICATION REQUIREMENTS
Disclosure
Release content of message to any person or process that do not have appropriate
cryptographoc key.
Traffic analysis
Discovery the pattern of traffic.
Masquerade
Modify the message into the network from an authorized source.
Content modification
Changes contents of a message.
Sequence modification
Modify sequence of message.
Timing modification
Delay or replay of message
Source repudiation
Message transmision is denied by souce.
Destination repudiation
Message receipt is denied by destination.
12.2 MESSAGE AUTHENTICATION FUNCTIONS
Types of functions that may be used to produce an authenticator :
Hash function
Message encryption
Message authentication code (MAC)
Message Encryption
Symmetric Encryption
Symmetric encryption provides authentication as well as confidentiality.
It may be difficult to determine if incoming ciphertext decrypts to intelligible plaintext.
The solution is by forcing the plaintext to have some structure that is easily
recognized.
The plaintext could not be replicated without resource to the encryption function.
With internal error control, authentication is provided to complicate producing of
ciphertext which have valid error control bits when decrypted.
Public-Key Encryption
Public-key encryption is used to provide confidentiality.
Public-key encryption can not used to provide authentication.
To provide authentication, a sender should use its private key to encrypt the message
and a receiver uses sender’s public key to decrypt.
To provide both confidentiality and authentication, sender can encrypt the message
first using its private key which provides the digital signature, then using receiver
public key which provides confidentiality.
The disadvantages is complexity of the public-key algorithm.
Message Authentication Code
Message Authentication Code (MAC) also known as cryptographic checksum is an alternative
technique of autentication that use a secret key to generate a small fixed-size block of data.
MAC function
MAC algorithm need not be reversible.
MAC function is a many-to-one function.
In the first case, MAC is calculated with the message as input, and them the entire
block is encrypted.
In the second case, the message is encrypted first, then MAC is calculated using the
result of ciphertext.
MAC does not provide a digital signature because both sender and receiver share the
same key.
12.3 REQUIREMENTS FOR MESSAGE AUTHENTICATION CODES
Consider the following MAC algorithm. Let M = (X1 || X2 || . . . || Xm) be a message that is
treated as a concatenation of 64-bit blocks Xi .Then define
The opponent can attack the system by replacing X through Y which is calculated as
If an opponent observes M and MAC(K,M), it should be computationally infeasible
for the opponent to construct a message M’ such that MAC(K, M’) = MAC(K, M).
MAC(K, M) should be uniformly distributed in the sense that for randomly chosen
messages, M and M’, the probability that MAC(K, M) = MAC(K,M’) is 2-n ,where n is
the number of bits in the tag.
Let M’ be equal to some known transformation on M.That is, M’ = f(M).
12.4 SECURITY OF MACS
Brute-Force Attacks
A brute-force attack on a MAC is more difficult than on a hash function because it requires known
message-tag pairs. If an attacker can determine the MAC key, a valid MAC value can be
generated for any input x. If more than one key is found, additional text-tag pairs must be
tested.
An attacker can also work without attempting to recover the key. The objective is then to find a
message that matches a given tag. This attack cannot be conducted offline without further input, so
the attacker requires chosen text-tag pairs.
Cryptanalysis
Cryptanalytic attacks on a MAC exploit some property of the algorithm rather than searching the key space exhaustively.
An ideal MAC algorithm will require cryptanalytic effort greater than or equal to the brute-force effort.
There is more variety in the structure of MACs than in hash functions, so it is difficult to generalize
about the cryptanalysis of MACs.
12.5 MACS BASED ON HASH FUNCTIONS: HMAC
Cryptographic hash functions such as MD5 and SHA are faster than symmetric block ciphers
such as DES when executed in software, and library code for cryptographic hash functions is
widely available.
HMAC Design Objectives
The objectives for HMAC are:
To use, without modification, hash functions that perform well and whose code is freely available.
To allow easy replacement of the embedded hash function.
To preserve the original performance of the hash function.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the strength of the authentication mechanism.
HMAC Algorithm
The figure above shows the HMAC structure. HMAC can be expressed as
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeroes to the input block size of the hash
function, or the hash of the original key if it's longer than that block size,
m is the message to be authenticated,
| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
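The construction described above, HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m)), built directly from SHA-256 as an added example (not code from the page or from the cited sources). The constant-time tag check and the cross-check against Python's own hmac module are additions of this example.

```python
import hashlib
import hmac  # standard-library HMAC, used here only to cross-check the hand-built version

BLOCK_SIZE = hashlib.sha256().block_size  # 64 bytes: the input block size of SHA-256


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), with H = SHA-256."""
    # K': a key longer than one block is hashed first; the key is then padded
    # on the right with zero bytes up to the block size of the hash function
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    k_prime = key.ljust(BLOCK_SIZE, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in k_prime)   # inner padding constant 0x36...36
    k_opad = bytes(b ^ 0x5C for b in k_prime)   # outer padding constant 0x5c...5c
    inner = hashlib.sha256(k_ipad + message).digest()
    return hashlib.sha256(k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so the receiver does not leak the
    correct tag byte by byte through timing (the attack noted under Security of HMAC)."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()
```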
Security of HMAC
The cryptographic strength of the HMAC depends upon the size of the secret key that is used.
The most common attack against HMACs is brute force to uncover the secret key. HMACs are
substantially less affected by collisions than their underlying hashing algorithms alone.
Differential distinguishers allow an attacker to devise a forgery attack on HMAC. Furthermore,
differential and rectangle distinguishers can lead to second-preimage attacks. HMAC with the full
version of MD4 can be forged with this knowledge. These attacks do not contradict the security proof
of HMAC, but provide insight into HMAC based on existing cryptographic hash functions. In
improperly secured systems a timing attack can be performed to find out an HMAC digit by digit.
12.6 MACS BASED ON BLOCK CIPHERS: DAA AND CMAC
Data Authentication Algorithm
The Data Authentication Algorithm (DAA) is an older algorithm that was used for producing
cryptographic message authentication codes. According to the standard, a code produced by the DAA
is called a Data Authentication Code (DAC). The algorithm encrypts the data in chaining (CBC) mode, with
the last cipher block truncated and used as the DAC.
Cipher-Based Message Authentication Code (CMAC)
CMAC (Cipher-based Message Authentication Code) is a block cipher-based message
authentication code algorithm. It may be used to provide assurance of the authenticity and the
integrity of binary data.
To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret
key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is
equivalent to multiplication by x and x^2 in the finite field GF(2^b)). Let ≪ signify a standard left-shift
operator:
1. Calculate a temporary value k0 = E_k(0).
2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that
depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first
irreducible degree-b binary polynomial with the minimal number of ones.)
3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.
4. Return keys (k1, k2) for the MAC generation process.
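Steps 1 to 4 above as an added Python example (not code from the page or the cited sources). The block-cipher output k0 = E_k(0) is taken as given rather than computed: the 128-bit value checked below is the AES-128 intermediate L from the RFC 4493 test vectors, and the 64-bit input is constructed here; the constants C = 0x87 (b = 128) and C = 0x1B (b = 64) are those of NIST SP 800-38B.

```python
def cmac_subkeys(k0: bytes):
    """Derive the CMAC sub-keys (k1, k2) from k0 = E_k(0) by doubling in GF(2^b)."""
    b = len(k0) * 8
    # C (called Rb in SP 800-38B) depends only on the block size b
    const = {64: 0x1B, 128: 0x87}[b]
    mask = (1 << b) - 1

    def double(block: bytes) -> bytes:
        # multiplication by x in GF(2^b): shift left one bit, and if the bit that
        # fell off (the former msb) was 1, reduce by XORing in the constant
        value = int.from_bytes(block, "big")
        msb_set = value >> (b - 1)
        value = (value << 1) & mask
        if msb_set:
            value ^= const
        return value.to_bytes(len(block), "big")

    k1 = double(k0)      # step 2: k1 = k0 << 1, XOR C if msb(k0) = 1
    k2 = double(k1)      # step 3: k2 = k1 << 1, XOR C if msb(k1) = 1
    return k1, k2        # step 4
```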
12.7 AUTHENTICATED ENCRYPTION: CCM AND GCM
Four common approaches to providing both confidentiality and authentication for a message:
HtE: Hash-then-encrypt
MtE: MAC-then-encrypt
EtM: Encrypt-then-MAC
E&M: Encrypt-and-MAC
Counter with Cipher Block Chaining-Message Authentication Code
CCM is a variation of the encrypt-and-MAC approach to authenticated encryption. The
input to the CCM encryption process consists of three elements:
Data that will be both authenticated and encrypted.
Associated data A that will be authenticated but not encrypted.
A nonce N that is assigned to the payload and the associated data.
CCM is a complex algorithm. It requires two complete passes through the plaintext, once to
generate the MAC value, and once for encryption.
Galois/Counter Mode
Galois/Counter Mode (GCM) is a mode of operation for symmetric key cryptographic block
ciphers that has been widely adopted because of its efficiency and performance. GCM throughput
rates for state of the art, high speed communication channels can be achieved with reasonable
hardware resources. It is an authenticated encryption algorithm designed to provide both data
authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128
bits.
The authentication tag is constructed by feeding blocks of data into the GHASH function, and
encrypting the result. This GHASH function is defined by
where the variable X_i is defined as
GCM is ideal for protecting packetized data, because it has minimum latency and minimum
operation overhead.
12.8 PSEUDORANDOM NUMBER GENERATION USING HASH FUNCTIONS AND MACS
PRNG Based on Hash function
The algorithm needs the following inputs:
V = seed
seedlen = bit length of V ≥ k + 64, where k is the desired security level expressed in bits
n = desired number of output bits
The basic operation of the algorithm is
PRNG Based on MAC function
A higher degree of confidence can be achieved by using a MAC. A MAC-based PRNG is
constructed with HMAC, because HMAC is widely implemented in many protocols and
applications.
There are two inputs to the MAC function, a key K and a seed V. The combination of K and V
makes up the overall seed for the PRNG. If we assume that HMAC is secure, knowledge of the input
and output should not be sufficient to recover K and hence not sufficient to predict future
pseudorandom bits.
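Both generators described above as an added Python example (not code from the page). The loop structure follows the simplified Hash_DRBG and HMAC_DRBG given in the Stallings text cited under SOURCE: the hash-based generator hashes V, increments V mod 2^seedlen, and repeats; the MAC-based generator chains w_i = HMAC(K, w_(i-1)) with w_0 = V. SHA-256 and the default k = 128 are assumptions of this example.

```python
import hashlib
import hmac

OUTLEN = hashlib.sha256().digest_size * 8   # output length of the hash, in bits


def leftmost_bits(W: bytes, n: int) -> bytes:
    """Return the leftmost n bits of W, zeroing any trailing bits of the last byte."""
    nbytes = -(-n // 8)                      # ceil(n / 8)
    out = bytearray(W[:nbytes])
    extra = nbytes * 8 - n
    if extra:
        out[-1] &= (0xFF << extra) & 0xFF
    return bytes(out)


def hash_prng(V: int, seedlen: int, n: int, k: int = 128) -> bytes:
    """Hash-based PRNG: w_i = H(V + i - 1 mod 2^seedlen), output = leftmost n bits of w_1||...||w_m."""
    if seedlen < k + 64:                     # requirement: seedlen >= k + 64
        raise ValueError("seedlen must be at least k + 64 bits")
    m = -(-n // OUTLEN)                      # ceil(n / outlen) hash outputs are needed
    data, W = V, b""
    for _ in range(m):
        W += hashlib.sha256(data.to_bytes(-(-seedlen // 8), "big")).digest()
        data = (data + 1) % (1 << seedlen)   # step the counter, wrapping at 2^seedlen
    return leftmost_bits(W, n)


def hmac_prng(K: bytes, V: bytes, n: int) -> bytes:
    """MAC-based PRNG: w_0 = V, w_i = HMAC(K, w_(i-1)); output = leftmost n bits of w_1||...||w_m."""
    m = -(-n // OUTLEN)
    w, W = V, b""
    for _ in range(m):
        w = hmac.new(K, w, hashlib.sha256).digest()
        W += w
    return leftmost_bits(W, n)
```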
Question: In HMAC, when the sender sends the hash, it also sends the hash key. When this
hash and the hash key are combined, they form a new value. What is the function of this
resulting value?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York:
Prentice Hall, 2011.
http://en.wikipedia.org/wiki/Hash-based_message_authentication_code, accessed 27 April 2015
http://en.wikipedia.org/wiki/Data_Authentication_Algorithm, accessed 27 April 2015
http://en.wikipedia.org/wiki/CMAC, accessed 27 April 2015
http://en.wikipedia.org/wiki/Galois/Counter_Mode, accessed 27 April 2015
CHAPTER 13
DIGITAL SIGNATURES
13.1 DIGITAL SIGNATURES
Properties
The figure above shows the generic model of the digital signature process. The digital signature must have the
following properties:
It must be possible to verify the author and the date and time of the signature.
It must be possible to authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
Attacks and Forgeries
Key-only attack: A’s public key is known by C.
Known message attack: A set of messages and signatures are given to C.
Generic chosen message attack: C chooses a list of messages before attempting to break A's signature
scheme, independent of A's public key.
Directed chosen message attack: Similar to the generic attack, but the list of messages is
chosen after C knows A’s public key but before any signatures are seen.
Adaptive chosen message attack: C is allowed to use A as an “oracle.”
Digital Signature Requirements
The signature must be a bit pattern that depends on the message being signed.
The signature must use some information unique to the sender.
It must be relatively easy to produce the digital signature.
It must be relatively easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature.
It must be practical to retain a copy of the digital signature in storage.
Direct Digital Signature
The term direct digital signature refers to a scheme that involves only the communicating
parties. By encrypting the entire message plus signature with a shared secret key (symmetric
encryption), confidentiality is ensured.
13.2 ELGAMAL DIGITAL SIGNATURE SCHEME
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty
of computing discrete logarithms.
Let H be a collision-resistant hash function.
Let p be a large prime such that computing discrete logarithms modulo p is difficult.
Let g < p be a randomly chosen generator of the multiplicative group of integers modulo p .
Key generation
Randomly choose a secret key x with 1 < x < p − 1.
Compute y = g^x mod p.
The public key is (p, g, y).
The secret key is x.
These steps are performed once by the signer.
Signature generation
To sign a message m the signer performs the following steps.
Choose a random k such that 1 < k < p − 1 and gcd(k, p − 1) = 1.
Compute
Compute
If s = 0 start over again.
Then the pair (r,s) is the digital signature of m. The signer repeats these steps for every signature.
Verification
A signature (r,s) of a message m is verified as follows.
Check that 0 < r < p and 0 < s < p − 1.
The verifier accepts a signature if all conditions are satisfied and rejects it otherwise.
Correctness
The algorithm is correct in the sense that a signature generated with the signing algorithm will
always be accepted by the verifier.
The signature generation implies
Hence Fermat's little theorem implies
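Key generation, signing and verification as described above, as an added Python example (not code from the page or the cited sources). It uses the standard ElGamal equations r = g^k mod p, s = (H(m) − x·r)·k^(−1) mod (p − 1) and the check g^H(m) ≡ y^r · r^s (mod p); the safe prime p = 1019 is a toy parameter chosen here, far too small for real use, and SHA-256 is the assumed H.

```python
import hashlib
import math
import secrets


def find_generator(p: int) -> int:
    """For a safe prime p = 2q + 1, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)


def h_int(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def keygen(p: int, g: int):
    x = secrets.randbelow(p - 3) + 2            # secret key, 1 < x < p - 1
    return x, (p, g, pow(g, x, p))              # public key (p, g, y = g^x mod p)


def sign(m: bytes, x: int, pub):
    p, g, _ = pub
    while True:
        k = secrets.randbelow(p - 3) + 2        # random k, 1 < k < p - 1
        if math.gcd(k, p - 1) != 1:             # k must be invertible mod p - 1
            continue
        r = pow(g, k, p)                        # r = g^k mod p
        s = (h_int(m) - x * r) * pow(k, -1, p - 1) % (p - 1)
        if s != 0:                              # "if s = 0 start over again"
            return r, s


def verify(m: bytes, sig, pub) -> bool:
    p, g, y = pub
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):       # range checks from the page
        return False
    # g^H(m) = y^r * r^s (mod p): y^r r^s = g^(x r + k s) and k s = H(m) - x r (mod p - 1)
    return pow(g, h_int(m), p) == pow(y, r, p) * pow(r, s, p) % p
```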
13.3 SCHNORR DIGITAL SIGNATURE SCHEME
In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature
algorithm. Its security is based on the intractability of certain discrete logarithm problems. The Schnorr
signature is considered the simplest digital signature scheme to be provably secure in a random oracle
model. It is efficient and generates short signatures.
The first step is to generate a private/public key pair as follows.
1. Choose primes p and q, such that q is a prime factor of p − 1.
2. Choose an integer a, such that a^q = 1 mod p.
3. Choose a random integer s with 0 < s < q.
4. Calculate v = a^(−s) mod p.
And then a user with private key s and public key v generates a signature :
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p.
2. Concatenate the message with x and hash the result to compute the value e:
e = H(M || x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).
Any other user can verify the signature as follows.
1. Compute x' = a^y v^e mod p.
2. Verify that e = H(M || x').
To see that the verification works, observe
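The key generation, signing and verification steps above as an added Python example (not code from the page or the cited sources). The parameters p = 1019, q = 509 and a = 4 are toy values chosen here (q divides p − 1 and a^q = 1 mod p), and SHA-256 is the assumed H; the verification works because x' = a^y · v^e = a^(r + se) · a^(−se) = a^r = x.

```python
import hashlib
import secrets

# Toy parameters, not secure: q = 509 is a prime factor of p - 1 = 1018, and
# a = 4 satisfies a^q = 1 mod p, so a has order q in Z_p^*.
P, Q, A = 1019, 509, 4


def H(M: bytes, x: int) -> int:
    """e = H(M || x); x is encoded as a fixed-width big-endian integer before hashing."""
    return int.from_bytes(hashlib.sha256(M + x.to_bytes(2, "big")).digest(), "big")


def keygen():
    s = secrets.randbelow(Q - 1) + 1      # private key, 0 < s < q
    v = pow(A, -s, P)                     # public key v = a^(-s) mod p
    return s, v


def sign(M: bytes, s: int):
    r = secrets.randbelow(Q - 1) + 1      # fresh random r, 0 < r < q
    x = pow(A, r, P)                      # x = a^r mod p
    e = H(M, x)                           # e = H(M || x)
    y = (r + s * e) % Q                   # y = (r + s e) mod q
    return e, y


def verify(M: bytes, sig, v: int) -> bool:
    e, y = sig
    x_prime = pow(A, y, P) * pow(v, e, P) % P   # x' = a^y v^e mod p
    return e == H(M, x_prime)                   # accept iff e = H(M || x')
```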
13.4 DIGITAL SIGNATURE STANDARD
The DSS Approach
DSS is designed to provide only the digital signature function.
DSS cannot be used for encryption or key exchange.
DSS uses a public-key technique.
DSS also uses a hash function, whose output is provided as input to a signature function along with a
random number k generated for this particular signature.
The signature function depends on the sender's private key.
Only with knowledge of the private key could the signature function have produced a valid
signature.
The Digital Signature Algorithm
This is the algorithm
With DSA, the entropy, secrecy, and uniqueness of the random signature value k are critical. It
is so critical that violating any one of those three requirements can reveal the entire private key to an
attacker. Using the same value twice (even while keeping k secret), using a predictable value, or
leaking even a few bits of k in each of several signatures, is enough to break DSA.
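DSA signing and verification with the retry on r = 0 or s = 0, plus the audit check that follows from the paragraph above, as an added Python example (not code from the page or the cited sources). Because r = (g^k mod p) mod q depends only on k, a repeated r across signatures from one key is the observable sign that k was reused; the parameters p = 1019, q = 509, g = 4 are toy values chosen here and SHA-256 is the assumed hash.

```python
import hashlib
import secrets

# Toy domain parameters (far too small for real use): q = 509 divides p - 1 = 1018
# and g = 4 has order q in Z_p^*.  Real DSA uses |p| >= 2048 and |q| >= 224 bits.
P, Q, G = 1019, 509, 4


def h_int(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 0 < x < q
    return x, pow(G, x, P)                    # (x, y = g^x mod p)


def sign(m: bytes, x: int, k: int = None):
    """DSA signature; k is drawn fresh per signature unless a caller forces one."""
    while True:
        k_i = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, k_i, P) % Q                # r = (g^k mod p) mod q
        s = pow(k_i, -1, Q) * (h_int(m) + x * r) % Q   # s = k^-1 (H(m) + x r) mod q
        if r != 0 and s != 0:
            return r, s
        if k is not None:                     # r = 0 or s = 0: a new k must be chosen
            raise ValueError("forced k yields r = 0 or s = 0; choose a new k")


def verify(m: bytes, sig, y: int) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h_int(m) * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q   # v = (g^u1 y^u2 mod p) mod q
    return v == r


def nonce_reuse_detected(signatures) -> bool:
    """Audit check over (r, s) pairs from one key: a repeated r means the same k was
    used twice, which (as the page notes) is enough to expose the private key."""
    seen = set()
    for r, _ in signatures:
        if r in seen:
            return True
        seen.add(r)
    return False
```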
Question: In DSA, if the signature generation process produces the value s = 0, why must a
new value of k be generated and the signature recomputed?
SOURCE
W. Stallings, Cryptography and Network Security: Principles and Practice, Fifth Edition, New York:
Prentice Hall, 2011.
http://en.wikipedia.org/wiki/ElGamal_signature_scheme, accessed 27 April 2015
http://en.wikipedia.org/wiki/Schnorr_signature, accessed 27 April 2015
http://en.wikipedia.org/wiki/Digital_Signature_Algorithm, accessed 27 April 2015