MODULE-3

SYMMETRIC KEY CRYPTOSYSTEM

STREAM CIPHER:
In a stream cipher, one byte is encrypted at a time, while in a block cipher about 128 bits are encrypted at a time.
Initially, a key (k) is supplied as input to a pseudorandom bit generator, which produces a random 8-bit output that is treated as the keystream. The resulting keystream is therefore 1 byte, i.e., 8 bits, in size.

1. A stream cipher follows the sequence of a pseudorandom number stream.
2. One of the benefits of a stream cipher is to make cryptanalysis more difficult, so the number of bits chosen for the keystream must be long in order to make cryptanalysis more difficult.
3. By making the key longer it is also safe against brute force attacks.
4. The longer the key, the stronger the security achieved, preventing any attack.
5. The keystream can be designed more effectively by including a greater number of 1s and 0s, making cryptanalysis more difficult.

Encryption: For encryption,
• Plain Text and Keystream produce Cipher Text (the same keystream will be used for decryption).
• The Plaintext undergoes an XOR operation with the keystream bit-by-bit and produces the Cipher Text.
Example –
Plain Text  : 10011001
Keystream   : 11000011
              --------
Cipher Text : 01011010

Decryption: For decryption,
• Cipher Text and Keystream give the original Plain Text (the same keystream that was used for encryption).
• The Ciphertext undergoes an XOR operation with the keystream bit-by-bit and produces the actual Plain Text.
Example –
Cipher Text : 01011010
Keystream   : 11000011
              --------
Plain Text  : 10011001

Decryption is just the reverse process of encryption, i.e., performing XOR with the Cipher Text.
BLOCK CIPHER:

➢ With block ciphers, the plaintext is split into fixed size chunks called blocks, and each
block is encrypted separately.
➢ Typically all blocks in the plaintext are encrypted using the same key.
➢ Block ciphers include DES, AES, RSA, and ECC.
➢ Block sizes used in secret key cryptography are usually smaller — 64 bits in DES and
128 bits in AES.
➢ The block size in RSA is much larger — 768 or more bits, while the block size in ECC is
about 200 bits.
DATA ENCRYPTION STANDARD (DES):
History:
• IBM developed Lucifer cipher
• by team led by Feistel
• used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES

DES ENCRYPTION:
DES Round Structure:
The 64-bit plaintext block is split into two 32-bit halves, L and R. In round i:
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
The round function F takes the 32-bit R half and the 48-bit subkey Ki, expands R to 48 bits using the Expansion Permutation, XORs the result with the subkey, passes the result through the 8 S-boxes to get a 32-bit result, and finally permutes this using the 32-bit Permutation Function P.
DES Decryption:
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.

Advanced Encryption Standard (AES)


AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is widely used today as it is much stronger than DES and triple DES despite being harder to implement.
Points to remember
• AES is a block cipher.
• The key size can be 128/192/256 bits.
• Encrypts data in blocks of 128 bits each.
That means it takes 128 bits as input and outputs 128 bits of encrypted cipher text as output. AES relies
on substitution-permutation network principle which means it is performed using a series of linked
operations which involves replacing and shuffling of the input data.
Working of the cipher :
AES performs operations on bytes of data rather than in bits. Since the block size is 128 bits, the cipher
processes 128 bits (or 16 bytes) of the input data at a time.
The number of rounds depends on the key length as follows :
• 128 bit key – 10 rounds
• 192 bit key – 12 rounds
• 256 bit key – 14 rounds
A number of AES parameters depend on the key length; we assume a key length of 128 bits, which is likely to be the one most commonly implemented. This block is depicted as a square matrix of
bytes. This block is copied into the State array, which is modified at each stage of encryption or
decryption. After the final stage, State is copied to an output matrix. Similarly, the 128-bit key is
depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words;
each word is four bytes and the total key schedule is 44 words for the 128-bit key. Ordering of bytes
within a matrix is by column.
Encryption :
AES considers each block as a 16-byte (4 bytes x 4 bytes = 128 bits) grid in a column-major arrangement. Each round comprises four sub-processes. The first round process is depicted below.
Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box)
given in design. The result is in a matrix of four rows and four columns.
Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on
the right side of row. Shift is carried out as follows
• First row is not shifted.
• Second row is shifted one (byte) position to the left.
• Third row is shifted two positions to the left.
• Fourth row is shifted three positions to the left.
• The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.
MixColumns
Each column of four bytes is now transformed using a special mathematical function. This function
takes as input the four bytes of one column and outputs four completely new bytes, which replace the
original column. The result is another new matrix consisting of 16 new bytes. It should be noted that
this step is not performed in the last round.
Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round
key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are
interpreted as 16 bytes and we begin another similar round.

Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the reverse order.
Each round consists of the four processes conducted in the reverse order −
• Add round key
• Mix columns
• Shift rows
• Byte substitution
Since the sub-processes in each round are applied in the reverse order, unlike a Feistel cipher the encryption and decryption algorithms need to be implemented separately, although they are very closely related.
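As an added example (not part of the module text), the following Python implements the four AES round operations described above on a 16-byte State held in column-major order, together with their inverses, so that the "reverse order" decryption round can be checked against the encryption round. The S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than typed in; key expansion is omitted, and the round key passed to the round functions is a constructed sample value, not a real key-schedule word.

```python
# Added example (not from the module): the four AES round operations on a 16-byte
# State held in column-major order (byte i sits at row i % 4, column i // 4) and
# their inverses, so the "reverse order" decryption round can be checked against
# the encryption round. Key expansion is omitted; the round key passed in is a
# constructed sample value, not a real key-schedule word.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox() -> list:
    """Forward S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    def rotl8(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    box = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):            # x^254 is the inverse of x in GF(2^8)
                inv = gf_mul(inv, x)
        box[x] = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63
    return box

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _in, _out in enumerate(SBOX):
    INV_SBOX[_out] = _in

def sub_bytes(state: list, box: list = SBOX) -> list:
    """SubBytes: replace every byte by its table entry (pass INV_SBOX to undo it)."""
    return [box[b] for b in state]

def shift_rows(state: list, inverse: bool = False) -> list:
    """ShiftRows: row r rotates left by r positions (right by r for the inverse)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = state[r + 4 * src]
    return out

MIX_COEFFS = (2, 3, 1, 1)         # first row of the MixColumns matrix
INV_MIX_COEFFS = (14, 11, 13, 9)  # first row of its inverse

def mix_columns(state: list, coeffs: tuple = MIX_COEFFS) -> list:
    """MixColumns: each column is multiplied by the circulant matrix built from coeffs."""
    out = [0] * 16
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(coeffs[(k - r) % 4], col[k])
            out[r + 4 * c] = acc
    return out

def add_round_key(state: list, round_key: list) -> list:
    """AddRoundKey: XOR the 128-bit state with the 128-bit round key (self-inverse)."""
    return [s ^ k for s, k in zip(state, round_key)]

def encrypt_round(state: list, round_key: list, last: bool = False) -> list:
    """One encryption round in the order above; MixColumns is skipped in the last round."""
    state = sub_bytes(state)
    state = shift_rows(state)
    if not last:
        state = mix_columns(state)
    return add_round_key(state, round_key)

def decrypt_round(state: list, round_key: list, last: bool = False) -> list:
    """The same four steps, each inverted and applied in the reverse order."""
    state = add_round_key(state, round_key)
    if not last:
        state = mix_columns(state, INV_MIX_COEFFS)
    state = shift_rows(state, inverse=True)
    return sub_bytes(state, INV_SBOX)
```

The column-major layout is what makes ShiftRows look like it skips through the flat list: applying it to the bytes 0..15 yields 0, 5, 10, 15, 4, 9, 14, 3, ... because row r of column c lives at index r + 4c. MixColumns can be checked against the FIPS-197 column example (db 13 53 45 becomes 8e 4d a1 bc), and running encrypt_round followed by decrypt_round with the same round key returns the original state in both the normal and the last-round form.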

Example of Some Prominent Stream Cipher:

1. RC4 Encryption Algorithm


RC4 is a stream cipher with a variable-length key. The algorithm encrypts one byte at a time (or larger units at a time). The key is the input to a pseudorandom bit generator that produces a stream of 8-bit numbers that is unpredictable without knowledge of the input key. The output of the generator, called the keystream, is combined one byte at a time with the plaintext stream using the XOR operation.
Example:
RC4 Encryption
10011000 XOR 01010000 = 11001000

RC4 Decryption
11001000 XOR 01010000 = 10011000
Key-Generation Algorithm – A variable-length key from 1 to 256 bytes is used to initialize a 256-byte state vector S, with elements S[0] to S[255]. For encryption and decryption, a byte k is generated from S by selecting one of the 255 entries in a systematic fashion, then the entries in S are permuted again.
Key-Scheduling Algorithm: Initialization: The entries of S are set equal to the values from 0 to 255 in ascending order, and a temporary vector T is created. If the length of the key K is 256 bytes, then K is assigned to T. Otherwise, for a key of length k-len bytes, the first k-len elements of T are copied from K, and then K is repeated as many times as necessary to fill T.
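As an added example (not part of the module text), the following Python implements the RC4 key-scheduling algorithm and keystream generator described above and applies the keystream byte by byte with XOR; the same XOR helper also reproduces the bit-string examples from the stream cipher section at the start of the module. The key/plaintext pairs used in the demo are the widely published RC4 test values ("Key"/"Plaintext" and "Wiki"/"pedia"), not values from the module.

```python
# Added example (not from the module): RC4 key scheduling (KSA), keystream
# generation (PRGA) and byte-wise XOR, as described in the text above.

def rc4_ksa(key: bytes) -> list:
    """Key-Scheduling Algorithm: S = 0..255, T = key repeated to fill 256 bytes,
    then S is permuted under control of T."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    t = [key[i % len(key)] for i in range(256)]   # T: key repeated as often as needed
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes):
    """Pseudo-Random Generation Algorithm: yields one keystream byte per step and
    permutes S again as it goes (the 'permuted again' step in the text)."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def xor_bitstrings(a: str, b: str) -> str:
    """The bit-level view used in the module's examples, e.g. 10011001 XOR 11000011."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length binary strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                  # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))                     # b'Plaintext'
    print(xor_bitstrings("10011001", "11000011"))    # 01011010
```

Because rc4_crypt is its own inverse, decryption is just a second call with the same key; the keystream bias in the first output bytes listed under Vulnerabilities below is one reason the same structure is not used in new designs.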

Features of the RC4 encryption algorithm:


1. Symmetric key algorithm: RC4 is a symmetric key encryption algorithm, which means that the same key is used for encryption and decryption.
2. Stream cipher algorithm: RC4 is a stream cipher algorithm, which means that it encrypts and decrypts data one byte at a time. It generates a key stream of pseudorandom bits that are XORed with the plaintext to produce the ciphertext.
3. Variable key size: RC4 supports variable key sizes, from 40 bits to 2048 bits, making it flexible for different security requirements.
4. Fast and efficient: RC4 is a fast and efficient encryption algorithm that is suitable for low-power devices and applications that require high-speed data transmission.
5. Widely used: RC4 has been widely used in various applications, including wireless networks, secure sockets layer (SSL), virtual private networks (VPN), and file encryption.
6. Vulnerabilities: RC4 has several vulnerabilities, including a bias in the first few bytes of the keystream, which can be exploited to recover the key. As a result, RC4 is no longer recommended for use in new applications.

Advantages:

1. Fast and efficient: RC4 is a very fast and efficient encryption algorithm, which makes it suitable for use in applications where speed and efficiency are critical.
2. Simple to implement: RC4 is a relatively simple algorithm to implement, which means that it can be easily implemented in software or hardware.
3. Variable key size: RC4 supports variable key sizes, which makes it flexible and adaptable for different security requirements.
4. Widely used: RC4 has been widely used in various applications, including wireless networks, secure sockets layer (SSL), virtual private networks (VPN), and file encryption.

Disadvantages:

1. Vulnerabilities: RC4 has several known vulnerabilities that make it unsuitable for new applications. For example, there is a bias in the first few bytes of the keystream, which can be exploited to recover the key.
2. Security weaknesses: RC4 has some inherent weaknesses in its design, which make it less secure than other encryption algorithms, such as AES or ChaCha20.
3. Limited key length: The maximum key length for RC4 is 2048 bits, which may not be sufficient for some applications that require stronger encryption.
4. Not recommended for new applications: Due to its vulnerabilities and weaknesses, RC4 is no longer recommended for use in new applications. Other more secure stream cipher algorithms, such as AES-CTR or ChaCha20, should be used instead.
2. A5/1: A5/1 is a stream cipher used in GSM (Global System for Mobile Communications) to provide
encryption for data transmission over the air interface. It's designed to ensure privacy and
confidentiality in GSM networks.
Here's a brief overview of how the A5/1 stream cipher works:

1. Registers : A5/1 uses three shift registers:

• R1 is a 19-bit register.
• R2 is a 22-bit register.
• R3 is a 23-bit register.
2. Clocking : The clocking mechanism involves clocking the registers and generating a key
sequence:

• The bits in the registers are clocked based on a clocking bit generated by the
combination of certain bits from the three registers.
• Based on the clocking bit, the registers are shifted to produce a keystream bit.
3. Keystream Generation :

• The keystream is generated by the combination of bits from the three registers.
• For each clock cycle, the outputs of the three registers are combined (usually using
bitwise XOR operations) to produce a keystream bit.
4. Key Initialization :

• The registers are initialized with a secret key (Kc) and an initialization vector (IV) at the
start of a communication session.
5. Key Stream Utilization :

• The keystream generated by A5/1 is XORed with the plaintext data to produce the
ciphertext.
• At the receiver's end, the same keystream (generated using the same key and IV) is
XORed with the ciphertext to retrieve the original plaintext.

A5/1 has been subject to various attacks due to its design weaknesses, which have implications for the
security of GSM communications. Therefore, newer standards like A5/3 have been developed to
address these vulnerabilities.
3. Grain Family: The Grain family of stream ciphers is a series of cryptographic algorithms designed
for efficient and secure encryption of data streams. These ciphers belong to the category of stream
ciphers, which generate a pseudorandom keystream to be combined (typically via XOR) with plaintext
to produce ciphertext. The Grain ciphers are known for their compact design, good performance in
software and hardware implementations, and strong security properties.
Grain-128 :

• Structure : Grain-128 is a stream cipher designed by Martin Hell and Thomas Johansson. It
operates with a 128-bit key and a 96-bit IV (Initialization Vector).
• Feedback Mechanism : Grain-128 uses a shift register-based feedback mechanism to produce
pseudorandom keystream bits.
• Nonlinear Operations : The cipher includes nonlinear operations (such as bitwise XOR and
rotations) to generate the keystream efficiently.

Features :

• Efficiency : Grain ciphers are designed to be efficient in terms of both speed and memory
usage, making them suitable for resource-constrained environments such as embedded systems.

• Security : The Grain family of ciphers is designed to provide strong security against various
cryptographic attacks, including linear and differential cryptanalysis.

Design Principles :

• Nonlinear Feedback : Grain ciphers utilize nonlinear feedback mechanisms, making them resistant to linear attacks.
• Compactness : The ciphers are designed to be implemented with minimal hardware or
software resources.
• Performance : Grain ciphers are optimized for high performance in both software and
hardware implementations.
Usage :

• Grain ciphers have been used in various applications, including wireless communication
systems, RFID (Radio Frequency Identification) devices, and other embedded systems
requiring lightweight cryptographic solutions.

4. Salsa20 : The Salsa20 stream cipher is a widely recognized and extensively used cryptographic
algorithm known for its speed, security, and flexibility. It was designed by Daniel J. Bernstein to
efficiently provide encryption for a variety of applications, including secure communication protocols,
disk encryption, and more. Here's an overview of the Salsa20 stream cipher:

Key Features:
1. Structure :

• Salsa20 is based on a cryptographic primitive known as a quarter-round function, which operates on a 4x4 matrix of 32-bit words.
• It uses a 256-bit key and a 64-bit nonce (number used once) to generate a stream of
pseudorandom bytes.
2. Keystream Generation :

• Salsa20 operates by repeatedly applying its core function in rounds to generate a keystream.
• The core function involves a series of simple operations like addition, XOR, and
rotations, making it highly efficient for both software and hardware implementations.
3. Security :

• Salsa20 is designed with a strong security foundation and has withstood extensive
cryptanalysis.
• The use of a large key size (256 bits) and a well-designed core function contribute to its
robustness against various types of attacks, including differential and linear
cryptanalysis.
4. Performance :

• Salsa20 is known for its exceptional performance, particularly in software implementations.
• It is capable of high-speed encryption on modern processors due to its reliance on
simple operations that can be efficiently executed in parallel.
5. Versatility :

• Salsa20 is highly versatile and supports different variants, including Salsa20/12 (which
uses 12 rounds instead of 20 for reduced computational cost) and XSalsa20 (which
extends the nonce size to 192 bits for applications requiring a larger nonce space).
6. Applications :

• Salsa20 is used in various cryptographic protocols and applications, including the popular authenticated encryption scheme ChaCha20-Poly1305 (based on a variant of Salsa20 called ChaCha).
• It has been adopted by major security standards and protocols, including TLS (Transport
Layer Security) and IPsec (Internet Protocol Security).

5. ChaCha: ChaCha is a stream cipher developed by Daniel J. Bernstein, known for its simplicity,
efficiency, and strong security properties. It is a variant of the Salsa20 stream cipher and is designed to
provide high-speed encryption suitable for a wide range of applications, including secure
communication protocols, disk encryption, and more. ChaCha has gained popularity and widespread
adoption in various cryptographic systems and protocols due to its excellent performance and
robustness.
Key Features of ChaCha:
1. Structure :

• ChaCha operates by applying a series of quarter-round operations to a 4x4 matrix of 32-bit words, similar to the Salsa20 cipher.
• It uses a 256-bit key and a 64-bit nonce (number used once) to generate a
pseudorandom keystream.
2. Key and Nonce Initialization :

• ChaCha uses a 256-bit secret key and a 64-bit nonce to initialize its internal state.
• The key and nonce are combined to set up the initial state of the ChaCha cipher.
3. Keystream Generation :

• ChaCha generates a keystream by repeatedly applying its core function, which consists
of a specified number of rounds (e.g., 20 rounds for ChaCha20).
• Each round involves a series of quarter-round operations that mix the state matrix to
produce pseudorandom output.
4. Security :

• ChaCha is designed to be highly secure against various cryptographic attacks, including differential and linear cryptanalysis.
• The use of a large key size (256 bits) and an effective mixing function in the core
operation contribute to its strong security properties.
5. Performance :

• ChaCha is optimized for high-speed encryption and decryption operations, particularly in software implementations.
• Its design allows for efficient parallel processing on modern CPUs, making it suitable
for applications requiring high throughput and low latency.
6. Variants :

• ChaCha has different variants, including ChaCha8, ChaCha12, and ChaCha20, which
specify the number of rounds used in the core function (e.g., 8, 12, or 20 rounds).
• The number of rounds can be adjusted based on specific performance and security
requirements.
Modes of Operation for Block Ciphers
There are five different modes in which a block cipher, such as DES or AES, can be used:
1. Electronic Code Book (ECB)
2. Cipher Block Chaining Mode (CBC)
3. Cipher Feedback Mode (CFB)
4. Output Feedback Mode (OFB)
5. Counter Mode (CTR)

Information Security Sufyan Al-Janabi 2015
Electronic Code Book (ECB)
• Each block of plaintext is coded independently. Not very secure for long segments of plaintext, especially plaintext containing repetitive information.
• Used primarily for secure transmission of short pieces of information, such as an encryption key.
• Another shortcoming of ECB is that the length of the plaintext message must be an integral multiple of the block size. When that condition is not met, the plaintext message must be padded appropriately.
• The rest of the modes discussed below provide enhanced security by making the ciphertext for any block a function of all the blocks seen previously.

Figure: ECB Encryption
CIPHER BLOCK CHAINING MODE (CBC)
• The input to the encryption algorithm is the XOR of the next block of plaintext and the previous block of ciphertext. This is obviously more secure for long segments of plaintext.
• This mode also requires that the length of the plaintext message be an integral multiple of the block size. When that condition is not satisfied, the message must be suitably padded.
• To get started, the chaining scheme obviously needs what is known as the initialization vector for the first invocation of the encryption algorithm.
• With this chaining scheme, the ciphertext block for any given plaintext block becomes a function of all the previous ciphertext blocks.

Figure: CBC Encryption
Cipher Feedback Mode (CFB)
• Whereas the CBC mode uses all of the previous ciphertext block to compute the next ciphertext block, the CFB mode uses only a fraction thereof.
• Also, whereas in the CBC mode the encryption system digests b bits of plaintext at a time (where b is the block size used by the block cipher), now the encryption system digests only s < b plaintext bits at a time even though the encryption algorithm itself carries out a b-bits to b-bits transformation. Since s can be any number, including one byte, that makes CFB suitable as a stream cipher.
• CFB uses only the encryption algorithm in both encryption and decryption.

Figure: CFB Encryption
Output Feedback Mode (OFB)
The basic logic here is the same as in CFB, only the
nature of what gets fed from stage to stage is different. In
CFB, you feed s < b number of ciphertext bits from the
current stage into the b-bits to b-bits transformation
carried out by the next-stage encryption. But in OFB, you
feed s bits from the output of the transformation itself.
This mode of operation is also suitable if you want to use
a block cipher as a stream cipher.
Similarly to CFB, OFB uses only the encryption
algorithm in both encryption and decryption.
OFB is more resistant to transmission bit errors.

Figure: OFB Encryption
COUNTER MODE (CTR)
• Whereas the previous four modes for using a block cipher are intuitively plausible, this new mode at first seems strange and seemingly not secure. But it has been theoretically established that this mode is at least as secure as the other modes.
• As for CFB and OFB, an interesting property of this mode is that only the encryption algorithm is used at both the encryption end and at the decryption end.
• The basic idea consists of applying the encryption algorithm not to the plaintext directly, but to a b-bit number (and its increments modulo 2^b for successive blocks) that is chosen beforehand. The ciphertext consists of what is obtained by XORing the encryption of the number with a b-bit block of plaintext.

Figure: CTR Encryption
Advantages of CTR
1. Fast encryption and decryption. If memory is not a
constraint, we can pre-compute the encryptions for as
many counter values as needed. Then, at the transmit
time, we only have to XOR the plaintext blocks with
the pre-computed b-bit blocks. The same applies to fast
decryption.
2. It has been shown that the CTR is at least as secure as
the other four modes for using block ciphers.
3. Because there is no block-to-block feedback, the
algorithm is highly amenable to implementation on
parallel machines.
4. For the same reason, any block can be decrypted with
random access.
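As an added example (not part of the module, and not DES), the following Python builds a toy 64-bit Feistel cipher directly from the round equations given in the DES section (Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki)), which also demonstrates that decryption is the same algorithm with the subkeys in reverse order, and then uses it as the block cipher for the ECB, CBC and CTR modes described above. The round function F, the SHA-256-derived subkey schedule, the padding, and the key, IV, nonce and messages are all constructed for illustration.

```python
# Added example (not from the module): a toy 64-bit Feistel cipher built from the
# round equations Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki) given in the DES section,
# used only as a stand-in block cipher so that ECB, CBC and CTR can be compared.
# The round function F, the subkey schedule, key, IV and messages are constructed
# for illustration; none of them is DES.
import hashlib

BLOCK = 8                  # block size in bytes: two 32-bit halves
MASK32 = 0xFFFFFFFF
ROUNDS = 16

def subkeys(key: bytes) -> list:
    """Constructed key schedule: sixteen 32-bit subkeys from SHA-256 of the key."""
    d = hashlib.sha256(key).digest() + hashlib.sha256(key + b"\x01").digest()
    return [int.from_bytes(d[4 * i:4 * i + 4], "big") for i in range(ROUNDS)]

def F(r: int, k: int) -> int:
    """Constructed round function; a Feistel network is invertible for any F."""
    x = ((r ^ k) * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32

def feistel(block: bytes, ks: list) -> bytes:
    l = int.from_bytes(block[:4], "big")
    r = int.from_bytes(block[4:], "big")
    for k in ks:
        l, r = r, l ^ F(r, k)          # Li = Ri-1 ; Ri = Li-1 XOR F(Ri-1, Ki)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")   # final swap

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])  # same algorithm, subkeys reversed

def pad(data: bytes) -> bytes:             # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block independent: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, xor(b, prev))   # input = plaintext XOR previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def ctr_block(key: bytes, nonce: bytes, i: int) -> bytes:
    """E_K(nonce + i mod 2^b): only the encryption direction is ever needed."""
    ctr = (int.from_bytes(nonce, "big") + i) & ((1 << (8 * BLOCK)) - 1)
    return encrypt_block(key, ctr.to_bytes(BLOCK, "big"))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are identical; no padding, and the keystream blocks
    depend only on their index so they can be precomputed or made in parallel."""
    return b"".join(xor(chunk, ctr_block(key, nonce, i))
                    for i, chunk in enumerate(blocks(data)))

def ctr_decrypt_block_at(key: bytes, nonce: bytes, ct: bytes, i: int) -> bytes:
    """Random access: recover block i without touching any other block."""
    return xor(ct[i * BLOCK:(i + 1) * BLOCK], ctr_block(key, nonce, i))
```

Encrypting three identical 8-byte plaintext blocks under ECB produces three identical ciphertext blocks, the pattern leakage the ECB section warns about, while CBC with an IV turns the same input into distinct blocks. CTR calls only encrypt_block, needs no padding, and ctr_decrypt_block_at recovers any single block on its own, which is the random-access property listed in the advantages above.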

Chapter 9: Message Authentication and Hash Functions
A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value
h = H(M). A “good” hash function has the property that the results of applying the function to a large set
of inputs will produce outputs that are evenly distributed and apparently random. In general terms, the
principal object of a hash function is data integrity. A change to any bit or bits in M results, with high
probability, in a change to the hash value.

The kind of hash function needed for security applications is referred to as a cryptographic hash function.
A cryptographic hash function is an algorithm for which it is computationally infeasible (because no attack
is significantly more efficient than brute force) to find either

(a) a data object that maps to a pre-specified hash result (the one-way property) or

(b) two data objects that map to the same hash result (the collision-free property).

Because of these characteristics, hash functions are often used to determine whether or not data has
changed.

Figure: Cryptographic Hash Function; h = H(M)

Message Authentication:

• Message authentication is a mechanism or service used to verify the integrity of a message.


• Message authentication assures that data received are exactly as sent (i.e., there is no
modification, insertion, deletion, or replay).
• In many cases, there is a requirement that the authentication mechanism assures that purported
identity of the sender is valid.
• When a hash function is used to provide message authentication, the hash function value is often
referred to as a message digest.
• The essence of the use of a hash function for message integrity is as follows.
• The sender computes a hash value as a function of the bits in the message and transmits both the
hash value and the message. The receiver performs the same hash calculation on the message
bits and compares this value with the incoming hash value.

Compiled By: Krishna Bhandari genuinenotes.com


• If there is a mismatch, the receiver knows that the message (or possibly the hash value) has been
altered.
• The hash value must be transmitted in a secure fashion. That is, the hash value must be protected
so that if an adversary alters or replaces the message, it is not feasible for adversary to also alter
the hash value to fool the receiver. This type of attack is shown in Figure (b).
• In this example, Alice transmits a data block and attaches a hash value. Darth intercepts the
message, alters or replaces the data block, and calculates and attaches a new hash value. Bob
receives the altered data with the new hash value and does not detect the change. To prevent
this attack, the hash value generated by Alice must be protected.

Figure below illustrates a variety of ways in which a hash code can be used to provide message
authentication, as follows.

a) The message plus concatenated hash code is encrypted using symmetric encryption. Because only
A and B share the secret key, the message must have come from A and has not been altered. The
hash code provides the structure or redundancy required to achieve authentication. Because
encryption is applied to the entire message plus hash code, confidentiality is also provided.


b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden
for those applications that do not require confidentiality.
c) It is possible to use a hash function but no encryption for message authentication. The technique
assumes that the two communicating parties share a common secret value S. A computes the
hash value over the concatenation of M and S and appends the resulting hash value to M. Because
B possesses S, it can recompute the hash value to verify. Because the secret value itself is not
sent, an opponent cannot modify an intercepted message and cannot generate a false message.
d) Confidentiality can be added to the approach of method (c) by encrypting the entire message plus
the hash code.

When confidentiality is not required, method (b) has an advantage over methods (a) and (d), which
encrypts the entire message, in that less computation is required. Nevertheless, there has been growing
interest in techniques that avoid encryption.


Several reasons for this interest are pointed out as:

• Encryption software is relatively slow. Even though the amount of data to be encrypted per
message is small, there may be a steady stream of messages into and out of a system.
• Encryption hardware costs are not negligible. Low-cost chip implementations of DES are available,
but the cost adds up if all nodes in a network must have this capability.
• Encryption hardware is optimized toward large data sizes. For small blocks of data, a high
proportion of the time is spent in initialization/invocation overhead.
• Encryption algorithms may be covered by patents, and there is a cost associated with licensing
their use.

Message Authentication Functions:

The message authentication function is concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes:

• Hash function: A function that maps a message of any length into a fixed- length hash value, which
serves as the authenticator.
• Message encryption: The ciphertext of the entire message serves as its authenticator.
• Message authentication code (MAC): A function of the message and a secret key that produces a
fixed-length value that serves as the authenticator.

Message Authentication Code (MAC):

An authentication technique that involves the use of a secret key to generate a small fixed-size block of
data that is appended to the message is known as Message Authentication Code (MAC). This technique
assumes that two communicating parties, say A and B, share a common secret key K. When A has a
message to send to B, it calculates the MAC as a function of the message and the key:

MAC = C (K, M)

where

M = input message

C = MAC function

K = shared secret key

MAC = message authentication code

The message plus MAC are transmitted to the intended recipient. The recipient performs the same
calculation on the received message, using the same secret key, to generate a new MAC. The received
MAC is compared to the calculated MAC.


If we assume that only the receiver and the sender know the identity of the secret key, and if the received
MAC matches the calculated MAC, then:

• The receiver is assured that the message has not been altered. If an attacker alters the message
but does not alter the MAC, then the receiver’s calculation of the MAC will differ from the received
MAC. Because the attacker is assumed not to know the secret key, the attacker cannot alter the
MAC to correspond to the alterations in the message.
• The receiver is assured that the message is from the alleged sender. Because no one else knows
the secret key, no one else could prepare a message with a proper MAC.
• If the message includes a sequence number (such as is used with TCP), then the receiver can be
assured of the proper sequence because an attacker cannot successfully alter the sequence
number.

A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible,
as it must be for decryption. In general, the MAC function is a many-to-one function. The domain of the
function consists of messages of some arbitrary length, whereas the range consists of all possible MACs
and all possible keys.

Cryptographic Hash Function:

• A cryptographic hash function (CHF) is a hash function that is suitable for use in cryptography.
• It is a mathematical algorithm that maps data of arbitrary size (often called the "message") to a
bit string of a fixed size (the "hash value", "hash", or "message digest") and is a one-way function,
that is, a function which is practically infeasible to invert.
• Ideally, the only way to find a message that produces a given hash is to attempt a brute-force
search of possible inputs to see if they produce a match, or use a table of matched hashes.
• Cryptographic hash functions are a basic tool of modern cryptography.


Unit-5:EM-IV [19BS1403] Number Theory & Cryptography

• The process depicted in Figure (a) provides authentication but not confidentiality, because the message
as a whole is transmitted in the clear.
• Confidentiality can be provided by performing message encryption either after (Figure b) or before
(Figure c) the MAC algorithm.
• In both these cases, two separate keys are needed, each of which is shared by the sender and the receiver.
• In the first case, the MAC is calculated with the message as input and is then concatenated to the message.
The entire block is then encrypted.
• In the second case, the message is encrypted first. Then the MAC is calculated using the resulting
ciphertext and is concatenated to the ciphertext to form the transmitted block.
• Typically, it is preferable to tie the authentication directly to the plaintext, so the method of Figure b is
used.
MACs based on hash functions: HMAC
HMAC Design Objectives
RFC 2104 lists the following design objectives for HMAC.
• To use, without modifications, available hash functions. In particular, to use hash functions that perform
well in software and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash
functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based
on reasonable assumptions about the embedded hash function.

HMAC Algorithm
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded
hash function)
Yi = i-th block of M, 0 ≤ i ≤ (L – 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash function
to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times

fig: HMAC Structure


HMAC can be expressed as: HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]

The algorithm is as follows:


1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of
length 160 bits and b = 512, then K will be appended with 44 zero bytes).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
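The seven HMAC steps above, and the sender/receiver MAC check from the earlier MAC section, as an added Python example (not code from these notes): `hmac_rfc2104` builds the MAC step by step over SHA-1 from the standard library, and `verify_mac` plays the receiver, recomputing and comparing in constant time. The function names and the sample key/message are constructed for illustration.

```python
import hashlib
import hmac  # standard library; used for the constant-time compare and a cross-check

IPAD = 0x36  # 00110110, repeated b/8 times across the block
OPAD = 0x5C  # 01011100, repeated b/8 times across the block


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], built step by step."""
    b = hashlib.new(hash_name).block_size          # block length of H in bytes (b/8)
    if len(key) > b:                               # key longer than b: hash it down to n bits first
        key = hashlib.new(hash_name, key).digest()
    # Step 1: pad K with zero bytes to a full block. RFC 2104 appends the zeros
    # after K (this is what Python's hmac module does as well).
    k_plus = key.ljust(b, b"\x00")
    s_i = bytes(k ^ IPAD for k in k_plus)                      # step 2: K+ XOR ipad
    inner = hashlib.new(hash_name, s_i + message).digest()     # steps 3-4: H(Si || M)
    s_o = bytes(k ^ OPAD for k in k_plus)                      # step 5: K+ XOR opad
    return hashlib.new(hash_name, s_o + inner).digest()        # steps 6-7: H(So || inner)


def verify_mac(key: bytes, message: bytes, received_mac: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC over the received message and compare it.

    compare_digest avoids leaking, through timing, how many leading bytes matched."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), received_mac)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-built HMAC against the standard library implementation."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    shared_key = b"constructed-shared-secret-K"          # constructed sample key
    msg = b"transfer 100 to account 42"                  # constructed sample message
    tag = hmac_rfc2104(shared_key, msg)                  # sender computes C(K, M)
    print("MAC:", tag.hex())
    print("genuine message accepted:", verify_mac(shared_key, msg, tag))
    # An attacker who alters M but cannot recompute the MAC (no key) is detected.
    print("altered message accepted:", verify_mac(shared_key, b"transfer 900 to account 42", tag))
```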
