Network Security

Essentials

Fifth Edition

by William Stallings
 Chapter 3
Public Key Cryptography and
Message Authentication
In addition to message confidentiality, message authentication is
an important network security function.
This chapter examines three aspects of message authentication.
•message authentication codes and hash functions to provide
message authentication.
•public-key encryption principles and two specific public-key
algorithms and the exchange of conventional encryption keys.
•public-key encryption to produce digital signatures, which
provides an enhanced form of message Authentication.
 Approaches to Message
Authentication
• Conventional encryption
• Message authentication code (MAC)
• One-way Hash Functions
 Approaches to Message
Authentication
• Using conventional encryption

• Without message encryption

 Using conventional
encryption
• Symmetric encryption alone is not a suitable tool for data
authentication
• We assume that only the sender and receiver share a key, so
only the genuine sender would be able to encrypt a message
successfully
• The receiver assumes that no alterations have been made and
that sequencing is proper if the message includes an error
detection code and a sequence number
• If the message includes a timestamp, the receiver assumes
that the message has not been delayed beyond that normally
expected for network transit
 Continued

Although sequence numbers may be used at some level

(e.g., each IP packet), it is typically not the case that a
separate sequence number will be associated with each b -
bit block of plaintext. Thus, block reordering is a threat.
 Without message encryption
• An authentication tag is generated and appended to each
message for transmission
• The message itself is not encrypted and can be read at the
destination independent of the authentication function at
the destination
• Because the message is not encrypted, message
confidentiality is not provided
 MAC

• One authentication technique involves

the use of a secret key to generate a
small block of data, known as a
message authentication code (MAC) ,
that is appended to the message.
 MAC
• This technique assumes that two communicating parties, say A
and B, share a common secret key KAB.

• When A has a message to send to B, it calculates the

message authentication code as a function of the message
and the key: MACM = F(KAB , M ).

• The message plus code are transmitted to the intended

recipient.

• The recipient performs the same calculation on the received

message, using the same secret key, to generate a new
message authentication code. The received code is compared
to the calculated code (Figure 3.1).
 MAC
• If we assume that only the receiver and the sender know the
identity of the secret key, and if the received code matches the
calculated code, then the following statements apply:

1. The receiver is assured that the message has not been

altered

2. The receiver is assured that the message is from the alleged

sender.

3. If the message includes a sequence number (such as is used

with HDLC and TCP), then the receiver can be assured of the
proper sequence
 MAC
• A number of algorithms could be used to generate
the code.
• The NIST specification FIPS PUB 113, recommends
the use of DES.
• DES is used to generate an encrypted version of
the message, and the last number of bits of
ciphertext are used as the code.
• A 16- or 32-bit code is typical.
 One-way Hash Functions
• Accepts a variable-size message M as input and produces
a fixed-size message digest H(M) as output
• Does not take a secret key as input

• To authenticate a message, the message digest is sent with

the message in such a way that the message digest is
authentic

M MD
variable-size H fixed-size
 Secure Hash Functions
• Is important not only • H can be applied to a block of data of any size.
1.
in message
authentication but in • H produces a fixed-length output.
digital signatures 2.

• H(x) is relatively easy to compute for any given x, making both hardware
• Purpose is to produce and software implementations practical.
3.
a “fingerprint” of a
file, message, or other • For any given code h, it is computationally infeasible to find x such that
H(x) = h. A hash function with this property is referred to as one-way or
block of data 4. preimage resistant.

• To be useful for • For any given block x, it is computationally infeasible to find y x with
message H(y) = H(x). A hash function with this property is referred to as second
5. preimage resistant. This is sometimes referred to as weak collision resistant.
authentication, a hash
function H must have • It is computationally infeasible to find any pair (x, y) such that H(x) =
the following H(y).
• A hash function with this property is referred to as collision resistant. This
6.
properties: is sometimes referred to as strong collision resistant.
 Security of Hash Functions
• There are two approaches to attacking a secure hash
function:
• Cryptanalysis
• Involves exploiting logical weaknesses in the algorithm
• Brute-force attack
• The strength of a hash function against this attack depends
solely on the length of the hash code produced by the algorithm
The sha Secure Hash function
• SHA was developed by NIST and published as a federal
information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1 and published as FIPS 180-1
• The actual standards document is entitled “Secure Hash Standard”

• Based on the hash function MD4 and its design closely models
MD4
• Produces 160-bit hash values

• In 2005 NIST announced the intention to phase out approval of

SHA-1 and move to a reliance on SHA-2 by 2010
 Table 3.1
Comparison of SHA Parameters

Note: All sizes are measured in bits.

 Sha-3

2. SHA-3 must preserve the

1. It must be possible to online nature of SHA-2. That
replace SHA-2 with SHA-3 is, the algorithm must
in any application by a process comparatively small
simple drop-in substitution. blocks (512 or 1024 bits) at a
Therefore, SHA-3 must time instead of requiring that
support hash value lengths of the entire message be
224, 256, 384, and 512 bits. buffered in memory before
processing it.

Basic
requirements
that must be
satisfied by any
candidate for
SHA-3
 HMAC
• There has been an increased interest in developing a MAC derived from
a cryptographic hash code, such as SHA-1
• Cryptographic hash functions generally execute faster in software than
conventional encryption algorithms such as DES
• Library code for cryptographic hash functions is widely available
• A hash function such as SHA-1 was not designed for use as a MAC and
cannot be used directly for that purpose because it does not rely on a secret
key

• There have been a number of proposals for the incorporation of a secret

key into an existing hash algorithm
• The approach that has received the most support is HMAC
HMAC
• Has been issued as RFC 2104
• Has been chosen as the mandatory-to-implement MAC for IP Security
• Is used in other Internet protocols, such as Transport Layer Security
(TLS) and Secure Electronic Transaction (SET)
 HMAC Design Objectives
• To use, without modifications, available hash functions --- in
particular, hash functions that perform well in software, and for
which code is freely and widely available
• To allow for easy replaceability of the embedded hash function in
case faster or more secure hash functions are found or required
• To preserve the original performance of the hash function
without incurring a significant degradation
• To use and handle keys in a simple way

• To have a well understood cryptographic analysis of the strength

of the authentication mechanism based on reasonable
assumptions on the embedded hash function
 Public-Key
encryption structure
• First publicly proposed by Diffie and Hellman in 1976

• Based on mathematical functions rather than on simple

operations on bit patterns
• Is asymmetric, involving the use of two separate keys
Misconceptions:

• Public-key encryption is more secure from cryptanalysis

than conventional encryption
• Public-key encryption is a general-purpose technique that
has made conventional encryption obsolete
• There is a feeling that key distribution is trivial when using
public-key encryption, compared to the rather cumbersome
handshaking involved with key distribution centers for
conventional encryption
 Applications for
public-key cryptosystems
• Public-key systems are characterized by the use of a
cryptographic type of algorithm with two keys, one held
private and one available publicly
• Depending on the application, the sender uses either the
sender’s private key, the receiver’s public key, or both to
perform some type of cryptographic function
The sender encrypts a
Encryption/decryption message with the
recipient’s public key

The use of public-key

The sender “signs” a
cryptosystems can be
Digital signature message with its private
classified into three
key
categories:

Two sides cooperate to

Key exchange
exchange a session key
 Table 3.2
applications for public-key cryptosystems
 RSA
• By Rivest, Shamir & Adleman of MIT in 1977
• Best known & widely used public-key scheme
• Based on exponentiation in a finite (Galois) field over
integers modulo a prime
• nb. modular exponentiation takes O((log n)3) operations (easy)

• Uses large integers (eg. 1024 bits)

• Security due to cost of factoring large numbers
• nb. factorization takes O(e log n log log n) operations (hard)
Diffie-Hellman Key Exchange
• First published public-key algorithm

• A number of commercial products employ this key

exchange technique
• Purpose of the algorithm is to enable two users to
exchange a secret key securely that then can be used for
subsequent encryption of messages
• The algorithm itself is limited to the exchange of the keys

• Depends for its effectiveness on the difficulty of

computing discrete logarithms
 Diffie-Hellman Example
• Users Alice & Bob who wish to swap keys:
• Agree on prime q=353 and a=3
• Select random secret keys:
• A chooses xA=97, B chooses xB=233

• Compute respective public keys:

• yA=397 mod 353 = 40 (Alice)
• yB=3233 mod 353 = 248 (Bob)

• Compute shared session key as:

• KAB= yBxA mod 353 = 24897 = 160 (Alice)
• KAB= yAxB mod 353 = 40233 = 160 (Bob)
Digital Signature standard (DSS)
• FIPS PUB 186

• Makes use of the SHA-1 and presents a new digital

signature technique, the Digital Signature Algorithm (DSA)
• Originally proposed in 1991 and revised in 1993 and again
in 1996
• Uses an algorithm that is designed to provide only the
digital signature function
• Unlike RSA, it cannot be used for encryption or key
exchange
 Elliptic-curve cryptology
(ECC)
• Technique is based on the use of a mathematical construct
known as the elliptic curve
• Principal attraction of ECC compared to RSA is that it
appears to offer equal security for a far smaller bit size,
thereby reducing processing overhead
• The confidence level in ECC is not yet as high as that in
RSA
 Summary
• Approaches to message • Message authentication codes
authentication • HMAC
• Authentication using • MACs based on block ciphers
conventional encryption
• Public-key cryptography principles
• Message authentication • Public-key encryption structure
without message encryption
• Applications for public-key
cryptosystems
• Secure hash functions
• Requirements for public-key
• Hash function requirements cryptography
• Security of hash functions
• Public-key cryptography algorithms
• Simple hash functions
• The RSA public-key encryption
• The SHA secure hash algorithm
function SHA-3 • Diffie-Hellman key exchange
• Other public-key cryptography
• Digital signatures algorithms