ECS726P: Security and

Authentication
Week 4: Hash functions, MAC, digital
signatures, freshness, dynamic password
schemes

Pasquale Malacaria

EECS, QMUL
Table of contents

1. Data Integrity

2. Cryptographic Hash Functions

3. Message authentication codes (MAC)

4. Digital signatures

5. Entity authentication

1
Learning Outcomes

Data Integrity
Cryptographic Hash Functions

• Properties
• Applications
• Birthday Attack
• Well-known Hash functions

2
Learning Outcomes

• Appreciate there are different levels of data integrity.

• Identify the different properties of a cryptographic
hash function.
• Recognise the significance of the length of the output
of a hash function.
• Explain how to use a MAC to provide data origin
authentication.
• Compare different ways of providing both
confidentiality and data origin authentication.

3
Learning Outcomes

• Explain general requirements for a digital signature

scheme.
• Explain methods of creating a digital signature
scheme based on RSA.
• Compare different techniques for providing freshness.
• Recognise a number of different approaches to
providing entity authentication
• Appreciate the limitations of password-based
approaches to providing entity authentication.
• Explain the principle behind dynamic password
schemes.
4
Data Integrity
Data Integrity - Introduction

Data Integrity is the assurance that data has not been

altered in an unauthorised manner after its creation.

• Data integrity is not about prevention of alteration of

data,
• Data integrity is about detecting whether data has
been manipulated in an unauthorised way.

5
Data Integrity: Different levels

levels of Data Integrity:

• Accidental errors: for example caused by noise in a

communication channel/storage;
• mitigations: simple parity checks, CRC...
• Active attacks: prevent an attacker from creating a
“valid” integrity digest on some data for which they
have not seen an integrity digest of.
• mitigations typically require data origin authentication
to bind data to its source e.g. provided by Message
Authentication Codes (MAC)

6
Cryptographic Hash Functions
(Cryptographic) Hash Functions

A hash function accepts a variable-size message m and

produces a fixed-size message digest h(m) as output.

• Hash functions are publicly computable. We assume

an attacker knows the details of a hash function
• Practically: the hash function should be easy to
compute.
• a very simple naive example of file digest: first 256
bits of the file xor with second 256 bits of the file xor
with third 256 bits etc etc, this results in a 256 bits
digest of the file (don’t use this as a hash function!!)

7
(Cryptographic) Hash Functions

Some use of Hash functions

• a strong one-way function (e.g. digest of passwords)

• component for crypto primitive (MAC, digital
signatures, etc...)
• to bind documents (certify sender sent D1 and D2)
• source of pseudorandomness
• bitcoin (proof of work)

8
(Cryptographic) Hash Functions: Requirements

Security requirements of a cryptographic hash function:

• Preimage Resistance: Given an output (hash) z and
the function h, it should be computationally
impossible to find any input x such that h(x) = z. (the
output h(x) of a function h is often called the image of
x, and hence x is referred to as a pre-image of h(x)).
• Second Preimage Resistance: Given an input x1
and its output (hash) value h(x1 ), it should be a
computationally impossible operation to find any
other input x2 (x2 ̸= x1 ) such that h(x1 ) = h(x2 ).
• Collision Resistance: Given the function h, it should
be computationally impossible to find a collision, that
is, two inputs x1 ̸= x2 such that h(x1 ) = h(x2 ). 9
(Cryptographic) Hash Functions: Requirements

”first 256 bits of the file xor with second 256 bits of the file
xor with third 256 bits etc etc”
why this simple xor 256 bits blocks function is bad as a
hash function?
Preimage Resistance: ?
Second Preimage Resistance:?
Collision Resistance:?

10
(Cryptographic) Hash Functions: Applications

There are clear reasons why we want those properties,

i.e. there are applications requiring:

• Preimage Resistance
• Second Preimage Resistance
• Collision Resistance

11
(Cryptographic) Hash Functions: Applications

Application Requiring Preimage Resistance: Password

check and storage
When you login (high-level workflow):

• you enter username and password on the sever

• the server compute the hash of your password
• server check the hash of your password matches the
hash it has stored for that username
• if it matches you are authenticated
• An attacker stealing the hashed passwords’ file from
the server shouldn’t be able to recover the passwords

12
(Cryptographic) Hash Functions: Applications

Application Requiring Second Preimage Resistance:

Software downloading
your system wants to be sure the software you download
has not been altered

• it computes a hash of the software file

• check the hash with the (trusted) vendor hash
• if they don’t match the software downloaded is not
correct
• an attacker shouldn’t be able to create a false
software with the same hash as the original

13
(Cryptographic) Hash Functions: Applications

Application Requiring Collision Resistance: contractual

committment

• Bob finds two messages with the same hash, one of

which requires Alice to pay a small amount and one
that requires a large payment.
• Alice signs the first message, and Bob is then able to
claim that the second message is authentic (as they
have the same hash).

14
Hash security: The birthday paradox

Consider a group of N people. What is the probability that

at least two of them have the same birthday?
How many people are needed to get a probability of at
least 0.5?
• it may looks surprising but it only needs 23 people so
that the probability of two people having the same
birthday is at least 0.5!
• if there are 50 people the probability of two people
sharing the same birthday is almost certain! (over
0.95)
how is this related to hash functions?
15
Hash security: The birthday paradox

• it may looks surprising but it only needs 23 people so

that the probability of two people having the same
birthday is at least 0.5!
• if there are 50 people the probability of two people
sharing the same birthday is almost certain! (over
0.95)
number of people who have a different birthday is given
by the formula below
365!
1−
(365 − n)! · 365n

how is this related to hash functions?

16
Hash security: The birthday paradox

Suppose an attacker wants to create a collision for a

cryptographically strong hash function that creates
hashes of length L bits. How many random inputs should
the attacker try to get a collision with a probability of at
least 0:5?
• the attacker needs 2L/2 , i.e., only the square root of
the number of possible distinct hashes.
• this results suggests some lower bound on the
number of bits required for a strong hash function.
• for example for a 256 bits length hash function one
would need around 2128 attempts to find a collision
with probability 0.5
17
Some hash functions

• MD5: The hash function MD5 has been one of the

most widely deployed hash functions, and was
adopted as Internet Standard RFC 1321. It is a
128-bit hash function and is often used for file
integrity checking. In 2004, collisions were found in
MD5, and MD5 is no longer recommended for use.
• SHA-1 family: The Secure Hash Algorithm was
published by NIST in 1993 as a 160-bit hash function.
It has been the “default” hash function of the late
1990s and the early 2000s and used in numerous
security applications, including SSL/TLS and
S/MIME. In 2005, a technique was proposed for
finding collisions for SHA-1 after 263 computations,
18
much faster than a birthday attack.
Some hash functions

• SHA-2 family: NIST published four further SHA

variants, each of which is labelled by the number of
bits of the hash output: SHA-224, SHA- 256,
SHA-384, and SHA-512 (collectively they are referred
to as SHA- 2). SHA-256 is the minimum security level
recommended for many applications.
• SHA-3: In 2006 NIST initiated an AES style SHA-3
competition for new hash functions which would
provide a genuine alternative to the SHA- 2 family
(2012 winner: KECCAK).

19
Message authentication codes
(MAC)
Message authentication codes (MAC)

• MAC provides data origin authentication which, as we

mentioned earlier, is a stronger notion than data
integrity.
• MAC is a cryptographic checksum which is sent
along with a message in order to provide an
assurance of data origin authentication.

20
Message authentication codes (MAC)

21
Message authentication codes (MAC)

Message Authentication involves generating a small block

of data (the MAC) that is appended to the message.
• The MAC depends on the contents of the message
and a secret key MAC(m) = f (kAB , m), where m is the
plaintext, f is a function (see some choices in the next
slides) and kAB is the shared key between users A
and B
• The message plus MAC are transmitted to the
receiver.
• The receiver calculates the MAC of the message and
compares it with the MAC just received.
• mismatch= something wrong
22
Message authentication codes (MAC)

If the received MAC matches the calculated MAC then

The receiver is assured that the message

• has not been altered (integrity of the message)

because only sender and receiver shared the key kAB .
• is from the alleged sender (originator identity
validation).

23
Message authentication codes (MAC)

MAC algorithms

• Can we use Symmetric Encryption algorithms to

construct MAC?
• After all, the sender and receiver need to share a
secret key?

24
Message authentication codes (MAC)

MAC algorithms: CBC-MAC

25
Message authentication codes (MAC)

MAC algorithms: CBC-MAC

• The MAC in CBC-MAC is the last ciphertext block of

a computation using the CBC mode of operation.
• For CBC-MAC, the process is started by using the
first message block instead of creating an IV.
• In CBC-MAC we discard all the intermediate
ciphertext blocks!

26
Message authentication codes (MAC)

MAC algorithms: HMAC (Hash-based Message

Authentication Code)
• HMAC is a MAC derived from a cryptographic hash
function, that is, it incorporates a secret key into an
existing hash algorithm.
• Let h be a hash function, and let K1 and K2 be two
symmetric keys.Then the MAC on message M is
computed as follows:
1. compute the hash of K2 concatenated with the
message; in other words compute h(K2 ||M); and
2. compute the hash of K1 concatenated with the
output of step 1; in other words compute:
h(K1 ||h(K2 ||M)). 27
Message authentication codes (MAC)

Security of HMAC. The security of HMAC depends on:

• The security of the keys. HMAC employs two

symmetric keys. Thus, the length of an HMAC key
can be regarded as the sum of the lengths of these
two keys.
• The security of the underlying hash function.
• The length of the MAC output.

28
Message authentication codes (MAC)

Security of HMAC. The security of HMAC depends on:

• The security of the keys. HMAC employs two

symmetric keys. Thus, the length of an HMAC key
can be regarded as the sum of the lengths of these
two keys.
• The security of the underlying hash function.
• The length of the MAC output.

29
Message authentication codes (MAC)

So far, we look at data origin authentication without

confidentiality. Not a reasonable assumption!
In most cases, we require confidentiality as well as data
origin authentication. We will refer to this combination of
security services as authenticated encryption.
How to achieve it?

• MAC-then-encrypt
• Encrypt-then-MAC
• Authenticated-Encryption Primitives (e.g. Galois
counter mode of operation)

30
Message authentication codes: non-repudiation

Can message authentication codes provide

non-repudiation?

• Alice send Bob “I owe you 10 pounds” and

associated MAC using their shared key
• Alice can then say: I never wrote that, Bob wrote as
he has that same key

31
Digital signatures
Digital Signatures scheme

a digital signature scheme is a cryptographic primitive

providing:

• Data origin authentication of the signer. A digital

signature validates the underlying data in the sense
that assurance is provided about the integrity of the
data and the identity of the signer.
• Non-repudiation. A digital signature can be stored by
anyone who receives it as evidence of who signed
the document.

32
Digital Signatures

A digital signature on some data is computed from:

• the Data (i.e. the document to sign)

• A secret parameter known only by the signer.

33
Digital Signatures

Basic requirements of a Digital Signature Scheme

• Easy for the signer to sign data.

• Easy for anyone to verify a message.
• Hard for anyone to forge a digital signature.

34
Digital Signatures

A digital signature on some data is computed from:

• the Data (i.e. the document to sign)

• A secret parameter known only by the signer.

35
Digital Signatures

Digital signature schemes based on RSA. One could

• compute the hash of the document

• send (X , Y ) where X = the document and Y =
encryption, with sender private key of the hash of the
document
• the receiver computes the hash of the document
received and check whether it matches the
decryption of Y using the sender public key

36
Example Digital Signatures

Alice wants to send Bob the data P signed so Bob can be

secure P comes from Alice. (n, e) is Alice’s public key and
d is Alice’s private key.

• Alice computes h = the hash of P

• Alice computes s = hd (mod n) and send (P, s) to
Bob
• Bob receive (P, s) and computes t = the hash of P.
• Bob checks se (mod n) = t? if so he accept the
signature otherwise signature not valid

37
Example Digital Signatures

Notice that in public signatures the role of public and

private keys are “inverted” with respect to RSA.

• Alice uses the private key d for signing (step s = hd

(mod n))
• Bob uses Alice public key to verify the signature (step
se (mod n) = t)

Inverting the role of RSA public and private key works

because x yz = x zy i.e.

P de = P ed ≡ P(modn)

38
Toy Example Digital Signatures

Alice wants to sign the number 13. Alice public key is

(221,67) and her private key is 43

• Alice computes 1343 mod221 = 208 and send to Bob

13||208 (in crypto || stands for concatenation)
• Bob computes 20867 mod221 = 13 so he has verified
that 208 is the signature of the message 13

39
Digital Signatures: confidentiality

As in the case of MAC public signatures do not provide

confidentiality. To add confidentiality:

• Alice encrypt the data P and signature s with Bob’s

public key
• Moreover Alice should add to the encryption a
message with her identity
• and add to the signature Bob’s identity
• these two steps (adding sender and receiver
identities) are to avoid impersonators’ attacks

40
Entity authentication
Entity authentication

Entity authentication is the assurance that a given entity is

involved and currently active in a communication session.
Are you talking to me?

• Replay attack: an adversary capture a message, and

then later replays it at some advantageous time.
• Freshness mechanisms are techniques which can be
used to provide assurance a given message is new,
in the sense that it is not a replay of a message sent
at a previous time.

41
Freshness Mechanisms

Clock-based mechanisms

• relies on the generation of some data that identifies

the time the data was created. This is sometimes
referred to as a timestamp.
• Suppose Alice and Bob both have such a clock, and
Alice includes the time on the clock when she sends
a message to Bob. When Bob receives the message,
he checks the time on his clock, and if it matches
Alice’s timestamp, then he accepts the message as
fresh.
• Requires clocks and synchronisation.

42
Freshness Mechanisms

Sequence numbers

• Logical time maintains a notion of the order in which

messages or sessions occur and is normally
instantiated by a counter or sequence number.
• Communicating parties need to maintain a database
of the latest sequence numbers

43
Freshness Mechanisms

Nonce-based mechanisms
• Nonces (numbers used only once): randomly
generated numbers for one-off use.
• Alice generates a nonce at some stage in a
communication session (protocol). If Alice receives a
subsequent message containing this nonce, then
Alice has assurance the new message is fresh,
where by fresh we mean the received message must
have been created after the nonce was generated.
• Need to set a window of acceptance beyond which a
nonce will no longer be regarded as fresh.
• Requires random generator
44
Passwords

Once upon a time, passwords were stored in some file on

the server. When a user wanted to authenticate the
server would check whether the user provided passwords
matched the one on the server and if it matched it would
grant access.
No serious website does this anymore. Why?
because if an attacker steals the passwords file
everything is compromised!!
(and this has happened over and over!)

45
Passwords

How passwords are managed today.

• The server doesn’t store passwords

• it stores a (repeated) hash of the password with some
salt (salt= random number), e.g.
f2ded9a441688b83fbd7e5102e8e6958aa96ea0142bcf28cd
328ec33848cd7cc
• if an attacker steals the file from the server he doesn’t
have the passwords, he would still need to ”invert” the
hashes (hard to do because pre-image resistance)

46
Passwords

Attackers may try to ”precompute” hashes of common

passwords e.g. ”password1”, but the same password with
different salts will result in totally different hashes!
e.g. consider the password ”password1”
hashed ”password1” with salt 000000000000000ab =
f2ded9a441688b83fbd7e5102e8e6958aa96ea0142bcf28cd
328ec33848cd7cc
hashed ”password1” with salt 10rdt000000000000 =
4c3e7f2788621d9f802d134d65dd2158430247f7e27a33837a
a859a44ca32e54

47
Passwords

Passwords are used to prove identity. Typical problems

with passwords:

• Length
• Complexity
• Repeatability
• Vulnerability

48
Dynamic Password Scheme

To mitigate these issues one can combine passwords and

freshness, e.g. using the password to generate dynamic
data which changes on each authentication attempt, thus
preventing repeatability:

• Limits the exposure of the password, thus reducing

vulnerability.
• Widely deployed in token-based technologies for
accessing services such as internet banking or
telephone banking.

49
Dynamic Password Scheme

How to achieve these dynamic passwords:

• use some time-synchronization between the server

and the client providing the password
• use an algorithm creating a new password based on
a challenge (the challenge can be a nonce sent by
the server)
• use an algorithm to generate a new password based
on a counter

50