
CNS Unit 2

Uploaded by

vinaydarling063

UNIT-2

PRINCIPLES OF PUBLIC-KEY CRYPTOSYSTEMS


Symmetric Key Encryption: Encryption is a process that changes the form of a message in
order to protect it from being read by anyone. In symmetric-key encryption the message is
encrypted using a key, and the same key is used to decrypt the message, which makes it easy
to use but less secure. It also requires a safe method to transfer the key from one party to
another.

Asymmetric Key Encryption: Asymmetric key encryption is based on public and private key
encryption techniques. It uses two different keys to encrypt and decrypt the message. It is more
secure than symmetric key encryption but is much slower.

Conventional (Symmetric) vs. Public-Key (Asymmetric)

1. Conventional: Same algorithm and key used for encryption and decryption.
   Public-key: Same algorithm but different keys used for encryption and decryption.

2. Conventional: Parties share algorithm and key.
   Public-key: Parties share algorithm but each has one key from a matched pair.

3. Conventional: Key must be kept secret.
   Public-key: One key must be kept secret.

4. Conventional: Cipher must be strong.
   Public-key: Cipher must be strong.

5. Conventional: Plaintext/cipher-text pairs must not weaken the security of the key.
   Public-key: Plaintext/cipher-text pairs plus one of the keys must not weaken the other key.

KEY MANAGEMENT
In cryptography, it is a very tedious task to distribute the public and private keys between
sender and receiver. If the key is known to a third party (forger/eavesdropper) then the
whole security mechanism becomes worthless. So, there comes the need to secure the
exchange of keys.
There are two aspects of key management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.
Distribution of Public Key:
The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
These are explained below:
1. Public Announcement: Here the public key is broadcast to everyone. The major
weakness of this method is forgery. Anyone can create a key claiming to be someone else
and broadcast it. Until the forgery is discovered, the forger can masquerade as the claimed user.

2. Publicly Available Directory: In this type, the public key is stored in a public directory.
The directory is trusted here and has properties such as participant registration, the ability
for participants to access and modify their values at any time, and entries of the form
{name, public-key}. The directory can be accessed electronically but is still vulnerable to
forgery or tampering.
3. Public Key Authority: It is similar to the directory but improves security by tightening
control over the distribution of keys from the directory. It requires users to know the public
key for the directory. Whenever keys are needed, the user makes a real-time access to the
directory to obtain any desired public key securely.
4. Public-Key Certificates: Here the authority provides a certificate (which binds an identity
to the public key) to allow key exchange without real-time access to the public authority each
time. The certificate is accompanied by other information such as period of validity, rights of
use, etc. All of this content is signed with the private key of the certificate authority (CA) and
can be verified by anyone possessing the authority's public key.
First, the sender and receiver both request from the CA a certificate, which contains a public
key and other information; they can then exchange these certificates and start
communication.
THE RSA ALGORITHM
Introduction

RSA stands for Rivest, Shamir and Adleman. The RSA algorithm is the most popular and proven
asymmetric key cryptographic algorithm.
A prime number is one that is divisible only by 1 and itself. For instance, 3 is a prime
number, because it can be divided only by 1 or 3. Similarly, 5, 7, 11, 13, 17, ... are prime
numbers.

The RSA algorithm is based on the mathematical fact that it is easy to find and multiply large
prime numbers together, but it is extremely difficult to factor their product. The private and
public keys in RSA are based on very large (made up of 100 or more digits) prime numbers.
The RSA Algorithm

1. Choose two large prime numbers P and Q.

2. Calculate N = P x Q.

3. Select the public key (i.e. the encryption key) E such that it has no factor in common with (P - 1) x (Q - 1).

4. Select the private key (i.e. the decryption key) D such that the following equation is true:

(D x E) mod ((P - 1) x (Q - 1)) = 1

5. For encryption, calculate the cipher text CT from the plain text PT as follows:

CT = PT^E mod N

6. Send CT as the cipher text to the receiver.

7. For decryption, calculate the plain text PT from the cipher text CT as follows:

PT = CT^D mod N

Example of RSA

Let us take an example of this process to understand the concepts. For ease of reading, we shall
write the example values along with the algorithm steps.

1. Choose two large prime numbers P and Q.

Let P = 7, Q = 17.

2. Calculate N = P x Q.

We have, N = 7 x 17 = 119.
3. Select the public key (i.e. the encryption key) E such that it has no factor in common with (P - 1) x (Q - 1).

- Let us find (7 - 1) x (17 - 1) = 6 x 16 = 96.
- The factors of 96 are 2, 2, 2, 2, 2 and 3 (because 96 = 2 x 2 x 2 x 2 x 2 x 3).
- Thus, we have to choose E such that none of the factors of E is 2 or 3. As a few
examples, we cannot choose E as 4 (because it has 2 as a factor), 15 (because it has 3 as
a factor) or 6 (because it has both 2 and 3 as factors).
- Let us choose E as 5 (it could have been any other number that does not have 2 or 3
as a factor).

4. Select the private key (i.e. the decryption key) D such that the following equation is true:

(D x E) mod ((P - 1) x (Q - 1)) = 1

- Let us substitute the values of E, P and Q in the equation.
- We have: (D x 5) mod ((7 - 1) x (17 - 1)) = 1
- That is, (D x 5) mod (6 x 16) = 1
- That is, (D x 5) mod 96 = 1
- After some calculations, let us take D = 77. Then the following is true:
(77 x 5) mod 96 = 385 mod 96 = 1, which is what we wanted.

5. For encryption, calculate the cipher text CT from the plain text PT as follows:

CT = PT^E mod N

Let us assume that we want to encrypt plain text 10. Then we have:

CT = 10^5 mod 119 = 100000 mod 119 = 40

6. Send CT as the cipher text to the receiver.

Send 40 as the cipher text to the receiver.

7. For decryption, calculate the plain text PT from the cipher text CT as follows:

PT = CT^D mod N

- We perform the following:
- PT = CT^D mod N
- That is, PT = 40^77 mod 119 = 10, which was the original plain text of step 5.
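
The seven steps above as runnable code (an added example, not part of the original notes). The function names are chosen here for illustration; D is found with the extended Euclidean algorithm rather than by trial, and the code rejects an E that shares a factor with (P - 1) x (Q - 1) as well as a plain text that is not smaller than N.

```python
from math import gcd


def mod_inverse(e: int, phi: int) -> int:
    """Extended Euclid: return D such that (D x E) mod phi == 1."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:  # gcd(E, phi) != 1, so step 4 has no solution
        raise ValueError(f"E={e} shares a factor with {phi}; no D exists")
    return old_s % phi


def make_keys(p: int, q: int, e: int):
    """Steps 1-4: return the public key (E, N) and the private key (D, N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    return (e, n), (d, n)


def valid_exponents(p: int, q: int):
    """All E in 2..phi-1 that have no factor in common with (P-1) x (Q-1)."""
    phi = (p - 1) * (q - 1)
    return [e for e in range(2, phi) if gcd(e, phi) == 1]


def encrypt(pt: int, public) -> int:
    """Step 5: CT = PT^E mod N. PT must be smaller than N to be recoverable."""
    e, n = public
    if not 0 <= pt < n:
        raise ValueError("plain text must be in the range 0..N-1")
    return pow(pt, e, n)


def decrypt(ct: int, private) -> int:
    """Step 7: PT = CT^D mod N."""
    d, n = private
    return pow(ct, d, n)


if __name__ == "__main__":
    public, private = make_keys(7, 17, 5)        # values from the worked example
    print("public key (E, N):", public)
    print("private key (D, N):", private)
    ct = encrypt(10, public)
    print("CT =", ct, " PT =", decrypt(ct, private))
    print("first valid E values:", valid_exponents(7, 17)[:6])
    try:
        # 9 does not divide 96, yet it shares the factor 3 with it.
        make_keys(7, 17, 9)
    except ValueError as err:
        print("rejected:", err)
```

E = 9 shows why the condition has to be "no common factor": 9 is not a factor of 96, but no D satisfies step 4 for it.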
DIFFIE-HELLMAN KEY EXCHANGE AND CRYPTANALYSIS
Whitfield Diffie and Martin Hellman devised an amazing solution to the problem of key agreement or
key exchange in 1976. This solution is called the Diffie-Hellman Key Exchange/Agreement
Algorithm. The beauty of this scheme is that the two parties, who want to communicate securely, can
agree on a symmetric key using this technique. This key can then be used for encryption/decryption.
However, we must note that the Diffie-Hellman key exchange algorithm can be used only for key
agreement, not for encryption or decryption of messages. Once both parties agree on the key to
be used, they need to use other symmetric key encryption algorithms (we shall discuss some of those
subsequently) for actual encryption or decryption of messages.

Diffie-Hellman key exchange algorithm is based on mathematical principles.

Description of the Algorithm

Let us assume that Alice and Bob want to agree upon a key to be used
for encrypting/decrypting messages that would be exchanged between them.

1. Firstly, Alice and Bob agree on two large prime numbers, n and g. These two integers need not be
kept secret. Alice and Bob can use an insecure channel to agree on them.

2. Alice chooses another large random number x, and calculates A such that:

A = g^x mod n

3. Alice sends the number A to Bob.

4. Bob independently chooses another large random integer y and calculates B such that:

B = g^y mod n

5. Bob sends the number B to Alice.

6. Alice now computes the secret key K1 as follows:

K1 = B^x mod n

7. Bob now computes the secret key K2 as follows:

K2 = A^y mod n

Diffie-Hellman Key Exchange illustrated


It might come as a surprise, but K1 is actually equal to K2! This means that K1 = K2 = K is the symmetric
key.

Example of Diffie-Hellman Key Exchange:

1. Firstly, Alice and Bob agree on two large prime numbers, n and g. These two integers need
not be kept secret. Alice and Bob can use an insecure channel to agree on them.

Let n=11, g=7.

2. Alice chooses another large random number x, and calculates A such that:

A = g^x mod n

Let x = 3. Then, we have, A = 7^3 mod 11 = 343 mod 11 = 2.

3. Alice sends the number A to Bob.

Alice sends 2 to Bob.

4. Bob independently chooses another large random integer y and calculates B such that:

B = g^y mod n

Let y = 6. Then, we have, B = 7^6 mod 11 = 117649 mod 11 = 4.

5. Bob sends the number B to Alice.

Bob sends 4 to Alice.

6. Alice now computes the secret key K1 as follows:

K1 = B^x mod n

We have, K1 = 4^3 mod 11 = 64 mod 11 = 9.

7. Bob now computes the secret key K2 as follows:

K2 = A^y mod n

We have, K2 = 2^6 mod 11 = 64 mod 11 = 9.
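
The exchange above with both parties modelled explicitly (an added example, not part of the original notes). The class and function names are chosen here for illustration; each side draws its private number from a cryptographic random source unless one is supplied, and refuses a received value outside 2..n-2, because 0, 1 and n-1 would make the resulting key predictable.

```python
import secrets


class Party:
    """One side of the exchange: holds a private exponent, publishes g^private mod n."""

    def __init__(self, name: str, n: int, g: int, private: int = None):
        self.name, self.n, self.g = name, n, g
        # Private number in 2..n-2; fixed only when replaying a worked example.
        self.private = private if private is not None else 2 + secrets.randbelow(n - 3)
        self.public = pow(g, self.private, n)      # A = g^x mod n  (or B = g^y mod n)

    def shared_key(self, peer_public: int) -> int:
        # Check the value received over the insecure channel before using it.
        if not 1 < peer_public < self.n - 1:
            raise ValueError(f"{self.name}: received value {peer_public} is out of range")
        return pow(peer_public, self.private, self.n)   # K = B^x mod n  (or A^y mod n)


def exchange(n: int, g: int, x: int = None, y: int = None):
    """Run steps 1-7 and return (messages on the wire, K1, K2)."""
    alice = Party("Alice", n, g, x)
    bob = Party("Bob", n, g, y)
    wire = [("Alice->Bob", alice.public), ("Bob->Alice", bob.public)]
    k1 = alice.shared_key(bob.public)
    k2 = bob.shared_key(alice.public)
    return wire, k1, k2


if __name__ == "__main__":
    # Values from the worked example: n = 11, g = 7, x = 3, y = 6.
    wire, k1, k2 = exchange(11, 7, 3, 6)
    print(wire, "K1 =", k1, "K2 =", k2)

    # Constructed larger parameters for illustration: n = 2^127 - 1 (a Mersenne prime), g = 3.
    wire, k1, k2 = exchange(2**127 - 1, 3)
    print("random exponents agree:", k1 == k2)
```

Only A and B appear in `wire`; x, y and the key never leave the party that computed them.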

AUTHENTICATION FUNCTIONS
- A mechanism or service used to verify the integrity of messages.

- Assures that the data received are exactly as sent, i.e. no modification, no deletion and no
insertion.

- Assures that the identity of the sender is valid.

- When a hash function is used to provide message authentication, the hash function value
is often referred to as a message digest.

An authentication function has two levels of functionality:

- Lower level: Provides an authentication value used to authenticate a message.

- Higher level: Enables a receiver to verify the authenticity of a message.

Authentication functions are grouped into three classes:

- Message encryption: The cipher text of the entire message serves as the authenticator.

- Message authentication code (MAC): A function of the message and a secret key that
produces a fixed-length value that serves as the authenticator.

- Hash function: A function that maps a message of any length into a fixed-length hash
value, which serves as the authenticator.
MESSAGE AUTHENTICATION CODE (MAC)
An alternative authentication technique involves the use of a secret key to generate a
small fixed-size block of data, known as a cryptographic checksum or MAC, that is
appended to the message. This technique assumes that two communicating parties, say
A and B, share a common secret key K. When A has a message to send to B, it calculates
the MAC as a function of the message and the key:

MAC = C(K, M)

Where,

M = input message

C = MAC function

K = shared secret key

MAC = message authentication code

The message plus MAC are transmitted to the intended recipient. The recipient performs
the same calculation on the received message, using the same secret key,
to generate a new MAC. The received MAC is compared to the calculated MAC. If we
assume that only the receiver and the sender know the identity of the secret key, and if
the received MAC matches the calculated MAC, then

1. The receiver is assured that the message has not been altered. If an attacker alters
the message but does not alter the MAC, then the receiver's calculation of the MAC will
differ from the received MAC. Because the attacker is assumed not to know the secret
key, the attacker cannot alter the MAC to correspond to the alterations in the message.

2. The receiver is assured that the message is from the alleged sender.

3. If the message includes a sequence number (such as is used with HDLC, X.25,
and TCP), then the receiver can be assured of the proper sequence because an attacker
cannot successfully alter the sequence number.

A MAC function is similar to encryption. One difference is that the MAC algorithm
need not be reversible, as it must be for decryption. In general, the MAC function is a
many-to-one function. The domain of the function consists of messages of some
arbitrary length.

For example, suppose that we are using 100-bit messages and a 10-bit MAC. Then, there
are a total of 2^100 different messages but only 2^10 different MACs. So, on average, each
MAC value is generated by a total of 2^100/2^10 = 2^90 different messages. If a 5-bit key is
used, then there are 2^5 = 32 different mappings from the set of messages to the set of
MAC values.
HASH FUNCTIONS
- A hash function maps a variable-length message into a fixed-length hash value, or
message digest.
- Virtually all cryptographic hash functions involve the iterative use of a compression
function.
- The compression function used in secure hash algorithms falls into one of two
categories: a function specifically designed for the hash function or an algorithm based
on a symmetric block cipher. SHA and Whirlpool are examples of these two approaches,
respectively.

A hash function H accepts a variable-length block of data M as input and produces a fixed-size
hash value h = H(M). A "good" hash function has the property that the results of applying the
function to a large set of inputs will produce outputs that are evenly distributed and apparently
random. In general terms, the principal object of a hash function is data integrity.

Typically, the input is padded out to an integer multiple of some fixed length (e.g., 1024 bits),
and the padding includes the value of the length of the original message in bits. The length field
is a security measure to increase the difficulty for an attacker to produce an alternative
message with the same hash value.

Message Authentication

Message authentication is a mechanism or service used to verify the integrity of a message.


Message authentication assures that data received are exactly as sent (i.e., contain no
modification, insertion, deletion, or replay). In many cases, there is a requirement that the
authentication mechanism assures that purported identity of the sender is valid. When a hash
function is used to provide message authentication, the hash function value is often referred to
as a message digest.
a. The message plus concatenated hash code is encrypted using symmetric encryption. Because
only A and B share the secret key, the message must have come from A and has not been
altered. The hash code provides the structure or redundancy required to achieve
authentication. Because encryption is applied to the entire message plus hash code,
confidentiality is also provided.

b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing
burden for those applications that do not require confidentiality.

c. It is possible to use a hash function but no encryption for message authentication. The
technique assumes that the two communicating parties share a common secret value S. A
computes the hash value over the concatenation of M and S and appends the resulting hash
value to M. Because B possesses S, it can recompute the hash value to verify. Because the
secret value itself is not sent, an opponent cannot modify an intercepted message and cannot
generate a false message.

d. Confidentiality can be added to the approach of method (c) by encrypting the entire message
plus the hash code.
Message authentication is achieved using a message authentication code (MAC), also known as
a keyed hash function. Typically, MACs are used between two parties that share a secret key to
authenticate information exchanged between those parties. A MAC function takes as input a
secret key and a data block and produces a hash value, referred to as the MAC. This can then be
transmitted with or stored with the protected message. If the integrity of the message needs to
be checked, the MAC function can be applied to the message and the result compared with the
stored MAC value. An attacker who alters the message will be unable to alter the MAC value
without knowledge of the secret key.

In fact, a MAC, that is, E(K, H(M)) is a function of a variable-length message M and a secret key
K, and it produces a fixed-size output that is secure against an opponent who does not know
the secret key.

Cryptographic Hash Function

Variable-length message -> Hash function -> Hash value (fixed-length value)

The hash value is a fixed-length value that uniquely identifies the data.

As the following figure shows, E(K, H(M)) is a function of a variable-length message M and a secret key K and
produces a fixed-size output.

[Figure: message authentication using E(K, H(M)); blocks labelled M, H, E, D, K and Compare]
MD5 ALGORITHM
Example of message digest

Let us assume that we want to calculate the message digest of the number
7391743. Then, we multiply each digit in the number with the next digit (excluding it if it is
0), disregarding the first digit of the multiplication result if the result is a two-digit
number.

- Original number is 7391743

Operation              Result

Multiply 7 by 3        21

Discard first digit    1

Multiply 1 by 9        9

Multiply 9 by 1        9

Multiply 9 by 7        63

Discard first digit    3

Multiply 3 by 4        12

Discard first digit    2

Multiply 2 by 3        6

Requirements of a Hash function (Message digest):

1. It should be a one-way function. That means that, given the message, it should be easy to find
its digest, and the reverse should be impossible (getting back the message from its digest must
be infeasible).

2. No two different messages should produce the same digest. This requirement is stated as the
collision-free property.
MD5
MD5 is a message digest algorithm developed by Ron Rivest. MD5 is quite fast and produces
128-bit message digests. Over the years, researchers have identified potential weaknesses in
MD5. However, so far, MD5 has been able to successfully defend itself against collisions. This
may not be guaranteed for too long, though.

After some initial processing, the input text is processed in 512-bit blocks (which are further
divided into 16 32-bit sub-blocks). The output of the algorithm is a set of four 32-bit blocks,
which make up the 128-bit message digest.

How MD5 Works?

Step 1: Padding: The first step in MD5 is to add padding bits to the original message. The aim of
this step is to make the length of the original message equal to a value, which is 64 bits less
than an exact multiple of 512. For example, if the length of the original message is 1000 bits, we
add a padding of 472 bits to make the length of the message 1472 bits. This is because, if we
add 64 to 1472, we get 1536, which is a multiple of 512 (because 1536 = 512 x 3).

Thus, after padding, the original message will have a length of 448 bits (64 bits less than 512),
960 bits (64 bits less than 1024), 1472 bits (64 bits less than 1536), etc. The padding consists of
a single 1-bit, followed by as many 0-bits, as required. Note that padding is always added, even
if the message length is already 64 bits less than a multiple of 512. Thus, if the message were
already of length say 448 bits, we will add a padding of 512 bits to make its length 960 bits.
Thus, the padding length is any value between 1 and 512.
Step 2: Append length. After padding bits are added, the next step is to calculate the original
length of the message and add it to the end of the message, after padding. The length of the
message is calculated, excluding the padding bits. This length of the original message is now
expressed as a 64-bit value and these 64 bits are appended to the end of the original message +
padding.

Step 3: Divide the input into 512-bit blocks. Now, we divide the input message into blocks, each
of length 512 bits.

Step 4: Initialize chaining variables. In this step, four variables (called chaining variables) are
initialized. They are called A, B, C and D. Each of these is a 32-bit number. The initial
hexadecimal values of these chaining variables are shown below.

Step 5: Process blocks.

Copy the four chaining variables into four corresponding variables, a, b, c and d. After all the
initializations, the real algorithm begins. There is a loop that runs for as many 512-bit blocks as
are in the message. Now, we have four rounds. In each round, we process all the 16 sub-blocks
belonging to a block. The inputs to each round are: (a) all the 16 sub-blocks, (b) the variables a,
b, c, d and (c) some constants, designated as t.

All the four rounds vary in one major way: Step 1 of the four rounds has different
processing. The other steps in all the four rounds are the same. In each round, we have 16 input
sub-blocks, named M[0], M[1], ..., M[15] or in general, M[i], where i varies from 0 to 15. As we
know, each sub-block consists of 32 bits.

Also, t is an array of constants. It contains 64 elements, with each element consisting of 32
bits. We denote the elements of this array t as t[1], t[2], ..., t[64] or in general as t[k], where k
varies from 1 to 64. Since there are four rounds, we use 16 out of the 64 values of t in each
round.
Let us summarize these iterations of all the four rounds. In each case, the output of the
intermediate as well as the final iteration is copied into the register abcd. Note that we have 16
such iterations in each round.

1. A process P is first performed on b, c and d. This process P is different in all the four
rounds.

2. The variable a is added to the output of the process P (i.e. to the register abcd).

3. The message sub-block M[i] is added to the output of Step 2 (i.e. to the register abcd).

4. The constant t[k] is added to the output of Step 3 (i.e. to the register abcd).

5. The output of Step 4 (i.e. the contents of register abcd) is circular-left shifted by s bits.
(The value of s keeps changing.)

6. The variable b is added to the output of Step 5 (i.e. to the register abcd).

7. The output of Step 6 becomes the new abcd for the next step.
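
Steps 1 to 5 and the seven-step iteration above, written out as code (an added example, not part of the original notes). The initial chaining values, the process P of each round, the order in which sub-blocks are taken, the shift amounts s and the final addition of a, b, c, d back into A, B, C, D are not given in the text above and are taken from RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Step 4: initial chaining variables A, B, C, D (values from RFC 1321).
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Constants t[1]..t[64], stored 0-based: floor(2^32 x |sin(k)|), k in radians.
T = [int(abs(math.sin(k + 1)) * 2**32) & MASK for k in range(64)]
# Shift amounts s: four values per round, cycled over the 16 iterations of the round.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def padding_bits(message_bits: int) -> int:
    """Step 1: number of padding bits (1..512) for a message of this bit length."""
    return (447 - message_bits) % 512 + 1


def md5_pad(message: bytes) -> bytes:
    """Steps 1-2 for byte-aligned input: a 1-bit, 0-bits, then the 64-bit length."""
    zero_bytes = (padding_bits(len(message) * 8) - 8) // 8   # 0x80 carries the 1-bit
    length = struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    return message + b"\x80" + b"\x00" * zero_bytes + length


def rotl(x: int, s: int) -> int:
    """Circular left shift of a 32-bit value by s bits."""
    x &= MASK
    return ((x << s) | (x >> (32 - s))) & MASK


def md5(message: bytes) -> str:
    A, B, C, D = INIT
    data = md5_pad(message)
    for offset in range(0, len(data), 64):                    # Step 3: 512-bit blocks
        M = struct.unpack("<16I", data[offset:offset + 64])   # 16 sub-blocks of 32 bits
        a, b, c, d = A, B, C, D                               # Step 5: copy A, B, C, D
        for k in range(64):                                   # 4 rounds x 16 iterations
            if k < 16:                                        # process P and sub-block index
                p, i = (b & c) | (~b & d), k
            elif k < 32:
                p, i = (b & d) | (c & ~d), (5 * k + 1) % 16
            elif k < 48:
                p, i = b ^ c ^ d, (3 * k + 5) % 16
            else:
                p, i = c ^ (b | ~d), (7 * k) % 16
            total = a + p + M[i] + T[k]                       # iteration steps 1-4
            new_b = (b + rotl(total, S[k])) & MASK            # iteration steps 5-6
            a, b, c, d = d, new_b, b, c                       # step 7: new abcd
        # RFC 1321: add the block's result back into the chaining variables.
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D).hex()


if __name__ == "__main__":
    print("padding for 1000 bits:", padding_bits(1000))   # example from Step 1
    print("padding for 448 bits:", padding_bits(448))
    print("MD5('abc') =", md5(b"abc"))
```

The block is for following the steps, not for protecting data: practical MD5 collisions have been published since 2004.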
SECURITY OF HASH FUNCTIONS AND MAC

Introduction:

We can group attacks on hash functions and MACs into two categories: brute-force attacks and
cryptanalysis.

Brute-Force Attacks: The nature of brute-force attacks differs somewhat for hash functions and
MACs.

Hash Functions: The strength of a hash function against brute-force attacks depends on the
length of the hash code produced by the algorithm. There are three desirable properties:

- One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.
- Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x
with H(y) = H(x).
- Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that
H(x) = H(y).

For a hash code of length n, the level of effort required, as we have seen is proportional to the
following:

If strong collision resistance is required, then the value 2^(n/2) determines the strength of the hash
code against brute-force attacks. Thus a 128-bit code may be viewed as inadequate. The next
step up, if a hash code is treated as a sequence of 32 bits, is a 160-bit hash length. With a hash
length of 160 bits, the same search machine would require over four thousand years to find a
collision. However, even 160 bits is now considered weak.

Message Authentication Codes: A brute-force attack on a MAC is a more difficult undertaking
because it requires known message-MAC pairs. To attack a hash code, we can proceed in the
following way. Given a fixed message x with n-bit hash code h = H(x), a brute-force method of
finding a collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do
this repeatedly off line. Whether an off-line attack can be used on a MAC algorithm depends on
the relative size of the key and the MAC.

To proceed, we need to state the desired security property of a MAC algorithm, which can be
expressed as follows:
Computation resistance: Given one or more text-MAC pairs [xi, C(K, xi)], it is computationally
infeasible to compute any text-MAC pair [x, C(K, x)] for any new input x ≠ xi. In other words, the
attacker would like to come up with the valid MAC code for a given message x. There are two
lines of attack possible: attack the key space and attack the MAC value.

General Structure of Secure Hash Code

Cryptanalysis: The way to measure the resistance of a hash or MAC algorithm to cryptanalysis is
to compare its strength to the effort required for a brute-force attack. That is, an ideal hash or
MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort.

Hash Functions: In the past few years there has been considerable effort, and some successes, in
developing cryptanalytic attacks on hash functions. To understand these, we need to look at
the overall structure of a typical secure hash function. This structure, referred to as an iterated
hash function, is the structure of most hash functions in use today, including SHA and
Whirlpool. The hash function takes an input message and partitions it into L fixed-sized blocks
of b bits each. If necessary, the final block is padded to b bits. The final block also includes the
value of the total length of the input to the hash function. The inclusion of the length makes the
job of the opponent more difficult.

Message Authentication Codes: There is much more variety in the structure of MACs than in
hash functions, so it is difficult to generalize about the cryptanalysis of MACs. Far less work has
been done on developing such attacks.

SECURE HASH ALGORITHM(SHA)


The most widely used hash function has been the Secure Hash Algorithm (SHA). Indeed,
because virtually every other widely used hash function had been found to have substantial
cryptanalytic weakness, SHA was more or less the last remaining standardized hash algorithm
by 2005. SHA was developed by the National Institute of Standards and Technology (NIST) and
published as a federal information processing standard (FIPS 180) in 1993. The actual standards
document is entitled "Secure Hash Standard." SHA is based on the hash function MD4, and its
design closely models MD4. SHA-1 is also specified in RFC 3174, which essentially duplicates the
material in FIPS 180-1 but adds a C code implementation.

SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the
standard, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and
SHA-512, respectively. These versions share the same structure and use the same types of
modular arithmetic and logical binary operations as SHA-1. A revised document was issued as
FIPS PUB 180-3 in 2008, which added a 224-bit version.

SHA-512 Logic

The algorithm takes as input a message with a maximum length of less than 2^128 bits and
produces as output a 512-bit message digest. The input is processed in 1024-bit blocks.
Comparison of SHA parameters:
Step 1: Append padding bits. The message is padded so that its length is congruent to 896
modulo 1024 [length ≡ 896 (mod 1024)]. Padding is always added, even if the message is already
of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The
padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length. A block of 128 bits is appended to the message. This block is treated as
an unsigned 128-bit integer and contains the length of original message.

Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of
the hash function. These values are stored in big-endian format, in which the most significant
byte of a word is in the low-address (leftmost) byte position. These words were obtained by
taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime
numbers.

Step 4: Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a module
that consists of 80 rounds; this module is labeled F. Each round takes as input the 512-bit buffer
value, abcdefgh, and updates the contents of the buffer. At input to the first round, the buffer
has the value of the intermediate hash value, H-1. Each round t makes use of a 64-bit value Wt,
derived from the current.

SHA-512 Processing of a single 1024-Bit Block


Step 5: Output. After all N 1024-bit blocks have been processed, the output from the Nth stage
is the 512-bit message digest.

HMAC
HMAC stands for Hash-based Message Authentication Code. HMAC has been chosen as a
mandatory security implementation for Internet Protocol (IP) security and is also used in
the Secure Socket Layer (SSL) protocol, widely used on the Internet. The fundamental idea
behind HMAC is to reuse the existing message digest algorithms, such as MD5 or SHA-1. It treats
the message digest as a black box. Additionally, it uses the shared symmetric key to encrypt the
message digest, which produces the output MAC. This is shown in the figure below.

How HMAC Works?

Let us now take a look at the internal working of HMAC. For this, let us start with the various
variables that will be used in our HMAC discussion.

MD = The message digest/hash function used (e.g. MD5, SHA-1, etc.)
M = The input message whose MAC is to be calculated
L = The number of blocks in the message M
b = The number of bits in each block
K = The shared symmetric key to be used in HMAC
ipad = A string 00110110 repeated b/8 times
opad = A string 01011010 repeated b/8 times

Step 1: Make the length of K equal to b.

Step 2: XOR K with ipad to produce S1. We XOR K (the output of Step 1) and ipad to produce a
variable called S1.

Step 3: Append M to S1. We now take the original message (M) and simply append it to the end
of S1 (which was calculated in Step 2).

Step 4: Message digest algorithm. Now, the selected message digest algorithm (e.g. MD5, SHA-1,
etc.) is applied to the output of Step 3 (i.e. to the combination of S1 and M). Let us call the
output of this operation H.

Step 5: XOR K with opad to produce S2. Now, we XOR K (the output of Step 1) with opad to
produce a variable called S2.

Step 6: Append H to S2. In this step, we take the message digest calculated in Step 4 (i.e. H) and
simply append it to the end of S2 (which was calculated in Step 5).

Step 7: Message digest algorithm. Now, the selected message digest algorithm (e.g. MD5, SHA-1,
etc.) is applied to the output of Step 6 (i.e. to the concatenation of S2 and H). This is the final
MAC that we want.
Complete HMAC Operation
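
The seven HMAC steps above, together with the sender/receiver check and the sequence-number point from the MESSAGE AUTHENTICATION CODE section, as one runnable sketch (an added example, not part of the original notes). The pad bytes are the ones RFC 2104 defines (ipad 0x36, opad 0x5C); the frame layout (4-byte sequence number, payload, MAC), the names `protect` and `Receiver`, and the key and payloads are constructed for illustration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # pad bytes as defined in RFC 2104


def hmac_by_steps(key: bytes, message: bytes, md=hashlib.sha256) -> bytes:
    block = md().block_size                    # block size in bytes (b/8 in the text)
    if len(key) > block:                       # Step 1: a key longer than one block is
        key = md(key).digest()                 # hashed first,
    k = key.ljust(block, b"\x00")              # then padded with zero bytes to length b
    s1 = bytes(x ^ IPAD for x in k)            # Step 2: S1 = K XOR ipad
    h = md(s1 + message).digest()              # Steps 3-4: H = MD(S1 || M)
    s2 = bytes(x ^ OPAD for x in k)            # Step 5: S2 = K XOR opad
    return md(s2 + h).digest()                 # Steps 6-7: MAC = MD(S2 || H)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: MAC computed over sequence number + payload, appended to both."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac_by_steps(key, body)


class Receiver:
    """Recomputes the MAC with the shared key and enforces the expected sequence."""

    def __init__(self, key: bytes, md=hashlib.sha256):
        self.key, self.md = key, md
        self.tag_len = md().digest_size
        self.next_seq = 0

    def accept(self, frame: bytes):
        """Return the payload, or None if the MAC or the sequence number is wrong."""
        if len(frame) < 4 + self.tag_len:
            return None
        body, tag = frame[:-self.tag_len], frame[-self.tag_len:]
        expected = hmac_by_steps(self.key, body, self.md)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None
        if int.from_bytes(body[:4], "big") != self.next_seq:
            return None                               # replayed or out of order
        self.next_seq += 1
        return body[4:]


if __name__ == "__main__":
    key = b"constructed-shared-key"                   # constructed sample key
    same = hmac_by_steps(key, b"msg") == hmac.new(key, b"msg", hashlib.sha256).digest()
    print("matches the standard library HMAC:", same)

    rx = Receiver(key)
    f0, f1 = protect(key, 0, b"pay 10"), protect(key, 1, b"pay 20")
    altered = f1[:4] + b"pay 99" + f1[10:]            # payload changed, MAC left as is
    print(rx.accept(f0), rx.accept(altered), rx.accept(f0), rx.accept(f1))
```

The last line prints the first payload, `None` for the altered frame, `None` for the replayed frame, then the second payload.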
