Unit 3

1. Explain MACs based on Hash functions.

MACs Based on Hash Functions (HMAC) – Easy Explanation

What is a MAC (Message Authentication Code)?

A MAC (Message Authentication Code) is a security technique used to ensure that:

1. The message is not altered (Integrity).

2. The sender is genuine (Authentication).

Think of a MAC as a digital seal that verifies a message is secure and untampered.

What is HMAC (MAC Using Hash Functions)?

HMAC (Hash-based Message Authentication Code) is a special type of MAC that uses hash functions (like SHA-256) along
with a secret key to generate a secure code.

Example:
Imagine you send an email with a digital seal. If someone changes the message, the seal will no longer match, alerting the
receiver of tampering.

How HMAC Works?

1. The sender has a message (M) and a secret key (K).

2. The sender applies a hash function (H) to the message combined with the key:
HMAC = H(K ⊕ opad || H(K ⊕ ipad || M))

where opad & ipad are padding values to strengthen security.

3. The sender sends both M and HMAC to the receiver.

4. The receiver also generates an HMAC using the received message and the same secret key.
5. If the HMAC values match, the message is authentic. If not, the message was modified.

Why Use HMAC?

• Protects Data Integrity – Ensures the message was not changed.

• Provides Authentication – Only someone with the secret key can generate the correct HMAC.
• Stronger Security – Hash functions like SHA-256 or SHA-512 make it hard to tamper with messages.

Real-World Example

• Online Banking: HMAC ensures that your transaction details are secure and cannot be altered.
• API Security: Many websites and services (like Amazon, Google) use HMAC for API authentication.
• Wi-Fi Security: WPA2 encryption uses HMAC to protect passwords.

Summary

• HMAC = Hash Function + Secret Key = Secure Message Verification

• Used for authentication & integrity in banking, secure communication, and APIs
• Even if a hacker intercepts the message, they cannot generate the correct HMAC without the secret key.

2. Discuss SHA-1 with a proper diagram.

What is SHA-1?

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that converts an input message into a 160-bit (20-byte)
hash value. This hash is often represented as a 40-digit hexadecimal number and is known as a message digest.

• Developed by: National Security Agency (NSA)

• Used for: Data integrity, digital signatures, and security applications
• Considered insecure since 2005 – Major browsers (Google, Microsoft, Apple) stopped accepting SHA-1 SSL
certificates in 2017.

How SHA-1 Works? (Step-by-Step)

1. Input Message (M)

o Any text or data that needs hashing (e.g., "Hello World").
2. Message Padding
o The message is padded to ensure its length is a multiple of 512 bits.
o The last 64 bits store the original length of the message.
3. Dividing into Blocks
o The padded message is split into 512-bit blocks.
o Each block is further divided into 16 words (32 bits each) and expanded into 80 words.
4. Initialize Hash Variables
o SHA-1 uses five 32-bit buffers: A, B, C, D, and E.
o These buffers are initialized with predefined constant values.
5. Processing 80 Rounds
o The algorithm performs 80 rounds of bitwise operations and logical functions.
o It uses four constant values in different rounds:
▪ K1 (0-19 rounds)
▪ K2 (20-39 rounds)
▪ K3 (40-59 rounds)
▪ K4 (60-79 rounds)
6. Final Addition
o After 80 rounds, the new values of A, B, C, D, and E are added to their original values.
o This results in the final 160-bit hash value.

3. Explain HMAC with a diagram.

What is HMAC?

HMAC is a cryptographic technique that ensures data integrity and authentication by using:

1. A secret key (shared between sender & receiver).

2. A hash function (like SHA-256).

It is widely used in secure communications like HTTPS, API security, and online banking.

How HMAC Works? (Step-by-Step)

1. Client and Server Share a Secret Key

o Both sender and receiver have a shared private key (K).
2. Client Creates HMAC
o The client hashes the message with the secret key using a hash function.
o The formula: HMAC=hashFunc(secretkey+message)HMAC = hashFunc(secret key +
message)HMAC=hashFunc(secretkey+message)
3. Client Sends the HMAC with the Message
o Along with the actual data, the client sends the HMAC.
4. Server Verifies HMAC
o The server recomputes the HMAC using the received message and the secret key.
o If the server’s HMAC matches the received HMAC, the message is valid.
 o If they don’t match, the message has been tampered with.

Why is HMAC Secure?

• The secret key is never sent over the network.

• Even if someone intercepts the message, they cannot modify it without knowing the key.
• It prevents replay attacks (old messages being reused by attackers).

Advantages of HMAC

✔ Fast and Efficient – Works faster than digital signatures.

✔ Small Size – Takes up less space compared to encryption.

✔ Used in IoT Devices – Saves bandwidth and processing power.

✔ Prevents Message Tampering – Even if someone intercepts the message, they cannot change it.

Disadvantages of HMAC

Key Management is Difficult – Secret keys must be securely stored and shared.

Not Suitable for Large-Scale Communication – Unlike public-key encryption, HMAC needs a shared secret key between
each sender and receiver.
Short Keys are Weak – If the secret key is too short, hackers can guess it using brute-force attacks.

Where is HMAC Used?

Email Verification – Ensures email addresses are valid.

API Security – Protects web services from unauthorized access.

IoT Devices – Used in smart devices due to low power consumption.

Password Reset Links – One-time links are secured using HMAC.

Conclusion
HMAC is a powerful security method used in online authentication and data integrity. It ensures that messages are not
altered and that the sender is genuine. Due to its two-step hashing process, it provides better security than traditional
MACs and is widely used in secure web communication.

4. Explain ElGamal and Schnorr Digital Signature Algorithm with examples.

5. What is Kerberos and its requirements?

Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to
users. In Kerberos Authentication server and database is used for client authentication. Kerberos runs as a third-party
trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:

• Authentication Server (AS): The Authentication Server performs the initial authentication and ticket for Ticket
Granting Service.

• Database: The Authentication Server verifies the access rights of users in the database.

• Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server

Working of Kerberos
Step-1: User login and request services on the host. Thus user requests for ticket-granting service.
Step-2: Authentication Server verifies user’s access right using database and then gives ticket-granting-ticket and session
key. Results are encrypted using the Password of the user.
Step-3: The decryption of the message is done using the password then send the ticket to Ticket Granting Server. The Ticket
contains authenticators like user names and network addresses.
Step-4: Ticket Granting Server decrypts the ticket sent by User and authenticator verifies the request then creates the
ticket for requesting services from the Server.
Step-5: The user sends the Ticket and Authenticator to the Server.
Step-6: The server verifies the Ticket and authenticators then generate access to the service. After this User can access the
services.

Kerberos is a secure authentication system that allows users to securely access services on a network without repeatedly
entering their password. It uses a centralized authentication server called the Key Distribution Center (KDC) to verify
users and services.

Think of Kerberos like a movie theater ticket system:

• You buy one main ticket at the entrance (authentication server).

• That ticket allows you to get multiple entry passes inside the theater (service tickets).
• Once inside, you don’t need to show ID again—just your ticket!

Main Components of Kerberos

1. Authentication Server (AS):

o Checks if the user is allowed to access the network.
 o Issues a Ticket-Granting Ticket (TGT).
2. Database:
o Stores user information and access rights.
o Helps verify users during authentication.
3. Ticket Granting Server (TGS):
o Issues service tickets for users to access network services.

How Kerberos Works? (Step-by-Step)

1. User Login & Request Access:

o The user logs in and requests access to a service.
2. Authentication Server Verifies User:
o The AS checks the user’s credentials in the database and gives them a Ticket-Granting Ticket (TGT).
o This ticket is encrypted with the user’s password.
3. User Requests Service Ticket from TGS:
o The user decrypts the TGT and sends it to the Ticket-Granting Server (TGS).
o The TGT contains user identity and network details.
4. TGS Issues Service Ticket:
o The TGS verifies the request and generates a Service Ticket.
o The Service Ticket is encrypted and sent to the user.
5. User Sends Service Ticket to Server:
o The user sends the Service Ticket to the requested server.
6. Server Verifies & Grants Access:
o The server checks the ticket, and if it’s valid, the user gets access to the requested service.

Limitations of Kerberos

• Each service must be modified separately – Every application needs to support Kerberos authentication.
• Requires synchronized clocks – If the system clocks are out of sync, authentication may fail.
• Needs a dedicated Kerberos server – If the Kerberos server fails, no one can log in.
• Assumes workstations are secure – If a hacker steals a workstation, they can misuse the tickets.
• Scalability issues – Managing a large number of users can be challenging.

Conclusion
Kerberos is a powerful authentication system that allows secure access to network services using tickets instead of
passwords. However, it requires proper setup and security measures to work efficiently. It is widely used in corporate
networks, Windows Active Directory, and secure websites.

6. What is PGP? How are authentication and confidentiality maintained in PGP?

What is PGP?

PGP (Pretty Good Privacy) is a security tool used to protect emails, files, and digital communication by providing
encryption, authentication, and confidentiality. It ensures that only the intended recipient can read a message and
verifies that the sender is genuine.

How Does PGP Work?

PGP uses a hybrid encryption method that combines:

1. Symmetric Encryption – Uses a single secret key to encrypt and decrypt data (faster).
2. Public Key Encryption – Uses a public key for encryption and a private key for decryption (more secure).

1. Authentication in PGP

What is Authentication?

Authentication ensures that a message really comes from the claimed sender and has not been tampered with.

Real-Life Example:
Imagine receiving a signed letter from your bank. The signature proves that it’s really from your bank and not someone
pretending to be them.

How PGP Provides Authentication?

At the Sender’s End:

1. A hash function (SHA-1) generates a unique 160-bit hash of the message.

2. The hash is encrypted with the sender’s private key, creating a digital signature.
3. The message + digital signature is compressed and sent to the receiver.

At the Receiver’s End:

 1. The message is decompressed and the signature is decrypted using the sender’s public key.
2. The receiver calculates a new hash from the message.
3. If both hashes match, the message is authentic; otherwise, it may have been altered.

If the hashes match → The sender is verified.

If the hashes don’t match → The message was altered or fake.

2. Confidentiality in PGP

What is Confidentiality?

Confidentiality ensures that only the intended recipient can read the message.

Real-Life Example:
Imagine you send a locked box containing a secret letter. The recipient has the only key to open it.

How PGP Provides Confidentiality?

At the Sender’s End:

1. The message is compressed to reduce size.

2. A random session key (Ks) is generated for symmetric encryption (fast).
3. The message is encrypted using the session key (Ks).
4. The session key is then encrypted using the receiver’s public key (secure).
5. The encrypted message + encrypted session key is sent to the receiver.

At the Receiver’s End:

1. The receiver decrypts the session key using their private key.
2. The session key is used to decrypt the message.
3. The message is decompressed to restore the original content.

Even if an attacker intercepts the message, they can’t read it without the private key!

3. Authentication & Confidentiality Together in PGP

In real-world use, PGP applies authentication and confidentiality together:

 1. The sender first signs the message (authentication).
2. Then the message is encrypted (confidentiality).
3. The receiver first decrypts the message, then verifies the sender’s signature.

This ensures that the message is both secure and genuine.

Advantages of PGP

✔ Highly Secure – Uses strong encryption to protect messages.

✔ Ensures Integrity – Messages cannot be altered undetected.

✔ Protects Privacy – Only the intended recipient can read the message.

✔ Used in Cloud Security – Prevents unauthorized access to sensitive files.

✔ Prevents Government/Spy Attacks – Encrypts messages to stop surveillance.

Disadvantages of PGP

Difficult to Use – Requires users to understand key management.

No Anonymity – While messages are encrypted, the sender and recipient’s identities are still visible.

If a Key is Lost, Data is Unreadable – Losing a private key means losing access to encrypted data.
Training Required – Organizations must train employees to use PGP correctly.

Conclusion

PGP is a powerful encryption tool that provides authentication (verifies sender) and confidentiality (secures messages).
Despite its complexity, it remains one of the most trusted methods for securing emails, files, and sensitive data in
personal, corporate, and government communications.

7. Explain the authentication services of X.509.

What is X.509?

X.509 is a digital certificate standard used for authentication and secure communication on the internet. It is part of
Public Key Infrastructure (PKI) and ensures data integrity, confidentiality, and authentication.
Think of an X.509 certificate like a digital ID card that proves your identity online, just like a passport verifies your identity
in real life.

How Does X.509 Work?

1. Each user gets a digital certificate from a trusted Certificate Authority (CA).
2. The certificate contains the user’s public key and other identity details.
3. The certificate is stored in an online directory for easy access.
4. When a user wants to authenticate, they present their X.509 certificate (like showing an ID card).
5. The receiver verifies the certificate using the CA’s digital signature.
6. If the certificate is valid, secure communication is established.

This prevents unauthorized users from accessing secure systems.

Format of an X.509 Certificate

An X.509 certificate contains the following details:

1. Version Number – Specifies the X.509 version being used.

2. Serial Number – A unique ID assigned by the Certificate Authority.
3. Signature Algorithm – The algorithm used to sign the certificate.
4. Issuer Name – The Certificate Authority (CA) that issued the certificate.
5. Period of Validity – The start and expiry date of the certificate.
6. Subject Name – The identity of the certificate holder (person or website).
7. Public Key – The user's public key for encryption/decryption.
8. Extensions – Extra details like usage restrictions.
 9. Signature – A digital signature from the Certificate Authority for verification.

Applications of X.509 Certificates

✔ Website Security (SSL/TLS) – Used in HTTPS websites for secure browsing.

✔ Email Security – Ensures safe email communication.

✔ Digital Signatures – Used to sign and verify documents electronically.

✔ Code Signing – Protects software from unauthorized modifications.

✔ Secure Shell (SSH) Keys – Used for remote secure access.

✔ Digital Identities – Helps in verifying user identities online.

Why is X.509 Important?

Prevents cyber attacks like phishing and identity theft.

Enables encrypted communication on the internet.

Widely used in web security, banking, and government applications.

Conclusion

X.509 digital certificates are essential for secure communication on the internet. They help verify identities and encrypt
data, making online transactions and communications safe and trustworthy.

8. Explain the MD5 algorithm with a diagram.

What is the MD5 Algorithm?

MD5 is a cryptographic hash function algorithm that takes the message as input of any length and changes it into a fixed-
length message of 16 bytes. MD5 algorithm stands for the Message-Digest algorithm. MD5 was developed in 1991
by Ronald Rivest as an improvement of MD4, with advanced security purposes. The output of MD5 (Digest size) is
always 128 bits.MD5 is still the most commonly used message digest for non-cryptographic functions, such as used as a
checksum to verify data integrity, compressing large files into smaller ones securely, etc.
Overview Of MD5 Algorithm

Working of the MD5 Algorithm

MD5 algorithm follows the following steps

1. Append Padding Bits: In the first step, we add padding bits in the original message in such a way that the total length of
the message is 64 bits less than the exact multiple of 512.

Suppose we are given a message of 1000 bits. Now we have to add padding bits to the original message. Here we will add
472 padding bits to the original message. After adding the padding bits the size of the original message/output of the first
step will be 1472 i.e. 64 bits less than an exact multiple of 512 (i.e. 512*3 = 1536).

Length(original message + padding bits) = 512 * i - 64 where i = 1,2,3 . . .

One Round of MD5 Operation

2. Append Length Bits: In this step, we add the length bit in the output of the first step in such a way that the total number
of the bits is the perfect multiple of 512. Simply, here we add the 64-bit as a length bit in the output of the first step.

output of first step = 512 * n - 64

length bits = 64.

After adding both we will get 512 * n i.e. the exact multiple of 512.

3. Initialize MD buffer: Here, we use the 4 buffers i.e. A B, C, and D. The size of each buffer is 32 bits.

- A = 0x67425301
- B = 0xEDFCBA45
- C= 0x98CBADFE
- D = 0x13DCE476

F,G,H and I functions

4. Process Each 512-bit Block: This is the most important step of the MD5 algorithm. Here, a total of 64 operations are
performed in 4 rounds. In the 1st round, 16 operations will be performed, 2nd round 16 operations will be performed, 3rd
round 16 operations will be performed, and in the 4th round, 16 operations will be performed. We apply a different
function on each round i.e. for the 1st round we apply the F function, for the 2nd G function, 3rd for the H function, and
4th for the I function.
We perform OR, AND, XOR, and NOT (basically these are logic gates) for calculating functions. We use 3 buffers for each
function i.e. B, C, D.
Process P Operation

After applying the function now we perform an operation on each block. For performing operations we need

• add modulo 232

• M[i] – 32 bit message.

• K[i] – 32-bit constant.

• <<<n – Left shift by n bits.

Now take input as initialize MD buffer i.e. A, B, C, D. Output of B will be fed in C, C will be fed into D, and D will be fed into
J. After doing this now we perform some operations to find the output for A.

• In the first step, Outputs of B, C, and D are taken and then the function F is applied to them. We will add modulo
232 bits for the output of this with A.

• In the second step, we add the M[i] bit message with the output of the first step.

• Then add 32 bits constant i.e. K[i] to the output of the second step.

• At last, we do left shift operation by n (can be any value of n) and addition modulo by 232.

After all steps, the result of A will be fed into B. Now same steps will be used for all functions G, H, and I. After performing
all 64 operations we will get our message digest.

9. Explain the NIST Digital Signature Algorithm.

 1.
o A public key (shared with others) is derived from the private key.
2. Signing a Message:
o The sender creates a hash of the message.
o Uses the private key to generate a digital signature (two values: r, s).
o Sends the message + signature to the receiver.
3. Verifying the Signature:
o The receiver computes a hash of the message.
o Uses the sender’s public key to verify the signature (r, s).
o If the computed value matches the received signature → Valid Message.
o If not → The message may have been tampered with.

Advantages of DSA

✔ Authentication – Ensures the sender is genuine.

✔ Integrity – Verifies that the message has not been altered.

✔ Non-Repudiation – The sender cannot deny signing the message.

✔ Security – Based on complex mathematical calculations, making forgery difficult.

✔ Global Acceptance – Widely used in digital certificates, secure transactions, and software security.

Disadvantages of DSA
 Slower than RSA – Signature verification takes more time.

Key Management – Private keys must be securely stored.

Infrastructure Dependency – Requires trusted authorities for public key distribution.

Vulnerability to Key Leaks – If the private key is compromised, attackers can generate fake signatures.

Conclusion

DSA is a widely used digital signature method that ensures secure communication by verifying the sender’s identity and
protecting messages from tampering. Despite some limitations, it remains a trusted authentication method in
cybersecurity.

10. Differentiate between SHA-1 and MD5.

Difference Between SHA-1 and MD5

Feature SHA-1 (Secure Hash Algorithm 1) MD5 (Message Digest Algorithm 5)

Hash Length 160 bits (20 bytes) 128 bits (16 bytes)

Digest Output 40 hexadecimal characters 32 hexadecimal characters

Security More secure than MD5 but still weak Less secure, prone to collisions

Speed Slower due to longer hash length Faster but weaker security

Collision
Weak (collisions found) Very weak (easier to break)
Resistance

Used in digital signatures, SSL certificates (now Used for checksums and data integrity (not for
Usage
replaced) security)

SHA-1 has been deprecated due to collision MD5 is highly vulnerable and should not be
Vulnerability
attacks used for cryptographic purposes

Example Hash
f572d396fae9206628714fb2ce00f72e94f2258f 8b1a9953c4611296a827abf8c47804d7
(for "Hello")

Conclusion:

• SHA-1 is more secure than MD5 but still not recommended for security purposes.
• MD5 is faster but has serious vulnerabilities and should only be used for basic integrity checks, not for encryption.
• Both are outdated, and modern applications use SHA-256 or SHA-3 for better security.