2_Authentication&Integrity

The document covers key concepts in cybersecurity related to authentication and integrity, including secure communication, message authentication codes (MACs), collision-resistant hash functions, and digital signatures. It discusses the importance of ensuring message authenticity and integrity through various cryptographic techniques, such as HMAC and RSA. Additionally, it highlights the applications of these techniques in real-world scenarios, emphasizing the need for both encryption and authentication in secure communications.

Uploaded by

VI XY

CEG5105 Cybersecurity for Computer Systems
Authentication & Integrity

1
Outline

• Secure communication and message integrity
• Message authentication codes
• Collision-resistant hash functions
• Digital signatures

2
Secure communication and
message integrity
• What does secure communication entail beyond
private communication?
• Consider a large supermarket chain sending an
email request to purchase 10,000 crates of soda
from a supplier
• Upon receiving order, supplier has to consider:
• Is the order authentic: Did the supermarket chain really
issue the order?
• Are the details of the received order exactly those sent
by the supermarket?

3
Common misconception:
Using encryption for integrity
If ciphertext completely hides the
contents of the message, an
adversary cannot possibly modify an
encrypted message en route – all
that it sees is “random garbage”.

Let’s consider using these for integrity protection:
• Stream ciphers
• Block ciphers

4
Common misconception:
Using encryption for integrity

Encryption does not solve the problem of message integrity.
• We need an additional mechanism to enable communicating parties to know whether or not a message was tampered with.
• Such mechanisms are called message authentication codes.

5
Message Authentication
Codes
• Prevents an adversary from modifying a message
sent by one party to another, without the parties
detecting that a modification has been made.
• Message authentication code (MAC) is an algorithm
applied to a message.
• Input: message, Output: MAC tag, or tag

6
Message Authentication
Codes
Algorithms:
• Gen: takes as input the security parameter 1^n and outputs a uniformly distributed key k:
  k ← Gen(1^n)
• MAC: takes as input a key k ∈ {0,1}^n and m ∈ {0,1}*, and outputs MAC tag t ∈ {0,1}*:
  t ← MAC_k(m)
• Verify (Vrfy): takes as input a key k ∈ {0,1}^n, m ∈ {0,1}* and t ∈ {0,1}*, and outputs a bit b ∈ {0,1}
• Correctness: for every n, k, m: Vrfy_k(m, MAC_k(m)) = 1

7
Message Authentication
Codes
[Figure: message m → MAC algorithm (key k) → (m, MAC_k(m)) → Verify algorithm (key k) → 1 if correct, 0 if incorrect]

• m is the message to be authenticated
• The MAC tag is a cryptographic checksum
• We desire the MAC tag to be unforgeable for a new message (without knowing k).
• Two common methods: CBC-MAC and HMAC
8
Constructing Secure MACs

• Recall: the probability of correctly guessing the output of a random function is 2^(-n)
• We can use pseudorandom functions to generate MAC tags
  • But a pseudorandom function maps inputs of length n to outputs of length n.
  • In contrast, a MAC must be defined for messages of all lengths.

[Figure: message m → PRF F_k (key k) → (m, F_k(m))]
9
Constructing Variable-length
Secure MACs – Some (bad) Ideas
• Apply a PRF to the first block only: for message m1 m2 m3, tag = F_k(m1)
• XOR all blocks and apply the PRF to the result: tag = F_k(m1 ⊕ m2 ⊕ m3)
• Apply the pseudorandom function to each block separately and output the results: tag = F_k(m1), F_k(m2), F_k(m3)
10
CBC-MAC

• Cipher block chaining message authentication code
• Uses CBC mode of block ciphers.
• IV set to 0 for MAC; IV is random for encryption
• Only the last output is used. Encryption uses all block cipher outputs

[Figure: IV = 0; each message block m_i is XORed with the previous F_k output and passed through F_k; only the final F_k output is the MAC tag]

11
Hash Functions

• Maps an arbitrary-length string to a shorter string.
• Used as a data structure: O(1) lookup time for retrieving an element (hash table or hash map).
• A “good” hash function yields as few collisions as possible, i.e., H(x) = H(x′) occurs rarely.

[Figure: any message m → hash function H → digest H(m)]

12
Collision-resistant Hash
Functions
• Also known as cryptographic hash functions.
• Infeasible for a PPT adversary to find a distinct pair of values x and x′ such that H(x) = H(x′).
• But we are only interested in functions that yield short output: H: {0,1}* → {0,1}^n
• Lower levels of security in hash functions:
  • Second-preimage resistance: given x, hard to find x′ ≠ x such that H(x) = H(x′)
  • Preimage resistance (one-way): given y, hard to find x′ such that H(x′) = y

13
Collision-resistant Hash
Functions
• How long should the output be for
  • second-preimage resistance
  • preimage resistance
  • collision resistance?
• Assumption: the best attack is random search.
• Assumption: typically, 128-bit security is good enough, i.e., it is not feasible for an adversary to run 2^128 cycles
• Birthday problem: if q people are in a room, what is the probability that two of them share a birthday?
• When q = O(2^(n/2)), the collision probability is > 1/2

14
Collision-resistant Hash
Functions

• Let’s consider the implications of the Birthday Paradox
• If O(2^(n/2)) computations are needed instead of O(2^n), the hash output size should be twice as large for collision resistance: e.g., SHA-256 for 128-bit security

15
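Added example (not from the slides): the birthday bound above computed exactly, and a random-search collision finder run against an n-bit hash that is modelled by keeping the top n bits of SHA-256; the 64-bit sample inputs come from a seeded generator so a run is reproducible.

```python
import hashlib
import random


def birthday_collision_probability(q: int, n_bits: int) -> float:
    """Exact P[some pair collides] among q uniform samples from 2^n values:
    1 - prod_{i=1}^{q-1} (1 - i / 2^n)."""
    space = 2 ** n_bits
    p_no_collision = 1.0
    for i in range(1, q):
        p_no_collision *= 1 - i / space
    return 1 - p_no_collision


def truncated_hash(data: bytes, n_bits: int) -> int:
    """Model an n-bit hash H: {0,1}* -> {0,1}^n by keeping the top n bits
    of SHA-256; only the effect of the output length is being studied."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, seed: int = 1, max_tries: int = 1 << 20):
    """Random search for x != x' with H(x) == H(x'). Every digest seen is
    stored, so memory is O(q). Returns (x, x', tries) or None."""
    rng = random.Random(seed)                 # constructed, deterministic inputs
    seen = {}
    for tries in range(1, max_tries + 1):
        x = rng.getrandbits(64).to_bytes(8, "big")
        h = truncated_hash(x, n_bits)
        if h in seen and seen[h] != x:        # same digest, different input
            return seen[h], x, tries
        seen[h] = x
    return None
```

For a 24-bit digest the search needs on the order of 2^12 tries, which is why an n-bit hash offers roughly n/2 bits of collision resistance.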
Hash Function Construction –
Merkle-Damgård Transform
• Transforms a fixed-length collision-resistant hash function f into a general one with arbitrary-length inputs.
• If f is a collision-resistant hash function, so is the resulting hash function.
• E.g., MD5, SHA-1 and SHA-2 are constructed via the M-D transform

16
HMAC

• Hash-based message authentication code has the structure H(key ∥ H(key ∥ message))
• Alternative notation: HMAC_k(m) = HMAC(k, m)
• HMAC can use MD5 or SHA as the hash function
  • Earlier: MD5 (128 bits)
  • Then: SHA-1 (160 bits)
• HMAC(k, m) = H((k ⊕ opad) ∥ H((k ⊕ ipad) ∥ m))
  • ipad = 0x3636..36, opad = 0x5C5C..5C
• Today: SHA-2 (256 or 512 bits)

17
Using CBC-MAC and HMAC
Which Scenario below describes the right use of MAC?

• Scenario 1:
  • Alice and Bob share a secret k.
  • Alice creates message m and calculates the MAC function: t = MAC_k(m)
  • Alice sends MAC tag t to Bob
• Scenario 2:
  • Alice and Bob share a secret k.
  • Alice creates message m and calculates the MAC function: t = MAC_k(m)
  • Alice sends MAC tag t and m to Bob
  • Bob checks if Vrfy_k(m, t) = 1, i.e., whether t = MAC_k(m) for the received m

18
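The HMAC construction of slide 17 and the scenario-2 exchange above, as an added example that is not the course's code: HMAC-SHA256 written out from H((k ⊕ opad) ∥ H((k ⊕ ipad) ∥ m)) and cross-checked against Python's hmac module; the shared key and the order text are constructed.

```python
import hashlib
import hmac   # standard-library HMAC, used to cross-check the from-scratch version

BLOCK_SIZE = 64   # SHA-256 compresses 512-bit (64-byte) blocks; ipad/opad are this long


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(k, m) = H((k XOR opad) || H((k XOR ipad) || m)) with H = SHA-256."""
    if len(key) > BLOCK_SIZE:                 # over-long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # shorter keys are zero-padded to a block
    k_ipad = bytes(b ^ 0x36 for b in key)     # ipad = 0x3636..36
    k_opad = bytes(b ^ 0x5C for b in key)     # opad = 0x5C5C..5C
    inner = hashlib.sha256(k_ipad + message).digest()
    return hashlib.sha256(k_opad + inner).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Alice's side: t = MAC_k(m)."""
    return hmac_sha256(key, message)


def vrfy(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's side (scenario 2): recompute MAC_k(m) over the received m and
    compare it with the received t. compare_digest runs in constant time, so
    the check does not leak how many leading tag bytes were right."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Sanity check against the standard library's HMAC."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


# Constructed sample exchange (not from the slides)
SHARED_KEY = b"alice-bob-shared-secret"
ORDER = b"purchase 10,000 crates of soda"
```

Scenario 1 fails for the reason the verify function makes visible: without m, Bob has nothing to recompute the tag over.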
Applications of Hash
Functions and MAC
• Message authentication (obviously)
  • Message authentication codes
  • Digital signatures
• Hash chains, trees, commitment schemes (next)
• One-time password (not to be confused with one-time pad) – 2FA
  • Time-synchronized OTP: use MAC_k(t), where t is the current time or a counter and k is the shared secret
• Data integrity checks:
  • Compare a downloaded file against the publisher’s digest

19
Applications of Hash
Functions and MAC
• Storing passwords
  • Instead of storing the password, store H(password)
  • Best practice: store H(password ∥ salt) together with the salt
  • Prevents rainbow table attacks, and identical passwords are stored as different values

Example: Username: Bob, Password: mypass12345 → server stores H(mypass12345 ∥ salt1), salt1
Example: Username: Bob, Password: mypass12345 → server stores H(mypass12345 ∥ salt2), salt2
(same password, different salt, different stored value)

20
SHA-1 Broken?

• Retires by the end of 2030
• SHA-1 has a 160-bit message digest, thus 80-bit strength
• An attack shown in 2005 required only 2^69 operations to find a hash collision
• Down to 2^61 operations in 2010
• Finding two different PDF files with the same SHA-1 hash value required 9,223,372,036,854,775,808 (= 2^63) operations
  • 6,500 years of a single CPU, 110 years of a single GPU

21
Obtaining Privacy and
Message Authentication
• We may need both privacy and authentication.
• Idea: Combine secure encryption with secure MAC
• 3 Approaches:
• Encrypt-and-authenticate: encryption and message
authentication are computed and sent separately
• Authenticate-then-encrypt: MAC tag is first computed,
then message and tag are encrypted together
• Encrypt-then-authenticate: message m is first
encrypted, then a MAC tag is computed over the
encrypted message

22
Obtaining Privacy and
Message Authentication
Encrypt-and-authenticate: c = Enc_k1(m), t = MAC_k2(m); send (c, t)

Authenticate-then-encrypt: t = MAC_k2(m), c = Enc_k1(m ∥ t); send c

Encrypt-then-authenticate: c = Enc_k1(m), t = MAC_k2(c); send (c, t)

23
Obtaining Privacy and
Message Authentication
• Encrypt-and-authenticate is insecure
• Authenticate-then-encrypt
  • Secure under CPA (chosen-plaintext attack), with appropriate selection of encryption and MAC scheme
  • Insecure under CCA (chosen-ciphertext attack)
• Encrypt-then-authenticate
  • Secure against both (as long as the encryption and MAC schemes used are secure)
• We will not dive into the details; if interested: https://eprint.iacr.org/2000/025.pdf
• Another advantage of Encrypt-then-MAC is that it avoids unnecessary decryption of garbage data received.

24
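Encrypt-then-authenticate as on slides 22 to 24, as an added example that is not from the slides: encryption is a PRF in counter mode with HMAC-SHA256 standing in for the PRF (an assumption so the code needs only the standard library; a real system would use a block cipher mode), independent keys k1 and k2 as in the diagrams, the tag checked before any decryption, and the encrypt-and-authenticate composition beside it to show why a deterministic MAC over the plaintext leaks information.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 16


def keystream(k1: bytes, nonce: bytes, length: int) -> bytes:
    """Stream cipher from a PRF in counter mode: F_k1(nonce || i), i = 0, 1, ...
    HMAC-SHA256 plays the PRF here (assumption of this example, not the slides)."""
    blocks = []
    for i in range((length + 31) // 32):
        blocks.append(hmac.new(k1, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """c = Enc_k1(m) under a fresh nonce, then t = MAC_k2(c) over the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    c = nonce + xor(m, keystream(k1, nonce, len(m)))
    t = hmac.new(k2, c, hashlib.sha256).digest()
    return c + t


def verify_then_decrypt(k1: bytes, k2: bytes, packet: bytes):
    """Check the tag first: garbage or tampered data is rejected before any
    decryption work is done. Returns the plaintext, or None on failure."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    c, t = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k2, c, hashlib.sha256).digest(), t):
        return None
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return xor(body, keystream(k1, nonce, len(body)))


def encrypt_and_mac(k1: bytes, k2: bytes, m: bytes):
    """The insecure composition: t = MAC_k2(m) is sent beside c. The MAC is
    deterministic, so two encryptions of the same m carry the same tag and an
    observer learns that the messages are equal even though c differs."""
    nonce = os.urandom(NONCE_LEN)
    c = nonce + xor(m, keystream(k1, nonce, len(m)))
    return c, hmac.new(k2, m, hashlib.sha256).digest()
```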
Encryption only vs Encryption
& Authentication
• Most online tasks need to be both encrypted and authenticated.
• Obvious examples: online purchases and bank transactions.
• How about when encrypting files on a disk?
• Best practice is to always use encryption and authentication together.
• Authenticated encryption with associated data (AEAD): a variant of authenticated encryption that allows the message to include associated data, i.e., non-confidential data that is authenticated but not encrypted

25
Digital Signatures

• Cryptographic technique analogous to hand-written signatures
• Public-key counterpart of message authentication codes
• A signer who established a public key pk signs a message so that any other party who knows pk can verify that the message originated from the signer and has not been modified
• Publicly verifiable, offers non-repudiation

26
Digital Signatures

Algorithms:
• Gen: takes as input the security parameter 1^n and outputs a public key and private key (pk, sk):
  (pk, sk) ← Gen(1^n)
• Sign: takes as input private key sk ∈ {0, 1}min n and m ∈ {0,1}*, and outputs signature σ:
  σ ← Sign_sk(m)
• Verify (Vrfy): takes as input public key pk ∈ {0, 1}min n, m and σ, and outputs a bit b ∈ {0,1}
• Correctness: for every n, (pk, sk), m: Vrfy_pk(m, Sign_sk(m)) = 1

27
Digital Signatures

[Figure: plaintext message m → signature algorithm (sk) → (m, σ = Sign_sk(m)) → verification algorithm (pk) → Vrfy_pk(m, σ)]

• We assume that verifying parties obtain a legitimate copy of the sender’s public key
  • Implies that Alice is able to send a message (i.e., pk) in an authenticated manner.
• We desire signature σ to be unforgeable for a new message (without knowing sk).
28
RSA

• Invented in 1977, 1 year after Diffie-Hellman key exchange
• Named after Rivest, Shamir and Adleman
• Relies on the hardness of factoring large numbers into primes
• Given large n = pq where p and q are prime numbers, it is infeasible to find p or q

29
Prerequisite: modular arithmetic
• x mod n = remainder of x when divided by n
• Facts:
  [(a mod n) + (b mod n)] mod n = (a+b) mod n
  [(a mod n) - (b mod n)] mod n = (a-b) mod n
  [(a mod n) * (b mod n)] mod n = (a*b) mod n
• Thus
  (a mod n)^d mod n = a^d mod n
• Example: a=14, n=10, d=2:
  (a mod n)^d mod n = 4^2 mod 10 = 16 mod 10 = 6
  a^d = 14^2 = 196, a^d mod 10 = 196 mod 10 = 6

30
RSA: Creating public/private key pair

1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, z = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with z (e and z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1).
5. Public key pk is (n, e). Private key sk is (n, d).

31
RSA: Encryption, Decryption
0. Given pk = (n, e) and sk = (n, d) as computed above
1. To encrypt message m (< n), compute c = m^e mod n
2. To decrypt the received bit pattern c, compute m = c^d mod n

Magic happens: m = (m^e mod n)^d mod n, i.e., decrypting c recovers m
Why does RSA work?

• Must show that c^d mod n = m, where c = m^e mod n
• Fact: for any x and y: x^y mod n = x^(y mod z) mod n
  • where n = pq and z = (p-1)(q-1) (Fermat–Euler generalization)
• Thus,
  c^d mod n = (m^e mod n)^d mod n
            = m^(ed) mod n          (use: (a mod n)^d mod n = a^d mod n)
            = m^(ed mod z) mod n
            = m^1 mod n
            = m
33
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
Encrypting 8-bit messages.

Encrypt: bit pattern 00001100, m = 12, m^e = 12^5 = 248832, c = m^e mod n = 17
Decrypt: c = 17, c^d = 17^29 = 481968572106750915091411825223071697, m = c^d mod n = 12

34
RSA: Encryption to Digital Signatures

Dec_sk(Enc_pk(m)) = Enc_pk(Dec_sk(m))
(use public key first, followed by private key) = (use private key first, followed by public key): the result is the same
• Follows directly from modular arithmetic:
  (m^e mod n)^d mod n = m^(ed) mod n
                      = m^(de) mod n
                      = (m^d mod n)^e mod n

35
Textbook RSA Signature

Gen: (n, e, d) ← Gen(1^n); pk = (n, e), sk = (n, d)
Sign: σ := m^d mod n (using sk)
Vrfy: m =? σ^e mod n (using pk)

• Not secure!
• No-message attack:
  • Choose arbitrary σ
  • Compute m = σ^e mod n
  • Verification of (m, σ) succeeds!

36
Hashed RSA

Gen: (n, e, d) ← Gen(1^n); pk = (n, e), sk = (n, d)
Sign: σ := H(m)^d mod n (using sk)
Vrfy: H(m) =? σ^e mod n (using pk)

• Does the “no-message attack” work here?
• What other advantages over textbook RSA?
• A.k.a. the hash-and-sign paradigm. Not unique to RSA:
  • Elliptic-Curve Digital Signature Algorithm (ECDSA)

37
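RSA key generation, encryption, textbook signing, the no-message attack and hashed RSA (slides 31 to 37), as an added example that is not the course's code: it uses the slides' p=5, q=7, e=5 for the toy key and, for hashed RSA, a constructed larger key from two Mersenne primes (still far too small for real use); H(m) is SHA-256 reduced mod n, a simplification of real encodings such as PKCS#1.

```python
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Key generation as on the slides: n = pq, z = (p-1)(q-1), e coprime to z,
    d = e^-1 mod z. Returns (pk, sk) = ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    d = pow(e, -1, z)          # least d with ed mod z = 1 (slides pick d = 29 = 5 + 24)
    return (n, e), (n, d)


def rsa_encrypt(pk, m: int) -> int:       # c = m^e mod n, for m < n
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(sk, c: int) -> int:       # m = c^d mod n
    n, d = sk
    return pow(c, d, n)


def textbook_sign(sk, m: int) -> int:     # sigma = m^d mod n
    n, d = sk
    return pow(m, d, n)


def textbook_verify(pk, m: int, sigma: int) -> bool:   # m =? sigma^e mod n
    n, e = pk
    return pow(sigma, e, n) == m


def no_message_forgery(pk, sigma: int):
    """The slides' no-message attack: pick any sigma and output the (meaningless)
    message it verifies for. Uses only the public key."""
    n, e = pk
    return pow(sigma, e, n), sigma


def hash_to_int(m: bytes, n: int) -> int:
    # SHA-256 reduced mod n; real schemes use PKCS#1 v1.5 or PSS encoding instead.
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def hashed_sign(sk, m: bytes) -> int:     # sigma = H(m)^d mod n
    n, d = sk
    return pow(hash_to_int(m, n), d, n)


def hashed_verify(pk, m: bytes, sigma: int) -> bool:   # H(m) =? sigma^e mod n
    n, e = pk
    return pow(sigma, e, n) == hash_to_int(m, n)


TOY_PK, TOY_SK = rsa_keygen(5, 7, 5)                          # slides: n = 35, z = 24
BIG_PK, BIG_SK = rsa_keygen(2**31 - 1, 2**61 - 1, 65537)       # constructed ~92-bit n
```

With the toy modulus the forger's (m, σ) verifies under textbook RSA; under hashed RSA the same σ would need a message whose hash equals σ^e mod n, which the attacker cannot find for a full-size modulus.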
MAC vs Digital Signature
• Both are used for message authentication
• Both are unforgeable
MAC:
• Lightweight
• Good for unicast
• Requires shared key to be securely distributed

Digital Signature:
• Expensive
• Applicable to multicast
• Publicly verifiable
• Non-repudiation
• Requires public key to be securely distributed
38
