Summer 2006
Digital Signature and Hashing Functions
Prepared by: Maher Abu Hamdeh & Adel Hamdan
Supervised by: Dr. Lo’ai Tawallbeh
1

• 11.1 Message authentication
• 11.2 Hash function
• 11.3 Message Authentication Code MAC
• 12.1 Secure hash algorithm
– SHA-512
• 13.1 Digital signature
– Direct digital signature
– Arbitrated digital signature
• 13.3 Digital signature standard DSS
2

• Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication assures that data received exactly as sent.
• The two most common cryptography techniques for message authentication are a message authentication code ( MAC ) and a secure hash function .
• A hash function maps a variable-length message into a fixed hash value, or message digest. For message authentication, a secure hash function must be combined in some fashion with a secret key.
3

• A hash function accepts a variable-size message M as input and produces a fixedsize output, referred to as a hash code.
• Unlike MAC, a hash code does not use a key but a function only of the input message.
• The hash code is also referred to as a message digest or hash value .
4

Only the hash code is encrypted, using public key encryption and using the sender’s private key. This provide authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. In fact, this is the essence of the digital signature technique
• turns variable-length message M into fixed-size block H(M)
• produces “fingerprint” of a file, “message digest”
• hash function is “one way”, does not use secret key
• various uses, e.g., integrity, digital signature
5

• The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each.
• If necessary, the final block is padded to b bits.
• The final block also includes the value of the total length of the input to the hash function.
• The hash algorithm involves repeated use of a compression function, f, that takes two inputs( an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output.
• At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm
6

11.3 Message Authentication Code MAC
• Use of secret key to generate a small fixed size block of data, known as a cryptographic checksum or MAC that is appended to the message.
• This technique assumes that the two communicating parties, say A and B, share a common secret key K.
• When A has a message to send to B, it calculates the
MAC as a function of the message and the key, where the message plus MAC are transmitted to the intended recipient.
• The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC.
• The received MAC is compared to the calculated MAC.
7

MAC=C(K,M)
M: input message
C: MAC Functionn
K: shared secret key
MAC: Message Authentication Code
8

• The Secure Hash Algorithm (SHA) was developed by the national institute of standards and technology (NIST)
• SHA- 512 logic
– The algorithm takes as input a message with a maximum length of less than 2 128 bits and produces as output a 512-bit message digest.
– The input is processed in 1024-bit blocks
9

Table 12.1. Comparison of SHA Parameters
SHA-1 SHA-256 SHA-384 SHA-512
Message digest size 160
Message size <2 64
256
<2 64
384
<2 128
512
<2 128
Block size
Word size
Number of steps
512
32
80
512
32
64
1024
64
80
1024
64
80
10

1.
pad message so its length is 896 mod 1024
2.
A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer (most significant byte first) and contain the length of the original message (before the padding)
3.
initialize 512-bit buffer (see textbook for values)
Intermediate hash value a = 6A09E667F3BCC908 b = BB67AE8584CAA73B c = 3C6EF372FE94F82B c = A54FF53A5F1D36F1 e = 510E527FADE682D1 f = 9B05688C2B3E6C1F g = 1F83D9ABFB41BD6B h = 5BE0CDI9137E2179
These values are stored in big-endian format, which is the most significant byte of a word in the low address byte position.
11

4- process message in 1024-bit blocks (128-word):
– The heart of the algorithm is a module that consists of 80 rounds
– Each round takes as input the 512-bit buffer value abcefgh, and updates the content of the buffer
– At input to the first round, the buffer has the value of the intermediate hash value , H i-1
– expand 1024-bit block into 80 round, 64-bit blocks by mixing & shifting
– use 80 rounds of 64-bit operations on message block & buffer
– add output to input to form new buffer value
5- output hash value is the final buffer value
12

13

14

see textbook for details
15

16

• A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
• The signature is formed by taking the hash of the message and encrypting the message with the creator’s private key.
The signature guarantees the source and integrity of the message
17

• The direct digital signature involve only sender & receiver (source & destination)
• It is assumed that receiver has sender’s publickey
• digital signature may be formed by encrypting the entire message with the sender’s private key. or by encrypting a hash code of the message with the sender’s private key.
• security depends on sender’s private-key
18

19

• Weakness
– The validity of the scheme depends on the security of the sender’s private key . If a sender later wishes to deny sending a particular message, the sender can claim that the private key lost or stolen.
– Another threat is that some private key might actually be stolen from X at time T. the opponent can then send a message signed with X’s signature and stamped with a time before or equal to T.
20

• The problem associated with direct digital signature can be addressed by using an arbiter.
• Every signed message from a sender X to a receiver Y goes first to an arbiter A. who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.
• The presence of A solves the problem faced by direct signature schemes: that X might disown the message
• requires suitable level of trust in arbiter
• can be implemented with either private or public-key algorithms
• arbiter may or may not see message
21

• Conventional encryption (table13.1)
• X  A : M || E ( K xa
• A  Y : E( K ay
,[ ID x
,[ ID x
|| H (M) ] )
|| M || E (K xa
,[ ID x
||H(M))] ) || T ])
– It is assumed that the sender X and the arbiter A share a secret key K xa and that A and Y share secret key K ay
. X constructs a message M and computes its hash value H(m) . Then X transmits the message plus a signature to A. the signature consists of an identifier ID x of X plus the hash value, all encrypted using K xa
.
– A decrypts the signature and checks the hash value to validate the message. Then A transmits a message to Y, encrypted with K ay message includes ID x a timestamp.
. The
, the original message from X, the signature, and
– Arbiter sees message
– Problem : the arbiter could form an alliance with sender to deny a signed message, or with the receiver to forge the sender’s signature.
22

• Public Key encryption (table 13.1)
• X 
A : ID x
||E( PR x
,[ ID x
|| E ( PU y
, E( PR x
, M))])
• A 
Y : E( PR a
, [ ID x
||E (PU y
, E (PR x
, M))|| T] )
– X double encrypts a message M first with X’s private key,PR and then with Y’s public key,PU y x
,
. This is a signed, secret version identifier , is encrypted again with PR x and, together with ID x
, is sent t A. the inner, double encrypted message is secure from the arbiter ( and everyone else except Y)
– A can decrypt the outer encryption to assure that the message must have come from X( because only X has PR x transmits a message to Y, encrypted with PR a includes ID x
– Arbiter does not see message
). Then A
. The message
, the double encrypted message, and a timestamp.
23

• The DSS makes use of the secure hash algorithm (SHA) .
• The DSS uses an algorithm that is designed to provide only the digital signature function.
– RSA approach
– DSS approach
24

25

• The message to be signed is input to a hash function that produce a secure hash code of fixed length. This hash code is then encrypted using the sender’s private key to form the signature
• Both the message and the signature are then transmitted.
• The recipient takes the message and produces a hash code.
• If the calculated hash code matches the decrypted signature, the signature is accepted as valid.
26

PR a sender’s private key
PU
G global public key
See algorithm 3 page 391
Signing r= (g k mod p) mod q s= [k -1 (H(M) + xr)] mod q
Signature = (r, s) 27

• The DSS approach make use of a hash function.
The hash code is provided as input to a signature function along with a random number k generated for this particular signature.
• The signature function also depends on the sender’s private key (PR a
) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (Pu
G
).
• have shared global public key values (p,q,g):
• The result is a signature consisting of two components, labeled s and r .
28

• At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function.
• The verification function also depends on the global public key as well the sender’s public key
(PU a
), which is paired with sender’s private key.
• The output of the verification function is a value that is equal to the signature component r if the signature is valid
29

• Global public key component:
• have shared global public key values (p,q,g):
– p prime number where 2 L-1 < P < 2 L
• where L= 512 to 1024 bits and is a multiple of 64
– q prime divisor of p-1 where 2 159 < q < 2 160
– g = h (p-1) /q mod p
• where h is any integer with 1 < h < (p-1)
• Such that h (p-1)/q mod p > 1
30

• having received M & signature (r,s)
• to verify a signature, recipient computes: w = s’ -1 (mod q) u1= [H(M’).w]mod q u2= (r’.w)mod q v = [g u1 .y
u2 (mod p)] mod q
• if v=r then signature is verified
• see book web site for details.
31