Taking into account the types of attacks, the MAC needs to satisfy the following:
• The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key
• The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext
• The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others
Message Digest 5 (MD5)
Input: blocks of 512 bits
Initial vector: 128 bits
Output: 128 bits
For each 512-bit input block: 4 rounds performed
MD5: Message Digest Version 5
The 128-bit buffer ABCD is passed through four rounds; each round consumes the 16 words of the current message block m_i and 16 of the 64 constants T:
ABCD = f_F(ABCD, m_i, T[1..16])
ABCD = f_G(ABCD, m_i, T[17..32])
ABCD = f_H(ABCD, m_i, T[33..48])
ABCD = f_I(ABCD, m_i, T[49..64])
The four resulting words are then added (mod 2^32), word by word, to the buffer that entered the block, giving MD(i+1).
Each step t (0 <= t <= 63, i.e. 4 rounds of 16 steps):
• Input:
– m_t – a 32-bit word from the current message block (X[k] below); the word order and the rotation amount differ in every round
– T_t – int(2^32 * abs(sin(i))), 1 <= i <= 64, with i in radians
Provides a "randomized" set of 32-bit patterns, which eliminates any regularities in the input data
– ABCD: current MD
• Output:
– ABCD: new MD
MD5 Compression Function
• Each round has 16 steps of the form:
a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a, b, c, d refer to the 4 words of the buffer, but used in varying permutations
– note this updates 1 word only of the buffer
– after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F, G, H, I)
• X[k] – message word (k depends on the round and the step)
• T[i] – round constant (i is the step number, 1..64)
• s – left-rotation amount, which varies by round and by step
Functions and Random Numbers
• F(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)
– selection function: each bit of the result is taken from C where B is 1 and from D where B is 0
• G(B,C,D) = (B ∧ D) ∨ (C ∧ ¬D)
• H(B,C,D) = B ⊕ C ⊕ D
• I(B,C,D) = C ⊕ (B ∨ ¬D)
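To make the round structure above concrete, the following Python is an added example (not code from the slides): it builds the T[i] = floor(2^32 * |sin(i)|) constants, the per-round word order and rotation amounts, runs the 64 steps of the form a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), and checks its digest against hashlib. It is here to show how the pieces fit together; MD5 itself no longer offers collision resistance and should not be chosen for new designs.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# T[i] = floor(2^32 * |sin(i)|), i = 1..64 (i in radians); list index 0 holds T[1]
T = [int(2 ** 32 * abs(math.sin(i))) & MASK for i in range(1, 65)]

# Left-rotation amount s for each of the 64 steps (four values per round, repeated)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# Index k of the message word X[k] consumed at step t (a different order in every round)
K = ([t for t in range(16)] +
     [(5 * t + 1) % 16 for t in range(16)] +
     [(3 * t + 5) % 16 for t in range(16)] +
     [(7 * t) % 16 for t in range(16)])


def F(b, c, d): return ((b & c) | (~b & d)) & MASK   # round 1: selection function
def G(b, c, d): return ((b & d) | (c & ~d)) & MASK   # round 2
def H(b, c, d): return (b ^ c ^ d) & MASK            # round 3
def I(b, c, d): return (c ^ (b | ~d)) & MASK         # round 4


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def compress(state, block):
    """Push one 512-bit block through the four rounds; return the new 4-word MD."""
    X = struct.unpack("<16I", block)          # 16 little-endian 32-bit words
    a, b, c, d = state
    for t in range(64):
        g = (F, G, H, I)[t // 16]             # nonlinear function for this round
        # the step from the slides: a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
        new_b = (b + rotl((a + g(b, c, d) + X[K[t]] + T[t]) & MASK, S[t])) & MASK
        a, b, c, d = d, new_b, b, c           # only one word changes; the rest rotate
    # word-wise addition (mod 2^32) with the MD that entered this block
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d))]


def md5(msg: bytes) -> str:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]   # 128-bit initial vector
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"                                     # 1 bit, then zeros ...
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)                       # ... then length in bits
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        print(md5(sample), matches_hashlib(sample))
```

The word index table K and the rotation table S are the reason "different shift every round" holds: within a round the same four rotation amounts repeat, but each round uses a different set and walks the 16 message words in a different order.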
Secure Hash Algorithm (SHA)
Properties a digital signature must provide:
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties, to resolve disputes
Attacks
(A is the signer whose scheme is under attack; C is the attacker)
• Key-only attack: C only knows A's public key
• Known message attack: C is given access to a set of messages and their signatures
• Generic chosen message attack: C chooses a list of messages before attempting to break A's signature scheme, independent of A's public key; C then obtains from A valid signatures for the chosen messages
• Directed chosen message attack: similar to the generic attack, except that the list of messages to be signed is chosen after C knows A's public key but before any signatures are seen
• Adaptive chosen message attack: C may request from A signatures of messages that depend on previously obtained message-signature pairs
Forgeries
• Total break: C determines A's private key
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages
• Selective forgery: C forges a signature for a particular message chosen by C
• Existential forgery: C forges a signature for at least one message; C has no control over the message
Digital Signature Requirements
• The signature must be a bit pattern that depends on
the message being signed
• The signature must use some information unique to
the sender to prevent both forgery and denial
• It must be relatively easy to produce the digital
signature
• It must be relatively easy to recognize and verify the
digital signature
• It must be computationally infeasible to forge a digital
signature, either by constructing a new message for
an existing digital signature or by constructing a
fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital
signature in storage
Direct Digital Signature
• Refers to a digital signature scheme that involves only the
communicating parties
– It is assumed that the destination knows the public key of the source
– The validity of the scheme depends on the security of the sender’s private
key
– If a sender later wishes to deny sending a particular message, the sender can
claim that the private key was lost or stolen and that someone else forged his or
her signature
– One way to thwart or at least weaken this ploy is to require every signed message
to include a timestamp and to require prompt reporting of compromised keys to a
central authority
ElGamal Digital Signature
• The private key is used for signing and the public key for verification (the slides phrase this as private key for "encryption", public key for "decryption")
• Global elements are a prime number q and a, which is a primitive root of q
ElGamal digital signature
Select a prime number q and a, where a is a primitive root of q.
Verification at Receiver Side
Example: choose q = 19 and a = 10.
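The signing and verification steps of the standard ElGamal scheme, carried through on the slides' parameters q = 19 and a = 10, as an added Python example (not code from the slides). The private key x = 16, the message hash m = 14 and the per-signature secret k = 5 are assumed values for the walkthrough; hash_to_int is an assumed helper that reduces a SHA-256 digest for the toy modulus. Beyond the slides, the block also shows the check a practitioner wants: what happens when k is reused for two messages (the same s1 appears twice and the private key can be solved for), which is why k must be fresh and secret for every signature.

```python
import hashlib
import secrets
from math import gcd


def keygen(q, a, x=None):
    """Public key y = a^x mod q for private x in [1, q-2]; x is random unless supplied."""
    if x is None:
        x = 1 + secrets.randbelow(q - 2)
    if not 1 <= x <= q - 2:
        raise ValueError("x must lie in [1, q-2]")
    return pow(a, x, q), x


def hash_to_int(message: bytes, q):
    """Assumed toy helper: reduce SHA-256 into [0, q-2]. Real q is large enough to avoid this."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (q - 1)


def sign(q, a, x, m, k=None):
    """ElGamal signature (s1, s2) on message hash m using private key x."""
    if k is None:  # fresh secret k, coprime to q-1, chosen once per signature
        while True:
            k = 1 + secrets.randbelow(q - 2)
            if gcd(k, q - 1) == 1:
                break
    if not (1 <= k <= q - 2) or gcd(k, q - 1) != 1:
        raise ValueError("k must lie in [1, q-2] and be coprime to q-1")
    s1 = pow(a, k, q)                       # s1 = a^k mod q
    k_inv = pow(k, -1, q - 1)               # k^-1 mod (q-1), Python 3.8+
    s2 = (k_inv * (m - x * s1)) % (q - 1)   # s2 = k^-1 (m - x*s1) mod (q-1)
    return s1, s2


def verify(q, a, y, m, sig):
    """Accept iff a^m == y^s1 * s1^s2 (mod q), after a range check on (s1, s2)."""
    s1, s2 = sig
    if not (1 <= s1 <= q - 1 and 0 <= s2 <= q - 2):
        return False                        # malformed values are rejected outright
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


def roundtrip(q, a, m):
    """Fresh key and fresh k each call; True when the signature verifies."""
    y, x = keygen(q, a)
    return verify(q, a, y, m, sign(q, a, x, m))


def recover_x_from_nonce_reuse(q, a, y, m1, sig1, m2, sig2):
    """Two signatures with the same s1 were made with the same k: solve for k, then x."""
    (s1, s2a), (s1b, s2b) = sig1, sig2
    if s1 != s1b:
        return None
    n = q - 1
    d = (s2a - s2b) % n                     # s2a - s2b = k^-1 (m1 - m2) mod n
    if gcd(d, n) != 1:
        return None                         # this pair does not pin k down uniquely
    k = ((m1 - m2) * pow(d, -1, n)) % n
    # x*s1 == m1 - k*s2a (mod n); s1 may share a factor with n, so enumerate the candidates
    rhs = (m1 - k * s2a) % n
    g = gcd(s1, n)
    if rhs % g:
        return None
    x0 = (rhs // g) * pow(s1 // g, -1, n // g) % (n // g)
    for t in range(g):
        x = x0 + t * (n // g)
        if pow(a, x, q) == y:               # only the true x reproduces the public key
            return x
    return None


if __name__ == "__main__":
    q, a = 19, 10                           # global elements from the slides
    y, x = keygen(q, a, x=16)               # x = 16 assumed -> y = 4
    sig = sign(q, a, x, 14, k=5)            # m = 14, k = 5 assumed -> (3, 4)
    print(y, sig, verify(q, a, y, 14, sig), verify(q, a, y, 15, sig))
    sig2 = sign(q, a, x, 7, k=5)            # same k reused on a second message
    print(recover_x_from_nonce_reuse(q, a, y, 14, sig, 7, sig2))   # recovers 16
```

With q = 19 the arithmetic can be checked by hand: y = 10^16 mod 19 = 4, s1 = 10^5 mod 19 = 3, 5^-1 mod 18 = 11, s2 = 11 * (14 - 48) mod 18 = 4, and both v1 = 10^14 mod 19 and v2 = 4^3 * 3^4 mod 19 equal 16. The range check in verify matters in practice: without it a signature with s1 = 0 would make y^0 * 0^s2 degenerate instead of being rejected.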
Schnorr Digital Signature