COMPUTER SECURITY

SEGMENT-5
Hash Function

 A hash function H accepts a variable-length block

of data M as input and produces a fixed-size hash
value h = H(M). A “good” hash function has the
property that the results of applying the function to
a large set of inputs will produce outputs that are
evenly distributed and apparently random. In
general terms, the principal object of a hash
function is data integrity. A change to any bit or bits
in M results, with high probability, in a change to the
hash value.
Hash Function

 The kind of hash function needed for security

applications is referred to as a cryptographic hash
function. A cryptographic hash function is an algorithm
for which it is computationally infeasible (because no
attack is significantly more efficient than brute force) to
find either (a) a data object that maps to a pre-specified
hash result (the one-way property) or (b) two data
objects that map to the same hash result (the collision-
free property). Because of these characteristics, hash
functions are often used to determine whether or not
data has changed.
Applications of Cryptographic Hash
Function.
 Message Authentication is a mechanism or service
used to verify the integrity of a message. Message
authentication assures that data received are
exactly as sent (i.e., there is no modification,
insertion, deletion, or replay). In many cases, there is
a requirement that the authentication mechanism
assures that purported identity of the sender is
valid. When a hash function is used to provide
message authentication, the hash function value is
often referred to as a message digest.
Applications of Cryptographic Hash
Function.
 The essence of the use of a hash function for
message integrity is as follows. The sender computes
a hash value as a function of the bits in the message
and transmits both the hash value and the message.
 The receiver performs the same hash calculation on
the message bits and compares this value with the
incoming hash value.
 If there is a mismatch, the receiver knows that the
message (or possibly the hash value) has been
altered (Figure 11.2a).
Applications of Cryptographic Hash
Function.
 The hash value must be protected so that if an adversary
alters or replaces the message, it is not feasible for adversary
to also alter the hash value to fool the receiver.
 This type of attack is shown in Figure 11.2b. In this example,
Alice transmits a data block and attaches a hash value. Darth
intercepts the message, alters or replaces the data block, and
calculates and attaches a new hash value.
 Bob receives the altered data with the new hash value and
does not detect the change. hash value generated by Alice
must be protected.
Applications of Cryptographic Hash
Function.
 Hash functions are commonly used to create a one-
way password file. Chapter 21 explains a scheme in
which a hash of a password is stored by an operating
system rather than the password itself. Thus, the actual
password is not retrievable by a hacker who gains
access to the password file. In simple terms, when a
user enters a password, the hash of that password is
compared to the stored hash value for verification.
This approach to password protection is used by most
operating systems.
Applications of Cryptographic Hash
Function.
 Hash functions can be used for intrusion detection and
virus detection. Store H(F) for each file on a system
and secure the hash values. One can later determine
if a file has been modified by recomputing H(F). An
intruder would need to change F without changing
H(F).
A Simple Hash Function
Secure Hashing Algorithm- 3 (SHA-3)

 A central requirement by NIST for the SHA-3 hash

function was the support of the following output lengths:
224 bits,256 bits, 384 bits, 512 bits.
 SHA-2 Replacement Mode: In this mode, SHA-3
produces a fixed-length output of 224, 256, 384, or 512
bits, as described above.
 Variable-length Output Mode: This mode allows to use
SHA-3 for the generation of arbitrarily many output bits.
Secure Hashing Algorithm- 3 (SHA-3)

 The hash function is based on what is called a sponge

construction. After the pre-processing (which divides the
message into blocks and provides padding),
 The sponge construction consists of two phases:
Absorbing (or input) phase: The message blocks xi
are passed to the algorithm and processed.
 Squeezing (or output) phase: An output of
configurable length is computed.
 You can initialize b as a string of 0 bits.
 Security Level- N bit security level for a cryptographic
hash function means that the attacker would have to
perform 2N operations to break the hash function.
 For cipher, you would call it 2N operations to break
the cipher.
Padding
Keccak Function f
Keccak Function f
Message Authentication Requirements
 In the context of communications across a network, the
following attacks can be identified.
 1. Disclosure: Release of message contents to any person or
process not possessing the appropriate cryptographic key.
 2. Traffic analysis: Discovery of the pattern of traffic
between parties.
 3. Masquerade: Insertion of messages into the network from
a fraudulent source.
 4. Content modification: Changes to the contents of a
message, including insertion, deletion, and modification.
 5. Sequence modification: Any modification to a sequence of
messages between parties, including insertion, deletion, and
reordering.
Message Authentication Requirements
 6. Timing modification: Delay or replay of messages.
 7. Source repudiation: Denial of transmission of message by
source.
 8. Destination repudiation: Denial of receipt of message by
destination.
Message Authentication Requirements
 Message authentication is a procedure to verify that received
messages come from the alleged source and have not been
altered. Message authentication may also verify sequencing
and timeliness. A digital signature is an authentication
technique that also includes measures to counter repudiation
by the source.
Message Authentication Functions
 ■ Hash function: A function that maps a message of any
length into a fixed-length hash value, which serves as the
authenticator
 ■ Message encryption: The ciphertext of the entire
message serves as its authenticator
 ■ Message authentication code (MAC): A function of the
message and a secret key that produces a fixed-length value
that serves as the authenticator
Digital Signature
 Digital Signature Standard (DSS): This Standard
specifies a suite of algorithms that can be used to
generate a digital signature.
Kerberos
Kerberos
Kerberos
Kerberos
Digital Certificate
Digital Certificate
X.509 Certificates
 X.509 is a standard format for public key certificates,
digital documents that securely associate cryptographic
key pairs with identities such as websites, individuals, or
organizations.
X.509 Certificates
Pretty Good Privacy (PGP)
 See PGP sheet 1.
S/MIME
 Secure/Multipurpose Internet Mail Extension (S/MIME)
is a security enhancement to the MIME Internet email
format standard based on technology from RSA Data
Security.
S/MIME Authentication
S/MIME Confidentiality
S/MIME Confidentiality+
Authentication
S/MIME Confidentiality +
Authentication
S/MIME Confidentiality +
Authentication
References and disclaimer
 All resources used here are properties of the respective owners. Those are
used here for educational purpose.
 References:
 1. Cryptography and Network Security, Principles and Practice (7th Edition)
 -William Stallings.
 2. [Link]
data-integrity-with-hash-
codes#:~:text=A%20hash%20value%20is%20a,than%20signing%20the%
20larger%20value.
 3. [Link]
ad896365a0c1
 4. [Link]
 5. [Link]
 [Link]://[Link]/en/design/technical-documents/app-
notes/7/[Link]
 8. [Link]
 9. [Link]
 [Link]