As mentioned previously, one of the things cryptography offers its users is the capability to verify integrity and authentication. Integrity ensures that the information remains unchanged and is in its true original form.
Authentication provides the capability to ensure that messages were sent from those you believed sent them and that the message is sent to its intended recipient.
Message digests are produced by using one-way hashing functions. They are not intended to be used to reproduce the data. The purpose of a digest is to verify the integrity of data and messages. A well-designed message digest examines every bit of the data while it is being condensed, and even a slight change to the data will result in a large change in the message hash.
All of the MD algorithms were developed by Ron Rivest. These have progressed through the years as technology has advanced. The original was MD2, which was optimized for 8-bit computers and is somewhat outdated. It has also fallen out of favor because MD2 has been found to suffer from collisions. MD4 was the next to be developed. The message is processed in 512-bit blocks, and a 64-bit binary representation of the original length of the message is added to the message. As with MD2, MD4 was found to be subject to possible attacks. That's why MD5 was developed: It could be considered an MD4 with additional safety mechanisms. MD5 processes a variable-size input and produces a fixed 128-bit output. As with MD4, it processes the data in blocks of 512 bits. MD5 has also been broken.
Collisions occur when two message digests produce the same hash value. This is undesirable because it can mask the fact that someone might have changed the contents of a file or message.
SHA-1 is a secure hashing algorithm (SHA) that is similar to MD5. It is considered the successor to MD5 and produces a 160-bit message digest. SHA-1 processes messages in 512-bit blocks and adds padding, if needed, to get the data to add up to the right number of bits. SHA-1 has only 111-bit effectiveness. SHA-1 is part of a family of SHA algorithms, including SHA-0, SHA-1, and SHA-2. SHA-0 is no longer considered secure, and SHA-1 is also now considered vulnerable to attacks. Safe replacements are SHA-256 and SHA-512.
HAVAL is another one-way hashing algorithm that is similar to MD5. Unlike MD5, HAVAL is not tied to a fixed message-digest value. HAVAL-3-128 makes three passes and produces a 128-bit fingerprint, and HAVAL-4-256 makes four passes and produces a 256-bit fingerprint length.
The Hashed Message Authentication Code (HMAC) was designed to be immune to the multicollision attack. This functionality was added by including a shared secret key. In simple terms, HMAC functions by using a hashing algorithm such as MD5 or SHA-1 and altering the initial state by adding a password. Even if someone can intercept and modify the data, it's of little use if that person does not possess the secret key. There is no easy way for the person to re-create the hashed value without it.
Digital signatures are based on public key cryptography and are used to verify the authenticity and integrity of a message. Digital signatures are created by passing a message's contents through a hashing algorithm. The hashed value is encrypted with the sender's private key. Upon receiving the message, the recipient decrypts the encrypted sum and then recalculates the expected message hash. These values should match to ensure the validity of the message and prove that it was sent by the party believed to have sent it because only that party has access to the private key.
Message Authentication Code (MAC)
A Message Authentication Code (MAC) is similar to a digital signature, except that it uses symmetric encryption. MACs are created and verified with the same secret (symmetric) key. Four types of MACs exist: unconditionally secure, hash functionbased, stream cipherbased, and block cipherbased.
Digital Signature Algorithm (DSA)
Things are much easier when we have standards, and that is what the Digital Signature Algorithm (DSA) was designed for. The DSA standards were proposed by NIST in 1991 to standardize Digital Signature Standards (DSS). The DSA digital signature algorithm involves key generation, signature generation, and signature verification. It uses SHA-1 in conjunction with public key encryption to create a 160-bit hash. Signing speeds are equivalent to RSA signing, but signature verification is much slower. The DSA digital signature is a pair of large numbers represented as binary digits.
The CISSP Cram Sheet
A Note from Series Editor Ed Tittel
About the Author
We Want to Hear from You!
The CISSP Certification Exam
Access-Control Systems and Methodology
System Architecture and Models
Telecommunications and Network Security
Applications and Systems-Development Security
Business Continuity Planning
Law, Investigations, and Ethics
Practice Exam 1
Answers to Practice Exam 1
Practice Exam 2
Answers to Practice Exam 2