Data Integrity. So let's first define our agenda. We will start with what is a hash function. You will see it's something really important for the integrity check. Then we'll discuss integrity and security. And in the last part, we define what message authentication is, and we'll see how it's addressed with symmetric cryptography and asymmetric cryptography.

So let's start with a hash function. What is the purpose of a hash function? A hash function should generate a fixed-size value based on input data of unknown size. So imagine you've got a huge file, gigabytes of data. It's an input for your hash function. And the output of this should be a fixed-size digest value. This function has some ideal properties. What are they? First, any modification in the input should change the digest value. That means if you've got one bit that has been modified in the input file, you should have a new digest. The other one is if you just have the digest, you can't find any idea of what is the input of this function. And the last one, two different inputs should generate different digest values. So I say that it was ideal because in reality, all algorithms could have some weakness. And it's why some algorithms are considered as broken and some others not. Or not yet, I would say, unfortunately.

Let's come back to Bob and Alice. So Alice writes this letter. She will use our hash function and will generate the digest. She will send this digest to Bob. And she will also send this letter to Bob. So Bob could ensure the text has not been modified because he will hash it again. And he should find exactly the same digest that has been computed by Alice. If it's okay, that means the text has not been modified. Quite simple. From the security point of view, we will discuss this later.

Now the main algorithms about hash. You've got the MD5. So Message Digest 5. You've got the output size and the status is broken. As I say, it's serious. And ideal properties for all those algorithms.
And sometimes, unfortunately, some hackers managed to find some weakness. You've got the SHA-1 with an output size of 160 bits. The status is broken also. SHA-2, it's considered as secure, sorry, starting from the output size of 256 bits. And you've got SHA-3 with different output sizes also. Here, this one is okay.

Now I propose we continue with a short hands-on just to fix our ideas. Really, by this one, just compute some hash. So here, some hands-on with digest. Quite trivial, but okay. I think it's important to go through all those things. So always my same example. But I will also provide you another one where I just modify one bit. Oh, this one. You can look here. You've got a C regarding B before. So everything is the same except one bit. So let's compute some digest. It's quite trivial, but okay. So OpenSSL, digest. And then you say which digest you want to use. So for example, MD5, even if it's complicated, it could be used for other topics. So with example.bin, you've got, I would say, this output, which is a digest. And if I do exactly the same with the one-bit-modified file, the value is completely different. So I would say you can replace the MD5 by all the values of the different algorithms possible, those that are available in this version of OpenSSL. You can use SHA-1 if you want. You can use SHA-256 or 512. Okay. And if I do it with the version that is one bit modified, the value is quite different. So quite trivial, but it's possible to experiment this with OpenSSL. And sometimes it could be useful when you receive something on the net. Sometimes you can find the MD5 just to check that you have properly downloaded and you can use OpenSSL to check this.

Integrity and security. We have seen together how to use a hash value to generate, I would say, some digest. But from the security point of view, it's not very useful. Why? Imagine Eve. She gets a message from Alice. She modifies it. She can recompute the digest.
And she will send this letter and this new digest to Bob. So I would say it's not useful from a security point of view. You can be sure. It's just something you can use for, I would say, some integrity check, but without any assurance that nobody regenerates the digest. So a solution would be to do a combination with encryption. This is the message authentication.

Message authentication is a combination of a hash function and some symmetric cryptography or asymmetric cryptography. For the symmetric cryptography, we will see HMAC and AES-GCM, and for the asymmetric one, signatures with RSA and ECC. The purpose is to ensure that an attacker can't alter the data and the digest without being detected. In fact, we don't want Eve to manage to modify the data.

With the symmetric cryptography, first let's start with HMAC. Symmetric, that means you already have a common secret between Bob and Alice, our golden key. This time, Alice will write this letter and will just send this letter as it is. It is not encrypted in this case because she's not shy at all. So she will combine this letter with the key. Frankly speaking, it's not really an encryption. It's just a concatenation of those information. And she will put this as input of the hash function. So she will get a digest. She will send this digest to Bob. And Bob will do the same algorithm. He will concatenate the same way the key with the file, put it as input of the hash, and compare the digest value. If we imagine Eve, she can cut the text, but she doesn't have this common secret. So she can't regenerate exactly the same digest, or she will generate something that is not correct. So Bob will detect that it's not the same digest. So that's it. Quite simple.

Another algorithm is AES-GCM, Galois/Counter Mode. You remember when we saw together the different algorithms in symmetric encryption? I had already told you about this AES-GCM, but I didn't want to address it before. Why?
In fact, if we can encrypt with the counter mode, it will also use a specific hash function, which will rely on Galois field multiplication to ensure the integrity of the message. So it's why I didn't address it before. So it will encrypt some data to ensure confidentiality and it will also generate a tag which allows to ensure the message authentication.

Let's see some details. What are the inputs? In fact, we've got data we want to encrypt, but we also have some information we don't need to encrypt, headers or a sequencer. We also have a key, I would say a symmetric key. So the input of this algorithm will be this additional data that will be taken into account to generate the hash or the tag value, a sequencer, which will be the initialization vector of our counter mode. And we've got the plaintext. This one should be encrypted. And the result of this algorithm would be some encrypted data which corresponds to the plaintext. We've got a tag which, we'll say, would be unique: if you modify anything in the data or in the headers, the tag should change. And you've got the headers and the sequencer which have not been encrypted, so they need to be transmitted, I would say, with all the information, because without the headers you can't generate the tag, or the good tag. That is for the input and the output.

Let's see the algorithm. Please don't be afraid by this. If you just look at this part, initialization vector, counters, increment of the counters, encryption of a plaintext, or encryption of the counter, sorry. So with the plaintext and the ciphertext. This part is really the counter mode as we have seen before, the classical one. What is new with this part? All the multiplication hash we've got here. And so we've got, as you can see, the authentication data, which would be the headers, for sure. So there is a hash function and we XOR the result of this hash function with the ciphertext. And we will hash the result again. And we'll hash the result again.
So it's not a classical hash. It's a Galois one, but yes. We just consider it as a function that could generate a new digest. And even the length of the data would be taken into account. And finally you've got the authentication tag. So to sum up. You just encrypt like in the counter mode and at the same time you generate a tag which could ensure the integrity. Any modification in the input of the plaintext should generate a new tag. Any modification in the IV, the length of the headers or the headers should generate a new tag. So it's really to ensure integrity of both. The problem of this, or not the problem, or I would say the drawback, is that to check the tag you need to encrypt or to decrypt.

If we check the agenda, we have seen together the hash function. You remember, huge input data and finally a fixed-size digest with some ideal properties you always keep in mind. One modification of the input will modify the digest. With the digest I can't find any information on the input. And two different inputs should generate two different digests. Integrity and security. Not so useful. So we had to define message authentication, a combination of a hash and some symmetric encryption. And we have seen together the HMAC and AES-GCM algorithms.

Now let's do it with asymmetric. It will be the signatures with RSA and ECC. So with the asymmetric cryptography we are talking about signatures. A signature is the encryption of a digest thanks to asymmetric cryptography. So here I chose the word encryption. But you remember, we don't do encryption directly. So for ECC it's a specific algorithm. I don't go into details, but let's keep the term encryption like for RSA because it just simplifies the understanding. So again we've got Bob and Alice. Each one has a key pair. So the public parts are green, the private parts are red. So Alice will write the letter. She will send it to Bob in clear because she doesn't care about confidentiality. She's not shy.
And then she will do the hash of her letter. She will get a digest. The digest, we will encrypt it thanks to asymmetric cryptography. So the question now is which key should I use? You remember for the confidentiality, when we want to encrypt some data we use the public key of the recipient. Do you think here it's a good idea? Let's check together.

So I propose that Alice will try all the keys possible. First one, she can use her public key. So if you encrypt something with a public key you can only decrypt it with the private key associated. So only Alice could decrypt the signature. No sense. Bob's public key, like the encryption for confidentiality. So quite good. I generate my hash. I encrypt it with Bob's public key so only Bob can decrypt it. Yes, but the problem is Eve could have access to the public key, so she can compute a new digest. She can encrypt it with Bob's key. Bob decrypts and thinks the message is good. So it's not a good way to do it. The last thing, Alice could use her private key. So everybody could decrypt the signature. That's good. I mean what is important is that you manage to check the signature but don't generate a new signature. So in this case Eve can't generate a new signature. She can decrypt the digest so she can just check the integrity of the message. But it's not confidential. Alice doesn't care if somebody has access to the content, but what is sure is that Eve can't generate a new signature.

So if we come back to where we are, we encrypt the digest with the private key of Alice. So it's Alice that generates the signature of her message. Then she sends this message encrypted to Bob. So Bob will check this integrity thing. Hash function on the data, he will get a digest. Take the signature. He will decrypt it with Alice's public key, because the digest has been encrypted with Alice's private key, and then he will get a digest. Compare them. Okay. Integrity is good. So here you've got all the mechanism of the signatures.
So always remember it's with a private key that you will generate a signature. And a signature could be checked with a public key, that means anybody can check a signature. Checking a signature just checks the integrity, so everybody can check this, but generating a signature should be done by one person, so with the private key. So I really insist on this: only the owner of a key pair, that means the one who's got the private key, can generate a signature, and everybody can check a signature with the public key of the key pair owner.

Let's do a short hands-on about this. So now I propose that we do a hands-on with the signatures, and first with RSA. So first we will generate a file with some data inside. For example I can put, and I put all these things in a file. So if I check my file I've got some data inside. So we already generated a key pair, an RSA key pair, so no need to do it again. Let's use it. OpenSSL. We will need to do a digest. Remember in RSA we do a digest and then we encrypt it. So we can say which algorithm we want to use. So it will be SHA-256 in our case and we want to sign it. We will sign it with my private key. The output would be the output file name, sorry, signature.bin for example, and the input is my file. I do this. Now I get the signature. I can do an example of it. I've got to use numbers.

So now let's check the signature. So OpenSSL again. We say okay, I want to do the digest with SHA-256. We want this time not to sign, we want to verify the signature. So we say we want to verify and we will verify with my public key this time. Okay. We say where is the signature to check. And we also give, we want to check the signature of myfile.txt. Okay, verification is okay. So imagine we just take another file, or if I modify just my file and say okay, this time I want to be a CNTGJ and so on and so on. And I put it in myfile2.txt.
If I try to check the signature with myfile2, of course it will say verification failure. And if I modify just one character in the first file it will be the same. So quite simple. Here you've got the example with RSA.

We can also generate signatures with elliptic curves. Okay. So it's the first time that we will use elliptic curves with OpenSSL, so we will need to generate two key pairs and then we will sign and verify a file with it. So first let's check what are the curves that are available in this version of OpenSSL. So openssl ecparam, -list_curves. As you can see there are many of them. Okay. So it's really a warning with elliptic curves. When you want to do something, some curves are more elliptic than others. So you have to select very carefully the ones that you will use. Here I will select the secp384r1 for the next one recommended for signatures. So let's use it. I will show you a command that will give you some details about this. So quite long, but you will see something that makes a link with the theory we have seen together. So openssl ecparam. So here many parameters, the idea is just to show you what is exactly behind the curve that we have selected. I want to use the secp384r1. So I hope you made a link with the theory we have seen together about elliptic curves. Remember our equation, the coefficients A and B, the prime number, the order and the starting point with the generator. So here we've got the file or the curve that we will use now.

So let's generate our ECC key now. So I want to generate based on the curve secp384r1, and the genkey, the output name would be my ECC key. Okay. So let's extract from this key, because now we are, I would say, more familiar with the PEM format. Here we've got the private part and the public part. So openssl ec, -in my ECC PEM key, and let's check if it can show me that way. Oh, sorry. I mistyped my SSL. So here we've got the private and the public. Okay. Always the same thing.
So now let's extract, I would say, the public part of this key. So let's put the pubout, and the out will be my ECC pub key. Okay. So we've got now the public part of the key and the private part of the key. So we will use the same input file as for RSA and let's generate the signature. So I would say it's nearly the same as before. OpenSSL. We say which digest we want to use, SHA-256. We will sign it with my ECC key. So I will sign with the private key. Okay. The input file will be myfile.txt and the output will be signature.bin. So now I can check the signature with OpenSSL, digest, SHA-256. We verify the signature. When we want to verify a signature we need just a public key, and the signature is signature.bin, so a mistyping before, but it should work, and the input is myfile.txt, and verification is okay. If I put myfile2.txt it doesn't work. Okay. So here we have used elliptic curves in exactly the same manner as RSA.

Let's do a short sum-up of the integrity. So we need to have a message authentication mechanism to have a strong integrity check. For this we can combine with symmetric cryptography, HMAC and GCM, and for the asymmetric cryptography it's the signature mechanism with RSA and elliptic curves. An RSA signature results from a digest encryption. For the ECC, so elliptic curve signatures, it's a specific algorithm whose name is Elliptic Curve Digital Signature Algorithm. I don't go into details for this, you've got a lot of literature about it. And the signature generation is done thanks to the private key, the signature check will be done with a public key. So if you have this in mind you can address integrity.
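The three checks from this part side by side, as an added example that is not taken from the lecture: Eve swaps the letter, and Bob tests what arrives with a plain digest, an HMAC tag and an ECDSA signature on secp384r1. It assumes the openssl command-line tool is installed; the file names, the shared key and the two messages are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, key and messages are constructed for the demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'Pay Bob 100 euros\n' > "$work/letter.txt"     # what Alice wrote
printf 'Pay Eve 100 euros\n' > "$work/tampered.txt"   # Eve's modified copy
KEY='constructed-shared-secret'   # Alice and Bob only (a key passed with
                                  # -hmac shows up in the process list)

# Plain digest: no secret involved, so anyone can recompute it.
digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Keyed digest. -hmac applies the HMAC construction (two nested hash
# calls over key and message), not one hash of key||message.
hmac_tag() {
    openssl dgst -sha256 -hmac "$1" -binary "$2" | od -An -tx1 | tr -d ' \n'
}

# ECDSA on secp384r1: sign with the private key, verify with the public one.
make_keys() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$work/priv.pem" &&
    openssl ec -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null
}
sign() { openssl dgst -sha256 -sign "$work/priv.pem" -out "$2" "$1"; }
verify() {
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Bob's three checks on whatever arrives: FILE, then the value sent with it.
bob_hash_ok() { [ "$(digest "$1")" = "$2" ]; }
bob_hmac_ok() { [ "$(hmac_tag "$KEY" "$1")" = "$2" ]; }
bob_sig_ok()  { verify "$1" "$2"; }

# Eve swaps the letter. She can recompute a digest, but has neither KEY nor
# priv.pem, so the tag and signature she forwards are still Alice's.
demo() {
    make_keys || return 1
    alice_tag=$(hmac_tag "$KEY" "$work/letter.txt")
    sign "$work/letter.txt" "$work/sig.bin" || return 1
    eve_digest=$(digest "$work/tampered.txt")
    bob_hash_ok "$work/tampered.txt" "$eve_digest" && echo "digest: tampering NOT detected"
    bob_hmac_ok "$work/tampered.txt" "$alice_tag" || echo "hmac: tampering detected"
    bob_sig_ok "$work/tampered.txt" "$work/sig.bin" || echo "signature: tampering detected"
    bob_sig_ok "$work/letter.txt" "$work/sig.bin" && echo "signature: original verifies"
}
demo
```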
So where are we now, where do we stand? We have tools to encrypt messages, so symmetric and asymmetric. We have seen together how to check the message integrity, or message authentication to be exact: the HMAC, AES-GCM, the signature process. The last point, authentication: how could Bob be sure that he was talking to Alice and not to somebody else? That's important, so let's see this last part.