Cs8792 cns - unit iv

Prepared by
Dr. R. Arthy,
Assistant Professor,
Kamaraj College of Engineering and Technology
(Autonomous)
CS8792 - CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT IV
MESSAGE AUTHENTICATION AND
INTEGRITY
Outline
 Authentication requirement
 Authentication function
 MAC
 Hash function
 Security of hash function and MAC
 SHA
 Digital signature and authentication protocols
 DSS
AUTHENTICATION REQUIREMENT
Security Requirements
• Disclosure of message contents
• Traffic analysis (discover the pattern)
• Masquerade (insert a msg from a fraudulent source)
• Content modification
• Sequence modification (insert, delete, reorder)
• Timing modification (delay or replay)
• Source repudiation (denial of a transmission)
• Destination repudiation (denial of a receipt)
AUTHENTICATION FUNCTION
• Message authentication is concerned with:
 Protecting the integrity of a message
 Validating identity of originator
 Non-repudiation of origin (dispute resolution)
• Will consider the security requirements
• Then three alternative functions used:
 Message encryption
 Message authentication code (MAC)
 Hash function
Message Authentication
Message Encryption
• Message encryption by itself also provides a measure of
authentication.
• If symmetric encryption is used then:
 Receiver knows the sender must have created it, since only
sender and receiver know the key used.
 Content of the message cannot be altered undetected if the message
has a suitable structure, redundancy or a checksum to
detect any changes.
Message Encryption
• If public-key encryption is used:
 Encryption alone provides no confidence of the sender, since anyone
potentially knows the public key.
 However, if the sender signs the message using their private key,
then encrypts with the recipient's public key, this provides both
secrecy and authentication.
 Again need to be able to recognize corrupted messages.
 But at the cost of two public-key operations on the message.
Basic Use of Message Encryption
Confidentiality and Authentication Implications of Message Encryption
MESSAGE AUTHENTICATION CODE
Message Authentication Code (MAC)
• Generated by an algorithm that creates a small fixed-sized
block
 Depending on both message and some key.
 Like encryption though need not be reversible.
• Appended to message as a signature.
• Receiver performs same computation on message and checks
it matches the MAC.
• Provides assurance that message is unaltered and comes from
sender.
Message Authentication Code (MAC)
• A message authentication code (MAC), also known as a
cryptographic checksum, is an authentication technique that
involves the use of a secret key to generate a small fixed-size
block of data.
Message Authentication Codes (MACs)
• As shown, the MAC provides authentication, not confidentiality.
• Can also use encryption for secrecy:
 Generally use separate keys for each.
 Can compute MAC either before or after encryption.
 Is generally regarded as better done before.
• Why use a MAC?
 Sometimes only authentication is needed.
 Sometimes need authentication to persist longer than the
encryption (e.g., archival use).
• Note that a MAC is not a digital signature.
MAC Properties
• A MAC is a cryptographic checksum:
MAC = C_K(M)
• It condenses a variable-length message M, using a secret key K,
to a fixed-sized authenticator.
• It is a many-to-one function:
 Potentially many messages have the same MAC.
 Finding these needs to be very difficult.
Requirements for MACs
• Taking into account the types of attacks.
• Need the MAC to satisfy the following:
1. Knowing a message and its MAC, it is infeasible to find
another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.
Message Authentication Code Based on DES
• Can use any block cipher chaining mode and use the final block as
a MAC.
• Data Authentication Algorithm (DAA) is a widely used MAC
based on DES-CBC:
 Using IV=0 and zero-pad of the final block.
 Encrypt the message using DES in CBC mode.
 Send just the final block as the MAC, or the leftmost M bits
(16≤M≤64) of the final block.
• But the final MAC is now too small for security.
HASH FUNCTION
Hash Functions
• A hash value h is generated by a function H of the form:
h = H(M)
• Condenses an arbitrary message to a fixed size; usually assume that
the hash function is public and not keyed, as compared to a MAC,
which is keyed.
• Hash used to detect changes to the message.
• Can use in various ways with the message.
• Most often to create a digital signature.
Hash Functions and Digital Signatures
Basic Use of Hash Function H.
Hash Function Properties
• A hash function produces a fingerprint of some
file/message/data:
h = H(M)
 Condenses a variable-length message M to a fixed-sized
fingerprint.
• Assumed to be public.
Other Hash Function Uses
 to create a one-way password file
 store hash of password not actual password
 for intrusion detection and virus detection
 keep & check hash of files on system
 pseudorandom function (PRF) or pseudorandom number
generator (PRNG)
Requirements for Hash Functions
1. Can be applied to any sized message M.
2. Produces a fixed-length output h.
3. It is easy to compute h = H(M) for any message M.
4. Given h, it is infeasible to find x with H(x) = h
• One-way property
5. Given x, it is infeasible to find y ≠ x with H(y) = H(x)
• Weak collision resistance
6. It is infeasible to find any pair x ≠ y with H(y) = H(x)
• Strong collision resistance
 consider two simple insecure hash functions:
 bit-by-bit exclusive-OR (XOR) of every block:
 C_i = b_i1 XOR b_i2 XOR ... XOR b_im
 a longitudinal redundancy check
 reasonably effective as a data integrity check
 one-bit circular shift on the hash value:
 for each successive n-bit block,
 rotate the current hash value to the left by 1 bit and XOR in the block
 good for data integrity but useless for security
Simple Hash Functions
Simple Hash Function Using Bitwise XOR
           Bit 1   Bit 2   …   Bit n
Block 1    b11     b21     …   bn1
Block 2    b12     b22     …   bn2
…          …       …       …   …
Block m    b1m     b2m     …   bnm
Hash code  C1      C2      …   Cn
Simple Hash Functions
Two Simple Hash Functions
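As an added example (not from the slides), the two simple hash functions above over 32-bit blocks, together with a check of what each one catches: a random bit error is detected by both, reordering blocks is invisible to the plain XOR hash, and the rotated XOR hash can be driven to any value by solving for one block, which is what "useless for security" means. The block size, sample messages and function names are this example's own choices.

```python
import random

# Added example: simple XOR hash and rotated-XOR hash over 32-bit blocks,
# with demonstrations of their integrity-check strength and security weakness.
BLOCK_BYTES = 4
BLOCK_BITS = 8 * BLOCK_BYTES
MASK = (1 << BLOCK_BITS) - 1


def to_blocks(data: bytes) -> list:
    """Split data into 32-bit blocks, zero-padding the final block."""
    data += b"\x00" * ((-len(data)) % BLOCK_BYTES)
    return [int.from_bytes(data[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(data), BLOCK_BYTES)]


def rotl1(h: int) -> int:
    """One-bit circular left shift of a 32-bit value."""
    return ((h << 1) | (h >> (BLOCK_BITS - 1))) & MASK


def hash_xor(data: bytes) -> int:
    """Bit-by-bit XOR of every block (longitudinal redundancy check)."""
    h = 0
    for blk in to_blocks(data):
        h ^= blk
    return h


def hash_rotxor(data: bytes) -> int:
    """Rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for blk in to_blocks(data):
        h = rotl1(h) ^ blk
    return h


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: invert one bit of the message."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def swap_first_two_blocks(data: bytes) -> bytes:
    """Reorder the first two 32-bit blocks (a deliberate modification)."""
    return data[BLOCK_BYTES:2 * BLOCK_BYTES] + data[:BLOCK_BYTES] + data[2 * BLOCK_BYTES:]


def second_preimage_rotxor(prefix: bytes, target: int) -> bytes:
    """Append one block to prefix so that hash_rotxor(result) == target.

    The rotated-XOR hash is linear: the final value is the XOR of the blocks,
    each rotated by the number of blocks that follow it. The last block can
    therefore be solved for directly, so the hash gives no security.
    """
    prefix += b"\x00" * ((-len(prefix)) % BLOCK_BYTES)   # block-align the prefix
    last_block = rotl1(hash_rotxor(prefix)) ^ target
    return prefix + last_block.to_bytes(BLOCK_BYTES, "big")


if __name__ == "__main__":
    msg = b"ABCDEFGH"   # constructed sample message: blocks "ABCD" and "EFGH"
    print("xor:", hex(hash_xor(msg)), "rotxor:", hex(hash_rotxor(msg)))
    damaged = flip_bit(msg, random.randrange(8 * len(msg)))
    print("random bit error caught by xor / rotxor:",
          hash_xor(damaged) != hash_xor(msg), hash_rotxor(damaged) != hash_rotxor(msg))
    swapped = swap_first_two_blocks(msg)
    print("block swap caught by xor / rotxor:",
          hash_xor(swapped) != hash_xor(msg), hash_rotxor(swapped) != hash_rotxor(msg))
    forged = second_preimage_rotxor(b"ABCD", hash_rotxor(msg))
    print("rotxor second preimage:", forged, hash_rotxor(forged) == hash_rotxor(msg))
```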
Requirements for Hash Functions
 have brute-force attacks and cryptanalysis
 a preimage or second preimage attack:
 find y s.t. H(y) equals a given hash value
 collision resistance:
 find two messages x & y with the same hash, so H(x) = H(y)
 hence the value 2^(m/2) determines the strength of an m-bit hash code
against brute-force attacks
 128 bits inadequate, 160 bits suspect
Attack on Hash Function
Birthday Attacks
• Might think a 64-bit hash is secure, but by the Birthday Paradox it is
not
• Birthday attack works thus:
 given a user prepared to sign a valid message x
 opponent generates 2^(m/2) variations x' of x, all with
essentially the same meaning, and saves them
 opponent generates 2^(m/2) variations y' of a desired
fraudulent message y
 the two sets of messages are compared to find a pair with the same
hash (probability > 0.5 by the birthday paradox)
 have the user sign the valid message, then substitute the
forgery, which will have a valid signature
 conclusion is that need to use a larger MAC/hash
General Structure of Secure Hash Code
 cryptanalytic attacks exploit some property of the algorithm so are faster
than exhaustive search
 hash functions use an iterative structure
 process message in blocks (incl. length)
 attacks focus on collisions in function f
Block Ciphers as Hash Functions
• Can use block ciphers as hash functions
 Using H_0 = 0 and zero-pad of the final block
 compute: H_i = E_{M_i}[H_{i-1}]
 Use the final block as the hash value
 Similar to CBC but without a key
• Resulting hash is too small (64-bit)
 Due to direct birthday attack
 Due to "meet-in-the-middle" attack
• Other variants also susceptible to attack
Hash Functions and MAC Security
• Brute-force attacks exploiting:
 Strong collision resistance: hash has cost 2^(m/2).
 Have proposal for hardware MD5 cracker.
 128-bit hash looks vulnerable, 160 bits better.
 MACs with known message-MAC pairs:
 Can either attack the keyspace (key search) or the MAC.
 At least a 128-bit MAC is needed for security.
• Cryptanalytic attacks exploit structure:
 Like block ciphers, want brute-force attacks to be the best
alternative.
• Have a number of analytic attacks on iterated hash functions:
CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
 Typically focus on collisions in function f.
 Like block ciphers, f is often composed of rounds.
 Attacks exploit properties of the round functions.
MD5 ALGORITHM
MD5
 designed by Ronald Rivest (the “R” in RSA)
 latest in a series of MD2, MD4
 produces a 128-bit hash value
 until recently was the most widely used hash algorithm
 in recent times have both brute-force & cryptanalytic
concerns
 specified as Internet standard RFC1321
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
 using 4 rounds of 16 steps (operations) on the message block
& buffer
 add output to buffer input to form the new buffer value
5. output hash value is the final buffer value
Implementation Steps
 Step 1: Append padding bits
 The message is padded so that its bit length ≡ 448 mod
512 (i.e., the length of the padded message is 64 bits less
than an integer multiple of 512 bits)
 Padding is always added, even if the message is already
of the desired length (1 to 512 bits of padding)
 Padding bits: 1000…0 (a single 1-bit followed by the
necessary number of 0-bits)
Implementation Steps
 Step 2: Append length
 A 64-bit length field contains the length of the original message modulo
2^64
 The expanded message is Y_0, Y_1, …, Y_{L-1}; the total
length is L × 512 bits
 The expanded message can be thought of as a multiple
of 16 32-bit words
 Let M[0 … N-1] denote the words of the resulting
message, where N = L × 16
Implementation Steps
 Step 3: Initialize MD buffer
 128-bit buffer (four 32-bit registers A,B,C,D) is used to hold
intermediate and final results of the hash function
 A,B,C,D are initialized to the following values (hexadecimal)
 A = 67452301
 B = EFCDAB89
 C = 98BADCFE
 D = 10325476
 Stored in little-endian format (least significant byte of a word
in the low-address byte position)
 word A : 01 23 45 67 (low address … high address)
 word B : 89 AB CD EF
 word C : FE DC BA 98
 word D : 76 54 32 10
Implementation Steps
 Step 4: Process message in 512-bit (16-word) blocks
 The heart of the algorithm, called the compression function, consists
of 4 rounds
 The 4 rounds have a similar structure, but each uses a different
primitive logical function, referred to as F, G, H, and I
 Each round takes as input the current 512-bit block (Y_q) and the 128-
bit buffer value ABCD, and updates the contents of the buffer
 Each round also uses the table T[1 … 64], constructed from
the sine function: T[i] = integer part of 2^32 × abs(sin(i))
 The output of the 4th round is added to CV_q to produce
CV_{q+1}
Implementation Steps
 Step 5: Output
 After all L 512-bit blocks have been processed, the output
from the Lth stage is the 128-bit message digest
 CV_0 = IV
 CV_{q+1} = SUM32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
 MD = CV_L
Where
 IV = initial value of the ABCD buffer, defined in step 3
 Y_q = the qth 512-bit block of the message
 L = the number of blocks in the message (including padding and
length fields)
 CV_q = chaining variable processed with the qth block of the message
 RF_x = round function using primitive logical function x
 MD = final message digest value
 SUM32 = addition modulo 2^32 performed separately on each word
MD5 Compression Function
 Each round consists of a sequence of 16 steps operating on the buffer
ABCD
 Each step is of the form
 a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
 where a, b, c, d = the 4 words of the buffer, in a specified order that varies across
steps
 g = one of the primitive functions F, G, H, I
 <<< s = circular left shift (rotation) of the 32-bit argument by s bits
 X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the
message
 T[i] = the ith 32-bit word in table T
 + = addition modulo 2^32
MD5 Operation
 One of the 4 primitive logical functions is used in each of the
4 rounds of the algorithm
 Each primitive function takes three 32-bit words as
input and produces a 32-bit word as output
 Each function performs a set of bitwise logical
operations
MD4
 precursor to MD5
 also produces a 128-bit hash of message
 has 3 rounds of 16 steps versus 4 in MD5
 design goals:
 collision resistant (hard to find collisions)
 direct security (no dependence on "hard" problems)
 fast, simple, compact
 favors little-endian systems (eg PCs)
Strength of MD5
 MD5 hash is dependent on all message bits
 Rivest claims security is as good as can be
 known attacks are:
 Berson 92 attacked any 1 round using differential
cryptanalysis (but can't extend)
 Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
 Dobbertin 96 created collisions on the MD5 compression
function (but initial constants prevent exploit)
 conclusion is that MD5 looks vulnerable soon
SHA
Overview
 Developed by NIST (National Institute of Standards and Technology)
 Published as FIPS 180 in 1993
 A revised version was issued as FIPS 180-1 in 1995
 Generally referred to as SHA-1
 SHA is based on the hash function MD4 and its design closely models
MD4.
 SHA-1 produces a hash value of 160 bits.
 A revised version of the standard, FIPS 180-2, defined three new
versions of SHA, with hash value lengths of 256, 384 and 512 bits,
known as SHA-256, SHA-384 and SHA-512.
SHA Overview
1. pad message so its length is 896 mod 1024
2. append a 128-bit length value to message
3. initialise 8-word (512-bit) buffer (A,B,C,D,E,F,G,H)
4. process message in 128-word (1024-bit) chunks
5. output hash value is the final buffer value
Implementation Steps
 Step 1: Append padding bits
 The message is padded so that its bit length is congruent
to 896 modulo 1024 [length K ≡ 896 mod 1024]
 Padding is always added, even if the message is already
of the desired length.
 Thus, the number of padding bits is in the range of 1 to
1024.
 The padding consists of a single 1-bit followed by the
necessary number of 0-bits.
Implementation Steps
 Step 2: Append length
 A block of 128-bits is appended to the message.
 This block is treated as an unsigned 128-bit integer (most
significant byte first) and contains the length of the
original message (before the padding).
 The outcome of the first two steps yields a message that
is an integer multiple of 1024 bits in length.
 In the figure, the expanded message is represented as the
sequence of 1024-bit blocks M_1, M_2, …, M_N, so that the
total length of the expanded message is N × 1024 bits.
Implementation Steps
 Step 3: Initialize hash buffer
 A 512-bit buffer is used to hold intermediate and final results of the hash
function.
 The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and h).
 These registers are initialized to the following 64-bit integers (hexadecimal
values):
 These values are stored in big-endian format, that is, with the most significant byte
of a word in the low-address (leftmost) byte position.
 These words were obtained by taking the first sixty-four bits of the fractional
parts of the square roots of the first eight prime numbers.
Implementation Steps
 Step 4: Process message in 1024-bit (128-word)
blocks
 The heart of the algorithm is a module that consists of 80 rounds; this
module is labeled F in the figure above.
 Each round takes as input the 512-bit buffer value, abcdefgh, and updates
the contents of the buffer.
 At input to the first round, the buffer has the value of the intermediate
hash value, H_{i-1}.
 Each round t makes use of a 64-bit value W_t, derived from the current
1024-bit block being processed (M_i).
 Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79
indicates one of the 80 rounds.
 The output of the eightieth round is added to the input to the first round
(H_{i-1}) to produce H_i. The addition is done independently for each of the
eight words in the buffer with each of the corresponding words in H_{i-1},
using addition modulo 2^64.
Implementation Steps
 Step 5: Output
 After all N 1024-bit blocks have been processed, the output
from the Nth stage is the 512-bit message digest.
 H_0 = IV, H_i = SUM64(H_{i-1}, abcdefgh_i)
 MD = H_N
where,
 IV = initial value of the abcdefgh buffer, defined in step 3.
 abcdefgh_i = the output of the last round of processing of the ith
message block.
 N = the number of blocks in the message (including padding and
length fields).
 SUM64 = addition modulo 2^64 performed separately on each word of
the pair of inputs.
 MD = final message digest value.
Compression Function
Generation of Input Sequence
HMAC
HMAC Design Principles
 To use, without modifications, available hash functions.
In particular, to use hash functions that perform well in
software and for which code is freely and widely available.
 To allow for easy replaceability of the embedded hash
function in case faster or more secure hash functions are
found or required.
 To preserve the original performance of the hash function
without incurring a significant degradation.
 To use and handle keys in a simple way.
 To have a well understood cryptographic analysis of the
strength of the authentication mechanism based on
reasonable assumptions about the embedded hash function.
Algorithm
 HMAC defines the following terms.
 H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
 IV = initial value input to hash function
 M = message input to HMAC (including the padding specified in the
embedded hash function)
 Y_i = ith block of M, 0 ≤ i ≤ (L - 1)
 L = number of blocks in M
 b = number of bits in a block
 n = length of hash code produced by embedded hash function
 K = secret key; recommended length is ≥ n; if key length is greater
than b, the key is input to the hash function to produce an n-bit key
 K+ = K padded with zeros on the left so that the result is b bits in
length
 ipad = 00110110 (36 in hexadecimal) repeated b/8 times
 opad = 01011100 (5C in hexadecimal) repeated b/8 times
Algorithm
 The algorithm is as follows:
 1. Append zeros to the left end of K to create a b-bit string K+ (e.g.,
if K is of length 160 bits and b = 512, then K will be appended with
44 zero bytes, i.e. 352 zero bits).
 2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit
block S_i.
 3. Append M to S_i.
 4. Apply H to the stream generated in step 3.
 5. XOR K+ with opad to produce the b-bit block S_o.
 6. Append the hash result from step 4 to S_o.
 7. Apply H to the stream generated in step 6 and output the result.
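As an added example (not from the slides), the seven HMAC steps assembled literally from the ipad/opad definitions above, cross-checked against Python's hmac module, with the receiver-side check done in constant time. One detail is made explicit: RFC 2104 and the standard library place the padding zeros after the key bytes, so that is what the code does. The function names and sample key/message are this example's own.

```python
import hashlib
import hmac

# Added example: HMAC built step by step from the slide's definitions.
IPAD = 0x36  # 00110110
OPAD = 0x5C  # 01011100


def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC = H((K+ XOR opad) || H((K+ XOR ipad) || M))."""
    b = hashlib.new(hash_name).block_size     # b bits on the slide = block_size bytes here
    if len(key) > b:                          # keys longer than b are first hashed to n bits
        key = hashlib.new(hash_name, key).digest()
    # Step 1: K+ = K padded with zeros to b bytes (zeros after the key bytes, per RFC 2104)
    k_plus = key + b"\x00" * (b - len(key))
    s_i = bytes(x ^ IPAD for x in k_plus)                    # Step 2: S_i = K+ XOR ipad
    inner = hashlib.new(hash_name, s_i + message).digest()   # Steps 3-4: H(S_i || M)
    s_o = bytes(x ^ OPAD for x in k_plus)                    # Step 5: S_o = K+ XOR opad
    return hashlib.new(hash_name, s_o + inner).digest()      # Steps 6-7: H(S_o || inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against the standard library's HMAC."""
    return hmac_from_steps(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time, so the
    comparison does not leak how many leading bytes of a guessed tag matched."""
    expected = hmac_from_steps(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key, msg = b"key", b"The quick brown fox jumps over the lazy dog"   # constructed sample
    tag = hmac_from_steps(key, msg)
    print(tag.hex(), "matches hmac module:", matches_stdlib(key, msg))
    print("tampered message rejected:", not verify_tag(key, msg + b"!", tag))
```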
CMAC
DIGITAL SIGNATURE STANDARD
Elgamal Digital Signature
Schnorr Digital Signature
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 14
Entity Authentication
14-1 INTRODUCTION
Entity authentication is a technique designed to let one
party prove the identity of another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called
the claimant; the party that tries to prove the identity
of the claimant is called the verifier.
14.1.1 Data-Origin Versus Entity Authentication
Message Authentication                  | Entity Authentication
Does not happen in real time            | Happens in real time
Authenticates one message and is        | Authenticates the claimant for
repeated for each new message           | the entire duration of a session
14.1.2 Verification Categories
Something known
Something possessed
Something inherent
14-2 PASSWORDS
Password-based authentication, where the password is
something that the claimant knows.
Two groups:
Fixed password
One-time password
14.2.1 Fixed Password
First Approach
Figure 14.1 User ID and password file
Attacks on the first approach:
Eavesdropping
Stealing a password
Accessing a password file
Guessing
Second Approach
Figure 14.2 Hashing the password
Dictionary attack:
Create a list of passwords, calculate their hash values,
and search the second-column entries to find a
match.
Third Approach
Figure 14.3 Salting the password
When the password is created, a random string, called
the salt, is concatenated to the password. The salted
password is then hashed.
The Unix OS uses a variation of this method.
Fourth Approach
• Two identification techniques are combined.
• A good example of this type of authentication is the use of
an ATM card (something possessed) with a PIN (personal
identification number) (something known).
14.2.2 One-Time Password
 A one-time password is a password that is used only
once.
 In the first approach, the user and the system agree upon
a list of passwords.
 In the second approach, the user and the system agree to
sequentially update the password.
 In the third approach, the user and the system create a
sequentially updated password using a hash function.
Figure 14.4 The third approach: Lamport one-time password
 Alice and Bob agree upon an
original password P_0 and a counter n.
 The system stores the identity of
Alice, the value of n and the hash.
14-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her
identity by demonstrating that she knows a secret,
the password.
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to
the verifier.
Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.
14.3.1 Using a Symmetric-Key Cipher
First Approach
Figure 14.5 Nonce challenge
1. ID of claimant
2. The challenge: R_B is the nonce randomly chosen by Bob to
challenge Alice
3. Alice encrypts the nonce using the shared secret key known only
to Alice and Bob. Bob decrypts the message. If the nonce
obtained from decryption is the same as the one sent by Bob, Alice is authenticated.
Second Approach
Figure 14.6 Timestamp challenge
The challenge message is the current time sent
from the verifier to the claimant.
The claimant encrypts Alice's ID and the time with
the Alice-Bob secret key.
Third Approach
Figure 14.7 Bidirectional authentication
1. Alice's ID
2. The challenge from Bob to Alice, R_B
3. Alice responds and sends her challenge, R_A
4. Bob's response. R_A and R_B are switched to prevent a replay attack.
14.3.2 Using Keyed-Hash Functions
Figure 14.8 Keyed-hash function
1. The challenge message is the current time sent from the
verifier to the claimant.
2. The timestamp is sent both as plaintext and as text scrambled
by the keyed-hash function.
3. Bob compares his calculation with what he received.
14.3.3 Using an Asymmetric-Key Cipher
First Approach
Figure 14.9 Unidirectional, asymmetric-key authentication
Ownership of claimant’s private key
Second Approach
Figure 14.10 Bidirectional, asymmetric-key
14.3.4 Using Digital Signature
First Approach
Figure 14.11 Digital signature, unidirectional
Ownership of claimant’s private key
Second Approach
Figure 14.12 Digital signature, bidirectional authentication
14-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does not
reveal anything that might endanger the
confidentiality of the secret.
The claimant proves to the verifier that she knows a
secret, without revealing it.
The interactions are so designed that they cannot lead to
revealing or guessing the secret.
14.4.1 Fiat-Shamir Protocol
Figure 14.13 Fiat-Shamir protocol
[figure not reproduced in the text; it shows the quantities x, v, c, r, s and y exchanged in one round]
y is from private key and challenge c
x v^c is from public key of Alice
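As an added example (not from the textbook), one round of the Fiat-Shamir protocol of Figure 14.13 with Alice's and Bob's computations separated, plus an impostor who guesses the challenge and so passes a single round only half the time, which is why the round is repeated. The figure's equations are not reproduced on the page; the formulas here follow the standard protocol (commit x = r^2 mod n, challenge c in {0,1}, response y = r·s^c mod n, check y^2 ≡ x·v^c mod n). The primes, names and the explicit rejection of x = 0 or y = 0 are this example's own choices.

```python
import secrets
from math import gcd

# Added example: Fiat-Shamir identification round, honest prover and guessing impostor.


def keygen(p: int, q: int) -> tuple:
    """Trusted party publishes n = p*q. Alice picks a secret s coprime to n and
    publishes v = s^2 mod n. Returns (n, s, v)."""
    n = p * q
    while True:
        s = secrets.randbelow(n - 2) + 2
        if gcd(s, n) == 1:
            return n, s, pow(s, 2, n)


def prover_commit(n: int) -> tuple:
    """Alice picks a fresh random r and sends x = r^2 mod n. Returns (r, x)."""
    r = secrets.randbelow(n - 2) + 2
    return r, pow(r, 2, n)


def prover_respond(n: int, s: int, r: int, c: int) -> int:
    """y = r * s^c mod n: reveals r (c = 0) or r*s (c = 1), never s on its own."""
    return (r * pow(s, c, n)) % n


def verifier_check(n: int, v: int, x: int, c: int, y: int) -> bool:
    """Bob accepts iff y^2 == x * v^c (mod n). x = 0 or y = 0 is rejected
    outright, since x = 0, y = 0 would otherwise pass without knowing s."""
    if x % n == 0 or y % n == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, c, n)) % n


def cheat_commit(n: int, v: int, c_guess: int) -> tuple:
    """An impostor who does not know s guesses the challenge in advance: she
    sends x = r^2 * v^(-c_guess) mod n and later answers y = r. The check
    passes only if c == c_guess, so each round halves her chance."""
    r = secrets.randbelow(n - 2) + 2
    x = (pow(r, 2, n) * pow(v, -c_guess, n)) % n
    return r, x


def honest_session(n: int, s: int, v: int, rounds: int = 20) -> bool:
    """Alice proves knowledge of s over several rounds with random challenges."""
    for _ in range(rounds):
        r, x = prover_commit(n)
        c = secrets.randbelow(2)                 # Bob's challenge bit
        if not verifier_check(n, v, x, c, prover_respond(n, s, r, c)):
            return False
    return True


def cheat_session(n: int, v: int, rounds: int = 20) -> int:
    """Count the rounds an impostor passes by guessing (about half of them)."""
    passed = 0
    for _ in range(rounds):
        r, x = cheat_commit(n, v, secrets.randbelow(2))
        c = secrets.randbelow(2)
        passed += verifier_check(n, v, x, c, r)
    return passed


if __name__ == "__main__":
    n, s, v = keygen(10007, 10009)              # constructed small primes, demo only
    print("honest prover accepted:", honest_session(n, s, v))
    print("impostor passed", cheat_session(n, v), "of 20 rounds")
```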
Cave Example
Figure 14.14 Cave example
The door can only be opened with a magic word. Alice claims that she knows
the word and that she can open the door. Bob and Alice are at point 1. Alice
enters the cave and reaches point 2.
1. Alice chooses to go either right or left. After Alice disappears, Bob comes to
point 2 and asks Alice to come up from either the right or left.
2. If Alice knows the magic word, she will come up from the right direction. If
she does not know the word, she comes up from the right direction with ½
probability.
3. The game will be repeated many times.
14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol
14.4.3 Guillou-Quisquater Protocol
Figure 14.16 Guillou-Quisquater protocol
14-5 BIOMETRICS
Biometrics is the measurement of physiological or
behavioral features that identify a person
(authentication by something inherent).
Biometrics measures features that cannot be guessed,
stolen, or shared.
14.5.1 Components
Capturing devices
Processors
Storage devices
14.5.2 Enrollment
The corresponding feature of each person in the community
should be available in the database. This is referred to as
enrollment.
14.5.3 Authentication
Verification
Identification
14.5.4 Techniques
Figure 14.17 Techniques
USER AUTHENTICATION
User Authentication
 Fundamental security building block
Basis of access control & user accountability
 Is the process of verifying an identity claimed by or for
a system entity
 Has two steps:
Identification - specify identifier
Verification - bind entity (person) and identifier
 Distinct from message authentication
Means of User Authentication
Four means of authenticating a user's identity
Based on something the individual:
Knows - e.g. password, PIN
Possesses - e.g. key, token, smartcard
Is (static biometrics) - e.g. fingerprint, retina
Does (dynamic biometrics) - e.g. voice, signature
Can use alone or combined
All can provide user authentication
All have issues
Authentication Protocols
 Used to convince parties of each other's identity and to
exchange session keys
 May be one-way or mutual
 Key issues are
 Confidentiality – to protect session keys
 Timeliness – to prevent replay attacks
Replay Attacks
• Where a valid signed message is copied and later resent
• Simple replay
• Repetition that can be logged
• Repetition that cannot be detected
• Backward replay without modification
• Countermeasures include
• Use of sequence numbers (generally impractical)
• Timestamps (needs synchronized clocks)
• Challenge/response (using unique nonce)
One-Way Authentication
 Required when sender & receiver are not in
communication at the same time (e.g. email)
 Have header in clear so can be delivered by email
system
 May want contents of body protected & sender
authenticated
Using Symmetric Encryption
 As discussed previously can use a two-level hierarchy
of keys
 Usually with a trusted key distribution center (KDC)
 Each party shares own master key with KDC
 KDC generates session keys used for connections
between parties
 Master keys used to distribute these to them
Needham-Schroeder Protocol
 original third-party key distribution protocol
 for a session between A and B mediated by a KDC
 protocol overview is:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
3. A → B: E(K_b, [K_s || ID_A])
4. B → A: E(K_s, [N_2])
5. A → B: E(K_s, [f(N_2)])
Needham-Schroeder Protocol
 Used to securely distribute a new session key for
communications between A & B
 But is vulnerable to a replay attack if an old session
key has been compromised
 Then message 3 can be resent, convincing B that it is
communicating with A
 Modifications to address this require:
 Timestamps in steps 2 & 3 (Denning 81)
 Using an extra nonce (Neuman 93)
One-Way Authentication
 use a refinement of the KDC protocol to secure email
 since B is not online, drop steps 4 & 5
 protocol becomes:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
3. A → B: E(K_b, [K_s || ID_A]) || E(K_s, M)
 provides encryption & some authentication
 does not protect from replay attack
KERBEROS
Introduction
 Trusted key server system from MIT
 Provides centralised private-key third-party
authentication in a distributed network
 Allows users access to services distributed through
network
 Without needing to trust all workstations
 Rather all trust a central authentication server
 Two versions in use: 4 & 5
Kerberos Requirements
 First published report identified its requirements as:
 Security
 Reliability
 Transparency
 Scalability
 Implemented using an authentication protocol based
on Needham-Schroeder
Kerberos 4 Overview
 A basic third-party authentication scheme
 Have an Authentication Server (AS)
 Users initially negotiate with AS to identify self
 AS provides a non-corruptible authentication credential
(ticket granting ticket TGT)
 Have a Ticket Granting Server (TGS)
 Users subsequently request access to other services from the
TGS on the basis of the user's TGT
Kerberos 4 Overview
Steps
 Step 1: The user logs on and requests services on a host; thus the user requests the ticket-
granting service.
 Step 2: The Authentication Server verifies the user's access rights using its database and then
issues a ticket-granting ticket and a session key. The results are encrypted using the password of the
user.
 Step 3: The message is decrypted using the password, then the ticket is sent to the
Ticket Granting Server. The ticket contains authenticators such as the user name and
network address.
 Step 4: The Ticket Granting Server decrypts the ticket sent by the user and the authenticator,
verifies the request, then creates the ticket for requesting services from the server.
 Step 5: The user sends the ticket and authenticator to the server.
 Step 6: The server verifies the ticket and authenticators, then generates the access to the
Kerberos v4 Dialogue
Kerberos Realms
 A Kerberos environment consists of:
 A Kerberos server
 A number of clients, all registered with the server
 Application servers, sharing keys with the server
 This is termed a realm
 Typically a single administrative domain
 If there are multiple realms, their Kerberos servers must
share keys and trust
Kerberos Version 5
 Developed in mid 1990’s
 Provides improvements over v4
 Addresses environmental shortcomings
 Encryption alg, network protocol, byte order, ticket lifetime,
authentication forwarding, interrealm auth
 And technical deficiencies
 Double encryption, non-std mode of use, session keys, password
attacks
 Specified as internet standard RFC 1510
Kerberos v5 Dialogue
X.509 Authentication Service
 part of CCITT X.500 directory service standards
 distributed servers maintaining some info database
 defines framework for authentication services
 directory may store public-key certificates
 with public key of user
 signed by certification authority
 also defines authentication protocols
 uses public-key crypto & digital signatures
 algorithms not standardised, but RSA recommended
X.509 Certificates
 issued by a Certification Authority (CA), containing:
 version (1, 2, or 3)
 serial number (unique within CA) identifying certificate
 signature algorithm identifier
 issuer X.500 name (CA)
 period of validity (from - to dates)
 subject X.500 name (name of owner)
 subject public-key info (algorithm, parameters, key)
 issuer unique identifier (v2+)
 subject unique identifier (v2+)
 extension fields (v3)
 signature (of hash of all fields in certificate)
 notation CA<<A>> denotes certificate for A signed by
CA
X.509 Certificates
Obtaining a Certificate
 any user with access to the CA can get any certificate from
it
 only the CA can modify a certificate
 because they cannot be forged, certificates can be placed in
a public directory
CA Hierarchy
 if both users share a common CA then they are
assumed to know its public key
 otherwise CAs must form a hierarchy
 use certificates linking members of the hierarchy to
validate other CAs
 each CA has certificates for clients (forward) and parent
(backward)
 each client trusts its parent's certificates
 enables verification of any certificate from one CA
by users of all other CAs in the hierarchy
CA Hierarchy Use
Certificate Revocation
 certificates have a period of validity
 may need to revoke before expiry, e.g.:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
 CAs maintain a list of revoked certificates
 the Certificate Revocation List (CRL)
 users should check certificates against the CA's CRL
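The CA hierarchy and certificate revocation slides describe the checks without code; the following Go program is an added example (not from these slides) that builds a small Root -> Sub CA -> user hierarchy with the standard library's crypto/x509, validates a user certificate against the root alone, then checks the issuing CA's CRL. The names (Root CA, Sub CA, A, Compromised), serial numbers and validity periods are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must aborts on fixture-setup errors so the example stays short.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by the parent CA's key; with parent == nil it
// is self-signed (a root CA). The fields set are those the slides list for a certificate.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // unique within this CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), // period of validity
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // v3 extension, emitted as critical
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer, signKey := parent, parentKey
	if parent == nil {
		signer, signKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// PKI is a hierarchy Root -> Sub -> end entities plus a CRL issued by Sub (A is good, Revoked is listed).
type PKI struct {
	Root, Sub, A, Revoked *x509.Certificate
	CRL                   *x509.RevocationList
}

// BuildPKI issues the hierarchy (constructed names and serials) and the CRL.
func BuildPKI() *PKI {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	sub, subKey := issue("Sub CA", 2, true, root, rootKey)
	a, _ := issue("A", 3, false, sub, subKey)
	rev, _ := issue("Compromised", 99, false, sub, subKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber: rev.SerialNumber, RevocationTime: time.Now().Add(-time.Minute),
		}},
	}, sub, subKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	return &PKI{Root: root, Sub: sub, A: a, Revoked: rev, CRL: crl}
}

// Validate builds the chain cert -> Sub -> Root trusting only Root (the common CA both
// users know), which also enforces the validity period, then checks the issuing CA's CRL.
func Validate(p *PKI, cert *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Sub)
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return err
	}
	issuer := chains[0][1] // chain is [cert, Sub, Root]
	if err := p.CRL.CheckSignatureFrom(issuer); err != nil {
		return err // never trust a CRL the issuing CA did not sign
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked by its CA")
		}
	}
	return nil
}
```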
Authentication Procedures
 X.509 includes three alternative authentication
procedures:
 One-Way Authentication
 Two-Way Authentication
 Three-Way Authentication
 all use public-key signatures
One-Way Authentication
 1 message (A->B) used to establish
 the identity of A and that message is from A
 message was intended for B
 integrity & originality of message
 message must include timestamp, nonce, B's identity
and is signed by A
Two-Way Authentication
 2 messages (A->B, B->A) which also establishes in
addition:
 the identity of B and that reply is from B
 that reply is intended for A
 integrity & originality of reply
 reply includes original nonce from A, also timestamp
and nonce from B
Three-Way Authentication
 3 messages (A->B, B->A, A->B) which enables above
authentication without synchronized clocks
 has reply from A back to B containing signed copy of
nonce from B
 means that timestamps need not be checked or relied
upon
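The three procedures above are given only as message flows; as an added example that is not part of the slides, this Go program implements the three-way procedure (no synchronized clocks) with ECDSA signatures from the standard library and applies the receiver-side checks for each message. The party names, the pre-distributed public keys (X.509 would deliver them in certificates) and the message encoding are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Msg is one protocol message: Nonce is the sender's fresh value, Echo returns the peer's.
type Msg struct {
	From, To         string
	Nonce, Echo, Sig []byte
}

// digest is the value signed: sender, intended recipient and both nonces.
func (m *Msg) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%x|%x", m.From, m.To, m.Nonce, m.Echo)))
	return h[:]
}

// Party holds its signing key, its peers' public keys (assumed pre-distributed; X.509 would
// deliver them in CA-signed certificates) and the nonces already accepted, to reject replays.
type Party struct {
	Name  string
	key   *ecdsa.PrivateKey
	peers map[string]*ecdsa.PublicKey
	seen  map[string]bool
}

func NewParty(name string) *Party {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, key: key, peers: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

// Introduce gives each party the other's public key.
func Introduce(a, b *Party) {
	a.peers[b.Name], b.peers[a.Name] = &b.key.PublicKey, &a.key.PublicKey
}

func (p *Party) nonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func (p *Party) sign(m *Msg) *Msg {
	var err error
	if m.Sig, err = ecdsa.SignASN1(rand.Reader, p.key, m.digest()); err != nil {
		panic(err)
	}
	return m
}

// verify applies the checks the slides list: intended for this party, signed by the
// claimed sender, echoes the nonce we sent, and any nonce it carries was never seen before.
func (p *Party) verify(m *Msg, expectEcho []byte) error {
	if m.To != p.Name {
		return fmt.Errorf("message intended for %q, not %q", m.To, p.Name)
	}
	pub := p.peers[m.From]
	if pub == nil || !ecdsa.VerifyASN1(pub, m.digest(), m.Sig) {
		return fmt.Errorf("message not verifiably from %q", m.From)
	}
	if string(m.Echo) != string(expectEcho) {
		return fmt.Errorf("echoed nonce does not match the one we sent")
	}
	if m.Nonce != nil {
		k := fmt.Sprintf("%s:%x", m.From, m.Nonce)
		if p.seen[k] {
			return fmt.Errorf("replayed nonce from %q", m.From)
		}
		p.seen[k] = true
	}
	return nil
}

// ThreeWay runs A->B, B->A, A->B without timestamps and returns the three messages.
func ThreeWay(a, b *Party) ([]*Msg, error) {
	m1 := a.sign(&Msg{From: a.Name, To: b.Name, Nonce: a.nonce()})
	if err := b.verify(m1, nil); err != nil {
		return nil, fmt.Errorf("msg1: %w", err)
	}
	m2 := b.sign(&Msg{From: b.Name, To: a.Name, Nonce: b.nonce(), Echo: m1.Nonce})
	if err := a.verify(m2, m1.Nonce); err != nil {
		return nil, fmt.Errorf("msg2: %w", err)
	}
	m3 := a.sign(&Msg{From: a.Name, To: b.Name, Echo: m2.Nonce}) // signed copy of B's nonce
	if err := b.verify(m3, m2.Nonce); err != nil {
		return nil, fmt.Errorf("msg3: %w", err)
	}
	return []*Msg{m1, m2, m3}, nil
}
```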
X.509 Version 3
 has been recognised that additional information is
needed in a certificate
 email/URL, policy details, usage constraints
 rather than explicitly naming new fields, defined a
general extension method
 extensions consist of:
 extension identifier
 criticality indicator
 extension value
Certificate Extensions
 key and policy information
 convey info about subject & issuer keys, plus indicators
of certificate policy
 certificate subject and issuer attributes
 support alternative names, in alternative formats for
certificate subject and/or issuer
 certificate path constraints
 allow constraints on use of certificates by other CAs
Summary
 have considered:
 Kerberos trusted key server system
 X.509 authentication and certificates
Cs8792 cns - unit iv

  • 1. Prepared by Dr. R. Arthy, Assistant Professor, Kamaraj College of Engineering and Technology (Autonomous) CS8792 - CRYPTOGRAPHY AND NETWORK SECURITY
  • 3. Outline  Authentication requirement  Authentication function  MAC  Hash function  Security of hash function and MAC  SHA  Digital signature and authentication protocols  DSS
  • 5. Security Requirements • Disclosure of message contents • Traffic analysis (discover the pattern) • Masquerade (insert a msg from a fraudulent source) • Content modification • Sequence modification (insert, delete, reorder) • Timing modification (delay or replay) • Source repudiation (denial of a transmission) • Destination repudiation (denial of a receipt)
  • 7. • Message authentication is concerned with:  Protecting the integrity of a message  Validating identity of originator  Non-repudiation of origin (dispute resolution) • Will consider the security requirements • Then three alternative functions used:  Message encryption  Message authentication code (MAC)  Hash function Message Authentication
  • 8. Message Encryption • Message encryption by itself also provides a measure of authentication. • If symmetric encryption is used then:  Receiver know sender must have created it since only sender and receiver know the key used  Content of the message cannot be altered if the message has a suitable structure, redundancy or a checksum to detect any changes
  • 9. Message Encryption • If public-key encryption is used:  Encryption provides no confidence of sender, since anyone potentially knows public-key.  However, if sender signs message using their private-key, then encrypts with recipients public key, provides both secrecy and authentication.  Again need to recognize corrupted messages.  But at cost of two public-key uses on message.
  • 10. Basic Use of Message Encryption
  • 11. Basic Use of Message Encryption Confidentiality and Authentication Implications of Message Encryption
  • 12. Basic Use of Message Encryption Confidentiality and Authentication Implications of Message Encryption
  • 15. Message Authentication Code (MAC) • Generated by an algorithm that creates a small fixed-sized block  Depending on both message and some key.  Like encryption though need not be reversible. • Appended to message as a signature. • Receiver performs same computation on message and checks it matches the MAC. • Provides assurance that message is unaltered and comes from sender.
  • 16. Message Authentication Code (MAC) • A message authentication code (MAC), also known as a cryptographic checksum, is an authentication technique involves the use of a secret key to generate a small fixed-size block of data.
  • 19. Message Authentication Codes (MACs) • As shown the MAC provides confidentiality. • Can also use encryption for secrecy:  Generally use separate keys for each.  Can compute MAC either before or after encryption.  Is generally regarded as better done before. • Why use a MAC?  Sometimes only authentication is needed.  Sometimes need authentication to persist longer than the encryption (e.g., archival use). • Note that a MAC is not a digital signature.
  • 20. MAC Properties • A MAC is a cryptographic checksum. MAC = CK(M) • Condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator. • It is a many-to-one function  Potentially many messages have same MAC.  Finding these needs to be very difficult.
  • 21. Requirements for MACs • Taking into account the types of attacks. • Need the MAC to satisfy the following: 1. Knowing a message and MAC, is infeasible to find another message with same MAC. 2. MACs should be uniformly distributed. 3. MAC should depend equally on all bits of the message.
  • 22. Message Authentication Code Based on DES • Can use any block cipher chaining mode and use final block as a MAC. • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC.  Using IV=0 and zero-pad of final block.  Encrypt message using DES in CBC mode.  Send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block. • But final MAC is now too small for security.
  • 25. Hash Functions • A hash function h is generated by a function H of the form: h = H(M) • Condenses arbitrary message to fixed size; usually assume that the hash function is public and not keyed as compared to MAC which is keyed. • Hash used to detect changes to message. • Can use in various ways with message. • Most often to create a digital signature.
  • 27. Hash Functions and Digital Signatures Basic Use of Hash Function.
  • 28. Hash Functions and Digital Signatures Basic Use of Hash Function.
  • 29. Hash Functions and Digital Signatures Basic Use of Hash Function H.
  • 30. Hash Function Properties • A Hash Function produces a fingerprint of some file/message/data h = H(M)  Condenses a variable-length message M to a fixed-sized fingerprint. • Assumed to be public.
  • 31. Other Hash Function Uses  to create a one-way password file  store hash of password not actual password  for intrusion detection and virus detection  keep & check hash of files on system  pseudorandom function (PRF) or pseudorandom number generator (PRNG)
  • 32. Requirements for Hash Functions 1. Can be applied to any sized message M. 2. Produces fixed-length output h. 3. It is easy to compute h=H(M) for any message M. 4. Given h is infeasible to find x (H(x)=h) • One-way property 5. Given x is infeasible to find y (H(y)=H(x)) • Weak collision resistance 6. It is infeasible to find any x, y (H(y)=H(x)) • Strong collision resistance
  • 33.  consider two simple insecure hash functions  bit-by-bit exclusive-OR (XOR) of every block  Ci = bi1 xor bi2 xor . . . xor bim  a longitudinal redundancy check  reasonably effective as data integrity check  one-bit circular shift on hash value  for each successive n-bit block  rotate current hash value to left by1bit and XOR block  good for data integrity but useless for security Simple Hash Functions
  • 34. Simple Hash Function Using Bitwise XOR Bit 1 Bit 2 … Bit n Block 1 b11 b21 … bn1 Block 2 b12 b22 … Bn2 … … … … … Block m b1m b2m … bnm Hash Code C1 C2 … Cn
  • 36. Simple Hash Functions Two Simple Hash Functions
  • 38.  have brute-force attacks and cryptanalysis  a preimage or second preimage attack  find y s.t. H(y) equals a given hash value  collision resistance  find two messages x & y with same hash so H(x) = H(y)  hence value 2m/2 determines strength of hash code against brute-force attacks  128-bits inadequate, 160-bits suspect Attack on Hash Function
  • 39. Birthday Attacks • Might think a 64-bit hash is secure, but by Birthday Paradox is not • Birthday attack works thus:  given user prepared to sign a valid message x  opponent generates 2 m/2 variations x’ of x, all with essentially the same meaning, and saves them  opponent generates 2 m/2 variations y’ of a desired fraudulent message y  two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)  have user sign the valid message, then substitute the forgery which will have a valid signature  conclusion is that need to use larger MAC/hash
  • 40. General Structure of Secure Hash code L  cryptanalytic attacks exploit some property of alg so faster than exhaustive search  hash functions use iterative structure  process message in blocks (incl length)  attacks focus on collisions in function f
  • 41. Block Ciphers as Hash Functions • Can use block ciphers as hash functions  Using H0=0 and zero-pad of final block  compute: Hi = EMi [Hi-1]  Use final block as the hash value  Similar to CBC but without a key • Resulting hash is too small (64-bit)  Due to direct birthday attack  Due to “meet-in-the-middle” attack • Other variants also susceptible to attack
  • 42. Hash Functions and MAC Security • Brute-force attacks exploiting:  Strong collision resistance hash have cost 2 m/2.  Have proposal for hardware MD5 cracker.  128-bit hash looks vulnerable, 160-bits better.  MACs with known message-MAC pairs  Can either attack keyspace (key search) or MAC.  At least 128-bit MAC is needed for security.
  • 43. • Cryptanalytic attacks exploit structure  Like block ciphers want brute-force attacks to be the best alternative. • Have a number of analytic attacks on iterated hash functions. CVi = f[CVi-1, Mi]; H(M)=CVN  Typically focus on collisions in function f.  Like block ciphers is often composed of rounds.  Attacks exploit properties of round functions. Hash Functions and MAC Security
  • 45. MD5  designed by Ronald Rivest (the “R” in RSA)  latest in a series of MD2, MD4  produces a 128-bit hash value  until recently was the most widely used hash algorithm  in recent times have both brute-force & cryptanalytic concerns  specified as Internet standard RFC1321
  • 46. MD5 Overview 1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 4-word (128-bit) MD buffer (A,B,C,D) 4. process message in 16-word (512-bit) blocks:  using 4 rounds of 16 bit operations on message block & buffer  add output to buffer input to form new buffer value 5. output hash value is the final buffer value
  • 48. Implementation Steps  Step 1: Append padding bits  The message is Padded so that its bit length ≡ 448 mod 512 (i.e., the length of padded message is 64 bits less than an integer multiple of 512 bits)  Padding is always added, even if the message is already of the desired length (1 to 512 bits)  Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits)
  • 49. Implementation Steps  Step 2: Append length A 64-bit length  contains the length of the original message modulo 264  The expanded message is Y0, Y1, …, YL-1; the total length is L × 512 bits  The expanded message can be thought of as a multiple of 16 32-bit words  Let M[0 … N-1] denote the word of the resulting message, where N = L × 16
  • 50. Implementation Steps  Step 3: Initialize MD buffer  128-bit buffer (four 32-bit registers A,B,C,D) is used to hold intermediate and final results of the hash function  A,B,C,D are initialized to the following values  A = 67452301  B = EFCDAB89  C = 98BADCFE  D = 10325476  Stored in little-endian format (least significant byte of a word in the low-address byte position)  word A : 01 23 45 67 (low address … high address)  word B : 89 AB CD EF  word C : FE DC BA 98  word D : 76 54 32 10
  • 51. Implementation Steps  Step 4: Process message in 512-bit (16-word) blocks  Heart of the algorithm called a compression function Consists of 4 rounds  The 4 rounds have a similar structure, but each uses a different primitive logical functions, referred to as F, G, H, and I  Each round takes as input the current 512-bit block (Yq), 128- bit buffer value ABCD and updates the contents of the buffer  Each round also uses the table T[1 … 64], constructed from the sine function; T[i] = 232 × abs(sin(i))  The output of 4th round is added to the CVq to produce CVq+1
  • 53. Implementation Steps  Step 5: Output  After all L 512-bit blocks have been processed, the output from the Lth stage is the 128- bit message digest  CV0 = IV  CVq+1 = SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]])  MD = CVL Where  IV = initial value of the ABCD buffer, defined in step 3  Yq = the qth 512-bit block of the message  L = the number of blocks in the message (including padding and length fields)  CVq = chaining variable processed with the qth block of the message  RFx = round function using primitive logical function x  MD = final message digest value  SUM32 = addition modulo 232 performed separately on each word
  • 54. MD5 Compression Function  Each round consists of a sequence of 16 steps operating on the buffer ABCD  Each step is of the form  a ← b + (( a + g(b, c, d) + X[k] + T[i] <<< s )  where a,b,c,d = the 4 words of the buffer, in a specified order that varies across steps g = one of the primitive functions F, G, H, I  <<s = circular left shift (rotation) of the 32-bit arguments by s bits  X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the message  T[i] = the ith 32-bit word in table T  + = addition modulo 232 `
  • 56. MD5 Operation  One of the 4 primitive logical functions is used in each 4 rounds of the algorithm  Each primitive function takes three 32-bit words as input and produces a 32-bit word output  Each function performs a set of bitwise logical operations
  • 57. MD4  precursor to MD5  also produces a 128-bit hash of message  has 3 rounds of 16 steps versus 4 in MD5  design goals:  collision resistant (hard to find collisions)  direct security (no dependence on "hard" problems)  fast, simple, compact  favors little-endian systems (eg PCs)
  • 58. Strength of MD5  MD5 hash is dependent on all message bits  Rivest claims security is good as can be  known attacks are:  Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)  Boer & Bosselaers 93 found a pseudo collision (again unable to extend)  Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)  conclusion is that MD5 looks vulnerable soon
  • 59. SHA
  • 60. Overview  Developed by NIST (National Institute of Standards and Technology)  Published as a FIPS 180 in 1993  A revised version is issued as FIPS 180-1 IN 1995  Generally referred to as SHA-1  SHA is based on the hash function MD4 and its design closely models MD4.  SHA- 1 produces a hash value of 160 bits.  Revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384 and 512 bits, known as SHA-256, SHA-384 and SHA-512.
  • 61. SHA Overview 1. pad message so its length is 896 mod 1024 2. append a 128-bit length value to message 3. initialise 8-word (512-bit) buffer (A,B,C,D,E,F,G,H) 4. process message in 128-word (1024-bit) chunks: 5. output hash value is the final buffer value
  • 63. Implementation Steps  Step 1: Append padding bits  The message is Padd d so that its bit length is congruent to 896 modulo 1024 [length K ≡ 896 mod 1024]  Padding is always added, even if the message is already of the desired length.  Thus, the number of padding bits is in the range of 1 to 1024.  The padding consists of a single 1-bit followed by the necessary number of 0-bits.
  • 64. Implementation Steps  Step 2: Append length  A block of 128-bits is appended to the message.  This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).  The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length.  In Figure, the expanded message is represented as the sequence of 1024-bit blocks M1, M2,.., Mn, so that the total length of the expanded message is N x 1024 bits.
  • 65. Implementation Steps  Step 3: Initialize hash buffer  A 512-bit buffer is used to hold intermediate and final results of the hash function.  The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and h).  These registers are initialized to the following 64-bit integers (hexadecimal values):  These values are stored in big-endian format, which is the most significant byte of a word in the low-address (leftmost) byte position.  These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.
  • 66. Implementation Steps  Step 4: Process message in 1024-bit (128-word) blocks  The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in above figure.  Each round takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer.  At input to the first round, the buffer has the value of the intermediate hash value, Hi-1.  Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being processed (Mi).  Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of the 80 rounds.  The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi. The addition is done independently for each of the eight words in the buffer with each of the corresponding words in Hi-1, using addition modulo 264.
  • 68. Implementation Steps  Step 5: Output  After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.  H0 = IV,Hi = SUM64 (Hi-1, abcdefghi)  MD = HN where,  IV = initial value of the abcdefgh buffer, defined in step 3.  abcdefghi = the output of the last round of processing of the ith message block.  N = the number of blocks in the message (including padding and length fields).  SUM64 = Addition modulo 264 performed separately on each word of the pair of inputs.  MD = final message digest value.
  • 72. HMAC
  • 73. HMAC Design Principles  To use, without modifications, in available hash functions. In particular, to use hash functions that perform well in software and for which code is freely and widely available.  To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.  To preserve the original performance of the hash function without incurring a significant degradation.  To use and handle keys in a simple way.  To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.
  • 74. Algorithm  HMAC defines the following terms.  H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160) IV = initial value input to hash function  M = message input to HMAC (including the padding specified in the embedded hash function)  Yi = i th block of M, 0 ≤ i ≤ (L - 1)  L = number of blocks in M  b = number of bits in a block  n = length of hash code produced by embedded hash fu ction  K = secret key; recommended length is ≥ n; if key length s greater than b, the key is input to the hash function to produce an n-bit key  K+ = K padded with zeros on the left so that the result is b bits in length ipad = 00110110 (36 in hexadecimal) repeated b/8 times opad = 01011100 (5C in hexadecimal) repeated b/8 times
  • 76. Algorithm  The algorithm is as follows:  1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512, then K will be appended with 44 zeroes).  2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.  3. Append M to Si.  4. Apply H to the stream generated in step 3.  5. XOR K+ with opad to produce the b-bit block So.  6. Append the hash result from step 4 to So.  7. Apply H to the stream generated in step 6 and output the result.
  • 77. CMAC
  • 88. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication
  • 89. 14-1 INTRODUCTION Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
  • 90. 14.1.1 Data-Origin Versus Entity Authentication
    - Message authentication: does not happen in real time; authenticates one message and is repeated for each new message.
    - Entity authentication: happens in real time; authenticates the claimant for the entire duration of a session.
  • 91. 14.1.2 Verification Categories
    - Something known
    - Something possessed
    - Something inherent
  • 92. 14-2 PASSWORDS
    Password-based authentication, where the password is something that the claimant knows. Two groups:
    - Fixed password
    - One-time password
  • 93. 14.2.1 Fixed Password
    First Approach. Figure 14.1 User ID and password file
    Attacks on the first approach:
    - Eavesdropping
    - Stealing a password
    - Accessing a password file
    - Guessing
  • 94. Second Approach [contd…]
    Figure 14.2 Hashing the password
    Dictionary attack: create a list of passwords, calculate the hash value of each, and search the second-column entries to find a match.
  • 95. Third Approach [contd…]
    Figure 14.3 Salting the password
    When the password is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed. The Unix OS uses a variation of this method.
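The second and third approaches side by side, as an added example that is not part of the slides: a password file of hashed entries, one of salted entries, and the defender's check of how many entries a precomputed table of wordlist hashes (the dictionary of Figure 14.2) matches. WORDLIST, the user names and the use of SHA-256 are constructed for the demonstration.

```python
import hashlib
import os

# Added example (not from the slides): the password-file approaches of
# Figures 14.1-14.3. WORDLIST and the user entries are constructed; SHA-256 is
# used so the effect of the salt is easy to see (real systems use a
# deliberately slow password hash).

WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed

def store_plain(password: str) -> str:            # first approach: stored as-is
    return password

def store_hashed(password: str) -> str:           # second approach: h(password)
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: bytes = None) -> str:   # third approach
    """Random salt concatenated with the password, then hashed; salt stored alongside."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest

def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest = stored.split("$")
    return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest() == digest

def precomputed_table(words) -> dict:
    """Hash of every wordlist entry, computed once."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}

def audit_against_table(password_file: dict, table: dict) -> dict:
    """Defender's check: which stored entries does the precomputed table match?
    Looks at the digest part of each entry (after the '$' for salted entries)."""
    hits = {}
    for user, entry in password_file.items():
        digest = entry.split("$")[-1]
        if digest in table:
            hits[user] = table[digest]
    return hits

def demo() -> tuple:
    table = precomputed_table(WORDLIST)
    hashed_file = {"alice": store_hashed("letmein"), "bob": store_hashed("letmein")}
    salted_file = {"alice": store_salted("letmein"), "bob": store_salted("letmein")}
    # Unsalted: equal passwords give equal entries and the table matches both.
    # Salted: the two entries differ and the table matches neither, while the
    # legitimate verification still succeeds.
    return (audit_against_table(hashed_file, table),
            audit_against_table(salted_file, table),
            hashed_file["alice"] == hashed_file["bob"],
            salted_file["alice"] == salted_file["bob"],
            verify_salted("letmein", salted_file["alice"]))
```

The salt does not make a weak password strong: the table has to be recomputed per salt, which removes the one-time precomputation and the cross-user match, nothing more.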
  • 96. Fourth Approach [contd…]
    - Two identification techniques are combined.
    - A good example of this type of authentication is the use of an ATM card (something possessed) with a PIN (personal identification number) (something known).
  • 97. 14.2.2 One-Time Password
    - A one-time password is a password that is used only once.
    - In the first approach, the user and the system agree upon a list of passwords.
    - In the second approach, the user and the system agree to sequentially update the password.
    - In the third approach, the user and the system create a sequentially updated password using a hash function.
  • 98. [contd…]
    Figure 14.4 The third approach: Lamport one-time password
    - Alice and Bob agree upon an original password P0 and a counter n.
    - The system stores the identity of Alice, the value of n and the hash.
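The Lamport scheme of Figure 14.4 in code, as an added example that is not from the slides: Bob stores only (identity, n, h^n(P0)), Alice presents h^(n-1)(P0), Bob hashes it once and compares, then replaces his stored value and decrements n. The identity, P0 and the choice of SHA-256 as h are constructed; stopping the chain before P0 itself would be sent is a design choice of this example.

```python
import hashlib

# Added example (not from the slides): Lamport one-time passwords. Alice
# (client) and Bob (server) agree on P0 and n; Bob keeps only h^n(P0).

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def h_iter(x: bytes, times: int) -> bytes:
    """h^times(x): apply h repeatedly."""
    for _ in range(times):
        x = h(x)
    return x

class LamportServer:
    def __init__(self, identity: str, n: int, p0: bytes):
        self.identity = identity
        self.n = n
        self.stored = h_iter(p0, n)        # h^n(P0); P0 itself is not kept
    def verify(self, identity: str, otp: bytes) -> bool:
        # Refuse once n reaches 1: the next value would be P0 itself, so the
        # chain has to be re-initialised (design choice for this example).
        if identity != self.identity or self.n <= 1:
            return False
        if h(otp) != self.stored:           # h(h^{n-1}(P0)) must equal h^n(P0)
            return False
        self.stored = otp                   # accepted value becomes the new reference
        self.n -= 1
        return True

class LamportClient:
    def __init__(self, p0: bytes, n: int):
        self.p0 = p0
        self.n = n
    def next_otp(self) -> bytes:
        self.n -= 1
        return h_iter(self.p0, self.n)     # h^{n-1}(P0), then h^{n-2}(P0), ...

def run_session(n: int = 5, p0: bytes = b"constructed-P0") -> list:
    """Accept/reject log: a fresh login, a replay of the same value, the rest of
    the chain, and one attempt after the chain is exhausted."""
    server, client = LamportServer("alice", n, p0), LamportClient(p0, n)
    results = []
    first = client.next_otp()
    results.append(server.verify("alice", first))     # fresh value: accepted
    results.append(server.verify("alice", first))     # replayed value: h(otp) != stored
    for _ in range(n - 2):
        results.append(server.verify("alice", client.next_otp()))
    results.append(server.verify("alice", client.next_otp()))   # would be P0: refused
    return results
```

A replayed value fails because Bob has already moved his reference down the chain, and an eavesdropper who sees h^(n-1)(P0) cannot derive the next value h^(n-2)(P0) without inverting h.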
  • 99. 14-3 CHALLENGE-RESPONSE
    In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.
  • 100. [contd…]
    In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier.
    Note: The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
  • 101. 14.3.1 Using a Symmetric-Key Cipher
    First Approach. Figure 14.5 Nonce challenge
    1. ID of claimant.
    2. The challenge: RB is the nonce randomly chosen by Bob to challenge Alice.
    3. Alice encrypts the nonce using the shared secret key known only to Alice and Bob. Bob decrypts the message and checks that the nonce obtained from decryption is the same as the one he sent.
  • 102. Second Approach [contd…]
    Figure 14.6 Timestamp challenge
    The challenge message is the current time sent from the verifier to the claimant. The claimant encrypts Alice's ID and the time with the Alice-Bob secret key.
  • 103. Third Approach [contd…]
    Figure 14.7 Bidirectional authentication
    1. Alice's ID.
    2. The challenge from Bob to Alice: RB.
    3. Alice responds and sends her own challenge RA.
    4. Bob's response.
    RA and RB are switched to prevent a replay attack.
  • 104. 14.3.2 Using Keyed-Hash Functions
    Figure 14.8 Keyed-hash function
    1. The challenge message is the current time sent from the verifier to the claimant.
    2. The timestamp is sent both as plaintext and as text scrambled by the keyed-hash function.
    3. Bob compares his calculation with what he received.
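Challenge-response with a keyed-hash function, as an added example that is not from the slides: the timestamp challenge of Figure 14.8 with a freshness window, and the bidirectional exchange of Figure 14.7 realised with HMAC-SHA256 in place of the cipher, RA and RB switched in the two responses. The shared key, the identities "Alice" and "Bob" and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): keyed-hash challenge-response.
# verify_timestamp_response() is Figure 14.8; the nonce functions follow the
# message order of Figure 14.7 with a keyed hash instead of encryption.

def keyed_hash(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()

# --- Figure 14.8: the timestamp is the challenge -----------------------------
def timestamp_response(key: bytes, claimant: bytes, t: int) -> tuple:
    """Claimant returns the timestamp in clear together with its keyed hash."""
    return t, keyed_hash(key, claimant, str(t).encode())

def verify_timestamp_response(key, claimant, t, tag, now, window=30) -> bool:
    """Verifier recomputes the hash and also requires the timestamp to be recent."""
    if abs(now - t) > window:
        return False                      # stale (or replayed) timestamp
    return hmac.compare_digest(keyed_hash(key, claimant, str(t).encode()), tag)

# --- Figure 14.7 structure with a keyed hash: RB first, then RA --------------
def bob_challenge() -> bytes:
    return secrets.token_bytes(16)        # RB, fresh for every run

def alice_respond(key: bytes, rb: bytes) -> tuple:
    """Message 3: Alice's own challenge RA plus her response bound to (IDA, RB, RA)."""
    ra = secrets.token_bytes(16)
    return ra, keyed_hash(key, b"Alice", rb, ra)

def bob_verify_and_reply(key: bytes, rb: bytes, ra: bytes, tag: bytes):
    """Bob checks message 3 and, if it is valid, answers with RA and RB switched."""
    if not hmac.compare_digest(keyed_hash(key, b"Alice", rb, ra), tag):
        return None
    return keyed_hash(key, b"Bob", ra, rb)   # message 4

def alice_verify(key: bytes, ra: bytes, rb: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_hash(key, b"Bob", ra, rb), tag)

def run_exchange(key: bytes) -> tuple:
    """One full exchange: (message 3 as sent, Bob accepted Alice, Alice accepted Bob)."""
    rb = bob_challenge()
    ra, tag3 = alice_respond(key, rb)
    tag4 = bob_verify_and_reply(key, rb, ra, tag3)
    if tag4 is None:
        return (ra, tag3), False, False
    return (ra, tag3), True, alice_verify(key, ra, rb, tag4)
```

Because message 3 is bound to Bob's fresh RB, a recorded copy of it is rejected in any later run; including the identities in the hashed data, together with the switched nonce order, keeps Bob's reply from ever being a valid copy of Alice's response.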
  • 105. 14.3.3 Using an Asymmetric-Key Cipher
    First Approach. Figure 14.9 Unidirectional, asymmetric-key authentication: proves ownership of the claimant's private key.
  • 106. Second Approach [contd…]
    Figure 14.10 Bidirectional, asymmetric-key authentication
  • 107. 14.3.4 Using Digital Signature
    First Approach. Figure 14.11 Digital signature, unidirectional: proves ownership of the claimant's private key.
  • 108. Second Approach [contd…]
    Figure 14.12 Digital signature, bidirectional authentication
  • 109. 14-4 ZERO-KNOWLEDGE
    In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret without revealing it. The interactions are designed so that they cannot lead to revealing or guessing the secret.
  • 110. 14.4.1 Fiat-Shamir Protocol
    Figure 14.13 Fiat-Shamir protocol
    Verification: $y^2 = (r s^c)^2 = r^2 (s^2)^c = x v^c \pmod n$
    - $y = r s^c$ is computed by Alice from her private key $s$ and the challenge $c$.
    - $x v^c$ is computed by Bob from Alice's public key $v$ and her commitment $x$.
  • 111. Cave Example [contd…]
    Figure 14.14 Cave example
    The door can only be opened with a magic word. Alice claims that she knows the word and that she can open the door. Bob and Alice are at point 1. Alice enters the cave and reaches point 2.
    1. Alice chooses to go either right or left. After Alice disappears, Bob comes to point 2 and asks Alice to come up from either the right or the left.
    2. If Alice knows the magic word, she will come up from the requested side. If she does not know the word, she comes up from the requested side with probability ½.
    3. The game is repeated many times.
  • 112. 14.4.2 Feige-Fiat-Shamir Protocol
    Figure 14.15 Feige-Fiat-Shamir protocol
    Verification (with $v_i = s_i^{-2} \bmod n$, $i = 1, \dots, k$):
    $y^2 v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k} = (r s_1^{c_1} s_2^{c_2} \cdots s_k^{c_k})^2 \, v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k} = r^2 (s_1^2 v_1)^{c_1} (s_2^2 v_2)^{c_2} \cdots (s_k^2 v_k)^{c_k} = x (1)^{c_1} (1)^{c_2} \cdots (1)^{c_k} = x \pmod n$
  • 113. 14.4.3 Guillou-Quisquater Protocol
    Figure 14.16 Guillou-Quisquater protocol
    Verification (with $v = s^{-e} \bmod n$): $y^e v^c = (r s^c)^e v^c = r^e s^{ce} v^c = r^e (s^e v)^c = x (1)^c = x \pmod n$
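The Fiat-Shamir and Feige-Fiat-Shamir rounds above as running code, an added example that is not from the slides. It implements Feige-Fiat-Shamir for k secrets with the convention v_i = s_i^(-2) mod n and the check y^2 v_1^c1 ... v_k^ck = x; with k = 1 this is one Fiat-Shamir round (Figure 14.13 writes the public key as v = s^2 and the check as y^2 = x v^c, the same relation with v inverted). The modulus n = p q uses small constructed primes for illustration only, not secure parameters; cheating_round() shows the soundness argument of the cave example: a claimant without the secrets passes a round only when the challenge bits equal its guess.

```python
import secrets
from math import gcd

# Added example (not from the slides): Feige-Fiat-Shamir rounds for k secrets,
# convention v_i = s_i^{-2} mod n, verifier check y^2 * prod v_i^{c_i} == x.
# p, q are small constructed primes, NOT secure parameters.

P, Q = 1000003, 1000033
N = P * Q

def keygen(k: int) -> tuple:
    """Alice's private s_1..s_k (coprime to n) and public v_i = s_i^{-2} mod n."""
    s = []
    while len(s) < k:
        cand = secrets.randbelow(N - 2) + 2
        if gcd(cand, N) == 1:
            s.append(cand)
    v = [pow(pow(si, 2, N), -1, N) for si in s]
    return s, v

def prover_commit() -> tuple:
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)                # keep r, send x = r^2 mod n

def prover_respond(r: int, s: list, c: list) -> int:
    y = r
    for si, ci in zip(s, c):
        if ci:
            y = y * si % N                # y = r * s_1^c1 * ... * s_k^ck mod n
    return y

def verifier_check(x: int, y: int, v: list, c: list) -> bool:
    lhs = pow(y, 2, N)
    for vi, ci in zip(v, c):
        if ci:
            lhs = lhs * vi % N            # y^2 * v_1^c1 * ... * v_k^ck mod n
    return lhs == x

def honest_round(s: list, v: list, c: list = None) -> bool:
    r, x = prover_commit()                             # 1. Alice -> Bob: x
    if c is None:
        c = [secrets.randbelow(2) for _ in v]          # 2. Bob -> Alice: challenge bits
    y = prover_respond(r, s, c)                        # 3. Alice -> Bob: y
    return verifier_check(x, y, v, c)                  # 4. Bob verifies

def cheating_round(v: list, guess: list, c: list) -> bool:
    """Soundness: a claimant without s picks y first and builds x so that the
    check passes for the bits it guessed; it is caught whenever c != guess."""
    y = secrets.randbelow(N - 2) + 2
    x = pow(y, 2, N)
    for vi, gi in zip(v, guess):
        if gi:
            x = x * vi % N
    return verifier_check(x, y, v, c)
```

With k bits per round a guess succeeds with probability 2^(-k), so t rounds leave a cheating claimant a 2^(-kt) chance, which is why the game is repeated many times; the honest transcript (x, c, y) reveals nothing about s beyond what v already gives.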
  • 114. 14-5 BIOMETRICS
    Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.
  • 116. 14.5.2 Enrollment
    The corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
  • 120. User Authentication
    - Fundamental security building block: basis of access control and user accountability
    - Is the process of verifying an identity claimed by or for a system entity
    - Has two steps: identification (specify an identifier) and verification (bind the entity, e.g. a person, to the identifier)
    - Distinct from message authentication
  • 121. Means of User Authentication
    Four means of authenticating a user's identity, based on something the individual
    - Knows, e.g. password, PIN
    - Possesses, e.g. key, token, smartcard
    - Is (static biometrics), e.g. fingerprint, retina
    - Does (dynamic biometrics), e.g. voice, signature
    These can be used alone or combined; all can provide user authentication, and all have issues.
  • 122. Authentication Protocols
    - Used to convince parties of each other's identity and to exchange session keys
    - May be one-way or mutual
    - Key issues are:
      - Confidentiality, to protect session keys
      - Timeliness, to prevent replay attacks
  • 123. Replay Attacks
    - Where a valid signed message is copied and later resent
      - Simple replay
      - Repetition that can be logged
      - Repetition that cannot be detected
      - Backward replay without modification
    - Countermeasures include:
      - Use of sequence numbers (generally impractical)
      - Timestamps (needs synchronized clocks)
      - Challenge/response (using a unique nonce)
  • 124. One-Way Authentication
    - Required when sender and receiver are not in communication at the same time (e.g. email)
    - Have header in clear so it can be delivered by the email system
    - May want contents of body protected and sender authenticated
  • 125. Using Symmetric Encryption
    - As discussed previously, can use a two-level hierarchy of keys
    - Usually with a trusted key distribution center (KDC)
    - Each party shares its own master key with the KDC
    - KDC generates session keys used for connections between parties
    - Master keys are used to distribute these to them
  • 126. Needham-Schroeder Protocol
    - Original third-party key distribution protocol
    - For a session between A and B mediated by the KDC
    - Protocol overview:
      1. A → KDC: IDA || IDB || N1
      2. KDC → A: E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
      3. A → B: E(Kb, [Ks || IDA])
      4. B → A: E(Ks, [N2])
      5. A → B: E(Ks, [f(N2)])
  • 127. Needham-Schroeder Protocol
    - Used to securely distribute a new session key for communications between A and B
    - But is vulnerable to a replay attack if an old session key has been compromised
    - Then message 3 can be resent, convincing B that it is communicating with A
    - Modifications to address this require:
      - Timestamps in steps 2 and 3 (Denning 81)
      - Using an extra nonce (Neuman 93)
  • 128. One-Way Authentication
    - Use a refinement of the KDC protocol to secure email
    - Since B is not online, drop steps 4 and 5
    - Protocol becomes:
      1. A → KDC: IDA || IDB || N1
      2. KDC → A: E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
      3. A → B: E(Kb, [Ks || IDA]) || E(Ks, M)
    - Provides encryption and some authentication
    - Does not protect from replay attack
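The five Needham-Schroeder messages of slide 126 run between A, B and the KDC in one process, as an added example that is not from the slides. E(K, ·) here is a toy encrypt-then-MAC built from HMAC-SHA256 for the demonstration only, not a real cipher; the master keys, identifiers, nonce sizes and f(N2) = N2 + 1 are constructed choices. The checks that A makes on message 2 (N1 and IDB) and that B makes on message 5 (f(N2)) are the parts of the protocol that bind each reply to the request it answers.

```python
import hashlib
import hmac
import json
import os

# Added example (not from the slides): Needham-Schroeder messages 1-5.
# E/D are a toy authenticated encryption for this demo (NOT a real cipher).

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def E(key: bytes, fields: list) -> bytes:
    """Encrypt-then-MAC of a JSON-encoded field list; output nonce || ct || tag."""
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def D(key: bytes, blob: bytes) -> list:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def f(n2: str) -> str:
    return format(int(n2, 16) + 1, "x")       # f(N2) = N2 + 1 on the hex-encoded nonce

class KDC:
    def __init__(self, master_keys: dict):
        self.keys = master_keys                  # {ID: master key shared with the KDC}
    def reply(self, ida: str, idb: str, n1: str) -> bytes:
        ks = os.urandom(32).hex()
        ticket = E(self.keys[idb], [ks, ida]).hex()          # E(Kb, [Ks || IDA])
        return E(self.keys[ida], [ks, idb, n1, ticket])      # message 2

class Initiator:                                  # A
    def __init__(self, ida: str, ka: bytes):
        self.ida, self.ka, self.ks = ida, ka, None
    def request(self, idb: str) -> tuple:        # message 1: IDA || IDB || N1
        self.idb, self.n1 = idb, os.urandom(16).hex()
        return self.ida, idb, self.n1
    def open_reply(self, msg2: bytes) -> bytes:  # yields message 3 for B
        ks, idb, n1, ticket = D(self.ka, msg2)
        if n1 != self.n1 or idb != self.idb:      # N1 binds the reply to this request
            raise ValueError("KDC reply does not match the outstanding request")
        self.ks = bytes.fromhex(ks)
        return bytes.fromhex(ticket)
    def answer_challenge(self, msg4: bytes) -> bytes:   # message 5: E(Ks, [f(N2)])
        (n2,) = D(self.ks, msg4)
        return E(self.ks, [f(n2)])

class Responder:                                  # B
    def __init__(self, idb: str, kb: bytes):
        self.idb, self.kb, self.ks = idb, kb, None
    def accept_ticket(self, msg3: bytes) -> bytes:      # message 4: E(Ks, [N2])
        ks, self.peer = D(self.kb, msg3)
        self.ks, self.n2 = bytes.fromhex(ks), os.urandom(16).hex()
        return E(self.ks, [self.n2])
    def check(self, msg5: bytes) -> bool:               # A must have known Ks to compute f(N2)
        return D(self.ks, msg5)[0] == f(self.n2)

def run_protocol() -> bool:
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, a, b = KDC({"A": ka, "B": kb}), Initiator("A", ka), Responder("B", kb)
    msg2 = kdc.reply(*a.request("B"))
    msg4 = b.accept_ticket(a.open_reply(msg2))
    return b.check(a.answer_challenge(msg4)) and a.ks == b.ks and b.peer == "A"

def stale_reply_rejected() -> bool:
    """A KDC reply to an earlier request (old N1) must not be accepted for a new one."""
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, a = KDC({"A": ka, "B": kb}), Initiator("A", ka)
    old_reply = kdc.reply(*a.request("B"))
    a.request("B")                                # new request, new N1
    try:
        a.open_reply(old_reply)
    except ValueError:
        return True
    return False
```

Note what this code does not detect, exactly as slide 127 says: B has no way to tell a fresh message 3 from a replayed one carrying an old Ks, because nothing in E(Kb, [Ks || IDA]) is bound to the current run. The Denning fix puts a timestamp inside messages 2 and 3 so that B can reject a stale ticket.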
  • 130. Introduction
    - Trusted key server system from MIT
    - Provides centralised private-key third-party authentication in a distributed network
    - Allows users access to services distributed through the network
    - Without needing to trust all workstations; rather, all trust a central authentication server
    - Two versions in use: 4 and 5
  • 131. Kerberos Requirements
    - First published report identified its requirements as: security, reliability, transparency, scalability
    - Implemented using an authentication protocol based on Needham-Schroeder
  • 132. Kerberos 4 Overview
    - A basic third-party authentication scheme
    - Has an Authentication Server (AS): users initially negotiate with the AS to identify themselves; the AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
    - Has a Ticket Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of their TGT
  • 134. Steps
    - Step 1: The user logs on and requests services on a host; thus the user requests a ticket-granting service.
    - Step 2: The Authentication Server verifies the user's access rights using its database and then returns a ticket-granting ticket and a session key. The results are encrypted using the user's password.
    - Step 3: The message is decrypted using the password, then the ticket is sent to the Ticket Granting Server. The ticket contains authenticators like user name and network address.
    - Step 4: The Ticket Granting Server decrypts the ticket sent by the user and the authenticator, verifies the request, then creates the ticket for requesting services from the Server.
    - Step 5: The user sends the ticket and authenticator to the Server.
    - Step 6: The Server verifies the ticket and authenticator, then generates access to the
  • 136. Kerberos Realms
    - A Kerberos environment consists of: a Kerberos server; a number of clients, all registered with the server; application servers, sharing keys with the server
    - This is termed a realm, typically a single administrative domain
    - If there are multiple realms, their Kerberos servers must share keys and trust
  • 138. Kerberos Version 5
    - Developed in the mid-1990s
    - Provides improvements over v4
    - Addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
    - And technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
    - Specified as Internet standard RFC 1510
  • 140. X.509 Authentication Service
    - Part of the CCITT X.500 directory service standards: distributed servers maintaining some information database
    - Defines a framework for authentication services
    - Directory may store public-key certificates, with the public key of a user, signed by a certification authority
    - Also defines authentication protocols
    - Uses public-key crypto and digital signatures; algorithms not standardised, but RSA recommended
  • 141. X.509 Certificates
    Issued by a Certification Authority (CA), containing:
    - version (1, 2, or 3)
    - serial number (unique within the CA) identifying the certificate
    - signature algorithm identifier
    - issuer X.500 name (CA)
    - period of validity (from/to dates)
    - subject X.500 name (name of owner)
    - subject public-key info (algorithm, parameters, key)
    - issuer unique identifier (v2+)
    - subject unique identifier (v2+)
    - extension fields (v3)
    - signature (of hash of all fields in certificate)
    Notation: CA<<A>> denotes the certificate for A signed by CA.
  • 143. Obtaining a Certificate
    - Any user with access to the CA can get any certificate from it
    - Only the CA can modify a certificate
    - Because they cannot be forged, certificates can be placed in a public directory
  • 144. CA Hierarchy
    - If both users share a common CA then they are assumed to know its public key
    - Otherwise CAs must form a hierarchy
    - Use certificates linking members of the hierarchy to validate other CAs
    - Each CA has certificates for clients (forward) and parent (backward)
    - Each client trusts its parent's certificates
    - Enables verification of any certificate from one CA by users of all other CAs in the hierarchy
  • 146. Certificate Revocation
    - Certificates have a period of validity
    - May need to revoke before expiry, e.g.:
      1. user's private key is compromised
      2. user is no longer certified by this CA
      3. CA's certificate is compromised
    - CAs maintain a list of revoked certificates: the Certificate Revocation List (CRL)
    - Users should check certificates against the CA's CRL
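The certificate fields, the CA hierarchy and the CRL check of slides 141 to 146 in one toy PKI, as an added example that is not from the slides. Signatures are textbook RSA over a SHA-256 digest with small constructed primes, for illustration only; the names Root, CA-X and A, the serial numbers and the validity dates are constructed. The chain Root<<X>>, X<<A>> is validated from the trust anchor downwards, checking issuer name, signature, validity period and the issuer's CRL at every step.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Added example (not from the slides): a toy X.509-style PKI. Toy RSA with
# small constructed primes; names, serials and dates are constructed.

def toy_rsa_keypair(p: int, q: int, e: int = 65537) -> tuple:
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))        # (public, private)

def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private: tuple, data: bytes) -> int:
    n, d = private
    return pow(_digest_mod_n(data, n), d, n)

def verify(public: tuple, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_mod_n(data, n)

@dataclass
class Certificate:
    serial: int                 # unique within the issuing CA
    issuer: str                 # CA name
    subject: str                # owner name
    not_before: date            # period of validity
    not_after: date
    subject_pub: tuple          # subject public-key info
    signature: int = 0          # signature over the hash of all other fields
    def tbs(self) -> bytes:     # the fields that get signed
        return f"{self.serial}|{self.issuer}|{self.subject}|{self.not_before}|{self.not_after}|{self.subject_pub}".encode()

def issue(issuer: str, issuer_priv: tuple, subject: str, subject_pub: tuple,
          serial: int, not_before: date, not_after: date) -> Certificate:
    """CA<<subject>>: the certificate for subject signed by the CA."""
    cert = Certificate(serial, issuer, subject, not_before, not_after, subject_pub)
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert

def validate_chain(chain: list, anchor_name: str, anchor_pub: tuple, crls: dict, today: date) -> tuple:
    """chain is ordered end entity first, certificate issued by the trust anchor last.
    crls maps a CA name to the set of serials it has revoked. Returns (ok, reason)."""
    issuer_name, issuer_pub = anchor_name, anchor_pub
    for cert in reversed(chain):                      # walk from the anchor downwards
        if cert.issuer != issuer_name:
            return False, f"{cert.subject}: issued by {cert.issuer}, expected {issuer_name}"
        if not verify(issuer_pub, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: bad signature"
        if not (cert.not_before <= today <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject}: revoked by {cert.issuer} (on CRL)"
        issuer_name, issuer_pub = cert.subject, cert.subject_pub   # next link's issuer
    return True, "chain valid"

def scenario(today_iso: str, revoke_a: bool = False, tamper: bool = False) -> tuple:
    """Hierarchy Root -> CA-X -> user A (Root<<X>>, X<<A>>), checked against Root."""
    root_pub, root_priv = toy_rsa_keypair(1000003, 1000033)
    x_pub, x_priv = toy_rsa_keypair(1000037, 1000039)
    a_pub, _ = toy_rsa_keypair(1000081, 1000099)
    x_cert = issue("Root", root_priv, "CA-X", x_pub, 1, date(2023, 1, 1), date(2026, 12, 31))
    a_cert = issue("CA-X", x_priv, "A", a_pub, 42, date(2024, 1, 1), date(2024, 12, 31))
    if tamper:
        a_cert.subject = "A-forged"                  # any field change breaks the signature
    crls = {"CA-X": {42} if revoke_a else set()}
    return validate_chain([a_cert, x_cert], "Root", root_pub, crls, date.fromisoformat(today_iso))
```

Only the anchor's public key is trusted a priori; every other public key in the chain is accepted solely because the certificate carrying it verified under the key one level up, which is the point of the forward and backward certificates on slide 144.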
  • 147. Authentication Procedures
    X.509 includes three alternative authentication procedures, all using public-key signatures:
    - One-Way Authentication
    - Two-Way Authentication
    - Three-Way Authentication
  • 148. One-Way Authentication
    - One message (A → B) used to establish: the identity of A and that the message is from A; that the message was intended for B; the integrity and originality of the message
    - Message must include a timestamp, a nonce and B's identity, and is signed by A
  • 149. Two-Way Authentication
    - Two messages (A → B, B → A), which in addition establish: the identity of B and that the reply is from B; that the reply is intended for A; the integrity and originality of the reply
    - Reply includes the original nonce from A, plus a timestamp and nonce from B
  • 150. Three-Way Authentication
    - Three messages (A → B, B → A, A → B), which enable the above authentication without synchronized clocks
    - Has a reply from A back to B containing a signed copy of the nonce from B
    - Means that timestamps need not be checked or relied upon
  • 151. X.509 Version 3
    - It has been recognised that additional information is needed in a certificate: email/URL, policy details, usage constraints
    - Rather than explicitly naming new fields, a general extension method was defined
    - Extensions consist of: extension identifier, criticality indicator, extension value
  • 152. Certificate Extensions
    - Key and policy information: conveys information about subject and issuer keys, plus indicators of certificate policy
    - Certificate subject and issuer attributes: support alternative names, in alternative formats, for the certificate subject and/or issuer
    - Certificate path constraints: allow constraints on the use of certificates by other CAs
  • 153. Summary
    Have considered:
    - Kerberos trusted key server system
    - X.509 authentication and certificates