
Information Security

Dr. Uma Godase


Computer Science and Engineering
MIT School of Engineering
Hash Functions
Addresses two key issues:
▪ condenses arbitrary message to a fixed size
h = H(M)
▪ usually assume hash function is public
▪ hash used to detect changes to message
▪ want a cryptographic hash function such that
computationally infeasible to find data that maps to
a specific hash (one-way property)
▪ computationally infeasible to find two different data
with same hash (collision-free property)
Cryptographic Hash Functions
Cryptographic Hash Function
Applications of Cryptographic Hash Functions
Hash Functions & Message Authentication
Applications of Cryptographic Hash Functions
Hash Functions & Digital Signatures
Applications of Cryptographic Hash Functions
Other Hash Function Uses
▪ to create a one-way password file
▪ store hash of password, not actual password
▪ for intrusion detection and virus detection
▪ keep & check hashes of files on system
▪ pseudorandom function (PRF) or pseudorandom
number generator (PRNG)
Hash Functions
Hash Function Requirements
Hash Functions
Attacks on Hash Functions
▪ have brute-force attacks and cryptanalysis
▪ a preimage or second preimage attack
▪ find y such that H(y) equals a given hash value
▪ collision resistance
▪ find two messages x and y with same hash
▪ H(x) = H(y)
▪ hence the value 2^(m/2) (m = hash length in bits) determines the strength of a
hash code against brute-force attacks
▪ 128-bits inadequate, 160-bits suspect
Hash Functions
Block Ciphers as Hash Functions
▪ a large number of hash functions exist
▪ can use block ciphers as hash functions
▪ using H_0 = 0 and zero-padding of the final block
▪ compute: H_i = E_{M_i}(H_{i-1})
▪ and use final block as the hash value
▪ similar to CBC but without a key
▪ resulting hash is small (64-bit) if use DES
▪ both due to direct birthday attack
▪ and to “meet-in-the-middle” attack
▪ other variants also susceptible to attack
Message Digest / Hash
• Fingerprint of the original data
• Similar to a Cyclic Redundancy Check (CRC)
• Used to detect if the data has changed
• Always one-to-one relationship with the original
data

[Figure: original data → message digest algorithm → message digest]
Message Digest
Message Digest: Example
▪ Original number is 7391743

  Operation              Result
  Multiply 7 by 3        21
  Discard first digit    1
  Multiply 1 by 9        9
  Multiply 9 by 1        9
  Multiply 9 by 7        63
  Discard first digit    3
  Multiply 3 by 4        12
  Discard first digit    2
  Multiply 2 by 3        6

• Message digest is 6
Message Digest Demands - 1
▪ Original data → message digest algorithm → message digest: computing the
digest should always be possible, and the result should always be the same.
Message Digest Demands - 2
▪ Message digest → reverse message digest algorithm → original data: this
must not be possible.
Message Digest Demands - 3
▪ Original data block 1 → message digest algorithm → message digest 1, and
original data block 2 → message digest algorithm → message digest 2: these
two message digests must be different.
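An added example, not from the slides: the toy digit digest worked above, implemented in Python, together with a generic birthday-style collision search that is run both on the toy digest and on SHA-256 truncated to 16 bits, which makes concrete the 2^(m/2) figure from the brute-force slide and why Demand 3 fails for the toy scheme. The names `toy_digest`, `sha256_hex`, `find_collision` and the "msg-i" inputs are my own constructed names and data.

```python
import hashlib
from typing import Callable, Iterable, Optional, Tuple


def toy_digest(data: str) -> int:
    """The lecture's toy digest: start with the first digit, multiply by each
    following digit in turn and, whenever the product has two digits, discard
    the first one (i.e. keep only the units digit)."""
    digits = [int(ch) for ch in data if ch.isdigit()]
    if not digits:
        raise ValueError("input must contain at least one digit")
    acc = digits[0]
    for d in digits[1:]:
        acc = (acc * d) % 10  # "discard first digit" == keep the units digit
    return acc


def sha256_hex(data: str) -> str:
    """A real cryptographic digest for comparison (256-bit output)."""
    return hashlib.sha256(data.encode()).hexdigest()


def find_collision(digest: Callable[[str], object],
                   inputs: Iterable[str]) -> Optional[Tuple[str, str, int]]:
    """Generic birthday search: remember the first input seen for every digest
    value and stop at the first pair of distinct inputs sharing a value.
    Returns (first_input, second_input, digests_evaluated) or None.
    Demand 3 says no such pair should be found; for a good m-bit hash the
    search costs about 2^(m/2) evaluations, for the toy digest at most 11."""
    seen = {}
    for n, x in enumerate(inputs, 1):
        d = digest(x)
        if d in seen and seen[d] != x:
            return seen[d], x, n
        seen.setdefault(d, x)
    return None


def truncated_sha256(bits: int) -> Callable[[str], str]:
    """SHA-256 cut down to `bits` bits, so the birthday bound is reachable."""
    hexchars = bits // 4
    return lambda s: sha256_hex(s)[:hexchars]
```

The toy digest has only ten possible values, so the search collides on the 11th input; the 16-bit truncation of SHA-256 needs roughly 2^8 = 256 inputs, while the full 256-bit digest finds nothing in any feasible number of inputs.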
Secure Hash Algorithm
▪ SHA originally designed by NIST & NSA in 1993
▪ was revised in 1995 as SHA-1
▪ US standard for use with DSA signature scheme
▪ standard is FIPS 180-1 (1995), also Internet RFC 3174
▪ the algorithm is SHA, the standard is SHS
▪ based on design of MD4 with key differences
▪ produces 160-bit hash values
▪ 2005 results on security of SHA-1 have raised
concerns on its use in future applications
▪ these days use of SHA-1 is discouraged
Secure Hash Algorithm
SHA parameters
Secure Hash Algorithm (SHA – 1)
• Padding : add padding to the end of message such that
length of message is 64 bits short of a multiple of 512.
• Append Length : calculate length of a message excluding
padding and append to the end of padding.
• Divide : Divide input into 512 bit blocks.
• Initialize chaining variables : Initialize 5 chaining
variables A - E
• Process blocks
• Copy A – E into variables a – e
• Divide current 512 bit block into 16 sub blocks
• Execute 4 rounds, each consisting of 20 iterations.
Secure Hash Algorithm (SHA – 1)

[Figure: one iteration of SHA-1. The chaining variables a, b, c, d, e enter
Process P; the result is added to s5 (a circularly left-shifted by 5 bits),
then W[t] and K[t] are added; the five outputs become the new a, b, c, d, e.]
One Iteration of SHA – 1
• W[t]:
  t = 0 to 15:   W[t] = M[t], i.e. the 16 input sub-blocks of 32 bits
  t = 16 to 79:  W[t] = S1( W[t-16] XOR W[t-14] XOR W[t-8] XOR W[t-3] )

• S1: circular left shift by 1 bit

• K[t]: constant
  Round   Value of t between   K[t] in hex
  1       1 and 19             5A 92 79 99
  2       20 and 39            6E D9 EB A1
  3       40 and 59            9F 1B BC DC
  4       60 and 79            CA 62 C1 D6
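An added, self-contained Python implementation of the SHA-1 steps just listed (padding, length append, division into 512-bit blocks, the 16 sub-blocks and the W[t] expansion with S1, then four rounds of 20 iterations); it is not code from the slides. The round functions, initial chaining values and K[t] constants are the FIPS 180-1 values, so the result can be checked against hashlib.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word (S1, s5 and s30 in the lecture)."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(msg: bytes) -> bytes:
    """Padding + Append Length: a 1 bit, then zeros until the length is 64 bits
    short of a multiple of 512, then the original bit length as a 64-bit
    big-endian integer."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def expand_words(block: bytes) -> list:
    """W[t]: t = 0..15 are the 16 32-bit sub-blocks of the 512-bit block;
    t = 16..79 are S1( W[t-16] XOR W[t-14] XOR W[t-8] XOR W[t-3] )."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def f_and_k(t: int, b: int, c: int, d: int):
    """Process P (the round function f) and the constant K[t] for the four
    20-iteration rounds, FIPS 180-1 values."""
    if t < 20:
        return (b & c) | (~b & d & MASK32), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def sha1(msg: bytes) -> bytes:
    # Initialize the five chaining variables A..E (FIPS 180-1 initial values).
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad_message(msg)
    for off in range(0, len(padded), 64):          # Divide: 512-bit blocks
        w = expand_words(padded[off:off + 64])
        a, b, c, d, e = h                          # copy A..E into a..e
        for t in range(80):                        # 4 rounds x 20 iterations
            f, k = f_and_k(t, b, c, d)
            # s5 of a, Add f, Add e, Add K[t], Add W[t]  (one iteration)
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)                  # 160-bit hash value


def sha1_hex(msg: bytes) -> str:
    return sha1(msg).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1_hex(msg) == hashlib.sha1(msg).hexdigest()
```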
Message Digests - Advantages
• The generation of a digest is very fast and the digest
itself is very small and can easily be encrypted and
transmitted over the internet
• It is very easy and fast (and therefore cheap) to
check some data for validity
• The algorithms are well known and implemented in
most major programming languages, so they can be
used in almost all environments
Message Digests - Weaknesses

• There is no way to discern who actually created the digest.


• The digest must be transmitted/published in a way to ensure
that it is not tampered with. Otherwise a criminal could forge
both the data and the digest. This is usually prevented by
encrypting the digest, which is very small and can be encrypted
much faster than the whole data.
• Discovering that some data has been forged might not be
enough, as there is no way to discover what was changed.
Message Authentication Requirements
▪ Message authentication is a procedure to verify that received
messages come from the alleged source and have not been
altered.
▪ Message Authentication is concerned with:
▪ protecting the integrity of a message
▪ validating identity of originator
▪ How to detect changes by adversary to message?
▪ Ancient solution: sign and seal
▪ Modern technique: split the message into a message part and an authenticator part ("tag")
▪ How to do this digitally?
▪ Create a tag t(M) and send tag securely
Communication without authentication

[Figure: Alice sends M to Bob with no authentication; Eve can very easily
change the message to M' in transit.]
Integrity Protection with MAC

[Figure: Alice sends M together with MAC(k, M) to Bob; both hold the shared
key k, used to generate and check the authenticated message. Eve, for whom
k and hence the MAC are unknown, cannot forge a valid MAC for a changed
message M'.]

MAC Authentication (I)
▪ MAC allows two or more mutually trusting parties to
authenticate messages sent between members

[Figure: Alice and Bob share key k; Alice sends M with MAC(k, M). Bob
reasons: "Only Alice and me know k, one of us sent M. If I do not send M,
then Alice must have sent it."]
MAC Authentication (II)

[Figure: Alice, Bob, Chris and Doug all share key k; Alice sends M with
MAC(k, M). Bob reasons: "Only Alice, Chris, Doug and me know k, one of us
sent M."]
Integrity with Hash
▪ Can we simply send the hash with the message to serve
message authentication ?
▪ Ans: No, Eve can change the message and recompute the hash.
▪ Using hash needs more appropriate procedure to guarantee
integrity
[Figure: with no shared key, Alice sends M with h(M); Eve forges M' and
computes h(M'), which Bob cannot distinguish from a genuine hash.]
Message Authentication Requirements
Possible Attacks in the context of communication:
▪ Disclosure
▪ Release of message contents to any person or process not
possessing the appropriate cryptographic key.
▪ Traffic analysis
▪ Discovery of the pattern of traffic between parties.
▪ Connection-oriented application
▪ the frequency and duration of connections could be determined.
▪ Connection-oriented or connectionless environment
▪ the number and length of messages between parties could be
determined.
Message Authentication Requirements
Possible Attacks in the context of communication :
▪ Masquerade
▪ Insertion of messages into the network from a fraudulent
source.
▪ Fraudulent acknowledgments of message receipt or
nonreceipt by someone other than the message recipient.
▪ Content modification
▪ Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
▪ Sequence modification
▪ Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
Message Authentication Requirements
Possible Attacks in the context of communication :
▪ Timing modification:
▪ Delay or replay of messages.
▪ Connection-oriented application
▪ an entire session or sequence of messages could be a replay of
some previous valid session, or individual messages in the
sequence could be delayed or replayed.
▪ Connectionless application
▪ an individual message (e.g., datagram) could be delayed or
replayed.

▪ Source repudiation
▪ Denial of transmission of message by source.
▪ Destination repudiation
▪ Denial of receipt of message by destination.
Message Authentication Requirements
• Message authentication mechanism
• some sort of function that produces an authenticator
• a value to be used to authenticate a message.

• Three alternative functions used:


▪ Message encryption
▪ The ciphertext of the entire message serves as its authenticator
▪ Hash functions
▪ A function that maps a message of any length into a fixed length hash
value, which serves as the authenticator
▪ Message Authentication Code (MAC)
• A function of the message and a secret key that produces a fixed-length
value that serves as the authenticator
Message Authentication Functions
1. Message Encryption
▪ Encryption can also provide authentication
▪ Symmetric Message Encryption
▪ If symmetric encryption is used, then:
▪ Receiver knows sender must have created it
▪ Since only sender and receiver know key used
▪ If message has suitable structure, redundancy or a
checksum to detect any changes
Message Authentication Functions
1. Message Encryption
▪ If public-key encryption is used:
▪ Anyone potentially knows public-key
▪ Secrecy and authentication
▪ Sender signs message using their private-key
▪ Then encrypts with recipient's public key
▪ Again, need to recognize corrupted messages
▪ But at cost of two public-key uses on message
Message Authentication Functions
Three alternative functions used:
2. Hash Functions
▪ Condenses arbitrary message to fixed size
h = H(M)
▪ Usually assume hash function is public
▪ Hash used to detect changes to message
▪ Want a cryptographic hash function
▪ Computationally infeasible to find data mapping to
specific hash (one-way property)
▪ Computationally infeasible to find two data to same hash
(collision-free property)
Message Authentication Functions
Three alternative functions used:
2. Hash Functions
▪ The message plus concatenated hash code is
encrypted using symmetric encryption. Since only A
and B share the secret key, the message must have
come from A and has not been altered.
Message Authentication Functions
Three alternative functions used:
2. Hash Functions
▪ Only the hash code is encrypted, using symmetric
encryption. This reduces the processing burden for
those applications not requiring confidentiality.
Message Authentication Functions

Three alternative functions used:


2. Hash Functions
▪ A computes the hash value over the concatenation of
M and S and appends the resulting hash value to M.
▪ Because B possesses S, it can re-compute the hash
value to verify.
▪ Because the secret value itself is not sent, an
opponent cannot modify an intercepted message and
cannot generate a false message.
Message Authentication Functions
Three alternative functions used:
2. Hash Functions
▪ Confidentiality can be added to the approach of (c)
by encrypting the entire message plus the hash code.
Message Authentication Functions
Three alternative functions used:
▪ Message Authentication Code
▪ Known as cryptographic checksum
MAC = C(K, M)
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
▪ Generated by an algorithm that creates a small fixed-sized
block depending on both message and some key
▪ Like encryption though need not be reversible
▪ Appended to message as a signature
▪ Receiver performs same computation on message and
Message Authentication Functions
▪ Message Authentication Code
▪ A small fixed-sized block of data
▪ Generated from message + secret key
▪ MAC = C(K,M)
▪ Appended to message when sent
Message Authentication Functions

If the received MAC matches the calculated MAC, then


▪ The receiver is assured that the message has not been altered. If
an attacker alters the message but does not alter the MAC, then
the receiver’s calculation of the MAC will differ from the
received MAC. Because the attacker is assumed not to know
the secret key, the attacker cannot alter the MAC to correspond
to the alterations in the message.
▪ The receiver is assured that the message is from the alleged
sender. Because no one else knows the secret key, no one else
could prepare a message with a proper MAC.
▪ If the message includes a sequence number, then the receiver
can be assured of the proper sequence because an attacker
cannot successfully alter the sequence number.
Message Authentication Functions
▪ Basic uses of Message Authentication Code
Message Authentication Functions
▪ Basic uses of Message Authentication Code
Message Authentication Functions
▪ If symmetric encryption can be used for authentication,
why use a Message Authentication Code?
▪ Situations where MAC is used
1. Applications in which the same message is broadcast to a
number of destinations.
▪ E.g. notification to users that the network is now unavailable or an
alarm signal in a military control centre.
▪ Cheaper and more reliable to have only one destination
responsible for monitoring authenticity.
▪ Thus, the message must be broadcast in plaintext with an
associated message authentication code.
▪ The responsible system has the secret key and performs
authentication. If a violation occurs, the other destination
systems are alerted by a general alarm.
Message Authentication Functions
▪ Situations where MAC is used
2. Exchange in which one side has a heavy load and cannot
afford the time to decrypt all incoming messages.
3. Authentication of a computer program in plaintext
• The computer program can be executed without having to decrypt it
every time, which would be wasteful of processor resources.
• However, if MAC were attached to the program, it could be
checked whenever assurance was required of the integrity of the
program.
4. Applications that are not concerned with keeping messages secret, but
where it is important to authenticate messages.
HMAC-MAC Based on Hash Function
▪ Hash-based Message Authentication Code
▪ Result of work done on developing a MAC derived from cryptographic
hash functions.
▪ Use cryptographic hash function in combination with a secret key.
▪ HMAC has strong resistance to cryptanalytic attacks because it applies the
hash function twice.
▪ HMAC combines the benefits of hashing and a MAC and is thus more secure
than any other authentication code.
▪ Like any MAC, it is used for both data integrity and authentication.
▪ Digital signatures are similar to HMACs, i.e. both employ a hash function
and a shared key. The difference lies in the keys, i.e. HMACs use a
symmetric key (the same copy on both sides) while signatures use asymmetric
keys (two different keys).
▪ Any hash function can be used
▪ e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
▪ HMAC-MD5, HMAC-SHA1, HMAC-RIPEMD-160, HMAC-Whirlpool
▪ HMAC-SHA1 and HMAC-MD5 are used within the IPsec and TLS protocols
HMAC-MAC Based on Hash Function
▪ Applications
▪ Verification of e-mail address during activation or creation of an account.
▪ Authentication of form data that is sent to the client browser and then
submitted back.
▪ HMACs can be used for the Internet of Things (IoT) because of their low cost.
▪ Whenever there is a need to reset a password, a link that can be used
once is sent without adding server state.
▪ It can take a message of any length and convert it into a fixed-length
message digest. That is, even for a long message the digest will be small,
which saves bandwidth.
HMAC-MAC Based on Hash Function
HMAC-MAC Based on Hash Function
▪ Scheme consists of two nested stages: an inner and an outer hash
▪ K+ is the expanded key K padded with zeros on the left so that the result is b
bits in length
▪ Intermediate result of the first hash is padded to increase the complexity of the next hash
▪ Different "round keys" are generated for each hash
▪ Stage 1: k1 = K+ ⊕ ipad
▪ Stage 2: k2 = K+ ⊕ opad
▪ Ipad : a string of repeated 0x36
▪ 00110110,00110110, . . .,00110110
▪ Opad : is a string of repeated 0x5C
▪ 01011100,01011100, . . .,01011100

HMAC(K,M) = H( (K+⊕opad) | H( (K+ ⊕ ipad)| M) )


HMAC-MAC Based on Hash Function
▪ Working of HMAC
▪ HMACs provides client and server with a shared private key
that is known only to them. The client makes a unique hash
(HMAC) for every request. When the client requests the server,
it hashes the requested data with a private key and sends it as a
part of the request. Both the message and key are hashed in
separate steps making it secure. When the server receives the
request, it makes its own HMAC. Both the HMACs are
compared and if both are equal, the client is considered
legitimate.

▪ The formula for HMAC:

▪ HMAC = hashFunc(secret key + message)


HMAC-MAC Based on Hash Function
1. Select K.
2. If K < b, pad 0's on the left until K is equal to b; K is between
0 and b (0 < K < b).
3. EXOR K with ipad (b bits), producing S1 (b bits).
4. Append S1 with the plain text M.
5. Apply SHA-512 on (S1 || M).
6. Pad the n-bit output until its length is equal to b bits.
7. EXOR K with opad (b bits), producing S2 (b bits).
8. Append S2 with the output of step 5.
9. Apply SHA-512 on the output of step 8 to produce the n-bit hash code.
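An added Python example (not from the slides) that evaluates HMAC(K, M) = H((K+ ⊕ opad) || H((K+ ⊕ ipad) || M)) as written on the earlier slide and checks it against the standard library; key handling follows RFC 2104 (zeros appended to the key up to the block size b, over-long keys hashed first) so the two agree. The second half replays the "Integrity with Hash" scenario: a recomputed plain hash is accepted by the receiver, a tag computed without k is not. Function names and the constructed messages are mine.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha512") -> bytes:
    """HMAC(K, M) = H( (K+ XOR opad) || H( (K+ XOR ipad) || M ) ).
    b is the hash's block size in bytes (128 for SHA-512, 64 for SHA-256);
    K+ is the key zero-padded to b bytes (RFC 2104: zeros appended, and a
    key longer than b bytes is hashed first)."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size
    if len(key) > b:
        key = h(key)
    k_plus = key.ljust(b, b"\x00")
    ipad = bytes([0x36]) * b          # 00110110 repeated
    opad = bytes([0x5C]) * b          # 01011100 repeated
    s1 = bytes(x ^ y for x, y in zip(k_plus, ipad))   # stage 1 "round key"
    s2 = bytes(x ^ y for x, y in zip(k_plus, opad))   # stage 2 "round key"
    inner = h(s1 + msg)               # inner hash over (S1 || M)
    return h(s2 + inner)              # outer hash over (S2 || inner result)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha512") -> bool:
    """Cross-check the formula against hmac.new from the standard library."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


# --- Why a bare hash is not an authenticator (the "Integrity with Hash" slide) ---

def hash_tag(msg: bytes) -> bytes:
    """h(M): anyone can compute this, including someone altering M."""
    return hashlib.sha512(msg).digest()


def receiver_accepts_hash(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(msg), tag)


def receiver_accepts_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many tag bytes matched through timing.
    return hmac.compare_digest(hmac_from_formula(key, msg), tag)


def tamper_demo(key: bytes) -> dict:
    """Constructed scenario: Alice sends M with a tag; Eve, who does not hold
    k, replaces M by M' and recomputes the only tag she can, a plain hash."""
    original = b"transfer 10 to carol"
    forged = b"transfer 1000 to eve"
    return {
        "hash_forgery_accepted": receiver_accepts_hash(forged, hash_tag(forged)),
        "hmac_forgery_accepted": receiver_accepts_hmac(key, forged, hash_tag(forged)),
        "genuine_hmac_accepted": receiver_accepts_hmac(
            key, original, hmac_from_formula(key, original)),
    }
```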
HMAC-MAC Based on Hash Function
Digital Signatures
▪ digital signatures provide the ability to:
▪ verify author, date & time of signature
▪ authenticate message contents
▪ be verified by third parties to resolve disputes
▪ hence include authentication function with
additional capabilities
Digital Signatures

[Figure: user A signs the document with A's private key and transmits it
via the Internet; user B receives the document with the signature attached
and verifies the signature with A's public key stored at the directory.]
Digital Signature Generation & Verification

[Figure: the signer runs the message through the message digest algorithm
(hash function) and encrypts the digest with the private key to form the
signature; message and signature cross the channel; the receiver decrypts
the signature with the public key to obtain the expected digest, computes
the actual digest of the received message, and compares the two.]

Digital Signature Properties
▪ must depend on the message signed
▪ must use information unique to sender
▪ to prevent both forgery and denial
▪ must be relatively easy to produce
▪ must be relatively easy to recognize & verify
▪ be computationally infeasible to forge
▪ with new message for existing digital signature
▪ with fraudulent digital signature for given message
▪ be practical to save digital signature in storage
X.509 Certificate
▪ Digital version of a paper-based passport
▪ Identifies a person/organization uniquely on the
Internet
▪ Binds a user with its public key

Digital Certificate: "I officially approve the relation between the holder
of this certificate (the user) and this particular public key."
X.509 Certificate
▪ Digital Certificate Contents
▪ Version
▪ Certificate Serial Number
▪ Signature Algorithm Identifier
▪ Issuer Name
▪ Validity (Not Before / Not After)
▪ Subject Name
▪ Subject Public Key Information
▪ Issuer Unique Identifier
▪ Subject Unique Identifier
▪ Extensions
▪ Certification Authority's Digital Signature


X.509 Certificate
Field: Description

Version: Identifies the particular version of the X.509 protocol used for this
digital certificate. Currently this field can contain 1, 2 or 3.

Certificate Serial Number: Contains a unique integer number generated by the CA.

Signature Algorithm Identifier: Identifies the algorithm used by the CA to sign
this certificate.

Issuer Name: Identifies the Distinguished Name (DN) of the CA that created and
signed this certificate.

Validity (Not Before / Not After): Contains two date-time values (Not Before and
Not After) which specify the timeframe within which the certificate should be
considered valid. These values generally specify the date and time up to seconds
or milliseconds.

Subject Name: Identifies the Distinguished Name (DN) of the end entity (i.e. the
user or the organization) to whom this certificate refers. This field must
contain an entry unless an alternative name is defined in the Version 3
extensions.

Subject Public Key Information: Contains the subject's public key and the
algorithms related to that key. This field can never be blank.
X.509 Certificate
▪ Certification Authority : Trusted organization that
issues certificates and maintains status information
about certificates.

[Figure: end users deal with a Registration Authority (RA), which in turn
deals with the Certification Authority (CA).]
X.509 Certificate
▪ Registration Authority (RA)
▪ Acts on behalf of a CA & provides following services :
▪ Accepting & verifying registration information about new
users
▪ Generating keys on behalf of the end users
▪ Accepting & authorizing requests for key back ups &
recovery
▪ Accepting & authorizing requests for certificate revocation
X.509 Certificate
▪ Digital Certificate Creation

▪ Key generation
▪ Registration
▪ Verification
▪ Certificate creation
Digital Certificate Request
Digital Certificate Contents
X.509 Certificate
▪ Why to Trust Digital Certificate
▪ Because it is digitally signed by Certification Authority.
▪ How does CA sign a digital certificate :
▪ Calculates a message digest of all fields of the certificate using an
algorithm like MD5 or SHA-1.
▪ Encrypts the digest with its private key
▪ Inserts the calculated digital signature in the certificate.
Creation of CA Signature on Digital Certificate

[Figure: all certificate fields (Version, Certificate Serial Number, Signature
Algorithm Identifier, Issuer Name, Validity, Subject Name, Subject Public Key
Information, Issuer Unique Identifier, Subject Unique Identifier, Extensions)
are fed to the message digest algorithm; the resulting message digest and the
CA's private key go into the digital signature algorithm, and the output is
stored in the certificate as the Certification Authority's Digital Signature.]
Verification of CA Signature on a Certificate
▪ Step 1: all certificate fields (Version through Extensions) are fed to the
message digest algorithm.
▪ Step 2: this produces message digest MD1.
▪ Step 3: the Certification Authority's Digital Signature field is taken from
the certificate.
▪ Step 4: it is de-signed (decrypted) with the CA's public key.
▪ Step 5: this produces message digest MD2.
▪ Step 6: if MD1 = MD2 the certificate is valid and accepted; otherwise it is
invalid and rejected.
X.509 Certificate
▪ Certificate Revocation
▪ Reasons for certificate revocation :
▪ Certificate holder’s private key is compromised – user
initiates revocation process
▪ CA realizes some mistake made while issuing certificate –
CA initiates revocation process
▪ Certificate holder leaves a job and certificate was issued
while he was employed in that job – Employer initiates
revocation process
▪ CA must authenticate Certificate Revocation Requester
before accepting revocation request.
CA Hierarchy (Chain of Trust)
▪ There can be multiple level CAs
▪ Useful for delegation of work

[Figure: a Root CA at the top; beneath it Second Level CAs (A1), (A2), (A3);
beneath those Third Level CAs (B1), (B2), ..., (B10), (B11); end entities
such as Alice (under B1) and Bob (under B11) share the same Root CA.]
Verifying Root CA

▪ Digital Certificate: Issuer Name: ???, Subject Name: Root
▪ Digital Certificate: Issuer Name: Root, Subject Name: A3
▪ Digital Certificate: Issuer Name: A3, Subject Name: B11
▪ Digital Certificate: Issuer Name: B11, Subject Name: Bob

Verifying Root CA
Self – certification :
▪ Root CA signs its own certificate

▪ Digital Certificate: Issuer Name: Root, Subject Name: Root

Cross-Certification of CAs
▪ In some cases, even root CAs can be different
▪ In such cases, they certify each other
▪ Creates a cross level trust

[Figure: the Root CA of Japan and the Root CA of the US are cross-certified;
under them Second Level CAs (A1) and (P1), Third Level CAs (B1), (B2) and
(Q1), (Q2); Alice sits under the Japanese hierarchy and Bob under the US one.]
Certificate Revocation Check Mechanisms

Digital certificate revocation checks:
▪ Offline revocation status checks: Certificate Revocation List (CRL)
▪ Online revocation status checks: Online Certificate Status Protocol (OCSP),
Simple Certificate Validation Protocol (SCVP)
Certification Revocation List (CRL)
▪ File containing a list of invalid certificates
▪ Issued periodically by a CA
Logical View of a CRL :

CA: XYZ
Certificate Revocation List (CRL)
This CRL: 1 Jan 2002, 10:00 am
Next CRL: 12 Jan 2002, 10:00 am

Serial Number   Date        Reason
1234567         30-Dec-01   Private key compromised
2819281         30-Dec-01   Changed job
………
Delta CRL
▪ Reduces the burden of a full CRL
▪ Contains list of revoked certificates since the last
CRL was issued
▪ Better performance

[Figure: Approach 1, issuing the full CRL every time: the first CRL
distribution, CRL Update 1 and CRL Update 2 are each a complete CRL from
CA XYZ. Approach 2, issuing only the delta CRL: a Base CRL is issued once,
and each update carries only a Delta CRL.]
CRL Field Descriptions
Field: Description

Version: Indicates the version of the CRL.

Signature Algorithm Identifier: Identifies the algorithm used by the CA to
sign the CRL (e.g. it could be SHA-1 with RSA, which indicates that the CA
first calculated the message digest of the CRL using the SHA-1 algorithm and
then signed it, i.e. encrypted the message digest with its private key, using
the RSA algorithm).

Issuer Name: Identifies the Distinguished Name (DN) of the CA.

This Update (Date and Time): Contains the date and time value when this CRL
was issued.

Next Update (Date and Time): Contains the date and time value when the next
CRL will be issued.

User Certificate Serial Number: Contains the certificate number of the revoked
certificate. This field repeats for every revoked certificate.

Revocation Date: Contains the revocation date and time of the revoked
certificate. This field repeats for every revoked certificate.

CRL Entry Extensions: Discussed subsequently; these extensions are one per
revoked certificate.

CRL Extensions: Discussed subsequently; these extensions are one per entire CRL.

Signature: Contains the CA signature.

Validating Certificate : Steps
To trust the certificate following checks should be done :
1. Certificate expiry check : Compare the current date
with the validity period of the certificate.
2. Signature check : Check signature of CA on the
certificate.
3. Certificate revocation check : Check the latest
CRL issued by corresponding CA to ensure that
certificate is not already revoked.
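An added Python example tying together the CA signing, signature verification and certificate validation slides: the CA signs a certificate by digesting its fields and applying its private key, the verifier recomputes MD1 and de-signs the signature to obtain MD2, and validate_chain runs the three checks (expiry, CA signature, CRL) along the Root → A3 → B11 → Bob chain of the hierarchy figure. This is not code from the slides; it uses textbook RSA built from fixed Mersenne primes as a stand-in for a real signature scheme (no padding, so for illustration only), and every name, serial, date and key is constructed.

```python
import hashlib
import json

# Toy RSA: textbook signature (no padding) over a SHA-256 digest, with moduli
# built from Mersenne primes so they exceed 2^256. Constructed for illustration;
# real CAs use padded schemes (PKCS#1 v1.5 or PSS) and randomly generated keys.
E = 65537


def make_keypair(p: int, q: int):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def cert_digest(cert: dict) -> int:
    """Message digest over every certificate field except the CA signature."""
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    canonical = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def ca_sign(cert: dict, ca_private) -> dict:
    """CA signing: digest the fields, 'encrypt' the digest with the CA's
    private key and insert the result as the signature field."""
    n, d = ca_private
    return {**cert, "signature": pow(cert_digest(cert), d, n)}


def signature_valid(cert: dict, issuer_public) -> bool:
    """Verification: recompute MD1 from the fields, de-sign the signature with
    the CA's public key to get MD2, and accept only if MD1 == MD2."""
    n, e = issuer_public
    md1 = cert_digest(cert)
    md2 = pow(cert["signature"], e, n)
    return md1 == md2


def make_cert(subject, issuer, public_key, serial, not_before, not_after) -> dict:
    return {"version": 3, "serial": serial, "issuer": issuer, "subject": subject,
            "public_key": list(public_key), "not_before": not_before,
            "not_after": not_after}


def validate_chain(chain, trusted_root, crl, today):
    """The lecture's three checks on every certificate, leaf first up to the
    self-certified root: expiry, CA signature, revocation (CRL lookup by
    serial). Dates are ISO strings, so string comparison is chronological."""
    if chain[-1] != trusted_root:
        return False, "chain does not end at the trusted root"
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # root signs itself
        who = cert["subject"]
        if not (cert["not_before"] <= today <= cert["not_after"]):
            return False, f"{who}: outside validity period"
        if cert["issuer"] != issuer["subject"]:
            return False, f"{who}: issuer name does not match next certificate"
        if not signature_valid(cert, tuple(issuer["public_key"])):
            return False, f"{who}: CA signature does not verify"
        if cert["serial"] in crl:
            return False, f"{who}: serial {cert['serial']} is on the CRL"
    return True, "certificate chain valid"


def build_demo():
    """Constructed chain from the hierarchy figure: Root -> A3 -> B11 -> Bob."""
    keys = {"Root": make_keypair(2**1279 - 1, 2**89 - 1),
            "A3": make_keypair(2**607 - 1, 2**107 - 1),
            "B11": make_keypair(2**521 - 1, 2**127 - 1),
            "Bob": make_keypair(2**61 - 1, 2**31 - 1)}  # Bob signs nothing here
    pub = {k: v[0] for k, v in keys.items()}
    priv = {k: v[1] for k, v in keys.items()}
    root = ca_sign(make_cert("Root", "Root", pub["Root"], 1, "2020-01-01", "2030-01-01"), priv["Root"])
    a3 = ca_sign(make_cert("A3", "Root", pub["A3"], 2, "2021-01-01", "2026-01-01"), priv["Root"])
    b11 = ca_sign(make_cert("B11", "A3", pub["B11"], 3, "2022-01-01", "2025-01-01"), priv["A3"])
    bob = ca_sign(make_cert("Bob", "B11", pub["Bob"], 4, "2023-01-01", "2024-12-31"), priv["B11"])
    return [bob, b11, a3, root]
```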
VeriSign Certificates
• VeriSign provides a certification authority (CA) service that
is intended to be compatible with S/MIME and a variety of
other applications
• Issues X.509 certificates with the product name VeriSign
Digital ID
• At a minimum, each Digital ID contains:
◦ Owner’s public key
◦ Owner’s name or alias
◦ Expiration date of the Digital ID
◦ Serial number of the Digital ID
◦ Name of the certification authority that issued the Digital ID
◦ Digital signature of the certification authority that issued the
Digital ID
One Way Authentication

One Way Authentication: the client authenticates itself to the server; the
server may or may not be authenticated to the client.
▪ Password based Authentication
▪ Certificate based Authentication
Password based One Way Authentication
Communicating the password:
▪ Client sends Login = A, pw = gasd; the server stores a table of Login Name
and Password.
▪ Password is sent in clear.
▪ Password is stored in unencrypted form on the server.
Communicating the hash of the password:
▪ Client sends Login = A, h(pw) = 6364d; the server stores a table of Login
Name and Hash of Password.
▪ Stores hash of password
▪ one way property of hash prevents attacker from deducing
password from information in the password file / transferred
▪ But replay attack is possible.
One Way Authentication using Challenge-Response
Protocol

Challenge Response Protocol


▪ avoids replay attack
▪ verifier i.e. server sends a fresh challenge to the
client
▪ In response client does not send the password but
proves that it knows the password.
▪ Freshness of the challenge avoids replay attacks
One Way Authentication using Challenge-
Response Protocol

(a) 1: A → B: "A";  2: B → A: R;        3: A → B: f(pw, R)
(b) 1: A → B: "A";  2: B → A: R;        3: A → B: h(pw || R)
(c) 1: A → B: "A";  2: B → A: R;        3: A → B: Epw(R)
(d) 1: A → B: "A";  2: B → A: Epw(R);   3: A → B: R

One Way Authentication using Challenge-Response
Protocol
Figure a : 3 message one way protocol
▪ A conveys its identity
▪ Server sends challenge i.e. nonce
▪ Client responds by a chosen function of the challenge
and the password i.e. f(pw, R).
Properties of function f(pw, R) :
▪ Given pw & R, it should be easy to compute f(pw, R).
▪ f must be one way, i.e. knowing f(pw, R) it should be
infeasible to compute pw.
▪ Given R, it should be infeasible to compute f(pw, R)
even if one knows
▪ f(pw, R1), f(pw, R2), f(pw, R3)…
▪ Corresponding R1, R2, …….
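An added Python model of variant (b), f(pw, R) = h(pw || R), with both sides written as functions (not code from the slides): the server issues a fresh nonce per attempt and accepts each challenge only once, and replay_attempt shows a recorded response failing against a new challenge. The Server class and the login/replay helper names are mine; the password "gasd" is the one from the slide.

```python
import hashlib
import hmac
import secrets


def f(pw: bytes, r: bytes) -> bytes:
    """Variant (b) of the figure: the response is h(pw || R)."""
    return hashlib.sha256(pw + r).digest()


class Server:
    """The verifier. Holds each user's password and hands out one fresh nonce
    per login attempt. Note that in this variant the verifier must know pw
    itself in order to recompute f(pw, R)."""

    def __init__(self, passwords: dict):
        self.passwords = dict(passwords)
        self.pending = {}                  # user -> outstanding challenge R

    def challenge(self, user: str) -> bytes:
        r = secrets.token_bytes(16)        # fresh, unpredictable nonce
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        r = self.pending.pop(user, None)   # each challenge is valid exactly once
        pw = self.passwords.get(user)
        if r is None or pw is None:
            return False
        return hmac.compare_digest(response, f(pw, r))


def login(server: Server, user: str, pw: bytes) -> bool:
    """Messages 1-3: identity, challenge, response."""
    r = server.challenge(user)             # 1: "A"     2: R
    return server.verify(user, f(pw, r))   # 3: f(pw, R)


def replay_attempt(server: Server, user: str, recorded: bytes) -> bool:
    """Someone who recorded an earlier response replays it against the next
    challenge; freshness of R makes the recorded value useless."""
    server.challenge(user)
    return server.verify(user, recorded)


def eavesdrop_and_replay(server: Server, user: str, pw: bytes) -> tuple:
    """Constructed run: a genuine login whose response is recorded on the
    wire, followed by a replay of that recorded response."""
    r = server.challenge(user)
    recorded = f(pw, r)
    genuine = server.verify(user, recorded)
    return genuine, replay_attempt(server, user, recorded)
```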
Certificate Based One Way Authentication

(a) 1: A → B: certificate chain;  2: B → A: R;          3: A → B: EA.pr(R)
(b) 1: A → B: certificate chain;  2: B → A: EA.pu(R);   3: A → B: R
Mutual Authentication

Mutual Authentication: both parties authenticate themselves to each other.
▪ Shared Secret- based Authentication
▪ Asymmetric Key-based Authentication
(Authentication using public Key Cryptography)
Mutual Authentication using a shared secret

1: A → B: "A", RA
2: B → A: EK(RA), RB
3: A → B: EK(RB)
(a) Flawed Protocol


Mutual Authentication using a shared secret

1:  C (claiming to be A) → B: "A", RA
2:  B → C: EK(RA), RB
1': C → B: "B", RB
2': B → C: EK(RB), RA
3:  C → B: EK(RB)
(a) Parallel Session / Reflection Attack


Mutual Authentication using a shared secret

1: A → B: "A", RA
2: B → A: EK(RA), EK(RB)
3: A → B: DK(EK(RB)) = RB
(a) Corrected Protocol


Asymmetric Key Based Mutual Authentication

1: A → B: "A", RA, A's Certificate
2: B → A: [RA, RB]B, B's Certificate
3: A → B: [RB]A
(a) Flawed Protocol


Asymmetric Key Based Mutual Authentication

1:  A → C: "A", RA
1': C → B: "A", RA
2': B → C: [RA, RB]B
2:  C → A: [RA, RB]C
3:  A → C: [RB]A
3': C → B: [RB]A
(a) Attack on Flawed Protocol


Asymmetric Key Based Mutual Authentication

1: A → B: "A", RA
2: B → A: ["A", RA, RB]B
3: A → B: ["B", RB]A
(a) Corrected Protocol


Centralized Authentication
Secret key cryptography vs. public key crypto. in authentication :
▪ For public key system, need of digital cert. & PKI increases the
cost to setup & maintain.
▪ Public key operations are relatively slow.
▪ But entity must share a secret key with each other entity.
Centralized Authentication :
▪ Trusted third party functions as Key Distribution Centre.
▪ Each user registers with KDC & chooses a password.
▪ User shares a long term secret (function of password) with KDC
A → KDC: "A", "I wish to communicate with B"
KDC → A: EA{ KAB }
KDC → B: EB{ KAB }
Kerberos

Kerberos
▪ trusted key server system from MIT
▪ provides centralised private-key third-party authentication in
a distributed network
▪ allows users access to services distributed through network
▪ without needing to trust all workstations
▪ rather all trust a central authentication server
▪ two versions in use: 4 & 5
Kerberos
Kerberos Requirements
▪ its first report identified requirements as:
▪ secure
▪ reliable
▪ transparent
▪ scalable
▪ implemented using an authentication protocol based on
Needham-Schroeder
Kerberos
Kerberos v4 Overview
▪ a basic third-party authentication scheme
▪ have an Authentication Server (AS)
▪ users initially negotiate with AS to identify self
▪ AS provides a non-corruptible authentication credential (ticket
granting ticket TGT)
▪ have a Ticket Granting server (TGS)
▪ users subsequently request access to other services from TGS on
basis of users TGT
▪ using a complex protocol using DES
Kerberos
Kerberos v4 Dialogue
Kerberos
Kerberos 4 Overview
Kerberos Realms
a Kerberos environment consists of:
◦ a Kerberos server
◦ a number of clients, all registered with server
◦ application servers, sharing keys with server
this is termed a realm
◦ typically a single administrative domain
if have multiple realms, their Kerberos
servers must share keys and trust
Kerberos Realms
Kerberos
Kerberos Version 5
▪ developed in mid 1990’s
▪ specified as Internet standard RFC 1510
▪ provides improvements over v4
▪ addresses environmental shortcomings
▪ encryption alg, network protocol, byte order, ticket lifetime,
authentication forwarding, interrealm auth
▪ and technical deficiencies
▪ double encryption, non-std mode of use, session keys, password
attacks
Kerberos v5 Dialogue
