Prepared by
Dr. R. Arthy,
Assistant Professor,
Kamaraj College of Engineering and Technology
(Autonomous)
CS8792 - CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT IV
MESSAGE AUTHENTICATION AND
INTEGRITY
Outline
• Authentication requirement
• Authentication function
• MAC
• Hash function
• Security of hash function and MAC
• SHA
• Digital signature and authentication protocols
• DSS
AUTHENTICATION REQUIREMENT
Security Requirements
• Disclosure of message contents
• Traffic analysis (discover the pattern)
• Masquerade (insert a msg from a fraudulent source)
• Content modification
• Sequence modification (insert, delete, reorder)
• Timing modification (delay or replay)
• Source repudiation (denial of a transmission)
• Destination repudiation (denial of a receipt)
AUTHENTICATION FUNCTION
• Message authentication is concerned with:
  - Protecting the integrity of a message
  - Validating the identity of the originator
  - Non-repudiation of origin (dispute resolution)
• Will consider the security requirements
• Then three alternative functions used:
  - Message encryption
  - Message authentication code (MAC)
  - Hash function
Message Authentication
Message Encryption
• Message encryption by itself also provides a measure of authentication.
• If symmetric encryption is used then:
  - The receiver knows the sender must have created it, since only the sender and receiver know the key used
  - The content of the message cannot be altered if the message has a suitable structure, redundancy or a checksum to detect any changes
Message Encryption
• If public-key encryption is used:
  - Encryption provides no confidence of the sender, since anyone potentially knows the public key.
  - However, if the sender signs the message using their private key, then encrypts with the recipient's public key, this provides both secrecy and authentication.
  - Again need to recognize corrupted messages.
  - But at the cost of two public-key uses on the message.
Basic Use of Message Encryption
Confidentiality and Authentication Implications of Message Encryption
Message Authentication Code
MESSAGE AUTHENTICATION CODE
Message Authentication Code (MAC)
• Generated by an algorithm that creates a small fixed-sized block
  - Depending on both the message and some key.
  - Like encryption, though it need not be reversible.
• Appended to the message as a signature.
• The receiver performs the same computation on the message and checks that it matches the MAC.
• Provides assurance that the message is unaltered and comes from the sender.
Message Authentication Code (MAC)
• A message authentication code (MAC), also known as a cryptographic checksum, is an authentication technique that involves the use of a secret key to generate a small fixed-size block of data.
Message Authentication Codes (MACs)
• As shown, the MAC provides authentication, not confidentiality.
• Can also use encryption for secrecy:
  - Generally use separate keys for each.
  - Can compute the MAC either before or after encryption.
  - It is generally regarded as better done before.
• Why use a MAC?
  - Sometimes only authentication is needed.
  - Sometimes authentication needs to persist longer than the encryption (e.g., archival use).
• Note that a MAC is not a digital signature.
MAC Properties
• A MAC is a cryptographic checksum:
    MAC = C_K(M)
• Condenses a variable-length message M
• using a secret key K
• to a fixed-sized authenticator.
• It is a many-to-one function
  - Potentially many messages have the same MAC.
  - Finding these needs to be very difficult.
Requirements for MACs
• Taking into account the types of attacks.
• Need the MAC to satisfy the following:
  1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
  2. MACs should be uniformly distributed.
  3. The MAC should depend equally on all bits of the message.
Message Authentication Code Based on DES
• Can use any block cipher chaining mode and use the final block as a MAC.
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC.
  - Using IV = 0 and zero-pad of the final block.
  - Encrypt the message using DES in CBC mode.
  - Send just the final block as the MAC, or the leftmost M bits (16 ≤ M ≤ 64) of the final block.
• But the final MAC is now too small for security.
Message Authentication Code Based on DES
HASH FUNCTION
Hash Functions
• A hash value h is produced by a function H of the form:
    h = H(M)
• Condenses an arbitrary message to a fixed size; usually assume that the hash function is public and not keyed, as compared to a MAC, which is keyed.
• The hash is used to detect changes to the message.
• Can be used in various ways with the message.
• Most often to create a digital signature.
Hash Functions and Digital Signatures
Basic Use of Hash Function.
Hash Function Properties
• A hash function produces a fingerprint of some file/message/data
    h = H(M)
  - Condenses a variable-length message M to a fixed-sized fingerprint.
• Assumed to be public.
Other Hash Function Uses
• To create a one-way password file
  - Store the hash of the password, not the actual password
• For intrusion detection and virus detection
  - Keep & check hashes of files on the system
• Pseudorandom function (PRF) or pseudorandom number generator (PRNG)
Requirements for Hash Functions
1. Can be applied to any sized message M.
2. Produces fixed-length output h.
3. It is easy to compute h = H(M) for any message M.
4. Given h, it is infeasible to find x with H(x) = h
   • One-way property
5. Given x, it is infeasible to find another y with H(y) = H(x)
   • Weak collision resistance
6. It is infeasible to find any pair x, y with H(y) = H(x)
   • Strong collision resistance
Simple Hash Functions
• Consider two simple insecure hash functions
• Bit-by-bit exclusive-OR (XOR) of every block
  - C_i = b_i1 XOR b_i2 XOR ... XOR b_im
  - A longitudinal redundancy check
  - Reasonably effective as a data integrity check
• One-bit circular shift on the hash value
  - For each successive n-bit block, rotate the current hash value left by 1 bit and XOR in the block
  - Good for data integrity but useless for security
Simple Hash Function Using Bitwise XOR
            Bit 1   Bit 2   …   Bit n
Block 1     b11     b21     …   bn1
Block 2     b12     b22     …   bn2
…           …       …       …   …
Block m     b1m     b2m     …   bnm
Hash Code   C1      C2      …   Cn
Two Simple Hash Functions
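The two simple hash functions just described, as an added example that is not part of the original slides: the XOR (longitudinal redundancy check) hash and the rotate-then-XOR hash over 32-bit blocks (the block size is an assumption for the demo), together with a check that shows the difference between catching an accidental bit error and resisting a deliberate change. The sample message is constructed.

```python
from typing import List

# Added example (not from the slides): the two simple hash functions from the
# slide, over n-bit blocks, plus a check that shows why neither resists a
# deliberate modification even though both catch accidental corruption.
BLOCK_BYTES = 4                     # assumption for the demo: n = 32-bit blocks
BITS = BLOCK_BYTES * 8
MASK = (1 << BITS) - 1


def _blocks(data: bytes) -> List[int]:
    """Split data into n-bit blocks, zero-padding the final block."""
    data = data + b"\x00" * ((-len(data)) % BLOCK_BYTES)
    return [int.from_bytes(data[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(data), BLOCK_BYTES)]


def xor_hash(data: bytes) -> int:
    """Bit-by-bit XOR of every block: the longitudinal redundancy check."""
    h = 0
    for block in _blocks(data):
        h ^= block
    return h


def rotxor_hash(data: bytes) -> int:
    """Rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for block in _blocks(data):
        h = ((h << 1) | (h >> (BITS - 1))) & MASK
        h ^= block
    return h


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit flipped; bit 0 is the most significant bit of byte 0.
    Models a single transmission error."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(out)


def xor_hash_preserving_change(data: bytes) -> bytes:
    """Alter two blocks so that xor_hash is unchanged: flipping the same bit
    position in two different blocks cancels out under XOR. This is what
    'useless for security' means: integrity checks catch noise, not intent."""
    return flip_bit(flip_bit(data, 0), BITS)


def rotxor_hash_preserving_change(data: bytes) -> bytes:
    """Same idea for the rotated variant: the MSB of block 1 is rotated into the
    LSB position before block 2 is mixed in, so flip MSB of block 1 and LSB of block 2."""
    return flip_bit(flip_bit(data, 0), BITS + BITS - 1)


SAMPLE = b"pay 100 units to account 42"   # constructed sample message (several blocks)
```

Both functions detect the single flipped bit, which is all a data-integrity check needs; the two `*_preserving_change` helpers show that an adversary who can choose the modification has no difficulty keeping the hash value the same, so neither function provides the weak collision resistance listed in the requirements above.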
Requirements for Hash Functions
• Have brute-force attacks and cryptanalysis
• A preimage or second preimage attack
  - Find y such that H(y) equals a given hash value
• Collision resistance
  - Find two messages x and y with the same hash, so that H(x) = H(y)
• Hence the value 2^(m/2) determines the strength of an m-bit hash code against brute-force attacks
• 128 bits inadequate, 160 bits suspect
Attack on Hash Function
Birthday Attacks
• Might think a 64-bit hash is secure, but by the Birthday Paradox it is not
• The birthday attack works thus:
  - Given a user prepared to sign a valid message x
  - The opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and saves them
  - The opponent generates 2^(m/2) variations y' of a desired fraudulent message y
  - The two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox)
  - Have the user sign the valid message, then substitute the forgery, which will have a valid signature
• The conclusion is that a larger MAC/hash needs to be used
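To make the 2^(m/2) figure concrete, here is an added example (not part of the original slides) that runs the search above against a deliberately short m-bit hash, modelled as the leading m bits of SHA-256 (an assumption for the demo). The two sentences are constructed; "variations with the same meaning" are produced by choosing one or two spaces after each word, which a reader does not notice but which changes the bytes. The point for a defender is the measured cost: a few thousand hash evaluations, not the 2^m that a preimage would need.

```python
import hashlib

# Added example (not from the slides): measure the birthday attack's cost on a
# short m-bit hash, modelled as the leading m bits of SHA-256.
M_BITS = 24   # assumption for the demo; real digests are far longer

# Constructed sample sentences, 25 words each, so 2^24 distinct spacing
# "variations" with the same meaning exist for each.
VALID_WORDS = ("I hereby agree to pay the invoice of one hundred units on the "
               "first day of next month to the supplier named above in full").split()
FRAUD_WORDS = ("I hereby agree to pay the invoice of nine thousand units on the "
               "first day of next month to the supplier named above in full").split()


def truncated_hash(msg: bytes, m_bits: int = M_BITS) -> int:
    """m-bit hash: the leading m bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - m_bits)


def variant(words, i: int) -> bytes:
    """Variation number i of a sentence: bit j of i decides whether word j is
    followed by one space or two. The text reads the same; the bytes differ."""
    return "".join(w + ("  " if (i >> j) & 1 else " ")
                   for j, w in enumerate(words)).rstrip().encode()


def birthday_collision(valid_words, fraud_words, m_bits: int = M_BITS):
    """Generate variations of both messages side by side until some x' and y'
    share a hash. Returns (x', y', variations generated per message)."""
    seen_valid, seen_fraud = {}, {}
    limit = 1 << min(len(valid_words), len(fraud_words))
    for i in range(limit):
        x, y = variant(valid_words, i), variant(fraud_words, i)
        hx, hy = truncated_hash(x, m_bits), truncated_hash(y, m_bits)
        if hx == hy:
            return x, y, i + 1
        if hx in seen_fraud:
            return x, seen_fraud[hx], i + 1
        if hy in seen_valid:
            return seen_valid[hy], y, i + 1
        seen_valid[hx], seen_fraud[hy] = x, y
    return None


def expected_cost(m_bits: int) -> int:
    """Birthday bound 2^(m/2), versus 2^m for a brute-force second preimage."""
    return 1 << (m_bits // 2)
```

The search is deterministic, so the count it returns can be compared directly with `expected_cost(M_BITS)`; it lands within a small multiple of 2^12 rather than anywhere near 2^24, which is why the slide concludes that the digest length, not the attacker's cleverness, sets the security level.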
General Structure of Secure Hash Code
• Cryptanalytic attacks exploit some property of the algorithm so are faster than exhaustive search
• Hash functions use an iterative structure
  - Process the message in blocks (including the length)
• Attacks focus on collisions in the function f
Block Ciphers as Hash Functions
• Can use block ciphers as hash functions
  - Using H_0 = 0 and zero-pad of the final block
  - Compute: H_i = E(M_i, H_{i-1}) (encrypt the previous hash value using the message block as the key)
  - Use the final block as the hash value
  - Similar to CBC but without a key
• The resulting hash is too small (64-bit)
  - Due to a direct birthday attack
  - Due to a "meet-in-the-middle" attack
• Other variants are also susceptible to attack
Hash Functions and MAC Security
• Brute-force attacks exploiting:
  - Strong collision resistance: an m-bit hash has cost 2^(m/2).
  - Have a proposal for a hardware MD5 cracker.
  - A 128-bit hash looks vulnerable, 160 bits is better.
  - MACs with known message-MAC pairs
  - Can either attack the keyspace (key search) or the MAC.
  - At least a 128-bit MAC is needed for security.
• Cryptanalytic attacks exploit structure
  - Like block ciphers, want brute-force attacks to be the best alternative.
• Have a number of analytic attacks on iterated hash functions
    CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
  - Typically focus on collisions in the function f.
  - Like block ciphers, f is often composed of rounds.
  - Attacks exploit properties of the round functions.
Hash Functions and MAC Security
MD5 ALGORITHM
MD5
• Designed by Ronald Rivest (the "R" in RSA)
• Latest in a series of MD2, MD4
• Produces a 128-bit hash value
• Until recently was the most widely used hash algorithm
• In recent times have both brute-force & cryptanalytic concerns
• Specified as Internet standard RFC 1321
MD5 Overview
1. Pad the message so its length is 448 mod 512
2. Append a 64-bit length value to the message
3. Initialise a 4-word (128-bit) MD buffer (A, B, C, D)
4. Process the message in 16-word (512-bit) blocks:
   - using 4 rounds of 16 steps each on the message block & buffer
   - add the output to the buffer input to form the new buffer value
5. The output hash value is the final buffer value
MD5 Overview
Implementation Steps
• Step 1: Append padding bits
  - The message is padded so that its bit length ≡ 448 mod 512 (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits)
  - Padding is always added, even if the message is already of the desired length (1 to 512 bits)
  - Padding bits: 1000…0 (a single 1-bit followed by the necessary number of 0-bits)
Implementation Steps
• Step 2: Append length
  - A 64-bit length field contains the length of the original message modulo 2^64
  - The expanded message is Y_0, Y_1, …, Y_{L-1}; the total length is L × 512 bits
  - The expanded message can be thought of as a multiple of 16 32-bit words
  - Let M[0 … N-1] denote the words of the resulting message, where N = L × 16
Implementation Steps
• Step 3: Initialize MD buffer
  - A 128-bit buffer (four 32-bit registers A, B, C, D) is used to hold intermediate and final results of the hash function
  - A, B, C, D are initialized to the following values
      A = 67452301
      B = EFCDAB89
      C = 98BADCFE
      D = 10325476
  - Stored in little-endian format (least significant byte of a word in the low-address byte position)
      word A : 01 23 45 67 (low address … high address)
      word B : 89 AB CD EF
      word C : FE DC BA 98
      word D : 76 54 32 10
Implementation Steps
• Step 4: Process message in 512-bit (16-word) blocks
  - The heart of the algorithm, called a compression function, consists of 4 rounds
  - The 4 rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H, and I
  - Each round takes as input the current 512-bit block (Y_q) and the 128-bit buffer value ABCD, and updates the contents of the buffer
  - Each round also uses the table T[1 … 64], constructed from the sine function: T[i] = 2^32 × abs(sin(i))
  - The output of the 4th round is added to CV_q to produce CV_{q+1}
Implementation Steps
• Step 5: Output
  - After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest
      CV_0 = IV
      CV_{q+1} = SUM32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
      MD = CV_L
  where
  - IV = initial value of the ABCD buffer, defined in step 3
  - Y_q = the qth 512-bit block of the message
  - L = the number of blocks in the message (including padding and length fields)
  - CV_q = chaining variable processed with the qth block of the message
  - RF_x = round function using primitive logical function x
  - MD = final message digest value
  - SUM32 = addition modulo 2^32 performed separately on each word
MD5 Compression Function
• Each round consists of a sequence of 16 steps operating on the buffer ABCD
• Each step is of the form
      a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
  where
  - a, b, c, d = the 4 words of the buffer, in a specified order that varies across steps
  - g = one of the primitive functions F, G, H, I
  - <<< s = circular left shift (rotation) of the 32-bit argument by s bits
  - X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the message
  - T[i] = the ith 32-bit word in table T
  - + = addition modulo 2^32
MD5 Compression Function
MD5 Operation
• One of the 4 primitive logical functions is used in each of the 4 rounds of the algorithm
• Each primitive function takes three 32-bit words as input and produces a 32-bit word output
• Each function performs a set of bitwise logical operations
MD4
• Precursor to MD5
• Also produces a 128-bit hash of the message
• Has 3 rounds of 16 steps versus 4 in MD5
• Design goals:
  - Collision resistant (hard to find collisions)
  - Direct security (no dependence on "hard" problems)
  - Fast, simple, compact
  - Favors little-endian systems (e.g. PCs)
Strength of MD5
• The MD5 hash is dependent on all message bits
• Rivest claims security is as good as can be
• Known attacks are:
  - Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
  - Boer & Bosselaers 93 found a pseudo-collision (again unable to extend)
  - Dobbertin 96 created collisions on the MD compression function (but the initial constants prevent exploit)
• The conclusion is that MD5 looks vulnerable soon
SHA
Overview
• Developed by NIST (National Institute of Standards and Technology)
• Published as FIPS 180 in 1993
• A revised version was issued as FIPS 180-1 in 1995
• Generally referred to as SHA-1
• SHA is based on the hash function MD4 and its design closely models MD4.
• SHA-1 produces a hash value of 160 bits.
• A revised version of the standard, FIPS 180-2, defined three new versions of SHA, with hash value lengths of 256, 384 and 512 bits, known as SHA-256, SHA-384 and SHA-512.
SHA Overview
1. pad message so its length is 896 mod 1024
2. append a 128-bit length value to message
3. initialise 8-word (512-bit) buffer (A,B,C,D,E,F,G,H)
4. process message in 128-word (1024-bit) chunks
5. output hash value is the final buffer value
Overview
Implementation Steps
• Step 1: Append padding bits
  - The message is padded so that its bit length is congruent to 896 modulo 1024 [length K ≡ 896 mod 1024]
  - Padding is always added, even if the message is already of the desired length.
  - Thus, the number of padding bits is in the range of 1 to 1024.
  - The padding consists of a single 1-bit followed by the necessary number of 0-bits.
Implementation Steps
• Step 2: Append length
  - A block of 128 bits is appended to the message.
  - This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).
  - The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length.
  - In the figure, the expanded message is represented as the sequence of 1024-bit blocks M_1, M_2, …, M_N, so that the total length of the expanded message is N × 1024 bits.
Implementation Steps
• Step 3: Initialize hash buffer
  - A 512-bit buffer is used to hold intermediate and final results of the hash function.
  - The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and h).
  - These registers are initialized to the following 64-bit integers (hexadecimal values):
  - These values are stored in big-endian format, which is the most significant byte of a word in the low-address (leftmost) byte position.
  - These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.
Implementation Steps
• Step 4: Process message in 1024-bit (128-word) blocks
  - The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in the figure above.
  - Each round takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer.
  - At input to the first round, the buffer has the value of the intermediate hash value, H_{i-1}.
  - Each round t makes use of a 64-bit value W_t, derived from the current 1024-bit block being processed (M_i).
  - Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 rounds.
  - The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i. The addition is done independently for each of the eight words in the buffer with each of the corresponding words in H_{i-1}, using addition modulo 2^64.
Implementation Steps
• Step 5: Output
  - After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
      H_0 = IV
      H_i = SUM64(H_{i-1}, abcdefgh_i)
      MD = H_N
  where
  - IV = initial value of the abcdefgh buffer, defined in step 3.
  - abcdefgh_i = the output of the last round of processing of the ith message block.
  - N = the number of blocks in the message (including padding and length fields).
  - SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs.
  - MD = final message digest value.
Compression Function
Generation of Input Sequence
HMAC
HMAC Design Principles
• To use, without modifications, available hash functions. In particular, to use hash functions that perform well in software and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.
Algorithm
• HMAC defines the following terms:
  - H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
  - IV = initial value input to the hash function
  - M = message input to HMAC (including the padding specified in the embedded hash function)
  - Y_i = ith block of M, 0 ≤ i ≤ (L - 1)
  - L = number of blocks in M
  - b = number of bits in a block
  - n = length of the hash code produced by the embedded hash function
  - K = secret key; recommended length is ≥ n; if the key length is greater than b, the key is input to the hash function to produce an n-bit key
  - K+ = K padded with zeros on the left so that the result is b bits in length
  - ipad = 00110110 (36 in hexadecimal) repeated b/8 times
  - opad = 01011100 (5C in hexadecimal) repeated b/8 times
Algorithm
• The algorithm is as follows:
  1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512, then K will be appended with 44 zero bytes).
  2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block S_i.
  3. Append M to S_i.
  4. Apply H to the stream generated in step 3.
  5. XOR K+ with opad to produce the b-bit block S_o.
  6. Append the hash result from step 4 to S_o.
  7. Apply H to the stream generated in step 6 and output the result.
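The seven steps assembled into working code, as an added example that is not part of the original slides: HMAC built from the definitions above with `hashlib` as the embedded hash H, cross-checked against Python's `hmac` module, plus the receiver-side check a practitioner actually needs (a constant-time comparison of the tag). One caveat on step 1: RFC 2104 places the zero padding after K, i.e. on the right, so that K occupies the leading bytes of the b-bit block; the "left end" wording above follows the textbook, and the code below pads on the right, which is what the standard library does too. The key is constructed.

```python
import hashlib
import hmac

# Added example (not from the slides): HMAC from the seven steps, using hashlib
# as the embedded hash H, checked against Python's hmac module.
KEY = b"constructed-demo-key"   # constructed; a real key is random and at least n bits


def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    H = lambda data: hashlib.new(hash_name, data).digest()
    b_bytes = hashlib.new(hash_name).block_size      # b/8: 64 for SHA-256, 128 for SHA-512
    if len(key) > b_bytes:                           # a key longer than b bits is first hashed to n bits
        key = H(key)
    # Step 1: K+ is K zero-padded to b bits. RFC 2104 pads on the right (after K).
    k_plus = key + b"\x00" * (b_bytes - len(key))
    ipad = bytes([0x36]) * b_bytes
    opad = bytes([0x5C]) * b_bytes
    s_i = bytes(x ^ y for x, y in zip(k_plus, ipad))  # step 2
    inner = H(s_i + message)                          # steps 3-4
    s_o = bytes(x ^ y for x, y in zip(k_plus, opad))  # step 5
    return H(s_o + inner)                             # steps 6-7


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time, so that
    the comparison's timing does not reveal how many leading bytes matched."""
    return hmac.compare_digest(hmac_from_steps(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard library's HMAC."""
    return hmac_from_steps(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```

The "replaceability of the embedded hash function" design principle is visible in the code: only `hash_name` changes between HMAC-SHA-256 and HMAC-SHA-512, and the block size b is read from the hash object rather than hard-coded.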
CMAC
DIGITAL SIGNATURE STANDARD
Elgamal Digital Signature
Schnorr Digital Signature
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 14
Entity Authentication
14-1 INTRODUCTION
Entity authentication is a technique designed to let one
party prove the identity of another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called
the claimant; the party that tries to prove the identity
of the claimant is called the verifier.
14.1.1 Data-Origin Versus Entity Authentication
Message Authentication                              Entity Authentication
Does not happen in real time                        Happens in real time
Authenticates one message and is repeated           Authenticates the claimant for the
for each new message                                entire duration of a session
14.1.2 Verification Categories
Something known
Something possessed
Something inherent
14-2 PASSWORDS
Password-based authentication, where the password is
something that the claimant knows.
Two Groups
Fixed password
One-time password
14.2.1 Fixed Password
First Approach
Figure 14.1 User ID
and password file
Attacks on the first approach
Eavesdropping
Stealing a password
Accessing a password file
Guessing
Second Approach
[contd…]
Figure 14.2 Hashing
the password
Dictionary attack
Create a list of passwords, calculate their hash values, and search the second-column entries to find a match.
Third Approach
[contd…]
Figure 14.3 Salting
the password
When the password is created, a random string, called
the salt, is concatenated to the password. The salted
password is then hashed.
The Unix OS uses a variation of this method.
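The second and third approaches side by side, as an added example that is not part of the original slides: an unsalted entry (hash of the password alone) next to a salted entry, and the dictionary attack from Figure 14.2 run against the unsalted form. The salted form uses PBKDF2-HMAC-SHA-256 from `hashlib`, a deliberately slow hash, rather than a single SHA-256; that choice, the iteration count and the word list are assumptions of the demo. Passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example (not from the slides): plain hash (second approach) beside
# salt + slow hash (third approach). The word list and passwords are constructed.
ITERATIONS = 100_000   # assumption: PBKDF2 work factor for the demo


def unsalted_entry(password: str) -> str:
    """Second approach: hash the password alone. Equal passwords give equal entries,
    so one precomputed table answers every user in the file."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Third approach: a random per-user salt is combined with the password and
    the result is hashed; the file stores (salt, hash)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    _, digest = salted_entry(password, salt)
    return hmac.compare_digest(digest, stored)


WORD_LIST = ["password", "123456", "hunter2", "letmein"]   # constructed dictionary


def dictionary_lookup(entry: str, word_list=WORD_LIST) -> Optional[str]:
    """The slide's dictionary attack on an unsalted file: hash every word once,
    then match the stored entries against the table."""
    table = {unsalted_entry(w): w for w in word_list}
    return table.get(entry)
```

With the salt, two users who chose the same password get different entries, so the attacker's table would have to be rebuilt per salt value; with the slow hash, each rebuild costs `ITERATIONS` hash calls per candidate word instead of one.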
Fourth Approach
• Two identification techniques are combined.
• A good example of this type of authentication is the use of
an ATM card (something possessed) with a PIN (personal
identification number) (something known).
[contd…]
14.2.2 One-Time Password
• A one-time password is a password that is used only once.
• In the first approach, the user and the system agree upon a list of passwords.
• In the second approach, the user and the system agree to sequentially update the password.
• In the third approach, the user and the system create a sequentially updated password using a hash function.
[contd…]
Figure 14.4 The third approach: Lamport one-time password
• Alice and Bob agree upon an original password P0 and a counter n.
• The system stores the identity of Alice, the value of n and the hash.
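The third approach (Lamport's hash chain) in working code, as an added example that is not part of the original slides. The system stores only h^n(P0) next to Alice's identity and the counter; at each login Alice sends the next value down the chain, h^(n-1)(P0), and the system accepts it if one more application of h reproduces what it stored. SHA-256 is used as h and P0 is constructed; both are assumptions of the demo.

```python
import hashlib
import hmac

# Added example (not from the slides): Lamport one-time passwords.
# Alice keeps P0 and the counter n; the system stores only h^n(P0).


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_power(p0: bytes, k: int) -> bytes:
    """h applied k times to P0."""
    v = p0
    for _ in range(k):
        v = h(v)
    return v


class LamportSystem:
    """Verifier side of Figure 14.4: stores (identity, n, h^n(P0))."""

    def __init__(self, identity: str, n: int, h_n: bytes):
        self.identity, self.n, self.stored = identity, n, h_n

    def login(self, identity: str, candidate: bytes) -> bool:
        if identity != self.identity or self.n == 0:      # chain exhausted: re-enrol
            return False
        if not hmac.compare_digest(h(candidate), self.stored):
            return False
        self.stored, self.n = candidate, self.n - 1      # accept; move one step down the chain
        return True


class LamportUser:
    """Claimant side: each login sends h^(n-1)(P0) and decrements n."""

    def __init__(self, p0: bytes, n: int):
        self.p0, self.n = p0, n

    def next_password(self) -> bytes:
        self.n -= 1
        return h_power(self.p0, self.n)


def enrol(identity: str, p0: bytes, n: int):
    """Set-up: the user keeps P0 and n, the system receives only h^n(P0)."""
    return LamportUser(p0, n), LamportSystem(identity, n, h_power(p0, n))
```

A password captured by an eavesdropper is useless afterwards: the system now stores that very value, and h of it no longer matches. An older chain value is rejected for the same reason, which the test checks.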
14-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her
identity by demonstrating that she knows a secret,
the password.
In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier.
[contd…]
Note
The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
14.3.1 Using a Symmetric-Key Cipher
First Approach
Figure 14.5 Nonce challenge
1. ID of claimant
2. The challenge: RB is the nonce randomly chosen by Bob to challenge Alice
3. Alice encrypts the nonce using the shared secret key known only to Alice and Bob. Bob decrypts the message and checks whether the nonce obtained from decryption is the same as the one he sent.
Second Approach
[contd...]
Figure 14.6 Timestamp challenge
The challenge message is the current time, sent from the verifier to the claimant.
The claimant encrypts Alice's ID and the time with the Alice-Bob secret key.
Third Approach.
[contd…]
Figure 14.7 Bidirectional authentication
1. Alice's ID
2. The challenge from Bob to Alice, RB
3. Alice responds and sends her challenge RA
4. Bob's response. RA and RB are switched to prevent a replay attack.
14.3.2 Using Keyed-Hash Functions
Figure 14.8 Keyed-hash function
1. The challenge message is the current time sent from the
verifier to the claimant.
2. The timestamp is sent both as plaintext and as text scrambled
by the keyed-hash function.
3. Bob compares his calculation with what he received.
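The bidirectional exchange of Figure 14.7 carried out with the keyed-hash function of Figure 14.8 instead of a cipher, as an added example that is not part of the original slides. Both sides' messages are shown: Bob challenges with a nonce RB, Alice answers with her own nonce RA and a keyed hash over (ID, RB, RA), and Bob replies with a keyed hash over (RA, RB), the switched order that stops a replay. HMAC-SHA-256 is the keyed hash, and each challenge is consumed on first use; the shared key is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example (not from the slides): bidirectional challenge-response with a
# keyed hash (HMAC-SHA-256). The shared key is constructed for the demo.
KEY = b"constructed-alice-bob-shared-key"


def tag(key: bytes, *fields: bytes) -> bytes:
    """Keyed hash over length-prefixed fields, so (id, RB, RA) cannot be
    re-split into different fields that hash the same way."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Bob:
    """Verifier: sends RB (step 2), checks Alice's response and answers with
    RA and RB switched (step 4)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: Dict[bytes, bytes] = {}

    def challenge(self, alice_id: bytes) -> bytes:
        rb = os.urandom(16)
        self.pending[alice_id] = rb
        return rb

    def respond(self, alice_id: bytes, ra: bytes, response: bytes) -> Optional[bytes]:
        rb = self.pending.pop(alice_id, None)            # each RB is usable once
        if rb is None:
            return None
        if not hmac.compare_digest(tag(self.key, alice_id, rb, ra), response):
            return None
        return tag(self.key, b"Bob", ra, rb)              # RA and RB switched


class Alice:
    """Claimant: answers RB with her own RA and a keyed hash (step 3), then
    checks Bob's reply."""

    def __init__(self, key: bytes):
        self.key, self.identity = key, b"Alice"

    def respond(self, rb: bytes) -> Tuple[bytes, bytes]:
        ra = os.urandom(16)
        return ra, tag(self.key, self.identity, rb, ra)

    def check_bob(self, ra: bytes, rb: bytes, response: Optional[bytes]) -> bool:
        return response is not None and hmac.compare_digest(tag(self.key, b"Bob", ra, rb), response)


def run_protocol(alice: Alice, bob: Bob) -> bool:
    """Full exchange; True when both sides accept each other."""
    rb = bob.challenge(alice.identity)                    # steps 1-2
    ra, resp_a = alice.respond(rb)                        # step 3
    resp_b = bob.respond(alice.identity, ra, resp_a)      # step 4
    return alice.check_bob(ra, rb, resp_b)
```

Because Bob's tag covers (RA, RB) and Alice's covers (ID, RB, RA), neither message can be reflected back as the other, and because a challenge is removed from `pending` once answered, a recorded response is rejected the second time around.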
14.3.3 Using an Asymmetric-Key Cipher
First Approach
Figure 14.9 Unidirectional, asymmetric-key authentication
Ownership of claimant’s private key
Second Approach
[contd…]
Figure 14.10 Bidirectional, asymmetric-key
14.3.4 Using Digital Signature
First Approach
Figure 14.11 Digital signature, unidirectional
Ownership of claimant’s private key
Second Approach
[contd…]
Figure 14.12 Digital signature, bidirectional authentication
14-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does not
reveal anything that might endanger the
confidentiality of the secret.
The claimant proves to the verifier that she knows a
secret, without revealing it.
The interactions are so designed that they cannot lead to
revealing or guessing the secret.
14.4.1 Fiat-Shamir Protocol
Figure 14.13 Fiat-Shamir protocol
[Figure 14.13 diagram not recoverable from the extracted slide text; only the symbols c, x, v, s, r, y and the squaring survive.]
y is computed from the private key s and the challenge c.
xv is computed from the public key v of Alice.
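One run of the Fiat-Shamir protocol, as an added example that is not part of the original slides, with deliberately small constructed parameters (a real modulus is the product of two large primes). Alice's private key is s and her public key is v = s^2 mod n; per round she commits x = r^2 mod n, Bob sends a challenge bit c, she answers y = r·s^c mod n, and Bob checks y^2 = x·v^c mod n. The second part measures the soundness error the cave example describes: a prover who does not know s can prepare for only one guessed value of c, so she passes a round with probability 1/2.

```python
import random
from math import gcd

# Added example (not from the slides): Fiat-Shamir with small constructed
# parameters. P, Q are far too small for real use; they only make the arithmetic visible.
P, Q = 1009, 1013
N = P * Q


def keygen(rng: random.Random):
    """Alice's private key s (coprime to n) and public key v = s^2 mod n."""
    while True:
        s = rng.randrange(2, N)
        if gcd(s, N) == 1:
            return s, pow(s, 2, N)


def commit(rng: random.Random):
    """Alice picks a random r and sends x = r^2 mod n."""
    r = rng.randrange(1, N)
    return r, pow(r, 2, N)


def respond(r: int, s: int, c: int) -> int:
    """Alice's response to the challenge bit c: y = r s^c mod n."""
    return (r * pow(s, c, N)) % N


def verify(x: int, v: int, c: int, y: int) -> bool:
    """Bob checks y^2 = x v^c mod n."""
    return pow(y, 2, N) == (x * pow(v, c, N)) % N


def honest_session(s: int, v: int, rounds: int, rng: random.Random) -> bool:
    """Repeat the round `rounds` times; every round must verify."""
    for _ in range(rounds):
        r, x = commit(rng)
        c = rng.randrange(2)
        if not verify(x, v, c, respond(r, s, c)):
            return False
    return True


def prover_without_secret_round(v: int, rng: random.Random) -> bool:
    """Soundness: without s, a prover can only guess the challenge in advance.
    Guessing c' = 1 she commits x = r^2 v^-1 and answers y = r, which verifies
    only when Bob actually sends c = 1; guessing c' = 0 she commits r^2 and
    passes only when c = 0. Either way one round passes with probability 1/2."""
    guess, r = rng.randrange(2), rng.randrange(1, N)
    x = (pow(r, 2, N) * pow(pow(v, -1, N), guess, N)) % N
    c = rng.randrange(2)
    return verify(x, v, c, r)


def soundness_estimate(v: int, trials: int, rng: random.Random) -> float:
    """Fraction of single rounds a prover without the secret gets through."""
    return sum(prover_without_secret_round(v, rng) for _ in range(trials)) / trials
```

Twenty rounds leave a prover without the secret a 2^-20 chance, which is why the game in the cave "will be repeated many times"; the honest prover never fails, and nothing Bob receives (x, y) lets him recover s.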
Cave Example
[contd…]
Figure 14.14 Cave example
The door can only be opened with a magic word. Alice claims that she knows the word and that she can open the door. Bob and Alice are at point 1. Alice enters the cave and reaches point 2.
1. Alice chooses to go either right or left. After Alice disappears, Bob comes to point 2 and asks Alice to come up from either the right or the left.
2. If Alice knows the magic word, she will come up from the right direction. If she does not know the word, she comes up from the right direction with probability ½.
3. The game will be repeated many times.
14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol
[Figure 14.15 diagram not recoverable from the extracted slide text; only the symbol names x, v, s, r, y, k and c survive.]
14.4.3 Guillou-Quisquater Protocol
Figure 14.16 Guillou-Quisquater protocol
[Figure 14.16 diagram not recoverable from the extracted slide text; only the symbol names x, v, s, r, y, c and e survive.]
14-5 BIOMETRICS
Biometrics is the measurement of physiological or
behavioral features that identify a person
(authentication by something inherent).
Biometrics measures features that cannot be guessed,
stolen, or shared.
14.5.1 Components
Capturing devices
Processors
Storage devices
14.5.2 Enrollment
The corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
14.5.3 Authentication
Verification
Identification
14.5.4 Techniques
Figure 14.17 Techniques
USER AUTHENTICATION
User Authentication
• Fundamental security building block
  - Basis of access control & user accountability
• Is the process of verifying an identity claimed by or for a system entity
• Has two steps:
  - Identification - specify identifier
  - Verification - bind entity (person) and identifier
• Distinct from message authentication
Means of User Authentication
• Four means of authenticating a user's identity
• Based on something the individual
  - Knows - e.g. password, PIN
  - Possesses - e.g. key, token, smartcard
  - Is (static biometrics) - e.g. fingerprint, retina
  - Does (dynamic biometrics) - e.g. voice, sign
• Can use alone or combined
• All can provide user authentication
• All have issues
Authentication Protocols
• Used to convince parties of each other's identity and to exchange session keys
• May be one-way or mutual
• Key issues are
  - Confidentiality - to protect session keys
  - Timeliness - to prevent replay attacks
Replay Attacks
• Where a valid signed message is copied and later resent
  - Simple replay
  - Repetition that can be logged
  - Repetition that cannot be detected
  - Backward replay without modification
• Countermeasures include
  - Use of sequence numbers (generally impractical)
  - Timestamps (needs synchronized clocks)
  - Challenge/response (using a unique nonce)
One-Way Authentication
• Required when sender & receiver are not in communication at the same time (e.g. email)
• Have the header in clear so it can be delivered by the email system
• May want the contents of the body protected & the sender authenticated
Using Symmetric Encryption
• As discussed previously, can use a two-level hierarchy of keys
• Usually with a trusted key distribution center (KDC)
  - Each party shares its own master key with the KDC
  - The KDC generates session keys used for connections between parties
  - Master keys are used to distribute these to them
Needham-Schroeder Protocol
• Original third-party key distribution protocol
• For a session between A and B mediated by the KDC
• Protocol overview is:
1. A -> KDC: IDA || IDB || N1
2. KDC -> A: E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
3. A -> B: E(Kb, [Ks || IDA])
4. B -> A: E(Ks, [N2])
5. A -> B: E(Ks, [f(N2)])
Needham-Schroeder Protocol
• Used to securely distribute a new session key for communications between A & B
• But is vulnerable to a replay attack if an old session key has been compromised
  - Then message 3 can be resent, convincing B that it is communicating with A
• Modifications to address this require:
  - Timestamps in steps 2 & 3 (Denning 81)
  - Using an extra nonce (Neuman 93)
One-Way Authentication
• Use a refinement of the KDC protocol to secure email
• Since B is not online, drop steps 4 & 5
• The protocol becomes:
1. A -> KDC: IDA || IDB || N1
2. KDC -> A: E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
3. A -> B: E(Kb, [Ks || IDA]) || E(Ks, M)
• Provides encryption & some authentication
• Does not protect from a replay attack
KERBEROS
Introduction
• Trusted key server system from MIT
• Provides centralised private-key third-party authentication in a distributed network
  - Allows users access to services distributed through the network
  - Without needing to trust all workstations
  - Rather all trust a central authentication server
• Two versions in use: 4 & 5
Kerberos Requirements
• The first published report identified its requirements as:
  - Security
  - Reliability
  - Transparency
  - Scalability
• Implemented using an authentication protocol based on Needham-Schroeder
Kerberos 4 Overview
• A basic third-party authentication scheme
• Have an Authentication Server (AS)
  - Users initially negotiate with the AS to identify themselves
  - The AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
• Have a Ticket Granting Server (TGS)
  - Users subsequently request access to other services from the TGS on the basis of the user's TGT
Kerberos 4 Overview
Steps
• Step-1: The user logs on and requests services on the host; thus the user requests the ticket-granting service.
• Step-2: The Authentication Server verifies the user's access rights using its database and then issues a ticket-granting ticket and a session key. The results are encrypted using the user's password.
• Step-3: The message is decrypted using the password, and the ticket is then sent to the Ticket Granting Server. The ticket contains authenticators such as the user name and network address.
• Step-4: The Ticket Granting Server decrypts the ticket sent by the user, the authenticator verifies the request, and it then creates the ticket for requesting services from the server.
• Step-5: The user sends the ticket and authenticator to the server.
• Step-6: The server verifies the ticket and authenticator, then generates the access to the
Kerberos v4 Dialogue
Kerberos Realms
• A Kerberos environment consists of:
  - A Kerberos server
  - A number of clients, all registered with the server
  - Application servers, sharing keys with the server
• This is termed a realm
  - Typically a single administrative domain
• If there are multiple realms, their Kerberos servers must share keys and trust
Kerberos Realms
Kerberos Version 5
• Developed in the mid 1990s
• Provides improvements over v4
  - Addresses environmental shortcomings
    encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication
  - And technical deficiencies
    double encryption, non-standard mode of use, session keys, password attacks
• Specified as Internet standard RFC 1510
Kerberos v5 Dialogue
X.509 Authentication Service
• Part of the CCITT X.500 directory service standards
  - Distributed servers maintaining some info database
• Defines a framework for authentication services
  - The directory may store public-key certificates
  - With the public key of the user
  - Signed by a certification authority
• Also defines authentication protocols
• Uses public-key crypto & digital signatures
  - Algorithms not standardised, but RSA recommended
X.509 Certificates
• Issued by a Certification Authority (CA), containing:
  - version (1, 2, or 3)
  - serial number (unique within CA) identifying the certificate
  - signature algorithm identifier
  - issuer X.500 name (CA)
  - period of validity (from - to dates)
  - subject X.500 name (name of owner)
  - subject public-key info (algorithm, parameters, key)
  - issuer unique identifier (v2+)
  - subject unique identifier (v2+)
  - extension fields (v3)
  - signature (of hash of all fields in certificate)
• The notation CA<<A>> denotes the certificate for A signed by CA
X.509 Certificates
Obtaining a Certificate
• Any user with access to the CA can get any certificate from it
• Only the CA can modify a certificate
• Because they cannot be forged, certificates can be placed in a public directory
CA Hierarchy
 if both users share a common CA then they are assumed to know its public key
 otherwise the CAs must form a hierarchy
 use certificates linking members of the hierarchy to validate other CAs
 each CA has certificates for its clients (forward) and its parent (backward)
 each client trusts its parent's certificates
 enables verification of any certificate from one CA by users of all other CAs in the hierarchy
CA Hierarchy Use
Certificate Revocation
 certificates have a period of validity
 may need to revoke before expiry, e.g.:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
 CAs maintain a list of revoked certificates
 the Certificate Revocation List (CRL)
 users should check certificates against the CA's CRL
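The path validation, validity-period and CRL checks described under CA Hierarchy and Certificate Revocation, as an added example that is not part of the original slides: it builds a hypothetical realm with Go's standard crypto/x509 (root CA X, intermediate CA W, user A; all names, dates and serial numbers are assumed) and verifies W<<A>> the way a relying party that trusts X would. The CRL is modelled as a set of issuer/serial keys rather than a parsed X.509 CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// T0 and OneYear fix the dates so every run is reproducible (assumed values, not from the slides).
var T0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
const OneYear = 365 * 24 * time.Hour

// Hierarchy is a hypothetical realm: root CA X, intermediate CA W and user A.
type Hierarchy struct {
	Root, Inter, Leaf *x509.Certificate   // X<<X>>, X<<W>>, W<<A>> in the slides' notation
	Directory         []*x509.Certificate // CA certificates published for path building (X<<W>>)
}

// issue creates a certificate for subject signed by parent (self-signed when parent is nil);
// key generation or signing failures are fatal for this demo, so they panic.
func issue(serial int64, subject string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // unique within the issuing CA
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notBefore, // period of validity
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer, signerKey := tmpl, key // a root signs itself
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy issues X<<X>> (10 years), X<<W>> (5 years) and W<<A>> (1 year).
func BuildHierarchy() *Hierarchy {
	root, rootKey := issue(1, "X", true, T0, T0.Add(10*OneYear), nil, nil)
	inter, interKey := issue(2, "W", true, T0, T0.Add(5*OneYear), root, rootKey)
	leaf, _ := issue(3, "A", false, T0, T0.Add(OneYear), inter, interKey)
	return &Hierarchy{root, inter, leaf, []*x509.Certificate{inter}}
}

// CRLKey identifies a certificate the way a CRL entry does: issuer plus serial number.
func CRLKey(c *x509.Certificate) string {
	return c.Issuer.CommonName + "/" + c.SerialNumber.String()
}

// VerifyUser checks A's certificate as relying party B would: build a path to the root B trusts
// through the directory's CA certificates, check every validity period at time now, then consult
// the CRL (modelled as a set of CRLKey values). Returns the number of certificates on the path.
func VerifyUser(leaf, trustedRoot *x509.Certificate, directory []*x509.Certificate,
	now time.Time, crl map[string]bool) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range directory {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return 0, err // no path to the trusted CA, or a certificate outside its validity period
	}
	for _, c := range chains[0] {
		if crl[CRLKey(c)] {
			return 0, errors.New("certificate of " + c.Subject.CommonName + " is revoked")
		}
	}
	return len(chains[0]), nil
}

func main() {
	h := BuildHierarchy()
	now := T0.Add(30 * 24 * time.Hour)
	fmt.Println(VerifyUser(h.Leaf, h.Root, h.Directory, now, nil)) // 3 <nil>: path A -> W -> X
	fmt.Println(VerifyUser(h.Leaf, h.Root, h.Directory, now, map[string]bool{CRLKey(h.Leaf): true}))
}
```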
Authentication Procedures
 X.509 includes three alternative authentication procedures:
 One-Way Authentication
 Two-Way Authentication
 Three-Way Authentication
 all use public-key signatures
One-Way Authentication
 1 message (A->B) used to establish:
 the identity of A and that the message is from A
 the message was intended for B
 integrity & originality of the message
 the message must include a timestamp, a nonce and B's identity, and is signed by A
Two-Way Authentication
 2 messages (A->B, B->A) which also establish, in addition:
 the identity of B and that the reply is from B
 that the reply is intended for A
 integrity & originality of the reply
 the reply includes the original nonce from A, plus a timestamp and nonce from B
Three-Way Authentication
 3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks
 has a reply from A back to B containing a signed copy of the nonce from B
 means that timestamps need not be checked or relied upon
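The one-way and three-way procedures above, as an added example that is not from the original slides: each message is a signed token carrying the sender, the intended recipient, a fresh nonce, the peer's nonce being acknowledged and (one- and two-way only) a timestamp. Ed25519 stands in for the certificate-based signature, peer public keys are installed directly with Trust instead of being taken from X.509 certificates, and MaxSkew is an assumed tolerance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const MaxSkew = 5 * time.Minute // clock difference tolerated when timestamps are checked (assumed)

type Token struct {
	Sender, Recipient string
	Timestamp         time.Time // left zero in the three-way procedure
	Nonce             string    // fresh per message, so the receiver can reject replays
	ReplyTo           string    // the peer's nonce being acknowledged (empty in message 1)
}

// Party is one principal: its key, the peer public keys it holds, the nonces it has accepted.
type Party struct {
	Name  string
	key   ed25519.PrivateKey
	peers map[string]ed25519.PublicKey
	seen  map[string]bool
}

func NewParty(name string) (*Party, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{name, key, map[string]ed25519.PublicKey{}, map[string]bool{}}, nil
}

// Trust records q's public key, standing in for validating q's certificate.
func (p *Party) Trust(q *Party) { p.peers[q.Name] = q.key.Public().(ed25519.PublicKey) }

// encode gives the signed bytes: the token's JSON, deterministic since fields keep declaration order.
func encode(t Token) []byte {
	b, _ := json.Marshal(t)
	return b
}

// Sign builds a message from p to recipient that acknowledges replyTo, and signs it.
func (p *Party) Sign(recipient, replyTo string, ts time.Time) (Token, []byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Token{}, nil, err
	}
	t := Token{p.Name, recipient, ts, hex.EncodeToString(n[:]), replyTo}
	return t, ed25519.Sign(p.key, encode(t)), nil
}

// Verify runs the receiver's checks: signature under the claimed sender's certified key, intended
// recipient, expected acknowledgement, unseen nonce and (one- and two-way only) the timestamp.
func (p *Party) Verify(t Token, sig []byte, expectReply string, now time.Time, checkTime bool) error {
	pub, ok := p.peers[t.Sender]
	switch {
	case !ok || !ed25519.Verify(pub, encode(t), sig):
		return errors.New("not signed by a certified key of " + t.Sender)
	case t.Recipient != p.Name:
		return errors.New("message was intended for " + t.Recipient)
	case t.ReplyTo != expectReply:
		return errors.New("acknowledged nonce is not the one we issued")
	case checkTime && (now.Sub(t.Timestamp) > MaxSkew || t.Timestamp.Sub(now) > MaxSkew):
		return errors.New("timestamp outside the accepted window")
	case p.seen[t.Nonce]:
		return errors.New("nonce already accepted: replay")
	}
	p.seen[t.Nonce] = true
	return nil
}

// ThreeWay runs A->B, B->A, A->B with zero timestamps: every reply carries the
// signed nonce of the message before it, so neither side needs to trust a clock.
func ThreeWay(a, b *Party) error {
	var zero time.Time
	prev := "" // nonce the next message must acknowledge (none for message 1)
	for _, step := range []struct{ from, to *Party }{{a, b}, {b, a}, {a, b}} {
		t, sig, err := step.from.Sign(step.to.Name, prev, zero)
		if err == nil {
			err = step.to.Verify(t, sig, prev, zero, false)
		}
		if err != nil {
			return err
		}
		prev = t.Nonce
	}
	return nil
}

func main() {
	a, _ := NewParty("A")
	b, _ := NewParty("B")
	a.Trust(b)
	b.Trust(a)
	fmt.Println(ThreeWay(a, b)) // <nil>: each side accepted the other without a clock
}
```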
X.509 Version 3
 it has been recognised that additional information is needed in a certificate
 email/URL, policy details, usage constraints
 rather than explicitly naming new fields, a general extension method was defined
 extensions consist of:
 extension identifier
 criticality indicator
 extension value
Certificate Extensions
 key and policy information
 convey information about subject & issuer keys, plus indicators of certificate policy
 certificate subject and issuer attributes
 support alternative names, in alternative formats, for the certificate subject and/or issuer
 certificate path constraints
 allow constraints on the use of certificates by other CAs
Summary
 have considered:
 Kerberos trusted key server system
 X.509 authentication and certificates

More Related Content

What's hot

Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Principles of public key cryptography and its Uses
Principles of  public key cryptography and its UsesPrinciples of  public key cryptography and its Uses
Principles of public key cryptography and its UsesMohsin Ali
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithmRuchi Maurya
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 

What's hot (20)

Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
S/MIME
S/MIMES/MIME
S/MIME
 
Principles of public key cryptography and its Uses
Principles of  public key cryptography and its UsesPrinciples of  public key cryptography and its Uses
Principles of public key cryptography and its Uses
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
Diffie-hellman algorithm
Diffie-hellman algorithmDiffie-hellman algorithm
Diffie-hellman algorithm
 
SHA- Secure hashing algorithm
SHA- Secure hashing algorithmSHA- Secure hashing algorithm
SHA- Secure hashing algorithm
 
MD-5 : Algorithm
MD-5 : AlgorithmMD-5 : Algorithm
MD-5 : Algorithm
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Applied Cryptography
Applied CryptographyApplied Cryptography
Applied Cryptography
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
Web Security
Web SecurityWeb Security
Web Security
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
 
Message digest 5
Message digest 5Message digest 5
Message digest 5
 

Similar to Cs8792 cns - unit iv

Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash functionomarShiekh1
 
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORKUNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORKjeevasreemurali
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authenticationchauhankapil
 
Cryptography and network_security
Cryptography and network_securityCryptography and network_security
Cryptography and network_securityJanani Satheshkumar
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Message authentication
Message authenticationMessage authentication
Message authenticationCAS
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3koolkampus
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network securityMazin Alwaaly
 
Hash Function & Analysis
Hash Function & AnalysisHash Function & Analysis
Hash Function & AnalysisPawandeep Kaur
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MACSou Jana
 
Information and data security cryptographic hash functions
Information and data security cryptographic hash functionsInformation and data security cryptographic hash functions
Information and data security cryptographic hash functionsMazin Alwaaly
 
NSC_Unit-III_final.ppt
NSC_Unit-III_final.pptNSC_Unit-III_final.ppt
NSC_Unit-III_final.pptDrVASAVIBANDE
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functionsDr.Florence Dayana
 
MACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMaitree Patel
 
Message Authentication and Hash Function.pdf
Message Authentication and Hash Function.pdfMessage Authentication and Hash Function.pdf
Message Authentication and Hash Function.pdfsunil sharma
 

Similar to Cs8792 cns - unit iv (20)

Cns
CnsCns
Cns
 
Message authentication and hash function
Message authentication and hash functionMessage authentication and hash function
Message authentication and hash function
 
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORKUNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
UNIT3_class (1).ppt CRYPTOGRAPHY NOTES AND NETWORK
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
Cryptography and network_security
Cryptography and network_securityCryptography and network_security
Cryptography and network_security
 
Unit 3
Unit 3Unit 3
Unit 3
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Ch11
Ch11Ch11
Ch11
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3Cryptography and Message Authentication NS3
Cryptography and Message Authentication NS3
 
Information and data security cryptography and network security
Information and data security cryptography and network securityInformation and data security cryptography and network security
Information and data security cryptography and network security
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Hash Function & Analysis
Hash Function & AnalysisHash Function & Analysis
Hash Function & Analysis
 
Message Authentication Requirement-MAC
Message Authentication Requirement-MACMessage Authentication Requirement-MAC
Message Authentication Requirement-MAC
 
Information and data security cryptographic hash functions
Information and data security cryptographic hash functionsInformation and data security cryptographic hash functions
Information and data security cryptographic hash functions
 
NSC_Unit-III_final.ppt
NSC_Unit-III_final.pptNSC_Unit-III_final.ppt
NSC_Unit-III_final.ppt
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functions
 
MACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block CiphersMACs based on Hash Functions, MACs based on Block Ciphers
MACs based on Hash Functions, MACs based on Block Ciphers
 
Message Authentication and Hash Function.pdf
Message Authentication and Hash Function.pdfMessage Authentication and Hash Function.pdf
Message Authentication and Hash Function.pdf
 

More from ArthyR3

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfArthyR3
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfArthyR3
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfArthyR3
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfArthyR3
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdfArthyR3
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdfArthyR3
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdfArthyR3
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdfArthyR3
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301ArthyR3
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit vArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit iArthyR3
 
Java quick reference
Java quick referenceJava quick reference
Java quick referenceArthyR3
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography WorkbookArthyR3
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network securityArthyR3
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bankArthyR3
 
Compiler gate question key
Compiler gate question keyCompiler gate question key
Compiler gate question keyArthyR3
 
Java conceptual learning material
Java conceptual learning materialJava conceptual learning material
Java conceptual learning materialArthyR3
 
Cyber forensics question bank
Cyber forensics   question bankCyber forensics   question bank
Cyber forensics question bankArthyR3
 
Compiler worksheet
Compiler worksheetCompiler worksheet
Compiler worksheetArthyR3
 

More from ArthyR3 (20)

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdf
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdf
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdf
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdf
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdf
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdf
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit v
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit i
 
Java quick reference
Java quick referenceJava quick reference
Java quick reference
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography Workbook
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network security
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bank
 
Compiler gate question key
Compiler gate question keyCompiler gate question key
Compiler gate question key
 
Java conceptual learning material
Java conceptual learning materialJava conceptual learning material
Java conceptual learning material
 
Cyber forensics question bank
Cyber forensics   question bankCyber forensics   question bank
Cyber forensics question bank
 
Compiler worksheet
Compiler worksheetCompiler worksheet
Compiler worksheet
 

Recently uploaded

Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)Dr SOUNDIRARAJ N
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfAsst.prof M.Gokilavani
 

Recently uploaded (20)

POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
UNIT III ANALOG ELECTRONICS (BASIC ELECTRONICS)
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdfCCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
CCS355 Neural Network & Deep Learning Unit II Notes with Question bank .pdf
 

Cs8792 cns - unit iv

  • 1. Prepared by Dr. R. Arthy, Assistant Professor, Kamaraj College of Engineering and Technology (Autonomous) CS8792 - CRYPTOGRAPHY AND NETWORK SECURITY
  • 3. Outline  Authentication requirement  Authentication function  MAC  Hash function  Security of hash function and MAC  SHA  Digital signature and authentication protocols  DSS
  • 5. Security Requirements • Disclosure of message contents • Traffic analysis (discover the pattern) • Masquerade (insert a msg from a fraudulent source) • Content modification • Sequence modification (insert, delete, reorder) • Timing modification (delay or replay) • Source repudiation (denial of a transmission) • Destination repudiation (denial of a receipt)
  • 7. • Message authentication is concerned with:  Protecting the integrity of a message  Validating identity of originator  Non-repudiation of origin (dispute resolution) • Will consider the security requirements • Then three alternative functions used:  Message encryption  Message authentication code (MAC)  Hash function Message Authentication
  • 8. Message Encryption • Message encryption by itself also provides a measure of authentication. • If symmetric encryption is used then:  Receiver know sender must have created it since only sender and receiver know the key used  Content of the message cannot be altered if the message has a suitable structure, redundancy or a checksum to detect any changes
  • 9. Message Encryption • If public-key encryption is used:  Encryption provides no confidence of sender, since anyone potentially knows public-key.  However, if sender signs message using their private-key, then encrypts with recipients public key, provides both secrecy and authentication.  Again need to recognize corrupted messages.  But at cost of two public-key uses on message.
  • 10. Basic Use of Message Encryption
  • 11. Basic Use of Message Encryption Confidentiality and Authentication Implications of Message Encryption
  • 12. Basic Use of Message Encryption Confidentiality and Authentication Implications of Message Encryption
  • 15. Message Authentication Code (MAC) • Generated by an algorithm that creates a small fixed-sized block  Depending on both message and some key.  Like encryption though need not be reversible. • Appended to message as a signature. • Receiver performs same computation on message and checks it matches the MAC. • Provides assurance that message is unaltered and comes from sender.
  • 16. Message Authentication Code (MAC) • A message authentication code (MAC), also known as a cryptographic checksum, is an authentication technique involves the use of a secret key to generate a small fixed-size block of data.
  • 19. Message Authentication Codes (MACs) • As shown the MAC provides confidentiality. • Can also use encryption for secrecy:  Generally use separate keys for each.  Can compute MAC either before or after encryption.  Is generally regarded as better done before. • Why use a MAC?  Sometimes only authentication is needed.  Sometimes need authentication to persist longer than the encryption (e.g., archival use). • Note that a MAC is not a digital signature.
  • 20. MAC Properties • A MAC is a cryptographic checksum. MAC = CK(M) • Condenses a variable-length message M • using a secret key K • to a fixed-sized authenticator. • It is a many-to-one function  Potentially many messages have same MAC.  Finding these needs to be very difficult.
  • 21. Requirements for MACs • Taking into account the types of attacks. • Need the MAC to satisfy the following: 1. Knowing a message and MAC, is infeasible to find another message with same MAC. 2. MACs should be uniformly distributed. 3. MAC should depend equally on all bits of the message.
  • 22. Message Authentication Code Based on DES • Can use any block cipher chaining mode and use final block as a MAC. • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC.  Using IV=0 and zero-pad of final block.  Encrypt message using DES in CBC mode.  Send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block. • But final MAC is now too small for security.
  • 25. Hash Functions • A hash function h is generated by a function H of the form: h = H(M) • Condenses arbitrary message to fixed size; usually assume that the hash function is public and not keyed as compared to MAC which is keyed. • Hash used to detect changes to message. • Can use in various ways with message. • Most often to create a digital signature.
  • 26.
  • 27. Hash Functions and Digital Signatures Basic Use of Hash Function.
  • 28. Hash Functions and Digital Signatures Basic Use of Hash Function.
  • 29. Hash Functions and Digital Signatures Basic Use of Hash Function H.
  • 30. Hash Function Properties • A Hash Function produces a fingerprint of some file/message/data h = H(M)  Condenses a variable-length message M to a fixed-sized fingerprint. • Assumed to be public.
  • 31. Other Hash Function Uses  to create a one-way password file  store hash of password not actual password  for intrusion detection and virus detection  keep & check hash of files on system  pseudorandom function (PRF) or pseudorandom number generator (PRNG)
  • 32. Requirements for Hash Functions 1. Can be applied to any sized message M. 2. Produces fixed-length output h. 3. It is easy to compute h=H(M) for any message M. 4. Given h is infeasible to find x (H(x)=h) • One-way property 5. Given x is infeasible to find y (H(y)=H(x)) • Weak collision resistance 6. It is infeasible to find any x, y (H(y)=H(x)) • Strong collision resistance
  • 33.  consider two simple insecure hash functions  bit-by-bit exclusive-OR (XOR) of every block  Ci = bi1 xor bi2 xor . . . xor bim  a longitudinal redundancy check  reasonably effective as data integrity check  one-bit circular shift on hash value  for each successive n-bit block  rotate current hash value to left by1bit and XOR block  good for data integrity but useless for security Simple Hash Functions
  • 34. Simple Hash Function Using Bitwise XOR Bit 1 Bit 2 … Bit n Block 1 b11 b21 … bn1 Block 2 b12 b22 … Bn2 … … … … … Block m b1m b2m … bnm Hash Code C1 C2 … Cn
  • 35.
  • 36. Simple Hash Functions Two Simple Hash Functions
  • 38.  have brute-force attacks and cryptanalysis  a preimage or second preimage attack  find y s.t. H(y) equals a given hash value  collision resistance  find two messages x & y with same hash so H(x) = H(y)  hence value 2m/2 determines strength of hash code against brute-force attacks  128-bits inadequate, 160-bits suspect Attack on Hash Function
  • 39. Birthday Attacks • Might think a 64-bit hash is secure, but by Birthday Paradox is not • Birthday attack works thus:  given user prepared to sign a valid message x  opponent generates 2 m/2 variations x’ of x, all with essentially the same meaning, and saves them  opponent generates 2 m/2 variations y’ of a desired fraudulent message y  two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)  have user sign the valid message, then substitute the forgery which will have a valid signature  conclusion is that need to use larger MAC/hash
• 40. General Structure of a Secure Hash Code
  • Cryptanalytic attacks exploit some property of the algorithm and so are faster than exhaustive search
  • Hash functions use an iterative structure: process the message in blocks (including the length)
  • Attacks focus on collisions in the compression function f
• 41. Block Ciphers as Hash Functions
  • Can use block ciphers as hash functions
    • Using H_0 = 0 and zero-pad of the final block
    • Compute: H_i = E_{M_i}[H_{i-1}]
    • Use the final block as the hash value
    • Similar to CBC but without a key
  • Resulting hash is too small (64-bit)
    • Due to direct birthday attack
    • Due to "meet-in-the-middle" attack
  • Other variants are also susceptible to attack
• 42. Hash Functions and MAC Security
  • Brute-force attacks exploiting:
    • Strong collision resistance: attacks on an m-bit hash have cost 2^(m/2)
    • Have a proposal for a hardware MD5 cracker
    • A 128-bit hash looks vulnerable, 160 bits is better
    • MACs with known message-MAC pairs: can either attack the keyspace (key search) or the MAC
    • At least a 128-bit MAC is needed for security
• 43. Hash Functions and MAC Security
  • Cryptanalytic attacks exploit structure
    • Like block ciphers, want brute-force attacks to be the best alternative
  • Have a number of analytic attacks on iterated hash functions: CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
    • Typically focus on collisions in the function f
    • Like block ciphers, f is often composed of rounds
    • Attacks exploit properties of the round functions
• 45. MD5
  • Designed by Ronald Rivest (the "R" in RSA)
  • Latest in a series: MD2, MD4
  • Produces a 128-bit hash value
  • Until recently was the most widely used hash algorithm
  • In recent times has both brute-force and cryptanalytic concerns
  • Specified as Internet standard RFC 1321
• 46. MD5 Overview
  1. Pad the message so its length is 448 mod 512
  2. Append a 64-bit length value to the message
  3. Initialise the 4-word (128-bit) MD buffer (A, B, C, D)
  4. Process the message in 16-word (512-bit) blocks:
     • using 4 rounds of 16 operations each on the message block and buffer
     • add the output to the buffer input to form the new buffer value
  5. The output hash value is the final buffer value
• 48. Implementation Steps
  • Step 1: Append padding bits
    • The message is padded so that its bit length ≡ 448 mod 512 (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits)
    • Padding is always added, even if the message is already of the desired length (1 to 512 bits of padding)
    • Padding bits: 1000…0 (a single 1-bit followed by the necessary number of 0-bits)
• 49. Implementation Steps
  • Step 2: Append length
    • A 64-bit length field contains the length of the original message modulo 2^64
    • The expanded message is Y_0, Y_1, …, Y_{L-1}; the total length is L × 512 bits
    • The expanded message can be thought of as a multiple of 16 32-bit words
    • Let M[0 … N-1] denote the words of the resulting message, where N = L × 16
• 50. Implementation Steps
  • Step 3: Initialize MD buffer
    • A 128-bit buffer (four 32-bit registers A, B, C, D) is used to hold intermediate and final results of the hash function
    • A, B, C, D are initialized to the following values: A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476
    • Stored in little-endian format (least significant byte of a word in the low-address byte position):
      word A: 01 23 45 67 (low address … high address)
      word B: 89 AB CD EF
      word C: FE DC BA 98
      word D: 76 54 32 10
• 51. Implementation Steps
  • Step 4: Process message in 512-bit (16-word) blocks
    • The heart of the algorithm is called the compression function; it consists of 4 rounds
    • The 4 rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H and I
    • Each round takes as input the current 512-bit block (Y_q) and the 128-bit buffer value ABCD, and updates the contents of the buffer
    • Each round also uses the table T[1 … 64], constructed from the sine function: T[i] = integer part of 2^32 × |sin(i)|
    • The output of the 4th round is added to CV_q to produce CV_{q+1}
• 53. Implementation Steps
  • Step 5: Output
    • After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest
    • CV_0 = IV
    • CV_{q+1} = SUM_32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
    • MD = CV_L
    where
    • IV = initial value of the ABCD buffer, defined in step 3
    • Y_q = the qth 512-bit block of the message
    • L = the number of blocks in the message (including padding and length fields)
    • CV_q = chaining variable processed with the qth block of the message
    • RF_x = round function using primitive logical function x
    • MD = final message digest value
    • SUM_32 = addition modulo 2^32 performed separately on each word
• 54. MD5 Compression Function
  • Each round consists of a sequence of 16 steps operating on the buffer ABCD
  • Each step is of the form: a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
    where
    • a, b, c, d = the 4 words of the buffer, in a specified order that varies across steps
    • g = one of the primitive functions F, G, H, I
    • <<< s = circular left shift (rotation) of the 32-bit argument by s bits
    • X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the message
    • T[i] = the ith 32-bit word in table T
    • + = addition modulo 2^32
• 56. MD5 Operation
  • One of the 4 primitive logical functions is used in each of the 4 rounds of the algorithm
  • Each primitive function takes three 32-bit words as input and produces a 32-bit word as output
  • Each function performs a set of bitwise logical operations
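Steps 1 to 5 above are enough to write MD5 in full. The following is an added example (not code from the lecture or from RFC 1321): padding and length field, the sine-derived table T, the four rounds with the step equation a ← b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), and the SUM_32 chaining, with the result checked against `hashlib.md5`. The per-step rotation amounts and the message-word schedule for rounds 2 to 4 are taken from RFC 1321, which the slides only summarise as "4 rounds of 16 operations".

```python
# Added example: MD5 as described in steps 1-5, checked against hashlib.
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-step rotation amounts s: four values per round, each reused for 16 steps (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = integer part of 2^32 * |sin(i+1)|, i = 0..63 (the slides index T[1..64]).
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
# Step 3: initial buffer A, B, C, D.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def _F(b, c, d): return (b & c) | (~b & d)
def _G(b, c, d): return (b & d) | (c & ~d)
def _H(b, c, d): return b ^ c ^ d
def _I(b, c, d): return c ^ (b | ~d)

def _rotl(x: int, s: int) -> int:
    """Circular left shift of a 32-bit word by s bits (the <<< s of the step)."""
    return ((x << s) | (x >> (32 - s))) & MASK

def md5_pad(msg: bytes) -> bytes:
    """Steps 1 and 2: a single 1-bit, 0-bits up to 448 mod 512, then the
    original bit length modulo 2^64 as a 64-bit little-endian value."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bit_len)

def md5(msg: bytes) -> bytes:
    a0, b0, c0, d0 = IV
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):            # step 4: one 512-bit block Y_q at a time
        X = struct.unpack("<16I", padded[off:off + 64])   # 16 little-endian words X[0..15]
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            # Rounds 1-4 use F, G, H, I and a different message-word schedule X[k].
            if i < 16:
                g, k = _F(b, c, d), i
            elif i < 32:
                g, k = _G(b, c, d), (5 * i + 1) % 16
            elif i < 48:
                g, k = _H(b, c, d), (3 * i + 5) % 16
            else:
                g, k = _I(b, c, d), (7 * i) % 16
            # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then rotate the register roles.
            a, d, c, b = d, c, b, (b + _rotl((a + g + X[k] + T[i]) & MASK, S[i])) & MASK
        # CV_{q+1} = SUM32(CV_q, round output): add word by word modulo 2^32.
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)        # step 5: MD = CV_L, little-endian

def md5_hex(msg: bytes) -> str:
    return md5(msg).hex()
```

`md5_hex(b"")` gives `d41d8cd98f00b204e9800998ecf8427e`, and any input agrees with `hashlib.md5`; the negative intermediate values produced by Python's `~` are harmless because every sum is reduced with `& MASK`.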
• 57. MD4
  • Precursor to MD5
  • Also produces a 128-bit hash of the message
  • Has 3 rounds of 16 steps versus 4 in MD5
  • Design goals:
    • Collision resistant (hard to find collisions)
    • Direct security (no dependence on "hard" problems)
    • Fast, simple, compact
    • Favors little-endian systems (e.g. PCs)
• 58. Strength of MD5
  • The MD5 hash is dependent on all message bits
  • Rivest claims security is as good as can be
  • Known attacks are:
    • Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend)
    • Boer & Bosselaers 93 found a pseudo-collision (again unable to extend)
    • Dobbertin 96 created collisions on the MD compression function (but initial constants prevent exploit)
  • Conclusion is that MD5 looks vulnerable soon
• 59. SHA
• 60. Overview
  • Developed by NIST (National Institute of Standards and Technology)
  • Published as FIPS 180 in 1993
  • A revised version was issued as FIPS 180-1 in 1995, generally referred to as SHA-1
  • SHA is based on the hash function MD4 and its design closely models MD4
  • SHA-1 produces a hash value of 160 bits
  • A revised version of the standard, FIPS 180-2, defined three new versions of SHA, with hash value lengths of 256, 384 and 512 bits, known as SHA-256, SHA-384 and SHA-512
• 61. SHA Overview
  1. Pad the message so its length is 896 mod 1024
  2. Append a 128-bit length value to the message
  3. Initialise the 8-word (512-bit) buffer (A, B, C, D, E, F, G, H)
  4. Process the message in 128-word (1024-bit) chunks
  5. The output hash value is the final buffer value
• 63. Implementation Steps
  • Step 1: Append padding bits
    • The message is padded so that its bit length is congruent to 896 modulo 1024 [length K ≡ 896 mod 1024]
    • Padding is always added, even if the message is already of the desired length; thus the number of padding bits is in the range 1 to 1024
    • The padding consists of a single 1-bit followed by the necessary number of 0-bits
• 64. Implementation Steps
  • Step 2: Append length
    • A block of 128 bits is appended to the message
    • This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding)
    • The outcome of the first two steps is a message that is an integer multiple of 1024 bits in length
    • In the figure, the expanded message is represented as the sequence of 1024-bit blocks M_1, M_2, …, M_N, so that the total length of the expanded message is N × 1024 bits
• 65. Implementation Steps
  • Step 3: Initialize hash buffer
    • A 512-bit buffer is used to hold intermediate and final results of the hash function
    • The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and h)
    • These registers are initialized to the following 64-bit integers (hexadecimal values):
    • These values are stored in big-endian format, i.e. the most significant byte of a word in the low-address (leftmost) byte position
    • These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers
• 66. Implementation Steps
  • Step 4: Process message in 1024-bit (128-word) blocks
    • The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in the figure above
    • Each round takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer
    • At input to the first round, the buffer has the value of the intermediate hash value H_{i-1}
    • Each round t makes use of a 64-bit value W_t, derived from the current 1024-bit block being processed (M_i)
    • Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 rounds
    • The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i. The addition is done independently for each of the eight words in the buffer with each of the corresponding words in H_{i-1}, using addition modulo 2^64
• 68. Implementation Steps
  • Step 5: Output
    • After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest
    • H_0 = IV; H_i = SUM_64(H_{i-1}, abcdefgh_i); MD = H_N
    where
    • IV = initial value of the abcdefgh buffer, defined in step 3
    • abcdefgh_i = the output of the last round of processing of the ith message block
    • N = the number of blocks in the message (including padding and length fields)
    • SUM_64 = addition modulo 2^64 performed separately on each word of the pair of inputs
    • MD = final message digest value
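The five SHA-512 steps above, carried through as an added example that is not code from the lecture or from FIPS 180-2. The slide leaves the eight initial values blank and says only where they come from; the block derives them exactly as stated (first 64 fractional bits of the square roots of the first eight primes, computed with integer arithmetic so no floating-point rounding is involved) and derives the 80 round constants K_t the same way from cube roots, which is how FIPS 180-2 defines them. The round function and message schedule W_t follow FIPS 180-2, which the slide does not spell out, and the output is checked against `hashlib.sha512`.

```python
# Added example: SHA-512 as described in steps 1-5, with the IV and K_t
# constants derived from square/cube roots of primes, checked against hashlib.
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1

def first_primes(count: int) -> list:
    ps, n = [], 2
    while len(ps) < count:
        if all(n % p for p in ps if p * p <= n):
            ps.append(n)
        n += 1
    return ps

def icbrt(n: int) -> int:
    """Integer cube root (largest x with x**3 <= n), Newton's method on ints."""
    x = 1 << ((n.bit_length() + 2) // 3)          # starting guess >= true root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:                          # defensive floor correction
        x -= 1
    return x

PRIMES = first_primes(80)
# Step 3: first 64 fractional bits of sqrt(p) for the first eight primes.
IV = [math.isqrt(p << 128) & MASK64 for p in PRIMES[:8]]
# Round constants K_t: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [icbrt(p << 192) & MASK64 for p in PRIMES]

def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64

def sha512_pad(msg: bytes) -> bytes:
    """Steps 1 and 2: a 1-bit, 0-bits up to 896 mod 1024, then the 128-bit
    big-endian length in bits of the original message."""
    bit_len = len(msg) * 8
    msg = msg + b"\x80"
    msg += b"\x00" * ((112 - len(msg) % 128) % 128)
    return msg + bit_len.to_bytes(16, "big")

def sha512(msg: bytes) -> bytes:
    H = list(IV)
    padded = sha512_pad(msg)
    for off in range(0, len(padded), 128):         # step 4: 1024-bit blocks M_i
        W = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):                    # message schedule W_t (FIPS 180-2)
            s0 = _rotr(W[t - 15], 1) ^ _rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
            s1 = _rotr(W[t - 2], 19) ^ _rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
            W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, h = H                 # buffer starts at H_{i-1}
        for t in range(80):                        # the 80 rounds of module F
            S1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
            ch = (e & f) ^ (~e & g)
            T1 = (h + S1 + ch + K[t] + W[t]) & MASK64
            S0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
            maj = (a & b) ^ (a & c) ^ (b & c)
            T2 = (S0 + maj) & MASK64
            h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK64, c, b, a, (T1 + T2) & MASK64
        # H_i = SUM64(H_{i-1}, abcdefgh_i): add word by word modulo 2^64.
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(8, "big") for x in H)   # step 5: MD = H_N, big-endian
```

`IV[0]` evaluates to `0x6a09e667f3bcc908` and `K[0]` to `0x428a2f98d728ae22`, the published first words of the SHA-512 initial hash and constant table, and `sha512(msg)` matches `hashlib.sha512(msg).digest()` for any input, including messages long enough to need several 1024-bit blocks.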
• 72. HMAC
• 73. HMAC Design Principles
  • To use, without modifications, available hash functions; in particular, hash functions that perform well in software and for which code is freely and widely available
  • To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required
  • To preserve the original performance of the hash function without incurring a significant degradation
  • To use and handle keys in a simple way
  • To have a well-understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function
• 74. Algorithm
  • HMAC defines the following terms:
    • H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
    • IV = initial value input to the hash function
    • M = message input to HMAC (including the padding specified in the embedded hash function)
    • Y_i = ith block of M, 0 ≤ i ≤ (L - 1)
    • L = number of blocks in M
    • b = number of bits in a block
    • n = length of hash code produced by the embedded hash function
    • K = secret key; recommended length is ≥ n; if the key length is greater than b, the key is input to the hash function to produce an n-bit key
    • K+ = K padded with zeros on the left so that the result is b bits in length
    • ipad = 00110110 (36 in hexadecimal) repeated b/8 times
    • opad = 01011100 (5C in hexadecimal) repeated b/8 times
• 76. Algorithm
  • The algorithm is as follows:
    1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512, then K will be appended with 44 zero bytes).
    2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block S_i.
    3. Append M to S_i.
    4. Apply H to the stream generated in step 3.
    5. XOR K+ with opad to produce the b-bit block S_o.
    6. Append the hash result from step 4 to S_o.
    7. Apply H to the stream generated in step 6 and output the result.
  • 77. CMAC
• 88. Chapter 14: Entity Authentication (Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.)
• 89. 14-1 INTRODUCTION
  Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
• 90. 14.1.1 Data-Origin Versus Entity Authentication
  Message Authentication                                    | Entity Authentication
  Does not happen in real time                              | Happens in real time
  Authenticates one message; repeated for each new message  | Authenticates the claimant for the entire duration of a session
• 91. 14.1.2 Verification Categories
  • Something known
  • Something possessed
  • Something inherent
• 92. 14-2 PASSWORDS
  Password-based authentication, where the password is something that the claimant knows. Two groups:
  • Fixed password
  • One-time password
• 93. 14.2.1 Fixed Password
  First Approach (Figure 14.1 User ID and password file)
  Attacks on the first approach:
  • Eavesdropping
  • Stealing a password
  • Accessing a password file
  • Guessing
• 94. Second Approach [contd…] (Figure 14.2 Hashing the password)
  Dictionary attack: create a list of passwords, calculate the hash value of each, and search the second-column entries to find a match.
• 95. Third Approach [contd…] (Figure 14.3 Salting the password)
  When the password is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed. The Unix OS uses a variation of this method.
• 96. Fourth Approach [contd…]
  • Two identification techniques are combined.
  • A good example of this type of authentication is the use of an ATM card (something possessed) with a PIN (personal identification number) (something known).
• 97. 14.2.2 One-Time Password
  • A one-time password is a password that is used only once.
  • In the first approach, the user and the system agree upon a list of passwords.
  • In the second approach, the user and the system agree to sequentially update the password.
  • In the third approach, the user and the system create a sequentially updated password using a hash function.
• 98. [contd…] Figure 14.4 The third approach: Lamport one-time password
  • Alice and Bob agree upon an original password P_0 and a counter n.
  • The system stores the identity of Alice, the value of n and the hash.
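The third approach (Lamport's scheme) in runnable form, as an added example that is not from the original slides. The "hash" the system stores is h^n(P_0), the password hashed n times; the first password Alice presents is h^(n-1)(P_0), which Bob checks by hashing it once and comparing with what he holds, then stores in place of the old value with n decremented. The walk-through shows n-1 accepted logins, a rejected replay of an earlier password, the last valid login, and a rejected attempt once the chain is used up. The hash (SHA-256), identity and initial password are constructed choices.

```python
# Added example: Lamport's hash-chain one-time password (the third approach above).
import hashlib
import hmac

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def h_pow(x: bytes, k: int) -> bytes:
    """k-fold application h(h(...h(x))); h_pow(x, 0) is x itself."""
    for _ in range(k):
        x = h(x)
    return x

class LamportClient:
    """Alice: keeps P_0 and the counter; the i-th password sent is h^(n-i)(P_0)."""
    def __init__(self, p0: bytes, n: int):
        self.p0, self.n = p0, n
    def next_password(self):
        if self.n == 0:
            return None                      # chain exhausted: re-enrol with a new P_0
        self.n -= 1
        return h_pow(self.p0, self.n)

class LamportVerifier:
    """Bob (the system): stores Alice's identity, n and h^n(P_0), never P_0."""
    def __init__(self, user: str, n: int, top: bytes):
        self.user, self.n, self.stored = user, n, top
    def login(self, user: str, otp) -> bool:
        if user != self.user or otp is None or self.n == 0:
            return False
        if not hmac.compare_digest(h(otp), self.stored):
            return False                     # not the preimage of what we hold: reject
        self.stored, self.n = otp, self.n - 1  # accept and move one link down the chain
        return True

def enrol(user: str, p0: bytes, n: int):
    """Set-up: Alice and Bob agree on P_0 and n; Bob stores only h^n(P_0)."""
    return LamportClient(p0, n), LamportVerifier(user, n, h_pow(p0, n))

def run_session(n: int = 5):
    """Constructed walk-through: n-1 valid logins, a replay of the first
    password, the last valid login, then one attempt past the end of the chain."""
    alice, bob = enrol("alice", b"constructed-initial-password", n)
    used = [alice.next_password() for _ in range(n - 1)]
    results = [bob.login("alice", otp) for otp in used]
    replay = bob.login("alice", used[0])               # h(old) != stored: rejected
    last = bob.login("alice", alice.next_password())  # h^0(P_0) = P_0 itself
    overrun = bob.login("alice", alice.next_password())  # chain exhausted: None
    return results, replay, last, overrun
```

`run_session(5)` returns `([True, True, True, True], False, True, False)`. A captured password is useless to an eavesdropper because the next expected value is its preimage, which cannot be computed from it; the cost is that after n logins a fresh P_0 must be enrolled.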
• 99. 14-3 CHALLENGE-RESPONSE
  In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.
• 100. [contd…]
  Note: In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier.
  Note: The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
• 101. 14.3.1 Using a Symmetric-Key Cipher
  First Approach (Figure 14.5 Nonce challenge)
  1. ID of the claimant
  2. The challenge: R_B is the nonce randomly chosen by Bob to challenge Alice
  3. Alice encrypts the nonce using the shared secret key known only to Alice and Bob. Bob decrypts the message and checks that the nonce obtained from decryption is the same as the one he sent.
• 102. Second Approach [contd…] (Figure 14.6 Timestamp challenge)
  The challenge message is the current time sent from the verifier to the claimant. The claimant encrypts Alice's ID and the time with the Alice-Bob secret key.
• 103. Third Approach [contd…] (Figure 14.7 Bidirectional authentication)
  1. Alice's ID
  2. The challenge from Bob to Alice, R_B
  3. Alice responds and sends her own challenge, R_A
  4. Bob's response. R_A and R_B are switched to prevent a replay attack.
• 104. 14.3.2 Using Keyed-Hash Functions (Figure 14.8 Keyed-hash function)
  1. The challenge message is the current time sent from the verifier to the claimant.
  2. The timestamp is sent both as plaintext and as text scrambled by the keyed-hash function.
  3. Bob compares his calculation with what he received.
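The bidirectional exchange of Figure 14.7 carried out with a keyed hash (section 14.3.2's primitive) instead of encryption, as an added example that is not from the original slides. Both parties' messages are generated in one function so the whole four-message run can be read top to bottom; the keyed hash is HMAC-SHA256 and the identities and shared key are constructed. The point worth checking is the one slide 103 makes: Bob's reply binds his own identity and puts R_A before R_B, so it can never equal Alice's message 3 and a recorded message 3 cannot be reflected back to her as a valid message 4.

```python
# Added example: bidirectional nonce challenge-response using a keyed hash (HMAC).
import hashlib
import hmac
import os

def tag(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed parts (so different part lists cannot collide)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key

def mutual_auth(alice: Party, bob: Party):
    """Runs the four messages of Figure 14.7 with keyed hashes in place of
    encryption; returns (bob_accepts_alice, alice_accepts_bob)."""
    # 1. Alice -> Bob: her identity
    claim = alice.name
    # 2. Bob -> Alice: challenge nonce R_B
    r_b = os.urandom(16)
    # 3. Alice -> Bob: her own nonce R_A and a tag over (ID_A, R_B, R_A)
    r_a = os.urandom(16)
    t3 = tag(alice.key, claim, r_b, r_a)
    # Bob recomputes with the key he holds for the claimed identity
    bob_ok = hmac.compare_digest(t3, tag(bob.key, claim, r_b, r_a))
    if not bob_ok:
        return False, False
    # 4. Bob -> Alice: tag over (ID_B, R_A, R_B): identity and nonce order swapped,
    #    so message 3 can never be replayed back to Alice as a valid message 4
    t4 = tag(bob.key, bob.name, r_a, r_b)
    alice_ok = hmac.compare_digest(t4, tag(alice.key, bob.name, r_a, r_b))
    return bob_ok, alice_ok

def reflection_differs(key: bytes) -> bool:
    """Step-3 and step-4 tags differ even for one key and one nonce pair."""
    r_a, r_b = b"A" * 16, b"B" * 16   # constructed nonces, fixed for the check
    return tag(key, b"alice", r_b, r_a) != tag(key, b"bob", r_a, r_b)
```

`mutual_auth` returns `(True, True)` when both parties hold the same key and `(False, False)` when the claimant's key is wrong; `reflection_differs` confirms the swap of R_A and R_B does what slide 103 says.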
• 105. 14.3.3 Using an Asymmetric-Key Cipher
  First Approach (Figure 14.9 Unidirectional, asymmetric-key authentication): proves ownership of the claimant's private key
• 106. Second Approach [contd…] (Figure 14.10 Bidirectional, asymmetric-key authentication)
• 107. 14.3.4 Using Digital Signature
  First Approach (Figure 14.11 Digital signature, unidirectional): proves ownership of the claimant's private key
• 108. Second Approach [contd…] (Figure 14.12 Digital signature, bidirectional authentication)
• 109. 14-4 ZERO-KNOWLEDGE
  In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret.
• 110. 14.4.1 Fiat-Shamir Protocol (Figure 14.13 Fiat-Shamir protocol)
  Bob's verification: the response y is built from Alice's private key s and the challenge c, while x·v^c uses only her public key v and the commitment x:
  $$y^2 = (r s^c)^2 = r^2 s^{2c} = r^2 (s^2)^c = x\, v^c \pmod n$$
• 111. Cave Example [contd…] (Figure 14.14 Cave example)
  The door can only be opened with a magic word. Alice claims that she knows the word and that she can open the door. Bob and Alice are at point 1. Alice enters the cave and reaches point 2.
  1. Alice chooses to go either right or left. After Alice disappears, Bob comes to point 2 and asks Alice to come up from either the right or the left.
  2. If Alice knows the magic word, she will come up from the requested direction. If she does not know the word, she comes up from the requested direction with probability ½.
  3. The game is repeated many times.
• 112. 14.4.2 Feige-Fiat-Shamir Protocol (Figure 14.15 Feige-Fiat-Shamir protocol)
  Bob's verification, with s_i^2 v_i ≡ 1 (mod n) and challenge bits c_1, …, c_k:
  $$y^2 (v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k}) = (r s_1^{c_1} s_2^{c_2} \cdots s_k^{c_k})^2 (v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k}) = r^2 (s_1^2 v_1)^{c_1} (s_2^2 v_2)^{c_2} \cdots (s_k^2 v_k)^{c_k} = x (1)(1) \cdots (1) = x \pmod n$$
• 113. 14.4.3 Guillou-Quisquater Protocol (Figure 14.16 Guillou-Quisquater protocol)
  Bob's verification, with s^e v ≡ 1 (mod n):
  $$y^e v^c = (r s^c)^e v^c = r^e s^{ce} v^c = r^e (s^e v)^c = r^e \cdot 1 = x \pmod n$$
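One round of each of the three protocols (slides 110, 112 and 113) as an added example, not code from the original slides, checking exactly the three verification identities above with toy-sized numbers. The modulus n = 1009 × 1013, the GQ exponent e = 17 and the number of FFS secrets are constructed choices; a real deployment uses a modulus of RSA size. `soundness_demo` shows the cave-example argument in numbers: a claimant who does not hold s passes a Fiat-Shamir round whenever the challenge is 0 (she can always answer y = r) and never when it is 1, so Bob repeats the round and the chance of bluffing through k rounds is 2^-k.

```python
# Added example: Fiat-Shamir, Feige-Fiat-Shamir and Guillou-Quisquater rounds
# with toy-sized numbers, checking the verification identities above.
import math
import secrets

P, Q = 1009, 1013              # toy primes, constructed; a real n is RSA-sized
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17                         # GQ public exponent, coprime with PHI

def random_unit(n: int) -> int:
    """Random r in [2, n-1] with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

# Fiat-Shamir: Alice's secret s, public v = s^2 mod n
def fs_keygen():
    s = random_unit(N)
    return s, pow(s, 2, N)

def fs_round(s: int, v: int, c: int) -> bool:
    """Alice commits x = r^2, Bob sends c in {0,1}, Alice answers y = r*s^c.
    Bob accepts iff y^2 == x * v^c (mod n)."""
    r = random_unit(N)
    x = pow(r, 2, N)                 # Alice -> Bob (commitment)
    y = r * pow(s, c, N) % N         # Alice -> Bob (response to challenge c)
    return pow(y, 2, N) == x * pow(v, c, N) % N

# Feige-Fiat-Shamir: k secrets s_i, public v_i = s_i^-2 so that s_i^2 v_i = 1
def ffs_keygen(k: int):
    s = [random_unit(N) for _ in range(k)]
    v = [pow(pow(si, 2, N), -1, N) for si in s]
    return s, v

def ffs_round(s, v, c) -> bool:
    """c is a list of k challenge bits; Bob checks y^2 * prod(v_i^c_i) == x."""
    r = random_unit(N)
    x = pow(r, 2, N)
    y = r
    for si, ci in zip(s, c):
        if ci:
            y = y * si % N
    lhs = pow(y, 2, N)
    for vi, ci in zip(v, c):
        if ci:
            lhs = lhs * vi % N
    return lhs == x

# Guillou-Quisquater: public v, secret s with s^e * v = 1 (mod n)
def gq_keygen():
    v = random_unit(N)
    d = pow(E, -1, PHI)
    s = pow(pow(v, -1, N), d, N)     # s = v^-d, hence s^e = v^-1
    return s, v

def gq_round(s: int, v: int, c: int) -> bool:
    """c in [0, e-1]; Bob checks y^e * v^c == x where x = r^e and y = r*s^c."""
    r = random_unit(N)
    x = pow(r, E, N)
    y = r * pow(s, c, N) % N
    return pow(y, E, N) * pow(v, c, N) % N == x

def soundness_demo(rounds: int = 20):
    """A claimant without s passes a Fiat-Shamir round only when c = 0, so the
    rounds are repeated; returns the per-round outcomes for c = 0 and c = 1."""
    s, v = fs_keygen()
    wrong = 2 * s % N                # any value other than +-s serves as a wrong secret
    return ([fs_round(wrong, v, 0) for _ in range(rounds)],
            [fs_round(wrong, v, 1) for _ in range(rounds)])
```

With genuine keys every round of all three protocols verifies; with the wrong secret the c = 1 rounds fail, which is why the protocol's security comes from repetition rather than from any single exchange.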
• 114. 14-5 BIOMETRICS
  Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.
• 116. 14.5.2 Enrollment
  The corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
• 120. User Authentication
  • Fundamental security building block: basis of access control and user accountability
  • Is the process of verifying an identity claimed by or for a system entity
  • Has two steps: identification (specify an identifier) and verification (bind the entity (person) and the identifier)
  • Distinct from message authentication
• 121. Means of User Authentication
  • Four means of authenticating a user's identity, based on something the individual
    • Knows, e.g. password, PIN
    • Possesses, e.g. key, token, smartcard
    • Is (static biometrics), e.g. fingerprint, retina
    • Does (dynamic biometrics), e.g. voice, sign
  • Can use alone or combined
  • All can provide user authentication
  • All have issues
• 122. Authentication Protocols
  • Used to convince parties of each other's identity and to exchange session keys
  • May be one-way or mutual
  • Key issues are:
    • Confidentiality, to protect session keys
    • Timeliness, to prevent replay attacks
• 123. Replay Attacks
  • Where a valid signed message is copied and later resent
    • Simple replay
    • Repetition that can be logged
    • Repetition that cannot be detected
    • Backward replay without modification
  • Countermeasures include:
    • Use of sequence numbers (generally impractical)
    • Timestamps (needs synchronized clocks)
    • Challenge/response (using a unique nonce)
• 124. One-Way Authentication
  • Required when sender and receiver are not in communication at the same time (e.g. email)
  • Have the header in clear so it can be delivered by the email system
  • May want the contents of the body protected and the sender authenticated
• 125. Using Symmetric Encryption
  • As discussed previously, can use a two-level hierarchy of keys
  • Usually with a trusted key distribution center (KDC)
    • Each party shares its own master key with the KDC
    • The KDC generates session keys used for connections between parties
    • Master keys are used to distribute these to them
• 126. Needham-Schroeder Protocol
  • Original third-party key distribution protocol
  • For a session between A and B mediated by the KDC
  • Protocol overview is:
    1. A → KDC: ID_A || ID_B || N_1
    2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
    3. A → B: E(K_b, [K_s || ID_A])
    4. B → A: E(K_s, [N_2])
    5. A → B: E(K_s, [f(N_2)])
• 127. Needham-Schroeder Protocol
  • Used to securely distribute a new session key for communications between A and B
  • But is vulnerable to a replay attack if an old session key has been compromised
    • Then message 3 can be resent, convincing B that it is communicating with A
  • Modifications to address this require:
    • Timestamps in steps 2 & 3 (Denning 81)
    • Using an extra nonce (Neuman 93)
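The five messages of slide 126 with the Denning (1981) timestamp fix of slide 127 applied, as an added example that is not code from the original slides: the KDC puts the issue time T into message 2 and into the ticket of message 3, A checks N_1, ID_B and T, and B refuses any ticket whose T is older than a lifetime, which is what stops a ticket carrying an old session key from being accepted again. E(K, [...]) is played by a small encrypt-then-MAC construction built from SHA-256 so the example runs offline; it is a stand-in, not a production cipher. Key sizes, identities, the 60-second lifetime and f(N_2) = SHA-256(N_2) are constructed choices; N_1 is kept from the original protocol alongside T.

```python
# Added example: Needham-Schroeder messages 1-5 with the Denning timestamp in
# the ticket, so B rejects a ticket that is older than its lifetime.
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, obj) -> bytes:
    """Toy encrypt-then-MAC from SHA-256 standing in for E(K, [...]); NOT a production cipher."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message rejected: bad authentication tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

TICKET_LIFETIME = 60   # seconds a ticket stays acceptable to B (constructed value)

def kdc_step2(ka, kb, id_a, id_b, n1, now):
    """KDC -> A: E(Ka, [Ks || IDB || N1 || T || E(Kb, [Ks || IDA || T])])."""
    ks = os.urandom(32).hex()
    ticket = encrypt(kb, {"ks": ks, "id": id_a, "t": now})
    return encrypt(ka, {"ks": ks, "id_b": id_b, "n1": n1, "t": now, "ticket": ticket.hex()})

def a_step3(ka, msg2, id_b, n1, now):
    """A opens message 2, checks N1, IDB and T, then forwards the ticket to B."""
    m = decrypt(ka, msg2)
    if m["n1"] != n1 or m["id_b"] != id_b or abs(now - m["t"]) > TICKET_LIFETIME:
        raise ValueError("KDC reply rejected: nonce, peer or timestamp mismatch")
    return bytes.fromhex(m["ticket"]), bytes.fromhex(m["ks"])

def b_step4(kb, ticket, now):
    """B opens the ticket; a stale T is treated as a replay of an old ticket.
    Returns (Ks, IDA, N2, E(Ks, [N2])) or None when the ticket is rejected."""
    t = decrypt(kb, ticket)
    if abs(now - t["t"]) > TICKET_LIFETIME:
        return None
    ks = bytes.fromhex(t["ks"])
    n2 = os.urandom(8).hex()
    return ks, t["id"], n2, encrypt(ks, {"n2": n2})

def a_step5(ks, msg4):
    """A proves possession of Ks by returning f(N2); here f = SHA-256."""
    n2 = decrypt(ks, msg4)["n2"]
    return encrypt(ks, {"f_n2": hashlib.sha256(n2.encode()).hexdigest()})

def b_check5(ks, n2, msg5) -> bool:
    return decrypt(ks, msg5)["f_n2"] == hashlib.sha256(n2.encode()).hexdigest()

def run(now: int, ticket_age: int = 0) -> str:
    """Full exchange; with ticket_age > 0 the ticket reaches B that many seconds late."""
    ka, kb = os.urandom(32), os.urandom(32)      # master keys A and B share with the KDC
    n1 = os.urandom(8).hex()
    msg2 = kdc_step2(ka, kb, "A", "B", n1, now)
    ticket, ks_a = a_step3(ka, msg2, "B", n1, now)
    got = b_step4(kb, ticket, now + ticket_age)
    if got is None:
        return "rejected"
    ks_b, peer, n2, msg4 = got
    msg5 = a_step5(ks_a, msg4)
    return "accepted" if ks_a == ks_b and peer == "A" and b_check5(ks_b, n2, msg5) else "failed"
```

`run(now)` returns `"accepted"` and both sides end up with the same K_s; `run(now, ticket_age=3600)` returns `"rejected"` because B's timestamp check fails, which is the Denning fix in action. The check depends on A's and B's clocks agreeing within the lifetime, the cost slide 123 notes for timestamps.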
• 128. One-Way Authentication
  • Use a refinement of the KDC protocol to secure email
  • Since B is not online, drop steps 4 & 5
  • Protocol becomes:
    1. A → KDC: ID_A || ID_B || N_1
    2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
    3. A → B: E(K_b, [K_s || ID_A]) || E(K_s, M)
  • Provides encryption and some authentication
  • Does not protect from replay attack
• 130. Introduction
  • Trusted key server system from MIT
  • Provides centralised private-key third-party authentication in a distributed network
    • Allows users access to services distributed through the network
    • Without needing to trust all workstations
    • Rather, all trust a central authentication server
  • Two versions in use: 4 & 5
• 131. Kerberos Requirements
  • First published report identified its requirements as:
    • Security
    • Reliability
    • Transparency
    • Scalability
  • Implemented using an authentication protocol based on Needham-Schroeder
• 132. Kerberos 4 Overview
  • A basic third-party authentication scheme
  • Has an Authentication Server (AS)
    • Users initially negotiate with the AS to identify themselves
    • The AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
  • Has a Ticket Granting Server (TGS)
    • Users subsequently request access to other services from the TGS on the basis of the user's TGT
• 134. Steps
  • Step 1: The user logs on and requests services on the host; thus the user requests the ticket-granting service.
  • Step 2: The Authentication Server verifies the user's access rights using its database and then issues a ticket-granting ticket and a session key. The results are encrypted using the user's password.
  • Step 3: The message is decrypted using the password, then the ticket is sent to the Ticket Granting Server. The ticket contains authenticators such as user name and network address.
  • Step 4: The Ticket Granting Server decrypts the ticket sent by the user and the authenticator, verifies the request, then creates the ticket for requesting services from the Server.
  • Step 5: The user sends the Ticket and Authenticator to the Server.
  • Step 6: The Server verifies the Ticket and authenticators, then generates access to the
• 136. Kerberos Realms
  • A Kerberos environment consists of:
    • A Kerberos server
    • A number of clients, all registered with the server
    • Application servers, sharing keys with the server
  • This is termed a realm
    • Typically a single administrative domain
  • If there are multiple realms, their Kerberos servers must share keys and trust
• 138. Kerberos Version 5
  • Developed in the mid 1990s
  • Provides improvements over v4
    • Addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm authentication
    • And technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
  • Specified as Internet standard RFC 1510
• 140. X.509 Authentication Service
  • Part of the CCITT X.500 directory service standards
    • Distributed servers maintaining some information database
  • Defines a framework for authentication services
    • The directory may store public-key certificates
    • With the public key of the user
    • Signed by a certification authority
  • Also defines authentication protocols
  • Uses public-key crypto and digital signatures
    • Algorithms not standardised, but RSA recommended
• 141. X.509 Certificates
  • Issued by a Certification Authority (CA), containing:
    • version (1, 2, or 3)
    • serial number (unique within the CA) identifying the certificate
    • signature algorithm identifier
    • issuer X.500 name (CA)
    • period of validity (from - to dates)
    • subject X.500 name (name of owner)
    • subject public-key info (algorithm, parameters, key)
    • issuer unique identifier (v2+)
    • subject unique identifier (v2+)
    • extension fields (v3)
    • signature (of hash of all fields in certificate)
  • Notation CA<<A>> denotes the certificate for A signed by CA
• 143. Obtaining a Certificate
  • Any user with access to the CA can get any certificate from it
  • Only the CA can modify a certificate
  • Because they cannot be forged, certificates can be placed in a public directory
• 144. CA Hierarchy
  • If both users share a common CA then they are assumed to know its public key
  • Otherwise CAs must form a hierarchy
    • Use certificates linking members of the hierarchy to validate other CAs
    • Each CA has certificates for clients (forward) and parent (backward)
  • Each client trusts its parent's certificates
  • Enables verification of any certificate from one CA by users of all other CAs in the hierarchy
• 146. Certificate Revocation
  • Certificates have a period of validity
  • May need to revoke before expiry, e.g.:
    1. user's private key is compromised
    2. user is no longer certified by this CA
    3. CA's certificate is compromised
  • CAs maintain a list of revoked certificates: the Certificate Revocation List (CRL)
  • Users should check certificates against the CA's CRL
• 147. Authentication Procedures
  • X.509 includes three alternative authentication procedures:
    • One-Way Authentication
    • Two-Way Authentication
    • Three-Way Authentication
  • All use public-key signatures
• 148. One-Way Authentication
  • 1 message (A->B) used to establish:
    • the identity of A and that the message is from A
    • the message was intended for B
    • integrity and originality of the message
  • The message must include a timestamp, a nonce and B's identity, and is signed by A
• 149. Two-Way Authentication
  • 2 messages (A->B, B->A) which also establish, in addition:
    • the identity of B and that the reply is from B
    • that the reply is intended for A
    • integrity and originality of the reply
  • The reply includes the original nonce from A, plus a timestamp and nonce from B
• 150. Three-Way Authentication
  • 3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks
  • Has a reply from A back to B containing a signed copy of the nonce from B
  • Means that timestamps need not be checked or relied upon
• 151. X.509 Version 3
  • It has been recognised that additional information is needed in a certificate: email/URL, policy details, usage constraints
  • Rather than explicitly naming new fields, a general extension method was defined
  • Extensions consist of:
    • extension identifier
    • criticality indicator
    • extension value
• 152. Certificate Extensions
  • Key and policy information: convey information about subject and issuer keys, plus indicators of certificate policy
  • Certificate subject and issuer attributes: support alternative names, in alternative formats, for the certificate subject and/or issuer
  • Certificate path constraints: allow constraints on the use of certificates by other CAs
• 153. Summary
  • Have considered:
    • Kerberos trusted key server system
    • X.509 authentication and certificates