This document provides an overview of message authentication and integrity. It discusses the need for authentication in network security and outlines different authentication functions including message encryption, message authentication codes (MACs), and hash functions. It describes how MACs are generated using a secret key and message and provides the requirements for MACs. The document also discusses the MD5 and SHA hash algorithms, explaining their processes and analyzing their security strengths and weaknesses.
CS8792 CNS - Unit IV
1. Prepared by
Dr. R. Arthy,
Assistant Professor,
Kamaraj College of Engineering and Technology
(Autonomous)
CS8792 - CRYPTOGRAPHY AND
NETWORK SECURITY
3. Outline
Authentication requirement
Authentication function
MAC
Hash function
Security of hash function and MAC
SHA
Digital signature and authentication protocols
DSS
7. Message Authentication
• Message authentication is concerned with:
Protecting the integrity of a message
Validating the identity of the originator
Non-repudiation of origin (dispute resolution)
• We first consider the security requirements
• Then three alternative functions used to provide authentication:
Message encryption
Message authentication code (MAC)
Hash function
8. Message Encryption
• Message encryption by itself also provides a measure of
authentication.
• If symmetric encryption is used then:
Receiver knows the sender must have created it, since only
the sender and receiver know the key used.
Alteration of the content is detected only if the message has a
suitable structure, redundancy or a checksum; without such redundancy a
bare cipher mode such as CBC or CTR is malleable, and an attacker's
bit-flips in the ciphertext go unnoticed by the receiver.
9. Message Encryption
• If public-key encryption is used:
Encryption provides no confidence of the sender, since anyone
potentially knows the public key.
However, if the sender signs the message using their private key,
then encrypts with the recipient's public key, this provides both
secrecy and authentication.
Again need to recognize corrupted messages.
But at the cost of two public-key operations on the message.
15. Message Authentication Code (MAC)
• Generated by an algorithm that creates a small fixed-sized
block
Depending on both the message and some key.
Like encryption, though it need not be reversible.
• Appended to the message as an authenticator.
• Receiver performs the same computation on the message and checks
that it matches the MAC.
• Provides assurance that the message is unaltered and comes from the
sender.
16. Message Authentication Code (MAC)
• A message authentication code (MAC), also known as a
cryptographic checksum, is an authentication technique that
involves the use of a secret key to generate a small fixed-size
block of data.
19. Message Authentication Codes (MACs)
• As shown, the MAC provides authentication (integrity and origin), not
confidentiality.
• Can also use encryption for secrecy:
Generally use separate keys for each.
Can compute the MAC either before or after encryption.
The classic texts regard MAC-then-encrypt as better; current practice is
encrypt-then-MAC, so that forged ciphertext is rejected before it is decrypted.
• Why use a MAC?
Sometimes only authentication is needed.
Sometimes need authentication to persist longer than the
encryption (e.g., archival use).
• Note that a MAC is not a digital signature: both parties hold the key,
so a MAC cannot settle a dispute over who sent the message.
20. MAC Properties
• A MAC is a cryptographic checksum.
MAC = C_K(M)
• Condenses a variable-length message M
• using a secret key K
• to a fixed-sized authenticator.
• It is a many-to-one function
Potentially many messages have the same MAC.
Finding these needs to be very difficult.
21. Requirements for MACs
• Taking into account the types of attacks.
• Need the MAC to satisfy the following:
1. Knowing a message and its MAC, it is infeasible (without K) to find
another message with the same MAC.
2. MACs should be uniformly distributed: for random messages, the chance
that two share a MAC is 2^-n for an n-bit MAC.
3. The MAC should depend equally on all bits of the message.
22. Message Authentication Code Based on DES
• Can use any block cipher chaining mode and use the final block as
a MAC.
• Data Authentication Algorithm (DAA, FIPS PUB 113) is a widely used MAC
based on DES-CBC:
Use IV = 0 and zero-pad the final block.
Encrypt the message using DES in CBC mode.
Send just the final block as the MAC, or the leftmost M bits
(16 ≤ M ≤ 64) of the final block.
• But the final MAC is now too small for security (DES has a 64-bit block);
FIPS 113 has been withdrawn in favour of CMAC.
• Caveat: plain CBC-MAC with a fixed IV is secure only for messages of one
fixed length; for variable-length messages an attacker can splice two known
message/MAC pairs into a third valid pair, which is why CMAC adds
separately derived final-block keys.
25. Hash Functions
• A hash value h is produced by a function H of the form:
h = H(M)
• Condenses an arbitrary message to a fixed size; usually assume that
the hash function is public and not keyed, as compared to a MAC,
which is keyed.
• Hash used to detect changes to the message.
• Can use in various ways with the message.
• Most often to create a digital signature.
30. Hash Function Properties
• A Hash Function produces a fingerprint of some
file/message/data
h = H(M)
Condenses a variable-length message M to a fixed-sized
fingerprint.
• Assumed to be public.
31. Other Hash Function Uses
to create a one-way password file
store hash of password not actual password
for intrusion detection and virus detection
keep & check hash of files on system
pseudorandom function (PRF) or pseudorandom number
generator (PRNG)
32. Requirements for Hash Functions
1. Can be applied to a message M of any size.
2. Produces a fixed-length output h.
3. It is easy to compute h = H(M) for any message M.
4. Given h, it is infeasible to find x with H(x) = h
• One-way (preimage resistance) property
5. Given x, it is infeasible to find y ≠ x with H(y) = H(x)
• Weak collision resistance (second-preimage resistance)
6. It is infeasible to find any pair x ≠ y with H(x) = H(y)
• Strong collision resistance
33. Simple Hash Functions
Consider two simple insecure hash functions:
bit-by-bit exclusive-OR (XOR) of every block
C_i = b_i1 xor b_i2 xor ... xor b_im
a longitudinal redundancy check
reasonably effective as a data integrity check against random errors
one-bit circular shift on the hash value
for each successive n-bit block
rotate the current hash value left by 1 bit and XOR in the block
good for data integrity but useless for security: an attacker can reorder
blocks, or choose one block so that the final value is whatever is wanted
34. Simple Hash Function Using Bitwise XOR
           Bit 1   Bit 2   ...   Bit n
Block 1    b11     b21     ...   bn1
Block 2    b12     b22     ...   bn2
...        ...     ...     ...   ...
Block m    b1m     b2m     ...   bnm
Hash Code  C1      C2      ...   Cn
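The two simple hash functions above, as an added example (not code from the original notes): the XOR hash C_i = b_i1 xor ... xor b_im and the rotated-XOR variant, each on 16-bit blocks (n = 16, a constructed choice). The block shows why they are adequate integrity checks against random bit errors yet useless against an adversary: swapping two blocks leaves the XOR hash unchanged, and for the rotated-XOR hash a second block can be solved for directly to hit any target value. The message bytes are constructed for the demonstration.

```python
BLOCK_BITS = 16                      # n-bit blocks; n = 16 is a constructed choice
MASK = (1 << BLOCK_BITS) - 1


def blocks(msg: bytes, n_bits: int = BLOCK_BITS) -> list:
    """Split msg into n-bit integers (big-endian), zero-padding the last block."""
    n_bytes = n_bits // 8
    padded = msg + b"\x00" * ((-len(msg)) % n_bytes)
    return [int.from_bytes(padded[i:i + n_bytes], "big")
            for i in range(0, len(padded), n_bytes)]


def xor_hash(msg: bytes) -> int:
    """Longitudinal redundancy check: bit i of the result is b_i1 xor ... xor b_im."""
    h = 0
    for b in blocks(msg):
        h ^= b
    return h


def rotl(x: int, s: int = 1) -> int:
    return ((x << s) | (x >> (BLOCK_BITS - s))) & MASK


def rxor_hash(msg: bytes) -> int:
    """Rotated XOR: rotate the running hash left by one bit, then XOR in the next block."""
    h = 0
    for b in blocks(msg):
        h = rotl(h) ^ b
    return h


def flip_bit(msg: bytes, bit: int) -> bytes:
    """Random-error model: flip a single bit of the message (bit 0 is the MSB of byte 0)."""
    byte, off = divmod(bit, 8)
    return msg[:byte] + bytes([msg[byte] ^ (1 << (7 - off))]) + msg[byte + 1:]


def swap_blocks(msg: bytes, i: int, j: int) -> bytes:
    """Adversarial change: exchange blocks i and j, so the message now reads differently."""
    bs = blocks(msg)
    bs[i], bs[j] = bs[j], bs[i]
    return b"".join(b.to_bytes(BLOCK_BITS // 8, "big") for b in bs)


def rxor_second_preimage(target: int, first_block: int) -> bytes:
    """For the rotated-XOR hash a two-block message hashes to rotl(first) ^ second,
    so any target value is reached by choosing second = rotl(first) ^ target."""
    second = rotl(first_block) ^ target
    return (first_block.to_bytes(BLOCK_BITS // 8, "big")
            + second.to_bytes(BLOCK_BITS // 8, "big"))
```

Both functions flag the single-bit error, which is all an integrity check against noise needs; neither survives an attacker who is free to choose the message.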
38. Attacks on Hash Functions
have brute-force attacks and cryptanalysis
a preimage or second preimage attack
find y s.t. H(y) equals a given hash value: about 2^m trials for an m-bit hash
collision resistance
find two messages x & y with the same hash so H(x) = H(y): about 2^(m/2)
trials (birthday attack)
hence the value 2^(m/2) determines the strength of a hash code
against brute-force attacks
128 bits inadequate, 160 bits suspect
39. Birthday Attacks
• Might think a 64-bit hash is secure, but by the Birthday Paradox it is
not (a collision is expected after about 2^32 hash computations)
• Birthday attack works thus:
given a user prepared to sign a valid message x
opponent generates 2^(m/2) variations x' of x, all with
essentially the same meaning, and saves them
opponent generates 2^(m/2) variations y' of a desired
fraudulent message y
the two sets of messages are compared to find a pair with the same
hash (probability > 0.5 by the birthday paradox)
have the user sign the valid message, then substitute the
forgery, which will have a valid signature
conclusion is that need to use a larger MAC/hash
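The birthday attack above, as an added example that is not part of the original notes. The "hash" is a constructed toy: the leading m = 20 bits of SHA-256, so that 2^(m/2) = 1024 and the search finishes in about a second; the two letters and the space-doubling trick for generating 2^k equivalent variants are constructed for the demonstration. With exactly 2^(m/2) variants per side the expected number of cross-collisions is 1 (a hit with probability about 0.63), which is the slide's "> 0.5"; the `factor` argument multiplies each set so the example finds a pair reliably.

```python
import hashlib

HASH_BITS = 20   # toy digest size m; small enough that the attack runs in seconds


def trunc_hash(msg: bytes, bits: int = HASH_BITS) -> int:
    """Toy m-bit hash: the leading m bits of SHA-256. Only the output length is weak."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def variations(text: str, count: int):
    """Yield `count` messages that read the same as `text`: bit g of the variation
    number decides whether word gap g holds one space or two (2^gaps variants)."""
    words = text.split(" ")
    gaps = len(words) - 1
    assert count <= 2 ** gaps, "not enough word gaps for that many variations"
    for i in range(count):
        out = words[0]
        for g in range(gaps):
            out += ("  " if (i >> g) & 1 else " ") + words[g + 1]
        yield out.encode()


def birthday_forgery(valid: str, fraud: str, bits: int = HASH_BITS, factor: int = 8):
    """Return (valid_variant, fraud_variant) with equal truncated hashes, or None.

    Each side gets factor * 2^(m/2) variants, so about factor^2 matching pairs are
    expected; with factor = 8 the chance of finding none is around e^-64."""
    count = factor * 2 ** (bits // 2)
    # Index the valid variants by hash value, then scan the fraudulent ones for a hit.
    by_hash = {trunc_hash(v, bits): v for v in variations(valid, count)}
    for f in variations(fraud, count):
        h = trunc_hash(f, bits)
        if h in by_hash:
            return by_hash[h], f
    return None


# Constructed messages: the letter the victim is willing to sign, and the forgery.
VALID = ("Dear Bob, please transfer 100 dollars from my account to Carol at the end "
         "of this month as agreed. Regards, Alice")
FRAUD = ("Dear Bob, please transfer 100000 dollars from my account to Mallory at the end "
         "of this month as agreed. Regards, Alice")

if __name__ == "__main__":
    pair = birthday_forgery(VALID, FRAUD)
    print(pair)
```

Raising `HASH_BITS` shows why the attack scales as 2^(m/2): every two extra bits of digest double the work, which is the reason 128-bit digests are no longer considered adequate against collision search.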
40. General Structure of Secure Hash Code
cryptanalytic attacks exploit some property of the algorithm so are faster
than exhaustive search
hash functions use an iterative (Merkle-Damgård) structure
process message in blocks (including the length as the final input)
attacks focus on collisions in the compression function f
41. Block Ciphers as Hash Functions
• Can use block ciphers as hash functions
Using H_0 = 0 and zero-pad of the final block
compute: H_i = E_{M_i}[H_{i-1}] (the message block is used as the key)
Use the final block as the hash value
Similar to CBC but without a key
• Resulting hash is too small (64-bit)
Due to direct birthday attack
Due to "meet-in-the-middle" attack
• Other variants also susceptible to attack
42. Hash Functions and MAC Security
• Brute-force attacks exploiting:
Strong collision resistance: for an m-bit hash the cost is 2^(m/2).
Have proposal for a hardware MD5 cracker.
128-bit hash looks vulnerable, 160 bits better.
MACs with known message-MAC pairs:
Can either attack the keyspace (key search) or the MAC.
At least a 128-bit MAC is needed for security.
43. Hash Functions and MAC Security
• Cryptanalytic attacks exploit structure
Like block ciphers, want brute-force attacks to be the best
alternative.
• Have a number of analytic attacks on iterated hash functions.
CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
Typically focus on collisions in the function f.
Like block ciphers, f is often composed of rounds.
Attacks exploit properties of the round functions.
45. MD5
designed by Ronald Rivest (the “R” in RSA)
latest in a series of MD2, MD4
produces a 128-bit hash value
until recently was the most widely used hash algorithm
in recent times have both brute-force & cryptanalytic
concerns
specified as Internet standard RFC1321
46. MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
using 4 rounds of 16 steps each on the message block
& buffer
add output to buffer input to form the new buffer value
5. output hash value is the final buffer value
48. Implementation Steps
Step 1: Append padding bits
The message is padded so that its bit length ≡ 448 mod
512 (i.e., the length of the padded message is 64 bits less
than an integer multiple of 512 bits)
Padding is always added, even if the message is already
of the desired length, so the number of padding bits is in the range 1 to 512
Padding bits: 1000…0 (a single 1-bit followed by the
necessary number of 0-bits)
49. Implementation Steps
Step 2: Append length
A 64-bit length field is appended; it contains the length of the original
message (before padding) modulo 2^64, stored as little-endian words
The expanded message is Y_0, Y_1, …, Y_{L-1}; the total
length is L × 512 bits
The expanded message can be thought of as a multiple
of 16 32-bit words
Let M[0 … N-1] denote the words of the resulting
message, where N = L × 16
50. Implementation Steps
Step 3: Initialize MD buffer
128-bit buffer (four 32-bit registers A,B,C,D) is used to hold
intermediate and final results of the hash function
A,B,C,D are initialized to the following values
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
Stored in little-endian format (least significant byte of a word
in the low-address byte position)
word A : 01 23 45 67 (low address … high address)
word B : 89 AB CD EF
word C : FE DC BA 98
word D : 76 54 32 10
51. Implementation Steps
Step 4: Process message in 512-bit (16-word) blocks
The heart of the algorithm is called the compression function; it consists
of 4 rounds
The 4 rounds have a similar structure, but each uses a different
primitive logical function, referred to as F, G, H, and I
Each round takes as input the current 512-bit block (Y_q) and the 128-
bit buffer value ABCD and updates the contents of the buffer
Each round also uses the table T[1 … 64], constructed from
the sine function; T[i] = integer part of 2^32 × abs(sin(i)), i in radians
The output of the 4th round is added to CV_q to produce
CV_{q+1}
53. Implementation Steps
Step 5: Output
After all L 512-bit blocks have been processed, the output
from the Lth stage is the 128-bit message digest
CV_0 = IV
CV_{q+1} = SUM32(CV_q, RF_I[Y_q, RF_H[Y_q, RF_G[Y_q, RF_F[Y_q, CV_q]]]])
MD = CV_L
Where
IV = initial value of the ABCD buffer, defined in step 3
Y_q = the qth 512-bit block of the message
L = the number of blocks in the message (including padding and
length fields)
CV_q = chaining variable processed with the qth block of the message
RF_x = round function using primitive logical function x
MD = final message digest value
SUM32 = addition modulo 2^32 performed separately on each word
54. MD5 Compression Function
Each round consists of a sequence of 16 steps operating on the buffer
ABCD
Each step is of the form
a ← b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)
where a, b, c, d = the 4 words of the buffer, in a specified order that varies across
steps
g = one of the primitive functions F, G, H, I
<<< s = circular left shift (rotation) of the 32-bit argument by s bits
X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the
message
T[i] = the ith 32-bit word in table T
+ = addition modulo 2^32
56. MD5 Operation
One of the 4 primitive logical functions is used in each of the
4 rounds of the algorithm
Each primitive function takes three 32-bit words as
input and produces a 32-bit word as output
Each function performs a set of bitwise logical
operations: F = (b AND c) OR (NOT b AND d), G = (b AND d) OR (c AND NOT d),
H = b XOR c XOR d, I = c XOR (b OR NOT d)
57. MD4
precursor to MD5
also produces a 128-bit hash of message
has 3 rounds of 16 steps versus 4 in MD5
design goals:
collision resistant (hard to find collisions)
direct security (no dependence on "hard" problems)
fast, simple, compact
favors little-endian systems (eg PCs)
58. Strength of MD5
MD5 hash is dependent on all message bits
Rivest claimed security is as good as can be
early known attacks were:
Berson 92 attacked any 1 round using differential
cryptanalysis (but could not extend it)
Boer & Bosselaers 93 found a pseudo-collision (again
unable to extend)
Dobbertin 96 created collisions on the MD5 compression
function (but the initial constants prevented exploitation)
conclusion at the time was that MD5 looked vulnerable soon; practical
full collisions were published by Wang et al. in 2004, so MD5 must not be
used where collision resistance matters (e.g., signatures, certificates)
60. Overview
Developed by NIST (National Institute of Standards and Technology)
Published as FIPS 180 in 1993
A revised version was issued as FIPS 180-1 in 1995
Generally referred to as SHA-1
SHA is based on the hash function MD4 and its design closely models
MD4.
SHA-1 produces a hash value of 160 bits; a practical SHA-1 collision was
demonstrated in 2017, so it is no longer acceptable for signatures.
A revised version of the standard, FIPS 180-2, defined three new
versions of SHA, with hash value lengths of 256, 384 and 512 bits,
known as SHA-256, SHA-384 and SHA-512 (the SHA-2 family; the steps
below describe SHA-512).
61. SHA-512 Overview
1. pad message so its length is 896 mod 1024
2. append a 128-bit length value to message
3. initialise 8-word (512-bit) buffer (a,b,c,d,e,f,g,h)
4. process message in 16-word (1024-bit) blocks:
using 80 rounds on the message block & buffer
add output to buffer input to form the new buffer value
5. output hash value is the final buffer value
63. Implementation Steps
Step 1: Append padding bits
The message is padded so that its bit length is congruent
to 896 modulo 1024 [length K ≡ 896 mod 1024]
Padding is always added, even if the message is already
of the desired length.
Thus, the number of padding bits is in the range of 1 to
1024.
The padding consists of a single 1-bit followed by the
necessary number of 0-bits.
64. Implementation Steps
Step 2: Append length
A block of 128 bits is appended to the message.
This block is treated as an unsigned 128-bit integer (most
significant byte first) and contains the length of the
original message (before the padding).
The outcome of the first two steps yields a message that
is an integer multiple of 1024 bits in length.
In the figure, the expanded message is represented as the
sequence of 1024-bit blocks M_1, M_2, …, M_N, so that the
total length of the expanded message is N × 1024 bits.
65. Implementation Steps
Step 3: Initialize hash buffer
A 512-bit buffer is used to hold intermediate and final results of the hash
function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and h).
These registers are initialized to eight fixed 64-bit integers (the hexadecimal
values are given in FIPS 180).
These values are stored in big-endian format, that is, the most significant byte
of a word in the low-address (leftmost) byte position.
These words were obtained by taking the first sixty-four bits of the fractional
parts of the square roots of the first eight prime numbers.
66. Implementation Steps
Step 4: Process message in 1024-bit (16-word)
blocks
The heart of the algorithm is a module that consists of 80 rounds; this
module is labeled F in the figure.
Each round takes as input the 512-bit buffer value, abcdefgh, and updates
the contents of the buffer.
At input to the first round, the buffer has the value of the intermediate
hash value, H_{i-1}.
Each round t makes use of a 64-bit value W_t, derived from the current
1024-bit block being processed (M_i) by the message schedule.
Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79
indicates one of the 80 rounds.
The output of the eightieth round is added to the input to the first round
(H_{i-1}) to produce H_i. The addition is done independently for each of the
eight words in the buffer with each of the corresponding words in H_{i-1},
using addition modulo 2^64.
68. Implementation Steps
Step 5: Output
After all N 1024-bit blocks have been processed, the output
from the Nth stage is the 512-bit message digest.
H_0 = IV, H_i = SUM64(H_{i-1}, abcdefgh_i)
MD = H_N
where,
IV = initial value of the abcdefgh buffer, defined in step 3.
abcdefgh_i = the output of the last round of processing of the ith
message block.
N = the number of blocks in the message (including padding and
length fields).
SUM64 = addition modulo 2^64 performed separately on each word of
the pair of inputs.
MD = final message digest value.
73. HMAC Design Principles
To use, without modifications, available hash functions.
In particular, to use hash functions that perform well in
software and for which code is freely and widely available.
To allow for easy replaceability of the embedded hash
function in case faster or more secure hash functions are
found or required.
To preserve the original performance of the hash function
without incurring a significant degradation.
To use and handle keys in a simple way.
To have a well-understood cryptographic analysis of the
strength of the authentication mechanism based on
reasonable assumptions about the embedded hash function.
74. Algorithm
HMAC defines the following terms.
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to the hash function
M = message input to HMAC (including the padding specified in the
embedded hash function)
Y_i = ith block of M, 0 ≤ i ≤ (L - 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by the embedded hash function
K = secret key; recommended length is ≥ n; if the key length is greater
than b, the key is input to the hash function to produce an n-bit key
K+ = K padded with zeros so that the result is b bits in
length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times
76. Algorithm
The algorithm is as follows:
1. Append zeros to the end of K to create a b-bit string K+ (e.g.,
if K is of length 160 bits and b = 512, then K is followed by
44 zero bytes, i.e. 352 zero bits; RFC 2104 pads on the right).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit
block S_i.
3. Append M to S_i.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block S_o.
6. Append the hash result from step 4 to S_o.
7. Apply H to the stream generated in step 6 and output the result.
In one line: HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
89. 14-1 INTRODUCTION
Entity authentication is a technique designed to let one
party prove its identity to another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called
the claimant; the party that checks the identity
of the claimant is called the verifier.
90. 14.1.1 Data-Origin Versus Entity Authentication
Message Authentication                Entity Authentication
Does not happen in real time          Happens in real time
Authenticates one message and is      Authenticates the claimant for
repeated for each new message         the entire duration of a session
93. 14.2.1 Fixed Password
First Approach
Figure 14.1 User ID
and password file
Attacks on the first approach
Eavesdropping
Stealing a password
Accessing a password file
guessing
94. Second Approach
[contd…]
Figure 14.2 Hashing
the password
Dictionary attack
Create a list of likely passwords, calculate the hash value of
each, and search the second-column entries to find a
match; one precomputed table serves every user in the file.
95. Third Approach
[contd…]
Figure 14.3 Salting
the password
When the password is created, a random string, called
the salt, is concatenated to the password. The salted
password is then hashed, and the salt is stored beside the hash in the clear.
Because every user gets a different salt, a dictionary table must be
recomputed per user, and two users with the same password get different entries.
The Unix OS uses a variation of this method.
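The second and third approaches side by side, as an added example that is not code from the original notes: a dictionary attack against a file of unsalted hashes needs one precomputed table for all users, while salted entries force the attacker to redo every guess per user. The word list, user names and passwords are constructed; the salted entry uses PBKDF2-HMAC-SHA256 (a deliberately slow, iterated hash, the modern form of the Unix variation) with a small iteration count chosen so the demo stays fast. The `salt$hash` storage format is an assumption of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000            # kept small for the demo; deployments use far more

# Constructed word list: the attacker's dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def unsalted_entry(password: str) -> str:
    """Second approach: the file stores H(password) only."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_entry(password: str, salt: bytes = None) -> str:
    """Third approach: random salt stored beside a slow hash of salt || password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_salted(password: str, entry: str) -> bool:
    salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack_unsalted(user_file: dict) -> tuple:
    """One table of H(word) serves every user: work is |wordlist|, not |users| x |wordlist|.
    Returns (cracked users, number of hash computations)."""
    table = {unsalted_entry(w): w for w in WORDLIST}
    cracked = {user: table[h] for user, h in user_file.items() if h in table}
    return cracked, len(WORDLIST)


def dictionary_attack_salted(user_file: dict) -> tuple:
    """Salts make the shared table useless: each guess is re-hashed under each user's salt."""
    cracked, work = {}, 0
    for user, entry in user_file.items():
        for w in WORDLIST:
            work += 1
            if check_salted(w, entry):
                cracked[user] = w
                break
    return cracked, work


def demo() -> tuple:
    # Constructed user file: three users, two of them sharing a weak password.
    passwords = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
    unsalted = {u: unsalted_entry(p) for u, p in passwords.items()}
    salted = {u: salted_entry(p) for u, p in passwords.items()}
    return dictionary_attack_unsalted(unsalted), dictionary_attack_salted(salted), unsalted, salted
```

Weak passwords are still cracked in the salted file; the salt buys per-user work and hides which users share a password, and the iterated hash multiplies the cost of every guess, which together is what makes the dictionary attack expensive rather than impossible.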
96. Fourth Approach
• Two identification techniques are combined.
• A good example of this type of authentication is the use of
an ATM card (something possessed) with a PIN (personal
identification number) (something known).
[contd…]
97. 14.2.2 One-Time Password
A one-time password is a password that is used only
once.
In the first approach, the user and the system agree upon
a list of passwords.
In the second approach, the user and the system agree to
sequentially update the password.
In the third approach, the user and the system create a
sequentially updated password using a hash function.
98. [contd…]
Figure 14.4 the third approach -- Lamport one-time password
Alice and Bob agree upon an
original password P0 and a counter n.
The system stores the identity of
Alice, the value of n and the hash h^n(P0); each login uses the next lower
element of the chain, h^(n-1)(P0), h^(n-2)(P0), …, and the system checks
that hashing the received value once gives the value it stored.
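The Lamport scheme of Figure 14.4, as an added example that is not code from the original notes: the server stores only (identity, n, h^n(P0)) with h = SHA-256, the client sends h^(n-1)(P0), h^(n-2)(P0), ... in turn, and the server accepts a value only if hashing it once reproduces what it stored, then replaces the stored value and decrements n. The initial password, the counter and the replay scenario are constructed for the demonstration.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_n(x: bytes, n: int) -> bytes:
    """h applied n times: h^n(x)."""
    for _ in range(n):
        x = h(x)
    return x


class LamportServer:
    """Stores Alice's identity, the counter n and h^n(P0); P0 itself is never stored."""

    def __init__(self, identity: str, p0: bytes, n: int):
        self.identity, self.n, self.stored = identity, n, h_n(p0, n)

    def login(self, identity: str, otp: bytes) -> bool:
        if identity != self.identity or self.n == 0:
            return False
        # The password sent this time must hash to the one accepted last time.
        if not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored, self.n = otp, self.n - 1      # walk the chain one step back
        return True


class LamportClient:
    def __init__(self, p0: bytes, n: int):
        self.p0, self.n = p0, n

    def next_password(self) -> bytes:
        """h^(n-1)(P0) first, then h^(n-2)(P0), ... down to P0 itself."""
        self.n -= 1
        return h_n(self.p0, self.n)


def run_session(n: int = 5, p0: bytes = b"constructed initial password") -> dict:
    """Three logins, one replay of the last password seen on the wire, the rest of
    the chain, then one attempt after the chain is used up."""
    assert n >= 3
    alice, server = LamportClient(p0, n), LamportServer("alice", p0, n)
    logins = [server.login("alice", alice.next_password()) for _ in range(3)]
    sniffed = h_n(p0, n - 3)                       # the most recent OTP Mallory captured
    replay = server.login("alice", sniffed)        # h(sniffed) != stored, so it is rejected
    rest = [server.login("alice", alice.next_password()) for _ in range(n - 3)]
    exhausted = server.login("alice", alice.next_password())   # n is 0: chain must be renewed
    return {"logins": logins, "replay": replay, "rest": rest, "exhausted": exhausted}
```

A captured password is useless afterwards because it can only be replayed forward, and the one-way property of h stops anyone from computing the next lower link from it; the price is that the chain runs out after n uses and a new P0 and n must be agreed, and that an attacker who intercepts and blocks a password can use it once in Alice's place.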
99. 14-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her
identity by demonstrating that she knows a secret,
the password.
In challenge-response authentication, the claimant
proves that she knows a secret without sending it.
100. [contd…]
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to
the verifier.
Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.
Note
101. 14.3.1 Using a Symmetric-Key Cipher
First Approach Figure 14.5 Nonce challenge
1. ID of claimant
2. The challenge: R_B is the nonce randomly chosen by Bob to
challenge Alice
3. Alice encrypts the nonce using the shared secret key known only
to Alice and Bob. Bob decrypts the message; if the nonce
obtained from decryption is the same as the one he sent, Alice is authenticated.
102. Second Approach
[contd...]
Figure 14.6 Timestamp challenge
The challenge message is the current time sent
from the verifier to the claimant.
The claimant encrypts Alice's ID and the time with the
Alice-Bob secret key.
103. Third Approach.
[contd…]
Figure 14.7 Bidirectional authentication
1. Alice's ID
2. The challenge from Bob to Alice, R_B
3. Alice responds and sends her own challenge, R_A
4. Bob's response. R_A and R_B are switched to prevent a replay (reflection) attack.
104. 14.3.2 Using Keyed-Hash Functions
Figure 14.8 Keyed-hash function
1. The challenge message is the current time sent from the
verifier to the claimant.
2. The timestamp is sent both as plaintext and as text scrambled
by the keyed-hash function.
3. Bob compares his calculation with what he received.
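The nonce exchange of Figure 14.5 and the timestamp exchange of Figure 14.6, both in the keyed-hash form of Figure 14.8, as an added example that is not code from the original notes. The shared key, the identities and the clock values are constructed; HMAC-SHA256 from the standard library stands in for the keyed hash. The verifier keeps the set of nonces it has issued and accepts each exactly once, which is what turns a fresh nonce into replay protection; the timestamp variant needs loosely synchronised clocks and a window, and remembers recently seen (identity, timestamp) pairs inside that window.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the demo; a real system provisions this per user.
K_AB = b"alice-bob shared secret (constructed)"


def respond_nonce(key: bytes, identity: str, rb: bytes) -> bytes:
    """Alice: keyed hash over her ID and Bob's nonce; the key itself is never sent."""
    return hmac.new(key, identity.encode() + b"|" + rb, hashlib.sha256).digest()


class NonceVerifier:
    """Bob: issue a fresh random nonce, accept it exactly once."""

    def __init__(self, key: bytes):
        self.key, self.outstanding = key, set()

    def challenge(self) -> bytes:
        rb = os.urandom(16)
        self.outstanding.add(rb)
        return rb

    def verify(self, identity: str, rb: bytes, resp: bytes) -> bool:
        if rb not in self.outstanding:          # never issued, or already consumed: a replay
            return False
        self.outstanding.discard(rb)
        return hmac.compare_digest(respond_nonce(self.key, identity, rb), resp)


def respond_timestamp(key: bytes, identity: str, ts: int) -> bytes:
    """Alice: the timestamp travels in clear and under the keyed hash."""
    return hmac.new(key, f"{identity}|{ts}".encode(), hashlib.sha256).digest()


def verify_timestamp(key: bytes, identity: str, ts: int, resp: bytes, now: int,
                     window: int = 30, seen: set = None) -> bool:
    """Bob: clocks must agree to within `window` seconds; `seen` rejects a replay
    of the same (identity, timestamp) inside that window."""
    if abs(now - ts) > window:
        return False
    if seen is not None:
        if (identity, ts) in seen:
            return False
        seen.add((identity, ts))
    return hmac.compare_digest(respond_timestamp(key, identity, ts), resp)


def run_nonce_exchange(key_alice: bytes = K_AB) -> tuple:
    """One full round: (genuine response accepted?, replay of it accepted?)."""
    bob = NonceVerifier(K_AB)
    rb = bob.challenge()                           # 2. Bob -> Alice: R_B
    resp = respond_nonce(key_alice, "Alice", rb)   # 3. Alice -> Bob: HMAC(K, ID_A || R_B)
    first = bob.verify("Alice", rb, resp)
    replay = bob.verify("Alice", rb, resp)         # Mallory re-sends the captured pair
    return first, replay
```

Binding the identity into the hashed data matters in the bidirectional version of Figure 14.7 too: without it, a response computed for one direction could be reflected back as the answer to the other party's challenge.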
105. 14.3.3 Using an Asymmetric-Key Cipher
First Approach
Figure 14.9 Unidirectional, asymmetric-key authentication
Ownership of claimant’s private key
109. 14-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does not
reveal anything that might endanger the
confidentiality of the secret.
The claimant proves to the verifier that she knows a
secret, without revealing it.
The interactions are so designed that they cannot lead to
revealing or guessing the secret.
110. 14.4.1 Fiat-Shamir Protocol
Figure 14.13 Fiat-Shamir protocol
Setup: Alice's private key is s; her public key is v = s^2 mod n.
1. Alice picks a random r and sends the commitment x = r^2 mod n.
2. Bob sends a random challenge c ∈ {0, 1}.
3. Alice sends y = r · s^c mod n (y is from the private key and the challenge c).
4. Bob accepts if y^2 ≡ x · v^c (mod n) (x · v^c is from the public key of Alice).
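The Fiat-Shamir round above, run end to end as an added example that is not code from the original notes, with both an honest Alice and a prover who does not know s. The modulus is a constructed toy n = p·q built from two Mersenne primes, far too small for real use but enough to show the mechanics: an honest prover passes every round, while the cheater's only strategy is to guess Bob's challenge bit in advance and fit the commitment to that guess, which works with probability 1/2 per round.

```python
import random

# Constructed toy parameters: n = p*q with two Mersenne primes. Only the protocol
# mechanics are being demonstrated; real deployments use a much larger n.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q


def keygen(rng: random.Random) -> tuple:
    """Alice's private s and public v = s^2 mod n."""
    s = rng.randrange(2, N - 1)
    return s, pow(s, 2, N)


def honest_round(s: int, v: int, rng: random.Random) -> bool:
    r = rng.randrange(1, N)                          # 1. commitment x = r^2
    x = pow(r, 2, N)
    c = rng.randrange(2)                             # 2. Bob's challenge c in {0, 1}
    y = (r * pow(s, c, N)) % N                       # 3. response y = r * s^c
    return pow(y, 2, N) == (x * pow(v, c, N)) % N    # 4. check y^2 = x * v^c


def cheating_round(v: int, rng: random.Random) -> bool:
    """Prover without s: guess the challenge, choose y first, and fit x to it.
    x = y^2 * v^(-guess) satisfies the check exactly when Bob's c equals the guess."""
    guess = rng.randrange(2)
    y = rng.randrange(1, N)
    x = (pow(y, 2, N) * pow(pow(v, -1, N), guess, N)) % N
    c = rng.randrange(2)                             # Bob chooses after seeing x
    return pow(y, 2, N) == (x * pow(v, c, N)) % N


def run(rounds: int = 40, seed: int = 7) -> tuple:
    """(rounds passed by the honest prover, rounds passed by the cheater)."""
    rng = random.Random(seed)
    s, v = keygen(rng)
    honest = sum(honest_round(s, v, rng) for _ in range(rounds))
    cheat = sum(cheating_round(v, rng) for _ in range(rounds))
    return honest, cheat
```

After t rounds a cheater survives with probability 1/2^t, which is why the protocol is repeated; the transcript (x, c, y) reveals nothing about s because Bob could have produced an identically distributed transcript himself by the same guess-then-fit trick.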
111. Cave Example
[contd…]
Figure 14.14 Cave example
The door can only be
opened with a magic word.
Alice claims that she knows
the word and that she can
open the door. Bob and
Alice are at point 1. Alice
enters the cave and reaches
point 2.
1. Alice chooses to go either right or left. After Alice disappears, Bob comes to
point 2 and asks Alice to come up from either the right or the left.
2. If Alice knows the magic word, she can always come up from the side Bob asks for. If
she does not know the word, she comes up from the requested side with probability ½.
3. The game is repeated many times; after t rounds a cheating Alice succeeds with
probability 1/2^t.
112. 14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol
Setup: Alice's private key is k numbers s_1, …, s_k; her public key is
v_1, …, v_k with v_i = (s_i^-1)^2 mod n.
1. Alice picks a random r and sends the commitment x = r^2 mod n.
2. Bob sends k challenge bits c_1, …, c_k, each in {0, 1}.
3. Alice sends y = r · s_1^c_1 · s_2^c_2 · … · s_k^c_k mod n.
4. Bob accepts if x ≡ y^2 · v_1^c_1 · v_2^c_2 · … · v_k^c_k (mod n).
114. 14-5 BIOMETRICS
Biometrics is the measurement of physiological or
behavioral features that identify a person
(authentication by something inherent).
Biometric features are hard to guess, share or forget, but a captured sample
or template can be replayed and, unlike a password, cannot be changed once
compromised.
120. User Authentication
Fundamental security building block
Basis of access control & user accountability
Is the process of verifying an identity claimed by or for
a system entity
Has two steps:
Identification - specify identifier
Verification - bind entity (person) and identifier
Distinct from message authentication
121. Means of User Authentication
Four means of authenticating a user's identity
Based on something the individual
Knows - e.g. Password, PIN
Possesses - e.g. Key, token, smartcard
Is (static biometrics) - e.g. Fingerprint, retina
Does (dynamic biometrics) - e.g. Voice, signature
Can use alone or combined
All can provide user authentication
All have issues
122. Authentication Protocols
Used to convince parties of each others identity and to
exchange session keys
May be one-way or mutual
Key issues are
Confidentiality – to protect session keys
Timeliness – to prevent replay attacks
123. Replay Attacks
• Where a valid signed message is copied and later resent
• Simple replay
• Repetition that can be logged
• Repetition that cannot be detected
• Backward replay without modification
• Countermeasures include
• Use of sequence numbers (generally impractical)
• Timestamps (needs synchronized clocks)
• Challenge/response (using unique nonce)
124. One-Way Authentication
Required when sender & receiver are not in
communications at same time (eg. Email)
Have header in clear so can be delivered by email
system
May want contents of body protected & sender
authenticated
125. Using Symmetric Encryption
As discussed previously can use a two-level hierarchy
of keys
Usually with a trusted key distribution center (KDC)
Each party shares own master key with KDC
KDC generates session keys used for connections
between parties
Master keys used to distribute these to them
126. Needham-Schroeder Protocol
original third-party key distribution protocol
for a session between A and B mediated by the KDC
protocol overview is:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
3. A → B: E(K_b, [K_s || ID_A])
4. B → A: E(K_s, [N_2])
5. A → B: E(K_s, [f(N_2)])
127. Needham-Schroeder Protocol
Used to securely distribute a new session key for
communications between A & B
But is vulnerable to a replay attack if an old session
key has been compromised
Then message 3 can be resent, convincing B that it is
communicating with A, and the attacker (knowing the old K_s) can answer
B's challenge in steps 4 and 5
Modifications to address this require:
Timestamps in steps 2 & 3 (Denning 81)
Using an extra nonce (Neuman 93)
128. One-Way Authentication
use a refinement of the KDC protocol to secure email
since B is not online, drop steps 4 & 5
protocol becomes:
1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
3. A → B: E(K_b, [K_s || ID_A]) || E(K_s, M)
provides encryption & some authentication
does not protect from replay attack
130. Introduction
Trusted key server system from MIT
Provides centralised private-key third-party
authentication in a distributed network
Allows users access to services distributed through the
network
Without needing to trust all workstations
Rather all trust a central authentication server
Two versions: 4 (obsolete) & 5 (the one deployed today)
131. Kerberos Requirements
First published report identified its requirements as:
Security
Reliability
Transparency
Scalability
Implemented using an authentication protocol based
on Needham-Schroeder
132. Kerberos 4 Overview
A basic third-party authentication scheme
Have an Authentication Server (AS)
Users initially negotiate with AS to identify self
AS provides a non-corruptible authentication credential
(ticket granting ticket TGT)
Have a Ticket Granting Server (TGS)
Users subsequently request access to other services from
TGS on basis of users TGT
134. Steps
Step 1: The user logs on and requests a service on a host, so the client requests a
ticket-granting ticket from the Authentication Server.
Step 2: The Authentication Server verifies the user's access rights using its database and then
returns a ticket-granting ticket and a session key, encrypted under a key derived from the
user's password.
Step 3: The client decrypts the message using the password-derived key, then sends the ticket to the
Ticket Granting Server together with an authenticator containing the user name and
network address.
Step 4: The Ticket Granting Server decrypts the ticket sent by the user, verifies the request
against the authenticator, then creates the ticket for the requested service from the Server.
Step 5: The user sends the ticket and authenticator to the Server.
Step 6: The Server verifies the ticket and authenticator, then generates the access to the
136. Kerberos Realms
A kerberos environment consists of:
A kerberos server
A number of clients, all registered with server
Application servers, sharing keys with server
This is termed a realm
Typically a single administrative domain
If have multiple realms, their kerberos servers must
share keys and trust
140. X.509 Authentication Service
part of CCITT X.500 directory service standards
distributed servers maintaining some info database
defines framework for authentication services
directory may store public-key certificates
with public key of user
signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
algorithms not standardised, but RSA recommended
141. X.509 Certificates
issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
notation CA<<A>> denotes certificate for A signed by
CA
143. Obtaining a Certificate
any user with access to the CA can get any certificate from
it
only the CA can modify a certificate
because certificates cannot be forged without the CA's private key, they
can be placed in a public directory
144. CA Hierarchy
if both users share a common CA then they are
assumed to know its public key
otherwise CA's must form a hierarchy
use certificates linking members of hierarchy to
validate other CA's
each CA has certificates for clients (forward) and parent
(backward)
each client trusts parents certificates
enable verification of any certificate from one CA
by users of all other CAs in hierarchy
146. Certificate Revocation
certificates have a period of validity
may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CA’s maintain list of revoked certificates
the Certificate Revocation List (CRL)
users should check certs with CA’s CRL
147. Authentication Procedures
X.509 includes three alternative authentication
procedures:
One-Way Authentication
Two-Way Authentication
Three-Way Authentication
all use public-key signatures
148. One-Way Authentication
1 message ( A->B) used to establish
the identity of A and that message is from A
message was intended for B
integrity & originality of message
message must include timestamp, nonce, B's identity
and is signed by A
149. Two-Way Authentication
2 messages (A->B, B->A) which also establishes in
addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
reply includes original nonce from A, also timestamp
and nonce from B
150. Three-Way Authentication
3 messages (A->B, B->A, A->B) which enables above
authentication without synchronized clocks
has reply from A back to B containing signed copy of
nonce from B
means that timestamps need not be checked or relied
upon
151. X.509 Version 3
has been recognised that additional information is
needed in a certificate
email/URL, policy details, usage constraints
rather than explicitly naming new fields defined a
general extension method
extensions consist of:
extension identifier
criticality indicator
extension value
152. Certificate Extensions
key and policy information
convey info about subject & issuer keys, plus indicators
of certificate policy
certificate subject and issuer attributes
support alternative names, in alternative formats for
certificate subject and/or issuer
certificate path constraints
allow constraints on use of certificates by other CA’s