Digital signature

1. DigitalSignature
Thehashvalueofamessageisencryptedwitha
user’sprivatekey(signing)
Anyonewhoknowstheuser’spublickeycan
verifytheintegrityofthemessage(Verification)
Anattackerwhowishestoalterthemessage
wouldneedtoknowtheuser’sprivatekey
EnsuresMessageauthenticationandnon-
repudiation.

2. DigitalSignatures
digitalsignaturesprovidetheabilityto:
verifyauthor,date&timeofsignature
authenticatemessagecontents
beverifiedbythirdpartiestoresolvedisputes
henceincludeauthenticationfunctionwith
additionalcapabilities

7. Direct&ArbitratedDigitalSignatures
involveonlysender&receiver
Assumesthatreceiverhassender’spublic-key
digitalsignaturemadebysendersigningentiremessageorhashwith
private-key
canencryptusingreceiverspublic-key
importantthatsignfirstthenencryptmessage&signature
securitydependsonsender’sprivate-key
Arbitrated
In an arbitrated signature there is more trust because the
sender'smessageissenttoanarbitertogetauthenticatedbeforeitis
sentofftothereceiver.
Direct

11. w
‘

12. AuthenticationProtocols
Usedtoconvincepartiesabouteachothers
identityandtoexchangesessionkeys
MaybeOne-wayorMutual

13. UsingSymmetric
Encryption
Usesatwo-levelhierarchyofkeysusuallywitha
trustedKeyDistributionCenter(KDC)
eachpartysharesownmasterkeywithKDC
KDCgeneratessessionkeysusedforconnections
betweenparties
masterkeysareusedtodistributethesetothem

14. Needham-Schroeder
Protocol
Original third-party key distribution
protocol for session between A and
BmediatedbyKDC
Protocoloverviewis:
1.A->KDC :IDA||IDB||N₁
2.KDC->A :EKa[Ks||IDB||
N₁||EKb[Ks||IDA]]
3.A->B :EKb[Ks||IDA]
4.B->A :EKs[N₂]
5.A->B :EKs[f(N₂)]

15. Needham-Schroeder
Protocol
usedtosecurelydistributeanewsessionkeyfor
communicationsbetweenA&B
butisvulnerabletoareplayattackifanold
sessionkeyhasbeencompromised
thenmessage3canberesentconvincingBthatis
communicatingwithA
modificationstoaddressthisrequire:
timestamps(Denning81)
usinganextranonce(Neuman93)

16. Denning’sApproach
1.
A ->KDC
:
IDA||IDB
2.
KDC-> A
:
E(Ka, [Ks||IDB||T||E(Kb,
[Ks||IDA||T])])
3.
A-> B
:
E(Kb, [Ks||IDA||T])
4.
B-> A
:
E(Ks, N₁)
5.
A ->B
:
E(Ks, f(N₁))

17. T is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B
knowthatthekeydistributionisafreshexchange.
AandBcanverifytimelinessbycheckingthat
|ClockT|<Dt₁+Dt₂
where Dt₁ is the estimated normal discrepancy between the KDC's clock and the local clock (at A or B) and
Dt₂istheexpectednetworkdelaytime.
Each node can set its clock against some standard reference source. Because the timestamp T is encrypted
using the secure master keys, an opponent, even with knowledge of an old session key, cannot succeed
becauseareplayofstep3willbedetectedbyBasuntimely.
The Denning protocol provide increased degree of security compared to the Needham/Schroeder protocol
butrequiresrelianceonclocksthataresynchronizedthroughoutthenetwork.
The problem occurs when a sender's clock is ahead of the intended recipient's clock. In this case, an
opponent can intercept a message from the sender and replay it later when the timestamp in the message
becomescurrentattherecipient'ssite.Thisreplay(SupressReplay)couldcauseunexpectedresult
DenningsApproach

18. Neuman’sApproach
Thisapproachpreventssuppress-replayattacksandatthe
sametimefixtheproblemsintheNeedham/Schroeder
protocol.
A->B : IDA||Na
2.B->KDC : IDB||Nb||E(Kb,[IDA||Na||Tb])
3.KDC->A : E(Ka,[IDB||Na||Ks||Tb])||E(Kb,
[IDA||Ks||Tb])||Nb
4.A->B : E(Kb,[IDA||Ks||Tb])||E(Ks,Nb)
1.
2.

19. Public-KeyEncryptionApproaches
Dening’sApproach
A->AS :IDA||IDB
2.AS->A :E(PRas,[IDA||PUa||T])||E(PRas,
[IDB||PUb||T])
A->B :E(PRas,[IDA||PUa||T])||E(PRas,
[IDB||PUb||T])
||E(PUb,E(PRa,[Ks||T]))
1.
2.
3.

20. WooandLam’sApproach
1.A->KDC :IDA||IDB
2.KDC->A :E(PRauth,[IDB||PUb])
3.A->B :E(PUb,[Na||IDA])
4.B->KDC :IDA||IDB||E(PUauth,Na)
5.KDC->B :E(PRauth,[IDA||PUa])||E(PUb,E(PRauth,
[Na||Ks||IDB]))
6.B->A :E(PUa,E(PRauth,[(Na||Ks||IDB)||Nb]))
7.A->B :E(Ks,Nb)

21. One-WayAuthentication
SymmetricEncryptionApproach
1.A->KDC:IDA||IDB||N₁
2.KDC->A:E(Ka,[Ks||IDB||N₁||E(Kb,[Ks||IDA])])
3.A->B:E(Kb,[Ks||IDA])||E(Ks,M)

22. Public-KeyEncryptionApproaches
Ifconfidentialityistheprimaryconcern,thenthe
followingmaybemoreefficient:
A->B:E(PUb,Ks)||E(Ks,M)
Ifauthenticationistheprimaryconcern,thena
digitalsignaturemaybesufficient
A->B:M||E(PRa,H(M))

23. One-WayAuthentication
Requiredwhensender&receiverarenotin
communicationsatsametime(eg.email)
Haveheaderinclearsocanbedeliveredby
emailsystem
Maywantcontentsofbodyprotected&sender
authenticated

24. UsingSymmetric
Encryption
canrefineuseofKDCbutcan’thavefinal
exchangeofnonces,vis:
1.A→KDC:IDA||IDB||N₁
2.KDC→A:EKa[Ks||IDB||N₁||EKb[Ks||IDA]]
3.A→B:EKb[Ks||IDA]||EKs[M]
doesnotprotectagainstreplays
couldrelyontimestampinmessage,though
emaildelaysmakethisproblematic

25. Public-KeyApproaches
haveseensomepublic-keyapproaches
ifconfidentialityismajorconcern,canuse:
A→B:EKUb[Ks]||EKs[M]
hasencryptedsessionkey,encryptedmessage
ifauthenticationneededuseadigitalsignaturewitha
digitalcertificate:
A→B:M||EKRa[H(M)]||EKRas[T||IDA||KUa]
withmessage,signature,certificate