Cns Unit 3
Cns Unit 3
MESSAGE AUTHENTICATION
Message authentication is a procedure to verify that received messages come
from the alleged source and have not been altered. Message authentication may also
verify sequencing and timeliness. It is intended against the attacks like content
modification, sequence modification, timing modification and repudiation. For
repudiation, concept of digital signatures is used to counter it. There are three classes
by which different types of functions that may be used to produce an authenticator.
They are:
51
MESSAGE AUTHENTICATION CODE
An alternative authentication technique involves the use of a secret key to
generate a small fixed-size block of data, known as cryptographic checksum or MAC,
which is appended to the message. This technique assumes that both the
52
communicating parties say A and B share a common secret key K. When A has a
message to send to B, it calculates MAC as a function C of key and message given as:
MAC=Ck(M) The message
and the MAC are transmitted to the intended recipient, who upon receiving performs
the same calculation on the received message, using the same secret key to generate a
new MAC. The received MAC is compared to the calculated MAC and only if they
match, then:
1. The receiver is assured that the message has not been altered: Any alternations
been done the MAC’s do not match.
2. The receiver is assured that the message is from the alleged sender: No one except
the sender has the secret key and could prepare a message with a proper MAC.
3. If the message includes a sequence number, then receiver is assured of proper
sequence as an attacker cannot successfully alter the sequence number.
Basic uses of Message Authentication Code (MAC) are shown in the figure:
53
The Data Authentication Algorithm, based on DES, has been one of the most widely
used MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB
113) and an ANSI standard (X9.17). But, security weaknesses in this algorithm have
been discovered and it is being replaced by newer and stronger algorithms. The
algorithm can be defined as using the cipher block chaining (CBC) mode of operation
of DES shown below with an initialization vector of zero.
The data (e.g., message, record, file, or program) to be authenticated are grouped into
contiguous 64-bit blocks: D1, D2,..., DN. If necessary, the final block is padded on the
right with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and
a secret key, K, a data authentication code (DAC) is calculated as follows:
The DAC consists of either the entire block ON or the leftmost M bits of the block, with
16
≤ M ≤ 64 Use of MAC needs a shared secret key between the communicating
parties and also MAC does not provide digital signature. The following table
summarizes the confidentiality and authentication implications of the approaches
shown above.
HASH FUNCTION
A variation on the message authentication code is the one-way hash function.
As with the message authentication code, the hash function accepts a variable-size
message M as input and produces a fixed-size hash code H(M), sometimes called a
message digest, as output. The hash code is a function of all bits of the message and
provides an error- detection capability: A change to any bit or bits in the message
results in a change to the hash code. A variety of ways in which a hash code can be
used to provide message authentication is shown below and explained stepwise in the
table.
54
In cases where confidentiality is not required, methods b and c have a n
advantage over those that encrypt the entire message in that less computation is
required. Growing interest for techniques that avoid encryption is due to reasons lik e,
Encryption software is quite slow and may be covered by patents. Also encryption
hardware costs are not negligible and the algorithms are subject to U.S export control.
A fixed-length hash value h is generated by a function H that takes as input a message
of arbitrary length: h=H(M).
sends M and H(M)
A authenticates the message by computing H(M) and checking the match
B
55
authentication, the hash function H must have the following properties
can be applied to a message of any size produces fixed-length output
Computationally easy to compute H(M) for any given M
H
Computationally infeasible to find M such that H(M)=h, for a given h, referred to as
the
one-way property
Computationally infeasible to find M’ such that H(M’)=H(M), for a given M, referred
to as weak collision resistance.
Computationally infeasible to find M,M’ with H(M)=H(M’) (to resist to birthday
attacks), referred to as strong collision resistance.
56
4.) Process Message in 512-bit (16-word) blocks: The heart of algorithm is the
compression function that consists of four rounds of processing and this module is
labeled HMD5 in the above figure and logic is illustrated in the following figure. The
four rounds have a similar structure, but each uses a different primitive logical
function, referred to as F, G, H and I in the specification. Each block takes as input the
current 512-bit block being processed Yq and the 128-bit buffer value ABCD and
updates the contents of the buffer. Each round also makes use of one-fourth of a 64-
element table T*1….64+, constructed from the sine function. The ith element of T,
denoted T[i], has the value equal to the integer part of 232 * abs(sin(i)), where i is in
radians. As the value of abs(sin(i)) is a value between 0 and 1, each element of T is an
integer that can be represented in 32-bits and would eliminate any regularities in the
input data. The output of fourth round is added to the input to the first round (CVq) to
produce CVq+1. The addition is done independently for each of the four words in the
buffer with each of the corresponding words in CVq, using addition modulo 232. This
operation is shown in the figure below:
57
5.) Output: After all L 512-bit blocks have been processed, the output from the Lth
stage is the 128- bit message digest. MD5 can be summarized as follows:
CV0 = IV CVq+1 = SUM32(CVq,RFIYqRFH[Yq,RFG[Yq,RFF[Yq,CVq]]]]) MD = CVL
Where,
IV = initial value of ABCD buffer, defined in step 3. Y q = the qth 512-bit block of the
message
L = the number of blocks in the message
CVq = chaining variable processed with the qth block of the message. RFx = round
function using primitive logical function x.
MD = final message digest value
SUM32 = Addition modulo 232 performed separately.
MD5 Compression Function:
Each round consists of a sequence of 16 steps operating on the buffer ABCD. Each
step is of the form, a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
where a, b, c, d refer to the four words of the buffer but used in varying permutations.
After 16 steps, each word is updated 4 times. g(b,c,d) is a different nonlinear function
in each round (F,G,H,I). Elementary MD5 operation of a single step is shown below.
58
The primitive function g of the F,G,H,I is given as:
Where the logical operators (AND, OR, NOT, XOR) are represented by the symbols (ᴧ,ᴠ,
~,(+)).
Each round mixes the buffer input with the next "word" of the message in a complex,
non- linear manner. A different non-linear function is used in each of the 4 rounds
(but the same function for all 16 steps in a round). The 4 buffer words (a,b,c,d) are
rotated from step to step so all are used and updated. g is one of the primitive
functions F,G,H,I for the 4 rounds respectively. X[k] is the kth 32-bit word in the
current message block. T[i] is the ith entry in the matrix of constants T. The addition
of varying constants T and the use of different shifts helps ensure it is extremely
difficult to compute collisions. The array of 32-bit words X[0..15] holds the value of
current 512-bit input block being processed. Within a round, each of the 16 words of
X[i] is used exactly once, during one step. The order in which these words is used
varies from round to round. In the first round, the
words are used in their original order. For rounds 2 through 4, the following
permutations are used
ƿ2(i)
= (1 +
5i)
mod
16
ƿ3(i)
= (5 +
59
3i)
mod
16
ƿ4(I)
= 7i
mod
16
MD4
Precursor to MD5
Design goals of MD4 (which are
carried over to MD5) Security
Speed
Simplicity and
compactness
Favor little-
endian
architecture
Main differences
A between MD5 and
MD4 fourth round has
been added.
Each step now has a unique additive constant.
The function g in round 2 was changed from (bc v bd v cd) to (bd v cd’) to make g
less symmetric.
Each step now adds in the result of the previous step. This promotes a faster
"avalanche effect".
The order in which input words are accessed in rounds 2 and 3 is changed, to
make these patterns less like each other.
The shift amounts in each round have been approximately optimized, to yield a
faster "avalanche effect." The shifts in different rounds are distinct.
SECURE HASH ALGORITHM
The secure hash algorithm (SHA) was developed by the National Institute of
Standards and Technology (NIST). SHA-1 is the best established of the existing SHA
hash functions, and is employed in several widely used security applications and
protocols. The algorithm takes as input a message with a maximum length of less
than 264 bits and produces as output a 160-bit message digest.
60
The input is processed in 512-bit blocks. The overall processing of a message follows the
structure of MD5 with block length of 512 bits and a hash length and chaining variable
length of 160 bits. The processing consists of following steps:
1.) Append Padding Bits: The message is padded so that length is congruent to 448
modulo 512; padding always added –one bit 1 followed by the necessary number of 0
bits.
2.) Append Length: a block of 64 bits containing the length of the original message is
added. 3.) Initialize MD buffer: A 160-bit buffer is used to hold intermediate and final
results on the hash function. This is formed by 32-bit registers A,B,C,D,E. Initial values:
A=0x67452301, B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=C3D2E1F0. Stores
in big-endian format
i.e. the most significant bit in low address.
4.) Process message in blocks 512-bit (16-word) blocks: The processing of a single 512-
bit block is shown above. It consists of four rounds of processing of 20 steps each. These
four rounds have similar structure, but uses a different primitive logical function, which
we refer to as f1, f2, f3 and f4. Each round takes as input the current 512-bit block being
processed and the 160-bit buffer value ABCDE and updates the contents of the buffer.
Each round also makes use of four distinct additive constants Kt. The output of the fourth
round i.e. eightieth step is added to the input to the first round to produce CV q+1.
5.) Output: After all L 512-bit blocks have been processed, the output from the Lth
stage is the 160-bit message digest.
61
The behavior of SHA-1 is as follows: CV0 = IV CVq+1 = SUM32(CVq, ABCDEq) MD =
CVL Where, IV = initial value of ABCDE buffer ABCDEq = output of last round of
processing of qth message block L = number of blocks in the message SUM32 =
Addition modulo 232 MD = final message digest value.
62
SHA shares much in common with MD4/5, but with 20 instead of 16
steps in each of the 4 rounds. Note the 4 constants are based on
sqrt(2,3,5,10). Note also that instead of just splitting the input block
into 32-bit words and using them directly, SHA-1 shuffles and mixes
them using rotates & XOR’s to form a more complex input, and greatly
increases the difficulty of finding collisions. A sequence of logical
functions f0, f1,..., f79 is used in the SHA-1. Each ft, 0<=t<=79, operates on
three 32-bit words B, C, D and produces a 32-bit word as output.
ft(B,C,D) is defined as follows: for words B, C, D, ft(B,C,D) = (B AND C) OR
((NOT B) AND D) ( 0 <= t <= 19) ft(B,C,D) = B XOR C XOR D (20 <= t
<= 39) ft(B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <=
59) ft(B,C,D) = B XOR C XOR D (60
<= t <= 79).
63
• The block cipher W is the core element of the Whirlpool hash function
• It is comprised of 4 steps.
– Add Round Key
– Shift Columns
– Mix Rows
– Substitute bytes
Add Round Key
• During the Add Round Key step, the message is XOR’d with the key
• If this is the first message block being run through, the key is a block of all zeros
• If this is any block except the first, the key is the digest of the previous block
Shift Columns
• Starting from left to right, each column gets rotated vertically a
number of bytes equal to which number column it is, from top to
bottom –
Ex:
64
Mix Rows
• [0,0][0,1][0,2] [0,0][2,1][1,2]
• [1,0][1,1][1,2] ------> [1,0][0,1][2,2]
• [2,0][2,1][2,2] [2,0][1,1][0,2]
• Each row gets shifted horizontally by the number of row it is.
Similar to the shift column function, but rotated left to right –
Ex:
• [0,0][0,1][0,2] [0,0][0,1][0,2]
• [1,0][1,1][1,2] ------> [1,2][1,0][1,2]
• [2,0][2,1][2,2] [2,1][2,2][0,2]
Substitute bytes
• Each byte in the message is passed through a set of s-boxes
• The output of this is then set to be the key for the next round
HMAC
Interest in developing a MAC, derived from a cryptographic hash code
has been increasing mainly because hash functions are generally faster
and are also not limited by export restrictions unlike block ciphers.
Additional reason also would be that the library code for cryptographic
hash functions is widely available. The original proposal is for
incorporation of a secret key into an existing hash algorithm and the
approach that received most support is HMAC. HMAC is specified as
Internet standard RFC2104. It
makes use of the hash function on the given message. Any of MD5,
SHA-1, RIPEMD-160 can be used.
HMAC Design Objectives
To use, without modifications, available hash functions
To allow for easy replaceability of the
embedded hash function To preserve the
original performance of the hash function
To use and handle keys in a simple way
To have a well understood cryptographic analysis of the strength of
the MAC based on reasonable assumptions on the embedded hash
function
The first two objectives are very important for the acceptability of HMAC. HMAC
treats the hash function as a “black box”, which has two benefits. First is that an
existing implementation of the hash function can be used for implementing HMAC
making the bulk of HMAC code readily available without modification. Second is that
if ever an existing hash function is to be replaced, the existing hash function module is
removed and new module is dropped in. The last design objective provides the main
advantage of HMAC over other proposed hash-based schemes. HMAC can be proven
secure provided that the embedded hash function has some reasonable cryptographic
strengths.
65
Steps involved in HMAC algorithm:
1. Append zeroes to the left end of K to create a b-bit string K+ (ex: If K
is of length 160- bits and b = 512, then K will be appended with 44 zero
bytes).
2. XOR(bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Now apply H to the stream generated in step-3
5. XOR K+ with opad to produce the b-bit block S0.
6. Append the hash result from step-4 to S0.
7. Apply H to the stream generated in step-6 and output the result.
HMAC Algorithm
HMAC Structure
The XOR with ipad results in flipping one-half of the bits of K. Similarly, XOR with
opad results in flipping one-half of the bits of K, but different set of bits. By passing Si
66
and S0 through the compression function of the hash algorithm, we have
pseudorandomly generated two keys from K.
HMAC should execute in approximately the same time as the embedded hash function
for long messages. HMAC adds three executions of the hash compression function (for
S0, Si, and the block produced from the inner hash)
A more efficient implementation is possible. Two quantities are precomputed. f(IV,
(K+
f(IV, (K+
where f is the compression function for the hash function which takes as arguments a
chaining variable of n bits and a block of b-bits and produces a chaining variable of n
bits.
As shown in the above figure, the values are needed to be computed initially and
every time a key changes. The precomputed quantities substitute for the initial value
(IV) in the hash function. With this implementation, only one additional instance of the
compression function is added to the processing normally produced by the hash
function. This implementation is worthwhile if most of the messages for which a MAC
is computed are short.
Security of HMAC:
The appeal of HMAC is that its designers have been able to prove an exact
relationship between the strength of the embedded hash function and the strength of
HMAC. The
security of a MAC function is generally expressed in terms of the probability of
successful forgery with a given amount of time spent by the forger and a given
number of message- MAC pairs created with the same key. Have two classes of
attacks on the embedded hash function:
1. The attacker is able to compute an output of the compression function even with an
IV that is random, secret and unknown to the attacker.
2. The attacker finds collisions in the hash function even when the IV is random and
67
secret.
These attacks are likely to be caused by brute force attack on key used which has work
of order 2n; or a birthday attack which requires work of order 2 (n/2) - but which
requires the attacker to observe 2 n blocks of messages using the same key - very
unlikely. So even MD5 is still secure for use in HMAC given these constraints.
CMAC
In cryptography, CMAC (Cipher-based Message Authentication Code)[1] is a block
cipher- based message authentication code algorithm. It may be used to provide
assurance of the authenticity and, hence, the integrity of binary data. This mode of
operation fixes security deficiencies of CBC-MAC (CBC-MAC is secure only for fixed-
length messages).
The core of the CMAC algorithm is a variation of CBC-
MAC that Black and Rogaway proposed and analyzed under the name XCBC and [2]
To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and
a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following
algorithm (this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let
≪ denote the standard left-shift operator and ⊕ denote exclusive or:
1. Divide message into b-bit blocks m = m1 ∥ ... ∥ mn−1 ∥ mn where m1, ..., mn−1 are
68
complete blocks. (The empty message is treated as 1 incomplete block.)
2. If mn is a complete block then mn′ = k1 ⊕ mn else mn′ = k2 ⊕ (mn∥ 10...02). 3. Let
c0 = 00…02.
4. For i = 1, ..., n-1, calculate ci = Ek(ci−1 ⊕ mi).
5. cn = Ek(cn−1 ⊕ mn′)
6. Output t = msbℓ(cn).
The verification process is as follows:
69
A decrypts the signature and checks the hash value to validate the message. Then
A transmits a message to Y, encrypted with Kay. The message includes IDx, the
original message from X, the signature, and a timestamp.
Arbiter sees message
Problem : the arbiter could form an alliance with sender to deny a signed message,
or with the receiver to forge the sender’s signature.
decrypts the signature using the sender's public key. If the calculated hash code
matches the decrypted signature, the signature is accepted as valid. Because only the
sender knows the private key, only the sender could have produced a valid signature.
70
The DSS approach also makes use of a hash function. The hash code is provided
as input to a signature function along with a random number k generated for this
particular signature. The signature function also depends on the sender's private key
(PRa) and a set of parameters known to a group of communicating principals. We can
consider this set to constitute a global public key (PUG).The result is a signature
consisting of two components, labeled s and r.
At the receiving end, the hash code of the incoming message is generated. This
plus the signature is input to a verification function. The verification function also
depends on the global public key as well as the sender's public key (PUa), which is
paired with the sender's private key. The output of the verification function is a value
that is equal to the signature component r if the signature is valid. The signature
function is such that only the sender, with knowledge of the private key, could have
produced the validsignature.
KNAPSACK ALGORITHM
Public-key cryptography needs two keys. One key tells you how to encrypt (or code) a
message and this is "public" so anyone can use it. The other key allows you to decode
(or decrypt) the message. This decryption code is kept secret (or private) so only the
person who knows the key can decrypt the message. It is also possible for the person
with the private key to encrypt a message with the private key, then anyone holding
the public key can decrypt the message, although this seems to be of little use if you
are trying to keep something secret!
The First General Public-Key Algorithm used what we call the Knapsack Algorithm.
Although we now know that this algorithm is not secure we can use it to look at how
these types of encryption mechanisms work.
71
weighs 17 but this might not matter.
You might represent the weight 30 by the binary code 11110 (one 1, one 6, one 8, one
15 and no 24).
Example:
Knapsack 1 6 8 15 24 1 6 8 15 24 1 6 8 15 24 1 6 8 15 24
So, if someone sends you the code 38 this can only have come from the plain text
01101. When the Knapsack Algorithm is used in public key cryptography, the idea is
to create two different knapsack problems. One is easy to solve, the other not. Using
the easy knapsack, the hard knapsack is derived from it. The hard knapsack becomes
the public key. The easy knapsack is the private key. The public key can be used to
encrypt messages, but cannot be used to decrypt messages. The private key decrypts
the messages.
The Superincreasing Knapsack Problem
So, for example, if you have a knapsack that weighs 23 that has been made from the
weights of the superincreasing series {1, 2, 4, 9, 20, 38} then it does not contain the
weight 38 (as 38 > 23)
but it does contain the weight 20; leaving 3;
which does not contain the weight 9 still leaving 3; which does not contain the weight
4 still leaving 3;
which contains the weight 2, leaving 1; which contains the weight 1. The binary code
is therefore 110010.
72
non-superincreasing knapsack and a total and see why this is the case.
One algorithm that uses a superincreasing knapsack for the private (easy) key and a
non-superincreasing knapsack for the public key was created by Merkle and Hellman
They did this by taking a superincreasing knapsack problem and converting it into a
non-superincreasing one that could be made public, using modulus arithmetic.
1×31 mod(110) = 31
2×31 mod(110) = 62
4×31 mod(110) = 14
10×31 mod(110) = 90
20×31 mod(110) = 70
40×31 mod(110) = 30
So the public key is: {31, 62, 14, 90, 70, 30} and
the private key is {1, 2, 4, 10, 20.40}.
73
The coded message is 121 197 205:
The
decoded
messag
e is:
100100
111100
101110.
Just as I thought!
Simple and short knapsack codes are far too easy to break to be of any real use. For a
knapsack code to be reasonably secure it would need well over 200 terms each of
length 200 bits.
AUTHENTICATION
APPLICATIONS
KERBEROS
Kerberos is an authentication service developed as part of Project Athena at MIT.
It addresses the threats posed in an open distributed environment in which users at
workstations wish to access services on servers distributed throughout the network.
Some of these threats are:
A user may gain access to a particular workstation and pretend to be another
user operating from that workstation.
A user may alter the network address of a workstation so that the requests
sent from the altered workstation appear to come from the impersonated
workstation.
A user may eavesdrop on exchanges and use a replay attack to gain entrance
to a server or to disrupt operations.
Two versions of Kerberos are in current use: Version-4 and Version-5. The first
published report on Kerberos listed the following requirements:
Secure: A network eavesdropper should not be able to obtain the necessary
information to impersonate a user. More generally, Kerberos should be strong enough
that a potential opponent does not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability
of the Kerberos service means lack of availability of the supported services. Hence,
Kerberos should be highly reliable and should employ a distributed server
architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking
place, beyond the requirement to enter a password.
74
Scalable: The system should be capable of supporting large numbers of clients and
servers. This suggests a modular, distributed architecture
Two versions of Kerberos are in common use: Version 4 is most widely used version.
Version 5 corrects some of the security deficiencies of Version 4. Version 5 has been
issued as a draft Internet Standard (RFC 1510)
KERBEROS VERSION 4
75
The Version 4 Authentication Dialogue The full Kerberos v4
authentication dialogue is shown here divided into 3 phases.
76
presents this ticket, as shown in message (5), it also sends an authenticator.
The server can decrypt the ticket, recover the session key, and decrypt
the authenticator. If mutual authentication is required, the server can
reply as shown in message (6).
Overview of Kerberos
77
The limitations of Kerberos version-4 are
categorised into two types: Environmental
shortcomings of Version 4:
– Encryption system dependence: DES
– Internet protocol dependence
– Ticket lifetime
– Authentication forwarding
– Inter-realm
authentication
Technical
deficiencies of
Version 4:
– Double encryption
– Session Keys
– Password attack
KERBEROS VERSION 5
Kerberos Version 5 is specified in RFC 1510 and provides a number of
improvements over version 4 in the areas of environmental
shortcomings and technical deficiencies. It includes some new elements
such as:
Realm: Indicates
realm of the user
Options
Times
– From: the desired start time for the ticket
– Till: the requested expiration time
– Rtime: requested renew-till time
Nonce: A random value to assure the response is fresh
The basic Kerberos version 5 authentication dialogue is shown here First, consider
the
78
authentication service exchange.
Message (1) is a client request for a ticket-granting ticket. Message (2) returns a
ticket- granting ticket, identifying information for the client, and a block encrypted
using the encryption key based on the user's password. This block includes the
session key to be used between the client and the TGS. Now compare the ticket-
granting service exchange for versions 4 and 5. See that message (3) for both
versions includes an authenticator, a ticket, and the name of the requested service. In
addition, version 5 includes requested times and options for the ticket and a nonce, all
with functions similar to those of message (1). The authenticator itself is essentially
the same as the one used in version 4. Message (4) has the same structure as message
(2), returning a ticket plus information needed by the client, the latter encrypted with
the session key now shared by the client and the TGS. Finally, for the client/server
authentication exchange, several new features appear in version 5, such as a request
for mutual authentication. If required, the server responds with message (6) that
includes the timestamp from the
authenticator. The flags field included in tickets in version 5 supports
expanded functionality compared to that available in version 4.
Advantages of Kerberos:
User's passwords are never sent across the network,
encrypted or in plain text Secret keys are only passed across
the network in encrypted form
Client and server systems
mutually authenticate limits the
It
duration of their users'
authentication.
Authentications are reusable and durable
Kerberos has been scrutinized by many of the top programmers,
cryptologists and security experts in the industry
79
X.509 AUTHENTICATION SERVICE
ITU-T recommendation X.509 is part of the X.500 series of recommendations
that define a directory service. The directory is, in effect, a server or distributed set of
servers that maintains a database of information about users. The information
includes a mapping from user name to network address, as well as other attributes
and information about the users. X.509 is based on the use of public-key
cryptography and digital signatures. The heart of the X.509 scheme is the public-key
certificate associated with each user. These user certificates are assumed to be created
by some trusted certification authority (CA) and placed in the directory by the CA or
by the user. The directory server itself is not responsible for the creation of public
keys or for the certification function; it merely provides an easily accessible location
for users to obtain certificates.
subject
80
unique
identifier
(v2+)
extension
fields (v3)
signature (of hash of all fields in certificate)
Scenario: Obtaining a User Certificate If both users share a common CA then they
are assumed to know its public key. Otherwise CA's must form a hierarchy and use
certificates linking members of hierarchy to validate other CA's. Each CA has
certificates for clients (forward) and parent (backward). Each client trusts parents
certificates. It
enables verification of any certificate from one CA by users of all other CAs in
hierarchy. A has obtained a certificate from the CA X1. B has obtained a certificate
from the CA X2. A can read the B’s certificate but cannot verify it. In order to solve the
problem ,the Solution: X1<<X2> X2<<B>>. A obtain the certificate of X2 signed by
X1 from directory.
obt
ain X2’s public key. A goes back to directory and obtain the certificate of B signed
by X2. obtain B’s public key securely. The directory entry for each CA includes two
types of certificates: Forward certificates: Certificates of X generated by other CAs
Reverse
certificates: Certificates generated by X that are the certificates of other CAs
X.509 CA Hierarchy
81
Revocation of Certificates Typically, a new certificate is issued
just before the expiration of the old one. In addition, it may be desirable
on occasion to revoke a certificate before it expires, for one of the
following reasons:
The user's private key is assumed to
be compromised. The user is no
longer certified by this CA.
The CA's certificate is assumed to be compromised.
Each CA must maintain a list consisting of all revoked but not expired certificates
issued by that CA, including both those issued to users and to other CAs. These lists
should also be posted on the directory. Each certificate revocation list (CRL)
posted to the directory is signed by the issuer and includes the issuer's name, the
date the list was created, the date the next CRL is scheduled to be issued, and an entry
for each revoked certificate. Each entry consists of the serial number of a certificate
and revocation date for that certificate. Because serial numbers are unique within a
CA, the serial number is sufficient to identify the certificate.
AUTHENTICATION PROCEDURES
X.509 also includes three alternative authentication procedures that are intended for use
across a variety of applications. All these procedures make use of public-key signatures. It
is assumed that the two parties know each other's public key, either by obtaining each
other's certificates from the directory or because the certificate is included in the initial
message from each side. 1. One-Way Authentication: One way authentication involves a
single transfer of information from one user (A) to another (B), and establishes the
details shown above.
Note that only the identity of the initiating entity is verified in this process, not that of the
82
responding entity. At a minimum, the message includes a timestamp ,a nonce, and the
identity of B and is signed with A’s private key. The message may also include
information to be conveyed, such as a session key for B.
BIOMETRIC AUTHENTICATION
Biometric authentication is a type of system that relies on the unique
biological characteristics of individuals to verify identity for secure access to
electronic systems.
Biometric verification is considered a subset of biometric authentication.
The biometric technologies involved are based on the ways in which individuals can
be uniquely identified through one or more distinguishing biological traits, such as
fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves,
keystroke dynamics, DNA and signatures. Biometric authentication is the application
of that proof of identity as part of a process validating a user for access to a
83
system. Biometric technologies are used to secure a wide range of electronic
communications, including enterprise security, online commerce and banking -- even
just logging in to a computer or smartphone.
Biometric authentication systems compare the current biometric data capture to
stored, confirmed authentic data in a database. If both samples of the biometric data
match,
authentication is confirmed and access is granted. The process is sometimes part of
amultifactor authentication system. For example, a smartphone user might log on
with his personal identification number (PIN) and then provide an iris scan to
complete the authentication process.
Iris recognition is used to identify individuals based on unique patterns within the
ring- shaped region surrounding the pupil of the eye.
Facial recognition systems work with numeric codes called faceprints, which identify
80 nodal points on a human face.
Once seen mostly in spy movies (where it might be used to protect access to a top-
secret military lab, for example), biometric authentication is becoming relatively
commonplace. In addition to the security provided by hard-to-fake individual
biological traits, the acceptance of biometric verification has also been driven by
convenience: One can’t easily forget or lose ones biometrics.
84
Until recently, biometrics was typically used at a physical security level – protecting
facilities at military bases or impenetrable bank vaults, for example. But, because
single- factor authentication methods are easy to break, companies have started
looking to
two-factor solutions, like biometrics.
However, the following five fundamental barriers may limit the growth of biometric
authentication:
85