Chapter 6

chapter 6 ppt of CRYPTOGRAPHY AND NETWORK SECURITY PRINCIPLES AND PRACTICE SEVENTH EDITION GLOBAL EDITION William Stallings

Uploaded by Ahmed Mohammed

CS549: Cryptography and Network Security
© by Xiang-Yang Li
Department of Computer Science, IIT
Cryptography and Network Security 1
Notice©
This lecture note (Cryptography and Network Security) is prepared by
Xiang-Yang Li. This lecture note has benefited from numerous
textbooks and online materials. Especially the “Cryptography and
Network Security” 2nd edition by William Stallings and the
“Cryptography: Theory and Practice” by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative
works from, distribute, perform, display, or in any way exploit any
of the content, in whole or in part, except as otherwise expressly
permitted by the author.
The author has used his best efforts in preparing this lecture note.
The author makes no warranty of any kind, expressed or implied,
with regard to the programs, protocols contained in this lecture
note. The author shall not be liable in any event for incidental or
consequential damages in connection with, or arising out of, the
furnishing, performance, or use of these.

Cryptography and Network Security 2


Cryptography and Network Security

Identification
Xiang-Yang Li

Cryptography and Network Security 3


Identification
- Identification: user authentication
  - convince the system of your identity
  - before it can act on your behalf
  - sometimes also requires that the computer verify its identity to the user
- Based on three methods
  - what you know
  - what you have
  - what you are
- Verification
  - validation of the information supplied against a table of possible values, based on the user's claimed identity
Cryptography and Network Security 4
What you Know
- Passwords or pass-phrases
  - prompt the user for a login name and password
  - verify identity by checking that the password is correct
  - on some (older) systems the password was stored in clear
  - more often a one-way function is used, whose output cannot easily be used to find the input value
    - either takes a fixed-size input (eg 8 chars)
    - or is based on a hash function that accepts a variable-size input to create the value
  - important that passwords are selected with care to reduce the risk of exhaustive search
Cryptography and Network Security 5
Weakness
- The traditional password scheme is vulnerable to eavesdropping over an insecure network

Cryptography and Network Security 6


Solutions?
- One-time password (Key/60s)
  - these are passwords used once only
  - future values cannot be predicted from older values
- Password generation
  - either generate a printed list, and keep a matching list on the system to be accessed
  - or use an algorithm based on a one-way function f (eg MD5) to generate previous values in the series (eg S/Key)
    - start with a secret password s and a number N; p_0 = f^N(s)
    - the i-th password in the series is p_i = f^(N-i)(s)
    - must reset the password after N uses

Cryptography and Network Security 7


What you Have
- Magnetic card, magnetic key
  - possess an item with the required code value encoded
- Smart card or calculator
  - may interact with the system
  - may require information from the user
  - could be used to actively calculate:
    - a time-dependent password
    - a one-shot password
    - a challenge-response verification
    - a public-key based verification

Cryptography and Network Security 8


What you Are
- Verify identity based on your physical characteristics, known as biometrics
- Characteristics used include:
  - signature (usually dynamic)
  - fingerprint, hand geometry
  - face or body profile
  - speech, retina pattern
- Tradeoff between
  - false rejection (type I error)
  - false acceptance (type II error)

Cryptography and Network Security 9


Cryptography and Network Security

Authentication
Xiang-Yang Li

Cryptography and Network Security 10


Message Authentication
Digital Signature
- Authentication
  - authentication requirements
  - authentication functions
- Mechanisms
  - MAC: message authentication code
  - hash functions, security of hash functions
  - hash and MAC algorithms
    - MD5, SHA, RIPEMD-160, HMAC
  - digital signatures

Cryptography and Network Security 11


Message Attacks
- Possible attacks
  - disclosure
  - traffic analysis
  - masquerade
  - content modification
  - sequence modification
  - time modification
  - repudiation
    - denial of receipt of the message by the destination, or
    - denial of transmission by the source

Cryptography and Network Security 12


Authentication
- Enables the receiver to verify message authenticity
- Uses some lower-level functions as primitives
- Three types of functions
  - message encryption
  - message authentication code (MAC)
  - hash function

Cryptography and Network Security 13


Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

  Alice → Bob: “I am Alice”
Failure scenario??

Cryptography and Network Security 14


Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

  Trudy → Bob: “I am Alice”
In a network, Bob cannot “see” Alice, so Trudy simply declares herself to be Alice.

Cryptography and Network Security 15


Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

  Alice → Bob: [Alice’s IP address, “I am Alice”]
Failure scenario??

Cryptography and Network Security 16


Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

  Trudy → Bob: [Alice’s IP address, “I am Alice”]
Trudy can create a packet “spoofing” Alice’s address.

Cryptography and Network Security 17


Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

  Alice → Bob: [Alice’s IP addr, Alice’s password, “I’m Alice”]
  Bob → Alice: [Alice’s IP addr, OK]
Failure scenario??

Cryptography and Network Security 18


Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

  Alice → Bob: [Alice’s IP addr, Alice’s password, “I’m Alice”]
  Bob → Alice: [Alice’s IP addr, OK]
  Trudy → Bob: [Alice’s IP addr, Alice’s password, “I’m Alice”]
Playback attack: Trudy records Alice’s packet and later plays it back to Bob.

Cryptography and Network Security 19


Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

  Alice → Bob: [Alice’s IP addr, encrypted password, “I’m Alice”]
  Bob → Alice: [Alice’s IP addr, OK]
Failure scenario??

Cryptography and Network Security 20


Authentication: another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

  Alice → Bob: [Alice’s IP addr, encrypted password, “I’m Alice”]
  Bob → Alice: [Alice’s IP addr, OK]
  Trudy → Bob: [Alice’s IP addr, encrypted password, “I’m Alice”]
Record and playback still works!

Cryptography and Network Security 21


Authentication: yet another try
Goal: avoid the playback attack
Nonce: a number (R) used only once in a lifetime
ap4.0: to prove Alice is “live”, Bob sends Alice a nonce R. Alice must return R encrypted with the shared secret key.

  Alice → Bob: “I am Alice”
  Bob → Alice: R
  Alice → Bob: K_A-B(R)
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Drawbacks?
Cryptography and Network Security 22
Authentication: ap5.0
ap4.0 requires a shared symmetric key
- can we authenticate using public key techniques?
ap5.0: use a nonce and public key cryptography

  Alice → Bob: “I am Alice”
  Bob → Alice: R
  Alice → Bob: K_A^-(R)
  Bob → Alice: “send me your public key”
  Alice → Bob: K_A^+
Bob computes K_A^+(K_A^-(R)) = R and knows that only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

Cryptography and Network Security 23


ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

  Alice ↔ Trudy (Trudy posing as Bob)      Trudy ↔ Bob (Trudy posing as Alice)
  Alice → Trudy: I am Alice                Trudy → Bob: I am Alice
  Trudy → Alice: R                         Bob → Trudy: R
  Alice → Trudy: K_A^-(R)                  Trudy → Bob: K_T^-(R)
  Trudy → Alice: send me your public key   Bob → Trudy: send me your public key
  Alice → Trudy: K_A^+                     Trudy → Bob: K_T^+
                                           Bob → Trudy: K_T^+(m)
  Trudy gets m = K_T^-(K_T^+(m)) and sends m to Alice encrypted with Alice’s public key:
  Trudy → Alice: K_A^+(m)
  Alice computes m = K_A^-(K_A^+(m))
Cryptography and Network Security 24
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., Bob and Alice can meet one week later and recall the conversation)
- the problem is that Trudy receives all messages as well!

Solution for this? --- public key certificates


Cryptography and Network Security 25
Password Authentication
- Oldest(?) way to authenticate an entity.
- Each user has a password.
- The host keeps a list of (user id, password).
- When a user needs to log in, he sends the host his password.
- The host checks the password before granting access.

26
Problems with Password Authentication
- The host’s list of (user id, password) may be revealed to an adversary.
  - This list becomes an attractive target of attack.
- The password may be eavesdropped in transmission.

27
No Password Storage in Clear
- We can address the first problem using a one-way hash function.
  - The host stores H(password) instead of the password.
  - Verifying the password is still easy for the host.
  - The adversary can’t figure out the password even if he sees H(password).

28
Lamport’s Hash Chain
- We can address the second problem using a hash chain.
  - Let H() be a one-way hash function.
  - The host keeps a list of (user id, H^n(password)).
  - When the user needs to log in for the i-th time, he sends the host h = H^(n-i)(password).
  - The host checks H^i(h) = H^n(password).

29
Security of Lamport’s Hash Chain
- Suppose the adversary can see all communications and all storage of the host.
  - So he sees H^(n-1)(password), H^(n-2)(password), …, H^(n-(i-1))(password) in the i-1 previous sessions.
  - He also sees H^n(password) in the host’s storage.
  - But he still can’t figure out H^(n-i)(password), which is needed for login.

30
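The following is an added, runnable illustration of the hash-chain one-time password scheme from the S/Key slide (p_i = f^(N-i)(s)) and the two Lamport slides above; it is not code from the lecture note. SHA-256 stands in for the one-way function, the secret and N are constructed demo values, and the host is implemented in the usual "sliding" form: it stores the last accepted chain value and checks H(h) against it, which is equivalent to the slide's H^i(h) = H^n(password) check but without keeping a counter and the original H^n value.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """One-way function of the chain; SHA-256 is an assumed stand-in for the MD5 of S/Key."""
    return hashlib.sha256(x).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """H^n(secret): apply H n times (H^0 is the identity)."""
    v = secret
    for _ in range(n):
        v = H(v)
    return v


class HashChainHost:
    """Verifier side: keeps only the last accepted chain value, never the secret."""

    def __init__(self, secret: bytes, n: int):
        self.logins_left = n                      # after N uses the chain is exhausted
        self.current = hash_chain(secret, n)      # stores H^n(password); secret is discarded

    def login(self, h: bytes) -> bool:
        if self.logins_left == 0:
            return False                          # chain used up: user must re-register
        if not hmac.compare_digest(H(h), self.current):
            return False                          # H(h) must equal the stored value
        self.current = h                          # slide one step down the chain
        self.logins_left -= 1
        return True


class HashChainUser:
    """Prover side: the i-th login sends p_i = H^(n-i)(secret)."""

    def __init__(self, secret: bytes, n: int):
        self.secret, self.n, self.i = secret, n, 0

    def next_password(self) -> bytes:
        self.i += 1
        return hash_chain(self.secret, self.n - self.i)


def demo() -> dict:
    secret, n = b"constructed-demo-secret", 5     # constructed values for the demo
    host, user = HashChainHost(secret, n), HashChainUser(secret, n)
    p1 = user.next_password()                     # H^4(s)
    first = host.login(p1)                        # accepted: H(p1) == H^5(s)
    replay = host.login(p1)                       # eavesdropped value resent: rejected
    p2 = user.next_password()                     # H^3(s), cannot be derived from p1
    second = host.login(p2)
    return {"first": first, "replay": replay, "second": second, "left": host.logins_left}


if __name__ == "__main__":
    print(demo())
```

The replayed p1 fails because the host has already moved its stored value down to H^4(s); an eavesdropper who saw p1 = H^4(s) would need the preimage H^3(s) for the next login, which the one-way property denies. The dictionary-attack caveat of the later slide still applies: if the secret is a weak password, an attacker can guess it and recompute the whole chain.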
Vulnerability of Lamport’s Hash Chain
- The above “security analysis” assumes that the adversary can’t find the password from H(password) since H() is one-way.
- Unfortunately, normally this is not true.
  - Most human-memorizable passwords belong to a very small space: a few letters and digits with special meanings.
  - So exhaustive search in this space is efficient.
  - The most important part of the attack is the construction of the space; usually we build it based on a dictionary.
  - This is called a “dictionary attack”.

31
Entity Authentication without Shared Secret
- Password-based authentication needs both parties to share a secret: the password.
  Can Alice authenticate to Bob, who does not share any secret with her?
  - Without further assumptions this is impossible.
    - Who is “Alice” anyway? What is the definition of Alice?
  - With a further assumption (e.g., a trusted third party) this is possible.

32
Woo-Lam Authentication
- Assume there is a trusted third party: Trent.
  - Alice shares a key K_AT with Trent.
  - Bob shares a key K_BT with Trent.
- Alice wants to authenticate to Bob.
  - Woo and Lam proposed a protocol.
  - This protocol is flawed.
  - There are many fixes, but most fixed versions are also flawed.

33
Woo-Lam Protocol
1. Alice → Bob: Alice
2. Bob → Alice: Nonce
3. Alice → Bob: {Nonce}K_AT
4. Bob → Trent: {Alice, {Nonce}K_AT}K_BT
5. Trent → Bob: {Nonce}K_BT
6. Bob: decrypt the above ciphertext. If Nonce comes back, accept; otherwise, reject.

34
Idea behind Woo-Lam Protocol (1)
- Why did they think this is secure?
  - If Bob finally gets Nonce through decryption, then in the 5th step Trent sent Bob {Nonce}K_BT.
  - This implies Trent got Nonce when he decrypted the message received in the 4th step.
  - This further implies that in the 4th step the inner-layer key used to encrypt Nonce corresponds to Alice.
  - In the 3rd step, Nonce is encrypted using K_AT.

35
Idea behind Woo-Lam Protocol (2)
- Since only Alice and Trent know K_AT, the message in the 3rd step must have been sent by Alice.
- So this is indeed Alice.

36
Error in the Idea
- Look at the 2nd part of the idea:
  - “This implies Trent got Nonce when he decrypted the message received in the 4th step.”
  - In the 4th step of which session?
  - This is not clear; actually, not necessarily this session.
  - When there is more than one session in parallel, the protocol is broken.

37
Parallel Session Attack (1)
- Malice impersonating Alice → Bob: (Session 1) Alice
- Malice → Bob: (Session 2) Malice
- Bob → Alice (intercepted by Malice): Nonce1
- Bob → Malice: Nonce2
- Malice impersonating Alice → Bob: {Nonce2}K_MT
- Malice → Bob: {Nonce1}K_MT
Note: Malice exchanges the nonces of the two sessions.
38
Parallel Session Attack (2)
- Bob → Trent: {Alice, {Nonce2}K_MT}K_BT
- Bob → Trent: {Malice, {Nonce1}K_MT}K_BT
- Trent → Bob: garbage
- Trent → Bob: {Nonce1}K_BT
- Bob: reject session 2 for Malice; accept session 1 for “Alice” (who is actually Malice).
  - Actually Bob should reject session 1, but he identifies the session using the nonce, which has been switched.

39
A Quick Fix
- The main problem causing the parallel session attack is that messages from different sessions are not appropriately separated.
  - So each message should carry a session number.
  - Accept a session only if the last message of this session is accepted.
- However, this fixed version is still subject to other attacks.

40
MESSAGE
AUTHENTICATION CODE

Cryptography and Network Security 41


Public Key Encryption
- Direct encryption with the receiver’s public key
  - only confidentiality, no authentication
- For authentication
  - encrypt using the sender’s private key
  - assumes the message is intelligible
  - no confidentiality: everyone can decrypt
- Confidentiality and authentication
  - encrypt with the sender’s private key, then with the receiver’s public key
  - but too time-consuming: 4 rounds of RSA on large data

Cryptography and Network Security 42


Message Authentication Code
- Assume both users share a secret key k
- Procedure
  - sender computes MAC = C_k(M) for M
  - sends M and its MAC to the receiver
  - receiver computes the MAC on the received M
  - compares it with the received MAC
  - if they match, accepts the message
- A MAC is similar to encryption, but need not be reversible!

Cryptography and Network Security 43


MAC with Confidentiality
- Two options
  - use another key to encrypt M and the MAC
  - use another key to encrypt M only
- Requirements of a MAC
  - size of MAC: n
  - size of key: k
  - need 2^n computations of the MAC and n/k pairs of M_i and MAC_i

Cryptography and Network Security 44


Why not Conventional Encryption
- Possible situations
  - broadcast a message (one destination can verify)
  - authentication is done selectively
  - authentication of a computer program
  - authentication may be more important than secrecy
  - architectural flexibility
  - authentication lasts longer than secret protection

Cryptography and Network Security 45


MAC Requirements
- Computationally infeasible to construct M’ such that C_k(M’) = C_k(M)
- C_k(M) uniformly distributed

Cryptography and Network Security 46


Data Authentication Algorithm
- ANSI standard X9.17
- Based on DES
- Uses Cipher Block Chaining mode
  - data is grouped into 64-bit blocks
  - padded with 0’s if necessary
  - Output_i = E_k(D_i ⊕ Output_(i-1))
  - 0 < i, and Output_0 = 0’s
  - the data authentication code DAC consists of the leftmost m bits of the last output, m ≥ 16

Cryptography and Network Security 47
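The following added example (not code from the lecture note or the standard) implements the sender/receiver MAC procedure of the "Message Authentication Code" slide using the CBC chaining structure of the DAA slide: zero-pad to 64-bit blocks, Output_i = E_k(D_i XOR Output_(i-1)) with Output_0 = 0, and take the leftmost m bits. Because DES is not in the Python standard library, E_k is an assumed stand-in (HMAC-SHA256 truncated to 64 bits); any 64-bit block cipher could replace it. The key, messages and the restriction of m to whole bytes are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, as in the DES-based DAA


def E(key: bytes, block: bytes) -> bytes:
    """Assumed stand-in for DES: keyed pseudorandom function truncated to 64 bits."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def daa(key: bytes, data: bytes, m: int = 32) -> bytes:
    """DAC = leftmost m bits of Output_n, Output_i = E_k(D_i XOR Output_(i-1)), Output_0 = 0.
    m is restricted to a multiple of 8 here (demo simplification); the slide only says m >= 16."""
    if m < 16 or m > 64 or m % 8:
        raise ValueError("m must be a multiple of 8 between 16 and 64")
    padded = data + b"\0" * (-len(data) % BLOCK)   # pad with 0s to a whole block
    out = bytes(BLOCK)                              # Output_0 = 0...0
    for i in range(0, len(padded), BLOCK):
        out = E(key, xor(padded[i:i + BLOCK], out))  # chain the previous output in
    return out[: m // 8]


def send(key: bytes, msg: bytes, m: int = 32) -> tuple:
    """Sender: transmit M together with C_k(M)."""
    return msg, daa(key, msg, m)


def receive(key: bytes, msg: bytes, tag: bytes, m: int = 32) -> bool:
    """Receiver: recompute the MAC on the received M and compare in constant time."""
    return hmac.compare_digest(daa(key, msg, m), tag)


def demo() -> dict:
    key = b"constructed-demo-key"
    msg, tag = send(key, b"pay 100 to account 42")
    return {
        "valid": receive(key, msg, tag),
        "tampered": receive(key, b"pay 900 to account 42", tag),
        "wrong_key": receive(b"other-key", msg, tag),
        # zero padding cannot distinguish M from M followed by a zero byte
        "padding_collision": daa(key, b"ab") == daa(key, b"ab\0"),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of demo() shows a limitation inherent in the plain zero-padded construction on the slide: a message and the same message extended by a zero byte chain to the identical tag, so a deployment must fix the message length or encode it into the data before MACing (the detail is outside the slide's scope but is the caveat a practitioner should carry away).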


Authentication Protocols
- Central issues
  - confidentiality: prevent masquerade and compromise
  - timeliness: prevent replay attacks
    - simple replay, repetition within the timestamp window, replay that arrives without the true message, backward replay attack to the sender
  - mutual authentication
  - one-way authentication

Cryptography and Network Security 48


Coping with Replay
- Timestamps
  - party A accepts a message only if it has a valid timestamp within a valid time window
  - needs synchronized clocks
    - how to set the synchronized clock?
    - network delay consideration?
- Challenge/response
  - party A (the receiver) sends B a nonce (the challenge) and requires the subsequent message to contain it

Cryptography and Network Security 49


Challenge-Response
- To ensure a password is never sent in the clear. Given a client and a server that share a key
  - the server sends a random challenge vector
  - the client encrypts it with the shared key and returns this
  - the server verifies the response with its copy of the shared key
  - can repeat the protocol in the other direction to authenticate the server to the client (2-way authentication)
- Secret key management
  - physically distributed before secure communications
  - keys are stored in a central trusted key server

Cryptography and Network Security 50
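Added example (not code from the lecture note) of the two replay countermeasures in the "Coping with Replay" and "Challenge-Response" slides, in the shape of protocol ap4.0: the server issues a random nonce, the client proves possession of the shared key over it, and each nonce is accepted once. A keyed MAC (HMAC-SHA256) is used in place of the slides' "encrypt R with the shared key", since the point is a keyed function of R that does not reveal the key; the key, user name and acceptance window are constructed values.

```python
import hashlib
import hmac
import os


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side of ap4.0: keyed function of the challenge (HMAC stands in for encryption)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, keys: dict):
        self.keys = keys              # user -> shared secret key (pre-distributed)
        self.pending = {}             # user -> outstanding nonce; one live challenge per user

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)            # fresh, unpredictable nonce R
        self.pending[user] = r
        return r

    def verify(self, user: str, response: bytes) -> bool:
        r = self.pending.pop(user, None)   # consume the nonce: it may be answered only once
        if r is None or user not in self.keys:
            return False
        expected = respond(self.keys[user], r)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def timestamp_fresh(msg_time: float, now: float, window: float = 30.0) -> bool:
    """Timestamp countermeasure: accept only if the message time is within the window of now.
    Requires synchronized clocks; the window must cover network delay."""
    return abs(now - msg_time) <= window


def demo() -> dict:
    key = b"constructed-alice-key"
    srv = Server({"alice": key})
    r = srv.challenge("alice")
    resp = respond(key, r)
    ok = srv.verify("alice", resp)                 # live Alice answers the fresh nonce
    replay = srv.verify("alice", resp)             # Trudy replays the same response later
    r2 = srv.challenge("alice")
    wrong = srv.verify("alice", respond(b"trudy-guess", r2))   # response under a wrong key
    return {"ok": ok, "replay": replay, "wrong_key": wrong, "nonces_differ": r != r2}


if __name__ == "__main__":
    print(demo())
```

The replay fails because the nonce was consumed on first use, and a recorded response is useless against a different nonce; this is what the record-and-playback attack on ap3.1 lacked. Mutual authentication is the same exchange run in the opposite direction.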


Conventional Encryption App.
- Each user shares a secret master key with the KDC (Key Distribution Center)
  - Kerberos is an example
- Needham-Schroeder protocol
  1. A → KDC: ID_A | ID_B | N_a
  2. KDC → A: E_Ka(K_s | ID_B | N_a | E_Kb(K_s | ID_A))
  3. A → B: E_Kb(K_s | ID_A)
  4. B → A: E_Ks(N_b)
  5. A → B: E_Ks(f(N_b))

Cryptography and Network Security 51


Analysis
- Steps 4 and 5 prevent the replay of step 3
  - assuming that K_s is not compromised
- If K_s is compromised
  - vulnerable to a replay attack
  - the attacker can replay step 3
  - unless B remembers all previous session keys with A, it cannot tell that it is a replay!

Cryptography and Network Security 52


Denning Protocol
- Denning Protocol
  1. A → KDC: ID_A | ID_B
  2. KDC → A: E_Ka(K_s | ID_B | T | E_Kb(K_s | ID_A | T))
  3. A → B: E_Kb(K_s | ID_A | T)
  4. B → A: E_Ks(N_b)
  5. A → B: E_Ks(f(N_b))
- Here T is a timestamp that assures the freshness of the key K_s
- Relies on synchronized clocks

Cryptography and Network Security 53


Public-key Encryption App.
- The simple one proposed by Denning
  - AS: authentication server
  1. A → AS: ID_A | ID_B
  2. AS → A: E_KRas(KU_a | ID_A | T) | E_KRas(KU_b | ID_B | T)
  3. A → B: E_KRas(KU_a | ID_A | T) | E_KRas(KU_b | ID_B | T) | E_KUb(E_KRa(K_s | T))
- It needs clock synchronization

Cryptography and Network Security 54


Cont.
- Protocol by Woo and Lam, using nonces
  1. A → KDC: ID_A | ID_B
  2. KDC → A: E_KRau(ID_B | KU_b)
  3. A → B: E_KUb(N_a | ID_A)
  4. B → KDC: ID_B | ID_A | E_KUau(N_a)
  5. KDC → B: E_KRau(ID_A | KU_a) | E_KUb(E_KRau(N_a | K_s | ID_A | ID_B))
  6. B → A: E_KUa(E_KRau(N_a | K_s | ID_A | ID_B) | N_b)
  7. A → B: E_Ks(N_b)

Cryptography and Network Security 55


One-way Authentication
- Using the public key approach
  - if confidentiality is the main concern
    - A → B: E_KUb(K_s) | E_Ks(M)
  - if authentication is the main concern
    - A → B: M | E_KRa(H(M))
    - this cannot avoid the interception and replay attack
  - sign the message, then
    - E_KUb(M | E_KRa(H(M)))
    - or E_KUb(K_s) | E_Ks(M | E_KRa(H(M)))
  - A can also send the digital certificate E_KRau(T | ID_A | KU_a)

Cryptography and Network Security 56


Authentication Applications
- will consider authentication functions
  - developed to support application-level authentication & digital signatures
- will consider Kerberos, a private-key authentication service
- then the X.509 directory authentication service

Cryptography and Network Security 57


Kerberos
- Trusted key server system developed by MIT
  - provides centralized third-party authentication in a distributed network
  - access control may be provided for
    - each computing resource
    - in either a local or remote network (realm)
  - a Key Distribution Centre (KDC), containing a database of:
    - principals (customers and services)
    - encryption keys
  - the KDC provides non-corruptible authentication credentials (tickets or tokens)

Cryptography and Network Security 58


Kerberos
- Two Kerberos versions
  - 4: restricted to a single realm
  - 5: allows inter-realm authentication, in beta test
  - Kerberos v5 is an Internet standard specified in RFC 1510
- To use Kerberos
  - need to have a KDC on your network
  - need to have Kerberised applications running on all participating systems
- US export restrictions
  - cannot be directly distributed outside the US in source format
  - crypto libraries must be re-implemented locally

Cryptography and Network Security 59


Kerberos Requirements
- The first published report identified its requirements as:
  - security
  - reliability
  - transparency
  - scalability
- Implemented using an authentication protocol based on Needham-Schroeder

Cryptography and Network Security 60


Kerberos 4 Overview
- A basic third-party authentication scheme
- Has an Authentication Server (AS)
  - users initially negotiate with the AS to identify themselves
  - the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
- Has a Ticket Granting Server (TGS)
  - users subsequently request access to other services from the TGS on the basis of their TGT

Cryptography and Network Security 61


Kerberos 4 Overview

Cryptography and Network Security 62


Kerberos Realms
- A Kerberos environment consists of:
  - a Kerberos server
  - a number of clients, all registered with the server
  - application servers, sharing keys with the server
- This is termed a realm
  - typically a single administrative domain
- If there are multiple realms, their Kerberos servers must share keys and trust

Cryptography and Network Security 63


Kerberos Version 5
- Developed in the mid 1990’s
- Provides improvements over v4
  - addresses environmental shortcomings
    - encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
  - and technical deficiencies
    - double encryption, non-std mode of use, session keys, password attacks
- Specified as Internet standard RFC 1510

Cryptography and Network Security 64


Authentication Protocols
- Used to convince parties of each other's identity and to exchange session keys
- May be one-way or mutual
- Key issues are
  - confidentiality: to protect session keys
  - timeliness: to prevent replay attacks

Cryptography and Network Security 65


Replay Attacks
- Where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- Countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (need synchronized clocks)
  - challenge/response (using a unique nonce)

Cryptography and Network Security 66


Using Symmetric Encryption
- As discussed previously, can use a two-level hierarchy of keys
- Usually with a trusted Key Distribution Center (KDC)
  - each party shares its own master key with the KDC
  - the KDC generates session keys used for connections between parties
  - master keys are used to distribute these to them

Cryptography and Network Security 67


Needham-Schroeder Protocol
- Original third-party key distribution protocol
- For a session between A and B mediated by the KDC
- Protocol overview is:
  1. A→KDC: IDA || IDB || N1
  2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
  3. A→B: EKb[Ks||IDA]
  4. B→A: EKs[N2]
  5. A→B: EKs[f(N2)]

Cryptography and Network Security 68


Needham-Schroeder Protocol
- Used to securely distribute a new session key for communications between A & B
- But is vulnerable to a replay attack if an old session key has been compromised
  - then message 3 can be resent, convincing B that it is communicating with A
- Modifications to address this require:
  - timestamps (Denning 81)
  - using an extra nonce (Neuman 93)

Cryptography and Network Security 69


Using Public-Key Encryption
- Have a range of approaches based on the use of public-key encryption
- Need to ensure we have the correct public keys for other parties
  - using a central Authentication Server (AS)
- Various protocols exist using timestamps or nonces

Cryptography and Network Security 70


Denning AS Protocol
- Denning 81 presented the following:
  1. A→AS: IDA || IDB
  2. AS→A: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T]
  3. A→B: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T] || EKUb[EKRas[Ks||T]]
- Note the session key is chosen by A, hence the AS need not be trusted to protect it
- Timestamps prevent replay but require synchronized clocks

Cryptography and Network Security 71


One-Way Authentication
- Required when sender & receiver are not in communication at the same time (eg. email)
- Have the header in clear so it can be delivered by the email system
- May want the contents of the body protected & the sender authenticated

Cryptography and Network Security 72


Using Symmetric Encryption
- Can refine the use of the KDC, but can’t have the final exchange of nonces, viz:
  1. A→KDC: IDA || IDB || N1
  2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
  3. A→B: EKb[Ks||IDA] || EKs[M]
- Does not protect against replays
  - could rely on a timestamp in the message, though email delays make this problematic

Cryptography and Network Security 73


Public-Key Approaches
- Have seen some public-key approaches
- If confidentiality is the major concern, can use:
    A→B: EKUb[Ks] || EKs[M]
  - has encrypted session key, encrypted message
- If authentication is needed, use a digital signature with a digital certificate:
    A→B: M || EKRa[H(M)] || EKRas[T||IDA||KUa]
  - with message, signature, certificate

Cryptography and Network Security 74


Differences between Authentication and Digital Signature
- Two authentications:
  - Data authentication is comparable to stamping a document in a way that disallows all future modifications to it. Data authentication is usually accompanied by
  - data origin authentication, which binds a concrete person to this document.
- A digital signature is a cryptographic technique that makes it possible to protect digital information (represented as a bit-stream) from undesirable modification. Since a signature cannot simply be appended to a digital bitstream, more sophisticated methods (known as signature schemes) for signing have been elaborated.
- A signature scheme is a function Sig of a key pair (S_A, V_A) and a bitstring M, such that
  - for anyone who knows the secret key S_A, it is easy to compute for any plaintext M the signature C = Sig(S_A, M).
  - for anyone who knows V_A (the public key), C and M, it is easy to verify whether C = Sig(S_A, M).
  - for a randomly chosen C, it is intractable for anyone who does not know S_A to find a value M for which C = Sig(S_A, M).

Cryptography and Network Security 75
