Unit 3

CW3551-DATA AND INFORMATION SECURITY

UNIT III- DIGITAL SIGNATURE AND AUTHENTICATION

UNIT III -DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and
their Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols -
Applications - Kerberos -X.509 Directory Services.

Digital Signature:
A digital signature is a mathematical technique used to validate the authenticity and integrity of a
digital document, message or software. It's the digital equivalent of a handwritten signature or
stamped seal, but it offers far more inherent security.
Digital signatures can provide evidence of origin, identity and status of electronic documents,
transactions or digital messages. Signers can also use them to acknowledge informed consent. In
many countries, including the U.S., digital signatures are considered legally binding in the same
way as traditional handwritten document signatures.

Encryption – Process of converting electronic data into another form, called ciphertext, which
cannot be easily understood by anyone except the authorized parties. This assures data security.
Decryption– Process of converting ciphertext back into the original data.

The message is encrypted at the sender’s side using various encryption algorithms and decrypted at
the receiver’s end with the help of the decryption algorithms.
When some message is to be kept secure like username, password, etc., encryption and decryption
techniques are used to assure data security.
Types of Encryption
Symmetric Encryption– Data is encrypted using a key and the decryption is also done using the
same key.
Asymmetric Encryption-Asymmetric Cryptography is also known as public-key cryptography. It
uses public and private keys to encrypt and decrypt data. One key in the pair which can be shared
with everyone is called the public key. The other key in the pair which is kept secret and is only
known by the owner is called the private key. Either of the keys can be used to encrypt a message;
the opposite key from the one used to encrypt the message is used for decryption.
Public key– Key which is known to everyone. Ex-public key of A is 7, this information is known
to everyone.
Private key– Key which is only known to the person whose private key it is.

Authentication– Authentication is any process by which a system verifies the identity of a user
who wishes to access it.
Non-repudiation– Non-repudiation means to ensure that a transferred message has been sent and
received by the parties claiming to have sent and received the message. Non-repudiation is a way to
guarantee that the sender of a message cannot later deny having sent the message and that the
recipient cannot deny having received the message.
Integrity– to ensure that the message was not altered during the transmission.
Message digest– The representation of text in the form of a single string of digits, created using a
formula called a one-way hash function. Encrypting a message digest with a private key creates a
digital signature, which is an electronic means of authentication.
Digital Signature

A digital signature is a mathematical technique used to validate the authenticity and integrity of a
message, software, or digital document.

Key Generation Algorithms: Digital signatures are electronic signatures that assure that the
message was sent by a particular sender. While performing digital transactions, authenticity and
integrity should be assured; otherwise the data can be altered, or someone can act as if he were
the sender and expect a reply.
Signing Algorithms: To create a digital signature, signing software such as an email program creates
a one-way hash of the electronic data which is to be signed. The signing algorithm then encrypts the
hash value using the private key (signature key). This encrypted hash, along with other information
like the hashing algorithm, is the digital signature. This digital signature is appended to the data
and sent to the verifier. The reason for encrypting the hash instead of the entire message or
document is that a hash function converts any arbitrary input into a much shorter fixed-length
value. This saves time, as instead of signing a long message only a shorter hash value has to be
signed, and moreover hashing is much faster than signing.
Signature Verification Algorithms: The verifier receives the digital signature along with the data.
It then uses the verification algorithm to process the digital signature with the public key
(verification key) and generates some value. It also applies the same hash function to the received
data and generates a hash value. Then the hash value and the output of the verification algorithm
are compared. If they are equal, the digital signature is valid; otherwise it is invalid.
The steps followed in creating a digital signature are:

1. The message digest is computed by applying a hash function to the message, and the message
digest is then encrypted using the private key of the sender to form the digital signature
(digital signature = encryption(private key of sender, message digest), and message digest =
message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital signature is
transmitted).
3. The receiver decrypts the digital signature using the public key of the sender. (This assures
authenticity, as only the sender has his private key, so only the sender can encrypt using his
private key, which can thus be decrypted by the sender’s public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (the actual message is sent with
the digital signature).
6. The message digest computed by the receiver and the message digest obtained by decrypting the
digital signature need to be the same to ensure integrity.

The message digest is computed using a one-way hash function, i.e. a hash function in which
computing the hash value of a message is easy but computing the message from its hash value is
very difficult.

Benefits of Digital Signatures

Legal documents and contracts: Digital signatures are legally binding. This makes them ideal for
any legal document that requires a signature authenticated by one or more parties and guarantees
that the record has not been altered.
Sales contracts: Digital signing of contracts and sales contracts authenticates the identity of the
seller and the buyer, and both parties can be sure that the signatures are legally binding and that the
terms of the agreement have not been changed.
Financial Documents: Finance departments digitally sign invoices so customers can trust that the
payment request is from the right seller, not from a bad actor trying to trick the buyer into sending
payments to a fraudulent account.
Health Data: In the healthcare industry, privacy is paramount for both patient records and research
data. Digital signatures ensure that this confidential information was not modified when it was
transmitted between the consenting parties.
Federal, state, and local government agencies have stricter policies and regulations than many
private sector companies. From approving permits to stamping them on a timesheet, digital
signatures can optimize productivity by ensuring the right person is involved with the proper
approvals.
Shipping Documents: Helps manufacturers avoid costly shipping errors by ensuring cargo
manifests or bills of lading are always correct. However, physical papers are cumbersome, not
always easily accessible during transport, and can be lost. By digitally signing shipping documents,
the sender and recipient can quickly access a file, check that the signature is up to date, and ensure
that no tampering has occurred.
Drawbacks of Digital Signatures
Dependence on Key Management: Digital signatures rely on the secure management of
cryptographic keys. This means that the sender must keep their private key safe and secure from
unauthorized access, while the recipient must verify the sender’s public key to ensure its
authenticity. Any failure in key management can compromise the security of the digital signature.
Complexity: Digital signatures require a complex process of key generation, signing, and
verification. This can make them difficult to implement and use for non-technical users.
Compatibility: Different digital signature algorithms and formats may not be compatible with
each other, making it difficult to exchange signed messages across different systems and
applications.
Legal Recognition: Although digital signatures have legal recognition in many countries, their
legal status may not be clear in all jurisdictions. This can limit their usefulness in legal or
regulatory contexts.
Revocation: In case of key compromise or other security issues, digital signatures must be revoked
to prevent their misuse. However, the revocation process can be complex and may not be effective
in all cases.
Cost: Digital signatures may involve additional costs for key management, certificate issuance,
and other related services, which can make them expensive for some users or organizations.
Limited Scope: Digital signatures provide authentication and integrity protection for a message,
but they do not provide confidentiality or protection against other types of attacks, such as denial-
of-service attacks or malware.

What are the benefits of digital signatures?


Digital signatures offer the following benefits:
Security. Security capabilities are embedded in digital signatures to ensure a legal document isn't
altered and signatures are legitimate. Security features include asymmetric cryptography, personal
identification numbers (PINs), checksums and cyclic redundancy checks (CRCs), as well as CA
and trust service provider (TSP) validation.
Timestamping. This provides the date and time of a digital signature and is useful when timing is
critical, such as for stock trades, lottery ticket issuance and legal proceedings.
Globally accepted and legally compliant. The public key infrastructure (PKI) standard ensures
vendor-generated keys are made and stored securely. With digital signatures becoming an
international standard, more countries are accepting them as legally binding.
Time savings. Digital signatures simplify the time-consuming processes of physical document
signing, storage and exchange, enabling businesses to quickly access and sign documents.
Cost savings. Organizations can go paperless and save money previously spent on the physical
resources, time, personnel and office space used to manage and transport documents.
Positive environmental effects. Reducing paper use also cuts down on the physical waste generated
by paper and the negative environmental impact of transporting paper documents.
Traceability. Digital signatures create an audit trail that makes internal record-keeping easier for
businesses. With everything recorded and stored digitally, there are fewer opportunities for a
manual signee or record-keeper to make a mistake or misplace something.
II-Digital Signature Scheme

1. ElGamal encryption is a public-key cryptosystem. It uses asymmetric key encryption for
communicating between two parties and encrypting the message. This cryptosystem is based on
the difficulty of finding discrete logarithms in a cyclic group; that is, even if we know g^a and
g^k, it is extremely difficult to compute g^ak.
Idea of ElGamal cryptosystem:

EXAMPLE:
Original Message : encryption
g used : 5860696954522417707188952371547944035333315907890
g^a used : 4711309755639364289552454834506215144653958055252
g^k used : 12475188089503227615789015740709091911412567126782
g^ak used : 39448787632167136161153337226654906357756740068295
Decrypted Message : encryption
In this cryptosystem, the original message M is masked by multiplying it by g^ak. To remove the
mask, a clue is given in the form of g^k. Unless someone knows a, he will not be able to retrieve M.
This is because finding the discrete log in a cyclic group is difficult, and simply knowing g^a and
g^k is not good enough to compute g^ak.
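
The masking just described, as an added worked example that is not part of the original notes. P, Q and the derived base G are constructed toy parameters, far too small for real use, and the function names are illustrative.

```python
import secrets

# Constructed toy parameters (assumptions for illustration only):
# P is the Mersenne prime 2^127 - 1 and Q is a prime factor of P - 1.
P = 2**127 - 1
Q = 77158673929
# G generates the subgroup of order Q: take the first h whose cofactor power is not 1.
G = next(x for x in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if x != 1)


def keygen():
    """Return (a, g^a): the private exponent and the public key."""
    a = secrets.randbelow(Q - 1) + 1          # 1 <= a <= Q-1
    return a, pow(G, a, P)


def encrypt(pub: int, message: bytes):
    """Mask M with g^(ak) and send the clue g^k alongside it."""
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to an integer in 1..P-1")
    k = secrets.randbelow(Q - 1) + 1          # fresh random k for every message
    clue = pow(G, k, P)                       # g^k
    mask = pow(pub, k, P)                     # (g^a)^k = g^(ak)
    return clue, (m * mask) % P


def decrypt(a: int, ciphertext) -> bytes:
    """Rebuild the mask from the clue using the private a, then divide it out."""
    clue, masked = ciphertext
    mask = pow(clue, a, P)                    # (g^k)^a = g^(ak)
    m = (masked * pow(mask, -1, P)) % P       # multiply by the inverse of the mask
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```

Decrypting with any exponent other than a rebuilds a different mask, so the recovered value is not M.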

Advantages:

• Security: ElGamal is based on the discrete logarithm problem, which is considered to be a
hard problem to solve. This makes it secure against attacks from hackers.
• Key distribution: The encryption and decryption keys are different, making it easier to
distribute keys securely. This allows for secure communication between multiple parties.
• Digital signatures: ElGamal can also be used for digital signatures, which allows for secure
authentication of messages.

Disadvantages:

• Slow processing: ElGamal is slower compared to other encryption algorithms, especially
when used with long keys. This can make it impractical for certain applications that require
fast processing speeds.
• Key size: ElGamal requires larger key sizes to achieve the same level of security as other
algorithms. This can make it more difficult to use in some applications.
• Vulnerability to certain attacks: ElGamal is vulnerable to attacks based on the discrete
logarithm problem, such as the index calculus algorithm. This can reduce the security of the
algorithm in certain situations.
2. Schnorr Digital Signature:

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature
algorithm that was described by Claus Schnorr. It is a digital signature scheme known for its
simplicity; it is efficient and generates short signatures. It is one of the protocols used to
implement “Proof Of Knowledge”. In cryptography, a proof of knowledge is an interactive proof in
which the prover succeeds in ‘convincing’ a verifier that the prover knows something ‘X’. For a
machine to know ‘X’ is defined in terms of computation. A machine knows ‘X’ if this ‘X’ can be
computed. The Verifier either accepts or rejects the proof. The signature proof is supposed to
convince the Verifier that they are communicating with a user who knows the private key
corresponding to the public key. In other words, the Verifier should be convinced that they are
communicating with the Prover without knowing the private key.

Schnorr Digital Signature to implement Zero Knowledge Proof: Let’s take an example of two friends,
Sachin and Sanchita. Sanchita has announced to the world that she has a public key and can accept
and receive information through it. Sachin thinks that Sanchita is lying. Sanchita wants to prove
her honesty without showing her private keys. Here is where Schnorr’s protocol will help us.
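
The exchange between Sanchita (prover) and Sachin (verifier), followed by the signature form in which a hash replaces Sachin's challenge, as an added example that is not part of the original notes. The group (P, Q, G) is a constructed toy group and all function names are illustrative.

```python
import hashlib
import secrets

# Constructed toy group (assumption): P = 2^127 - 1 is prime, Q is a prime factor
# of P - 1, and G has order Q. Real deployments use far larger groups or curves.
P = 2**127 - 1
Q = 77158673929
G = next(x for x in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if x != 1)


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, never revealed
    return x, pow(G, x, P)                    # public key y = g^x


# --- Interactive proof of knowledge ---
def commit():
    k = secrets.randbelow(Q - 1) + 1          # one-time secret, fresh for every run
    return k, pow(G, k, P)                    # commitment R = g^k


def respond(x: int, k: int, challenge: int) -> int:
    return (k + x * challenge) % Q            # s = k + x*c mod q


def check(y: int, commitment: int, challenge: int, s: int) -> bool:
    # g^s must equal R * y^c. Producing such an s for a challenge chosen
    # after R was fixed requires knowing x, yet s alone does not reveal x.
    return pow(G, s, P) == (commitment * pow(y, challenge, P)) % P


# --- Signature: the challenge becomes a hash of (R, message) ---
def _challenge(commitment: int, message: bytes) -> int:
    data = commitment.to_bytes(16, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x: int, message: bytes):
    k, commitment = commit()
    e = _challenge(commitment, message)
    return e, respond(x, k, e)                # the signature is the pair (e, s)


def verify(y: int, message: bytes, signature) -> bool:
    e, s = signature
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    # Recover R = g^s * y^(-e), then recompute the challenge from it.
    commitment = (pow(G, s, P) * pow(pow(y, e, P), -1, P)) % P
    return e == _challenge(commitment, message)
```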

3. RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means that it works on two
different keys, i.e. a Public Key and a Private Key. As the names suggest, the Public Key is given
to everyone and the Private Key is kept private.
An example of asymmetric cryptography:
1. A client (for example browser) sends its public key to the server and requests some data.
2. The server encrypts the data using the client’s public key and sends the encrypted data.
3. The client receives this data and decrypts it.
Since this is asymmetric, nobody else except the browser can decrypt the data even if a third
party has the public key of the browser.
The idea! The idea of RSA is based on the fact that it is difficult to factorize a large integer.
The public key consists of two numbers, where one number is the product of two large prime
numbers. The private key is also derived from the same two prime numbers. So if somebody can
factorize the large number, the private key is compromised. Therefore encryption strength lies
entirely in the key size, and if we double or triple the key size, the strength of encryption
increases exponentially. RSA keys are typically 1024 or 2048 bits long, but experts believe that
1024-bit keys could be broken in the near future. But till now it seems to be an infeasible task.
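
The hash-then-sign steps listed earlier under "Digital Signature", carried out with an RSA key pair derived from two primes as described above; this is an added example, not part of the original notes. It uses textbook RSA on the raw digest with constructed toy primes, whereas real systems apply a padding scheme such as RSASSA-PSS; the allow-list of hash names is an assumption of this sketch.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes stand in for the secret
# primes. Their special form makes them unsuitable for real keys; they only keep
# the example self-contained and deterministic.
PRIME_1 = 2**521 - 1
PRIME_2 = 2**607 - 1
N = PRIME_1 * PRIME_2                          # public modulus
E = 65537                                      # public exponent
D = pow(E, -1, (PRIME_1 - 1) * (PRIME_2 - 1))  # private exponent, derived from the primes

ALLOWED_HASHES = {"sha256", "sha512"}          # hashes the verifier is willing to accept


def _digest_int(alg: str, message: bytes) -> int:
    return int.from_bytes(hashlib.new(alg, message).digest(), "big")


def sign(message: bytes, alg: str = "sha256") -> dict:
    """Hash the message, then apply the private-key operation to the digest.

    The hash algorithm name travels with the value, as the notes describe.
    """
    return {"hash_alg": alg, "value": pow(_digest_int(alg, message), D, N)}


def verify(message: bytes, signature: dict) -> bool:
    """Apply the public-key operation and compare with a freshly computed digest."""
    alg = signature.get("hash_alg")
    value = signature.get("value")
    if alg not in ALLOWED_HASHES:              # do not let the sender choose a weak hash
        return False
    if not isinstance(value, int) or not 0 < value < N:
        return False
    return pow(value, E, N) == _digest_int(alg, message)
```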

4. DSA(Digital Signature Algorithm)

We will be focussing on DSA. The NIST(National Institute of Standards and Technology) accepted
the Digital Signature Algorithm as a standard in 1994. The digital signature algorithm is similar to
asymmetric encryption in many ways but departs from it slightly.
In contrast to asymmetric encryption, the Digital Signature Algorithm generates a digital signature
from two 160-bit values using mathematical functions.

Let us understand the algorithm in brief:

• Consider a simple text message.
• Apply the hash function to this simple text message then our hash code is generated.
• Hash code, along with the random variable k, is given as input to the signature algorithm.
• For this signature, we use the global public key PUA. Along with this, we will use the
private key of the sender PRA.
• Now we get the signature appended to the simple text.
• Along with the simple text, we will get two components named s and r.
• These s and r are known as signature components.
• Now reverse functions are applied.
• The hash function is applied along with the s and r components to a verifying function.
• The verifying function uses the global public key and the sender's public key.
• The result of the verifying function is compared with signature component r.

Let us go through the mathematical understanding of the Digital Signature algorithm.

5. Elliptic Curve Digital Signature Algorithm (ECDSA)

What is ECDSA?
The Elliptic Curve Digital Signature Algorithm is a Digital Signature Algorithm (DSA) that
uses elliptic curve cryptography keys. It is a very efficient equation that is based on cryptography
with public keys. ECDSA is utilized in many security systems, is popular in encrypted messaging
apps, and is the foundation of Bitcoin security (with Bitcoin “addresses” serving as public keys).
Elliptic Curve Digital Signature Algorithms (ECDSA) have recently received significant
attention, particularly from standards developers, as alternatives to existing standard
cryptosystems such as integer factorization cryptosystems and discrete logarithm problem
cryptosystems. In security applications, crypto-algorithms are always the most significant
fundamental tool.

Digital Signature of ECDSA


A digital signature is an electronic equivalent of a handwritten signature that allows a receiver to
persuade a third party that the message was indeed sent by the sender. Handwritten signatures are
substantially less secure than digital signatures. A digital signature cannot be forged in any way.
Another advantage of digital signatures over handwritten signatures is that they apply to the
entire message.
Every part of the digital message is affected by the signature key. On the bottom of a paper
document, a handwritten signature is applied. Nothing prohibits the text displayed above the
penned signature from being altered while the signature remains unaltered. Digital signatures do
not allow for such changes. Today’s digital signature methods can be categorized based on the
mathematical problem that provides the foundation for their security:
• Integer Factorization (IF) Schemes: They base their security on the intractability of the
integer factorization problem. RSA Signature Schemes are one example.
• Discrete Logarithm (DL) Schemes: Their security is based on the intractable nature of the
discrete logarithm problem in a finite field.
• Elliptic Curve (EC) Schemes: They base their security on the intractability of the elliptic
curve discrete logarithm problem. The Elliptic Curve Digital Signature Algorithm, for
example, is the one used in this investigation and is without a doubt the most recent of the
many designs.

6. EdDSA- Edwards-curve Digital Signature Algorithm


In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital
signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is
designed to be faster than existing digital signature schemes without sacrificing security.

Digital Signature Standard (DSS)

As we have studied, signature is a way of authenticating the data coming from a trusted
individual. Similarly, digital signature is a way of authenticating a digital data coming from a
trusted source. Digital Signature Standard (DSS) is a Federal Information Processing
Standard(FIPS) which defines algorithms that are used to generate digital signatures with the
help of Secure Hash Algorithm(SHA) for the authentication of electronic documents. DSS only
provides us with the digital signature function and not with any encryption or key exchanging
strategies.
Sender Side: In the DSS approach, a hash code is generated out of the message and the following
inputs are given to the signature function –
1. The hash code.
2. The random number ‘k’ generated for that particular signature.
3. The private key of the sender i.e., PR(a).
4. A global public key (which is a set of parameters for the communicating principals) i.e.,
PU(g).
These inputs to the function will provide us with the output signature containing two components
– ‘s’ and ‘r’. Therefore, the original message concatenated with the signature is sent to the
receiver.
Receiver Side: At the receiver end, verification of the sender is done. The hash code of
the sent message is generated. There is a verification function which takes the following inputs –
1. The hash code generated by the receiver.
2. Signature components ‘s’ and ‘r’.
3. Public key of the sender.
4. Global public key.
The output of the verification function is compared with the signature component ‘r’. Both
values will match if the sent signature is valid, because only the sender, with the help of its
private key, can generate a valid signature.
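
The signature and verification functions described for DSA and DSS above, written out with the standard DSA equations as an added example that is not part of the original notes. The global public key (P, Q, G) is a constructed toy group, the digest is reduced modulo Q as a simplification, and the function names are illustrative.

```python
import hashlib
import secrets

# Constructed toy "global public key" (assumption): P = 2^127 - 1 is prime,
# Q is a prime factor of P - 1 and G has order Q. Far too small for real use.
P = 2**127 - 1
Q = 77158673929
G = next(x for x in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if x != 1)


def _hash_to_int(message: bytes) -> int:
    # Simplification for the toy group: reduce the SHA-256 digest modulo q.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # sender's private key
    return x, pow(G, x, P)                    # sender's public key y = g^x mod p


def sign(x: int, message: bytes):
    """Inputs: hash code, per-signature k, private key, global key. Output: (r, s)."""
    h = _hash_to_int(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1      # secret and unique for each signature
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r != 0 and s != 0:                 # retry in the rare degenerate case
            return r, s


def verify(y: int, message: bytes, signature) -> bool:
    """Recompute v from the hash code, (r, s) and the public keys; valid if v == r."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):         # reject out-of-range components first
        return False
    w = pow(s, -1, Q)
    u1 = (_hash_to_int(message) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r
```

The range check in `verify` matters: without it, a component equal to 0 or Q would reach the modular inverse and the comparison with malformed input.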
Benefits of digital signature:
1. A digital signature gives better security in the transaction. No unauthorized person can
commit fraud in transactions.
2. You can easily track the status of the documents on which the digital signature is applied.
3. It speeds up document delivery.
4. It is 100 percent legal; it is issued by a government-authorized certifying authority.
5. If you have signed a document digitally, you cannot deny it.
6. When a document is signed, the date and time are automatically stamped on it.
7. It is not possible to copy or change a document that has been signed digitally.
8. Identification of the person who signs.
9. Elimination of the possibility of fraud by an impostor.

Digital Signature and Authentication: Overview


What is the digital signature authentication mechanism?
A digital signature is a form of cryptography that uses the public key infrastructure, or PKI, to
securely transmit messages and authenticate senders. Digital signatures require both a public
and a private key to be decrypted. The public key will be signed by a trusted CA and will need to
match the private key.

Kerberos:

Kerberos provides a centralized authentication server whose function is to authenticate users to
servers and servers to users. In Kerberos, an Authentication Server and database are used for
client authentication. Kerberos runs as a third-party trusted server known as the Key Distribution
Center (KDC). Each user and service on the network is a principal.
The main components of Kerberos are:

• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the
Ticket Granting Service.

• Database:
The Authentication Server verifies the access rights of users in the database.

• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.

Kerberos Overview:

• Step-1:
The user logs in and requests services on the host. Thus the user requests the ticket-granting
service.

• Step-2:
The Authentication Server verifies the user’s access rights using the database and then gives a
ticket-granting-ticket and session key. Results are encrypted using the password of the user.

• Step-3:
The message is decrypted using the password, and the ticket is then sent to the Ticket
Granting Server. The Ticket contains authenticators like user names and network
addresses.

• Step-4:
The Ticket Granting Server decrypts the ticket sent by the User, the authenticator verifies the
request, and the server then creates the ticket for requesting services from the Server.

• Step-5:
The user sends the Ticket and Authenticator to the Server.

• Step-6:
The server verifies the Ticket and authenticators, then grants access to the service. After
this the User can access the services.

Kerberos Limitations

• Each network service must be modified individually for use with Kerberos
• It doesn’t work well in a timeshare environment
• Secured Kerberos Server
• Requires an always-on Kerberos server
• All stored passwords are encrypted with a single key
• Assumes workstations are secure
• May result in cascading loss of trust
• Scalability

Applications

• User Authentication: User Authentication is one of the main applications of Kerberos.
Users only have to input their username and password once with Kerberos to gain access to
the network. The Kerberos server subsequently receives the encrypted authentication data
and issues a ticket granting ticket (TGT).
• Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users
to log in once to access a variety of network resources. A user can access any network
resource they have been authorized to use after being authenticated by the Kerberos server
without having to provide their credentials again.
• Mutual Authentication: Before any data is transferred, Kerberos uses a mutual
authentication technique to make sure that both the client and server are authenticated.
Using a shared secret key that is securely kept on both the client and server, this is
accomplished. A client asks the Kerberos server for a service ticket whenever it tries to
access a network resource. The client must use its shared secret key to decrypt the challenge
that the Kerberos server sends via encryption. If the decryption is successful, the client
responds to the server with evidence of its identity.
• Authorization: Kerberos also offers a system for authorization in addition to
authentication. After being authenticated, a user can submit service tickets for certain
network resources. Users can access just the resources they have been given permission to
use thanks to information about their privileges and permissions contained in the service
tickets.
• Network Security: Kerberos offers a central authentication server that can regulate user
credentials and access restrictions, which helps to ensure network security. In order to
prevent unwanted access to sensitive data and resources, this server may authenticate users
before granting them access to network resources.

Key Distribution Center (KDC)

A trusted third-party that verifies user identities located on a Domain Controller (DC), such as the
Active Directory domain.

The KDC includes two servers:

• Authentication Server (AS): Confirms that the access request the user is making is from a
known service and issues Ticket Granting Tickets (TGTs).
• Ticket Granting Service (TGS): Confirms that the access request the user is making is
from a known service and issues service tickets.

Client

Refers to the user or the service the user wants to access. There are often multiple clients within a
realm.

Ticket Granting Ticket (TGT)

Contains the majority of information that needs to pass between the AS and TGS, such as client ID,
service ID, hostname, IP address, session keys, timestamps, time-to-live (TTL). TGTs are
encrypted using a server’s secret key.

Service Ticket (ST)

Provides Users with access to the requested service.

Authenticator Message

Contains the User ID and a timestamp.


How the Kerberos Authentication Process Works

The Kerberos authentication process consists of eight steps, across three different stages:

Stage 1: Client Authentication

1. The user account sends a plaintext message to the Authentication Server (AS), e.g. a
request to access a particular service, including the user ID.
2. The AS confirms whether or not the request is coming from an authorized user by checking
the User ID in the database.

If the User ID belongs to an authorized user, the AS retrieves the user’s password from the
database and uses it as a key to decrypt the request.

3. The user’s password is shared between the AS and the User.


4. The AS verifies the client and then responds with a Ticket Granting Ticket (TGT), which is
encrypted with a different secret key.

Stage 2: Client Service Authorization

5. The User receives and decrypts the TGT before sending it to the TGS.
6. The TGS receives and decrypts the TGT, performs validation, then generates a service
ticket.

Stage 3: Client Service Request

7. The User receives and decrypts the Service Ticket (ST), creates an Authenticator Message,
and sends both tickets to the Service.
8. The Service performs decryption and validation on the ST and Authenticator Message,
creates a new Authenticator Message, and sends this final message to the User to enable
access.
This client authentication process enables mutual authentication between the User and the
Service. Passwords are never shared across the unencrypted network with Kerberos.
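
The three stages above (and the six-step overview before them) as an added simulation that is not part of the original notes. It assumes the standard layout in which the client opens only the part of the AS reply sealed under its password-derived key and forwards the TGT unopened; `seal`/`unseal` are a toy stand-in for the real cipher, and all names, lifetimes and keys are constructed.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed value)
SKEW = 300            # tolerated authenticator age in seconds (assumed value)

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, fields):
    """Toy authenticated encryption standing in for the real Kerberos cipher."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + tag + cipher

def unseal(key, blob):
    """Return the fields, or None when the key is wrong or the blob was altered."""
    nonce, tag, cipher = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)

def user_key(user, password):
    """Long-term user key derived from the password (the AS database holds the same key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

def fresh(auth, user, now):
    """An authenticator is valid if it names the ticket's user and is recent."""
    return auth is not None and auth["user"] == user and abs(now - auth["ts"]) <= SKEW

class KDC:
    def __init__(self, passwords, service_keys):
        self.user_keys = {u: user_key(u, pw) for u, pw in passwords.items()}
        self.service_keys = service_keys       # one secret key shared with each service
        self.tgs_key = os.urandom(32)          # known only to the KDC

    def as_exchange(self, user, now):
        """Stage 1 (AS): look the user up, return (part sealed for the user, TGT)."""
        if user not in self.user_keys:
            return None
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": now + LIFETIME})
        return seal(self.user_keys[user], {"key": session}), tgt

    def tgs_exchange(self, tgt, auth, service, now):
        """Stage 2 (TGS): validate TGT and authenticator, issue the service ticket."""
        ticket = unseal(self.tgs_key, tgt)
        if ticket is None or ticket["exp"] < now or service not in self.service_keys:
            return None
        session = bytes.fromhex(ticket["key"])
        if not fresh(unseal(session, auth), ticket["user"], now):
            return None
        svc_session = os.urandom(32).hex()
        st = seal(self.service_keys[service],
                  {"user": ticket["user"], "key": svc_session, "exp": now + LIFETIME})
        return seal(session, {"key": svc_session}), st

def service_accept(service_key, st, auth, now):
    """Stage 3 (service): validate ticket and authenticator, reply with its own proof."""
    ticket = unseal(service_key, st)
    if ticket is None or ticket["exp"] < now:
        return None
    session = bytes.fromhex(ticket["key"])
    authenticator = unseal(session, auth)
    if not fresh(authenticator, ticket["user"], now):
        return None
    return seal(session, {"ts": authenticator["ts"]})

def login(kdc, service_key, user, password, service, now, auth_age=0):
    """Client side of all three stages; True only if both sides authenticate."""
    reply = kdc.as_exchange(user, now)
    if reply is None:
        return False
    opened = unseal(user_key(user, password), reply[0])
    if opened is None:                         # wrong password: session key unreadable
        return False
    session = bytes.fromhex(opened["key"])
    reply = kdc.tgs_exchange(reply[1], seal(session, {"user": user, "ts": now}), service, now)
    if reply is None:
        return False
    svc_session = bytes.fromhex(unseal(session, reply[0])["key"])
    stamp = now - auth_age                     # auth_age > SKEW models a stale authenticator
    proof = service_accept(service_key, reply[1],
                           seal(svc_session, {"user": user, "ts": stamp}), now)
    if proof is None:
        return False
    echoed = unseal(svc_session, proof)
    return echoed is not None and echoed["ts"] == stamp
```

The password itself never crosses the network in this flow: only blobs sealed under keys derived from it or issued by the KDC do.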
Kerberos Uses

Kerberos implementations are used on a number of operating systems and networking systems to
verify user accounts.

Examples include:

• Amazon Web Services (AWS)
• Google Cloud
• Microsoft Azure
• Microsoft Windows Server and Active Directory
• Apple macOS
• IBM Advanced Interactive eXecutive
• Oracle Solaris
• Linux
• UNIX
• FreeBSD
• OpenBSD

X.509 is a digital certificate that is built on top of a widely trusted standard known as ITU
or International Telecommunication Union X.509 standard, in which the format of PKI
certificates is defined. X.509 digital certificate is a certificate-based authentication security
framework that can be used for providing secure transaction processing and private
information. These are primarily used for handling the security and identity in computer
networking and internet-based communications.

Working of X.509 Authentication Service Certificate:

• The core of the X.509 authentication service is the public key certificate connected to each
user. These user certificates are assumed to be produced by some trusted certification
authority and positioned in the directory by the user or the certified authority. These
directory servers are only used for providing an effortless reachable location for all users so
that they can acquire certificates. X.509 standard is built on an IDL known as ASN.1. With
the help of Abstract Syntax Notation, the X.509 certificate format uses an associated public
and private key pair for encrypting and decrypting a message.
• Once an X.509 certificate is provided to a user by the certified authority, that certificate is
attached to it like an identity card. The chances of someone stealing it or losing it are less,
unlike other unsecured passwords. With the help of this analogy, it is easier to imagine how
this authentication works: the certificate is basically presented like an identity at the
resource that requires authentication.

[Figure: Public Key certificate use]

Format of X.509 Authentication Service Certificate:

Generally, the certificate includes the elements given below:

• Version number: It defines the X.509 version that concerns the certificate.
• Serial number: It is the unique number that the certified authority issues.
• Signature Algorithm Identifier: This is the algorithm that is used for signing the
certificate.
• Issuer name: Tells about the X.500 name of the certified authority which signed and
created the certificate.
• Period of Validity: It defines the period for which the certificate is valid.
• Subject Name: Tells about the name of the user to whom this certificate has been issued.
• Subject’s public key information: It defines the subject’s public key along with an
identifier of the algorithm for which this key is supposed to be used.
• Extension block: This field contains additional standard information.
• Signature: This field contains the hash code of all other fields which is encrypted by the
certified authority private key.

Applications of X.509 Authentication Service Certificate:

Many protocols depend on X.509 and it has many applications, some of them are given below:

• Document signing and Digital signature
• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets Layer
(SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
• Digital Identities
