
Authentication

D = 10325476
E = c3d2e1f0
These values are the same as those used for the SHA-1 algorithm.
Message processing: There are 10 rounds of 16 operations each. The structure of all the rounds is similar, but each round uses a different primitive logical function. Each round makes use of an additive constant. The output of the fifth round is added to the chaining variable input to the first round.
Output: The final value of the buffer is the output. It is a 160-bit message digest.

Comparison of RIPEMD-160 with SHA-1 and MD5


Let us summarise the hashing algorithms with respect to their differences and similarities. Among them, MD5, SHA-1 and RIPEMD-160 are invulnerable to attacks against weak collision resistance. Cryptanalysis of RIPEMD-160 is more difficult than that of SHA-1. RIPEMD-160 and SHA-1 are slower than MD5. A comparison of these algorithms is given in Table 9.6.

Table 9.6 Comparison of RIPEMD-160 with SHA-1 and MD5

Property               RIPEMD-160            SHA-1                 MD5
Message digest         160 bits              160 bits              128 bits
Cryptanalysis attack   Vulnerable to attack  Vulnerable to attack  Not vulnerable
Speed                  Slow                  Slower                Fast
Rounds                 5                     4                     4
Operations             160                   80                    64
Buffer size (bits)     160                   160                   128
Endian architecture    Little endian         Big endian            Little endian

9.4 KERBEROS
Authentication of the user is very important to provide security to any application. Under Project Athena at MIT, an authentication system known as Kerberos was developed. The objective of this project was to provide a huge network of computer workstations so that undergraduate students could access their files stored on any workstation easily from anywhere in the campus.
For this project, symmetric encryption is used to provide authentication and security. It authenticates and identifies the users and the services in the network to each other. The most common way of authentication is the use of a password. The server has a database of user ids and passwords. When any user wants a service in the network, he has first to log in by giving his user id and password. The server verifies the user id and password against the database available with it. Once it matches with the database, the user is permitted to use the necessary service. But as we have already studied the security issues of password authentication, they thought about some new system for authentication. So, they developed Kerberos, which addresses the security issues of using a password for authentication.
The key innovation in Kerberos is that there is no need for the user to reveal the secret key. Users can prove their identity without sending the secret or password over the network. In Kerberos, encryption with a shared secret key is used. A timestamp helps to prove the identity: when the request is sent, the user creates a timestamp, encrypts it with the shared secret key and sends the request to the service. The service decrypts the request and recovers the timestamp. Then authentication succeeds and the necessary service is provided to the user. If the user uses a wrong key and encrypts the timestamp with that key, then the timestamp will not decrypt properly and authentication fails. In this case, the service rejects the request of the user. This system is secure as the shared secret key is not transmitted over the network. The Kerberos architecture is more complex due to the use of a secret key in a more convenient manner and to patch some of the problems.

9.4.1 Basics of Kerberos

As discussed above, Kerberos is designed for authentication in client-server architecture. In this architecture, the server is not only dependent on the information given by the client but it also verifies the same from its database. The components of Kerberos are: a server, clients, an authentication server and a ticket-granting server. Suppose there is no secret key shared by the client and the server. In this case identifying the client is done using the Kerberos protocol and a session key is generated for communication between the server and a client. The Kerberos working is shown in Figure 9.10.

[Figure 9.10 Kerberos: the client interacts with the authentication server, the ticket-granting server and the server.]

The client sends his user id and requests a ticket for the ticket-granting service from the authentication server. The authentication server (AS) has a database of password information for all the clients. The authentication server returns an encrypted ticket to the client. The client decrypts the ticket using his secret key. Now, the client would like to use the service from the server. But before this, the client must be allowed to communicate with the server. So, the client submits the ticket to the ticket-granting server. The ticket-granting server verifies the ticket for identifying the client and after verification gives a new ticket to the client. This ticket will allow the client to make use of the service.
The client now submits the ticket to the server. He sends the ticket and the authentication credential to the server. The server checks the ticket and the credential to make sure whether it is a valid client and whether the authentication server will provide the service to the client or not. After verification, the server provides the service to the client.
The main objective of Kerberos is authentication. So, the AS serves as an introducer for the client and the service. Both the client and the service must have a shared secret key, which is stored with the AS and used for a long time. Such keys are the Kerberos keys; there is no need to store the password. Figure 9.11 shows the authentication. Authentication can be done using the following steps:
Step 1 The user sends a request to the authentication server for a service.
Step 2 The authentication server generates a secret key that will be shared only by the user and the service. This key is called the session key. The authentication server replies to the user's request by sending a message. The message has two parts. The first part contains the secret key along with the service's name, which is encrypted with the user's key. The other part contains that same secret key along with the user id, encrypted with the server's key. In Kerberos phrasing, the first part is called the user's credentials and the second part is called the ticket.

[Figure 9.11 Authentication: the client sends a login request to the authentication server, which returns the credentials (random key encrypted with the user's long-term key) and the ticket (random key encrypted with the service's long-term key); the client then presents the ticket to the file server.]

Step 3 Then the user generates a timestamp and encrypts it with the secret key. The user sends the timestamp, called the authenticator, along with the ticket to the service. The service decrypts the ticket with its secret key and recovers the session key. This key is then used to decrypt the authenticator. The service trusts the authentication server for the authentication of the user. So, at the service no further authentication process of the user takes place. Sometimes, the user may want the authentication of the service; so the service takes the timestamp from the authenticator, adds the service's own name to it, and encrypts it with the session key. This encrypted message is sent to the user.
For every service the user contacts the authentication server, and it takes time for the authentication of the users. This increases the load on the authentication server. To reduce the load on the AS, one more server is introduced called the ticket-granting server (TGS). Now, in this case the user's first service request is for the TGS, which then grants additional tickets for other services. Thus, the database of user ids and passwords is located with the authentication server and the trust is with the TGS.

9.4.2 Kerberos Ticket-granting Approach

Here, the term "client" refers to a user or to a client-side application program operating on behalf of a user. The term "application" refers to a remote server computer which provides a shared service. The term "password" refers to the user's password or to a cryptographic key derived from it. The term "session key" refers to a cryptographic key issued for use in communication between a client and an application server, which is valid for some defined interval of time.
A ticket and an authenticator are the two basic credentials used in Kerberos. Both the credentials are based on a private key, but both use a different private key. When the client or user logs in on a computer, he has to enter his password. He gets a ticket from the authentication server and sends this ticket to the application server as a part of the request for a service. Then the client sends an authenticator to the application server along with the ticket. The application server uses the authenticator and the ticket to verify that the request was sent by the client to whom the ticket was issued.
To achieve these objectives, after the initial exchange with the authentication server, the AS issues a "ticket-granting ticket" (TGT) to the user. The TGT contains a session key to be used for subsequent ticket requests. Each TGT has a fixed life span; generally it is set to 8 hours. The use of the TGT reduces the load on the AS and also there is no need for the user to authenticate himself every time for different services in a network.
The initial message is sent automatically at the time of login from the client to the authentication server. The initial message contains the user's identification number and a request for a TGT, as shown in Figure 9.12.

[Figure 9.12 Ticket-granting ticket: the client sends a request for a ticket-granting ticket to the authentication server, which returns the ticket-granting ticket encrypted with the user's password.]

The authentication server replies back with a message encrypted with the user's password and containing a TGT encrypted with the user's password (Figure 9.11). After receiving the message, the user decrypts the TGT message to get the session key. The client uses this session key for subsequent ticket requests. This session key for subsequent ticket-granting requests is referred to as the TG key.

9.4.3 Ticket-Granting Server

To reduce the load on the authentication server, one more server is introduced called the ticket-granting server (TGS). The TGS resolves the problem of password re-entry every time for new service requests. The TGS is located on the same server where the authentication server is located, but logically it is different from the AS. The purpose of the TGS is to provide the ticket and session key so that the user has to enter his password only once, and the obtained ticket and session key are used for additional services in the network.
Initially, the user sends the request for a ticket from the AS to talk to the TGS. It is called the ticket-granting ticket, or TGT. The session key is encrypted using the user's secret key. After receiving the TGT and the session key, the user requests the TGS for a ticket. This can be done at any time if he wants to use any service. The reply from the TGS is encrypted with the session key. The user already has a session key, so there is no need of his own secret key. It is sort of like when you visit some industry or organisation. You have to show your regular ID to the receptionist at the counter to get a guest ID (visitor card) for visiting the industry or organisation. This works like the client's request to the AS. After verifying the user ID, the receptionist issues a guest ID or visitor card, just like the AS replies to the user by sending the TGT
and the session key. Now, when you want to enter various rooms in the industry or organisation, instead of showing your regular ID over and over again, which might make it vulnerable to being dropped or stolen, you have to show your guest ID, which is only valid for a short time anyway. This is like the user not having to use his password once the AS gives him the TGT and the session key. If it was stolen, you could get it invalidated and be issued a new one quickly and easily, something that you could not do with your regular ID.
The advantage of the above scheme is that the session key and ticket are used instead of the user's secret key. Therefore, if the session key is captured by the attacker, less damage happens, as the session key and TGT are valid only for a limited time period. But if the user has to use his secret key and the key is captured by the attacker, then more damage happens than with the session key and the TGT, as the life of the secret key is longer. This TGT, as well as any tickets that you obtain using it, is stored in the credentials cache. The term "credentials" actually refers to both the ticket and the session key in conjunction.
Once the client gets a TG key, the client requests a specific service. This is shown in Figure 9.13. The client sends a request to the TGS to obtain a ticket for the service. The TGS can verify the client identification information encrypted in the message with its database of the TG key. Each ticket has a timestamp. The timestamp protects from reuse of the message.

[Figure 9.13 Subsequent requests for services from the ticket-granting service: the client sends the encrypted ticket-granting ticket together with a session key encrypted with the TG key to the ticket-granting service, which returns a ticket for the service encrypted with the AS key.]

After checking the identity of the client, the ticket-granting service sends a ticket to the user. The ticket contains information about the client's identity and the newly generated session key. The information in the ticket cannot be changed or altered by the client. He can only forward it to the server. The client then sends a message to the application server, as shown in Figure 9.14. As noted above, the message contains the ticket and an authenticator identifying the client. The authenticator is constructed by the client and contains the client's information and a timestamp. After receiving the message, the application server can decrypt the ticket because it is encrypted with the server's own key. The ticket contains the session key, which is used to decrypt the authenticator. For a valid request, the data embedded in the authenticator must match that in the ticket. Further messages between the client and the application server may be encrypted using the session key.

[Figure 9.14 Communication between the client and the application server: the client sends the ticket for the requested service and an authenticator encrypted with the session key to the application server.]

9.4.4 Kerberos Third-party Authentication Model

In the Kerberos system, one or more trusted authentication servers may be used (termed KDCs or key distribution servers). This is used to provide third-party authentication, which is helpful for cooperating systems and applications. The client acquires tickets from the trusted authentication server(s), which can be used to provide proof of identification for subsequent requests for services and applications. This ticket is encrypted, so it is secured in transmission. The detail of the Kerberos authentication is as follows:
1. The user wants some service, so he first sends his request to an authentication server. This request contains the user's name and the name of the ticket-granting server that he will use.
2. The user logs in on the client and requests a ticket-granting ticket.
3. After authentication using the password and username, the initial ticket is granted by the AS to the client.
4. The client then submits this ticket to the ticket-granting service for a particular service.
5. The ticket-granting service issues a ticket to the client.
6. The client now submits the ticket to the particular server for the desired service.
The details of the communications between a client, the various KDCs, and the services used by the client are rather complex. Figure 9.15 graphically illustrates the interactions between the different systems involved in the Kerberos network.

[Figure 9.15 Authentication model: the user logs in with username and password on the client (1); the client exchanges messages with the ticket-granting ticket and ticket-granting service of the KDC (2, 3, 4, 5) and finally with the service providing server (6).]

9.4.5 Kerberos Authentication Model: Definitions and Notational Conventions

Some terms and notational conventions used in the Kerberos authentication model are:
1. Authentication ticket: It is a record of authentication issued by an authentication server to a client system as a proof of that client's user being authentic.
2. Authenticated service: A service which is only provided to authenticated users via Kerberos and whose clients can present valid authentication tickets as proof of authentication.
3. Target service: The service for which a client is requesting a ticket or to which the client is presenting a ticket.
4. Initial ticketing service: It is the service by which the clients receive their initial tickets.
5. Ticket-granting service: The service by which clients receive tickets to specific target services.
6. Ticket-granting ticket: A ticket provided on demand by the initial ticketing service which must be presented to the ticket-granting service in order to request a service ticket.

9.4.6 Kerberos Authentication Model

The Kerberos authentication model uses a symmetric key encryption technique. Kerberos IV uses the DES algorithm and Kerberos V uses the DES and IDEA algorithms. To provide more security, a double encryption technique is used. For encryption two keys are used, i.e., the user password and the session key. The user password has a long life span and is used only for initial authentication, whereas the session key has a life of 8 to 10 hours and is used for requesting different services after initial authentication.
The user first logs in on the client by using his user id and password. The client sends the request for a ticket to the authentication server for the particular user by providing his user id to the AS and not the password. The authentication server verifies the user id and sends the encrypted ticket to the client. If the user is able to decrypt the ticket by his password then the user is considered as authenticated. Then the user sends the ticket to the service he wants to use. If a service is able to decrypt a ticket using its own secret key, the service may presume that the user is authentic. In this way, the authentication takes place in the Kerberos environment without passing the password information over the insecure channel. So, it is difficult for the attacker to capture the secret information about the user. The authentication in Kerberos takes place in 6 steps as shown in Figure 9.16.

[Figure 9.16 Kerberos authentication model: the user logs in with username and password on the client (1); the client exchanges messages with the initial ticket-granting service and the ticket-granting service of the KDC (2, 3, 4, 5) and finally with the target service (6).]


Step 1 The user first logs in on the client by using his user id and password.
Step 2 The client sends a request to the AS requesting a ticket for the user. This request is totally unauthenticated and it contains only the user id and not the password of the user.
Step 3 The ticketing service then verifies the user's name in its database. If the user name is in the database, he is an authenticated user and the ticketing service generates a unique session key for later use during the authenticated session. This ticketing service sends to the client the double-encrypted ticket-granting ticket and the session key in the form:
Kuser{Ks, Ktgs{Ttgs, Ks}}
Step 4 The client then decrypts the ticket-granting ticket using the user's password. If the client successfully decrypts the ticket using the user's password, then the user is authentic. Then the client stores the ticket TGT (Ktgs{Ttgs, Ks}) for later use. Then the client sends a ticket request to the ticket-granting service (TGS) for a particular service requested by the user. This request for a ticket is in the form:
{TGT, Ks{request, client-IP, timestamp}}
(where TGT = Ktgs{Ttgs, Ks})
Step 5 The ticket-granting service decrypts the TGT using its own secret key (Ktgs) and the rest of the message is decrypted by using the session key. If the ticket-granting service successfully decrypts the ticket, it gets the following information:
• The TGT was issued by the authenticated ticketing service.
• The request for the service is from the authenticated user.
Once the authentication is completed, the TGS generates a session key and the ticket for the requested service. The TGS sends the session key and the ticket to the client machine in the form:
Ks{Ksession, Kser{Tservice, Ksession}}
Step 6 The client machine decrypts the service ticket using the session key (Ks) and yields the session key (Ksession) and an encrypted service ticket (Kser{Tservice, Ksession}). The client then submits the encrypted ticket to the requested service. The service decrypts the ticket using its own secret key (Kser). If the decryption is successful, the target service authenticates the user. The communication between the client and the service now starts. They can use the session key for secure communication. The user can access other services in Kerberos using steps 4, 5 and 6 repeatedly from the client machine.

9.4.7 Cross-Realm Authentication

So far we have discussed the client using the service in one Kerberos environment. If the user from one Kerberos environment wants to use the services from another Kerberos environment, the authentication of that user should be done by the Kerberos environment to which the user belongs. So, the users or clients of one Kerberos environment can use the services from another Kerberos environment without authentication by a Kerberos realm other than their own: the realm to which the users belong authenticates them to services which belong to other realms. This property is known as cross-authentication. It is based on a trust between the Kerberos realms involved. This trust relationship may be mono-directional or bi-directional. Mono-directional means the users of Kerberos environment A can access the services of Kerberos environment B but not vice-versa. Bi-directional means the users of Kerberos environment A can access the services of Kerberos environment B and vice-versa.
We discuss the case where there is only one authentication server and only one ticket-granting server. These servers may or may not be installed on the same machine. This can work well if the number of clients is small. If there are more clients on the network, there are more requests to the AS and TGS. This deteriorates the performance of the AS and TGS. If the AS or TGS fails, the whole system fails. Therefore, a single KDC cannot work properly for the whole network. This is just like working in a small group, which always gives better performance. In the same way, the large Kerberos environment is divided into distinct small realms. Each realm has its own authentication server and ticket-granting server. This helps to improve the performance and also avoids the failure problem due to a single AS and TGS.
To allow the user from one Kerberos environment to access the service in another Kerberos environment, the user should first register with the TGS in the service's realm. In some cases, if there are many Kerberos realms, it is difficult for the user to register in every other realm. Instead of the above method, there is a network of realms, so that the user sometimes contacts the RTGS in one or more intermediate realms. These realms are called the transited realms. Also, the names of the realms are included in the ticket. Due to this, the end service knows all of the intermediate realms that were transited, and can decide whether or not to accept the authentication. Kerberos version 4 had only peer-to-peer realm authentication, while Kerberos version 5 supports scaling.
There are three types of cross-realm authentication based on trust: direct, transitive and hierarchical.

1. Direct trust relationship: It occurs when the KDC of one realm has direct trust in the KDC of another realm (Figure 9.17). It allows the users of the latter realm to access its services. This can be done by using a shared key.

[Figure 9.17 Direct trust between realms N (with sub-realms N1 and N2) and M.]


2. Transitive trust relationship: In the above case, if the number of realms increases, the number of shared secret keys also increases. A transitive trust relationship solves this problem. Here, if realm A has a trust on realm B, and realm B has a trust on realm C, then realm A has a trust on realm C. This helps to reduce the number of shared secret keys required.
3. Hierarchical trust relationship: If, within organisations, the convention of naming realms uses upper case letters with the name of DNS domains and it belongs to a hierarchy, then Kerberos version 5 will support adjacent realms having a trust relationship.

The steps followed by cross-realm authentication are:

Step 1 The client requests the local KDC for a cross-realm ticket.

Step 2 The client submits the cross-realm ticket to the other KDC for a service ticket for the target service.

Step 3 The client submits the service ticket to the other AS server.
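The three trust types above and the "transited realms" check by the end service can be modelled as a small directed graph. The following is an added example written for this page, not code from the book or from any Kerberos implementation. The realm names, the allow list held by the end service, and the rule of counting one shared key per pair of directly trusting realms are assumptions of the example; the hierarchical rule (a realm named after a DNS domain trusts the realm one level up, in both directions) follows the text's description of Kerberos version 5 naming.

```python
from collections import deque


def hierarchical_edges(realms):
    """Kerberos V5 naming convention from the text: a realm named after a DNS domain
    has a bi-directional trust with its adjacent parent realm, if that realm exists."""
    edges = set()
    for realm in realms:
        parent = realm.split(".", 1)[1] if "." in realm else None
        if parent in realms:
            edges.add((realm, parent))   # (trusting realm, trusted realm)
            edges.add((parent, realm))
    return edges


def trust_path(edges, src, dst):
    """Transitive trust: breadth-first search over directed (trusting, trusted) edges.
    Returns the realm sequence from src to dst, or None if no chain of trust exists.
    A mono-directional trust is simply an edge with no reverse edge."""
    parents, queue = {src: None}, deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:
                path.append(realm)
                realm = parents[realm]
            return path[::-1]
        for trusting, trusted in sorted(edges):
            if trusting == realm and trusted not in parents:
                parents[trusted] = realm
                queue.append(trusted)
    return None


def transited_realms(path):
    """Intermediate realms recorded in the ticket: everything except the two ends."""
    return path[1:-1]


def service_accepts(path, trusted_intermediates):
    """End-service policy (assumed for this example): accept the authentication only
    if every transited realm named in the ticket is on the service's allow list."""
    return path is not None and all(r in trusted_intermediates for r in transited_realms(path))


def shared_keys_needed(edges):
    """Assumption of this example: one shared key per pair of directly trusting realms."""
    return len({frozenset(e) for e in edges})


def full_mesh_keys(n):
    """Direct trust between every pair of n realms, the case transitivity avoids."""
    return n * (n - 1) // 2
```

With a chain A trusts B, B trusts C, trust_path(edges, "A", "C") returns ["A", "B", "C"] and transited_realms gives ["B"]; the reverse query returns None, which is the mono-directional case. For the constructed realms SALES.EXAMPLE.COM, EXAMPLE.COM and ENG.EXAMPLE.COM, hierarchical_edges yields two trust relationships (two shared keys) where a full mesh of three realms would need three, and the path between the two leaf realms transits EXAMPLE.COM, which the end service can then accept or refuse.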

9.4.8 Kerberos and Public Key Cryptography

Kerberos uses symmetric key encryption techniques. But as we know, asymmetric key encryption techniques are more powerful than symmetric key encryption and can be used for authentication, key distribution and non-repudiation. In this case, the public key is available to all the users in the Kerberos realms whereas the private key is known only by the owner user. The KDC also does not know the user's private key. When the KDC generates the ticket after authentication, it encrypts the session key with a random key generated by the KDC. Again it encrypts this random key with the user's public key. At the user end, the user can decrypt it using his private key and then obtains the random key, with which he decrypts the message and gets the session key. We can use one of the methods of public key cryptography as discussed earlier in this chapter.

9.4.9 Advantages of Kerberos

The Kerberos authentication model offers a number of advantages over more traditional authentication schemes.

1. The user logs in on the client machine with his id and password. His password is never transmitted across the network in any form, i.e., encrypted or plaintext form. Only the shared secret key is transmitted across the network in encrypted form. This provides more security.
2. The client machine and the server mutually authenticate each other during each communication.
3. The Kerberos authentication model uses timestamp and lifetime information in the ticket, which limits the duration of the users' authentication. After the specified lifetime, the ticket is invalid for authentication.
4. Once the authentication of the user takes place, he can use different services across the Kerberos network without re-entering his personal information like the password.
5. The shared secret may be used for encrypting the communication between the client and the service. This improves the security in the Kerberos environment.
6. Kerberos is entirely based on open Internet standards.

9.4.10 Weaknesses of Kerberos

The weaknesses of the Kerberos authentication model are as follows:

1. In Kerberos IV, the DES algorithm is used for encryption. But DES is not a secure algorithm today. So in Kerberos V, 3DES or IDEA is used for encryption, which is more secure.
2. For a multi-user client system, the Kerberos authentication scheme fails due to a variety of ticket-stealing and replay attacks.
3. The AS model is vulnerable to brute-force attacks.

9.4.11 Attacks on Kerberos

Many attacks have been successfully carried out against Kerberos. These attacks include replay attacks, password-guessing attacks, and inter-session chosen plaintext attacks.

1. Replay attacks: A replay attack occurs when an attacker captures a packet from the network and sends that packet to a service as a user of that service. When the packet is authenticated by the service, the attacker can use the replay on behalf of the other user and access the other user's resources. The use of the authenticator in Kerberos helps to prevent replay attacks.

2. Password-guessing attacks: The reply to the request of a user, the ticket-granting ticket, is sent in encrypted form. To decrypt the reply the user's password is required. If the user's password is not strong, then it is possible for the attacker to guess the password, and the attacker is able to decrypt the message.

3. Inter-session chosen plaintext attacks: As per the Kerberos version 5 draft, inter-session chosen plaintext attacks are possible against it.
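The six-step exchange of Section 9.4.6, written in the book's notation Kuser{Ks, Ktgs{Ttgs, Ks}}, {TGT, Ks{request, client-IP, timestamp}} and Ks{Ksession, Kser{Tservice, Ksession}}, and the authenticator's role against the replay attack described above can both be seen in one small simulation. The following is an added example written for this page; it is not the book's code and not an implementation of the real Kerberos protocol or of any Kerberos library. Its assumptions: the cipher K{...} is a toy construction (HMAC-SHA256 in counter mode with an HMAC tag) standing in for DES or IDEA, so that decryption with a wrong key fails rather than producing a garbled timestamp; Kuser is derived from the password by a plain SHA-256 hash; the principal names, the 8-hour TGT lifetime from the text, the five-minute clock skew and the replay cache of (client, timestamp) pairs are policy choices made for the example.

```python
import hashlib, hmac, json, os

SKEW = 300               # assumed policy: authenticator must be within 5 minutes of server time
TGT_LIFETIME = 8 * 3600  # the 8-hour ticket life span mentioned in the text

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a toy stream cipher (stands in for DES/IDEA)
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, obj):
    """K{obj}: encrypt-then-MAC, so the wrong key fails loudly instead of garbling."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()   # Kuser, simplified derivation

def check_fresh(cache, client, timestamp, now):
    """Authenticator check shared by TGS and service: reject stale or replayed timestamps."""
    if abs(now - timestamp) > SKEW:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    if (client, timestamp) in cache:
        raise ValueError("replayed authenticator")
    cache.add((client, timestamp))

class KDC:
    """AS and TGS roles together; db maps principal name -> long-term key."""
    def __init__(self, db):
        self.db, self.seen = db, set()

    def as_exchange(self, user, now):
        # Step 3: Kuser{Ks, Ktgs{Ttgs, Ks}}; the request (step 2) carried no password
        ks = os.urandom(16).hex()
        ttgs = {"client": user, "expires": now + TGT_LIFETIME}
        tgt = encrypt(self.db["krbtgt"], {"Ttgs": ttgs, "Ks": ks})
        return encrypt(self.db[user], {"Ks": ks, "TGT": tgt})

    def tgs_exchange(self, tgt, authenticator, now):
        # Step 5: open the TGT with Ktgs, then the authenticator with Ks
        inner = decrypt(self.db["krbtgt"], tgt)
        ttgs, ks = inner["Ttgs"], bytes.fromhex(inner["Ks"])
        if now > ttgs["expires"]:
            raise ValueError("TGT expired")
        auth = decrypt(ks, authenticator)
        check_fresh(self.seen, ttgs["client"], auth["timestamp"], now)
        ksession = os.urandom(16).hex()
        tservice = {"client": ttgs["client"], "service": auth["request"],
                    "expires": now + TGT_LIFETIME}
        ticket = encrypt(self.db[auth["request"]], {"Tservice": tservice, "Ksession": ksession})
        return encrypt(ks, {"Ksession": ksession, "ticket": ticket})  # Ks{Ksession, Kser{...}}

class Service:
    def __init__(self, name, kser):
        self.name, self.kser, self.seen = name, kser, set()

    def accept(self, ticket, authenticator, now):
        # Step 6: Kser opens the ticket; Ksession from the ticket opens the authenticator
        t = decrypt(self.kser, ticket)
        ksession = bytes.fromhex(t["Ksession"])
        auth = decrypt(ksession, authenticator)
        if auth["client"] != t["Tservice"]["client"] or now > t["Tservice"]["expires"]:
            raise ValueError("authenticator does not match ticket")
        check_fresh(self.seen, auth["client"], auth["timestamp"], now)
        # mutual authentication: timestamp plus the service's own name, under the session key
        return encrypt(ksession, {"timestamp": auth["timestamp"], "service": self.name})

class Client:
    def __init__(self, user, password, ip):
        self.user, self.kuser, self.ip = user, key_from_password(password), ip
        self.creds = {}  # credentials cache: principal -> (ticket, key)

    def login(self, kdc, now):
        reply = decrypt(self.kuser, kdc.as_exchange(self.user, now))  # steps 1-4
        self.creds["krbtgt"] = (reply["TGT"], bytes.fromhex(reply["Ks"]))

    def get_service_ticket(self, kdc, service, now):
        tgt, ks = self.creds["krbtgt"]
        auth = encrypt(ks, {"request": service, "client-IP": self.ip, "timestamp": now})
        reply = decrypt(ks, kdc.tgs_exchange(tgt, auth, now))
        self.creds[service] = (reply["ticket"], bytes.fromhex(reply["Ksession"]))

    def use_service(self, svc, now):
        ticket, ksession = self.creds[svc.name]
        auth = encrypt(ksession, {"client": self.user, "timestamp": now})
        resp = decrypt(ksession, svc.accept(ticket, auth, now))
        return resp["service"] == svc.name and resp["timestamp"] == now
```

A run consists of building a KDC over a constructed database (for example the principals "alice", "krbtgt" and "fileserver"), calling Client.login, then get_service_ticket and use_service; use_service returns True when the service's mutual-authentication reply carries the service's own name and the client's timestamp. Presenting the same authenticator a second time, or one whose timestamp is an hour old, raises ValueError at check_fresh, which is the replay defence the text credits to the authenticator; a client constructed with the wrong password cannot open the AS reply at all, which is the password-guessing surface described above, since nothing in the exchange reveals whether the guess was right except the ability to decrypt.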
9.4.12 Applications and Limitations of Kerberos

Kerberos is used to provide authentication, authorisation and confidentiality within a network or a small set of networks. However, one cannot use Kerberos for generating digital signatures.

The main assumption about the Kerberos environment is that there should be trust on the hosts. But if the host is compromised, an attack can occur and the security of Kerberos may be broken. A ticket stored in the host's cache may be used for such an attack. But there is less possibility of such attacks. A dictionary attack is possible if the user password is guessable. The timestamp prevents such attacks. If the user needs more time for using the different services, then the small timestamp creates a problem and authentication is required again. In Kerberos 4, for long processes, tickets having a small timestamp can have this problem. Kerberos version 5 solved this problem by renewing the ticket after the end of the time span allotted to a ticket.
9.4.13 Comparisons of Kerberos with SSL

The Secure Socket Layer protocol (SSL) is also used for authentication. Table 9.7 shows the comparison between Kerberos and SSL.

Table 9.7 Comparison between Kerberos and SSL

SSL                                                    Kerberos
Encryption is done using public key.                   Encryption is done using private key.
Authentication is based on certificate.                Authentication is based on a trusted third party.
Ideal for secure communications with a large,          Ideal for networked environments where all
variable user base that is not known in advance.       services and users are known in advance.
Key revocation must be achieved either by sending      Key revocation can be achieved by disabling a
certificates to all related servers or by having a     user at the KDC.
centralised server.
Probability of cracking the certificate is more        Probability of cracking the password is less as
as it is stored in the user's hard disk.               it is not stored in written form.
One has to pay for the service as it is patented.      Freely available as Kerberos is open source.

9.5 X.509 AUTHENTICATION SERVICE


ITU-T recommends X.509, the authentication service. It specifies the authentication service for X.500 directories. It also specifies the syntax for the X.509 certificate. The first version of X.509 was published in 1988. The second version was published in 1993. The third version was proposed in 1994 and considered for approval in 1995. There were some security issues in the first two versions of X.509. These issues are addressed in version 3. A secret key or public key is used for directory authentication. The standard does not specify the algorithms used for certificates, but RSA is the most popular choice for this. In this, every user has a certificate whose validity depends on a chain of trust.

An X.509 certificate consists of the following fields:


1. Version: This gives information about the version of the X.509 standard that applies to the certificate. Currently three versions of X.509 certificates are available. The version indicates the information available with the certificate.
2. Serial number: The serial number of the certificate distinguishes it from other certificates issued by the same party. The certificate's serial number is placed in a certificate revocation list (CRL) when a certificate is revoked.
3. Signature: This identifies the algorithm used to compute the signature on the certificate.
4. Issuer name: It is the X.500 name of the entity who signed the certificate. Generally, it is a certificate authority (CA). Using the issuer name certificate implies trusting the entity who signed the certificate.
5. Validity: Each certificate has its life span. Validity gives the information about this life span. The life span can be as short as a few seconds or almost as long as a century. This contains two types of information: a start date and
