HMAC

Uploaded by

Sena BİTİRGEN

HMAC | MAC based on Hash Function | HMAC Structure | HMAC Implementation | HMAC Pros & Cons

HMAC Concept

HMAC (Hash Message Authentication Code) is a specific technique for calculating a message authentication code (MAC) that combines a cryptographic hash function with a secret key.

Figure: Block diagram of HMAC

HMAC Structure & Implementation


Figure: HMAC Structure

Figure: HMAC Implementation

HMAC Algorithm

1. Append zeros to the left end of K to create a b-bit string K+.

2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.

3. Append M to Si.

4. Apply H to the stream generated in step 3.

5. XOR K+ with opad to produce the b-bit block So.

6. Append the hash result from step 4 to So.

7. Apply H to the stream generated in step 6 and output the result.

HMAC Algo Step by Step Explanation

Step – 1: Make the length of K+ equal to b.

If length of K < b: add 0 bits as required to the left of K.

If length of K = b: in this case, we do not take any action, and proceed to step 2.

If length of K > b: we need to shorten K; for this, we pass K through the message-digest algorithm (H) selected for this particular instance of HMAC.

Step – 2: XOR K+ with ipad to produce Si.

XOR K+ (the output of step 1) and ipad to produce a variable called Si.

Here ipad = 00110110 (36 in Hexadecimal) repeated b/8 times.

Equation, K+ ⊕ ipad = Si

Step – 3: Append original message M to Si


Take the original message (M) and simply append it to the end of Si.

Equation, [(K+ ⊕ ipad) || M] = Si || M

Step – 4: Apply Message-digest algorithm

The selected message-digest algorithm (e.g. MD5, SHA-1, etc.) is applied to the output of step 3.

Equation, H[(K+ ⊕ ipad) || M] = H(Si || M)

Step – 5: XOR K+ with opad to produce So

XOR K+ (the output of step 1) with opad to produce a variable called So.

Here opad = 01011100 (5C in Hexadecimal) repeated b/8 times.

Equation, K+ ⊕ opad = So

Step – 6: Append H to So

Append the message digest calculated in step 4 to the end of So.

Equation, (K+ ⊕ opad) || H [(K+ ⊕ ipad) || M] = So || H(Si || M)

Step – 7: Apply Message-digest algorithm

The selected message-digest algorithm (e.g., MD5, SHA-1, etc.) is applied to the output of step 6 (i.e. to the concatenation of So and H). The result is the MAC.

Equation, HMAC (K, M) = H [(K+ ⊕ opad) || H [(K+ ⊕ ipad) || M]]
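The seven steps above carried out in Python, as an added example that is not part of the original notes. It uses only the standard library and cross-checks the step-by-step value against Python's own hmac module; note that RFC 2104 and FIPS 198 append the zero padding of step 1 on the right of K, which is what the code does so that the two agree.

```python
import hashlib
import hmac  # standard library; used only to cross-check the step-by-step result

IPAD = 0x36  # 00110110, repeated for every byte of the b-bit block
OPAD = 0x5C  # 01011100, repeated for every byte of the b-bit block


def hmac_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]], computed step by step."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # block length of H in bytes (64 for SHA-256)

    # Step 1: K+ is K brought to exactly b bytes. A key longer than b is first
    # replaced by H(K), as the notes say. The notes place the zero padding on the
    # left; RFC 2104 / FIPS 198 append it on the right, which is what is done here
    # so the result agrees with every standard HMAC implementation.
    if len(key) > b:
        key = H(key)
    k_plus = key + b"\x00" * (b - len(key))

    s_i = bytes(k ^ IPAD for k in k_plus)   # Step 2: Si = K+ ⊕ ipad
    inner = H(s_i + message)                # Steps 3-4: H(Si || M)
    s_o = bytes(k ^ OPAD for k in k_plus)   # Step 5: So = K+ ⊕ opad
    return H(s_o + inner)                   # Steps 6-7: H(So || H(Si || M))


def verify_mac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_steps(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """True when the step-by-step value equals what Python's hmac module computes."""
    return hmac_steps(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample values
    msg = b"transfer 100 to account 42"
    tag = hmac_steps(key, msg)
    print(tag.hex())
    print(verify_mac(key, msg, tag))                            # True
    print(verify_mac(key, b"transfer 900 to account 42", tag))  # False
```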

Pros & Cons of HMAC

Pros:

HMACs are faster to compute and verify than digital signatures because they use hash functions rather than public-key operations.

HMACs can be used in some cases where the use of public key cryptography is
prohibited.

HMACs are much smaller than digital signatures.

Cons:

Key exchange is the main issue; HMAC also cannot by itself prevent replay of a message.

HMAC cannot be used if the number of receivers is greater than one.


If multiple parties share the same symmetric key, how does a receiver know that the message was prepared and sent by the sender?

Message Authentication Code based on Block Cipher | MAC based on Block Cipher | Data Authentication Algorithm (DAA) | Cipher-based Message Authentication Code (CMAC)

Data Authentication Algorithm (DAA)

Figure: DAA Block Diagram

One of the most widely used MACs is referred to as the Data Authentication Algorithm. The algorithm is built on the Cipher Block Chaining (CBC) mode of operation of DES, as shown in the figure. The data (e.g., message, record, file, or program) to be authenticated are grouped into fixed-size 64-bit blocks: D1, D2, …, DN. If necessary, the final block is padded on the right with zeros to make a full 64-bit block. Using the DES encryption algorithm and a secret key, a data authentication code (DAC) is calculated as follows:

The DAC consists of either the entire final block ON or the leftmost M bits of that block, with 16 ≤ M ≤ 64.

Cipher based message authentication code (CMAC)


Figure: CMAC Block Diagram

The Data Authentication Algorithm (DAA) is now obsolete. CMAC was designed to overcome the deficiencies of DAA. The Cipher-based Message Authentication Code (CMAC) is a mode of operation for use with AES and triple DES. First, let us define the operation of CMAC when the message is an integer multiple n of the cipher block length b. For AES, b = 128, and for triple DES, b = 64. The message is divided into n blocks (M1, M2, …, Mn).

For AES, the key size is 128, 192, or 256 bits; for triple DES, the key size is 112 or
168 bits. CMAC is calculated as follows:

C1 = E(K, M1)

C2 = E(K, [M2 ⊕ C1])

C3 = E(K, [M3 ⊕ C2])

Cn = E(K, [Mn ⊕ Cn-1 ⊕ K1])

T = MSB_Tlen(Cn)
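An added Python example (not part of the original notes) of the CMAC chaining above. The standard library has no AES or 3DES, so E(K, .) is a constructed toy 64-bit keyed permutation and the tags are illustrative only; the derivation of K1 from E(K, 0) by doubling in GF(2^b), as NIST SP 800-38B specifies, and the K2/padding path for messages that are not a whole number of blocks go beyond the case shown in the notes.

```python
import hashlib

BLOCK = 8            # b = 64 bits, the triple-DES block size used in the notes
RB = 0x1B            # GF(2^64) reduction constant from NIST SP 800-38B


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for E(K, .): a 4-round Feistel permutation on 64-bit
    blocks with a SHA-256 round function. It is a keyed permutation, which is all
    CMAC needs, but it is NOT a secure cipher; use single-block AES or 3DES
    encryption in its place for real use."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ c for a, c in zip(left, f))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^64): shift left one bit, XOR Rb if the top bit was set."""
    n = int.from_bytes(block, "big")
    msb = n >> (8 * BLOCK - 1)
    n = (n << 1) & ((1 << (8 * BLOCK)) - 1)
    if msb:
        n ^= RB
    return n.to_bytes(BLOCK, "big")


def subkeys(key: bytes, E=toy_block_cipher):
    """K1 (last block is full, the case in the notes) and K2 (last block is padded)."""
    k1 = _double(E(key, bytes(BLOCK)))
    return k1, _double(k1)


def cmac(key: bytes, message: bytes, tlen: int = BLOCK, E=toy_block_cipher) -> bytes:
    k1, k2 = subkeys(key, E)
    n = max(1, -(-len(message) // BLOCK))          # number of blocks, at least one
    blocks = [message[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    if len(message) > 0 and len(message) % BLOCK == 0:
        last = xor(blocks[-1], k1)                  # Mn ⊕ K1, as in the notes
    else:                                           # pad 10...0 and use K2 instead
        padded = blocks[-1] + b"\x80" + b"\x00" * (BLOCK - len(blocks[-1]) - 1)
        last = xor(padded, k2)
    c = bytes(BLOCK)                                # C0 = 0, so C1 = E(K, M1)
    for block in blocks[:-1]:
        c = E(key, xor(block, c))                   # Ci = E(K, [Mi ⊕ Ci-1])
    return E(key, xor(last, c))[:tlen]              # T = MSB_Tlen(Cn)


if __name__ == "__main__":
    key = b"constructed-key!"                      # constructed sample key
    print(cmac(key, b"blockoneblocktwo").hex())     # two full blocks: K1 path
    print(cmac(key, b"abc", tlen=4).hex())          # partial block: K2 path, 32-bit tag
```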

Difference between Hash Function and MAC

Hash Function

A hash function H accepts a variable-length block of input data M and produces a fixed-size hash value, which can be represented as h = H(M).

Figure: Block diagram of Hash Function

When a hash function provides security properties, it is called a cryptographic hash function. A hash function protects the integrity of the message. If encryption is applied to the message together with its hash, the scheme also provides authentication and confidentiality.

A hash function has the property that it is applied to a variable amount of data (M) and produces a fixed amount of output data. If any bit or bits change in the data, the whole hash output will also change. A cryptographic hash function is a one-way function, which is practically infeasible to invert. The most popular hashing algorithms are MD5 and SHA.

MAC

Message authentication is a mechanism or service used to verify the integrity of a message. Message authentication guarantees that the sender of the message is authentic.

A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC. The MAC value protects both a message's data integrity and its authenticity, by allowing verifiers to detect any changes. The MAC is a small fixed-size block of data that is generated from a message M of variable length using a secret key K, as follows. A MAC is also called a cryptographic checksum.

MAC = C (K, M)

Difference between Hash Function and Message Authentication Code (MAC)

Digital Signature | Process of Digital Signature | Properties of Digital Signature | Purpose of Digital Signature

What is Digital Signature?

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message or digital document. A digital signature is defined as a signature generated electronically by a computer to ensure the identity of the sender and that the content of the message cannot be modified during transmission.

Purpose of Digital Signature


The concept of a digital signature is that the sender of a message uses a signing key (private key) to sign the message and sends the message together with its digital signature. The receiver uses the sender's verification key (public key) to verify the origin of the message and make sure that it has not been tampered with in transit. Digital signature techniques achieve the authenticity and integrity of data over the internet.

Process of Digital Signature

The hash value of a message, encrypted with the private key of a user, is that user's digital signature on the e-document. A digital signature is an example of asymmetric key cryptography which uses three different algorithms to complete the process.

Step – 1: The first step is the key generation algorithm, which generates a private key and a corresponding public key.

Step – 2: The next step is the signing algorithm, which takes the message to be sent and the private key generated in step 1, and produces a signature.

Step – 3: The third step is the signature verifying algorithm, which, given the sent message, the signature and the public key, verifies the authenticity of the message.

Properties of Digital Signature

In situations where there is no complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. The digital signature must have the following properties:

1. It must verify the author and the date and time of the signature.

2. It must authenticate the contents at the time of the signature.

3. It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function.

Advantage

Authentication: Identification of the person who signs.

Integrity of data: Every change will be detected.

Non-repudiation: The author cannot deny his work.

Imposter prevention: Elimination of the possibility of fraud committed by an imposter.

Disadvantage

Expiry: In this era of fast-moving technology, many of these tech products have a short life.

Certificates: In order to use digital signatures effectively, both senders and receivers may have to buy digital certificates.

Software: To work with digital certificates/digital signatures, senders and receivers have to buy verification software or pay a third party for verification.

Digital Signature Requirement and Security | Real-time Application of Digital Signature

Digital Signature Requirement

On the basis of the properties just discussed, we can formulate the following
requirements for a digital signature.

The signature must be a bit pattern that depends on the message being
signed.

The signature must use some unique information of the sender to prevent
both forgery and denial.

It must be relatively easy to produce the digital signature.

It must be relatively easy to recognize and verify the digital signature.

It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.

It must be practical to retain a copy of the digital signature in storage.

Security

Message Authentication: A digital signature technique can provide message authentication. A digital signature is used to establish proof of identity and ensure that the origin of an electronic message is correctly identified.

Message Integrity: Digital signatures are used to detect unauthorized modification of data, which assures that the contents of a message are not changed after the sender sends it and before it reaches the intended receiver.

Non-Repudiation: There are situations where a user sends a message and later denies having sent it. Non-repudiation means that the person who signed the document cannot repudiate the signature at a later time.

We can prevent man-in-the-middle attacks, replay attacks, masquerade and impersonation attacks.

Realtime usage of digital signature

Nowadays digital signature techniques are used in many application areas, such as sending confidential e-mails and secure payment transfers, and by virtually all software companies, universities and educational institutions that want to achieve authentication and integrity of their confidential information.

Elgamal and Schnorr Schemes of Digital Signature | Which Scheme is Best, Elgamal or Schnorr?

Elgamal Scheme (Digital Signature Scheme)

This scheme is a variant of the digital signature algorithm. It is based on a computational hardness assumption involving a large prime number. It is computationally very complex to compute S1 and S2. This scheme assures the authenticity of a message m sent by the sender/signer to the verifier. As with Elgamal encryption, the global elements of the Elgamal digital signature are based on a prime number q and α, which is a primitive root of q.

Algorithm

Generating private key & public key pair:

Step-1: Generate a random integer XA, such that 1 < XA < q-1.

Step-2: Compute YA = α^XA mod q.

Step-3: A's private key is XA; A's public key is {q, α, YA}.

Create Digital Signature:


Step-1: Choose a random integer K such that 1 ≤ K ≤ q-1 and gcd(K, q-1) = 1, i.e. K is relatively prime to q-1.

Step-2: Compute S1 = α^K mod q.

Step-3: Compute S2 = K^-1 (m – XA S1) mod (q – 1).

Step-4: The signature consists of the pair (S1, S2).

Signature Verification

Step-1: Calculate V1 = α^m mod q.

Step-2: Calculate V2 = (YA)^S1 (S1)^S2 mod q.
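The Elgamal steps above as an added Python example that is not part of the original notes. It uses the toy parameters q = 19 and α = 10 and a message representative m < q (in practice m is the hash of the message); the verifier's final check V1 = V2, which closes step 2 of verification, is made explicit, as is a range check on S1 that the notes do not spell out.

```python
import random
from math import gcd

# Toy global elements for demonstration only: prime q and a primitive root α of q.
# Real deployments use a prime of at least 2048 bits.
Q = 19
ALPHA = 10


def keygen(q: int = Q, alpha: int = ALPHA, xa: int = None):
    """Key generation: private XA with 1 < XA < q-1, public YA = α^XA mod q."""
    if xa is None:
        xa = random.randrange(2, q - 1)
    ya = pow(alpha, xa, q)
    return xa, {"q": q, "alpha": alpha, "ya": ya}


def sign(m: int, xa: int, pub: dict, k: int = None):
    """Signing steps 1-4. m is the message representative, 0 <= m < q.
    K must be fresh and secret for every signature; a K reused for two
    messages lets anyone holding both signatures solve for XA."""
    q, alpha = pub["q"], pub["alpha"]
    if k is None:
        k = random.randrange(1, q)
        while gcd(k, q - 1) != 1:          # K relatively prime to q-1
            k = random.randrange(1, q)
    s1 = pow(alpha, k, q)
    k_inv = pow(k, -1, q - 1)              # K^-1 mod (q-1), Python 3.8+
    s2 = (k_inv * (m - xa * s1)) % (q - 1)
    return s1, s2


def verify(m: int, sig, pub: dict) -> bool:
    """V1 = α^m mod q, V2 = (YA)^S1 (S1)^S2 mod q; the signature is valid iff V1 == V2."""
    q, alpha, ya = pub["q"], pub["alpha"], pub["ya"]
    s1, s2 = sig
    if not (0 < s1 < q and 0 <= s2 < q - 1):   # range check, not spelled out in the notes
        return False
    v1 = pow(alpha, m, q)
    v2 = (pow(ya, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    xa, pub = keygen(xa=16)                  # constructed sample key, YA = 4
    sig = sign(14, xa, pub, k=5)             # constructed m and K: gives (3, 4)
    print(sig, verify(14, sig, pub), verify(15, sig, pub))
```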

Schnorr (Digital Signature Scheme)

The Schnorr signature scheme is also based on discrete logarithms. The Schnorr scheme minimizes the message-dependent amount of computation required to generate a signature; the main work for signature generation does not depend on the message. The scheme uses a prime modulus p such that p-1 has a prime factor q of appropriate size; that is, p ≡ 1 (mod q). Typically, p ≈ 2^1024 and q ≈ 2^160. Thus, p is a 1024-bit number and q is a 160-bit number, which is also the length of the SHA-1 hash value.

Algorithm

Generating private key & public key pair:

Step-1: Choose primes p and q, such that q is a prime factor of p-1.

Step-2: Choose an integer α, such that α^q = 1 mod p. The values α, p, and q comprise a global public key that can be common to a group of users.

Step-3: Choose a random integer s with 0 < s < q. This is the user's private key.

Step-4: Calculate v = α^-s mod p. This is the user's public key.

Create Digital Signature:

Step-1: Choose a random integer r with 0 < r < q and compute x = α^r mod p.
This computation is a pre-processing stage independent of the message M to be
signed.

Step-2: Concatenate the message with x and hash the result to compute the value:

e = H (M || x)

Step-3: Compute y = (r + se) mod q. The signature consists of the pair (e, y).

Signature Verification

Step-1: Compute x'

x' = α^y v^e mod p

x' = α^y α^(-se) mod p (∵ v = α^-s mod p)

x' = α^(y − se) mod p

x' = α^r mod p (∵ y = r + se)

x' = x

So, here x' = x.

Step-2: Verify e = H (M || x).

Hence, H (M || x’) = H (M || x).
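An added Python example (not part of the original notes) of Schnorr signing and verification with the toy group p = 2039, q = 1019, α = 2; these values are constructed for illustration, whereas the notes use a 1024-bit p and a 160-bit q. e = H(M || x) is reduced mod q so it can serve as an exponent, an assumption the notes leave implicit.

```python
import hashlib
import random

# Toy global public key for demonstration only: q | p-1 and α^q ≡ 1 (mod p).
# p = 2039 = 2q + 1 and 2 is a quadratic residue mod p, so 2 has order q.
P, Q, ALPHA = 2039, 1019, 2
assert (P - 1) % Q == 0 and pow(ALPHA, Q, P) == 1


def keygen(s: int = None):
    """Private key s with 0 < s < q; public key v = α^-s mod p."""
    if s is None:
        s = random.randrange(1, Q)
    v = pow(pow(ALPHA, s, P), -1, P)     # α^-s mod p via modular inverse, Python 3.8+
    return s, v


def hash_e(message: bytes, x: int) -> int:
    """e = H(M || x): SHA-1 as in the notes, x encoded as fixed-width bytes,
    reduced mod q so that e can be used as an exponent."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha1(message + x.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def sign(message: bytes, s: int, r: int = None):
    if r is None:
        r = random.randrange(1, Q)
    x = pow(ALPHA, r, P)                 # pre-processing, independent of M
    e = hash_e(message, x)
    y = (r + s * e) % Q
    return e, y


def recover_x(sig, v: int) -> int:
    """x' = α^y v^e mod p, which equals x for a genuine signature."""
    e, y = sig
    return (pow(ALPHA, y, P) * pow(v, e, P)) % P


def verify(message: bytes, sig, v: int) -> bool:
    """Accept iff e == H(M || x')."""
    e, y = sig
    if not (0 <= e < Q and 0 <= y < Q):
        return False
    return hash_e(message, recover_x(sig, v)) == e


if __name__ == "__main__":
    s, v = keygen(s=3)                   # constructed private key; v = 255
    sig = sign(b"pay 100", s, r=5)       # constructed r; x = 2^5 = 32
    print(sig, recover_x(sig, v), verify(b"pay 100", sig, v))
```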

Which scheme is best Elgamal or Schnorr?

The Elgamal signature scheme is more time-consuming compared to the Schnorr scheme. The Schnorr scheme is 6 times faster than Elgamal and produces signatures which are 6 times smaller.

Digital Signature Algorithm (DSA) | Digital Signature Standard (DSS) | RSA Approach

Digital Signature Algorithm & Digital Signature Standards

The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the SHA and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography. Let us discuss the RSA and DSS approaches.

The RSA Approach

In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length. This hash code is then encrypted
using the sender’s private key to form the signature. Both the message and the
signature are then transmitted. The recipient takes the message and produces a
hash code. The recipient also decrypts the signature using the sender’s public
key. If the calculated hash code matches the decrypted signature, the signature
is accepted as valid.

The DSS Approach

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k, generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUG). The result is a signature consisting of two components, labelled s and r. At the receiving end, the hash code of the incoming message is generated. The signature is input to a verification function. The verification function also depends on the global public key as well as the sender's public key (PUa), which is paired with the sender's private key. The output of the verification function is a value that is equal to the signature component r if the signature is valid. The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.

Digital Signature Algorithm

Key Generation Process

Create digital Signature

Signature Verification

Key Management and Key Distribution in Network Security

Key Management

The main aim of key management is to generate a secret key between two parties and store it to prove the authenticity between communicating users. Key management comprises the techniques which support key generation, storage and maintenance of keys between authorized users.

Key management plays an important role in cryptography as the basis for securing cryptographic goals like confidentiality, authentication, data integrity and digital signatures. This holds regardless of whether the communicating parties use the same key for encryption and decryption or two different keys.

The basic purposes of key management are key generation, key distribution, controlling the use of keys, updating and destruction of keys, and key backup/recovery.

The following points are to be executed in key management:

User registration

User initialization

Key generation

Key installation

Key registration

Normal use

Key backup

Key update

Key de-registration and revocation

Key recovery

Key Distribution

Symmetric Key Distribution using Symmetric Encryption | Key Distribution using Symmetric Encryption

Introduction

When two parties share the same key (i.e. a symmetric key) that must be protected from access by others, the process by which the two parties exchange that key is called symmetric key distribution. It is needed when two persons want to communicate with each other via messages or exchange data without interference from others. Two parties/persons A and B can achieve key distribution in various ways:

1. A can select a key and physically deliver it to B.

2. A third party can select the key and physically deliver it to A and B.

3. If A and B have previously and recently used a key, one party can transmit the
new key to the other, encrypted using the old key.

4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.

Options 1 and 2 call for manual delivery of a key to the users. Manual delivery of keys is difficult in a wide-area distributed system. Returning to our list, option 3 is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys will be revealed. For end-to-end encryption some variation on option 4 has been widely adopted. In this scheme, a key distribution centre is responsible for distributing keys to pairs of users (hosts, processes, applications) as needed. Each user must share a unique key with the distribution centre for purposes of key distribution.

The use of a key distribution centre is based on the use of a hierarchy of keys. At
a minimum, two levels of keys are used (shown in the figure). Communication
between end systems is encrypted using a temporary key, often referred to as a
session key. Typically, the session key is used for the duration of a logical
connection, such as a frame relay connection or transport connection, and then
discarded. Each session key is obtained from the key distribution centre over the
same networking facilities used for end-user communication. Accordingly,
session keys are transmitted in encrypted form, using a master key that is
shared by the key distribution centre and an end system or user.

Key distribution Scenario

The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in the figure.

The scenario assumes that each user shares a unique master key with the key distribution centre (KDC). Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. User A has a master key, Ka, known only to itself and the KDC; similarly, user B shares the master key Kb with the KDC. Let us discuss all steps…

Step – 1: A issues a request to the KDC for a session key to protect a logical
connection to B.

IDA || IDB || N1

The message includes the identity of A and B and a unique identifier, N1, for this
transaction, which we refer to as a nonce. The nonce may be a timestamp, a
counter, or a random number; the minimum requirement is that it differs with
each request. Also, to prevent masquerade, it should be difficult for an opponent
to guess the nonce. Thus, a random number is a good choice for a nonce.

Step – 2: The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC.

E (Ka, [Ks || IDA || IDB || N1]) || E (Kb, [Ks || IDA])

The message includes two items intended for A: the one-time session key, Ks, to be used for the session, and the original request message, including the nonce, to enable A to match this response with the appropriate request. Thus, A can verify, because of the nonce, that its original request was not altered before reception by the KDC. In addition, the message includes two items intended for B: the one-time session key, Ks, to be used for the session, and an identifier of A (e.g., its network address), IDA. These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.

Step – 3: A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange.

Step – 4: Using the newly minted session key for encryption, B sends a nonce,
N2, to A. E (Ks, N2).

Step – 5: Also, using Ks, A responds with f (N2), where f is a function that
performs some transformation on N2 (e.g., adding one). E (Ks, f (N2)).
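The five-step KDC exchange above, simulated in Python as an added example that is not part of the original notes. E(K, .) is a constructed stand-in built from SHA-256 and HMAC (not a cipher to deploy), and the point of the example is the checks each party makes on what it decrypts, including A rejecting a replayed step-2 reply because its nonce N1 does not match.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode, only to give E(K, .) a concrete, runnable form
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def E(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for E(K, .): encrypt-then-MAC (SHA-256 keystream + HMAC tag)."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(key, body, "sha256").digest()


def D(key: bytes, blob: bytes) -> bytes:
    """Inverse of E; raises ValueError when the tag fails (wrong key or altered data)."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def pack(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def unpack(blob: bytes):
    return json.loads(blob.decode())


def fresh_nonce() -> str:
    return os.urandom(8).hex()          # a random number, the nonce choice the notes recommend


class KDC:
    """Holds one master key per user: Ka for A, Kb for B."""
    def __init__(self, master_keys: dict):
        self.master = master_keys

    def step2(self, request: dict):
        """E(Ka, [Ks || IDA || IDB || N1]) || E(Kb, [Ks || IDA])"""
        ida, idb, n1 = request["IDA"], request["IDB"], request["N1"]
        ks = os.urandom(16).hex()       # one-time session key
        for_a = E(self.master[ida], pack({"Ks": ks, "IDA": ida, "IDB": idb, "N1": n1}))
        for_b = E(self.master[idb], pack({"Ks": ks, "IDA": ida}))
        return for_a, for_b


def a_accepts_reply(ka: bytes, for_a: bytes, request: dict) -> bytes:
    """A's checks on the step-2 reply: it must echo A's own request, nonce included."""
    reply = unpack(D(ka, for_a))
    echoed = (reply["IDA"], reply["IDB"], reply["N1"])
    if echoed != (request["IDA"], request["IDB"], request["N1"]):
        raise ValueError("reply does not match my request (stale or altered)")
    return bytes.fromhex(reply["Ks"])


def run_scenario(ka: bytes, kb: bytes) -> bool:
    """Steps 1-5 of the notes; True when B confirms that A holds the same Ks."""
    kdc = KDC({"A": ka, "B": kb})
    request = {"IDA": "A", "IDB": "B", "N1": fresh_nonce()}        # step 1
    for_a, for_b = kdc.step2(request)                                # step 2
    ks_a = a_accepts_reply(ka, for_a, request)
    ticket = unpack(D(kb, for_b))                                    # step 3: A forwards for_b to B
    if ticket["IDA"] != "A":
        raise ValueError("ticket names a different peer")
    ks_b = bytes.fromhex(ticket["Ks"])
    n2 = int.from_bytes(os.urandom(4), "big")
    msg4 = E(ks_b, pack({"N2": n2}))                                 # step 4: B -> A, E(Ks, N2)
    n2_seen = unpack(D(ks_a, msg4))["N2"]
    msg5 = E(ks_a, pack({"fN2": n2_seen + 1}))                       # step 5: A -> B, f(N2) = N2 + 1
    return unpack(D(ks_b, msg5))["fN2"] == n2 + 1


def replay_rejected(ka: bytes, kb: bytes) -> bool:
    """An old step-2 reply replayed against a new request fails A's nonce check."""
    kdc = KDC({"A": ka, "B": kb})
    old_for_a, _ = kdc.step2({"IDA": "A", "IDB": "B", "N1": fresh_nonce()})
    new_request = {"IDA": "A", "IDB": "B", "N1": fresh_nonce()}
    try:
        a_accepts_reply(ka, old_for_a, new_request)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = b"A" * 16, b"B" * 16          # constructed master keys
    print(run_scenario(ka, kb), replay_rejected(ka, kb))
```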

Now we will discuss symmetric key distribution techniques using symmetric encryption. Four different methods are used: hierarchical key control, session key lifetime, a transparent key control scheme, and decentralized key control.

Hierarchical key control


It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks a single KDC is not enough to distribute keys among all users. As an alternative, a hierarchy of KDCs can be established.

For example, there can be local KDCs, each responsible for a small domain of the
overall internetwork, such as a single LAN or a single building. For
communication among entities within the same local domain, the local KDC is
responsible for key distribution. If two entities in different domains desire a
shared key, then the corresponding local KDCs can communicate through a
global KDC. In this case, any one of the three KDCs involved can actually select
the key. The hierarchical concept can be extended to three or even more layers,
depending on the size of the number of users and the geographic scope of the
internetwork.

Session key life time

The more frequently session keys are exchanged, the more secure they are, because the attacker has to capture the session key every time to decrypt the ciphertext. Short session key lifetime → keys exchanged frequently, more secure. Long session key lifetime → less time spent on key exchange and less network bandwidth used. For connection-oriented protocols, use a new session key for each new connection, and update the key periodically if the connection is long-lived. For connectionless protocols, do not use a new key for each session; instead use a given session key for a fixed period of time.

A transparent key control scheme

The steps involved in establishing a connection are shown in the figure. When one host wants to set up a connection to another host, it transmits a connection-request packet (step 1).

The SSM (session security module) saves that packet and applies to the KDC for permission to establish the connection (step 2). The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using a unique permanent key for each SSM (step 3). The requesting SSM can now release the connection-request packet, and a connection is set up between the two end systems (step 4). All user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key.

Decentralized Key Control

Although decentralized key control is not practical for larger networks using symmetric encryption only, it may be useful within a local context. A session key may be established with the following sequence of steps:

Step – 1: A issues a request to B for a session key and includes a nonce, N1.

Step – 2: B responds with a message that is encrypted using the shared master
key. The response includes the session key selected by B, an identifier of B, the
value f(N1), and another nonce, N2.

Step – 3: Using the new session key, A returns f(N2) to B.

Symmetric Key Distribution using Asymmetric Encryption | Secret Key Distribution using Asymmetric Encryption

There are two approaches: Simple Secret Key Distribution and Secret key
Distribution with Confidentiality and Authentication.

Simple Secret Key Distribution

If A wishes to communicate with B, the following procedure is employed. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA. B generates a secret key, Ks, and transmits it to A encrypted with A's public key. A decrypts the message using D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks. A discards PUa and PRa and B discards PUa. A and B can now securely communicate using conventional encryption and the session key Ks. At the completion of the exchange, both A and B discard Ks.

Secret Key Distribution with Confidentiality and Authentication

A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely. B sends a message to user A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B. A returns N2, encrypted using B's public key, to assure B that its correspondent is A. A selects a secret key and sends M = E(PUb, E(PRa, Ks)) to B.

Figure: Secret Key distribution with confidentiality and authentication

Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it. B decrypts the message and obtains the secret key Ks. The result is that this scheme ensures both confidentiality and authentication in the exchange of a secret.

Public Key Distribution in Network Security

There are four methods of public key distribution: Public announcement of Public
Keys, Publicly Available Directory, Public Key Authority and Public Key
Certificates.

Public Announcement of Public Keys

In a public key cryptosystem, such as RSA, any user can send his/her key to any other user or broadcast it to the group, as shown in the figure.

Figure: Public Announcement of Public Keys

This approach has a major drawback. Any user can pretend to be user A and send a public key to another user or broadcast it. Until user A discovers this and alerts the other users, the pretender is able to read all encrypted messages of other users.

Publicly Available Directory

A dynamic publicly available directory is used to achieve security. Maintenance and distribution of the public directory is controlled by a trusted entity. This technique is explained as follows and shown in the figure.

Figure: Publicly Available Directory


A trusted entity maintains a directory entry for each user as <name, public key>.

Each user has to register a public key with the directory.

A user can replace the existing key with a new one at any time for any particular reason.

It is more secure than public announcement but still has some weaknesses. An attacker can obtain the private key of the directory or tamper with the information kept by the directory.

Public-Key Authority

It gives stronger security. As shown in the figure, a central authority keeps a dynamic directory of the public keys of all users. Additionally, each user knows the public key of the authority.

Figure: Public Key Authority

Step – 1: A sends a timestamped message to the public-key authority containing a request for the current public key of B.

Step – 2: The authority responds with a message that is encrypted using the
authority’s private key, PRauth. Thus, A is able to decrypt the message using the
authority’s public key. Therefore, A is assured that the message originated with
the authority.

The message includes the following: B's public key, PUb, which A can use to encrypt messages destined for B; the original request, used to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority; and the original timestamp, given so A can determine that this is not an old message from the authority containing a key other than B's current public key.

Step – 3: A stores B’s public key and also uses it to encrypt a message to B
containing an identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely.

Step – 4 & 5: B retrieves A’s public key from the authority in the same manner
as A retrieved B’s public key.

Step – 6: B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.

Step – 7: A returns N2, which is encrypted using B’s public key, to assure B that
its correspondent is A.

Public-Key Certificates

The directory of names and public keys maintained by the authority is vulnerable to tampering. An alternative approach, first suggested by Kohnfelder, is to use certificates. In essence, a certificate consists of a public key and an identifier of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority, such as a government agency or a financial institution, that is trusted by the user community. A user can present his or her public key to the authority in a secure manner and obtain a certificate. The user can then publish the certificate. Anyone needing this user's public key can obtain the certificate and verify that it is valid by way of the attached trusted signature. A participant can also convey its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority. The diagram below shows the distribution of public keys using public key certificates.

Figure: Public Key certificates

We can place the following requirements on this scheme:

Step – 1: Any participant can read a certificate to determine the name and
public key of the certificate’s owner.

Step – 2: Any participant can verify that the certificate originated from the
certificate authority and is not counterfeit.

Step – 3: Only the certificate authority can create and update certificates.

Step – 4: Any participant can verify the certificate.

Public Key Infrastructure (PKI) | Purpose of PKI | PKIX Elements | PKIX
Management Functions

Public Key Infrastructure (PKI)

Public-key infrastructure (PKI) is the set of hardware, software, people, policies,
and procedures needed to create, manage, store, distribute, and revoke digital
certificates based on asymmetric cryptography.

Purpose of PKI

The purpose of developing a PKI is to enable the secure, convenient, and efficient
acquisition of public keys.

PKIX

The public key infrastructure based on X.509 certificates is called PKIX. The figure
below shows the PKIX architectural model.

Figure: Public Key Infrastructure (PKIX)

PKIX Elements

The figure shows the interrelationship among the key elements of the PKIX model.
These elements are:

End entity: A generic term used to denote end users, devices (e.g., servers,
routers), or any other entity that can be identified in the subject field of a public
key certificate.

Certification authority (CA): The issuer of certificates and (usually) certificate
revocation lists (CRLs). It may also support a variety of administrative functions,
although these are often delegated to one or more Registration Authorities.

Registration authority (RA): An optional component that can assume a
number of administrative functions from the CA. The RA is often associated with
the end entity registration process but can assist in a number of other areas as
well.

CRL issuer: An optional component that a CA can delegate to publish CRLs.

Repository: A generic term used to denote any method for storing certificates
and CRLs so that they can be retrieved by end entities.

PKIX Management Functions

PKIX identifies a number of management functions that potentially need to be
supported by management protocols. These are:

Registration: Registration begins the process of enrolling in a PKI. A user first
makes itself known to a CA (directly or through an RA), prior to that CA issuing a
certificate for that user. Registration usually involves some offline or online
procedure for mutual authentication. Typically, the end entity is issued one or
more shared secret keys used for subsequent authentication.

Initialization: Before a client system can operate securely, it is necessary to
install key materials that have the appropriate relationship with keys stored
elsewhere in the infrastructure. For example, the client needs to be securely
initialized with the public key and other assured information of the trusted CA(s),
to be used in validating certificate paths.

Certification: This is the process in which a CA issues a certificate for a user’s
public key, returns that certificate to the user’s client system, and/or posts that
certificate in a repository.

Key Pair Recovery: Key pairs can be used to support digital signature creation
and verification, encryption and decryption, or both. When a key pair is used for
encryption/decryption, it is important to provide a mechanism to recover the
necessary decryption keys when normal access to the keying material is no
longer possible; otherwise it will not be possible to recover the encrypted data.
Key pair recovery allows end entities to restore their encryption/decryption key
pair from an authorized key backup facility (typically, the CA that issued the end
entity’s certificate).

Key Pair Update: All key pairs need to be updated regularly (i.e., replaced with
a new key pair) and new certificates issued. Update is required when the
certificate lifetime expires and as a result of certificate revocation.

Revocation Request: An authorized person advises a CA of an abnormal
situation requiring certificate revocation. Reasons for revocation include private
key compromise, change in affiliation, and name change.

Cross Certification: Two CAs exchange information used in establishing a
cross-certificate. A cross-certificate is a certificate issued by one CA to another
CA that contains a CA signature key used for issuing certificates.

PKI Management Protocols

The PKI working group has defined two alternative management protocols.

RFC 2510 defines the Certificate Management Protocols (CMP). A PKI service
allows a CMP client to communicate with it to request, revoke, suspend and
resume certificates.

RFC 2797 defines Certificate Management Messages over CMS, where CMS is the
Cryptographic Message Syntax defined in RFC 2630. CMS can encrypt, decrypt,
sign and verify, compress and decompress CMS documents.

Figure: Working of PKIX

Remote User Authentication using Symmetric Encryption | Needham – Schroeder
Protocol | Solution by Denning | Solution for Suppress-replay attacks | One-way
Authentication

Introduction

A two-level hierarchy of symmetric encryption keys can be used to provide
confidentiality for communication in a distributed environment. In general, this
strategy involves the use of a trusted Key Distribution Centre (KDC). Each party
in the network shares a secret key, known as a master key, with the KDC. The
KDC is responsible for generating keys to be used for a short time over a
logical connection between two parties, known as session keys, and for
distributing those keys using the master keys to protect the distribution. The
protocol initially proposed by Needham and Schroeder for secret key distribution
using a KDC includes authentication features.

Needham – Schroeder Protocol

Figure: Needham-Schroeder Protocol

The protocol can be summarized as follows.

(1) 𝐴 → 𝐾𝐷𝐶: 𝐼𝐷𝐴||𝐼𝐷𝐵||𝑁1

(2) 𝐾𝐷𝐶 → 𝐴: 𝐸 (𝐾𝑎, [𝐾𝑠||𝐼𝐷𝐵||𝑁1||𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴])])

(3) 𝐴 → 𝐵: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴])

(4) 𝐵 → 𝐴: 𝐸 (𝐾𝑠, 𝑁2)

(5) 𝐴 → 𝐵: 𝐸 (𝐾𝑠, 𝑓(𝑁2))

The protocol is still vulnerable to a form of replay attack. Suppose that an
opponent, X, has been able to compromise an old session key. X can impersonate
A and trick B into using the old key by simply replaying step 3. Unless B
remembers indefinitely all previous session keys used with A, B will be unable to
determine that this is a replay. If X can intercept the handshake message in step
4, then it can impersonate A’s response in step 5. From this point on, X can send
bogus messages to B that appear to B to come from A using an authenticated
session key. Denning proposes to overcome this weakness by a modification to
the Needham/Schroeder protocol that includes the addition of a timestamp to
steps 2 and 3.

Solution by Denning

Figure: Denning's Solution

Her proposal assumes that the master keys, Ka and Kb, are secure, and it consists
of the following steps.

(1) 𝐴 → 𝐾𝐷𝐶: 𝐼𝐷𝐴||𝐼𝐷𝐵

(2) 𝐾𝐷𝐶 → 𝐴: 𝐸 (𝐾𝑎, [𝐾𝑠||𝐼𝐷𝐵||𝑇||𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴||𝑇])])

(3) 𝐴 → 𝐵: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴||𝑇])

(4) 𝐵 → 𝐴: 𝐸 (𝐾𝑠, 𝑁1)

(5) 𝐴 → 𝐵: 𝐸 (𝐾𝑠, 𝑓(𝑁1))

T is a timestamp that assures A and B that the session key has only just been
generated. Thus, both A and B know that the key distribution is a fresh
exchange.

A and B can verify the time by checking that |𝐶𝑙𝑜𝑐𝑘 − 𝑇| < ∆𝑡1 + ∆𝑡2, where ∆𝑡1 is
the estimated normal difference between the KDC’s clock and the local clock (at
A or B) and ∆𝑡2 is the expected network delay time. A new concern is raised:
namely, that this scheme relies on clocks that are synchronized throughout the
network. Gong points out a risk involved.

The risk is based on the fact that the distributed clocks can become
unsynchronized as a result of damage on or faults in the clocks or the
synchronization mechanism. The problem occurs when a sender’s clock is ahead
of the intended recipient’s clock.

In this case, an opponent can intercept a message from the sender and replay it
later when the timestamp in the message becomes current at the recipient’s
site. This replay could cause unexpected results. Gong refers to such attacks as
suppress-replay attacks. One way to counter suppress-replay attacks is to
enforce the requirement that parties regularly check their clocks against the
KDC’s clock.
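As an added example (not part of the notes), the ticket E(Kb, [Ks||IDA||T]) that the KDC issues in step 2 and the check |Clock − T| < Δt1 + Δt2 that B applies in step 3, in Python. E(K, m) is stood in for by a constructed standard-library scheme (SHA-256 counter keystream plus an HMAC-SHA256 tag); the JSON ticket layout, 32-byte keys and function names are assumptions, not anything the notes fix.

```python
"""Denning's timestamped ticket and B's freshness check (added example)."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256(key || nonce || counter).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for E(K, m): nonce || ciphertext || HMAC-SHA256 tag.
    A real deployment would use an AEAD such as AES-GCM instead."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def open_(key: bytes, msg: bytes) -> bytes:
    """Inverse of seal; ValueError when the tag fails (wrong key or altered)."""
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if len(msg) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("not sealed under this key, or altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def issue_ticket(kb: bytes, ks: bytes, id_a: str, kdc_clock: float) -> bytes:
    """KDC's half of step 2: E(Kb, [Ks || IDA || T]), T read from the KDC clock."""
    ticket = {"Ks": ks.hex(), "IDA": id_a, "T": kdc_clock}
    return seal(kb, json.dumps(ticket).encode())


def accept_ticket(kb: bytes, msg: bytes, b_clock: float,
                  dt1: float, dt2: float) -> dict:
    """B's check in step 3: decrypt under Kb (a forged or altered ticket fails
    here), then require |Clock - T| < dt1 + dt2 before trusting Ks."""
    ticket = json.loads(open_(kb, msg))
    skew = abs(b_clock - ticket["T"])
    if not skew < dt1 + dt2:
        raise ValueError(f"stale ticket: |Clock - T| = {skew:.0f}s, treat as a replay")
    return ticket
```

The window dt1 + dt2 is the only thing standing between B and an old ticket, so widening it to tolerate badly synchronized clocks recreates the suppress-replay exposure described above.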

Alternate Solution for Suppress-replay attacks

Figure: Suppress Replay Attack Solution

The other alternative, which avoids the need for clock synchronization, is to rely
on handshaking protocols using nonces. This alternative is not vulnerable to a
suppress-replay attack, because the nonces the recipient will choose in the
future are unpredictable to the sender.

The Needham/Schroeder protocol relies on nonces only but, as we have seen,
has other vulnerabilities. An improved protocol is:

(1) 𝐴 → 𝐵: 𝐼𝐷𝐴 || 𝑁𝑎

(2) 𝐵 → 𝐾𝐷𝐶: 𝐼𝐷𝐵 || 𝑁𝑏 || 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || 𝑁𝑎 || 𝑇𝑏])

(3) 𝐾𝐷𝐶 → 𝐴: 𝐸(𝐾𝑎, [𝐼𝐷𝐵 || 𝑁𝑎 || 𝐾𝑠 || 𝑇𝑏]) || 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || 𝐾𝑠 || 𝑇𝑏]) || 𝑁𝑏

(4) 𝐴 → 𝐵: 𝐸(𝐾𝑏, [𝐼𝐷𝐴 || 𝐾𝑠 || 𝑇𝑏]) || 𝐸(𝐾𝑠, 𝑁𝑏)

This protocol provides an effective, secure means for A and B to establish a
session with a secure session key. Furthermore, the protocol leaves A in
possession of a key that can be used for subsequent authentication to B,
avoiding the need to contact the authentication server repeatedly. Suppose that
A and B establish a session using the aforementioned protocol and then conclude
that session. Subsequently, but within the time limit established by the protocol,
A desires a new session with B.

The following protocol achieves this:

(1) 𝐴 → 𝐵: 𝐸 (𝐾𝑏, [𝐼𝐷𝐴||𝐾𝑠||𝑇𝑏])||𝑁𝑎′

(2) 𝐵 → 𝐴: 𝑁𝑏′||𝐸 (𝐾𝑠, 𝑁𝑎′)

(3) 𝐴 → 𝐵: 𝐸 (𝐾𝑠, 𝑁𝑏′)

When B receives the message in step 1, it verifies that the ticket has not expired.
The newly generated nonces 𝑁𝑎′ and 𝑁𝑏′ assure each party that there is no replay
attack.

One-way Authentication

Figure: One-way Authentication

With some refinement, the KDC strategy is a candidate for encrypted electronic
mail. Because we wish to avoid requiring that the recipient (B) be on line at the
same time as the sender (A), steps 4 and 5 must be eliminated. For a message
with content M, the sequence is as follows:

(1) 𝐴 → 𝐾𝐷𝐶: 𝐼𝐷𝐴 || 𝐼𝐷𝐵 || 𝑁1

(2) 𝐾𝐷𝐶 → 𝐴: 𝐸 (𝐾𝑎, [𝐾𝑠 || 𝐼𝐷𝐵 || 𝑁1 || 𝐸 (𝐾𝑏, [𝐾𝑠 || 𝐼𝐷𝐴])])

(3) 𝐴 → 𝐵: 𝐸 (𝐾𝑏, [𝐾𝑠||𝐼𝐷𝐴]) || 𝐸 (𝐾𝑠, 𝑀)

This approach guarantees that only the intended recipient of a message will be
able to read it. It also provides a level of authentication that the sender is A. The
protocol does not protect against replay attack.

Kerberos | Kerberos Terminology | Kerberos Working | Characteristics of
Kerberos

Kerberos Protocol

What is Kerberos?

Kerberos: Kerberos is a network authentication protocol that works on the basis
of tickets to allow nodes communicating over a non-secure network to prove
their identity to one another in a secure manner.

What do the three heads of Kerberos represent?

Kerberos is a three-step security process used for authorization and
authentication. The three heads of Kerberos are:

1. User,

2. KDC - Key Distribution Service (security server), and

3. Services (servers).

Kerberos is a standard feature of Windows software.

Why Kerberos?

Kerberos is an authentication protocol that is used to verify the identity of a user
or host. The authentication is based on tickets used as credentials, allowing
communication and proving identity in a secure manner even over a non-secure
network.

Characteristics of Kerberos

Secure: Kerberos should be strong enough that a potential opponent does not
find it to be the weak link.

Reliable: For all services that rely on Kerberos for access control, lack of
availability of the Kerberos service means lack of availability of the supported
services. Hence, Kerberos should be highly reliable and should employ
distributed server architecture, with one system able to back up another.

Transparent: Ideally, the user should not be aware that authentication is taking
place, beyond the requirement to enter a password.

Scalable: The system should be capable of supporting large numbers of clients
and servers. This suggests a modular, distributed architecture.

Kerberos Protocol Terminology

Figure: Block Diagram of Kerberos server

Authentication Server (AS): A server that issues tickets for a desired service
which are in turn given to users for access to the service.

Client: An entity on the network that can receive a ticket from Kerberos.

Credentials: A temporary set of electronic credentials that verify the identity of
a client for a particular service. It is also called a ticket.

Credential cache or ticket file: A file which contains the keys for encrypting
communications between a user and various network services.

Crypt hash: A one-way hash used to authenticate users.

Key: Data used when encrypting or decrypting other data.

Key distribution centre (KDC): A service that issues Kerberos tickets and which
usually runs on the same host as the ticket-granting server (TGS).

Realm: A network that uses Kerberos, composed of one or more servers called
KDCs and a potentially large number of clients.

Ticket-granting server (TGS): A server that issues tickets for a desired service
which are in turn given to users for access to the service. The TGS usually runs
on the same host as the KDC.

Ticket-granting ticket (TGT): A special ticket that allows the client to obtain
additional tickets without applying for them from the KDC.

Working of Kerberos

Step 1: (Fig 1)

The AS receives the request from the client and verifies the client’s user ID.

Figure: Authentication Service verifies the User ID

Step 2:

Upon verification, a timestamp is created with the current time for a user session
with an expiration date. The timestamp ensures that when the 8 hours are up, the
encryption key is useless.

Step 3: (Fig 2)

Figure: Authentication Service issues TGT

The key is sent back to the client in the form of a TGT.

Step 4: (Fig 3)

Figure: Client submits TGT to TGS

The client submits the TGT to the TGS, to get authenticated.

Step 5: (Fig. 4)

Figure: TGS grants client the service ticket

The TGS creates an encrypted key with a timestamp and grants the client a
service ticket.

Step 6:

The client decrypts the ticket and sends an ACK to the TGS.

Step 7: (Fig. 5)

Figure: Service server decrypts the key and checks the timestamp

The client sends its own encrypted key to the service server.

The server decrypts the key and checks whether the timestamp is still valid.

Step 8: (Fig. 6)

Figure: For secret keys, communication initiated

The client decrypts the ticket. If the keys are still valid, communication is
initiated between client and server. Now the client is authenticated until the
session expires.

Is Kerberos symmetric or asymmetric?

Kerberos is capable of both symmetric and asymmetric cryptography.

Is Kerberos safe?

Kerberos is more secure than other authentication methods because it does not
send plain-text passwords over the network and instead uses encrypted tickets
in place of passwords.
