Unit3 Unit 3 Cns

The document discusses hash functions and digital signatures, focusing on their role in authentication and security protocols. It covers various aspects such as message authentication functions, hash algorithms like MD5 and SHA, and the implementation of Message Authentication Codes (MAC) and HMAC. Key concepts include the requirements for authentication, the structure of hash functions, and the processes involved in generating secure hash values.

Uploaded by reenaanandh


UNIT3 - unit 3 cns

Cryptography and network security (Anna University)


UNIT III - HASH FUNCTIONS AND DIGITAL SIGNATURES


Authentication requirement – Authentication function – MAC – Hash function – Security of hash
function and MAC – MD5 – SHA – HMAC – CMAC – Digital signature and authentication protocols –
DSS – ElGamal – Schnorr.

AUTHENTICATION REQUIREMENT
1. Disclosure: Release of message contents to any person or process not possessing the appropriate
cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented
application, the frequency and duration of connections could be determined. In either a connection-
oriented or connectionless environment, the number and length of messages between parties could
be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the
creation of messages by an opponent that are purported to come from an authorized entity.
4. Content modification: Changes to the contents of a message, including insertion, deletion,
transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including
insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire
session or sequence of messages could be a replay of some previous valid session, or individual
messages in the sequence could be delayed or replayed. In a connectionless application, an
individual message (e.g., datagram) could be delayed or replayed.
7. Source repudiation: Denial of transmission of a message by its source.
8. Destination repudiation: Denial of receipt of a message by its destination.

MESSAGE AUTHENTICATION FUNCTION

Message authentication functions can be grouped into three classes.


• Hash function: A function that maps a message of any length into a fixed length hash value, which
serves as the authenticator
• Message encryption: The cipher text of the entire message serves as its authenticator
• Message authentication code (MAC): A function of the message and a secret key that produces a
fixed-length value that serves as the authenticator

HASH FUNCTION
A hash function accepts a variable-size message M as input and produces a fixed-size output,
referred to as the hash code H(M). The hash code does not use any key. The hash code is also referred to
as a message digest or hash value. The hash code is a function of all the bits of the message and provides
an error-detection capability. The figure (not reproduced here) illustrates a variety of ways in which a hash code can be used to
provide message authentication.

a) The message plus concatenated hash code is encrypted using symmetric encryption. Because the encryption
is applied to the entire message plus hash code, confidentiality is also provided.
b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden
for those applications that do not require confidentiality.
c) Only the hash code is encrypted, using public-key encryption with the sender's private
key. This provides authentication (a digital signature).
d) If confidentiality as well as a digital signature is desired, then the message plus the private-key-
encrypted hash code can be encrypted using a symmetric secret key.
e) This technique assumes that the two communicating parties share a common secret value S. A
computes the hash value over the concatenation of M and S and appends the resulting hash value to M.
Because B possesses S, it can recompute the hash value to verify it.
f) Confidentiality can be added to the approach of (e) by encrypting the entire message plus the hash
code.


MESSAGE ENCRYPTION

Message encryption by itself can provide a measure of authentication. The analysis differs for
symmetric and public-key encryption schemes.

Symmetric Encryption
Conventional encryption provides authentication as well as confidentiality. Message M
transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no
other party knows the key, then confidentiality is provided: No other party can recover the plaintext of
the message.
Given a decryption function D and a secret key K, the destination will accept any input X and
produce output Y = D(K, X). If X is the ciphertext of a legitimate message M produced by the
corresponding encryption function, then Y is some plaintext message M. Otherwise, Y will likely be a
meaningless sequence of bits.

Public-Key Encryption
The straightforward use of public-key encryption provides confidentiality but not
authentication. The source (A) uses the public key PUb of the destination (B) to encrypt M.
Because only B has the corresponding private key PRb, only B can decrypt the message.
To provide authentication, A uses its private key to encrypt the message, and B uses A's public
key to decrypt it.


To provide both confidentiality and authentication, A can encrypt M first using its private key,
which provides the digital signature, and then using B's public key, which provides
confidentiality.

Ways of Providing Structure


• Append an error-detecting code (frame check sequence, FCS) to each message.
• A prepares a plaintext message M and provides this as input to a function F that produces an
FCS.
• The FCS is appended to M and the entire block is then encrypted.
• At the destination, B decrypts the incoming block and treats the result as a message with an
appended FCS. B applies the same function F to attempt to reproduce the FCS.
• If the calculated FCS is equal to the incoming FCS, then the message is considered authentic.

MESSAGE AUTHENTICATION CODE


A MAC uses a shared secret key to generate a fixed-size block of data (known as a cryptographic
checksum or MAC) that is appended to the message.
MAC = CK(M)
where M is a variable-length message, K is a secret key shared only by sender and receiver,
and CK(M) is the fixed-length authenticator. The MAC is appended to the message at the source at a
time when the message is assumed or known to be correct. The receiver authenticates the message by
recomputing the MAC and comparing it with the received value.
A MAC function is similar to encryption. One difference is that the MAC algorithm need not
be reversible, as it must be for decryption.


• In the first case, the MAC is calculated with the message as input and is then concatenated to the
message. The entire block is then encrypted.
• In the second case, the message is encrypted first. Then the MAC is calculated using the resulting
ciphertext and is concatenated to the ciphertext to form the transmitted block.

MD5 - MESSAGE DIGEST ALGORITHM


The MD5 message-digest algorithm was developed by Ron Rivest at MIT. MD5 was the most
widely used secure hash algorithm.
MD5 logic. The algorithm takes as input a message of arbitrary length and produces as output a 128-
bit message digest. The input is processed in 512-bit blocks. The processing consists of the
following steps:
Step 1: Append padding bits. The message is padded so that its length in bits is congruent to
448 modulo 512 (length ≡ 448 mod 512). That is, the length of the padded message is 64 bits less
than an integer multiple of 512 bits. Padding is always added, even if the message is already of the
desired length. For example, if the message is 448 bits long, it is padded by 512 bits to a length of
960 bits. Thus, the number of padding bits is in the range of 1 to 512. The padding consists
of a single 1-bit followed by the necessary number of 0-bits.

Message digest generation using MD5

Step 2: Append length. A 64-bit representation of the length in bits of the original message (before
the padding) is appended to the result of step 1 (least significant byte first). If the original length is
greater than 2^64, then only the low-order 64 bits of the length are used. Thus, the field contains the length
of the original message modulo 2^64.
The outcome of the first two steps yields a message that is an integer multiple of 512 bits in length. In
the figure, the expanded message is represented as the sequence of 512-bit blocks Y0, Y1, …, YL−1, so
that the total length of the expanded message is L × 512 bits. Equivalently, the result is a multiple of 16
32-bit words. Let M[0 … N − 1] denote the words of the resulting message, with N an integer multiple of
16. Thus, N = L × 16.
Step 3: Initialize MD buffer. A 128-bit buffer is used to hold intermediate and final results of the
hash function. The buffer can be represented as four 32-bit registers (A, B, C, D). These registers
are initialized to the following 32-bit integers (hexadecimal values):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476

MD5 processing of a single 512-bit block


Step 4: Process message in 512-bit (16-word) blocks. The heart of the algorithm is a compression
function that consists of four "rounds" of processing; this module is labeled HMD5. The four rounds
have a similar structure, but each uses a different primitive logical function, referred to as F, G, H,
and I in the specification.
Each round takes as input the current 512-bit block being processed (Yq) and the 128-bit buffer
value ABCD and updates the contents of the buffer.
Step 5: Output. After all L 512-bit blocks have been processed, the output from the Lth stage
is the 128-bit message digest.
CV0 = IV
CVq+1 = SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]]])
MD = CVL
where
IV - initial value of the ABCD buffer, defined in step 3
Yq - the qth 512-bit block of the message
L - the number of blocks in the message (including padding and length fields)
CVq - chaining variable processed with the qth block of the message
RFx - round function using primitive logical function x
MD - final message digest value
SUM32 - addition modulo 2^32 performed separately on each word of the pair of inputs


MD5 Compression function

A = D,
B = B + ((A + g(B, C, D) + X[k] + T[i]) <<< s),
C = B,
D = C
where A, B, C, D are the four words of the buffer, g is the primitive logical function of the round,
X[k] is the kth 32-bit word of the current block, T[i] is the ith additive constant, and
<<< s denotes circular left shift by s bits.
The primitive functions perform the following operations (¬ denotes bitwise complement):
1 F(B, C, D) = (B ∧ C) ∨ (¬B ∧ D)
2 G(B, C, D) = (B ∧ D) ∨ (C ∧ ¬D)
3 H(B, C, D) = B ⊕ C ⊕ D
4 I(B, C, D) = C ⊕ (B ∨ ¬D)
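The five MD5 steps above (padding, length field, buffer initialisation, the four-round compression function with F, G, H and I, and the final chaining value) written out as an added Python example; this is not code from the original notes. The names md5_pad, rotl32 and md5 are this example's own, and the result is cross-checked against hashlib.md5.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-step circular-left-shift amounts s (four rounds of 16 steps each)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Additive constants T[i] = floor(2^32 * |sin(i + 1)|)
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def rotl32(x: int, s: int) -> int:
    """Circular left shift of a 32-bit word by s bits (the <<< s operation)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md5_pad(msg: bytes) -> bytes:
    """Steps 1 and 2: pad to 448 mod 512 bits, then append the 64-bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF   # length modulo 2^64
    padded = msg + b"\x80"                          # a single 1 bit; padding is always added
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)   # 0 bits up to 448 mod 512
    return padded + struct.pack("<Q", bit_len)      # length, least significant byte first


def md5(msg: bytes) -> str:
    """Full MD5: returns the 128-bit digest as 32 hex characters."""
    # Step 3: initialise the ABCD buffer (chaining variable CV_0 = IV)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(msg)
    # Step 4: process each 512-bit block Y_q through the four rounds of H_MD5
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])   # 16 little-endian words
        a, b, c, d = A, B, C, D
        for i in range(64):
            if i < 16:    # round 1, primitive function F
                g, k = (b & c) | (~b & d), i
            elif i < 32:  # round 2, primitive function G
                g, k = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:  # round 3, primitive function H
                g, k = b ^ c ^ d, (3 * i + 5) % 16
            else:         # round 4, primitive function I
                g, k = c ^ (b | ~d), (7 * i) % 16
            g &= MASK32
            # A = D, B = B + ((A + g(B,C,D) + X[k] + T[i]) <<< s), C = B, D = C
            new_b = (b + rotl32((a + g + X[k] + T[i]) & MASK32, S[i])) & MASK32
            a, b, c, d = d, new_b, b, c
        # CV_{q+1} = SUM_32(CV_q, round-4 output): word-wise addition modulo 2^32
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    # Step 5: the final chaining variable CV_L is the message digest
    return struct.pack("<4I", A, B, C, D).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return md5(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        print(md5(m), matches_hashlib(m))
```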

SECURE HASH ALGORITHM (SHA)


The most widely used hash function has been the Secure Hash Algorithm (SHA). SHA was developed
by the National Institute of Standards and Technology (NIST) and published as a federal information
processing standard (FIPS 180) in 1993. SHA is based on the hash function MD4, and its design closely
models MD4. Three newer versions of SHA, with hash value lengths of 256, 384, and 512 bits, are known
as SHA-256, SHA-384, and SHA-512, respectively. Collectively, these hash algorithms are known as
SHA-2.

SHA-512 Logic
Message Digest Generation Using SHA-512
The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces
as output a 512-bit message digest. The input is processed in 1024-bit blocks. The processing consists
of the following steps.

Step 1 Append padding bits. The message is padded so that its length in bits is congruent to 896 modulo
1024. Padding is always added, even if the message is already of the desired length, so the number of
padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the necessary
number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message. This block is treated as an
unsigned 128-bit integer (most significant byte first) and contains the length of the original message
(before the padding).
The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length.
The expanded message is represented as the sequence of 1024-bit blocks M1, M2, …, MN, so that the
total length of the expanded message is N × 1024 bits.


Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash
function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are
initialized to fixed 64-bit integers (hexadecimal values, listed in the standard). These values are stored in big-endian
format, in which the most significant byte of a word is in the low-address (leftmost) byte position.
Step 4 Process message in 1024-bit (128-byte) blocks. The heart of the algorithm is a module that
consists of 80 rounds. Each round takes as input the 512-bit buffer value, abcdefgh, and updates
the contents of the buffer. At input to the first round, the buffer has the value of the intermediate hash
value, Hi−1.

SHA-512 Processing of a Single 1024-Bit Block


Compression Function
Step 5 Output. After all 1024-bit blocks have been processed, the output from the Nth stage is the 512-
bit message digest.
Message schedule: in the first 16 steps of processing, the value of Wt is equal to the corresponding
word in the message block. For the remaining 64 steps, the value of Wt consists of the circular left shift
by one bit of the XOR of four of the preceding values of Wt, with two of those values subjected to shift
and rotate operations.

HMAC- MAC based Hash Function


HMAC has been issued as RFC 2104, has been chosen as the mandatory-to-implement MAC for
IP security, and is used in other Internet protocols, such as SSL. HMAC has also been issued as a NIST
standard.
HMAC Design Objectives
• To use, without modifications, available hash functions; in particular, hash functions that perform
well in software, and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash
functions are found or required.
• To use and handle keys in a simple way.
• To have a well-understood cryptographic analysis of the strength of the authentication mechanism
based on reasonable assumptions about the embedded hash function.

HMAC Algorithm
Figure illustrates the overall operation of HMAC.
Define the following terms:
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded hash function)
Yi = ith block of M, 0 ≤ i ≤ (L − 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n. If the key length is greater than b, the key is input to the hash
function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times


HMAC can be expressed as follows


HMAC(K,M) = H[(K+ ⊕opad)||H[(K+ ⊕ipad)||M]]
We can describe the algorithm as follows
1. Append zeros to the left end of K to create a b-bit string K+(e.g., if K is of length 160 bits and
b = 512 then K will be appended with 44 zero bytes 0 x 00).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So
6. Append the hash result from step 4 to So
7. Apply H to the stream generated in step 6 and output the result.
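The seven HMAC steps above as an added Python example (not code from the original notes), cross-checked against the standard library's hmac module. It assumes SHA-256 as the embedded hash H; note that RFC 2104 forms K+ by appending the zero bytes after the key, which is what the standard library and this code do.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hashfunc=hashlib.sha256) -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] built from a plain hash."""
    b = hashfunc().block_size          # block size in bytes: 64 for SHA-256, 128 for SHA-512
    if len(key) > b:
        key = hashfunc(key).digest()   # a key longer than b bits is hashed down to n bits
    # Step 1: K+ is K extended with zero bytes to b bytes (RFC 2104 appends them after K)
    k_plus = key + b"\x00" * (b - len(key))
    ipad = bytes([0x36] * b)           # 00110110 repeated b/8 times
    opad = bytes([0x5C] * b)           # 01011100 repeated b/8 times
    s_i = bytes(x ^ y for x, y in zip(k_plus, ipad))   # step 2: Si = K+ XOR ipad
    inner = hashfunc(s_i + msg).digest()               # steps 3 and 4: H(Si || M)
    s_o = bytes(x ^ y for x, y in zip(k_plus, opad))   # step 5: So = K+ XOR opad
    return hashfunc(s_o + inner).digest()              # steps 6 and 7: H(So || inner)


def verify_tag(key: bytes, msg: bytes, tag: bytes, hashfunc=hashlib.sha256) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hashfunc), tag)


def matches_stdlib(key: bytes, msg: bytes, hashfunc=hashlib.sha256) -> bool:
    """Cross-check against the standard library's HMAC for the same key and hash."""
    return hmac_rfc2104(key, msg, hashfunc) == hmac.new(key, msg, hashfunc).digest()


if __name__ == "__main__":
    k = b"constructed-demo-key"       # constructed sample key, not from the notes
    tag = hmac_rfc2104(k, b"transfer 100")
    print(tag.hex(), verify_tag(k, b"transfer 100", tag), verify_tag(k, b"transfer 900", tag))
```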

Security of HMAC
• The security of HMAC is expressed as the probability of successful forgery with a given
amount of time spent by the forger and a given number of (message, MAC) pairs created
with the same key.
• The probability of a successful attack on HMAC is equivalent to one of the following attacks on the
embedded hash function:
• The attacker is able to compute an output of the compression function even when the initialization
vector is random and unknown.
• The attacker finds collisions in the hash function even when the initialization vector is random
and secret.

CMAC- Cipher based Message Authentication Code


In CMAC, assume first that the message length is an integer multiple n of the cipher block length b.
For AES, b = 128
For Triple DES, b = 64
The message is divided into n blocks (M1, M2, …, Mn). The algorithm makes use of a k-bit
encryption key K and a b-bit constant K1.

For AES, the key size k = 128 or 192 bits
For Triple DES, the key size k = 112 or 168 bits

CMAC is calculated as follows


C1 = E(K, M1)
C2 = E(K, [M2 ⊕ C1])
C3 = E(K, [M3 ⊕ C2])
…
Cn = E(K, [Mn ⊕ Cn−1 ⊕ K1])
T = MSBTlen(Cn)

where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSBs(X) = the s leftmost bits of the bit string X

If the message is not an integer multiple of the cipher block length, then the final block is padded to the
right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also of length
b. The CMAC operation then proceeds as before, except that a different b-bit constant K2 is used instead of
K1.

ELGAMAL DIGITAL SIGNATURES


The ElGamal signature scheme involves the use of the private key for encryption and the public key for decryption.
The global elements of the ElGamal digital signature are a prime number q and a, which is a primitive
root of q.
1. Global Public Key Components
q - prime number
a - primitive root of q

2. User A signs a message M to B by computing


• Generate a random integer XA, such that 1 < XA < q−1
• Compute YA = a^XA mod q

• A's private key is XA
• A's public key is YA
To sign a message M, user A first computes the hash m = H(M), such that m is an integer in the range
0 ≤ m ≤ (q−1).
3. User A generates the digital signature
• Choose a random integer K, such that 1 ≤ K ≤ (q−1) and gcd(K, q−1) = 1. That is, K is
relatively prime to q−1.
• Compute S1 = a^K mod q
• Compute K^−1 mod (q−1)
• Compute S2 = K^−1 (m − XA·S1) mod (q−1)
• The signature consists of the pair (S1, S2)

4. User B verifies the signature
V1 = a^m mod q
V2 = (YA)^S1 (S1)^S2 mod q
The signature is valid if V1 = V2.
Example I
Global elements: q = 19 and a = 10
Alice computes the private and public key:
• Alice chooses private key XA = 16
• Computes public key YA = 10^16 mod 19 = 4
Alice signs a message with hash m = 14:
• Alice chooses K = 5, which is relatively prime to q−1 = 18
• Compute S1 = 10^5 mod 19 = 3
• Compute K^−1 mod (q−1) = 5^−1 mod 18 = 11
• Compute S2 = 11(14 − 16·3) mod 18 = −374 mod 18 = 4 {−374 mod 18 = 18 − (374 % 18)}
B can verify the signature by computing:
• V1 = 10^14 mod 19 = 16
• V2 = 4^3 · 3^4 mod 19 = 5184 mod 19 = 16
• Since 16 = 16, the signature is verified and valid.
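The signing and verification steps above as an added Python example (not part of the original notes), run on the page's Example I parameters (q = 19, a = 10, XA = 16, m = 14, K = 5). The function names and the SHA-256-based message_hash helper are this example's own assumptions, and the 19-element group is for illustration only.

```python
import hashlib
from math import gcd

# Global public elements from Example I (toy sizes, for illustration only)
Q, A = 19, 10


def message_hash(message: bytes, q: int) -> int:
    """m = H(M) reduced to the range 0 <= m <= q-1 (SHA-256 is an assumption here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def elgamal_keygen(q: int, a: int, x_a: int) -> int:
    """Public key Y_A = a^X_A mod q for a private key X_A with 1 < X_A < q-1."""
    if not 1 < x_a < q - 1:
        raise ValueError("private key must satisfy 1 < X_A < q-1")
    return pow(a, x_a, q)


def elgamal_sign(q: int, a: int, x_a: int, m: int, k: int) -> tuple:
    """Signature (S1, S2) on the hash value m using the per-message random K."""
    # K must be relatively prime to q-1, otherwise K^-1 mod (q-1) does not exist
    if not 1 <= k <= q - 1 or gcd(k, q - 1) != 1:
        raise ValueError("K must satisfy 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(a, k, q)
    k_inv = pow(k, -1, q - 1)                  # modular inverse (Python 3.8+)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)    # Python's % already yields a value in [0, q-2]
    return s1, s2


def elgamal_verify(q: int, a: int, y_a: int, m: int, sig: tuple) -> bool:
    """V1 = a^m mod q must equal V2 = Y_A^S1 * S1^S2 mod q."""
    s1, s2 = sig
    if not (0 < s1 < q and 0 <= s2 < q - 1):   # reject out-of-range components
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    y_a = elgamal_keygen(Q, A, 16)         # 4, as in Example I
    sig = elgamal_sign(Q, A, 16, 14, 5)    # (3, 4), as in Example I
    print(y_a, sig, elgamal_verify(Q, A, y_a, 14, sig), elgamal_verify(Q, A, y_a, 15, sig))
```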

SCHNORR SIGNATURE SCHEME

The Schnorr digital signature is based on discrete logarithms. This scheme minimizes the
message-dependent amount of computation required to generate a signature. The main work for
signature generation does not depend on the message and can be done during the idle time of the
processor.
The scheme is based on using a prime modulus p, with p − 1 having a prime factor q of
appropriate size; that is, p − 1 ≡ 0 (mod q). Typically, we use p ≈ 2^1024 and q ≈ 2^160. Thus, p is a 1024-bit
number, and q is a 160-bit number.

The generation of a private/public key pair consists of the following steps.
1. Choose primes p and q, such that q is a prime factor of p − 1.
2. Choose an integer a, such that a^q = 1 mod p. The values a, p, and q comprise a global public
key that can be common to a group of users.
3. Choose a random integer s with 0 < s < q. This is the user's private key.
4. Calculate v = a^−s mod p. This is the user's public key.
A user with private key s and public key v generates a signature as follows.
1. Choose a random integer r with 0 < r < q and compute x = a^r mod p. This computation is a
preprocessing stage independent of the message M to be signed.
2. Concatenate the message with x and hash the result to compute the value e:
e = H(M || x)
3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).

Any other user can verify the signature as follows.
1. Compute x' = a^y v^e mod p.
2. Verify that e = H(M || x').
To see that the verification works, observe that
x' ≡ a^y v^e ≡ a^y a^−se ≡ a^(y − se) ≡ a^r ≡ x (mod p)
Hence, H(M || x') = H(M || x).

DIGITAL SIGNATURE STANDARD (DSS)


The Digital Signature Standard is a US Government approved signature scheme, FIPS 186. It uses the SHA hash
algorithm. It was designed by NIST and NSA in the early 1990s. It creates a 320-bit signature, with 512- to 1024-
bit security.
Two approaches of Digital signature
 RSA approach
 DSS approach
RSA APPROACH
In the RSA approach, the message to be signed is input to a hash function that produces a secure hash
code of fixed length. This hash code is then encrypted using the sender’s private key to form the
signature. Both the message and the signature are then transmitted. The recipient takes the message and
produces a hash code. The recipient also decrypts the signature using the sender’s public key. If the
calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only
the sender knows the private key, only the sender could have produced a valid signature.

M – Message
H(M) – Hash function of M
C – Cipher text
C = M || EPRa[H(M)]
V1=DPUa[H(M)]
V2= H(M)
If V1= V2 Then signature is verified

DSS APPROACH
DSS uses an algorithm that is designed to provide only digital signature function. Unlike RSA,
it cannot be used for encryption or key exchange.
The DSS approach makes use of a hash function. The hash code is provided as input to a
signature function along with a random number k generated for this particular signature. The signature
function also depends on the sender’s private key (PRa) and the global public key (PUG) The result is
a signature consisting of two components, labeled s and r. At the receiving end, the hash code of the
incoming message is generated. This plus the signature is input to a verification function.

The verification function also depends on the global public key as well as the sender’s public
key (PUa), which is paired with the sender’s private key. The output of the verification function is a

value that is equal to the signature component if the signature is valid. The signature function is such
that only the sender, with knowledge of the private key, could have produced the valid signature.
THE DIGITAL SIGNATURE ALGORITHM
1. Global Public Key Components
p - prime number where 2^(L−1) < p < 2^L for 512 ≤ L ≤ 1024
q - prime divisor of (p−1) where 2^159 < q < 2^160
g = h^((p−1)/q) mod p
where h is any integer with 1 < h < (p−1) such that h^((p−1)/q) mod p > 1

2. User’s Private key


x - random or pseudorandom integer with 0 < x < q
3. User's Public Key
y = g^x mod p
4. User's Per-Message Secret Number
k = random or pseudorandom integer with 0 < k < q
5. DSA Signature Creation
To sign a message M, the sender generates a random signature key k, k < q, and
computes the signature pair:
r = (g^k mod p) mod q
s = [k^−1 (H(M) + xr)] mod q
Signature = (r, s)
6. DSA Signature Verification
After receiving M' and signature (r', s'), the recipient computes:
w = (s')^−1 mod q
u1 = [H(M') w] mod q
u2 = (r' w) mod q
v = [(g^u1 y^u2) mod p] mod q
If v = r' then the signature is verified.
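The DSA global parameters, key pair, signing and verification above as an added Python example (not part of the original notes); the toy values p = 23, q = 11, h = 2 and the use of SHA-256 for H(M) are constructed assumptions. The sign and verify functions take H(M) as an integer so a caller can see exactly which value enters s and u1.

```python
import hashlib

# Constructed toy parameters (not secure): q = 11 is a prime divisor of p - 1 = 22
P, Q = 23, 11


def dsa_generator(p: int, q: int, h: int) -> int:
    """g = h^((p-1)/q) mod p; must be greater than 1, otherwise another h is needed."""
    if not 1 < h < p - 1:
        raise ValueError("h must satisfy 1 < h < p-1")
    g = pow(h, (p - 1) // q, p)
    if g <= 1:
        raise ValueError("h^((p-1)/q) mod p must be greater than 1; choose another h")
    return g


def hash_message(message: bytes) -> int:
    """H(M) as an integer (SHA-256 here; DSS pairs DSA with the SHA family)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def dsa_public_key(p: int, q: int, g: int, x: int) -> int:
    """y = g^x mod p for the private key 0 < x < q."""
    if not 0 < x < q:
        raise ValueError("private key must satisfy 0 < x < q")
    return pow(g, x, p)


def dsa_sign(p: int, q: int, g: int, x: int, h: int, k: int) -> tuple:
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q, for per-message secret 0 < k < q."""
    if not 0 < k < q:
        raise ValueError("per-message secret must satisfy 0 < k < q")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q      # k^-1 mod q via pow (Python 3.8+)
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: choose a fresh k")   # FIPS 186 requires re-selecting k
    return r, s


def dsa_verify(p: int, q: int, g: int, y: int, h: int, sig: tuple) -> bool:
    """w = s^-1 mod q, u1 = H(M) w mod q, u2 = r w mod q, v = (g^u1 y^u2 mod p) mod q; valid iff v = r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):           # reject out-of-range components before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


if __name__ == "__main__":
    g = dsa_generator(P, Q, 2)                # 4
    x, k = 7, 3                               # constructed private key and per-message secret
    y = dsa_public_key(P, Q, g, x)            # 8
    h = hash_message(b"pay 10") % Q           # reduced for the toy q; not needed at real sizes
    sig = dsa_sign(P, Q, g, x, h, k)
    print(g, y, sig, dsa_verify(P, Q, g, y, h, sig))
```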


AUTHENTICATION PROTOCOLS
Two types of authentication protocols are
• Mutual authentication
• One-way authentication
MUTUAL AUTHENTICATION
Mutual authentication protocols enable communicating parties to satisfy themselves mutually
about each other's identity and to exchange session keys. Problems faced by authenticated key
exchange are
o Confidentiality
o Timeliness
The following are examples of replay attacks:
Simple replay: The opponent simply copies a message and replays it later.
Repetition that can be logged: An opponent can replay a time-stamped message within the valid
time window.
Repetition that cannot be detected: This situation could arise because the original message could
have been suppressed and thus did not arrive at its destination; only the replayed message arrives.
Backward replay without modification: This is a replay back to the message sender. This attack is
possible if symmetric encryption is used and the sender cannot easily recognize the difference
between messages sent and messages received on the basis of content.
Countermeasures include
Timestamps: Party A accepts a message as fresh only if the message contains a timestamp that, in
A's judgment, is close enough to A's knowledge of the current time. This approach requires that clocks
among the various participants be synchronized.
Challenge/response: Party A, expecting a fresh message from B, first sends B a nonce (challenge)
and requires that the subsequent message (response) received from B contain the correct nonce
value.
USING SYMMETRIC ENCRYPTION
A two-level hierarchy of symmetric key encryption can be used to provide confidentiality for the
distribution of keys. Here, a trusted Key Distribution Center (KDC) is used for the distribution of the session
key.
Needham-Schroeder Protocol for Distribution of Session Key
The purpose of this protocol is to distribute securely a session key Ks to A and B. Secret keys
Ka and Kb are shared between A and the KDC, and between the KDC and B, respectively.
1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B: EKb[Ks || IDA]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]
This protocol is vulnerable to a replay attack. Suppose that an opponent X has obtained an old session key that
was used by A and B. X can then impersonate A and trick B into using the old key by replaying step 3. To
overcome this attack, another protocol was proposed by Denning.
Denning Protocol
In this protocol a timestamp T was used that assures A and B that the session key has only just been
generated.
1. A→KDC: IDA || IDB
2. KDC→A: EKa[Ks || IDB ||T || EKb[Ks||IDA||T] ]
3. A→B: EKb[Ks||IDA||T]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]
USING PUBLIC-KEY ENCRYPTION
Protocol 1: Denning AS Protocol
Denning (1981) presented the following:
1. A→AS: IDA || IDB
2. AS→A: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T]
3. A→B: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T] || EKUb[EKRas[Ks || T]]
AS is an authentication server which provides the certificates.
Protocol 2: Woo and Lam Protocol


Another approach, proposed by Woo and Lam, makes use of nonces. The protocol consists of the
following steps:
1. A →KDC:IDA||IDB
2. KDC →A:E(PRauth, [IDB||PUb])
3. A →B: E(PUb, [Na||IDA])
4. B →KDC:IDA||IDB||E(PUauth, Na)
5. KDC →B:E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDA||IDB])
6. B →A: E(PUa, E(PRauth, [(Na||Ks||IDA||IDB)||Nb]))
7. A →B: E(Ks, Nb)
Explanation
1. In step 1, A informs the KDC of its intention to establish a secure connection with B.
2. The KDC returns to A a copy of B's public-key certificate (step 2).
3. Using B's public key, A informs B of its desire to communicate and sends a nonce Na (step 3).
4. In step 4, B asks the KDC for A's public-key certificate and requests a session key; B includes A's
nonce so that the KDC can stamp the session key with that nonce. The nonce is protected using the
KDC's public key.
5. In step 5, the KDC returns to B a copy of A's public-key certificate, plus the information {Na, Ks,
IDB}. This information basically says that Ks is a secret key generated by the KDC on behalf of B
and tied to Na; the binding of Ks and Na will assure A that Ks is fresh. This triple is encrypted, using
the KDC's private key, to allow B to verify that the triple is in fact from the KDC. It is also encrypted
using B's public key, so that no other entity may use the triple in an attempt to establish a fraudulent
connection with A.
6. In step 6, the triple {Na, Ks, IDB}, still encrypted with the KDC's private key, is relayed to A,
together with a nonce Nb generated by B. All the foregoing are encrypted using A's public key. A
retrieves the session key Ks and uses it to encrypt Nb and return it to B.
7. This last message assures B of A's knowledge of the session key.

One-Way Authentication
One-way authentication is required when the sender and receiver are not in communication at the same time (e.g., email).
The header is kept in the clear so that the message can be delivered by email.
• Note that the session key is chosen by A, hence the AS need not be trusted to protect it.
• Timestamps prevent replay but require synchronized clocks.
This protocol is compact but, as before, requires synchronization of clocks.
