NS Unit 3

UNIT-3

Authentication

Asst.Prof. Renuka Patel
Asst.Prof. Roshni Patel
Authentication Requirements

 Authentication
This section sets out the essential authentication requirements for securing systems and applications, together with the practices and standards commonly implemented to build robust authentication mechanisms. Meeting these requirements strengthens an organization's security posture and protects sensitive data from unauthorized access.

1. User Identification

 Unique User IDs: Each user must have a unique identifier to ensure accountability and traceability.
 Email Verification: Users should verify their email address during registration. This confirms that they control the mailbox; it does not by itself prove who they are.

🔹 Example:
•When you create an account on Facebook or Gmail, your email ID or username is unique.
•Email Verification: When signing up, you receive a verification email containing a link. The account is not activated until you click the link, which proves that the email address belongs to you.

2. Password Policies

 Complexity Requirements: Traditional policies require a mix of uppercase letters, lowercase letters, numbers, and special characters. Current guidance (NIST SP 800-63B) favours length and screening against breached-password lists over composition rules, because such rules push users towards predictable patterns.
 Minimum Length: Passwords should be at least 8-12 characters long; longer passphrases are better.
 Expiration: Traditional policies expire passwords every 90 days. NIST SP 800-63B recommends forcing a change only when compromise is known or suspected, since routine rotation produces small, predictable variations of the old password.
 History: Users should not be allowed to reuse their last 5 passwords.
 🔹 Example:
Complexity Requirements:
✔️ SecurePass@123 (Strong Password ✅ under a composition rule, although the "word + symbol + digits" pattern is common in cracking wordlists)
❌ password123 (Weak Password ❌)

3. Multi-Factor Authentication (MFA)

 Implementation: MFA should be available to all users and enforced for access to sensitive information or administrative functions.
 Methods: Acceptable MFA methods include SMS codes, authenticator apps (TOTP), hardware security keys, and biometric verification. SMS is the weakest option (SIM-swap and interception attacks); authenticator apps are better; FIDO2/WebAuthn security keys and passkeys are phishing-resistant and are the preferred choice for administrators.
 Definition: "multi-factor" means combining at least two different kinds of factor: something you know (password, PIN), something you have (phone, security key) and something you are (biometric). Two passwords are not MFA.
🔹 Example:
•When logging into a banking app, after entering your password, you receive an OTP (One-Time Password) via SMS or email.
•Google Authenticator and other apps generate time-based one-time codes for MFA without using the phone network.
•Biometric authentication (fingerprint or face recognition) is the "something you are" factor. On its own it is single-factor; combined with a password or a registered device it forms MFA.

4. Account Lockout Mechanisms

 Failed Login Attempts: Accounts should be locked after a specified number of failed login attempts (e.g., 5 attempts).
 Lockout Duration: The account should remain locked for a minimum of 15 minutes or until an administrator unlocks it.
 Caveat: a hard lockout lets an attacker who knows usernames lock everyone out on purpose (denial of service). Rate limiting, progressively longer delays and CAPTCHAs are usually combined with, or used instead of, a fixed lockout, and failed attempts should be counted per source IP address as well as per account.

🔹 Example:
•If you enter the wrong password 5 times on a banking website, your account gets locked for 15 minutes.
•Some systems require an admin to unlock the account.

5. Session Management

 Session Timeouts: Sessions should automatically log out after a period of inactivity (e.g., 15 minutes). The session must be invalidated on the server, not merely by letting the cookie expire in the browser.
 Secure Cookies: Set the Secure, HttpOnly and SameSite attributes on session cookies to reduce the risk of session hijacking, and issue a fresh session ID after login so that a session an attacker planted before login (session fixation) is not carried over.
🔹 Example:
•In banking apps, if you remain inactive for 15 minutes, the system automatically logs you out to prevent unauthorized access.
•Secure keeps the cookie off plain HTTP, HttpOnly hides it from JavaScript injected by XSS, and SameSite stops the browser attaching it to cross-site requests (CSRF). Together these make session cookies much harder to steal, although a cookie value obtained some other way can still be replayed until the server ends the session.
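The cookie flags and the server-side idle timeout described above, as an added example (not from the slides). It uses only the Python standard library; the cookie name `session`, the `SessionStore` class and the 15-minute limit are assumptions for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT_SECONDS = 15 * 60   # log the user out after 15 minutes without activity

def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never derive session IDs from usernames, counters or time."""
    return secrets.token_urlsafe(32)

def session_cookie_header(session_id: str, max_age: int = IDLE_TIMEOUT_SECONDS) -> str:
    """Value for a Set-Cookie header carrying the flags the requirement calls for."""
    cookie = SimpleCookie()
    cookie["session"] = session_id        # "session" is an assumed cookie name
    morsel = cookie["session"]
    morsel["secure"] = True               # only sent over HTTPS, never in clear text
    morsel["httponly"] = True             # invisible to document.cookie, so XSS cannot read it
    morsel["samesite"] = "Strict"         # not attached to cross-site requests (CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = max_age           # browser-side hint only; the server keeps the real expiry
    return morsel.OutputString()

class SessionStore:
    """Server-side session table with an idle timeout; the cookie is only a lookup key."""
    def __init__(self, clock=time.time):
        self.clock = clock                # injectable so the timeout can be tested
        self.sessions = {}                # session id -> {"user", "last_seen"}

    def create(self, user: str) -> str:
        sid = new_session_id()            # always a fresh ID after login (defeats session fixation)
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def touch(self, sid: str):
        """Return the user for a live session and refresh its activity time; None if expired or unknown."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]        # invalidate server-side; an old cookie can no longer be replayed
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)      # explicit logout also removes the server-side record
```

`touch()` is what every authenticated request should call: it both enforces the idle limit and refreshes it, and because expiry is decided on the server, a browser that ignores `Max-Age` gains nothing.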

6. Logging and Monitoring

 Audit Logs: Maintain logs of all authentication attempts, including successful and failed logins, with timestamp, username, source IP address and outcome. Never write passwords (or password hashes) to logs.
 Monitoring: Regularly review logs for suspicious activity and implement alerts for unusual login patterns: many failures against one account, one source trying many accounts (password spraying), or logins from new locations or at unusual hours.
🔹 Example:
•If an attacker tries to guess your password multiple times, the system detects this and sends an alert.
•Companies keep logs to track suspicious activities and take action if needed.
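The lockout rule from requirement 4 and the audit log and alerting from requirement 6, combined in one added example (not from the slides). The `LoginGuard` class, the clear-text `users` dictionary and the IP address are constructed for illustration; a real deployment would check a salted password hash and ship the audit entries to a SIEM.

```python
import hmac
import logging
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5      # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60    # 15-minute lockout, as in the requirement above

log = logging.getLogger("auth")


class LoginGuard:
    """Authentication front end that counts failures, locks accounts and audits every attempt.

    Constructed example: `users` maps username -> password in clear text so the
    logic is visible; a real system compares against a salted, slow password hash.
    """

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock                 # injectable so tests can move time forward
        self.failures = defaultdict(int)   # consecutive failures per username
        self.locked_until = {}             # username -> unix time the lock expires
        self.audit = []                    # structured audit log entries
        self.alerts = []                   # alerts raised for monitoring

    def _record(self, user, outcome, source_ip):
        entry = {"time": self.clock(), "user": user, "outcome": outcome, "ip": source_ip}
        self.audit.append(entry)           # never log the password itself
        log.info("auth user=%s outcome=%s ip=%s", user, outcome, source_ip)

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0)

    def login(self, user, password, source_ip="203.0.113.7"):
        """Return 'ok', 'failed' or 'locked'. Unknown users get the same answers as wrong passwords."""
        if self.is_locked(user):
            self._record(user, "rejected_locked", source_ip)
            return "locked"
        expected = self.users.get(user, "")
        # constant-time compare so a correct prefix does not leak through timing
        if user in self.users and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[user] = 0
            self._record(user, "success", source_ip)
            return "ok"
        self.failures[user] += 1
        self._record(user, "failure", source_ip)
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.failures[user] = 0
            self.alerts.append(f"{user} locked after {MAX_FAILED_ATTEMPTS} failures from {source_ip}")
            self._record(user, "locked", source_ip)
            return "locked"
        return "failed"

    def failures_from(self, source_ip, window_seconds=60):
        """Monitoring helper: failed attempts from one IP in the last window (catches password spraying)."""
        cutoff = self.clock() - window_seconds
        return sum(1 for e in self.audit
                   if e["ip"] == source_ip and e["outcome"] == "failure" and e["time"] >= cutoff)
```

Note that a correct password during the lockout window is still rejected; that is the intended behaviour of a hard lockout and also the reason it can be abused for denial of service, which is why `failures_from` counts per source as well.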

7. User Education

 Training: Provide training for users on the importance of strong passwords and recognizing phishing attempts.
 Resources: Offer resources and tools for users to manage their passwords securely.

🔹 Example:
•Employees are taught not to click on unknown email links that might be phishing scams.
•Users are encouraged to use password managers to store complex passwords securely.
Authentication Functions

This section provides an overview of the main authentication functions: Message Authentication Codes (MACs), hashing algorithms such as MD5 and SHA, user authentication methods such as passwords, certificates and biometrics, and a detailed walk-through of the Kerberos authentication protocol with examples. Understanding these concepts is crucial for securing communication and protecting sensitive information in digital environments.

Message Authentication Codes (MACs)

A Message Authentication Code (MAC) is a short piece of information (a tag) used to authenticate a message and confirm its integrity. It is generated by applying a keyed cryptographic function to the message together with a secret key shared by sender and receiver. Any alteration to the message results in a different MAC value, so the recipient can verify that the message has not been tampered with and that it came from someone holding the key.
Key Properties of MACs:
1. Integrity: Ensures that the message has not been altered.
2. Authenticity: Confirms that the message comes from a party who possesses the secret key.
3. No non-repudiation: Because sender and receiver share the same key, either of them could have produced the tag, so a MAC cannot prove to a third party who sent the message. Non-repudiation requires a digital signature, where only the signer holds the private key.
A MAC is generated using a cryptographic function that takes:
•The message
•A secret key
The resulting MAC value (tag) is sent along with the message, allowing the receiver to verify its authenticity.
How Does MAC Work?
Step 1: Sender Generates a MAC
•The sender applies a cryptographic function (such as HMAC) to the message along with a secret key.
•This produces a fixed-length MAC value (tag), for example 32 bytes for HMAC-SHA256.
•The message and MAC are sent to the receiver.
Step 2: Receiver Verifies the MAC
•The receiver receives the message and MAC.
•It recalculates the MAC using the same secret key and cryptographic function.
•If the computed MAC matches the received MAC, the message is authentic and unchanged. The comparison must be constant-time; with an early-exit byte comparison an attacker can learn the correct tag byte by byte from response timing.
•If the MAC values do not match, the message was altered or was not produced by a key holder, and it must be rejected.
Example of MAC in Action
•Let's consider an example where Alice sends a secure message to Bob using MAC authentication.

🔹 Step 1: Message Creation (Alice)
Alice wants to send the message:
📩 Message: "Transfer $1000 to account XYZ."

🔹 Step 2: Generate MAC
Alice applies a cryptographic function using a secret key (known only to Alice and Bob).
Let's assume the secret key is: "SecretKey123" (an illustrative value; a real key should be at least 128 bits of random data, not a guessable word)
Using HMAC-SHA256, Alice computes:
📌 MAC: "A3B5C9D8E2F7..." (an illustrative placeholder; a real HMAC-SHA256 tag is 64 hexadecimal characters)
🔹 Step 3: Send Message and MAC
Alice sends:
📩 Message: "Transfer $1000 to account XYZ."
🔐 MAC: "A3B5C9D8E2F7..."

🔹 Step 4: Bob Verifies the MAC
Bob receives the message and MAC.
 He applies the same HMAC-SHA256 function using the same secret key ("SecretKey123").
 If the calculated MAC matches the received MAC ("A3B5C9D8E2F7..."), the message is authentic and has not been modified.
 If the MAC values do not match, Bob rejects the message, as it may have been altered by an attacker.
Why is MAC Important?

✅ 1. Prevents Message Tampering
If an attacker modifies the message, the computed MAC will not match the received MAC, and the receiver will detect the tampering.

🔹 Example:
An attacker intercepts Alice's message and changes it to:
📩 "Transfer $5000 to account XYZ."
When Bob recomputes the MAC over the modified message, it will differ from the MAC he received. Bob will reject the message as not authentic. Note that a MAC alone does not stop the attacker replaying the unmodified message with its valid tag a second time; protocols include a sequence number or timestamp in the authenticated data to prevent that.
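The Alice-and-Bob exchange and the tampering scenario above, as an added example (not from the slides) using Python's standard `hmac` module. The key and message are the slide's illustrative values; `alice_sends`, `bob_receives` and the attacker's guessed key are constructed for the demonstration.

```python
import hashlib
import hmac

def compute_mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag, rendered as 64 hex characters (a 32-byte tag)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_mac(key: bytes, message: bytes, received_mac: str) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak the correct tag."""
    return hmac.compare_digest(compute_mac(key, message), received_mac)

# Constructed values from the walk-through. The slide's key is only illustrative:
# a real HMAC key should be at least 32 random bytes (e.g. secrets.token_bytes(32)).
SHARED_KEY = b"SecretKey123"
MESSAGE = b"Transfer $1000 to account XYZ."

def alice_sends():
    """Sender side: the message and its tag travel together."""
    return MESSAGE, compute_mac(SHARED_KEY, MESSAGE)

def bob_receives(message: bytes, mac: str) -> str:
    """Receiver side: accept only if the tag verifies under the shared key."""
    return "accepted" if verify_mac(SHARED_KEY, message, mac) else "rejected"

def demo():
    message, tag = alice_sends()
    original = bob_receives(message, tag)
    # 1. attacker changes the amount but can only forward the old tag
    tampered = bob_receives(b"Transfer $5000 to account XYZ.", tag)
    # 2. attacker forges a message and computes a tag with a guessed key
    forged_msg = b"Transfer $5000 to account XYZ."
    forged = bob_receives(forged_msg, compute_mac(b"guess", forged_msg))
    return original, tampered, forged
```

`hmac.compare_digest` is the constant-time comparison mentioned in Step 2; a plain `==` on the hex strings would be the classic timing-leak bug.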
✅ 2. Ensures Authentication
Only those who know the secret key can generate a valid MAC.

🔹 Example:
If an attacker tries to create a fake message, they cannot generate a correct MAC because they do not have the secret key.

✅ 3. Fast and Efficient
MACs are computationally cheap and are used in real-time systems: every TLS record is protected by one, online banking and payment APIs use them to authenticate requests, and they serve for data integrity checks. They are not a substitute for digital signatures, which use asymmetric keys and additionally provide non-repudiation.
Types of MAC Algorithms

1.HMAC (Hash-based MAC) – Uses a cryptographic hash function (e.g., SHA-256) with a secret key (RFC 2104).

2.CMAC (Cipher-based MAC) – Uses a block cipher (e.g., AES) instead of a hash function.

3.Poly1305 MAC – A fast one-time MAC used in modern cryptographic protocols, normally paired with ChaCha20 (ChaCha20-Poly1305 in TLS 1.3).

In every case the security rests on the key staying secret and on the algorithm being used as specified: a Poly1305 one-time key, for instance, must never authenticate two different messages.
MD5 Message Digest Algorithm

The MD5 (Message-Digest Algorithm 5) is a widely used cryptographic hash function that produces a 128-bit hash value (32 hexadecimal characters). It is commonly used to verify data integrity. However, MD5 is considered broken because of practical collision attacks, in which an attacker constructs two different inputs that produce the same hash output.
How MD5 Works (Step-by-Step with Example)

✅ Step 1: Take an Input Message
Let's say we want to hash the message:
📩 "Hello, World!"
✅ Step 2: Apply MD5 Hash Function
After applying MD5, we get:
🔹 MD5 Hash:
fc3ff98e8c6a0d3087d515c0473f8677
✅ Step 3: Hash Output is Always Fixed
No matter how many times you hash "Hello, World!", the output will always be the same 32-character hash. The hash is over the exact bytes: `echo` appends a newline, so `echo "Hello, World!" | md5sum` hashes 14 bytes rather than 13 and gives a different value; use `printf '%s' "Hello, World!" | md5sum` to hash the text itself.
Why is MD5 Considered Weak? (Collision Example)

MD5 has a major flaw: an attacker can construct two different inputs that produce the same hash (a collision attack). Practical collisions were published in 2004, and chosen-prefix collisions have since been used to forge an X.509 certificate (2008) and to sign the Flame malware (2012).

🔹 Example of Collision Attack:

An ordinary edit does not produce a collision; it produces a completely different digest:
📩 Message 1: "hello"
🔹 MD5 Hash: 5d41402abc4b2a76b9719d911017c592
📩 Message 2: "h3ll0" (slightly different)
🔹 MD5 Hash: a completely different 32-character value

A real collision is a pair of specially crafted inputs, typically two files that differ only in a few carefully chosen bytes, which an attacker can generate in seconds on commodity hardware. Because the attacker can prepare a benign file and a malicious file with the same MD5, MD5 is unsafe for any use where an attacker controls the input, such as signatures or certificate fingerprints.
Where is MD5 Still Used?
Although MD5 is no longer collision-resistant, it is still seen in:
✔ File Integrity Checks – Detecting accidental corruption of a download or transfer.
✔ Non-Security Applications – Checksums for data validation, cache keys and de-duplication.
🔹 Example:
When you download a software file, the website might provide an MD5 hash. After downloading, you can recompute the MD5 hash of the file.
•If the hash matches, the file was not corrupted in transit.
•If it doesn't match, the file has been modified or is corrupted.
Caveat: this only protects against accidental damage. An attacker who can replace the file can usually replace the published hash too, or craft a malicious file with the same MD5 as the genuine one. Integrity against a deliberate attacker needs SHA-256 (or stronger), a digest obtained over a trusted channel, or better, a digital signature over the file.
Secure Hash Algorithm (SHA)
The Secure Hash Algorithm (SHA) family includes several hash functions, with SHA-1, SHA-2 (SHA-256, SHA-512) and SHA-3 being the most notable. SHA-1 produces a 160-bit hash, while SHA-256 generates a 256-bit hash. SHA-2 and SHA-3 have no known practical attacks and are suitable for cryptographic applications; MD5 and SHA-1 are not.
 What is SHA (Secure Hash Algorithm)?
SHA (Secure Hash Algorithm) is a family of cryptographic hash functions used for data integrity and security. It takes an input (message) of any length and generates a fixed-length hash (digest). Strictly, a 256-bit digest cannot uniquely identify every possible input, but for a secure hash it is computationally infeasible to find two inputs with the same digest or to recover an input from its digest.
SHA is commonly used in:
✔ Password hashing (as the building block of slow, salted schemes such as PBKDF2-HMAC-SHA256, not as a bare hash)
✔ Digital signatures (the message is hashed and the hash is signed)
✔ Data integrity checks (ensuring no data tampering)
Types of SHA Algorithms
✅ SHA-1
•Produces a 160-bit hash (40 hexadecimal characters)
•No longer secure due to collision attacks (a practical collision, SHAttered, was demonstrated in 2017); deprecated for signatures and certificates
•Example:
"hello"→aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

✅ SHA-256 (Part of SHA-2 Family)
•Produces a 256-bit hash (64 hexadecimal characters)
•More secure than SHA-1
•Commonly used in blockchain (e.g., Bitcoin), TLS certificates, and digital security
•Example: "hello"→
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

✅ SHA-3
•Latest SHA standard (FIPS 202, 2015), built on the Keccak sponge construction rather than the Merkle-Damgård design shared by MD5, SHA-1 and SHA-2
•Standardised as an alternative with a different internal structure, so a future break of SHA-2 would not carry over; it is not "more secure" than SHA-2 in any currently known sense, and SHA-2 remains fully acceptable
•Not subject to length-extension attacks, which affect MD5, SHA-1 and SHA-256 when a bare hash of key||message is used instead of HMAC
•Used in modern cryptographic applications
How Does SHA Work? (Example)
🔹 Step 1: Take an Input Message
📩 "Hello World"
🔹 Step 2: Apply SHA-256 Hash Function
After applying SHA-256, we get:
🔹Hash Output:
a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b53f6e8b32ad18692
🔹 Step 3: Hash Output is Always Fixed
No matter how many times you hash "Hello World", the output will always be the same.
🔹 Step 4: Even a Small Change Produces a Completely Different Hash
📩 Message: "hello world" (small difference in capitalization)
🔹 SHA-256 Hash:
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
Why is SHA Important?

✅ Prevents Data Tampering – If even one letter in a message changes, the hash changes completely (on average about half of the output bits flip).
✅ Used in Cryptography – SHA is used in password storage, digital signatures, and secure communications.
✅ More Secure than MD5 – MD5 is vulnerable to collision attacks, but SHA-256 and SHA-3 offer stronger protection.
Where is SHA Used?

✔ Password Hashing – Websites must never store passwords in plain text. Storing a bare SHA-256 of the password is also inadequate: SHA-256 is designed to be fast, so an attacker who obtains the database can test billions of guesses per second on GPUs, and identical passwords produce identical hashes. Passwords are instead stored with a unique random salt per user and a deliberately slow function such as PBKDF2-HMAC-SHA256, bcrypt, scrypt or Argon2id.
✔ Blockchain (Cryptocurrency) – Bitcoin uses SHA-256 to secure transactions.
✔ File Integrity Checks – Ensures a file is not modified or corrupted.
User Authentication Methods

User authentication is a critical aspect of securing systems and data. Various methods are employed to verify the identity of users:
1. Password-Based Authentication
🔹 What is it?
Users provide a username and password to log in. The system checks the password against a stored salted hash of the password (never against the password itself).
🔹 Example:
•Logging into Gmail, Facebook, or a banking website using a password.
🔹 Pros:
✔ Simple and easy to implement.
✔ Works on almost all platforms.
🔹 Cons:
❌ Weak passwords can be guessed or cracked.
❌ Users may forget passwords or reuse them across sites, so one breached site exposes the others (credential stuffing).
❌ Passwords can be phished: the user types the real password into a fake site.
🔹 How to Improve Security?
•Use long, unique passwords for every site (a password manager makes this practical).
•Reject passwords that appear in breached-password lists.
•Enable Multi-Factor Authentication (MFA) for extra security.
2. Biometric Authentication
🔹 What is it?
Authentication based on biological characteristics, such as fingerprints, facial recognition, iris scan, or voice recognition.
🔹 Example:
•Unlocking a smartphone using a fingerprint scanner or Face ID.
•Airport security using iris scans.
🔹 Pros:
✔ Cannot be forgotten or shared, and hard to forge when the sensor has liveness detection.
✔ Faster and more convenient than typing passwords.
🔹 Cons:
❌ If biometric data is stolen, it cannot be changed (unlike passwords). For this reason modern devices keep the template locally and use the biometric only to unlock a device-held key, rather than sending the biometric to a server.
❌ Some biometric systems can be fooled (e.g., a photo for facial recognition, a lifted fingerprint), and matching is probabilistic, so every system has false-accept and false-reject rates.
3. Certificate-Based Authentication
Certificate-Based Authentication (CBA) is an authentication method where users, devices, or applications prove their identity with a digital certificate and the matching private key instead of a password.
A digital certificate is an electronic document issued by a Certificate Authority (CA) that contains:
✔ The user's public key
✔ The issuer's digital signature
✔ User's identity details
💡 How does it work?
•Instead of typing a password, the client proves that it holds the private key matching the certificate, typically by signing a challenge from the server (as in TLS client authentication or smart-card logon).
•The server checks the signature, verifies that the certificate chains to a trusted CA, and checks that it has not expired or been revoked (CRL or OCSP). This trust structure is the Public Key Infrastructure (PKI).
🔹 Pros:
✅ More Secure Than Passwords – There is no password to guess, brute-force, reuse or phish; the secret is a private key that never leaves the device (ideally a smart card, TPM or hardware token).
✅ No Need to Remember Passwords – Users don't need to type or reset passwords.
✅ Prevents Identity Theft – Uses cryptographic signatures, making impersonation difficult.
✅ Ideal for Enterprises & Secure Systems – Used in banking, government, and corporate networks.
🔹 Cons:
❌ Complex Setup – Requires running Certificate Authorities (CAs), enrolling users and devices, and distributing certificates.
❌ Certificate Expiry – Certificates must be renewed periodically, and an expired certificate locks the user out.
❌ Lost or Stolen Private Key – If the private key is copied or the device is lost, an attacker can authenticate as the user until the certificate is revoked, so revocation must be fast and the key should live in tamper-resistant hardware.
Kerberos Authentication Protocol
Kerberos is a network authentication protocol designed to provide secure authentication for users and services in a distributed environment. It uses secret-key cryptography and a trusted third party known as the Key Distribution Center (KDC).
✅ Key Features:
✔ Uses secret-key cryptography (symmetric encryption).
✔ Prevents password transmission over the network.
✔ Uses a trusted third party called the Key Distribution Center (KDC).
🔹 How Kerberos Works (Step-by-Step)
Kerberos authentication follows a ticket-based system
using three main components:
1⃣ Key Distribution Center (KDC)
•A trusted server that manages authentication.
•It has two parts:
• Authentication Server (AS) → Verifies user identity.
• Ticket Granting Server (TGS) → Issues service
tickets for access.
2⃣ Client (User or Service Requestor)
•The user or device requesting access.
3⃣ Service (Application or Resource)
•The server hosting the resource (e.g., file server,
database).
🔹 Kerberos Authentication Process (Step-by-Step)

1⃣ User Authentication Request (AS-REQ / AS-REP)
•The user enters their username and password.
•The password is never sent over the network, and neither is a hash of it.
•The client derives the user's long-term secret key from the password locally and sends the Authentication Server (AS) a request containing the user's principal name plus, with pre-authentication, a timestamp encrypted under that key. The AS holds the same key (derived from the same password) and can decrypt the timestamp only if the password was correct.
2⃣ KDC Issues a Ticket Granting Ticket (TGT)
•If the request is valid, the AS replies with a TGT encrypted with the TGS's own secret key (the krbtgt key), which the client cannot read, plus a session key encrypted with the user's key.
•The TGT proves that the user is authenticated.
•The user's system caches the TGT and session key for future requests.
3⃣ User Requests Access to a Service (TGS-REQ / TGS-REP)
•When the user wants to access a service (e.g., file server), the client sends the TGT, the service name and an authenticator (the user's name and current time encrypted with the session key) to the Ticket Granting Server (TGS).
•The TGS decrypts the TGT, checks the authenticator, and issues a Service Ticket encrypted with the service's secret key, together with a new session key for the client and the service.
4️⃣ Access to the Requested Service (AP-REQ / AP-REP)
•The user sends the Service Ticket and a fresh authenticator to the service (e.g., file server).
•The service decrypts the ticket with its own key and checks the authenticator. It does not contact the KDC at all, which is what lets the scheme scale.
•If valid, the service grants access without requiring a password again, and can optionally return its own proof of identity (mutual authentication).
💡 Key Benefit: The user does not need to enter a password multiple times; they authenticate once and receive tickets for further access.
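The four steps above as a runnable simulation, added here as an example and not part of the slides or of any Kerberos implementation. Both sides of each exchange are shown: the client derives its key from the password, the AS checks pre-authentication, the TGT is opened only by the TGS, the service ticket is opened only by the service (no call back to the KDC), and the service keeps a replay cache. The symmetric cipher is a toy (SHA-256 keystream plus HMAC) standing in for a real Kerberos enctype; the realm `EXAMPLE.COM`, the principals `alice` and `fileserver`, the password and the 8-hour ticket lifetime are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300            # Kerberos default: reject timestamps more than 5 minutes off
TICKET_LIFETIME = 8 * 3600  # assumed ticket lifetime for this example

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Toy authenticated encryption (stand-in for a real Kerberos enctype such as AES256-CTS-HMAC)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, principal):
    """Stand-in for Kerberos string-to-key: both sides derive the long-term key locally,
    so neither the password nor a hash of it is ever transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _check_authenticator(auth, ticket, now):
    if auth["client"] != ticket["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is outside clock skew")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self):
        self.keys, self.tgs_key = {}, os.urandom(32)   # principal -> long-term key; the krbtgt key

    def as_exchange(self, principal, preauth):
        key = self.keys[principal]
        if abs(time.time() - decrypt(key, preauth)["timestamp"]) > CLOCK_SKEW:  # decrypt fails on a wrong password
            raise ValueError("pre-authentication timestamp outside clock skew")
        session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = encrypt(self.tgs_key, {"client": principal, "session": session, "expires": expires})
        return tgt, encrypt(key, {"session": session, "expires": expires})          # AS-REP

    def tgs_exchange(self, tgt, authenticator, service):
        t = decrypt(self.tgs_key, tgt)                                              # only the TGS can open a TGT
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        _check_authenticator(decrypt(bytes.fromhex(t["session"]), authenticator), t, time.time())
        svc_session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        ticket = encrypt(self.keys[service], {"client": t["client"], "session": svc_session, "expires": expires})
        return ticket, encrypt(bytes.fromhex(t["session"]), {"session": svc_session})  # TGS-REP

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket, authenticator):
        t = decrypt(self.key, ticket)                   # opened with the service's own key; no call to the KDC
        if time.time() > t["expires"]:
            raise ValueError("service ticket expired")
        auth = decrypt(bytes.fromhex(t["session"]), authenticator)
        _check_authenticator(auth, t, time.time())
        if (auth["client"], auth["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["timestamp"]))
        return t["client"]

def client_login(kdc, service, principal, password):
    """Client side of AS-REQ/REP, TGS-REQ/REP and AP-REQ; returns the name the service accepted."""
    key = string_to_key(password, "EXAMPLE.COM", principal)
    tgt, as_rep = kdc.as_exchange(principal, encrypt(key, {"timestamp": time.time()}))
    session = bytes.fromhex(decrypt(key, as_rep)["session"])
    ticket, tgs_rep = kdc.tgs_exchange(tgt, encrypt(session, {"client": principal, "timestamp": time.time()}), service.name)
    svc_session = bytes.fromhex(decrypt(session, tgs_rep)["session"])
    ap_req = (ticket, encrypt(svc_session, {"client": principal, "timestamp": time.time()}))
    return service.ap_exchange(*ap_req), ap_req

def _rejected(action):
    try:
        action()
        return False
    except ValueError:
        return True

def demo():
    """Constructed scenario: alice@EXAMPLE.COM logs on to the 'fileserver' service."""
    kdc = KDC()
    kdc.keys["alice"] = string_to_key("correct horse battery", "EXAMPLE.COM", "alice")
    fs = Service("fileserver", os.urandom(32))
    kdc.keys["fileserver"] = fs.key
    who, ap_req = client_login(kdc, fs, "alice", "correct horse battery")
    return {"user": who,
            "replay_rejected": _rejected(lambda: fs.ap_exchange(*ap_req)),
            "wrong_password_rejected": _rejected(lambda: client_login(kdc, fs, "alice", "wrong password"))}
```

`demo()` returns `{"user": "alice", "replay_rejected": True, "wrong_password_rejected": True}`: a wrong password fails at the KDC because the pre-authentication timestamp does not decrypt, and a captured AP-REQ replayed against the service is caught by the replay cache even though the ticket and authenticator are both cryptographically valid.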
🔹 Example of Kerberos Authentication in Real Life

Secure Access to a Web Application

•A company uses Kerberos Single Sign-On (SSO) for internal applications.
•When an employee logs in once, they can access:
✅ Email (Exchange Server)
✅ Internal Web Portals
✅ File Servers
…without needing to enter credentials repeatedly!
🔹 Advantages of Kerberos Authentication
✅ Password Never Sent Over the Network → Reduces risk of password theft.
✅ Single Sign-On (SSO) → Users log in once and access multiple services.
✅ Mutual Authentication → The service can prove itself to the client as well (optional AP-REP).
✅ Limits Replay Attacks → Authenticators carry timestamps, tickets have a lifetime, and services keep a replay cache of recently seen authenticators.
✅ Widely Used in Enterprise Environments → Used in Windows Active Directory, UNIX, and Linux.
🔹 Disadvantages of Kerberos
❌ KDC is a Single Point of Failure → If the KDC goes down, authentication stops (mitigated with replica KDCs; in Active Directory every domain controller is a KDC).
❌ Requires Clock Synchronization → Clocks more than 5 minutes apart (the default skew) cause authentication failures.
❌ Complex to Set Up → Requires proper key and ticket management.
❌ Tickets Are Bearer Tokens → A TGT or service ticket stolen from a machine's memory can be reused until it expires (pass-the-ticket), and a compromised service key lets an attacker forge tickets for that service, so the KDC host and service keys must be tightly protected.
