Unit 4 – Message Authentication

& Integrity
Dr.S.Kalaivani
Assistant Professor/ Dept. of CSE
IRTT

*. Notes, pictures, algorithms and other details are used for educational
purpose only. It is collected from various web sites and text books for teaching
purpose only
 Topics Covered
1. Authentication requirement

2. Authentication function
– MAC
– Hash function

3. Security of hash function and MAC

– Hash Algorithms
• MD5
• SHA

– MAC Algorithms
• HMAC
• CMAC Unit 4– Message Authentication & Integrity 2
4. Digital signature and authentication protocols
– DSS

5. Entity Authentication
– Biometrics
– Passwords
– Challenge Response Protocols

6. Authentication applications
– Kerberos
– X.509 Authentication services
Unit 4– Message Authentication & Integrity 3
 Message Authentication
• Use of secret key to generate a small fixed sized block of data known as
cryptographic check sum or MAC that is appended to message.

• Message authentication is a procedure to verify that received message

come from alleged source and have not been altered

• Message authentication is concerned with:

– protecting the integrity of a message
– validating identity of originator
– non-repudiation of origin (dispute resolution)

• will consider the security requirements

• Three alternative functions used:

– message encryption
– message authentication code (MAC)
– hash function
Unit 4– Message Authentication & Integrity 4
 Authentication Requirements
• Disclosure-release of msg content to any person
• Traffic analysis-discovery of pattern of traffic
• Masquerade-insertion of msg to n/w from fraud
source
• Content modification
• Sequence modification
• Timing modification
• Source repudiation-denial of msg transmission by
source
• Destination repudiation-denial of msg receive by
destination
Unit 4– Message Authentication & Integrity 5
 Message Encryption
• Message encryption by itself also provides a
measure of authentication
• if symmetric encryption is used then:
– receiver know sender must have created it
– since only sender and receiver know key used
– know content cannot been altered
– if message has suitable structure, redundancy or a
checksum to detect any changes

Unit 4– Message Authentication & Integrity 6

 Message Encryption
• if public-key encryption is used:
– encryption provides no confidence of sender
– since anyone potentially knows public-key
– however if
• sender signs message using their private-key
• then encrypts with recipients public key
• have both secrecy and authentication
– again need to recognize corrupted messages
– but at cost of two public-key uses on message

Unit 4– Message Authentication & Integrity 7

Basic uses of message encryption

Unit 4– Message Authentication & Integrity 8

 Hash and MAC Algorithms
• Hash Functions
– condense arbitrary size message to fixed size
– by processing message in blocks
– through some compression function
– either custom or block cipher based

• Message Authentication Code (MAC)

– fixed sized authenticator for some message
– to provide authentication for message
– by using block cipher mode or hash function

Unit 4– Message Authentication & Integrity 9

Message Authentication Code (MAC)
• Generated by an algorithm that creates a
small fixed-sized block
– depending on both message and some key
– like encryption though need not be reversible
• Appended to message as a signature
• Receiver performs same computation on
message and checks it matches the MAC
• Provides assurance that message is unaltered
and comes from sender

Unit 4– Message Authentication & Integrity 10

 Message Authentication Codes
• MAC provides authentication
• It can also use encryption for secrecy
– generally use separate keys for each
– can compute MAC either before or after encryption
– is generally regarded as better done before
– The algorithm need not be reversible
• why use a MAC?
– sometimes only authentication is needed
– sometimes need authentication to persist longer than the
encryption (eg. archival use)
• MAC is not a digital signature

Unit 4– Message Authentication & Integrity 11

Message Authentication Code

Unit 4– Message Authentication & Integrity 12

 MAC Properties
• a MAC is a cryptographic checksum
MAC = CK(M)
– condenses a variable-length message M
– using a secret key K
– to a fixed-sized authenticator
• is a many-to-one function
– potentially many messages have same MAC
– but finding these needs to be very difficult

Unit 4– Message Authentication & Integrity 13

Basic Uses of MAC

Unit 4– Message Authentication & Integrity 14

 Requirements for MACs
• Taking into account the types of attacks
• need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to
find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message

Unit 4– Message Authentication & Integrity 15

 Using Symmetric Ciphers for MACs
• It can use any block cipher chaining mode and
use final block as a MAC
• Data Authentication Algorithm (DAA) is a
widely used MAC based on DES-CBC
– using IV=0 and zero-pad of final block
– encrypt message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security

Unit 4– Message Authentication & Integrity 16

 Hash Functions
• Unlike MAC , hash does not uses a key.
• It is also referred as message digest or hash value
• Hash function accepts a variable length block of data M
as input & produces a fixed size hash value h = H(M)
• usually assume that the hash function is public and not
keyed
– MAC which is keyed
• hash used to detect changes to message
• can use in various ways with message
• most often to create a digital signature
Unit 4– Message Authentication & Integrity 17
Basic uses of Hash Function

Unit 4– Message Authentication & Integrity 18

Basic uses of Hash Function

Unit 4– Message Authentication & Integrity 19

 Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
• one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
• weak collision resistance
6. is infeasible to find any x,y s.t. H(y)=H(x)
• strong collision resistance

Unit 4– Message Authentication & Integrity 20

 Simple Hash Functions
• There are several proposals for simple
functions
• based on XOR of message blocks
• not secure since can manipulate any message
and either not change hash or change hash
also
• need a stronger cryptographic function

Unit 4– Message Authentication & Integrity 21

 Block Ciphers as Hash Functions
• can use block ciphers as hash functions
– using H0=0 and zero-pad of final block
– compute: Hi = EMi [Hi-1]
– and use final block as the hash value
– similar to CBC but without a key
• resulting hash is too small (64-bit)
– both due to direct birthday attack
– and to “meet-in-the-middle” attack
• other variants also susceptible to attack
Unit 4– Message Authentication & Integrity 22
 Hash and MAC Algorithms
• Hash Functions
– condense arbitrary size message to fixed size
– by processing message in blocks
– through some compression function
– either custom or block cipher based

• Message Authentication Code (MAC)

– fixed sized authenticator for some message
– to provide authentication for message
– by using block cipher mode or hash function

Unit 4– Message Authentication & Integrity 23

 Attacks on Hash Function and MAC
• Brute force attack
– Computation resistance
• Cryptanalysis

• MAC does not provide digital signature

because both sender and receiver share a
same key
Unit 4– Message Authentication & Integrity 24
 Brute Force Attacks
– Hash Function
• One-way- H(x)=h
• Weak Collision Resistance y ≠ x with H(y)=H(x)
• Strong Collision resistance infeasible to find a pair(x,y)
such that H(x)=H(y)

– MAC
• Computation resistance- Given one or more text MAC
pairs(x,Ck(x)) it is infeasible to compute any text MAC
pair (xi,Ck(xi)) for new input x≠xi

Unit 4– Message Authentication & Integrity 25

 Cryptanalysis
• Hash Functions
– CV0= IV=initial n-bit value
– CVi=f(CVi-1,Yi-1) i<i<L
– H(M)=CVL
– Message M consists of blocks Y0,Y1,….YL-1
• MAC
– It is difficult to cryptanalysis of MAC

Unit 4– Message Authentication & Integrity 26

Secure Hash Algorithm Structure

Unit 4– Message Authentication & Integrity 27

 Secure Hash Algorithms
– MD5
• Message Digest Algorithm
• Input of Variable Length and produces as output a 128 bit
message digest.
• Input is processed in 512 bit blocks
• Four register with 16 steps of 4 rounds

– SHA-1
• Secure Hash Algorithm
• Input of Variable Length and produces as output a 160 bit
message digest.
• Input is processed in 512 bit blocks
• Five register with 20 steps of 4 rounds
Unit 4– Message Authentication & Integrity 28
MD5 Overview

Unit 4– Message Authentication & Integrity 29

 Steps in MD5 Algorithm
1. Append Padding bits

2. Append Length

3. Initialize MD buffer

4. Process message in 512 bit blocks

5. Output
Unit 4– Message Authentication & Integrity 30
 MD5 Overview – Append Padding bits
• Pad message so its length is congruent to 448 mod
512 (length ≡ 448 mod 512).
• Length of padded message is 64 bit less than an
integer multiple of 512 bits.
• Padding is always added even if message is already
of desired length.
• if message is 448 bits long, it is padded by 512 bits
to length of 960 bits.
• Padding means single 1 bit followed by necessary
number of 0 bits.

Unit 4– Message Authentication & Integrity 31

 Append length
•A 64-bit representation of the length of the message is
appended to the result of step1.

•If the length of the message is greater than 264, only the low-
order 64 bits will be used.

•Field contains length of original message mod 264

•The resulting message (after padding with bits and with b) has
a length that is an exact multiple of 512 bits.

•The expanded message is L × 512 bits.

•Let M[0…N-1] where N= L × 16 ie. ,multiple of 16 32 bit words.

Unit 4– Message Authentication & Integrity 32
 Initialize MD buffer
A 128 bit buffer is used to hold intermediate and final result of hash function

A four-32 bit registers (A, B, C, D) is used to compute the message digest.

A =67452301
B=EFCDAB89
C=98BADCFE
D=10325476

Each of A, B, C, D is a 32-bit register. These registers are initialized to the

following values in hexadecimal, low-order bytes first):

WORD A: 01 23 45 67
WORD B: 89 AB CD EF
WORD C: FE DC BA 98
WORD D: 76 54 32 10
Unit 4– Message Authentication & Integrity 33
 Process Message
• Heart of algorithm is compression function
• It consists of 4 rounds
• Four rounds have similar structure but uses
different primitive logic function referred as
F,G,H and I
• Each round take input of 512 bit block and 128
bit buffer value ABCD
• Output of fourth round is added to input of first
round to produce CVq+1
• Addition is done independently for each 4 words
Unit 4– Message Authentication & Integrity 34
Unit 4– Message Authentication & Integrity 35
 Output
• After all L 512 bit blocks have processed, output from Lth stage is
128 bit message digest

CV0=IV
CVq+1= SUM 32[CVq,RFI(Yq,RFH(Yq,RFG(Yq,RFF(Yq,CVq))))]
MD= CVL-1

Where IV-intitial valus of ABCD buffer

Yq+1= qth 512 bit block of message
L=number of blocks in message
CVq=chaining variable
RFx=round function using primitive function X
MD=final message digest value
SUM32=addition mod 232
Unit 4– Message Authentication & Integrity 36
MD5 Algorithm Structure

Unit 4– Message Authentication & Integrity 37

MD5 operation in single step

Unit 4– Message Authentication & Integrity 38

 MD5 Compression Function
• each round has 16 steps of the form:
b = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
a=d , c=b, d=c
• a,b,c,d refer to the 4 words of the buffer, but used in
varying permutations
• where g(b,c,d) is a different nonlinear function in each
round (F,G,H,I)
• <<< left circular shift rotation if s bits
• X[k] kth 32 bit word in qth 512 bit block of message
• T[i] is a constant value derived from matrix
• + addition modulo 232
Unit 4– Message Authentication & Integrity 39
 Primitive function
Round Primitive Function g g(b,c,d)
1 F(b,c,d) (b˄c)˅ (b’ ˄d)

2 G(b,c,d) (b˄d)˅ (c ˄d’)

3 H(b,c,d) b XOR c XOR d

4 I(b,c,d) c XOR (b˅ d’)

Unit 4– Message Authentication & Integrity 40

 permutation
• ρ2(i) = (1+5i) mod 16

• ρ3(i) = (5+3i) mod 16

• ρ4(i) = 7i mod 16

• Each of 64 32 bit word elements of T in each

round
Unit 4– Message Authentication & Integrity 41
 Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
– Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
– Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon

Unit 4– Message Authentication & Integrity 42

 Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• Sha is based on MD4 algorithm
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications
Unit 4– Message Authentication & Integrity 43
 Revised Secure Hash Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
– SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher

Unit 4– Message Authentication & Integrity 44

 Secure Hash Algorithm (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised
1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– note: the algorithm is SHA, the standard is SHS
• Algorithm takes input a message with max length of
less than 264 bits
• produces 160-bit hash values
• Input is processed in 512 bit blocks
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
Unit 4– Message Authentication & Integrity 45
 Steps in SHA-1 Algorithm
1. Append Padding bits

2. Append Length

3. Initialize MD buffer

4. Process message in 512 bit blocks

5. Output
Unit 4– Message Authentication & Integrity 46
 SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
A=67452301,
B=EFCDAB89
C=98BADCFE
D=10325476
E=C3D2E1F0
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing & shifting
– use 4 rounds of processing of 20 steps each
– 4 primitive logic functions f1,f2,f3 and f4
5. output hash value is the final buffer value
Unit 4– Message Authentication & Integrity 47
SHA-1 Processing of single 512 bit block

Unit 4– Message Authentication & Integrity 48

 Output of SHA-1
• After all L 512 bit blocks have been processed, the output from
Lth stage is 160 bit message digest
CV0=IV
CVq+1= SUM 32(CVq,ABCDE)
MD= CV

Where IV-intitial valus of ABCDE buffer

ABCDE= output of last round of processing qth message
block
L=number of blocks in message
SUM32=addition mod 232
MD=final message digest value
Unit 4– Message Authentication & Integrity 49
 SHA-1 Compression Function
• each round has 20 steps of 4 rounds which
replaces the 5 buffer words thus:
(A,B,C,D,E) <-(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,
(B<<30),C,D)
• A,B,C,D,E refer to the 5 words of the buffer
• t is the step number

• f(t,B,C,D) is nonlinear function for round

• Wt 32 bit word from input block
• Kt is a constant value

Unit 4– Message Authentication & Integrity 50

SHA-1 Compression Function

Unit 4– Message Authentication & Integrity 51

Comparison of SHA parameters

Unit 4– Message Authentication & Integrity 52

SHA-512 Overview

Unit 4– Message Authentication & Integrity 53

 SHA-512 Compression Function
• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
– updating a 512-bit buffer
– using a 64-bit value Wt derived from the current
message block
– and a round constant based on cube root of first
80 prime numbers

Unit 4– Message Authentication & Integrity 54

Unit 4– Message Authentication & Integrity 55
SHA-512 Round Function

Unit 4– Message Authentication & Integrity 56

Unit 4– Message Authentication & Integrity 57
 Comparison of MD5 and SHA-1
MD5 SHA-1
Message Block Size 512 512

Message Digest Size 128 160

Message Size L × 512 bit block M < 264

Buffers 4 5

Rounds in each step 4 of 16 steps 4 of 20 steps

Word size 32 bits 32 bits

Additive Constant 64 4
Unit 4– Message Authentication & Integrity 58
 Keyed Hash Functions as MACs
• want a MAC based on a hash function
– because hash functions are generally faster
– code for crypto hash functions widely available
• hash includes a key along with message
• original proposal:
KeyedHash = Hash(Key|Message)
– some weaknesses were found with this
• eventually led to development of HMAC

Unit 4– Message Authentication & Integrity 59

 MAC Algorithms
• HMAC
– Used in IP Security

• CMAC
– Used in Govt and Industry

Unit 4– Message Authentication & Integrity 60

 HMAC Design Objectives
• Hash function perform well in software and
code is free
• Easy replacability of embedded hash function
• Faster and More secure
• Handle keys in simple way

• HMAC treats hash function as ‘black box’. Bulk

HMAC code is prepackaged and ready to use
without modification.
Unit 4– Message Authentication & Integrity 61
HMAC Overview

Unit 4– Message Authentication & Integrity 62

 HMAC
• specified as Internet standard RFC2104
• Used in IP Security
• uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad)||M)]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the
message needs alone
• any of MD5, SHA-1, RIPEMD-160 can be used
Unit 4– Message Authentication & Integrity 63
HMAC Algorithm

Unit 4– Message Authentication & Integrity 64

Unit 4– Message Authentication & Integrity 65
HMAC Algorithm

Unit 4– Message Authentication & Integrity 66

 Precomputed quantities
• f(IV, (K+ XOR ipad)

• f(IV, (K + XOR opad)

• Where f(cv,block) is compression function for

hash function which takes arguments a
chaining variable of n bits and block of b bits
produce chaining variable of n bits.
Unit 4– Message Authentication & Integrity 67
Efficient implementation of HMAC

Unit 4– Message Authentication & Integrity 68

 HMAC Security
• proved security of HMAC relates to that of the
underlying hash algorithm
• attacking HMAC requires either:
– brute force attack on key used
– birthday attack (but since keyed would need to
observe a very large number of messages)
• choose hash function used based on speed
verses security constraints

Unit 4– Message Authentication & Integrity 69

 CMAC
• Cipher Based MAC use with AES and triple DES
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message
Authentication Code (CMAC)
• adopted by NIST SP800-38B

Unit 4– Message Authentication & Integrity 70

• Message is an integer multiple of n of cipher block length b
• For AES b=128 for triple DES b=64
• Message is divided into n blocks (M1,M2…Mn)
• For AES key k=128,192,256 for triple DES k=112 or 168 bits

Unit 4– Message Authentication & Integrity 71

CMAC Overview

Unit 4– Message Authentication & Integrity 72

 Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– Must verify author, date & time of signature
– Must authenticate message contents
– Must be verified by third parties to resolve
disputes
• hence include authentication function with
additional capabilities

Unit 4– Message Authentication & Integrity 73

 Digital Signature Requirements
• Signature must be a bit pattern depends on the
message
• Signature should be unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce Signature
• must be relatively easy to recognize & verify
• be computationally infeasible to forge a signature
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical save digital signature in storage
Unit 4– Message Authentication & Integrity 74
 DIGITAL SIGNATURE PROCESS

Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier
verifies with the signer’s public key.
Unit 4– Message Authentication & Integrity 75
 Note

A cryptosystem uses the private and public keys of the

receiver:

A digital signature uses the private and public keys of the

sender.

Unit 4– Message Authentication & Integrity 76

Signing the Digest

Unit 4– Message Authentication & Integrity 77

 Categories of Digital Signature

• Direct Digital Signature

• Arbitrated Digital Signature

Unit 4– Message Authentication & Integrity 78

 Direct Digital Signatures
• Involves only communication parties
• It is formed by encrypting entire message with sender’s
private key
• Encrypting hash code of message with sender’s private key
• Confidentiality can be provided by encrypting entire message
plus signature with a shared secret key or receiver’s public
key
• digital signature made by sender signing entire message or
hash with private-key can encrypt using receiver’s public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key
• Every signed message includes a timestamp (date & time)

Unit 4– Message Authentication & Integrity 79

 Arbitrated Digital Signatures
• It involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• It requires suitable level of trust in arbiter
• It can be implemented with either private or
public-key algorithms
• It arbiter may or may not see message

Unit 4– Message Authentication & Integrity 80

Unit 4– Message Authentication & Integrity 81
 Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS uses an algorithm that is designed to provide
only digital signature.
• Unlike RSA,it cannot be used for encryption or key
exchange

Unit 4– Message Authentication & Integrity 82

 Digital Signature Algorithm (DSA)

• creates a 320 bit signature

• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing
discrete logarithms
• variant of ElGamal & Schnorr schemes

Unit 4– Message Authentication & Integrity 83

Digital Signature Algorithm (DSA)

Unit 4– Message Authentication & Integrity 84

 DSA Key Generation
• have shared global public key values (p,q,g):
– choose a large prime p with 2L-1 < p < 2L
• where L= 512 to 1024 bits and is a multiple of 64
– choose q with 2159 < q < 2160
• such that q is a 160 bit prime divisor of (p-1)
– choose g = h(p-1)/q
• where 1<h<p-1 and h(p-1)/q mod p > 1
• g>1
• users choose private & compute public key:
– choose private key x from 1 to q-1 and choose
randomly
– compute public key y = gx mod p
Unit 4– Message Authentication & Integrity 85
• To create signature, user calculates r and s as
functions.
• Public key components (p,q,g)
• Private key (x)
• Hash code H(M)
• Additional integer k

Unit 4– Message Authentication & Integrity 86

Unit 4– Message Authentication & Integrity 87
Digital Signature Algorithm

Unit 4– Message Authentication & Integrity 88

DSS Signing and Verifying

Unit 4– Message Authentication & Integrity 89

 AUTHENTICATION PROTOCOLS
• used to convince parties of each others
identity and to exchange session keys
• may be one-way or mutual
• key issues are
– confidentiality – to protect session keys
– timeliness – to prevent replay attacks
• published protocols are often found to have
flaws and need to be modified

Unit 4– Message Authentication & Integrity 90

 General Areas
• Mutual Authentication
– Symmetric Encryption approach
– Public key Encryption approach

• One way Authentication

– Symmetric Encryption approach
– Public key Encryption approach

Unit 4– Message Authentication & Integrity 91

 Mutual Authentication
• Enable communication parties mutually satisfy
themselves and to exchange session keys
• Problem in key exchange is confidentiality and
timeliness
• Replay Attacks
– where a valid signed message is copied and later resent
• simple replay
• repetition that can be logged
• repetition that cannot be detected
• backward replay without modification
– countermeasures include
• use of sequence numbers (generally impractical)
• timestamps (needs synchronized clocks)
• challenge/response (using unique nonce)
Unit 4– Message Authentication & Integrity 92
 Using Symmetric Encryption
• as discussed previously can use a two-level
hierarchy of keys
• usually with a trusted Key Distribution Center
(KDC)
– each party shares own master key with KDC
– KDC generates session keys used for connections
between parties
– master keys used to distribute these to them

Unit 4– Message Authentication & Integrity 93

 Needom/Schroeder protocol
1. A KDC: IDA||IDB||N1

2. KDC  A: E(Ka, [Ks||IDB||N1||E(Kb, [Ks||IDA])])

3. A B: E(Kb, [Ks||IDA])

4. B A: E(Ks, N2)

5. A  B: E(Ks, f(N2))

Unit 4– Message Authentication & Integrity 94

• Ka – secret keys shared between A and KDC
• Kb – secret keys shared between B and KDC

• Purpose of this protocol is to distribute

session key Ks to A and B

Unit 4– Message Authentication & Integrity 95

 Modified Needom/Schroeder protocol
1. A KDC: IDA||IDB

2. KDC  A: E(Ka, [Ks||IDB||T||E(Kb, [Ks||IDA||T])])

3. A B: E(Kb, [Ks||IDA||T])

4. B A: E(Ks, N1)

5. A  B: E(Ks, f(N1))

Unit 4– Message Authentication & Integrity 96

• T is a time stamp that assures A and B that
session key has just been generated

• |Clock – T| < Δ t1+ Δ t2

• Where Δ t1 is estimated normal discrepancy

between KDC’s clock and local clock

• Δ t2 is the expected network delay time

Unit 4– Message Authentication & Integrity 97

 Denning Protocol
1. A B: IDA||Na

2. B KDC: IDB||Nb||E(Kb, [IDA||Na||Tb])

3. KDC A: E(Ka, [IDB||Na||Ks||Tb])||E(Kb,[IDA||Ks||Tb])||Nb

4. A B: E(Kb, [IDA||Ks||Tb])||E(Ks, Nb)

Unit 4– Message Authentication & Integrity 98

 Advanced Protocol Model
1. A B: E(Kb, [IDA||Ks||Tb])||N'a

2. B A: N'b||E(Ks, N'a)

3. A B: E(Ks, N'b)

Unit 4– Message Authentication & Integrity 99

 Using Public Key Encryption approach
1. A AS: IDA||IDB

2. AS A: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])

3. A B: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])

||E(PUb, E(PRa, [Ks||T]))

Unit 4– Message Authentication & Integrity 100

1. A KDC: IDA||IDB

2. KDC A: E(PRauth, [IDB||PUb])

3. A B: E(PUb, [Na||IDA])

4. B KDC: IDA||IDB||E(PUauth, Na)

5. KDC B: E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDB]))

6. B A: E(PUa, E(PRauth, [(Na||Ks||IDB)||Nb]))

7. A B: E(Ks, Nb)

Unit 4– Message Authentication & Integrity 101

 Revised Version
1. A KDC: IDA||IDB

2. KDC A: E(PRauth, [IDB||PUb])

3. A B: E(PUb, [Na||IDA])

4. B KDC: IDA||IDB||E(PUauth, Na)

5. KDC B: E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDA||IDB])

6. B A: E(PUa, E(PRauth, [(Na||Ks||IDA||IDB)||Nb]))

7. A B: E(Ks, Nb)

Unit 4– Message Authentication & Integrity 102

 One Way Authentication
• Email is an application
• Symmetric approach
1. A KDC: IDA||IDB||N1

2. KDC A: E(Ka, [Ks||IDB||N1||E(Kb, [Ks||IDA])])

3. A B: E(Kb, [Ks||IDA])||E(Ks, M)

Unit 4– Message Authentication & Integrity 103

• Public key encryption approach
• Confidentiality
AB : EKUb[Ks] || EKs[M]
• Authentication
AB : M || EKRa[H(M)]
• Both message and signature can be encrypted
AB : EKUb[M || EKRa[H(M)]

AB : M || EKRa[H(M) || EKRa[T|| IDA || KUa]

Unit 4– Message Authentication & Integrity 104

 Entity Authentication
• It is a technique designed to prove identity of
another party
• Entity can be a person, process, client, or a
server

Unit 4– Message Authentication & Integrity 105

 Message Authentication VS Entity
Authentication
• Msg Authentication
– Data origin
– Might not happen in real time
– Simply authenticate one message
– It is required when an email is sent

• Entity Authentication
– It happens at real time
– It authenticates entire duration of a session
– It is required when gets cash from ATM
Unit 4– Message Authentication & Integrity 106
 Biometrics
• It is a measurement of physiological or
behavioral features that identify a person
• It cant by guessed, stolen, shared
• Components
– Capturing devices-measure biometric features
– Processors-change to data for saving
– Storage devices-save result of processing for
authentication

Unit 4– Message Authentication & Integrity 107

• Enrollment
– Before biometric technique, feature of each
person in community should be available in DB

• Authentication
– It is done by verification or identification
– Verification
• A persons feature is matched against single record in
DB to find if she is who she is claiming to be.
– Identification
• A persons feature is matched against all records in DB

Unit 4– Message Authentication & Integrity 108

 Techniques
• Physiological
– Fingerprint
– Iris
– Retina
– Face
– Hands
– Voice
– DNA
• Behavioral
– Signature
– Keystroke
Unit 4– Message Authentication & Integrity 109
 Accuracy
• It is measured in biometric with 2 parameters
• False Rejection Rate (FRR)
– It is measured how often a person be recognized.
– Ratio of false rejection to total number of attempts
• False Acceptance Rate (FAR)
– It is measured how often a person should not be
recognized.
– Ratio of false acceptance to total number of
attempts
Unit 4– Message Authentication & Integrity 110
 Applications
• Attendance maintenance
• Transaction
• Access facilities
• Access information systems
• Investigation
• Forensic analysis
• Border control
• Immigration control
Unit 4– Message Authentication & Integrity 111
 Passwords
• Simple and oldest method of entity
authentication
• Two groups
– Fixed password
• It is a password that is used over and over again for
every access

– One-time password
• It is a password that is used only once.

Unit 4– Message Authentication & Integrity 112

 Fixed Password
• First Approach-system keeps a file that is sorted by
user identification. For accessing resource user
sends his id and password. If password match,
access will be granted. Otherwise denied.

– Eavesdropping- see password when it is typed

– Stealing a password-physically steal password
– Accessing a password file-hack system and get password
– Guessing-try combination of characters for getting
password
Unit 4– Message Authentication & Integrity 113
• Second Approach- store hash of the password
in password file. Any user can read the
content of file but impossible to guess value of
password.
– When user sends id and password, system creates
hash value of password and verify it.

– Dictionary Attack – attacker created all

combination of passwords with its hash value.

Unit 4– Message Authentication & Integrity 114

• Third Approach- salting a password
– When password string is created a random string called salt is
concatenated to password
– Salted password is then hashed
– ID the salt and hash are then stored in file
– When user asks access, system extracts salt, concatenates it
with received password, make a hash and compare hash
values.
– If match access is granted, otherwise it is denied.
– This attack is very difficult
– Eg. UNIX OS
• Fourth Approach
– Two identification techniques are combined
– Eg. ATM card with a PIN
Unit 4– Message Authentication & Integrity 115
 One-time password
• Approaches
– First Approach
• User and system agree list of passwords. Each password in list
used only once.

– Second Approach
• User and system agree to sequentially update the password
• Original password valid only for first access
• Second password given during that access

– Third Approach
• User and system creates sequentially updated password using a
hash function
Unit 4– Message Authentication & Integrity 116
 Challenge-Response
• Entity whose identity needs to be proved is
called claimant
• In this approach, claimant proves that she
knows a secret without sending it.
• Claimant does not send secret to the verifier.
The verifier either has it or finds it
• In challenge-response, the claimant proves
that she knows a secret without sending it to
the verifier
Unit 4– Message Authentication & Integrity 117
• Challenge is a time varying value that is sent
by the verifier.
• Claimant applies a function to the challenge
and sends the result called a response.

• Approaches
– Using symmetric key cipher
– Using keyed hash function
– Using an asymmetric key cipher
– Using digital signature

Unit 4– Message Authentication & Integrity 118

 Authentication Applications
• will consider authentication functions
• developed to support application-level
authentication & digital signatures
• will consider Kerberos – a private-key
authentication service
• then X.509 - a public-key directory
authentication service

Unit 4– Message Authentication & Integrity 119

 Kerberos
• Trusted key server system for authentication
from Athena at MIT
• provides centralised private-key third-party
authentication in a distributed network
– allows users access to services distributed through
network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 & 5
Unit 4– Message Authentication & Integrity 120
 Kerberos Requirements
• its first report identified requirements as:
– secure
– reliable
– transparent
– scalable
• implemented using an authentication protocol
based on Needham-Schroeder

Unit 4– Message Authentication & Integrity 121

 Kerberos v4 Overview
• Version 4 use DES
• a basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication
credential (ticket granting ticket TGT)
• have a Ticket Granting server (TGS)
– users subsequently request access to other
services from TGS on basis of users TGT
Unit 4– Message Authentication & Integrity 122
Unit 4– Message Authentication & Integrity 123
Unit 4– Message Authentication & Integrity 124
 Kerberos v4 Dialogue
1. obtain ticket granting ticket from AS
• once per session
2. obtain service granting ticket from TGT
• for each distinct service required
3. client/server exchange to obtain service
• on every service request

Unit 4– Message Authentication & Integrity 125

Kerberos 4 Overview

Unit 4– Message Authentication & Integrity 126

Kerberos Version 4 Message Exchange

Unit 4– Message Authentication & Integrity 127

Kerberos Exchanges

Unit 4– Message Authentication & Integrity 128

 Kerberos Realms
• A set of managed nodes that share same kerberos
database
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers must
share keys and trust
Unit 4– Message Authentication & Integrity 129
Kerberos Realms

Unit 4– Message Authentication & Integrity 130

 Kerberos Version 5
• developed in mid 1990’s
• specified as Internet standard RFC 1510
• provides improvements over v4
– addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket
lifetime, authentication forwarding, interrealm auth
– and technical deficiencies
• double encryption, non-std mode of use, session keys,
password attacks

Unit 4– Message Authentication & Integrity 131

Kerberos Version 5 Message Exchange

Unit 4– Message Authentication & Integrity 132

 Version 5 Authentication Dialogue
• Authentication Service Exchange
– Realm
– Options
– Times
– Nonce
• Ticket-granting Service Exchange
• Client/Server Authentication Exchange
– Subkey
– Sequence Number
• Ticket Flags
– INITIAL, PRE-AUTHENT, HW-AUTHENT, RENEWABLE, MAY-
POSTDATE, INVALID PROXIABLE, PROXY FORWARABLE,
FORWARDED, POSTDATED
Unit 4– Message Authentication & Integrity 133
 X.509 Authentication Service
• It is used in S/MIME, IP Security and SSL/TLS and SET
• part of CCITT X.500 directory service standards
– distributed servers maintaining user info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user signed by certification authority
• X.509 defines a framework for the provision of
authentication services by X.500 to its users
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
• X.509 certificates are widely used
Unit 4– Message Authentication & Integrity 134
Public Key Certificate Use

Unit 4– Message Authentication & Integrity 135

 X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA

Unit 4– Message Authentication & Integrity 136

X.509 Certificates

Unit 4– Message Authentication & Integrity 137

Unit 4– Message Authentication & Integrity 138
 Obtaining a Certificate
• any user with access to CA can get any certificate
from it
• only the CA can modify a certificate
• because cannot be forged, certificates can be placed
in a public directory

Unit 4– Message Authentication & Integrity 139

 CA Hierarchy
• if both users share a common CA then they are
assumed to know its public key
• otherwise CA's must form a hierarchy
• use certificates linking members of hierarchy to
validate other CA's
– Forward Certificate  Certificates of X generated by other
CAs
– Reverse Certificate Certificates generated by X that are
certificates of other CAs
• each client trusts parents certificates
• enable verification of any certificate from one CA by
users of all other CAs in hierarchy

Unit 4– Message Authentication & Integrity 140

CA Hierarchy Use

Unit 4– Message Authentication & Integrity 141

Path from A to B and B to A

Unit 4– Message Authentication & Integrity 142

 Certificate Revocation
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CA’s maintain list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certificates with CA’s CRL

Unit 4– Message Authentication & Integrity 143

 Authentication Procedures
• X.509 includes three alternative
authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
• all use public-key signatures

Unit 4– Message Authentication & Integrity 144

One-Way Authentication

Unit 4– Message Authentication & Integrity 145

 One-Way Authentication
• 1 message ( A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
• message must include timestamp, nonce, B's
identity and is signed by A
• may include additional info for B
– eg session key

Unit 4– Message Authentication & Integrity 146

Two-Way Authentication

Unit 4– Message Authentication & Integrity 147

 Two-Way Authentication
• 2 messages (A->B, B->A) which also
establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
• reply includes original nonce from A, also
timestamp and nonce from B
• may include additional info for A

Unit 4– Message Authentication & Integrity 148

Three-Way Authentication

Unit 4– Message Authentication & Integrity 149

 Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables
above authentication without synchronized
clocks
• has reply from A back to B containing signed
copy of nonce from B
• means that timestamps need not be checked
or relied upon

Unit 4– Message Authentication & Integrity 150

 X.509 Version 3
• has been recognised that additional
information is needed in a certificate
– email/URL, policy details, usage constraints
• rather than explicitly naming new fields
defined a general extension method
• extensions consist of:
– extension identifier
– criticality indicator
– extension value

Unit 4– Message Authentication & Integrity 151

 Certificate Extensions
• key and policy information
– Authority key identifier, subject key identifier, key
usage, private key usage period, certificate policies,
policy mappings

• certificate subject and issuer attributes

– Subject alternative name, issuer alternative name,
subject directory attributes

• certificate path constraints

– Basic constraints, name constraints and policy
constraints
Unit 4– Message Authentication & Integrity 152