Unit 4 – Message Authentication & Integrity
Dr.S.Kalaivani
Assistant Professor/ Dept. of CSE
IRTT

*. Notes, pictures, algorithms and other details are used for educational
purpose only. It is collected from various web sites and text books for teaching
purpose only
Topics Covered
1. Authentication requirement

2. Authentication function
– MAC
– Hash function

3. Security of hash function and MAC


– Hash Algorithms
• MD5
• SHA

– MAC Algorithms
• HMAC
• CMAC
4. Digital signature and authentication protocols
– DSS

5. Entity Authentication
– Biometrics
– Passwords
– Challenge Response Protocols

6. Authentication applications
– Kerberos
– X.509 Authentication services
Message Authentication
• Use of secret key to generate a small fixed sized block of data known as
cryptographic check sum or MAC that is appended to message.

• Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered

• Message authentication is concerned with:


– protecting the integrity of a message
– validating identity of originator
– non-repudiation of origin (dispute resolution)

• will consider the security requirements

• Three alternative functions used:


– message encryption
– message authentication code (MAC)
– hash function
Authentication Requirements
• Disclosure-release of msg content to any person
• Traffic analysis-discovery of pattern of traffic
• Masquerade-insertion of msg to n/w from fraud
source
• Content modification
• Sequence modification
• Timing modification
• Source repudiation-denial of msg transmission by
source
• Destination repudiation-denial of msg receive by
destination
Message Encryption
• Message encryption by itself also provides a
measure of authentication
• if symmetric encryption is used then:
– receiver knows sender must have created it
– since only sender and receiver know the key used
– receiver knows content cannot have been altered
– if message has suitable structure, redundancy or a
checksum to detect any changes



Message Encryption
• if public-key encryption is used:
– encryption provides no confidence of sender
– since anyone potentially knows public-key
– however if
• sender signs message using their private-key
• then encrypts with recipients public key
• have both secrecy and authentication
– again need to recognize corrupted messages
– but at cost of two public-key uses on message



Basic uses of message encryption



Hash and MAC Algorithms
• Hash Functions
– condense arbitrary size message to fixed size
– by processing message in blocks
– through some compression function
– either custom or block cipher based

• Message Authentication Code (MAC)


– fixed sized authenticator for some message
– to provide authentication for message
– by using block cipher mode or hash function



Message Authentication Code (MAC)
• Generated by an algorithm that creates a
small fixed-sized block
– depending on both message and some key
– like encryption though need not be reversible
• Appended to message as a signature
• Receiver performs same computation on
message and checks it matches the MAC
• Provides assurance that message is unaltered
and comes from sender



Message Authentication Codes
• MAC provides authentication
• It can also use encryption for secrecy
– generally use separate keys for each
– can compute MAC either before or after encryption
– is generally regarded as better done before
– The algorithm need not be reversible
• why use a MAC?
– sometimes only authentication is needed
– sometimes need authentication to persist longer than the
encryption (eg. archival use)
• MAC is not a digital signature



Message Authentication Code



MAC Properties
• a MAC is a cryptographic checksum
MAC = C_K(M)
– condenses a variable-length message M
– using a secret key K
– to a fixed-sized authenticator
• is a many-to-one function
– potentially many messages have same MAC
– but finding these needs to be very difficult



Basic Uses of MAC



Requirements for MACs
• Taking into account the types of attacks
• need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to
find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message



Using Symmetric Ciphers for MACs
• It can use any block cipher chaining mode and
use final block as a MAC
• Data Authentication Algorithm (DAA) is a
widely used MAC based on DES-CBC
– using IV=0 and zero-pad of final block
– encrypt message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security



Hash Functions
• Unlike a MAC, a hash does not use a key.
• It is also referred to as a message digest or hash value
• Hash function accepts a variable-length block of data M
as input & produces a fixed-size hash value h = H(M)
• usually assume that the hash function is public and not
keyed
– unlike a MAC, which is keyed
• hash used to detect changes to message
• can use in various ways with message
• most often to create a digital signature
Basic uses of Hash Function



Basic uses of Hash Function



Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
• one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
• weak collision resistance
6. is infeasible to find any x,y s.t. H(y)=H(x)
• strong collision resistance



Simple Hash Functions
• There are several proposals for simple
functions
• based on XOR of message blocks
• not secure since can manipulate any message
and either not change hash or change hash
also
• need a stronger cryptographic function



Block Ciphers as Hash Functions
• can use block ciphers as hash functions
– using H_0 = 0 and zero-pad of final block
– compute: H_i = E_{M_i}[H_{i-1}]
– and use final block as the hash value
– similar to CBC but without a key
• resulting hash is too small (64-bit)
– both due to direct birthday attack
– and to “meet-in-the-middle” attack
• other variants also susceptible to attack


Attacks on Hash Function and MAC
• Brute force attack
– Computation resistance
• Cryptanalysis

• MAC does not provide digital signature because both sender and receiver share the same key
Brute Force Attacks
– Hash Function
• One-way: given h, infeasible to find x with H(x) = h
• Weak collision resistance: given x, infeasible to find y ≠ x with H(y) = H(x)
• Strong collision resistance: infeasible to find a pair (x, y)
such that H(x) = H(y)

– MAC
• Computation resistance: given one or more text-MAC
pairs (x_i, C_K(x_i)), it is infeasible to compute any text-MAC
pair (x, C_K(x)) for a new input x ≠ x_i



Cryptanalysis
• Hash Functions
– CV_0 = IV = initial n-bit value
– CV_i = f(CV_{i-1}, Y_{i-1}), 1 ≤ i ≤ L
– H(M) = CV_L
– Message M consists of blocks Y_0, Y_1, …, Y_{L-1}
• MAC
– Cryptanalysis of a MAC is difficult



Secure Hash Algorithm Structure



Secure Hash Algorithms
– MD5
• Message Digest Algorithm
• Input of Variable Length and produces as output a 128 bit
message digest.
• Input is processed in 512 bit blocks
• Four registers, with 4 rounds of 16 steps

– SHA-1
• Secure Hash Algorithm
• Input of Variable Length and produces as output a 160 bit
message digest.
• Input is processed in 512 bit blocks
• Five registers, with 4 rounds of 20 steps
MD5 Overview



Steps in MD5 Algorithm
1. Append Padding bits

2. Append Length

3. Initialize MD buffer

4. Process message in 512 bit blocks

5. Output
MD5 Overview – Append Padding bits
• Pad message so its length is congruent to 448 mod
512 (length ≡ 448 mod 512).
• Length of padded message is 64 bit less than an
integer multiple of 512 bits.
• Padding is always added even if message is already
of desired length.
• if message is 448 bits long, it is padded by 512 bits
to length of 960 bits.
• Padding means single 1 bit followed by necessary
number of 0 bits.



Append length
• A 64-bit representation of the length of the message is appended to the result of step 1.
• If the length of the message is greater than 2^64, only the low-order 64 bits will be used.
• Field contains length of original message mod 2^64
• The resulting message (after padding with bits and with b) has a length that is an exact multiple of 512 bits.
• The expanded message is L × 512 bits.
• Let M[0…N-1] denote the words of the resulting message, where N = L × 16, i.e. a multiple of 16 32-bit words.
Initialize MD buffer
A 128-bit buffer is used to hold intermediate and final results of the hash function.

Four 32-bit registers (A, B, C, D) are used to compute the message digest.

A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476

Each of A, B, C, D is a 32-bit register. These registers are initialized to the following values (in hexadecimal, low-order bytes first):

WORD A: 01 23 45 67
WORD B: 89 AB CD EF
WORD C: FE DC BA 98
WORD D: 76 54 32 10
Process Message
• Heart of algorithm is compression function
• It consists of 4 rounds
• Four rounds have similar structure but uses
different primitive logic function referred as
F,G,H and I
• Each round take input of 512 bit block and 128
bit buffer value ABCD
• Output of fourth round is added to input of first
round to produce CV_{q+1}
• Addition is done independently for each of the 4 words
Output
• After all L 512-bit blocks have been processed, the output from the Lth stage is the
128-bit message digest

CV_0 = IV
CV_{q+1} = SUM32[CV_q, RF_I(Y_q, RF_H(Y_q, RF_G(Y_q, RF_F(Y_q, CV_q))))]
MD = CV_{L-1}

Where IV = initial value of ABCD buffer
Y_q = qth 512-bit block of message
L = number of blocks in message
CV_q = chaining variable
RF_x = round function using primitive function x
MD = final message digest value
SUM32 = addition mod 2^32
MD5 Algorithm Structure



MD5 operation in single step



MD5 Compression Function
• each round has 16 steps of the form:
b = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
a = d, c = b, d = c (assigned together, using the old values of b, c and d)
• a,b,c,d refer to the 4 words of the buffer, but used in
varying permutations
• where g(b,c,d) is a different nonlinear function in each
round (F,G,H,I)
• <<< s is a left circular shift (rotation) by s bits
• X[k] is the kth 32-bit word in the qth 512-bit block of the message
• T[i] is a constant value derived from matrix
• + is addition modulo 2^32
Primitive function
Round   Primitive function g   g(b,c,d)
1       F(b,c,d)               (b ˄ c) ˅ (b' ˄ d)
2       G(b,c,d)               (b ˄ d) ˅ (c ˄ d')
3       H(b,c,d)               b XOR c XOR d
4       I(b,c,d)               c XOR (b ˅ d')


permutation
• ρ2(i) = (1+5i) mod 16

• ρ3(i) = (5+3i) mod 16

• ρ4(i) = 7i mod 16

• Each of the 64 32-bit word elements of T in each round
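The five steps above (padding, length, buffer initialization, the four rounds with F, G, H, I and the word permutations ρ2, ρ3, ρ4, and the final SUM32) put together as an added Python example, not code from the original slides. The per-step shift amounts and the rule T[i] = floor(2^32 × |sin(i)|) are taken from RFC 1321, since the slides do not list them.

```python
import math
import struct

MASK = 0xFFFFFFFF  # all additions are modulo 2^32

# T[i] = floor(2^32 * |sin(i)|) for i = 1..64 (RFC 1321; not listed on the slides)
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

# Rotation amounts s for each round, cycled over its 16 steps (RFC 1321)
SHIFTS = [(7, 12, 17, 22), (5, 9, 14, 20), (4, 11, 16, 23), (6, 10, 15, 21)]

# Primitive functions F, G, H, I from the table above
G_FUNCS = [
    lambda b, c, d: (b & c) | (~b & d),
    lambda b, c, d: (b & d) | (c & ~d),
    lambda b, c, d: b ^ c ^ d,
    lambda b, c, d: c ^ (b | ~d),
]

# Which message word X[k] step i of each round uses: identity, rho2, rho3, rho4
WORD_INDEX = [
    lambda i: i,
    lambda i: (1 + 5 * i) % 16,
    lambda i: (5 + 3 * i) % 16,
    lambda i: (7 * i) % 16,
]


def rotl(x, s):
    """Left circular shift of a 32-bit word by s bits."""
    x &= MASK
    return ((x << s) | (x >> (32 - s))) & MASK


def md5_pad(message):
    """Steps 1 and 2: a 1 bit, 0 bits up to 448 mod 512, then the 64-bit length."""
    bit_len = (8 * len(message)) % 2**64
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5_compress(cv, block):
    """Step 4: four rounds of 16 steps on one 512-bit block, then SUM32 with CV_q."""
    X = struct.unpack("<16I", block)
    a, b, c, d = cv
    for step in range(64):
        rnd, i = divmod(step, 16)
        g = G_FUNCS[rnd](b, c, d) & MASK
        k = WORD_INDEX[rnd](i)
        s = SHIFTS[rnd][i % 4]
        new_b = (b + rotl(a + g + X[k] + T[step], s)) & MASK
        a, b, c, d = d, new_b, b, c  # the register rotation a=d, c=b, d=c
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d)))


def md5(message):
    """Return the 128-bit digest of a bytes message as a hex string."""
    cv = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # step 3: A, B, C, D
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        cv = md5_compress(cv, padded[off:off + 64])
    return struct.pack("<4I", *cv).hex()  # step 5: low-order bytes first


if __name__ == "__main__":
    print(md5(b"abc"))
```
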
Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
– Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
– Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
– Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon



Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• was revised in 1995 as SHA-1
• SHA is based on the MD4 algorithm
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications
Revised Secure Hash Standard
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA
– SHA-256, SHA-384, SHA-512
• designed for compatibility with increased
security provided by the AES cipher
• structure & detail is similar to SHA-1
• hence analysis should be similar
• but security levels are rather higher



Secure Hash Algorithm (SHA-1)
• SHA was designed by NIST & NSA in 1993, revised
1995 as SHA-1
• US standard for use with DSA signature scheme
– standard is FIPS 180-1 1995, also Internet RFC3174
– note: the algorithm is SHA, the standard is SHS
• Algorithm takes as input a message with max length of
less than 2^64 bits
• produces 160-bit hash values
• Input is processed in 512 bit blocks
• now the generally preferred hash algorithm
• based on design of MD4 with key differences
Steps in SHA-1 Algorithm
1. Append Padding bits

2. Append Length

3. Initialize MD buffer

4. Process message in 512 bit blocks

5. Output
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
A=67452301,
B=EFCDAB89
C=98BADCFE
D=10325476
E=C3D2E1F0
4. process message in 16-word (512-bit) chunks:
– expand 16 words into 80 words by mixing & shifting
– use 4 rounds of processing of 20 steps each
– 4 primitive logic functions f1,f2,f3 and f4
5. output hash value is the final buffer value
SHA-1 Processing of single 512 bit block



Output of SHA-1
• After all L 512-bit blocks have been processed, the output from the
Lth stage is the 160-bit message digest
CV_0 = IV
CV_{q+1} = SUM32(CV_q, ABCDE)
MD = CV

Where IV = initial value of ABCDE buffer
ABCDE = output of last round of processing of the qth message block
L = number of blocks in message
SUM32 = addition mod 2^32
MD = final message digest value
SHA-1 Compression Function
• 4 rounds of 20 steps each; each step
replaces the 5 buffer words thus:
(A,B,C,D,E) <- ((E + f(t,B,C,D) + (A <<< 5) + W_t + K_t), A,
(B <<< 30), C, D)
• A,B,C,D,E refer to the 5 words of the buffer
• t is the step number
• f(t,B,C,D) is the nonlinear function for the round
• W_t is a 32-bit word derived from the input block
• K_t is a constant value



SHA-1 Compression Function



Comparison of SHA parameters



SHA-512 Overview



SHA-512 Compression Function
• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
– updating a 512-bit buffer
– using a 64-bit value W_t derived from the current
message block
– and a round constant based on cube root of first
80 prime numbers

SHA-512 Round Function

Comparison of MD5 and SHA-1
                      MD5                    SHA-1
Message block size    512                    512
Message digest size   128                    160
Message size          L × 512 bit block      M < 2^64
Buffers               4                      5
Rounds in each step   4 of 16 steps          4 of 20 steps
Word size             32 bits                32 bits
Additive constant     64                     4
Keyed Hash Functions as MACs
• want a MAC based on a hash function
– because hash functions are generally faster
– code for crypto hash functions widely available
• hash includes a key along with message
• original proposal:
KeyedHash = Hash(Key|Message)
– some weaknesses were found with this
• eventually led to development of HMAC



MAC Algorithms
• HMAC
– Used in IP Security

• CMAC
– Used in Govt and Industry



HMAC Design Objectives
• Hash functions perform well in software and
code is free
• Easy replaceability of embedded hash function
• Faster and more secure
• Handle keys in a simple way
• HMAC treats the hash function as a 'black box'. The bulk of the
HMAC code is prepackaged and ready to use
without modification.
HMAC Overview



HMAC
• specified as Internet standard RFC2104
• Used in IP Security
• uses hash function on the message:
HMAC_K(M) = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the
message needs alone
• any of MD5, SHA-1, RIPEMD-160 can be used
HMAC Algorithm

HMAC Algorithm



Precomputed quantities
• f(IV, (K+ XOR ipad))
• f(IV, (K+ XOR opad))
• where f(cv, block) is the compression function of the
hash function, which takes as arguments a
chaining variable of n bits and a block of b bits and
produces a chaining variable of n bits.
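The HMAC formula and the precomputed quantities above, as an added Python example that is not code from the original slides. It assumes SHA-256 as the embedded hash (block size b = 64 bytes) with the RFC 2104 constants ipad = 0x36 and opad = 0x5C repeated; the class name PrecomputedHmac is hypothetical.

```python
import hashlib
import hmac

BLOCK = 64                          # block size b of SHA-256, in bytes
IPAD = bytes([0x36]) * BLOCK        # RFC 2104 inner padding constant
OPAD = bytes([0x5C]) * BLOCK        # RFC 2104 outer padding constant


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad_key(key):
    """K+: a key longer than one block is hashed first, then zero-padded to b bytes."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK, b"\x00")


def hmac_sha256(key, message):
    """Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] written out directly."""
    k_plus = pad_key(key)
    inner = hashlib.sha256(xor(k_plus, IPAD) + message).digest()
    return hashlib.sha256(xor(k_plus, OPAD) + inner).digest()


class PrecomputedHmac:
    """Efficient form: f(IV, K+ XOR ipad) and f(IV, K+ XOR opad) are computed
    once per key; each message then reuses copies of those hash states."""

    def __init__(self, key):
        k_plus = pad_key(key)
        self._inner = hashlib.sha256(xor(k_plus, IPAD))
        self._outer = hashlib.sha256(xor(k_plus, OPAD))

    def tag(self, message):
        inner = self._inner.copy()
        inner.update(message)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()


def verify(key, message, tag):
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


if __name__ == "__main__":
    key = b"constructed demo key"
    print(hmac_sha256(key, b"transfer 100 to account 42").hex())
```
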
Efficient implementation of HMAC



HMAC Security
• proved security of HMAC relates to that of the
underlying hash algorithm
• attacking HMAC requires either:
– brute force attack on key used
– birthday attack (but since keyed would need to
observe a very large number of messages)
• choose hash function used based on speed
versus security constraints



CMAC
• Cipher Based MAC use with AES and triple DES
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message
Authentication Code (CMAC)
• adopted by NIST SP800-38B



• Message length is an integer multiple n of the cipher block length b
• For AES b=128 for triple DES b=64
• Message is divided into n blocks (M1,M2…Mn)
• For AES key k=128,192,256 for triple DES k=112 or 168 bits



CMAC Overview



Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve
disputes
• hence include authentication function with
additional capabilities



Digital Signature Requirements
• Signature must be a bit pattern that depends on the
message
• Signature should be unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce Signature
• must be relatively easy to recognize & verify
• be computationally infeasible to forge a signature
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical to save the digital signature in storage
DIGITAL SIGNATURE PROCESS

Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier
verifies with the signer’s public key.
Note
A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.


Signing the Digest



Categories of Digital Signature

• Direct Digital Signature

• Arbitrated Digital Signature



Direct Digital Signatures
• Involves only communication parties
• It is formed by encrypting entire message with sender’s
private key
• Encrypting hash code of message with sender’s private key
• Confidentiality can be provided by encrypting entire message
plus signature with a shared secret key or receiver’s public
key
• digital signature made by sender signing entire message or
hash with private-key can encrypt using receiver’s public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key
• Every signed message includes a timestamp (date & time)



Arbitrated Digital Signatures
• It involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• It requires suitable level of trust in arbiter
• It can be implemented with either private or
public-key algorithms
• The arbiter may or may not see the message
Digital Signature Standard (DSS)
• US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS uses an algorithm that is designed to provide
only digital signature.
• Unlike RSA,it cannot be used for encryption or key
exchange



Digital Signature Algorithm (DSA)

• creates a 320 bit signature
• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing
discrete logarithms
• variant of ElGamal & Schnorr schemes



Digital Signature Algorithm (DSA)



DSA Key Generation
• have shared global public key values (p,q,g):
– choose a large prime p with 2^(L-1) < p < 2^L
• where L = 512 to 1024 bits and is a multiple of 64
– choose q with 2^159 < q < 2^160
• such that q is a 160-bit prime divisor of (p-1)
– choose g = h^((p-1)/q) mod p
• where 1 < h < p-1 and h^((p-1)/q) mod p > 1
• g > 1
• users choose private & compute public key:
– choose private key x randomly from 1 to q-1
– compute public key y = g^x mod p
• To create a signature, the user calculates r and s as
functions of:
– Public key components (p,q,g)
– Private key (x)
– Hash code H(M)
– Additional integer k

Digital Signature Algorithm



DSS Signing and Verifying



AUTHENTICATION PROTOCOLS
• used to convince parties of each others
identity and to exchange session keys
• may be one-way or mutual
• key issues are
– confidentiality – to protect session keys
– timeliness – to prevent replay attacks
• published protocols are often found to have
flaws and need to be modified



General Areas
• Mutual Authentication
– Symmetric Encryption approach
– Public key Encryption approach

• One way Authentication


– Symmetric Encryption approach
– Public key Encryption approach



Mutual Authentication
• Enable communication parties mutually satisfy
themselves and to exchange session keys
• Problem in key exchange is confidentiality and
timeliness
• Replay Attacks
– where a valid signed message is copied and later resent
• simple replay
• repetition that can be logged
• repetition that cannot be detected
• backward replay without modification
– countermeasures include
• use of sequence numbers (generally impractical)
• timestamps (needs synchronized clocks)
• challenge/response (using unique nonce)
Using Symmetric Encryption
• as discussed previously can use a two-level
hierarchy of keys
• usually with a trusted Key Distribution Center
(KDC)
– each party shares own master key with KDC
– KDC generates session keys used for connections
between parties
– master keys used to distribute these to them



Needham/Schroeder protocol
1. A → KDC: IDA||IDB||N1
2. KDC → A: E(Ka, [Ks||IDB||N1||E(Kb, [Ks||IDA])])
3. A → B: E(Kb, [Ks||IDA])
4. B → A: E(Ks, N2)
5. A → B: E(Ks, f(N2))


• Ka – secret key shared between A and KDC
• Kb – secret key shared between B and KDC
• Purpose of this protocol is to distribute session key Ks to A and B


Modified Needham/Schroeder protocol
1. A → KDC: IDA||IDB
2. KDC → A: E(Ka, [Ks||IDB||T||E(Kb, [Ks||IDA||T])])
3. A → B: E(Kb, [Ks||IDA||T])
4. B → A: E(Ks, N1)
5. A → B: E(Ks, f(N1))


• T is a time stamp that assures A and B that
session key has just been generated

• |Clock − T| < Δt1 + Δt2
• Where Δt1 is the estimated normal discrepancy between the KDC's clock and the local clock
• Δt2 is the expected network delay time


Denning Protocol
1. A B: IDA||Na

2. B KDC: IDB||Nb||E(Kb, [IDA||Na||Tb])

3. KDC A: E(Ka, [IDB||Na||Ks||Tb])||E(Kb,[IDA||Ks||Tb])||Nb

4. A B: E(Kb, [IDA||Ks||Tb])||E(Ks, Nb)

Unit 4– Message Authentication & Integrity 98


Advanced Protocol Model
1. A B: E(Kb, [IDA||Ks||Tb])||N'a

2. B A: N'b||E(Ks, N'a)

3. A B: E(Ks, N'b)

Unit 4– Message Authentication & Integrity 99


Using Public Key Encryption approach
1. A AS: IDA||IDB

2. AS A: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])

3. A B: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])


||E(PUb, E(PRa, [Ks||T]))

Unit 4– Message Authentication & Integrity 100


1. A KDC: IDA||IDB

2. KDC A: E(PRauth, [IDB||PUb])

3. A B: E(PUb, [Na||IDA])

4. B KDC: IDA||IDB||E(PUauth, Na)

5. KDC B: E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDB]))

6. B A: E(PUa, E(PRauth, [(Na||Ks||IDB)||Nb]))

7. A B: E(Ks, Nb)

Unit 4– Message Authentication & Integrity 101


Revised Version
1. A KDC: IDA||IDB

2. KDC A: E(PRauth, [IDB||PUb])

3. A B: E(PUb, [Na||IDA])

4. B KDC: IDA||IDB||E(PUauth, Na)

5. KDC B: E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDA||IDB])

6. B A: E(PUa, E(PRauth, [(Na||Ks||IDA||IDB)||Nb]))

7. A B: E(Ks, Nb)

Unit 4– Message Authentication & Integrity 102


One Way Authentication
• Email is an application
• Symmetric approach
1. A KDC: IDA||IDB||N1

2. KDC A: E(Ka, [Ks||IDB||N1||E(Kb, [Ks||IDA])])

3. A B: E(Kb, [Ks||IDA])||E(Ks, M)

Unit 4– Message Authentication & Integrity 103


• Public key encryption approach
• Confidentiality
AB : EKUb[Ks] || EKs[M]
• Authentication
AB : M || EKRa[H(M)]
• Both message and signature can be encrypted
AB : EKUb[M || EKRa[H(M)]

AB : M || EKRa[H(M) || EKRa[T|| IDA || KUa]

Unit 4– Message Authentication & Integrity 104


Entity Authentication
• It is a technique designed to prove identity of
another party
• Entity can be a person, process, client, or a
server



Message Authentication VS Entity
Authentication
• Msg Authentication
– Data origin
– Might not happen in real time
– Simply authenticate one message
– It is required when an email is sent

• Entity Authentication
– It happens at real time
– It authenticates entire duration of a session
– It is required when gets cash from ATM
Biometrics
• It is a measurement of physiological or
behavioral features that identify a person
• It can't be guessed, stolen or shared
• Components
– Capturing devices-measure biometric features
– Processors-change to data for saving
– Storage devices-save result of processing for
authentication



• Enrollment
– Before biometric technique, feature of each
person in community should be available in DB

• Authentication
– It is done by verification or identification
– Verification
• A person's feature is matched against a single record in the
DB to find if she is who she is claiming to be.
– Identification
• A person's feature is matched against all records in the DB


Techniques
• Physiological
– Fingerprint
– Iris
– Retina
– Face
– Hands
– Voice
– DNA
• Behavioral
– Signature
– Keystroke
Accuracy
• It is measured in biometric with 2 parameters
• False Rejection Rate (FRR)
– Measures how often a person who should be recognized is not recognized.
– Ratio of false rejections to total number of attempts
• False Acceptance Rate (FAR)
– Measures how often a person who should not be recognized is recognized.
– Ratio of false acceptances to total number of
attempts
Applications
• Attendance maintenance
• Transaction
• Access facilities
• Access information systems
• Investigation
• Forensic analysis
• Border control
• Immigration control
Passwords
• Simple and oldest method of entity
authentication
• Two groups
– Fixed password
• It is a password that is used over and over again for
every access

– One-time password
• It is a password that is used only once.



Fixed Password
• First Approach-system keeps a file that is sorted by
user identification. For accessing resource user
sends his id and password. If password match,
access will be granted. Otherwise denied.

– Eavesdropping- see password when it is typed


– Stealing a password-physically steal password
– Accessing a password file-hack system and get password
– Guessing-try combination of characters for getting
password
• Second Approach - store the hash of the password
in the password file. Any user can read the
contents of the file but cannot work out the value of the
password from it.
– When the user sends ID and password, the system creates
the hash value of the password and verifies it.

– Dictionary Attack - the attacker creates a list of password
combinations with their hash values and searches the file for a match.



• Third Approach - salting a password
– When the password string is created, a random string called the salt is
concatenated to the password
– The salted password is then hashed
– The ID, the salt and the hash are then stored in the file
– When the user asks for access, the system extracts the salt, concatenates it
with the received password, makes a hash and compares the hash
values.
– If they match, access is granted; otherwise it is denied.
– Salting makes the dictionary attack very difficult
– E.g. UNIX OS
• Fourth Approach
– Two identification techniques are combined
– E.g. ATM card with a PIN
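The second and third approaches side by side, as an added example that is not part of the original slides: it stores the same constructed passwords with and without a salt and checks what one precomputed dictionary table can recover. The function names, word list and users are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small word list and two users who chose
# the same weak password.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein"}

def digest(password, salt=b""):
    """H(salt || password). SHA-256 keeps the demo short; a real password
    file would use a slow KDF such as hashlib.pbkdf2_hmac or hashlib.scrypt."""
    return hashlib.sha256(salt + password.encode()).digest()

def enrol(password):
    """Third approach: pick a random salt and store (salt, hash)."""
    salt = os.urandom(16)
    return salt, digest(password, salt)

def verify(password, record):
    """Extract the salt, recompute the hash, compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(digest(password, salt), stored)

def table_hits(stored):
    """Dictionary attack: one table computed in advance, reused for all users."""
    table = {digest(word): word for word in WORDLIST}
    return {user: table[h] for user, h in stored.items() if h in table}

def demo():
    unsalted = {u: digest(p) for u, p in USERS.items()}   # second approach
    salted = {u: enrol(p) for u, p in USERS.items()}      # third approach
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_hits": table_hits(unsalted),
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_hits": table_hits({u: r[1] for u, r in salted.items()}),
        "login_ok": verify("letmein", salted["alice"]),
        "login_bad": verify("qwerty", salted["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The salt is stored in the clear, so it stops table reuse and hides equal passwords but does not stop word-by-word guessing against one user; that remaining cost is what a slow KDF raises.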
One-time password
• Approaches
– First Approach
• User and system agree on a list of passwords. Each password in the list
is used only once.

– Second Approach
• User and system agree to sequentially update the password
• Original password valid only for first access
• Second password given during that access

– Third Approach
• User and system create a sequentially updated password using a
hash function
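One well-known construction of the third approach is Lamport's hash chain, shown here as an added example that is not part of the original slides. The class names, the seed and the chain length are assumptions chosen for the illustration.

```python
import hashlib
import hmac

def h(data):
    return hashlib.sha256(data).digest()

def chain(seed, n):
    """h applied n times to seed."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value

class System:
    """Verifier: stores only the last accepted value, never the seed."""
    def __init__(self, anchor, n):
        self.stored, self.remaining = anchor, n

    def login(self, otp):
        if self.remaining == 0:
            return False                      # chain exhausted: re-enrol
        if not hmac.compare_digest(h(otp), self.stored):
            return False                      # wrong or already-used password
        self.stored, self.remaining = otp, self.remaining - 1
        return True

class User:
    def __init__(self, seed, n):
        self.seed, self.left = seed, n

    def next_otp(self):
        if self.left == 0:
            raise RuntimeError("chain exhausted: agree on a new seed")
        self.left -= 1
        return chain(self.seed, self.left)    # one step earlier in the chain

def demo():
    seed, n = b"constructed-demo-seed", 3     # constructed sample values
    user, system = User(seed, n), System(chain(seed, n), n)
    first = user.next_otp()
    accepted = system.login(first)
    replayed = system.login(first)            # a captured password is resent
    second = system.login(user.next_otp())
    return accepted, replayed, second

if __name__ == "__main__":
    print(demo())
```

Each accepted password becomes the stored value for the next login, so a captured password is useless afterwards and the system's file never holds anything that produces a future password.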
Challenge-Response
• The entity whose identity needs to be proved is
called the claimant
• In this approach, the claimant proves that she
knows a secret without sending it.
• The claimant does not send the secret to the verifier.
The verifier either has it or finds it
• A challenge is a time-varying value that is sent
by the verifier.
• The claimant applies a function to the challenge
and sends the result, called a response.

• Approaches
– Using symmetric key cipher
– Using keyed hash function
– Using an asymmetric key cipher
– Using digital signature
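The keyed hash function approach, as an added example that is not part of the original slides: the verifier sends a random nonce as the challenge and the claimant answers with an HMAC over her identity and that nonce. The class and function names, the 30-second lifetime and the message layout are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

def respond(key, who, nonce):
    """Claimant: keyed hash over identity and challenge; the key is never sent."""
    return hmac.new(key, who.encode() + b"|" + nonce, hashlib.sha256).digest()

class Verifier:
    def __init__(self, keys, ttl=30.0):
        self.keys = keys        # claimant id -> shared secret
        self.pending = {}       # claimant id -> (nonce, expiry time)
        self.ttl = ttl

    def challenge(self, who):
        """Issue a fresh, unpredictable challenge for this claimant."""
        nonce = secrets.token_bytes(16)
        self.pending[who] = (nonce, time.monotonic() + self.ttl)
        return nonce

    def check(self, who, response):
        # pop() makes every challenge single use, so a replayed response fails
        nonce, expiry = self.pending.pop(who, (None, 0.0))
        if nonce is None or who not in self.keys:
            return False
        if time.monotonic() > expiry:
            return False
        return hmac.compare_digest(respond(self.keys[who], who, nonce), response)

def demo():
    key = secrets.token_bytes(32)             # constructed shared secret
    verifier = Verifier({"alice": key})
    first = respond(key, "alice", verifier.challenge("alice"))
    valid = verifier.check("alice", first)
    replayed = verifier.check("alice", first)  # no challenge outstanding
    verifier.challenge("alice")
    stale = verifier.check("alice", first)     # old answer, new challenge
    nonce = verifier.challenge("alice")
    wrong_key = verifier.check("alice", respond(b"\x00" * 32, "alice", nonce))
    return {"valid": valid, "replayed": replayed,
            "stale": stale, "wrong_key": wrong_key}

if __name__ == "__main__":
    print(demo())
```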



Authentication Applications
• will consider authentication functions
• developed to support application-level
authentication & digital signatures
• will consider Kerberos – a private-key
authentication service
• then X.509 - a public-key directory
authentication service



Kerberos
• Trusted key server system for authentication
from Athena at MIT
• provides centralised private-key third-party
authentication in a distributed network
– allows users access to services distributed through
network
– without needing to trust all workstations
– rather all trust a central authentication server
• two versions in use: 4 & 5
Kerberos Requirements
• its first report identified requirements as:
– secure
– reliable
– transparent
– scalable
• implemented using an authentication protocol
based on Needham-Schroeder



Kerberos v4 Overview
• Version 4 uses DES
• a basic third-party authentication scheme
• have an Authentication Server (AS)
– users initially negotiate with AS to identify self
– AS provides a non-corruptible authentication
credential (ticket granting ticket TGT)
• have a Ticket Granting server (TGS)
– users subsequently request access to other
services from TGS on basis of user's TGT
Kerberos v4 Dialogue
1. obtain ticket granting ticket from AS
• once per session
2. obtain service granting ticket from TGT
• for each distinct service required
3. client/server exchange to obtain service
• on every service request



Kerberos 4 Overview



Kerberos Version 4 Message Exchange



Kerberos Exchanges



Kerberos Realms
• A set of managed nodes that share the same Kerberos
database
• a Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers must
share keys and trust
Kerberos Realms



Kerberos Version 5
• developed in mid 1990’s
• specified as Internet standard RFC 1510
• provides improvements over v4
– addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket
lifetime, authentication forwarding, interrealm auth
– and technical deficiencies
• double encryption, non-std mode of use, session keys,
password attacks



Kerberos Version 5 Message Exchange



Version 5 Authentication Dialogue
• Authentication Service Exchange
– Realm
– Options
– Times
– Nonce
• Ticket-granting Service Exchange
• Client/Server Authentication Exchange
– Subkey
– Sequence Number
• Ticket Flags
– INITIAL, PRE-AUTHENT, HW-AUTHENT, RENEWABLE, MAY-POSTDATE,
INVALID, PROXIABLE, PROXY, FORWARDABLE,
FORWARDED, POSTDATED
X.509 Authentication Service
• It is used in S/MIME, IP Security, SSL/TLS and SET
• part of CCITT X.500 directory service standards
– distributed servers maintaining user info database
• defines framework for authentication services
– directory may store public-key certificates
– with public key of user signed by certification authority
• X.509 defines a framework for the provision of
authentication services by X.500 to its users
• uses public-key crypto & digital signatures
– algorithms not standardised, but RSA recommended
• X.509 certificates are widely used
Public Key Certificate Use



X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA



X.509 Certificates



Obtaining a Certificate
• any user with access to CA can get any certificate
from it
• only the CA can modify a certificate
• because they cannot be forged, certificates can be placed
in a public directory



CA Hierarchy
• if both users share a common CA then they are
assumed to know its public key
• otherwise CA's must form a hierarchy
• use certificates linking members of hierarchy to
validate other CA's
– Forward Certificate: certificates of X generated by other
CAs
– Reverse Certificate: certificates generated by X that are
certificates of other CAs
• each client trusts its parent's certificates
• enable verification of any certificate from one CA by
users of all other CAs in hierarchy
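How a chain of certificates links two users under different CAs, as an added example that is not part of the original slides: it walks a constructed CA hierarchy and lists, in the CA<<A>> notation used above, the certificates one user must verify to trust another user's public key. The hierarchy, the user names and the function names are assumptions of this sketch.

```python
# Constructed sample hierarchy (child CA -> parent CA) and users.
PARENT = {"V": "U", "W": "V", "X": "W", "Y": "V", "Z": "Y"}
USER_CA = {"A": "X", "B": "Z", "C": "X"}   # user -> CA that certified the user

def ancestors(ca):
    """The CA followed by its parents, up to the root of the hierarchy."""
    path = [ca]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path

def cert(issuer, subject):
    """CA<<A>>: the certificate for A signed by CA."""
    return f"{issuer}<<{subject}>>"

def certification_path(verifier, target):
    """Certificates, in verification order, that let `verifier` trust
    `target`'s public key, starting from the verifier's own CA."""
    up = ancestors(USER_CA[verifier])
    down = ancestors(USER_CA[target])
    common = next((ca for ca in up if ca in down), None)
    if common is None:
        raise ValueError("no common CA: no certification path exists")
    climb = up[: up.index(common) + 1]           # verifier's CA up to common CA
    descend = down[: down.index(common)][::-1]   # common CA down to target's CA
    cas = climb + descend
    links = [cert(issuer, subject) for issuer, subject in zip(cas, cas[1:])]
    return links + [cert(cas[-1], target)]

if __name__ == "__main__":
    print("A -> B:", " ".join(certification_path("A", "B")))
    print("B -> A:", " ".join(certification_path("B", "A")))
    print("A -> C:", " ".join(certification_path("A", "C")))
```

Each certificate in the list is checked with the public key obtained from the one before it; the first is checked with the public key of the verifier's own CA, which the verifier is assumed to know.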



CA Hierarchy Use



Path from A to B and B to A



Certificate Revocation
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CAs maintain a list of revoked certificates
– the Certificate Revocation List (CRL)
• users should check certificates with CA’s CRL



Authentication Procedures
• X.509 includes three alternative
authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
• all use public-key signatures



One-Way Authentication



One-Way Authentication
• 1 message ( A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
• message must include timestamp, nonce, B's
identity and is signed by A
• may include additional info for B
– eg session key



Two-Way Authentication



Two-Way Authentication
• 2 messages (A->B, B->A) which also
establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
• reply includes original nonce from A, also
timestamp and nonce from B
• may include additional info for A



Three-Way Authentication



Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables
above authentication without synchronized
clocks
• has reply from A back to B containing signed
copy of nonce from B
• means that timestamps need not be checked
or relied upon



X.509 Version 3
• has been recognised that additional
information is needed in a certificate
– email/URL, policy details, usage constraints
• rather than explicitly naming new fields
defined a general extension method
• extensions consist of:
– extension identifier
– criticality indicator
– extension value



Certificate Extensions
• key and policy information
– Authority key identifier, subject key identifier, key
usage, private key usage period, certificate policies,
policy mappings
• certificate subject and issuer attributes
– Subject alternative name, issuer alternative name,
subject directory attributes
• certificate path constraints
– Basic constraints, name constraints and policy
constraints