Module IV

Authentication Protocols & Digital Signature

Schemes
User Authentication
• User authentication is a process of verifying user identity whenever they attempt
to access a system, network, account, or device.
• It’s a security procedure that ensures unauthorized entities wouldn’t reach
sensitive data or connect to private networks.
• Businesses can also apply user verification methods to grant different
authorization levels when employees access certain information or assets.
• During the authentication process, the user is asked to provide their credentials,
usually a username and password, created upon registration.
• In some cases, credentials can include other forms than a user-created password,
such as an additional one-time password (OTP) sent to a phone or email account,
a piece of biometric data, If the user fails to provide correct login credentials for
the account or network, the authentication system blocks their access.
 Types
1. Single-Factor authentication: – This was the first method .
the user has to enter the username and the password to confirm whether that user is
logging in or not. Now if the username or password is wrong, then the user will not be
allowed to log in or access the system.
Disadvantage
• It is not at all password secure. It will depend on the strength of the password entered by
the user.
• The protection level in Single-Factor Authentication is much low.
2. Two-factor Authentication: – the user has to give a username, password, and other
information. There are various types of authentication systems that are used by the user for
securing the system. Some of them are: – wireless tokens and virtual tokens. OTP and more.
Disadvantages of Two-Factor Authentication
• It is time-consuming.
3. Multi-Factor authentication system: – In this type of authentication, more than one
factor of authentication is needed. This gives better security to the user. Any type of
keylogger or phishing attack will not be possible in a Multi-Factor Authentication system.
This assures the user, that the information will not get stolen from them.

Disadvantage:

• It is time-consuming.

• it can rely on third parties.

Entity authentication
Entity authentication is a technique designed to let one party prove the identity of
another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called the claimant; the party that
tries to prove the identity of the claimant is called the verifier.
The simplest and oldest method of entity authentication is the password-based
authentication, where the password is something that the claimant knows.
• Fixed Password
• One-Time Password
Fixed password
Hashing Password
 Salting the Password

Password salting is a technique to protect passwords stored in databases by adding a string of

32 or more characters and then hashing them.

Salting prevents hackers who breach an enterprise environment from reverse-engineering

passwords and stealing them from the database.
Challenge Response Authentication Mechanism (CRAM)

• It is the most often

used way to
authenticate actions.
• They are a group of
protocols in which one
side presents a
challenge(to be
answered) and the
other side must
present a correct
answer(to be
checked/validated) to
the challenge in order
to get authenticated.
Two types of questions
(Challenge)–
•Static : involve a static approach to the challenge selection. The user can select his challenge and
authenticate himself.
•For example, take the use case of FORGET PASSWORD in email services. A static challenge is the
‘security question’ that you have saved as part of your account setup. The correct answer to
those questions are not expected to change over time.

•Dynamic questions involve a dynamic approach to the Challenge selection and authentication.
The challenges are selected randomly presuming that the user will know the valid answer to the
challenge considering the user is the real one.
• CAPTCHA:
The Completely Automated Public Turing Test to Tell Computers and Humans Apart. CAPTCHA is
used to prevent spam and auto-registration of new accounts for email or websites.

• SSH (Secure Shell):

SSH is a cryptographic network protocol for operating network services securely over an unsecured
network.

• Password:
The password is sent to the server for validation by matching with the correct password.

• Salted Challenge Response Authentication Mechanism (SCRAM, a variant of CRAM):

The challenge is salted with a hash to make sure the password is used for only one time.
The hash is sent to the server for matching with the hash of the correct password for match and not
the match of the plain text password itself. So, the password is not revealed preventing the Man-in-
the-Middle attack and replay attacks because the password can be used only once.
• Biometrics:
The biometric details(retina scan, fingerprint scan) that are unique are recorded and every
time a user wants to authenticate himself, he has to present his biometric credentials to the
authenticating system for validation.
Common attacks on CRAMs –

•Eavesdropping
•Phishing Attacks
•Pharming Attacks
•Man-In-The-Middle Attacks
•DNS Cache Poisoning Attacks : fake information in DNS cache
•Trojans Attacks :
•Man-In-The-Phone Attacks :targets mobile devices
•Browser Poisoning Attacks :
•Brute-Force Attacks
•zero-knowledge password proof
•Reusable password attacks
Limitations –

A fundamental problem with passwords is that passwords are used repeatedly. When a
password is received by the server, the server cannot determine if the real user is entering the
password or not.

Newer CRAMs also employ cryptography so that the hash of the passwords is matched and not
the plain passwords.
 Digital signature
A digital signature is an electronic, encrypted, stamp of authentication on digital information
such as email messages, macros, or electronic documents.
A signature confirms that the information originated from the signer and has not been
altered.
Signing certificate : To create a digital signature, we need a signing certificate, which proves
identity. When we send a digitally-signed macro or document, we also send certificate and
public key. Certificates are issued by a certification authority, and like a driver’s license, can be
revoked. A certificate is usually valid for a year, after which, the signer must renew, or get a
new, signing certificate to establish identity.
Certificate authority (CA) A certificate authority is an entity similar to a notary public. It
issues digital certificates, signs certificates to verify their validity and tracks which certificates
have been revoked or have expired.
Digital signature assurances
• Authenticity The signer is confirmed as the signer.
• Integrity The content has not been changed or tampered with since it was digitally
signed.
• Non-repudiation Proves to all parties the origin of the signed content. Repudiation
refers to the act of a signer denying any association with the signed content.
• Notarization Signatures in Microsoft Word, Microsoft Excel, or Microsoft PowerPoint
files, which are time stamped by a secure time-stamp server, under certain
circumstances, have the validity of a notarization.
Steps in Digital Signature
• Message digest is computed by applying hash function on the message and then message
digest is encrypted using private key of sender to form the digital signature. (digital
signature = encryption (private key of sender, message digest) and message digest =
message digest algorithm(message)).
• Digital signature is then transmitted with the message.(message + digital signature is
transmitted)
• Receiver decrypts the digital signature using the public key of sender.(This assures
authenticity, as only sender has his private key so only sender can encrypt using his private
key which can thus be decrypted by sender’s public key).
• The receiver now has the message digest.
• The receiver can compute the message digest from the message (actual message is sent
with the digital signature).
• The message digest computed by receiver and the message digest (got by decryption on
digital signature) need to be same for ensuring integrity.
Attacks on Digital Signature
1.Chosen-message Attack
2. Known-message Attack
3. Key-only Attack
Chosen-message Attack
• Generic chosen-method – In this method C tricks A to digitally sign the messages that A
does not intend to do and without the knowledge about A’s public key.
• Direct chosen-method – In this method C has the knowledge about A’s public key and
obtains A’s signature on the messages and replaces the original message with the
message C wants A to sign with having A’s signature on them unchanged.
known message attack

In the known message attack, C has a few previous messages and signatures of A. Now C
tries to forge the signature of A on to the documents that A does not intend to sign by
using the brute force method by analyzing the previous data to recreate the signature of A.
This attack is similar to known-plain text attack in encryption.
key-only attack

In key-only attack, the public key of A is available to every one and C makes use of this fact
and try to recreate the signature of A and digitally sign the documents or messages that A
does not intend to do.
This would cause a great threat to authentication of the message which is non-repudiated
as A cannot deny signing it.
RSA Digital Signature Scheme

It is the most popular asymmetric

cryptographic algorithm.
It is primarily used for encrypting messages
but can also be used for performing digital
signature over a message.
Assume that there is a sender (A) and a
receiver (B). A wants to send a message (M)
to B along with the digital signature (DS)
calculated over the message.
Step-1 :
Sender A uses SHA-1 Message Digest
Algorithm to calculate the message digest
(MD1) over the original message M.
Step-2 :

A now encrypts the message digest with its private key. The output of this process is called
Digital Signature (DS) of A.

Step-3 :
Now sender A sends the digital signature (DS) along with the original message (M) to B.
Step-4 :
When B receives the Original Message(M) and the Digital Signature(DS) from A, it first uses the same
message-digest algorithm as was used by A and calculates its own Message Digest (MD2) for M.
Step-5 :
Now B uses A’s public key to decrypt the digital signature because it was encrypted by A’s private
key. The result of this process is the original Message Digest (MD1) which was calculated by A.
Step 6

• If MD1==MD2, the following facts are established as follows.

• B accepts the original message M as the correct, unaltered message from A.
• It also ensures that the message came from A and not someone posing as A.