CS8792 CRYPTOGRAPHY AND NETWORK SECURITY
UNIT 4 NOTES
UNIT IV MESSAGE AUTHENTICATION AND INTEGRITY

Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – SHA – Digital signature and authentication protocols – DSS – Entity Authentication: Biometrics, Passwords, Challenge Response protocols – Authentication applications – Kerberos, X.509

4.1 AUTHENTICATION REQUIREMENT

In the context of communication across a network, the following attacks can be identified:

Disclosure – release of message contents to any person or process not possessing the appropriate cryptographic key.

Traffic analysis – discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.

Masquerade – insertion of messages into the network from a fraudulent source. This includes the creation of messages by the attacker that purport to come from an authorized entity.

Content modification – changes to the contents of a message, including insertion, deletion, transposition, and modification.

Sequence modification – any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

Timing modification – delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message could be delayed or replayed.

Source repudiation – denial of transmission of a message by its source.

Destination repudiation – denial of receipt of a message by its destination.

4.2 AUTHENTICATION FUNCTION

Any message authentication or digital signature mechanism can be viewed as having fundamentally two levels. At the lower level, there must be some sort of function that produces an authenticator, a value to be used to authenticate a message.
At the higher level, the low-level function is used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.

The types of function that may be used to produce an authenticator are grouped into three classes:

Message Encryption – the ciphertext of the entire message serves as its authenticator.

Message Authentication Code (MAC) – a public function of the message and a secret key that produces a fixed-length value that serves as the authenticator.

Hash Function – a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.

Message Encryption:

Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.

(a) If symmetric encryption is used:

A message M, transmitted from source A to destination B, is encrypted using a secret key shared by A and B. Since only the sender and receiver know the key used, the receiver knows that the sender must have created it; hence authentication is provided. Because no one else can read the ciphertext, confidentiality is also provided. The receiver can know that the content has not been altered only if the message has a suitable structure, redundancy or a checksum that allows any change to be detected. Therefore symmetric encryption provides authentication and confidentiality.

Symmetric key encryption: confidentiality, authentication and signature

(b) If public-key encryption is used:

The straightforward use of public-key cryptography provides confidentiality only. The sender A uses the public key of the receiver B to encrypt the message. There is no authentication, because any user can use B's public key to send a message and claim that A has sent it.
Public key encryption: confidentiality

To obtain authentication only, the message is encrypted with the sender A's private key. The receiver B uses A's public key to decrypt the message. A cannot deny having transmitted the message, since only A knows its private key. This is called authentication or a digital signature. The problems with this method are:

The receiver cannot determine whether the decrypted packet contains a useful message or random bits.

Anyone who knows the public key of sender A can decrypt the message, so there is no confidentiality.

Public key encryption: authentication and signature

To obtain authentication, confidentiality and a digital signature together, public-key encryption is applied twice (with the sender's private key and with the receiver's public key). The drawback of this method is that the complex public-key algorithm must be applied twice during encryption and twice during decryption.

Public key encryption: confidentiality, authentication and signature

Suppose the message can be any arbitrary bit pattern. In that case, there is no way to determine automatically, at the destination, whether an incoming message is the ciphertext of a legitimate message. One solution to this problem is to force the plaintext to have some structure that is easily recognized but that cannot be replicated without recourse to the encryption function.

One way is to append an error-detecting code, also known as a Frame Check Sequence (FCS) or checksum, to each message before encryption. A prepares a plaintext message M and then provides this as input to a function F that produces an FCS. The FCS is appended to M and the entire block is then encrypted.
At the destination, B decrypts the incoming block and treats the result as a message with an appended FCS. B applies the same function F to attempt to reproduce the FCS. If the calculated FCS is equal to the incoming FCS, then the message is considered authentic.

In internal error control, the function F is applied to the plaintext, whereas in external error control, F is applied to the ciphertext.

Internal error control

External error control

4.3 MAC

An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message.

This technique assumes that the two communicating parties, say A and B, share a common secret key K. When A has to send a message to B, it calculates the MAC as a function of the message and the key:

MAC = CK(M)

where
M – input message
C – MAC function
K – shared secret key

The message plus MAC are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the shared secret key, to generate a new MAC. The received MAC is compared to the calculated MAC. If they are equal, then the message is considered authentic.

A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as an encryption algorithm must be for decryption. In general, the MAC function is a many-to-one function.
Message authentication

Message authentication and confidentiality: authentication tied to plaintext

Message authentication and confidentiality: authentication tied to ciphertext

Requirements for MAC:

When an entire message is encrypted for confidentiality, using either symmetric or asymmetric encryption, the security of the scheme generally depends on the bit length of the key. Barring some weakness in the algorithm, the opponent must resort to a brute-force attack using all possible keys. On average, such an attack will require 2^(k-1) attempts for a k-bit key.

If confidentiality is not employed, the opponent has access to plaintext messages and their associated MACs. Suppose k > n; that is, suppose that the key size is greater than the MAC size. Then, given a known M1 and MAC1, with MAC1 = CK(M1), the cryptanalyst can compute MACi = CKi(M1) for all possible key values Ki. At least one key is guaranteed to produce a match MACi = MAC1.
Note that a total of 2^k MACs will be produced, but there are only 2^n < 2^k different MAC values. Thus, a number of keys will produce the correct MAC and the opponent has no way of knowing which is the correct key. On average, a total of 2^k / 2^n = 2^(k-n) keys will produce a match. Thus, the opponent must iterate the attack:

Round 1
Given: M1, MAC1 = CK(M1)
Compute MACi = CKi(M1) for all 2^k keys
Number of matches ≈ 2^(k-n)

Round 2
Given: M2, MAC2 = CK(M2)
Compute MACi = CKi(M2) for the 2^(k-n) keys resulting from Round 1
Number of matches ≈ 2^(k-2n)

and so on.

Consider the following MAC algorithm. Let M = (X1 || X2 || ... || Xm) be a message that is treated as a concatenation of 64-bit blocks Xi. Then define

Δ(M) = X1 ⊕ X2 ⊕ ... ⊕ Xm
CK(M) = EK(Δ(M))

where E is DES. Thus, the key length is 56 bits and the MAC length is 64 bits. If an opponent observes {M || CK(M)}, a brute-force attempt to determine K will require at least 2^56 encryptions. But the opponent can attack the system by replacing X1 through Xm-1 with any desired values Y1 through Ym-1 and replacing Xm with Ym, where Ym is calculated as follows:

Ym = Y1 ⊕ Y2 ⊕ ... ⊕ Ym-1 ⊕ Δ(M)

The opponent can now concatenate the new message, which consists of Y1 through Ym, with the original MAC to form a message that will be accepted as authentic by the receiver. With this tactic, any message of length 64 × (m-1) bits can be fraudulently inserted.

Hence the MAC function should satisfy the following requirements:

If an opponent observes M and CK(M), it should be computationally infeasible for the opponent to construct a message M' such that CK(M') = CK(M).

CK(M) should be uniformly distributed in the sense that for randomly chosen messages M and M', the probability that CK(M) = CK(M') is 2^-n, where n is the number of bits in the MAC.

Let M' be equal to some known transformation on M, i.e., M' = f(M).
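The following is added here as an illustration and is not part of the original notes. It shows why Δ(M) = X1 ⊕ ... ⊕ Xm fails the first requirement above (two messages that differ only in block order get the same MAC) and contrasts it with the CBC-chained structure of the Data Authentication Algorithm described in this unit, where every block position affects the code. A keyed PRF (HMAC-SHA256 truncated to 64 bits) stands in for DES; that substitution and the sample messages are assumptions of the demo.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, matching the DES-based constructions in these notes

def block_encrypt(key, block):
    """Stand-in for E_K on one 64-bit block: a keyed PRF (HMAC-SHA256) truncated to 8 bytes.
    Assumption for the demo only; DES itself is not in the Python standard library."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data):
    """Group data into 64-bit blocks; the final block is padded on the right with zeros."""
    data = data + b"\x00" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor_then_encrypt_mac(key, data):
    """The weak MAC of the notes: C_K(M) = E_K(Delta(M)), Delta(M) = X1 xor X2 xor ... xor Xm.
    Delta depends only on the XOR of the blocks, not on their order or on any chaining."""
    delta = bytes(BLOCK)
    for block in split_blocks(data):
        delta = xor(delta, block)
    return block_encrypt(key, delta)

def cbc_chained_mac(key, data):
    """The Data Authentication Algorithm structure: CBC with a zero IV,
    O_i = E_K(D_i xor O_{i-1}), and the last output O_N is the code."""
    output = bytes(BLOCK)
    for block in split_blocks(data):
        output = block_encrypt(key, xor(block, output))
    return output

def verify(mac_function, key, data, tag):
    """Receiver side: recompute the MAC over the received message and compare in constant time."""
    return hmac.compare_digest(mac_function(key, data), tag)

# Constructed sample: the same two 64-bit blocks in a different order.
KEY = b"constructed-demo-key"
M1 = b"PAY  100" + b"TO ALICE"   # two 8-byte blocks
M2 = b"TO ALICE" + b"PAY  100"   # blocks swapped, so Delta(M2) == Delta(M1)
```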
PANIMALAR ENGINEERING COLLEGE

MAC based on DES

One of the most widely used MACs, referred to as the Data Authentication Algorithm (DAA), is based on DES. The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero. The data to be authenticated are grouped into contiguous 64-bit blocks D1, D2, ..., DN. If necessary, the final block is padded on the right with zeros to form a full 64-bit block. Using the DES encryption algorithm and a secret key, a data authentication code (DAC) is calculated as follows:

O1 = EK(D1)
O2 = EK(D2 ⊕ O1)
O3 = EK(D3 ⊕ O2)
...
ON = EK(DN ⊕ ON-1)

Data Authentication Algorithm

4.4 HASH FUNCTION

A variation on the message authentication code is the one-way hash function. As with a MAC, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as the hash code H(M). Unlike a MAC, a hash code does not use a key but is a function only of the input message. The hash code is also referred to as a message digest or hash value.

There are a variety of ways in which a hash code can be used to provide message authentication, as follows:

The message plus the hash code is encrypted using symmetric encryption. This is identical to the internal error control strategy. Because encryption is applied to the entire message plus the hash code, confidentiality is also provided.
Hash Function

Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.

Only the hash code is encrypted, using public-key encryption with the sender's private key. This provides authentication plus a digital signature.

Basic use of Hash Function

If confidentiality as well as a digital signature is desired, then the message plus the public-key-encrypted hash code can be encrypted using a symmetric secret key.

This technique uses a hash function, but no encryption, for message authentication. It assumes that the two communicating parties share a common secret value S. The source computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because the destination also holds S, it can recompute the hash value to verify the message, while S itself is never transmitted.
Confidentiality can be added to the previous approach by encrypting the entire message plus the hash code.

Basic use of Hash Function

A hash value h is generated by a function H of the form h = H(M), where M is a variable-length message and H(M) is the fixed-length hash value. The hash value is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates the message by recomputing the hash value.

Requirements for a Hash Function

1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x such that H(y) = H(x). This is sometimes referred to as weak collision resistance.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is sometimes referred to as strong collision resistance.

The first three properties are requirements for the practical application of a hash function to message authentication. The fourth property, the one-way property, states that it is easy to generate a code given a message but virtually impossible to generate a message given a code.
The fifth property guarantees that an alternative message hashing to the same value as a given message cannot be found. This prevents forgery when an encrypted hash code is used. The sixth property refers to how resistant the hash function is to a type of attack known as the birthday attack.

Simple Hash Functions

All hash functions operate using the following general principles. The input (message, file, etc.) is viewed as a sequence of n-bit blocks. The input is processed one block at a time in an iterative fashion to produce an n-bit hash code. One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block. This can be expressed as follows:

Ci = bi1 ⊕ bi2 ⊕ ... ⊕ bim

where
Ci = ith bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
bij = ith bit in the jth block

Procedure (rotated XOR):
1. Initially set the n-bit hash value to zero.
2. Process each successive n-bit block of data as follows:
   a. Rotate the current hash value to the left by one bit.
   b. XOR the block into the hash value.

Birthday Attacks

Suppose that a 64-bit hash code is used. One might think that this is quite secure. For example, if an encrypted hash code C is transmitted with the corresponding unencrypted message M, then an opponent would need to find an M' such that H(M') = H(M) to substitute another message and fool the receiver. On average, the opponent would have to try about 2^63 messages to find one that matches the hash code of the intercepted message.

However, a different sort of attack is possible, based on the birthday paradox. The source, A, is prepared to "sign" a message by appending the appropriate m-bit hash code and encrypting that hash code with A's private key.

1. The opponent generates 2^(m/2) variations on the message that A is to sign, all of which convey essentially the same meaning, and likewise 2^(m/2) variations on the fraudulent message.
2. The two sets of messages are compared to find a pair of messages that produces the same hash code. The probability of success, by the birthday paradox, is greater than 0.5. If no match is found, additional valid and fraudulent messages are generated until a match is made.
3. The opponent offers the valid variation to A for signature. This signature can then be attached to the fraudulent variation for transmission to the intended recipient. Because the two variations have the same hash code, they will produce the same signature; the opponent is assured of success even though the encryption key is not known.

Thus, if a 64-bit hash code is used, the level of effort required is only on the order of 2^32.

MEET-IN-THE-MIDDLE ATTACK

Divide a message M into fixed-size blocks M1, M2, ..., MN and use a symmetric encryption system such as DES to compute the hash code G as follows:

H0 = initial value
Hi = EMi[Hi-1]
G = HN

This is similar to the CBC technique, but in this case there is no secret key. As with any hash code, this scheme is subject to the birthday attack, and if the encryption algorithm is DES and only a 64-bit hash code is produced, then the system is vulnerable. Furthermore, another version of the birthday attack can be used even if the opponent has access to only one message and its valid signature and cannot obtain multiple signings.

Here is the scenario; we assume that the opponent intercepts a message with a signature in the form of an encrypted hash code and that the unencrypted hash code is m bits long:

1. Calculate the unencrypted hash code G.
2. Construct any desired message in the form Q1, Q2, ..., QN-2.
3. Compute Hi = EQi[Hi-1] for 1 ≤ i ≤ (N-2).
4. Generate 2^(m/2) random blocks; for each block X, compute EX[HN-2]. Generate an additional 2^(m/2) random blocks; for each block Y, compute DY[G], where D is the decryption function corresponding to E.
5. Based on the birthday paradox, with high probability there will be an X and Y such that EX[HN-2] = DY[G].
6. Form the message Q1, Q2, ..., QN-2, X, Y. This message has the hash code G and therefore can be used with the intercepted encrypted signature.

4.5 SECURITY OF HASH FUNCTION AND MAC

Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.

Brute-Force Attacks

The nature of brute-force attacks differs somewhat for hash functions and MACs.

Hash Functions

The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.

Requirements of Hash Function:

One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.
Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

For a hash code of length n, the level of effort required, as we have seen, is proportional to the following:

One-way                       2^n
Weak collision resistance     2^n
Strong collision resistance   2^(n/2)

Message Authentication Codes

A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. To attack a hash code, we can proceed in the following way. Given a
fixed message x with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do this repeatedly off line.

To proceed, we need to state the desired security property of a MAC algorithm, which can be expressed as follows:

Cryptanalysis

As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.

Hash Functions

The hash function takes an input message and partitions it into L fixed-size blocks of b bits each. If necessary, the final block is padded to b bits. The final block also includes the value of the total length of the input to the hash function. The inclusion of the length makes the job of the opponent more difficult: either the opponent must find two messages of equal length that hash to the same value, or two messages of differing lengths that, together with their length values, hash to the same value.

IV = initial value
CV = chaining variable
Yi = ith input block
L = number of input blocks
n = length of hash code
b = length of input block

General structure of secure hash code

The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output.
At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often b > n; hence the term compression.

The hash function can be summarized as follows:

CV0 = IV = initial n-bit value
CVi = f(CVi-1, Yi-1)   for 1 ≤ i ≤ L
H(M) = CVL

where the input to the hash function is a message M consisting of the blocks Y0, Y1, ..., YL-1. The structure can be used to produce a secure hash function to operate on a message of any length.

Message Authentication Codes:

There is much more variety in the structure of MACs than in hash functions, so it is difficult to generalize about the cryptanalysis of MACs.

4.6 SHA

SHA-512 takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks.

Comparison of SHA Parameters

                      SHA-1     SHA-224   SHA-256   SHA-384   SHA-512
Message digest size   160       224       256       384       512
Message size          < 2^64    < 2^64    < 2^64    < 2^128   < 2^128
Block size            512       512       512       1024      1024
Word size             32        32        32        64        64
Number of steps       80        64        64        80        80

Step 1: Append padding bits.

The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]. Padding is always added, even if the message is already of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length.

A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).

Message Digest Generation Using SHA-512

Step 3: Initialize hash buffer.

A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
The registers are initialized to the following 64-bit integers (hexadecimal values):

a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CD19137E2179

Step 4: Process message in 1024-bit (128-word) blocks.

The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F. Each round takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer. At input to the first round, the buffer has the value of the intermediate hash value Hi-1. Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being processed (Mi). These values are derived using a message schedule described subsequently. Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of the 80 rounds.

The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi. The addition is done independently for each of the eight words in the buffer with each of the corresponding words in Hi-1, using addition modulo 2^64.

SHA-512 Processing of a Single 1024-Bit Block

Step 5:
Output.

After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.

Elementary SHA Operation (single step)

Summary of SHA-512

H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN

where
IV = initial value of the abcdefgh buffer, defined in step 3
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value

SHA-512 Round Function
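The five steps above carried out end to end, as an added example written for these notes (not taken from them) and cross-checked against Python's hashlib. It derives the step 3 buffer values and the 80 constants Kt the way FIPS 180-4 defines them (first 64 bits of the fractional parts of the square roots and cube roots of the first primes), uses the FIPS definitions of the round temporaries T1 and T2, and uses helper names of its own.

```python
import hashlib
from math import isqrt

MASK64 = (1 << 64) - 1

def first_primes(count):
    """First `count` primes by trial division (enough for the 80 round constants)."""
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes

def icbrt(n):
    """Exact integer floor(cbrt(n)) by Newton iteration from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

PRIMES = first_primes(80)
# Step 3 buffer (a..h): first 64 bits of the fractional part of sqrt of the first 8 primes.
IV = tuple(isqrt(p << 128) & MASK64 for p in PRIMES[:8])
# Round constants K_t: first 64 bits of the fractional part of cbrt of the first 80 primes.
K = tuple(icbrt(p << 192) & MASK64 for p in PRIMES)

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def pad(message):
    """Steps 1 and 2: a single 1 bit, 0 bits up to 896 mod 1024, then the 128-bit length."""
    bit_length = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + bit_length.to_bytes(16, "big")

def compress(h, block):
    """Step 4: the 80-round module F on one 1024-bit block, then SUM64 with H_{i-1}."""
    w = [int.from_bytes(block[8 * i:8 * i + 8], "big") for i in range(16)]
    for t in range(16, 80):  # message schedule producing W_16 .. W_79
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        # T1 = h + Sum1(e) + Ch(e,f,g) + K_t + W_t ; T2 = Sum0(a) + Maj(a,b,c)
        t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
        t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        # h=g, g=f, f=e, e=d+T1, d=c, c=b, b=a, a=T1+T2 (all additions modulo 2^64)
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return tuple((x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh)))

def sha512_hex(message):
    """Step 5: the chaining value after the last block is the 512-bit digest."""
    h = IV
    padded = pad(message)
    for i in range(0, len(padded), 128):
        h = compress(h, padded[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in h).hex()

def matches_hashlib(message):
    """Cross-check against the standard library implementation."""
    return sha512_hex(message) == hashlib.sha512(message).hexdigest()
```

A 112-byte message is the edge case of step 1: it already sits at 896 mod 1024 bits, yet still receives a full extra block of padding.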
In each round t the buffer is updated as follows:

h = g
g = f
f = e
e = d + T1
d = c
c = b
b = a
a = T1 + T2

where
Wt = a 64-bit word derived from the current 1024-bit input block
Kt = a 64-bit additive constant
+ = addition modulo 2^64

4.7 DIGITAL SIGNATURE AND AUTHENTICATION PROTOCOLS

Digital Signature Requirements

Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Disputes that message authentication alone cannot resolve are:

Creation of a fraudulent message.
Denial of having sent a message.

For example, suppose that John sends an authenticated message to Mary. The following disputes could arise:

1. Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.

Properties of a digital signature:

It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.

Requirements for a digital signature:

The signature must be a bit pattern that depends on the message being signed.
The signature must use some information unique to the sender, to prevent both forgery and denial.
It must be relatively easy to produce the digital signature.
It must be relatively easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
It must be practical to retain a copy of the digital signature in storage.

Direct Digital Signature

The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.

Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key (symmetric encryption). Note that it is important to perform the signature function first and then an outer confidentiality function. In case of dispute, some third party must view the message and its signature. If the signature is calculated on an encrypted message, then the third party also needs access to the decryption key to read the original message. However, if the signature is the inner operation, then the recipient can store the plaintext message and its signature for later use in dispute resolution.

The validity of the scheme just described depends on the security of the sender's private key.
Weakness of Direct Digital Signature:

If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature.

Another threat is that some private key might actually be stolen from X at time T. The opponent can then send a message signed with X's signature and stamped with a time before or equal to T.

Arbitrated Digital Signatures

The problems associated with the direct digital signature can be overcome by using arbitrated schemes. In an arbitrated scheme, the entire signed message from the sender goes to the arbiter A. The arbiter subjects the message and signature to a number of tests to check their origin and content. The date and time are then attached to the message, indicating that the digital signature has been verified and is satisfactory. The message is then transmitted to the receiver.

Requirement of the arbiter:

As the arbiter plays a sensitive and crucial role, it must be a trusted third party.

Notation: X = Sender, Y = Recipient, A = Arbiter, M = Message, T = Timestamp

Scheme 1: Conventional encryption, arbiter sees the message:

The sender X and arbiter A share the master key Kax; the receiver Y and the arbiter A share the master key Kay.
When X wants to send a message M to Y, it constructs the message and computes the hash value H(M). This hash is encrypted using symmetric encryption with the key Kax, which acts as the signature. The message along with the signature is transmitted to A. A decrypts the signature and checks the hash value to validate the message. A then transmits the message to Y, encrypted with Kay. Y decrypts to extract the message and signature.

Disadvantage:
An eavesdropper can read the message, as there is no confidentiality.

Scheme 2: Conventional encryption, arbiter does not see the message:

Kax and Kay are the master keys. Kxy is the key shared between X and Y. When X wants to transmit a message to Y, the packet goes to the arbiter. The same procedure as in Scheme 1 is used: X transmits an identifier, a copy of the message encrypted with Kxy, and a signature to A. The signature is the hash of the message encrypted with Kxa. A decrypts the signature and checks the hash value to validate the message. A cannot read the message. A attaches the timestamp, encrypts with Kxa, and transmits to Y.

Attack: The arbiter can collude with an attacker and deny a message carrying the sender's signature.

Scheme 3: Public key encryption, arbiter does not see the message:

This method uses public-key cryptography, which gives authentication and a digital signature. The doubly encrypted message is concatenated with IDx and sent to the arbiter. A can decrypt the outer encryption to ensure that the message has come from X. A then transmits the message with IDx and a timestamp.

Advantages:
No information is shared among parties before communication, hence fraud is avoided.
No incorrectly dated message can be sent.

Disadvantages:
The complex public-key algorithm has to be applied twice for encryption and twice for decryption.

Authentication Protocols

Authentication protocols are used to convince parties of each other's identity and to exchange session keys.

Mutual Authentication

An important application area is that of mutual authentication protocols. Such protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys. Key issues are:

Confidentiality – to protect session keys and prevent masquerade and compromise.
Timeliness – to prevent replay attacks.

Replay Attacks

A replay attack is one where a valid signed message is copied and later resent.

Simple replay: The opponent simply copies the message and replays it later.

Repetition that can be logged: The opponent replays a timestamped message within the valid time window.

Repetition that cannot be detected: The attacker has suppressed the original message so that it never reached the receiver; only the replayed message arrives.

Backward replay without modification: The message is replayed back to the sender itself. This is possible if the sender cannot easily recognize the difference between the message sent and the message received, based on the content.

Countermeasures include:

One approach to coping with replay attacks is to attach a sequence number to each message used in an authentication exchange. A new message is accepted only if its sequence number is in the proper order. The difficulty with this approach is that it requires each party to keep track of the last sequence number for each claimant it has dealt with. Because of this overhead, sequence numbers are generally not used for authentication and key exchange. Instead, one of the following two general approaches is used:

Timestamps: Party A accepts a message as fresh only if the message contains a timestamp that is close enough to A's knowledge of the current time. This approach requires that clocks among the various participants be synchronized.
Challenge/response: Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.

Using Symmetric Encryption
Use a two-level hierarchy of keys, usually with a trusted Key Distribution Center (KDC).
Each party shares its own master key with the KDC.
The KDC generates session keys used for connections between parties.
Master keys are used to distribute the session keys.

Needham-Schroeder Protocol
The original third-party key distribution protocol, for a session between A and B mediated by the KDC.
Protocol overview:
1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B: EKb[Ks || IDA]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]
Step 1: A transmits to the KDC the identifiers of source and destination and a nonce N1 as a request.
Step 2: A securely acquires the session key in step 2; a packet for B, encrypted with Kb, is also received from the KDC.
Step 3: A transmits to B the message it got from the KDC.
Step 4: As a handshake, B encrypts a new nonce N2 with Ks and transmits it to A.
Step 5: As a handshake, A encrypts a function of N2 with Ks.
Steps 4 and 5 are used as a handshake and prevent replay attacks.
Attacks:
The protocol is used to securely distribute a new session key for communications between A and B.
But it is vulnerable to a replay attack if an old session key has been compromised.
Then message 3 can be resent, convincing B that it is communicating with A.
Modifications to address this require:
Timestamps
Using an extra nonce

Denning Protocol:
To overcome the above weakness, a modification to the Needham/Schroeder protocol is made that
includes the addition of a timestamp to steps 2 and 3.
A→KDC: IDA || IDB
KDC→A: E(Ka, [Ks || IDB || T || E(Kb, [Ks || IDA || T])])
A→B: E(Kb, [Ks || IDA || T])
B→A: E(Ks, N1)
A→B: E(Ks, f(N1))
T is a timestamp that assures A and B that the session key has only just been generated. Thus, both A and B know that the key distribution is a fresh exchange. A and B can verify timeliness by checking that
| Clock - T | < ∆t1 + ∆t2
The Denning protocol seems to provide an increased degree of security compared to the Needham/Schroeder protocol. However, a new concern is raised: namely, that this new scheme requires reliance on clocks that are synchronized throughout the network.
Suppress-replay attacks:
The problem occurs when a sender's clock is ahead of the intended recipient's clock. In this case, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient's site. This replay could cause unexpected results.
Method to overcome:
One way to counter suppress-replay attacks is to enforce the requirement that parties regularly check their clocks against the KDC's clock. The other alternative, which avoids the need for clock synchronization, is to rely on handshaking protocols using nonces.
This latter alternative is not vulnerable to a suppress-replay attack, because the nonces the recipient will choose in the future are unpredictable to the sender.
An attempt is made to respond to the concerns about suppress-replay attacks and at the same time fix the problems in the Needham/Schroeder protocol.
The protocol is:
1. A→B: IDA || Na
2. B→KDC: IDB || Nb || E(Kb, [IDA || Na || Tb])
PANIMALAR ENGINEERING COLLEGE

3. KDC→A: E(Ka, [IDB || Na || Ks || Tb]) || E(Kb, [IDA || Ks || Tb]) || Nb
4. A→B: E(Kb, [IDA || Ks || Tb]) || E(Ks, Nb)

1. A initiates the authentication exchange by generating a nonce, Na, and sending that plus its identifier to B in plaintext. This nonce Na will be returned to A in an encrypted message that includes the session key, assuring A of its timeliness.
2. B alerts the KDC that a session key is needed. Its message to the KDC includes its identifier and a nonce, Nb. This nonce will be returned to B in an encrypted message that includes the session key, assuring B of its timeliness. B's message to the KDC also includes a block encrypted with the secret key shared by B and the KDC. This block is used to instruct the KDC to issue credentials to A; the block specifies the intended recipient of the credentials, a suggested expiration time for the credentials, and the nonce received from A.
3. The KDC passes on to A B's nonce and a block encrypted with the secret key that B shares with the KDC. The block serves as a "ticket" that can be used by A for subsequent authentications, as will be seen. The KDC also sends to A a block encrypted with the secret key shared by A and the KDC. This block verifies that B has received A's initial message (IDB) and that this is a timely message and not a replay (Na), and it provides A with a session key (Ks) and the time limit on its use (Tb).
4. A transmits the ticket to B, together with B's nonce, the latter encrypted with the session key.
The ticket provides B with the secret key that is used to decrypt E(Ks, Nb) to recover the nonce, which shows that the message came from A and is not a replay.

Using Public-Key Encryption
There is a range of approaches based on the use of public-key encryption.
Need to ensure that parties have the correct public keys for other parties.
Using a central authentication server (AS).
Various protocols exist using timestamps or nonces.

Denning AS Protocol
Denning presented the following:
1. A→AS: IDA || IDB
2. AS→A: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T]
3. A→B: EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T] || EKUb[EKRas[Ks || T]]
Note that the session key is chosen by A, hence the AS need not be trusted to protect it.
Timestamps prevent replay but require synchronized clocks.
Another approach, proposed by Woo and Lam, makes use of nonces:
1. A→KDC: IDA || IDB
2. KDC→A: EKRauth[IDB || KUb]
3. A→B: EKUb[Na || IDA]
4. B→KDC: IDB || IDA || EKUauth[Na]
5. KDC→B: EKRauth[IDA || KUa] || EKUb[EKRauth[Na || Ks || IDB]]
6. B→A: EKUa[EKRauth[Na || Ks || IDB] || Nb]
7. A→B: EKs[Nb]
Step 1: A informs the KDC of its intention to establish a secure connection with B.
Step 2: The KDC returns to A a copy of B's public key certificate.
Step 3: A informs B of its desire to communicate and sends a nonce Na.
Step 4: B asks the KDC for A's public key certificate and requests a session key. B includes A's nonce so that the KDC can stamp the session key with that nonce. The nonce is protected using the KDC's public key.
Step 5: The KDC returns to B a copy of A's public key certificate, plus the information [Na, Ks, IDB].
Step 6: The triple [Na, Ks, IDB], still encrypted with the KDC's private key, is relayed to A, together with a nonce Nb generated by B. All the foregoing are encrypted using A's public key. A retrieves the session key Ks and uses it to encrypt Nb and return it to B.
Step 7: Assures B of A's knowledge of the session key.

One-Way Authentication
Required when sender and receiver are not in communication at the same time (e.g. email).
Have the header in clear so it can be delivered by the email system.
May want the contents of the body protected and the sender authenticated.

Using Symmetric Encryption
Can refine the use of the KDC, but can't have the final exchange of nonces:
1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B: EKb[Ks || IDA] || EKs[M]
This does not protect against replays; could rely on a timestamp in the message, though email delays make this problematic.
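The Needham-Schroeder exchange, the replay of message 3 with a compromised old session key, and the Denning timestamp check | Clock - T | < ∆t1 + ∆t2 from the previous pages, run end to end as an added Python example (not code from these notes). The toy cipher, the function f, the `pack`/`unpack` encoding of `||` and the window ∆t1 + ∆t2 = 60 s are assumptions made so it runs offline.

```python
import hashlib
import hmac
import os


# Toy symmetric "E(K, data)": SHA-256 keystream plus an HMAC tag. This is an
# assumption standing in for DES/AES so the protocol logic can run offline;
# it is not a recommended cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# "||" concatenation: every field is hex-encoded so raw bytes never contain '|'.
def pack(*fields: bytes) -> bytes:
    return b"|".join(f.hex().encode() for f in fields)


def unpack(blob: bytes) -> list:
    return [bytes.fromhex(f.decode()) for f in blob.split(b"|")]


def f(nonce: bytes) -> bytes:
    """The agreed transformation of N2 used in message 5 (assumed)."""
    return hashlib.sha256(nonce).digest()[:8]


class KDC:
    """Holds the master keys Ka, Kb and answers message 1 with message 2."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def step2(self, ida: bytes, idb: bytes, n1: bytes, t=None) -> bytes:
        ks = os.urandom(16)
        tb = b"" if t is None else str(t).encode()   # Denning adds T; NS omits it
        ticket = encrypt(self.master_keys[idb], pack(ks, ida, tb))   # EKb[Ks||IDA(||T)]
        return encrypt(self.master_keys[ida], pack(ks, idb, n1, tb, ticket))


class Responder:
    """B. max_skew = dt1 + dt2 enables the Denning check |Clock - T| < dt1 + dt2."""

    def __init__(self, kb: bytes, max_skew=None):
        self.kb, self.max_skew = kb, max_skew

    def accept_ticket(self, ticket: bytes, clock: int) -> bytes:
        ks, _ida, tb = unpack(decrypt(self.kb, ticket))
        if self.max_skew is not None and abs(clock - int(tb)) >= self.max_skew:
            raise ValueError("stale ticket")
        return ks

    def handshake(self, ticket: bytes, peer_key: bytes, clock: int) -> bool:
        """Messages 3-5 as seen by B; peer_key is whatever Ks the sender holds."""
        try:
            ks = self.accept_ticket(ticket, clock)
            n2 = os.urandom(8)
            msg4 = encrypt(ks, n2)                                # B→A: EKs[N2]
            msg5 = encrypt(peer_key, f(decrypt(peer_key, msg4)))  # A→B: EKs[f(N2)]
            return decrypt(ks, msg5) == f(n2)
        except ValueError:
            return False


def scenario(denning: bool) -> tuple:
    """Returns (fresh run accepted?, replay of message 3 a day later accepted?)."""
    ka, kb = os.urandom(16), os.urandom(16)
    kdc = KDC({b"A": ka, b"B": kb})
    clock = 1_700_000_000                     # constructed "current time"
    n1 = os.urandom(8)
    msg2 = unpack(decrypt(ka, kdc.step2(b"A", b"B", n1, clock if denning else None)))
    ks, idb, n1_back, _tb, ticket = msg2
    assert idb == b"B" and n1_back == n1      # A checks its own nonce came back
    b = Responder(kb, max_skew=60 if denning else None)   # dt1 + dt2 = 60 s (assumed)
    fresh = b.handshake(ticket, ks, clock)
    # Later the old Ks leaks; an opponent who captured message 3 resends it.
    replayed = b.handshake(ticket, ks, clock + 24 * 3600)
    return fresh, replayed
```

With plain Needham-Schroeder `scenario(False)` accepts both runs; with the Denning timestamp `scenario(True)` accepts the fresh run and rejects the day-old ticket.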
Public-Key Approaches
If confidentiality is the major concern, can use:
A→B: EKUb[Ks] || EKs[M]
In this case, the message is encrypted with a one-time secret key. A also encrypts this one-time key with B's public key. Only B will be able to use the corresponding private key to recover the one-time key and then use that key to decrypt the message. This scheme is more efficient than simply encrypting the entire message with B's public key.
If authentication is needed, use a digital signature with a digital certificate:
A→B: M || EKRa[H(M)]
This method guarantees that A cannot later deny having sent the message. However, this technique is open to another kind of fraud. Bob composes a message to his boss Alice that contains an idea that will save the company money. He appends his digital signature and sends it into the e-mail system.
Eventually, the message will get delivered to Alice's mailbox. But suppose that Max has heard of Bob's idea and gains access to the mail queue before delivery. He finds Bob's message, strips off his signature, appends his own, and requeues the message to be delivered to Alice. Max gets credit for Bob's idea.
To counter such a scheme, both the message and signature can be encrypted with the recipient's public key:
A→B: EKUb[M || EKRa[H(M)]]
The latter two schemes require that B know A's public key and be convinced that it is timely. An effective way to provide this assurance is the digital certificate:
A→B: M || EKRa[H(M)] || EKRas[T || IDA || KUa]
In addition to the message, A sends B the signature encrypted with A's private key and A's certificate encrypted with the private key of the authentication server. The recipient of the message first uses the certificate to obtain the sender's public key and verify that it is authentic, and then uses the public key to verify the message itself.

4.8 DSS
The DSS Approach
The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.
RSA approach
The message to be signed is input to a hash function that produces a secure hash code of fixed length. This hash code is then encrypted using the sender's private key to form the signature.
Both the message and the signature are then transmitted. The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender's public key.
If the calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only the sender knows the private key, only the sender could have produced a valid signature.
DSS approach
The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number generated for this particular signature.
The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUG). The result is a signature consisting of two components, labeled s and r.

Two Approaches to Digital Signatures
At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The verification function also depends on the global public key as well as the sender's public key, which is paired with the sender's private key.
The output of the verification function is a value that is equal to the signature component r if the signature is valid. The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.
The Digital Signature Algorithm:
There are three parameters that are public and can be common to a group of users.
A 160-bit prime number q is chosen.
Next, a prime number p is selected with a length between 512 and 1024 bits such that q divides (p - 1).
Finally, g is chosen to be of the form h^((p-1)/q) mod p, where h is an integer between 1 and (p - 1).
With these numbers in hand, each user selects a private key and generates a public key. The private key x must be a number from 1 to (q - 1) and should be chosen randomly.
The public key is calculated from the private key as y = g^x mod p. The calculation of y given x is relatively straightforward. However, given the public key y, it is believed to be computationally infeasible to determine x, which is the discrete logarithm of y to the base g, mod p.
At the receiving end, verification is performed using the formulas. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and the hash code of the incoming message. If this quantity matches the r component of the signature, then the signature is validated.

The Digital Signature Algorithm (DSA)
The value r does not depend on the message at all. Instead, r is a function of k and the three global public-key components.
The multiplicative inverse of k (mod q) is passed to a function that also has as inputs the message hash code and the user's private key.
The structure of this function is such that the receiver can recover r using the incoming message and signature, the public key of the user, and the global public key. Given the difficulty of taking discrete logarithms, it is infeasible for an opponent to recover k from r or to recover x from s.
The only computationally demanding task in signature generation is the exponential calculation g^k mod p. Because this value does not depend on the message to be signed, it can be computed ahead of time.
Each user selects a private key and generates a public key. The private key x must be a number from 1 to (q - 1) and should be chosen randomly. The public key is calculated from the private key as y = g^x mod p.
To create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p, q, g), the user's private key (x), the hash code of the message, H(M), and an additional integer k that should be generated randomly and be unique for each signing.
At the receiving end, verification is performed using the formulas. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and the hash code of the incoming message. If this quantity matches the r component of the signature, then the signature is validated.

DSS Signing and Verifying

4.9 ENTITY AUTHENTICATION
Entity authentication is a technique designed to let one party prove the identity of another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
Terminologies involved
Verifier: The person who is in charge of checking that the correct entity is involved in communication is the verifier. The verifier can also create some tokens by itself during communication which are used.
Claimant: The person who wants to start communication by proving its identity is the claimant.
Nonce: A time-variant parameter which serves to distinguish one protocol instance from another, like a random number.
Salt: Upon arrival of a password we may add some bits upon initial entry. This t-bit random string is called "salt".

Entity Authentication vs. Message Authentication
Message Authentication:
This involves a meaningful message.
This doesn't provide timeliness guarantees, as to when it was created etc.
Entity Authentication:
This doesn't involve a meaningful message; it involves some "claim" for proving its identity.
Time is important, as in this protocol corroboration of a claimant's identity takes place.

Data-Origin Versus Entity Authentication
There are two differences between message authentication (data-origin authentication) and entity authentication.
1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.

Verification Categories
Something known: These include standard passwords, PINs (personal identification numbers), etc.
Something possessed: This includes some physical accessory like our own student ID to access labs, ATM cards, etc.
Something inherent: These include characteristics like fingerprints, handwritten signatures, voice, i.e. some human physical characteristic.
4.10 PASSWORDS (Weak Authentication)
The simplest and oldest method of entity authentication is password-based authentication, where the password is something that the claimant knows.
This is among the most conventional schemes, wherein a user has a 'user id' and a 'password'. The user id acts like a claim and the password as evidence supporting the claim.
The system checks to see if it matches or not. Here demonstration of knowledge of the secret, which is the password in this case, corroborates that the person is verified.
Passphrase:
The user types in a sentence rather than a short word for the password. The idea is that it is easier for a user to remember sentences.
The entered sentence is then compared with what is stored for the corresponding user.
The long password can be encrypted or in plain text when stored on the medium or database.

First Approach: User ID and password file
Second Approach: Hashing the password

Third Approach: Salting the password

Fourth Approach
In the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
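The first three storage approaches above (password file, hashed password, salted password) side by side, as an added Python example that is not from these notes. The user records, the word list and the 128-bit salt length are constructed; the point shown is that a hashed file still lets a single precomputed table cover every user, and per-user salt does not.

```python
import hashlib
import hmac
import os

# Constructed records: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}
WORDLIST = ["password", "letmein", "correct horse", "qwerty"]   # constructed guesses


# First approach: the file holds the password itself.
def store_plain(password: str) -> bytes:
    return password.encode()


def check_plain(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, attempt.encode())


# Second approach: the file holds H(password). The same password always maps
# to the same entry, so one table of precomputed hashes covers every user.
def store_hashed(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def check_hashed(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, store_hashed(attempt))


# Third approach: a t-bit random salt per user, stored beside H(salt || password).
SALT_BYTES = 16   # t = 128 bits (assumption)


def store_salted(password: str, salt: bytes = None) -> bytes:
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt + hashlib.sha256(salt + password.encode()).digest()


def check_salted(stored: bytes, attempt: str) -> bool:
    salt = stored[:SALT_BYTES]                  # reuse the user's own salt
    return hmac.compare_digest(stored, store_salted(attempt, salt))


def build_file(store) -> dict:
    """The password file: {user id: stored evidence}."""
    return {user: store(pw) for user, pw in USERS.items()}


def entries_collide(pwfile: dict) -> bool:
    """Can the file be read to find which users share a password?"""
    return len(set(pwfile.values())) < len(pwfile)


def recoverable_by_table(pwfile: dict) -> list:
    """Users whose entry appears in one table of hashes of WORDLIST, built once
    and independent of the file; salted entries never match such a table."""
    table = {store_hashed(w): w for w in WORDLIST}
    return sorted(u for u, entry in pwfile.items() if entry in table)
```

A deployment would replace the single SHA-256 in `store_salted` with a deliberately slow function such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt`; the salt handling stays the same.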
Advantages:
It has better entropy than a short password.
It is easier to remember than the usual passwords.
Disadvantages:
This is really weak against attacks, as an intruder can listen on the communication channel and impersonate the user later.
It is also very easy to replay the same message and use it later.
Exhaustive search or password guessing, i.e. dictionary attacks, can also be used.
One has to type extra.

4.11 CHALLENGE-RESPONSE (Strong Authentication)
In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password.
In challenge-response authentication, the claimant proves that she knows a secret without sending it.
The central idea of challenge-response is that the claimant proves its identity to the verifier by demonstrating knowledge of a secret known to be associated with the entity, without revealing the secret itself to the verifier during the protocol.
The challenge is usually time-variant and is a random number.
As the challenge is different every time, even if the adversary is monitoring the network it won't help, as the challenge changes every time.
Using a Symmetric-Key Cipher
Challenge-response by symmetric-key techniques: unilateral authentication using a random number.
Here, A is the claimant and B is the verifier.
Communication takes place as:
A ← B : rB ------ (1)
A → B : EK(rB, B*) ---- (2)
B sends A a random number. To prove its claim, A then encrypts the random number sent by B using the symmetric encryption key 'k'. It also sends the optional field of the verifier as 'B'. This prevents a reflection attack, as the key used is the bi-directional key 'k'.
B then decrypts the message sent by A to see that the random number is the same as it had sent. It also checks whether the identifier matches. If either of them is not true, it stops any further communication.

First Approach: Unidirectional Authentication, Nonce challenge
(The nonce cannot be replayed by Eve.)

Second Approach: Unidirectional Authentication, Timestamp challenge
It is assumed that the clocks are synchronized.
Authentication can be done with only one message.

Third Approach: Bidirectional authentication
The order of RA and RB is changed to prevent a replay attack on the third message.
Using Keyed-Hash Functions
Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC).
Keyed-hash function

Using an Asymmetric-Key Cipher
The verifier encrypts the challenge with the public key of the claimant.
The claimant decrypts the challenge with her private key.
She sends the challenge back to the verifier.
First Approach: Unidirectional, asymmetric-key authentication
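The symmetric-key challenge-response of 4.11 with a keyed-hash function (MAC) in place of EK, as an added Python example that is not from these notes; the `Claimant`/`Verifier` classes, identifiers and keys are constructed. Besides the honest run it shows the verifier rejecting a replayed response and a response that was computed for a different verifier identifier (the role of the optional field B* above).

```python
import hashlib
import hmac
import os


def keyed_hash(key: bytes, *fields: bytes) -> bytes:
    """MAC over the '||' concatenation of the fields; stands in for EK in the notes."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


class Claimant:
    """A: proves knowledge of the shared key k without ever sending k."""

    def __init__(self, ident: bytes, key: bytes):
        self.ident, self.key = ident, key

    def respond(self, challenge: bytes, verifier_id: bytes) -> tuple:
        # The response binds the verifier's identifier B*, so a response made
        # for one verifier cannot be turned around and presented to another.
        return self.ident, keyed_hash(self.key, challenge, verifier_id)


class Verifier:
    """B: issues a fresh random challenge rB and accepts each one at most once."""

    def __init__(self, ident: bytes, shared_keys: dict):
        self.ident, self.shared_keys, self.pending = ident, shared_keys, set()

    def challenge(self) -> bytes:
        r_b = os.urandom(16)              # time-variant, unpredictable to A
        self.pending.add(r_b)
        return r_b

    def verify(self, r_b: bytes, claimant_id: bytes, response: bytes) -> bool:
        if r_b not in self.pending:       # never issued, or already consumed: a replay
            return False
        self.pending.discard(r_b)         # exactly one response per challenge
        key = self.shared_keys.get(claimant_id)
        if key is None:
            return False
        return hmac.compare_digest(response, keyed_hash(key, r_b, self.ident))


def run(case: str) -> bool:
    """Outcome at B for one exchange; keys and identifiers are constructed."""
    k = os.urandom(32)
    alice, bob = Claimant(b"A", k), Verifier(b"B", {b"A": k})
    r_b = bob.challenge()                                     # (1) A <- B : rB
    if case == "honest":                                      # (2) A -> B : MAC_k(rB, B)
        return bob.verify(r_b, *alice.respond(r_b, b"B"))
    if case == "replay":                  # a recorded response is presented twice
        who, resp = alice.respond(r_b, b"B")
        bob.verify(r_b, who, resp)
        return bob.verify(r_b, who, resp)
    if case == "reflected":               # response Alice computed for verifier C
        return bob.verify(r_b, *alice.respond(r_b, b"C"))
    if case == "no_key":                  # a claimant that does not hold k
        return bob.verify(r_b, b"A", keyed_hash(os.urandom(32), r_b, b"B"))
    raise ValueError(case)
```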
Second Approach: Bidirectional, asymmetric-key
Bob is authenticated

Using Digital Signature
The claimant uses her private key for signing.
First Approach: Digital signature, Unidirectional
Alice is authenticated
Second Approach: Digital signature, bidirectional authentication

Advantages:
It is a time-variant challenge where the response depends on the entity's secret and the challenge.
Even if the communication line is monitored, the response from one execution of the identification protocol will not provide an adversary with useful information.
Disadvantages:
This protocol may still reveal some partial information about the claimant's secret; an adversarial verifier might still be able to strategically select challenges to obtain responses providing information.

4.12 BIOMETRICS
Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent).
Biometrics measures features that cannot be guessed, stolen, or shared.
Components
Several components are needed for biometrics, including capturing devices, processors, and storage devices.
Enrollment
Before using any biometric technique for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
Authentication
Verification
Identification
Techniques
Physiological Techniques
Fingerprint
Iris
Retina
Face
Hands
Voice
DNA
Behavioral Techniques
Signature
Keystroke
Applications
Several applications of biometrics are already in use.
In commercial environments, these include access to facilities, access to information systems, transactions at point-of-sale, and employee timekeeping.
In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis.
Border control and immigration control also use some biometric techniques.

4.13 Authentication Application

Kerberos
Kerberos is an authentication service.
• Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
• Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture with one system able to back up another.
• Transparent: Ideally, the user should not be aware that authentication is taking place beyond the requirement to enter a password.
• Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
To support these requirements, the overall scheme of Kerberos is that of a trusted third-party authentication service that uses a protocol based on that proposed by Needham and Schroeder.
Kerberos Version 4
Version 4 of Kerberos makes use of DES, in a rather elaborate protocol, to provide the authentication service.
A Simple Authentication Dialogue
(1) C → AS: IDC || PC || IDV
(2) AS → C: Ticket
(3) C → V: IDC || Ticket
Ticket = E(Kv, [IDC || ADC || IDV])
where
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V

A More Secure Authentication Dialogue
Introduce a scheme for avoiding plaintext passwords and a new server, known as the ticket-granting server (TGS).
Once per user logon session:
(1) C → AS: IDC || IDtgs
(2) AS → C: E(Kc, Tickettgs)
Once per type of service:
(3) C → TGS: IDC || IDV || Tickettgs
(4) TGS → C: Ticketv
Once per service session:
(5) C → V: IDC || Ticketv
Tickettgs = E(Ktgs, [IDC || ADC || IDtgs || TS1 || Lifetime1])
Ticketv = E(Kv, [IDC || ADC || IDv || TS2 || Lifetime2])
The new service, TGS, issues tickets to users who have been authenticated to the AS. Thus, the user first requests a ticket-granting ticket (Tickettgs) from the AS. The client module in the user workstation saves this ticket. Each time the user requires access to a new service, the client applies to the TGS, using the ticket to authenticate itself. The TGS then grants a ticket for the particular service. The client saves each service-granting ticket and uses it to authenticate its user to a server each time a particular service is requested.
1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID to the AS, together with the TGS ID, indicating a request to use the TGS service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password (Kc), which is already stored at the AS. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered.
3. The client requests a service-granting ticket on behalf of the user. For this purpose, the client transmits a message to the TGS containing the user's ID, the ID of the desired service, and the ticket-granting ticket.
4. The TGS decrypts the incoming ticket using a key shared only by the AS and the TGS (Ktgs) and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.
5. The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user's ID and the service-granting ticket. The server authenticates by using the contents of the ticket.

Authentication Service Exchange to obtain ticket-granting ticket

Ticket-Granting Service Exchange to obtain service-granting ticket

Client/Server Authentication Exchange to obtain service
Kerberos Realms and Multiple Kerberi
A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers requires the following:
1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
Such an environment is referred to as a Kerberos realm. The concept of realm can be explained as follows.
A Kerberos realm is a set of managed nodes that share the same Kerberos database.
The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room.
A read-only copy of the Kerberos database might also reside on other Kerberos computer systems. However, all changes to the database must be made on the master computer system.
4.14 X.509 certificate
A public-key certificate is associated with each user. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates.
• Version: Differentiates among successive versions of the certificate format; the default is version 1. If the issuer unique identifier or subject unique identifier are present, the value must be version 2. If one or more extensions are present, the version must be version 3.
• Serial number: An integer value unique within the issuing CA that is unambiguously associated with this certificate.
• Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated parameters. Because this information is repeated in the signature field at the end of the certificate, this field has little, if any, utility.
• Issuer name: X.500 name of the CA that created and signed this certificate.
• Period of validity: Consists of two dates: the first and last on which the certificate is valid.
• Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.
• Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.
• Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.
• Subject unique identifier: An optional bit string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.
• Extensions: A set of one or more extension fields. Extensions were added in version 3 and are discussed later in this section.
• Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA's private key. This field
includes the signature algorithm identifier.
The unique identifier fields were added in version 2 to handle the possible reuse of subject and/or issuer names over time. These fields are rarely used.
CA<<A>> = CA {V, SN, AI, CA, UCA, A, UA, Ap, TA}
where
Y<<X>> = the certificate of user X issued by certification authority Y
Y{I} = the signing of I by Y. It consists of I with an encrypted hash code appended
V = version of the certificate
SN = serial number of the certificate
AI = identifier of the algorithm used to sign the certificate
CA = name of certificate authority
UCA = optional unique identifier of the CA
A = name of user A
UA = optional unique identifier of the user A
Ap = public key of user A
TA = period of validity of the certificate
Obtaining a User's Certificate
User certificates generated by a CA have the following characteristics:
• Any user with access to the public key of the CA can verify the user public key that was certified.
• No party other than the certification authority can modify the certificate without this being detected.
Suppose A has obtained a certificate from certification authority X1 and B has obtained a certificate from CA X2. If A does not securely know the public key of X2, then B's certificate, issued by X2, is useless to A. A can read B's certificate, but A cannot verify the signature. However, if the two CAs have securely exchanged their own public keys, the following procedure will enable A to obtain B's public key.
Step 1: A obtains from the directory the certificate of X2 signed by X1. Because A securely knows X1's public key, A can obtain X2's public key from its certificate and verify it by means of X1's signature on the certificate.
Step 2: A then goes back to the directory and obtains the certificate of B signed by X2. Because A now has a trusted copy of X2's public key, A can verify the signature and securely obtain B's public key.
A has used a chain of certificates to obtain B's public key. In the notation of X.509, this chain is expressed as
X1<<X2>> X2<<B>>
In the same fashion, B can obtain A's public key with the reverse chain:
X2<<X1>> X1<<A>>
This scheme need not be limited to a chain of two certificates. An arbitrarily
long path of CAs can be followed to produce a chain. A chain with N elements would be expressed as
X1<<X2>> X2<<X3>> ... XN<<B>>
In this case, each pair of CAs in the chain (Xi, Xi+1) must have created certificates for each other.
All these certificates of CAs by CAs need to appear in the directory, and the user needs to know how they are linked to follow a path to another user's public-key certificate.
X.509 suggests that CAs be arranged in a hierarchy so that navigation is straightforward.
• Forward certificates: Certificates of X generated by other CAs
• Reverse certificates: Certificates generated by X that are the certificates of other CAs
X.509 Version 3
The X.509 version 2 format does not convey all of the information that recent design and implementation experience has shown to be needed.
1. The subject field is inadequate to convey the identity of a key owner to a public-key user. X.509 names may be relatively short and lacking in obvious identification details that may be needed by the user.
2. The subject field is also inadequate for many applications, which typically recognize entities by an Internet e-mail address, a URL, or some other Internet-related identification.
3. There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
4. There is a need to limit the damage that can result from a faulty or malicious CA by setting constraints on the applicability of a particular certificate.
5. It is important to be able to identify different keys used by the same owner at different times. This feature supports key lifecycle management: in particular, the ability to update key pairs for users and CAs on a regular basis or under exceptional circumstances.
Key and Policy Information
These extensions convey additional information about the subject and issuer keys, plus indicators of certificate policy.
A certificate policy is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.
• Authority key identifier: Identifies the public key to be used to verify the signature on this certificate or CRL. Enables distinct keys of the same CA to be differentiated. One use of this field is to handle CA key pair updating.
• Subject key identifier: Identifies the public key being certified. Useful for subject key pair updating. Also, a subject may have multiple key pairs and, correspondingly, different certificates for different purposes (e.g., digital signature and encryption key agreement).
• Key usage: Indicates a restriction imposed as to the purposes for which, and the policies under which, the certified public key may be used. May indicate one or more of the following: digital signature, nonrepudiation, key encryption, data encryption, key agreement, CA signature verification on certificates, CA signature verification on CRLs.
• Private-key usage period: Indicates the period of use of the private key corresponding to the public key. Typically, the private key is used over a different period from the validity of the public key. For example, with digital signature keys, the usage period for the signing private key is typically shorter than that for the verifying public key.
• Certificate policies: Certificates may be used in environments where multiple policies apply. This extension lists policies that the certificate is recognized as supporting, together with optional qualifier information.
• Policy mappings: Used only in certificates for CAs issued by other CAs. Policy mappings allow an issuing CA to indicate that one or more of that issuer's policies can be considered equivalent to another policy used in the subject CA's domain.
Certificate Subject and Issuer Attributes
These extensions support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject to increase a certificate user's confidence that the certificate subject is a particular person or entity. The extension fields in this area include:
• Subject alternative name: Contains one or more alternative names, using any of a variety of forms. This field is important for supporting certain applications, such as electronic mail, EDI, and IPSec, which may employ their own name forms.
• Issuer alternative name: Contains one or more alternative names, using any of a variety of forms.
• Subject directory attributes: Conveys any desired X.500 directory attribute values for the subject of this certificate.
Certification Path Constraints
These extensions allow constraint specifications to be included in certificates issued for CAs by other CAs.
The constraints may restrict the types of certificates that can be issued by the subject CA or that may occur subsequently in a certification chain. The extension fields in this area include:
• Basic constraints: Indicates if the subject may act as a CA. If so, a certification path length constraint may be specified.
• Name constraints: Indicates a name space within which all subject names in subsequent certificates in a certification path must be located.
• Policy constraints: Specifies constraints that may require explicit certificate policy identification or inhibit policy mapping for the remainder of the certification path.
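As an added worked example (not part of the original notes and not the code of any X.509 library), the certificate-chain navigation described earlier in this section can be modelled in a few lines of Python: a directory of certificates in the X << S >> notation, a breadth-first search that finds a path from the CA the verifier trusts to the user whose key it wants, and a walk down the chain that checks each signature with the key obtained from the previous link. The names X1, X2, A and B follow the notes; the directory contents, the key parameters (textbook RSA over fixed Mersenne primes, an illustration only and not a secure signature scheme) and the search strategy are assumptions of this example.

```python
"""Added example (not from the original notes): a toy model of X.509
certificate chaining.  CAs X1 and X2 certify each other, X1 certifies user A
and X2 certifies user B.  A trusts only X1's public key and obtains B's key
through the chain X1 << X2 >> X2 << B >>; B gets A's key via the reverse chain.

Signatures are textbook RSA over fixed Mersenne primes (constructed parameters),
enough to show how each link is checked but NOT a secure signature scheme."""
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

E = 65537
Key = Tuple[int, int]          # (modulus, exponent)


def keygen(k1: int, k2: int) -> Tuple[Key, Key]:
    """Toy RSA key pair from the Mersenne primes 2^k1 - 1 and 2^k2 - 1."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, E), (n, d)               # (public, private)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the signer's modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class Certificate:
    issuer: str        # the X in "X << S >>"
    subject: str       # the S whose key is certified
    subject_key: Key   # public key being certified
    signature: int     # issuer's signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        return f"{self.issuer}|{self.subject}|{self.subject_key[0]}|{self.subject_key[1]}".encode()

    def notation(self) -> str:
        return f"{self.issuer} << {self.subject} >>"


def issue(issuer: str, issuer_priv: Key, subject: str, subject_key: Key) -> Certificate:
    """CA `issuer` signs `subject`'s public key, producing issuer << subject >>."""
    n, d = issuer_priv
    unsigned = Certificate(issuer, subject, subject_key, 0)
    return Certificate(issuer, subject, subject_key, pow(digest(unsigned.to_be_signed(), n), d, n))


def verify(cert: Certificate, issuer_key: Key) -> bool:
    """True when the certificate's signature checks under the issuer's public key."""
    n, e = issuer_key
    return pow(cert.signature, e, n) == digest(cert.to_be_signed(), n)


def find_chain(directory: List[Certificate], trusted_ca: str, target: str) -> List[Certificate]:
    """Breadth-first search over issuer -> subject links, from the CA the
    verifier trusts to the entity whose key it wants."""
    queue = deque([[c] for c in directory if c.issuer == trusted_ca])
    while queue:
        path = queue.popleft()
        if path[-1].subject == target:
            return path
        visited = {trusted_ca} | {c.subject for c in path}
        queue.extend(path + [c] for c in directory
                     if c.issuer == path[-1].subject and c.subject not in visited)
    raise LookupError(f"no certification path from {trusted_ca} to {target}")


def verify_chain(chain: List[Certificate], trusted_key: Key) -> Key:
    """Check each certificate with the key obtained from the previous link,
    starting from the trusted CA's key; return the final subject's key."""
    key = trusted_key
    for cert in chain:
        if not verify(cert, key):
            raise ValueError(f"signature check failed on {cert.notation()}")
        key = cert.subject_key
    return key


def build_demo_directory():
    """Constructed directory: cross-certified CAs X1, X2; A under X1, B under X2."""
    pairs = {"X1": keygen(89, 107), "X2": keygen(61, 127), "A": keygen(19, 31), "B": keygen(13, 17)}
    pub = {name: pk for name, (pk, _) in pairs.items()}
    priv = {name: sk for name, (_, sk) in pairs.items()}
    directory = [
        issue("X1", priv["X1"], "X2", pub["X2"]),   # X1 << X2 >>: forward cert of X2, reverse cert of X1
        issue("X2", priv["X2"], "X1", pub["X1"]),   # X2 << X1 >>
        issue("X1", priv["X1"], "A", pub["A"]),     # X1 << A >>
        issue("X2", priv["X2"], "B", pub["B"]),     # X2 << B >>
    ]
    return directory, pub


if __name__ == "__main__":
    directory, pub = build_demo_directory()
    chain = find_chain(directory, "X1", "B")          # A trusts X1 and wants B's key
    print(" ".join(c.notation() for c in chain))      # X1 << X2 >> X2 << B >>
    assert verify_chain(chain, pub["X1"]) == pub["B"]
    reverse = find_chain(directory, "X2", "A")        # B trusts X2 and wants A's key
    print(" ".join(c.notation() for c in reverse))    # X2 << X1 >> X1 << A >>
    assert verify_chain(reverse, pub["X2"]) == pub["A"]
```

The point for the relying party is in verify_chain: the only key it starts from is its own trusted CA's, and every later key is accepted solely because the previous link's signature checked. A certificate whose key was altered after signing, or a chain presented under the wrong trust anchor, fails at the link where the signature no longer matches.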
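A second added example (again not from the notes and not any library's API) shows the certification path constraints from the verifier's side: the damage a faulty or malicious CA can do is bounded only if the relying party enforces basic constraints (including the path length), name constraints and key usage on every certificate in a path whose signatures it has already checked. The certificate records, their field names and the constructed chains are assumptions of the example; name constraints are applied to DNS subject alternative names only, a simplification of the full X.509 rules.

```python
"""Added example (not from the original notes): enforcing the X.509 v3
certification-path constraints on a chain whose signatures were already
verified.  Certificates are plain Python records whose field names mirror
the extension names; the semantics are a simplified reading of RFC 5280
(DNS names only, no policy constraints)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False                      # basicConstraints.cA
    path_len: Optional[int] = None           # basicConstraints.pathLenConstraint
    key_usage: frozenset = frozenset()       # keyUsage bit names
    alt_names: Tuple[str, ...] = ()          # subjectAltName dNSName entries
    permitted: Tuple[str, ...] = ()          # nameConstraints.permittedSubtrees (DNS)
    excluded: Tuple[str, ...] = ()           # nameConstraints.excludedSubtrees (DNS)


def in_subtree(name: str, subtree: str) -> bool:
    """'www.example.com' lies within 'example.com' (or '.example.com')."""
    subtree = subtree.lstrip(".")
    return name == subtree or name.endswith("." + subtree)


def validate_path(chain: List[Cert], leaf_usage: str = "digitalSignature") -> List[str]:
    """chain[0] is the trusted CA, chain[-1] the end-entity certificate.
    Returns the list of constraint violations (empty means the path passes)."""
    problems: List[str] = []
    permitted_sets: List[Tuple[str, ...]] = []   # one entry per CA that set permittedSubtrees
    excluded: List[str] = []
    remaining: Optional[int] = None              # tightest pathLenConstraint still in force

    for i, cert in enumerate(chain):
        if i > 0 and cert.issuer != chain[i - 1].subject:
            problems.append(f"{cert.subject}: issuer {cert.issuer!r} is not the previous subject")

        # Name constraints from earlier CAs apply to this certificate's names
        # (a CA's own constraints bind only the certificates that follow it).
        for name in cert.alt_names:
            if any(not any(in_subtree(name, s) for s in subtrees) for subtrees in permitted_sets):
                problems.append(f"{cert.subject}: {name!r} outside permitted subtrees")
            if any(in_subtree(name, s) for s in excluded):
                problems.append(f"{cert.subject}: {name!r} inside an excluded subtree")

        if i == len(chain) - 1:                  # end entity: check its intended use and stop
            if leaf_usage not in cert.key_usage:
                problems.append(f"{cert.subject}: keyUsage lacks {leaf_usage}")
            break

        # Everything before the end entity must be a CA allowed to sign certificates.
        if not cert.is_ca:
            problems.append(f"{cert.subject}: basicConstraints cA=false yet it issued {chain[i + 1].subject}")
        if "keyCertSign" not in cert.key_usage:
            problems.append(f"{cert.subject}: keyUsage lacks keyCertSign")

        # pathLenConstraint: how many further intermediate CAs may follow.
        if i > 0 and remaining is not None:      # this intermediate consumes one hop
            if remaining == 0:
                problems.append(f"{cert.subject}: exceeds an earlier pathLenConstraint")
            else:
                remaining -= 1
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)

        if cert.permitted:
            permitted_sets.append(cert.permitted)
        excluded.extend(cert.excluded)
    return problems


# Constructed chain: a root, one issuing CA confined to example.com, one web server.
CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True, path_len=1, key_usage=CA_USAGE)
ISSUING = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0,
               key_usage=CA_USAGE, permitted=("example.com",))
WEB = Cert("www.example.com", "Example Issuing CA",
           key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
           alt_names=("www.example.com", "example.com"))
# Certificates that a faulty issuing CA could sign but that the constraints must reject:
OUTSIDE = Cert("login.example.net", "Example Issuing CA",
               key_usage=frozenset({"digitalSignature"}), alt_names=("login.example.net",))
SUB_CA = Cert("Unexpected Sub CA", "Example Issuing CA", is_ca=True, key_usage=CA_USAGE)
FROM_SUB = Cert("api.example.com", "Unexpected Sub CA",
                key_usage=frozenset({"digitalSignature"}), alt_names=("api.example.com",))
FROM_LEAF = Cert("mail.example.com", "www.example.com",
                 key_usage=frozenset({"digitalSignature"}), alt_names=("mail.example.com",))

if __name__ == "__main__":
    for chain in ([ROOT, ISSUING, WEB], [ROOT, ISSUING, OUTSIDE],
                  [ROOT, ISSUING, SUB_CA, FROM_SUB], [ROOT, ISSUING, WEB, FROM_LEAF]):
        print(" -> ".join(c.subject for c in chain), validate_path(chain) or "OK")
```

Each rejected chain maps to one extension from the list above: OUTSIDE violates the issuing CA's name constraints, SUB_CA exceeds the pathLenConstraint of 0 that confines the issuing CA to end-entity certificates, and FROM_LEAF is refused because www.example.com carries cA=false and no keyCertSign usage, so nothing it signs can be trusted. A verifier that checked only the signatures would accept all four.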