
UNIT IV MESSAGE AUTHENTICATION AND INTEGRITY

Authentication requirement – Authentication function – MAC – Hash function – Security of hash function and MAC – SHA – Digital signature and authentication protocols – DSS – Entity Authentication: Biometrics, Passwords, Challenge Response protocols – Authentication applications: Kerberos, X.509

Message authentication
Message authentication is a mechanism or service used to verify the integrity of a message, i.e., it verifies that received messages come from the alleged source and have not been altered.
• Message authentication assures that data received are exactly as sent (i.e., contain no modification, insertion, deletion, or replay) and that the purported identity of the sender is valid.
• Symmetric encryption provides authentication among those who share the secret key.
• A digital signature is an authentication technique that also includes measures to counter repudiation by the source.
Message authentication code (MAC)
A message authentication code (MAC) is an algorithm that requires the use of a secret key. A MAC takes a variable-length message and a secret key as input and produces an authentication code. A recipient in possession of the secret key can generate an authentication code to verify the integrity of the message.
• One means of forming a MAC is to combine a cryptographic hash function in some fashion with a secret key.
• Another approach to constructing a MAC is to use a symmetric block cipher in such a way that it produces a fixed-length output for a variable-length input.
4.1 AUTHENTICATION REQUIREMENT
The following attacks can be identified in the context of communications across a network:
1. Disclosure: Release of message contents to any person or process not possessing
the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties.
3. Masquerade: Insertion of messages into the network from a fraudulent source.
This includes the creation of messages by an opponent that are purported to come
from an authorized entity.

CS 8792-CNS UNIT IV Dr.R.Geetha /Professor & HoD / Department of CSE, S.A. Engineering College 1
4. Content modification: Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

4.2 AUTHENTICATION FUNCTION – MAC, HASH FUNCTION


The types of functions that are used to produce an authenticator are grouped into three classes.
• Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
• Message encryption: The ciphertext of the entire message serves as its authenticator.
• Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
4.2.1 Message Authentication Code (MAC)
An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K.
When A has a message to send to B, it calculates the MAC as a function of the message and the key:
MAC = C(K, M)
where
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
The message plus MAC are transmitted to the intended recipient. The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated MAC (Figure 3.1).

Figure 3.1: Basic Uses of Message Authentication Code (MAC): (a) message authentication; (b) message authentication and confidentiality, authentication tied to plaintext; (c) message authentication and confidentiality, authentication tied to ciphertext.
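As an added example (not from the original notes) of the first approach listed above, combining a hash function with a secret key: HMAC-SHA256 built directly from the bare hash, cross-checked against Python's hmac module, together with the recipient's compare step from Figure 3.1(a). The key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 works on 512-bit (64-byte) blocks, so the key is padded to 64 bytes


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """MAC = C(K, M) with C = HMAC: H((K' xor opad) || H((K' xor ipad) || M)).

    K' is the key padded with zeros to one hash block; keys longer than a block are hashed first.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def verify_mac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recipient side: recompute the MAC over the received message and compare with the received tag.

    compare_digest runs in constant time, so a rejection leaks nothing about how many bytes matched.
    """
    return hmac.compare_digest(hmac_sha256(key, message), received_tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against the standard library implementation."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


# Constructed sample values: the key A and B share, and a message A sends to B.
SHARED_KEY = b"shared-secret-between-A-and-B"
MESSAGE = b"TRANSFER 100 TO ACCOUNT 4242"


def demo() -> dict:
    """Tag a message as A, then show what B's check returns for the genuine and for altered inputs."""
    tag = hmac_sha256(SHARED_KEY, MESSAGE)
    return {
        "genuine": verify_mac(SHARED_KEY, MESSAGE, tag),
        "modified_message": verify_mac(SHARED_KEY, b"TRANSFER 900 TO ACCOUNT 4242", tag),
        "wrong_key": verify_mac(b"some-other-key", MESSAGE, tag),
        "truncated_tag": verify_mac(SHARED_KEY, MESSAGE, tag[:16]),
    }


if __name__ == "__main__":
    print(demo())
```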

4.2.2 Hash Function

• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).
• A “good” hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random.
• In general terms, the principal object of a hash function is data integrity.
• A change to any bit or bits in M results, with high probability, in a change to the hash code.

Figure shows the general operation of a cryptographic hash function. The input is padded out
to an integer multiple of some fixed length (e.g., 1024 bits), and the padding includes the
value of the length of the original message in bits.

Figure: Block Diagram of Cryptographic Hash Function; h = H(M)


Requirements for a Cryptographic Hash Function H
Variable input size: H can be applied to a block of data of any size.
Fixed output size: H produces a fixed-length output.
Efficiency: H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
Preimage resistant (one-way property): For any given hash value h, it is computationally infeasible to find y such that H(y) = h.
Second preimage resistant (weak collision resistant): For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
Collision resistant (strong collision resistant): It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
Pseudorandomness: Output of H meets standard tests for pseudorandomness.

4.3 SECURITY OF HASH FUNCTION AND MAC
4.3.1 Security of hash function
There are two categories of attacks on hash functions: brute-force attacks and cryptanalysis.
• A brute-force attack does not depend on the specific algorithm but depends only on bit length. In the case of a hash function, a brute-force attack depends only on the bit length of the hash value.
• Cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic algorithm.
Preimage and second preimage attack
For a preimage or second preimage attack, an adversary wishes to find a value y such that H(y) is equal to a given hash value h, i.e., find y such that H(y) = h.

Collision resistant attacks

For a collision resistant attack, an adversary wishes to find two messages or data blocks, x and y, that yield the same hash value, i.e., find two messages x and y with the same hash, so that H(x) = H(y).
• Hence the value 2^(m/2) determines the strength of an m-bit hash code against brute-force attacks (128 bits inadequate, 160 bits suspect).
Birthday Attacks
This cryptanalytic attack attempts to find two values in the domain of a function that map to the same value in its range.
• One might think a 64-bit hash is secure, but by the birthday paradox it is not.
• The birthday attack works as follows:
  o A user is prepared to sign a valid message x.
  o The opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and saves them.
  o The opponent generates 2^(m/2) variations y' of a desired fraudulent message y.
  o The two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox).
  o The opponent has the user sign the valid message, then substitutes the forgery, which will have a valid signature.
• The conclusion is that a larger MAC/hash must be used.
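To make the 2^(m/2) figure concrete, here is an added example (not part of the notes) that runs the two-set search described above on a hash truncated to m bits and computes the matching-pair probability for any m and set size; the truncation and the counter-numbered message variants are constructed for the demonstration, and the probability function generalizes the text's "> 0.5 at 2^(m/2)" to arbitrary set sizes.

```python
import hashlib
import math


def truncated_hash(data: bytes, m_bits: int) -> int:
    """Toy m-bit hash code: the leading m bits of SHA-256 (a constructed stand-in for a short hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)


def find_matching_pair(m_bits: int, n: int):
    """Two-set birthday search as in the text: n variants of the valid message x and n variants
    of the fraudulent message y. Returns (x_variant, y_variant) with equal m-bit hash, or None.
    The variants are constructed counters standing in for wording changes with the same meaning."""
    valid = {}
    for i in range(n):
        x = b"valid message, variant %d" % i
        valid.setdefault(truncated_hash(x, m_bits), x)
    for j in range(n):
        y = b"fraudulent message, variant %d" % j
        h = truncated_hash(y, m_bits)
        if h in valid:
            return valid[h], y
    return None


def cross_collision_probability(m_bits: int, n: int) -> float:
    """P(some x-variant and some y-variant share an m-bit hash) = 1 - (1 - 2^-m)^(n*n),
    which is about 1 - exp(-n*n / 2^m); with n = 2^(m/2) this is 1 - 1/e, about 0.63 > 0.5."""
    return 1 - math.exp(-n * n / 2 ** m_bits)


def work_factor_bits(m_bits: int) -> int:
    """Trials per set for a better-than-even chance: 2^(m/2), i.e. m/2 bits of work, which is
    why a 128-bit hash offers only 64-bit collision strength."""
    return m_bits // 2
```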
4.3.2 Security of MACs
The attacks on MACs are grouped into two categories: brute-force attacks and cryptanalysis.
Brute-force attack
A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a hash function because it requires known message-tag pairs.
To attack a hash code, we can proceed in the following way. Given a fixed message x with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x).
• Brute-force attacks exploiting the strong collision resistance of an m-bit hash have cost 2^(m/2) (a 128-bit hash looks vulnerable, 160 bits is better).
The security property of a MAC algorithm is expressed as follows.
Computation resistance: Given one or more text-MAC pairs [xi, MAC(K, xi)], it is computationally infeasible to compute any text-MAC pair [x, MAC(K, x)] for any new input x ≠ xi.
• In other words, the attacker would like to come up with the valid MAC code for a given message. There are two lines of attack possible: attack the key space and attack the MAC value.
• If an attacker can determine the MAC key, then it is possible to generate a valid MAC value for any input.
• Suppose the key has a given size in bits and that the attacker has one known text–tag pair. Then the attacker can compute the tag on the known text for all possible keys.
• Cryptanalytic attacks exploit structure.
  o As with block ciphers, we want brute-force attacks to be the best alternative.
• There is more variety among MACs, so it is harder to generalize about cryptanalysis.
4.4 SECURE HASH ALGORITHM (SHA)
• SHA is based on the hash function MD4, and its design closely models MD4.
• SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512, respectively.

Comparison of SHA Parameters (all sizes in bits)
                       SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Message digest size    160      224      256      384      512
Message size           < 2^64   < 2^64   < 2^64   < 2^128  < 2^128
Block size             512      512      512      1024     1024
Word size              32       32       32       64       64
Number of steps        80       64       64       80       80

SHA-512 Logic
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks. Figure 3.6 depicts the overall processing of a message to produce a digest.

Figure 3.6: Message Digest Generation Using SHA-512

• The processing consists of the following steps.

Step 1 Append padding bits. The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)].
• Padding is always added, even if the message is already of the desired length.
• Thus, the number of padding bits is in the range of 1 to 1024.

• The padding consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message.
• This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).
• The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length. In Figure 3.6, the expanded message is represented as the sequence of 1024-bit blocks M1, M2, …, MN, so that the total length of the expanded message is N × 1024 bits.
Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash function.
• The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

Step 4 Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in Figure 3.6.
• The logic is illustrated in Figure 3.7.
• Each round takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer. At input to the first round, the buffer has the value of the intermediate hash value Hi-1.
• Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being processed (Mi).
• Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of the 80 rounds.
• The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi.
• The addition is done independently for each of the eight words in the buffer with each of the corresponding words in Hi-1, using addition modulo 2^64.

Step 5 Output. After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
The behavior of SHA-512 is summarized as follows:
H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN

where
IV = initial value of the abcdefgh buffer, defined in step 3
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value

Figure 3.7: SHA-512 Processing of a Single 1024-Bit Block

SHA-512 Round Function


The logic in each of the 80 steps of the processing of one 1024-bit block is shown in Figure 3.8. Each round is defined by the following set of equations:

Figure 3.8: Elementary SHA-512 Operation (single round)
Two observations can be made about the round function.
1. Six of the eight words of the output of the round function involve simply permutation (b, c, d, f, g, h) by means of rotation. This is indicated by shading in Figure 3.8.
2. Only two of the output words (a, e) are generated by substitution. Word e is a function of input variables (d, e, f, g, h), as well as the round word Wt and the constant Kt. Word a is a function of all of the input variables except d, as well as the round word Wt and the constant Kt.
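A complete SHA-512 in Python, added here as a worked example (not code from the notes), that follows steps 1 to 5 and the single-round logic just described. The constants IV and Kt are derived the way FIPS 180 defines them (first 64 bits of the fractional parts of the square roots of the first 8 primes and of the cube roots of the first 80 primes) rather than typed in, and the result is checked against hashlib.

```python
import hashlib
import math

MASK64 = (1 << 64) - 1


def _first_primes(n: int) -> list:
    """The first n primes by trial division (80 are needed for the round constants)."""
    found = []
    c = 2
    while len(found) < n:
        if all(c % p for p in found if p * p <= c):
            found.append(c)
        c += 1
    return found


def _icbrt(n: int) -> int:
    """Exact integer cube root floor(n^(1/3)) by Newton's method, so no float rounding creeps in."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Step 3 initial value IV and the 80 additive constants Kt, computed from sqrt(p) * 2^64 and
# cbrt(p) * 2^64 with the integer part masked off (the fractional-part rule of the standard).
IV = [math.isqrt(p << 128) & MASK64 for p in _first_primes(8)]
K = [_icbrt(p << 192) & MASK64 for p in _first_primes(80)]


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def pad_message(message: bytes) -> bytes:
    """Steps 1 and 2: a single 1 bit, 0 bits until length = 896 mod 1024, then the 128-bit
    big-endian length of the original message. Padding is added even when the message already
    has the right length, so between 1 and 1024 padding bits are appended."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + bit_length.to_bytes(16, "big")


def compress_block(h_prev: list, block: bytes) -> list:
    """Step 4, module F: 80 rounds over one 1024-bit block; returns SUM64(H_{i-1}, abcdefgh_i)."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):  # message schedule: the 16 block words expand to 80 round words Wt
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = h_prev
    for t in range(80):
        big_s1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[t] + w[t]) & MASK64   # uses e, f, g, h, Wt, Kt
        big_s0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK64                     # uses a, b, c
        # b, c, d, f, g, h are simply the previous a, b, c, e, f, g (permutation);
        # only e = d + T1 and a = T1 + T2 are computed afresh (substitution).
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h_prev, (a, b, c, d, e, f, g, h))]


def sha512(message: bytes) -> bytes:
    """H0 = IV; Hi = SUM64(H_{i-1}, abcdefgh_i) per 1024-bit block; MD = HN (step 5)."""
    data = pad_message(message)
    h = IV
    for i in range(0, len(data), 128):
        h = compress_block(h, data[i:i + 128])
    return b"".join(word.to_bytes(8, "big") for word in h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library's SHA-512."""
    return sha512(message) == hashlib.sha512(message).digest()
```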

4.5 DIGITAL SIGNATURE AND AUTHENTICATION PROTOCOLS


Digital Signature
• A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
• The signature is formed by taking the hash of the message and encrypting that hash with the creator’s private key.
• The signature guarantees the source and integrity of the message. Figure 3.13 shows the generic model of the digital signature process.

Properties of Digital Signature
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

Figure 3.13: Generic Model of Digital Signature Process


Attacks and Forgeries
The types of attacks are listed in order of increasing severity. Let A denote the user whose signature method is being attacked, and C denote the attacker.
• Key-only attack: C only knows A’s public key.
• Known message attack: C is given access to a set of messages and their signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key. C then obtains from A valid signatures for the chosen messages.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an “oracle.” This means that C may request signatures of messages that depend on previously obtained message–signature pairs.

Break success levels
o Total break
o Selective forgery
o Existential forgery
Digital Signature Requirements
• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.

Direct Digital Signature


Direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.
4.6 DSS (DIGITAL SIGNATURE STANDARD)

• The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS).
• The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA).

The DSS Approach


The DSS uses an algorithm that is designed to provide only the digital signature
function.
Figure contrasts the DSS approach for generating digital signatures to that used with
RSA.

In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length. This hash code is then encrypted using
the sender’s private key to form the signature. Both the message and the signature are
then transmitted. The recipient takes the message and produces a hash code. The
recipient also decrypts the signature using the sender’s public key. If the calculated
hash code matches the decrypted signature, the signature is accepted as valid.

Figure: Two Approaches to Digital Signatures

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number generated for this particular signature. The signature function also depends on the sender’s private key (PRa) and a set of parameters known to a group of communicating principals. This set is considered to constitute a global public key (PUG). The result is a signature consisting of two components, labeled s and r.
At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The verification function also depends on the global public key as well as the sender’s public key, which is paired with the sender’s private key. The output of the verification function is a value that is equal to the signature component r if the signature is valid.
The Digital Signature Algorithm
The different phases of the Digital Signature Algorithm, namely Key Generation, Signature Creation and Signature Verification, are described as follows.
DSA Key Generation
• Shared global public key values (p, q, g):
  o choose a 160-bit prime number q
  o choose a large prime p with 2^(L-1) < p < 2^L
  o where L = 512 to 1024 bits and is a multiple of 64
  o such that q is a 160-bit prime divisor of (p-1)
  o choose g = h^((p-1)/q) mod p
    ▪ where 1 < h < p-1 and h^((p-1)/q) mod p > 1
• Users choose a private key and compute the public key:
  o choose random private key: x < q
  o compute public key: y = g^x mod p
DSA Signature Creation
• To sign a message M the sender:
  o generates a random signature key k, k < q
  o k must be random, be destroyed after use, and never be reused
• then computes the signature pair:
  o r = (g^k mod p) mod q
  o s = [k^(-1) (H(M) + xr)] mod q
• sends signature (r, s) with message M
DSA Signature Verification
• having received M and signature (r, s) (the received values are written M', r', s' below)
• to verify the signature, the recipient computes:
  o w = (s')^(-1) mod q
  o u1 = [H(M') w] mod q
  o u2 = (r') w mod q
  o v = [(g^u1 y^u2) mod p] mod q
• if v = r' then the signature is verified

4.7 ENTITY AUTHENTICATION: BIOMETRICS, PASSWORDS, CHALLENGE
RESPONSE PROTOCOLS

Remote User-Authentication Principles


• The process of verifying an identity claimed by or for a system entity.
• An authentication process consists of two steps:
  o Identification step: presenting an identifier to the security system.
  o Verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier.

Means of User Authentication
There are four general means of authenticating a user’s identity, which can be used alone or in combination:
• Something the individual knows: Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
• Something the individual possesses: Examples include cryptographic keys, electronic keycards, smart cards, and physical keys. This is referred to as a token.
• Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

4.8 AUTHENTICATION APPLICATIONS

• Authentication applications use authentication functions and are developed to support application-level authentication and digital signatures.
• Kerberos is a private-key third-party authentication service, whereas X.509 is a directory authentication service.

4.9 KERBEROS

Kerberos is a trusted key server system from MIT. It provides centralised private-key third-party authentication in a distributed network that does the following:
• It allows users access to services distributed through the network.
• It does authentication without needing to trust all workstations involved.
• It rather trusts a central authentication server.
There are two versions of Kerberos in use: version 4 and version 5.


Kerberos Requirements
The first report published on Kerberos listed the following requirements:
• Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
• Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
• Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
• Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
It is implemented using an authentication protocol based on Needham-Schroeder.
Kerberos version 4 overview
Kerberos is a basic third-party authentication scheme that has an Authentication Server (AS) and a Ticket Granting Server (TGS). The Authentication Server (AS) performs authentication: users initially negotiate with the AS to identify themselves, and the AS provides a non-corruptible authentication credential (the ticket granting ticket, TGT).

The Ticket Granting Server (TGS) issues tickets to users. Users subsequently request access to other services from the TGS on the basis of the user's Ticket Granting Ticket (TGT).
Kerberos uses a complex protocol using DES.
A simple authentication dialogue
In an unsecured environment any client can access any server for service. This carries a risk of impersonation. To counter this threat, servers must be able to confirm the identities of clients, which we call authentication. If each server is given this authentication job in addition, it creates a substantial burden on every server. An alternative is to use an authentication server (AS) that knows the passwords of all users, stored centrally in a database. The AS shares a unique secret key with each server.

(1) C → AS : IDC || PC || IDV
(2) AS → C : Ticket
(3) C → V : E(KV, [IDC || ADC || IDV])
where
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
KV = secret encryption key shared by AS and V
Kerberos v4 Dialogue

1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID
and password to the AS, together with the TGS ID, indicating a request to use the TGS
service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's
password. When this response arrives at the client, the client prompts the user for his or her
password, generates the key, and attempts to decrypt the incoming message. If the correct
password is supplied, the ticket is successfully recovered.
3. The client requests a service-granting ticket on behalf of the user. For this purpose, the
client transmits a message to the TGS containing the user's ID, the ID of the desired service,
and the ticket-granting ticket.
4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the
presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares
the user ID and network address with the incoming information to authenticate the user. If the
user is permitted access to the server V, the TGS issues a ticket to grant access to the
requested service.
5. The client requests access to a service on behalf of the user. For this purpose, the client
transmits a message to the server containing the user's ID and the service-granting ticket. The
server authenticates by using the contents of the ticket.

6. The server gives access to the client.
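An added simulation (not from the notes) of the simple dialogue and the version 4 steps above: the AS wraps a ticket-granting ticket under the user's password-derived key (steps 1 and 2), the TGS performs the step-4 checks (its own ID present after decryption, lifetime not expired, user ID and network address matching the presenter) before issuing a service-granting ticket, and server V repeats the same checks (step 5). The seal/unseal pair is a constructed keyed encoding standing in for the DES encryption of Kerberos v4, and the names, addresses and passwords are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a keystream (part of the toy cipher below)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy E(K, [fields]): XOR with the keystream plus an HMAC tag. A constructed stand-in
    for the DES encryption Kerberos v4 uses, not a real cipher."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Inverse of seal; returns None when the key is wrong or the blob was altered."""
    body, tag = blob[:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: bytes) -> bytes:
    """Key derived from the user's password (toy derivation)."""
    return hashlib.sha256(b"kerberos-toy|" + password).digest()


# Constructed sample realm: the AS shares a secret key with the TGS and with server V,
# and knows each registered user's password-derived key.
SERVER_KEYS = {"tgs": os.urandom(32), "v": os.urandom(32)}
USER_KEYS = {"alice": password_key(b"correct horse battery")}


def as_issue_tgt(user_id: str, addr: str, now: int, lifetime: int = 3600):
    """Steps 1-2: the AS returns the TGT (readable only by the TGS) wrapped under the user's key."""
    if user_id not in USER_KEYS:
        return None
    tgt = seal(SERVER_KEYS["tgs"], {"id": user_id, "addr": addr, "srv": "tgs",
                                    "ts": now, "life": lifetime})
    return seal(USER_KEYS[user_id], {"tgt": tgt.hex()})


def check_ticket(ticket: bytes, server_id: str, claimed_id: str, claimed_addr: str, now: int):
    """The checks of step 4 (TGS) and step 5 (server V): decrypt under the server's own key,
    confirm the server's ID is present, the lifetime has not expired, and the user ID and
    network address match the presenter. Returns (accepted, reason)."""
    t = unseal(SERVER_KEYS[server_id], ticket)
    if t is None or t.get("srv") != server_id:
        return False, "ticket undecipherable or not issued for this server"
    if now > t["ts"] + t["life"]:
        return False, "ticket lifetime expired"
    if (t["id"], t["addr"]) != (claimed_id, claimed_addr):
        return False, "user id or network address does not match ticket"
    return True, "ok"


def tgs_issue_service_ticket(tgt: bytes, user_id: str, addr: str, service: str, now: int):
    """Steps 3-4: the TGS validates the TGT and, if acceptable, issues a service-granting ticket."""
    ok, _ = check_ticket(tgt, "tgs", user_id, addr, now)
    if not ok or service not in SERVER_KEYS:
        return None
    return seal(SERVER_KEYS[service], {"id": user_id, "addr": addr, "srv": service,
                                       "ts": now, "life": 300})


def run_dialogue(password: bytes, addr: str = "10.0.0.5", now: int = None, present_from: str = None) -> str:
    """Client side of steps 1-6 for user alice; returns the verdict reached at server V."""
    now = int(time.time()) if now is None else now
    reply = as_issue_tgt("alice", addr, now)
    inner = unseal(password_key(password), reply)         # step 2: wrong password -> unreadable
    if inner is None:
        return "cannot recover TGT: wrong password"
    presenter = present_from or addr                       # address the tickets are presented from
    st = tgs_issue_service_ticket(bytes.fromhex(inner["tgt"]), "alice", presenter, "v", now)
    if st is None:
        return "TGS refused to issue service ticket"
    return check_ticket(st, "v", "alice", presenter, now)[1]
```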

Kerberos Realms
A typical Kerberos environment consists of
a. A Kerberos server
b. A number of clients, all registered with server
c. Application servers, sharing keys with server

This is termed a realm, typically a single administrative domain. If the system has multiple realms, their Kerberos servers must share keys and trust each other.

Figure: Kerberos Realms

4.10 X.509

It is a part of the CCITT X.500 directory service standards. The directory is, in effect, a server or distributed servers maintaining a database of information about users. X.509 defines a framework for authentication services.
It acts as a repository to store public-key certificates, each containing the public key of a user and signed with the private key of the certification authority. X.509 is an important standard because the certificate structure and the authentication protocols defined in X.509 are used in a variety of contexts. For example, the X.509 certificate format is used in S/MIME. The algorithms are not standardised, but RSA is recommended.
X.509 Certificates
The heart of X.509 is the public key certificate associated with each user. The certificates are created and issued by a Certification Authority (CA) and contain the following fields:
Version: Differentiates among successive versions of the certificate format; the default is version 1. If the issuer unique identifier or subject unique identifier is present, the value must be version 2. If one or more extensions are present, the version must be version 3.

Serial number: An integer value unique within the issuing CA that is unambiguously
associated with this certificate.

Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated parameters. Because this information is repeated in the signature field at the end of the certificate, this field has little, if any, utility.

Issuer name: X.500 name of the CA that created and signed this certificate.

Period of validity: Consists of two dates: the first and last on which the certificate is valid.

Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.

Subject’s public-key information: The public key of the subject, plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.

Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.

Subject unique identifier: An optional bit string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.

Extensions: A set of one or more extension fields. Extensions were added in version 3 and are discussed later in this section.

Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA’s private key. This field includes the signature algorithm identifier.

The unique identifier fields were added in version 2 to handle the possible reuse of
subject and/or issuer names over time. These fields are rarely used. The standard uses the
following notation to define a certificate:

OBTAINING A CERTIFICATE
• Any user with access to the CA can get any certificate from it.
• Only the CA can modify a certificate; because certificates cannot be forged, they can be placed in a public directory.

CA HIERARCHY
• If both users share a common CA then they are assumed to know its public key; otherwise the CAs must form a hierarchy.
• It uses certificates linking members of the hierarchy to validate other CAs, and each CA has certificates for clients (forward) and parent (backward).
• Each client trusts its parent's certificates.
• It enables verification of any certificate from one CA by users of all other CAs in the hierarchy.

Figure: CA Hierarchy Use (Certificate Hierarchy)
CERTIFICATE REVOCATION
• Every certificate has a period of validity.
• There are situations where a certificate may need to be revoked before expiry, e.g.:
1. User's private key is compromised
2. User is no longer certified by this CA
3. CA's certificate is compromised
• CAs maintain a list of revoked certificates in the Certificate Revocation List (CRL), and users should check certificates against the CA's CRL.
