CNS Unit IV Notes
Message authentication
Message authentication is a mechanism or service used to verify the integrity of a
message. (i.e., it verifies that received messages come from the alleged source and have
not been altered.)
Message authentication assures that data received are exactly as sent (i.e., contain
no modification, insertion, deletion, or replay) and that the purported identity of the
sender is valid.
Symmetric encryption provides authentication among those who share the secret key.
A digital signature is an authentication technique that also includes measures to
counter repudiation by the source.
Message authentication code (MAC)
A message authentication code (MAC) is an algorithm that requires the use of a secret
key. A MAC takes a variable-length message and a secret key as input and produces an
authentication code. A recipient in possession of the secret key can generate an
authentication code to verify the integrity of the message.
One means of forming a MAC is to combine a cryptographic hash function in some
fashion with a secret key.
Another approach to constructing a MAC is to use a symmetric block cipher in such a
way that it produces a fixed-length output for a variable-length input.
4.1 AUTHENTICATION REQUIREMENT
The following attacks can be identified in the context of communications across a
network:
1. Disclosure: Release of message contents to any person or process not possessing
the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties.
3. Masquerade: Insertion of messages into the network from a fraudulent source.
This includes the creation of messages by an opponent that are purported to come
from an authorized entity.
CS 8792-CNS UNIT IV Dr.R.Geetha /Professor & HoD / Department of CSE, S.A. Engineering College 1
4. Content modification: Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.
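The MAC construction from the paragraph above (a hash function keyed with a secret, here HMAC-SHA-512 from Python's standard library) applied to this attack list, as an added example that is not part of the notes: the tag covers a sequence number and a timestamp as well as the payload, so the receiver can detect content modification, sequence modification and replay, not only masquerade. The frame layout, the 30-second window and the key are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32          # HMAC-SHA-512 tag truncated to 256 bits for this example
MAX_SKEW = 30         # seconds a frame may be late before it counts as stale


def protect(key, seq, ts, payload):
    """Sender: frame = seq(8) || ts(8) || payload || MAC(K, seq || ts || payload).
    The MAC covers the sequence number and timestamp, not just the payload."""
    header = struct.pack(">QQ", seq, ts)
    tag = hmac.new(key, header + payload, hashlib.sha512).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Holds the shared key and the highest sequence number accepted so far."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame, now):
        """Return the payload if the frame is authentic, fresh and in order;
        otherwise a string naming the attack from the list above that it matches."""
        if len(frame) < 16 + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha512).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return "bad MAC (masquerade or content modification)"
        seq, ts = struct.unpack(">QQ", body[:16])
        if abs(now - ts) > MAX_SKEW:
            return "stale (timing modification: delay or replay)"
        if seq <= self.last_seq:
            return "repeated or out of order (sequence modification)"
        self.last_seq = seq
        return body[16:]


def demo():
    """Constructed traffic: a genuine frame followed by three tampered deliveries."""
    key = b"constructed demo key, not for real use"
    rx = Receiver(key)
    genuine = protect(key, 1, 1_000_000, b"transfer 10")
    results = [rx.accept(genuine, 1_000_005)]
    # Content modification: a same-length payload swapped in, original tag kept.
    forged = genuine[:16] + b"transfer 99" + genuine[-TAG_LEN:]
    results.append(rx.accept(forged, 1_000_005))
    # Replay: the genuine frame delivered a second time, still inside the window.
    results.append(rx.accept(genuine, 1_000_006))
    # Timing modification: a correctly tagged frame held back for 100 seconds.
    results.append(rx.accept(protect(key, 2, 1_000_000, b"next"), 1_000_100))
    return results
```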
Figure (a): Message authentication
The figure shows the general operation of a cryptographic hash function. The input is padded
out to an integer multiple of some fixed length (e.g., 1024 bits), and the padding includes the
value of the length of the original message in bits.
4.3 SECURITY OF HASH FUNCTION AND MAC
4.3.1 Security of hash function
There are two categories of attacks on hash functions: brute-force attacks and
cryptanalysis.
A brute-force attack does not depend on the specific algorithm but depends
only on bit length. In the case of a hash function, a brute-force attack depends
only on the bit length of the hash value.
Cryptanalysis, in contrast, is an attack based on weaknesses in a particular
cryptographic algorithm.
Preimage and second preimage attack
For a preimage or second preimage attack, an adversary wishes to find a value y such that
H(y) is equal to a given hash value h.
The conclusion is that a larger MAC or hash value needs to be used.
4.3.2 Security of MACs
The attacks on MACs are grouped into two categories: brute-force attacks and cryptanalysis.
Brute-force attack
A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a
hash function because it requires known message-tag pairs.
To attack a hash code, we can proceed in the following way.
Given a fixed message x with n-bit hash code h = H(x), a brute-force method of finding a
collision is to pick a random bit string y and check whether H(y) = H(x).
Brute-force attacks exploiting strong collision resistance of an m-bit hash have cost on the
order of 2^(m/2), so a 128-bit hash looks vulnerable and 160 bits is better.
The security property of a MAC algorithm is expressed as follows.
Computation resistance: Given one or more text-MAC pairs [xi, MAC(K, xi)], it is
computationally infeasible to compute any text-MAC pair [x, MAC(K, x)] for any new input
x ≠ xi.
In other words, the attacker would like to come up with the valid MAC code for a
given message. There are two lines of attack possible: attack the key space and attack
the MAC value.
If an attacker can determine the MAC key, then it is possible to generate a valid MAC
value for any input.
Suppose the key size is bits and that the attacker has one known text–tag pair. Then
the attacker can compute the -bit tag on the known text for all possible keys.
Cryptanalytic attacks exploit the structure of the algorithm.
o As with block ciphers, the goal is that a brute-force attack is the best attack available.
Because there is a greater variety of MAC designs, it is harder to generalize about their
cryptanalysis.
4.4 SECURE HASH ALGORITHM (SHA)
SHA is based on the hash function MD4, and its design closely models MD4.
SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version
of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value
lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512,
respectively.
Comparison of SHA Parameters (all sizes in bits)
                       SHA-1     SHA-224   SHA-256   SHA-384   SHA-512
Message Digest Size    160       224       256       384       512
Message Size           < 2^64    < 2^64    < 2^64    < 2^128   < 2^128
Block Size             512       512       512       1024      1024
Word Size              32        32        32        64        64
Number of Steps        80        64        64        80        80
SHA-512 Logic
The algorithm takes as input a message with a maximum length of less than 2^128 bits and
produces as output a 512-bit message digest.
The input is processed in 1024-bit blocks. Figure 3.6 depicts the overall processing of
a message to produce a digest.
Step 1 Append padding bits. The message is padded so that its length is congruent to 896
modulo 1024 [length ≡ 896 (mod 1024)].
Padding is always added, even if the message is already of the desired length.
Thus, the number of padding bits is in the range of 1 to 1024.
The padding consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2 Append length. A block of 128 bits is appended to the message.
This block is treated as an unsigned 128-bit integer (most significant byte first) and
contains the length of the original message (before the padding).
The outcome of the first two steps yields a message that is an integer multiple of 1024
bits in length. In Figure 3.6, the expanded message is represented as the sequence of
1024-bit blocks M1, M2, ..., MN, so that the total length of the expanded message is
N × 1024 bits.
Step 3 Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results
of the hash function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
Step 4 Process message in 1024-bit (128-word) blocks. The heart of the algorithm is a
module that consists of 80 rounds; this module is labeled F in Figure 3.6.
The logic is illustrated in Figure 3.7.
Each round takes as input the 512-bit buffer value, abcdefgh, and updates the contents
of the buffer. At input to the first round, the buffer has the value of the intermediate
hash value, Hi-1.
Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block
being processed (Mi).
Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of
the 80 rounds.
The output of the eightieth round is added to the input to the first round (Hi-1) to
produce Hi.
The addition is done independently for each of the eight words in the buffer with each
of the corresponding words in Hi-1, using addition modulo 2^64.
Step 5 Output. After all N 1024-bit blocks have been processed, the output from the Nth
stage is the 512-bit message digest.
The behavior of SHA-512 is summarized as follows:
H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN
where
IV = initial value of the abcdefgh buffer, defined in step 3
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value
Figure: Elementary SHA-512 Operation (single round)
Two observations can be made about the round function.
1. Six of the eight words of the output of the round function involve simply
permutation (b, c, d, f, g, h) by means of rotation. This is indicated by shading in
Figure 3.8.
2. Only two of the output words (a, e) are generated by substitution. Word e is a
function of the input variables (d, e, f, g, h), as well as the round word Wt and the
constant Kt. Word a is a function of all of the input variables except d, as well as the
round word Wt and the constant Kt.
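The five SHA-512 steps above and the two round-function observations carried through as a complete implementation in Python; this is an added example, not code from the notes. Rather than typing in the IV and the 80 constants Kt, it derives them from the fractional parts of the square and cube roots of the first primes (their FIPS 180 definition), and the result is checked against hashlib.sha512.

```python
import hashlib
import math

MASK = (1 << 64) - 1

def first_primes(n):
    """First n primes; used only to derive the IV and the K_t constants."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def icbrt(n):
    """Exact integer cube root (Newton's method from a provable over-estimate)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

PRIMES = first_primes(80)
# Step 3 IV: first 64 fractional bits of sqrt(p) for the first 8 primes.
IV = [math.isqrt(p << 128) & MASK for p in PRIMES[:8]]
# Additive constants K_t: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [icbrt(p << 192) & MASK for p in PRIMES]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def pad(msg):
    """Steps 1-2: a 1 bit, zeros until length = 896 (mod 1024), then the 128-bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + (len(msg) * 8).to_bytes(16, "big")

def compress(h, block):
    """Step 4: 80 rounds over one 1024-bit block, then SUM64 with H_{i-1}."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):  # message schedule W_16 .. W_79
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        # Only a and e are substituted; the other six words just shift down.
        t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def sha512(msg):
    """Step 5: chain compress() over all N blocks; H_N is the digest."""
    h, padded = IV, pad(msg)
    for i in range(0, len(padded), 128):
        h = compress(h, padded[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in h)

def matches_hashlib(msg):
    return sha512(msg) == hashlib.sha512(msg).digest()
```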
Properties of Digital Signature
It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
Break success levels
o total break
o selective forgery
o existential forgery
Digital Signature Requirements
The signature must be a bit pattern that depends on the message being signed.
The signature must use some information unique to the sender to prevent both
forgery and denial.
It must be relatively easy to produce the digital signature.
It must be relatively easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature, either by
constructing a new message for an existing digital signature or by constructing
a fraudulent digital signature for a given message.
It must be practical to retain a copy of the digital signature in storage.
In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length. This hash code is then encrypted using
the sender’s private key to form the signature. Both the message and the signature are
then transmitted. The recipient takes the message and produces a hash code. The
recipient also decrypts the signature using the sender’s public key. If the calculated
hash code matches the decrypted signature, the signature is accepted as valid.
The DSS approach also makes use of a hash function. The hash code is provided as
input to a signature function along with a random number generated for this particular
signature. The signature function also depends on the sender’s private key (PRa) and a
set of parameters known to a group of communicating principals. This set is
considered to constitute a global public key (PUG). The result is a signature consisting
of two components, labeled s and r.
At the receiving end, the hash code of the incoming message is generated. This plus
the signature is input to a verification function. The verification function also depends
on the global public key as well as the sender's public key, which is paired with the
sender's private key. The output of the verification function is a value that is equal to
the signature component r if the signature is valid.
The Digital Signature Algorithm
The different phases of the Digital Signature Algorithm, namely Key Generation,
Signature Creation and Signature Verification, are described as follows.
DSA Key Generation
have shared global public key values (p, q, g):
o choose a 160-bit prime number q
o choose a large prime p with 2^(L-1) < p < 2^L
o where L = 512 to 1024 bits and is a multiple of 64
o such that q is a 160-bit prime divisor of (p-1)
o choose g = h^((p-1)/q) mod p
where 1 < h < p-1 and h^((p-1)/q) mod p > 1
users choose private & compute public key:
o choose random private key: x < q
o compute public key: y = g^x mod p
DSA Signature Creation
to sign a message M the sender:
o generates a random signature key k, k < q
o k must be random, be destroyed after use, and never be reused
then computes signature pair:
o r = (g^k mod p) mod q
o s = [k^(-1) (H(M) + xr)] mod q
sends signature (r, s) with message M
DSA Signature Verification
having received M' & signature (r', s')
to verify a signature, recipient computes:
w = (s')^(-1) mod q
u1 = [H(M') w] mod q
u2 = (r' w) mod q
v = [(g^u1 y^u2) mod p] mod q
if v = r' then the signature is verified
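The three DSA phases above (parameter and key generation, signature creation, verification) in Python, as an added example that is not from the notes. It assumes toy parameter sizes (L = 40, N = 20 bits) so that trial-division primality testing and the demo run in well under a second; real DSA uses L = 512 to 1024 and a 160-bit q, and H(M) is reduced mod q here only because the toy q is shorter than a SHA-1 digest.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Trial division: fine for the toy sizes used here, not for real 160/1024-bit primes."""
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def generate_params(L, N):
    """Global public key (p, q, g): N-bit prime q dividing p - 1, L-bit prime p,
    g = h^((p-1)/q) mod p for the smallest h that gives g > 1."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_prime(q):
            break
    while True:
        k = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1  # even, so p is odd
        p = k * q + 1                                             # hence q | p - 1
        if p.bit_length() == L and is_prime(p):
            break
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g

def generate_keys(params):
    """Private key x < q, public key y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def hash_mod_q(message, q):
    """H(M) with SHA-1 as in the notes, reduced mod q because the toy q is short."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def sign(params, x, message):
    """r = (g^k mod p) mod q and s = k^-1 (H(M) + x r) mod q, with a fresh secret k."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1          # random, used once, never reused
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_mod_q(message, q) + x * r) % q
        if r and s:                               # retry in the rare r = 0 or s = 0 case
            return r, s

def verify(params, y, message, sig):
    """w = s^-1, u1 = H(M) w, u2 = r w (mod q); accept iff ((g^u1 y^u2) mod p) mod q == r."""
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_mod_q(message, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def demo(L=40, N=20):
    """Genuine signature verifies; an altered message or another user's key does not."""
    params = generate_params(L, N)
    x, y = generate_keys(params)
    sig = sign(params, x, b"pay 10 to Bob")
    return (verify(params, y, b"pay 10 to Bob", sig),
            verify(params, y, b"pay 99 to Bob", sig),
            verify(params, generate_keys(params)[1], b"pay 10 to Bob", sig))
```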
4.7 ENTITY AUTHENTICATION: BIOMETRICS, PASSWORDS, CHALLENGE RESPONSE PROTOCOLS
Identification step: presenting an identifier to the security system.
Verification step: presenting or generating authentication information that corroborates
the binding between the entity and the identifier.
4.9 KERBEROS
Kerberos is a trusted key server system from MIT. It provides centralised private-key
third-party authentication in a distributed network that does the following:
It allows users access to services distributed through the network.
The Ticket Granting Server (TGS) issues tickets to users. Users subsequently request
access to other services from the TGS on the basis of the user's Ticket Granting Ticket (TGT).
Kerberos uses a complex protocol using DES.
A simple authentication dialogue
In an unsecured environment any client can access any server for service. This carries a
risk of impersonation. To counter this threat, servers must be able to confirm the identities
of clients, which we call authentication. If each server is given this authentication job in
addition, it places a substantial burden on every server. An alternative is to use an
authentication server (AS) that knows the passwords of all the users, stored centrally in a
database. The AS shares a unique secret key with each server.
(1) C → AS: IDC || PC || IDV
(2) AS → C: Ticket
(3) C → V: E(KV, [IDC || ADC || IDV])
where
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
KV = secret encryption key shared by AS and V
Kerberos v4 Dialogue
1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID
and password to the AS, together with the TGS ID, indicating a request to use the TGS
service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's
password. When this response arrives at the client, the client prompts the user for his or her
password, generates the key, and attempts to decrypt the incoming message. If the correct
password is supplied, the ticket is successfully recovered.
3. The client requests a service-granting ticket on behalf of the user. For this purpose, the
client transmits a message to the TGS containing the user's ID, the ID of the desired service,
and the ticket-granting ticket.
4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the
presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares
the user ID and network address with the incoming information to authenticate the user. If the
user is permitted access to the server V, the TGS issues a ticket to grant access to the
requested service.
5. The client requests access to a service on behalf of the user. For this purpose, the client
transmits a message to the server containing the user's ID and the service-granting ticket. The
server authenticates by using the contents of the ticket.
Kerberos Realms
A typical Kerberos environment consists of
a. A Kerberos server
b. A number of clients, all registered with server
c. Application servers, sharing keys with server
This is termed a realm, typically a single administrative domain. If the system has multiple
realms, their Kerberos servers must share keys and trust each other.
4.10 X.509
X.509 is part of the CCITT X.500 series of directory service standards. The directory is, in
effect, a server or set of distributed servers that maintains a database of information about
users. X.509 defines a framework for authentication services.
It acts as a repository for public-key certificates: each certificate contains the public key
of a user and is signed with the private key of the certification authority. X.509 is an
important standard because the certificate structure and the authentication protocols defined
in X.509 are used in a variety of contexts. For example, the X.509 certificate format is used
in S/MIME. The algorithms are not standardised, but RSA is recommended.
X.509 Certificates
The heart of X.509 is the public key certificate associated with each user. The
certificates are created and issued by a Certification Authority (CA) and contain the
following fields:
Version: Differentiates among successive versions of the certificate format; the default is
version 1. If the issuer unique identifier or subject unique identifier are present, the value
must be version 2. If one or more extensions are present, the version must be version 3.
Serial number: An integer value unique within the issuing CA that is unambiguously
associated with this certificate.
Signature algorithm identifier: The algorithm used to sign the certificate together with any
associated parameters. Because this information is repeated in the signature field at the end of
the certificate, this field has little, if any, utility.
Issuer name: X.500 name of the CA that created and signed this certificate.
Period of validity: Consists of two dates: the first and last on which the certificate is valid.
Subject name: The name of the user to whom this certificate refers. That is, this certificate
certifies the public key of the subject who holds the corresponding private key.
Subject’s public-key information: The public key of the subject, plus an identifier of the
algorithm for which this key is to be used, together with any associated parameters.
Issuer unique identifier: An optional bit string field used to identify uniquely the issuing
CA in the event the X.500 name has been reused for different entities.
Subject unique identifier: An optional bit string field used to identify uniquely the subject
in the event the X.500 name has been reused for different entities.
Extensions: A set of one or more extension fields. Extensions were added in version 3 and are
discussed later in this section.
Signature: Covers all of the other fields of the certificate; it contains the hash code of the
other fields encrypted with the CA’s private key. This field includes the signature algorithm
identifier.
The unique identifier fields were added in version 2 to handle the possible reuse of
subject and/or issuer names over time. These fields are rarely used. The standard uses the
following notation to define a certificate:
OBTAINING A CERTIFICATE
• Any user with access to the CA can obtain any certificate from it
• Only the CA can modify a certificate; because certificates cannot be forged, they can be
placed in a public directory
CA HIERARCHY
• If both users share a common CA then they are assumed to know its public key;
otherwise the CAs must form a hierarchy
• It uses certificates linking members of the hierarchy to validate other CAs; each CA
has certificates for its clients (forward) and its parent (backward)
• It enables verification of any certificate from one CA by users of all other CAs in the
hierarchy
Figure: CA hierarchy use (certificate hierarchy)
CERTIFICATE REVOCATION
• Every certificate has a period of validity
• There are situations where a certificate may need to be revoked before expiry, e.g.:
• CAs maintain a list of revoked certificates in the Certificate Revocation List (CRL),
and users should check certificates against the CA's CRL