Lecture 2 Authentication (Part 1)

Message Authentication Code (MAC)

A MAC is a cryptographic checksum on data that uses a secret key to detect both
accidental and intentional modifications of the data. This allows the recipient of the
message to verify the integrity of the message and authenticate that the message's sender
has the shared secret key.

Example: HMAC

Trusted Third Party
Trusted third party (TTP) is an entity which facilitates interactions between two
parties who both trust the third party

Trusted Third Party is common in commercial transactions


⚫ Insurance brokers
⚫ Mortgage brokers
⚫ Online payment portals such as Paypal, Apple pay, etc.

TTP is common in cryptographic digital transactions as well as cryptographic
protocols

(1) Symmetric key exchange


⚫ Manual exchange
⚫ DH
⚫ TTP

(2) Public key exchange

What can we do with another party's public key?

Possible methods for public key exchange


⚫ Public Announcement
Append public key to messages that they send to public forums, such as
USENET newsgroups and Internet mailing lists.
Or Email?

Weakness? Anyone can forge such a public announcement or email. That is,
some user could pretend to be user A and send a public key to another
participant or broadcast such a public key.

⚫ Public key authority

⚫ Public key certificate
➢ Public key certificate is an electronic document used for key exchange
➢ Issued by a CA (Certification Authority), such as VeriSign, etc.
➢ Contains your name, expiration dates, your public key, and the digital
signature of CA so that a recipient can verify that the certificate is real if
the issuer’s public key is known.

⚫ A certificate is a way to distribute a public key
⚫ The certificate can prove the ownership of a public key
⚫ A certificate cannot be changed.
⚫ A hacker cannot make a valid certificate
⚫ Assume that the CA is trusted

When is a public key certificate needed?
⚫ Public key exchange
Could a hacker pretend to be user A and send A's public key certificate to
another participant or broadcast A's certificate? It is of no use: the hacker does
not have the private key corresponding to the certificate.
⚫ Authentication

Before sending sensitive information online, we may not be able to verify the
identity of a party (prove who is who) on the Internet. How to verify a server’s
identity on the Internet?

Answer: the server’s public key certificate. Verify its correctness and ensure the
server is the owner of the certificate.

How do you get a public certificate from the HTTPS webpage?
1. Access the web page via HTTPS
2. Click on the lock icon next to the URL and select View certificate

How to verify public key certificate?

Authentication
The process of determining whether someone or something is, in fact,
who or what it is declared to be.

Passwords are a classic way to authenticate (PIN numbers are a type of
password)

Advantages of passwords:
➢ easy to remember and use
➢ everyone knows how to use them

Problem
➢ if password is sent in cleartext, can be intercepted
➢ if password is encrypted, requires establishment of encryption key

Authentication Protocols
• Symmetric key authentication protocols
• Public key authentication protocols

A protocol consists of a sequence of messages between principals and will be
described using different notations.
• Principals are parties who cooperate by exchanging messages over networks.
• Principals are generally denoted by capitals such as A, B and S (for a server).

(1) A → B : M1
(2) B → S : M2
(3) S → B : M3

E(K : M) denotes encrypting message M with key K.


Ra: A random number generated by a principal A.
➢ Used only once and is generally termed as a nonce.

Replay attack on Authentication Protocols

The attacker records the data of a successful authentication and replays this
information to attempt to falsely authenticate to the verifier.

A → B : A, E(Kab : Password)

Countermeasures: use of timestamps, sequence numbers or random numbers.

Example of using a timestamp or sequence number

A → B : A, E(Kab : Password, Ta)

Symmetric Key Authentication Protocols
➢ Verify identity based on a secret key shared between the principals.

Symmetric Key without Trusted Third Party

➢ Symmetric Key One-Pass Unilateral Authentication Protocol

A → B : E(Kab: Ta, A, B)

B authenticates A if the timestamp has a recent value.

Replay A's message?

➢ Symmetric Key Two-Pass Unilateral Authentication Protocol


A is authenticated by the verifier B by means of challenge-response.
(1) B→ A : Rb
(2) A → B : E(Kab : Rb, A, B) //Rb is a nonce

Replay A's message?
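
The two-pass challenge-response above, as an added example that is not part of the original lecture: it shows why a recorded message (2) is useless once B issues a fresh Rb. An HMAC over (Rb, A, B) stands in for E(Kab : Rb, A, B) because the Python standard library has no symmetric cipher; the `Verifier` class, `encode` helper and sample key are assumptions.

```python
import hashlib
import hmac
import secrets


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so (Rb, A, B) cannot be re-split ambiguously."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def respond(kab: bytes, rb: bytes, a: str, b: str) -> bytes:
    """A's message (2): a MAC over (Rb, A, B), standing in for E(Kab : Rb, A, B)."""
    return hmac.new(kab, encode(rb, a.encode(), b.encode()), hashlib.sha256).digest()


class Verifier:
    """Verifier B: issues a fresh Rb per run and accepts each Rb at most once."""

    def __init__(self, name: str, shared_keys: dict):
        self.name = name
        self.shared_keys = shared_keys   # claimant name -> Kab
        self.pending = {}                # claimant name -> outstanding Rb

    def challenge(self, claimant: str) -> bytes:
        rb = secrets.token_bytes(16)     # message (1): unpredictable nonce
        self.pending[claimant] = rb
        return rb

    def verify(self, claimant: str, response: bytes) -> bool:
        rb = self.pending.pop(claimant, None)   # consume the nonce on first use
        kab = self.shared_keys.get(claimant)
        if rb is None or kab is None:
            return False
        expected = respond(kab, rb, claimant, self.name)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    kab = secrets.token_bytes(32)               # constructed sample key
    b = Verifier("B", {"A": kab})
    recorded = respond(kab, b.challenge("A"), "A", "B")  # seen on the wire
    results = {"honest": b.verify("A", recorded)}
    results["replay_without_challenge"] = b.verify("A", recorded)
    b.challenge("A")                            # a later run gets a new Rb
    results["replay_against_new_rb"] = b.verify("A", recorded)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the identities A and B are inside the authenticated data, a response computed for the opposite direction does not verify either.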

Symmetric Key Three-Pass Mutual Authentication
The mutual authentication is achieved by the use of random numbers Ra and Rb.

(1) B→ A : Rb
(2) A→ B : E(Kab : Ra, Rb, A, B)
(3) B→ A : E(Kab : Rb, Ra, B, A)

Replay A's messages?


Replay B's messages?

Symmetric Key with Trusted Third Party

➢ Needham Schroeder Symmetric Key Authentication protocol


(1) A →S: A, B, Ra //both Ra and Rb are nonces
(2) S →A: E(Kas: Ra, B, Kab, E(Kbs: Kab, A))
(3) A →B: E(Kbs: Kab, A)
(4) B →A: E(Kab: Rb)
(5) A →B: E(Kab: Rb - 1)

Challenge-Handshake Authentication Protocol (CHAP)
➢ CHAP authenticates a user or network host to an authenticating entity

➢ CHAP is defined as a one-way authentication method. You use CHAP in both
directions to create a two-way authentication.
➢ The shared key is Alice's password. It is vulnerable to brute force/dictionary attack.

Public Key Authentication Protocols
The public key certificate-based authentication mechanism is used as a representative of
the public key authentication protocols.

➢ Public Key Protocol without Trusted Third Party

Public Key One-Pass Unilateral Authentication Protocol

(1) A → B : CertA, Ta, B, E(Ka^-1 : Ta, B) //Ta is a timestamp or sequence number

Public Key Two-Pass Unilateral Authentication Protocol

(1) B → A : Rb
(2) A → B : CertA, Ra, Rb, B, E(Ka^-1 : Ra, Rb, B) // Ra and Rb are nonces

Public Key Three-Pass Mutual Authentication Protocol

(1) B → A : Rb
(2) A → B : CertA, Ra, Rb, B, E(Ka^-1 : Ra, Rb, B)
(3) B → A : CertB, Rb, Ra, A, E(Kb^-1 : Rb, Ra, A)

➢ Public Key Protocol with Trusted Third Party

(1) A →S: A, B
(2) S →A: E(Ks^-1: Kb, B) // Ra and Rb are nonces
(3) A →B: E(Kb: Ra, A)
(4) B →S: B, A
(5) S →B: E(Ks^-1: Ka, A)
(6) B →A: E(Ka: Ra, Rb)
(7) A →B: E(Kb: Rb)

Two factor authentication
• use passwords plus something else

• Biometric
Retina, hand geometry, handwriting analysis, etc.

One way hash chain
• A hash chain is a successive application of a cryptographic hash function
h() to a string.

For example,
• h(h(h(h(st)))) gives a hash chain of length 4, often denoted h^4(st)

Each token has a valid time period (10 minutes). St is a secret value known only
to both parties.

One-time password, OTP (RFC 2289)

A one-time password is a password that is valid for only one login
session.
• Support two-factor authentication
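
A hash-chain one-time-password check, added here as an illustration and not taken from the lecture: it follows the Lamport-style scheme underlying RFC 2289, in which the server stores only the last accepted chain value. SHA-256, the class names and the sample secret are assumptions; the 10-minute validity window and RFC 2289's own encoding are not modelled.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def hash_chain(st: bytes, n: int) -> bytes:
    """Return h^n(st): h applied n times to the secret st."""
    for _ in range(n):
        st = h(st)
    return st


class OtpClient:
    """Holds st and walks the chain backwards: h^(n-1)(st), h^(n-2)(st), ..."""

    def __init__(self, st: bytes, n: int):
        self.st, self.index = st, n

    def next_otp(self) -> bytes:
        if self.index <= 1:
            raise RuntimeError("chain exhausted: enrol a new secret")
        self.index -= 1
        return hash_chain(self.st, self.index)


class OtpServer:
    """Keeps only the last accepted value, starting from the anchor h^n(st)."""

    def __init__(self, anchor: bytes):
        self.last = anchor

    def login(self, otp: bytes) -> bool:
        if not hmac.compare_digest(h(otp), self.last):
            return False          # not the preimage of the stored value
        self.last = otp           # advance: this OTP can never be accepted again
        return True


def demo() -> list:
    st, n = b"constructed-secret-st", 4          # constructed sample values
    client, server = OtpClient(st, n), OtpServer(hash_chain(st, n))
    first = client.next_otp()                    # h^3(st)
    second = client.next_otp()                   # h^2(st)
    return [server.login(first), server.login(first), server.login(second)]
```

An eavesdropper who captures one password learns only a value whose hash the server has already moved past; producing the next password would require inverting h.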

http://en.wikipedia.org/wiki/SecurID

Benefits of One-Time Passwords (OTPs)
Resistance to replay attacks: OTP authentication provides distinct
advantages over using static passwords alone. Unlike traditional passwords,
OTPs aren’t vulnerable to replay attacks—where a hacker intercepts a
transmission of data (like a user submitting their password or token),
records it, and uses it to gain access to the system or account themselves.
Difficult to guess: OTPs are often generated with algorithms that make use
of randomness. This makes it difficult for attackers to successfully guess
and use them.
Reduced risk when passwords are compromised: Users may use the
same password across different accounts. If the password falls into the
wrong hands, stolen data and fraud are significant threats to the user.
OTP security helps to prevent access breaches, even if an attacker has
obtained a valid password.

Analysis of Authentication Protocols

The objective:
• Highlight the design flaws of authentication protocols
• The successful attacks which have uncovered flaws in protocols allow us to
learn from design errors and understand general attack methods and strategies.

Attack 1: man-in-the-middle on unauthenticated Diffie-Hellman

A and B are the legitimate parties, and E is an adversary.

A forms session key KA = xy' , while B forms session key KB = x'y.


E is able to compute both these keys.

Attack 2: Reflection attack

Suppose A and B share a symmetric key K, and authenticate one another on the
basis of demonstrating knowledge of this key by encrypting or decrypting a
challenge as follows.
An adversary E can impersonate B as follows.

Upon A sending (1), E intercepts it, and initiates a new protocol, sending the
identical message rA back to A.

A completes the first protocol, and believes it has successfully authenticated B,
while in fact B has not been involved in any communications.

The attack can be prevented by using distinct keys K and K' for encryptions from
A to B and B to A, respectively.

An alternate solution is to include the identifier of the originating party within
the encrypted portion of (2).

Attack 3: Interleaving attack

sA denotes the signature operation of party A, and it is assumed that all parties
have authentic copies of all others’ public keys.

An enemy E can initiate one protocol with B (pretending to be A), and another
with A (pretending to be B), as shown below, and use a message from the latter
protocol to successfully complete the former, thereby deceiving B into believing
E is A (and that A initiated the protocol). This attack is possible due to the
message symmetry of (2) and (3).

This attack may be prevented by securely binding an identifier to each message
indicating a message number.