Unit - 4 Notes1


4 MESSAGE AUTHENTICATION AND INTEGRITY
Authentication requirement – Authentication function – MAC – Hash function –
Security of hash function and MAC – SHA –Digital signature and authentication
protocols – DSS- Entity Authentication: Biometrics, Passwords, Challenge Response
protocols- Authentication applications - Kerberos, X.509.
4.1 Authentication and Authorization
Authentication
➢ Authentication techniques are used to verify identity. It prevents unauthorized users
from gaining access to the systems.
➢ Validating the identity of user, service or application
➢ Data authentication- providing data integrity
Authorization
➢ It is a procedure of controlling the access of authenticated users to the system
resources. An authorization system provides each user with exactly those rights
granted to them by the administrator
➢ Controls user privileges such as access to files, directories, etc...

4.2 Authentication Requirements


➢ Another type of threat that exists for data is the lack of message authentication.
➢ Under this threat, the receiver is not sure about the originator of the message, or whether the message was altered in transit.
➢ Message authentication can be provided using cryptographic techniques that use secret keys, as is done in the case of encryption.
➢ In the context of communications across a network, the following attacks can be
identified.

• Disclosure: Release of message contents to any person or process not possessing


the appropriate cryptographic key.
• Traffic analysis: Detection of the pattern of traffic between parties. In a
connection-oriented application, the frequency and duration of connections
could be determined, in which, the number and length of messages between
parties could be determined.
• Masquerade: Insertion of messages into the network from a fraudulent source.
This includes the creation of messages by an opponent that are purported to
come from an authorized entity. Also included are fraudulent
acknowledgements of message receipt or nonreceipt by someone other than
the message recipient.
• Content modification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification
• Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering
• Timing modification: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of
some previous valid session, or individual messages in the sequence could be
delayed or replayed. In a connectionless application, an individual message
(e.g., datagram) could be delayed or replayed

• Source repudiation: Denial of transmission of message by source.

• Destination repudiation: Denial of receipt of message by destination.

4.3 Authentication Function


4.3.1 Message Authentication
➢ A mechanism or service used to verify the integrity of a message.
➢ Assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay).
➢ When a hash function is used to provide message authentication, the hash function
value is often referred to as a message digest.

4.3.2 An authentication function has two levels of functionality


Lower Level
➢ Produces an authenticator: a value to be used to authenticate a message.
Higher-Level
➢ enables a receiver to verify the authenticity of a message

4.3.3 Grouped into Three Classes


Message Encryption
➢ The ciphertext of the entire message serves as its authenticator
Message authentication code (MAC)
➢ A function of the message and a secret key that produces a fixed-length value that
serves as the authenticator
Hash function
➢ A function that maps a message of any length into a fixed-length hash value, which
serves as the authenticator

Message Encryption
Symmetric Encryption
Symmetric encryption: confidentiality and authentication: A -> B:E(K, M)
Figure 4.1 Symmetric encryption: confidentiality and authentication

Public-key encryption: confidentiality: A ->B:E(PUb, M)

Figure 4.2 Public Key Encryption: Confidentiality

Public-key encryption: authentication and signature: A ->B:E(PRa, M)

Figure 4.3 Public-key encryption: authentication and signature


Public-key encryption: confidentiality, authentication, and signature:
A ->B : E(PUb, E(PRa, M))

Figure 4.4 Public-key encryption: confidentiality, authentication, and signature


4.3 Message Authentication Code (MAC)
➢ MAC stands for Message Authentication Code.
➢ In a MAC scheme the sender and receiver share the same secret key. The sender computes a fixed-size
output, called a cryptographic checksum or message authentication code, from the message and the key
and appends it to the message.
➢ On the receiver's side, the receiver recomputes the code from the received message and the same key and
compares it with the code received, thereby checking both the integrity and the origin of the message.
➢ This technique assumes that the two communicating parties, say A and B, share a
common secret key K.

Theory of operation
➢ When A has a message to send to B, it calculates the MAC as a function of the
message and the key:
MAC = C (K, M), where
M = input message
C = MAC function
K = shared secret key
MAC = Message Authentication Code
➢ The message plus MAC are transmitted to the intended recipient.
➢ The recipient performs the same calculation on the received message, using the
same secret key, to generate a new MAC.
➢ The received MAC is compared to the calculated MAC
➢ if the received MAC matches the calculated MAC, then
➢ The receiver is assured that the message has not been altered
➢ The receiver is assured that the message is from the alleged sender
Basic Uses of Message Authentication Code (MAC)
(a) Message authentication: A->B: M||C(K, M)
Figure 4.5 Message Authentication

➢ Provides authentication: Only A and B share K


(b) Message authentication and confidentiality; authentication tied to
plaintext

Figure 4.6 Message Authentication and Confidentiality

➢ A ->B:E(K2, [M||C(K1, M)])


➢ Provides authentication
Only A and B share K1
➢ Provides confidentiality
Only A and B share K2

(c) Message authentication and confidentiality; authentication tied to ciphertext

Figure 4.7 Message Authentication and Confidentiality; authentication tied to ciphertext


➢ A -> B: E (K2, M) ||C (K1, E (K2, M))
➢ Provides authentication Using K1
➢ Provides confidentiality Using K2
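Worked example (added here; it is not part of the original notes): the MAC exchange of mode (a) and the encrypt-then-MAC layout of mode (c), with C(K, M) instantiated as HMAC-SHA256 from Python's standard library. The toy keystream cipher that stands in for E(K2, M), the function names and the sample messages are assumptions made for this example.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 produces a 256-bit (32-byte) authenticator


def mac(key: bytes, message: bytes) -> bytes:
    """C(K, M) of the notes, instantiated with HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send_authenticated(key: bytes, message: bytes) -> bytes:
    """Mode (a): A -> B: M || C(K, M)."""
    return message + mac(key, message)


def receive_authenticated(key: bytes, packet: bytes) -> bytes:
    """Receiver side of mode (a): recompute C(K, M) over the received M and compare.

    hmac.compare_digest runs in constant time, so an attacker cannot recover the
    tag byte by byte from the timing of rejected packets."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet shorter than a MAC tag")
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, message)):
        raise ValueError("MAC mismatch: message altered, truncated or wrong key")
    return message


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for E(K, .): XOR with a SHA-256 counter-mode keystream.

    Constructed only so the example runs offline with the standard library; a real
    system uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def send_encrypt_then_mac(k1: bytes, k2: bytes, message: bytes) -> bytes:
    """Mode (c): A -> B: E(K2, M) || C(K1, E(K2, M)). The tag covers the ciphertext
    (nonce included), so forgeries are rejected before any decryption happens."""
    nonce = os.urandom(16)
    ciphertext = nonce + toy_stream_xor(k2, nonce, message)
    return ciphertext + mac(k1, ciphertext)


def receive_encrypt_then_mac(k1: bytes, k2: bytes, packet: bytes) -> bytes:
    """Receiver side of mode (c): verify with K1 first, only then decrypt with K2."""
    ciphertext = receive_authenticated(k1, packet)
    nonce, body = ciphertext[:16], ciphertext[16:]
    return toy_stream_xor(k2, nonce, body)


def is_accepted(key: bytes, packet: bytes) -> bool:
    """True if the receiver of mode (a)/(c) would accept the packet's tag."""
    try:
        receive_authenticated(key, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    k = os.urandom(32)
    packet = send_authenticated(k, b"pay alice 100")
    assert receive_authenticated(k, packet) == b"pay alice 100"
    # an attacker who alters the message without K is detected
    assert not is_accepted(k, packet.replace(b"alice", b"mallo"))
    # a tag computed under a guessed key is detected too
    assert not is_accepted(k, send_authenticated(b"guess", b"pay alice 100"))
    print("MAC checks passed")
```

Two keys are used in mode (c) deliberately: K1 only ever authenticates and K2 only ever encrypts, so a weakness or leak in one primitive cannot be turned against the other, and because the receiver verifies the tag before decrypting, the decryption code never sees attacker-controlled ciphertext.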

4.3.1 MAC properties


➢ A MAC is a cryptographic checksum
MAC = C(K, M)
– condenses a variable-length message M
– using a secret key K
– to produce a fixed-size authenticator
➢ MAC is a many-to-one function
– potentially many messages have the same MAC: with 100-bit messages and a 20-bit MAC, on average
2^80 messages map to each MAC value
– but finding the key K, or another message with the same MAC, must be computationally infeasible
4.3.2 Requirements for MACs
➢ It must be infeasible to mount a message replacement attack, in which an attacker constructs a new
message to match a given MAC code, even though the attacker does not learn the key.
➢ The key space must be large enough to prevent a brute-force attack based on chosen plaintext (trying
every key against a known message-MAC pair).
➢ The authentication algorithm should not be weaker than the encryption algorithm it is used with.
Need the MAC to satisfy the following:
• knowing a message and its MAC, it is infeasible to find another message with the same
MAC
• MACs should be uniformly distributed
• the MAC should depend equally on all bits of the message
Limitations of MAC

There are two major limitations of a MAC, both due to its symmetric nature of operation:

• Establishment of Shared Secret.

o It can provide message authentication among pre-decided legitimate users


who have shared key.

o This requires establishment of shared secret prior to use of MAC.

• Inability to Provide Non-Repudiation


o Non-repudiation is the assurance that a message originator cannot deny any
previously sent messages and commitments or actions.

o MAC technique does not provide a non-repudiation service. If the sender and
receiver get involved in a dispute over message origination, MACs cannot
provide a proof that a message was indeed sent by the sender.

o Though no third party can compute the MAC, still sender could deny having
sent the message and claim that the receiver forged it, as it is impossible to
determine which of the two parties computed the MAC.

Both these limitations can be overcome by using the public key based digital signatures

4.4 Hash function

➢ Hash functions are extremely useful and appear in almost all information security
applications.

➢ A hash function is a mathematical function that maps an input of arbitrary size to a much shorter,
fixed-size output. A hash function accepts a variable-size message
M as input and produces a fixed-size output, referred to as a hash code H(M).

➢ A hash code does not use a key but is a function only of the input message

➢ The hash code is also referred to as a message digest or hash value.

➢ Figure 4.8 shows the generation of hash value.

Figure 4.8 Generation Hash Value


4.4.1 Features of Hash Functions
The typical features of hash functions are

➢ Fixed Length Output (Hash Value)

• A hash function converts data of arbitrary length to a fixed length. This process
is often referred to as hashing the data.

• In general, the hash is much smaller than the input data; hence the internal building block of a hash
function is called a compression function.

• Since a hash is a smaller representation of a larger data, it is also referred to as


a digest.

• Hash function with n bit output is referred to as an n-bit hash function.


Popular hash functions generate values between 160 and 512 bits.

➢ Efficiency of Operation

• Generally, for any hash function h with input x, computation of h(x) is a fast
operation.

• Computationally hash functions are much faster than a symmetric encryption.

Basic Uses of Hash Function


a) Encrypt message plus hash code

Figure 4.9 Encrypt message plus hash code


➢ A -> B:E(K, [M||H(M)])
➢ Provides confidentiality
• Only A and B share K
➢ Provides authentication
➢ H(M) is cryptographically protected
(b) Encrypt hash code with shared secret key

Figure 4.10 Encrypt hash code with shared secret key


➢ A -> B: M||E(K, H(M))
➢ Provides authentication
➢ H(M) is cryptographically protected
(c) Encrypt hash code with sender's private key

Figure 4.11 Encrypt hash code with sender's private key


➢ A ->B: M||E(PRa, H(M))
➢ Provides authentication and digital signature
➢ H(M) is cryptographically protected
➢ Only A could create E(PRa, H(M))
(d) Encrypt result of (c) with shared secret key

Figure 4.12 Encrypt result of (c) with shared secret key


➢ A ->B: E(K, [M||E(PRa, H(M))])
➢ Provides authentication and digital signature
➢ Provides confidentiality
o only A and B share K
(e) Compute hash code of message plus secret value

Figure 4.13 Compute hash code of message plus secret value


➢ A ->B: M||H(M||S)
➢ Provides authentication
• Only A and B share S
• Caveat: with an iterated hash such as SHA-1 or SHA-256, the secret-prefix variant H(S||M) is
vulnerable to length extension (an attacker who sees H(S||M) can compute H(S||M||pad||X) without S);
the secret-suffix form shown here avoids that, and in practice the keyed construction HMAC is used instead.
Applications of Hash Functions

There are two direct applications of hash function based on its cryptographic properties.

Password Storage

Hash functions provide protection to password storage.

• Instead of storing passwords in the clear, almost all logon processes store the hash values
of the passwords in the password file.

• The password file consists of a table of pairs of the form (user id, h(P)).

• An intruder who obtains the password file sees only the hashes of the passwords.
He can neither log on using a hash nor derive the password from the hash value,
since the hash function possesses the property of pre-image resistance.

• Caveat: pre-image resistance only protects passwords that are hard to guess. An intruder can hash
candidate passwords from a dictionary and compare them with the stored hashes, so practical systems
also add a per-user random salt and use a deliberately slow hash (e.g., PBKDF2, bcrypt, scrypt or Argon2).
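Added example (not from the notes) showing both sides of the password-storage point above: a constructed (user id, h(P)) file with an unsalted SHA-256 hash falls to a dictionary attack without any inversion of the hash, while a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) makes every guess cost a configurable amount of work per user. The sample users, passwords, guess list and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample "password file": (user id, h(P)) pairs as in the notes,
# using an unsalted fast hash (SHA-256) for the weak scheme.
WEAK_FILE = {
    "alice": hashlib.sha256(b"password1").hexdigest(),
    "bob": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed guess list, standing in for a real cracking dictionary.
DICTIONARY = [b"123456", b"password", b"password1", b"letmein", b"qwerty"]

ITERATIONS = 100_000  # PBKDF2 work factor (assumed); tune so one check costs tens of ms


def crack_unsalted(password_file: dict, dictionary: list) -> dict:
    """Offline dictionary attack against the weak file.

    Pre-image resistance does not help: the attacker never inverts the hash,
    he only hashes candidates forward. Without a salt, one hash per guess is
    compared against every user at once."""
    lookup = {hashlib.sha256(g).hexdigest(): g for g in dictionary}
    return {user: lookup[h] for user, h in password_file.items() if h in lookup}


def make_record(password: bytes, salt: bytes = b"") -> tuple:
    """Hardened storage: per-user random salt + slow key derivation.
    Returns (salt, h) to be stored next to the user id."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def check_password(record: tuple, attempt: bytes) -> bool:
    """Logon check: recompute with the stored salt and compare in constant time."""
    salt, stored = record
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", attempt, salt, ITERATIONS))


def crack_salted(records: dict, dictionary: list) -> dict:
    """The same attack against the hardened file. Each guess must now be
    recomputed separately for every user (different salts), and each
    computation costs ITERATIONS hash calls. Weak passwords still fall,
    only more slowly: the storage scheme is not a substitute for a strong password."""
    found = {}
    for user, record in records.items():
        for guess in dictionary:
            if check_password(record, guess):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print("unsalted file cracked:", crack_unsalted(WEAK_FILE, DICTIONARY))
    hardened = {"alice": make_record(b"password1"), "bob": make_record(b"Tr0ub4dor&3")}
    print("salted file cracked:  ", crack_salted(hardened, DICTIONARY))
```

The salted scheme does not make `alice` safe; it removes the one-hash-per-guess shortcut and multiplies the attacker's cost by the number of users and by the iteration count, which is what buys time for users whose passwords are not in a dictionary.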

Data Integrity Check

• Data integrity check is a most common application of the hash functions. It is used to
generate the checksums on data files. This application provides assurance to the user
about correctness of the data.
4.5 Security of hash function and MAC
There are two types of attacks on hash functions and MACs.
1. Brute-force attacks
2. Cryptanalysis

Brute-force attacks
• A brute-force attack on a MAC has cost related to min(2^k, 2^n), where k is the key length and n the
MAC length, similar to symmetric encryption algorithms. As with encryption algorithms, cryptanalytic
attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to
perform an attack other than an exhaustive search.

• The strength of a hash function against brute-force attacks depends solely on the
length of the hash code produced by the algorithm.

• A brute-force attack on a MAC is more difficult than on a hash function, because it requires known
message-MAC pairs, which the attacker must obtain from the legitimate parties rather than compute.

• Suppose there are N possible hash values, and suppose that the output of the hash function is
uniformly distributed over this space. Take a subset of n strings.

• Pre-image: how big does n have to be in order to have a probability > 0.5 of some string in that
subset having a given hash value?

• Trying all N values gives certainty. The probability that none of n random strings hits the target is
(1 - 1/N)^n ≈ e^(-n/N); setting this to 0.5 gives n ≈ (ln 2) × N for large N.

• For a 128-bit hash function, N = 2^128, so you need to test about 2^127 inputs (approximately 10^38) to
get a 0.5 chance of pre-imaging the hash, that is to say, of getting a given hash value.

• Collision: how big does n have to be in order to have a probability > 0.5 of two strings in that set
having the same hash value?

• The probability of no duplicate is:
(N-1)/N × (N-2)/N × ... × (N-n+1)/N = (1 - 1/N)(1 - 2/N) ... (1 - (n-1)/N)
< e^(-1/N) × e^(-2/N) × ... × e^(-(n-1)/N) = e^(-n(n-1)/2N)
The middle inequality comes from 1 - x < e^(-x) for x > 0.

• Setting this to 0.5, approximating n(n-1) as n^2 and solving for n gives n = sqrt(2 (ln 2) N) ≈ 1.18 sqrt(N).
For a 128-bit hash this is about 2^64 ≈ 10^19 trials, the so-called birthday bound.

• To put these numbers into perspective: 10^19 microseconds is about 317,000 years,
while 10^38 microseconds is about 3 × 10^24 years.
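Added example (not part of the notes) that carries the two calculations above through on a toy hash: the pre-image and collision bounds are evaluated from the formulas, the exact no-collision product is compared with the e^(-n(n-1)/2N) bound, and the birthday effect is measured empirically on a 16-bit hash built by truncating SHA-256. Truncating SHA-256 is an assumption made so the searches finish in milliseconds; the arithmetic is identical for the full 128- or 256-bit case.

```python
import hashlib
import math
import random


def truncated_hash(data: bytes, bits: int) -> int:
    """A toy n-bit hash: the leading `bits` bits of SHA-256 (assumption for speed).
    Only the output length is small; the birthday arithmetic is unchanged."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def preimage_trials_for_half(bits: int) -> float:
    """n such that P[some input hits a given value] = 1/2: n ≈ (ln 2) N."""
    return math.log(2) * 2 ** bits


def collision_trials_for_half(bits: int) -> float:
    """n such that P[two inputs collide] = 1/2: n ≈ sqrt(2 (ln 2) N) ≈ 1.18 sqrt(N)."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def no_collision_probability(n: int, N: int):
    """Exact product (1-1/N)(1-2/N)...(1-(n-1)/N) and the bound e^{-n(n-1)/2N}
    derived in the notes from 1 - x < e^{-x}. Returns (exact, bound)."""
    exact = 1.0
    for i in range(1, n):
        exact *= 1 - i / N
    return exact, math.exp(-n * (n - 1) / (2 * N))


def find_collision(bits: int, rng: random.Random) -> int:
    """Draw random 64-bit inputs until two of them share a hash; return how many were drawn."""
    seen = {}
    trials = 0
    while True:
        x = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        h = truncated_hash(x, bits)
        if h in seen and seen[h] != x:
            return trials
        seen[h] = x


def preimage_trials(target: int, bits: int, seed: int) -> int:
    """Draw random inputs until one hashes to `target`; return how many were drawn.
    Expected cost is N = 2^bits, versus about 1.18 sqrt(N) for a collision."""
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        if truncated_hash(rng.getrandbits(64).to_bytes(8, "big"), bits) == target:
            return trials


def average_collision_trials(bits: int, runs: int, seed: int = 1) -> float:
    """Mean number of inputs drawn before the first collision over `runs` experiments."""
    rng = random.Random(seed)
    return sum(find_collision(bits, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    bits = 16
    print(f"{bits}-bit hash: p=1/2 needs ~{preimage_trials_for_half(bits):.0f} trials for a "
          f"pre-image but only ~{collision_trials_for_half(bits):.0f} for a collision")
    print("measured mean trials to first collision:", average_collision_trials(bits, 200))
    print("trials to hit one fixed 16-bit value:", preimage_trials(0x1234, bits, seed=5))
    exact, bound = no_collision_probability(1206, 2 ** 20)
    print(f"20-bit hash, n=1206: P[no collision] exact={exact:.4f}, bound={bound:.4f}")
```

The measured mean to the first collision on a 16-bit hash lands near 320 (the mean of the birthday distribution, sqrt(πN/2)), while a single pre-image search typically takes tens of thousands of trials: the square-root gap is why collision resistance, not pre-image resistance, dictates the digest length a signature scheme needs.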

Cryptanalysis

• Cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some
property of the algorithm to perform an attack cheaper than an exhaustive search.

• Cryptanalytic attacks exploit structure; as with block ciphers, we want a brute-force attack to be
the best attack available.
• There are a number of analytic attacks on iterated hash functions, which have the form
CV_i = f[CV_(i-1), M_i]; H(M) = CV_N
where CV_0 is a fixed initial value and M_1, ..., M_N are the message blocks.
• These attacks typically focus on collisions in the compression function f.
• Like a block cipher, f is often composed of rounds, and the attacks exploit properties of the round functions.

4.6 Secure Hash Algorithm (SHA)

➢ The Secure Hash Algorithm (SHA) was developed in 1993 by the National Institute of
Standards and Technology (NIST) and the National Security Agency (NSA).

➢ It was designed as the algorithm to be used for secure hashing in the US Digital
Signature Standard.

➢ A hash function is sometimes loosely described as "one-way encryption", but it is not an encryption
method: it takes no key and is not meant to be reversed. It is a one-way function that maps a message
to a fixed-size digest.

➢ It has the following versions

• SHA-1

• SHA-224

• SHA-256

• SHA-384

• SHA-512

➢ SHA-224, SHA-256, SHA-384 and SHA-512 are collectively known as SHA-2. SHA-1 is no longer
considered collision resistant (a practical collision was published in 2017) and must not be used for
new digital signatures or certificates; SHA-2 (or SHA-3) should be used instead.

SHA-1 (Secure Hash Algorithm -1)


➢ SHA-1 is a revised version of the original SHA, designed by NIST and published as a Federal
Information Processing Standard (FIPS 180-1).

➢ It works for any input message whose length is less than 2^64 bits.

➢ Like MD5, SHA-1 processes input data in 512-bit blocks.

➢ SHA-1 generates a 160-bit message digest, whereas MD5 generates a message digest of
128 bits.

➢ This is designed to be computationally infeasible to:


• Obtain the original message, given its message digest.
• Find two messages producing the same message digest.

Figure 4.14 SHA Structure


➢ The processing consists of the following 5 steps: Figure 4.14 shows the structure of
SHA

Step 1: Appending padding bits.


➢ A b-bit message M is padded in the following manner:
• Add a single "1" bit to the end of M
• Then pad the message with "0" bits until its length is congruent to 448 modulo 512 (which means
pad with 0s until the message is 64 bits less than some multiple of 512). Padding is always added,
even if the message is already of the desired length.
Step 2: Append Length
➢ A 64-bit representation of the length in bits of the original message (before the
padding) is appended to the result of step 1, as a big-endian unsigned integer (most significant
byte first). Since SHA-1 only accepts messages shorter than 2^64 bits, this field always holds the
full length.
➢ The outcome of the first two steps yields a message that is an integer multiple of 512
bits in length. In the figure, the expanded message is represented as the sequence of
512-bit blocks Y_0, Y_1, Y_2, ..., Y_(L-1),
➢ so that the total length of the expanded message is L × 512 bits. Equivalently, the
result is a multiple of 16 (32-bit) words.
➢ N = L × 16.
Step 3: Divide the input into 512-bit Blocks
➢ Divide the padded message into 512-bit blocks M_0, M_1, ..., M_(L-1) (the blocks Y_i of step 2).
Step 4: Initialize the Chaining variable (Buffer Initiation)
• A 160-bit buffer is used to hold intermediate and final results of the hash function.
• Initialize the message digest (MD) buffer, five 32-bit words A, B, C, D, E, to the following
hexadecimal values (each word written most significant byte first, i.e., big-endian):
o A = 67 45 23 01
o B = EF CD AB 89
o C = 98 BA DC FE
o D = 10 32 54 76
o E = C3 D2 E1 F0
Step 5: Process Blocks

➢ Process each block M_j sequentially, one after the other.

Step 5.1: Copy the chaining variables A-E into the working variables a-e.

Step 5.2: Divide the current 512-bit block into 16 sub-blocks of 32 bits each.

Step 5.3: SHA-1 has four rounds, each consisting of 20 steps.

• Each step takes 3 inputs:

o a 32-bit word W[t] derived from the current 512-bit block

o the register abcde

o a constant K[t] (where t = 0 to 79); K[t] is fixed within a round, so there are four distinct constants:

Round   Value of t   K[t] (hex)
1       0 to 19      5A827999
2       20 to 39     6ED9EBA1
3       40 to 59     8F1BBCDC
4       60 to 79     CA62C1D6

Figure 4.15 SHA-1 Processing of a Single 160-Bit Block


Step 5.4: SHA-1 has a total of 80 steps (4 rounds × 20 steps). Each step t consists of the
following operation:
(a, b, c, d, e) <- (e + f_t(b, c, d) + S^5(a) + W[t] + K[t], a, S^30(b), c, d)
where,
abcde = The register made up of the 5 variables a, b, c, d, e
f_t = The logical function (process P) of round t, applied to b, c, d
S^k = Circular left shift of a 32-bit word by k bits
W[t] = A 32-bit word derived from the current 512-bit block
K[t] = One of the four additive constants (one per round)
+ = Addition modulo 2^32
Figure 4.16 SHA-1 Processing of a Single Round

➢ The process P (the logical function f_t) in each SHA-1 round:
• Round 1 (t = 0 to 19): f_t(b, c, d) = (b AND c) OR ((NOT b) AND d)
• Round 2 (t = 20 to 39): f_t(b, c, d) = b XOR c XOR d
• Round 3 (t = 40 to 59): f_t(b, c, d) = (b AND c) OR (b AND d) OR (c AND d)
• Round 4 (t = 60 to 79): f_t(b, c, d) = b XOR c XOR d

➢ The values of W[t] are calculated as follows:

• For the first 16 words of W (i.e., t = 0 to 15), the contents of the input
message sub-block M[t] become the contents of W[t].

• The remaining 64 values of W are derived using the equation

W[t] = S^1(W[t-16] XOR W[t-14] XOR W[t-8] XOR W[t-3])

➢ After step 79 the working variables a-e are added (modulo 2^32) to the chaining variables A-E;
the result is the chaining input for the next block and, after the last block, the 160-bit message
digest A||B||C||D||E.
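Added example, not taken from the notes: a from-scratch SHA-1 in Python following steps 1 to 5 above (padding, big-endian length field, the four round constants, the 80-step loop and the final addition), cross-checked against hashlib. Because the digest is nothing more than the final chaining value, the same code also demonstrates the length-extension attack that makes the secret-prefix construction H(S||M) unsafe as a MAC (compare mode (e) in 4.4, which uses H(M||S)). The secret, message and suffix are constructed for the example, and the attacker is assumed to know the length of S||M.

```python
import hashlib
import struct

# Four round constants, one per round of 20 steps (the notes' K[t], t = 0..79)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
# Step 4 initial chaining values A..E, as big-endian 32-bit words
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """S^n(x): circular left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def f(t: int, b: int, c: int, d: int) -> int:
    """The round-dependent logical function (process P) for step t."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def padding(total_len: int) -> bytes:
    """Steps 1-2 for a message of total_len bytes: a 1 bit, 0 bits up to 448 mod 512,
    then the 64-bit big-endian bit length."""
    zeros = (56 - (total_len + 1) % 64) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def compress(state: tuple, block: bytes) -> tuple:
    """Step 5 for one 512-bit block: expand 16 words to 80, run 80 steps, add to the state."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        temp = (rotl(a, 5) + f(t, b, c, d) + e + w[t] + K[t // 20]) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1(data: bytes, state: tuple = IV, prior_len: int = 0) -> bytes:
    """SHA-1 digest of data. `state` and `prior_len` let the computation resume from a
    known chaining value after prior_len bytes (prior_len must be a multiple of 64)."""
    msg = data + padding(prior_len + len(data))
    for i in range(0, len(msg), 64):
        state = compress(state, msg[i:i + 64])
    return struct.pack(">5I", *state)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check against hashlib's SHA-1."""
    return sha1(data) == hashlib.sha1(data).digest()


def length_extension(tag: bytes, known_len: int, suffix: bytes):
    """Given tag = SHA-1(S || M) and len(S || M), forge the tag of S || M || glue || suffix
    without knowing S: reload the chaining state from the tag and keep hashing.
    Returns (glue, forged_tag); the attacker sends M || glue || suffix with forged_tag."""
    glue = padding(known_len)
    forged = sha1(suffix, state=struct.unpack(">5I", tag), prior_len=known_len + len(glue))
    return glue, forged


if __name__ == "__main__":
    assert matches_stdlib(b"abc")
    secret = b"s3cr3t-key-14b"              # constructed; only its length (14) is assumed known
    msg = b"amount=10&to=alice"
    tag = sha1(secret + msg)                # the insecure secret-prefix MAC, H(S || M)
    glue, forged = length_extension(tag, len(secret) + len(msg), b"&to=mallory")
    assert forged == sha1(secret + msg + glue + b"&to=mallory")
    print("forged tag accepted for", msg + glue + b"&to=mallory")
```

The glue bytes are the padding the server itself would have appended, so the forged message parses as the original followed by the attacker's suffix; HMAC defeats this because its outer hash hides the inner chaining value.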

SHA-512
➢ The algorithm takes as input a message with a maximum length of less than 2^128 bits
and produces as output a 512-bit message digest. The input is processed in 1024-bit
blocks. Figure 4.17 depicts the overall processing of a message to produce a digest.
Figure 4.17 SHA-512 Structure

Step 1: Append padding bits

➢ The message is padded so that its length is congruent to 896 modulo 1024. Padding is
always added, even if the message is already of the desired length. So, the number of
padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit
followed by the necessary number of 0 bits.

Step 2: Append Length

➢ A block of 128 bits is appended to the message. This block is treated as an unsigned
128-bit integer that contains the length of the original message.

➢ The outcome of the first two steps produces a message that is an integer multiple of
1024 bits in length. In Figure 4.17, the expanded message is represented as the
sequence of 1024-bit blocks M_1, M_2, ..., M_N, so that the total length of the
expanded message is N × 1024 bits.

Step 3: Initialize hash buffer

➢ A 512-bit buffer is used to hold intermediate and final results of the hash function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These
registers are initialized to the following 64-bit integers (hexadecimal values), which are the
first 64 bits of the fractional parts of the square roots of the first eight prime numbers:
a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CD19137E2179
➢ These values are stored in big-endian format, in which the most significant byte of a
word is in the low-address byte position.

Step 4: Process message in 1024-bit (128-byte) blocks

➢ The heart of the algorithm is a module that consists of 80 rounds. Each round takes as input the
512-bit buffer value abcdefgh and updates the contents of the buffer.

Figure 4.18 SHA-512 Processing of a Single 1024-Bit Block

➢ Each round t makes use of a 64-bit value W_t derived from the current 1024-bit block, and a
64-bit additive constant K_t. The output of the last round is added to the input to the first
round (H_(i-1)) to produce H_i. Fig 4.18 shows the processing of a single 1024-bit block.
Step 5: Output
➢ After all N 1024-bit blocks have been processed, the output from the Nth stage is the
512-bit message digest.

➢ The behavior of SHA-512 is summarized as follows:

H_0 = IV
H_i = SUM_64(H_(i-1), abcdefgh_i)
MD = H_N
where,
IV = Initial value of the abcdefgh buffer, defined in step 3
abcdefgh_i = The output of the last round of processing of the ith message block
N = The number of blocks in the message (including the padding and length fields)
SUM_64 = Addition modulo 2^64 performed separately on each word of the pair of inputs
MD = Final message digest value
SHA-512 round function
➢ Fig. 4.19 shows single round operation.

Figure 4.19 SHA 512 Single Round Function


➢ Each round t is defined by the following set of equations, in which all additions are modulo 2^64:

T1 = h + Ch(e, f, g) + Σ1(e) + W_t + K_t
T2 = Σ0(a) + Maj(a, b, c)
h = g
g = f
f = e
e = d + T1
d = c
c = b
b = a
a = T1 + T2

where
Ch(e, f, g) = (e AND f) XOR ((NOT e) AND g)
Maj(a, b, c) = (a AND b) XOR (a AND c) XOR (b AND c)
Σ0(a) = ROTR^28(a) XOR ROTR^34(a) XOR ROTR^39(a)
Σ1(e) = ROTR^14(e) XOR ROTR^18(e) XOR ROTR^41(e)
ROTR^n(x) = circular right shift of the 64-bit word x by n bits
K_t = one of 80 64-bit additive constants (the first 64 bits of the fractional parts of the cube
roots of the first 80 prime numbers)
W_t = a 64-bit word derived from the current 1024-bit block (the first 16 words are the block itself,
the remaining 64 come from a message schedule)
➢ The assignments are listed in the order in which they must be performed: the old values are shifted
down one register (h <- g, ..., b <- a) before e and a receive their new values.
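Added example (not from the notes): SHA-512 implemented from the steps above, with the initialization vector and the 80 round constants derived at run time from the square and cube roots of the first primes rather than typed in, and the digest cross-checked against hashlib. The rotation amounts in Σ0, Σ1 and in the message schedule are those of FIPS 180-4; the helper names are assumptions made for this example.

```python
import hashlib
import struct
from math import isqrt

MASK64 = (1 << 64) - 1


def first_primes(n: int) -> list:
    """The first n primes, by trial division (enough for 80)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes


def icbrt(n: int) -> int:
    """Floor of the cube root of a non-negative integer (exact Newton iteration)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)        # starts above the root, decreases to it
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Step 3 initial values: first 64 fractional bits of sqrt(p) for the first 8 primes.
IV = tuple(isqrt(p << 128) & MASK64 for p in first_primes(8))
# Round constants K_t: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = tuple(icbrt(p << 192) & MASK64 for p in first_primes(80))


def rotr(x: int, n: int) -> int:
    """ROTR^n(x) on a 64-bit word."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def compress(H: tuple, block: bytes) -> tuple:
    """Step 4 for one 1024-bit block: message schedule, 80 rounds, then SUM_64."""
    W = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = rotr(W[t - 15], 1) ^ rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
        s1 = rotr(W[t - 2], 19) ^ rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
        W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = H
    for t in range(80):
        sigma1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        T1 = (h + sigma1 + ch + K[t] + W[t]) & MASK64
        sigma0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        T2 = (sigma0 + maj) & MASK64
        # the register shift of the notes' equations, done as one simultaneous assignment
        h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK64, c, b, a, (T1 + T2) & MASK64
    return tuple((x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h)))


def sha512(data: bytes) -> bytes:
    """Steps 1-5: pad to 896 mod 1024 bits, append the 128-bit length, compress each block."""
    zeros = (112 - (len(data) + 1) % 128) % 128
    msg = data + b"\x80" + b"\x00" * zeros + (len(data) * 8).to_bytes(16, "big")
    H = IV
    for i in range(0, len(msg), 128):
        H = compress(H, msg[i:i + 128])
    return struct.pack(">8Q", *H)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check against hashlib's SHA-512."""
    return sha512(data) == hashlib.sha512(data).digest()


if __name__ == "__main__":
    print("IV[0] = %016x, K[0] = %016x" % (IV[0], K[0]))
    print("sha512('abc') =", sha512(b"abc").hex())
    print("matches hashlib:", all(matches_stdlib(b"x" * n) for n in (0, 111, 112, 500)))
```

Deriving the constants from the primes is not just a convenience: it is the "nothing up my sleeve" argument that the SHA-2 constants contain no hidden structure, and it lets a reviewer check a constant table against the standard without trusting a copy.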

Characteristics of Secure Hash Algorithms


Difference between MD5 and SHA-1

4.7 Digital signature

➢ A digital signature is an authentication mechanism that enables the creator of a


message to attach a code, which acts as a signature.

➢ A digital signature is a cryptographic value that is calculated from the data and a private
key known only to the signer.

➢ The signature is formed by taking the hash of the message and encrypting that hash
with the creator's private key.

➢ The signature guarantees that the original content of the message or document that has been
sent is unchanged, and that it came from the holder of the private key.

Properties Digital Signature

• Verify author, date & time of signature

• Authenticate message contents at the time of signature

• Be verified by third parties to resolve disputes

Requirements of DS

➢ The signature must be a bit pattern that depends on the message being signed.

➢ The signature must use some information unique to the sender

- to prevent both forgery and denial

➢ It must be relatively easy to produce the DS.

➢ It must be relatively easy to recognize and verify the DS


➢ Be computationally infeasible to forge

• with new message for existing digital signature

• with fraudulent digital signature for given message

Figure 4.20 Model of Digital Signature


➢ Fig. 4.20 is a generic model of the process of making and using digital signatures.

➢ Bob can sign a message using a digital signature algorithm. The inputs to the
algorithm are the message and Bob’s private key. Any other user, say Alice, can
verify the signature using a verification algorithm, whose inputs are the message, the
signature and Bob’s public key.

Approaches of Digital Signature


Two categories
1. Direct Digital Signatures
2. Arbitrated Digital Signature
4.7.1 Direct Digital Signatures

Digital Signature Model


➢ A direct digital signature involves only two parties: the sender of the message and the
receiver. It is assumed that the receiver knows the sender's public key. Figure 4.21 shows the
DDS approach.

Figure 4.21 Direct Digital Signature

➢ The sender computes the hash code of the message and encrypts it with the sender's private key;
this encrypted hash is the signature, which is sent to the receiver together with the message.
➢ The receiver decrypts the signature with the sender's public key to recover the sender's hash code.
➢ The receiver computes the hash code of the received message and compares it with the sender's
hash code; the signature is valid only if the two match.
➢ The validity of the scheme depends on the security of the sender's private key: if the key is lost
or stolen, signatures can be forged.
Arbitrated Digital Signatures

➢ An arbitrated digital signature involves three parties: the sender, the receiver, and a trusted
arbiter through whom every signed message passes. The arbiter checks the signature, attaches a
timestamp and forwards the message to the receiver, so later disputes about whether and when a
message was signed can be resolved.

Figure 4.22 Arbitrated Digital Signature

➢ It involves use of an arbiter who


• validates any signed message
• then dated and sent to recipient
➢ Requires suitable level of trust in arbiter
➢ It can be implemented with either private or public-key algorithms
➢ The arbiter may or may not see message
There are three different Arbitrated DS

1) Conventional Encryption, Arbiter Sees Message


In this technique, symmetric encryption is used.

Drawback
A can read the message from X to Y like an eavesdropper
2) Conventional Encryption, Arbiter does not see message

3) Public key Encryption, Arbiter does not see message


4.8 Authentication Protocols
➢ An authentication protocol is a type of computer communications protocol or cryptographic protocol
specifically designed for the transfer of authentication data between two entities. It is a
fundamental layer of protection for secure communication within computer networks.

➢ Also, it is used to convince parties of each other’s identity and to exchange session
keys. They may be one-way or mutual.

➢ The important two issues are

• confidentiality – to protect session keys

• timeliness – to prevent replay attacks

Types of Replay attacks

1. Simple replay: the attacker simply copies a message and replays it later.

2. Repetition that can be logged: the attacker replays a timestamped message within its valid time window.

3. Repetition that cannot be detected: the original message is suppressed and never arrives at its
destination, so only the replayed message arrives.

4. Backward replay without modification: the attacker replays a message back to its sender. This attack
is possible if symmetric encryption is used and the sender cannot easily recognize the difference between
messages sent and messages received on the basis of content.

Countermeasures include

• Use of sequence numbers (generally impractical)

• Timestamps (needs synchronized clocks)

• Challenge/response (using unique nonce)

One-Way Authentication

➢ In one-way authentication, one party wishes to be convinced of the identity of


another party.

➢ It required when sender & receiver are not in communications at same time (eg. E-
mail)
Password based authentication

➢ A password is a front-line protection against unauthorized access (by an intruder) to the
system.

➢ It authenticates the claimed identity of the user and thereby protects the system.

1. Password Vulnerability

➢ Passwords can often be guessed, and can be captured if they are transmitted or stored in the clear.

➢ Mechanisms are therefore needed to keep passwords secret.

Some techniques to protect passwords

➢ Longer passwords

➢ System assistance in password selection

2. Encrypted Passwords

➢ Instead of storing the names and passwords in plain-text form, the system stores a one-way hash of
each password in the table (traditionally called "encrypted" passwords, although the transformation is a
keyless hash rather than an encryption), so that reading the table does not reveal the passwords.

3. One-time passwords

➢ When a session begins, the system supplies or selects a fresh password that is valid only for that
session, so a password captured by an eavesdropper cannot be reused.

Password selection strategies

➢ A password that is too short is too easy to guess.

➢ A password of 8 truly random characters drawn from a large alphabet is hard to guess online, but it is
not impossible to crack offline once the hash file has been stolen, so the storage method matters as well.
In order to eliminate guessable passwords four techniques are suggested.

1. User education

2. Computer generated password

3. Reactive password checking

4. Proactive password checking

Certificate based authentication


➢ A certificate-based authentication scheme is a scheme that uses a public key
cryptography and digital certificate to authenticate a user.

➢ A digital certificate is an electronic form that contains identification data, public key,
and the digital signature of a certification authority derived from that certification
authority’s private key.

➢ When a user signs on to the server, he provides his digital certificate that has the
public key and signature of the certification authority.

➢ The server then confirms the validity of the digital signature and if the certificate has
been issued by a trusted certificate authority or not. The server then authenticates the
user with public key cryptography to confirm the user is in possession of the private
key associated with the certificate. Fig. 4.23 shows the certificate-based
authentication.

Fig. 4.23 Certificate based authentication


• Step 1: A sends his certificate.
• Step 2: B verifies the certificate: the name, the validity period, the issuing CA and its signature, etc.
• Step 3: B then sends a fresh nonce R.
• Step 4: A responds by signing (encrypting) the nonce with his private key, E(PR_A, R).

• Step 5: When B receives E(PR_A, R), he decrypts it with A's public key from the certificate and
compares the result with the nonce he sent in step 3.
• Step 6: If they match, he concludes that A possesses the private key corresponding to
the public key in his certificate.
Mutual Authentication

➢ Mutual authentication, also called two-way authentication, is a process or technology


in which both entities in a communications link authenticate each other. In a network
environment, the client authenticates the server and vice-versa.

Two techniques
1. Based on a shared secret key
2. Using public key cryptography
Based on a shared secret key
➢ In this authentication approach, a secret key is shared between the two parties, the source
and the destination.
➢ The scheme is also known as a "Challenge-Response protocol"

➢ Let KA,B be the shared secret key between Alice and Bob

Figure 4.24 The Challenge-Response Protocol


➢ ‘A’ sends her identity to ‘B’
➢ ‘B’ sends a challenge RB back to ‘A’
➢ ‘A’ responds to the challenge by encrypting RB with KA,B (denoted by KA,B (RB)), and
sending it back to ‘B’

➢ ‘A’ challenges ‘B’ by sending RA


➢ ‘B’ responds to the challenge by sending the encrypted message KA,B(RA)
➢ Now A and B are mutually authenticated.
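Added example, not from the notes: both sides of the shared-key challenge-response exchange above, with "encrypting the nonce under K_A,B" instantiated as HMAC-SHA256 over the nonce and the two party names (a keyed one-way function is what practical implementations use; binding the names prevents a response produced for one direction from being reused in the other). The class and function names, the 128-bit nonce size and the use of a MAC instead of a block cipher are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class Party:
    """One side of the shared-key challenge-response protocol of Figure 4.24."""

    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self.key = shared_key          # K_A,B, known only to Alice and Bob
        self.pending = None            # the nonce we issued and are waiting on

    def challenge(self) -> bytes:
        """Issue a fresh 128-bit nonce R; only one challenge is outstanding at a time."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def respond(self, nonce: bytes, to: str) -> bytes:
        """K_A,B(R): prove knowledge of the key for this specific nonce and direction."""
        data = nonce + self.name.encode() + to.encode()
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def verify(self, response: bytes, peer: str) -> bool:
        """Accept only a response to our outstanding nonce, then retire that nonce."""
        if self.pending is None:
            return False
        data = self.pending + peer.encode() + self.name.encode()
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        self.pending = None            # a nonce is never accepted twice
        return hmac.compare_digest(response, expected)


def run_protocol(alice: Party, bob: Party) -> bool:
    """The five messages of the notes: A, R_B, K(R_B), R_A, K(R_A)."""
    # 1. A -> B: "A"   (Alice's identity; nothing to compute)
    # 2. B -> A: R_B
    r_b = bob.challenge()
    # 3. A -> B: K_A,B(R_B)
    if not bob.verify(alice.respond(r_b, to=bob.name), peer=alice.name):
        return False                   # Bob has not authenticated Alice
    # 4. A -> B: R_A
    r_a = alice.challenge()
    # 5. B -> A: K_A,B(R_A)
    return alice.verify(bob.respond(r_a, to=alice.name), peer=bob.name)


def replay_is_rejected(alice: Party, bob: Party) -> bool:
    """An eavesdropper records K(R_B) from one run and replays it in a later run.
    Bob's new nonce makes the old response useless: timeliness through nonces."""
    recorded = alice.respond(bob.challenge(), to=bob.name)
    bob.verify(recorded, peer=alice.name)      # the first run completes normally
    bob.challenge()                            # a new session, hence a new R_B
    return not bob.verify(recorded, peer=alice.name)


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed K_A,B for the demo
    print("mutual authentication:", run_protocol(Party("Alice", key), Party("Bob", key)))
    print("replayed response rejected:", replay_is_rejected(Party("Alice", key), Party("Bob", key)))
```

Two details carry the security of the exchange: the verifier compares against the nonce it issued (never one supplied by the peer), and the nonce is retired after one use, so a recorded K(R) is worthless in any later session.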
Using public key cryptography
➢ In this approach, Alice sends Bob her identity A and a random number R_A, encrypted with Bob's
public key E_B (message 1).

➢ When Bob receives this message, he sends Alice back a message containing Alice's random number
R_A, his own random number R_B and a proposed session key K_S, encrypted with Alice's public key
(message 2).

➢ When Alice gets message 2, she decrypts it using her private key.

➢ Finding her own random number R_A in message 2, Alice knows that message 2 is from Bob, because
only Bob could have decrypted message 1 to learn R_A. Alice then agrees to the session by sending
back R_B encrypted with the session key, K_S(R_B) (message 3).

➢ When Bob decrypts message 3 with the session key he generated and finds R_B, he knows that Alice
received message 2 and verified R_A.

4.9 Digital Signature Standard (DSS)


➢ The Digital Signature Standard (DSS) is a NIST standard (FIPS 186) that specifies the Digital
Signature Algorithm (DSA), developed by the U.S. National Security Agency (NSA), to generate a digital
signature for the authentication of electronic documents. The DSS makes use of the Secure Hash
Algorithm (SHA) and presents a new digital signature technique.

Two approaches to Digital Signature


• DSS Approach
• RSA Approach

4.9.1 DSS Approach


➢ The DSS approach for generating digital signatures differs from that used with RSA.

➢ It makes use of a hash function. Figure 4.25 shows the DSS approach.

➢ The hash code is provided as input to a signature function along with a random
number k generated for this particular signature.

➢ The signature function also depends on the sender's private key (PR_a) and a set of
parameters known to a group of communicating principals, referred to as the global public
key (PU_G).

➢ The resulting signature consists of two components, s and r.

➢ At the receiving end, the hash code of the incoming message is generated and, together with the
signature, the sender's public key and the global public key, is input to a verification function.
The output of the verification function is a value that is equal to the signature
component r if the signature is valid.
Fig: 4.25 DSS Approach

4.9.2 RSA Approach


➢ In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length.
➢ This hash code is then encrypted using the sender's private key to form the signature.
Both the message and the signature are then transmitted.
➢ The recipient takes the message and produces a hash code. The recipient also decrypts
the signature using the sender's public key.
➢ If the calculated hash code matches the decrypted signature, the signature is accepted
as valid.

Fig:4.26 RSA Approach


➢ Because only the sender knows the private key, only the sender could have produced
a valid signature. Figure 4.26 shows RSA approach.
Digital Signature Algorithm

➢ There are three parameters that are public and can be common to a group of users.
➢ A 160-bit prime number q is chosen.
➢ Then, a prime number p is selected with a length between 512 and 1024 bits such that
q divides (P-1).
➢ Choose g = h(p-1)/q where 1<h<p-1 and h(p-1)/q mod p > 1
private key
• choose random private key x where x < q
Public key
• compute public key: y = gx mod p

➢ To create a signature, a user calculates two quantities, r and s, that are functions of the
public key components (p, q, g), the user's private key (x), the hash code of the
message, H(M), and an additional integer k that must be generated randomly or
pseudorandomly, kept secret, and be unique for each signing.

Computes signature pair

r = (g^k mod p) mod q

s = [k^-1 (H(M) + x r)] mod q

➢ If either r or s comes out as 0, a new k is chosen and the pair is recomputed.
➢ Now, sends signature (r, s) with message M

Signature Verification

➢ After receiving M and the signature (r, s), the recipient first checks that 0 < r < q and
0 < s < q (otherwise the signature is rejected outright), then computes:
w = s^-1 mod q
u1 = [H(M) w] mod q
u2 = (r w) mod q
v = [(g^u1 y^u2) mod p] mod q
➢ If v = r then the signature is verified. Figure 4.27 shows DSS signing and verifying.
(a) Signing (b) Verifying

Fig: 4.27 DSS Signing and Verifying

4.10 Entity Authentication

➢ Entity authentication is a technique designed to let one party prove the identity of
another party. An entity can be a person, a process, a client, or a server. The entity
whose identity needs to be proved is called the claimant; the party that tries to prove
the identity of the claimant is called the verifier.

Data-Origin Versus Entity Authentication

➢ There are two differences between message authentication (data-origin
authentication) and entity authentication.
1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be
repeated for each new message. Entity authentication authenticates the claimant for
the entire duration of a session.

Verification Categories

➢ In entity authentication, the claimant must identify herself to the verifier. This can be
done with one of three kinds of witnesses.
• Something known
o This is a secret known only by the claimant that can be checked by the
verifier. Examples are a password, a PIN, a secret key, and a private
key.
• Something possessed
o This is something the claimant holds that can prove the claimant's identity. Examples
are a passport, a driver's license, a credit card, a hardware token etc.
• Something inherent
o This is an inherent characteristic of the claimant. Examples are
conventional signatures, fingerprints, voice and handwriting.
4.11 Passwords

➢ The simplest and oldest method of entity authentication is password-based
authentication, where the password is something that the claimant knows. A password
is used when a user needs to access a system to use the system's resources (login).
Each user has a user identification that is public, and a password that is private. The
authentication schemes divide into two groups.
• Fixed Password
• One-Time Password
4.11.1 Fixed Password

➢ A fixed password is a password that is used over and over again for every access.
First Approach
➢ The system keeps a table (a file) that is sorted by user identification. To access the
system resources, the user sends their identification and password, in plaintext, to the
system. The system uses the identification to find the password in the table. If the
password sent by the user matches the password in the table, access is granted;
otherwise, it is denied. Fig. 4.28 shows this approach.
Figure 4.28 First Approach in Fixed password
Attacks on the First Approach
• Eavesdropping
• Stealing a password
• Accessing a password file
• Guessing
Second Approach

➢ A more secure approach is to store the hash of the password (instead of the plaintext
password) in the password file. Even if an attacker can read the contents of the file, the hash
function is a one-way function, so the password cannot be recovered from the stored hash
directly. Figure 4.29 shows this approach: when the password is created, the system hashes it
and stores the hash in the password file.

Figure 4.29 Second Approach in Fixed password


➢ When the user sends the ID and the password, the system creates a hash of the
password and then compares the hash value with the one stored in the table. If there is
a match, the user is granted access otherwise access is denied.

Attacks on the second approach

➢ Dictionary Attack

Third Approach

➢ The third approach is called salting the password. When the password is created,
a random string, called the salt, is concatenated to the password. The salted password is
then hashed. The ID, the salt and the hash are then stored in the file. When a user asks
for access, the system extracts the salt, concatenates it with the received password,
makes a hash out of the result and compares it with the hash stored in the file. If there
is a match, access is granted; otherwise it is denied.
➢ Figure 4.30 shows this approach.

Figure 4.30 Third Approach in Fixed password

➢ Salting makes the dictionary attack more difficult. If the original password is 6 digits
and the salt is 4 digits, then hashing is done over a 10-digit value. A single precomputed table of
the 10^6 possible passwords no longer works: the attacker must hash each candidate under every
possible salt (10^10 hashes), or repeat the whole dictionary separately for each user's salt.
Two users with the same password also get different hashes, so one cracked entry reveals nothing about the other.

Fourth Approach
➢ In the fourth approach, two identification techniques are combined. A good example of
this type of authentication is the use of an ATM card with a PIN (personal
identification number).
▪ Card – something possessed
▪ PIN – something known
➢ The PIN is a password that enhances the security of the card. If the card is stolen, it
cannot be used unless the PIN is also known.
➢ The PIN number is very short, so it is easily remembered by the owner. But this makes
it vulnerable to the guessing type of attack.
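The second and third approaches above, side by side, with the dictionary attack that separates them. This is an added example, not code from the notes; the user names, passwords and word list are constructed for it, and SHA-256 stands in for the unspecified hash function.

```python
# Added example (not part of the notes). Constructed users and word list;
# SHA-256 as the hash function; 16-byte random salt per user.
import hashlib
import hmac
import secrets

WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "s3cret!"]  # constructed
USERS = {"alice": "hunter2", "bob": "qwerty", "carol": "Tr0ub4dor&3"}         # constructed

def unsalted_entry(password):
    """Second approach: the file stores only H(password)."""
    return hashlib.sha256(password.encode()).digest()

def salted_entry(password, salt=None):
    """Third approach: the file stores (salt, H(salt || password))."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()

def check_salted(entry, candidate):
    """Login check: recompute H(salt || candidate) and compare in constant time."""
    salt, stored = entry
    digest = hashlib.sha256(salt + candidate.encode()).digest()
    return hmac.compare_digest(digest, stored)

def build_files(users):
    unsalted = {uid: unsalted_entry(pw) for uid, pw in users.items()}
    salted = {uid: salted_entry(pw) for uid, pw in users.items()}
    return unsalted, salted

def attack_unsalted(password_file, wordlist):
    """One precomputed table, built once, cracks every user in the file at once."""
    table = {unsalted_entry(word): word for word in wordlist}      # len(wordlist) hashes
    cracked = {uid: table[h] for uid, h in password_file.items() if h in table}
    return cracked, len(wordlist)

def attack_salted(password_file, wordlist):
    """With salts the attacker must rehash the word list separately for each user."""
    cracked, hashes_computed = {}, 0
    for uid, entry in password_file.items():
        for word in wordlist:
            hashes_computed += 1
            if check_salted(entry, word):
                cracked[uid] = word
                break
    return cracked, hashes_computed

if __name__ == "__main__":
    unsalted_file, salted_file = build_files(USERS)
    print(attack_unsalted(unsalted_file, WORDLIST))   # weak passwords found, 6 hashes
    print(attack_salted(salted_file, WORDLIST))       # same passwords found, 15 hashes
```

The salt multiplies the attacker's work by the number of users but does nothing against a single targeted account with a weak password; in practice the single SHA-256 call is replaced by a deliberately slow key derivation function (PBKDF2, scrypt or Argon2) so that each guess costs much more.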

4.11.2 One-Time Password


➢ A one-time password is a password that is used only once.
First Approach
➢ In this approach, the user and the system agree upon a list of passwords. Each
password on the list can be used only once.
Drawbacks
➢ The system and the user must keep a long list of passwords.
➢ If the user does not use the passwords in sequence, the system needs to perform a long
search to find the match.
Second Approach
➢ In the second approach, the user and the system agree to sequentially update the
password.
Third Approach
➢ In the third approach, the user and the system create a sequentially updated password
using a hash function.
➢ In this approach, elegantly devised by Leslie Lamport, the user and the system agree
upon an original password, P0, and a counter n. The system calculates h^n(P0), where h^n
means applying the hash function n times, and stores (n, h^n(P0)) in the user's entry. Figure 4.31
shows how the user accesses the system the first time.
Figure 4.31 Third Approach in One-time password
➢ When the system receives the response of the user in the third message, h^(n-1)(P0), it applies the
hash function once to the value received to see if it matches the value stored in the entry.
➢ If there is a match, access is granted; otherwise it is denied. The system then
decrements the value of n in the entry and replaces the old value of the password
h^n(P0) with the new value h^(n-1)(P0).
➢ When the user tries to access the system for the second time, the value of the counter it
receives is n-1. The third message from the user is now h^(n-2)(P0).
➢ When the system receives this message, it applies the hash function to get h^(n-1)(P0),
which can be compared with the updated entry.
➢ The value of n in the entry is decremented each time there is an access. When the
value becomes 0, the user can no longer access the system; everything must be set up
again. For this reason, the value of n is normally chosen as a large number such as
1000. An eavesdropper who captures h^(n-1)(P0) gains nothing: the entry now holds that value,
and the next login must present its preimage h^(n-2)(P0), which cannot be computed from it.
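Lamport's scheme as described above, with the server keeping (n, h^n(P0)) per user and the client answering the counter it is sent. This is an added example, not code from the notes; SHA-256 as h, the user name and the value of P0 are assumptions made here.

```python
# Added example (not part of the notes). Assumptions: SHA-256 as h,
# constructed user name and P0, a small n so the chain can be exhausted quickly.
import hashlib

def h(value):
    return hashlib.sha256(value).digest()

def hash_chain(p0, times):
    """h^times(P0): apply h 'times' times (h^0(P0) is P0 itself)."""
    value = p0
    for _ in range(times):
        value = h(value)
    return value

class OtpServer:
    def __init__(self):
        self.entries = {}                        # uid -> (n, h^n(P0))

    def enroll(self, uid, p0, n=1000):
        self.entries[uid] = (n, hash_chain(p0, n))

    def challenge(self, uid):
        """Second message: the counter the user must hash P0 up to, n-1."""
        n, _ = self.entries[uid]
        return n - 1

    def verify(self, uid, response):
        """Third message: accept if h(response) equals the stored value, then roll the entry."""
        n, stored = self.entries[uid]
        if n == 0 or h(response) != stored:      # chain exhausted, wrong value, or a replay
            return False
        self.entries[uid] = (n - 1, response)    # n := n-1, stored := h^(n-1)(P0)
        return True

class OtpClient:
    def __init__(self, p0):
        self.p0 = p0

    def respond(self, counter):
        return hash_chain(self.p0, counter)      # h^(n-1)(P0) on the first login

def login(server, client, uid):
    """One complete access: challenge, response, verification."""
    return server.verify(uid, client.respond(server.challenge(uid)))

if __name__ == "__main__":
    server, client = OtpServer(), OtpClient(b"correct horse battery")
    server.enroll("alice", b"correct horse battery", n=3)
    print([login(server, client, "alice") for _ in range(4)])   # [True, True, True, False]
```

Note that the very last usable login (n = 1) sends h^0(P0) = P0 itself over the network, so re-enrolment must use a fresh P0, not the old one; real deployments usually stop one step earlier.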

4.12 Challenge Response protocols


➢ In challenge-response authentication, the claimant proves that she knows a secret
without sending it to the verifier.
➢ The challenge is a time-varying value sent by the verifier; the response is the result of
a function applied on the challenge.

Using a Symmetric-Key Cipher


➢ Several approaches to challenge-response authentication use symmetric key
encryption. The secret here is the shared secret key, known by both the claimant and
the verifier. The function is the encrypting algorithm applied on the challenge.

First Approach
➢ In this approach, the verifier sends a nonce, a random number used only once, to
challenge the claimant.
➢ A nonce must be time-varying; every time it is created, it is different. The claimant
responds to the challenge using the secret key shared between the claimant and the
verifier. Figure 4.32 shows this first approach.

Figure 4.32 First Approach using Symmetric Key Cipher

➢ The first message is not part of the challenge-response exchange; it only informs the verifier that the
claimant wants to be challenged.
➢ The second message is the challenge; RB is the nonce randomly chosen by the verifier
(Bob) to challenge the claimant.
➢ The claimant encrypts the nonce using the secret key known only to the
claimant and the verifier and sends the result to the verifier.
➢ The verifier decrypts the message. If the nonce obtained from decryption is the same
as the one sent by the verifier, Alice is granted access. Because each nonce is used only once,
a captured response is useless against any later challenge.
Second Approach
➢ In this approach, the time-varying value is a timestamp, which obviously changes
with time. The challenge message is the current time sent from the verifier to the
claimant.
➢ The claimant knows the current time. The first and second messages can be
combined.
➢ The result is that authentication can be done using one message. The figure 4.33
shows this approach.

Figure 4.33 Second Approach using Symmetric Key Cipher

Third Approach
➢ The first and second approaches provide unidirectional authentication: Alice is
authenticated to Bob, but not the other way round.
➢ If Alice also needs to be sure about Bob's identity, bidirectional (mutual)
authentication is needed. Figure 4.34 shows the third approach.
➢ The second message, RB, is the challenge from Bob to Alice. In the third message,
Alice responds to Bob's challenge and at the same time sends her own challenge, RA, to
Bob. The fourth message is Bob's response.
➢ In the fourth message the order of RA and RB is switched, so that Bob's response can never
be identical to a value Alice has already sent; this prevents a replay (reflection) attack.
Figure 4.34 Third Approach using Symmetric Key Cipher

Using Keyed-Hash Functions


➢ Instead of using encryption/decryption for entity authentication, we can also use a
keyed-hash function (MAC).
➢ It protects the integrity of the challenge and response messages while still using
a secret key, and the verifier never has to decrypt anything. Figure 4.35 shows how a
keyed-hash function is used to create a challenge-response exchange with a timestamp.

Figure 4.35 Keyed Hash Function

➢ Here, the timestamp is sent both as plaintext and as the output of the keyed-hash
function applied to it.
➢ When Bob receives the message, he takes the plaintext T, applies the keyed-hash
function with the shared key and then compares his calculation with what he received to determine the
authenticity of Alice. Bob must also check that T is recent and that he has not already accepted
the same T from Alice; otherwise the single message can simply be replayed.
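The symmetric challenge-response variants above (nonce, mutual with the RA/RB order switched, and the single keyed-hash message with a timestamp) in one runnable exchange showing both sides. This is an added example, not code from the notes; HMAC-SHA256 is used as the keyed-hash function, and the identities, shared key and 30-second freshness window are assumptions made here.

```python
# Added example (not part of the notes). Assumptions: HMAC-SHA256 as the keyed
# hash, 16-byte nonces, a 30 s clock-skew window, identities "alice"/"bob".
import hashlib
import hmac
import secrets
import time

def tag(key, *parts):
    """Keyed hash over length-prefixed parts, so (ID, R_B, R_A) cannot be re-split."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Party:
    def __init__(self, ident, key, window=30):
        self.ident, self.key, self.window = ident, key, window
        self.pending = {}      # peer -> (nonce we issued, nonce they issued)
        self.seen = set()      # (peer, timestamp) pairs already accepted

    # nonce based: first approach is messages 2 and 3, third approach adds message 4
    def challenge(self, peer):
        """Message 2: the verifier sends R_B."""
        nonce = secrets.token_bytes(16)
        self.pending[peer] = (nonce, None)
        return nonce

    def respond(self, peer, their_nonce):
        """Message 3: answer R_B and issue our own challenge R_A."""
        my_nonce = secrets.token_bytes(16)
        self.pending[peer] = (my_nonce, their_nonce)
        return my_nonce, tag(self.key, self.ident.encode(), their_nonce, my_nonce)

    def check_response(self, peer, their_nonce, their_tag):
        """Verify MAC(ID_A, R_B, R_A); on success return message 4, MAC(ID_B, R_A, R_B)."""
        my_nonce, _ = self.pending.pop(peer, (None, None))
        if my_nonce is None:
            return None
        expected = tag(self.key, peer.encode(), my_nonce, their_nonce)
        if not hmac.compare_digest(expected, their_tag):
            return None
        # order switched (R_A before R_B): the reply never equals anything Bob received
        return tag(self.key, self.ident.encode(), their_nonce, my_nonce)

    def check_final(self, peer, their_tag):
        """Alice verifies message 4."""
        my_nonce, their_nonce = self.pending.pop(peer, (None, None))
        if my_nonce is None or their_nonce is None:
            return False
        expected = tag(self.key, peer.encode(), my_nonce, their_nonce)
        return hmac.compare_digest(expected, their_tag)

    # timestamp based: the keyed-hash form of Figure 4.35
    def timestamp_auth(self, now=None):
        """Single message: T in the clear plus MAC(ID, T)."""
        ts = int(time.time() if now is None else now)
        return ts, tag(self.key, self.ident.encode(), ts.to_bytes(8, "big"))

    def check_timestamp(self, peer, ts, their_tag, now=None):
        now = time.time() if now is None else now
        if abs(now - ts) > self.window or (peer, ts) in self.seen:   # stale or replayed
            return False
        expected = tag(self.key, peer.encode(), ts.to_bytes(8, "big"))
        if not hmac.compare_digest(expected, their_tag):
            return False
        self.seen.add((peer, ts))
        return True

def mutual_auth(alice, bob):
    """Third approach end to end; stop after check_response for the first approach."""
    r_b = bob.challenge(alice.ident)                     # message 2
    r_a, msg3 = alice.respond(bob.ident, r_b)            # message 3
    msg4 = bob.check_response(alice.ident, r_a, msg3)    # Bob now trusts Alice
    return msg4 is not None and alice.check_final(bob.ident, msg4)

if __name__ == "__main__":
    key = b"shared secret between alice and bob"
    print(mutual_auth(Party("alice", key), Party("bob", key)))   # True
```

Binding the identity into the MAC together with the switched nonce order is what defeats reflection: an attacker who opens a second session with Bob to get him to answer his own challenge receives MAC(ID_B, ...) and can never turn it into the MAC(ID_A, ...) Bob expects.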
Using an Asymmetric-Key Cipher
➢ In this case, the verifier encrypts the challenge with the public key of the claimant;
the claimant decrypts the challenge with her private key. Only the holder of the private key can recover the nonce.
First Approach
➢ It is the unidirectional approach. Bob encrypts the challenge using Alice’s public key.
➢ Alice decrypts the message with her private key and sends the nonce to Bob. Figure
4.36 shows this approach.

Figure 4.36 First Approach using Asymmetric Key Cipher

Second Approach
➢ It is the bidirectional approach. In this approach, two public keys are used, one in each
direction.
➢ Alice sends her identity and nonce encrypted with Bob's public key. Bob responds
with his nonce encrypted with Alice's public key.
➢ Finally, Alice responds with Bob's decrypted nonce. Figure 4.37 shows this
approach.
Figure 4.37 Second Approach using Asymmetric Key Cipher

Using Digital Signature


➢ Entity authentication can also be achieved using a digital signature. When a digital signature is
used for entity authentication, the claimant uses her private key for signing and the verifier
checks the signature with the claimant's public key.

First approach
➢ In this first approach, Bob uses a plaintext challenge and Alice signs the response.
Figure 4.38 shows this approach.

Figure 4.38 First Approach using Digital Signature


Second Approach
➢ In this approach, Alice and Bob authenticate each other. Figure 4.39 shows this
approach.

Figure 4.39 Second Approach using Digital Signature

4.13 Biometrics
➢ Biometrics is the measurement of physiological or behavioral features that identify a
person (authentication by something inherent).
➢ It measures features that cannot be guessed, stolen or shared in the way a password can.
Note, however, that a stored biometric template can still be copied, and a biometric, unlike a
password, cannot be changed if it is compromised.
➢ Figure 4.40 shows the classification of biometrics.
Components
➢ Several components are needed for biometrics, including capturing devices,
processors and storage devices.
➢ Capturing devices such as readers or sensors measure biometrics features. Processors
change the measured features to the type of data appropriate for saving.
➢ Storage devices save the result of processing for authentication.
Enrollment
➢ The corresponding feature of each person in the community must be in the
database before any biometric technique can be used for authentication. This is referred to
as enrollment.

Authentication

➢ Authentication is done by verification and identification.

Verification

➢ A person's feature is matched against a single record in the database (one-to-one
matching) to find if she/he is who she/he claims to be.

Identification

➢ A person’s feature is matched against all records in the database to find if she/he has a
record in the database.

Techniques

➢ Biometrics techniques can be divided into two broad categories.

o Physiological

o Behavioral

4.13.1 Physiological Techniques

➢ These techniques measure the physical traits of the human body for verification and
identification. The trait should be unique to each person and should not change with
aging, surgery, illness, disease and so on. There are several physiological
techniques.

Finger Print

➢ Fingerprints have been used for a long time. They show a high level of accuracy and
support verification and identification. It can be altered by aging, injury or disease.
Figure 4.40 Classification of Biometrics
Iris

➢ It measures the pattern within the iris that is unique for each person. Iris scans are very
accurate and stable over a person's life. They support verification and identification.

Retina

➢ The devices for this purpose examine the blood vessels in the back of the eyes. But
these devices are expensive and not common yet.

Face

➢ This technique analyses the geometry of the face based on the distance between facial
features such as the nose, mouth and eyes. It supports verification and
identification.

Hands

➢ This technique measures the dimension of hands, including the shape and length of
the fingers. It is suitable for verification and identification.

Voice

➢ It measures pitch, cadence and tone in the voice. It can be used locally or remotely.
This method is used for verification.

DNA

➢ It is the chemical found in the nucleus of all cells of humans and most other
organisms. The pattern is persistent throughout life and even after death. It is
extremely accurate. It can be used for verification and identification. The only
problem is that identical twins may share the same DNA.

4.13.2 Behavioral Techniques

➢ These measure some human behaviour traits. The claimant needs to be monitored to ensure she
behaves normally and does not attempt to impersonate someone else.

Signature
➢ Biometric approaches use signature tablets and special pens to identify the person.
Signatures are mostly used for verification.

Keystroke

➢ It measures the behaviour of a person related to working with a keyboard. It can
measure the duration of key depression, the time between keystrokes, number and
frequency of errors, the pressure on the keys and so on.

4.14 Authentication Applications


➢ Authentication is the process of recognizing a user's identity. It is the mechanism of
associating an incoming request with a set of identifying credentials.

➢ Most widely used services:

• Kerberos

• X.509

➢ Kerberos – a secret-key (symmetric) authentication service built around a trusted third party

➢ X.509 – a public-key directory authentication service built around certificates

4.15 Kerberos
➢ It is a network authentication protocol designed to allow users, clients and servers to
authenticate themselves to each other through a trusted third party.

➢ Kerberos was designed and developed as part of Project Athena at MIT.

➢ It is done with Symmetric encryption- using no public keys

➢ It provides centralised private-key third-party authentication in a distributed network


➢ Kerberos has gone through several versions. Version 4 was the first to be released outside
of MIT; version 5 is the current one.

➢ This mutual authentication is done using secret key cryptography with parties proving
to each other their identity across an insecure network

➢ Communication between the client and server can be secure after the client and server
have used Kerberos to prove their identity.

Kerberos Requirements

➢ Security – strong enough that a potential eavesdropper does not find it to be the weak
link

➢ Reliability- is highly reliable employing a distributed server where one server is able
to back up another.

➢ Transparency – the user is not aware that authentication is taking place beyond providing
a password.

➢ Scalability – accept and support new clients and servers.

• To meet these requirements, the Kerberos designers proposed a trusted third-party
authentication service to arbitrate between the client and server in their mutual
authentication.

Kerberos Version 4

Kerberos Overview

➢ Kerberos Version 4 makes use of DES, to provide the authentication service. Figure
4.41 shows overview of Kerberos.

A Simple Authentication Dialogue

➢ For a secure transaction, the server should confirm the identity of the client and its request. On
an unprotected network this places a burden on every server, therefore a central authentication server (AS) is used.

➢ The authentication server (AS) knows the passwords of all users and keeps them in a centralized database.
Also, the authentication server shares a unique secret key with each server.

➢ (1) C -> AS : IDC || PC || IDV
❖ C = client
❖ AS = authentication server
❖ IDC = identifier of user on C
❖ PC = password of user on C
❖ IDV = identifier of server V
❖ C asks the user for the password and forwards it, with the identifiers, to the AS (in this simple dialogue the password travels in the clear, one of the reasons the dialogue is later refined)
❖ AS checks that the user supplied the right password and is allowed to use server V
➢ (2) AS -> C: Ticket
➢ Ticket = E(KV, [IDC || ADC || IDV])
• KV = secret encryption key shared by AS and V
• ADC = network address of C
• Ticket cannot be altered by C or an adversary, because it is encrypted under KV, which neither knows
➢ (3) C -> V: IDC || Ticket
Figure 4.41 Overview of Kerberos

Secure Authentication Dialogue

➢ The new service, TGS, issues tickets to users who have been authenticated to AS.
Thus, the user first requests a ticket-granting ticket (Tickettgs) from the AS. The client
module in the user workstation saves this ticket. Each time the user requires access to
a new service, the client applies to the TGS, using the ticket to authenticate itself.

➢ The TGS then grants a ticket for the particular service. The client saves each service-
granting ticket and uses it to authenticate its user to a server each time a particular
service is requested. The client requests a ticket-granting ticket on behalf of the user
by sending its user's ID and password to the AS, together with the TGS ID, indicating
a request to use the TGS service.
➢ The AS responds with a ticket that is encrypted with a key that is derived from the
user's password. When this response arrives at the client, the client prompts the user
for his or her password, generates the key, and attempts to decrypt the incoming
message. If the correct password is supplied, the ticket is successfully recovered.

➢ The ticket itself consists of the ID and network address of the user, and the ID of the
TGS.

Once per user logon session:


(1) C -> AS: IDC||IDtgs
(2) AS -> C: E(Kc, Tickettgs)
Once per type of service:
(3) C ->TGS: IDC||IDV||Tickettgs
(4) TGS -> C: Ticketv
Once per service session:
(5) C -> V: IDC||Ticketv

Tickettgs = E(Ktgs, [IDC||ADC||IDtgs||TS1||Lifetime1])


Ticketv = E(Kv, [IDC||ADC||IDv||TS2||Lifetime2])
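The five-message dialogue above run end to end, with each of the AS, TGS and server V holding only its own key and checking the ticket fields (IDC, ADC, timestamp and lifetime) before acting. This is an added example, not code from the notes or from any Kerberos implementation: the symmetric cipher is a stand-in built from SHA-256 and HMAC (version 4 used DES), and the key derivation, realm salt, names, addresses and lifetimes are assumptions made for it.

```python
# Added example (not part of the notes). Assumptions: SHA-256/HMAC stream
# cipher as E(K, ...), PBKDF2 as the password-to-key function, constructed
# realm with user "alice", the TGS and a "print" service, lifetimes 8 h / 5 min.
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()

def encrypt(key, fields):
    """E(K, [fields]) as nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt(); raises if the blob was altered or the key is wrong."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("ticket altered or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))

def user_key(password):
    """Kc, derived from the user's password; known to the user and the AS only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 50_000)

class AuthenticationServer:
    def __init__(self, user_keys, tgs_key):
        self.user_keys, self.tgs_key = user_keys, tgs_key

    def request_tgt(self, idc, adc, idtgs, now):
        """(1) C -> AS: IDC || IDtgs      (2) AS -> C: E(Kc, Tickettgs)"""
        ticket_tgs = encrypt(self.tgs_key, {"IDC": idc, "ADC": adc, "IDtgs": idtgs,
                                            "TS1": now, "Lifetime1": 8 * 3600})
        return encrypt(self.user_keys[idc], {"Tickettgs": ticket_tgs.hex()})

class TicketGrantingServer:
    def __init__(self, tgs_key, service_keys):
        self.tgs_key, self.service_keys = tgs_key, service_keys

    def request_ticket(self, idc, adc, idv, ticket_tgs, now):
        """(3) C -> TGS: IDC || IDV || Tickettgs      (4) TGS -> C: Ticketv"""
        t = decrypt(self.tgs_key, ticket_tgs)             # only the TGS holds Ktgs
        if t["IDC"] != idc or t["ADC"] != adc:
            raise PermissionError("ticket-granting ticket does not match the requester")
        if now > t["TS1"] + t["Lifetime1"]:
            raise PermissionError("ticket-granting ticket expired")
        return encrypt(self.service_keys[idv], {"IDC": idc, "ADC": adc, "IDV": idv,
                                                "TS2": now, "Lifetime2": 5 * 60})

class ApplicationServer:
    def __init__(self, idv, key):
        self.idv, self.key = idv, key

    def accept(self, idc, adc, ticket_v, now):
        """(5) C -> V: IDC || Ticketv"""
        t = decrypt(self.key, ticket_v)                   # only V holds Kv
        return (t["IDC"] == idc and t["ADC"] == adc and t["IDV"] == self.idv
                and now <= t["TS2"] + t["Lifetime2"])

def client_session(password, idc, adc, idv, as_, tgs, server, now):
    """The client side of (1)-(5); a wrong password makes decrypt() fail at step (2)."""
    reply = as_.request_tgt(idc, adc, "tgs", now)
    ticket_tgs = bytes.fromhex(decrypt(user_key(password), reply)["Tickettgs"])
    ticket_v = tgs.request_ticket(idc, adc, idv, ticket_tgs, now)
    return server.accept(idc, adc, ticket_v, now)

# constructed realm: one user, the TGS and one print service
TGS_KEY, PRINT_KEY = secrets.token_bytes(32), secrets.token_bytes(32)
AS = AuthenticationServer({"alice": user_key("correct horse")}, TGS_KEY)
TGS = TicketGrantingServer(TGS_KEY, {"print": PRINT_KEY})
PRINT = ApplicationServer("print", PRINT_KEY)

if __name__ == "__main__":
    print(client_session("correct horse", "alice", "10.0.0.7", "print", AS, TGS, PRINT, 1_700_000_000))
```

Two things worth noticing when running it: the AS never sees or checks the password (a wrong password simply fails to decrypt message (2)), and because message (2) is encrypted under a password-derived key, anyone who captures it can try passwords offline, which is the password attack noted later under version 5.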
Kerberos Realms

➢ A Kerberos realm is a set of managed nodes that share the same Kerberos database.
The Kerberos database resides on the Kerberos master computer system, which
should be kept in a physically secure room.
➢ A read-only copy of the Kerberos database might also reside on other Kerberos
computer systems. However, all changes to the database must be made on the master
computer system.
➢ Changing or accessing the contents of a Kerberos database requires the Kerberos
master password.
➢ A Kerberos principal is a service or user that is known to the Kerberos system. Each
Kerberos principal is identified by its principal name. Principal names consist of three
parts: a service or user name, an instance name, and a realm name.
Fig. 4.42 Request for service in another realm

The details of the exchanges illustrated in Figure 4.42 are as follows:

(1) C -> AS: IDc||IDtgs||TS1


(2) AS -> C: E(Kc, [Kc,tgs||IDtgs||TS2||Lifetime2||Tickettgs])
(3) C -> TGS: IDtgsrem||Tickettgs||Authenticatorc
(4) TGS -> C: E(Kc,tgs, [Kc,tgsrem||IDtgsrem||TS4||Tickettgsrem])
(5) C ->TGSrem: IDvrem||Tickettgsrem||Authenticatorc
(6) TGSrem -> C: E(Kc,tgsrem, [Kc,vrem||IDvrem||TS6||Ticketvrem])
(7) C -> Vrem: Ticketvrem||Authenticatorc

Kerberos Version 5

Kerberos Version 5 is specified in RFC 1510 (since superseded by RFC 4120) and provides a number of
improvements over version 4.

Version 5 is intended to address the limitations of version 4 in two areas: environmental
shortcomings and technical deficiencies.
Environmental Shortcomings

1. Encryption system dependence: Version 4 requires the use of DES. Export restriction on
DES as well as doubts about the strength of DES were thus of concern. In version 5,
ciphertext is tagged with an encryption type identifier so that any encryption technique may
be used. Encryption keys are tagged with a type and a length, allowing the same key to be
used in different algorithms and allowing the specification of different variations on a given
algorithm.
2. Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP)
addresses. Other address types, such as the ISO network address, are not accommodated.
Version 5 network addresses are tagged with type and length, allowing any network address
type to be used.
3. Message byte ordering: In version 4, the sender of a message employs a byte ordering of
its own choosing and tags the message to indicate least significant byte in lowest address or
most significant byte in lowest address. This technique works but does not follow established
conventions. In version 5, all message structures are defined using Abstract Syntax Notation
One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte
ordering.
4. Ticket lifetime: Lifetime values in version 4 are encoded in an 8-bit quantity in units of
five minutes. Thus, the maximum lifetime that can be expressed is 2^8 x 5 = 1280 minutes, or
a little over 21 hours. This may be inadequate for some applications (e.g., a long-running
simulation that requires valid Kerberos credentials throughout execution). In version 5,
tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
5. Authentication forwarding: Version 4 does not allow credentials issued to one client to
be forwarded to some other host and used by some other client. This capability would enable
a client to access a server and have that server access another server on behalf of the client.
6. Interrealm authentication: In version 4, interoperability among N realms requires on the
order of N^2 Kerberos-to-Kerberos relationships, as described earlier. Version 5 supports a
method that requires fewer relationships, as described shortly.

Technical Deficiencies
1. Double encryption: The tickets provided to clients are encrypted twice, once with the
secret key of the target server and then again with a secret key known to the client. The
second encryption is not necessary and is computationally wasteful.
2. PCBC encryption: Encryption in version 4 makes use of a nonstandard mode of DES
known as propagating cipher block chaining (PCBC). It has been demonstrated that this mode
is vulnerable to an attack involving the interchange of ciphertext blocks. Version 5 provides
explicit integrity mechanisms, allowing the standard CBC mode to be used for encryption.
3. Session keys: Each ticket includes a session key that is used by the client to encrypt the
authenticator sent to the service associated with that ticket. In addition, the session key may
subsequently be used by the client and the server to protect messages passed during that
session. However, because the same ticket may be used repeatedly to gain service from a
particular server, there is the risk that an opponent will replay messages from an old session
to the client or the server. In version 5, it is possible for a client and server to negotiate a sub-
session key, which is to be used only for that one connection.
4. Password attacks: Both versions are vulnerable to a password attack. The message from the AS
to the client includes material encrypted with a key based on the client's password, so an
opponent who captures it can try candidate passwords offline until one decrypts it correctly.
Version 5 provides a mechanism known as preauthentication, which makes such attacks more
difficult but does not prevent them.

4.16 X.509 Certificate


➢ An X.509 certificate is a digital certificate that uses the widely accepted international
X.509 public key infrastructure (PKI) standard to verify that a public key belongs to
the user, computer or service identity contained within the certificate.

➢ An X.509 certificate contains a public key and an identity (a hostname, or an
organization, or an individual), and is either signed by a certificate authority or self-signed.
When a certificate is signed by a trusted certificate authority, or validated by
other means, someone holding that certificate can rely on the public key it contains to
establish secure communications with another party, or validate documents digitally
signed by the corresponding private key.

Issued by a Certification Authority (CA)


It consists of
• version V (1, 2, or 3)
• serial number SN (unique within CA) identifying certificate
• signature algorithm identifier AI
• issuer X.500 name CA
• period of validity TA (from - to dates)
• subject X.500 name A (name of owner)
• subject public-key info Ap (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA

Fig. 4.43 Public-key Certificate

Certificates

➢ The heart of the X.509 scheme is the public-key certificate associated with each user.
These user certificates are assumed to be created by some trusted certification
authority (CA) and placed in the directory by the CA or by the user.
➢ The directory server itself is not responsible for the creation of public keys or for the
certification function. Figure 4.43 illustrates the generation of public-key certificates.
Fig. 4.44 X.509 Formats
➢ Version: Differentiates among successive versions (1, 2, and 3) of the certificate
format.
➢ Serial number: An integer value unique within the issuing CA.
➢ Signature algorithm identifier: The algorithm used to sign the certificate together
with any associated parameters.
➢ Issuer name: the name of the CA that created and signed this certificate.
➢ Period of validity: Consists of two dates: the first and last on which the certificate is
valid.
➢ Subject name: The name of the user to whom this certificate refers.
➢ Subject’s public-key information: The public key of the subject, plus an identifier
of the algorithm for which this key is to be used, together with any associated
parameters.
➢ Issuer unique identifier: (optional) used to identify uniquely the issuing CA.
➢ Subject unique identifier :( optional) used to identify uniquely the subject.
➢ Extensions: A set of one or more extension fields.
➢ Signature: It contains the hash code of the other fields encrypted with the CA's
private key. This field includes the signature algorithm identifier.
The standard uses the following notation to define a certificate: CA<<A>> = CA {V, SN, AI,
CA, TA, A, Ap}
Where Y <<X>> = the certificate of user X issued by certification authority Y
Y {I} = the signing of I by Y. It consists of I with an encrypted hash code appended

V- Version of the certificate


SN- serial number of the certificate
AI- identifier of the algorithm used to sign the certificate
CA- name of CA
A- Name of user A
Ap- public key of user A
TA- period of validity of the certificate
Obtaining a Certificate
➢ Any user with access to the public key of the CA can verify the user public key that was certified
➢ No party other than the CA can modify a certificate without this being detected
➢ Because certificates are unforgeable, they can be placed in a public directory
CA Hierarchy
➢ If both users share a common CA then they are assumed to know its public key
➢ Otherwise CA's must form a hierarchy
➢ Use certificates linking members of hierarchy to validate other CA's
⚫ each CA holds forward certificates (certificates of this CA issued by other CAs) and reverse certificates (certificates this CA has issued to other CAs)
➢ Each client trusts parents certificates
➢ Enable verification of any certificate from one CA by users of all other CAs in
hierarchy
Certificate Revocation
➢ Certificates have a period of validity
➢ May need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
➢ Each CA maintains a list of revoked certificates
1. The Certificate Revocation List (CRL), signed by the CA, listing the serial numbers of the revoked certificates together with the issue date of the list and the date of the next scheduled update
➢ Users should check every certificate they rely on against the issuing CA's current CRL, since an unexpired certificate is not necessarily still valid.
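A miniature certificate directory in the CA<<A>> notation used above, with a two-level CA hierarchy and a CRL, and the chain validation a relying party performs: issuer-name matching, signature verification under the issuer's key, validity period and revocation check. This is an added example, not code from the notes. Signatures use textbook RSA over hardcoded Mersenne primes purely so that the block runs stand-alone; that is a toy stand-in, not a usable signature scheme. The names, serial numbers and dates (YYYYMMDD integers) are constructed.

```python
# Added example (not part of the notes). Assumptions: toy RSA on known Mersenne
# primes, SHA-256 of the JSON-serialised fields as the signed hash, constructed
# hierarchy Root -> DeptCA -> Alice, dates as YYYYMMDD integers.
import hashlib
import json

E = 65537
MERSENNE = [(1 << k) - 1 for k in (61, 89, 107, 127, 521, 607)]   # all Mersenne primes

def make_rsa_key(p, q):
    """Toy RSA key from two known primes: n = pq, d = e^-1 mod (p-1)(q-1)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _representative(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(key, data):
    return pow(_representative(data, key["n"]), key["d"], key["n"])

def rsa_verify(pub_n, data, signature):
    return pow(signature, E, pub_n) == _representative(data, pub_n)

def tbs_bytes(tbs):
    return json.dumps(tbs, sort_keys=True).encode()

def issue(ca_name, ca_key, subject, subject_n, serial, not_before, not_after):
    """CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}: the fields with the CA's signature appended."""
    tbs = {"V": 3, "SN": serial, "AI": "sha256-with-toy-rsa", "CA": ca_name,
           "TA": [not_before, not_after], "A": subject, "Ap": subject_n}
    return {"tbs": tbs, "sig": rsa_sign(ca_key, tbs_bytes(tbs))}

def validate_chain(chain, anchor, crl, today):
    """chain[0] is the end-entity certificate; chain[-1] must be issued by the trust anchor.

    For every link: the issuer name matches the next certificate (or the anchor), the
    signature verifies under that issuer's public key, 'today' lies inside the validity
    period, and (issuer, serial) is not on the CRL.
    """
    for i, cert in enumerate(chain):
        t = cert["tbs"]
        if i + 1 < len(chain):
            issuer_name, issuer_n = chain[i + 1]["tbs"]["A"], chain[i + 1]["tbs"]["Ap"]
        else:
            issuer_name, issuer_n = anchor["name"], anchor["n"]
        if t["CA"] != issuer_name:
            return False, f"{t['A']}: issuer {t['CA']} is not {issuer_name}"
        if not rsa_verify(issuer_n, tbs_bytes(t), cert["sig"]):
            return False, f"{t['A']}: signature does not verify under {issuer_name}"
        if not t["TA"][0] <= today <= t["TA"][1]:
            return False, f"{t['A']}: outside validity period"
        if (t["CA"], t["SN"]) in crl:
            return False, f"{t['A']}: serial {t['SN']} revoked by {t['CA']}"
    return True, "ok"

def build_pki():
    """Constructed hierarchy: Root (trust anchor) -> DeptCA -> Alice."""
    root_key = make_rsa_key(MERSENNE[4], MERSENNE[5])
    dept_key = make_rsa_key(MERSENNE[2], MERSENNE[3])
    alice_key = make_rsa_key(MERSENNE[0], MERSENNE[1])
    dept_cert = issue("Root", root_key, "DeptCA", dept_key["n"], 1, 20240101, 20341231)
    alice_cert = issue("DeptCA", dept_key, "Alice", alice_key["n"], 42, 20240601, 20250601)
    anchor = {"name": "Root", "n": root_key["n"]}
    return anchor, dept_cert, alice_cert

if __name__ == "__main__":
    anchor, dept_cert, alice_cert = build_pki()
    print(validate_chain([alice_cert, dept_cert], anchor, set(), 20250101))
    print(validate_chain([alice_cert, dept_cert], anchor, {("DeptCA", 42)}, 20250101))
```

Note that revoking the intermediate CA's own certificate (("Root", 1) on the CRL) invalidates every certificate below it even though none of them is listed, which is why a relying party must check revocation at every level of the hierarchy, not only for the end entity.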
