Module 4 : Integrity, Authentication and Digital Certificates

A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).

A "good" hash function has the property that the results of applying the function to a large set of inputs will produce outputs that are evenly distributed and apparently random.

In general terms, the principal object of a hash function is data integrity. A change to any bit or bits in M results, with high probability, in a change to the hash code.

The kind of hash function needed for security applications is referred to as a cryptographic hash function.

A cryptographic hash function is an algorithm for which it is computationally infeasible to find either

(a) a data object that maps to a pre-specified hash result (the one-way, or preimage-resistance, property), or

(b) two data objects that map to the same hash result (the collision-free, or collision-resistance, property).

A related requirement, second-preimage resistance, is that given one data object M it is infeasible to find a different M' with H(M') = H(M); this is the property an attacker who wants to substitute one document for another must defeat.

Because of these characteristics, hash functions are often used to determine whether or not data has changed.
Applications of Cryptographic Hash Functions

To better understand some of the requirements and security implications for cryptographic hash functions, it is useful to look at the range of applications in which they are employed.

1. MESSAGE AUTHENTICATION

Message authentication is a mechanism or service used to verify the integrity of a message. Message
authentication assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay).

In many cases, there is a requirement that the authentication mechanism assures that the purported identity of the sender is valid. When a hash function is used to provide message authentication, the hash function value is often referred to as a message digest.
A Common Scenario

The sender computes a hash value as a function of the bits in the message and transmits both the hash value and the message. The receiver performs the same hash calculation on the message bits and compares this value with the incoming hash value. If there is a mismatch, the receiver knows that the message (or possibly the hash value) has been altered.
An Attack Scenario (MiTM)

The hash value must be transmitted in a secure fashion. That is, the hash value must be protected so that if an adversary alters or replaces the message, it is not feasible for the adversary to also alter the hash value to fool the receiver. An unkeyed hash on its own gives no such protection, because anyone can recompute it over a modified message.

This type of attack is shown in the figure. In this example, Alice transmits a data block and attaches a hash value. Darth intercepts the message, alters or replaces the data block, and calculates and attaches a new hash value.

Bob receives the altered data with the new hash value and does not detect the change. To prevent this attack, the hash value generated by Alice must be protected.
How to Protect Hash Values from Attacks

a. The message plus concatenated hash code is encrypted using symmetric encryption.
Because only A and B share the secret key, the message must have come from A and has
not been altered. The hash code provides the structure or redundancy required to achieve
authentication. Because encryption is applied to the entire message plus hash code,
confidentiality is also provided.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.

c. It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message. (Caution for implementers: the order matters with Merkle-Damgård hashes such as MD5 and SHA-1. The mirror construction H(S || M) is vulnerable to length extension: an attacker who knows H(S || M) and the length of S can compute a valid hash for M followed by extra data without knowing S. HMAC, covered later in this module, avoids this.)
d. Confidentiality can be added to the approach of method (c) by encrypting the entire message plus the hash code.
Message Authentication is achieved using a Message Authentication Code (MAC), also known as a keyed hash function. Typically, MACs are used between two parties that share a secret key to authenticate information exchanged between those parties.

A MAC function takes as input a secret key and a data block and produces a hash value, referred to as
the MAC, which is associated with the protected message.

If the integrity of the message needs to be checked, the MAC function can be applied to the message
and the result compared with the associated MAC value.

An attacker who alters the message will be unable to alter the associated MAC value without
knowledge of the secret key. Note that the verifying party also knows who the sending party is because
no one else knows the secret key.

Note that the combination of hashing and encryption results in an overall function that is, in fact, a
MAC. That is, E(K, H(M)) is a function of a variable-length message M and a secret key K, and it
produces a fixed-size output that is secure against an opponent who does not know the secret key. In
practice, specific MAC algorithms are designed that are generally more efficient than an encryption
algorithm.
2. DIGITAL SIGNATURES

Another important application, which is similar to the message authentication application, is the digital signature. The operation of the digital signature is similar to that of the MAC.

In the case of the digital signature, the hash value of a message is encrypted
with a user’s private key.

Anyone who knows the user’s public key can verify the integrity of the message
that is associated with the digital signature.

In this case, an attacker who wishes to alter the message would need to know the user's private key.
a. The hash code is encrypted with
the sender’s private key. This
provides authentication. It also
provides a digital signature,
because only the sender could
have produced the encrypted hash
code. In fact, this is the essence of
the digital signature technique.

b. If confidentiality as well as a
digital signature is desired, then
the message plus the private-key-
encrypted hash code can be
encrypted using a symmetric
secret key. This is a common
technique.
Other Applications

Hash functions are commonly used to create a one-way password file. In this scheme a hash of a password is stored by an operating system rather than the password itself. Thus, the actual password is not retrievable by an attacker who gains access to the password file. In simple terms, when a user enters a password, the hash of that password is compared to the stored hash value for verification. This approach to password protection is used by most operating systems. In practice the stored value is a salted, deliberately slow hash (for example bcrypt, scrypt or PBKDF2) rather than a bare MD5 or SHA-1 digest, because a fast unsalted hash lets an attacker test billions of guesses per second and recover every user who chose a common password with a single precomputed table.
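A one-way password file done the way a practitioner should, as an added example that is not part of the original text: salted, memory-hard scrypt (from Python's standard hashlib) with a constant-time comparison on verify, beside a short demonstration of why an unsalted fast hash fails against a precomputed dictionary. The record format `scrypt$N$salt$hash`, the cost parameters, the function names and the wordlist are this example's own constructions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (this example's choice): n = 2^14, r = 8 needs ~16 MiB per guess,
# which is what makes large-scale offline guessing expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm $ cost $ salt $ derived key (hex)."""
    salt = os.urandom(16) if salt is None else salt          # fresh random salt per user
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    algo, n, salt_hex, dk_hex = record.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed stand-in for an attacker's wordlist.
WORDLIST = ["password", "123456", "qwerty", "letmein", "secret"]


def crack_unsalted_md5(stored_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Why a bare fast hash is not enough: one table built once recovers every user
    whose stored value appears in it, with no per-user work."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored_hex)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("wrong", rec))
    print("unsalted md5 cracked:", crack_unsalted_md5(hashlib.md5(b"password").hexdigest()))
```

Two hashes of the same password differ because of the salt, so an attacker cannot spot users who share a password, and cannot reuse one precomputed table across the whole file.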

Hash functions can be used for intrusion detection and virus detection. Store H(F) for each file on a
system and secure the hash values (e.g., on a CD-R that is kept secure). One can later determine if a
file has been modified by recomputing H(F). An intruder would need to change F without changing H(F).
Properties of Hash Functions

There are 4 main properties of hash functions:

1) It is quick to compute the hash value of any given message.

2) It is infeasible to recover a message from its hash value except by trying all the possible inputs. (One-Way Function, or preimage resistance)

3) A small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value. (Avalanche Effect)

4) It is infeasible to find two different messages with the same hash value. (Collision Resistance)
Message Digest 5 (MD5)

MD5 is quite fast and produces a 128-bit message digest.

The input text is processed in 512-bit blocks (which are further divided into 16 32-bit sub-blocks).

The output of the algorithm is a set of four 32-bit blocks, which make up the 128-bit message digest.
Working of MD 5

Step 1: Padding

The aim of this step is to make the length of the original message equal to a value which is 64 bits less than an exact multiple of 512 bits.

For example, if the length of the original message is 1000 bits, we add a padding of 472 bits to make the length of the message 1472 bits, because 1536 = 512 x 3 and 1536 - 64 = 1472.

The padding consists of a single 1 bit followed by as many 0 bits as required (between 1 and 512 padding bits in total).

Note: padding bits are always added, even if the length is already 64 bits less than an exact multiple of 512 (in that case a full 512 bits of padding are added).

Step 2: Append Length

After the padding bits are added, the length of the original message (before padding) is expressed as a 64-bit value, i.e. the bit length modulo 2^64, and appended to the end of (original message + padding). MD5 writes this length least-significant byte first (little-endian). The total length is now an exact multiple of 512 bits.
Step 3: Divide the input into 512 bit blocks

Step 4: Initialise the chaining variables:

In this step, four variables (called chaining variables) are initialized. They are
called A,B,C and D.

Each of these is a 32-bit number. The initial values of the chaining variables, listed byte by byte in the little-endian order MD5 uses, are as follows:

A : 01 23 45 67    C : FE DC BA 98
B : 89 AB CD EF    D : 76 54 32 10

Read as 32-bit words these are A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE and D = 0x10325476.

Step 5: Process Blocks:

After all the initializations, the real algorithm begins. There is a loop that runs once for each 512-bit block, as follows:

5.1: Copy the 4 chaining variables into four corresponding working variables a, b, c and d: a = A, b = B, c = C, d = D.

5.2: Divide the current 512-bit block into 16 sub-blocks. Thus, each sub-block contains 32 bits.

5.3: We have 4 ROUNDS. In each round, we process all the 16 sub-blocks belonging to a block. The inputs to each round are

a) all the 16 sub-blocks,

b) the variables a, b, c, d, and

c) some constants, designated as K.

After the fourth round, the working variables are added (modulo 2^32) to the chaining variables: A = A + a, B = B + b, C = C + c, D = D + d. The values of A, B, C, D after the last block form the 128-bit digest.
Internal Operations of each Round

All the four rounds vary in one major way: step 1 of the four rounds has different processing. The other steps in all the four rounds are the same.

In each round we have 16 input sub-blocks named M[0], M[1], ..., M[15].

Also K is an array of constants. It contains 64 elements, each consisting of 32 bits, denoted K[0], K[1], ..., K[63] (the MD5 specification calls this table T, with K[i] = floor(2^32 x |sin(i + 1)|)). Since there are 4 rounds, we use 16 values out of K in each round.

The round functions, applied to the working variables (b, c, d) in rounds 1 to 4 respectively, are:

F(B,C,D) = (B and C) or (not(B) and D)
G(B,C,D) = (B and D) or (C and not(D))
H(B,C,D) = B xor C xor D
I(B,C,D) = C xor (B or not(D))

With generic arguments: F(X,Y,Z) = (X and Y) or (not(X) and Z), G(X,Y,Z) = (X and Z) or (Y and not(Z)), H(X,Y,Z) = X xor Y xor Z, I(X,Y,Z) = Y xor (X or not(Z)).


Internal Operations of each Round

1. A process F is first performed on b, c, d. This process is different in all the 4 rounds (F, G, H or I above).

2. The variable a is added to the output of the process F.

3. The message sub-block M[i] is added to the output of step 2.

4. The constant K[i] is added to the output of step 3.

5. The output of step 4 is circularly left shifted by s bits.

6. The variable b is added to the output of step 5.

7. The output of step 6 becomes the new b.

8. All other variables are rotated right by one position: a = d, d = c, c = b.

All additions are modulo 2^32. Which sub-block M[i] and which shift amount s are used depends on the round and on the step within the round.
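The five steps above carried through as working code. This is an added example written for this page, not code from the original slides: a from-scratch MD5 in Python that follows the slides' step numbering (padding, length append, chaining variables, four rounds of sixteen steps, register rotation) and checks itself against Python's hashlib. The constants K[i] are generated from the sine formula in RFC 1321; the shift table S and the sub-block index for each round also come from that RFC. Do not use this in production; it exists so that each step of the slides can be read next to the code that performs it.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# The 64 additive constants K[i] = floor(2^32 * |sin(i + 1)|) (RFC 1321 table T).
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
# Circular left-shift amounts s, sixteen per round.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_pad(msg: bytes) -> bytes:
    """Steps 1 and 2: a single 1 bit, then 0 bits up to 64 bits short of a multiple
    of 512, then the original length in bits as a 64-bit little-endian integer."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"                                   # the 1 bit (padding is always added)
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)       # 0 bits up to 448 mod 512
    return padded + struct.pack("<Q", bit_len)               # 64-bit length, little-endian


def md5(msg: bytes) -> bytes:
    # Step 4: chaining variables. The slides' byte listing "01 23 45 67" is the
    # little-endian memory view of the word 0x67452301.
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(msg)
    for start in range(0, len(padded), 64):                  # Steps 3 and 5: one 512-bit block each
        M = struct.unpack("<16I", padded[start:start + 64])  # 5.2: sixteen 32-bit sub-blocks
        a, b, c, d = A, B, C, D                              # 5.1: working copies
        for i in range(64):                                  # 5.3: 4 rounds x 16 steps
            if i < 16:                                       # round 1: F(b, c, d), M[i]
                f, g = (b & c) | (~b & d), i
            elif i < 32:                                     # round 2: G(b, c, d), M[5i+1 mod 16]
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:                                     # round 3: H(b, c, d), M[3i+5 mod 16]
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                                            # round 4: I(b, c, d), M[7i mod 16]
                f, g = c ^ (b | ~d), (7 * i) % 16
            # steps 2-4: add a, the sub-block and the constant; step 5: rotate; step 6: add b
            f = (f + a + K[i] + M[g]) & MASK
            new_b = (b + rotl(f, S[i])) & MASK
            # steps 7-8: the result becomes b, the other variables shift right one place
            a, b, c, d = d, new_b, b, c
        # feed-forward: add the working variables back into the chaining variables
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)                    # 4 x 32 bits = 128-bit digest


def matches_hashlib(msg: bytes) -> bool:
    """Self-check against the reference implementation in the standard library."""
    return md5(msg) == hashlib.md5(msg).digest()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        assert matches_hashlib(sample)
        print(sample, md5(sample).hex())
    # the slides' example: a 1000-bit (125-byte) message pads to 1536 bits (192 bytes)
    print("padded length of 125-byte message:", len(md5_pad(b"x" * 125)), "bytes")
```

The padding helper is worth reading on its own: a 56-byte message is already "64 bits short of a multiple of 512", yet it still gains a full extra block, exactly as the slides state.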


Secure Hash Algorithm-1

The output of the SHA-1 message digest is 160 bits in length, which is 32 bits more than MD5.

SHA-1 is designed to be computationally infeasible to

a) obtain the original message, given its message digest, or

b) find two messages producing the same message digest.

(Both MD5 and SHA-1 have since been broken with respect to (b): practical collisions have been published for both, so neither should be used where collision resistance matters, such as digital signatures or certificates.)
Working of SHA-1

Step 1 : Padding

Like MD5, the first step in SHA-1 is to add padding to the end of the original message in such a way that the length of the message is 64 bits short of a multiple of 512.

The padding bits are always added, even if the message is already 64 bits short of a multiple of 512.
Working of SHA-1

Step 2 : Append Length

The length of the message excluding the length of the padding is now calculated
and appended to the end of the padding as a 64 bit block.
Working of SHA-1

Step 3 : Divide the Input

The input message is now divided into blocks, each of length 512 bits. These
blocks become the input to the message-digest processing logic.
Working of SHA-1

Step 4 : Initialize Chaining Variables

5 Chaining variables, A,B,C,D and E are initialized each of 32 bits.

In SHA, the variables A through D have the same values as they had in MD5,
additionally, E is initialized as HEX C3 D2 E1 F0.
Working of SHA-1

Step 5 : Process Blocks

Step 5.1 : Copy the Chaining variables A-E into variables a-e. The combination of
a-e, called abcde will be considered as a single register for storing the
temporary intermediate as well as final results.
Working of SHA-1

Step 5 : Process Blocks

Step 5.2 : Divide the current 512 bit block into 16 sub blocks each consisting of
32 bits.
Working of SHA-1

Step 5 : Process Blocks

Step 5.3 : SHA-1 has 4 rounds, each consisting of 20 steps, for 80 steps in total.

Each step takes the current 512-bit block (through the word schedule W[t] described below), the register abcde and a constant K[t], t ranging from 0 to 79. It then updates the contents of the register abcde using the SHA-1 algorithm steps.

A major difference is the fact that we had 64 different constants defined as K in MD5. Here we have only 4 distinct constants for K[t], one used in each of the 4 rounds. Also, the 32-bit words and the appended length are big-endian in SHA-1, whereas MD5 is little-endian.
Working of SHA-1

Step 5 : Process Blocks

Step 5.3 :

Round   Value of t between   K[t] in hexadecimal
1       0 and 19             5A 82 79 99
2       20 and 39            6E D9 EB A1
3       40 and 59            8F 1B BC DC
4       60 and 79            CA 62 C1 D6
Working of SHA-1

Step 5 : Process Blocks

Step 5.4 : SHA-1 consists of 4 rounds, each consisting of 20 iterations. This makes it a total of 80 iterations.
Working of SHA-1

Step 5 : Process Blocks

Step 5.4 : Process P in each SHA-1 Round

Round   Process P
1       (b AND c) OR ((NOT b) AND d)
2       b XOR c XOR d
3       (b AND c) OR (b AND d) OR (c AND d)
4       b XOR c XOR d

Each iteration t computes temp = S^5(a) + P(b, c, d) + e + K[t] + W[t] (mod 2^32) and then sets e = d, d = c, c = S^30(b), b = a, a = temp, where S^n denotes a circular left shift by n bits. After the 80 iterations the register abcde is added to the chaining variables A to E.
Working of SHA-1

Step 5 : Process Blocks

Step 5.4 : Calculation of W[t]

The values of W[t] are calculated as follows:

For the first 16 words of W (i.e. t = 0 to t = 15), the contents of the input message sub-blocks become the contents of W[t] straightaway.

The remaining 64 values (t = 16 to 79) are calculated using the equation:

W[t] = S^1 (W[t-3] XOR W[t-8] XOR W[t-14] XOR W[t-16])

where S^1 is a circular left shift by one bit.
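SHA-1 as working code, an added example that is not the slides' own code, with one practitioner extra: because the function exposes its chaining variables, it can resume from a known digest, which is exactly the length-extension attack that breaks the naive H(secret || M) keyed-hash construction mentioned under "How to Protect Hash Values" (the slides' H(M || S) ordering is not affected, but the reversed order is what developers often write). The `length_extension` helper, the function names and the sample secret and messages are this example's own constructions; the algorithm constants are those of the SHA-1 specification.

```python
import hashlib
import struct
from typing import Optional, Sequence

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # chaining variables A..E


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_pad(msg: bytes, total_len: Optional[int] = None) -> bytes:
    """Steps 1 and 2: a 1 bit, 0 bits to 64 bits short of a multiple of 512, then the
    64-bit big-endian bit length. total_len lets a caller pad `msg` as if it were the
    tail of a longer message (used by the length-extension demo)."""
    if total_len is None:
        total_len = len(msg)
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - (total_len + 1) % 64) % 64)
    return padded + struct.pack(">Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def sha1(msg: bytes, state: Optional[Sequence[int]] = None, prefix_len: int = 0) -> bytes:
    """SHA-1 of msg. With `state` (five words) and `prefix_len`, compression resumes from
    that state as if prefix_len bytes (a whole number of blocks) had already been absorbed."""
    h = list(state) if state is not None else list(IV)
    padded = sha1_pad(msg, prefix_len + len(msg))
    for start in range(0, len(padded), 64):                       # Step 3: 512-bit blocks
        W = list(struct.unpack(">16I", padded[start:start + 64]))  # 5.2 / 5.4: W[0..15]
        for t in range(16, 80):                                   # W[16..79] from the schedule
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        a, b, c, d, e = h                                         # 5.1: register abcde
        for t in range(80):                                       # 4 rounds x 20 iterations
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + W[t]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]  # feed-forward
    return struct.pack(">5I", *h)


def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).digest()


def length_extension(known_digest: bytes, known_len: int, extra: bytes):
    """Given H(secret || msg) and only len(secret || msg), produce the glue padding and
    H(secret || msg || glue || extra) without knowing the secret. The glue is the padding
    the original hash absorbed, which depends only on the length."""
    glue = sha1_pad(b"\x00" * known_len)[known_len:]
    state = struct.unpack(">5I", known_digest)
    forged = sha1(extra, state=state, prefix_len=known_len + len(glue))
    return glue, forged


def extension_attack_works(secret: bytes, msg: bytes, extra: bytes) -> bool:
    tag = sha1(secret + msg)                                      # what a naive H(S || M) scheme sends
    glue, forged = length_extension(tag, len(secret) + len(msg), extra)
    # the receiver recomputes H(secret || received message) and accepts the forgery
    return forged == sha1(secret + msg + glue + extra)


if __name__ == "__main__":
    print("sha1('abc') =", sha1(b"abc").hex())
    # constructed inputs: the attacker knows msg and the tag, and guesses len(secret) = 10
    print("extension succeeds:", extension_attack_works(b"s3cret-key", b"amount=10&to=alice", b"&to=mallory"))
```

In practice the attacker does not know the secret's length, but trying each plausible length costs one hash per guess, so that is no obstacle. The forged message contains the glue bytes (0x80, zeros and the length field); many parsers tolerate them, which is why HMAC's outer hash, not an extra check on the message, is the fix.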


MD5 vs SHA-1

Digest length: 128 bits (MD5) vs 160 bits (SHA-1). Work per 512-bit block: 64 steps (MD5) vs 80 steps (SHA-1). Constants: 64 (MD5) vs 4 (SHA-1). Byte order: little-endian (MD5) vs big-endian (SHA-1). Both share the same padding and length-append scheme, and both are now considered broken for collision resistance.
Hash Based Message Authentication Code

HMAC combines a secret key K with an ordinary hash function H (MD5, SHA-1, SHA-256, ...). Let b be the input block size of H in bytes (64 for MD5, SHA-1 and SHA-256).

Step 1 :

The key K is brought to the block size b: if it is longer than b bytes it is first hashed, and it is then padded on the right with zero bytes to exactly b bytes. (The message M can be of any length; it is the key, not the message, that must match the block size.)

Step 2 :

The padded key is XOR'ed with ipad to produce OS1.

Where,

ipad = input pad = the byte 0x36 repeated b times (0x36 = 00110110).

OS1 = output of Step 1 XOR ipad.

Step 3 :

Append the message M to the output of Step 2 (OS1 || M).

Step 4 :

The message digest algorithm (MD5, SHA-1, ...) is applied to the output of Step 3. This produces the inner hash H1 = H(OS1 || M).

Step 5 :

XOR the padded secret key K with opad to produce the output variable called OS2.

opad = output pad = the byte 0x5C repeated b times (0x5C = 01011100).

Step 6 :

Append the inner hash H1 to OS2 (OS2 || H1).

Step 7 :

The message digest algorithm is applied to the output of Step 6 to generate the final output, HMAC = H(OS2 || H(OS1 || M)). The outer hash is what prevents the length-extension attack that a plain H(K || M) construction suffers from.
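The seven steps above as a working HMAC, written for this page (not the slides' code), generic over any hash name that hashlib accepts and checked against the standard library's `hmac` module and the RFC 2202 / RFC 4231 test vectors. `hmac_digest`, `verify`, `matches_stdlib` and `BLOCK_SIZE` are this example's own names; the constant-time comparison in `verify` is the one practical detail the slides leave out.

```python
import hashlib
import hmac as stdlib_hmac

BLOCK_SIZE = 64          # bytes: input block size of MD5, SHA-1 and SHA-256 (not the digest size)
IPAD, OPAD = 0x36, 0x5C  # 00110110 and 01011100


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    # Step 1: bring the key to exactly one hash block (hash if longer, zero-pad if shorter)
    if len(key) > BLOCK_SIZE:
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # Step 2: OS1 = K xor ipad
    os1 = bytes(k ^ IPAD for k in key)
    # Steps 3 and 4: inner hash over OS1 || M
    inner = h(os1 + message)
    # Step 5: OS2 = K xor opad
    os2 = bytes(k ^ OPAD for k in key)
    # Steps 6 and 7: outer hash over OS2 || inner hash
    return h(os2 + inner)


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison so a timing difference does not leak how many tag bytes matched."""
    return stdlib_hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    return hmac_digest(key, message, hash_name) == stdlib_hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # RFC 2202 test case 1: key = 20 x 0x0b, data "Hi There"
    print("HMAC-SHA1   =", hmac_digest(b"\x0b" * 20, b"Hi There").hex())
    # RFC 4231 test case 1, same key and data, with SHA-256
    print("HMAC-SHA256 =", hmac_digest(b"\x0b" * 20, b"Hi There", "sha256").hex())
    tag = hmac_digest(b"shared-secret", b"amount=10&to=alice", "sha256")
    print("tampered message accepted:", verify(b"shared-secret", b"amount=99&to=alice", tag, "sha256"))
```

Use the standard library's `hmac.new` in real code; the value of writing it out is seeing that the key, never the message, is what gets padded to the block size, and that a key longer than one block is hashed first (which is why a 100-byte key and its 20-byte SHA-1 digest produce the same HMAC-SHA1).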
Chapter 4
Cipher-Based Message Authentication Code (CMAC)

• It is a MAC that is based on the use of a block cipher mode of operation, for use with AES and triple DES.
• It is also adopted by NIST (SP 800-38B).
• The operation of the CMAC can be defined as follows:
• Case 1: When the message is an integer multiple n of the cipher block length b.
  1. For AES, b = 128, and for triple DES, b = 64.
  2. The message is divided into n blocks (M1, M2, ..., Mn).
  3. The algorithm makes use of a k-bit encryption key K and a b-bit constant, K1.
  4. For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits.
CMAC is calculated as follows :

where,

Case 2: If the message is not an integer multiple of the cipher block length

• The final block is padded to the right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also of length b.
• The CMAC operation then proceeds as before, except that a different b-bit key K2 is used instead of K1.
• K1 and K2 are both derived from K: L = E(K, 0^b), K1 = L · x and K2 = L · x^2 in GF(2^b), i.e. a one-bit left shift with a conditional XOR of the constant Rb (0x87 for b = 128, 0x1B for b = 64). Using different subkeys for the two cases is what stops a message and its padded version from producing the same tag.
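CMAC as working code, an added example that is not from the slides. The core is written against any 128-bit block encryption function, so the subkey derivation and the two cases (complete final block masked with K1, padded final block masked with K2) can be read without cipher details; `aes_cmac` then plugs in AES-128 from the third-party `cryptography` package, which this example assumes is installed (`pip install cryptography`). The function names are this example's own; the subkey values quoted in the comments are the RFC 4493 example vectors.

```python
from typing import Callable

BLOCK = 16     # AES block size in bytes (b = 128 bits)
RB = 0x87      # Rb for b = 128; a 64-bit cipher such as triple DES uses 0x1B

# A block cipher fixed to one key: encrypts exactly one b-bit block.
BlockCipher = Callable[[bytes], bytes]


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def _dbl(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit, XOR Rb if a 1 bit fell off the top."""
    n = int.from_bytes(block, "big") << 1
    if n >> (8 * BLOCK):
        n ^= RB
    return (n & ((1 << (8 * BLOCK)) - 1)).to_bytes(BLOCK, "big")


def cmac_subkeys(encrypt_block: BlockCipher):
    """L = E(K, 0^b); K1 = L * x; K2 = L * x^2.  With the RFC 4493 key,
    L = 7df76b0c...546f gives K1 = fbeed618...a8de and K2 = f7ddac30...513b."""
    L = encrypt_block(bytes(BLOCK))
    k1 = _dbl(L)
    return k1, _dbl(k1)


def cmac(encrypt_block: BlockCipher, message: bytes, tag_len: int = BLOCK) -> bytes:
    k1, k2 = cmac_subkeys(encrypt_block)
    n = max(1, -(-len(message) // BLOCK))      # number of blocks; the empty message still has one
    last = message[(n - 1) * BLOCK:]
    if message and len(message) % BLOCK == 0:
        last = _xor(last, k1)                  # Case 1: complete final block, mask with K1
    else:
        last = last + b"\x80" + bytes(BLOCK - len(last) - 1)   # Case 2: pad with 10...0
        last = _xor(last, k2)                  #         and mask with K2 instead
    c = bytes(BLOCK)                           # CBC-style chaining from an all-zero state
    for i in range(n - 1):
        c = encrypt_block(_xor(c, message[i * BLOCK:(i + 1) * BLOCK]))
    return encrypt_block(_xor(c, last))[:tag_len]   # T = MSB_Tlen(Cn)


def aes_cmac(key: bytes, message: bytes, tag_len: int = BLOCK) -> bytes:
    """AES-CMAC; the block cipher itself comes from the `cryptography` package (assumed installed)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()   # ECB here = one raw block at a time
    return cmac(enc.update, message, tag_len)


if __name__ == "__main__":
    # RFC 4493 examples: K = 2b7e1516..., empty message -> bb1d6929...6746,
    # one block 6bc1bee2...172a -> 070a16b4...287c
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    print("AES-CMAC(empty)   =", aes_cmac(key, b"").hex())
    print("AES-CMAC(1 block) =", aes_cmac(key, bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")).hex())
```

Raw ECB is used only because CMAC needs single-block encryption under the key; the chaining is done by the CMAC logic itself, so this is not ECB-mode encryption of the message.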

Authentication Methodologies

A computer system does not have the cues we do with face-to-face communication that let
us recognize our friends. Instead computers depend on data to recognize others.

Determining who a person really is consists of two separate steps:

• Identification is the act of asserting who a person is.
• Authentication is the act of proving that asserted identity: that the person is who she says she is.

Types of Authentication

Authentication Based on Phrases and Facts: Something You Know

Password Protection seems to offer a relatively secure system for confirming identity related
information, but human practice sometimes degrades its quality. Let us explore vulnerabilities
in authentication, focusing on the most common authentication parameter, the password. In
this section we consider the nature of passwords, criteria for selecting them, and ways of
using them for authentication.

How secure are passwords themselves?

Passwords are somewhat limited as protection devices because of the relatively small number
of bits of information they contain. Worse, people pick passwords that do not even take
advantage of the number of bits available: Choosing a well-known string, such as qwerty,
password, or 123456 reduces an attacker’s uncertainty or difficulty essentially to zero.

Knight and Hartley [KNI98] list, in order, 12 steps an attacker might try in order to determine
a password. These steps are in increasing degree of difficulty (number of guesses), and so
they indicate the amount of work to which the attacker must go in order to derive a password.
Here are their password guessing steps:
• no password
• the same as the user ID
• is, or is derived from, the user’s name
• on a common word list (for example, password, secret, private) plus common names and
patterns (for example, qwerty, aaaaaa)
• contained in a short college dictionary
• contained in a complete English word list
• contained in common non-English-language dictionaries
• contained in a short college dictionary with capitalizations (PaSsWorD) or
substitutions (digit 0 for letter O, and so forth)
• contained in a complete English dictionary with capitalizations or substitutions
• contained in common non-English dictionaries with capitalization or substitutions
• obtained by brute force, trying all possible combinations of alphabetic characters
• obtained by brute force, trying all possible combinations from the full character set

Although the last step will always succeed, the steps immediately preceding it are so time
consuming that they will deter all but the most dedicated attacker for whom time is not a
limiting factor.

Good Passwords

Chosen carefully, passwords can be strong authenticators. The term “password” implies a
single word, but you can actually use a non existent word or a phrase. So 2Brn2Bti? could be
a password (derived from “to be or not to be, that is the question”) as could
“PayTaxesApril15th.”
Note that these choices have several important characteristics: The strings are long, they are
chosen from a large set of characters, and they do not appear in a dictionary. These properties
make the password difficult (but, of course, not impossible) to determine.
If we do use passwords, we can improve their security by a few simple practices:

• Use characters other than just a–z. If passwords are chosen from the letters a– z, there
are only 26 possibilities for each character.
• Adding digits expands the number of possibilities to 36.
• Using both uppercase and lowercase letters plus digits expands the number of
possible characters to 62.

Although this change seems small, the effect is large when someone is testing the full space of all possible combinations of characters: there are 26^6 (about 3.1 x 10^8) six-letter lowercase passwords but 62^6 (about 5.7 x 10^10) six-character passwords over upper- and lowercase letters and digits, roughly 184 times as many. It takes about 100 hours to test all 6-letter words chosen from letters of one case only, but it takes about 2 years (roughly 184 x 100 hours) to test all 6-symbol passwords from upper- and lowercase letters and digits. Although 100 hours is reasonable, 2 years is oppressive enough to make this attack far less attractive.

Authentication Based on Biometrics: Something You Are

Biometrics are biological properties, based on some physical characteristic of the human body. The list of biometric authentication technologies is still growing. Now devices can recognize the following biometrics:
• fingerprint
• hand geometry (shape and size of fingers)
• retina and iris (parts of the eye)
• voice
• handwriting, signature, hand motion
• typing characteristics
• blood vessels in the finger or hand
• face
• facial features, such as nose shape or eye spacing
Authentication with biometrics has advantages over passwords because a biometric cannot
be lost, stolen, forgotten, or shared and is always available, always at hand, so to speak. These
characteristics are difficult, if not impossible, to forge.

Examples of Biometric Authenticators

Many physical characteristics are possibilities as authenticators. In this section we present examples of two of them, one for the size and shape of the hand, and one for the patterns of veins in the hand.
Problems with Use of Biometrics
Biometrics come with several problems:

• Biometric recognition devices are costly, although as the devices become more popular,
their cost per device should go down. Still, outfitting every user’s workstation with a reader
can be expensive for a large company with many employees.

• Biometric readers and comparisons can become a single point of failure. Consider a retail
application in which a biometric recognition is linked to a payment scheme: As one user puts
it, “If my credit card fails to register, I can always pull out a second card, but if my fingerprint
is not recognized, I have only that one finger.” (Fingerprint recognition is specific to a single
finger; the pattern of one finger is not the same as another.) Manual laborers can actually rub
off their fingerprints over time, and a sore or irritation may confound a fingerprint reader.
Forgetting a password is a user’s fault; failing biometric authentication is not.

• All biometric readers use sampling and establish a threshold for acceptance of a close
match. The device has to sample the biometric, measure often hundreds of key points, and
compare that set of measurements with a template. Features vary slightly from one reading
to the next, for example, if your face is tilted, if you press one side of a finger more than
another, or if your voice is affected by a sinus infection. Variation reduces accuracy.

• Although equipment accuracy is improving, false readings still occur. We label a false
positive or false accept a reading that is accepted when it should be rejected and a false
negative or false reject one that rejects when it should accept. Often, reducing a false positive
rate increases false negatives, and vice versa. The consequences for a false negative are
usually less than for a false positive, so an acceptable system may have a false positive rate
of 0.001 percent but a false negative rate of 1 percent. However, if the population is large and
the asset extremely valuable, even these small percentages can lead to catastrophic results.

Authentication Based on Tokens: Something You Have

Something you have means that you have a physical object in your possession. One physical
authenticator with which you are probably familiar is a key. When you put your key in your
lock, the ridges in the key interact with pins in the lock to let the mechanism turn. In a sense
the lock authenticates you for authorized entry because you possess an appropriate key. Of
course, you can lose your key or duplicate it and give the duplicate to someone else, so the
authentication is not perfect. But it is precise: Only your key works, and your key works only
for your lock.
Other familiar examples of tokens are badges and identity cards. You may have an “affinity
card”: a card with a code that gets you a discount at a store. Many students and employees
have identity badges that permit them access to buildings. You must have an identity card or
passport to board an airplane or enter a foreign country. In these cases you possess an object
that other people recognize to allow you access or privileges. Another kind of authentication
token has data to communicate invisibly.

Examples of this kind of token include credit cards with a magnetic stripe, credit cards with
an embedded computer chip, or access cards with passive or active wireless technology. You
introduce the token into an appropriate reader, and the reader senses values from the card.
If your identity and values from your token match, this correspondence adds confidence that
you are who you say you are.

Active and Passive Tokens


As the names imply, passive tokens do nothing, and active ones take some action. A photo or
key is an example of a passive token in that the contents of the token never change. (And, of
course, with photos permanence can be a problem, as people change hair style or color and
their faces change over time.)

An active token can have some variability or interaction with its surroundings. For example,
some public transportation systems use cards with a magnetic strip. When you insert the card
into a reader, the machine reads the current balance, subtracts the price of the trip and
rewrites a new balance for the next use. In this case, the token is just a repository to hold the
current value. Another form of active token initiates a two-way communication with its
reader, often by wireless or radio signaling. These tokens lead to the next distinction among
tokens, static and dynamic interaction.

Static and Dynamic Tokens

The value of a static token remains fixed. Keys, identity cards, passports, credit and other
magnetic-stripe cards, and radio transmitter cards (called RFID devices) are examples of static
tokens. Static tokens are most useful for onsite authentication: When a guard looks at your
picture badge, the fact that you possess such a badge and that your face looks (at least
vaguely) like the picture causes the guard to pass your authentication and allow you access.

Tokens are vulnerable to an attack called Skimming. Skimming is the use of a device to copy
authentication data surreptitiously and relay it to an attacker. Automated teller machines
(ATMs) and point-of-sale credit card readers are particularly vulnerable to skimming.

At an ATM the thief attaches a small device over the slot into which you insert your bank card.
Because all bank cards conform to a standard format (so you can use your card at any ATM or
merchant), the thief can write a simple piece of software to copy and retain the information
recorded on the magnetic strip on your bank card. Some skimmers also have a tiny camera to
record your key strokes as you enter your PIN on the keypad. Either instantaneously (using
wireless communication) or later (collecting the physical device), the thief thus obtains both
your account number and its PIN. The thief simply creates a dummy card with your account
number recorded and, using the PIN for authentication, visits an ATM and withdraws cash
from your account or purchases things with a cloned credit card.

To overcome copying of physical tokens or passwords, we can use dynamic tokens. A dynamic
token is one whose value changes. Although there are several different forms, a dynamic
authentication token is essentially a device that generates an unpredictable value that we
might call a pass number. Some devices change numbers at a particular interval, for example,
once a minute; others change numbers when you press a button, and others compute a new
number in response to an input, sometimes called a challenge. In all cases, it does not matter
if someone else sees or hears you provide the pass number, because that one value will be
valid for only one access (yours), and knowing that one value will not allow the outsider to
guess or generate the next pass number.
One-Time Password (OTP) tokens are the most common dynamic tokens: the device and the server share a secret and each computes the pass number from that secret together with a counter, the current time or a challenge.
Authentication Protocols

1. One Way Authentication.

This is required when sender and receiver are not in communication at the same time. Eg. Email messages.

A simple one-way scheme in which the client sends a username and password has the following weaknesses:

• Not secure, as username and password are usually sent in cleartext.
• Vulnerable to username and password guessing.
• MiTM attacks are easily possible.
• Credential sharing is possible.

2. Mutual Authentication.
One-way and mutual authentication schemes

One - Way Authentication

One-way authentication refers to the authentication of only one end of the communication.

For example, take two users A and B who want to communicate with each other, where user A is
the client and user B is the server. User B authenticates user A before the actual communication,
but user A has no way to authenticate the server before the communication begins. Such a scheme
is called a One-Way Authentication Scheme or Protocol.

Multi-factor authentication can be used on that one side to provide much better security, for
example two-factor authentication, which combines a password with a second factor of a different
kind, such as a one-time code from a token or a smart card. (A password plus a static PIN are both
"something you know", so together they do not really make two factors.)

But do not confuse this with mutual authentication. Here only the client is being authenticated to
the server, however many factors it uses.
One-way and mutual authentication schemes

Mutual Authentication

Mutual Authentication is a mechanism to authenticate both the entities involved in the communication
process, ie. the sender and the receiver or client and server.

The sender must prove its identity to the receiver and vice versa before the actual communication could
even begin.
One-way and mutual authentication schemes

In order to achieve mutual authentication there must be a protocol that lets each party verify the
identity of the other over an insecure communication channel.

To achieve this goal, most of the protocols depend upon an authentication server, also called a Key
Distribution Center (KDC).

If the sender A wants to communicate with receiver B, then A can request a session key from the
Key Distribution Center (KDC) for communicating with B. These authentication servers are capable of
generating good quality random session keys and distributing them securely to the clients who
request them.

These authentication servers also maintain a table containing the name and master key (secret key)
of each client.

The secret keys are used to authenticate the clients to the authentication servers and then for
secure transmission of data between the client and the authentication servers. This makes the KDC a
fully trusted party: whoever compromises its table of master keys can impersonate any client.
Needham Schroeder Authentication protocol

The Needham-Schroeder (symmetric key) protocol uses long-term secret keys that each party shares
with the authentication server: A shares Ka with the server and B shares Kb with the server. A and
B do not share a key in advance; the purpose of the protocol is to give them a fresh session key
Kab, with each side convinced that the other one holds it.

Step 1:

Sender A requests a session key from the authentication server for communication with receiver B.
The request names A, names B and carries a nonce N chosen by A:

    A -> Server: A, B, N

(The slides show this request additionally encrypted under Ka, as E(Ka,[Na,Nb,N]), with Na and Nb
standing for the network addresses, i.e. the identifiers, of A and B. The request never contains
A's secret key itself; in the original protocol it is sent in the clear, since it carries nothing
secret.)

A nonce is a number used only once in a cryptographic communication. It is usually a random or
pseudo-random number, sometimes combined with a timestamp, and it is what lets A tell a fresh reply
from a replayed old one.

Step 2:

The authentication server returns a message containing the newly generated session key Kab, the
same nonce N, the receiver's name B and a ticket {A, Kab} encrypted under B's secret key Kb. The
whole message is encrypted under A's secret key Ka (the symmetric key A shares with the server,
not a "private key") so that no one else can read it:

    Server -> A: E(Ka, [Kab, N, B, {A, Kab}Kb])

A checks that the nonce N matches the one it sent (so this is not a replayed reply) and that the
name B matches the party it asked for (so the key is not one the server issued for a different
peer).

Step 3:

A decrypts the reply, keeps Kab and forwards the ticket to B. A cannot read the ticket and does not
need to: it was encrypted by the authentication server under B's secret key.

    A -> B: {A, Kab}Kb

Step 4:

B decrypts the ticket with its secret key Kb and learns that the session key Kab is for use with A.
To check that the party that sent the ticket actually holds Kab, B generates a nonce N1, encrypts
it with the shared key Kab and sends it to A:

    B -> A: E(Kab, N1)

At this point B has the session key Kab for communicating with A.

Step 5:

A decrypts N1 with the shared key Kab and returns N1+1 encrypted under Kab. Being able to transform
N1 (not merely echo the ciphertext) proves to B that A holds Kab:

    A -> B: E(Kab, N1+1)

Step 6:

Now sender A and receiver B can communicate securely with each other using the session key Kab.

Known weakness: nothing in the ticket {A, Kab}Kb tells B when it was issued. An attacker who
recorded message 3 and later compromises that old Kab can replay the ticket and answer B's
challenge in step 4, and B will accept the stale key as fresh (the Denning-Sacco attack).
Kerberos, described next, addresses this by putting timestamps and a lifetime inside the ticket.
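The six steps above, run end to end, as an added example that is not part of the original notes. The "encryption" is a constructed stand-in (HMAC-SHA256 keystream plus an HMAC tag) so the example runs with the standard library alone; a real implementation would use an AEAD such as AES-GCM. The second function reproduces the replay weakness described above: a recorded ticket plus its old session key is enough to pass B's challenge.

```python
import hashlib
import hmac
import json
import os
import secrets


# Toy authenticated encryption (assumption, not from the slides): keystream from HMAC-SHA256 in
# counter mode, then an HMAC tag over nonce||ciphertext. Stands in for a real AEAD.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj) -> bytes:
    """E(key, obj): encrypt a JSON-serialisable message and authenticate it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Inverse of seal(); raises if the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server holding the table of master keys."""

    def __init__(self, master_keys: dict):
        self.keys = master_keys

    def issue(self, request: dict) -> bytes:
        # Step 2: Kab plus the ticket {A, Kab}Kb, all wrapped under Ka for the requester.
        a, b, n = request["from"], request["to"], request["nonce"]
        kab = os.urandom(32)
        ticket = seal(self.keys[b], {"peer": a, "kab": kab.hex()})
        return seal(self.keys[a], {"kab": kab.hex(), "peer": b, "nonce": n, "ticket": ticket.hex()})


class Principal:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.session, self.pending = name, key, None, None

    # ---- initiator side (A) ----
    def request_session(self, kdc: KDC, peer: str) -> bytes:
        n = secrets.token_hex(8)                                 # step 1: fresh nonce N
        reply = unseal(self.key, kdc.issue({"from": self.name, "to": peer, "nonce": n}))
        # The reply must echo our nonce (not a replayed old reply) and name the peer we
        # asked for (not a key the server issued for somebody else).
        if reply["nonce"] != n or reply["peer"] != peer:
            raise ValueError("KDC reply is stale or names the wrong peer")
        self.session = bytes.fromhex(reply["kab"])
        return bytes.fromhex(reply["ticket"])                    # step 3: forwarded to B

    def answer_challenge(self, challenge: bytes) -> bytes:
        n1 = unseal(self.session, challenge)["n1"]               # step 5: N1 -> N1+1 under Kab
        return seal(self.session, {"n1": n1 + 1})

    # ---- responder side (B) ----
    def accept_ticket(self, ticket: bytes):
        t = unseal(self.key, ticket)                             # step 4: open {A, Kab}Kb
        self.session = bytes.fromhex(t["kab"])
        self.pending = secrets.randbelow(2 ** 32)
        return t["peer"], seal(self.session, {"n1": self.pending})

    def verify_response(self, response: bytes) -> bool:
        return unseal(self.session, response)["n1"] == self.pending + 1


def run_protocol() -> bool:
    """Honest run of steps 1-5; True when both sides end up with the same Kab."""
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, alice, bob = KDC({"A": ka, "B": kb}), Principal("A", ka), Principal("B", kb)
    ticket = alice.request_session(kdc, "B")
    peer, challenge = bob.accept_ticket(ticket)
    accepted = bob.verify_response(alice.answer_challenge(challenge))
    return peer == "A" and accepted and alice.session == bob.session


def replay_old_ticket() -> bool:
    """Denning-Sacco weakness: a recorded ticket plus its (later compromised) Kab lets an attacker
    pass B's challenge, because nothing in the ticket says when it was issued.
    Returns True when B wrongly accepts the attacker as A."""
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, alice, bob = KDC({"A": ka, "B": kb}), Principal("A", ka), Principal("B", kb)
    recorded_ticket = alice.request_session(kdc, "B")
    mallory = Principal("M", os.urandom(32))
    mallory.session = alice.session                              # assumption: old Kab leaked
    peer, challenge = bob.accept_ticket(recorded_ticket)
    return peer == "A" and bob.verify_response(mallory.answer_challenge(challenge))
```

Note that B never talks to the KDC and has no nonce of its own in the ticket: that is exactly the gap the replay exploits, and the reason Kerberos tickets carry a timestamp and lifetime.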


Kerberos Authentication Protocol

Kerberos is a mutual authentication protocol which lets workstations share network resources and
communicate with each other in a secure manner.

Version 5 (RFC 4120) is the version deployed today, for example as the basis of Windows domain
authentication; version 4 is obsolete and should not be used. The simplified flow below applies
to version 5.

Working

There are 4 parties involved in the Kerberos Protocol:

Alice: The Client Workstation

Authentication Server (AS): Authenticates the Client during Login

Ticket Granting Server (TGS): Issues tickets to certify proof of identity

Bob: The Server offering services


The job of the AS is to authenticate every user at login time.

The AS shares a unique secret (a key derived from the user's password) with every user.

The job of the TGS is to certify to the servers in the network that a user really is who he/she
claims to be.

For proving this, the mechanism of tickets is used.

There are 3 primary steps in the Kerberos Protocol :

1) Login
2) Obtaining a Service Granting Ticket
3) Communicate
LOGIN

1. Alice uses her workstation and sends her name in plaintext to the AS.

2. The AS creates a package of the user name (ALICE) and a randomly generated session key (KS).

3. It encrypts this package with the symmetric key that the AS shares with the Ticket Granting
Server (TGS).

4. The output of this step is called the Ticket Granting Ticket (TGT).

5. The TGT can be opened only by the TGS.

6. The AS then combines the TGT with the session key (KS) and encrypts the two together using a
symmetric key derived from the password of Alice (KA).

7. The final output can therefore be opened only by Alice. Note that the AS has not checked a
password at all: anyone can ask for a TGT in Alice's name, but only someone who knows Alice's
password can decrypt the reply and extract KS. (Kerberos 5 deployments therefore normally require
pre-authentication, a timestamp encrypted under KA sent along with the request, so that the reply
is not handed to anyone who asks for it.)
OBTAINING A SERVICE GRANTING TICKET

1. Alice now informs her workstation that she needs to contact the server (Bob), hence she needs
a ticket.

2. Alice's workstation creates a message intended for the TGS which contains the following items:

a) The TGT obtained in the Login step.

b) The id of the server (Bob) whose services she is interested in.

c) An authenticator: the current timestamp, encrypted with the session key KS. This proves that
the sender of the TGT actually holds KS (and therefore knew Alice's password), and the timestamp
keeps the same authenticator from being replayed later.

3. Once the TGS is satisfied of the credentials of Alice, the TGS creates a session key KAB for
Alice to have a secure communication with Bob.

4. The TGS sends it twice to Alice:

a) once combined with Bob's id and encrypted with the session key KS, and a second time

b) combined with Alice's id and encrypted with Bob's secret key (this is the Service Granting
Ticket, SGT, which Alice cannot read).
COMMUNICATE

1. Alice can now pass KAB to Bob in order to enter into a session with him.

2. Alice simply forwards the SGT, i.e. KAB encrypted with Bob's secret key (received in the
previous step), to Bob.

3. This ensures that only Bob can access KAB.

4. Furthermore, Alice attaches a timestamp encrypted with KAB (an authenticator) to guard against
replay attacks.

5. Since only Bob has his secret key, he uses it to first obtain the information (Alice's ID +
KAB), which he then uses to decrypt the encrypted timestamp value. Bob must check that the
timestamp lies within the allowed clock skew and that he has not already seen this authenticator.

6. Now, for Alice to know whether Bob has indeed received KAB correctly, Bob increments the
timestamp value by 1, encrypts it with KAB and sends it back to Alice.

7. Since only Alice and Bob know KAB, Alice can open the packet and verify the incremented
timestamp value. This step is what makes the authentication mutual.

8. After successful verification, Alice and Bob can now communicate with each other securely using
the session key KAB.
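Steps 4 to 7 of the COMMUNICATE phase, as an added example that is not from the original notes: Bob's checks on the authenticator (integrity under KAB, client name matching the ticket, clock-skew window, replay cache) and the incremented-timestamp reply that Alice verifies. To stay within the standard library the authenticator is protected with an HMAC under KAB rather than encrypted; the freshness and replay logic is the same. The 5-minute skew limit, the session key and the timestamps are constructed assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300   # seconds; Kerberos deployments commonly allow 5 minutes of clock skew (assumption)


def _mac(kab: bytes, body: dict) -> str:
    return hmac.new(kab, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_authenticator(kab: bytes, client: str, now: int) -> dict:
    """Alice's step 4: her name and the current time, protected with KAB."""
    body = {"client": client, "ts": now}
    return {"body": body, "mac": _mac(kab, body)}


class ServiceServer:
    """Bob. KAB and the client name come from the SGT he decrypted with his own secret key."""

    def __init__(self, kab: bytes, ticket_client: str):
        self.kab, self.ticket_client = kab, ticket_client
        self.seen = {}                      # replay cache: (client, ts) -> expiry time

    def check(self, auth: dict, now: int):
        """Returns (reply, reason). reply is the incremented timestamp under KAB, or None."""
        body = auth["body"]
        if not hmac.compare_digest(_mac(self.kab, body), auth["mac"]):
            return None, "bad mac"
        if body["client"] != self.ticket_client:
            return None, "client name does not match ticket"
        if abs(now - body["ts"]) > MAX_SKEW:
            return None, "timestamp outside clock-skew window"
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}   # drop expired entries
        key = (body["client"], body["ts"])
        if key in self.seen:
            return None, "replayed authenticator"
        self.seen[key] = now + MAX_SKEW
        reply = {"ts": body["ts"] + 1}      # step 6: prove possession of KAB back to Alice
        return {"body": reply, "mac": _mac(self.kab, reply)}, "ok"


def client_verifies_reply(kab: bytes, sent_ts: int, reply: dict) -> bool:
    """Alice's step 7: only a holder of KAB could have produced ts+1 with a valid MAC."""
    return (reply is not None
            and hmac.compare_digest(_mac(kab, reply["body"]), reply["mac"])
            and reply["body"]["ts"] == sent_ts + 1)


def demo() -> dict:
    kab = bytes(range(32))                  # constructed session key KAB
    bob = ServiceServer(kab, "alice")
    t0 = 1_700_000_000                      # constructed "now" (seconds since the epoch)
    auth = make_authenticator(kab, "alice", t0)
    reply, why = bob.check(auth, t0 + 2)    # arrives two seconds later: accepted
    return {
        "fresh": why,
        "reply_ok": client_verifies_reply(kab, t0, reply),
        "replay": bob.check(auth, t0 + 30)[1],                                   # captured, resent
        "stale": bob.check(make_authenticator(kab, "alice", t0 - 3600), t0)[1],  # an hour old
        "forged": bob.check({"body": {"client": "mallory", "ts": t0}, "mac": auth["mac"]}, t0)[1],
    }
```

The replay cache only needs to remember entries for as long as the skew window, because anything older is rejected by the timestamp check anyway; without the cache, a captured authenticator would be valid for the whole window.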
RSA and Digital Signatures


Digital Signature : As the name suggests, a digital signature is the electronic counterpart of
signing a document. It lets the receiver check that the message really came from the claimed
sender and was not altered in transit by a third party (attacker). In simple words, digital
signatures are used to verify the authenticity and integrity of a message sent electronically.

RSA : It is the most popular asymmetric cryptographic algorithm. It is primarily used for
encrypting messages but can also be used for producing a digital signature over a message. Let us
understand how RSA can be used for producing digital signatures step by step. Assume that there is
a sender (A) and a receiver (B). A wants to send a message (M) to B along with the digital
signature (DS) calculated over the message.

Step-1 : Sender A uses a message digest algorithm such as SHA-256 to calculate the message digest
(MD1) over the original message M. (The slides name SHA-1 here; SHA-1 collisions have been
demonstrated in practice, so it must not be used for new signatures.)

Message digest calculation

Step-2 : A now "encrypts" the message digest with its private key, i.e. computes MD1^d mod n. The
output of this process is called the Digital Signature (DS) of A. In practice the digest is first
wrapped in a padding scheme (PKCS#1 v1.5 or PSS) before the private-key operation; signing the
bare digest ("textbook RSA") is malleable and lets an attacker combine existing signatures into
new ones.

Digital signature creation

Step-3 : Now sender A sends the digital signature (DS) along with the original message (M) to B.

Transmission of original message and digital signature simultaneously

Step-4 : When B receives the original message (M) and the digital signature (DS) from A, it first
uses the same message digest algorithm as was used by A and calculates its own message digest
(MD2) for M.

Receiver calculates its own message digest

Step-5 : Now B uses A's public key to "decrypt" the digital signature, i.e. computes DS^e mod n,
because it was produced with A's private key. The result of this process is the original message
digest (MD1) which was calculated by A (with padding, the same padded encoding of MD1).

Receiver retrieves sender's message digest

Step-6 : If MD1 == MD2, the following facts are established:
 B accepts the original message M as the correct, unaltered message from A.
 It also ensures that the message came from A and not someone posing as A, since only A's
private key could have produced DS.

Digital signature verification


Elgamal Digital Signature Scheme

1. Introduction
The ElGamal digital signature scheme is a public-key signature scheme based on the same mathematics
as ElGamal encryption: its security relies on the difficulty of computing discrete logarithms in a
finite field. The scheme itself is rarely deployed directly, but the Digital Signature Algorithm
(DSA) and its elliptic-curve form ECDSA, which are used in digital certificates and secure
communication protocols, are variants of it.

2. Mathematical Foundations
The ElGamal digital signature scheme operates over the finite cyclic group Zp*, where p is a large
prime number. Its security rests on the discrete logarithm problem (DLP) in that group.

Parameters:
 Public Parameters:
o A large prime number p
o A generator g of the multiplicative group Zp*
 Private Key:
o A randomly chosen integer x (the private key) such that 1 <= x <= p-2
 Public Key:
o Computed as y = g^x mod p

3. Key Generation
1. Choose a large prime p and a generator g of Zp*.
2. Select a private key x where 1 <= x <= p-2.
3. Compute the public key y = g^x mod p.
4. Publish (p, g, y) as the public key and keep x secret.

4. Signature Generation
To sign a message m:

1. Choose a random integer k such that 1 <= k <= p-2 and gcd(k, p-1) = 1.
2. Compute r = g^k mod p.
3. Compute s such that:

s = k^(-1) (H(m) - x r) mod (p-1)

where H(m) is the hash of the message (reduced mod p-1, since it is used as an exponent) and
k^(-1) is the inverse of k modulo p-1. If s = 0, choose a new k.

4. The digital signature is (r, s).

The per-signature value k must be unpredictable and must never be reused: two signatures made
with the same k have the same r, and from them anyone can solve for k and then for the private key
x. The same failure mode applies to DSA and ECDSA.

5. Signature Verification
To verify a signature (r, s) for message m:

1. Check that 1 <= r <= p-1 and 1 <= s <= p-2. (The range check on r must not be skipped;
without it, forged signatures with r >= p can pass the next step.)

2. Compute:

V1 = g^H(m) mod p

V2 = y^r r^s mod p

3. If V1 = V2, the signature is valid; otherwise, it is rejected.
6. Example
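The notes leave this section empty. The following is an added example, not from the original notes: key generation, signing and verification exactly as in sections 3 to 5, run on parameters small enough to check by hand (p = 19, g = 10, x = 16, so y = 4; signing the hash value 14 with k = 5 gives (3, 4)). It then demonstrates the k-reuse failure described in section 4 by recovering x from two signatures that share k. The hash-to-integer helper assumes SHA-256.

```python
import hashlib
from math import gcd


def elgamal_keygen(p: int, g: int, x: int) -> int:
    """Public key y = g^x mod p for private key x (1 <= x <= p-2)."""
    if not 1 <= x <= p - 2:
        raise ValueError("x out of range")
    return pow(g, x, p)


def hash_to_int(message: bytes, p: int) -> int:
    """H(m) as an integer mod p-1, since it is used as an exponent of g. Assumption: SHA-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (p - 1)


def elgamal_sign(p, g, x, h, k):
    """Signature (r, s) on hash value h with per-signature secret k."""
    if not 1 <= k <= p - 2 or gcd(k, p - 1) != 1:
        raise ValueError("k must lie in [1, p-2] and be coprime to p-1")
    r = pow(g, k, p)
    s = (pow(k, -1, p - 1) * (h - x * r)) % (p - 1)
    if s == 0:
        raise ValueError("s == 0, pick a fresh k")
    return r, s


def elgamal_verify(p, g, y, h, r, s) -> bool:
    if not (1 <= r <= p - 1 and 1 <= s <= p - 2):     # range check first
        return False
    v1 = pow(g, h, p)
    v2 = (pow(y, r, p) * pow(r, s, p)) % p
    return v1 == v2


def solve_linear(a, b, m):
    """All x in [0, m) with a*x = b (mod m); needed because s and r need not be invertible mod p-1."""
    d = gcd(a, m)
    if b % d:
        return []
    a2, b2, m2 = a // d, b // d, m // d
    x0 = (b2 * pow(a2, -1, m2)) % m2 if m2 > 1 else 0
    return [x0 + t * m2 for t in range(d)]


def recover_private_key(p, g, y, h1, sig1, h2, sig2):
    """Two signatures that reuse k share r; solve (s1-s2)k = h1-h2 for k, then r*x = h1-k*s1 for x."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        return None
    for k in solve_linear((s1 - s2) % (p - 1), (h1 - h2) % (p - 1), p - 1):
        if pow(g, k, p) != r:
            continue
        for x in solve_linear(r % (p - 1), (h1 - k * s1) % (p - 1), p - 1):
            if pow(g, x, p) == y:
                return x
    return None


def textbook_example() -> dict:
    """Small parameters so every number can be checked by hand: p = 19, g = 10, x = 16."""
    p, g, x = 19, 10, 16
    y = elgamal_keygen(p, g, x)
    sig1 = elgamal_sign(p, g, x, 14, 5)
    sig2 = elgamal_sign(p, g, x, 7, 5)      # same k reused: fatal
    return {
        "y": y, "sig1": sig1, "sig2": sig2,
        "valid1": elgamal_verify(p, g, y, 14, *sig1),
        "valid2": elgamal_verify(p, g, y, 7, *sig2),
        "forged": elgamal_verify(p, g, y, 15, *sig1),   # signature moved to another hash
        "recovered_x": recover_private_key(p, g, y, 14, sig1, 7, sig2),
    }
```

For a real message, pass hash_to_int(message, p) as h; with a realistic p (2048 bits or more) the same functions apply unchanged, and the recovery routine works just as well, which is the point: k must come from a cryptographic random source (or be derived deterministically from the key and message, as RFC 6979 does for DSA) and never be reused.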
ElGamal Encryption Algorithm
ElGamal is an asymmetric key encryption algorithm used in cryptography. It is based on the
Diffie-Hellman key exchange and operates over modular arithmetic in a finite cyclic group.
It is widely used for encryption and digital signatures in cryptographic applications.

Key Features of ElGamal


 Asymmetric encryption: Uses a public key for encryption and a private key for
decryption.
 Security rests on the hardness of the discrete logarithm problem in the chosen group
(choose p of at least 2048 bits and a generator of a large prime-order subgroup).
 Probabilistic encryption: The same plaintext encrypts to different ciphertexts each
time.
 Used in cryptographic protocols like PGP (Pretty Good Privacy).

How ElGamal Works?


ElGamal consists of three main steps:

1. Key Generation
2. Encryption
3. Decryption
Advantages of ElGamal
✅ Secure – Based on the hard discrete logarithm problem.
✅ Probabilistic encryption – Produces different ciphertexts for the same plaintext.
✅ Widely Used – Used in PGP, GPG, and digital signatures.

Disadvantages
❌ Ciphertext Expansion – Ciphertext is twice the size of the plaintext.
❌ Slower than RSA – Due to exponentiation and modular arithmetic.

Use Cases of ElGamal

 Encryption in PGP (Pretty Good Privacy)


 Digital Signatures (DSA is based on ElGamal)
 Secure key exchange protocols
 Blockchain and Cryptographic applications
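The three steps (key generation, encryption, decryption) as an added example that is not from the original notes, together with the two properties listed above that are worth seeing rather than reading about: the same plaintext encrypts to different ciphertexts each time, and the ciphertext is two group elements, so about twice the size of the plaintext. It also shows the caveat the "Secure" bullet leaves out: textbook ElGamal is malleable, so anyone can multiply the hidden plaintext by a factor without knowing any key, which is why it is only ever used together with integrity protection. The parameters are constructed: p = 2^127 - 1 is a (Mersenne) prime, and g = 3 is used for the mechanics only, without checking that it generates a large prime-order subgroup.

```python
import secrets

# Constructed toy parameters (assumption): p = 2^127 - 1 is prime; g = 3 is NOT verified to
# generate a large prime-order subgroup, which a real deployment must ensure.
P = (1 << 127) - 1
G = 3


def keygen(p: int = P, g: int = G):
    """Private key x, public key (p, g, y = g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return (p, g, pow(g, x, p)), x


def encrypt(pub, m: int):
    """Ciphertext (c1, c2) = (g^k, m * y^k) mod p with a fresh random k every time."""
    p, g, y = pub
    if not 1 <= m < p:
        raise ValueError("message must be an integer in [1, p-1]")
    k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(pub, x: int, ct) -> int:
    """m = c2 * (c1^x)^-1 mod p; the inverse is taken as c1^(p-1-x) by Fermat's little theorem."""
    p, _, _ = pub
    c1, c2 = ct
    return (c2 * pow(c1, p - 1 - x, p)) % p


def malleate(pub, ct, factor: int):
    """What an attacker without any key can do: multiply the hidden plaintext by `factor`."""
    c1, c2 = ct
    return c1, (c2 * factor) % pub[0]


def demo() -> dict:
    pub, x = keygen()
    m = int.from_bytes(b"attack at dawn", "big")        # constructed sample plaintext (112 bits)
    ct1, ct2 = encrypt(pub, m), encrypt(pub, m)
    return {
        "roundtrip": decrypt(pub, x, ct1) == m,
        "probabilistic": ct1 != ct2,                    # same m, different ciphertexts
        "ciphertext_expansion": sum(c.bit_length() for c in ct1) > m.bit_length(),
        "malleated_plaintext_doubled": decrypt(pub, x, malleate(pub, ct1, 2)) == 2 * m,
    }
```

The malleability means the scheme is not secure against chosen-ciphertext attacks on its own; in PGP/GPG it is used only to wrap a random session key for a symmetric cipher, with the message body separately integrity-protected.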
X.509 Digital Certificate
Public Key Infrastructure (PKI)
1. Introduction to PKI
Public Key Infrastructure (PKI) is a framework used to secure communications and digital
transactions by providing encryption, authentication, and integrity through public-key
cryptography. PKI enables secure data exchange over insecure networks (like the Internet).

2. Components of PKI
PKI consists of the following key components:

2.1 Certificate Authority (CA)

 The trusted entity responsible for issuing, revoking, and managing digital
certificates.
 Examples: DigiCert, Let's Encrypt, GlobalSign, Entrust, Sectigo.
 Hierarchical structure:
o Root CA (highest authority)
o Intermediate CAs (issue certificates to end-users)
o End-Entity Certificates (used by individuals or organizations)

2.2 Registration Authority (RA)

 Verifies and validates users before requesting a digital certificate from the CA.
 Acts as a middle layer between the user and the CA.

2.3 Digital Certificates

 Issued by the CA to validate the identity of users, websites, or organizations.


 Follow the X.509 standard.
 Contains:
o Subject Name (identity of the user/website)
o Public Key
o Issuer Name (the CA)
o Validity period (not-before and not-after dates)
o Certificate Serial Number
o Extensions (Subject Alternative Names, key usage, basic constraints)
o Signature of the CA over all of the above

2.4 Public & Private Keys

 Public Key: Shared with others; used to encrypt data for the key owner and to verify the
owner's signatures.

 Private Key: Kept secret; used for decryption and for signing.
2.5 Certificate Revocation List (CRL) & Online Certificate Status Protocol
(OCSP)

 CRL: A list of revoked certificates maintained by the CA.


 OCSP: An online method to check the real-time status of a certificate

3. Working of PKI
PKI works based on public-key cryptography and digital certificates.

3.1 Certificate Issuance Process

1. User requests a certificate from the RA.


2. RA verifies user identity.
3. RA forwards request to CA.
4. CA issues a digital certificate after signing with its private key.
5. User receives the certificate and uses it for authentication or encryption.

3.2 Authentication Using PKI

1. Client sends a request to a server (e.g., HTTPS request to a website).

2. Server presents its digital certificate (together with the intermediate certificates that chain
it to a root).
3. Client verifies the chain using the CA public key it already trusts, and also checks that the
certificate is within its validity period, has not been revoked (CRL/OCSP), and that its subject
name matches the hostname it connected to.
4. Client establishes a secure connection if the certificate is valid.

3.3 Encryption Using PKI

1. Sender encrypts data using the recipient’s public key.


2. Only the recipient can decrypt using their private key.
3. Ensures confidentiality.

3.4 Digital Signature Using PKI

1. Sender hashes the message.


2. Sender encrypts hash with private key (creates a signature).
3. Receiver decrypts the signature using the sender’s public key.
4. Receiver compares hashes to verify integrity.

4. PKI Certificate Types


PKI supports various types of digital certificates:

4.1 SSL/TLS Certificates

 Used for website security (HTTPS).


 Types:
o DV (Domain Validation)
o OV (Organization Validation)
o EV (Extended Validation)
4.2 Code Signing Certificates

 Used by developers to digitally sign software/code.

4.3 Email Signing Certificates

 Used for email encryption and digital signatures.

4.4 Client Authentication Certificates

 Used for user authentication instead of passwords.

4.5 Document Signing Certificates

 Used for signing PDFs and legal documents.

5. PKI Hierarchical Structure


5.1 Single-Tier PKI

 A single CA issues and revokes certificates.


 Simple but less secure.

5.2 Two-Tier PKI

 Root CA (top-level) → Intermediate CA (issues certificates).

 More secure, because the Root CA's key can be kept offline and only the Intermediate CA is
exposed to day-to-day issuance.

5.3 Three-Tier PKI

 Root CA → Intermediate CA → Issuing CA.

 Adds a further layer of isolation: an issuing CA can be revoked and replaced without touching
the root.

6. PKI Protocols & Standards


6.1 X.509 Standard

 Defines the structure of digital certificates.

6.2 TLS/SSL (Transport Layer Security)

 Encrypts web traffic using PKI-based certificates.

6.3 S/MIME (Secure Email)

 Uses PKI for email encryption and signing.

6.4 IPSec (Internet Protocol Security)


 Uses PKI for VPN encryption.

6.5 LDAP (Lightweight Directory Access Protocol)

 Stores and retrieves digital certificates.

7. Advantages of PKI
✅ Strong Authentication – Protects against impersonation and identity fraud.
✅ Data Confidentiality – Ensures encrypted communication.
✅ Data Integrity – Detects tampering and message modifications.
✅ Non-repudiation – Digital signatures prevent denial of actions.
✅ Scalability – Can be deployed in large networks.

8. Challenges & Disadvantages


❌ Complex Implementation – Requires setup and maintenance.
❌ Single Point of Failure (CA Breach) – If CA is compromised, all certificates are
affected.
❌ High Cost – Commercial CAs charge fees for certificates.
❌ Revocation Challenges – Managing CRLs and OCSP can be slow.

9. Applications of PKI
🔹 Secure Websites (HTTPS, SSL/TLS)
🔹 Email Encryption & Signing (S/MIME, PGP)
🔹 Digital Signatures (Legal & Financial Documents)
🔹 Virtual Private Networks (VPNs)
🔹 Secure Software Distribution (Code Signing)
🔹 Enterprise Authentication (Smart Cards, Tokens, Biometrics)

10. Future of PKI


🚀 Quantum-Safe Cryptography – Post-quantum cryptographic algorithms for PKI.
🚀 Decentralized PKI (dPKI) – Blockchain-based PKI to remove central authority
dependency.
🚀 Automated Certificate Management – ACME (Let's Encrypt) for automatic certificate
renewal.
Public Key Infrastructure

• A public key infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public-key encryption.
• The purpose of a PKI is to facilitate the secure electronic transfer of information for a
range of network activities such as e-commerce, internet banking and confidential
email.
• It is required for activities where simple passwords are an inadequate authentication
method and more rigorous proof is required to confirm the identity of the parties
involved in the communication and to validate the information being transferred.
• In cryptography, a PKI is an arrangement that binds public keys with respective
identities of entities (like people and organizations).
• The binding is established through a process of registration and issuance of certificates
at and by a certificate authority (CA).
• Depending on the assurance level of the binding, this may be carried out by an
automated process or under human supervision. When done over a network, this
requires using a secure certificate enrolment or certificate management protocol such
as CMP.
• The PKI role that may be delegated by a CA to assure valid and correct registration is
called a registration authority (RA). Basically, an RA is responsible for accepting
requests for digital certificates and authenticating the entity making the request.
• The Internet Engineering Task Force's RFC 3647 defines an RA as "An entity that is
responsible for one or more of the following functions:
• The identification and authentication of certificate applicants, the approval or
rejection of certificate applications, initiating certificate revocations or suspensions
under certain circumstances, processing subscriber requests to revoke or suspend
their certificates, and approving or rejecting requests by subscribers to renew or re-
key their certificates. RAs, however, do not sign or issue certificates (i.e., an RA is
delegated certain tasks on behalf of a CA)."
• An entity must be uniquely identifiable within each CA domain on the basis of
information about that entity. A third-party validation authority (VA) can provide this
entity information on behalf of the CA.
• The X.509 standard defines the most commonly used format for public key
certificates.

Public key cryptography is a cryptographic technique that enables entities to securely


communicate on an insecure public network, and reliably verify the identity of an entity via
digital signatures.
A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital
certificates which are used to verify that a particular public key belongs to a certain entity.
The PKI creates digital certificates which map public keys to entities, securely stores these
certificates in a central repository and revokes them if needed.

A PKI consists of

• A certificate authority (CA) that stores, issues and signs the digital certificates;
• A registration authority (RA) which verifies the identity of entities requesting their
digital certificates to be stored at the CA;
• A central directory—i.e., a secure location in which keys are stored and indexed;
• A certificate management system managing things like the access to stored
certificates or the delivery of the certificates to be issued;
• A certificate policy stating the PKI's requirements concerning its procedures. Its
purpose is to allow outsiders to analyze the PKI's trustworthiness.
