
Chapter 4

Message Authentication
and Digital Signatures

- By
Jyoti Tryambake

Message Authentication
• A message, file, document, or other collection of data is said to be authentic when it is genuine and came from its alleged source.

• Message authentication is a procedure that allows communicating parties to verify that a received message is authentic.

• The important aspects are:

• To verify that the contents of the message have not been altered.

• To verify that the source is authentic.

• To verify a message’s timeliness and sequence relative to other messages flowing between two parties.

Message Authentication
Techniques

• Encryption

• MAC – Message Authentication Code - fixed length code

• Hash Function – H(M) – fixed length code

3
Message Authentication Techniques (cont.)
• Authentication using Conventional Encryption
Symmetric Encryption

• Assume only the sender and receiver share a key.

• A single key is used for both encryption and decryption.

• The sender encrypts the plaintext using the secret key shared with the receiver, which the receiver later uses to decrypt the ciphertext.

Message Authentication Techniques
(cont.)
• Authentication using Conventional Encryption
Asymmetric Encryption

• Public and private keys

5
Message Authentication Techniques (cont.)
• Authentication using Conventional Encryption
Asymmetric

i. (A - sender) Message -> E(Public key of B) -> Cipher -> D(Private key of B) -> (B - receiver) Message

Authentication - ❌, Confidentiality - ✅

ii. (A - sender) Message -> E(Private key of A) -> Cipher -> D(Public key of A) -> (B - receiver) Message

Authentication - ✅, Confidentiality - ❌

iii. (A - sender) Message -> E(Private key of A) -> Cipher1 -> E(Public key of B) -> Cipher2 -> D(Private key of B) -> Decipher 1 -> D(Public key of A) -> (B - receiver) Message

Authentication - ✅, Confidentiality - ✅
Message Authentication Techniques (cont.)
• Authentication without Message Encryption

• An authentication tag is generated and appended to each message.

• The algorithm uses it to verify whether or not the ciphertext and/or associated data have been modified.

• If either the ciphertext or associated data has been modified, then the procedure that re-computes the validation tag on the receiving end will end up generating a different tag. The algorithm will check the re-computed tag against the tag that was bundled with the ciphertext and associated data (which collectively can be referred to as a "cryptogram").

• If the tags don't match, that means some part of the ciphertext and/or associated data has been modified.

Message Authentication Techniques (cont.)
Message Authentication Code (MAC)
• A MAC algorithm is a symmetric key cryptographic technique to provide message authentication.

• To establish the MAC process, the sender and receiver share a symmetric key K.

• Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication.

Message Authentication Code(MAC) Process:
• The sender uses MAC algorithm, inputs the message and the secret key K and produces a
MAC value.

• Similar to hash, MAC function also compresses an arbitrary long input into a fixed length
output.

• The sender forwards the message along with the MAC.

• On receipt of the message and the MAC, the receiver feeds the received message and the
shared secret key K into the MAC algorithm and re-computes the MAC value.

• The receiver now checks equality of freshly computed MAC with the MAC received from the
sender. If they match, then the receiver accepts the message and assures himself that the
message has been sent by the intended sender.

• If the computed MAC does not match the MAC sent by the sender, the receiver cannot
determine whether it is the message that has been altered or it is the origin that has been
falsified.

• As a bottom line, the receiver safely assumes that the message is not genuine.

• No confidentiality but assures message origin authentication.


9
MAC with Confidentiality and
Authentication

10
Hash Function
• A hash function is a mathematical function that converts a numerical input value into another compressed numerical value.

• The input to the hash function is of arbitrary length but the output is always of fixed length.

• Values returned by a hash function are called message digests or simply hash values.

Hash Function
• When a hash function provides security, it is called a cryptographic hash function.

• A hash function protects the integrity of the message.

• If encryption is applied to the message together with the hash function, it provides authentication and confidentiality.

Hash Function
• Example

13
Features of Hash Functions
Fixed Length Output (Hash Value)
• A hash function converts data of arbitrary length to a fixed length. This process is often referred to as hashing the data.

• In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions.

• Since a hash is a smaller representation of larger data, it is also referred to as a digest.

• A hash function with n-bit output is referred to as an n-bit hash function.

• Popular hash functions generate values between 160 and 512 bits.

Features of Hash Functions
Efficiency of Operation

• Generally, for any hash function h with input x, computation of h(x) is a fast operation.

• Computationally, hash functions are much faster than symmetric encryption.

Hash Function Properties
It is mathematically impossible to extract the original message from the digest.

• Hashing is sometimes referred to as one-way encryption: the message can be encrypted but is impossible to decrypt. This is accomplished using one-way functions within the hashing algorithm.

• It is impossible to derive ‘hello’ knowing only a resulting digest of ’52’, mostly because there could be thousands of messages that result in the identical digest.

Hash Function Properties (cont.)
A slight change to the original message causes a drastic change in the resulting digest.

• Any minor modification – even as small as changing a single character – to the original message should greatly alter the computed digest. This is sometimes referred to as the avalanche effect.

• If two different messages produce the same message digest, this is known as a collision.

Hash Function Properties (cont.)
The result of the hashing algorithm is always the same length.

• It is vital for the resulting digest to not provide any hints or clues about the original message – including its length. A digest should not grow in size as the length of the message increases.

Hash Function Properties (cont.)
It is infeasible to construct a message which generates a given digest.

• As per example below, if given the digest of 52, it would not be overly difficult to generate a list of words that might have been the original message.

Cryptographic Hash Function
• Hash functions used for security applications are known as cryptographic hash functions.
• Two important properties:
• It is computationally infeasible to find either
• A data object that maps to a pre-specified hash result (the one-way property)
• Two data objects that map to the same hash result (the collision-free property)

Cryptographic Hash Function
Requirements and Security
Pre-Image Resistance
• It is computationally hard to reverse a hash function.

• In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z.

• This property protects against an attacker who only has a hash value and is trying to find the input.

Cryptographic Hash Function
Requirements and Security
Second Pre-Image Resistance
The property says the following: if I give you an input and the digest it hashes to, you should be unable to find a different input that hashes to the same digest.

Given message m1, it is difficult to produce another message m2 such that H(m1) = H(m2).

Cryptographic Hash Function
Requirements and Security
Second Pre-Image Resistance
• Given an input and its hash, it should be hard to find a different input with the same hash.

• In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x).

• This property of a hash function protects against an attacker who has an input value and its hash, and wants to substitute a different value as the legitimate value in place of the original input value.

Cryptographic Hash Function
Requirements and Security
Second Pre-Image Resistance

H(abc) =

H(xyz) =

Cryptographic Hash Function
Requirements and Security
Collision Resistance
• It guarantees that no one can produce two different inputs that hash to the same output.

• It is difficult to find any two different messages m1 and m2 that have the same hash value; H(m1) = H(m2)

Cryptographic Hash Function
Requirements and Security
Collision Resistance
• It is hard to find two inputs that hash to the same output; that is, two inputs a and b where a ≠ b but H(a) = H(b).

• This property makes it very difficult for an attacker to find two input values with the same hash.

• Also, if a hash function is collision-resistant then it is second pre-image resistant.

Security Requirements of
Cryptographic Hash Functions

30
Simple Hash Function

31
Hash with Authentication and Confidentiality
Method 1 - Message and hash code encrypted

Sender (Key)
Message -> Hash fun -> append(msg, ‘h’) -> Encrypt (msg/plaintext) -> (Cipher, ‘h’)
Receiver (Key)
(Cipher, ‘h’) -> Decrypt -> (msg, ‘h’) -> Hash function -> ‘h’ -> Compare

If matches then, received message is correct
Hash with Authentication and
Confidentiality
Standard diagram – Message and hash code encrypted

33
Hash with Authentication and No Confidentiality
Method 2 – only hash code encrypted
Symmetric Encryption
Sender (Key)
Message -> Hash fun -> ‘h’ -> Encrypt (hash code) -> append(msg, E(‘h’))

Receiver (Key)
Decrypt(‘h’) and msg passed to hash function -> ‘h’, ‘h’ -> Compare

If matches then, received message is correct

Hash with Authentication and No Confidentiality
Asymmetric Cryptography
Sender (Private Key of A)
Message -> Hash fun -> ‘h’ -> Encrypt (hash code) -> append(msg, E(‘h’))

Receiver (Public Key of A)
Decrypt(‘h’) and msg passed to hash function -> ‘h’, ‘h’ -> Compare

If matches then, received message is correct

Hash with Authentication and No
Confidentiality
Standard diagram - Only Hash code is encrypted

37
Hash with Authentication and No Confidentiality
Method 3 - With secret code
Sender
Message -> apply secret code -> pass to hash fun -> ‘h’ -> append(msg, ‘h’)

Receiver
Decrypt (msg, ‘h’) -> apply secret code to msg and send to hash fun -> ‘h’, ‘h’ -> Compare

If matches then, received message is correct
Hash with Authentication and No
Confidentiality
With secret code/value – standard diagram

39
Hash with Authentication and Confidentiality
With secret code – message encrypted
Sender
Message -> apply secret code -> pass to hash fun -> ‘h’ -> append(msg, ‘h’) -> Encrypt -> (cipher, E(‘h’))

Receiver
Decrypt (cipher, E(‘h’)) -> (msg, ‘h’) -> apply secret code to msg and send to hash fun -> ‘h’, ‘h’ -> Compare

If matches then, received message is correct
Hash with Authentication and
Confidentiality
With secret code (message + hash encrypted)- standard
diagram

41
Hash Function Structure

42
Hash Algorithm

43
One way Hash Function

One way Hash Function
Applications
• Digital Signatures
• Message Integrity
• Password verification
• Generation of pseudorandom bits
• Message Authentication Code (MAC)

47
Hash Function Family

SHA Versions

SHA – Secure Hash Algorithm
• Developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1.

• SHA-1 produces a hash value of 160 bits.

• SHA-1 is called secure because it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest.

SHA – Secure Hash Algorithm
• In 2002, NIST produced a revision of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512.

• Collectively, these hash algorithms are known as SHA-2. These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1.

• In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010.
SHA - 512
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks.

SHA - 512
Steps
Step 1: Append padding bits.

• The message is padded so that its length is congruent to 896 modulo 1024 [length K ≡ 896 (mod 1024)].

• Padding is always added, even if the message is already of the desired length.

• Thus, the number of padding bits is in the range of 1 to 1024.

• The padding consists of a single 1-bit followed by the necessary number of 0-bits.

SHA - 512
Step 2: Append length.
• A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).
• The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length. In the figure, the expanded message is represented as the sequence of 1024-bit blocks M1, M2, . . . , MN, so that the total length of the expanded message is N * 1024 bits.

Padding Example
Consider Input Message – ‘abc’

Represented in binary

01100001 01100010 01100011

Message length = 24 bits

Needed,

Message_length ≡ 896 (mod 1024)

that is, Message_length mod 1024 = 896

(24 + 872) mod 1024 = 896

Pad 872 bits to the message so that

Message_length mod 1024 = 896

872 bits to be padded – a 1 bit followed by 871 zeros

Padding Example
Consider Input Message – ‘abc’

Represented in binary

01100001 01100010 01100011 – Padding (10000……….)

896 bits representation is shown below;

Padding Example
Pad the original length of the message for 128 bits at the end
Message_length = 24 bits
Convert this in hexadecimal = 18
So, represent 18 in 128 bits hexadecimal value –
0000000000000000 0000000000000018 (total 64 bits)

Message size = 896+128 =1024 bits


60
Exercise
• How many bits will you pad for input message
length of 2348 bits?


Sol - Message_length ≡ 896 (mod 1024)

2348 mod 1024 = 300

Need 596 bits more

Pad 596 bits: a 1 followed by 595 zeros

Message_length (with padding) is = 2348 + 596 = 2944 bits

Add actual message length 2348 as 128 bits at the end

Total bits = 2944 + 128 = 3072

Which takes 3 M blocks of size 1024 bits each

Message Digest Creation

SHA - 512
Steps
Step 3: Initialize hash buffer.

• A 512-bit buffer is used to hold intermediate and final results of the hash function.

• The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

• These registers are initialized to the following 64-bit integers (hexadecimal values):

a = 6A09E667F3BCC908    b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B    d = A54FF53A5F1D36F1
e = 510E527FADE682D1    f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B    h = 5BE0CD19137E2179

The values are calculated from first eight prime numbers (2,3,5,7,11,13,17,19)

67
SHA - 512
Steps
Step 4: Process message in 1024-bit blocks.

The heart of the algorithm is a module that consists of 80 rounds; this module
is labeled F. Each message block generates 80 words of 64 bits each

68
Word Expansion – derive 80 words from 1024
bits block

69
SHA - 512
Steps

Step 4:

• Each round takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer.

• At input to the first round, the buffer has the value of the intermediate hash value, H_{i-1}.

• Each round t makes use of a 64-bit value W_t, derived from the current 1024-bit block being processed (M_i).

• Each round also makes use of an additive constant K_t, where 0 <= t <= 79 indicates one of the 80 rounds. These words represent the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers.

• The constants provide a “randomized” set of 64-bit patterns, which should eliminate any regularities in the input data.

• The operations performed during a round consist of circular shifts, and primitive Boolean functions based on AND, OR, NOT, and XOR.

• The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i.

• The addition is done independently for each of the eight words in the buffer, with each of the corresponding words in H_{i-1}, using addition modulo 2^64.
Functioning of Module F

71
What happens in a Round?
• Round Function

T2 T1

72
What happens in a Round? (cont.)

• Computing T1 –

• Ch – conditional function

73
What happens in a Round? (cont.)
• Computing T1 –

• Kt – 80 constants

74
What happens in a Round? (cont.)

• Computing T2 –

• Maj(a,b,c) – majority function

75
What happens in a Round? (cont.)
• Round
T2 T1

76
SHA - 512
Step 5:
Output. After all ‘N’ 1024-bit blocks have been processed, the output from
the Nth stage is the 512-bit message digest.

Reference – Forouzan and Stallings

77
SHA - 1

78
SHA-1 Steps

79
SHA-1 Steps
Step 1: Append Padding bits
Padding bits are added to the original message to make the original message equal to a value divisible by 512.
Example –
• The message padding is applied to the last data block such that SHA-1 can process the data of n×512 bits.
• The last two words (64 bits) of the padded message are reserved for the original message length (in bits).
• Input message – ‘abcde’ – 40 bits
• 01100001 01100010 01100011 01100100 01100101.
• After ‘1’ is appended, 407 ‘0’ are required to complete 448 bits. In hex, this can be written as:
61626364 65800000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000
SHA-1 Steps
Step 2: Append length
The remaining two words are reserved for the original message length.
As per the example, length of msg = 40 = “00000000 00000028” (hexadecimal value).
As a result, the padded message is
61626364 65800000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000028.

81
SHA-1 Steps

82
SHA-1 Steps
Step 3: Initialize the hash buffer

83
SHA-1 Steps
Step 4: SHA Processing

Each round = 20 iterations. Total iterations = 80


SHA-1 Steps
Step 4: The Output

92
Let’s recall MAC ..

93
Hash based Message Authentication Code (HMAC)
• Hash-based message authentication code (HMAC) is a mechanism for calculating a message authentication code involving a hash function in combination with a secret key. This can be used to verify the integrity and authenticity of a message.

• HMACs are similar to digital signatures. They both enforce integrity and authenticity. They both use cryptographic keys. And they both employ hash functions.

• The main difference is that digital signatures use asymmetric keys, while HMACs use symmetric keys (no public key).

HMAC Authentication

95
How does HMAC Work ?
A data integrity check on a file transfer.

• Let's say a client application downloads a file from a remote server. It's
assumed that the client and server have already agreed on a common
hash function, for example SHA2.

96
How does HMAC Work ?
• Before the server sends out the file, it first obtains a hash of that file using the
SHA2 hash function. It then sends that hash (ex. a message digest) along with
the file itself.

• Upon receiving the two items (ex. the downloaded file and the hash), the client
obtains the SHA2 hash of the downloaded file and then compares it with the
downloaded hash.
• If the two match, then that would mean the file was not tampered with.

97
How does HMAC Work ?
• If an attacker manages to intercept the downloaded file, alter the file's contents,
and then forward the altered file to the recipient, that malicious act won't go
unnoticed.

• That's because, once the client runs the tampered file through the agreed hash
algorithm, the resulting hash won't match the downloaded hash.

• This will let the receiver know the file was tampered with during transmission.

98
How does HMAC Work ?
Authenticity Check

• An HMAC employs both a hash function and a shared secret key.

• A shared secret key provides exchanging parties a way to establish the authenticity of the message.

• That is, it provides the two parties a way of verifying whether both the message and MAC (more specifically, an HMAC) they receive really came from the party they're supposed to be transacting with.

How does HMAC Work ?
Suitable for File Transfers

Efficiency - hash functions can take a message of arbitrary length and transform it into a fixed-length digest. That means, even if you have relatively long messages, their corresponding message digests can remain short, allowing you to maximize bandwidth.

HMAC Structure

101
HMAC Structure

Reference - Stallings

MAC and HMAC reference
• Stallings

103
HMAC Security
• Security depends on the cryptographic strength of the underlying hash function.

• It is much harder to launch successful collision attacks on HMAC because of the secret key.
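The MAC process and the HMAC file-transfer slides above, as an added example that is not part of the original slides: HMAC is built from its two nested hash calls and compared with the receiver-side check for an unkeyed digest. The key, the file contents and the function names are constructed for illustration, and SHA-256 stands in for the "SHA2" the slides mention.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 input block size in bytes

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC from its definition: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:                      # long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")           # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def receiver_accepts_hash(data: bytes, digest: bytes) -> bool:
    """Receiver check when only an unkeyed digest travels with the file."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), digest)

def receiver_accepts_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver check from the MAC process: recompute with K, compare in
    constant time so the comparison does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, data), tag)

def transfer_demo() -> dict:
    key = b"constructed-shared-key"           # constructed sample key
    original = b"amount=100;to=alice"         # constructed sample file
    altered = b"amount=900;to=alice"          # same file changed in transit

    digest = hashlib.sha256(original).digest()   # sender: unkeyed hash
    tag = hmac_sha256(key, original)             # sender: HMAC with K

    # Anyone can recompute an unkeyed digest for changed content, so a digest
    # that travels with the file only helps if it cannot be replaced as well.
    replaced_digest = hashlib.sha256(altered).digest()
    # Without K, a tag for the changed content cannot be produced; a tag
    # made with any other key fails the receiver's check.
    wrong_key_tag = hmac_sha256(b"not-the-shared-key", altered)

    return {
        "hash_flags_changed_file": not receiver_accepts_hash(altered, digest),
        "hash_passes_if_digest_replaced": receiver_accepts_hash(altered, replaced_digest),
        "mac_accepts_original": receiver_accepts_mac(key, original, tag),
        "mac_rejects_changed_file": not receiver_accepts_mac(key, altered, tag),
        "mac_rejects_tag_from_other_key": not receiver_accepts_mac(key, altered, wrong_key_tag),
    }
```

Every entry returned by `transfer_demo()` is `True`; the second one is the reason the authenticity check needs the shared key and not just the agreed hash function.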

104
Message Digest (MD 5)
• MD5 is the Message Digest algorithm 5, created by Ronald Rivest.

• It is the most widely used of the MD family of hash algorithms.

• MD5 creates a 128-bit hash value based on arbitrary input length.

• It verifies Integrity and authenticity of message.

• Initially designed for digital signatures.

• MD5 hashing is no longer considered reliable for use because security experts have demonstrated techniques capable of easily producing MD5 collisions on commercial off-the-shelf computers.

105
MD 5 Concept
• Every message is padded into blocks of 512 bits each.

• 4 rounds of 16 operations = 64 operations.

• The output of every block is fed into the subsequent block.

• The final output is the message digest.

How MD5 works?

107
Step 1: Padding bits

108
Step 1: Padding bits (cont.)

109
Step 2: Padding length

110
Step 3: Divide the I/P in 512 - bit block and
Initialize Buffer

111
Step 4: Process each block

112
Step 4: Process each block (cont.)

113
Non-linear Process Function

114
Compressed Function

115
MD5 – new A,B,C,D

116
Reference MD5
• Research paper’s PDFs will be shared
• https://en.wikipedia.org/wiki/MD5
• https://datatracker.ietf.org/doc/html/rfc1321

117
Learn …
• Difference between MD5 and SHA
• Advantages and Disadvantages of
• MD5
• SHA
• HMAC

118
MAC Implementation
• To realize and construct MAC algorithms, two different cryptographic primitives are used.

• MACs can be implemented using cryptographic hash functions or using symmetric block ciphers.

• Cryptographic hash functions - HMAC

• Symmetric block ciphers –

• DAA,

• CMAC

• (1. CBC-MAC (it uses AES) and 2. a variant of CBC-MAC is CMAC (AES + triple DES))

• Reference – Authentication_paper.pdf and Stallings (for CMAC)


MAC based on Block Ciphers

• Data Authentication Algorithm(DAA)

• Cipher Based Message Authentication Code(CMAC)

120
Data Authentication Algorithm (DAA)
• The Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC.
• The message to be authenticated is grouped into contiguous 64-bit blocks: D1, D2, …, DN.
• The final block is padded on the right with zeros to form a full 64-bit block.
• Using the DES encryption algorithm E and a secret key K, a Data Authentication Code (DAC) is calculated.

Data Authentication Algorithm(DAA)

122
DAA
• Reference - Stallings

123
Understand
• Digital Signature
• E- signature
• Conventional Signature

124
Digital Signatures
• A digital signature is a mathematical scheme for
verifying the authenticity of digital messages or
documents. A valid digital signature, where the
prerequisites are satisfied, gives a recipient very strong
reason to believe that the message was created by a
known sender (authentication), and that the message
was not altered in transit (integrity).

125
Digital vs Conventional Signature

Conventional –
• Traditional method of document signing (handwritten, seal, etc.)
• Physical part of the document
• Verified by comparing it to authentic signatures
• Same sign on various docs (one to many)

Digital –
• E-signature based on public key cryptography
• Authenticating digital documents or messages
• Issued by Certificate Authority (CA)
• Schemes – RSA, ElGamal
• Verified by verification algorithm
• Different sign for different documents (one to one)

Digital Signature Process
• Bob uses a secure hash function, such as SHA-512, to generate a hash value for the message.

• That hash value, together with Bob’s private key, serves as input to a digital signature generation algorithm, which produces a short block that functions as a digital signature.

• Bob sends the message with the signature attached.

• When Alice receives the message plus signature, she (1) calculates a hash value for the message; (2) provides the hash value and Bob’s public key as inputs to a digital signature verification algorithm.

• If the algorithm returns the result that the signature is valid, Alice is assured that the message must have been signed by Bob.
Digital Signature Properties
• Message Authentication does not protect the two parties against
each other.
• Disputes:
• Receiver may forge the message
• Sender denies sending the message

• The most attractive solution to this problem is the digital signature. The digital signature must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.
Digital Signature Services
• Authentication
• Bob can verify the message is sent by Alice as Alice’s public key is used for
verification

• Integrity
• Different signature will be produced if message is changed.

• Hash preserves integrity

• Nonrepudiation
• Using Trusted Party

129
Digital Signature Services
• Nonrepudiation (cont.)
• Using Trusted Party

130
Digital Signature Services
• Confidentiality
• Not provided.
• If required, then message and encryption must be encrypted.

131
Attacks on Digital Signature
Key-Only – same as ciphertext-only attack
• C – attacker, A – sender, B – receiver.
• A’s public key is known to everyone.
• C recreates A’s signature using A’s public key and digitally signs documents that A does not intend to sign.

Known-Message – same as known-plaintext attack
• C knows previous message-signature pairs of A.
• C recreates the signature by analyzing previous data (by using brute force).

Chosen-Message – similar to chosen-plaintext attack
• C makes A sign one or more messages.
• C has message-signature pairs.

Forgery Types
Existential Forgery
• The attacker may be able to create a valid message-signature pair, but not one that she can really use.
• The attacker’s message could be syntactically and semantically unintelligible.

Selective Forgery
• The attacker may be able to forge the sender’s signature on a message with the content selectively chosen by the attacker.

Digital Signature
Schemes

RSA ElGamal Schnorr

134
Digital Signature Standard (DSS)
• NIST has published Federal Information Processing
Standard FIPS 186, known as DSS.

• It makes use of the Secure Hash Algorithm (SHA)

• It was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme.

135
DSS Steps
• Generation of Public and Private key for User A

• Creation of Digital Signature by User A for message M

• User B verifies the Digital Signature

136
Generation of Global Public Key
Components {p,q,g}

137
User A Public Key and User A
Private Key

138
Generating Signature {r,s}

139
Verifying Signature {r,s}

140
Authentication Applications

Verifying User’s Identity:


• Kerberos,
• X.509 Authentication Service

141
Kerberos
• In mythology, Kerberos (also known as Cerberus) is a large, three-
headed dog that guards the gates to the underworld to keep souls
from escaping.

• Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists.

• The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet.

• It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.

• But in the protocol's case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC).
Kerberos Steps
• The client wants to access a file on a server, and the client must be verified through a trusted third party.

Figure labels: Authentication Server (AS), Key Distribution Center (KDC), Ticket Granting Server (TGS)
Kerberos Steps
Step 1: Login.

• The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS).

• This request includes the client ID. The client’s password is a shared secret key.

144
Kerberos Steps

145
Kerberos Steps
Step 2: Obtaining a Service Granting Ticket (SGT)

i. Request

146
Kerberos Steps
Step 2: Obtaining a Service Granting Ticket (SGT)

ii. Response from TGS

147
Kerberos Steps
Step 3: User contacts Bob for accessing the server

i. Alice sends KAB to Bob

148
Kerberos Steps
Step 3: User contacts Bob for accessing the server

ii. Acknowledgement from Bob

149
Enable Kerberos support in browsers
• http://woshub.com/enable-kerberos-authentication-in-browser/

Kerberos Reference
• Cryptography and Network Security by Atul Kahate

151
Kerberos 4 vs 5
• Home laptop

152
Digital Certificates

153
Digital Certificate
• In cryptography, a public key certificate, also
known as a digital certificate or identity
certificate, is an electronic document used to
prove the ownership of a public key.

• The certificate includes
• information about the key,
• information about the identity of its owner (called the subject), and
• the digital signature of an entity that has verified the certificate's contents (called the issuer).
Digital Certificate (cont.)
• In a typical public-key infrastructure (PKI) scheme, the
certificate issuer is a certificate authority (CA), usually a
company that charges customers to issue certificates
for them.

• The most common format for public key certificates is
defined by X.509, as specified in RFC 5280.
Steps for obtaining Digital Certificate

What is inside a Digital Certificate?
X.509 Certificates
• Defines the structure of a digital certificate.

• The International Telecommunication Union (ITU)
released this standard in 1988. It was a part of X.500.

• Since then, X.509 has been revised twice, and the
current version is Version 3 (X.509V3).

• The IETF published RFC 2459 for X.509 in 1999.

X.509 Certificates Contents
• Version: which X.509 version applies to the certificate (which
  indicates what data the certificate must include)
• Serial number: the identity creating the certificate must assign it
  a serial number that distinguishes it from other certificates
• Algorithm information: the algorithm used by the issuer to sign
  the certificate
• Issuer distinguished name: the name of the entity issuing the
  certificate (usually a certificate authority)
• Validity period of the certificate: the period of time for which
  the certificate is valid, with the start/end date
• Subject distinguished name: the name of the identity the
  certificate is issued to
• Subject public key information: the public key associated with
  the identity
• Extensions (optional)

X.509 – Version 3

| Field | Description |
|---|---|
| Authority Key Identifier | Identifies the certification authority (CA) public key that corresponds to the CA private key used to sign the certificate. |
| Subject Key Identifier | Differentiates between multiple public keys held by the certificate subject. The extension value is typically a SHA-1 hash of the key. |
| Key Usage | Specifies restrictions on the operations that can be performed by the public key contained in the certificate. |
| Enhanced Key Usage | Specifies the manner in which the public key contained in the certificate can be used. |
| Private Key Usage Period | Specifies a different validity period for the private key than for the certificate with which the private key is associated. |
X.509 – Version 3 (cont.)

| Field | Description |
|---|---|
| Certificate Policies | Specifies the policies under which the certificate has been issued and the purposes for which it can be used. |
| Policy Mappings | Specifies the policies in a subordinate CA that correspond to policies in the issuing CA. |
| Subject Alternative Name | Specifies one or more alternative name forms for the subject of the certificate request. Example alternative forms include email addresses, DNS names, IP addresses, and URIs. |
| Issuer Alternative Name | Specifies one or more alternative name forms for the issuer of the certificate request. |

X.509 – Version 3 (cont.)

| Field | Description |
|---|---|
| Subject Directory Attributes | Conveys identification attributes such as the nationality of the certificate subject. |
| Basic Constraints | Specifies whether the entity can be used as a CA and, if so, the number of subordinate CAs that can exist beneath it in the certificate chain. |
| Name Constraints | Specifies the namespace within which all subject names in a certificate hierarchy must be located. The extension is used only in a CA certificate. |
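
How a verifier reads the Key Usage and Basic Constraints extensions described in the tables above, as an added example that is not part of the original slides. It parses a bare DER-encoded Extensions sequence with the standard library only; the two sample byte strings are hand-constructed for illustration, and the helper names (`tlv`, `children`, `parse_extensions`, `may_issue`) are hypothetical.

```python
def tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

OID_KEY_USAGE, OID_BASIC_CONSTRAINTS = bytes.fromhex("551d0f"), bytes.fromhex("551d13")

def parse_extensions(der):
    """Extensions ::= SEQUENCE OF SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }"""
    info = {"ca": False, "path_len": None, "key_cert_sign": False, "critical": set()}
    for _, ext in children(tlv(der)[1]):
        parts = children(ext)
        oid, value = parts[0][1], parts[-1][1]   # extnValue is an OCTET STRING wrapping DER
        if len(parts) == 3 and parts[1][1] != b"\x00":
            info["critical"].add(oid.hex())
        if oid == OID_BASIC_CONSTRAINTS:         # SEQUENCE { cA BOOLEAN, pathLen INTEGER }
            for tag, val in children(tlv(value)[1]):
                if tag == 0x01:
                    info["ca"] = val != b"\x00"
                elif tag == 0x02:
                    info["path_len"] = int.from_bytes(val, "big")
        elif oid == OID_KEY_USAGE:               # BIT STRING: first byte counts unused bits
            bits = tlv(value)[1]
            info["key_cert_sign"] = len(bits) > 1 and bool(bits[1] & 0x04)  # bit 5
    return info

def may_issue(info, subordinate_cas_below=0):
    """True only if the certificate may act as an issuer at this depth of the chain."""
    limit_ok = info["path_len"] is None or subordinate_cas_below <= info["path_len"]
    return info["ca"] and info["key_cert_sign"] and limit_ok

# Constructed extension blocks (hand-encoded DER, not taken from a real certificate).
CA_EXT = bytes.fromhex("302430120603551d130101ff040830060101ff020100"
                       "300e0603551d0f0101ff040403020106")
LEAF_EXT = bytes.fromhex("301b30090603551d1304023000"
                         "300e0603551d0f0101ff0404030205a0")
```

`may_issue(parse_extensions(LEAF_EXT))` is false: an end-entity certificate must never be accepted as the issuer of another certificate, even when its own signature chain is valid.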


References:
https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-version-3-extensions

Book:
Cryptography and Network Security by Atul Kahate

References
• Books
• William Stallings
• Forouzan
• Atul Kahate
