Applied Cryptography and Information Security

Subject Code: MR23-1CS0402


UNIT–III:

Hashing and Message Digests: Cryptographic Hash Functions- Applications- Simple hash
functions and features for ensuring security – Hash functions based on Cipher Block
Chaining- Secure Hash Algorithm (SHA) - Message Digest - MD5
Message Authentication: Authentication Systems – Password and Address – Security
Handshake Drawbacks - Authentication Standards – Kerberos- PKI Trust Models -Message
Authentication Codes (MAC) – Security features- MAC based on Hash Functions - MAC
based on Block Ciphers.

Cryptographic Hash Functions

Hash functions are extremely useful and appear in almost all information security
applications. A hash function is a mathematical function that converts a numerical input value
into another, compressed numerical value. The input to the hash function is of arbitrary length
but the output is always of fixed length. Values returned by a hash function are called the message
digest or simply hash values. The following illustration shows a hash function.
Features of Hash Functions
The typical features of hash functions are:
Fixed Length Output (Hash Value)
● A hash function converts data of arbitrary length to a fixed length. This process is
often referred to as hashing the data.
● In general, the hash is much smaller than the input data, hence hash functions
are sometimes called compression functions.
● Since a hash is a smaller representation of larger data, it is also referred to as
a digest.
● A hash function with an n-bit output is referred to as an n-bit hash function.
Popular hash functions generate values between 160 and 512 bits.
Efficiency of Operation
● Generally, for any hash function h with input x, computation of h(x) is a fast
operation.
● Computationally, hash functions are much faster than symmetric encryption.

Properties of Hash Functions

In order to be an effective cryptographic tool, a hash function should
possess the following properties:
Pre-Image Resistance
● This property means that it should be computationally hard to reverse a hash
function.
● In other words, if a hash function h produced a hash value z, then it should be
a difficult process to find any input value x that hashes to z.
● This property protects against an attacker who only has a hash value and is
trying to find the input.
Second Pre-Image Resistance
● This property means that, given an input and its hash, it should be hard to find a
different input with the same hash.
● In other words, if a hash function h for an input x produces hash value h(x),
then it should be difficult to find any other input value y such that h(y) = h(x).
● This property protects against an attacker who has an input
value and its hash, and wants to substitute a different value as the legitimate value
in place of the original input.
Collision Resistance
● This property means it should be hard to find two different inputs of any
length that result in the same hash. Such a hash function is also referred to as
collision free.
● In other words, for a hash function h, it is hard to find any two different
inputs x and y such that h(x) = h(y).
● Since a hash function compresses inputs to a fixed hash length, it is
impossible for it not to have collisions. Being "collision free" only means
that these collisions should be hard to find.
● This property makes it very difficult for an attacker to find two input values
with the same hash.
● Also, if a hash function is collision-resistant then it is second pre-image
resistant.
Design of Hashing Algorithms
At the heart of hashing is a mathematical function that operates on two fixed-size blocks of
data to create a hash code. This hash function forms part of the hashing algorithm.
The size of each data block varies depending on the algorithm. Typically the block sizes are
from 128 bits to 512 bits. The following illustration demonstrates the hash function.
A hashing algorithm involves rounds of the above hash function, like a block cipher. Each round
takes an input of a fixed size, typically a combination of the most recent message block and
the output of the last round. This process is repeated for as many rounds as are required to
hash the entire message. A schematic of the hashing algorithm is depicted in the following
illustration.
Since the hash value of the first message block becomes an input to the second hash operation,
whose output alters the result of the third operation, and so on, a change anywhere in the
input propagates through every later round. This is known as the avalanche effect of hashing.
The avalanche effect results in substantially different hash values for
two messages that differ by even a single bit of data. Understand the difference between hash
function and hashing algorithm correctly. The hash function generates a hash code by operating on
two blocks of fixed-length binary data. The hashing algorithm is a process for using the hash
function, specifying how the message will be broken up and how the results from previous
message blocks are chained together.
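As an added example (not code from the notes), the toy hashing algorithm below chains a fixed-input hash function over padded message blocks exactly as described above, and measures the avalanche effect. The compression function (SHA-256 over the previous output and the block), the 64-byte block size and the all-zero IV are assumptions made only for illustration.

```python
"""Toy Merkle-Damgard style hashing algorithm (added example, not the notes' code).
compress() is the fixed-input 'hash function' of the notes, assumed here to be SHA-256
over (previous output || message block); the 64-byte block, 32-byte chaining value and
all-zero IV are likewise assumptions.  md_hash() is the 'hashing algorithm': it pads
the message, splits it into blocks and chains the rounds.  avalanche_bits() measures
how many digest bits flip when one input bit changes.
"""
import hashlib

BLOCK_SIZE = 64    # bytes per message block (512 bits, as in MD5 / SHA-1 / SHA-256)
DIGEST_SIZE = 32   # bytes of chaining value and final hash (256 bits)
IV = bytes(DIGEST_SIZE)  # constant initial value (assumed all-zero)


def compress(chaining_value: bytes, block: bytes) -> bytes:
    """One round: fixed-size (previous output, message block) -> fixed-size output."""
    assert len(chaining_value) == DIGEST_SIZE and len(block) == BLOCK_SIZE
    return hashlib.sha256(chaining_value + block).digest()


def pad(message: bytes) -> bytes:
    """Append 0x80, zero bytes, then the 64-bit message length (Merkle-Damgard
    strengthening), so the padded message is a whole number of blocks."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((BLOCK_SIZE - 8 - len(padded)) % BLOCK_SIZE)
    return padded + bit_len.to_bytes(8, "big")


def md_hash(message: bytes) -> bytes:
    """Chain compress() over every block: round i consumes block i and round i-1's output."""
    padded = pad(message)
    h = IV
    for offset in range(0, len(padded), BLOCK_SIZE):
        h = compress(h, padded[offset:offset + BLOCK_SIZE])
    return h


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(message: bytes, bit_index: int) -> int:
    """Flip one input bit and count how many of the 256 digest bits change
    (about half is expected for a good hash)."""
    flipped = bytearray(message)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    return hamming_distance(md_hash(message), md_hash(bytes(flipped)))


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog. " * 3  # constructed input
    print("digest:", md_hash(msg).hex())
    print("digest bits changed after flipping input bit 5:", avalanche_bits(msg, 5))
```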
Popular Hash Functions
Let us briefly see some popular hash functions.
Message Digest (MD)
MD5 was the most popular and widely used hash function for quite some years.
● The MD family comprises the hash functions MD2, MD4, MD5 and MD6. MD5 was adopted
as Internet Standard RFC 1321. It is a 128-bit hash function.
● MD5 digests have been widely used in the software world to provide assurance about the
integrity of a transferred file. For example, file servers often provide a pre-computed MD5
checksum for their files, so that a user can compare the checksum of the downloaded file to it.
● In 2004, collisions were found in MD5. An analytical attack was reported to succeed
in only an hour using a computer cluster. This collision attack left
MD5 compromised and hence it is no longer recommended for use.
Secure Hash Function (SHA)
The SHA family comprises four SHA algorithms: SHA-0, SHA-1, SHA-2, and SHA-3. Though from the
same family, they are structurally different.
● The original version, SHA-0, a 160-bit hash function, was published by the National
Institute of Standards and Technology (NIST) in 1993. It had a few weaknesses and did not
become very popular. Later, in 1995, SHA-1 was designed to correct the alleged weaknesses of
SHA-0.
● SHA-1 is the most widely used of the existing SHA hash functions. It is employed in
several widely used applications and protocols, including Secure Socket Layer (SSL) security.
● In 2005, a method was found for uncovering collisions in SHA-1 within a practical time
frame, making the long-term employability of SHA-1 doubtful.
● The SHA-2 family has four further SHA variants, SHA-224, SHA-256, SHA-384, and SHA-512,
named according to the number of bits in their hash value. No successful attacks have yet been
reported on the SHA-2 hash functions.
● Although SHA-2 is a strong hash function and significantly different, its basic design
still follows the design of SHA-1. Hence, NIST called for new competitive hash function
designs.
● In October 2012, NIST chose the Keccak algorithm as the new SHA-3
standard. Keccak offers many benefits, such as efficient performance and good resistance to
attacks.
RIPEMD
RIPEMD is an acronym for RACE Integrity Primitives Evaluation Message Digest. This
set of hash functions was designed by the open research community and is generally known as a
family of European hash functions.
● The set includes RIPEMD, RIPEMD-128, and RIPEMD-160. There also exist 256- and
320-bit versions of this algorithm.
● The original RIPEMD (128-bit) is based upon the design principles used in MD4 and was found to
provide questionable security. The RIPEMD 128-bit version came as a quick-fix replacement to
overcome vulnerabilities in the original RIPEMD.
● RIPEMD-160 is an improved version and the most widely used version in the family. The
256- and 320-bit versions reduce the chance of accidental collision, but do not have higher
levels of security compared to RIPEMD-128 and RIPEMD-160 respectively.
Whirlpool
This is a 512-bit hash function.
● It is derived from a modified version of the Advanced Encryption Standard (AES). One of
the designers was Vincent Rijmen, a co-creator of AES.
● Three versions of Whirlpool have been released, namely WHIRLPOOL-0, WHIRLPOOL-T,
and WHIRLPOOL.
Applications of Hash Functions
There are two direct applications of hash functions based on their cryptographic properties.
Password Storage
Hash functions provide protection for password storage.
● Instead of storing passwords in the clear, almost all logon processes store the hash values of
passwords in the password file.
● The password file consists of a table of pairs of the form (user id, h(P)).
● An intruder can only see the hashes of passwords, even if he accesses the password file. He can
neither log on using the hash nor derive the password from the hash value, since the hash function
possesses the property of pre-image resistance.
● The process of logon is depicted in the following illustration.
Data Integrity Check
The data integrity check is the most common application of hash
functions. It is used to generate checksums on data files. This application
provides assurance to the user about the correctness of the data.

The process is depicted in the following illustration.

The integrity check helps the user to detect any changes made to the original file. It does not, however,
provide any assurance about originality. The attacker, instead of modifying the file data,
can replace the entire file, compute an altogether new hash and send both to the receiver. This
integrity check application is therefore useful only if the user is sure about the originality of the file.
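Both applications, as an added example (not code from the notes): a password file of (user id, h(P)) pairs checked at logon, and a file integrity check. SHA-256 is assumed as h, the user names and file contents are constructed sample data, and the salted PBKDF2 variant goes beyond the notes' unsalted scheme and is marked as such. The integrity demo also shows the substitution case the notes warn about: a replaced file with a freshly computed checksum passes the check.

```python
"""The two hash applications from the notes (added example, not the notes' code)."""
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    """The notes' hash function h; SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()


# --- Password storage as in the notes: a table of (user id, h(P)) -------------

def make_password_file(users: dict) -> dict:
    """Store only h(P); an intruder reading this table sees hashes, not passwords."""
    return {uid: h(pw.encode()) for uid, pw in users.items()}


def logon(password_file: dict, uid: str, candidate: str) -> bool:
    """Hash the typed password and compare with the stored digest in constant time."""
    stored = password_file.get(uid)
    if stored is None:
        return False
    return hmac.compare_digest(stored, h(candidate.encode()))


# --- Beyond the notes: per-user salt and a slow hash (PBKDF2-HMAC-SHA256) ------
# With unsalted h(P) one precomputed list of hashes of common passwords tests every
# user at once; a random salt per user and many iterations make guessing far costlier.

def enroll_salted(password: str, salt: bytes = None, iterations: int = 200_000) -> tuple:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk, iterations          # the record stored instead of h(P)


def logon_salted(record: tuple, candidate: str) -> bool:
    salt, dk, iterations = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(dk, probe)


# --- Data integrity check -----------------------------------------------------

def checksum(data: bytes) -> str:
    """Hex digest a file server would publish beside a download."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, published: str) -> bool:
    return hmac.compare_digest(checksum(data), published)


if __name__ == "__main__":
    pw_file = make_password_file({"alice": "correct horse battery", "bob": "hunter2"})
    print(logon(pw_file, "alice", "correct horse battery"), logon(pw_file, "alice", "wrong"))
    original = b"installer-v1.0 bytes"                    # constructed file content
    print(integrity_ok(original + b"!", checksum(original)))   # modification: False
    replaced = b"trojaned installer bytes"                # attacker swaps file AND checksum
    print(integrity_ok(replaced, checksum(replaced)))     # True: originality must be assured separately
```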
Secure Hash Algorithm (SHA)
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards
and Technology (NIST) along with the National Security Agency. It was first released as a
Federal Information Processing Standard; the version published in 1995 was named SHA and was
designed as a modification of MD4, so the SHA algorithm can be said to be a
modified version of MD4. SHA is designed so that it is infeasible to recover the original message from
its message digest, or to find another message producing the same digest.
What is SHA Algorithm?
In the field of cryptography and cryptanalysis, the SHA-1 algorithm is a cryptographic
hash function that takes an input and produces a string that is 160 bits, or 20 bytes, long.
The hash value so generated is known as a
message digest, which is typically rendered as a hexadecimal number that is
40 digits long.
Characteristics
Cryptographic hash functions are used to keep and store data in a secured form
by providing three kinds of characteristics: pre-image resistance (also known as
first pre-image resistance), second pre-image resistance and collision resistance.
● The cornerstone is that pre-image resistance makes it hard
and time consuming for an attacker to find the original message given
its hash value.
● This security is provided by the one-way nature of the hash function, which is
the key component of the SHA algorithm. Pre-image resistance is important to resist
brute-force attacks even from large sets of powerful machines.
● Second pre-image resistance means that even when the attacker knows one message and its
hash, finding a different message with the same hash remains hard.
The last and most difficult to crack is collision resistance, making it extremely
hard for the attacker to find two completely different messages which hash to the same hash
value.
● Because there are far more possible inputs than outputs, collisions must exist by the
pigeonhole principle. Collision resistance only implies that finding two
different inputs that hash to the same value is extremely difficult, and this is what marks
the function as safe.
Types of SHA Algorithm
The different types of SHA algorithm include the following:

1. SHA-0
It is a retronym applied to the original version of the 160-bit (20-byte)
hash function, which was published back in 1993 under the name SHA.
It was withdrawn very shortly after publication due to a major flaw,
and therefore SHA-1 came into the picture.
2. SHA-1
It is a 160-bit (20-byte) hash function that resembles the older MD5 algorithm.
The algorithm was designed and developed by the NSA, i.e. the National Security Agency, and was
intended to be part of a critical component, the Digital Signature Algorithm (DSA).
Cryptographic weaknesses were found in SHA-1; the standard was later discarded
and is no longer much used.
3. SHA-2
This is a family of two similar hash functions with different block sizes, SHA-256 and SHA-512,
which differ mainly in word size: SHA-256 works on 32-bit words, whereas SHA-512 works on
64-bit words. Truncated versions of these include SHA-224 and SHA-384, as well as
SHA-512/224 and SHA-512/256.
4. SHA-3
This is the latest standard in use today, which makes use of the
hash function named Keccak. The output lengths supported are the same as those of SHA-2.
Still, the main difference lies in the fact that it is structurally different:
it is based on a sponge construction built around a random permutation, which allows
absorbing, as it is called, any amount of input data and then squeezing out the output. While
doing all this, it acts as a pseudorandom function of its input, which
gives greater flexibility.
Uses of SHA Algorithm
● These SHA algorithms are widely used in security protocols and applications,
including TLS, PGP, SSL, IPsec, and S/MIME.
● They also find their place in the majority of cryptographic techniques and coding
standards, which are aimed at the functioning of nearly all
governmental as well as private organizations and institutions.
● Major companies such as Google, Microsoft, and Mozilla have started to recommend
the use of SHA-3 and to stop the use of the SHA-1 algorithm.
Message Authentication Codes
Message Authentication Codes are codes which play a role in two important
functions: Authentication Detection and Falsification Detection.
Where do we need these codes?
Suppose user A sends the message 'abc' to user B. A encrypts the
message using a shared-key cryptosystem. A sends the
key to B by a key exchange; key exchange is based on protocols such as a
public-key cryptosystem. B uses the key to decrypt the ciphertext and obtains the
message.
Suppose a malicious user X has falsified the ciphertext during transmission. In that
case, B has no way to realize that it has been falsified. When B decrypts the message,
it will get the wrong message and, unaware of this, B will take the wrong information
to be right. Any operations B later applies, whether decryption or encryption, are being
applied to the wrong data.

Here we need to detect the falsification in the message B has got. A
creates a key (used to create the Message Authentication Code) and sends the key to B. A
then computes a value from the ciphertext and the key:
Ciphertext + Key = Message Authentication Code. B checks
whether the ciphertext has been falsified using the Message Authentication Code. Now B
can clearly know whether the ciphertext is falsified or not.
Apart from intruders, the transfer of a message between two people also faces other
external problems like noise, which may alter the original message constructed by the
sender. To ensure that the message is not altered, the MAC method is used.

MAC stands for Message Authentication Code. In MAC, the sender and receiver
share the same key. The sender generates a fixed-size output called a cryptographic
checksum or Message Authentication Code and appends it to the original message. On
the receiver's side, the receiver also generates the code and compares it with what he/she
received, thus ensuring the originality of the message.
These are the components:
● Message
● Key
● MAC algorithm
● MAC value
There are different models of Message Authentication Code (MAC), as
described below:
1. MAC without encryption – This model can provide authentication but not
confidentiality, as anyone can see the message.

2. Internal Error Code – In this model of MAC, the sender encrypts the content before
sending it through the network for confidentiality. Thus this model provides
confidentiality as well as authentication.
M' = MAC(M, k)

3. External Error Code – When the message has been altered, decrypting it first is
wasted effort; to overcome that problem, we opt for the external error code.
Here we first apply the MAC to the encrypted message 'c' and compare it with the
received MAC value on the receiver's side, and then decrypt 'c' only if they are the
same; otherwise we simply discard the content received. Thus it saves time.
c = E(M, k')
M' = MAC(c, k)
Problems in MAC –
If we do reverse engineering we can reach the plaintext or even the key. Here we have mapped
input to output; to overcome this we move on to hash functions, which are "one way".
Note – the symbol "E" denotes symmetric key encryption.
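The three models above side by side, as an added example (not code from the notes). MAC(M, k) is taken to be HMAC-SHA256; E(M, k') is a toy stream cipher assumed here only so the example runs with the standard library, not a cipher for real use. A decrypt counter shows the point of the external error code: a tampered message is discarded before any decryption work is spent.

```python
"""The three MAC models from the notes, as an added example (not the notes' code).
MAC(M, k) is HMAC-SHA256.  E(M, k') is a TOY stream cipher (SHA-256 keystream XORed
into the data under a random nonce), assumed here only so the example runs with the
standard library; it is not a cipher for real use.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def mac(data: bytes, k: bytes) -> bytes:
    """The notes' MAC(., k): HMAC-SHA256 under the MAC key k."""
    return hmac.new(k, data, hashlib.sha256).digest()


def _xor_stream(data: bytes, k_enc: bytes, nonce: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(k_enc + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def E(m: bytes, k_enc: bytes) -> bytes:
    """Toy symmetric encryption E(M, k'): nonce || (M XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_stream(m, k_enc, nonce)


def D(c: bytes, k_enc: bytes) -> bytes:
    return _xor_stream(c[NONCE_LEN:], k_enc, c[:NONCE_LEN])


# 1. MAC without encryption: M || MAC(M, k). Authentic, but anyone can read M.
def send_plain(m: bytes, k: bytes) -> bytes:
    return m + mac(m, k)


def recv_plain(blob: bytes, k: bytes):
    m, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return m if hmac.compare_digest(tag, mac(m, k)) else None


# 2. Internal error code: M' = MAC(M, k) over the plaintext, then E(M || M', k').
def send_internal(m: bytes, k: bytes, k_enc: bytes) -> bytes:
    return E(m + mac(m, k), k_enc)


def recv_internal(blob: bytes, k: bytes, k_enc: bytes, stats: dict):
    stats["decrypts"] += 1          # must decrypt before anything can be checked
    plain = D(blob, k_enc)
    m, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    return m if hmac.compare_digest(tag, mac(m, k)) else None


# 3. External error code: c = E(M, k'); M' = MAC(c, k). Verify first, decrypt only on match.
def send_external(m: bytes, k: bytes, k_enc: bytes) -> bytes:
    c = E(m, k_enc)
    return c + mac(c, k)


def recv_external(blob: bytes, k: bytes, k_enc: bytes, stats: dict):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(c, k)):
        return None                 # discarded with no decryption work spent
    stats["decrypts"] += 1
    return D(c, k_enc)


def tamper(blob: bytes, index: int) -> bytes:
    """Simulate alteration in transit (noise or an intruder): flip one bit."""
    altered = bytearray(blob)
    altered[index] ^= 0x01
    return bytes(altered)
```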
MAC-based on Hash Function (HMAC)
HMAC is a Hashed or Hash-based Message Authentication Code: a MAC derived from a
cryptographic hash function. HMAC offers strong resistance to cryptanalytic attacks because
it applies the hash function twice. Thus HMAC combines the benefits of hashing and of a MAC,
and is therefore more secure than other authentication codes. HMAC was issued as RFC 2104,
and it has been made mandatory to implement in IP security (IPsec). The NIST standard FIPS 198
has also specified HMAC.

HMAC Algorithm
The working of HMAC starts with a message M consisting of blocks of length b
bits. An input signature is padded to the left of the message and the
whole is given as input to a hash function, which gives a temporary message digest MD' of
the original message. MD' is then appended to an output signature,
and the hash function is applied again to the whole; the result is the final message digest MD.
Here, H stands for the hashing function,

M is the original message,

Si and So are the input and output signatures respectively,

Yi is the i-th block in the original message M, where i ranges over [1, L),

L = the count of blocks in M,

K is the secret key used for hashing,

IV is an initial vector (some constant).

The illustration shows the generation of the input and output signatures Si and So respectively.
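HMAC computed directly from the definition above, as an added example (not code from the notes): Si and So are the key padded to the block size b and XORed with the ipad/opad constants of RFC 2104, MD' = H(Si || M) and MD = H(So || MD'). SHA-256 is assumed as H, and the result is cross-checked against Python's hmac module.

```python
"""HMAC from its definition (added example, not the notes' code).
K is padded with zeros to the hash function's block size b (or first hashed if it is
longer than b, as RFC 2104 requires); Si = K' XOR ipad and So = K' XOR opad are the
input and output signatures; MD' = H(Si || M); MD = H(So || MD').
"""
import hashlib
import hmac as stdlib_hmac  # used only for constant-time comparison and cross-checking

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def signatures(key: bytes, hash_name: str = "sha256") -> tuple:
    """Return (Si, So) for the given key and hash function."""
    b = hashlib.new(hash_name).block_size        # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > b:                             # RFC 2104: hash keys longer than b
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(b, b"\x00")              # zero-pad K to exactly b bytes
    si = bytes(k ^ IPAD_BYTE for k in k_prime)   # input signature  Si
    so = bytes(k ^ OPAD_BYTE for k in k_prime)   # output signature So
    return si, so


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    si, so = signatures(key, hash_name)
    md_inner = hashlib.new(hash_name, si + message).digest()   # MD' = H(Si || M)
    return hashlib.new(hash_name, so + md_inner).digest()      # MD  = H(So || MD')


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return stdlib_hmac.compare_digest(hmac_from_definition(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check: the hand-built value must equal Python's own HMAC."""
    expected = stdlib_hmac.new(key, message, hash_name).digest()
    return hmac_from_definition(key, message, hash_name) == expected


if __name__ == "__main__":
    print(hmac_from_definition(b"key", b"The quick brown fox jumps over the lazy dog").hex())
```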


Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users
to servers and servers to users. In Kerberos, an authentication server and a database are used for
client authentication. Kerberos runs as a trusted third-party server known as the Key
Distribution Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:

Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the
Ticket Granting Service.
Database:
The Authentication Server verifies the access rights of users in the database.
Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.
Step-1:
The user logs in and requests services on the host. Thus the user requests a ticket-granting ticket.
Step-2:
The Authentication Server verifies the user's access rights using the database and then issues a
ticket-granting ticket and a session key. The results are encrypted using the user's password.
Step-3:
The message is decrypted using the password, and the ticket is then sent to the Ticket
Granting Server. The ticket contains authenticators such as user names and network addresses.
Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the
authenticator, and then creates the ticket for requesting services from the Server.
Step-5:
The user sends the Ticket and Authenticator to the Server.
Step-6:
The Server verifies the Ticket and Authenticator and then grants access to the service. After
this the user can access the service.
Kerberos Limitations
● Each network service must be modified individually for use with Kerberos
● It doesn't work well in a timeshare environment
● Requires a secured Kerberos server
● Requires an always-on Kerberos server
● Stores all passwords encrypted with a single key
● Assumes workstations are secure
● May result in cascading loss of trust
● Scalability

Is Kerberos Infallible?

No security measure is 100% impregnable, and Kerberos is no exception. Because it has been
around for so long, hackers have had the ability over the years to find ways around it, typically
through forging tickets, repeated attempts at password guessing (brute force/credential stuffing),
and the use of malware to downgrade the encryption.
Despite this, Kerberos remains the best access security protocol available today. The protocol is
flexible enough to employ stronger encryption algorithms to combat new threats, and if users
employ good password-choice guidelines, you shouldn't have a problem!
What is Kerberos Used For?
● Although Kerberos can be found everywhere in the digital world, it is commonly used in
secure systems that rely on robust authentication and auditing capabilities. Kerberos is used
for Posix, Active Directory, NFS, and Samba authentication. It is also an alternative
authentication system to SSH, POP, and SMTP.

Authentication Systems

Authentication is a process in which a principal proves that he/she/it is the entity it claims
to be.

➢ The principal is referred to as the prover, while the party to whom proof of identity is
submitted for verification is called the verifier.

➢ Authentication may be based on what the principal knows (e.g., a password or a
passphrase) or has (an identity card or passport, for example).

➢ A principal is often a human, a computer, an application, or a robot.

➢ In the case of a human principal, authentication may use physical characteristics such as
voice, a fingerprint, a retinal scan, or even a DNA sample; this form of authentication is
referred to as biometric authentication.

➢ With password-based authentication, an individual is often expected to communicate
his/her password to a verifying entity. However, in many cases it may not be advisable for
the individual to reveal his/her password.

➢ Instead, he/she may be required to perform some "one-way" cryptographic operation
using his/her secret, which cannot be performed without knowledge of it.

➢ Finally, many authentication systems today use a combination of techniques. This is
referred to as multi-factor authentication.

Password and Address:

1. Password-based authentication

Passwords to systems are something like the keys to front doors. A front door is
likely to be the first thing attacked by an intruder. Making use of a login name and password is
an easy and cheap method of authentication, and is the most widely used. The passwords and
the corresponding usernames are stored in the server database. Whenever the user logs
into the system, the password entered by the user is forwarded to the server, where it is
verified against the database and the authentication is completed.
The storage of the password on the server and the transmission of the password from the client
to the server may create a security breach. The various types of attacks possible on passwords
are discussed below.

1.1 On-line vs. off-line guessing: Certain techniques crack the password directly, by
writing a cracking program or by creating a fake login screen. These attack the
password directly, either by trying permutations and combinations or with the support of a
dictionary. Passwords can also be attacked offline by using social engineering
techniques or casual discussions with the user. The following are some methods which
attack the password either offline or online.

i. Direct Approach: This method apparently seems very easy but is in fact very
ineffective, since nobody is going to disclose their password easily to anyone. Still, intruders
use this as the first method, try their luck, and then go for more difficult ones. The attack is
performed by trying various keywords which are
directly related to the user, such as name, relatives' names, organization, city, designation, etc.
Normally users select passwords which they can easily remember and
which are directly related to them. Intruders use this loophole to attack
the password directly.
ii. Dictionary-based attacks: Hackers may use ready-made dictionaries for checking the
passwords of systems, using special software. This method is somewhat difficult and time
consuming, and not very certain. The main problem with this method is that the dictionary
contains only meaningful combinations of characters, whereas the password can be
any combination of characters. The success rate of this method is very low.

iii. Brute force attacks: This involves trying many combinations of keys such as
letters, numbers, special characters, etc. for a specific number of characters and comparing or
applying them to guess passwords. Normally this method will eventually find the password,
because the password can only be some combination of the keys available on the
keyboard. By combining the same keys in various ways, passwords can be cracked. This is
a trial and error method with lots of permutations and combinations. Of course, this is the most
tedious and time-consuming method, but a surer way of getting passwords.

iv. Using a fake login: Sometimes, if the attacker is an insider, or is someone who can get
direct access, the attacker may keep a fake login program running on a terminal, which
looks legitimate to unsuspecting users. When someone logs in, he gets an invalid login message,
and the password is meanwhile collected somewhere it is available to the attacker.
Windows prevents this attack by requiring the Ctrl-Alt-Del keys before login. Another
way to protect against it is to always lock the terminal when leaving it.

v. Packet sniffing: As another attempt, attackers may intercept the packets flowing through
the network. Some protocols send passwords in clear text, which
may be grabbed by attackers sniffing the packets. Although this is also tedious, it may work
out sometimes. Packet sniffing is a form of wiretap applied to computer networks instead of
phone networks. It came into vogue with Ethernet, which is known as a "shared medium"
network.

1.2 Storing passwords:

i. The user's authentication information is individually configured into every server the user
will use.

ii. Another location, called the authentication storage node, stores user information, and servers
retrieve that information when they want to authenticate the user.

iii. Another location is called the authentication facilitator node. This location stores the user
information, and a server that wants to authenticate a user sends the information received
from the user to the AF node.
iv. Encrypted password: Normally, with any networking system, the password travels from the
node to the server in plain text format. In the same way, within the server
database the password is also stored in plain text format. It is then easy for any
hacker to crack the password. To avoid this kind of attack one should keep the password in
an encrypted format. Any encryption method can be used to encrypt the password.

Various methods to prevent password stealing:

1. One-time password: This is the basic method, which uses a different password with
every access. As passwords are easily cracked by systems, this method helps the
user to protect the password from hackers. The password changes every time: before
the hackers can use any method to crack the password, the user will have changed it.


2. Address-based authentication

i. KDCs (Key Distribution Center)

One way to make things manageable is to use a trusted node known as a Key Distribution
Center (KDC). The KDC knows keys for all nodes. If a new node is installed in the network,
only that new node and the KDC need to be configured with a key for that node. If node α
wants to talk to node β, α talks to the KDC (securely, since α and the KDC share a key) and
asks for a key with which to talk to β. The KDC authenticates α, chooses a random number
Rαβ to be used as a key shared by α and β for their conversation, encrypts Rαβ with
the key the KDC shares with α and gives that to α. The KDC also encrypts Rαβ with the key
the KDC shares with β and gives that to β, with the instruction that it is to be used for
conversing with α. (Usually, the KDC will not bother to actually transmit the encrypted Rαβ
to β but rather will give it to α to forward to β.) The encrypted message to β that the KDC
gives to α to forward is often referred to as a ticket. Besides containing Rαβ, the ticket
generally contains other information such as an expiration time and α's name. KDCs make
key distribution much more convenient: when a new user is being installed into the network,
or when a user's key is suspected of having been compromised, there is a single location (the
KDC) that needs to be configured.
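A simulation of the KDC exchange just described, and of the two-round Kerberos flow from the earlier Kerberos steps (AS issues a ticket-granting ticket, TGS issues the service ticket), as an added example that is not code from the notes. Encryption is modelled symbolically: a Sealed envelope opens only with the key it was sealed under, which is a Dolev-Yao style abstraction and not real cryptography, so the example concentrates on the protocol: what the ticket carries (Rαβ, α's name, an expiry) and what β must check before trusting it. The node names, the 'tgs' role name and the ticket lifetime are assumptions of this example.

```python
"""KDC ticket issuance and two-round Kerberos flow (added example, not the notes' code).
Sealed is a symbolic E_K(payload): it can be opened only with K (NOT real crypto)."""
import hmac
import os
import time

TICKET_LIFETIME = 300  # seconds; assumed value


class Sealed:
    def __init__(self, key: bytes, payload: dict):
        self._key, self._payload = key, payload

    def open(self, key: bytes) -> dict:
        if not hmac.compare_digest(key, self._key):
            raise PermissionError("wrong key")
        return self._payload


class KDC:
    """Trusted node sharing one long-term key with every registered node."""

    def __init__(self):
        self.keys = {"tgs": os.urandom(32)}  # 'tgs': the KDC's own ticket-granting role

    def register(self, name: str) -> bytes:
        """Installing a new node means configuring exactly one key, here."""
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def _issue(self, client: str, peer: str, now: float) -> dict:
        """Pick a fresh R_ab and seal a ticket for peer: R_ab, client's name, expiry."""
        r_ab = os.urandom(32)
        ticket = Sealed(self.keys[peer], {"key": r_ab, "client": client,
                                          "expires": now + TICKET_LIFETIME})
        return {"key": r_ab, "peer": peer, "ticket": ticket}

    def request_key(self, client: str, peer: str, now: float = None) -> Sealed:
        """Round 1 (Kerberos AS exchange): reply sealed under the client's long-term key."""
        now = time.time() if now is None else now
        if client not in self.keys or peer not in self.keys:
            raise KeyError("unknown principal")
        return Sealed(self.keys[client], self._issue(client, peer, now))

    def request_with_ticket(self, tgt: Sealed, client: str, peer: str,
                            now: float = None) -> Sealed:
        """Round 2 (Kerberos TGS exchange): the client presents a valid TGT instead of
        its long-term key; the reply is sealed under the TGT's session key."""
        now = time.time() if now is None else now
        t = tgt.open(self.keys["tgs"])  # PermissionError unless this really is a TGT
        if t["client"] != client or now > t["expires"] or peer not in self.keys:
            raise PermissionError("ticket not acceptable")
        return Sealed(t["key"], self._issue(client, peer, now))


class Node:
    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.key = kdc.register(name)

    def obtain_session(self, peer: str, now: float = None) -> tuple:
        """Ask the KDC for a key to talk to peer; returns (R_ab, ticket to forward)."""
        reply = self.kdc.request_key(self.name, peer, now).open(self.key)
        return reply["key"], reply["ticket"]

    def obtain_session_kerberos(self, peer: str, now: float = None) -> tuple:
        """Kerberos: first a TGT for 'tgs', then a service ticket for peer."""
        r_tgs, tgt = self.obtain_session("tgs", now)
        reply = self.kdc.request_with_ticket(tgt, self.name, peer, now).open(r_tgs)
        return reply["key"], reply["ticket"]

    def accept_ticket(self, ticket: Sealed, claimed_client: str, now: float = None):
        """Open a forwarded ticket; reject wrong key, wrong client name or expiry."""
        now = time.time() if now is None else now
        try:
            t = ticket.open(self.key)
        except PermissionError:
            return None
        if t["client"] != claimed_client or now > t["expires"]:
            return None
        return t["key"]


def authenticate(session_key: bytes, message: bytes) -> bytes:
    """Authenticator over a message under the shared R_ab (HMAC-SHA256)."""
    return hmac.new(session_key, message, "sha256").digest()


def verify(session_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(session_key, message), tag)
```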

ii. Certificate Revocation

The PKI method distributes certificates using third parties. These certificates provide an
additional security mechanism for the existing message exchange. For
certificate status to be determined, public key infrastructure (PKI) certificate revocation
information must be made available to individuals, computers, network devices, and
applications attempting to verify the validity of certificates. Traditionally, a PKI uses a
distributed method of verification so that clients do not have to contact the Certification
Authority (CA) directly to validate the credentials presented. Instead, clients connect to
alternate resources, such as Web servers or Lightweight Directory Access Protocol (LDAP)
directories, where the CA has published its revocation information. Without checking
certificates for revocation, the possibility exists that an application or user will accept
credentials that have been revoked by a CA administrator.

3.3 BIOMETRICS

Biometrics are another way to provide a security mechanism. This authenticates the
user by verifying either something which the user possesses or a physical feature which the
user has. What the user possesses may be a smart card or SID chip. What the
user has may be his fingerprints or facial features.

There is a variety of biometric devices available:

o Retinal scanner

o Fingerprint readers

o Face recognition

o Iris scanner

o Handprint readers

o Voiceprints

Authentication Systems
Authentication is a process in which a principal proves that he/she/it is the entity it claims to
be.

➢ The principal is referred to as the prover, while the party to whom the proof of identity is
submitted is called the verifier.

➢ Authentication may be based on what the principal knows (e.g., a password or a
passphrase) or has (an identity card or passport, for example).

➢ A principal is often a human, a computer, an application, or a robot.

➢ In the case of a human principal, authentication may use physical characteristics such as
voice, a fingerprint, a retinal scan, or even a DNA sample; this form of authentication is
referred to as biometric authentication.

➢ With password-based authentication, an individual is often expected to communicate
his/her password to a verifying entity. However, in many cases it may not be advisable for the
individual to reveal his/her password.

➢ Instead, he/she may be required to perform some "one-way" cryptographic operation using
his/her secret, which cannot be performed without knowledge of it.

➢ Finally, many authentication systems today use a combination of techniques. This is
referred to as multi-factor authentication.

Password and Address

1. Password based authentication

Passwords to a system are something like the keys to the front door, and a front door is
likely to be the first thing an intruder attacks. Using a login name and password is an easy
and cheap method of authentication, and is the most widely used. The passwords and the
corresponding usernames are stored in the server database. Whenever the user logs into the
system, the password entered by the user is forwarded to the server, verified against the
database, and the authentication is completed. Storing the password on the server and
transmitting it from the client to the server may create a security breach. The various
types of attack possible against passwords are discussed below.

1.1 On-line vs. off-line guessing: Some techniques crack the password directly, either with a
purpose-built program or with a fake login screen; these attack the password by trying
permutations and combinations of characters or with the help of a dictionary. Passwords can
also be attacked off-line, using social engineering techniques or casual discussions with the
user. The following are some methods which attack the password either off-line or on-line.

i. Direct approach: This method apparently seems very easy, yet it is very ineffective, since
nobody is going to disclose a password easily to anyone. Still, intruders use this as the
first method to try their luck, and then go for more difficult ones. The intruder tries
various keywords which are directly related to the user, such as name, relatives' names,
organization, city, designation, etc. Users normally select passwords which they can easily
remember and which are directly related to them; intruders use this loophole to attack the
password directly.
ii. Dictionary based attacks: Hackers may use ready-made dictionaries, with special software,
to check the passwords of systems. This method is somewhat difficult and time consuming, and
not very reliable. The main problem with this method is that the dictionary contains only
meaningful combinations of characters, whereas the password can be any combination of
characters. The success rate of this method is therefore very low.
iii. Brute force attacks: This involves trying the combinations of keys (letters, numbers,
special characters, etc.) for a specific number of characters and applying them to guess the
password. Since the password can only be some combination of the keys available on the
keyboard, trying those keys in every combination will eventually find it. This is a
trial-and-error process with a very large number of permutations and combinations; it is the
most tedious and time-consuming method, but also the surest way of getting passwords.
iv. Using a fake login: Sometimes, if the attacker is an insider or someone who can get direct
access, the attacker may leave a fake login program running on a terminal which looks
legitimate to unsuspecting users. When someone logs in, he gets an "invalid login" message,
while the password is meanwhile collected somewhere the attacker can read it. Windows
protects against this attack by requiring the Ctrl-Alt-Del keys before login. Another
protection is to always lock the terminal when leaving it.
v. Packet sniffing: Attackers may also intercept the packets flowing through the network.
Some protocols transmit passwords in clear text, and these can be grabbed by attackers
sniffing the packets. Although this is also tedious, it sometimes works. Packet sniffing is a
form of wiretap applied to computer networks instead of phone networks. It came into vogue
with Ethernet, which is known as a "shared medium" network.

1.2 Storing passwords:

i. The user's authentication information is individually configured into every server the
user will use.
ii. Another approach uses an authentication storage node, which stores the user information;
servers retrieve that information when they want to authenticate the user.
iii. A third approach uses an authentication facilitator node. This node stores the user
information, and a server that wants to authenticate a user sends the information received
from the user to the AF node.
iv. Encrypted password: Normally, in a networked system, the password travels from the node
to the server in plain text, and within the server database the password is also stored in
plain text. It is then easy for any hacker to obtain the password. To avoid this kind of
attack, the password should be kept in an encrypted format; any encryption method can be used
to encrypt the password.

Various methods to prevent password stealing:

1. One time password: This is the basic method, which uses a different password for every
access. Since passwords can be cracked by automated systems, this method helps the user
protect the password from hackers: the password changes every time, so before a hacker can
use any method to crack the password, the user has already changed it.

2. Encrypted password: As in 1.2 (iv) above, the password should be kept in an encrypted
format, both in transit from the node to the server and in the server database, rather than
in plain text; any encryption method can be used to encrypt the password.
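The notes say the stored password should be kept "in an encrypted format". As an added example (not from the notes), the construction a practitioner actually uses for the stored copy is a salted, deliberately slow one-way transform, here PBKDF2-HMAC-SHA256 from Python's standard library, combined with a per-user lockout against on-line guessing; the `AuthStorageNode` class, the iteration count and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor: every off-line guess costs this much (assumed value)
MAX_FAILED_ATTEMPTS = 5      # on-line guessing: lock the account after this many (assumed value)


def make_record(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Server-side record: a random per-user salt and a slow one-way transform of
    the password. The password itself is never stored, so a stolen database does
    not hand out reusable credentials, and two users with the same password get
    different records because of the salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the transform for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


class AuthStorageNode:
    """Minimal authentication storage node (hypothetical) with a per-user lockout counter."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self._records: dict = {}
        self._failures: dict = {}

    def enrol(self, username: str, password: str) -> None:
        self._records[username] = make_record(password, iterations=self.iterations)
        self._failures[username] = 0

    def login(self, username: str, attempt: str) -> str:
        """Return "ok", "denied" or "locked"; unknown users are simply denied."""
        record = self._records.get(username)
        if record is None:
            return "denied"
        if self._failures[username] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # further on-line guesses are not even checked
        if verify_password(record, attempt):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "denied"
```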

Security Handshake Pitfalls


A bad idea
 Alice sends name and password in clear (across network) to Bob
 Bob verifies name and password and communication proceeds

Better idea using shared secret

Implications
 Authentication is not mutual
 How to encrypt subsequent conversation?
 If key derived from a password, offline password guessing is possible
 Bob knows KAlice-Bob so if Bob's database is compromised, attacker can impersonate Alice

Implications
 Requires reversible cryptography (hash will not work)
 If R is known and key derived from password, dictionary attack is possible by simply
claiming to be Alice
 If R has a limited lifetime, Alice can authenticate Bob (mutual authentication)

Implications
 Easy to modify "bad idea" to this form, since no additional messages
 More efficient
 Bob does not need to maintain state
 Eavesdropper can impersonate Alice (within acceptable clock skew); might also be
possible to impersonate Alice to another server
 If Bob sets his clock back, intercepted authentication messages can be replayed
 Setting time (and agreeing on time) is a security issue

Implications
 Same as above, but using a hash
 Why transmit timestamp in the clear?

Better idea using public key crypto

(Notation: [R]Alice means sign with private key and {R}Alice means encrypt with public key.)

Implications
 Compromise of Bob's database will not allow attacker to impersonate Alice
 Attacker may be able to trick Alice into signing anything

Implications
 Compromise of Bob's database will not allow attacker to impersonate Alice
 Attacker may be able to trick Alice into decrypting anything

Mutual authentication

o Reflection attack

Implications
 Authenticated exchange in each direction
 Inefficient?

Implications
 More efficient
 Easy to get chosen plaintext
 Subject to a reflection attack

Attack
 Trudy opens 1st session to Bob
 Trudy opens 2nd session to Bob in order to get information needed to complete 1st
session

Solution?
 Alice and Bob should not do exactly the same thing
 Have Bob encrypt with KAlice-Bob and Alice encrypt with KAlice-Bob+1, or
 Initiator sends odd R, responder sends even R, etc.

o Password guessing (chosen plaintext)

Implications
 One "extra" message and Alice cannot obtain chosen plaintext

o Public keys

Implications
 How to obtain public keys?
 How can workstation obtain private key from password? (Easy with symmetric key
crypto, not so easy with public key crypto.)
 Identity-based encryption is an active research area

Timestamps

Implications
 Only 2 messages
 Alice and Bob must encrypt different things
 Everyone must agree on the time
 Time is now security-critical
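A runnable version of the "Solution?" bullets for the reflection attack (the responder's identity bound into each answer, odd R for the initiator and even R for the responder), added here as an example rather than taken from the slides; it uses a keyed hash in place of the encryption shown in the slides, and the `Party` class, the `proof` function and the constructed key are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; a real deployment uses a random key.
K_ALICE_BOB = b"constructed shared key for Alice and Bob"


def proof(key: bytes, responder: str, challenge: int) -> bytes:
    """f(K, who-is-answering, R): a keyed hash instead of reversible encryption.
    Binding the responder's name means Bob's answer to R is useless as Alice's."""
    return hmac.new(key, responder.encode() + b"|" + challenge.to_bytes(8, "big"),
                    hashlib.sha256).digest()


class Party:
    """One side of the mutual challenge/response handshake over a shared key."""

    def __init__(self, name: str, key: bytes, initiator: bool) -> None:
        self.name, self.key, self.initiator = name, key, initiator
        self.challenge = None  # the R this party issued in the current session

    def new_challenge(self) -> int:
        # Rule from the slides: initiator sends odd R, responder sends even R.
        r = secrets.randbits(63) << 1  # random even 64-bit value
        self.challenge = r | 1 if self.initiator else r
        return self.challenge

    def answer(self, peer_challenge: int) -> bytes:
        """Answer only challenges whose parity the peer is entitled to send, so a
        reflected challenge (one of our own kind) is refused instead of answered."""
        peer_is_initiator = not self.initiator
        if (peer_challenge & 1) != int(peer_is_initiator):
            raise ValueError(f"{self.name}: refusing a challenge of my own parity")
        return proof(self.key, self.name, peer_challenge)

    def check(self, peer_name: str, peer_proof: bytes) -> bool:
        """Verify the peer's proof against the challenge this party issued."""
        if self.challenge is None:
            return False
        return hmac.compare_digest(proof(self.key, peer_name, self.challenge), peer_proof)


def mutual_handshake(alice: Party, bob: Party) -> bool:
    """The three-message exchange; True iff each side authenticates the other."""
    r_a = alice.new_challenge()  # 1. Alice -> Bob: "I'm Alice", R_A
    r_b = bob.new_challenge()    # 2. Bob -> Alice: R_B, f(K, "Bob", R_A)
    alice_ok = alice.check(bob.name, bob.answer(r_a))
    try:
        proof_a = alice.answer(r_b)  # 3. Alice -> Bob: f(K, "Alice", R_B)
    except ValueError:
        return False
    return alice_ok and bob.check(alice.name, proof_a)


def reflection_is_refused(bob: Party, reflected_challenge: int) -> bool:
    """Trudy's second session: she sends Bob the R_B he issued to her, hoping he
    will answer it for her. Returns True when Bob refuses to answer."""
    try:
        bob.answer(reflected_challenge)
        return False
    except ValueError:
        return True
```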
Kerberos

A user could use the same password for all servers, but distributing and maintaining a
password file across multiple servers poses a security risk.

➢ A password-based system should ensure the following:

1. The password should not be transmitted in the clear.

2. It should not be possible to launch dictionary attacks.

3. The password itself should not be stored on the authentication server; rather, it should be
cryptographically transformed before being stored.

4. It should not be possible to launch dictionary attacks by obtaining a file containing
cryptographically transformed versions of the password.

5. A user enters her password only ONCE during login. Thereafter, she should not have to re-
enter her password to access other servers for the duration of the session. This feature is
called single sign-on.

6. The password should reside on a machine for only a few milliseconds after being entered
by the user.

The Kerberos protocol elegantly addresses many of these issues.

➢ Developed at MIT, Kerberos has been through many revisions.

➢ The latest is Kerberos Version 5.

➢ The KDC used in the Needham-Schroeder protocol is logically split into two entities here:
the Authentication Server (AS) and the Ticket Granting Server (TGS).

➢ The sequence of messages exchanged between the client (C), the Kerberos servers (AS and
TGS) and the requested server (S) is shown in Fig. 3.14.

➢ There are three steps, each involving two messages.

Step 1: Receipt of Ticket-Granting Ticket

Message 1: C → AS

➢ In Message 1, the client informs the AS that it wishes to communicate with the TGS.

➢ The "Times" field specifies the start time and expected duration of the login session.

➢ "C" is the ID of the user/client who has logged in.

➢ R1 is a nonce generated by C.

Message 2: AS → C

➢ The response from the AS (Message 2) contains a session key, K_C,TGS, to be used for
communication between C and the TGS.

➢ This key is encrypted with the long-term key K_C known to C and the AS.

➢ K_C is a function of the user's password.

➢ The AS also encrypts the nonce that it received in Message 1.

➢ The nonce is used to prevent replay attacks.

➢ The AS also includes a TGT (Ticket_TGS) in connection with C's request.

Step 2: Receipt of Service-Granting Ticket

Message 3: C → TGS

➢ In Message 3, C forwards the TGT (Ticket_TGS) and Authenticator_C to the TGS.

➢ Using Ticket_TGS, the TGS extracts the session key K_C,TGS, known only to C and the TGS.

➢ As shown above, Authenticator_C encrypts the current time (timestamp) and ID using
K_C,TGS.

Message 4: TGS → C

➢ The TGS generates a fresh session key, K_C,S, to be shared between C and S.

➢ This key is encrypted using the session key K_C,TGS, so only C can decrypt it.

➢ The fresh nonce, R2, from C is also encrypted by the TGS using K_C,TGS.

➢ This convinces C that the received message is from the TGS.

➢ Finally, the fresh session key K_C,S is enclosed in a service-granting ticket to be
forwarded by C to S.

➢ The service-granting ticket is encrypted with the long-term secret shared between the TGS
and S.

Step 3: Client-Server Authentication

Message 5: C → S

➢ C forwards to S the ticket containing the session key K_C,S.

➢ C also creates and sends to S an authenticator by encrypting a timestamp with the session
key K_C,S.

Message 6: S → C

➢ S retrieves K_C,S from the service-granting ticket.

➢ S verifies the authenticator from C.

➢ S then increments the timestamp and encrypts it with the fresh session key.

➢ The encrypted timestamp serves to authenticate S to C.
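The six messages above, run end to end as an added example that is not part of the notes or of any Kerberos implementation: `seal`/`unseal` are a toy stand-in for the symmetric cipher (a SHAKE keystream plus an HMAC tag, checked before decryption), the JSON field names, the `KDC` class and the `server_exchange` role are assumptions, and timestamps are plain integers supplied by the caller.

```python
import hashlib
import hmac
import json
import os


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos' block cipher:
    SHAKE keystream XOR plaintext, then an HMAC tag over nonce||ciphertext."""
    nonce = os.urandom(12)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    keystream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first (wrong key or tampering raises ValueError), then decrypt."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    keystream = hashlib.shake_256(key + nonce).digest(len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, keystream)))


def password_key(password: str) -> bytes:
    return hashlib.sha256(b"kerberos-example:" + password.encode()).digest()  # K_C (toy derivation)


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) of the realm (hypothetical)."""
    def __init__(self, user_keys: dict, service_keys: dict, k_tgs: bytes) -> None:
        self.user_keys, self.service_keys, self.k_tgs = user_keys, service_keys, k_tgs

    def as_exchange(self, msg1: dict) -> dict:  # Message 1 -> Message 2
        k_c_tgs = os.urandom(32).hex()  # fresh session key for C and the TGS
        tgt = seal(self.k_tgs, {"C": msg1["C"], "K": k_c_tgs, "times": msg1["times"]})
        enc = seal(self.user_keys[msg1["C"]], {"K": k_c_tgs, "R1": msg1["R1"], "times": msg1["times"]})
        return {"enc": enc, "TGT": tgt}

    def tgs_exchange(self, msg3: dict) -> dict:  # Message 3 -> Message 4
        tgt = unseal(self.k_tgs, msg3["TGT"])  # only the TGS can open the TGT
        auth = unseal(bytes.fromhex(tgt["K"]), msg3["auth"])
        if auth["C"] != tgt["C"]:
            raise ValueError("authenticator does not match the ticket")
        k_c_s = os.urandom(32).hex()  # fresh session key for C and S
        ticket = seal(self.service_keys[msg3["S"]], {"C": tgt["C"], "K": k_c_s})
        enc = seal(bytes.fromhex(tgt["K"]), {"K": k_c_s, "R2": msg3["R2"], "S": msg3["S"]})
        return {"enc": enc, "ticket": ticket}


def server_exchange(k_s: bytes, msg5: dict) -> bytes:  # Message 5 -> Message 6
    ticket = unseal(k_s, msg5["ticket"])
    k_c_s = bytes.fromhex(ticket["K"])
    auth = unseal(k_c_s, msg5["auth"])
    if auth["C"] != ticket["C"]:
        raise ValueError("authenticator does not match the ticket")
    return seal(k_c_s, {"ts": auth["ts"] + 1})  # ts + 1 proves S holds K_C,S


def client_login(kdc: KDC, server, user: str, password: str, service: str, now: int) -> bool:
    """Messages 1-6 from C's side; `server` plays S (Message 5 in, Message 6 out)."""
    try:
        k_c = password_key(password)  # the password is needed only for this line
        r1, r2 = os.urandom(8).hex(), os.urandom(8).hex()
        m2 = kdc.as_exchange({"C": user, "times": now, "R1": r1})
        body = unseal(k_c, m2["enc"])
        if body["R1"] != r1:
            return False  # stale or replayed AS reply
        k_c_tgs = bytes.fromhex(body["K"])
        auth_tgs = seal(k_c_tgs, {"C": user, "ts": now})
        m4 = kdc.tgs_exchange({"S": service, "R2": r2, "TGT": m2["TGT"], "auth": auth_tgs})
        body = unseal(k_c_tgs, m4["enc"])
        if body["R2"] != r2 or body["S"] != service:
            return False
        k_c_s = bytes.fromhex(body["K"])
        m6 = server({"ticket": m4["ticket"], "auth": seal(k_c_s, {"C": user, "ts": now})})
        return unseal(k_c_s, m6)["ts"] == now + 1
    except (ValueError, KeyError):  # wrong password, unknown principal or tampering
        return False
```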
PKI Trust Models

To implement a trust model that can cover all or some of these principles, one of the best
ways is a Public Key Infrastructure (PKI), and there are four types of trust model used with
PKI.

A. Hierarchical Trust Model: The hierarchical or tree model is the most common model for
implementing PKI. A root CA at the top provides all the information; the intermediate CAs are
next in the hierarchy, and they trust only the information provided by the root. The root CA
in turn trusts the intermediate CAs at their level in the hierarchy. This arrangement allows a
high level of control at all levels of the hierarchical tree, which is why it is the most
common implementation in a large organization that wants to extend its certificate-processing
capabilities. Hierarchical models allow tight control over certificate-based activities.

B. Bridge Trust Model: In the bridge trust model there are many peer-to-peer relationships
between root CAs, so that the root CAs can communicate with each other and issue
cross-certificates. This model allows a certification process to be established between
organizations (or departments). In this model each intermediate CA trusts only the CAs above
and below it, but the CA structure can be expanded without creating additional layers of CAs.
Additional flexibility and interoperability between organizations are the primary advantages
of a bridge model.

C. Hybrid Trust Model: Sometimes you need to link two or more organizations or departments in
some parts and keep other segments separate: you need trust between some parts of two
organizations, but you do not want that trust to extend to other segments of your
organization. In such cases the hybrid trust model can be the best choice. You can be
extremely flexible when you build a hybrid trust structure, and the flexibility of this model
also allows you to create hybrid environments.

D. Mesh Trust Model: When you want to implement a hierarchical trust model with
cross-certification checking, or a web of root CAs, the mesh trust model is your best choice.
In other words, the mesh model combines the concepts of the bridge structure with multiple
paths and multiple root CAs. Certificates from each root CA are authorized in all of the root,
intermediate and leaf CAs and for all end users connected to each CA chain.

Message Authentication Codes

Message Authentication Codes are codes which serve two important functions: authentication
and falsification (tampering) detection.

Where do we need these codes?

Suppose user A sends the message 'abc' to user B. A encrypts the message using a shared-key
cryptosystem. A sends the key to B; the key exchange is based on a different protocol, such
as a public-key cryptosystem. B uses the key to decrypt the ciphertext and obtains the
message.

Suppose a malicious user X has falsified the ciphertext during transmission. In that case B
has no way to realize that it has been falsified: when B decrypts the message, it will get
the wrong message, and unaware of this, B will take the wrong information to be the right
one. Whatever B later encrypts or decrypts, those operations are being applied to the wrong
data.

Here we need to detect the falsification of the message B has received. A creates a key (used
to create the Message Authentication Code) and sends this key to B. A then computes a value
from the ciphertext and the key: Ciphertext + Key = Message Authentication Code. B
recomputes the code and uses it to check whether the ciphertext has been falsified; B can now
clearly tell whether the ciphertext is genuine or not.

Apart from intruders, the transfer of a message between two people also faces other external
problems like noise, which may alter the original message constructed by the sender. To
ensure that the message is not altered, we use a MAC.

MAC stands for Message Authentication Code. With a MAC, sender and receiver share the same
key. The sender generates a fixed-size output called a cryptographic checksum or Message
Authentication Code and appends it to the original message. On the receiver's side, the
receiver also generates the code and compares it with what he/she received, thus ensuring the
integrity of the message.

These are the components:
 Message
 Key
 MAC algorithm
 MAC value

There are different models of Message Authentication Code (MAC), as follows:

1. MAC without encryption – This model provides authentication but not confidentiality, as
anyone can see the message.

2. Internal Error Code – In this model the sender computes the MAC over the message and then
encrypts the content before sending it through the network, for confidentiality. Thus this
model provides confidentiality as well as authentication.
M' = MAC(M, k)

3. External Error Code – When the message has been altered, the previous model decrypts it
for nothing; to overcome that problem we opt for the external error code. Here we first apply
the MAC to the encrypted message 'c' and, on the receiver's side, compare it with the received
MAC value; only if both are the same do we decrypt 'c', otherwise we simply discard the
content received. Thus it saves time.
c = E(M, k')
M' = MAC(c, k)

Problems in MAC –
With reverse engineering we may reach the plain text or even the key, since we have mapped
input to output; to overcome this we move on to hash functions, which are "one way".
Note – the symbol "E" denotes symmetric key encryption.
MAC based on Hash Functions (HMAC)

HMAC is the Hashed or Hash-based Message Authentication Code: a MAC derived from a
cryptographic hash function. HMAC offers great resistance to cryptanalytic attacks because it
applies the hashing concept twice. HMAC thus combines the benefits of hashing and of a MAC,
and is more secure than any other authentication code. HMAC was issued as RFC 2104, and HMAC
has been made compulsory to implement for message authentication in IP security; the NIST
standard FIPS 198 has also issued HMAC.

HMAC Algorithm
HMAC starts by taking a message M consisting of blocks of length b bits. An input signature is
padded to the left of the message and the whole is given as input to a hash function, which
gives a temporary message digest MD' of the original message. MD' is then appended to an
output signature, and the whole is hashed again; the result is the final message digest MD.

Here, H stands for the hash function,

M is the original message,

Si and So are the input and output signatures respectively,

Yi is the i-th block of the original message M, where i ranges over [1, L),

L is the number of blocks in M,

K is the secret key used for hashing, and IV is an initial vector (some constant).

Si and So are the generated input signature and output signature respectively.
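The Si/So construction just described, built by hand as an added example (not the notes' own code) and cross-checked against Python's `hmac` module; the `hash_name` parameter and the function names are assumptions, and the constants 0x36 and 0x5C are the ipad and opad bytes of RFC 2104.

```python
import hashlib
import hmac  # used only to cross-check the hand-built construction


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as in RFC 2104: H((K+ xor opad) || H((K+ xor ipad) || M))."""
    b = hashlib.new(hash_name).block_size  # block length in bytes (64 for SHA-256)
    # Step 1: K+ is the key brought to exactly b bytes: hashed if longer, zero-padded if shorter.
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")
    # Step 2: the input and output signatures S_i and S_o.
    s_i = bytes(k ^ 0x36 for k in k_plus)  # ipad = 0x36 repeated b times
    s_o = bytes(k ^ 0x5C for k in k_plus)  # opad = 0x5C repeated b times
    # Step 3: the inner hash gives MD'; the outer hash over S_o || MD' gives MD.
    md_inner = hashlib.new(hash_name, s_i + message).digest()
    return hashlib.new(hash_name, s_o + md_inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the code and compare in constant time."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_library(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module for the same key, message and hash."""
    return hmac_from_scratch(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```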

MAC based on Block Ciphers

Data Authentication Algorithm (DAA)

One of the most widely used MACs is referred to as the Data Authentication Algorithm. The
algorithm is designed using the Cipher Block Chaining mode of operation of DES, as shown in
the figure. The data (e.g., message, record, file, or program) to be authenticated are grouped
into fixed-size 64-bit blocks: D1, D2, ..., DN. If necessary, the final block is padded on the
right with zeroes to make a 64-bit block. Using the DES encryption algorithm and a secret
key, a data authentication code (DAC) is calculated as shown in the figure.
The DAC consists of either the entire block ON or the leftmost M bits of the block, with
16 ≤ M ≤ 64.

Cipher based message authentication code (CMAC)

The Data Authentication Algorithm (DAA) is now obsolete; CMAC was designed to overcome the
deficiencies of DAA. The Cipher-based Message Authentication Code (CMAC) is a mode of
operation for use with AES and triple DES. First, let us define the operation of CMAC when the
message is an integer multiple n of the cipher block length b. For AES, b = 128, and for
triple DES, b = 64. The message is divided into n blocks (M1, M2, ..., Mn). For AES, the key
size is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. CMAC is
calculated as follows:
C1 = E(K, M1)
C2 = E(K, [M2 ⊕ C1])
C3 = E(K, [M3 ⊕ C2])
...
Cn = E(K, [Mn ⊕ Cn-1 ⊕ K1])
T = MSB_Tlen(Cn)
