Unit 7

Prof. Chintan Patel Information Security CE Department. Unit - 7 MEFGI , RAJKOT

Description: Digital signature, key distribution center, authentication services, Kerberos, X.509

Transcript of Unit 7

Page 1: Unit 7

Prof. Chintan Patel Information Security

CE Department. Unit - 7

MEFGI , RAJKOT

Page 2: Unit 7

• Digital Signature

• Authentication Protocols

• Digital Signature standards

• Application Authentication Technique.

Kerberos

X.509 Directory

• Authentication Services

• Active Directory services

Page 3: Unit 7

• We have looked at message authentication, but it does not address issues of lack of trust

• digital signatures provide the ability to: verify author, date & time of signature

authenticate message contents

be verified by third parties to resolve disputes

• hence digital signatures include authentication function with additional capabilities

Page 4: Unit 7

Alice can deny sending a message M to Bob, since Bob can also produce MACs for different messages.

Bob can produce a MAC for another message M’ and can claim that it came from Alice.

Page 5: Unit 7

Fig 13.2 Simplified Depiction of Essential Elements of Digital Signature Process

Page 6: Unit 7

• Goldwasser, Micali and Rivest also defined what counts as success in breaking a signature scheme:

Total break:

Attacker finds the signer’s private key

Universal forgery:

Attacker finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages.

Selective forgery:

Attacker forges a signature for a particular message chosen by him.

Existential forgery:

Attacker can forge a signature for at least one message. However, he does not have control over the message (so cannot do much harm to the signer).

Page 7: Unit 7

• must depend on the message signed

• must use information unique to sender to prevent both forgery and denial

• must be relatively easy to produce

• must be relatively easy to recognize & verify

• be computationally infeasible to forge

with new message for existing digital signature

with fraudulent digital signature for given message

• be practical to save the digital signature in storage

Page 8: Unit 7

• Direct Digital signature :

Involves only source and Destination

Assumes that Destination knows the public key of sender

Generated by

Encrypting entire message using sender’s private key.

Encrypting Generated Hash code using Sender’s private key.

Weakness : The sender can later deny sending a particular message by claiming that the private key was lost or stolen and that someone else forged the signature.
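The MAC dispute between Alice and Bob described earlier, next to the "encrypt the hash code with the sender's private key" signature from this slide, as an added example that is not part of the original slides. The key, the messages and the RSA parameters are constructed for illustration (two Mersenne primes, no padding), and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample key that Alice and Bob both hold (the MAC setting).
K = b"key-shared-by-alice-and-bob"

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

# Toy RSA key pair for Alice. The primes are two Mersenne primes so the block
# is reproducible; the modulus has a special form and there is no padding, so
# this is for illustration only (real systems use RSA-PSS, DSA or ECDSA).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # PUa = (N, E), known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))        # PRa, known only to Alice

def H(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg: bytes) -> int:
    """E(PRa, H(M)): only the holder of D can compute this."""
    return pow(H(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Anyone holding PUa checks that the signature opens to H(M)."""
    return pow(sig, E, N) == H(msg)

M = b"Pay Bob 10"                        # what Alice really sent
M_FORGED = b"Pay Bob 10000"              # what Bob later claims she sent

def mac_dispute() -> tuple:
    """With a MAC, a judge who is given K accepts both messages."""
    tag_from_alice = mac(K, M)
    tag_from_bob = mac(K, M_FORGED)      # Bob holds K, so he can compute this
    return (hmac.compare_digest(mac(K, M), tag_from_alice),
            hmac.compare_digest(mac(K, M_FORGED), tag_from_bob))

def signature_dispute() -> tuple:
    """With a signature, the judge needs only PUa and rejects Bob's message."""
    sig = sign(M)                        # Alice sends M || sig
    return verify(M, sig), verify(M_FORGED, sig)

if __name__ == "__main__":
    print("MAC:       genuine, forged accepted =", mac_dispute())
    print("Signature: genuine, forged accepted =", signature_dispute())
```

The weakness stated on this slide still applies: the signature proves only that the holder of PRa signed, so a sender who claims the private key was stolen can still dispute authorship.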

Page 9: Unit 7

• Message transmission in Arbitrated Digital Signature :

Every signed message from sender X to receiver Y goes first to an arbiter A.

A validates the signed message.

A then dates the message and sends it to Y with an indication that it has been verified to the satisfaction of the arbiter.

Solves the source-repudiation problem of the direct digital signature.

• Need : All parties must have a great deal of trust that the arbitration mechanism is working properly.

Page 10: Unit 7
Page 11: Unit 7

• Mutual Authentication Protocol

The two communicating parties satisfy themselves about each other’s identity and use an authenticated key exchange protocol.

• Problems in authenticated key exchange :

(1) Confidentiality (2) Timeliness

• Confidentiality : Information must be communicated in encrypted format, which requires the prior existence of a secret or public key.

• Timeliness : Important because of threat of message replays.

Page 12: Unit 7

• Simple Replay : The opponent copies a message and replays it later.

• Repetition that can be logged : The opponent can replay a timestamped message within the valid time window.

• Repetition that cannot be detected : The original message does not arrive at the destination; only the replay arrives.

• Backward replay without modification : A replay back to the message sender. Possible when symmetric-key encryption is used.

Page 13: Unit 7

• Can we use sequence numbers to cope with replay attacks?

Yes, but they are generally not used.

• Two general approaches

(1) Time stamp

Requires synchronized clocks.

Cannot work with connection-oriented protocols.

Requires a fault-tolerant clock synchronization protocol.

Temporary loss of synchronization leads to a successful attack.

(2) Challenge and Response

A sends a challenge or nonce to B. B responds to the nonce.

Unsuitable for connectionless protocols.

The handshaking overhead increases.
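The two approaches above, as an added example that is not part of the original slides: a receiver that checks timestamps with and without a cache of seen nonces, and a single-use challenge-response check. The shared key, the 30-second window, the sample message and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"   # sample secret shared by A and B
WINDOW = 30                     # assumed acceptance window in seconds

def tag(*fields) -> str:
    data = "|".join(str(f) for f in fields).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def make_msg(body: str, ts: int, nonce: str) -> dict:
    return {"body": body, "ts": ts, "nonce": nonce, "tag": tag(body, ts, nonce)}

class Receiver:
    """Approach 1: timestamps, optionally backed by a cache of seen nonces."""
    def __init__(self, remember_nonces: bool):
        self.remember_nonces = remember_nonces
        self.seen = {}                      # nonce -> timestamp it carried

    def accept(self, msg: dict, now: int) -> str:
        expected = tag(msg["body"], msg["ts"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject: bad MAC"
        if abs(now - msg["ts"]) > WINDOW:
            return "reject: outside time window"
        if self.remember_nonces:
            # Older entries can be dropped: the timestamp check covers them.
            self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}
            if msg["nonce"] in self.seen:
                return "reject: replay"
            self.seen[msg["nonce"]] = msg["ts"]
        return "accept"

class Challenger:
    """Approach 2: B issues a fresh nonce and accepts one answer to it."""
    def __init__(self):
        self.pending = None

    def challenge(self) -> str:
        self.pending = secrets.token_hex(16)
        return self.pending

    def check(self, response: str) -> bool:
        expected, self.pending = self.pending, None     # single use
        return expected is not None and hmac.compare_digest(tag(expected), response)

def demo() -> dict:
    msg = make_msg("transfer 10", ts=1000, nonce="n-001")   # constructed message
    ts_only, cached = Receiver(False), Receiver(True)
    out = {
        "ts_only_first": ts_only.accept(msg, now=1005),
        "ts_only_replay_in_window": ts_only.accept(msg, now=1020),
        "cached_first": cached.accept(msg, now=1005),
        "cached_replay_in_window": cached.accept(msg, now=1020),
        "cached_replay_after_window": cached.accept(msg, now=1100),
    }
    b = Challenger()
    old_response = tag(b.challenge())       # A answers the first challenge
    out["fresh_response"] = b.check(old_response)
    b.challenge()                           # a later run gets a new nonce
    out["replayed_response"] = b.check(old_response)
    return out
```

The timestamp-only receiver accepts the copy replayed inside the window, which is the "repetition that can be logged" case from the previous slide.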

Page 14: Unit 7

• Key distribution technique : Technique of delivering a key to two parties who wish to exchange data.

• Why do we need it?

Frequent key exchange is needed to limit the amount of data loss.

Chapter 7, William Stallings, 4th edition

Page 15: Unit 7

• 1) A can select a key and physically deliver it to B.

• 2) A third party can select the key and physically deliver it to A and B.

Options 1 and 2 are difficult in a distributed wide area network.

• 3) If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.

One success by an attacker will reveal all further keys.

• 4) If A and B each have an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.

The KDC is responsible for distributing keys to pairs of users based on need.

Page 16: Unit 7

• Uses Two levels of Key

• 1) Session key : Communication between end systems is encrypted using a temporary key, often referred to as a session key.

Used for a particular period of time or logical connection.

• 2) Master key : Session keys are transmitted in encrypted form using master keys, which are shared by the KDC and an end user.

Page 17: Unit 7
Page 18: Unit 7

• A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection.

• A has a master key, Ka, known only to itself and the KDC; the same holds for B with Kb.

• (1) A sends a request to the KDC for a session key. The message includes the identities of A and B and a unique identifier N1 for this transaction. N1 can be any random number but must differ in each request.

• (2) The KDC responds with a message encrypted using Ka. The message includes:

The one-time session key Ks.

The original message with N1, to enable A to match the response with its request.

A message encrypted using Kb, which contains Ks and the identifier of A.

• (3) A stores Ks for use in the upcoming session and forwards to B the part encrypted with Kb, that is, Ks and the ID of A.

From the ID of A, B knows that the other party is A, and that this information originated from the KDC, because only the KDC knows Kb besides B itself.

• (4) B sends N2 encrypted with Ks.

• (5) A responds with f(N2) encrypted with Ks.

TO STOP REPLAY
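The five steps above with both sides' messages, as an added example that is not part of the original slides. `E`/`D` are a toy keystream-plus-HMAC stand-in for the encryption the slides call E(K, ...), `f(N2) = N2 + 1` is an assumption (the slides only say f(N2)), and every name in the block is hypothetical.

```python
import hashlib, hmac, json, secrets

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key: bytes, obj) -> str:
    """Toy stand-in for the slides' E(K, ...): SHA-256 keystream plus HMAC tag."""
    pt, iv = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return (iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()).hex()

def D(key: bytes, blob: str):
    raw = bytes.fromhex(blob)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

def f(n: int) -> int:        # assumed transformation; the slides only say f(N2)
    return n + 1

KA, KB = secrets.token_bytes(32), secrets.token_bytes(32)   # master keys Ka, Kb
MASTER = {"A": KA, "B": KB}                                  # table held by the KDC

def kdc(req: dict) -> str:
    """Step 2: E(Ka, [Ks || request incl. N1 || E(Kb, [Ks || IDa])])."""
    ks = secrets.token_hex(32)
    for_b = E(MASTER[req["idb"]], {"ks": ks, "ida": req["ida"]})
    return E(MASTER[req["ida"]], {"ks": ks, "req": req, "for_b": for_b})

def a_open_reply(req: dict, reply: str):
    body = D(KA, reply)
    if body["req"] != req:                   # N1 ties the reply to this request
        return None
    return bytes.fromhex(body["ks"]), body["for_b"]

class B:
    def receive_step3(self, for_b: str) -> str:
        t = D(KB, for_b)                     # only the KDC and B know Kb
        self.ks, self.peer = bytes.fromhex(t["ks"]), t["ida"]
        self.n2 = secrets.randbits(64)       # fresh challenge each time
        return E(self.ks, {"n2": self.n2})   # step 4

    def receive_step5(self, msg5: str) -> bool:
        return D(self.ks, msg5)["fn2"] == f(self.n2)

def run() -> dict:
    req = {"ida": "A", "idb": "B", "n1": secrets.randbits(64)}      # step 1
    reply = kdc(req)                                                 # step 2
    ks, for_b = a_open_reply(req, reply)
    b = B()
    msg4 = b.receive_step3(for_b)                                    # steps 3, 4
    msg5 = E(ks, {"fn2": f(D(ks, msg4)["n2"])})                      # step 5
    first = b.receive_step5(msg5)
    b.receive_step3(for_b)                   # step 3 replayed in a later run
    replayed = b.receive_step5(msg5)         # old step 5 fails: B chose a new N2
    other = a_open_reply({**req, "n1": req["n1"] ^ 1}, reply)
    return {"peer": b.peer, "handshake": first, "replayed_step5": replayed,
            "reply_accepted_for_other_n1": other is not None}

if __name__ == "__main__":
    print(run())
```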

Page 19: Unit 7

• A local KDC will communicate with a global KDC if the network is very large.

• The lifetime of a session key depends on the protocol used, either connection-oriented or connectionless.

Page 20: Unit 7

• (1) A issues a request to B for session key and includes N1.

• (2) B responds with a message encrypted using the shared master key, which includes the session key selected by B, the identifier of B, f(N1) and N2.

• (3) Using new session key , A returns f(N2) to B

Page 21: Unit 7

• GATE Que. :

• (1) How many session keys and master keys are needed in centralized key distribution if there are N entities?

Answer : N master keys and [N(N-1)]/2 session keys at any one time.

• (2) How many master keys are used in decentralized key distribution?

• Answer : N-1 master keys at any one time.

Page 22: Unit 7

• Example of One way Application : E-Mail

• It is not necessary for the sender and receiver to be online at the same time.

• SMTP need not have access to the plaintext.

• Authentication : The recipient wants some assurance that the message is from the alleged sender.

• (1) Symmetric Approach

• (2) Public key encryption Approach

Page 23: Unit 7

• This scheme requires the sender to issue a request to the intended recipient and await a response that includes the session key.

• No need to worry about replay

1. A → KDC : IDa || IDb || N1

2. KDC → A : E(Ka, [Ks || IDb || N1 || E(Kb, [Ks || IDa])])

3. A → B : E(Kb, [Ks || IDa]) || E(Ks, M)

Because of the potential delay in the e-mail process, time stamps are not that useful.

Page 24: Unit 7

• The sender should know the recipient’s public key : confidentiality

• The receiver should know the sender’s public key : authentication

• If confidentiality is important :

A → B : E(PUb, Ks) || E(Ks, M)

• If authentication is important :

A → B : M || E(PRa, H(M))

• Message confidentiality plus signature

A → B : E(PUb, [M || E(PRa, H(M))])

Page 25: Unit 7

• DSS makes use of SHA to present a new digital signature technique called the Digital Signature Algorithm.

• Proposed in 1991, revised in 1993 and again in 1996.

• DSS uses an algorithm that is designed to provide only the digital signature function, unlike RSA, which is used for encryption as well as key exchange.

Page 26: Unit 7

• Two approaches to Digital signature

Page 27: Unit 7
Page 28: Unit 7
Page 29: Unit 7
Page 30: Unit 7
Page 31: Unit 7
Page 32: Unit 7

Authentication Applications:

Kerberos, X.509 and Certificates

Page 33: Unit 7

Outline

Introduction to KERBEROS

How Kerberos works?

Comparison between version 4 and 5

Certificates

X.509 Directory Authentication Service

Conclusion

Page 34: Unit 7

Introduction to Kerberos

An authentication service developed for Project Athena at MIT

Provides

– strong security on physically insecure network

– a centralized authentication server which authenticates

Users to servers

Servers to users

Relies on conventional encryption rather than public-key encryption

Page 35: Unit 7

Why Kerberos is needed ?

Problem: Workstations cannot be trusted to identify their users correctly in an open distributed environment

3 Threats:

– Pretending to be another user from the workstation

– Sending requests from an impersonated workstation

– Replay attack to gain service or disrupt operations

Page 36: Unit 7

Why Kerberos is needed ? Cont.

Solution:

– Building elaborate authentication protocols at each server

– A centralized authentication server (Kerberos)

Page 37: Unit 7

Requirements for KERBEROS

Secure: – An opponent does not find it to be the weak link

Reliable: – The system should be able to back up another

Transparent: – A user should not be aware of authentication

Scalable: – The system supports a large number of clients and servers

Page 38: Unit 7

Versions of KERBEROS

Two versions are in common use

– Version 4 is most widely used version

– Version 4 uses DES

– Version 5 corrects some of the security deficiencies of Version 4

– Version 5 has been issued as a draft Internet Standard (RFC 1510)

Page 39: Unit 7

Kerberos Version 4: Dialog 1- Simple

Ticket = Ekv[IDc, ADc, IDv]

kv = secret key between AS and V (server)

Pc = password of client

Page 40: Unit 7

More secure Authentication Dialogue

Target :

– Minimize the number of times the user needs to enter the password. For a single logon session, the workstation can store the mail server ticket after it is received and use it on behalf of the user for multiple accesses to the mail server.

– The user would need a new ticket for every different service.

– “TICKET GRANTING SERVER”

“In plain text transmission of message[1] , an opponent can capture the password and use any service accessible to victim”

Page 41: Unit 7

Ticket Granting Server(TGS)

Issues tickets to users who have been authorized to the AS.

The user first requests a ticket-granting ticket (Tickettgs) from the AS. The client saves the ticket.

For every new service from the same server, the client presents that ticket. The TGS then gives a ticket for the particular service.

The client saves the ticket for each particular service for later use.

Page 42: Unit 7

Kerberos Version 4 : Dialog 2-More Secure

4- TicketV

Once per user logon session

Once per type of service

ticketTGS = EKtgs[IDc, ADc, IDtgs, TS1, LifeTime1]

Page 43: Unit 7

Kerberos Version 4 : Dialog 2- More Secure Cont.

5- TicketV+ IDc

Once per service session

TicketV=EKv[IDc,ADc,IDv,Ts2,Lifetime2]

Page 44: Unit 7

Kerberos: The Version 4 Authentication Dialog

1- IDc + IDtgs + TS1

2- EKc[Kc.tgs, IDtgs, TS2, Lifetime2, TicketTGS]

Once per user logon session

ticketTGS = EKtgs[Kc.tgs, IDc, ADc, IDtgs, TS2, LifeTime2]

Page 45: Unit 7

Kerberos: The Version 4 Authentication Dialog Cont.

3- TicketTGS + AuthenticatorC + IDv

4- EKc.tgs[Kc.v, IDv, TS4, TicketV]

Once per type of service

ticketTGS = EKtgs[Kc.tgs, IDc, ADc, IDtgs, TS2, LifeTime2]

AuthenticatorC = EKc.tgs[IDc, ADc, TS3]

ticketV = EKv[Kc.v, IDc, ADc, IDv, TS4, LifeTime4]

Page 46: Unit 7

Kerberos: The Version 4 Authentication Dialog Cont.

5- TicketV+ AuthenticatorC

Once per service session

TicketV = EKv[Kc.v, IDc, ADc, IDv, TS4, Lifetime4]

AuthenticatorC=EKc.v [IDc,ADc,TS5]

6- EKc.v[TS5+1]

Page 47: Unit 7

Tickets:

Contains information which must be considered private to the user

Allows user to use a service or to access TGS

Reusable for a period of particular time

Used for distribution of keys securely

Page 48: Unit 7

Authenticators

Proves the client’s identity

Proves that user knows the session key

Prevents replay attack

Used only once and has a very short life time

One authenticator is typically built per session of use of a service

Page 49: Unit 7

Kerberos Realms

A single administrative domain includes:

– a Kerberos server

– a number of clients, all registered with server

– application servers, sharing keys with server

What will happen when users in one realm need access to a service in another realm?

– Kerberos provides inter-realm authentication

Page 50: Unit 7

Inter-realm Authentication:

The Kerberos server in each realm shares a secret key with other realms.

It requires

– The Kerberos server in one realm should trust the one in the other realm to authenticate its users

– The second also trusts the Kerberos server in the first realm

Problem: N*(N-1)/2 secure key exchanges

Page 51: Unit 7

Request for Service in another realm:

4- Ticket for remote TGS

5- Request ticket for remote server

6- Ticket for remote server

7- Request for remote service

Page 52: Unit 7

KERBEROS Version 5 versus Version 4

Environmental shortcomings of Version 4:

– Encryption system dependence: DES

– Internet protocol dependence (IP Protocol)

– Ticket lifetime (Maximum = 21 hours)

– Authentication forwarding

– No fixed byte ordering

– Inter-realm authentication (more Kerberos-to-Kerberos relationships)

Page 53: Unit 7

KERBEROS Version 5 versus Version 4

Technical deficiencies of Version 4:

– Double encryption

– Session Keys

– Password attack (Trial and Error)

– Version 5 provides a pre-authentication mechanism to give the password some protection.

Page 54: Unit 7

New Elements in Kerberos Version 5

Realm – Indicates realm of the user

Options

Times

– From: the desired start time for the ticket

– Till: the requested expiration time

– Rtime: requested renew-till time

Nonce – A random value to assure the response is fresh

Page 55: Unit 7
Page 56: Unit 7

Kerberos Version 5 Message Exchange:1

To obtain ticket-granting ticket:

(1) C → AS : Options || IDc || Realmc || IDtgs || Times || Nonce1

(2) AS → C : Realmc || IDc || Ticket tgs || EKc [ Kc,tgs || IDtgs || Times || Nonce1 || Realm tgs ]

Ticket tgs = EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times ]

Page 57: Unit 7

Kerberos Version 5 Message Exchange:2

To obtain service-granting ticket :

(3) C → TGS : Options || IDv || Times || Nonce2 || Ticket tgs || Authenticator c

(4) TGS → C : Realmc || IDc || Ticket v || EK c,tgs [ Kc,v || Times || Nonce2 || IDv || Realm v ]

Ticket tgs = EKtgs [ Flags || Kc,tgs || Realm c || IDc || ADc || Times ]

Ticket v = EK v [ Kc,v || Realmc || IDc || ADc || Times ]

Authenticator c = EK c,tgs [ IDc || Realmc || TS1 ]

Page 58: Unit 7

Kerberos Version 5 Message Exchange:3

To obtain service

(5) C → S : Options || Ticket v || Authenticator c

(6) S → C : EK c,v [ TS2 || Subkey || Seq# ]

Ticket v = EK v [ Flags || Kc,v || Realmc || IDc || ADc || Times ]

Authenticator c = EK c,v [ IDc || Realmc || TS2 || Subkey || Seq# ]

Page 59: Unit 7

Kerberos : Strengths

User's passwords are never sent across the network, encrypted or in plain text

Secret keys are only passed across the network in encrypted form

Client and server systems mutually authenticate

It limits the duration of their users' authentication.

Authentications are reusable and durable

Kerberos has been examined carefully for accuracy by many of the top programmers, cryptologists and security experts in the industry

Page 60: Unit 7

Directory : A server or distributed set of servers that maintains a database of information about users.

A mapping from username to network address

X.509 is based on the use of public-key cryptography and digital signatures.

The heart of the X.509 scheme is the public-key certificate associated with each user.

Certificates are created by a CA (certification authority) and placed in the directory.

Page 61: Unit 7

Certificate:

Electronic counterparts to driver licenses, passports

Verifies authenticity of the public key

Prevents impersonation

Enables individuals and organizations to secure business and personal transactions

Page 62: Unit 7

What a certificate includes:

Version :

– Version 1 : Default

– Version 2 : If unique identifier is present

– Version 3: more than one extension.

Unique Serial Number

Signature Algorithm Identifier

Issuer name: X.500 name of CA that created and signed.

Period of validity:

– First and last date on which the certificate is valid

Subject name :Name of user to whom this certificate refers

Subject’s public key information : Public key + algorithm + parameter

Issuer Unique identifier

Subject unique identifier

Extension : extra fields

Signature : Hash code encrypted with private key of CA.

Page 63: Unit 7

Certificate Authorities:

Trusted entity which issues and manages certificates for a population of public-private key-pair holders.

A digital certificate is issued by a CA and is signed with the CA’s private key.

Page 64: Unit 7
Page 65: Unit 7
Page 66: Unit 7
Page 67: Unit 7
Page 68: Unit 7

Who are the Certificate Authorities?

VeriSign

GTE CyberTrust

Entrust

IBM

CertCo

USPS / Cylink

Page 69: Unit 7

Certificate Issuance Process:

Generate public/private key pair

Sends public key to CA

Proves identity to CA - verify

CA signs and issues certificate

CA e-mails certificate or Requestor retrieves certificate from secure websites

Requestor uses certificate to demonstrate legitimacy of their public key

Page 70: Unit 7

Types of Digital Certificates

E-Mail Certificates

Browser Certificates

Server (SSL) Certificates

Software Signing Certificates

Page 71: Unit 7

Potential security holes:

Was the user really identified?

Security of the private key

Can the Certificate Authority be trusted?

Names are not unique

Page 72: Unit 7

X.509 Directory Authentication Service

CCITT recommendation defining a directory service

Defines a framework for the authentication services

The X.500 directory serving as a repository of public-key certificates

Defines alternative authentication protocols

Page 73: Unit 7

X.509 Certificate format

Version

Serial number

Signature algorithm identifier: Algorithm, Parameters

Issuer

Period of validity: Not before, Not after

Subject

Subject’s public key: Algorithm, Parameter, Key

Page 74: Unit 7

Authentication Procedures:

Three alternative authentication procedures:

– One-Way Authentication

– Two-Way Authentication

– Three-Way Authentication

All use public-key signatures

Page 75: Unit 7

One-Way Authentication:

1 message ( A->B) used to establish

– the identity of A and that message is from A

– message was intended for B

– integrity & originality of message

A B

1- A {ta,ra,B,sgnData,KUb[Kab]}

ta = timestamp, ra = nonce, B = identity

sgnData = signed with A’s private key

Page 76: Unit 7

Two-Way Authentication

2 messages (A->B, B->A) which also establishes in addition:

– the identity of B and that reply is from B

– that reply is intended for A

– integrity & originality of reply

A B

1-A {ta,ra,B,sgnData,KUb[Kab]}

2-B {tb,rb,A,sgnData,KUa[Kab]}

Page 77: Unit 7

Three-Way Authentication

3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks

A B

1- A {ta,ra,B,sgnData,KUb[Kab]}

2 -B {tb,rb,A,sgnData,KUa[Kab]}

3- A{rb}

Page 78: Unit 7

One way : Ex., One-Way SSL Authentication, S/MIME or PGP Message Authentication.

Two way : Two-Way SSL Authentication, SET Protocol.

Three way : Way SSL Authentication and Key-Session Generation and Agreement

Page 79: Unit 7

Conclusion

Kerberos is an authentication service using conventional encryption

A certificate is the proof of identity

X.509 defines alternative authentication protocols

Page 80: Unit 7

THANKS AND Have a Nice Day!!!