
UNIT-3

HASHING

 Hashing is the process of scrambling raw information to the extent that it cannot be reproduced in
its original form.
 It takes a piece of information and passes it through a function that performs mathematical
operations on the plaintext.
 This function is called the hash function, and the output is called the hash value or digest.

 As seen from the figure above, the hash function is responsible for converting the plaintext to its
respective hash digest.
 Hash functions are designed to be irreversible, which means the digest should not reveal the original
plaintext by any means.
 A hash function also produces the same output whenever the input is unchanged, irrespective of the
number of times it is applied.

The primary applications of hashing include:

 Password Hashes: Most website servers convert user passwords into a hash value before storing them
on the server. At login, the hash value is recalculated and compared to the one stored in the
database for validation.
 Signature Generation and Verification: Verifying signatures is a mathematical process used to verify
the authenticity of digital documents or messages. A valid digital signature, where the prerequisites
are satisfied, gives its receiver strong proof that the message was created by a known sender and that
the message was not altered in transit.
 Verifying File and Message Integrity: Hashes can be used to make sure messages and files transmitted
from sender to receiver are not tampered with during transit.
 Integrity Verification: When a file is uploaded to a website, its hash is published alongside it. A
user who downloads the file can recalculate the hash and compare it to the published value to establish
data integrity.

A cryptographic hash function is a hash function that takes input of arbitrary size and yields a fixed-size output.

 It is easy to compute, but it is challenging to retrieve the original data from the output.
 It is difficult to produce the same hash from two distinct inputs, and it is a one-way function, so
reversing it is not possible.
 Cryptographic hash functions add security properties to ordinary hash functions, making it more difficult to
learn the contents of a message, or information about its sender and recipient, from the hash.
 The output of hashing is also known by other names such as digest, message digest, or checksum.

Properties of a Cryptographic Hash Function

The ideal cryptographic hash function has the following main properties:

Deterministic: This means that the same message always results in the same hash.

Quick: It is quick to compute the hash value for any given message.

Avalanche Effect: This means that every minor change in the message results in a major change in the hash
value.

One-Way Function: You cannot reverse the cryptographic hash function to get to the data.

Collision Resistance: It is infeasible to find two different messages that produce the same hash value.

Pre-Image Resistance: Given a hash value, it should be infeasible to find any input that produces it.

Second Pre-Image Resistance: Given an input, it should be difficult to find another input that has the same
hash value.

Cryptographic hash functions exhibit these three properties:

 They are “collision-free.” This means that no two distinct inputs should map to the same output hash.
 They are “hiding.” It should be difficult to guess the input value for a hash function from its output.
 They are “puzzle-friendly.” It should be difficult to select an input that produces a pre-defined
output; thus, the input should be selected from a distribution that is as wide as possible.

Applications of Cryptographic Hash Functions

The most versatile cryptographic algorithm is the cryptographic hash function. It is used in a wide variety of
security applications and Internet protocols.

Message Authentication

 Message authentication is a mechanism or service used to verify the integrity of a message.
 Message authentication assures that data received are exactly as sent (i.e., contain no modification,
insertion, deletion or replay).
 In many cases, there is a requirement that the authentication mechanism assures that the purported
identity of the sender is valid.
 When a hash function is used to provide message authentication, the hash function value is often
referred to as a message digest.

The figure illustrates a variety of ways in which a hash code can be used to provide message authentication, as
follows:
 (a) The message plus concatenated hash code is encrypted using symmetric encryption. Because only A
and B share the secret key, the message must have come from A and has not been altered.
 The hash code provides the structure or redundancy required to achieve authentication.
 Because encryption is applied to the entire message plus hash code, confidentiality is also provided.

 (b) Only the hash code is encrypted using symmetric encryption. This reduces the processing burden for
those applications that do not require confidentiality.
 (c) The technique assumes that the two communicating parties share a common secret value S.
 A computes the hash value over the concatenation of M and S and appends the resulting hash value to M.
 Because B possesses S, it can recompute the hash value to verify it; the secret value itself is never sent.
 An opponent who does not know S cannot modify an intercepted message and cannot generate a false message.

 (d) Confidentiality can be added to the approach of method (c) by encrypting the entire message plus the
hash code.
 When confidentiality is not required, method (b) has an advantage over methods (a) and (d), which
encrypt the entire message, in that less computation is required.
More commonly, message authentication is achieved using a message authentication code (MAC), also
known as a keyed hash function.

 Typically, MACs are used between two parties that share a secret key to authenticate information
exchanged between those parties.
 A MAC function takes as input a secret key and a data block and produces a hash value,
referred to as the MAC.
 This can then be transmitted with or stored with the protected message.
 If the integrity of the message needs to be checked, the MAC function can be applied to
the message and the result compared with the stored MAC value.
 An attacker who alters the message will be unable to alter the MAC value without knowledge of the
secret key.
 Note that the verifying party also knows who the sending party is, because no one else knows the
secret key.

Digital Signatures

 Another important application, which is similar to the message authentication application, is the digital
signature.
 The operation of the digital signature is similar to that of the MAC.
 In the case of the digital signature, the hash value of a message is encrypted with a user’s private key.
 Anyone who knows the user’s public key can verify the integrity of the message that is associated with
the digital signature.
 In this case, an attacker who wishes to alter the message would need to know the user’s private key.

Hashing Algorithm — SHA-512

So, SHA-512 does its work in a few stages. These stages go as follows:

 Input formatting
 Hash buffer initialization
 Message Processing
 Output

Let’s look at these one-by-one.

Input Formatting:

 SHA-512 cannot actually hash a message input of any size, i.e. it has an input size limit. This limit is
imposed by its very structure.
 The entire formatted message has three parts: the original message, the padding bits, and the size of
the original message.
 Together these must have a combined size that is a whole multiple of 1024 bits.
 This is because the formatted message is processed as blocks of 1024 bits each, so each block
must have a full 1024 bits to work with.

Padding bits

 The input message is taken and some padding bits are appended to it in order to get it to the desired
length.
 The bits that are used for padding are simply ‘0’ bits with a leading ‘1’ (100000…000).
 Also, according to the algorithm, padding needs to be done, even if it is by one bit. So a single padding
bit would only be a ‘1’.
 After padding, the total size should be 128 bits short of a multiple of 1024, since the goal is for the
formatted message size to be a multiple of 1024 bits (N x 1024) once the 128-bit size field is appended.

Padding size

 After this, the size of the original message given to the algorithm is appended.
 This size value needs to be represented in 128 bits and is the only reason that the SHA-512 has a
limitation for its input message.
 The size of the original message needs to be represented in 128 bits, and the largest number that
can be represented using 128 bits is (2¹²⁸-1).
 The message size can therefore be at most (2¹²⁸-1) bits; also taking into account the necessary single
padding bit, the maximum size for the original message would then be (2¹²⁸-2) bits.
 Even though this limit exists, it doesn’t cause a problem in practice, since the limit is so high (2¹²⁸-2
= 340,282,366,920,938,463,463,374,607,431,768,211,454 bits).

 Now that the padding bits and the size of the message have been appended, we are left with the
completely formatted input for the SHA-512 algorithm.

Hash buffer initialization:

 The algorithm works in a way where it processes each block of 1024 bits from the message using the
result from the previous block.
 This poses a problem for the first 1024-bit block, which can’t use the result from any previous
processing.
 The problem is solved by using a default value in place of the previous result for the first block, in
order to start off the process.
 Since each intermediate result needs to be used in processing the next block, it needs to be stored
somewhere for later use.
 This is done by the hash buffer; the buffer also ends up holding the final hash digest of the entire
processing phase of SHA-512, as the last of these ‘intermediate’ results.
 So, the default values used for starting off the chain processing of each 1024-bit block are also stored
in the hash buffer at the start of processing.
 The actual value used is of little consequence, but for those interested, the values used are obtained
by taking the first 64 bits of the fractional parts of the square roots of the first 8 prime numbers
(2, 3, 5, 7, 11, 13, 17, 19). These values are called the Initial Vectors (IV).
 Why 8 prime numbers? Because the hash buffer consists of 8 subparts (registers) for storing them, one
per value.

Message Processing:

 Message processing is done upon the formatted input by taking one block of 1024 bits at a time.
 The actual processing takes place by using two things: The 1024 bit block, and the result from the
previous processing.
 This part of the SHA-512 algorithm consists of several ‘Rounds’ and an addition operation.

 So, the Message block (1024 bit) is expanded out into ‘Words’ using a ‘message sequencer’. Eighty
Words to be precise, each of them having a size of 64 bits.

Rounds

 The main part of the message processing phase may be considered to be the Rounds. Each round takes
3 things: one Word, the output of the previous Round, and a SHA-512 constant.
 The first Round doesn’t have a previous Round whose output it can use, so it uses the final output
from the previous message processing phase for the previous block of 1024 bits.
 For the first Round of the first block (1024 bits) of the formatted input, the Initial Vector (IV) is used.
 SHA-512 constants are predetermined values, one of which is used in each Round of the message
processing phase.
 Again, these aren’t very important, but for those interested, they are the first 64 bits from the
fractional part of the cube roots of the first 80 prime numbers. Why 80? Because there are 80 Rounds
and each of them needs one of these constants.
 Once the Round function takes these 3 things, it processes them and gives an output of 512 bits.
 This is repeated for 80 Rounds. After the 80th Round, its output is simply added to the result of the
previous message processing phase to get the final result for this iteration of message processing.

Output:

 After every block of 1024 bits has gone through the message processing phase, i.e. after the last
iteration of the phase, we get the final 512-bit hash value of our original message.
 So, the intermediate results are all used from each block for processing the next block.
 When the final 1024 bit block has finished being processed, we have with us the final result of the SHA-
512 algorithm for our original message.
 Thus, we obtain the final hash value from our original message.
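The four stages above written out end to end as an added example (this is not code from the notes): padding to a multiple of 1024 bits with the 128-bit length field, the IV and round constants computed from the square and cube roots of the first primes exactly as described, the 80-word schedule and 80 rounds per block, and the final addition. The result is checked against Python's hashlib.sha512.

```python
"""SHA-512 from the stages in the notes: padding, IV, schedule, 80 rounds, output.
Added example, not code from the notes; verified against hashlib.sha512."""
import hashlib
from math import isqrt

MASK64 = (1 << 64) - 1


def _icbrt(n: int) -> int:
    """Integer cube root floor(n ** (1/3)) by binary search (exact for big ints)."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def _primes(count: int) -> list:
    """First `count` primes by trial division (80 are needed for the round constants)."""
    found = []
    n = 2
    while len(found) < count:
        if all(n % p for p in found if p * p <= n):
            found.append(n)
        n += 1
    return found


# Initial Vector: first 64 fractional bits of sqrt(p) for the first 8 primes.
# floor(sqrt(p) * 2**64) == isqrt(p << 128); its low 64 bits are the fractional part.
IV = [isqrt(p << 128) & MASK64 for p in _primes(8)]
# Round constants: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [_icbrt(p << 192) & MASK64 for p in _primes(80)]


def _rotr(x: int, n: int) -> int:
    """Rotate a 64-bit word right by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def pad(message: bytes) -> bytes:
    """Input formatting: message || 1 || 0...0 || 128-bit big-endian length, a multiple of 1024 bits."""
    bit_len = len(message) * 8
    padded = message + b"\x80"                       # the mandatory leading '1' bit (plus seven '0's)
    padded += b"\x00" * ((112 - len(padded)) % 128)  # '0' bits up to 128 bits short of a block boundary
    return padded + bit_len.to_bytes(16, "big")      # original message size in 128 bits


def _compress(state: list, block: bytes) -> list:
    """Message processing for one 1024-bit block: expand to 80 words, 80 rounds, then add."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):  # message sequencer: words 16..79 derived from the first 16
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state  # the 8 registers of the hash buffer
    for t in range(80):  # each Round consumes one word, one constant and the previous Round's output
        S1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + S1 + ch + K[t] + w[t]) & MASK64
        S0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    # Output of the 80th Round is added to the result of the previous block (or the IV).
    return [(x + y) & MASK64 for x, y in zip(state, [a, b, c, d, e, f, g, h])]


def sha512(message: bytes) -> bytes:
    """Output stage: chain every 1024-bit block, then serialise the 8 registers as 512 bits."""
    state = IV
    data = pad(message)
    for i in range(0, len(data), 128):
        state = _compress(state, data[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in state)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha512(message) == hashlib.sha512(message).digest()
```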

Authentication Requirements

In the context of communications across a network, the following attacks can be identified:

1. Disclosure: Release of message contents to any person or process not possessing the appropriate
cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the
frequency and duration of connections could be determined. In either a connection-oriented or
connectionless environment, the number and length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation
of messages by an opponent that are purported to come from an authorized entity. Also included are
fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, or
modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including insertion,
deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session
or sequence of messages could be a replay of some previous valid session, or individual messages in the
sequence could be delayed or replayed.
7. Repudiation: Denial of receipt of message by destination or denial of transmission of message by source.

Message Authentication Functions

Message authentication is a procedure to verify that received messages come from the alleged source and have not
been altered. Message authentication may also verify sequencing and timeliness.

A digital signature is an authentication technique that also includes measures to counter repudiation by either source or
destination.

 Any message authentication or digital signature mechanism can be viewed as having fundamentally two levels.
 At the lower level, there must be some sort of function that produces an authenticator: a value to be used to
authenticate a message.
 This lower level function is then used as primitive in a higher-level authentication protocol that enables a
receiver to verify the authenticity of a message.

The functions that may be used to produce an authenticator may be grouped into three classes, as follows:

1. Message Encryption: The ciphertext of the entire message serves as its authenticator.

2. Message Authentication Code (MAC): A public function of the message and a secret key that produces a fixed-length
value that serves as the authenticator.

3. Hash Functions: A public function that maps a message of any length into a fixed-length hash value, which serves as
the authenticator.

Message Authentication

 Message authentication allows one party—the sender—to send a message to another party—the receiver—in
such a way that if the message is modified en route, then the receiver will almost certainly detect this.
 Message authentication is also called data-origin authentication.
 Message authentication is said to protect the integrity of a message, ensuring that each message that is
received and deemed acceptable is arriving in the same condition that it was sent out—with no bits inserted,
missing, or modified.
 Message authentication provides two services: a way to ensure message integrity and a way to verify who
sent the message.
 To request authentication, the sending application must set the authentication level of the message so
that it will be authenticated. Authenticating for message integrity ensures that no one has tampered with the
message or changed its content.
 There are two methods for producing the message authentication code:
 Data Encryption Standard (DES)
 Cyclic Redundancy Check (CRC)

Message Authentication Code (MAC)

 A message authentication code (MAC) is a cryptographic checksum on data that uses a session key to detect
both accidental and intentional modifications of the data.
 It is a security code that is typed in by the user of a computer to access accounts or portals.
 This code is attached to the message or request sent by the user.
 Message authentication codes (MACs) attached to the message must be recognized by the receiving system in
order to grant the user access.
 MACs are commonly used in electronic funds transfers (EFTs) to maintain information integrity.
 The message authentication code technique involves the use of a secret key to generate a small block of data
that is appended to the message.
 This technique assumes that two communicating parties, say A and B, share a common secret key K_AB.
 When A has a message to send to B, it calculates the message authentication code as a function of the
message and the key: MAC_M = F(K_AB, M).
 The message plus code are transmitted to the intended recipient.
 The recipient performs the same calculation on the received message, using the same secret key, to
generate a new message authentication code.
 The received code is compared to the calculated code. If we assume that only the receiver and the
sender know the identity of the key, and if the received code matches the calculated code, then
 The receiver is assured that the message has not been altered.
 The receiver is assured that the message is from the alleged sender.
 Because no one else knows the secret key, no one else could prepare a message with a proper code.
 If the message includes a sequence number, then the receiver can be assured of the proper sequence, because
an attacker cannot successfully alter the sequence number.
 A number of algorithms could be used to generate the code. The National Bureau of Standards, in its publication
DES Modes of Operation, recommends the use of the Data Encryption Algorithm (DEA).

Hash Functions

 A hash function takes a group of characters (called a key) and maps it to a value of a certain length (called a
hash value or hash).
 The hash value is representative of the original string of characters, but is normally smaller than the original.
Hashing is used in encryption and also done for indexing and locating items in databases.
 A hash function maps keys to small integers (buckets).
 An ideal hash function maps the keys to the integers in a random-like manner, so that bucket values are evenly
distributed even if there are regularities in the input data. This process can be divided into two steps as
 Map the key to an integer.
 Map the integer to a bucket.
 Simple hash functions map a single integer key k to a small integer bucket value h(k), where m is the size of the
hash table (number of buckets).
 A few simple hash functions are:
 Division method (Cormen): choose m to be a prime that isn’t close to a power of 2; h(k) = k mod m. This works
badly for many types of patterns in the input data.
 Knuth variant on division: h(k) = k(k+3) mod m. Supposedly works much better than the raw division
method.
 Hash functions chop up the input data and make a mess of it, so that the original data would be difficult or
impossible to deduce from the mangled remains.
 The hash value provides a way of checking whether the message has been manipulated or corrupted in transit or
storage. It is a sort of “digital fingerprint”.
 Moreover, the message digest can be encrypted using either conventional or public-key cryptography to
produce a digital signature, which helps the recipient be confident that the received message is not a
forgery.
 The hash function H must satisfy the following conditions:
 It should be one-way: for a given hash value v = H(x), it should be infeasible for an opponent to find a
message x such that x = H^-1(v).
 It should at least be weakly collision resistant: given a hash value v = H(x) and the message x from which
it was computed, it should be computationally infeasible for an opponent to find another message y
different from x such that v = H(y).
 It might be strongly collision resistant: it is computationally infeasible for an opponent to find a pair of
distinct messages x and y such that H(x) = H(y).

HMAC (Hash-Based Message Authentication Codes)

 Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a
hash function and a secret key.
 With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as
opposed to approaches that use signatures and asymmetric cryptography.

How HMAC Works

 Two parties want to communicate, but they want to ensure that the contents of their connection remain
private.
 They also distrust the internet, and they need a way to verify that the packets they receive haven’t been
tampered with. HMAC is a valid solution.
 HMAC relies on a secret key which is known to both the server and the client.
 The client generates a keyed hash for every request.
 There are three types of authentication functions: message encryption, message authentication code, and
hash functions.
 The significant difference between a MAC (HMAC here) and a plain hash is the dependence on a key.
 In HMAC, we have to apply the hash function along with a key to the plain text.
 The hash function is applied to the primary text message.
 But before applying it, we have to compute S bits, prepend them to the plain text, and then apply the hash
function. For generating those S bits, we use a shared key between the sender and receiver.

HMAC keys consist of two parts. These are:

 Cryptographic keys. An encryption algorithm alters data, and a recipient needs a specific code (or key) to make it
readable once more. HMAC relies on a shared set of secret keys.
 Hash function. A hash algorithm alters or digests the message once more. HMAC uses generic cryptographic
hash functions, such as SHA-1, MD5, or RIPEMD-128/160.

A pair using this system must agree on:

 Secret keys. They must have a way to decode messages they get. A secret key handles this task, and it's meant
to stay secret and hidden.
 Algorithm. They must pick one hash function that all of their messages will move through.

HMAC Algorithm

The HMAC algorithm starts by taking the message M, made up of L blocks. The input signature Si is prepended to the
message and the whole input is fed through the embedded hash function. The output signature So is then prepended
to that result and the hash function is applied again over the complete input. The result of this second hash is the
HMAC value.

Here is the diagram for the HMAC algorithm.

Here H = hash function.


M = original message.
Si = Input signature.
So= output signature.
Yi = ith block of the message M whose length range from 1 to L.
L= number of blocks in message M.
K= secret key used for the encryption process.
IV = initial vector.
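The two nested hash applications above, as an added example (not code from the notes): HMAC built from its definition with the inner pad producing Si and the outer pad producing So, checked against Python's hmac module. SHA-256 is assumed as the embedded hash H and the key and messages are constructed for the demonstration.

```python
"""HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)) built from the definition.
Added example, not code from the notes; checked against Python's hmac module."""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 512-bit (64-byte) blocks; the pads are one block long
IPAD = 0x36      # inner pad byte: K xor ipad gives the input signature Si
OPAD = 0x5C      # outer pad byte: K xor opad gives the output signature So


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the HMAC tag for message under the shared key."""
    if len(key) > BLOCK_SIZE:              # keys longer than a block are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")   # shorter keys are zero-padded to the block size
    s_i = bytes(k ^ IPAD for k in key)     # Si: the S bits prepended to the plain text
    s_o = bytes(k ^ OPAD for k in key)     # So: prepended to the inner hash result
    inner = hashlib.sha256(s_i + message).digest()  # first application of H
    return hashlib.sha256(s_o + inner).digest()     # second application of H over So || inner


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


# Constructed sample data: a shared key, a message, and a copy with one byte altered.
KEY = b"constructed-demo-key"
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"
TAG = hmac_sha256(KEY, MESSAGE)
```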

MACS BASED ON BLOCK CIPHERS: DAA AND CMAC

Data Authentication Algorithm

 The Data Authentication Algorithm (DAA), based on DES, has been one of the most widely used
MACs for a number of years.
 The algorithm is both a FIPS publication (FIPS PUB 113) and an ANSI standard (X9.17). However, as
we discuss subsequently, security weaknesses in this algorithm have been discovered, and it is being
replaced by newer and stronger algorithms.
 The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES
(Figure 6.4) with an initialization vector of zero.
 The data (e.g., message, record, file, or program) to be authenticated are grouped into contiguous
64-bit blocks: D1, D2, ..., DN. If necessary, the final block is padded on the right with zeroes to form a
full 64-bit block. Using the DES encryption algorithm E and a secret key K, a data authentication code
(DAC) is calculated as follows (Figure 12.7).

Cipher-Based Message Authentication Code (CMAC)

 As was mentioned, DAA has been widely adopted in government and industry. [BELL00] demonstrated
that this MAC is secure under a reasonable set of security criteria, with the following restriction.
 Only messages of one fixed length of mn bits are processed, where n is the cipher block size and m is a
fixed positive integer.
 Black and Rogaway [BLAC00] demonstrated that this limitation could be overcome using three keys:
one key of length k to be used at each step of the cipher block chaining and
two keys of length n,
where k is the key length and n is the cipher block length.
This proposed construction was refined by Iwata and Kurosawa so that the two n-bit keys could
be derived from the encryption key, rather than being provided separately [IWAT03].
 This refinement, adopted by NIST, is the Cipher-based Message Authentication Code (CMAC) mode of
operation for use with AES and triple DES.
 It is specified in NIST Special Publication 800-38B.
First, let us define the operation of CMAC when the message is an integer multiple n of the
cipher block length b.
For AES, b = 128, and for triple DES, b = 64.
The message is divided into n blocks (M1, M2, . . . , Mn).
The algorithm makes use of a k-bit encryption key K and an n-bit constant, K1.
For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits.
CMAC is calculated as follows (Figure 12.8).

 If the message is not an integer multiple of the cipher block length, then the final block is padded to the
right (least significant bits) with a 1 and as many 0s as necessary so that the final block is also of length
b.
 The CMAC operation then proceeds as before, except that a different n-bit key K2 is used instead of
K1.
 The two n-bit keys are derived from the k-bit encryption key as follows.

Digital Signature:

 Digital Signature is a process that guarantees that the contents of a message have not been altered in
transit.
 In other words, a digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software or digital document.
 As the digital equivalent of a handwritten signature or stamped seal, a digital signature offers far more
inherent security, and it is intended to solve the problem of tampering and impersonation in digital
communications.
 Digital signatures can provide the added assurances of evidence of origin, identity and status of an
electronic document, transaction or message and can acknowledge informed consent by the signer.
 Digital signatures are based on public key cryptography. Using a public key algorithm, such as RSA,
one can generate two keys that are mathematically linked: one private and one public.
Suppose that Bob wants to send a message to Alice.
Although it is not important that the message be kept secret, he wants Alice to be certain
that the message is indeed from him.
For this purpose, Bob uses a secure hash function, such as SHA-512, to generate a hash
value for the message.
That hash value, together with Bob’s private key serves as input to a digital signature
generation algorithm, which produces a short block that functions as a digital signature.
Bob sends the message with the signature attached.
When Alice receives the message plus signature, she
 calculates a hash value for the message;
 provides the hash value and Bob’s public key as inputs to a digital signature
verification algorithm.
If the algorithm returns the result that the signature is valid, Alice is assured that the message
must have been signed by Bob.
No one else has Bob’s private key and therefore no one else could have created a signature
that could be verified for this message with Bob’s public key.
In addition, it is impossible to alter the message without access to Bob’s private key, so the
message is authenticated both in terms of source and in terms of data integrity.
Properties:

 Message authentication protects two parties who exchange messages from any third party.
 However, it does not protect the two parties against each other. Several forms of dispute between the
two parties are possible.
 In situations where there is not complete trust between sender and receiver, something more than
authentication is needed. The most attractive solution to this problem is the digital signature. The
digital signature must have the following properties:
It must verify the author and the date and time of the signature.
It must authenticate the contents at the time of the signature.
It must be verifiable by third parties, to resolve disputes.
 Thus, the digital signature function includes the authentication function.

Direct Digital Signature

 The term direct digital signature refers to a digital signature scheme that involves only the
communicating parties (source, destination). It is assumed that the destination knows the public key of
the source.
 Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
(symmetric encryption). Note that it is important to perform the signature function first and then an
outer confidentiality function.
 In case of dispute, some third party must view the message and its signature. If the signature is
calculated on an encrypted message, then the third party also needs access to the decryption key to read
the original message.
 However, if the signature is the inner operation, then the recipient can store the plaintext message and
its signature for later use in dispute resolution.
Elgamal Digital Signature

 The Elgamal signature scheme involves the use of the private key for encryption(digital signature
generation) and the public key for decryption(digital signature verification).
 As with Elgamal encryption, the global elements of Elgamal digital signature are a prime number q
and a, which is a primitive root of q. User A generates a private/public key pair as follows.
1. Generate a random integer XA, such that 1 6 XA 6 q - 1.
2. Compute YA = aXA mod q.
3. A’s private key is XA; A’s pubic key is {q, a, YA}.
 To sign a message M, user A first computes the hash m = H(M), such thatm is an integer in the range 0
… m … q - 1. A then forms a digital signature as follows.
1. Choose a random integer K such that 1 … K … q - 1 and gcd(K, q - 1) = 1.
That is, K is relatively prime to q - 1.
2. Compute S1 = aK mod q. Note that this is the same as the computation of C1 for Elgamal
encryption.
3. Compute K-1mod (q - 1). That is, compute the inverse of K modulo q - 1.
4. Compute S2 = K-1(m - XAS1) mod (q - 1).
5. The signature consists of the pair (S1, S2).
 Any user B can verify the signature as follows.
1. Compute V1 = am mod q.
2. Compute V2 = (YA)S1(S1)S2mod q.
 The signature is valid if V1 = V2. Let us demonstrate that this is so. Assume that the equality is true.
Then we have
am mod q = (YA)S1(S1)S2 mod q assume V1 = V2
am mod q = aXAS1aKS2 mod q substituting for YA and S1
am-XA S1 mod q = aKS2 mod q rearranging terms
m - XAS1 K KS2 mod (q - 1) property of primitive roots
m - XAS1 K KK-1 (m - XAS1) mod (q - 1) substituting for S2
 For example, let us start with the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13,
14, 15}, as shown in Table 8.3. We choose a = 10.
Alice generates a key pair as follows:
1. Alice chooses XA = 16.
2. Then YA = a^XA mod q = 10^16 mod 19 = 4.
3. Alice's private key is 16; Alice's public key is {q, a, YA} = {19, 10, 4}.
Suppose Alice wants to sign a message with hash value m = 14.
1. Alice chooses K = 5, which is relatively prime to q - 1 = 18.
2. S1 = a^K mod q = 10^5 mod 19 = 3 (see Table 8.3).
3. K^-1 mod (q - 1) = 5^-1 mod 18 = 11 (since 5 × 11 = 55 = 3 × 18 + 1).
4. S2 = K^-1 (m - XA·S1) mod (q - 1) = 11 (14 - (16)(3)) mod 18 = -374 mod 18 = 4.
Bob can verify the signature as follows.
1. V1 = a^m mod q = 10^14 mod 19 = 16.
2. V2 = (YA)^S1 (S1)^S2 mod q = (4^3)(3^4) mod 19 = 5184 mod 19 = 16.
Thus, the signature is valid.
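The key generation, signing and verification steps above, as an added example in Python; this is not code from the original notes. It is written for any global elements (q, a) and checked against the worked values q = 19, a = 10, XA = 16, K = 5, m = 14. The 19-element field and the use of SHA-256 reduced mod q in place of the page's unspecified H are assumptions made only so the example runs; a real deployment uses a prime of thousands of bits and a full-width hash.

```python
import hashlib
from math import gcd
from secrets import randbelow

# Global elements from the worked example above: q = 19 with primitive root a = 10.
# Assumption: a toy field for illustration; a real deployment uses a prime of thousands of bits.
Q, A = 19, 10


def keygen(q=Q, a=A, x=None):
    """Return (XA, YA): a private exponent with 1 <= XA <= q-1 and the public value YA = a^XA mod q."""
    if x is None:
        x = 1 + randbelow(q - 1)
    return x, pow(a, x, q)


def hash_to_int(message: bytes, q=Q) -> int:
    """m = H(M) reduced into 0..q-1 (assumption: SHA-256 mod q stands in for the page's H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def sign(m: int, x: int, k: int, q=Q, a=A):
    """Sign hash value m with private key x and a fresh one-time K; returns (S1, S2)."""
    if not 0 <= m < q:
        raise ValueError("hash value must lie in 0..q-1")
    if not (1 <= k < q and gcd(k, q - 1) == 1):
        raise ValueError("K must satisfy 1 <= K <= q-1 and gcd(K, q-1) = 1")
    s1 = pow(a, k, q)                        # S1 = a^K mod q (the C1 of Elgamal encryption)
    k_inv = pow(k, -1, q - 1)                # K^-1 mod (q-1)
    s2 = (k_inv * (m - x * s1)) % (q - 1)    # S2 = K^-1 (m - XA*S1) mod (q-1)
    return s1, s2


def verify(m: int, signature, y: int, q=Q, a=A) -> bool:
    """Accept iff V1 = a^m mod q equals V2 = YA^S1 * S1^S2 mod q."""
    s1, s2 = signature
    if not 1 <= s1 < q:                      # S1 outside the group: reject before exponentiating
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


def worked_example():
    """Reproduce the page's numbers: XA = 16, K = 5, m = 14 give YA = 4, (S1, S2) = (3, 4), V1 = V2 = 16."""
    x, y = keygen(x=16)
    s1, s2 = sign(14, x, 5)
    v1, v2 = pow(A, 14, Q), (pow(y, s1, Q) * pow(s1, s2, Q)) % Q
    return {"YA": y, "S1": s1, "S2": s2, "V1": v1, "V2": v2, "valid": verify(14, (s1, s2), y)}


if __name__ == "__main__":
    print(worked_example())
    x, y = keygen()                                      # fresh random key over the same field
    m = hash_to_int(b"constructed sample message")
    k = next(c for c in range(2, Q - 1) if gcd(c, Q - 1) == 1)   # demo only: K must be fresh per signature
    print("valid:", verify(m, sign(m, x, k), y))
```

The range checks are the ones a real implementation needs: an S1 outside 1..q-1 is rejected before any exponentiation, and a K that is not invertible modulo q-1 cannot produce S2 at all. Changing even one bit of m after signing makes V1 differ from V2, which is what the tamper check in the test below relies on.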
X.509 Authentication Service

Introduction:

 X.509 is based on public-key cryptography and digital signatures.
 It does not dictate the use of a specific algorithm but recommends RSA.
 The digital signature scheme is assumed to require the use of a hash function. Again, the standard does
not dictate a specific hash algorithm.

Certificates

 The heart of the X.509 scheme is the public-key certificate associated with each user.
 These user certificates are assumed to be created by some trusted certification authority (CA) and placed
in the directory by the CA or by the user.
 The directory server itself is not responsible for the creation of public keys or for the certification
function.

The general format of a certificate, which includes the following elements:

Version: Differentiates among successive versions of the certificate format; the default is version 1. If the
Issuer Unique Identifier or Subject Unique Identifier fields are present, the value must be version 2. If one or
more extensions are present, the version must be version 3.
Serial number: An integer value, unique within the issuing CA, that is unambiguously associated with this
certificate.
Signature algorithm identifier: The algorithm used to sign the certificate, together with any associated
parameters. Because this information is repeated in the Signature field at the end of the certificate, this field has
little, if any, utility on its own; a verifier should nevertheless check that the two copies agree, since a mismatch
marks the certificate as malformed.
Issuer name: X.500 name of the CA that created and signed this certificate.
Period of validity: Consists of two dates: the first and last on which the certificate is valid.
Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies the public
key of the subject who holds the corresponding private key.
Subject's public-key information: The public key of the subject, plus an identifier of the algorithm for which
this key is to be used, together with any associated parameters.
Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the event the
X.500 name has been reused for different entities.
Subject unique identifier: An optional bit string field used to identify uniquely the subject in the event the
X.500 name has been reused for different entities.
Extensions: A set of one or more extension fields. Extensions were added in version 3.

Signature: Covers all of the other fields of the certificate; it contains the hash of the other fields, signed
(encrypted, in RSA terms) with the CA's private key. This field includes the signature algorithm identifier.

The unique identifier fields were added in version 2 to handle the possible reuse of subject and/or issuer names
over time. These fields are rarely used.
Obtaining a User's Certificate

 User certificates generated by a CA have the following characteristics:
Any user with access to the public key of the CA can verify the user public key that was
certified.
No party other than the certification authority can modify the certificate without this being
detected.
 Certificates are placed in a directory without the need to make special efforts to protect them. If all
users subscribe to the same CA, then there is a common trust of that CA. All user certificates can be
placed in the directory for access by all users.
 If there is a large community of users, it may not be practical for all users to subscribe to the same CA.
Because it is the CA that signs certificates, each participating user must have a copy of the CA's own
public key to verify signatures. This public key must be provided to each user in an absolutely secure
way so that the user has confidence in the associated certificates.
 Now suppose that A has obtained a certificate from certification authority X1 and B has obtained a
certificate from CA X2. If A does not securely know the public key of X2, then B's certificate, issued
by X2, is useless to A. A can read B's certificate, but A cannot verify the signature. However, if the two
CAs have securely exchanged their own public keys, the following procedure will enable A to obtain
B's public key:
A obtains, from the directory, the certificate of X2 signed by X1. Because A securely knows X1's
public key, A can obtain X2's public key from its certificate and verify it by means of X1's
signature on the certificate.
A then goes back to the directory and obtains the certificate of B signed by X2. Because A now has
a trusted copy of X2's public key, A can verify the signature and securely obtain B's public key.
 A has used a chain of certificates to obtain B's public key. In the notation of X.509, this chain is
expressed as

X1<<X2>> X2 <<B>>

 In the same fashion, B can obtain A's public key with the reverse chain:

X2<<X1>> X1 <<A>>

 This scheme need not be limited to a chain of two certificates. An arbitrarily long path of CAs can be
followed to produce a chain. A chain with N elements would be expressed as

X1<<X2>> X2 <<X3>>... XN<<B>>

 In this case, each pair of CAs in the chain (Xi, Xi+1) must have created certificates for each other. All
these certificates of CAs by CAs need to appear in the directory, and the user needs to know how they
are linked to follow a path to another user's public-key certificate.
 X.509 suggests that CAs be arranged in a hierarchy so that navigation is straightforward.

Forward certificates: Certificates of X generated by other CAs.
Reverse certificates: Certificates generated by X that are the certificates of other CAs.
Example: user A can acquire the following certificates from the directory to establish a certification path to
B:
X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>

When A has obtained these certificates, it can unwrap the certification path in sequence to recover a trusted
copy of B's public key. Using this public key, A can send encrypted messages to B. If A wishes to receive
encrypted messages back from B, or to sign messages sent to B, then B will require A's public key, which can be
obtained from the following certification path:

Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>

B can obtain this set of certificates from the directory, or A can provide them as part of its initial message to B.

Revocation of Certificates

 Each certificate includes a period of validity, much like a credit card.


 Typically, a new certificate is issued just before the expiration of the old one.
 It may be desirable on occasion to revoke a certificate before it expires, for one of the following
reasons:
The user's private key is assumed to be compromised.
The user is no longer certified by this CA.
The CA's certificate is assumed to be compromised.
 Each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA,
including both those issued to users and to other CAs. These lists should also be posted on the directory.
 Each certificate revocation list (CRL) posted to the directory is signed by the issuer and includes the
issuer's name, the date the list was created, the date the next CRL is scheduled to be issued, and an entry
for each revoked certificate.
 Each entry consists of the serial number of a certificate and revocation date for that certificate. Because
serial numbers are unique within a CA, the serial number is sufficient to identify the certificate.
 When a user receives a certificate in a message, the user must determine whether the certificate has been
revoked.
 The user could check the directory each time a certificate is received.
 To avoid the delays (and possible costs) associated with directory searches, it is likely that the user
would maintain a local cache of certificates and lists of revoked certificates, refreshing a cached CRL once
the next-issue date it carries has passed.
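The certification-path procedure above (X1<<X2>> X2<<B>>, and the hierarchy example X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>) together with the CRL check of this section, as one added example in Python; it is not code from the original notes. It builds a directory of forward and reverse certificates for a constructed CA hierarchy, lets A, who securely holds only X's public key, search the directory for a path to B, and then unwraps the path certificate by certificate: each signature is verified with the key established one step earlier, and each issuer's cached CRL is consulted, with a cache whose next-issue date has passed rejected as stale. Signatures use textbook RSA over two-digit primes purely so that the chain logic is real and checkable; that toy, the CA names, the serial numbers and the CRL dates are all assumptions, not anything X.509 specifies.

```python
import hashlib
from collections import deque
from dataclasses import dataclass
from math import gcd

def keygen(p: int, q: int):
    """Toy textbook RSA keys from two small primes -> ((n, e), (n, d)). Illustration only; not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    serial: int
    pub: tuple            # subject's public key (n, e)
    sig: int = 0

    def body(self) -> bytes:          # the fields the issuer's signature covers
        return f"{self.issuer}|{self.subject}|{self.serial}|{self.pub}".encode()

    def __str__(self):
        return f"{self.issuer}<<{self.subject}>>"

def digest(body: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(issuer: str, priv, subject: str, serial: int, subject_pub) -> Cert:
    unsigned = Cert(issuer, subject, serial, subject_pub)
    n, d = priv
    return Cert(issuer, subject, serial, subject_pub, pow(digest(unsigned.body(), n), d, n))

def verify(cert: Cert, issuer_pub) -> bool:
    n, e = issuer_pub
    return pow(cert.sig, e, n) == digest(cert.body(), n)

# Constructed hierarchy: V above W and Y, W above X, Y above Z; A is certified by X, B by Z.
PRIMES = {"X": (61, 53), "W": (67, 71), "V": (73, 79), "Y": (83, 89),
          "Z": (97, 101), "A": (103, 107), "B": (109, 113)}
KEYS = {who: keygen(p, q) for who, (p, q) in PRIMES.items()}        # who -> (pub, priv)
DIRECTORY = {}                                                        # (issuer, subject) -> Cert
CRLS = {who: {"next_update": "2030-01-01", "revoked": set()} for who in PRIMES}   # cached per issuer

def publish(issuer: str, subject: str) -> None:
    serial = sum(1 for iss, _ in DIRECTORY if iss == issuer) + 1      # unique within the issuing CA
    DIRECTORY[(issuer, subject)] = issue(issuer, KEYS[issuer][1], subject, serial, KEYS[subject][0])

for upper, lower in [("V", "W"), ("V", "Y"), ("W", "X"), ("Y", "Z")]:
    publish(upper, lower)         # forward certificate of the lower CA
    publish(lower, upper)         # reverse certificate: the lower CA certifies its parent
publish("X", "A")
publish("Z", "B")

def find_path(trusted_ca: str, target: str):
    """Breadth-first search over the directory from the CA whose key we hold to the target's certificate."""
    prev, queue = {trusted_ca: None}, deque([trusted_ca])
    while queue and target not in prev:
        cur = queue.popleft()
        for issuer, subject in DIRECTORY:
            if issuer == cur and subject not in prev:
                prev[subject] = cur
                queue.append(subject)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        path.append(DIRECTORY[(prev[node], node)])
        node = prev[node]
    return path[::-1]

def unwrap_path(path, trusted_pub, today: str):
    """Verify each certificate with the key the previous one established and consult its issuer's CRL.
    Returns (end_entity_public_key, None) on success or (None, reason) on rejection."""
    key = trusted_pub
    for cert in path:
        if not verify(cert, key):
            return None, f"bad signature on {cert}"
        crl = CRLS[cert.issuer]
        if today > crl["next_update"]:                  # ISO dates compare correctly as strings
            return None, f"cached CRL of {cert.issuer} is stale; fetch the current one from the directory"
        if cert.serial in crl["revoked"]:
            return None, f"{cert} (serial {cert.serial}) is revoked"
        key = cert.pub
    return key, None

if __name__ == "__main__":
    path = find_path("X", "B")
    print(" ".join(str(c) for c in path))
    print(unwrap_path(path, KEYS["X"][0], "2025-06-01"))
```

Because every adjacent pair of CAs holds both a forward and a reverse certificate, the same search run from Z finds the reverse path Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>> that B needs for A's key. Revoking the certificate Y issued to Z (adding its serial number to Y's CRL) breaks the path for A even though every signature on it still verifies, which is why the CRL check sits beside the signature check rather than after the whole chain.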

Kerberos

Introduction:-

 Kerberos is a network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography.
 The following three threats exist:
A user may gain access to a particular workstation and pretend to be another user operating from that
workstation.
A user may alter the network address of a workstation so that the requests sent from the altered
workstation appear to come from the impersonated workstation.
A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt
operations.
In all of these cases, an unauthorized user may be able to gain access to services and data that he or
she is not authorized to access.

Motivation

 If a set of users is provided with dedicated personal computers that have no network connections, then a
user's resources and files can be protected by physically securing each personal computer.
 When these users instead are served by a centralized time-sharing system, the time-sharing operating
system must provide the security.
 The operating system can enforce access control policies based on user identity and use the logon
procedure to identify users.
 Today, neither of these scenarios is typical. More common is a distributed architecture consisting of
dedicated user workstations (clients) and distributed or centralized servers. In this environment, three
approaches to security can be envisioned:
Rely on each individual client workstation to assure the identity of its user or users and rely on
each server to enforce a security policy based on user identification (ID).
Require that client systems authenticate themselves to servers, but trust the client system
concerning the identity of its user.
Require the user to prove his or her identity for each service invoked. Also require that servers
prove their identity to clients.
 In a small, closed environment, in which all systems are owned and operated by a single organization,
the first or perhaps the second strategy may suffice.
 But in a more open environment, in which network connections to other machines are supported, the
third approach is needed to protect user information and resources housed at the server. Kerberos
supports this third approach. Kerberos assumes a distributed client/server architecture and employs one or
more Kerberos servers to provide an authentication service.

The first published report on Kerberos listed the following requirements:

Secure: A network eavesdropper should not be able to obtain the necessary information to
impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does
not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos
service means lack of availability of the supported services. Hence, Kerberos should be highly
reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the
requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This
suggests a modular, distributed architecture.
