CNS UNIT-4

The document discusses the importance of message integrity and authentication in cryptography, highlighting the use of cryptographic hash functions to ensure data integrity. It outlines the criteria for secure hash functions, the Random Oracle Model, and various attacks on hash functions, as well as the concepts of Message Authentication Codes (MAC), HMAC, and CMAC. Additionally, it provides an overview of cryptographic hash algorithms, particularly SHA-512, detailing its functionality, security features, and application areas.

Uploaded by Raj Kumar

Cryptography and Network Security CSE

Introduction to Message Integrity and Authentication

1. Message Integrity:
The cryptography systems that we have studied so far provide secrecy (confidentiality), but not
integrity. However, there are occasions where we may not need secrecy at all but must have
integrity: assurance that the data has not been changed.

Document and Fingerprint:

One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be
sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of
the document.

Message and Message Digest:

The electronic equivalent of the document and fingerprint pair is the message and message digest pair.
To preserve the integrity of a message, the message is passed through an algorithm called a
cryptographic hash function.

Difference:

The two pairs (document/fingerprint) and (message/message digest) are similar, with some differences.
The document and fingerprint are physically linked together. The message and message digest can be
unlinked and sent separately, and, most importantly, the message digest needs to be safe from change.
Note: The message digest needs to be safe from change.

Checking Integrity:

To check the integrity of a message or document, we run the cryptographic hash function
again and compare the new message digest with the previous one. If both are the same, we are sure
that the original message has not been changed.

SUTHOJU GIRIJA RANI, Assistant Professor, CSE

Cryptographic Hash Function Criteria:

A cryptographic hash function must satisfy three criteria:

1. Pre-image Resistance
2. Second Pre-image Resistance
3. Collision Resistance

Pre-image Resistance: The hash function must be a one-way function: for any given digest y, it is
computationally infeasible to find an x such that h(x) = y (i.e., to invert h).

Second Pre-image Resistance: In this criterion, an adversary is provided with the value of x and is
asked to compute a value x1 ≠ x such that h(x) = h(x1).

If it is difficult for the attacker to perform this computation, we say that the hash function is
second pre-image resistant.

Collision Resistance: A collision of a hash function is the event in which two values x and x1, with
x1 ≠ x, hash to the same value, i.e., h(x) = h(x1). The function is collision resistant if it is
infeasible for an adversary to find any such pair.


Random Oracle Model:

Random Oracle Model is an ideal mathematical model for a hash function. A function based on this
model behaves as follows:
1. When a new message of any length is given, the oracle creates and returns a fixed-length message
digest that is a random string of 0's and 1's. The oracle records the message and its digest.
2. When a message is given for which a digest already exists, the oracle simply returns the digest
from its record.

Analysis of Random Oracle Model

1. Pigeonhole principle: there can be collisions

a. If n pigeonholes are occupied by n+1 pigeons, then at least one pigeonhole is occupied
by 2 pigeons. More generally, if n pigeonholes are occupied by kn+1 pigeons, then at least
one pigeonhole is occupied by k+1 pigeons.
b. Since messages are longer than digests, some digests correspond to more than one
message; the relationship between the possible messages and digests is many-to-one.

2. Birthday Problems
The birthday problem is important for understanding the security of hash functions and the
feasibility of attacks based on collisions: a collision is expected after far fewer trials than
the number of possible digests. By applying the principles derived from the birthday paradox,
cryptographers can size digests appropriately and understand the potential vulnerabilities in
existing cryptographic algorithms.


Attacks on random oracle model

Generic attacks exploit the properties of the random oracle model without relying on the
specifics of the hash function used. Examples include:

• Birthday Attack: As previously mentioned, this attack exploits the birthday paradox to
find collisions in hash functions.
• Preimage and Second Preimage Attacks: These attacks involve finding an input that
maps to a given hash output (preimage) or another input that maps to the same hash
output (second preimage).
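As an added example (not part of the notes), the following Python code makes the pigeonhole and birthday arguments above concrete on a constructed toy hash: SHA-512 truncated to 16 bits, so that only 2^16 digests exist. It hashes constructed inputs until two collide, and computes the birthday estimate (about 2^(n/2) hashes for a 50% collision) for digest sizes such as MD5's 128 bits and SHA-512's 512 bits, which is the sizing argument behind "128 bits is too small".

```python
import hashlib
import itertools
import math

def truncated_digest(message: bytes, bits: int) -> int:
    # Constructed toy hash: the first `bits` bits of SHA-512, so there are only
    # 2**bits possible digests and collisions can be observed directly.
    full = int.from_bytes(hashlib.sha512(message).digest(), "big")
    return full >> (512 - bits)

def birthday_bound(bits: int) -> float:
    # Number of random inputs after which a collision is about 50% likely:
    # sqrt(2 ln 2 * 2**bits), roughly 1.18 * 2**(bits/2).
    return math.sqrt(2 * math.log(2) * 2 ** bits)

def birthday_bound_log2(bits: int) -> float:
    # The same bound expressed as a power of two, for comparing digest sizes.
    return math.log2(birthday_bound(bits))

def first_collision(bits: int):
    # Hash constructed inputs msg-0, msg-1, ... until two share a digest.
    # Pigeonhole: with 2**bits digests, at most 2**bits + 1 inputs are needed;
    # the birthday bound predicts that far fewer will do.
    seen = {}
    for i in itertools.count():
        msg = f"msg-{i}".encode()
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1   # earlier input, colliding input, inputs hashed
        seen[d] = msg

if __name__ == "__main__":
    m1, m2, tries = first_collision(16)
    print(f"16-bit digest: {m1!r} and {m2!r} collide after {tries} inputs "
          f"(birthday bound ~{birthday_bound(16):.0f}, pigeonhole limit {2**16 + 1})")
    for name, n in (("MD5", 128), ("SHA-512", 512)):
        print(f"{name}: about 2^{birthday_bound_log2(n):.1f} hashes for a 50% collision")
```

The collision on the 16-bit toy appears after a few hundred inputs, close to the birthday estimate of about 300 and far below the pigeonhole limit of 65537; the same arithmetic gives about 2^64 work for a 128-bit digest and 2^256 for a 512-bit one.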

Message Authentication, MAC, HMAC & CMAC


Message Authentication:
• A message digest guarantees the integrity of a message: it guarantees that the message has
not been changed.
• A message digest does not authenticate the sender of the message.
• When Alice sends a message to Bob, Bob needs to know whether the message is coming from
Alice.
• To provide message authentication, Alice needs to provide proof that it is Alice sending the
message and not a fraud.
• The digest created by a cryptographic hash function is normally called a Modification
Detection Code (MDC). This code can detect any modification in the message.
• What we need for message authentication is a Message Authentication Code (MAC).

Modification Detection Code (MDC):

• A modification detection code (MDC) is a message digest that can prove the integrity of
the message: that the message has not been changed.


• If Alice needs to send a message to Bob and be sure that the message will not change
during transmission,
• Alice can create a message digest, the MDC, and send both the message and the MDC to Bob.
Bob can create a new MDC from the message and compare the received MDC with the new
MDC. If they are the same, the message has not been changed.

Message Authentication Code (MAC):

• To ensure the integrity of a message and data origin authentication, we need to change
a modification detection code (MDC) into a Message Authentication Code (MAC).
• The difference between an MDC and a MAC is that the latter includes a secret key shared between
Alice and Bob.

MAC Security
How can Eve forge a message without having the key?
• If the size of the key allows exhaustive search, Eve may try all possible keys to digest the
message.
• Eve may use a pre-image attack on the underlying hash function.
• Given some pairs of messages and their MACs, Eve may manipulate them to come up
with a new message and its digest.
Note: The security of a MAC depends on the security of the underlying hash algorithm.

Nested MAC:


• To improve MAC security, nested MACs were designed in which hashing is performed
twice.
• In the 1st step, the key is concatenated with the message and hashed to create an
intermediate digest.
• In the 2nd step, the key is concatenated with the intermediate digest and hashed to create
the final digest.

HMAC (Hashed MAC):

• HMAC stands for Hashed (or Hash-based) Message Authentication Code.
• It applies the hash function twice, so it is highly resistant to attack.
• HMAC combines the benefits of hashing and a MAC.
• The working of HMAC starts with taking a message M consisting of blocks of length b bits.
• An input signature is prepended to the message and the whole is given as input to a
hash function, which gives us an intermediate HMAC.
• The intermediate HMAC is again appended to an output signature and the whole is given to
the hash function again; the result is our final HMAC of n bits.
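The nested construction just described, written out as an added example (not from the notes) in Python over SHA-512: the key is padded to the b-bit block size, the input signature is the key XORed with 0x36 bytes and the output signature the key XORed with 0x5C bytes, and the hash is applied twice. The hand-built version is cross-checked against the standard library's `hmac` module, an MDC (unkeyed digest) is computed alongside it for contrast, and verification uses a constant-time comparison. The key and messages are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 128   # b = 1024 bits: the SHA-512 block size, so the key fills one block

def hmac_sha512(key: bytes, message: bytes) -> bytes:
    # Nested (two-pass) construction: inner hash over (K ^ ipad) || M,
    # outer hash over (K ^ opad) || inner digest. Output is n = 512 bits.
    if len(key) > BLOCK_SIZE:                  # keys longer than a block are hashed first
        key = hashlib.sha512(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")       # pad the key up to one full block
    ipad = bytes(k ^ 0x36 for k in key)        # "input signature"
    opad = bytes(k ^ 0x5C for k in key)        # "output signature"
    inner = hashlib.sha512(ipad + message).digest()   # intermediate HMAC
    return hashlib.sha512(opad + inner).digest()      # final HMAC

def mdc(message: bytes) -> bytes:
    # Modification detection code: an unkeyed digest; proves integrity only,
    # since anyone can recompute it for a modified message.
    return hashlib.sha512(message).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # The receiver recomputes the MAC with the shared key and compares in
    # constant time, so the comparison itself leaks nothing about the tag.
    return hmac.compare_digest(hmac_sha512(key, message), tag)

def reference_hmac(key: bytes, message: bytes) -> bytes:
    # Standard-library HMAC, used to cross-check the hand-built version.
    return hmac.new(key, message, hashlib.sha512).digest()

if __name__ == "__main__":
    key = b"shared-secret-between-alice-and-bob"   # constructed sample key
    msg = b"transfer 100 to bob"                   # constructed sample message
    tag = hmac_sha512(key, msg)
    print("MDC     :", mdc(msg).hex()[:32], "...")
    print("HMAC    :", tag.hex()[:32], "...")
    print("valid   :", verify_mac(key, msg, tag))
    print("tampered:", verify_mac(key, b"transfer 900 to bob", tag))
```

Both passes use the same hash, so the construction costs roughly one extra compression per message; the intermediate digest is never sent, only the final tag.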


CMAC (Cipher based MAC)

• This is similar to CBC (Cipher Block Chaining).
• It takes N blocks of message but creates one block of MAC.
• The message is divided into N blocks of m-bit size. If the last block is not m bits in
size, it is padded with a 1 followed by 0's, like 100000….
• The first block is encrypted with key K, then its output is XORed with the next block
before the 2nd encryption, and so on.
• The last block is encrypted with an additional key value for more security.


Cryptographic Hash Functions

A cryptographic hash function takes a message of arbitrary length and creates a message
digest of fixed length, also called hash. A cryptographic hash function H accepts a variable-
length block of data M as input and produces a fixed-size hash value.

Iterated Hash Function

All cryptographic hash functions need to create a fixed-size digest out of a variable-size message.
The hash function is actually a fixed-size input function that is applied a number of times. This
fixed-size function is referred to as a compression function: it compresses an m-bit input string
to an n-bit output string.

Merkle-Damgard Scheme

• This is an iterated hash function that is collision resistant provided the compression
function is collision resistant.
• This is the basis for many cryptographic hash functions today.
• The message is divided into t blocks of n-bit size. If necessary, some bits are padded.
• The blocks are M1, M2, …, Mt and the digests created at each compression function are
H1, H2, …, Ht.
• Before starting the iteration, the digest H0 is set to a fixed value called the IV (initial
value or initial vector). The compression function operates on Hi-1 and Mi to create a new Hi.


Hi = f(Hi-1, Mi), where f is the compression function.

Hash Functions Invention

Cryptographic hash algorithms fall into the following three groups:

• MD family
• Whirlpool
• SHA family

Of these, the two most promising cryptographic hash algorithms are Whirlpool and SHA-512.

MD Family

• These are MD (Message Digest), MD2, MD4 and MD5.
• MD5 takes blocks of size 512 bits and creates a 128-bit digest.
• A 128-bit digest is too small to resist a collision attack.
• The hash functions MD2, MD4 and MD5 are members of the MD family. MD5 was adopted as
RFC 1321, an Internet Standard. It is a 128-bit hash function.
• In the software industry, MD5 digests are frequently used to ensure the integrity of
transferred files. File servers frequently publish a pre-computed MD5 checksum so that users can
compare it with the checksum of the downloaded file.
• In 2004, collisions were found in MD5. It was claimed that an analytical attack using a
computer cluster was successful in less than one hour. Since MD5 was compromised by this
collision attack, using it is no longer recommended.

Whirlpool

Whirlpool is a cryptographic hash function designed by Vincent Rijmen and Paulo S. L. M.
Barreto, who first described it in 2000. Whirlpool is based on a substantially modified version
of the Advanced Encryption Standard (AES). Whirlpool produces a hash digest of 512 bits (64
bytes).

Whirlpool is based on a 512-bit block cipher whose structure is similar to Rijndael (AES). It
uses 512-bit keys. The block cipher is dedicated only to hashing, which is very exceptional in
cryptography, i.e., the Whirlpool block cipher will most likely never be used for standalone
encryption. It is designed for both software and hardware implementations, with compactness
and performance in mind.

The state is represented as an 8×8 matrix; the word size in Whirlpool is 64 bits.


Secure Hash Algorithm (SHA)

• SHA was originally designed by NIST & NSA in 1993
• SHA was revised in 1995 as SHA-1
• Three additional versions of SHA were added
• SHA-256, SHA-384 and SHA-512 are similar in structure and detail to SHA-1

Introduction to SHA –512

• SHA-512 is a member of the Secure Hash Algorithm family
• SHA-512 creates a 512-bit message digest.
• The original message is divided into multiple blocks of size 1024 bits.


• The processing of each block involves 80 rounds
• Each block of size 1024 bits can be viewed as 16 words of size 64 bits
• The maximum size of a message is less than 2^128 bits. This means that if the length of a
message is equal to or greater than 2^128, it will not be processed by SHA-512
• SHA-512 is based on the Merkle-Damgard scheme.

TOP VIEW OF SHA-512

Functionality of SHA-512

• Security: Designed to be secure against cryptographic attacks, including collision
resistance, pre-image resistance, and second pre-image resistance.

• SHA-512 takes an input (or "message") and produces a fixed-size 512-bit (64-byte)
hash value, typically represented as a 128-character hexadecimal number. This process
is non-reversible, i.e., you cannot derive the original input from the hash value.

Applications of SHA-512

- Integrity Verification: Ensuring that data has not been altered.

- Digital Signatures: Creating and verifying digital signatures.

- Password Hashing: Storing hashed versions of passwords.

- Data De-duplication: Identifying duplicate data based on hash values.


SHA-512 Algorithm - Secure Hash Algorithm 512

- Digest Size: 512 bits (64 bytes)
- Block Size: 1024 bits (128 bytes)
- Rounds: 80
- Security: Designed to be secure against cryptographic attacks, including collision resistance,
preimage resistance, and second preimage resistance.

SHA-512 involves 80 rounds of operations.
Each message block involves 1024 bits, represented as 16 words, where each word in
SHA-512 is 64 bits, i.e., 16 × 64 = 1024 bits.

Functionality

SHA-512 takes an input (or "message") and produces a fixed-size 512-bit (64-byte) hash value,
typically represented as a 128-character hexadecimal number. This process is non-reversible
i.e., you cannot derive the original input from the hash value.

Steps of the SHA-512 Algorithm

1. Padding the Message:

- The original message is padded with a single '1' bit, followed by a number of '0' bits such
that the total length is congruent to 896 modulo 1024. The final 128 bits are filled with the
length of the original message, in bits.

2. Parsing the Padded Message:

- The padded message is divided into blocks of 1024 bits each.

3. Setting Initial Hash Values:

- The algorithm uses eight 64-bit words as initial hash values. These are derived from the first
64 bits of the fractional parts of the square roots of the first eight prime numbers.

4. Processing Message Blocks:

- For each block, the algorithm uses a message schedule of 80 64-bit words and processes
each word through a series of bitwise operations, modular additions, and logical functions.

5. Updating the Hash Values:

- After processing each block, the hash values are updated using the results from the message
schedule and the previous hash values.

6. Producing the Final Hash Value:

- The final hash value is obtained by concatenating the eight 64-bit words that result from
processing all message blocks.


Working of SHA-512

The Following Figure shows internal logic of the SHA-512

STEPS:

1. Append padding bits: The message is padded with 1000000… so that, once the length
field is appended, the total length is a multiple of 1024.

2. Append length of the message: A block of 128 bits is appended to the message. It
contains the length of the original message in bits. Before the length of the message is
appended, the padding specified in the first step is applied.

The size of the padding, |P|, is calculated from: (|M| + |P| + 128) ≡ 0 mod 1024

|P| = (−|M| − 128) mod 1024

Example: What is the number of padding bits if the length of the original message is 2590 bits?
Solution: |P| = (−2590 − 128) mod 1024

= −2718 mod 1024 = −670 mod 1024

= (1024 − 670) mod 1024 = 354


The padding consists of one 1 followed by 353 0's.

Length Field and Padding:

Before the message digest can be created, SHA-512 requires the addition of a 128-bit length
field (0 to 2^128 − 1) to the message that defines the length of the message in bits.

Compression Function

The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in the
block diagram.

Each round t takes as input the 512-bit buffer value abcdefgh and updates the contents of the
buffer. Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block
being processed (Mi).

Each round t also makes use of a 64-bit additive constant Kt.

The output of the 80th round is added to the input of the first round (Hi-1) to produce Hi.
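The six algorithm steps listed earlier (padding, parsing, initial hash values, message schedule, round processing, final concatenation) and the padding/compression description just given, carried through in one added Python example that is not part of the notes. The initial hash values and the 80 round constants are derived the way the notes describe them (fractional parts of square roots and cube roots of the first primes) instead of being typed in, the compression function is f(Hi-1, Mi) with the 80-round buffer update, and the result is checked against the standard library's `hashlib.sha512`. `padding_bits` implements the |P| formula from the notes, with the one edge case the formula hides: when |M| ≡ 896 mod 1024 the formula gives 0, but at least the single 1 bit must always be appended, so a full 1024-bit padding block is used.

```python
import hashlib
import struct

MASK64 = (1 << 64) - 1

def _primes(count):
    # First `count` primes, used to derive the IV and the round constants.
    found, n = [], 2
    while len(found) < count:
        if all(n % p for p in found):
            found.append(n)
        n += 1
    return found

def _iroot(n, k):
    # Integer k-th root (floor) by binary search; exact, unlike float math.
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

# Step 3: initial hash values H0 = first 64 fractional bits of sqrt(p) for the
# first 8 primes; round constants K_t = first 64 fractional bits of cbrt(p) for
# the first 80 primes. sqrt(p << 128) == sqrt(p) * 2**64, so the low 64 bits of
# the integer root are exactly the fractional bits.
H0 = [_iroot(p << 128, 2) & MASK64 for p in _primes(8)]
K = [_iroot(p << 192, 3) & MASK64 for p in _primes(80)]

def padding_bits(message_bits: int) -> int:
    # |P| = (-|M| - 128) mod 1024, counting the leading 1 bit and the zeros.
    # Edge case: the formula yields 0 when |M| ≡ 896, but a 1 bit is mandatory,
    # so a whole extra 1024-bit block of padding is used instead.
    return (-message_bits - 128) % 1024 or 1024

def pad(message: bytes) -> bytes:
    # Steps 1-2: append the 1 bit (as 0x80), then zeros, then the 128-bit length.
    bit_len = len(message) * 8
    zeros = padding_bits(bit_len) // 8 - 1          # bytes of zeros after 0x80
    return message + b"\x80" + b"\x00" * zeros + bit_len.to_bytes(16, "big")

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def compress(h, block):
    # Step 4: one application of f(H_{i-1}, M_i). Expand the 16 message words
    # to the 80-word schedule W_t, run 80 rounds on the buffer a..h, then add
    # the result to the incoming chaining value (step 5).
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        big_s1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK64
        big_s0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK64
        hh, g, f, e = g, f, e, (d + t1) & MASK64
        d, c, b, a = c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def sha512_hex(message: bytes) -> str:
    # Step 2: parse the padded message into 1024-bit blocks; chain from the IV
    # with H_i = f(H_{i-1}, M_i); step 6: concatenate the final eight words.
    padded = pad(message)
    h = list(H0)
    for i in range(0, len(padded), 128):
        h = compress(h, padded[i:i + 128])
    return "".join(f"{word:016x}" for word in h)

def reference_sha512_hex(message: bytes) -> str:
    # Standard-library result, used to cross-check the implementation above.
    return hashlib.sha512(message).hexdigest()

if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 112, b"x" * 300):   # constructed inputs
        print(len(sample), sha512_hex(sample) == reference_sha512_hex(sample))
    print("padding bits for a 2590-bit message:", padding_bits(2590))
```

The 112-byte input (896 bits) exercises the padding edge case, and the 300-byte input spans three blocks, so the chaining through the compression function is tested rather than a single block.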


[Figures: 80-Word Input Sequence; Constants; Initialize hash buffer]


Digital Signature

• A digital signature is a technique used to validate the authenticity and integrity of a
message.
• In the physical world, a person signs a document to show that it originated from him or
was approved by him. The signature is proof to the recipient that the document comes from
the correct entity.
• Similarly, a digital signature is a technique that binds a person/entity to the digital
data. This binding can be independently verified by the receiver as well as any third party.
• A digital signature is a cryptographic value that is calculated from the data and a secret
key known only by the signer.

Comparison of conventional signature & Digital signature

Inclusion: A conventional signature is included in the document; it is part of the document.

But when we sign a document digitally, we send the signature as a separate document.


Verification Method: For a conventional signature, when the recipient receives a document,
he compares the signature on the document with the signature on file.

For a digital signature, the recipient receives the message and the signature. The recipient needs
to apply a verification technique to the combination of the message and the signature to verify
the authenticity.

Relationship: For a conventional signature, there is normally a one-to-many relationship
between a signature and documents. For a digital signature, there is a one-to-one relationship
between a signature and a message.

Duplicity: In conventional signature, a copy of the signed document can be distinguished from
the original one on file. In digital signature, there is no such distinction unless there is a factor
of time on the document.

Process of Digital Signature

The sender uses a signing algorithm to sign the message. The message and the signature are
sent to the receiver. The receiver receives the message and the signature and applies the
verifying algorithm to the combination. If the result is true, the message is accepted; otherwise,
it is rejected.

Signing & Verifying the Digest


The drawback of asymmetric-key cryptosystems is that they are inefficient for long messages. A
digital signature system overcomes this drawback by signing the digest of the message rather than
the whole message.

SERVICES

The services in cryptography are: message confidentiality, authentication, integrity and
non-repudiation.

• A digital signature system can provide message authentication, integrity and
non-repudiation, but it still needs encryption/decryption for message confidentiality.

Message Authentication

• A secure digital signature scheme, like a secure conventional signature, can provide
message authentication.
• Example: Bob can verify that the message is sent by Alice because Alice's public key is
used in verification.

Message Integrity: The integrity of the message is preserved even if we sign the whole
message because we cannot get the same signature if the message is changed.

Non-repudiation: Non-repudiation can be provided using a trusted party.

Confidentiality: A digital signature does not provide privacy. If there is a need for privacy,
another layer of encryption/decryption must be applied. Adding confidentiality to a digital
signature scheme is as follows:


ATTACKS ON DIGITAL SIGNATURE

1. Key – Only Attack

In key-only attack, the public key of A is available to everyone and C makes use of this fact
and tries to recreate the signature of A and digitally sign the documents that A does not intend
to do.

2. Known – Message Attack

In the known-message attack, C has a few previous messages and signatures of A. C then tries to
forge the signature of A onto documents that A does not intend to sign, by brute force and by
analyzing the previous data to recreate the signature of A.

3. Chosen – Message Attack

In this method C knows A's public key, obtains A's signature on messages of C's choosing, and
replaces the original message with the message C wants A to sign, keeping A's signature on it
unchanged.

4. Forgery Attacks

1. Existential Forgery

The adversary can create a pair (message, signature) such that the signature on the message is
valid. The adversary has no control over which message's signature is forged.

2. Selective Forgery

The adversary is able to create a valid signature on a message chosen by someone else, with
significant probability. The adversary controls which message's signature is forged.


DIGITAL SIGNATURE SCHEMES


Several digital signature schemes have evolved during the last few decades, such as:
• RSA Digital Signature Scheme
• ElGamal Digital Signature Scheme
• Elliptic Curve Digital Signature Scheme
• Schnorr Digital Signature Scheme
  - Uses exponentiation in a finite (Galois) field
  - Security based on discrete logarithms, as in D-H
  - Minimizes message-dependent computation
  - Multiplying a 2n-bit integer with an n-bit integer
  - Main work can be done in idle time
  - Uses a prime modulus p
  - p−1 has a prime factor q of appropriate size; typically p is a 1024-bit and q a 160-bit
number
• Digital Signature Standard (DSS)

RSA DIGITAL SIGNATURE SCHEMES

General idea behind the RSA digital signature scheme is the sender uses his own private key to sign the
document; the receiver uses the sender’s public key to verify it.

RSA DIGITAL SIGNATURE SCHEME–Key Generation

Key generation in the RSA digital signature scheme is exactly the same as key generation in
RSA.
1. The sender chooses two prime numbers p and q
2. Calculate n = p × q
3. Calculate f(n) = (p − 1) × (q − 1)
4. Choose the public exponent e and calculate d (the private exponent) such that
• e × d ≡ 1 mod f(n)
In the RSA digital signature scheme, d is private; e and n are public.


RSA DIGITAL SIGNATURE SCHEME–Signing and verifying

Signing: Alice creates a signature out of the message using her private exponent, S = M^d mod n, and
sends the signature to Bob.
Verifying: Bob receives M and S. Bob applies Alice's public exponent to the signature to create a
copy of the message, M1 = S^e mod n. Bob compares M and M1. If both are congruent, he accepts the
message.

RSA DIGITAL SIGNATURE SCHEME – EXAMPLE

As a trivial example, suppose that Alice chooses p=823 and q=953, and calculates n=784319. The
value of f(n) is 782544. Now she chooses e=313 and calculates d=160009. At this point key
generation will be complete. Now imagine that Alice wants to send a message with the value of
M=19070 to Bob. She uses her private exponent, 160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He
calculates

Bob accepts the message because he has verified Alice’s signature.
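The key generation, signing and verifying steps above, worked in Python with the notes' own numbers (p = 823, q = 953, e = 313, M = 19070) as an added example that is not part of the notes. It also shows the "sign the digest" variant from the previous section: the message is hashed with SHA-512 and the digest is mapped into Z_n before signing. That mapping is a toy reduction mod n, labelled as such in the code; with a 20-bit n it only illustrates the flow, since real schemes use a modulus far larger than the digest together with a padding scheme rather than a bare reduction.

```python
import hashlib

def rsa_keygen(p: int, q: int, e: int):
    # Key generation exactly as listed in the notes: n = p*q, f(n) = (p-1)(q-1),
    # and d the inverse of e modulo f(n). Returns (n, e, d); d stays private.
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # e*d ≡ 1 mod f(n) (Python 3.8+)
    return n, e, d

def sign(message: int, d: int, n: int) -> int:
    # Alice: S = M^d mod n with her private exponent.
    return pow(message, d, n)

def verify(message: int, signature: int, e: int, n: int) -> bool:
    # Bob: M1 = S^e mod n with Alice's public exponent; accept if M1 == M.
    return pow(signature, e, n) == message % n

def digest_as_int(message: bytes, n: int) -> int:
    # Signing the digest: hash the message, then map the digest into Z_n.
    # Toy reduction for this tiny n; real systems pad the digest (e.g. PKCS#1)
    # into a modulus much larger than the digest instead of reducing mod n.
    return int.from_bytes(hashlib.sha512(message).digest(), "big") % n

def sign_digest(message: bytes, d: int, n: int) -> int:
    return sign(digest_as_int(message, n), d, n)

def verify_digest(message: bytes, signature: int, e: int, n: int) -> bool:
    return verify(digest_as_int(message, n), signature, e, n)

if __name__ == "__main__":
    n, e, d = rsa_keygen(823, 953, 313)          # values from the notes
    print("n =", n, "d =", d)                    # 784319 and 160009
    s = sign(19070, d, n)
    print("S =", s, "verifies:", verify(19070, s, e, n))
    print("tampered M verifies:", verify(19071, s, e, n))
    msg = b"pay Bob 100"                         # constructed sample message
    sig = sign_digest(msg, d, n)
    print("digest signature verifies:", verify_digest(msg, sig, e, n))
```

`pow(e, -1, phi)` raises `ValueError` if e and f(n) are not coprime, which is the check key generation must make before accepting e.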

Digital Signature Standard (DSS)

• US Govt. approved signature scheme


• Designed by NIST & NSA in the early 90's
• Published as FIPS-186 in 1991
• Revised in 1993, 1996 & then 2000
• Uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• DSA is for digital signatures only, unlike RSA, which is a general public-key technique

Digital Signature Algorithm (DSA)

• Creates a 320-bit signature
• With 512-1024 bit security
• Smaller and faster than RSA
• It's a digital signature scheme only
• Security depends on the difficulty of computing discrete logarithms
• Variant of the ElGamal & Schnorr schemes

Advantages

– Authentication: Identification of the person who signed
– Integrity of data: Every change is detected
– Non-repudiation: The author has placed an encrypted signature on the message
– Speed: Contracts are easily written, completed, and signed by all concerned parties in a
small amount of time, no matter how far apart the parties are geographically

Disadvantages

• Expiry
• Certificate issue procedures
• Software compatibility

DSA Key Generation

• Have shared global public key values (p, q, g)
  - Choose a 160-bit prime number q
  - Choose a large prime p with 2^(L−1) < p < 2^L
    where L = 512 to 1024 bits and is a multiple of 64
    such that q is a 160-bit prime divisor of (p−1)
  - Choose g = h^((p−1)/q) mod p
    where 1 < h < p−1 and h^((p−1)/q) mod p > 1
• Users choose a private key and compute the public key
  - choose a random private key: x < q
  - compute the public key: y = g^x mod p


Signing and Verifying the digest

At Sender Side

1. A message digest is generated using a hash function
2. The message digest is encrypted using the sender's private key
3. The resulting encrypted digest is known as the digital signature
4. The digital signature is attached to the data or message and sent to the receiver

At Receiver Side

1. The receiver uses the sender's public key to decrypt the sender's digital signature to obtain
the message digest sent by the sender

2. The receiver computes a message digest of the received message using the same digest
algorithm used by the sender

3. Now the receiver compares these two message digests

4. If the message digests are equal then the signature is valid, else it is not


KEY MANAGEMENT
Symmetric Key Distribution
• Symmetric-key cryptography is more efficient than asymmetric-key cryptography for
enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• Example: If Alice needs to exchange confidential messages with N people, she needs N
different keys, and if N people need to exchange messages with each other, they need N(N−1) keys.
If 1 million people need to communicate with each other, they need more than a trillion keys.
• This problem is normally referred to as the N² problem, because the number of required keys for
N entities is on the order of N².
• We also have the problem of distributing keys through the internet, which is insecure.

Key Distribution Center: KDC

A practical solution to the above problem is the use of a trusted third party, referred to as a Key
Distribution Center (KDC).

1. Alice sends a request to the KDC stating that she needs a secret session key between her and
Bob.
2. The KDC informs Bob about Alice's request; if Bob agrees, a session key is created between them.


Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes unmanageable. To solve
the problem, we use multiple KDCs. We divide the world into domains.

Hierarchical Multiple KDCs

In this, KDCs are arranged in hierarchical model, the international KDC are at root, then national
next and local KDCs at lower level.

Session Keys
A KDC creates a secret key for each member. This secret key can be used only between the
member and the KDC, not between two members. A session symmetric key between two parties is
used only once.

Simple protocol Using a KDC


First approach using KDC


1. Alice sends a request to the KDC.
2. The KDC creates a ticket for Bob which is encrypted using Bob's key K_B. The ticket contains the
session key (K_AB).
3. Alice extracts Bob's ticket.
4. Alice sends the ticket to Bob. Bob opens the ticket and knows that Alice wants to send
messages to him using K_AB.
Drawback: Eve can use a replay attack at step 3.

Needham Schroeder Protocol


The Needham–Schroeder protocol is one of two key transport protocols intended for use over an
insecure network, both proposed by Roger Needham and Michael Schroeder. The Needham–
Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm, and it forms the
basis for the Kerberos protocol.

1. Alice sends a message to the KDC that includes her nonce, RA.
2. The KDC sends Alice an encrypted ticket for Bob, which contains the session key.
3. Alice sends Bob's ticket to him.
4. Bob sends his challenge (RB) to Alice, encrypted with the session key.
5. Alice responds to Bob's challenge.
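The five-message exchange above, and the reason nonces fix the replay weakness of the simple KDC protocol, can be followed in a small simulation. This is an added example written for these notes, not the textbook's or Kerberos' code: the cipher is a constructed toy (SHA-256 keystream plus an HMAC tag) standing in for a real authenticated cipher, the KDC, Alice and Bob are in-process objects, and all keys and nonces are generated on the spot.

```python
"""Constructed simulation of the Needham-Schroeder symmetric-key protocol.
The toy cipher below is an assumption for illustration only, not a real cipher."""
import hashlib, hmac, json, os

# --- toy authenticated encryption (stand-in for something like AES-GCM) ---
def _xor_keystream(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def toy_encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_keystream(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return _xor_keystream(key, nonce, ct)

def enc(key, obj): return toy_encrypt(key, json.dumps(obj).encode())
def dec(key, blob): return json.loads(toy_decrypt(key, blob))

class KDC:
    """Holds one long-term secret key per member, as described under 'Session Keys'."""
    def __init__(self): self.keys = {}
    def register(self, name):
        self.keys[name] = os.urandom(32); return self.keys[name]
    def handle_request(self, m1):                  # message 1 in, message 2 out
        a, b, ra = m1["from"], m1["to"], m1["nonce"]
        kab = os.urandom(32).hex()                 # fresh session key KAB
        ticket = enc(self.keys[b], {"from": a, "key": kab}).hex()   # readable only by Bob
        return enc(self.keys[a], {"nonce": ra, "to": b, "key": kab, "ticket": ticket})

class Bob:
    def __init__(self, key): self.key, self.kab, self.rb, self.done = key, None, None, False
    def receive_ticket(self, ticket):              # message 3 in, message 4 out
        t = dec(self.key, ticket)
        self.kab = bytes.fromhex(t["key"])
        self.rb = int.from_bytes(os.urandom(8), "big")
        return enc(self.kab, {"nonce": self.rb})   # challenge RB under KAB
    def receive_response(self, m5):                # message 5: expects RB - 1
        if dec(self.kab, m5)["nonce"] != self.rb - 1:
            raise ValueError("challenge not answered correctly")
        self.done = True

def alice_check_reply(ka, ra, m2):
    """Alice's freshness check on message 2: RA must be the nonce she just sent."""
    r = dec(ka, m2)
    if r["nonce"] != ra or r["to"] != "Bob":
        raise ValueError("stale or misdirected KDC reply")
    return bytes.fromhex(r["key"]), bytes.fromhex(r["ticket"])

def run_protocol():
    """Full run; returns True when both sides hold the same KAB and Bob is satisfied."""
    kdc = KDC(); ka, kb = kdc.register("Alice"), kdc.register("Bob"); bob = Bob(kb)
    ra = os.urandom(16).hex()
    m2 = kdc.handle_request({"from": "Alice", "to": "Bob", "nonce": ra})
    kab, ticket = alice_check_reply(ka, ra, m2)
    m4 = bob.receive_ticket(ticket)
    rb = dec(kab, m4)["nonce"]
    bob.receive_response(enc(kab, {"nonce": rb - 1}))
    return kab == bob.kab and bob.done

def replayed_reply_rejected():
    """A recorded message 2 fed into a later run fails Alice's nonce check."""
    kdc = KDC(); ka = kdc.register("Alice"); kdc.register("Bob")
    old_m2 = kdc.handle_request({"from": "Alice", "to": "Bob", "nonce": "old-nonce"})
    try:
        alice_check_reply(ka, os.urandom(16).hex(), old_m2)
    except ValueError:
        return True
    return False
```

The nonce RA is what distinguishes this from the simple protocol: a replayed KDC reply decrypts fine but carries the wrong nonce, so Alice discards it, and Bob's RB/RB-1 exchange gives him the same assurance that Alice currently holds KAB.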

SYMMETRIC KEY AGREEMENT

Alice and Bob can create a session key between themselves without using a KDC. This
method of session key creation is referred to as symmetric key agreement. Example:
Diffie-Hellman key agreement.

Diffie Hellman Key Agreement

In this method two parties create a symmetric key without the need for a KDC. Before establishing
the key, the two parties need to choose two numbers, p and g. The number p is a large number on
the order of 300 digits.

Steps:
1. Alice chooses a large random integer x and calculates R1 = g^x mod p.
2. Bob chooses another large random integer y and calculates R2 = g^y mod p.
3. Alice sends R1 to Bob and Bob sends R2 to Alice.
4. Alice calculates the key K = (R2)^x mod p.
5. Bob calculates the key K = (R1)^y mod p, where K is the symmetric key for the
session.
The symmetric key in the Diffie-Hellman method is K = g^(xy) mod p.

Diffie Hellman Key Agreement - EXAMPLE

Assume that g = 7 and p = 23. The steps are as follows:

1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob:
g^(xy) mod p = 7^18 mod 23 = 18.
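The worked example above, carried out in code, together with the general algorithm it is one instance of. This is an added example, not part of the original notes: the function names, the brute-force discrete-log search that shows what Eve faces when p is tiny, and the larger demonstration modulus (2^127 - 1, a known prime, chosen as an assumption for illustration and still far below the roughly 300-digit p the text asks for) are all mine.

```python
import secrets

def dh_public(g, p, secret):
    """R = g^secret mod p, using fast modular exponentiation."""
    return pow(g, secret, p)

def dh_shared(peer_public, secret, p):
    """K = (peer's R)^secret mod p; both sides obtain g^(xy) mod p."""
    return pow(peer_public, secret, p)

def textbook_example():
    """The notes' numbers: g = 7, p = 23, x = 3, y = 6."""
    g, p, x, y = 7, 23, 3, 6
    r1, r2 = dh_public(g, p, x), dh_public(g, p, y)
    k_alice, k_bob = dh_shared(r2, x, p), dh_shared(r1, y, p)
    assert k_alice == k_bob == pow(g, x * y, p)
    return r1, r2, k_alice            # (21, 4, 18)

def brute_force_dlog(g, p, r):
    """What an eavesdropper must solve: find x with g^x mod p == r.
    Exhaustive search is trivial for p = 23 and hopeless for a 300-digit p."""
    for x in range(p - 1):
        if pow(g, x, p) == r:
            return x
    return None

P_DEMO = 2**127 - 1   # Mersenne prime M127 (assumed demo modulus; too small for real use)
G_DEMO = 3

def random_agreement(p=P_DEMO, g=G_DEMO):
    """General case with freshly drawn secrets; True when both keys agree."""
    x = secrets.randbelow(p - 2) + 1
    y = secrets.randbelow(p - 2) + 1
    r1, r2 = dh_public(g, p, x), dh_public(g, p, y)
    return dh_shared(r2, x, p) == dh_shared(r1, y, p)
```

Running brute_force_dlog(7, 23, 21) recovers Alice's x = 3 immediately, which is exactly why the size of p, not the secrecy of g or p, is what protects the session key.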

KERBEROS
• Kerberos is an authentication protocol, and at the same time a KDC, that has become very
popular.
• Several systems, including Windows 2000, use Kerberos.
• Originally designed at MIT, it has gone through several versions.

KERBEROS Servers

Three servers are involved in the Kerberos protocol:

1. Authentication Server (AS)
2. Ticket-Granting Server (TGS)
3. Real Server

Authentication Server (AS)

• The authentication server (AS) is the KDC in the Kerberos protocol.
• Each user registers with the AS and is granted a user identity and a password.
• The AS verifies the user and issues a session key to be used between Alice and the TGS.
• It also sends Alice a ticket for the TGS.

Ticket-Granting Server (TGS)

• The ticket-granting server (TGS) issues a ticket for the real server (Bob).
• It also provides the session key between Alice and Bob.
• Kerberos has separated user verification from the issuing of tickets.
• Alice can contact the TGS multiple times to obtain tickets for different real servers.

Real Server

• The real server (Bob) provides services for the user (Alice).
• Kerberos is designed for client-server programs.
• Kerberos is not used for person-to-person authentication.

PUBLIC KEY DISTRIBUTION

In public-key cryptography, everyone keeps a private key secret and advertises a public key, and
everyone needs access to everyone else's public key: public keys are available to the public. So
public keys need to be distributed. The approaches are:
1. Public Announcement
2. Trusted Center
3. Controlled Trusted Center
4. Certification Authority
5. X.509
6. Public-Key Infrastructures (PKI)

Public Announcement: Announcing a public key

The normal method is to announce public keys publicly, but this is not secure.

Trusted Center: Directory of public keys

A more secure approach is to have a trusted center retain a directory of public keys.

Controlled Trusted Center

A higher level of security can be achieved when there are added controls on

Certificate Authority (CA)

If the number of requests is large, creating public-key certificates resolves the
issue. A certificate does two things:

1. People can learn the public key of a user.

2. A public key cannot be forged.

• A CA is a federal or state organization that binds a public key to an entity and issues a
certificate. The CA has a well-known public key of its own that cannot be forged.
• The CA collects the user's public key and writes it on the certificate. To prevent the certificate
itself from being forged, the CA signs the certificate with its private key.
• The CA solves the problem of public-key fraud.

X.509
Although the CA has solved the problem of public-key fraud, it has created a side effect:
certificates may have different formats. ITU therefore designed X.509, a way to describe a
certificate in a structured form. It uses the well-known notation ASN.1 (Abstract Syntax
Notation One).

A certificate has the following fields:

• Version
• Serial number
• Algorithm information
• Issuer distinguished name
• Validity period of the certificate
• Subject distinguished name
• Subject public key information
• Issuer unique identifier (optional)
• Subject unique identifier (optional)
• Extensions (optional)
• Signature
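Since X.509 certificates are ASN.1 structures, the fields above are carried as DER tag-length-value records. The following added example (not part of the notes and not a library's X.509 code) encodes a deliberately reduced "to-be-signed" structure holding only three of the fields listed above (version, serial number and validity period), then parses it back and checks whether a given time falls inside the validity period; the tag constants are the standard DER values, while the reduced layout, the function names and the sample serial number and dates are my own assumptions.

```python
import datetime

# --- DER (ASN.1 Distinguished Encoding Rules) tag-length-value helpers ---
SEQUENCE, INTEGER, UTCTIME, CTX0 = 0x30, 0x02, 0x17, 0xA0   # 0xA0 is [0] EXPLICIT

def der_len(n):
    """Short form for lengths < 128; long form 0x8N followed by N length bytes otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def der_integer(n):
    # two's complement, minimal length; a leading 0x00 is added when the high bit is set
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_utctime(dt):
    return tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_toy_tbs(serial, not_before, not_after):
    """Reduced TBSCertificate (assumed layout: version, serial number, validity only)."""
    version = tlv(CTX0, der_integer(2))            # X.509 v3 is encoded as INTEGER 2
    validity = tlv(SEQUENCE, der_utctime(not_before) + der_utctime(not_after))
    return tlv(SEQUENCE, version + der_integer(serial) + validity)

def der_read(data, pos):
    """Read one TLV at pos; rejects a length that runs past the buffer."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def der_tree(data):
    """Parse DER into nested (tag, value) tuples; constructed tags (bit 0x20) recurse."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = der_read(data, pos)
        out.append((tag, der_tree(value) if tag & 0x20 else value))
    return out

def parse_utctime(raw):
    return datetime.datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)

def summarize(tbs):
    version, serial, validity = der_tree(tbs)[0][1]       # children of the outer SEQUENCE
    return {
        "version": int.from_bytes(version[1][0][1], "big", signed=True) + 1,
        "serial": int.from_bytes(serial[1], "big", signed=True),
        "not_before": parse_utctime(validity[1][0][1]),
        "not_after": parse_utctime(validity[1][1][1]),
    }

def is_within_validity(tbs, now):
    """The validity-period check a verifier performs before trusting the certificate."""
    s = summarize(tbs)
    return s["not_before"] <= now <= s["not_after"]

# constructed sample: serial 4660 (0x1234), valid for calendar year 2024
DEMO_TBS = build_toy_tbs(4660, datetime.datetime(2024, 1, 1), datetime.datetime(2025, 1, 1))

def demo_checks():
    utc = datetime.timezone.utc
    s = summarize(DEMO_TBS)
    return (s["version"], s["serial"],
            is_within_validity(DEMO_TBS, datetime.datetime(2024, 6, 1, tzinfo=utc)),
            is_within_validity(DEMO_TBS, datetime.datetime(2025, 6, 1, tzinfo=utc)))
```

A real certificate carries the remaining fields (issuer and subject names, algorithm identifiers, the public key, extensions) as further nested SEQUENCEs inside the same outer structure, and the whole DER blob is what the CA's signature covers; the length check in der_read is the kind of bound a parser of untrusted certificate bytes must enforce.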

Certificate Revocation
A certificate may need to be revoked before its expiration date. There is a format for certificate revocation:

Public Key Infrastructure (PKI)

PKI is a model for creating, distributing and revoking certificates based on X.509.

The Internet Engineering Task Force (IETF) has created the PKI for X.509, called PKIX.

Several duties have been defined for PKI.
