UNIT IV Digital Signatures and Authentication Protocols

The document discusses digital signatures and authentication protocols. It describes the requirements and types of digital signatures, including direct digital signatures which involve only the communicating parties, and arbitrated digital signatures which involve a third party arbiter. It also discusses authentication protocols for mutual authentication between parties and one-way authentication where one party authenticates the other. The digital signature standard is described as using the secure hash algorithm. Examples of digital signature techniques are provided.
UNIT IV Digital Signatures and Authentication Protocols
• Digital Signatures
– Requirements
– Direct Digital Signature
– Arbitrated Digital Signature
• Authentication Protocols
– Mutual Authentication
– One-Way Authentication
• Digital Signature Standard
– The DSS Approach
– The Digital Signature Algorithm
Key Points
• A digital signature is an authentication mechanism that
enables the creator of a message to attach a code that acts as
a signature.
• The signature is formed by taking the hash of the message
and encrypting the message with the creator's private key.
• The signature guarantees the source and integrity of the
message.
• Mutual authentication protocols enable communicating
parties to satisfy themselves mutually about each other's
identity and to exchange session keys.
• In one-way authentication, the recipient wants some
assurance that a message is from the alleged sender.
• The digital signature standard (DSS) is an NIST standard that
uses the secure hash algorithm (SHA).
Digital Signatures - Requirements

• Message authentication protects two parties who exchange messages
from any third party. However, it does not protect the two parties
against each other.
• Several forms of dispute between the two are
possible.
Example
• John sends an authenticated message to Mary, using any one of the message
authentication schemes. The following disputes could arise:
1. Mary may forge a different message and claim that it came from John. Mary
would simply have to create a message and append an authentication code
using the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge
a message, there is no way to prove that John did in fact send the message.

• Both scenarios are of legitimate concern.
• Here is an example of the first scenario: An electronic funds transfer takes
place, and the receiver increases the amount of funds transferred and
claims that the larger amount had arrived from the sender.
• An example of the second scenario is that an electronic mail message
contains instructions to a stockbroker for a transaction that subsequently
turns out badly. The sender pretends that the message was never sent.
Digital Signatures - Requirements
• In situations where there is not complete trust between
sender and receiver, something more than authentication is
needed.
• The most attractive solution to this problem is the digital
signature. The digital signature is analogous to the
handwritten signature.
• It must have the following properties:
1. It must verify the author and the date and time of the
signature.
2. It must authenticate the contents at the time of the
signature.
3. It must be verifiable by third parties, to resolve disputes.
• Thus, the digital signature function includes the authentication
function.
Requirements for a Digital Signature
• The signature must be a bit pattern that depends on the
message being signed.
• The signature must use some information unique to the
sender, to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital
signature.
• It must be computationally infeasible to forge a digital
signature, either by constructing a new message for an existing
digital signature or by constructing a fraudulent digital
signature for a given message.
• It must be practical to retain a copy of the digital signature in
storage.
Direct Digital Signature
• The direct digital signature involves only the communicating
parties (source, destination).
• It is assumed that the destination knows the public key of the
source.
• A digital signature may be formed by encrypting the entire
message with the sender's private key or by encrypting a hash
code of the message with the sender's private key.
• Confidentiality can be provided by further encrypting the
entire message plus signature with either the receiver's public
key (public-key encryption) or a shared secret key (symmetric
encryption).
• Note that it is important to perform the signature function
first and then an outer confidentiality function.
Direct Digital Signature
• In case of dispute, some third party must view the message
and its signature. If the signature is calculated on an
encrypted message, then the third party also needs access to
the decryption key to read the original message. However, if
the signature is the inner operation, then the recipient can
store the plaintext message and its signature for later use in
dispute resolution.
• The validity of the scheme depends on the security of the
sender's private key.
• If a sender later wishes to deny sending a particular message,
the sender can claim that the private key was lost or stolen
and that someone else forged his or her signature.
Direct Digital Signature
• One countermeasure is to require every signed message to include a
timestamp (date and time) and to require prompt reporting
of compromised keys to a central authority.
• Another threat is that some private key might actually be
stolen from X at time T.
• The opponent can then send a message signed with X's
signature and stamped with a time before or equal to T.
Arbitrated Digital Signature
• The problems associated with direct digital signatures can be addressed by
using an arbiter.
• Every signed message from a sender X to a receiver Y goes first to an arbiter
A, who subjects the message and its signature to a number of tests to check
its origin and content.
• The message is then dated and sent to Y with an indication that it has been
verified to the satisfaction of the arbiter.
• The presence of A solves the problem faced by direct signature schemes:
that X might disown the message.
• The arbiter plays a sensitive and crucial role in this sort of scheme, and all
parties must have a great deal of trust that the arbitration mechanism is
working properly.
Arbitrated Digital Signature Techniques
(1) X → A: M||E(Kxa, [IDX||H(M)])
(2) A → Y: E(Kay, [IDX||M||E(Kxa, [IDX||H(M)])||T])
(a) Conventional Encryption, Arbiter Sees Message
(1) X → A: IDX||E(Kxy, M)||E(Kxa, [IDX||H(E(Kxy, M))])
(2) A → Y: E(Kay, [IDX||E(Kxy, M)||E(Kxa, [IDX||H(E(Kxy, M))])||T])
(b) Conventional Encryption, Arbiter Does Not See Message
(1) X → A: IDX||E(PRx, [IDX||E(PUy, E(PRx, M))])
(2) A → Y: E(PRa, [IDX||E(PUy, E(PRx, M))||T])
(c) Public-Key Encryption, Arbiter Does Not See Message
X = Sender; Y = Recipient; A = Arbiter; M = Message; T = Timestamp
Arbitrated Digital Signature Techniques
• Table gives several examples of arbitrated digital signatures.
• In the first, symmetric encryption is used.
• It is assumed that the sender X and the arbiter A share a secret key Kxa and that A and Y
share secret key Kay.
• X constructs a message M and computes its hash value H(M).
• Then X transmits the message plus a signature to A.
• The signature consists of an identifier IDX of X plus the hash value, all encrypted using
Kxa.
• A decrypts the signature and checks the hash value to validate the message.
• Then A transmits a message to Y, encrypted with Kay.
• The message includes IDX, the original message from X, the signature, and a timestamp.
• Y can decrypt this to recover the message and the signature. The timestamp
informs Y that this message is timely and not a replay.
• Y can store M and the signature. In case of dispute, Y, who claims to have received M
from X, sends the following message to A:
• E(Kay, [IDX||M||E(Kxa, [IDX||H(M)])])
Arbitrated Digital Signature Techniques
• The arbiter uses Kay to recover IDX, M, and the signature, and then uses
Kxa to decrypt the signature and verify the hash code.
• In this scheme, Y cannot directly check X's signature; the signature is there
solely to settle disputes.
• Y considers the message from X authentic because it comes through A.
• In this scenario, both sides must have a high degree of trust in A:
– X must trust A not to reveal Kxa and not to generate false signatures
of the form E(Kxa, [IDX||H (M)]).
– Y must trust A to send E(Kay, [IDX||M||E(Kxa, [IDX||H(M)])||T]) only
if the hash value is correct and the signature was generated by X.
– Both sides must trust A to resolve disputes fairly.

• If the arbiter does live up to this trust, then X is assured that no one can
forge his signature and Y is assured that X cannot disavow his signature.
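Scheme (a) of the table, worked through as an added example that is not part of the original slides: a toy authenticated encryption built from SHA-256 and HMAC stands in for E(K, .), length-prefixed concatenation stands in for ||, and the keys, message and timestamp values are constructed. It shows A's check in step (1), Y's timeliness check on T in step (2), and how A settles the funds-transfer dispute from the slides when Y claims a larger amount came from X.

```python
import hashlib, hmac, os, struct

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 in counter mode as a keystream: a toy stand-in for the slides' E(K, .)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return out[:n]

def E(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: XOR keystream, then HMAC tag over nonce||ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

def cat(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, standing in for the || operator."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def split(buf: bytes):
    out = []
    while buf:
        (n,) = struct.unpack(">I", buf[:4])
        out.append(buf[4:4 + n])
        buf = buf[4 + n:]
    return out

ID_X = b"X"
H = lambda m: hashlib.sha256(m).digest()

def x_sign(kxa: bytes, m: bytes):
    """(1) X -> A: M || E(Kxa, [IDX || H(M)])"""
    return m, E(kxa, cat(ID_X, H(m)))

def arbiter_forward(kxa: bytes, kay: bytes, m: bytes, sig: bytes, t: int) -> bytes:
    """A checks origin and content, then (2) A -> Y: E(Kay, [IDX || M || sig || T])."""
    idx, h = split(D(kxa, sig))
    if idx != ID_X or not hmac.compare_digest(h, H(m)):
        raise ValueError("arbiter: signature does not match message")
    return E(kay, cat(idx, m, sig, struct.pack(">Q", t)))

def y_receive(kay: bytes, msg: bytes, now: int, window: int):
    """Y recovers M and the signature, using T to reject messages outside the window."""
    idx, m, sig, t = split(D(kay, msg))
    if abs(now - struct.unpack(">Q", t)[0]) > window:
        raise ValueError("Y: message is not timely (possible replay)")
    return idx, m, sig          # Y stores M and sig for later dispute resolution

def arbiter_resolve(kxa: bytes, kay: bytes, claim: bytes) -> bool:
    """Dispute: Y sends E(Kay, [IDX || M || sig]); A re-checks the inner signature with Kxa."""
    idx, m, sig = split(D(kay, claim))
    idx2, h = split(D(kxa, sig))
    return idx == idx2 == ID_X and hmac.compare_digest(h, H(m))

def demo():
    kxa, kay = os.urandom(32), os.urandom(32)                # X-A and A-Y shared keys
    m, sig = x_sign(kxa, b"transfer 100 to account 42")      # constructed sample message
    fwd = arbiter_forward(kxa, kay, m, sig, t=1000)
    idx, m_y, sig_y = y_receive(kay, fwd, now=1005, window=60)
    genuine = arbiter_resolve(kxa, kay, E(kay, cat(idx, m_y, sig_y)))
    # Y claims a larger amount arrived from X: the hash inside X's signature no longer matches
    forged = arbiter_resolve(kxa, kay, E(kay, cat(idx, b"transfer 900 to account 42", sig_y)))
    return genuine, forged
```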
Arbitrated Digital Signature Techniques
• Table (b) shows a scenario that provides the arbitration as before but also
assures confidentiality.
• In this case it is assumed that X and Y share the secret key Kxy.
• Now, X transmits an identifier, a copy of the message encrypted with Kxy,
and a signature to A.
• The signature consists of the identifier plus the hash value of the
encrypted message, all encrypted using Kxa.
• As before, A decrypts the signature and checks the hash value to validate
the message. In this case, A is working only with the encrypted version of
the message and is prevented from reading it. A then transmits everything
that it received from X, plus a timestamp, all encrypted with Kay, to Y.
• Although unable to read the message, the arbiter is still in a position to
prevent fraud on the part of either X or Y.
Arbitrated Digital Signature Techniques
• All the problems just discussed can be resolved by going to a public-key
scheme, one version of which is shown in Table (c).
• In this case, X double encrypts a message M first with X's private key, PRx,
and then with Y's public key, PUy. This is a signed, secret version of the
message.
• This signed message, together with X's identifier, is encrypted again with
PRx and, together with IDX, is sent to A. The inner, double-encrypted
message is secure from the arbiter (and everyone else except Y).
However, A can decrypt the outer encryption to assure that the message
must have come from X (because only X has PRx). A checks to make sure that
X's private/public key pair is still valid and, if so, verifies the message.
• Then A transmits a message to Y, encrypted with PRa. The message
includes IDX, the double-encrypted message, and a timestamp.
Arbitrated Digital Signature Techniques
• This scheme has a number of advantages over the preceding
two schemes.
• First, no information is shared among the parties before
communication, preventing alliances to defraud.
• Second, no incorrectly dated message can be sent, even if PRx
is compromised, assuming that PRa is not compromised.
Finally, the content of the message from X to Y is secret from
A and anyone else.
• However, this final scheme involves encryption of the
message twice with a public-key algorithm.
Authentication Protocols - Mutual Authentication
• An important application area is that of mutual authentication
protocols. Such protocols enable communicating parties to
satisfy themselves mutually about each other's identity and to
exchange session keys.
• This topic was examined in symmetric techniques and public
key techniques. There, the focus was key distribution.
• Central to the problem of authenticated key exchange are two
issues: confidentiality and timeliness.
• To prevent masquerade and to prevent compromise of session
keys, essential identification and session key information must
be communicated in encrypted form.
Authentication Protocols - Mutual Authentication
• This requires the prior existence of secret or public keys that
can be used for this purpose.
• The second issue, timeliness, is important because of the
threat of message replays. Such replays, at worst, could allow
an opponent to compromise a session key or successfully
impersonate another party.
• At minimum, a successful replay can disrupt operations by
presenting parties with messages that appear genuine but are
not.
Examples of Replay Attacks
• Simple replay: The opponent simply copies a message and
replays it later.
• Repetition that can be logged: An opponent can replay a
timestamped message within the valid time window.
• Repetition that cannot be detected: This situation could arise
because the original message could have been suppressed and
thus did not arrive at its destination; only the replay message
arrives.
• Backward replay without modification: This is a replay back to
the message sender. This attack is possible if symmetric
encryption is used and the sender cannot easily recognize the
difference between messages sent and messages received on
the basis of content.
Authentication Protocols - Mutual Authentication

• One approach to coping with replay attacks is to attach a sequence number to
each message used in an authentication exchange.
• A new message is accepted only if its sequence number is in the proper order.
• The difficulty with this approach is that it requires each party to keep track of the
last sequence number for each claimant it has dealt with. Because of this
overhead, sequence numbers are generally not used for authentication and key
exchange. Instead, one of the following two general approaches is used:
• Timestamps: Party A accepts a message as fresh only if the message contains a
timestamp that, in A's judgment, is close enough to A's knowledge of current time.
This approach requires that clocks among the various participants be
synchronized.
• Challenge/response: Party A, expecting a fresh message from B, first sends B a
nonce (challenge) and requires that the subsequent message (response) received
from B contain the correct nonce value.
Authentication Protocols - Mutual Authentication

• It can be argued that the timestamp approach should not be used for
connection oriented applications because of the inherent difficulties with
this technique.
• First, some sort of protocol is needed to maintain synchronization among
the various processor clocks.
• This protocol must be both fault tolerant, to cope with network errors,
and secure, to cope with hostile attacks.
• Second, the opportunity for a successful attack will arise if there is a
temporary loss of synchronization resulting from a fault in the clock
mechanism of one of the parties.
• Finally, because of the variable and unpredictable nature of network
delays, distributed clocks cannot be expected to maintain precise
synchronization. Therefore, any timestamp-based procedure must allow
for a window of time sufficiently large to accommodate network delays
yet sufficiently small to minimize the opportunity for attack.
Authentication Protocols - Mutual Authentication

• On the other hand, the challenge-response approach
is unsuitable for a connectionless type of application
because it requires the overhead of a handshake
before any connectionless transmission, effectively
negating the chief characteristic of a connectionless
transaction.
• For such applications, reliance on some sort of
secure time server and a consistent attempt by each
party to keep its clocks in synchronization may be
the best approach.
Symmetric Encryption Approaches
• A two-level hierarchy of symmetric encryption keys can be used to
provide confidentiality for communication in a distributed environment.
• This strategy involves the use of a trusted key distribution center (KDC).
• Each party in the network shares a secret key, known as a master key,
with the KDC.
• The KDC is responsible for generating keys to be used for a short time
over a connection between two parties, known as session keys, and for
distributing those keys using the master keys to protect the distribution.
• Example: Kerberos.
Symmetric Encryption Approaches
1. A → KDC: IDA||IDB||N1
2. KDC → A: E(Ka, [Ks||IDB||N1||E(Kb, [Ks||IDA])])
3. A → B: E(Kb, [Ks||IDA])
4. B → A: E(Ks, N2)
5. A → B: E(Ks, f(N2))
Symmetric Encryption Approaches
• Secret keys Ka and Kb are shared between A and the KDC and B and the KDC,
respectively.
• The purpose of the protocol is to distribute securely a session key Ks to A and B. A
securely acquires a new session key in step 2.
• The message in step 3 can be decrypted, and hence understood, only by B.
• Step 4 reflects B's knowledge of Ks, and step 5 assures B of A's knowledge of Ks and
assures B that this is a fresh message because of the use of the nonce N2.
• The purpose of steps 4 and 5 is to prevent a certain type of replay attack.
• Despite the handshake of steps 4 and 5, the protocol is still vulnerable to a form of
replay attack.
Suppose that an opponent, X, has been able to compromise an old session key.
Admittedly, this is a much more unlikely occurrence than that an opponent has simply
observed and recorded step 3. Nevertheless, it is a potential security risk. X can
impersonate A and trick B into using the old key by simply replaying step 3. Unless B
remembers indefinitely all previous session keys used with A, B will be unable to
determine that this is a replay. If X can intercept the handshake message, step 4, then
it can impersonate A's response, step 5. From this point on, X can send bogus
messages to B that appear to B to come from A using an authenticated session key.
Symmetric Encryption Approaches

• Denning proposes to overcome this weakness by a modification to the
Needham/Schroeder protocol that includes the addition of a
timestamp to steps 2 and 3.
• It assumes that the master keys, Ka and Kb, are secure, and it consists
of the following steps:
Symmetric Encryption Approaches
1. A → KDC: IDA||IDB
2. KDC → A: E(Ka, [Ks||IDB||T||E(Kb, [Ks||IDA||T])])
3. A → B: E(Kb, [Ks||IDA||T])
4. B → A: E(Ks, N1)
5. A → B: E(Ks, f(N1))

• T is a timestamp that assures A and B that the session key has only just been
generated. Thus, both A and B know that the key distribution is a fresh exchange.
• A and B can verify timeliness by checking that |Clock − T| < ∆t1 + ∆t2, where ∆t1 is
the estimated normal discrepancy between the KDC's clock and the local clock (at
A or B) and ∆t2 is the expected network delay time.
• Because timestamp T is encrypted using the secure master keys, an opponent, even with
knowledge of an old session key, cannot succeed: a replay of step 3 will be
detected by B as untimely.
Symmetric Encryption Approaches
• The Denning protocol provides an increased degree of security
compared to the Needham/Schroeder protocol.
• It requires reliance on clocks that are synchronized throughout
the network.
• The risk is based on the fact that the distributed clocks can
become unsynchronized as a result of sabotage on or faults in
the clocks or the synchronization mechanism.
• The problem occurs when a sender's clock is ahead of the
intended recipient's clock. In this case, an opponent can
intercept a message from the sender and replay it later when
the timestamp in the message becomes current at the
recipient's site. This replay could cause unexpected results.
Gong refers to such attacks as suppress-replay attacks.
Symmetric Encryption Approaches
• One way to counter suppress-replay attacks is to
enforce the requirement that parties regularly check
their clocks against the KDC's clock.
• The other alternative, which avoids the need for clock
synchronization, is to rely on handshaking protocols
using nonces.
• This latter alternative is not vulnerable to a suppress-
replay attack because the nonces the recipient will
choose in the future are unpredictable to the sender.
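Denning's freshness test |Clock − T| < ∆t1 + ∆t2 and Gong's suppress-replay scenario, worked through as an added example that is not part of the original slides. It models only the plaintext B sees after decrypting the step-3 message with Kb (the encryption itself is not modelled); the window constants DT1 and DT2 and all clock values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DT1 = 5    # assumed normal discrepancy between the KDC's clock and a local clock, seconds (constructed)
DT2 = 10   # assumed network delay, seconds (constructed)

@dataclass(frozen=True)
class Ticket:
    """Plaintext of step 3 after B has decrypted it with Kb."""
    ks: bytes
    id_a: str
    t: Optional[int] = None   # Denning adds the timestamp T; Needham/Schroeder has none

def timely(local_clock: int, t: int, dt1: int = DT1, dt2: int = DT2) -> bool:
    """Denning's freshness test from the slides: |Clock - T| < dt1 + dt2."""
    return abs(local_clock - t) < dt1 + dt2

def b_accepts(b_clock: int, ticket: Ticket) -> bool:
    """B's decision on a step-3 ticket. Without T (Needham/Schroeder) B has nothing to
    judge freshness by and accepts; with T (Denning) B applies the clock window."""
    return True if ticket.t is None else timely(b_clock, ticket.t)

def needham_schroeder_replay() -> Tuple[bool, bool]:
    """Opponent X, who has compromised an old Ks, replays the old step-3 message a day later."""
    old = Ticket(ks=b"old-session-key", id_a="A")      # constructed: issued at B-clock 1000
    return b_accepts(1000, old), b_accepts(1000 + 86400, old)

def denning_replay() -> Tuple[bool, bool]:
    """Same replay against the Denning protocol: the old T falls outside B's window."""
    old = Ticket(ks=b"old-session-key", id_a="A", t=1000)
    return b_accepts(1005, old), b_accepts(1000 + 86400, old)

def suppress_replay(kdc_ahead_by: int, replay_delay: int) -> Tuple[bool, bool]:
    """Gong's suppress-replay attack. The KDC's clock runs kdc_ahead_by seconds ahead of
    B's, so T is stamped in B's future. X suppresses the genuine step 3 and replays it
    replay_delay seconds later, when the stale timestamp has become current at B.
    With kdc_ahead_by == 0 (B keeps its clock checked against the KDC) the replay is stale."""
    b_now = 1000
    ticket = Ticket(ks=b"k1", id_a="A", t=b_now + kdc_ahead_by)
    at_delivery = b_accepts(b_now, ticket)                 # genuine message as first sent
    at_replay = b_accepts(b_now + replay_delay, ticket)    # the delayed replay
    return at_delivery, at_replay
```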
Public-Key Encryption Approaches
• A protocol using timestamps is provided in
1. A → AS: IDA||IDB
2. AS → A: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])
3. A → B: E(PRas, [IDA||PUa||T])||E(PRas, [IDB||PUb||T])||E(PUb, E(PRa, [Ks||T]))
• This protocol is compact but, as before, requires synchronization of clocks.
Public-Key Encryption Approaches
• Another approach, proposed by Woo and Lam makes use of
nonces. The protocol consists of the following steps:
1. A → KDC: IDA||IDB
2. KDC → A: E(PRauth, [IDB||PUb])
3. A → B: E(PUb, [Na||IDA])
4. B → KDC: IDA||IDB||E(PUauth, Na)
5. KDC → B: E(PRauth, [IDA||PUa])||E(PUb, E(PRauth, [Na||Ks||IDB]))
6. B → A: E(PUa, E(PRauth, [(Na||Ks||IDB)||Nb]))
7. A → B: E(Ks, Nb)