Authentication Requirements
- must be able to verify that:
  - Message came from its alleged source or author
  - Contents have not been altered
  - Sometimes, it was sent at a certain time or sequence
- Protection against active attack (falsification of data and transactions)
- Two levels for message authentication mechanism
  - Lower level: authenticator, a value to be used to authenticate a message
  - Higher level: an authentication protocol that enables a receiver to verify the authenticity of the message

Approaches to Message Authentication
- Authentication Using Conventional Encryption
  - Only the sender and receiver should share a key
- Message Authentication without Message Encryption
  - An authentication tag is generated and appended to each message
  - Two ways
    - Message Authentication Code (MAC)
    - Hash function (or message digest)

Message Authentication Code
- generated by an algorithm that creates a small fixed-sized block
  - depending on both message and some key
  - like encryption, though need not be reversible
- appended to message as a signature
- receiver performs same computation on message and checks it matches the MAC
- provides assurance that message is unaltered and comes from sender

Message Authentication Code
- Calculate the MAC as a function of the message and the key, i.e. MAC = F_K(M)

MAC Properties
- a MAC is a cryptographic checksum: MAC = F_K(M)
  - condenses a variable-length message M
  - using a secret key K
  - to a fixed-sized authenticator
- is a many-to-one function
  - potentially many messages have same MAC
  - but finding these needs to be very difficult

Requirements for MACs
- taking into account the types of attacks, need the MAC to satisfy the following:
  1. knowing a message and MAC, is infeasible to find another message with same MAC
  2. MACs should be uniformly distributed
  3. MAC should depend equally on all bits of the message

Approaches to constructing MACs
- Using DES
- HMAC

Hash Functions
- condenses arbitrary message to fixed size
- usually assume that the hash function is public and not keyed
  - cf. MAC which is keyed
- hash used to detect changes to message
- can use in various ways with message
- most often to create a digital signature

Authentication Using Hash
- Secret value is added before the hash and removed before transmission.

Hash Function Properties
- a hash function produces a fingerprint of some file/message/data: h = H(M)
  - condenses a variable-length message M
  - to a fixed-sized fingerprint
- hash function assumed to be public

Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h, is infeasible to find x s.t. H(x) = h (one-way property)
5. given x, is infeasible to find y s.t. H(y) = H(x) (weak collision resistance)
6. is infeasible to find any x, y s.t. H(y) = H(x) (strong collision resistance)

Secure Hash Functions and HMAC
- Secure Hash Functions
  - Secure Hash Algorithm (SHA-1)
    - NIST standard (FIPS 180-1), issued in 1995
    - Input: message length (< 2^64); Output: 160-bit MD
  - MD5
  - RIPEMD-160
- HMAC
  - Developing a MAC derived from a cryptographic hash code, such as SHA-1.
  - Used in IP security, Transport Layer Security (TLS) and Secure Electronic Transaction (SET).

Authentication Applications
- will consider authentication functions
- developed to support application-level authentication & digital signatures
- will consider Kerberos, a private-key authentication service
- then X.509 directory authentication service

KERBEROS
- In Greek mythology, a many-headed dog, the guardian of the entrance of Hades

KERBEROS
- Users wish to access services on servers.
- Three threats exist:
  - User pretends to be another user.
  - User alters the network address of a workstation.
  - User eavesdrops on exchanges and uses a replay attack.

KERBEROS
- Provides a centralized authentication server to authenticate users to servers and servers to users.
- Relies on conventional encryption, making no use of public-key encryption
- Two versions: version 4 and 5
- Version 4 makes use of DES

Kerberos Version 4
Terms:
- C = Client
- AS = authentication server
- V = server
- ID_c = identifier of user on C
- ID_v = identifier of V
- P_c = password of user on C
- AD_c = network address of C
- K_v = secret encryption key shared by AS and V
- TS = timestamp
- || = concatenation

A Simple Authentication Dialogue
(1) C -> AS: ID_c || P_c || ID_v
(2) AS -> C: Ticket
(3) C -> V: ID_c || Ticket
Ticket = E_Kv[ID_c || AD_c || ID_v]
Two problems
- The number of times a user has to enter a password
- Plaintext transmission of the password

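The three-step dialogue above as a runnable sketch, showing what V checks when it opens the ticket. This is an added example, not part of the original slides: the user, server names, addresses and the "|" field separator are constructed, and seal/unseal is a standard-library stand-in (an assumption) for the DES encryption E_Kv used by Kerberos version 4.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):
    # SHA-256 in counter mode as a keystream (fine for short tickets only).
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, ks))

def seal(key, plaintext):
    """Stand-in for E_K[...]: encrypt, then append an HMAC tag."""
    nonce = os.urandom(16)
    body = _xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("ticket was not sealed under this key")
    return _xor(key, nonce, body)

# Constructed sample state: the AS password table and the K_v of each server.
PASSWORDS = {"alice": "correct horse"}
K_V = {"mail": os.urandom(32), "print": os.urandom(32)}

def as_issue(id_c, p_c, id_v, ad_c):
    """Steps (1)-(2): AS checks P_c (received in plaintext, one of the two
    problems noted above) and returns Ticket = E_Kv[ID_c || AD_c || ID_v]."""
    expected = PASSWORDS.get(id_c)
    if expected is None or not hmac.compare_digest(expected.encode(), p_c.encode()):
        raise PermissionError("unknown user or wrong password")
    return seal(K_V[id_v], "|".join((id_c, ad_c, id_v)).encode())

def v_accept(id_v, id_c, ticket, source_addr):
    """Step (3): V opens the ticket with its own K_v and compares the
    fields inside with the claimed ID_c and the packet's source address."""
    try:
        t_c, t_ad, t_v = unseal(K_V[id_v], ticket).decode().split("|")
    except ValueError:  # bad tag, undecodable bytes, or wrong field count
        return False
    return (t_c, t_ad, t_v) == (id_c, source_addr, id_v)
```

Because AD_c sits inside the ticket, the same ticket presented from another address, under another user name, or to another server is rejected by `v_accept`.
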
The Idea towards Solution
- Introducing a ticket-granting server (TGS)
- The user first requests a ticket-granting ticket (Ticket_tgs) from the AS;
- The user then authenticates itself to TGS for a ticket (Ticket_v) for accessing new service;
- The user finally authenticates itself to V for requesting a particular service.

Kerberos - in practice
- Currently have two Kerberos versions:
  - 4: restricted to a single realm
  - 5: allows inter-realm authentication, in beta test
- Kerberos v5 is an Internet standard
  - specified in RFC 1510, and used by many utilities
- To use Kerberos:
  - need to have a KDC on your network
  - need to have Kerberised applications running on all participating systems
  - major problem - US export restrictions
  - Kerberos cannot be directly distributed outside the US in source format (& binary versions must obscure crypto routine entry points and have no encryption)
  - else crypto libraries must be reimplemented locally

X.509 Authentication Service
- Distributed set of servers that maintains a database about users.
- Each certificate contains the public key of a user and is signed with the private key of a CA.
- Is used in S/MIME, IP Security, SSL/TLS and SET.
- Use of RSA is recommended.

Obtaining a User's Certificate
- Characteristics of certificates generated by CA:
  - Any user with access to the public key of the CA can recover the user public key that was certified.
  - No party other than the CA can modify the certificate without this being detected.

Revocation of Certificates
- Reasons for revocation:
  - The user's secret key is assumed to be compromised.
  - The user is no longer certified by this CA.
  - The CA's certificate is assumed to be compromised.