Cryptography and Network Security


1 Cryptography and Network Security
Digital Signatures and Authentication Protocols

2 Chapter 13 – Digital Signatures & Authentication Protocols
To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded. —The Golden Bough, Sir James George Frazer

3 Requirements
Message authentication protects two parties who exchange messages from any third party. It does not protect the two parties against each other. Several forms of dispute between the two are possible.

4 Mary may forge a different message and claim that it came from John
Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.

5 Where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. The digital signature is analogous to the handwritten signature.

6 Properties
It must verify the author and the date and time of the signature. It must authenticate the contents at the time of the signature. It must be verifiable by third parties, to resolve disputes.

7 Requirements
The signature must be a bit pattern that depends on the message being signed. The signature must use some information unique to the sender, to prevent both forgery and denial. It must be relatively easy to produce the digital signature.

8 Requirements
It must be relatively easy to recognize and verify the digital signature. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. It must be practical to retain a copy of the digital signature in storage.

9 Approaches
Direct Digital Signature; Arbitrated Digital Signature

10 Direct Digital Signature
Involves only the communicating parties. The destination knows the public key of the source. The digital signature is formed by encrypting the entire message with the sender’s private key.

11 Public Key Encryption: Authentication and Signature

12 Authentication and Digital Signature using public key encryption

13 Public Key Encryption: Confidentiality, Authentication and Signature

14 Confidentiality and Digital Signature

15 Weakness
The validity of the scheme depends on the security of the sender’s private key. If a sender wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature. Administrative controls relating to the security of private keys can be employed to thwart or at least weaken this ploy, but the threat is still there, at least to some degree. One example is to require every signed message to include a timestamp (date and time) and to require prompt reporting of compromised keys to a central authority.

16 Another threat is that some private key might actually be stolen from ‘X’ at time ‘T’. The opponent can then send a message signed with X's signature and stamped with a time before or equal to T.

17 Arbitrated Digital Signature
Every signed message from a sender ‘X’ to a receiver ‘Y’ goes first to an arbiter ‘A’. The message is then dated and sent to ‘Y’ with an indication that it has been verified to the satisfaction of the arbiter. The presence of ‘A’ solves the problem faced by direct signature schemes: that ‘X’ might disown the message.

18 The arbiter plays a sensitive and crucial role
All parties must have a great deal of trust that the arbitration mechanism is working properly.

20 Conventional Encryption
‘X’ must trust ‘A’ not to reveal $K_{xa}$ and not to generate false signatures of the form $E(K_{xa}, [ID_X \| H(M)])$. ‘Y’ must trust ‘A’ to send $E(K_{ay}, [ID_X \| M \| E(K_{xa}, [ID_X \| H(M)]) \| T])$ only if the hash value is correct and the signature was generated by ‘X’. Both sides must trust ‘A’ to resolve disputes fairly.

21 Authentication Protocol
Mutual authentication; one-way authentication

22 Mutual Authentication
Enables communicating parties to satisfy themselves mutually about each other’s identity and to exchange session keys. Key distribution. The major problems of authenticated key exchange are confidentiality and timeliness.

23 To prevent masquerade, session key and identity information must be communicated in encrypted form. Timeliness is important because of the threat of message replays. Replays allow an opponent to compromise a session key or successfully impersonate another party.

24 Examples of replay attacks
Simple replay: The opponent simply copies a message and replays it later. Repetition that can be logged: An opponent can replay a timestamped message within the valid time window. Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives.

25 Examples of replay attacks
Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.

26 One approach to coping with replay attacks is to attach a sequence number to each message
A new message is accepted only if its sequence number is in the proper order. Each party has to keep track of the last sequence numbers. Other approaches: timestamps; challenge / response.

27 Timestamps
Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time. This approach requires that clocks among the various participants be synchronized.

28 Challenge / Response
Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.

29 Timestamp approach should not be used for connection-oriented applications
Challenge and Response is unsuitable for connectionless applications

30 Using Symmetric Encryption
Can use a two-level hierarchy of keys with a trusted Key Distribution Center (KDC). Each party shares its own master key with the KDC. The KDC generates session keys used for connections between parties; master keys are used to distribute these to them.

31 Needham-Schroeder Protocol
The original third-party key distribution protocol. The session between A & B is mediated by the KDC. Purpose: to distribute the session key securely between two parties. This is the original, basic key exchange protocol. Used by two parties who both trust a common key server, it gives one party the information needed to establish a session key with the other. Note that since the key server chooses the session key, it is capable of reading or forging any messages between A & B, which is why they need to trust it absolutely. Note that all communication is between A & KDC and A & B; B & KDC don't talk directly (though indirectly a message passes from KDC via A to B, encrypted in B's key so that A is unable to read or alter it). Other variations of key distribution protocols can involve direct communications between B & KDC.

33
1. $A \to KDC$: $ID_A \| ID_B \| N_1$
2. $KDC \to A$: $E_{K_a}[K_s \| ID_B \| N_1 \| E_{K_b}[K_s \| ID_A]]$
3. $A \to B$: $E_{K_b}[K_s \| ID_A]$
4. $B \to A$: $E_{K_s}[N_2]$
5. $A \to B$: $E_{K_s}[f(N_2)]$

34 Needham-Schroeder Protocol
Vulnerable to a replay attack: if an old session key has been compromised, then message 3 can be resent, convincing B that it is communicating with A. Modifications to address this problem: timestamps (Denning 81); nonces (Neuman 93). There is a critical flaw in the protocol, as shown. This emphasises the need to be extremely careful in codifying assumptions and in tracking the timeliness of the flow of information in protocols. Designing secure protocols is not easy and should not be done lightly; great care and analysis are needed.

35 Denning Method
Overcomes the weakness through a modification to the Needham / Schroeder protocol: a timestamp is included in steps (2) and (3).
1. $A \to KDC$: $ID_A \| ID_B$
2. $KDC \to A$: $E_{K_a}[K_s \| ID_B \| T \| E_{K_b}[K_s \| ID_A \| T]]$
3. $A \to B$: $E_{K_b}[K_s \| ID_A \| T]$
4. $B \to A$: $E_{K_s}[N_1]$
5. $A \to B$: $E_{K_s}[f(N_1)]$

36 The risk is based on the fact that the distributed clocks can become unsynchronized as a result of sabotage on or faults in the clocks or the synchronization mechanism. The problem occurs when a sender's clock is ahead of the intended recipient's clock. In this case, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient's site. This replay could cause unexpected results. Gong refers to such attacks as suppress-replay attacks.
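
Added example (not from the original slides): B's handling of message 3 under the original Needham-Schroeder exchange and under Denning's timestamped variant, covering the timestamp freshness rule of slide 27 and the clock-ahead case of slide 36. The HMAC-based `seal`/`unseal` stand-in for E_K[...], the 60-second window and all key and clock values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for E_K[...]: an HMAC-tagged JSON blob. It authenticates
# the fields but does not hide them, which is enough to study freshness.
def seal(key, fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

def kdc_ticket(k_b, k_s, id_a, t=None):
    """Inner part of message 2, forwarded by A as message 3: E_Kb[Ks || IDA (|| T)]."""
    fields = {"Ks": k_s, "IDA": id_a}
    if t is not None:
        fields["T"] = t                      # Denning's modification
    return seal(k_b, fields)

def b_accepts(k_b, ticket, b_clock, require_t, window=60.0):
    """B's check of message 3; window is an assumed skew-plus-delay allowance (seconds)."""
    try:
        fields = unseal(k_b, ticket)
    except ValueError:
        return False
    if not require_t:
        return True                          # original protocol: nothing here is fresh
    return "T" in fields and abs(b_clock - fields["T"]) < window

def scenarios():
    k_b, k_s, t0 = b"constructed master key of B", "constructed-old-Ks", 1_000_000.0
    week_later = t0 + 7 * 24 * 3600
    plain = kdc_ticket(k_b, k_s, "A")                # Needham-Schroeder ticket
    stamped = kdc_ticket(k_b, k_s, "A", t=t0)        # Denning ticket
    ahead = kdc_ticket(k_b, k_s, "A", t=t0 + 300)    # issuer clock 5 minutes fast
    return {
        "ns_replay_week_later": b_accepts(k_b, plain, week_later, require_t=False),
        "denning_on_time": b_accepts(k_b, stamped, t0 + 2, require_t=True),
        "denning_replay_week_later": b_accepts(k_b, stamped, week_later, require_t=True),
        "clock_ahead_on_arrival": b_accepts(k_b, ahead, t0 + 2, require_t=True),
        "clock_ahead_replayed_later": b_accepts(k_b, ahead, t0 + 300, require_t=True),
    }
```

The last two results show why the timestamp check alone does not stop a suppress-replay: the ticket that B rejects on arrival is accepted once B's clock reaches the timestamp.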

37 One way to counter suppress-replay attack
Communicating parties regularly check their clocks against the KDC’s clock. In [KEHN92], an attempt is made to respond to the concerns about suppress-replay attacks and at the same time fix the problems in the Needham/Schroeder protocol.

38
$A \to B$: $ID_A \| N_a$
$B \to KDC$: $ID_B \| N_b \| E_{K_b}(ID_A \| N_a \| T_b)$
$KDC \to A$: $E_{K_a}(ID_B \| N_a \| K_s \| T_b) \| E_{K_b}(ID_A \| K_s \| T_b) \| N_b$
$A \to B$: $E_{K_b}(ID_A \| K_s \| T_b) \| E_{K_s}(N_b)$

39
$A \to B$: $E_{K_b}(ID_A \| K_s \| T_b) \| N_a'$
$B \to A$: $N_b' \| E_{K_s}(N_a')$
$A \to B$: $E_{K_s}(N_b')$

40 Public Key Encryption approach
The central system is referred to as an Authentication Server (AS). The AS is not responsible for secret key distribution; it provides public key certificates. The session key is chosen and encrypted by ‘A’. Compact, but requires synchronization of clocks.

41
$A \to AS$: $ID_A \| ID_B$
$AS \to A$: $E_{KR_{as}}[ID_A \| KU_a \| T] \| E_{KR_{as}}[ID_B \| KU_b \| T]$
$A \to B$: $E_{KR_{as}}[ID_A \| KU_a \| T] \| E_{KR_{as}}[ID_B \| KU_b \| T] \| E_{KU_b}[E_{KR_{as}}[K_s \| T]]$

42 Denning AS Protocol Denning 81 presented the following:
The session key is chosen by A, hence the AS need not be trusted to protect it. Timestamps prevent replay but require synchronized clocks.

43 Another approach Woo and Lam [WOO92a]
Makes use of nonces

44 [WOO92a]
$A \to KDC$: $ID_A \| ID_B$
$KDC \to A$: $E(KR_{auth}, [ID_B \| KU_b])$
$A \to B$: $E(KU_b, [N_a \| ID_A])$
$B \to KDC$: $ID_A \| ID_B \| E(KU_{auth}, N_a)$
$KDC \to B$: $E(KR_{auth}, [ID_A \| KU_a]) \| E(KU_b, E(KR_{auth}, [N_a \| K_s \| ID_B]))$
$B \to A$: $E(KU_a, E(KR_{auth}, [(N_a \| K_s \| ID_B) \| N_b]))$
$A \to B$: $E(K_s, N_b)$

45 Revised Version [WOO92b]
$A \to KDC$: $ID_A \| ID_B$
$KDC \to A$: $E(PR_{auth}, [ID_B \| PU_b])$
$A \to B$: $E(PU_b, [N_a \| ID_A])$
$B \to KDC$: $ID_A \| ID_B \| E(PU_{auth}, N_a)$
$KDC \to B$: $E(PR_{auth}, [ID_A \| PU_a]) \| E(PU_b, E(PR_{auth}, [N_a \| K_s \| ID_A \| ID_B]))$
$B \to A$: $E(PU_a, E(PR_{auth}, [(N_a \| K_s \| ID_A \| ID_B) \| N_b]))$
$A \to B$: $E(K_s, N_b)$

46 Digital Signature Standard (DSS)
Published by NIST. Makes use of SHA. Proposed in 1991 and revised in 1993. Designed to provide only the digital signature. A public key technique.

49 The hash code is provided as input to a signature function along with a random number ‘K’ generated for this particular signature. The signature function also depends on the sender’s private key (PRa) and a set of parameters known to a group of communicating principals (PUG).

50 Verification function depends on
Global public keys (PUG); sender’s public key (PUa)

51 Receiver Side
A hash code is generated for the incoming message. The input to the verification function is the hash code and the signature components (s & r). The output of the verification function is a value equal to the signature component ‘r’ if the signature is valid.

52 Digital Signature Algorithm (DSA)
Based on the difficulty of computing discrete logarithms; ElGamal cryptosystems; Schnorr signature function

53 ElGamal

54 ElGamal
In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique. The ElGamal cryptosystem is used in some form in a number of standards, including the digital signature standard (DSS). It uses a prime number ‘q’ and ‘α’, which is a primitive root of ‘q’.

55 User A generates a private/public key pair
Any user B that has access to A’s public key can encrypt a message. User A recovers the plaintext.

56 User A generates a private/public key pair as follows
Generate a random integer $X_A$, such that $1 < X_A < q-1$.
Compute $Y_A = \alpha^{X_A} \bmod q$.
A’s private key is $X_A$; the public key is $(q, \alpha, Y_A)$.

57 Any user B that has access to A’s public key can encrypt a message as follows:
Represent the message as an integer in the range $0 \le M \le q-1$. Longer messages are sent as a sequence of blocks, with each block being an integer less than ‘q’.
Choose the random integer ‘k’ such that $1 \le k \le q-1$.
Compute a one-time key $K = (Y_A)^k \bmod q$.
Encrypt ‘M’ as a pair of integers $(C_1, C_2)$, where $C_1 = \alpha^k \bmod q$ and $C_2 = KM \bmod q$.

58 User A recovers the plaintext as follows:
Recover the key by computing $K = (C_1)^{X_A} \bmod q$.
Compute $M = (C_2 K^{-1}) \bmod q$.

59 Using ‘K’ recover the plaintext message as
K is defined during the encryption process. Substitute using $Y_A = \alpha^{X_A} \bmod q$, by the rules of modular arithmetic. Using ‘K’, recover the plaintext message as:
$C_2 = KM \bmod q$
$(C_2 K^{-1}) \bmod q = M \bmod q = M$

60 1. Bob generates a random integer ‘k’.
2. Bob generates a one-time key ‘K’ using Alice’s public-key components $Y_A$, ‘q’, and ‘k’.
3. Bob encrypts ‘k’ using the public-key component ‘α’, yielding $C_1$. $C_1$ provides sufficient information for Alice to recover ‘K’.
4. Bob encrypts the plaintext message ‘M’ using ‘K’.
5. Alice recovers ‘K’ from $C_1$ using her private key.
6. Alice uses $K^{-1}$ to recover the plaintext message from $C_2$.
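
Added example (not part of the original slides): the key generation, encryption and decryption steps of slides 56 to 58 in Python, with a check that ‘α’ really is a primitive root of ‘q’. The function names and the toy parameters (q = 19, α = 10, X_A = 5, M = 17, k = 6) are constructed for illustration and are far too small for real use.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy-sized q)."""
    found, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            found.add(d)
            n //= d
        d += 1
    if n > 1:
        found.add(n)
    return found

def is_primitive_root(alpha, q):
    """alpha is a primitive root of prime q iff alpha^((q-1)/f) != 1 for each prime f | q-1."""
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))

def keygen(q, alpha, x_a=None):
    """Return (X_A, (q, alpha, Y_A)); x_a may be fixed to reproduce a worked example."""
    if not is_primitive_root(alpha, q):
        raise ValueError("alpha must be a primitive root of q")
    if x_a is None:
        x_a = 2 + secrets.randbelow(q - 3)        # 1 < X_A < q-1
    return x_a, (q, alpha, pow(alpha, x_a, q))

def encrypt(public_key, m, k=None):
    q, alpha, y_a = public_key
    if not 0 <= m <= q - 1:
        raise ValueError("message block must satisfy 0 <= M <= q-1")
    if k is None:
        k = 1 + secrets.randbelow(q - 1)          # random k, 1 <= k <= q-1
    one_time_key = pow(y_a, k, q)                 # K = (Y_A)^k mod q
    return pow(alpha, k, q), one_time_key * m % q  # (C1, C2)

def decrypt(x_a, q, ciphertext):
    c1, c2 = ciphertext
    one_time_key = pow(c1, x_a, q)                # K = (C1)^X_A mod q
    return c2 * pow(one_time_key, -1, q) % q      # M = C2 * K^-1 mod q

if __name__ == "__main__":
    # Constructed toy parameters: q = 19, alpha = 10, X_A = 5, M = 17, k = 6
    x_a, pub = keygen(19, 10, x_a=5)
    c = encrypt(pub, 17, k=6)
    print(pub, c, decrypt(x_a, 19, c))
```

With k = q-1, which the stated range 1 ≤ k ≤ q-1 allows, C1 = 1 and K = 1, so C2 equals M: `encrypt(pub, 17, k=18)` returns `(1, 17)` for these parameters.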

64 Schnorr Digital Signature Scheme
Based on discrete logarithms.
Minimizes the message-dependent amount of computation.
Signature generation does not depend on the message.
Done during the idle time of the processor.
Message dependent part of the signature generation

65 Based on using the prime modulus p
$p-1$ has a prime factor ‘q’ of appropriate size.
‘p’ is 1024 bits and ‘q’ is 160 bits.

66 Generation of private & Public Key
Choose primes ‘p’ & ‘q’ such that ‘q’ is a prime factor of $p-1$.
Choose an integer ‘a’ such that $a^q = 1 \pmod p$. The values of ‘a’, ‘p’ & ‘q’ comprise a global public key that can be common to a group of users.
Choose a random integer ‘s’ with $0 < s < q$. This is the user’s private key.
Calculate $v = a^{-s} \pmod p$. This is the user’s public key.

67 Generation of signature
Choose a random integer ‘r’ with $0 < r < q$ and compute $x = a^r \pmod p$. This computation is a preprocessing stage independent of the message ‘M’ to be signed.
Concatenate the message with ‘x’ and hash the result to compute the value ‘e’: $e = H(M \| x)$.
Compute $y = (r + se) \bmod q$. The signature consists of the pair $(e, y)$.

68 Verification of the signature
Compute $x' = a^y v^e \pmod p$.
Verify that $e = H(M \| x')$.
$x' \equiv a^y v^e \equiv a^y a^{-se} \equiv a^{y-se} \equiv a^r \equiv x \pmod p$
Hence, $H(M \| x') = H(M \| x)$.
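
Added example (not part of the original slides): the Schnorr steps of slides 66 to 68 in Python, with signing split into the message-independent stage and the message-dependent stage. The toy parameters p = 2039 and q = 1019, the choice of SHA-256 for H, the byte encoding of ‘x’ and all function names are assumptions made for this illustration.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: Q is a prime factor of P-1.
P, Q = 2039, 1019
A = pow(2, (P - 1) // Q, P)      # = 4, an element with A^Q = 1 (mod P) and A != 1

def hash_to_int(message, x):
    """e = H(M || x); SHA-256 and the fixed-width encoding of x are assumptions."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha256(message + x.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big")

def keygen():
    s = 1 + secrets.randbelow(Q - 1)          # private key, 0 < s < q
    return s, pow(A, -s, P)                   # public key v = a^(-s) mod p

def precompute():
    """Message-independent stage: can run while the processor is idle."""
    r = 1 + secrets.randbelow(Q - 1)          # 0 < r < q
    return r, pow(A, r, P)                    # x = a^r mod p

def sign(message, s, pair):
    """Message-dependent stage: one hash plus one multiply-add mod q."""
    r, x = pair                               # use each (r, x) pair for one signature only
    e = hash_to_int(message, x)
    return e, (r + s * e) % Q                 # signature (e, y)

def verify(message, signature, v):
    e, y = signature
    x_prime = pow(A, y, P) * pow(v, e, P) % P  # x' = a^y v^e mod p
    return e == hash_to_int(message, x_prime)

if __name__ == "__main__":
    s, v = keygen()
    sig = sign(b"constructed sample message", s, precompute())
    print(verify(b"constructed sample message", sig, v))
```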
