MODULE – 3

Authentication and Digital Signatures : Use of Cryptography for authentication, Secure

Hash function, Key management – Kerberos.
AUTHENTICATION
Authentication in cryptography is the process of verifying the identity of a user or
information. It ensures that the data being transferred is accessed only by authorized users
and prevents unauthorized access. Cryptographic authentication plays a crucial role in
securing data and maintaining its integrity during transmission.
Types of Cryptographic Authentication
Single-Factor Authentication
Single-Factor Authentication (SFA) is the simplest form of authentication, where the user
provides a username and password to gain access. While it is easy to implement and use, it is
not very secure as it relies solely on the strength of the password.
Two-Factor Authentication
Two-Factor Authentication (2FA) adds an extra layer of security by requiring the user to
provide additional information, such as a one-time password (OTP) or a security token, along
with the username and password. This method enhances security by making it harder for
attackers to gain access.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) involves using multiple authentication factors, such as
passwords, biometrics, and security tokens, to verify the user's identity. MFA provides a
higher level of security by making it more difficult for attackers to bypass all the
authentication layers.
Cryptographic Techniques for Authentication
Symmetric Encryption
Symmetric encryption uses a single key for both encryption and decryption. The same key is
shared between the sender and the receiver. While it is fast and efficient, the challenge lies in
securely sharing the key between the parties.
Asymmetric Encryption
Asymmetric encryption uses a pair of keys: a public key for encryption and a private key for
decryption. The public key is shared openly, while the private key is kept secret. This method
provides better security and authentication, as the private key is never exposed.
Hashing
Hashing is a process that converts data into a fixed-length string of characters, which is
unique to the input data. Hash functions are used to ensure data integrity and verify the
authenticity of the data. Hashing is commonly used in password storage and digital
signatures.

DIGITAL SIGNATURES
A digital signature is a mathematical technique used to validate the authenticity and integrity
of a message, software, or digital document.
1. Key Generation Algorithms: Digital signature is electronic signatures, which assure
that the message was sent by a particular sender. While performing digital transactions
authenticity and integrity should be assured, otherwise, the data can be altered or
someone can also act as if he was the sender and expect a reply.
 2. Signing Algorithms: To create a digital signature, signing algorithms like email
programs create a one-way hash of the electronic data which is to be signed. The signing
algorithm then encrypts the hash value using the private key (signature key). This
encrypted hash along with other information like the hashing algorithm is the digital
signature. This digital signature is appended with the data and sent to the verifier. The
reason for encrypting the hash instead of the entire message or document is that a hash
function converts any arbitrary input into a much shorter fixed-length value. This saves
time as now instead of signing a long message a shorter hash value has to be signed and
moreover hashing is much faster than signing.
3. Signature Verification Algorithms : Verifier receives Digital Signature along with the
data. It then uses Verification algorithm to process on the digital signature and the public
key (verification key) and generates some value. It also applies the same hash function
on the received data and generates a hash value. Then the hash value and the output of
the verification algorithm are compared. If they both are equal, then the digital signature
is valid else it is invalid.

The steps followed in creating digital signature are :

1. Message digest is computed by applying hash function on the message and then message
digest is encrypted using private key of sender to form the digital signature. (digital
signature = encryption (private key of sender, message digest) and message digest =
message digest algorithm(message)).
2. Digital signature is then transmitted with the message.(message + digital signature is
transmitted)
3. Receiver decrypts the digital signature using the public key of sender.(This assures
authenticity, as only sender has his private key so only sender can encrypt using his
private key which can thus be decrypted by sender’s public key).
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (actual message is sent
with the digital signature).
6. The message digest computed by receiver and the message digest (got by decryption on
digital signature) need to be same for ensuring integrity.
Message digest is computed using one-way hash function, i.e. a hash function in which
computation of hash value of a message is easy but computation of the message from hash
value of the message is very difficult.

USE OF CRYPTOGRAPHY FOR AUTHENTICATION

Cryptography is used for authentication in many different situations, such as when accessing a bank
account, logging into a computer, or using a secure network.
Cryptographic methods are employed by authentication protocols to confirm the user’s identity and
confirm that they have the required access rights to the resource.
Cryptography is also used to keep messages and data secure from being accessible to anyone other
than the sender and the intended recipient.
Cryptographic authentication allows relying parties to trust that the data asserted by users during
authentication and verification events is actually true by leveraging cryptography as the source of
truth.

SECURE HASH FUNCTION

A cryptographic hash function is a mathematical function used in cryptography. Typical hash
functions take inputs of variable lengths to return outputs of a fixed length.
Hash functions play a crucial role in various security applications, including password storage (hash
values instead of passwords), digital signatures, and data integrity checks. Hash values, or message
digests, are values that a hash function returns.

The hash function is shown in the image below −

The four SHA algorithms which make up the SHA family are SHA-0, SHA-1, SHA-2, and SHA-3.
Despite coming from the same family, the structure of it differs.

 The National Institute of Standards and Technology (NIST) released the first iteration
of the 160-bit hash algorithm, known as SHA-0, in 1993. It did not gain much
popularity and had few drawbacks. SHA-1 was created later in 1995 to address
perceived flaws in SHA-0.
 SHA-1 is the most widely used of the existing SHA hash functions. It is used in most
of the applications and protocols including Secure Socket Layer (SSL) security.
 In 2005, a technique was discovered for SHA-1 collision detection that can be used in
a realistic time frame. So it is doubtful on SHA-1's long-term usability.
 SHA-224, SHA-256, SHA-384, and SHA-512 are the other four SHA variants in the
SHA-2 family, which vary based on the number of bits in their hash value. The SHA-
2 hash function has not yet been the target of any effective attacks
 Though SHA-2 is a strong hash function. Though significantly different, its basic
design still follows the design of SHA-1. NIST thus demanded the creation of new
competitive hash function designs.
  The Keccak algorithm was selected by the NIST in October 2012 to replace the SHA-
3 standard. Keccak has several advantages, including effective operation and strong
attack resistance.
Processing of SHA
1. Input
Input is the original message and need to be hashed before sending to the recipient.
For example, let's take "Hello, World!"
2. Preprocessing
Next, We need to perform preprocessing (removal of unnecessary characters or punctuation
wherever applicable) and then input message to a binary format conversion .
3. Hashing
Next, We will be applying the SHA hash function by using the mathematical operations on
the processessed input message to a fixed size output or hash value.
4. Output
Hash value can act as a tool for authenticating the originality of the input message by
making sure to verify any unauthorised and modifications made due to the data tampering
and henceforth discarding the message. If the recipient gets different hash value upon using
the same hashing algorithm and hash function on the input then the message are tempered
and modified and henceforth need to be discarded.
We may be get the hash or fixed size output as follows,
e3b0c4429cfbbc8c830a8f102620e8a020869d64f84e98fc48d7b8b67f677f8b9d
64f84e98fc48d7b8b67f677f8b9d
Properties of Secure Hash Functions
Collision Attacks
A collision attack are the technique used by an attacker and generally for any two different
inputs the attackers try to find the same hash value and uses it for carrying out crimes and
related activities. SHA function can handle , manage and are resistant to collision attacks
which are often used by attackers to compromise the security and henceforth resulting in
loss of data and sensitive information and sometimes financial and related losses also.
Attacker and cyber criminals can break the security and may modify the electronic
document and files leading to loss of authenticity and identity but doesn't allow to notice
the same by showing the same hash as similar to the original and hence can prove the file’s
genuineness and integrity. But in reality the attacker has changed and switched out the
orginal file and tricked the recipient to download a different file without getting aware and
unknowingly falling pray to cyber attacks.
Avalanche Effect
Secure Hash functions support avalanche effect and are used to determine the underlying
modification and tempering of the data even if any negligible and small changes are made
to the inputs as it would result into a significant and large change in the hash and
henceforth are easily detected and identified.
Applications of Secure Hash Algorithms in Cryptography
1. Message Authentication Codes (MACs)
Message Authentication Codes or MACs is one of the most popular applications of SHA
and are used to ensure message integrity. SHA hash is attached with the input message and
then send to the recipient.
Recipient can verify the integrity by recomputing the hash value and check with the
attached and can ensure and authenticate whether the message has been changed or not.
2. Digital Signatures
SHA are also used with cryptography technique such as digital signatures to ensure and
verify the authenticity and identity of electronic documents( e- mail, confidential reports,
project data).
3. Password Hashing
Password Hashing is one of the most effective and important features and uses hashing to
manage and store password in online websites and applications.
Pros and Cons
Pros
1. Non-repudiation: Hash value are calculated systematically and using the complex
mathematical algorithms based on the message contents and hence it's not feasible to say
that the message transmission is under risk or neither anyone can deny the non receptive of
the sent or encrypted the message.
2. Collision Resistance: SHA-256 is are built and designed to be collision-resistant as to
ensure that there should be different digest for messages and hence reducing the possibility
of the same hash value.

Cons
1. Length: However one shortfall of the SHA-256 algorithm is the hash value are if fixed
size(32 bytes) and hence are inappropriate for very long messages and often required
multiple hash function in a chained mode which is tedious and inefficient.
2. Key management: Key management are very necessary as if by any means the secret
key is lost, stolen or misused then can lead to unauthorised access and security loss.

KEY MANAGEMENT
Key management refers to the processes and procedures involved in generating, storing,
distributing, and managing cryptographic keys used in cryptographic algorithms to protect
sensitive data. It ensures that keys used to protect sensitive data are kept safe from
unauthorized access or loss. Good key management helps maintain the security of encrypted
information and is important for protecting digital assets from cyber threats. Effective key
management is crucial for ensuring the confidentiality, integrity, and availability of encrypted
information by securing cryptographic keys from unauthorized access, loss, or compromise.
How Cryptographic Keys Works?
Cryptographic keys are special codes that protect information by locking (encrypting) and
unlocking (decrypting) it. In symmetric key cryptography, a single shared key does both jobs,
so the same key must be kept secret between users. In asymmetric key cryptography, there
are two keys: a public key that anyone can use to encrypt messages or verify signatures, and a
private key that only the owner uses to decrypt messages or create signatures. This makes it
easier to share the public key openly while keeping the private key secret. These keys are
crucial for secure communication, like when you visit a secure website (HTTPS), where they
help encrypt your data and keep it safe from eavesdroppers and criminals. So, to manage
these keys properly is vital to keep digital information secure and dependable.
Types of Key Management
There are two aspects of Key Management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.
Distribution of Public Key
The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
These are explained as following below:
1. Public Announcement: Here the public key is broadcast to everyone. The major weakness
of this method is a forgery. Anyone can create a key claiming to be someone else and
broadcast it. Until forgery is discovered can masquerade as claimed user.

2. Publicly Available Directory: In this type, the public key is stored in a public directory.
Directories are trusted here, with properties like Participant Registration, access and allow to
modify values at any time, contains entries like {name, public-key}. Directories can be
accessed electronically still vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but, improves security by tightening
control over the distribution of keys from the directory. It requires users to know the public
key for the directory. Whenever the keys are needed, real-time access to the directory is made
by the user to obtain any desired public key securely.
4. Public Certification: This time authority provides a certificate (which binds an identity to
the public key) to allow key exchange without real-time access to the public authority each
time. The certificate is accompanied by some other info such as period of validity, rights of
use, etc. All of this content is signed by the private key of the certificate authority and it can
be verified by anyone possessing the authority's public key.
First sender and receiver both request CA for a certificate which contains a public key and
other information and then they can exchange these certificates and can start communication.
Key Management Lifecycle
The key management lifecycle outlines the stages through which cryptographic keys are
generated, used, and eventually retired or destroyed. Proper management of these keys is
critical to ensuring the security of cryptographic systems. Here’s an overview of each stage:
1. Key Generation:
  Creation: Keys are created using secure algorithms to ensure randomness and
strength.
 Initialization: Keys are initialized with specific parameters required for their intended
use (e.g., length, algorithm).
2. Key Distribution:
 Sharing: For symmetric keys, secure methods must be used to share the key between
parties.
 Publication: For asymmetric keys, the public key is shared openly, while the private
key remains confidential.
3. Key Storage:
 Protection: Keys must be stored securely, typically in hardware security modules
(HSMs) or encrypted key stores, to prevent unauthorized access.
 Access Control: Only authorized users or systems should be able to access keys.
4. Key Usage:
 Application: Keys are used for their intended cryptographic functions, such
as encrypting/decrypting data or signing/verifying messages.
 Monitoring: Usage is monitored to detect any unusual or unauthorized activities.

Key Management in Cryptography

5. Key Rotation:
 Updating: Keys are periodically updated to reduce the risk of exposure or
compromise.
 Re-Keying: New keys are generated and distributed, replacing old ones while
ensuring continuity of service.
6. Key Revocation:
 Invalidation: Keys that are no longer secure or needed are invalidated.
 Revocation Notices: For public keys, revocation certificates or notices are distributed
to inform others that the key should no longer be trusted.
7. Key Archival:
 Storage: Old keys are securely archived for future reference or compliance purposes.
 Access Restrictions: Archived keys are kept in a secure location with restricted
access.
8. Key Destruction:
  Erasure: When keys are no longer needed, they are securely destroyed to prevent any
possibility of recovery.
 Verification: The destruction process is verified to ensure that no copies remain.

KERBEROS
Kerberos provides a centralized authentication server whose function is to authenticate users
to servers and servers to users. In Kerberos Authentication server and database is used for
client authentication. Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC). Each user and service on the network is a principal. The main
components of Kerberos are:
• Authentication Server (AS):
The Authentication Server performs the initial authentication and ticket for Ticket
Granting Service.
• Database:
The Authentication Server verifies the access rights of users in the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server

Kerberos Overview:

• Step-1:
User login and request services on the host. Thus user requests for ticket-granting
service.
• Step-2:
Authentication Server verifies user’s access right using database and then gives
ticketgranting-ticket and session key. Results are encrypted using the Password of the
user.
• Step-3:
The decryption of the message is done using the password then send the ticket to Ticket
Granting Server. The Ticket contains authenticators like user names and network
addresses.
 • Step-4:
Ticket Granting Server decrypts the ticket sent by User and authenticator verifies the
request then creates the ticket for requesting services from the Server.
• Step-5:
The user sends the Ticket and Authenticator to the Server.
• Step-6:
The server verifies the Ticket and authenticators then generate access to the service. After
this User can access the services.

Kerberos Limitations
• Each network service must be modified individually for use with Kerberos
• It doesn’t work well in a timeshare environment
• Secured Kerberos Server
• Requires an always-on Kerberos server
• Stores all passwords are encrypted with a single key
• Assumes workstations are secure • May result in cascading loss of trust.
• Scalability

Is Kerberos Infallible?
No security measure is 100% impregnable, and Kerberos is no exception. Because it’s been
around for so long, hackers have had the ability over the years to find ways around it,
typically through forging tickets, repeated attempts at password guessing (brute
force/credential stuffing), and the use of malware, to downgrade the encryption.
Despite this, Kerberos remains the best access security protocol available today. The protocol
is flexible enough to employ stronger encryption algorithms to combat new threats, and if
users employ good password-choice guidelines, you shouldn’t have a problem! What is
Kerberos Used For?
Although Kerberos can be found everywhere in the digital world, it is commonly used in
secure systems that rely on robust authentication and auditing capabilities. Kerberos is used
for Posix, Active Directory, NFS, and Samba authentication. It is also an alternative
authentication system to SSH, POP, and SMTP.
Kerberos Requirements
• Secure – no masquerading
• Reliable – distributed server architecture
• Transparent – user unaware authentication is taking place
• Scalable – support large number of clients and servers

Advantages of Kerberos:
• Access Control: The Kerberos authentication protocol permits powerful access control.
Users advantage of a single point for track of all logins and the enforcement of protection
policies.
• Mutual Authentication: Kerberos authentication permits carrier structures and customers
to authenticate each other. During all steps of the process, the user and the server will
understand that the counterparts that they may be interacting with are authentic.
• Limited Ticket Lifetime: Each ticket in Kerberos has timestamps and lifelong data, and
the period of authentication is managed through admins.
• Reusable Authentication: Kerberos authentication is durable and reusable. Each user will
effectively be tested through the system once.
 • Security: Multiple secret keys, third-party authorization, and cryptography make
Kerberos a secure verification protocol. Passwords are not sent over the networks, and
secret keys are encrypted, making it hard for attackers to impersonate users or services.

QUESTION BANK

Module – 3
PART - A
1. What is the purpose of authentication in security?
2. Define digital signatures. How does a digital signature ensure data integrity?
3. How does cryptography help in authentication?
4. What is a secure hash function? Give an example.
5. Name two properties of a good cryptographic hash function.
6. What is Kerberos?
7. What role does a Key Distribution Center (KDC) play in Kerberos?
8. How do digital signatures provide authenticity?
9. Name a common secure hash algorithm.
10. What is a message digest?
11. Why is key management important in cryptography?
12. What are the main components of Kerberos authentication?

PART - B
1. Explain how digital signatures are created and verified using asymmetric cryptography. Discuss
their applications.
2. Describe the Kerberos authentication protocol, including its components (KDC, TGT, service
tickets) and process.
3. Discuss the properties and requirements of secure hash functions like SHA-256. Why are they
important in cryptography?
4. Analyze the role of key management in cryptographic systems. What are the challenges?
5. Compare digital signatures and message authentication codes (MACs) in terms of security and use
cases.
6. Discuss the importance of secure hash functions in ensuring data integrity and authentication.
7. What are the security benefits and potential vulnerabilities of Kerberos? How can they be
mitigated?
8. Evaluate the use of digital signatures for authenticity, integrity, and non-repudiation in electronic
transactions.