UNIT III - DIS Notes

Data and Information Security Notes

UNIT – 3 NOTES

Digital Signature and Authentication Schemes: Digital Signature Schemes and their Variants - Digital Signature Standards - Authentication: Overview - Requirements - Protocols - Applications - Kerberos - X.509 Directory Services

What is a digital signature?

A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message or software. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity and status of electronic documents, transactions or digital messages. Signers can also use them to acknowledge informed consent. In many countries, including the U.S., digital signatures are considered legally binding in the same way as traditional handwritten document signatures.

How do digital signatures work?

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as Rivest-Shamir-Adleman (RSA), two keys are generated, creating a mathematically linked pair of keys: one private and one public. Digital signatures work through public key cryptography's two mutually authenticating cryptographic keys. The person who creates the digital signature uses a private key to encrypt signature-related data. The only way to decrypt that data is with the signer's public key.
If the recipient can't open the document with the signer's public key, that
indicates there's a problem with the document or the signature. This is how
digital signatures are authenticated. Digital certificates, also called public key
certificates, are used to verify that the public key belongs to the issuer. Digital
certificates contain the public key, information about its owner, expiration dates
and the digital signature of the certificate's issuer. Digital certificates are issued
by trusted third-party certificate authorities (CAs), such as DocuSign or
GlobalSign, for example. The party sending the document and the person
signing it must agree to use a given CA.

Digital signature technology requires all parties to trust that the person who creates the signature has kept the private key secret. If someone else has access to the private signing key, that party could create fraudulent digital signatures in the name of the private key holder.

DIGITAL SIGNATURE SCHEMES

Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.

RSA Digital Signature Scheme

The RSA idea can also be used for signing and verifying a message. In this case,
it is called the RSA digital signature scheme. The digital signature scheme
changes the roles of the private and public keys.

First, the private and public keys of the sender, not the receiver, are used.

Second, the sender uses her own private key to sign the document; the receiver
uses the sender’s public key to verify it.
If we compare the scheme with the conventional way of signing, we see that the private key plays the role of the sender's own signature, and the sender's public key plays the role of the copy of the signature that is available to the public.

Obviously Alice cannot use Bob’s public key to sign the message because then
any other person could do the same. The below figure gives the general idea
behind the RSA digital signature scheme.

What Does Message Digest Mean?

A message digest is a cryptographic hash function output consisting of a string of digits created by a one-way hashing formula.

Message digests are designed to protect the integrity of a piece of data or media
to detect changes and alterations to any part of a message. They are a type of
cryptography utilizing hash values that can warn the copyright owner of any
modifications applied to their work. Message digest hash numbers represent
specific files containing the protected works. One message digest is assigned to
particular data content. It can reference a change made deliberately or
accidentally, but it prompts the owner to identify the modification as well as the
individual(s) making the change. Message digests are algorithmic numbers.
This term is also known as a hash value and sometimes as a checksum.

Working of RSA digital signature scheme:

Sender A wants to send a message M to the receiver B along with the digital signature S calculated over the message M.

Step 1: The sender A uses the message digest algorithm to calculate the message digest MD1 over the original message M.

Step 2: The sender A now encrypts the message digest with her private key. The output of this process is called the digital signature (DS).

Step 3: Now the sender A sends the original message M along with the digital signature DS to receiver B.

Step 4: After the receiver B receives the original message M and the sender A's digital signature, B uses the same message digest algorithm which was used by A and calculates its own message digest MD2.

Step 5: The receiver B now uses the sender A's public key to decrypt the digital signature. Note that A had used her private key to encrypt the message digest MD1 to form the digital signature. Therefore only A's public key can be used to decrypt it. The output of this process is the original message digest which was calculated by A (MD1) in step 1.

Step 6: B now compares the following two message digests:

1. MD2, which it had calculated in step 4

2. MD1, which is retrieved from A's digital signature in step 5

If MD1 = MD2 the following facts are established:

a. B accepts the original message (M) as the correct, unaltered message from A

b. B is also assured that the message came from A and not from someone else posing as A

Thus, the principle of digital signature is quite strong, secure and reliable.
El-gamal digital signature scheme:
Schnorr Digital Signature Scheme

The problem with the ElGamal digital signature scheme is that p needs to be
very large to guarantee that the discrete log problem is intractable in Zp*. The
recommendation is a p of at least 1024 bits. This could make the signature as
large as 2048 bits. To reduce the size of the signature, Schnorr proposed a new
scheme based on ElGamal, but with a reduced signature size.

A Schnorr signature is a digital signature created via the Schnorr Signature Scheme, described by the cryptographer Claus Schnorr.

It is a digital signature system known for its simplicity and was one of the first whose security was shown to rest on the hardness of the discrete logarithm problem. The Schnorr Signature Scheme produces concise signatures and is efficient.
Working of Schnorr Signature Scheme
Elliptic Curve Digital Signature Scheme

Our last scheme is the elliptic curve digital signature scheme, which is DSA
based on elliptic curves, as we discussed in Chapter 10. The scheme sometimes
is referred to as ECDSA (elliptic curve DSA). Figure 13.15 gives the general
idea behind ECDSS. In the signing process, two functions and an extractor
create two signatures; in the verifying process the output of one function (after
passing through the extractor) is compared to the first signature for verification.
Functions f1 and f3 actually create points on the curve. The first creates a new
point from the signer’s private key (which is a point); the second creates a new
point from the signer’s two public keys (which are the points). Each extractor
extracts the first coordinates of the corresponding point in modular arithmetic.
The details of inputs and the functions will be discussed shortly.

Variations

Following are brief discussions of several variations and additions to the main concept of digital signatures. For more insight, the reader can consult the specialized literature.

Time Stamped Signatures

Sometimes a signed document needs to be timestamped to prevent it from being replayed by an adversary. This is called a timestamped digital signature scheme. For example, if Alice signs a request to her bank, Bob, to transfer some money to Eve, the document can be intercepted and replayed by Eve if there is no timestamp on the document. Including the actual date and time on the documents may create a problem if the clocks are not synchronized and a universal time is not used. One solution is to use a nonce (a one-time random number). A nonce is a number that can be used only once. When the receiver receives a document with a nonce, he makes a note that the number is now used by the sender and cannot be used again. In other words, a new nonce defines the "present time"; a used nonce defines "past time".

Blind Signatures

Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer. For example, a scientist, say Bob, might have discovered a very important theory that needs to be signed by a notary public, say Alice, without allowing Alice to know the contents of the theory. David Chaum has developed some patented blind digital signature schemes for this purpose. The main idea is as follows:

a. Bob creates a message and blinds it. Bob sends the blinded message to Alice.

b. Alice signs the blinded message and returns the signature on the blinded message.

c. Bob unblinds the signature to obtain a signature on the original message.

Blind Signature Based on the RSA Scheme

Let us briefly describe a blind digital signature scheme developed by David Chaum. Blinding can be done using a variation of the RSA scheme. Bob selects a random number, b, and calculates the blinded message B = M × b^e mod n, in which e is Alice's public key and n is the modulus defined in the RSA digital signature scheme. Note that b is sometimes called the blinding factor.

Bob sends B to Alice. Alice signs the blinded message using the signing algorithm defined in the RSA digital signature scheme, Sb = B^d mod n, in which d is Alice's private key. Note that Sb is the signature on the blind version of the message. Bob simply uses the multiplicative inverse of his random number b to remove the blind from the signature. The signature is S = Sb × b^(−1) mod n. We can prove that S is the signature on the original message as defined in the RSA digital signature scheme: S = (M × b^e)^d × b^(−1) = M^d × b^(ed) × b^(−1) = M^d mod n, since b^(ed) = b mod n.
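The RSA signing steps (Steps 1 to 6 above) and Chaum's blind signature, as an added worked example that is not part of these notes: key generation, hash-then-sign, verification, and the blind, sign, unblind round trip. SHA-256 as the digest algorithm, the public exponent 65537 and the Miller-Rabin prime generator are assumptions of this example, not something the notes specify.

```python
import hashlib
import math
import secrets

# Added example, not part of the notes: textbook RSA signing over a message
# digest (Steps 1-6) and Chaum's RSA blind signature (blind, sign, unblind).
# The Miller-Rabin test is written here only so the example is self-contained;
# the default 1024-bit modulus is demo-sized, real deployments use 2048+ bits.


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 1024):
    """Return (public, private) as ((e, n), (d, n)) for an n of `bits` bits."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def digest(msg: bytes) -> int:
    """Step 1 / Step 4: the message digest as an integer (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes, priv) -> int:
    """Step 2: the sender 'encrypts' the digest with her private key."""
    d, n = priv
    return pow(digest(msg), d, n)


def verify(msg: bytes, sig: int, pub) -> bool:
    """Steps 5-6: recover MD1 with the public key and compare it with MD2."""
    e, n = pub
    return pow(sig, e, n) == digest(msg) % n


# --- Chaum blind signature on top of the same RSA keys ---------------------

def blind(m: int, pub):
    """Bob: pick blinding factor b and form B = M * b^e mod n for Alice."""
    e, n = pub
    while True:
        b = 2 + secrets.randbelow(n - 3)
        if math.gcd(b, n) == 1:          # b must have an inverse mod n
            return (m * pow(b, e, n)) % n, b


def blind_sign(blinded: int, priv) -> int:
    """Alice: Sb = B^d mod n, produced without ever seeing M."""
    d, n = priv
    return pow(blinded, d, n)


def unblind(sb: int, b: int, pub) -> int:
    """Bob: S = Sb * b^-1 mod n, which equals the plain signature M^d mod n."""
    _, n = pub
    return (sb * pow(b, -1, n)) % n


if __name__ == "__main__":
    pub, priv = keygen(512)              # small keys so the demo runs quickly
    s = sign(b"transfer 100 to Eve", priv)
    print("valid:", verify(b"transfer 100 to Eve", s, pub))
    B, b = blind(digest(b"my secret theory"), pub)
    S = unblind(blind_sign(B, priv), b, pub)
    print("unblinded == direct signature:", S == sign(b"my secret theory", priv))
```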

Preventing Fraud

It appears that Bob can get Alice to sign a blind message that may later hurt her. For example, Bob's message could be a document, claiming to be Alice's will, that will give everything to Bob after her death. There are at least three ways to prevent such damage:

a. The authorities can pass a law that Alice is not responsible for signing any blind message that is against her interest.

b. Alice can request a document from Bob that the message she will sign does not hurt Alice.

c. Alice could require that Bob proves his honesty before she signs the blind message.
Digital Signature Standard (DSS)

The Digital Signature Standard (DSS) was adopted by the National Institute of
Standards and Technology (NIST) in 1994. NIST published DSS as FIPS 186.
DSS uses a digital signature algorithm (DSA) based on the ElGamal scheme
with some ideas from the Schnorr scheme. DSS has been criticized from the
time it was published. The main complaint regards the secrecy of DSS design.
The second complaint regards the size of the prime, 512 bits. Later NIST made
the size variable to respond to this complaint. Figure 13.13 gives the general
idea behind the DSS scheme.

In the signing process, two functions create two signatures; in the verifying
process, the output of one function is compared to the first signature for
verification. This is similar to Schnorr, but the inputs are different. Another
difference is that this scheme uses the message digest (not the message) as part
of inputs to functions 1 and 3. The interesting point is that the scheme uses two
public moduli: p and q. Functions 1 and 3 use both p and q; function 2 uses only
q. The details of inputs and the functions will be discussed shortly.

Key Generation

Before signing a message to any entity, Alice needs to generate keys and announce the public ones to the public.

1. Alice chooses a prime p, between 512 and 1024 bits in length. The number of bits in p must be a multiple of 64.

2. Alice chooses a 160-bit prime q in such a way that q divides (p − 1).

3. Alice uses two multiplicative groups; the second is a subgroup of the first.

4. Alice creates e1 to be the q-th root of 1 modulo p (e1^q = 1 mod p). To do so, Alice chooses a primitive element e0 in Zp and calculates e1 = e0^((p−1)/q) mod p.

5. Alice chooses d as the private key and calculates e2 = e1^d mod p.

6. Alice's public key is (e1, e2, p, q); her private key is (d).

Signing

The following shows the steps to sign the message:

1. Alice chooses a random number r (1 ≤ r ≤ q). Note that although public and private keys can be chosen once and used to sign many messages, Alice needs to select a new r each time she needs to sign a new message.

2. Alice calculates the first signature S1 = (e1^r mod p) mod q. Note that the value of the first signature does not depend on M, the message.

3. Alice creates a digest of the message, h(M).

4. Alice calculates the second signature S2 = (h(M) + d × S1) × r^(−1) mod q. Note that the calculation of S2 is done in modulo q arithmetic.

5. Alice sends M, S1, and S2 to Bob.

Verifying

Following are the steps used to verify the message when M, S1, and S2 are received:

1. Bob checks to see if 0 < S1 < q.

2. Bob checks to see if 0 < S2 < q.

3. Bob calculates a digest of M using the same hash algorithm used by Alice.

4. Bob calculates V = [(e1^(h(M) × S2^(−1)) × e2^(S1 × S2^(−1))) mod p] mod q.

5. If S1 is congruent to V, the message is accepted; otherwise, it is rejected.
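The DSS key generation, signing and verifying steps above, carried out in code as an added example (not from the notes). The domain parameters p = 23, q = 11 and e0 = 5 are constructed toy values chosen so that every intermediate value can be checked by hand; SHA-256 reduced modulo q stands in for h(M) and is an assumption of this example.

```python
import hashlib
import secrets

# Added example, not from the notes: DSS key generation, signing and
# verification written directly from the numbered steps. The parameters are
# constructed toy values (q = 11 divides p - 1 = 22; 5 is a primitive element
# of Z_23*). Real DSS needs the 512-1024-bit p and 160-bit q the notes specify.
P, Q, E0 = 23, 11, 5


def make_e1(p: int, q: int, e0: int) -> int:
    """Step 4: e1 = e0^((p-1)/q) mod p, a q-th root of 1 modulo p."""
    e1 = pow(e0, (p - 1) // q, p)
    if e1 == 1 or pow(e1, q, p) != 1:
        raise ValueError("e0 did not yield an element of order q")
    return e1


def keygen(p: int, q: int, e0: int):
    """Steps 5-6: private key d, public key (e1, e2, p, q) with e2 = e1^d mod p."""
    e1 = make_e1(p, q, e0)
    d = 1 + secrets.randbelow(q - 1)             # 1 <= d < q
    return (e1, pow(e1, d, p), p, q), d


def h(msg: bytes, q: int) -> int:
    """Digest h(M). Toy: SHA-256 reduced mod q; real DSS keeps the leftmost |q| bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign_digest(hm: int, d: int, r: int, pub):
    """Signing steps 2 and 4 for a given r; None if either signature part is 0."""
    e1, _, p, q = pub
    s1 = pow(e1, r, p) % q                       # S1 = (e1^r mod p) mod q
    s2 = (hm + d * s1) * pow(r, -1, q) % q       # S2 = (h(M) + d*S1) * r^-1 mod q
    return None if s1 == 0 or s2 == 0 else (s1, s2)


def sign(msg: bytes, d: int, pub):
    """Steps 1-5: a fresh random r per message; retry if S1 or S2 came out 0."""
    q = pub[3]
    while True:
        r = 1 + secrets.randbelow(q - 1)         # 1 <= r < q so r^-1 mod q exists
        sig = sign_digest(h(msg, q), d, r, pub)
        if sig is not None:
            return sig


def verify_digest(hm: int, sig, pub) -> bool:
    """Verifying steps 1-2 and 4-5 on an already computed digest."""
    e1, e2, p, q = pub
    s1, s2 = sig
    if not (0 < s1 < q and 0 < s2 < q):          # steps 1-2: range checks
        return False
    w = pow(s2, -1, q)                           # S2^-1 mod q
    v = pow(e1, hm * w % q, p) * pow(e2, s1 * w % q, p) % p % q   # step 4
    return v == s1                               # step 5


def verify(msg: bytes, sig, pub) -> bool:
    """Step 3 plus verify_digest: Bob recomputes h(M) with the same hash."""
    return verify_digest(h(msg, pub[3]), sig, pub)


if __name__ == "__main__":
    pub, d = keygen(P, Q, E0)
    sig = sign(b"pay Bob 10", d, pub)
    print("public key:", pub, "signature (S1, S2):", sig)
    print("verifies:", verify(b"pay Bob 10", sig, pub))
```

With q = 11 the reduced digest takes only 11 values, so a tampered message can still verify by chance; that collision risk is exactly why the notes require a 160-bit q.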

What is Authentication?

Authentication is the process of determining if the person or entity accessing a computing system really is who they claim to be. Authentication systems make a binary decision. They allow or deny access based on credentials or other proof provided by those requesting access. Authentication typically works together with authorization systems, which determine what type or level of access a user should have.

Any computing system can and should have authentication—hardware appliances, networks, servers, individual workstations, mobile devices, and internet of things (IoT) devices. In reality, many devices and computing systems have weak or ineffective authentication, or authentication is not properly configured by administrators, resulting in severe security risks.

Authentication has critical importance in today's complex, highly connected digital environment, for three reasons:

1. Convenience—as individuals access more applications and services on their own devices, on corporate networks, and in the cloud, they require convenient and efficient authentication methods. Password-based authentication is impractical for users, can be easily compromised by attackers, and is quickly becoming a thing of the past.

2. Third party integrations—the API economy and microservices architectures have led to an explosion in the number of software systems connecting to each other, within and in between organizations. Secure authentication mechanisms are necessary to enable easy development, prevent accidental data exposure, and protect against cyber attacks.

3. Credential theft and account takeover—a vast majority of cyber attacks use
social engineering techniques to take over trusted accounts. Robust
authentication, both for external and internal communications, is critical to
prevent modern cyber threats. The Zero Trust security paradigm, adopted by the
US government and security giants like Google, Microsoft, and AWS, has
secure authentication at its core.

Authentication Requirements

Disclosure

Release of message contents to any person or process not possessing the appropriate cryptographic key.

Traffic analysis

Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either environment (connection-oriented or connectionless), the number and length of messages between parties could be determined.

Masquerade

Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone else.

Content modification

Changes to the contents of a message, including insertion, deletion, transposition, and modification.

Sequence modification

Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.

Timing modification

Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.

Source repudiation

Denial of transmission of message by source.

Destination repudiation

Denial of receipt of message by destination.

Authentication Protocols

An authentication protocol is a set of rules that allow a system to verify the identity of an endpoint (laptop, desktop, phone, server, etc.) or a user. Here are a few common authentication protocols.

Password Authentication Protocol (PAP)

PAP is the least secure protocol for authenticating users, primarily because it is
not encrypted. This is a login process that requires a username/password
combination to access the specified system, and verifies the provided
credentials against a user directory.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is an authentication protocol that uses a three-way exchange to authenticate users, verifying their identity with strong encryption. This works as follows:

1. The local device sends a “challenge” to the remote host

2. The remote host sends a response using a cryptographic hash function

3. The local device checks if the hash value of the response matches the
expected response, and if so, establishes an authenticated connection
(“handshake”). Otherwise, it closes the connection.

CHAP is more secure than PAP, because PAP only authenticates the user once, at login, while CHAP re-verifies the authentication on an ongoing basis.

OpenID Connect (OIDC)

OIDC leverages the authentication and authorization mechanisms of OAuth 2.0, commonly applied by numerous identity providers. It was created by the OpenID Foundation (OIDF), a non-profit dedicated to OpenID technology.

Here is the key difference between OIDC and OAuth 2.0:

● OAuth 2.0 is an authorization protocol

● OIDC is an identity authentication protocol

OIDC helps a client service verify the identity of end-users. It can also share (on
request) user claims such as name and email address.

OIDC works with various clients, including single-page applications (SPA) and
mobile applications. Here are key benefits of OIDC:

● You can use OIDC for single sign-on (SSO) across several applications.

● OIDC uses JSON Web Tokens (JWT) and HTTP flows to avoid sharing end-user credentials with client services.

● The protocol comes with built-in consent, requiring explicit consent from users before sharing their data.

● OIDC is simple to implement and is ideal for use in mobile applications.

Lightweight Directory Access Protocol (LDAP)

LDAP is a software protocol that enables users or applications to locate data about organizations, individuals and other resources, such as files and devices in a network. It can be used for resources on the public Internet or a corporate Intranet. The LDAP directory tells the user where in the network something is located. For example, it is possible to search for a specific user or a service available on the network. LDAP returns the hostname, and then the user can use DNS to obtain the IP and connect to it.

Security Assertion Markup Language (SAML)

SAML is an open standard that allows application developers to implement single sign on (SSO) and federated identity. It provides a standardized and secure protocol, based on XML, that allows applications to transfer authentication and authorization data between them. SAML can be used to implement SSO among multiple applications, which can be deployed within an enterprise network, operated by third-party vendors, or running within customer networks. All these applications can request and receive a user's identity, authentication, and authorization levels.

Extensible Authentication Protocol (EAP)

The protocol supports different types of authentication, from one-time passwords to smart cards. When used for wireless communications, EAP is highly secure because it allows remote devices to perform mutual authentication using built-in encryption. In the EAP protocol, all transmissions are encrypted—this is achieved by connecting the user to an access point, requesting credentials, verifying their identity through an authentication server, and then requesting a user ID through the server to verify again.

JSON Web Token (JWT)

JWT is an encoded version of a "claim", a secure transfer of information between two parties. A claim can be used to:

● Assert that a specific party issued the token and it is authentic

● Determine how long the token is valid

● Provide information about permissions granted to the user

● Provide general information about the user which can be used by the application

JWTs use a digital certificate to prove who issued the claim. Technically, a
JSON Web Token includes three parts: a header, specifying the algorithm used
in the certificate, a payload, which contains the information included in the
claim, and the digital signature.
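The three-part structure just described, as an added example that is not from the notes: minting an HS256 JWT with the standard library and verifying it the way a relying application should (pinned algorithm, constant-time signature check, issuer and expiry checks). The shared secret, issuer name and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example, not from the notes: header.payload.signature with HMAC-SHA256.
# Secret, issuer and claims below are constructed demo values.


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; the signature covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: bytes, expected_iss: str,
           now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if authentic, from expected_iss and unexpired; else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token's own header must not select "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):   # constant-time compare
        return None
    claims = json.loads(b64url_decode(p_b64))          # payload is authentic from here on
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = mint({"iss": "auth.example", "sub": "alice", "role": "admin",
                  "exp": time.time() + 300}, secret)
    print(token)
    print("claims:", verify(token, secret, "auth.example"))
```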

Kerberos

Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an authentication server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:

● Authentication Server (AS): The Authentication Server performs the initial authentication and issues the ticket for the Ticket Granting Service.

● Database: The Authentication Server verifies the access rights of users in the database.

● Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server.

Kerberos Overview:

● Step 1: The user logs in and requests services on the host. Thus the user requests the ticket-granting service.

● Step 2: The Authentication Server verifies the user's access rights using the database and then gives a ticket-granting ticket and session key. The results are encrypted using the password of the user.

● Step 3: The message is decrypted using the password, and the user then sends the ticket to the Ticket Granting Server. The ticket contains authenticators like user names and network addresses.

● Step 4: The Ticket Granting Server decrypts the ticket sent by the user and the authenticator, verifies the request, then creates the ticket for requesting services from the Server.

● Step 5: The user sends the Ticket and Authenticator to the Server.

● Step 6: The server verifies the Ticket and authenticator, then grants access to the service. After this the user can access the services.
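The six steps above as a single-process simulation, added here as an example and not part of the notes: an AS/TGS pair sharing one database, a client that runs Steps 1, 3 and 5, and a service that performs Step 6. The toy cipher (an HMAC-SHA256 keystream plus an HMAC tag), the SHA-256 password-to-key derivation, the principal names and the lifetimes are all constructed assumptions standing in for Kerberos' real encryption types and policy.

```python
import hashlib
import hmac
import json
import os
import time

# Added example, not from the notes. Everything here is constructed:
# toy_encrypt/toy_decrypt stand in for Kerberos' real encryption types and
# key_from_password for its string-to-key function.
TICKET_LIFETIME = 600      # seconds a TGT or service ticket stays valid
CLOCK_SKEW = 300           # max authenticator timestamp drift accepted


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def toy_encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || tag; the tag lets a wrong key be detected on decrypt."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication Server and Ticket Granting Server sharing the Kerberos database."""

    def __init__(self, db: dict):
        self.db = db     # principal -> long-term key; "krbtgt" is the TGS's own key

    def as_exchange(self, user: str):
        """Step 2: TGT sealed under the TGS key, session key sealed under the user's key."""
        if user not in self.db:
            raise PermissionError("unknown principal")
        sk = os.urandom(32)
        tgt = toy_encrypt(self.db["krbtgt"],
                          {"user": user, "key": sk.hex(), "exp": time.time() + TICKET_LIFETIME})
        return toy_encrypt(self.db[user], {"tgs_key": sk.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Step 4: open the TGT, check the authenticator, issue a service ticket."""
        t = toy_decrypt(self.db["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        auth = toy_decrypt(sk, authenticator)            # only the TGT holder knows sk
        if (auth["user"] != t["user"] or t["exp"] < time.time()
                or abs(auth["ts"] - time.time()) > CLOCK_SKEW):
            raise PermissionError("bad authenticator or expired TGT")
        svc_key = os.urandom(32)
        ticket = toy_encrypt(self.db[service], {"user": t["user"], "key": svc_key.hex(),
                                                "exp": time.time() + TICKET_LIFETIME})
        return toy_encrypt(sk, {"svc_key": svc_key.hex()}), ticket


def client_get_service_ticket(kdc: KDC, user: str, password: str, service: str):
    """Steps 1, 3 and 5 on the client: returns (ticket, authenticator) for the server."""
    sealed, tgt = kdc.as_exchange(user)                                          # step 1
    sk = bytes.fromhex(toy_decrypt(key_from_password(password), sealed)["tgs_key"])  # step 3
    auth = toy_encrypt(sk, {"user": user, "ts": time.time()})
    sealed2, ticket = kdc.tgs_exchange(tgt, auth, service)
    svc_key = bytes.fromhex(toy_decrypt(sk, sealed2)["svc_key"])
    return ticket, toy_encrypt(svc_key, {"user": user, "ts": time.time()})     # step 5


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Step 6: the server opens the ticket with its own key and checks the authenticator."""
    t = toy_decrypt(service_key, ticket)
    auth = toy_decrypt(bytes.fromhex(t["key"]), authenticator)
    if (auth["user"] != t["user"] or t["exp"] < time.time()
            or abs(auth["ts"] - time.time()) > CLOCK_SKEW):
        raise PermissionError("ticket/authenticator mismatch")
    return t["user"]


def login(db: dict, user: str, password: str, service: str):
    """Full run; the principal the service accepted, or None when any step fails."""
    try:
        ticket, auth = client_get_service_ticket(KDC(db), user, password, service)
        return service_accept(db[service], ticket, auth)
    except (ValueError, PermissionError, KeyError):
        return None


DB = {"krbtgt": os.urandom(32), "fileserver": os.urandom(32),
      "alice": key_from_password("correct horse battery")}   # constructed database

if __name__ == "__main__":
    print("accepted principal:", login(DB, "alice", "correct horse battery", "fileserver"))
```

Note that the password-derived key is used only once, in Step 3, to open the AS reply; every later message is protected by session keys the KDC generated, which is why the long-term secret never has to travel to the service.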

Kerberos Limitations

● Each network service must be modified individually for use with Kerberos

● It doesn't work well in a timeshare environment

● Requires a secured Kerberos server

● Requires an always-on Kerberos server

● Stores all passwords encrypted with a single key

● Assumes workstations are secure

● May result in cascading loss of trust

● Scalability

Is Kerberos Infallible?

No security measure is 100% impregnable, and Kerberos is no exception. Because it's been around for so long, hackers have had the ability over the years to find ways around it, typically through forging tickets, repeated attempts at password guessing (brute force/credential stuffing), and the use of malware, to downgrade the encryption.

Despite this, Kerberos remains the best access security protocol available today. The protocol is flexible enough to employ stronger encryption algorithms to combat new threats, and if users employ good password-choice guidelines, you shouldn't have a problem!

What is Kerberos Used For?

Although Kerberos can be found everywhere in the digital world, it is commonly used in secure systems that rely on robust authentication and auditing capabilities. Kerberos is used for Posix, Active Directory, NFS, and Samba authentication. It is also an alternative authentication system to SSH, POP, and SMTP.

Applications

● User Authentication: User Authentication is one of the main applications of Kerberos. Users only have to input their username and password once with Kerberos to gain access to the network. The Kerberos server subsequently receives the encrypted authentication data and issues a ticket granting ticket (TGT).

● Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users to log in once to access a variety of network resources. A user can access any network resource they have been authorized to use after being authenticated by the Kerberos server without having to provide their credentials again.

● Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication technique to make sure that both the client and server are authenticated. This is accomplished using a shared secret key that is securely kept on both the client and server. A client asks the Kerberos server for a service ticket whenever it tries to access a network resource. The client must use its shared secret key to decrypt the challenge that the Kerberos server sends in encrypted form. If the decryption is successful, the client responds to the server with evidence of its identity.

● Authorization: Kerberos also offers a system for authorization in addition to authentication. After being authenticated, a user can submit service tickets for certain network resources. Users can access just the resources they have been given permission to use, thanks to information about their privileges and permissions contained in the service tickets.

● Network Security: Kerberos offers a central authentication server that can regulate user credentials and access restrictions, which helps to ensure network security. In order to prevent unwanted access to sensitive data and resources, this server may authenticate users before granting them access to network resources.

X.509 Directory Services

X.509 is a digital certificate that is built on top of a widely trusted standard known as the ITU (International Telecommunication Union) X.509 standard, in which the format of PKI certificates is defined. An X.509 digital certificate is a certificate-based authentication security framework that can be used for providing secure transaction processing and private information. These are primarily used for handling security and identity in computer networking and internet-based communications.

Working of X.509 Authentication Service Certificate:

The core of the X.509 authentication service is the public key certificate
connected to each user. These user certificates are assumed to be produced by
some trusted certification authority and positioned in the directory by the user or
the certified authority. These directory servers are only used for providing an
effortless reachable location for all users so that they can acquire certificates.
X.509 standard is built on an IDL known as ASN.1. With the help of Abstract
Syntax Notation, the X.509 certificate format uses an associated public and
private key pair for encrypting and decrypting a message.

Once an X.509 certificate is provided to a user by the certified authority, that certificate is attached to it like an identity card. The chances of someone stealing it or losing it are less, unlike other unsecured passwords. With the help of this analogy, it is easier to imagine how this authentication works: the certificate is basically presented like an identity at the resource that requires authentication.

Format of X.509 Authentication Service Certificate:

Generally, the certificate includes the elements given below:

● Version number: It defines the X.509 version that concerns the certificate.

● Serial number: It is the unique number that the certified authority issues.

● Signature Algorithm Identifier: This is the algorithm that is used for signing the certificate.

● Issuer name: Tells about the X.500 name of the certified authority which signed and created the certificate.

● Period of Validity: It defines the period for which the certificate is valid.

● Subject Name: Tells about the name of the user to whom this certificate has been issued.

● Subject's public key information: It defines the subject's public key along with an identifier of the algorithm for which this key is supposed to be used.

● Extension block: This field contains additional standard information.

● Signature: This field contains the hash code of all other fields which is encrypted by the certified authority private key.

Applications of X.509 Authentication Service Certificate:

Many protocols depend on X.509 and it has many applications, some of them
are given below:

● Document signing and Digital signature

● Web server security with the help of Transport Layer Security (TLS)/Secure
Sockets Layer (SSL) certificates

● Email certificates

● Code signing

● Secure Shell Protocol (SSH) keys

● Digital Identities
