UNIT-IV

MESSAGE AUTHENTICATION AND

INTEGRITY

Prepared By:
Dr. Somya Dubey
 Content
 Authentication requirement
 Authentication function – MAC – Hash function
 SHA
 Digital signature and authentication protocols – DSS
 Entity Authentication: Biometrics, Passwords
 Challenge Response protocols- Authentication applications
,Kerberos, X.509
 Authentication Requirements

 Authentication helps establish trust by identifying the particular user/system.

 Authentication ensures that the claimant is really who he/she claims to be.
 Authentication is the first step in any cryptographic solution.
 Message authentication is a procedure to verify that received messages come from the
alleged source and have not been altered. Message authentication may also verify
sequencing and timeliness.
 A digital signature is an authentication technique that also includes measures to counter
repudiation by either source or destination.
 There is no use of encryption without authentication.
 In the context of communications across a network, the following attacks can be
identified:
 1. Disclosure
 2. Traffic analysis: Discovery of the pattern of traffic between parties.
 3. Masquerade: Insertion of messages into the network from a fraudulent source.
 4. Content Modification: Changes to the contents of a message, including
insertion,
 5. Sequence modification: Any modification to a sequence of messages
 6. Timing modification: Delay or replay of messages.
 7. Repudiation: Denial of receipt of message by destination or denial of
transmission
 History of Authentication
 A timeline of digital authentication
 1960s: Passwords and encryption
In 1961, Corbato created a password program to use on the MIT computer system. By the late 1960s,
programmers worked to develop a stronger password solution—one that wasn’t stored in plaintext files.
Robert Morris, a cryptographer at Bell Labs, developed a password encryption scheme while working on
Unix. It used a key derivation function that calculates a secret value and makes it easy to compute in one
direction, but not in the opposite.
 1970s: Asymmetric cryptography
Asymmetric cryptography, also known as public-key cryptography, uses a mathematically related pair of
keys—one public and one private—to encrypt and decrypt information. Asymmetric cryptography was
developed in the 1970s by UK government employees, James Ellis, Clifford Cocks, and Malcolm J.
Williamson. However, this knowledge was not made public until 1997.
Contd..
 1980s: Dynamic passwords
Traditional passwords quickly became insufficient as technology advanced. Passwords were
easily guessable, and many people reused their passwords, making them vulnerable. So
computer scientists developed dynamic passwords. Dynamic passwords change based on
variables like location, time, or a physical password update. Eventually, two dynamic
password protocols were introduced:
 TOTP—Time-based One-Time Password(OTP), where the password is generated based on the
time requested.
 HOTP—HMAC (Hash-based Message Authentication Code) OTP is an event-based OTP,
where the password is generated by a hash code that uses an incremental counter.
 Dynamic passwords are often used in combination with regular passwords as one form of two-
factor authentication.
 1990s: Public key infrastructure
Once asymmetric cryptography was made public, computer scientists built on that work and
standardized it through the development of public key infrastructure (PKI). PKI defined how
to create, store, and send digital certificates—adding more robust protection for online users
and communication.
Contd…
 2000s: Multi-factor authentication and single sign-on
By the early 2000s, programmers built stronger authentication technologies with
layered protections.
 Multi-factor authentication required users to provide two forms of verification before
gaining access. And single sign-on (SSO) streamlined the verification process so that
users only have to provide credentials at one access point—verified by a trusted third
party.
 2010s: Biometrics
Before the 2010s, biometric authentication was reserved for high-security government
access and spy movies. But with the advancement of recent technology, biometrics is
now a common form of authentication—including fingerprint TouchID and FaceID on
smart devices.
Authentication Factors
 An authentication factor is a category of credentials used to authenticate or verify a user’s
identity. Authentication factors can include passwords, security tokens (like keys or smart
cards), and biometric verification such as fingerprint scans.
 Here are three main authentication factors:
 Something you know (aka knowledge factors): This is the most common authentication
factor. It verifies identity by confirming users through confidential information they have,
such as a login and password.
 Something you have (aka possession factors): Users verify their identity with a unique
object such as an access card or key fob.
 Something you are (aka inherence factors): An inherence factor verifies identity through
inherent biometric characteristics of the user—like a fingerprint, voice, or iris pattern
 Message authentication is a procedure to verify that received messages come from
the alleged source and have not been altered. Message authentication may also verify
sequencing and timeliness.
 Any message authentication or digital signature mechanism can be viewed as having
fundamentally two levels.
Message Authentication Functions:
 Lower level: At this level, there is a need for a function that produces an authenticator,
which is the value that will further help in the authentication of a message.
 Higher-level: The lower level function is used here in order to help receivers verify the
authenticity of messages.
 Types of functions that may be used to produce an
authenticator

These functions may be grouped into three classes, as follows:

 1. Message Encryption: The ciphertext of the entire message serves as its
authenticator.
 2. Message Authentication Code1 (MAC): A public function of the message and a
secret key that produces a fixed length value that serves as the authenticator.
 3. Hash Functions: A public function that maps a message of any length into a
fixed length hash value, which serves as the authenticator.
 MESSAGE ENCRYPTION

 Message encryption by itself can provide a measure of authentication.

 The analysis differs for conventional and public-key encryption schemes.
 The message must have come from the sender itself, because the ciphertext can be
decrypted using his (secret or public) key.
 Also, none of the bits in the message have been altered because an opponent does not
know how to manipulate the bits of the ciphertext to induce meaningful changes to the
plaintext. Often one needs alternative authentication schemes than just encrypting the
message.
 Sometimes one needs to avoid encryption of full messages due to legal requirements.
 Encryption and authentication may be separated in the system architecture.