DIS Unit-3

Uploaded by jankar123

UNIT 3

DIGITAL SIGNATURE AND AUTHENTICATION

Digital Signature and Authentication Schemes: Digital signature - Digital Signature
Schemes and their Variants - Digital Signature Standards - Authentication:
Overview - Requirements - Protocols - Applications - Kerberos - X.509 Directory
Services
Authentication
• Authentication is the process of verifying the identity of a user,
system, or entity.
• It involves presenting credentials, such as a username and password,
a cryptographic key or ticket, or biometric data.
• The primary goal of authentication is to prevent unauthorized access
and protect sensitive information by confirming the legitimacy of the
user or entity seeking access.
Kerberos
• Network authentication protocol
• Kerberos provides a centralized authentication server whose function
is to authenticate users to servers and servers to users.
• Allows a user to access services distributed throughout the network
after a single login
• Relies entirely on symmetric (secret-key) cryptography: every
principal (user or service) shares a long-term secret key with the KDC
• Requires a trusted third party, the Key Distribution Center (KDC),
which holds the database of secret keys for the distributed network
Kerberos Architecture

[Figure: Kerberos architecture. The Key Distribution Center (KDC) contains the
Authentication Server (AS), which issues the Ticket Granting Ticket (TGT), and the
Ticket Granting Server (TGS). The user's client talks to the KDC and then to the
network services (servers).]
Terms
• Client: A user or service requesting access to a network service.
• Server: A service on the network that the client wants to access (such
as file servers, email servers, etc.).
• Authentication Server (AS): A trusted server responsible for
authenticating clients and issuing a Ticket Granting Ticket (TGT).
Ticket Granting Ticket (TGT)
• A Ticket Granting Ticket (TGT) is a special type of ticket used during
the authentication process.
• It is issued by the Authentication Server (AS) after the user or client
successfully authenticates (e.g., by proving possession of the key
derived from a valid password).
• The TGT serves as proof that the client has been authenticated and
can be used to request additional service tickets from the Ticket
Granting Server (TGS) without having to repeatedly enter credentials.
Ticket Granting Server (TGS):
• Ticket Granting Server (TGS): The server that issues service tickets for
accessing network resources.
• Key Distribution Center (KDC): The central server that includes both
the Authentication Server (AS) and the Ticket Granting Server (TGS).
• It manages the secret keys for the entities on the network.
• Database: Stores each principal's identity and long-term secret key
(for users, a key derived from the password; the password itself need
not be stored).
[Figure: Kerberos process flow. 1. The client sends its key request to the
Authentication Server (AS) inside the KDC; 2. the AS returns the TGT together
with a session key encrypted under the client's password-derived key, which the
client decrypts; 3. the client presents the TGT to the Ticket Granting Server
(TGS); 4. the TGS approves access; 5. the TGS returns a service ticket encrypted
under the server's secret key; 6. client and server communicate using the
shared session key.]
Process Flow
• Phase 1: Client Authentication:
• The client sends a request to the Authentication Server (AS), which is
part of the Key Distribution Center (KDC). The request names the client
principal (username); in Kerberos version 5 it normally also carries
pre-authentication data, a timestamp encrypted under the client's
long-term key, so that the AS answers only a client that knows that key.
• The AS looks up the client's key in its database, checks the
pre-authentication data, and responds with two things:
• A Ticket Granting Ticket (TGT): This contains the client's name, a
session key and an expiry time, and is encrypted using the TGS's secret
key, so the client can neither read nor alter it.
• A session key: A temporary symmetric key shared between the client and the
TGS, encrypted with the client's long-term key (derived from the password).
• The client derives its key from the password and decrypts the session
key. If the password is correct, the client now has a valid TGT and a
session key; the password itself never crosses the network.
• In Kerberos, a TKT refers to a ticket, a token used to
authenticate users and grant access to network services. Tickets are
central to the way Kerberos operates, as they enable secure
communication between clients and servers without sending
passwords across the network.
Phase 2: Service Request to the TGS
• When the client wants to access a specific service, it sends the TGT,
the name of the service and an authenticator (the client's name and the
current time, encrypted with the TGT session key) to the Ticket Granting
Server (TGS).
• The TGS validates the TGT (by decrypting it with its secret key),
extracts the session key from it and uses that key to check the
authenticator. If both are valid, it generates a service ticket. This
service ticket is encrypted using the server's secret key.
• The TGS sends this service ticket to the client along with a new session
key for communication between the client and the server, encrypted with
the TGT session key so that only the client can read it.
Phase 3: Accessing the Service
• The client sends the service ticket (received from the TGS) and a fresh
authenticator, encrypted with the client-server session key, to the
desired server.
• The server decrypts the service ticket using its own secret key,
recovers the session key and the client's name from it, and checks that
the authenticator decrypts under that key, names the same client and is
recent before allowing access. Because only the genuine server holds its
secret key, a ticket produced under any other key fails this check.
• Optionally, the server sends back an acknowledgment (the
authenticator's timestamp encrypted with the session key) to prove to
the client that the server is genuine (mutual authentication).
Example: Client Authentication Phase
• Step 1: The student logs into their computer and opens the online
library portal. The computer sends a request to the Authentication
Server (AS), asking for access. This request includes the student's
username (and, with pre-authentication, a timestamp encrypted under the
key derived from the student's password).
• Step 2: The Authentication Server (AS) looks up the student's username
in its database and verifies that the student knows the password (the
AS holds the key derived from it, never the password itself).
• If successful, the AS responds with:
• A Ticket Granting Ticket (TGT): This is encrypted using the secret key of
the Ticket Granting Server (TGS) and is only readable by the TGS.
• A session key: Encrypted using the key derived from the student's password.
• Step 3: The student's computer derives the same key from the password
and decrypts the session key. Now the computer has the TGT and session
key, but the student's password was never transmitted over the network.
Requesting Service Ticket Phase
• Step 1: The student wants to access the online library, so the computer
sends a request to the Ticket Granting Server (TGS). The request
contains the TGT, an authenticator encrypted with the session key from
the previous phase, and a request for a service ticket for the library
system.
• Step 2: The TGS decrypts the TGT using its secret key, takes the session
key from it and checks the authenticator, to verify that the request
really comes from the authenticated student.
• Step 3: The TGS creates a service ticket for the online library system
and sends it back to the student's computer. The service ticket is
encrypted using the online library server's secret key and contains a
new session key for secure communication between the student and the
library system; a copy of that session key is returned to the student
encrypted with the TGT session key.
Accessing the Service Phase
• Step 1: The student's computer sends the service ticket (received from
the TGS), together with a fresh authenticator encrypted with the new
session key, to the online library server.
• Step 2: The library server decrypts the service ticket using its own
secret key, recovers the session key and verifies the student's identity
by checking the authenticator with it.
• Step 3: If everything is verified, the library server grants access to the
system, and the student can now browse the library resources securely.
• Example Walkthrough:
• Client Authentication: The student logs in with their university
credentials. The system gets a TGT, proving the student is
authenticated, but without ever sending the password over the
network.
• Service Ticket Request: The system uses the TGT to request a service
ticket from the TGS to access the online library. The student doesn't
have to re-enter their credentials.
• Accessing the Service: The library server accepts the service ticket,
and the student can access books and resources securely.
Benefits in this Example:

• Single Sign-On: The student logs in once and can use the online
library without entering credentials again.
• Secure Authentication: Passwords are never sent across the network.
The entire process relies on encrypted tickets and session keys.
• Time-bound Access: Tickets are valid only for a certain period, which
limits the damage if a ticket is copied or stolen.
• The security of the whole scheme rests on the secrecy of the long-term
keys: a weak password gives a weak client key, and the KDC's key
database must be strongly protected.
• This simple example demonstrates how Kerberos ensures secure
access to network services without compromising sensitive user
information like passwords.
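The three exchanges described in the Process Flow and walked through in the library example above, as one added example that is not part of the original slides: a toy Kerberos model in Python, not MIT Kerberos or any real implementation. The realm name, principal names, passwords, the PBKDF2 key derivation and the HMAC-based toy cipher are assumptions standing in for Kerberos' real string-to-key function and AES enctypes; the ticket and authenticator checks, the pre-authentication step and the mutual-authentication reply are the ones Kerberos v5 actually performs.

```python
import hashlib, hmac, json, os, time

LIFETIME = 600     # ticket lifetime in seconds (assumed for this example)
CLOCK_SKEW = 300   # Kerberos' usual 5-minute tolerance on authenticator timestamps

def derive_key(password, salt):
    # Stand-in for Kerberos string-to-key: long-term key from password + salt (realm and name)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON payload (stand-in for Kerberos' AES+HMAC enctypes)."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key, or forged/tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ticket(ticket_key, ticket, authenticator):
    """Shared by TGS and server: open the ticket with our own key, then check the authenticator."""
    t = unseal(ticket_key, ticket)
    if time.time() > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)   # session key travels inside the ticket
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return t, a

class KDC:
    """Authentication Server and Ticket Granting Server over one key database."""
    def __init__(self, realm, passwords):
        self.keys = {p: derive_key(pw, realm + p) for p, pw in passwords.items()}

    def as_exchange(self, client, preauth):               # Phase 1 (AS-REQ / AS-REP)
        # Pre-authentication: the client proves it knows its key (encrypted timestamp) first
        if abs(time.time() - unseal(self.keys[client], preauth)["ts"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication failed")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": exp})
        return tgt, seal(self.keys[client], {"key": sk, "exp": exp})

    def tgs_exchange(self, tgt, authenticator, service):  # Phase 2 (TGS-REQ / TGS-REP)
        t, _ = verify_ticket(self.keys["krbtgt"], tgt, authenticator)
        sk, exp = os.urandom(32).hex(), min(t["exp"], time.time() + LIFETIME)
        ticket = {"client": t["client"], "service": service, "key": sk, "exp": exp}
        return seal(self.keys[service], ticket), seal(bytes.fromhex(t["key"]), {"key": sk})

class Server:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def ap_exchange(self, ticket, authenticator):         # Phase 3 (AP-REQ / AP-REP)
        t, a = verify_ticket(self.key, ticket, authenticator)
        if t["service"] != self.name:
            raise ValueError("ticket was issued for a different service")
        # Mutual authentication: echo the authenticator timestamp under the session key
        return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})

class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, derive_key(password, realm + name)

    def login(self, kdc):
        self.tgt, enc = kdc.as_exchange(self.name, seal(self.key, {"ts": time.time()}))
        self.tgs_key = bytes.fromhex(unseal(self.key, enc)["key"])  # password never sent

    def service_ticket(self, kdc, service):
        auth = seal(self.tgs_key, {"client": self.name, "ts": time.time()})
        st, enc = kdc.tgs_exchange(self.tgt, auth, service)
        return st, bytes.fromhex(unseal(self.tgs_key, enc)["key"])

    def access(self, server, st, sk):
        ts = time.time()
        reply = server.ap_exchange(st, seal(sk, {"client": self.name, "ts": ts}))
        return unseal(sk, reply)["ts"] == ts   # True only if the server holds the service key

def demo():
    """Constructed realm; returns (login and access succeeded, wrong password rejected)."""
    realm, password = "UNIV.EXAMPLE", "correct horse battery"
    kdc = KDC(realm, {"krbtgt": os.urandom(16).hex(), "library": os.urandom(16).hex(),
                      "alice": password})
    library = Server("library", kdc.keys["library"])
    alice = Client("alice", password, realm)
    alice.login(kdc)
    st, sk = alice.service_ticket(kdc, "library")
    ok = alice.access(library, st, sk)
    try:
        Client("alice", "wrong guess", realm).login(kdc)
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return ok, wrong_pw_rejected
```

demo() runs the student scenario end to end: the client logs in, obtains a service ticket without re-entering the password, and accepts the library server only after the mutual-authentication reply decrypts under the session key. The pre-authentication check in as_exchange is the caveat to the "password never sent" benefit: without it, the AS would hand the session-key blob encrypted under the user's long-term key to anyone who asks, which is an offline guessing target for weak passwords.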
X.509 Authentication Service
• International standard (ITU-T X.509) for the format of public-key digital certificates
• Does not generate any keys: the key pair is created by or for the subject, and the certificate only binds the subject's public key to its name under the issuer's signature
• Provides a way to obtain and verify public keys: anyone who trusts the issuing certification authority (CA) and holds its public key can check the signature on the certificate
• X.509 has three versions
• Version 1
• Version 2
• Version 3
• Several elements are present in an X.509 certificate; each version keeps the fields of the previous one and adds to them:
Version 1: Version, Serial Number, Signature Algorithm Identifier, Issuer Name, Validity Period, Subject Name, Subject Public Key Information (the whole structure is then signed by the issuer)
Version 2 adds: Issuer Unique Identifier, Subject Unique Identifier
Version 3 adds: Extensions
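The field list above, worked through as an added example that is not from the original slides: a minimal DER encoder and decoder in Python that builds a tbsCertificate in the version 1 and version 3 layouts and parses it back, refusing unique identifiers or extensions in a certificate whose declared version does not allow them, as RFC 5280 requires. The issuer and subject names, serial number, RSA modulus and exponent, validity dates and the placeholder signature are constructed sample values; no signing or signature verification is performed, so these certificates serve only to inspect the structure.

```python
SHA256_RSA, RSA, CN, BASIC_CONSTRAINTS = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3", "2.5.29.19"

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                     # long form: 0x80 | number of length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(i):
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))   # extra byte keeps sign bit clear
def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                        # base-128, high bit set on all but the last byte
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def der_name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN here
    return der_seq(tlv(0x31, der_seq(der_oid(CN), tlv(0x0C, cn.encode()))))
def der_alg(oid):   # AlgorithmIdentifier with NULL parameters
    return der_seq(der_oid(oid), tlv(0x05, b""))
def der_extension(oid, value, critical=False):
    return der_seq(der_oid(oid), tlv(0x01, b"\xff") if critical else b"", tlv(0x04, value))

def build_tbs(version, serial, issuer, subject, not_before, not_after, n, e, extensions=()):
    """Times are UTCTime strings such as '240101000000Z'; (n, e) is a dummy RSA public key."""
    parts = [tlv(0xA0, der_int(version - 1))] if version > 1 else []   # [0] EXPLICIT version
    parts += [der_int(serial), der_alg(SHA256_RSA), der_name(issuer),
              der_seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),
              der_name(subject),
              der_seq(der_alg(RSA), tlv(0x03, b"\x00" + der_seq(der_int(n), der_int(e))))]
    if extensions:
        parts.append(tlv(0xA3, der_seq(*extensions)))                  # [3] EXPLICIT Extensions
    return der_seq(*parts)

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_str(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_cn(name_body):
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()

def parse_certificate(cert):
    """Decode Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }; reject fields the version forbids."""
    tbs, sig_alg, _sig = children(read_tlv(cert)[1])     # signature value is not verified here
    fields, info = children(tbs[1]), {"version": 1}
    if fields[0][0] == 0xA0:                              # version field absent means v1
        info["version"] = int.from_bytes(read_tlv(fields[0][1])[1], "big") + 1
        fields = fields[1:]
    serial, alg, issuer, validity, subject, spki = fields[:6]
    info.update(serial=int.from_bytes(serial[1], "big"),
                signature_algorithm=oid_str(children(alg[1])[0][1]),
                issuer=name_cn(issuer[1]), subject=name_cn(subject[1]),
                validity=tuple(v.decode() for _, v in children(validity[1])),
                public_key_algorithm=oid_str(children(children(spki[1])[0][1])[0][1]))
    for tag, val in fields[6:]:
        if tag in (0x81, 0x82) and info["version"] < 2:   # issuer / subject unique identifier
            raise ValueError("unique identifiers require version 2 or 3")
        if tag == 0xA3:
            if info["version"] < 3:
                raise ValueError("extensions require version 3")
            info["extensions"] = [oid_str(children(e)[0][1]) for _, e in children(read_tlv(val)[1])]
    if oid_str(children(sig_alg[1])[0][1]) != info["signature_algorithm"]:
        raise ValueError("outer signatureAlgorithm must match tbsCertificate.signature")
    return info

def demo():
    """Constructed v1 and v3 certificates for 'Example Root CA' (dummy key, placeholder signature)."""
    ca = der_extension(BASIC_CONSTRAINTS, der_seq(tlv(0x01, b"\xff")), critical=True)
    out = {}
    for version, exts in ((1, ()), (3, (ca,))):
        tbs = build_tbs(version, 0x1001, "Example Root CA", "Example Root CA",
                        "240101000000Z", "250101000000Z", 0xC0FFEE, 65537, exts)
        out[version] = parse_certificate(der_seq(tbs, der_alg(SHA256_RSA), tlv(0x03, bytes(9))))
    return out
```

demo() returns the decoded fields of both certificates: the version 1 one carries exactly the seven base fields, while the version 3 one additionally reports its extensions (here a critical basicConstraints marking a CA). The version check in parse_certificate is the one a practitioner wants: a certificate that declares version 1 but carries extensions is malformed and should be rejected rather than have its extensions silently ignored or honoured.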
