UNIT 3
DIGITAL SIGNATURE AND AUTHENTICATION
Digital Signature and Authentication Schemes: Digital Signature - Digital Signature
Schemes and their Variants - Digital Signature Standards - Authentication:
Overview - Requirements - Protocols - Applications - Kerberos - X.509 Directory
Services
Authentication
• Authentication is the process of verifying the identity of a user,
  system, or entity.
• It involves presenting credentials, such as a username and password
  or biometric data.
• The primary goal of authentication is to prevent unauthorized access
  and protect sensitive information by confirming the legitimacy of the
  user or entity seeking access.
Kerberos
• Network authentication protocol
• Kerberos provides a centralized authentication server whose function
  is to authenticate users to servers and servers to users.
    • Allows a user to access services distributed throughout the network
• Relies on centrally managed secret keys (symmetric keys)
• Requires a trusted third party, the Key Distribution Center (KDC),
  which holds a database of the secret keys of all users and servers in
  the distributed network
Figure: Kerberos Architecture. The Key Distribution Center (KDC) contains
the Authentication Server (AS), which issues the Ticket Granting Ticket
(TGT), and the Ticket Granting Server (TGS). The user's client talks to
the KDC and then to the network services server.
Terms
• Client: A user or service requesting access to a network service.
• Server: A service on the network that the client wants to access (such
  as file servers, email servers, etc.).
• Authentication Server (AS): A trusted server responsible for
  authenticating clients and issuing a Ticket Granting Ticket (TGT).
Ticket Granting Ticket (TGT)
• A Ticket Granting Ticket (TGT) is a special type of ticket used during
  the authentication process.
• It is issued by the Authentication Server (AS) after the user or client
  successfully authenticates (e.g., by providing a valid username and
  password).
• The TGT serves as a proof that the client has been authenticated and
  can be used to request additional service tickets from the Ticket
  Granting Server (TGS) without having to repeatedly enter credentials.
Ticket Granting Server (TGS):
• Ticket Granting Server (TGS): The server that issues service tickets for
  accessing network resources.
• Key Distribution Center (KDC): The central server that includes both
  the Authentication Server (AS) and Ticket Granting Server (TGS).
• It manages secret keys for the entities on the network.
• Database: Stores the user credentials (usernames, passwords, and
  keys).
Figure: Kerberos Process Flow. 1. The client sends a key request to the
Authentication Server (AS) inside the KDC. 2. The AS returns an encrypted
ticket (TGT), which the client decrypts using its password hash. 3. The
client presents the TGT to the Ticket Granting Server (TGS). 4. Access
approved: the TGS issues a service ticket. 5. The client presents the
service ticket (secret key) to the network services server. 6. Client
and server communicate using the secret key.
Phase 1: Client Authentication
• The client sends a request to the Authentication Server (AS) via Key
  Distribution Center (KDC), typically consisting of the client's username.
• The AS checks the client’s credentials in its database and responds with
  two things:
   • A Ticket Granting Ticket (TGT): This is encrypted using the TGS’s secret key.
   • A session key: A temporary symmetric key shared between the client and the
     TGS, encrypted with the client’s password hash.
• The client decrypts the session key using their password. If the
  password is correct, the client now has a valid TGT and a session key.
• In Kerberos, a TKT refers to a ticket, which is a token used to
  authenticate users and grant access to network services. Tickets are
  central to the way Kerberos operates, as they enable secure
  communication between clients and servers without sending
  passwords across the network.
Phase 2: Service Request to the TGS
• When the client wants to access a specific service, it sends the TGT
  and a request for a service ticket to the Ticket Granting Server (TGS).
• The TGS validates the TGT (by decrypting it with its secret key) and,
  if valid, generates a service ticket. This service ticket is encrypted
  using the server’s secret key.
• The TGS sends this service ticket to the client along with a session key
  for communication between the client and the server.
Phase 3: Accessing the Service
• The client sends the service ticket (received from the TGS) and an
  authenticator to the desired server.
• The server decrypts the service ticket using its own secret key,
  verifying the client’s identity and allowing access.
• Optionally, the server can send back an acknowledgment encrypted
  with the session key to confirm successful authentication.
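As an added illustration of the three phases above (example code written for this page, not taken from any Kerberos implementation), the following Python simulation runs the AS, TGS and service exchanges in one process. It assumes a toy HMAC-based cipher in place of Kerberos' real AES encryption types, a constructed KDC database with the user "alice" and the service "library", and a 10-minute ticket lifetime.

```python
import hashlib, hmac, json, os, time
TTL = 600  # ticket lifetime in seconds: Kerberos tickets are time-bound
# Stand-in for string-to-key: the client's key is derived from the password locally; the password is never sent.
derive_key = lambda password: hashlib.sha256(password.encode()).digest()
def _xor(key, nonce, data):  # HMAC-SHA256 counter keystream; toy stand-in for Kerberos' AES enctypes
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, obj: dict) -> bytes:
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # tag detects wrong key or tampering

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")  # a wrong password ends up here
    return json.loads(_xor(key, nonce, ct))
# Constructed KDC database: one client key, the TGS key ("krbtgt") and the library server's key.
KDC_DB = {"alice": derive_key("correct horse"), "krbtgt": os.urandom(32), "library": os.urandom(32)}

def as_exchange(username: str):
    # Phase 1: TGT sealed under the TGS key; session key sealed under the client's key.
    sk = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": username, "sk": sk, "exp": time.time() + TTL})
    return tgt, seal(KDC_DB[username], {"sk": sk})

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    # Phase 2: TGS opens the TGT with its own key, checks it, then issues a service ticket.
    t = unseal(KDC_DB["krbtgt"], tgt)
    if t["exp"] < time.time() or unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
        raise ValueError("TGT expired or authenticator mismatch")
    svc_sk = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": t["client"], "sk": svc_sk, "exp": time.time() + TTL})
    return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})

def service_accept(service: str, ticket: bytes, authenticator: bytes) -> str:
    # Phase 3: server opens the ticket with its own key; expired tickets and stale authenticators (5-min skew) fail.
    t = unseal(KDC_DB[service], ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if t["exp"] < time.time() or a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300:
        raise ValueError("ticket expired or bad authenticator")
    return t["client"]

def client_login(username: str, password: str, service: str) -> str:
    # Client side of all three phases; returns the identity the service accepted.
    tgt, enc_sk = as_exchange(username)
    sk = bytes.fromhex(unseal(derive_key(password), enc_sk)["sk"])
    ticket, enc_svc = tgs_exchange(tgt, seal(sk, {"client": username, "ts": time.time()}), service)
    svc_sk = bytes.fromhex(unseal(sk, enc_svc)["sk"])
    return service_accept(service, ticket, seal(svc_sk, {"client": username, "ts": time.time()}))
```

A wrong password, a tampered ticket, or an expired ticket each fail at the receiver's decryption step, which is where the "passwords are never sent" and "time-bound access" properties come from.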
Example: Client Authentication Phase
• Step 1: The student logs into their computer and opens the online
  library portal. The computer sends a request to the Authentication
  Server (AS), asking for access. This request includes the student’s
  username.
• Step 2:
   • The Authentication Server (AS) checks the student's username against its
     database and verifies the identity using the student's password.
   • If successful, the AS responds with:
      • A Ticket Granting Ticket (TGT): This is encrypted using the secret key of the
        Ticket Granting Server (TGS) and is only readable by the TGS.
      • A session key: Encrypted using the student's password hash.
• Step 3: The student’s computer decrypts the session key using the
  student's password. Now, the computer has the TGT and session key,
  but the student’s password was never transmitted over the network.
Requesting Service Ticket Phase
• Step 1: The student wants to access the online library, so the computer
  sends a request to the Ticket Granting Server (TGS). The request
  contains the TGT and a request for a service ticket for the library
  system.
• Step 2: The TGS decrypts the TGT using its secret key to verify that the
  student is legitimate.
• Step 3: The TGS creates a service ticket for the online library system
  and sends it back to the student’s computer. The service ticket is
  encrypted using the online library server’s secret key and contains a
  session key for secure communication between the student and the
  library system.
Accessing the Service Phase
• Step 1: The student’s computer sends the service ticket (received from
  the TGS) to the online library server.
• Step 2: The library server decrypts the service ticket using its own
  secret key and verifies the student's identity.
• Step 3: If everything is verified, the library server grants access to the
  system, and the student can now browse the library resources securely.
Example Walkthrough:
• Client Authentication: The student logs in with their university
  credentials. The system gets a TGT, proving the student is
  authenticated, but without ever sending the password over the
  network.
• Service Ticket Request: The system uses the TGT to request a service
  ticket from the TGS to access the online library. The student doesn't
  have to re-enter their credentials.
• Accessing the Service: The library server accepts the service ticket,
  and the student can access books and resources securely.
Benefits in this Example:
• Single Sign-On: The student logs in once and can use the online
  library without entering credentials again.
• Secure Authentication: Passwords are never sent across the network.
  The entire process relies on encrypted tickets and session keys.
• Time-bound Access: Tickets are valid only for a certain period,
  reducing security risks.
• This simple example demonstrates how Kerberos ensures secure
  access to network services without compromising sensitive user
  information like passwords.
X.509 Authentication Service
• Internationally accepted digital certificate standard
• Does not generate any keys
• Provides a way to access public keys
• X.509 has three versions
   • Version 1
   • Version 2
   • Version 3
• An X.509 certificate contains several elements; each version adds
  fields to the previous one:
   • Version 1 fields: Version, Serial number, Signature algorithm
     identifier, Issuer name, Validity period, Subject name, Public key
     information
   • Added in Version 2: Issuer unique ID, Subject unique ID
   • Added in Version 3: Extensions