Revolutionizing B.

Tech
 Module-2

Authentication Applications

Course Name: Cryptography &Network Security

Total Hours : 06
Basic Authentication system structure
In a basic authentication system, there are typically three main components −

• A user − The user is the individual attempting to access network resources. They
may be a person, a device, or a software application.

• An authentication server − The authentication server is responsible for verifying

the identity of the user. It stores the credentials of all authorized users and checks
the credentials provided by the user against this database.

• Network resources − These are the resources on the network that the user is
attempting to access. These could include file servers, database servers, web
applications, and more.
Table of Contents
• Network Access Control
• IEEE 802.1X Access Control

• Kerberos
• X.509 Authentication Service

• Public-Key Infrastructure
• Diffie Hellman key exchange algorithm
 • Module -4 [09 hours]

• AUTHENTICATION APPLICATION: Kerberos, X.509 Authentication Service, Public Key Infrastructure.

EMAIL SECURITY: Pretty Good Privacy (PGP) and S/MIME.
• IP SECURITY: Overview, IP Security Architecture, Authentication Header, Encapsulating Security Payload.
•
Aim

To equip students in the understanding of Authentication principles and

applications in Network Security
 a) Explain the Authentication Applications.
b) To understand the encryption concepts.
c) To understand the concept Authentication server protocols.

Objective
What is authentication in network security?
• Authentication is used by a client when the client needs to know that the server is
system it claims to be. In authentication, the user or computer has to prove its
identity to the server or client. Usually, authentication by a server entails the use of
a user name a
• While just one facet of cybersecurity, authentication methods are the first line of
defense. This is the process of determining whether a user is who they say they
are. Not to be confused with the step it precedes—authorization—authentication is
purely the means of confirming digital identification, so users have the level of
permissions to access or perform a task they are attempting.
• There are many authentication methods, ranging from passwords to fingerprints,
to confirm the identity of a user before allowing access. Doing so adds a layer of
protection and prevents security lapses like data breaches, though it’s often the
combination of different types of authentication that provides secure system
reinforcement against possible threats.
X.509 Certificate Components
• X.509 certificates include:
• 1. Version number
• 2. Serial number
• 3. Signature algorithm identifier
• 4. Issuer name
• 5. Validity period
• 6. Subject's public key information
Public Key Infrastructure (PKI)
• PKI is a framework for managing public key encryption and
digital signatures, essential for secure communications over the
internet.
PKI Components
• PKI components include:
• 1. Certificate Authorities (CAs)
• 2. Registration Authorities (RAs)
• 3. Certificate Revocation Lists (CRLs)
• 4. Public and private keys
Email Security: PGP
• Pretty Good Privacy (PGP) is an encryption program used to
secure emails and ensure confidentiality, integrity, and
authenticity.
How PGP Works
• PGP uses a combination of symmetric and asymmetric
encryption:
• 1. A session key is used for encrypting the message.
• 2. The session key is encrypted with the recipient's public key.
S/MIME
• Secure/Multipurpose Internet Mail Extensions (S/MIME) is a
standard for public key encryption and signing of MIME data.
S/MIME Functions
• S/MIME provides:
• 1. Data confidentiality through encryption
• 2. Message integrity through digital signatures
• 3. Authentication of the message sender
IP Security Overview
• IP Security (IPSec) is a protocol suite for securing internet
protocol (IP) communications by authenticating and encrypting
each IP packet.
IPSec Components
• IPSec includes:
• 1. Authentication Header (AH)
• 2. Encapsulating Security Payload (ESP)
• 3. Security Associations (SA)
IPSec Modes
• IPSec operates in two modes:
• 1. Transport mode: Secures the payload of the IP packet.
• 2. Tunnel mode: Secures the entire IP packet.
Authentication Header (AH)
• AH provides integrity and authentication of the IP packet
headers but does not encrypt the payload.
Encapsulating Security Payload (ESP)
• ESP provides both encryption and authentication of IP packets,
ensuring confidentiality and integrity.
IPSec Architecture
• IPSec architecture defines how security policies are applied to
secure communication between devices.
Security Associations (SA)
• SA is a set of parameters and cryptographic algorithms used to
secure communications in IPSec.
Summary of Module 4
• We covered Kerberos, X.509, PKI, PGP, S/MIME, and IPSec
with its components, providing a strong foundation in network
and communication security.
Authentication methods

Authentication keeps invalid users out of databases, networks, and other resources. These types of
authentication use factors, a category of credential for verification, to confirm user identity. Here are just
a few authentication methods.

• Single-Factor / Primary Authentication

• Historically the most common form of authentication, Single-Factor Authentication, is also the
least secure, as it only requires one factor to gain full system access. It could be a username and
password, pin-number or another simple code. While user-friendly, Single-Factor authenticated
systems are relatively easy to infiltrate by phishing, key logging, or mere guessing. As there is no
other authentication gate to get through, this approach is highly vulnerable to attack.

• Two-Factor Authentication (2FA)

• By adding a second factor for verification, two-factor authentication reinforces security efforts. It
is an added layer that essentially double-checks that a user is, in reality, the user they’re
attempting to log in as—making it much harder to break. With this method, users enter their
primary authentication credentials (like the username/password mentioned above) and then must
input a secondary piece of identifying information.
Contd..
• Single Sign-On (SSO)

• With SSO, users only have to log in to one application and, in doing so, gain access to many
other applications. This method is more convenient for users, as it removes the obligation to
retain multiple sets of credentials and creates a more seamless experience during operative
sessions.

• Multi-Factor Authentication (MFA)

• Multi-factor authentication is a high-assurance method, as it uses more system-irrelevant

factors to legitimize users. Like 2FA, MFA uses factors like biometrics, device-based
confirmation, additional passwords, and even location or behavior-based information (e.g.,
keystroke pattern or typing speed) to confirm user identity. However, the difference is that
while 2FA always utilizes only two factors, MFA could use two or three, with the ability to
vary between sessions, adding an elusive element for invalid users.
Popular authentication methods
Here are some of the most popular authentication methods that are commonly used in computer networks −

• Passwords − As mentioned earlier, passwords are a common method of authentication. Users are prompted to enter
a combination of their username and password in order to log in to a system or access network resources.

• Biometric authentication − This method relies on unique physical characteristics of the user, such as fingerprints,
facial recognition, or iris scans, to verify their identity. Biometric authentication can be more secure than passwords,
as it is difficult to forge or steal someone's fingerprints or facial features.

• Security tokens − Security tokens are physical devices that generate one-time codes or passwords that can be used
to log in to a system. The codes generated by the security token are typically only valid for a short period of time
and can't be used again, adding an additional layer of security.

• Two-factor authentication (2FA) − This method requires users to provide two different types of credentials in order
to log in. For example, a user might be prompted to enter their password and then confirm their identity by entering
a code sent to their phone.

• Certificates and PKI − Some networks use certificates or public key infrastructure (PKI) to verify the identity of
devices. In these systems, each device is issued a unique digital certificate that is used to authenticate its identity.
Contd..
• Single sign-on (SSO) − SSO systems allow users to log in to multiple applications with a single
set of credentials. This can make it easier for users to access the resources they need, while still
maintaining strong security controls.

• Smart cards − Smart cards are physical cards that contain a chip that stores information about the
user, such as their credentials or other identifying information. Users can use smart cards to log in
to systems or access network resources by inserting the card into a card reader.

• One-time passwords (OTP) − OTPs are passwords that are valid for only a single use. They are
often used in conjunction with other authentication methods, such as passwords or security tokens.
OTPs can add an additional layer of security, as they can't be used again once they have been used
to log in.

• Multi-factor authentication (MFA) − MFA requires users to provide multiple types of credentials
in order to log in. This can include passwords, security tokens, biometric authentication, and more.
MFA can be more secure than other methods, as it requires multiple types of credentials to be
provided.
Authentication Applications:
• Developed to support application-level authentication and digital signatures
• Most widely used services:
• Kerberos
• X.509
• Kerberos – a private-key authentication service
• X.509 – a public-key directory authentication service
• Kerberos:
• Developed as part of Project Athena at MIT
• Symmetric encryption
• using no public keys
• Provides centralized private-key third-party authentication in a distributed network
• Version 4 and 5
KERBEROS
• In Greek mythology, a many headed dog, the guardian of the entrance of Hades.

• Provides a centralized authentication server to authenticate users to servers

and servers to users.
• Relies on conventional encryption, making no use of public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
Kerberos Motivation
• Provide security in a distributed architecture consisting of dedicated user workstations
(clients), and distributed or centralized servers
• Require the user to prove his identity for each service invoked
• Require that servers prove their identity to clients
• Secure, Reliable, Transparent, and Scalable
• Kerberos Version 4
• Uses DES, in a rather elaborate protocol, to provide authentication
• Uses an Authentication Server (AS)
• Knows all user passwords, and stores in a DB
• Shares a unique secret key with each server
• Send an encrypted ticket granting ticket
• TGT contains a lifetime and timestamp
Uses a Ticket Granting Server (TGS)
• Issues tickets to users authenticated by AS
• Encrypted with a key only known by AS and TGS
• Returns a service granting ticket
• Service granting ticket contains timestamp and lifetime
• Kerberos Dialog:
• Problem: lifetime and no server authenticate to user
• Uses a session key
• Message Exchanges (see table 14.1)
• AS exchange to obtain ticket-granting ticket
• TGS exchange to obtain service granting ticket
• Client/Server authentication exchange to obtain service
Kerberos Overview:
Kerberos Version 5:
• Fixes version 4 environmental shortcomings
• New elements for AS exchange:
• Realm, Options, Times, Nonce
• Client/server authentication exchange
• Subkey, sequence number

Difference Between Version 4 and 5

• Encryption system dependence (V.4 DES)
• Internet protocol dependence
• Message byte ordering
• Ticket lifetime
• Authentication forwarding
• Inter realm authentication
X.509 Authentication Service
• X.509 is a digital certificate that is built on top of a widely trusted standard known as ITU or International
Telecommunication Union X.509 standard, in which the format of PKI certificates is defined. X.509 digital certificate is a
certificate-based authentication security framework that can be used for providing secure transaction processing and private
information. These are primarily used for handling the security and identity in computer networking and internet-based
communications.
• Most of the protocols depend on X.509 and it has many applications, some of them are given below:
• Document signing and Digital signature
• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
• Digital Identities
X.509:
Part of X.500 series
•distributed servers maintaining user information database
•defines framework for authentication services
•directory may store public-key certificates
•with public key of user signed by certification authority
•also defines authentication protocols
•uses public-key cryptology & digital signatures
•algorithms not standardized, but RSA recommended
•X.509 certificates are widely used
•Public key certificate associated with each user
•Generated by some trusted CA
•Certification Authority (CA) issues certificates
Contd..
•The notation CA<<A>> represents a certificate for a client A signed by CA
issued by a Certification Authority (CA), containing:
• version 1, 2, or 3
• serial number (unique within CA) identifying certificate
• signature algorithm identifier
• issuer X.500 name (CA)
• period of validity (from - to dates)
• subject X.500 name (name of owner)
• subject public-key info (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
X.509 Certificates:
Certificate Revocation
Obtaining a User Certificate:
•Certificate notation: CA{...}
•Any user with CA’s public key can verify the user public key that was certified
•No party other than the CA can modify the certificate without being detected
•because cannot be forged, certificates can be placed in a public directory
Certificate Revocation:
certificates have a period of validity may need to revoke before expiry:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CA’s maintain list of revoked certificates
the Certificate Revocation List (CRL)
users should check certificates with CA’s CRL
Authentication Procedures:
• X.509 includes three alternative authentication procedures:
• One-Way Authentication
• Two-Way Authentication
• Three-Way Authentication
• all use public-key signatures
One-Way Authentication:
1 message ( A->B) used to establish the identity of A and that message is from A
•message was intended for B
•integrity & originality of message
•message must include timestamp, nonce, B's identity and is signed by A
•may include additional info for B
•eg session key
Contd..
•Two-Way Authentication:
2 messages (A->B, B->A) which also establishes in addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
reply includes original nonce from A, also timestamp and nonce from B
may include additional info for A

• Three-Way Authentication:
3 messages (A->B, B->A, A->B) which enables above authentication
without synchronized clocks
has reply from A back to B containing signed copy of nonce from B
means that timestamps need not be checked or relied upon
X.509 Version 3:
➢ •has been recognized that additional information is needed in a certificate
➢ •email/URL, policy details, usage constraints
➢ •rather than explicitly naming new fields defined a general extension
➢ method
➢ •extensions consist of:
➢ •extension identifier
➢ •criticality indicator
➢ •extension value
Certificate Extensions:
➢ •key and policy information
➢ •convey info about subject & issuer keys, plus indicators of certificate
➢ policy
➢ •certificate subject and issuer attributes
➢ •support alternative names, in alternative formats for certificate
➢ subject and/or issuer
➢ •certificate path constraints
➢ •allow constraints on use of certificates by other CA’s
AUTHENTICATION FUNCTIONS
• Message Authentication - a mechanism or service used to verify the integrity of a message.
•Assures that data received are exactly as sent (i.e., contain no modification, insertion, deletion, or
replay).
•Assures that purported identity of the sender is valid.
• When a hash function is used to provide message authentication, the hash
function value is often referred to as a message digest.

Authentication function is of two levels of functionality :

• Lower Level produces an authenticator: a value to be used to authenticate a
message.
• Higher-Level enables a receiver to verify the authenticity of a message
Grouped Into Three Classes
Grouped Into Three Classes :
• Message Encryption -The ciphertext of the entire message serves as its
authenticator

• Message authentication code (MAC) -A function of the message and a secret key
that produces a fixed-length value that serves as the authenticator

• Hash function- A function that maps a message of any length into a fixed-
length hash value, which serves as the authenticator
Encryption
Message authentication code (MAC)
Hashing
IEEE 802.1X
• 802.1X is used for secure network authentication. If you are an organization dealing with valuable and
sensitive information, you need a secure method of transporting data. 802.1X is used so devices can
communicate securely with access points (enterprise-grade routers). It was historically only used by large
organizations like enterprises, universities, and hospitals, but is rapidly becoming adopted by smaller
businesses because of the growing threats in 802.1X cyber security.

• 802.1X is often referred to as WPA2-Enterprise. In contrast, the Pre-Shared Key network security most often
used at home is referred to as WPA2-Personal. WPA2-Personal is not sufficient for any organization dealing
with sensitive information and can put organizations at serious risk for cybercrimes.
Most common authentication protocols?
Here are a few of the most commonly used authentication protocols.
• Password Authentication Protocol (PAP)
• While common, PAP is the least secure protocol for validating users, due mostly to its lack of
encryption. It is essentially a routine log in process that requires a username and password
combination to access a given system, which validates the provided credentials. It’s now most often
used as a last option when communicating between a server and desktop or remote device.
• Challenge Handshake Authentication Protocol (CHAP)
• CHAP is an identity verification protocol that verifies a user to a given network with a higher
standard of encryption using a three-way exchange of a “secret.” First, the local router sends a
“challenge” to the remote host, which then sends a response with an MD5 hash function. The router
matches against its expected response (hash value), and depending on whether the router determines
a match, it establishes an authenticated connection—the “handshake”—or denies access. It is
inherently more secure than PAP, as the router can send a challenge at any point during a session,
and PAP only operates on the initial authentication approval.
• Extensible Authentication Protocol (EAP)
• This protocol supports many types of authentication, from one-time passwords to smart cards. When
used for wireless communications, EAP is the highest level of security as it allows a given access
point and remote device to perform mutual authentication with built-in encryption. It connects users
to the access point that requests credentials, confirms identity via an authentication server, and then
makes another request for an additional form of user identification to again confirm via the server—
completing the process with all messages transmitted, encrypted.
Public Key Infrastructure:
Diffie-Hellman Key Exchange
• The Diffie-Hellman key exchange (also known as exponential key exchange) is a method for
securely exchanging cryptographic keys over an insecure channel. It is a fundamental building
block of many secure communication protocols, including SSL/TLS and SSH.
• The Diffie-Hellman key exchange works by allowing two parties (Alice and Bob) to agree on a
shared secret key over an insecure channel, without any other party being able to intercept the key
or learn anything about it. The key exchange involves the following steps −
• Alice and Bob agree on two large prime numbers, p and g, and a public key exchange algorithm.
• Alice chooses a secret integer, a, and computes A = g^a mod p. She sends A to Bob.
• Bob chooses a secret integer, b, and computes B = g^b mod p. He sends B to Alice.
• Alice computes s = B^a mod p. Bob computes s = A^b mod p.
• Alice and Bob now both have shared secret keys, which they can use to establish a secure
communication channel.
Write a java program which calculates the Key for two persons using the Diffie-Hellman Key
exchange algorithm.
• // This program calculates the Key for two persons using the Diffie-Hellman Key exchange algorithm

• class DHK {
• private static long power (long a, long b, long p)
• {
• if (b == 1)
• return a;
• else
• return (((long)Math.pow(a, b)) % p);
• }
• public static void main (String[] args)
• {
• long P, G, x, a, y, b, ka, kb;
• P = 23;
• System.out.println("The value of P:" + P);
Contd..
• G = 9;
• System.out.println("The value of G:" + G);
• a = 4;
• System.out.println("The private key a for Alice:"+ a);
• x = power(G, a, P);
• b = 3;
• System.out.println("The private key b for Bob:" + b);
• y = power(G, b, P);
• ka = power(y, a, P); // Secret key for Alice
• kb = power(x, b, P); // Secret key for Bob
• System.out.println("Secret key for the Alice is:"+ ka);
• System.out.println("Secret key for the Bob is:" + kb);
• }
• }
Applications of Diffie Hellman Algorithm
Many protocols use Diffie-Hellman algorithm to enhance security and few of them are:

• Secure Shell (SSH): SSH is a secure network protocol that can be used to transmit files and log into distant
machines. SSH uses the Diffie-Hellman algorithm to allow secure key exchange between client and server and
secure data transfer.

• Transport Layer Security (TLS) / Secure Sockets Layer (SSL): Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) are encryption protocols that are used to protect online communication. These protocols use the
Diffie-Hellman algorithm to safely exchange encryption keys, preventing data manipulation and eavesdropping.

• Public Key Infrastructure (PKI): To secure communication over the internet, PKI uses a system of digital
certificates, certificate authorities, and public key encryption. PKI uses the Diffie-Hellman algorithm to exchange
encryption keys securely while preserving data integrity and secrecy.

• Internet Key Exchange (IKE): IKE is a protocol that is used to establish a secure virtual private network (VPN)
connection. IKE uses the Diffie-Hellman algorithm to create a secure VPN connection and securely exchange
encryption keys.
• Internet Protocol Security (IPSec): The security protocol known as Internet Protocol Security (IPSec) is used to
protect online communication. IPSec uses the Diffie-Hellman algorithm to exchange encryption keys securely while
preserving the confidentiality and integrity of data transmission
Limitations of Diffie-Hellman algorithm:
The following are the limitations of Diffie-Hellman algorithm:

1. Lack of authentication procedure.

2. Algorithm can be used only for symmetric key exchange.

3. As there is no authentication involved, it is vulnerable to man-in-the-middle attack.

4. As it is computationally intensive, it is expensive in terms of resources and CPU performance time.

5. Encryption of information cannot be performed with the help of this algorithm.

• Digital signature cannot be signed using Diffie-Hellman algorithm.

Module 4: Authentication Applications
• Overview of Kerberos, X.509 Authentication Service, and Public
Key Infrastructure.
Authentication Applications: Kerberos
• Kerberos is a network authentication protocol designed to
provide strong authentication for client-server applications.
How Kerberos Works
• Kerberos uses tickets and symmetric key cryptography to
authenticate users and services.
Authentication Process in
Kerberos
• 1. Client requests authentication.
• 2. Authentication server responds with a ticket-granting ticket
(TGT).
• 3. Client presents TGT to the Ticket-Granting Server (TGS) to
access services.
X.509 Authentication Service
• X.509 is a standard defining the format of public key certificates,
which are used in various security protocols.
Assessments
Question 1:

1. Which among the following are the components of

Kerberos?
a) Web Server
b) Windows Server
c) Client Server
d) Authentication Server
Assessments

Question 2:

2. The protocol which uses Diffie-Hellman algorithm to

enhance security are?

1. Public Key Infrastructure

2. Private Key Infrastructure
3. Protected Key Infrastructure
4. Symmetric Key Infrastructure
Assessments

3. What protocol is used in NAC?

1. 802.11X protocol
2. 802.1X protocol
3. 802.2X protocol
4. 803.1X protocol
 Lab Assessment

Q1) Write a java program which calculates the Key for two persons
using the Diffie-Hellman Key exchange algorithm.
Activities

• Surprise Quiz in Class

Summary

Outcomes:

a. Understanding the authentication concept in Network security

b. Basic Authentication Protocols
c. Diffie Hellman key exchange algorithm
Terminal Questions

1. Explain the Basic Authentication system structure in Network Security?

2. List the Applications of X.509 Authentication Service Certificate?
3. What is IEEE 802.1X Used For?
4. Explain the X.509 Authentication Service in Network Security?
5. List out the Applications of Diffie Hellman Algorithm and its Limitations?
6. Explain the most popular authentication methods in network security in detail?
Reference Links Reference Material

https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmY
XVsdGRvbWFpbnxha2hsYWdoZWF8Z3g6MTRmYTdkZDQ4
Y2Q2MmFhMQ
Thank you