CRYPTO Unit 6

Q1) What is Kerberos? What problem was Kerberos designed

to address? List requirements of Kerberos.
What is Kerberos?
Kerberos is a network authentication protocol designed to provide secure
authentication over an insecure network, such as the internet or a local area network
(LAN). It uses symmetric key cryptography and a trusted third-party system to
verify the identity of users and services.
Kerberos was developed at the Massachusetts Institute of Technology (MIT) as part
of Project Athena and is now widely used in systems like Windows Active Directory,
Linux, and UNIX networks.

What Problem Was Kerberos Designed to Address?

Kerberos was designed to solve the following security problem:

"How can a user prove their identity to a service over an insecure network,
without sending passwords in plain text and without risk of impersonation?"
In a network environment:
• Attackers can intercept passwords sent over the network.
• Servers may not be able to verify user identity securely.
• Replay attacks and unauthorized access become major risks.

Kerberos addresses these issues by using ticket-based authentication, where

the user's identity is confirmed using encrypted tokens instead of sending
passwords.

Requirements of Kerberos
To function securely and efficiently, Kerberos has the following key requirements:

Requirement Description
 1. Trusted Third Party A Key Distribution Center (KDC) must be trusted by all
users and services. It issues tickets and manages secret
keys.

2. Secure Authentication should be done without transmitting

Authentication passwords in plain text.

3. Single Sign-On Users should be able to log in once and access multiple
(SSO) services without re-authenticating.

4. Time All machines in the network must have closely

Synchronization synchronized clocks, as Kerberos uses timestamps to
prevent replay attacks.

5. Mutual Both the user and the service must be able to

Authentication authenticate each other.

6. Protection Against Kerberos uses time-stamped tickets and authenticators

Replay Attacks to ensure old tickets cannot be reused.

7. Scalability The system must work efficiently for large numbers of

users and services.

8. Strong Encryption Uses symmetric encryption algorithms (like AES) to

protect data and communications.

Q2) Discuss Key Distribution Centre (KDC) structure.

A Key Distribution Centre (KDC) is a trusted central server that plays a crucial role in
secure symmetric key distribution in a network. It is designed to authenticate users
and help them securely exchange session keys with other users or services, without
the need to share passwords or long-term secret keys over the network.
It is widely used in protocols such as Kerberos to ensure secure authentication and
communication.

Structure of KDC
The KDC is logically divided into two main components, each with a specific
function:

1. Authentication Server (AS)

➤ Purpose:
• To verify the identity of the user at the time of login and provide an initial
ticket (TGT - Ticket Granting Ticket).

➤ Functions:
• Receives an authentication request from the user (usually just the username).
• Looks up the user in a secure user database.
• If the user exists, generates a session key and a TGT.
• The session key is encrypted using the user’s password-derived key.
• Sends the encrypted TGT and session key back to the user.

2. Ticket Granting Server (TGS)

➤ Purpose:
• To issue service-specific tickets that allow access to different network
services after initial authentication.

➤ Functions:
• Receives the TGT and a request for access to a particular service.
• Decrypts and verifies the TGT using its own secret key.
• Checks the validity period of the TGT and authenticator (timestamp).
• If valid, creates a Service Ticket, containing a new session key for
communication between the user and the requested service.
• Sends this Service Ticket to the user, encrypted with the service's secret key.

What the KDC Stores

• User credentials (e.g., hashed passwords or symmetric keys).
• Service keys (shared secrets between KDC and each service).
• Session key records for temporary communication.
• Ticket expiration times to prevent replay attacks
Real-World Use

• Widely used in Kerberos-based systems (e.g., Windows Active Directory).

• Also forms the basis of secure enterprise environments requiring authenticated access
to shared resources.
 Q3) Explain Password Authentication in detail.
What is Password Authentication?
Password Authentication is one of the most basic and widely used techniques in
cryptography for verifying the identity of a user. It involves a user providing a secret
password, which the system checks against a stored value to determine whether
access should be granted.
It is commonly used in login systems, network protocols, and secured applications
to ensure that only authorized users can access sensitive data or resources.

How Password Authentication Works

The general steps involved in Password Authentication are:
1. User Registration (Initial Setup)
• The user selects a password during registration.
• Instead of storing the actual password, the system usually stores a hash of
the password using a secure hashing algorithm like SHA-256 or bcrypt.
• This ensures that even if the database is compromised, actual passwords are
not exposed.
2. User Login (Authentication Phase)
• The user enters the username and password.
• The system hashes the entered password using the same algorithm.
• It then compares this hash to the stored hash in the database.
• If the hashes match, the user is authenticated; otherwise, access is denied.

Example of Password Hashing

Let’s say a user sets the password: mySecurePass123
• System hashes it using SHA-256:
6a27e9a7e76... (example hash)
• Stores only the hash, not the plain password.
 • During login, it re-computes the hash of the entered password and matches it
with the stored hash.

Security Enhancements in Password Authentication

To improve the security of password authentication, the following techniques are
commonly used:
1. Salting
• A salt is a random string added to the password before hashing.
• It prevents rainbow table attacks by making the same password hash
differently for different users.
2. Hashing Algorithms
• Secure algorithms like bcrypt, PBKDF2, or Argon2 are preferred over simple
hashes like MD5 or SHA-1.
• These are slow by design, making brute-force attacks harder.
3. Multi-Factor Authentication (MFA)
• Combines password with another authentication factor (e.g., OTP,
fingerprint).
• Adds an extra layer of protection even if the password is compromised.
4. Account Lockouts and Rate Limiting
• Prevent repeated guessing of passwords by locking accounts or delaying
login attempts after several failures.

Q4) Explain Certificate-based Authentication. How does

Certificate-based Authentication work?
What is Certificate-based Authentication?
Certificate-based Authentication is a secure method of verifying a user's or device’s
identity using digital certificates issued by a trusted authority. Unlike password-
based systems, it uses asymmetric cryptography, where a public-private key pair is
used for authentication.
It is widely used in HTTPS, SSL/TLS, VPNs, email encryption, and enterprise
systems.
What is a Digital Certificate?
• A Digital Certificate is an electronic document that contains:
• The public key of a user or device.
• The identity information (like name, organization).
• The issuer’s digital signature (from a trusted Certificate Authority - CA).
• The certificate’s expiration date and serial number.
• The certificate follows a standard format, commonly X.509.

How Does Certificate-based Authentication Work?

• The working of certificate-based authentication involves several steps:

1. Certificate Generation and Issuance

• A user or device generates a public-private key pair.
• A Certificate Signing Request (CSR) is created and sent to a Certificate
Authority (CA).
• The CA verifies the identity and issues a signed digital certificate, binding the
public key to the user.

2. Authentication Process
• When a user tries to authenticate (e.g., accessing a secure server), the
following steps occur:
Step 1: Client Presents Certificate
• The client sends its digital certificate to the server.
Step 2: Server Verifies Certificate
• The server checks:
o Certificate is signed by a trusted CA.
o Certificate is valid (not expired or revoked).
o Certificate matches the expected identity.
Step 3: Challenge–Response
• The server sends a random challenge (e.g., nonce).
 • The client signs the challenge using its private key.
• The server verifies the signature using the client’s public key from the
certificate.
• If the verification is successful, authentication is complete.

Q5) Explain one-way authentication mechanism.

What is One-Way Authentication?

One-Way Authentication is a type of authentication mechanism where only one
party verifies its identity to the other, while the other party remains unauthenticated.
It is most commonly used when a client needs to verify the identity of a server, such
as in HTTPS communication, where a website proves its identity to the user's
browser using a digital certificate.

How One-Way Authentication Works

In a typical one-way authentication setup (like SSL/TLS in HTTPS), the following
steps take place:
Step 1: Client Requests a Secure Connection
• The client (e.g., a web browser) initiates a request to connect securely to a
server (e.g., a website).
Step 2: Server Sends Digital Certificate
• The server sends its digital certificate, which includes:
o The server’s public key.
o Identity information (domain name, organization).
o Certificate Authority (CA) signature.
Step 3: Client Verifies the Certificate
• The client checks whether:
o The certificate is issued by a trusted CA.
o The certificate is not expired or revoked.
o The domain name matches the certificate.
• If the certificate is valid, the client trusts the server's identity.
Step 4: Secure Communication Begins
 • The client generates a symmetric session key, encrypts it using the server's
public key, and sends it to the server.
• Now both parties share the same session key, enabling confidential
communication.
Real-Life Example
When you visit https://example.com:
• Your browser checks the website’s SSL certificate.
• If the certificate is trusted, a padlock icon appears, indicating that the site is
authenticated and communication is encrypted.
• However, the server does not authenticate you unless you log in.

Q6) What is Authentication Token? What are the types of

Authentication Tokens? Explain any one in brief.
What is an Authentication Token?
An Authentication Token is a digital object or physical device used to verify the
identity of a user or system. It serves as proof that the user has already been
authenticated and is authorized to access specific resources or services.
Tokens are widely used in systems that require secure login, session management,
and multi-factor authentication.
Purpose of Authentication Tokens
• To maintain secure user sessions.
• To provide temporary access without needing to re-enter credentials.
• To support stateless authentication in APIs and distributed systems.
• To enable multi-factor authentication in sensitive environments.

Types of Authentication Tokens

Authentication tokens can be broadly classified into two main categories:
1. Software Tokens
These are digital tokens generated and managed by software applications.
• Session Tokens – Generated after login to maintain the session.
 • OAuth Tokens – Used for authorizing access to APIs.
• JWT (JSON Web Tokens) – Encoded data used in web authentication.
• One-Time Passwords (OTPs) – Tokens valid for a single use only.
2. Hardware Tokens
These are physical devices that generate or store authentication codes.
• Smart Cards – Contain cryptographic chips and digital certificates.
• USB Tokens – Plugged into a device to authenticate users.
• RSA SecurID Tokens – Display a new OTP every 30-60 seconds.

Explanation of One Type: JSON Web Token (JWT)

1. JWT (JSON Web Token) is a widely used software token format for securely
transmitting information between parties.
Structure of a JWT:
2. A JWT has three parts, separated by dots (.):
3. Header – Contains token type and signing algorithm (e.g., HS256).
4. Payload – Contains the actual data or claims (e.g., user ID, role).
5. Signature – Used to verify the token's authenticity using a secret key.
How it Works:
• After successful login, the server generates a JWT and sends it to the client.
• The client includes the token in future requests (usually in the Authorization
header).
• The server validates the token’s signature and allows access if valid.

Q7) Explain Biometric Authentication.

What is Biometric Authentication?
Biometric Authentication is a security process that verifies a person’s identity based
on their unique biological characteristics. Instead of using passwords or tokens, it
relies on inherent human traits, such as fingerprints, facial structure, voice, or iris
patterns.
It is widely used in access control systems, mobile devices, e-passports, and secure
facilities.
Purpose of Biometric Authentication
• To ensure that only authorized individuals can access a system or resource.
• To provide high accuracy and security since biometric traits are hard to
replicate.
• To eliminate the need for remembering passwords or carrying tokens.

Common Types of Biometric Authentication

Type Description
Fingerprint Scans patterns on a finger. Most widely used in phones and
Recognition security systems.
Face Recognition Analyzes facial features such as the distance between eyes,
jaw shape, etc.
Voice Recognition Identifies users based on vocal patterns and pitch.
Behavioral Analyzes how a person types, walks, or uses a device.
Biometrics

How Biometric Authentication Works

The process involves two main phases:
1. Enrollment Phase
• The user's biometric trait is captured using a scanner (e.g., fingerprint
scanner, camera).
• The system extracts features from the sample (e.g., fingerprint ridges, facial
points).
• These features are converted into a mathematical template and stored
securely.
2. Authentication Phase
• The user presents the same biometric trait again.
• The system captures a new sample, extracts features, and compares it with
the stored template.
• If the match is successful (above a threshold), access is granted.
Biometric Authentication in Cryptography
In cryptographic systems, biometrics can be used as:
• A factor in multi-factor authentication (MFA).
 • An input to generate keys (with caution, due to biometric variability).
• A secure method for user identification in encrypted systems.

Q8) What is the difference between challenge/response

tokens and time-based tokens?
Authentication tokens come in different types based on how they generate and
verify credentials. Two important types used in secure systems are:
1. Challenge/Response Tokens
Definition:
Challenge/Response tokens are used in an interactive authentication method where
the system sends a challenge (usually a random value), and the user/device must
compute a valid response based on that challenge.
Use case: Often used in two-factor authentication systems, smart cards, or
hardware security modules.

2. Time-Based Tokens
Definition:
Time-Based tokens generate authentication codes based on the current time and a
shared secret key between the user and server. A common example is TOTP (Time-
Based One-Time Password).
Use case: Used in mobile authenticator apps like Google Authenticator or Authy.

Comparison Table:-

Feature Challenge/Response Token Time-Based Token

Basis Based on server-generated Based on current time

challenge

User Interaction User must enter a challenge into Code is auto-generated

the token periodically

Communication Requires challenge from server Works independently

Needed (after setup)
 Typical Format Response to a specific input 6- or 8-digit code shown
on token/app

Security Very secure; resistant to replay Secure, but depends on

attacks time sync

Common Use Enterprise systems, banking Mobile-based 2FA,

Cases tokens online logins

Protocol Example CHAP (Challenge Handshake TOTP (RFC 6238)

Authentication Protocol)

Q9) What are passwords? What are the problems associated

with passwords? What is the alternative to passwords? How
do Authentication Tokens work?
What are Passwords?
Passwords are secret strings of characters used to verify the identity of a user
during the authentication process. They are the most basic and commonly used
form of authentication in computer systems, applications, and networks.
• A password is known only to the user and is used to gain access to protected
resources.
• It is usually combined with a username or user ID to complete the
authentication.
Problems Associated with Passwords
While passwords are widely used, they come with several security and usability
issues:
1. Weak Passwords
• Users often choose simple passwords (like 123456, password, or names),
which are easy to guess or brute-force.
2. Password Reuse
• Many users reuse the same password across multiple sites, increasing the
risk of compromise if one system is breached.
3. Password Sharing
 • Passwords may be shared with others, violating the principle of individual
accountability.
4. Phishing Attacks
• Attackers can trick users into revealing passwords via fake websites or
emails.
5. Forgotten Passwords
• Users may forget complex passwords, leading to frequent reset requests and
user inconvenience.
6. Storage Risks
• If passwords are not stored securely (e.g., in plain text), attackers can easily
steal them during data breaches.

Alternatives to Passwords

To improve security and reduce reliance on traditional passwords, several stronger

authentication methods are used:

• 1. Authentication Tokens
• 2. Biometric Authentication
• 3. Certificate-Based Authentication
• 4. Multi-Factor Authentication (MFA)

Among these, authentication tokens are one of the most reliable and widely
adopted alternatives.

Q10) Explain in brief security handshake pitfalls.

Security Handshake Pitfalls
A security handshake is a process used in secure communication protocols (like
SSL/TLS) to establish a trusted connection between two parties. Despite its
importance, several pitfalls or vulnerabilities can arise during this process, which can
compromise security.

1. Man-in-the-Middle (MITM) Attacks

• During the handshake, if authentication is weak or certificates are not properly
verified, an attacker can intercept and alter communication.
• The attacker poses as the legitimate server or client, gaining access to
sensitive information.
2. Improper Certificate Validation
• If clients or servers do not properly validate certificates, they may accept fake
or expired certificates.
• This opens the door for attackers to impersonate trusted entities.

3. Replay Attacks
• An attacker can capture valid handshake messages and resend them later to
trick the system into establishing a false connection.
• Lack of nonce (random number) or timestamp usage can make this possible.

4. Weak Cryptographic Algorithms

• Using outdated or weak algorithms (like MD5, SHA-1, or weak ciphers) during
handshake reduces security.
• Attackers can exploit these weaknesses to decrypt or tamper with data.

5. Lack of Mutual Authentication

• One-way authentication (only server authenticates client) can be vulnerable.
• Without verifying both parties, unauthorized clients or servers may gain
access.

6. Session Hijacking
• If session keys are not properly protected or refreshed during handshake,
attackers can steal session information to hijack the connection.

7. Downgrade Attacks
• Attackers force the use of older, less secure protocol versions or cipher suites
during handshake.
• This makes the connection vulnerable to known exploits.
 Q11) Explain any one one-way authentication and any one
mutual authentication mechanism with its advantages and
drawbacks.
One-Way Authentication: Password-Based Authentication
How It Works:
• The client (user) provides a username and password.
• The server verifies the password against its stored data.
• If the password matches, the server grants access.
• Only the client is authenticated; the server’s identity is not verified by the
client.
Advantages:
• Simple and easy to implement across most systems.
• Familiar to users and requires no additional hardware.
• Efficient in terms of communication overhead.
Drawbacks:
• Vulnerable to password theft, guessing, and phishing attacks.
• Does not verify the server’s identity, so users may connect to fake or
malicious servers (risk of MITM attacks).
• Passwords can be forgotten, reused, or shared, reducing security.

Mutual Authentication: SSL/TLS Handshake

How It Works:
• Both client and server authenticate each other using digital certificates during
the handshake process.
• The server presents its certificate to the client, which the client verifies.
• In two-way SSL/TLS (mutual SSL), the client also presents its certificate for
server verification.
• Once both sides verify identities, they establish a secure encrypted session.
Advantages:
• Strong security: Both parties are verified, reducing risk of impersonation.
• Protects against Man-in-the-Middle (MITM) attacks.
 • Enables encrypted communication ensuring confidentiality and integrity.
Drawbacks:
• Requires digital certificates and a Public Key Infrastructure (PKI), which adds
complexity and cost.
• Managing client certificates can be difficult, especially for large user bases.
• The handshake process adds overhead, making it slower compared to one-
way authentication.