I would like to now start with the next topic of this session, which is security protocols. The topic here is authentication. Authentication is a process in which a principal proves that he, she or it is the entity it claims to be. The principal is occasionally referred to as a prover: very often in the security literature we refer to the party providing the proof (that he is indeed A, for example) as the prover, while the party to whom the proof is submitted for verification is called the verifier. Note that a principal is often a human, but it does not have to be a human; it could be a computer, a computer application, or even a robot.

Authentication may be based on what the principal knows, for example a password or a passphrase. It can be based on what the principal has, for example an ID card or a passport. It may be based on physical characteristics such as voice, a fingerprint, a retinal scan, a DNA sample and so on; most of these are categorized as biometric forms of authentication.

There are different kinds of authentication protocols, and we will concentrate here on cryptographic authentication. There are different things you might want to accomplish. One is one-way authentication: A tries to prove to B that A is indeed A, and B does not have to prove anything to A. That is one paradigm. Another is B proving to A, but not A to B. Another paradigm is mutual authentication, where A proves to B that it is A and B proves to A that it is B.

We will start with one-way authentication, and the most obvious way is through a password. The best example of this is a user's login name and password. Say my login name is abc. The other party says: prove to me that you are really abc. So what proof do I offer?

I offer the proof that I am abc: my password is such-and-such, and nobody else knows this password; therefore I am proving to you that I am really abc. The server then looks at its database of passwords and checks whether the received password matches the password stored against that user's name. So against the name abc, do I see this strange 10-character password? If so, I conclude that the user is indeed abc. However, an attacker may eavesdrop on the password and use it later to impersonate the real user.

So there are many problems that can arise. I have the user here, the client, and this is the server. She says: my name is Alka and the password is this string. He goes into his database, finds Alka and the corresponding password, and checks whether what he received is the same as what he has stored under the name Alka. If it is, he concludes that this message is from the legitimate client Alka, and that Alka is at the other end. This is one way of communicating the password, but there are several problems, as you can imagine. The first is that the system administrator who maintains this file may, by mistake or deliberately, leak it to an attacker, so the attacker gets to see all these passwords. Another possibility is that this is going over the normal wire; somebody taps into the wire, sees the password, and of course misuses it.

So what is the solution to some of these things? One possibility for the first problem is: do not store the password, store the cryptographic hash of the password, because of the beautiful property of a cryptographic hash that it is a one-way function. If I know the hash value I cannot deduce the original password, presumably.

However, there is one attack, and there was a question yesterday from one of the remote sites about it: the dictionary attack. You can launch a dictionary attack against this. If I know the hash of the password rather than the password, I can create a dictionary of possible passwords for this person Alka. People have done that; there are many dictionaries online that you can use to crack passwords. For example, some people are careless and may just use a password like 123 or 1234 or XYZ or ABC, or the name of their favourite film star, the name of some movie, the name of a city, and so on. Or, if I know more about Alka and her family and her kids, I can suspect that maybe her password is her spouse's name or her child's name. So I build up a full dictionary and I try, try, try. I have a big dictionary of, say, 100,000 or 10 million possible passwords for each of these people, including Alka. I take the first password in that dictionary, hash it, and see whether the hash value corresponds to the stored hash value (remember, I am storing hash values now). If it does, I am pretty sure that it is her password. I try this for every single password in the dictionary I have created. This attack is known as a dictionary attack: I create a dictionary of potential passwords for people, and I can make it more user-specific, say one dictionary for Alka in particular, knowing her preferences and her family's names and so on.

Another possibility, to avoid this kind of thing, is that instead of sending the password on the line I send the hash of the password. But once again there are problems with this: if I can just tap the line and get the hash, I can impersonate Alka, because I can set up a connection to the server, say "my name is Alka and the hash of my password is" whatever I just eavesdropped, and I am able to impersonate her. So just sending the hash is again not a very good idea.

So what is the solution? One possible solution is to use something called a challenge-response protocol. This is a very standard way of handling authentication. The problem is that an attacker who eavesdrops on the communication link may be able to obtain a user's password, or the hash of the password, and then replay it; this attack is known as the replay attack. In the context of the previous slide, I see the hash of the password and I simply replay the entire thing to the server at some future point in time, and then he thinks that I am actually Alka. So this is an impersonation attack, and in particular it is a replay attack. An effective strategy to thwart a replay attack is for the verifier to offer a fresh challenge, so that the response is always going to vary. The fresh challenge is typically something called a nonce, a random number, offered to the prover. In response, the client does not communicate its password, but rather proves that it knows the password. What is this big proof here? Is it a big mathematical proof, proof by induction or something like that? Let us see what it is. The freshness of the challenge ensures that a previous response cannot be reused. So one party, the verifier, issues a challenge, and the other party computes and communicates a response.

The response is this fancy thing, the proof: a one-way function of the challenge and a secret known to both parties, like the keyed hash that we talked about before. So it is a one-way function of the two things concatenated, the challenge and the shared secret. Such protocols are referred to as challenge-response protocols, and the challenge varies every time, so I cannot replay it. One day he sends a challenge like 127983, some fancy number; I concatenate it with my secret, compute the hash, and send it across. The next day the challenge is something completely different, so the response will be completely different, and the business of replaying something does not arise.

So let us see how this actually works in practice. Once again this is one-way authentication: A is trying to prove to B that she is indeed A. She says "I am A". B says: if you really are A, take this as my challenge to you and perform the following operation on it. (On the slide this is actually H, not E.) Perform the hash of your password concatenated with my fresh challenge to you, and send it across. So it is H and not E there. Instead of the hash you can also use an encryption function: the same thing, "I am A", "here is my challenge, prove to me that you are indeed A": take this challenge r and, since only you know your password, encrypt this challenge with a predetermined function of the password. So the key will not be exactly the password but a function of the password, some predetermined function which both sides know. Both sides know the password and both sides know that function too, so use that function on the password and use the result as a key to encrypt this nonce. This random challenge is called a nonce.
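As an added example (not from the lecture), here is a small Python model of the three schemes just discussed: sending the password, sending H(password), and challenge-response with a keyed hash. The credential store and the password are constructed sample values, and the shared secret is H(password), standing in for the lecture's "function of the password"; it simulates an eavesdropper who captures one login and replays it later.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: the server keeps only H(password),
# the lecture's "store the hash, not the password" fix.
PASSWORD_DB = {"alka": hashlib.sha256(b"correct horse").hexdigest()}


def login_with_password(user: str, password: bytes) -> bool:
    """Scheme 1: the client sends the password itself over the wire."""
    stored = PASSWORD_DB.get(user)
    sent = hashlib.sha256(password).hexdigest()
    return stored is not None and hmac.compare_digest(stored, sent)


def login_with_hash(user: str, password_hash: str) -> bool:
    """Scheme 2: the client sends H(password). A captured hash replays just as well."""
    stored = PASSWORD_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, password_hash)


class Verifier:
    """Scheme 3: the verifier issues a fresh nonce and expects a keyed hash of it
    under the shared secret H(password). Each nonce can be answered once."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # consumed on first use
        stored = PASSWORD_DB.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(bytes.fromhex(stored), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prover_response(password: bytes, nonce: bytes) -> bytes:
    """The prover's side: keyed hash of the nonce under H(password)."""
    key = hashlib.sha256(password).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_scenarios() -> dict:
    """An eavesdropper captures one login of each scheme and replays it later."""
    results = {}
    # Scheme 1: the captured password works again.
    results["password_replay"] = login_with_password("alka", b"correct horse")
    # Scheme 2: the captured hash works again.
    captured_hash = hashlib.sha256(b"correct horse").hexdigest()
    results["hash_replay"] = login_with_hash("alka", captured_hash)
    # Scheme 3: capture (nonce, response) from one run, replay in a later run.
    v = Verifier()
    n1 = v.challenge("alka")
    r1 = prover_response(b"correct horse", n1)
    results["legit"] = v.verify("alka", r1)
    v.challenge("alka")  # a later session issues a fresh nonce
    results["challenge_response_replay"] = v.verify("alka", r1)
    return results
```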
Now when B receives the response to his challenge, only she could have responded correctly, because the response involves an encryption with the key that only she and he share. This authentication protocol is really one-way authentication between A and B: A is trying to prove to B that she is indeed A. The second thing to note is that there is an assumption about a long-term secret that they both share. What is that long-term secret? They both know the value of A's password. That is the assumption we are making, that both sides know A's password.

On the other hand, you can have certificate-based authentication, based on certificates that each person might have. In this case A has a digital certificate. I am sure most of you know what a certificate is; I will just repeat it. A certificate is basically a digital document that contains the credentials of A, some credentials like her name, the place where she works, her e-mail address, many things that are specific to A, and, very importantly, A's public key. So it is really a binding between A's credentials and A's public key. It contains a couple of other things, for example what the private key corresponding to the public key in the certificate is supposed to be used for. Note that the certificate does not contain the private key; it only contains the public key of A. But the question is what the corresponding private key is to be used for: can it be used for signing, can it be used for decryption, or what? There are different rules for all that, and all of that is also contained in the certificate. Then an important field is a validity period: the certificate is valid from January 1st 2014 to December 31st 2014, say. There is a validity period beyond which the certificate expires and is no longer valid.

All of those fields are contained together, plus a few more, and then the important thing is that the certification authority, the authority that issued the certificate to A, signs the certificate. The certification authority's public key is presumably known to B; maybe B's browser is configured to store the public key of the CA, the certification authority that issued this certificate to A. So B can actually verify that the certificate was indeed created by this well-known certification authority. A sends the certificate to B (never mind about the certificate chain; we will talk later about why we need a chain at times). So she says "my name is A and here is my certificate", and then B responds: ok, here is my challenge to you; take this challenge and do something with it that only you can do and nobody else can, so that I am convinced it is you at the other end. This is the challenge and this is the response, and since only you can do it, if it is done correctly I will conclude that it is indeed you at the other end. So she takes this r and does what only she can do, namely encrypting it with A's private key. That is the response she submits.

Another way of doing this: after receiving the certificate, B sends not r but r encrypted with A's public key, which he got from her certificate. She responds by performing a private-key operation on this to recover r, and she sends that r back. Then B checks whether the r he received is the same as the r he generated. He generates a fresh r every time.

Typically all these nonces and challenges are supposed to be fresh, otherwise there is the possibility of a replay attack. So he generates a fresh nonce here as well; here he did something more, he encrypted it with her public key and sent it across. Then she has to decrypt it using the decryption function with her private key, and if she does it correctly she will get back r. He gets the r and checks whether this r is the same as the r he generated.

So that was one-way authentication. Let us go a step further to mutual authentication, and again we will talk about both cases: mutual authentication using a shared secret and mutual authentication using certificates. The first is mutual authentication using a shared secret. As usual: "I am A, this is my challenge to you". Both are going to issue challenges to the other. We are assuming that both sides share a common secret, and that secret is this value k. He gets r_a, and what is he supposed to do with it? He performs an operation that involves the secret key: E_k(r_a). "Here is my response to your challenge, and by the way, here is my challenge to you, because I also need to know whether you are really A or somebody posing as A. I want you to encrypt this, just like you asked me to; now you encrypt my challenge and send it back." So she takes r_b, encrypts it with the common key and sends it across. When he receives this, he presumably thinks that A is on the other side. But wait a second: most security protocols are very, very buggy, most of them have very subtle bugs, and this is exactly one of those. Here is how you can attack that protocol. Let us look at the attack and try to figure out who is doing what.

So the question is, who is doing what in this attack, what is the goal of the attacker, who is the attacker, and what sort of an attack is this? If you look at the first message it appears that C is trying to impersonate A. That is indeed the goal: C is trying to impersonate A. He is saying "I am A" to B, trying to fool B into believing that at the other end B is talking to A, and that A wants to talk to him. So he says "I am A, here is my challenge to you". B is quite happy; he would like to talk to A, so he responds to the challenge with E_k(r_a), just as in the previous protocol. Recall what happened in the previous protocol: she challenged him, he responded to the challenge and then he offered his own challenge, and then she responds to this fresh challenge. So B says: here is my response to your challenge, and this is my challenge to you. Now, to complete this and to convince B that he is A, what does C need to do? He needs to respond to B's challenge by encrypting it with the common key that they share, which is k. And k is the common key shared between whom? Between A and B, not between C and B. C does not know this k; that is why C cannot continue and finish this up, obviously not.

So now what does C do? A very clever idea: let me go and start talking to A, pretending that I am B. "I am B." He suspects that A is quite happy to speak to B, so she will say yes, let us continue. By the way, he tells her, "I am B, and just to convince myself that you are A, take this challenge and encrypt it", with what? The common key that is shared between A and B. She responds with the encryption of this nonce using the common key that she shares with B. So this k is the common key shared between A and B.

She responds with E_k(r_b), the response to this challenge, and then offers her own challenge. C receives it; he is quite happy, and does not care about continuing, since in any case he cannot continue the conversation. But very nicely, what he does is pluck E_k(r_b) out of this message, put it into his message to B, and send it to B. So you can see this is a perfect example of a replay attack: he is taking this value and simply sending it across. What happens is that B is fooled into thinking that this party is actually A, because what B is thinking is: if I get the correct response to my challenge, that response cannot come from anybody but A. So if I get the correct response, I am sure that this party is A. Actually this party is C.

So this is the standard replay attack, and one aspect of the attack is the parallel session: C establishes (or tries to establish) one session with B, and then in parallel, at the same time, it interleaves that session with another session to A. The obvious question, now that we understand the attack, is how we fix it. In words, what is going on in the previous attack is that C attempts to impersonate A to B. Message 3, the third message, was required to complete the authentication of C, posing as A, to B. So the third message was necessary, and C figured out a very nice clever trick. C could not compute the response to B's challenge, since that required a computation involving the secret key k that is only shared between A and B. So what C does is initiate a connection setup with A, presenting to A the same challenge that it received from B and claiming to be B. A's response to the challenge, in message 2', was then used by C to convince B that it was A that was trying to establish communication with B. I will leave the attack up for another minute so that we can think about how we might solve this problem. Ask your students to think of creative ways to solve this problem.

There is more than one possible solution. Here is one possible solution. "I am A, this is my challenge." What B does now: "here is my response to your challenge, and I have also got a challenge for you. I have come up with a random number r_b and I am encrypting it with our common secret, E_k(r_b), and what I challenge you to do is to give me that secret back." So you have to use a decryption operation here: take E_k(r_b) as my challenge to you, and now perform a decryption operation, not encryption, so that you give me back the original nonce that I generated. So D_k(E_k(r_b)) gives back the original r_b. If she is able to compute the decryption function correctly using the correct key, she will get back r_b, and B will be convinced that it is indeed A at the other end. Now try this new protocol and see whether the previous attack works or not. Try it out, and also try many other fixes; this is not the only fix, you can think of others, but do not make it too complicated, because we do not want it to be too time-consuming.

So what have we talked about so far? One-way authentication using a common long-term secret that the two parties share; then one-way authentication using certificates; then mutual authentication using a long-term secret. In that case the long-term secret was precisely this value k. It is known as a long-term secret because they share it for possibly months together; it is like a password, which you share for weeks or months. And now we have mutual authentication, but using certificates. How do we go about it? "I am A, and here is my challenge r_a." Now what B responds is: I am acknowledging that you are at the other end.
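To try the exercise just posed, here is an added Python model (not the lecture's code) of the mutual authentication protocol, the parallel-session interleaving, and the decryption-based fix. E and D are a toy invertible cipher constructed only so that the message flow can be modelled, not a real cipher; the Responder class and the function names are my own.

```python
import hashlib
import secrets

MOD = 1 << 64


def _pad(k: bytes) -> int:
    return int.from_bytes(hashlib.sha256(k).digest()[:8], "big")


def E(k: bytes, m: int) -> int:
    """Toy 'encryption': add a key-derived pad mod 2^64. Not a real cipher; it is
    just an invertible E/D pair so that E_k(x) and D_k(x) can be written down."""
    return (m + _pad(k)) % MOD


def D(k: bytes, c: int) -> int:
    return (c - _pad(k)) % MOD


class Responder:
    """The side that answers 'I am X, here is my challenge'. With fixed=False it
    sends r_b and expects E_k(r_b) back (the original protocol); with fixed=True it
    sends E_k(r_b) and expects r_b = D_k(E_k(r_b)) back (the lecture's fix)."""

    def __init__(self, key: bytes, fixed: bool):
        self.key, self.fixed = key, fixed
        self.sessions = {}  # session id -> (claimed peer, r_b)

    def msg1(self, claimed_id: str, r_peer: int):
        r_b = secrets.randbits(64)
        sid = len(self.sessions)
        self.sessions[sid] = (claimed_id, r_b)
        challenge = E(self.key, r_b) if self.fixed else r_b
        return sid, (E(self.key, r_peer), challenge)   # message 2

    def msg3(self, sid: int, answer: int) -> bool:
        _, r_b = self.sessions.pop(sid)
        expected = r_b if self.fixed else E(self.key, r_b)
        return answer == expected


def honest_run(fixed: bool) -> bool:
    """A (who knows k) authenticates to B and back; both variants should succeed."""
    k = secrets.token_bytes(16)
    B = Responder(k, fixed)
    r_a = secrets.randbits(64)
    sid, (resp, challenge) = B.msg1("A", r_a)
    if resp != E(k, r_a):                # A checks B's answer first
        return False
    answer = D(k, challenge) if fixed else E(k, challenge)
    return B.msg3(sid, answer)


def parallel_session_attack(fixed: bool) -> bool:
    """C, who does not know k, opens a session with B claiming to be A, then opens
    a parallel session with A claiming to be B, hands A the challenge B issued, and
    relays A's answer back to B. Returns True if B accepts C as A."""
    k = secrets.token_bytes(16)
    B = Responder(k, fixed)
    A = Responder(k, fixed)              # A answers incoming sessions like B does
    sid_b, (_, challenge_from_b) = B.msg1("A", secrets.randbits(64))
    _, (answer_from_a, _) = A.msg1("B", challenge_from_b)
    # Original: A returns E_k(r_b), exactly what B wants. Fixed: A returns
    # E_k(E_k(r_b)), while B wants r_b, so this interleaving no longer works.
    return B.msg3(sid_b, answer_from_a)
```

The check covers only the interleaving from the slide; other fixes, and other interleavings, are the exercise the lecture leaves open.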
"I understand that you are the recipient of this message; this is your identity. You also offered me a challenge r_a, which I am putting here, and I am offering you one challenge, r_b." So I am creating a message with these components: your name, your challenge, my challenge. I am taking all of this and I am not encrypting it, I am simply signing it. So this is the notation for a digital signature: I am sending you all these things in the clear, not encrypting them, and in addition I am including a signature on this entire message, signed by me. The square bracket with the subscript B means this entire message is signed by B. I am assuming that A and B know each other's certificates; otherwise you can send the certificate along. So I am sending you this message and signing it, and in the message I am including your nonce, your challenge. Nobody else could have signed this correctly unless he knows the private key of B, and assuming B keeps his private key safely and securely, nobody else could generate this signature. So there are two things in this notation: I am sending different fields in my message, one being your name, this person's name, her challenge, my challenge; and the other field is the signature. This whole thing goes as one message to A.

Then she responds: "this is your identity, I acknowledge that, and I also know that you sent me r_b, which I got in the clear. Now I am going to take these two things, concatenate them in one message, and compute my signature on this message." That subscript A is once again the signature of A; the square bracket means I am taking the entire message and signing it, and I am sending it across. As you very well know, corresponding to signature generation there is signature verification.

In order to sign she will use her private key, and to verify he will use her public key from inside a certificate, unless he already knows it. So implicit in all this is the transfer of certificates, possibly with this message or before. She will send her certificate, he will send his certificate, and so on, unless they already have each other's certificates from before. So this is mutual authentication using certificates, and this slide is basically a description of what we just saw.

Now, most of the protocols you will see, whether SSL, IPsec, cell phone security protocols, wireless LAN protocols and so on, will typically involve mutual authentication, that is entity authentication, together with session key exchange. Notice that the k over there was a long-term key; now we need to agree on a session key, which is valid for the duration of the session. For that purpose we are modifying the mutual authentication protocol that uses a shared secret, and including the business of key exchange. "Hi, I am A, here is my challenge to you." It is assumed in this case that there is a common long-term secret that both sides share, and that secret is k. "I am A and this is my challenge to you." What does he do in response? He encrypts r_a with the common long-term key that they share; then he chooses his own challenge r_b, the nonce, and he chooses his contribution to the session key. S stands for session key, a key that will be used only for the duration of the session, and S_b is the part contributed by him. He concatenates this nonce and his contribution to the session key and encrypts it with the long-term secret he shares with A. When she gets it, she decrypts the first part to see whether she gets back r_a.

If so, she concludes that it is actually B at the other end. Then she decrypts the second part and gets r_b, his challenge, and she also gets S_b; let us see why she needs to keep S_b. Then she generates an S_a, and sends r_b together with S_a, her contribution to the session key, encrypted with the long-term secret they share. Now he can verify this, because how would she be able to send r_b? r_b was generated by B at some point in time (think of this as a time axis); somewhere in time B generated this nonce r_b, encrypted it and sent it, and the very fact that she could decrypt it and recover this nonce, which nobody else knows, means that she must be the authentic person at the other end. He has also got to decrypt this so that he can pull out her contribution to the session key. Then the final session key that they will use for all further interaction in that session (they will start exchanging messages, 10 or 20 messages during the session, all of them encrypted using the session key) will be the concatenation of S_a and S_b. So this is how mutual authentication plus key exchange works using a long-term secret.

Now the same using certificates: mutual authentication plus key exchange, but with certificates rather than a long-term secret. It is a similar kind of idea; here the certificates are actually shown explicitly. "Hi, I am A, I want to talk to you, Mr. B; here is my challenge to you and here is my certificate." What will you do with my certificate? You will pull out the public key and so on. What does he do in response? He creates a message that has the following components: her identity, her nonce, his nonce, and of course his contribution to the session key, which nobody else should see, so he encrypts it with her public key, which he has obtained from her certificate.

So he pulls out the public key and encrypts his contribution to the session key, S_b, with her public key, and the entire message is signed (not encrypted) using his private key; then he sends his certificate, so that she can verify the certificate and verify the signature on this entire message. This entire thing goes across. Visualize what she will do at the other end. The first thing she will do is pull out the certificate and look at whose name is inside it: is it B's name, B's e-mail address, whatever credentials; is the certificate within its validity period; has the certificate been signed by the CA? Let us verify the CA's signature on that certificate. If all of that is ok, she will start looking at the message: from the certificate I got the public key of B, now let me verify whether B's signature on this message is correct, for which purpose I need B's public key, which is contained inside his certificate. If all that is ok, she is convinced, and she goes ahead and responds to his challenge r_b. So once again she includes the identity of the recipient, B, who is going to receive this message; his nonce r_b, his challenge; and, since this is also key exchange, her contribution to the session key, S_a. Nobody else should see this, so she encrypts it with B's public key, so that B and only B can decrypt it, and this entire thing is then signed by her, so that he can verify the signature and then extract her part of the session key. The session key S_a concatenated with S_b will be used to encrypt all messages for the duration of the session.

Another variation: there is such a rich diversity of authentication and key exchange protocols. Why use nonces? We could use just timestamps, or a combination of the two. So let us see how we would implement it using timestamps.

What A does: "my name is A, I want to talk to you, Mr. B; the timestamp as I see it is t_a." The timestamp is used to guard against replayed messages. This is the time right now: today's date, hour, millisecond, whatever you want to include in the timestamp. "And this is my contribution to the session key. Everything I am sending here I am encrypting using your public key, which I obtained before from your certificate." So it assumes that she has already got B's certificate; from that certificate she pulls out his public key and encrypts this entire message using B's public key, and then, on top of that encrypted message, she signs it and sends it across to B.

What does B do? B looks at A's certificate, checks that everything is ok and so on, if he does not have it already. Then he obtains her public key and verifies the signature on this message, because she signed it. Then B takes his own private key and decrypts the message, so he gets all of the contents out. In particular he wants to know whether this message is fresh: if the timestamp is stale, he will simply reject this message. So he will check, among other things, whether the timestamp on this message is fresh enough, and then of course what her contribution to the session key is. Then he will take that timestamp incremented by one and encrypt it with her public key, so that nobody else can see it; include in that message his contribution to the session key, the identities of both parties, and so on; and on top of it he will sign it, so that she can verify the signature of B and be convinced that this message has indeed come from B and nobody else. So this is mutual authentication using timestamps and assuming certificates.

And finally, the EKE protocol; EKE stands for encrypted key exchange.

We had seen Diffie-Hellman key exchange: she sends g^a mod p, he sends g^b mod p, and they both compute g^ab mod p. So why all this extra fuss of having so many messages and so many other things? What exactly is going on? It is assumed that both sides have a common secret, like a password, and this P that you see there is basically a weak password. As you very well know, most people do not have strong passwords, so it is moderately easy to crack many people's passwords. I am assuming that she has a password, but it is not sufficiently strong; it is a weak password. So this key is really a function of the password; the function is known to both sides, and to everybody for that matter, but the password is not known to anybody other than A and B (of course, you can guess the password).

What she does is take g^a mod p, just as in Diffie-Hellman: she generates an a and computes g^a mod p, where g and p are the regular parameters of the Diffie-Hellman key exchange. This g^a mod p is known as a partial key, and she encrypts this partial key with that function of the password. He can decrypt it, because he knows the password and the function of the password, and so he obtains g^a mod p. Likewise, he generates his own b, computes g^b mod p, includes a nonce r_a, encrypts the entire thing using this so-called weak password and sends it across. She can decrypt this message and obtain g^b mod p and r_a, and now here is the interesting step. At this point she knows g^b mod p, and she of course knows her own private value a, so she can compute g^ab mod p.

That becomes another key: this key here is g^ab mod p. She now sends a message responding to his challenge r_a: she encrypts that challenge with this new secret, which is an ephemeral secret; it is actually the session key g^ab mod p. So she encrypts this r_a, which she obtained from the previous message by decrypting with her password, with the new session key g^ab mod p, and she also includes her own challenge. What she is basically saying is: here is my response; I can see what r_a is because I know the password, so I obtained it, and I have also obtained the session key, and I am encrypting this challenge of yours and I am also dispatching my own challenge to you, so let me see if you can respond to my challenge. Then E_k(r_b) is his response.

Now the beauty of this is that it is not vulnerable to a dictionary attack. Suppose I have got a dictionary. This is the key point about this protocol, this is what makes it so beautiful: you cannot really launch a dictionary attack on it. Suppose I happen to know this weak password. Then I get g^a mod p. I try, try, try, and suppose I succeed and I also get the other thing, g^b mod p. Now the question is, what is the use of getting g^a mod p and g^b mod p? I cannot compute g^ab mod p from those. So even if I happen to know the password, there is not much, in fact nothing, I can do, because I simply cannot obtain this value, and this is the value which is the session key that they are going to use for all subsequent messages. So this is a very interesting and well-known protocol called encrypted key exchange. With that I stop for today.
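An added Python walk-through of the EKE exchange as described above (not the lecture's code). The group parameters P and G, the function f of the password, the toy cipher E/D and the message layout (g^b mod p and the nonce r_a encrypted as two separate values) are all my assumptions for the demo; the second function shows what an eavesdropper who even knows the password gets from the transcript.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for the demo (far too small for real use).
P = (1 << 61) - 1          # a Mersenne prime
G = 3
MASK = (1 << 128) - 1


def _pad(key: bytes) -> int:
    return int.from_bytes(hashlib.sha256(key).digest()[:16], "big")


def E(key: bytes, m: int) -> int:
    """Toy symmetric 'encryption': add a key-derived pad mod 2^128. A real EKE needs
    a proper cipher whose ciphertexts leak nothing about the password."""
    return (m + _pad(key)) & MASK


def D(key: bytes, c: int) -> int:
    return (c - _pad(key)) & MASK


def f(password: bytes) -> bytes:
    """The publicly known function of the password used as the first-stage key."""
    return hashlib.sha256(b"eke-password-key" + password).digest()


def session_key(shared: int) -> bytes:
    """Turn g^ab mod p into a key for the second-stage cipher."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_eke(password_a: bytes, password_b: bytes) -> dict:
    """Run the lecture's four messages between A (holding password_a) and B
    (holding password_b) and report what each side concluded."""
    # Message 1, A -> B: A, E_P(g^a mod p)
    a = secrets.randbelow(P - 2) + 1
    ga = pow(G, a, P)
    m1 = E(f(password_a), ga)
    # B decrypts with its own password, then sends E_P(g^b mod p), E_P(r_a)
    b = secrets.randbelow(P - 2) + 1
    gb = pow(G, b, P)
    ga_seen_by_b = D(f(password_b), m1)
    r_a = secrets.randbits(64)
    m2 = (E(f(password_b), gb), E(f(password_b), r_a))
    K_b = session_key(pow(ga_seen_by_b, b, P))
    # A decrypts message 2, computes g^ab mod p, answers r_a under K and adds r_b
    gb_seen_by_a = D(f(password_a), m2[0])
    r_a_seen_by_a = D(f(password_a), m2[1])
    K_a = session_key(pow(gb_seen_by_a, a, P))
    r_b = secrets.randbits(64)
    m3 = (E(K_a, r_a_seen_by_a), E(K_a, r_b))
    # B checks A's answer to r_a, then answers r_b under its own K
    b_accepts = D(K_b, m3[0]) == r_a
    m4 = E(K_b, D(K_b, m3[1]))
    a_accepts = D(K_a, m4) == r_b
    return {"a_accepts": a_accepts, "b_accepts": b_accepts, "same_key": K_a == K_b,
            "transcript": (m1, m2, m3, m4), "partial_keys": (ga, gb)}


def eavesdropper_with_password(transcript, password: bytes) -> dict:
    """Everything the wire plus the password yields: both partial keys and r_a.
    g^ab mod p (and so the session key) is still missing; getting it from g^a and
    g^b would need a discrete logarithm, which is the lecture's point."""
    m1, m2, _, _ = transcript
    key = f(password)
    return {"ga": D(key, m1), "gb": D(key, m2[0]), "r_a": D(key, m2[1])}
```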