Security Services in Cryptography

In this tutorial, you will learn the basic concepts of Security Services in Cryptography. After reading this tutorial, you will learn the types of security services, hash function, and digital signature.

Contents:

  1. Security Services
  2. Message Confidentiality
  3. Message Integrity
  4. Hash Function Criteria
  5. Message Authentication
  6. Digital Signature
  7. Process of Digital Signature
  8. Entity Authentication

Security Services

The security goals are confidentiality, integrity, and availability. Confidentiality means secrecy, protecting information from unauthorized access. Integrity means that the data cannot be modified by an attacker during transmission. Availability means, whenever the user requests the resources, the resources must be available. Security services are concerned with confidentiality, integrity, and availability.

The diagram below shows the security services.

  • As shown in the figure, message confidentiality, message integrity, message authentication, nonrepudiation, and entity authentication are security services.
  • The first four services are related to messaging, and the last one is related to entity authentication.

Message Confidentiality

The confidential information of the sender and receiver must be encrypted so that no attacker can steal the information. The message sent must be intended for the recipient, and only the recipient can understand the message sent by the sender. For others, the message should be garbage. We can achieve confidentiality in two ways: symmetric-key cryptography and asymmetric-key cryptography.

advertisement
advertisement

Symmetric-key cryptography: To achieve confidentiality with symmetric-key cryptography, a sender and receiver must share a common key.

  • The key is used on the sender side to encrypt the message, and the same key is used on the receiver side to decrypt the message.
  • Here, the shared key is known as the session key.It is used until the sender and receiver can communicate.Once the session between the sender and the receiver is over, the session key expires.

Asymmetric-key cryptography: The problem in symmetric-key was the key distribution. In asymmetric-key cryptography, there is no key distribution scheme. The sender and receiver use two keys for encryption and decryption.

  • The public key is known globally, while the private key is known only to the host. In asymmetric-key cryptography, the sender encrypts the message with the receiver’s public key, and the receiver decrypts the message using its private key.

Message Integrity

When we encrypt and decrypt data, we achieve confidentiality, but encryption and decryption do not provide integrity. In this section, we look at ways to achieve message integrity.

Documents and Fingerprint: The sender’s fingerprint is on the message sent by him. If an attacker tries to access the message sent by the sender, he cannot do so because the fingerprint does not match. The receiver matches the sender’s fingerprint with the fingerprint present on the document. If the fingerprint matches, the receiver can be sure that the document has been sent by the sender and has not been modified.

Message and Message Digest: Message and Message Digest are equivalent to document and fingerprint.

The diagram below shows the message and the message digest.

Message and Message Digest
  • The message is passed through a hash function and generates a fingerprint which is known as the message digest.
  • Neither document nor fingerprint needs to be secret, whereas message and message digest are separate, and message digest must be secret.
  • Here, the receiver creates a new hash function and compares the new message digest with the received message digest to check the integrity of the message.

Hash Function Criteria

One-wayness, resistance to weak collisions, and resistance to strong collisions are the three criteria to qualify a hash.

advertisement

One-wayness: One-wayness means that once we create a message digest from the message, we cannot do the vice-versa. We could not generate a message from the message digest. It is the same in the case of document and fingerprint, where one cannot create a document from the fingerprint of the host.

Weak Collision Resistance: A hash function has weak collision resistance, which means that an attacker cannot forge a message with the same hash value as the sender created it. In short, an attacker can’t create another message containing the same message digest.

Strong Collision Resistance: Strong collision resistance means, no two messages have the same message digest.

Message Authentication

We discussed that the hash function guarantees that the message is not modified during transmission. The hash function helps to achieve integrity, but not authentication. When the sender sends a message to the receiver, the receiver needs to know whether the message is coming from the sender or the attacker. To provide authentication of the message, the message authentication code is used.

advertisement

MAC: When we modified the message digest, also known as Modified Identification Code (MDC), the key is not used, it uses the keyless hash function. Now, we are passing the message to the hash function with the key that generates the message authentication code.

The diagram below explains the message authentication.

Message Authentication
  • PC-1 uses a hash function along with the key to authenticate its message and generates a message authentication code.
  • PC-1 adds the MAC to the original message and sends it to PC-2.PC-2 separates MAC and Message and applies the same keyed hash function to the message.
  • PC-2 generates a new MAC and compares the newly generated MAC with the MAC sent by the sender.If both MACs match, the message is not modified during transmission and is sent only by PC-1.

HMAC: MAC is based on the keyed hash function. HMAC is designed for keyless hash function and is known as Hashed MAC.

The figure below explains the hashed MAC.

hashed MAC
  • As shown in the figure, HMAC applies a keyed hash function to the message and the key, generating a nested MAC.
  • When the recipient receives the sender’s HMAC, it creates its own HMAC and compares its HMAC and the sender’s HMAC to authenticate the sender.

Digital Signature

The Message Authentication Code (MAC) provides message authentication and message integrity. But it has a disadvantage that sender and receiver need a symmetric key before communication. A digital signature does not use a symmetric key, it uses a public and private key pair, or asymmetric key.

  • The signature is used to verify that the host is authenticated and that the document sent by them is also authentic.
  • When the receiver receives the message, it needs to check the sender’s electronically generated signature to verify that the sender is authenticated.
  • The sender sends the message and the digital signature separately. The receiver receives both messages and verifies the sender’s signature to check that the signature belongs to the potential sender.
  • The signature of one message cannot be used in another message; it is a one-to-one relationship.
  • The sender signs the document, and the sender’s signature is private to them. When the receiver receives the document, it verifies the sender’s signature using the sender’s public key and verification algorithm.
  • Problems can arise if there is a secret or shared key between the sender and the receiver. For example, PC-1 (the sender) can use the secret key to sign the document and send it to PC-3 (another user). PC-3 can then send it to PC-2 (the receiver) and pretend that the document has come from PC-1.

Process of Digital Signature

A digital signature can be obtained by signing the document or by signing the message digest of the document.

Document signing: In the cryptosystem, we were using the receiver’s private and public key, whereas, in the digital signature, we are using the sender’s private and public key.
The diagram below explains the document signing.

Document Signing
  • As shown in the figure, the sender encrypts the document with their private key, which is known as signing the document.
  • The receiver receives the document and decrypts it with the sender’s public key, a process known as verifying the document.

Signing the message digest: In a digital signature, using the public key on the receiver side is not an efficient way to verify a document. Our messages are very long and confidential and we have to use public keys. So, the solution is to sign the message digest instead of signing the message as there is only one message digest in a message.
The diagram below explains the signing of message digest.

Signing of Message Digest
  • The sender creates a message digest and signs the message digest using its private key. The sender sends the message and signature to the recipient.
  • The receiver uses the public hash function to generate the message digest. If the message digests of the recipient and the sender match, integrity is achieved, and the receiver verifies the sender’s signature for authentication.
  • So, we can say that digital signatures provide message integrity, message authentication, and message rejection.

Entity Authentication

An entity can be a person, client, server, process, or any end device. The terms verifier and claimant are used in entity authentication.

  • Claimant: The claimant is an entity whose identity needs to be proved by the verifier.
  • Verifier: The verifier is the party who tries to prove the identity of the claimant.
  • In the entity authentication process, the claimant has to prove their identity to the verifier. For that, three things are used: something known, something possessed, and something inherent.
    • Something Known: This is a secret, known only to the claimant. The verifier checks this secret to identify the claimant. For example, password, PIN, and private key.
    • Something Possessed: This is something that helps in proving the identity of the claimant. For example, driving license, credit card, and identity card.
    • Something Inherent: It is the inherent qualities of the claimant such as fingerprints, facial features, retinal patterns, and handwriting.

Password: The most common way to identify a claimant is through a password. The claimant enters the password to prove himself and access the system’s resources.

Challenge-response: In this certification, the claimant proves his identity that he knows without revealing the secret. The verifier sends the challenge to the claimant with a timestamp and the claimant replies to the challenge to prove his identity.

We can also authenticate the entity using symmetric-key and asymmetric cryptography algorithms, key-hash functions, and digital signatures.

Key Points to Remember

Here is the list of key points we need to remember about “Security Services”.

  • The message confidentiality, message integrity, message authentication, nonrepudiation, and entity authentication are security services.
  • We can achieve confidentiality in two ways: symmetric-key cryptography and asymmetric-key cryptography.
  • Neither document nor fingerprint needs to be secret, whereas message and message digest are separate, and message digest must be secret.
  • Message Authentication Code (MAC) and Hashed-MAC (HMAC) are used for message authentication.
  • The signature of one message cannot be used in another message, it is a one-to-one relationship.
  • A digital signature can be obtained by signing the document or by signing the message digest of the document.
  • An entity can be a person, client, server, process, or any end device. The terms verifier and claimant are used in entity authentication.

If you find any mistake above, kindly email to [email protected]

advertisement
advertisement
Subscribe to our Newsletters (Subject-wise). Participate in the Sanfoundry Certification contest to get free Certificate of Merit. Join our social networks below and stay updated with latest contests, videos, internships and jobs!

Youtube | Telegram | LinkedIn | Instagram | Facebook | Twitter | Pinterest
Manish Bhojasia - Founder & CTO at Sanfoundry
Manish Bhojasia, a technology veteran with 20+ years @ Cisco & Wipro, is Founder and CTO at Sanfoundry. He lives in Bangalore, and focuses on development of Linux Kernel, SAN Technologies, Advanced C, Data Structures & Alogrithms. Stay connected with him at LinkedIn.

Subscribe to his free Masterclasses at Youtube & discussions at Telegram SanfoundryClasses.