- Cryptography can provide five services. Four of these are related to the message
exchange between Alice and Bob. The fifth is related to the entity trying to access a
system for using its resources.
- Message confidentiality means that the sender and the receiver expect privacy.
- Message integrity means that the data must arrive at the receiver exactly as sent.
- Message authentication means that the receiver is ensured that the message is coming
from the intended sender, not an imposter.
- Nonrepudiation means that a sender must not be able to deny sending a message
that he sent.
- Entity authentication means to prove the identity of the entity that tries to access
the system’s resources.
- A message digest can be used to preserve the integrity of a document or a message.
A hash function creates a message digest out of a message.
- A hash function must meet three criteria: one-wayness, resistance to weak collision,
and resistance to strong collision.
- A keyless message digest is used as a modification detection code (MDC). It guarantees the integrity of the message. To authenticate the data origin, one needs a
message authentication code (MAC).
- MACs are keyed hash functions that create a compressed digest from the message
added with the key. The method has the same basis as encryption algorithms.
- A digital signature scheme can provide the same services provided by a conventional signature. A conventional signature is included in the document; a digital
signature is a separate entity.
- Digital signature provides message integrity, authentication, and nonrepudiation.
Digital signature cannot provide confidentiality for the message. If confidentiality
is needed, a cryptosystem must be applied over the scheme.
- A digital signature needs an asymmetric-key system.
- In entity authentication, a claimant proves her identity to the verifier by using one of the three kinds of witnesses: something known, something possessed, or something inherent.
- In password-based authentication, the claimant uses a string of characters as something she knows.
- Password-based authentication can be divided into two broad categories: fixed and one-time.
- In Challenge-response authentication, the claimant proves that she knows a secret without actually sending it.
- Challenge-response authentication can be divided into four categories: symmetrickey ciphers, keyed-hash functions, asymmetric-key ciphers, and digital signature.
- A key distribution center (KDC) is a trusted third party that assigns a symmetric key to two parties.
- KDC creates a secret key only between a member and the center. The secret key between members needs to be created as a session key when two members contact KDC.
- Kerberos is a popular session key creator protocol that requires an authentication server and a ticket-granting server.
- A certification authority (CA) is a federal or state organization that binds a public key to an entity and issues a certificate.
- A public-key infrastructure (PKI) is a hierarchical system to answer queries about key certification.