Cryptography can provide five services. Four of these are related to the message
exchange between Alice and Bob. The fifth is related to the entity trying to access a
system to use its resources.
Message confidentiality means that the sender and the receiver expect privacy.
Message integrity means that the data must arrive at the receiver exactly as sent.
Message authentication means that the receiver is assured that the message is coming
from the intended sender, not an impostor.
Nonrepudiation means that a sender must not be able to deny sending a message
that he sent.
Entity authentication means proving the identity of the entity that tries to access
the system’s resources.
A message digest can be used to preserve the integrity of a document or a message.
A hash function creates a message digest out of a message.
A hash function must meet three criteria: one-wayness, resistance to weak collision,
and resistance to strong collision.
A keyless message digest is used as a modification detection code (MDC). It guarantees the integrity of the message. To authenticate the data origin, one needs a
message authentication code (MAC).
MACs are keyed hash functions that create a compressed digest from the message
combined with a key. The method has the same basis as encryption algorithms.
A digital signature scheme can provide the same services provided by a conventional signature. A conventional signature is included in the document; a digital
signature is a separate entity.
A digital signature provides message integrity, authentication, and nonrepudiation.
A digital signature cannot provide confidentiality for the message. If confidentiality
is needed, a cryptosystem must be applied over the scheme.
A digital signature needs an asymmetric-key system.
In entity authentication, a claimant proves her identity to the verifier by using one of the three kinds of witnesses: something known, something possessed, or something inherent.
In password-based authentication, the claimant uses a string of characters as something she knows.
Password-based authentication can be divided into two broad categories: fixed and one-time.
In challenge-response authentication, the claimant proves that she knows a secret without actually sending it.
Challenge-response authentication can be divided into four categories: symmetric-key ciphers, keyed-hash functions, asymmetric-key ciphers, and digital signatures.
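The keyed-hash category of challenge-response, as an added example that is not from the original text: the verifier sends a fresh random challenge and the claimant returns its keyed hash, so the secret itself never crosses the channel. The names Verifier, respond and demo, the use of HMAC-SHA256, and the single-use challenge bookkeeping are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, nonce: bytes) -> bytes:
    """Claimant side: only the keyed hash of the challenge is sent, never the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Holds the shared secret and issues single-use challenges."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh random value per attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each challenge is accepted once, so a recorded exchange cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        return hmac.compare_digest(respond(self._key, nonce), response)


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed sample shared secret
    wrong_key = secrets.token_bytes(32)  # impostor's guess, also constructed
    verifier = Verifier(key)

    n1 = verifier.challenge()
    r1 = respond(key, n1)
    results = {"genuine": verifier.verify(n1, r1)}
    results["replay"] = verifier.verify(n1, r1)          # same pair sent again
    n2 = verifier.challenge()
    results["stale_response"] = verifier.verify(n2, r1)  # old response, new challenge
    n3 = verifier.challenge()
    results["impostor"] = verifier.verify(n3, respond(wrong_key, n3))
    return results


if __name__ == "__main__":
    print(demo())
```

The replay and stale-response cases show why the challenge must be fresh for every attempt: a fixed challenge would make the response as reusable as a fixed password.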
A key distribution center (KDC) is a trusted third party that assigns a symmetric key to two parties.
A KDC creates a secret key only between a member and the center. The secret key between members needs to be created as a session key when two members contact the KDC.
Kerberos is a popular session key creator protocol that requires an authentication server and a ticket-granting server.
A certification authority (CA) is a federal or state organization that binds a public key to an entity and issues a certificate.
A public-key infrastructure (PKI) is a hierarchical system to answer queries about key certification.