unit23

Uploaded by

sridharan

Unit - II

Public key cryptosystems


Public-Key Cryptosystems: Asymmetric algorithms rely on one key for
encryption and a different but related key for decryption.
A public-key encryption scheme has six ingredients (the public key and
the private key are counted separately):
Plaintext: This is the readable message or data that is fed into the
algorithm as input.
Encryption algorithm: The encryption algorithm performs various
transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected so
that if one is used for encryption, the other is used for decryption. The exact
transformations performed by the algorithm depend on the public or private
key that is provided as input.
Ciphertext: This is the scrambled message produced as output. It depends
on the plaintext and the key. For a given message, two different keys will
produce two different ciphertexts.
Decryption algorithm: This algorithm accepts the ciphertext and the
matching key and produces the original plaintext.
The essential steps are the following:
• Each user generates a pair of keys to be used for encryption and
decryption of messages.
• Each user places one of the two keys in a public register or other
accessible file. This is the public key. The companion key is kept private.
• If A wishes to send a confidential message to B, A encrypts the message
using B's public key.
• When B receives the message, it decrypts using its private key. No other
recipient can decrypt the message because only B knows B's private key.
The most important properties of a public key encryption scheme are:

• Different keys are used for encryption and decryption. This property
distinguishes the scheme from a symmetric encryption scheme.
• Each receiver possesses a unique decryption key, generally referred to as
his private key.
• The receiver needs to publish an encryption key, referred to as his public key.
• The encryption algorithm is complex enough to prohibit an attacker from
deducing the plaintext from the ciphertext and the encryption (public) key.
• Though the private and public keys are related mathematically, it is not
feasible to calculate the private key from the public key.

Introduction to Number Theory
Number theory is a branch of mathematics that studies the properties
and relationships of integers. In cryptography, number theory provides the
tools needed to develop algorithms for secure communication.
Fundamental Concepts in Number Theory
Divisibility and Division Algorithm
Divisibility
Divisibility refers to whether one integer can be divided by another
without leaving a remainder. If a and b are integers and b ≠ 0, then a is
divisible by b if there exists an integer k such that a = b × k. In this case,
we say b divides a and write b ∣ a.
Key Properties of Divisibility:
1. Transitivity: If a ∣ b and b ∣ c, then a ∣ c.
2. Additivity: If a ∣ b and a ∣ c, then a ∣ (b + c).
3. Multiplicativity: If a ∣ b, then a ∣ (b × c) for any integer c.
Division Algorithm
The Division Algorithm provides a way to divide one integer by another,
yielding a quotient and a remainder. It states that for any integers a (the
dividend) and b (the divisor, where b > 0) there exist unique integers q (the
quotient) and r (the remainder) such that:
a = b × q + r, where 0 ≤ r < b
• Quotient (q): The integer result of dividing a by b.
• Remainder (r): The non-negative integer less than b that represents
what is left after division.
Prime Numbers and Their Properties:
• Definition: A prime number is an integer greater than 1 that has no
divisors other than 1 and itself.
• Applications: Large prime numbers are essential for generating
cryptographic keys. For example, RSA encryption uses the product of
two large primes to form a modulus for the public and private keys.
The difficulty of factoring this large number into its prime components
underpins the security of RSA.
Euclidean Algorithm
One of the basic techniques of number theory is the Euclidean
algorithm, which is a simple procedure for determining the greatest
common divisor of two positive integers.
Two integers are relatively prime if and only if their only common
positive integer factor is 1.
Greatest Common Divisor
Recall that nonzero b is defined to be a divisor of a if a = mb for some
m, where a, b, and m are integers.
We will use the notation gcd(a, b) to mean the greatest common
divisor of a and b. The greatest common divisor of a and b is the largest
integer that divides both a and b. We also define gcd(0, 0) = 0.

More formally, the positive integer c is said to be the greatest common
divisor of a and b if
1. c is a divisor of a and of b.
2. any divisor of a and b is a divisor of c.
An equivalent definition is the following:
gcd(a, b) = max[k, such that k | a and k | b]
Example:
Find the GCD of 48 and 18:
• Compute 48 mod 18 = 12
• Compute 18 mod 12 = 6
• Compute 12 mod 6 = 0
The last nonzero remainder is 6, so gcd(48, 18) = 6.
Finding the Greatest Common Divisor
1. Suppose we wish to determine the greatest common divisor d of the
integers a and b; that is, determine d = gcd(a, b). Because gcd(|a|, |b|) =
gcd(a, b),
2. Dividing a by b and applying the division algorithm, we can state:
a = q1·b + r1, 0 ≤ r1 < b
3. First consider the case in which r1 = 0. Then b divides a and
clearly no larger number divides both b and a, because that number would
be larger than b. So we have d = gcd(a, b) = b.
4. The other possibility from the equation is r1 ≠ 0. For this case, we can
state that d | r1. This is due to the basic properties of divisibility: the
relations d | a and d | b together imply that d | (a - q1·b), which is the
same as d | r1.
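The procedure above, as an added Python example that is not part of the notes: gcd_trace records every division step (the 48, 18 example reproduces the three remainders listed earlier), and the extended form returns the Bezout coefficients and hence a modular inverse, which is exactly the computation RSA key generation later needs for d. The function names are ours.

```python
# Added example (not from the notes): the Euclidean algorithm with a trace
# of its division steps, its extended form, and the modular inverse it yields.


def gcd_trace(a, b):
    """Return (gcd, steps); each step is (dividend, divisor, remainder)."""
    a, b = abs(a), abs(b)          # gcd(|a|, |b|) = gcd(a, b)
    steps = []
    while b != 0:
        r = a % b                  # division algorithm: a = q*b + r, 0 <= r < b
        steps.append((a, b, r))
        a, b = b, r                # gcd(a, b) = gcd(b, r)
    return a, steps                # remainder 0 reached: the last divisor is the gcd


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (Bezout identity)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """Return a^-1 mod m, or None when gcd(a, m) != 1 (no inverse exists)."""
    g, x, _ = extended_gcd(a % m, m)
    if g != 1:
        return None
    return x % m


def coprime(a, b):
    """Two integers are relatively prime iff their gcd is 1."""
    return gcd_trace(a, b)[0] == 1


if __name__ == "__main__":
    g, steps = gcd_trace(48, 18)
    for dividend, divisor, rem in steps:
        print(f"{dividend} mod {divisor} = {rem}")
    print("gcd(48, 18) =", g)
    # The same inverse computation is what RSA key generation needs:
    # with phi(n) = 3120 and e = 17, d = 17^-1 mod 3120.
    print("17^-1 mod 3120 =", mod_inverse(17, 3120))
```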

Modular Arithmetic:
• Definition: Modular arithmetic deals with the remainder after division
of one number by another (the modulus). For instance, 7 mod 3 equals
1 because 7 divided by 3 leaves a remainder of 1.
• Importance: Many cryptographic algorithms, including RSA and
Diffie-Hellman, use modular arithmetic to perform operations on large
numbers efficiently.

RSA Algorithm
The RSA encryption algorithm is a type of public-key encryption algorithm.
To better understand RSA, let us first understand what a public-key
encryption algorithm is.

Public key encryption algorithm:

A public key encryption algorithm is also called an asymmetric algorithm.
Asymmetric algorithms are those algorithms in which the sender and receiver
use different keys for encryption and decryption. Each sender is assigned a
pair of keys:
o Public key
o Private key
The public key is used for encryption, and the private key is used for
decryption. Decryption cannot be done using a public key.
The two keys are linked, but the private key cannot be derived from
the public key. The public key is well known, but the private key is secret
and it is known only to the user who owns the key.
RSA Encryption Algorithm:
RSA is the most common public-key algorithm, named after its
inventors Rivest, Shamir, and Adleman (RSA).

The RSA algorithm uses the following procedure to generate public and
private keys:

o Select two large prime numbers, p and q.
o Multiply these numbers to find n = p × q, where n is called the
modulus for encryption and decryption.
o Choose a number e less than n, such that e is relatively prime to (p -
1) × (q - 1). It means that e and (p - 1) × (q - 1) have no common
factor except 1. That is, choose e such that 1 < e < φ(n) and
gcd(e, φ(n)) = 1, where φ(n) = (p - 1) × (q - 1).
o If n = p × q, then the public key is <e, n>. A plaintext message m is
encrypted using the public key <e, n>. To find the ciphertext C from the
plaintext, the following formula is used:
C = m^e mod n
Here, m must be less than n. A larger message (> n) is treated as a
concatenation of messages, each of which is encrypted separately.
o To determine the private key, we use the following formula to
calculate d such that:
d × e mod {(p - 1) × (q - 1)} = 1
or
d × e mod φ(n) = 1
o The private key is <d, n>. A ciphertext message c is decrypted using the
private key <d, n>. To calculate the plaintext m from the ciphertext c,
the following formula is used:
m = c^d mod n

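The key generation, encryption and decryption steps above, as an added Python example that is not part of the notes. It uses the small primes p = 61, q = 53 with e = 17 (values we chose for illustration), computes d as the modular inverse with Python's built-in pow(e, -1, phi), and shows the "larger message is split into blocks each smaller than n" rule by encrypting a byte string block by block.

```python
# Added example (not from the notes): textbook RSA on toy parameters.
from math import gcd


def rsa_keygen(p, q, e):
    """Return (public_key, private_key) as ((e, n), (d, n)) for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)                    # phi(n) for n = p*q
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                        # d*e mod phi(n) = 1 (modular inverse)
    return (e, n), (d, n)


def rsa_encrypt(m, public_key):
    """C = m^e mod n; the message block m must be smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(c, private_key):
    """m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_bytes(data, public_key):
    """A message larger than n is treated as a concatenation of blocks, each
    encrypted separately; here every block is one byte, so each block is < n."""
    return [rsa_encrypt(byte, public_key) for byte in data]


def decrypt_bytes(blocks, private_key):
    return bytes(rsa_decrypt(c, private_key) for c in blocks)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)
    print("public  <e, n> =", public)          # (17, 3233)
    print("private <d, n> =", private)         # (2753, 3233)
    c = rsa_encrypt(65, public)
    print("65 ->", c, "->", rsa_decrypt(c, private))
    blocks = encrypt_bytes(b"HI", public)
    print(blocks, decrypt_bytes(blocks, private))
    # Textbook RSA is deterministic: equal blocks give equal ciphertexts, which
    # is why deployed systems apply randomized padding (e.g. OAEP) first.
```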
Key Management
What is Key Management?
Key management refers to the processes and procedures involved in
generating, storing, distributing, and managing cryptographic keys used in
cryptographic algorithms to protect sensitive data.
It ensures that keys used to protect sensitive data are kept safe from
unauthorized access or loss.
Symmetric Key Distribution Using Symmetric Encryption
For symmetric encryption to work, the two parties to an exchange must
share the same key, and that key must be protected from access by others.
The term key distribution therefore refers to the means of delivering a key
to two parties who wish to exchange data, without allowing others to see the key.

For two parties A and B, key distribution can be achieved in a number
of ways, as follows:

1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can
transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can
deliver a key on the encrypted links to A and B.

Key distribution center:

The use of a key distribution center is based on the use of a hierarchy of
keys. At a minimum, two levels of keys are used.
Communication between end systems is encrypted using a temporary key,
often referred to as a session key.
Typically, the session key is used for the duration of a logical connection
and then discarded.
A master key is shared by the key distribution center and an end system or
user and is used to encrypt the session key.

A Key Distribution Scenario
The key distribution concept can be deployed in a number of ways.
The scenario assumes that each user shares a unique master key with the
key distribution center (KDC).

Let us assume that user A wishes to establish a logical connection with B
and requires a one-time session key to protect the data transmitted over
the connection. A has a master key, Ka, known only to itself and the KDC;
similarly, B shares the master key Kb with the KDC. The following steps
occur:

1. A issues a request to the KDC for a session key to protect a logical
connection to B. The message includes the identity of A and B and a
unique identifier, N1, for this transaction, which we refer to as a
nonce. The nonce may be a timestamp, a counter, or a random
number; the minimum requirement is that it differs with each request.

2. The KDC responds with a message encrypted using Ka. Thus, A is the
only one who can successfully read the message, and A knows that it
originated at the KDC. The message includes two items intended for
A:
• The one-time session key, Ks, to be used for the session
• The original request message, including the nonce, to enable A
to match this response with the appropriate request

Thus, A can verify that its original request was not altered before
reception by the KDC and, because of the nonce, that this is not a replay of
some previous request. In addition, the message includes two items
intended for B:
• The one-time session key, Ks, to be used for the session
• An identifier of A (e.g., its network address), IDA

These last two items are encrypted with Kb (the master key that the
KDC shares with B). They are to be sent to B to establish the connection
and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards
to B the information that originated at the KDC for B, namely, E(Kb,
[Ks || IDA]). Because this information is encrypted with Kb, it is
protected from eavesdropping. B now knows the session key (Ks),
knows that the other party is A (from IDA), and knows that the
information originated at the KDC (because it is encrypted using Kb).

4. Using the newly minted session key for encryption, B sends a nonce,
N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that
performs some transformation on N2 (e.g., adding one).

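The five-step scenario above, simulated end to end as an added Python example that is not part of the notes. The class names (Kdc, Principal), the seal/open_ helpers and the message layout are ours; the standard library has no authenticated cipher, so E(K, ·) is a constructed encrypt-then-MAC (SHA-256 keystream plus HMAC tag) that is adequate for illustration only. Step 3 shows where A's nonce check rejects an altered or replayed KDC response.

```python
# Added example (not from the notes): the KDC session-key scenario, steps 1-5.
import hashlib
import hmac
import json
import os


def _keystream(key, iv, length):
    """Constructed toy keystream: SHA-256(key || iv || counter) blocks."""
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj) -> bytes:
    """E(key, obj): toy encrypt-then-MAC with a fresh random IV per message."""
    plaintext = json.dumps(obj).encode()
    iv = os.urandom(16)
    body = iv + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return body + hmac.new(key, body, "sha256").digest()


def open_(key: bytes, blob: bytes):
    """Inverse of seal; raises ValueError on a wrong key or a modified message."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("authentication failed")
    iv, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct)))).decode())


class Kdc:
    def __init__(self, master_keys):
        self.master_keys = master_keys               # {ID: master key} shared with each user

    def step2(self, request):
        """Step 2: E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ka, kb = self.master_keys[request["from"]], self.master_keys[request["to"]]
        ks = os.urandom(16).hex()                    # one-time session key
        ticket = seal(kb, {"ks": ks, "ida": request["from"]})   # the part meant for B
        return seal(ka, {"ks": ks, "request": request, "ticket": ticket.hex()})


class Principal:
    def __init__(self, ident, master_key):
        self.id, self.master_key, self.ks = ident, master_key, None

    def step1(self, peer):
        """Step 1: IDA, IDB and a fresh nonce N1 (here a random value)."""
        self.request = {"from": self.id, "to": peer, "n1": os.urandom(8).hex()}
        return self.request

    def step3(self, reply):
        """Step 3 (A): decrypt with Ka, check the echoed request so an altered or
        replayed response is rejected, keep Ks and forward the ticket to B."""
        msg = open_(self.master_key, reply)
        if msg["request"] != self.request:
            raise ValueError("response does not match the outstanding request")
        self.ks = bytes.fromhex(msg["ks"])
        return bytes.fromhex(msg["ticket"])

    def step4(self, ticket):
        """Step 4 (B): recover Ks and IDA from the ticket, then send E(Ks, N2)."""
        t = open_(self.master_key, ticket)
        self.ks, self.peer = bytes.fromhex(t["ks"]), t["ida"]
        self.n2 = int.from_bytes(os.urandom(4), "big")
        return seal(self.ks, {"n2": self.n2})

    def step5(self, challenge):
        """Step 5 (A): answer with f(N2) = N2 + 1 under Ks, proving A holds Ks."""
        return seal(self.ks, {"f_n2": open_(self.ks, challenge)["n2"] + 1})

    def check_step5(self, response):
        return open_(self.ks, response)["f_n2"] == self.n2 + 1


def run_scenario():
    """Runs steps 1-5 and reports whether both ends agree on Ks and B knows IDA."""
    ka, kb = os.urandom(32), os.urandom(32)          # master keys registered at the KDC
    kdc = Kdc({"A": ka, "B": kb})
    alice, bob = Principal("A", ka), Principal("B", kb)
    reply = kdc.step2(alice.step1("B"))              # steps 1 and 2
    ticket = alice.step3(reply)                      # step 3
    challenge = bob.step4(ticket)                    # step 4
    ok = bob.check_step5(alice.step5(challenge))     # step 5
    return ok and alice.ks == bob.ks and bob.peer == "A"


if __name__ == "__main__":
    print("session established:", run_scenario())
```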

Session Key Lifetime

The distribution of session keys delays the start of any exchange and places
a burden on network capacity. A security manager must try to balance
these competing considerations in determining the lifetime of a particular
session key.

For connection-oriented protocols, one obvious choice is to use the
same session key for the length of time that the connection is open, using
a new session key for each new session.
• If a logical connection has a very long lifetime, then it would be
prudent to change the session key periodically, perhaps every time
the PDU (protocol data unit) sequence number cycles.

For a connectionless protocol, such as a transaction-oriented protocol,
there is no explicit connection initiation or termination.
• Use a new session key for each exchange.
• Alternatively, use a given session key for a certain fixed period only or
for a certain number of transactions.
A Transparent Key Control Scheme
The steps involved in establishing a connection are shown in Figure 14.4.
• When one host wishes to set up a connection to another host, it
transmits a connection-request packet.
• The SSM (session security module) saves that packet and applies to the
KDC for permission to establish the connection.
• The communication between the SSM and the KDC is encrypted using
a master key shared only by this SSM and the KDC. If the KDC
approves the connection request, it generates the session key and
delivers it to the two appropriate SSMs, using a unique permanent key
for each SSM.
• The requesting SSM can now release the connection request packet,
and a connection is set up between the two end systems.
• All user data exchanged between the two end systems are encrypted
by their respective SSMs using the one-time session key.

Controlling Key Usage

The concept of a key hierarchy and the use of automated key
distribution techniques greatly reduce the number of keys that must be
manually managed and distributed.

Use different types of session keys:
• Data-encrypting key, for general communication across a network
• PIN-encrypting key, for personal identification numbers (PINs) used
in electronic funds transfer and point-of-sale applications
• File-encrypting key, for encrypting files stored in publicly accessible
locations

The proposed technique is for use with DES and makes use of the extra 8
bits in each 64-bit DES key. That is, the eight non-key bits ordinarily
reserved for parity checking form the key tag.
The bits have the following interpretation:
• One bit indicates whether the key is a session key or a master key.
• One bit indicates whether the key can be used for encryption.
• One bit indicates whether the key can be used for decryption.
• The remaining bits are spares for future use.

The Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange (also known as exponential key
exchange) is a method for securely exchanging cryptographic keys over an
insecure channel.

The Diffie-Hellman key exchange works by allowing two parties (Alice
and Bob) to agree on a shared secret key over an insecure channel, without
any other party being able to intercept the key or learn anything about it.

A primitive root of a prime number p is one whose powers modulo p
generate all the integers from 1 to p - 1. That is, if a is a primitive root of
the prime number p, then the numbers

Example:
Step 1: Alice and Bob get public numbers P = 23, G = 9
Step 2: Alice selects a private key a = 4 and
Bob selects a private key b = 3
Step 3: Alice and Bob compute public values
Alice: x = (9^4 mod 23) = (6561 mod 23) = 6
Bob: y = (9^3 mod 23) = (729 mod 23) = 16
Step 4: Alice and Bob exchange public numbers
Step 5: Alice receives public key y = 16 and
Bob receives public key x = 6
Step 6: Alice and Bob compute symmetric keys
Alice: ka = y^a mod p = 16^4 mod 23 = 65536 mod 23 = 9
Bob: kb = x^b mod p = 6^3 mod 23 = 216 mod 23 = 9
Step 7: 9 is the shared secret.

Man-In-The-Middle Attack

Alice and Bob wish to exchange keys, and Darth is the adversary. The
attack proceeds as follows:

1. Darth prepares for the attack by generating two random private keys
XD1 and XD2 and then computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates
K2 = (YA)^XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates
K1 = (YB)^XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.
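Both the worked exchange (P = 23, G = 9, a = 4, b = 3) and the man-in-the-middle steps above, as one added Python example that is not part of the notes. It also includes the primitive-root test from the definition, which shows that 9 is not a primitive root of 23 (its powers cover only 11 residues) while 5 is; the function names and Darth's private values are ours.

```python
# Added example (not from the notes): Diffie-Hellman with the notes' numbers,
# a primitive-root check, and the man-in-the-middle exchange from steps 1-7.


def is_primitive_root(g, p):
    """g is a primitive root of prime p if g, g^2, ..., g^(p-1) mod p
    produce every integer from 1 to p-1."""
    return sorted(pow(g, k, p) for k in range(1, p)) == list(range(1, p))


def dh_public(g, private, p):
    return pow(g, private, p)            # Y = g^X mod p


def dh_shared(peer_public, private, p):
    return pow(peer_public, private, p)  # K = Y_peer^X mod p


def dh_exchange(p, g, a, b):
    """Honest exchange: returns (x, y, ka, kb) with ka == kb."""
    x = dh_public(g, a, p)               # Alice -> Bob
    y = dh_public(g, b, p)               # Bob -> Alice
    return x, y, dh_shared(y, a, p), dh_shared(x, b, p)


def dh_man_in_the_middle(q, alpha, xa, xb, xd1, xd2):
    """Darth's interception (steps 1-7): returns the key each party ends with.
    Alice and Bob compute different keys, each shared with Darth, and nothing in
    the unauthenticated exchange lets them notice; authenticating the public
    values (signatures, certificates) is the standard countermeasure."""
    ya, yb = dh_public(alpha, xa, q), dh_public(alpha, xb, q)      # step 2 / step 5
    yd1, yd2 = dh_public(alpha, xd1, q), dh_public(alpha, xd2, q)  # step 1
    k2_darth = dh_shared(ya, xd2, q)     # step 3: Darth's key toward Alice
    k1_bob = dh_shared(yd1, xb, q)       # step 4: Bob uses YD1 instead of YA
    k1_darth = dh_shared(yb, xd1, q)     # step 6: Darth's key toward Bob
    k2_alice = dh_shared(yd2, xa, q)     # step 7: Alice uses YD2 instead of YB
    return {"alice": k2_alice, "bob": k1_bob,
            "darth_with_alice": k2_darth, "darth_with_bob": k1_darth}


if __name__ == "__main__":
    print("9 primitive root mod 23?", is_primitive_root(9, 23))   # False
    print("5 primitive root mod 23?", is_primitive_root(5, 23))   # True
    x, y, ka, kb = dh_exchange(23, 9, 4, 3)
    print(f"x={x} y={y} ka={ka} kb={kb}")                        # 6 16 9 9
    print(dh_man_in_the_middle(23, 5, 4, 3, 7, 9))
```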

Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) is a modern public-key
cryptographic system based on the algebraic structure of elliptic curves
over finite fields. ECC offers strong security with smaller key sizes
compared to traditional cryptographic systems like RSA and DSA, making it
efficient and suitable for a wide range of applications.

Basics of Elliptic Curves

Elliptic Curve Definition:
1. Definition: An elliptic curve is a set of points that satisfy a specific
mathematical equation of the form y^2 = x^3 + ax + b, where a and b are
constants that define the curve.
2. Properties: The points on the curve form an abelian group, meaning
you can perform mathematical operations like addition on them.

Analog of Diffie-Hellman Key Exchange

Key exchange using elliptic curves can be done in the following
manner. First pick a large integer q, which is either a prime number p or an
integer of the form 2^m, and elliptic curve parameters a and b.
This defines the elliptic group of points Eq(a, b). Next, pick a base point G =
(x1, y1) in Eq(a, b) whose order is a very large value n. The order n of a
point G on an elliptic curve is the smallest positive integer n such that nG =
O (the point at infinity). Eq(a, b) and G are parameters of the cryptosystem
known to all participants.

A key exchange between users A and B can be accomplished as follows:

1. A selects an integer nA less than n. This is A's private key. A then
generates a public key PA = nA × G; the public key is a point in Eq(a, b).
2. B similarly selects a private key nB and computes a public key PB.
3. A generates the secret key k = nA × PB. B generates the secret key k =
nB × PA.
The two calculations in step 3 produce the same result because
nA × PB = nA × (nB × G) = nB × (nA × G) = nB × PA

Elliptic Curve Encryption/Decryption

Several approaches to encryption/decryption using elliptic curves have
been analyzed in the literature.
The first task in this system is to encode the plaintext message m to be
sent as an (x, y) point Pm. It is the point Pm that will be encrypted as a
ciphertext and subsequently decrypted.
As with the key exchange system, an encryption/decryption system
requires a point G and an elliptic group Eq(a, b) as parameters.
Each user A selects a private key nA and generates a public key PA =
nA × G. To encrypt and send a message Pm to B, A chooses a random
positive integer k and produces the ciphertext Cm consisting of the pair of
points: Cm = {kG, Pm + kPB}
Note that A has used B's public key PB. To decrypt the ciphertext, B
multiplies the first point in the pair by B's private key and subtracts the
result from the second point:
Pm + kPB - nB(kG) = Pm + k(nBG) - nB(kG) = Pm

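The group law, the Diffie-Hellman analog and the {kG, Pm + kPB} scheme above, as one added Python example that is not part of the notes. It works on a constructed toy curve, y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of order 19 (a textbook teaching curve, far too small for real use); the point arithmetic is ours and the function names are assumptions.

```python
# Added example (not from the notes): elliptic-curve arithmetic over a small
# prime field, ECDH key agreement, and the {kG, Pm + k*PB} encryption above.
P = 17
A, B = 2, 2         # curve y^2 = x^3 + 2x + 2 over F_17
G = (5, 1)          # base point
N = 19              # order of G: 19*G = O
O = None            # point at infinity, the group identity


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law on E_p(a, b): chord-and-tangent addition mod P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                         # p1 = -p2 (or doubling with y = 0)
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def point_neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P)


def scalar_mult(k, pt):
    """k*pt by double-and-add (the 'nG' of the notes)."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ec_keypair(private):
    """Private key n_A in [1, N-1]; public key P_A = n_A * G."""
    if not 1 <= private < N:
        raise ValueError("private key must be in [1, N-1]")
    return private, scalar_mult(private, G)


def ecdh_shared(private, peer_public):
    return scalar_mult(private, peer_public)             # n_A * P_B == n_B * P_A


def ec_encrypt(pm, pub_b, k):
    """C_m = {kG, Pm + k*P_B} for a random k chosen by the sender."""
    return scalar_mult(k, G), point_add(pm, scalar_mult(k, pub_b))


def ec_decrypt(cm, priv_b):
    """Pm = (Pm + k*P_B) - n_B*(kG)."""
    c1, c2 = cm
    return point_add(c2, point_neg(scalar_mult(priv_b, c1)))


if __name__ == "__main__":
    na, pa = ec_keypair(3)
    nb, pb = ec_keypair(7)
    print("shared:", ecdh_shared(na, pb), ecdh_shared(nb, pa))   # both (6, 3)
    pm = (10, 6)                 # a curve point standing in for the encoded message
    cm = ec_encrypt(pm, pb, k=4)
    print("ciphertext:", cm, "-> plaintext:", ec_decrypt(cm, nb))
```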
Message authentication and Hash function
Message Authentication
Message authentication is a mechanism or service used to verify the
integrity of a message. Message authentication assures that data received
are exactly as sent by (i.e., contain no modification, insertion, deletion, or
replay) and that the purported identity of the sender is valid.
Symmetric encryption provides authentication among those who
share the secret key. Encryption of a message by a sender's private key
also provides a form of authentication.
The two most common cryptographic techniques for message
authentication are
• Message authentication code (MAC) and
• Secure hash function.
A MAC is an algorithm that requires the use of a secret key. A MAC takes
a variable-length message and a secret key as input and produces an
authentication code. A recipient in possession of the secret key can
generate an authentication code to verify the integrity of the message.
A hash function maps a variable-length message into a fixed-length hash
value, or message digest. For message authentication, a secure hash
function must be combined in some fashion with a secret key.

Authentication Requirements
In the context of communications across a network, the following
attacks can be identified:
1- Disclosure: Release of message contents to any person or process not
possessing the appropriate cryptographic key
2- Traffic analysis: Discovery of the pattern of traffic between parties. In a
connection-oriented application, the frequency and duration of connections
could be determined. In either a connection-oriented or connectionless
environment, the number and length of messages between parties could be
determined.
3- Masquerade: Insertion of messages into the network from a fraudulent
source. This includes the creation of messages by an opponent that are
purported to come from an authorized entity. Also included are fraudulent
acknowledgments of message receipt or non-receipt by someone other
than the message recipient.
4- Content modification: Changes to the contents of a message,
including insertion, deletion, transposition, and modification.
5- Sequence modification: Any modification to a sequence of messages
between parties, including insertion, deletion, and reordering.
6- Timing modification: Delay or replay of messages. In a connection-
oriented application, an entire session or sequence of messages could be a
replay of some previous valid session, or individual messages in the
sequence could be delayed or replayed. In a connectionless application, an
individual message (e.g., datagram) could be delayed or replayed.
7- Source repudiation: Denial of transmission of message by source.
8- Destination repudiation: Denial of receipt of message by destination.
Authentication Functions
Any message authentication or digital signature mechanism has two
levels of functionality.

• At the lower level, there must be some sort of function that produces
an authenticator: a value to be used to authenticate a message.
• This lower-level function is then used as a primitive in a higher-level
authentication protocol that enables a receiver to verify the authenticity of
a message.

These may be grouped into three classes, as follows:

• Message encryption: The ciphertext of the entire message serves
as its authenticator.
• Message authentication code (MAC): A function of the message
and a secret key that produces a fixed-length value that serves as the
authenticator.
• Hash function: A function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator.

Message Authentication Code (MAC)

A MAC algorithm is a symmetric-key cryptographic technique to provide
message authentication. To establish the MAC process, the sender and
receiver share a symmetric key K.
Essentially, a MAC is an encrypted checksum generated on the
underlying message that is sent along with the message to ensure message
authentication.

The entire process in detail:

• The sender uses some publicly known MAC algorithm, inputs the
message and the secret key K, and produces a MAC value.
• Similar to a hash, a MAC function also compresses an arbitrarily long input
into a fixed-length output. The major difference between a hash and a
MAC is that the MAC uses a secret key during the compression.
• The sender forwards the message along with the MAC. Here, we
assume that the message is sent in the clear, as we are concerned with
providing message origin authentication, not confidentiality. If
confidentiality is required, then the message needs encryption.
• On receipt of the message and the MAC, the receiver feeds the
received message and the shared secret key K into the MAC algorithm
and recomputes the MAC value.
• The receiver now checks the equality of the freshly computed MAC with the
MAC received from the sender. If they match, then the receiver
accepts the message and assures himself that the message has been
sent by the intended sender.
• If the computed MAC does not match the MAC sent by the sender, the
receiver cannot determine whether it is the message that has been
altered or the origin that has been falsified. As a bottom line, the
receiver safely assumes that the message is not genuine.

HMAC Algorithm
Overall operation of HMAC. Define the following terms:
• H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
• IV = initial value input to hash function
• M = message input to HMAC (including the padding specified in the
embedded hash function)
• Yi = ith block of M, 0 ≤ i ≤ (L - 1)
• L = number of blocks in M
• b = number of bits in a block
• n = length of hash code produced by embedded hash function
• K = secret key; recommended length is n; if the key length is greater
than b, the key is input to the hash function to produce an n-bit key
• K+ = K padded with zeros on the left so that the result is b bits in
length
• ipad = 00110110 (36 in hexadecimal) repeated b/8 times
• opad = 01011100 (5C in hexadecimal) repeated b/8 times
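HMAC assembled directly from the terms defined above (K+, ipad, opad, the long-key rule), together with the receiver-side comparison from the MAC process, as an added Python example that is not part of the notes. It uses SHA-256 as the embedded hash H, appends the zero padding to K as RFC 2104 and Python's hmac module do so the result can be cross-checked against the standard implementation, and the function names are ours.

```python
# Added example (not from the notes): HMAC from its definition, plus MAC verification.
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    b = hashlib.new(hash_name).block_size          # block size in bytes (b/8); 64 for SHA-256
    if len(key) > b:
        key = h(key)                               # key longer than b bits: hash it to n bits
    k_plus = key + b"\x00" * (b - len(key))        # K+: K zero-padded to b bits (appended,
                                                   # as RFC 2104 specifies)
    ipad = bytes([0x36] * b)                       # 00110110 repeated b/8 times
    opad = bytes([0x5C] * b)                       # 01011100 repeated b/8 times
    inner = h(bytes(k ^ p for k, p in zip(k_plus, ipad)) + message)   # H[(K+ XOR ipad) || M]
    return h(bytes(k ^ p for k, p in zip(k_plus, opad)) + inner)     # H[(K+ XOR opad) || inner]


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's hmac module, which implements the same construction."""
    return hmac_from_definition(key, message) == hmac.new(key, message, "sha256").digest()


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side of the MAC process: recompute over the received message with
    the shared key K and compare; compare_digest avoids timing leaks."""
    return hmac.compare_digest(hmac_from_definition(key, message), received_mac)


if __name__ == "__main__":
    key, msg = b"shared-secret-key", b"transfer 100 to account 42"   # constructed sample
    tag = hmac_from_definition(key, msg)
    print("tag:", tag.hex())
    print("matches hmac module:", matches_stdlib(key, msg))
    print("valid:", verify_mac(key, msg, tag))
    print("tampered message valid:", verify_mac(key, b"transfer 900 to account 42", tag))
```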

Hash Function
A hash function is a mathematical function that converts a numerical
input value into another compressed numerical value. The input to the hash
function is of arbitrary length but the output is always of fixed length. Values
returned by a hash function are called message digests or simply hash
values.

Hashing algorithms use a sequence of rounds, similar to a block
cipher, to process a message. In each round, a fixed-size input is used,
which usually combines the current message block and the result from the
previous round.

Applications of Cryptographic Hash Functions:
The most versatile cryptographic algorithm is the cryptographic hash
function. It is used in a wide variety of security applications and Internet
protocols.
Message Authentication:
• Message authentication is a mechanism or service used to verify the
integrity of a message.
• Message authentication assures that data received are exactly as sent
(i.e., there is no modification, insertion, deletion, or replay).
• When a hash function is used to provide message authentication, the
hash function value is often referred to as a message digest.
Digital Signatures:
• Another important application, which is similar to the message
authentication application, is the digital signature.
• The operation of the digital signature is similar to that of the MAC.
• In the case of the digital signature, the hash value of a message is
encrypted with a user's private key.
• Anyone who knows the user's public key can verify the integrity of the
message that is associated with the digital signature.
Other Applications:
• Hash functions are commonly used to create a one-way password file.
• Hash functions can be used for intrusion detection and virus detection.
• A cryptographic hash function can be used to construct a
pseudorandom function (PRF) or a pseudorandom number generator
(PRNG).

DIGITAL SIGNATURES
Digital signatures are the public-key primitives of message
authentication. In the physical world, it is common to use handwritten
signatures on handwritten or typed messages.
They are used to bind the signatory to the message. Similarly, a digital
signature is a technique that binds a person/entity to the digital data. This
binding can be independently verified by the receiver as well as any third party.
A digital signature is a cryptographic value that is calculated from the
data and a secret key known only by the signer. In the real world, the receiver
of a message needs assurance that the message belongs to the sender and
the sender should not be able to repudiate the origination of that message.

Model of Digital Signature

The following points explain the entire process in detail:

• Each person adopting this scheme has a public-private key pair.
• Generally, the key pairs used for encryption/decryption and
signing/verifying are different. The private key used for signing is
referred to as the signature key and the public key as the verification
key.
• The signer feeds data to the hash function and generates a hash of the data.
• The hash value and signature key are then fed to the signature algorithm,
which produces the digital signature on the given hash. The signature is
appended to the data and then both are sent to the verifier.
• The verifier feeds the digital signature and the verification key into the
verification algorithm. The verification algorithm gives some value as
output.
• The verifier also runs the same hash function on the received data to
generate a hash value.
• For verification, this hash value and the output of the verification algorithm
are compared. Based on the comparison result, the verifier decides
whether the digital signature is valid.
• Since the digital signature is created by the 'private' key of the signer and
no one else can have this key, the signer cannot repudiate signing the data
in future.

Direct Digital Signature

• involves only the sender and receiver
• assumes the receiver has the sender's public key
• the digital signature is made by the sender signing the entire message or
its hash with the private key
• can encrypt using the receiver's public key
• important to sign first, then encrypt the message and signature
• security depends on the sender's private key


Arbitrated Digital Signatures
As with direct signature schemes, there is a variety of arbitrated
signature schemes. In general terms, they all operate as follows.
Every signed message from a sender X to a receiver Y goes first to an
arbiter A, who subjects the message and its signature to a number of tests
to check its origin and content.
The message is then dated and sent to Y with an indication that it has
been verified to the satisfaction of the arbiter. The presence of A solves the
problem faced by direct signature schemes: that X might disown the
message.

Unit - III

AUTHENTICATION APPLICATIONS

One of the key aspects of cryptography and network security is
authentication. It helps to establish trust by identifying a particular user or a
system. There are many ways to authenticate a user. Traditionally, user ids
and passwords have been used.

Kerberos

Kerberos provides a centralized authentication server whose function
is to authenticate users to servers and servers to users. In Kerberos, an
authentication server and a database are used for client authentication.

Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC).

Kerberos addresses the following threats:

• A user may gain access to a particular workstation and pretend to be
another user operating from that workstation.
• A user may alter the network address of a workstation so that the
requests sent from the altered workstation appear to come from the
impersonated workstation.
• A user may eavesdrop on exchanges and use a replay attack to gain
entrance to a server or to disrupt operations.

Two versions of Kerberos are in current use: Version 4 and Version 5.

Kerberos listed the following requirements:

Secure: An opponent does not find it to be the weak link.

Reliable: One system should be able to back up another.

Transparent: A user should not be aware of authentication taking place.

Scalable: The system supports a large number of clients and servers.

Components of Kerberos
The main components of Kerberos are:
• Client
• Server
• Authentication Server (AS)
• Key Distribution Center (KDC)
• Ticket Granting Server (TGS)

Client: The client acts on behalf of the user and initiates communication for
a service request.
Server: The server hosts the service the user wants to access.
Authentication Server (AS): The Authentication Server performs the initial
authentication and issues a ticket for the Ticket Granting Service.
Key Distribution Center (KDC): In a Kerberos environment, the
authentication server is logically separated into three parts: a database (db),
the Authentication Server (AS), and the Ticket Granting Server (TGS). These
three parts, in turn, exist in a single server called the Key Distribution
Center.

Ticket Granting Server (TGS): The TGS is an application server that
issues service tickets as a service.

Kerberos Overview

Kerberos Encryption Techniques

Simple Kerberos Dialogue

Ticket Granting Server

• The TGS issues tickets to users who have been authenticated to the AS.

• Thus, the user first requests a ticket-granting ticket (Ticket_tgs) from the
AS.

• The client module in the user workstation saves this ticket.

• Each time the user requires access to a new service, the client applies to
the TGS, using the ticket to authenticate itself.

• The TGS then grants a ticket for the particular service.

• The client saves each service-granting ticket and uses it to authenticate
its user to a server each time a particular service is requested.

Authentication Dialogue

Kerberos Exchange

Step 1. The client requests a ticket-granting ticket on behalf of the user by
sending its user’s ID to the AS, together with the TGS ID, indicating a
request to use the TGS service.

Step 2. The AS responds with a ticket that is encrypted with a key that is
derived from the user’s password (Kc), which is already stored at the AS.
When this response arrives at the client, the client prompts the user for the
password, generates the key, and attempts to decrypt the message. If the
correct password is supplied, the ticket is successfully recovered.

Step 3. The client requests a service-granting ticket on behalf of the user.
For this purpose, the client transmits a message to the TGS containing the
user’s ID, the ID of the desired service, and the ticket-granting ticket.

Step 4. The TGS decrypts the incoming ticket using a key shared only by
the AS and the TGS (Ktgs) and verifies the success of the decryption by the
presence of its ID. It checks to make sure that the lifetime has not expired.
Then it compares the user ID and network address with the incoming
information to authenticate the user. If the user is permitted access to the
server V, the TGS issues a ticket to grant access to the requested service.

Step 5. The client requests access to a service on behalf of the user. For
this purpose, the client transmits a message to the server containing the
user’s ID and the service-granting ticket. The server authenticates the user
by using the contents of the ticket.
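To make the five steps concrete, the Python below is an added simulation of the dialogue; it is not part of the original notes and not Kerberos software. The AS and TGS live in one process, the user's key Kc is derived from the password exactly as the AS derives it, and a toy encrypt-then-MAC box built from SHA-256 and HMAC stands in for the block cipher Kerberos actually uses. The user "alice", the client address 10.0.0.7, the service "fileserver" and the 300-second lifetime are constructed values.

```python
"""Toy walk-through of the Kerberos AS / TGS / server dialogue (stdlib only)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    """Toy keystream (stand-in for the real block cipher): SHA-256(key||nonce||counter)."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt a JSON-serialisable object under key and append an HMAC tag; returns hex."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return (nonce + body + tag).hex()


def unseal(key, token):
    """Check the tag, then decrypt; ValueError on a wrong key or altered bytes."""
    raw = bytes.fromhex(token)
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or tampered ciphertext")
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain.decode())


def password_key(password):
    """Kc: the key derived from the user's password (the AS stores the same value)."""
    return hashlib.sha256(b"toy-kerberos-salt" + password.encode()).digest()


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self, users, servers, lifetime=300):
        self.user_keys = {uid: password_key(pw) for uid, pw in users.items()}
        self.server_keys = servers              # Kv for each service server
        self.k_tgs = os.urandom(32)             # Ktgs, shared only by AS and TGS
        self.id_tgs = "tgs"
        self.lifetime = lifetime

    def as_exchange(self, id_c, ad_c):
        """Steps 1-2: Ticket_tgs sealed under Ktgs, returned to the client under Kc."""
        ticket_tgs = {"ID_c": id_c, "AD_c": ad_c, "ID_tgs": self.id_tgs,
                      "TS": time.time(), "lifetime": self.lifetime}
        reply = {"ID_tgs": self.id_tgs, "Ticket_tgs": seal(self.k_tgs, ticket_tgs)}
        return seal(self.user_keys[id_c], reply)

    def tgs_exchange(self, id_c, id_v, ticket_tgs, ad_c):
        """Steps 3-4: verify Ticket_tgs, then issue the service ticket under Kv."""
        t = unseal(self.k_tgs, ticket_tgs)      # decryption failure -> ValueError
        if t["ID_tgs"] != self.id_tgs:
            raise ValueError("ticket was not issued for the TGS")
        if time.time() > t["TS"] + t["lifetime"]:
            raise ValueError("ticket-granting ticket has expired")
        if t["ID_c"] != id_c or t["AD_c"] != ad_c:
            raise ValueError("user ID or network address does not match the ticket")
        ticket_v = {"ID_c": id_c, "AD_c": ad_c, "ID_v": id_v,
                    "TS": time.time(), "lifetime": self.lifetime}
        return seal(self.server_keys[id_v], ticket_v)


def server_accepts(k_v, id_v, id_c, ad_c, ticket_v):
    """Step 5: server V authenticates the client from the ticket contents alone."""
    try:
        t = unseal(k_v, ticket_v)
    except ValueError:
        return False
    return (t["ID_v"] == id_v and t["ID_c"] == id_c and t["AD_c"] == ad_c
            and time.time() <= t["TS"] + t["lifetime"])


def run_dialogue(password_tried, tamper=False):
    """Whole dialogue for the constructed user 'alice'; True if server V accepts her."""
    kdc = KDC(users={"alice": "correct horse"},
              servers={"fileserver": os.urandom(32)})
    ad_c = "10.0.0.7"                                   # constructed client address
    reply = kdc.as_exchange("alice", ad_c)
    try:
        msg = unseal(password_key(password_tried), reply)   # client derives Kc
    except ValueError:
        return False                                    # wrong password: no ticket
    ticket_tgs = msg["Ticket_tgs"]
    if tamper:                                          # alter the last byte of the ticket
        ticket_tgs = ticket_tgs[:-2] + ("00" if ticket_tgs[-2:] != "00" else "ff")
    try:
        ticket_v = kdc.tgs_exchange("alice", "fileserver", ticket_tgs, ad_c)
    except ValueError:
        return False
    return server_accepts(kdc.server_keys["fileserver"], "fileserver",
                          "alice", ad_c, ticket_v)


if __name__ == "__main__":
    print("correct password:", run_dialogue("correct horse"))
    print("wrong password:  ", run_dialogue("wrong"))
    print("tampered ticket: ", run_dialogue("correct horse", tamper=True))
```

Running it shows how the design answers the three threats listed above: a wrong password cannot open the AS reply, a ticket whose bytes are altered fails the integrity check at the TGS, and server V accepts a client purely from the identity, address and lifetime sealed under its own key Kv, without ever seeing the user's password.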

X.509 CERTIFICATES

X.509 defines a framework for authentication services using the X.500
directory. The directory serves as a repository of public-key certificates. X.509 is
based on the use of public-key cryptography (RSA is recommended) and digital
signatures.

X.509 is an important standard because the certificate structure and
authentication protocols defined in X.509 are used in a variety of contexts.
For example, the X.509 certificate format is used in S/MIME, IP Security, and
SSL/TLS.

X.509 Public-Key Certificate Use

Certificates
The heart of the X.509 scheme is the public-key certificate associated
with each user. These user certificates are assumed to be created by some
trusted certification authority (CA) and placed in the directory by the CA or
by the user.

Version: Differentiates among successive versions of the certificate
format; the default is version 1.

Serial number: An integer value unique within the issuing CA.

Signature algorithm identifier: The algorithm used to sign the certificate
together with any associated parameters. Because this information is
repeated in the signature field at the end of the certificate, this field has
little, if any, utility.

Issuer name: X.500 name of the CA that created and signed this
certificate.
Period of validity: Consists of two dates: the first and last on which the
certificate is valid.
Subject name: The name of the user to whom this certificate refers. That
is, this certificate certifies the public key of the subject who holds the
corresponding private key.
Subject’s public key information: The public key of the subject, plus an
identifier of the algorithm for which this key is to be used, together with any
associated parameters.
Issuer unique identifier: An optional bit string field used to identify
uniquely the issuing CA in the event the X.500 name has been reused for
different entities.
Subject unique identifier: An optional bit string field used to identify
uniquely the subject in the event the X.500 name has been reused for
different entities.
Extensions: A set of one or more extension fields.
Signature: Covers all of the other fields of the certificate; it contains the
hash code of the other fields encrypted with the CA’s private key.

The unique identifier fields were added in version 2 to handle the possible
reuse of subject and/or issuer names over time. These fields are rarely
used.
The standard uses the following notation to define a certificate:
CA<<A>> = CA {V, SN, AI, CA, UCA, A, UA, Ap, TA}
where
Y<<X>> = the certificate of user X issued by certification authority Y
Y {I} = the signing of I by Y. It consists of I with an encrypted hash code
appended
V = version of the certificate
SN = serial number of the certificate
AI = identifier of the algorithm used to sign the certificate
CA = name of certificate authority
UCA = optional unique identifier of the CA
A = name of user A
UA = optional unique identifier of the user A
Ap = public key of user A
TA = period of validity of the certificate

Email security

Email security refers to the steps taken to protect email messages
and the information they contain from unauthorized access and
damage. It involves ensuring the confidentiality, integrity, and availability
of email messages, as well as safeguarding against phishing attacks, spam,
viruses, and other forms of malware.

Internet Mail Architecture

Internet mail architecture consists of a user world, in the form of
Message User Agents (MUA), and a transfer world, in the form of the
Message Handling Service (MHS), which is composed of Message Transfer
Agents (MTA).

The MHS accepts a message from one user and delivers it to one or
more other users, creating a virtual MUA-to-MUA exchange environment.

Key components of the Internet mail architecture

Message User Agent (MUA): Operates on behalf of user actors and user
applications. It is their representative within the email service.

Mail Submission Agent (MSA): Accepts the message submitted by an
MUA and enforces the policies of the hosting domain and the requirements
of Internet standards. This function may be located together with the MUA
or as a separate functional model.

Message Transfer Agent (MTA): Relays mail for one application-level
hop. It is like a packet switch or IP router in that its job is to make routing
assessments and to move the message closer to the recipients. Relaying is
performed by a sequence of MTAs until the message reaches a destination
MDA.

Mail Delivery Agent (MDA): Responsible for transferring the message
from the MHS to the MS.

Message Store (MS): An MUA can employ a long-term MS. An MS can be
located on a remote server or on the same machine as the MUA. Typically,
an MUA retrieves messages from a remote server using POP (Post Office
Protocol) or IMAP (Internet Message Access Protocol).

Two other concepts need to be defined. An administrative
management domain (ADMD) is an Internet email provider.

The Domain Name System (DNS) is a directory lookup service that
provides a mapping between the name of a host on the Internet and its
numerical address.

Email protocols

Email protocols are a collection of protocols that are used to send
and receive emails properly. The email protocols provide the ability for the
client to transmit mail to or from the intended mail server.

Email protocols are a set of commands for sharing mail between two
computers. Email protocols establish communication between the sender
and receiver for the transmission of email.

Two types of protocols are used for transferring email. The first type
is used to move messages through the Internet from source to destination.
The protocol used for this purpose is SMTP, with various extensions and in
some cases restrictions.

The second type consists of protocols used to transfer messages
between mail servers, of which IMAP and POP are the most commonly
used.

Simple Mail Transfer Protocol (SMTP) is a mechanism for
exchanging email messages between servers. It is an essential component
of the email communication process and operates at the application layer
of the TCP/IP protocol stack. SMTP is a protocol for transmitting and
receiving email messages.

Mail Access Protocols (POP3, IMAP): Post Office Protocol (POP3) allows
an email client (user agent) to download email from an email server
(MTA). POP3 user agents connect via TCP to the server (typically port 110).

The user agent enters a username and password (either stored
internally for convenience or entered each time by the user for stronger
security).

After authorization, the UA can issue POP3 commands to retrieve and
delete mail. As with POP3, Internet Message Access Protocol (IMAP) also
enables an email client to access mail on an email server.

IMAP also uses TCP, with server TCP port 143. IMAP is more complex
than POP3. IMAP provides stronger authentication than POP3 and provides
other functions not supported by POP3.

Pretty Good Privacy (PGP)

PGP (Pretty Good Privacy) was invented by Phil Zimmermann.

 PGP was designed to provide all four aspects of security, i.e., privacy,
integrity, authentication, and non-repudiation in the sending of email.
 PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation.
PGP uses a combination of secret key encryption and public key
encryption to provide privacy.
 PGP is an open source and freely available software package for
email security.
 PGP provides authentication through the use of a digital signature.
 It provides confidentiality through the use of symmetric block
encryption.

How PGP Works

Encryption:

 Symmetric Encryption: PGP uses a symmetric key (a single secret
key) to encrypt the message itself. This type of encryption is fast and
efficient for encrypting large amounts of data.
 Asymmetric Encryption: PGP also uses asymmetric encryption
(public key cryptography) to securely exchange the symmetric key.
This involves a pair of keys:
 Public Key: Used to encrypt the symmetric key.
 Private Key: Used to decrypt the symmetric key.

Following are the steps taken by PGP to create secure e-mail at
the sender site:

 The e-mail message is hashed by using a hash function to create a
digest.
 The digest is then encrypted by using the sender's private key to form a
signed digest, and the signed digest is added to the original
email message.
 The original message and signed digest are encrypted by using a
one-time secret key created by the sender.
 The secret key is encrypted by using the receiver's public key.
 Both the encrypted secret key and the encrypted combination of
message and digest are sent together.

Decryption:
 The recipient uses their private key to decrypt the symmetric key.
 With the symmetric key decrypted, they can then decrypt the
message.
Following are the steps taken to show how PGP uses hashing and
a combination of three keys to recover the original message:

 The receiver receives the combination of the encrypted secret key and
the encrypted message and digest.
 The encrypted secret key is decrypted by using the receiver's private
key to get the one-time secret key.
 The secret key is then used to decrypt the combination of message
and digest.
 The digest is decrypted by using the sender's public key, and the
original message is hashed by using a hash function to create a
digest.
 Both digests are compared; if they are equal, all the aspects of
security are preserved.

77
S/MIME
S/MIME stands for Secure/Multipurpose Internet Mail Extensions. Through
encryption, S/MIME offers protection for business emails. S/MIME comes
under the concept of cryptography.
S/MIME is a protocol used for encrypting or decrypting digitally signed
e-mails. This means that users can digitally sign their emails as the
owner (sender) of the e-mail.
S/MIME is defined in a number of documents, most importantly RFCs 3369,
3370, 3850, 3851, 5751 and 5752.

S/MIME Operational Description

S/MIME provides for four message-related services: authentication,
confidentiality, compression, and email compatibility.

AUTHENTICATION
Authentication is provided by means of a digital signature, using the
general digital signature scheme; most commonly RSA with SHA-256 is used.
The sequence is as follows:
1. The sender creates a message.
2. SHA-256 is used to generate a 256-bit message digest of the
message.
3. The message digest is encrypted with RSA using the sender’s private
key, and the result is appended to the message. Also appended is
identifying information for the signer, which will enable the receiver to
retrieve the signer’s public key.
4. The receiver uses RSA with the sender’s public key to decrypt and
recover the message digest.
5. The receiver generates a new message digest for the message and
compares it with the decrypted hash code. If the two match, the
message is accepted as authentic.

CONFIDENTIALITY
S/MIME provides confidentiality by encrypting messages. Most
commonly AES with a 128-bit key is used, with the cipher block
chaining (CBC) mode.
One must address the problem of key distribution. In S/MIME, each
symmetric key, referred to as a content-encryption key, is used only
once. That is, a new key is generated as a random number for each
message. To protect the key, it is encrypted with the receiver’s public key.
The sequence can be described as follows:
1. The sender generates a message and a random 128-bit number to be
used as a content-encryption key for this message only.
2. The message is encrypted using the content-encryption key.
3. The content-encryption key is encrypted with RSA using the recipient’s
public key and is attached to the message.
4. The receiver uses RSA with its private key to decrypt and recover the
content-encryption key.
5. The content-encryption key is used to decrypt the message.

EMAIL COMPATIBILITY
When S/MIME is used, at least part of the block to
be transmitted is encrypted. If only the signature service is used, then the
message digest is encrypted (with the sender’s private key). If the
confidentiality service is used.
Many electronic mail systems only permit the use of blocks consisting
of ASCII text. To accommodate this restriction, S/MIME provides the service
of converting the raw 8-bit binary stream to a stream of printable ASCII
characters, a process referred to as 7-bit encoding.
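The PGP sender and receiver steps and the S/MIME authentication, confidentiality and email-compatibility services above all follow one shape: hash the message, sign the digest with the sender's private key, encrypt message and signature under a one-time content-encryption key, wrap that key with the recipient's public key, and radix-64 encode the result. The Python below is an added example, not code from the notes and not from PGP or any S/MIME implementation. Textbook RSA on tiny primes, applied one byte at a time, and an XOR keystream derived from SHA-256 stand in for real RSA and for AES-CBC or CAST-128, so the block shows the structure of the exchange only, not usable cryptography. The parties alice, bob and mallory and the message text are constructed.

```python
"""Toy sign-then-encrypt e-mail pipeline in the PGP / S/MIME shape (stdlib only)."""
import base64
import hashlib
import json
import os


def toy_rsa_keypair(p, q, e=17):
    """Textbook RSA from two small primes; returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, values):
    """Apply RSA to each small integer separately (each value must be < n)."""
    n, exp = key
    return [pow(v, exp, n) for v in values]


def stream_xor(key, data):
    """Toy symmetric cipher (stand-in for AES-CBC): XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def send_mail(message, sender_priv, recipient_pub):
    """Sender: hash, sign digest, encrypt under one-time key, wrap key, radix-64 encode."""
    digest = hashlib.sha256(message).digest()               # 256-bit message digest
    signature = rsa_apply(sender_priv, digest)              # digest under sender's private key
    signed = json.dumps({"message": message.decode(), "signature": signature}).encode()
    session_key = os.urandom(16)                            # one-time 128-bit content-encryption key
    body = stream_xor(session_key, signed)                  # message + signature encrypted
    wrapped_key = rsa_apply(recipient_pub, session_key)     # key under recipient's public key
    envelope = json.dumps({"wrapped_key": wrapped_key, "body": body.hex()}).encode()
    return base64.b64encode(envelope).decode()              # 7-bit (radix-64) form for e-mail


def receive_mail(armored, recipient_priv, sender_pub):
    """Receiver: unwrap key, decrypt, recompute digest, compare with recovered digest.

    Returns (message, signature_ok)."""
    envelope = json.loads(base64.b64decode(armored))
    session_key = bytes(rsa_apply(recipient_priv, envelope["wrapped_key"]))
    signed = json.loads(stream_xor(session_key, bytes.fromhex(envelope["body"])))
    message = signed["message"].encode()
    recovered = rsa_apply(sender_pub, signed["signature"])  # digest via sender's public key
    fresh = list(hashlib.sha256(message).digest())
    return message, recovered == fresh


def demo():
    """Constructed exchange: alice -> bob, and mallory trying to pass as alice."""
    alice_pub, alice_priv = toy_rsa_keypair(61, 53)
    bob_pub, bob_priv = toy_rsa_keypair(59, 67)
    mallory_pub, mallory_priv = toy_rsa_keypair(71, 73)
    armored = send_mail(b"Transfer approved", alice_priv, bob_pub)
    message, ok = receive_mail(armored, bob_priv, alice_pub)
    forged = send_mail(b"Transfer approved", mallory_priv, bob_pub)
    _, forged_ok = receive_mail(forged, bob_priv, alice_pub)   # checked against alice's key
    return message, ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

The receiver never learns the one-time key except by unwrapping it with its own private key, and the signature check binds the message to the claimed sender: a message signed under mallory's key fails verification against alice's public key even though bob can decrypt it.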
COMPRESSION
S/MIME also offers the ability to compress a message. This has the
benefit of saving space both for email transmission and for file storage.
Compression can be applied in any order with respect to the signing and
message encryption operations. RFC 5751 provides the following
guidelines:
■ Compression of binary encoded encrypted data is discouraged, since it
will not yield significant compression. Base64 encrypted data could very
well benefit, however.
■ If a lossy compression algorithm is used with signing, you will need to
compress first, then sign.

S/MIME Message Content Types

S/MIME uses the following message content types, which are defined
in RFC 5652, Cryptographic Message Syntax:

Data content type: This is an arbitrary string. The object created is
called Data.
Signed-Data content type: This type provides only integrity of data. It
contains content of any type and zero or more signature values. The encoded
result is called signed data.
Following are the steps in the process:
1. For each signer, a message digest is created from the content using a
specific hash algorithm chosen by that signer.
2. Each message digest is signed with the private key of the signer.
3. The content, signature values and certificates are then collected to create
the signed-data object.

Enveloped-Data content type:
This type is used to provide privacy for the message. It contains content of
any type and zero or more encrypted keys and certificates. The encoded result
is an object called enveloped data.

1. A pseudorandom session key is created for the symmetric key
algorithm to be used.
2. For each recipient, a copy of the session key is encrypted with the
public key of that recipient.
3. The content is encrypted using the defined algorithm and the created
session key.
4. The encrypted content, encrypted session keys, algorithm used and
certificates are encoded using radix 64.
Encrypted-Data content type: This type is used to create an
encrypted form of any content type. Although similar to the enveloped-data
content type, the encrypted-data content type has no recipient. It can be
used to store the encrypted data instead of transmitting it.
The encrypted content is stored without including the key or the
algorithm. The object created is called encrypted data.
Authenticated-Data content type: This type is used to provide
authentication of the data. The object is called authenticated data. The figure
below shows the process.

 Using a pseudorandom generator, a MAC key is generated for each
recipient.
 The MAC key is encrypted with the public key of the recipient.
IP Security
IP Security overview
IPsec refers to a collection of communication rules or protocols used to
establish secure network connections. Internet Protocol (IP) is the common
standard that controls how data is transmitted across the internet. IPsec
enhances the protocol’s security by introducing encryption and
authentication.

Applications of IPsec

IPsec provides the capability to secure communications across a LAN,
across private and public WANs, and across the Internet. Examples of its
use include:

■ Secure branch office connectivity over the Internet: A company can build
a secure virtual private network over the Internet or over a public WAN. This
enables a business to rely heavily on the Internet and reduce its need for
private networks, saving costs and network management overhead.

■ Secure remote access over the Internet: An end user whose system is
equipped with IP security protocols can make a local call to an Internet
Service Provider (ISP) and gain secure access to a company network. This
reduces the cost of toll charges for traveling employees and
telecommuters.

■ Establishing extranet and intranet connectivity with partners: IPsec can
be used to secure communication with other organizations, ensuring
authentication and confidentiality and providing a key exchange
mechanism.

■ Enhancing electronic commerce security: Even though some Web and
electronic commerce applications have built-in security protocols, the use of
IPsec enhances that security. IPsec guarantees that all traffic designated by
the network administrator is both encrypted and authenticated, adding an
additional layer of security to whatever is provided at the application layer.

IPsec Documents
IPsec encompasses three functional areas: authentication,
confidentiality, and key management. The totality of the IPsec specification
is scattered across dozens of RFCs and draft IETF documents.

Architecture: Covers the general concepts, security requirements,
definitions, and mechanisms defining IPsec technology. The current
specification is RFC 4301, Security Architecture for the Internet Protocol.
Authentication Header (AH): AH is an extension header to provide
message authentication. The current specification is RFC 4302, IP
Authentication Header. Because message authentication is provided by
ESP, the use of AH is deprecated. It is included in IPsecv3 for backward
compatibility but should not be used in new applications. We do not discuss
AH in this chapter.
Encapsulating Security Payload (ESP): ESP consists of an
encapsulating header and trailer used to provide encryption or combined
encryption/ authentication. The current specification is RFC 4303, IP
Encapsulating Security Payload (ESP).
Internet Key Exchange (IKE): This is a collection of documents
describing the key management schemes for use with IPsec. The main
specification is RFC 7296, Internet Key Exchange (IKEv2) Protocol, but there
are a number of related RFCs.
Cryptographic algorithms: This category encompasses a large set of
documents that define and describe cryptographic algorithms for
encryption, message authentication, pseudorandom functions (PRFs), and
cryptographic key exchange.

IPsec Services
IPsec provides security services at the IP layer by enabling a system to
select required security protocols, determine the algorithm(s) to use for the
service(s), and put in place any cryptographic keys required to provide the
requested services.
Two protocols are used to provide security: an authentication
protocol designated by the header of the protocol, Authentication
Header (AH); and a combined encryption/authentication protocol
designated by the format of the packet for that protocol,
Encapsulating Security Payload (ESP). IPsec provides the following services:
 Access control
 Connectionless integrity
 Data origin authentication
 Rejection of replayed packets (a form of partial sequence
integrity)
 Confidentiality (encryption)
 Limited traffic flow confidentiality

IP Security Policy
Fundamental to the operation of IPsec is the concept of a security
policy applied to each IP packet that transits from a source to a destination.
IPsec policy is determined primarily by the interaction of two databases, the
security association database (SAD) and the security policy
database (SPD).

Security Associations
A key concept that appears in both the authentication and
confidentiality mechanisms for IP is the security association (SA). An
association is a one-way logical connection between a sender and a
receiver that affords security services to the traffic carried on it.
A security association is uniquely identified by three parameters:
 Security Parameters Index (SPI): A 32-bit unsigned integer
assigned to this SA and having local significance only. The SPI is
carried in AH and ESP headers to enable the receiving system to select
the SA under which a received packet will be processed.
 IP Destination Address: This is the address of the destination
endpoint of the SA, which may be an end-user system or a network
system such as a firewall or router.
 Security Protocol Identifier: This field from the outer IP header
indicates whether the association is an AH or ESP security association.

Security Association Database

In each IPsec implementation, there is a nominal Security Association
Database that defines the parameters associated with each SA.
A security association is normally defined by the following parameters in an
SAD entry.
 Security Parameter Index: A 32-bit value selected by the receiving
end of an SA to uniquely identify the SA. In an SAD entry for an
outbound SA, the SPI is used to construct the packet’s AH or ESP
header. In an SAD entry for an inbound SA, the SPI is used to map
traffic to the appropriate SA.
 Sequence Number Counter: A 32-bit value used to generate the
Sequence Number field in AH or ESP headers.
 Sequence Counter Overflow: A flag indicating whether overflow of
the Sequence Number Counter should generate an auditable event
and prevent further transmission of packets on this SA (required for all
implementations).
 Anti-Replay Window: Used to determine whether an inbound AH or
ESP packet is a replay.
 AH Information: Authentication algorithm, keys, key lifetimes, and
related parameters being used with AH (required for AH
implementations).
 ESP Information: Encryption and authentication algorithm, keys,
initialization values, key lifetimes, and related parameters being used
with ESP (required for ESP implementations).
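The three sequence-number parameters of an SAD entry are easiest to understand in code. The Python below is an added example, not from the notes or from any IPsec implementation: an outbound Sequence Number Counter that refuses to wrap its 32-bit value and records an auditable event, as the Sequence Counter Overflow flag requires, and a receiver-side Anti-Replay Window kept as a 64-bit bitmap in the style RFC 4303 describes. The list of received sequence numbers in the demo is constructed input.

```python
"""Sequence-counter overflow check and sliding anti-replay window for one IPsec SA."""


class OutboundSA:
    """Sequence Number Counter with the Sequence Counter Overflow behaviour."""
    MAX_SEQ = 2**32 - 1                 # width of the Sequence Number field in AH/ESP

    def __init__(self):
        self.counter = 0                # last sequence number sent; first packet gets 1
        self.audit_log = []             # auditable events raised by this SA

    def next_seq(self):
        """Return the next sequence number, or None once the counter would wrap."""
        if self.counter >= self.MAX_SEQ:
            self.audit_log.append("sequence counter overflow: SA must be re-keyed")
            return None                 # no further packets may be sent on this SA
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Receiver window of `size` packets; bit i of the bitmap set = seq (last - i) seen."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0                   # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        """True (and seq recorded) if seq is new and inside the window, else False."""
        if seq == 0:
            return False                # 0 is never a valid AH/ESP sequence number
        if seq > self.last:             # newer than anything seen: slide the window right
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        if self.last - seq >= self.size:
            return False                # older than the window: cannot judge, drop it
        bit = 1 << (self.last - seq)
        if self.bitmap & bit:
            return False                # already seen inside the window: replay
        self.bitmap |= bit              # late but genuine: mark it as seen
        return True


def replay_check_trace(seqs, size=64):
    """Feed received sequence numbers through one window; returns (seq, accepted) pairs."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, one late, one replayed, then a big jump.
    for seq, accepted in replay_check_trace([1, 2, 3, 5, 4, 3, 70, 6, 7]):
        print(seq, "accepted" if accepted else "dropped")
```

With the constructed trace, 1, 2, 3 and 5 advance the window; 4 arrives late but inside it and is accepted; the second 3 is a replay; 70 slides the window so far that 6 now falls outside the 64-packet range and is dropped, while 7 is still inside and accepted.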

Security Policy Database

The following selectors determine an SPD entry:
 Remote IP Address: This may be a single IP address, an enumerated
list or range of addresses, or a wildcard (mask) address. The latter two
are required to support more than one destination system sharing the
same SA (e.g., behind a firewall).
 Local IP Address: This may be a single IP address, an enumerated
list or range of addresses, or a wildcard (mask) address. The latter two
are required to support more than one source system sharing the
same SA (e.g., behind a firewall).
 Name: A user identifier from the operating system. This is not a field
in the IP or upper-layer headers but is available if IPsec is running on
the same operating system as the user.
 Local and Remote Ports: These may be individual TCP or UDP port
values, an enumerated list of ports, or a wildcard port.
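The selectors above become a lookup once written out. The Python below is an added illustration, not from the notes or from any IPsec stack: each SPD entry carries selectors that may be a single address, a mask (CIDR), a range, an enumerated list or a wildcard, the ordered SPD is searched for the first entry that matches a packet, and the entry's action is returned using the RFC 4301 action names DISCARD, BYPASS and PROTECT. The sample policy, the documentation-range addresses and the port numbers are constructed.

```python
"""Matching a packet against Security Policy Database (SPD) selectors."""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"      # wildcard selector value (a convention chosen for this example)


def _match_addr(selector, addr):
    """selector: ANY, one address, a CIDR/mask, a 'lo-hi' range, or a list of those."""
    if selector == ANY:
        return True
    if isinstance(selector, (list, tuple)):             # enumerated list
        return any(_match_addr(s, addr) for s in selector)
    ip = ipaddress.ip_address(addr)
    if "-" in selector:                                  # explicit range
        lo, hi = (ipaddress.ip_address(x.strip()) for x in selector.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(selector, strict=False)   # single address or mask


def _match_port(selector, port):
    """selector: ANY, one port, or an enumerated list of ports."""
    if selector == ANY:
        return True
    if isinstance(selector, (list, tuple)):
        return port in selector
    return port == selector


@dataclass
class SPDEntry:
    remote: object = ANY          # Remote IP Address selector
    local: object = ANY           # Local IP Address selector
    remote_port: object = ANY
    local_port: object = ANY
    protocol: object = ANY        # transport protocol (tcp/udp/...)
    user: object = ANY            # Name selector: OS user id, only known on the host itself
    action: str = "DISCARD"       # DISCARD | BYPASS | PROTECT (RFC 4301 names)
    sa_params: dict = field(default_factory=dict)   # how to protect, when action is PROTECT

    def matches(self, pkt):
        return (_match_addr(self.remote, pkt["remote"])
                and _match_addr(self.local, pkt["local"])
                and _match_port(self.remote_port, pkt["remote_port"])
                and _match_port(self.local_port, pkt["local_port"])
                and (self.protocol == ANY or self.protocol == pkt["protocol"])
                and (self.user == ANY or self.user == pkt.get("user")))


def lookup(spd, pkt):
    """The SPD is ordered: the first matching entry decides. No match means DISCARD."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return SPDEntry(action="DISCARD")


# Constructed sample policy: protect branch-office traffic, let DNS to the local
# resolver through in the clear, protect admin/HTTPS from a partner range, drop the rest.
SAMPLE_SPD = [
    SPDEntry(remote="203.0.113.0/24", local="192.0.2.0/24", protocol="tcp",
             action="PROTECT", sa_params={"protocol": "ESP", "mode": "tunnel"}),
    SPDEntry(remote="192.0.2.53", remote_port=53, protocol="udp", action="BYPASS"),
    SPDEntry(remote="198.51.100.10-198.51.100.20", local_port=[22, 443], protocol="tcp",
             action="PROTECT", sa_params={"protocol": "ESP", "mode": "transport"}),
]


def decide(pkt, spd=SAMPLE_SPD):
    """Return the action the policy prescribes for one packet described as a dict."""
    return lookup(spd, pkt).action


if __name__ == "__main__":
    pkt = {"remote": "203.0.113.7", "local": "192.0.2.10",
           "remote_port": 8080, "local_port": 40000, "protocol": "tcp"}
    print(decide(pkt), lookup(SAMPLE_SPD, pkt).sa_params)
```

Order matters: a broad BYPASS entry placed before a PROTECT entry would silently exempt traffic, which is why the fall-through result is DISCARD rather than BYPASS.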
