CNS Notes

Uploaded by

Sathish Koppoju

LECTURE NOTES

ON

CRYPTOGRAPHY AND NETWORK SECURITY

III B. Tech II semester


SYLLABUS

UNIT – I
Security Concepts: Introduction, The need for security, Security approaches, Principles
of security, Types of Security attacks, Security services, Security Mechanisms, A model
for Network Security

Cryptography Concepts and Techniques: Introduction, plain text and cipher text,
substitution techniques, transposition techniques, encryption and decryption, symmetric
and asymmetric key cryptography, steganography, key range and key size, possible types
of attacks.

UNIT – II
Symmetric key Ciphers: Block Cipher principles, DES, AES, Blowfish, RC5, IDEA,
Block cipher operation, Stream ciphers, RC4.

Asymmetric key Ciphers: Principles of public key cryptosystems, RSA algorithm,
Elgamal Cryptography, Diffie-Hellman Key Exchange, Knapsack Algorithm.

UNIT – III
Cryptographic Hash Functions: Message Authentication, Secure Hash Algorithm
(SHA- 512), Message authentication codes: Authentication requirements, HMAC,
CMAC, Digital signatures, Elgamal Digital Signature Scheme.

Key Management and Distribution: Symmetric Key Distribution Using Symmetric &
Asymmetric Encryption, Distribution of Public Keys, Kerberos, X.509 Authentication
Service, Public – Key Infrastructure
UNIT – IV
Transport-level Security: Web security considerations, Secure Socket Layer and
Transport Layer Security, HTTPS, Secure Shell (SSH)
Wireless Network Security: Wireless Security, Mobile Device Security, IEEE 802.11
Wireless LAN, IEEE 802.11i Wireless LAN Security

UNIT – V
E-Mail Security: Pretty Good Privacy, S/MIME
IP Security: IP Security overview, IP Security architecture, Authentication Header,
Encapsulating security payload, Combining security associations, Internet Key Exchange
Case Studies on Cryptography and security: Secure Multiparty Calculation, Virtual
Elections, Single sign On, Secure Inter-branch Payment Transactions, Cross site
Scripting Vulnerability.

TEXT BOOKS:
Cryptography and Network Security - Principles and Practice: William Stallings, Pearson
Education, 6th Edition

Cryptography and Network Security: Atul Kahate, Mc Graw Hill, 3rd Edition

REFERENCE BOOKS:
Cryptography and Network Security: C K Shyamala, N Harini, Dr T R Padmanabhan,
Wiley India, 1st Edition.

Cryptography and Network Security: Forouzan Mukhopadhyay, Mc Graw Hill, 3rd Edition.

Information Security, Principles, and Practice: Mark Stamp, Wiley India.

Principles of Computer Security: Wm. Arthur Conklin, Greg White, TMH.

Introduction to Network Security: Neal Krawetz, CENGAGE Learning.

INDEX

S.NO   CONTENTS                                              PAGE NO

1.     UNIT-1
       1.1   INTRODUCTION                                     1
       1.2   ASPECTS OF SECURITY                              2
       1.3   SECURITY SERVICES                                3
       1.4   SECURITY MECHANISMS                              3
       1.5   SECURITY ATTACKS                                 5
       1.6   BASIC CONCEPTS                                   8
       1.7   CRYPTOGRAPHY                                     9
       1.8   A MODEL FOR NETWORK SECURITY                     10
       1.9   CONVENTIONAL ENCRYPTION                          12
       1.10  CLASSICAL ENCRYPTION TECHNIQUES                  14
       1.11  STEGANOGRAPHY                                    20
       1.12  KEY RANGE AND KEY SIZE                           21
       1.13  POSSIBLE TYPES OF ATTACKS                        22
2.     UNIT-2
       2.1   BLOCK CIPHER PRINCIPLES                          26
       2.2   DES                                              30
       2.3   AES                                              36
       2.4   BLOWFISH                                         40
       2.5   IDEA                                             43
       2.6   BLOCK CIPHER MODES OF OPERATION                  47
       2.7   STREAM CIPHER                                    55
       2.8   RC4                                              57
       2.9   RC5                                              63
       2.10  RSA                                              66
       2.11  THE ELGAMAL PUBLIC KEY ALGORITHM                 70
       2.12  DIFFIE-HELLMAN KEY EXCHANGE                      72
3.     UNIT-3
       3.1   MAC                                              76
       3.2   SHA                                              79
       3.3   AUTHENTICATION REQUIREMENTS                      84
       3.4   HMAC                                             84
       3.5   CMAC                                             88
       3.6   DIGITAL SIGNATURES                               90
       3.7   ELGAMAL SIGNATURE SCHEME                         93
       3.8   SYMMETRIC KEY ENCRYPTION USING SYMMETRIC
             AND ASYMMETRIC                                   96
       3.9   KERBEROS                                         100
       3.10  X.509 AUTHENTICATION SERVICE                     106
       3.11  AUTHENTICATION PROCEDURES                        109
       3.12  PKI                                              110
4.     UNIT-4
       4.1   WEB CONSIDERATIONS                               116
       4.2   SSL                                              119
       4.3   TLS                                              128
       4.4   HTTPS                                            129
       4.5   SSH                                              131
       4.6   MOBILE DEVICE SECURITY                           136
       4.7   IEEE 802.11 WIRELESS LAN                         137
5.     UNIT-5
       5.1   PGP                                              145
       5.2   S/MIME                                           156
       5.3   IP SECURITY OVERVIEW                             161
       5.4   IP SECURITY ARCHITECTURE                         163
       5.5   SECURITY ASSOCIATIONS                            165
       5.6   TRANSPORT AND TUNNEL MODE                        167
       5.7   AUTHENTICATION HEADER                            167
       5.8   ENCAPSULATING SECURITY PAYLOAD                   172
       5.9   BASIC COMBINATIONS OF SECURITY ASSOCIATIONS      173
       5.10  INTERNET KEY EXCHANGE (IKE)                      177
       5.11  KEY MANAGEMENT                                   178
       5.12  SECURE INTER-BRANCH PAYMENT TRANSACTIONS         186
       5.13  SECURE MULTI-PARTY COMPUTATION                   190
       5.14  CROSS SITE VULNERABILITY                         192
6.     UNIT-WISE IMPORTANT QUESTIONS                          194
7.     UNIT-WISE MULTIPLE QUESTIONS                           196
8.     TUTORIAL QUESTIONS                                     206
9.     ASSIGNMENT QUESTIONS                                   209
10.    MID QUESTION PAPERS                                    213
11.    PREVIOUS PAPERS                                        215


Cryptography And Network Security Department of CSE

UNIT - I

1.INTRODUCTION

Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings. Once the data is out of hand, people with bad intention
could modify or forge your data, either for amusement or for their own benefit.

Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by modern
mathematics that protects our data in powerful ways.

Computer Security - generic name for the collection of tools designed to protect data and
to thwart hackers
Network Security - measures to protect data during their transmission
Internet Security - measures to protect data during their transmission over a collection of
interconnected networks.

1.1 WHY WE NEED INFORMATION SECURITY?

Because there are threats

Threats

A threat is an object, person, or other entity that represents a constant danger to an asset.

The 2007 CSI survey (494 computer security practitioners):

46% suffered security incidents
29% reported to law enforcement
Average annual loss: $350,424
1/5 suffered a 'targeted attack'

The source of the greatest financial losses?
Most prevalent security problem:
Insider abuse of network access
Email

VBIT Page 1

Threat Categories

Acts of human error or failure
Compromises to intellectual property
Deliberate acts of espionage or trespass
Deliberate acts of information extortion
Deliberate acts of sabotage or vandalism
Deliberate acts of theft
Deliberate software attacks
Forces of nature
Deviations in quality of service
Technical hardware failures or errors
Technical software failures or errors
Technological obsolescence

1.2 ASPECTS OF SECURITY

Consider three aspects of information security:


Security Attack
Security Mechanism
Security Service

SECURITY ATTACKS, SERVICES AND MECHANISMS

To assess the security needs of an organization effectively, the manager responsible for
security needs some systematic way of defining the requirements for security and
characterization of approaches to satisfy those requirements. One approach is to consider
three aspects of information security:

Security attack – Any action that compromises the security of information owned by an
organization.

Security mechanism – A mechanism that is designed to detect, prevent or recover from a
security attack.


Security service – A service that enhances the security of the data processing systems and
the information transfers of an organization. The services are intended to counter security
attacks and they make use of one or more security mechanisms to provide the service.

1.3 SECURITY SERVICES

The classification of security services is as follows:

Confidentiality: Ensures that the information in a computer system and transmitted
information are accessible only for reading by authorized parties. This type of access
includes printing, displaying and other forms of disclosure.

Authentication: Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false.

Integrity: Ensures that only authorized parties are able to modify computer system assets
and transmitted information. Modification includes writing, changing status, deleting,
creating and delaying or replaying of transmitted messages.

Non repudiation: Requires that neither the sender nor the receiver of a message be able to
deny the transmission.

Access control: Requires that access to information resources may be controlled by or for
the target system.

Availability: Requires that computer system assets be available to authorized parties when
needed.

1.4 SECURITY MECHANISMS

One of the most specific security mechanisms in use is cryptographic techniques.
Encryption or encryption-like transformations of information are the most common means
of providing security. Some of the mechanisms are:

Encipherment
Digital Signature
Access Control

According to X.800, the security mechanisms are divided into those implemented in a
specific protocol layer and those that are not specific to any particular protocol layer or
security service. X.800 also differentiates reversible and irreversible encipherment
mechanisms. A reversible encipherment mechanism is simply an encryption algorithm that
allows data to be encrypted and subsequently decrypted, whereas irreversible encipherment
includes hash algorithms and message authentication codes used in digital signature and
message authentication applications.

Specific Security Mechanisms

These are incorporated into the appropriate protocol layer in order to provide some of the
OSI security services.

Encipherment: The process of applying mathematical algorithms to convert data into a form
that is not intelligible. The transformation depends on the algorithm used and on the
encryption keys.

Digital Signature: Data appended to, or a cryptographic transformation applied to, a data
unit that allows the source and integrity of the data unit to be proved and protects against
forgery.

Access Control: A variety of techniques used for enforcing access permissions to the
system resources.

Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream
of data units.

Authentication Exchange: A mechanism intended to ensure the identity of an entity by
means of information exchange.

Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts.

Routing Control: Enables selection of particular physically secure routes for certain data
and allows routing changes once a breach of security is suspected.

Notarization: The use of a trusted third party to assure certain properties of a data
exchange.

Pervasive Security Mechanisms

These are not specific to any particular OSI security service or protocol layer.

Trusted Functionality: That which is perceived to be correct with respect to some criteria.

Security Level: The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.

Event Detection: The process of detecting all the events related to network security.

Security Audit Trail: Data collected and potentially used to facilitate a security audit,
which is an independent review and examination of system records and activities.

Security Recovery: Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.

1.5 SECURITY ATTACKS

There are four general categories of attack, which are listed below.

Interruption

An asset of the system is destroyed or becomes unavailable or unusable. This is an attack
on availability, e.g., destruction of a piece of hardware, cutting of a communication line or
disabling of the file management system.

Interception

An unauthorized party gains access to an asset. This is an attack on confidentiality. The
unauthorized party could be a person, a program or a computer, e.g., wire tapping to capture
data in the network, illicit copying of files.


Modification

An unauthorized party not only gains access to but tampers with an asset. This is an attack
on integrity, e.g., changing values in a data file, altering a program, modifying the contents
of messages being transmitted in a network.

Fabrication

An unauthorized party inserts counterfeit objects into the system. This is an attack on
authenticity. e.g., insertion of spurious message in a network or addition of records to a file.

CRYPTOGRAPHIC ATTACKS

PASSIVE ATTACKS

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The
goal of the opponent is to obtain information that is being transmitted. Passive attacks are
of two types:

Release of message contents: A telephone conversation, an e-mail message and a
transferred file may contain sensitive or confidential information. We would like to prevent
the opponent from learning the contents of these transmissions.


Traffic analysis: If we had encryption protection in place, an opponent might still be able
to observe the pattern of the message. The opponent could determine the location and
identity of communication hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of
communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of
data. However, it is feasible to prevent the success of these attacks.

ACTIVE ATTACKS

These attacks involve some modification of the data stream or the creation of a false stream.
These attacks can be classified into four categories:

Masquerade – One entity pretends to be a different entity.

Replay – Involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.

Modification of messages – Some portion of a legitimate message is altered, or messages
are delayed or reordered, to produce an unauthorized effect.

Denial of service – Prevents or inhibits the normal use or management of communication
facilities. Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade performance.

It is quite difficult to prevent active attacks absolutely, because to do so would require
physical protection of all communication facilities and paths at all times. Instead, the goal
is to detect them and to recover from any disruption or delays caused by them.

1.6 BASIC CONCEPTS

Cryptography – The art or science encompassing the principles and methods of transforming
an intelligible message into one that is unintelligible, and then retransforming that message
back to its original form.

Plaintext – The original intelligible message.

Cipher text – The transformed message.

Cipher – An algorithm for transforming an intelligible message into one that is unintelligible
by transposition and/or substitution methods.

Key – Some critical information used by the cipher, known only to the sender and receiver.

Encipher (encode) – The process of converting plaintext to cipher text using a cipher and a
key.

Decipher (decode) – The process of converting cipher text back into plaintext using a cipher
and a key.

Cryptanalysis – The study of principles and methods of transforming an unintelligible
message back into an intelligible message without knowledge of the key. Also called code
breaking.

Cryptology – Both cryptography and cryptanalysis.

Code – An algorithm for transforming an intelligible message into an unintelligible one using
a code-book.

1.7 CRYPTOGRAPHY

Cryptographic systems are generally classified along 3 independent dimensions:

Type of operations used for transforming plain text to cipher text

All the encryption algorithms are based on two general principles: substitution, in which
each element in the plaintext is mapped into another element, and transposition, in which
elements in the plaintext are rearranged.

The number of keys used

If the sender and receiver use the same key, then it is said to be symmetric key (or) single
key (or) conventional encryption.

If the sender and receiver use different keys, then it is said to be public key encryption.

The way in which the plain text is processed

A block cipher processes the input one block of elements at a time, producing an output
block for each input block. A stream cipher processes the input elements continuously,
producing output one element at a time, as it goes along.

CRYPTANALYSIS

The process of attempting to discover X or K or both is known as cryptanalysis. The strategy
used by the cryptanalyst depends on the nature of the encryption scheme and the
information available to the cryptanalyst.


There are various types of cryptanalytic attacks based on the amount of information
known to the cryptanalyst.

Cipher text only – A copy of cipher text alone is known to the cryptanalyst.

Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding
plaintext.

Chosen plaintext – The cryptanalyst gains temporary access to the encryption machine.
They cannot open it to find the key; however, they can encrypt a large number of suitably
chosen plaintexts and try to use the resulting cipher texts to deduce the key.

Chosen cipher text – The cryptanalyst obtains temporary access to the decryption machine,
uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.

SYMMETRIC AND PUBLIC KEY ALGORITHMS

Encryption/Decryption methods fall into two categories:

Symmetric key
Public key

In symmetric key algorithms, the encryption and decryption keys are known to both sender
and receiver. The encryption key is shared and the decryption key is easily calculated from
it. In many cases, the encryption and decryption keys are the same.

In public key cryptography, the encryption key is made public, but it is computationally
infeasible to find the decryption key without the information known to the receiver.

1.8 A MODEL FOR NETWORK SECURITY


A message is to be transferred from one party to another across some sort of internet. The
two parties, who are the principals in this transaction, must cooperate for the exchange to
take place. A logical information channel is established by defining a route through the
internet from source to destination and by the cooperative use of communication protocols
(e.g., TCP/IP) by the two principals.

Using this model requires us to:

– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret
  information for a security service

MODEL FOR NETWORK ACCESS SECURITY

Using this model requires us to:

– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorized users access designated
  information or resources

Trusted computer systems can be used to implement this model.


1.9 CONVENTIONAL ENCRYPTION

Also referred to as conventional / private-key / single-key encryption.

Sender and recipient share a common key.

All classical encryption algorithms are private-key; it was the only type prior to the
invention of public-key cryptography in the 1970s.

Some basic terminologies used:

plaintext - the original message
cipher text - the coded message
cipher - algorithm for transforming plaintext to cipher text
key - info used in the cipher, known only to sender/receiver
encipher (encrypt) - converting plaintext to cipher text
decipher (decrypt) - recovering plaintext from cipher text
cryptography - study of encryption principles/methods
cryptanalysis (code breaking) - the study of principles/methods of deciphering cipher text
without knowing the key
cryptology - the field of both cryptography and cryptanalysis

Here the original message, referred to as plaintext, is converted into apparently random
nonsense, referred to as cipher text. The encryption process consists of an algorithm and a
key. The key is a value independent of the plaintext. Changing the key changes the
output of the algorithm. Once the cipher text is produced, it may be transmitted. Upon
reception, the cipher text can be transformed back to the original plaintext by using a
decryption algorithm and the same key that was used for encryption. The security depends
on several factors. First, the encryption algorithm must be powerful enough that it is
impractical to decrypt a message on the basis of cipher text alone. Beyond that, the security
depends on the secrecy of the key, not the secrecy of the algorithm.

Two requirements for secure use of symmetric encryption:

– a strong encryption algorithm
– a secret key known only to sender/receiver

Y = EK(X)
X = DK(Y)

Assume the encryption algorithm is known; this implies that a secure channel is needed to
distribute the key.

A source produces a message in plaintext, X = [X1, X2, ..., XM], where M is the number of
letters in the message. A key of the form K = [K1, K2, ..., KJ] is generated. If the key is
generated at the source, then it must be provided to the destination by means of some secure
channel.

With the message X and the encryption key K as input, the encryption algorithm forms the
cipher text Y = [Y1, Y2, ..., YN]. This can be expressed as

Y = EK(X)

The intended receiver, in possession of the key, is able to invert the transformation:

X = DK(Y)

If the opponent is interested in only this particular message, then the focus of effort is to
recover X by generating a plaintext estimate. Often, the opponent is interested in being
able to read future messages as well, in which case an attempt is made to recover K by
generating an estimate of the key.


1.10 CLASSICAL ENCRYPTION TECHNIQUES

There are two basic building blocks of all encryption techniques: substitution and
transposition.

SUBSTITUTION TECHNIQUES

A substitution technique is one in which the letters of plaintext are replaced by other letters
or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution
involves replacing plaintext bit patterns with cipher text bit patterns.

Caesar cipher (or) shift cipher

The earliest known use of a substitution cipher and the simplest was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places
further down the alphabet.

e.g., plain text:  pay more money
      cipher text: SDB PRUH PRQHB

Note that the alphabet is wrapped around, so that the letter following 'z' is 'a'. For each
plaintext letter p, substitute the cipher text letter C such that

C = E(p) = (p + 3) mod 26

A shift may be any amount, so that the general Caesar algorithm is

C = E(p) = (p + k) mod 26

where k takes on a value in the range 1 to 25. The decryption algorithm is simply

P = D(C) = (C - k) mod 26
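The general shift cipher above, as an added example in Python (this code is not part of the lecture notes). Letters are mapped to 0..25, the key k is restricted to the key range 1..25 stated above, and anything that is not a letter is passed through unchanged; the output case (upper for cipher text, lower for plaintext) follows the worked example.

```python
# Added example (not from the lecture notes): the general Caesar/shift cipher
# over the 26-letter alphabet, C = E(p) = (p + k) mod 26 and P = D(C) = (C - k) mod 26.
# Characters outside a-z/A-Z (spaces, digits, punctuation) are passed through unchanged.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def shift_letter(ch, k):
    """Shift one character k places, wrapping around so the letter after z is a."""
    low = ch.lower()
    if low not in ALPHABET:
        return ch                      # non-letters are not enciphered
    return ALPHABET[(ALPHABET.index(low) + k) % 26]


def caesar_encrypt(plaintext, k=3):
    """C = (p + k) mod 26 for every letter; output upper-case, as in the worked example."""
    if not 1 <= k <= 25:
        raise ValueError("shift k must lie in the key range 1..25")
    return "".join(shift_letter(ch, k) for ch in plaintext).upper()


def caesar_decrypt(ciphertext, k=3):
    """P = (C - k) mod 26 for every letter; output lower-case."""
    if not 1 <= k <= 25:
        raise ValueError("shift k must lie in the key range 1..25")
    return "".join(shift_letter(ch, -k) for ch in ciphertext).lower()


def roundtrip_holds(message):
    """Check that decryption inverts encryption for every key in the key range."""
    return all(caesar_decrypt(caesar_encrypt(message, k), k) == message.lower()
               for k in range(1, 26))


if __name__ == "__main__":
    # Worked example from the notes: "pay more money" with the classic shift of 3.
    ct = caesar_encrypt("pay more money")
    print(ct)                          # SDB PRUH PRQHB
    print(caesar_decrypt(ct))          # pay more money
    print(roundtrip_holds("meet me at the school house"))
```

Because the whole key range is only 25 values, the `roundtrip_holds` loop also shows how little work an opponent has to do: it is the same loop with the check replaced by a look at each candidate plaintext.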

PLAYFAIR CIPHER

The best known multiple-letter encryption cipher is the Playfair, which treats digrams in the
plaintext as single units and translates these units into cipher text digrams. The Playfair
algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword. Let the
keyword be 'monarchy'. The matrix is constructed by filling in the letters of the keyword (minus
duplicates) from left to right and from top to bottom, and then filling in the remainder of
the matrix with the remaining letters in alphabetical order.

The letters 'i' and 'j' count as one letter. Plaintext is encrypted two letters at a time
according to the following rules:

Repeating plaintext letters that would fall in the same pair are separated with a filler letter
such as 'x'.

Plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row circularly following the last.

Plaintext letters that fall in the same column are each replaced by the letter beneath, with the
top element of the column circularly following the last.

Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the
column occupied by the other plaintext letter.

M O N  A  R
C H Y  B  D
E F G I/J K
L P Q  S  T
U V W  X  Z

Plaintext = meet me at the school house

Splitting into two-letter units => me et me at th es ch ox ol ho us ex

Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU
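The Playfair procedure above, as an added Python example (not code from the lecture notes): the 5x5 square is built from the keyword, the plaintext is split into digrams with the filler rules, and the three placement rules are applied; decryption is the same walk with the shift reversed. Running it on the notes' plaintext with keyword 'monarchy' reproduces the cipher text digrams above except for the pair 'ho', where the column rule as stated (each letter replaced by the one beneath it) gives FH.

```python
# Added example (not from the lecture notes): Playfair encryption and decryption
# using a 5x5 key square built from a keyword, applying the pairing rules stated
# above. i and j share one cell and 'x' is the filler letter.

def build_square(keyword):
    """25 letters, row-major: keyword letters without duplicates, then the rest of
    the alphabet in order, with j merged into i."""
    square = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in square:
            square.append(ch)
    return square                      # always 25 entries


def prepare_digrams(plaintext):
    """Drop non-letters, merge j into i, then split into pairs: a repeated letter
    inside a pair is separated by the filler 'x' (or 'q' if the letter is x itself)
    and a trailing single letter is padded with 'x'."""
    letters = ["i" if c == "j" else c for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:
            pairs.append(a + ("x" if a != "x" else "q"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(pairs, square, step):
    """step=+1 applies the encryption rules, step=-1 the inverse (shift left / up)."""
    pos = {ch: divmod(idx, 5) for idx, ch in enumerate(square)}

    def at(r, c):                      # wrap around the edges of the square
        return square[(r % 5) * 5 + (c % 5)]

    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                   # same row: letter to the right (left when decrypting)
            out.append(at(ra, ca + step) + at(rb, cb + step))
        elif ca == cb:                 # same column: letter beneath (above when decrypting)
            out.append(at(ra + step, ca) + at(rb + step, cb))
        else:                          # rectangle: own row, other letter's column
            out.append(at(ra, cb) + at(rb, ca))
    return "".join(out)


def playfair_encrypt(plaintext, keyword):
    return _transform(prepare_digrams(plaintext), build_square(keyword), +1).upper()


def playfair_decrypt(ciphertext, keyword):
    ct = [c for c in ciphertext.lower() if c.isalpha()]
    pairs = [ct[i] + ct[i + 1] for i in range(0, len(ct) - 1, 2)]
    return _transform(pairs, build_square(keyword), -1)


if __name__ == "__main__":
    print(" ".join(prepare_digrams("meet me at the school house")))
    ct = playfair_encrypt("meet me at the school house", "monarchy")
    print(ct)                                   # CLKLCLRSPDILHYAVMPFHXLIU
    print(playfair_decrypt(ct, "monarchy"))     # meetmeattheschoxolhousex
```

Decryption returns the padded text with the filler letters still in place; removing them is a job for the reader of the message, since the cipher cannot tell a filler 'x' from a real one.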


Strength of playfair cipher

The Playfair cipher is a great advance over simple monoalphabetic ciphers.

Since there are 26 letters, 26x26 = 676 digrams are possible, so identification of individual
digrams is more difficult.

POLYALPHABETIC CIPHERS

Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plaintext message. The general
name for this approach is polyalphabetic cipher. All the techniques have the following
features in common:

A set of related monoalphabetic substitution rules are used

A key determines which particular rule is chosen for a given transformation.

Vigenere cipher

In this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar
ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, e.g., the Caesar
cipher with a shift of 3 is denoted by the key letter 'd' (since a=0, b=1, c=2 and so on).
To aid in understanding the scheme, a matrix known as the Vigenere tableau is constructed.
Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its
left. A normal alphabet for the plaintext runs across the top.

                        PLAIN TEXT
         a b c d e f g h i j k ... x y z
K    a   A B C D E F G H I J K ... X Y Z
E    b   B C D E F G H I J K L ... Y Z A
Y    c   C D E F G H I J K L M ... Z A B
     d   D E F G H I J K L M N ... A B C
L    e   E F G H I J K L M N O ... B C D
E    f   F G H I J K L M N O P ... C D E
T    g   G H I J K L M N O P Q ... D E F
T    :   : : : : : : : : : : : ... : : :
E    x   X Y Z A B C D E F G H ... U V W
R    y   Y Z A B C D E F G H I ... V W X
     z   Z A B C D E F G H I J ... W X Y

Encryption is simple: given a key letter x and a plaintext letter y, the cipher text letter is at
the intersection of the row labeled x and the column labeled y; in this case, the cipher text is
V.

To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword.

e.g., key = deceptivedeceptivedeceptive
      PT  = wearediscoveredsaveyourself
      CT  = ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Decryption is equally simple. The key letter again identifies the row. The position of the
cipher text letter in that row determines the column, and the plaintext letter is at the top of
that column.

Strength of Vigenere cipher

There are multiple cipher text letters for each plain text letter.
Letter frequency information is obscured.
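The Vigenere tableau, its arithmetic form and the strength claim above, as an added Python example (not code from the lecture notes). Row i of the tableau is the alphabet shifted by i, so looking up row x, column y is the same as computing (p + k) mod 26; the function `cipher_letters_for` (a name chosen for this example) lists every cipher text letter that one plaintext letter is sent to under a given keyword, which is what hides the single-letter frequencies.

```python
# Added example (not from the lecture notes): the Vigenere cipher both as a tableau
# lookup (row = key letter, column = plaintext letter) and as the equivalent
# arithmetic C = (p + k) mod 26, with the keyword repeated to the message length.

A = "abcdefghijklmnopqrstuvwxyz"
# Row i of the tableau is the alphabet rotated left by i: the Caesar cipher with key letter A[i].
TABLEAU = [A[i:] + A[:i] for i in range(26)]


def tableau_lookup(key_letter, plain_letter):
    """Cipher letter at the intersection of the row labelled key_letter and the
    column labelled plain_letter."""
    return TABLEAU[A.index(key_letter)][A.index(plain_letter)]


def _letters(text):
    return [c for c in text.lower() if c in A]


def vigenere_encrypt(plaintext, keyword):
    pt, kw = _letters(plaintext), _letters(keyword)
    out = []
    for i, p in enumerate(pt):
        k = kw[i % len(kw)]                       # keyword repeats: d e c e p t i v e d e c ...
        c = A[(A.index(p) + A.index(k)) % 26]
        assert c == tableau_lookup(k, p)          # arithmetic form agrees with the tableau
        out.append(c)
    return "".join(out).upper()


def vigenere_decrypt(ciphertext, keyword):
    ct, kw = _letters(ciphertext), _letters(keyword)
    return "".join(A[(A.index(c) - A.index(kw[i % len(kw)])) % 26]
                   for i, c in enumerate(ct))


def cipher_letters_for(plaintext, keyword, letter):
    """Set of cipher text letters that one plaintext letter is mapped to; more than
    one shows why single-letter frequency analysis is obscured."""
    pt, ct = _letters(plaintext), vigenere_encrypt(plaintext, keyword)
    return {ct[i] for i, p in enumerate(pt) if p == letter}


if __name__ == "__main__":
    print(tableau_lookup("x", "y"))                                   # v
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct)                                                         # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere_decrypt(ct, "deceptive"))                          # wearediscoveredsaveyourself
    print(sorted(cipher_letters_for("wearediscoveredsaveyourself", "deceptive", "e")))
```

The plaintext letter 'e' occurs six times in the worked example and is sent to five different cipher text letters, whereas a monoalphabetic cipher would always send it to the same one.
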
One Time Pad Cipher


It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s. This
can be accomplished by writing all numbers in binary, for example, or by using ASCII. The
key is a random sequence of 0's and 1's of the same length as the message. Once a key is
used, it is discarded and never used again. The system can be expressed as follows:

Ci = Pi ⊕ Ki

where Ci is the ith binary digit of the cipher text, Pi is the ith binary digit of the plaintext,
Ki is the ith binary digit of the key, and ⊕ is the exclusive OR operation.

Thus the cipher text is generated by performing the bitwise XOR of the plaintext and the
key. Decryption uses the same key. Because of the properties of XOR, decryption simply
involves the same bitwise operation:

Pi = Ci ⊕ Ki

e.g., plaintext  = 0 0 1 0 1 0 0 1
      key        = 1 0 1 0 1 1 0 0
      -----------------------------
      ciphertext = 1 0 0 0 0 1 0 1

Advantage:

Encryption method is completely unbreakable for a ciphertext only attack.

Disadvantages:

It requires a very long key which is expensive to produce and expensive to transmit.

Once a key is used, it is dangerous to reuse it for a second message; any knowledge on the
first message would give knowledge of the second.
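The one-time pad and its two disadvantages, as an added Python example (not code from the lecture notes). The pad is drawn from the operating system's random source through the standard `secrets` module, the XOR step is the same function in both directions, and `key_reuse_leak` (a name chosen for this example) shows concretely what the second disadvantage means: XORing two cipher texts made with the same pad cancels the pad and leaves the XOR of the two plaintexts. The sample messages are constructed for the example.

```python
# Added example (not from the lecture notes): one-time pad over bytes,
# C_i = P_i XOR K_i and P_i = C_i XOR K_i, plus a check of the key-reuse weakness
# described above. The pad comes from the OS random source via the secrets module.
import secrets


def otp_xor(data, key):
    """Bitwise XOR of two equal-length byte strings; used for both directions."""
    if len(key) != len(data):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def generate_pad(length):
    """A fresh random pad; it must be used once and then discarded."""
    return secrets.token_bytes(length)


def bits(b):
    """Render bytes as a string of 0s and 1s, for the 8-bit worked example."""
    return "".join(format(x, "08b") for x in b)


def key_reuse_leak(c1, c2):
    """If the same pad encrypts two messages, XORing the cipher texts cancels the
    pad and yields p1 XOR p2: whatever is known about one plaintext then reveals
    the corresponding bits of the other."""
    return otp_xor(c1, c2)


if __name__ == "__main__":
    # Worked example from the notes: 00101001 XOR 10101100 = 10000101.
    ct = otp_xor(bytes([0b00101001]), bytes([0b10101100]))
    print(bits(ct))                                   # 10000101

    msg = b"meet at nine pm"                          # constructed sample message
    pad = generate_pad(len(msg))
    ct = otp_xor(msg, pad)
    print(otp_xor(ct, pad) == msg)                    # True: the same operation decrypts

    # Reusing the pad for a second message of the same length leaks p1 XOR p2.
    msg2 = b"bring the files"                         # constructed sample message
    print(key_reuse_leak(ct, otp_xor(msg2, pad)) == otp_xor(msg, msg2))   # True
```

The length check is the first disadvantage made explicit: every message needs a pad of its own length, generated and delivered in advance, which is why the scheme is rarely practical beyond very short, very valuable traffic.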

TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a cipher text symbol for a
plaintext symbol. A very different kind of mapping is achieved by performing some sort of
permutation on the plaintext letters. This technique is referred to as a transposition cipher.

Rail fence

This is the simplest of such ciphers, in which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows.

Plaintext = meet at the schoolhouse

To encipher this message with a rail fence of depth 2, we write the message as follows:

m e a t e c o l o s
 e t t h s h o h u e

The encrypted message is

MEATECOLOSETTHSHOHUE

Row Transposition Ciphers

A more complex scheme is to write the message in a rectangle, row by row, and read the
message off column by column, but permute the order of the columns. The order of the
columns then becomes the key of the algorithm.

e.g., plaintext = meet at the schoolhouse

CT =ESOTCUEEHMHLAHSTOETO

A pure transposition cipher is easily recognized because it has the same letter frequencies
as the original plaintext. The transposition cipher can be made significantly more secure by
performing more than one stage of transposition. The result is a more complex permutation
that is not easily reconstructed.
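Both transposition ciphers above, as an added Python example (not code from the lecture notes). The rail fence is implemented for any depth, not only the depth 2 of the worked example, and the row transposition takes the column order as its key; the key (3, 0, 2, 1) used below is constructed for this example, since the notes do not state the key behind their row-transposition cipher text. `same_letter_frequencies` checks the recognition property stated in the last paragraph.

```python
# Added example (not from the lecture notes): the two transposition ciphers above.
# Rail fence writes the letters in a zigzag over `depth` rows and reads row by row;
# row transposition writes the message into a rectangle row by row and reads the
# columns in the order given by the key. Key (3, 0, 2, 1) below is constructed.

def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def _rail_rows(n, depth):
    """Row index of each of n letters along the zigzag (depth 2: 0,1,0,1,...)."""
    period = max(2 * (depth - 1), 1)
    rows = []
    for i in range(n):
        r = i % period
        rows.append(r if r < depth else period - r)
    return rows


def rail_fence_encrypt(plaintext, depth=2):
    letters = _letters(plaintext)
    rails = [[] for _ in range(depth)]
    for c, r in zip(letters, _rail_rows(len(letters), depth)):
        rails[r].append(c)
    return "".join("".join(r) for r in rails).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    ct = ciphertext.lower()
    rows = _rail_rows(len(ct), depth)
    # Cut the cipher text back into rails, each as long as its share of the zigzag...
    rails, pos = [], 0
    for r in range(depth):
        n = rows.count(r)
        rails.append(list(ct[pos:pos + n]))
        pos += n
    # ...then walk the zigzag again, taking the next letter from each rail in turn.
    return "".join(rails[r].pop(0) for r in rows)


def row_transposition_encrypt(plaintext, key):
    """key is a permutation of the column indices; columns are read in key order.
    The last row is padded with 'x' so the rectangle is full."""
    letters = _letters(plaintext)
    cols = len(key)
    letters += ["x"] * (-len(letters) % cols)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c] for c in key for row in rows).upper()


def row_transposition_decrypt(ciphertext, key):
    cols, ct = len(key), ciphertext.lower()
    nrows = len(ct) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in key:                                  # refill the columns in key order
        for r in range(nrows):
            grid[r][c] = ct[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def same_letter_frequencies(plaintext, ciphertext):
    """A pure transposition leaves every letter count unchanged, which is what
    makes it easy to recognise."""
    return sorted(_letters(plaintext)) == sorted(ciphertext.lower())


if __name__ == "__main__":
    pt = "meet at the schoolhouse"
    print(rail_fence_encrypt(pt))                              # MEATECOLOSETTHSHOHUE
    print(rail_fence_decrypt(rail_fence_encrypt(pt, 3), 3))    # meetattheschoolhouse
    ct = row_transposition_encrypt(pt, (3, 0, 2, 1))
    print(ct, row_transposition_decrypt(ct, (3, 0, 2, 1)))
    print(same_letter_frequencies(pt, ct))                     # True
```

A second stage of transposition is simply `row_transposition_encrypt` applied to the output of the first, with the same or a different key; the letter counts still match the plaintext, but the positions are scrambled twice.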

1.11 STEGANOGRAPHY

A plaintext message may be hidden in one of two ways. The methods of steganography
conceal the existence of the message, whereas the methods of cryptography render the
message unintelligible to outsiders by various transformations of the text.

A simple form of steganography, but one that is time consuming to construct is one in which
an arrangement of words or letters within an apparently innocuous text spells out the real
message.

e.g., (i) the sequence of first letters of each word of the overall message spells out the real
(hidden) message;
(ii) a subset of the words of the overall message is used to convey the hidden message.

Various other techniques have been used historically, some of them are

Character marking – selected letters of printed or typewritten text are overwritten in pencil.
The marks are ordinarily not visible unless the paper is held at an angle to bright light.

Invisible ink – a number of substances can be used for writing but leave no visible trace
until heat or some chemical is applied to the paper.

Pin punctures – small pin punctures on selected letters are ordinarily not visible unless the
paper is held in front of a light.

Typewritten correction ribbon – used between the lines typed with a black ribbon, the results
of typing with the correction tape are visible only under a strong light.

Drawbacks of steganography

Requires a lot of overhead to hide a relatively few bits of information. Once the system is
discovered, it becomes virtually worthless.

1.12 KEY RANGE AND KEY SIZE

The encrypted message can be attacked, and the cryptanalyst may have the following
information:

The encryption/decryption algorithm
The encrypted message
Key


The attack may be of the following types:

Plaintext-only attack (known-plaintext attack)

Ciphertext-only attack (known-ciphertext attack)

Chosen-plaintext attack

Chosen-ciphertext attack

The simplest type of attack is the brute-force attack, in which every candidate key is tried
until the original message is recovered. A brute-force attack works on the principle of trying
every possible key from the key range. The key range is the set of values a single key may
take, whereas the key size (the number of bits in the key) determines the total number of keys
in that range.

EXHAUSTIVE KEY SEARCH:

Exhaustive key search is the basic tool on the cryptanalyst's side. The procedure becomes
more expensive as the key size, that is the number of key bits, is increased: the time required
for a single trial encryption of the message, and hence for searching the entire key range,
increases accordingly.

All encryption algorithms are judged against two main criteria:

1) The cost of breaking the cipher exceeds the value of the encrypted information.

2) The time required to break the cipher exceeds the useful lifetime of the information.

An encryption scheme is said to be computationally secure if the above criteria are met.
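To make the key-range idea concrete, here is an added example (not from the notes) that runs a known-plaintext exhaustive key search against a deliberately tiny toy XOR cipher, constructed for the example, and computes how the expected search time scales with the key size.

```python
# Toy cipher for the example only (not from the notes, not a real cipher): every
# message byte is XORed with the corresponding byte of a key of `key_bits` bits,
# the key being repeated as often as needed.
def toy_encrypt(key: int, key_bits: int, msg: bytes) -> bytes:
    key_bytes = key.to_bytes(key_bits // 8, "big")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(msg))


def exhaustive_search(key_bits: int, known_plain: bytes, known_cipher: bytes):
    """Known-plaintext exhaustive key search: walk the whole key range
    0 .. 2**key_bits - 1 and return (key, keys_tried) for the first key that
    maps known_plain to known_cipher, or (None, keys_tried) if none does."""
    for key in range(2 ** key_bits):
        if toy_encrypt(key, key_bits, known_plain) == known_cipher:
            return key, key + 1
    return None, 2 ** key_bits


def expected_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Expected time to find the key: on average half the key range is tried
    before the right key comes up, so the cost doubles with every extra key bit."""
    return 2 ** (key_bits - 1) / keys_per_second


if __name__ == "__main__":
    plain = b"attack at dawn"                       # constructed sample
    cipher = toy_encrypt(0xBEEF, 16, plain)         # 16-bit key: 65536 keys
    print(exhaustive_search(16, plain, cipher))     # (48879, 48880)
    for bits in (16, 56, 64, 128):
        print(bits, expected_search_seconds(bits, 1e9))
```

With a 16-bit key the search finishes in a fraction of a second; the `expected_search_seconds` figures for 56, 64 and 128 bits show why each extra key bit doubles the attacker's cost, which is exactly what the two criteria above measure against the value and lifetime of the information.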

1.13 POSSIBLE TYPES OF ATTACKS

Without security measures and controls in place, your data might be subjected to an attack.
Some attacks are passive, meaning information is monitored; others are active, meaning the
information is altered with intent to corrupt or destroy the data or the network itself.


Your networks and data are vulnerable to any of the following types of attacks if you do
not have a security plan in place.

Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext"
format, which allows an attacker who has gained access to data paths in your network to
"listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your
communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to
monitor the network is generally the biggest security problem that administrators face in an
enterprise. Without strong encryption services that are based on cryptography, your data
can be read by others as it traverses the network.

Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can
modify the data in the packet without the knowledge of the sender or receiver. Even if you
do not require confidentiality for all communications, you do not want any of your messages
to be modified in transit. For example, if you are exchanging purchase requisitions, you do
not want the items, amounts, or billing information to be modified.

Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid
entity. In certain cases, it is possible for an IP address to be falsely assumed; this is identity
spoofing. An attacker might also use special programs to construct IP packets that appear
to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute,
or delete your data. The attacker can also conduct other types of attacks, as described in the
following sections.

Password-Based Attacks

A common denominator of most operating system and network security plans is password-
based access control. This means your access rights to a computer and network resources
are determined by who you are, that is, your user name and your password.


Older applications do not always protect identity information as it is passed through the
network for validation. This might allow an eavesdropper to gain access to the network by
posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user.
Therefore, if the user has administrator-level rights, the attacker also can create accounts
for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the
following:

Obtain lists of valid user and computer names and network information.

Modify server and network configurations, including access controls and routing tables.

Modify, reroute, or delete your data.

Denial-of-Service Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your
computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

Randomize the attention of your internal Information Systems staff so that they do not see
the intrusion immediately, which allows the attacker to make more attacks during the
diversion.

Send invalid data to applications or network services, which causes abnormal termination
or behaviour of the applications or services.

Flood a computer or the entire network with traffic until a shutdown occurs because of the
overload.

Block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and
the person with whom you are communicating is actively monitoring, capturing, and
controlling your communication transparently. For example, the attacker can re-route a data
exchange. When computers are communicating at low levels of the network layer, the
computers might not be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your
message. The person on the other end might believe it is you because the attacker might be
actively replying as you to keep the exchange going and gain more information. This attack
is capable of the same damage as an application-layer attack, described later in this section.

Compromised-Key Attack

A key is a secret code or number necessary to interpret secured information. Although
obtaining a key is a difficult and resource-intensive process for an attacker, it is possible.
After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without
the sender or receiver being aware of the attack. With the compromised key, the attacker
can decrypt or modify data, and try to use the compromised key to compute additional keys,
which might allow the attacker access to other secured communications.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer provides a
full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken
open and read unless they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

Analyze your network and gain information to eventually cause your network to crash or
to become corrupted.

Read your communications.

Application-Layer Attack: An application-layer attack targets application servers by
deliberately causing a fault in a server's operating system or applications. This results in
the attacker gaining the ability to bypass normal access controls. The attacker takes
advantage of this situation, gaining control of your application, system, or network, and can
do any of the following:

Read, add, delete, or modify your data or operating system.

Introduce a virus program that uses your computers and software applications to copy
viruses throughout your network.

Introduce a sniffer program to analyze your network and gain information that can
eventually be used to crash or to corrupt your systems and network.

Abnormally terminate your data applications or operating systems.

Disable other security controls to enable future attacks.


UNIT-2

2.1 BLOCK CIPHER PRINCIPLES

Virtually all symmetric block encryption algorithms in current use are based on a structure
referred to as the Feistel block cipher. For that reason, it is important to examine the design
principles of the Feistel cipher. We begin with a comparison of stream ciphers with block
ciphers.

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time,
e.g., the Vigenère cipher. A block cipher is one in which a block of plaintext is treated as a
whole and used to produce a ciphertext block of equal length. Typically a block size of 64
or 128 bits is used.

Most symmetric block ciphers are based on a Feistel cipher structure. This structure is needed
since we must be able to decrypt ciphertext to recover messages efficiently. A block cipher
looks like an extremely large substitution, which would need a table of 2^64 entries for a
64-bit block; instead it is created from smaller building blocks using the idea of a product
cipher. In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P)
networks, the modern form of substitution-transposition product cipher; these form the basis
of modern block ciphers.

S-P networks are based on the two primitive cryptographic operations we have seen before:

substitution (S-box)
permutation (P-box)

These provide confusion and diffusion of the message:

diffusion – dissipates the statistical structure of the plaintext over the bulk of the ciphertext

confusion – makes the relationship between the ciphertext and the key as complex as possible

FEISTEL CIPHER STRUCTURE

The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
The plaintext block is divided into two halves L0 and R0. The two halves of the data pass
through n rounds of processing and then combine to produce the ciphertext block. Each round i
has inputs Li-1 and Ri-1, derived from the previous round, as well as the sub key Ki,
derived from the overall key K. In general, the sub keys Ki are different from K and from
each other.

All rounds have the same structure. A substitution is performed on the left half of the data
(similar to S-DES). This is done by applying a round function F to the right half of the
data and then taking the XOR of the output of that function and the left half of the data. The
round function has the same general structure for each round but is parameterized by the
round sub key Ki. Following this substitution, a permutation is performed that consists of
the interchange of the two halves of the data. This structure is a particular form of the
substitution-permutation network. The exact realization of a Feistel network depends on the
choice of the following parameters and design features:

Block size - Increasing size improves security, but slows cipher

Key size - Increasing size improves security, makes exhaustive key searching harder, but
may slow cipher

Number of rounds - Increasing number improves security, but slows cipher

Subkey generation - Greater complexity can make analysis harder, but slows cipher

Round function - Greater complexity can make analysis harder, but slows cipher

Fast software en/decryption & ease of analysis - are more recent concerns for practical
use and testing.


Fig: Classical Feistel Network


Fig: Feistel encryption and decryption

The process of decryption is essentially the same as the encryption process. The rule is as
follows: use the ciphertext as input to the algorithm, but use the sub keys Ki in reverse order,
i.e., Kn in the first round, Kn-1 in the second round, and so on. For clarity, we use the
notation LEi and REi for data traveling through the encryption algorithm and LDi and RDi
for data traveling through the decryption algorithm. The diagram below indicates that, at
each round, the intermediate value of the decryption process is equal to the corresponding
value of the encryption process with the two halves of the value swapped,

i.e., the output of the ith encryption round is $LE_i \| RE_i$, and the corresponding output of
the (16-i)th decryption round is $RE_i \| LE_i$, or equivalently $LD_{16-i} \| RD_{16-i}$.

After the last iteration of the encryption process, the two halves of the output are swapped,
so that the ciphertext is $RE_{16} \| LE_{16}$. The output of that round is the ciphertext.
Now take the ciphertext and use it as input to the same algorithm. The input to the first
round is $RE_{16} \| LE_{16}$, which is equal to the 32-bit swap of the output of the
sixteenth round of the encryption process.

Now we will see how the output of the first round of the decryption process is equal to a
32-bit swap of the input to the sixteenth round of the encryption process. First consider
the encryption process:

$LE_{16} = RE_{15}$

$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$

On the decryption side:

$LD_1 = RD_0 = LE_{16} = RE_{15}$

$RD_1 = LD_0 \oplus F(RD_0, K_{16}) = RE_{16} \oplus F(RE_{15}, K_{16}) = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$

Therefore, $LD_1 = RE_{15}$ and $RD_1 = LE_{15}$. In general, for the $i$th iteration of the
encryption algorithm,

$LE_i = RE_{i-1}$

$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$

Finally, the output of the last round of the decryption process is $RE_0 \| LE_0$. A 32-bit swap
recovers the original plaintext.
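The derivation above can be checked by running it. The following is an added Python example (not the notes' own code): a generic Feistel cipher with a constructed, hash-based round function and key schedule (assumptions for the example, not DES's), which encrypts, decrypts by feeding the sub keys in reverse order, and verifies that every intermediate decryption state is the swapped encryption state.

```python
import hashlib

HALF = 4          # w = 32-bit halves, so the block is 2w = 64 bits
ROUNDS = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """The round function F(R, K).  The Feistel structure works for any F, even
    a non-invertible one; here (an assumption for the example) F is SHA-256 of
    R||K truncated to w bits."""
    return hashlib.sha256(right + subkey).digest()[:HALF]


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """Derive sub keys K_1..K_n from K (a constructed schedule, not DES's)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF]
            for i in range(1, rounds + 1)]


def feistel_rounds(block: bytes, subkeys: list) -> list:
    """Run the rounds and return every intermediate pair (L_i, R_i), i = 0..n.
    Each round computes L_i = R_{i-1} and R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left, right = block[:HALF], block[HALF:]
    trace = [(left, right)]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
        trace.append((left, right))
    return trace


def encrypt(block: bytes, key: bytes) -> bytes:
    left, right = feistel_rounds(block, key_schedule(key))[-1]
    return right + left            # final swap: ciphertext is RE_n || LE_n


def decrypt(block: bytes, key: bytes) -> bytes:
    # Same algorithm, sub keys in reverse order (K_n first, then K_{n-1}, ...).
    left, right = feistel_rounds(block, key_schedule(key)[::-1])[-1]
    return right + left


def swap_property_holds(block: bytes, key: bytes) -> bool:
    """Check the notes' claim: after round i of decryption the state equals the
    state after round n-i of encryption with the halves swapped, i.e.
    LD_i || RD_i == RE_{n-i} || LE_{n-i}, for every i = 0..n."""
    subkeys = key_schedule(key)
    enc = feistel_rounds(block, subkeys)
    dec = feistel_rounds(encrypt(block, key), subkeys[::-1])
    n = len(subkeys)
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))


if __name__ == "__main__":
    key, block = b"example key bytes", b"8byteblk"   # constructed sample values
    ct = encrypt(block, key)
    print(ct.hex(), decrypt(ct, key) == block, swap_property_holds(block, key))
```

Note that `round_function` is a hash and is never inverted: decryption recomputes F on the same right half and XORs it away, which is the whole point of the structure.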

2.2 DATA ENCRYPTION STANDARD (DES)

In May 1973, and again in August 1974, the NBS (now NIST) called for possible encryption
algorithms for use in unclassified government applications. The response was mostly
disappointing; however, IBM submitted their Lucifer design, which, following a period of
redesign and comment, became the Data Encryption Standard (DES).

DES is a symmetric-key algorithm for the encryption of electronic data. Developed in the
early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was
submitted to the National Bureau of Standards (NBS) following the agency's invitation to
propose a candidate for the protection of sensitive, unclassified electronic government
data. However, it has now been replaced by a new standard known as the Advanced
Encryption Standard (AES). DES is a 64-bit block cipher, which means that it encrypts data
64 bits at a time. This is contrasted with a stream cipher, in which only one bit at a time (or
sometimes a small group of bits such as a byte) is encrypted. Even though DES actually
accepts a 64-bit key as input, only 56 of those bits are used; the remaining eight bits are used
for parity checking and have no effect on DES's security. Outsiders were convinced that the
56-bit key was an easy target for a brute-force attack due to its extremely small size. DES of
course isn't the only symmetric cipher. There are many others, each with varying levels of
complexity. Such ciphers include IDEA, RC4, RC5, RC6 and the new Advanced Encryption
Standard (AES).

INNER WORKING OF DES

DES (and most of the other major symmetric ciphers) is based on a cipher known as the
Feistel block cipher. It consists of a number of rounds where each round contains bit-
shuffling, non-linear substitutions (S-boxes) and exclusive-OR operations. As with most
encryption schemes, DES expects two inputs: the plaintext to be encrypted and the secret
key. The manner in which the plaintext is accepted, and the key arrangement used for
encryption and decryption, both determine the type of cipher it is. DES is therefore a
symmetric, 64-bit block cipher, as it uses the same key for both encryption and decryption
and only operates on 64-bit blocks of data at a time (be they plaintext or ciphertext). The
key size used is 56 bits; however, a 64-bit (or eight-byte) key is actually input. The least
significant bit of each byte is either used for parity (odd for DES) or set arbitrarily and does
not increase the security in any way. All bits are numbered from left to right, which makes
the eighth bit of each byte the parity bit. Once a plaintext message is received to be
encrypted, it is arranged into the 64-bit blocks required for input.

OVERALL STRUCTURE

The figure below shows the sequence of events that occur during an encryption operation. DES
performs an initial permutation on the entire 64-bit block of data. It is then split into two
32-bit sub-blocks, Li and Ri, which are then passed into what is known as a round (see figure
2.3), of which there are 16 (the subscript i in Li and Ri indicates the current round). Each of
the rounds is identical, and the effect of increasing their number is twofold: the algorithm's
security is increased and its temporal efficiency decreased. Clearly these are two conflicting
outcomes, and a compromise must be made. For DES the number chosen was 16, probably
to guarantee the elimination of any correlation between the ciphertext and either the
plaintext or key. At the end of the 16th round, the 32-bit Li and Ri output quantities are
swapped to create what is known as the pre-output. This [R16, L16] concatenation is
permuted using a function which is the exact inverse of the initial permutation. The output
of this final permutation is the 64-bit ciphertext.

So in total the processing of the plaintext proceeds in three phases, as can be seen from the
left-hand side of the figure:

Initial permutation (IP, defined in table 2.1), rearranging the bits to form the "permuted
input".

Followed by 16 iterations of the same function (substitution and permutation). The output
of the last iteration consists of 64 bits which are a function of the plaintext and key. The left
and right halves are swapped to produce the pre-output.

Finally, the pre-output is passed through a permutation (IP⁻¹, defined in table 2.1) which
is simply the inverse of the initial permutation (IP). The output of IP⁻¹ is the 64-bit
ciphertext.

As the figure shows, the inputs to each round consist of the Li, Ri pair and a 48-bit sub key
which is a shifted and contracted version of the original 56-bit key. The use of the key can
be seen in the right-hand portion of figure 2.2:

• Initially the key is passed through a permutation function (PC1, defined in table 2.2).

• For each of the 16 iterations, a sub key (Ki) is produced by a combination of a left circular
shift and a permutation (PC2, defined in table 2.2) which is the same for each iteration.
However, the resulting sub key is different for each iteration because of the repeated shifts.

The main operations on the data are encompassed into what is referred to as the cipher
function, labelled F. This function accepts two inputs of different lengths, 32 bits and 48 bits,
and outputs a single 32-bit number. Both the data and key are operated on in parallel;
however, the operations are quite different. The 56-bit key is split into two 28-bit halves Ci
and Di (C and D being chosen so as not to be confused with L and R). The value of the key
used in any round is simply a left cyclic shift and a permuted contraction of that used in the
previous round. Mathematically, this can be written as

$C_i = \mathrm{LCS}_i(C_{i-1}), \qquad D_i = \mathrm{LCS}_i(D_{i-1}), \qquad K_i = \mathrm{PC2}(C_i, D_i)$

where $\mathrm{LCS}_i$ is the left cyclic shift for round $i$, $C_i$ and $D_i$ are the outputs after the
shifts, $\mathrm{PC2}(\cdot)$ is a function which permutes and compresses a 56-bit number into a
48-bit number, and $K_i$ is the actual key used in round $i$. The number of shifts is either one
or two and is determined by the round number $i$.

S-BOX

2.3 ADVANCED ENCRYPTION STANDARD (AES)

AES is a block cipher with a block length of 128 bits.

AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion
will assume that the key length is 128 bits.

Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys,
and 14 rounds for 256-bit keys.

Except for the last round in each case, all other rounds are identical.

Each round of processing includes one single-byte based substitution step, a row-wise
permutation step, a column-wise mixing step, and the addition of the round key. The order
in which these four steps are executed is different for encryption and decryption. To
appreciate the processing steps used in a single round, it is best to think of a

128-bit block as consisting of a 4 × 4 matrix of bytes, arranged as follows:

Therefore, the first four bytes of a 128-bit input block occupy the first column in the 4 × 4
matrix of bytes. The next four bytes occupy the second column, and so on. The 4 × 4
matrix of bytes shown above is referred to as the state array in AES.

The algorithm begins with an Add Round Key stage followed by 9 rounds of four stages and
a tenth round of three stages.

This applies for both encryption and decryption, with the exception that each stage of a
round of the decryption algorithm is the inverse of its counterpart in the encryption algorithm.

The four stages are as follows:
1. Substitute bytes
2. Shift rows
3. Mix columns
4. Add round key

Substitute Bytes

This stage (known as SubBytes) is simply a table lookup using a 16 × 16 matrix of byte
values called an s-box.
This matrix consists of all the possible combinations of an 8-bit sequence (2^8 = 16 × 16 =
256).

However, the s-box is not just a random permutation of these values, and there is a well-
defined method for creating the s-box tables.
The designers of Rijndael showed how this was done, unlike the s-boxes in DES for which
no rationale was given. Our concern will be how the state is affected in each round.
For this particular round each byte is mapped into a new byte in the following way: the
leftmost nibble of the byte is used to specify a particular row of the s-box and the rightmost
nibble specifies a column.
For example, the byte {95} (curly brackets represent hex values in FIPS PUB 197) selects
row 9, column 5, which turns out to contain the value {2A}.
This is then used to update the state matrix.

Shift Row Transformation

This stage (known as Shift Rows) is shown in figure below.


It is a simple permutation and nothing more.
It works as follows:
– The first row of state is not altered.
– The second row is shifted 1 byte to the left in a circular manner.
– The third row is shifted 2 bytes to the left in a circular manner.
– The fourth row is shifted 3 bytes to the left in a circular manner.

MIX COLUMN TRANSFORMATION

This stage (known as MixColumns) is basically a substitution.

Each column is operated on individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in the column.
The transformation can be determined by the following matrix multiplication on state.
Each element of the product matrix is the sum of products of elements of one row and one
column.
In this case the individual additions and multiplications are performed in GF(2^8).
The MixColumns transformation of a single column j (0 ≤ j ≤ 3) of state can be
expressed as:

$s'_{0,j} = (2 \cdot s_{0,j}) \oplus (3 \cdot s_{1,j}) \oplus s_{2,j} \oplus s_{3,j}$

$s'_{1,j} = s_{0,j} \oplus (2 \cdot s_{1,j}) \oplus (3 \cdot s_{2,j}) \oplus s_{3,j}$

$s'_{2,j} = s_{0,j} \oplus s_{1,j} \oplus (2 \cdot s_{2,j}) \oplus (3 \cdot s_{3,j})$

$s'_{3,j} = (3 \cdot s_{0,j}) \oplus s_{1,j} \oplus s_{2,j} \oplus (2 \cdot s_{3,j})$
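The MixColumns equations above, as an added Python example (not from the notes): multiplication in GF(2^8) with the AES reduction polynomial, the forward transformation of one column, and the inverse transformation used in decryption, whose matrix constants are {0e}, {0b}, {0d}, {09} in FIPS PUB 197. The sample columns are constructed test data.

```python
# MixColumns arithmetic, added example (not the notes' code).  Bytes are
# elements of GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
def xtime(b: int) -> int:
    """Multiply by x, i.e. by {02}: shift left and reduce if bit 8 overflowed."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """General product a * b in GF(2^8) by shift-and-add (repeated xtime)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def mix_column(col: list) -> list:
    """The four equations above applied to one column s_{0,j} .. s_{3,j}."""
    s0, s1, s2, s3 = col
    return [
        gf_mul(2, s0) ^ gf_mul(3, s1) ^ s2 ^ s3,
        s0 ^ gf_mul(2, s1) ^ gf_mul(3, s2) ^ s3,
        s0 ^ s1 ^ gf_mul(2, s2) ^ gf_mul(3, s3),
        gf_mul(3, s0) ^ s1 ^ s2 ^ gf_mul(2, s3),
    ]


def inv_mix_column(col: list) -> list:
    """InvMixColumns (used in decryption): the inverse matrix, whose
    constants are {0e}, {0b}, {0d}, {09} in FIPS PUB 197."""
    s0, s1, s2, s3 = col
    return [
        gf_mul(14, s0) ^ gf_mul(11, s1) ^ gf_mul(13, s2) ^ gf_mul(9, s3),
        gf_mul(9, s0) ^ gf_mul(14, s1) ^ gf_mul(11, s2) ^ gf_mul(13, s3),
        gf_mul(13, s0) ^ gf_mul(9, s1) ^ gf_mul(14, s2) ^ gf_mul(11, s3),
        gf_mul(11, s0) ^ gf_mul(13, s1) ^ gf_mul(9, s2) ^ gf_mul(14, s3),
    ]


def mix_columns(state: list) -> list:
    """Apply MixColumns to a whole state given as four columns of four bytes."""
    return [mix_column(c) for c in state]


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]                 # constructed sample column
    mixed = mix_column(col)
    print([f"{b:02x}" for b in mixed])             # ['8e', '4d', 'a1', 'bc']
    print(inv_mix_column(mixed) == col)            # True
```

Because every output byte depends on all four input bytes, a single-byte change in a column spreads to the whole column after one MixColumns, which is the diffusion the Feistel section asked for.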

ADD ROUND KEY TRANSFORMATION

In this stage (known as AddRoundKey) the 128 bits of state are bitwise XORed with the
128 bits of the round key.
The operation is viewed as a column-wise operation between the 4 bytes of a state column
and one word of the round key.
This transformation is as simple as possible, which helps in efficiency, but it also affects
every bit of state.
The AES key expansion algorithm takes as input a 4-word key and produces a linear
array of 44 words. Each round uses 4 of these words, as shown in the figure.
Each word contains 32 bits, which means each sub key is 128 bits long. Figure 7 shows
pseudocode for generating the expanded key from the actual key.

2.4 BLOWFISH ALGORITHM

A symmetric block cipher designed by Bruce Schneier in 1993/94.

Characteristics:

• fast implementation on 32-bit CPUs
• compact in use of memory
• simple structure for analysis/implementation
• variable security by varying key size
• has been implemented in various products

BLOWFISH KEY SCHEDULE

• uses a 32 to 448 bit key, stored as 32-bit words in the K-array Kj, j from 1 to 14
• used to generate:
• 18 32-bit sub keys stored in the P-array, P1 … P18
• four 8×32 S-boxes stored in Si,j, each with 256 32-bit entries

Sub keys and S-boxes generation:

1. Initialize the P-array and then the 4 S-boxes in order using the fractional part of pi: P1
(leftmost 32 bits), and so on, ..., S4,255.
2. XOR the P-array with the key array (32-bit blocks), reusing the key array as needed:
assuming we have up to K10, then P10 XOR K10, P11 XOR K1 … P18 XOR K8.
3. Encrypt a 64-bit block of zeros, and use the result to update P1 and P2.
4. Encrypt the output from the previous step using the current P and S, and replace P3 and P4.
Then encrypt the current output and use it to update successive pairs of P.
5. After updating all P's (last: P17, P18), start updating the S values using the
encrypted output from the previous step.

• requires 521 encryptions, hence slow in re-keying
• not suitable for limited-memory applications

BLOWFISH ENCRYPTION

• uses two main operations: addition modulo 2^32 and XOR
• data is divided into two 32-bit halves L0 & R0

for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;

• where F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d

2.5 IDEA (IPES)

The DES algorithm has been a popular secret-key encryption algorithm and is used in many
commercial and financial applications. However, its key size is too small by current
standards, and its entire 56-bit key space can be searched in approximately 22 hours.

IDEA is a block cipher designed by Xuejia Lai and James L. Massey in 1991. It is a minor
revision of an earlier cipher, PES (Proposed Encryption Standard). IDEA was originally
called IPES (Improved PES) and was developed to replace DES. It entirely avoids the use of
any lookup tables or S-boxes. IDEA was used as the symmetric cipher in early versions of
the Pretty Good Privacy cryptosystem.

IDEA operates with 64-bit plaintext and ciphertext blocks and is controlled by a 128-bit
key. It completely avoids the substitution boxes and table lookups used in other block
ciphers. The algorithm structure has been chosen such that, when different key sub-blocks
are used, the encryption process is identical to the decryption process.

Key generation

The 64-bit plaintext block is partitioned into four 16-bit sub-blocks.

For each of the eight rounds, six 16-bit key sub-blocks are generated from the 128-bit key.
Since a further four 16-bit key sub-blocks are required for the subsequent output
transformation, a total of 52 (= 8 × 6 + 4) different 16-bit sub-blocks have to be generated
from the 128-bit key.

Key generation process

First, the 128-bit key is partitioned into eight 16-bit sub-blocks which are then directly
used as the first eight key sub-blocks.
The 128-bit key is then cyclically shifted to the left by 25 positions, after which the resulting
128-bit block is again partitioned into eight 16-bit sub-blocks to be directly used as the next
eight key sub-blocks.
The cyclic shift procedure described above is repeated until all of the required 52 16-bit key
sub-blocks have been generated.

Sequence of operations in one round

1) Multiply P1 and K1
2) Add P2 and K2
3) Add P3 and K3
4) Multiply P4 and K4
5) Step 1 ⊕ step 3
6) Step 2 ⊕ step 4
7) Multiply step 5 with K5
8) Add result of step 6 and step 7
9) Multiply result of step 8 with K6
10) Add result of step 7 and step 9
11) XOR result of step 1 and step 9
12) XOR result of step 3 and step 9
13) XOR result of step 2 and step 10
14) XOR result of step 4 and step 10

Encryption of the key sub-blocks

The key sub-blocks used for the encryption and the decryption in the individual rounds
are shown in Table 1

Encryption

In the first round, the first four 16-bit key sub-blocks are combined with two of the 16-bit
plaintext blocks using addition modulo 2^16, and with the other two plaintext blocks using
multiplication modulo 2^16 + 1.
At the end of the first encryption round four 16-bit values are produced which are used as
input to the second encryption round.

The process is repeated in each of the subsequent 7 encryption rounds.

The four 16-bit values produced at the end of the 8th encryption round are
combined with the last four of the 52 key sub-blocks using addition modulo 2^16 and
multiplication modulo 2^16 + 1 to form the resulting four 16-bit ciphertext blocks.

Decryption

The computational process used for decryption of the ciphertext is essentially the same as
that used for encryption.
The only difference is that each of the 52 16-bit key sub-blocks used for decryption is the
inverse of the key sub-block used during encryption.
In addition, the key sub-blocks must be used in the reverse order during decryption in
order to reverse the encryption process.
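The round sequence, key schedule and decryption rule above, as an added Python example (not the notes' own code): a complete IDEA implementation with the 0 ↔ 2^16 convention for multiplication modulo 2^16 + 1, the 25-bit rotation key schedule, and the inverted, reordered sub keys used for decryption. The key and block values are constructed samples.

```python
# IDEA (Lai/Massey) written out to match the notes' description: 8 rounds of
# the 14-step sequence plus the output transformation.  Added example, not the
# notes' own code.
MASK16 = 0xFFFF
MOD_MUL = (1 << 16) + 1            # 65537, a prime


def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1; the 16-bit value 0 represents 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % MOD_MUL) & MASK16


def add(a: int, b: int) -> int:
    return (a + b) & MASK16          # addition modulo 2^16


def add_inv(a: int) -> int:
    return (-a) & MASK16


def mul_inv(a: int) -> int:
    """Inverse for mul(): 0 (= 2^16) is its own inverse, otherwise Fermat."""
    return 0 if a == 0 else pow(a, MOD_MUL - 2, MOD_MUL) & MASK16


def encryption_subkeys(key: bytes) -> list:
    """52 sub keys: split the 128-bit key into eight 16-bit words, rotate the
    whole key left by 25 bits, split again, and repeat until 52 words exist."""
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def decryption_subkeys(z: list) -> list:
    """Decryption uses the same algorithm with the inverses of the sub keys,
    taken in reverse order (the two additive keys of each inner round are
    swapped because the round also swaps the two middle blocks)."""
    d = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for r in range(7, 0, -1):
        b = 6 * r
        d += [mul_inv(z[b]), add_inv(z[b + 2]), add_inv(z[b + 1]), mul_inv(z[b + 3]),
              z[b - 2], z[b - 1]]
    d += [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d


def idea_block(block: bytes, subkeys: list) -> bytes:
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = subkeys[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4)  # steps 1-4
        t0 = mul(x1 ^ x3, k5)                 # steps 5 and 7
        t1 = mul(add(x2 ^ x4, t0), k6)        # steps 6, 8 and 9
        t0 = add(t0, t1)                      # step 10
        # steps 11-14, then the swap of the two middle blocks for the next round
        x1, x2, x3, x4 = x1 ^ t1, x3 ^ t1, x2 ^ t0, x4 ^ t0
    x2, x3 = x3, x2                           # the last swap is undone
    k1, k2, k3, k4 = subkeys[48:52]           # output transformation
    out = (mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4))
    return b"".join(v.to_bytes(2, "big") for v in out)


def idea_encrypt(key: bytes, block: bytes) -> bytes:
    return idea_block(block, encryption_subkeys(key))


def idea_decrypt(key: bytes, block: bytes) -> bytes:
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))


if __name__ == "__main__":
    key = bytes.fromhex("00010002000300040005000600070008")   # sample key
    pt = bytes.fromhex("0000000100020003")                    # sample block
    ct = idea_encrypt(key, pt)
    print(ct.hex(), idea_decrypt(key, ct) == pt)
```

Running it prints the ciphertext and confirms the round trip; before trusting any such implementation a practitioner would additionally compare its output against a published IDEA test vector, since a round-trip test alone cannot detect a consistently mirrored mistake in both directions.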

Applications of IDEA

Today, there are hundreds of IDEA-based security solutions available in many market
areas, ranging from financial services and broadcasting to government.
The IDEA algorithm can easily be embedded in any encryption software. Data encryption
can be used to protect data transmission and storage. Typical fields are:
– Audio and video data for cable TV, pay TV, video conferencing, distance
learning
– Sensitive financial and commercial data

– Smart cards

2.6 BLOCK CIPHER MODES OF OPERATION

A block cipher processes the data blocks of fixed size. Usually, the size of a message is
larger than the block size.

Hence, the long message is divided into a series of sequential message blocks, and the
cipher operates on these blocks one at a time.

Block ciphers encrypt fixed-size blocks, e.g., DES encrypts 64-bit blocks.

For different applications and uses, there are several modes of operation for a block
cipher.

Electronic Code Book

Direct use of the block cipher.
Used primarily to transmit encrypted keys.
Very weak if used for general-purpose encryption; never use it for a file or a message.
An attacker can build up a codebook; there is no semantic security.
We write {P}k → C to denote "encryption of plaintext P with key k to produce
ciphertext C".

Advantages and Limitations of ECB

Message repetitions may show in the ciphertext:
 if aligned with the message block,
 particularly with data such as graphics, or with messages that change very
little, which become a codebook-analysis problem.
The weakness is due to the encrypted message blocks being independent.
Vulnerable to cut-and-paste attacks.

Main use is sending a few blocks of data.

Cipher Block Chaining

We would like the same plaintext blocks to produce different ciphertext blocks.

Cipher Block Chaining (see figure) allows this by XORing each plaintext block with the
ciphertext from the previous round (the first round using an Initialisation Vector (IV)).
As before, the same key is used for each block.
Decryption works as shown in the figure because of the properties of the XOR operation,

i.e. IV ⊕ IV ⊕ P = P, where IV is the Initialisation Vector and P is the plaintext.

Obviously the IV needs to be known by both sender and receiver, and it should be kept
secret along with the key for maximum security.

ADVANTAGES AND DISADVANTAGES OF CBC:

A ciphertext block depends on all blocks before it.

Any change to a block affects all following ciphertext blocks.

Needs an initialization vector (IV), which must be known to sender and receiver.

If the IV is sent in clear, an attacker can change bits of the first block by changing the
corresponding bits of the IV.

Hence the IV must either be a fixed value,
 or derived in a way that is hard to manipulate,
 or sent encrypted in ECB mode before the rest of the message,
 or message integrity must be checked otherwise.

CIPHER FEEDBACK (CFB) MODE

The Cipher Feedback and Output Feedback modes allow a block cipher to be converted into a
stream cipher.
This eliminates the need to pad a message to be an integral number of blocks. It also can
operate in real time.
The figure shows the CFB scheme.

In this figure it is assumed that the unit of transmission is s bits; a common value is s = 8.

As with CBC, the units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext (which is split into s-bit segments).
The input to the encryption function is a shift register equal in length to the block size of
the algorithm (although the diagram shows 64 bits, which is the block size used by DES, this
can be extended to other block sizes such as the 128 bits of AES).


This is initially set to some Initialisation Vector (IV).

Advantages and Disadvantages of CFB

- Most common stream mode.
- Appropriate when data arrives in bits/bytes.
- Limitation is the need to stall while doing a block encryption after every s bits.
- Note that the block cipher is used in encryption mode at both ends (the plaintext and
  ciphertext are combined by XOR).
- Errors propagate for several blocks after the error.

OUTPUT FEEDBACK (OFB) MODE

The Output Feedback mode is similar in structure to that of CFB, as seen in figure 13.
As can be seen, it is the output of the encryption function that is fed back to the shift register
in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.
One advantage of the OFB method is that bit errors in transmission do not propagate.
For example, if a bit error occurs in C1, only the recovered value of P1 is affected;
subsequent plaintext units are not corrupted.

With CFB, C1 also serves as input to the shift register and therefore causes additional
corruption downstream.


Advantages and Limitations of OFB

- Needs an IV which is unique for each use; if it is ever reused, an attacker can recover
  outputs (the one-time-pad problem).
- Can pre-compute the keystream.
- Bit errors do not propagate.
- More vulnerable to message stream modification: arbitrary plaintext bits can be changed
  by changing the corresponding ciphertext bits.
- Sender and receiver must remain in sync.
- Only use with full block feedback: subsequent research has shown that only full block
  feedback (i.e. CFB-64 or CFB-128) should ever be used.


Counter Mode (CTR):

- A "new" mode, though proposed early on.
- Similar to OFB, but encrypts a counter value rather than any feedback value:

    Oi = Ek(i)
    Ci = Pi XOR Oi

- Must have a different key and counter value for every plaintext block (never reused);
  again, the one-time-pad issue.
- Uses: high-speed network encryption.

Advantages and Limitations of CTR

- Efficiency:
  - can do parallel encryptions in hardware or software,
  - can preprocess in advance of need,
  - good for bursty high-speed links.
- Random access to encrypted data blocks.
- Provable security (as good as the other modes).
- Never has a cycle of less than 2^b.
- But must ensure key/counter values are never reused, otherwise the scheme could be broken.
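As an added example (not code from the original notes), here is a Python implementation of the ECB, CBC and CTR modes described above; it shows ECB leaking repeated plaintext blocks, CBC and CTR hiding them, and a one-bit ciphertext error damaging two CBC blocks but only one CTR block. The underlying block cipher is an assumption of this example: a toy 128-bit, 4-round Feistel network with an HMAC-SHA256 round function (a stand-in for DES/AES so nothing beyond the standard library is needed), as are the PKCS#7 padding and the constructed key, IV, nonce and message.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes (128 bits, like AES)

def _xor(a, b):
    """Bytewise XOR, truncated to the shorter input (handles a short final CTR block)."""
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    """Round function of the toy cipher: a keyed PRF of one half (assumption of this example)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    """4-round Feistel network on one 16-byte block: a stand-in for a real block cipher E_k."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: undo the rounds in reverse order."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def pad(data):
    """PKCS#7 padding so the message is a whole number of blocks (ECB and CBC need it)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """ECB: each block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt_block(key, b) for b in blocks(ct)))

def cbc_encrypt(key, iv, pt):
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV for the first one)."""
    prev, out = iv, []
    for b in blocks(pad(pt)):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key, iv, ct):
    """CBC decryption without padding removal (kept separate so error spread can be observed)."""
    prev, out = iv, []
    for b in blocks(ct):
        out.append(_xor(toy_decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    return unpad(cbc_decrypt_raw(key, iv, ct))

def ctr_crypt(key, nonce, data):
    """CTR: O_i = E_k(nonce || i), C_i = P_i XOR O_i. The same call decrypts; no padding needed."""
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        out += _xor(b, toy_encrypt_block(key, nonce + i.to_bytes(8, "big")))
    return bytes(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks identical to an earlier one: the ECB codebook leak."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

def damaged_blocks(decrypt, ct, expected):
    """Flip one bit in the first ciphertext block and count the plaintext blocks that come out wrong."""
    bad = bytearray(ct)
    bad[0] ^= 0x01
    return sum(1 for g, e in zip(blocks(decrypt(bytes(bad))), blocks(expected)) if g != e)

# Constructed sample values (not from the notes): fixed key, IV and nonce, and a plaintext of
# three identical 16-byte blocks so that the ECB weakness is visible.
KEY = b"sixteen byte key"
IV = bytes(range(16))
NONCE = b"\x00" * 8
MESSAGE = b"ATTACK AT DAWN!!" * 3

if __name__ == "__main__":
    ecb, cbc, ctr = ecb_encrypt(KEY, MESSAGE), cbc_encrypt(KEY, IV, MESSAGE), ctr_crypt(KEY, NONCE, MESSAGE)
    print("repeated ciphertext blocks  ECB:", repeated_blocks(ecb),
          " CBC:", repeated_blocks(cbc), " CTR:", repeated_blocks(ctr))
    print("blocks damaged by a 1-bit ciphertext error  CBC:",
          damaged_blocks(lambda c: cbc_decrypt_raw(KEY, IV, c), cbc, pad(MESSAGE)),
          " CTR:", damaged_blocks(lambda c: ctr_crypt(KEY, NONCE, c), ctr, MESSAGE))
```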

2.7 STREAM CIPHER

A stream cipher is an encryption algorithm that encrypts 1 bit or byte of plaintext at a time. It
uses an infinite stream of pseudorandom bits as the key. For a stream cipher implementation
to remain secure, its pseudorandom generator should be unpredictable and the key should never
be reused. Stream ciphers are designed to approximate an idealized cipher, known as the One-
Time Pad.

The One-Time Pad, which is supposed to employ a purely random key, can potentially
achieve "perfect secrecy". That is, it is supposed to be fully immune to brute force attacks. The
problem with the one-time pad is that, in order to create such a cipher, its key should be as long
as or even longer than the plaintext. In other words, if you have a 500 MegaByte video file that you
would like to encrypt, you would need a key that is at least 4 Gigabits long.

Clearly, while Top Secret information or matters of national security may warrant the use of a
one-time pad, such a cipher would just be too impractical for day-to-day public use. The key
of a stream cipher is no longer as long as the original message. Hence, it can no longer
guarantee "perfect secrecy". However, it can still achieve a strong level of security.

Comparison between Block Cipher and Stream Cipher

Basis for comparison    | Block cipher                                  | Stream cipher
------------------------|-----------------------------------------------|-----------------------------------------------
Basic                   | Converts the plain text by taking a block     | Converts the text by taking one byte of the
                        | of it at a time.                              | plain text at a time.
Complexity              | Simple design                                 | Comparatively complex
No. of bits used        | 64 bits or more                               | 8 bits
Confusion and diffusion | Uses both confusion and diffusion             | Relies on confusion only
Algorithm modes used    | ECB (Electronic Code Book),                   | CFB (Cipher Feedback),
                        | CBC (Cipher Block Chaining)                   | OFB (Output Feedback)
Reversibility           | Reversing encrypted text is hard.             | It uses XOR for the encryption, which can be
                        |                                               | easily reversed to the plain text.


2.8 RC4

RC4 was designed in 1987 by RSA (Ron Rivest, Adi Shamir, and Leonard Adleman). It is a symmetric key
encryption algorithm and a stream cipher.

In the RC4 encryption algorithm, the key stream is completely independent of the plaintext used. An
8 * 8 S-Box (S0 ... S255) is used, where the entries are a permutation of the numbers 0 to 255, and the
permutation is a function of the variable length key. There are two counters, i and j, both initialized
to 0, used in the algorithm.

The algorithm uses a variable length key from 1 to 256 bytes to initialize a 256-byte state table. The
state table is used for subsequent generation of pseudo-random bytes and then to generate a pseudo-
random stream which is XORed with the plaintext to give the ciphertext. Each element in the state
table is swapped at least once.

The key is often limited to 40 bits, because of export restrictions but it is sometimes used as a 128
bit key. It has the capability of using keys between 1 and 2048 bits. RC4 is used in many commercial
software packages such as Lotus Notes and Oracle Secure SQL.

The algorithm works in two phases, key setup and ciphering. Key setup is the first and most difficult
phase of this encryption algorithm. During an N-bit key setup (N being your key length), the
encryption key is used to generate an encrypting variable using two arrays, state and key, and N
mixing operations. These mixing operations consist of swapping bytes, modulo
operations, and other formulas. A modulo operation is the process of yielding a remainder from
division. For example, 11/4 is 2 remainder 3; therefore eleven mod four would be equal to three.

Strengths of RC4

- The difficulty of knowing where any value is in the table.

- The difficulty of knowing which location in the table is used to select each value in
the sequence.

- A particular RC4 algorithm key can be used only once.

Mallareddy Engineering College For Women-Autonomous Institution-UGC, Govt, Of India) Page 57



Encryption is about 10 times faster than DES.

Architecture of RC4

Inside of RC4:

- Consists of 2 parts:
  - Key Scheduling Algorithm (KSA)
  - Pseudo-Random Generation Algorithm (PRGA)
- Generate the state array
- Run the PRGA on the KSA output
- Generate the keystream
- XOR the keystream with the data to generate the encrypted stream.


KSA

Use the secret key to initialize and permute the state vector S, done in two steps:

for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod |K|];

[S]: S is set equal to the values from 0 to 255, i.e. S[0]=0, S[1]=1, ..., S[255]=255
[T]: a temporary vector
[K]: array of bytes of the secret key
|K| = keylen, the length of K

j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    swap(S[i], S[j]);

Use T to produce initial permutation of S

After KSA, the input key and the temporary vector T will be no longer used

PRGA

Generate the key stream bytes k one by one, and XOR each keystream byte k = S[t] with the next
byte of the message to encrypt/decrypt:

i = 0; j = 0;
for x = 0 to byteLen - 1 do
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];
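The KSA and PRGA above as an added Python example (not code from the notes), plus a check of the "key can be used only once" rule: with the keystream independent of the plaintext, two messages under one key leak the XOR of the plaintexts to anyone holding both ciphertexts. The test values ("Key"/"Plaintext" and the others) are the widely published RC4 test vectors, chosen here as an assumption of this example.

```python
def rc4_ksa(key):
    """Key Scheduling Algorithm: build the 256-byte state S from a 1..256-byte key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    s = list(range(256))                          # S[i] = i
    t = [key[i % len(key)] for i in range(256)]   # T[i] = K[i mod |K|]
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]                   # swap(S[i], S[j])
    return s


def rc4_prga(s, n):
    """Pseudo-Random Generation Algorithm: return n keystream bytes (S is updated in place)."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])        # t = (S[i] + S[j]) mod 256; k = S[t]
    return bytes(out)


def rc4_crypt(key, data):
    """Encrypt or decrypt (the same operation): data XOR keystream."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key, p1, p2):
    """True when C1 XOR C2 == P1 XOR P2, i.e. reusing a key exposes the XOR of the plaintexts."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed sample messages; the key/plaintext pair is a published RC4 test vector.
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                                   # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", ct))
    print("key reuse leaks plaintext XOR:", keystream_reuse_leak(b"Key", b"Plaintext", b"Plain text"))
```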

Detailed Diagram

Overall Operation of RC4

2.9 RC5

RC5 is a block cipher notable for its simplicity. It was designed by Ronald Rivest in 1994.

RC stands for "Rivest Cipher", or alternatively, "Ron's Code".

Rivest also announced RC2 and RC4, and now there is RC6, which was an Advanced
Encryption Standard (AES) candidate (RC6 was based on RC5).

Features

- Symmetric block cipher (like a Feistel network structure): the same secret cryptographic key
  is used for encryption and decryption.

- Suitable for hardware and software: it uses only computational primitive operations commonly
  found on typical microprocessors.

- Fast, because it uses word-oriented operations.

- Adaptable to processors of different word lengths; for example, with a 64-bit processor RC5
  can exploit the longer word length.

- Variable length cryptographic key: the user can choose the level of security appropriate for
  his application; the key length b in bytes is thus a third parameter of RC5.

- Simple: it is simple to implement. This simplicity makes it more interesting to analyze and
  evaluate, so that the cryptographic strength can be more rapidly determined.

- Low memory requirements, so it is easily implemented on devices with restricted memory.

Algorithm RC5

There are three components of RC5:

- Key expansion algorithm

- Encryption algorithm

- Decryption algorithm


Principles of Public-Key Cryptosystems

The concept of public-key cryptography evolved from an attempt to attack two of the most difficult
problems associated with symmetric encryption. Key distribution under symmetric encryption
requires either (1) that two communicants already share a key, which somehow has been distributed
to them; or (2) the use of a key distribution center. Whitfield Diffie, one of the discoverers of
public-key encryption (along with Martin Hellman, both at Stanford University at the time), reasoned
that this second requirement negated the very essence of cryptography: the ability to maintain
total secrecy over your own communication. The second problem that Diffie pondered, and one that
was apparently unrelated to the first, was that of "digital signatures." If the use of cryptography
was to become widespread, not just in military situations but for commercial and private purposes,
then electronic messages and documents would need the equivalent of signatures used in paper
documents.

Public-Key Cryptosystems

Asymmetric algorithms rely on one key for encryption and a different but related key for decryption.
These algorithms have the following important characteristic: it is computationally infeasible to
determine the decryption key given only knowledge of the cryptographic algorithm and the encryption
key. In addition, some algorithms, such as RSA, also exhibit the following characteristic: either of
the two related keys can be used for encryption, with the other used for decryption.

A public-key encryption scheme has six ingredients:

- Plaintext: the readable message or data that is fed into the algorithm as input.
- Encryption algorithm: performs various transformations on the plaintext.
- Public and private keys: a pair of keys that have been selected so that if one is used for
  encryption, the other is used for decryption. The exact transformations performed by the
  algorithm depend on the public or private key that is provided as input.
- Ciphertext: the scrambled message produced as output. It depends on the plaintext and the key.
  For a given message, two different keys will produce two different ciphertexts.
- Decryption algorithm: accepts the ciphertext and the matching key and produces the original
  plaintext.


The important point is that the security of conventional encryption depends on the secrecy of
the key, not the secrecy of the algorithm, i.e. it is not necessary to keep the algorithm secret,
but only the key. This feature, that the algorithm need not be kept secret, made
it feasible for widespread use and enabled manufacturers to develop low-cost chip
implementations of data encryption algorithms. With the use of a conventional algorithm, the
principal security problem is maintaining the secrecy of the key.

2.10 RSA

RSA is the best known, and by far the most widely used, general public key encryption
algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78].
Since that time RSA has reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption. The RSA scheme is a block cipher in
which the plaintext and the ciphertext are integers between 0 and n-1 for some fixed n; a
typical size for n is 1024 bits (or 309 decimal digits). It is based on exponentiation in a finite
(Galois) field over integers modulo a prime, using large integers (e.g. 1024 bits). Its security is
due to the cost of factoring large numbers. RSA involves a public key and a private key, where
the public key is known to all and is used to encrypt data or messages. Data or a message
which has been encrypted using a public key can only be decrypted by
using its corresponding private key. Each user generates a key pair, i.e. public and private key,
using the following steps:

- each user selects two large primes at random: p, q
- compute the system modulus n = p.q
- calculate ø(n), where ø(n) = (p-1)(q-1)
- select at random the encryption key e, where 1 < e < ø(n) and gcd(e, ø(n)) = 1
- solve the following equation to find the decryption key d: e.d = 1 mod ø(n) and 0 ≤ d ≤ n
- publish the public encryption key: KU = {e, n}
- keep secret the private decryption key: KR = {d, n}

Both the sender and receiver must know the values of n and e, and only the receiver knows the
value of d. Encryption and decryption are done using the following equations. To encrypt a
message M the sender:

– obtains the public key of the recipient KU = {e, n}

– computes: C = M^e mod n, where 0 ≤ M < n

To decrypt the ciphertext C the owner:

– uses their private key KR = {d, n}

– computes: M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

For this algorithm to be satisfactory, the following requirements are to be met:

– it is possible to find values of e, d, n such that M^(ed) = M mod n for all M < n

– it is relatively easy to calculate M^e and C^d for all values of M < n

– it is impossible to determine d given e and n


The way RSA works is based on number theory. Fermat's little theorem: if p is prime and a
is a positive integer not divisible by p, then a^(p-1) ≡ 1 mod p. Corollary: for any positive
integer a and prime p, a^p ≡ a mod p.

Fermat's theorem, as useful as it will turn out to be, does not provide us with the integers d, e we are
looking for; Euler's theorem (a refinement of Fermat's) does. Euler's function associates to
any positive integer n a number φ(n): the number of positive integers smaller than n and
relatively prime to n. For example, φ(37) = 36, i.e. φ(p) = p-1 for any prime p. For any two
primes p, q, φ(pq) = (p-1)(q-1). Euler's theorem: for any relatively prime integers a, n we have
a^φ(n) ≡ 1 mod n. Corollary: for any integers a, n we have a^(φ(n)+1) ≡ a mod n. Corollary: let
p, q be two odd primes and n = pq. Then: φ(n) = (p-1)(q-1).

For any integer m with 0 < m < n, m^((p-1)(q-1)+1) ≡ m mod n. For any integers k, m with 0 < m < n,
m^(k(p-1)(q-1)+1) ≡ m mod n. Euler's theorem provides us the numbers d, e such that M^(ed) = M
mod n. We have to choose d, e such that ed = kφ(n)+1, or equivalently, d ≡ e^(-1) mod φ(n).

An example of RSA can be given as:

Select primes: p = 17 & q = 11

Compute n = pq = 17×11 = 187

Compute ø(n) = (p–1)(q–1) = 16×10 = 160

Select e: gcd(e, 160) = 1; choose e = 7

Determine d: de = 1 mod 160 and d < 160. The value is d = 23 since 23×7 = 161 = 1×160+1

Publish public key KU = {7, 187}

Keep secret private key KR = {23, 187}

Now, given message M = 88 (nb. 88 < 187)

encryption: C = 88^7 mod 187 = 11

decryption: M = 11^23 mod 187 = 88

Another example of RSA is given as:

Let p = 11, q = 13, e = 11, m = 7

n = pq, i.e. n = 11*13 = 143

ø(n) = (p-1)(q-1), i.e. (11-1)(13-1) = 120

e.d = 1 mod ø(n), i.e. 11d mod 120 = 1, i.e. (11*11) mod 120 = 1; so d = 11. Public key: {11, 143}
and private key: {11, 143}

C = M^e mod n, so ciphertext = 7^11 mod 143 = 727833 mod 143, i.e. C = 106. M = C^d mod n, so
plaintext = 106^11 mod 143 = 1008 mod 143, i.e. M = 7

For RSA key generation:

– determine two primes at random: p, q

– select either e or d and compute the other

– the primes must not be easily derived from the modulus, which means they must be sufficiently large

– typically guess and use a probabilistic primality test.


Security of RSA

There are three main approaches to attacking the RSA algorithm.

Brute force key search (infeasible given the size of the numbers): as explained before, this involves
trying all possible private keys. The best defence is using large keys.

Mathematical attacks (based on the difficulty of computing ø(N) by factoring the modulus N): there are
several approaches, all equivalent in effect to factoring the product of two primes. Some of them
are given as:

– factor N = p.q, hence find ø(N) and then d

– determine ø(N) directly and find d

– find d directly

The possible defense would be using large keys and also choosing large numbers for p and q, which
should differ only by a few bits and are also on the order of magnitude 10^75 to 10^100. And gcd(p-1, q-1)
should be small.

2.11 THE ELGAMAL PUBLIC KEY ENCRYPTION ALGORITHM

The ElGamal algorithm provides an alternative to RSA for public key encryption.
1) Security of RSA depends on the (presumed) difficulty of factoring large integers.
2) Security of the ElGamal algorithm depends on the (presumed) difficulty of computing discrete
logs in a large prime modulus.
ElGamal has the disadvantage that the ciphertext is twice as long as the plaintext. It has the advantage
that the same plaintext gives a different ciphertext (with near certainty) each time it is encrypted.
Alice chooses i) a large prime pA (say 200 to 300 digits), ii) a primitive element αA modulo pA,
iii) a (possibly random) integer dA with 2 ≤ dA ≤ pA − 2. Alice computes iv) βA ≡ αA^dA (mod pA).
Alice's public key is (pA, αA, βA).


Algorithm: ELGAMAL ENCRYPTION

INPUT: domain parameters (p, q, g); recipient's public key B; encoded message m in the range
0 < m < p − 1.

Choose a random k in the range 1 < k < p − 1.

Compute c1 = g^k mod p
Compute c2 = m·B^k mod p
Return ciphertext (c1, c2).

Algorithm: ELGAMAL DECRYPTION

INPUT: domain parameters (p, q, g); recipient's private key b; ciphertext (c1, c2).
OUTPUT: message representative, m.

Compute m = c1^(p − b − 1) · c2 mod p

Return m.
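The two algorithms above as an added Python example (not code from the notes), using exactly the decryption formula c1^(p − b − 1)·c2 mod p and checking that the same plaintext encrypts to different ciphertexts under different k. The parameters p = 2579, g = 2 and the private key, message and k values are small constructed sample values of this example, and the primitive-root check assumes p is prime.

```python
import secrets


def is_primitive_root(g, p):
    """g generates all of 1..p-1 iff g^((p-1)/f) != 1 mod p for every prime factor f of p-1."""
    n, factors, f = p - 1, set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)


def elgamal_keygen(p, g, b):
    """Recipient's private key b (2 <= b <= p-2) and public key B = g^b mod p."""
    if not 2 <= b <= p - 2:
        raise ValueError("private key must lie in [2, p-2]")
    if not is_primitive_root(g, p):
        raise ValueError("g must be a primitive root modulo p")
    return b, pow(g, b, p)


def elgamal_encrypt(p, g, B, m, k):
    """(c1, c2) = (g^k mod p, m * B^k mod p); k must be fresh and random for every message."""
    if not 0 < m < p - 1:
        raise ValueError("message must satisfy 0 < m < p-1")
    if not 1 < k < p - 1:
        raise ValueError("k must satisfy 1 < k < p-1")
    return pow(g, k, p), (m * pow(B, k, p)) % p


def elgamal_decrypt(p, b, c1, c2):
    """m = c1^(p-b-1) * c2 mod p: because c1^(p-1) = 1, c1^(p-b-1) = c1^(-b) = (g^k)^(-b) = B^(-k)."""
    return (pow(c1, p - b - 1, p) * c2) % p


def round_trip(p, g, b, m):
    """Encrypt m with a random k (as the algorithm requires) and decrypt it again."""
    _, B = elgamal_keygen(p, g, b)
    k = 2 + secrets.randbelow(p - 3)          # uniform in 2..p-2
    c1, c2 = elgamal_encrypt(p, g, B, m, k)
    return elgamal_decrypt(p, b, c1, c2)


if __name__ == "__main__":
    P, G, PRIV, MSG = 2579, 2, 765, 1299       # constructed sample parameters
    b, B = elgamal_keygen(P, G, PRIV)
    print("public key (p, g, B) =", (P, G, B))
    print("two encryptions of the same message:",
          elgamal_encrypt(P, G, B, MSG, 853), elgamal_encrypt(P, G, B, MSG, 1001))
    print("decrypts to:", round_trip(P, G, PRIV, MSG))
```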


2.12 DIFFIE-HELLMAN KEY EXCHANGE

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel.

This key can then be used to encrypt subsequent communications using a symmetric key
cipher. The D-H algorithm depends for its effectiveness on the difficulty of computing discrete
logarithms.

First, a primitive root of a prime number p can be defined as one whose powers generate all
the integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers a
mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in
some permutation.

For any integer b and a primitive root a of prime number p, we can find a unique
exponent i such that b ≡ a^i (mod p). The exponent i is referred to as the
discrete logarithm of b for the base a, mod p. We express this value as dlog_a,p(b). The
algorithm is summarized below:


For this scheme, there are two publicly known numbers: a prime number q and an integer α that
is a primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a
random integer XA < q and computes YA = α^XA mod q. Similarly, user B independently
selects a random integer XB < q and computes YB = α^XB mod q. Each side keeps the X value
private and makes the Y value available publicly to the other side. User A computes the key
as K = (YB)^XA mod q and user B computes the key as K = (YA)^XB mod q. These two
calculations produce identical results.


Discrete Log Problem

The (discrete) exponentiation problem is as follows: given a base a, an exponent b and a
modulus p, calculate c such that a^b ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem is
fairly easy and can be calculated "quickly" using fast exponentiation. The discrete log problem
is the inverse problem: given a base a, a result c (0 ≤ c < p) and a modulus p, calculate the
exponent b such that a^b ≡ c (mod p). It turns out that no one has found a quick way to solve
this problem. With DLP, if p had 300 digits, and Xa and Xb have more than 100 digits, it would
take longer than the life of the universe to crack the method.
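The exchange and the discrete-log problem above, as an added Python example (not code from the notes): both sides compute their Y and K with square-and-multiply (the "fast exponentiation"), and a brute-force discrete logarithm recovers a private exponent only because the parameters are tiny. The constants q = 353, α = 3, XA = 97, XB = 233 are a textbook-sized constructed example chosen here, not values from these notes.

```python
def fast_pow(base, exp, mod):
    """Square-and-multiply: computes base^exp mod mod in O(log exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def dh_public_value(alpha, q, x):
    """Y = alpha^X mod q for a private value 0 < X < q."""
    if not 0 < x < q:
        raise ValueError("private value must satisfy 0 < X < q")
    return fast_pow(alpha, x, q)


def dh_shared_key(y_other, x, q):
    """K = (Y_other)^X mod q."""
    return fast_pow(y_other, x, q)


def dh_exchange(alpha, q, x_a, x_b):
    """Run both sides of the protocol: returns (Y_A, Y_B, K as A computes it, K as B computes it)."""
    y_a, y_b = dh_public_value(alpha, q, x_a), dh_public_value(alpha, q, x_b)
    return y_a, y_b, dh_shared_key(y_b, x_a, q), dh_shared_key(y_a, x_b, q)


def discrete_log(alpha, q, y):
    """Brute-force dlog_{alpha,q}(y): try every exponent in turn. Only feasible for a tiny q;
    for a 300-digit prime this loop is what 'longer than the life of the universe' refers to."""
    power = 1
    for i in range(1, q):
        power = (power * alpha) % q
        if power == y:
            return i
    return None


if __name__ == "__main__":
    Q, ALPHA, XA, XB = 353, 3, 97, 233            # constructed sample parameters
    y_a, y_b, k_a, k_b = dh_exchange(ALPHA, Q, XA, XB)
    print("YA =", y_a, "YB =", y_b)               # 40 248
    print("K at A =", k_a, "K at B =", k_b)       # 160 160
    print("eavesdropper recovers XA by brute force:", discrete_log(ALPHA, Q, y_a))  # 97
```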

Man-in-the-Middle Attack on D-H protocol

Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds
as follows:

1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.

2. Alice transmits YA to Bob.

3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.

4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.

5. Bob transmits YB to Alice.

6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.

7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2. All future communication between
Bob and Alice is compromised in the following way:

1. Alice sends an encrypted message M: E(K2, M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.

3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth
simply wants to eavesdrop on the communication without altering it. In the second case, Darth
wants to modify the message going to Bob.


UNIT 3

3.1 MESSAGE AUTHENTICATION CODE (MAC)

An alternative authentication technique involves the use of a secret key to generate a small fixed-
size block of data, known as a cryptographic checksum or MAC, that is appended to the message.
This technique assumes that two communicating parties, say A and B, share a common secret
key K. When A has to send a message to B, it calculates the MAC as a function of the message
and the key:

MAC = C_K(M), where M – input message, C – MAC function, K – shared secret key

The message and the MAC are transmitted to the intended recipient, who upon receiving them
performs the same calculation on the received message, using the same secret key, to generate a
new MAC. The received MAC is compared to the calculated MAC and only if they match, then:

- The receiver is assured that the message has not been altered: any alterations been done the

- The receiver is assured that the message is from the alleged sender: no one except the sender
has the secret key and could prepare a message with a proper MAC.

- If the message includes a sequence number, then the receiver is assured of proper sequence as an
attacker cannot successfully alter the sequence number.


There are three different situations where use of a MAC is desirable:

- If a message is broadcast to several destinations in a network (such as a military control center),
then it is cheaper and more reliable to have just one node responsible to evaluate the
authenticity; the message will be sent in plain with an attached authenticator.

- If one side has a heavy load, it cannot afford to decrypt all messages; it will just check the
authenticity of some randomly selected messages.

MESSAGE AUTHENTICATION CODE BASED ON DES

The Data Authentication Algorithm, based on DES, has been one of the most widely used
MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and
an ANSI standard (X9.17). But security weaknesses in this algorithm have been discovered,
and it is being replaced by newer and stronger algorithms. The algorithm can be defined as
using the cipher block chaining (CBC) mode of operation of DES, shown below, with an
initialization vector of zero. The data (e.g., message, record, file, or program) to be
authenticated are grouped into contiguous 64-bit blocks: D1, D2, ..., DN. If necessary, the final
block is padded on the right with zeroes to form a full 64-bit block. Using the DES
encryption algorithm, E, and a secret key, K, a data authentication code (DAC) is calculated
as follows:

The DAC consists of either the entire block O_N or the leftmost M bits of the block, with 16 ≤ M ≤ 64.

Use of a MAC needs a shared secret key between the communicating parties, and also a MAC does
not provide a digital signature. The following table summarizes the confidentiality and authentication
implications of the approaches shown above.


3.2 SECURE HASH ALGORITHM

The secure hash algorithm (SHA) was developed by the National Institute of Standards and
Technology (NIST). SHA-1 is the best established of the existing SHA hash functions, and is
employed in several widely used security applications and protocols. The algorithm takes as
input a message with a maximum length of less than 2^64 bits and produces as output a 160-bit
message digest.

The input is processed in 512-bit blocks. The overall processing of a message follows the
structure of MD5 with block length of 512 bits and a hash length and chaining variable length
of 160 bits. The processing consists of following steps:

1.) Append Padding Bits: the message is padded so that its length is congruent to 448 modulo
512; padding is always added: one 1 bit followed by the necessary number of 0 bits.

2.) Append Length: a block of 64 bits containing the length of the original message is added.

3.) Initialize MD buffer: a 160-bit buffer is used to hold intermediate and final results of the
hash function. This is formed by five 32-bit registers A, B, C, D, E. Initial values: A=0x67452301,
B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=0xC3D2E1F0. These are stored in big-endian
format, i.e. the most significant bit in the low address.

4.) Process message in 512-bit (16-word) blocks: the processing of a single 512-bit
block is shown above. It consists of four rounds of processing of 20 steps each. These four
rounds have a similar structure, but each uses a different primitive logical function, which we refer to
as f1, f2, f3 and f4. Each round takes as input the current 512-bit block being processed and
the 160-bit buffer value ABCDE and updates the contents of the buffer. Each round also makes
use of an additive constant Kt; four distinct constants are used in all. The output of the fourth round,
i.e. the eightieth step, is added to the input to the first round to produce CV(q+1).

5.) Output: after all L 512-bit blocks have been processed, the output from the Lth stage is the
160-bit message digest.


The behavior of SHA-1 is as follows:

CV0 = IV
CV(q+1) = SUM32(CVq, ABCDEq)
MD = CVL

where IV = initial value of the ABCDE buffer, ABCDEq = output of the last round of
processing of the qth message block, L = number of blocks in the message, SUM32 = addition
modulo 2^32, MD = final message digest value.

SHA-1 Compression Function:

Each round has 20 steps which replace the 5 buffer words. The logic present in each one of the
80 steps is given as:

(A, B, C, D, E) <- (E + f(t,B,C,D) + S^5(A) + Wt + Kt), A, S^30(B), C, D


where A, B, C, D, E = the five words of the buffer; t = step number, 0 ≤ t ≤ 79; f(t,B,C,D) = primitive
logical function for step t; S^k = circular left shift of the 32-bit argument by k bits; Wt = a 32-bit
word derived from the current 512-bit input block; Kt = an additive constant, of which four distinct
values are used; + = addition modulo 2^32.

SHA shares much in common with MD4/5, but with 20 instead of 16 steps in each of the 4 rounds.
Note the 4 constants are based on sqrt(2, 3, 5, 10). Note also that instead of just splitting the input
block into 32-bit words and using them directly, SHA-1 shuffles and mixes them using rotates and
XORs to form a more complex input, which greatly increases the difficulty of finding collisions.

A sequence of logical functions f0, f1, ..., f79 is used in SHA-1. Each ft, 0 ≤ t ≤ 79, operates
on three 32-bit words B, C, D and produces a 32-bit word as output. ft(B,C,D) is defined as follows:

ft(B,C,D) = (B AND C) OR ((NOT B) AND D)          (0 ≤ t ≤ 19)
ft(B,C,D) = B XOR C XOR D                         (20 ≤ t ≤ 39)
ft(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)   (40 ≤ t ≤ 59)
ft(B,C,D) = B XOR C XOR D                         (60 ≤ t ≤ 79)
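The five processing steps, the step logic and the ft definitions above, as an added Python implementation of SHA-1 (not code from the notes) checked against the standard library. The four Kt values and the Wt message-schedule formula are the published SHA-1 constants and schedule (the notes only describe them in words); the sample messages are constructed.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Initial buffer A..E (step 3) and the four additive constants Kt (published SHA-1 values).
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl(x, k):
    """S^k: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK


def f(t, b, c, d):
    """Primitive logical function ft(B,C,D): one definition per 20-step round."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def pad_message(msg):
    """Steps 1-2: a single 1 bit, 0 bits up to 448 mod 512, then the 64-bit big-endian bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def compress(state, block):
    """Step 4: one 512-bit block updates the 160-bit buffer ABCDE through 80 steps."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 80):                      # expand 16 words to 80 with rotates and XORs
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        temp = (e + f(t, b, c, d) + rotl(a, 5) + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    # CV(q+1) = SUM32(CVq, ABCDEq): add the round output to the round input modulo 2^32
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1(msg):
    """Steps 3 and 5: start from the IV, process every block, emit the 160-bit digest as hex."""
    state = H0
    padded = pad_message(msg)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return b"".join(struct.pack(">L", s) for s in state).hex()


def matches_stdlib(msg):
    """Cross-check this implementation against hashlib on the same input."""
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"))   # a9993e364706816aba3e25717850c26c9cd0d89d
    # constructed messages around the padding boundaries (55, 56 and 64 bytes)
    print(all(matches_stdlib(m) for m in (b"", b"a" * 55, b"a" * 56, b"a" * 64, b"lecture notes" * 9)))
```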

SHA-512 Compression Function

- Heart of the algorithm.
- Processes the message in 1024-bit blocks.
- Consists of 80 rounds.
- Updates a 512-bit buffer.
- Uses a 64-bit value Wt derived from the current message block.
- And a round constant based on the cube roots of the first 80 prime numbers.

SHA-512 Round Function


3.3 AUTHENTICATION REQUIREMENTS

In the context of communication across a network, the following attacks can be identified:

1. Disclosure – release of message contents to any person or process not possessing the
appropriate cryptographic key.

2. Traffic analysis – discovery of the pattern of traffic between parties.

3. Masquerade – insertion of messages into the network from a fraudulent source.

4. Content modification – changes to the content of the message, including insertion, deletion,
transposition and modification.

5. Sequence modification – any modification to a sequence of messages between parties,
including insertion, deletion and reordering.

6. Timing modification – delay or replay of messages.

7. Source repudiation – denial of transmission of message by source.

8. Destination repudiation – denial of transmission of message by destination.

Measures to deal with the first two attacks are in the realm of message confidentiality. Measures
to deal with 3 through 6 are regarded as message authentication. Item 7 comes under digital
signature, and dealing with item 8 may require a combination of digital signature and a protocol
to counter this attack.

3.4 HMAC

Interest in developing a MAC derived from a cryptographic hash code has been increasing,
mainly because hash functions are generally faster and are also not limited by export
restrictions, unlike block ciphers. An additional reason is that library code for
cryptographic hash functions is widely available. The original proposal was for incorporation of
a secret key into an existing hash algorithm, and the approach that received most support is
HMAC. HMAC is specified as Internet standard RFC 2104. It makes use of the hash function
on the given message. Any of MD5, SHA-1, RIPEMD-160 can be used.

HMAC Design Objectives

To use, without modifications, available hash functions

To allow for easy replaceability of the embedded hash function

To preserve the original performance of the hash function

To use and handle keys in a simple way

To have a well understood cryptographic analysis of the strength of the MAC based on
reasonable assumptions on the embedded hash function

The first two objectives are very important for the acceptability of HMAC. HMAC treats the
hash function as a "black box", which has two benefits. First, an existing implementation of
the hash function can be used for implementing HMAC, making the bulk of the HMAC code
readily available without modification. Second, if an existing hash function is ever to be
replaced, the existing hash function module is removed and a new module is dropped in.
The last design objective provides the main advantage of HMAC over other proposed
hash-based schemes: HMAC can be proven secure provided that the embedded hash function
has some reasonable cryptographic strength.

Steps involved in the HMAC algorithm:

1. Append zeroes to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and
b = 512, then K will be appended with 44 zero bytes).

2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.

3. Append M to Si.

4. Now apply H to the stream generated in step 3.

5. XOR K+ with opad to produce the b-bit block S0.

6. Append the hash result from step 4 to S0.

7. Apply H to the stream generated in step 6 and output the result.

HMAC Algorithm

HMAC Structure


The XOR with ipad results in flipping one-half of the bits of K. Similarly, XOR with opad
results in flipping one-half of the bits of K, but a different set of bits. By passing Si and S0
through the compression function of the hash algorithm, we have pseudorandomly generated
two keys from K.

HMAC should execute in approximately the same time as the embedded hash function for long
messages. HMAC adds three executions of the hash compression function (for S0, Si, and the
block produced from the inner hash).

A more efficient implementation is possible. Two quantities are precomputed:

f(IV, (K+ ⊕ ipad))

f(IV, (K+ ⊕ opad))

where f is the compression function for the hash function, which takes as arguments a chaining
variable of n bits and a block of b bits and produces a chaining variable of n bits.


As shown in the above figure, these values need to be computed initially and every time a
key changes. The precomputed quantities substitute for the initial value (IV) in the hash
function. With this implementation, only one additional instance of the compression function
is added to the processing normally produced by the hash function. This implementation is
worthwhile if most of the messages for which a MAC is computed are short.
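The seven HMAC steps and the precomputed form described above, as an added Python example that is not code from the notes: hmac_from_steps follows the steps with hashlib as H, and PrecomputedHMAC keeps the hash state after absorbing K+ ⊕ ipad and K+ ⊕ opad once per key, using the hash object's copy() as the saved chaining variable. RFC 2104 pads K with zeros on the right (after the key bytes) and hashes keys longer than b first; the code does both, and stdlib_reference cross-checks against the standard library.

```python
import hashlib
import hmac

# Added example (not from the lecture notes): HMAC from the step list, and the
# precomputed-state variant described in the text.

IPAD = 0x36
OPAD = 0x5C


def prepare_key(key: bytes, hash_ctor=hashlib.sha256) -> bytes:
    """K+ : the key, hashed first if longer than the block size b, zero-padded to b bytes."""
    block_size = hash_ctor().block_size              # b = 64 bytes for SHA-1/SHA-256
    if len(key) > block_size:
        key = hash_ctor(key).digest()                # RFC 2104: long keys are hashed down
    return key + bytes(block_size - len(key))        # zeros follow the key bytes


def hmac_from_steps(key: bytes, message: bytes, hash_ctor=hashlib.sha256) -> bytes:
    k_plus = prepare_key(key, hash_ctor)                  # step 1
    s_i = bytes(kb ^ IPAD for kb in k_plus)               # step 2: Si = K+ XOR ipad
    inner = hash_ctor(s_i + message).digest()             # steps 3-4: H(Si || M)
    s_o = bytes(kb ^ OPAD for kb in k_plus)               # step 5: S0 = K+ XOR opad
    return hash_ctor(s_o + inner).digest()                # steps 6-7: H(S0 || H(Si || M))


class PrecomputedHMAC:
    """Saves the hash state after the first block (Si and S0) so each message costs the
    bare hash plus one extra compression for the outer hash, as the text describes."""

    def __init__(self, key: bytes, hash_ctor=hashlib.sha256):
        k_plus = prepare_key(key, hash_ctor)
        self._inner = hash_ctor(bytes(kb ^ IPAD for kb in k_plus))   # f(IV, K+ XOR ipad)
        self._outer = hash_ctor(bytes(kb ^ OPAD for kb in k_plus))   # f(IV, K+ XOR opad)

    def tag(self, message: bytes) -> bytes:
        inner = self._inner.copy()       # copy the chaining variable, never the key itself
        inner.update(message)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()


def verify(tag: bytes, key: bytes, message: bytes, hash_ctor=hashlib.sha256) -> bool:
    """Constant-time comparison so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(tag, hmac_from_steps(key, message, hash_ctor))


def stdlib_reference(key: bytes, message: bytes, hash_ctor=hashlib.sha256) -> bytes:
    """The standard library's HMAC, used to cross-check the step-by-step version."""
    return hmac.new(key, message, hash_ctor).digest()


if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"    # constructed sample inputs
    t = hmac_from_steps(key, msg, hashlib.sha1)
    assert t == PrecomputedHMAC(key, hashlib.sha1).tag(msg)
    assert t == stdlib_reference(key, msg, hashlib.sha1)
    print("HMAC-SHA1 =", t.hex())
```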

Security of HMAC:

The appeal of HMAC is that its designers have been able to prove an exact relationship between
the strength of the embedded hash function and the strength of HMAC. The security of a MAC
function is generally expressed in terms of the probability of successful forgery with a given
amount of time spent by the forger and a given number of message-MAC pairs created with
the same key. There are two classes of attacks on the embedded hash function:

1. The attacker is able to compute an output of the compression function even with an IV that is
random, secret and unknown to the attacker.

2. The attacker finds collisions in the hash function even when the IV is random and secret.

These attacks amount to either a brute-force attack on the key used, which has work of order
2^n, or a birthday attack, which requires work of order 2^(n/2) but also requires the attacker to
observe 2^n blocks of messages using the same key, which is very unlikely. So even MD5 is still
secure for use in HMAC given these constraints.

3.5 CMAC

In cryptography, CMAC (Cipher-based Message Authentication Code)[1] is a block cipher-based
message authentication code algorithm. It may be used to provide assurance of the
authenticity and, hence, the integrity of binary data. This mode of operation fixes security
deficiencies of CBC-MAC (CBC-MAC is secure only for fixed-length messages).

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway
proposed and analyzed under the name XCBC[2] and submitted to NIST.[3] The XCBC
algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three
keys. Iwata and Kurosawa proposed an improvement of XCBC and named the resulting
algorithm One-Key CBC-MAC (OMAC) in their papers.[4][5] They later submitted
OMAC1[6], a refinement of OMAC, and additional security analysis.[7] The OMAC
algorithm reduces the amount of key material required for XCBC. CMAC is equivalent to
OMAC1.

To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one
first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to
multiplication by x and x^2 in the finite field GF(2^b)). Let ≪ denote the standard left-shift operator and ⊕ denote
exclusive or:

1. Calculate a temporary value k0 = Ek(0).

2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that
depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first
irreducible degree-b binary polynomial with the minimal number of ones.)

3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.

4. Return keys (k1, k2) for the MAC generation process.
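An added Python example (not code from the notes) of the subkey derivation above, generalized to both block sizes SP 800-38B defines (64-bit with C = 0x1B, 128-bit with C = 0x87), together with the tag computation that consumes k1 and k2. The block cipher is passed in as a callable; demo_prf_cipher is a constructed SHA-256 stand-in so the example runs offline and is not a real block cipher, and the subkey check values come from the RFC 4493 AES-128 example.

```python
import hashlib

# Added example (not from the lecture notes): CMAC subkeys and tag generation.
# SP 800-38B constants C for the two block sizes it defines:
# b = 64  -> x^64 + x^4 + x^3 + x + 1  -> 0x1B
# b = 128 -> x^128 + x^7 + x^2 + x + 1 -> 0x87
REDUCTION_CONSTANT = {8: 0x1B, 16: 0x87}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _times_x(block: bytes) -> bytes:
    """Multiply by x in GF(2^b): shift left one bit, XOR C if the dropped msb was 1."""
    b_bits = len(block) * 8
    v = int.from_bytes(block, "big")
    msb = v >> (b_bits - 1)
    v = (v << 1) & ((1 << b_bits) - 1)
    if msb:
        v ^= REDUCTION_CONSTANT[len(block)]
    return v.to_bytes(len(block), "big")


def cmac_subkeys(k0: bytes):
    """k0 = E_k(0^b); returns (k1, k2) = (k0 * x, k0 * x^2) as in steps 2 and 3."""
    k1 = _times_x(k0)
    k2 = _times_x(k1)
    return k1, k2


def cmac_tag(encrypt_block, block_size: int, message: bytes, tag_len: int = None) -> bytes:
    """CBC-MAC over the message; the final block is masked with k1 if complete, otherwise
    padded with 10...0 and masked with k2 (this is what distinguishes CMAC from CBC-MAC)."""
    k1, k2 = cmac_subkeys(encrypt_block(bytes(block_size)))      # step 1: k0 = E_k(0)
    n = max(1, (len(message) + block_size - 1) // block_size)   # at least one block
    blocks = [message[i * block_size:(i + 1) * block_size] for i in range(n)]
    last = blocks[-1]
    if len(last) == block_size:
        last = _xor(last, k1)                                     # complete last block
    else:
        last = _xor(last + b"\x80" + bytes(block_size - len(last) - 1), k2)
    x = bytes(block_size)
    for blk in blocks[:-1]:
        x = encrypt_block(_xor(x, blk))
    tag = encrypt_block(_xor(x, last))
    return tag if tag_len is None else tag[:tag_len]             # optional truncation


def demo_prf_cipher(key: bytes, block_size: int = 16):
    """Stand-in 'block cipher' (keyed hash truncated to the block size), for demonstration
    only; a real deployment passes AES from a cryptographic library here."""
    def encrypt_block(block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:block_size]
    return encrypt_block


if __name__ == "__main__":
    # RFC 4493 example: for K = 2b7e1516 28aed2a6 abf71588 09cf4f3c, AES-128(K, 0) is:
    l_block = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")
    k1, k2 = cmac_subkeys(l_block)
    print("K1 =", k1.hex())    # fbeed618357133667c85e08f7236a8de
    print("K2 =", k2.hex())    # f7ddac306ae266ccf90bc11ee46d513b
    e = demo_prf_cipher(b"constructed demo key")
    print("tag =", cmac_tag(e, 16, b"constructed sample message").hex())
```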


3.6 DIGITAL SIGNATURE

The most important development from the work on public-key cryptography is the digital
signature. Message authentication protects two parties who exchange messages from any third
party. However, it does not protect the two parties against each other. A digital signature is
analogous to the handwritten signature, and provides a set of security capabilities that would
be difficult to implement in any other way. It must have the following properties:

• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function. A variety of approaches
has been proposed for the digital signature function. These approaches fall into two categories:
direct and arbitrated.

Direct Digital Signature

Direct digital signatures involve the direct application of public-key algorithms involving only
the communicating parties. A digital signature may be formed by encrypting the entire message
with the sender's private key, or by encrypting a hash code of the message with the sender's
private key. Confidentiality can be provided by further encrypting the entire message plus
signature using either public or private key schemes. It is important to perform the signature
function first and then an outer confidentiality function, since in case of dispute some third
party must view the message and its signature. But these approaches are dependent on the
security of the sender's private key: there will be problems if it is lost or stolen and signatures
are forged, so time-stamps and timely key revocation are needed.

Arbitrated Digital Signature

The problems associated with direct digital signatures can be addressed by using an arbiter, in
a variety of possible arrangements. The arbiter plays a sensitive and crucial role in this sort of
scheme, and all parties must have a great deal of trust that the arbitration mechanism is
working properly. These schemes can be implemented with either private or public-key
algorithms, and the arbiter may or may not see the actual message contents.

Using Conventional Encryption

X → A : M || E(Kxa, [IDx || H(M)])

A → Y : E(Kay, [IDx || M || E(Kxa, [IDx || H(M)]) || T])

It is assumed that the sender X and the arbiter A share a secret key Kxa and that A and Y share
a secret key Kay. X constructs a message M and computes its hash value H(M). Then X transmits
the message plus a signature to A. The signature consists of an identifier IDx of X plus the hash
value, all encrypted using Kxa.

A decrypts the signature and checks the hash value to validate the message. Then A transmits
a message to Y, encrypted with Kay. The message includes IDx, the original message from X,
the signature, and a timestamp.

Arbiter sees message.

Problem: the arbiter could form an alliance with the sender to deny a signed message, or with the
receiver to forge the sender's signature.

Using Public Key Encryption

X → A : IDx || E(PRx, [IDx || E(PUy, E(PRx, M))])

A → Y : E(PRa, [IDx || E(PUy, E(PRx, M)) || T])

X double encrypts a message M, first with X's private key, PRx, and then with Y's public key,
PUy. This is a signed, secret version of the message. This signed message, together with X's
identifier, is encrypted again with PRx and, together with IDx, is sent to A. The inner, double
encrypted message is secure from the arbiter (and everyone else except Y).


A can decrypt the outer encryption to assure that the message must have come from X (because
only X has PRx). Then A transmits a message to Y, encrypted with PRa. The message includes
IDx, the double encrypted message, and a timestamp.

Arbiter does not see message

Digital Signature Standard (DSS)

The National Institute of Standards and Technology (NIST) has published Federal Information
Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS
makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique,
the Digital Signature Algorithm (DSA). The DSS uses an algorithm that is designed to provide
only the digital signature function and cannot be used for encryption or key exchange, unlike
RSA.

The RSA approach is shown below. The message to be signed is input to a hash function that
produces a secure hash code of fixed length. This hash code is then encrypted using the sender's
private key to form the signature. Both the message and the signature are then transmitted.

The recipient takes the message and produces a hash code. The recipient also decrypts the
signature using the sender's public key. If the calculated hash code matches the decrypted
signature, the signature is accepted as valid. Because only the sender knows the private key,
only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function. The hash code is provided as input to a
signature function along with a random number k generated for this particular signature. The
signature function also depends on the sender's private key (PRa) and a set of parameters
known to a group of communicating principals. We can consider this set to constitute a global
public key (PUG). The result is a signature consisting of two components, labeled s and r.

At the receiving end, the hash code of the incoming message is generated. This plus the
signature is input to a verification function. The verification function also depends on the global
public key as well as the sender's public key (PUa), which is paired with the sender's private
key. The output of the verification function is a value that is equal to the signature component
r if the signature is valid. The signature function is such that only the sender, with knowledge
of the private key, could have produced the valid signature.

3.7 ELGAMAL SIGNATURE SCHEME

The ElGamal signature scheme is a digital signature scheme which is based on the
difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1984.

The ElGamal signature algorithm is rarely used in practice. A variant developed at the NSA
and known as the Digital Signature Algorithm is much more widely used. There are
several other variants. The ElGamal signature scheme must not be confused with ElGamal
encryption, which was also invented by Taher Elgamal.

The ElGamal signature scheme allows a third party to confirm the authenticity of a message.
Given a prime p, a public random number g and a private (key) random number x, compute
y = g^x (mod p); the public key is (y, g, p).

Key Generation

• Randomly choose a secret key x with 1 < x < p − 2.
• Compute y = g^x mod p.
• The public key is (y, g, p).
• The secret key is x.

These steps are performed once by the signer.

Signature Generation

To sign a message m the signer performs the following steps.

• Choose a random k such that 1 < k < p − 1 and gcd(k, p − 1) = 1.
• Compute a = g^k (mod p).
• Solve M = x·a + k·b (mod p − 1) for b.
• If b = 0, start over again.

Then the pair (a, b) is the digital signature of m. The signer repeats these steps for every
signature.

ElGamal Signature Scheme

Given a prime p, a public random number g and a private (key) random number x, compute

• y = g^x (mod p)

The public key is (y, g, p):

• note that (g, p) may be shared by many users
• p must be large enough so that the discrete log is hard

The private key is x.

To sign a message M:

• choose a random number k with gcd(k, p − 1) = 1
• compute a = g^k (mod p)
• use the extended Euclidean (inverse) algorithm to solve
• M = x·a + k·b (mod p − 1) for b
• the signature is (a, b); k must be kept secret
• (like ElGamal encryption, the signature is double the message size)

To verify a signature (a, b), confirm:

• y^a · a^b (mod p) = g^M (mod p)

Example of ElGamal Signature Scheme

Given p = 11, g = 2:

• choose private key x = 8
• compute y = g^x (mod p) = 2^8 (mod 11) = 3
• public key is (y = 3, g = 2, p = 11)

To sign a message M = 5:

• choose random k = 9
• confirm gcd(10, 9) = 1
• compute a = g^k (mod p) = 2^9 (mod 11) = 6
• solve 5 = 8·6 + 9·b (mod 10), which gives b = 3

The signature is (a = 6, b = 3). To verify the signature, confirm that the following holds:

y^a · a^b (mod p) = g^M (mod p): 3^6 · 6^3 (mod 11) = 2^5 (mod 11), both sides being 10.
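The scheme above in Python, as an added example that is not code from the notes: signing solves M = x·a + k·b (mod p−1) for b using the modular inverse of k, verification checks y^a · a^b ≡ g^M (mod p) and rejects out-of-range components, and the notes' worked example (p = 11, g = 2, x = 8, M = 5, k = 9) is reproduced. For the larger run it assumes p = 2^31 − 1 with g = 7 as the group parameters and treats M as an integer, as the notes do.

```python
from math import gcd
import secrets

# Added example (not from the lecture notes): ElGamal signatures in the (a, b) notation
# of the notes, M = x*a + k*b (mod p-1). M is an integer in [0, p-2]; a real system
# would sign a hash of the message reduced mod p-1.


def elgamal_keygen(p: int, g: int, x: int = None):
    """Return ((y, g, p), x). A random secret key with 1 < x < p-2 is drawn unless x is given."""
    if x is None:
        x = 2 + secrets.randbelow(p - 4)          # 2 <= x <= p-3
    if not 1 < x < p - 2:
        raise ValueError("x must satisfy 1 < x < p-2")
    return (pow(g, x, p), g, p), x


def elgamal_sign(M: int, x: int, g: int, p: int, k: int = None):
    """Sign M with secret x; returns (a, b). k must be fresh, secret and coprime to p-1."""
    if k is not None and not (1 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must satisfy 1 < k < p-1 and gcd(k, p-1) = 1")
    while True:
        kk = k if k is not None else 2 + secrets.randbelow(p - 3)   # 2 <= kk <= p-2
        if gcd(kk, p - 1) != 1:
            continue                               # random kk has no inverse mod p-1
        a = pow(g, kk, p)
        # inverse of kk mod p-1 (extended Euclid behind pow) solves M = x*a + kk*b for b
        b = ((M - x * a) * pow(kk, -1, p - 1)) % (p - 1)
        if b != 0:
            return a, b
        k = None                                   # b = 0: start over with a fresh k


def elgamal_verify(M: int, signature, y: int, g: int, p: int) -> bool:
    """Accept iff y^a * a^b = g^M (mod p), after rejecting out-of-range components."""
    a, b = signature
    if not (0 < a < p and 0 < b < p - 1):
        return False
    return (pow(y, a, p) * pow(a, b, p)) % p == pow(g, M, p)


if __name__ == "__main__":
    # the worked example from the notes: p = 11, g = 2, x = 8, M = 5, k = 9
    (y, g, p), x = elgamal_keygen(11, 2, x=8)
    sig = elgamal_sign(5, x, g, p, k=9)
    print("y =", y, "signature =", sig)                   # y = 3, signature = (6, 3)
    print("valid:", elgamal_verify(5, sig, y, g, p))     # True
    print("tampered:", elgamal_verify(6, sig, y, g, p))  # False
    # a larger run with assumed parameters p = 2^31 - 1, g = 7 and a random x, k
    (y, g, p), x = elgamal_keygen(2147483647, 7)
    sig = elgamal_sign(12345, x, g, p)
    print("large-p valid:", elgamal_verify(12345, sig, y, g, p))
```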



3.8 SYMMETRIC KEY DISTRIBUTION USING SYMMETRIC AND ASYMMETRIC ENCRYPTION

Symmetric Key Distribution Using Symmetric Encryption

For symmetric encryption to work, the two parties to an exchange must share the same key.
For two parties A and B, key distribution can be achieved in a number of ways, as
follows:

1. A can select a key and physically deliver it to B.

2. A third party can select the key and physically deliver it to A and B.

3. If A and B have previously and recently used a key, one party can transmit
the new key to the other, encrypted using the old key.

4. If A and B each has an encrypted connection to a third party C, C can deliver a key on
the encrypted links to A and B.

The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum,
two levels of keys are used (Figure 14.2). Communication between end systems is encrypted
using a temporary key, often referred to as a session key. Typically, the session key is used for
the duration of a logical connection, such as a frame relay connection or transport connection,
and then discarded.

For each end system or user, there is a unique master key that it shares with the key
distribution center. Of course, these master keys must be distributed in some fashion. However,
the scale of the problem is vastly reduced. If there are N entities that wish to communicate in
pairs, then, as was mentioned, as many as [N(N - 1)]/2 session keys are needed at any one time.
However, only N master keys are required, one for each entity. Thus, master keys can be
distributed in some noncryptographic way, such as physical delivery.


SYMMETRIC KEY DISTRIBUTION USING ASYMMETRIC ENCRYPTION

Because of the inefficiency of public key cryptosystems, they are almost never used for the
direct encryption of sizable blocks of data, but are limited to relatively small blocks. One of the
most important uses of a public-key cryptosystem is to encrypt secret keys for distribution. We
see many specific examples of this in Part Five. Here, we discuss general principles and typical
approaches.

Simple Secret Key Distribution

An extremely simple scheme was put forward by Merkle [MERK79], as illustrated
in Figure 14.7. If A wishes to communicate with B, the following procedure is employed:

1. A generates a public/private key pair {PUa, PRa} and transmits a message to
B consisting of PUa and an identifier of A, IDA.

2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt
the message, only A and B will know the identity of Ks.

4. A discards PUa and PRa and B discards PUa.

A and B can now securely communicate using conventional encryption and the session
key Ks. At the completion of the exchange, both A and B discard Ks.

Despite its simplicity, this is an attractive protocol. No keys exist before the start
of the communication and none exist after the completion of communication. Thus,
the risk of compromise of the keys is minimal. At the same time, the
communication is secure from eavesdropping.

However, the protocol is insecure against an adversary who can intercept messages and then
either relay or substitute them. Such an attack is known as a man-in-the-middle attack. In this
case, if an adversary, E, has control of the intervening communication channel, then E can
compromise the communication in the following fashion without being detected.

1. A generates a public/private key pair {PUa, PRa} and transmits a message
intended for B consisting of PUa and an identifier of A, IDA.

2. E intercepts the message, creates its own public/private key pair {PUe, PRe}
and transmits PUe || IDA to B.

3. B generates a secret key, Ks, and transmits E(PUe, Ks).

4. E intercepts the message and learns Ks by computing D(PRe, E(PUe, Ks)).

5. E transmits E(PUa, Ks) to A.

The result is that both A and B know Ks and are unaware that Ks has also been revealed to E.
A and B can now exchange messages using Ks. E no longer actively interferes with
the communications channel but simply eavesdrops. Knowing Ks, E can decrypt all
messages, and both A and B are unaware of the problem. Thus, this simple protocol is only
useful in an environment where the only threat is eavesdropping.

Secret Key Distribution with Confidentiality and Authentication

Figure 14.8, based on an approach suggested in [NEED78], provides protection against both
active and passive attacks. We begin at a point when it is assumed that A and B have exchanged
public keys by one of the schemes described subsequently in this chapter. Then the following
steps occur.


1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a
nonce (N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new
nonce generated by B (N2). Because only B could have decrypted message (1), the presence
of N1 in message (2) assures A that the correspondent is B.

3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.

4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message
with B's public key ensures that only B can read it; encryption with A's private key ensures that
only A could have sent it.

5. B computes D(PUa, D(PRb, M)) to recover the secret key.

The result is that this scheme ensures both confidentiality and authentication in the
exchange of a secret key.

3.9 KERBEROS

KERBEROS VERSION 4

1.) SIMPLE DIALOGUE:

More Simple Dialogue

The Version 4 Authentication Dialogue: the full Kerberos v4 authentication dialogue is
shown here divided into 3 phases.


MORE SECURE DIALOGUE

There is a problem of captured ticket-granting tickets and the need to determine that the ticket
presenter is the same as the client for whom the ticket was issued. An efficient way of doing this
is to use a session encryption key to secure information.

Message (1) includes a timestamp, so that the AS knows that the message is timely. Message(2)
includes several elements of the ticket in a form accessible to C. This enables C to confirm that
this ticket is for the TGS and to learn its expiration time. Note that the ticket does not prove
anyone's identity but is a way to distribute keys securely. It is the authenticator that proves the
client's identity. Because the authenticator can be used only once and has a short lifetime, the
threat of an opponent stealing both the ticket and the authenticator for presentation later is
countered. C then sends the TGS a message that includes the ticket plus the ID of the requested
service (message 3). The reply from the TGS, in message (4), follows the form of message (2).
C now has a reusable service-granting ticket for V. When C presents this ticket, as shown in
message (5), it also sends an authenticator.


Kerberos Realms

A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a
number of application servers is referred to as a Kerberos realm. A Kerberos realm is a set of
managed nodes that share the same Kerberos database and are part of the same administrative
domain. If there are multiple realms, their Kerberos servers must share keys and trust each other.

The following figure shows the authentication messages where service is being requested from
another domain. The ticket presented to the remote server indicates the realm in which the user
was originally authenticated. The server chooses whether to honor the remote request. One
problem presented by the foregoing approach is that it does not scale well to many realms, as
each pair of realms needs to share a key.


The limitations of Kerberos version 4 are categorised into two types:

Environmental shortcomings of Version 4:

– Encryption system dependence: DES
– Internet protocol dependence
– Ticket lifetime
– Authentication forwarding
– Inter-realm authentication

Technical deficiencies of Version 4:

– Double encryption
– Session keys
– Password attack


KERBEROS VERSION 5

Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over version
4 in the areas of environmental shortcomings and technical deficiencies. It includes some new
elements such as:

Realm: Indicates the realm of the user

Options

Times

– From: the desired start time for the ticket
– Till: the requested expiration time
– Rtime: the requested renew-till time

Nonce: A random value to assure the response is fresh

The basic Kerberos version 5 authentication dialogue is shown here. First, consider the
authentication service exchange. Message (1) is a client request for a ticket-granting ticket. Message
(2) returns a ticket-granting ticket, identifying information for the client, and a block encrypted using
the encryption key based on the user's password. This block includes the session key to be used
between the client and the TGS. Now compare the ticket-granting service exchange for versions 4
and 5. See that message (3) for both versions includes an authenticator, a ticket, and the name of the
requested service. In addition, version 5 includes requested times and options for the ticket and a
nonce, all with functions similar to those of message (1). The authenticator itself is
essentially the same as the one used in version 4. Message (4) has the same structure as message (2),
returning a ticket plus information needed by the client, the latter encrypted with the session key now
shared by the client and the TGS. Finally, for the client/server authentication exchange, several new
features appear in version 5, such as a request for mutual authentication. If required, the server
responds with message (6), which includes the timestamp from the authenticator. The flags field
included in tickets in version 5 supports expanded functionality compared to that available in version
4.

Advantages of Kerberos:

• Users' passwords are never sent across the network, encrypted or in plaintext
• Secret keys are only passed across the network in encrypted form
• Client and server systems mutually authenticate
• It limits the duration of its users' authentication
• Authentications are reusable and durable
• Kerberos has been scrutinized by many of the top programmers, cryptologists and security experts
in the industry.

3.10 X.509 AUTHENTICATION SERVICE

ITU-T recommendation X.509 is part of the X.500 series of recommendations that define a
directory service. The directory is, in effect, a server or distributed set of servers that maintains a
database of information about users. The information includes a mapping from user name to
network address, as well as other attributes and information about the users. X.509 is based on the
use of public-key cryptography and digital signatures. The heart of the X.509 scheme is the public-
key certificate associated with each user. These user certificates are assumed to be created by some
trusted certification authority (CA) and placed in the directory by the CA or by the user. The
directory server itself is not responsible for the creation of public keys or for the certification
function; it merely provides an easily accessible location for users to obtain certificates.

The general format of a certificate is shown above, which includes the following elements:


• version (1, 2, or 3)
• serial number (unique within CA) identifying the certificate
• signature algorithm identifier
• issuer X.500 name (CA)
• period of validity (from - to dates)
• subject X.500 name (name of owner)
• subject public-key info (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)

The standard uses the following notation to define a certificate:

CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}

where Y<<X>> = the certificate of user X issued by certification authority Y

Y {I} = the signing of I by Y. It consists of I with an encrypted hash code appended.

User certificates generated by a CA have the following characteristics:


• Any user with the CA's public key can verify the user public key that was certified.
• No party other than the CA can modify the certificate without being detected.
• Because they cannot be forged, certificates can be placed in a public directory.

Scenario: Obtaining a User Certificate

If both users share a common CA then they are assumed to know its public key. Otherwise CAs
must form a hierarchy and use certificates linking members of the hierarchy to validate other CAs.
Each CA has certificates for clients (forward) and parent (backward). Each client trusts its parent's
certificates. This enables verification of any certificate from one CA by users of all other CAs in the
hierarchy. Suppose A has obtained a certificate from the CA X1 and B has obtained a certificate
from the CA X2. A can read B's certificate but cannot verify it. The solution is the chain
X1<<X2>> X2<<B>>: A obtains the certificate of X2 signed by X1 from the directory and so obtains
X2's public key; A then goes back to the directory, obtains the certificate of B signed by X2, and so
obtains B's public key securely. The directory entry for each CA includes two types of certificates:

Forward certificates: Certificates of X generated by other CAs
Reverse certificates: Certificates generated by X that are the certificates of other CAs

X.509 CA Hierarchy

A acquires B's certificate using the chain:

X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>

B acquires A's certificate using the chain:

Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>


Revocation of Certificates

Typically, a new certificate is issued just before the expiration of the old one. In addition, it may be
desirable on occasion to revoke a certificate before it expires, for one of the following reasons:

• The user's private key is assumed to be compromised.
• The user is no longer certified by this CA.
• The CA's certificate is assumed to be compromised.

Each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA,
including both those issued to users and to other CAs. These lists should also be posted on the
directory. Each certificate revocation list (CRL) posted to the directory is signed by the issuer and
includes the issuer's name, the date the list was created, the date the next CRL is scheduled to be
issued, and an entry for each revoked certificate. Each entry consists of the serial number of a
certificate and the revocation date for that certificate. Because serial numbers are unique within a CA,
the serial number is sufficient to identify the certificate.
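An added Python example (not code from the notes) of walking the CA hierarchy above: the directory holds forward and reverse certificates in the Y<<X>> notation, find_chain discovers X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> for A (and the reverse chain for B), and validate_chain applies the validity-period and CRL checks from the revocation discussion. Signatures are not modelled here; a real verifier must also check each certificate's signature with its issuer's public key, and the certificates, serials and dates below are constructed.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example (not from the lecture notes): chain discovery and CRL/validity checks
# over a constructed directory for the X, W, V, Y, Z hierarchy in the notes.


@dataclass(frozen=True)
class Certificate:
    issuer: str          # Y in Y<<X>>
    subject: str         # X in Y<<X>>
    serial: int          # unique within the issuing CA
    not_before: datetime
    not_after: datetime

    def notation(self) -> str:
        return f"{self.issuer}<<{self.subject}>>"


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def find_chain(directory, trust_anchor: str, target: str):
    """Breadth-first search from the CA the relying party trusts to the target's certificate.
    Forward and reverse certificates are both in the directory, so the search can move
    up and down the hierarchy; returns the list of certificates or None."""
    by_issuer = {}
    for cert in directory:
        by_issuer.setdefault(cert.issuer, []).append(cert)
    queue = deque([(trust_anchor, [])])
    visited = {trust_anchor}
    while queue:
        ca, path = queue.popleft()
        for cert in by_issuer.get(ca, []):
            if cert.subject in visited:
                continue
            chain = path + [cert]
            if cert.subject == target:
                return chain
            visited.add(cert.subject)
            queue.append((cert.subject, chain))
    return None


def validate_chain(chain, crls, now: datetime):
    """Reject the chain if any certificate is outside its validity period or its serial is on
    its issuer's CRL; crls maps issuer name -> set of revoked (not yet expired) serials."""
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.notation()} is outside its validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.notation()} (serial {cert.serial}) is revoked"
    return True, "".join(c.notation() for c in chain)


def _cert(issuer: str, subject: str, serial: int) -> Certificate:
    # constructed validity window shared by every certificate in the sample directory
    return Certificate(issuer, subject, serial, utc_date(2024, 1, 1), utc_date(2026, 1, 1))


# Constructed directory: forward/reverse CA certificates plus X<<A>> and Z<<B>>.
DIRECTORY = [
    _cert("X", "W", 1), _cert("W", "X", 2),
    _cert("W", "V", 3), _cert("V", "W", 4),
    _cert("V", "Y", 5), _cert("Y", "V", 6),
    _cert("Y", "Z", 7), _cert("Z", "Y", 8),
    _cert("X", "A", 9), _cert("Z", "B", 10),
]


if __name__ == "__main__":
    now = utc_date(2025, 6, 1)
    chain = find_chain(DIRECTORY, "X", "B")           # A trusts X and needs B's key
    print(validate_chain(chain, {}, now))             # (True, 'X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>')
    print(validate_chain(chain, {"W": {3}}, now))     # W has revoked its certificate for V
```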

3.11 AUTHENTICATION PROCEDURES

X.509 also includes three alternative authentication procedures that are intended for use across a
variety of applications. All these procedures make use of public-key signatures. It is assumed that the
two parties know each other's public key, either by obtaining each other's certificates from the
directory or because the certificate is included in the initial message from each side.

1. One-Way Authentication: One-way authentication involves a single transfer of information from
one user (A) to another (B), and establishes the details shown above. Note that only the identity of
the initiating entity is verified in this process, not that of the responding entity. At a minimum, the
message includes a timestamp, a nonce, and the identity of B, and is signed with A's private key. The
message may also include information to be conveyed, such as a session key for B.


2. Two-Way Authentication: Two-way authentication permits both parties in a communication to
verify the identity of the other, thus additionally establishing the above details. The reply message
includes the nonce from A, to validate the reply. It also includes a timestamp and nonce generated by
B, and possibly additional information for A.

3. Three-Way Authentication: Three-way authentication includes a final message from A to B, which
contains a signed copy of the nonce, so that timestamps need not be checked, for use when
synchronized clocks are not available.

3.12 PUBLIC KEY INFRASTRUCTURE (PKI)

PKI provides assurance of public keys. It provides the identification of public keys and their
distribution. An anatomy of PKI comprises the following components:

• Public Key Certificate, commonly referred to as 'digital certificate'.
• Private Key tokens.
• Certification Authority.
• Registration Authority.
• Certificate Management System.

Digital Certificate

By analogy, a certificate can be considered as the ID card issued to a person. People use ID cards such as a driver's license or passport to prove their identity. A digital certificate does the same basic thing in the electronic world, but with one difference.

Digital certificates are not only issued to people; they can be issued to computers, software packages or anything else that needs to prove its identity in the electronic world.

Digital certificates are based on the ITU standard X.509, which defines a standard certificate format for public key certificates and certificate validation. Hence digital certificates are sometimes also referred to as X.509 certificates.

The public key belonging to the user (client) is stored in the digital certificate by the Certification Authority (CA), along with other relevant information such as client information, expiration date, usage, issuer, etc.

The CA digitally signs this entire information and includes the digital signature in the certificate.

Anyone who needs assurance about the public key and associated information of the client carries out the signature validation process using the CA's public key. Successful validation assures that the public key given in the certificate belongs to the person whose details are given in the certificate.

The process of obtaining Digital Certificate by a person/entity is depicted in the following
illustration.


As shown in the illustration, the CA accepts the application from a client to certify his public key.
The CA, after duly verifying identity of client, issues a digital certificate to that client.

Certifying Authority (CA)

As discussed above, the CA issues a certificate to a client and assists other users in verifying the certificate. The CA takes responsibility for correctly establishing the identity of the client asking for a certificate to be issued, ensures that the information contained within the certificate is correct, and digitally signs it.

Key Functions of CA

The key functions of a CA are as follows −

Generating key pairs − The CA may generate a key pair independently or jointly with the client.

Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport agency − the CA issues a certificate after the client provides the credentials to confirm his identity. The CA then signs the certificate to prevent modification of the details contained in the certificate.

Publishing certificates − The CA needs to publish certificates so that users can find them. There are two ways of achieving this. One is to publish certificates in the equivalent of an electronic telephone directory. The other is to send your certificate out to those people you think might need it by one means or another.

Verifying certificates − The CA makes its public key available in the environment to assist verification of its signature on clients' digital certificates.


Revocation of certificates − At times, the CA revokes a certificate it has issued, for reasons such as compromise of the user's private key or loss of trust in the client. After revocation, the CA maintains a list of all revoked certificates that is available to the environment.

Classes of Certificates

There are four typical classes of certificate −

Class 1 − These certificates can be easily acquired by supplying an email address.

Class 2 − These certificates require additional personal information to be supplied.

Class 3 − These certificates can only be purchased after checks have been made about the requestor's identity.

Class 4 − They may be used by governments and financial organizations needing very high levels of trust.

Registration Authority (RA)

A CA may use a third-party Registration Authority (RA) to perform the necessary checks on the person or company requesting the certificate to confirm their identity. The RA may appear to the client as a CA, but it does not actually sign the certificate that is issued.

Certificate Management System (CMS)

It is the management system through which certificates are published, temporarily or permanently
suspended, renewed, or revoked. Certificate management systems do not normally delete certificates
because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA
along with associated RA runs certificate management systems to be able to track their
responsibilities and liabilities.

Private Key Tokens

While the public key of a client is stored in the certificate, the associated secret private key can be stored on the key owner's computer. This method is generally not adopted: if an attacker gains access to the computer, he can easily gain access to the private key. For this reason, a private key is stored on a secure removable storage token, access to which is protected through a password.


Different vendors often use different and sometimes proprietary storage formats for storing keys. For
example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore use the
standard .p12 format.

Hierarchy of CA

With vast networks and requirements of global communications, it is practically not feasible to have only one trusted CA from whom all users obtain their certificates. Secondly, having only one CA may lead to difficulties if that CA is compromised.

In such case, the hierarchical certification model is of interest since it allows public key certificates
to be used in environments where two communicating parties do not have trust relationships with the
same CA.

The root CA is at the top of the CA hierarchy, and the root CA's certificate is a self-signed certificate.

The CAs that are directly subordinate to the root CA (for example, CA1 and CA2) have CA certificates that are signed by the root CA.

The CAs under the subordinate CAs in the hierarchy (for example, CA5 and CA6) have their CA certificates signed by the higher-level subordinate CAs.

Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate chain traces a
path of certificates from a branch in the hierarchy to the root of the hierarchy.


The following illustration shows a CA hierarchy with a certificate chain leading from an entity certificate through two subordinate CA certificates (CA6 and CA3) to the CA certificate for the root CA. Verifying a certificate chain is the process of ensuring that a specific certificate chain is valid, correctly signed, and trustworthy. The following procedure verifies a certificate chain, beginning with the certificate that is presented for authentication:

A client whose authenticity is being verified supplies its certificate, generally along with the chain of certificates up to the root CA.

The verifier takes the certificate and validates it using the public key of the issuer. The issuer's public key is found in the issuer's certificate, which is next to the client's certificate in the chain.

Now, if the higher CA that signed the issuer's certificate is trusted by the verifier, verification is successful and stops here.

Else, the issuer's certificate is verified in the same manner as the client's certificate in the steps above. This process continues until either a trusted CA is found along the way or the root CA is reached.
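An added Python example of the chain-verification procedure just described (not code from the notes): certificates are small dataclasses carrying toy textbook-RSA signatures over tiny constructed primes, so only the chain-walking logic, not the signature primitive, is realistic; the names Root CA, CA3 and CA6 follow the hierarchy in the text.

```python
import hashlib
from dataclasses import dataclass
from math import gcd

# Toy "textbook RSA" over tiny primes stands in for real X.509 signatures (constructed example).
# Real verification would use a proper RSA/ECDSA implementation and ASN.1 parsing.

def make_keypair(p, q, e=17):
    """Return ((n, e), d) for the small primes p and q (toy key, never for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)

def sign(tbs: bytes, priv_d: int, n: int) -> int:
    # hash-then-sign; the digest is reduced mod n only because the toy modulus is tiny
    return pow(int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n, priv_d, n)

def verify(tbs: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple        # (n, e) of the subject
    not_after: int    # expiry as a simple integer "year"
    sig: int = 0      # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The to-be-signed part: everything except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.not_after}".encode()

def issue(subject, pub, not_after, issuer_cert, issuer_d):
    """Issuer signs a certificate for `subject`."""
    c = Cert(subject, issuer_cert.subject, pub, not_after)
    c.sig = sign(c.tbs(), issuer_d, issuer_cert.pub[0])
    return c

def verify_chain(chain, trusted, now):
    """Walk from the presented certificate toward the root, following the steps in the text.
    chain: [entity, its issuer, the issuer's issuer, ...]; trusted: {subject: Cert} the verifier trusts."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"{cert.subject} expired"
        # step 2: the issuer's public key comes from the verifier's own trust store if the issuer
        # is already trusted, otherwise from the next certificate in the supplied chain
        if cert.issuer in trusted:
            issuer = trusted[cert.issuer]
        elif i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            issuer = chain[i + 1]
        else:
            return False, f"no certificate available for issuer {cert.issuer}"
        if not verify(cert.tbs(), cert.sig, issuer.pub):
            return False, f"bad signature on {cert.subject}"
        # step 3: a trusted signer ends the walk successfully; step 4: otherwise repeat for the issuer
        if cert.issuer in trusted:
            return True, f"chain anchored at trusted CA {cert.issuer}"
    return False, "ran out of certificates before reaching a trusted CA"

def build_demo():
    """Constructed hierarchy Root CA -> CA3 -> CA6 -> entity, as in the illustration."""
    root_pub, root_d = make_keypair(61, 53)
    ca3_pub, ca3_d = make_keypair(67, 71)
    ca6_pub, ca6_d = make_keypair(73, 79)
    ent_pub, _ = make_keypair(83, 89)
    root = Cert("Root CA", "Root CA", root_pub, 2040)
    root.sig = sign(root.tbs(), root_d, root_pub[0])          # self-signed root
    ca3 = issue("CA3", ca3_pub, 2035, root, root_d)
    ca6 = issue("CA6", ca6_pub, 2032, ca3, ca3_d)
    entity = issue("alice@example.test", ent_pub, 2030, ca6, ca6_d)
    return root, ca3, ca6, entity

if __name__ == "__main__":
    root, ca3, ca6, entity = build_demo()
    print(verify_chain([entity, ca6, ca3], {"Root CA": root}, now=2025))
    print(verify_chain([entity, ca6], {"CA3": ca3}, now=2025))   # stops early at a trusted subordinate
```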


UNIT-4

4.1 WEB SECURITY CONSIDERATIONS:

Usage of the Internet for transferring or retrieving data has many benefits such as speed, reliability, security, etc. Much of the Internet's success and popularity lies in the fact that it is an open global network. At the same time, the fact that it is open and global makes it not very secure. The unique nature of the Internet makes exchanging information and transacting business over it inherently dangerous. The faceless, voiceless, unknown entities and individuals that share the Internet may or may not be who or what they profess to be. In addition, because the Internet is a global network, it does not recognize national borders and legal jurisdictions. As a result, the transacting parties may not be where they say they are and may not be subject to the same laws or regulations. For the exchange of information and for commerce to be secure on any network, especially the Internet, a system or process must be put in place that satisfies requirements for confidentiality, access control, authentication, integrity, and non-repudiation. These requirements are achieved on the Web through the use of encryption and by employing digital signature technology. There are many examples on the Web of the practical application of encryption. One of the most important is the SSL protocol.

A summary of types of security threats faced in using the Web is given below

One way of grouping the security threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a website that is supposed to be restricted. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a website. Another way of classifying these security threats is in terms of the location of the threat: Web server, Web browser, and network traffic between browser and server.

Web Traffic Security Approaches

Various approaches for providing Web security are available; they are similar in the services they provide and also similar to some extent in the mechanisms they use. They differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack. The main approaches are IPSec, SSL or TLS, and SET.


Relative location of Security Facilities in the TCP/IP Protocol Stack

IPSec provides security at the network level and the main advantage is that it is transparent to end
users and applications. In addition, IPSec includes a filtering capability so that only selected traffic
can be processed. Secure Socket Layer or Transport Layer Security (SSL/TLS) provides security
just above the TCP at transport layer. Two implementation choices are present here. Firstly, the
SSL/TLS can be implemented as a part of TCP/IP protocol suite, thereby being transparent to
applications. Alternatively, SSL can be embedded in specific packages like SSL being implemented
by Netscape and Microsoft Explorer browsers. Secure Electronic Transaction (SET) approach
provides application-specific services i.e., according to the security requirements of a particular
application. The main advantage of this approach is that service can be tailored to the specific needs
of a given application.


4.2 SECURE SOCKET LAYER/TRANSPORT LAYER SECURITY

SSL was developed by Netscape to provide security when transmitting information on the Internet. The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP).


SSL provides for secure communication between client and server by allowing mutual authentication,
the use of digital signatures for integrity and encryption for privacy. SSL protocol has different
versions such as SSLv2.0, SSLv3.0, where SSLv3.0 has an advantage with the addition of support
for certificate chain loading. SSL 3.0 is the basis for the Transport Layer Security [TLS] protocol
standard. SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL
is not a single protocol, but rather two layers of protocols as shown below:

The SSL Record Protocol provides basic security services to various higher-layer protocols. In
particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web
client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part
of SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol. Two
important SSL concepts are the SSL session and the SSL connection, which are defined in the
specification as follows:

Connection: A connection is a transport (in the OSI layering model definition) that provides a
suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections
are transient. Every connection is associated with one session.

Session: An SSL session is an association between a client and a server. Sessions are created by the
Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared
among multiple connections. Sessions are used to avoid the expensive negotiation of new security
parameters for each connection.
An SSL session is stateful. Once a session is established, there is a current operating state for both
read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and
write states are created. Upon successful conclusion of the Handshake Protocol, the pending states
become the current states. An SSL session may include multiple secure connections; in addition,
parties may have multiple simultaneous sessions.

A session state is defined by the following parameters:

Session identifier: An arbitrary byte sequence chosen by the server to identify an active or
resumable session state.

Peer certificate: An X.509v3 certificate of the peer. This element of the state may be null.


Compression method: The algorithm used to compress data prior to encryption.

Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc) and a hash
algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes
such as the hash_size.

Master secret:48-byte secret shared between the client and server.

Is resumable:A flag indicating whether the session can be used to initiate new connections.

A connection state is defined by the following parameters:

Server and client random: Byte sequences that are chosen by the server and client for each
connection.

Server write MAC secret: The secret key used in MAC operations on data sent by the server.

Client write MAC secret: The secret key used in MAC operations on data sent by the client.

Server write key:The conventional encryption key for data encrypted by the server and decrypted
by the client.

Client write key: The conventional encryption key for data encrypted by the client and decrypted by
the server.

Initialization vectors:When a block cipher in CBC mode is used, an initialization vector (IV) is
maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the
final ciphertext block from each record is preserved for use as the IV with the following record.

Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 2^64 - 1.

SSL Record Protocol

The SSL Record Protocol provides two services for SSL connections:

Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional
encryption of SSL payloads.


Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a
message authentication code (MAC).
The Record Protocol takes an application message to be transmitted, fragments the data into
manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and
transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed,
and reassembled and then delivered to higher-level users. The overall operation of the SSL Record
Protocol is shown below:

The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. The next step in processing is to compute a message authentication code over the compressed data. For this purpose, a shared secret key is used. The calculation is defined as:

hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment))


The main difference between HMAC and the above calculation is that the two pads are concatenated in SSLv3 and are XORed in HMAC. Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048. The encryption algorithms allowed are AES-128/256, IDEA-128, DES-40, 3DES-168, RC2-40, Fortezza, RC4-40 and RC4-128. For stream encryption, the compressed message plus the MAC are encrypted, whereas for block encryption, padding may be added after the MAC prior to encryption.

The final step of SSL Record Protocol processing is to prepend a header, consisting of the following
fields:

Content Type (8 bits): The higher layer protocol used to process the enclosed fragment.

Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3.

Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0.

Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.

The content types that have been defined are change_cipher_spec, alert, handshake, and
application_data.

SSL Change Cipher Spec Protocol

The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record
Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single
byte with the value 1.


The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.

SSL Alert Protocol

The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes.

The first byte takes the value warning(1) or fatal(2) to convey the severity of the message. If the level is fatal, SSL immediately terminates the connection. Other connections on the same session may continue, but no new connections on this session may be established. The second byte contains a code that indicates the specific alert. The fatal alerts are listed below:

unexpected_message: An inappropriate message was received.

bad_record_mac: An incorrect MAC was received.

decompression_failure: The decompression function received improper input (e.g., unable to decompress or decompressed to greater than the maximum allowable length).

handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given
the options available.

illegal_parameter: A field in a handshake message was out of range or inconsistent with other
fields.
The remainder of the alerts are given below:

close_notify: Notifies the recipient that the sender will not send any more messages on this
connection. Each party is required to send a close_notify alert before closing the write side of a
connection.

no_certificate: May be sent in response to a certificate request if no appropriate certificate is available.

bad_certificate: A received certificate was corrupt (e.g., contained a signature that did not verify).

unsupported_certificate: The type of the received certificate is not supported.

certificate_revoked: A certificate has been revoked by its signer.

certificate_expired: A certificate has expired.


certificate_unknown: Some other unspecified issue arose in processing the certificate, rendering it unacceptable.

SSL Handshake Protocol

The SSL Handshake Protocol ensures the establishment of a reliable and secure session between client and server, and also allows server and client to:

authenticate each other

negotiate encryption and MAC algorithms

negotiate the cryptographic keys to be used

The Handshake Protocol consists of a series of messages exchanged by client and server.

All of these have the format shown below and each message has three fields:

Type (1 byte): Indicates one of 10 messages.

Length (3 bytes): The length of the message in bytes.

Content (>=0 bytes): The parameters associated with this message


The following figure shows the initial exchange needed to establish a logical connection between client and server. The exchange can be viewed as having four phases:

Establish Security Capabilities

Server Authentication and Key Exchange

Client Authentication and Key Exchange

Finish

Phase 1. Establish Security Capabilities


This phase is used to initiate a logical connection and to establish the security capabilities that will
be associated with it. The exchange is initiated by the client, which sends a client_hello message with
the following parameters:

Version: The highest SSL version understood by the client.

Random: A client-generated random structure, consisting of a 32-bit timestamp and 28 bytes generated by a secure random number generator. These values serve as nonces and are used during key exchange to prevent replay attacks.

Session ID: A variable-length session identifier. A nonzero value indicates that the client wishes to update the parameters of an existing connection or create a new connection on this session. A zero value indicates that the client wishes to establish a new connection on a new session.

CipherSuite: This is a list that contains the combinations of cryptographic algorithms supported by
the client, in decreasing order of preference. Each element of the list (each cipher suite) defines both
a key exchange algorithm and a CipherSpec.

Compression Method: This is a list of the compression methods the client supports.

Phase 2. Server Authentication and Key Exchange

The server begins this phase by sending its certificate via a certificate message, which contains one or a chain of X.509 certificates. The certificate message is required for any agreed-on key exchange method except anonymous Diffie-Hellman. Next, a server_key_exchange message may be sent if it is required. It is not required in two instances: (1) the server has sent a certificate with fixed Diffie-Hellman parameters, or (2) RSA key exchange is to be used.

Phase 3. Client Authentication and Key Exchange


Once the server_done message is received by client, it should verify whether a valid certificate is
provided and check that the server_hello parameters are acceptable. If all is satisfactory, the client
sends one or more messages back to the server. If the server has requested a certificate, the client
begins this phase by sending a certificate message. If no suitable certificate is available, the client
sends a no_certificate alert instead. Next is the client_key_exchange message, for which the content
of the message depends on the type of key exchange.


Phase 4. Finish

This phase completes the setting up of a secure connection. The client sends a change_cipher_spec
message and copies the pending Cipher Spec into the current Cipher Spec. The client then
immediately sends the finished message under the new algorithms, keys, and secrets. The finished
message verifies that the key exchange and authentication processes were successful.

4.3 TRANSPORT LAYER SECURITY

TLS was released in response to the Internet community's demands for a standardized protocol. TLS (Transport Layer Security), defined in RFC 2246, is a protocol for establishing a secure connection between a client and a server. TLS is capable of authenticating both the client and the server and creating an encrypted connection between the two. Many protocols use TLS to establish secure connections, including HTTP, IMAP, POP3, and SMTP. The TLS Handshake Protocol first negotiates key exchange using an asymmetric algorithm such as RSA or Diffie-Hellman. The TLS Record Protocol then opens an encrypted channel using a symmetric algorithm such as RC4, IDEA, DES, or 3DES. The TLS Record Protocol is also responsible for ensuring that the communications are not altered in transit. Hashing algorithms such as MD5 and SHA are used for this purpose. RFC 2246 is very similar to SSLv3. There are some minor differences, ranging from protocol version numbers to generation of key material.

Version Number: The TLS Record Format is the same as that of the SSL Record Format and the
fields in the header have the same meanings. The one difference is in version values. For the current
version of TLS, the Major Version is 3 and the Minor Version is 1.

Message Authentication Code: Two differences arise one being the actual algorithm and the other
being scope of MAC calculation. TLS makes use of the HMAC algorithm defined in RFC 2104.
SSLv3 uses the same algorithm, except that the padding bytes are concatenated with the secret key
rather than being XOR ed with the secret key padded to the block length. For TLS, the MAC
calculation encompasses the fields indicated in the following expression:

HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length || TLSCompressed.fragment)
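As an added example (not from the notes), the SSLv3 record MAC from section 4.2 and the TLS HMAC-based MAC above, side by side in Python with the receiver-side check; the secret, content type and fragment are constructed sample values, and the pad lengths (48 bytes for MD5, 40 for SHA-1) are those of SSLv3.

```python
import hashlib
import hmac
import struct

# SSLv3 pad lengths: 48 bytes for MD5, 40 bytes for SHA-1
PAD_LEN = {"md5": 48, "sha1": 40}
APPLICATION_DATA = 23   # content type value for application_data records

def ssl3_mac(secret: bytes, seq_num: int, ctype: int, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSLv3 MAC: hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment)).
    The pads are concatenated with the secret, which is what distinguishes it from HMAC."""
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    # 64-bit sequence number, 8-bit content type, 16-bit length
    header = struct.pack("!QBH", seq_num, ctype, len(fragment))
    inner = hashlib.new(hash_name, secret + pad_1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad_2 + inner).digest()

def tls_mac(secret: bytes, seq_num: int, ctype: int, version: tuple, fragment: bytes,
            hash_name: str = "sha1") -> bytes:
    """TLS MAC: HMAC_hash(secret, seq_num || type || version || length || fragment).
    HMAC XORs its pads into the key, and the protocol version is now covered too."""
    header = struct.pack("!QBBBH", seq_num, ctype, version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()

def receiver_check(secret: bytes, expected_seq: int, ctype: int, fragment: bytes,
                   received_mac: bytes, version: tuple = (3, 1)) -> bool:
    """Receiver side: recompute over its own sequence counter and compare in constant time.
    A replayed or reordered record fails because seq_num is part of the MAC input."""
    expected = tls_mac(secret, expected_seq, ctype, version, fragment)
    return hmac.compare_digest(expected, received_mac)

if __name__ == "__main__":
    secret = b"\x11" * 20                      # constructed MAC_write_secret
    frag = b"GET / HTTP/1.1\r\n"               # constructed fragment
    print("SSLv3 :", ssl3_mac(secret, 0, APPLICATION_DATA, frag).hex())
    print("TLS   :", tls_mac(secret, 0, APPLICATION_DATA, (3, 1), frag).hex())
```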


The MAC calculation covers all of the fields covered by the SSLv3 calculation, plus the field TLSCompressed.version, which is the version of the protocol being employed.

Pseudorandom Function: TLS makes use of a pseudorandom function referred to as PRF to expand secrets into blocks of data for purposes of key generation or validation. The PRF is based on the following data expansion function:

P_hash(secret, seed) = HMAC_hash(secret, A(1) || seed) ||
                       HMAC_hash(secret, A(2) || seed) ||
                       HMAC_hash(secret, A(3) || seed) || ...

where A() is defined as

A(0) = seed
A(i) = HMAC_hash(secret, A(i - 1))

The data expansion function makes use of the HMAC algorithm, with either MD5 or SHA-1 as the underlying hash function. As can be seen, P_hash can be iterated as many times as necessary to produce the required quantity of data. Each iteration involves two executions of HMAC, each of which in turn involves two executions of the underlying hash algorithm.
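An added Python implementation of P_hash and A() exactly as defined above (not code from the notes). It also carries the definition one step further than the text, to the full TLS 1.0 PRF of RFC 2246 (P_MD5 and P_SHA-1 run on the two halves of the secret and XORed) and to the key_block expansion; the secret and seed are constructed sample values.

```python
import hashlib
import hmac

def hmac_hash(secret: bytes, data: bytes, hash_name: str) -> bytes:
    """HMAC_hash(secret, data) with MD5 or SHA-1 as the underlying hash."""
    return hmac.new(secret, data, hash_name).digest()

def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), iterated until `length` bytes exist.
    Each iteration is two HMAC runs, as the text notes: one for A(i), one for the output block."""
    out = b""
    a = seed                                              # A(0)
    while len(out) < length:
        a = hmac_hash(secret, a, hash_name)               # A(i) = HMAC(secret, A(i-1))
        out += hmac_hash(secret, a + seed, hash_name)     # next output block
    return out[:length]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF (RFC 2246, section 5): PRF = P_MD5(S1, label||seed) XOR P_SHA-1(S2, label||seed),
    where S1 and S2 are the first and last halves of the secret (overlapping by one byte if odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(s1, label + seed, length, "md5")
    sha_part = p_hash(s2, label + seed, length, "sha1")
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def key_block(master_secret: bytes, server_random: bytes, client_random: bytes, length: int) -> bytes:
    """The key_block expansion from which the write MAC secrets, write keys and IVs are cut
    (RFC 2246: PRF(master_secret, "key expansion", server_random + client_random))."""
    return tls10_prf(master_secret, b"key expansion", server_random + client_random, length)

if __name__ == "__main__":
    # constructed sample values; a real master secret is 48 bytes and the randoms 32 bytes each
    ms = bytes(range(48))
    kb = key_block(ms, b"S" * 32, b"C" * 32, 2 * 20 + 2 * 16 + 2 * 16)   # SHA-1 MACs, 128-bit keys/IVs
    print("client_write_MAC_secret:", kb[:20].hex())
```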

4.4 HYPERTEXT TRANSFER PROTOCOL SECURE (HTTPS)

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol
(HTTP) for secure communication over a computer network, and is widely used on the Internet. In
HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or,
formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred
to as HTTP over TLS, or HTTP over SSL.

The principal motivation for HTTPS is authentication of the accessed website and protection of the
privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle
attacks. The bidirectional encryption of communications between a client and server protects against
eavesdropping and tampering of the communication. In practice, this provides a reasonable assurance
that one is communicating without interference by attackers with the website that one intended to
communicate with, as opposed to an impostor. Historically, HTTPS connections were primarily used
for payment transactions on the World Wide Web, e-mail and for sensitive


transactions in corporate information systems. The Uniform Resource Identifier (URI) scheme HTTPS
has identical usage syntax to the HTTP scheme. However, HTTPS signals the browser to use an
added encryption layer of SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP,
since it can provide some protection even if only one side of the communication is authenticated.
This is the case with HTTP transactions over the Internet, where typically only the server is
authenticated (by the client examining the server's certificate).

HTTPS creates a secure channel over an insecure network. This ensures reasonable protection from
eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that
the server certificate is verified and trusted.

Because HTTPS piggybacks HTTP entirely on top of TLS, the entirety of the underlying HTTP
protocol can be encrypted. This includes the request URL (which particular web page was requested),
query parameters, headers, and cookies (which often contain identity information about the user).
However, because host (website) addresses and port numbers are necessarily part of the underlying
TCP/IP protocols, HTTPS cannot protect their disclosure. In practice this means that even on a
correctly configured web server, eavesdroppers can infer the IP address and port number of the web
server (sometimes even the domain name e.g. www.example.org, but not the rest of the URL) that
one is communicating with, as well as the amount (data transferred) and duration (length of session) of the communication, though not the content of the communication.[4]

Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-
installed in their software. Therefore, a user should trust an HTTPS connection to a website if and
only if all of the following are true:

The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities.

The user trusts the certificate authority to vouch only for legitimate websites.

The website provides a valid certificate, which means it was signed by a trusted authority.

The certificate correctly identifies the website (e.g., when the browser visits "https://example.com", the received certificate is properly for "example.com" and not some other entity).

The user trusts that the protocol's encryption layer (SSL/TLS) is sufficiently secure against eavesdroppers.


HTTPS is especially important over insecure networks (such as public Wi-Fi access points), as
anyone on the same local network can packet-sniff and discover sensitive information not protected
by HTTPS. Additionally, many free-to-use and paid WLAN networks engage in packet injection in
order to serve their own ads on web pages. The same capability can be exploited maliciously in many
ways, such as injecting malware into web pages and stealing users' private information.

HTTPS is also very important for connections over the Tor anonymity network, as malicious Tor
nodes can damage or alter the contents passing through them in an insecure fashion and inject
malware into the connection. As more information is revealed about global mass surveillance and
criminals stealing personal information, the use of HTTPS security on all websites is becoming
increasingly important regardless of the type of Internet connection being used. While metadata about
the individual pages that a user visits is not sensitive on its own, when combined it can reveal a lot
about the user and compromise the user's privacy.

Deploying HTTPS also allows the use of HTTP/2 (or its predecessor, the now-deprecated protocol
SPDY), which are newer generations of HTTP designed to reduce page load times, size and latency.

It is recommended to use HTTP Strict Transport Security (HSTS) with HTTPS to protect users from
man-in-the-middle attacks, especially SSL stripping.[12][13]

HTTPS should not be confused with the little-used Secure HTTP (S-HTTP) specified in RFC 2660.

4.5 SECURE SHELL (SSH)

• Protocol for secure network communications
• Designed to be simple and inexpensive
• SSH1 provided a secure remote logon facility
  – Replaced Telnet and other insecure schemes
  – Also has more general client/server capability
• SSH2 fixes a number of security flaws
  – Documented in RFCs 4250 through 4254
• SSH clients and servers are widely available
• Method of choice for remote login and X tunnels


Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over
an unsecured network. Typical applications include remote command-line login and remote command
execution, but any network service can be secured with SSH. SSH provides a secure channel over an
unsecured network in a client–server architecture, connecting an SSH client application with an SSH
server. The protocol specification distinguishes between two major versions, referred to as SSH-1
and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating
systems, but it can also be used on Windows. SSH was designed as a replacement for Telnet and for
unsecured remote shell protocols such as the Berkeley rlogin, rsh, and rexec protocols. Those
protocols send information, notably passwords, in plaintext, rendering them susceptible to
interception and disclosure using packet analysis. The encryption used by SSH is intended to provide
confidentiality and integrity of data over an unsecured network, such as the Internet, although files
leaked by Edward Snowden indicate that the National Security Agency can sometimes decrypt SSH,
allowing them to read the contents of SSH sessions.

SSH PROTOCOL STACK


SSH Transport Layer Protocol

• Server authentication occurs at the transport layer, based on the server/host key pair(s)
  – requires clients to know host keys in advance
• Packet exchange:
  – establish TCP connection
  – can then exchange data using the specified packet format: identification string exchange,
    algorithm negotiation, key exchange, end of key exchange, service request

SSH User Authentication Protocol

• Authenticates client to server
• Three message types:
  – SSH_MSG_USERAUTH_REQUEST
  – SSH_MSG_USERAUTH_FAILURE
  – SSH_MSG_USERAUTH_SUCCESS
• Authentication methods used: public-key, password, host-based

SSH Connection Protocol

• Runs on the SSH Transport Layer Protocol
• Assumes a securely authenticated connection
• Used for multiple logical channels
  – SSH communications use separate channels
  – either side can open a channel with a unique id number
  – flow controlled
  – channels have three stages: opening a channel, data transfer, closing a channel


• Four channel types: session, x11, forwarded-tcpip, direct-tcpip

SSH Connection Protocol Exchange

The message exchange involves the following steps:

1. The client sends a SSH_MSG_USERAUTH_REQUEST with a requested method of none.
2. The server checks to determine if the username is valid. If not, the server returns
   SSH_MSG_USERAUTH_FAILURE with the partial success value of false. If the username is valid,
   the server proceeds to step 3.
3. The server returns SSH_MSG_USERAUTH_FAILURE with a list of one or more authentication
   methods to be used.
4. The client selects one of the acceptable authentication methods and sends a
   SSH_MSG_USERAUTH_REQUEST with that method name and the required method-specific
   fields. At this point, there may be a sequence of exchanges to perform the method.


5. If the authentication succeeds and more authentication methods are required, the server proceeds to
   step 3, using a partial success value of true. If the authentication fails, the server proceeds to step 3,
   using a partial success value of false.
6. When all required authentication methods succeed, the server sends a
   SSH_MSG_USERAUTH_SUCCESS message, and the Authentication Protocol is over.
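The server side of this exchange, as an added example that is not from these notes or from any SSH implementation: a small state machine that answers each SSH_MSG_USERAUTH_REQUEST with FAILURE (carrying the methods that can continue and the partial-success flag) or SUCCESS, requiring every method in a constructed policy to pass. The message numbers are those of RFC 4252; the account table, its verifier lambdas and the fingerprint string are constructed sample data. Note that an unknown username gets exactly the same reply as the "none" probe for a valid user, so the failure message does not leak which accounts exist.

```python
import hmac

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Constructed sample account: each method maps to a verifier of the request's
# method-specific fields. A real server would consult its password database and
# the user's authorized keys; these lambdas stand in for that.
SAMPLE_ACCOUNTS = {
    "alice": {
        "password": lambda req: hmac.compare_digest(
            req.get("password", ""), "correct horse battery staple"),
        "publickey": lambda req: req.get("key_fingerprint") == "SHA256:constructed-sample-fp",
    },
}


class AuthServer:
    """Server side of the SSH User Authentication Protocol. `required` lists the
    methods that must all succeed before SSH_MSG_USERAUTH_SUCCESS is sent."""

    def __init__(self, required, accounts):
        self.required = list(required)
        self.accounts = accounts
        self.completed = {}          # username -> set of methods already passed

    def _failure(self, user, partial):
        remaining = [m for m in self.required if m not in self.completed.get(user, set())]
        return {"type": SSH_MSG_USERAUTH_FAILURE,
                "methods_that_can_continue": remaining,
                "partial_success": partial}

    def handle(self, req):
        if req["type"] != SSH_MSG_USERAUTH_REQUEST:
            raise ValueError("expected SSH_MSG_USERAUTH_REQUEST")
        user, method = req["user"], req["method"]
        # Step 2: unknown user -> FAILURE with partial success false. The reply is
        # identical to the 'none' reply for a valid user (step 3), so it reveals nothing.
        if user not in self.accounts:
            return self._failure(user, partial=False)
        # Step 3: 'none' only asks which methods are acceptable; it never succeeds.
        if method == "none":
            return self._failure(user, partial=False)
        done = self.completed.setdefault(user, set())
        verifier = self.accounts[user].get(method)
        if method not in self.required or method in done or verifier is None:
            return self._failure(user, partial=False)
        # Step 4: run the method-specific check on the supplied fields.
        if not verifier(req):
            return self._failure(user, partial=False)       # step 5: failed
        done.add(method)
        if any(m not in done for m in self.required):
            return self._failure(user, partial=True)        # step 5: more methods required
        return {"type": SSH_MSG_USERAUTH_SUCCESS}           # step 6


def demo_exchange():
    """Steps 1-6 for the sample account under a two-method policy."""
    server = AuthServer(["publickey", "password"], SAMPLE_ACCOUNTS)
    requests = [
        {"type": SSH_MSG_USERAUTH_REQUEST, "user": "alice", "method": "none"},
        {"type": SSH_MSG_USERAUTH_REQUEST, "user": "alice", "method": "password",
         "password": "correct horse battery staple"},
        {"type": SSH_MSG_USERAUTH_REQUEST, "user": "alice", "method": "publickey",
         "key_fingerprint": "SHA256:constructed-sample-fp"},
    ]
    return [server.handle(r) for r in requests]
```

`demo_exchange()` returns FAILURE (both methods listed, partial false), FAILURE (only publickey remaining, partial true) and finally SUCCESS, which is the sequence the six steps above describe.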

WIRELESS NETWORK SECURITY:

Wireless Security

Wireless security is the prevention of unauthorized access or damage to computers or data using
wireless networks. The most common types of wireless security are Wired Equivalent Privacy (WEP)
and Wi-Fi Protected Access (WPA). WEP is a notoriously weak security standard. The password it uses
can often be cracked in a few minutes with a basic laptop computer and widely available software
tools. WEP is an old IEEE 802.11 standard from 1999, which was superseded in 2003 by WPA, or
Wi-Fi Protected Access. WPA was a quick alternative to improve security over WEP. The current
standard is WPA2; some hardware cannot support WPA2 without a firmware upgrade or replacement.
WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length
improves security over WEP. Enterprises often enforce security using a certificate-based system to
authenticate the connecting device, following the 802.1X standard.

Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile
has great benefits. However, wireless networking is prone to some security issues. Hackers have
found wireless networks relatively easy to break into, and even use wireless technology to hack into
wired networks. As a result, it is very important that enterprises define effective wireless security
policies that guard against unauthorized access to important resources. Wireless Intrusion Prevention
Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce
wireless security policies. The risks to users of wireless technology have increased as the service has
become more popular. There were relatively few dangers when wireless technology was first
introduced. Hackers had not yet had time to latch on to the new technology, and wireless networks
were not commonly found in the workplace. However, there are many security risks associated with
the current wireless protocols and encryption methods, and in the carelessness and ignorance that
exists at the user level. Hacking methods have become much more sophisticated and innovative with
wireless access. Hacking has also become much easier and more accessible with easy-to-use
Windows- or Linux-based tools being made available on the web at no charge.

Network security issues, whether wired or wireless, fall into three main categories: availability,
confidentiality and integrity:

• Confidentiality: is the information being sent across the network transmitted in such a way that
  only the intended recipient(s) can read it?
• Integrity: is the information reaching the recipient intact?
• Availability: is the network available to users whenever it is needed?


4.6 MOBILE DEVICE SECURITY


Mobile security, or more specifically mobile device security, has become increasingly important in
mobile computing. Of particular concern is the security of personal and business information now
stored on smart phones. More and more users and businesses use smart phones to communicate, but
also to plan and organize their users' work and also private life. Within companies, these technologies
are causing profound changes in the organization of information systems and therefore they have
become the source of new risks. Indeed, smart phones collect and compile an increasing amount of
sensitive information to which access must be controlled to protect the privacy of the user and the
intellectual property of the company. All smart phones, as computers, are preferred targets of attacks.
These attacks exploit weaknesses inherent in smart phones that can come from the communication
mode—like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service
(MMS), WiFi, Bluetooth and GSM, the de facto global standard for mobile communications.

Mobile Threats and Attacks

Mobile devices make attractive targets:

– People store much personal info on them: email, calendars, contacts, pictures, etc.
– Sensitive organizational info too
– Can fit in pockets, easily lost/stolen
– Built-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card), etc.
– Many new devices have near field communications (NFC), used for contactless payments, etc.;
  your device becomes your credit card
– Location privacy issues

Mobile Device Information Leakage

Types of mobile device information sources:

– Internal to device (e.g., GPS location, IMEI, etc.)
– External sources (e.g., CNN, Chase Bank, etc.)

Third-party mobile apps can leak info:

– Send out device ID (IMEI/EID), contacts, location, etc.
– Apps ask permission to access such info; users can ignore it!
– Apps can intercept info sent to a source and send it to a different destination!

Motives:

– Monitor activity
– Advertisement
– Market research (including user location, behavior, etc.)
– Identity theft

Challenges for Monitoring Privacy Info

Resource constraints
– E.g., tracking panorama images would be expensive in terms of performance and battery
  consumption

Third-party apps are entrusted with several types of private information

Sensitive information can be difficult to identify even when it is sent in clear format
– Geo-location data is a pair of floating point numbers

Apps can share information
– Facebook, Twitter, Google search

4.7 IEEE 802.11 WIRELESS LAN

History

Norman Abramson, a professor at the University of Hawaii, developed the world's first wireless
computer communication network, ALOHAnet (operational in 1971), using low-cost ham-like
radios. In response to the lack of standards, IEEE developed the first internationally recognized
wireless LAN standard, IEEE 802.11. IEEE published 802.11 in 1997, after seven years of work.

IEEE 802.11 is part of the IEEE 802 set of LAN protocols, and specifies the set of media access
control (MAC) and physical layer (PHY) protocols for implementing wireless local area network
(WLAN) computer communication in various frequencies, including but not limited to 2.4, 5, and 60
GHz frequency bands.

A wireless local area network (WLAN) is a wireless computer network that links two or more devices
using a wireless distribution method (often spread- spectrum radio) within a limited area such as a
home, school, computer laboratory, or office building.

There are two types of wireless networks:

• Ad hoc networks, where stations communicate directly;
• Infrastructure networks, where stations communicate through access points.

To communicate, each station must of course be equipped with a WiFi adapter and a radio antenna
(often integrated into the adapter). More and more computer equipment comes with a built-in WiFi
adapter. If that is not the case, you must buy one and connect it to the station. The connection options
are very varied: there are WiFi USB adapters, PCMCIA, PCI, etc.


802.11 Services

Basic Service Set(BSS)

The BSS contains stationary or mobile wireless stations and a central base station called an Access
Point (AP).

If the AP is not present, it is known as a stand-alone network. Such a BSS cannot send data to other
BSSs.

The BSS in which an access point is present is known as an infrastructure network.

Wi-Fi networks are deployed in infrastructure mode.

In infrastructure mode, a base station acts as a wireless access point hub, and nodes communicate
through the hub. The hub usually, but not always, has a wired or fiber network connection, and may
have permanent wireless connections to other nodes.

Wireless access points are usually fixed, and provide service to their client nodes within range.

Wireless clients, such as laptops, smart phones etc. connect to the access point to join the network.


Peer-to-peer

Two PCs equipped with wireless adapter cards can be set up as an independent network whenever
they are within range of one another.

A peer-to-peer network allows wireless devices to communicate directly with each other.

Bridge

A bridge can be used to connect networks, typically of different types.

A wireless Ethernet bridge allows the connection of devices on a wired Ethernet network to a
wireless network.


The bridge acts as the connection point to the Wireless LAN.

Wireless distribution system

It allows a wireless network to be expanded using multiple access points without the traditional
requirement for a wired backbone to link them.

802.11 WLANs – Outline

• 802.11 bands and layers
• Link layer
  – Media access layer
  – frames and headers
  – CSMA/CD
• Physical layer
  – frames
  – modulation
  – Frequency hopping
  – Direct sequence
  – Infrared
• Security
• Implementation


IEEE 802.11 Frame types

There are three different types of frames:

• Management frame
• Control frame
• Data frame

Management frame. These are used for initial communication between stations and access points.

Control frame. These are used for accessing the channel and acknowledging frames. The control
frames are RTS and CTS.

Data frame. These are used for carrying data and control information.
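The type is carried in the Frame Control field, the first two octets of every 802.11 MAC header, and classifying frames by it is the first thing a wireless intrusion detection system does with a capture. The following added example (not from these notes or any 802.11 driver) decodes that field: protocol version, type and subtype from the first octet, and the To DS, From DS, Retry and Protected Frame flags from the second. The subtype names are the standard ones for the common subtypes; the sample frame-control values in the usage below are constructed.

```python
# Frame Control: first two octets of every 802.11 MAC header.
#   octet 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
#   octet 1: flag bits; bit 0 To DS, bit 1 From DS, bit 3 Retry, bit 6 Protected Frame
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "reserved/extension"}
SUBTYPE_NAMES = {
    0: {0: "association request", 1: "association response", 2: "reassociation request",
        3: "reassociation response", 4: "probe request", 5: "probe response", 8: "beacon",
        10: "disassociation", 11: "authentication", 12: "deauthentication", 13: "action"},
    1: {8: "block ack request", 9: "block ack", 10: "PS-Poll", 11: "RTS", 12: "CTS", 13: "ACK"},
    2: {0: "data", 4: "null", 8: "QoS data", 12: "QoS null"},
    3: {},
}


def parse_frame_control(fc):
    """Decode the Frame Control field into its version, type, subtype and flags."""
    if len(fc) < 2:
        raise ValueError("Frame Control is two octets")
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": TYPE_NAMES[ftype],
        "subtype": SUBTYPE_NAMES[ftype].get(subtype, "subtype %d" % subtype),
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "retry": bool(b1 & 0x08),
        "protected": bool(b1 & 0x40),
    }


def classify_capture(frame_controls):
    """Count frames per type: the per-channel summary a WIDS keeps over a capture."""
    counts = {}
    for fc in frame_controls:
        kind = parse_frame_control(fc)["type"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample values: beacon, RTS, CTS, ACK, protected data to the AP, deauthentication.
    for fc in (b"\x80\x00", b"\xb4\x00", b"\xc4\x00", b"\xd4\x00", b"\x08\x41", b"\xc0\x00"):
        print(fc.hex(), parse_frame_control(fc))
```

Management frames such as beacon, authentication and deauthentication are sent without the Protected Frame bit set in baseline 802.11, which is why the section that follows introduces 802.11i to protect at least the data frames.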

IEEE 802.11i, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as
Wi-Fi Protected Access II (WPA2). This standard specifies security mechanisms for wireless
networks, replacing the short Authentication and privacy clause of the original standard with a
detailed Security clause.

802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was
shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been
introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA
implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable
implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i
makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use
the RC4 stream cipher.

Protocol operation

IEEE 802.11i enhances IEEE 802.11 providing a Robust Security Network (RSN) with two new
protocols: the four-way handshake and the group key handshake. These utilize the authentication
services and port access control described in IEEE 802.1X to establish and change the appropriate
cryptographic keys. The RSN is a security network that only allows the creation of robust security
network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if
the procedure to establish authentication or association between them includes the 4-Way Handshake.

4-Way Handshake


The four-way handshake is designed so that the access point (or authenticator) and wireless client (or
supplicant) can independently prove to each other that they know the PSK/PMK, without ever
disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages
to each other—that can only be decrypted by using the PMK that they already share—and if
decryption of the messages was successful, this proves knowledge of the PMK. The four-way
handshake is critical for protection of the PMK from malicious access points—for example, an
attacker's SSID impersonating a real access point—so that the client never has to tell the access point
its PMK.

The PMK is designed to last the entire session and should be exposed as little as possible; therefore,
keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key
called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following
attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC
address. The product is then put through a pseudo-random function. The handshake also yields the
GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.

Steps in this 4-way handshake

1. The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a
   number that is used to match each pair of messages sent, and discard replayed messages. The STA
   now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code
   (MIC), including authentication, which is really a Message Authentication and Integrity Code
   (MAIC), and the Key Replay Counter, which will be the same as in Message 1, to allow the AP to
   match the right Message 1.
3. The AP verifies Message 2 by checking the MIC, RSN, ANonce and Key Replay Counter field, and if
   valid constructs and sends the GTK with another MIC.
4. The STA verifies Message 3 by checking the MIC and Key Replay Counter field, and if valid sends a
   confirmation to the AP.
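The PTK derivation and the four messages, as an added example that is not from these notes or from any Wi-Fi implementation. The key expansion is the PRF-384 of IEEE 802.11i (HMAC-SHA1 over the label "Pairwise key expansion", the two MAC addresses and the two nonces in min/max order), and the MIC is HMAC-SHA1 under the KCK truncated to 128 bits; both are the standard constructions. The EAPOL-Key framing (counter, nonce, MIC, payload) is a constructed simplification of the real wire format, the AES key-wrap of the GTK under the KEK is left out, and the PMK and MAC addresses are constructed sample values. The simulation shows the three checks the text describes: replay-counter matching, MIC verification proving knowledge of the PMK without ever sending it, and rejection of a message altered in transit.

```python
import hashlib
import hmac
import os
import struct

MIC_LEN = 16
HDR_LEN = 8 + 32   # replay counter (8 octets) + nonce (32 octets)

# Constructed sample inputs: a PMK (what the PSK would be expanded to) and two MAC addresses.
SAMPLE_PMK = hashlib.sha256(b"constructed sample pre-shared secret").digest()
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")


def prf(key, label, data, nbits):
    """PRF-n of IEEE 802.11i: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., concatenated."""
    out, i = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces), split into
    KCK (MIC key), KEK (wraps the GTK) and TK (CCMP traffic key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key(replay_counter, nonce, payload=b""):
    """Constructed, simplified EAPOL-Key layout (not the wire format): counter | nonce | MIC | payload."""
    return struct.pack("!Q", replay_counter) + nonce + bytes(MIC_LEN) + payload


def with_mic(kck, frame):
    """MIC = HMAC-SHA1 under the KCK over the frame with its MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:HDR_LEN] + bytes(MIC_LEN) + frame[HDR_LEN + MIC_LEN:]
    mic = hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    return frame[:HDR_LEN] + mic + frame[HDR_LEN + MIC_LEN:]


def mic_ok(kck, frame):
    return hmac.compare_digest(with_mic(kck, frame), frame)


def run_handshake(ap_pmk, sta_pmk, aa, spa, tamper=False, replay_wrong=False):
    """Run messages 1-4; returns the outcome and whether both sides ended up with the same PTK."""
    anonce, snonce, counter = os.urandom(32), os.urandom(32), 1
    # Message 1 (AP -> STA): ANonce + replay counter. No MIC: the STA has no PTK yet.
    msg1 = eapol_key(counter, anonce)
    rx_counter, rx_anonce = struct.unpack("!Q", msg1[:8])[0], msg1[8:HDR_LEN]
    sta_ptk = derive_ptk(sta_pmk, aa, spa, rx_anonce, snonce)   # STA now has every PTK input
    # Message 2 (STA -> AP): SNonce, the echoed counter, and a MIC under the STA's KCK.
    msg2 = with_mic(sta_ptk["KCK"], eapol_key(rx_counter + (7 if replay_wrong else 0), snonce))
    if tamper:  # modification in transit: flip one bit of SNonce
        msg2 = msg2[:8] + bytes([msg2[8] ^ 0x01]) + msg2[9:]
    # AP checks message 2: the counter must match message 1, then the MIC under the AP's own PTK.
    rc, rx_snonce = struct.unpack("!Q", msg2[:8])[0], msg2[8:HDR_LEN]
    if rc != counter:
        return {"result": "rejected by AP: replay counter mismatch", "ptk_match": False}
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, rx_snonce)
    if not mic_ok(ap_ptk["KCK"], msg2):
        return {"result": "rejected by AP: bad MIC, STA did not prove the PMK", "ptk_match": False}
    # Message 3 (AP -> STA): incremented counter, the GTK (AES-key-wrapped under the KEK in the
    # real protocol; a placeholder here) and a MIC that proves the AP knows the PMK too.
    counter += 1
    msg3 = with_mic(ap_ptk["KCK"], eapol_key(counter, anonce, payload=b"GTK placeholder"))
    if struct.unpack("!Q", msg3[:8])[0] <= rx_counter or not mic_ok(sta_ptk["KCK"], msg3):
        return {"result": "rejected by STA: bad MIC, AP did not prove the PMK", "ptk_match": False}
    # Message 4 (STA -> AP): confirmation under the KCK; afterwards both sides install the TK.
    msg4 = with_mic(sta_ptk["KCK"], eapol_key(counter, bytes(32)))
    if not mic_ok(ap_ptk["KCK"], msg4):
        return {"result": "rejected by AP: bad MIC on confirmation", "ptk_match": False}
    return {"result": "success", "ptk_match": ap_ptk == sta_ptk}


if __name__ == "__main__":
    print(run_handshake(SAMPLE_PMK, SAMPLE_PMK, AP_MAC, STA_MAC))
    print(run_handshake(SAMPLE_PMK, bytes(32), AP_MAC, STA_MAC))          # STA has the wrong PMK
    print(run_handshake(SAMPLE_PMK, SAMPLE_PMK, AP_MAC, STA_MAC, tamper=True))
```

Because the min/max ordering makes the derivation symmetric, the AP and STA obtain the same PTK from their own copies of the PMK without either sending it; a station holding the wrong PMK fails at the message 2 MIC check, and a message altered in transit fails the same check.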

Group key handshake

The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration
of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to
prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way
handshake:

1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK
   assigned to that STA, and protected from tampering by use of a MIC.
2. The STA acknowledges the new GTK and replies to the AP.


UNIT-5

5.1 PRETTY GOOD PRIVACY

In virtually all distributed environments, electronic mail is the most heavily used network-
based application. But current email services are roughly like "postcards": anyone who wants to could
pick one up and have a look while it is in transit or sitting in the recipient's mailbox. PGP provides a
confidentiality and authentication service that can be used for electronic mail and file storage
applications. With the explosively growing reliance on electronic mail for every conceivable purpose,
there grows a demand for authentication and confidentiality services. The Pretty Good Privacy (PGP)
secure email program is a remarkable phenomenon; it has grown explosively and is now widely used.
Largely the effort of a single person, Phil Zimmermann, who selected the best available crypto
algorithms to use and integrated them into a single program, P GP provides a confidentiality and
authentication service that can be used for electronic mail and file storage applications. It is
independent of government organizations and runs on a wide range of systems, in both free and
commercial versions. There are five important services in PGP:

• Authentication (Sign/Verify)
• Confidentiality (Encryption/Decryption)
• Compression
• Email compatibility
• Segmentation and Reassembly

The last three are transparent to the user.


PGP Notations:

Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix 64 ASCII format


PGP Operation – Authentication

• Sender creates message
• Use SHA-1 to generate 160-bit hash of message
• Hash is signed with RSA using sender's private key, and the signature is attached to message
• Receiver uses RSA with sender's public key to decrypt and recover hash code
• Receiver verifies received message by hashing it and comparing with the decrypted hash code

PGP Operation – Confidentiality

Sender:

• Generates message and a random number (session key) only for this message
• Encrypts message with the session key using AES, 3DES, IDEA or CAST-128
• Encrypts session key itself with recipient's public key using RSA
• Attaches it to message

Receiver:

• Recovers session key by decrypting using his private key
• Decrypts message using the session key

The confidentiality service provides no assurance to the receiver as to the identity of the sender (i.e. no
authentication). It only provides confidentiality for the sender: only the recipient can read the message
(and no one else).

PGP Operation – Confidentiality & Authentication

• encrypt both message & signature
  o attach RSA/ElGamal encrypted session key
  o is called authenticated confidentiality


PGP Operation – Compression

As a default, PGP compresses the message after applying the signature but before encryption. This
has the benefit of saving space both for e-mail transmission and for file storage. The placement of
the compression algorithm, indicated by Z for compression and Z^-1 for decompression, is critical.
The compression algorithm used is ZIP.

The signature is generated before compression for two reasons:

• so that one can store only the uncompressed message together with the signature for later
  verification;
• applying the hash function and signature after compression would constrain all PGP
  implementations to the same version of the compression algorithm, as the PGP compression
  algorithm is not deterministic.

Message encryption is applied after compression to strengthen cryptographic security. Because
the compressed message has less redundancy than the original plaintext, cryptanalysis is more
difficult.

PGP Operation – Email Compatibility

When PGP is used, at least part of the block to be transmitted is encrypted, and thus consists of
a stream of arbitrary 8-bit octets. However many electronic mail systems only permit the use of
ASCII text. To accommodate this restriction, PGP provides the service of converting the raw 8-
bit binary stream to a stream of printable ASCII characters. It uses radix-64 conversion, in which
each group of three octets of binary data is mapped into four ASCII characters. This format also
appends a CRC to detect transmission errors. The use of radix 64 expands a message by 33%,
but still an overall compression of about one-third can be achieved.

PGP Operation – Segmentation/Reassembly

E-mail facilities often are restricted to a maximum message length. For example, many of the
facilities accessible through the Internet impose a maximum length of 50,000 octets. Any
message longer than that must be broken up into smaller segments, each of which is mailed
separately. To accommodate this restriction, PGP automatically subdivides a message that is too
large into segments that are small enough to send via e-mail. The segmentation is done after
all of the other processing, including the radix-64 conversion. Thus, the session key component
and signature component appear only once, at the beginning of the first segment.

Reassembly at the receiving end is required before verifying the signature or decrypting.
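The last two services, radix-64 conversion with its CRC and segmentation of the armored result, as one added example that is not from these notes or from any PGP implementation. The CRC is the CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1), appended on its own line prefixed with "="; segmentation is applied last, to the armored text, and reassembly simply concatenates the segments before the armor is checked and decoded. The binary input stands in for the encrypted block and is constructed; the maximum segment length in the usage is a small constructed value rather than the 50,000 octets quoted above.

```python
import base64

# CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1): initial value and polynomial.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def radix64_armor(data: bytes, line_len: int = 76) -> str:
    """Radix-64: each 3 octets become 4 printable characters, folded into lines,
    with the CRC-24 of the raw data appended as a final '=XXXX' line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + [crc_line]) + "\n"


def radix64_dearmor(text: str) -> bytes:
    """Inverse of radix64_armor; raises ValueError if the CRC does not match."""
    lines = [ln for ln in text.splitlines() if ln]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("armor is missing its CRC line")
    data = base64.b64decode("".join(lines[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(lines[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data was altered in transit")
    return data


def armor_intact(text: str) -> bool:
    try:
        radix64_dearmor(text)
        return True
    except ValueError:
        return False


def expansion_ratio(data: bytes) -> float:
    """Radix-64 output length over input length: 4/3, i.e. about 33% larger."""
    return len(base64.b64encode(data)) / len(data)


def segment(armored: str, max_octets: int) -> list:
    """Split after every other step, so the key and signature components sit only in segment 1."""
    return [armored[i:i + max_octets] for i in range(0, len(armored), max_octets)]


def reassemble(segments) -> str:
    return "".join(segments)


if __name__ == "__main__":
    sample = bytes(range(256)) * 2          # constructed stand-in for the encrypted block
    armored = radix64_armor(sample)
    parts = segment(armored, 200)           # constructed mail size limit
    print(len(parts), "segments; round trip ok:", radix64_dearmor(reassemble(parts)) == sample)
```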

PGP Operations – Summary

PGP Message Format

A message consists of three components: the message component, a signature (optional), and a
session key component (optional). The message component includes the actual data to be stored or
transmitted, as well as a filename and a timestamp that specifies the time of creation. The signature
component includes the following:

• Timestamp: The time at which the signature was made.
• Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.
• Leading two octets of message digest: To enable the recipient to determine if the correct public key
  was used to decrypt the message digest for authentication, by comparing this plaintext copy of the
  first two octets with the first two octets of the decrypted digest. These octets also serve as a 16-bit
  frame check sequence for the message.


• Key ID of sender's public key: Identifies the public key that should be used to decrypt the message
  digest and, hence, identifies the private key that was used to encrypt the message digest.

The session key component includes the session key and the identifier of the recipient's public key
that was used by the sender to encrypt the session key. The entire block is usually encoded with radix-
64 encoding.

PGP Message Transmission and Reception

Message transmission

The following figure shows the steps during message transmission assuming that the message is to
be both signed and encrypted.


The sending PGP entity performs the following steps:

Signing the message

a. PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If
   your_userid was not provided in the command, the first private key on the ring is retrieved.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. The signature component of the message is constructed.

Encrypting the message

a. PGP generates a session key and encrypts the message.
b. PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.
c. The session key component of the message is constructed.


Message Reception

The receiving PGP entity performs the following steps:

Decrypting the message

a. PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the
   session key component of the message as an index.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. PGP then recovers the session key and decrypts the message.

Authenticating the message

a. PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature
   key component of the message as an index.
b. PGP recovers the transmitted message digest.
c. PGP computes the message digest for the received message and compares it to the transmitted
   message digest to authenticate.

5.2 S/MIME

Stands for Secure/Multipurpose Internet Mail Extension

Security enhancement to the MIME internet e-mail format

The MIME specification includes the following elements:

1. Five new message header fields are defined, which provide information about the body of the
   message.
2. A number of content formats are defined, thus standardizing representations that support
   multimedia electronic mail.
3. Transfer encodings are defined that protect the content from alteration by the mail system.

MIME – New header fields

The five header fields defined in MIME are as follows:

• MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms
  to RFCs 2045 and 2046.
• Content-Type: Describes the data contained in the body with sufficient detail that the receiving user
  agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal
  with the data in an appropriate manner.
• Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the
  body of the message in a way that is acceptable for mail transport.


• Content-ID: Used to identify MIME entities uniquely in multiple contexts.
• Content-Description: A text description of the object within the body; this is useful when the object
  is not readable (e.g., audio data).

MIME Content Types

MIME – Content Transfer Encoding

Two encodings are in common use:

– Quoted-printable

Used when the data consists largely of octets that correspond to printable ASCII characters; the remaining octets are represented as =XX (two hexadecimal digits), so the text stays readable. Limits message lines to 76 characters.

– Base64 transfer encoding

Common for encoding arbitrary binary data. Each group of three octets is mapped to four printable ASCII characters, so the encoded form is about one third larger than the original; lines are likewise limited to 76 characters.
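As an added example (not part of the original notes): the two transfer encodings from the Python standard library, with a simple selection rule and a check that the output stays within the 76-character line limit and decodes back exactly, which is what "protects the content from alteration by the mail system" means in practice. The sample bodies and the 0.8 printable-ratio threshold are constructed for the example and are not part of the MIME standard.

```python
import base64
import quopri

MAX_LINE = 76   # RFC 2045 line limit for both encodings

# Constructed sample bodies, not from the original notes: a mostly-ASCII
# text with a few UTF-8 characters, and an arbitrary binary blob.
TEXT_BODY = ("Résumé attached. Meeting at 10:00, please confirm (café).\n" * 3).encode("utf-8")
BINARY_BODY = bytes(range(256)) * 2


def printable_ratio(data: bytes) -> float:
    """Fraction of octets that are printable 7-bit ASCII (or TAB/LF/CR)."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13))
    return ok / len(data)


def choose_encoding(data: bytes, threshold: float = 0.8) -> str:
    """Quoted-printable keeps mostly-text bodies readable and compact;
    base64 is the safe choice for anything else. The threshold is an
    illustrative policy (an assumption of this example), not a MIME rule."""
    return "quoted-printable" if printable_ratio(data) >= threshold else "base64"


def encode_body(data: bytes):
    """Return (Content-Transfer-Encoding value, encoded body)."""
    enc = choose_encoding(data)
    if enc == "quoted-printable":
        return enc, quopri.encodestring(data)      # =XX escapes, soft breaks at 76
    return enc, base64.encodebytes(data)           # wraps at 76 characters


def decode_body(enc: str, body: bytes) -> bytes:
    if enc == "quoted-printable":
        return quopri.decodestring(body)
    return base64.b64decode(body)


def max_line_length(encoded: bytes) -> int:
    return max(len(line) for line in encoded.splitlines())


def roundtrip_ok(data: bytes) -> bool:
    """The body must survive 7-bit transport (line limit) and decode exactly."""
    enc, body = encode_body(data)
    return decode_body(enc, body) == data and max_line_length(body) <= MAX_LINE
```

For signed S/MIME content the choice matters more than it looks: the signature is computed over the encoded body, so any transfer agent that rewraps or re-encodes an 8-bit body invalidates it, which is why base64 is used for signed data.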

S/MIME Functionality


S/MIME has a very similar functionality to PGP. Both offer the ability to sign and/or encrypt
messages.

Functions

S/MIME provides the following functions:

Enveloped data: This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients.

Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.

Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.

Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

S/MIME – Cryptographic Algorithms

Create message digest to form digital signature
– Must support SHA-1; should support MD5

Encrypt message digest to form signature
– Must support DSS; should support RSA

Encrypt session key for transmission with message
– Must support RSA; should support Diffie-Hellman

Encrypt message for transmission with one-time session key
– Must support triple DES; should support AES; should support RC2/40

Create a message authentication code
– Receiving agent must support HMAC with SHA-1; sending agent should support HMAC with SHA-1

These are the requirements of the original S/MIME v3 specification (RFC 2633). Later revisions (RFC 5751 and RFC 8551) moved the mandatory algorithms to SHA-256 and AES; MD5, SHA-1, RC2/40 and triple DES should be treated as legacy and not used for new deployments.


S/MIME – User Agent Role

Key generation
– The user agent (or a related administrative utility) must be able to generate key pairs, e.g. RSA, from a good source of random input, and must protect the private key.

Registration
– A user's public key must be registered with a certification authority in order to obtain an X.509 public-key certificate.

Certificate storage and retrieval
– The user agent needs access to a local list of certificates in order to verify incoming signatures and to encrypt outgoing messages.

S/MIME – Enhanced Security Services

Signed receipts
– The receiver returns a signed receipt to the sender to prove that the message arrived and was verified.

Security labels
– A set of security attributes (e.g. sensitivity level, permission, priority or role) carried in a signed message and used for access control.

Secure mailing lists
– Sending to multiple recipients at once securely: the sender encrypts once to a mail list agent, which re-encrypts the message for each recipient, so the sender does not need every recipient's key.


5.3 IP SECURITY OVERVIEW

Definition: Internet Protocol security (IPSec) is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPSec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

Need for IPSec

In 2001 the Computer Emergency Response Team (CERT) reported some 52,000 security incidents. The most serious attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on the IP address, and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents. In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, i.e. IPv6.

Applications of IPSec

IPSec provides the capability to secure communications across a LAN, across private and public
wide area networks (WAN’s), and across the Internet.

Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.

Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for travelling employees and telecommuters.
Establishing extranet and intranet connectivity with partners: IPSec can be used to secure
communication with other organizations, ensuring authentication and confidentiality and providing
a key exchange mechanism.
Enhancing electronic commerce security: Even though some Web and electronic commerce
applications have built-in security protocols, the use of IPSec enhances that security.

The principal feature of IPSec enabling it to support varied applications is that it can encrypt and/or
authenticate all traffic at IP level. Thus, all distributed applications, including remote logon,
client/server, e-mail, file transfer, Web access, and so on, can be secured.

The following figure shows a typical scenario of IPSec usage. An organization maintains LANs at
dispersed locations. Non secure IP traffic is conducted on each LAN.


The IPSec protocols operate in networking devices, such as a router or firewall that connect each
LAN to the outside world. The IPSec networking device will typically encrypt and compress all
traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these
operations are transparent to workstations and servers on the LAN. Secure transmission is also
possible with individual users who dial into the WAN. Such user workstations must implement the
IPSec protocols to provide security.

Benefits of IPSec

The benefits of IPSec are listed below:

IPSec in a firewall/router provides strong security to all traffic crossing the perimeter.

IPSec in a firewall is resistant to bypass (if all traffic from outside must pass through the firewall).

IPSec is below the transport layer (TCP, UDP), hence transparent to applications.

IPSec can be transparent to end users.

IPSec can provide security for individual users if needed (useful for offsite workers and for setting up a secure virtual subnetwork for sensitive applications).

Routing Applications

IPSec also plays a vital role in the routing architecture required for internetworking. It assures that:


router advertisements come from authorized routers

neighbor advertisements come from authorized routers

redirect messages come from the router to which initial packet was sent

A routing update is not forged.

5.4 IP SECURITY ARCHITECTURE

To understand IP Security architecture, we examine IPSec documents first and then move on to
IPSec services and Security Associations.

IPSec Documents

The IPSec specification consists of numerous documents. The most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and 2408:

RFC 2401: An overview of a security architecture

RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

RFC 2408: Specification of key management capabilities

(These RFCs have since been superseded: RFC 4301 replaces the architecture, RFC 4302 AH, RFC 4303 ESP, and IKEv2 in RFC 7296 replaces the ISAKMP/Oakley key management described in this unit; the concepts are unchanged.)

Support for these features was originally mandatory for IPv6 and optional for IPv4 (current IPv6 node requirements have relaxed this to "should"). In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header. In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups, as depicted in the following figure:


Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.

Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.

Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.

Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.

Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.

Key Management: Documents that describe key management schemes.

Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

IPSec Services

IPSec provides its services at the IP layer through two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Before traffic flows, the system selects the security protocol(s), the algorithms and the cryptographic keys required to provide the requested services. The IPSec services are as follows:

Access control: Traffic is processed only according to the local security policy; packets for which no policy permits communication are dropped, and keys are distributed only to authorized peers.

Connectionless integrity: Each datagram is protected on its own (IP is connectionless), so that undetected modification in transit is not possible. Provided by AH, and by ESP when its authentication option is used.

Data origin authentication: The receiver can verify that a packet was sent by the peer holding the SA's key and not by an impostor; this defeats IP address spoofing.

Rejection of replayed packets: Duplicate or replayed packets are identified and discarded using the Sequence Number field in both AH and ESP, together with a receiver-side window.

Confidentiality: Provided by ESP, which encrypts the packet payload (and in tunnel mode the entire inner packet) into ciphertext that an eavesdropper cannot read.

Limited traffic flow confidentiality: ESP padding conceals the true length of packets and tunnel mode hides the inner source and destination addresses; the number and timing of packets between the gateways remain visible, hence "limited".

5.5 SECURITY ASSOCIATIONS

Since IPSec is designed to use various security protocols and algorithms, it uses Security Associations (SAs) to record which of them apply to a given flow. An SA is a one-way (simplex) relationship between a sender and a receiver that affords security services to the traffic carried on it; for two-way protected traffic, two SAs are required, one in each direction. The SA's parameters are held in the Security Association Database (SAD). The receiver chooses the Security Parameters Index (SPI) when the SA is established, and the sender places it in every AH or ESP header so that the receiver can locate the SA. A security association is uniquely identified by three parameters:

Security Parameters Index (SPI): A 32-bit value assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.

IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.

Security Protocol Identifier: This indicates whether the association is an AH or an ESP security association.

SA Parameters

In each IPSec implementation, there is a nominal Security Association Database that defines the
parameters associated with each SA. A security association is normally defined by the following
parameters:

Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or
ESP headers
Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number
Counter should generate an auditable event and prevent further transmission of packets on this SA
(required for all implementations).
Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay
AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used
with AH (required for AH implementations).
ESP Information: Encryption and authentication algorithm, keys, initialization values, key
lifetimes, and related parameters being used with ESP (required for ESP implementations).
Lifetime of This Security Association: A time interval or byte count after which an SA must be
replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions
should occur (required for all implementations).
IPSec Protocol Mode: Tunnel, transport, or wildcard (required for all implementations).
Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be
transmitted without fragmentation) and aging variables (required for all implementations).

5.6 TRANSPORT AND TUNNEL MODE

Both AH and ESP support two modes of use: transport and tunnel mode. Transport mode protects the payload of the original IP packet (typically used host to host); tunnel mode protects an entire IP packet by wrapping it in a new outer IP packet (typically used between security gateways, with the inner packet's addresses hidden from the network). The coverage of each protocol in each mode is:

                          Transport Mode SA                    Tunnel Mode SA
AH                        Authenticates IP payload and         Authenticates entire inner IP
                          selected portions of IP header       packet plus selected portions
                          and IPv6 extension headers           of outer IP header
ESP                       Encrypts IP payload and any          Encrypts inner IP packet
                          IPv6 extension headers
ESP with authentication   Encrypts IP payload and any          Encrypts inner IP packet.
                          IPv6 extension headers.              Authenticates inner IP packet
                          Authenticates IP payload but
                          no IP header

5.7 AUTHENTICATION HEADER

The Authentication Header provides support for data integrity and authentication of IP packets. The data integrity feature ensures that undetected modification to a packet's content in transit is not possible. The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly; it also prevents the address spoofing attacks observed in today's Internet. The AH also guards against the replay attack. Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key. The Authentication Header consists of the following fields:

Next Header (8 bits): Identifies the type of header immediately following this header.

Payload Length (8 bits): Length of the Authentication Header in 32-bit words, minus 2. For example, the default length of the Authentication Data field is 96 bits, or three 32-bit words. With a three-word fixed header, there are a total of six words in the header, and the Payload Length field has a value of 4.

Reserved (16 bits): For future use; set to zero.

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value, discussed below.

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.

Anti-Replay Service

A replay attack is one in which an attacker captures an authenticated packet in transit, makes one or more copies of it, and later sends the copies to the destination; because the copies carry a valid MAC, the receiver would otherwise accept and process them again. The Sequence Number field is designed to thwart such attacks.

When a new SA is established, the sender initializes a sequence number counter to 0. Each time a packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number field. Thus, the first value to be used is 1. The counter must not wrap: if the limit of 2^32 - 1 is reached, the sender must terminate this SA and negotiate a new SA with a new key. (Because IP is connectionless and packets may be reordered or lost, the receiver cannot simply require that sequence numbers arrive in order.)

The IPSec authentication document dictates that the receiver should implement a window of size W, with a default of W = 64. The right edge of the window represents the highest sequence number, N, so far received for a valid packet. For any packet with a sequence number in the range from N-W+1 to N that has been correctly received (i.e., properly authenticated), the corresponding slot in the window is marked. Inbound processing proceeds as follows when a packet is received:

1. If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked.

2. If the received packet is to the right of the window and is new, the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked.

3. If the received packet is to the left of the window, or if authentication fails, the packet is discarded; this is an auditable event.

Note that the window is updated only after the MAC verifies, so an attacker who cannot forge the MAC cannot advance the window and cause legitimate packets to be rejected.
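The sender counter and the receiver's sliding window described above, implemented as an added example (this is not code from the original notes). The window size, the sequence of packets and the `mac_ok` flag that stands in for the MAC check are constructed for the demonstration; the decision order (window test before MAC, mark only after MAC) is the point being shown.

```python
SEQ_MAX = 2**32 - 1


class SequenceCounter:
    """Sender side: the counter starts at 0 and the first value sent is 1.
    Reaching 2^32 - 1 exhausts the SA; it must be torn down and renegotiated
    with a new key rather than wrapping."""

    def __init__(self):
        self.value = 0

    def exhausted(self) -> bool:
        return self.value >= SEQ_MAX

    def next(self) -> int:
        if self.exhausted():
            raise OverflowError("sequence space exhausted: negotiate a new SA")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver side sliding window of W slots (default 64). `right` is N,
    the highest sequence number accepted so far; bit i of `mask` records
    that N - i has already been received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0
        self.mask = 0

    def is_new(self, seq: int) -> bool:
        """True if seq is right of the window, or inside it and unmarked."""
        if seq > self.right:
            return True
        return not (self.mask >> (self.right - seq)) & 1

    def mark(self, seq: int) -> None:
        """Record seq; only called after the packet's MAC verified."""
        if seq > self.right:
            shift = seq - self.right
            self.mask = ((self.mask << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.mask |= 1 << (self.right - seq)

    def receive(self, seq: int, mac_ok: bool) -> str:
        """Inbound decision for one packet. The cheap window test runs
        before the MAC, so replays cost the receiver no HMAC computation."""
        if seq < 1 or seq <= self.right - self.size:
            return "stale"          # left of window: discard, audit
        if not self.is_new(seq):
            return "replay"         # already marked: discard, audit
        if not mac_ok:
            return "bad-mac"        # authentication failed: discard, audit
        self.mark(seq)
        return "accept"


def simulate(events, size: int = 64):
    """events: list of (sequence number, MAC verified?) pairs as seen by one
    receiver (constructed input); returns the decision for each in order."""
    window = AntiReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in events]
```

With W = 64 and N = 70 the window covers 7..70, so sequence number 6 is rejected as stale even though it was never seen, while 200 is accepted and slides the window to 137..200; that is the trade-off between tolerance for reordering and memory for the bitmap.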
Integrity Check Value

The ICV is the value carried in the Authentication Data field of AH (and of ESP when its authentication option is used). It is a truncated message authentication code (MAC) that detects any undesired modification of the covered data during transit. The specification requires support for HMAC with the MD5 and SHA-1 hash codes:

HMAC-MD5-96

HMAC-SHA-1-96

In both cases, the full HMAC value is calculated and then truncated by keeping the first 96 bits, which is the default length of the Authentication Data field. (Current IPsec profiles require HMAC-SHA2-256-128 and no longer permit HMAC-MD5-96; HMAC-SHA-1-96 is legacy.) For AH, the MAC is calculated over:

IP header fields that either do not change in transit (immutable) or that are predictable in value upon arrival at the endpoint for the AH SA. Fields that may change in transit and whose value on arrival is unpredictable (e.g., TTL, header checksum) are set to zero for purposes of calculation at both source and destination.

The AH header other than the Authentication Data field. The Authentication Data field is set to zero for purposes of calculation at both source and destination.

The entire upper-level protocol data, which is assumed to be immutable in transit (e.g., a TCP segment or an inner IP packet in tunnel mode).
Transport and Tunnel Modes

The following figure shows typical IPv4 and IPv6 packets. In this case, the IP payload is a TCP segment; it could also be a data unit for any other protocol that uses IP, such as UDP or ICMP.

For transport mode AH using IPv4, the AH is inserted after the original IP header and before the IP payload (e.g., a TCP segment). The Protocol field of the IP header is set to 51 (AH) and the AH Next Header field carries the original protocol number (e.g., 6 for TCP). Authentication covers the entire packet, excluding mutable fields in the IPv4 header that are set to zero for MAC calculation. In the context of IPv6, AH is viewed as an end-to-end payload; that is, it is not examined or processed by intermediate routers. Therefore, the AH appears after the IPv6 base header and the hop-by-hop, routing, and fragment extension headers. The destination options extension header could appear before or after the AH header, depending on the semantics desired. Again, authentication covers the entire packet, excluding mutable fields that are set to zero for MAC calculation.
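An added example, not from the original notes, of the ICV computation and the transport-mode AH layout for IPv4 described above: it builds IP | AH | TCP, zeroes the mutable IPv4 fields and the Authentication Data field, computes HMAC-SHA-1-96, and shows that a router's TTL decrement leaves the ICV valid while any change to a covered byte does not. The key, SPI, addresses and "TCP segment" are constructed for the example; only the Python standard library is used.

```python
import hashlib
import hmac
import socket
import struct

# Constructed SA parameters for the example: a shared HMAC-SHA-1 key and SPI.
AH_KEY = bytes.fromhex("0b" * 20)
AH_SPI = 0x00001234
ICV_LEN = 12                 # HMAC-SHA-1-96: the 20-byte HMAC truncated to 96 bits
AH_FIXED_LEN = 12            # Next Header, Payload Len, Reserved, SPI, Sequence Number
IPPROTO_TCP, IPPROTO_AH = 6, 51


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options. The header checksum is
    left at 0: it is mutable and is zeroed for the ICV in any case."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x4242, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Fields RFC 2402 classes as mutable (unpredictable on arrival) are
    zeroed before hashing: ToS, Flags/Fragment Offset, TTL, Header Checksum.
    Version/IHL, Total Length, Identification, Protocol and the addresses
    are immutable and stay as they are."""
    h = bytearray(hdr)
    h[1] = 0                    # ToS (DSCP/ECN)
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_fixed(next_header: int, spi: int, seq: int, icv_len: int = ICV_LEN) -> bytes:
    # Payload Length = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (AH_FIXED_LEN + icv_len) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def ah_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, upper: bytes, icv_len: int = ICV_LEN) -> bytes:
    """MAC over: IP header with mutable fields zeroed | AH fixed part with the
    Authentication Data field zeroed | the entire upper-layer data."""
    covered = zero_mutable_ipv4(ip_hdr) + ah_hdr + bytes(icv_len) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:icv_len]


def build_ah_transport(src: str, dst: str, tcp_segment: bytes, seq: int) -> bytes:
    """Transport mode: original IP header (Protocol = 51) | AH | TCP segment."""
    total = 20 + AH_FIXED_LEN + ICV_LEN + len(tcp_segment)
    ip = ipv4_header(src, dst, total, IPPROTO_AH)
    ah = ah_fixed(IPPROTO_TCP, AH_SPI, seq)
    return ip + ah + ah_icv(AH_KEY, ip, ah, tcp_segment) + tcp_segment


def verify_ah_transport(key: bytes, packet: bytes):
    """Receiver side: recompute the ICV over the packet as received and
    compare in constant time. Returns (ok, spi, seq, next_header)."""
    ip, ah = packet[:20], packet[20:20 + AH_FIXED_LEN]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah)
    icv_len = (payload_len + 2) * 4 - AH_FIXED_LEN
    icv_start = 20 + AH_FIXED_LEN
    icv, upper = packet[icv_start:icv_start + icv_len], packet[icv_start + icv_len:]
    expected = ah_icv(key, ip, ah, upper, icv_len)
    return hmac.compare_digest(icv, expected), spi, seq, next_header


def router_hop(packet: bytes) -> bytes:
    """What an intermediate router does: decrement TTL (a mutable field)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def flip_bit(packet: bytes, offset: int) -> bytes:
    """Tamper with one byte of the packet (attacker or corruption)."""
    p = bytearray(packet)
    p[offset] ^= 0x01
    return bytes(p)
```

The receiver must never trust the Payload Length field blindly in real code; here it is used to locate the ICV, so a production parser would first check that it is consistent with the datagram length.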

For tunnel mode AH, the entire original IP packet is authenticated, and the AH is inserted between the original IP header and a new outer IP header. The inner IP header carries the ultimate source and destination addresses, while the outer IP header may contain different IP addresses (e.g., addresses of firewalls or other security gateways). With tunnel mode, the entire inner IP packet, including the entire inner IP header, is protected by AH. The outer IP header (and in the case of IPv6, the outer IP extension headers) is protected except for mutable and unpredictable fields.

In summary, IPSec (both AH and ESP) can be used in either of these two modes; the choice is made per SA.

5.8 ENCAPSULATING SECURITY PAYLOAD

The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service.
ESP Format

The following figure shows the format of an ESP packet. It contains the following fields:

Security Parameters Index (32 bits): Identifies a security association.

Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH.

Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.

Padding (0-255 bytes): Used to expand the plaintext (payload plus the Pad Length and Next Header fields) to a multiple of the block size required by the encryption algorithm, and to ensure that the Pad Length and Next Header fields end on a 32-bit boundary. Additional padding may also be added to conceal the actual length of the payload, which provides partial traffic flow confidentiality.

Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.

Next Header (8 bits): Identifies the type of data contained in the Payload Data field by identifying the first header in that payload (for example, an extension header in IPv6, or an upper-layer protocol such as TCP).

Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field, i.e. from the SPI through the Next Header field.

Adding encryption makes ESP a bit more complicated than AH because the encapsulation surrounds the payload rather than preceding it: ESP has a header (SPI, Sequence Number) and a trailer (Padding, Pad Length, Next Header, followed by the optional Authentication Data). The SPI, Sequence Number and Authentication Data are sent in the clear; the Payload Data, Padding, Pad Length and Next Header are encrypted.
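ESP framing as an added example (not the notes' own code): padding to the cipher block size and 4-byte alignment, the Pad Length / Next Header trailer, and an ICV over SPI through ciphertext that is verified before anything is decrypted. It uses the NULL encryption algorithm (RFC 2410, ESP with authentication only) so that it runs with the standard library alone; a real cipher replaces `null_encrypt`/`null_decrypt` and the `block_size` argument. The key, SPI and payload are constructed for the example.

```python
import hashlib
import hmac
import struct

ESP_AUTH_KEY = bytes.fromhex("a5" * 20)   # constructed HMAC-SHA-1 key
ICV_LEN = 12                              # HMAC-SHA-1-96
ESP_HDR_LEN = 8                           # SPI + Sequence Number


def null_encrypt(data: bytes) -> bytes:
    """RFC 2410 NULL encryption: ESP framing with authentication only.
    A real cipher (e.g. AES-CBC, block size 16) would replace this pair."""
    return data


null_decrypt = null_encrypt


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """Pad so that payload | pad | Pad Length | Next Header is a multiple of
    the cipher block size and (an ESP requirement) 4-byte aligned. Default
    pad content per RFC 2406 is 1, 2, 3, ..., which the receiver may check."""
    align = max(block_size, 4)               # block sizes are powers of two here
    n = (-(payload_len + 2)) % align
    return bytes(range(1, n + 1))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              encrypt=null_encrypt, block_size: int = 1) -> bytes:
    """SPI | Seq | E(payload | pad | Pad Length | Next Header) | ICV.
    The ICV covers everything before it (SPI through ciphertext)."""
    pad = esp_padding(len(payload), block_size)
    plaintext = payload + pad + bytes([len(pad), next_header])
    body = struct.pack("!II", spi, seq) + encrypt(plaintext)
    icv = hmac.new(ESP_AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet: bytes, decrypt=null_decrypt):
    """Verify the ICV before decrypting anything, then peel the trailer.
    Returns (spi, seq, next_header, payload) or None on any failure."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(ESP_AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                           # auditable event, drop
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    plaintext = decrypt(body[ESP_HDR_LEN:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        return None                           # inconsistent trailer
    pad = plaintext[len(plaintext) - 2 - pad_len:-2]
    if pad != bytes(range(1, pad_len + 1)):
        return None                           # default padding check
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def flip_bit(packet: bytes, offset: int) -> bytes:
    """Tamper with one byte (attacker or corruption)."""
    p = bytearray(packet)
    p[offset] ^= 0x01
    return bytes(p)
```

Checking the ICV before decrypting is not a stylistic choice: decrypting attacker-controlled ciphertext first and then inspecting the padding is what makes padding-oracle attacks possible.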


Transport Mode ESP

Tunnel Mode ESP

5.9 BASIC COMBINATIONS OF SECURITY ASSOCIATIONS

The IPSec Architecture document lists four examples of combinations of SAs that must be supported by compliant IPSec hosts (e.g., workstation, server) or security gateways (e.g., firewall, router).

Case 1:

All security is provided between end systems that implement IPSec. For any two end systems to communicate via an SA, they must share the appropriate secret keys. Among the possible combinations:

a. AH in transport mode

b. ESP in transport mode

c. ESP followed by AH in transport mode (an ESP SA inside an AH SA)

d. Any one of a, b, or c inside an AH or ESP in tunnel mode

Case 2:

Security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPSec. This case illustrates simple virtual private network support. The security architecture document specifies that only a single tunnel SA is needed for this case. The tunnel could support AH, ESP, or ESP with the authentication option. Nested tunnels are not required because the IPSec services apply to the entire inner packet.

Case 3:

The third combination is similar to the second, but in addition provides security between the end hosts themselves. It uses two levels of SA: a gateway-to-gateway tunnel, which provides authentication, encryption or both for all traffic between the two networks, and inside it a host-to-host SA (transport or tunnel mode), which provides additional, end-to-end IPSec services to the individual hosts.

Case 4:

This combination is suitable for serving remote users: an end user sitting anywhere on the Internet can reach the organization's network through its firewall. Only one tunnel SA is needed between the remote host and the organizational firewall; inside it, one or two transport-mode SAs can be used between the remote host and an internal server.


Security Association Database (SAD)

The SAD holds the SAs. A Security Association (SA) is a one-way, cryptographically protected connection between a sender and a receiver that affords security services to traffic.

An SA entry contains the fields:

protocol identifier (ESP or AH)

mode (tunnel or transport)

algorithms for encryption/decryption/authentication and their respective keys

lifetime

SPI

sequence number (and anti-replay window)

SAs are built and managed either:

Static (manual) – keys and other attributes of the SA are manually configured by the system administrator. Practical for small, relatively static environments.

Dynamic (automated) – on-demand creation of SAs and keys, handled by the IKE protocol.

5.10 INTERNET KEY EXCHANGE (IKE)

Internet Key Exchange (IKE) is the key management protocol standardized for use with IPSec. It authenticates the two peers and negotiates the SAs, algorithms and keys that protect VPN and other IPSec traffic; it can be described as a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

IKE is a protocol that builds and manages IPSec SAs between two systems that implement IPSec. It is the only standard protocol for building IPSec SAs, so a standard IPSec implementation must also implement IKE. IKE (like IPSec) is carried out either between a pair of hosts, a pair of security gateways, or a host and a security gateway.

Endpoint-to-endpoint transport

Both endpoints of the IP connection implement IPSec.

Transport mode is used, with no inner IP header.

One of the protected endpoints can be behind a NAT node (NAT traversal then encapsulates the IPSec packets in UDP).

Expectations from IKE

Secrecy and authenticity

Protection against replay attacks

Scalability (being suitable for big networks)

Privacy and anonymity (protecting the identity of the parties in the protocol)

Protection against denial of service

Efficiency (both computational and in the number of messages)

Independence of cryptographic algorithms

Minimal protocol complexity

Reliability

The goal of a key exchange protocol is to agree on a shared key for the two participants while providing:

authenticity (each party knows who it shares the key with)

secrecy (no third party learns the key)

5.11 KEY MANAGEMENT

The key management portion of IPSec involves the determination and distribution of secret keys. The IPSec Architecture document mandates support for two types of key management:

Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.

Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley (the basis of IKE version 1, RFC 2409; its successor IKEv2, RFC 7296, folds both into a single protocol) and consists of the following elements:

Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats.

Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.


Oakley Key Determination Protocol

Oakley is a refinement of the Diffie-Hellman key exchange algorithm. The Diffie-Hellman algorithm has two attractive features:

Secret keys are created only when needed. There is no need to store secret keys for a long period of time, exposing them to increased vulnerability.

The exchange requires no pre-existing infrastructure other than an agreement on the global parameters.

However, Diffie-Hellman has some weaknesses:

No identity information about the parties is provided.

It is possible for a man-in-the-middle attack.

It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent requests a high number of keys.

Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley

The Oakley algorithm is characterized by five important features:

It employs a mechanism known as cookies to thwart clogging attacks.

It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.

It uses nonces to ensure against replay attacks.

It enables the exchange of Diffie-Hellman public key values.

It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

In a clogging attack, an opponent forges the source address of a legitimate user and sends a public Diffie-Hellman key to the victim. The victim then performs a modular exponentiation to compute the secret key. Repeated messages of this type can clog the victim's system with useless work. The cookie exchange requires that each side send a pseudorandom number, the cookie, in the initial message, which the other side acknowledges. This acknowledgment must be repeated in the first message of the Diffie-Hellman key exchange. Because an attacker using a forged source address never sees the cookie sent to that address, it cannot echo it, and the victim does no expensive work on its behalf. The recommended method for creating the cookie is to perform a fast hash (e.g., MD5; a modern implementation would use SHA-256) over the IP source and destination addresses, the UDP source and destination ports, and a locally generated secret value, so that the responder can verify an echoed cookie by recomputation without keeping per-initiator state. Oakley supports the use of different groups for the Diffie-Hellman key exchange. Each group includes the definition of the two global parameters and the identity of the algorithm. Oakley employs nonces to ensure against replay attacks. Each nonce is a locally generated pseudorandom number. Nonces appear in responses and are encrypted during certain portions of the exchange to secure their use. Three different authentication methods can be used with Oakley: digital signatures, public-key encryption and symmetric-key encryption.
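The cookie mechanism as an added example (not from the original notes): the responder derives each cookie from the IP/UDP 4-tuple and a local secret, so it keeps no state and a spoofing initiator that never sees the reply cannot produce a valid cookie. HMAC-SHA-256 stands in for the MD5 hash the notes mention; the addresses, ports and the `Responder` class are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

COOKIE_LEN = 8                   # ISAKMP/Oakley cookies are 64 bits
RESPONDER_IP, IKE_PORT = "192.0.2.1", 500   # constructed responder address


def make_cookie(secret: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Keyed hash over the IP/UDP 4-tuple and a local secret, truncated to
    the 64-bit cookie size (HMAC-SHA-256 here in place of the notes' MD5)."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", src_port, dst_port))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


class Responder:
    """Responder that performs no Diffie-Hellman work until the initiator
    has echoed a cookie that only a party at the claimed source address could
    have received. No per-initiator state is kept before that point."""

    def __init__(self, secret: bytes = None):
        self.secret = os.urandom(16) if secret is None else secret
        self.dh_exponentiations = 0

    def rotate_secret(self) -> None:
        """Periodic rotation invalidates every outstanding cookie."""
        self.secret = os.urandom(16)

    def cookie_request(self, src_ip: str, src_port: int) -> bytes:
        """First message: answer with a cookie only; nothing is stored."""
        return make_cookie(self.secret, src_ip, RESPONDER_IP, src_port, IKE_PORT)

    def key_exchange(self, src_ip: str, src_port: int, echoed_cookie: bytes) -> str:
        """The initiator's DH public value arrives with the cookie it claims
        to have been issued. Verify by recomputation, then (and only then)
        pay for the modular exponentiation."""
        expected = make_cookie(self.secret, src_ip, RESPONDER_IP, src_port, IKE_PORT)
        if not hmac.compare_digest(echoed_cookie, expected):
            return "dropped"
        self.dh_exponentiations += 1
        return "dh-accepted"


def clogging_attempt(responder: Responder, forged_src: str, attempts: int) -> int:
    """An attacker spoofing forged_src never sees the reply, so it can only
    guess cookies; returns how many DH computations it managed to cause."""
    before = responder.dh_exponentiations
    for i in range(attempts):
        responder.key_exchange(forged_src, 1024 + i, os.urandom(COOKIE_LEN))
    return responder.dh_exponentiations - before
```

The same idea survives in IKEv2 as the COOKIE notification: the responder can demand a stateless cookie round trip before committing resources whenever it detects a flood of half-open exchanges.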

Aggressive Oakley Key Exchange

Aggressive key exchange is a form of the Oakley exchange so called because only three messages are exchanged; it trades the identity protection of the longer exchange for fewer round trips.

Example of Aggressive Oakley Key Exchange

In the first step, the initiator (I) transmits a cookie, the group to be used, and I's public Diffie-Hellman key for this exchange. I also indicates the offered public-key encryption, hash, and authentication algorithms to be used in this exchange. Also included in this message are the identifiers of I and the responder (R) and I's nonce for this exchange. Finally, I appends a signature using I's private key that signs the two identifiers, the nonce, the group, the Diffie-Hellman public key, and the offered algorithms.

When R receives the message, R verifies the signature using I's public signing key. R acknowledges the message by echoing back I's cookie, identifier, and nonce, as well as the group. R also includes in the message a cookie, R's Diffie-Hellman public key, the selected algorithms (which must be among the offered algorithms), R's identifier, and R's nonce for this exchange. Finally, R appends a signature using R's private key that signs the two identifiers, the two nonces, the group, the two Diffie-Hellman public keys, and the selected algorithms.

When I receives the second message, I verifies the signature using R's public key. The nonce values in the message assure that this is not a replay of an old message. To complete the exchange, I must send a message back to R to verify that I has received R's public key.

ISAKMP

ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete security associations. As part of SA establishment, ISAKMP defines payloads for exchanging key generation and authentication data.

ISAKMP Header Format

An ISAKMP message consists of an ISAKMP header followed by one or more payloads, and is carried over UDP (port 500). The header format is shown below:

Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA deletion.

Responder Cookie (64 bits): Cookie of the responding entity; null in the first message from the initiator.

Next Payload (8 bits): Indicates the type of the first payload in the message.

Major Version (4 bits): Indicates the major version of ISAKMP in use.

Minor Version (4 bits): Indicates the minor version in use.

Exchange Type (8 bits): Indicates the type of exchange: base, identity protection, authentication only, aggressive or informational.

Flags (8 bits): Indicates specific options set for this ISAKMP exchange. Two bits are defined: the Encryption bit is set if all payloads following the header are encrypted using the encryption algorithm for this SA; the Commit bit is used to ensure that encrypted material is not received prior to completion of SA establishment.

Message ID (32 bits): Unique ID for this message.

Length (32 bits): Length of the total message (header plus all payloads) in octets.

ISAKMP Payload Types

All ISAKMP payloads begin with the same generic payload header shown below.

The Next Payload field has a value of 0 if this is the last payload in the message; otherwise its value
is the type of the next payload. The Payload Length field indicates the length in octets of this payload,
including the generic payload header. There are many different ISAKMP payload types. They are:

The SA payload is used to begin the establishment of an SA. The Domain of Interpretation parameter
identifies the DOI under which negotiation is taking place. The Situation parameter defines the
security policy for this negotiation; in essence, the levels of security required for encryption and
confidentiality are specified (e.g., sensitivity level, security compartment).

The Proposal payload contains information used during SA negotiation. The payload indicates the
protocol for this SA (ESP or AH) for which services and mechanisms are being negotiated. The
payload also includes the sending entity's SPI and the number of transforms. Each transform is
contained in a transform payload.

The Transform payload defines a security transform to be used to secure the communications channel
for the designated protocol. The Transform # parameter serves to identify this particular payload so
that the responder may use it to indicate acceptance of this transform. The Transform-ID and
Attributes fields identify a specific transform (e.g., 3DES for ESP, HMAC-SHA-1-96 for AH) with
its associated attributes (e.g., hash length).

The Key Exchange payload can be used for a variety of key exchange techniques, including Oakley,
Diffie-Hellman, and the RSA-based key exchange used by PGP. The Key Exchange Data field
contains the data required to generate a session key and is dependent on the key exchange algorithm
used.

The Identification payload is used to determine the identity of communicating peers and may be used
for determining the authenticity of information. Typically the ID Data field will contain an IPv4 or
IPv6 address.

The Certificate payload transfers a public-key certificate. The Certificate Encoding field indicates the
type of certificate or certificate-related information, which may include SPKI, ARL, CRL, PGP info,
etc. At any point in an ISAKMP exchange, the sender may include a Certificate Request payload to
request the certificate of the other communicating entity.

The Hash payload contains data generated by a hash function over some part of the message and/or
ISAKMP state. This payload may be used to verify the integrity of the data in a message or to
authenticate the negotiating entities.

The Signature payload contains data generated by a digital signature function over some part of the
message and/or ISAKMP state. This payload is used to verify the integrity of the data in a message
and may be used for non-repudiation services.

The Nonce payload contains random data used to guarantee liveness during an exchange and to
protect against replay attacks.

The Notification payload contains either error or status information associated with this SA or this
SA negotiation. Some of the ISAKMP error messages that have been defined are Invalid Flags,
Invalid Cookie, Payload Malformed, etc.

The Delete payload indicates one or more SAs that the sender has deleted from its database and that
therefore are no longer valid.
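Added example (not from the notes or from any IKE implementation): a parser for the ISAKMP header and the generic payload header described above, which walks the payload chain by Next Payload and Payload Length and rejects any length that disagrees with the bytes actually held. The field layout follows the text; the exchange-type and payload-type codes are the RFC 2408 assignments, and the sample message is constructed here, not a captured packet.

```python
import struct
from dataclasses import dataclass

HEADER_LEN = 28      # 8 + 8 + 1 + 1 + 1 + 1 + 4 + 4 octets
GENERIC_HDR_LEN = 4  # Next Payload (1), RESERVED (1), Payload Length (2)

# The two flag bits named in the text.
FLAG_ENCRYPTION = 0x01
FLAG_COMMIT = 0x02

# Exchange type codes as assigned in RFC 2408.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}

# Payload type codes as assigned in RFC 2408 (0 means "no next payload").
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete"}

@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed 28-octet header; the version octet packs major << 4 | minor."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    return IsakmpHeader(icookie, rcookie, next_payload, version >> 4,
                        version & 0x0F, exch, flags, msg_id, length)

def parse_message(data: bytes):
    """Return (header, [(payload type name, body bytes), ...]) for one datagram.
    Each length is checked against the bytes actually held before it is used."""
    hdr = parse_header(data)
    if hdr.length != len(data):
        raise ValueError(f"header length {hdr.length} != datagram length {len(data)}")
    if hdr.exchange_type not in EXCHANGE_TYPES:
        raise ValueError(f"unknown exchange type {hdr.exchange_type}")
    if hdr.flags & FLAG_ENCRYPTION:
        # Everything after the header is ciphertext under the SA's algorithm;
        # the payload chain cannot be walked until it has been decrypted.
        return hdr, [("encrypted", data[HEADER_LEN:])]
    payloads, ptype, off = [], hdr.next_payload, HEADER_LEN
    while ptype != 0:
        if off + GENERIC_HDR_LEN > len(data):
            raise ValueError(f"truncated generic payload header at offset {off}")
        next_ptype, _reserved, plen = struct.unpack("!BBH", data[off:off + GENERIC_HDR_LEN])
        # Payload Length includes the generic header, so a value below 4 or one
        # reaching past the datagram is malformed.
        if plen < GENERIC_HDR_LEN or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        if ptype not in PAYLOAD_TYPES:
            raise ValueError(f"unknown payload type {ptype}")
        payloads.append((PAYLOAD_TYPES[ptype], data[off + GENERIC_HDR_LEN:off + plen]))
        ptype, off = next_ptype, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return hdr, payloads

def rejects(data: bytes) -> bool:
    """True if parse_message refuses the datagram; used for negative checks."""
    try:
        parse_message(data)
    except ValueError:
        return True
    return False

def build_message(icookie, rcookie, exchange_type, flags, msg_id, payloads):
    """Serialize (type code, body) pairs behind a version 1.0 header, chaining each
    Next Payload field to the following payload (0 after the last one)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_ptype = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_ptype, 0, GENERIC_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10,
                         exchange_type, flags, msg_id, HEADER_LEN + len(body))
    return header + body

# Constructed first message of an aggressive exchange: initiator cookie set,
# responder cookie null (as the text says for the initiator's first message),
# carrying SA, Key Exchange, Nonce and Identification payloads with dummy bodies.
SAMPLE_FIRST_MESSAGE = build_message(
    icookie=bytes.fromhex("0011223344556677"), rcookie=bytes(8),
    exchange_type=4, flags=0, msg_id=0,
    payloads=[(1, b"\x00" * 12), (4, b"\xaa" * 16), (10, b"\xbb" * 8), (5, b"\x01" * 6)])
```

Flipping the Encryption bit on the sample shows why the Commit bit matters in practice: once the flag is set the parser can no longer see the payload chain at all, so it must not accept encrypted material before the SA is complete.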
ISAKMP Exchanges

ISAKMP provides a framework for message exchange, with the payload types serving as the
building blocks. The specification identifies five default exchange types that should be supported.


Base Exchange: allows key exchange and authentication material to be transmitted together. This
minimizes the number of exchanges at the expense of not providing identity protection.

The first two messages provide cookies and establish an SA with agreed protocol and transforms;
both sides use a nonce to ensure against replay attacks. The last two messages exchange the key
material and user IDs, with an authentication mechanism used to authenticate keys, identities, and
the nonces from the first two messages.

Identity Protection Exchange: expands the Base Exchange to protect the users' identities.

The first two messages establish the SA. The next two messages perform key exchange, with
nonces for replay protection. Once the session key has been computed, the two parties
exchange encrypted messages that contain authentication information, such as digital signatures and
optionally certificates validating the public keys.

Authentication Only Exchange: used to perform mutual authentication, without a key exchange.

The first two messages establish the SA. In addition, the responder uses the second message to convey
its ID and uses authentication to protect the message. The initiator sends the third message to transmit
its authenticated ID.

Aggressive Exchange: minimizes the number of exchanges at the expense of not providing identity
protection.

In the first message, the initiator proposes an SA with associated offered protocol and transform
options. The initiator also begins the key exchange and provides its ID. In the second message, the
responder indicates its acceptance of the SA with a particular protocol and transform, completes the
key exchange, and authenticates the transmitted information. In the third message, the initiator
transmits an authentication result that covers the previous information, encrypted using the shared
secret session key.

Informational Exchange: used for one-way transmittal of information for SA management.

Electronic voting (also known as e-voting) is voting that uses electronic means to either aid or take
care of casting and counting votes.

Depending on the particular implementation, e-voting may use standalone electronic voting machines
(also called EVMs) or computers connected to the Internet. It may encompass a range of Internet
services, from basic transmission of tabulated results to full-function online voting through common
connectable household devices. The degree of automation may be limited to marking a paper ballot,
or may be a comprehensive system of vote input, vote recording, data encryption and transmission to
servers, and consolidation and tabulation of election results.

A worthy e-voting system must perform most of these tasks while complying with a set of standards
established by regulatory bodies, and must also be capable of dealing successfully with the
strong requirements associated with security, accuracy, integrity, swiftness, privacy, auditability,
accessibility, cost-effectiveness, scalability and ecological sustainability.

Electronic voting technology can include punched cards, optical scan voting systems and specialized
voting kiosks (including self-contained direct-recording electronic voting systems, or DRE). It can
also involve transmission of ballots and votes via telephones, private computer networks, or the
Internet.

5.12 SECURE INTER-BRANCH PAYMENT TRANSACTIONS

Points for classroom discussion

What is the technology to achieve non-repudiation? How is this guaranteed?

How is the problem of key distribution resolved in PKI?

Why are cryptographic toolkits required?

How can smart cards be used in cryptography?

General Bank Of India (GBI) has implemented an Electronic Payment System called EPS in about
1200 branches across the country. This system transfers payment instructions between two
computerized branches of GBI. A central server is maintained at the EPS office located in Mumbai.
The branch offices connect to the local VSAT of a private network by using a dial-up connection. The
local VSAT has connectivity established with the EPS office. GBI utilizes its proprietary messaging
service called GBI-Transfer to exchange payment instructions.

Currently, EPS has minimal data security. As the system operates in a closed network, the current
security infrastructure may suffice. The data moving across the network is in encrypted
format.

Current EPS Architecture

EPS is used to transmit payment details from the payer branch to the
payee branch via the central server in Mumbai. Fig. 10.5 depicts the flow, which is also described
step-by-step.


A typical payment transfer takes the following steps:

1. A data-entry person in the Payer Branch enters transaction details through the EPS interface.

2. A Bank Officer checks the validity of the transaction through the EPS interface.

3. After validating the transaction, the Bank Officer authorizes the transaction. The authorized transaction
is stored in a local Payment Master (PM) database.

4. Once the transaction is stored in PM, a copy of the same is encrypted and stored in a file. This
transaction file is stored in the OUT directory.

5. The GBI-Transfer application looks for any pending transactions (i.e. for the presence of any files in
the OUT directory) by a polling mechanism and, if it finds such transactions, it sends all these files
one-by-one to the EPS central office located in Mumbai by dialing the local VSAT.

6. The local VSAT gets connectivity to the EPS central office and the transaction is transferred and
stored in the IN directory at the EPS central office.

7. The interface program at the EPS central office collects the file pending in the IN directory and
sends it to the PM application at that office.

8. In order to send the Credit Request to PM, the transaction headers are changed. The transaction with
changed headers, in encrypted format, is then placed in the OUT directory of the EPS central office.

9. The GBI-Transfer application at the EPS central office collects the transactions pending in the OUT
directory and sends them to the Payee Bank through the VSAT.

10. The transaction is transferred and stored in the IN directory of the Payee Branch.

11. The interface program at the Payee Branch collects the transaction and posts it in PM.

12. PM marks the credit entry and returns an acknowledgement of the same. The
acknowledgement is placed in the OUT directory of the Payee Branch.

13. The acknowledgement is picked up by GBI-Transfer at the Payee Branch and sent to the EPS central
office through the VSAT.

14. The EPS central office receives the credit acknowledgement and forwards it to the Payer Branch.

15. The Payer Branch receives the credit acknowledgement receipt. This completes the transaction.

Requirements to Enhance EPS

As GBI is in the process of complete automation and setting up
connectivity over the Internet or a private network, they need to ensure stringent security measures,
which demand the usage of a Public Key Infrastructure (PKI) framework.

As a part of implementing security, GBI wants the following aspects to be ensured:

Non-repudiation (Digital Signatures)

Encryption – 128-bit (upgrade from the current 56-bit encryption)

Smart card support for storing sensitive data & on-card digital signing

Closed loop Public Key Infrastructure

Proposed Solution

Since providing cryptographic functionalities requires the usage of a
cryptographic toolkit, it is assumed that GBI will implement an appropriate Certification Authority
(CA) infrastructure and a PKI infrastructure offering.

The transaction will be digitally signed and encrypted/decrypted at the Payer and Payee branches, as
well as at the EPS central office. The signing operation can be performed on the system or on external
hardware like a smart card. On the server side, a provision for automated signing without any
manual intervention will be provided.

The transaction flow described earlier would now be split into two legs:

The Payer Leg (Payer Branch to the EPS central office)

The Payee Leg (EPS central office to the Payee Branch)

The architecture for the Payer Leg is shown in Fig. 10.6. As shown, after verifying the transaction,
the EPS Officer authorizes the transaction at the Payer Branch. Internally, the application digitally
signs the transaction. This signature, along with the transaction data, is stored in the local PM Database
and then encrypted and placed in the IN directory. For signature and encryption, a cryptographic
toolkit is required at the Payer Branch. The signed-and-encrypted transaction is sent to the EPS
central office in the same way as before.

The encrypted file is decrypted at EPS central office. Before storing the transaction in the database,
the digital signature is verified using an appropriate cryptographic toolkit. The verification process
may also check the status of the user’s digital certificate by either CRL or OCSP check. If the status
of the certificate is invalid, the transaction will be rejected, otherwise it will be stored in the local PM
database.

On the Payee Leg, the EPS central office will create a Credit Request as before, sign and encrypt it
with the bank officer’s digital certificate. This signed-and-encrypted request will be forwarded to the
Payee Branch. The flow is shown in Fig. 10.7.


In the Payee Leg, the PM software at the EPS central office will generate a Credit Request for the
Payee Bank. This request will be digitally signed. The signature along with the Credit Request will
be encrypted and sent to the Payee Branch.

The Payee Branch will decrypt the Credit Request and verify the digital signature. If the signature
is verified successfully, the transaction is entered into the database. Otherwise, it gets rejected and the
status of the same is sent to the EPS central office. The Credit Response to the EPS central office can also
be digitally signed and encrypted in a similar fashion.

5.13 SECURE MULTI-PARTY COMPUTATION

Secure multi-party computation (also known as secure computation, multi-party computation/MPC,
or privacy-preserving computation) is a subfield of cryptography with the goal of creating methods
for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike
traditional cryptographic tasks, where the adversary is outside the system of participants (an
eavesdropper on the sender and receiver), the adversary in this model controls actual participants.
These types of tasks started in the late 1970s with the work on mental poker, cryptographic work
that simulates game playing over distances without requiring a trusted third party.

Single sign-on (SSO) is a property of access control of multiple related, yet independent, software
systems. With this property, a user logs in with a single ID and password to gain access to any of
the connected systems. It is often accomplished using the Lightweight Directory Access Protocol (LDAP)
and LDAP databases stored on (directory) servers. A simple version of single sign-on can be
achieved over IP networks using cookies, but only if the sites share a common DNS parent domain.

For clarity, it is best to refer to systems requiring authentication for each application but using the
same credentials from a directory server as Directory Server Authentication, and to systems where a
single authentication provides access to multiple applications by passing the authentication token
seamlessly to configured applications as single sign-on.

Conversely, single sign-off is the property whereby a single action of signing out terminates access
to multiple software systems.

As different applications and resources support different authentication mechanisms, single sign-on
must internally store the credentials used for initial authentication and translate them to the
credentials required for the different mechanisms.


5.14 CROSS SITE VULNERABILITY

CROSS SITE SCRIPTING (XSS) ATTACKS

• Cross site scripting (XSS) is a common attack vector that injects malicious
code into a vulnerable web application. XSS differs from other web attack vectors (e.g., SQL
injection), in that it does not directly target the application itself. Instead, the users of the web
application are the ones at risk.
• A successful cross site scripting attack can have devastating consequences for
an online business's reputation and its relationship with its clients.
• Depending on the severity of the attack, user accounts may be compromised,
Trojan horse programs activated and page content modified, misleading users into willingly
surrendering their private data. Finally, session cookies could be revealed, enabling a perpetrator to
impersonate valid users and abuse their private accounts.

Cross site scripting attacks can be broken down into two types: stored and reflected.

Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a
malicious script is injected directly into a vulnerable web application.

Reflected XSS involves reflecting a malicious script off of a web application onto a user's
browser. The script is embedded into a link, and is only activated once that link is clicked on.

To successfully execute a stored XSS attack, a perpetrator has to locate a vulnerability in a web
application and then inject malicious script into its server (e.g., via a comment field).

SCANNING FOR AND FINDING VULNERABILITIES IN CROSS SITE SCRIPTING

Use of vulnerability management tools, like AVDS, is standard practice for the discovery of this
vulnerability. The primary failure of VA in finding this vulnerability is related to setting the proper
scope and frequency of network scans. It is vital that the broadest range of hosts (active IPs) possible
is scanned and that scanning is done frequently. We recommend weekly. Your existing scanning
solution or set of test tools should make this not just possible, but easy and affordable.

PENETRATION TESTING (PENTEST) FOR THIS VULNERABILITY

Vulnerabilities in cross site scripting are prone to false positive reports by most vulnerability
assessment solutions. AVDS is alone in using behavior based testing that eliminates this issue. For
all other VA tools security consultants will recommend confirmation by direct observation. In any
case, penetration testing procedures for discovery of vulnerabilities in cross site scripting produce
the highest discovery accuracy rate, but the infrequency of this expensive form of testing degrades
its value. The ideal would be to have pen testing accuracy and the frequency and scope possibilities
of VA solutions, and this is accomplished only by AVDS.
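Added example (not from the notes or from any product named above): the stored-XSS shape this section describes, a comment field whose contents are later rendered into a page, shown as a vulnerable renderer beside a hardened one that encodes the text for its HTML context, plus a regression check that walks the rendered markup and reports any tag or inline event-handler attribute the template itself did not emit. The template and the sample comments are constructed here.

```python
import html
from html.parser import HTMLParser

# Fragment a comment thread renders once per stored comment (constructed).
TEMPLATE = '<li class="comment"><b>{author}</b>: {body}</li>'
TEMPLATE_TAGS = {"li", "b"}          # the only tags the template itself emits


def render_vulnerable(author: str, body: str) -> str:
    """Untrusted strings dropped straight into the page: any markup a
    commenter submitted is parsed as part of the document (stored XSS)."""
    return TEMPLATE.format(author=author, body=body)


def render_safe(author: str, body: str) -> str:
    """Same template, but every untrusted field is encoded for the HTML text
    context first; quote=True also covers quoted-attribute positions."""
    return TEMPLATE.format(author=html.escape(author, quote=True),
                           body=html.escape(body, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag and every on* attribute seen in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def unexpected_markup(fragment: str) -> list:
    """Tags outside the template's own set plus any inline event handler found
    in a rendered fragment. An empty list means the user data stayed text.
    This is a coarse regression check on rendered output, not a sanitizer."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    extra = [t for t in collector.tags if t not in TEMPLATE_TAGS]
    return extra + collector.event_handlers


# Constructed comments standing in for rows read back from the comment table;
# the second carries the kind of script the text describes being stored.
SAMPLE_COMMENTS = [
    ("alice", "Nice article, thanks!"),
    ("mallory", '<script>alert("xss")</script>'),
]


def audit(render) -> dict:
    """Render every sample comment with `render`; map author -> findings."""
    return {author: unexpected_markup(render(author, body))
            for author, body in SAMPLE_COMMENTS}
```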


UNIT WISE IMPORTANT QUESTIONS

UNIT-1

1. Define a security attack. Explain in detail the various types of attacks an internetwork is
vulnerable to.

2. Define Information Security and explain its significance in today's world. Also clearly
bring out the meaning of the following related terms: Computer Security, Network Security and
Internet Security with relevant examples.

3. Discuss the following terms in detail with relevant examples:
i. Interruption ii. Interception iii. Modification iv. Fabrication

4. Explain the different types of security attacks, security services and mechanisms.

5. Discuss the network security model with a neat illustration and explain the components of the
model.

6. Explain the substitution techniques a) Caesar Cipher b) Playfair Cipher c) Hill Cipher

7. Explain the transposition technique.

8. Compare and contrast Cryptography and Cryptology.

UNIT-2

1. With a neat block diagram explain the DES algorithm.

2. Explain the Blowfish algorithm.

3. With a neat illustration explain the Advanced Encryption Standard (AES) algorithm.

4. Write short notes on: (a) RC4 (b) Feistel cipher structure

5. Explain the Elgamal algorithm with an example.

6. Enumerate the various cipher block modes of operation.

7. Explain the IDEA algorithm.

8. Explain the structure of Conventional Public-key encryption with relevant illustrations.

9. Explain the RC5 algorithm.

10. Explain the RSA algorithm.

11. Explain Diffie-Hellman Key Exchange.

UNIT-3

1. Explain the importance of secure hash functions with relevant examples.

2. Describe the various requirements of message authentication.

3. Explain the Elgamal Digital Signature Scheme.

4. Explain the various steps involved in the HMAC algorithm.

5. Explain the Secure Hash Algorithm (SHA-1) in detail.

6. Describe Symmetric Key Distribution Using Symmetric & Asymmetric Encryption.

7. Explain the types of digital signature.

8. Explain Kerberos.

9. Explain the X.509 authentication service.

10. Discuss Distribution of Public Keys.

UNIT-4

1. What are the two levels of alerts? List the alerts under them.

2. Discuss how the SSL record protocol provides confidentiality and message integrity for SSL
connections.

3. Clearly explain in detail the Multipurpose Internet Mail Extensions (MIME).

4. Explain SSH in detail.

5. Explain HTTPS in detail.

6. Enumerate the various frames in wireless security.

7. Illustrate the versions of wireless LAN.

8. Explain the difference between IEEE 802.11 Wireless LAN and IEEE 802.11i Wireless LAN
Security.

9. Explain web security considerations.

10. Elaborate on mobile device security.

UNIT-5

1. Explain PGP (Pretty Good Privacy).

2. Discuss the features of S/MIME.

3. Explain the general format of a PGP message with a pictorial representation.

4. Discuss the documents regarding the IPSec protocol and its architecture.

5. Elaborate on the architecture header.

6. Enumerate the Encapsulating Security Payload.

7. Explain combining security associations.

8. Illustrate IKE in detail.

9. Explain secure inter-branch payment transactions.

UNIT WISE MULTIPLE CHOICE QUESTIONS


UNIT-1:

1. Which of the following pieces of information can be found in the IP header?
a) Source address of the IP packet
b) Destination address for the IP packet
c) Sequence number of the IP packet
d) Both (a) and (b) only

2. We also don't want our undeliverable packets to hop around forever. What feature/flag limits
the life of an IP packet on the network?
a) Time to Live counter
b) Subnet Mask
c) Header Checksum
d) Wackamole field

3. Which of the following are application-level encryption protocols that I would most likely use to
securely bank online?
a) SSL and SET
b) Verisign and SHA1
c) READY, SET, and GO
d) PGP, PEM, and SSL

4. We don't want our packets to get lost in transit. Which OSI layer is responsible for ordered
delivery of packets?
a) Network
b) Link
c) Transport
d) Physical

5. When my teleconference data packets reach the destination computer, what information in
the packet is used by the destination computer to figure out that the packets belong to the
teleconferencing application?
a) Firewall rules
b) Port numbers in the TCP/UDP header
c) Three-way handshake initiated at the start of the communication
d) IANA subnet class number in the first octet of the IP address

6. I want to request secure web pages using https://. What port will I need to open on my
firewall to allow these SSL-encrypted packets to flow?
a) 161
b) 53
c) 6000
d) 443

7. Based on what we have learned about TCP and UDP packet accounting mechanisms, which
transport control protocol would I most likely use for Internet Telephony/Teleconferencing
(Voice over IP)?
a) UDP - Because I don't want to retransmit if some of the packets get lost.
b) UDP - Because I want to make sure that no packets get lost.
c) TCP - Because I don't want to retransmit if some of the packets get lost.
d) TCP - Because I want to retransmit lost voice IP packets later on in the conversation.

8. What is the standard IANA port number used for requesting web pages?
a) 80
b) 53
c) 21
d) 25

9. In tunnel mode IPsec protects the
a) entire IP packet
b) IP header
c) IP payload
d) none of the mentioned

UNIT-II

1. What is the Data Encryption Standard (DES)?
a) Block cipher
b) Stream cipher
c) Bit cipher
d) None of the mentioned

2. Cryptanalysis is used
a) To find some insecurity in a cryptographic scheme
b) To increase the speed
c) To encrypt the data
d) None of the mentioned

3. Which one of the following is a cryptographic protocol used to secure HTTP connections?
a) Stream Control Transmission Protocol (SCTP)
b) Transport Layer Security (TLS)
c) Explicit Congestion Notification (ECN)
d) Resource Reservation Protocol

4. Voice privacy in the GSM cellular telephone protocol is provided by
a) A5/2 cipher
b) b5/4 cipher
c) b5/6 cipher
d) b5/8 cipher

5. The ElGamal encryption system is
a) a symmetric key encryption algorithm
b) an asymmetric key encryption algorithm
c) not an encryption algorithm
d) none of the mentioned

6. A cryptographic hash function takes an arbitrary block of data and returns
a) a fixed size bit string
b) a variable size bit string
c) both (a) and (b)
d) none of the mentioned

7. The Secure Shell (SSH) network protocol is used for
a) secure data communication
b) remote command-line login
c) remote command execution
d) all of the mentioned

8. SSH can be used in only
a) Unix-like operating systems
b) Windows
c) both (a) and (b)
d) none of the mentioned

9. SSH uses ______ to authenticate the remote computer.
a) public-key cryptography
b) private-key cryptography
c) both (a) and (b)
d) none of the mentioned

10. Which standard TCP port is assigned for contacting SSH servers?
a) port 21
b) port 22
c) port 23
d) port 24

UNIT-III

1. The SCP protocol evolved from ______ over SSH.
a) RCP protocol
b) DHCP protocol
c) MGCP protocol
d) none of the mentioned

2. Which one of the following authentication methods is used by SSH?
a) public-key
b) host based
c) password
d) all of the mentioned

3. The transport layer aggregates data from different applications into a single stream before passing it
to the
a) Network Layer
b) Data Link Layer
c) Application Layer
d) Physical Layer

4. Which one of the following is a transport layer protocol used in the Internet?
a) TCP
b) UDP
c) both (a) and (b)
d) none of the mentioned

5. The User Datagram Protocol is called connectionless because
a) all UDP packets are treated independently by the transport layer
b) it sends data as a stream of related packets
c) both (a) and (b)
d) none of the mentioned

6. Transmission Control Protocol is
a) a connection oriented protocol
b) uses a three way handshake to establish a connection
c) receives data from the application as a single stream
d) all of the mentioned

7. An endpoint of an inter-process communication flow across a computer network is called a
a) socket
b) pipe
c) port
d) none of the mentioned

8. The socket-style API for Windows is called
a) wsock
b) winsock
c) wins
d) none of the mentioned

9. Which one of the following is a version of UDP with congestion control?
a) datagram congestion control protocol
b) stream control transmission protocol
c) structured stream transport
d) none of the mentioned

10. A ______ is a TCP name for a transport service access point.
a) port
b) pipe
c) node
d) none of the mentioned


UNIT-IV

1. The network layer protocol of the Internet is
a) Ethernet
b) Internet Protocol
c) Hypertext Transfer Protocol
d) None of the mentioned

2. ICMP is primarily used for
a) Error and diagnostic functions
b) Addressing
c) Forwarding
d) None of the mentioned

3. ATM and frame relay are
a) virtual circuit networks
b) datagram networks
c) both (a) and (b)
d) none of the mentioned

4. ATM uses
a) asynchronous frequency division multiplexing
b) asynchronous time division multiplexing
c) asynchronous space division multiplexing
d) none of the mentioned

5. The ATM standard defines ______ layers.
a) 2
b) 3
c) 4

6. ATM can be used for
a) local area network
b) wide area network
c) both (a) and (b)
d) none of the mentioned

7. An ATM cell has a payload field of
a) 32 bytes
b) 48 bytes
c) 64 bytes
d) 128 bytes

8. Frame relay has error detection at the
a) physical layer
b) data link layer
c) network layer
d) transport layer

9. The virtual circuit identifier in frame relay is called
a) data link connection identifier
b) frame relay identifier
c) cell relay identifier
d) none of the mentioned

10. Frame relay has only
a) physical layer
b) data link layer
c) both (a) and (b)
d) none of the mentioned

UNIT-V

1. If the value in the protocol field is 17, the transport layer protocol used is ______.
a) TCP
b) UDP
c) Either of the mentioned
d) None of the mentioned

2. The data field can carry which of the following?
a) TCP segment
b) UDP segment
c) ICMP messages
d) None of the mentioned

3. What should be the flag value to indicate the last fragment?
a) 0
b) 1
c) TTL value
d) None of the mentioned

4. Which of these is not applicable for the IP protocol?
a) is connectionless
b) offers reliable service
c) offers unreliable service
d) None of the mentioned

5. Fragmentation has the following demerits
a) complicates routers
b) open to DoS attack
c) overlapping of fragments
d) All of the mentioned

6. Which field helps to check rearrangement of the fragments?
a) offset
b) flag
c) TTL
d) identifier

TUTORIAL QUESTIONS
UNIT-1

Explain security attacks.

Explain internetwork security

Explain how gateway works in internetwork security model

Explain about play fair with an example?

Discuss the following terms in detail with relevant examples:

Explain the network security model.

What is Steganography? Explain its features.

Elaborate with an example of any one type of transposition technique?

UNIT-2

1. Explain Block Cipher design principles.

2. Explain the AES algorithm.

3. Explain the RC4 algorithm in detail with an example.

4. Consider a Diffie-Hellman scheme with a common prime q=11 and a primitive root α=2.
   a) If user 'A' has public key YA=9, what is A's private key XA?
   b) If user 'B' has public key YB=3, what is the shared secret key K?

5. Compare block ciphers with stream ciphers.

6. Explain the conventional principles for encryption.

7. Describe the basic Feistel cipher structure for principle encryption algorithms.

8. Explain the basic DES algorithm and how it depends on the Feistel structure.

9. Describe public-key cryptography principles.

10. Explain how public key cryptography algorithms are framed depending upon the principles.

UNIT-3

1. Explain how SHA-512 works for message authentication.

2. Describe how hash functions were developed based on MACs.

3. Describe one-way hash functions for message authentication.

4. Explain Kerberos 4 and the version 4 authentication dialogue in detail.

5. Explain how certificates are issued using the X.509 authentication service.

6. Explain Kerberos realms and multiple Kerberi.

7. Explain the knapsack algorithm with an example.

8. Explain the DSA algorithm.

9. What is biometric authentication?

10. Explain how SHA-512 works for message authentication.

UNIT-4

1. Explain S/MIME.

2. Discuss the MIME content types.

3. What are the five principal services provided by PGP?

4. What are the different cryptographic algorithms used in S/MIME? Explain how S/MIME differs from MIME.

5. Enumerate the IP security architecture.

6. Explain the features of PGP.

7. Explain how key rings work during message authentication and encryption.

8. Explain S/MIME.

9. Describe the concepts of MIME.

10. Explain the following:
   a) Compatibility
   b) Key legitimacy
   c) Multipart and message types in MIME

UNIT-5

1. Describe the requirements in web security.

2. Describe how SSL works.

3. Explain TLS.

4. Describe SET in detail.

5. Explain the Secure Socket Layer (SSL) architecture with its requirements, with a neat diagram.

6. Explain the concept of intruders in detail.

7. Explain how the principles of firewalls work in security.

8. Write brief notes on intrusion detection systems.

ASSIGNMENT QUESTIONS

UNIT-1

SET-1
1. Explain in detail the various types of security services and mechanisms.
2. Consider the following: Plaintext: "PROTOCOL", Secret key: "NETWORK". What is the corresponding cipher text using the Playfair cipher method?

SET-2
1. What is the need for security?
2. Compare and contrast Cryptography and Cryptology.

SET-3
1. Explain the substitution techniques: a) Caesar Cipher b) Playfair Cipher c) Hill Cipher.
2. Define Information Security and explain its significance in today's world. Also clearly bring out the meaning of the following related terms: Computer Security, Network Security and Internet Security, with relevant examples.

SET-4
1. Define a security attack. Explain in detail the various types of attacks an internetwork is vulnerable to.
2. Describe in detail the Conventional Encryption Model.

SET-5
1. Discuss the network security model with a neat illustration and explain the components of the model.
2. Discuss the following terms in detail with relevant examples:
   i. Interruption ii. Interception iii. Modification iv. Fabrication.

UNIT-2

SET-1
1. Explain the RSA algorithm in detail.
2. Explain how key exchange is done using Diffie-Hellman key exchange.

SET-2
1. Explain the Blowfish algorithm.
2. Write short notes on: (a) Location of encryption devices (b) Feistel cipher.

SET-3
1. Explain the structure of Conventional and Public-key encryption with relevant illustrations.
2. Explain the various key distribution methods.

SET-4
1. Differentiate between the DES and AES algorithms.
2. Explain cipher block modes of operation in detail.

SET-5
1. Differentiate between the DES and AES algorithms.
2. Describe the approaches to key distribution in public key cryptosystems.

UNIT-3

SET-1
1. Explain Kerberos 4 and the version 4 authentication dialogue in detail.
2. Explain the importance of secure hash functions with relevant examples.

SET-2
1. Describe the various approaches to message authentication.
2. Enumerate the message authentication requirements.

SET-3
1. Explain the various codes in MAC.
2. Explain DSS.

SET-4
1. Explain the types of digital signature.
2. Explain the importance of secure hash functions with relevant examples.

SET-5
1. Explain the X.509 authentication service.
2. Discuss Biometric Authentication.

UNIT-4

SET-1
1. Discuss the Oakley key determination protocol.
2. Explain tunnel mode and transport mode functionality.

SET-2
1. Explain how Encapsulating Security Payload (ESP) works.
2. Discuss the purpose of SA selectors.

SET-3
1. Describe the five principal services that Pretty Good Privacy (PGP) provides.
2. Discuss the features of S/MIME.

SET-4
1. Discuss the purpose of SA selectors.
2. Clearly explain in detail the Multipurpose Internet Mail Extensions (MIME).

SET-5
1. Explain the general format of a PGP message with a pictorial representation.
2. Explain how key rings work during message authentication and encryption.

UNIT-5

SET-1
1. Explain TLS.
2. Discuss in detail the different types of firewalls.

SET-2
1. Explain the operations of the SSL Record Protocol.
2. List and explain the SET requirements.

SET-3
1. Discuss how the SSL Record Protocol provides confidentiality and message integrity for SSL connections.
2. Discuss the two techniques for developing an effective and efficient proactive password checker.

SET-4
1. What protocol is used to convey SSL-related alerts to the peer entity? Give the protocol format and describe the fields.
2. Explain the significance of the dual signature in SET.

SET-5
1. Explain the operations of the SSL Record Protocol.
2. With neat diagrams, show the differences between a screened host firewall (single-homed bastion) and a screened host firewall (dual-homed bastion).

CRYPTOGRAPHY AND NETWORK SECURITY DEPT OF IT

Code No: 126AQ


JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY HYDERABAD

B. Tech III Year II Semester Examinations, May - 2016


CRYPTOGRAPHY AND NETWORK SECURITY
(Computer Science and Engineering)
Time: 3 hours    Max. Marks: 75

Note: This question paper contains two parts A and B. Part A is compulsory which carries 25
marks. Answer all questions in Part A. Part B consists of 5 Units. Answer any one full question
from each unit. Each question carries 10 marks and may have a, b, c as sub questions.

PART- A (25 Marks)

1.a) What are the types of security attacks? [2]
b) Compare substitution ciphers with transposition ciphers. [3]
c) Compare block ciphers with stream ciphers. [2]
d) Write about the strength of the DES algorithm. [3]
e) What is a digital signature? [2]
f) What properties must a hash function have to be useful for message authentication? [3]
g) What are the various PGP services?
h) What parameters identify an SA and what parameters characterize the nature of a particular SA? [3]
i) What is cross site scripting vulnerability? [2]
j) What are the limitations of firewalls? [3]

PART-B (50 Marks)

2.a) Consider the following: Plaintext: "PROTOCOL" Secret key: "NETWORK"
What is the corresponding cipher text using the Playfair cipher method?
b) What is the need for security? [5+5]
OR
3.a) Explain the model of network security.
b) Write about steganography. [5+5]

4. Explain the AES algorithm.
OR
5.a) Consider a Diffie-Hellman scheme with a common prime q=11 and a primitive root α=2.
If user 'A' has public key YA=9, what is A's private key XA?


b) If user 'B' has public key YB=3, what is the shared secret key K? [5+5]

6. Explain the HMAC algorithm. [10]
OR
7.a) Explain the DSA algorithm.
b) What is biometric authentication? [5+5]

8.a) Explain the PGP trust model.
b) What are the key components of the internet mail architecture? [5+5]
OR
9.a) Explain MIME content types.
b) What are the five principal services provided by PGP? [5+5]

10. Explain secure electronic transaction. [10]
OR
11.a) Explain password management.
b) What are the types of firewalls? [5+5]

Code No: 126AQ

JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY HYDERABAD

B. Tech III Year II Semester Examinations, October/November - 2016

CRYPTOGRAPHY AND NETWORK SECURITY

(Computer Science and Engineering)

Time: 3 hours Max.Marks: 75

Note: This question paper contains two parts A and B. Part A is compulsory which carries 25
marks. Answer all questions in Part A. Part B consists of 5 Units. Answer any one full question
from each unit. Each question carries 10 marks and may have a, b, c as sub questions.

PART – A (25 Marks)

1.a) Explain the network security model. [2]
b) What are the two basic functions used in encryption algorithms? [3]
c) What are the advantages of Key Distribution? [2]
d) What are the principles of public key cryptosystems? [3]
e) List three approaches to Message Authentication. [2]
f) Explain the importance of the knapsack algorithm. [3]
g) What are the different approaches to Public-key Management? [2]
h) How does PGP provide public key management? [3]
i) What is Secure Socket Layer? [2]
j) What are the different alert codes of the TLS protocol? [3]

PART – B (50 Marks)

2.a) Explain the terminologies used in Encryption.
b) Describe in detail the Conventional Encryption Model. [5+5]
OR
3.a) Compare symmetric and asymmetric key cryptography.
b) What is Steganography? Explain its features. [5+5]

4.a) Differentiate linear and differential cryptanalysis.
b) Explain Block Cipher design principles. [5+5]
OR
5. Briefly explain the characteristics and operations of the RC4 encryption algorithm. [10]

6.a) What are the requirements of Authentication?
b) Discuss the Secure Hash Algorithm. [5+5]
OR
7.a) Explain the approaches for Digital Signatures based on Public Key Encryption.
b) Discuss Biometric Authentication. [5+5]

8. Briefly discuss the different services provided by Pretty Good Privacy (PGP). [10]
OR
9. What are the different cryptographic algorithms used in S/MIME? Explain how S/MIME is different from MIME. [10]

10.a) List and briefly define the parameters that define an SSL session state.
b) What are the different services provided by the SSL Record Protocol? [5+5]
OR
11.a) What is a Firewall? Explain its design principles and types with examples.
b) Discuss Password Management. [5+5]
