PGP & IP Security Pretty Good Privacy – PGP IP Security .


PGP & IP Security

Pretty Good Privacy – PGP

IP Security.


Pretty Good Privacy

Introduction - Benefits

Services of PGP

Format of PGP


IP Security

IP Security Overview

IP Security Architecture

Authentication Header

Security Associations

Electronic Mail Security

PRETTY GOOD PRIVACY

PGP provides a confidentiality & authentication service that can be used for electronic mail & file storage applications.

Reasons for the explosive growth of PGP:

1. It is available free worldwide in versions that run on a variety of platforms, including DOS/Windows, UNIX, Macintosh.

2. It is based on algorithms that have survived extensive public review & are considered extremely secure. Specifically, the package includes RSA, DSS, & Diffie-Hellman for public-key encryption.

3. It has a wide range of applicability, from encrypting files & messages.

4. It was not developed by, nor is it controlled by, any governmental or standards organization.


Services of PGP

1. Authentication.

2. Confidentiality.

3. Compression.

4. E-mail Compatibility.

5. Segmentation.

Notations Used

K = Session key.
KRa = Private key of user A.
KUa = Public key of user A.
EP = Public-key encryption.
DP = Public-key decryption.
EC = Conventional encryption.
DC = Conventional decryption.
H = Hash function.
|| = Concatenation.
Z = Compression using ZIP algorithm.
R64 = Conversion to radix 64 ASCII format.

Services – Authentication & Confidentiality

1. Authentication & 2. Confidentiality


Authentication

The Sequence is as follows:

1. The sender creates a message.

2. SHA-1 is used to generate a 160-bit hash code of the message.

3. The hash code is encrypted with RSA using the sender’s private key, & the result is prepended to the message.

4. The receiver uses RSA with the sender’s public key to decrypt & recover the hash code.

5. The receiver generates a new hash code for the message & compares it with the decrypted hash code. If the two match, the message is accepted as authentic.

Confidentiality

The Sequence is as follows:

1. The sender generates a message & a random 128-bit number to be used as a session key for this message only.

2. The message is encrypted, using 3DES (CAST-128) with the session key.

3. The session key is encrypted with RSA, using the recipient’s public key, & is prepended to the message.

4. The receiver uses RSA with its private key to decrypt & recover the session key.

5. The session key is used to decrypt the message.


Authentication & Confidentiality


Compression

PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for e-mail transmission & for file storage.

1. The signature is generated before compression so that one can store only the uncompressed message together with the signature for future verification.

2. Message encryption is applied after compression to strengthen cryptographic security. Because the compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult.
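The authentication sequence and the sign-then-compress ordering described above, as an added example that is not part of the original slides. The key is a constructed toy RSA key without padding, zlib's DEFLATE stands in for PGP's ZIP step, and the function names are hypothetical.

```python
import hashlib
import zlib

# Constructed toy key, for illustration only: two Mersenne primes give a
# 216-bit modulus, just wide enough for a 160-bit SHA-1 digest. Real PGP keys
# are far larger and the hash is padded before the RSA operation.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # KRa: sender's private exponent
SIG_LEN = (N.bit_length() + 7) // 8    # signature width in octets


def h(message: bytes) -> int:
    """H: SHA-1 digest of the message as an integer (step 2)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sender(message: bytes) -> bytes:
    """Z( EP_KRa[H(M)] || M ): sign the hash, prepend it, then compress."""
    signature = pow(h(message), D, N).to_bytes(SIG_LEN, "big")   # step 3
    return zlib.compress(signature + message)


def receiver(blob: bytes):
    """Decompress, recover the hash with KUa, compare with a fresh hash."""
    data = zlib.decompress(blob)
    signature, message = data[:SIG_LEN], data[SIG_LEN:]
    recovered = pow(int.from_bytes(signature, "big"), E, N)      # step 4
    return recovered == h(message), message                      # step 5


def tampered(blob: bytes) -> bytes:
    """Constructed in-transit modification: flip one bit of the message body."""
    data = bytearray(zlib.decompress(blob))
    data[-1] ^= 0x01
    return zlib.compress(bytes(data))


if __name__ == "__main__":
    blob = sender(b"constructed sample message")
    print(receiver(blob))             # signature verifies
    print(receiver(tampered(blob)))   # verification fails
```

Because the signature is computed over the uncompressed message, the receiver can keep the decompressed message and signature and re-verify them later without re-running the compressor.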

E-mail Compatibility

Many electronic mail systems only permit the use of blocks consisting of ASCII text.

The scheme used for this purpose is radix-64 conversion.

Each group of three octets of binary data is mapped into four ASCII characters.

The use of radix 64 expands a message by 33%.
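The three-octets-to-four-characters mapping and the resulting 33% expansion, as an added example that is not part of the original slides. It assumes the standard base64 alphabet with "=" padding; the function names are hypothetical.

```python
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789+/")


def radix64(data: bytes) -> str:
    """Map each group of three octets to four printable ASCII characters."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        # Pack up to three octets into 24 bits, zero-filled on the right.
        bits = int.from_bytes(group.ljust(3, b"\0"), "big")
        # Slice the 24 bits into four 6-bit indexes into the alphabet.
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # A short final group carries len(group) + 1 data characters;
        # the rest of the four-character block is '=' padding.
        keep = len(group) + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def expansion(data: bytes) -> float:
    """Fractional size increase caused by the conversion."""
    if not data:
        raise ValueError("expansion is undefined for empty input")
    return len(radix64(data)) / len(data) - 1


if __name__ == "__main__":
    print(radix64(b"PGP"))                  # one full three-octet group
    print(round(expansion(bytes(300)), 4))  # constructed 300-octet input
```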


Transmission & Reception of PGP Messages.


Segmentation & Reassembly

- Maximum Length Exceeds.


General Format of PGP Message

Message Component

- Data.
- Timestamp.
- File name.

Signature Component

- Timestamp.
- Key ID of sender’s public key (KUa).
- Leading two octets of message digest.
- Message digest.

Session Key Component

- Key ID of recipient’s public key (KUb).
- Session key (Ks).

IP Security

1. Authentication

2. Confidentiality

3. Key Management

The principal feature of IPSec that enables it to support the various applications is that it can encrypt &/or authenticate all traffic at the IP level.


IP Security Overview

Benefits of IPSec

When IPSec is implemented in a firewall or router, it provides strong security, & workstations do not incur the overhead of security-related processing.

IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP & the firewall is the only means of entrance from the Internet into the organization.

IPSec is below the transport layer (TCP, UDP) & so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router.

IP Security Architecture

IPSec Documents

The documents are divided into seven groups, as shown:

1. Architecture

Covers the security requirements, definitions, & Mechanisms defining IPSec technology.

2. Encapsulating Security Payload(ESP)

Covers the packet format & packet encryption algorithm & optionally Authentication.

3. Authentication Header (AH): Covers the packet format & packet authentication algorithm.

4. Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.

5. Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for ESP.

6. Key Management: Documents that describe key management schemes.

7. Domain of Interpretation (DOI): It includes the identifiers for approved encryption & authentication algorithms & also key lifetime.


IPSec Services

Access Control.

Connectionless Integrity.

Data Origin authentication.

Rejection of replayed packets.

Confidentiality (Encryption).

Limited traffic flow confidentiality.

Authentication Header

The Authentication Header provides support for data integrity & authentication of IP packets.

The Authentication Header consists of the following fields:

1. Next Header (8 bits): Identifies the type of header immediately following this header.

2. Payload Length (8 bits): Length of Authentication Header.

3. Reserved (16 bits): For future use.

4. Security Parameters Index (32 bits): Identifies a security association.

5. Authentication Data (variable): Integrity Check Value.
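A parser for the fields listed above, as an added example that is not part of the original slides. It follows the RFC 4302 layout, which also places a 32-bit Sequence Number between the SPI and the Authentication Data and encodes Payload Length in 32-bit words minus 2; the function names and the sample packet are constructed for illustration.

```python
import struct

AH_FIXED = 12  # octets before the ICV: Next Header through Sequence Number


def parse_ah(buf: bytes) -> dict:
    """Parse an Authentication Header found at the start of buf."""
    if len(buf) < AH_FIXED:
        raise ValueError("truncated AH: fixed part is 12 octets")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", buf[:AH_FIXED])
    # Payload Length counts 32-bit words, minus 2 (RFC 4302).
    total = (payload_len + 2) * 4
    if total < AH_FIXED:
        raise ValueError("Payload Length too small for an AH")
    if total > len(buf):
        raise ValueError("Payload Length runs past the end of the packet")
    return {
        "next_header": next_header,          # protocol number of what follows
        "header_octets": total,              # full AH length in octets
        "reserved_is_zero": reserved == 0,   # senders must set this to zero
        "spi": spi,                          # selects the security association
        "sequence": seq,                     # anti-replay counter
        "icv": buf[AH_FIXED:total],          # Authentication Data
        "payload": buf[total:],              # data protected by the AH
    }


def sample_ah() -> bytes:
    """Constructed sample: AH with a 12-octet ICV in front of dummy data."""
    icv = bytes(range(12))                   # placeholder ICV, not a real MAC
    header = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + icv
    return header + b"constructed upper-layer data"


if __name__ == "__main__":
    for name, value in parse_ah(sample_ah()).items():
        print(name, value)
```

Checking the decoded length against the buffer before slicing keeps a malformed Payload Length from silently shortening the ICV or the payload.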


Transport & Tunnel Modes

Two ways of IPSec Authentication Service


Transport Mode

(a) Before Applying AH

(b) Transport Mode

For transport mode, Authentication covers the entire packet.

Tunnel Mode

For tunnel mode AH, the entire original IP packet is authenticated, & the AH is inserted between the original IP header .

The inner IP header carries the ultimate source & destination addresses, while an outer IP header may contain different IP addresses (gateways).

Security Associations

Case 1: All security is provided between the end systems that implement IPSec (using secret keys).

Case 2: Security is provided only between gateways (routers) & no hosts implement IPSec.

Case 3: End to End + Gateways (Case 1 + Case 2).

Case 4: Provides support for a remote host that uses the Internet to reach an organization's firewall & then to gain access to some server or workstation behind the firewall.