UNIT 1:
1. Introduction to computer security
2. Need for security
3. Principles of security
4. Types of attacks
5. Possible types of Attacks
1. INTRODUCTION:
Information Security is an old concept, but a new field of specialization. It involves protecting
information, especially personal or sensitive information, from deliberate or accidental loss or
misuse. The field is increasingly important in the area of business because, as our dependence on
computers to store and transmit information accurately and securely grows, the vulnerabilities in
our systems and our habits become increasingly obvious and open to exploitation.
When we began to use computers for business functions, data management became more
difficult, but still manageable, because most vital functions were still handled on paper. In those
early days of computing, no one thought much about information security because networks
were rarely used and not much understood. Each computer had its own files and no easy way to
communicate with other computers; if you wanted to share information, you had to copy it onto
a disk and then copy it from the disk onto the other computer. The information on any one
computer was relatively safe, as long as the computer's user took care to set a password on the
files and lock the office door.
Then we began using networks and, although the rules changed fundamentally, human
behavior didn’t. Blocks of computers were yoked together into networks and subnets, sharing
common network space, printers and other services. Still, no one paid much attention to
information security. Most people thought the only way to get a computer virus was from a
floppy disk, and almost everyone believed that their personal information was worthless to
anyone else.
The Internet today is a widespread information infrastructure, but it is inherently an insecure
channel for sending messages. When a message (or packet) is sent from one website to another,
the data contained in the message are routed through a number of intermediate sites before
reaching their destination. The Internet was designed to accommodate heterogeneous platforms so
that people who are using different computers and operating systems can communicate. The
history of the Internet is complex and involves many aspects – technological, organizational and
community. The Internet concept has been a big step along the path towards electronic
commerce, information acquisition and community operations.
Early ARPANET researchers accomplished the initial demonstrations of packet switching
technology. In the late 1970s, the growth of the Internet was recognized, and the growth in the
size of the interested research community brought an increased need for a coordination
mechanism. The Defense Advanced Research Projects Agency (DARPA) then formed an
International Cooperation Board (ICB) to coordinate activities with some European countries
centered on packet satellite research, while the Internet Configuration Control Board (ICCB)
assisted DARPA in managing Internet activity. In 1983, DARPA recognized that the continuing
growth of the Internet community demanded a restructuring of coordination mechanisms. The
ICCB was disbanded
and in its place the Internet Activities Board (IAB) was formed from the chairs of the Task
Forces. The IAB revitalized the Internet Engineering Task Force (IETF) as a member of the
IAB. By 1985, there was a tremendous growth in the more practical Engineering side of the
Internet. This growth resulted in the creation of a substructure to the IETF in the form of
working groups. DARPA was no longer the major player in the funding of the Internet. Since
then, there has been a significant decrease in Internet activity at DARPA. The IAB recognized
the increasing importance of IETF, and restructured to recognize the Internet Engineering
Steering Group (IESG) as the major standards review body. The IAB also restructured to create
the Internet Research Task Force (IRTF) along with the IETF.
1.1. History of Internet Security – Overview:
Since the early 1980s, the Internet has grown beyond its primarily research roots, to include
both a broad user community and increased commercial activity. This growth in the commercial
sector brought increasing concern regarding the standards process. Increased attention was paid
to making progress, eventually leading to the formation of the Internet Society in 1991. In 1992,
the Internet Activities Board was reorganized and renamed the Internet Architecture Board (IAB)
operating under the auspices of the Internet Society. The mutually supportive relationship
between the new IAB, IESG and IETF led to them taking more responsibility for the approval of
standards, along with the provision of services and other measures which would facilitate the
work of the IETF.
1.2. The Age of Security:
Over the last few decades, developers of communications systems have been faced with a
market demanding higher bandwidths, higher reliability, lower cost, improved interoperability,
and easier installation and operation. Users and organizations have benefited greatly from the
introduction of new communication technologies such as xDSL, WiFi and fiber optics.
As networks incorporate more and more devices and span multiple locations, effectively
removing the network perimeter, they become increasingly vulnerable to security threats. Such
threats include the theft of confidential data, hacks, and malicious code - providing unguarded
entry into corporate networks and IT systems. To provide high-performance security solutions
that protect data, applications and infrastructure, equipment manufacturers are looking to
integrate security functionality deeper than ever - at the chip level.
“Computer crime remains a serious problem and some kinds of attacks can cause ruinous
financial damage. The stakes involved in information systems security have risen. Your
organization is vulnerable to numerous types of attack from many different sources and the
results of an intrusion can be devastating in terms of lost assets and good will.”
It should be clear now that, from a security perspective, the corporate network is no longer a
single entity and that current, popular approaches to protecting network devices have significant
limitations.
A common misperception among network security professionals is that there are three zones
of network trust: an untrusted external network, a semi-trusted perimeter or DMZ network and a
trusted corporate network. The untrusted external network typically includes the Internet and any
other networks that corporate IT services cannot directly control.
The perimeter or DMZ zone includes any Internet-facing hosts that accept connections from
users on untrusted networks, while the corporate internal network was considered a safe and
secure location that was at little risk of compromise from other devices on the internal network.
Worms, viruses, Trojans, spyware and scumware have changed the network landscape so
that no network can be considered an implicitly trusted network. There are so many avenues of
attack, so many portals through which these exploits and malicious mobile code can move
between formerly trusted and untrusted networks, that the concept of a trusted network is no
longer valid.
We should now think of the corporate internal network as consisting of multiple security
zones that include multiple application perimeters, with each perimeter providing special
protection for each application or set of applications contained within the perimeter.
As the scope of networks has grown since the invention of the Internet and web technologies,
the area of security has gained more importance. Nowadays the Internet is used in e-business,
resource planning, e-banking and in various service sectors. Because of these worldwide
transactions, the network faces serious problems with unauthorized access, intrusion, etc.
Normally with the Internet various areas of risks are identified as follows:
(1) Data risk
(2) Physical risk
(3) Network risk
(4) Service risk
(5) Natural risk, etc.
2. Need for Network Security
In the past, hackers were highly skilled programmers who understood the details of computer
communications and how to exploit vulnerabilities. Today almost anyone can become a hacker
by downloading tools from the Internet. These complicated attack tools and generally open
networks have generated an increased need for network security and dynamic security policies.
The easiest way to protect a network from an outside attack is to close it off completely from the
outside world. A closed network provides connectivity only to trusted known parties and sites; a
closed network does not allow a connection to public networks.
Because they have no Internet connectivity, networks designed in this way can be considered
safe from Internet attacks. However, internal threats still exist. It is estimated that 60 to 80
percent of network misuse comes from inside the enterprise where the misuse has taken place.
With the development of large open networks, security threats have increased significantly in the
past 20 years. Hackers have discovered more network vulnerabilities, and because you can now
download applications that require little or no hacking knowledge to implement, applications
intended for troubleshooting and maintaining and optimizing networks can, in the wrong hands,
be used maliciously and pose severe threats.
2.1. Why require security?
We need security:
(a) To protect our data, files and folders
(b) To protect our resources
(c) To protect e-commerce transaction information: user-id, password, PIN, etc.
(d) To protect our site from being blocked by an attack such as DoS
(e) To protect our IP address
(f) To protect our e-mails
(g) To protect incoming packets so that no virus or worm comes in
(h) To protect outgoing packets so that secrets do not leak out.
3. Principles of Security:
Generally the security issues can be classified into the following categories.
(1) Confidentiality
(2) Authenticity
(3) Availability
(4) Auditability
(5) Access Control
(6) Integrity
(7) Non-repudiability
Fig. 1.1
These three are the basic levels of issues, which lead to further loopholes.
3.1. Confidentiality:
Basically the threats can be in the area of the network or in the area of the application.
Application-level threats are mainly created by insiders who have full access to the computer
system. These can be detected easily and avoided by using suitable mechanisms. Even though
application-level threats are easy to detect, they still create serious problems for the system.
Network-level attacks are dangerous because of the major business transactions that happen
through the Internet. Confidentiality is about maintaining the actual secrecy of the message. A
message that is traveling through the network should not be opened by any third party who is
not related to the transaction.
Nowadays the majority of bank transactions happen through the network, so the
confidentiality issue creates a lot of problems related to networks, software and data.
The confidentiality related issues could be belonging to any one of the following categories:
(1) IP Spoofing
(2) Packet sniffing
(3) Alteration of message
(4) Modification of message
(5) Man-in-middle
(6) Brute force attack
(7) Password cracking
By using any of the above-mentioned methods a user can get into others' messages and create
problems related to the secrecy of the message. The intention of the user may be to view the
message without making many changes to the hacked message.
Normally in a banking system people receive their bank balance over the network. In this kind
of situation any hacker who knows the IP address can get this information about others' account
balances.
In some situations people may hack the message and forward it to some unknown person,
which will create confusion between the original sender and the receiver. This also leads to
problems related to integrity.
Fig. 1.2 Loss of Confidentiality
3.2. Authenticity:
This can be defined as an identity for a user, assuring that the message is coming from the
right person. This is another important issue along with confidentiality, which may lead to
further security threats. It can be assured by any of the following factors:
(1) Something you have (like tokens, a credit card, a passport, etc.).
(2) Something you know (like PIN numbers, an account number, etc.).
(3) Something you are (like fingerprints, signatures, etc.).
Generally, with a computer system, passwords are the simplest authentication mechanism,
which helps the system to authenticate a particular person. People can use one-time passwords
and key technology to assure authenticity during a message transaction.
Various issues related to authenticity include:
(1) Stealing passwords
(2) Fake login screens
(3) Information leakage, etc.
Fig. 1.3 Absence of Authenticity
Fabrication is possible in the absence of proper authentication mechanisms.
3.3. Availability:
This can be defined as keeping the right information or resources available to the right person
at the right time. This can concern either the data or the hardware resources. An attack on
availability stops a person from accessing various resources, for example by flooding the network.
There is a complexity with the availability of resources and data, because it can be identified
as an issue only when the following conditions exist in the system:
(1) The resources are completely available up to the user's expectation.
(2) The content is present in a usable format.
(3) The access rights are used in a proper way.
The actual problem related to availability can be identified only when the above-mentioned
things are assured before the problem identification. This is a very serious issue, which will
totally stop the process and may leave the user in an idle condition without allowing him to
proceed further.
The main problems related to availability are DoS and DDoS attacks. This is done by flooding
the network path with continuous packets, which creates heavy traffic in the network. This stops
the right people accessing the right information at the right time.
Fig. 1.4 Attack on Availability
3.4. Access Control:
This is also an issue which deals with hardware resources, software and data. It helps the
operating system to allow access to a particular resource or data only to an authorized person.
In this way it is interrelated with authenticity and availability.
Authenticated users are allotted certain kinds of rights like Read, Write, Read/Write, Owner,
etc. These rights are maintained by the operating system in a tabular format or in a linked-list
format. First the user's authenticity has to be verified, and then the authenticated user's rights
are verified against the table.
USERS/FILES   FILE1   FILE2   FILE3
USER1         RW      -       W
USER2         O       RW      W
USER3         -       OR      OW
Attacks related to authenticity and availability can also create problems related to access
control.
Attacks related to access control are as follows:
(1) Intrusion
(2) DDoS
(3) Interference
(4) Inference, etc.
The issues related to authenticity can be resolved by using hash algorithms.
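The two-step check described above (authenticate first, then look the user's rights up in the access matrix), as an added example that is not part of the original notes. The matrix is the table above; the user names, passwords and the rule that the owner right "O" does not by itself imply read or write are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Access-control matrix as in the table above (example data constructed
# here, not taken from any real system). Letters: R = read, W = write,
# O = owner; '-' = no access.
ACCESS_MATRIX = {
    "USER1": {"FILE1": "RW", "FILE2": "-",  "FILE3": "W"},
    "USER2": {"FILE1": "O",  "FILE2": "RW", "FILE3": "W"},
    "USER3": {"FILE1": "-",  "FILE2": "OR", "FILE3": "OW"},
}


def _make_record(password: str) -> tuple:
    """Store a random salt plus the salted SHA-256 digest, never the
    password itself (a production system would use a slow password hash)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


# Credential store: user -> (salt, digest). Passwords are constructed examples.
CREDENTIALS = {
    "USER1": _make_record("correct horse"),
    "USER2": _make_record("battery staple"),
    "USER3": _make_record("pa55w0rd"),
}


def authenticate(user: str, password: str) -> bool:
    """Step 1: verify the user's identity against the credential store."""
    if user not in CREDENTIALS:
        return False
    salt, digest = CREDENTIALS[user]
    candidate = hashlib.sha256(salt + password.encode()).digest()
    # compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(candidate, digest)


def authorize(user: str, filename: str, operation: str) -> bool:
    """Step 2: look the user's rights up in the matrix. `operation` is one
    letter: 'R', 'W' or 'O'. Assumption made here: the owner right 'O' only
    lets the user change the entry; it does not imply read or write, so the
    USER2/FILE1 entry 'O' alone denies a plain read."""
    if operation not in ("R", "W", "O"):
        return False
    rights = ACCESS_MATRIX.get(user, {}).get(filename, "-")
    return operation in rights


def request_access(user: str, password: str, filename: str, operation: str) -> str:
    """Authenticate first, then check rights; returns the decision as text.
    The order matters: rights are never consulted for an unauthenticated caller."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, filename, operation):
        return "denied: no %s right on %s" % (operation, filename)
    return "granted"


if __name__ == "__main__":
    print(request_access("USER1", "correct horse", "FILE1", "R"))   # granted
    print(request_access("USER3", "pa55w0rd", "FILE2", "W"))        # denied: no W right on FILE2
    print(request_access("USER2", "wrong password", "FILE2", "R"))  # denied: authentication failed
```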
3.5. Non-repudiability:
This is another issue, which is related to authenticity and integrity. Repudiation means
refusing. This issue is actually created by the sender who is participating in the transaction:
after sending a message, a sender can refuse to accept that he sent that message. This is done
intentionally to create problems at the receiver's side, which creates confusion for the receiver.
This can be done from either side; it may also come from the receiver's side. The receiver can
deny, after receiving the message, that he received any message. Non-repudiation does not
allow the sender of the message to sustain the claim of not having sent that message.
Non-repudiation issues concern any of the following three forms of proof:
(1) Proof of origin
(2) Proof of receipt
(3) Proof of content
This can be assured by using digital signatures along with hash algorithms. If proper
authenticity and integrity are achieved, then the problems related to non-repudiability can be
minimized. All the above-mentioned issues are the basic issues of network security. Apart from
these, various other threats like natural disasters, attacks and software modifications also create
problems for networks. But the majority of attacks come under the basic issues of the network.
Fig. 1.5 Loss of Integrity
Wherever the problems are available accordingly solutions are also present. It is the
responsibility of the user to categorize the problem and identify the suitable solution.
Generally the solutions can be categorized as follows.
(a) Security Issues
(b) Security Objectives
(c) Security Techniques
Security Issue     Security Objective                       Security Technique
Confidentiality    Privacy of message                       Encryption
Authentication     Origin verification                      Digital signatures; challenge-response; passwords; biometric devices
Non-repudiation    Proof of origin, receipt and contents    Bi-directional hashing; digital signatures; transaction certificates; time stamps; confirmation services
Access controls    Limiting entry to authorized users       Firewalls; passwords; biometric devices
Types of threats to the following:
(1) Hardware
(2) Software
(3) Data
Hardware: the various computer components.
Software: the various applications involved.
Data: the various information stored in the system.
The issues fall into any of the following categories:
(a) Interception
(b) Fabrication
(c) Modification
While selecting a solution, the area of the threat has to be identified and accordingly the
solution has to be finalized.
Hardware:
Fig. 1.6
Software:
Fig. 1.7
Data:
Fig. 1.8
Fig. 1.9
4. ATTACKS:
In the cryptographic literature, there are two types of attacker: passive and active.
The first is a passive adversary, who can eavesdrop on all network communication, with the
goal of learning as much confidential information as possible.
The other is an active intruder, who can
(1) modify messages at will,
(2) introduce packets into the message stream, or
(3) delete messages.
Fig. 2.6 Types of Attacks
4.1. Active Attacks:
This type of attack requires the attacker to be able to transmit data to one or both of the
parties, or to block the data stream in one or both directions. It is also possible that the attacker
is located between the communicating parties, as shown in the figure below.
In this case the attacker can stop all or part of the data sent by the communicating parties.
This attacker can, e.g., try to take the place of the client (or server) once the authentication
procedure has been performed.
Without integrity checks of the received data, the server will not detect that the origin of the
data is not the authenticated person. A clever programmer can, with not too much effort,
implement a system like this on a computer acting as a gateway (bridge) between two
subnets. (On the Internet there are thousands of these computers.)
Fig. 2.7 Active attack
The following are examples of different attacks this person could impose:
(1) Inserting his own data into the data stream.
(2) Playback of data from another connection.
(3) Playback of data that had previously been sent in the same or the opposite direction on
the same connection.
(4) Deletion of data.
Man-in-the-middle attack: In this attack, the intruder sits in the middle of the
communication link, intercepting messages and substituting them with his own messages. In
this way he tries to fool the parties into believing they are talking to each other directly, while
they are really talking to the attacker himself.
4.2. Passive Attacks:
A passive attack on a cryptosystem is one in which the cryptanalyst cannot interact with any
of the parties involved, attempting to break the system solely based upon observed data (i.e. the
cipher text). This can also include known plaintext attacks where both the plaintext and its
corresponding cipher text are known.
The passive attacks can take place in the following ways:
(1) Eavesdropping: the unauthorized capture of transmitted data either by some form of line
tapping or from the compromising emanations broadcast by the electrical signals in the line.
Radio, optical and microwave signals can be similarly intercepted covertly.
Fig. 2.8 Passive attack
(2) Traffic Analysis: Even if enciphering has protected the message, an analysis of the traffic
down the line can, in many circumstances, reveal much to an outsider. The number, size,
frequency and times of messages sent, their sources and their destinations can indicate, for
example, an impending take-over bid or the launch of a new product.
A passive attack is an attack where an unauthorized attacker monitors or listens in on the
communication between two parties. The figure below illustrates a passive attack where Eve
monitors the communication between Alice and Bob.
4.3. Practical side of attacks:
4.3.1. Application Level Attacks:
These attacks happen at the application level, in the sense that the attacker attempts to access,
modify or prevent access to information of a particular application, or the application itself.
Examples of this are trying to obtain someone's credit card information on the Internet, or
changing the contents of a message to change the amount in a transaction, etc.
4.3.2. Network level attacks:
These attacks generally aim at reducing the capabilities of a network by a number of possible
means. They generally make an attempt to either slow down, or completely bring to a halt,
a computer network. Note that this can automatically lead to application-level attacks, because
once someone is able to gain access to a network, usually she is able to access or modify at least
some sensitive information, causing havoc.
4.3.3. Cookies:
Cookies were born as a result of specific characteristics of the Internet. The Internet uses the
HTTP protocol, which is stateless.
Suppose that the client sends an HTTP request for a web page to the server. The web server
locates that page on its disk, sends it back to the client, and completely forgets about this
interaction.
If the client wants to continue this interaction, it must identify itself to the server in the next
HTTP request. Otherwise, the server would not know that this same client had sent an HTTP
request earlier.
Since a typical application is likely to involve a number of interactions between the client and
the server, there must be some mechanism for the client to identify itself to the server each time
it sends an HTTP request to the server.
For this, cookies are used. They are a popular mechanism for maintaining state information,
i.e. identifying a client to a server.
A cookie is just one or more pieces of information stored as text strings in a text file on the
disk of the client computer, i.e. by the web browser.
4.3.4. Packet Sniffing and Packet Spoofing:
These attacks take two main forms:
(a) Packet sniffing (also called snooping)
(b) Packet spoofing.
Since the protocol used in this communication is called the Internet Protocol (IP), other names
for these two attacks are: (a) IP sniffing and (b) IP spoofing. The meaning remains the same.
(a) Packet Sniffing: Packet sniffing is a passive attack on an ongoing conversation. An attacker
need not hijack a conversation, but instead can simply observe, i.e. sniff, packets as they pass
by. Clearly, to prevent an attacker from sniffing packets, the information that is passing
needs to be protected in some way.
This can be done at two levels:
(i) The data that is traveling can be encoded in some way.
(ii) The transmission link itself can be encoded.
(b) Packet Spoofing: In this technique, an attacker sends packets with an incorrect source
address. When this happens, the receiver, i.e. the party who receives the packets containing a
false source address, would inadvertently send replies back to the forged address (called the
spoofed address) and not to the attacker.
This can lead to three possible cases:
(i) The attacker can intercept the reply: if the attacker is between the destination and the
forged source, the attacker can see the reply and use that information for hijacking
attacks.
(ii) The attacker need not see the reply: if the attacker's intention was a Denial of Service
(DoS) attack, the attacker need not bother about the reply.
(iii) The attacker does not want the reply: the attacker could simply be angry with the host,
so it may put that host's address as the forged source address and send the packet to the
destination. The attacker does not want a reply from the destination, as it wants the host
with the forged address to receive it and get confused.
5. Possible Types of attacks:
5.1. Distributed Attack
A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-
door program, into a "trusted" component or software that will later be distributed to many other
companies and users. Distribution attacks focus on the malicious modification of hardware or
software at the factory or during distribution. These attacks introduce malicious code such as a
back door into a product to gain unauthorized access to information or to a system function at a
later date.
5.2. Insider Attack
An insider attack involves someone from the inside, such as a disgruntled employee, attacking
the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally
eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access
to other authorized users. Non-malicious attacks typically result from carelessness, lack of
knowledge, or intentional circumvention of security for such reasons as performing a task
5.3. Close-in Attack
A close-in attack involves someone attempting to get physically close to network components,
data, and systems in order to learn more about a network. Close-in attacks consist of ordinary
individuals attaining close physical proximity to networks, systems, or facilities for the purpose
of modifying, gathering, or denying access to information. Close physical proximity is achieved
through surreptitious entry into the network, open access, or both.
5.4. Social Engineering:
One popular form of close-in attack is social engineering. In a social engineering attack, the
attacker compromises the network or system through social interaction with a person, through an
e-mail message or by phone. Various tricks can be used by the attacker to get the individual to
reveal information about the security of the company. The information that the victim reveals to
the hacker would most likely be used in a subsequent attack to gain unauthorized access to a
system or network.
5.5. Phishing Attack
In a phishing attack the hacker creates a fake web site that looks exactly like a popular site such
as the SBI bank or PayPal site. The phishing part of the attack is that the hacker then sends an
e-mail message trying to trick the user into clicking a link that leads to the fake site. When the
user attempts to log on with their account information, the hacker records the username and
password and then tries that information on the real site.
5.6. Hijack attack
In a hijack attack, a hacker takes over a session between you and another individual and
disconnects the other individual from the communication. You still believe that you are talking
to the original party and may send private information to the hacker by accident.
5.7. Spoof attack
In a spoof attack, the hacker modifies the source address of the packets he or she is sending so
that they appear to be coming from someone else. This may be an attempt to bypass your
firewall rules.
5.8. Buffer overflow
A buffer overflow attack is when the attacker sends more data to an application than is
expected. A buffer overflow attack usually results in the attacker gaining administrative access
to the system in a command prompt or shell.
5.9. Exploit attack
In this type of attack, the attacker knows of a security problem within an operating system or a
piece of software and leverages that knowledge by exploiting the vulnerability.
5.10. Password attack
An attacker tries to crack the passwords stored in a network account database or a
password-protected file. There are three major types of password attacks: a dictionary attack, a
brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of
potential passwords. A brute-force attack is when the attacker tries every possible combination
of characters
Chapter 2
1. Plain Text and Cipher Text
2. Substitution & Transposition techniques
3. Playfair
4. Hill cipher
5. Encryption and Decryption
6. Symmetric and Asymmetric Key Cryptography
7. Steganography
1.Plain Text and Cipher Text:
1.1. Cryptography:
1.1.1. History of Cryptography:
Cryptography existed long before the ubiquity of computers.
Julius Caesar (100-44 BC) used a simple substitution with the normal alphabet (just shifting
the letters a fixed amount) in government communications.
Cryptography, the science of encrypting and decrypting information, dates as far back as
1900 BC.
Thomas Jefferson invented a wheel cipher in the 1790s.
It was used extensively during both world wars; cipher machines were created by the Nazis to
encrypt messages, called Enigma by the Allies.
Ciphers were used by bootleggers in the 1930s for liquor smuggling.
In the 1970s, Dr. Horst Feistel established the precursor to today's Data Encryption Standard
(DES) with his 'family' of ciphers, while working at IBM's Watson Research Laboratory.
In 1976, two contemporaries of Feistel, Whitfield Diffie and Martin Hellman, first
introduced the idea of public key cryptography.
In 1977, Rivest, Shamir and Adleman introduced to the world their RSA cipher, applicable to
public key cryptography and digital signatures.
Zimmermann released his first version of Pretty Good Privacy (PGP) in 1991 as a freeware
product, which uses the IDEA algorithm.
1.1.2. Reason for its existence:
(1) Secrecy: Only intended receiver understands the message.
(2) Authentication: sender and receiver need to confirm each other's identity.
(3) Message Integrity: Ensure that their communication has not been altered, either maliciously
or by accident during transmission.
1.1.3. Terms frequently used in Cryptography:
Cryptology: Originates from the Greek kryptós lógos, meaning "hidden word".
Plaintext: The message to be encrypted.
Key: The object used to encrypt the plaintext.
Cyphertext: The encrypted text.
Encryption: The process of converting plaintext into cyphertext using an appropriate key.
Decryption: The process of converting cyphertext into plaintext using an appropriate key.
Cryptography: The art or science of keeping communication classified.
Cryptographers: People who indulge in cryptography are known as cryptographers.
Cryptanalysis: The art or science of decrypting a cyphertext without knowing the authorized
key is known as cryptanalysis.
Cryptanalysts: People who indulge in cryptanalysis. They could be ethical or fraudsters.
Cipher: The method of encryption and decryption is generally known as a cipher.
2. SUBSTITUTION TECHNIQUE AND TRANSPOSITION TECHNIQUE:
2.1. Substitution Technique:
It is the most basic technique: it generates cipher text by simple letter substitution.
Specific methods used in this type include:
(1) Caesar cipher (used by Julius Caesar),
(2) Modified Caesar cipher,
(3) Mono-alphabetic cipher,
(4) Homophonic substitution cipher,
(5) Polygram substitution cipher,
(6) Polyalphabetic cipher etc.
Now let us study them (Substitution Technique) one by one:
(1) Caesar Cipher:
The cryptographic scheme proposed by Julius Caesar is a special case of substitution cipher in
which each letter of the message is replaced by the letter three places further down the
alphabetical order.
Thus "A" becomes "D" and "B" becomes "E":
Plain text:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher text: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
The Caesar Cipher is very simple, but this simplicity comes at a cost: it is obviously a very
weak scheme.
Algorithm to break the Caesar Cipher:
(1) Read each letter in the cipher text message and search for it in the second row of the
table above.
(2) When a match is found, replace that letter of the cipher text message with the letter in the
same column of the first row of the table (e.g. if the cipher text letter is J, replace it
with G).
(3) Repeat the process for all letters in the cipher text message.
This process reveals the original plain text. Thus, given the cipher text message
L ORYH BRX, it is easy to work backwards and obtain the plain text I LOVE YOU, as shown
below.
Cipher text: L O R Y H B R X
Plain text:  I L O V E Y O U
The Caesar Cipher is good in theory, but not so good in practice.
Let Ke be the encryption key and Kd the decryption key. Here we have assumed that Ke = 3, and
thus Kd is also 3 (decryption shifts each letter back by the same amount).
Let us now try to complicate the Caesar Cipher to make an attacker's life difficult.
(2) Modified Version of the Caesar Cipher:
How can we generalize the Caesar Cipher a bit more? Let us assume that the cipher text letters
corresponding to the original plain text letters need not be three places down the order, but
can be any number of places down the order. This complicates matters a bit.
Thus, we are now saying that D would not necessarily replace the letter A in the plain text. A
can be replaced by any valid letter, i.e. by E, or by F, or by G, and so on. Once the replacement
scheme (the shift) is decided, it is constant and is used for all other letters in that message.
As we know, the English alphabet contains 26 letters. Thus, a letter A can be replaced by any
other letter of the English alphabet (i.e. B through Z). Of course, it does not make sense to
replace a letter by itself (i.e. replacing A with A). Thus, for each letter, we have 25 possible
replacements. Hence, to break a message encrypted with the modified Caesar Cipher, our earlier
algorithm would not work.
Let us write a new algorithm to break this version of the Caesar Cipher:
(1) Let k be a number equal to 1.
(2) Read the complete cipher text message.
(3) Replace each letter in the cipher text message with the letter that is k positions down
the order.
(4) Increment k by 1.
(5) If k is less than 26, go to step 2. Otherwise, stop the process.
(6) The original text message corresponding to the cipher text message is one of the 25
possibilities produced by the above steps.
We write down all 25 possibilities and try to make sense of them. Whichever makes sense we
keep, and the other 24 are rejected. Trying out all possibilities in this way is called a
Brute-Force Attack.
(3) Mono-alphabetic Cipher:
The major weakness of the Caesar Cipher is its predictability. Once we decide to replace a
letter in a plain text message with the letter k positions up or down the order, we replace all
other letters of the plain text message by the same rule. Thus, the cryptanalyst has to try out
a maximum of 25 possible shifts, and is assured of success.
Now imagine that rather than using a uniform shift for all the letters in a given plain text
message, we decide to use random substitution. This means that in a given plain text message,
each A can be replaced by any other letter (B through Z), each B can also be replaced by any
other random letter (A or C through Z), and so on. The crucial difference is that there is no
relation between the replacement of B and the replacement of A. That is, if we have decided to
replace each A with D, we need not necessarily replace each B with E; we can replace each B
with any other character!
To put it mathematically, we can now have any permutation of the 26 letters, which means
(26 × 25 × 24 × 23 × ... × 2 × 1) or about 4 × 10^26 possibilities! This is extremely hard to
crack by trial: it might actually take years to try out these many combinations even with the
most modern computers.
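The following Python program is an added example, not code from the original notes. It implements the shift cipher (Caesar for key 3, the modified version for any other key), the 25-candidate brute-force attack of the algorithm above, and the mono-alphabetic cipher keyed by a random permutation of the 26 letters. The sample plain text and the fixed random seed are constructed for the demonstration. It also computes the 26! key space and shows why that number alone is not a security argument: a mono-alphabetic substitution preserves the letter-frequency pattern of the plain text, which is what a cryptanalyst examines instead of trying every key.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext, key):
    """Shift cipher: every letter moves `key` places down the alphabet (mod 26).
    key = 3 is the classical Caesar cipher; any key in 1..25 is the modified version.
    Non-letters are passed through unchanged so word spacing survives."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    # Decryption shifts back by the same amount: Ke = Kd, as the notes observe.
    return shift_encrypt(ciphertext, -key)


def shift_brute_force(ciphertext):
    """The brute-force attack: try every key 1..25 and return {key: candidate}.
    Shifting back by k for k = 1..25 covers the same 25 candidates as shifting
    forward by k; a human (or a dictionary check) then picks the readable one."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


def make_substitution_key(rng):
    """A mono-alphabetic key is a random permutation of the 26 letters."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return "".join(letters)


def substitution_encrypt(plaintext, key):
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(ciphertext, key):
    return ciphertext.upper().translate(str.maketrans(key, ALPHABET))


def key_space_size():
    # 26! = 26 x 25 x ... x 1 permutations, about 4 x 10^26 as the notes state.
    return math.factorial(26)


def frequency_order(text):
    """Letters of `text` ordered from most to least frequent (non-letters ignored)."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return "".join(ch for ch, _ in counts.most_common())


if __name__ == "__main__":
    # Worked example from the notes: key 3, cipher text "L ORYH BRX".
    print(shift_decrypt("L ORYH BRX", 3))
    for k, candidate in shift_brute_force("L ORYH BRX").items():
        print(k, candidate)
    # Mono-alphabetic cipher: huge key space, but letter statistics leak through.
    rng = random.Random(7)                          # fixed seed: constructed, reproducible
    key = make_substitution_key(rng)
    sample = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THE END"   # constructed text
    ct = substitution_encrypt(sample, key)
    print(key_space_size())
    print(ct)
    # The most frequent cipher letter is simply the image of the most frequent plain letter.
    print(frequency_order(sample), frequency_order(ct))
```

The frequency comparison at the end is the practical caveat: the ciphertext's frequency ranking is exactly the plaintext's ranking pushed through the key, so the 26! key space buys far less than the arithmetic suggests.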
(4) Homophonic Substitution Cipher:
The Homophonic Substitution Cipher is very similar to the Mono-alphabetic Cipher. In a plain
substitution cipher we replace one letter with another fixed letter, but in this scheme, instead
of having a fixed substitution, we choose the replacement letter from a set. So in this
technique, A can be replaced by D, H, P or R; B can be replaced by E, I, Q or S, and so on.
The Homophonic Substitution Cipher also substitutes one plain text character with one cipher
text character at a time. However, the cipher text character can be any one of the chosen set.
(5) Polygram Substitution Cipher:
In the Polygram Substitution Cipher technique, rather than replacing one plain text letter with
one cipher text letter at a time, a block of letters is replaced with another block. For
instance, HELLO could be replaced with YUQQW, but a totally different cipher text block
TEUL could replace HELL.
(6) Poly-alphabetic Substitution Cipher:
This cipher uses multiple one-character keys. Each of the keys encrypts one plain text
character. The first key encrypts the first plain text character, the second key encrypts the
second plain text character, and so on. After all the keys are used, they are recycled. Thus, if
we have 30 one-letter keys, every 30th character in the plain text would be replaced with the
same key. This number is called the period of the cipher.
In some cases, the mono-alphabetic cipher technique is applied round after round over the
already converted text. The more rounds there are, the more complex the cipher becomes.
2.2. Transposition Technique:
It differs from the substitution technique: rather than only substituting letters, it applies
some kind of permutation to the positions of the plain text letters in order to generate the
cipher text.
Specific examples include:
(1) Rail fence technique,
(2) Simple columnar transposition,
(3) Simple columnar transposition with multiple rounds,
(4) Vernam cipher,
(5) Book cipher etc.
Now let us study them (Transposition Technique) one by one:
(1) Rail Fence Technique:
It uses a simple algorithm:
(a) Write down the plain text message as a sequence of diagonals.
(b) Read the plain text written in step (a) as a sequence of rows.
Example: Original plain text message: "Come home tomorrow".
(1) After we arrange the plain text diagonally, it would look as follows:
C   M   H   M   T   M   R   O
  O   E   O   E   O   O   R   W
(2) Now read the text row by row and write it sequentially. Thus we have:
C-M-H-M-T-M-R-O-O-E-O-E-O-O-R-W
(2) Simple Columnar Transposition Technique:
Basic Technique:
The idea is to:
(a) Write the plain text message row by row in a rectangle of a pre-defined size.
(b) Read the message column by column; however, it need not be in the order of columns 1, 2,
3 etc. It can be any random order such as 2, 1, 3 etc.
(c) The message thus obtained is the cipher text message.
Original Plain Text Message:
Secrets have to be kept:
(1) Let us consider a rectangle with 6 columns. Therefore, when we write the message into
the rectangle row by row it would look as follows:
         Column 1  Column 2  Column 3  Column 4  Column 5  Column 6
Row 1:      C         O         M         E         H         O
Row 2:      M         E         T         O         M         O
Row 3:      R         R         O         W
(2) Now read the text in the column order 4, 6, 1, 2, 5, 3.
(3) The cipher text thus obtained is:
E-O-W-O-O-C-M-R-O-E-R-H-M-M-T-O
(3) Simple Columnar Transposition Technique with Multiple Rounds: Here, the basic
simple columnar technique is repeated for multiple rounds. The more rounds there are, the
more complex the cipher becomes, and hence the more difficult it is to crack.
The Basic Algorithm:
(1) Write the plain text message row by row in a rectangle of a pre-determined size.
(2) Read the message column by column in a random sequence.
(3) The message thus obtained is the cipher text message of round 1.
(4) Use this output as the plain text for the next round.
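As an added example (not code from the original notes), the following Python program implements the three transposition schemes just described: the two-row rail fence, simple columnar transposition with an arbitrary column order, and the multi-round variant built by feeding one round's output into the next. Decryption is included for each, since a transposition only rearranges positions and the receiver must undo exactly that rearrangement. The inputs used in the test are the notes' own examples ("Come home tomorrow" with column order 4, 6, 1, 2, 5, 3).

```python
def _letters(text):
    """Transposition works on letters only; spaces and punctuation are dropped."""
    return [c for c in text.upper() if c.isalpha()]


def rail_fence_encrypt(plaintext):
    """Two-rail fence: letters alternate top row / bottom row along the diagonals,
    then the cipher text is the top row followed by the bottom row."""
    letters = _letters(plaintext)
    return "".join(letters[0::2] + letters[1::2])


def rail_fence_decrypt(ciphertext):
    n = len(ciphertext)
    top_len = (n + 1) // 2                    # the top rail holds the extra letter when n is odd
    top, bottom = ciphertext[:top_len], ciphertext[top_len:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2] for i in range(n))


def columnar_encrypt(plaintext, column_order):
    """Write row by row into len(column_order) columns, then read the columns out in
    the given order (1-based column numbers, as in the notes)."""
    letters = _letters(plaintext)
    ncols = len(column_order)
    columns = [letters[i::ncols] for i in range(ncols)]   # column i holds every ncols-th letter
    return "".join("".join(columns[c - 1]) for c in column_order)


def columnar_decrypt(ciphertext, column_order):
    """Rebuild the columns from their known lengths, then read the rectangle row by row."""
    n, ncols = len(ciphertext), len(column_order)
    full_rows, extra = divmod(n, ncols)
    # The first `extra` columns have one letter more than the rest (the partial last row).
    lengths = {c: full_rows + (1 if c <= extra else 0) for c in range(1, ncols + 1)}
    columns, pos = {}, 0
    for c in column_order:
        columns[c] = ciphertext[pos:pos + lengths[c]]
        pos += lengths[c]
    return "".join(columns[i % ncols + 1][i // ncols] for i in range(n))


def columnar_multi_round_encrypt(plaintext, column_order, rounds):
    text = plaintext
    for _ in range(rounds):                   # round r's cipher text is round r+1's plain text
        text = columnar_encrypt(text, column_order)
    return text


def columnar_multi_round_decrypt(ciphertext, column_order, rounds):
    text = ciphertext
    for _ in range(rounds):
        text = columnar_decrypt(text, column_order)
    return text


if __name__ == "__main__":
    msg = "Come home tomorrow"
    print(rail_fence_encrypt(msg))
    print(columnar_encrypt(msg, [4, 6, 1, 2, 5, 3]))
    print(columnar_multi_round_encrypt(msg, [4, 6, 1, 2, 5, 3], 2))
```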
(4) Vernam Cipher (One-Time Pad): The Vernam Cipher, also called the One-Time Pad, is
implemented using a random set of non-repeating characters as the input key (the pad). The
most significant point here is that once a pad has been used, it is never used again for any
other message (hence the name one-time). The length of the pad is equal to the length of the
original plain text.
Since the pad is used once and discarded after a single use, this technique is highly
secure and suitable for small plain text messages, but it is impractical for large
messages.
(5) Book Cipher / Running Block Key Cipher: The idea used is quite simple and similar in
principle to the Vernam Cipher. To produce the cipher text, some portion of text from a book is
used, which serves the purpose of a one-time pad. Thus, the characters from the book are used
as a one-time pad and are added to the characters of the input plain text message.
3. PLAYFAIR CIPHER:
The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a
keyword. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that fall in the same pair are separated with a filler letter,
such as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the
letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last. For example,
mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own
row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea
becomes IM (or JM, as the encipherer wishes).
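The following Python program is an added example and not code from the original notes. It builds the 5 × 5 matrix, splits the plaintext into digraphs with the X filler, and applies the three rules above for both encryption and decryption. The notes do not name the keyword behind their examples; the block assumes the keyword MONARCHY, which produces the matrix on which ar → RM, mu → CM, hs → BP and ea → IM all hold. I and J share one cell, so J is folded into I (the "IM or JM" choice in rule 4).

```python
def playfair_matrix(keyword):
    """5x5 matrix: keyword letters first (duplicates dropped), then the remaining
    letters in alphabetical order. J is merged into I to fit 26 letters in 25 cells."""
    seen = []
    for ch in keyword.upper() + "ABCDEFGHIKLMNOPQRSTUVWXYZ":
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def playfair_digraphs(plaintext):
    """Rule 1: split into pairs; a repeated letter inside a pair is separated by the
    filler X, and an odd trailing letter is padded with X (BALLOON -> BA LX LO ON)."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _positions(matrix):
    return {matrix[r][c]: (r, c) for r in range(5) for c in range(5)}


def playfair_pair(matrix, pair, direction):
    """Rules 2-4 on one pair. direction=+1 encrypts (right/below), -1 decrypts (left/above)."""
    pos = _positions(matrix)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # same row: shift along the row, wrapping
        return matrix[r1][(c1 + direction) % 5] + matrix[r2][(c2 + direction) % 5]
    if c1 == c2:                                   # same column: shift down the column, wrapping
        return matrix[(r1 + direction) % 5][c1] + matrix[(r2 + direction) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]         # rectangle: keep row, take the other column


def playfair_encrypt(plaintext, keyword):
    m = playfair_matrix(keyword)
    return "".join(playfair_pair(m, p, +1) for p in playfair_digraphs(plaintext))


def playfair_decrypt(ciphertext, keyword):
    """Inverse rules; the X fillers remain in the output for the reader to drop."""
    m = playfair_matrix(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(playfair_pair(m, p, -1) for p in pairs)


if __name__ == "__main__":
    for row in playfair_matrix("monarchy"):        # assumed keyword, see lead-in
        print(" ".join(row))
    for pt in ("ar", "mu", "hs", "ea", "balloon"):
        print(pt, "->", playfair_encrypt(pt, "monarchy"))
```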
Polyalphabetic cipher:
To encrypt a message, a key is needed that is as long as the message.
Usually, the key is a repeating keyword. For example, if the keyword is deceptive, the
message "we are discovered save yourself" is encrypted as follows:
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
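The keyword scheme shown above (the Vigenère cipher) is the poly-alphabetic cipher of section 2.1 (6): the keyword length is the period, and the Vernam cipher of section 2.2 (4) is the limiting case where the key is as long as the message, random, and never reused. The Python program below is an added example, not code from the notes, covering all three: it reproduces the deceptive / wearediscoveredsaveyourself example, reports which positions share a key letter for a given period, and shows the one-time pad property that the same ciphertext can be "decrypted" to any other message of equal length under a suitably chosen pad, which is why a random, single-use pad leaks nothing about the message. The sample messages are constructed for the demonstration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def _letters(text):
    return [c for c in text.upper() if c in ALPHABET]


def vigenere_encrypt(plaintext, key):
    """Letter i is shifted by key letter (i mod len(key)); len(key) is the period."""
    p, k = _letters(plaintext), _letters(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(ALPHABET[(ALPHABET.index(c) + ALPHABET.index(k[i % len(k)])) % 26]
                   for i, c in enumerate(p))


def vigenere_decrypt(ciphertext, key):
    c, k = _letters(ciphertext), _letters(key)
    return "".join(ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(k[i % len(k)])) % 26]
                   for i, ch in enumerate(c))


def same_key_positions(text_len, period, index):
    """Positions that share the key letter used at `index`: every `period`-th one,
    which is the notes' 'every 30th character' remark for 30 one-letter keys."""
    return list(range(index % period, text_len, period))


def one_time_pad_key(length):
    """A Vernam pad: as long as the message, uniformly random from the OS CSPRNG
    (secrets, not random), and used for exactly one message."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def one_time_pad_encrypt(plaintext, pad):
    p = _letters(plaintext)
    if len(pad) < len(p):
        raise ValueError("pad must be at least as long as the message")
    return vigenere_encrypt("".join(p), pad[:len(p)])   # same shift arithmetic, no key reuse


def one_time_pad_decrypt(ciphertext, pad):
    return vigenere_decrypt(ciphertext, pad[:len(ciphertext)])


def pad_for(ciphertext, plaintext):
    """The pad under which `ciphertext` decrypts to `plaintext`. One exists for every
    plaintext of the same length, so the ciphertext alone cannot single out the real
    message: this is the one-time pad's perfect secrecy, and it holds only while the
    pad is random, message-length and never reused."""
    c, p = _letters(ciphertext), _letters(plaintext)
    if len(c) != len(p):
        raise ValueError("plaintext must have as many letters as the ciphertext")
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26] for x, y in zip(c, p))


if __name__ == "__main__":
    print(vigenere_encrypt("we are discovered save yourself", "deceptive"))
    print(same_key_positions(90, 30, 0))
    pad = one_time_pad_key(12)
    ct = one_time_pad_encrypt("ATTACK AT DAWN", pad)          # constructed message
    print(ct, one_time_pad_decrypt(ct, pad))
    other = pad_for(ct, "DEFEND AT NOON")                     # constructed alternative
    print(one_time_pad_decrypt(ct, other))
```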
4. The Hill Cipher
As we pointed out above, the Hill Cipher is a block cipher. Here is how it works in general. After
we discuss the general process we will look at an example.
4.1. Encryption with the Hill Cipher
The Hill Cipher Encryption Algorithm
1. Find an n × n matrix E that is invertible modulo 26. This is actually the encryption
key.
2. Take the message that is to be sent (the plaintext), remove all of the spaces and
punctuation symbols, and convert the letters to all uppercase.
3. Convert each character to a number between 0 and 25. The usual way to do this is
A = 0, B = 1, C = 2, ..., Z = 25.
A   B   C   D   E   F   G   H   I   J   K   L   M
0   1   2   3   4   5   6   7   8   9   10  11  12
N   O   P   Q   R   S   T   U   V   W   X   Y   Z
13  14  15  16  17  18  19  20  21  22  23  24  25
As a historical note, Lester Hill did not use this coding of letters to numbers, he simply
mixed up the order. Mixing up the order does not make the method more secure, it
simply combines the Hill cipher with a simple substitution cipher, which are easy to
break.
4. Divide this string of numbers up into blocks of size n. Note that if E is an n × n
matrix then the block size is n. Another note: if the message does not break evenly
into blocks of size n, we pad the end of the message with characters; this can be
done at random.
5. Write each block as a column vector of size n. At this point the message is a sequence
of n-dimensional vectors v1, v2, ..., vt.
6. Take each of the vectors and multiply them by the encryption matrix E (reducing every
entry modulo 26), so
E v1 = w1
E v2 = w2
E v3 = w3
...
E vt = wt
7. Take the vectors w1, w2, ..., wt, write the entries of the vectors in order, convert the
numbers back to characters and you have your cipher text.
One note about this algorithm is that we can do step 6 with a single matrix multiplication. If
we let the message matrix M be the matrix produced by having the vectors v1, v2, ..., vt as
columns, that is, M = [v1 v2 ... vt], then EM = [w1 w2 ... wt] = C would be our cipher text
matrix.
Example 7: Say Alice wants to send Bob the message "Cryptography is cool!"
1. Alice chooses the block size n = 3 and chooses the encryption matrix E to be
        [ 2   3  15 ]
    E = [ 5   8  12 ]
        [ 1  13   4 ]
Since det(E) (mod 26) = 11, and 11 is invertible modulo 26, the matrix E is also invertible
modulo 26.
2. The message that is to be sent is "Cryptography is cool!"; removing the spaces and
punctuation symbols and converting the letters to all uppercase gives
CRYPTOGRAPHYISCOOL
3. Conversion to numbers using A = 0, B = 1, C = 2, . . . , Z = 25, gives
2 17 24 15 19 14 6 17 0 15 7 24 8 18 2 14 14 11
4. Dividing this string of numbers up into blocks of size 3.
2 17 24 15 19 14 6 17 0 15 7 24 8 18 2 14 14 11
so no padding is needed here.
5. Converting these blocks into a message matrix M gives
        [  2  15   6  15   8  14 ]
    M = [ 17  19  17   7  18  14 ]
        [ 24  14   0  24   2  11 ]
6. Multiply by the encryption matrix E (every entry reduced modulo 26),
         [ 2   3  15 ] [  2  15   6  15   8  14 ]   [ 25  11  11  21  22   1 ]
    EM = [ 5   8  12 ] [ 17  19  17   7  18  14 ] = [ 18   5  10   3   0   2 ] = C
         [ 1  13   4 ] [ 24  14   0  24   2  11 ]   [  7   6  19  20  16   6 ]
7. Convert C into the cipher text.
25 18 7 11 5 6 11 10 19 21 3 20 22 0 16 1 2 6
ZSHLFGLKTVDUWAQBCG
So Alice will send "ZSHLFGLKTVDUWAQBCG" to Bob.
Since this is a symmetric cipher, Alice and Bob would have to share this key with each other.
They obviously could not simply call or text each other with this information, since Eve could
easily intercept that call or text and would then know the key. So either Alice or Bob would have
to meet in person, in a secure location, and exchange the key, or they would need some other
trusted person to deliver the key from Alice to Bob. This difficulty in exchanging the key
securely gave rise to the creation of the public-key systems which are commonly used today; for
more information on public-key systems please see the references [5] and [7].
4.2. Decryption with the Hill Cipher
Now that Bob has the encrypted message and the encryption key he can decrypt the message that
Alice had sent to him. The decryption algorithm is essentially the same as the encryption
algorithm, except that we use E^-1 in place of E. Since EM = C, and E is invertible, we can
calculate M = E^-1 C. We will call D = E^-1 the decryption matrix, so DC = M. Remember that this
inverse is the inverse modulo 26.
The Hill Cipher Decryption Algorithm
1. Find D = E^-1 (mod 26). This is the decryption key.
2. Take the ciphertext and convert it to the matrix C.
3. Calculate DC = M.
4. Convert the matrix M to the plaintext message. You may need to insert the appropriate
spaces and punctuation symbols since these were removed.
Example 8: Bob has the encrypted message ZSHLFGLKTVDUWAQBCG.
1. He calculates
               [ 2   3  15 ]^-1             [ 10  19  16 ]
    D = E^-1 = [ 5   8  12 ]     (mod 26) = [  4  23   7 ]
               [ 1  13   4 ]                [ 17   5  19 ]
2. He also converts the ciphertext to the matrix C.
ZSHLFGLKTVDUWAQBCG
25 18 7 11 5 6 11 10 19 21 3 20 22 0 16 1 2 6
and since he knows that the block size is 3 he constructs C as
        [ 25  11  11  21  22   1 ]
    C = [ 18   5  10   3   0   2 ]
        [  7   6  19  20  16   6 ]
3. Calculate DC = M.
         [ 10  19  16 ] [ 25  11  11  21  22   1 ]   [  2  15   6  15   8  14 ]
    DC = [  4  23   7 ] [ 18   5  10   3   0   2 ] = [ 17  19  17   7  18  14 ] = M
         [ 17   5  19 ] [  7   6  19  20  16   6 ]   [ 24  14   0  24   2  11 ]
4. Convert the matrix M to the plaintext message.
2 17 24 15 19 14 6 17 0 15 7 24 8 18 2 14 14 11
CRYPTOGRAPHYISCOOL
So Bob adds in a couple spaces to get CRYPTOGRAPHY IS COOL!
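The Python program below is an added example, not code from the notes, that carries Examples 7 and 8 through in general form: it computes det(E) mod 26, the inverse matrix modulo 26 by the adjugate method, checks that a proposed key is actually invertible (its determinant must be coprime with 26), and runs the full encryption and decryption pipeline of sections 4.1 and 4.2 for any block size n ≥ 2. It assumes Python 3.8 or later for pow(d, -1, 26); the padding character X for messages whose length is not a multiple of n is a choice made here (the notes say padding may be random).

```python
import math
import string

ALPHABET = string.ascii_uppercase
MOD = 26


def det_mod(matrix, m=MOD):
    """Determinant by Laplace expansion along the first row, reduced modulo m."""
    n = len(matrix)
    if n == 1:
        return matrix[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in matrix[1:]]
        total += (-1) ** j * matrix[0][j] * det_mod(minor, m)
    return total % m


def is_valid_key(matrix, m=MOD):
    """E is invertible mod 26 iff gcd(det(E), 26) == 1, i.e. det is odd and not a multiple of 13."""
    return math.gcd(det_mod(matrix, m), m) == 1


def inverse_mod(matrix, m=MOD):
    """E^-1 (mod m) = det(E)^-1 * adj(E), adj(E) being the transposed cofactor matrix."""
    n = len(matrix)
    d = det_mod(matrix, m)
    if math.gcd(d, m) != 1:
        raise ValueError("matrix is not invertible modulo %d" % m)
    d_inv = pow(d, -1, m)                       # modular inverse of the determinant
    cof = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(matrix) if k != i]
            cof[i][j] = (-1) ** (i + j) * det_mod(minor, m)
    return [[(d_inv * cof[j][i]) % m for j in range(n)] for i in range(n)]


def mat_mul_mod(a, b, m=MOD):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % m
             for j in range(len(b[0]))] for i in range(len(a))]


def text_to_matrix(text, n, pad="X"):
    """Steps 2-5: keep letters, map A=0..Z=25, pad to a multiple of n, and use each
    block of n numbers as one column of an n-row matrix."""
    letters = [c for c in text.upper() if c in ALPHABET]
    while len(letters) % n:
        letters.append(pad)                     # padding character is a choice (see lead-in)
    nums = [ALPHABET.index(c) for c in letters]
    blocks = [nums[i:i + n] for i in range(0, len(nums), n)]
    return [[blk[r] for blk in blocks] for r in range(n)]


def matrix_to_text(matrix):
    """Step 7: read the columns in order and convert numbers back to letters."""
    n, t = len(matrix), len(matrix[0])
    return "".join(ALPHABET[matrix[r][c]] for c in range(t) for r in range(n))


def hill_encrypt(plaintext, key):
    if not is_valid_key(key):
        raise ValueError("key has no inverse modulo 26; cipher text could not be decrypted")
    return matrix_to_text(mat_mul_mod(key, text_to_matrix(plaintext, len(key))))


def hill_decrypt(ciphertext, key):
    return matrix_to_text(mat_mul_mod(inverse_mod(key), text_to_matrix(ciphertext, len(key))))


EXAMPLE_KEY = [[2, 3, 15], [5, 8, 12], [1, 13, 4]]      # the E matrix of Example 7

if __name__ == "__main__":
    print(det_mod(EXAMPLE_KEY), inverse_mod(EXAMPLE_KEY))
    ct = hill_encrypt("Cryptography is cool!", EXAMPLE_KEY)
    print(ct, hill_decrypt(ct, EXAMPLE_KEY))
```

The key-validity check matters in practice: a matrix whose determinant shares a factor with 26 still "encrypts", but the result is not uniquely decryptable, so the check belongs at key-generation time rather than at decryption time.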
5. INTRODUCTION TO BASIC ENCRYPTION AND DECRYPTION:
The term 'Cryptography' means the concept of encryption and decryption together.
Cryptography is the technique in which the original 'plain text' message is 'encrypted' i.e.
converted into a coded form called 'cipher text' at the sender's end, which is then transmitted to
the receiver. The receiver then 'decrypts' i.e. converts the 'cipher text' back into the 'plain text' to
get the original message back.
Fig.5.1
Cryptography is also described as an art or technique for achieving secure communication between
the communicating parties by encoding the messages between them such that no third party can
gain anything useful by intercepting them.
Various techniques are utilized for this purpose. Broadly, these techniques fall into two
categories:
(1) Symmetric key cryptography, in which the 'key' used is the 'same' for both encryption and
decryption, and
(2) Asymmetric key cryptography, in which the 'key' used is different for encryption and
decryption.
(a) Symmetric key cryptography is also known as 'private or secret key cryptography',
whereas
(b) Asymmetric key cryptography is also known as 'public key cryptography'.
Recall that there are two basic types of encryption:
Symmetric algorithms: (also called “secret key”) use the same key for both encryption and
decryption;
Asymmetric algorithms: (also called “public key”) use different keys for encryption and
decryption.
For any encryption approach, there are two major challenges:
Key distribution: how do we convey keys to those who need them to establish secure
communication?
Key management: given a large number of keys, how do we preserve their safety and make
them available as needed?
Symmetric
1) Alice and Bob agree on a cryptosystem
2) Alice and Bob agree on a key
3) Alice takes her plaintext message and encrypts it using the encryption algorithm and the
key. This creates a ciphertext message
4) Alice sends the ciphertext message to Bob
5) Bob decrypts the ciphertext message with the same algorithm and key and reads it.
Asymmetric
1) Alice and Bob agree on a public-key cryptosystem
2) Bob sends Alice his public key
3) Alice encrypts her message using Bob’s public key and sends it to Bob
4) Bob decrypts Alice’s message using his private key
Problems:
Symmetric
• Keys must be distributed in secret
• If a key is compromised, Eve (the eavesdropper) can
  - decrypt any message
  - pretend to be one of the parties
• A network requires a great number of keys
Asymmetric
• slow (~1000 times slower than symmetric)
• vulnerable to chosen-plaintext attacks
Unit III
1. Overview of Symmetric key cryptography
2. Symmetric Key algorithms
3. Algorithm types and modes
4. DES, RC4
1. Overview of Symmetric key cryptography
(1) Symmetric (secret key):
An identical key is used for encryption and decryption.
The strength of the algorithm is determined by the size of the key: the longer the key, the
more difficult it is to crack.
Key length is expressed in bits.
Typical key sizes vary between 48 bits and 448 bits.
The set of possible keys for a cipher is called the key space.
For a 40-bit key there are 2^40 possible keys.
For a 128-bit key there are 2^128 possible keys.
Each additional bit added to the key length doubles the work of a brute-force search.
To crack the key the attacker has to use brute force (try all the possible keys until one that
works is found).
A supercomputer can crack a 56-bit key in 24 hours.
It would take 2^72 times longer to crack a 128-bit key (longer than the age of the universe).
Primitive Ciphers:
Caesar Cipher is a method in which each letter in the plaintext is shifted n places.
Mono-alphabetic Cipher: Any letter can be substituted for any other letter.
Advantages:
Relatively simple and significantly faster than the rest.
Used in an environment where a single authority manages the keys.
Used in environments where secure secret key distribution can take place.
Disadvantages:
Key management (generation, transmission and storage of keys) may be a problem.
People could repudiate sent messages, claiming the receiver had compromised the key.
Third party involvement may be required for authentication of key. Database with keys of all
1.2. Types of Symmetric Ciphers:
(a) Stream cipher:
Each bit or byte is encrypted or decrypted individually, one bit or one byte at a time.
Simple substitution ciphers are of this kind.
Used for a single message, or when the data is a constant stream of information.
(b) Block cipher:
A block cipher is a type of symmetric-key encryption algorithm that transforms a fixed-length
block of plaintext data into a block of cipher text data of the same length.
An iterated block cipher is one in which the ciphering is done repeatedly, round after round.
1.3. SYMMETRIC- KEY CRYPTOGRAPHY:
We can divide all the cryptography algorithms in the world into two groups: symmetric-key
(sometimes called secret-key) cryptography algorithms and public-key (sometimes called
asymmetric) cryptography algorithms.
In symmetric-key cryptography, the same key is used by both parties. The sender uses this
key and an encryption algorithm to encrypt data; the receiver uses the same key and the
corresponding decryption algorithm to decrypt the data
Fig. 5.2
In symmetric-key cryptography, the same key is used by the sender (for encryption) and the
receiver (for decryption). The key is shared.
In symmetric-key cryptography, the algorithm used for decryption is the inverse of the
algorithm used for encryption. This means that if the encryption algorithm uses a combination of
addition and multiplication, the decryption algorithm uses a combination of division and
subtraction.
Note that the symmetric-key cryptography algorithms are so named because the same key can
be used in both directions.
In symmetric-key cryptography, the same key is used in both directions.
Symmetric-key algorithms are efficient; it takes less time to encrypt a message using a
symmetric-key algorithm than it takes to encrypt using a public-key algorithm. The reason is that
the key is usually smaller. For this reason, symmetric-key algorithms are used to encrypt and
decrypt long messages.
1.4. Symmetric-key Cryptography is Often Used for Long Messages:
Disadvantages of symmetric key:
A symmetric-key algorithm has two major disadvantages.
(1) Each pair of users must have a unique symmetric key.
This means that if N people in the world want to use this method, there need to be N(N - 1)/2
symmetric keys.
For example, for 1 thousand people to communicate, 1000 × 999 / 2 = 4,99,500 (four lakh
ninety-nine thousand five hundred) symmetric keys are needed. The distribution of the keys
between two parties can be difficult.
(2) The sender needs to convey the key to the receiver. It may be hijacked in between!
2.Symmetric Key Algorithms:
2.1. DES (DATA ENCRYPTION STANDARD) CIPHER ALGORITHM
DES CIPHER:
A 16-round Feistel cipher with a block size of 64 bits. DES stands for Data Encryption
Standard. IBM developed DES in 1974 in response to a federal government public invitation for
data encryption algorithms. In 1977, DES was published as a federal standard, FIPS PUB 46.
Algorithm:
Step 1: A 64-bit plain text block is handed over to the initial permutation (IP) function.
Step 2: IP is performed on the plain text.
Step 3: IP produces 2 halves, say LPT and RPT, of 32 bits each.
Step 4: Perform 16 rounds of the encryption process, each with its own sub-key.
Rounds are defined as follows in the algorithm:
4a: Key transformation
4b: Expansion Permutation (EP)
4c: S-Box Substitution
4d: P-Box Permutation
4e: XOR and Swap.
Step 5: LPT and RPT are rejoined finally and a Final Permutation (FP) is performed on the
combined block.
Step 6: The result of this process is the 64-bit cipher text.
Diagrammatical Representation:
Fig. 5.3
Explanation of the Algorithm:
IP - Initial Permutation:
IP is performed according to the IP table. It happens only once, before the first round. The
table specifies how the transposition in IP should proceed.
After this IP, the 64-bit plain text is divided into 2 halves, called LPT and RPT, of 32 bits
each.
In the rounds, step 1 is key transformation.
That is achieved by:
(a) Shifting the key bits by the number of positions given in the round (shift) table.
(b) Applying the compression table to get the sub-key of 48 bits.
Step 2 is Expansion Permutation (EP):
In this step, the 32-bit RPT is expanded to 48 bits to match the length of the sub-key. The
process is as follows:
The 32-bit text is divided into 8 blocks of 4 bits each. Each block is then expanded to 6 bits
by adding 2 extra bits: the last bit of the preceding block is placed before it and the first
bit of the following block is placed after it, circularly, so that block 1 borrows the last bit
of block 8 and block 8 borrows the first bit of block 1. The result is a 48-bit text.
A diagram for the same is given below:
Fig. 5.4
This expansion is specified by the Expansion Permutation table.
Step 3 in the round is S-Box Substitution:
(1) This step reduces the 48-bit RPT to 32 bits, because LPT is of 32 bits.
(2) It accepts 48 bits, does some XOR logic and gives 32 bits.
(a) The 48-bit key (result of step 1) and the 48 bits of RPT (result of step 2) are XORed,
and the output is a 48-bit input block that is given as the input to the S-Box
Substitution.
(b) The 48-bit block is divided into 8 blocks of 6 bits each.
(c) The decimal equivalent of the first and last bits of a block denotes the row number, and
the decimal equivalent of bits 2, 3, 4 and 5 denotes the column number of the S-Box
substitution table.
(d) Look up the value and take the binary equivalent of the number.
(e) The result is a 4-bit binary number.
Fig. 5.5
(f) For example, if the 6-bit number is 100101 then the first and last bits are 11 and the
decimal equivalent of the number is 3. The remaining bits are 0010 and the decimal
equivalent of the number is 2. If it is the first block of input, then check the 3rd row,
2nd column value in the S-box 1 substitution table. It is given as 1 in the table. The
binary equivalent of 1 is 0001.
(g) The 6-bit input 100101 is thus reduced to 0001 after S-Box Substitution.
Step 4 in the round is P-Box Permutation:
In this step, the 32-bit output of the S-Boxes is permuted using a P-box. This mechanism
involves a simple permutation, that is, the replacement of each bit with another bit as
specified in the P-Box table, without any expansion or compression. This is called P-Box
Permutation. The P-Box is shown below.
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
For example, a 16 in the first block indicates that the bit at position 16 moves to bit at position
1 in the output.
Step 5 is XOR and Swap:
The untouched LPT, which is of 32 bits, is XORed with the resultant RPT that is with the
output produced by P-Box permutation. The result of this XOR operation becomes the new right
half. The old right half becomes the new left half in the process of swapping. This is shown
below.
Fig. 5.6
Final Permutation (FP):
At the end of 16 rounds, the Final Permutation is performed only once. This is a simple
transposition based on the Final Permutation Table.
The output of the Final permutation is the 64-bit encrypted block.
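The following Python program is an added example, not code from the notes, that traces the data flow of one DES round as described in steps 2 to 5 above: expansion of the 32-bit right half to 48 bits, XOR with the 48-bit sub-key, S-box substitution with the row/column indexing of step 3(c), the P-box permutation using the table printed above, and the final XOR-and-swap. The expansion table and S-box S1 are the standard ones from FIPS 46-3; note that in that table the lookup for 100101 (row 3, column 2) yields 8, not the 1 given in the text's worked example, whose Fig. 5.5 is not reproduced here. One simplification is labelled in the code: real DES uses eight different S-boxes S1 to S8, and the example reuses S1 for all eight 6-bit groups so that a whole round can be run end to end. The key schedule, IP and FP are not included. The example also demonstrates the security-relevant property of the Feistel structure: a round is undone with the same round function f, so f itself never has to be invertible (the S-boxes map 6 bits to 4). The sample halves and sub-key used in the test are constructed.

```python
# Expansion permutation E: 32-bit right half -> 48 bits (1-based input bit positions).
E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# P-box permutation, the table printed in the notes.
P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]

# S-box S1 of DES (FIPS 46-3): 4 rows x 16 columns of 4-bit values.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

# Simplification for this example: real DES has eight distinct S-boxes S1..S8.
TOY_BOXES = [S1] * 8


def permute(bits, table):
    """Table-driven permutation on a bit string: output bit i is input bit table[i] (1-based)."""
    return "".join(bits[p - 1] for p in table)


def expand(r32):
    """Step 2: each 4-bit group gains the last bit of the previous group in front and the
    first bit of the next group behind (circularly), giving 48 bits."""
    assert len(r32) == 32
    return permute(r32, E_TABLE)


def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def sbox_index(six_bits):
    """Step 3(c): row from the outer bits (b1 b6), column from the inner bits (b2..b5)."""
    return int(six_bits[0] + six_bits[5], 2), int(six_bits[1:5], 2)


def sbox_lookup(six_bits, box=S1):
    row, col = sbox_index(six_bits)
    return format(box[row][col], "04b")          # 4-bit output, step 3(e)


def substitute(bits48, boxes):
    """Step 3(b): eight 6-bit groups, each through its own S-box, giving 32 bits."""
    return "".join(sbox_lookup(bits48[i * 6:(i + 1) * 6], boxes[i]) for i in range(8))


def round_function(r32, subkey48, boxes):
    """f(R, K) = P( S( E(R) xor K ) ): steps 2, 3 and 4 on the right half."""
    return permute(substitute(xor_bits(expand(r32), subkey48), boxes), P_TABLE)


def feistel_round(l32, r32, subkey48, boxes):
    """Step 5: new L = old R; new R = old L xor f(old R, K)."""
    return r32, xor_bits(l32, round_function(r32, subkey48, boxes))


def feistel_round_inverse(l_new, r_new, subkey48, boxes):
    """Undo a round with the same f: old R = new L; old L = new R xor f(new L, K).
    Decryption never needs f^-1, which is why a lossy 6->4 bit S-box is acceptable."""
    return xor_bits(r_new, round_function(l_new, subkey48, boxes)), l_new


if __name__ == "__main__":
    print(sbox_index("100101"), sbox_lookup("100101"))
    left, right = "0101" * 8, "0011" * 8             # constructed 32-bit halves
    subkey = "1" * 48                                # constructed 48-bit sub-key
    l1, r1 = feistel_round(left, right, subkey, TOY_BOXES)
    print(l1, r1)
    print(feistel_round_inverse(l1, r1, subkey, TOY_BOXES) == (left, right))
```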
2.2. IDEA ALGORITHM AND ITS WORKING:
International Data Encryption Algorithm (IDEA):
IDEA is perceived as one of the strongest cryptographic algorithms. It was launched in
1990 and underwent certain changes in names and capabilities, as shown in the table.
Year Name
1990 Proposed Encryption Standard (PES)
1991 Improved Proposed Encryption Standard (IPES)
1992 International Data Encryption Algorithm (IDEA)
One popular email privacy technology known as Pretty Good Privacy (PGP) is based on
IDEA.
(1) IDEA is a block cipher.
(2) IDEA is reversible like DES, i.e. the same algorithm is used for encryption and decryption.
(3) It uses both confusion and diffusion for encryption.
Algorithm:
(1) Consider the input plain text of 64 bits.
(2) Divide the input plain text into 4 portions each of size 16 bits (Say P1 to P4).
(3) Now perform the 8 rounds of algorithm.
(a) In each round 6 sub-keys are generated from the original key. Each of the sub-keys
consists of 16-bits. These six sub-keys are applied to the four input blocks P1 to P4. Thus
for first round, we have 6 keys say k1 to k6; for second round, we have keys k7 to k12.
Finally for eighth round we have keys k43 to k48.
(b) Multiply, add and XOR the plain text blocks with sub keys.
(4) Perform an output transformation using four further sub-keys.
(5) Combine all the 4 blocks of output transformation to get the cipher text of 64 bits.
Fig. 5.7
Details of first round in IDEA:
The initial key consists of 128 bits from which 6 sub-keys k1 to k6 are generated for the first
round.
Since k1 to k6 consist of 16 bits each, out of the original 128 bits, the first 96 bits (6 sub-keys
× 16 bits per sub-key) are used for the first round. Thus, at the end of the first round, bits 97-128
of the original key are unused.
Details of second round in IDEA:
In the 2nd round, the 32 unused bits (97-128) are used first. For the second round we still
require 96 - 32 = 64 more bits. But the original 128 key bits are exhausted.
Now IDEA uses the techniques of key shifting. At this stage the original key is shifted left
circularly by 25 bits that is, the 26th bit of the original key moves to the first position and
becomes the first bit after the shift, and the 25th bit of the original key moves to the last position
and becomes the 128th bit after the shift.
Details of one round in IDEA:
(1) Multiply P1 and k1.
(2) Add P2 and k2.
(3) Add P3 and k3.
(4) Multiply P4 and k4
(5) XOR results of step 1 and step 3.
(6) XOR results of step 2 and step 4.
(7) Multiply steps 5 and k5.
(8) Add step 6 and step 7.
(9) Multiply the result of step 8 and k6.
(10) Add step 7 and step 9.
(11) XOR the results of step 1 and step 9.
(12) XOR the results of step 3 and step 9.
(13) XOR the results of step 2 and step 10.
(14) XOR the results of step 4 and step 10.
Details of output Transformation:
(1) The output transformation is a one-time operation. It takes place at the end of the 8th round.
(2) Its input is the 64-bit output of the 8th round, divided into 4 sub-blocks (say R1 to R4, each
consisting of 16 bits); the remaining four sub-keys k49 to k52 are used. (In the reference
specification of IDEA the two middle sub-blocks R2 and R3 are exchanged before this transformation,
so that k50 is added to R3 and k51 to R2; an implementation has to follow that ordering to
interoperate with other IDEA implementations.)
Step 1: Multiply R1 and k49.
Step 2: Add R2 and k50.
Step 3: Add R3 and k51.
Step 4: Multiply R4 and k52.
The four results, concatenated, form the 64-bit cipher text.
Fig. 5.8
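The key schedule, the round and the output transformation described above, as an added worked example in Python (written for these notes; it is not code from the notes or from any IDEA library). Function names such as idea_mul, idea_subkeys and idea_encrypt are chosen here; the sub-key numbering follows the notes (k1..k6 per round, k49..k52 for the output transformation). The result is checked against the published IDEA test vector, which only works out if the swap of the two middle sub-blocks mentioned above is respected.

```python
# Added example (not from the notes): a minimal IDEA encryption in Python.
MASK16 = 0xFFFF


def idea_mul(a, b):
    """Multiply two 16-bit words modulo 2^16 + 1, where a value of 0 stands for 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % 0x10001) & MASK16      # a result of 2^16 maps back to 0


def idea_add(a, b):
    """Add two 16-bit words modulo 2^16."""
    return (a + b) & MASK16


def idea_subkeys(key):
    """Expand a 128-bit key into the 52 16-bit sub-keys k1..k52 (list index 0..51)."""
    if len(key) != 16:
        raise ValueError("IDEA needs a 16-byte key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        # read the current key as eight 16-bit words, left to right ...
        subkeys.extend((k >> (112 - 16 * i)) & MASK16 for i in range(8))
        # ... then rotate the whole 128-bit key left by 25 bits, as the notes describe
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def idea_round(x1, x2, x3, x4, k):
    """One IDEA round; k holds this round's six sub-keys. Step numbers follow the notes."""
    s1 = idea_mul(x1, k[0])          # (1)
    s2 = idea_add(x2, k[1])          # (2)
    s3 = idea_add(x3, k[2])          # (3)
    s4 = idea_mul(x4, k[3])          # (4)
    s5 = s1 ^ s3                     # (5)
    s6 = s2 ^ s4                     # (6)
    s7 = idea_mul(s5, k[4])          # (7)
    s8 = idea_add(s6, s7)            # (8)
    s9 = idea_mul(s8, k[5])          # (9)
    s10 = idea_add(s7, s9)           # (10)
    # (11) (12) (13) (14): the next round's P1..P4, in this order. Note that the value
    # derived from P3's line (step 12) now sits in position 2 and vice versa; that is
    # the swap of the two middle words which the output transformation undoes.
    return s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10


def idea_encrypt(key, block):
    """Encrypt one 64-bit block: 8 rounds followed by the output transformation."""
    if len(block) != 8:
        raise ValueError("IDEA block is 8 bytes")
    k = idea_subkeys(key)
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        x1, x2, x3, x4 = idea_round(x1, x2, x3, x4, k[6 * r:6 * r + 6])
    # Output transformation with k49..k52; R2 and R3 are exchanged first (see the notes).
    y1 = idea_mul(x1, k[48])
    y2 = idea_add(x3, k[49])
    y3 = idea_add(x2, k[50])
    y4 = idea_mul(x4, k[51])
    return b"".join(y.to_bytes(2, "big") for y in (y1, y2, y3, y4))


if __name__ == "__main__":
    # Published IDEA test vector (Lai and Massey): expected cipher text 11fbed2b01986de5
    key = bytes.fromhex("00010002000300040005000600070008")
    plaintext = bytes.fromhex("0000000100020003")
    print(idea_encrypt(key, plaintext).hex())
```

For this key the first eight sub-keys are simply the eight key words 0001..0008, and the rotation then yields k9 = 0x0400 (bits 26-41 of the original key), which is a quick way to check a key schedule by hand.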
A Symmetric Cryptosystems Comparison Table

Cipher        Security     Speed (486 PC)   Key length
DES           low          400 kb/s         56 bits
Triple DES    good         150 kb/s         112 bits
IDEA          good*        200 kb/s         128 bits
Triple IDEA   very good*   ~100 kb/s        256 bits

* The algorithm is believed to be strong.
** The algorithm itself is good, but it has a built-in weakness.
Chapter 4:
1. AES
2. Algorithm types and modes
3. RC4
1. ADVANCED ENCRYPTION STANDARD (AES):
Origins:
• clearly a replacement for DES was needed: theoretical attacks that can break it exist, and exhaustive key search attacks have been demonstrated
• Triple-DES can be used, but it is slow and has small (64-bit) blocks
• US NIST issued a call for ciphers in 1997; 15 candidates were accepted in June 1998 and 5 were shortlisted in August 1999
• Rijndael was selected as the AES in October 2000 and issued as the FIPS PUB 197 standard in November 2001
AES Requirements:
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger and faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification and design details
• both C and Java implementations
• NIST have released all submissions and unclassified analyses
AES Evaluation Criteria:
initial criteria:
• security: effort for practical cryptanalysis
• cost: in terms of computational efficiency
• algorithm and implementation characteristics
final criteria:
• general security
• ease of software and hardware implementation
• implementation attacks
• flexibility (in en/decrypt, keying, other factors)
The AES Cipher – Rijndael:
• designed by Rijmen and Daemen in Belgium
• has 128/192/256-bit keys, 128-bit data
• an iterative rather than Feistel cipher: processes data as a block of 4 columns of 4 bytes and operates on the entire data block in every round
• designed to be resistant against known attacks, to have speed and code compactness on many CPUs, and to have design simplicity
Rijndael:
• the data block of 4 columns of 4 bytes is the state
• the key is expanded to an array of words
• has 9/11/13 full rounds (10/12/14 rounds if the incomplete last round, which omits Mix Columns, is counted) in which the state undergoes:
  byte substitution (1 S-box used on every byte)
  shift rows (permute bytes between groups/columns)
  mix columns (substitution using matrix multiplication of groups)
  add round key (XOR state with key material)
• view as alternating XOR with key material and scrambling of data bytes, with an initial XOR of key material and an incomplete last round
• has a fast XOR and table-lookup implementation
Byte Substitution:
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits)
• e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
• the S-box is constructed using a defined transformation of values in GF(2^8): the multiplicative inverse of the byte in the field, followed by a fixed affine transformation
• designed to be resistant to all known attacks
Shift Rows:
• a circular byte shift in each row
• 1st row is unchanged
• 2nd row does a 1-byte circular shift to the left
• 3rd row does a 2-byte circular shift to the left
• 4th row does a 3-byte circular shift to the left
• decryption inverts this using shifts to the right
• since the state is processed by columns, this step permutes bytes between the columns
Mix Columns:
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1 to derive each new byte in the column
• decryption requires use of the inverse matrix, which has larger coefficients and hence is a little harder
• an alternative characterization: each column is a 4-term polynomial with coefficients in GF(2^8), and polynomials are multiplied modulo (x^4 + 1)
Add Round Key:
Lastly is the Add Round Key stage, which is a simple bitwise XOR of the current block with a
portion of the expan
ded key. Note that this is the only step which makes use of the key and obscures
the result; hence it MUST be used at the start and end of each round, since otherwise an attacker
could undo the effect of the other steps. The other steps provide confusion, diffusion and
non-linearity. That is, you can look at the cipher as a series of XOR-with-key then
scramble/permute-block operations, repeated. This is efficient and, it is believed, highly secure.
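The Byte Substitution, Shift Rows, Mix Columns and Add Round Key steps above, as an added worked example in Python (written for these notes, not taken from FIPS 197 or any AES library). The S-box is not copied from a table but built from the GF(2^8) inverse and affine transformation the notes mention, which is then checked against the {95} -> {2A} entry quoted above; the state is kept as 16 bytes in column-major order (state[row + 4*col]) as in FIPS 197. Function names are chosen here.

```python
# Added example (not from the notes): the data-scrambling steps of one AES round,
# built from GF(2^8) arithmetic. State layout: 16 bytes, index = row + 4*column.


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return p


def gf_inverse(a):
    """Multiplicative inverse in GF(2^8) by exhaustive search; 0 maps to 0 by convention."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


def build_sbox():
    """The AES S-box: field inverse, then the fixed affine transformation with constant 0x63."""
    def rotl(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv = gf_inverse(x)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_bytes(state):
    """Byte substitution: the left nibble selects the row, the right nibble the column."""
    return [SBOX[b] for b in state]


def shift_rows(state):
    """Row r is rotated left by r bytes, which moves bytes between the columns."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_column(col):
    """One column times the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] over GF(2^8)."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def mix_columns(state):
    out = []
    for c in range(4):
        out.extend(mix_column(state[4 * c:4 * c + 4]))
    return out


def add_round_key(state, round_key):
    """Bitwise XOR with 16 bytes of expanded key: the only step that involves the key."""
    return [s ^ k for s, k in zip(state, round_key)]


def aes_round(state, round_key):
    """A full round: SubBytes, ShiftRows, MixColumns, AddRoundKey (the last round skips MixColumns)."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)


if __name__ == "__main__":
    print(hex(SBOX[0x95]))                                  # 0x2a, as in the notes
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])   # 8e 4d a1 bc (FIPS 197 example)
```

The two published check values used here are S[{95}] = {2A} from the notes and the Mix Columns example column {db 13 53 45} -> {8e 4d a1 bc} from FIPS 197; a derived S-box that fails either check has the wrong field polynomial or the wrong affine constant.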
AES Round:
AES Key Expansion:
• takes the 128/192/256-bit key and expands it into an array of 44/52/60 32-bit words
• start by copying the key into the first 4 (6 or 8) words
• then loop creating words that depend on the values in the previous word and the word 4 (6 or 8) places back
• in 3 of 4 cases just XOR these together
• the 1st word in every 4 has rotate + S-box + XOR round constant applied to the previous word, before the XOR with the 4th word back
The first block of the AES Key Expansion is shown in the Figure. It shows each group of 4
bytes in the key being assigned to the first 4 words, then the calculation of the next 4 words
based on the values of the previous 4 words, which is repeated enough times to create all the
necessary subkey information.
3. Algorithm types and modes:
3.1. Modes of Operation:
• block ciphers encrypt fixed size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
• need some way to en/decrypt arbitrary amounts of data in practice
• ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes; subsequently 5 were defined for AES and DES (NIST SP 800-38A)
• have block and stream modes
3.1.1. Electronic Codebook (ECB):
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks: Ci = DESK1(Pi)
• uses: secure transmission of single values
Advantages and Limitations of ECB:
• message repetitions may show in the ciphertext if aligned with message blocks, particularly with data such as graphics, or with messages that change very little, which become a code-book analysis problem
• the weakness is due to the encrypted message blocks being independent
• main use is sending a few blocks of data
3.1.2. Cipher Block Chaining (CBC):
• message is broken into blocks linked together in the encryption operation
• each previous cipher block is chained with the current plaintext block, hence the name
• uses an Initial Vector (IV) to start the process: Ci = DESK1(Pi XOR Ci-1), C-1 = IV
• uses: bulk data encryption, authentication
Message Padding:
• at the end of the message must handle a possible last short block which is not as large as the block size of the cipher
• pad either with a known non-data value (e.g. nulls), or pad the last block along with a count of the pad size
• e.g. [b1 b2 b3 0 0 0 0 5] means we have 3 data bytes, then 5 bytes of pad + count
• this may require an extra entire block over those in the message
• there are other, more esoteric modes, which avoid the need for an extra block
Advantages and Limitations of CBC:
• a ciphertext block depends on all blocks before it
• any change to a block affects all following ciphertext blocks
• need an Initialization Vector (IV) which must be known to sender and receiver; if sent in clear, an attacker can change bits of the first plaintext block by changing the IV to compensate; hence the IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before the rest of the message
• in current practice the IV is instead a fresh, unpredictable value for every message, sent in clear and covered by a message authentication code together with the ciphertext; a fixed IV makes two messages with the same first block produce the same first ciphertext block, and an IV that is neither encrypted nor authenticated is exactly what permits the bit-flipping described above
3.1.3. Cipher FeedBack (CFB):
• message is treated as a stream of bits, added to the output of the block cipher
• the result is fed back for the next stage (hence the name)
• the standard allows any number of bits (1, 8, 64 or 128 etc.) to be fed back, denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.
• most efficient to use all bits in the block (64 or 128): Ci = Pi XOR DESK1(Ci-1), C-1 = IV
• uses: stream data encryption, authentication
Advantages and Limitations of CFB:
• appropriate when data arrives in bits/bytes
• the most common stream mode
• limitation is the need to stall while doing a block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
3.1.4. Output FeedBack (OFB):
• message is treated as a stream of bits; the output of the cipher is added to the message
• the output is then fed back (hence the name); the feedback is independent of the message and can be computed in advance: Ci = Pi XOR Oi, Oi = DESK1(Oi-1), O-1 = IV
• uses: stream encryption on noisy channels
Advantages and Limitations of OFB:
• bit errors do not propagate
• more vulnerable to message stream modification
• a variation of a Vernam cipher, hence must never reuse the same sequence (key + IV)
• sender and receiver must remain in sync
• originally specified with m-bit feedback; subsequent research has shown that only full block feedback (i.e. OFB-64 or OFB-128) should ever be used
Counter (CTR):
• a "new" mode, though proposed early on
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key and counter value for every plaintext block (never reused): Ci = Pi XOR Oi, Oi = DESK1(i)
• uses: high-speed network encryption
Advantages and Limitations of CTR:
• efficiency: can do parallel encryptions in hardware or software, can preprocess in advance of need, good for bursty high speed links
• random access to encrypted data blocks
• provable security (as good as other modes)
• but must ensure never to reuse key/counter values, otherwise it could break (cf. OFB)
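ECB, CBC and CTR as described above, as an added worked example in Python (written for these notes, not code from the notes). The modes are written against any 8-byte block cipher; because the standard library has neither DES nor AES, the block cipher plugged in for the demonstration is a stand-in assumed here, a 4-round Feistel network whose round function is HMAC-SHA256 (not DES, not AES, and not a cipher anyone should deploy as such). The padding is the zero-fill-plus-count scheme from the notes, [b1 b2 b3 0 0 0 0 5]. Function names are chosen here. The example shows the ECB repetition leak, the CBC fix, and CTR random access to a single block.

```python
# Added example (not from the notes): ECB, CBC and CTR over a pluggable 8-byte block cipher.
import hashlib
import hmac
import os

BLOCK = 8


def feistel_block(key, block, decrypt=False):
    """Stand-in 64-bit block cipher (assumption for this example): 4 Feistel rounds whose
    round function is HMAC-SHA256 truncated to 4 bytes. Decryption reverses the round order."""
    l, r = block[:4], block[4:]
    order = reversed(range(4)) if decrypt else range(4)
    for i in order:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:4]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l           # final swap makes the same routine invertible


def pad(data):
    """Zero fill then a count byte; at least one byte is always added, so unpad is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, pt, cipher=feistel_block):
    return b"".join(cipher(key, p) for p in blocks(pad(pt)))           # C_i = E_K(P_i)


def ecb_decrypt(key, ct, cipher=feistel_block):
    return unpad(b"".join(cipher(key, c, decrypt=True) for c in blocks(ct)))


def cbc_encrypt(key, pt, iv, cipher=feistel_block):
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = cipher(key, xor(p, prev))          # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ct, iv, cipher=feistel_block):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(cipher(key, c, decrypt=True), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_keystream_block(key, nonce, i, cipher=feistel_block):
    """O_i = E_K(nonce || i): a 4-byte per-message nonce and a 4-byte block counter."""
    return cipher(key, nonce + i.to_bytes(4, "big"))


def ctr_crypt(key, data, nonce, cipher=feistel_block, first_block=0):
    """Encrypt and decrypt are the same XOR; no padding, and any block can be processed
    on its own because O_i depends only on i (random access, parallelism)."""
    out = bytearray()
    for i, chunk in enumerate(blocks(data), start=first_block):
        out += xor(chunk, ctr_keystream_block(key, nonce, i, cipher))
    return bytes(out)


def ecb_leaks_repeats(key, pt):
    """True when identical plaintext blocks appear as identical ciphertext blocks."""
    cs = blocks(ecb_encrypt(key, pt))
    return len(set(cs)) < len(cs)


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    rep = b"SAMEBLOK" * 3
    print("ECB leaks repeats:", ecb_leaks_repeats(key, rep))            # True
    cbc = blocks(cbc_encrypt(key, rep, iv))
    print("CBC blocks all distinct:", len(set(cbc)) == len(cbc))        # True
```

Note that the CTR nonce plays the role of the IV: reusing a (key, nonce) pair gives two messages the same keystream, the Vernam-cipher failure the OFB bullets warn about.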
PLACEMENT OF ENCRYPTION:
• have two major placement alternatives; the first is link encryption
• link encryption: encryption occurs independently on every link, which implies that traffic must be decrypted between links; it requires many devices, but only paired keys
4. RC4 Algorithm:
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-
size stream cipher with byte-oriented operations. The algorithm is based on the use of a random
permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater
than 10^100 [ROBS95]. Eight to sixteen machine operations are required per output byte, and the
cipher can be expected to run very quickly in software. RC4 was kept as a trade secret by RSA
Security. In September 1994, the RC4 algorithm was anonymously posted on the Internet on the
Cypherpunks anonymous remailers list.
The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key
of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with
elements S[0], S[1], ..., S[255]. At all times, S contains a permutation of all 8-bit numbers from
0 through 255. For encryption and decryption, a byte k (see Figure 1) is generated from S by
selecting one of the 256 entries in a systematic fashion. As each value of k is generated, the
entries in S are once again permuted.
Initialization of S:
To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that
is, S[0] = 0, S[1] = 1, ..., S[255] = 255. A temporary vector, T, is also created. If the length of
the key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the
first keylen elements of T are copied from K and then K is repeated as many times as necessary
to fill out T. These preliminary operations can be summarized as follows:

/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];

Next we use T to produce the initial permutation of S. This involves starting with S[0]
and going through to S[255], and, for each S[i], swapping S[i] with another byte in S according
to a scheme dictated by T[i]:

/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap(S[i], S[j]);

Because the only operation on S is a swap, the only effect is a permutation. S still
contains all the numbers from 0 through 255.
Stream Generation
Once the S vector is initialized, the input key is no longer used. Stream generation involves
starting with S[0] and going through to S[255], and, for each S[i], swapping S[i] with another
byte in S according to a scheme dictated by the current configuration of S. After S[255] is
reached, the process continues, starting over again at S[0]:

/* Stream Generation */
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];

To encrypt, XOR the value k with the next byte of plaintext. To decrypt, XOR the
value k with the next byte of ciphertext.
Strength of RC4
A number of papers have been published analyzing methods of attacking RC4. None of
these approaches is practical against RC4 with a reasonable key length, such as 128 bits.
(This assessment predates the keystream-bias attacks on RC4 in TLS published from 2013
onwards; RC4 cipher suites are now prohibited in TLS by RFC 7465, and RC4 should not be
used in new designs.)
A more serious problem is reported in [FLUH01]. The authors demonstrate that the WEP
protocol, intended to provide confidentiality on 802.11 wireless LAN networks, is
vulnerable to a particular attack approach. In essence, the problem is not with RC4 itself
but the way in which keys are generated for use as input to RC4. This particular problem
does not appear to be applicable to other applications using RC4 and can be remedied in
WEP by changing the way in which keys are generated. This problem points out the
difficulty in designing a secure system that involves both cryptographic functions and
protocols that make use of them.
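The key scheduling and stream generation above, as an added worked example in Python (written for these notes, not code from the notes or from any library). The cipher is checked against a published RC4 test vector (key "Key", plaintext "Plaintext"), and a second function measures one of the keystream weaknesses the "Strength of RC4" discussion alludes to: the second output byte is 0 with probability about 1/128 rather than 1/256 (Mantin and Shamir, 2001), which a uniform keystream would never show. Function names are chosen here; the random keys for the measurement are generated locally.

```python
# Added example (not from the notes): RC4 keystream generator and a keystream-bias check.
import random


def rc4_keystream(key):
    """Yield keystream bytes for a 1..256-byte key: the KSA runs once, then the PRGA forever."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    # Key-scheduling: S starts as the identity permutation, T repeats the key to 256 bytes
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: every output byte comes with one more swap inside S
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4_crypt(key, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def second_byte_zero_rate(trials, seed=1):
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    A uniform keystream would give about 1/256 = 0.0039; RC4 gives about 2/256 = 0.0078."""
    rng = random.Random(seed)     # seeded only so that the measurement is reproducible
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key)
        next(ks)                  # discard the first keystream byte
        if next(ks) == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())      # published vector: bbf316e8d940af0ad3
    print(second_byte_zero_rate(20000))                # close to 0.0078, not 0.0039
```

The bias is a property of the cipher itself, independent of how keys are chosen, which is why the WEP repair of changing key generation does not make RC4 output uniform; it only removes the related-key structure that [FLUH01] exploits.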
UNIT V:
1. Asymmetric Key Algorithms
2. Digital Signatures
3. Brief history of Asymmetric Key Cryptography
4. Overview of Asymmetric Key Cryptography
5. RSA algorithm
1. THE CONCEPT OF PUBLIC KEY AND PRIVATE KEY:
Asymmetric key cryptography is also known as 'public key cryptography'; it uses a
key-pair rather than a single key. The importance of this scheme is that only one key-pair
is required to communicate securely with any number of other parties (unlike the huge number
of keys that we have seen with the earlier method). Hence, one problem is overcome right away.
One of these two keys is called the public key (which can be announced to the world) and the
other is the private key (obviously to be kept with oneself). This is to be followed by everyone
who wants to communicate securely.
2. DIGITAL SIGNATURES:
In the earlier discussion of asymmetric key cryptography, we had considered only the
situation in which, if X is the sender and Y the receiver, X encrypts the message with Y's
public key and, on receiving it, Y decrypts it with his own private key. This method only
ensures confidential communication between the two. Now consider another situation. If X is
the sender and Y is the receiver, X encrypts the message using his own private key! On
receiving it, Y decrypts it using X's public key. The purpose behind this move is
'authentication'. It is clear that only X knows his private key.
So, when Y receives this message (encrypted with X's private key), it is an indication
or proof that it has originated only from X and none else! Remember that in the earlier
scheme, the purpose was only 'confidentiality' and the origin of the message was not the
concern.
Now, one may say that if someone else wants to intercept this communication it
should be easy, i.e. anyone who knows X's public key can decrypt the message. This is
true, but it will then not be possible for anyone to encrypt this message again, as only X
knows his private key. Thus the receiver here will not be fooled into believing that a forged
message came from X. This scheme confirms the origin of the message. So, in this case X
cannot deny that he has sent the message to Y, because it was encrypted with X's private key,
known only to X.
The above discussion forms the basis for the concept called 'Digital Signature'. In
our normal operations, we make use of our (handwritten) signatures. These are
used to confirm the 'origin' or the 'authentication' of the individual. In the Internet world,
it would be difficult to use any such method in practice. Hence the concept of 'Digital
signatures' evolved.
This technique is vitally important in the E-commerce concept used on the Internet. It
serves as a valid mechanism for the 'authenticity' of an individual. Most of the financial
transactions done over the Internet make use of this method.
2.1. Techniques of Digital signatures:
The actual working of digital signatures involves the use of a concept called 'message
digest' or 'hash'. A message digest is something like a summary of the original message
(it works similarly to the CRC checksum concept, but unlike a CRC it must be infeasible to
find two different messages with the same digest). This is basically used to verify the
'integrity' of data, i.e. to ensure that the message has not been modified after it was sent by
the sender and before it reaches the receiver.
The Digital Signature Standard (DSS) was first developed by NIST in 1991. It
suggests using the SHA-1 algorithm for calculating the message digest (SHA-1 is no longer
considered collision-resistant, and current versions of the standard use the SHA-2 family).
This digest is further used for performing digital signatures, by using the algorithm called
the Digital Signature Algorithm (DSA). In DSA, the message digest is signed with the sender's
private key to form the Digital Signature (DS). This signature is transmitted along
with the original message. It is also possible to use the earlier RSA algorithm for
performing digital signatures. RSA is prominently used over DSA, as DSA turns out to be
more complicated.
2.2. STEPS FOR THE PROCESS:
Sender's Side:
(1) If X is the sender, the SHA-1 algorithm is used to first calculate the message digest
(MD1) of the original message.
(2) This MD1 is further encrypted using RSA with X's private key. This output is called
the Digital Signature (DS) of X.
(3) Further, the original message (M) along with the Digital Signature (DS) is sent to the
receiver.
Receiver's Side:
(1) Y thus receives the original message (M) and X's digital signature. Y uses the same
message digest algorithm used by X to calculate the message digest (MD2) of the
received message (M).
(2) Also, Y uses X's public key to decrypt the digital signature. The outcome of this
decryption is nothing but the original message digest (MD1) calculated by X.
(3) Y then compares this digest MD1 with the digest MD2 he has just calculated in step
1. If both of them match, i.e. MD1 = MD2, Y can accept the original message
(M) as correctly authenticated and assured to have originated from X; whereas if
they are different, the message shall be rejected.
This method holds up as long as X's private key stays private. Even if an attacker
intercepts the message anywhere in between, it is not possible for him to sign a modified
message again, as only X in this case knows the private key! Hence, even if intercepted,
this method remains very much secure and reliable. (The receiver must also be sure that
the public key he uses really belongs to X, a point taken up in section 3.2.)
Fig.5.15
The Sender's Side:
Modus Operandi – Digital Signature:
After the digest has been created, it is encrypted (signed) using the sender's private
key. The encrypted digest is attached to the original message and sent to the receiver.
The figure (on the previous page) shows the sender site.
Fig.5.16
The Receiver's Side:
The receiver receives the original message and the encrypted digest. He separates the
two. He applies the same hash function to the message to create a second digest. He also
decrypts the received digest, using the public key of the sender. If the two digests are the
same, all three security measures (integrity, authentication and non-repudiation) are
preserved. Figure 30.7 shows the receiver site.
2.3. Properties of Digital Signature:
(1) A digital signature does not provide privacy. If there is a need for privacy, another
layer of encryption/decryption must be applied.
(2) Digital signatures can provide:
(a) Integrity,
(b) Authentication, and
(c) Non-repudiation.
(i) Integrity: The integrity of a message is preserved because if Eve
intercepted the message and partially or totally changed it, the digest
recovered from the signature would no longer match the digest of the
message actually received.
(ii) Authentication: We can use the following reasoning to show how a
message can be authenticated. If Eve sends a message while pretending that
it is coming from Alice, she must use her own private key for signing.
The signature is then decrypted with the public key of Alice and will
therefore be garbage: signing with Eve's private key and decrypting
with Alice's public key does not yield a digest that matches the message.
(iii) Non-repudiation: A digital signature also provides for non-repudiation. Bob
saves the message and signature received from Alice. If Alice later denies sending
the message, Bob can show that decrypting the saved signature with Alice's
public key yields the digest of the saved message. Since only Alice knows her
private key, she cannot deny sending the message.
Implementation of Digital signature
Source: Ecommerce by Kamlesh K. Bajaj.
COMPARE AND CONTRAST BETWEEN SYMMETRIC KEY
CRYPTOGRAPHY AND ASYMMETRIC KEY CRYPTOGRAPHY:
(1) Key used for encryption/decryption
    Symmetric key cryptography: the same key is used for encryption and decryption.
    Asymmetric key cryptography: one key is used for encryption and another, different key is used for decryption.
(2) Key process
    Symmetric: Ke = Kd.
    Asymmetric: Ke ≠ Kd.
(3) Speed of encryption/decryption
    Symmetric: very fast.
    Asymmetric: slower.
(4) Size of resulting encrypted text
    Symmetric: usually the same as or less than the original clear text size.
    Asymmetric: more than the original clear text size.
(5) Key agreement / exchange
    Symmetric: a big problem.
    Asymmetric: no problem at all.
(6) Number of keys required as compared to the number of participants in the message exchange
    Symmetric: equals about the square of the number of participants, so scalability is an issue.
    Asymmetric: same as the number of participants, so scales up quite well.
(7) Usage
    Symmetric: mainly for encryption and decryption (confidentiality); cannot be used for digital signatures (integrity and non-repudiation checks).
    Asymmetric: can be used for encryption and decryption (confidentiality) as well as for digital signatures (integrity and non-repudiation checks).
(8) Efficiency in usage
    Symmetric: symmetric key cryptography is often used for long messages.
    Asymmetric: public key algorithms are more efficient for short messages.
The above table shows that both symmetric key cryptography and asymmetric key
cryptography have nice features.
Also, both have some areas where better alternatives are generally desired.
Asymmetric key cryptography solves the major problem of key agreement / key
exchange as well as scalability.
However, it is far slower and produces huge chunks of cipher text as compared to
symmetric key cryptography (essentially because it uses large keys and complex
algorithms as compared to symmetric key cryptography).
How nice it would be if we could combine the two cryptography mechanisms, so as to
achieve the better of the two, and yet not compromise on any of the features. More
specifically, we need to ensure that the following objectives are met.
(1) The solution should be completely secure.
(2) The encryption and decryption processes must not take a long time.
(3) The generated cipher text should be compact in size.
(4) The solution should scale to a large number of users easily, without introducing any
additional complications.
(5) The key distribution problem must be solved by the solution.
In practice symmetric key cryptography and asymmetric key cryptography are
combined to obtain very efficient security solutions: the bulk of the data is encrypted with
a symmetric key, and only that (short) key is protected with asymmetric cryptography.
2.4. PRETTY GOOD PRIVACY:
The implementation of security at the application layer is more feasible and simpler,
particularly when the Internet communication involves only two parties, as in the case of
email and TELNET. The sender and the receiver can agree to use the same protocol and
to use any type of security services they desire. In this section, we discuss one protocol
used at the application layer to provide security: PGP.
Pretty Good Privacy (PGP) was invented by Phil Zimmermann to provide all four
aspects of security (privacy, integrity, authentication, and non-repudiation) in the sending
of email.
Fig.5.20
PGP uses a digital signature (a combination of hashing and public-key encryption) to
provide integrity, authentication, and non-repudiation. It uses a combination of secret-key
and public-key encryption to provide privacy. Specifically, it uses one hash function, one
secret key, and two private-public key pairs.
The figure shows how PGP creates secure email at the sender site. The email message
is hashed to create a digest. The digest is encrypted (signed) using Alice's private key.
The message and the signed digest are encrypted using the one-time secret key created by Alice.
The secret key is encrypted using Bob's public key and is sent together with the encrypted
combination of message and digest.
The figure below shows how PGP uses hashing and a combination of three keys to extract
the original message at the receiver site. The combination of the encrypted secret key and
the encrypted message plus digest is received. The encrypted secret key is first decrypted (using
Bob's private key) to get the one-time secret key created by Alice. The secret key is then used to
decrypt the combination of the message plus digest. Bob then verifies the signed digest with
Alice's public key against a fresh hash of the message, exactly as in section 2.2.
2.5. LONGITUDINAL REDUNDANCY CHECK / CYCLIC
REDUNDANCY CHECK (LRC / CRC):
A message digest is a fingerprint or summary of a message. It is similar to the
concepts of LRC and CRC, which are used to verify the integrity of data (i.e. to ensure
that a message has not been tampered with before it reaches the receiver). Let us understand
this concept with the help of an LRC example:
(1) A block of bits is organised in the form of a list (as rows). In the LRC, consider that we
want to send 32 bits; we arrange them into a list of four (horizontal) rows. Then we
count how many 1 bits occur in each of the 8 (vertical) columns. [If the number of 1s in
the column is odd, then we say that the column has odd parity (indicated by a 1 bit in
the shaded LRC row); otherwise, if the number of 1s in the column is even, we call it
even parity (indicated by a 0 bit in the shaded LRC row).]
(2) For instance, in the first column we have two 1s, indicating even parity, and
therefore we have a 0 in the shaded LRC row for the first column. Similarly, for the
last column we have three 1s, indicating odd parity, and therefore we have a 1 in the
shaded LRC row for the last column.
(3) Thus, the parity bit for each column is calculated and a new row of eight parity bits
is created. These become the parity bits for the whole block. Thus, the LRC is
actually a fingerprint of the original message.
(4) The data along with the LRC is then sent to the receiver. The receiver separates the
data block from the LRC block. It performs its own LRC on the data block alone. It
then compares its LRC value with the one received from the sender. If the two
LRC values match, then the receiver has reasonable confidence that the message
sent by the sender has not been changed in transit.
Unlike a message digest, an LRC only detects accidental errors: anyone who can modify the
data can also recompute the LRC, and any change that preserves the parity of every column
(for example flipping the same bit position in two rows) is not detected at all.
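Steps (1) to (4) above on a constructed 32-bit block, as an added worked example in Python (written for these notes, not code from the notes), together with the check a practitioner would want before treating an LRC as a fingerprint: a tamper that flips two bits in the same column leaves the LRC unchanged, whereas a cryptographic digest (SHA-256 here) changes. The four data rows are made up for the example, and the function names are chosen here.

```python
# Added example (not from the notes): LRC column parity and its blind spot.
import hashlib

# A constructed 32-bit block, sent as four rows of 8 bits (values chosen for this example)
ROWS = [0b10110010, 0b01101101, 0b11010011, 0b10011100]


def lrc(rows):
    """Column parity of a list of 8-bit rows: bit j of the result is 1 when column j
    holds an odd number of 1s (odd parity) and 0 when it holds an even number."""
    parity = 0
    for r in rows:
        parity ^= r           # XOR of all rows gives every column's parity at once
    return parity


def lrc_ok(rows, received_lrc):
    """Receiver's check: recompute the LRC over the data rows and compare."""
    return lrc(rows) == received_lrc


def column_ones(rows, column):
    """Number of 1 bits in a column (column 0 is the leftmost bit of each row)."""
    mask = 1 << (7 - column)
    return sum(1 for r in rows if r & mask)


def tamper_same_column(rows, column, row_a, row_b):
    """Flip the same bit position in two different rows: the column's parity is unchanged,
    so the LRC of the tampered block equals the LRC of the original."""
    mask = 1 << (7 - column)
    out = list(rows)
    out[row_a] ^= mask
    out[row_b] ^= mask
    return out


def sha256_hex(rows):
    """A cryptographic digest of the same block, for comparison."""
    return hashlib.sha256(bytes(rows)).hexdigest()


if __name__ == "__main__":
    for r in ROWS:
        print(format(r, "08b"))
    print(format(lrc(ROWS), "08b"), "<- LRC row")
    bad = tamper_same_column(ROWS, 2, 0, 3)
    print("LRC accepts tampered block:", lrc_ok(bad, lrc(ROWS)))          # True
    print("SHA-256 changed:", sha256_hex(bad) != sha256_hex(ROWS))       # True
```

A single flipped bit is caught (one column's parity changes), which is the error model an LRC is designed for; a deliberate modification is not, which is why the digital signature of section 2.2 is built on a hash rather than on a checksum.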
The working of public and private keys:
Asymmetric key cryptography (using public and private keys) works as under:
Consider the scenario where X wants to send a message to Y without having to worry about
its security.
(1) Then X and Y should each have a private key and a public key.
(a) X should keep its private key secret.
(b) Y should keep its private key secret.
(c) X should inform Y about its public key.
(d) Y should inform X about its public key.
(Both now have their own set of keys ready.)
(2) When X wants to send a message to Y, X encrypts it with Y's public key (as it is known
to everyone).
(3) X then sends this message to Y.
(4) Then, Y decrypts this message using his own private key (known only to Y).
[This ensures, in this case, that the message can be encrypted and sent by anyone,
but can only be decrypted by Y. Hence, any interception will not result in knowing
the sensitive information, as the key is only with Y.]
Similarly, on the other side, if Y wants to send a message to X, the reverse method
is performed.
(5) Y encrypts the message using X's public key and sends this to X.
(6) On receiving the message, X can decrypt it using his own private key.
The basis of this working lies in a large number n that is the product of two large primes
p and q. The public key contains n, but deriving the private key from the public key requires
factoring n into p and q, which is assumed to be infeasible for large enough primes.
The best example of an asymmetric key cryptography algorithm is the famous RSA
algorithm (developed by Rivest, Shamir and Adleman at MIT in 1978, based on the
framework set up by Diffie and Hellman earlier).
3. ASYMMETRIC KEY CRYPTOGRAPHY:
In public-key cryptography, there are two keys: a private key and a public key. The
receiver keeps the private key. The public key is announced to the public.
Imagine Alice, as shown in Figure 29.20, wants to send a message to Bob. Alice uses
the public key to encrypt the message. When Bob receives the message, the private key is
used to decrypt the message.
Fig. 5.10
In public-key encryption/decryption, the public key that is used for encryption is
different from the private key that is used for decryption.
The public key is available to the public; the private key is available only to an
individual.
3.1. Public-Key Encryption/Decryption has Two Advantages:
First, it removes the restriction of a shared symmetric key between two entities (e.g.,
persons) that need to communicate with each other. A shared symmetric key is shared by
the two parties and cannot be used when one of them wants to communicate with a third
party. In public-key encryption/decryption, each entity creates a pair of keys; the private
one is kept, and the public one is distributed. Each entity is independent, and the pair of
keys created can be used to communicate with any other entity.
The second advantage is that the number of keys needed is reduced tremendously.
In this system, for 1 thousand users to communicate, only 1 thousand pairs of keys, i.e.
2000 keys, are needed, not 499,500 (= 1000 × 999 / 2), as was the case in symmetric-key
cryptography.
3.2. Public-Key Cryptography also has Two Disadvantages:
The big disadvantage is the complexity of the algorithm. If we want the method to be
effective, the algorithm needs large numbers. Calculating the cipher text from plaintext
using the long keys takes a lot of time. That is the main reason that public-key
cryptography is not recommended for large amounts of text; public-key algorithms are
more efficient for short messages.
The second disadvantage of the public-key method is that the association between an
entity and its public key must be verified. If Alice sends her public key via an email to
Bob, then Bob must be sure that the public key really belongs to Alice and nobody else.
One point needs to be mentioned again: if your private key were made public, you would
get bankrupted in no time!
4. RSA ALGORITHM:
(1) Generate two large random primes, p and q, of approximately equal size.
(2) Calculate N = p × q.
(3) Select the public key, that is the encryption key E, such that it is relatively prime to
(p-1)(q-1), i.e. gcd(E, (p-1)(q-1)) = 1. (It is not enough for E merely not to be a factor
of (p-1)(q-1): E = 6 is not a factor of 20, yet gcd(6, 20) = 2 and no D would exist.)
(4) Select the private key, that is the decryption key D, such that the following equation is
true: (D × E) mod ((p-1) × (q-1)) = 1.
(5) For encryption, calculate the cipher text CT as CT = PT^E mod N.
(6) Send CT as the cipher text to the receiver.
(7) For decryption, calculate the plain text PT as PT = CT^D mod N.
A Very Simple Example of RSA Encryption:
This is an extremely simple example using numbers you can work out on a pocket
calculator (those of you over the age of 35 can probably even do it by hand).
(1) Select primes p = 11, q = 3.
(2) n = pq = 11 × 3 = 33; phi = (p-1)(q-1) = 10 × 2 = 20.
(3) Choose e = 3. Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common
factors except 1), and check gcd(e, q-1) = gcd(3, 2) = 1; therefore gcd(e, phi) = gcd(e,
(p-1)(q-1)) = gcd(3, 20) = 1.
(4) Compute d such that ed ≡ 1 (mod phi), i.e. compute d = e^-1 mod phi = 3^-1 mod 20, i.e.
find a value for d such that phi divides (ed - 1), i.e. find d such that 20 divides 3d - 1.
Simple testing (d = 1, 2, ...) gives d = 7. Check: ed - 1 = 3 × 7 - 1 = 20, which is divisible
by phi.
(5) Public key = (n, e) = (33, 3). Private key = (n, d) = (33, 7).
This modulus is far too small to be secure and is chosen only so that the arithmetic can be
followed by hand.
Now say we want to encrypt the message m = 7: c = m^e mod n = 7^3 mod 33 = 343 mod
33 = 13. Hence the cipher text c = 13.
To check decryption we compute m' = c^d mod n = 13^7 mod 33 = 7. Note that we don't
have to calculate the full value of 13 to the power 7 here. We can make use of the fact
that (b × c) mod n = ((b mod n) × (c mod n)) mod n, so we can break down a potentially large
number into its components and combine the results of easier, smaller calculations to
calculate the final value.
One way of calculating m' is as follows: m' = 13^7 mod 33 = 13^(3+3+1) mod 33 =
(13^3 × 13^3 × 13) mod 33 = ((13^3 mod 33) × (13^3 mod 33) × (13 mod 33)) mod 33 =
((2197 mod 33) × (2197 mod 33) × (13 mod 33)) mod 33 = (19 × 19 × 13) mod 33 = 4693 mod 33 = 7.
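The RSA steps (1) to (7) and the hash-then-sign procedure of section 2.2, as one added worked example in Python (written for these notes, not code from the notes or from any library). It reproduces the p = 11, q = 3 walk-through above, then generates a real-sized key with a Miller-Rabin primality test and signs a SHA-256 digest with the private exponent, verifying with the public one. The signature is the "textbook" form the notes describe (digest raised to d mod n); deployed RSA signatures additionally wrap the digest in a padding scheme (PKCS#1 v1.5 or PSS), which is deliberately left out here to stay close to the text. Function names are chosen here.

```python
# Added example (not from the notes): RSA key generation, encryption and digest signing.
import hashlib
import math
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, error below 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1     # exact size, odd
        if is_probable_prime(cand):
            return cand


def rsa_keypair_from_primes(p, q, e=65537):
    """Steps (2)-(4): n = p*q, e coprime to phi = (p-1)(q-1), d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_keypair(bits=1024, e=65537):
    """Step (1): two random primes of about equal size, retried until e fits."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_keypair_from_primes(p, q, e)


def rsa_encrypt(public, m):
    n, e = public
    return pow(m, e, n)            # CT = PT^E mod N


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)            # PT = CT^D mod N


def digest_int(message):
    """MD = SHA-256(message) as an integer (SHA-256 instead of the SHA-1 the notes cite)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    """Sender's side: DS = MD1 'encrypted' with X's private key."""
    return rsa_decrypt(private, digest_int(message))


def verify(public, message, signature):
    """Receiver's side: recover MD1 with X's public key, compare with MD2 of the message."""
    return rsa_encrypt(public, signature) == digest_int(message)


if __name__ == "__main__":
    pub, priv = rsa_keypair_from_primes(11, 3, e=3)          # the notes' toy numbers
    print(pub, priv, rsa_encrypt(pub, 7), rsa_decrypt(priv, 13))     # (33, 3) (33, 7) 13 7
    pub, priv = rsa_keypair(1024)
    sig = sign(priv, b"pay 100 to Bob")
    print(verify(pub, b"pay 100 to Bob", sig), verify(pub, b"pay 1000 to Bob", sig))  # True False
```

The digest must be smaller than n for the textbook form to be meaningful, which is the case for a 256-bit SHA-256 value and a 1024-bit modulus; the 33-modulus key is only usable for the numeric walk-through.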
What would happen if your private key were made public?
The answer is in just one word: bankruptcy!
However rich you were, you are now a pauper!
The receiver of your private key can not only withdraw all that you have, but can also
take out credit from banks in your name and enjoy it, while you keep paying throughout your life!
UNIT VI
1. Knapsack algorithms
2. Elliptic Curve Cryptography
3. ElGamal
1. KNAPSACK PROBLEM: Given an integer vector X = (x1, ..., xn) and an integer c, determine a binary vector B = (b1, ..., bn) (if it exists) such that X·B^T = c.
Knapsack problem with superincreasing vector - easy
Problem: Given a superincreasing integer vector X = (x1, ..., xn) and an integer c, determine a binary vector B = (b1, ..., bn) (if it exists) such that X·B^T = c.
Algorithm to solve knapsack problems with superincreasing vectors:
    for i ← n downto 2 do
        if c ≥ 2·x_i then terminate {no solution}
        else if c ≥ x_i then b_i ← 1; c ← c − x_i;
        else b_i ← 0;
    if c = x_1 then b_1 ← 1
    else if c = 0 then b_1 ← 0;
    else terminate {no solution}
Example:
X = (1, 2, 4, 8, 16, 32, 64, 128, 256, 512), c = 999
X = (1, 3, 5, 10, 20, 41, 94, 199), c = 242
Let a (knapsack) vector A = (a1, ..., an) be given.
Encoding of a (binary) message B = (b1, b2, ..., bn) by A is done by the vector/vector multiplication A·B^T = c and results in the crypto text c.
Decoding of c requires solving the knapsack problem for the instance given by the knapsack vector A and the crypto text c.
The problem is that decoding seems to be infeasible.
Example: If A = (74, 82, 94, 83, 39, 99, 56, 49, 73, 99) and B = (1100110101) then A·B^T = 74 + 82 + 39 + 99 + 49 + 99 = 442.
Each knapsack vector A = (a1, ..., an) defines an integer valued knapsack function f_A, specified by summing those a_i for which the i-th bit of the binary representation of the argument is 1.
Example: A0 = (43, 129, 215, 473, 903, 302, 561, 1165, 697, 1523)
f_A0(364) = f_A0(0101101100) = 129 + 473 + 903 + 561 + 1165 = 3231
Unambiguity of knapsack systems
For unambiguity of the decryption of the knapsack cryptosystems with knapsack vector A, it is important that
Example: If A = (17, 103, 50, 81, 33), then 131 = 17 + 33 + 81 = 50 + 81, and therefore for the crypto text
(131, 33, 100, 234, 33)
two plaintexts are obtained: SAUNA and FAUNA.
Design of a knapsack cryptosystem:
1. Choose a superincreasing vector X = (x1, ..., xn).
2. Choose m, u such that m > 2·xn, gcd(m, u) = 1.
3. Compute u^-1 mod m and X' = (x1', ..., xn'), where xi' = u·xi mod m.
Cryptosystem: X' - public key; X, u, m - trapdoor information
Encryption of a binary vector w of length n: c = X'·w
Decryption: compute c' = u^-1·c mod m and solve the knapsack problem with X and c'.
Lemma Let X, m, u, X', c, c' be as defined above. Then the knapsack problem
instances (X,c') and (X',c) have at most one solution, and if one of them has a solution,
then the second one has the same solution.
(The knapsack function introduced above, formally:) f_A : {x | 0 ≤ x < 2^n} → N, f_A(x) = Σ a_i over all i such that the i-th bit in the binary representation of x is 1.
Proof: Let X'·w = c. Then
c' ≡ u^-1·c ≡ u^-1·X'·w ≡ u^-1·u·X·w ≡ X·w (mod m).
Since X is superincreasing and m > 2·xn, we have (X·w) mod m = X·w, and therefore c' = X·w.
Example: X = (1, 2, 4, 9, 18, 35, 75, 151, 302, 606), m = 1250, u = 41
X' = (41, 82, 164, 369, 738, 185, 575, 1191, 1132, 1096)
In order to encrypt an English plaintext, we first encode its letters by 5-bit numbers: _ - 00000, A - 00001, B - 00010, ... and then divide the resulting binary strings into blocks of length 10.
Plaintext: Encoding of AFRICA results in the vectors
w1 = (0000100110), w2 = (1001001001), w3 = (0001100001)
Encryption: c1' = X'·w1 = 3061, c2' = X'·w2 = 2081, c3' = X'·w3 = 2203
Crypto text: (3061, 2081, 2203)
Decryption of crypto texts: (2163, 2116, 1870, 3599)
By multiplying with u^-1 = 61 (mod 1250) we get new crypto texts (several new c')
(693, 326, 320, 789)
and in binary form the solutions B of the equations X·B^T = c' have the form
(1101001001, 0110100010, 0000100010, 1011100101)
That is, the resulting plaintext is: ZIMBABWE
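The knapsack cryptosystem described above (the Merkle-Hellman construction), as an added example that is not part of the original notes: it reproduces the public key X', the encryption of AFRICA and the decryption of the ZIMBABWE crypto texts with the notes' own parameters, and also shows the greedy algorithm rejecting the instance c = 242 that has no solution.

```python
# Added example (not from the original notes): the knapsack cryptosystem from
# the notes, run with the notes' parameters X, m = 1250, u = 41.
from math import gcd

X = (1, 2, 4, 9, 18, 35, 75, 151, 302, 606)   # superincreasing, trapdoor
M, U = 1250, 41                               # m > 2*x_n, gcd(m, u) = 1
ALPHABET = "_ABCDEFGHIJKLMNOPQRSTUVWXYZ"       # 5-bit codes: _ = 0, A = 1, ...


def solve_superincreasing(x, c):
    """The greedy algorithm from the notes. Returns the bit tuple B with
    X.B^T = c, or None when no solution exists."""
    assert all(x[i] > sum(x[:i]) for i in range(len(x))), "not superincreasing"
    bits = [0] * len(x)
    for i in range(len(x) - 1, 0, -1):        # i = n downto 2 (0-based here)
        if c >= 2 * x[i]:
            return None                        # no solution
        if c >= x[i]:
            bits[i], c = 1, c - x[i]
    if c == x[0]:
        bits[0] = 1
    elif c != 0:
        return None
    return tuple(bits)


def make_public_key(x, m, u):
    """x_i' = u * x_i mod m; also returns u^-1 mod m for the trapdoor owner."""
    assert m > 2 * x[-1] and gcd(m, u) == 1
    return tuple(u * xi % m for xi in x), pow(u, -1, m)


def encode(text):
    """5-bit letter codes joined and cut into 10-bit blocks (pad with '_')."""
    text += "_" * (len(text) % 2)
    bits = "".join(format(ALPHABET.index(ch), "05b") for ch in text)
    return [tuple(int(b) for b in bits[i:i + 10]) for i in range(0, len(bits), 10)]


def decode(blocks):
    bits = "".join("".join(map(str, blk)) for blk in blocks)
    return "".join(ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def encrypt(public, blocks):
    """c = X'.w for every 10-bit block w."""
    return [sum(k * b for k, b in zip(public, blk)) for blk in blocks]


def decrypt(x, m, u_inv, ciphertexts):
    """c' = u^-1 * c mod m, then solve the easy knapsack with X."""
    blocks = [solve_superincreasing(x, c * u_inv % m) for c in ciphertexts]
    if None in blocks:
        raise ValueError("ciphertext is not a valid encryption under X'")
    return decode(blocks)


if __name__ == "__main__":
    X_pub, U_inv = make_public_key(X, M, U)
    print(X_pub, U_inv)                               # X' from the notes, 61
    print(encrypt(X_pub, encode("AFRICA")))           # [3061, 2081, 2203]
    print(decrypt(X, M, U_inv, [2163, 2116, 1870, 3599]))  # ZIMBABWE
```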
2. ELLIPTIC CURVE CRYPTOGRAPHY:
• The majority of public-key crypto (RSA, D-H) uses either integer or polynomial arithmetic with very large numbers/polynomials.
• This imposes a significant load in storing and processing keys and messages.
• An alternative is to use elliptic curves, which offer the same security with smaller bit sizes.
• They are newer, but not as well analysed.
Real Elliptic Curves:
• An elliptic curve is defined by an equation in two variables x and y, with coefficients. Consider a cubic elliptic curve of the form y^2 = x^3 + ax + b, where x, y, a, b are all real numbers.
• Also define the zero point O.
• Elliptic curves have an addition operation: geometrically, the sum Q + R is the reflection of the third point at which the line through Q and R intersects the curve.
Finite Elliptic Curves:
• Elliptic curve cryptography uses curves whose variables and coefficients are finite.
• Two families are commonly used:
  – prime curves Ep(a,b) defined over Zp: use integers modulo a prime; best in software
  – binary curves E2m(a,b) defined over GF(2^m): use polynomials with binary coefficients; best in hardware
Elliptic Curve Cryptography:
• ECC addition is the analog of modular multiplication; ECC repeated addition is the analog of modular exponentiation.
• We need a "hard" problem equivalent to the discrete log: Q = kP, where Q, P belong to a prime curve. It is "easy" to compute Q given k, P but "hard" to find k given Q, P. This is known as the elliptic curve logarithm problem.
• Certicom example: E23(9,17)
ECC Diffie-Hellman:
• can do key exchange analogous to D-H
• users select a suitable curve Ep(a,b)
• select base point G = (x1, y1) with large order n s.t. nG = O
• A and B select private keys nA < n, nB < n
• compute public keys: PA = nA·G, PB = nB·G
• compute shared key: K = nA·PB, K = nB·PA; the same since K = nA·nB·G
ECC Encryption/Decryption:
• several alternatives; we will consider the simplest
• must first encode any message M as a point on the elliptic curve, Pm
• select a suitable curve and point G as in D-H
• each user chooses a private key nA < n and computes the public key PA = nA·G
• to encrypt Pm: Cm = {kG, Pm + k·PB}, k random
• to decrypt Cm compute: Pm + k·PB − nB(kG) = Pm + k(nB·G) − nB(kG) = Pm
ECC Security:
• relies on the elliptic curve logarithm problem
• the fastest method is the "Pollard rho method"
• compared to factoring, can use much smaller key sizes than with RSA etc.
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages
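Point arithmetic on a prime curve, the ECC Diffie-Hellman exchange and the simple encryption scheme above, as an added example that is not part of the original notes. It uses the Certicom curve E23(9,17) named in the notes; the base point G = (16, 5) (which lies on that curve), the private keys and the random k are assumptions of mine, and the class and function names are my own.

```python
# Added example (not from the original notes): E_p(a,b): y^2 = x^3 + ax + b
# (mod p) with chord-and-tangent addition, double-and-add, ECDH and the
# {kG, Pm + k*PB} encryption from the notes. None stands for the zero point O.
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int

    def on_curve(self, pt):
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Sum of two points: the reflected third intersection of the chord
        (or of the tangent when P == Q)."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                          # P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by repeated addition (double-and-add), the analog of modular
        exponentiation; this is the 'easy' direction of the EC log problem."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


E = Curve(p=23, a=9, b=17)      # the notes' Certicom example E_23(9,17)
G = (16, 5)                     # assumed base point; on_curve(G) is True


def ecdh(curve, G, nA, nB):
    """Returns (nA*PB, nB*PA); both equal nA*nB*G, so the two sides agree."""
    PA, PB = curve.mul(nA, G), curve.mul(nB, G)
    return curve.mul(nA, PB), curve.mul(nB, PA)


def ec_encrypt(curve, G, PB, Pm, k):
    """Cm = {kG, Pm + k*PB}; Pm is the message already encoded as a point."""
    return curve.mul(k, G), curve.add(Pm, curve.mul(k, PB))


def ec_decrypt(curve, nB, Cm):
    """Pm + k*PB - nB*(kG) = Pm, since k*PB = k*(nB*G) = nB*(kG)."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))


if __name__ == "__main__":
    print(E.mul(9, G))                      # (4, 5): the instance 9P = Q
    print(ecdh(E, G, 3, 7))                 # both sides print the same point
    PB = E.mul(7, G)
    print(ec_decrypt(E, 7, ec_encrypt(E, G, PB, Pm=(4, 5), k=5)))  # (4, 5)
```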
NUMBER THEORY:
Prime Numbers:
• prime numbers only have divisors of 1 and self
• they cannot be written as a product of other numbers
• note: 1 is prime, but is generally not of interest
• eg. 2, 3, 5, 7 are prime; 4, 6, 8, 9, 10 are not
• prime numbers are central to number theory
• the list of prime numbers less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
Prime Factorisation:
• to factor a number n is to write it as a product of other numbers: n = a × b × c
• note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
• the prime factorisation of a number n is when it's written as a product of primes
• eg. 91 = 7 × 13; 3600 = 2^4 × 3^2 × 5^2
3. Elgamal algorithm:
Chapter 7
1. Digital Certificates
2. Public Key Infrastructure
3. Private key management
4. Public Key Infrastructure Standards
1.Digital Certificates:
1.1.KEY DISTRIBUTION:
Every process of encryption and decryption is necessarily associated with a 'key', the combination used for encryption and/or decryption, and an algorithm, i.e. the rules or steps used for both encryption and decryption. The requirement of the 'same' key, as in the case of 'symmetric' key cryptography, leads to a common problem called the 'problem of key distribution', i.e. how the two parties should agree upon a 'common' key that has to be used for the process. This is described below.
1.2. Problem of Key Distribution in Symmetric Key Cryptography:
As in the case of symmetric key cryptography the key used for both encryption and decryption must be the 'same', this leads to the problem of how the two parties requiring secure communication can 'agree' or 'decide' upon a common key without letting any third person know about it. There can be many ways in which the two parties will try to communicate assuming it is secure, but it may not be so. E.g. even if they exchange letters, seal envelopes into locked boxes, talk over open media for the common key, or send the key along with the locked boxes, whatever the means used, it turns out to be practically non-viable or difficult to implement.
That is to say, there is a very good chance of the communication between the two parties being intercepted if any of these methods is used. This is called the 'problem of key distribution'.
In order to come out of this problem, one good solution was given by two scientists, known jointly as the 'Diffie-Hellman key exchange algorithm'.
1.3. The Diffie-Hellman Key Exchange Algorithm:
Whitfield Diffie and Martin Hellman, in 1976, came out with a good solution to the problem of key distribution mentioned above. The steps of this algorithm are given below. (It must be noted that this is NOT an encryption or decryption algorithm but is only used for agreeing upon a symmetric key. Once that is done, some specific algorithm should be used for the purpose of encryption/decryption.)
Fig. 5.9
Steps for Algorithm:
Assume two parties, viz. 'first' and 'second', want to communicate securely.
(1) Let 'first' and 'second' agree upon two large prime nos., say n and g. These need not be kept secured (i.e. everyone can know these values).
(2) 'First' chooses another large random no., say x, to calculate another number A such that A = g^x mod n. (Note, the value of x is only known to 'first'!)
(3) This no. A is then sent by 'first' to 'second'.
(4) 'Second' also chooses another large random no., say y, to calculate another number B such that B = g^y mod n. (Note, the value of y is only known to 'second'!)
(5) This no. B is then sent by 'second' to 'first'.
(6) Now, independently, 'first' calculates the key K1 as: K1 = B^x mod n
(7) Also, 'second' independently calculates the key K2 as: K2 = A^y mod n
(8) As required in symmetric key cryptography, K1 = K2.
Example:
Let us take an actual example to illustrate the above algorithm. Assuming values such as n = 11, g = 7, x = 3 and y = 6, we have the following equations:
(1) Value of A = 7^3 mod 11 = 343 mod 11 = 2.
(2) Value of B = 7^6 mod 11 = 117649 mod 11 = 4.
(3) Key K1 = 4^3 mod 11 = 64 mod 11 = 9.
(4) And, Key K2 = 2^6 mod 11 = 64 mod 11 = 9.
(5) Thus, we find that K1 = K2.
(6) Hence the algorithm is verified.
1.4. Problems with the Algorithm:
Although this algorithm turns out to be a good solution to the above-mentioned key distribution problem, it still does not solve all the problems! This is because the algorithm can fail if a hacker makes what is called the man-in-the-middle attack. Here, even though the two parties feel that they are talking to each other, practically they are each communicating with the hacker, who places himself in between them and switches the communication back and forth.
For example:
(1) Alice wants to communicate with Bob securely. For this purpose, she sends the values of n and g to Bob. Let n = 11 and g = 7.
(2) Alice does not realize that the attacker Tom is listening quietly to the conversation between her and Bob. Tom simply picks up the values of n and g, and also forwards them to Bob as they originally were.
    Alice            Tom              Bob
    n = 11, g = 7    n = 11, g = 7    n = 11, g = 7
(3) Now, let us assume that Alice, Tom and Bob select random numbers x and y.
    Alice            Tom              Bob
    x = 3            x = 8, y = 6     y = 9
(4) Alice calculates A and Bob calculates B, whereas Tom calculates both A and B to play the role of man in the middle.
    Alice                 Tom                       Bob
    A = g^x mod n         A = g^x mod n             B = g^y mod n
      = 7^3 mod 11          = 7^8 mod 11              = 7^9 mod 11
      = 343 mod 11          = 5764801 mod 11          = 40353607 mod 11
      = 2                   = 9                       = 8
                          B = g^y mod n
                            = 7^6 mod 11
                            = 117649 mod 11
                            = 4
(5) Alice sends her A = 2 to Bob. Tom intercepts it and sends his A = 9 to Bob.
(6) In return, Bob sends his B = 8 to Alice. Tom intercepts it and sends his B = 4 to Alice.
(7) Based on these values, all three persons now calculate their keys.
    Alice                 Tom                       Bob
    K1 = B^x mod n        K1 = B^x mod n            K2 = A^y mod n
       = 4^3 mod 11          = 8^8 mod 11              = 9^9 mod 11
       = 64 mod 11           = 16777216 mod 11         = 387420489 mod 11
       = 9                   = 5                       = 5
                          K2 = A^y mod n
                             = 2^6 mod 11
                             = 64 mod 11
                             = 9
As we can see, the MITM attack can work against the Diffie-Hellman key exchange algorithm, causing it to fail. This is plainly because the person in the middle makes the actual communicators believe that they are talking to each other, whereas they are actually talking to the man-in-the-middle, who is talking to each of them.
The second problem is regarding the no. of keys required. In our example, we have just seen the situation of only two communicating parties. What would be the situation if a third party, say 'third', is added?
One must think of the situation when communication between first-second, second-third as well as third-first must be secure! This would obviously require three keys! Then think how many keys would be required to securely communicate between 1000 people, that too independently?
To find out this answer, one formula is used. It says that the total no. of keys required to securely communicate between 'n' individuals is n(n-1)/2. Hence in our example for 1000 people, 1000(999)/2 = 499500 keys would be needed. This certainly increases the complications further.
In order to recover from these problems, the second technique (mentioned in the beginning) comes into the picture, i.e. Asymmetric Key cryptography. This states that two types of keys would be required, one each for encryption and decryption.
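The exchange of the notes' example (n = 11, g = 7) run once directly between Alice and Bob and once with Tom relaying, as an added example that is not part of the original notes. It reproduces the key values in the tables above and makes the failure visible: the two victims end up with different keys (9 and 5), which is why the exchange needs some form of authentication before a derived key is trusted. The class and function names are my own.

```python
# Added example (not from the original notes): Diffie-Hellman with the notes'
# parameters, honest and with a relaying man-in-the-middle.
from dataclasses import dataclass


@dataclass
class Party:
    name: str
    secret: int                # the party's private random number (x or y)

    def public(self, g, n):
        return pow(g, self.secret, n)          # A = g^x mod n or B = g^y mod n

    def shared(self, other_public, n):
        return pow(other_public, self.secret, n)   # K = (other)^secret mod n


def honest_exchange(n, g, alice, bob):
    """Alice and Bob talk directly: K1 = B^x mod n and K2 = A^y mod n agree."""
    A, B = alice.public(g, n), bob.public(g, n)
    return alice.shared(B, n), bob.shared(A, n)


def relayed_exchange(n, g, alice, tom_x, tom_y, bob):
    """Tom replaces A and B with his own values, so Alice and Bob each share a
    key with Tom rather than with each other. Returns
    (Alice's key, Tom's key with Alice, Tom's key with Bob, Bob's key)."""
    tom_to_bob = Party("Tom-as-Alice", tom_x)    # Tom's x; his 'A' goes to Bob
    tom_to_alice = Party("Tom-as-Bob", tom_y)    # Tom's y; his 'B' goes to Alice
    A, B = alice.public(g, n), bob.public(g, n)  # the genuine A and B
    k_alice = alice.shared(tom_to_alice.public(g, n), n)   # Alice uses Tom's B
    k_tom_alice = tom_to_alice.shared(A, n)                 # Tom uses Alice's A
    k_tom_bob = tom_to_bob.shared(B, n)                     # Tom uses Bob's B
    k_bob = bob.shared(tom_to_bob.public(g, n), n)          # Bob uses Tom's A
    return k_alice, k_tom_alice, k_tom_bob, k_bob


def keys_agree(k_alice, k_bob):
    """The condition the victims would need to confirm out of band: without
    some authenticated check, neither side can tell that it failed."""
    return k_alice == k_bob


if __name__ == "__main__":
    alice, bob = Party("Alice", 3), Party("Bob", 9)
    print(honest_exchange(11, 7, alice, bob))              # (6, 6)
    keys = relayed_exchange(11, 7, alice, 8, 6, bob)
    print(keys, keys_agree(keys[0], keys[3]))              # (9, 9, 5, 5) False
```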
2. THE CONCEPT OF PUBLIC KEY AND PRIVATE KEY:
Asymmetric key cryptography is also known as 'public key cryptography', which uses a key-pair rather than a single key. The importance of this scheme is that only one key-pair is required to securely communicate with any number of other parties (unlike the huge no. of keys that we've seen with the earlier method). Hence, one problem is overcome right away. One of these two keys is called the public key (which can be announced to the world) and the other is the private key (obviously to be kept with oneself). This is to be followed by everyone who wants to communicate securely.
The working of public and private keys:
Asymmetric key cryptography (using public and private keys) works as under:
Consider the scenario: X wants to send a message to Y, without having to worry about its security.
(1) Then X and Y should each have a private key and a public key.
(a) X should keep its private key secret.
(b) Y should keep its private key secret.
(c) X should inform Y about its public key.
(d) Y should inform X about its public key.
(Both now have their own set of keys ready.)
(2) When X wants to send a message to Y, X encrypts it with Y's public key (as it is known to everyone).
(3) X then sends this message to Y.
(4) Then, Y decrypts this message using his own private key (known only to Y).
[This ensures, in this case, that the message can be encrypted and sent by anyone, but can only be decrypted by Y. Hence, any interception will not result in knowing the sensitive information, as the key is only with Y.]
Similarly, on the other side, if Y wants to send a message to X, the reverse method is performed.
(5) Y encrypts the message using X's public key and sends this to X.
(6) On receiving the message, X can decrypt it using his own private key.
The basis of this working lies in the assumption of a large prime number with only two factors. If one of the factors is used for the encryption process, only the other factor can be used for decryption.
The best example of an asymmetric key cryptography algorithm is the famous RSA algorithm (developed by Rivest, Shamir and Adleman at MIT in 1978, based on the framework set up by Diffie & Hellman earlier).
3.ASYMMETRIC KEY CRYPTOGRAPHY:
In public-key cryptography, there are two keys: a private key and a public key. The
receiver keeps the private key. The public key is announced to the public.
Imagine Alice, as shown in Figure 29.20, wants to send a message to Bob. Alice uses
the public key to encrypt the message. When Bob receives the message, the private key is
used to decrypt the message.
Fig. 5.10
In public-key encryption/decryption, the public key that is used for encryption is
different from the private key that is used for decryption.
The public key is available to the public; the private key is available only to an
individual.
Public-Key Encryption/Decryption has Two Advantages:
First, it removes the restriction of a shared symmetric key between two entities (e.g., persons) that need to communicate with each other. A shared symmetric key is shared by the two parties and cannot be used when one of them wants to communicate with a third party. In public-key encryption/decryption, each entity creates a pair of keys; the private one is kept, and the public one is distributed. Each entity is independent, and the pair of keys created can be used to communicate with any other entity.
The second advantage is that the number of keys needed is reduced tremendously. In this system, for 1 thousand users to communicate, only 1 thousand pairs of keys, i.e. 2000 keys, are needed, not 499,500, as was the case in symmetric-key cryptography.
Public-Key Cryptography also has Two Disadvantages:
The big disadvantage is the complexity of the algorithm. If we want the method to be
effective, the algorithm needs large numbers. Calculating the cipher text from plaintext
using the long keys takes a lot of time. That is the main reason that public-key
cryptography is not recommended for large amounts of text.
Public-Key Algorithms are more Efficient for Short Messages:
The second disadvantage of the public-key method is that the association between an entity and its public key must be verified. If Alice sends her public key via an email to Bob, then Bob must be sure that the public key really belongs to Alice and nobody else.
One point needs to be mentioned again: if your private key were made public you would
Get Bankrupted in no time!
DIGITAL ENVELOPE:
In practice, symmetric key cryptography and asymmetric key cryptography are combined into a very efficient security solution.
When using secret-key cryptosystems, users must first agree on a session key, that is, a
secret key to be used for the duration of one message or communication session. In
completing this task there is a risk the key will be intercepted during transmission. This is
part of the key management problem.
Public-key cryptography offers an attractive solution to this problem within a
framework called a digital envelope.
It is a secure container for an electronic message. It consists of a packet of electronic data including an encoded message, plus authenticating information.
The digital envelope consists of a message encrypted using secret-key cryptography
and an encrypted secret key. While digital envelopes usually use public-key cryptography
to encrypt the secret key, this is not necessary.
(1) If Alice and Bob have an established secret key, they could use this to encrypt the
secret key in the digital envelope.
(2) Suppose Alice wants to send a message to Bob using secret-key cryptography for
message encryption and public-key cryptography to transfer the message encryption
key.
(3) Alice chooses a secret key and encrypts the message with it, then encrypts the secret
key using Bob's public key.
(4) She sends Bob both the encrypted secret key and the encrypted message.
(5) When Bob wants to read the message he decrypts the secret key, using his private
key, and then decrypts the message, using the secret key.
(6) In a multi-addressed communications environment such as e-mail, this can be
extended directly and usefully.
(7) If Alice's message is intended for both Bob and Carol, the message encryption key
can be represented concisely in encrypted forms for Bob and for Carol, along with a
single copy of the message's content encrypted under that message encryption key.
(8) Alice and Bob may use this key to encrypt just one message or they may use it for an
extended communication.
(9) One of the nice features about this technique is they may switch secret keys as
frequently as they would like.
Not only do digital envelopes help solve the key management problem; they increase
performance without sacrificing security. The increase in performance is obtained by
using a secret-key cryptosystem to encrypt the large and variably sized amount of
message data, reserving public-key cryptography for encryption of short-length keys.
In general, secret-key cryptosystems are much faster than public-key cryptosystems.
The digital envelope technique is a method of key exchange, but not all key exchange
protocols use digital envelopes.
5.THE CONCEPT OF HASH (MESSAGE DIGEST):
Signing the Digest:
We said before that public-key encryption is efficient if the message is short.
Using a public key to sign the entire message is very inefficient if the message is very
long.
The solution is to let the sender sign a digest of the document instead of the whole
document. The sender creates a miniature version or digest of the document and signs it;
the receiver then checks the signature on the miniature.
To create a digest of the message, we use a hash function. The hash function creates a
fixed-size digest from a variable-length message, as shown in Figure.
Fig. 5.11
The two most common hash functions are called MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1). The first one produces a 128-bit digest. The second produces a 160-bit digest.
Note that a hash function must have two properties to guarantee its success.
First, hashing is one-way; the digest can only be created from the message, not vice
versa.
Second, hashing is a one-to-one function; there is little probability that two messages
will create the same digest. We will see the reason for this condition shortly.
After the digest has been created, it is encrypted (signed) using the sender's private
key. The encrypted digest is attached to the original message and sent to the receiver.
Idea of a Message Digest:
The concept of message digests is based on similar principles. However, it is slightly wider in scope. For instance, suppose that we have the number 4000 and we divide it by 4 to get 1000. Thus, 4 can become a fingerprint of the number 4000. Dividing 4000 by 4 will always yield 1000. If we change either 4000 or 4, the result will not be 1000.
Another important point is, if we are simply given the number 4, but are not given any
further information, we would not be able to trace back the equation 4 x 1000 = 4000.
Thus, we have one more important concept here. The fingerprint of a message (in this
case, the number 4) does not tell anything about the original message (in this case, the
number 4000). This is because there are infinite other possible equations, which can
produce the result 4.
Another simple example of a message digest: Let us assume that we want to calculate the message digest of the number 7391753. Then we multiply each digit in the number with the next digit (excluding it if it is 0), discarding the first digit of the result of the multiplication if it is a two-digit number.
Thus, we perform a hashing operation (or a message digest algorithm) over a block of
data to produce its hash or message digest, which is smaller in size than the original
message. This concept is shown in fig.
Actually, message digests are not so small and straightforward to compute. Message digests usually consist of 128 or more bits. This means that the chance of any two message digests being the same is anything between 0 and at most 1 in 2^128. The message digest length is chosen to be so long with a purpose. This minimizes the scope for two message digests being the same.
Requirement of a Message Digest
We can summarize the requirements of the message digest concept, as follows:
(1) Given a message, it should be very easy to find its corresponding message digest.
Also for a given message, the message digest must always be the same.
(2) Given a message digest, it should be very difficult to find the original message for
which the digest was created.
(3) Given any two messages, if we calculate their message digests, the two message
digests must be different.
Another basis of the message digest is that it should not give any clue or indication of the original message, i.e. it should not be possible to revert back to the original message from the digest. Also, for a given message its digest should always be the same.
Different algorithms are used to convert an original message into its message digest. The popularly used ones are MD5 or Message Digest 5 (developed by Rivest), a modified version of the earlier MD4, MD3 and MD2, while the first one was simply MD, and SHA (Secure Hash Algorithm), developed by the National Institute of Standards and Technology (NIST) in 1993. SHA-1 is promoted and more prominently used than the MD5 algorithm.
Fig. 5.12 (digit-pair products for 7391753 shown in the figure: 7 × 3 = 21, 9 × 7 = 63, 1 × 9 = 09, 3 × 5 = 15, 9 × 1 = 09, 5 × 3 = 15)
Fig. 5.13
MD5:
In cryptography, MD5 (Message-Digest algorithm 5) is a widely used, partially
insecure cryptographic hash function with a 128-bit hash value. As an Internet standard
(RFC 1321), MD5 has been employed in a wide variety of security applications, and is
also commonly used to check the integrity of files. An MD5 hash is typically expressed
as a 32 digit hexadecimal number.
MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 2007 a group of researchers including Arjen Lenstra described how to create a pair of files that share the same MD5 checksum.
MD5 Algorithm Description:
We begin by supposing that we have a 1000-bit message as input, and that we wish to
find its message digest.
The following five steps are performed to compute the message digest of the message.
Step 1: Append Padding Bits:
The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits short of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512. Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.
Step 2: Append Length:
A 64-bit representation of 1000 (the message length b, excluding the padding) is appended to the result of the previous step.
In the unlikely event that the message length b is greater than 2^64, then only the low-order 64 bits of b are used.
At this point the resulting message (that is message + padding + length) has a length
that is an exact multiple of 512 bits. Equivalently, this message has a length that is an
exact multiple of 16 (32-bit) words.
Step 3: Divide the input into 512-bit blocks:
Now, we divide the input message into blocks, each of length 512 bits.
Step 4: Initialize MD Buffer/Chaining Variables:
A four-word buffer (A, B, C, D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values (in hexadecimal, low-order bytes first):
A: 01 23 45 67
B: 89 ab cd ef
C:fe dc ba 98
D: 76 54 32 10
Step 5: Process Message in 16-Word Blocks:
5.1: Copy the four chaining variables into four corresponding variables a, b, c, and d. The algorithm considers the combination abcd as a single 128-bit register. This is useful for holding intermediate as well as final results.
5.2: Divide the current 512-bit block into 16 sub-blocks of 32 bits each.
5.3: Now we have 4 rounds. In each round, we process all the 16 sub-blocks.
The inputs to each round are:
(1) All the 16 sub-blocks, say M[0] to M[15], of 32 bits each.
(2) The variables a, b, c and d of 32 bits.
(3) Some constants t, an array of 64 elements, say t[1] to t[64]. Since there are four rounds, we use 16 out of the 64 values of t in each round.
The Process of Rounds:
(1) A process P is first performed on b, c and d. This process P is different in all the four
rounds.
(2) The variable a is added to the output of the process P.
(3) The message sub-block M[i] is added to the output of step 2.
(4) The constant t[k] is added to the output of step 3.
(5) The output of step 4 is circular-left shifted by s bits. The value of s keeps changing.
(6) The variable b is added to the output of step 5.
(7) The output of step 6 becomes the new abcd for the next round.
One MD5 Operation:
Fig. 5.14
We define four auxiliary functions (the process P in our context), each of which takes as input three 32-bit words and produces as output one 32-bit word.
Round 1: (b and c) or ((not b) and d)
Round 2: (b and d) or (c and (not d))
Round 3: b xor c xor d
Round 4: c xor (b or (not d))
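The five steps above carried through in code, as an added example that is not part of the original notes: padding and length appending, 512-bit blocks, the ABCD buffer, and the 64 operations in four rounds with the auxiliary functions just listed. The constants t[i] (derived from the sine function) and the per-operation shift amounts are those of RFC 1321, which the notes cite; the function names are my own.

```python
# Added example (not from the original notes): MD5 from the notes' description,
# checked against hashlib in the test. Not for new designs: the notes themselves
# record that colliding files can be produced for MD5.
import math
import struct

A0, B0, C0, D0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476   # step 4
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
MASK = 0xFFFFFFFF


def pad_message(msg: bytes) -> bytes:
    """Steps 1 and 2: append a single 1 bit, then 0 bits up to 448 mod 512,
    then the original bit length as a 64-bit little-endian number."""
    bit_len = (len(msg) * 8) & (2 ** 64 - 1)       # low-order 64 bits only
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def rotl(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word (step 5 of one operation)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def process_p(round_no: int, b: int, c: int, d: int) -> int:
    """The four auxiliary functions, one per round (the 'process P')."""
    if round_no == 0:
        return ((b & c) | (~b & d)) & MASK
    if round_no == 1:
        return ((b & d) | (c & ~d)) & MASK
    if round_no == 2:
        return (b ^ c ^ d) & MASK
    return (c ^ (b | ~d)) & MASK


def md5_digest(msg: bytes) -> bytes:
    a, b, c, d = A0, B0, C0, D0
    padded = pad_message(msg)
    for off in range(0, len(padded), 64):            # step 3: 512-bit blocks
        M = struct.unpack("<16I", padded[off:off + 64])   # 16 sub-blocks
        aa, bb, cc, dd = a, b, c, d                  # step 5.1: working copies
        for i in range(64):
            r = i // 16                              # round number 0..3
            # which sub-block M[g] feeds operation i, per round
            g = [i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16][r]
            # operation steps 1-4: P(b,c,d) + a + M[g] + t[i]
            f = (process_p(r, bb, cc, dd) + aa + M[g] + T[i]) & MASK
            # steps 5-7: rotate, add b, and shift the registers along
            aa, dd, cc, bb = dd, cc, bb, (bb + rotl(f, S[i])) & MASK
        a, b, c, d = ((a + aa) & MASK, (b + bb) & MASK,
                      (c + cc) & MASK, (d + dd) & MASK)
    return struct.pack("<4I", a, b, c, d)            # low-order bytes first


def md5_hex(msg: bytes) -> str:
    """The usual 32-digit hexadecimal form of the 128-bit digest."""
    return md5_digest(msg).hex()


if __name__ == "__main__":
    print(len(pad_message(b"\x00" * 125)) * 8)      # 1000-bit message -> 1536
    print(md5_hex(b"abc"))                           # 900150983cd24fb0d6963f7d28e17f72
```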
For any encryption approach, there are two major challenges:
Key distribution: how do we convey keys to those who need them to establish secure
communication.
Key management: given a large number of keys, how do we preserve their safety and
make them available as needed.
Public Key Infrastructure:
Symmetric
1) Alice and Bob agree on a cryptosystem
2) Alice and Bob agree on a key
3) Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message
4) Alice sends the ciphertext message to Bob
5) Bob decrypts the ciphertext message with the same algorithm and key and reads it.
Asymmetric
1) Alice and Bob agree on a public-key cryptosystem
2) Bob sends Alice his public key
3) Alice encrypts her message using Bob's public key and sends it to Bob
4) Bob decrypts Alice's message using his private key
Problems:
Symmetric
• Keys must be distributed in secret
• If a key is compromised, Eve (eavesdropper) can
– decrypt any message
– pretend to be one of the parties
• A network requires a great number of keys
Asymmetric
• slow (~1000 times slower than the symmetric)
• vulnerable to chosen-plaintext attacks
Private – Key Cryptography:
• Traditional private/secret/single key cryptography uses one key
• Key is shared by both sender and receiver
• if the key is disclosed, communications are compromised
• also known as symmetric, since both parties are equal
– hence does not protect the sender from the receiver forging a message & claiming
it was sent by the sender
Public Key Cryptography:
• Probably most significant advance in the 3000 year history of cryptography
• Uses two keys – a public key and a private key
• asymmetric since parties are not equal
• uses clever application of number theory concepts to function
• complements rather than replaces private key cryptography
• public-key/two-key/asymmetric cryptography involves the use of two keys:
• a public-key, which may be known by anybody, and can be used to
encrypt messages, and verify signatures
• a private-key, known only to the recipient, used to decrypt messages,
and sign (create) signatures
• is asymmetric because
• those who encrypt messages or verify signatures cannot decrypt messages
or create signatures
Why Public Key Cryptography:
• developed to address two key issues:
– key distribution – how to have secure communications in general without
having to trust a KDC with your key
– digital signatures – how to verify a message comes intact from the
claimed sender
Public Key Characteristics:
• public invention due to Whitfield Diffie & Martin Hellman at Stanford U. in 1976
– known earlier in classified community
– Public-Key algorithms rely on two keys with the characteristics that it is:
– computationally infeasible to find decryption key knowing only algorithm
& encryption key
– computationally easy to en/decrypt messages when the relevant
(en/decrypt) key is known
– either of the two related keys can be used for encryption, with the other
used for decryption (in some schemes)
Public Key applications:
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to one
Security of Public key schemes:
• like private key schemes brute force exhaustive search attack is always
theoretically possible
• but keys used are too large (>512bits)
• security relies on a large enough difference in difficulty between easy
(en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, it’s just made too hard to do in
practice
• requires the use of very large numbers
• hence is slow compared to private key schemes
Chapter 8:
1. Hash Functions
2. Key Predistribution
3. Diffie-Hellman Key Exchange
4. Kerberos
5. The station – to – station Protocol
1. Hash Functions:
Message Authentication: message authentication is concerned with:
• protecting the integrity of a message
• validating the identity of the originator
• non-repudiation of origin (dispute resolution)
We will consider the security requirements, then three alternative functions used:
• message encryption
• message authentication code (MAC)
• hash function
Security Requirements: disclosure, traffic analysis, masquerade, content modification,
sequence modification, timing modification, source repudiation, destination repudiation.
Message Encryption: message encryption by itself also provides a measure of
authentication. If symmetric encryption is used then:
• the receiver knows the sender must have created it, since only sender and receiver
know the key used
• the receiver knows the content cannot have been altered, if the message has suitable
structure, redundancy or a checksum to detect any changes
If public-key encryption is used:
• encryption provides no confidence of sender, since anyone potentially knows the
public key
• however, if the sender signs the message using their private key, then encrypts with
the recipient’s public key, we have both secrecy and authentication
• again need to recognize corrupted messages, but at the cost of two public-key uses on
the message
1.1. Message Authentication Code (MAC):
• generated by an algorithm that creates a small fixed-sized block depending on both
the message and some key
• like encryption, though it need not be reversible
• appended to the message as a signature
• receiver performs the same computation on the message and checks it matches the
MAC
• provides assurance that the message is unaltered and comes from the sender
• as shown, the MAC provides authentication; can also use encryption for secrecy
• generally use separate keys for each; can compute the MAC either before or after
encryption, and it is generally regarded as better done before
Why use a MAC?
• sometimes only authentication is needed
• sometimes need authentication to persist longer than the encryption (e.g. archival
use)
• note that a MAC is not a digital signature
MAC Properties:
• a MAC is a cryptographic checksum, MAC = C_K(M), which condenses a
variable-length message M, using a secret key K, to a fixed-sized authenticator
• is a many-to-one function: potentially many messages have the same MAC, but
finding these needs to be very difficult
Requirements for MACs: taking into account the types of attacks, need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message with
same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
Using Symmetric Ciphers for MACs:
• can use any block cipher chaining mode and use the final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC:
using IV=0 and zero-pad of the final block, encrypt the message using DES in CBC
mode and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of the final block
• but the final MAC is now too small for security
Hash Functions:
• condenses an arbitrary message to a fixed size: h = H(M)
• usually assume that the hash function is public and not keyed (cf. MAC, which is
keyed)
• hash used to detect changes to the message
• can use in various ways with the message; most often to create a digital signature
1.2. Requirements for Hash Functions:
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
• one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
• weak collision resistance
6. is infeasible to find any x, y s.t. H(y)=H(x)
• strong collision resistance
Simple Hash Functions:
• there are several proposals for simple functions based on XOR of message blocks
• not secure, since one can manipulate any message and either not change the hash or
change the hash also
• need a stronger cryptographic function (next chapter)
1.3. Birthday Attacks: one might think a 64-bit hash is secure, but by the Birthday
Paradox it is not. The birthday attack works thus:
• opponent generates 2^(m/2) variations of a valid message, all with essentially the
same meaning
• opponent also generates 2^(m/2) variations of a desired fraudulent message
• the two sets of messages are compared to find a pair with the same hash (probability
> 0.5 by the birthday paradox)
• have the user sign the valid message, then substitute the forgery, which will have a
valid signature
• conclusion is that we need to use a larger MAC/hash
Block Ciphers as Hash Functions:
• can use block ciphers as hash functions
• using H_0 = 0 and zero-pad of the final block, compute H_i = E_{M_i}[H_{i-1}] and use
the final block as the hash value
• similar to CBC but without a key
• resulting hash is too small (64-bit), both due to direct birthday attack and to
“meet-in-the-middle” attack
• other variants also susceptible to attack
Hash Functions & MAC Security:
• like block ciphers, have brute-force attacks exploiting:
– strong collision resistance: hash has cost 2^(m/2)
– have proposal for h/w MD5 cracker
– 128-bit hash looks vulnerable, 160-bit better
– MACs with known message-MAC pairs: can either attack the keyspace (cf. key
search) or the MAC
– at least a 128-bit MAC is needed for security
• cryptanalytic attacks exploit structure:
– like block ciphers, want brute-force attacks to be the best alternative
– have a number of analytic attacks on iterated hash functions:
CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
– typically focus on collisions in function f
– like block ciphers, is often composed of rounds; attacks exploit properties of
round functions
1.5. Hash and MAC Algorithms:
Hash Functions:
• condense an arbitrary size message to a fixed size
• by processing the message in blocks through some compression function, either
custom or block cipher based
Message Authentication Code (MAC):
• fixed sized authenticator for some message, to provide authentication for the message
• by using a block cipher mode or a hash function
Most important modern hash functions follow the basic structure shown in this figure.
This has proved to be a fundamentally sound structure, and newer designs simply refine
the structure and add to the hash code length. Within this basic structure, two approaches
have been followed in the design of the compression function, as mentioned previously,
which is the basic building block of the hash function.
Secure Hash Algorithm:
SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
o standard is FIPS 180-1 1995, also Internet RFC3174
o nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have raised concerns on its use in
future applications
Revised Secure Hash Standard:
• NIST issued revision FIPS 180-2 in 2002
• adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
• designed for compatibility with the increased security provided by the AES cipher
• structure & detail is similar to SHA-1, hence analysis should be similar, but security
levels are rather higher
SHA-512 Overview:
SHA-512 Compression Function:
• heart of the algorithm
• processes the message in 1024-bit blocks
• consists of 80 rounds, updating a 512-bit buffer
• uses a 64-bit value W_t derived from the current message block, and a round constant
based on the cube root of the first 80 prime numbers
Keyed Hash Functions as MACs:
• want a MAC based on a hash function, because hash functions are generally faster
and code for crypto hash functions is widely available
• hash includes a key along with the message
• original proposal: KeyedHash = Hash(Key | Message)
• some weaknesses were found with this, which eventually led to the development of
HMAC
1.6. HMAC:
• specified as Internet standard RFC 2104
• uses the hash function on the message:
HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size, and opad, ipad are specified padding
constants
• overhead is just 3 more hash calculations than the message needs alone
• any hash function can be used, e.g. MD5, SHA-1, RIPEMD-160, Whirlpool
HMAC Security:
• proved security of HMAC relates to that of the underlying hash algorithm
• attacking HMAC requires either: a brute force attack on the key used, or a birthday
attack (but since it is keyed, would need to observe a very large number of messages)
• choose the hash function used based on speed versus security constraints
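The HMAC construction written out from the formula above, as an added example (not code from the notes): K+ is the key padded to the hash block size, ipad and opad are the 0x36 and 0x5C constants of RFC 2104, and the result is cross-checked against the standard library. The key and message are test case 1 of RFC 4231.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]  (RFC 2104)."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5/SHA-1/SHA-256
    # K+: a key longer than one block is hashed first, then zero-padded to block size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")
    # ipad = 0x36 repeated, opad = 0x5C repeated (the specified padding constants).
    k_ipad = bytes(b ^ 0x36 for b in k_plus)
    k_opad = bytes(b ^ 0x5C for b in k_plus)
    inner = hashlib.new(hash_name, k_ipad + message).digest()   # inner hash over M
    return hashlib.new(hash_name, k_opad + inner).digest()      # outer hash


def verify_mac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module for the same key, message and hash."""
    return hmac_from_scratch(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


# Key and data from RFC 4231, test case 1 (HMAC-SHA-256).
KEY = b"\x0b" * 20
MESSAGE = b"Hi There"

if __name__ == "__main__":
    tag = hmac_from_scratch(KEY, MESSAGE)
    print(tag.hex())
    print(verify_mac(KEY, MESSAGE, tag), verify_mac(KEY, b"Hi There!", tag))
```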
1.7. CMAC:
• previously saw the DAA (CBC-MAC), widely used in govt & industry
• but it has a message size limitation; can overcome this using 2 keys & padding
• thus forming the Cipher-based Message Authentication Code (CMAC), adopted by
NIST SP 800-38B
2. Kerberos:
• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
• allows users access to services distributed through the network, without needing to
trust all workstations; rather, all trust a central authentication server
• two versions in use: 4 & 5
2.1. Kerberos Requirements: its first report identified the requirements as:
• secure
• reliable
• transparent
• scalable
Implemented using an authentication protocol based on Needham-Schroeder.
2.2. Kerberos v4 Overview:
• a basic third-party authentication scheme
• have an Authentication Server (AS): users initially negotiate with the AS to identify
themselves; the AS provides a non-corruptible authentication credential (ticket
granting ticket, TGT)
• have a Ticket Granting Server (TGS): users subsequently request access to other
services from the TGS on the basis of the user’s TGT
2.3. Kerberos v4 Dialogue:
1. obtain ticket granting ticket from AS
• once per session
2. obtain service granting ticket from TGS using the TGT
• for each distinct service required
3. client/server exchange to obtain service
• on every service request
2.4. Kerberos Realms: a Kerberos environment consists of:
• a Kerberos server
• a number of clients, all registered with the server
• application servers, sharing keys with the server
This is termed a realm, typically a single administrative domain. If there are multiple
realms, their Kerberos servers must share keys and trust each other.
2.5. Kerberos Version 5:
• developed in the mid 1990s
• specified as Internet standard RFC 1510
• provides improvements over v4
• addresses environmental shortcomings: encryption algorithm, network protocol, byte
order, ticket lifetime, authentication forwarding
• and technical deficiencies: double encryption, non-standard mode of use, session
keys, password attacks
3. Diffie-Hellman Key Exchange:
Diffie-Hellman’s Algorithm:
Key agreement is a method to create a secret key by exchanging only public values.
Example:
o Bob sends Alice his public key
o Alice sends Bob her public key
o Bob uses Alice’s public key and his private key to generate a session key
o Alice uses Bob’s public key and her private key to generate a session key
o Using a key agreement algorithm both will generate same key
o Bob and Alice do not need to transfer any key
Bob & Alice agree on a non-secret prime p and a non-secret value a
Diffie-Hellman is the first key agreement algorithm
o Invented by Whitfield Diffie & Martin Hellman
o Provided ability for messages to be exchanged securely without having to have
shared some information previously
o Inception of public key cryptography which allowed keys to be exchanged in the
open
No exchange of secret keys
o Man-in-the-middle attack avoided
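The exchange listed above carried out in code, as an added example (not from the notes): each side publishes g^x mod p, computes the peer's value raised to its own secret, checks the received public value for degenerate cases, and derives a session key from the shared secret. The prime p = 23 and value 5 are constructed toy parameters; a real deployment uses a standardized group of at least 2048 bits.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only). Real deployments use a
# standardized group of at least 2048 bits, not a 5-bit prime.
P_TOY = 23   # the non-secret prime p
G_TOY = 5    # the non-secret value a (a generator mod 23)


def dh_private(p: int) -> int:
    """Fresh random private exponent in [1, p-2] (never reused, never sent)."""
    return secrets.randbelow(p - 2) + 1


def dh_public(p: int, g: int, x: int) -> int:
    """Public value g^x mod p, sent over the open channel."""
    return pow(g, x, p)


def valid_public(p: int, y: int) -> bool:
    """Reject degenerate values 0, 1 and p-1, which force a trivial shared secret."""
    return 1 < y < p - 1


def dh_shared(p: int, peer_public: int, x: int) -> int:
    """Shared secret (peer's public value)^x mod p; identical on both sides."""
    if not valid_public(p, peer_public):
        raise ValueError("peer sent a degenerate public value")
    return pow(peer_public, x, p)


def session_key(shared: int) -> bytes:
    """Derive a fixed-length session key from the shared secret with SHA-256."""
    width = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def key_agreement(p: int, g: int, x_bob: int, x_alice: int):
    """Run the exchange from the text and return (Bob's key, Alice's key)."""
    pub_bob = dh_public(p, g, x_bob)        # Bob sends Alice his public value
    pub_alice = dh_public(p, g, x_alice)    # Alice sends Bob her public value
    k_bob = session_key(dh_shared(p, pub_alice, x_bob))     # Bob: Alice's value ^ his secret
    k_alice = session_key(dh_shared(p, pub_bob, x_alice))   # Alice: Bob's value ^ her secret
    return k_bob, k_alice


if __name__ == "__main__":
    # Fixed textbook exponents so the run is reproducible; dh_private() supplies
    # them in practice (with p = 23 it can hit the rejected value 22 = p-1).
    kb, ka = key_agreement(P_TOY, G_TOY, 15, 6)
    print(kb == ka, kb.hex())
```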
Authentication:
Authentication is the process of determining the authenticity of a message or user.
Two types of authentication:
o Authentication of the identity presented by a remote user or application participating
in a session
o Authentication of the sender’s identity presented along with a message.
Password-based authentication: use of a secret character string known only to the user and
the server.
Problems with password-based authentication:
o Attacker learns password by social engineering
o Attacker cracks password by brute-force and/or guesswork
o Eavesdrops password if it is communicated unprotected over the network
o Replays an encrypted password back to the authentication server
An authentication protocol is the set of rules that governs the communication of data
related to authentication between the server and the user.
Techniques used to build a protocol are:
o Transformed password
Password transformed using one way function before transmission
Prevents eavesdropping but not replay
o Challenge-response
Server sends a random value (challenge) to the client along with the
authentication request. This must be included in the response
Protects against replay
o Time Stamp
The authentication from the client to server must have time-stamp embedded
Server checks if the time is reasonable
Protects against replay
Depends on synchronization of clocks on computers
o One-time password
New password obtained by passing user-password through one-way function
n times which keeps incrementing
Protects against replay as well as eavesdropping
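The one-time password technique above, as an added example (not code from the notes): the server stores only the user's password passed n times through a one-way function; each login presents the value one step earlier in the chain, the server checks that hashing it once gives the stored value, and then moves its stored value one step down the chain so that an eavesdropped or replayed value is rejected. The password and n are constructed demo values.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """The one-way function used for the chain."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """H^n(seed): the one-way function applied n times."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x


class OtpServer:
    """Stores H^n(password) only; the password itself never reaches the server."""

    def __init__(self, password: bytes, n: int):
        self.remaining = n
        self.stored = hash_chain(password, n)

    def login(self, otp: bytes) -> bool:
        # A login presents the previous link of the chain, so H(otp) must equal
        # the stored value. A replayed value no longer satisfies this check.
        if self.remaining <= 1 or not hmac.compare_digest(h(otp), self.stored):
            return False
        self.stored = otp          # move one step down the chain
        self.remaining -= 1
        return True


class OtpClient:
    """Recomputes the next one-time password from the user's password."""

    def __init__(self, password: bytes, n: int):
        self.password = password
        self.remaining = n

    def next_otp(self) -> bytes:
        if self.remaining <= 1:
            raise RuntimeError("chain exhausted; re-initialize with a new n")
        self.remaining -= 1
        return hash_chain(self.password, self.remaining)


def demo_session(password: bytes = b"constructed-demo-password", n: int = 5):
    """Two genuine logins with a replay in between; returns the three outcomes."""
    server, client = OtpServer(password, n), OtpClient(password, n)
    first = client.next_otp()
    ok1 = server.login(first)                # genuine login: accepted
    replay = server.login(first)             # same value captured off the wire: rejected
    ok2 = server.login(client.next_otp())    # next genuine login: accepted
    return ok1, replay, ok2


if __name__ == "__main__":
    print(demo_session())   # (True, False, True)
```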
Personal Tokens are hardware devices that generate unique strings that are usually
used in conjunction with passwords for authentication
Different types of tokens exist
o Storage Token: A secret value that is stored on a token and is available after the
token has been unlocked using a PIN.
o Synchronous one-time password generator: Generate a new password periodically
(e.g. each minute) based on time and a secret code stored in the token.
o Challenge-response: Token computes a number based on a challenge value sent
by the server.
o Digital Signature Token: Contains the digital signature private key and computes a
digital signature on a supplied data value.
A variety of different physical forms of tokens exist
4. Station-to-Station Protocol:
• The Station-to-Station (STS) protocol adds authentication to the Diffie-Hellman exchange:
1. A → B : t_A
2. B → A : t_B, { Sign_B(t_A, t_B) }_Kab
3. A → B : { Sign_A(t_A, t_B) }_Kab
The same exchange with the identities of the parties written explicitly:
1. A → B : A, B, t_A
2. B → A : B, A, t_B, { Sign_B(t_A, t_B) }_Kab
3. A → B : A, B, { Sign_A(t_A, t_B) }_Kab
• Good Key: as before.
• Key Confirmation: A knows that B knows K_ab.
An attack trace, in which E intercepts A’s first message and forwards t_A to B under E’s own name:
1. A → E(B) : A, B, t_A
1’. E → B : E, B, t_A
2’. B → E : B, E, t_B, { Sign_B(t_A, t_B) }_Kab
2. E(B) → A : B, A, t_B, { Sign_B(t_A, t_B) }_Kab
3. A → E(B) : A, B, { Sign_A(t_A, t_B) }_Kab
4.1. What does STS provide?
• Attacker E does NOT learn the key.
• B does not accept the key.
• But A does accept the key.
This can be fixed by changing line 2 to:
2. B → A : t_B, { A, Sign_B(t_A, t_B) }_Kab
This is not done because this attack does not pose a real risk.
In this case Key Confirmation is enough
4.2. Security Properties of STS:
• the scheme is secure against known session key attacks and provides perfect forward
secrecy
• the scheme is a secure mutual identification scheme (i.e., if the adversary is active
during a given flow of the protocol, then no honest participant will “accept” after that
time)
• in addition, the scheme is a secure KAS w.r.t. a passive adversary (i.e., U and V can both
compute the same session key, K, and the adversary cannot compute any information
about K)
• if U “accepts”, it means that she believes that:
– she has been communicating with V
– U and V can compute the same session key, and
– no one other than V can compute any information about the session key.
4.3. Key Authentication and Key Confirmation:
Suppose U and V are honest, and they execute an SKDS or KAS. At the end of the
session, U and V should each be able to compute the same session key, K, whose value
should be unknown to the adversary. Suppose that U “accepts”. The following properties
discuss various types of assurance that may be provided to U :
implicit key authentication
U is assured that no one other than V can compute K
implicit key confirmation
U is assured that V can compute K, and no one other than V can compute K
explicit key confirmation
U is assured that V has computed K, and no one other than V can compute K
Chapter 9:
1. Firewalls
2. TCP
3. VPN
1. Firewalls:
INTRODUCTION:
1.1. What are Firewalls?
The Internet is a vital and growing network that is changing the way many
organizations and individuals communicate and do business. Using the Internet we can
get connected to any other computer, no matter how far the two are located from each
other on the network. However, the Internet suffers from significant and widespread
security problems. Many agencies and organizations have been attacked or probed by
intruders, with resultant high losses to productivity and reputation. In some cases,
organizations have had to disconnect from the Internet temporarily, and have invested
significant resources in correcting problems with system and network configuration. Sites
that are unaware of or ignorant of these problems face a significant risk that network
intruders will attack them. Even sites that do observe good security practices face
problems with new vulnerabilities in networking software and the persistence of some
intruders. This connectivity can therefore be a nightmare for network support staff, who
are left with the very difficult job of trying to protect the corporate network from a variety
of attacks. At a broad level, there are two kinds of attacks:
(1) Most corporations have large amounts of valuable and confidential data in their
networks. Leaking of this critical information to competitors can be a great setback.
(2) Apart from the danger of the insider information leaking out, there is a great danger
of the outside elements (such as viruses and Worms) entering a corporate network to
create havoc.
(a) Some of the problems with Internet security are a result of inherent
vulnerabilities in the services (and the protocols that the services implement),
while others are a result of host configuration and access controls that are poorly
implemented or overly complex to administer.
(b) Additionally, the role and importance of system management is often short-
changed in job descriptions, resulting in many administrators being, at best, part-
time and poorly prepared. We will talk about these problems in detail.
The Security Related Problems in the Internet:
Vulnerable TCP/IP services:
A number of the TCP/IP services are not secure and can be compromised by
knowledgeable intruders; services used in the local area networking environment for
improving network management are especially vulnerable.
Ease of spying and spoofing:
The majority of Internet traffic is unencrypted; e-mail, passwords, and file transfers
can be monitored and captured using readily available software, and intruders can then
reuse captured passwords to break into systems.
Lack of policy:
Many sites are configured unintentionally for wide-open Internet access without
regard for the potential for abuse from the Internet; many sites permit more TCP/IP
services than they require for their operations and do not attempt to limit access to
information about their computers that could prove valuable to intruders.
Complexity of configuration:
Host security access controls are often complex to configure and monitor; controls that
are accidentally misconfigured often result in unauthorized access.
As a result of these dangers, we must have mechanisms which can ensure that the
inside information remains inside, and also prevents the outsider attackers from entering
inside a corporate network. This is where a firewall is needed.
A firewall acts like a guard, which can guard a corporate network by standing
between the network and the outside world. A firewall is a network security system
designed to prevent unauthorized access to a private network from any other network. It
works closely with a router program to determine if a packet should be forwarded to its
destination. It also provides a proxy service that makes network requests on behalf of the
users on a network.
All traffic between the network and the Internet in either direction must pass through
the firewall. The firewall decides if the traffic can be allowed to flow, or whether it must
be stopped from proceeding further. Technically, therefore, a firewall is a specialized
version of a router. Apart from the basic routing functions and rules, a router can be
configured to perform the firewall functionality with the help of additional software
resources.
Fig. 4.1 Architecture of Firewall
1.2. Need of a firewall:
The Internet, like any other society, is plagued with the kind of jerks who enjoy the
electronic equivalent of writing on other people's walls with spray paint, tearing their
mailboxes off, or just sitting in the street blowing their car horns. Some people try to get
real work done over the Internet, and others have sensitive or proprietary data they must
protect. Usually, a firewall's purpose is to keep the jerks out of your network while still
letting you get your job done.
Many traditional-style corporations and data centers have computing security policies
and practices that must be adhered to. In a case where a company's policies dictate how
data must be protected, a firewall is very important, since it is the embodiment of the
corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large
company, is not justifying the expense or effort, but convincing management that it's safe
to do so. A firewall provides not only real security--it often plays an important role as a
security blanket for management.
Lastly, a firewall can act as your corporate “ambassador” to the Internet. Many
corporations use their firewall systems as a place to store public information about
corporate products and services, files to download, bug fixes, and so forth. Several of
these systems have become important parts of the Internet service structure (e.g.:
UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their
organizational sponsors.
The following list summarizes the primary benefits of using a firewall.
(1) Protection from Vulnerable Services.
(2) Controlled Access to Site Systems.
(3) Concentrated Security.
(4) Enhanced Privacy.
(5) Logging and Statistics on Network Use, Misuse.
(6) Policy Enforcement.
1.3. What can a firewall protect against?
(1) Some firewalls permit only email traffic through them, thereby protecting the
network against any attacks other than attacks against the email service. Other
firewalls provide less strict protections, and block services that are known to be
problems.
(2) Generally, firewalls are configured to protect against unauthenticated interactive
logins from the “outside” world. This, more than anything, helps prevent vandals
from logging into machines on your network. More elaborate firewalls block traffic
from the outside to the inside, but permit users on the inside to communicate freely
with the outside. The firewall can protect you against any type of network-borne
attack if you unplug it.
(3) Firewalls are also important since they can provide a single “choke point” where
security and audit can be imposed. Unlike in a situation where someone dialing in
with a modem is attacking a computer system, the firewall can act as an effective
“phone tap” and tracing tool. Firewalls provide an important logging and auditing
function; often they provide summaries to the administrator about what kinds and
amount of traffic passed through it, how many attempts there were to break into it,
etc.
(4) This is an important point: providing this “choke point” can serve the same purpose
on your network as a guarded gate can for your site's physical premises. That means
anytime you have a change in “zones” or levels of sensitivity, such a checkpoint is
appropriate. A company rarely has only an outside gate and no receptionist or
security staff to check badges on the way in. If there are layers of security on your
site, it's reasonable to expect layers of security on your network.
1.4. What can't a firewall protect against?
(1) Firewalls can't protect against attacks that don't go through the firewall. Many
corporations that connect to the Internet are very concerned about proprietary data
leaking out of the company through that route. Unfortunately for those concerned, a
magnetic tape can just as effectively be used to export data. Many organizations that
are terrified (at a management level) of Internet connections have no coherent policy
about how dial-in access via modems should be protected. It's silly to build a 6-foot
thick steel door when you live in a wooden house, but there are a lot of organizations
out there buying expensive firewalls and neglecting the numerous other back-doors
into their network.
(2) For a firewall to work, it must be a part of a consistent overall organizational
security architecture. Firewall policies must be realistic and reflect the level of
security in the entire network. For example, a site with top secret or classified data
doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first
place, or the systems with the really secret data should be isolated from the rest of
the corporate network.
(3) Another thing is that a firewall can't really protect you against the traitors or idiots
inside your network. While an industrial spy might export information through your
firewall, he's just as likely to export it through a telephone, FAX machine, or floppy
disk. Floppy disks are a far more likely means for information to leak from your
organization than a firewall! Firewalls also cannot protect you against stupidity.
Users who reveal sensitive information over the telephone are good targets for social
engineering; an attacker may be able to break into your network by completely
bypassing your firewall, if he can find a “helpful” employee inside who can be
fooled into giving access to a modem pool.
(4) Before deciding this isn't a problem in your organization, ask yourself how much
trouble a contractor has getting logged into the network or how much difficulty a
user who forgot his password has getting it reset. If the people on the help desk
believe that every call is internal, you have a problem.
(5) Lastly, firewalls can't protect against tunneling over most application protocols to
trojaned or poorly written clients. There are no magic bullets, and a firewall is not an
excuse not to implement software controls on internal networks or to ignore host
security on servers. Tunneling “bad” things over HTTP, SMTP, and other protocols
is quite simple and trivially demonstrated. Security isn't “fire and forget”.
The characteristics of a good firewall can be described as follows:
(1) All traffic from inside to outside, and vice versa must pass through the firewall. To
achieve this, all the access to the local network must first be physically blocked, and
access only via the firewall should be permitted.
(2) Only the traffic authorized as per the local security policy should be allowed to pass
through.
(3) The firewall itself must be strong enough, so as to render attacks on it useless.
The word 'firewall' comes from an arrangement in automobiles that separates the
passengers from the engine compartment. Firewalls in computers work on a similar
concept. A firewall is defined as 'the collection of components that are placed between
the local (protected) private network or workstation and the Internet, which is the
external (unprotected) public network'.
Firewalls come in various categories, configurations, set of devices and products,
which run on the hosts in the network. They work like logical security guards, which
keep an eye on the outgoing and incoming traffic.
1.5. Advantages of the Firewall:
(1) A firewall prevents unauthorized Internet users from accessing a private network
connected to the Internet.
(2) It enforces a security policy by allowing a single point for implementing and
controlling all security decisions to be made.
(3) It filters, monitors, and logs the sessions between any two networks. As a result, your
exposure to the Internet is also limited.
Limitation of the Firewall:
The main limitations of a firewall can be listed as follows:
(1) Insider's intrusion: A firewall system is designed to thwart outside attacks.
Therefore, if an inside user attacks the internal network in some way, the firewall
cannot prevent such an attack.
(2) Direct Internet traffic: A firewall must be configured very carefully. It is effective
only if it is the only entry point of an organization's network. If, instead, the firewall
is one of the entry-exit points, a user can bypass the firewall and exchange
information with the Internet via the other entry exit points. This can open up the
possibilities of attacks on the internal network through those points. The firewall
cannot, obviously, be expected to take care of such situations.
(3) Virus attacks: A firewall cannot protect the internal network from virus threats.
This is because a firewall cannot be expected to scan every incoming file or packet
for possible virus contents. Therefore, a separate virus detection and removal
mechanism is required for preventing virus attacks. Alternatively, some vendors
bundle their firewall products with anti-virus software, to enable both features out
of the box.
(4) It needs specialized skills to configure, and many attacks occur because of badly
configured policies on a firewall.
1.6. KINDS OF FIREWALLS:
In general, the firewalls have been classified as per the work carried out by them.
They have two basic types:
(1) Network-Level Firewall (or) Packet Filtering and
(2) Application Level.
Based on these two primary types two more types have also resulted. They are:
(1) Circuit level gateways and
(2) Dynamic Firewall (or) Stateful Multi-layer inspection
Packet Filters:
This is the basic level of firewall. As the name suggests, this firewall checks each
and every IP packet individually, whether coming into or going out of the private network.
A network-level firewall uses the protocols on the two networks to filter the data.
Filtering systems are often built into routers or can be added optionally. The router,
being the point of interconnection between two networks, is a natural location for
filtering.
Fig. 4.2
Source: Basics of network security, firewalls and VPNs-NIIT.
According to the selected policies (called Rule-sets or Access Control Lists or ACLs)
it determines whether to accept a packet or reject it. This is the first line of defense
against the intruders, and is not totally foolproof. It has to be combined with other
techniques as well, to strengthen the security.
Advantages of packet filters:
(1) Simple and straightforward mechanism.
(2) It is cost effective.
(3) It is fairly effective and adequate in most cases.
(4) Operation is totally transparent to the users.
(5) Faster in operation.
(6) It has a built-in operating system optimized for security and performance. So it can
be plugged into a network, regardless of the OS being used.
Disadvantages of packet filters:
(1) It does not support user authentication as the filtering is based purely on the IP
address of the hardware system.
(2) Rule-sets to be defined for a packet filter may be very complex and rigid.
(3) In order to allow certain access, some exceptions to the rules need to be added. This
may add further to the complexity.
(4) Some packet filters do not filter on the source TCP/UDP ports at all, which may
increase the flaws in the filtering system.
(5) It does not allow you to record the logs of individual sessions. These do not possess
any auditing capabilities and auditing is considered to be of major importance in
security.
(6) All the applications on Internet may not be fully supported by packet filtering
firewalls.
(7) It does not conceal the internal architecture of the network and hence it gets exposed.
(8) Using packet filters may be complex as graphical interface is not available in most of
the cases.
Application level filtering:
An application gateway is also called a proxy server. This is because it acts like a
proxy, i.e. a deputy or substitute, and decides about the flow of application-level traffic.
An application gateway typically works as follows:
(1) An internal user contacts the application gateway using a TCP/IP application, such as
HTTP or TELNET.
(2) The application gateway asks the user about the remote host with which the user
wants to set up a connection for actual communication (i.e. its domain name or IP
address) The application gateway also asks for the user id and the password required
to access the services of the application gateway.
(3) The user provides the information to the application gateway.
(4) The application gateway now accesses the remote host on behalf of the user, and
passes the packets of the user to the remote host.
Fig. 4.3 An Application Level Firewall
Application gateways are generally more secure than packet filters, because rather
than examining every packet against a number of rules, we simply detect whether a user
is allowed to work with a TCP/IP application or not.
The disadvantage is the overhead in terms of connections. There are actually two sets
of connections now: one between the end user and the application gateway, and another
between the application gateway and the remote host. The application gateway has to
manage these two sets of connections, and the traffic going between them. This means
that the internal host is really talking to the gateway while it is under the illusion of a
direct connection to the remote host.
Application level firewalls work at the topmost layer in the network, i.e. the
Application Layer. Hence, they can monitor the flow of information in great detail. They
do not need to check each and every packet but rather check an application as a whole
and determine whether it should be allowed access to a network, both in-bound as
well as out-bound. Hence, they are more secure than packet filters.
These are also called Application level gateways as they are between the local network
and the Internet. They require the policies to be set up by using specific software and
hence are NOT transparent to the end users.
Another variation of them is called a Proxy server. These are the hosts which
make/receive requests to/from the Internet on behalf of the local clients. They
provide a single point of entry for Internet traffic into the local network.
Proxy servers work with two faces - one towards the local network (with an
internal IP address) and another towards the Internet (using an external IP address),
much like a coin with two sides. Local network clients refer to it using its local
IP address, whereas anyone from the Internet uses its external IP address for
communication.
The services, which are proxied, include FTP, DNS, TELNET, HTTP, SMTP and so
on. Thus, the application gateway allows the clients to think or believe that they are
getting the direct connection to the Internet; in fact it is routed always through the proxy
server.
Examples of Application level firewalls include Zone Labs' ZoneAlarm and
ZoneAlarm Pro, IBM Firewall, McAfee Firewall, Norton Firewall, the Linux-based Mitel
Networks SME Server, Squid proxy server, WinGate, WinProxy and many more with
various facilities and configurations.
Advantages of Application level firewalls:
(1) Checks traffic in greater detail than packet filters.
(2) No need to check each and every packet, but checks application as a whole.
(3) Provides more security than the packet filters.
(4) These are available as software with Graphical interface, hence specifying, changing
the Rule-sets is easier in this case.
(5) Ability to hide the structure, topology and other sensitive information of the private
network from the external parties.
(6) Has capability of complete auditing/logging of events, which is an important aspect
of security.
(7) Easier to install, set up and operate from the users' point of view (these are also
sometimes called personal firewalls).
Disadvantages of Application level firewalls:
(1) Operation may be slower since it has to check the traffic in more detail.
(2) The software products used may be costly to procure.
(3) In some cases, setup may be difficult and require administrative help.
(4) They are not transparent to the end users, and may have to be set up specifically on
the client nodes.
(5) It does not support new services easily.
1.7. Circuit level Gateways:
Another variation of firewalls is called the Circuit Level Gateway. These are set to
run at the Transport level of the TCP/IP model (or the Session layer in the case of the OSI
model). They check specific sessions or services for filtering. They neither check
individual packets nor entire applications for filtering purposes. They are sometimes
called Relays, as they relay the sessions / services (also called circuits) for the users.
Normally they relay services such as Telnet or FTP for the users. But in the process,
they tend to break the standard client-server model.
Thus, for every request/response, there will be two connections to be set-up: one from
the client machine to the firewall, and the second between the firewall to the external
server, and similarly in reverse way. But they provide the facility to control these
services. It is hence possible to enable/disable these services through the circuit gateways.
It performs some additional functions as compared to those performed by an
application gateway. A circuit gateway, in fact, creates a new connection between itself
and the remote host. The user is not aware of this, and thinks that there is a direct
connection between itself and the remote host. Also, the circuit gateway changes the
source IP address in the packets from the end user's IP address to its own. This way the
IP addresses of the internal network are hidden from the outer world.
The SOCKS server is an example of the real life implementation of a circuit gateway.
It is a client server application. The SOCKS client runs on the internal host, and, the
SOCKS server runs on the firewall.
Fig. 4.4
Advantages of Circuit level gateways:
(1) More secure than packet filters since they work at a higher level.
(2) Do not check individual packets inbound or outbound.
(3) Can hide internal network structure to the external entities.
(4) Flexibility to enable or disable sessions or services is available.
(5) Less expensive compared to the Application level products.
(6) Operation is transparent to the end-users
Disadvantages of Circuit level gateways:
(1) Less secure compared to application level gateways.
(2) Breaks the client-server model.
(3) Requires two dedicated connections to be set up for each service / response.
1.8.Dynamic (Stateful Multi-layer Inspection) Firewalls:
The last category of firewalls is the Dynamic type, also known as the Stateful multi-layer
inspection type. As the name suggests, it checks the traffic in multiple layers, viz. the
Application, Transport as well as Internet layers. Hence, it combines all the advantages of
the first three categories of firewalls. These are the most recent type of firewalls in use.
They check the individual packets at the Internet layer, check for valid sessions at the
Transport layer and evaluate the application at the topmost layer.
Another difference between this type and the earlier ones is the awareness of State and
their Dynamic nature. This means the firewall can modify itself, adapt to changes in the
situation and change the rules dynamically. This facility is not available in any of the
earlier types, which are hence known as Stateless, and it makes this type more efficient.
For this purpose the firewall needs to maintain some historical information about all the
transactions, in a form called state tables. These state tables are updated as and when new
events are generated, and are used by the firewall to modify or update the Rule-sets in
different situations.
Examples of this type of firewall include Checkpoint's Firewall-1, Sun's Sunscreen
etc.
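To make the contrast between a packet filter's Rule-sets (section 1.6) and the state tables described here concrete, the following is an added example, not code from the textbook or from any firewall product. It assumes an invented 5-tuple packet model, a first-match ACL with an implicit deny, an internal network 10.0.0.0/24, and constructed sample packets; the same three packets are run through a stateless filter and a stateful one.

```python
"""Stateless packet-filter ACL beside a stateful connection table (added example).

All addresses, ports and rules below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: a request to open a new connection
    ack: bool = False   # TCP ACK flag


@dataclass
class Rule:
    """One ACL entry; None means 'any' for that field."""
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # CIDR
    dst: Optional[str] = None      # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.sport is None or self.sport == p.sport)
        )


def stateless_filter(rules: list[Rule], p: Packet) -> str:
    """Packet filter: first matching rule wins, implicit deny at the end.
    Each packet is judged on its own; the filter keeps no memory."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INSIDE = "10.0.0.0/24"

# To let inside hosts browse the web, a stateless filter must also let the
# replies back in. The client's source port is ephemeral, so the reply rule has
# to accept any inbound packet with source port 80, and that rule equally
# accepts unsolicited traffic that merely claims to come from port 80.
STATELESS_ACL = [
    Rule("allow", src=INSIDE, proto="tcp", dport=80),   # outbound HTTP
    Rule("allow", dst=INSIDE, proto="tcp", sport=80),   # HTTP replies (too broad)
]


class StatefulFirewall:
    """Stateful inspection: the state table remembers each outbound TCP session
    the policy allowed; inbound packets are accepted only when they belong to a
    tracked session, so no standing inbound rule is needed."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.state: set[tuple] = set()   # (src, sport, dst, dport) per session

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if self._reverse_key(p) in self.state:   # reply to a tracked session
            return "allow"
        if self._key(p) in self.state:           # further packets of a session
            return "allow"
        # Only a genuine connection request (SYN, no ACK) may create a state
        # entry, and only if the Rule-set permits it.
        if p.proto == "tcp" and p.syn and not p.ack \
                and stateless_filter(self.rules, p) == "allow":
            self.state.add(self._key(p))
            return "allow"
        return "deny"


STATEFUL_POLICY = [Rule("allow", src=INSIDE, proto="tcp", dport=80)]   # outbound only


def demo() -> dict:
    """Run the same three constructed packets through both firewalls."""
    out = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 51000, syn=True, ack=True)
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 445, syn=True)  # unsolicited
    sf = StatefulFirewall(STATEFUL_POLICY)
    return {
        "stateless": [stateless_filter(STATELESS_ACL, p) for p in (out, reply, probe)],
        "stateful": [sf.filter(p) for p in (out, reply, probe)],
    }
```

Running demo() shows the stateless ACL accepting the unsolicited probe because its source port matches the reply rule, while the state table rejects it as belonging to no session that an inside host opened.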
Fig. 4.5 Stateful Inspection
Advantages of Dynamic Firewalls:
(1) Scans the traffic at three different layers in great detail.
(2) Provides much more security than the first three types of firewalls.
(3) Facility to adapt to changes in the state of the network.
(4) More flexible in its operation due to its dynamic nature.
(5) Combines most of the advantages of the first three types of firewalls.
Disadvantages of Dynamic Firewalls:
(1) Operation is much slower and may reduce the overall performance.
(2) Applications need to be specially procured and can be expensive.
(3) Setup or implementation may be more difficult.
Distributed Firewalls:
Distributed firewalls are host-resident security solutions, which protect the
enterprise network's critical end points against intrusion. As the name suggests, the
firewall implementation is distributed over multiple points rather than providing a single
point of entry into your network, as in the case of traditional firewalls. With distributed
firewalls, one can provide separate levels of security to the Web servers, Mail servers,
Application servers or individual nodes in the setup.
These are meant to provide higher security to corporate networks. They can also
prevent malicious inside attacks within the network, as they treat all traffic as
unfriendly whether it originates from the Internet or from your local network. This is an
important advantage, since most attacks are initiated from inside the network.
These firewalls also guard the individual machines the same way as the perimeter
firewall guards the entire network.
These are like personal firewalls, but the additional features include centralized
management, logging and fine access-control granularity. These are the prime
features considered for implementation of firewalls in larger enterprises. They protect
remote employees, the precious servers of the enterprise, the internal network as well as
individual terminals. Presently, security-conscious organizations of various types are
deploying the Distributed type of firewalls, which offer unlimited scalability while
keeping the same performance. In some cases, the perimeter firewalls need not be
installed at all when distributed firewalls are deployed.
Fig. 4.6
Some key differences between the Traditional Firewall implementations and the
Distributed Firewall implementations are as stated below.
Traditional Firewalls:
(a) Provide a single entry point into the network.
(b) More prone to attacks.
(c) Cannot prevent inside attacks.
(d) Less secure implementation.
(e) Servers have to be inside the perimeter.
(f) Less flexibility of operation.
(g) Provide the same level of security.
Distributed Firewalls:
(a) Provide multiple checkpoints (the firewall exists in multiple forms).
(b) Less prone to attacks.
(c) Possible to prevent inside attacks.
(d) More secure implementation.
(e) Servers can be outside the perimeter.
(f) More flexibility in operation.
(g) Different security levels possible.
2.Virtual Private Network:
2.1.Introduction:
The virtual private network (VPN) technology included in Windows Server 2003 helps
enable cost-effective, secure remote access to private networks. VPN allows
administrators to take advantage of the Internet to help provide the functionality and
security of private WAN connections at a lower cost. In Windows Server 2003, VPN is
enabled using the Routing and Remote Access service. VPN is part of a comprehensive
network access solution that includes support for authentication and authorization
services, and advanced network security technologies.
There are two main strategies that help provide secure connectivity between private
networks and enable network access for remote users.
Dial-up or leased line connections
A dial-up or leased line connection creates a physical connection to a port on a remote
access server on a private network. However, using dial-up or leased lines to provide
network access is expensive when compared to the cost of providing network access
using a VPN connection.
VPN connections
VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer Two
Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over an intermediate
network, such as the Internet. By using the Internet as a connection medium, VPN saves
the cost of long-distance phone service and hardware costs associated with using dial-up
or leased line connections. A VPN solution includes advanced security technologies such
as data encryption, authentication, authorization, and Network Access Quarantine
Control.
Note
Network Access Quarantine Control is used to delay remote access to a private
network until the configuration of the remote access computer has been examined
and validated.
Using VPN, administrators can connect remote or mobile workers (VPN clients) to
private networks. Remote users can work as if their computers are physically connected
to the network. To accomplish this, VPN clients can use a Connection Manager profile to
initiate a connection to a VPN server. The VPN server can communicate with an Internet
Authentication Service (IAS) server to authenticate and authorize a user session and
maintain the connection until it is terminated by the VPN client or by the VPN server. All
services typically available to a LAN-connected client (including file and print sharing,
Web server access, and messaging) are enabled by VPN.
VPN clients can use standard tools to access resources. For example, clients can use
Windows Explorer to make drive connections and to connect to printers. Connections are
persistent: Users do not need to reconnect to network resources during their VPN
sessions. Because drive letters and universal naming convention (UNC) names are fully
supported by VPN, most commercial and custom applications work without modification.
2.2.VPN Scenarios
Virtual private networks are point-to-point connections across a private or public network
such as the Internet. A VPN client uses special TCP/IP-based protocols, called tunneling
protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN
deployment, a client initiates a virtual point-to-point connection to a remote access server
over the Internet. The remote access server answers the call, authenticates the caller, and
transfers data between the VPN client and the organization’s private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The
header provides routing information that enables the data to traverse the shared or public
network to reach its endpoint. To emulate a private link, the data being sent is encrypted
for confidentiality. Packets that are intercepted on the shared or public network are
indecipherable without the encryption keys. The link in which the private data is
encapsulated and encrypted is known as a VPN connection.
There are two types of VPN connections:
Remote access VPN
Site-to-site VPN
Remote Access VPN
Remote access VPN connections enable users working at home or on the road to access a
server on a private network using the infrastructure provided by a public network, such as
the Internet. From the user’s perspective, the VPN is a point-to-point connection between
the computer (the VPN client) and an organization’s server. The exact infrastructure of
the shared or public network is irrelevant because it appears logically as if the data is sent
over a dedicated private link.
Site-to-Site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections) enable
organizations to have routed connections between separate offices or with other
organizations over a public network while helping to maintain secure communications. A
routed VPN connection across the Internet logically operates as a dedicated WAN link.
When networks are connected over the Internet, as shown in the following figure, a router
forwards packets to another router across a VPN connection. To the routers, the VPN
connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN
server provides a routed connection to the network to which the VPN server is attached.
The calling router (the VPN client) authenticates itself to the answering router (the VPN
server), and, for mutual authentication, the answering router authenticates itself to the
calling router. In a site-to site VPN connection, the packets sent from either router across
the VPN connection typically do not originate at the routers.
2.3.VPN Connection Properties
PPTP-based VPN and L2TP/IPSec-based VPN connection properties are described in the
following sections.
Encapsulation
VPN technology provides a way of encapsulating private data with a header that allows
the data to traverse the network.
Authentication
There are three types of authentication for VPN connections:
User authentication
For the VPN connection to be established, the VPN server authenticates the VPN client
attempting the connection and verifies that the VPN client has the appropriate
permissions. If mutual authentication is being used, the VPN client also authenticates the
VPN server, providing protection against masquerading VPN servers.
The user attempting the PPTP or L2TP/IPSec connection is authenticated using Point-to-
Point (PPP)-based user authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS), Microsoft Challenge-Handshake
Authentication Protocol (MS-CHAP), Microsoft Challenge-Handshake Authentication
Protocol version 2 (MS-CHAP v2), Shiva Password Authentication Protocol (SPAP), and
Password Authentication Protocol (PAP). For PPTP connections, you must use EAP-
TLS, MS-CHAP, or MS-CHAP v2. EAP-TLS using smart cards or MS-CHAP v2 is
highly recommended, as they provide mutual authentication and are the most secure
methods of exchanging credentials.
Computer authentication with L2TP/IPSec
By performing computer-level authentication with IPSec, L2TP/IPSec connections also
verify that the remote access client computer is trusted.
Data authentication and integrity
To verify that the data being sent on an L2TP/IPSec VPN connection originated at the
other end of the connection and was not modified in transit, L2TP/IPSec packets include
a cryptographic checksum based on an encryption key known only to the sender and the
receiver.
Data Encryption
Data can be encrypted for protection between the endpoints of the VPN connection. Data
encryption should always be used for VPN connections where private data is sent across
a public network such as the Internet. Data that is not encrypted is vulnerable to
unauthorized interception. For VPN connections, Routing and Remote Access uses
Microsoft Point-to-Point Encryption (MPPE) with PPTP and IPSec encryption with
L2TP.
Address and Name Server Allocation
When a VPN server is configured, it creates a virtual interface that represents the
interface on which all VPN connections are made. When a VPN client establishes a VPN
connection, a virtual interface is created on the VPN client that represents the interface
connected to the VPN server. The virtual interface on the VPN client is connected to the
virtual interface on the VPN server, creating the point-to-point VPN connection.
The virtual interfaces of the VPN client and the VPN server must be assigned IP
addresses. The assignment of these addresses is done by the VPN server. By default, the
VPN server obtains IP addresses for itself and VPN clients using the Dynamic Host
Configuration Protocol (DHCP). Otherwise, a static pool of IP addresses can be
configured to define one or more address ranges, with each range defined by an IP
network ID and a subnet mask or start and end IP addresses.
Name server assignment, the assignment of Domain Name System (DNS) and Windows
Internet Name Service (WINS) servers to the VPN connection, also occurs during the
process of establishing the VPN connection.
2.4.Tunneling Overview
Tunneling is a method of using a network infrastructure to transfer data for one network
over another network. The data (or payload) to be transferred can be the frames (or
packets) of another protocol. Instead of sending a frame as it is produced by the
originating node, the tunneling protocol encapsulates the frame in an additional header.
The additional header provides routing information so that the encapsulated payload can
traverse the intermediate network.
The encapsulated packets are then routed between tunnel endpoints over the network.
The logical path through which the encapsulated packets travel through the network is
called a tunnel. After the encapsulated frames reach their destination on the network, the
frame is de-encapsulated (the header is removed) and the payload is forwarded to its final
destination. Tunneling includes this entire process (encapsulation, transmission, and de-
encapsulation of packets).
2.5.Tunneling Protocols
Tunneling enables the encapsulation of a packet from one type of protocol within the
datagram of a different protocol. For example, VPN uses PPTP to encapsulate IP packets
over a public network such as the Internet. A VPN solution based on either PPTP or
L2TP can be configured.
PPTP and L2TP depend heavily on the features originally specified for PPP. PPP was
designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP
encapsulates IP packets within PPP frames and then transmits the encapsulated PPP-
packets across a point-to-point link. PPP was originally defined as the protocol to use
between a dial-up client and a network access server (NAS).
PPTP
PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an IP header
to be sent across an organization’s IP network or a public IP network such as the Internet.
PPTP encapsulates Point-to-Point Protocol (PPP) frames in IP datagrams for
transmission over the network. PPTP can be used for remote access and site-to-site VPN
connections. PPTP is documented in RFC 2637 in the IETF RFC Database.
PPTP uses a TCP connection for tunnel management and a modified version of Generic
Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads
of the encapsulated PPP frames can be encrypted, compressed, or both. The following
figure shows the structure of a PPTP packet containing an IP datagram.
When using the Internet as the public network for VPN, the PPTP server is a PPTP-
enabled VPN server with one interface on the Internet and a second interface on the
intranet.
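The encapsulation and de-encapsulation steps from the tunneling overview (section 2.4), applied to the PPTP packet structure just described, as an added example that is not part of the textbook or of any vendor's implementation. It builds and parses the enhanced GRE header of RFC 2637 around a constructed PPP frame; the call ID, sequence number and payload bytes are invented sample values, and the outer IP header is not modelled.

```python
"""PPTP enhanced-GRE encapsulation of a PPP frame (added example, RFC 2637 sec. 4.1)."""
import struct
from typing import Optional

GRE_PROTO_PPP = 0x880B        # Protocol Type that PPTP uses for PPP payloads
GRE_VER_ENHANCED = 1          # "Ver" field of the enhanced GRE header
FLAG_K = 0x2000               # Key present (Payload Length + Call ID); always set
FLAG_S = 0x1000               # Sequence Number present
FLAG_A = 0x0080               # Acknowledgment Number present
# C, R, s, Recur and Flags must all be zero in enhanced GRE.
FLAGS_MUST_BE_ZERO = 0x8000 | 0x4000 | 0x0800 | 0x0700 | 0x0078

# Constructed sample PPP frame: 0xFF 0x03 address/control, protocol 0x0021 (IPv4),
# followed by stand-in bytes where the IP datagram would be.
SAMPLE_PPP_FRAME = bytes.fromhex("ff030021") + b"<ip datagram>"
SAMPLE_CALL_ID = 0x1234       # invented call ID identifying the PPTP session


def encapsulate(ppp_frame: bytes, call_id: int,
                seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Tunneling step 1: wrap a PPP frame in a PPTP enhanced-GRE header.

    Layout, all big-endian:
      flags/version (2) | protocol type (2) | payload length (2) | call ID (2)
      [sequence number (4)] [acknowledgment number (4)] | PPP payload
    Payload length counts the PPP frame only, not the GRE header.
    """
    flags = FLAG_K | GRE_VER_ENHANCED
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def decapsulate(pkt: bytes) -> dict:
    """Tunneling step 3: strip the GRE header and hand back the PPP frame.

    A tunnel endpoint validates every header field before trusting the payload:
    a wrong version or protocol type, a missing Key, a reserved bit set, or a
    payload length that disagrees with the bytes actually received all raise
    ValueError so the caller drops the packet instead of processing it.
    """
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if flags & 0x0007 != GRE_VER_ENHANCED:
        raise ValueError("not enhanced GRE (Ver != 1)")
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"unexpected protocol type {proto:#06x}")
    if not flags & FLAG_K:
        raise ValueError("Key field (payload length / call ID) missing")
    if flags & FLAGS_MUST_BE_ZERO:
        raise ValueError("reserved bit set in GRE flags")
    off = 8

    def take_u32() -> int:
        nonlocal off
        if len(pkt) < off + 4:
            raise ValueError("truncated optional GRE field")
        value = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
        return value

    seq = take_u32() if flags & FLAG_S else None
    ack = take_u32() if flags & FLAG_A else None
    payload = pkt[off:]
    if len(payload) != plen:
        raise ValueError(f"payload length {plen} != {len(payload)} bytes received")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def round_trip() -> dict:
    """Encapsulate the sample frame as the first data packet of the session
    (sequence number 0, no acknowledgment) and decapsulate it again."""
    gre_packet = encapsulate(SAMPLE_PPP_FRAME, SAMPLE_CALL_ID, seq=0)
    return decapsulate(gre_packet)
```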
L2TP
L2TP allows multiprotocol traffic to be encrypted and then sent over any medium that
supports point-to-point datagram delivery, such as IP, X.25, frame relay, or asynchronous
transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a
technology developed by Cisco Systems, Inc. L2TP represents the best features of PPTP
and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, frame relay, or ATM
networks. When configured to use IP as its datagram transport, L2TP can be used as a
tunneling protocol over the Internet. L2TP is documented in RFC 2661 in the IETF RFC
Database.
L2TP over IP networks uses User Datagram Protocol (UDP) and a series of L2TP
messages for tunnel management. L2TP also uses UDP to send L2TP-encapsulated PPP
frames as tunneled data. The payloads of encapsulated PPP frames can be encrypted,
compressed, or both, although the Microsoft implementation of L2TP does not use MPPE
to encrypt the PPP payload. The following figure shows the structure of an L2TP packet
containing an IP datagram.
L2TP with IPSec (L2TP/IPSec)
In the Microsoft implementation of L2TP, IPSec Encapsulating Security Payload (ESP)
in transport mode is used to encrypt L2TP traffic. The combination of L2TP (the
tunneling protocol) and IPSec (the method of encryption) is known as L2TP/IPSec.
L2TP/IPSec is described in RFC 3193 in the IETF RFC Database.
The result after applying ESP to an IP packet containing an L2TP message is shown in
the following figure.
2.6.Routing for VPN
Routing for remote access and site-to-site VPN connections is described in the following
sections.
Routing for Remote Access VPN Connections
Conventional routing occurs between routers over either LAN-based shared access
technologies, such as Ethernet or Token Ring, or WAN-based point-to-point
technologies, such as T1 or frame relay.
Default Routing
The preferred method for directing packets to a remote network is to create a default
route on the remote access client that directs packets to the remote network (the default
configuration for VPN remote access clients). Any packet that is not intended for the
neighboring LAN segment is sent to the remote network. When a connection is made, the
remote access client, by default, adds a default route to its routing table and increases the
metric of the existing default route to ensure that the newest default route is used. The
newest default route points to the new connection, which ensures that any packets that are
not addressed to the local LAN segment are sent to the remote network.
Under this configuration, when a VPN client connects and creates a new default route,
Internet sites that have been accessible are no longer accessible (unless Internet access is
available through the organization’s intranet). This poses no problem for remote VPN
clients that require access only to the organization’s network. However, it is not
acceptable for remote clients that need access to the Internet while they are connected to
the organization’s network.
Split Tunneling
Split tunneling enables remote access VPN clients to route corporate-based traffic over
the VPN connection while sending Internet-based traffic using the user’s local Internet
connection. This prevents the use of corporate bandwidth for access to Internet sites.
However, a split tunneling implementation can introduce a security issue. If a remote
access client has reachability to both the Internet and a private organization network
simultaneously, the possibility exists that the Internet connection could be exploited to
gain access to the private organization network through the remote access client.
Security-sensitive companies can choose to use the default routing model to help ensure
that all VPN client communications are protected by the corporate firewall.
Routing for Site-to-Site VPN Connections
With conventional WAN technologies, IP packets are forwarded between two routers
over a physical or logical point-to-point connection. This connection is dedicated to the
customer across a private data network that is provided by the WAN service provider.
With the advent of the Internet, packets can now be routed between routers that are
connected to the Internet across a virtual connection that emulates the properties of a
dedicated, private, point-to-point connection. This type of connection is known as a site-
to-site VPN connection. Site-to-site VPN connections can be used to replace expensive
long-haul WAN links with short-haul WAN links to a local Internet service provider
(ISP).
A site-to-site VPN connection connects two portions of a private network. The VPN
server provides a routed connection to the network to which the VPN server is attached.
On a site-to-site VPN connection, the packets sent from either router across the VPN
connection typically do not originate at the routers.
To facilitate routing between the sites, each VPN server and the routing infrastructure of
its connected site must have a set of routes that represent the address space of the other
site. These routes can be added manually, or routing protocols can be used to
automatically add and maintain a set of routes.
Site-to-Site Routing Protocols
There are two routing protocols that can be used in a site-to-site VPN deployment:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
RIP
RIP is designed for exchanging routing information within a small to medium-size
network. RIP routers dynamically exchange routing table entries.
The Windows Server 2003 implementation of RIP has the following features:
The ability to select which RIP version to run on each interface for incoming and
outgoing packets.
Split-horizon, poison-reverse, and triggered-update algorithms that are used to
avoid routing loops and speed recovery of the network when topology changes
occur.
Route filters for choosing which networks to announce or accept.
Peer filters for choosing which router’s announcements are accepted.
Configurable announcement and route-aging timers.
Simple password authentication support.
The ability to disable subnet summarization.
OSPF
OSPF is designed for exchanging routing information within a large or very large
network. Instead of exchanging routing table entries like RIP routers, OSPF routers
maintain a map of the network that is updated after any change to the network topology.
This map, called the link state database, is synchronized between all the OSPF routers
and is used to compute the routes in the routing table. Neighboring OSPF routers form an
adjacency, which is a logical relationship between routers to synchronize the link state
database.
3.Introduction to TCP:
TCP:
Because insiders are trusted, is it okay to allow outgoing TCP connections? Not
completely. Although the insiders might be trusted, it is not always certain that the code
they are running is behaving properly.
Applets running on users' machines are considered insiders.
There are ways that bad things can originate from the inside. Assume that the mail
filter is weeding out viruses and worms. That only works if users obtain their mail via
POP3 or IMAP.
If mail is read through a Web-based server, such as Hotmail or Hushmail, there is little
to prevent the poor user from infection via these vectors. Once hit, the inside machine
may generate problematic outgoing TCP connections. (Imagine a dual-mode worm:
When it can, it spreads by direct attacks on vulnerable systems, but it also e-mails copies
of itself to users behind firewalls. Your imagination won’t be stretched very far; these
worms exist.)
Incoming TCP connections should not be allowed. If there is a strong need for access
to an internal machine from the outside, this should be handled via a dedicated proxy,
often from a machine on the DMZ.
If possible, use cryptographically enhanced services such as ssh. It is also best to limit
the sets of machines that can be reached; and, if possible, the set of machines that can
initiate access. The filtering rule for TCP can be summarized as follows:
Sr. No.  Protocol  Outbound query  Inbound response  Comment
(1)      TCP       Allow           Block             Generally trust the insider
NTP (Network Time Protocol)
There are now cheap, extremely accurate time devices available based on the Global
Positioning System and other radio sources. If these are not used, there are time sources
on the Internet. You should limit access to selected, trusted external servers.
If you have a close relationship with the outside time server, you may want to use
NTP’s built-in authentication mechanisms. It is also common to run an external NTP
server of your own and use the firewall to restrict insiders' access to that server alone.
Inbound and outbound queries can be summarised as:
Sr. No.  Protocol  Outbound query  Inbound response  Comment
(1)      NTP       Passive         Block             Put the NTP server in the DMZ
SSH:
One of the principles of computer security is to trust as little as possible. Ssh is one of
the things we trust. As with Mail, it is thus crucial to keep up with bugs and patches. Ssh
has indeed had some serious security problems in the past. Ssh is reasonable to allow
through the firewall because it implements cryptographic authentication and encryption,
and is the best way we know of to allow access through a firewall.
Depending on your internal trust policies, you may want to terminate incoming ssh
connections at the firewall. Here you can do strong, centralized authentication. It's also
attractive to pretend that doing so prevents people or malicious programs from creating
back doors, but it's just that: a pretense. If you permit outbound TCP, it's easy to create
back doors, and ssh's port forwarding just lets Bad Guys do it a bit more easily, from the
command line. The rule for ssh is as follows:
Sr. No.  Protocol  Outbound query  Inbound response  Comment
(1)      ssh       Allow           Allow             Stay current on patches
Telnet:
Telnet Services:
(1) Outbound Telnet Service
(2) Inbound Telnet Service
Outbound Telnet Service:
In an outbound telnet a local client is talking to a remote server. We need to handle
both outgoing and incoming packets. The outgoing packets contain the user’s keystrokes
and have the following characteristics.
(1) The IP Source address of the outgoing packets is the local host’s IP address.
(2) The IP Destination address of the outgoing packets is the remote host’s IP address.
(3) Telnet is a TCP-based service. So the IP packet type is TCP.
(4) The TCP Destination port is 23.
(5) The TCP Source port number is some seemingly random number greater than 1023
(6) The first outgoing packet, establishing the connection, will not have the ACK bit set;
the rest of the outgoing packets will.
The incoming packets contain the data to be displayed on the user’s screen and have
the following characteristics.
(1) The IP Source address of the incoming packets is the remote host’s IP address.
(2) The IP Destination address is the local host’s IP address.
(3) The IP packet type is TCP.
(4) The TCP Source port is 23. That is the port the server uses.
(5) The TCP Destination port number is the same random number greater than 1023 that
we used as the source port for the outgoing packets.
(6) All incoming packets will have the ACK bit set.
Fig. 4.10
Inbound telnet Services:
In the inbound telnet services a remote client communicates with a local telnet server.
We need to handle both incoming and the outgoing packets.
The incoming packets for the inbound telnet service contain the user's keystrokes and
have the following characteristics:
(1) The IP source address of these packets is the remote host's address.
(2) The IP destination address is the local host's address.
(3) The IP packet type is TCP.
(4) The TCP source port is some random port number greater than 1023.
(5) The TCP destination port is 23.
(6) The TCP ACK bit will not be set on the very first inbound packet establishing the
connection, but it will be set on all other inbound packets.
The outgoing packets for this inbound telnet service contain the server's responses and
have the following characteristics:
(1) The IP source address is the local host's address.
(2) The IP destination address is the remote host's address.
(3) The IP packet type is TCP.
(4) The TCP source port is 23.
(5) The TCP destination port is the same random port "Z" that was used as the source port
for the inbound packets.
(6) The TCP ACK bit will be set on all outgoing packets.
Telnet Summary:
(1) Rule A allows packets out to remote telnet servers.
(2) Rule B allows the returning packets to come back in because it verifies that the ACK
bit is set. Rule B can be abused by an attacker: any TCP packet from port 23 on the
attacker's end to a port above 1023 on your end passes as long as the ACK bit is set,
because a stateless filter cannot tell a genuine reply from a crafted packet. Such
packets are enough to probe inside hosts even though they cannot open a new connection.
(3) Rule C is the default rule. If none of the preceding rules apply, the packet is blocked.
Remember from the earlier discussion that any blocked packet should be logged
and that it may or may not cause an ICMP message to be returned to the originator.
The following table illustrates the various types of packets involved in inbound and
outbound telnet services:
Service    Packet     Source    Destination  Packet  Source  Destination  ACK
direction  direction  address   address      type    port    port         set
Outbound   Outgoing   Internal  External     TCP     Y       23           (a)
Outbound   Incoming   External  Internal     TCP     23      Y            Yes
Inbound    Incoming   External  Internal     TCP     Z       23           (a)
Inbound    Outgoing   Internal  External     TCP     23      Z            Yes
(a) The TCP ACK bit will be set on all but the first of these packets, which establishes
the connection.
Note that Y and Z are both random port numbers above 1023.
If you want to allow outgoing telnet, but nothing else, you would set up your packet
filtering as follows:
Rule  Direction  Source    Destination  Protocol  Source  Destination  ACK     Action
                 address   address                port    port         set
A     Out        Internal  Any          TCP       >1023   23           Either  Permit
B     In         Any       Internal     TCP       23      >1023        Yes     Permit
C     Either     Any       Any          Any       Any     Any          Either  Deny
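The three rules above in code, as an added example written for these notes rather than
taken from them or from any firewall product: a small stateless packet filter in Python
that evaluates rules A, B and C in order against constructed packets. The inside network
10.0.0.0/8, the host addresses and the port numbers are assumptions. The last cases show
the weakness noted in the Telnet Summary: an attacker who uses source port 23 and sets the
ACK bit gets through rule B to a high port on an inside machine, while the same packet
without ACK is caught by the default rule.

```python
# Added example for these notes (not from the original text): a stateless packet
# filter implementing rules A, B and C from the table above.
# Addresses, ports and the "internal" network are constructed assumptions.
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed inside address space


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    src: str
    dst: str
    proto: str       # "TCP", "UDP", "ICMP", ...
    sport: int
    dport: int
    ack: bool        # TCP ACK flag; False on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "in", "out" or "either"
    src: str         # "internal" or "any"
    dst: str         # "internal" or "any"
    proto: str       # "TCP" or "any"
    sport: str       # "23", ">1023" or "any"
    dport: str
    ack: str         # "yes" (ACK must be set) or "either"
    action: str      # "permit" or "deny"


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return (ipaddress.ip_address(addr) in INTERNAL_NET) == (spec == "internal")


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


# The three rules from the table: A (outbound telnet), B (replies), C (default deny).
RULES = [
    Rule("A", "out", "internal", "any", "TCP", ">1023", "23", "either", "permit"),
    Rule("B", "in", "any", "internal", "TCP", "23", ">1023", "yes", "permit"),
    Rule("C", "either", "any", "any", "any", "any", "any", "either", "deny"),
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (rule name, action) of the first rule that matches, as a real filter
    would. Rule C matches everything, so a list ending in C never falls through."""
    for r in rules:
        if r.direction not in ("either", pkt.direction):
            continue
        if not (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)):
            continue
        if r.proto not in ("any", pkt.proto):
            continue
        if not (_port_matches(r.sport, pkt.sport) and _port_matches(r.dport, pkt.dport)):
            continue
        if r.ack == "yes" and not pkt.ack:
            continue
        return r.name, r.action
    raise ValueError("no rule matched; put a default-deny rule last")


def demo():
    """Constructed packets: inside host 10.1.1.5, outside hosts 203.0.113.7 and 198.51.100.9."""
    inside, server, attacker = "10.1.1.5", "203.0.113.7", "198.51.100.9"
    return {
        # outbound telnet: SYN from a high port to port 23, then the server's reply
        "telnet_out_syn": filter_packet(Packet("out", inside, server, "TCP", 40000, 23, False)),
        "telnet_out_reply": filter_packet(Packet("in", server, inside, "TCP", 23, 40000, True)),
        # inbound telnet attempt: blocked by the default rule
        "telnet_in_syn": filter_packet(Packet("in", attacker, inside, "TCP", 50000, 23, False)),
        # abuse of rule B: attacker uses source port 23 and sets ACK towards an inside
        # high port (6000 in this constructed case). The filter lets it through.
        "rule_b_abuse_ack": filter_packet(Packet("in", attacker, inside, "TCP", 23, 6000, True)),
        # ... but a genuine connection attempt (no ACK) from port 23 is still denied
        "rule_b_abuse_syn": filter_packet(Packet("in", attacker, inside, "TCP", 23, 6000, False)),
        "udp_from_outside": filter_packet(Packet("in", attacker, inside, "UDP", 53, 40000, False)),
    }


if __name__ == "__main__":
    for name, (rule, action) in demo().items():
        print(f"{name:18s} rule {rule}: {action}")
```

The rule order matters: moving rule C to the front would block everything, and a rule B
written without the ACK condition would let the attacker open real inbound connections
from port 23, not just send probes.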
Chapter 10
1. IP Security
2. SSL
1.IP Security:
have a range of application specific security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that cut across protocol layers
would like security implemented by the network for all applications
general IP Security mechanisms provide
authentication
confidentiality
key management
applicable to use over LANs, across public & private WANs, & for the Internet
1.1.IPSec Uses:
1.2.Benefits of IPSec:
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users
secures routing architecture
1.3.IP Security Architecture:
specification is quite complex
defined in numerous RFCs
incl. RFC 2401/2402/2406/2408
many others, grouped by category
mandatory in IPv6, optional in IPv4
have two security header extensions:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
1.4.IPSec Services:
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
a form of partial sequence integrity
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations :
a one-way relationship between sender & receiver that affords security for traffic flow
defined by 3 parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifier
has a number of other parameters
seq no, AH & ESP info, lifetime etc
have a database of Security Associations
1.5.Authentication Header (AH):
provides support for data integrity & authentication of IP packets
end system/router can authenticate user/app
prevents address spoofing attacks; the sequence number it carries lets the receiver
reject replayed packets
based on use of a MAC
HMAC-MD5-96 or HMAC-SHA-1-96 (the HMAC output truncated to its first 96 bits)
parties must share a secret key
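As an added example (written for these notes, not taken from them or from any IPsec
implementation), the following Python code shows one AH security association identified
by its SPI, destination address and protocol, the HMAC-SHA-1-96 integrity check value
computed over the immutable IP header fields, the AH header and the payload, and the
RFC 2401 anti-replay window of 64 sequence numbers. The shared key, the addresses and the
packet contents are constructed, and the IP header is represented by a stand-in byte
string with the mutable fields already zeroed.

```python
# Added example for these notes (not from the original text): one AH Security
# Association, the HMAC-SHA-1-96 integrity check value, and the RFC 2401
# anti-replay sliding window. Keys, addresses and packet contents are constructed.
import hashlib
import hmac
import struct
from dataclasses import dataclass

REPLAY_WINDOW = 64      # RFC 2401 default window size
AH_HDR_LEN = 12         # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12            # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: str          # "AH" or "ESP"
    auth_key: bytes
    seq: int = 0           # sender side: last sequence number used
    window_top: int = 0    # receiver side: highest sequence number accepted
    window_bits: int = 0   # receiver side: bit i set <=> window_top - i was accepted

    def key(self):
        # the three parameters that identify an SA in the SA database
        return (self.spi, self.dst, self.protocol)


def icv_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(sa, ip_immutable: bytes, payload: bytes, next_header: int = 6) -> bytes:
    """Sender: build AH header + ICV + payload. ip_immutable stands for the IP header
    with mutable fields (TTL, checksum, ...) already zeroed, as AH requires."""
    sa.seq += 1                                   # never reused within one SA
    # payload len field = (AH length in 32-bit words) - 2 = (24 / 4) - 2 = 4
    ah = struct.pack("!BBHII", next_header, 4, 0, sa.spi, sa.seq)
    icv = icv_sha1_96(sa.auth_key, ip_immutable + ah + b"\x00" * ICV_LEN + payload)
    return ah + icv + payload


def replay_check(sa, seq: int) -> bool:
    """True if seq is new: right of the window, or an unseen slot inside it."""
    if seq == 0:
        return False                              # sequence number 0 is never valid
    if seq > sa.window_top:
        return True
    if sa.window_top - seq >= REPLAY_WINDOW:
        return False                              # too old: left of the window
    return not (sa.window_bits >> (sa.window_top - seq)) & 1


def replay_update(sa, seq: int) -> None:
    if seq > sa.window_top:
        shift = seq - sa.window_top
        sa.window_bits = ((sa.window_bits << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.window_top = seq
    else:
        sa.window_bits |= 1 << (sa.window_top - seq)


def ah_verify(sadb: dict, dst: str, ip_immutable: bytes, packet: bytes) -> str:
    """Receiver: look up the SA, run the replay check, verify the ICV, and only then
    advance the window. Returns "ok", "no_sa", "replay" or "bad_icv"."""
    ah = packet[:AH_HDR_LEN]
    icv = packet[AH_HDR_LEN:AH_HDR_LEN + ICV_LEN]
    payload = packet[AH_HDR_LEN + ICV_LEN:]
    _nh, _plen, _rsv, spi, seq = struct.unpack("!BBHII", ah)
    sa = sadb.get((spi, dst, "AH"))
    if sa is None:
        return "no_sa"
    if not replay_check(sa, seq):
        return "replay"
    expected = icv_sha1_96(sa.auth_key, ip_immutable + ah + b"\x00" * ICV_LEN + payload)
    if not hmac.compare_digest(icv, expected):
        return "bad_icv"                          # a forgery must not move the window
    replay_update(sa, seq)
    return "ok"


def demo():
    key, dst = b"constructed-shared-auth-key", "192.0.2.10"
    sender = SecurityAssociation(0x1000, dst, "AH", key)
    receiver = SecurityAssociation(0x1000, dst, "AH", key)
    sadb = {receiver.key(): receiver}
    ip_imm = b"stand-in for the immutable IP header fields"   # constructed
    p1, p2, p3 = (ah_protect(sender, ip_imm, f"data {i}".encode()) for i in (1, 2, 3))
    results = {"in_order": [ah_verify(sadb, dst, ip_imm, p) for p in (p1, p2, p3)]}
    results["replayed_p2"] = ah_verify(sadb, dst, ip_imm, p2)
    p4 = ah_protect(sender, ip_imm, b"data 4")
    forged = p4[:AH_HDR_LEN + ICV_LEN] + b"data 4, altered"
    results["tampered_p4"] = ah_verify(sadb, dst, ip_imm, forged)
    results["genuine_p4_after"] = ah_verify(sadb, dst, ip_imm, p4)   # window untouched
    p5, p6 = (ah_protect(sender, ip_imm, f"data {i}".encode()) for i in (5, 6))
    results["out_of_order"] = [ah_verify(sadb, dst, ip_imm, p) for p in (p6, p5)]
    results["replayed_p5"] = ah_verify(sadb, dst, ip_imm, p5)
    results["unknown_sa"] = ah_verify(sadb, "192.0.2.99", ip_imm, p6)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

Note the order of operations in ah_verify: the replay check runs before the ICV is
computed, which keeps replayed packets cheap to discard, but the window only moves after
the ICV verifies, so a forged packet carrying a high sequence number cannot push genuine
in-flight packets out of the window.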
2. Secure Socket Layer(SSL):
2.1.INTRODUCTION
The Secure Socket Layer (SSL) protocol is an Internet protocol for the secure exchange of
information between a Web browser and a Web server. Logically, it provides a secure
pipe between the Web browser and the Web server. SSL allows sensitive information such
as credit card numbers, social security numbers, and login credentials to be transmitted
securely.
(Fig): Secure Socket Layer)
It can be conceptually considered as an additional layer in TCP/IP protocol suite.
The SSL layer is located between application layer and the transport layer.
Application Layer
SSL Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
(Fig)Position of SSL in TCP/IP
It provides two basic security services: AUTHENTICATION and
CONFIDENTIALITY.
(fig) SSL Services
SSL was developed by Netscape Corporation in 1994.
All major web browsers support SSL. SSL comes in three versions: 2, 3 and 3.1 (3.1 is the
version number that TLS 1.0 carries on the wire). SSL 2 and 3 are now considered broken
and are disabled in current browsers; the design described below is that of SSL 3.
2.2.Working of SSL
SSL has three sub-protocols:
1. Handshake Protocol
2. Record Protocol
3. Alert Protocol
2.3.HANDSHAKE PROTOCOL
The handshake protocol of SSL is the first sub-protocol used by the client and the
server to communicate using a SSL-enabled connection.
Handshake message has three fields:
Type
1 byte
Length
3 byte
Content
1 or more bytes
(Fig) format of handshake protocol.
a) Type (1 byte): This field indicates the type of the handshake message (one of the
message types listed below).
b) Length (3 bytes): This field contains the length of the message in bytes.
c) Content (1 or more byte): This field contains the parameters associated with this
message depending upon the message type.
Message Type Parameters
Hello request None
Client Hello Version, Random Number, Session Id, Cipher suite, Compression
method
Server Hello Version, Random Number, Session Id, Cipher suite, Compression
method
Certificate Chain of X.509V3 certificates
Server-key
Exchange
Parameter, signatures
Certificate request Type, authorities
Server hello Done None
Certificate verify Signature
Client-key
exchange
Parameters, signatures
Finished Hash value
(Fig)SSL handshake protocol message types
The handshake proceeds in four phases:
1. Establish security capabilities.
2. Server authentication and key exchange.
3. Client authentication and key exchange.
4. Finish.
Phase 1: Establish Security Capabilities
The first phase of the SSL handshake is used to initiate a logical connection and establish
the security capabilities associated with that connection. This consists of two messages:
the client hello and the server hello.
(Fig.)Phase 1: Establish Security capabilities.
The client hello message consists of the following parameters.
Version: This field identifies the highest version of SSL that the client can
support.
Random: It contains two sub fields:
A 32-bit date-time field that identifies the current system
date and time on the client computer.
A 28-byte random number generated by the random-
number generator software built inside the client computer.
Session ID: This is a variable length identifier. If it contains a non-zero value, the
client already has a session with the server and wishes to resume it or update its
parameters; a zero value asks the server to create a new session.
Cipher suite: This is the list of combinations of cryptographic algorithms (key exchange,
bulk cipher and MAC) supported by the client, in decreasing order of preference.
Compression method: This is the list of compression algorithms supported by the client.
The server hello message consists of the following fields:
Version: This field identifies the lower of the versions suggested by the client and
the highest supported by the server.
Random: This field has the same structure as the random field of the client. The
random value generated by the server is completely independent of the client’s
Random value.
Session id: If the session id value sent by the client was non-zero, the server uses
the same value. Otherwise, the server creates a new session id and puts it in this
field.
Cipher suite: Contains a single cipher suite, which the server selects from the list
sent earlier by the client.
Compression method: Contains a compression algorithm, which the server selects
from the list sent earlier by the client.
Phase 2: Server Authentication and Key Exchange.
The server initiates the second phase of the SSL handshake, and is the sole sender of all
messages in this phase. The client is the sole recipient of all these messages.
Four steps of phase 2:
First step : Certificate
The server sends its digital certificate and the entire chain leading up to root CA to the
client. This will help the client to authenticate the server using the server’s public key
from the server’s certificate.
Second Step: Server Key Exchange (optional)
It is used when the certificate sent in step 1 does not give the client what it needs for
the key exchange: for example when the server sends no certificate at all, or when an
ephemeral Diffie-Hellman exchange is negotiated and the server must send its DH
parameters, signed with the key in its certificate.
Third Step: Certificate Request
The server can request for the client’s digital certificate.
Fourth Step: Server Hello Done
This message indicates to the client that the server's part of the hello exchange is
complete and the client may proceed with phase 3.
Phase 3: Client Authentication and Key Exchange
The client initiates this third phase of the SSL handshake, and is the sole sender of all
messages in this phase. The server is the sole recipient of all these messages. This phase
contains three steps:
1. Certificate
2. Client Key Exchange
3. Certificate Verify.
(fig) Client Authentication and key exchange.
First Step: Certificate (optional):
This step is performed only if the server had requested for the client’s digital certificate.
Second Step: Client Key Exchange:
This is the counterpart of the server key exchange, in the opposite direction. The client
sends the information from which both parties derive the symmetric keys for this session;
with RSA key exchange this is a 48-byte pre-master secret encrypted under the server's
public key taken from its certificate.
Third Step: (Certificate Verify):
It is necessary only if the server had demanded client authentication. It carries a
signature over the handshake messages exchanged so far, proving that the client holds the
private key matching the certificate it sent in step 1.
Phase 4: Finish
The client initiates the fourth phase of the SSL handshake, which the server ends. This
phase contains four steps:
Step 1: Change cipher specs (sent by the client)
Step 2: Finished (sent by the client)
Step 3: Change cipher specs (sent by the server)
Step 4: Finished (sent by the server)
(Fig)Phase 4: Finished
The change cipher spec message tells the other party that the negotiated algorithms and
keys are in effect from now on. The Finished message is the first one protected by them and
carries a hash over the whole handshake, so either side detects tampering with the earlier,
unprotected messages (for example an attacker downgrading the cipher suite list).
2.4.RECORD PROTOCOL
The Record protocol in SSL comes into the picture after a successful handshake is
completed between the client and the server, that is, after the client and the server have
optionally authenticated each other and have decided what algorithms to use for the
secure information exchange.
The services of this protocol are as follows:
(fig)Services of Record Protocol
a.)Confidentiality: This is achieved by encrypting each record with the symmetric key that
is derived in the handshake protocol.
b.)Integrity: This is achieved by a Message Authentication Code (MAC) computed over each
record with a secret MAC key that is also derived in the handshake protocol.
Steps of Record protocol:
(fig)Process of Record Protocol
1. Fragmentation: The original application message is broken into blocks, so that the size
of each block is less than or equal to 2^14 bytes (16,384 bytes).
2. Compression: The fragmented blocks are optionally compressed (in practice the null
compression method is used).
3. Addition of MAC: Using the shared MAC key established previously in the handshake
protocol, the Message Authentication Code (MAC) for each block is calculated over the
block together with an implicit sequence number, so that replayed or reordered records
are detected.
4. Encryption: Using the symmetric key, the output of the previous step (block plus MAC) is
encrypted.
5. Append Header: Finally, a header is added to the encrypted block.
The header has the following fields:
Field              Length   Description
Content Type       8 bits   Specifies the higher-layer protocol used for processing the
                            record (change cipher spec, alert, handshake or application data)
Major Version      8 bits   Specifies the major version of the SSL protocol in use
Minor Version      8 bits   Specifies the minor version of the SSL protocol in use
Compressed Length  16 bits  Specifies the length in bytes of the (optionally compressed)
                            plain text fragment
(fig) Contents of the header
The final SSL record looks as follows:
Content Type   Major Version   Minor Version   Compressed Length
Plain Text (optionally compressed)
MAC (0, 16 or 20 bytes)
The plain text and the MAC are encrypted together; the header is sent in the clear.
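The five steps above in code, as an added example written for these notes rather than
taken from them or from any SSL library. Both ends of one direction of a connection hold
the same write MAC secret and write key (constructed here); the MAC is HMAC-SHA-1 over the
sequence number, content type, version, length and fragment, which is the TLS 1.0 layout
(SSL 3.0's own MAC is an older MD5/SHA-1 construction), and the cipher is a SHA-256
keystream stand-in so that the code runs with the standard library alone. The second half
shows what happens when a single ciphertext byte is changed in transit: the receiver
returns the fatal Bad record MAC alert of section 2.5 instead of data.

```python
# Added example for these notes (not from the original text): the SSL record
# layer's five sending steps and their reversal on receipt, with a bad_record_mac
# alert on tampering. Keys and messages are constructed; the cipher is a stand-in.
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                    # 16,384 bytes of plaintext per record
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23
VERSION = (3, 0)                          # major, minor for SSL 3.0
ALERT_WARNING, ALERT_FATAL = 1, 2
CLOSE_NOTIFY, BAD_RECORD_MAC = 0, 20      # AlertDescription codes from the SSL 3.0 spec
MAC_LEN = 20                              # SHA-1 MAC; 16 with MD5, 0 with no MAC


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode over key and record number).
    Not a real SSL cipher; it only gives the example something to XOR with."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!QI", seq, counter)).digest()
        counter += 1
    return out[:n]


def _mac(mac_secret: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # HMAC-SHA-1 over sequence number, type, version, length and fragment (the TLS 1.0
    # layout; SSL 3.0's own MAC is an older MD5/SHA-1 construction with padding).
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class RecordLayer:
    """One direction of a connection: sender and receiver each hold one instance,
    with the same write MAC secret and write key from the handshake."""

    def __init__(self, mac_secret: bytes, write_key: bytes):
        self.mac_secret, self.write_key = mac_secret, write_key
        self.write_seq = 0        # implicit 64-bit sequence numbers, never on the wire
        self.read_seq = 0

    def protect(self, ctype: int, data: bytes) -> list:
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):                  # 1. fragmentation
            fragment = data[i:i + MAX_FRAGMENT]                        # 2. compression: null
            mac = _mac(self.mac_secret, self.write_seq, ctype, fragment)   # 3. MAC
            body = fragment + mac
            ks = _keystream(self.write_key, self.write_seq, len(body))
            enc = bytes(a ^ b for a, b in zip(body, ks))               # 4. encryption
            header = struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(enc))  # 5. header
            records.append(header + enc)
            self.write_seq += 1
        return records

    def unprotect(self, record: bytes):
        """Return (content type, fragment), or (CT_ALERT, alert bytes) to send back."""
        ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
        enc = record[5:5 + length]
        ks = _keystream(self.write_key, self.read_seq, len(enc))
        body = bytes(a ^ b for a, b in zip(enc, ks))
        if len(body) < MAC_LEN:
            return CT_ALERT, bytes([ALERT_FATAL, BAD_RECORD_MAC])
        fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        # constant-time compare; any change to header, data or MAC fails here
        if not hmac.compare_digest(mac, _mac(self.mac_secret, self.read_seq, ctype, fragment)):
            return CT_ALERT, bytes([ALERT_FATAL, BAD_RECORD_MAC])
        self.read_seq += 1
        return ctype, fragment


def demo():
    # both ends hold the (constructed) client write keys agreed in the handshake
    client = RecordLayer(b"client-write-mac-secret", b"client-write-key")
    server = RecordLayer(b"client-write-mac-secret", b"client-write-key")
    message = b"POST /pay HTTP/1.0\r\n\r\nitem=42&" + b"x" * 20000   # spans two records
    records = client.protect(CT_APPLICATION_DATA, message)
    received = [server.unprotect(r) for r in records]
    roundtrip = (all(ct == CT_APPLICATION_DATA for ct, _ in received)
                 and b"".join(f for _, f in received) == message)
    # an attacker on the path flips one ciphertext byte of the next record
    next_record = client.protect(CT_APPLICATION_DATA, b"amount=10")[0]
    tampered = next_record[:12] + bytes([next_record[12] ^ 0x01]) + next_record[13:]
    ctype, alert = server.unprotect(tampered)
    return {"records": len(records), "roundtrip": roundtrip,
            "alert": (ctype, alert[0], alert[1])}


if __name__ == "__main__":
    print(demo())
```

A real implementation sends the alert record back and, because its severity byte is 2
(fatal), tears the connection down and discards the session; accepting further records
after a MAC failure would let an attacker use the receiver as an oracle.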
2.5.ALERT PROTOCOL
When either the client or the server detects an error, the detecting party
sends an alert message to the other party.
If the error is fatal, both the parties immediately close the SSL connection.
Both the parties also destroy the session identifiers,secrets and keys
associated with this connection before it is terminated.
Other errors,which are not so severe,do not result in the termination of the
connection.Instead,the parties handle the error and continue.
Severity Cause
Byte 1 Byte 2
(Fig).Alert protocol message format.
Each alert message consists of two bytes.The first byte signifies the type
of error.If it is a warning, this byte contains 1.If the error is fatal, this byte
contains 2.The second byte specifies the actual error.
Alert                  Description
Unexpected message     An inappropriate message was received
Bad record MAC         A message was received without a correct MAC
Decompression failure  The decompression function received an improper input
Handshake failure      Sender was unable to negotiate an acceptable set of security
                       parameters from the available options
Illegal parameters     A field in the handshake message was out of range or was
                       inconsistent with the other fields
(fig) Fatal alerts
Alert                    Description
No certificate           Sent in response to a certificate request if an appropriate
                         certificate is not available
Bad certificate          A certificate was corrupt
Unsupported certificate  The type of the received certificate is not supported
Certificate revoked      The signer of a certificate has revoked it
Certificate expired      A received certificate has expired
Certificate unknown      An unspecified error occurred while processing the certificate
Close notify             Notifies that the sender will not send any more messages in this
                         connection. Each party must send this message before closing its
                         side of the connection.
(fig) Non-fatal alerts
Closing SSL Connection
Before ending the SSL connection, the client and the server must inform each other that
their side of the connection is ending.
Each party sends a Close notify alert to the other party. This ensures a graceful closure
of the connection.
When a party receives this alert, it must immediately stop whatever it is doing, send its
own Close notify alert and end the connection from its side as well.
If an SSL connection ends without a Close notify from either party, it cannot be resumed.
2.6.SSL CERTIFICATE
SSL Certificates are small data files that digitally bind a cryptographic key to an
organization’s details. When installed on a web server, it activates the padlock and the
https protocol (over port 443) and allows secure connections from a web server to a
browser. Typically, SSL is used to secure credit card transactions, data transfer and
logins, and more recently is becoming the norm when securing browsing of social media
sites. SSL Certificates bind together:
A domain name, server name or hostname
An organizational identity (i.e. company name) and location
2.7.CREATE SECURE CONNECTION
When a browser attempts to access a website that is secured by SSL, the browser and the
web server establish an SSL connection using a process called an “SSL Handshake”.
Essentially, three keys are used to set up the SSL connection: the public, private, and
session keys. Anything encrypted with the public key can only be decrypted with the
private key, and vice versa.
Because encrypting and decrypting with private and public key takes a lot of processing
power, they are only used during the SSL Handshake to create a symmetric session key.
After the secure connection is made, the session key is used to encrypt all transmitted
data.
1. Browser connects to a web server (website) secured with SSL (https). Browser
requests that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server's public key.
3. Browser checks that the certificate chains to a root in its list of trusted CAs, that
the certificate is unexpired and unrevoked, and that its name (common name or subject
alternative name) matches the website it is connecting to. If the browser trusts the
certificate, it creates a random pre-master secret, encrypts it with the server's public
key and sends it back; both sides derive the symmetric session keys from it.
4. Server decrypts the pre-master secret using its private key, derives the same session
keys and sends back an acknowledgement (the Finished message) encrypted with them
to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session keys.
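The "session key" of step 3 is not sent as such: with RSA key exchange the browser sends a
48-byte pre-master secret, and both sides derive the master secret, and then the
per-direction MAC secrets, keys and IVs, from it together with the two hello randoms of
phase 1. The following Python code, an added example written for these notes and not
taken from them, carries out the SSL 3.0 derivation with the standard library's MD5 and
SHA-1; the randoms and the pre-master secret are constructed values.

```python
# Added example for these notes (not from the original text): how SSL 3.0 turns the
# pre-master secret and the two hello randoms into the master secret and the
# per-direction write keys. All input values are constructed.
import hashlib
import os


def _ssl3_expand(secret: bytes, rand_1: bytes, rand_2: bytes, n_blocks: int) -> bytes:
    """MD5(secret + SHA('A' + secret + rand_1 + rand_2)) ||
       MD5(secret + SHA('BB' + secret + rand_1 + rand_2)) || ..."""
    out = b""
    for i in range(n_blocks):
        label = bytes([ord("A") + i]) * (i + 1)           # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + secret + rand_1 + rand_2).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # three 16-byte MD5 outputs give the 48-byte master secret; client random first
    return _ssl3_expand(pre_master, client_random, server_random, 3)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # for the key block SSL 3.0 puts the server random first
    n_blocks = -(-length // 16)
    return _ssl3_expand(master, server_random, client_random, n_blocks)[:length]


def session_keys(pre_master, client_random, server_random, mac_len=20, key_len=16, iv_len=16):
    """Split the key block in the order the SSL 3.0 specification defines."""
    ms = master_secret(pre_master, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return ms, keys


def demo():
    # Constructed handshake values. A real pre-master secret is 48 bytes whose first two
    # bytes carry the client's version (03 00 for SSL 3.0), sent RSA-encrypted to the server.
    client_random = bytes(range(32))
    server_random = bytes(range(100, 132))
    pre_master = b"\x03\x00" + bytes(46)
    ms_client, keys_client = session_keys(pre_master, client_random, server_random)
    ms_server, keys_server = session_keys(pre_master, client_random, server_random)
    # an eavesdropper sees both randoms but can only guess the pre-master secret
    _, keys_eve = session_keys(b"\x03\x00" + os.urandom(46), client_random, server_random)
    return {
        "master_secret_len": len(ms_client),
        "both_sides_agree": ms_client == ms_server and keys_client == keys_server,
        "eavesdropper_matches": keys_eve == keys_client,
        "keys": keys_client,
    }


if __name__ == "__main__":
    for name, value in demo()["keys"].items():
        print(f"{name:24s} {value.hex()}")
```

Because the randoms travel in the clear, everything in this derivation except the
pre-master secret is known to an eavesdropper; the session keys are only as secret as the
RSA encryption of that one value, which is why a leaked server private key exposes every
recorded session that used RSA key exchange.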
2.8.NEED OF SSL
One of the most important components of online business is creating a trusted
environment where potential customers feel confident in making purchases. Browsers
give visual cues, such as a lock icon or a green bar, to help visitors know when their
connection is secured. If your site collects credit card information you are required by the
Payment Card Industry (PCI) to have an SSL Certificate. If your site has a login section
or sends/receives other private information (street address, phone number, health records,
etc.), you should use SSL Certificates to protect that data.
Your customers want to know that you value their security and are serious about
protecting their information. More and more customers are becoming savvy online
shoppers and reward the brands that they trust with increased business.
2.9.ADVANTAGE AND DISADVANTAGE OF SSL
ADVANTAGE
1.Customers Will Trust Your Website:
The SSL encryption will cause your customer to trust your website as professional and
genuine, knowing that his personal information will be safe when he submits. This will
help to increase the number of submissions that you receive.
2.Avoid Disputes Due to Credit Card Fraud:
If a customer submits his credit card information on your unprotected server and then
experiences identity theft, the first place he will likely suspect is your website. Even if
your website is not the source of the issue, you still may have to deal with a lengthy and
involved dispute process with the customer and his credit card company. If your website
has SSL technology, you are less likely to deal with these types of claims from
customers.
DISADVANTAGE
1. Regular Renewal: Like a website domain and hosting plan, an SSL certificate expires
after a short period of time—usually one to five years. You have to renew the SSL
protection regularly and pay the subscription price again forever in order to keep the
protection. If you forget to renew the SSL protection, your website will display an error
on the user's computer stating that the certificate is not valid.
2. Complex Installation: SSL technology can be difficult to install on a website,
especially for someone who isn't very familiar with website development. The provider
will send you a set of files to install in a certain folder of your web server. You must also
activate the certificate using specific instructions from the provider. The process can be
overwhelming for a beginner, and some trial-and-error may be required to get the
technology to work properly on your website.
2.10.CONCLUSION
SSL is a protocol for secure communication between a web server and a web browser.
The browser's checks on the server's certificate tell the user whether the site it is
connected to is the one it claims to be.
SSL works through three sub-protocols: the Handshake, Record and Alert protocols.
A secure web server obtains an SSL certificate to give users confidence that the website
is genuine and that the connection is protected, for example a banking website.
Chapter 11
1. SET
2. TLS
1.SET:
1.1.Introduction
Electronic commerce, as exemplified by the popularity of the Internet, is going to have an
enormous impact on the financial services industry. No financial institution will be left
unaffected by the explosion of electronic commerce. Even though SSL is extremely
effective and widely accepted as the online payment standard, it requires the customer
and merchant to trust each other: an undesirable requirement even in face-to-face
transactions, and across the Internet it admits unacceptable risks.
Visa and MasterCard and a consortium of 11 technology companies made a promise to
banks, merchants, and consumers: they would make the Internet safe for credit card
transactions and send electronic commerce revenues skyward. With great fanfare, they
introduced the Secure Electronic Transaction protocol for processing online credit card
purchases [1].
1.2.Overview of SET Protocol
Secure payment systems are critical to the success of E-commerce. There are four
essential security requirements for safe electronic payments (Authentication, Encryption,
Integrity and Non -repudiation). Encryption is the key security schemes adopted for
electronic payment systems, which is used in protocols like SSL and SET.
1.3.Problem with SSL
The SSL protocol, widely deployed today on the Internet, has helped create a basic level
of security sufficient for some hardy souls to begin conducting business over the Web.
SSL is implemented in most major Web browsers used by consumers, as well as in
merchant server software, which supports the seller's virtual storefront in cyberspace.
Hundreds of millions of dollars are already changing hands when cybershoppers enter
their credit card numbers on Web pages secured with SSL technology.
In this sense, SSL provides a secure channel between the consumer and the merchant for
exchanging payment information. This means any data sent through this channel is
encrypted, so that no one other than these two parties will be able to read it. In other
words, SSL gives us confidential communications, but it still leaves large risks:
! The cardholder is protected from eavesdroppers but not from the merchant. Some
merchants are dishonest: pornographers have charged more than the advertised price,
expecting their customers to be too embarrassed to complain. Others are simply
criminals who put up a snazzy illegal Web site and profess to be the XYZ Corp., or
impersonate the XYZ Corp., and collect credit card numbers for personal use.
! The merchant is not protected from dishonest customers who supply an invalid
credit card number or who claim a refund from their bank without cause. Contrary to
popular belief, it is not the cardholder but the merchant who has the most to lose from
fraud, since legislation in most countries protects the consumer.
1.4.SET protocol Overview
What we want here is a protocol very similar to credit card transactions at a local store,
something SSL doesn’t mimic in functionality. SET is the one.
Purpose and Entities
Purpose
The purpose of the SET protocol is to establish payment transactions that
! provide confidentiality of information;
! ensure the integrity of payment instructions for goods and services order
data;
! authenticate both the cardholder and the merchant .
Main Entities
There are four main entities in SET:
! Cardholder (customer)
! Merchant (web server)
! Merchant's Bank (payment gateway, acquirer): the payment gateway is a system
operated by the acquirer; sometimes these are two separate entities.
! Issuer (cardholder’s bank)
1.5.How it Works
Both cardholders and merchants must first register with a CA (certificate authority)
before they can buy or sell on the Internet, which we will talk about later. Once
registration is done, cardholder and merchant can start to do transactions, which in
simplified form involve 9 basic steps:
1. Customer browses the website and decides what to purchase.
2. Customer sends order and payment information, which includes 2 parts in one
message:
a. Purchase Order: this part is for the merchant.
b. Card Information: this part is for the merchant's bank only; the merchant cannot
read it.
3. Merchant forwards the card information (part b) to its bank.
4. Merchant's bank checks with the Issuer for payment authorization.
5. Issuer sends authorization to the Merchant's bank.
6. Merchant's bank sends authorization to the merchant.
7. Merchant completes the order and sends confirmation to the customer.
8. Merchant captures the transaction (requests settlement) from its bank.
9. Issuer prints the credit card bill (invoice) for the customer.
1.6.Protocol Overview
SET (Secure Electronic Transaction) is a very comprehensive security protocol,
which utilizes cryptography to provide confidentiality of information, ensure
payment integrity, and enable identity authentication. For authentication purposes,
cardholders, merchants, and acquirers will be issued digital certificates by their
sponsoring organizations.
It relies on cryptography and digital certificates to ensure message confidentiality and
security. The digital envelope is widely used in this protocol. Message data is encrypted
using a randomly generated symmetric key that is in turn encrypted using the recipient's
public key. This encrypted key is referred to as the "digital envelope" of the message and
is sent to the recipient together with the encrypted message. The recipient opens the
digital envelope using its private key and then uses the symmetric key to unlock the
original message.
Digital certificates, which are also called electronic credentials or digital IDs, are
digital documents attesting to the binding of a public key to an individual or entity.
Both cardholders and merchants must register with a certificate authority (CA) before
they can engage in transactions. The cardholder thereby obtains electronic credentials
to prove that he is trustworthy. The merchant similarly registers and obtains credentials.
These credentials do not contain sensitive details such as credit card numbers. Later,
when the customer wants to make purchases, he and the merchant exchange their
credentials. If both parties are satisfied then they can proceed with the transaction.
Credentials must be renewed every few years, and presumably are not available to
known fraudsters.
1.7.SET Cryptography
Overview
Secure Electronic Transactions (SET) relies on the science of cryptography, the
encoding and decoding of messages. There are two primary encryption methods in use
today: secret-key cryptography and public-key cryptography. Secret-key cryptography is
impractical for exchanging messages with a large group of previously unknown
correspondents over a public network. For a merchant to conduct transactions securely
with millions of subscribers, each consumer would need a distinct key assigned by that
merchant and transmitted over a separate secure channel. However, by using public-key
cryptography, that same merchant could create a public/private key pair and publish the
public key, allowing any
consumer to send a secure message to that merchant. This is why SET uses both methods
in its encryption process. The secret-key cryptography used in SET is the well-known
Data Encryption Standard (DES), which is used by financial institutions to encrypt PINs
(personal identification numbers). And the public-key cryptography used in SET is RSA.
In the following section, the usage of symmetric (secret-key) and asymmetric (public-
key) key encryption in SET will be discussed.
Use of Symmetric Key
In SET, message data is encrypted using a randomly generated symmetric key (a 56-bit
DES key). This key, in turn, is encrypted using the message recipient's public key (RSA).
The result is the so called “digital envelope” of the message. This combines the
encryption speed of DES with the key management advantages of RSA public-key
encryption. After encryption, the envelope and the encrypted message itself are sent to
the recipient. After receiving the encrypted data, the recipient decrypts the digital
envelope first using his or her private key to obtain the randomly generated symmetric
key and then uses the symmetric key to unlock the original message.
This level of encryption, using DES, can be easily cracked using modern hardware. In
1993, a brute-force DES cracking machine was designed by Michael Wiener – one which
was massively parallel. For less than a million dollars, a 56-bit DES key could be cracked
in an average time of 3.5 hours. For a billion dollars, a parallel machine can be
constructed that cracks 56-bit DES in a second (Schneier, 1996). Obviously, this is of
great concern since DES encrypts the majority of a SET transaction.
Use of Asymmetric Key – Digital Signature (Message Digests)
In SET, public key cryptography is only used to encrypt DES keys and for
authentication (digital signatures) but not for the main body of the transaction. In SET,
the RSA modulus is 1024 bits in length (using the latest factoring results, it appears that
factoring a 1024-bit modulus would require over 100,000,000,000 MY (MIPS-years) of
computational effort). To generate the digital signature, SET uses a distinct
public/private key pair. Each SET participant possesses two asymmetric key pairs: a
“key exchange” pair, which is used in the process of session key encryption and
decryption, and a “signature” pair for the creation and verification of digital signatures
(160-bit message digests).
The digest algorithm is such that changing a single bit in the message will change, on
average, half of the bits in the message digest. Approximately, the probability of two
messages having the same message digest is one in
1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000, which means it is
computationally infeasible to generate two different messages that have the same
message digest.
RSA-OAEP
RSA-OAEP (RSA Encryption Scheme - Optimal Asymmetric Encryption Padding) was
proposed by Bellare and Rogaway in 1994 and is one of the innovations of SET. The
RSA-OAEP public-key encryption scheme combines the encoding method of OAEP
with the encryption primitive RSA. RSA-OAEP takes a plaintext as input, transforms it
into an encoded message via OAEP and applies RSAEP (the RSA encryption primitive)
to the result (interpreted as an integer) using an RSA public key. RSA-OAEP is intended
to be both efficient and secure and is designed to encrypt only short messages, typically
secret keys for symmetric encryption or MAC algorithms. OAEP ties the security of RSA
encryption closely to that of the basic RSA operation. The version of OAEP used in SET
is a more advanced version of the original scheme. While existing message formatting
methods for RSA encryption have no known flaw, the provable security aspects of OAEP
are very appealing. OAEP is very new but already it is a part of the IEEE P1363
standards effort.
The RSA-OAEP encryption scheme has been proven to be semantically secure against
adaptive chosen-ciphertext attacks in the random oracle model under the RSA
assumption. However, the reduction is not tight, and thus it is not clear what security
assurances the proof provides. It is recommended that RSA-OAEP be modified to RSA-
OAEP+, which has a tighter security reduction and furthermore can be easily modified to
allow encryption of arbitrarily long messages. Furthermore, the RSA-KEM encryption
scheme, which has a tight reduction, should be considered as a replacement for RSA-
OAEP.
Dual Signatures
A new application of digital signatures is introduced in SET, namely the concept of dual
signatures. A dual signature is needed when two messages need to be linked securely
but only one party is allowed to read each. The following picture shows the process of
generating dual signatures.
In SET, dual signatures are used to link an order message sent to the merchant with the
payment instructions containing account information sent to the acquirer (merchant
bank). When the merchant sends an authorization request to the acquirer, it includes the
payment instructions sent to it by the cardholder and the message digest of the order
information. The acquirer uses the message digest from the merchant and computes the
message digest of the payment instructions to check the dual signatures.
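The dual-signature construction and the two verifications described above, as an added example in Python (not code from the SET specification or from these notes). It assumes SHA-1 as the 160-bit digest, a constructed textbook RSA signature key built from two known Mersenne primes (deliberately small and unpadded, for illustration only), and simple byte strings standing in for the OI and PI messages.

```python
"""Dual signature as used in SET: DS = Sign(H(H(PI) || H(OI))).

The merchant receives OI, H(PI) and DS; the acquirer receives PI, H(OI)
and DS. Each side can check the signature without seeing the other's
message. Everything below is constructed for this example.
"""
import hashlib

# --- constructed "signature" key pair (toy, far too small for real use) ---
P = (1 << 127) - 1                    # 2^127 - 1, a known Mersenne prime
Q = (1 << 89) - 1                     # 2^89 - 1, a known Mersenne prime
N = P * Q                             # ~216-bit modulus, larger than a 160-bit digest
E = 65537                             # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def digest(data: bytes) -> bytes:
    """160-bit message digest (SHA-1, the digest length SET specifies)."""
    return hashlib.sha1(data).digest()


def sign(h: bytes) -> int:
    """Textbook RSA signature over a digest; no padding (illustration only)."""
    return pow(int.from_bytes(h, "big"), D, N)


def verify(h: bytes, sig: int) -> bool:
    """Recover the digest from the signature and compare with the expected one."""
    return pow(sig, E, N) == int.from_bytes(h, "big")


def dual_sign(oi: bytes, pi: bytes) -> dict:
    """Cardholder side: build the two bundles that go to merchant and acquirer."""
    oimd, pimd = digest(oi), digest(pi)
    ds = sign(digest(pimd + oimd))        # one signature links both messages
    return {
        "to_merchant": {"OI": oi, "PIMD": pimd, "DS": ds},
        "to_acquirer": {"PI": pi, "OIMD": oimd, "DS": ds},
    }


def merchant_verify(msg: dict) -> bool:
    """Merchant recomputes H(OI) and combines it with the supplied H(PI)."""
    return verify(digest(msg["PIMD"] + digest(msg["OI"])), msg["DS"])


def acquirer_verify(msg: dict) -> bool:
    """Acquirer recomputes H(PI) and combines it with the H(OI) the merchant forwarded."""
    return verify(digest(digest(msg["PI"]) + msg["OIMD"]), msg["DS"])


if __name__ == "__main__":
    # constructed sample messages; the PAN is a placeholder, not a real number
    OI = b"XID=1234;item=book;qty=1;amount=19.99"
    PI = b"XID=1234;pan=[constructed-card-number];exp=12/29;amount=19.99"
    bundle = dual_sign(OI, PI)
    print("merchant accepts:", merchant_verify(bundle["to_merchant"]))
    print("acquirer accepts:", acquirer_verify(bundle["to_acquirer"]))
    # an altered order digest no longer matches the dual signature
    forged = dict(bundle["to_acquirer"], OIMD=digest(b"XID=1234;amount=1999.00"))
    print("acquirer accepts altered OI digest:", acquirer_verify(forged))
```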
1.8.SET Process
The SET protocol utilizes cryptography to provide confidentiality of information, ensure
payment integrity, and enable identity authentication. For authentication purposes,
cardholders, merchants, and acquirers will be issued digital certificates by their
sponsoring organizations. It also uses the dual signature, which hides the customer’s
credit card information from merchants and hides the order information from banks, to
protect privacy.
Process Steps
1) Merchant sends invoice and unique transaction ID (XID).
2) Merchant sends merchant certificate and bank certificate (encrypted with CA’s private key).
3) Customer decrypts certificates, obtains public keys.
4) Customer generates order information (OI) and payment info (PI), encrypted with different session keys and dual-signed.
5) Merchant sends payment request to bank encrypted with bank-merchant session key, PI, digest of OI and merchant’s certificate.
6) Bank verifies that the XID matches the one in the PI.
7) Bank sends authorization request to issuing bank via card network.
8) Bank sends approval to merchant.
9) Merchant sends acknowledgement to customer.
Payment Initialization
The purpose of the payment initialization is to allow the customer to get the certificate
from the merchant. The initialization request is represented as PinitReq, which carries
eight fields of information (Table 1).
Table 1 - Fields in Payment Initialization
Field      Information
RRPID      Request/Response Pair ID
Language   Customer’s Language
LID_C      Customer’s Local ID
[LID_M]    Merchant’s Local ID
Chall_C    Customer’s challenge salt for the freshness of the Merchant’s signature
BrandID    Card Brand (VISA, MasterCard, etc.)
BIN        Bank ID Number
Thumbs     Thumbnails (hashes) of certificates known to the Customer
Before two parties use public-key cryptography to conduct business, each wants to be
sure that the other party is authenticated. One way to be sure that the public key belongs
to the right party is to receive it over a secure channel directly from the same place.
However, in most circumstances this solution is not practical.
An alternative to secure transmission of the key is to use a trusted third party to
authenticate that the public key belongs to Alice. Such a party is known as a Certificate
Authority (CA). Because SET participants have two key pairs, they also have two
certificates. Both certificates are created and signed at the same time by the Certificate
Authority.
1.9.Certificate of Participants
Cardholder certificates
Cardholder certificates function as an electronic representation of the payment card.
Because they are digitally signed by a financial institution, they cannot be altered by a
third party and can only be generated by a financial institution. A cardholder
certificate does not contain the account number and expiration date. Instead, the account
information and a secret value known only to the cardholder’s software are encoded using
a one-way hashing algorithm. If the account number, expiration date, and the secret value
are known, the link to the certificate can be proven, but the information cannot be derived
by looking at the certificate. Within the SET protocol, the cardholder supplies the account
information and the secret value to the payment gateway where the link is verified.
A certificate is only issued to the cardholder when the cardholder’s issuing financial
institution approves it. By requesting a certificate, a cardholder has indicated the intent to
perform commerce via electronic means. This certificate is transmitted to merchants with
purchase requests and encrypted payment instructions. Upon receipt of the cardholder’s
certificate, a merchant can be assured, at a minimum, that the account number has been
validated by the card-issuing financial institution or its agent. In this specification,
cardholder certificates are optional at the payment card brand’s discretion.
Merchant certificates
Merchant certificates function as an electronic substitute for the payment brand decal that
appears in the store window—the decal itself is a representation that the merchant has a
relationship with a financial institution allowing it to accept the payment card brand.
Because they are digitally signed by the merchant’s financial institution, merchant
certificates cannot be altered by a third party and can only be generated by a financial
institution. These certificates are approved by the acquiring financial institution and
provide assurance that the merchant holds a valid agreement with an Acquirer. A
merchant must have at least one pair of certificates to participate in the SET environment,
but there may be multiple certificate pairs per merchant. A merchant will have a pair of
certificates for each payment card brand that it accepts.
Payment Gateway Certificates
Payment gateway certificates are obtained by Acquirers or their processors for the
systems that process authorization and capture messages. The gateway’s encryption key,
which the cardholder gets from this certificate, is used to protect the cardholder’s account
information. Payment gateway certificates are issued to the Acquirer by the payment
brand.
Acquirer Certificates
An Acquirer must have certificates in order to operate a Certificate Authority that can
accept and process certificate requests directly from merchants over public and private
networks. Those Acquirers that choose to have the payment card brand process certificate
requests on their behalf will not require certificates because they are not processing SET
messages. Acquirers receive their certificates from the payment card brand.
Issuer Certificates
An Issuer must have certificates in order to operate a Certificate Authority that can accept
and process certificate requests directly from cardholders over public and private
networks. Those Issuers that choose to have the payment card brand process certificate
requests on their behalf will not require certificates because they are not processing SET
messages. Issuers receive their certificates from the payment card brand.
1.10.SET Certificate Hierarchy
Figure 3 - Hierarchy of Trust: Root Signature -> Brand Signature -> Geo-Political Signature (optional) -> CCA Signature / MCA Signature / PCA Signature -> Cardholder Signature / Merchant Signature / Payment Gateway Signature and Payment Gateway Key Exchange
Registration
Participants Registration
As described in section 1, both the cardholder and the merchant have to register with a
CA before they can do transactions. And the registration processes have to be secure
enough, since these two processes involve sensitive details.
Cardholder Registration
This process comprises 6 messages between two parties: the cardholder and the Issuer (CA).
1. The cardholder initiates a request to the CA.
2. After the CA receives message 1 from the cardholder, the CA replies. The message
includes the CA’s public key-exchange key certificate signed by the root CA, the CA’s
signature certificate and the initial request encrypted using the CA’s private key.
3. The cardholder requests a registration form in this message. He randomly generates a
symmetric key K1, which is used to encrypt the request, and sends this along with a
digital envelope including key K1 and his credit card number.
4. The CA determines the cardholder’s issuing bank by the credit card number and
returns the appropriate form, which is signed by the CA, along with the CA’s
signature certificate.
5. The cardholder generates a public/private signature key pair, two symmetric keys
K2, K3 and a random number S1. He creates a message with his filled registration
form, public key, and K2, and its digital signature. This message is encrypted using
K3 and sent with a digital envelope including K3 and the card number.
6. The CA verifies the information, then issues a digital ID (certificate) to the
cardholder. The CA generates a secret value from the random number S2 generated
by the CA and S1. This secret value, the account number and the expiration date are
further fed into a one-way hash to generate a secret number. The CA signs a
certificate that includes this secret number and the cardholder’s public signature key.
Then the CA sends this certificate encrypted using K2, along with its signature
certificate.
This registration process includes 3 steps. The first two messages obtain the CA’s
public key. Once the cardholder has the CA’s key-exchange key, he can request a
registration form in messages 3 and 4. The certificate is issued in the last 2 messages.
Merchant Registration
The merchant’s registration is simpler than the cardholder’s and comprises 4 messages.
The first two messages are almost the same as the cardholder’s, except that the
registration form is sent in the second message. The merchant has to generate two
public/private key pairs (one for signature, the other for key exchange) instead of the
single pair generated by the cardholder.
Two problems with registration protocol
The registration protocol has been proved to be secure [3]. But there are two risks that
could cause insecurity. The first is that the cardholder is not required to generate a fresh
signature key pair, but may register an old one. There is a risk that the old one could be
compromised. The other problem is the secret value generation mentioned above,
which is the exclusive-OR of numbers (S1, S2) chosen by the two parties. Since
exclusive-OR is invertible, a criminal working for a CA can give every cardholder the
same secret value. This combination introduces some risk that a criminal can impersonate
the cardholder.
These two problems are fixable. The first insecurity can be repaired in the cardholder’s
implementation. The second one can be fixed by replacing exclusive-OR by one-way
hashing.
3.Transport Layer Security(TLS):
The Transport Layer Security (TLS) protocol, Secure Sockets Layer (SSL) protocol,
versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are
based on public key cryptography. The Secure Channel (Schannel) authentication
protocol suite provides these protocols. All Schannel protocols use a client/server model.
In the authentication process, a TLS/SSL client sends a message to a TLS/SSL server,
and the server responds with the information that the server needs to authenticate itself.
The client and server perform an additional exchange of session keys, and the
authentication dialog ends. When authentication is completed, SSL-secured
communication can begin between the server and the client using the symmetric
encryption keys that are established during the authentication process.
For servers to authenticate to clients, TLS/SSL does not require server keys to be stored
on domain controllers or in a database, such as the Microsoft Active Directory directory
service. Clients confirm the validity of a server’s credentials with a trusted root
certification authority’s (CA’s) certificates, which are loaded when you install Microsoft
Windows Server 2003. Therefore, unless user authentication is required by the server,
users do not need to establish accounts before they create a secure connection with a
server.
3.1.History and Standards for TLS and SSL
SSL was developed by Netscape Communications Corporation in 1994 to secure
transactions over the World Wide Web. Soon after, the Internet Engineering Task Force
(IETF) began work to develop a standard protocol that provided the same functionality.
They used SSL 3.0 as the basis for that work, which became the TLS protocol. The
implementation of the TLS protocol in Windows Server 2003 closely follows the
specification defined in Request for Comments (RFC) 2246, The TLS Protocol
Version 1.0. For more information about TLS, see RFC 2246 in the IETF RFC database.
TLS and SSL are most widely recognized as the protocols that provide secure HTTP
(HTTPS) for Internet transactions between Web browsers and Web servers. TLS/SSL can
also be used for other application level protocols, such as File Transfer Protocol (FTP),
Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol
(SMTP). TLS/SSL enables server authentication, client authentication, data encryption,
and data integrity over networks such as the World Wide Web.
3.2.Differences between TLS and SSL
Although there are some slight differences between SSL 3.0 and TLS 1.0, this reference
refers to the protocol as TLS/SSL.
Note
Although their differences are minor, TLS 1.0 and SSL 3.0 are not
interchangeable. If the same protocol is not supported by both parties, the parties
must negotiate a common protocol to communicate successfully.
3.3.TLS Enhancements to SSL
o The keyed-Hashing for Message Authentication Code (HMAC) algorithm
replaces the SSL Message Authentication Code (MAC) algorithm.
HMAC produces more secure hashes than the MAC algorithm. The HMAC
produces an integrity check value as the MAC does, but with a hash function
construction that makes the hash much harder to break. For more information
about the HMAC, see “Hash Algorithms in The Handshake Layer in TLS/SSL
Architecture” in How TLS/SSL Works.
o TLS is standardized in RFC 2246.
o Many new alert messages are added.
o In TLS, it is not always necessary to include certificates all the way back to the
root CA. You can use an intermediary authority.
o TLS specifies padding block values that are used with block cipher algorithms.
RC4, which is used by Microsoft, is a streaming cipher, so this modification is not
relevant.
o Fortezza algorithms are not included in the TLS RFC, because they are not open
for public review. (This is Internet Engineering Task Force (IETF) policy.)
o Minor differences exist in some message fields.
3.4.Benefits of TLS/SSL
TLS/SSL provides numerous benefits to clients and servers over other methods of
authentication, including:
Strong authentication, message privacy, and integrity
Interoperability
Algorithm flexibility
Ease of deployment
Ease of use
Strong authentication, message privacy, and integrity
TLS/SSL can help to secure transmitted data using encryption. TLS/SSL also
authenticates servers and, optionally, authenticates clients to prove the identities of
parties engaged in secure communication. It also provides data integrity through an
integrity check value. In addition to protecting against data disclosure, the TLS/SSL
security protocol can be used to help protect against masquerade attacks, man-in-the-
middle or bucket brigade attacks, rollback attacks, and replay attacks.
Interoperability
TLS/SSL works with most Web browsers, including Microsoft Internet Explorer and
Netscape Navigator, and on most operating systems and Web servers, including the
Microsoft Windows operating system, UNIX, Novell, Apache (version 1.3 and later),
Netscape Enterprise Server, and Sun Solaris. It is often integrated in news readers, LDAP
servers, and a variety of other applications.
Algorithm flexibility
TLS/SSL provides options for the authentication mechanisms, encryption algorithms, and
hashing algorithms that are used during the secure session.
Note
Data can be encrypted and decrypted, but you cannot reverse engineer a hash.
Hashing is a one-way process. Running the process backward will not create the
original data. This is why a new hash is computed and then compared to the sent
hash.
Ease of deployment
Many applications use TLS/SSL transparently on a Windows Server 2003 operating
system. You can use TLS for more secure browsing when you are using Internet Explorer
and Internet Information Services (IIS) and, if the server already has a server certificate
installed, you only have to select the check box.
Ease of use
Because you implement TLS/SSL beneath the application layer, most of its operations
are completely invisible to the client. This allows the client to have little or no knowledge
of the security of communications and still be protected from attackers.
3.5.Limitations of TLS/SSL
There are a few limitations to using TLS/SSL, including:
Increased processor load
This is the most significant limitation to implementing TLS/SSL. Cryptography,
specifically public key operations, is CPU-intensive. As a result, performance varies
when you are using SSL. Unfortunately, there is no way to know how much performance
you will lose. The performance varies, depending on how often connections are
established and how long they last. TLS uses the greatest resources while it is setting up
connections.
Administrative overhead
A TLS/SSL environment is complex and requires maintenance; the system administrator
must configure the system and manage certificates.
3.6.Common TLS/SSL Scenarios
Many people think of TLS and SSL as protocols that are used with Web browsers to
browse the Internet more securely. However, they are also general purpose protocols that
can be used whenever authentication and data protection are necessary. For example, you
can use TLS/SSL for:
SSL-secured transactions with an e-commerce Web site
Authenticated client access to an SSL-secured Web site
Remote access
SQL access
Chapter 12: 1. Timestamping protocol 2. 3-D Secure Protocol 3. E-mail security
1. Time stamp based protocols:
Each transaction is issued a timestamp when it enters the system. If an old transaction Ti
has time-stamp TS(Ti), a new transaction Tj is assigned time-stamp TS(Tj) such that
TS(Ti) < TS(Tj). (The timestamp comes from the system clock or a logical counter.)
The protocol manages concurrent execution such that the time-stamps determine the
serializability order. If TS(Ti) < TS(Tj) then the produced schedule is equivalent to a
serial schedule in which Ti is executed before Tj.
In order to assure such behavior, the protocol maintains for each data item Q two
timestamp values:
o W-timestamp(Q) is the largest time-stamp of any transaction that executed write(Q)
successfully.
o R-timestamp(Q) is the largest time-stamp of any transaction that executed read(Q)
successfully.
The timestamp ordering protocol ensures that any conflicting read and write operations
are executed in timestamp order.
When a transaction is rolled back, the system assigns it a new timestamp and restarts it.
Suppose a transaction Ti issues a read(Q):
o If TS(Ti) < W-timestamp(Q), then Ti needs to read a value of Q that was already
overwritten. Hence, the read operation is rejected, and Ti is rolled back.
o If TS(Ti) ≥ W-timestamp(Q), then the read operation is executed, and
R-timestamp(Q) is set to max(R-timestamp(Q), TS(Ti)).
Suppose that transaction Ti issues write(Q):
1. If TS(Ti) < R-timestamp(Q), then the value of Q that Ti is producing was needed
previously, and the system assumed that that value would never be produced. Hence,
the write operation is rejected, and Ti is rolled back.
2. If TS(Ti) < W-timestamp(Q), then Ti is attempting to write an obsolete value of Q.
Hence, this write operation is rejected, and Ti is rolled back.
3. Otherwise, the write operation is executed, and W-timestamp(Q) is set to TS(Ti).
Example:
A partial schedule for several data items for transactions with timestamps 1, 2, 3, 4, 5.
The timestamp-ordering protocol guarantees serializability since all the arcs in the
precedence graph are of the form:
Thus, there will be no cycles in the precedence graph.
The timestamp protocol ensures freedom from deadlock as no transaction ever waits.
But the schedule may not be cascade-free, and may not even be recoverable.
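The read and write rules above, as an added Python example (not part of the original notes) that runs a constructed schedule through a timestamp-ordering scheduler. Timestamps come from a logical counter assigned at a transaction's first operation, and a rolled-back transaction's remaining operations are skipped rather than restarted with a new timestamp.

```python
"""Timestamp-ordering protocol: R-timestamp/W-timestamp bookkeeping and the
read/write acceptance rules from the notes. Everything here is constructed
for illustration; rule 2 rejects obsolete writes exactly as stated (no
Thomas write rule)."""
import itertools


class Rollback(Exception):
    """A read or write was rejected, so the issuing transaction rolls back."""


class DataItem:
    """A data item Q with its value, R-timestamp(Q) and W-timestamp(Q)."""

    def __init__(self, value=0):
        self.value = value
        self.r_ts = 0   # largest TS of any transaction that read Q successfully
        self.w_ts = 0   # largest TS of any transaction that wrote Q successfully


class TimestampScheduler:
    def __init__(self):
        self.clock = itertools.count(1)   # logical counter: later start, larger TS
        self.items = {}

    def new_timestamp(self):
        return next(self.clock)

    def item(self, name):
        return self.items.setdefault(name, DataItem())

    def read(self, ts, name):
        q = self.item(name)
        if ts < q.w_ts:
            # Ti needs a value of Q that a younger transaction already overwrote
            raise Rollback(f"T{ts} read({name}) rejected: W-timestamp={q.w_ts}")
        q.r_ts = max(q.r_ts, ts)
        return q.value

    def write(self, ts, name, value):
        q = self.item(name)
        if ts < q.r_ts:
            # rule 1: a younger transaction already needed the value Ti produces
            raise Rollback(f"T{ts} write({name}) rejected: R-timestamp={q.r_ts}")
        if ts < q.w_ts:
            # rule 2: Ti is trying to write an obsolete value of Q
            raise Rollback(f"T{ts} write({name}) rejected: W-timestamp={q.w_ts}")
        q.value = value           # rule 3: execute and advance W-timestamp(Q)
        q.w_ts = ts


def run_schedule(ops):
    """Execute operations in arrival order.

    ops: list of (transaction, 'r'|'w', item, value); value is ignored for reads.
    Returns (scheduler, log) where log holds one (transaction, op, item, outcome)
    tuple per operation. After a rollback the transaction's later operations
    are skipped (a real system would restart it with a fresh timestamp).
    """
    sched = TimestampScheduler()
    ts, aborted, log = {}, set(), []
    for txn, op, name, value in ops:
        if txn in aborted:
            log.append((txn, op, name, "skipped: rolled back"))
            continue
        if txn not in ts:                      # TS assigned on first operation
            ts[txn] = sched.new_timestamp()
        try:
            if op == "r":
                sched.read(ts[txn], name)
            else:
                sched.write(ts[txn], name, value)
            log.append((txn, op, name, "ok"))
        except Rollback as why:
            aborted.add(txn)
            log.append((txn, op, name, str(why)))
    return sched, log


if __name__ == "__main__":
    # constructed schedule: T1 starts first (TS=1), T2 second (TS=2)
    schedule = [("T1", "r", "A", None), ("T2", "w", "A", 5),
                ("T1", "w", "A", 7), ("T1", "r", "B", None)]
    _, log = run_schedule(schedule)
    for entry in log:
        print(entry)
```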
2.3-D Secure Protocol:
2.1.How it works
The 3D Secure feature enables the shopper to enter a password to confirm their identity
with the card issuer. If accepted, they then complete their order, and when it is received
by you, you have much more confidence that it is genuine and real.
Please note that all new Solution customers must use the 3D Secure integration. If using
our secure checkout page, this is already done for you.
2.2.Main Key Benefits
Added protection from fraudulent payments
Allows you to trade online more safely
Enhances shopper confidence and spending
Reduces costs from fraudulent chargeback
2.3.Chargeback Liability Shift
If you are enabled for 3D Secure (Verified by Visa and MasterCard SecureCode) you can
be protected from certain "it wasn't me" Chargebacks on credit, and some debit, card
transactions. According to Visa, over 80% of all chargebacks fall into this "friendly"
fraud-related category. Liability for this kind of chargeback passes from the merchant to
the card issuer, even if the card issuer is not a participating member of the scheme, or if
the cardholder is not enrolled.
2.4.What is it?
The 3-D Secure protocol was developed by Visa to improve the security of Internet
payments. The protocol is offered with the service name Verified by Visa. MasterCard
has also adopted a similar protocol called MasterCard SecureCode. Both are designed to
allow authentication of cardholders by their Issuers at participating merchants.
The objective is to benefit all participants by providing Issuers the ability to fully
authenticate cardholders through the use of a password during Internet purchases,
reducing the likelihood of fraudulent usage of Visa and MasterCard credit cards and
improving overall transaction performance.
2.5.What does 3D secure stand for?
3D Secure stands for 3 Domain Secure. The three parties involved in the 3D Secure
process are the following:
1) The Vendor
2) The Acquiring Bank
3) Visa and MasterCard
Please note that 3D Secure does not totally eliminate fraud or chargebacks; therefore
merchants should continue to use their anti-fraud systems and security measures.
2.6.Benefits of 3-D Secure
The combined effect of ease and flexibility of implementation, secure transmission of
account information, and reduced disputes offers the following benefits for all parties
involved:
o Increased consumer confidence, leading to increased sales
o Increased card acceptance through better merchant confidence in accepting
international transactions
o Reduced cardholder disputes, exception handling, retrievals, chargebacks,
re-presentments, write-offs, and associated handling costs
2.7.Benefits for Members
The primary benefit of 3-D Secure for Members is the reduction in disputed transactions
and the resultant exception handling expense and losses. It is expected that nearly 80%
of all e-commerce chargebacks and fraud, and a substantial proportion of customer
complaints, could be eliminated with the use of Authenticated Payment. This will have a
positive impact on Member profitability.
A less tangible, but nevertheless real, benefit is the assurance Members can provide to
their cardholders who are considering e-commerce transactions. Studies indicate that as
many as a third of cardholders are afraid to shop online due to security concerns.
Authenticated Payment may convince prospective e-commerce shoppers that it is safe to
use their card online.
Benefits for Cardholders
o Increased consumer confidence when purchasing on the Internet
o No special software is needed at the cardholder access device
o Easy to use
o Control over card use for online purchases
Benefits for Merchants
o Minimal impact on merchant’s interaction with consumer
o Increased sales by enhancing consumer confidence
o Reduced risk of fraudulent transactions
o Decrease in disputed transactions
3.E-Mail Security:
3.1.Email Security
Electronic mail (email) is perhaps the most popularly used system for exchanging business
information over the Internet (or any other computer network). At the most basic level, the email
process can be divided into two principal components: (1) mail servers, which are hosts that
deliver, forward, and store email; and (2) mail clients, which interface with users and allow users
to read, compose, send, and store email. This document addresses the security issues of mail
servers and mail clients, including Web-based access to mail.
Mail servers and user workstations running mail clients are frequently targeted by attackers.
Because the computing and networking technologies that underlie email are ubiquitous and well-
understood by many, attackers are able to develop attack methods to exploit security weaknesses.
Mail servers are also targeted because they (and public Web servers) must communicate to some
degree with untrusted third parties. Additionally, mail clients have been targeted as an effective
means of inserting malware into machines and of propagating this code to other machines. As a
result, mail servers, mail clients, and the network infrastructure that supports them must be
protected.
3.2. WHAT DOES EMAIL SECURITY INVOLVE?
The three main principles of Information Security involve maintaining the confidentiality,
integrity, and availability of information resources. These three principles can be directly applied
to the area of email security as well.
o Confidentiality of email involves making sure it is protected from unauthorized
access.
o Integrity of email involves a guarantee that it has not been modified or destroyed by
an unauthorized individual.
o Availability of email involves ensuring that mail servers remain on-line and able to
service the user community.
A weakness in any one of these three key areas will undermine the security posture of
an email system and open the door to exploitation.
3.3.Examples of email security issues
To exchange email with the outside world, a requirement for most organizations,
it is allowed through organizations’ network perimeter defences. At a basic level,
viruses and other types of malware may be distributed throughout an organization
via email. Increasingly, however, attackers are getting more sophisticated and
using email to deliver targeted zero-day attacks in an attempt to compromise
users’ workstations within the organization’s internal network.
Given email’s nature of human to human communication, it can be used as a
social engineering vehicle. Email can allow an attacker to exploit an
organization’s users to gather information or get the users to perform actions that
further an attack.
Flaws in the mail server application may be used as the means of compromising
the underlying server and hence the attached network. Examples of this
unauthorized access include gaining access to files or folders that were not meant
to be publicly accessible, and being able to execute commands and/or install
software on the mail server.
Denial of service (DoS) attacks may be directed to the mail server or its support
network infrastructure, denying or hindering valid users from using the mail
server.
Sensitive information on the mail server may be read by unauthorized individuals
or changed in an unauthorized manner.
Sensitive information transmitted unencrypted between mail server and client
may be intercepted. All popular email communication standards default to
sending user names, passwords, and email messages unencrypted.
Information within email messages may be altered at some point between the
sender and recipient.
Malicious entities may gain unauthorized access to resources elsewhere in the
organization’s network via a successful attack on the mail server. For example,
once the mail server is compromised, an attacker could retrieve users’ passwords,
which may grant the attacker access to other hosts on the organization’s network.
Malicious entities may attack external organizations from a successful attack on a
mail server host.
Misconfiguration may allow malicious entities to use the organization’s mail
server to send email-based advertisements (spam).
Users may send inappropriate, proprietary, or other sensitive information via
email. This could expose the organization to legal action.
3.4.Why is SSL important for Exchange Servers?
Exchange servers come with useful remote access features such as Outlook Web
Access, Outlook Anywhere, and ActiveSync. These features allow your users to
access their email from any location with an internet connection by using a web
browser, their laptop, or a mobile device such as a smartphone.
This convenience carries with it some security risks, the most obvious being the
risk of password credentials being compromised.
Operating any of these remote access services without SSL/TLS means that the
connection, including the password credentials, takes place over a plain HTTP
connection. HTTP is the protocol that most websites use. It is fast, stable, and
works through just about any firewall. But HTTP has no built-in security. Every
byte sent over HTTP is unencrypted, so passwords sent over HTTP travel “in the
clear”, readable by anyone running a network sniffer on the path.
Because so much of this remote access occurs from untrusted locations such as
free wireless hotspots, it is critical that SSL be used to protect this traffic.
Chapter 13: 1. WAP 2. IP Security 3. Security in GSM and 3G
1. The WAP Forum
In 1997, Ericsson, Motorola, Nokia, and Unwired Planet formed the WAP
Forum (www.wapforum.org). More than 90 companies in the wireless
telecommunications business are members of the WAP Forum. WAP is the standard
developed by the WAP Forum, a consortium formed by device manufacturers, service
providers, content providers, and application providers. WAP specifies an application
framework and protocols for wireless devices. WAP is a kind of fusion of mobile
networking technologies and Internet technologies.
The WAP Forum’s objectives include:
o To bring Internet content and advanced data services to digital cellular
phones and other wireless terminals.
o To create an interoperable wireless protocol specification that will work
across differing wireless network technologies.
o To enable the creation of content and applications that could scale across
a wide range of wireless bearer networks and device types.
o To embrace and extend existing standards and technologies
The key features provided by WAP include:
o A programming model similar to the Internet
o Wireless Markup Language(WML)
o WMLScript
o Wireless Telephony Application(WTA)
1.1.The WAP Service Model
In the conventional Internet model, the client runs a Web browser, which uses
the underlying Internet protocols to access content residing on a server in the
network; the interaction consists of HTTP request and reply messages. WAP is
based on the same Internet technology, optimized to address the constraints of
wireless links and wireless devices. Services written in HTML do not usually fit
well on small handheld wireless devices because of their small displays, so WAP
uses WML instead. WML pages can also be encoded in a compact binary format to
reduce the amount of data transmitted over the wireless interface.
The WAP service model reveals the presence of a WAP proxy, which is responsible for
protocol conversion and data formatting. It acts as the interface between the wired and
wireless worlds. These two environments have extreme differences, such as available
bandwidth, bit error rates, and storage and processing capabilities. When a mobile device
requests information via the WAP, it is intercepted and interpreted by the WAP proxy,
which then forwards the request via HTTP on behalf of the mobile device to the
appropriate HTTP server in the network. When the proxy receives the information in
response to its earlier request, the information is stored and converted (formatted) to a
form suitable for processing and display on the mobile device using the WAP protocol.
! The user selects an option on their mobile device that has a URL with WML
content assigned to it.
! The phone sends the URL request via the phone network to a WAP gateway, using
the binary encoded WAP protocol.
! The gateway translates this WAP request into a conventional HTTP request for the
specified URL, and sends it on to the Internet.
! The appropriate Web server picks up the HTTP request.
! The server processes the request, just as it would be any other request. If the URL
refers to a static WML file, the server delivers it. If a CGI script is requested, it is
processed and the content returned as usual.
! The Web server adds the HTTP header to the WML content and returns it to the
gateway.
! The WAP gateway compiles the WML into binary form.
! The gateway then sends the WML response back to the phone.
! The phone receives the WML via the WAP protocol.
! The micro-browser processes the WML and displays the content on the screen.
1.2.Adapting to the Restrictions of the Wireless Network
Low Bandwidth
The size of an average HTML page these days, including graphics, is around 20 KB.
With a 56 Kbps modem, the download time for this page is around 3 seconds. As the
bandwidth of a wireless network of the time is around 9.6 Kbps, however, the
download time for the same 20 KB would be around 17 seconds, before making any
allowance for congestion or latency on the network itself. The majority of mobile
users are not aware of access speeds, and they should not have to care about the
differences in access methods to get the same perception of performance. WAP
addresses this bandwidth issue by minimizing the traffic over the wireless
interface: WML and WMLScript are binary encoded into a compact form before they
are transmitted.
Less Connection Stability and Unpredictable Bearer Availability
Wired network access provides a more or less reliable connection to the network. That
is not the case in wireless networks, where the bearer might be inaccessible for
shorter or longer periods of time due to fading, lost radio coverage, or deficient
capacity. If you have ever lost a connection while driving in your car, you know
how frustrating this can be. The architects of the WAP protocol infrastructure took
the problem of connection stability into account when putting together the
specifications, and designed tolerance of interrupted and reestablished connections
into the protocol layers (for example, WSP session resumption and WTP retransmission).
Small Display
Instead of using the flat document structure that HTML provides, WML
structures its document in decks and cards. A card is a single unit of
interaction with the end-user, such as a text screen, a selection list, an input
field, or a combination of those. A card is typically small enough to be
displayed even on a small screen. When an application is executed, the user
navigates through a series of cards-the series of cards used for making an
application is collected in a deck.
Limited Memory and CPU
Wireless devices are usually not equipped with large amounts of memory
or computational power in comparison to desktop computers. The memory
restriction applies to RAM as well as ROM. Even though it is likely that
more memory and more powerful CPUs will be available in the near future,
the relative difference will most probably remain. WAP handles these
restrictions by defining a lightweight protocol stack. The limited set of
functionalities provided by WML and WMLScript makes it possible to
implement browsers that make small claims on computational power and
ROM resources. When it comes to RAM, the binary encoding of WML and
WMLScript helps to keep the amount of RAM used as small as possible.
Development on mobile communication devices. It achieves this through a layered
protocol design, covering protocols at Layer 4 and above. The WAP protocol stack is
independent of the underlying network, which could take the form of GSM, CDMA,
CDPD, iDEN, etc. Hence, WAP is essentially an application stack specification; it is not
network-centric.
Wireless Application Environment (WAE)
Generally, WAE enables a spectrum of applications to be supported over WAP.
WAE has two main elements, namely: (a) user agents, and (b) services and formats.
The former includes the WML and WTA(Wireless Telephone Application) user agents.
The latter consists of WML scripts, image formats, etc. A user agent can take the form
of a Web browser. The WML user agent is responsible for the interpretation of WML
and WMLScript. WAP employs the same addressing model as the Internet, that is, it
uses Uniform Resource Locators (URLs). A URL uniquely identifies an available
resource. WAP also uses Uniform Resource Identifiers (URIs) to address resources that
are not accessed via well-known protocols.
Wireless Session Protocol (WSP)
The WSP provides both connection-oriented and connectionless services. It is
optimized for low-bandwidth networks with relatively long latency. WSP is a binary
version of HTTP version 1.1, but with the additions of : (a) session migrations, (b)
header caching, etc. WAP connection mode allows the establishment of sessions
between a client and the WAP gateway or proxy. It can handle session interruptions as a
result of mobility and reestablish session state at a later point in time. Header caching
allows better bearer utilization, since in HTTP most requests carry the same static
headers, which would otherwise have to be re-sent with every request.
Wireless Transaction Protocol (WTP)
WTP is designed for transaction-style communications on wireless devices. In a
transaction, users express their intentions and financial commitments to service
providers for processing. Very often, such transactions demand reliable, fast, and secure
communications. WTP is a lightweight protocol suitable for implementation in thin
clients. WTP implements selective retransmission of lost segments.
Wireless Transport Layer Security(WTLS)
WTLS is needed for WAP to provide data integrity, privacy, authentication, and some
protection from denial-of-service. It is based on Transport Layer Security (TLS) 1.0,
but optimized for wireless channels (datagram transport, smaller messages). It
provides transport layer security only between a WAP client and the WAP
gateway/proxy: the gateway decrypts WTLS and re-encrypts the traffic with SSL/TLS
towards the origin server, so the gateway operator sees every request and response
in the clear. Digital certificates are used for authentication and nonrepudiation of
server and client, and encryption provides confidentiality.
Wireless Datagram Protocol(WDP)
WDP is the transport layer protocol in WAP. It has the same functionality provided
by the Internet User Datagram Protocol(UDP). Whether WAP uses UDP or WDP,
datagram delivery services are provided by port number functionality and the
characteristics of different bearer services are hidden from the upper layers. WDP can
be extended to provide segmentation and reassembly functions.
2.IP Security:
2.1.Introduction to IPsec
IPsec provides security mechanisms that include secure datagram authentication and
encryption mechanisms within IP. When you invoke IPsec, IPsec applies the security
mechanisms to IP datagrams that you have enabled in the IPsec global policy file.
Applications can invoke IPsec to apply security mechanisms to IP datagrams on a per-
socket level.
Figure 1–1 shows how an IP addressed packet, as part of an IP datagram, proceeds when
IPsec has been invoked on an outbound packet. As you can see from the flow diagram,
authentication header (AH) and encapsulating security payload (ESP) entities can be
applied to the packet. Subsequent sections describe how you apply these entities, as well
as authentication and encryption algorithms.
Figure 1–1 IPsec Applied to Outbound Packet Process
Figure 1–2 shows the IPsec inbound process.
Figure 1–2 IPsec Applied to Inbound Packet Process
2.2.IPsec Security Associations
An IPsec security association (SA) specifies security properties that are recognized by
communicating hosts. These hosts typically require two SAs to communicate securely. A
single SA protects data in one direction. The protection is either to a single host or a
group (multicast) address. Because most communication is peer-to-peer or client-to-
server, two SAs must be present to secure traffic in both directions.
The security protocol (AH or ESP), destination IP address, and security parameter index
(SPI) identify an IPsec SA. The SPI, an arbitrary 32-bit value, is transmitted with each
AH or ESP packet so that the receiver can look up the SA. An integrity check value
carried in the packet authenticates it; if verification fails, the packet is dropped.
Security associations are stored in a security associations database. A socket-based
administration engine, the pf_key interface, enables privileged applications to manage the
database. The in.iked daemon provides automatic key management.
2.3.Key Management
A security association contains the following information:
Material for keys for encryption and authentication
The algorithms that can be used
The identities of the endpoints
Other parameters that are used by the system
SAs require keying material for authentication and encryption. The managing of keying
material that SAs require is called key management. The Internet Key Exchange (IKE)
protocol handles key management automatically. You can also manage keys manually
with the ipseckey command. SAs on IPv4 and IPv6 packets can use automatic key
management.
2.4.Protection Mechanisms
IPsec provides two mechanisms for protecting data:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Both mechanisms have their own Security Association Database (SADB).
Authentication Header
The authentication header provides data authentication, strong integrity, and replay
protection to IP datagrams. AH protects the greater part of the IP datagram. AH cannot
protect fields that change non deterministically between sender and receiver. For
example, the IP TTL field is not a predictable field and, consequently, not protected by
AH. AH is inserted between the IP header and the transport header. The transport header
can be TCP, UDP, ICMP, or another IP header when tunnels are being used.
Authentication Algorithms and the AH Module
IPsec implements AH as a module that is automatically pushed on top of IP. The
/dev/ipsecah entry tunes AH with the ndd command. Future authentication algorithms can
be loaded on top of AH. Current authentication algorithms include HMAC-MD5 and
HMAC-SHA-1. Each authentication algorithm has its own key size and key format
properties.
Security Considerations for AH
Replay attacks threaten an AH when an AH does not enable replay protection. An AH
does not protect against eavesdropping. Adversaries can still see data that is protected
with AH.
Encapsulating Security Payload
The encapsulating security payload (ESP) header provides confidentiality over what the
ESP encapsulates, as well as the services that AH provides. However, ESP only provides
its protections over the part of the datagram that ESP encapsulates. ESP's authentication
services are optional. These services enable you to use ESP and AH together on the same
datagram without redundancy. Because ESP uses encryption-enabling technology, ESP
must conform to U.S. export control laws.
ESP encapsulates its data, so ESP only protects the data that follows its beginning in the
datagram. In a TCP packet, ESP encapsulates only the TCP header and its data. If the
packet is an IP-in-IP datagram, ESP protects the inner IP datagram. Per-socket policy
allows self-encapsulation, so ESP can encapsulate IP options when ESP needs to. Unlike
the authentication header (AH), ESP allows multiple kinds of datagram protection. Using
only a single form of datagram protection can make the datagram vulnerable. For
example, if you use ESP to provide confidentiality only, the datagram is still vulnerable
to replay attacks and cut-and-paste attacks. Similarly, if ESP protects only integrity, ESP
could provide weaker protection than AH. The datagram would be vulnerable to
eavesdropping.
Security Considerations for ESP
An ESP without authentication is vulnerable to cut-and-paste cryptographic attacks and
to replay attacks. When you use ESP without confidentiality, ESP is as vulnerable to
eavesdropping as AH is.
Authentication and Encryption Algorithms
IPsec uses two types of algorithms, authentication and encryption. The authentication
algorithms and the DES encryption algorithms are part of core Solaris installation. If you
plan to use other algorithms that are supported for IPsec, you must install the Solaris
Encryption Kit. The Solaris Encryption Kit is provided on a separate CD.
Authentication Algorithms
Authentication algorithms produce an integrity checksum value or digest that is based on
the data and a key. The man pages for authentication algorithms describe the size of both
the digest and key. The following table lists the authentication algorithms that are
supported in the Solaris operating environment. The table also lists the format of the
algorithms when the algorithms are used as security options to the IPsec utilities and their
man page names.
Protection Policy and Enforcement Mechanisms
IPsec separates its protection policy from its enforcement mechanisms. You can enforce
IPsec policies in the following places:
On a system-wide level
On a per-socket level
IPsec applies the system-wide policy to incoming datagrams and outgoing datagrams.
You can apply some additional rules to outgoing datagrams, because of the additional
data that is known by the system. Inbound datagrams can be either accepted or dropped.
The decision to drop or accept an inbound datagram is based on several criteria, which
sometimes overlap or conflict. Conflicts are resolved by determining which rule is parsed
first. Except when a policy entry states that traffic should bypass all other policy, the
traffic is automatically accepted. Outbound datagrams are either sent with protection or
without protection. If protection is applied, the algorithms are either specific or non-
specific.
The policy that normally protects a datagram can be bypassed. You can either specify an
exception in the system-wide policy, or you can request a bypass in the per-socket policy.
For intra-system traffic, policies are enforced, but actual security mechanisms are not
applied. Instead, the outbound policy on an intra-system packet translates into an inbound
packet that has had those mechanisms applied.
Transport and Tunnel Modes
When you invoke ESP or AH after the IP header to protect a datagram, you are using
transport mode. An example follows. A packet starts off with the following header:
IP header | TCP header | data
ESP, in transport mode, protects the data as follows (the bracketed part is
encrypted, and also authenticated if ESP authentication is enabled):
IP header | ESP header | [TCP header | data | ESP trailer] | ESP authentication data
AH, in transport mode, protects the data as follows (everything except the mutable
IP header fields is covered by the integrity check):
IP header | AH | TCP header | data
The AH integrity check is computed over the IP header (with its mutable fields
treated as zero) as well as the AH and the data that follow it. Consequently, the
protection that is provided by AH, even in transport mode, covers some of the IP header.
When an entire datagram is inside the protection of an IPsec header, IPsec is protecting
the datagram in tunnel mode. Because AH covers most of its preceding IP header, tunnel
mode is usually performed only on ESP. The previous example datagram would be
protected in tunnel mode as follows:
Outer IP header | ESP header | [Inner IP header | TCP header | data | ESP trailer] | ESP authentication data
In tunnel mode, the inner header is protected, while the outer IP header is unprotected.
Often, the outer IP header has different source and different destination addresses from
the inner IP header. The inner and outer IP headers can match if, for example, an IPsec-
aware network program uses self-encapsulation with ESP. Self-encapsulation with ESP
protects an IP header option.
The Solaris implementation of IPsec is primarily an implementation of IPsec in transport
mode. Tunnel mode is implemented as a special instance of the transport mode. The
implementation treats IP-in-IP tunnels as a special transport provider. The ifconfig
configuration options to set tunnels are nearly identical to the options that are available to
socket programmers when enabling per-socket IPsec. Also, tunnel mode can be enabled
in per-socket IPsec. In per-socket tunnel mode, the inner packet IP header has the same
addresses as the outer IP header.
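The following is an added worked example, not code from the course notes or from any IPsec implementation. It builds an AH-protected IPv4 datagram in transport mode with only the Python standard library and demonstrates the two points made above about AH: which IP header fields the integrity check value (ICV) covers (mutable fields such as TTL are zeroed per RFC 4302, so a router hop still verifies while a rewritten destination address does not), and that AH provides replay protection but no confidentiality. HMAC-SHA1-96 is used for the ICV, the anti-replay window is the sliding-window scheme from RFC 4302, and the key, addresses, SPI and payload are constructed test values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51        # IP protocol number of the Authentication Header
TCP_PROTO = 6
ICV_LEN = 12         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number
AH_LEN = AH_FIXED_LEN + ICV_LEN


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=1):
    """20-byte IPv4 header without options; checksum left at 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 rule: fields that legitimately change in transit (TOS, flags, fragment
    offset, TTL, header checksum) are treated as zero for the ICV. Everything else,
    including both addresses, is covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the zeroed IP header, the AH header with a zeroed ICV field, and the payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, payload, ttl=64):
    """Sender side, transport mode: IP header | AH | original transport payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl=ttl)
    # AH payload length field = AH length in 32-bit words minus 2 (RFC 4302 section 2.2)
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


class ReplayWindow:
    """Sliding anti-replay window (RFC 4302 section 3.4.3): the highest sequence number
    accepted so far plus a bitmap of the `size` numbers below it."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                       # the first packet on an SA carries seq 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                   # too old, or already received: a replay
        self.bitmap |= 1 << diff
        return True


def ah_verify(key, window, datagram):
    """Receiver side: drop on ICV mismatch, then drop replays."""
    ip_hdr, ah_fixed = datagram[:20], datagram[20:20 + AH_FIXED_LEN]
    icv = datagram[20 + AH_FIXED_LEN:20 + AH_LEN]
    payload = datagram[20 + AH_LEN:]
    _next, _plen, _rsv, _spi, seq = struct.unpack("!BBHII", ah_fixed)
    if not hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv):
        return False
    return window.check_and_update(seq)


def demo():
    key = b"\x0b" * 20                      # constructed 160-bit HMAC-SHA1 key, not a real SA key
    pkt = ah_protect(key, 0x1000, 1, "10.0.0.1", "10.0.0.2", b"TCP segment", ttl=64)
    hopped = bytearray(pkt)
    hopped[8] -= 1                          # a router decremented the TTL in transit
    redirected = bytearray(pkt)
    redirected[16:20] = IPv4Address("10.0.0.9").packed   # an attacker rewrote the destination
    window = ReplayWindow()
    return {
        "ttl_decremented": ah_verify(key, window, bytes(hopped)),            # True: TTL is mutable
        "replayed": ah_verify(key, window, bytes(hopped)),                   # False: seq 1 seen already
        "dst_rewritten": ah_verify(key, ReplayWindow(), bytes(redirected)),  # False: ICV mismatch
        "payload_visible_on_wire": bytes(hopped)[20 + AH_LEN:],              # AH does not encrypt
    }


if __name__ == "__main__":
    print(demo())
```

The receiver verifies the ICV before consulting the replay window, so a forged packet can never advance the window; a real implementation also performs a preliminary sequence-number check before the (more expensive) HMAC.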
3.GSM Security :
The Purpose of GSM Security: The use of radio communications for transmission to
mobile subscribers makes GSM Public Land Mobile Networks (PLMNs) particularly
exposed to misuse of their resources by unauthorized persons using manipulated Mobile
Stations, who try to impersonate authorized subscribers, and to eavesdropping on the
various information exchanged on the radio path. The security features in a GSM
PLMN are therefore implemented to protect:
• The access to the mobile services.
• Any relevant item from being disclosed at the radio path, mainly in order to ensure the
privacy of user-related information.
Security Features of GSM: several security functions were built into GSM to safeguard
subscriber privacy. These include:
Authentication of the registered subscribers only
Secure data transfer through the use of encryption
Subscriber identity protection
Mobile phones are inoperable without a SIM
Duplicate SIM are not allowed on the network
3.1.Authentication of the registered subscribers:
International Mobile Subscriber identity (IMSI) authentication is the corroboration by
the land- based part of the system that the subscriber identity (IMSI or TMSI), transferred
by the mobile subscriber within the identification procedure at the radio path, is the one
claimed. The purpose of this authentication security feature is to protect the network
against unauthorized use. It enables also the protection of the GSM PLMN subscribers by
denying the possibility for intruders to impersonate authorized users.
3.2.The authentication procedure:
• The mobile station sends its IMSI (or current TMSI) to the network.
• The network receives the IMSI and looks up the corresponding Ki for that IMSI.
• The network generates a 128-bit random number (RAND) and sends it to the mobile
station over the air interface.
• The MS calculates a 32-bit SRES with the A3 algorithm, using the given challenge
(RAND) and the Ki residing in the SIM.
• At the same time, the network calculates the SRES using the same algorithm and the
same inputs.
• The MS sends the SRES to the network.
• The network compares the received SRES with its own value; only a match is accepted.
The authentication is based on a shared secret Ki between the subscriber’s home
network’s HLR and the subscriber’s SIM. This Ki is generated and written to the SIM
card in a secure facility when the SIM card is personalized, and a copy of the key is
placed in the HLR. When a new GSM subscriber turns on his phone for the first time, its
IMSI is transmitted to the AuC on the network. After that, a Temporary Mobile
Subscriber Identity (TMSI) is assigned to the subscriber. The IMSI is rarely
transmitted after this point unless it is absolutely necessary. This prevents a
potential eavesdropper from identifying a GSM user by their IMSI. How long the user
keeps the same TMSI depends on how often location updates occur: every time a
location update occurs, the network assigns a new TMSI to the mobile phone. The TMSI
is stored along with the IMSI in the network. The mobile station uses the TMSI to
report to the network or during call initiation. Similarly, the network uses the TMSI
to communicate with the mobile station. The Visitor Location Register (VLR) performs
the assignment, the administration and the update of the TMSI. When it is switched
off, the mobile station stores the TMSI on the SIM card to make sure it is available
when it is switched on again.
3.3.Encryption of the data
a. Generation of the cipher key Kc
GSM makes use of a ciphering key to protect both user data and signalling on the
vulnerable air interface. Once the user is authenticated, the RAND (delivered from the
network) together with the Ki (from the SIM) is fed through the A8 ciphering key
generating algorithm to produce a ciphering key (Kc). The A8 algorithm is stored on the
SIM card. The Kc created by the A8 algorithm is then used with the A5 ciphering
algorithm to encipher or decipher the data.
Note that the session key is generated in the SIM card of the Mobile Station, and Kc
itself is never sent over the air; the network uses the same Ki, the same RAND and the
same algorithm to generate the same key to decrypt the data. Almost all GSM operators
use one algorithm (called COMP128) for both authentication (A3) and generation of
Kc (A8).
b. Encryption of the data
Encrypted communication is initiated by a ciphering mode request command from the GSM
network. Upon receipt of this command, the mobile station begins encryption and
decryption of data. Each frame in the over-the-air traffic is encrypted with a
different key-stream. The A5 algorithm used to encrypt the data is initialized with
the Kc and the number of the frame to be encrypted, thus generating a different key
stream for every frame. The same Kc is used as long as the MSC does not authenticate
the MS again, in which case a new Kc is generated. In practice, the same Kc may be in
use for days: MS authentication is an optional procedure at the beginning of a call,
and it is usually not performed, so it is very common for Kc not to change between
calls. The A5 algorithm is implemented in the hardware of the mobile phone, as it has
to encrypt and decrypt data on the fly.
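The following is an added example, not code from the course notes or from any GSM implementation. It walks through the challenge-response procedure of section 3.2 and the Kc and per-frame keystream derivation of section 3.3 with both the SIM and the network side modelled. The real A3, A8 and A5 algorithms (COMP128, A5/1) are operator- and vendor-specific and are not reproduced here: a3(), a8() and a5_keystream() are HMAC-SHA256 stand-ins that only keep the interfaces (RAND to 32-bit SRES, RAND to 64-bit Kc, Kc plus frame number to keystream). The IMSI, Ki and RAND are constructed test values.

```python
import hashlib
import hmac
import os


def a3(ki, rand):
    """Stand-in for A3: 128-bit Ki and 128-bit RAND -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for A8: 128-bit Ki and 128-bit RAND -> 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_keystream(kc, frame_number, length):
    """Stand-in for A5: Kc and the 22-bit TDMA frame number -> `length` keystream bytes.
    Because the frame number is an input, every frame gets a different keystream
    even though Kc itself does not change."""
    out, block = b"", 0
    while len(out) < length:
        msg = frame_number.to_bytes(3, "big") + block.to_bytes(2, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


class Sim:
    """The SIM keeps Ki inside the card; only SRES and Kc ever leave it."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class AuC:
    """HLR/AuC: holds the copy of Ki written at personalisation and issues
    (RAND, SRES, Kc) triplets to the MSC/VLR."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi, rand=None):
        ki = self._ki_by_imsi[imsi]
        if rand is None:
            rand = os.urandom(16)          # fresh 128-bit RAND for each authentication
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc, sim, rand=None):
    """One run of the procedure. Returns (accepted, Kc on the network side, Kc on the SIM side)."""
    rand, sres_expected, kc = auc.triplet(sim.imsi, rand)   # network side
    sres, kc_sim = sim.run_gsm_algorithm(rand)              # MS side, after RAND arrives over the air
    if not hmac.compare_digest(sres, sres_expected):        # SRES is all that crosses the air
        return False, None, None
    return True, kc, kc_sim


def demo(rand=bytes.fromhex("00112233445566778899aabbccddeeff")):
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed Ki
    sim = Sim("001010123456789", ki)                        # constructed IMSI
    auc = AuC()
    auc.provision(sim.imsi, ki)

    ok, kc, kc_sim = authenticate(auc, sim, rand)
    clone_ok, _, _ = authenticate(auc, Sim(sim.imsi, bytes(16)), rand)  # same IMSI, wrong Ki

    # Two consecutive frames under the same Kc: different keystreams, and the MS
    # recovers both with the Kc its own SIM derived.
    frames = [b"frame 0 payload", b"frame 1 payload"]
    cipher = [xor(f, a5_keystream(kc, n, len(f))) for n, f in enumerate(frames)]
    plain = [xor(c, a5_keystream(kc_sim, n, len(c))) for n, c in enumerate(cipher)]

    # Without a new authentication the network keeps the same Kc; only a fresh RAND changes it.
    _, kc_again, _ = authenticate(auc, sim, rand)
    _, kc_fresh, _ = authenticate(auc, sim)
    return {
        "accepted": ok,
        "clone_accepted": clone_ok,
        "kc_matches_sim": kc == kc_sim,
        "keystreams_differ": a5_keystream(kc, 0, 15) != a5_keystream(kc, 1, 15),
        "decrypted": plain,
        "kc_unchanged_without_reauth": kc_again == kc,
        "kc_changes_on_reauth": kc_fresh != kc,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: RAND and SRES are the only values that cross the radio path, Ki never leaves the SIM or the AuC, and Kc is derived independently at both ends, which is why a cloned SIM with the wrong Ki fails at the SRES comparison.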
Other security features
Subscriber identity protection: The IMSI (International Mobile Subscriber Identity) is
stored in the SIM card. To ensure subscriber identity confidentiality, the Temporary
Mobile Subscriber Identity (TMSI) is used. The TMSI is sent to the mobile station after
the authentication and encryption procedures have taken place. The mobile station
responds by confirming reception of the TMSI. The TMSI is valid in the location area in
which it was issued. For communications outside the location area, the Location Area
Identification (LAI) is necessary in addition to the TMSI.
Smart card: The smart card is like a microcomputer which has memory, a CPU and an
operating system. By programming the ROM, it can store sensitive data with a very high
security level. So it provides a good way to store the Ki, the IMSI and other sensitive
user data.
Chapter 14: 1. Authentication basics 2. Passwords and authentication tokens 3. Certificate-based authentication
1.Authentication Basics:
1.1.AUTHENTICATION:
An “authentication failed” error message indicates that the authentication process
between your local computer and the remote host computer has failed for some reason.
The most common cause is an incorrect password, usually a typing mistake.
The user name may also be incorrect, so check that both have been typed correctly.
Another possible reason for authentication failure is that the remote host computer has
been configured to require several authentication methods; for example, both password
and public-key authentication may be required for increased security. Even if the
password is typed correctly, some other required authentication method may have failed.
A relatively common situation is one where the remote host computer expects public-key
authentication and the user has not installed the public key on the host. It is also
possible that the user account on the remote host computer has been disabled, or that
the remote host computer is having temporary problems that cause errors in the login
procedure.
Try to connect again and carefully type in your user name and password. If after a
couple of retries you are sure that you have entered both of them correctly, contact the
system administrator of the remote host computer.
Figure: the authentication factors: something that you know, something that you have,
something that you are, and some place where you are.
Authentication can be stated as the method of validating the identity of genuine or authorized
users.
Something that you know:
The very first and foremost are your user-id and password.
Next come personal facts such as your date of birth, your mother’s maiden name, or
your pet’s name.
These are simple to use and require no special hardware; user-id and password continue
to be the most popular method of authentication.
Something that you have:
A physical object in the user’s possession, such as a smart card (the SIM of a GSM
phone is one example), a hardware token, or the private key and certificate used to
produce a digital signature.
Something that you are:
This is an actual physical feature of the user, such as:
Image of the person’s face
Retina or iris
Fingerprints
Hand geometry
Voice (the way the user speaks)
These are natural qualities of the user, which cannot be forgotten or lent to someone
else; on the other hand, unlike a password, they cannot be changed if they are ever
copied.
There are various methods used for this purpose, but the most commonly used is the
login name and password. To keep your authentication method robust, some strict
policies have to be adopted; even so, authentication failure remains one of the ways in
which intruders penetrate systems.
Firstly, passwords have to be properly chosen using all the available rules. If
passwords are stored in a user database in clear text, an intruder who reads the
database obtains them directly. Another example of authentication failure is a fake
login program run on a terminal, which captures the credentials the user types.
One more form of authentication attack comes from remote login programs. Protocols
like rlogin and telnet are vulnerable, since they transmit credentials in the clear and
allow unlimited attempts: if these are available on your host, intruders may keep
retrying until they are lucky and get a chance to penetrate the system. Hence it is
normally advised to turn off such remote login features for added security.
Most attacks that take place result from some authentication failure. The term
authentication race, however, refers to the tactic of beating a one-time password
scheme of the kind used by many security systems.
Usually a one-time password is a good technique for ensuring that a password, even if
intercepted and understood, is of no further use, since it is not going to be used
again. Eavesdroppers who can easily pick up a plain password on an unencrypted session
may nevertheless take a shot at one-time passwords too.
Assume a password that contains only digits and is of known length. The attacker
initiates ten connections to the desired service. Each connection is waiting for the
same unknown password. The valid user connects and starts typing the correct password.
The attack program watches this, and relays the correct characters to its ten
connections as they are typed. When only one digit remains to be entered, the program
sends a different digit to each of its connections before the valid user can type the
last digit. Because the computer is faster, it wins the race, and one of the
connections is validated. These authentication schemes often allow only a single login
with each password, so the valid user will be rejected and will have to try again. Of
course, in this case the attacker needs to know the length of the password and must be
able to observe the session in the clear.
2.Passwords & Authentication tokens:
2.1.Intruders: Significant issue for networked systems is hostile or unwanted access
Either via network or local
can identify classes of intruders:
Masquerader
Misfeasor
Clandestine user
Varying levels of capability
clearly a growing publicized problem
from “Wily Hacker” in 1986/87
to clearly escalating CERT stats
may seem benign, but still cost resources
there is no way in advance to know whether an intruder will be benign or malign
may use compromised system to launch other attacks
awareness of intruders has led to the development of CERTs
2.2.Intrusion Techniques:
Aim to gain access and/or increase privileges on a system
Basic attack methodology
target acquisition and information gathering
initial access
privilege escalation
covering tracks
key goal often is to acquire passwords
so then exercise access rights of owner
Password Guessing:
one of the most common attacks
attacker knows a login (from email/web page etc)
then attempts to guess password for it
defaults, short passwords, common word searches
user info (variations on names, birthday, phone, common words/interests)
exhaustively searching all possible passwords
check by login or against stolen password file
success depends on the password chosen by the user; surveys show many users choose poorly
2.3.Password Capture:
Another attack involves password capture:
– watching over the shoulder as the password is entered
– using a trojan horse program to collect it
– monitoring an insecure network login, eg. telnet, FTP, web, email
– extracting recorded info after a successful login (web history/cache, last number dialed etc)
Using the valid login/password, the attacker can impersonate the user. Users need to be educated
to use suitable precautions/countermeasures.
2.4.Password Management:
Passwords are the front-line defense against intruders. Users supply both:
– login – determines the privileges of that user
– password – to authenticate them
Passwords are usually not stored in the clear but as a one-way transformation: traditional Unix
crypt(3) applies a DES variant 25 times, with a salt, and more recent systems use a cryptographic
hash function (ideally a slow, salted one). The password file on the system should be protected
(e.g. kept in a shadow file readable only by root).
2.5.Password Study:
– Purdue 1992 - many short passwords
– Klein 1990 - many guessable passwords
The conclusion is that users choose poor passwords too often; some approach is needed to counter this.
Managing Passwords:
Education:
Policies and good user education can be used: educate on the importance of good passwords and
give guidelines for good passwords:
– minimum length (>6 in these guidelines; current guidance such as NIST SP 800-63B asks for at least 8)
– require a mix of upper & lower case letters, numbers, punctuation
– not dictionary words
These guidelines are generally ignored by many users.
2.6.Computer Generated:
Let the computer create passwords. If random, they are likely not memorisable and so will be
written down (sticky label syndrome); even pronounceable ones are not remembered. Such schemes
have a history of poor user acceptance. FIPS PUB 181 (Automated Password Generator) is one of the
best known generators; it has both a description and sample code, and generates words by
concatenating random pronounceable syllables.
2.7.Reactive Checking:
Reactively run password guessing tools against the stored passwords; note that good dictionaries
exist for almost any language/interest group. Cracked passwords are disabled. But this is resource
intensive, and bad passwords are vulnerable until found.
2.8.Proactive checking:
The most promising approach to improving password security: allow users to select their own
password, but have the system verify that it is acceptable, by:
– simple rule enforcement (see the guidelines above)
– comparing against a dictionary of bad passwords
– using an algorithmic approach (Markov model or Bloom filter) to detect poor choices compactly,
without storing the whole dictionary on the login host
3.Certificate based authentication:
3.1.X.509 Authentication Service:
X.509 is part of the CCITT X.500 directory service standards: distributed servers maintaining a
user info database. It defines a framework for authentication services: the directory may store
public-key certificates, each containing the public key of a user signed by a certification
authority. It also defines authentication protocols, which use public-key crypto & digital
signatures. The algorithms are not standardised, but RSA is recommended. X.509 certificates are
widely used (e.g. in TLS, S/MIME and IPsec/IKE).
3.2.X.509 Certificates:
Certificates are issued by a Certification Authority (CA), and contain:
– version (1, 2, or 3)
– serial number (unique within the CA) identifying the certificate
– signature algorithm identifier
– issuer X.500 name (the CA)
– period of validity (from - to dates)
– subject X.500 name (name of the owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of the hash of all the other fields in the certificate, made with the CA's private key)
The notation CA<<A>> denotes the certificate for A signed by CA.
Obtaining a Certificate:
Any user with access to the CA can get any certificate from it, and only the CA can modify a
certificate. Because certificates cannot be forged (anyone can verify the CA's signature, but only
the CA can produce it), they can be placed in a public directory.
CA Hierarchy:
If both users share a common CA then they are assumed to know its public key; otherwise the CAs
must form a hierarchy, using certificates linking members of the hierarchy to validate other CAs.
Each CA has certificates for its clients (forward) and for its parent (backward); each client
trusts its parent's certificates. This enables verification of any certificate from one CA by the
users of all other CAs in the hierarchy, by following a chain of certificates from a trusted CA to
the target certificate.
Certificate Revocation:
Certificates have a period of validity, but may need to be revoked before expiry, eg. when:
1. the user's private key is compromised
2. the user is no longer certified by this CA
3. the CA's certificate is compromised
CAs maintain a list of revoked certificates, the Certificate Revocation List (CRL), which is itself
signed by the CA; users should check certificates against the CA's CRL before trusting them.
Authentication Procedures:
X.509 includes three alternative authentication procedures, all using public-key signatures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
One-Way Authentication:
1 message (A->B), used to establish:
– the identity of A and that the message is from A
– that the message was intended for B
– the integrity & originality (freshness) of the message
The message must include a timestamp, a nonce and B's identity, and is signed by A. It may
include additional info for B, eg. a session key.
Two-Way Authentication:
2 messages (A->B, B->A), which in addition establish:
– the identity of B and that the reply is from B
– that the reply is intended for A
– the integrity & originality of the reply
The reply includes the original nonce from A, and also a timestamp and nonce from B. It may
include additional info for A.
Three-Way Authentication:
3 messages (A->B, B->A, A->B), which enable the above authentication without synchronized
clocks: a final reply from A back to B contains a signed copy of the nonce from B, which means
that the timestamps need not be checked or relied upon.
3.3.X.509 Version 3:
It was recognised that additional information is needed in a certificate: email/URL, policy
details, usage constraints. Rather than explicitly naming new fields, a general extension method
was defined. Each extension consists of:
– an extension identifier
– a criticality indicator (if set, a verifier that does not recognise the extension must reject
the certificate)
– an extension value
Certificate Extensions:
– key and policy information: convey info about the subject & issuer keys, plus indicators of
certificate policy
– certificate subject and issuer attributes: support alternative names, in alternative formats,
for the certificate subject and/or issuer
– certificate path constraints: allow constraints on the use of certificates by other CAs
Chapter 15: 1. Security handshake pitfalls 2. Single Sign On (SSO) 3. Biometric authentication
1. Security handshake pitfalls:
During the handshake phase communication parameters are negotiated and initial information is
exchanged. Some of this information is secret (e.g. the password), some is not (e.g. the user
names).
To cope with different types of threats, individual protocols have different strengths and
weaknesses:
– Some threats are more likely in some situations.
– Availability of resources may differ:
· Computational power
· Specialized hardware
– Humans and computers may behave differently.
– Protocols themselves may be flawed.
Login Only:
Many protocols were designed for environments where eavesdropping was not a concern.
Authentication in such protocols consists of:
1. Alice sends her name and password to Bob.
2. Bob verifies the name and password, and then communication commences, without any
further attention to security.
A very common enhancement to such a protocol is to replace the transmission of the cleartext
password with a cryptographic challenge/response.
Login only / shared secret:
Alice sends "I'm Alice"; Bob replies with a random challenge R; Alice returns f(K_AB, R), a value
computed from R with the secret K_AB she shares with Bob (e.g. a keyed hash, or R encrypted under
K_AB); Bob recomputes the value and compares.
This would be a big improvement over cleartext passwords. An eavesdropper cannot impersonate
Alice based on overhearing the exchange, since next time there will be a different challenge.
However, there are some weaknesses to this protocol:
– Authentication is not mutual.
– If this is the entire protocol, then Trudy can hijack the conversation after the initial exchange.
– An eavesdropper could mount an off-line password-guessing attack: having seen R and
f(K_AB, R), she can try candidate passwords until one reproduces the response, with no further
contact with Bob and therefore no lockout or rate limit.
– Someone who has access to Bob's database can impersonate Alice.
A variant reverses the roles of the two values: Bob sends K_AB{R} (R encrypted under the shared
key) and Alice returns the decrypted R. This protocol has only minor security differences from the
previous one:
– This protocol requires reversible cryptography, for example a secret key cryptographic
algorithm, rather than just a hash.
– If R is a recognizable quantity (e.g. it has a known structure), Trudy can mount a
password-guessing attack without eavesdropping by merely sending the message "I am Alice" and
obtaining K_AB{R}, which she can then attack off-line.
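The shared-secret challenge/response exchange and the off-line guessing attack on it, as an added example that is not part of the notes. f(K_AB, R) is taken to be HMAC-SHA256 with a key derived from the password by a single fast hash, as many legacy protocols do; the user, password and word list are constructed for the demonstration.

```python
"""Challenge/response login with a shared secret, plus Trudy's off-line
dictionary attack on an eavesdropped (R, f(K,R)) pair. Added example;
the key derivation and sample data are assumptions."""
import hashlib
import hmac
import os


def derive_key(password: str) -> bytes:
    # assumption: K_AB = hash(password) with no salt and no work factor,
    # which is exactly what makes each off-line guess cheap
    return hashlib.sha256(password.encode()).digest()


def f(key: bytes, challenge: bytes) -> bytes:
    """f(K_AB, R): keyed hash of the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Bob:
    """Server: holds K_AB per user (so reading this database = impersonation)."""

    def __init__(self, passwords: dict):
        self.keys = {user: derive_key(pw) for user, pw in passwords.items()}
        self.pending = {}  # outstanding challenge per user

    def challenge(self, user: str) -> bytes:
        r = os.urandom(16)  # fresh R each time, so a captured response is useless later
        self.pending[user] = r
        return r

    def verify(self, user: str, resp: bytes) -> bool:
        r = self.pending.pop(user, None)  # a challenge can be answered only once
        if r is None or user not in self.keys:
            return False
        return hmac.compare_digest(f(self.keys[user], r), resp)


def alice_login(bob: Bob, user: str, password: str):
    """Alice's side; returns what the eavesdropper sees (R, response) and the outcome."""
    r = bob.challenge(user)
    resp = f(derive_key(password), r)
    return r, resp, bob.verify(user, resp)


def offline_guess(challenge: bytes, observed: bytes, wordlist):
    """Trudy: recompute f(hash(guess), R) for each guess until it matches.
    Bob is never contacted, so no lockout or rate limit applies."""
    for guess in wordlist:
        if hmac.compare_digest(f(derive_key(guess), challenge), observed):
            return guess
    return None


if __name__ == "__main__":
    bob = Bob({"alice": "sunshine"})
    r, resp, ok = alice_login(bob, "alice", "sunshine")
    print("login accepted:", ok)
    print("replay accepted:", bob.verify("alice", resp))
    print("recovered password:", offline_guess(r, resp, ["123456", "password", "sunshine"]))
```

The replay fails because R is never reused, which is the improvement over cleartext passwords; the off-line attack succeeds because nothing slows down a guess, which is the weakness the text lists. Deriving K_AB with a slow, salted KDF raises the cost per guess but does not remove the attack.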
A further modification removes the challenge: Alice sends "I'm Alice, K_AB{timestamp}" in a
single message. This requires Bob and Alice to have synchronized clocks. The properties of this
modification include:
– It can be added very easily to a protocol designed for sending cleartext passwords, since it
does not add any additional messages.
– The protocol is now more efficient. The server does not have to keep any transient state
information about Alice.
– Someone eavesdropping can replay Alice's K_AB{timestamp} (albeit only within the small time
interval Bob accepts, and only if Bob does not remember timestamps he has already seen).
– Another potential security pitfall occurs if there are multiple servers for which Alice uses
the same secret K_AB: an eavesdropper who acts quickly can use Alice's encrypted
timestamp field, and impersonate Alice on a different server.
Requirements and disadvantages of the discussed protocols:
– They require a secret key cryptography algorithm, and therefore shared secret keys.
– Trudy can impersonate Alice if she can read Bob's database.
These weaknesses can be avoided if the protocol is based on public key technology.
Login Only / One-Way Public Key:
This protocol is based on a public key and is similar to the first challenge/response protocol:
Alice sends "I'm Alice"; Bob replies with a random challenge R; Alice returns [R]_Alice, i.e. R
signed with her private key. Bob verifies the signature using her public key and accepts the login
if the result matches R.
Properties of this protocol:
– Reading Bob's database is no longer a potential security threat (it holds only public keys),
but it must be protected from unauthorized modification.
– If you can impersonate Bob's network address you can trick Alice into signing something (wait
for Alice to try to log in and then give her your quantity as the challenge).
A variant uses encryption instead of signing: Bob sends {R}_Alice, R encrypted with Alice's public
key, and Alice returns the decrypted R. Properties of this protocol:
– Requires a reversible public key algorithm.
– If you can impersonate Bob's network address you can trick Alice into decrypting something
(wait for Alice to try to log in and send the encrypted message as the challenge).
Solution:
– A message should have a structure so that it cannot be mistaken for another type: the
challenge is bound to a fixed format or context before it is signed or decrypted, so a signed
challenge cannot be passed off as a signed document, and a decrypted challenge cannot be a
ciphertext of anything else.
Login Only / Lamport's Hash:
Lamport's Hash:
– An interesting one-time password scheme.
– It allows Bob to authenticate Alice in a way that neither eavesdropping on an authentication
exchange nor reading Bob's database enables someone to impersonate Alice.
– No need for public key cryptography.
Requirements:
– Alice remembers a password; Alice is a human.
– Bob (the server) has a database; for each user it stores:
· username,
· n, decremented each time the user authenticates herself,
· hash^n(Password), i.e. hash(hash(...(hash(Password))...)) applied n times.
Initialization of a password:
– Alice chooses a password.
– The workstation of Alice chooses the number n, computes hash^n(Password), and sends
<username, n, hash^n(Password)> to Bob.
Authentication of a user:
– Alice enters her username and password.
– Her workstation sends the name to Bob, which returns n.
– The workstation computes hash^(n-1)(Password) and sends the result to Bob.
– Bob takes the received value and hashes it once, and compares it with its database. In case
of a match Bob considers the response valid, replaces the stored quantity with the received
quantity, and replaces n by n-1.
Setting up a new password:
– If n = 1 Alice needs to set her password again (hash^0(Password) would be the password itself).
– In many situations it suffices to choose a new password, compute hash^n(new Password),
and transmit hash^n(new Password) and n to Bob.
– An enhancement is to add a salt value to the password (like in the UNIX password
environment), with the same advantages: the same password yields different chains on different
servers, and a stolen value cannot be matched against precomputed tables.
– Another advantage of salt is that Alice will not need to change her password if n = 1: she
can keep the password and start a new chain under a different salt.
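The scheme above with both sides in code, as an added example that is not part of the notes. SHA-256 is used as the hash, the chain starts from salt || password, and the chain is restarted under a fresh salt when n reaches 1; these details and the sample user are assumptions for illustration.

```python
"""Lamport's hash one-time passwords: server and workstation sides.
Added example; hash choice and salt handling are assumptions."""
import hashlib
import os


def h(data: bytes) -> bytes:
    """One application of the hash."""
    return hashlib.sha256(data).digest()


def hash_chain(password: str, salt: bytes, n: int) -> bytes:
    """hash^n(salt || password)."""
    value = salt + password.encode()
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Bob: stores <username, salt, n, hash^n(...)>; never sees the password."""

    def __init__(self):
        self.db = {}

    def set_password(self, user: str, salt: bytes, n: int, hash_n: bytes) -> None:
        self.db[user] = {"salt": salt, "n": n, "value": hash_n}

    def begin_login(self, user: str):
        rec = self.db[user]
        return rec["n"], rec["salt"]

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.db[user]
        # refuse when the chain is exhausted; otherwise one more hash must equal the stored value
        if rec["n"] <= 1 or h(response) != rec["value"]:
            return False
        rec["value"] = response  # the received hash^(n-1) becomes the new stored value
        rec["n"] -= 1
        return True


class Workstation:
    """Alice's side: holds the password only while she is typing it."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.password = password

    def enroll(self, server: Server, n: int = 1000) -> None:
        salt = os.urandom(8)
        server.set_password(self.user, salt, n, hash_chain(self.password, salt, n))

    def login(self, server: Server) -> bytes:
        n, salt = server.begin_login(self.user)
        if n <= 1:
            # chain exhausted: with a salt the password can stay, new chain, new salt
            self.enroll(server)
            n, salt = server.begin_login(self.user)
        response = hash_chain(self.password, salt, n - 1)  # this is what travels on the wire
        if not server.verify(self.user, response):
            raise PermissionError("login rejected")
        return response


if __name__ == "__main__":
    srv = Server()
    ws = Workstation("alice", "correct horse battery")
    ws.enroll(srv, n=3)
    r1 = ws.login(srv)
    print("replay of captured response accepted:", srv.verify("alice", r1))
    print("stored value accepted as response:", srv.verify("alice", srv.db["alice"]["value"]))
```

An eavesdropper who captures hash^(n-1) cannot produce hash^(n-2), and a reader of Bob's database who knows hash^n cannot produce hash^(n-1), which are the two properties the text claims; the example shows both attempts being rejected. Note that the scheme still authenticates only Alice, not Bob.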
2.Single Sign on:
What is single sign on?
Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a
user to enter the same id and password once to log on to multiple applications within an
enterprise. Because passwords are a weak authentication mechanism, single sign on has now also
become known as reduced sign on (RSO), since more than one type of authentication mechanism is
used according to the enterprise's risk models.
For example, in an enterprise using SSO software, the user logs on with their id and password.
This gains them access to low risk information and multiple applications such as the enterprise
portal. However, when the user tries to access higher risk applications and information, like a
payroll system, the single sign on software requires them to use a stronger form of
authentication (step-up authentication). This may include digital certificates, security tokens,
smart cards, biometrics or combinations thereof.
Single sign on can also take place between enterprises using federated authentication. For
example, a business partner's employee may successfully log on to their enterprise system. When
they click on a link to your enterprise's application, the business partner's single sign on system
will provide a security assertion token to your enterprise using a protocol like SAML, Liberty
Alliance, WS-Federation or Shibboleth. Your enterprise's SSO software receives the token, checks
its signature, issuer and validity period, and then allows the business partner's employee to
access your enterprise application without having to sign on.
Single sign on federated authentication also works with your employees. For example, an
employee who is trying to access your outsourced benefits supplier to update their benefits
information would click on the benefits link on your intranet. Your enterprise's single sign on
software would then send a security assertion token to the benefits supplier. The benefits
supplier's SSO system would then take the token, check it and grant access to your employee
without making them sign on.
Single Sign On Benefits
Single sign on benefits are:
Ability to enforce uniform enterprise authentication and/or authorization policies across
the enterprise
End to end user audit sessions to improve security reporting and auditing
Removes application developers from having to understand and implement identity
security in their applications
Usually results in significant password help desk cost savings
Since HTTP is stateless, the single sign on software must check every request from the user's
browser to see if there is an authentication policy pertaining to the resource or application the
user is trying to access. In a medium to large enterprise, this means that every time the user
clicks on a different URL, there is traffic between the user's browser, the web or application
servers and the security server. This traffic can become large and cumbersome from a performance
perspective. Therefore, most single sign on systems use LDAP (Lightweight Directory Access
Protocol) directories to store the authentication and authorization policies. LDAP directories are
built for high performance lookups, thus addressing the high traffic load. Further, the LDAP
directories are often also the source against which the single sign on system authenticates users.
Single sign on systems in medium to large enterprises can become a single point of enterprise
failure if not properly designed. If the single sign on system goes down but the applications
remain up, no user can access any resource or application protected by the SSO system. Many
enterprises have experienced this painful condition resulting in productivity loss. Therefore, it is
essential that your enterprise single sign on system have a good and well tested failover and
disaster recovery design.
Finally, single sign on systems in medium to large enterprises require good identity data
governance. The enterprise security features offered by the single sign on system are only as
good as the underlying identity data. Thus it is critical that all enterprise identity data have
good, quick business processes that pick up on any change to an identity, such as new identity
creation, identity termination or role changes. Without this, enterprise SSO systems are
vulnerable to creating enterprise security holes: a terminated employee whose SSO identity is not
disabled keeps access to every application behind it.
Components of Single Sign-On
Single Sign-On has two components:
Login Server
Single Sign-On Application Programming Interface (API)
Login Server
The first time that a user seeks access to an application, the Login Server:
Authenticates the user by means of user name and password
Passes the client's identity to the various applications
Marks the client being authenticated with an encrypted login cookie
In subsequent user logins, this login cookie provides the Login Server with the user's identity,
and indicates that authentication has already been performed. If there is no login cookie, then the
Login Server presents the user with a login challenge.
To guard against sniffing, the Login Server can send the login cookie to the client browser over
an encrypted SSL channel.
The login cookie expires with the session, either at the end of a time interval specified by the
administrator, or when the user exits the browser. It is never written to disk.
A partner application can expire its session through its own explicit logout.
Single Sign-On Application Programming Interface (API)
The Single Sign-On API enables:
Applications to communicate with the Login Server and to accept a user's identity as
validated by the Login Server
Administrators to manage the application's association to the Login Server
Single Sign-On Application Types
There are two kinds of applications to which Single Sign-On provides access:
Partner Applications
External Applications
Partner Applications
Partner applications are integrated with the Login Server. They contain a Single Sign-On API
that enables them to accept a user's identity as validated by the Login Server.
External Applications
External applications are web-based applications that retain their authentication logic. They do
not delegate authentication to the Login Server and, as such, require a user name and password to
provide access. Currently, these applications are limited to those which employ an HTML form
for accepting the user name and password. The user name may be different from the SSO user
name, and the Login Server provides the necessary mapping.
Single Sign-On Authentication Methods
Single Sign-On can use one of these authentication methods:
Local user authentication: Uses a lookup table within the Login Server schema. This table
contains user name, password, Login Server privilege level, and other auditing fields for the
user. The incoming password is one-way hashed and compared to the entry in the table.
External repository authentication: Typically relies on an LDAP-compliant directory. In this
case, the Login Server binds to the LDAP-compliant directory, then looks up the user credentials
stored there. External authentication includes LDAP and Database Authentication and any others
that may be custom-developed.
How Single Sign-On Works
Whenever a user accesses either a partner application or an external application, the Login
Server first authenticates that user.
This section contains these topics:
Authenticating to the Login Server
Accessing a Partner Application
Accessing an External Application
Authenticating to the Login Server
The Login Server authenticates a user in this way:
Accessing a Partner Application
When a user seeks access to a partner application, the following steps occur:
Partner Application Development Requirement
To implement an authentication check:
1. Protected URLs need to check for an application session cookie for authorization.
2. If no application session cookie exists, then the browser redirects the user to the
Single Sign-On server.
3. If the URL is publicly accessible, then no authorization check is implemented.
To implement a sign-on URL:
1. This URL must establish an application session cookie using the identity
information sent by the Single Sign-On server (after verifying that the information really
came from the Single Sign-On server and is fresh).
2. The browser then redirects the user to the originally requested URL.
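The partner-application side of this check, as an added example: a generic implementation of the two requirements above, not Oracle's Login Server API. The HMAC-signed cookie and assertion formats, the key values, the SSO URL, the paths and the helper names are assumptions for illustration; the SSO server's part is simulated so the example runs offline.

```python
"""Partner application: protected-URL check and sign-on URL for an SSO
login server. Added example; formats, keys and paths are assumptions."""
import base64
import hashlib
import hmac
import json

APP_SESSION_KEY = b"partner-app-cookie-key"       # constructed; per-application secret
SSO_SHARED_KEY = b"sso-to-partner-shared-key"     # constructed; shared with the SSO server
SSO_LOGIN_URL = "https://sso.example.test/login"  # hypothetical
PUBLIC_PATHS = {"/", "/help"}
SESSION_TTL = 3600      # seconds the application session cookie stays valid
ASSERTION_MAX_AGE = 60  # seconds an SSO identity assertion is accepted for


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _pack(key: bytes, data: dict) -> str:
    """JSON payload followed by its HMAC, base64url encoded."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _sign(key, payload)).decode()


def _unpack(key: bytes, token: str):
    """Return the dict if the MAC verifies, otherwise None (tampered or garbage)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-32], raw[-32:]
        if len(mac) != 32 or not hmac.compare_digest(_sign(key, payload), mac):
            return None
        return json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None


def sso_server_assertion(user: str, requested_url: str, now: int) -> str:
    """Simulated SSO server: identity information it sends after authenticating the user."""
    return _pack(SSO_SHARED_KEY, {"user": user, "requested_url": requested_url, "iat": now})


def handle_request(path: str, cookies: dict, now: int) -> dict:
    """Steps 1-3: public URLs pass; protected URLs need a valid, unexpired
    application session cookie, otherwise redirect to the SSO server."""
    if path in PUBLIC_PATHS:
        return {"status": 200, "user": None}
    session = _unpack(APP_SESSION_KEY, cookies.get("APP_SESSION", ""))
    if session is None or session["exp"] <= now:
        return {"status": 302, "location": f"{SSO_LOGIN_URL}?requested_url={path}"}
    return {"status": 200, "user": session["user"]}


def handle_sign_on(assertion: str, now: int) -> dict:
    """Sign-on URL: verify the identity information came from the SSO server
    and is fresh, set the application session cookie, redirect to the
    originally requested URL."""
    info = _unpack(SSO_SHARED_KEY, assertion)
    if info is None or now - info["iat"] > ASSERTION_MAX_AGE:
        return {"status": 403}
    cookie = _pack(APP_SESSION_KEY, {"user": info["user"], "exp": now + SESSION_TTL})
    return {"status": 302, "location": info["requested_url"],
            "set_cookie": {"APP_SESSION": cookie}}


if __name__ == "__main__":
    now = 1_700_000_000
    print(handle_request("/payroll", {}, now))             # redirect to SSO
    a = sso_server_assertion("bob", "/payroll", now)
    r = handle_sign_on(a, now + 5)                          # cookie established
    cookie = r["set_cookie"]["APP_SESSION"]
    print(handle_request("/payroll", {"APP_SESSION": cookie}, now + 10))
```

The session cookie must be sent with the Secure and HttpOnly attributes and the assertion should be single-use (a nonce the application remembers) in a real deployment; here the short acceptance window only limits, rather than prevents, replay of a captured assertion.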
Accessing an External Application
You can access an external application through Oracle Portal. In this scenario, Oracle Portal
functions as a partner application.
This section contains these topics:
Authenticating to Oracle Portal
Authenticating to an External Application for the First Time
Authenticating to an External Application After the First Time
Authenticating to Oracle Portal
When a user seeks access to an external application by way of Oracle Portal, Single Sign-On
authenticates the user to Oracle Portal through this process:
If, during the same session, the user again seeks access to Oracle Portal, then the Login Server
does not prompt the user for user name and password. Instead, it obtains that information from
the login cookie on the client browser.
Authenticating to an External Application for the First Time
Single Sign-On uses the process described in the next figure under these conditions:
The user has authenticated to the Oracle Portal
The user is accessing an external application for the first time through Oracle Portal
Authenticating to an External Application After the First Time
Single Sign-On uses the process described in the next figure if the user:
Has authenticated to the Oracle Portal
Has a user name and password in the Login Server password store
Is accessing an external application after the first time
3. Biometric Authentication:
The Biometric Advantage
Of course, one-time password tokens can be lost as well as potentially hacked, so relying on
"something they have" is not always a foolproof approach.
Instead, a second factor can be based on "something they are", that is, biometric information
derived from measurable biological or behavioral characteristics.
Common biological characteristics used for enterprise authentication are fingerprints, palm or
finger vein patterns, iris features, and voice or face patterns. The last three involve no
physical contact with a biometric sensor, which makes them less intrusive to use.
Behavioral characteristics such as keystroke dynamics – a measure of the way that a user types,
analyzing features such as typing speed and the amount of time they "dwell" on a given key –
can also be used to authenticate a user.
The biggest growth area is the deployment of systems that make use of a Smartphone as a
portable biometric sensor, according to Ant Allan, a research vice president at Gartner. "There is
an explosion in the choice of authentication methods open to organizations, and we are certainly
seeing a shift towards biometric systems that take advantage of sensors in mobile devices – the
camera, for face or iris recognition, the microphone for voice recognition, and the keyboard for
typing rhythm," he said.
The advantages of this Smartphone-based approach are that it is not necessary to purchase any
special biometric hardware, that users are likely to have their phone with them any time they
need to log on to a system, and that the phone's cellular or Wi-Fi connectivity can be used to
transmit biometric information to a back-end authentication system.
Benefits and Drawbacks
The main benefit of using a biometric authentication factor instead of a physical token is that
biometrics can't be lost or forgotten and are hard to share, and are harder to steal or duplicate
than a token (though not impossible; see the anti-spoofing discussion below). They are also
resistant to social engineering attacks, and since users are required to be present to use a
biometric factor, it can also prevent unethical employees from repudiating responsibility for
their actions by claiming an imposter had logged on using their authentication credentials when
they were not present.
"Biometric systems can be much more convenient than tokens and other systems, and are useful
to augment existing security methods like passwords," said Alan Goode, a security analyst at
Goode Intelligence. "For added security they are also sometimes used as a third factor," he
added.
The main drawback of any biometric system is that it can never be 100 percent accurate. To use
a biometric system, it is first necessary for each user to enroll by providing one or more samples
of the biometric in question (such as a fingerprint), which are used to make a "template" of that
biometric. When a user attempts to authenticate, the biometric they provide is then compared
with their stored template. The system computes a similarity score and assesses whether the
sample is similar enough to the template, i.e. whether the score clears a decision threshold, to
be judged a match.
A measure of a system's accuracy is commonly provided by two statistics: False Non Match Rate
(FNMR) and False Match Rate (FMR). The former measures how often a biometric is not
matched to the template when it should be, while the latter measures how often a false biometric
is matched (and authentication is allowed) when it shouldn't be. Most biometric systems can be
"tuned" to reduce one of these two measurements, usually at the expense of the other. "It's
important to understand that when a user supplies a password or a number from an OTP (one
time password) token, it is either correct or it isn’t. With biometrics you never get a definitive
yes or no," explained Mark Diodati, a Gartner analyst.
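How FMR and FNMR follow from the decision threshold, and why lowering one raises the other, as an added example that is not from the article. The match scores are constructed, not taken from any sensor: a score near 1 means the sample closely resembles the template.

```python
"""FMR / FNMR at a decision threshold, threshold tuning and the equal error
rate, over constructed match scores. Added example."""

# constructed: scores of users matched against their own template ...
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.84, 0.70, 0.97, 0.86]
# ... and of other people's samples matched against that template
IMPOSTOR_SCORES = [0.20, 0.35, 0.42, 0.55, 0.61, 0.30, 0.48, 0.73, 0.25, 0.39]

THRESHOLDS = [i / 100 for i in range(101)]


def decide(score: float, threshold: float) -> bool:
    """A sample is accepted when its similarity score reaches the threshold."""
    return score >= threshold


def rates(threshold: float, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FMR, FNMR) at this threshold.
    FMR: fraction of impostor samples wrongly accepted.
    FNMR: fraction of genuine samples wrongly rejected."""
    fmr = sum(decide(s, threshold) for s in impostor) / len(impostor)
    fnmr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return fmr, fnmr


def tune_for_max_fmr(max_fmr: float, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FMR is within budget, with the FNMR that costs.
    Cutting FMR means raising the threshold, which raises FNMR: the trade-off."""
    for t in THRESHOLDS:
        fmr, fnmr = rates(t, genuine, impostor)
        if fmr <= max_fmr:
            return t, fmr, fnmr
    raise ValueError("no threshold meets the FMR budget")


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FMR and FNMR are closest, and the error rate there (EER);
    a single-number summary often used to compare biometric systems."""
    best = min(THRESHOLDS, key=lambda t: abs(rates(t, genuine, impostor)[0]
                                             - rates(t, genuine, impostor)[1]))
    fmr, fnmr = rates(best, genuine, impostor)
    return best, (fmr + fnmr) / 2


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8, 0.9):
        fmr, fnmr = rates(t)
        print(f"threshold {t:.2f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("lowest threshold with FMR <= 5%:", tune_for_max_fmr(0.05))
    print("EER threshold and rate:", equal_error_rate())
```

A system used as the sole factor is tuned toward a low FMR (high threshold, more genuine users rejected); one used as a second or third factor can tolerate a higher FMR in exchange for fewer false rejections, which is the "level of security you really need" question raised under point 2 below.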
What to Look For
1. Cost. The purpose of implementing any biometric system is generally to maintain the same
level of security at lower cost, or to improve security at a reasonable cost. The cost of
implementing a biometric system will depend on whether biometric authentication can be added
to your existing authentication infrastructure using standards such as BioAPI (vendors such as
Entrust support fingerprint readers as authenticators on their platform), or whether your entire
authentication platform has to be replaced, or whether you decide to use an additional biometric
authentication system in parallel with your existing one.
An alternative approach could be to use biometrics to access a single sign-on system that then
accesses your existing authentication system(s).
Other factors include the cost of sensors such as fingerprint readers or iris scanners that have to
be purchased. This drawback obviously does not apply to biometric systems that use smartphones
as sensors.
2. Biometric type and security. Different biometric systems provide different levels of security
as measured by FNMR and FMR scores – and with the current state of technology, a good
fingerprint reader generally offers a lower FNMR and FMR (and therefore "better security") than
non-contact technologies such as voice or face recognition.
But before rejecting any biometric type on the grounds that its FNMR and FMR scores are too
high, it is important to consider what level of security you really need a biometric system to
provide. A biometric system that you plan to use as the single factor for authentication needs to
offer more security than a system that you plan to use as a second or third factor.
It's also important to take into account the environment the biometric authentication system will
be used in. For example, fingerprint readers do not work well in environments where users'
fingers are likely to be dirty. Similarly, voice recognition systems are not a good match for
excessively noisy environments.
3. Anti-spoofing measures. One potential problem with biometric factors is that they are not
"secrets" in the way that passwords or tokens are. This means that it could be possible for a
hacker to present a photograph to fool a facial recognition system, to present a wax cast of a
fingerprint to a reader, or to play back a recording of a voice to a voice recognition system. It
may even be possible to intercept the biometric data from the reader and replay it later,
bypassing the biometric sensor. Before purchasing any biometric technology, be sure to
understand what types of anti-spoofing measures it employs.
Vendors tackle this problem in a number of ways. For example, some voice recognition systems
require users to authenticate by asking them to speak a series of random words, preventing them
from using a previously recorded voice sample. Similarly, face recognition systems may attempt
to detect blinking to ascertain that the image in front of the camera is not a photograph.
Sophisticated fingerprint readers also measure heat or electrical conductivity to establish that the
finger is "alive."
4. Revocation. Unlike a password, biometric characteristics such as fingerprints can't be revoked
or changed. This can pose a serious problem should a hacker successfully compromise the
database housing the biometric credentials. Some biometric systems may deal with this challenge
by uniquely distorting or transforming the biometric template when it is stored, and transforming
or distorting the biometric in the same way during the match process. If a hacker compromises a
fingerprint template database, users can then re-enroll and distinct templates can be generated by
using a different distortion or transformation. Ask any vendor you talk to how their system deals
with template revocation.
5. Compatibility with operating systems and devices. Make sure any biometric system you are
considering works with every operating system in your organization that will use it. The same
goes for mobile devices such as tablets and cell phones.
6. Ease of management. When evaluating a biometric authentication system, make sure to pay
particular attention to how easily the system can be managed using the management software
provided to you by the vendor. It's particularly important to investigate how easily you can enroll
large numbers of users into the system.
7. Integration with directory systems. It's advisable to consider whether the system can integrate
easily with Active Directory or any other LDAP directory system you use. If not, does it use its
own directory system, and how practical would it be for you to use it?