Cryptography and Network security # Lecture 7
Download as PPTX, PDF4 likes592 views
The document discusses the importance of leadership and teamwork in achieving organizational goals. Effective leaders inspire and motivate employees to work collaboratively towards shared objectives. When people work together as a cohesive unit, it allows a company to overcome challenges and thrive in a competitive business environment.
Cryptography and Network security # Lecture 7
- 1. Lec-7: Cryptography & Network Security Mr. Islahuddin Jalal MS (Cyber Security) – UKM Malaysia Research Title – 3C-CSIRT Model for Afghanistan BAKHTAR UNIVERSITY باخترپوهنتون د Bakhtar University پوهنتون باختر د 112/17/2017
- 2. Introduction • Email is one of the most widely used service on internet • Mail servers are favorite target after web server • Normally message contents are not secured • Can be read/edit while on transit from sender to receiver • Can be read/edit at destination 212/17/2017 Bakhtar University پوهنتون باختر د
- 3. 3 Architecture of E-mail • To explain the architecture of e-mail, we give four scenarios. We begin with the simplest situation and add complexity as we proceed. The fourth scenario is the most common in the exchange of e-mail. • First Scenario • Second Scenario • Third Scenario • Fourth Scenario 12/17/2017 Bakhtar University پوهنتون باختر د
- 4. 4 First scenario 1 2 12/17/2017 Bakhtar University پوهنتون باختر د
- 5. 5 When the sender and the receiver of an e- mail are on the same mail server, we need only two user agents. 12/17/2017 Bakhtar University پوهنتون باختر د
- 6. 6 Second scenario 1 2 3 4 5 12/17/2017 Bakhtar University پوهنتون باختر د
- 7. 7 When the sender and the receiver of an e- mail are on different mail servers, we need two UAs and a pair of MTAs (client and server). 12/17/2017 Bakhtar University پوهنتون باختر د
- 9. 9 When the sender is connected to the mail server via a LAN or a WAN, we need two UAs and two pairs of MTAs (client and server). 12/17/2017 Bakhtar University پوهنتون باختر د
- 11. 11 When both sender and receiver are connected to the mail server via a LAN or a WAN, we need two UAs, two pairs of MTAs (client and server), and a pair of MAAs (client and server). This is the most common situation today. 12/17/2017 Bakhtar University پوهنتون باختر د
- 12. 12 Push versus pull 12/17/2017 Bakhtar University پوهنتون باختر د
- 13. 13 USER AGENT The first component of an electronic mail system is the user agent (UA). It provides service to the user to make the process of sending and receiving a message easier. 12/17/2017 Bakhtar University پوهنتون باختر د
- 14. 14 Format of an email 12/17/2017 Bakhtar University پوهنتون باختر د
- 15. 15 E-mail address 12/17/2017 Bakhtar University پوهنتون باختر د
- 16. Message Transfer Agent • Mail transfer is done through Message Transfer Agent (MTAs) • To send mail • System must have client MTA • To receive mail • System must have server MTA • Note • The formal protocol that defines the MTA client and server in the internet is called SMTP 12/17/2017 Bakhtar University پوهنتون باختر د 16
- 17. 17 SMTP range 12/17/2017 Bakhtar University پوهنتون باختر د
- 18. 18 Commands and responses 12/17/2017 Bakhtar University پوهنتون باختر د
- 21. 21 Connection establishment 220 service ready 1 HELO: deanza.edu2 250 OK 3 12/17/2017 Bakhtar University پوهنتون باختر د
- 22. 22 Message transfer 12/17/2017 Bakhtar University پوهنتون باختر د
- 23. 23 Connection termination 1 QUIT 2221 service closed 12/17/2017 Bakhtar University پوهنتون باختر د
- 24. 24 MESSAGE ACCESS AGENT The first and the second stages of mail delivery use SMTP. However, SMTP is not involved in the third stage because SMTP is a push protocol; it pushes the message from the client to the server. In other words, the direction of the bulk data (messages) is from the client to the server. On the other hand, the third stage needs a pull protocol; the client must pull messages from the server. The direction of the bulk data are from the server to the client. The third stage uses a message access agent. 12/17/2017 Bakhtar University پوهنتون باختر د
- 25. 25 Pop3 and IMAP4 12/17/2017 Bakhtar University پوهنتون باختر د
- 27. Threats • Email Confidentiality (protection from disclosure) • Email Integrity (Protection from modification) • Email Authentication (verification of sender) • Lack of non-repudiation ( protection from denial by sender) 2712/17/2017 Bakhtar University پوهنتون باختر د
- 28. Two systems for Email Security • PGP • SMIME 12/17/2017 Bakhtar University پوهنتون باختر د 28
- 29. PGP • Pretty Good Privacy • Developed by Phil Zimmermann • Using best well known crypto algorithms • Available for free on many platforms with source code • Not controlled by a governmental or standards organizations 2912/17/2017 Bakhtar University پوهنتون باختر د
- 30. PGP • Has 5 components/service • Authentication • Confidentiality • Compression • Email compatibility • Segmentation 3012/17/2017 Bakhtar University پوهنتون باختر د
- 31. PGP - Authentication • Achieved by digital signature • The sender creates a message. • The message is hashed, using SHA-1 algorithm to generate a 150-bit hash code of the message. • The hash code is encrypted with the sender’s private key and appended to the message 3112/17/2017 Bakhtar University پوهنتون باختر د
- 32. PGP - Authentication 32 H( ). KA( ).- + - H(m )KA(H(m)) - m KA - Internet m KA( ).+ KA + KA(H(m)) - m H( ). H(m ) compare Hash the message Private key of A Public key of A Recomputed and compare 12/17/2017 Bakhtar University پوهنتون باختر د
- 33. PGP - Confidentiality • Protection from disclosure • Achieved by encrypting the message • Message is encrypted using conventional symmetric shared secret key (DES, CAST- 128, etc) • Key distribution between sender and receiver is a problem • In PGP, each key is used only once. • A new key is generated for each message 3312/17/2017 Bakhtar University پوهنتون باختر د
- 34. PGP - Confidentiality 34 KS( ). KB( ).+ + - KS(m ) KB(KS ) + m KS KS KB + Internet KS( ). KB( ).- KB - KS m KS(m ) KB(KS ) + Sending encrypted email Receiving and decrypting email Secret key Encrypt Ks using B’s public key 12/17/2017 Bakhtar University پوهنتون باختر د
- 35. • Sending /encrypting • Generate random symmetric secret key, Ks • Encrypts message with Ks • Encrypts Ks with Bob’s public key • Send both Ks(m) and Kb(Ks) to Bob 3512/17/2017 Bakhtar University پوهنتون باختر د
- 36. • Receiving / Decrypting • Use own private key to decrypt and recover Ks • Uses Ks to decrypt Ks(m) 3612/17/2017 Bakhtar University پوهنتون باختر د
- 37. • Confidentiality and Authentication: Both can be achieved simultaneously • Sender generates a signature of the plaintext message and attaches it to the message • The plaintext message and signature are encrypted using the public key of the receiver and attached to the message 3712/17/2017 Bakhtar University پوهنتون باختر د
- 38. PGP - Compression • PGP compresses message after applying signature but before encryption • Encrypt the compressed version of message • Use ZIP as compression algorithm 3812/17/2017 Bakhtar University پوهنتون باختر د
- 39. PGP – Email compatibility • PGP must ensure the message transmission format must be the same in both sender and receiver’s machine • PGP will encrypt part of the message • The encrypted part will consists of a stream of arbitrary 8-bit octets • Thus some of them will be non-printed character • E.g.: null, space, escape, etc • While many e-mail system will only permit use of blocks consisting of ASCII text 3912/17/2017 Bakhtar University پوهنتون باختر د
- 40. PGP – Email compatibility • Uses radix-64 algorithm • Maps 3 bytes (or 8 bit) to 4 printable chars • PGP provide service to convert raw 8-bit binary stream to a stream of printable ASCII characters. • Each group of three octets of binary data is mapped into four Base 64 characters. 4012/17/2017 Bakhtar University پوهنتون باختر د
- 41. 41 Convert into 8-bit octet Encode to form 6-bit Map into four Base64 character Decimal value http://en.wikipedia.org/wiki/Base64 http://en.wikipedia.org/wiki/ASCII 12/17/2017 Bakhtar University پوهنتون باختر د
- 42. • On receiver side, the incoming block is first converted back to 8-bit octet binary format. • Then message is decrypted and verified using the attached keys. 4212/17/2017 Bakhtar University پوهنتون باختر د
- 43. PGP - Segmentation • Many email system restricted the maximum message length to 50,000 octets • Email system will segmentize / divide a long message into smaller segments • Each segment is mailed separately. 4312/17/2017 Bakhtar University پوهنتون باختر د
- 44. • PGP subdivides large message into segments • Segmentation is done after all other processing (including radix-64 conversion) has been done • At receiver ends, all email header will be strips off and then reassemble as the original message. 4412/17/2017 Bakhtar University پوهنتون باختر د
- 45. PGP Operation Summary 4512/17/2017 Bakhtar University پوهنتون باختر د
- 46. PGP Message Format 46 Encrypted with public key Encrypted and Sign with private key 12/17/2017 Bakhtar University پوهنتون باختر د
- 47. Symmetric vs Asymmetric Key 4712/17/2017 Bakhtar University پوهنتون باختر د
- 48. Key Rings • Two key IDs (private and public key) are included in each message • Provide confidentiality and authentication • A user often have many public/private key pairs in use • The keys need to be stored and organized systematically. • Key IDs also used in signatures • Key IDs are sent together with messages 4812/17/2017 Bakhtar University پوهنتون باختر د
- 49. Key Rings • PGP user has a pair of key rings to store public and private keys • Public-key ring contains all the public-keys of other PGP users known to the user • Indexed by Key ID • Private-key ring contains the private/public key pairs for the user • The stored private keys are encrypted using a key derived from a hashed passphrase 4912/17/2017 Bakhtar University پوهنتون باختر د
- 51. Key Ring - Private • Each row of the table represents a private/public key pair owned by the user. • Key_ID: The least significant 64 bits of the public key (for that entry) • Timestamp: The timestamp when this key pair was generated. • Public_Key : The Public key • Private_Key: Encrypted private key 5112/17/2017 Bakhtar University پوهنتون باختر د
- 52. Key Ring – Private • Private key is encrypted using CAST-128, IDEA, or 3DES algorithms • Encryption procedure • Users selects a password to be used for encryption • System will asks the user for a password before generating a new key pair • Using SHA-1, a 160 bit hash code is generated from the password. • System encrypts the private key using CAST-128, and use 128 bits (from the 160-bit generated) from the hash, as the key. • Encrypted private key stored in ring 5212/17/2017 Bakhtar University پوهنتون باختر د
- 53. Key Ring - Public • Stores the public keys of other users known to this user. • User ID: Owner of the key. 5312/17/2017 Bakhtar University پوهنتون باختر د
- 54. PGP Key Management • PGP uses trust, associates trust with public keys • Public-key rings has 3 fields: 1. Key legitimacy field (computed by PGP) “indicate the extent to which PGP will trust the validity of a public key of any user” 5412/17/2017 Bakhtar University پوهنتون باختر د
- 55. PGP Key Management 2. Signature trust field: “indicates the degree to which the user trusts the signer to certify any public keys” >Key legitimacy field is derived from the collection of signature trust fields. 5512/17/2017 Bakhtar University پوهنتون باختر د
- 56. 3. Owner trust field: “indicates the degree to which this public key is trusted to sign other public key certificates” >Level of trust is assigned by the user. 5612/17/2017 Bakhtar University پوهنتون باختر د
- 57. • Relation between ‘Signature trust’ and ‘Key legitimacy’ is illustrated by figure on next slide • The figure shows the structure of a public-key ring. • The user has acquired several public-keys. • Some directly from their owners. • Some from a third party (key server) 5712/17/2017 Bakhtar University پوهنتون باختر د
- 58. 58 A public key ring owned by “you” This is calculated “fully”/”partially” are assigned by “You” 12/17/2017 Bakhtar University پوهنتون باختر د
- 59. • Users D, E, F, and L are always trusted to sign other keys • legitimate and fully trusted • Users A and B are partially trusted to sign other keys. • All keys whose owners are fully or partially trusted are signed by this user “You”. • Exception user L: (such a user signature is not always necessary.) • Both D and L are fully trusted by “You” 5912/17/2017 Bakhtar University پوهنتون باختر د
- 60. • Key H is deemed legitimate: two partially trusted users are sufficient to certify a key. • H is signed by A and B • A legitimate key user may not be trusted to sign other keys. • Example: User N signs R’s key but PGP does not consider R’s key legitimate • S is a detached orphan with two unknown signatures. • Such key acquired from a key server. • PGP cannot assume the key to be legitimate. 6012/17/2017 Bakhtar University پوهنتون باختر د
- 61. Revoking Public Key • A user might want to revoke his current key due to any reason. • Key Revocation procedure: • The owner issues a key revocation certificate. • the corresponding private key is used to sign the revocation certificate. • has the same form as normal signature certificate with a revoke indicator. • disseminated as widely and as quickly as possible. • receiving nodes updates their rings. 6112/17/2017 Bakhtar University پوهنتون باختر د
- 62. Thank You For Your Patience 12/17/2017 Bakhtar University پوهنتون باختر د 62