SlideShare a Scribd company logo

Network security & cryptography full notes

G
gangadhar9989166446

This document discusses the OSI security architecture and its key concepts of security attacks, mechanisms, and services. It defines security attacks as any action compromising information security, security mechanisms as tools to detect, prevent or recover from attacks, and security services as services enhancing security. The document then discusses common types of security attacks like passive attacks involving unauthorized access and active attacks involving modifying information. It also outlines various cryptographic attacks against cryptosystems like ciphertext-only, known plaintext, chosen plaintext, and brute force attacks. Finally, it describes the main security services provided by cryptography as confidentiality, data integrity, authentication, and non-repudiation.

Engineering
1 of 73
1
2
3
4
Most read
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Most read
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
Most read
71
72
73
1 UNIT-1INTRODUCTION THE OSI SECURITY ARCHITECTURE: To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture was developed in the context of the OSI protocol architecture, which is described in Appendix H. However, for our purposes in this chapter, an understanding of the OSI protocol architecture is not required. For our purposes, the OSI security architecture provides a useful, if abstract, overview of many of the concepts.. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows: 1. Security attack – Any action that compromises the security of information owned by an organization. 2. Security mechanism – A mechanism that is designed to detect, prevent or recover from a security attack. 3. Security service – A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks and they make use of one or more security mechanisms to provide the service. 1.SECURITY ATTACKS: AttacksonCryptosystems: Attacks are typically categorized based on the action performed by the attacker. An attack, thus, can be passive or active. PassiveAttacks: The main goal of a passive attack is to obtain unauthorized access to the information. For example, actions such as intercepting and eavesdropping on the communication channel can be regarded as passive attack. These actions are passive in nature, as they neither affect information nor disrupt the communication channel. A passive attack is often seen as stealing information. The only difference in stealing physical goods and stealing information is that theft of data still leaves the owner in possession of that data. Passive information attack is thus more dangerous than stealing of goods, as information theft may go unnoticed by the owner.
2 ActiveAttacks: An active attack involves changing the information in some way by conducting some process on the information. For example,  Modifying the information in an unauthorized manner.  Initiating unintended or unauthorized transmission of information.  Alteration of authentication data such as originator name or timestamp associated with information  Unauthorized deletion of data.  Denial of access to information for legitimate users (denial of service). Cryptography provides many tools and techniques for implementing cryptosystems capable of preventing most of the attacks described above. AssumptionsofAttacker: Let us see the prevailing environment around cryptosystems followed by the types of attacks employed to break these systems CryptographicAttacks: The basic intention of an attacker is to break a cryptosystem and to find the plaintext from the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret decryption key, as the algorithm is already in public domain. Hence, he applies maximum effort towards finding out the secret key used in the cryptosystem. Once the attacker is able to determine the key, the attacked system is considered as broken or compromised. Based on the methodology used, attacks on cryptosystems are categorized as follows −  Ciphertext Only Attacks (COA) − In this method, the attacker has access to a set of ciphertext(s). He does not have access to corresponding plaintext. COA is said to be successful when the corresponding plaintext can be determined from a given set of ciphertext. Occasionally, the encryption key can be determined from this attack. Modern cryptosystems are guarded against ciphertext-only attacks.  Known Plaintext Attack (KPA) − In this method, the attacker knows the plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext using this information. This may be done by determining the key or via some other method. The best example of this attack is linear cryptanalysis against block ciphers.  Chosen Plaintext Attack (CPA) − In this method, the attacker has the text of his choice encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his task of
3 determining the encryption key. An example of this attack is differential cryptanalysis applied against block ciphers as well as hash functions. A popular public key cryptosystem, RSA is also vulnerable to chosen-plaintext attacks.  Dictionary Attack − This attack has many variants, all of which involve compiling a ‘dictionary’. In simplest method of this attack, attacker builds a dictionary of ciphertexts and corresponding plaintexts that he has learnt over a period of time. In future, when an attacker gets the ciphertext, he refers the dictionary to find the corresponding plaintext.  Brute Force Attack (BFA) − In this method, the attacker tries to determine the key by attempting all possible keys. If the key is 8 bits long, then the number of possible keys is 28 = 256. The attacker knows the ciphertext and the algorithm, now he attempts all the 256 keys one by one for decryption. The time to complete the attack would be very high if the key is long.  Birthday Attack − This attack is a variant of brute-force technique. It is used against the cryptographic hash function. When students in a class are asked about their birthdays, the answer is one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to find the next student whose birthdate is 3rd Aug, we need to enquire 1.25* √365 ≈ 25 students. Similarly, if the hash function produces 64 bit hash values, the possible hash values are 1.8x1019 . By repeatedly evaluating the function for different inputs, the same output is expected to be obtained after about 5.1x109 random inputs. If the attacker is able to find two different inputs that give the same hash value, it is a collision and that hash function is said to be broken.  Man in Middle Attack (MIM) − The targets of this attack are mostly public key cryptosystems where key exchange is involved before communication takes place. o Host A wants to communicate to host B, hence requests public key of B. o An attacker intercepts this request and sends his public key instead. o Thus, whatever host A sends to host B, the attacker is able to read. o In order to maintain communication, the attacker re-encrypts the data after reading with his public key and sends to B. o The attacker sends his public key as A’s public key so that B takes it as if it is taking it from A.  Side Channel Attack (SCA) − This type of attack is not against any particular type of cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical implementation of the cryptosystem.  Timing Attacks − They exploit the fact that different computations take different times to compute on processor. By measuring such timings, it is be possible to know about a particular computation the processor is carrying out. For example, if the encryption takes a longer time, it indicates that the secret key is long.  Power Analysis Attacks − These attacks are similar to timing attacks except that the amount of power consumption is used to obtain information about the nature of the underlying computations.  Fault analysis Attacks − In these attacks, errors are induced in the cryptosystem and the attacker studies the resulting output for useful information. 2.SECURITYSERVICES: The primary objective of using cryptography is to provide the following four fundamental information security services. Let us now see the possible goals intended to be fulfilled by cryptography. A. Confidentiality: Confidentiality is the fundamental security service provided by cryptography. It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy. Confidentiality can be achieved through numerous means starting from physical securing to the use of mathematical algorithms for data encryption.
4 B. Data Integrity: It is security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidently. Integrity service confirms that whether data is intact or not since it was last created, transmitted, or stored by an authorized user. Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has been manipulated in an unauthorized manner. C. Authentication: Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender. Authentication service has two variants  Message authentication identifies the originator of the message without any regard router or system that has sent the message.  Entity authentication is assurance that data has been received from a specific entity, say a particular website. Apart from the originator, authentication may also provide assurance about other parameters related to data such as the date and time of creation/transmission. D. Non-repudiation: It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party. Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the purchase order, if non-repudiation service was enabled in this transaction. CryptographyPrimitives: Cryptography primitives are nothing but the tools and techniques in Cryptography that can be selectively used to provide a set of desired security services −  Encryption  Hash functions  Message Authentication codes (MAC)  Digital Signatures The following table shows the primitives that can achieve a particular security service on their own. Note − Cryptographic primitives are intricately related and they are often combined to achieve a set of desired security services from a cryptosystem 3. SECURITY MECHANISM: A mechanism that is designed to detect, prevent or recover from a security attack. One of the most specific security mechanisms in use is cryptographic techniques. Encryption or encryption-like
5 transformations of information are the most common means of providing security. Some of the mechanisms are: A. Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. B.Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient). C.Access Control A variety of mechanisms that enforce access rights to resources. D.Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of data units. E.Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information exchange. F.Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. G.Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes, especially when abreach of security is suspected. Cryptosystems: A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system. Let us discuss a simple model of a cryptosystem that provides confidentiality to the information being transmitted. This basic model is depicted in the illustration below − The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that any party intercepting or eavesdropping on the communication channel cannot extract the data. The objective of this simple cryptosystem is that at the end of the process, only the sender and the receiver will know the plaintext. ComponentsofaCryptosystem The various components of a basic cryptosystem are as follows −  Plaintext. It is the data to be protected during transmission.
6  Encryption Algorithm. It is a mathematical process that produces a ciphertext for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a ciphertext.  Ciphertext. It is the scrambled version of the plaintext produced by the encryption algorithm using a specific the encryption key. The ciphertext is not guarded. It flows on public channel. It can be intercepted or compromised by anyone who has access to the communication channel.  Decryption Algorithm, It is a mathematical process, that produces a unique plaintext for any given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.  Encryption Key. It is a value that is known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the ciphertext.  Decryption Key. It is a value that is known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext in order to compute the plaintext. For a given cryptosystem, a collection of all possible decryption keys is called a key space. An interceptor (an attacker) is an unauthorized entity who attempts to determine the plaintext. He can see the ciphertext and may know the decryption algorithm. He, however, must never know the decryption key. TypesofCryptosystems Fundamentally, there are two types of cryptosystems based on the manner in which encryption- decryption is carried out in the system −  Symmetric Key Encryption  Asymmetric Key Encryption The main difference between these cryptosystems is the relationship between the encryption and the decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is practically impossible to decrypt the ciphertext with the key that is unrelated to the encryption key. Symmetric Key Encryption: The encryption process where same keys are used for encrypting and decrypting the information is known as Symmetric Key Encryption. The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric cryptosystems are also sometimes referred to as secret key cryptosystems. A few well-known examples of symmetric key encryption methods are − Digital Encryption Standard (DES), Triple-DES (3DES), IDEA, and BLOWFISH. Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will fade away, as it has certain advantages over asymmetric key encryption. The salient features of cryptosystem based on symmetric key encryption are −  Persons using symmetric key encryption must share a common key prior to exchange of information.  Keys are recommended to be changed regularly to prevent any attack on the system.  A robust mechanism needs to exist to exchange the key between the communicating parties. As keys are required to be changed regularly, this mechanism becomes expensive and cumbersome.  In a group of n people, to enable two-party communication between any two persons, the number of keys required for group is n × (n – 1)/2.  Length of Key (number of bits) in this encryption is smaller and hence, process of encryption- decryption is faster than asymmetric key encryption.  Processing power of computer system required to run symmetric algorithm is less.
7 Challenge of Symmetric Key Cryptosystem: There are two restrictive challenges of employing symmetric key cryptography.  Key establishment − Before any communication, both the sender and the receiver need to agree on a secret symmetric key. It requires a secure key establishment mechanism in place.  Trust Issue − Since the sender and the receiver use the same symmetric key, there is an implicit requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that the receiver has lost the key to an attacker and the sender is not informed. These two challenges are highly restraining for modern day communication. Today, people need to exchange information with non-familiar and non-trusted parties. For example, a communication between online seller and customer. These limitations of symmetric key encryption gave rise to asymmetric key encryption schemes. Asymmetric Key Encryption: The encryption process where different keys are used for encrypting and decrypting the information is known as Asymmetric Key Encryption. Though the keys are different, they are mathematically related and hence, retrieving the plaintext by decrypting ciphertext is feasible. The process is depicted in the following illustration Asymmetric Key Encryption was invented in the 20th century to come over the necessity of pre-shared secret key between communicating persons. The salient features of this encryption scheme are as follows −  Every user in this system needs to have a pair of dissimilar keys, private key and public key. These keys are mathematically related − when one key is used for encryption, the other can decrypt the ciphertext back to the original plaintext.  It requires to put the public key in public repository and the private key as a well-guarded secret. Hence, this scheme of encryption is also called Public Key Encryption.  Though public and private keys of the user are related, it is computationally not feasible to find one from another. This is a strength of this scheme.  When Host1 needs to send data to Host2, he obtains the public key of Host2 from repository, encrypts the data, and transmits.  Host2 uses his private key to extract the plaintext.  Length of Keys (number of bits) in this encryption is large and hence, the process of encryption- decryption is slower than symmetric key encryption.  Processing power of computer system required to run asymmetric algorithm is higher.
8 Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite difficult to comprehend.
9 UNIT-2 CLASSICAL ENCRYPTION TECHNIQUES Plaintext: This is original text &what you want to encrypt. Cipher text: The encrypted output Enciphering or Encryption: The process by which plaintext is converted into cipher text. Encryption algorithm: The sequence of data processing steps that go into transforming plaintext into cipher text. Various parameters used by an encryption algorithm are derived from a secret key. Secret key: A secret key is used to set some or the entire various secret key. A secret key is used to set some or all of the various parameters used by the encryption algorithm. The important thing to note is that, in classical cryptography, the same secret key is used for encryption and decryption. It is for this reason that classical cryptography is also referred to as symmetric key cryptography. On the other hand, in the more modern cryptographic algorithms, the encryption and decryption keys are not only different, but also one of them is placed in the public domain. Such algorithms are commonly referred to as asymmetric key cryptography, public key cryptography, etc. Deciphering or Decryption: Recovering plaintext from cipher text. Decryption algorithm: The sequence of data processing steps that go into transforming cipher text back into plaintext. In classical cryptography, the various parameters used by a decryption algorithm are derived from the same secret key that was used in the encryption algorithm. Cryptography: The many schemes available today for encryption and decryption. Cryptographic system: Any single scheme for encryption and decryption. Difference between Classic Cryptography & Modern Cryptography: There are three major characteristics that separate modern cryptography from the classical approach. Classic Cryptography Modern Cryptography It manipulates traditional characters, i.e., letters and digits directly. It operates on binary bit sequences. It is mainly based on ‘security through obscurity’. The techniques employed for coding were kept secret and only the parties involved in communication knew about them. It relies on publicly known mathematical algorithms for coding the information. Secrecy is obtained through a secrete key which is used as the seed for the algorithms. The computational difficulty of algorithms, absence of secret key, etc., make it impossible for an attacker to obtain the original information even if he knows the algorithm used for coding. It requires the entire cryptosystem for communicating confidentially. Modern cryptography requires parties interested in secure communication to possess the secret key only.
10 ClassicalCryptographicSystems: Before proceeding further, you need to know some facts about historical cryptosystems  All of these systems are based on symmetric key encryption scheme.  The only security service these systems provide is confidentiality of information.  Unlike modern systems which are digital and treat data as binary numbers, the earlier systems worked on alphabets as basic element. These earlier cryptographic systems are also referred to as Ciphers. In general, a cipher is simply just a set of steps (an algorithm) for performing both an encryption, and the corresponding decryption. CaesarCipher: It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by another letter to form the cipher text. It is a simplest form of substitution cipher scheme. This cryptosystem is generally referred to as the Shift Cipher. The concept is to replace each alphabet by another alphabet which is ‘shifted’ by some fixed number between 0 and 25. For this type of scheme, both sender and receiver agree on a ‘secret shift number’ for shifting the alphabet. This number which is between 0 and 25 becomes the key of encryption. The name ‘Caesar Cipher’ is occasionally used to describe the Shift Cipher when the ‘shift of three’ is used. Process of Shift Cipher  In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath the first set of plaintext letters and slides it to LEFT by the number of positions of the secret shift.  The plaintext letter is then encrypted to the cipher text letter on the sliding ruler underneath. The result of this process is depicted in the following illustration for an agreed shift of three positions. In this case, the plaintext ‘tutorial’ is encrypted to the ciphertext ‘WXWRULDO’. Here is the cipher text alphabet for a Shift of 3.  On receiving the cipher text, the receiver who also knows the secret shift, positions his sliding ruler underneath the cipher text alphabet and slides it to RIGHT by the agreed shift number, 3 in this case.  He then replaces the cipher text letter by the plaintext letter on the sliding ruler underneath. Hence the cipher text ‘WXWRULDO’ is decrypted to ‘tutorial’. To decrypt a message encoded with a Shift of 3, generate the plaintext alphabet using a shift of ‘-3’ as shown below. Security Value: Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out. An attacker can carry out an exhaustive key search with available limited computing resources. Simple Substitution Cipher: It is an improvement to the Caesar Cipher. Instead of shifting the alphabets by some number, this scheme uses some permutation of the letters in alphabet. For
11 example, A.B
..Y.Z and Z.Y

B.A are two obvious permutation of all the letters in alphabet. Permutation is nothing but a jumbled up set of alphabets. With 26 letters in alphabet, the possible permutations are 26! (Factorial of 26) which is equal to 4x1026 . The sender and the receiver may choose any one of these possible permutation as a cipher text alphabet. This permutation is the secret key of the scheme. Process of Simple Substitution Cipher  Write the alphabets A, B, C,...,Z in the natural order.  The sender and the receiver decide on a randomly selected permutation of the letters of the alphabet.  Underneath the natural order alphabets, write out the chosen permutation of the letters of the alphabet. For encryption, sender replaces each plaintext letters by substituting the permutation letter that is directly beneath it in the table. This process is shown in the following illustration. In this example, the chosen permutation is K, D, G, ..., O. The plaintext ‘point’ is encrypted to ‘MJBXZ’. Here is a jumbled Cipher text alphabet, where the order of the cipher text letters is a key.  On receiving the cipher text, the receiver, who also knows the randomly chosen permutation, replaces each cipher text letter on the bottom row with the corresponding plaintext letter in the top row. The cipher text ‘MJBXZ’ is decrypted to ‘point’. Security Value: Simple Substitution Cipher is a considerable improvement over the Caesar Cipher. The possible number of keys is large (26!) and even the modern computing systems are not yet powerful enough to comfortably launch a brute force attack to break the system. However, the Simple Substitution Cipher has a simple design and it is prone to design flaws, say choosing obvious permutation, this cryptosystem can be easily broken. MonoalphabeticandPolyalphabeticCipher: Mono alphabetic cipher is a substitution cipher in which for a given key, the cipher alphabet for each plain alphabet is fixed throughout the encryption process. For example, if ‘A’ is encrypted as ‘D’, for any number of occurrence in that plaintext, ‘A’ will always get encrypted to ‘D’. All of the substitution ciphers we have discussed earlier in this chapter are monoalphabetic; these ciphers are highly susceptible to cryptanalysis. Poly alphabetic Cipher is a substitution cipher in which the cipher alphabet for the plain alphabet may be different at different places during the encryption process. The next two examples play fair and Vigenere Ciphers are poly alphabetic ciphers. PlayfairCipher: In this scheme, pairs of letters are encrypted, instead of single letters as in the case of simple substitution cipher. In play fair cipher, initially a key table is created. The key table is a 5×5 grid of alphabets that acts as the key for encrypting the plaintext. Each of the 25 alphabets must be unique and one letter of the alphabet (usually J) is omitted from the table as we need only 25 alphabets instead of 26. If the plaintext contains J, then it is replaced by I.
12 The sender and the receiver deicide on a particular key, say ‘tutorials’. In a key table, the first characters (going left to right) in the table is the phrase, excluding the duplicate letters. The rest of the table will be filled with the remaining letters of the alphabet, in natural order. The key table works out to be − Process of Play fair Cipher:  First, a plaintext message is split into pairs of two letters (digraphs). If there is an odd number of letters, a Z is added to the last letter. Let us say we want to encrypt the message “hide money”. It will be written as − HI DE MO NE YZ  The rules of encryption are − o If both the letters are in the same column, take the letter below each one (going back to the top if at the bottom) T U O R I ‘H’ and ‘I’ are in same column, hence take letter below them to replace. HI → QC A L S B C D E F G H K M N P Q V W X Y Z  If both letters are in the same row, take the letter to the right of each one (going back to the left if at the farthest right) T U O R I ‘D’ and ‘E’ are in same row, hence take letter to the right of them to replace. DE → EFA L S B C
13 D E F G H K M N P Q V W X Y Z  If neither of the preceding two rules are true, form a rectangle with the two letters and take the letters on the horizontal opposite corner of the rectangle. Using these rules, the result of the encryption of ‘hide money’ with the key of ‘tutorials’ would be − QC EF NU MF ZV Decrypting the Play fair cipher is as simple as doing the same process in reverse. Receiver has the same key and can create the same key table, and then decrypt any messages made using that key. Security Value It is also a substitution cipher and is difficult to break compared to the simple substitution cipher. As in case of substitution cipher, cryptanalysis is possible on the Play fair cipher as well, however it would be against 625 possible pairs of letters (25x25 alphabets) instead of 26 different possible alphabets. The Play fair cipher was used mainly to protect important, yet non-critical secrets, as it is quick to use and requires no special equipment. VigenereCipher: This scheme of cipher uses a text string (say, a word) as a key, which is then used for doing a number of shifts on the plaintext. For example, let’s assume the key is ‘point’. Each alphabet of the key is converted to its respective numeric value: In this case, p → 16, o → 15, i → 9, n → 14, and t → 20. Thus, the key is: 16 15 9 14 20. Process of Vigenere Cipher:  The sender and the receiver decide on a key. Say ‘point’ is the key. Numeric representation of this key is ‘16 15 9 14 20’.  The sender wants to encrypt the message, say ‘attack from south east’. He will arrange plaintext and numeric key as follows −
14  He now shifts each plaintext alphabet by the number written below it to create ciphertext as shown below −  Here, each plaintext character has been shifted by a different amount – and that amount is determined by the key. The key must be less than or equal to the size of the message.  For decryption, the receiver uses the same key and shifts received ciphertext in reverse order to obtain the plaintext. Security Value Vigenere Cipher was designed by tweaking the standard Caesar cipher to reduce the effectiveness of cryptanalysis on the cipher text and make a cryptosystem more robust. It is significantly more secure than a regular Caesar Cipher. In the history, it was regularly used for protecting sensitive political and military information. It was referred to as the unbreakable cipher due to the difficulty it posed to the cryptanalysis. Variants of Vigenere Cipher: There are two special cases of Vigenere cipher  The keyword length is same as plaintect message. This case is called Vernam Cipher. It is more secure than typical Vigenere cipher.  Vigenere cipher becomes a cryptosystem with perfect secrecy, which is called One-time pad. One-TimePad: The circumstances are −  The length of the keyword is same as the length of the plaintext.  The keyword is a randomly generated string of alphabets.  The keyword is used only once. Security Value: Let us compare Shift cipher with one-time pad. Shift Cipher − Easy to Break In case of Shift cipher, the entire message could have had a shift between 1 and 25. This is a very small size, and very easy to brute force. However, with each character now having its own individual shift between 1 and 26, the possible keys grow exponentially for the message. One-time Pad − Impossible to Break Let us say, we encrypt the name “point” with a one-time pad. It is a 5 letter text. To break the ciphertext by brute force, you need to try all possibilities of keys and conduct computation for
15 (26 x 26 x 26 x 26 x 26) = 265 = 11881376 times. That’s for a message with 5 alphabets. Thus, for a longer message, the computation grows exponentially with every additional alphabet. This makes it computationally impossible to break the ciphertext by brute force. TranspositionCipher: It is another type of cipher where the order of the alphabets in the plaintext is rearranged to create the cipher text. The actual plaintext alphabets are not replaced. An example is a ‘simple columnar transposition’ cipher where the plaintext is written horizontally with a certain alphabet width. Then the cipher text is read vertically as shown. For example, the plaintext is “golden statue is in eleventh cave” and the secret random key chosen is “five”. We arrange this text horizontally in table with number of column equal to key value. The resulting text is shown below. The cipher text is obtained by reading column vertically downward from first to last column. The cipher text is ‘gnuneaoseenvltiltedasehetivc’. To decrypt, the receiver prepares similar table. The number of columns is equal to key number. The number of rows is obtained by dividing number of total cipher text alphabets by key value and rounding of the quotient to next integer value. The receiver then writes the received cipher text vertically down and from left to right column. To obtain the text, he reads horizontally left to right and from top to bottom row.
16 UNIT-3 Modernencryptiontechniques: Digital data is represented in strings of binary digits (bits) unlike alphabets. Modern cryptosystems need to process this binary strings to convert in to another binary string. Based on how these binary strings are processed, a symmetric encryption schemes can be classified in to BlockCiphers In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block of plaintext bits is selected, a series of operations is performed on this block to generate a block of ciphertext bits. The number of bits in a block is fixed. For example, the schemes DES and AES have block sizes of 64 and 128, respectively. StreamCiphers In this scheme, the plaintext is processed one bit at a time i.e. one bit of plaintext is taken, and a series of operations is performed on it to generate one bit of ciphertext. Technically, stream ciphers are block ciphers with a block size of one bit. BlockCipher The basic scheme of a block cipher is depicted as follows − A block cipher takes a block of plaintext bits and generates a block of cipher text bits, generally of same size. The size of block is fixed in the given scheme. The choice of block size does not directly affect to the strength of encryption scheme. The strength of cipher depends up on the key length. BlockSize Though any size of block is acceptable, following aspects are borne in mind while selecting a size of a block.  Avoid very small block size − Say a block size is m bits. Then the possible plaintext bits combinations are then 2m . If the attacker discovers the plain text blocks corresponding to some
17 previously sent ciphertext blocks, then the attacker can launch a type of ‘dictionary attack’ by building up a dictionary of plaintext/ciphertext pairs sent using that encryption key. A larger block size makes attack harder as the dictionary needs to be larger.  Do not have very large block size − With very large block size, the cipher becomes inefficient to operate. Such plaintexts will need to be padded before being encrypted.  Multiples of 8 bit − A preferred block size is a multiple of 8 as it is easy for implementation as most computer processor handle data in multiple of 8 bits. PaddinginBlockCipher Block ciphers process blocks of fixed sizes (say 64 bits). The length of plaintexts is mostly not a multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each with third block of balance 22 bits. The last block of bits needs to be padded up with redundant information so that the length of the final block equal to block size of the scheme. In our example, the remaining 22 bits need to have additional 42 redundant bits added to provide a complete block. The process of adding bits to the last block is referred to as padding. Too much padding makes the system inefficient. Also, padding may render the system insecure at times, if the padding is done with same bits always. BlockCipherSchemes There is a vast number of block ciphers schemes that are in use. Many of them are publically known. Most popular and prominent block ciphers are listed below.  Digital Encryption Standard (DES) − The popular block cipher of the 1990s. It is now considered as a ‘broken’ block cipher, due primarily to its small key size.  Triple DES − It is a variant scheme based on repeated DES applications. It is still a respected block ciphers but inefficient compared to the new faster block ciphers available.  Advanced Encryption Standard (AES) − It is a relatively new block cipher based on the encryption algorithm Rijndael that won the AES design competition.  IDEA − It is a sufficiently strong block cipher with a block size of 64 and a key size of 128 bits. A number of applications use IDEA encryption, including early versions of Pretty Good Privacy (PGP) protocol. The use of IDEA scheme has a restricted adoption due to patent issues. FeistelBlockCipher: Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic system based on Feistel cipher structure uses the same algorithm for both encryption and decryption. EncryptionProcess The encryption process uses the Feistel structure consisting multiple rounds of processing of the plaintext, each round consisting of a “substitution” step followed by a permutation step. Feistel Structure is shown in the following illustration –  The input block to each round is divided into two halves that can be denoted as L and R for the left half and the right half.  In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes through an operation that depends on R and the encryption key. First, we apply an encrypting function ‘f’ that takes two input − the key K and R. The function produces the output f(R,K). Then, we XOR the output of the mathematical function with L.  In real implementation of the Feistel Cipher, such as DES, instead of using the whole encryption key during each round, a round-dependent key (a sub key) is derived from the encryption key. This means that each round uses a different key, although all these sub keys are related to the original key.  The permutation step at the end of each round swaps the modified L and unmodified R. Therefore, the L for the next round would be R of the current round. And R for the next round be the output L of the current round.
18  Above substitution and permutation steps form a ‘round’. The number of rounds are specified by the algorithm design.  Once the last round is completed then the two sub blocks, ‘R’ and ‘L’ are concatenated in this order to form the cipher text block. The difficult part of designing a Feistel Cipher is selection of round function ‘f’. In order to be unbreakable scheme, this function needs to have several important properties that are beyond the scope of our discussion. DecryptionProcess The process of decryption in Feistel cipher is almost similar. Instead of starting with a block of plaintext, the ciphertext block is fed into the start of the Feistel structure and then the process thereafter is exactly the same as described in the given illustration. The process is said to be almost similar and not exactly same. In the case of decryption, the only difference is that the subkeys used in encryption are used in the reverse order. The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If these are not swapped then the resulting ciphertext could not be decrypted using the same algorithm. NumberofRounds The number of rounds used in a Feistel Cipher depends on desired security from the system. More number of rounds provide more secure system. But at the same time, more rounds mean the inefficient slow encryption and decryption processes. Number of rounds in the systems thus depend upon efficiency–security tradeoff. The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST). DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The block size is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (function as check bits only). General Structure of DES is depicted in the following illustration −
19 Since DES is based on the Feistel Cipher, all that is required to specify DES is −  Round function  Key schedule  Any additional processing − Initial and final permutation InitialandFinalPermutation The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each other. They have no cryptography significance in DES. The initial and final permutations are shown as follows − RoundFunction The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
20  Expansion Permutation Box − Since right input is 32-bit and round key is a 48-bit, we first need to expand right input to 48 bits. Permutation logic is graphically depicted in the following illustration −  The graphically depicted permutation logic is generally described as table in DES specification illustrated as shown −  XOR (Whitener). − After the expansion permutation, DES does XOR operation on the expanded right section and the round key. The round key is used only in this operation.  Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer the following illustration −  The S-box rule is illustrated below −
21  There are a total of eight S-box tables. The output of all eight s-boxes is then combined in to 32 bit section.  Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight permutation with rule shown in the following illustration: KeyGeneration The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key generation is depicted in the following illustration −
22 The logic for Parity drop, shifting, and Compression P-box is given in the DES description. DESAnalysis The DES satisfies both the desired properties of block cipher. These two properties make cipher very strong.  Avalanche effect − A small change in plaintext results in the very grate change in the ciphertext.  Completeness − Each bit of ciphertext depends on many bits of plaintext. During the last few years, cryptanalysis have found some weaknesses in DES when key selected are weak keys. These keys shall be avoided. DES has proved to be a very well designed block cipher. There have been no significant cryptanalytic attacks on DES other than exhaustive key search. 3-KEYTripleDES Before using 3TDES, user first generate and distribute a 3TDES key K, which consists of three different DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3×56 = 168 bits. The encryption scheme is illustrated as follows −
23 The encryption-decryption process is as follows −  Encrypt the plaintext blocks using single DES with key K1.  Now decrypt the output of step 1 using single DES with key K2.  Finally, encrypt the output of step 2 using single DES with key K3.  The output of step 3 is the ciphertext.  Decryption of a ciphertext is a reverse process. User first decrypt using K3, then encrypt with K2, and finally decrypt with K1. Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a 3TDES (hardware) implementation for single DES by setting K1, K2, and K3 to be the same value. This provides backwards compatibility with DES. Second variant of Triple DES (2TDES) is identical to 3TDES except that K3is replaced by K1. In other words, user encrypt plaintext blocks with key K1, then decrypt with key K2, and finally encrypt with K1 again. Therefore, 2TDES has a key length of 112 bits. Triple DES systems are significantly more secure than single DES, but these are clearly a much slower process than encryption using single DES. ADVANCEDENCRYPTIONSTANDARD: The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found at least six time faster than triple DES. A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable against exhaustive key search attack. Triple DES was designed to overcome this drawback but it was found slow. The features of AES are as follows −  Symmetric key symmetric block cipher  128-bit data, 128/192/256-bit keys  Stronger and faster than Triple-DES
24  Provide full specification and design details  Software implementable in C and Java OperationofAES AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation network’. It comprises of a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations). Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix − Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key. The schematic of AES structure is given in the following illustration − EncryptionProcess Here, we restrict to description of a typical round of AES encryption. Each round comprise of four sub- processes. The first round process is depicted below −
25 Byte Substitution (Sub Bytes): The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns. Shift rows Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the right side of row. Shift is carried out as follows −  First row is not shifted.  Second row is shifted one (byte) position to the left.  Third row is shifted two positions to the left.  Fourth row is shifted three positions to the left.  The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other. Mix Columns: Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round. Add roundkey: The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the cipher text. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round. DecryptionProcess: The process of decryption of an AES cipher text is similar to the encryption process in the reverse order. Each round consists of the four processes conducted in the reverse order −  Add round key  Mix columns  Shift rows  Byte substitution Since sub-processes in each round are in reverse manner, unlike for a Feistel Cipher, the encryption and decryption algorithms need to be separately implemented, although they are very closely related. AESAnalysis In present day cryptography, AES is widely adopted and supported in both hardware and software. Till date, no practical cryptanalytic attacks against AES have been discovered. Additionally, AES has built-
26 in flexibility of key length, which allows a degree of ‘future-proofing’ against progress in the ability to perform exhaustive key searches. However, just as for DES, the AES security is assured only if it is correctly implemented and good key management is employed. BlockCipherModesofOperation: A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger than the block size. Hence, the long message is divided into a series of sequential message blocks, and the cipher operates on these blocks one at a time. ElectronicCodeBook(ECB)Mode This mode is a most straightforward way of processing a series of sequentially listed message blocks. Operation  The user takes the first block of plaintext and encrypts it with the key to produce the first block of cipher text.  He then takes the second block of plaintext and follows the same process with same key and so on so forth. The ECB mode is deterministic, that is, if plaintext block P1, P2,
, Pm are encrypted twice under the same key, the output cipher text blocks will be the same. In fact, for a given key technically we can create a codebook of ciphertexts for all possible plaintext blocks. Encryption would then entail only looking up for required plaintext and select the corresponding cipher text. Thus, the operation is analogous to the assignment of code words in a codebook, and hence gets an official name − Electronic Codebook mode of operation (ECB). It is illustrated as follows − Analysis of ECB Mode In reality, any application data usually have partial information which can be guessed. For example, the range of salary can be guessed. A cipher text from ECB can allow an attacker to guess the plaintext by trial-and-error if the plaintext message is within predictable. For example, if a cipher text from the ECB mode is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher, and hence the ECB mode should not be used in most applications. CipherBlockChaining(CBC)Mode: CBC mode of operation provides message dependence for generating cipher text and makes the system non-deterministic. Operation The operation of CBC mode is depicted in the following illustration. The steps are as follows −  Load the n-bit Initialization Vector (IV) in the top register.  XOR the n-bit plaintext block with data value in top register.  Encrypt the result of XOR operation with underlying block cipher with key K.  Feed cipher text block into top register and continue the operation till all plaintext blocks are processed.  For decryption, IV data is XORed with first cipher text block decrypted. The first cipher text block is also fed into to register replacing IV for decrypting next cipher text block.
27 CipherFeedback(CFB)Mode: In this mode, each cipher text block gets ‘fed back’ into the encryption process in order to encrypt the next plaintext block. Operation The operation of CFB mode is depicted in the following illustration. For example, in the present system, a message block has a size ‘s’ bits where 1 < s < n. The CFB mode requires an initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. Steps of operation are −  Load the IV in the top register.  Encrypt the data value in top register with underlying block cipher with key K.  Take only ‘s’ number of most significant bits (left bits) of output of encryption process and XOR them with ‘s’ bit plaintext message block to generate cipher text block.  Feed cipher text block into top register by shifting already present data to the left and continue the operation till all plaintext blocks are processed.  Essentially, the previous cipher text block is encrypted with the key, and then the result is XORed to the current plaintext block.  Similar steps are followed for decryption. Pre-decided IV is initially loaded at the start of decryption. OutputFeedback(OFB)Mode It involves feeding the successive output blocks from the underlying block cipher back to it. These feedback blocks provide string of bits to feed the encryption algorithm which act as the key-stream generator as in case of CFB mode.
28 The key stream generated is XOR-ed with the plaintext blocks. The OFB mode requires an IV as the initial random n-bit input block. The IV need not be secret. The operation is depicted in the following illustration − Counter(CTR)Mode: It can be considered as a counter-based version of CFB mode without the feedback. In this mode, both the sender and receiver need to access to a reliable counter, which computes a new shared value each time a cipher text block is exchanged. This shared counter is not necessarily a secret value, but challenge is that both sides must keep the counter synchronized. Operation Both encryption and decryption in CTR mode are depicted in the following illustration. Steps in operation are −  Load the initial counter value in the top register is the same for both the sender and the receiver. It plays the same role as the IV in CFB (and CBC) mode.  Encrypt the contents of the counter with the key and place the result in the bottom register.  Take the first plaintext block P1 and XOR this to the contents of the bottom register. The result of this is C1. Send C1 to the receiver and update the counter. The counter update replaces the ciphertext feedback in CFB mode.  Continue in this manner until the last plaintext block has been encrypted.  The decryption is the reverse process. The ciphertext block is XORed with the output of encrypted contents of counter value. After decryption of each ciphertext block counter is updated as in case of encryption.
29 IDEA: IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round, see the illustration) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups — modular addition and multiplication, and bitwise eXclusive OR (XOR) — which are algebraically "incompatible" in some sense. In more detail, these operators, which all deal with 16-bit quantities, are:  Bitwise eXclusive OR (denoted with a blue circled plus ⊕).  Addition modulo 216 (denoted with a green boxed plus ⊞).  Multiplication modulo 216 +1, where the all-zero word (0x0000) in inputs is interpreted as 216 and 216 in output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot ⊙). After the eight rounds comes a final “half round”, the output transformation illustrated below (the swap of the middle two values cancels out the swap at the end of the last round, so that there is no net swap): Structure: The overall structure of IDEA follows the Lai-Massey scheme. XOR is used for both subtraction and addition. IDEA uses a key-dependent half-round function. To work with 16 bit words (meaning four inputs instead of two for the 64 bit block size), IDEA uses the Lai-Massey scheme twice in parallel, with the two parallel round functions being interwoven with each other. To ensure sufficient diffusion, two of the sub-blocks are swapped after each round. Key schedule: Each round uses six 16-bit sub-keys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight sub-keys are extracted directly from the key, with K1 from the first round being the lower sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits between each group of eight. This means that it is rotated less than once per round, on average, for a total of six rotations. Decryption: Decryption works like encryption, but the order of the round keys is inverted and the subkeys for the odd rounds are inversed. For instance, the values of subkeys K1 - K4 are replaced by the inverse of K49 - K52 for the respective group operation, K5 and K6 of each group should be replaced by K47 and K48 for decryption.
30 UNIT-4 CONFIDENTIALITY USING SYMMETRIC ENCRYPTION Placement of Encryption Function: If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. To begin, this section examines the potential locations of security attacks and then looks at the two major approaches to encryption placement: link and end to end. There are a large number of locations at which an attack can occur. Furthermore, for wide area communications, many of these locations are not under the physical control of the end user. Even in the case of local area networks, in which physical security measures are possible, there is always the threat of the disgruntled employee. Link versus End-to-End Encryption: The most powerful and most common approach to securing the points of vulnerability highlighted in the preceding section is encryption. If encryption is to be used to counter these attacks, then we need to decide what to encrypt and where the encryption gear should be located. There are two fundamental alternatives: link encryption and end-to-end encryption. Link to Link Encryption: With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. Thus, all traffic over all communications links is secured. One of its disadvantages is that the message must be decrypted each time it enters a switch because the switch must read the address (logical connection number) in the packet header in order to route the frame. Thus, the message is vulnerable at each switch. If working with a public network, the user has no control over the security of the nodes. Several implications of link encryption should be noted. For this strategy to be effective, all the potential links in a path from source to destination must use link encryption. Each pair of nodes that share a link should share a unique key, with a different key used on each link. Thus, many keys must be provided.
31 End-To-End Encryption: With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data in encrypted form are then transmitted unaltered across the network to the destination terminal or host. The destination shares a key with the source and so is able to decrypt the data. This plan seems to secure the transmission against attacks on the network links or switches. Thus, end-to-end encryption relieves the end user of concerns about the degree of security of networks and links that support the communication. There is, however, still a weak spot. Consider the following situation. A host connects to a frame relay or ATM network, sets up a logical connection to another host, and is prepared to transfer data to that other host by using end-to- end encryption. Data are transmitted over such a network in the form of packets that consist of a header and some user data. What part of each packet will the host encrypt? Suppose that the host encrypts the entire packet, including the header. This will not work because, remember, only the other host can perform the decryption. The frame relay or ATM switch will receive an encrypted packet and be unable to read the header. Therefore, it will not be able to route the packet. It follows that the host may encrypt only the user data portion of the packet and must leave the header in the clear. Thus, with end-to-end encryption, the user data are secure. However, the traffic pattern is not, because packet headers are transmitted in the clear. On the other hand, end-to-end encryption does provide a degree of authentication. If two end systems share an encryption key, then a recipient is assured that any message that it receives comes from the alleged sender, because only that sender shares the relevant key. Such authentication is not inherent in a link encryption scheme. To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure 7.2. When both forms of encryption are employed, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet, using a link encryption key to read the header, and then encrypts the entire packet again for sending it out on the next link. Now the entire packet is secure except for the time that the packet is actually in the memory of a packet switch, at which time the packet header is in the clear. Differences between Link encryption & End to End Encryption: Link Encryption End-to-End Encryption Link encryption encrypts all the data along a specific communication path. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed. All data are encrypted, including headers, addresses, and routing information. Headers, addresses, and routing information are not encrypted, and therefore not protected. It works at a lower layer in the OSI model. It works at Network layer. All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. The packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted.
32 Logical Placement of End-to-End Encryption Function: With link encryption, the encryption function is performed at a low level of the communications hierarchy i.e. physical or link layers. For end-to-end encryption, several choices are possible for the logical placement of the encryption function. At the lowest practical level, the encryption function could be performed at the network layer. With network-layer encryption, Each end system can engage in an encrypted exchange with another end system if the two share a secret key. All the user processes and applications within each end system would employ the same encryption scheme with the same key to reach a particular target end system. Figure 7.4 illustrates the issues involved. In this example, an electronic mail gateway is used to interconnect an internetwork that uses a TCP/IP-based architecture. In such a configuration, there is no end-to-end protocol below the application layer. The transport and network connections from each end system terminate at the mail gateway, which sets up new transport and network connections to link to the other end system. Even if both end systems use TCP/IP or OSI, there are plenty of instances in actual configurations in which mail gateways sit between otherwise isolated internetworks. Thus, for applications like electronic mail that have a store-and-forward capability, the only place to achieve end- to-end encryption is at the application layer.
33 A drawback of application-layer encryption is that the number of entities to consider increases dramatically. A network that supports hundreds of hosts may support thousands of users and processes. Thus, many more secret keys need to be generated and distributed. An interesting way of viewing the alternatives is to note that as we move up the communications hierarchy, less information is encrypted but it is more secure. TRAFFIC CONFIDENTIALITY: The following types of information that can be derived from a traffic analysis attack:  Identities of partners  How frequently the partners are communicating  Message pattern, message length, or quantity of messages that suggest important information is being exchanged  The events that correlate with special conversations between particular partners Another concern related to traffic is the use of traffic patterns to create a covert channel. Typically, the channel is used to transfer information in a way that violates a security policy. For example, an employee may wish to communicate information to an outsider in a way that is not detected by management and that requires simple eavesdropping on the part of the outsider.
34 Link Encryption Approach: With the use of link encryption, network-layer headers (e.g., frame or cell header) are encrypted, reducing the opportunity for traffic analysis. However, it is still possible in those circumstances for an attacker to assess the amount of traffic on a network and to observe the amount of traffic entering and leaving each end system. An effective countermeasure to this attack is traffic padding, illustrated in Figure 7.6. Traffic padding produces cipher text output continuously, even in the absence of plaintext. A continuous random data stream is generated. When plaintext is available, it is encrypted and transmitted. When input plaintext is not present, random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish between true data flow and padding and therefore impossible to deduce the amount of traffic. End-to-End Encryption Approach: Traffic padding is essentially a link encryption function. If only end-to-end encryption is employed, then the measures available to the defender are more limited. For example, if encryption is implemented at the application layer, then an opponent can determine which transport entities are engaged in dialogue. One technique that might prove useful is to pad out data units to a uniform length at either the transport or application level. In addition, null messages can be inserted randomly into the stream. These tactics deny opponent knowledge about the amount of data exchanged between end users and obscure the underlying traffic pattern. KEY DISTRIBUTION: For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the term that refers to the means of delivering a key to two parties who wish to exchange data, without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows: 1. A can select a key and physically deliver it to B. 2. A third party can select the key and physically deliver it to A and B. 3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. 4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B. Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. 3 is mostly based on 1 or 2 occurring first. A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution to the huge growth in number of keys potentially needed. Key distribution centre:  The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used.  Communication between end systems is encrypted using a temporary key, often referred to as a session key.  Typically, the session key is used for the duration of a logical connection and then discarded
35  master key is shared by the key distribution center and an end system or user and used to encrypt the session key. Key Distribution Scenario: Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur: 1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice for a nonce. 2. The KDC responds with a message encrypted using Ka Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC. The message includes two items intended for A:  The one-time session key, Ks, to be used for the session  The original request message, including the nonce, to enable A to match this response with the appropriate request Thus, A can verify that its original request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of some previous request. In addition, the message includes two items intended for B:  The one-time session key, Ks to be used for the session  An identifier of A (e.g., its network address), IDA These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.
36 3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable: 4. Using the newly minted session key for encryption, B sends a nonce, N2, to A. 5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one). These steps assure B that the original message it received (step 3) was not a replay. Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3, perform an authentication function. Major Issues with KDC: For very large networks, a hierarchy of KDCs can be established. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a (hierarchy of) global KDC(s). To balance security & effort, a new session key should be used for each new connection-oriented session. For a connectionless protocol, a new session key is used for a certain fixed period only or for a certain number of transactions. An automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other, provided they trust the system to act on their behalf. The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from subversion. This requirement can be avoided if key distribution is fully decentralized. In addition to separating master keys from session keys, may wish to define different types of session keys on the basis of use.
37 UNIT-5
38
39
40
41
42
43
44
45
46
47
48
49 UNIT-6 PUBLIC KEY CRYPTOGRAPHY PublicKeyCryptography: Unlike symmetric key cryptography, we do not find historical use of public-key cryptography. It is a relatively new concept. Symmetric cryptography was well suited for organizations such as governments, military, and big financial corporations were involved in the classified communication. With the spread of more unsecure computer networks in last few decades, a genuine need was felt to use cryptography at larger scale. The symmetric key was found to be non-practical due to challenges it faced for key management. This gave rise to the public key cryptosystems. The process of encryption and decryption is depicted in the following illustration − The most important properties of public key encryption scheme are  Different keys are used for encryption and decryption. This is a property which set this scheme different than symmetric encryption scheme.  Each receiver possesses a unique decryption key, generally referred to as his private key.  Receiver needs to publish an encryption key, referred to as his public key.  Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing by adversary as the receiver. Generally, this type of cryptosystem involves trusted third party which certifies that a particular public key belongs to a specific person or entity only.  Encryption algorithm is complex enough to prohibit attacker from deducing the plaintext from the ciphertext and the encryption (public) key.  Though private and public keys are related mathematically, it is not be feasible to calculate the private key from the public key. In fact, intelligent part of any public-key cryptosystem is in designing a relationship between two keys. There are three types of Public Key Encryption schemes. We discuss them in following sections RSACryptosystem: This cryptosystem is one the initial system. It remains most employed cryptosystem even today. The system was invented by three scholars Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem. We will see two aspects of the RSA cryptosystem, firstly generation of key pair and secondly encryption-decryption algorithms. Generation of RSA Key Pair Each person or a party who desires to participate in communication using encryption needs to generate a pair of keys, namely public key and private key. The process followed in the generation of keys is described below −  Generate the RSA modulus (n)
50 o Select two large primes, p and q. o Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.  Find Derived Number (e) o Number e must be greater than 1 and less than (p − 1)(q − 1). o There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two numbers e and (p – 1)(q – 1) are coprime.  Form the public key o The pair of numbers (n, e) form the RSA public key and is made public. o Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of RSA.  Generate the private key o Private Key d is calculated from p, q, and e. For given n and e, there is unique number d. o Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q - 1). o This relationship is written mathematically as follows − ed = 1 mod (p − 1)(q − 1) The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output. Example An example of generating RSA Key pair is given below. (For ease of understanding, the primes p & q taken here are small values. Practically, these values are very high).  Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.  Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)(q − 1) = 6 × 12 = 72, except for 1.  The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom we wish to be able to send us encrypted messages.  Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.  Check that the d calculated is correct by computing − de = 29 × 5 = 145 = 1 mod 72  Hence, public key is (91, 5) and private keys is (91, 29). Encryption and Decryption Once the key pair has been generated, the process of encryption and decryption are relatively straightforward and computationally easy. Interestingly, RSA does not directly operate on strings of bits as in case of symmetric key encryption. It operates on numbers modulo n. Hence, it is necessary to represent the plaintext as a series of numbers less than n. RSA Encryption  Suppose the sender wish to send some text message to someone whose public key is (n, e).  The sender then represents the plaintext as a series of numbers less than n.  To encrypt the first plaintext P, which is a number modulo n. The encryption process is simple mathematical step as − C = Pe mod n  In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then reduced modulo n. This means that C is also a number less than n.  Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −
51 C = 105 mod 91 RSA Decryption  The decryption process for RSA is also very straightforward. Suppose that the receiver of public- key pair (n, e) has received a ciphertext C.  Receiver raises C to the power of his private key d. The result modulo n will be the plaintext P. Plaintext = Cd mod n  Returning again to our numerical example, the ciphertext C = 82 would get decrypted to number 10 using private key 29 − Plaintext = 8229 mod 91 = 10 RSA Analysis The security of RSA depends on the strengths of two separate functions. The RSA cryptosystem is most popular public-key cryptosystem strength of which is based on the practical difficulty of factoring the very large numbers.  Encryption Function − It is considered as a one-way function of converting plaintext into ciphertext and it can be reversed only with the knowledge of private key d.  Key Generation − The difficulty of determining a private key from an RSA public key is equivalent to factoring the modulus n. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless he can factor n. It is also a one way function, going from p & q values to modulus n is easy but reverse is not possible. If either of these two functions are proved non one-way, then RSA will be broken. In fact, if a technique for factoring efficiently is developed then RSA will no longer be safe. The strength of RSA encryption drastically goes down against attacks if the number p and q are not large primes and/ or chosen public key e is a small number. In the last chapter, we discussed the data integrity threats and the use of hashing technique to detect if any modification attacks have taken place on the data. Another type of threat that exist for data is the lack of message authentication. In this threat, the user is not sure about the originator of the message. Message authentication can be provided using the cryptographic techniques that use secret keys as done in case of encryption. MessageAuthenticationCode(MAC): MAC algorithm is a symmetric key cryptographic technique to provide message authentication. For establishing MAC process, the sender and receiver share a symmetric key K. Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication. The process of using MAC for authentication is depicted in the following illustration – Let us now try to understand the entire process in detail −  The sender uses some publicly known MAC algorithm, inputs the message and the secret key K and produces a MAC value.  Similar to hash, MAC function also compresses an arbitrary long input into a fixed length output. The major difference between hash and MAC is that MAC uses secret key during the compression.  The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned of providing message origin authentication, not confidentiality. If confidentiality is required then the message needs encryption.  On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value.
52  The receiver now checks equality of freshly computed MAC with the MAC received from the sender. If they match, then the receiver accepts the message and assures himself that the message has been sent by the intended sender.  If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether it is the message that has been altered or it is the origin that has been falsified. As a bottom-line, a receiver safely assumes that the message is not the genuine. LimitationsofMAC There are two major limitations of MAC, both due to its symmetric nature of operation −  Establishment of Shared Secret. o It can provide message authentication among pre-decided legitimate users who have shared key. o This requires establishment of shared secret prior to use of MAC.  Inability to Provide Non-Repudiation o Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions. o MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide a proof that a message was indeed sent by the sender. o Though no third party can compute the MAC, still sender could deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC. Both these limitations can be overcome by using the public key based digital signatures discussed in following section. HASH FUNCTION: Hash functions are extremely useful and appear in almost all information security applications. A hash function is a mathematical function that converts a numerical input value into another compressed numerical value. The input to the hash function is of arbitrary length but output is always of fixed length. Values returned by a hash function are called message digest or simply hash values. The following picture illustrated hash function −
53 FeaturesofHashFunctions: The typical features of hash functions are −  Fixed Length Output (Hash Value) o Hash function coverts data of arbitrary length to a fixed length. This process is often referred to as hashing the data. o In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions. o Since a hash is a smaller representation of a larger data, it is also referred to as a digest. o Hash function with n bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits.  Efficiency of Operation o Generally for any hash function h with input x, computation of h(x) is a fast operation. o Computationally hash functions are much faster than a symmetric encryption. PropertiesofHashFunctions: In order to be an effective cryptographic tool, the hash function is desired to possess following properties −  Pre-Image Resistance o This property means that it should be computationally hard to reverse a hash function. o In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z. o This property protects against an attacker who only has a hash value and is trying to find the input.  Second Pre-Image Resistance o This property means given an input and its hash, it should be hard to find a different input with the same hash. o In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x). o This property of hash function protects against an attacker who has an input value and its hash, and wants to substitute different value as legitimate value in place of original input value.  Collision Resistance o This property means it should be hard to find two different inputs of any length that result in the same hash. This property is also referred to as collision free hash function. o In other words, for a hash function h, it is hard to find any two different inputs x and y such that h(x) = h(y). o Since, hash function is compressing function with fixed hash length, it is impossible for a hash function not to have collisions. This property of collision free only confirms that these collisions should be hard to find. o This property makes it very difficult for an attacker to find two input values with the same hash. o Also, if a hash function is collision-resistant then it is second pre-image resistant. DesignofHashingAlgorithms: At the heart of a hashing is a mathematical function that operates on two fixed-size blocks of data to create a hash code. This hash function forms the part of the hashing algorithm. The size of each data block varies depending on the algorithm. Typically the block sizes are from 128 bits to 512 bits. The following illustration demonstrates hash function −
54 Hashing algorithm involves rounds of above hash function like a block cipher. Each round takes an input of a fixed size, typically a combination of the most recent message block and the output of the last round. This process is repeated for as many rounds as are required to hash the entire message. Schematic of hashing algorithm is depicted in the following illustration − Since, the hash value of first message block becomes an input to the second hash operation, output of which alters the result of the third operation, and so on. This effect, known as an avalanche effect of hashing. Avalanche effect results in substantially different hash values for two messages that differ by even a single bit of data. Understand the difference between hash function and algorithm correctly. The hash function generates a hash code by operating on two blocks of fixed-length binary data. Hashing algorithm is a process for using the hash function, specifying how the message will be broken up and how the results from previous message blocks are chained together. PopularHashFunctions Let us briefly see some popular hash functions − Message Digest (MD) MD5 was most popular and widely used hash function for quite some years.  The MD family comprises of hash functions MD2, MD4, MD5 and MD6. It was adopted as Internet Standard RFC 1321. It is a 128-bit hash function.  MD5 digests have been widely used in the software world to provide assurance about integrity of transferred file. For example, file servers often provide a pre-computed MD5 checksum for the files, so that a user can compare the checksum of the downloaded file to it.  In 2004, collisions were found in MD5. An analytical attack was reported to be successful only in an hour by using computer cluster. This collision attack resulted in compromised MD5 and hence it is no longer recommended for use. Secure Hash Function (SHA) Family of SHA comprise of four SHA algorithms; SHA-0, SHA-1, SHA-2, and SHA-3. Though from same family, there are structurally different.  The original version is SHA-0, a 160-bit hash function, was published by the National Institute of Standards and Technology (NIST) in 1993. It had few weaknesses and did not become very popular. Later in 1995, SHA-1 was designed to correct alleged weaknesses of SHA-0.  SHA-1 is the most widely used of the existing SHA hash functions. It is employed in several widely used applications and protocols including Secure Socket Layer (SSL) security.
55  In 2005, a method was found for uncovering collisions for SHA-1 within practical time frame making long-term employability of SHA-1 doubtful.  SHA-2 family has four further SHA variants, SHA-224, SHA-256, SHA-384, and SHA-512 depending up on number of bits in their hash value. No successful attacks have yet been reported on SHA-2 hash function.  Though SHA-2 is a strong hash function. Though significantly different, its basic design is still follows design of SHA-1. Hence, NIST called for new competitive hash function designs.  In October 2012, the NIST chose the Keccak algorithm as the new SHA-3 standard. Keccak offers many benefits, such as efficient performance and good resistance for attacks. ApplicationsofHashFunctions There are two direct applications of hash function based on its cryptographic properties. Password Storage Hash functions provide protection to password storage.  Instead of storing password in clear, mostly all logon processes store the hash values of passwords in the file.  The Password file consists of a table of pairs which are in the form (user id, h(P)).  The process of logon is depicted in the following illustration −  An intruder can only see the hashes of passwords, even if he accessed the password. He can neither logon using hash nor can he derive the password from hash value since hash function possesses the property of pre-image resistance. Data Integrity Check Data integrity check is a most common application of the hash functions. It is used to generate the checksums on data files. This application provides assurance to the user about correctness of the data. The process is depicted in the following illustration – The integrity check helps the user to detect any changes made to original file. It however, does not provide any assurance about originality. The attacker, instead of modifying file data, can change the entire file and compute all together new hash and send to the receiver. This integrity check application is useful only if the user is sure about the originality of file.
56 DIGITAL SIGNATURES: Digital signatures are the public-key primitives of message authentication. In the physical world, it is common to use handwritten signatures on handwritten or typed messages. They are used to bind signatory to the message. Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by receiver as well as any third party. Digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer. In real world, the receiver of message needs assurance that the message belongs to the sender and he should not be able to repudiate the origination of that message. This requirement is very crucial in business applications, since likelihood of a dispute over exchanged data is very high. ModelofDigitalSignature As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of digital signature scheme is depicted in the following illustration − The following points explain the entire process in detail −  Each person adopting this scheme has a public-private key pair.  Generally, the key pairs used for encryption/decryption and signing/verifying are different. The private key used for signing is referred to as the signature key and the public key as the verification key.  Signer feeds data to the hash function and generates hash of data.  Hash value and signature key are then fed to the signature algorithm which produces the digital signature on given hash. Signature is appended to the data and then both are sent to the verifier.
57  Verifier feeds the digital signature and the verification key into the verification algorithm. The verification algorithm gives some value as output.  Verifier also runs same hash function on received data to generate hash value.  For verification, this hash value and output of verification algorithm are compared. Based on the comparison result, verifier decides whether the digital signature is valid.  Since digital signature is created by ‘private’ key of signer and no one else can have this key; the signer cannot repudiate signing the data in future. It should be noticed that instead of signing data directly by signing algorithm, usually a hash of data is created. Since the hash of data is a unique representation of data, it is sufficient to sign the hash in place of data. The most important reason of using hash instead of data directly for signing is efficiency of the scheme. Let us assume RSA is used as the signing algorithm. As discussed in public key encryption chapter, the encryption/signing process using RSA involves modular exponentiation. Signing large data through modular exponentiation is computationally expensive and time consuming. The hash of the data is a relatively small digest of the data, hence signing a hash is more efficient than signing the entire data. ImportanceofDigitalSignature: Out of all cryptographic primitives, the digital signature using public key cryptography is considered as very important and useful tool to achieve information security. Apart from ability to provide non-repudiation of message, the digital signature also provides message authentication and data integrity. Let us briefly see how this is achieved by the digital signature −  Message authentication − When the verifier validates the digital signature using public key of a sender, he is assured that signature has been created only by sender who possess the corresponding secret private key and no one else.  Data Integrity − In case an attacker has access to the data and modifies it, the digital signature verification at receiver end fails. The hash of modified data and the output provided by the verification algorithm will not match. Hence, receiver can safely deny the message assuming that data integrity has been breached.  Non-repudiation − Since it is assumed that only the signer has the knowledge of the signature key, he can only create unique signature on a given data. Thus the receiver can present data and the digital signature to a third party as evidence if any dispute arises in the future. By adding public-key encryption to digital signature scheme, we can create a cryptosystem that can provide the four essential elements of security namely − Privacy, Authentication, Integrity, and Non- repudiation. EncryptionwithDigitalSignature: In many digital communications, it is desirable to exchange encrypted messages than plaintext to achieve confidentiality. In public key encryption scheme, a public (encryption) key of sender is available in open domain, and hence anyone can spoof his identity and send any encrypted message to the receiver. This makes it essential for users employing PKC for encryption to seek digital signatures along with encrypted data to be assured of message authentication and non-repudiation. This can archived by combining digital signatures with encryption scheme. Let us briefly discuss how to achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign. However, the crypto system based on sign-then-encrypt can be exploited by receiver to spoof identity of sender and sent that data to third party. Hence, this method is not preferred. The process of encrypt-then- sign is more reliable and widely adopted. This is depicted in the following illustration – The receiver after receiving the encrypted data and signature on it, first verifies the signature using sender’s public key. After ensuring the validity of the signature, he then retrieves the data through decryption using his private key.
58 Authentication protocol: An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax. Authentication protocols developed for PPP Point-to-Point Protocol: Protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them are using a password as the cornerstone of the authentication. The password has to be shared between the communicating entities in advance.[5] PAP 2-way handshake scheme PAP - Password Authentication Protocol: Password Authentication Protocol is one of the oldest authentication protocols. Authentication is initialized by client/user by sending packet with credentials (username and password) at the beginning of the connection.[6] It is highly insecure because the credentials are being transmitted over the network in plain ASCII text thus it is vulnerable even to the most simple attacks like Eavesdropping and man-in-the- middle based attacks. CHAP - Challenge-handshake authentication protocol: The authentication process in this protocol is always initialized by the server/host and can be performed anytime during the session, even repeatedly. Server sends a random string (usually 128B long). Client uses his password and the string received as parameters for MD5 hash function and then sends the result together with username in plain text. Server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful or unsuccessful.
59 EAP - Extensible Authentication Protocol: EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in IEEE 802.3, IEEE 802.11(WiFi) or IEEE 802.16 as a part of IEEE 802.1x authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most common are:  EAP-MD5  EAP-TLS  EAP-TTLS  EAP-FAST  EAP-PEAP Authentication applications: KERBEROS: It is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication— both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.
60 UNIT-7 Email security: Pretty Good Privacy It is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991. PGP is an open-source freely available software package for e-mail security. It provides authentication through the use of digital signature; confidentiality through the use of symmetric block encryption; compression using the ZIP algorithm; e-mail compatibility using the radix-64 encoding scheme; and segmentation and reassembly to accommodate long e-mails. ● PGP incorporates tools for developing a public-key trust model and public-key certificate management. ● S/MIME is an Internet standard approach to e-mail security that incorporates the same functionality as PGP. PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth: 1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support. 2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding. 3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks. 4. It was not developed by, nor is it controlled by, any governmental or standards organization. For those with an instinctive distrust of "the establishment," this makes PGP attractive. 5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an antiestablishment endeavor. Design: PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server. Authentication 1 The sender creates a message. 2. SHA-1 is used to generate a 160-bit hash code of the message. 3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message. 4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code. 5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic. Confidentiality: PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires
61 a symmetric key. Each symmetric key is used only once and is also called a session key. The message and its session key are sent to the receiver. The session key must be sent to the receiver so they know how to decrypt the message, but to protect it during transmission it is encrypted with the receiver's public key. Only the private key belonging to the receiver can decrypt the session key. 1. The sender generates a message and a random 128-bit number to be used as a session key for this message only. 2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key. 3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message. 4. The receiver uses RSA with its private key to decrypt and recover the session key. 5. The session key is used to decrypt the message. Confidentiality and Authentication: both services may be used for the same message. First, a signature is generated for the plaintext message and prepended to the message. Then the plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES), and the session key is encrypted using RSA (or ElGamal). This sequence is preferable to the opposite: encrypting the message and then generating a signature for the encrypted message. It is generally more convenient to store a signature with a plaintext version of a message. Furthermore, for purposes of third-party erification, if the signature is performed first, a third party need not be concerned with the symmetric key when verifying the signature.
62 Digital signatures: PGP supports message authentication and integrity checking. The latter is used to detect whether a message has been altered since it was completed (the message integrity property) and the former to determine whether it was actually sent by the person or entity claimed to be the sender (a digital signature). Because the content is encrypted, any changes in the message will result in failure of the decryption with the appropriate key. The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext and then creates the digital signature from that hash using the sender's private key. S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet email format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users.
63 Multipurpose Internet Mail Extensions: MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail. The MIME specification includes the following elements: 1. Five new message header fields are defined, which may be included in an RFC 822 header. These fields provide information about the body of the message. 2. A number of content formats are defined, thus standardizing representations that support multimedia electronic mail. 3. Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system. In this subsection, we introduce the five message header fields. The next two subsections deal with content formats and transfer encodings. The five header fields defined in MIME are as follows: ● MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms to RFCs 2045 and 2046. ● Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner. ● Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport. ● Content-ID: Used to identify MIME entities uniquely in multiple contexts. ● Content-Description: A text description of the object with the body; this is useful when the object is not readable (e.g., audio data). IP SECURITY: IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6), by means of additional headers. ● IPSec encompasses three functional areas: authentication, confidentiality, and key management. ● Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to the entire packet except for the IP header (transport mode). ● Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. ● IPSec defines a number of techniques for key management. Applications of IPSec IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following: ● Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. ● Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. ● Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. ● Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security. Benefits of IPSec
64 ● When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing. ● IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP, and the firewall is the only means of entrance from the Internet into the organization. ● IPSec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper-layer software, including applications, is not affected. ● IPSec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization. ● IPSec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications. IPSec Services IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security: An authentication protocol designated by the header of the protocol, Authentication Header (AH); and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are ● Access control ● Connectionless integrity ● Data origin authentication ● Rejection of replayed packets (a form of partial sequence integrity) ● Confidentiality (encryption) ● Limited traffic flow confidentiality Authentication Header The Authentication Header provides support for data integrity and authentication of IP packets. The data integrity feature ensures that undetected modification to a packet's content in transit is not possible. The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly; it also prevents the address spoofing attacks observed in today's Internet. The AH also guards against the replay attack described later in this section. Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key. The Authentication Header consists of the following fields ● Next Header (8 bits): Identifies the type of header immediately following this header.
65 ● Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2. For example, the default length of the authentication data field is 96 bits, or three 32-bit words. With a three-word fixed header, there are a total of six words in the header, and the Payload Length field has a value of 4. ● Reserved (16 bits): For future use. ● Security Parameters Index (32 bits): Identifies a security association. ● Sequence Number (32 bits): A monotonically increasing counter value, discussed later. ● Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet, discussed later. WEB SECURITY: The Internet is two way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet. ● The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted. ● Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. ● A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site. ● Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.
66 Web Security Threats: Secure Socket Layer and Transport Layer Security Netscape originated SSL. Version 3 of the protocol was designed with public review and input from industry and was published as an Internet draft document. Subsequently, when a consensus was reached to submit the protocol for Internet standardization, the TLS working group was formed within IETF to develop a common standard. SSL Architecture SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols. The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol.
67 Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows: ● Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session. ● Session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection. Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections. In theory, there may also be multiple simultaneous sessions between parties, but his feature is not used in practice. There are actually a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and writes states are created. A session state is defined by the following parameters (definitions taken from the SSL specification): ● Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state. ● Peer certificate: An X509.v3 certificate of the peer. This element of the state may be null. ● Compression method: The algorithm used to compress data prior to encryption. ● Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. Master secret: 48-byte secret shared between the client and server. ● Is resumable: A flag indicating whether the session can be used to initiate new connections. A connection state is defined by the following parameters: ● Server and client random: Byte sequences that are chosen by the server and client for each connection. ● Server write MAC secret: The secret key used in MAC operations on data sent by the server. ● Client write MAC secret: The secret key used in MAC operations on data sent by the client. ● Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client. ● Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server.
68 ● Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the final cipher text block from each record is preserved for use as the IV with the following record. ● Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 264 1.
69 UNIT-8 SECURITY SYSTEM INTRUDERS: One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker identified three classes of intruders: ● Masquerader: An individual who is not authorized to use the computer and who penetrates a System’s access controls to exploit a legitimate user's account ● Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges ● Clandestine user: An individual who seizes supervisory control of the system. The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider. Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system. INTRUSION TECHNIQUES: The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruder to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user. One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced. Access control: Access to the password file is limited to one or a very few accounts. 1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults. 2. Exhaustively try all short passwords (those of one to three characters). 3. Try words in the system's online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards. 4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies. 5. Try users' phone numbers, Social Security numbers, and room numbers. 6. Try all legitimate license plate numbers for this state. 7. Tap the line between a remote user and the host system. INTRUSION DETECTION: 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. Malicious software is software that is intentionally included or inserted in a system for a harmful purpose. VIRUS: A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. Virus and Related Threads:
70 THE NATURE OF VIRUSES: A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. During its lifetime, a typical virus goes through the following four phases: ● Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage. ● Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase. ● Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. ● Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files. TYPES OF VIRUSES: There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures have been developed for existing types of viruses, new types have been developed. ● Parasitic virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect. ● Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes. ● Boot sector virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. ● Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. ● Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
71 ● Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every File. Worms A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. However, we can still classify it as a virus because it requires a human to move it forward. A worm actively seeks out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions. To replicate itself, a network worm uses some sort of network vehicle. Examples include the following: ● Electronic mail facility: A worm mails a copy of itself to other systems. ● Remote execution capability: A worm executes a copy of itself on another system. ● Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other. Firewall: A firewall forms a barrier through which the traffic going in each direction must pass. A firewall security policy dictates which traffic is authorized to pass in each direction. ● A firewall may be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer. Firewall characteristics: 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later 3. The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system. Almost every medium and large-scale organization has a presence on the Internet and has an organizational network connected to it. Network partitioning at the boundary between the outside Internet and the internal network is essential for network security. Sometimes the inside network (intranet) is referred to as the “trusted” side and the external Internet as the “un-trusted” side. TYPESOFFIREWALL: Firewall is a network device that isolates organization’s internal network from larger outside network/Internet. It can be hardware, software, or combined system that prevents unauthorized access to or from internal network. All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
72 Deploying firewall at network boundary is like aggregating the security at a single point. It is analogous to locking an apartment at the entrance and not necessarily at each door. Firewall is considered as an essential element to achieve network security for the following reasons −  Internal network and hosts are unlikely to be properly secured.  Internet is a dangerous place with criminals, users from competing companies, disgruntled ex- employees, spies from unfriendly countries, vandals, etc.  To prevent an attacker from launching denial of service attacks on network resource.  To prevent illegal modification/access to internal data by an outsider attacker. Firewall is categorized into three basic types −  Packet filter (Stateless & Stateful)  Application-level gateway  Circuit-level gateway These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories. STATELESS&STATEFULPACKETFILTERINGFIREWALL: In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet. Packet-filtering firewalls allow or block the packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header. The decision can be based on factors other than IP header fields such as ICMP message type, TCP SYN and ACK bits, etc. Packet filter rule has two parts −  Selection criteria − It is a used as a condition and pattern matching for decision making.  Action field − This part specifies action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall. Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on routers or switches. ACL is a table of packet filter rules. As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each incoming packet, finds matching criteria and either permits or denies the individual packets.
73 Stateless firewall is a kind of a rigid tool. It looks at packet and allows it if its meets the criteria even if it is not part of any established ongoing communication. Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of firewalls offer a more in-depth inspection method over the only ACL based packet inspection methods of stateless firewalls. Stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows them to keep track of connections state and determine which hosts have open, authorized connections at any given point in time. They reference the rule base only when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, and decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to already established connection. It can timeout inactive connections at firewall after which it no longer admit packets for that connection.

More Related Content

PPTX
OBSTACLE AVOIDING CAR
Shubham Thakur
 
PDF
VTU Network & cyber security (1-5 Module) Full notes
Jayanth Dwijesh H P
 
PPTX
Introduction to php
Taha Malampatti
 
PDF
Deterministic Finite Automata (DFA)
Animesh Chaturvedi
 
PDF
Educational management
Dr. Satish Kumar
 
PDF
Computer Network notes (handwritten) UNIT 1
NANDINI SHARMA
 
PPT
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
PDF
Pmp chap13 - project stakeholder management details
Anand Bobade
 
OBSTACLE AVOIDING CAR
Shubham Thakur
 
VTU Network & cyber security (1-5 Module) Full notes
Jayanth Dwijesh H P
 
Introduction to php
Taha Malampatti
 
Deterministic Finite Automata (DFA)
Animesh Chaturvedi
 
Educational management
Dr. Satish Kumar
 
Computer Network notes (handwritten) UNIT 1
NANDINI SHARMA
 
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Pmp chap13 - project stakeholder management details
Anand Bobade
 

What's hot (20)

PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
Topic1 substitution transposition-techniques
MdFazleRabbi18
 
PPTX
Public Key Cryptography
Gopal Sakarkar
 
PPTX
Rotor machine,subsitution technique
kirupasuchi1996
 
PPTX
Cryptography and network security
patisa
 
PPTX
Cryptography
Sidharth Mohapatra
 
PPTX
Congestion control
Aman Jaiswal
 
PPTX
Security Mechanisms
priya_trehan
 
PPTX
Public key algorithm
Prateek Pandey
 
PPTX
TCP/IP 3-way Handshake
Alok Tripathi
 
PPTX
Dynamic interconnection networks
Prasenjit Dey
 
PDF
Cryptography and Network Lecture Notes
FellowBuddy.com
 
PPTX
Point to-point protocol (ppp)
Kongu Engineering College, Perundurai, Erode
 
PDF
IP Security
Dr.Florence Dayana
 
PPTX
Security services and mechanisms
Rajapriya82
 
PPT
Internet control message protocol
asimnawaz54
 
PPTX
Data Encryption Standard (DES)
Haris Ahmed
 
PPTX
Symmetric and asymmetric key
Triad Square InfoSec
 
PPT
Message authentication and hash function
omarShiekh1
 
PPT
Network Security and Cryptography
Adam Reagan
 
Network security - OSI Security Architecture
BharathiKrishna6
 
Topic1 substitution transposition-techniques
MdFazleRabbi18
 
Public Key Cryptography
Gopal Sakarkar
 
Rotor machine,subsitution technique
kirupasuchi1996
 
Cryptography and network security
patisa
 
Cryptography
Sidharth Mohapatra
 
Congestion control
Aman Jaiswal
 
Security Mechanisms
priya_trehan
 
Public key algorithm
Prateek Pandey
 
TCP/IP 3-way Handshake
Alok Tripathi
 
Dynamic interconnection networks
Prasenjit Dey
 
Cryptography and Network Lecture Notes
FellowBuddy.com
 
Point to-point protocol (ppp)
Kongu Engineering College, Perundurai, Erode
 
IP Security
Dr.Florence Dayana
 
Security services and mechanisms
Rajapriya82
 
Internet control message protocol
asimnawaz54
 
Data Encryption Standard (DES)
Haris Ahmed
 
Symmetric and asymmetric key
Triad Square InfoSec
 
Message authentication and hash function
omarShiekh1
 
Network Security and Cryptography
Adam Reagan
 
Ad

Similar to Network security & cryptography full notes (20)

PPTX
CRYPTOGRAPHY crytopgraphy wh is sd wkd ,w d .pptx
abduganiyevbekzod011
 
PDF
Types of Cryptosystem and Cryptographic Attack
Mona Rajput
 
PDF
Cryptography and Network Security ppt . pdf
22cc005
 
PDF
Network security chapter 1
osama elfar
 
PPTX
Unit-1.pptx
ssuseref9c81
 
PPTX
cns unit 1.pptx
Saranya Natarajan
 
PPT
Cryptography introduction
Vasuki Ramasamy
 
PDF
Information Security Imp +Past Paper.pdf
ag3777499
 
PPT
NS-Lec-01&02.ppt
ahmed127489
 
PPT
Network security in computer network for BS
23017156038
 
PDF
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
International Journal of Technical Research & Application
 
PDF
The Road Network security
Khaled Omar
 
PPTX
Unit-1.pptx Distributed system ppt all info
nandinimakwana22cse
 
PPTX
IT235 POC - Unit I priciples of cryptography
ssuser000e54
 
PPT
CNS Unit-I_final.ppt
SwapnaPavan2
 
PDF
Cryptography and network security part a question and answers
uthayashangar1
 
PDF
Introduction to Network security
mohanad alobaidey
 
PPT
Module-1.ppt cryptography and network security
AparnaSunil24
 
PPTX
Basics -1.pptx kiy fdest xfderwe dgdar d
SoundaryaBC2
 
PPTX
X.800 defines a security service iyew gt
SoundaryaBC2
 
CRYPTOGRAPHY crytopgraphy wh is sd wkd ,w d .pptx
abduganiyevbekzod011
 
Types of Cryptosystem and Cryptographic Attack
Mona Rajput
 
Cryptography and Network Security ppt . pdf
22cc005
 
Network security chapter 1
osama elfar
 
Unit-1.pptx
ssuseref9c81
 
cns unit 1.pptx
Saranya Natarajan
 
Cryptography introduction
Vasuki Ramasamy
 
Information Security Imp +Past Paper.pdf
ag3777499
 
NS-Lec-01&02.ppt
ahmed127489
 
Network security in computer network for BS
23017156038
 
IMPLEMENTATION OF METHODS FOR TRANSACTION IN SECURE ONLINE BANKING
International Journal of Technical Research & Application
 
The Road Network security
Khaled Omar
 
Unit-1.pptx Distributed system ppt all info
nandinimakwana22cse
 
IT235 POC - Unit I priciples of cryptography
ssuser000e54
 
CNS Unit-I_final.ppt
SwapnaPavan2
 
Cryptography and network security part a question and answers
uthayashangar1
 
Introduction to Network security
mohanad alobaidey
 
Module-1.ppt cryptography and network security
AparnaSunil24
 
Basics -1.pptx kiy fdest xfderwe dgdar d
SoundaryaBC2
 
X.800 defines a security service iyew gt
SoundaryaBC2
 
Ad

Recently uploaded (20)

PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PPT
introduction to datamining and warehousing
ssuser4ab3a2
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
PPTX
Artificial Intelligence
dikshendrasarpate2
 
PPTX
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PPTX
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
PDF
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPT on Performance Review to get promotions
prashant593122
 
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
introduction to datamining and warehousing
ssuser4ab3a2
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
Artificial Intelligence
dikshendrasarpate2
 
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
Well-logging-methods_new................
ZafriFarid
 
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 

Network security & cryptography full notes

  • 1. 1 UNIT-1INTRODUCTION THE OSI SECURITY ARCHITECTURE: To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture was developed in the context of the OSI protocol architecture, which is described in Appendix H. However, for our purposes in this chapter, an understanding of the OSI protocol architecture is not required. For our purposes, the OSI security architecture provides a useful, if abstract, overview of many of the concepts.. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows: 1. Security attack – Any action that compromises the security of information owned by an organization. 2. Security mechanism – A mechanism that is designed to detect, prevent or recover from a security attack. 3. Security service – A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks and they make use of one or more security mechanisms to provide the service. 1.SECURITY ATTACKS: AttacksonCryptosystems: Attacks are typically categorized based on the action performed by the attacker. An attack, thus, can be passive or active. PassiveAttacks: The main goal of a passive attack is to obtain unauthorized access to the information. For example, actions such as intercepting and eavesdropping on the communication channel can be regarded as passive attack. These actions are passive in nature, as they neither affect information nor disrupt the communication channel. A passive attack is often seen as stealing information. The only difference in stealing physical goods and stealing information is that theft of data still leaves the owner in possession of that data. Passive information attack is thus more dangerous than stealing of goods, as information theft may go unnoticed by the owner.
  • 2. 2 ActiveAttacks: An active attack involves changing the information in some way by conducting some process on the information. For example,  Modifying the information in an unauthorized manner.  Initiating unintended or unauthorized transmission of information.  Alteration of authentication data such as originator name or timestamp associated with information  Unauthorized deletion of data.  Denial of access to information for legitimate users (denial of service). Cryptography provides many tools and techniques for implementing cryptosystems capable of preventing most of the attacks described above. AssumptionsofAttacker: Let us see the prevailing environment around cryptosystems followed by the types of attacks employed to break these systems CryptographicAttacks: The basic intention of an attacker is to break a cryptosystem and to find the plaintext from the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret decryption key, as the algorithm is already in public domain. Hence, he applies maximum effort towards finding out the secret key used in the cryptosystem. Once the attacker is able to determine the key, the attacked system is considered as broken or compromised. Based on the methodology used, attacks on cryptosystems are categorized as follows −  Ciphertext Only Attacks (COA) − In this method, the attacker has access to a set of ciphertext(s). He does not have access to corresponding plaintext. COA is said to be successful when the corresponding plaintext can be determined from a given set of ciphertext. Occasionally, the encryption key can be determined from this attack. Modern cryptosystems are guarded against ciphertext-only attacks.  Known Plaintext Attack (KPA) − In this method, the attacker knows the plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext using this information. This may be done by determining the key or via some other method. The best example of this attack is linear cryptanalysis against block ciphers.  Chosen Plaintext Attack (CPA) − In this method, the attacker has the text of his choice encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his task of
  • 3. 3 determining the encryption key. An example of this attack is differential cryptanalysis applied against block ciphers as well as hash functions. A popular public key cryptosystem, RSA is also vulnerable to chosen-plaintext attacks.  Dictionary Attack − This attack has many variants, all of which involve compiling a ‘dictionary’. In simplest method of this attack, attacker builds a dictionary of ciphertexts and corresponding plaintexts that he has learnt over a period of time. In future, when an attacker gets the ciphertext, he refers the dictionary to find the corresponding plaintext.  Brute Force Attack (BFA) − In this method, the attacker tries to determine the key by attempting all possible keys. If the key is 8 bits long, then the number of possible keys is 28 = 256. The attacker knows the ciphertext and the algorithm, now he attempts all the 256 keys one by one for decryption. The time to complete the attack would be very high if the key is long.  Birthday Attack − This attack is a variant of brute-force technique. It is used against the cryptographic hash function. When students in a class are asked about their birthdays, the answer is one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to find the next student whose birthdate is 3rd Aug, we need to enquire 1.25* √365 ≈ 25 students. Similarly, if the hash function produces 64 bit hash values, the possible hash values are 1.8x1019 . By repeatedly evaluating the function for different inputs, the same output is expected to be obtained after about 5.1x109 random inputs. If the attacker is able to find two different inputs that give the same hash value, it is a collision and that hash function is said to be broken.  Man in Middle Attack (MIM) − The targets of this attack are mostly public key cryptosystems where key exchange is involved before communication takes place. o Host A wants to communicate to host B, hence requests public key of B. o An attacker intercepts this request and sends his public key instead. o Thus, whatever host A sends to host B, the attacker is able to read. o In order to maintain communication, the attacker re-encrypts the data after reading with his public key and sends to B. o The attacker sends his public key as A’s public key so that B takes it as if it is taking it from A.  Side Channel Attack (SCA) − This type of attack is not against any particular type of cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical implementation of the cryptosystem.  Timing Attacks − They exploit the fact that different computations take different times to compute on processor. By measuring such timings, it is be possible to know about a particular computation the processor is carrying out. For example, if the encryption takes a longer time, it indicates that the secret key is long.  Power Analysis Attacks − These attacks are similar to timing attacks except that the amount of power consumption is used to obtain information about the nature of the underlying computations.  Fault analysis Attacks − In these attacks, errors are induced in the cryptosystem and the attacker studies the resulting output for useful information. 2.SECURITYSERVICES: The primary objective of using cryptography is to provide the following four fundamental information security services. Let us now see the possible goals intended to be fulfilled by cryptography. A. Confidentiality: Confidentiality is the fundamental security service provided by cryptography. It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy. Confidentiality can be achieved through numerous means starting from physical securing to the use of mathematical algorithms for data encryption.
  • 4. 4 B. Data Integrity: It is security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidently. Integrity service confirms that whether data is intact or not since it was last created, transmitted, or stored by an authorized user. Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has been manipulated in an unauthorized manner. C. Authentication: Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender. Authentication service has two variants  Message authentication identifies the originator of the message without any regard router or system that has sent the message.  Entity authentication is assurance that data has been received from a specific entity, say a particular website. Apart from the originator, authentication may also provide assurance about other parameters related to data such as the date and time of creation/transmission. D. Non-repudiation: It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party. Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the purchase order, if non-repudiation service was enabled in this transaction. CryptographyPrimitives: Cryptography primitives are nothing but the tools and techniques in Cryptography that can be selectively used to provide a set of desired security services −  Encryption  Hash functions  Message Authentication codes (MAC)  Digital Signatures The following table shows the primitives that can achieve a particular security service on their own. Note − Cryptographic primitives are intricately related and they are often combined to achieve a set of desired security services from a cryptosystem 3. SECURITY MECHANISM: A mechanism that is designed to detect, prevent or recover from a security attack. One of the most specific security mechanisms in use is cryptographic techniques. Encryption or encryption-like
  • 5. 5 transformations of information are the most common means of providing security. Some of the mechanisms are: A. Encipherment The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. B.Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient). C.Access Control A variety of mechanisms that enforce access rights to resources. D.Data Integrity A variety of mechanisms used to assure the integrity of a data unit or stream of data units. E.Authentication Exchange A mechanism intended to ensure the identity of an entity by means of information exchange. F.Traffic Padding The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts. G.Routing Control Enables selection of particular physically secure routes for certain data and allows routing changes, especially when abreach of security is suspected. Cryptosystems: A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system. Let us discuss a simple model of a cryptosystem that provides confidentiality to the information being transmitted. This basic model is depicted in the illustration below − The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that any party intercepting or eavesdropping on the communication channel cannot extract the data. The objective of this simple cryptosystem is that at the end of the process, only the sender and the receiver will know the plaintext. ComponentsofaCryptosystem The various components of a basic cryptosystem are as follows −  Plaintext. It is the data to be protected during transmission.
  • 6. 6  Encryption Algorithm. It is a mathematical process that produces a ciphertext for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a ciphertext.  Ciphertext. It is the scrambled version of the plaintext produced by the encryption algorithm using a specific the encryption key. The ciphertext is not guarded. It flows on public channel. It can be intercepted or compromised by anyone who has access to the communication channel.  Decryption Algorithm, It is a mathematical process, that produces a unique plaintext for any given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.  Encryption Key. It is a value that is known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the ciphertext.  Decryption Key. It is a value that is known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext in order to compute the plaintext. For a given cryptosystem, a collection of all possible decryption keys is called a key space. An interceptor (an attacker) is an unauthorized entity who attempts to determine the plaintext. He can see the ciphertext and may know the decryption algorithm. He, however, must never know the decryption key. TypesofCryptosystems Fundamentally, there are two types of cryptosystems based on the manner in which encryption- decryption is carried out in the system −  Symmetric Key Encryption  Asymmetric Key Encryption The main difference between these cryptosystems is the relationship between the encryption and the decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is practically impossible to decrypt the ciphertext with the key that is unrelated to the encryption key. Symmetric Key Encryption: The encryption process where same keys are used for encrypting and decrypting the information is known as Symmetric Key Encryption. The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric cryptosystems are also sometimes referred to as secret key cryptosystems. A few well-known examples of symmetric key encryption methods are − Digital Encryption Standard (DES), Triple-DES (3DES), IDEA, and BLOWFISH. Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will fade away, as it has certain advantages over asymmetric key encryption. The salient features of cryptosystem based on symmetric key encryption are −  Persons using symmetric key encryption must share a common key prior to exchange of information.  Keys are recommended to be changed regularly to prevent any attack on the system.  A robust mechanism needs to exist to exchange the key between the communicating parties. As keys are required to be changed regularly, this mechanism becomes expensive and cumbersome.  In a group of n people, to enable two-party communication between any two persons, the number of keys required for group is n × (n – 1)/2.  Length of Key (number of bits) in this encryption is smaller and hence, process of encryption- decryption is faster than asymmetric key encryption.  Processing power of computer system required to run symmetric algorithm is less.
  • 7. 7 Challenge of Symmetric Key Cryptosystem: There are two restrictive challenges of employing symmetric key cryptography.  Key establishment − Before any communication, both the sender and the receiver need to agree on a secret symmetric key. It requires a secure key establishment mechanism in place.  Trust Issue − Since the sender and the receiver use the same symmetric key, there is an implicit requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that the receiver has lost the key to an attacker and the sender is not informed. These two challenges are highly restraining for modern day communication. Today, people need to exchange information with non-familiar and non-trusted parties. For example, a communication between online seller and customer. These limitations of symmetric key encryption gave rise to asymmetric key encryption schemes. Asymmetric Key Encryption: The encryption process where different keys are used for encrypting and decrypting the information is known as Asymmetric Key Encryption. Though the keys are different, they are mathematically related and hence, retrieving the plaintext by decrypting ciphertext is feasible. The process is depicted in the following illustration Asymmetric Key Encryption was invented in the 20th century to come over the necessity of pre-shared secret key between communicating persons. The salient features of this encryption scheme are as follows −  Every user in this system needs to have a pair of dissimilar keys, private key and public key. These keys are mathematically related − when one key is used for encryption, the other can decrypt the ciphertext back to the original plaintext.  It requires to put the public key in public repository and the private key as a well-guarded secret. Hence, this scheme of encryption is also called Public Key Encryption.  Though public and private keys of the user are related, it is computationally not feasible to find one from another. This is a strength of this scheme.  When Host1 needs to send data to Host2, he obtains the public key of Host2 from repository, encrypts the data, and transmits.  Host2 uses his private key to extract the plaintext.  Length of Keys (number of bits) in this encryption is large and hence, the process of encryption- decryption is slower than symmetric key encryption.  Processing power of computer system required to run asymmetric algorithm is higher.
  • 8. 8 Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite difficult to comprehend.
  • 9. 9 UNIT-2 CLASSICAL ENCRYPTION TECHNIQUES Plaintext: This is original text &what you want to encrypt. Cipher text: The encrypted output Enciphering or Encryption: The process by which plaintext is converted into cipher text. Encryption algorithm: The sequence of data processing steps that go into transforming plaintext into cipher text. Various parameters used by an encryption algorithm are derived from a secret key. Secret key: A secret key is used to set some or the entire various secret key. A secret key is used to set some or all of the various parameters used by the encryption algorithm. The important thing to note is that, in classical cryptography, the same secret key is used for encryption and decryption. It is for this reason that classical cryptography is also referred to as symmetric key cryptography. On the other hand, in the more modern cryptographic algorithms, the encryption and decryption keys are not only different, but also one of them is placed in the public domain. Such algorithms are commonly referred to as asymmetric key cryptography, public key cryptography, etc. Deciphering or Decryption: Recovering plaintext from cipher text. Decryption algorithm: The sequence of data processing steps that go into transforming cipher text back into plaintext. In classical cryptography, the various parameters used by a decryption algorithm are derived from the same secret key that was used in the encryption algorithm. Cryptography: The many schemes available today for encryption and decryption. Cryptographic system: Any single scheme for encryption and decryption. Difference between Classic Cryptography & Modern Cryptography: There are three major characteristics that separate modern cryptography from the classical approach. Classic Cryptography Modern Cryptography It manipulates traditional characters, i.e., letters and digits directly. It operates on binary bit sequences. It is mainly based on ‘security through obscurity’. The techniques employed for coding were kept secret and only the parties involved in communication knew about them. It relies on publicly known mathematical algorithms for coding the information. Secrecy is obtained through a secrete key which is used as the seed for the algorithms. The computational difficulty of algorithms, absence of secret key, etc., make it impossible for an attacker to obtain the original information even if he knows the algorithm used for coding. It requires the entire cryptosystem for communicating confidentially. Modern cryptography requires parties interested in secure communication to possess the secret key only.
  • 10. 10 ClassicalCryptographicSystems: Before proceeding further, you need to know some facts about historical cryptosystems  All of these systems are based on symmetric key encryption scheme.  The only security service these systems provide is confidentiality of information.  Unlike modern systems which are digital and treat data as binary numbers, the earlier systems worked on alphabets as basic element. These earlier cryptographic systems are also referred to as Ciphers. In general, a cipher is simply just a set of steps (an algorithm) for performing both an encryption, and the corresponding decryption. CaesarCipher: It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by another letter to form the cipher text. It is a simplest form of substitution cipher scheme. This cryptosystem is generally referred to as the Shift Cipher. The concept is to replace each alphabet by another alphabet which is ‘shifted’ by some fixed number between 0 and 25. For this type of scheme, both sender and receiver agree on a ‘secret shift number’ for shifting the alphabet. This number which is between 0 and 25 becomes the key of encryption. The name ‘Caesar Cipher’ is occasionally used to describe the Shift Cipher when the ‘shift of three’ is used. Process of Shift Cipher  In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath the first set of plaintext letters and slides it to LEFT by the number of positions of the secret shift.  The plaintext letter is then encrypted to the cipher text letter on the sliding ruler underneath. The result of this process is depicted in the following illustration for an agreed shift of three positions. In this case, the plaintext ‘tutorial’ is encrypted to the ciphertext ‘WXWRULDO’. Here is the cipher text alphabet for a Shift of 3.  On receiving the cipher text, the receiver who also knows the secret shift, positions his sliding ruler underneath the cipher text alphabet and slides it to RIGHT by the agreed shift number, 3 in this case.  He then replaces the cipher text letter by the plaintext letter on the sliding ruler underneath. Hence the cipher text ‘WXWRULDO’ is decrypted to ‘tutorial’. To decrypt a message encoded with a Shift of 3, generate the plaintext alphabet using a shift of ‘-3’ as shown below. Security Value: Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out. An attacker can carry out an exhaustive key search with available limited computing resources. Simple Substitution Cipher: It is an improvement to the Caesar Cipher. Instead of shifting the alphabets by some number, this scheme uses some permutation of the letters in alphabet. For
  • 11. 11 example, A.B
..Y.Z and Z.Y

B.A are two obvious permutation of all the letters in alphabet. Permutation is nothing but a jumbled up set of alphabets. With 26 letters in alphabet, the possible permutations are 26! (Factorial of 26) which is equal to 4x1026 . The sender and the receiver may choose any one of these possible permutation as a cipher text alphabet. This permutation is the secret key of the scheme. Process of Simple Substitution Cipher  Write the alphabets A, B, C,...,Z in the natural order.  The sender and the receiver decide on a randomly selected permutation of the letters of the alphabet.  Underneath the natural order alphabets, write out the chosen permutation of the letters of the alphabet. For encryption, sender replaces each plaintext letters by substituting the permutation letter that is directly beneath it in the table. This process is shown in the following illustration. In this example, the chosen permutation is K, D, G, ..., O. The plaintext ‘point’ is encrypted to ‘MJBXZ’. Here is a jumbled Cipher text alphabet, where the order of the cipher text letters is a key.  On receiving the cipher text, the receiver, who also knows the randomly chosen permutation, replaces each cipher text letter on the bottom row with the corresponding plaintext letter in the top row. The cipher text ‘MJBXZ’ is decrypted to ‘point’. Security Value: Simple Substitution Cipher is a considerable improvement over the Caesar Cipher. The possible number of keys is large (26!) and even the modern computing systems are not yet powerful enough to comfortably launch a brute force attack to break the system. However, the Simple Substitution Cipher has a simple design and it is prone to design flaws, say choosing obvious permutation, this cryptosystem can be easily broken. MonoalphabeticandPolyalphabeticCipher: Mono alphabetic cipher is a substitution cipher in which for a given key, the cipher alphabet for each plain alphabet is fixed throughout the encryption process. For example, if ‘A’ is encrypted as ‘D’, for any number of occurrence in that plaintext, ‘A’ will always get encrypted to ‘D’. All of the substitution ciphers we have discussed earlier in this chapter are monoalphabetic; these ciphers are highly susceptible to cryptanalysis. Poly alphabetic Cipher is a substitution cipher in which the cipher alphabet for the plain alphabet may be different at different places during the encryption process. The next two examples play fair and Vigenere Ciphers are poly alphabetic ciphers. PlayfairCipher: In this scheme, pairs of letters are encrypted, instead of single letters as in the case of simple substitution cipher. In play fair cipher, initially a key table is created. The key table is a 5×5 grid of alphabets that acts as the key for encrypting the plaintext. Each of the 25 alphabets must be unique and one letter of the alphabet (usually J) is omitted from the table as we need only 25 alphabets instead of 26. If the plaintext contains J, then it is replaced by I.
  • 12. 12 The sender and the receiver deicide on a particular key, say ‘tutorials’. In a key table, the first characters (going left to right) in the table is the phrase, excluding the duplicate letters. The rest of the table will be filled with the remaining letters of the alphabet, in natural order. The key table works out to be − Process of Play fair Cipher:  First, a plaintext message is split into pairs of two letters (digraphs). If there is an odd number of letters, a Z is added to the last letter. Let us say we want to encrypt the message “hide money”. It will be written as − HI DE MO NE YZ  The rules of encryption are − o If both the letters are in the same column, take the letter below each one (going back to the top if at the bottom) T U O R I ‘H’ and ‘I’ are in same column, hence take letter below them to replace. HI → QC A L S B C D E F G H K M N P Q V W X Y Z  If both letters are in the same row, take the letter to the right of each one (going back to the left if at the farthest right) T U O R I ‘D’ and ‘E’ are in same row, hence take letter to the right of them to replace. DE → EFA L S B C
  • 13. 13 D E F G H K M N P Q V W X Y Z  If neither of the preceding two rules are true, form a rectangle with the two letters and take the letters on the horizontal opposite corner of the rectangle. Using these rules, the result of the encryption of ‘hide money’ with the key of ‘tutorials’ would be − QC EF NU MF ZV Decrypting the Play fair cipher is as simple as doing the same process in reverse. Receiver has the same key and can create the same key table, and then decrypt any messages made using that key. Security Value It is also a substitution cipher and is difficult to break compared to the simple substitution cipher. As in case of substitution cipher, cryptanalysis is possible on the Play fair cipher as well, however it would be against 625 possible pairs of letters (25x25 alphabets) instead of 26 different possible alphabets. The Play fair cipher was used mainly to protect important, yet non-critical secrets, as it is quick to use and requires no special equipment. VigenereCipher: This scheme of cipher uses a text string (say, a word) as a key, which is then used for doing a number of shifts on the plaintext. For example, let’s assume the key is ‘point’. Each alphabet of the key is converted to its respective numeric value: In this case, p → 16, o → 15, i → 9, n → 14, and t → 20. Thus, the key is: 16 15 9 14 20. Process of Vigenere Cipher:  The sender and the receiver decide on a key. Say ‘point’ is the key. Numeric representation of this key is ‘16 15 9 14 20’.  The sender wants to encrypt the message, say ‘attack from south east’. He will arrange plaintext and numeric key as follows −
  • 14. 14  He now shifts each plaintext alphabet by the number written below it to create ciphertext as shown below −  Here, each plaintext character has been shifted by a different amount – and that amount is determined by the key. The key must be less than or equal to the size of the message.  For decryption, the receiver uses the same key and shifts received ciphertext in reverse order to obtain the plaintext. Security Value Vigenere Cipher was designed by tweaking the standard Caesar cipher to reduce the effectiveness of cryptanalysis on the cipher text and make a cryptosystem more robust. It is significantly more secure than a regular Caesar Cipher. In the history, it was regularly used for protecting sensitive political and military information. It was referred to as the unbreakable cipher due to the difficulty it posed to the cryptanalysis. Variants of Vigenere Cipher: There are two special cases of Vigenere cipher  The keyword length is same as plaintect message. This case is called Vernam Cipher. It is more secure than typical Vigenere cipher.  Vigenere cipher becomes a cryptosystem with perfect secrecy, which is called One-time pad. One-TimePad: The circumstances are −  The length of the keyword is same as the length of the plaintext.  The keyword is a randomly generated string of alphabets.  The keyword is used only once. Security Value: Let us compare Shift cipher with one-time pad. Shift Cipher − Easy to Break In case of Shift cipher, the entire message could have had a shift between 1 and 25. This is a very small size, and very easy to brute force. However, with each character now having its own individual shift between 1 and 26, the possible keys grow exponentially for the message. One-time Pad − Impossible to Break Let us say, we encrypt the name “point” with a one-time pad. It is a 5 letter text. To break the ciphertext by brute force, you need to try all possibilities of keys and conduct computation for
  • 15. 15 (26 x 26 x 26 x 26 x 26) = 265 = 11881376 times. That’s for a message with 5 alphabets. Thus, for a longer message, the computation grows exponentially with every additional alphabet. This makes it computationally impossible to break the ciphertext by brute force. TranspositionCipher: It is another type of cipher where the order of the alphabets in the plaintext is rearranged to create the cipher text. The actual plaintext alphabets are not replaced. An example is a ‘simple columnar transposition’ cipher where the plaintext is written horizontally with a certain alphabet width. Then the cipher text is read vertically as shown. For example, the plaintext is “golden statue is in eleventh cave” and the secret random key chosen is “five”. We arrange this text horizontally in table with number of column equal to key value. The resulting text is shown below. The cipher text is obtained by reading column vertically downward from first to last column. The cipher text is ‘gnuneaoseenvltiltedasehetivc’. To decrypt, the receiver prepares similar table. The number of columns is equal to key number. The number of rows is obtained by dividing number of total cipher text alphabets by key value and rounding of the quotient to next integer value. The receiver then writes the received cipher text vertically down and from left to right column. To obtain the text, he reads horizontally left to right and from top to bottom row.
  • 16. 16 UNIT-3 Modernencryptiontechniques: Digital data is represented in strings of binary digits (bits) unlike alphabets. Modern cryptosystems need to process this binary strings to convert in to another binary string. Based on how these binary strings are processed, a symmetric encryption schemes can be classified in to BlockCiphers In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block of plaintext bits is selected, a series of operations is performed on this block to generate a block of ciphertext bits. The number of bits in a block is fixed. For example, the schemes DES and AES have block sizes of 64 and 128, respectively. StreamCiphers In this scheme, the plaintext is processed one bit at a time i.e. one bit of plaintext is taken, and a series of operations is performed on it to generate one bit of ciphertext. Technically, stream ciphers are block ciphers with a block size of one bit. BlockCipher The basic scheme of a block cipher is depicted as follows − A block cipher takes a block of plaintext bits and generates a block of cipher text bits, generally of same size. The size of block is fixed in the given scheme. The choice of block size does not directly affect to the strength of encryption scheme. The strength of cipher depends up on the key length. BlockSize Though any size of block is acceptable, following aspects are borne in mind while selecting a size of a block.  Avoid very small block size − Say a block size is m bits. Then the possible plaintext bits combinations are then 2m . If the attacker discovers the plain text blocks corresponding to some
  • 17. 17 previously sent ciphertext blocks, then the attacker can launch a type of ‘dictionary attack’ by building up a dictionary of plaintext/ciphertext pairs sent using that encryption key. A larger block size makes attack harder as the dictionary needs to be larger.  Do not have very large block size − With very large block size, the cipher becomes inefficient to operate. Such plaintexts will need to be padded before being encrypted.  Multiples of 8 bit − A preferred block size is a multiple of 8 as it is easy for implementation as most computer processor handle data in multiple of 8 bits. PaddinginBlockCipher Block ciphers process blocks of fixed sizes (say 64 bits). The length of plaintexts is mostly not a multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each with third block of balance 22 bits. The last block of bits needs to be padded up with redundant information so that the length of the final block equal to block size of the scheme. In our example, the remaining 22 bits need to have additional 42 redundant bits added to provide a complete block. The process of adding bits to the last block is referred to as padding. Too much padding makes the system inefficient. Also, padding may render the system insecure at times, if the padding is done with same bits always. BlockCipherSchemes There is a vast number of block ciphers schemes that are in use. Many of them are publically known. Most popular and prominent block ciphers are listed below.  Digital Encryption Standard (DES) − The popular block cipher of the 1990s. It is now considered as a ‘broken’ block cipher, due primarily to its small key size.  Triple DES − It is a variant scheme based on repeated DES applications. It is still a respected block ciphers but inefficient compared to the new faster block ciphers available.  Advanced Encryption Standard (AES) − It is a relatively new block cipher based on the encryption algorithm Rijndael that won the AES design competition.  IDEA − It is a sufficiently strong block cipher with a block size of 64 and a key size of 128 bits. A number of applications use IDEA encryption, including early versions of Pretty Good Privacy (PGP) protocol. The use of IDEA scheme has a restricted adoption due to patent issues. FeistelBlockCipher: Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic system based on Feistel cipher structure uses the same algorithm for both encryption and decryption. EncryptionProcess The encryption process uses the Feistel structure consisting multiple rounds of processing of the plaintext, each round consisting of a “substitution” step followed by a permutation step. Feistel Structure is shown in the following illustration –  The input block to each round is divided into two halves that can be denoted as L and R for the left half and the right half.  In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes through an operation that depends on R and the encryption key. First, we apply an encrypting function ‘f’ that takes two input − the key K and R. The function produces the output f(R,K). Then, we XOR the output of the mathematical function with L.  In real implementation of the Feistel Cipher, such as DES, instead of using the whole encryption key during each round, a round-dependent key (a sub key) is derived from the encryption key. This means that each round uses a different key, although all these sub keys are related to the original key.  The permutation step at the end of each round swaps the modified L and unmodified R. Therefore, the L for the next round would be R of the current round. And R for the next round be the output L of the current round.
  • 18. 18  Above substitution and permutation steps form a ‘round’. The number of rounds are specified by the algorithm design.  Once the last round is completed then the two sub blocks, ‘R’ and ‘L’ are concatenated in this order to form the cipher text block. The difficult part of designing a Feistel Cipher is selection of round function ‘f’. In order to be unbreakable scheme, this function needs to have several important properties that are beyond the scope of our discussion. DecryptionProcess The process of decryption in Feistel cipher is almost similar. Instead of starting with a block of plaintext, the ciphertext block is fed into the start of the Feistel structure and then the process thereafter is exactly the same as described in the given illustration. The process is said to be almost similar and not exactly same. In the case of decryption, the only difference is that the subkeys used in encryption are used in the reverse order. The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If these are not swapped then the resulting ciphertext could not be decrypted using the same algorithm. NumberofRounds The number of rounds used in a Feistel Cipher depends on desired security from the system. More number of rounds provide more secure system. But at the same time, more rounds mean the inefficient slow encryption and decryption processes. Number of rounds in the systems thus depend upon efficiency–security tradeoff. The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST). DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The block size is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (function as check bits only). General Structure of DES is depicted in the following illustration −
  • 19. 19 Since DES is based on the Feistel Cipher, all that is required to specify DES is −  Round function  Key schedule  Any additional processing − Initial and final permutation InitialandFinalPermutation The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each other. They have no cryptography significance in DES. The initial and final permutations are shown as follows − RoundFunction The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
  • 20. 20  Expansion Permutation Box − Since right input is 32-bit and round key is a 48-bit, we first need to expand right input to 48 bits. Permutation logic is graphically depicted in the following illustration −  The graphically depicted permutation logic is generally described as table in DES specification illustrated as shown −  XOR (Whitener). − After the expansion permutation, DES does XOR operation on the expanded right section and the round key. The round key is used only in this operation.  Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer the following illustration −  The S-box rule is illustrated below −
  • 21. 21  There are a total of eight S-box tables. The output of all eight s-boxes is then combined in to 32 bit section.  Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight permutation with rule shown in the following illustration: KeyGeneration The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key generation is depicted in the following illustration −
  • 22. 22 The logic for Parity drop, shifting, and Compression P-box is given in the DES description. DESAnalysis The DES satisfies both the desired properties of block cipher. These two properties make cipher very strong.  Avalanche effect − A small change in plaintext results in the very grate change in the ciphertext.  Completeness − Each bit of ciphertext depends on many bits of plaintext. During the last few years, cryptanalysis have found some weaknesses in DES when key selected are weak keys. These keys shall be avoided. DES has proved to be a very well designed block cipher. There have been no significant cryptanalytic attacks on DES other than exhaustive key search. 3-KEYTripleDES Before using 3TDES, user first generate and distribute a 3TDES key K, which consists of three different DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3×56 = 168 bits. The encryption scheme is illustrated as follows −
  • 23. 23 The encryption-decryption process is as follows −  Encrypt the plaintext blocks using single DES with key K1.  Now decrypt the output of step 1 using single DES with key K2.  Finally, encrypt the output of step 2 using single DES with key K3.  The output of step 3 is the ciphertext.  Decryption of a ciphertext is a reverse process. User first decrypt using K3, then encrypt with K2, and finally decrypt with K1. Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a 3TDES (hardware) implementation for single DES by setting K1, K2, and K3 to be the same value. This provides backwards compatibility with DES. Second variant of Triple DES (2TDES) is identical to 3TDES except that K3is replaced by K1. In other words, user encrypt plaintext blocks with key K1, then decrypt with key K2, and finally encrypt with K1 again. Therefore, 2TDES has a key length of 112 bits. Triple DES systems are significantly more secure than single DES, but these are clearly a much slower process than encryption using single DES. ADVANCEDENCRYPTIONSTANDARD: The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found at least six time faster than triple DES. A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable against exhaustive key search attack. Triple DES was designed to overcome this drawback but it was found slow. The features of AES are as follows −  Symmetric key symmetric block cipher  128-bit data, 128/192/256-bit keys  Stronger and faster than Triple-DES
  • 24. 24  Provide full specification and design details  Software implementable in C and Java OperationofAES AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation network’. It comprises of a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations). Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix − Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key. The schematic of AES structure is given in the following illustration − EncryptionProcess Here, we restrict to description of a typical round of AES encryption. Each round comprise of four sub- processes. The first round process is depicted below −
  • 25. 25 Byte Substitution (Sub Bytes): The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns. Shift rows Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the right side of row. Shift is carried out as follows −  First row is not shifted.  Second row is shifted one (byte) position to the left.  Third row is shifted two positions to the left.  Fourth row is shifted three positions to the left.  The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other. Mix Columns: Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round. Add roundkey: The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the cipher text. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round. DecryptionProcess: The process of decryption of an AES cipher text is similar to the encryption process in the reverse order. Each round consists of the four processes conducted in the reverse order −  Add round key  Mix columns  Shift rows  Byte substitution Since sub-processes in each round are in reverse manner, unlike for a Feistel Cipher, the encryption and decryption algorithms need to be separately implemented, although they are very closely related. AESAnalysis In present day cryptography, AES is widely adopted and supported in both hardware and software. Till date, no practical cryptanalytic attacks against AES have been discovered. Additionally, AES has built-
  • 26. 26 in flexibility of key length, which allows a degree of ‘future-proofing’ against progress in the ability to perform exhaustive key searches. However, just as for DES, the AES security is assured only if it is correctly implemented and good key management is employed. BlockCipherModesofOperation: A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger than the block size. Hence, the long message is divided into a series of sequential message blocks, and the cipher operates on these blocks one at a time. ElectronicCodeBook(ECB)Mode This mode is a most straightforward way of processing a series of sequentially listed message blocks. Operation  The user takes the first block of plaintext and encrypts it with the key to produce the first block of cipher text.  He then takes the second block of plaintext and follows the same process with same key and so on so forth. The ECB mode is deterministic, that is, if plaintext block P1, P2,
, Pm are encrypted twice under the same key, the output cipher text blocks will be the same. In fact, for a given key technically we can create a codebook of ciphertexts for all possible plaintext blocks. Encryption would then entail only looking up for required plaintext and select the corresponding cipher text. Thus, the operation is analogous to the assignment of code words in a codebook, and hence gets an official name − Electronic Codebook mode of operation (ECB). It is illustrated as follows − Analysis of ECB Mode In reality, any application data usually have partial information which can be guessed. For example, the range of salary can be guessed. A cipher text from ECB can allow an attacker to guess the plaintext by trial-and-error if the plaintext message is within predictable. For example, if a cipher text from the ECB mode is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher, and hence the ECB mode should not be used in most applications. CipherBlockChaining(CBC)Mode: CBC mode of operation provides message dependence for generating cipher text and makes the system non-deterministic. Operation The operation of CBC mode is depicted in the following illustration. The steps are as follows −  Load the n-bit Initialization Vector (IV) in the top register.  XOR the n-bit plaintext block with data value in top register.  Encrypt the result of XOR operation with underlying block cipher with key K.  Feed cipher text block into top register and continue the operation till all plaintext blocks are processed.  For decryption, IV data is XORed with first cipher text block decrypted. The first cipher text block is also fed into to register replacing IV for decrypting next cipher text block.
  • 27. 27 CipherFeedback(CFB)Mode: In this mode, each cipher text block gets ‘fed back’ into the encryption process in order to encrypt the next plaintext block. Operation The operation of CFB mode is depicted in the following illustration. For example, in the present system, a message block has a size ‘s’ bits where 1 < s < n. The CFB mode requires an initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. Steps of operation are −  Load the IV in the top register.  Encrypt the data value in top register with underlying block cipher with key K.  Take only ‘s’ number of most significant bits (left bits) of output of encryption process and XOR them with ‘s’ bit plaintext message block to generate cipher text block.  Feed cipher text block into top register by shifting already present data to the left and continue the operation till all plaintext blocks are processed.  Essentially, the previous cipher text block is encrypted with the key, and then the result is XORed to the current plaintext block.  Similar steps are followed for decryption. Pre-decided IV is initially loaded at the start of decryption. OutputFeedback(OFB)Mode It involves feeding the successive output blocks from the underlying block cipher back to it. These feedback blocks provide string of bits to feed the encryption algorithm which act as the key-stream generator as in case of CFB mode.
  • 28. 28 The key stream generated is XOR-ed with the plaintext blocks. The OFB mode requires an IV as the initial random n-bit input block. The IV need not be secret. The operation is depicted in the following illustration − Counter(CTR)Mode: It can be considered as a counter-based version of CFB mode without the feedback. In this mode, both the sender and receiver need to access to a reliable counter, which computes a new shared value each time a cipher text block is exchanged. This shared counter is not necessarily a secret value, but challenge is that both sides must keep the counter synchronized. Operation Both encryption and decryption in CTR mode are depicted in the following illustration. Steps in operation are −  Load the initial counter value in the top register is the same for both the sender and the receiver. It plays the same role as the IV in CFB (and CBC) mode.  Encrypt the contents of the counter with the key and place the result in the bottom register.  Take the first plaintext block P1 and XOR this to the contents of the bottom register. The result of this is C1. Send C1 to the receiver and update the counter. The counter update replaces the ciphertext feedback in CFB mode.  Continue in this manner until the last plaintext block has been encrypted.  The decryption is the reverse process. The ciphertext block is XORed with the output of encrypted contents of counter value. After decryption of each ciphertext block counter is updated as in case of encryption.
  • 29. 29 IDEA: IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round, see the illustration) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups — modular addition and multiplication, and bitwise eXclusive OR (XOR) — which are algebraically "incompatible" in some sense. In more detail, these operators, which all deal with 16-bit quantities, are:  Bitwise eXclusive OR (denoted with a blue circled plus ⊕).  Addition modulo 216 (denoted with a green boxed plus ⊞).  Multiplication modulo 216 +1, where the all-zero word (0x0000) in inputs is interpreted as 216 and 216 in output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot ⊙). After the eight rounds comes a final “half round”, the output transformation illustrated below (the swap of the middle two values cancels out the swap at the end of the last round, so that there is no net swap): Structure: The overall structure of IDEA follows the Lai-Massey scheme. XOR is used for both subtraction and addition. IDEA uses a key-dependent half-round function. To work with 16 bit words (meaning four inputs instead of two for the 64 bit block size), IDEA uses the Lai-Massey scheme twice in parallel, with the two parallel round functions being interwoven with each other. To ensure sufficient diffusion, two of the sub-blocks are swapped after each round. Key schedule: Each round uses six 16-bit sub-keys, while the half-round uses four, a total of 52 for 8.5 rounds. The first eight sub-keys are extracted directly from the key, with K1 from the first round being the lower sixteen bits; further groups of eight keys are created by rotating the main key left 25 bits between each group of eight. This means that it is rotated less than once per round, on average, for a total of six rotations. Decryption: Decryption works like encryption, but the order of the round keys is inverted and the subkeys for the odd rounds are inversed. For instance, the values of subkeys K1 - K4 are replaced by the inverse of K49 - K52 for the respective group operation, K5 and K6 of each group should be replaced by K47 and K48 for decryption.
  • 30. 30 UNIT-4 CONFIDENTIALITY USING SYMMETRIC ENCRYPTION Placement of Encryption Function: If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. To begin, this section examines the potential locations of security attacks and then looks at the two major approaches to encryption placement: link and end to end. There are a large number of locations at which an attack can occur. Furthermore, for wide area communications, many of these locations are not under the physical control of the end user. Even in the case of local area networks, in which physical security measures are possible, there is always the threat of the disgruntled employee. Link versus End-to-End Encryption: The most powerful and most common approach to securing the points of vulnerability highlighted in the preceding section is encryption. If encryption is to be used to counter these attacks, then we need to decide what to encrypt and where the encryption gear should be located. There are two fundamental alternatives: link encryption and end-to-end encryption. Link to Link Encryption: With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. Thus, all traffic over all communications links is secured. One of its disadvantages is that the message must be decrypted each time it enters a switch because the switch must read the address (logical connection number) in the packet header in order to route the frame. Thus, the message is vulnerable at each switch. If working with a public network, the user has no control over the security of the nodes. Several implications of link encryption should be noted. For this strategy to be effective, all the potential links in a path from source to destination must use link encryption. Each pair of nodes that share a link should share a unique key, with a different key used on each link. Thus, many keys must be provided.
  • 31. 31 End-To-End Encryption: With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data in encrypted form are then transmitted unaltered across the network to the destination terminal or host. The destination shares a key with the source and so is able to decrypt the data. This plan seems to secure the transmission against attacks on the network links or switches. Thus, end-to-end encryption relieves the end user of concerns about the degree of security of networks and links that support the communication. There is, however, still a weak spot. Consider the following situation. A host connects to a frame relay or ATM network, sets up a logical connection to another host, and is prepared to transfer data to that other host by using end-to- end encryption. Data are transmitted over such a network in the form of packets that consist of a header and some user data. What part of each packet will the host encrypt? Suppose that the host encrypts the entire packet, including the header. This will not work because, remember, only the other host can perform the decryption. The frame relay or ATM switch will receive an encrypted packet and be unable to read the header. Therefore, it will not be able to route the packet. It follows that the host may encrypt only the user data portion of the packet and must leave the header in the clear. Thus, with end-to-end encryption, the user data are secure. However, the traffic pattern is not, because packet headers are transmitted in the clear. On the other hand, end-to-end encryption does provide a degree of authentication. If two end systems share an encryption key, then a recipient is assured that any message that it receives comes from the alleged sender, because only that sender shares the relevant key. Such authentication is not inherent in a link encryption scheme. To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure 7.2. When both forms of encryption are employed, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet, using a link encryption key to read the header, and then encrypts the entire packet again for sending it out on the next link. Now the entire packet is secure except for the time that the packet is actually in the memory of a packet switch, at which time the packet header is in the clear. Differences between Link encryption & End to End Encryption: Link Encryption End-to-End Encryption Link encryption encrypts all the data along a specific communication path. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed. All data are encrypted, including headers, addresses, and routing information. Headers, addresses, and routing information are not encrypted, and therefore not protected. It works at a lower layer in the OSI model. It works at Network layer. All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. The packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted.
  • 32. 32 Logical Placement of End-to-End Encryption Function: With link encryption, the encryption function is performed at a low level of the communications hierarchy i.e. physical or link layers. For end-to-end encryption, several choices are possible for the logical placement of the encryption function. At the lowest practical level, the encryption function could be performed at the network layer. With network-layer encryption, Each end system can engage in an encrypted exchange with another end system if the two share a secret key. All the user processes and applications within each end system would employ the same encryption scheme with the same key to reach a particular target end system. Figure 7.4 illustrates the issues involved. In this example, an electronic mail gateway is used to interconnect an internetwork that uses a TCP/IP-based architecture. In such a configuration, there is no end-to-end protocol below the application layer. The transport and network connections from each end system terminate at the mail gateway, which sets up new transport and network connections to link to the other end system. Even if both end systems use TCP/IP or OSI, there are plenty of instances in actual configurations in which mail gateways sit between otherwise isolated internetworks. Thus, for applications like electronic mail that have a store-and-forward capability, the only place to achieve end- to-end encryption is at the application layer.
  • 33. 33 A drawback of application-layer encryption is that the number of entities to consider increases dramatically. A network that supports hundreds of hosts may support thousands of users and processes. Thus, many more secret keys need to be generated and distributed. An interesting way of viewing the alternatives is to note that as we move up the communications hierarchy, less information is encrypted but it is more secure. TRAFFIC CONFIDENTIALITY: The following types of information that can be derived from a traffic analysis attack:  Identities of partners  How frequently the partners are communicating  Message pattern, message length, or quantity of messages that suggest important information is being exchanged  The events that correlate with special conversations between particular partners Another concern related to traffic is the use of traffic patterns to create a covert channel. Typically, the channel is used to transfer information in a way that violates a security policy. For example, an employee may wish to communicate information to an outsider in a way that is not detected by management and that requires simple eavesdropping on the part of the outsider.
  • 34. 34 Link Encryption Approach: With the use of link encryption, network-layer headers (e.g., frame or cell header) are encrypted, reducing the opportunity for traffic analysis. However, it is still possible in those circumstances for an attacker to assess the amount of traffic on a network and to observe the amount of traffic entering and leaving each end system. An effective countermeasure to this attack is traffic padding, illustrated in Figure 7.6. Traffic padding produces cipher text output continuously, even in the absence of plaintext. A continuous random data stream is generated. When plaintext is available, it is encrypted and transmitted. When input plaintext is not present, random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish between true data flow and padding and therefore impossible to deduce the amount of traffic. End-to-End Encryption Approach: Traffic padding is essentially a link encryption function. If only end-to-end encryption is employed, then the measures available to the defender are more limited. For example, if encryption is implemented at the application layer, then an opponent can determine which transport entities are engaged in dialogue. One technique that might prove useful is to pad out data units to a uniform length at either the transport or application level. In addition, null messages can be inserted randomly into the stream. These tactics deny opponent knowledge about the amount of data exchanged between end users and obscure the underlying traffic pattern. KEY DISTRIBUTION: For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the term that refers to the means of delivering a key to two parties who wish to exchange data, without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows: 1. A can select a key and physically deliver it to B. 2. A third party can select the key and physically deliver it to A and B. 3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. 4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B. Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. 3 is mostly based on 1 or 2 occurring first. A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution to the huge growth in number of keys potentially needed. Key distribution centre:  The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used.  Communication between end systems is encrypted using a temporary key, often referred to as a session key.  Typically, the session key is used for the duration of a logical connection and then discarded
  • 35. 35  master key is shared by the key distribution center and an end system or user and used to encrypt the session key. Key Distribution Scenario: Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur: 1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice for a nonce. 2. The KDC responds with a message encrypted using Ka Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC. The message includes two items intended for A:  The one-time session key, Ks, to be used for the session  The original request message, including the nonce, to enable A to match this response with the appropriate request Thus, A can verify that its original request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of some previous request. In addition, the message includes two items intended for B:  The one-time session key, Ks to be used for the session  An identifier of A (e.g., its network address), IDA These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.
  • 36. 36 3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable: 4. Using the newly minted session key for encryption, B sends a nonce, N2, to A. 5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one). These steps assure B that the original message it received (step 3) was not a replay. Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3, perform an authentication function. Major Issues with KDC: For very large networks, a hierarchy of KDCs can be established. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a (hierarchy of) global KDC(s). To balance security & effort, a new session key should be used for each new connection-oriented session. For a connectionless protocol, a new session key is used for a certain fixed period only or for a certain number of transactions. An automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other, provided they trust the system to act on their behalf. The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from subversion. This requirement can be avoided if key distribution is fully decentralized. In addition to separating master keys from session keys, may wish to define different types of session keys on the basis of use.
  • 38. 38
  • 39. 39
  • 40. 40
  • 41. 41
  • 42. 42
  • 43. 43
  • 44. 44
  • 45. 45
  • 46. 46
  • 47. 47
  • 48. 48
  • 49. 49 UNIT-6 PUBLIC KEY CRYPTOGRAPHY PublicKeyCryptography: Unlike symmetric key cryptography, we do not find historical use of public-key cryptography. It is a relatively new concept. Symmetric cryptography was well suited for organizations such as governments, military, and big financial corporations were involved in the classified communication. With the spread of more unsecure computer networks in last few decades, a genuine need was felt to use cryptography at larger scale. The symmetric key was found to be non-practical due to challenges it faced for key management. This gave rise to the public key cryptosystems. The process of encryption and decryption is depicted in the following illustration − The most important properties of public key encryption scheme are  Different keys are used for encryption and decryption. This is a property which set this scheme different than symmetric encryption scheme.  Each receiver possesses a unique decryption key, generally referred to as his private key.  Receiver needs to publish an encryption key, referred to as his public key.  Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing by adversary as the receiver. Generally, this type of cryptosystem involves trusted third party which certifies that a particular public key belongs to a specific person or entity only.  Encryption algorithm is complex enough to prohibit attacker from deducing the plaintext from the ciphertext and the encryption (public) key.  Though private and public keys are related mathematically, it is not be feasible to calculate the private key from the public key. In fact, intelligent part of any public-key cryptosystem is in designing a relationship between two keys. There are three types of Public Key Encryption schemes. We discuss them in following sections RSACryptosystem: This cryptosystem is one the initial system. It remains most employed cryptosystem even today. The system was invented by three scholars Ron Rivest, Adi Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem. We will see two aspects of the RSA cryptosystem, firstly generation of key pair and secondly encryption-decryption algorithms. Generation of RSA Key Pair Each person or a party who desires to participate in communication using encryption needs to generate a pair of keys, namely public key and private key. The process followed in the generation of keys is described below −  Generate the RSA modulus (n)
  • 50. 50 o Select two large primes, p and q. o Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.  Find Derived Number (e) o Number e must be greater than 1 and less than (p − 1)(q − 1). o There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two numbers e and (p – 1)(q – 1) are coprime.  Form the public key o The pair of numbers (n, e) form the RSA public key and is made public. o Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of RSA.  Generate the private key o Private Key d is calculated from p, q, and e. For given n and e, there is unique number d. o Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q - 1). o This relationship is written mathematically as follows − ed = 1 mod (p − 1)(q − 1) The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output. Example An example of generating RSA Key pair is given below. (For ease of understanding, the primes p & q taken here are small values. Practically, these values are very high).  Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.  Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)(q − 1) = 6 × 12 = 72, except for 1.  The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom we wish to be able to send us encrypted messages.  Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.  Check that the d calculated is correct by computing − de = 29 × 5 = 145 = 1 mod 72  Hence, public key is (91, 5) and private keys is (91, 29). Encryption and Decryption Once the key pair has been generated, the process of encryption and decryption are relatively straightforward and computationally easy. Interestingly, RSA does not directly operate on strings of bits as in case of symmetric key encryption. It operates on numbers modulo n. Hence, it is necessary to represent the plaintext as a series of numbers less than n. RSA Encryption  Suppose the sender wish to send some text message to someone whose public key is (n, e).  The sender then represents the plaintext as a series of numbers less than n.  To encrypt the first plaintext P, which is a number modulo n. The encryption process is simple mathematical step as − C = Pe mod n  In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then reduced modulo n. This means that C is also a number less than n.  Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −
  • 51. 51 C = 105 mod 91 RSA Decryption  The decryption process for RSA is also very straightforward. Suppose that the receiver of public- key pair (n, e) has received a ciphertext C.  Receiver raises C to the power of his private key d. The result modulo n will be the plaintext P. Plaintext = Cd mod n  Returning again to our numerical example, the ciphertext C = 82 would get decrypted to number 10 using private key 29 − Plaintext = 8229 mod 91 = 10 RSA Analysis The security of RSA depends on the strengths of two separate functions. The RSA cryptosystem is most popular public-key cryptosystem strength of which is based on the practical difficulty of factoring the very large numbers.  Encryption Function − It is considered as a one-way function of converting plaintext into ciphertext and it can be reversed only with the knowledge of private key d.  Key Generation − The difficulty of determining a private key from an RSA public key is equivalent to factoring the modulus n. An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key unless he can factor n. It is also a one way function, going from p & q values to modulus n is easy but reverse is not possible. If either of these two functions are proved non one-way, then RSA will be broken. In fact, if a technique for factoring efficiently is developed then RSA will no longer be safe. The strength of RSA encryption drastically goes down against attacks if the number p and q are not large primes and/ or chosen public key e is a small number. In the last chapter, we discussed the data integrity threats and the use of hashing technique to detect if any modification attacks have taken place on the data. Another type of threat that exist for data is the lack of message authentication. In this threat, the user is not sure about the originator of the message. Message authentication can be provided using the cryptographic techniques that use secret keys as done in case of encryption. MessageAuthenticationCode(MAC): MAC algorithm is a symmetric key cryptographic technique to provide message authentication. For establishing MAC process, the sender and receiver share a symmetric key K. Essentially, a MAC is an encrypted checksum generated on the underlying message that is sent along with a message to ensure message authentication. The process of using MAC for authentication is depicted in the following illustration – Let us now try to understand the entire process in detail −  The sender uses some publicly known MAC algorithm, inputs the message and the secret key K and produces a MAC value.  Similar to hash, MAC function also compresses an arbitrary long input into a fixed length output. The major difference between hash and MAC is that MAC uses secret key during the compression.  The sender forwards the message along with the MAC. Here, we assume that the message is sent in the clear, as we are concerned of providing message origin authentication, not confidentiality. If confidentiality is required then the message needs encryption.  On receipt of the message and the MAC, the receiver feeds the received message and the shared secret key K into the MAC algorithm and re-computes the MAC value.
  • 52. 52  The receiver now checks equality of freshly computed MAC with the MAC received from the sender. If they match, then the receiver accepts the message and assures himself that the message has been sent by the intended sender.  If the computed MAC does not match the MAC sent by the sender, the receiver cannot determine whether it is the message that has been altered or it is the origin that has been falsified. As a bottom-line, a receiver safely assumes that the message is not the genuine. LimitationsofMAC There are two major limitations of MAC, both due to its symmetric nature of operation −  Establishment of Shared Secret. o It can provide message authentication among pre-decided legitimate users who have shared key. o This requires establishment of shared secret prior to use of MAC.  Inability to Provide Non-Repudiation o Non-repudiation is the assurance that a message originator cannot deny any previously sent messages and commitments or actions. o MAC technique does not provide a non-repudiation service. If the sender and receiver get involved in a dispute over message origination, MACs cannot provide a proof that a message was indeed sent by the sender. o Though no third party can compute the MAC, still sender could deny having sent the message and claim that the receiver forged it, as it is impossible to determine which of the two parties computed the MAC. Both these limitations can be overcome by using the public key based digital signatures discussed in following section. HASH FUNCTION: Hash functions are extremely useful and appear in almost all information security applications. A hash function is a mathematical function that converts a numerical input value into another compressed numerical value. The input to the hash function is of arbitrary length but output is always of fixed length. Values returned by a hash function are called message digest or simply hash values. The following picture illustrated hash function −
  • 53. 53 FeaturesofHashFunctions: The typical features of hash functions are −  Fixed Length Output (Hash Value) o Hash function coverts data of arbitrary length to a fixed length. This process is often referred to as hashing the data. o In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions. o Since a hash is a smaller representation of a larger data, it is also referred to as a digest. o Hash function with n bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits.  Efficiency of Operation o Generally for any hash function h with input x, computation of h(x) is a fast operation. o Computationally hash functions are much faster than a symmetric encryption. PropertiesofHashFunctions: In order to be an effective cryptographic tool, the hash function is desired to possess following properties −  Pre-Image Resistance o This property means that it should be computationally hard to reverse a hash function. o In other words, if a hash function h produced a hash value z, then it should be a difficult process to find any input value x that hashes to z. o This property protects against an attacker who only has a hash value and is trying to find the input.  Second Pre-Image Resistance o This property means given an input and its hash, it should be hard to find a different input with the same hash. o In other words, if a hash function h for an input x produces hash value h(x), then it should be difficult to find any other input value y such that h(y) = h(x). o This property of hash function protects against an attacker who has an input value and its hash, and wants to substitute different value as legitimate value in place of original input value.  Collision Resistance o This property means it should be hard to find two different inputs of any length that result in the same hash. This property is also referred to as collision free hash function. o In other words, for a hash function h, it is hard to find any two different inputs x and y such that h(x) = h(y). o Since, hash function is compressing function with fixed hash length, it is impossible for a hash function not to have collisions. This property of collision free only confirms that these collisions should be hard to find. o This property makes it very difficult for an attacker to find two input values with the same hash. o Also, if a hash function is collision-resistant then it is second pre-image resistant. DesignofHashingAlgorithms: At the heart of a hashing is a mathematical function that operates on two fixed-size blocks of data to create a hash code. This hash function forms the part of the hashing algorithm. The size of each data block varies depending on the algorithm. Typically the block sizes are from 128 bits to 512 bits. The following illustration demonstrates hash function −
  • 54. 54 Hashing algorithm involves rounds of above hash function like a block cipher. Each round takes an input of a fixed size, typically a combination of the most recent message block and the output of the last round. This process is repeated for as many rounds as are required to hash the entire message. Schematic of hashing algorithm is depicted in the following illustration − Since, the hash value of first message block becomes an input to the second hash operation, output of which alters the result of the third operation, and so on. This effect, known as an avalanche effect of hashing. Avalanche effect results in substantially different hash values for two messages that differ by even a single bit of data. Understand the difference between hash function and algorithm correctly. The hash function generates a hash code by operating on two blocks of fixed-length binary data. Hashing algorithm is a process for using the hash function, specifying how the message will be broken up and how the results from previous message blocks are chained together. PopularHashFunctions Let us briefly see some popular hash functions − Message Digest (MD) MD5 was most popular and widely used hash function for quite some years.  The MD family comprises of hash functions MD2, MD4, MD5 and MD6. It was adopted as Internet Standard RFC 1321. It is a 128-bit hash function.  MD5 digests have been widely used in the software world to provide assurance about integrity of transferred file. For example, file servers often provide a pre-computed MD5 checksum for the files, so that a user can compare the checksum of the downloaded file to it.  In 2004, collisions were found in MD5. An analytical attack was reported to be successful only in an hour by using computer cluster. This collision attack resulted in compromised MD5 and hence it is no longer recommended for use. Secure Hash Function (SHA) Family of SHA comprise of four SHA algorithms; SHA-0, SHA-1, SHA-2, and SHA-3. Though from same family, there are structurally different.  The original version is SHA-0, a 160-bit hash function, was published by the National Institute of Standards and Technology (NIST) in 1993. It had few weaknesses and did not become very popular. Later in 1995, SHA-1 was designed to correct alleged weaknesses of SHA-0.  SHA-1 is the most widely used of the existing SHA hash functions. It is employed in several widely used applications and protocols including Secure Socket Layer (SSL) security.
  • 55. 55  In 2005, a method was found for uncovering collisions for SHA-1 within practical time frame making long-term employability of SHA-1 doubtful.  SHA-2 family has four further SHA variants, SHA-224, SHA-256, SHA-384, and SHA-512 depending up on number of bits in their hash value. No successful attacks have yet been reported on SHA-2 hash function.  Though SHA-2 is a strong hash function. Though significantly different, its basic design is still follows design of SHA-1. Hence, NIST called for new competitive hash function designs.  In October 2012, the NIST chose the Keccak algorithm as the new SHA-3 standard. Keccak offers many benefits, such as efficient performance and good resistance for attacks. ApplicationsofHashFunctions There are two direct applications of hash function based on its cryptographic properties. Password Storage Hash functions provide protection to password storage.  Instead of storing password in clear, mostly all logon processes store the hash values of passwords in the file.  The Password file consists of a table of pairs which are in the form (user id, h(P)).  The process of logon is depicted in the following illustration −  An intruder can only see the hashes of passwords, even if he accessed the password. He can neither logon using hash nor can he derive the password from hash value since hash function possesses the property of pre-image resistance. Data Integrity Check Data integrity check is a most common application of the hash functions. It is used to generate the checksums on data files. This application provides assurance to the user about correctness of the data. The process is depicted in the following illustration – The integrity check helps the user to detect any changes made to original file. It however, does not provide any assurance about originality. The attacker, instead of modifying file data, can change the entire file and compute all together new hash and send to the receiver. This integrity check application is useful only if the user is sure about the originality of file.
  • 56. 56 DIGITAL SIGNATURES: Digital signatures are the public-key primitives of message authentication. In the physical world, it is common to use handwritten signatures on handwritten or typed messages. They are used to bind signatory to the message. Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by receiver as well as any third party. Digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer. In real world, the receiver of message needs assurance that the message belongs to the sender and he should not be able to repudiate the origination of that message. This requirement is very crucial in business applications, since likelihood of a dispute over exchanged data is very high. ModelofDigitalSignature As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of digital signature scheme is depicted in the following illustration − The following points explain the entire process in detail −  Each person adopting this scheme has a public-private key pair.  Generally, the key pairs used for encryption/decryption and signing/verifying are different. The private key used for signing is referred to as the signature key and the public key as the verification key.  Signer feeds data to the hash function and generates hash of data.  Hash value and signature key are then fed to the signature algorithm which produces the digital signature on given hash. Signature is appended to the data and then both are sent to the verifier.
  • 57. 57  Verifier feeds the digital signature and the verification key into the verification algorithm. The verification algorithm gives some value as output.  Verifier also runs same hash function on received data to generate hash value.  For verification, this hash value and output of verification algorithm are compared. Based on the comparison result, verifier decides whether the digital signature is valid.  Since digital signature is created by ‘private’ key of signer and no one else can have this key; the signer cannot repudiate signing the data in future. It should be noticed that instead of signing data directly by signing algorithm, usually a hash of data is created. Since the hash of data is a unique representation of data, it is sufficient to sign the hash in place of data. The most important reason of using hash instead of data directly for signing is efficiency of the scheme. Let us assume RSA is used as the signing algorithm. As discussed in public key encryption chapter, the encryption/signing process using RSA involves modular exponentiation. Signing large data through modular exponentiation is computationally expensive and time consuming. The hash of the data is a relatively small digest of the data, hence signing a hash is more efficient than signing the entire data. ImportanceofDigitalSignature: Out of all cryptographic primitives, the digital signature using public key cryptography is considered as very important and useful tool to achieve information security. Apart from ability to provide non-repudiation of message, the digital signature also provides message authentication and data integrity. Let us briefly see how this is achieved by the digital signature −  Message authentication − When the verifier validates the digital signature using public key of a sender, he is assured that signature has been created only by sender who possess the corresponding secret private key and no one else.  Data Integrity − In case an attacker has access to the data and modifies it, the digital signature verification at receiver end fails. The hash of modified data and the output provided by the verification algorithm will not match. Hence, receiver can safely deny the message assuming that data integrity has been breached.  Non-repudiation − Since it is assumed that only the signer has the knowledge of the signature key, he can only create unique signature on a given data. Thus the receiver can present data and the digital signature to a third party as evidence if any dispute arises in the future. By adding public-key encryption to digital signature scheme, we can create a cryptosystem that can provide the four essential elements of security namely − Privacy, Authentication, Integrity, and Non- repudiation. EncryptionwithDigitalSignature: In many digital communications, it is desirable to exchange encrypted messages than plaintext to achieve confidentiality. In public key encryption scheme, a public (encryption) key of sender is available in open domain, and hence anyone can spoof his identity and send any encrypted message to the receiver. This makes it essential for users employing PKC for encryption to seek digital signatures along with encrypted data to be assured of message authentication and non-repudiation. This can archived by combining digital signatures with encryption scheme. Let us briefly discuss how to achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign. However, the crypto system based on sign-then-encrypt can be exploited by receiver to spoof identity of sender and sent that data to third party. Hence, this method is not preferred. The process of encrypt-then- sign is more reliable and widely adopted. This is depicted in the following illustration – The receiver after receiving the encrypted data and signature on it, first verifies the signature using sender’s public key. After ensuring the validity of the signature, he then retrieves the data through decryption using his private key.
  • 58. 58 Authentication protocol: An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows to authenticate the connecting entity (e.g. Client connecting to a Server) as well as authenticate itself to the connecting entity (Server to a client) by declaring the type of information needed for authentication as well as syntax. Authentication protocols developed for PPP Point-to-Point Protocol: Protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them are using a password as the cornerstone of the authentication. The password has to be shared between the communicating entities in advance.[5] PAP 2-way handshake scheme PAP - Password Authentication Protocol: Password Authentication Protocol is one of the oldest authentication protocols. Authentication is initialized by client/user by sending packet with credentials (username and password) at the beginning of the connection.[6] It is highly insecure because the credentials are being transmitted over the network in plain ASCII text thus it is vulnerable even to the most simple attacks like Eavesdropping and man-in-the- middle based attacks. CHAP - Challenge-handshake authentication protocol: The authentication process in this protocol is always initialized by the server/host and can be performed anytime during the session, even repeatedly. Server sends a random string (usually 128B long). Client uses his password and the string received as parameters for MD5 hash function and then sends the result together with username in plain text. Server uses the username to apply the same function and compares the calculated and received hash. An authentication is successful or unsuccessful.
  • 59. 59 EAP - Extensible Authentication Protocol: EAP was originally developed for PPP(Point-to-Point Protocol) but today is widely used in IEEE 802.3, IEEE 802.11(WiFi) or IEEE 802.16 as a part of IEEE 802.1x authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication - the specific way of authentication is defined in its many versions called EAP-methods. More than 40 EAP-methods exist, the most common are:  EAP-MD5  EAP-TLS  EAP-TTLS  EAP-FAST  EAP-PEAP Authentication applications: KERBEROS: It is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication— both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.
  • 60. 60 UNIT-7 Email security: Pretty Good Privacy It is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991. PGP is an open-source freely available software package for e-mail security. It provides authentication through the use of digital signature; confidentiality through the use of symmetric block encryption; compression using the ZIP algorithm; e-mail compatibility using the radix-64 encoding scheme; and segmentation and reassembly to accommodate long e-mails. ● PGP incorporates tools for developing a public-key trust model and public-key certificate management. ● S/MIME is an Internet standard approach to e-mail security that incorporates the same functionality as PGP. PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth: 1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support. 2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding. 3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks. 4. It was not developed by, nor is it controlled by, any governmental or standards organization. For those with an instinctive distrust of "the establishment," this makes PGP attractive. 5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an antiestablishment endeavor. Design: PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server. Authentication 1 The sender creates a message. 2. SHA-1 is used to generate a 160-bit hash code of the message. 3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message. 4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code. 5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic. Confidentiality: PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires
  • 61. 61 a symmetric key. Each symmetric key is used only once and is also called a session key. The message and its session key are sent to the receiver. The session key must be sent to the receiver so they know how to decrypt the message, but to protect it during transmission it is encrypted with the receiver's public key. Only the private key belonging to the receiver can decrypt the session key. 1. The sender generates a message and a random 128-bit number to be used as a session key for this message only. 2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key. 3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message. 4. The receiver uses RSA with its private key to decrypt and recover the session key. 5. The session key is used to decrypt the message. Confidentiality and Authentication: both services may be used for the same message. First, a signature is generated for the plaintext message and prepended to the message. Then the plaintext message plus signature is encrypted using CAST-128 (or IDEA or 3DES), and the session key is encrypted using RSA (or ElGamal). This sequence is preferable to the opposite: encrypting the message and then generating a signature for the encrypted message. It is generally more convenient to store a signature with a plaintext version of a message. Furthermore, for purposes of third-party erification, if the signature is performed first, a third party need not be concerned with the symmetric key when verifying the signature.
  • 62. 62 Digital signatures: PGP supports message authentication and integrity checking. The latter is used to detect whether a message has been altered since it was completed (the message integrity property) and the former to determine whether it was actually sent by the person or entity claimed to be the sender (a digital signature). Because the content is encrypted, any changes in the message will result in failure of the decryption with the appropriate key. The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext and then creates the digital signature from that hash using the sender's private key. S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet email format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users.
  • 63. 63 Multipurpose Internet Mail Extensions: MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail. The MIME specification includes the following elements: 1. Five new message header fields are defined, which may be included in an RFC 822 header. These fields provide information about the body of the message. 2. A number of content formats are defined, thus standardizing representations that support multimedia electronic mail. 3. Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system. In this subsection, we introduce the five message header fields. The next two subsections deal with content formats and transfer encodings. The five header fields defined in MIME are as follows: ● MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms to RFCs 2045 and 2046. ● Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner. ● Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport. ● Content-ID: Used to identify MIME entities uniquely in multiple contexts. ● Content-Description: A text description of the object with the body; this is useful when the object is not readable (e.g., audio data). IP SECURITY: IP security (IPSec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6), by means of additional headers. ● IPSec encompasses three functional areas: authentication, confidentiality, and key management. ● Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to the entire packet except for the IP header (transport mode). ● Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. ● IPSec defines a number of techniques for key management. Applications of IPSec IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following: ● Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. ● Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. ● Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. ● Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security. Benefits of IPSec
  • 64. 64 ● When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing. ● IPSec in a firewall is resistant to bypass if all traffic from the outside must use IP, and the firewall is the only means of entrance from the Internet into the organization. ● IPSec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper-layer software, including applications, is not affected. ● IPSec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization. ● IPSec can provide security for individual users if needed. This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications. IPSec Services IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security: An authentication protocol designated by the header of the protocol, Authentication Header (AH); and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are ● Access control ● Connectionless integrity ● Data origin authentication ● Rejection of replayed packets (a form of partial sequence integrity) ● Confidentiality (encryption) ● Limited traffic flow confidentiality Authentication Header The Authentication Header provides support for data integrity and authentication of IP packets. The data integrity feature ensures that undetected modification to a packet's content in transit is not possible. The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly; it also prevents the address spoofing attacks observed in today's Internet. The AH also guards against the replay attack described later in this section. Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key. The Authentication Header consists of the following fields ● Next Header (8 bits): Identifies the type of header immediately following this header.
  • 65. 65 ● Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2. For example, the default length of the authentication data field is 96 bits, or three 32-bit words. With a three-word fixed header, there are a total of six words in the header, and the Payload Length field has a value of 4. ● Reserved (16 bits): For future use. ● Security Parameters Index (32 bits): Identifies a security association. ● Sequence Number (32 bits): A monotonically increasing counter value, discussed later. ● Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet, discussed later. WEB SECURITY: The Internet is two way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet. ● The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted. ● Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. ● A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site. ● Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.
  • 66. 66 Web Security Threats: Secure Socket Layer and Transport Layer Security Netscape originated SSL. Version 3 of the protocol was designed with public review and input from industry and was published as an Internet draft document. Subsequently, when a consensus was reached to submit the protocol for Internet standardization, the TLS working group was formed within IETF to develop a common standard. SSL Architecture SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols. The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol.
  • 67. 67 Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows: ● Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session. ● Session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection. Between any pair of parties (applications such as HTTP on client and server), there may be multiple secure connections. In theory, there may also be multiple simultaneous sessions between parties, but his feature is not used in practice. There are actually a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and writes states are created. A session state is defined by the following parameters (definitions taken from the SSL specification): ● Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state. ● Peer certificate: An X509.v3 certificate of the peer. This element of the state may be null. ● Compression method: The algorithm used to compress data prior to encryption. ● Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. Master secret: 48-byte secret shared between the client and server. ● Is resumable: A flag indicating whether the session can be used to initiate new connections. A connection state is defined by the following parameters: ● Server and client random: Byte sequences that are chosen by the server and client for each connection. ● Server write MAC secret: The secret key used in MAC operations on data sent by the server. ● Client write MAC secret: The secret key used in MAC operations on data sent by the client. ● Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client. ● Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server.
  • 68. 68 ● Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the final cipher text block from each record is preserved for use as the IV with the following record. ● Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 264 1.
  • 69. 69 UNIT-8 SECURITY SYSTEM INTRUDERS: One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker identified three classes of intruders: ● Masquerader: An individual who is not authorized to use the computer and who penetrates a System’s access controls to exploit a legitimate user's account ● Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges ● Clandestine user: An individual who seizes supervisory control of the system. The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider. Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system. INTRUSION TECHNIQUES: The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruder to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user. One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced. Access control: Access to the password file is limited to one or a very few accounts. 1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults. 2. Exhaustively try all short passwords (those of one to three characters). 3. Try words in the system's online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards. 4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies. 5. Try users' phone numbers, Social Security numbers, and room numbers. 6. Try all legitimate license plate numbers for this state. 7. Tap the line between a remote user and the host system. INTRUSION DETECTION: 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. Malicious software is software that is intentionally included or inserted in a system for a harmful purpose. VIRUS: A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. Virus and Related Threads:
  • 70. 70 THE NATURE OF VIRUSES: A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. During its lifetime, a typical virus goes through the following four phases: ● Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage. ● Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase. ● Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself. ● Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files. TYPES OF VIRUSES: There has been a continuous arms race between virus writers and writers of antivirus software since viruses first appeared. As effective countermeasures have been developed for existing types of viruses, new types have been developed. ● Parasitic virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect. ● Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes. ● Boot sector virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus. ● Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. ● Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
  • 71. 71 ● Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every File. Worms A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. However, we can still classify it as a virus because it requires a human to move it forward. A worm actively seeks out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines. Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions. To replicate itself, a network worm uses some sort of network vehicle. Examples include the following: ● Electronic mail facility: A worm mails a copy of itself to other systems. ● Remote execution capability: A worm executes a copy of itself on another system. ● Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other. Firewall: A firewall forms a barrier through which the traffic going in each direction must pass. A firewall security policy dictates which traffic is authorized to pass in each direction. ● A firewall may be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer. Firewall characteristics: 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later 3. The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system. Almost every medium and large-scale organization has a presence on the Internet and has an organizational network connected to it. Network partitioning at the boundary between the outside Internet and the internal network is essential for network security. Sometimes the inside network (intranet) is referred to as the “trusted” side and the external Internet as the “un-trusted” side. TYPESOFFIREWALL: Firewall is a network device that isolates organization’s internal network from larger outside network/Internet. It can be hardware, software, or combined system that prevents unauthorized access to or from internal network. All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
  • 72. 72 Deploying firewall at network boundary is like aggregating the security at a single point. It is analogous to locking an apartment at the entrance and not necessarily at each door. Firewall is considered as an essential element to achieve network security for the following reasons −  Internal network and hosts are unlikely to be properly secured.  Internet is a dangerous place with criminals, users from competing companies, disgruntled ex- employees, spies from unfriendly countries, vandals, etc.  To prevent an attacker from launching denial of service attacks on network resource.  To prevent illegal modification/access to internal data by an outsider attacker. Firewall is categorized into three basic types −  Packet filter (Stateless & Stateful)  Application-level gateway  Circuit-level gateway These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories. STATELESS&STATEFULPACKETFILTERINGFIREWALL: In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet. Packet-filtering firewalls allow or block the packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header. The decision can be based on factors other than IP header fields such as ICMP message type, TCP SYN and ACK bits, etc. Packet filter rule has two parts −  Selection criteria − It is a used as a condition and pattern matching for decision making.  Action field − This part specifies action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall. Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on routers or switches. ACL is a table of packet filter rules. As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each incoming packet, finds matching criteria and either permits or denies the individual packets.
  • 73. 73 Stateless firewall is a kind of a rigid tool. It looks at packet and allows it if its meets the criteria even if it is not part of any established ongoing communication. Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of firewalls offer a more in-depth inspection method over the only ACL based packet inspection methods of stateless firewalls. Stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows them to keep track of connections state and determine which hosts have open, authorized connections at any given point in time. They reference the rule base only when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, and decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to already established connection. It can timeout inactive connections at firewall after which it no longer admit packets for that connection.