This document covers topics in network security including: - It outlines the OSI security architecture and describes security services like authentication, access control, and data confidentiality. - It discusses security mechanisms like encipherment and digital signatures. Common security attacks are also defined, including passive attacks, active attacks, masquerade, replay, and denial of service. - Symmetric encryption techniques are introduced, including the Caesar cipher, monoalphabetic ciphers, Playfair cipher, and Hill cipher. Key concepts in classical cryptography are explained.

1. UNIT-I
 Security trends
 OSI Security Architecture
 Security Attacks
 Security Services
 Security mechanisms
 A Model for Network Security
 Symmetric Cipher Model
 Substitution Techniques and Transposition Techniques
 Block Cipher Principles
 The Data Encryption Standard and The Strength of DES
 Differential and linear cryptanalysis Block
 cipher design principles
 Evaluation criteria for AES and The AES Cipher.
1

2. Cryptography
Cryptography is the study of
Secret (crypto-) writing (-graphy).
2

3. Cryptography
cryptography - study of encryption
principles/methods.
Cryptography deals with creating
documents that can be shared secretly
over public communication channels.
3

4. Cryptanalysis
cryptanalysis (code breaking) - study of
principles/ methods of decrypting cipher
text without knowing key.
4

5. Cryptology
The area of cryptography and crypt
analysis together are called cryptology.
5

6. Computer Security
generic name for the collection of tools
designed to protect data.
6

7. Network Security
It is used to protect data during their
transmission.
7

8. Internet security
it is used to protect data during their
transmission over a collection of
interconnected networks.
8

9. Security trends
 In 1994, the Internet Architecture Board
(IAB) issued a report entitled "Security in
the Internet Architecture"
 The report stated the general agreement
that the Internet needs more and better
security, and it identified key areas for
security mechanisms.
9

10. CERT Statistics
security trend in Internet-related
vulnerabilities reported to CERT over a
10-year period.
These include security weaknesses in the
operating systems of attached computers
as well as vulnerabilities in Internet routers
and other network devices.
10

11. CERT Statistics
11

12. OSI Security Architecture
The OSI (open systems interconnection)
security architecture provides a systematic
framework for defining security attacks,
mechanisms, and services.
12

13. Services, Mechanisms, Attacks
consider three aspects of information
security:
 security attack
 security mechanism
 security service
13

14. Security service
A service that enhances the security of
data processing systems and information
transfers.
A security service makes use of one or
more security mechanisms.
14

15. Security Services
 Authentication
 Access control
 Data Confidentiality
 Data Integrity
 Non-Repudiation
15

16. Authentication
Authentication is a process of verification
of the sender.
16

17. Access Control
prevention of the unauthorized use of a
resource
17

18. Data Confidentiality
protection of data from unauthorized
disclosure.
18

19. Data Integrity
assurance that data received is as sent by
an authorized entity
19

20. Non-Repudiation
Nonrepudiation prevents either sender or
receiver from denying a transmitted
message.
20

21. Security Mechanism
A mechanism that is designed to detect,
prevent, or recover from a security attack.
21

22. Encipherment
The use of mathematical algorithm to
transmit from data into a form that is not
understandable.
22

23. Digital signature
A valid digital signature gives a recipient
reason to believe that the message was
created by a known sender.
23

24. Access control
A variety of mechanisms that enforce
access right to resource.
24

25. Data integrity
A variety of mechanism used to assure the
integrity of a data unit.
25

26. Traffic padding
The insertion of bits into gaps in a data
stream to avoid traffic analysis attempts.
26

27. Routing control
Enables selection of particular physically
secure routes for data.
27

28. Notarization
The use of a trusted third party to assure
certain properties of a data exchange.
28

29. Security Attack
Any action that compromise the security of
information.
threat & attack used to mean same thing
29

30. passive attacks
 passive attacks attempt to learn or make
use of information from the system but does
not affect system resources.
 Are difficult to detect because they do not
involve any alteration of the data.
30

31. Release of message contents
31

32. Traffic analysis
32

33. Active attacks
 active attacks attempt to alter system
resources or affect their operation.
 Easy to detect because they will involve
alteration of the data.
33

34. Masquerade
A masquerade takes place when one
entity pretends to be a different entity
34

35. Masquerade
35

36. Replay
36

37. Modification of messages
37

38. Denial of service
38

39. Model for Network Security
39

40. Model for Network Security
 design a suitable algorithm for the security
transformation
 generate the secret keys used by the
algorithm
 develop methods to distribute secret key
 specify a protocol enabling the principals to
use the transformation and secret information
for a security service
40

41. Model for Network Access Security

42. Symmetric Encryption
 Symmetric encryption, also referred to as
conventional encryption or single-key
encryption
 All traditional schemes are symmetric /
single key / private-key encryption
algorithms, with a single key, used for
both encryption and decryption.
 Since both sender and receiver are
equivalent, either can encrypt or decrypt
messages using that common key. 42

43. Some Basic Terminology
 plaintext - original message
 Cipher text - coded message
 key – shared by both sender and receiver
 encipher (encrypt) - converting plaintext to cipher text
 decipher (decrypt) – converting cipher text to plaintext

44. Symmetric Cipher Model

45. Cryptography
characterize cryptographic system by:
 type of encryption operations used
 substitution / transposition / product
 number of keys used
 single-key or private / two-key or public
 way in which plaintext is processed
 block / stream

46. Cryptanalysis
There are two general approach to attacking a
conventional encryption scheme
 cryptanalytic attack
 brute-force attack

47. Cryptanalytic attack
Cryptanalytic attacks rely on the nature of the
algorithm plus perhaps some knowledge of the
general characteristics of the plaintext.
47

48. Brute-force attack
Brute-force attacks try every possible key on a
piece of cipher text until plaintext is obtained.
48

49. Types of Encryption Schemes
Encryption
Classical Modern
Rotor Machines
Substitution Public KeyTransposition Secret Key
BlockStream
Steganography
49

50. Substitution Techniques
letters of plaintext are replaced by other
letters or by numbers or symbols.
50

51. Caesar Cipher
The Caesar cipher involves replacing
each letter of the alphabet with the
letter standing k places further down the
alphabet, for k in the range 1 through 25.

52. Caesar Cipher
• mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
c = E(p) = (p + k) mod (26)
p = D(c) = (c – k) mod (26)

53. Caesar Cipher
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
53

54. Brute-Force Cryptanalysis of
Caesar Cipher
If it is known that a given cipher text is a
Caesar cipher, then a brute-force
cryptanalysis is easily performed.
Simply try all the 25 possible keys.
54

55. 55

56. Monoalphabetic Ciphers
mono alphabetic substitution uses
fixed substitution over the entire message
56

57. Mono alphabetic Ciphers
Shuffle the letters and map each plaintext letter
to a different random ciphertext letter:
Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA
57

58. Monoalphabetic Cipher Security
• the monoalphabetic substitution cipher is
not secure
• problem is language characteristics

59. Relative Frequency of Letters in English Text
59

60. Monoalphabetic Cipher
the relative frequency of the letters can be
determined and compared to a standard
frequency distribution for English.
If the message were long enough, this
technique alone might be sufficient,
60

61. Playfair Cipher
The Playfair algorithm is based on the use
of a 5 * 5 matrix of letters constructed
using a keyword.
Plaintext is encrypted two letters at a time
using this matrix.
61

62. 62
Playfair Cipher
• Rules:
– Take a pair of letters from plaintext
– Separate repeating letters with an x
– Plaintext letters in the same row are replaced by
letters to the right (cyclic manner)
– Plaintext letters in the same column are replaced by
letters below (cyclic manner)
– Plaintext letters in different row and column are
replaced by the letter in the row corresponding to the
column of the other letter and vice versa

63. Playfair Cipher
63
Keyword: LARGEST
Plain text: Mu st se ey ou
Cipher text: UZTBDLGZPN

64. Hill Cipher
The encryption algorithm takes m
successive plaintext letters and
substitutes for them m cipher text letters.
The substitution is determined by m linear
equations in which each character is
assigned a numerical value (a = 0, b = 1 ...
z = 25).
64

65. Hill Cipher
65

66. Hill Cipher
where C and P are column vectors of
length 3, representing the plaintext and
cipher text, and K is a 3 x 3 matrix,
representing the encryption key
66

67. Hill Cipher
In general terms, the Hill cipher system can
be expressed as follows:
C = E(K, P) = KP mod 26
P = D(K1
, C) = K1
C mod 26 = P
67

68. Hill Cipher
68
Consider the message ‘CAT', and the key GYBNQKURP

69. For Example if the key is an 3 X 3 matrix
Plain Text : paymoremoney
m=3
(p a y)=(15 0 24)
So Encryption is as follows
(15 0 24) = (303 303 531) mod 26
= (17 17 11) = RRL
Now the cipher text for pay is RRL

70. For Decryption you have to find the K-1
How to find inverse of K that is
K-1
1. Find the adjoint of the element in the matrix,
2. Transpose the matrix
adj A= 300 -357 6
-313 313 0
267 -252 -51
This is
Transpose of
adj A
Determinant of matrix A is=
=17(18*19 – 21*2) -17(21*9 – 21*2) + 5(21*2 – 18*2)
= -939
(18*19 – 21*2) – (19*21 – 21*2) +
( 17*19 – 5*2) ………

71. Now K-1
is 1/adj(A) * K-1
1/adj(A) = 1 /(-939) = (-939)-1
=
(-939 mod 26)-1
(the easy way to find -939mod 26 is keep
adding 26 with -939 till you get a positive value, so that you will get 23)
= (23)-1
mod 26
= 23 * 17 = 391 mod 26 =1 (find a number when
multiplied with 23 gives a number consider “ s” ; then s mod 26 should give 1)
Now (-939 mod 26)-1
= 17
Now according to 1/adj(A) * K-1
= 17 * K-1
= 17 *
=
300 -313 267
-357 313 -252
6 0 -51
5100 -5321 4539
6069 5321 4284
102 0 867
Mod 26
Mod 26 =
This is the
inverse matrix

72. Polyalphabetic Ciphers
Each plaintext letter has multiple
corresponding cipher text letters.
72

73. Vigenère Cipher
The Vigenère cipher is a method
of encrypting alphabetic text by using a
series of different Caesar ciphers based
on the letters of a keyword.
It is a simple form of polyalphabetic
substitution.
73

74. Vigenère Cipher
To encrypt a message, a key is needed that
as long as the message. Usually, the key
is a repeating keyword.
key: `deceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
74

75. 75

76. One-time pad
The one-time pad's security comes from
it's key; the key is EQUAL to the length of
the plaintext and is COMPLETELY
random.
76

77. One-time pad
H E L L O Message
7 4 11 11 14
X M C K L Key
+ 23 12 2 10 11
= 30 16 13 21 25 Message + key
= 4 16 13 21 25 Message+key(mod 26)
E Q N V Z → ciphertext
77

78. Transposition Encryption
position of the plain text will be changed.
78

79. Rail Fence cipher
The simplest such cipher is the rail fence technique, in
which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows.
The example message is: meet me after the toga
party
eg. write message out as:
m e m a t r h t g p r y
e t e f e t e o a a t
giving ciphertext
MEMATRHTGPRYETEFETEOAAT

80. Row Transposition Ciphers
A more complex transposition cipher is to
write the message in a rectangle, row by row,
and read the message off shuffling the order of
the columns in each row.
80

81. Row Transposition Ciphers
81

82. Rotor machine
In cryptography, a rotor machine is an
electro-mechanical device used for
encrypting and decrypting secret
messages.
82

83. Example of Rotor Machine
83

84. Steganography
Steganography is the art and science of
writing hidden messages in such a way
that no one knows, apart from the sender
and receiver.
84

85. Character marking:
text are overwritten in pencil The marks
are ordinarily not visible unless the paper
is held at an angle to bright light.
85

86. Invisible ink
A number of substances can be used for
writing but leave no visible trace until heat
or some chemical is applied to the paper.
86

87. Pin punctures:
Small pin punctures on selected letters are
ordinarily not visible unless the paper is
held up in front of a light.
87

88. Block Cipher Principles
A block cipher is an encryption/decryption
scheme in which a block of plaintext is
treated as a whole and used to produce a
cipher text block of equal length.
88

89. Block Cipher
Divide input bit stream into n-bit sections, encrypt only that section.
89

90. Block cipher versus Stream
Ciphers
 block ciphers process messages in blocks
 stream ciphers process messages in bit
or byte.
90

91. Reversible Mapping
Each block of plain text must produce a
unique cipher text block. Such a
transformation is called reversible.
91

92. Reversible Mapping
92

93. Irreversible Mapping
Each block of plain text must not produce
a unique cipher text block. Such a
transformation is called reversible.
93

94. Irreversible Mapping
94

95. Feistel cipher
Feistel cipher is a symmetric structure used in
the construction of block ciphers.
95

96. Confusion and Diffusion
• “Confusion” = Substitution (non linear function)
• a -> b
• “Diffusion” = Transposition (linear function)
• abcd -> dacb
Encryption Decryption
plaintext ciphertext plaintext
Key KA Key KB
96

97. Confusion
Each bit of the cipher text block has highly
nonlinear relations with the plaintext block
bits and the key bits.
97

98. Diffusion
Each plaintext block bit or key bit affects
many bits of the cipher text block.
98

99. 99

100. Feistel Cipher Structure
 The inputs to the encryption algorithm are a
plaintext block of length 2w bits and a key K.
 The plaintext block is divided into two halves, L0
and R0.
 The two halves of the data pass through n
rounds of processing and then combine to
produce the cipher text block.
 Each round i has as inputs Li-1 and Ri-1, derived
from the previous round, as well as a subkey Ki,
derived from the overall K.
100

101. Feistel Cipher Structure
A substitution is performed on the left
half of the data. This is done by applying
a round function F to the right half of the
data and then taking the exclusive-OR of
the output of that function and the left half
of the data.
101

102. Feistel Cipher structure
102

103. Feistel Cipher structure
103

104. Feistel Cipher Design Elements
block size - increasing size improves
security, but decrease the encryption
speed.
key size – increasing key size improves
security, but decrease the encryption
speed.
number of rounds - increasing number of
rounds improves security but decrease the
encryption speed.
104

105. Feistel Cipher Design Elements
sub key generation algorithm - greater
complexity can make analysis harder,
decrease the encryption speed.
round function - greater complexity can
make analysis harder, but decrease the
encryption speed.
105

106. Simplified DES
 Developed 1996 as a teaching tool
 Santa Clara University
 Prof. Edward
 Takes an 8-bit block plaintext, a 10 –bit key and
produces an 8-bit block of cipher text
 Decryption takes the 8-bit block of cipher text,
the same 10-bit key and produces the original 8-
bit block of plaintext
106

107. 107

108. Five Functions to Encrypt
 IP – an initial permutation
 fk - a complex, 2-input function
 SW – a simple permutation that swaps
the two nybles
 fk - a complex, 2-input function; again
 IP – inverse permutation of the initial
permutation
108

109. 109

110. 110

111. 111

112. 112

113. 113

114. 114

115. 115

116. 116

117. DES
The Data Encryption Standard (DES) is
a block cipher that uses shared secret
encryption.
data are encrypted in 64-bit blocks using a
56-bit key. The algorithm transforms 64-bit
input in a series of steps into a 64-bit
output.
117

118. DES
• Adopted in 1976 as US Government
standard encryption technique
• Utilizes a 56-bit symmetric key
• Cracked in 1998
• Replaced in 2002 by AES which utilizes
128 bit keys.
118

119. 119

120. DES
• First, the 64-bit plaintext passes through
an initial permutation (IP) that rearranges
the bits to produce the permuted input.
• This is followed by a phase consisting of
16 rounds of the same function, which
involves both permutation and substitution
functions.
120

121. DES
• The output of the last (sixteenth) round
consists of 64 bits that are a function of
the input plaintext and the key.
• The left and right halves of the output are
swapped to produce the preoutput.
• Finally, the preoutput is passed through a
permutation (IP-1) that is the inverse of
the initial permutation function, to produce
the 64-bit cipher text.
121

122. 64 Bit input
122

123. Initial permutation
123

124. 124

125. Figure 23-13
Permutation
125

126. Details of Single Round
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit sub key:
– expands R to 48-bits using perm E
– adds to sub key using XOR
– passes through 8 S-boxes to get 32-bit result
– finally permutes using 32-bit perm P
126

127. 127

128. MS 128
1 4 5 8 9 12 13 16 17 20 21 24 25 28 29 32
1 48
Expansion Permutation
32
48

129. Definition of DES S-Boxes
129

130. S-Boxes
• The substitution consists of a set of eight
S-boxes, each of which accepts 6 bits as
input and produces 4 bits as output.
• The first and last bits of the input to box Si
form a 2-bit binary that represent the row
of the table for Si.
• The middle four bits select one of the
sixteen columns
130

131. Example
• For example, in S1 for input 011001, the
row is 01 (row 1) and the column is 1100
(column 12).
• The value in row 1, column 12 is 9, so the
output is 1001.
131

132. S-Boxes
132

133. 133

134. Key Generation
134

135. 64 bit input key
135

136. Permuted Choice One (PC-1)
136

137. Permuted Choice Two (PC-2)
137

138. Schedule of Left Shifts
138

139. Avalanche Effect
A small change in the plaintext or in the key
results in a significant change in the cipher text.
DES provides a strong avalanche effect
Changing 1 bit in the plaintext affects 34
bits in the cipher text on average.
139

140. Avalanche Effect in DES
140

141. The Strength of DES
• The use of 56 bit key
• The Nature of the DES algorithm
• Timing attacks
141

142. The use of 56 bit key
• With a key length of 56 bits, there are 256
possible keys.
• single machine performing one DES
encryption per microsecond would take
more than a thousand years to break the
cipher.
142

143. The Nature of the DES algorithm
Eight S-boxes, that are used in each
iteration.
143

144. Timing Attacks
timing attack is one in which information
about the key or the plaintext is obtained
by observing how long it takes a given
implementation to perform decryptions on
various cipher texts.
144

145. Differential Cryptanalysis
• Differential cryptanalysis is the first
published attack that is capable of
breaking DES in less than 255
encryptions.
• powerful method to analyse block ciphers

146. Differential Cryptanalysis
differential cryptanalysis compares two
related pairs of encryptions.
it is feasible to determine the sub key used in
the function f.
The differential cryptanalysis attack is
complex.
146

147. Differential Cryptanalysis
Compares Pairs of Encryptions
• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used

148. Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with
decreasing probabilities
• developed by Matsui in early 90's
• based on finding linear approximations
• can attack DES with 243
known plaintexts,
easier but still in practise infeasible

149. Linear Cryptanalysis
For example, the following equation,
states the XOR sum of the first and third
plaintext bits (as in a block cipher's block)
and the first cipher text bit is equal to the
second bit of the key
P1ӨP3 ӨC1=k2

150. Block Cipher Design
• basic principles still like Feistel’s in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
– have issues of how S-boxes are selected
• key schedule
– complex subkey creation, key avalanche

151. AES
• DES finally proved insecure in July 1998,
when the Electronic Frontier Foundation
(EFF) announced that it had broken a
DES encryption using a special-purpose
"DES cracker" machine that was built for
less than $250,000.
• The Advanced Encryption Standard (AES)
was published by NIST (National Institute
of Standards and Technology) in 2001.
151

152. AES
AES is a block cipher intended to replace
DES for commercial applications.
It uses a 128-bit block size.
AES does not use a Feistel structure.
152

153. Evaluation Criteria for AES
153

154. Security
Minimum key size for AES is 128 bits,
brute-force attacks with current and
projected technology were considered
impractical.
154

155. COST
The algorithm(s) specified in the AES shall
be available on a worldwide, non-
exclusive, royalty-free basis.
155

156. Computational efficiency
Computational efficiency refers to the
speed of the algorithm.
156

157. Memory requirement
The memory required to implement a
candidate algorithm for both hardware and
software implementations of the algorithm
will also be considered during the
evaluation process.
157

158. Algorithm and implementation
characteristics
This category includes a variety of
considerations, including flexibility;
suitability for a variety of hardware and
software implementations.
158

159. Key Agility
Key agility refers to the ability to change
keys quickly and with a minimum of
resources.
159

160. The AES Cipher
• The input to the encryption and decryption
algorithms is a single 128-bit block.
• This block is copied into the State array,
which is modified at each stage of
encryption or decryption.
• After the final stage, State is copied to an
output matrix.
160

161. 161

162. 162

163. AES
163

164. 164

165. Substitute Bytes
Transformation
• Replace each byte in the state array with
its corresponding value from the S-Box
00 44 88 CC
11 55 99 DD
22 66 AA EE
33 77 BB FF
55
165

166. Shift row transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left
shift is performed.
• For the third row, a 2- byte circular left
shift is performed.
• For the fourth row, a 3-byte circular left
shift is performed.
166

167. Shift row transformation
167

168. Shift row transformation
168

169. Mix column Transformation
• Apply mix column transformation to each
column.
169

170. Mix column Transformation
170

171. Add Round Key
• XOR each byte of the round key with its
corresponding byte in the state array.
171

172. AddRoundKey
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
S’0,0 S’0,1 S’0,2 S’0,3
S’1,0 S’1,1 S’1,2 S’1,3
S’2,0 S’2,1 S’2,2 S’2,3
S’3,0 S’3,1 S’3,2 S’3,3
S0,1
S1,1
S2,1
S3,1
S’0,1
S’1,1
S’2,1
S’3,1
R0,0 R0,1 R0,2 R0,3
R1,0 R1,1 R1,2 R1,3
R2,0 R2,1 R2,2 R2,3
R3,0 R3,1 R3,2 R3,3
R0,1
R1,1
R2,1
R3,1
XOR
172

173. Key Expansion Algorithm
• The AES key expansion algorithm takes
as input a 4-word (16-byte) key and
produces a linear array of 44 words (176
bytes).
• This is sufficient to provide a 4-word round
key for the initial AddRoundKey stage and
each of the 10 rounds of the cipher.
173

174. 174

175. 175
1. Using this Playfair matrix
encrypt this message: cryptography and network security

176. Answer
176
BGXQHWEGROKWLOSUADAWGIDLDQBPCW

177. Example
Given the plaintext {00 01 02 03 04 05 06 07 08 09
0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01},
I. Show the original contents of State, displayed as a
4 x 4 matrix.
II.Show the value of State array after initial
AddRoundKey.
III.Show the value of State array after Sub Bytes.
IV.Show the value of State array after Shift Rows.
V.Show the value of State array after Mix Columns.
177

178. State array
178

179. State array after initial
AddRoundKey
179

180. State array after Sub Bytes
180

181. State array after Shift Rows
181

182. State array after Mix Columns
182

183. Example
Consider the given key K and the plaintext,
namely: in hexadecimal notation: 0 1 2 3 4
5 6 7 8 9 A B C D E F
• in binary notation: 0000 0001 0010 0011
0100 0101 0110 0111 1000 1001 1010
1011 0100 1101 1110 1111
183

184. A. Derive K1, the first-round sub key.
B. Derive L0, R0.
C. Expand R0 to get E[R0], where E[·] is the
expansion function.
D. Calculate A = E[R0] Ө K1.
E. Group the 48-bit result of (d) into sets of 6 bits
and evaluate the corresponding S-box
substitutions.
F. Concatenate the results of (e) to get a 32-bit
result, B.
G. Apply the permutation to get P(B).
H. Calculate R1 = P(B)Ө L0.
i. Write down the cipher text. 184

185. UNIT-II
 Multiple Encryption and Triple DES
 Block Cipher Modes of Operation
 Stream cipher and RC4
 Placement of Encryption function
 Traffic confidentiality
 Key Distribution
 Principle of Public Key Cryptosystems
 The RSA Algorithm
 Key management
 Diffie Hellman Key Exchange
 Elliptic curve cryptography.
185

186. Multiple Encryption
Multiple encryption is a technique in
which an encryption algorithm is used
multiple times.
186

187. Double DES
The simplest form of multiple encryption
has two encryption stages and two keys .
Given a plaintext P and two encryption keys
K1 and K2, cipher text C is generated as
C = E(K2, E(K1, P))
187

188. Double DES
188

189. Double DES
• Decryption requires that the keys be
applied in reverse order
P = D(K1, D(K2, C))
• this scheme apparently involves a key
length of 56 x 2 = 112 bits, of resulting in a
dramatic increase in cryptographic
strength
189

190. Meet-in-the-middle attack
• Given a known pair, (P, C), the attack
proceeds as follows.
• First, encrypt P for all 256
possible values of
K1 Store these results in a table and then
sort the table by the values of X.
• Next, decrypt C using all 256
possible
values of K2. As each decryption is
produced, check the result against the
table for a match. 190

191. Meet-in-the-middle attack
• If a match occurs, then test the two
resulting keys against a new known
plaintext-cipher text pair.
• If the two keys produce the correct cipher
text, accept them as the correct keys.
191

192. Triple DES with Two Keys
• Triple DES makes use of three stages of
the DES algorithm, using a total of two or
three distinct keys.
• The function follows an encrypt-decrypt-
encrypt (EDE) sequence
C = E(K1, D(K2, E(K1, P)))
192

193. Triple DES with Two Keys
193

194. Triple DES with Three Keys
• Three-key 3DES has an effective key
length of 168 bits and is defined as
follows:
• C = E(K3, D(K2, E(K1, P)))
194

195. Block Cipher Modes of
Operation
• To apply a block cipher in a variety of
applications, four "modes of operation"
have been defined by NIST .
• mode of operation is a technique for
enhancing the effect of a cryptographic
algorithm for an application
195

196. Electronic Codebook (ECB)
Each block of 64 plaintext bits is encrypted
independently using the same key.
196

197. Electronic Codebook (ECB)
197

198. Limitation of ECB
• The most significant characteristic of ECB
is that the same b-bit block of plaintext, if it
appears more than once in the message,
always produces the same cipher text.
• For lengthy messages, the ECB mode
may not be secure.
198

199. Typical Application
• Secure transmission of single values (e.g.,
an encryption key)
199

200. Cipher Block Chaining (CBC)
200
• To overcome the security deficiencies of
ECB, we would like a technique in which
the same plaintext block, if repeated,
produces different cipher text blocks.
• A simple way to satisfy this requirement is
the cipher block chaining (CBC) mode
• The input to the encryption algorithm is the
XOR of the next 64 bits of plaintext and
the preceding 64 bits of cipher text.

201. Cipher Block Chaining (CBC)
201

202. Cipher Block Chaining (CBC)
• use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
202

203. Limitations of CBC
• need Initialization Vector (IV)
203

204. Typical Application
• General-purpose block-oriented
transmission
• Authentication
204

205. Cipher Feedback (CFB)
205
Input is processed j bits at a time.
Preceding cipher text is used as input to
the encryption algorithm to produce
pseudorandom output, which is XORed
with plaintext to produce next unit of
cipher text.

206. Cipher Feedback (CFB)
206

207. Cipher Feedback (CFB)
207

208. Limitation of CFB
A possible problem is that if its used over
a "noisy" link, then any corrupted bit will
destroy values in the current and next
blocks.
208

209. Typical Application
209
• General-purpose stream-oriented
transmission
• Authentication

210. Output Feedback (OFB)
The alternative to CFB is OFB. Here the
generation of the "random" bits is
independent of the message being
encrypted.
The advantage is that firstly, they can be
computed in advance, good for bursty
traffic, and secondly, any bit error only
affects a single bit. Thus this is good for
noisy links (eg satellite TV transmissions
etc).
210

211. Output Feedback (OFB)
211

212. Typical Application
• Stream-oriented transmission over noisy
channel (e.g., satellite communication)
212

213. Counter (CTR)
Each block of plaintext is XOR ed with an
encrypted counter. The counter is
incremented for each subsequent block.
213

214. Counter (CTR)
214

215. Advantages and Limitations of CTR
can do parallel encryptions in h/w or s/w.
good for bursty high speed links.
provable security (good as other modes)
but CTR does not reusing the same key
and counter value

216. Typical Application
• General-purpose block-oriented transmission
• Useful for high-speed requirements
216

217. Stream Ciphers and RC4
217

218. Stream Ciphers
• stream cipher encrypts plaintext one byte
at a time.
• stream cipher may be designed to operate
on one bit at a time.
218

219. Stream Cipher Structure

220. Stream Cipher Structure
220

221. Design considerations
• long period with no repetitions of pseudo
random key.
• output of the pseudorandom number
generator is conditioned on the value of
the input key.
• To protect against brute-force attacks, the
key needs to be sufficiently long.
221

222. RC4 Basics
• A symmetric key encryption algorithm.
• Invented by Ron Rivest.
• Normally uses 64 bit and 128 bit key sizes.
• Cryptographically very strong yet very easy to
implement.
• Consists of 2 parts: Key Scheduling Algorithm
(KSA) & Pseudo-Random Generation Algorithm

223. RC4 Block Diagram
Plain Text
Secret Key
RC4
+
Encrypted
Text
Keystream

224. RC4 …break up
• Initialize an array of 256 bytes.
• Run the KSA on them
• Run the PRGA on the KSA output to
generate keystream.
• XOR the data with the keystream.

225. Array Initialization
C Code:
char S[256];
Int i;
For(i=0; i< 256; i++)
S[i] = i;
After this the array would like this :
S[] = { 0,1,2,3, ……, 254, 255}

226. The KSA
• The initialized array S[256] is now run through
the KSA. The KSA uses the secret key to
scramble the array.
• C Code for KSA:
int i, j = 0;
for(i=0; i<256; i++)
{
j = ( j + S[i] + key[ i % key_len] ) % 256;
swap(S[i], S[j]);
}

227. The PRGA
• The KSA scrambled S[256] array is used to generate the
PRGA. This is the actual keystream.
• C Code:
i = j = 0;
while(output_bytes)
{
i = ( I + 1) % 256;
j = ( j + S[i] ) % 256;
swap( S[i], S[j] );
output = S[ ( S[i] + S[j] ) % 256 ]
}

228. Encryption using RC4
• Choose a secret key
• Run the KSA and PRGA using the key to
generate a keystream.
• XOR keystream with the data to generated
encrypted stream.
• Transmit Encrypted stream.

229. Decryption using RC4
• Use the same secret key as during the encryption phase.
• Generate keystream by running the KSA and PRGA.
• XOR keystream with the encrypted text to generate the
plain text.
• Logic is simple :
(A xor B) xor B = A
A = Plain Text or Data
B = KeyStream

230. RC4 Example
• Simple 4-byte example
• S = {0, 1, 2, 3}
• K = {1, 7, 1, 7}
• Set i = j = 0

231. KSA
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1
Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3}
Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}

232. KSA
Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3
Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2}
Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}):
j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}

233. PRGA
Reset i = j = 0, Recall S = {2, 1, 3, 0}
i = i + 1 = 1
j = j + S[ i ] = 0 + 1 = 1
Swap S[ i ] and S[ j ]: S = {2, 1, 3, 0}
Output z = S[ S[ i ] + S[ j ] ] = S[2] = 3

234. Analysis of RC4
• Advantages
– Faster than DES
– Enormous key space (average of 1700 bits)
• Disadvantages
– Large number of “weak” keys 1 of 256
– “Weak” keys can be detected and exploited
with a high probability

235. Placement of Encryption
function
If encryption is to be used to counter
attacks on confidentiality, we need to
decide what to encrypt and where the
encryption function should be located.
235

236. Confidentiality using Symmetric
Encryption
• traditionally symmetric encryption is used
to provide message confidentiality

237. Placement of Encryption
• link encryption
• end-to-end encryption
237

238. Link encryption
Link encryption is an approach to
encrypts and decrypts all data at each
end of a communications line
238

239. End-to-end encryption
encryption process is carried out at the
two end systems
239

240. Placement of Encryption

241. Placement of Encryption
With end-to-end encryption, user data are
secure, but the traffic pattern is not because
packet headers are transmitted in the clear.
To achieve greater security, both link and
end-to-end encryption are needed

242. Placement of Encryption
• can place encryption function at various
layers in OSI Reference Model
– link encryption occurs at layers 1 or 2
– end-to-end can occur at layers 3, 4, 6, 7

243. Front-End Processor Function
243

244. 244

245. Traffic Confidentiality
Knowledge about the number and length
of messages between nodes may enable
an opponent to determine who is talking to
whom.
245

246. Information that can be derived from a traffic
analysis attack:
• Identities of partners
• How frequently the partners are
communicating
• Message pattern, message length, or
quantity of messages that suggest
important information is being exchanged
246

247. Link Encryption Approach
Network-layer headers are encrypted,
reducing the opportunity for traffic
analysis.
However, it is still possible to observe the
amount of traffic entering and leaving
each end system.
247

248. Traffic-Padding Encryption Device
• Traffic padding produces cipher text
output continuously, even in the absence
of plaintext.
248

249. Traffic-Padding Encryption Device
249

250. Traffic-Padding Encryption Device
• A continuous random data stream is
generated.
• When plaintext is available, it is encrypted
and transmitted.
• When input plaintext is not present,
random data are encrypted and
transmitted.
• This makes it impossible for an attacker to
distinguish between true data flow and
padding
250

251. End-to-End Encryption Approach
• if encryption is implemented at the
application layer, then an opponent can
determine which transport unit are
engaged in dialogue.
• In addition, null messages can be inserted
randomly into the stream. These tactics
deny an opponent knowledge about the
amount of data exchanged between end
users and difficult to understand the
underlying traffic pattern.
251

252. Key Distribution
252

253. Key Distribution
given parties A and B have various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can
use previous key to encrypt a new key
4. if A & B have secure communications with a
third party C, C can relay key between A & B

254. Session key
• Session keys can also be termed
temporary keys or one-time use keys.
Usually after a session, these keys are
discarded and not used again.
• Communication between end systems is
encrypted using session key.
254

255. Master key
• session keys are transmitted in encrypted
form, using a master key that is shared
by the key distribution center and an end
system or user.
255

256. The Use of a Key Hierarchy
256

257. Key Distribution Scenario

258. Key Distribution Scenario
• A issues a request to the KDC for a
session key to protect a logical connection
to B.
• The KDC responds with a message
encrypted using Ka Thus, A is the only
one who can successfully read the
message, and A knows that it originated at
the KDC
258

259. Key Distribution Scenario
• A stores the session key for use in the upcoming
session and forwards to B the information that
originated at the KDC for B, namely, E(Kb, [Ks ||
IDA]). Because this information is encrypted with
Kb, it is protected from eavesdropping.
• B now knows the session key (Ks), knows that
the other party is A (from IDA), and knows that
the information originated at the KDC (because it
is encrypted using Kb).
259

260. Key Distribution Scenario
• Using the newly minted session key for
encryption, B sends a nonce, N2, to A.
• Also using Ks, A responds with f(N2),
where f is a function that performs some
transformation on N2 (e.g., adding one).
260

261. 15.261
Hierarchical Key Control

262. Hierarchical Key Control
• It is not necessary to limit the key
distribution function to a single KDC.
Indeed, for very large networks, it may not
be practical to do so. As an alternative, a
hierarchy of KDCs can be established.
• If two entities in different domains desire a
shared key,then the corresponding local
KDCs can communicate through a global
KDC.
262

263. Decentralized Key Control
263

264. Decentralized Key Control
1. A issues a request to B for a session key and
includes a nonce, N1
2. B responds with a message that is encrypted
using the shared master key. The response
includes the session key selected by B, an
identifier of B, the value f(N1), and another
nonce, N2.
3. Using the new session key, A returns f(N2) to B.
264

265. Principles of Public-Key
Cryptosystems
265

266. Private-Key Cryptography
• traditional private/secret/single key
cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are
compromised
• does not support authentication
266

267. Public-Key Cryptography
• Asymmetric encryption is a form of cryptosystem
in which encryption and decryption are performed
using the different keys—one a public key and
one a private key. It is also known as public-key
encryption.
• Asymmetric encryption transforms plaintext into
cipher text using a one of two keys and an
encryption algorithm. Using the paired key and a
decryption algorithm, the plaintext is recovered
from the cipher text.
• Asymmetric encryption can be used for
confidentiality, authentication, or both. 267

268. Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
– a public-key, which may be known by
anybody, and can be used to encrypt
messages, and verify signatures
– a private-key, known only to the recipient,
used to decrypt messages, and sign
(create) signatures
268

269. Principles of Public-Key
Cryptosystems
• The concept of public-key cryptography
evolved from an attempt to attack two of
the most difficult problems associated with
symmetric encryption.
• Key distribution
• Does not Supports Data authentication
269

270. 270
Confidentiality using public-Key
system

271. Encryption
• Each user generates a pair of keys to be
used for the encryption and decryption of
messages.
• Each user places one of the two keys in a
public register This is the public key.
• The companion key is kept private.
271

272. Encryption
• If Bob wishes to send a confidential
message to Alice, Bob encrypts the
message using Alice's public key.
• When Alice receives the message, she
decrypts it using her private key.
• No other recipient can decrypt the
message because only Alice knows
Alice's private key.
272

273. 273
Authentication using Public-Key
System

274. Difference between Symmetric Encryption and asymmetric
Encryption
Symmetric encryption Asymmetric encryption
symmetric encryption is a form of
cryptosystem in which encryption and
decryption are performed using same
key.
Asymmetric encryption is a form of
cryptosystem in which encryption and
decryption are performed using the
different keys .one is public key and
another one is private key.
It is also known as secret key
encryption.
It is also known as public-key
encryption.
symmetric encryption can be used for
confidentiality.
Asymmetric encryption can be used for
confidentiality, authentication, or both.
The most widely used symmetric key-
key cryptosystem is Transposition and
substitution.
The most widely used public-key
cryptosystem is RSA.
274

275. Public-Key Cryptosystem:
Secrecy
275

276. Public-Key Cryptosystem:
Secrecy
• With the message X and the encryption
key PUb as input, A forms the cipher text
Y = [Y1, Y2,..., YN]:
• Y = E(PUb, X)
• The intended receiver, in possession of
the matching private key, is able to invert
the transformation:
• X = D(PRb, Y)
276

277. Public-Key Cryptosystem:
Authentication
277

278. Public-Key Cryptosystem:
Authentication and Secrecy
278

279. Applications for Public-Key
Cryptosystems
• Encryption/decryption
• Digital signature
• Key exchange
279

280. Requirements for Public-Key
Cryptography
1.It is computationally easy for a party B to
generate a pair (public key PUb, private key
PRb).
2. It is computationally easy for a sender A,
knowing the public key and the message to be
encrypted, M, to generate the corresponding
cipher text: C = E(PUb, M)
3.It is computationally easy for the receiver B to
decrypt the resulting cipher text using the private
key to recover the original message: M = D(PRb,
C) = D[PRb, E(PUb, M)] 280

281. Requirements for Public-Key
Cryptography
4. It is computationally infeasible for an
opponent, knowing the public key, PUb, to
determine the private key, PRb.
5.It is computationally infeasible for an
opponent, knowing the public key, PUb,
and a cipher text, C, to recover the original
message, M.
281

282. The RSA Algorithm
282

283. Our dramatis personae
Rivest Shamir Adleman
283

284. The RSA Algorithm
RSA algorithm is developed by Ron
Rivest , Adi Shamir, and Len Adleman at
MIT and first published in 1978.
The RSA scheme is a block cipher in
which the plaintext and cipher text are
integers between 0 and n.
284

285. RSA Public Key Cryptosystem
c=
m e
mod n
Network
Plain Text Cipher Text Cipher Text Plain Text
Alice
Bob
Bob: (e, n)
Public Key Directory (Yellow/White Pages)
public key:
e & n
secret key: d
m=
c d
mod n

286. The RSA Algorithm – Key Generation
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer e
5. Calculate d
6. Public Key KU = {e,n}
7. Private key KR = {d,n}
286
)1)(1()( −−=Φ qpn
)(1;1)),(gcd( neen Φ<<=Φ
)(mod1
ned Φ= −

287. The RSA Algorithm - Encryption
• Plaintext: M<n
• Ciphertext: C = Me
(mod n)
287

288. The RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = Cd
(mod n)
288

289. Example
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 x 11 = 187
Calculate θ(n) = (p -1)(q -1) = 16 x 10 = 160.
Select e such that e is relatively prime to θ(n) =
160 and less than θ(n) we choose e = 7
289

290. Example
Calculate d value using the formula
d=(1+X * θ(n) )/e
X=0 d=(1+0*160)/ 7 = 0.143
X=1 d=(1+1 *160)/7 = 23
d=23
290

291. Example
PU={e, n}
PR={d , n}
The resulting keys are
public key PU = {7,187}
private key PR = {23,187}.
291

292. Encryption
Ciphertext: C = Me
(mod n)
C=887
(mod 187)
c=11
292

293. Decryption
Plaintext: M = Cd
(mod n)
M=1123
(mod 187)
M=88
293

294. The RSA Algorithm
294

295. The RSA Algorithm
295

296. The RSA Algorithm
296

297. Example
perform the Encryption and decryption for
p =7, q = 11, e = 17 and m = 8
297

298. Key generation
Calculate n = pq = 7 x 11 = 77
Calculate θ(n) = (p -1)(q -1) = 6 x 10 = 60
Calculate d value using the formula
d=(1+X * θ(n) )/e
X=0 d=(1+0*60)/ 17 = 0.0588
X=1 d=(1+1*60)/17 = 3.58
X=2 d=(1+2*60)/17 =7.11
x=3 d=(1+3*60)/17=10.64
298

299. Key generation
X=4 d=(1+4*60)/17=14.17
X=5 d=(1+5*60)/17=17.70
X=6 d=(1+6*60)/17=21.23
X=7 d=(1+7*60)/17=24.76
X=8 d=(1+8*60)/17=28.29
X=9 d=(1+9*60)/17=31.82
x=10 d=(1+10*60)/17=35.35
299

300. Key generation
X=11 d=(1+11*60)/17=38.88
X=12 d=(1+12*60)/17=42.41
X=13 d=(1+13*60)/17=45.94
X=14 d=(1+14*60)/17=49.47
X=15 d=(1+15*60)/17=53
300

301. Key generation
PU={e, n}
PR={d , n}
The resulting keys are
public key PU = {17,77}
private key PR = {53,77}.
301

302. Encryption
Ciphertext: C = Me
(mod n)
C=817
(mod 77)
c=57
302

303. Decryption
Plaintext: M = Cd
(mod n)
M=5753
(mod 77)
M=8
303

304. The Security of RSA
Brute force: This involves trying all
possible private keys.
Mathematical attacks: There are several
approaches, all equivalent in effort to
factoring the product of two primes.
Timing attacks: These depend on the
running time of the decryption algorithm.
Chosen cipher text attacks This type of
attack make use of properties of the RSA
algorithm. 304

305. Key Management
One of the major roles of public-key
encryption has been to address the
problem of key distribution.
• The distribution of public keys
• Distribution of secret keys using public key
305

306. Distribution of Public Keys
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
306

307. Public Announcement of
Public Keys
• any participant can send his or her public
key to any other participant or broadcast
the key to the community at large.
307

308. Public Announcement of
Public Keys
308

309. Example
• For Example USENET is a public forum
anybody can post a message and read
message.
• it has a major weakness.
• some user could pretend to be user A and
send a public key to another participant.
309

310. Publicly Available Directory
• can obtain greater security by registering keys
with a public directory
• The authority maintains a directory with a {name,
public key} entry for each participant.
• Each participant registers a public key with the
directory authority.
• A participant may replace the existing key with a
new one at any time.
• Participants could also access the directory
electronically.
310

311. Publicly Available Directory
311

312. Public-Key Authority
Stronger security for public-key distribution
can be achieved by providing tighter
control over the distribution of public keys
from the directory.
312

313. Public-Key Authority
313

314. Public-Key Authority
1. A sends a time stamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the
authority's private key, PRauthThus, A is able to decrypt the message using
the authority's public key.
The message includes the following:
● B's public key, PUb which A can use to encrypt messages destined for B
● The original request, to enable A to match this response with the
corresponding earlier request and to verify that the original request was not
altered before reception by the authority
● The original timestamp, so A can determine that this is not an old
message from the authority.
314

315. Public-Key Authority
A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A(IDA) and a nonce (N1), which is used to identify this
transaction uniquely.
4,5.B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are
desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce
(N1) as well as a new nonce generated by B (N2) Because only B could
have decrypted message (3), the presence of N1 in message (6) assures A
that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
315

316. Public-Key Certificates
316

317. Public-Key Certificates
• Any participant can read a certificate to
determine the name and public key of the
certificate's owner.
• Any participant can verify that the
certificate originated from the certificate
authority and is not counterfeit.
• Only the certificate authority can create
and update certificates.
317

318. Distribution of Secret Keys Using Public-Key
Cryptography
• Simple Secret Key Distribution
• Secret Key Distribution with
Confidentiality and Authentication
318

319. Simple Secret Key Distribution
319

320. Simple Secret Key
Distribution
1.A generates a public/private key pair
{PUa, PRa} and transmits a message to B
consisting of Pua and an identifier of A,
IDA.
2. B generates a secret key, Ks, and
transmits it to A, encrypted with A's
public key.
320

321. Simple Secret Key
Distribution
3. A computes D(PRa, E(PUa, Ks)) to
recover the secret key. Because only A
can decrypt the message, only A and B
will know the identity of Ks.
4. A discards PUa and PRa and B
discards PUa.
321

322. Man-in-the-middle attack
1.A generates a public/private key pair
{PUa, PRa} and transmits a message
intended for B consisting of PUa and an
identifier of A, IDA.
2.E capture the message, creates its own
public/private key pair {PUe, PRe} and
transmits PUe|| IDA to B.
322

323. Man-in-the-middle attack
3.B generates a secret key, Ks, and
transmits E(PUe, Ks).
4.E capture the message, and learns Ks by
computing D(PRe, E(PUe, Ks)).
5.E transmits E(PUa, Ks) to A.
323

324. Secret Key Distribution with
Confidentiality and Authentication
324

325. 1. A uses B's public key to encrypt a
message to B containing an identifier of A
(IDA) and a nonce (N1), which is used to
identify this transaction uniquely.
2. B sends a message to A encrypted with
PUa and containing A's nonce (N1) as well
as a new nonce generated by B (N2)
Because only B could have decrypted
message (1), the presence of N1 in
message (2) assures A that the
correspondent is B.
325

326. 3. A returns N2 encrypted using B's public
key, to assure B that its correspondent is
A.
4. A selects a secret key Ks and sends M =
E(PUb, E(PRa, Ks)) to B. Encryption of
this message with B's public key ensures
that only B can read it; encryption with A's
private key ensures that only A could have
sent it.
5. B computes D(PUa, D(PRb, M)) to
recover the secret key.
326

327. Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable
two users to securely exchange a key that
can then be used for subsequent
encryption of messages.
327

328. Primitive roots
P is prime number
a is a primitive root of p means
It should satisfies following condition
a mod p, a2
mod p,..., ap-1
mod p
are distinct and consist of the integers from
1 through p-1 in some permutation.
328

329. Primitive roots
3 is a primitive root of 5:
a=3,p=5
p ap
ap
mod 5
1 3 3
2 9 4
3 27 2
4 81 1
329

330. Primitive roots
4 is not a primitive root of 5:
a= 4 p=5
p ap
ap
mod 5
1 4 4
2 16 1
3 64 4
4 256 1
330

331. The Diffie-Hellman Key
Exchange Algorithm
331

332. The Diffie-Hellman Key
Exchange Algorithm
332

333. The Diffie-Hellman Key
Exchange Algorithm
333

334. The Diffie-Hellman Key
Exchange Algorithm
334

335. The Diffie-Hellman Key
Exchange Algorithm
335

336. The Diffie-Hellman Key
Exchange Algorithm
336

337. Diffie-Hellman Example
Users A and B use the Diffie-Hellman key
exchange technique with a common prime
q = 71 and a primitive root a = 7.
i)If user A has private key XA = 5, what is A's
public key YA?
ii)If user B has private key XB = 12, what is
B's public key YB?
iii) What is the shared secret key?
337

338. Diffie-Hellman Example
YA= a
XA
mod q
=75
mod 71
= 51
YB= a
XB
mod q
=712
mod 71
= 4
338

339. Diffie-Hellman Example
Ks= yB
XA
mod q = 4
5
mod 71 = 30
Ks= yA
XB
mod q = 51
12
mod 71 = 30
339

340. Diffie-Hellman Example
Consider a Diffie-Hellman scheme with a
common prime q = 11 and a primitive root
a = 2.
I. Show that 2 is a primitive root of 11.
II.If user A has public key YA = 9, what is A's
private key XA?
III.If user B has public key YB = 3, what is the
shared secret key K, shared with A?
340

341. Elliptic Curve Cryptography
Elliptical curve cryptography (ECC) is a
public key encryption technique based on
elliptic curve theory that can be used to
create faster, smaller, and more efficient
cryptographic keys.
341

342. Elliptic Curve Cryptography
ECC generates keys through the
properties of the elliptic curve equation
instead of the traditional method of
generation as the product of very large
prime numbers
342

343. Elliptic Curve Cryptography
• ECC requires significantly smaller key
size with same level of security.
• Benefits of having smaller key sizes :
faster computations, need less storage
space.
• ECC ideal for constrained environments :
Pagers ; PDAs ; Cellular Phones ; Smart
Cards.
343

344. elliptic curve
• Elliptic curves are not ellipses. They are
so named because they are described by
cubic equations, used for calculating the
circumference of an ellipse.
• An elliptic curve is a set of points (x, y), for
which it is true that
• y2
= x3
+ ax + b given certain chosen
numbers a and b.
344

345. elliptic curve
345

346. ECC Diffie-Hellman Key Exchange
346

347. ECC Diffie-Hellman Key
Exchange
347

348. ECC Diffie-Hellman Key
Exchange
348

349. ECC Diffie-Hellman Key
Exchange
349

350. ECC Diffie-Hellman Key
Exchange
350

351. UNIT-III
351

352. Contents
 Message Authentication and Hash functions
Authentication requirements
Authentication functions
Message Authentication codes and Hash functions
Security of hash functions and MAC’s
 Secure hash Algorithm
 Whirlpool
 HMAC and CMAC
 Digital Signatures
 Authentication protocols
 Digital signature standard
 Kerberos
 X.509 Authentication Service
• Public Key Infrastructure.
352

353. Authentication requirements
 disclosure
 traffic analysis
 masquerade
 content modification
 sequence modification
 timing modification
 source repudiation
 destination repudiation
353

354. Authentication Functions
Message encryption: The cipher text of the
entire message serves as its authenticator
Message authentication code (MAC):
A function of the message and a secret key that
produces a fixed-length value that serves as the
authenticator
Hash function: A function that maps a
message of any length into a fixed-length hash
value, which serves as the authenticator
354

355. Basic Uses of Message Encryption
355

356. Basic Uses of Message Encryption
356

357. Basic Uses of Message Encryption
357

358. Basic Uses of Message Encryption
358

359. Internal Error Control
359

360. External Error Control
360

361. Message Authentication Codes
Message authentication code (often
MAC) is a short piece of information used
to authenticate a message.
361

362. Message Authentication Codes
MAC = C(K, M)
M = input message
C= MAC function
K= shared secret key
MAC= message authentication code
362

363. Basic Uses of Message
Authentication Code
363

364. Basic Uses of Message
Authentication Code
364

365. Basic Uses of Message
Authentication Code
365

366. Requirements for MACs
1. knowing a message and MAC, is infeasible
to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message.

367. Data Authentication Algorithm
• Data Authentication Algorithm (DAA) is
a widely used MAC based on DES-CBC
– using IV=0 and zero-pad of final block
– encrypt message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security

368. Data Authentication Algorithm

369. Hash Function
hash function accepts a variable-size
message M as input and produces a fixed-
size output, referred to as a hash code
H(M).
The hash code is also referred to as a
message digest or hash value
A hash value h is generated by a function
H of the form h = H(M)
369

370. Basic Uses of Hash Function
370

371. Basic Uses of Hash Function
371

372. Basic Uses of Hash Function
372

373. Basic Uses of Hash Function
373

374. Basic Uses of Hash Function
374

375. Basic Uses of Hash Function
375

376. Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
• one-way property

377. Weak collision resistance
Given an input m1 it should be difficult to
find another input m2 — where m1!=m2
— such that H(m1)=H(m2)
377

378. Strong collision resistance
It should be difficult to find two different
messages m1 and m2 such that
H(m1)=H(m2)
378

379. Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
– strong collision resistance hash have cost 2
m/2
• have proposal for h/w MD5 cracker
• 128-bit hash looks vulnerable, 160-bits better
– MACs with known message-MAC pairs
• can either attack keyspace (cf key search) or MAC
• at least 128-bit MAC is needed for security

380. Hash Functions & MAC Security
• cryptanalytic attacks exploit structure
– like block ciphers want brute-force attacks to be the
best alternative
• have a number of analytic attacks on iterated
hash functions
– CVi = f[CVi-1, Mi]; H(M)=CVN
– typically focus on collisions in function f
– like block ciphers is often composed of rounds
– attacks exploit properties of round functions

381. Secure Hash Algorithms
The Secure Hash Algorithm (SHA) was
developed by the National Institute of
Standards and Technology (NIST) and
published as a federal information
processing standard in 1993.
381

382. Types of SHA
1. SHA-0
2. SHA-1
3. SHA-224
4. SHA-256
5. SHA-384
6. SHA-512
382

383. Comparisons
SHA-1 SHA-256 SHA-384 SHA-512
Message digest
size
160 256 384 512
Message size <264
<264
<2128
<2128
Block size 512 512 1024 1024
Word size 32 32 64 64
Number of
steps
80 64 80 80
383

384. SHA-512
• The algorithm takes as input a message
with a maximum length of less than 2128
bits
and produces as output a 512-bit
message digest.
• The input is processed in 1024-bit blocks.
384

385. SHA-512 Logic
Padding is the addition of one or more
extra bits to a transmission .
385

386. Message Digest Generation
Using SHA-512
386

387. Message Digest Generation
Using SHA-512
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer.
Step 4: Process message in 1024-bit
(128-word) blocks.
387

388. Processing of a Single 1024-Bit Block
388

389. Processing of a Single 1024-
Bit Block
• A 512-bit buffer is used to hold
intermediate and final results of the hash
function.
• The buffer can be represented as eight
64-bit registers (a, b, c, d, e, f, g, h).
• These registers are initialized default
hexadecimal values.
389

390. a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
c = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CDI9137E2179 390

391. SHA-512 Processing of a
Single 1024-Bit Block
• Each round takes as input the 512-bit
buffer value abcdefgh, and updates the
contents of the buffer.
391

392. H0= IV
Hi= SUM64(Hi-1, abcdefghi)
MD= HN
392

393. • Where
IV= initial value of the abcdefgh buffer,
• abcdefghi= the output of the last round of
processing of the ith message block
• N= the number of blocks in the message
(including padding and length fields)
• SUM64= Addition modulo 264
performed
separately on each word of the pair of
inputs
• MD= final message digest value
393

394. SHA-512 Round Function
394

395. SHA-512 Round Function
395

396. SHA-512 Round Function
396

397. SHA-512 Round Function
397

398. SHA-512 Round Function
398

399. SHA-512 Round Function
399

400. Creation of 80-word Input Sequence for SHA-
512 Processing of Single Block
400

401. Creation of 80-word Input Sequence for SHA-
512 Processing of Single Block
401

402. Creation of 80-word Input Sequence for SHA-
512 Processing of Single Block
402

403. Whirlpool
• Whirlpool is based on the use of a block
cipher for the compression function.
• It takes a message of any length less than
2256
bits and returns a 512-bit message
digest.
403

404. Features
• The hash code length is 512 bits
• The underlying block cipher is based on
AES .
404

405. Whirlpool Hash Structure
405

406. 12.406
Message Digest Generation Using
Whirlpool

407. Whirlpool Overview
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize hash matrix
Step 4: Process message in 512-bit (64-
byte) blocks, using as its core, the block
cipher W.
407

408. Whirlpool Overview
408

409. Comparison of Whirlpool
Block Cipher W and AES
W AES
Block size (bits) 512 128
Key size (bits) 512 128, 192, or 256
Matrix
orientation
Input is mapped row-wise Input is mapped column-
wise
Number of
rounds
10 10, 12, or 14
409

410. Whirlpool Block Cipher W
410

411. Whirlpool Block Cipher W
The encryption algorithm takes a 512-bit
block of plaintext and a 512-bit key as
input and produces a 512-bit block of
cipher text as output.
The encryption algorithm involves the use
of four different functions add key (AK),
substitute bytes (SB), shift columns (SC),
and mix rows (MR).
411

412. Whirlpool Matrix Structure
• The plaintext input to W is a single 512-bit
block.
• This block is treated as an 8 x 8 square
matrix of bytes, labeled Cstate.
412

413. Whirlpool Matrix Structure
413

414. The Nonlinear Layer SB
414

415. The Nonlinear Layer SB
The leftmost 4 bits of the byte are used as
a row value and the rightmost 4 bits are
used as a column value.
These row and column values serve as
indexes into the S-box to select a unique
8-bit output value.
For example, the hexadecimal value[3]
{95}references row 9, column 5 of the S-
box, which contains the value {BA}.
Accordingly, the value {95}is mapped into
the value {BA}. 415

416. Mix Row
• Each byte of a row is mapped into a new
value that is a function of all eight bytes in
that row.
• The transformation can be defined by the
matrix multiplication: B = AC
• where A is the input matrix, B is the output
matrix, and C is the transformation matrix:
416

417. Whirlpool Performance &
Security
• Whirlpool is a very new proposal, hence
there is little experience with use
• compared to SHA-512, Whirlpool requires
more hardware resources but performs
much better in terms of throughput.
417

418. MAC
418

419. HMAC(Hash-based Message Authentication Code)
CMAC(Cipher-based Message Authentication Code)
Types of MAC
419

420. HMAC
Message authentication code is generated
by hash function.
HMAC is computationally very fast and
very compact.
Any cryptographic hash function, such as
MD5 or SHA-1, may be used in the
calculation of an HMAC.
420

421. HMAC Algorithm
H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = ith block of M,
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded
hash function
K= secret key
421

422. HMAC Algorithm
K+ = K padded with zeros on the left
ipad = 00110110 (36 in hexadecimal)
opad = 01011100 (5C in hexadecimal)
422

423. HMAC Overview
423

424. HMAC Overview
1.Append zeros to the left end of K to create
a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit
block Si.
3. Append M to Si.
4. Apply H to the stream generated in step
5. XOR K+ with opad to produce the b-bit
block So
424

425. HMAC Overview
6.Append the hash result from step 4 to So
7.Apply H to the stream generated in step 6
and output the result.
425

426. HMAC Overview
426

427. Efficient Implementation of HMAC
427

428. Two quantities are precomputed
428

429. CMAC
Message authentication code is generated
by cipher based.
429

430. CMAC Overview
430

431. CMAC Overview
The message is divided into n blocks
M1..Mn, padded if necessary.
The algorithm makes use of a k-bit
encryption key K and an n-bit constant K1
or K2 (depending on whether the
message was padded or not).
431

432. CMAC Overview
432

433. CMAC Overview
T= MSBTlen(Cn)
where
T= message authentication code, also referred to
as the tag
Tlen= bit length of T
MSBs(X)= the s leftmost bits of the bit string X
433

434. Digital signature
A digital signature is an authentication
mechanism that enables the creator of a
message to attach a code that acts as a
signature.
The signature is formed by taking the
hash of the message and encrypting the
message with the creator's private key.
The signature guarantees the source and
integrity of the message.
434

435. Digital Signature Properties
 The signature must be a bit pattern that depends on the
message being signed.
 The signature must use some information unique to the
sender, to prevent both fake and disagreement.
 It must be relatively easy to produce the digital signature.
 It must be relatively easy to recognize and verify the
digital signature.
 It must be computationally infeasible to fake a digital
signature.
 It must be practical to retain a copy of the digital
signature in storage.
435

436. Direct Digital Signatures
Direct Digital Signatures involve only the
communicating parties.
A digital signature may be formed by encrypting the
entire message with the sender’s private key.
Confidentiality can be provided by further encrypting
the entire message plus signature using either public
or private key schemes.
security depends on sender’s private-key
436

437. Arbitrated Digital Signatures
• involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private or
public-key algorithms
• arbiter may or may not see message
437

438. Arbitrated Digital Signatures
438
X = sender
Y = recipient
A = Arbiter
M = message
T = timestamp

439. Authentication Protocols
• Authentication Protocols are used to
support parties of each others identity and
to exchange session keys.
• may be one-way or mutual
439

440. One-Way Authentication
• required when sender & receiver are not in
communications at same time (eg. email)
440

441. Mutual Authentication
• required when sender & receiver are in
communications at same time. (eg. Client-
server)
441

442. Digital Signature Standard
The digital signature standard (DSS) is an
NIST standard that uses the secure hash
algorithm (SHA).
442

443. Two Approaches to Digital
Signatures
443

444. The Digital Signature
Algorithm (DSA)
444

445. Global Public-Key Components
p prime number where 2L-1
< p < 2L
for 512 <= L <= 1024
q prime divisor of (p- 1), where 2159
< q < 2160
g = h(p-1)/q
mod p, where h is any integer with 1 < h < (p -1)
such that h(p- 1)/q
mod p > 1
445

446. User's Private Key
X random or pseudorandom integer with 0 < x < q
446

447. User's Public Key
y= gx
mod p
447

448. User's Per-Message Secret Number
k= random or pseudorandom integer with 0 < k < q
448

449. Signing
r= (gk
mod p) mod q
s= [k-1
(H(M) + xr)] mod q
Signature = (r, s)
449

450. Verifying
w= (s')-1
mod q
u1= [H(M')w] mod q
u2=(r')w mod q
v= [(gu1
yu2
) mod p] mod q
450

451. Verifying
TEST: v = r'
M= message to be signed
H(M)= hash of M using SHA-1
M', r', s’= received versions of M, r, s
451

452. Kerberos
452

453. Kerberos
Kerberos provides a centralized
authentication server whose function is to
authenticate users to servers and servers
to users.
453

454. Kerberos
Kerberos is an authentication service
designed for use in a distributed
environment.
Kerberos makes use of a trusted third-part
authentication service that enables clients
and servers to establish authenticated
communication.
454

455. 455
Requirements for KERBEROS
Secure:
opponent does not find it to be the weak link
Scalable:
The system supports large number of clients and
severs
Reliable: For all services that rely on Kerberos for
access control, lack of availability of the Kerberos
service means lack of availability of the supported
services.
Transparent: the user should not be aware that
authentication is taking place.

456. A Simple Authentication
Dialogue
C = client
AS = authentication server
V =server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V
456

457. 457
A Simple Authentication Dialogue
1- IDc + Pc+IDv
2- Ticket
3- IDc +Ticket
Ticket=Ekv[IDc,ADc,IDv]
kv=Secret Key between AS and
V (Server)
Pc=password of client

458. A More Secure Authentication Dialogue
 minimize the number of times that a
user has to enter a password
 tickets are not reusable
 To solve these problems, we introduce a
scheme a new server, known as the ticket-
granting server (TGS)
458

459. Once per user logon session:
(1)CAS : IDC||Idtgs
(2) AS C : E(Kc, Tickettgs)
459

460. Once per type of service:
(3) C TGS: IDC||IDV||Tickettgs
(4) TGS C: Ticketv
460

461. Once per service session:
(5) C V: IDC||Ticketv
461

462. Kerberos 4 Overview
462

463. 1.The client requests a ticket-granting ticket on
behalf of the user by sending its user's ID and
password to the AS, together with the TGS ID,
indicating a request to use the TGS service.
2. The AS responds with a ticket that is
encrypted with a key that is derived from the
user‘s password. When this response arrives at
the client, the client prompts the user for his or
her password, generates the key, and attempts
to decrypt the incoming message. If the correct
password is supplied, the ticket is successfully
recovered.
463

464. 3.The client requests a service-granting ticket on
behalf of the user.
4. The TGS decrypts the incoming ticket and
verifies the success of the decryption by the
presence of its ID. It checks to make sure that
the lifetime has not expired. Then it compares
the user ID and network address with the
incoming information to authenticate the user. If
the user is permitted access to the server V, the
TGS issues a ticket to grant access to the
requested service.
464

465. 5.The client requests access to a service on
behalf of the user. For this purpose, the
client transmits a message to the server
containing the user's ID and the service-
granting ticket. The server authenticates
by using the contents of the ticket.
465

466. 466

467. 467

468. 468

469. Kerberos allows the global distribution of ASs and TGSs,
with each system called a realm. A user may get a ticket for
a local server or a remote server.
Kerberos realm

470. Kerberos realm
• 1.The Kerberos server must have the user ID
and hashed passwords of all participating users
in its database.
• 2.The Kerberos server must share a secret key
with each server. All servers are registered with
the Kerberos server.
• Such an environment is referred to as a
Kerberos realm.
470

471. 31/03/2005 Authentication Applications471
Request for Service in another realm:
1-Request ticket
for local TGS
2-Ticket for local TGS
5-Request ticket for remote server
6-Ticket for remote server
3-Request ticket for remote TGS
4-Ticket for remote TGS
7-request for remote service

472. The minor differences between version 4 and version 5
1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data
types.
5) Version 5 has more overhead than version 4.

473. X.509 Authentication Service
X.509 is an ITU-T standard for a public key
infrastructure (PKI) and Privilege Management
Infrastructure (PMI).
X.509 specifies standard formats for public key
certificates, certificate revocation lists, attribute
certificates, and a certification path validation
algorithm.
473

474. Public-Key Certificate Use
474

475. X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
475

476. X.509 Certificates
476

477. CRL
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CRL is a file that contains a list of
revoked certificates, their serial numbers,
and their revocation dates.
477

478. Obtaining a Certificate
• any user with access to CA can get any
certificate from it
• only the CA can modify a certificate
• because cannot be forged, certificates can
be placed in a public directory
478

479. CA Hierarchy
• if both users share a common CA then they are
assumed to know its public key
• otherwise CA's must form a hierarchy
• use certificates linking members of hierarchy to
validate other CA's
– each CA has certificates for clients (forward) and
parent (backward)
• each client trusts parents certificates
• enable verification of any certificate from one CA
by users of all other CAs in hierarchy
479

480. CA Hierarchy Use
480
A get B certificate using chain:
X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>

481. 31/03/2005 Authentication Applications 481
Authentication Procedures:
• CA must authenticate/verify an applicant
before issuing it a certificate for it.
• Three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication

482. One-Way Authentication
• One way authentication involves a single
transfer of information from one user (A) to
another (B)
482

483. 31/03/2005 Authentication Applications 483
One-Way Authentication:
• 1 message ( A->B) used to establish
– the identity of A and that message is from A
– message was intended for B
– integrity & originality of message
A B1-A {ta,ra,B,sgnData,KUb[Kab]}
Ta-timestamp rA=nonce B =identity
sgnData=signed with A’s private key

484. 31/03/2005 Authentication Applications 484
Two-Way Authentication
• 2 messages (A->B, B->A) which also
establishes in addition:
– the identity of B and that reply is from B
– that reply is intended for A
– integrity & originality of reply
A B
1-A {ta,ra,B,sgnData,KUb[Kab]}
2-B {tb,rb,A,sgnData,KUa[Kab]}

485. 31/03/2005 Authentication Applications 485
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which
enables above authentication without
synchronized clocks
A B
1- A {ta,ra,B,sgnData,KUb[Kab]}
2 -B {tb,rb,A,sgnData,KUa[Kab]}
3- A{rb}

486. Public-Key Infrastructure
public-key infrastructure (PKI) as the set of
hardware, software, people, policies, and
procedures needed to create, manage,
store, distribute, and revoke digital
certificates based on asymmetric
cryptography.
486

487. Public-Key Infrastructure
End entity: A generic term used to denote
end users, devices (e.g., servers, routers)
Certification authority (CA): The issuer
of certificates and certificate revocation
lists (CRLs).
Registration authority (RA): An optional
component that can assume a number of
administrative functions.
487

488. Public-Key Infrastructure
CRL issuer: An optional component that a
CA can delegate to publish CRLs.
Repository: A generic term used to
denote any method for storing certificates
and CRLs so that they can be retrieved by
End Entities.
488

489. Public-Key Infrastructure
489

490. Public-Key Infrastructure
Registration: This is the process whereby a
user first makes itself known to a CA (directly, or
through an RA), prior to that CA issuing a
certificate or certificates for that user.
Initialization: Before a client system can
operate securely, it is necessary to install key
materials that have the appropriate relationship
with keys stored elsewhere in the infrastructure
490

491. Public-Key Infrastructure
Certification: This is the process in which
a CA issues a certificate for a user's public
key, and returns that certificate to the
user's client system and/or posts that
certificate in a repository.
Key pair update: All key pairs need to be
updated regularly (i.e., replaced with a
new key pair) and new certificates issued.
491

492. Public-Key Infrastructure
Cross certification: one certificate
authority use the certificate to the another
certificate authority.
492

493. UNIT-IV
493

494. Contents
 Pretty Good Privacy
 S/MIME
 IP Security Overview
 IP Security Architecture
 Authentication Header
 Encapsulating Security Payload
 Combining Security Associations
 Key management.
494

495. Pretty Good Privacy
495

496. Pretty Good Privacy
 PGP provides a confidentiality and
authentication service that can be used for
electronic mail and file storage
applications.
496

497. Pretty Good Privacy
 PGP is an open-source freely available
software package for e-mail security.
 It provides authentication through the use
of digital signature;
 It provides confidentiality through the use
of symmetric block encryption;
497

498. Pretty Good Privacy
 It provides compression using the ZIP
algorithm.
 It provides e-mail compatibility using the
radix-64 encoding scheme.
 It provides Segmentation and reassembly
to accommodate long e-mails.
498

499. Pretty Good Privacy
 Ks =session key used in symmetric
encryption scheme
 PRa =private key of user A, used in
public-key encryption scheme
 PUa =public key of user A, used in public-
key encryption scheme
499

500. Pretty Good Privacy
 EP = public-key encryption
 DP = public-key decryption
 EC = symmetric encryption
 DC = symmetric decryption
 H = hash function
 || = concatenation
 Z = compression using ZIP algorithm
 R64 = conversion to radix 64 ASCII format
500

501. 501

502. Authentication
1.The sender creates a message.
2.SHA-1 is used to generate a 160-bit hash
code of the message.
3.The hash code is encrypted with RSA
using the sender's private key, and the
result is prepended to the message.
4.The receiver uses RSA with the sender's
public key to decrypt and recover the hash
code.
502

503. Authentication
5. The receiver generates a new hash code
for the message and compares it with the
decrypted hash code. If the two match, the
message is accepted as authentic.
503

504. Confidentiality
1.The sender generates a message and a
random 128-bit number to be used as a
session key for this message only.
2.The message is encrypted, using CAST-
128 (or IDEA or 3DES) with the session
key.
3.The session key is encrypted with RSA,
using the recipient's public key, and is
prepended to the message.
504

505. Confidentiality
4.The receiver uses RSA with its private key
to decrypt and recover the session key.
5.The session key is used to decrypt the
message.
505

506. Transmission and Reception
of PGP Messages
506

507. PGP Message Format

508. PGP Message Format
 The message component includes the
actual data to be stored or transmitted,
as well as a filename and a timestamp
that specifies the time of creation.
508

509. PGP Message Format
 The signature component includes the
following:
 Timestamp: The time at which the
signature was made.
 Message digest: The 160-bit SHA-1
digest, encrypted with the sender's
private signature key.
509

510. PGP Message Format
 Leading two octets of message digest:
To enable the recipient to determine if
the correct public key was used to
decrypt the message digest for
authentication
• Key ID of sender's public key: Identifies
the public key that should be used to
decrypt the message digest
510

511. PGP Message Format
 The session key component includes
the session key and the identifier of the
recipient's public key that was used by
the sender to encrypt the session key.
511

512. Signing the message
 PGP retrieves the sender's private key from the
private-key ring using your_userid as anindex. If
your_userid was not provided in the command,
the first private key on the ring is retrieved.
 PGP prompts the user for the passphrase to
recover the unencrypted private key.
 The signature component of the message is
constructed.
512

513. Encrypting the message
 PGP generates a session key and
encrypts the message.
 PGP retrieves the recipient's public key
from the public-key ring using her_userid
as an index.
 The session key component of the
message is constructed.
513

514. PGP Message Generation

515. PGP Message Reception

516. Decrypting the message
 PGP retrieves the receiver's private key
from the private-key ring, using the Key ID
field in
 the session key component of the
message as an index.
 PGP prompts the user for the passphrase
to recover the unencrypted private key.
 PGP then recovers the session key and
decrypts the message.
516

517. Authenticating the message
 PGP retrieves the sender's public key from the
public-key ring, using the Key ID field in the
signature key component of the message as an
index.
 PGP recovers the transmitted message digest.
 PGP computes the message digest for the
received message and compares it to the
transmitted message digest to authenticate.
517

518. S/MIME
 Another security service designed for electronic mailAnother security service designed for electronic mail
is Secure/Multipurpose Internet Mail Extensionis Secure/Multipurpose Internet Mail Extension
(S/MIME).(S/MIME).
 The protocol is an enhancement of the MultipurposeThe protocol is an enhancement of the Multipurpose
Internet Mail Extension (MIME) protocolInternet Mail Extension (MIME) protocol
518

519. RFC 822
 RFC 822 defines a format for text
messages that are sent using electronic
mail. It has been the standard for Internet-
based text mail message and remains in
common use.
519

520. RFC 822
520

521. MIME
MIME is an extension to the RFC 822
framework that is intended to address
some of the problems and limitations of
the use of SMTP .
521

522. MIME
SMTP cannot transmit executable files or other
binary objects.
SMTP cannot transmit text data that includes
national language characters
SMTP servers may reject mail message over a
certain size.
SMTP cannot handle non textual data.
522

523. 16.523
MIME

524. 16.524
MIME Message structure

525. 16.525
MIME-VersionMIME-Version
This header defines the version of MIME used. TheThis header defines the version of MIME used. The
current version is 1.1.current version is 1.1.
Content-TypeContent-Type
The content type and the content subtype are separatedThe content type and the content subtype are separated
by a slash. Depending on the subtype, the header mayby a slash. Depending on the subtype, the header may
contain other parameters.contain other parameters.

526. 16.526

527. 16.527
16.3.1 Continued

528. S/MIME Functions
enveloped data
encrypted content and associated keys
signed data
encoded message + signed digest
clear-signed data
clear text message + encoded signed digest
signed & enveloped data
nesting of signed & encrypted entities

529. Cryptographic Algorithms
Function Requirement
Create a message digest to be used in
forming a digital signature.
MUST support SHA-1.
Encrypt message digest to form digital
signature.
Receiver SHOULD support MD5 for
backward compatibility.
Sending and receiving agents MUST
support DSS.
Sending agents SHOULD support RSA
encryption.
Receiving agents SHOULD support
verification of RSA signatures with key
sizes 512 bits to 1024 bits.
Encrypt session key for transmission with
message.
Sending and receiving agents SHOULD
support Diffie-Hellman.
Sending and receiving agents MUST
support RSA encryption with key sizes 512
bits to 1024 bits.
529

530. Cryptographic Algorithms
Encrypt message for
transmission with one-time
session key.
Sending and receiving agents MUST support
encryption with triple DES
Sending agents SHOULD support encryption
with AES.
Sending agents SHOULD support encryption
with RC2/40.
530

531. S/MIME Messages
Type Subtype smime Parameter Description
Multipart Signed
A clear-signed message in two parts:
one is the message and the other is the
signature.
Application pkcs 7-mime signedData A signed S/MIME entity.
pkcs 7-mime envelopedData An encrypted S/MIME entity.
pkcs 7-mime degenerate
signedData An entity containing only public- key
certificates.
pkcs 7-mime CompressedData A compressed S/MIME entity
531

532. Enveloped data
This consists of encrypted content of any
type and encrypted-content encryption
keys for one or more recipients.
532

533. 533
enveloped data
Version
Encrypted Content Info
Recipient Info
Version
Recipient ID (issuer and s.no.)
Key Encryption Algorithm
Encrypted Key
Content Encryption Alg.
Content type
Encrypted Content
Originator Info
S/MIME/messageformats

534. 534
Enveloped data – Example
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m
rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H
f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
0GhIGfHfQbnj756YT64V
S/MIME/messageformats

535. Signed data
A digital signature is formed by taking the
message digest of the content to be
signed and then encrypting that with the
private key of the signer.
535

536. Clear-signed data
recipients without S/MIME capability can
view the message content, although they
cannot verify the signature.
536

537. 537
Clear-signed data – Example
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha1; boundary=boundary42
--boundary42
Content-Type: text/plain
This is a clear-signed message.
--boundary42
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s
ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
7GhIGfHfYT64VQbnj756
--boundary42--
S/MIME/messageformats

538. Signed and enveloped data
Signed-only and encrypted-only entities
may be nested, so that encrypted data
may be signed and signed data or clear-
signed data may be encrypted.
538

539. IP Security
• IP security (IPSec) is a capability that can
be added to either current version of the
Internet Protocol (IPv4 or IPv6), by means
of additional headers.
• IPSec encompasses three functional
areas: authentication, confidentiality, and
key management.
539

540. IP Security
 The Internet community has developed
application-specific security mechanisms in a
number of application areas, including
electronic mail (S/MIME, PGP), client/server
(Kerberos), Web access (Secure Sockets
Layer), and others.
540

541. IPSec
 The authentication mechanism assures that a
received packet was transmitted by the party
identified as the source in the packet header,
and that the packet has not been altered in
transit.
541

542. IPSec
 The confidentiality facility enables
communicating nodes to encrypt messages to
prevent watch by third parties.
 The key management facility is concerned
with the secure exchange of keys. IPSec
provides the capability to secure
communications across a LAN, across private
and public WANs, and across the Internet.
542

543. IPSec Uses

544.  An organization maintains LANs at dispersed
locations.
 Non secure IP traffic is conducted on each
LAN.
 For traffic offsite, through some sort of private
or public WAN, IPSec protocols are used.
 These protocols operate in networking devices,
such as a router or firewall, that connect each
LAN to the outside world.
544

545.  The IPSec networking device will typically
encrypt and compress all traffic going into the
WAN, and decrypt and decompress traffic
coming from the WAN;
 these operations are transparent to
workstations and servers on the LAN.
 Secure transmission is also possible with
individual users who dial into the WAN. Such
user workstations must implement the IPSec
protocols to provide security.
545

546. Benefits of IPSec
 When IPSec is implemented in a firewall
or router, it provides strong security
 IPSec is below the transport layer (TCP,
UDP) and so is transparent to
applications.
 IPSec can be transparent to end users.
 IPSec can provide security for individual
users

547. IP Security Architecture
The IPSec specification consists of numerous
documents.
 RFC 2401: An overview of a security architecture
 RFC 2402: Description of a packet authentication
extension to IPv4 and IPv6
 RFC 2406: Description of a packet encryption
extension to IPv4 and IPv6
 RFC 2408: Specification of key management
capabilities

548. IPSec Document Overview
548

549. IPSec Document Overview
Encapsulating Security Payload (ESP):
Covers the packet format and general
issues related to the use of the ESP for
packet encryption and, optionally,
authentication.
Domain of Interpretation (DOI): Contains
values needed for the other documents to
relate to each other.
549

550. IPSec Document Overview
Authentication Header (AH): Covers the
packet format and general issues related
to the use of AH for packet authentication.
550

551. IPSec Document Overview
• Encryption Algorithm: A set of documents
that describe how various encryption
algorithms are used for ESP.
• Authentication Algorithm: A set of
documents that describe how various
authentication algorithms are used for AH
and for the authentication option of ESP.
• Key Management: Documents that
describe key management schemes
551

552. IPSec Services
• Connectionless integrity
Assurance that received traffic has not been
modified.
• Data origin authentication
Assurance that traffic is sent by valid party.
• Confidentiality (encryption)
Assurance that user’s traffic is not examined by non-authorized
parties.
• Access control
Prevention of unauthorized use of a resource.

553. Applications of IPSec
 Secure branch office connectivity over the
Internet
 Secure remote access over the Internet
 Establsihing extranet and intranet connectivity
with partners
 Enhancing electronic commerce security
553

554. Security Associations
A security association is simply the bundle
of algorithms and parameters (such as
keys) that is being used to encrypt and
authenticate a particular flow in one
direction.
Agreement between two entities on a security policy,
including:
– Encryption algorithm
– Authentication algorithm
– Shared session keys
– SA lifetime
554

555. Transport Mode
In transport mode, only the payload of the
IP packet is usually encrypted and/or
authenticated.
555

556. Tunnel mode
In tunnel mode, the entire IP packet is
encrypted and/or authenticated.
556

557. Authentication Header (AH)
 The Authentication Header provides support
for data integrity and authentication of IP
packets.
 The data integrity feature ensures that
undetected modification to a packet’s content
in transit is not possible.
 The authentication feature enables an end
system or network device to authenticate the
user or application and filter traffic
accordingly; 557

558. Authentication Header (AH)
 it also prevents address spoofing attacks and
replay attacks.
 Authentication is based on the use of a
message authentication code (MAC), hence
the two parties must share a secret key.
 AH supports MACs using HMAC-MD5-96
or HMAC-SHA-1-96.
558

559. Authentication Header

560. Next Header (8 bits)
 Identifies the type of header immediately
following this header.
560

561.  PAYLOAD LEN specifies the length of the
authentication header
 Reserved (16 bits): For future use
 SEQUENCE NUMBER contains a unique
sequence number for each packet sent.
 SECURITY PARAMETERS INDEX specifies
the security scheme used
561

562.  Authentication Data (variable): A variable-
length field (must be an integral number of 32-
bit words) that contains the Integrity Check
Value (ICV), or MAC,for this packet
562

563. Transport & Tunnel Modes

564. Transport mode
 Transport mode provides protection primarily
for upper-layer protocol payloads, by inserting
the AH after the original IP header and before
the IP payload.
 Typically, transport mode is used for end-to-
end communication between two hosts.
564

565. Tunnel mode
 Tunnel mode provides protection to the entire
IP, after the AH or ESP fields are added to the
IP packet, the entire packet plus security fields
is treated as the payload of new “outer”IP
packet with a new outer IP header.
 Tunnel mode is used when one or both ends
of an SA are a security gateway, such as a
firewall or router that implements IPSec.
565

566. AH: Transport and Tunnel Mode
Original
Transport mode
Tunnel mode

567. Encapsulating Security Payload
(ESP)
The Encapsulating Security Payload provides
confidentiality services, including confidentiality of
message contents and limited traffic flow
confidentiality.
As an optional feature, ESP can also provide an
authentication service, with the same MACs as AH
• supports range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc

568. Encapsulating Security Payload

569. Encapsulating Security Payload
 Security Parameters Index (32 bits): Identifies a
security association
 Sequence Number (32 bits): contains a unique
sequence number for each packet sent.
 Payload Data (variable): This is a transport-level
segment (transport mode)
569

570. Encapsulating Security Payload
 Padding (0–255 bytes): for various reasons
 Pad Length (8 bits): length of pad bytes
 Next Header (8 bits): Identifies the type of data
contained in the payload data field by identifying the
first header in that payload
 Authentication Data (variable): A variable-length
field that contains the Integrity Check Value
computed over the ESP packet minus the
Authentication Data field
570

571. Transport vs Tunnel Mode ESP
• transport mode is used to encrypt &
optionally authenticate IP data
– data protected but header left in clear
– can do traffic analysis but is efficient
– good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
– add new header for next hop
– good for VPNs, gateway to gateway security

572. ESP: Transport and Tunnel Mode
• Original
• Transport Mode
– Good for host to
host traffic
• Tunnel Mode
– Good for VPNs,
gateway to
gateway security

573. Combining Security Associations
• SA’s can implement either AH or ESP
• to implement both need to combine SA’s
– form a security association bundle
– may terminate at different or same endpoints
– combined by
• transport adjacency
• iterated tunneling

574. Combining Security Associations

575. • Case 1 security is provided between end systems that
implement IPSec.
• Case 2 security is provided only between gateways
(routers,firewalls,etc.) and no hosts implement IPSec.
• Case 3 builds on Case 2 by adding end-to-end
security .The same combinations discussed for cases
1 and 2 are allowed here.
• Case 4 provides support for a remote host that uses
the Internet to reach an organization’s firewall and
then to gain access to some server or workstation
behind the firewall
575

576. Key Management
• The key management portion of IPSec involves the
determination and distribution of secret keys.
• manual key management
– Sys admin manually configures every system
• automated key management
– automated system for on demand creation of
keys for SA’s in large systems
• The default automated key management protocol for
IPSec is referred to as ISAKMP/Oakley.

577. Oakley Key Determination
Protocol
Oakley is a key exchange protocol based
on the Diffie-Hellman algorithm but
providing added security.
577

578. Features of Oakley
• It employs a mechanism known as
cookies to prevent clogging attacks.
• It uses nonces to ensure against replay
attacks.
• It enables the exchange of Diffie-Hellman
public key values.
• It authenticates the Diffie-Hellman
exchange to prevent man-in-the-middle
attacks.
578

579. 04/02/06 Hofstra University – Network
Security Course, CSC290A
579
Aggressive Oakley Key
Exchange

580. ISAKMP
• Internet Security Association and Key
Management Protocol provides framework
for key management
• defines procedures and packet formats to
establish, negotiate, modify, & delete SAs

581. ISAKMP

582. ISAKMP
Initiator Cookie (64 bits): Cookie of entity
that initiated SA establishment, SA
notification, or SA deletion.
Responder Cookie (64 bits): Cookie of
responding entity; null in first message
from initiator.
Next Payload (8 bits): Indicates the type
of the first payload in the message;
582

583. ISAKMP
Major Version (4 bits): Indicates major
version of ISAKMP in use.
Minor Version (4 bits): Indicates minor
version in use.
Exchange Type (8 bits): Indicates the
type of exchange
583

584. ISAKMP
Flags (8 bits): Indicates specific options set for
this ISAKMP exchange. Two bits so far defined:
The Encryption bit is set if all payloads following
the header are encrypted using the encryption
algorithm for this SA. The Commit bit is used to
ensure that encrypted material is not received
prior to completion of SA establishment.
Message ID (32 bits): Unique ID for this
message.
Length (32 bits): Length of total message
(header plus all payloads) in octets 584

585. ISAKMP Payload Types
SA payload is used to begin the
establishment of an SA
The Proposal payload contains
information used during SA negotiation
585

586. ISAKMP Payload Types
The Transform payload defines a security
transform to be used to secure the
communications channel for the
designated protocol.
The Key Exchange payload can be used
for a variety of key exchange techniques,
including Oakley, Diffie-Hellman, and the
RSA-based key exchange used by PGP.
586

587. ISAKMP Payload Types
The Identification payload is used to
determine the identity of communicating
peers and may be used for determining
authenticity of information.
The Certificate payload transfers a
public-key certificate
587

588. ISAKMP Payload Types
Certificate Request payload to request
the certificate of the other communicating
entity.
The Hash payload contains data
generated by a hash function over some
part of the message and/or ISAKMP state.
588

589. ISAKMP Payload Types
The Signature payload contains data
generated by a digital signature function
over some part of the message and/or
ISAKMP state.
The Nonce payload contains random data
used to avoid the reply attack.
The Notification payload contains either
error or status information
589

590. UNIT-V
590

591. Contents
 Web Security Considerations
 Secure Socket Layer and Transport Layer Security
 Secure Electronic Transaction
 Intruders and Intrusion Detection
 Password Management
 Viruses and related threads
 Virus countermeasures
 Distributed denial of services attack
 Firewall Design principles
 Trusted System
 Common Criteria for Information Technology Security
Evaluation.
591

592. Web Security
 Web now widely used by business,
government, individuals
 but Internet & Web are vulnerable
 have a variety of threats
 integrity
 confidentiality
 denial of service
 authentication
 need added security mechanisms

593. 593
What is Secure Socket Layer ?
• Secure Socket Layer (SSL) is a protocol
developed by Netscape for transmitting private
documents via the Internet.
• The SSL Security protocol provides data
encryption, server authentication, message
integrity, and optional client authentication for a
TCP/IP connection.
• SSL is built into all major browsers and web
servers.

594. 594
What is SSL? (cont’d)
• Both Netscape Navigator and Internet
Explorer support SSL, and many websites
use the protocol to obtain confidential user
information, such as credit card numbers.
• The primary goal of SSL is to provide
privacy and reliability between two
communicating applications.

595. SSL (Secure Socket Layer)
• SSL probably most widely used Web
security mechanism.
• Its implemented at the Transport layer;
IPSec at Network layer; or various
Application layer mechanisms eg. S/MIME
& SET (later).
• SSL is designed to make use of TCP to
provide a reliable end-to-end secure service.
595

596. Relative Location of Security Facilities in the
TCP/IP Protocol Stack
596

597. SSL Architecture

598. SSL Architecture
The SSL Protocol Stack is composed of two
layers.
1. The first layer is the higher layer which is
composed of SSL Handshake Protocol,
SSL Change Cipher Spec Protocol, SSL
Alert Protocol, and HTTP, which are used
in the management of SSL exchanges.
2. The second layer is the lower layer
composed of the SSL Record Protocol,
TCP, and IP.
598

599. SSL Architecture
• The SSL Record Protocol provides basic
security services to various higher-layer
protocols.
• In particular , the Hypertext Transfer
Protocol (HTTP), which provides the
transfer service for Web client/server
interaction, can operate on top of SSL.
599

600. SSL Architecture
 SSL connection
A connection is a network transfer that provides a suitable type
of service, such connections are transient, peer-to-peer
relationships, associated with one session
 SSL session
An SSL session is an association between a client and a
server. Sessions are created by the Handshake Protocol.
Sessions define a set of cryptographic security parameters,
which can be shared among multiple connections.

601. SSL Record Protocol Services
• SSL Record Protocol defines two services for
SSL connections:
• Message Integrity: The Handshake Protocol also
defines a shared secret key that is used to form a
message authentication code (MAC), which is similar
to HMAC
• Confidentiality using symmetric encryption with
a shared secret key defined by Handshake
Protocol
601

602. SSL Record Protocol Operation

603. SSL Record Format
603

604. SSL Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the
three SSL-specific protocols that use the SSL
Record Protocol, and it is the simplest,
consisting of a single message which consists
of a single byte with the value 1.
 Its purpose is to cause the pending state to be
copied into the current state

605. SSL Change Cipher Spec
Protocol
605

606. SSL Alert Protocol
• The Alert Protocol is used to convey SSL-related
alerts to the peer entity.
• Each message in this protocol consists of two bytes,
the first takes the value warning(1) or fatal(2) to
convey the severity of the message. The second byte
contains a code that indicates the specific alert.

607. SSL Alert Protocol
 severity
 warning or fatal
 specific alert
 fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
 warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
607

608. SSL Alert Protocol
608

609. SSL Handshake Protocol
• The most complex part of SSL is the Handshake
Protocol.
• This protocol allows the server and client to
authenticate each other and to agree an
encryption and MAC algorithm and
cryptographic keys to be used to protect data
sent in an SSL record.
• The Handshake Protocol is used before any
application data is transmitted.

610. SSL Handshake Protocol
610

611. SSL Handshake Protocol
• Type (1 byte): Indicates type of the
messages.
• Length (3 bytes): The length of the
message in bytes.
• Content ( 0 bytes): The parameters
associated with this message;
611

612. SSL Handshake Protocol

613. SSL Handshake Protocol
• The Handshake Protocol consists of a series of
messages exchanged by client and server,
which can be viewed in 4 phases:
• Phase 1. Establish Security Capabilities - this
phase is used by the client to initiate a logical
connection and to establish the security
capabilities that will be associated with it
613

614. SSL Handshake Protocol
• Phase 2. Server Authentication and Key
Exchange - the server begins this phase by
sending its certificate if it needs to be
authenticated.
• Phase 3. Client Authentication and Key
Exchange - the client should verify that the
server provided a valid certificate if required
and check that the server_hello parameters are
acceptable
614

615. SSL Handshake Protocol
• Phase 4. Finish - this phase completes the
setting up of a secure connection. The client
sends a change_cipher_spec message and
copies the pending CipherSpec into the current
CipherSpec
615

616. TLS (Transport Layer Security)
TLS is an IETF standardization initiative
whose goal is to produce an Internet standard
version of SSL.

617. Version Number
• The TLS Record Format is the same as
that of the SSL Record Format, and the
fields in the header have the same
meanings. The one difference is in version
values. For the current version of TLS,the
Major Version is 3 and the Minor Version
is 1.
617

618. Message Authentication Code
For TLS, the MAC calculation encompasses the
fields indicated in the following expression:
• HMAC_hash(MAC_write_secret, seq_num || TLSCompressed.type ||
TLSCompressed.version || TLSCompressed.length ||
TLSCompressed.fragment)
618

619. Alert Codes
TLS supports all of the alert codes defined in
SSLv3 with the exception of no_certificate. A
number of additional codes are defined in
TLS;
• protocol_version
• encryption failed:
• record_overflow:
• unknown_ca
• decode_error
• export_restriction
619

620. Secure Electronic Transactions
SET is an open encryption and security specification
designed to protect credit card transactions on the
Internet.
620

621. Secure Electronic Transactions
Secure Electronic Transaction (SET) was
a standard protocol for securing credit
card transactions over insecure networks,
specifically, the Internet.
SET was not itself a payment system, but
rather a set of security protocols and
formats that enable users to employ the
existing credit card payment infrastructure
on an open network in a secure fashion.
621

622. Key Features of SET
Confidentiality of information: Cardholder
account and payment information is secured as
it travels across the network.
Integrity of data: Payment information sent from
cardholders to merchants includes order
information, personal data, and payment
instructions. SET guarantees that these
message contents are not altered in transfer.
RSA digital signatures, using SHA-1 hash
codes, provide message integrity.
622

623. Key Features of SET
Cardholder account authentication: SET
enables merchants to verify that a cardholder is
a legitimate user of a valid card account number.
623

624. SMU CSE 5349/7349
SET Transactions

625. SET Transaction
1. Customer browse and decide to purchase .
2. SET send order and payment information.
3. Merchants forward the payment information to
the bank
4. Bank check with the issuer for payment
authorization.
5. Issuer authorize the payment
6. Bank authorize the payment
7. merchant complete the order
8. Merchant capture the transaction
9. Issuer send credit card bill to the customer.

626. Dual Signature
The purpose of the SET dual signature is to link two
messages that are intended for two different
recipients, the order information (OI) for the
merchant and the payment information (PI) for the
bank.
The merchant does not need to know the customer’s
credit card number, and the bank does not need to
know the details of the customer’s order, however the
two items must be linked in a way that can be used to
resolve disputes if necessary.

627. Dual Signature
The customer takes the hash (using SHA-1) of the PI
and the hash of the OI, concatenates them, and hashes
the result.
Finally, the customer encrypts the final hash with his
or her private signature key, creating the dual
signature. This can be summarized as: DS=E(PRc,
[H(H(PI)||H(OI))])
627

628. Dual Signature
628

629. SET Purchase Request
SET purchase request exchange consists of
four messages
1. Initiate Request - get certificates
2. Initiate Response - signed response
3. Purchase Request - of OI & PI
4. Purchase Response - ack order

630. Purchase Request – Customer

631. Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
3. processes order and forwards the payment
information to the payment gateway for
authorization (described later)
4. sends a purchase response to cardholder

632. Purchase Request – Merchant

633. Intruders
Referred to as a hacker or cracker
633

634. Three classes of intruders
 Masquerader
 Misfeasor
 Clandestine user
634

635. Masquerader
An individual who is not authorized to
use the computer and who break in a
system's access controls to exploit a valid
user's account.
The masquerader is likely to be an
outsider.
635

636. Misfeasor
A legitimate user who accesses data,
programs, or resources for which such
access is not authorized, or who is
authorized for such access but misuses
his or her privileges.
the misfeasor generally is an insider.
636

637. Clandestine user
An individual who seizes supervisory
control of the system and uses this
control to avoid auditing and access
controls.
clandestine user can be either an outsider
or an insider
637

638. Intrusion
The basic aim is to gain access and/or increase
privileges on some system.
A set of actions aimed to compromise the
security goals, namely
• Integrity, confidentiality, or availability, of a
computing and networking resource
638

639. Password Guessing
A basic technique for gaining access is to get a
user password, so the attacker can login and
use all the access rights of the account
owner.
639

640. Password Guessing
1.Try default passwords used with standard
accounts that are shipped with the system.
Many administrators do not bother to
change these defaults.
2.Exhaustively try all short passwords
3.Collect information about users, such as
their full names, the names of their spouse
and children, pictures in their office, and
books in their office that are related to
hobbies. 640

641. Password Guessing
4.Try users' phone numbers, Social Security
numbers, and room numbers.
5.Try all legitimate license plate numbers for
this state.
641

642. Intrusion Detection
The process of identifying and responding to
intrusion activities.
642

643. Intrusion Detection

644. Intrusion Detection
intruder differs from the typical behavior
of an authorized user, there is an overlap
in these behaviors.
which will catch more intruders, will also
lead to a number of "false positives," or
authorized users identified as intruders.

645. Audit record
 A fundamental tool for intrusion detection
is the audit record.
 Some record of ongoing activity by users
must be maintained as input to an
intrusion detection system.
645

646. Types of Audit Record
 Native audit records
 Detection-specific audit records
646

647. Native audit records:
 Virtually all main O/S’s include
accounting software that collects
information on user activity.
 advantage is its already there in O/S.
 disadvantage is it may not contain the
needed information
647

648. Detection-specific audit
records:
 implement collection facility to generates
custom audit records with desired info.
 advantage is it can be vendor
independent and portable,
 disadvantage is extra overhead involved
648

649. Approaches to intrusion detection:
Statistical anomaly detection:
Involves the collection of data relating to
the behavior of valid users over a period of
time.
Then statistical tests are applied to
observed behavior to determine with a
high level of confidence whether that
behavior is not valid user behavior.
649

650. Threshold detection: This approach
involves defining thresholds, independent
of user, for the frequency of occurrence of
various events.
Profile based: develop profile of activity
of each user and use to detect changes in
the behavior
650

651. Rule-based detection
Involves an attempt to define a set of
rules that can be used to decide that a
given behavior is that of an intruder.
651

652. Rule-based detection
Anomaly detection: Rules are developed
to detect difference from previous usage
patterns.
Penetration identification: An expert
system approach that searches for unsure
behavior.
652

653. Distributed Intrusion Detection
• A distributed intrusion detection system
may need to deal with different audit
record formats.
• Either a centralized or decentralized
architecture can be used
653

654. Distributed Intrusion Detection -
Architecture

655. Distributed Intrusion Detection -
Architecture
 Host agent module: audit collection module
operating as a background process on a
monitored system.
 LAN monitor agent module: like a host agent
module except it analyzes LAN traffic .
 Central manager module: Receives reports
from LAN monitor and host agents and
processes and correlates these reports to detect
intrusion 655

656. Distributed Intrusion Detection –
Agent Implementation

657. Distributed Intrusion Detection –
Agent Implementation
 The agent captures each native O/S audit
record, & applies a filter that retains only records
of security interest.
 These records are then reformatted into a
standardized format (HAR). Then a template-
driven logic module analyzes the records for
suspicious activity. When suspicious activity is
detected, an alert is sent to the central manager.
657

658. Distributed Intrusion Detection –
Agent Implementation
 The central manager includes an expert
system that can draw inferences from
received data.
 The manager may also query individual
systems for copies of HARs to correlate
with those from other agents.
658

659. Honeypots
 Honeypots are decoy systems, designed
to attract a potential attacker away from
critical systems and divert an attacker
from accessing critical systems.
 collect information about the attacker’s
activity

660. How do HPs work?
Prevent
Detect
Response
Monitor
No connection

661. Password Management
Passwords are usually stored encrypted
rather than in the clear .
Unix systems traditionally used a multiple
DES variant with salt as a one-way hash
function (see text).

662. 662

663. 663

664. Password Studies
• Purdue 1992 - many short passwords
• Klein 1990 - many guessable passwords
• conclusion is that users choose poor
passwords too often
• need some approach to counter this

665. Password Selection
Strategies
• User education
• Computer Generated
• Reactive Checking
• Proactive Checking

666. user education
Users can be told the importance of using
hard-to-guess passwords and can be
provided with guidelines for selecting
strong passwords.
666

667. Computer Generated
Computer-generated passwords also have
problems. If the passwords are quite
random in nature ,users will not be able to
remember them.
667

668. Reactive Checking
A reactive password checking strategy is
one in which the system periodically runs
its own password cracker to find
guessable passwords.
668

669. Proactive Checking
In this scheme, a user is allowed to select
his or her own password. However, at the
time of selection, the system will checks
whether the password is allowable or not.
669

670. Viruses and related threads
670

671. Malicious software
Malicious software is software that is
intentionally included or inserted in a
system for a harmful purpose.
671

672. Malicious software
672

673. trapdoor
A trapdoor is a means of access to a
computer program that bypasses security
mechanisms.
673

674. Logic bomb
A logic bomb is a piece
of code intentionally inserted into
a software system that will set off a
malicious function when specified
conditions are met.
674

675. Trojan Horses
• A Trojan horse is a useful, program or
command procedure containing hidden
code that performs some unwanted or
harmful function that an unauthorized user
could not accomplish directly.
• Commonly used to make files readable,
propagate a virus or worm, or simply to
destroy data.
675

676. Viruses
A virus is a small piece of software that
attached on real programs.
2 main characteristics of viruses
 It must execute itself.
 It must replicate itself.
676

677. Viruses
 A virus is a piece of software that can “infect”
other programs by modifying them.
 A virus can do anything that other programs do.
The only difference is that it attaches itself to
another program and executes secretly when
the host program is run.
 Once a virus is executing, it can perform any
function, such as erasing files and programs.
677

678. virus phases
Dormant phase: virus is idle, waiting for trigger
event.
Propagation phase: virus places a copy of itself
into other programs
Triggering phase: virus is activated by some
trigger event to perform planned function.
Execution phase: desired function is performed
678

679. Virus Structure

680. Types of Viruses
Boot sector infector: spoil a boot record and spreads
when a system is booted from the disk containing the
virus.
File infector: When an infectious file is executed on a
system, the infection routine will seek out other files and
insert its code into them, generally at the beginning or
end of the existing file.
Macro virus: macro virus is a virus that is written in
a macro language. Many applications, such as Microsoft
Word and Excel, support powerful macro languages.
680

681. Types of Viruses
Encrypted virus: A virus using encryption
to hide itself from virus scanners.
Stealth virus: A computer virus that actively
hides itself from antivirus software by
masking the size of the file.
681

682. Types of Viruses
Polymorphic virus: A virus that changes its virus
signature (i.e., its binary pattern) every time it replicates
and infects a new file in order to keep from being
detected by an antivirus program.
Metamorphic virus: As with a polymorphic virus ,a
metamorphic virus change with every infection. The
difference is that a metamorphic virus rewrites itself
completely at each iteration, increasing the difficulty of
detection. Metamorphic viruses may change their
behavior as well as their appearance.
682

683. Worms
A worm is a program that can replicate
itself and send copies from computer to
computer across network connections.
683

684. zombie
zombie is a computer connected to
the Internet that has
been compromised by a cracker.
It can be used to perform malicious tasks
under remote direction.
684

685. Virus Countermeasures
• best countermeasure is prevention
• but in general not possible
• hence need to do one or more of:
– detection - of viruses in infected system
– identification - of specific infecting virus
– removeal - restoring system to clean state

686. Anti-Virus Software
first-generation
– scanner uses virus signature to identify virus
second-generation
– heuristic scanners use rules to search for probable
virus infection
third-generation
– activity traps which identify a virus by its actions
rather than its structure
fourth-generation
– packages with a variety of antivirus techniques

687. Digital Immune System
The Digital Immune System from IBM is a
comprehensive approach to virus protection,
and provides a general purpose emulation and
virus-detection system.
When a new virus enters an organization, the
immune system automatically captures it,
analyzes it, adds detection and shielding for it,
removes it, and passes information about that
virus to systems running IBM Antivirus so it can
be detected before it is run elsewhere.
687

688. Digital Immune System

689. Digital Immune System
1. A monitoring program on each PC uses a variety of
heuristics based on system behavior, suspicious changes
to programs, or family signature to infer that a virus may
be present, & forwards infected programs to an
administrative machine
2. The administrative machine encrypts the sample and
sends it to a central virus analysis machine
3. This machine creates an environment in which the
infected program can be safely run for analysis to
produces a prescription for identifying and removing the
virus
689

690. Digital Immune System
4.The resulting prescription is sent back to the
administrative machine
5.The administrative machine forwards the
prescription to the infected client
6.The prescription is also forwarded to other
clients in the organization
7. Subscribers around the world receive regular
antivirus updates that protect them from the new
virus.
690

691. Distributed denial of services attack
distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer
or network resource unavailable to its
intended users
691

692. Distributed Denial of Service
Attacks (DDoS)

693. SYN flood attack
1. The attacker takes control of multiple hosts over the
Internet
2. The slave hosts begin sending TCP/IP SYN
(synchronize/initialization) packets, with erroneous return
IP address information, to the target
3. For each such packet, the Web server responds with a
SYN/ACK (synchronize/acknowledge) packet. The Web
server maintains a data structure for each SYN request
waiting for a response back and becomes get stuck as
more traffic floods in.
693

694. ICMP attack
1. The attacker takes control of multiple hosts
over the Internet, instructing them to send
ICMP ECHO packets with the target’s spoofed
IP address to a group of hosts that act as
reflectors.
2. Nodes at the bounce site receive multiple
spoofed requests and respond by sending echo
reply packets to the target site.
3. The target’s router is flooded with packets from
the bounce site, leaving no data transmission
capacity for legitimate traffic. 694

695. What is a Firewall ?
• A firewall :
– Acts as a security
gateway between two
networks
• Usually between trusted
and untrusted networks
(such as between a
corporate network and
the Internet)
Internet
Corporate
Site
Corporate Network
Gateway

696. Firewall
A firewall is inserted between the premises
network and the Internet to establish a
controlled link and to erect an outer
security wall or perimeter, forming a single
choke point where security and audit can
be imposed.
696

697. Firewall
697

698. defines a single choke point that keeps
unauthorized users out of the protected
network, prohibits potentially vulnerable
services from entering or leaving the
network, and provides protection from
various kinds of IP spoofing and routing
attacks.
 provides a location for monitoring security-
related events
698

699. Firewall is a convenient platform for
several Internet functions that are not
security related, such as NAT and Internet
usage audits or logs
 A firewall can serve as the platform for
IPSec to implement virtual private
networks.
.
699

700. Firewall Limitations
1. cannot protect against attacks that
bypass the firewall, eg PCs with dial-out
capability to an ISP.
2. do not protect against internal threats.
3. cannot protect against the transfer of
virus-infected programs.

701. Types of firewalls
 packet filters
 application-level gateways
 circuit-level gateways
701

702. Firewalls – Packet Filters
A packet-filtering router applies a set of
rules to each incoming and outgoing IP
packet to forward or discard the packet.
Filtering rules are based on information
contained in a network packet such as src
& dest IP addresses, ports, transport
protocol & interface.
advantages are simplicity, transparency &
speed.

703. Firewalls – Packet Filters

704. Firewalls - Application Level
Gateway (or Proxy)
An application level gateway ,also called
proxy server.

705. Firewalls - Application Level
Gateway (or Proxy)
• A user contacts the gateway to access
some service, provides details of the
service, remote host & authentication
details, contacts the application on the
remote host and relays all data between
the two endpoints.
• If the gateway does not implement the
proxy code for a specific application, then
it is not supported and cannot be used.

706. Firewalls - Application Level
Gateway (or Proxy)

707. Firewalls - Circuit Level
Gateway
A circuit-level gateway does not permit an end-to-
end TCP connection; rather, the gateway sets
up two TCP connections, one between itself and
a TCP user on an inner host and one between
itself and a TCP user on an outside host.
Once the two connections are established, the
gateway typically relays TCP segments from one
connection to the other without examining the
contents.
The security function consists of determining
which connections will be allowed. 707

708. Firewalls - Circuit Level Gateway

709. Firewall Configurations

710. Single-homed bastion
configuration
• screened host firewall, single-homed
bastion configuration”, where the firewall
consists of two systems:
• a packet-filtering router - allows Internet
packets to/from bastion only
• a bastion host - performs authentication
and proxy functions
710

711. Firewall Configurations

712. Dual-homed bastion
configuration
screened host firewall, dual-homed bastion
configuration” which physically separates the
external and internal networks, ensuring two
systems must be compromised to breach
security.
an information server or other hosts can be
allowed direct communication with the router if
this is in accord with the security policy, but are
now separated from the internal network.
712

713. Firewall Configurations

714. Screened subnet firewall
configuration
It has two packet-filtering routers, one between
the bastion host and the Internet and the other
between the bastion host and the internal
network, creating an isolated sub network.
This may consist of simply the bastion host but
may also include one or more information
servers and modems for dial-in capability.
Typically, both the Internet and the internal
network have access to hosts on the screened
subnet, but traffic across the screened subnet is
blocked. 714

715. Henric Johnson 715
The Concept ofThe Concept of
Trusted SystemsTrusted Systems
• Trusted Systems
– Protection of data and resources on the
basis of levels of security (e.g. military)
– Users can be granted clearances to access
certain categories of data

716. 04/19/06 Hofstra University – Network
Security Course, CSC290A
716
Access Matrix
General model of access control:
• Subject – entity capable of accessing
objects (user = process= subject)
• Object – anything to which access is
controlled (files, programs, memory)
• Access right – way in which an object is
accessed by a subject (read, write, exe)

717. Henric Johnson 717
The Concept ofThe Concept of
Trusted SystemsTrusted Systems

718. Henric Johnson 718
The Concept ofThe Concept of
Trusted SystemsTrusted Systems
• Reference Monitor
– Controlling element in the hardware and
operating system of a computer that
regulates the access of subjects to objects
on basis of security parameters
– The monitor has access to a file (security
kernel database)
– The monitor enforces the security rules (no
read up, no write down)

719. Henric Johnson 719
The Concept ofThe Concept of
Trusted SystemsTrusted Systems
• Properties of the Reference Monitor
– Complete mediation: Security rules are
enforced on every access
– Isolation: The reference monitor and
database are protected from unauthorized
modification
– Verifiability: The reference monitor’s
correctness must be provable
(mathematically)

720. Henric Johnson 720
The Concept ofThe Concept of
Trusted SystemsTrusted Systems
• A system that can provide such
verifications (properties) is referred to
as a trusted system

721. Henric Johnson 721
Trojan Horse DefenseTrojan Horse Defense
• Secure, trusted operating systems are
one way to secure against Trojan Horse
attacks

722. Trojan Horse Defense

723. Trojan Horse Defense

724. Trojan Horse Defense

725. Trojan Horse Defense