
www.BrainKart.com
CS6701 – CRYPTOGRAPHY AND NETWORK SECURITY UNIT - I

CS6701 - CRYPTOGRAPHY AND NETWORK SECURITY
UNIT 1 NOTES
PREPARED BY
R.CYNTHIA PRIYADHARSHINI
AP/IT/SREC

UNIT – I INTRODUCTION & NUMBER THEORY

Services, Mechanisms and attacks - the OSI security architecture - Network security model - Classical Encryption techniques (Symmetric cipher model, substitution techniques, transposition techniques, steganography). FINITE FIELDS AND NUMBER THEORY: Groups, Rings, Fields - Modular arithmetic - Euclid's algorithm - Finite fields - Polynomial Arithmetic - Prime numbers - Fermat's and Euler's theorem - Testing for primality - The Chinese remainder theorem - Discrete logarithms.

COMPUTER SECURITY CONCEPTS

Computer Security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Confidentiality
• Data confidentiality
  o Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
• Privacy
  o Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Integrity
• Data integrity
  o Assures that information and programs are changed only in a specified and authorized manner.
• System integrity
  o Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability
• Assures that systems work promptly and service is not denied to authorized users.

CIA Triad
Confidentiality
• Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
• A loss of confidentiality is the unauthorized disclosure of information.
Integrity
• Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of information.
Availability
• Ensuring timely and reliable access to and use of information.
• A loss of availability is the disruption of access to or use of information or an information system.
Authenticity
• The property of being genuine and being able to be verified and trusted.
Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.



The OSI Security Architecture
• ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach.
• The OSI security architecture focuses on security attacks, mechanisms, and services.
Security attack
• Any action that compromises the security of information owned by an organization.
Security mechanism
• A process (or a device) that is designed to detect, prevent, or recover from a security attack.
Security service
• A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
• The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

Security Attacks
• A means of classifying security attacks, used both in X.800 and RFC 2828:
• A passive attack attempts to learn or make use of information but does not affect system resources.
• An active attack attempts to alter system resources or affect their operation.

Passive Attacks
• In the nature of eavesdropping on, or monitoring of, transmissions.
• The goal is to obtain information that is being transmitted.
• Very difficult to detect, because they do not involve any alteration of the data.
• It is feasible to prevent the success of these attacks, usually by means of encryption.
• The emphasis in dealing with passive attacks is on prevention rather than detection.
Two types of passive attacks
• Release of message contents
• Traffic analysis

Release of Message Contents
• A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information.
• We would like to prevent an opponent from learning the contents of these transmissions.

Traffic Analysis
• The opponent observes the pattern of these messages.
• The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged.
• This information might be useful in guessing the nature of the communication that was taking place.
Active Attacks
• Active attacks involve some modification of the data stream or the creation of a false stream.
• The goal is to detect them and to recover from any disruption or delays caused by them.
• They can be subdivided into four categories:
  o masquerade
  o replay
  o modification of messages
  o denial of service

Masquerade
• One entity pretends to be a different entity.
• Usually includes one of the other forms of active attack.
• Example: authentication sequences can be captured and replayed after a valid authentication sequence.

Replay
• Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of Messages
• Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
• Example: a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."

Denial of Service
• Prevents or inhibits the normal use or management of communications facilities.
• May have a specific target; for example, an entity may suppress all messages directed to a particular destination.
• Another form is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Security Services in X.800

• X.800 defines a security service as a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers.
• RFC 2828 defines a security service as a processing or communication service that is provided by a system to give a specific kind of protection to system resources.
  o Security services implement security policies and are implemented by security mechanisms.
• X.800 divides these services into five categories and fourteen specific services.

Authentication
• The assurance that the communicating entity is the one that it claims to be.
• Two types:
  o Peer Entity Authentication
  o Data-Origin Authentication
Access control
• The prevention of unauthorized use of a resource.
Data confidentiality
• The protection of data from unauthorized disclosure.
• Four types:
  o Connection Confidentiality
  o Connectionless Confidentiality
  o Selective-Field Confidentiality
  o Traffic-Flow Confidentiality
Data integrity
• The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
• Five types:
  o Connection Integrity with Recovery
  o Connection Integrity without Recovery
  o Selective-Field Connection Integrity
  o Connectionless Integrity
  o Selective-Field Connectionless Integrity
Nonrepudiation
• Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
• Two types:
  o Nonrepudiation, Origin
  o Nonrepudiation, Destination

Security Mechanisms in X.800
• A feature designed to detect, prevent, or recover from a security attack.
• There is no single mechanism that will support all services required.
Specific security mechanisms:
• Those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol.
• Encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization.
Pervasive security mechanisms:
• Those that are not specific to any particular protocol layer or security service.
• Trusted functionality, security labels, event detection, security audit trails, security recovery.

Model for Network Security
• A message is to be transferred from one party to another across some sort of Internet service.
• The two parties, who are the principals in this transaction, must cooperate for the exchange to take place.
• A logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.

All the techniques for providing security have two components:
• A security-related transformation on the information to be sent.
  o Examples: encryption of the message, addition of a code based on the contents.
• Some secret information shared by the two principals, unknown to the opponent.
  o Example: encryption key used in conjunction with the transformation.
A trusted third party may be needed to achieve secure transmission:
• for distributing the secret information to the two principals;
• to arbitrate disputes between the two principals concerning the authenticity of a message transmission.

Four basic tasks in designing a particular security service:
• Design an algorithm for performing the security-related transformation, such that an opponent cannot defeat its purpose.
• Generate the secret information to be used with the algorithm.
• Develop methods for the distribution and sharing of the secret information.
• Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

Network Access Security Model

• Concerned with protecting an information system from unwanted access by a hacker or an intruder.
• A hacker is someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer system.
• An intruder can be a disgruntled employee who wishes to do damage or a criminal who seeks to exploit computer assets for financial gain.
• Another threat is the placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs, such as editors and compilers.
  o Two kinds of threats:
    - Information access threats: intercept or modify data on behalf of users who should not have access.
    - Service threats: exploit service flaws in computers to inhibit use by legitimate users.
  o Examples: viruses and worms, spread using disks and inserted over the network.

Classical Encryption Techniques

• Symmetric Cipher Model
  o Cryptanalysis and Brute-Force Attack
• Substitution Techniques
  o Caesar Cipher
  o Monoalphabetic Ciphers
  o Playfair Cipher
  o Hill Cipher
  o Polyalphabetic Ciphers
  o One-Time Pad
• Transposition Techniques
• Rotor Machines
• Steganography

Introduction

• Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key. It is also known as conventional encryption.
• Symmetric encryption transforms plaintext into ciphertext using a secret key and an encryption algorithm. Using the same key and a decryption algorithm, the plaintext is recovered from the ciphertext.
• The two types of attack on an encryption algorithm are cryptanalysis, based on properties of the encryption algorithm, and brute force, which involves trying all possible keys.
• Traditional (precomputer) symmetric ciphers use substitution and/or transposition techniques. Substitution techniques map plaintext elements (characters, bits) into ciphertext elements. Transposition techniques systematically transpose the positions of plaintext elements.
• Rotor machines are sophisticated precomputer hardware devices that use substitution techniques.
• Steganography is a technique for hiding a secret message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.
• An original message is known as the plaintext, while the coded message is called the ciphertext.
• The process of converting from plaintext to ciphertext is known as enciphering or encryption; restoring the plaintext from the ciphertext is deciphering or decryption.
• The many schemes used for encryption constitute the area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher.
• Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis. Cryptanalysis is what the layperson calls "breaking the code." The areas of cryptography and cryptanalysis together are called cryptology.

Symmetric Cipher Model

A symmetric encryption scheme has five ingredients:
• Plaintext
• Encryption algorithm
  o performs various substitutions and transformations
• Secret key
  o another input to the encryption algorithm
  o a value independent of the plaintext and of the algorithm
• Ciphertext
  o For a given message, two different keys will produce two different ciphertexts
• Decryption algorithm
  o the encryption algorithm run in reverse

Simplified Model of Symmetric Encryption

Two requirements for secure use of conventional / symmetric encryption:
• We need a strong encryption algorithm.
  o The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.
• Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure.
  o If someone can discover the key and knows the algorithm, all communication using this key is readable.
  o We do not need to keep the algorithm secret; we need to keep only the key secret.
  o The principal security problem is maintaining the secrecy of the key.

Model of Symmetric Cryptosystem

Plaintext:  X = [X1, X2, ..., XM]
Key:        K = [K1, K2, ..., KJ]
Ciphertext: Y = [Y1, Y2, ..., YN]
Y = E(K, X)
X = D(K, Y)

Cryptanalysis and Brute-Force Attack

Cryptanalysis
• Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext–ciphertext pairs.
• This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
• There are various types of cryptanalytic attacks, classified by the amount of information known to the cryptanalyst:

Type of Attack     | Known to Cryptanalyst
-------------------|------------------------------------------------------------------
Ciphertext Only    | Encryption algorithm; ciphertext
Known Plaintext    | Encryption algorithm; ciphertext; one or more plaintext–ciphertext pairs formed with the secret key
Chosen Plaintext   | Encryption algorithm; ciphertext; plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
Chosen Ciphertext  | Encryption algorithm; ciphertext; ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Chosen Text        | Encryption algorithm; ciphertext; both of the above (chosen plaintext with its ciphertext, and chosen ciphertext with its plaintext)

Two schemes
• Unconditionally secure
  o if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available.
• Computationally secure
  o meets either of the following criteria:
    - The cost of breaking the cipher exceeds the value of the encrypted information.
    - The time required to break the cipher exceeds the useful lifetime of the information.

Brute-force attack
• The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
• On average, half of all possible keys must be tried to achieve success.

Cryptographic systems characterization

Three independent dimensions
• The type of operations used for transforming plaintext to ciphertext.
  o substitution: each element is mapped into another element
  o transposition: elements are rearranged
  o product systems: involve multiple stages of substitutions and transpositions
• The number of keys used.
  o If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption.
  o If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.
• The way in which the plaintext is processed.
  o A block cipher processes the input one block of elements at a time, producing an output block for each input block.
  o A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Substitution Techniques
• A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols.
• If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

Julius Caesar Cipher
• Replacing each letter of the alphabet with the letter standing three places further down the alphabet.
• The alphabet is wrapped around, so that the letter following Z is A.
• We can define the transformation as:

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• Mathematically, give each letter a number:

a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• Then we have the Caesar cipher (with a general shift k; Caesar's own cipher uses k = 3) as:
c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26

Cryptanalysis of Caesar Cipher
• There are only 26 possible ciphers (A maps to A, B, ..., Z).
• One could simply try each in turn: a brute-force search.
• Given the ciphertext, just try all shifts of letters.
• We do need to recognize when we have the plaintext.
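The shift cipher and the 26-way brute-force search above, as an added Python example (not code from these notes). The cipher itself is exactly the formulas above; the only assumption is the crude "recognise the plaintext" score, which counts how many letters of a candidate are among the common English letters the notes list under Language Redundancy (E, T, R, N, I, O, A, S).

```python
import string

# Caesar cipher: c = (p + k) mod 26, p = (c - k) mod 26, plus brute force.
# Added example, not code from the notes; english_score is a simple assumed heuristic.

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext, k):
    """Shift every letter by k places; non-letters (spaces etc.) pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out).upper()          # ciphertext in capitals, as in the notes


def caesar_decrypt(ciphertext, k):
    """p = D(c) = (c - k) mod 26; returns lowercase plaintext."""
    return caesar_encrypt(ciphertext, -k).lower()


# The notes' list of the most frequent English letters (E first, then T,R,N,I,O,A,S).
COMMON = set("etrnioas")


def english_score(text):
    """Crude plausibility score: how many letters are common English letters."""
    return sum(1 for ch in text if ch in COMMON)


def brute_force(ciphertext):
    """All 26 candidate decryptions, so a human can read off the right one."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]


def break_caesar(ciphertext):
    """Automates the 'recognise when we have plaintext' step with english_score."""
    return max(brute_force(ciphertext), key=lambda kc: english_score(kc[1]))


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)
    for k, candidate in brute_force(ct):
        print(f"shift {k:2d}: {candidate}")
    print("best guess:", break_caesar(ct))
```

With only 26 keys the search is instantaneous; the real work is the last step, and even the crude letter-count score above picks out the shift of 3 for the sentence used in the notes.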

Monoalphabetic Ciphers
• Rather than just shifting the alphabet, shuffle (jumble) the letters arbitrarily.
• Each plaintext letter maps to a different random ciphertext letter (hence the key is 26 letters long).
• The "cipher" line can be any permutation of the 26 alphabetic characters, so there are 26!, or greater than 4 x 10^26, possible keys.
• This is 10 orders of magnitude greater than the key space for DES and would seem to eliminate brute-force techniques for cryptanalysis.
• Monoalphabetic ciphers are easy to break because they reflect the frequency data of the original alphabet.
• A countermeasure is to provide multiple substitutes, known as homophones, for a single letter.
  o For example, the letter e could be assigned a number of different cipher symbols, such as 16, 74, 35, and 21, with each homophone assigned to a letter in rotation or randomly.

Language Redundancy and Cryptanalysis
• Human languages are redundant.
  o e.g. "th lrd s m shphrd shll nt wnt"
• Letters are not equally commonly used.
• In English E is by far the most common letter, followed by T, R, N, I, O, A, S.
• Other letters like Z, J, K, Q, X are fairly rare.
• There are tables of single, double and triple letter frequencies for various languages.
• Two-letter combinations are known as digrams (e.g. th).

Playfair Cipher
• The best-known multiple-letter encryption cipher.
• Treats digrams in the plaintext as single units and translates these units into ciphertext digrams.
Playfair Key Matrix
• A 5 x 5 matrix of letters constructed using a keyword:
  o filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom,
  o filling in the remainder of the matrix with the remaining letters in alphabetic order.
• The letters I and J count as one letter.

Example matrix using the keyword MONARCHY:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext is encrypted two letters at a time, according to the following rules:
• Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x.
  o Ex: balloon would be treated as ba lx lo on.
• Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last.
  o Ex: ar is encrypted as RM.
• Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last.
  o Ex: mu is encrypted as CM.
• Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.
  o Ex: hs becomes BP and ea becomes IM (or JM, as the encipherer wishes).

Example
Given the key MONARCHY, apply the Playfair cipher to the plaintext "FACTIONALISM".
Solution
(p) FA CT IO NA LI SM
(c) IO DL FA AR SE LA
(d) FA CT IO NA LI SM

Security of Playfair Cipher
• Security is much improved over monoalphabetic, since there are 26 x 26 = 676 digrams.
• One would need a 676-entry frequency table to analyse it, and correspondingly more ciphertext.
• It was widely used for many years, e.g. by the US and British military in WW1.
• It can be broken, given a few hundred letters, since it still has much of the plaintext structure.

Hill Cipher
Finding the inverse of a matrix


Example:
[Figure not reproduced in this extraction: worked example of finding the inverse of a matrix.]

The Hill algorithm
• This encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
• The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25).
• For m = 3, the system can be described as [equation not reproduced in this extraction], where C and P are row vectors of length 3 representing the ciphertext and plaintext respectively, and K is a 3 x 3 matrix representing the encryption key.
• Operations are performed mod 26.
• In general terms, the Hill system can be expressed as [equation not reproduced in this extraction].

Example
Encrypt the message "meet me at the usual place at ten rather than eight oclock" using the Hill cipher with the key ( ). Show your calculations and the result. Show the calculations for the corresponding decryption of the ciphertext to recover the original plaintext.

Hence the plain text is “me”
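The Hill algorithm as an added Python example (not the notes' own worked solution), using the row-vector convention the notes describe, C = P·K mod 26 and P = C·K⁻¹ mod 26, for any block size m. Because the key in the exercise above did not survive extraction, the block uses an assumed 2 x 2 key [[9, 4], [5, 7]]. The inverse is computed with the adjugate and the modular inverse of the determinant, which is the "finding the inverse of a matrix" step the heading above refers to; a key whose determinant shares a factor with 26 is rejected, since it has no inverse and ciphertext under it could not be decrypted.

```python
from math import gcd

# Hill cipher, row-vector convention: C = P K (mod 26), P = C K^-1 (mod 26).
# Added example, not the notes' own solution; KEY is an assumed example key.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MOD = 26
KEY = [[9, 4], [5, 7]]          # assumed 2 x 2 key for illustration


def det_mod(mat, mod=MOD):
    """Determinant by cofactor expansion along the first row, reduced mod 26."""
    n = len(mat)
    if n == 0:
        return 1
    if n == 1:
        return mat[0][0] % mod
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in mat[1:]]
        total += (-1) ** j * mat[0][j] * det_mod(minor, mod)
    return total % mod


def inverse_mod(mat, mod=MOD):
    """K^-1 mod 26 via the adjugate; only possible when gcd(det K, 26) = 1."""
    n = len(mat)
    d = det_mod(mat, mod)
    if gcd(d, mod) != 1:
        raise ValueError("key matrix is not invertible mod 26")
    d_inv = pow(d, -1, mod)                 # modular inverse of the determinant
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(mat) if k != i]
            cofactor = (-1) ** (i + j) * det_mod(minor, mod)
            inv[j][i] = cofactor * d_inv % mod    # adjugate = transposed cofactor matrix
    return inv


def vec_times_mat(vec, mat, mod=MOD):
    """Row vector times matrix, every entry reduced mod 26."""
    n = len(mat)
    return [sum(vec[i] * mat[i][j] for i in range(n)) % mod for j in range(n)]


def _blocks(text, m, pad=None):
    """Letters as numbers in groups of m; pad the last group if a pad letter is given."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    if pad:
        while len(letters) % m:
            letters.append(pad)
    return [[ALPHABET.index(ch) for ch in letters[i:i + m]]
            for i in range(0, len(letters), m)]


def hill_encrypt(plaintext, key, pad="x"):
    """Pads the final block with 'x' (an assumption of this example)."""
    return "".join(ALPHABET[v]
                   for block in _blocks(plaintext, len(key), pad)
                   for v in vec_times_mat(block, key)).upper()


def hill_decrypt(ciphertext, key):
    key_inv = inverse_mod(key)
    return "".join(ALPHABET[v]
                   for block in _blocks(ciphertext, len(key))
                   for v in vec_times_mat(block, key_inv))


if __name__ == "__main__":
    message = "meet me at the usual place at ten rather than eight oclock"
    print("K^-1 mod 26 =", inverse_mod(KEY))
    ct = hill_encrypt(message, KEY)
    print(ct)
    print(hill_decrypt(ct, KEY))
```

For the assumed key, det K = 63 - 20 = 43 ≡ 17 (mod 26), 17⁻¹ ≡ 23 (mod 26), and K⁻¹ = [[5, 12], [15, 25]]; the first block "me" = [12, 4] encrypts to [24, 24] = "YY" and decrypts back to "me".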

Polyalphabetic Ciphers
• Use different monoalphabetic substitutions as one proceeds through the plaintext message.
• Improve security using multiple cipher alphabets.
• Make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution.
• The general name for this approach is polyalphabetic substitution cipher.
• All such ciphers have the following features in common:
  o A set of related monoalphabetic substitution rules is used.
  o A key determines which particular rule is chosen for a given transformation.

One-Time Pad
• An improvement to the Vernam cipher that yields the ultimate in security.
• Uses a random key that is as long as the message, so that the key need not be repeated.
• The key is used to encrypt and decrypt a single message, and then is discarded.
• Each new message requires a new key of the same length as the new message.
Example

ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key:        pxlmvmsydofuyrvzwc tnlebnecvgdupahfzzlmnyih
plaintext:  mr mustard with the candlestick in the hall

ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key:        mfugpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
plaintext:  miss scarlet with the knife in the library

Two fundamental difficulties
• The problem of making large quantities of random keys.
• The problem of key distribution and protection.
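The one-time pad, with the first ciphertext/key/plaintext triple above reproduced, as an added Python example (not the notes' own code). The example uses a 27-symbol alphabet, a to z followed by the space, with ciphertext = (plaintext + key) mod 27; that is the convention under which the first key above turns "mr mustard with the candlestick in the hall" into the ciphertext letter for letter. key_for_reading and ALT_PLAINTEXT are constructed for this example: they show that for any same-length reading of the ciphertext a key exists that produces it, which is both why the pad is unconditionally secure and why a captured ciphertext on its own proves nothing about the message.

```python
import secrets

# One-time pad over the 27-symbol alphabet (a..z and space) used by the notes' example.
# Added example, not the notes' own code; ALT_PLAINTEXT is a constructed alternative reading.

ALPHABET = "abcdefghijklmnopqrstuvwxyz "
N = len(ALPHABET)


def otp_encrypt(plaintext, key):
    """ciphertext[i] = (plaintext[i] + key[i]) mod 27; the key must cover the message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % N]
                   for p, k in zip(plaintext, key)).upper()


def otp_decrypt(ciphertext, key):
    """plaintext[i] = (ciphertext[i] - key[i]) mod 27."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % N]
                   for c, k in zip(ciphertext.lower(), key))


def otp_generate_key(length):
    """A fresh, truly random key per message (secrets, not random); never reuse it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_for_reading(ciphertext, wanted_plaintext):
    """Perfect secrecy in one line: the key that makes this ciphertext 'decrypt' to ANY
    chosen plaintext of the same length is simply (ciphertext - wanted) mod 27."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % N]
                   for c, p in zip(ciphertext.lower(), wanted_plaintext))


# The first example from the notes (27-symbol alphabet; note the space inside the key).
CIPHERTEXT = "ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS"
KEY = "pxlmvmsydofuyrvzwc tnlebnecvgdupahfzzlmnyih"
PLAINTEXT = "mr mustard with the candlestick in the hall"

# Constructed alternative reading of the same ciphertext, same length (43 symbols).
ALT_PLAINTEXT = "miss scarlet with the dagger in the library"

if __name__ == "__main__":
    print(otp_decrypt(CIPHERTEXT, KEY))
    alt_key = key_for_reading(CIPHERTEXT, ALT_PLAINTEXT)
    print(alt_key)
    print(otp_decrypt(CIPHERTEXT, alt_key))
    fresh = otp_generate_key(len(PLAINTEXT))
    print(otp_encrypt(PLAINTEXT, fresh))
```

Both keys are equally random-looking, so nothing in the ciphertext favours one reading over the other; the two practical difficulties listed above (generating that much true randomness and delivering it securely) are the price of that property.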

Transposition Techniques
A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters.

Rail Fence Technique
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
For example, to encipher the message "meet me after the toga party" with a rail fence of depth 2, we write the following:
m e m a t r h t g p r y
 e t e f e t e o a a t
The encrypted message is
MEMATRHTGPRYETEFETEOAAT

Pure Transposition Cipher
Write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.
Example

Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Double Transposition
Performing more than one stage of transposition.
Example: if the foregoing message is reencrypted using the same algorithm:

Key:    4 3 1 2 5 6 7
Input:  t t n a a p t
        m t s u o a o
        d w c o i x k
        n l y p e t z
Output: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ

This is a much less structured permutation and is much more difficult to cryptanalyze.
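Rail fence (for any depth) and keyed columnar transposition, including the double transposition just shown, as an added Python example (not code from the notes). The key is written as the digit string the notes use, e.g. "4312567"; the decryption routines are the inverse bookkeeping and assume nothing beyond the notes.

```python
import math

# Rail fence and keyed columnar transposition with their inverses.
# Added example, not code from the notes.


def _rail_index(i, depth):
    """Row on which the i-th letter lands when writing a zigzag of the given depth."""
    if depth == 1:
        return 0
    period = 2 * (depth - 1)
    r = i % period
    return r if r < depth else period - r


def rail_fence_encrypt(plaintext, depth=2):
    """Write along the diagonals, read off row by row."""
    letters = [ch for ch in plaintext.lower() if ch.isalpha()]
    rails = [[] for _ in range(depth)]
    for i, ch in enumerate(letters):
        rails[_rail_index(i, depth)].append(ch)
    return "".join("".join(r) for r in rails).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    """Work out how many letters each rail holds, slice them off, then re-walk the zigzag."""
    n = len(ciphertext)
    order = [_rail_index(i, depth) for i in range(n)]
    counts = [order.count(r) for r in range(depth)]
    rails, start = [], 0
    for c in counts:
        rails.append(list(ciphertext.lower()[start:start + c]))
        start += c
    return "".join(rails[r].pop(0) for r in order)


def columnar_encrypt(text, key):
    """Fill a rectangle row by row; read columns in the order the key digits dictate."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    ncols = len(key)
    cols = [letters[c::ncols] for c in range(ncols)]      # column c, top to bottom
    order = sorted(range(ncols), key=lambda c: int(key[c]))
    return "".join("".join(cols[c]) for c in order).upper()


def columnar_decrypt(ciphertext, key):
    """Undo columnar_encrypt, allowing for a ragged last row."""
    letters = list(ciphertext.lower())
    ncols, n = len(key), len(ciphertext)
    nrows = math.ceil(n / ncols)
    full = n % ncols                                       # 0 means every column is full
    lengths = [nrows if (full == 0 or c < full) else nrows - 1 for c in range(ncols)]
    order = sorted(range(ncols), key=lambda c: int(key[c]))
    cols, start = {}, 0
    for c in order:                                        # peel columns off in key order
        cols[c] = letters[start:start + lengths[c]]
        start += lengths[c]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols)
                   if r < len(cols[c]))


def double_transposition(text, key):
    """Two stages with the same key, as in the notes' second example."""
    return columnar_encrypt(columnar_encrypt(text, key), key)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    once = columnar_encrypt("attackpostponeduntiltwoamxyz", "4312567")
    print(once)
    print(double_transposition("attackpostponeduntiltwoamxyz", "4312567"))
    print(columnar_decrypt(columnar_decrypt(double_transposition(
        "attackpostponeduntiltwoamxyz", "4312567"), "4312567"), "4312567"))
```

A transposition leaves the letter frequencies of the plaintext untouched (only positions move), which is how an analyst recognises one; the second stage destroys the regular column structure that makes a single stage easy to reconstruct.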

Rotor Machines (Skip)
• The machine consists of a set of independently rotating cylinders through which electrical pulses can flow.
• Each cylinder has 26 input pins and 26 output pins, with internal wiring that connects each input pin to a unique output pin.

Steganography
A plaintext message may be hidden in one of two ways.
• The methods of steganography conceal the existence of the message.
• The methods of cryptography render the message unintelligible to outsiders by various transformations of the text.
Various ways to conceal the message
• An arrangement of words or letters within an apparently innocuous text spells out the real message.

Character marking
• Selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
Invisible ink
• A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied.
Pin punctures
• Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
Typewriter correction ribbon
• Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.
Hiding a message by using the least significant bits of frames on a CD
• The Kodak Photo CD format's maximum resolution is 2048 by 3072 pixels, with each pixel containing 24 bits of RGB color information.
• The least significant bit of each 24-bit pixel can be changed without greatly affecting the quality of the image.
• Thus you can hide a 2.3-megabyte message in a single digital snapshot.
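LSB embedding as an added Python example (not the notes' own). The cover is a constructed array of random RGB samples standing in for a photograph; one payload bit goes into the least significant bit of each 8-bit colour sample, and a 4-byte length header (an assumption of this example) tells the extractor where the payload ends. lsb_capacity_bytes reproduces the notes' 2.3-megabyte figure for a 2048 x 3072 image with three samples per pixel, and max_sample_change confirms that no sample moves by more than 1 out of 255, which is why the change is invisible.

```python
import random

# Least-significant-bit steganography in raw 8-bit RGB samples.
# Added example, not the notes' own; COVER and PAYLOAD are constructed test data.


def lsb_capacity_bytes(width, height, channels=3):
    """One hidden bit per colour sample: 2048 x 3072 x 3 / 8 = 2,359,296 bytes (~2.3 MB)."""
    return width * height * channels // 8


def lsb_embed(cover, payload):
    """Overwrite the LSB of successive cover bytes with the bits of a 4-byte length
    header followed by the payload. Each sample changes by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload          # header is an assumption
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego):
    """Read the header back from the first 32 LSBs, then that many payload bytes."""
    def read_bytes(bit_offset, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference introduced by embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64 x 64 RGB "image" and a constructed payload.
COVER = bytes(random.Random(1).randrange(256) for _ in range(64 * 64 * 3))
PAYLOAD = b"meet me at ten"

if __name__ == "__main__":
    stego = lsb_embed(COVER, PAYLOAD)
    print(lsb_extract(stego))
    print("max sample change:", max_sample_change(COVER, stego))
    print("Photo CD capacity (bytes):", lsb_capacity_bytes(2048, 3072))
```

The drawbacks listed next follow directly from the code: 8 cover bytes carry 1 payload byte, and anyone who knows the scheme reads the payload with lsb_extract, so the payload should be encrypted before it is hidden.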
Number of drawbacks
• A lot of overhead to hide a relatively few bits of information.
• Once the system is discovered, it becomes virtually worthless.
• The insertion method depends on some sort of key.
  o Alternatively, a message can be first encrypted and then hidden using steganography.

Advantage of steganography
• It can be employed by parties who have something to lose should the fact of their secret communication be discovered.
• Encryption flags traffic as important or secret, or may identify the sender or receiver as someone with something to hide.




























FINITE FIELDS AND NUMBER THEORY



TWO ASSERTIONS OF THE CRT



DISCRETE LOGARITHMS

GROUPS, RINGS AND FIELDS



FINITE FIELDS OF THE FORM GF(p)

POLYNOMIAL ARITHMETIC

Three classes of polynomial arithmetic:



FINITE FIELDS OF THE FORM GF(2^n)


CS6701 - CRYPTOGRAPHY AND NETWORK SECURITY
UNIT 2 NOTES
PREPARED BY
R.CYNTHIA PRIYADHARSHINI
AP/IT/SREC

Block Ciphers

• A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
  o Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.
• Many block ciphers have a Feistel structure. Such a structure consists of a number of identical rounds of processing. In each round, a substitution is performed on one half of the data being processed, followed by a permutation that interchanges the two halves. The original key is expanded so that a different key is used for each round.
• The Data Encryption Standard (DES) has been the most widely used encryption algorithm until recently. It exhibits the classic Feistel structure. DES uses a 64-bit block and a 56-bit key.
• Two important methods of cryptanalysis are differential cryptanalysis and linear cryptanalysis. DES has been shown to be highly resistant to these two types of attack.

Diffusion and Confusion

Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion.
Diffusion
• The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
• This is achieved by having each plaintext digit affect the value of many ciphertext digits;
• generally this is equivalent to having each ciphertext digit be affected by many plaintext digits.
Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key.
• Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key.

Feistel Cipher Structure
• All rounds have the same structure.
• A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data.
• The round function has the same general structure in every round but is parameterized by the round subkey Ki.
• Following this, a permutation is performed that consists of the interchange of the two halves of the data.
www.BrainKart.com


This structure is a particular form of the substitution-permutation network (SPN) 
Feistel network depends on the choice of the following parameters and design features

Block size, Key size, Number of rounds, Subkey generation algorithm, Round function,
Fast software encryption/decryption, Ease of analysis

Feistel Encryption and Decryption



Simplified DES

- Simplified DES (S-DES) is an educational rather than a secure encryption algorithm.
- It has similar properties and structure to DES with much smaller parameters.
Simplified DES Scheme

- The S-DES encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key as input and produces an 8-bit block of ciphertext as output.
- The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-bit key used to produce that ciphertext as input and produces the original 8-bit block of plaintext.

Involves five functions:
- an initial permutation (IP);
- a complex function labeled fK, which involves both permutation and substitution operations and depends on a key input;
- a simple permutation function that switches (SW) the two halves of the data;
- the function fK again;
- finally a permutation function that is the inverse of the initial permutation (IP^-1).
Algorithm

Key Generation for Simplified DES (key 1100011110)

  Bit position               1 2 3 4 5 6 7 8 9 10
  Key                        1 1 0 0 0 1 1 1 1 0
  P10 = 3 5 2 7 4 10 1 9 8 6
  P10(Key)                   0 0 1 1 0 0 1 1 1 1
  LS-1 (each 5-bit half)     0 1 1 0 0 1 1 1 1 0
  P8 = 6 3 7 4 8 5 10 9
  K1 = P8(LS-1)              1 1 1 0 1 0 0 1
  LS-2 (each 5-bit half)     1 0 0 0 1 1 1 0 1 1
  K2 = P8(LS-2)              1 0 1 0 0 1 1 1

Simplified DES Encryption Detail (plaintext 00101000)

  Plaintext (PT)             0 0 1 0 1 0 0 0
  IP = 2 6 3 1 4 8 5 7
  IP(PT)                     0 0 1 0 0 0 1 0        L = 0010, R = 0010
  EP = 4 1 2 3 2 3 4 1
  EP(R)                      0 0 0 1 0 1 0 0
  XOR K1                     1 1 1 1 1 1 0 1
  S0(1111) = 10, S1(1101) = 00   ->  1 0 0 0
  P4                         0 0 0 1
  XOR L                      0 0 1 1                L = 0011, R = 0010
  SWITCH                     L = 0010, R = 0011
  EP(R)                      1 0 0 1 0 1 1 0
  XOR K2                     0 0 1 1 0 0 0 1
  S0(0011) = 10, S1(0001) = 10   ->  1 0 1 0
  P4                         0 0 1 1
  XOR L                      0 0 0 1                L = 0001, R = 0011
  IP^-1 (0001 0011)          1 0 0 0 1 0 1 0
  Ciphertext (CT)            1 0 0 0 1 0 1 0
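A runnable S-DES implementation that reproduces the trace above is added here as an example (it is not code from the notes). It uses the standard S-DES tables from Stallings, including P4 = 2 4 3 1, IP^-1 = 4 1 3 5 7 2 8 6 and the S0/S1 boxes, which the notes reference but do not list.

```python
"""Simplified DES (S-DES), added example: encrypts an 8-bit block under a
10-bit key exactly as in the trace above (key 1100011110, plaintext 00101000)."""

# Permutation tables as 1-based bit positions, the convention used in the notes.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)   # inverse of IP
EP = (4, 1, 2, 3, 2, 3, 4, 1)       # expansion/permutation, 4 -> 8 bits
P4 = (2, 4, 3, 1)

# Standard S-DES S-boxes (Stallings); row = outer bits, column = inner bits.
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits, table):
    """Return the bits selected by `table` (1-based positions), in table order."""
    return "".join(bits[i - 1] for i in table)


def rotl(bits, n):
    """Circular left shift of a bit string by n positions."""
    return bits[n:] + bits[:n]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def key_schedule(key):
    """Derive the two 8-bit subkeys K1, K2 from a 10-bit key."""
    assert len(key) == 10 and set(key) <= {"0", "1"}
    t = permute(key, P10)
    ls1 = rotl(t[:5], 1) + rotl(t[5:], 1)      # LS-1 on each 5-bit half
    k1 = permute(ls1, P8)
    ls2 = rotl(ls1[:5], 2) + rotl(ls1[5:], 2)  # LS-2 on each 5-bit half
    k2 = permute(ls2, P8)
    return k1, k2


def sbox(bits4, box):
    """Look up a 4-bit input: bits 1,4 select the row, bits 2,3 the column."""
    row = int(bits4[0] + bits4[3], 2)
    col = int(bits4[1] + bits4[2], 2)
    return format(box[row][col], "02b")


def f(right, subkey):
    """The round function F: EP, XOR with subkey, S0/S1 substitution, P4."""
    x = xor(permute(right, EP), subkey)
    return permute(sbox(x[:4], S0) + sbox(x[4:], S1), P4)


def fk(left, right, subkey):
    """One Feistel round: the left half is XORed with F(right, subkey)."""
    return xor(left, f(right, subkey)), right


def _crypt(block, first, second):
    assert len(block) == 8 and set(block) <= {"0", "1"}
    x = permute(block, IP)
    left, right = fk(x[:4], x[4:], first)
    left, right = right, left                  # SW: swap the halves
    left, right = fk(left, right, second)
    return permute(left + right, IP_INV)


def encrypt(plaintext, key):
    k1, k2 = key_schedule(key)
    return _crypt(plaintext, k1, k2)


def decrypt(ciphertext, key):
    k1, k2 = key_schedule(key)        # same subkeys, applied in reverse order
    return _crypt(ciphertext, k2, k1)


if __name__ == "__main__":
    KEY, PT = "1100011110", "00101000"          # values from the trace above
    print("K1, K2 =", key_schedule(KEY))
    ct = encrypt(PT, KEY)
    print("ciphertext =", ct, "-> decrypts to", decrypt(ct, KEY))
```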

The Data Encryption Standard (DES)

- Overview
- DES Encryption
  - General Depiction of DES Encryption Algorithm
  - Initial Permutation
  - Permutation Tables for DES
  - Details of Single Round
  - Calculation of F(R, K)
  - Definition of DES S-Boxes
  - Key Generation
- DES Decryption
- The Avalanche Effect

Overview
- Data are encrypted in 64-bit blocks using a 56-bit key.
- The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
- The same steps, with the same key, are used to reverse the encryption.

DES Encryption
- There are two inputs to the encryption function: the plaintext to be encrypted and the key.
- In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.

General Depiction of DES Encryption Algorithm

- Processing of the plaintext proceeds in three phases.
- First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
- This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.
- The output of the sixteenth round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput.
- Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.

Initial Permutation
- The initial permutation and its inverse are defined by tables.
- The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64.
- Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.

Permutation Tables for DES

Initial Permutation (IP)

Expansion Permutation (E)

Inverse Initial Permutation (IP^-1)

Permutation Function (P)

Details of Single Round

Calculation of F(R, K)

Definition of DES S-Boxes (S1 .. S8)



Key Generation
- A 64-bit key is used as input to the algorithm.
- The bits of the key are numbered from 1 through 64; every eighth bit is ignored.
- The key is first subjected to a permutation governed by a table labeled Permuted Choice One.
- The resulting 56-bit key is then treated as two 28-bit quantities, labeled C0 and D0.
- At each round, Ci-1 and Di-1 are separately subjected to a circular left shift, or rotation, of 1 or 2 bits.
- These shifted values serve as input to the next round.
- They also serve as input to Permuted Choice Two, which produces a 48-bit output that serves as input to the function F(Ri-1, Ki).

DES Decryption
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.

The Avalanche Effect
- A small change in either the plaintext or the key should produce a significant change in the ciphertext.
- A change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.
- DES exhibits a strong avalanche effect.
Example
Two plaintexts that differ by one bit were used:

  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

with the key

  0000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010

- After just three rounds, 21 bits differ between the two blocks.
- On completion, the two ciphertexts differ in 34 bit positions.

A similar test was made in which a single plaintext

  01101000 10000101 00101111 01111010 00010011 01110110 11101011 10100100

is input with two keys that differ in only one bit position:

  1110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
  0110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100

Again, about half of the bits in the ciphertext differ, and the avalanche effect is pronounced after just a few rounds.

Differential and Linear Cryptanalysis

Differential Cryptanalysis
- Powerful method to analyse block ciphers.
- A statistical attack against Feistel ciphers.
- Uses cipher structure not previously used.
- The analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability.
- If a number of such differences are determined, it is feasible to determine the subkey used in the function f.
- Compares two related pairs of encryptions with a
  - known difference in the input, and
  - searches for a known difference in the output when the same subkeys are used.
- Begin with two plaintext messages m and m'.

Differential Propagation through Three Rounds of DES

After three rounds, the probability that the output difference is as shown is equal to 0.25 * 1 * 0.25 = 0.0625.

Linear Cryptanalysis
- This attack is based on finding linear approximations to describe the transformations performed in DES.
- This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.
- It may be easier to acquire known plaintext rather than chosen plaintext.
- Infeasible as an attack on DES.

For a cipher with n-bit plaintext and ciphertext blocks and an m-bit key, let the plaintext block be labeled P[1], ..., P[n], the ciphertext block C[1], ..., C[n], and the key K[1], ..., K[m].

Then define
The objective of linear cryptanalysis is to find an effective linear equation of the form

The further p is from 0.5, the more effective the equation.

Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the preceding equation for a large number of plaintext-ciphertext pairs.

If the result is 0 more than half the time, assume = 0.

If it is 1 most of the time, assume = 1. This gives us a linear equation on the key bits.

Modes of operation

Electronic Codebook (ECB)
  Description: Each block of 64 plaintext bits is encoded independently using the same key.
  Typical Application: Secure transmission of single values (e.g., an encryption key).

Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
  Typical Application: General-purpose block-oriented transmission; authentication.

Cipher Feedback (CFB)
  Description: Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
  Typical Application: General-purpose stream-oriented transmission; authentication.

Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding DES output.
  Typical Application: Stream-oriented transmission over a noisy channel (e.g., satellite communication).

Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical Application: General-purpose block-oriented transmission; useful for high-speed requirements.

Various Modes
- Electronic Codebook Mode
- Cipher Block Chaining Mode
- Cipher Feedback Mode
- Output Feedback Mode
- Counter Mode

Electronic Codebook Mode


Encryption

Decryption

Cipher Block Chaining Mode


Encryption

Decryption

Cipher Feedback Mode – Encryption / Decryption

Output Feedback Mode– Encryption / Decryption



Counter Mode
Encryption

Decryption

- IV: initialization vector
- Plaintext (padded as necessary) consists of a sequence of b-bit blocks, P1, P2, ..., PN;
- the corresponding sequence of ciphertext blocks is C1, C2, ..., CN.
- The unit of transmission is s bits; a common value is s = 8.

Advantages Of CTR Mode
- Hardware efficiency
- Software efficiency
- Preprocessing
- Random access
- Provable security
- Simplicity

Encryption Algorithms
Advanced Encryption Standard
- The AES Cipher
- AES Parameters
- AES Encryption and Decryption
- AES Data Structures
- AES Encryption Round
- Substitute Bytes Transformation
- ShiftRows Transformation
- AddRoundKey Transformation
- AES Key Expansion

The AES Cipher

- The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits.
- The AES specification uses the same three key size alternatives but limits the block length to 128 bits.
- A number of AES parameters depend on the key length.
- In the description of this section, we assume a key length of 128 bits, which is likely to be the one most commonly implemented.

AES Parameters

AES Encryption and Decryption



AES Data Structures


Input, state array, and output

Key and expanded key

AES Encryption Round
- Substitute Bytes Transformation
- ShiftRows Transformation
- AddRoundKey Transformation
- AES Key Expansion

Double DES
- Has two encryption stages and two keys.
- Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
  C = E(K2, E(K1, P))
- Decryption requires that the keys be applied in reverse order:
  P = D(K1, D(K2, C))
- This scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in a dramatic increase in cryptographic strength.

Meet-In-The-Middle Attack

- It is based on the observation that, if we have C = E(K2, E(K1, P)), then X = E(K1, P) = D(K2, C).
- Given a known pair (P, C), the attack proceeds as follows:
  - First, encrypt P for all 2^56 possible values of K1.
  - Store these results in a table and then sort the table by the values of X.
  - Next, decrypt C using all 2^56 possible values of K2.
  - As each decryption is produced, check the result against the table for a match.
  - If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair.
  - If the two keys produce the correct ciphertext, accept them as the correct keys.
- For any given plaintext P, there are 2^64 possible ciphertext values that could be produced by double DES.
- Since there are 2^112 key pairs but only 2^64 possible ciphertexts, about 2^112 / 2^64 = 2^48 key pairs map P to any given C, so the foregoing procedure will produce about 2^48 false alarms on the first (P, C) pair.
- With an additional 64 bits of known plaintext and ciphertext, the false alarm rate is reduced to 2^(48-64) = 2^-16.
- If the meet-in-the-middle attack is performed on two blocks of known plaintext-ciphertext, the probability that the correct keys are determined is 1 - 2^-16.
- The result is that a known plaintext attack will succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56, which is not much more than the 2^55 required for single DES.
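The procedure above, run against double encryption built from a tiny toy block cipher (an added example, not from the notes): the 16-bit cipher with 10-bit keys, the key values and the plaintexts are all constructed for the demonstration, and the candidate counts show the 2^(k1+k2-n) false alarms on the first pair that the additional known pairs remove.

```python
"""Meet-in-the-middle against double encryption, added example. The block
cipher below is a constructed 16-bit toy with a 10-bit key; it exists only so
that the 2^k tables of the attack fit in memory and run in seconds."""

BLOCK_MASK = 0xFFFF
KEY_BITS = 10


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & BLOCK_MASK


def _rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & BLOCK_MASK


def toy_encrypt(block, key):
    """Constructed toy cipher: XOR, rotate, add, XOR, rotate (all invertible)."""
    k = (key * 0x3D1) & BLOCK_MASK       # spread the 10 key bits over 16
    x = _rotl16(block ^ k, 5)
    x = (x + k) & BLOCK_MASK
    return _rotl16(x ^ 0xA5A5, 3)


def toy_decrypt(block, key):
    k = (key * 0x3D1) & BLOCK_MASK
    x = _rotr16(block, 3) ^ 0xA5A5
    x = (x - k) & BLOCK_MASK
    return _rotr16(x, 5) ^ k


def double_encrypt(block, k1, k2):
    """C = E(K2, E(K1, P)), the double-encryption scheme of the notes."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover candidate (K1, K2) pairs from known (P, C) pairs.

    Cost is 2 * 2^KEY_BITS cipher operations for the first pair, instead of
    the 2^(2*KEY_BITS) a brute-force search over both keys would need.
    Returns (surviving candidates, number of matches on the first pair).
    """
    p0, c0 = pairs[0]
    # Step 1: X = E(K1, P) for every K1, indexed by X (the "sorted table").
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(p0, k1), []).append(k1)
    # Step 2: X = D(K2, C) for every K2; every table hit is a candidate pair.
    candidates = [(k1, k2) for k2 in range(1 << KEY_BITS)
                  for k1 in table.get(toy_decrypt(c0, k2), [])]
    first_pair_matches = len(candidates)
    # Step 3: keep only candidates that also explain the remaining pairs;
    # each extra pair cuts the false alarms by a factor of about 2^16.
    for p, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(p, k1, k2) == c]
    return candidates, first_pair_matches


if __name__ == "__main__":
    K1, K2 = 0x2B5, 0x1C3                      # constructed secret keys
    known = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0042)]
    found, first = meet_in_the_middle(known)
    print("matches after first pair:", first, "(about 2^(10+10-16) = 16 expected)")
    print("surviving after all pairs:", [(hex(a), hex(b)) for a, b in found])
```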

Triple DES
- A triple encryption method that uses only two keys.
- The function follows an encrypt-decrypt-encrypt (EDE) sequence:
  C = E(K1, D(K2, E(K1, P)))
- There is no cryptographic significance to the use of decryption for the second stage.
- Its advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:
  C = E(K1, D(K1, E(K1, P))) = E(K1, P)

Attacks on TDES
Known-Plaintext Attack on Triple DES

Triple DES with Three Keys
- Three-key 3DES has an effective key length of 168 bits and is defined as follows:
  C = E(K3, D(K2, E(K1, P)))
- Backward compatibility with DES is provided by putting K3 = K2 or K1 = K2.
- A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME.

Blowfish
- Symmetric block cipher that can be effectively used for encryption and safeguarding of data.
- It takes a variable-length key, from 32 bits to 448 bits, making it ideal for securing data.
- Fast, free alternative to existing encryption algorithms.
- Unpatented and license-free, and available free for all uses.
- The Blowfish algorithm is a Feistel network, iterating a simple encryption function 16 times.
- The block size is 64 bits, and the key can be any length up to 448 bits.
- Although there is a complex initialization phase required before any encryption can take place, the actual encryption of data is very efficient on large microprocessors.
- Blowfish is a variable-length key block cipher.
- It is suitable for applications where the key does not change often, like a communications link or an automatic file encryptor.
- It is significantly faster than most encryption algorithms when implemented on 32-bit microprocessors with large data caches.
Feistel Networks

A Feistel network is a general method of transforming any function (usually called an F-function) into a permutation. It was invented by Horst Feistel and has been used in many block cipher designs.

The working of a Feistel network is given below:
- Split each block into halves.
- The right half becomes the new left half.
- The new right half is the final result when the left half is XOR'd with the result of applying f to the right half and the key.

Note that previous rounds can be derived even if the function f is not invertible.
The Blowfish Algorithm:
- Manipulates data in large blocks.
- Has a 64-bit block size.
- Has a scalable key, from 32 bits to at least 256 bits.
- Uses simple operations that are efficient on microprocessors.
  - e.g., exclusive-or, addition, table lookup, modular multiplication.
  - It does not use variable-length shifts or bit-wise permutations, or conditional jumps.
- Employs precomputable subkeys.
  - On large-memory systems, these subkeys can be precomputed for faster operation.
  - Not precomputing the subkeys will result in slower operation, but it should still be possible to encrypt data without any precomputations.
- Consists of a variable number of iterations.
- Uses subkeys that are a one-way hash of the key.
  - This allows the use of long passphrases for the key without compromising security.
- Has no linear structures that reduce the complexity of exhaustive search.
- Uses a design that is simple to understand.
Description Of The Algorithm
- Blowfish is a variable-length key, 64-bit block cipher.
- The algorithm consists of two parts:
  - a key-expansion part and
  - a data-encryption part.
- Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes.
- Data encryption occurs via a 16-round Feistel network.
- Each round consists of a key-dependent permutation, and a key- and data-dependent substitution.
- All operations are XORs and additions on 32-bit words.
- The only additional operations are four indexed array data lookups per round.
Subkeys

- Blowfish uses a large number of subkeys.
- These keys must be precomputed before any data encryption or decryption.
- The P-array consists of 18 32-bit subkeys: P1, P2, ..., P18.
- There are four 32-bit S-boxes with 256 entries each:
    S1,0, S1,1, ..., S1,255;
    S2,0, S2,1, ..., S2,255;
    S3,0, S3,1, ..., S3,255;
    S4,0, S4,1, ..., S4,255.
Encryption

- Blowfish has 16 rounds.
- The input is a 64-bit data element, x.
- Divide x into two 32-bit halves: xL, xR.
- Then,

    for i = 1 to 16:
        xL = xL XOR Pi
        xR = F(xL) XOR xR
        Swap xL and xR

- After the sixteenth round, swap xL and xR again to undo the last swap.
- Then, xR = xR XOR P17 and xL = xL XOR P18.
- Finally, recombine xL and xR to get the ciphertext.

Decryption
- Exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order.

Generating the Subkeys

The subkeys are calculated using the Blowfish algorithm:

1. Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0x03707344, etc.

2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32 bits of the key, and so on for all bits of the key (possibly up to P14). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. (For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc.,  are equivalent keys.)

3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).

4. Replace P1 and P2 with the output of step (3).

5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.

6. Replace P3 and P4 with the output of step (5).

7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.

- In total, 521 iterations are required to generate all required subkeys.
- Applications can store the subkeys rather than execute this derivation process multiple times.

RC5
Introduction
- A proprietary cipher owned by RSADSI.
- Designed by Ronald Rivest (of RSA fame).
- Used in various RSADSI products.
- Can vary key size / data size / number of rounds.
- Very clean and simple design.
- Easy implementation on various CPUs.
- Yet still regarded as secure.

RC5 Ciphers
- RC5 is a family of ciphers RC5-w/r/b
  - w = word size in bits (16/32/64); the data block is 2w bits
  - r = number of rounds (0..255)
  - b = number of bytes in key (0..255)
- The nominal version is RC5-32/12/16
  - 32-bit words, so it encrypts 64-bit data blocks
  - using 12 rounds
  - with a 16-byte (128-bit) secret key

RC5 Key Expansion

- RC5 uses t = 2r+2 subkey words (w bits each).
- Subkeys are stored in array S[i], i = 0..t-1.
- The key schedule consists of:
  - initializing S to a fixed pseudorandom value, based on constants e and phi;
  - the byte key is copied (little-endian) into a c-word array L;
  - a mixing operation then combines L and S to form the final S array.

RC5 Encryption
- Split input into two halves A & B
- L0 = A + S[0];
- R0 = B + S[1];
- for i = 1 to r do
      Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i];
      Ri = ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1];
- Each round is like 2 DES rounds.
- Note that rotation is the main source of non-linearity.
- Need a reasonable number of rounds (e.g. 12-16).

RC5 Modes
- RFC 2040 defines 4 modes used by RC5:
- RC5 Block Cipher, is ECB mode
- RC5-CBC, is CBC mode
- RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes
- RC5-CTS, a variant of CBC which is the same size as the original message; uses ciphertext stealing to keep the size the same as the original.
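An implementation of the nominal RC5-32/12/16 described above, added here as an example (it is not code from the notes or from RSADSI): key expansion with the constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9 (derived from e and phi) and the mixing loop, the encryption rounds in the notes' notation, and the matching decryption. The key and plaintext used at the bottom are constructed.

```python
"""RC5-32/12/16 (w = 32-bit words, r = 12 rounds, b = 16-byte key), added example."""

W, R, B = 32, 12, 16
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9   # "magic" constants derived from e and phi


def rotl(x, n):
    """Rotate a w-bit word left by n (only the low log2(w) bits of n matter)."""
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def key_expansion(key):
    """Build the t = 2r + 2 subkey words S[0..t-1] from a b-byte key."""
    assert len(key) == B
    u = W // 8                                  # bytes per word
    c = max(1, (len(key) + u - 1) // u)         # words in L
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):       # little-endian copy into L
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * R + 2
    S = [(P32 + i * Q32) & MASK for i in range(t)]   # fixed pseudorandom init
    i = j = A = Bw = 0
    for _ in range(3 * max(t, c)):              # mix L into S
        A = S[i] = rotl((S[i] + A + Bw) & MASK, 3)
        Bw = L[j] = rotl((L[j] + A + Bw) & MASK, A + Bw)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(A, Bw, S):
    """Encrypt the two w-bit halves (A, B) of a 2w-bit block."""
    A = (A + S[0]) & MASK
    Bw = (Bw + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ Bw, Bw) + S[2 * i]) & MASK
        Bw = (rotl(Bw ^ A, A) + S[2 * i + 1]) & MASK
    return A, Bw


def decrypt_block(A, Bw, S):
    """Undo the rounds in reverse order, then the two initial additions."""
    for i in range(R, 0, -1):
        Bw = rotr((Bw - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, Bw) ^ Bw
    Bw = (Bw - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, Bw


def encrypt_bytes(block, key):
    """Bytes interface: 8-byte block, words loaded little-endian as in RC5."""
    S = key_expansion(key)
    A = int.from_bytes(block[:4], "little")
    Bw = int.from_bytes(block[4:], "little")
    A, Bw = encrypt_block(A, Bw, S)
    return A.to_bytes(4, "little") + Bw.to_bytes(4, "little")


def decrypt_bytes(block, key):
    S = key_expansion(key)
    A, Bw = decrypt_block(int.from_bytes(block[:4], "little"),
                          int.from_bytes(block[4:], "little"), S)
    return A.to_bytes(4, "little") + Bw.to_bytes(4, "little")


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed 128-bit key
    pt = b"RC5block"
    ct = encrypt_bytes(pt, key)
    print(ct.hex(), decrypt_bytes(ct, key))
```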

Public Key Cryptography

Principles of Public-Key Cryptosystems
- Public-Key Cryptosystems
- Applications for Public-Key Cryptosystems
- Requirements for Public-Key Cryptography
- Public-Key Cryptanalysis

Public-Key Cryptosystems
Introduction
- The concept evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:
  - Key distribution
  - Digital signatures
- Also called asymmetric cryptography.
- Asymmetric algorithms make use of one key for encryption and another for decryption.

Characteristics of Asymmetric algorithms
- It is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key.
- Either of the two related keys can be used for encryption, with the other used for decryption.

Public-Key Cryptography
Six Ingredients
- Plaintext: This is the readable message or data that is fed into the algorithm as input.
- Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
- Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the algorithm depend on the public or private key that is provided as input.
- Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
- Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.

Encryption

Authentication

Comparison with Symmetric Key Encryption

Conventional Encryption

  Needed to Work:
  1. The same algorithm with the same key is used for encryption and decryption.
  2. The sender and receiver must share the algorithm and the key.

  Needed for Security:
  1. The key must be kept secret.
  2. It must be impossible or at least impractical to decipher a message if no other information is available.
  3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.

Public-Key Encryption

  Needed to Work:
  1. One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption.
  2. The sender and receiver must each have one of the matched pair of keys (not the same one).

  Needed for Security:
  1. One of the two keys must be kept secret.
  2. It must be impossible or at least impractical to decipher a message if no other information is available.
  3. Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key.

Public-Key Cryptosystem: Secrecy



Public-Key Cryptosystem: Authentication

Public-Key Cryptosystem: Authentication and Secrecy

Applications for Public-Key Cryptosystems

Encryption/decryption
The sender encrypts a message with the recipient's public key.

Digital signature
The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.

Key exchange
Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.

original message, M.
The two keys can be applied in either order: M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]

Public-Key Cryptanalysis
Three types of attacks:
- Brute force
- Deducing the private key
- Probable message attack

Brute force
- A public-key encryption scheme is vulnerable to a brute-force attack.
- The countermeasure is to use large keys.
- Public-key systems depend on the use of some sort of invertible mathematical function.
- The key size must be large enough to make a brute-force attack impractical but small enough for practical encryption and decryption.

Deducing the private key
- Find some way to compute the private key given the public key.
- So far, it has not been mathematically proven that this is infeasible for a particular public-key algorithm.
- Such attacks have not been successful to date.

Probable message attack
- Peculiar to public-key systems.
- Suppose, for example, that a message were to be sent that consisted solely of a 56-bit DES key.
- An adversary could encrypt all possible 56-bit DES keys using the public key and could discover the encrypted key by matching the transmitted ciphertext.
- Thus, no matter how large the key size of the public-key scheme, the attack is reduced to a brute-force attack on a 56-bit key.
- This attack can be thwarted by appending some random bits to such simple messages.

Rivest-Shamir-Adleman (RSA) Algorithm

- A block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n.
- A typical size for n is 1024 bits, or 309 decimal digits.
- A public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}.

Key Generation

Encryption

Decryption

Example of RSA Algorithm

Encryption

Decryption

The Security of RSA

Four possible approaches to attacking the RSA algorithm are as follows:

Brute force
- This involves trying all possible private keys.
- The defense is to use a large key space.
- The larger the number of bits in e and d, the better.
- The larger the size of the key, the slower the system will run.
Mathematical attacks
There are several approaches, all equivalent in effort to factoring the product of two primes.

Timing attacks
These depend on the running time of the decryption algorithm.

Chosen ciphertext attacks
This type of attack exploits properties of the RSA algorithm.

Mathematical Attacks
Three approaches to attacking RSA mathematically:

To avoid values of n that may be factored more easily, the algorithm's inventors suggest the following constraints on p and q.

If e < n and d < n^(1/4), then d can be easily determined.

Timing Attack
- This attack is alarming for two reasons:
  - It comes from a completely unexpected direction.
  - It is a ciphertext-only attack.
- A timing attack is somewhat analogous to a burglar guessing the combination of a safe by observing how long it takes for someone to turn the dial from number to number.
- We can explain the attack using the modular exponentiation algorithm.
- Modular exponentiation is accomplished bit by bit, with one modular multiplication performed at each iteration and an additional modular multiplication performed for each 1 bit.

Working of this attack
- The attack proceeds bit-by-bit starting with the leftmost bit, b_k.
- Suppose that the first j bits are known.
- For a given ciphertext, the attacker can complete the first j iterations of the for loop.
- The operation of the subsequent step depends on the unknown exponent bit.
- If the observed time to execute the decryption algorithm is always slow when this particular iteration is slow with a 1 bit, then this bit is assumed to be 1.
- If a number of observed execution times for the entire algorithm are fast, then this bit is assumed to be 0.

Methods to overcome timing attacks

Constant exponentiation time
- Ensure that all exponentiations take the same amount of time before returning a result.
- This is a simple fix but does degrade performance.

Random delay
- Better performance could be achieved by adding a random delay to the exponentiation algorithm to confuse the timing attack.

Blinding
- Multiply the ciphertext by a random number before performing exponentiation.
- This process prevents the attacker from knowing what ciphertext bits are being processed inside the computer and therefore prevents the bit-by-bit analysis essential to the timing attack.
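An added example (not from the notes) that models the timing-attack discussion above on a textbook-size RSA key: the square-and-multiply routine counts its modular multiplications to show how the work depends on the 1 bits of d, a constant-work variant removes that dependence, and `decrypt_blinded` applies the blinding countermeasure. The primes p = 61, q = 53 and e = 17 are the usual small textbook values, chosen so the numbers can be checked by hand.

```python
"""RSA decryption, the exponent-dependent work a timing attack measures, and
the blinding countermeasure. Added example with textbook-size parameters."""
import math
import random

# Textbook key: p = 61, q = 53, n = 3233, phi = 3120, e = 17, d = 2753.
P, Q = 61, 53
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 17
D = pow(E, -1, PHI)            # d = e^-1 mod phi(n); needs Python 3.8+


def encrypt(m, e=E, n=N):
    return pow(m, e, n)


def modexp_leaky(base, exp, n):
    """Left-to-right square-and-multiply as in the notes: one modular
    multiplication per exponent bit plus one more for every 1 bit.
    Returns (result, multiplications) so the data dependence is visible."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % n
        mults += 1
        if bit == "1":                  # the extra, bit-dependent step
            result = (result * base) % n
            mults += 1
    return result, mults


def modexp_constant_work(base, exp, n, bits):
    """Same computation, but the multiply is always performed and an
    arithmetic select keeps the value that applies, so the operation count no
    longer depends on the exponent ("constant exponentiation time" above).
    Only the count is constant here; CPython big-int arithmetic is not itself
    constant-time, so this illustrates the idea, not a hardened primitive."""
    result, mults = 1, 0
    for i in range(bits - 1, -1, -1):
        result = (result * result) % n
        candidate = (result * base) % n
        mults += 2
        bit = (exp >> i) & 1
        result = bit * candidate + (1 - bit) * result   # select without branching
    return result, mults


def decrypt_blinded(c, d=D, e=E, n=N, rng=random.SystemRandom()):
    """Blinding: exponentiate r^e * c instead of c, then strip r.

    (c * r^e)^d = c^d * r^(ed) = m * r (mod n), so m = (c * r^e)^d * r^-1.
    The measured timings then relate to a random multiple of c, not to c."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * pow(r, -1, n)) % n


if __name__ == "__main__":
    c = encrypt(65)
    print("c =", c, "-> m =", decrypt_blinded(c))
    print("multiplications for d =", D, ":", modexp_leaky(c, D, N)[1])
```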

Cryptography and Network Security

Dr. B. Shanthini
Prof. & Head, IT Department
St. Peter's College of Engineering & Technology

Unit 3 Outline
- Authentication requirement
- Authentication functions
- MAC
- Hash function
- Security of hash function and MAC
- MD5 and SHA
- HMAC and CMAC
- Digital signature and authentication protocols
- DSS - ElGamal - Schnorr

Message Authentication
Message authentication is concerned with:
- protecting the integrity of a message
- validating the identity of the originator
- non-repudiation of origin (dispute resolution)
Will consider the security requirements.
Three functions used:
- Message Encryption
- Message Authentication Code (MAC)
- Hash Function

Security Requirements
- Disclosure
- Traffic analysis
- Masquerade
- Content modification
- Sequence modification
- Timing modification
- Source repudiation
- Destination repudiation

Message Encryption
Message encryption by itself also provides a measure of authentication.
If symmetric encryption is used then:
- receiver knows the sender must have created it, since only sender and receiver know the key used
- knows the content has not been altered
- if the message has suitable structure, redundancy or a checksum to detect any changes

Message Encryption
Symmetric encryption: Confidentiality & Authentication

[Figure: Source A computes EK(M) with key K; Destination B decrypts with the same key K to recover M]

Message Encryption

If public-key encryption is used:
- encryption provides no confidence of the sender
- since anyone potentially knows the public key
- however, if
  - the sender signs the message using their private key
  - and then encrypts with the recipient's public key
  - we have both secrecy and authentication

Message Encryption
Public-key encryption: Confidentiality

[Figure: Source A computes EKUb(M) with B's public key KUb; Destination B decrypts with its private key KRb to recover M]

Message Encryption
Public-key encryption: Authentication & Signature

[Figure: Source A computes EKRa(M) with its private key KRa; Destination B decrypts with A's public key KUa to recover M]

Message Encryption
Public-key encryption: Confidentiality, Authentication & Signature

[Figure: Source A computes EKRa(M) with KRa and then EKUb[EKRa(M)] with KUb; Destination B decrypts with KRb and then with KUa to recover M]

Message Authentication Code (MAC)

Generated by an algorithm that creates a small fixed-sized block called a cryptographic checksum or MAC
- depending on both the message and some key
- need not be reversible like encryption
Appended to the message as a signature
Receiver performs the same computation on the message and checks it matches the MAC
Provides assurance that the message is unaltered and comes from the sender

Message Authentication Code

Message Authentication Codes
As shown, the MAC provides authentication
Can also use encryption for secrecy
- generally use separate keys for each
- can compute MAC either before or after encryption
- is generally regarded as better done before
If only the sender and receiver know the secret key and the MAC matches, then:
- Receiver is assured that the message has not been altered
- Receiver is assured that the message is from the alleged sender
- If the message includes a sequence number then the receiver can be assured of the proper sequence

Message Authentication Codes
Message Authentication:
[Figure: the sender computes C_K(M) over M with key K and transmits M || C_K(M); the receiver recomputes C_K(M) and compares.]

Message Authentication Codes
Message Authentication and Confidentiality (Authentication Tied to Plaintext):
[Figure: the sender computes C_K1(M) and transmits E_K2[M || C_K1(M)]; the receiver decrypts with K2, recomputes C_K1(M) over the recovered M and compares.]

Message Authentication Codes
Message Authentication and Confidentiality (Authentication Tied to Ciphertext):
[Figure: the sender computes E_K2(M), then C_K1[E_K2(M)], and transmits E_K2(M) || C_K1[E_K2(M)]; the receiver recomputes the MAC over the ciphertext, compares, and only then decrypts with K2.]

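The two placements shown in the last two figures, as an added example that is not part of the slides: in the first the MAC is computed over the plaintext and everything is then encrypted, in the second the MAC is computed over the ciphertext. The MAC is HMAC-SHA256 from the standard library; the keystream built from SHA-256 is a constructed stand-in for a real block cipher so that the block runs offline, and the key and message values are constructed too.

```python
import hashlib
import hmac

# Constructed toy stream "cipher" (illustration only; a real system uses AES or
# another vetted cipher). Keystream block = SHA-256(key || byte offset).
def toy_encrypt(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(x ^ s for x, s in zip(data[off:off + 32], stream))
    return bytes(out)

toy_decrypt = toy_encrypt          # XOR with the same keystream undoes it

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()   # 32-byte tag

# Authentication tied to plaintext: E_K2[ M || C_K1(M) ]
def protect_mac_then_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    return toy_encrypt(k2, m + mac(k1, m))

def open_mac_then_encrypt(k1: bytes, k2: bytes, blob: bytes):
    pt = toy_decrypt(k2, blob)                 # must decrypt before the tag can be checked
    m, tag = pt[:-32], pt[-32:]
    if not hmac.compare_digest(tag, mac(k1, m)):
        return None
    return m

# Authentication tied to ciphertext: E_K2(M) || C_K1[ E_K2(M) ]
def protect_encrypt_then_mac(k1: bytes, k2: bytes, m: bytes) -> bytes:
    ct = toy_encrypt(k2, m)
    return ct + mac(k1, ct)

def open_encrypt_then_mac(k1: bytes, k2: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(k1, ct)):
        return None                            # rejected before any decryption work
    return toy_decrypt(k2, ct)

def demo():
    """Both constructions on a constructed message: an intact copy is accepted,
    a copy with one bit flipped in transit is rejected (returns None)."""
    k1, k2 = b"constructed-mac-key", b"constructed-enc-key"   # separate keys, as the slide advises
    m = b"transfer 100 to account 42"
    results = {}
    for name, protect, open_ in [
        ("plaintext-tied", protect_mac_then_encrypt, open_mac_then_encrypt),
        ("ciphertext-tied", protect_encrypt_then_mac, open_encrypt_then_mac),
    ]:
        blob = protect(k1, k2, m)
        tampered = bytearray(blob)
        tampered[0] ^= 0x01                    # one bit flipped in transit
        results[name] = (open_(k1, k2, blob), open_(k1, k2, bytes(tampered)))
    return results
```

The receiver-side functions compare tags with `hmac.compare_digest` so that the comparison time does not depend on where the first differing byte is.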
Hash Functions
Condenses an arbitrary message to a fixed size
Hash code h = H(M)
Also called message digest or hash value
The hash function is public and not keyed (a MAC is keyed)
The hash code is a function of all bits of the message
A change to any bit or bits in the message results in a change to the hash code
Most often used to create a digital signature
Can be used in various ways with a message

Basic Uses of Hash Function
a. Message plus concatenated hash code is encrypted using symmetric encryption: Authentication and Confidentiality
b. Only the hash code is encrypted using symmetric encryption: No Confidentiality, only Authentication (acts as a MAC)
c. Only the hash code is encrypted using public-key encryption with the sender's private key: No Confidentiality, only Authentication
d. Message plus public-key-encrypted hash code is encrypted using a symmetric secret key: Confidentiality and digital signature
e. Hash value is computed over message plus secret value S: No Confidentiality, only Authentication
f. Message plus the hash code of approach (e) is encrypted: Confidentiality and Authentication

Requirements for Hash Functions
The purpose of a hash function is to produce a fingerprint of a file, message or other block of data
For message authentication, a hash function H must have the following properties:
– H can be applied to any sized message M
– H produces fixed-length output h
– It is easy to compute h = H(M) for any message M
– Given h, it is infeasible to find M s.t. H(M) = h (one-way property)
– Given x, it is infeasible to find y ≠ x s.t. H(y) = H(x) (weak collision resistance)
– It is infeasible to find any pair x, y s.t. H(y) = H(x) (strong collision resistance)

Birthday Attacks
Might think a 64-bit hash is secure
But by the Birthday Paradox it is not
The birthday paradox can be stated as follows:
– What is the minimum value of k such that the probability is greater than 0.5 that at least two people in a group of k people have the same birthday?
– It turns out that the answer is 23, which is quite a surprising result.
– In other words, if there are 23 people in a room, the probability that two of them have the same birthday is approximately 0.5.
– If there are 100 people (i.e. k = 100) then the probability is .9999997, i.e. you are almost guaranteed that there will be a duplicate.

Birthday Attacks
Digital signatures can be susceptible to a birthday attack.
A message is typically signed by first computing , where is a cryptographic hash function, and then using some secret key to sign .
Suppose Mallory wants to trick Bob into signing a fraudulent contract.
Mallory prepares a fair contract and a fraudulent one .
She then finds a number of positions where can be changed without changing the meaning, such as inserting commas, empty lines, one versus two spaces after a sentence, replacing synonyms, etc.

Birthday Attacks
By combining these changes, she can create a huge number of variations on , which are all fair contracts.
In a similar manner, Mallory also creates a huge number of variations on the fraudulent contract .
She then applies the hash function to all these variations until she finds a version of the fair contract and a version of the fraudulent contract which have the same hash value, .
She presents the fair version to Bob for signing.
After Bob has signed, Mallory takes the signature and attaches it to the fraudulent contract.
This signature then "proves" that Bob signed the fraudulent contract.

Birthday Attacks
Might think a 64-bit hash is secure
But by the Birthday Paradox it is not
The birthday attack works thus:
– the opponent generates 2^(m/2) variations of a valid message, all with essentially the same meaning
– the opponent also generates 2^(m/2) variations of a desired fraudulent message
– the two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox)
– the user signs the valid message, then the opponent substitutes the forgery, which will have a valid signature
Conclusion is that we need to use a larger MAC/hash

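The two claims above, the k = 23 probability and the 2^(m/2) work factor, checked numerically as an added example that is not part of the slides. The exact birthday probability is computed from its product formula, and the work factor is measured on a constructed short hash (the leading m bits of SHA-256, m of 16 to 24 bits) so the search finishes in a fraction of a second; the message variants "contract v<i>" are constructed. The same search against a full-length digest is hopeless, which is the slide's conclusion.

```python
import hashlib

def birthday_probability(k: int, n: int = 365) -> float:
    """Exact P(at least two of k draws from n equally likely values coincide)."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (n - i) / n
    return 1.0 - p_all_distinct

def toy_hash(msg: bytes, m_bits: int) -> int:
    """Constructed m-bit hash: the leading m bits of SHA-256 (only to make the bound visible)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - m_bits)

def find_collision(m_bits: int, limit: int = 1 << 20):
    """Birthday search: hash constructed variants until two share an m-bit hash.
    Returns (i, j, tries) for the first colliding pair, or None if the budget runs out."""
    seen = {}
    for i in range(limit):
        h = toy_hash(b"contract v%d" % i, m_bits)
        if h in seen:
            return seen[h], i, i + 1
        seen[h] = i
    return None

def work_factor_table(bit_sizes=(16, 20, 24)) -> dict:
    """Tries needed per hash width; expect growth around sqrt(2^m), i.e. 2^(m/2)."""
    return {m: find_collision(m)[2] for m in bit_sizes}
```

For a 64-bit hash the same estimate gives about 2^32 hash evaluations, which is why the slides call a 64-bit hash insecure against this attack even though 2^64 preimage work would be out of reach.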
MD5: Message Digest Version 5
Input: message of arbitrary length
Output: 128-bit digest
Developed by Ron Rivest at MIT
Until recently the most widely used hash algorithm
Specified as Internet standard RFC 1321

MD5 Overview
[Figure: overall MD5 processing of the padded message]

MD5 Overview
Append Padding Bits:
– Pad the message so its length is congruent to 448 mod 512, i.e. the length of the padded message is 64 bits less than an integer multiple of 512 bits.
– Padding is always added
– For eg. if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits
– The number of padding bits is in the range 1 to 512
– Padding consists of a single 1-bit followed by the necessary number of 0-bits

MD5 Overview
Append Length:
– A 64-bit length value of the original message is appended to the result of step 1.
– If the original message is longer than 2^64 bits, then only the low-order 64 bits of the length are used.
– Thus the field contains the length of the original message (modulo 2^64).
– The outcome of the first 2 steps yields a message that is an integer multiple of 512 bits in length.
– The expanded message is represented as the sequence of 512-bit blocks Y0, Y1, …, YL-1
– Total length of the expanded message is L x 512 bits

MD5 Overview
Initialize MD buffer:
– A 128-bit buffer is used to hold the intermediate and final results of the hash function.
– The buffer can be represented as four 32-bit registers (A, B, C, D)
– These registers are initialized to the following 32-bit integers:
    A = 67 45 23 01   B = EF CD AB 89   C = 98 BA DC FE   D = 10 32 54 76
– These values are stored in little-endian format:
    word A = 01 23 45 67   word B = 89 AB CD EF   word C = FE DC BA 98   word D = 76 54 32 10

MD5 Overview
Process message in 512-bit (16-word) blocks (Compression Function):
– Using 4 rounds of 16 steps of bit operations on the message block & buffer
– These 4 rounds have similar structures but use different logical functions F, G, H and I
– Each round takes the current 512-bit block (Yq) and the 128-bit buffer value ABCD as input and updates the contents of the buffer.
– Each round also makes use of one fourth of a 64-element table T[1…64] constructed from the sine function.
– The ith element of T, T[i] = integer part of 2^32 x abs(sin(i)) (i is in radians)
– The output of the fourth round is added to the input to the first round (CVq) to produce CVq+1.
– This addition is done using addition modulo 2^32.

MD5 Overview
Output:
– After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.
Behavior of MD5 can be summarized:
    CV0 = IV
    CVq+1 = SUM32[CVq, RFI(Yq, RFH(Yq, RFG(Yq, RFF(Yq, CVq))))]
where
    IV = Initial value of the ABCD buffer
    Yq = qth 512-bit block of the message
    L = No. of blocks in the message
    CVq = Chaining Variable processed with the qth block
    RFx = Round Function using primitive logical function x
    MD = Final message digest
    SUM32 = Addition modulo 2^32

MD5 Compression Function
Each round has 16 steps of the form:
    b = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
where
    a, b, c, d = the 4 words of the buffer
    g = one of the primitive functions F, G, H, I
    <<< s = circular left shift of the 32-bit argument by s bits
    X[k] = M[q x 16 + k] = kth 32-bit word in the qth 512-bit block of the message
    Order of the X[k]: in the first round the words are used in their original order; in rounds 2 to 4 the kth word used in step i is given by
        p2[i] = (1 + 5i) mod 16
        p3[i] = (5 + 3i) mod 16
        p4[i] = 7i mod 16
    T[i] = ith 32-bit word in matrix T
    + = Addition modulo 2^32

MD5 Compression Function
[Figure: one MD5 step operation]

Functions F, G, H and I
Round   Primitive Fn. g   g(b, c, d)
1       F(b,c,d)          (b ∧ c) ∨ (¬b ∧ d)
2       G(b,c,d)          (b ∧ d) ∨ (c ∧ ¬d)
3       H(b,c,d)          b ⊕ c ⊕ d
4       I(b,c,d)          c ⊕ (b ∨ ¬d)

Truth Table of Logical Functions
b c d   F G H I
0 0 0   0 0 0 1
0 0 1   1 0 1 0
0 1 0   0 1 1 0
0 1 1   1 0 0 1
1 0 0   0 0 1 1
1 0 1   0 1 0 1
1 1 0   1 1 0 0
1 1 1   1 1 1 0

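A complete MD5 built from the definitions on the preceding slides, as an added example that is not part of the lecture notes: the padding and 64-bit little-endian length, the A B C D buffer, T[i] from the sine function, F/G/H/I, the X[k] access order p2/p3/p4, the step b = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s) and the final SUM32 with the round input. The per-step shift amounts s are taken from RFC 1321 because the slides do not list them; the result is checked against hashlib.md5.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step left-rotation amounts s (RFC 1321; not listed on the slides).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = integer part of 2^32 * |sin(i)|, i = 1..64 in radians (stored 0-based here).
T = [int(abs(math.sin(i)) * 2 ** 32) & MASK32 for i in range(1, 65)]
# Initial buffer A, B, C, D as 32-bit words (the little-endian view of 67 45 23 01 ... on the slide).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def F(b, c, d): return (b & c) | (~b & d)
def G(b, c, d): return (b & d) | (c & ~d)
def H(b, c, d): return b ^ c ^ d
def I(b, c, d): return (c ^ (b | ~d)) & MASK32

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32

def md5_pad(msg: bytes) -> bytes:
    """Append a 1-bit, 0-bits up to 448 mod 512, then the 64-bit little-endian bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF       # low-order 64 bits only
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)

def word_index(i):
    """Which message word X[k] step i uses: original order, then p2, p3, p4 from the slide."""
    if i < 16: return i
    if i < 32: return (1 + 5 * i) % 16
    if i < 48: return (5 + 3 * i) % 16
    return (7 * i) % 16

def md5(msg: bytes) -> str:
    cv = list(IV)                                        # CV0 = IV
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):                # one 512-bit block Yq per iteration
        X = struct.unpack("<16I", padded[off:off + 64])  # 16 little-endian 32-bit words
        a, b, c, d = cv
        for i in range(64):
            g = (F, G, H, I)[i // 16]                    # rounds 1..4 use F, G, H, I
            tmp = (a + g(b, c, d) + X[word_index(i)] + T[i]) & MASK32
            # b = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s); the other words rotate
            a, d, c, b = d, c, b, (b + rotl(tmp, S[i])) & MASK32
        cv = [(x + y) & MASK32 for x, y in zip(cv, (a, b, c, d))]   # CVq+1 = SUM32[CVq, ...]
    return struct.pack("<4I", *cv).hex()                 # digest = A || B || C || D, little-endian

def matches_hashlib(msg: bytes) -> bool:
    return md5(msg) == hashlib.md5(msg).hexdigest()
```

The padding example on the slide can be checked directly: a 448-bit (56-byte) message becomes 960 bits after padding and 1024 bits once the 64-bit length is appended, i.e. `md5_pad(b"a" * 56)` is 128 bytes long.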
Secure Hash Algorithm
SHA originally designed by NIST & NSA in 1993 and revised in 1995 as SHA-1
US standard for use with the DSA signature scheme
– the standard is FIPS 180-1 1995, also Internet RFC 3174
– nb. the algorithm is SHA, the standard is SHS
Based on the design of MD4 with key differences
Produces 160-bit hash values
Recent 2005 results on the security of SHA-1 have raised concerns on its use in future applications

Revised Secure Hash Standard
NIST issued revision FIPS 180-2 in 2002 and added 3 additional versions of SHA
– SHA-256, SHA-384, SHA-512
Designed for compatibility with the increased security provided by the AES cipher
Structure & detail is similar to SHA-1
Hence analysis should be similar
But security levels are rather higher

SHA-512 Overview
[Figure: overall SHA-512 processing of the padded message]

SHA-512 Overview
Append Padding Bits:
– Pad the message so its length is congruent to 896 mod 1024, i.e. 128 bits less than an integer multiple of 1024 bits
– Padding is always added
– Padding consists of a single 1-bit followed by the necessary number of 0-bits
Append Length:
– A 128-bit length value of the original message is appended to the result of step 1.
– If the original message is longer than 2^128 bits, then only the low-order 128 bits of the length are used.
– Thus the field contains the length of the original message

SHA-512
512-bit message digest (secure against brute force attack)
– Block size: 1024 bits
– Digest broken down into 64-bit words called A – H

Word Expansion in SHA-512
3. Word Expansion:
Block of 16 words expanded to 80 words
– Used by the 80-round compression function

SHA-512 Round Function
[Figure: SHA-512 round function]

Word Expansion in SHA-512
Each word is a function of 4 previous words
– Combined with XOR
– Confusion added with rotation and shifting (not invertible)
RotShift i-j-k combines:
– Right rotation by i bits
– Right rotation by j bits
– Left shift by k bits (adding 0's to the end)
[Figure: word expansion]

SHA-512 Initial Digest
Initializing values of buffers:
– Designed for appearance of randomness
– Created from the first 8 primes (2, 3, 5, 7, 11, 13, 17, 19)
– Take the square root
– Take the first 64 bits of the fractional part
    A 6A09E667F3BCC908
    B BB67AE8584CAA73B
    C 3C6EF372EF94F828
    D A54FE53A5F1D36F1
    E 510E527FADE682D1
    F 9B05688C2B3E6C1F
    G 1F83D9ABFB41BD6B
    H 5BE0CD19137E2179

SHA-512 Compression Function
80 rounds
– Each creates a new intermediate message digest
Final stage is the sum (mod 2^64) of:
– Initial round digest
– Final round digest

SHA-512 Compression Function
Each round i is a function of:
– Previous message digest
– Word Wi
– Round key Ki, created from fractional parts of the square root of the first 80 prime numbers (like the initial message digest values)

SHA-512 Round Function
[Figure: one SHA-512 round]

SHA-512 Round Function
Ch(e,f,g) = (e AND f) XOR (NOT e AND g)
Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)
∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)
∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)
+ = addition modulo 2^64
Kt = a 64-bit additive constant
Wt = a 64-bit word derived from the current 1024-bit input block.

SHA-512 Round Function
[Figure: SHA-512 round function]
Dr. B. Shanthini

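A from-scratch SHA-512 following the slides above (padding with a 128-bit length, 16-to-80 word expansion, the Ch / Maj / ∑ round function, and the final modulo 2^64 addition with the round input), as an added example that is not part of the lecture notes; it is checked against hashlib.sha512. The initial values are derived exactly as the slide says, the first 64 fraction bits of the square roots of the first 8 primes, computed with integer square roots so no floating-point rounding is involved. The round constants Kt in this example are derived from the cube roots of the first 80 primes, which is the FIPS 180-2 definition (the slide says square roots), and the expansion's rotation and shift amounts (1, 8, 7 and 19, 61, 6) are also taken from FIPS 180-2 since the slides do not give them. Messages are assumed to be shorter than 2^64 bits.

```python
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1

def first_primes(n: int) -> list:
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes

def icbrt(n: int) -> int:
    """Integer cube root (floor) by Newton's method; exact, no floating point."""
    x = 1 << ((n.bit_length() + 2) // 3)      # starts above the root, descends to floor
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# H0: first 64 fraction bits of sqrt(p), first 8 primes.  floor(sqrt(p) * 2^64) = isqrt(p * 2^128),
# and reducing mod 2^64 drops the integer part, leaving exactly those fraction bits.
H0 = [math.isqrt(p << 128) & MASK64 for p in first_primes(8)]
# Kt: same idea with cube roots of the first 80 primes (FIPS 180-2 definition, see lead-in).
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]

def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64

def pad(msg: bytes) -> bytes:
    """1-bit, then 0-bits to 896 mod 1024, then the 128-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + struct.pack(">QQ", 0, len(msg) * 8)   # assumes len(msg)*8 < 2^64

def sha512(msg: bytes) -> str:
    H = list(H0)
    padded = pad(msg)
    for off in range(0, len(padded), 128):               # one 1024-bit block per iteration
        W = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):                          # word expansion: 16 -> 80 words
            s0 = rotr(W[t - 15], 1) ^ rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
            s1 = rotr(W[t - 2], 19) ^ rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
            W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, h = H
        for t in range(80):
            sum_e = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)          # ∑(e) from the slide
            ch = (e & f) ^ (~e & g)                                  # Ch(e,f,g)
            t1 = (h + sum_e + ch + K[t] + W[t]) & MASK64
            sum_a = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)          # ∑(a) from the slide
            maj = (a & b) ^ (a & c) ^ (b & c)                        # Maj(a,b,c)
            t2 = (sum_a + maj) & MASK64
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
        # final stage of the block: round output added (mod 2^64) to the round input
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8Q", *H).hex()

def matches_hashlib(msg: bytes) -> bool:
    return sha512(msg) == hashlib.sha512(msg).hexdigest()
```

`H0[0]` comes out as 6A09E667F3BCC908, the value of buffer A on the Initial Digest slide, which confirms the "square root of 2, fractional part" derivation stated there.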
Other Secure Hash Functions

                          SHA-1                 SHA-512          MD5                   RIPEMD-160
Digest length             160 bits              512 bits         128 bits              160 bits
Basic unit of processing  512 bits              1024 bits        512 bits              512 bits
Number of steps           80 (4 rounds of 20)   80               64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size      2^64 - 1 bits         2^128 - 1 bits   ∞                     ∞

HMAC
Uses a MAC derived from a cryptographic hash code, such as SHA-1.
Motivations:
– Cryptographic hash functions execute faster in software than encryption algorithms such as DES
– Library code for cryptographic hash functions is widely available
– No export restrictions from the US

HMAC Overview
HMACK = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
H = hash function
M = message
Yi = ith block of M, 0 ≤ i ≤ L-1
L = no. of blocks in M
b = no. of bits in a block (based on the chosen hash function)
n = length of the hash code
K = secret key
K+ = K padded with zeros on the left so that the length is b bits
ipad = 00110110 (0x36) repeated b/8 times
opad = 01011100 (0x5C) repeated b/8 times

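The HMAC equation above written out as code, as an added example that is not part of the slides: K+ is formed by zero-padding the key to the hash's block size b, the two pads are XORed in, and the inner digest is hashed again under the outer pad. The zero padding is placed after the key bytes, the RFC 2104 layout that the standard library uses, and the block verifies itself against Python's hmac module; keys and messages are constructed.

```python
import hashlib
import hmac

def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], built literally from the slide."""
    h = getattr(hashlib, hash_name)
    b = h().block_size                    # b/8 bytes: 64 for SHA-1 and SHA-256, 128 for SHA-512
    if len(key) > b:                      # RFC 2104: a key longer than a block is hashed first
        key = h(key).digest()
    k_plus = key + b"\x00" * (b - len(key))         # K+ : K zero-padded to b bits
    ipad = bytes(x ^ 0x36 for x in k_plus)          # 0x36 repeated b/8 times, XORed in
    opad = bytes(x ^ 0x5C for x in k_plus)          # 0x5C repeated b/8 times, XORed in
    inner = h(ipad + message).digest()
    return h(opad + inner).digest()

def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute and compare in constant time (no early exit on the first mismatch)."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name), tag)

def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Swapping the hash (the slide's 'easy to replace' advantage) needs no change to the construction."""
    return hmac_from_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```

Nothing in `hmac_from_definition` depends on which hash is plugged in beyond its block size, which is what the next slide means by an existing or updated hash function being usable in HMAC.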
HMAC Advantages
An existing hash function can be implemented in HMAC
Easy to replace with a more secure or updated hash algorithm
HMAC is proven more secure than hash algorithms

HMAC Security
The proved security of HMAC relates to that of the underlying hash algorithm
Attacking HMAC requires either:
– a brute force attack on the key used
– a birthday attack (but since it is keyed, would need to observe a very large number of messages)
Choose the hash function used based on speed versus security constraints

CMAC (Cipher-based MAC)
Hashless MAC
– Uses an encryption algorithm (DES, AES, etc.) to generate the MAC
– Based on the same idea as cipher block chaining
Compresses the result to the size of a single block (unlike encryption)

CMAC Overview
Message broken into N blocks
Each block fed into an encryption algorithm with the key
Result XOR'd with the next block before encryption to make the final MAC

CMAC Facts
Advantages:
– Can use existing encryption functions
– Encryption functions have properties that resist pre-image and collision attacks
    • Ciphertext designed to appear like random noise
    – good approximation of the random oracle model
– Most exhibit a strong avalanche effect: a minor change in the message gives a great change in the resulting MAC
Disadvantage:
– Encryption algorithms (particularly when chained) can be much slower than hash algorithms

Cryptography and Network Security

Dr. B. Shanthini
Prof. & Head, IT Department
St. Peter's College of Engineering & Technology

Unit 3 Outline
Authentication requirement
Authentication functions
MAC
Hash function
Security of hash function and MAC
MD5 and SHA
HMAC and CMAC
Digital signature and authentication protocols
DSS – ElGamal – Schnorr

Authentication Protocols
Used to convince parties of each other's identity and to exchange session keys
May be one-way authentication or mutual authentication
Key issues are
– confidentiality – to protect session keys
– timeliness – to prevent replay attacks

Replay Attacks
Examples of replay attacks:
– simple replay (copies message and replays)
– repetition that can be logged (within time frame)
– repetition that cannot be detected (actual msg suppressed)
– backward replay without modification (to sender)
Countermeasures include
– use of sequence numbers (generally impractical)
– timestamps (needs synchronized clocks)
– challenge/response (using unique nonce)

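The timestamp and nonce countermeasures combined in one receiver-side check, as an added example that is not part of the slides: each message carries a timestamp, a unique nonce and an HMAC over all three fields; the receiver verifies the MAC first, rejects timestamps outside an acceptance window (the synchronized-clock assumption), and rejects any nonce it has already seen inside that window, which is what defeats a simple replay. The window size, key, clock values and nonce are constructed.

```python
import hashlib
import hmac

WINDOW_SECONDS = 120          # constructed tolerance for clock skew plus network delay

class ReplayGuard:
    """Verifies MACed messages and rejects replays with a timestamp window plus nonce memory.
    Assumes the sender's clock is roughly synchronized (the slide's timestamp countermeasure)
    and that nonces are unique per message (the slide's unique-nonce countermeasure)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}          # nonce -> timestamp at which it was first accepted

    @staticmethod
    def _tag(key: bytes, ts: int, nonce: bytes, payload: bytes) -> bytes:
        return hmac.new(key, ts.to_bytes(8, "big") + nonce + payload, hashlib.sha256).digest()

    def seal(self, ts: int, nonce: bytes, payload: bytes) -> bytes:
        """Sender side: message = ts || nonce || payload || MAC (nonce is 16 bytes)."""
        return ts.to_bytes(8, "big") + nonce + payload + self._tag(self.key, ts, nonce, payload)

    def accept(self, msg: bytes, now: int):
        """Receiver side. Returns (accepted, reason); state changes only after every check passes."""
        if len(msg) < 8 + 16 + 32:
            return False, "malformed"
        ts = int.from_bytes(msg[:8], "big")
        nonce, payload, tag = msg[8:24], msg[24:-32], msg[-32:]
        if not hmac.compare_digest(tag, self._tag(self.key, ts, nonce, payload)):
            return False, "bad mac"           # forged or corrupted: checked before anything else
        if abs(now - ts) > WINDOW_SECONDS:
            return False, "stale timestamp"   # an old capture replayed long after the fact
        if nonce in self.seen:
            return False, "replayed nonce"    # the same message delivered twice inside the window
        self.seen[nonce] = ts
        # forget nonces that can no longer pass the timestamp check, so memory stays bounded
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= WINDOW_SECONDS}
        return True, "ok"

def demo():
    guard = ReplayGuard(b"constructed-shared-key")
    nonce = bytes(range(16))                               # constructed; real code uses os.urandom(16)
    msg = guard.seal(ts=1_000_000, nonce=nonce, payload=b"open door 7")
    first = guard.accept(msg, now=1_000_010)               # fresh: accepted
    replay = guard.accept(msg, now=1_000_030)              # same capture again: rejected
    late = guard.accept(msg, now=1_001_000)                # far outside the window: rejected
    tampered = bytearray(msg)
    tampered[-1] ^= 1                                      # one bit of the tag changed
    forged = guard.accept(bytes(tampered), now=1_000_012)
    return first, replay, late, forged
```

The check order matters: the MAC is verified before the timestamp or nonce is trusted, so an attacker cannot use forged timestamps to poison the nonce memory or to probe the window.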
Mutual Authentication Using Symmetric Encryption
A two-level hierarchy of keys is used.
Usually with a trusted Key Distribution Center (KDC)
– each party shares its own master key with the KDC
– the KDC generates session keys used for connections between parties
– master keys are used to distribute the session keys to them

Needham-Schroeder Protocol
Original third-party key distribution protocol
For a session between A and B mediated by the KDC
Protocol overview is:
1. A→KDC : IDA || IDB || N1
2. KDC→A : EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B : EKb[Ks || IDA]
4. B→A : EKs[N2]
5. A→B : EKs[f(N2)]

Needham-Schroeder Protocol
Used to securely distribute a new session key for communications between A & B
But is vulnerable to a replay attack if an old session key has been compromised
– then message 3 can be resent, convincing B that it is communicating with A
Modifications to address this require:
– timestamps
– using an extra nonce

Mutual Authentication Using Public-Key Encryption
Have a range of approaches based on the use of public-key encryption
Need to ensure that they have correct public keys for the other parties
Using a central Authentication Server (AS)
Various protocols exist using timestamps or nonces

Denning AS Protocol
Denning presented the following:
1. A→AS : IDA || IDB
2. AS→A : EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T]
3. A→B : EKRas[IDA || KUa || T] || EKRas[IDB || KUb || T] || EKUb[EKRa[Ks || T]]
Note the session key is chosen by A, hence the AS need not be trusted to protect it
Timestamps prevent replay but require synchronized clocks

One-Way Authentication
Required when sender & receiver are not in communication at the same time (eg. email)
Have the header in clear so it can be delivered by the email system
May want the contents of the body protected & the sender authenticated

Using Symmetric Encryption
Can refine the use of the KDC, but can't have a final exchange of nonces, vis:
1. A→KDC : IDA || IDB || N1
2. KDC→A : EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A→B : EKb[Ks || IDA] || EKs[M]
Does not protect against replays
– could rely on a timestamp in the message, though email delays make this problematic

Public-Key Approaches
Have seen some public-key approaches
If confidentiality is the major concern, can use:
    A→B : EKUb[Ks] || EKs[M]
– has encrypted session key, encrypted message
If authentication is needed, use a digital signature with a digital certificate:
    A→B : M || EKRa[H(M)] || EKRas[T || IDA || KUa]
– with message, signature, certificate

Digital Signatures
Inclusion: A conventional signature (CS) is included in the document; it is part of the document. But when we sign a document digitally (DS), we send the signature as a separate document.
Verification: For a CS, when the recipient receives a document, she compares the signature on the document with the signature on file. For a DS, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

Digital Signatures
Relationship: For a CS, there is normally a one-to-many relationship between a signature and documents. For a DS, there is a one-to-one relationship between a signature and a message.
Duplicity: In CS, a copy of the signed document can be distinguished from the original one on file. In DS, there is no such distinction unless there is a factor of time on the document.

Digital Signature Properties
– It must verify the author and the date and time of the signature
– It must authenticate the contents at the time of the signature
– It must be verifiable by third parties, to resolve disputes

Attacks (C is the attacker, A is the signer):
– Key-only attack: C only knows A's public key
– Known message attack: C is given access to a set of messages and their signatures
– Generic chosen message attack: C chooses a list of messages before attempting to break A's signature scheme, independent of A's public key; C then obtains from A valid signatures for the chosen messages
– Directed chosen message attack: Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A's public key but before any signatures are seen
– Adaptive chosen message attack: C may request from A signatures of messages that depend on previously obtained message-signature pairs

Forgeries
– Total break: C determines A's private key
– Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages
– Selective forgery: C forges a signature for a particular message chosen by C
– Existential forgery: C forges a signature for at least one message; C has no control over the message

Digital Signature Requirements
– The signature must be a bit pattern that depends on the message being signed
– The signature must use some information unique to the sender, to prevent both forgery and denial
– It must be relatively easy to produce the digital signature
– It must be relatively easy to recognize and verify the digital signature
– It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
– It must be practical to retain a copy of the digital signature in storage

ElGamal Cryptosystem
The ElGamal algorithm provides an alternative to RSA for public-key encryption.
Security of RSA depends on the difficulty of factoring large integers.
Security of ElGamal depends on the difficulty of computing discrete logs in a large prime modulus.
ElGamal has the disadvantage that the ciphertext is twice as long as the plaintext.
It has the advantage that the same plaintext gives a different ciphertext (with near certainty) each time it is encrypted.

ElGamal Cryptosystem
[Figures: key generation, encryption and decryption]

ElGamal Example
pA = 11 and αA = 2
Alice computes her key:
– chooses dA = 5 & computes βA = 2^5 mod 11 = 10
– Public Key = (11, 2, 10)
– Private Key = (5)
Bob sends message m = 1 as (9, 1) by
– choosing random k = 6
– computing r = αA^k mod pA = 2^6 mod 11 = 9
– computing t = βA^k . m mod pA = 10^6 . 1 mod 11 = 1
Alice recovers the original message by computing:
– m = t . r^(-dA) mod pA = 1 . 9^(10-5) mod 11 = 1

ElGamal Example
pA = 19 and αA = 10
Alice computes her key:
– chooses dA = 5 & computes βA = 10^5 mod 19 = 3
– Public Key = (19, 10, 3)
– Private Key = (5)
Bob sends message m = 17 as (11, 5) by
– choosing random k = 6
– computing r = αA^k mod pA = 10^6 mod 19 = 11
– computing t = βA^k . m mod pA = 3^6 . 17 mod 19 = 5
Alice recovers the original message by computing:
– m = t . r^(-dA) mod pA = 5 . 11^(18-5) mod 19 = 17

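The two worked examples above run through code, as an added example that is not part of the slides: key generation, encryption with a per-message k, and decryption using r^(-d) = r^(p-1-d) mod p (Fermat, since p is prime). The function names are assumptions; the numbers are the slides' own. A second helper encrypts the same plaintext under two different k values to show the slide's point that the ciphertext changes each time.

```python
def elgamal_keygen(p: int, alpha: int, d: int):
    """Public key (p, alpha, beta) with beta = alpha^d mod p; private key d."""
    return (p, alpha, pow(alpha, d, p)), d

def elgamal_encrypt(pub, m: int, k: int):
    """Ciphertext (r, t): r = alpha^k mod p, t = beta^k * m mod p.
    k must be fresh and secret for every message."""
    p, alpha, beta = pub
    return pow(alpha, k, p), (pow(beta, k, p) * m) % p

def elgamal_decrypt(pub, d: int, ct):
    """m = t * r^(-d) mod p, with r^(-d) computed as r^(p-1-d) mod p."""
    p, _, _ = pub
    r, t = ct
    return (t * pow(r, p - 1 - d, p)) % p

def slide_examples():
    """(p, alpha, d, m, k) for the two slides; returns (public key, ciphertext, recovered m)."""
    out = []
    for p, alpha, d, m, k in [(11, 2, 5, 1, 6), (19, 10, 5, 17, 6)]:
        pub, priv = elgamal_keygen(p, alpha, d)
        ct = elgamal_encrypt(pub, m, k)
        out.append((pub, ct, elgamal_decrypt(pub, priv, ct)))
    return out

def randomized_ciphertexts(pub, m: int, ks):
    """Same plaintext under different k values: different ciphertexts, same decryption."""
    return [elgamal_encrypt(pub, m, k) for k in ks]
```

The `slide_examples` call reproduces the slides exactly: public key (11, 2, 10) with ciphertext (9, 1) decrypting to 1, and public key (19, 10, 3) with ciphertext (11, 5) decrypting to 17.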
Schnorr Digital Signature
Scheme is based on discrete logarithms
Minimizes the message-dependent amount of computation required to generate a signature
– Multiplying a 2N-bit integer with an N-bit integer
Main work can be done during the idle time of the processor
Based on using a prime modulus P, with P – 1 having a prime factor Q of appropriate size
Typically P is a 1024-bit number, and Q is a 160-bit number

Schnorr Digital Signature
Generation of Private-Public Key Pair:
– Choose primes p and q, such that q is a prime factor of p-1.
– Choose an integer a, such that a^q = 1 mod p. (a, p and q are the global public keys and common to all users of a group)
– Choose a random integer s with 0 < s < q. (This 's' is the user's private key)
– Calculate v = a^(-s) mod p. (This 'v' is the user's public key)

Schnorr Digital Signature
Generation of signature with Private-Public Key Pair (s, v):
– Choose a random integer r with 0 < r < q and compute x = a^r mod p.
– Concatenate the message M with x and hash the result to compute the value e = H(M || x)
– Compute y = (r + se) mod q.
The signature consists of the pair (e, y)

Schnorr Digital Signature
Signature verification by any other user:
– Compute x' = a^y v^e mod p.
– Verify that e = H(M || x')
To prove this:
    x' = a^y v^e = a^y a^(-se) = a^(y-se) = a^r = x (mod p)
Hence H(M || x') = H(M || x)

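The three Schnorr slides (parameters and keys, signing, verification) as one runnable example that is not part of the lecture notes. The global parameters are constructed toy values, p = 2039 and q = 1019 with q | p-1, and a = 2^((p-1)/q) mod p, which has order q; real deployments use the 1024-bit p and 160-bit q the slides mention. SHA-256 stands in for the unspecified H, and v is computed as a^(q-s) mod p, which equals a^(-s) because a has order q.

```python
import hashlib

# Constructed toy parameters (p = 2q + 1, both prime); sizes are far too small for real use.
P, Q = 2039, 1019
A = pow(2, (P - 1) // Q, P)          # an element of order q

def check_params(p: int = P, q: int = Q, a: int = A) -> bool:
    """Global parameters are usable when q | p-1 and a^q = 1 mod p with a != 1."""
    return (p - 1) % q == 0 and a != 1 and pow(a, q, p) == 1

def keygen(s: int):
    """Private key s with 0 < s < q; public key v = a^(-s) mod p = a^(q-s) mod p."""
    assert 0 < s < Q
    return s, pow(A, Q - s, P)

def H(message: bytes, x: int) -> int:
    """e = H(M || x) as an integer; SHA-256 is an assumption, the slide leaves H open."""
    return int.from_bytes(hashlib.sha256(message + x.to_bytes(2, "big")).digest(), "big")

def sign(s: int, message: bytes, r: int):
    """r is the per-signature random value with 0 < r < q. Signature = (e, y)."""
    assert 0 < r < Q
    x = pow(A, r, P)                 # the message-independent part, doable during idle time
    e = H(message, x)
    y = (r + s * e) % Q              # the only message-dependent arithmetic
    return e, y

def verify(v: int, message: bytes, sig) -> bool:
    """x' = a^y v^e mod p; accept iff e == H(M || x')."""
    e, y = sig
    x_prime = (pow(A, y, P) * pow(v, e, P)) % P
    return e == H(message, x_prime)

def demo():
    s, v = keygen(777)                                       # constructed private key
    msg = b"pay 10 to carol"
    sig = sign(s, msg, r=345)                                # constructed per-signature r
    return (verify(v, msg, sig),
            verify(v, b"pay 1000 to carol", sig),            # altered message: rejected
            verify(v, msg, (sig[0], (sig[1] + 1) % Q)))      # altered y: rejected
```

Reusing r for two different messages would let anyone solve for s from the two y values, which is why r must be fresh per signature even though its heavy part a^r can be precomputed.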
Cryptography and Network Security

Dr. B. Shanthini
Prof. & Head
St. Peter's College of Engineering & Technology

Unit 4 – Outline
Authentication applications:
– Kerberos
– X.509 Authentication services
Internet Firewalls for Trusted Systems:
– Roles of Firewalls
– Firewall related terminology
– Types of Firewalls
– Firewall designs
– Firewalls design principles
SET for E-Commerce Transactions
Intruder
Intrusion detection system
Virus and related threats
Countermeasures
Trusted systems
Practical implementation of cryptography and security.

Security Concerns
Key concerns are confidentiality and timeliness
To provide confidentiality, must encrypt identification and session key info
Which requires the use of previously shared private or public keys
Need timeliness to prevent replay attacks
Provided by using sequence numbers or timestamps or challenge/response

KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades

KERBEROS
Users wish to access services on servers.
Three threats exist:
– A user pretends to be another user.
– A user alters the network address of a workstation.
– A user eavesdrops on exchanges and uses a replay attack.

Kerberos
Provides a centralized authentication server to authenticate users to servers and servers to users.
Relies on conventional encryption, making no use of public-key encryption
Two versions: version 4 and 5
Version 4 makes use of DES

Kerberos
Motivation: 3 Approaches
– Rely on each individual client to assure the identity of the user and to enforce a security policy based on user identification.
– Require that client systems authenticate themselves to servers
– Require the user to prove his or her identity for each service invoked

Kerberos
Motivation: Requirements
– Secure: An eavesdropper should not be able to obtain the necessary info. to impersonate a user.
– Reliable: Should be highly reliable and should employ a distributed server architecture with one system able to back up another.
– Transparent: The user should not be aware that authentication is taking place beyond the requirement to enter the password.
– Scalable: The system should be capable of supporting large numbers of clients and servers.

Kerberos Version 4
Terms:
– C = Client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS and V
– TS = timestamp
– || = concatenation

A Simple Authentication Dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]

Version 4 Authentication Dialogue
Problems:
– The user would need a new ticket for every different service.
– Since the plaintext transmission of the password is involved, an eavesdropper could capture the password and use any accessible service.
Lifetime associated with the ticket-granting ticket
– If too short → repeatedly asked for password
– If too long → greater opportunity to replay

Ticket Granting Server Scenario
Once Per User Logon Session
1. C → AS: IDC || IDtgs
2. AS → C: E(KC, Tickettgs)
Once Per Type of Service
3. C → TGS: IDC || IDV || Tickettgs
4. TGS → C: TicketV
Once Per Service Session
5. C → V: IDC || TicketV

Tickettgs = E(Ktgs, [IDc || ADc || IDtgs || TS1 || Lifetime1])
TicketV = E(KV, [IDc || ADc || IDV || TS2 || Lifetime2])

Ticket Granting Server Scenario
Problems:
Lifetime associated with the ticket-granting ticket
– If too short → repeatedly asked for password
– If too long → greater opportunity to replay
There may be a requirement for servers to authenticate themselves to users.

Version 4 Authentication Dialogue
Authentication Service Exchange: To obtain Ticket-Granting Ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
Ticket-Granting Service Exchange: To obtain Service-Granting Ticket
(3) C → TGS: IDv || Tickettgs || Authenticatorc
(4) TGS → C: EKc[Kc,v || IDv || TS4 || Ticketv]
Client/Server Authentication Exchange: To Obtain Service
(5) C → V: Ticketv || Authenticatorc
(6) V → C: EKc,v[TS5 + 1]

Overview of Kerberos
[Figure: overview of Kerberos]

Kerberos Exchanges
[Figure: Kerberos exchanges]

Kerberos Realms & Multiple Kerberi
A full-service Kerberos environment, called a Kerberos realm, consists of:
1. Kerberos Server
2. No. of Clients
3. No. of Application Servers

Kerberos Realms & Multiple Kerberi
Application Server Requirements:
– The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server.
– The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
– The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other.

Request for Service in Another Realm
1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request for remote service

Difference Between Version 4 and 5
– Encryption system dependence (V.4 DES)
– Internet protocol dependence
– Message byte ordering
– Ticket lifetime
– Authentication forwarding
– Interrealm authentication

X.509 Authentication Service
Distributed set of servers that maintains a database about users.
Each certificate contains the public key of a user and is signed with the private key of a CA.
Is used in S/MIME, IP Security, SSL/TLS and SET.
The use of RSA is recommended.

X.509 Formats
[Figure: X.509 certificate and CRL formats]

Typical Digital Signature Approach
[Figure: typical digital signature approach]

Obtaining a User's Certificate
Characteristics of certificates generated by a CA:
– Any user with access to the public key of the CA can recover the user public key that was certified.
– No party other than the CA can modify the certificate without this being detected.

X.509 CA Hierarchy
[Figure: CA hierarchy]

Revocation of Certificates
Reasons for revocation:
– The user's secret key is assumed to be compromised.
– The user is no longer certified by this CA.
– The CA's certificate is assumed to be compromised.

Authentication Procedures
[Figure: X.509 authentication procedures]

Firewalls
[Figure: firewall placement]

Need for Firewalls
– Centralized data processing system, with a central mainframe supporting a no. of directly connected terminals
– Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
– Premises network, consisting of a number of LANs, interconnecting PCs, servers, and a mainframe or two
– Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
– Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN

Design Goals of Firewalls
All traffic from inside to outside, and vice versa, must pass through the firewall.
– This is achieved by physically blocking all access to the local network except via the firewall.
Only authorized traffic, as defined by the local security policy, will be allowed to pass.
– Various types of firewalls are used, which implement various types of security policies.
The firewall itself is immune to penetration.
– This implies the use of a hardened system with a secured operating system.

Characteristics of Firewalls
• Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number.
• Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is attempting to access it.
• Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

Capabilities of Firewalls
• A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
• A firewall provides a location for monitoring security-related events, such as auditing and alarms.
• A firewall is a convenient platform for several Internet functions that are not security related, such as a network address translator and network management functions.
• A firewall can serve as the platform for IPSec and virtual private networks.

Limitations of Firewalls
• The firewall cannot protect against attacks that bypass the firewall.
• The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from outside the organization.
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.

Types of Firewalls
1. Packet Filtering Firewall
• A firewall may act as a packet filter.
• It can operate as a positive filter, allowing to pass only packets that meet specific criteria, or as a negative filter, rejecting any packet that meets certain criteria.
• A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
• The firewall is typically configured to filter packets going in both directions.

Packet Filtering Firewall
Filtering rules are based on information in the network packet:
– Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
– Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
– Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number
– IP protocol field: Defines the transport protocol
– Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for

Packet Filtering Firewall
• The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
• If there is a match to one of the rules, that rule is invoked to forward or discard the packet.
• If there is no match to any rule, then a default action is taken.
• Two default policies are possible:
– Default = discard: That which is not expressly permitted is prohibited.
– Default = forward: That which is not expressly prohibited is permitted.


Packet Filtering Firewall

Following table gives some examples of packet


filtering rule sets.
In each set, the rules are applied top to bottom.
The “*” in a field is a wildcard designator that
matches everything.
We assume that the default = discard policy is in
force.
www.BrainKart.com
www.BrainKart.com

Packet Filtering Firewall-Rule Set


A. Inbound mail is allowed, but only to a gateway
host, however, packets from SPIGOT, are blocked
because that host has a history of sending massive
files in e-mail messages.
B. This is an explicit statement of the default policy.
C. This rule set is intended to specify that any
inside host can send mail to the outside.
D. This rule set achieves the intended result that
was not achieved in C.
E. This rule set is one approach to handling FTP
connections.
www.BrainKart.com

Attacks on Packet Filtering Firewall


IP address spoofing: The intruder transmits packets
from the outside with a source IP address field
containing an address of an internal host.

The countermeasure is to discard packets with an
inside source address if the packet arrives on an
external interface.
Source routing attacks: The source station specifies
the route that a packet should take as it crosses the
Internet, that this will bypass security measures that do
not analyze the source routing information.

The countermeasure is to discard all packets that
use this option.
www.BrainKart.com

Attacks on Packet Filtering Firewall


Tiny fragment attacks: The intruder uses the IP
fragmentation option to create extremely small
fragments and force the TCP header information into a
separate packet fragment.

Countermeasure: A tiny fragment attack can be
defeated by enforcing a rule that the first fragment
of a packet must contain a predefined minimum
amount of the transport header. If the first fragment
is rejected, the filter can remember the packet and
discard all subsequent fragments.
www.BrainKart.com
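The top-to-bottom rule matching with the “*” wildcard and default = discard, the anti-spoofing countermeasure and the tiny-fragment check from the slides above, as an added Python example (not code from the lecture notes or from any firewall product). The addresses, the 20-byte minimum and the way rule set A is written out are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Union

# Constructed addressing (not from the slides): the protected LAN is
# 192.168.1.0/24, OUR_GW is its mail gateway and SPIGOT is the outside host
# that rule set A blocks. All three values are placeholders.
INSIDE_PREFIX = "192.168.1."
OUR_GW = "192.168.1.2"
SPIGOT = "203.0.113.5"
MIN_FIRST_FRAGMENT_BYTES = 20   # assumed minimum of transport header in fragment 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    iface: str          # "ext" = arrived from the Internet, "int" = from the LAN


@dataclass(frozen=True)
class Rule:
    action: str         # "forward" or "discard"
    src: str = "*"      # "*" is the wildcard used in the slides' rule sets
    dst: str = "*"
    proto: str = "*"
    dport: Union[int, str] = "*"

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.dst, p.dst),
                  (self.proto, p.proto), (self.dport, p.dport))
        return all(want == "*" or want == have for want, have in fields)


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """Apply the rules top to bottom; the first match wins; otherwise the default policy."""
    # Anti-spoofing countermeasure: an inside source address arriving on the
    # external interface can only be forged, so it is dropped before any rule runs.
    if p.iface == "ext" and p.src.startswith(INSIDE_PREFIX):
        return "discard"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Rule set A from the slides: block SPIGOT, allow SMTP (TCP port 25) only to
# the gateway host, then an explicit statement of default = discard.
RULESET_A = [
    Rule("discard", src=SPIGOT),
    Rule("forward", dst=OUR_GW, proto="tcp", dport=25),
    Rule("discard"),
]


@dataclass(frozen=True)
class Fragment:
    ident: int            # IP identification field shared by all fragments of a datagram
    offset: int           # fragment offset; 0 marks the first fragment
    transport_bytes: int  # bytes of transport header carried in this fragment


class FragmentFilter:
    """Tiny-fragment countermeasure: the first fragment must carry a minimum amount
    of transport header; once it is rejected, every later fragment of the same
    datagram is discarded as well."""

    def __init__(self) -> None:
        self.rejected: Set[int] = set()

    def check(self, f: Fragment) -> str:
        if f.offset == 0:
            if f.transport_bytes < MIN_FIRST_FRAGMENT_BYTES:
                self.rejected.add(f.ident)
                return "discard"
            return "forward"
        return "discard" if f.ident in self.rejected else "forward"
```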

2. Stateful Inspection Firewall
• A packet filtering firewall permits inbound network traffic on all high-numbered ports for TCP-based traffic to occur.
• This creates a vulnerability that can be exploited by unauthorized users.
• A stateful inspection packet firewall tightens up the rules for TCP traffic by creating a directory of currently established outbound TCP connections.
• The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

Stateful Inspection Firewall
• A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections.
• Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend on the sequence number, such as session hijacking.
• Some even inspect limited amounts of application data for some well-known protocols like FTP, IM and SIP commands, in order to identify and track related connections.
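The connection directory described above, with the optional sequence-number tracking, as an added Python example (not from the lecture notes or any product). It places a stateless decision beside the stateful one so the difference on high-numbered ports is visible; the strict "next expected sequence number" check is a simplification (a real implementation accepts anything inside the receive window), and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# (inside address, inside port, outside address, outside port)
Conn = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" leaves the LAN, "in" arrives from the Internet
    syn: bool = False
    fin: bool = False
    rst: bool = False
    seq: int = 0        # TCP sequence number of the first byte in this segment
    length: int = 0     # bytes of payload


def stateless_decision(seg: Segment, allowed_services: Set[int]) -> str:
    """Plain packet filter: inbound traffic to any port above 1023 must be let
    through, because a reply to an outbound connection could arrive there."""
    if seg.direction == "out":
        return "forward"
    return "forward" if seg.dport > 1023 or seg.dport in allowed_services else "discard"


class StatefulInspection:
    def __init__(self, allowed_services: Set[int]) -> None:
        self.allowed_services = allowed_services
        # Directory of outbound connections. The value is the next sequence
        # number expected from the outside peer (None until its SYN is seen).
        self.connections: Dict[Conn, Optional[int]] = {}

    def decide(self, seg: Segment) -> str:
        if seg.direction == "out":
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.syn:
                self.connections[key] = None        # new outbound connection
            elif seg.fin or seg.rst:
                self.connections.pop(key, None)     # inside host closed it
            return "forward"
        # Inbound to a low-numbered port: the static service list decides.
        if seg.dport <= 1023:
            return "forward" if seg.dport in self.allowed_services else "discard"
        # Inbound to a high-numbered port: only if it fits a directory entry.
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # reversed 4-tuple
        if key not in self.connections:
            return "discard"
        expected = self.connections[key]
        if expected is not None and seg.seq != expected:
            # Sequence-number tracking: a segment that does not continue the
            # peer's byte stream (e.g. an injected one) is dropped.
            return "discard"
        # A SYN consumes one sequence number in addition to the payload.
        self.connections[key] = seg.seq + seg.length + (1 if seg.syn else 0)
        if seg.fin or seg.rst:
            del self.connections[key]
        return "forward"
```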

3. Application Level Gateway
• An application-level gateway, also called an application proxy, acts as a relay of application-level traffic.
• The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed.
• When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.

Application Level Gateway
• If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
• Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.

Application Level Gateway
• Application-level gateways tend to be more secure than packet filters.
• Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the TCP and IP level, the application-level gateway need only scrutinize a few allowable applications.
• In addition, it is easy to log and audit all incoming traffic at the application level.

Application Level Gateway
• A prime disadvantage of this type of gateway is the additional processing overhead on each connection.
• In effect, there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions.

4. Circuit Level Gateway
• A fourth type of firewall is the circuit-level gateway or circuit-level proxy.
• This can be a stand-alone system or it can be a specialized function performed by an application-level gateway.
• As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection.
• Rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

Circuit Level Gateway
• Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.
• The security function consists of determining which connections will be allowed.
• A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users.

Circuit Level Gateway
• The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections.
• In this configuration, the gateway can incur the processing overhead of examining incoming application data for forbidden functions but does not incur that overhead on outgoing data.

SET

Secure Electronic Transactions
• An open encryption and security specification.
• Protects credit card transactions on the Internet.
• Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• Set of security protocols and formats.

SET Services
• Provides a secure communication channel in a transaction.
• Provides trust by the use of X.509v3 digital certificates.
• Ensures privacy.

SET Overview
Key Features of SET:
– Confidentiality of information
– Integrity of data
– Cardholder account authentication
– Merchant authentication

SET Participants
• Cardholder: Authorized holder of a payment card that has been issued by an issuer.
• Merchant: Person or organization that has goods or services to sell to the cardholder.
• Issuer: Financial institution (bank) that provides the cardholder with the payment card.
• Acquirer: Financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
• Payment Gateway: Function operated by the acquirer or a designated third party that processes merchant payment messages.
• Certification Authority: An entity that is trusted to issue X.509v3 public key certificates for cardholders, merchants and payment gateways.

Sequence of events for transactions
• The customer opens an account: The customer obtains a credit card account with a bank.
• The customer receives a certificate: After verification, the customer receives an X.509v3 digital certificate. The certificate verifies the customer's RSA public key.
• Merchants have their own certificates: The merchant must possess two certificates for two public keys: one for signing messages and one for key exchange. The merchant also needs the payment gateway's (PG's) public-key certificate.
• The customer places an order: The customer browses the merchant's website to select items and determine the price, then sends a list of the items to be purchased to the merchant, who returns an order form containing the list of items, their prices, the total price and an order number.
• The merchant is verified: In addition to the order form, the merchant sends its certificate, so that the customer can verify that it is dealing with a valid store.

Sequence of events for transactions
• The order and payment are sent: The customer sends the order information (OI) and payment information (PI) to the merchant along with the customer's certificate. The order confirms the purchase and the payment contains the credit card details. The PI is encrypted so that it cannot be read by the merchant. The customer's certificate enables the merchant to verify the customer.
• The merchant requests payment authorization: The merchant sends the PI to the PG, requesting authorization that the customer's available credit is sufficient for this purchase.
• The merchant confirms the order: The merchant sends confirmation of the order to the customer.
• The merchant provides the goods or service: The merchant ships the goods to the customer.
• The merchant requests payment: The request is sent to the PG, which handles all of the payment processing.

Dual Signature
DS = E_KRc[H(H(PI) || H(OI))]
where PI is the payment information, OI the order information, PIMD = H(PI), OIMD = H(OI), KRc the customer's private key and PUc the customer's public key.

Merchant computes: H(PIMD || H(OI)) and D(PUc, DS)
If these two quantities are equal, then the merchant has verified the signature.

Bank computes: H(H(PI) || OIMD) and D(PUc, DS)
If these two quantities are equal, then the bank has verified the signature.
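The dual signature computed and checked exactly as on the slide, as an added Python example (not from the lecture notes or the SET specification). It assumes SHA-256 for H and a toy textbook-RSA key built from two Mersenne primes so it runs without a crypto library; SET itself used SHA-1 with 1024-bit RSA, and a real implementation would use a library signature scheme. The order and payment strings are constructed.

```python
import hashlib


def H(data: bytes) -> bytes:
    """Message digest used throughout; SET used SHA-1, SHA-256 is assumed here."""
    return hashlib.sha256(data).digest()


# Toy cardholder RSA key, constructed for illustration only. The modulus is the
# product of two Mersenne primes (about 150 bits), so only the first 16 bytes
# of a digest are signed; this is NOT a secure signature scheme.
P = (1 << 89) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537                              # public exponent (PUc)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (KRc)


def sign(digest: bytes) -> int:
    """E_KRc: sign (the first 16 bytes of) a digest with the private key."""
    return pow(int.from_bytes(digest[:16], "big"), D, N)


def verify(digest: bytes, signature: int) -> bool:
    """D(PUc, DS) compared against a freshly computed digest."""
    return pow(signature, E, N) == int.from_bytes(digest[:16], "big")


def dual_signature(PI: bytes, OI: bytes) -> int:
    """DS = E_KRc[H(H(PI) || H(OI))]: the customer signs the digest of both digests."""
    return sign(H(H(PI) + H(OI)))


def merchant_verifies(OI: bytes, PIMD: bytes, DS: int) -> bool:
    """The merchant sees OI in full but only PIMD = H(PI), and computes H(PIMD || H(OI))."""
    return verify(H(PIMD + H(OI)), DS)


def bank_verifies(PI: bytes, OIMD: bytes, DS: int) -> bool:
    """The bank sees PI in full but only OIMD = H(OI), and computes H(H(PI) || OIMD)."""
    return verify(H(H(PI) + OIMD), DS)


# Constructed sample order information and payment information.
OI = b"order-no=1001;item=textbook;qty=1;total=55.00"
PI = b"card=4111-XXXX-XXXX-1111;exp=12/30;amount=55.00"


def demo():
    """Return (merchant result, bank result, result for a tampered order)."""
    DS = dual_signature(PI, OI)
    PIMD, OIMD = H(PI), H(OI)
    ok_merchant = merchant_verifies(OI, PIMD, DS)
    ok_bank = bank_verifies(PI, OIMD, DS)
    # Changing the order total breaks the link between OI and PI that DS asserts.
    tampered = merchant_verifies(OI.replace(b"55.00", b"5.00"), PIMD, DS)
    return ok_merchant, ok_bank, tampered


if __name__ == "__main__":
    print(demo())
```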

Payment processing
Purchase Request:
– Initiate Request – customer to merchant
– Initiate Response – merchant's certificate and PG's certificate
– Purchase Request – shown in the next slide
– Purchase Response – acknowledgement
Payment Authorization:
– Authorization Request – merchant to PG
– Authorization Response – PG to the merchant
Payment Capture:
– Capture Request – merchant to PG
– Capture Response – PG to merchant (acquirer)

Payment processing: Cardholder sends Purchase Request

Payment processing: Merchant Verifies Customer Purchase Request

Intruders
Three classes of intruders (hackers or crackers):
– Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account
– Misfeasor: a legitimate user who accesses data, programs or resources for which such access is not authorized
– Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

Intrusion Techniques
• Systems maintain a file that associates a password with each authorized user.
• The password file can be protected with:
– One-way encryption
– Access control

Intrusion Techniques
Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000).
• Collect information about the user's hobbies, family names, birthday, etc.
• Try the user's phone number, social security number, street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse.
• Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (e.g., Ij4Gf4Se%f#).

Virus and related threats

Viruses and Malicious Programs
• Computer “viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “worm”).
• Other “malicious programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Taxonomy of Malicious Programs
Malicious programs
– Need a host program: trapdoors, logic bombs, Trojan horses, viruses
– Independent: bacteria, worms

Definitions
• Bacteria: a program that replicates until it fills all disk space or CPU cycles.
• Worm: a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
• Virus: code that copies itself into other programs.
• Payload: harmful things the malicious program does, after it has had time to spread.

Definitions
• Trojan horse: instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic bomb: malicious code that activates on an event (e.g., a date).
• Trap door (or back door): undocumented entry point written into code for debugging that can allow unwanted users.
• Easter egg: extraneous code that does something “cool”. A way for programmers to show that they control the product.

Virus Phases
• Dormant phase: the virus is idle; it will be activated by some event, such as a date.
• Propagation phase: the virus places an identical copy of itself into other programs.
• Triggering phase: the virus is activated to perform the function for which it was intended.
• Execution phase: the function is performed.

Virus Protection
• Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
• Do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents).
• Avoid the most common operating systems and email programs, if possible.

Virus Structure
Henric Johnson

A Compression Virus

Types of Viruses
• Parasitic virus: attaches itself to executable files as part of their code and replicates. Runs whenever the host program runs.
• Memory-resident virus: lodges in main memory as part of the resident operating system.
• Boot sector virus: infects the boot sector of a disk, and spreads when the operating system boots up (DOS viruses).
• Stealth virus: explicitly designed to hide from virus scanning programs.
• Polymorphic virus: mutates with every new host to prevent signature detection.
• Metamorphic virus: mutates with every infection. The difference is that it rewrites itself completely.

Macro Viruses
• Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
• Platform independent.
• Infect documents, delete files, generate email and edit letters.
• Easily spread; the most common method is email.

Email Viruses
• An email virus sends itself to everyone in the mailing list.
• Does local damage.

Antivirus Approaches
Goals: detection, identification, removal.
• 1st generation, scanners: searched files for any of a library of known virus “signatures”. Checked executable files for length changes.
• 2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
• 3rd generation, activity traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
• 4th generation, full featured: combine the best of the techniques above.

Advanced Antivirus Techniques
Generic Decryption (GD)
– CPU emulator: a software-based virtual computer. Instructions in an executable file are interpreted rather than executed in the processor.
– Virus signature scanner: module that scans the target code looking for known signatures.
– Emulation control module: controls the execution of the target code.

Advanced Antivirus Techniques

Trusted Systems

Trusted Computer Systems
• Information system security is increasingly important.
• Information has varying degrees of sensitivity.
• Subjects (people or programs) have varying rights of access to objects (information).
Hence:
Information system security is the application of managerial and administrative procedures and technical and physical safeguards to ensure not only the confidentiality, integrity and availability of information which is processed by an information system, but also of the information system itself, together with its environment.

Types of Secure Computing Systems
• Dedicated (Single-Level) Systems
– Handle subjects and objects with the same classification
– Rely on other security procedures (e.g. physical)
• System-High
– Only provides need-to-know protection between users
– Entire system operates at the highest classification level
– All users must be cleared for that level of information
• Compartmented
– Variation of System-High which can process two or more types of compartmented information
– Not all users are cleared for all compartments, but all must be cleared to the highest level of information processed

Types of Secure Computing Systems
• Multi-Level Systems
– Validated for handling subjects and objects with different rights and levels of security simultaneously
– Major features of such systems include: user identification and authentication; resource access control and object labelling; audit trails of all security relevant events; external validation of the system's security

Network Security
Dr. B. Shanthini
Professor and Head
St. Peter's College of Engineering & Technology

Unit 5 - Outline
E-mail Security: Security services for e-mail - attacks possible through e-mail - establishing keys - privacy - authentication of the source - message integrity - non-repudiation - Pretty Good Privacy - S/MIME.
IP Security: Overview of IPSec - IP and IPv6 - Authentication Header - ESP - Internet Key Exchange (phases of IKE, ISAKMP/IKE encoding).
Web Security: SSL/TLS basic protocol - computing the keys - client authentication - PKI as deployed by SSL - attacks fixed in v3 - exportability - encoding - Secure Electronic Transaction (SET).

Email Security

Email Security Enhancements
• Confidentiality
– protection from disclosure
• Authentication
– of sender of message
• Message integrity
– protection from modification
• Non-repudiation of origin
– protection from denial by sender

Pretty Good Privacy (PGP)
• Widely used de facto secure email
• Developed by Phil Zimmermann
• Selected best available crypto algorithms to use
• Integrated into a single program
• Available on Unix, PC, Macintosh and other systems
• Originally free, now also has commercial versions available

PGP Operation
Consists of 5 services:
• Authentication
• Confidentiality
• Compression
• E-mail compatibility
• Segmentation

PGP Operation – Authentication
• Sender creates message
• Use SHA-1 to generate 160-bit hash of message
• Hash code is encrypted with RSA using sender's private key, and is attached to message
• Receiver uses RSA with sender's public key to decrypt and recover hash code
• Receiver generates a new hash code for the received message and compares it with the decrypted hash code
• If the two match, the message is accepted

Authentication Only

PGP Operation – Confidentiality
• Sender generates message and 128-bit random number as session key for it
• Encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
• Session key encrypted using RSA with recipient's public key & attached to message
• Receiver uses RSA with private key to decrypt and recover session key
• Session key is used to decrypt message

Confidentiality Only

PGP Operation – Confidentiality & Authentication
• Can use both services on same message
– Create signature & attach to message
– Encrypt both message & signature using CAST-128 (or IDEA or 3DES)
– Session key is encrypted using RSA (or ElGamal)

Confidentiality & Authentication

PGP Operation – Compression
• By default PGP compresses message after signing but before encrypting
– So we can store uncompressed message & signature for later verification
• Uses ZIP compression algorithm

PGP Operation – Email Compatibility
• When using PGP will have binary data to send (encrypted message etc.)
• However email was designed only for text
• Hence PGP must encode raw binary data into printable ASCII characters
• Uses radix-64 algorithm
– maps 3 bytes to 4 printable chars
– also appends a CRC
• PGP also segments messages if too big

E-mail Compatibility
• The scheme used is radix-64 conversion
• The use of radix-64 expands the message by 33%.

PGP Operation – Segmentation & Reassembly
• E-mail facilities are restricted to a maximum length of 50,000 bytes.
• Any message longer than that must be broken into smaller segments
• Segmentation is done after all the processing
• At the receiving end, PGP strips off all e-mail headers and reassembles the entire original block
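The radix-64 conversion with its appended CRC (the e-mail compatibility slides) and the segmentation and reassembly step, as an added Python example (not code from the lecture notes or from PGP). It assumes the CRC-24 that OpenPGP ASCII armor uses (RFC 4880: initial value 0xB704CE, polynomial 0x1864CFB) and a 76-character line length; the sample message is constructed.

```python
import base64
from typing import List

CRC24_INIT = 0xB704CE     # OpenPGP armor CRC parameters (RFC 4880), assumed here
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 over the raw binary data (computed before encoding)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def radix64_encode(data: bytes, line_len: int = 76) -> str:
    """Map every 3 binary bytes to 4 printable characters, wrap, and append the CRC."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    # The checksum line is "=" followed by the radix-64 encoding of the 3 CRC bytes.
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + [check])


def radix64_decode(text: str) -> bytes:
    """Reverse the encoding and refuse data whose CRC line does not match."""
    lines = text.split("\n")
    check, body = lines[-1], "".join(lines[:-1])
    data = base64.b64decode(body)
    if not check.startswith("=") or base64.b64decode(check[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("radix-64 CRC mismatch")
    return data


def expansion_ratio(data: bytes) -> float:
    """Encoded length over input length: about 4/3, i.e. the 33% growth on the slide."""
    return len(base64.b64encode(data)) / len(data)


def segment(armored: str, max_len: int = 50000) -> List[str]:
    """Segmentation happens last, on the fully processed (signed, compressed,
    encrypted, radix-64 encoded) block, so each piece fits the e-mail size limit."""
    return [armored[i:i + max_len] for i in range(0, len(armored), max_len)]


def reassemble(parts: List[str]) -> str:
    """The receiver strips the e-mail headers (not modelled) and joins the pieces."""
    return "".join(parts)
```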

PGP Operation Summary

PGP Message Format

PGP Key Rings
Each PGP user has a pair of key rings:
– public-key ring contains all the public keys of other PGP users known to this user, indexed by key ID
– private-key ring contains the public/private key pair(s) for this user, indexed by key ID

PGP Key Rings

Private Key Ring
• Timestamp: The date/time when this key pair was generated.
• Key ID: The least significant 64 bits of the public key for this entry.
• Public key: The public-key portion of the pair.
• Private key: The private-key portion of the pair; this field is encrypted.
• User ID: Typically, this will be the user's e-mail address (e.g., [email protected]).

Summary of PGP Services
Function               Algorithm Used
Digital Signature      DSS/SHA or RSA/SHA
Message Encryption     CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA
Compression            ZIP
E-mail Compatibility   Radix-64 conversion
Segmentation           -

S/MIME (Secure/Multipurpose Internet Mail Extensions)
• Security enhancement to MIME email
– Original Internet RFC822 email was text only
– MIME provided support for varying content types & multi-part messages with encoding of binary data to textual form
– S/MIME adds security enhancements
• Have S/MIME support in many mail agents
– e.g. MS Outlook, Mozilla, Mac Mail etc.

RFC 822
• Defines the format for the text messages that are sent through e-mail
• In RFC 822, messages have an envelope and contents
• The envelope contains information needed to accomplish transmission and delivery
• The contents compose the object to be delivered to the recipient
• A message contains some header lines followed by unrestricted text
• The header is separated from the body by a blank line
• A header line consists of a keyword, followed by a colon, followed by the keyword's arguments
• Frequently used keywords are From, To, Subject and Date
• Ex. From: “William Stallings” <[email protected]>

MIME (Multipurpose Internet Mail Extensions)
• MIME is an extension of the RFC 822 framework
• Used to address the limitations of SMTP / RFC 822
Limitations of SMTP / RFC 822:
• SMTP cannot send executable files or binary files
• SMTP cannot transmit text data that includes national language characters (8 bits), because SMTP is limited to 7-bit ASCII
• SMTP servers may reject mails over a certain size
• SMTP gateways have translation problems

Limitations of SMTP / RFC 822 (Contd.)
• SMTP gateways to X.400 e-mail networks cannot handle non-textual data
• Some SMTP implementations have the following problems:
– Deletion, addition or reordering of carriage return and linefeed
– Truncating and wrapping lines longer than 76 characters
– Removal of trailing white space (tab & space characters)
– Padding of lines in a message to the same length
– Conversion of tab characters into multiple space characters

MIME Overview
The MIME specification includes the following elements:
• Five new message headers are defined
• A number of content formats are defined
• Transfer encodings are defined

Header fields in MIME
• MIME-Version: Must be “1.0”
• Content-Type: More types being added by developers (application/word)
• Content-Transfer-Encoding: How the message has been encoded
• Content-ID: Used to identify MIME entities uniquely in multiple contexts
• Content-Description: Needed when content is not readable text (e.g. mpeg)

MIME Content Types
Type          Subtype
Text          Plain, Enriched
Multipart     Mixed, Parallel, Alternative, Digest
Message       rfc822, Partial, External-body
Image         jpeg, gif
Video         mpeg
Audio         Basic
Application   PostScript, Octet-stream

MIME Transfer Encodings
7bit               ASCII characters
8bit               Non-ASCII characters may also be present
Binary             Non-ASCII & not short enough for SMTP transport
Quoted-printable   Encoded to ASCII text
Base64             Encodes data by mapping 6 bits to 8 bits which are printable ASCII characters
X-token            A named nonstandard encoding
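Choosing a transfer encoding from the categories in the table above (7bit, 8bit, binary) and applying quoted-printable or base64 so the body survives a 7-bit SMTP path, as an added Python example (not from the lecture notes or any mail agent). The 76-character line limit comes from the SMTP problems listed earlier; the "mostly printable text stays readable under quoted-printable" threshold of 90% is an assumed heuristic, and the sample bodies are constructed.

```python
import base64
import quopri
from typing import Tuple

MAX_SMTP_LINE = 76   # SMTP gateways were noted to truncate or wrap longer lines


def classify(body: bytes) -> str:
    """Name the raw body's category as in the MIME table: 7bit, 8bit or binary."""
    lines = body.split(b"\n")
    short_lines = all(len(line) <= MAX_SMTP_LINE for line in lines)
    if all(b < 0x80 for b in body) and short_lines:
        return "7bit"
    if short_lines:
        return "8bit"            # non-ASCII present, but still line-structured
    return "binary"              # non-ASCII and not short enough for SMTP transport


def choose_encoding(body: bytes) -> str:
    """Pick the Content-Transfer-Encoding that makes the body safe for 7-bit SMTP."""
    kind = classify(body)
    if kind == "7bit":
        return "7bit"            # nothing to do
    # Assumed heuristic: 8-bit text that is at least 90% printable stays
    # human-readable under quoted-printable; anything else gets base64.
    printable = sum(1 for b in body if 0x20 <= b < 0x7F or b in b"\r\n\t")
    if kind == "8bit" and printable / len(body) >= 0.9:
        return "quoted-printable"
    return "base64"


def encode_body(body: bytes) -> Tuple[str, bytes]:
    """Return (Content-Transfer-Encoding value, encoded body)."""
    encoding = choose_encoding(body)
    if encoding == "7bit":
        return encoding, body
    if encoding == "quoted-printable":
        # quopri escapes non-ASCII bytes as =XX and inserts soft breaks at 76 chars
        return encoding, quopri.encodestring(body)
    return encoding, base64.encodebytes(body)   # 76-character lines, ASCII only


def decode_body(encoding: str, data: bytes) -> bytes:
    """Reverse encode_body at the receiving end."""
    if encoding == "7bit":
        return data
    if encoding == "quoted-printable":
        return quopri.decodestring(data)
    return base64.decodebytes(data)
```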

S/MIME Cryptographic Algorithms
• Digital signatures: DSS & RSA
• Hash functions: SHA-1 & MD5
• Session key encryption: ElGamal & RSA
• Message encryption: AES, Triple-DES, RC2/40 and others
• MAC: HMAC with SHA-1
• Has a process to decide which algorithms to use

S/MIME Functions
• Enveloped data
– Encrypted content and associated keys
• Signed data
– Encoded message + signed digest
• Clear-signed data
– Clear text message + encoded signed digest
• Signed & enveloped data
– Nesting of signed & encrypted entities

Enveloped Data
Steps for preparing Enveloped Data:
• Generate a pseudorandom session key for a particular symmetric encryption algorithm (RC2/40 or Triple DES).
• For each recipient, encrypt the session key with the recipient's public RSA key and share it with them.
• For each recipient, prepare a RecipientInfo block that contains an identifier of the recipient's public-key certificate, an identifier of the algorithm used to encrypt the session key and the encrypted session key.
• Encrypt the message content with the session key.

Signed Data
Steps for preparing Signed Data:
• Select a message digest algorithm (SHA or MD5).
• Compute the message digest, or hash, of the content to be signed.
• Encrypt the message digest with the signer's private key.
• Prepare a SignerInfo block that contains the signer's public-key certificate, an identifier of the message digest algorithm, an identifier of the algorithm used to encrypt the message digest and the encrypted message digest.

Clear Signed Data
• Clear signing is achieved using the multipart content type with the signed subtype.
• The signing process does not involve transforming the message to be signed, so the message is sent “in the clear”.
• Thus recipients with MIME capability but not S/MIME capability are able to read the incoming message.

Registration Request
An application or user will apply to a
certification authority for a public-key
certificate.
A Certification Request including
certificationRequestInfo block, an
identifier of the public-key encryption
algorithm, the signature of the
certificationRequestInfo block, a name of
the certificate subject and the user’s public
key is sent using application/pkcs10.
www.BrainKart.com

Certificates-only Message

A message containing only certificates or


certificate revocation list (CRL) can be sent
in response to a registration request.
Message is an application/pkcs7-MIME
type/Subtype with an smime-type parameter
of degenerate.
Steps involved are the same as those for
signedData message, except there is no
message content and the signerInfo field is
empty.
www.BrainKart.com

S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates.
They are managed using a hybrid of a strict X.509 CA hierarchy and PGP's web of trust.
Each client has a list of trusted CA certificates and its own public/private key pairs and certificates.
Certificates must be signed by trusted CAs.

Certificate Authorities
There are several well-known CAs; Verisign is one of the most widely used.
Verisign issues several classes of Digital IDs, with increasing levels of identity checks and hence trust:

Class   Identity checks                  Usage
1       name/e-mail check                web browsing, e-mail
2       + enrollment/address check       e-mail, subscriptions, software validation
3       + identity documents             e-banking, service access

IP Security

Outline
Internetworking and Internet Protocols
IP Security Overview
IP Security Architecture
Authentication Header
Encapsulating Security Payload
Combinations of Security Associations
Key Management

TCP/IP Example (figure)

IPv4 Header (figure)

IPv6 Header (figure)

IP Security Overview
IPSec is not a single protocol.
Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

IP Security Overview
Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security

IP Security Scenario (figure)

IP Security Overview
Benefits of IPSec
– Transparent to applications (it sits below the transport layer, i.e. below TCP and UDP)
– Can provide security for individual users
IPSec can assure that:
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged

IP Security Architecture
IPSec documents:
– RFC 2401: An overview of the security architecture
– RFC 2402: Description of the packet authentication extension (AH) to IPv4 and IPv6
– RFC 2406: Description of the packet encryption extension (ESP) to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities (ISAKMP)
These documents have since been obsoleted by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and IKEv2 (RFC 7296), but the structure described here is unchanged.

IPSec Document Overview (figure)

IPSec Services
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality

IPSec Services (figure)

Security Associations (SA)
A one-way relationship between a sender and a receiver (two-way traffic needs two SAs).
Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination Address
– Security Protocol Identifier (AH or ESP)

SA Parameters
A security association is normally defined by the following parameters:
Sequence Number Counter: A 32-bit value used to
generate the Sequence Number field in AH or ESP
headers
Sequence Counter Overflow: A flag indicating
whether overflow of the Sequence Number Counter
should generate an auditable event and prevent
further transmission of packets on this SA
Anti-Replay Window: Used to determine whether
an inbound AH or ESP packet is a replay
AH Information: Authentication algorithm, keys,
key lifetimes, and related parameters being used
with AH
ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP
Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced with a new SA
IPSec Protocol Mode: Tunnel, transport, or wildcard
Path MTU: Any observed path maximum transmission unit
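The SA parameters above are easiest to understand as the state a receiver keeps per SA. The following is an added illustration, not code from the lecture notes or from any IPSec implementation: a Security Association Database keyed by the identifying triple (SPI, destination address, protocol), a byte-count lifetime, and the sliding anti-replay window from RFC 2401 Appendix C. The class and function names, the 64-packet window and the sample packets are assumptions made for the example.

```python
# Added illustration (not from the lecture notes): inbound SA lookup by the
# (SPI, destination address, protocol) triple, SA lifetime, and the sliding
# anti-replay window of RFC 2401 Appendix C. Names and window size are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: str                      # "AH" or "ESP"
    mode: str = "transport"            # tunnel, transport, or wildcard
    window_size: int = 64              # RFC 2401 requires at least 32; 64 is a common default
    highest_seq: int = 0               # right edge of the window (highest sequence number accepted)
    bitmap: int = 0                    # bit i set => packet (highest_seq - i) already received
    byte_lifetime: Optional[int] = None  # replace the SA after this many bytes
    bytes_processed: int = 0

    def check_replay(self, seq: int) -> bool:
        """Accept or reject an inbound sequence number and update the window.

        A real implementation calls this only after the packet's ICV has verified,
        so that a forged packet cannot advance the window or mark slots as seen.
        """
        if seq == 0:
            return False                     # the first packet on an SA carries sequence number 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq   # new packet to the right of the window: slide it
            if shift >= self.window_size:
                self.bitmap = 1              # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return False                     # left of the window: too old to track, rejected
        if self.bitmap & (1 << diff):
            return False                     # inside the window but already received: replay
        self.bitmap |= 1 << diff             # inside the window and new: mark it and accept
        return True

    def expired(self) -> bool:
        return self.byte_lifetime is not None and self.bytes_processed >= self.byte_lifetime


class SADB:
    """Security Association Database: one-way SAs selected by the identifying triple."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi: int, dst: str, protocol: str) -> Optional[SecurityAssociation]:
        return self._table.get((spi, dst, protocol))


def process_inbound(sadb: SADB, spi: int, dst: str, protocol: str, seq: int, length: int) -> str:
    """Return "ok", "no-sa", "expired" or "replay" for a (constructed) inbound packet."""
    sa = sadb.lookup(spi, dst, protocol)
    if sa is None:
        return "no-sa"            # RFC 2401: discard the packet and log an auditable event
    if sa.expired():
        return "expired"          # lifetime reached: the SA must be replaced (e.g. via IKE)
    if not sa.check_replay(seq):
        return "replay"
    sa.bytes_processed += length
    return "ok"


if __name__ == "__main__":
    db = SADB()
    db.add(SecurityAssociation(spi=0x1001, dst="10.0.0.2", protocol="ESP", byte_lifetime=100_000))
    for seq in (1, 2, 2, 5, 3, 1000, 900):
        print(seq, process_inbound(db, 0x1001, "10.0.0.2", "ESP", seq, 1400))
```

Note that the window only bounds how far out of order packets may arrive; it does not stop a packet that is replayed inside the window before the original arrives. That is why the sequence number must be covered by the ICV and why, as the parameter list says, counter overflow on an SA with anti-replay enabled must be an auditable event that stops transmission rather than a silent wrap.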

Transport Mode
• Transport mode provides protection primarily for upper-layer protocols. Examples include a TCP or UDP segment or an ICMP packet, all of which operate directly above IP in a host protocol stack.
• It is used for end-to-end communication between two hosts.
• When a host runs AH or ESP over IPv4, the payload is the data that normally follows the IP header. For IPv6, the payload is the data that normally follows both the IP header and any IPv6 extension headers that are present, with the possible exception of the destination options header.
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header.
• AH in transport mode authenticates the IP payload and selected (immutable or predictable) portions of the IP header.

Tunnel Mode
• Tunnel mode provides protection to the entire IP packet.
• To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header.
• The entire original, or inner, packet travels through a "tunnel" from one point of an IP network to another.
• Because the original packet is encapsulated, the new, larger packet may have totally different source and destination addresses; with ESP this hides the inner addresses from observers on the path, which is the "limited traffic flow confidentiality" service listed earlier.
• Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.

                      Transport Mode SA                               Tunnel Mode SA
AH                    Authenticates IP payload and selected           Authenticates entire inner IP packet
                      portions of IP header and IPv6                  (inner header plus IP payload) plus
                      extension headers                               selected portions of outer IP header

ESP                   Encrypts IP payload and any IPv6                Encrypts inner IP packet
                      extension headers following the ESP
                      header

ESP with              Encrypts IP payload and any IPv6                Encrypts inner IP packet.
authentication        extension headers following the ESP             Authenticates inner IP packet.
                      header. Authenticates IP payload but
                      not IP header

Before applying AH (figure)

Transport Mode (AH Authentication) (figure)

Tunnel Mode (AH Authentication) (figure)

Authentication Header
Provides support for data integrity and authentication of IP packets by means of a MAC (an ICV computed with, e.g., HMAC-SHA-1-96) placed in the AH header.
Guards against replay attacks through the AH sequence number field and the receiver's anti-replay window.
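To make the "selected portions of the IP header" concrete, here is an added example, written for these notes and not taken from any IPSec implementation, of AH in transport mode over IPv4 with HMAC-SHA-1-96 (RFC 2402). The mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) are zeroed before the ICV is computed, so a router hop that decrements TTL leaves the ICV valid, while a change to the payload or to an immutable field such as the source address does not. The key, addresses and payload are constructed for the example.

```python
# Added example (not from the lecture notes): AH in transport mode over IPv4 with
# HMAC-SHA-1-96 as in RFC 2402. Mutable header fields are zeroed for the ICV so a
# TTL decrement survives verification, while payload or address changes do not.
# The key, addresses and payload below are constructed for the example.
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number for AH
ICV_LEN = 12         # HMAC-SHA-1-96 truncates the 20-byte tag to 96 bits
AH_FIXED_LEN = 12    # next header (1) + payload len (1) + reserved (2) + SPI (4) + seq (4)


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Mutable IPv4 fields are unpredictable at the receiver and are excluded from the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\0\0"        # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\0\0"      # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_wo_icv: bytes, payload: bytes) -> bytes:
    # Authenticated data: predictable IP header + AH header with ICV zeroed + payload
    data = zero_mutable(ip_hdr) + ah_wo_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: bytes, dst: bytes, next_header: int, payload: bytes,
               spi: int, seq: int, ttl: int = 64) -> bytes:
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_wo_icv = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, AH_FIXED_LEN + ICV_LEN + len(payload), ttl)
    return ip_hdr + ah_wo_icv + ah_icv(key, ip_hdr, ah_wo_icv, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV over the received packet and compare in constant time."""
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or packet[9] != AH_PROTO:
        return False
    ip_hdr = packet[:20]
    ah_wo_icv = packet[20:20 + AH_FIXED_LEN]
    icv = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    payload = packet[20 + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_wo_icv, payload))


def forward_hop(packet: bytes) -> bytes:
    """Simulate a router: decrement TTL and recompute the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    key = b"\x0b" * 20                                   # constructed AH key
    pkt = ah_protect(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, b"constructed TCP segment", 0x1000, 1)
    print("as sent       :", ah_verify(key, pkt))
    print("after one hop :", ah_verify(key, forward_hop(pkt)))
    print("payload edited:", ah_verify(key, pkt[:-1] + bytes([pkt[-1] ^ 1])))
```

The same ICV rule is what makes AH incompatible with NAT: a NAT box rewrites the source or destination address, which is an immutable field, so the receiver's recomputed ICV no longer matches. ESP with authentication covers only the ESP header and payload and therefore survives address translation.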

End-to-end versus End-to-Intermediate Authentication (figure)

Encapsulating Security Payload
ESP provides confidentiality services and, optionally, the same data origin authentication and integrity service as AH ("ESP with authentication" in the table above).

Encryption and Authentication Algorithms
Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96

ESP Encryption and Authentication (figures: transport mode and tunnel mode)

Combinations of Security Associations (figures)

Key Management
Two types:
– Manual
– Automated:
  – Oakley Key Determination Protocol
  – Internet Security Association and Key Management Protocol (ISAKMP)

WEB Security

Outline
Web Security Considerations
Secure Socket Layer (SSL) and Transport Layer Security (TLS)
Secure Electronic Transaction (SET)

Web Security Considerations
The Web is very visible, so a compromised server is quickly noticed and reputationally costly.
Complex software hides many security flaws.
Web servers are easy to configure and manage, which lets people with little security training deploy them.
Users are not aware of the risks.

Security facilities in the TCP/IP protocol stack (figure)

SSL and TLS
SSL was originated by Netscape.
The TLS working group was formed within the IETF.
The first version of TLS can be viewed as SSLv3.1.

SSL Architecture (figure)

SSL Record Protocol Operation (figure)

SSL Record Format (figure)

SSL Record Protocol Payload (figure)

Handshake Protocol
The most complex part of SSL.
Allows the server and client to authenticate each other.
Negotiates the encryption algorithm, MAC algorithm and cryptographic keys.
Used before any application data are transmitted.

Handshake Protocol Action (figure)

Message Types

Code   Description
0      HelloRequest
1      ClientHello
2      ServerHello
11     Certificate
12     ServerKeyExchange
13     CertificateRequest
14     ServerHelloDone
15     CertificateVerify
16     ClientKeyExchange
20     Finished

Alert level types

Code   Level type   Connection state
1      warning      connection or security may be unstable.
2      fatal        connection or security may be compromised, or an unrecoverable error has occurred.

A fatal alert terminates the connection immediately, and the session ID is invalidated so the session cannot be resumed.
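The two tables above are exactly what a record-layer parser needs. The following is an added example written for these notes, not code from any SSL/TLS library: it splits records off a byte stream using the 5-byte record header (content type, version, length), walks the handshake messages inside a handshake record (1-byte type, 3-byte length, body) using the message type codes, and decodes alerts using the level codes. The ClientHello and ServerHello bytes are constructed for the example, and the helper names are assumptions.

```python
# Added example (not from the lecture notes): parsing SSL/TLS records, the handshake
# messages they carry, and alerts, using the type codes from the tables above.
# The sample ClientHello/ServerHello bytes are constructed for this example.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {
    0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_RECORD_LEN = 2 ** 14 + 2048   # plaintext fragment <= 2^14; ciphertext may grow by <= 2048 (RFC 2246)


def parse_record(buf: bytes):
    """Split one record off the front of buf: (content type, version, fragment, remainder)."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if length > MAX_RECORD_LEN:
        raise ValueError("record length %d exceeds maximum" % length)   # length must be bounded before use
    if len(buf) < 5 + length:
        raise ValueError("truncated fragment")
    return CONTENT_TYPES[ctype], (major, minor), buf[5:5 + length], buf[5 + length:]


def parse_handshake(fragment: bytes):
    """One handshake record may carry several messages: 1-byte type, 3-byte length, body."""
    messages = []
    while fragment:
        if len(fragment) < 4:
            raise ValueError("truncated handshake header")
        htype, hlen = fragment[0], int.from_bytes(fragment[1:4], "big")
        body = fragment[4:4 + hlen]
        if len(body) != hlen:
            raise ValueError("truncated handshake body")
        messages.append((HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype), body))
        fragment = fragment[4 + hlen:]
    return messages


def parse_alert(fragment: bytes):
    """Alerts are exactly two bytes: level (1 warning / 2 fatal) and a description code."""
    if len(fragment) != 2:
        raise ValueError("alert must be 2 bytes")
    return ALERT_LEVELS.get(fragment[0], "unknown(%d)" % fragment[0]), fragment[1]


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_record(buf)
        return True
    except ValueError:
        return False


def build_record(ctype: int, version, fragment: bytes) -> bytes:
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


def build_handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def sample_client_hello() -> bytes:
    """Constructed TLS 1.0 ClientHello: client_version, 32-byte random, empty session id,
    one cipher suite (0x002F = TLS_RSA_WITH_AES_128_CBC_SHA), null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    return build_record(22, (3, 1), build_handshake(1, body))


def sample_server_flight() -> bytes:
    """Constructed ServerHello and ServerHelloDone coalesced into a single record."""
    server_hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    return build_record(22, (3, 1), build_handshake(2, server_hello) + build_handshake(14, b""))


if __name__ == "__main__":
    for rec in (sample_client_hello(), sample_server_flight(), build_record(21, (3, 1), b"\x02\x28")):
        ctype, version, fragment, _ = parse_record(rec)
        detail = parse_handshake(fragment) if ctype == "handshake" else parse_alert(fragment)
        print(ctype, version, detail)
```

The length checks are the security-relevant part: a record layer that trusts the declared length without bounding it against the specification's maximum, or that assumes one handshake message per record, is the kind of parser that historically produced memory-safety and state-machine bugs in TLS stacks.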

Transport Layer Security
Uses the same record format as the SSL record format.
Defined in RFC 2246 (TLS 1.0). Later versions are TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446); SSLv3 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are now deprecated and should not be enabled.
Similar to SSLv3, with differences in the:
– version number
– message authentication code
– pseudorandom function
– alert codes
– cipher suites
– client certificate types
– certificate_verify and finished messages
– cryptographic computations
– padding
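The "message authentication code" difference is worth seeing in bytes. This is an added example written for these notes, not code from any SSL/TLS library: SSLv3 (RFC 6101, section 5.2.3.1) computes hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment)) with fixed pad lengths, while TLS 1.0 (RFC 2246, section 6.2.3.1) uses a standard HMAC and additionally covers the protocol version. The secret, sequence numbers and fragment are constructed, and the function names are assumptions.

```python
# Added example (not from the lecture notes): the SSLv3 record MAC versus the TLS 1.0
# record HMAC, one of the listed differences. Secret and fragments are constructed.
import hashlib
import hmac
import struct

SSL3_PAD_LEN = {"md5": 48, "sha1": 40}   # pad_1/pad_2 lengths fixed by the SSLv3 spec


def sslv3_mac(secret: bytes, seq_num: int, content_type: int, fragment: bytes,
              hash_name: str = "sha1") -> bytes:
    """hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment))"""
    h = getattr(hashlib, hash_name)
    n = SSL3_PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))   # no version field
    inner = h(secret + b"\x36" * n + header + fragment).digest()
    return h(secret + b"\x5c" * n + inner).digest()


def tls10_mac(secret: bytes, seq_num: int, content_type: int, version, fragment: bytes,
              hash_name: str = "sha1") -> bytes:
    """HMAC_hash(secret, seq_num + type + version + length + fragment)"""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(secret, header + fragment, getattr(hashlib, hash_name)).digest()


def tls10_verify(secret: bytes, seq_num: int, content_type: int, version,
                 fragment: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag, tls10_mac(secret, seq_num, content_type, version, fragment))


def tls10_protect_record(secret: bytes, seq_num: int, content_type: int, version,
                         fragment: bytes) -> bytes:
    """Record-layer order: fragment -> (compress) -> append MAC -> encrypt.
    Encryption is left out; the result is what the cipher would then process."""
    return fragment + tls10_mac(secret, seq_num, content_type, version, fragment)


def tls10_unprotect_record(secret: bytes, seq_num: int, content_type: int, version,
                           data: bytes, mac_len: int = 20) -> bytes:
    """Strip and check the MAC; a mismatch is a fatal bad_record_mac alert in TLS."""
    fragment, tag = data[:-mac_len], data[-mac_len:]
    if not tls10_verify(secret, seq_num, content_type, version, fragment, tag):
        raise ValueError("bad_record_mac")
    return fragment


if __name__ == "__main__":
    secret = b"\x07" * 20                       # constructed MAC write secret
    frag = b"constructed application data"
    print("SSLv3 :", sslv3_mac(secret, 0, 23, frag).hex())
    print("TLS1.0:", tls10_mac(secret, 0, 23, (3, 1), frag).hex())
```

The implicit 64-bit sequence number in both constructions is what ties a record to its position in the stream: the same fragment at a different sequence number yields a different tag, so a replayed or reordered record fails verification without the sequence number ever appearing on the wire.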
