it1352 cryptography & nw sec.pdf

Upload: velkarthi92

Post on 14-Apr-2018


• 7/27/2019 IT1352 cryptography & NW sec.pdf 1/72 http://csetube.tk/

IT1352 CRYPTOGRAPHY AND NETWORK SECURITY - TWO MARKS QUESTIONS AND ANSWERS

Private-Key Cryptography
• traditional private/secret/single key cryptography uses one key shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal, hence does not protect sender from receiver forging a message & claiming it is sent by sender

Public-Key Cryptography
• probably most significant advance in the 3000 year history of cryptography
• uses two keys: a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto

Why Public-Key Cryptography?
• developed to address two key issues:
• key distribution: how to have secure communications in general without having to trust a KDC with your key
• digital signatures: how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
• known earlier in classified community

Public-Key Cryptography
• public-key/two-key/asymmetric cryptography involves the use of two keys:
• a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
• a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

    http://csetube.weebly.com/


Public-Key Characteristics
• Public-Key algorithms rely on two keys where:
• it is computationally infeasible to find the decryption key knowing only the algorithm & encryption key
• it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
• either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

Public-Key Applications
• can classify uses into 3 categories:
• encryption/decryption (provide secrecy)
• digital signatures (provide authentication)
• key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to one

Security of Public Key Schemes
• like private key schemes, brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512 bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, but is made hard enough to be impractical to break
• requires the use of very large numbers
• hence is slow compared to private key schemes


RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
• nb. exponentiation takes O((log n)^3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
• nb. factorization takes O(e^(log n log log n)) operations (hard)

RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random: p, q
• computing their system modulus n = p.q
• note φ(n) = (p-1)(q-1)
• selecting at random the encryption key e
• where 1


1. Select primes: p=17 & q=11
2. Compute n = pq = 17 x 11 = 187
3. Compute φ(n) = (p-1)(q-1) = 16 x 10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: d.e ≡ 1 mod 160 and d < 160. Value is d=23 since 23 x 7 = 161 = 1 x 160 + 1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

RSA Example - En/Decryption
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88


• also see choices of e=3 or e=17
• but if e too small (eg e=3) can attack using Chinese remainder theorem & 3 messages with different moduli
• if e fixed must ensure gcd(e,φ(n))=1, ie reject any p or q not relatively prime to e

Efficient Decryption
• decryption uses exponentiation to power d
• this is likely large, insecure if not
• can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
• approx 4 times faster than doing directly
• only owner of private key who knows values of p & q can use this technique

RSA Key Generation
• users of RSA must:
• determine two primes at random: p, q
• select either e or d and compute the other
• primes p, q must not be easily derived from modulus n = p.q
• means must be sufficiently large
• typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other

RSA Security
• possible approaches to attacking RSA are:
• brute force key search (infeasible given size of numbers)
• mathematical attacks (based on difficulty of computing φ(n), by factoring modulus n)
• timing attacks (on running of decryption)
• chosen ciphertext attacks (given properties of RSA)

Factoring Problem
• mathematical approach takes 3 forms:
• factor n = p.q, hence compute φ(n) and then d
• determine φ(n) directly and compute d
• find d directly
• currently believe all equivalent to factoring
• have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663 bit) with LS
• biggest improvement comes from improved algorithm
• cf QS to GNFS to LS
• currently assume 1024-2048 bit RSA is secure
• ensure p, q of similar size and matching other constraints


Timing Attacks
• developed by Paul Kocher in mid-1990s
• exploit timing variations in operations
• eg. multiplying by small vs large number, or IFs varying which instructions are executed
• infer operand size based on time taken
• RSA exploits time taken in exponentiation
• countermeasures:
• use constant exponentiation time
• add random delays
• blind values used in calculations
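The RSA Key Setup, the worked example (p=17, q=11, e=7, M=88), the CRT shortcut from Efficient Decryption and the blinding countermeasure just listed, carried through in Python. This is an added example, not code from the notes; the function names are this example's own, and the 187-bit-free toy modulus is only there so the notes' numbers can be checked by hand.

```python
# Added example (not from the lecture notes): RSA with the notes' toy values
# p=17, q=11, e=7 (so n=187, d=23), encryption of M=88, plain and CRT decryption,
# and the blinding countermeasure mentioned under Timing Attacks.
from math import gcd
import secrets


def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n)); e must be relatively prime to φ(n) = (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod φ(n) (extended Euclid)
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)              # C = M^e mod n


def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)              # M = C^d mod n


def rsa_decrypt_crt(p, q, d, c):
    """CRT decryption: exponentiate mod p and mod q with the smaller exponents
    d mod (p-1) and d mod (q-1), then recombine. Only the key owner, who knows
    p and q, can do this; it is the ~4x speed-up the notes refer to."""
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)
    h = (pow(q, -1, p) * (m_p - m_q)) % p
    return m_q + h * q


def rsa_decrypt_blinded(priv, pub, c):
    """Blinding countermeasure against timing attacks: the private exponentiation
    is applied to r^e * c for a fresh random r, so its timing does not depend on
    the attacker-chosen c; the result is unblinded by multiplying with r^-1."""
    d, n = priv
    e, _ = pub
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    blinded = (pow(r, e, n) * c) % n
    return (pow(blinded, d, n) * pow(r, -1, n)) % n


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)          # ((7, 187), (23, 187))
    c = rsa_encrypt(pub, 88)                    # 11
    print(pub, priv, c, rsa_decrypt(priv, c), rsa_decrypt_crt(17, 11, 23, c))
```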

Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• attacker chooses ciphertexts & gets decrypted plaintext back
• chooses ciphertext to exploit properties of RSA to provide info to help cryptanalysis
• can counter with random pad of plaintext
• or use Optimal Asymmetric Encryption Padding (OAEP)

Key Management
• public-key encryption helps address key distribution problems
• have two aspects of this:
• distribution of public keys
• use of public-key encryption to distribute secret keys

Distribution of Public Keys
• can be considered as using one of:
• public announcement
• publicly available directory
• public-key authority
• public-key certificates

Public Announcement
• users distribute public keys to recipients or broadcast to community at large
• eg. append PGP keys to email messages or post to news groups or email list
• major weakness is forgery
• anyone can create a key claiming to be someone else and broadcast it
• until forgery is discovered can masquerade as claimed user

Publicly Available Directory


• can obtain greater security by registering keys with a public directory
• directory must be trusted with properties:
• contains {name, public-key} entries
• participants register securely with directory
• participants can replace key at any time
• directory is periodically published
• directory can be accessed electronically
• still vulnerable to tampering or forgery

Public-Key Authority
• improve security by tightening control over distribution of keys from directory
• has properties of directory
• and requires users to know public key for the directory
• then users interact with directory to obtain any desired public key securely
• does require real-time access to directory when keys are needed

Public-Key Authority

Public-Key Certificates
• certificates allow key exchange without real-time access to public-key authority
• a certificate binds identity to public key
• usually with other info such as period of validity, rights of use etc
• with all contents signed by a trusted Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the public-key authority's public-key


Public-Key Distribution of Secret Keys
• use previous methods to obtain public-key
• can use for secrecy or authentication
• but public-key algorithms are slow
• so usually want to use private-key encryption to protect message contents
• hence need a session key
• have several alternatives for negotiating a suitable session

Simple Secret Key Distribution
• proposed by Merkle in 1979
• A generates a new temporary public key pair
• A sends B the public key and their identity
• B generates a session key K, sends it to A encrypted using the supplied public key
• A decrypts the session key and both use
• problem is that an opponent can intercept and impersonate both halves of protocol

Public-Key Distribution of Secret Keys


Hybrid Key Distribution
• retain use of private-key KDC
• shares secret master key with each user
• distributes session key using master key
• public-key used to distribute master keys
• especially useful with widely distributed users
• rationale: performance, backward compatibility

Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
• note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products
• a public-key distribution scheme
• cannot be used to exchange an arbitrary message
• rather it can establish a common key
• known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial): easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring): hard

Diffie-Hellman Setup
• all users agree on global parameters:
• large prime integer or polynomial q


• a being a primitive root mod q
• each user (eg. A) generates their key
• chooses a secret key (number): x_A < q
• computes their public key: y_A = a^(x_A) mod q
• each user makes public that key y_A

Diffie-Hellman Key Exchange
• shared session key for users A & B is K_AB:
• K_AB = a^(x_A.x_B) mod q
•  = y_A^(x_B) mod q (which B can compute)
•  = y_B^(x_A) mod q (which A can compute)
• K_AB is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an x, must solve discrete log

Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys: A chooses x_A=97, B chooses x_B=233
• compute respective public keys: y_A = 3^97 mod 353 = 40 (Alice); y_B = 3^233 mod 353 = 248 (Bob)
• compute shared session key as: K_AB = y_B^(x_A) mod 353 = 248^97 mod 353 = 160 (Alice); K_AB = y_A^(x_B) mod 353 = 40^233 mod 353 = 160 (Bob)
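The exchange above run in Python with the notes' parameters q=353, a=3, x_A=97, x_B=233, as an added example that is not part of the notes. The check that a is a primitive root mod q and the range check on a received public value are additions a practitioner would make before using the key; the function names are this example's own.

```python
# Added example (not from the lecture notes): Diffie-Hellman key exchange over the
# notes' parameters q=353, a=3, x_A=97, x_B=233, with two practitioner checks:
# that a really is a primitive root mod q, and that a received public value is
# in the valid range before it is raised to the private exponent.


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, r = set(), 2
    while r * r <= n:
        while n % r == 0:
            factors.add(r)
            n //= r
        r += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a, q):
    """a generates all of Z_q^* iff a^((q-1)/r) != 1 mod q for every prime r dividing q-1."""
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def validate_public(y, q):
    """Reject the degenerate values 0, 1 and q-1, which would force a trivial shared key."""
    return 1 < y < q - 1


def dh_public(a, q, x):
    return pow(a, x, q)              # y = a^x mod q


def dh_shared(y_other, x_own, q):
    if not validate_public(y_other, q):
        raise ValueError("invalid public value")
    return pow(y_other, x_own, q)    # K = y_other^x_own mod q


def dh_exchange(q, a, x_a, x_b):
    """Run both sides; returns (y_A, y_B, K as Alice computes it, K as Bob computes it)."""
    if not is_primitive_root(a, q):
        raise ValueError("a is not a primitive root mod q")
    y_a, y_b = dh_public(a, q, x_a), dh_public(a, q, x_b)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)


if __name__ == "__main__":
    print(dh_exchange(353, 3, 97, 233))  # (40, 248, 160, 160)
```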

Key Exchange Protocols
• users could create random private/public D-H keys each time they communicate
• users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
• both of these are vulnerable to a meet-in-the-Middle Attack
• authentication of the keys is needed

Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes


• newer, but not as well analysed

Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of form y^2 = x^3 + ax + b where x, y, a, b are all real numbers
• also define zero point O
• have addition operation for elliptic curve
• geometrically sum of Q+R is reflection of intersection R

Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• have two families commonly used:
• prime curves E_p(a,b) defined over Z_p: use integers modulo a prime, best in software
• binary curves E_2^m(a,b) defined over GF(2^n): use polynomials with binary coefficients, best in hardware

Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need hard problem equiv to discrete log
• Q = kP, where Q, P belong to a prime curve
• is easy to compute Q given k, P
• but hard to find k given Q, P
• known as the elliptic curve logarithm problem
• Certicom example: E23(9,17)

ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve E_p(a,b)
• select base point G=(x1,y1) with large order n s.t. nG = O
• A & B select private keys nA


• same since K = nA.nB.G
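An added example (not code from the notes) of the point addition, the repeated addition Q = kP and the ECC Diffie-Hellman exchange from the Elliptic Curve Cryptography and ECC Diffie-Hellman bullets, on the notes' Certicom curve E23(9,17). The base point G = (16, 5), the private keys and the function names are this example's own assumptions.

```python
# Added example (not from the lecture notes): arithmetic on the prime curve
# E_p(a,b): y^2 = x^3 + ax + b (mod p), repeated addition Q = kP, and an ECC
# Diffie-Hellman exchange. The curve is the notes' Certicom example E23(9,17);
# the base point G = (16, 5), the private keys and the function names are
# this example's own choices.

O = None  # the zero point (point at infinity)


def on_curve(P, a, b, p):
    """True if P satisfies y^2 = x^3 + ax + b mod p (O counts as on the curve)."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def point_add(P, Q, a, p):
    """Chord-and-tangent addition; the division in the slope becomes a modular inverse."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                   # P + (-P) = O (also 2P when y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, P, a, p):
    """Q = kP by double-and-add, the curve analog of modular exponentiation."""
    R = O
    while k > 0:
        if k & 1:
            R = point_add(R, P, a, p)
        P = point_add(P, P, a, p)
        k >>= 1
    return R


def ecdh(a, b, p, G, n_a, n_b):
    """Each side publishes P = nG; both then compute K = n_A(n_B G) = n_B(n_A G).
    Received points are checked to be on the curve before they are multiplied."""
    if not on_curve(G, a, b, p):
        raise ValueError("base point is not on the curve")
    P_a = scalar_mult(n_a, G, a, p)
    P_b = scalar_mult(n_b, G, a, p)
    for received in (P_a, P_b):
        if received is O or not on_curve(received, a, b, p):
            raise ValueError("received public point is invalid")
    return P_a, P_b, scalar_mult(n_a, P_b, a, p), scalar_mult(n_b, P_a, a, p)


if __name__ == "__main__":
    G = (16, 5)
    print(scalar_mult(2, G, 9, 23), scalar_mult(9, G, 9, 23))  # (20, 20) (4, 5)
    print(ecdh(9, 17, 23, G, 3, 7))
```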

ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on the elliptic curve Pm
• select suitable curve & point G as in D-H
• each user chooses private key nA


• masquerade
• content modification
• sequence modification
• timing modification
• source repudiation
• destination repudiation

Message Encryption
• message encryption by itself also provides a measure of authentication
• if symmetric encryption is used then:
• receiver knows sender must have created it
• since only sender and receiver know key used
• knows content cannot have been altered
• if message has suitable structure, redundancy or a checksum to detect any changes
• if public-key encryption is used:
• encryption provides no confidence of sender since anyone potentially knows public-key
• however if sender signs message using their private-key
• then encrypts with recipient's public key
• have both secrecy and authentication
• again need to recognize corrupted messages
• but at cost of two public-key uses on message

Message Authentication Code (MAC)
• generated by an algorithm that creates a small fixed-sized block
• depending on both message and some key
• like encryption though need not be reversible
• appended to message as a signature
• receiver performs same computation on message and checks it matches the MAC
• provides assurance that message is unaltered and comes from sender

Message Authentication Code


• as shown the MAC provides authentication
• can also use encryption for secrecy
• generally use separate keys for each
• can compute MAC either before or after encryption
• is generally regarded as better done before
• why use a MAC?
• sometimes only authentication is needed
• sometimes need authentication to persist longer than the encryption (eg. archival use)
• note that a MAC is not a digital signature

MAC Properties
• a MAC is a cryptographic checksum: MAC = C_K(M)
• condenses a variable-length message M using a secret key K to a fixed-sized authenticator
• is a many-to-one function
• potentially many messages have same MAC
• but finding these needs to be very difficult

Requirements for MACs
• taking into account the types of attacks, need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message

In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements. The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key. The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext. The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.

Using Symmetric Ciphers for MACs
• can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
• using IV=0 and zero-pad of final block
• encrypt message using DES in CBC mode
• and send just the final block as the MAC
• or the leftmost M bits (16 ≤ M ≤ 64) of final block
• but final MAC is now too small for security

Data Authentication Algorithm


Hash Functions
• condenses arbitrary message to fixed size: h = H(M)
• usually assume that the hash function is public and not keyed
• cf. MAC which is keyed
• hash used to detect changes to message
• can use in various ways with message
• most often to create a digital signature

Hash Functions & Digital Signatures

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h is infeasible to find x s.t. H(x) = h (one-way property)
5. given x is infeasible to find y s.t. H(y) = H(x) (weak collision resistance)
6. is infeasible to find any x, y s.t. H(y) = H(x) (strong collision resistance)


Simple Hash Functions
• are several proposals for simple functions
• based on XOR of message blocks
• not secure since can manipulate any message and either not change hash or change hash also
• need a stronger cryptographic function (next chapter)

Birthday Attacks
• might think a 64-bit hash is secure
• but by Birthday Paradox is not
• birthday attack works thus:
• opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
• opponent also generates 2^(m/2) variations of a desired fraudulent message
• two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
• have user sign the valid message, then substitute the forgery which will have a valid signature
• conclusion is that need to use larger MAC/hash
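An added example (not from the notes) that puts numbers on the birthday bullets above: the collision probability for one set of messages and for the notes' two sets of 2^(m/2) messages, the set size needed for a given probability, and a collision search on a hash truncated to m bits that shows the 2^(m/2) cost empirically. The truncated-SHA-256 stand-in for an m-bit hash, the "msg-<i>" sample messages and the function names are constructed for this example.

```python
# Added example (not from the lecture notes): the birthday bound behind the notes'
# "2^(m/2) variations" figure, plus an empirical collision search on a hash
# truncated to m bits. Truncated SHA-256 and the "msg-<i>" messages are a
# constructed stand-in for an m-bit hash function.
import hashlib
import math


def birthday_probability(n, m, two_sets=False):
    """Approximate P(at least one collision) among random m-bit hash values.
    one set: n messages, n(n-1)/2 pairs; two sets (the notes' attack): n valid
    and n fraudulent variants, n*n cross pairs.  P ≈ 1 - exp(-pairs / 2^m)."""
    pairs = n * n if two_sets else n * (n - 1) / 2
    return 1.0 - math.exp(-pairs / 2.0 ** m)


def messages_for_probability(m, p=0.5):
    """Messages in one set for collision probability p: n ≈ sqrt(2 * 2^m * ln(1/(1-p)))."""
    return math.sqrt(2.0 * 2.0 ** m * math.log(1.0 / (1.0 - p)))


def truncated_hash(msg: bytes, m: int) -> int:
    """Keep the leading m bits of SHA-256 to model an m-bit hash (toy stand-in)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - m)


def find_collision(m, prefix=b"msg-"):
    """Hash distinct messages until two share a truncated hash.
    Returns (msg1, msg2, tries); tries lands near 2^(m/2), nowhere near 2^m."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, m)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


if __name__ == "__main__":
    # 2^32 messages against a 64-bit hash: ~0.39 for one set, ~0.63 across two sets
    print(birthday_probability(2 ** 32, 64), birthday_probability(2 ** 32, 64, two_sets=True))
    m1, m2, tries = find_collision(24)
    print(m1, m2, tries, hex(truncated_hash(m1, 24)))
```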

Block Ciphers as Hash Functions
• can use block ciphers as hash functions
• using H_0 = 0 and zero-pad of final block
• compute: H_i = E_{M_i}[H_{i-1}]
• and use final block as the hash value
• similar to CBC but without a key
• resulting hash is too small (64-bit)
• both due to direct birthday attack
• and to meet-in-the-middle attack
• other variants also susceptible to attack

Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
• strong collision resistance hash have cost 2^(m/2)
• have proposal for h/w MD5 cracker
• 128-bit hash looks vulnerable, 160-bits better
• MACs with known message-MAC pairs
• can either attack keyspace (cf key search) or MAC
• at least 128-bit MAC is needed for security
• cryptanalytic attacks exploit structure
• like block ciphers want brute-force attacks to be the best alternative
• have a number of analytic attacks on iterated hash functions


    CVi = f[CVi-1, Mi]; H(M) = CVN
    typically focus on collisions in function f
    like block ciphers is often composed of rounds
    attacks exploit properties of round functions

    Cryptography and Network Security

    Hash and MAC Algorithms

    Hash Functions
    condense arbitrary size message to fixed size
    by processing message in blocks
    through some compression function
    either custom or block cipher based

    Message Authentication Code (MAC)
    fixed sized authenticator for some message
    to provide authentication for message
    by using block cipher mode or hash function

    Hash Algorithm Structure

    Secure Hash Algorithm
    SHA originally designed by NIST & NSA in 1993
    was revised in 1995 as SHA-1
    US standard for use with DSA signature scheme
    standard is FIPS 180-1 1995, also Internet RFC3174
    nb. the algorithm is SHA, the standard is SHS
    based on design of MD4 with key differences
    produces 160-bit hash values
    recent 2005 results on security of SHA-1 have raised concerns on its use in future applications


    Revised Secure Hash Standard
    NIST issued revision FIPS 180-2 in 2002
    adds 3 additional versions of SHA
    SHA-256, SHA-384, SHA-512
    designed for compatibility with increased security provided by the AES cipher
    structure & detail is similar to SHA-1
    hence analysis should be similar
    but security levels are rather higher

    SHA-512 Overview

    SHA-512 Compression Function
    heart of the algorithm
    processing message in 1024-bit blocks
    consists of 80 rounds
    updating a 512-bit buffer
    using a 64-bit value Wt derived from the current message block
    and a round constant based on cube root of first 80 prime numbers

    The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F in Stallings Figure 12, as shown in Figure 12.2. Each round takes as input the 512-bit buffer value, and updates the contents of the buffer. Each round t makes use of a 64-bit value Wt derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant Kt, based on the fractional parts of the cube roots of the first eighty prime numbers. The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.

    SHA-512 Round Function

    Stallings Figure 12.4 details how the 64-bit word values Wt are derived from the 1024-bit message. The first 16 values of Wt are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown. The function elements are:
    σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
    σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6).
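SHA-512 assembled from the description above, as an added example (not the course's or Stallings' code): the round constants Kt are taken from the cube roots of the first 80 primes and the initial buffer from the square roots of the first 8 primes, the message schedule uses the σ0/σ1 functions just listed, and the result is cross-checked against Python's hashlib. The uppercase Σ0/Σ1, Ch and Maj round functions come from FIPS 180-2 and are not shown on this page.

```python
import hashlib
import math

MASK64 = (1 << 64) - 1


def rotr(x: int, n: int) -> int:
    """64-bit rotate right."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def shr(x: int, n: int) -> int:
    """64-bit logical shift right."""
    return x >> n


# Message-schedule functions from the slide (lowercase sigma).
def sigma0(x: int) -> int:
    return rotr(x, 1) ^ rotr(x, 8) ^ shr(x, 7)


def sigma1(x: int) -> int:
    return rotr(x, 19) ^ rotr(x, 61) ^ shr(x, 6)


# Round functions that update the 512-bit buffer (FIPS 180-2: Sigma0, Sigma1, Ch, Maj).
def big_sigma0(x: int) -> int:
    return rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39)


def big_sigma1(x: int) -> int:
    return rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41)


def ch(x: int, y: int, z: int) -> int:
    return (x & y) ^ ((~x & MASK64) & z)


def maj(x: int, y: int, z: int) -> int:
    return (x & y) ^ (x & z) ^ (y & z)


def first_primes(count: int) -> list:
    """The first `count` primes by trial division (80 are needed for SHA-512)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n: int) -> int:
    """Exact integer cube root (floor) by Newton's method on big ints, starting above the root."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


PRIMES = first_primes(80)
# K_t: the first 64 fractional bits of the cube root of the t-th prime (cbrt(p * 2^192) = cbrt(p) * 2^64).
K = [icbrt(p << 192) & MASK64 for p in PRIMES]
# Initial hash value: first 64 fractional bits of the square roots of the first 8 primes.
H0 = [math.isqrt(p << 128) & MASK64 for p in PRIMES[:8]]


def sha512(message: bytes) -> bytes:
    # Padding: a single 1 bit, zeros, then the 128-bit big-endian message length,
    # so the total is a multiple of 1024 bits.
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    padded += (len(message) * 8).to_bytes(16, "big")
    H = list(H0)
    for off in range(0, len(padded), 128):
        block = padded[off:off + 128]
        # Message schedule: W_0..W_15 straight from the block, W_16..W_79 derived via sigma0/sigma1.
        W = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
        for t in range(16, 80):
            W.append((sigma1(W[t - 2]) + W[t - 7] + sigma0(W[t - 15]) + W[t - 16]) & MASK64)
        a, b, c, d, e, f, g, h = H
        for t in range(80):  # 80 rounds over the eight 64-bit buffer words
            T1 = (h + big_sigma1(e) + ch(e, f, g) + K[t] + W[t]) & MASK64
            T2 = (big_sigma0(a) + maj(a, b, c)) & MASK64
            h, g, f, e = g, f, e, (d + T1) & MASK64
            d, c, b, a = c, b, a, (T1 + T2) & MASK64
        # Output of round 80 is added to the round-1 input to give the next chaining value.
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(v.to_bytes(8, "big") for v in H)


def self_check() -> bool:
    """Cross-check single- and multi-block messages (including padding edge cases) against hashlib."""
    samples = (b"", b"abc", b"x" * 111, b"y" * 112, b"z" * 300)
    return all(sha512(m) == hashlib.sha512(m).digest() for m in samples)


if __name__ == "__main__":
    print("K[0] = %016x, H0[0] = %016x" % (K[0], H0[0]))
    print("matches hashlib:", self_check())
```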

    Whirlpool
    now examine the Whirlpool hash function
    endorsed by European NESSIE project
    uses modified AES internals as compression function
    addressing concerns on use of block ciphers seen previously
    with performance comparable to dedicated algorithms like SHA

    Whirlpool Overview

    Whirlpool Block Cipher


    designed specifically for hash function use
    with security and efficiency of AES
    but with 512-bit block size and hence hash
    similar structure & functions as AES but
    input is mapped row wise
    has 10 rounds
    a different primitive polynomial for GF(2^8)
    uses different S-box design & values

    Whirlpool Performance & Security
    Whirlpool is a very new proposal
    hence little experience with use
    but many AES findings should apply
    does seem to need more h/w than SHA, but with better resulting performance

    Keyed Hash Functions as MACs


    want a MAC based on a hash function
    because hash functions are generally faster
    code for crypto hash functions widely available
    hash includes a key along with message
    original proposal: KeyedHash = Hash(Key|Message)
    some weaknesses were found with this
    eventually led to development of HMAC

    HMAC
    specified as Internet standard RFC2104
    uses hash function on the message:
    HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
    where K+ is the key padded out to size
    and opad, ipad are specified padding constants
    overhead is just 3 more hash calculations than the message needs alone
    any hash function can be used
    eg. MD5, SHA-1, RIPEMD-160, Whirlpool

    HMAC Overview

    Stallings Figure 12.10 shows the structure of HMAC, which implements the function:
    HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
    elements are:
    K+ is K padded with zeros on the left so that the result is b bits in length
    ipad is a pad value of 36 hex repeated to fill block
    opad is a pad value of 5C hex repeated to fill block
    M is the message input to HMAC (including the padding specified in the embedded hash function)

    HMAC Security
    proved security of HMAC relates to that of the underlying hash algorithm
    attacking HMAC requires either:
    brute force attack on key used
    birthday attack (but since keyed would need to observe a very large number of messages)
    choose hash function used based on speed versus security constraints
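The HMAC formula above written out directly, as an added example (not the course's or RFC 2104's code): K+ is the key zero-padded to the hash block size b, ipad/opad are 0x36/0x5C repeated, and the tag is the outer hash over the inner hash. One caveat for implementers: RFC 2104 and Python's hmac module append the zero padding after the key bytes (and hash down a key longer than b first), which is what this code does; the tag is verified with a constant-time comparison and cross-checked against the standard library.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]."""
    b = hashlib.new(hash_name).block_size      # b in bytes: 64 for SHA-256, 128 for SHA-512
    if len(key) > b:                           # RFC 2104: an over-long key is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))    # K+: key padded with zeros to one block
    k_ipad = bytes(k ^ 0x36 for k in k_plus)   # ipad = 0x36 repeated to fill the block
    k_opad = bytes(k ^ 0x5C for k in k_plus)   # opad = 0x5C repeated to fill the block
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received tag; compare_digest avoids leaking where the first mismatch is."""
    expected = hmac_from_formula(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the formula against Python's hmac module."""
    return hmac_from_formula(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample key and message, not from any standard test vector.
    key, msg = b"constructed-demo-key", b"The quick brown fox"
    tag = hmac_from_formula(key, msg)
    print("HMAC-SHA256:", tag.hex())
    print("verify genuine:", hmac_verify(key, msg, tag))
    print("verify tampered:", hmac_verify(key, msg + b"!", tag))
    print("matches hmac module:", matches_stdlib(key, msg), matches_stdlib(b"k" * 200, msg, "sha512"))
```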

    CMAC
    previously saw the DAA (CBC-MAC)
    widely used in govt & industry
    but has message size limitation
    can overcome using 2 keys & padding
    thus forming the Cipher-based Message Authentication Code (CMAC)
    adopted by NIST SP800-38B

    CMAC was previously described as the Data Authentication Algorithm, FIPS PUB 113, also known as the CBC-MAC (cipher block chaining message authentication code). This cipher-based MAC has been widely adopted in government and industry. It has been shown to be secure, with the following restriction: only messages of one fixed length of mn bits are processed, where n is the cipher block size and m is a fixed positive integer. This limitation can be overcome using multiple keys, which can be derived from a single key. This refinement has been adopted by NIST as the cipher-based message authentication code (CMAC) mode of operation, for use with AES and triple DES. It is specified in NIST Special Publication 800-38B.

    CMAC Overview


    Stallings Figure 12.12 shows the structure of CMAC. It uses the block size of the underlying cipher (i.e. 128 bits for AES or 64 bits for triple DES). The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not). For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. The two constants K1 & K2 are derived from the original key K using encryption of 0 and multiplication in GF(2^n), as detailed in the text.
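The CMAC structure just described, as an added example (not the course's, Stallings' or NIST's code): K1 and K2 are derived from L = E_K(0^n) by multiplying by x in GF(2^n) (a left shift, reduced by the SP 800-38B constant Rb when the top bit was set), K1 is XORed into a complete final block and K2 into a 10...0-padded one, and the blocks are chained CBC-style with only the final ciphertext kept as the tag. The block cipher is passed in as a callable, so the caller supplies the AES or triple-DES implementation (assumption: one is available; the Python standard library has none).

```python
from typing import Callable, Optional

# Rb reduction constants from SP 800-38B, by block size in bytes:
# n=128: x^128 + x^7 + x^2 + x + 1 -> 0x87;  n=64: x^64 + x^4 + x^3 + x + 1 -> 0x1B
RB = {16: 0x87, 8: 0x1B}


def gf_double(block: bytes) -> bytes:
    """Multiply by x in GF(2^n): shift left one bit, XOR Rb if the bit shifted out was 1."""
    n = len(block)
    v = int.from_bytes(block, "big") << 1
    if v >> (8 * n):                      # the bit that fell off the top was set
        v ^= RB[n]
    return (v & ((1 << (8 * n)) - 1)).to_bytes(n, "big")


def cmac_subkeys(L: bytes):
    """K1 = L * x, K2 = L * x^2 in GF(2^n), where L = E_K(0^n)."""
    K1 = gf_double(L)
    K2 = gf_double(K1)
    return K1, K2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cmac(encrypt: Callable[[bytes], bytes], n: int, message: bytes,
         tlen: Optional[int] = None) -> bytes:
    """CMAC tag of `message` under the n-byte block cipher `encrypt` (already keyed with K)."""
    K1, K2 = cmac_subkeys(encrypt(bytes(n)))
    # Split into n-byte blocks; an empty message is treated as one (padded) block.
    blocks = [message[i:i + n] for i in range(0, len(message), n)] or [b""]
    last = blocks[-1]
    if len(last) == n:
        last = xor(last, K1)                                      # complete final block
    else:
        last = xor(last + b"\x80" + bytes(n - len(last) - 1), K2)  # padded with 10...0
    X = bytes(n)                                                  # zero IV
    for block in blocks[:-1]:
        X = encrypt(xor(X, block))                                # CBC chaining, nothing output
    T = encrypt(xor(X, last))
    return T if tlen is None else T[:tlen]                        # optionally truncated tag


if __name__ == "__main__":
    # Constructed stand-in for E_K (a fixed byte-wise permutation, NOT a cipher) just to
    # exercise the block structure; plug in a real AES/3DES encrypt function in practice.
    demo_perm = lambda b: bytes(((x * 7 + 3) & 0xFF) for x in b)
    print("subkeys from L:", [k.hex() for k in cmac_subkeys(demo_perm(bytes(16)))])
    print("tag, complete last block:", cmac(demo_perm, 16, b"a" * 16).hex())
    print("tag, padded last block:  ", cmac(demo_perm, 16, b"a" * 15).hex())
```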

    Digital Signatures
    have looked at message authentication
    but does not address issues of lack of trust
    digital signatures provide the ability to:
    verify author, date & time of signature


    authenticate message contents
    be verified by third parties to resolve disputes
    hence include authentication function with additional capabilities

    The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties:
    It must verify the author and the date and time of the signature
    It must authenticate the contents at the time of the signature
    It must be verifiable by third parties, to resolve disputes
    Thus, the digital signature function includes the authentication function.

    Digital Signature Properties
    must depend on the message signed
    must use information unique to sender
    to prevent both forgery and denial
    must be relatively easy to produce
    must be relatively easy to recognize & verify
    must be computationally infeasible to forge
    with new message for existing digital signature
    with fraudulent digital signature for given message
    must be practical to save digital signature in storage

    Direct Digital Signatures
    involve only sender & receiver
    assumed receiver has sender's public-key
    digital signature made by sender signing entire message or hash with private-key
    can encrypt using receiver's public-key
    important that sign first then encrypt message & signature
    security depends on sender's private-key

    Direct Digital Signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key, or by encrypting a hash code of the message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party must view the message and its signature. But these approaches are dependent on the security of the sender's private-key. Will have problems if it is lost/stolen and signatures forged. Need time-stamps and timely key revocation.

    Arbitrated Digital Signatures


    involves use of arbiter A
    validates any signed message
    then dated and sent to recipient
    requires suitable level of trust in arbiter
    can be implemented with either private or public-key algorithms
    arbiter may or may not see message

    Authentication Protocols
    used to convince parties of each other's identity and to exchange session keys
    may be one-way or mutual
    key issues are
    confidentiality to protect session keys
    timeliness to prevent replay attacks
    published protocols are often found to have flaws and need to be modified

    Authentication Protocols are used to convince parties of each other's identity and to exchange session keys. They may be one-way or mutual. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Stallings discusses a number of protocols that appeared secure but were revised after additional analysis. These examples highlight the difficulty of getting things right in the area of authentication.

    Replay Attacks
    where a valid signed message is copied and later resent
    simple replay
    repetition that can be logged
    repetition that cannot be detected
    backward replay without modification
    countermeasures include
    use of sequence numbers (generally impractical)
    timestamps (needs synchronized clocks)
    challenge/response (using unique nonce)

    Replay Attacks are where a valid signed message is copied and later resent. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.
    [GONG93] lists the examples above of replay attacks. Possible countermeasures include the use of:
    sequence numbers (generally impractical since must remember last number used with every communicating party)
    timestamps (needs synchronized clocks amongst all parties involved, which can be problematic)
    challenge/response (using unique, random, unpredictable nonce, but not suitable for connectionless applications because of handshake overhead)

    Using Symmetric Encryption
    as discussed previously can use a two-level hierarchy of keys
    usually with a trusted Key Distribution Center (KDC)
    each party shares own master key with KDC
    KDC generates session keys used for connections between parties
    master keys used to distribute these

    A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. Usually involves the use of a trusted key distribution center (KDC). Each party in the network shares a secret master key with the KDC. The KDC is responsible for generating session keys, and for distributing those keys to the parties involved, using the master keys to protect these session keys.

    Digital Signature Algorithm (DSA)
    creates a 320-bit signature with 512-1024 bit security
    smaller and faster than RSA
    a digital signature scheme only
    security depends on difficulty of computing discrete logarithms
    variant of ElGamal & Schnorr schemes

    DSA Key Generation
    have shared global public key values (p,q,g):
    choose a large prime p with 2^(L-1) < p < 2^L
    where L = 512 to 1024 bits and is a multiple of 64


    choose q with 2^159 < q < 2^160 such that q is a 160-bit prime divisor of (p-1)
    choose g = h^((p-1)/q)
    where 1
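The global parameter generation just described, carried out as an added example (not the course's or FIPS 186's code): q is a random 160-bit prime, p an L-bit prime found by testing candidates of the form kq + 1 so that q divides p - 1, and g = h^((p-1)/q) mod p for the smallest h > 1 that gives g > 1, which makes g an element of order q. Primality is by Miller-Rabin (assumption: probable primes suffice for a demonstration), L defaults to 512 so it runs in seconds, and the per-user key pair (private x, public y = g^x mod p) follows standard DSA and is not on the slide.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division; a composite survives with probability <= 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness that n is composite
    return True


def generate_global_params(L: int = 512, N: int = 160):
    """Shared public values (p, q, g): q | p-1, 2^(L-1) < p < 2^L, 2^(N-1) < q < 2^N, g of order q."""
    if L % 64 or not 512 <= L <= 1024:
        raise ValueError("L must be a multiple of 64 between 512 and 1024")
    while True:                                   # q: random N-bit odd number until prime
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    # p = k*q + 1 with k chosen so that 2^(L-1) < p < 2^L; k must be even for p to be odd.
    lo = ((1 << (L - 1)) + q - 1) // q
    hi = ((1 << L) - 2) // q
    while True:
        k = lo + secrets.randbelow(hi - lo + 1)
        if k % 2:
            continue
        p = k * q + 1
        if is_probable_prime(p):
            break
    h = 2                                         # g = h^((p-1)/q) mod p, need g > 1
    while True:
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def generate_user_keys(p: int, q: int, g: int):
    """Per-user keys (standard DSA): private x with 0 < x < q, public y = g^x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    y = pow(g, x, p)
    return x, y


def check_params(p: int, q: int, g: int, L: int = 512, N: int = 160) -> bool:
    """Verify every property the slide lists for (p, q, g), plus that g has order q."""
    return (p.bit_length() == L and q.bit_length() == N and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1
            and is_probable_prime(p) and is_probable_prime(q))


if __name__ == "__main__":
    p, q, g = generate_global_params(512, 160)
    x, y = generate_user_keys(p, q, g)
    print("p bits:", p.bit_length(), "q bits:", q.bit_length(), "params ok:", check_params(p, q, g))
    print("public y = g^x mod p has", y.bit_length(), "bits")
```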


    Unit 4 Authentication Applications
    will consider authentication functions developed to support application-level authentication & digital signatures
    will consider Kerberos - a private-key authentication service
    then X.509 - a public-key directory authentication service

    Kerberos
    trusted key server system from MIT
    provides centralised private-key third-party authentication in a distributed network
    allows users access to services distributed through network
    without needing to trust all workstations
    rather all trust a central authentication server
    two versions in use: 4 & 5

    Kerberos is an authentication service developed as part of Project Athena at MIT, and is one of the best known and most widely implemented trusted third party key distribution systems. Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption. Two versions of Kerberos are in common use: v4 & v5.

    Kerberos Requirements
    its first report identified requirements as:
    secure
    reliable
    transparent
    scalable
    implemented using an authentication protocol based on Needham-Schroeder

    Kerberos v4 Overview
    a basic third-party authentication scheme
    have an Authentication Server (AS)
    users initially negotiate with AS to identify self


    AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
    have a Ticket Granting Server (TGS)
    users subsequently request access to other services from TGS on basis of user's TGT

    Kerberos v4 Dialogue
    1. obtain ticket granting ticket from AS
       once per session
    2. obtain service granting ticket from TGT
       for each distinct service required
    3. client/server exchange to obtain service
       on every service request

    Kerberos Realms
    a Kerberos environment consists of:
    a Kerberos server
    a number of clients, all registered with server
    application servers, sharing keys with server
    this is termed a realm
    typically a single administrative domain
    if have multiple realms, their Kerberos servers must share keys and trust


    Kerberos Version 5
    developed in mid 1990s
    specified as Internet standard RFC 1510
    provides improvements over v4
    addresses environmental shortcomings
    encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
    and technical deficiencies
    double encryption, non-std mode of use, session keys, password attacks

    X.509 Authentication Service
    part of CCITT X.500 directory service standards
    distributed servers maintaining user info database
    defines framework for authentication services
    directory may store public-key certificates
    with public key of user signed by certification authority
    also defines authentication protocols
    uses public-key crypto & digital signatures
    algorithms not standardised, but RSA recommended
    X.509 certificates are widely used

    X.509 is part of the X.500 series of recommendations that define a directory service, being a server or distributed set of servers that maintains a database of information about users. X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.
    The X.509 certificate format is widely used, in for example S/MIME, IP Security and SSL/TLS and SET.

    X.509 Certificates
    issued by a Certification Authority (CA), containing:
    version (1, 2, or 3)
    serial number (unique within CA) identifying certificate
    signature algorithm identifier
    issuer X.500 name (CA)
    period of validity (from - to dates)
    subject X.500 name (name of owner)
    subject public-key info (algorithm, parameters, key)
    issuer unique identifier (v2+)
    subject unique identifier (v2+)
    extension fields (v3)
    signature (of hash of all fields in certificate)
    notation CA denotes certificate for A signed by CA

    The X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates. The certificate includes the elements shown.
    The standard uses the notation for a certificate of: CA where the CA signs the certificate for user A with its private key.


    Obtaining a Certificate
    any user with access to CA can get any certificate from it
    only the CA can modify a certificate
    because cannot be forged, certificates can be placed in a public directory

    User certificates generated by a CA have the characteristics that any user with access to the public key of the CA can verify the user public key that was certified, and no party other than the certification authority can modify the certificate without this being detected. Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them.

    CA Hierarchy
    - if both users share a common CA then they are assumed to know its public key
    - otherwise CAs must form a hierarchy
    - use certificates linking members of hierarchy to validate other CAs
    - each CA has certificates for clients (forward) and parent (backward)
    - each client trusts its parent's certificates
    - enables verification of any certificate from one CA by users of all other CAs in hierarchy

    If both parties use the same CA, they know its public key and can verify each other's certificates. If not, then there has to be some means to form a chain of certifications between the CAs used by the two parties, by the use of client and parent certificates. It is assumed that each client trusts its parent's certificates.


    Certificate Revocation
    - certificates have a period of validity
    - may need to revoke before expiry, eg:
      1. user's private key is compromised
      2. user is no longer certified by this CA
      3. CA's certificate is compromised
    - CAs maintain list of revoked certificates: the Certificate Revocation List (CRL)
    - users should check certificates with the CA's CRL

    A certificate includes a period of validity. Typically a new certificate is issued just before the expiration of the old one. In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of a range of reasons, such as those shown above. To support this, each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA, known as the certificate revocation list (CRL). When a user receives a certificate in a message, the user must determine whether the certificate has been revoked, by checking the directory CRL each time a certificate is received; this often does not happen in practice.
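As an added illustration of the hierarchy and CRL checks above (this is not code from the notes or from Stallings), the following Python walks the chain X<<Root>>, Root<<Y>>, Y<<B>> from a CA key the verifier already trusts, checking each signature, validity period and CRL entry. The signature scheme is a deliberately tiny, unpadded textbook RSA constructed only for this demonstration, and the certificate encoding, names and serial numbers are made up.

```python
import hashlib, random, time
from collections import namedtuple

# Toy textbook RSA, constructed for this example only: 62-bit primes and no padding.
# It shows the sign/verify mechanics, nothing more; real keys are 2048 bits or larger.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; exact for every n below 3.3e24."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x != 1 and not any(pow(x, 2 ** i, n) == n - 1 for i in range(r)):
            return False
    return True

def keypair(seed, e=65537):
    """Return ((n, e), (n, d)); the seed only makes the demo repeatable."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(62) | (1 << 61) | 1      # odd candidate, exactly 62 bits
        if is_prime(c) and (c - 1) % e:              # keeps gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(data):
    # 120-bit SHA-256 prefix: always below n (n >= 2^122), so no padding is needed here
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")

def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)

# An X.509-style certificate: the issuer signs the hash of every other field.
Cert = namedtuple("Cert", "issuer subject serial not_after pubkey sig")

def tbs(c):
    """'To be signed' encoding of all fields except the signature."""
    return f"{c.issuer}|{c.subject}|{c.serial}|{c.not_after}|{c.pubkey}".encode()

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_after):
    body = Cert(issuer, subject, serial, not_after, subject_pub, 0)
    return body._replace(sig=sign(issuer_priv, tbs(body)))

def validate_chain(trusted_name, trusted_pub, chain, crl, now):
    """Walk X<<W>>, W<<V>>, ... from a CA key we already hold; return the last subject's key."""
    name, key = trusted_name, trusted_pub
    for c in chain:
        if c.issuer != name or not verify(key, tbs(c), c.sig):
            raise ValueError(f"{c.issuer}<<{c.subject}>>: bad issuer or signature")
        if now > c.not_after:
            raise ValueError(f"{c.issuer}<<{c.subject}>>: expired")
        if (c.issuer, c.serial) in crl:          # the CRL lists revoked, unexpired serials per CA
            raise ValueError(f"{c.issuer}<<{c.subject}>>: revoked")
        name, key = c.subject, c.pubkey
    return name, key

def demo(revoke_b=False, tamper=False):
    """User A (client of CA X) validates B (client of CA Y) through the common root."""
    root_pub, root_priv = keypair(1)
    x_pub, x_priv = keypair(2)
    y_pub, y_priv = keypair(3)
    b_pub, _ = keypair(4)
    later = time.time() + 3600
    chain = [issue("X", x_priv, "Root", root_pub, 1, later),   # X<<Root>>: X's backward certificate
             issue("Root", root_priv, "Y", y_pub, 2, later),   # Root<<Y>>: forward certificate for child CA Y
             issue("Y", y_priv, "B", b_pub, 3, later)]         # Y<<B>>: B's user certificate
    if tamper:   # a substituted key without the issuer's re-signing is caught by verify()
        chain[2] = chain[2]._replace(pubkey=keypair(99)[0])
    crl = {("Y", 3)} if revoke_b else set()
    return validate_chain("X", x_pub, chain, crl, time.time())
```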

    Authentication Procedures
    - X.509 includes three alternative authentication procedures:
      - One-Way Authentication
      - Two-Way Authentication
      - Three-Way Authentication
    - all use public-key signatures

    X.509 also includes three alternative authentication procedures that are intended for use across a variety of applications, used when obtaining and using certificates. 1-way for unidirectional messages (like email), 2-way for interactive sessions when timestamps are used, 3-way for interactive sessions with no need for timestamps (and hence synchronised clocks). See Stallings Figure 14.6 for details of each of these alternatives.

    One-Way Authentication
    - 1 message (A->B) used to establish:
      - the identity of A and that message is from A
      - message was intended for B
      - integrity & originality of message
    - message must include timestamp, nonce, B's identity and is signed by A
    - may include additional info for B, eg session key

    One way authentication involves a single transfer of information from one user (A) to another (B), and establishes the details shown above. Note that only the identity of the initiating entity is verified in this process, not that of the responding entity. At a minimum, the message includes a timestamp, a nonce, and the identity of B and is signed with A's private key. The message may also include information to be conveyed, such as a session key for B.

    Two-Way Authentication
    - 2 messages (A->B, B->A) which also establishes in addition:
      - the identity of B and that reply is from B
      - that reply is intended for A
      - integrity & originality of reply
    - reply includes original nonce from A, also timestamp and nonce from B
    - may include additional info for A

    Two-way authentication thus permits both parties in a communication to verify the identity of the other, thus additionally establishing the above details. The reply message includes the nonce from A, to validate the reply. It also includes a timestamp and nonce generated by B, and possibly additional information for A.

    Three-Way Authentication

    Three-Way Authentication includes a final message from A to B, which contains a signed copy of the nonce, so that timestamps need not be checked, for use when synchronized clocks are not available.

    X.509 Version 3
    - has been recognised that additional information is needed in a certificate
      - email/URL, policy details, usage constraints
    - rather than explicitly naming new fields, defined a general extension method
    - extensions consist of:
      - extension identifier
      - criticality indicator
      - extension value

    The X.509 version 2 format does not convey all of the information that recent design and implementation experience has shown to be needed. Rather than continue to add fields to a fixed format, standards developers felt that a more flexible approach was needed. X.509 version 3 includes a number of optional extensions that may be added to the version 2 format. Each extension consists of an extension identifier, a criticality indicator, and an extension value. The criticality indicator indicates whether an extension can be safely ignored or not (in which case, if the extension is unknown to the verifier, the certificate is invalid).

    Certificate Extensions
    - key and policy information
      - convey info about subject & issuer keys, plus indicators of certificate policy
    - certificate subject and issuer attributes
      - support alternative names, in alternative formats, for certificate subject and/or issuer
    - certificate path constraints
      - allow constraints on use of certificates by other CAs

    The certificate extensions fall into three main categories:
    - key and policy information - convey additional information about the subject and issuer keys, plus indicators of certificate policy
    - subject and issuer attributes - support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject
    - certification path constraints - allow constraint specifications to be included in certificates issued for CAs by other CAs
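An added example (not from the notes) of how a verifier applies the criticality rule and the path-constraint extensions while walking a chain, in Python. The OIDs for basicConstraints, keyUsage and subjectAltName are the real X.509 ones; the certificate records, the hypothetical `check_path` policy and the unknown extension under the example OID arc 2.999 are constructed here.

```python
# Real extension OIDs from X.509 / RFC 5280; the certificates, the hypothetical handler
# policy and the example-arc OID 2.999.1 below are constructed for this illustration.
BASIC_CONSTRAINTS, KEY_USAGE, SUBJECT_ALT_NAME = "2.5.29.19", "2.5.29.15", "2.5.29.17"
KNOWN = {BASIC_CONSTRAINTS, KEY_USAGE, SUBJECT_ALT_NAME}

def check_path(chain):
    """chain runs from the trust anchor's certificate down to the end entity; each entry
    is {"subject": str, "extensions": [(oid, critical, value), ...]}.  Returns the end
    entity's alternative names, or raises ValueError when an extension rule is violated."""
    alt_names = []
    for depth, cert in enumerate(chain):
        who, exts = cert["subject"], {}
        for oid, critical, value in cert["extensions"]:
            if oid not in KNOWN:
                if critical:        # unknown AND critical: the certificate must be rejected
                    raise ValueError(f"{who}: unknown critical extension {oid}")
                continue            # unknown but non-critical: safely ignored
            exts[oid] = value
        if depth < len(chain) - 1:  # this certificate signs the next one: path constraints apply
            bc = exts.get(BASIC_CONSTRAINTS, {})
            if not bc.get("cA"):
                raise ValueError(f"{who}: issues certificates but basicConstraints cA is false")
            if "keyCertSign" not in exts.get(KEY_USAGE, {"keyCertSign"}):
                raise ValueError(f"{who}: keyUsage does not permit signing certificates")
            # pathLenConstraint: how many further CA certificates may follow this one
            following_cas = len(chain) - 2 - depth
            if bc.get("pathLen") is not None and following_cas > bc["pathLen"]:
                raise ValueError(f"{who}: {following_cas} CA(s) follow, limit is {bc['pathLen']}")
        else:
            alt_names = list(exts.get(SUBJECT_ALT_NAME, []))
    return alt_names

def ca_cert(subject, path_len=None):
    bc = {"cA": True} if path_len is None else {"cA": True, "pathLen": path_len}
    return {"subject": subject, "extensions": [(BASIC_CONSTRAINTS, True, bc),
                                               (KEY_USAGE, True, {"keyCertSign", "cRLSign"})]}

def leaf_cert(subject, names, unknown_critical=False):
    return {"subject": subject, "extensions": [
        (SUBJECT_ALT_NAME, False, names),
        ("2.999.1", unknown_critical, "vendor-private data")]}   # 2.999 is the example OID arc

def demo_chain():
    """Root -> issuing CA (pathLen 0) -> mail server: accepted, with 2.999.1 ignored."""
    return [ca_cert("Root CA"), ca_cert("Issuing CA", path_len=0),
            leaf_cert("mail.example.org", ["mail.example.org", "smtp.example.org"])]
```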

    Public Key Infrastructure

    RFC 2822 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. The IETF Public Key Infrastructure X.509 (PKIX) working group has set up a formal (and generic) model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet.

    Email Security
    - email is one of the most widely used and regarded network services
    - currently message contents are not secure
      - may be inspected either in transit
      - or by suitably privileged users on destination system

    Email Security Enhancements
    - confidentiality: protection from disclosure
    - authentication: of sender of message
    - message integrity: protection from modification
    - non-repudiation of origin: protection from denial by sender

    With the explosively growing reliance on electronic mail for every conceivable purpose, there grows a demand for authentication and confidentiality services. What we want is something more akin to standard mail (contents protected inside an envelope) if not registered mail (have confidence about the sender of the mail and its contents). That is, the classic security services listed are desired.

    Pretty Good Privacy (PGP)
    - widely used de facto secure email
    - developed by Phil Zimmermann
    - selected best available crypto algs to use
    - integrated into a single program
    - on Unix, PC, Macintosh and other systems
    - originally free, now also have commercial versions available

    The Pretty Good Privacy (PGP) secure email program is a remarkable phenomenon, has grown explosively and is now widely used. Largely the effort of a single person, Phil Zimmermann, who selected the best available crypto algorithms to use & integrated them into a single program, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. It runs on a wide range of systems, in both free & commercial versions.

    PGP Operation - Authentication
    1. sender creates message
    2. use SHA-1 to generate 160-bit hash of message
    3. hash is signed with RSA using sender's private key, and is attached to message
    4. receiver uses RSA with sender's public key to decrypt and recover hash code
    5. receiver verifies received message using hash of it and compares with decrypted hash code

    The actual operation of PGP consists of five services: authentication, confidentiality, compression, e-mail compatibility, and segmentation. Here see the digital signature service provided by PGP, using the steps as shown. Note this assumes use of RSA digital signatures; recent PGP versions also support the use of DSS signatures. Signatures can also be detached from a message/file and sent/stored separately.

    PGP Operation - Confidentiality
    1. sender generates message and 128-bit random number as session key for it
    2. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
    3. session key encrypted using RSA with recipient's public key, & attached to msg
    4. receiver uses RSA with private key to decrypt and recover session key
    5. session key is used to decrypt message

    Another basic service provided by PGP is confidentiality, provided by encrypting messages to be transmitted or to be stored locally as files, using symmetric encryption algorithms CAST-128, IDEA or 3DES in 64-bit cipher feedback (CFB) mode. The randomly chosen session key used for this is sent encrypted using the recipient's public RSA key. The steps used in this process are as shown. Recent PGP versions also support the use of ElGamal (a Diffie-Hellman variant) for session-key exchange.

    - can use both services on same message
      - create signature & attach to message
      - encrypt both message & signature
      - attach RSA/ElGamal encrypted session key

    PGP Operation - Compression
    - by default PGP compresses message after signing but before encrypting
      - so can store uncompressed message & signature for later verification
      - & because compression is non-deterministic
    - uses ZIP compression algorithm

    PGP Operation - Email Compatibility
    - when using PGP will have binary data to send (encrypted message etc)
    - however email was designed only for text
    - hence PGP must encode raw binary data into printable ASCII characters
    - uses radix-64 algorithm
      - maps 3 bytes to 4 printable chars
      - also appends a CRC
    - PGP also segments messages if too big

    When PGP is used, at least part of the block to be transmitted is encrypted, and thus consists of a stream of arbitrary 8-bit octets. However many electronic mail systems only permit the use of ASCII text. To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. It uses radix-64 conversion, in which each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors. See Stallings Appendix 15B for a description. PGP also automatically subdivides a message that is too large for a single email into segments that are small enough to send.
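The radix-64 conversion, CRC and segmentation described above, as an added Python example (not code from the notes or from PGP itself): it uses the CRC-24 parameters that OpenPGP ASCII armor specifies in RFC 4880 and the standard library's base64 for the three-octets-to-four-characters mapping, and the `armor`, `dearmor` and `segment` names are this example's own.

```python
import base64

# CRC-24 parameters used by OpenPGP ASCII armor (RFC 4880, section 6.1)
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x864CFB

def crc24(data):
    """Bitwise CRC-24 over the raw (pre-armor) octets."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(raw, line_len=76):
    """Radix-64: each 3 octets become 4 printable characters; the CRC goes on a final '=' line."""
    text = base64.b64encode(raw).decode("ascii")
    lines = [text[i:i + line_len] for i in range(0, len(text), line_len)]
    crc_line = "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + [crc_line])

def dearmor(text):
    """Reverse armor(); raises ValueError when the CRC shows the text was altered in transit."""
    *body, crc_line = text.splitlines()
    if not crc_line.startswith("="):
        raise ValueError("missing CRC line")
    raw = base64.b64decode("".join(body), validate=True)
    if crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("CRC mismatch: armored data was corrupted")
    return raw

def segment(armored, max_chars):
    """Segmentation: split armored text that is too large for one email into pieces."""
    return [armored[i:i + max_chars] for i in range(0, len(armored), max_chars)]
```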

    PGP Session Keys
    - need a session key for each message
      - of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
    - generated using ANSI X12.17 mode
    - uses random inputs taken from previous uses and from keystroke timing of user

    PGP makes use of four types of keys: one-time session symmetric keys, public keys, private keys, and passphrase-based symmetric keys. Each session key is associated with a single message and is used only for the purpose of encrypting and decrypting that message. Random numbers are generated using the ANSI X12.17 generator, with inputs based on keystroke input from the user, where both the keystroke timing and the actual keys struck are used to generate a randomized stream of numbers. Stallings Appendix 15C discusses PGP random number generation techniques in more detail.

    PGP Public & Private Keys
    - since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
      - could send full public-key with every message
      - but this is inefficient
    - rather use a key identifier based on key
      - is least significant 64-bits of the key
      - will very likely be unique
    - also use key ID in signatures

    Since many public/private keys may be in use with PGP, there is a need to identify which key is actually used to encrypt the session key for any specific message. You could just send the full public key with every message, but this is inefficient. Rather, PGP uses a key identifier based on the least significant 64 bits of the key, which will very likely be unique. Then only the much shorter key ID would need to be transmitted with any message. A key ID is also required for the PGP digital signature.

    PGP Message Format


    PGP Key Rings
    - each PGP user has a pair of keyrings:
      - public-key ring contains all the public keys of other PGP users known to this user, indexed by key ID
      - private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
    - security of private keys thus depends on the pass-phrase security

    Keys & key IDs are critical to the operation of PGP. These keys need to be stored and organized in a systematic way for efficient and effective use by all parties. PGP uses a pair of data structures, one to store the user's public/private key pairs - their private-key ring; and one to store the public keys of other known users - their public-key ring. The private keys are kept encrypted using a block cipher, with a key derived by hashing a pass-phrase which the user enters whenever that key needs to be used. As in any system based on passwords, the security of this system depends on the security of the password, which should be not easily guessed but easily remembered.

    PGP Key Management
    - rather than relying on certificate authorities
    - in PGP every user is own CA
      - can sign keys for users they know directly
    - forms a "web of trust"
      - trust keys have signed
      - can trust keys others have signed if have a chain of signatures to them
    - key ring includes trust indicators
    - users can also revoke their keys

    The PGP documentation notes that "This whole business of protecting public keys from tampering is the single most difficult problem in practical public key applications." Its solution is to support a variety of formal and informal environments, in which any user can act as a CA to certify another user's public key, and then act as a trusted introducer to other users, thus forming a "web of trust". PGP provides a convenient means of using trust, associating trust with public keys, and exploiting trust information. The key ring is regularly processed to derive trust indicators for keys in it.

    PGP allows a user to revoke their current public key, either because compromise is suspected or simply to avoid the use of the same key for an extended period.
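An added Python example (not PGP's own code) covering the key ID, public-key ring and web-of-trust passages above: keys are indexed by the low 64 bits of the modulus, and the ring is reprocessed to derive each key's legitimacy from its signers' owner trust, using PGP's default of one fully trusted or two marginally trusted introducers; revoking a key withdraws the support it gave to others. The moduli, user IDs and trust values are constructed.

```python
from dataclasses import dataclass, field

def key_id(modulus):
    """PGP key ID: the least significant 64 bits of the public key (the RSA modulus)."""
    return modulus & ((1 << 64) - 1)

# Weight a signer's owner-trust contributes to a signed key's legitimacy.  With PGP's
# defaults a key is legitimate after one "always" signature or two "usually" ones.
WEIGHTS = {"ultimate": 1.0, "always": 1.0, "usually": 0.5, "never": 0.0, "unknown": 0.0}

@dataclass
class PublicKeyEntry:
    user_id: str
    modulus: int
    owner_trust: str = "unknown"      # how far this owner is trusted to certify others
    signatures: list = field(default_factory=list)   # key IDs whose signatures are on this key
    revoked: bool = False
    legitimacy: str = "unknown"       # derived field: "complete", "unknown" or "revoked"

class PublicKeyRing:
    """The public-key ring, indexed by key ID, with the key-legitimacy computation."""
    def __init__(self, own_user_id, own_modulus):
        self.entries = {}
        self.add(own_user_id, own_modulus, owner_trust="ultimate")

    def add(self, user_id, modulus, owner_trust="unknown", signed_by=()):
        self.entries[key_id(modulus)] = PublicKeyEntry(user_id, modulus, owner_trust, list(signed_by))

    def revoke(self, kid):
        self.entries[kid].revoked = True

    def recompute(self):
        """Derive legitimacy from the trust and signature fields, iterating to a fixpoint
        because a key counts as an introducer only once it is itself legitimate."""
        for e in self.entries.values():
            own = e.owner_trust == "ultimate"
            e.legitimacy = "revoked" if e.revoked else ("complete" if own else "unknown")
        changed = True
        while changed:
            changed = False
            for e in self.entries.values():
                if e.legitimacy != "unknown":
                    continue
                signers = (self.entries.get(k) for k in e.signatures)   # unknown signers count 0
                score = sum(WEIGHTS[s.owner_trust] for s in signers
                            if s is not None and s.legitimacy == "complete")
                if score >= 1.0:
                    e.legitimacy, changed = "complete", True
        return {e.user_id: e.legitimacy for e in self.entries.values()}

def build_demo_ring():
    """Constructed ring: moduli are small stand-ins for RSA n; only their low 64 bits matter."""
    me = (0xA1A1 << 64) | 0x1111          # key_id(me) == 0x1111 despite the higher bits
    ring = PublicKeyRing("me@example.org", me)
    ring.add("alice", 0x2222, "always", [key_id(me)])   # I signed Alice's key and trust her fully
    ring.add("bob", 0x3333, "usually", [key_id(me)])    # signed, but only marginally trusted
    ring.add("carol", 0x4444, "usually", [key_id(me)])
    ring.add("dave", 0x5555, signed_by=[0x2222])         # one fully trusted introducer: enough
    ring.add("erin", 0x6666, signed_by=[0x3333, 0x4444]) # two marginal introducers: enough
    ring.add("frank", 0x7777, signed_by=[0x3333])        # one marginal introducer: not enough
    ring.add("grace", 0x8888, signed_by=[0x5555])        # Dave's key is legitimate, but he is not a trusted introducer
    return ring
```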

    S/MIME (Secure/Multipurpose Internet Mail Extensions)
    - security enhancement to MIME email
      - original Internet RFC822 email was text only
      - MIME provided support for varying content types and multi-part messages
      - with encoding of binary data to textual form
      - S/MIME added security enhancements
    - have S/MIME support in many mail agents
      - eg MS Outlook, Mozilla, Mac Mail etc

    S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, which in turn provided support for varying content types and multi-part messages over the text only support in the original Internet RFC822 email standard. MIME allows encoding of binary data to textual form for transport over traditional RFC822 email systems. S/MIME support is now included in many modern mail agents.