7/27/2019 IT1352 cryptography & NW sec.pdf
IT1352 CRYPTOGRAPHY AND NETWORK SECURITY: TWO MARKS QUESTIONS AND ANSWERS
Private-Key Cryptography
- traditional private/secret/single key cryptography uses one key shared by both sender and receiver
- if this key is disclosed, communications are compromised
- also is symmetric: parties are equal, hence does not protect sender from receiver forging a message & claiming it was sent by sender

Public-Key Cryptography
- probably most significant advance in the 3000 year history of cryptography
- uses two keys: a public & a private key
- asymmetric since parties are not equal
- uses clever application of number theoretic concepts to function
- complements rather than replaces private key crypto

Why Public-Key Cryptography?
- developed to address two key issues:
  - key distribution: how to have secure communications in general without having to trust a KDC with your key
  - digital signatures: how to verify a message comes intact from the claimed sender
- public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
- known earlier in classified community

Public-Key Cryptography
- public-key/two-key/asymmetric cryptography involves the use of two keys:
  - a public-key, which may be known by anybody, and can be used to encrypt messages and verify signatures
  - a private-key, known only to the recipient, used to decrypt messages and sign (create) signatures
- is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures
http://csetube.weebly.com/
Public-Key Characteristics
- Public-Key algorithms rely on two keys where:
  - it is computationally infeasible to find the decryption key knowing only the algorithm & encryption key
  - it is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  - either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

Public-Key Applications
- can classify uses into 3 categories:
  - encryption/decryption (provide secrecy)
  - digital signatures (provide authentication)
  - key exchange (of session keys)
- some algorithms are suitable for all uses, others are specific to one

Security of Public Key Schemes
- like private key schemes, a brute force exhaustive search attack is always theoretically possible
- but keys used are too large (>512 bits)
- security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
- more generally the hard problem is known, but is made hard enough to be impractical to break
- requires the use of very large numbers, hence is slow compared to private key schemes
RSA
- by Rivest, Shamir & Adleman of MIT in 1977
- best known & widely used public-key scheme
- based on exponentiation in a finite (Galois) field over integers modulo a prime
  - nb. exponentiation takes O((log n)^3) operations (easy)
- uses large integers (eg. 1024 bits)
- security due to cost of factoring large numbers
  - nb. factorization takes O(e^(log n log log n)) operations (hard)

RSA Key Setup
- each user generates a public/private key pair by:
  - selecting two large primes at random: p, q
  - computing their system modulus n = p.q
    - note φ(n) = (p-1)(q-1)
  - selecting at random the encryption key e
    - where 1
1. Select primes: p=17 & q=11
2. Compute n = pq = 17 x 11 = 187
3. Compute φ(n) = (p-1)(q-1) = 16 x 10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de ≡ 1 mod 160 and d < 160; value is d=23 since 23x7 = 161 = 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

RSA Example - En/Decryption
- sample RSA encryption/decryption is:
- given message M = 88 (nb. 88
- also see choices of e=3 or e=17
- but if e too small (eg e=3) can attack using Chinese remainder theorem & 3 messages with different moduli
- if e fixed must ensure gcd(e,φ(n))=1, ie reject any p or q not relatively prime to e

Efficient Decryption
- decryption uses exponentiation to power d
  - this is likely large, insecure if not
- can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
  - approx 4 times faster than doing directly
- only the owner of the private key, who knows the values of p & q, can use this technique

RSA Key Generation
- users of RSA must:
  - determine two primes at random: p, q
  - select either e or d and compute the other
- primes p, q must not be easily derived from modulus n = p.q
  - means they must be sufficiently large
  - typically guess and use probabilistic test
- exponents e, d are inverses, so use Inverse algorithm to compute the other
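The worked example (p=17, q=11, e=7, M=88), the CRT decryption shortcut and the "guess and probabilistic test" key generation described above, put together in one runnable Python script. This is an added example, not code from the course notes or from Stallings; the Miller-Rabin test, extended-Euclid inverse and Garner-form CRT recombination are standard techniques chosen here, and the key sizes and the random message in the demo are assumptions.

```python
import random
from math import gcd

# Added example (not from the course notes): RSA key setup, en/decryption,
# CRT decryption and probabilistic key generation in Python.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin: the 'guess and use a probabilistic test' step of key generation."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def random_prime(bits):
    """Guess odd candidates of the requested size until one passes the test."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def mod_inverse(a, m):
    """Extended Euclid: return x with a*x = 1 (mod m), the 'Inverse algorithm'."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd != 1")
    return old_s % m

def rsa_setup(p, q, e):
    """Key setup from primes p, q and chosen e; returns PU=(e,n), PR=(d,n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:       # reject p or q not relatively prime to e
        raise ValueError("e not coprime to phi(n)")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)

def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)

def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)

def rsa_decrypt_crt(c, d, p, q):
    """Decrypt mod p and mod q separately, then recombine (Garner's form of the CRT).
    Only the private-key owner knows p and q, so only they can use this shortcut."""
    m_p = pow(c, d % (p - 1), p)
    m_q = pow(c, d % (q - 1), q)
    h = (mod_inverse(q, p) * (m_p - m_q)) % p
    return m_q + h * q

def textbook_example():
    """The worked example above: p=17, q=11, e=7 -> d=23; M=88 -> C=11 -> M=88."""
    pub, priv = rsa_setup(17, 11, 7)
    c = rsa_encrypt(88, pub)
    return pub, priv, c, rsa_decrypt(c, priv), rsa_decrypt_crt(c, priv[0], 17, 11)

def generate_keypair(bits=512, e=65537):
    """Random key generation: two probable primes of half the modulus size each
    (sizes are a demo assumption; e=65537 is prime, so gcd(e,phi)=1 iff e divides neither p-1 nor q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return p, q, rsa_setup(p, q, e)

if __name__ == "__main__":
    print(textbook_example())          # ((7, 187), (23, 187), 11, 88, 88)
    p, q, (pub, priv) = generate_keypair(512)
    m = random.randrange(2, pub[1])    # constructed random message below the modulus
    c = rsa_encrypt(m, pub)
    print(rsa_decrypt(c, priv) == m == rsa_decrypt_crt(c, priv[0], p, q))   # True
```

Running it prints the slide's numbers (C = 88^7 mod 187 = 11, recovered as 88 both directly and via the CRT) and then round-trips a random message through a freshly generated 512-bit key pair. Note that this is textbook RSA without padding, exactly as on the slides; real deployments add OAEP-style padding for the reasons given in the chosen-ciphertext section.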
RSA Security
- possible approaches to attacking RSA are:
  - brute force key search (infeasible given size of numbers)
  - mathematical attacks (based on difficulty of computing φ(n), by factoring modulus n)
  - timing attacks (on running of decryption)
  - chosen ciphertext attacks (given properties of RSA)

Factoring Problem
- mathematical approach takes 3 forms:
  - factor n = p.q, hence compute φ(n) and then d
  - determine φ(n) directly and compute d
  - find d directly
- currently believe all equivalent to factoring
  - have seen slow improvements over the years
  - as of May-05 best is 200 decimal digits (663 bit) with LS
  - biggest improvement comes from improved algorithm
    - cf QS to GHFS to LS
  - currently assume 1024-2048 bit RSA is secure
  - ensure p, q of similar size and matching other constraints
Timing Attacks
- developed by Paul Kocher in mid-1990s
- exploit timing variations in operations
  - eg. multiplying by small vs large number, or IF's varying which instructions are executed
- infer operand size based on time taken
- for RSA, exploits time taken in exponentiation
- countermeasures:
  - use constant exponentiation time
  - add random delays
  - blind values used in calculations

Chosen Ciphertext Attacks
- RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
  - attacker chooses ciphertexts & gets decrypted plaintext back
  - chooses ciphertext to exploit properties of RSA to provide info to help cryptanalysis
- can counter with random pad of plaintext
- or use Optimal Asymmetric Encryption Padding (OAEP)

Key Management
- public-key encryption helps address key distribution problems
- have two aspects of this:
  - distribution of public keys
  - use of public-key encryption to distribute secret keys

Distribution of Public Keys
- can be considered as using one of:
  - public announcement
  - publicly available directory
  - public-key authority
  - public-key certificates

Public Announcement
- users distribute public keys to recipients or broadcast to community at large
  - eg. append PGP keys to email messages or post to news groups or email list
- major weakness is forgery
  - anyone can create a key claiming to be someone else and broadcast it
  - until the forgery is discovered they can masquerade as the claimed user

Publicly Available Directory
- can obtain greater security by registering keys with a public directory
- directory must be trusted, with properties:
  - contains {name, public-key} entries
  - participants register securely with directory
  - participants can replace key at any time
  - directory is periodically published
  - directory can be accessed electronically
- still vulnerable to tampering or forgery

Public-Key Authority
- improve security by tightening control over distribution of keys from directory
- has properties of directory
- and requires users to know public key for the directory
- then users interact with directory to obtain any desired public key securely
  - does require real-time access to directory when keys are needed

Public-Key Authority

Public-Key Certificates
- certificates allow key exchange without real-time access to public-key authority
- a certificate binds identity to public key
  - usually with other info such as period of validity, rights of use etc
- with all contents signed by a trusted Public-Key or Certificate Authority (CA)
- can be verified by anyone who knows the public-key authority's public-key
Public-Key Distribution of Secret Keys
- use previous methods to obtain public-key
- can use for secrecy or authentication
- but public-key algorithms are slow
- so usually want to use private-key encryption to protect message contents
- hence need a session key
- have several alternatives for negotiating a suitable session key

Simple Secret Key Distribution
- proposed by Merkle in 1979
  - A generates a new temporary public key pair
  - A sends B the public key and their identity
  - B generates a session key K, sends it to A encrypted using the supplied public key
  - A decrypts the session key and both use it
- problem is that an opponent can intercept and impersonate both halves of the protocol

Public-Key Distribution of Secret Keys
Hybrid Key Distribution
- retain use of private-key KDC
- shares secret master key with each user
- distributes session key using master key
- public-key used to distribute master keys
  - especially useful with widely distributed users
- rationale:
  - performance
  - backward compatibility

Diffie-Hellman Key Exchange
- first public-key type scheme proposed
- by Diffie & Hellman in 1976 along with the exposition of public key concepts
  - note: now know that Williamson (UK CESG) secretly proposed the concept in 1970
- is a practical method for public exchange of a secret key
- used in a number of commercial products
- a public-key distribution scheme
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key
  - known only to the two participants
- value of key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial): easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring): hard

Diffie-Hellman Setup
- all users agree on global parameters:
  - large prime integer or polynomial q
  - a being a primitive root mod q
- each user (eg. A) generates their key
  - chooses a secret key (number): xA < q
  - computes their public key: yA = a^xA mod q
- each user makes public that key yA

Diffie-Hellman Key Exchange
- shared session key for users A & B is KAB:
  KAB = a^(xA.xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)
- KAB is used as session key in private-key encryption scheme between Alice and Bob
- if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
- attacker needs an x, must solve discrete log

Diffie-Hellman Example
- users Alice & Bob who wish to swap keys:
- agree on prime q=353 and a=3
- select random secret keys:
  - A chooses xA=97, B chooses xB=233
- compute respective public keys:
  - yA = 3^97 mod 353 = 40 (Alice)
  - yB = 3^233 mod 353 = 248 (Bob)
- compute shared session key as:
  - KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
  - KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
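The exchange above, run with the slide's toy parameters (q=353, a=3, xA=97, xB=233), as an added Python example that is not part of the course notes. Both halves of the protocol are computed with modular exponentiation; the primitive-root check and the exhaustive discrete-log search are included only to show the setup condition and the problem an eavesdropper faces, and they work here solely because q is tiny.

```python
# Added example (not from the course notes): Diffie-Hellman with q=353, a=3.

def dh_public_key(a, q, x):
    """y = a^x mod q: the value each party publishes."""
    return pow(a, x, q)

def dh_shared_key(q, my_secret, their_public):
    """K = y_other^x_mine mod q; both sides end up with a^(xA*xB) mod q."""
    return pow(their_public, my_secret, q)

def dh_exchange(a, q, x_a, x_b):
    """Run both halves of the protocol and return (yA, yB, K_alice, K_bob)."""
    y_a = dh_public_key(a, q, x_a)          # Alice publishes yA
    y_b = dh_public_key(a, q, x_b)          # Bob publishes yB
    k_alice = dh_shared_key(q, x_a, y_b)    # Alice: yB^xA mod q
    k_bob = dh_shared_key(q, x_b, y_a)      # Bob:   yA^xB mod q
    return y_a, y_b, k_alice, k_bob

def is_primitive_root(a, q):
    """Setup condition 'a is a primitive root mod q', checked by brute force
    (only feasible for a toy prime; real parameters use the factorisation of q-1)."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1

def toy_discrete_log(a, q, y):
    """What an eavesdropper holding only yA or yB must solve: find x with a^x = y mod q.
    Exhaustive search is possible here only because q=353 is tiny."""
    for x in range(q):
        if pow(a, x, q) == y:
            return x
    return None

if __name__ == "__main__":
    print(is_primitive_root(3, 353))        # True
    print(dh_exchange(3, 353, 97, 233))     # (40, 248, 160, 160)
    print(toy_discrete_log(3, 353, 40))     # 97
```

The printed tuple reproduces the slide: yA=40, yB=248 and both parties compute KAB=160. Unauthenticated as shown, the values yA and yB could be substituted in transit, which is the man-in-the-middle problem noted under Key Exchange Protocols; the public keys need authentication (for example via certificates) before the shared key can be trusted.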
Key Exchange Protocols
- users could create random private/public D-H keys each time they communicate
- users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to securely communicate with them
- both of these are vulnerable to a man-in-the-middle attack
- authentication of the keys is needed

Elliptic Curve Cryptography
- majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
- imposes a significant load in storing and processing keys and messages
- an alternative is to use elliptic curves
- offers same security with smaller bit sizes
- newer, but not as well analysed

Real Elliptic Curves
- an elliptic curve is defined by an equation in two variables x & y, with coefficients
- consider a cubic elliptic curve of form y^2 = x^3 + ax + b where x, y, a, b are all real numbers
- also define zero point O
- have addition operation for elliptic curve
  - geometrically, the sum Q+R is the reflection of the third point where the line through Q and R meets the curve

Finite Elliptic Curves
- Elliptic curve cryptography uses curves whose variables & coefficients are finite
- have two families commonly used:
  - prime curves E_p(a,b) defined over Z_p
    - use integers modulo a prime
    - best in software
  - binary curves E_2m(a,b) defined over GF(2^n)
    - use polynomials with binary coefficients
    - best in hardware

Elliptic Curve Cryptography
- ECC addition is analog of modulo multiply
- ECC repeated addition is analog of modulo exponentiation
- need hard problem equiv to discrete log
  - Q=kP, where Q, P belong to a prime curve
  - is easy to compute Q given k, P
  - but hard to find k given Q, P
  - known as the elliptic curve logarithm problem
- Certicom example: E_23(9,17)

ECC Diffie-Hellman
- can do key exchange analogous to D-H
- users select a suitable curve E_p(a,b)
- select base point G=(x1,y1) with large order n s.t. nG=O
- A & B select private keys nA
- same since K = nA.nB.G

ECC Encryption/Decryption
- several alternatives, will consider simplest
- must first encode any message M as a point on the elliptic curve Pm
- select suitable curve & point G as in D-H
- each user chooses private key nA
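Prime-curve arithmetic on the Certicom curve E_23(9,17) named above, with ECC Diffie-Hellman and the simplest ECC encryption scheme on top, as an added Python example (Python 3.8+ for the modular inverse via pow) that is not code from the course notes or from Certicom. The base point G=(16,5), the private keys nA=3, nB=7, the sender's random k=5 and the "message point" Pm=(4,5) are constructed for the demo; since the notes' description of encryption is cut off, the encrypt/decrypt formulas used here are the standard ElGamal-style ones, Cm = {kG, Pm + k·PB} and Pm = (Pm + k·PB) - nB·(kG).

```python
# Added example (not from the course notes): E_23(9,17), ECDH and ECC ElGamal.

# Curve y^2 = x^3 + a x + b over Z_p; the point at infinity O is represented by None.
P_MOD, A, B = 23, 9, 17
G = (16, 5)                       # constructed base point; it lies on E_23(9,17)

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Chord-and-tangent addition: the ECC analog of modular multiply."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None               # P + (-P) = O
    if p1 == p2:                  # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                         # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)

def ec_mul(k, pt):
    """Repeated addition Q = kP by double-and-add: the analog of modular exponentiation."""
    result = None
    while k > 0:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def point_order(pt):
    """Smallest n with nP = O (brute force; fine over a 23-element field)."""
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n

def ecdh(n_a, n_b):
    """ECC Diffie-Hellman: PA = nA G, PB = nB G; shared K = nA PB = nB PA = nA nB G."""
    pa, pb = ec_mul(n_a, G), ec_mul(n_b, G)
    return ec_mul(n_a, pb), ec_mul(n_b, pa)

def ec_encrypt(pm, pub_b, k):
    """Cm = {kG, Pm + k PB}; k is a fresh random value chosen by the sender."""
    return ec_mul(k, G), ec_add(pm, ec_mul(k, pub_b))

def ec_decrypt(cm, n_b):
    """Pm = (Pm + k PB) - nB (kG): the receiver's private key strips the mask."""
    c1, c2 = cm
    return ec_add(c2, ec_neg(ec_mul(n_b, c1)))

if __name__ == "__main__":
    print(ec_mul(9, G))            # (4, 5): Q = 9P, the small ECDLP instance on this curve
    print(point_order(G))          # order n of the base point, so that nG = O
    print(ecdh(3, 7))              # both sides obtain the same point
    pub_b = ec_mul(7, G)
    cm = ec_encrypt((4, 5), pub_b, k=5)
    print(ec_decrypt(cm, 7))       # (4, 5)
```

The only "hard" step for an attacker is recovering k from Q = kP; on this 23-element curve `point_order` and a loop would find it instantly, which is why real curves use primes of a few hundred bits. Everything else (key agreement, encryption) is just the two group operations above.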
- masquerade
- content modification
- sequence modification
- timing modification
- source repudiation
- destination repudiation

Message Encryption
- message encryption by itself also provides a measure of authentication
- if symmetric encryption is used then:
  - receiver knows sender must have created it
  - since only sender and receiver know the key used
  - know content cannot have been altered
  - if message has suitable structure, redundancy or a checksum to detect any changes
- if public-key encryption is used:
  - encryption provides no confidence of sender, since anyone potentially knows the public-key
  - however if sender signs message using their private-key
  - then encrypts with recipient's public key
  - have both secrecy and authentication
  - again need to recognize corrupted messages
  - but at cost of two public-key uses on message

Message Authentication Code (MAC)
- generated by an algorithm that creates a small fixed-sized block
  - depending on both message and some key
  - like encryption though need not be reversible
- appended to message as a signature
- receiver performs same computation on message and checks it matches the MAC
- provides assurance that message is unaltered and comes from sender

Message Authentication Code
- as shown the MAC provides authentication
- can also use encryption for secrecy
  - generally use separate keys for each
  - can compute MAC either before or after encryption
  - is generally regarded as better done before
- why use a MAC?
  - sometimes only authentication is needed
  - sometimes need authentication to persist longer than the encryption (eg. archival use)
- note that a MAC is not a digital signature

MAC Properties
- a MAC is a cryptographic checksum
  MAC = C_K(M)
  - condenses a variable-length message M
  - using a secret key K
  - to a fixed-sized authenticator
- is a many-to-one function
  - potentially many messages have same MAC
  - but finding these needs to be very difficult

Requirements for MACs
- taking into account the types of attacks, need the MAC to satisfy the following:
  1. knowing a message and MAC, is infeasible to find another message with same MAC
  2. MACs should be uniformly distributed
  3. MAC should depend equally on all bits of the message
In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements. The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key. The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext. The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.

Using Symmetric Ciphers for MACs
- can use any block cipher chaining mode and use final block as a MAC
- Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
  - using IV=0 and zero-pad of final block
  - encrypt message using DES in CBC mode
  - and send just the final block as the MAC
    - or the leftmost M bits (16 ≤ M ≤ 64) of final block
- but final MAC is now too small for security

Data Authentication Algorithm
Hash Functions
- condenses arbitrary message to fixed size
  h = H(M)
- usually assume that the hash function is public and not keyed
  - cf. MAC which is keyed
- hash used to detect changes to message
- can use in various ways with message
- most often to create a digital signature

Hash Functions & Digital Signatures

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
   - one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
   - weak collision resistance
6. is infeasible to find any x,y s.t. H(y)=H(x)
   - strong collision resistance
Simple Hash Functions
- are several proposals for simple functions
- based on XOR of message blocks
- not secure since can manipulate any message and either not change hash or change hash also
- need a stronger cryptographic function (next chapter)

Birthday Attacks
- might think a 64-bit hash is secure
- but by Birthday Paradox is not
- birthday attack works thus:
  - opponent generates 2^(m/2) variations of a valid message all with essentially the same meaning
  - opponent also generates 2^(m/2) variations of a desired fraudulent message
  - two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
  - have user sign the valid message, then substitute the forgery which will have a valid signature
- conclusion is that need to use larger MAC/hash
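To make the 2^(m/2) figure concrete, here is the two-set birthday search above run against a deliberately truncated hash (the leading m bits of SHA-256), as an added Python example that is not part of the course notes. The two base messages and the whitespace-variation scheme are constructed for the demo; with m=32 a match between the two sets is typically found after roughly 2^16 variants of each, which is why a short digest (or a short MAC) gives far less than m bits of security against substitution.

```python
import hashlib

# Added example (not from the course notes): birthday search on an m-bit truncated hash.

def truncated_hash(msg, m_bits):
    """Stand-in for an m-bit hash: the leading m bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - m_bits)

def variant(base, i):
    """Variation i of a message: 20 trailing tab/space choices encode i,
    so every variant reads the same but hashes differently (2^20 variants available)."""
    spaces = "".join(" " if (i >> b) & 1 else "\t" for b in range(20))
    return base + spaces.encode()

def birthday_collision(valid, fraud, m_bits):
    """Grow the valid and fraudulent variant sets in lockstep until one variant from
    each side shares a truncated hash. Returns (valid_msg, fraud_msg, n) where n
    variants of each base message were generated before the match."""
    seen_valid, seen_fraud = {}, {}
    i = 0
    while True:
        v, f = variant(valid, i), variant(fraud, i)
        hv, hf = truncated_hash(v, m_bits), truncated_hash(f, m_bits)
        if hv == hf:
            return v, f, i + 1
        if hv in seen_fraud:                 # new valid variant matches an old fraud variant
            return v, seen_fraud[hv], i + 1
        if hf in seen_valid:                 # new fraud variant matches an old valid variant
            return seen_valid[hf], f, i + 1
        seen_valid[hv], seen_fraud[hf] = v, f
        i += 1

# Constructed base messages for the demo.
VALID = b"Pay Alice 100 units for the March invoice."
FRAUD = b"Pay Mallory 100000 units for the March invoice."

if __name__ == "__main__":
    v, f, n = birthday_collision(VALID, FRAUD, 32)
    print(n, truncated_hash(v, 32) == truncated_hash(f, 32))
```

The printed count is the number of variants per set that were needed; it lands near 2^16 = 65536 rather than near 2^32, matching the slide's estimate. Raising m_bits to 64 would put the same search at about 2^32 hashes, which is why the notes conclude that a 64-bit hash is too small and that 128 bits or more are needed.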
Block Ciphers as Hash Functions
- can use block ciphers as hash functions
  - using H0=0 and zero-pad of final block
  - compute: H_i = E_{M_i}[H_{i-1}]
  - and use final block as the hash value
  - similar to CBC but without a key
- resulting hash is too small (64-bit)
  - both due to direct birthday attack
  - and to meet-in-the-middle attack
- other variants also susceptible to attack
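The DAA-style CBC-MAC from the "Using Symmetric Ciphers for MACs" section (IV=0, zero-pad of the final block, leftmost M bits of the last block) and the keyless block-cipher hash H_i = E_{M_i}[H_{i-1}] just described share one structure: a 64-bit block cipher chained over the message. The added Python example below implements both; it is not code from the course notes. Since the standard library has no DES, a 4-round Feistel network with a SHA-256 round function stands in for the 64-bit block cipher (a stand-in only, not a real cipher); the chaining, padding, truncation and constant-time verification are the parts being demonstrated, and the key and message are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not from the course notes): DAA-style CBC-MAC and the
# block-cipher hash H_i = E_{M_i}[H_{i-1}] over a stand-in 64-bit cipher.

BLOCK = 8  # 64-bit blocks, as with DES

def block_encrypt(key, block):
    """Stand-in 64-bit keyed permutation: 4-round Feistel, SHA-256 as the round
    function. Any Feistel network is invertible, so this behaves like a block cipher
    structurally, but it is NOT DES and not for real use."""
    left, right = struct.unpack(">II", block)
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(f[:4], "big")
    return struct.pack(">II", left, right)

def zero_pad(msg):
    """Zero-pad the final block, as DAA specifies."""
    return msg + b"\x00" * (-len(msg) % BLOCK)

def cbc_mac(key, msg, mac_bits=64):
    """DAA: CBC with IV=0, output the leftmost M bits (16 <= M <= 64) of the last block."""
    assert 16 <= mac_bits <= 64 and mac_bits % 8 == 0
    chain = bytes(BLOCK)                          # IV = 0
    padded = zero_pad(msg)
    for i in range(0, len(padded), BLOCK):
        block = padded[i:i + BLOCK]
        chain = block_encrypt(key, bytes(c ^ b for c, b in zip(chain, block)))
    return chain[: mac_bits // 8]

def verify_mac(key, msg, tag, mac_bits=64):
    """Receiver recomputes the MAC; a constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(cbc_mac(key, msg, mac_bits), tag)

def block_cipher_hash(msg):
    """H_0 = 0, H_i = E_{M_i}[H_{i-1}]: each message block is used as the key, no secret key at all."""
    h = bytes(BLOCK)
    padded = zero_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = block_encrypt(padded[i:i + BLOCK], h)
    return h

def tamper_detected(key, msg):
    """Flip one bit of the message and confirm the original tag no longer verifies."""
    tag = cbc_mac(key, msg)
    tampered = bytes([msg[0] ^ 0x01]) + msg[1:]
    return verify_mac(key, msg, tag) and not verify_mac(key, tampered, tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed
    msg = b"transfer 100 to account 42"          # constructed
    print(cbc_mac(key, msg).hex(), cbc_mac(key, msg, 32).hex())
    print(tamper_detected(key, msg))            # True
    print(block_cipher_hash(msg).hex())
```

Two things the code makes visible: truncating to M bits only shortens the tag, so a 32-bit DAA tag can be guessed in about 2^32 tries regardless of the key, and the block-cipher hash has no key at all, so anyone can compute it and its 64-bit output is exposed to the birthday and meet-in-the-middle searches the notes mention.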
Hash Functions & MAC Security
- like block ciphers have:
- brute-force attacks exploiting
  - strong collision resistance: hash has cost 2^(m/2)
    - have proposal for h/w MD5 cracker
    - 128-bit hash looks vulnerable, 160-bits better
  - MACs with known message-MAC pairs
    - can either attack keyspace (cf key search) or MAC
    - at least 128-bit MAC is needed for security
- cryptanalytic attacks exploit structure
  - like block ciphers want brute-force attacks to be the best alternative
- have a number of analytic attacks on iterated hash functions
  CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
  - typically focus on collisions in function f
  - like block ciphers is often composed of rounds
  - attacks exploit properties of round functions

Cryptography and Network Security
Hash and MAC Algorithms
- Hash Functions
  - condense arbitrary size message to fixed size
  - by processing message in blocks
  - through some compression function
  - either custom or block cipher based
- Message Authentication Code (MAC)
  - fixed sized authenticator for some message
  - to provide authentication for message
  - by using block cipher mode or hash function

Hash Algorithm Structure

Secure Hash Algorithm
- SHA originally designed by NIST & NSA in 1993
- was revised in 1995 as SHA-1
- US standard for use with DSA signature scheme
  - standard is FIPS 180-1 1995, also Internet RFC3174
  - nb. the algorithm is SHA, the standard is SHS
- based on design of MD4 with key differences
- produces 160-bit hash values
- recent 2005 results on security of SHA-1 have raised concerns on its use in future applications
Revised Secure Hash Standard
NIST issued the revision FIPS 180-2 in 2002, adding three additional versions of SHA:
SHA-256, SHA-384, SHA-512, designed for compatibility with the increased security provided by the AES cipher
structure & detail are similar to SHA-1, hence analysis should be similar
but the security levels are rather higher (the current edition of the standard is FIPS 180-4)
SHA-512 Overview
SHA-512 Compression Function: the heart of the algorithm, processing the message in 1024-bit blocks
consists of 80 rounds updating a 512-bit buffer, using a 64-bit value W_t derived from the current message block
and a round constant K_t based on the cube roots of the first 80 prime numbers
The SHA-512 compression function is the heart of the algorithm. In this step 4, it processes the message in 1024-bit (128-byte, sixteen 64-bit words) blocks, using a module that consists of 80 rounds, labelled F in the overall Stallings figure and shown in detail in Figure 12.2. Each round takes as input the 512-bit buffer value and updates the contents of the buffer. Each round t makes use of a 64-bit value W_t derived, using a message schedule, from the current 1024-bit block being processed. Each round also makes use of an additive constant K_t, based on the fractional parts of the cube roots of the first eighty prime numbers. The output of the eightieth round is
added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.
SHA-512 Round Function
Stallings Figure 12.4 details how the 64-bit word values W_t are derived from the 1024-bit message block. The first 16 values W_0..W_15 are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using rotates, shifts and XORs:
W_t = σ1(W_(t-2)) + W_(t-7) + σ0(W_(t-15)) + W_(t-16)   (addition mod 2^64), for 16 <= t <= 79
where the function elements are:
σ0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)
σ1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)
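The following is an added example, not code from the notes or from Stallings: a from-scratch SHA-512 in pure Python that makes the pieces described above concrete. It builds the round constants K_t from the fractional parts of the cube roots of the first 80 primes (and the initial hash value from the square roots of the first 8 primes) with integer arithmetic, expands each 1024-bit block into W_0..W_79 with the σ0/σ1 schedule above, runs the 80-round compression over the 512-bit buffer a..h, and checks the result against hashlib. The Σ0, Σ1, Ch and Maj round functions are those of FIPS 180-4; they are not shown on this page.

```python
# Added example (not from the original notes): SHA-512 from scratch, checked
# against hashlib. Demonstrates the 1024-bit block, the message schedule with
# sigma0/sigma1, the 80-round compression of a 512-bit buffer, and how the
# constants K_t come from the cube roots of the first 80 primes.
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def _primes(count):
    """First `count` primes by trial division (enough for 80)."""
    ps = []
    n = 2
    while len(ps) < count:
        if all(n % p for p in ps if p * p <= n):
            ps.append(n)
        n += 1
    return ps


def _icbrt(n):
    """Integer cube root floor(n ** (1/3)) via Newton's method on big ints."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)  # start above the root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# K_t = first 64 bits of frac(cbrt(prime_t)) = floor(cbrt(p * 2**192)) mod 2**64
K = [_icbrt(p << 192) & MASK64 for p in _primes(80)]
# H0 = first 64 bits of frac(sqrt(prime_i)) for the first 8 primes
H0 = [math.isqrt(p << 128) & MASK64 for p in _primes(8)]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sigma0(x):  # message-schedule sigma0: ROTR1 ^ ROTR8 ^ SHR7
    return _rotr(x, 1) ^ _rotr(x, 8) ^ (x >> 7)


def sigma1(x):  # message-schedule sigma1: ROTR19 ^ ROTR61 ^ SHR6
    return _rotr(x, 19) ^ _rotr(x, 61) ^ (x >> 6)


def _big_sigma0(x):  # round function Sigma0 (FIPS 180-4)
    return _rotr(x, 28) ^ _rotr(x, 34) ^ _rotr(x, 39)


def _big_sigma1(x):  # round function Sigma1 (FIPS 180-4)
    return _rotr(x, 14) ^ _rotr(x, 18) ^ _rotr(x, 41)


def _ch(x, y, z):
    return (x & y) ^ ((~x & MASK64) & z)


def _maj(x, y, z):
    return (x & y) ^ (x & z) ^ (y & z)


def message_schedule(block):
    """Expand one 1024-bit block into the 80 64-bit words W_0..W_79."""
    w = list(struct.unpack(">16Q", block))  # W_0..W_15 are the block itself
    for t in range(16, 80):
        w.append((sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16]) & MASK64)
    return w


def compress(state, block):
    """80 rounds over the buffer a..h; the result is added to the input state."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, h = state
    for t in range(80):
        t1 = (h + _big_sigma1(e) + _ch(e, f, g) + K[t] + w[t]) & MASK64
        t2 = (_big_sigma0(a) + _maj(a, b, c)) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(s + v) & MASK64 for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def sha512(msg: bytes) -> bytes:
    """Merkle-Damgard iteration: pad to a multiple of 128 bytes, chain compress()."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + bit_len.to_bytes(16, "big")
    state = list(H0)
    for i in range(0, len(padded), 128):
        state = compress(state, padded[i:i + 128])
    return b"".join(s.to_bytes(8, "big") for s in state)


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 200):
        assert sha512(m) == hashlib.sha512(m).digest()
    print("SHA-512 matches hashlib; K[0] = %#x, H0[0] = %#x" % (K[0], H0[0]))
```

Running the block verifies the implementation against hashlib for the empty message, "abc" and a multi-block input; K[0] should come out as 0x428a2f98d728ae22 and K[79] as 0x6c44198c4a475817, the first and last SHA-512 round constants in FIPS 180-4.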
Whirlpool: now examine the Whirlpool hash function
endorsed by the European NESSIE project
uses modified AES internals (the block cipher W) as its compression function
addressing the concerns on the use of block ciphers seen previously
with performance comparable to dedicated algorithms like SHA
Whirlpool Overview
Whirlpool Block Cipher W
designed specifically for hash function use, with the security and efficiency of AES
but with a 512-bit block size, and hence a 512-bit hash
similar structure & functions to AES, but the input is mapped row-wise
has 10 rounds, a different primitive polynomial for GF(2^8), and a different S-box design & values
Whirlpool Performance & Security
Whirlpool (proposed in 2000) was a very new proposal when these notes were written, hence there was little experience with its use
but many AES findings should apply; it does seem to need more hardware than SHA, but with better resulting performance
Keyed Hash Functions as MACs
want a MAC based on a hash function, because hash functions are generally faster
and code for cryptographic hash functions is widely available
the hash includes a key along with the message; original proposal:
KeyedHash = Hash(Key || Message)
weaknesses were found with this: for Merkle-Damgård hashes such as MD5, SHA-1 and SHA-2, anyone who knows Hash(Key || M) and the length of Key can compute Hash(Key || M || pad || M') for a chosen suffix M' without knowing Key (length extension)
this eventually led to the development of HMAC
HMAC is specified as Internet standard RFC 2104 and uses the hash function on the message:
HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
where K+ is the key padded out to the hash block size and opad, ipad are specified padding constants
the overhead is just three more compression-function computations than hashing the message alone (the two padded key blocks and the outer hash)
any hash function can be used, eg. MD5, SHA-1, RIPEMD-160, Whirlpool; no practical attack on HMAC-MD5 or HMAC-SHA-1 is known, but new designs should use SHA-2 (eg HMAC-SHA-256) or SHA-3
HMAC Overview
Stallings Figure 12.10 shows the structure of HMAC, which implements the function: HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
the elements are:
K+ is K padded on the right with zero bytes so that the result is b bits in length, the block size of the hash (512 bits for MD5, SHA-1 and SHA-256; 1024 bits for SHA-512); a key longer than b bits is first hashed and the digest used as K (RFC 2104)
ipad is the byte value 36 hex repeated to fill a block
opad is the byte value 5C hex repeated to fill a block
M is the message input to HMAC (including the padding specified in the embedded hash function)
HMAC Security
the proven security of HMAC relates to that of the underlying hash algorithm; attacking HMAC requires either:
a brute-force attack on the key used, or
a birthday attack on the hash (but since it is keyed, the attacker would need to observe a very large number of messages under the same key: about 2^(n/2) for an n-bit hash)
choose the hash function used based on speed versus security constraints; on the verifying side, compare the received tag with the recomputed one in constant time so that the comparison does not leak timing information
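As an added example (not code from the notes), the HMAC construction above written out literally from the formula over any hashlib digest, with the RFC 2104 key handling (hash a key longer than the block size, then append zero bytes to b bytes) and a constant-time verifier, cross-checked against Python's hmac module. The sample key and message are the RFC 2202 / RFC 4231 test case 1 inputs.

```python
# Added example (not from the original notes): HMAC built directly from
#   HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
# over any hashlib digest, checked against the stdlib hmac module.
import hashlib
import hmac


def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    h = hashlib.new(hash_name)
    b = h.block_size                       # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > b:                       # RFC 2104: a long key is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")         # K+ : zero bytes appended up to b bytes
    ipad = bytes([0x36] * b)
    opad = bytes([0x5C] * b)
    k_ipad = bytes(x ^ y for x, y in zip(k_plus, ipad))
    k_opad = bytes(x ^ y for x, y in zip(k_plus, opad))
    inner = hashlib.new(hash_name, k_ipad + msg).digest()     # H[(K+ ^ ipad) || M]
    return hashlib.new(hash_name, k_opad + inner).digest()    # H[(K+ ^ opad) || inner]


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute and compare in constant time."""
    expected = hmac_from_formula(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the formula against the reference implementation."""
    return hmac_from_formula(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    key = b"\x0b" * 20          # RFC 2202 / RFC 4231 test case 1 key
    msg = b"Hi There"           # RFC 2202 / RFC 4231 test case 1 data
    for name in ("md5", "sha1", "sha256", "sha512"):
        assert matches_stdlib(key, msg, name)
        assert matches_stdlib(b"K" * 200, msg, name)   # key longer than the block size
    tag = hmac_from_formula(key, msg)
    assert verify_tag(key, msg, tag) and not verify_tag(key, msg + b"!", tag)
    print("HMAC-SHA-256:", tag.hex())
```

With the test-case-1 inputs, HMAC-SHA-1 is b617318655057264e28bc0b6fb378c8ef146be00 and HMAC-SHA-256 is b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7, the values published in RFC 2202 and RFC 4231.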
CMAC
previously saw the DAA (CBC-MAC), widely used in government & industry
but it has a message-size limitation; this can be overcome using 2 subkeys & padding, forming the Cipher-based Message Authentication Code (CMAC)
adopted by NIST in SP 800-38B
CMAC was previously described as the Data Authentication Algorithm, FIPS PUB 113 (since withdrawn), also known as CBC-MAC (cipher block chaining message authentication code). This cipher-based MAC has been widely adopted in government and industry. It has been shown to be secure with the following restriction: only messages of one fixed length of mn bits are processed, where n is the cipher block size and m is a fixed positive integer. Without that restriction plain CBC-MAC is forgeable: an attacker who knows the tag T1 of a one-block message M1 can obtain the tag of the two-block message M1 || (T1 XOR M2) without the key, since it equals the tag of M2. This limitation can be overcome using multiple keys, which can be derived from a single key. This refinement has been adopted by NIST as the cipher-based message authentication code (CMAC) mode of operation, for use with AES and triple DES. It is specified in NIST Special Publication 800-38B.
CMAC Overview
Stallings Figure 12.12 shows the structure of CMAC. It uses the block size b of the underlying cipher (ie 128 bits for AES or 64 bits for triple DES). The message is divided into n blocks M1..Mn, the last one padded if necessary. The algorithm makes use of a k-bit encryption key K and a b-bit subkey, K1 or K2 (K1 if the final block is complete, K2 if it had to be padded). For AES, the key size k is 128, 192 or 256 bits; for triple DES, the key size is 112 or 168 bits. The two subkeys K1 & K2 are derived from the original key K by encrypting the all-zero block, L = E_K(0^b), and multiplying by x in GF(2^b): K1 = L·x, K2 = K1·x (reduction constant 0x87 for b = 128, 0x1B for b = 64), as detailed in the text.
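The following is an added example, not code from the notes or from NIST: CMAC as structured above, written over a generic 128-bit block-encryption function, with the subkey derivation (L = E_K(0^128), K1 = L·x, K2 = K1·x in GF(2^128) with constant 0x87), the 10...0 padding of an incomplete final block, and the choice of K1 versus K2. Python's standard library has no AES, so the demonstration plugs in a stand-in keyed permutation (a 4-round Feistel network with SHA-256 as its round function); that stand-in is an assumption of this demo only and is not a substitute for AES. With a real AES-128 block-encryption function in its place, cmac() computes AES-CMAC as specified in SP 800-38B.

```python
# Added example (not from the original notes): CMAC (NIST SP 800-38B) over a
# pluggable 128-bit block cipher. The stand-in cipher below exists only so the
# demo runs with the standard library; use AES in anything real.
import hashlib
import hmac

BLOCK = 16          # 128-bit block size (AES)
RB = 0x87           # SP 800-38B reduction constant for b = 128


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """ASSUMPTION / demo only: a keyed 128-bit permutation (4-round Feistel with
    SHA-256 as round function) standing in for AES, which the stdlib lacks."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def dbl(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit, XOR Rb if a 1 fell out."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n ^= RB
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def subkeys(encrypt, key: bytes):
    """K1 = L*x and K2 = K1*x, where L = E_K(0^128)."""
    k1 = dbl(encrypt(key, bytes(BLOCK)))
    return k1, dbl(k1)


def cmac(encrypt, key: bytes, msg: bytes) -> bytes:
    k1, k2 = subkeys(encrypt, key)
    if msg and len(msg) % BLOCK == 0:
        body, last = msg[:-BLOCK], xor(msg[-BLOCK:], k1)     # complete final block: K1
    else:
        r = len(msg) % BLOCK                                 # 0 only for the empty message
        body, tail = msg[:len(msg) - r], msg[len(msg) - r:]
        padded = (tail + b"\x80").ljust(BLOCK, b"\x00")      # 10...0 padding
        last = xor(padded, k2)                               # padded final block: K2
    x = bytes(BLOCK)                                         # CBC-MAC chaining value
    for i in range(0, len(body), BLOCK):
        x = encrypt(key, xor(x, body[i:i + BLOCK]))
    return encrypt(key, xor(x, last))


def verify_cmac(encrypt, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison on the verifying side."""
    return hmac.compare_digest(cmac(encrypt, key, msg), tag)


if __name__ == "__main__":
    key = b"\x01" * 16                                   # constructed sample key
    E = stand_in_block_encrypt
    for m in (b"", b"sixteen byte msg", b"twenty bytes message", b"x" * 40):
        t = cmac(E, key, m)
        assert verify_cmac(E, key, m, t) and not verify_cmac(E, key, m + b"!", t)
        print(len(m), t.hex())
```

The structure can be checked by hand: for a single complete block M the tag is E_K(M XOR K1); for the empty message it is E_K(0x80 00..00 XOR K2); for a 20-byte message it is E_K(E_K(M1) XOR pad(M2) XOR K2).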
Digital Signatures: have looked at message authentication
but it does not address issues of lack of trust between the two parties; digital signatures provide the ability to:
verify the author, date & time of a signature
authenticate the message contents at the time of the signature
be verifiable by third parties to resolve disputes
hence it includes the authentication function with additional capabilities
The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties:
It must verify the author and the date and time of the signature
It must authenticate the contents at the time of the signature
It must be verifiable by third parties, to resolve disputes
Thus, the digital signature function includes the authentication function.
Digital Signature Properties
must depend on the message signed
must use information unique to the sender, to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
must be computationally infeasible to forge, either with a new message for an existing digital signature or with a fraudulent digital signature for a given message
must be practical to save the digital signature in storage
Direct Digital Signatures involve only the sender & receiver; it is assumed the receiver has the sender's public key
the digital signature is made by the sender signing the entire message, or a hash of it, with the private key
can then encrypt using the receiver's public key
important to sign first, then encrypt the message & signature
security depends on the sender's private key
Direct digital signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by "encrypting" the entire message with the sender's private key, or by "encrypting" a hash code of the message with the sender's private key (this describes textbook RSA; in general the signing operation is applied, and in practice it is always applied to a hash). Confidentiality can be provided by further encrypting the entire message plus signature using either public- or private-key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute some third party must view the message and its signature. But these approaches are dependent on the security of the sender's private key. There will be problems if it is lost or stolen and signatures are forged. Need time-stamps and timely key revocation.
Arbitrated Digital Signatures
involves the use of an arbiter A
who validates any signed message
which is then dated and sent to the recipient
requires a suitable level of trust in the arbiter
can be implemented with either private- or public-key algorithms; the arbiter may or may not see the message
Authentication Protocols are used to convince parties of each other's identity and to exchange session keys
may be one-way or mutual; the key issues are
confidentiality, to protect session keys, and timeliness, to prevent replay attacks
published protocols are often found to have flaws and need to be modified
Authentication protocols are used to convince parties of each other's identity and to exchange session keys. They may be one-way or mutual. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Stallings discusses a number of protocols that appeared secure but were revised after additional analysis (Needham-Schroeder being the classic case). These examples highlight the difficulty of getting things right in the area of authentication.
Replay Attacks: where a valid signed message is copied and later resent
simple replay
repetition that can be logged
repetition that cannot be detected
backward replay without modification
countermeasures include
use of sequence numbers (generally impractical)
timestamps (need synchronized clocks)
challenge/response (using a unique nonce)
Replay attacks are where a valid signed message is copied and later resent. Such replays, at worst, could allow an opponent to compromise a session key or successfully impersonate another party. At a minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.
[GONG93] lists the examples above of replay attacks. Possible countermeasures include the use of:
sequence numbers (generally impractical, since each party must remember the last number used with every communicating party)
timestamps (need synchronized clocks amongst all parties involved, which can be problematic)
challenge/response (using a unique, random, unpredictable nonce; but not suitable for connectionless applications because of the handshake overhead)
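As an added example (not code from the notes or from [GONG93]), a receiver that applies the countermeasures just listed to MAC-protected messages and rejects each of the four replay forms. Every message carries a sender name, a sequence number, a timestamp and a random nonce, all covered by HMAC-SHA-256 under a shared key; the receiver rejects a message whose MAC fails, whose timestamp falls outside a freshness window, whose nonce it has already seen, whose sequence number does not advance, or that claims to come from the receiver itself (a backward replay). The message format, the shared key and the 30-second window are assumptions of this demo.

```python
# Added example (not from the original notes): replay detection combining
# sequence numbers, a timestamp window and a nonce cache over HMAC'd messages.
import hashlib
import hmac
import json
import secrets

WINDOW_SECONDS = 30          # assumed freshness window


def _canonical(body: dict) -> bytes:
    """Deterministic encoding of the fields under the MAC (sorted-key JSON)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, sender: str, seq: int, payload: str, now: float) -> dict:
    body = {"from": sender, "seq": seq, "ts": now,
            "nonce": secrets.token_hex(16), "payload": payload}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    def __init__(self, key: bytes, name: str):
        self.key = key
        self.name = name
        self.seen = {}        # nonce -> timestamp, pruned once older than the window
        self.last_seq = {}    # sender -> highest sequence number accepted

    def accept(self, msg: dict, now: float):
        """Return (accepted, reason). The MAC is checked first so that
        unauthenticated input never influences receiver state."""
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad MAC"                      # forged or tampered
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return False, "stale timestamp"              # outside the freshness window
        if msg["from"] == self.name:
            return False, "backward replay"              # our own message reflected back
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"               # simple replay inside the window
        if msg["seq"] <= self.last_seq.get(msg["from"], -1):
            return False, "sequence number did not advance"
        # accept, then drop nonces that could no longer pass the timestamp check
        self.seen[msg["nonce"]] = msg["ts"]
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        self.last_seq[msg["from"]] = msg["seq"]
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"         # constructed sample key
    bob = Receiver(key, "bob")
    t0 = 1_700_000_000.0
    m = make_message(key, "alice", 1, "transfer 10", t0)
    print(bob.accept(m, t0 + 1))            # (True, 'ok')
    print(bob.accept(m, t0 + 2))            # (False, 'replayed nonce')
    print(bob.accept(make_message(key, "alice", 2, "x", t0 - 3600), t0))  # stale
```

The nonce cache is what makes the timestamp window safe: timestamps alone allow a replay within the window, and nonces alone need unbounded storage; together, only nonces younger than the window need to be remembered.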
Using Symmetric Encryption: as discussed previously, can use a two-level hierarchy of keys, usually with a trusted Key Distribution Center (KDC)
each party shares its own master key with the KDC
the KDC generates the session keys used for connections between parties
the master keys are used to distribute these
A two-level hierarchy of symmetric encryption keys can be used to provide confidentiality for communication in a distributed environment. It usually involves the use of a trusted key distribution center (KDC). Each party in the network shares a secret master key with the KDC. The KDC is responsible for generating session keys, and for distributing those keys to the parties involved, using the master keys to protect these session keys.
Digital Signature Algorithm (DSA) creates a 320-bit signature (two 160-bit values r and s) with 512-1024-bit security parameters
smaller and faster than RSA; a digital signature scheme only (no encryption)
security depends on the difficulty of computing discrete logarithms; a variant of the ElGamal & Schnorr schemes
the sizes here are those of the original FIPS 186; later revisions raised them to L = 2048 or 3072 with a 224- or 256-bit q, and FIPS 186-5 (2023) no longer approves DSA for generating new signatures, only for verifying existing ones, so new designs should use ECDSA or EdDSA
DSA Key Generation: have shared global public key values (p, q, g):
choose a large prime p with 2^(L-1) < p < 2^L
where L = 512 to 1024 bits and is a multiple of 64
choose q with 2^159 < q < 2^160 such that q is a 160-bit prime divisor of (p-1)
choose g = h^((p-1)/q) mod p
where 1
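The following is an added example, not code from the notes or from FIPS 186: DSA parameter generation following the (p, q, g) structure above (p of L bits, q a 160-bit prime dividing p-1, g = h^((p-1)/q) mod p with h chosen so that g > 1), then key generation, signing and verification. The signing and verification equations are those of FIPS 186 and are not shown on this page. L = 512 and a SHA-256 hash truncated to 160 bits are this demo's own choices, as is the Miller-Rabin primality test.

```python
# Added example (not from the original notes): DSA end to end with the
# parameter constraints from the text (L-bit p, 160-bit q | p-1, g of order q).
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases (trial division first for speed)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(L: int = 512, N: int = 160):
    """Global public values (p, q, g): 2^(L-1) < p < 2^L, q | p-1, q of N bits."""
    assert L % 64 == 0 and 512 <= L <= 1024
    while True:                                            # N-bit prime q
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    while True:                                            # p = 2*q*j + 1 of exactly L bits
        j = secrets.randbits(L - N - 1) | (1 << (L - N - 2))
        p = 2 * q * j + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:                                            # g = h^((p-1)/q) mod p, 1 < h < p-1
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g


def generate_keypair(p, q, g):
    x = 1 + secrets.randbelow(q - 1)      # private key, 0 < x < q
    return x, pow(g, x, p)                # (x, y = g^x mod p)


def _hash_to_int(msg: bytes, q: int) -> int:
    """Leftmost N bits of the hash, as in FIPS 186-4 (SHA-256 truncated to 160 bits here)."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - q.bit_length())


def sign(p, q, g, x, msg: bytes):
    z = _hash_to_int(msg, q)
    while True:
        # k must be fresh, secret and unpredictable for every signature:
        # reusing k (or leaking a few bits of it) reveals the private key x.
        k = 1 + secrets.randbelow(q - 1)
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(p, q, g, y, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = _hash_to_int(msg, q)
    u1, u2 = (z * w) % q, (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


if __name__ == "__main__":
    p, q, g = generate_parameters(512, 160)
    x, y = generate_keypair(p, q, g)
    sig = sign(p, q, g, x, b"pay 10")
    print("valid:", verify(p, q, g, y, b"pay 10", sig))          # True
    print("forged:", verify(p, q, g, y, b"pay 1000", sig))       # False
```

Parameter generation with L = 512 takes well under a second in CPython; the checks a practitioner wants after generating (p, q, g) are that (p-1) is divisible by q and that g^q mod p = 1 with g > 1, which the test below performs.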
Unit 4: Authentication Applications
will consider authentication functions developed to support application-level authentication & digital signatures
will consider Kerberos, a private-key authentication service
then X.509, a public-key directory authentication service
Kerberos: trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed network
allows users access to services distributed through the network
without needing to trust all workstations; rather, all trust a central authentication server
two versions in use: 4 & 5
Kerberos is an authentication service developed as part of Project Athena at MIT, and is one of the best known and most widely implemented trusted third party key distribution systems. Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption (v5 later gained an optional public-key initial authentication, PKINIT). Two versions of Kerberos were in common use when these notes were written: v4 & v5; v4 is now obsolete and current deployments use v5.
Kerberos Requirements: its first report identified the requirements as:
secure, reliable, transparent, scalable
implemented using an authentication protocol based on Needham-Schroeder
Kerberos v4 Overview: a basic third-party authentication scheme
has an Authentication Server (AS); users initially negotiate with the AS to identify themselves
the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
has a Ticket Granting Server (TGS)
users subsequently request access to other services from the TGS on the basis of the user's TGT
Kerberos v4 Dialogue
1. obtain a ticket granting ticket from the AS, once per session
2. obtain a service granting ticket from the TGS (presenting the TGT), for each distinct service required
3. client/server exchange to obtain the service, on every service request
Kerberos Realms: a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with the server
application servers, sharing keys with the server
this is termed a realm, typically a single administrative domain
if there are multiple realms, their Kerberos servers must share keys and trust each other
Kerberos Version 5: developed in the early 1990s and specified as Internet standard RFC 1510 (1993), since superseded by RFC 4120 (2005)
provides improvements over v4, addressing environmental shortcomings:
encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
and technical deficiencies:
double encryption, non-standard mode of use, session keys, password attacks
X.509 Authentication Service: part of the CCITT X.500 directory service standards
distributed servers maintaining a user information database
defines a framework for authentication services
the directory may store public-key certificates, with the public key of a user signed by a certification authority
also defines authentication protocols
uses public-key crypto & digital signatures; algorithms not standardised, but RSA recommended
X.509 certificates are widely used
X.509 is part of the X.500 series of recommendations that define a directory service, being a server or distributed set of servers that maintains a database of information about users. X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of
public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.
The X.509 certificate format is widely used, for example in S/MIME, IP Security (IPsec), SSL/TLS and SET.
X.509 Certificates are issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within the CA), identifying the certificate
signature algorithm identifier
issuer X.500 name (the CA)
period of validity (from - to dates)
subject X.500 name (name of the owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of the hash of all the other fields in the certificate, made with the CA's private key)
notation: CA<<A>> denotes the certificate for A signed by CA
The X.509 certificate is the heart of the standard. There are 3 versions, with successively more information in the certificate: it must be v2 if either unique identifier field exists, and must be v3 if any extensions are used. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates. The certificate includes the elements shown.
The standard uses the notation CA<<A>> for the certificate of user A signed by the CA with its private key.
Obtaining a Certificate
any user with access to the CA's public key can verify any certificate issued by it
only the CA can modify a certificate; any other change is detected when the signature is checked
because they cannot be forged, certificates can be placed in a public directory
User certificates generated by a CA have the characteristics that any user with access to the public key of the CA can verify the user public key that was certified, and no party other than the certification authority can modify the certificate without this being detected. Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them.
CA Hierarchy
if both users share a common CA then they are assumed to know its public key; otherwise the CAs must form a hierarchy
use certificates linking members of the hierarchy to validate other CAs: each CA X holds forward certificates (certificates of X issued by other CAs) and reverse certificates (certificates X has issued for other CAs)
each client trusts its parent's certificates; this enables verification of any certificate from one CA by users of all other CAs in the hierarchy, by following a chain of certificates, eg. a user of X1 verifies B's certificate from X2 via the chain X1<<X2>> X2<<B>>
If both parties use the same CA, they know its public key and can verify each other's certificates. If not, then there has to be some means to form a chain of certifications between the CAs used by the two parties, by the use of forward and reverse certificates. It is assumed that each client trusts its parent's certificates.
Certificate Revocation
certificates have a period of validity may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA3. CA's certificate is compromised
CAs maintain list of revoked certificates
1. the Certificate Revocation List (CRL) users should check certificates with CAs CRL
A certificate includes a period of validity. Typically a new certificate is issued just before the expiration of
the old one.
In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of a range ofreasons, such as those shown above.
To support this, each CA must maintain a list consisting of all revoked but not expired certificates issued by
that CA, known as the certificate revocation list (CRL).When a user receives a certificate in a message, the user must determine whether the certificate has been
revoked, by checking the directory CRL each time a certificate is received, this often does not happen in
practice.
Authentication Procedures X.509 includes three alternative authentication procedures: One-Way Authentication
Two-Way Authentication Three-Way Authentication all use public-key signaturesX.509 also includes three alternative authentication procedures that are intended for use across a variety
of applications, used when obtaining and using certificates. 1-way for unidirectional messages (like email),
2-way for interactive sessions when timestamps are used, 3-way for interactive sessions with no need for
timestamps (and hence synchronised clocks). See Stallings Figure 14.6 for details of each of thesealternatives.
One-Way Authentication
1 message (A->B) used to establish:
the identity of A and that message is from A
message was intended for B
integrity & originality of message
message must include timestamp, nonce, B's identity and is signed by A
may include additional info for B, eg session key
One-way authentication involves a single transfer of information from one user (A) to another (B), and establishes the details shown above. Note that only the identity of the initiating entity is verified in this process, not that of the responding entity. At a minimum, the message includes a timestamp, a nonce, and the identity of B, and is signed with A's private key. The message may also include information to be
conveyed, such as a session key for B.
Two-Way Authentication
2 messages (A->B, B->A) which also establishes, in addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
reply includes original nonce from A, also timestamp and nonce from B
may include additional info for A
Two-way authentication thus permits both parties in a communication to verify the identity of the other, thus additionally establishing the above details. The reply message includes the nonce from A, to validate the reply. It also includes a timestamp and nonce generated by B, and possibly additional information for A.
Three-Way Authentication
Three-way authentication includes a final message from A to B, which contains a signed copy of the nonce, so that timestamps need not be checked, for use when synchronized clocks are not available.
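The three-message exchange above, modelled as an added example that is not part of the lecture notes: each message is signed by its sender, the receiver checks origin, intended recipient, and that the echoed nonce is its own, and accepted nonces are remembered so a replay is refused. Signatures use textbook RSA with tiny hypothetical primes (insecure, for illustration only); the message encoding and the Party class are assumptions, not X.509's real DER structures.

```python
import hashlib
import json
import os

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two small primes: (public, private). Toy sizes only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def digest(body: dict, n: int) -> int:
    # canonical encoding so signer and verifier hash identical bytes
    h = hashlib.sha1(json.dumps(body, sort_keys=True).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(body: dict, priv) -> int:
    n, d = priv
    return pow(digest(body, n), d, n)

def verify(body: dict, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(body, n)

class Party:
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.pub, self.priv = rsa_keypair(p, q)
        self.seen = set()          # nonces already accepted: detects replays
        self.my_nonce = None       # nonce we expect echoed back to us

    def fresh_nonce(self) -> str:
        self.my_nonce = os.urandom(8).hex()
        return self.my_nonce

    def send(self, body: dict):
        return body, sign(body, self.priv)

    def accept(self, msg, sender_pub, expect_echo=None) -> bool:
        body, sig = msg
        if not verify(body, sig, sender_pub):        # origin and integrity
            return False
        if body["to"] != self.name:                   # intended for us
            return False
        if expect_echo is not None and body.get("echo") != expect_echo:
            return False                              # reply not tied to our nonce
        nonce = body.get("nonce")
        if nonce is not None:
            if nonce in self.seen:
                return False                          # replayed message
            self.seen.add(nonce)
        return True

def three_way(a: "Party", b: "Party") -> bool:
    # 1. A->B: B's identity and A's nonce, signed by A (timestamps are not
    #    relied on in the three-way variant, so none is carried here)
    m1 = a.send({"to": b.name, "nonce": a.fresh_nonce()})
    if not b.accept(m1, a.pub):
        return False
    # 2. B->A: echoes A's nonce, adds B's own nonce, signed by B
    m2 = b.send({"to": a.name, "echo": m1[0]["nonce"], "nonce": b.fresh_nonce()})
    if not a.accept(m2, b.pub, expect_echo=a.my_nonce):
        return False
    # 3. A->B: signed copy of B's nonce, so B needs no synchronised clock
    m3 = a.send({"to": b.name, "echo": m2[0]["nonce"]})
    return b.accept(m3, a.pub, expect_echo=b.my_nonce)
```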
X.509 Version 3
has been recognised that additional information is needed in a certificate:
email/URL, policy details, usage constraints
rather than explicitly naming new fields, defined a general extension method
extensions consist of:
extension identifier
criticality indicator
extension value
The X.509 version 2 format does not convey all of the information that recent design and implementation experience has shown to be needed. Rather than continue to add fields to a fixed format, standards developers felt that a more flexible approach was needed. X.509 version 3 includes a number of optional extensions that may be added to the version 2 format. Each extension consists of an extension identifier, a criticality indicator, and an extension value. The criticality indicator indicates whether an extension can be safely ignored or not (in which case, if the extension is unknown, the certificate is invalid).
Certificate Extensions
key and policy information: convey info about subject & issuer keys, plus indicators of certificate policy
certificate subject and issuer attributes: support alternative names, in alternative formats, for certificate subject and/or issuer
certificate path constraints: allow constraints on use of certificates by other CAs
The certificate extensions fall into three main categories:
key and policy information - convey additional information about the subject and issuer keys, plus indicators of certificate policy
subject and issuer attributes - support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject
certification path constraints - allow constraint specifications to be included in certificates issued for CAs by other CAs
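The acceptance checks described under Certificate Revocation and X.509 Version 3 (validity period, lookup in the CA's CRL of revoked-but-unexpired certificates, and the rule that an unknown extension may be ignored only when non-critical), as an added example that is not part of the notes. The Certificate class, the CRL layout and the set of known extensions are assumptions; real X.509 uses signed ASN.1/DER structures.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime
    # X.509 v3 extensions: identifier -> (criticality indicator, extension value)
    extensions: dict = field(default_factory=dict)

# Extensions this hypothetical relying party knows how to process.
KNOWN_EXTENSIONS = {"keyUsage", "subjectAltName", "basicConstraints"}

def prune_crl(crl: dict, now: datetime) -> dict:
    """A CRL lists revoked but NOT yet expired certificates: entries whose
    certificate has passed its not_after date are dropped when the CA reissues it.
    crl maps serial -> (revocation time, that certificate's not_after)."""
    return {s: (rev, exp) for s, (rev, exp) in crl.items() if exp > now}

def check_certificate(cert: Certificate, crl: dict, now: datetime) -> str:
    # 1. validity period
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    # 2. revocation: look the serial up in the issuing CA's CRL
    if cert.serial in crl:
        return "revoked"
    # 3. extensions: an unknown extension may be ignored only if non-critical
    for ext_id, (critical, _value) in cert.extensions.items():
        if critical and ext_id not in KNOWN_EXTENSIONS:
            return "invalid"
    return "valid"

# Constructed sample data (not real certificates or CRL entries).
NOW = datetime(2019, 7, 27)
CA_CRL = {
    1001: (datetime(2019, 6, 1), datetime(2020, 1, 1)),    # revoked, still unexpired
    1002: (datetime(2018, 3, 1), datetime(2018, 12, 31)),  # revoked but since expired
}
CERTS = {
    "fine":      Certificate(1003, "CA1", datetime(2019, 1, 1), datetime(2020, 1, 1),
                             {"keyUsage": (True, "digitalSignature")}),
    "revoked":   Certificate(1001, "CA1", datetime(2019, 1, 1), datetime(2020, 1, 1)),
    "expired":   Certificate(1002, "CA1", datetime(2018, 1, 1), datetime(2018, 12, 31)),
    "critical":  Certificate(1004, "CA1", datetime(2019, 1, 1), datetime(2020, 1, 1),
                             {"vendorPolicy": (True, "x")}),
    "ignorable": Certificate(1005, "CA1", datetime(2019, 1, 1), datetime(2020, 1, 1),
                             {"vendorPolicy": (False, "x")}),
}

def run_checks() -> dict:
    """Check every sample certificate against the pruned CRL at time NOW."""
    crl = prune_crl(CA_CRL, NOW)
    return {name: check_certificate(c, crl, NOW) for name, c in CERTS.items()}
```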
Public Key Infrastructure
RFC 2822 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography. The IETF Public Key Infrastructure X.509 (PKIX) working group has set up a formal (and generic) model based on X.509 that is suitable for deploying a certificate-based architecture on the Internet.
Email Security
email is one of the most widely used and regarded network services
currently message contents are not secure: may be inspected either in transit or by suitably privileged users on destination system
Email Security Enhancements
confidentiality: protection from disclosure
authentication: of sender of message
message integrity: protection from modification
non-repudiation of origin: protection from denial by sender
With the explosively growing reliance on electronic mail for every conceivable purpose, there grows a demand for authentication and confidentiality services. What we want is something more akin to standard mail (contents protected inside an envelope) if not registered mail (have confidence about the sender of the mail and its contents). That is, the classic security services listed are desired.
Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algs to use
integrated into a single program
on Unix, PC, Macintosh and other systems
originally free, now also have commercial versions available
The Pretty Good Privacy (PGP) secure email program is a remarkable phenomenon; it has grown explosively and is now widely used. Largely the effort of a single person, Phil Zimmermann, who selected the best available crypto algorithms to use & integrated them into a single program, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. It runs on a wide range of systems, in both free & commercial versions.
PGP Operation - Authentication
1. sender creates message
2. use SHA-1 to generate 160-bit hash of message
3. signed hash with RSA using sender's private key, and is attached to message
4. receiver uses RSA with sender's public key to decrypt and recover hash code
5. receiver verifies received message using hash of it and compares with decrypted hash code
The actual operation of PGP consists of five services: authentication, confidentiality, compression, e-mail compatibility, and segmentation. Here see the digital signature service provided by PGP, using the steps as shown. Note this assumes use of RSA digital signatures; recent PGP versions also support the use of DSS signatures. Signatures can also be detached from a message/file and sent/stored separately.
PGP Operation - Confidentiality
1. sender generates message and 128-bit random number as session key for it
2. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
3. session key encrypted using RSA with recipient's public key, & attached to msg
4. receiver uses RSA with private key to decrypt and recover session key
5. session key is used to decrypt message
Another basic service provided by PGP is confidentiality, provided by encrypting messages to be transmitted or to be stored locally as files, using symmetric encryption algorithms CAST-128, IDEA or 3DES in 64-bit cipher feedback (CFB) mode. The randomly chosen session key used for this is sent encrypted using the recipient's public RSA key. The steps used in this process are as shown. Recent PGP versions also support the use of ElGamal (a Diffie-Hellman variant) for session-key exchange.
can use both services on same message:
create signature & attach to message
encrypt both message & signature
attach RSA/ElGamal encrypted session key
PGP Operation - Compression
by default PGP compresses message after signing but before encrypting
so can store uncompressed message & signature for later verification
& because compression is non-deterministic
uses ZIP compression algorithm
PGP Operation - Email Compatibility
when using PGP will have binary data to send (encrypted message etc)
however email was designed only for text
hence PGP must encode raw binary data into printable ASCII characters
uses radix-64 algorithm: maps 3 bytes to 4 printable chars, also appends a CRC
PGP also segments messages if too big
When PGP is used, at least part of the block to be transmitted is encrypted, and thus consists of a stream of arbitrary 8-bit octets. However many electronic mail systems only permit the use of ASCII text. To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. It uses radix-64 conversion, in which each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors.
See Stallings Appendix 15B for a description. PGP also automatically subdivides a message that is too large for a single email into segments that are small enough to send.
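The radix-64 conversion and the appended CRC described above, as an added example that is not from the notes: three octets become four printable characters, and the 24-bit CRC (polynomial and initial value as specified for OpenPGP ASCII armor in RFC 4880 section 6.1) lets the receiver detect a block corrupted in transit. The armor()/dearmor() helpers and the sample bytes are constructed for this example; the checksum line format is simplified to the "=" plus four characters that PGP appends.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def radix64_encode(data: bytes) -> str:
    """Map each group of three 8-bit octets onto four printable characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")   # one 24-bit group
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)                                  # 0, 1 or 2 pad chars
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)

def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP armor (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def checksum_line(data: bytes) -> str:
    # the CRC is itself radix-64 encoded and prefixed with "="
    return "=" + radix64_encode(crc24(data).to_bytes(3, "big"))

def armor(data: bytes) -> str:
    """Printable form of a binary block: radix-64 body, then the CRC line."""
    return radix64_encode(data) + "\n" + checksum_line(data)

def armor_is_intact(text: str) -> bool:
    """True if the body decodes and its CRC-24 matches the checksum line."""
    body, check = text.rsplit("\n", 1)
    try:
        data = base64.b64decode(body, validate=True)   # stdlib inverse of radix-64
    except (ValueError, TypeError):
        return False
    return check == checksum_line(data)

def dearmor(text: str) -> bytes:
    if not armor_is_intact(text):
        raise ValueError("CRC-24 mismatch: armored block was corrupted in transit")
    return base64.b64decode(text.rsplit("\n", 1)[0])

def matches_stdlib(data: bytes) -> bool:
    """Cross-check: radix-64 is the same mapping the standard base64 module uses."""
    return radix64_encode(data) == base64.b64encode(data).decode()
```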
PGP Session Keys
need a session key for each message
of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES
generated using ANSI X12.17 mode
uses random inputs taken from previous uses and from keystroke timing of user
PGP makes use of four types of keys: one-time session symmetric keys, public keys, private keys, and passphrase-based symmetric keys. Each session key is associated with a single message and is used only for the purpose of encrypting and decrypting that message. Random numbers are generated using the ANSI X12.17 generator, with inputs based on keystroke input from the user, where both the keystroke timing and the actual keys struck are used to generate a randomized stream of numbers. Stallings Appendix 15C discusses PGP random number generation techniques in more detail.
PGP Public & Private Keys
since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
could send full public-key with every message but this is inefficient
rather use a key identifier based on key
is least significant 64 bits of the key
will very likely be unique
also use key ID in signatures
Since many public/private keys may be in use with PGP, there is a need to identify which key is actually used to encrypt the session key for any specific message. You could just send the full public-key with every message, but this is inefficient. Rather, PGP uses a key identifier based on the least significant 64 bits of the key, which will very likely be unique. Then only the much shorter key ID need be transmitted with any message. A key ID is also required for the PGP digital signature.
PGP Message Format
PGP Key Rings
each PGP user has a pair of key rings:
public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID
private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase
security of private keys thus depends on the pass-phrase security
Keys & key IDs are critical to the operation of PGP. These keys need to be stored and organized in a systematic way for efficient and effective use by all parties. PGP uses a pair of data structures, one to store the user's public/private key pairs - their private-key ring; and one to store the public keys of other known users - their public-key ring. The private keys are kept encrypted using a block cipher, with a key derived by hashing a pass-phrase which the user enters whenever that key needs to be used. As in any system based on passwords, the security of this system depends on the security of the password, which should be not easily guessed but easily remembered.
PGP Key Management
rather than relying on certificate authorities, in PGP every user is own CA
can sign keys for users they know directly
forms a web of trust
trust keys have signed
can trust keys others have signed if have a chain of signatures to them
key ring includes trust indicators
users can also revoke their keys
The PGP documentation notes that "This whole business of protecting public keys from tampering is the single most difficult problem in practical public key applications." Its solution is to support a variety of formal and informal environments, in which any user can act as a CA to certify another user's public key, and then act as a trusted introducer to other users, thus forming a web of trust. PGP provides a convenient means of using trust, associating trust with public keys, and exploiting trust information. The key ring is regularly processed to derive trust indicators for keys in it.
PGP allows a user to revoke their current public key, either because compromise is suspected or simply to avoid the use of the same key for an extended period.
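How a key ring can be "processed to derive trust indicators", covering both the key-ID scheme under PGP Public & Private Keys and the web of trust above, as an added example that is not from the notes. Key IDs are the low 64 bits of the public key as the notes state; the thresholds (one fully trusted signer, or two marginally trusted signers, and only signatures from keys that are themselves legitimate count) follow classic PGP defaults; the ring contents, names and trust assignments are constructed sample data and the public keys are arbitrary integers standing in for RSA moduli.

```python
COMPLETE, MARGINAL = "complete", "marginal"   # owner-trust levels (anything else: none)

def key_id(public_key: int) -> int:
    """PGP key ID: the least significant 64 bits of the public key."""
    return public_key & ((1 << 64) - 1)

def compute_legitimacy(ring, owner_trust, signatures, own_kid,
                       need_complete=1, need_marginal=2):
    """ring: key_id -> public key. owner_trust: key_id -> how far this user trusts
    that key's owner to certify other keys. signatures: key_id -> set of signer
    key_ids. Returns the set of key IDs the ring treats as legitimate."""
    legit = {own_kid}              # the user's own key is legitimate by definition
    changed = True
    while changed:                 # a newly legitimate key may vouch for others
        changed = False
        for kid in ring:
            if kid in legit:
                continue
            # only signatures made by keys that are themselves legitimate count
            signers = [s for s in signatures.get(kid, ()) if s in legit]
            complete = sum(owner_trust.get(s) == COMPLETE for s in signers)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in signers)
            if complete >= need_complete or marginal >= need_marginal:
                legit.add(kid)
                changed = True
    return legit

# Constructed sample ring (hypothetical users; integers stand in for real keys).
PUBKEYS = {
    "me":    0x1111_0000000000000001,
    "alice": 0x2222_0000000000000002,   # fully trusted introducer, signed by me
    "bob":   0x3333_0000000000000003,   # marginally trusted, signed by me
    "carol": 0x4444_0000000000000004,   # marginally trusted, signed by me
    "dave":  0x5555_0000000000000005,   # signed by alice only
    "erin":  0x6666_0000000000000006,   # signed by bob and carol
    "frank": 0x7777_0000000000000007,   # signed by bob only: one marginal is not enough
    "grace": 0x8888_0000000000000008,   # signed by dave: legitimate key, but not trusted as introducer
}
KID = {name: key_id(k) for name, k in PUBKEYS.items()}
RING = {KID[n]: k for n, k in PUBKEYS.items()}
OWNER_TRUST = {KID["me"]: COMPLETE, KID["alice"]: COMPLETE,
               KID["bob"]: MARGINAL, KID["carol"]: MARGINAL}
SIGNATURES = {
    KID["alice"]: {KID["me"]}, KID["bob"]: {KID["me"]}, KID["carol"]: {KID["me"]},
    KID["dave"]:  {KID["alice"]},
    KID["erin"]:  {KID["bob"], KID["carol"]},
    KID["frank"]: {KID["bob"]},
    KID["grace"]: {KID["dave"]},
}

def legitimate_names() -> set:
    """Names whose keys the sample ring would mark legitimate."""
    legit = compute_legitimacy(RING, OWNER_TRUST, SIGNATURES, KID["me"])
    return {name for name, kid in KID.items() if kid in legit}
```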
S/MIME (Secure/Multipurpose Internet Mail Extensions)
security enhancement to MIME email
original Internet RFC822 email was text only
MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form
S/MIME added security enhancements
have S/MIME support in many mail agents, eg MS Outlook, Mozilla, Mac Mail etc
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, which in turn provided support for varying content types and multi-part messages over the text-only support in the original Internet RFC822 email standard. MIME allows encoding of binary data to textual form for transport over traditional RFC822 email systems. S/MIME support is now included in many modern mail agents.
S