CN 8 PDF
JNTUWORLD
Non-repudiation
Authentication
Integrity control
Security: It has to do with keeping information out of the hands of unauthorized users.
Authentication: It deals with determining whom you are talking to before revealing sensitive
information or entering into a business deal.
Integrity control: It makes sure that the message received was really the one sent, and not
something that a malicious adversary modified in transit.
www.jntuworld.com
4. Transport layer: Entire connections can be encrypted, end to end, i.e., process to process.
5. Application layer:
a) Traditional cryptography
b) 2 fundamental cryptography principles.
c) Secret-key Algorithms.
d) Public-key Algorithms.
e) Authentication protocols.
f) Digital signatures.
g) Social issues.
EK (P)
The key is a short string that selects one of many potential encryptions. A key length of 2 digits
means that there are 100 possibilities, 3 digits means 1000 possibilities and 6 digits means a
million. The longer the key, the higher the work factor the cryptanalyst has to deal with.
Encryption methods:
Substitution Ciphers.
Transposition Ciphers.
One-Time Pads.
(i). Substitution Ciphers: They preserve the order of plaintext symbols but disguise them. In
this, each letter or group of letters is replaced by another letter or group of letters to disguise it.
One of the oldest ciphers is the Caesar cipher. In this, the alphabet is shifted by 3 letters, i.e.,
a→D, b→E, c→F, ..., z→C.
properties of natural languages. In English, for example, e is the most common letter, followed
by t, o, a, n, etc. The most common 2-letter combinations are th, an, in, re, and the most common
3-letter combinations are the, int, and, ion.
(ii). Transposition Ciphers: These reorder the letters but do not disguise them. The following
diagram depicts the columnar transposition, in which the cipher is keyed by a word or phrase not
containing any repeated letters.
In the above example, MEGABUCK is the key. The purpose of the key is to number the
columns, column-1 being under the key letter closest to the start of the alphabet, and so on. The
plain text is normally written horizontally, in rows. The cipher text is read out by columns,
starting with the column whose key letter is the lowest.
The cryptanalyst must first be aware that he is dealing with a transposition cipher. By
looking at the frequency of E, T, A, O, I, N, etc., it is easy to see whether they fit the
normal pattern for plain text. If so, the cipher is clearly a transposition cipher, because in
such a cipher every letter represents itself.
The next step is to make a guess at the number of columns. In many cases, a probable
word or phrase may be guessed from the context of the message. For each key length, a
different set of digrams is produced in the cipher text. By hunting for various
possibilities, the cryptanalyst can often easily determine the key length.
The remaining step is to order the columns. When the number of columns, k, is small,
each of the k(k-1) column pairs can be examined to see if its digram frequencies match
those for English plain text. The pair with the best match is assumed to be correctly
positioned. Now, each remaining column is tentatively tried as the successor to this pair.
The column whose digram and trigram frequencies give the best match is tentatively
assumed to be correct. The predecessor is found in the same way. The entire process is
continued until a potential ordering is found.
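The column numbering, the column-by-column read-out and the letter-frequency observation described above, as an added Python example (not part of the original notes). MEGABUCK is the key from the text; the sample message and the pad letter x are constructed for illustration.

```python
from collections import Counter


def read_order(key):
    """Column indices in the order they are read out: lowest key letter first."""
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def column_numbers(key):
    """Number written under each key letter (1 = letter closest to the start of the alphabet)."""
    numbers = [0] * len(key)
    for rank, col in enumerate(read_order(key), start=1):
        numbers[col] = rank
    return numbers


def encrypt(plaintext, key, pad="x"):
    """Write the letters in rows of len(key), then read the columns in key order."""
    k = len(key)
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    text += pad * (-len(text) % k)                  # fill up the last row
    rows = [text[i:i + k] for i in range(0, len(text), k)]
    return "".join(row[col] for col in read_order(key) for row in rows).upper()


def decrypt(ciphertext, key):
    """Cut the cipher text back into columns, put them under their key letters, read by rows."""
    k = len(key)
    if len(ciphertext) % k:
        raise ValueError("cipher text length must be a multiple of the key length")
    depth = len(ciphertext) // k
    columns = [""] * k
    for pos, col in enumerate(read_order(key)):
        columns[col] = ciphertext[pos * depth:(pos + 1) * depth]
    return "".join(columns[col][row] for row in range(depth) for col in range(k)).lower()


def same_letter_counts(a, b):
    """True when both texts contain exactly the same letters, as transposition guarantees."""
    return Counter(a.lower()) == Counter(b.lower())


if __name__ == "__main__":
    KEY = "MEGABUCK"
    MESSAGE = "send the report now"                 # constructed sample message
    cipher = encrypt(MESSAGE, KEY)
    print("column numbers:", column_numbers(KEY))
    print("cipher text   :", cipher)
    print("decrypted     :", decrypt(cipher, KEY))
    print("letters kept  :", same_letter_counts(cipher, "sendthereportnow"))
```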
(iii). One-time pads: In this, first, choose a random bit string as the key. Then, convert the
plaintext into a string, for example, by using its ASCII representation. Finally, compute the
EXCLUSIVE-OR of these two strings, bit by bit.
Advantages:
1. As every possible plain text is an equally probable candidate, the resulting cipher text
cannot be broken.
2. The resulting cipher text gives the cryptanalyst no information at all.
Disadvantages:
1. The key cannot be memorized and so both sender and receiver must carry a written copy
with them.
2. The total amount of data that can be transmitted is limited by the amount of key
available.
3. It is sensitive to lost or inserted characters.
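An added Python illustration (not from the original notes) of the one-time pad and of the points listed above: any plain text of the same length is explained by some key, the pad limits how much can be sent, and one lost character garbles everything after it. The messages and helper names are constructed.

```python
import secrets


def new_pad(length):
    """A fresh random key, one key byte per message byte."""
    return secrets.token_bytes(length)


def xor_bytes(data, key):
    """Bit-by-bit EXCLUSIVE-OR of message and key; the same call encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("pad exhausted: the key is shorter than the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_explaining(ciphertext, candidate):
    """The key under which this cipher text decrypts to the candidate plain text."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must have the same length as the cipher text")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


def decrypt_after_loss(ciphertext, key, lost_index):
    """Decrypt a cipher text from which one byte was lost in transit."""
    damaged = ciphertext[:lost_index] + ciphertext[lost_index + 1:]
    return xor_bytes(damaged, key)


if __name__ == "__main__":
    message = b"I love you."                        # constructed sample
    pad = new_pad(len(message))
    cipher = xor_bytes(message, pad)
    print(xor_bytes(cipher, pad))                   # the original message
    # A different key turns the same cipher text into a different, equally valid message.
    other = key_explaining(cipher, b"Elvis lives")
    print(xor_bytes(cipher, other))
    # After a lost byte, sender and receiver are out of step with the pad.
    print(decrypt_after_loss(cipher, pad, 4))
```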
(c). Secret-Key algorithms:
The object is to make the encryption algorithm so complex and involuted that even if the
cryptanalyst acquires vast mounds of enciphered text of his own choosing, he will not be able to
make any sense of it at all. Transpositions and substitutions can be implemented with simple
circuits like P-boxes and S-boxes respectively.
P-box (Permutation-box): Used to effect a transposition on an 8-bit input. If the 8 bits are
designated as 01234567 from top to bottom, the output of this box is 36071245. By appropriate
internal wiring, a P-box can be made to perform any transposition and do it at practically the
speed of light.
S-box (Substitution-box): Substitutions are performed by S-boxes. The n-bit input selects one
of the 8 lines exiting from the first stage and sets it to 1. All the other lines are 0.
Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a
copy of the right input. The right output is the bit-wise EXCLUSIVE-OR of the left input and a
function of the right input and the key for this stage, Ki. The function consists of 4 steps,
carried out in sequence.
1. A 48-bit number, E, is constructed by expanding the 32-bit Ri-1 according to a fixed
transposition and duplication rule.
2. E and Ki are EXCLUSIVE-ORed together.
3. This output is then partitioned into 8 groups (each of 6 bits), each of which is fed into a
different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.
4. Finally, these 8 x 4 bits are passed through a P-box.
In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit
transposition is applied to the key. Just before each iteration, the key is partitioned into two
28-bit units, each of which is rotated left by a number of bits dependent on the iteration number.
Ki is derived from this rotated key by applying yet another 56-bit transposition to it. A different
48-bit subset of the 56 bits is extracted and permuted on each round.
2. DES-CHAINING:
Electronic code book mode: To overcome the problem of DES, this method is used, in which a
long message is encrypted by breaking it up into consecutive 8-byte (64-bit) blocks and
encrypting them one after another with the same key. The last block is padded out to 64 bits, if
need be.
Let us consider an example of a file consisting of consecutive 32-byte records in the
format: 16 bytes for the name, 8 bytes for the position and 8 bytes for the bonus of an employee
in an organization. Each of the sixteen 8-byte blocks is encrypted by DES.
To overcome some types of attacks, DES is chained in various ways. One of the ways is Cipher
Block Chaining. In this method, each plain text block is EXCLUSIVE-ORed (XOR) with the
previous cipher text block before being encrypted. Consequently, the same plain text block no
longer maps on to the same cipher text block, and the encryption is no longer a big
monoalphabetic substitution cipher. The first block is EXCLUSIVE-ORed with a randomly chosen
initialization vector, IV, that is transmitted along with the cipher text.
Working:
1. Compute C0 = E(P0 XOR IV).
2. Then, compute C1 = E(P1 XOR C0) and so on.
3. The encryption of block i is a function of all the plain text in blocks 0 through i-1, so
the same plain text generates different cipher text depending on where it occurs.
4. The decryption occurs the other way, with P0 = IV XOR D(C0) and so on.
Advantage:
The same plain text block will not result in the same cipher text block, making cryptanalysis
more difficult.
Disadvantage:
It requires an entire 64-bit block to arrive before decryption can begin.
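An added Python sketch (not from the original notes) of the 16-stage structure described earlier and of electronic code book versus cipher block chaining on the 32-byte employee records. The round function and key schedule are SHA-256 stand-ins, an assumption made to keep the example short, not DES's expansion, S-box and P-box tables; the records, key and IV are constructed.

```python
import hashlib
import secrets

BLOCK = 8     # 64-bit blocks, as in DES
ROUNDS = 16   # number of stages


def round_keys(key):
    # Stand-in key schedule (assumption): one 32-bit Ki per stage, derived with SHA-256.
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def f(right, ki):
    # Stand-in for the expand / XOR with Ki / S-boxes / P-box function (assumption).
    data = right.to_bytes(4, "big") + ki.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, keys):
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for ki in keys:
        # Left output = right input; right output = left input XOR f(right input, Ki).
        left, right = right, left ^ f(right, ki)
    # Swapping the halves at the end lets decryption reuse this routine with reversed keys.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(data, key):
    return b"".join(encrypt_block(p, key) for p in split_blocks(data))


def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for p in split_blocks(data):
        prev = encrypt_block(xor(p, prev), key)        # Ci = E(Pi XOR Ci-1), first with IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in split_blocks(data):
        out.append(xor(decrypt_block(c, key), prev))   # Pi = Ci-1 XOR D(Ci)
        prev = c
    return b"".join(out)


def duplicate_blocks(ciphertext):
    """How many cipher text blocks repeat an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def record(name, position, bonus):
    # 16 bytes name, 8 bytes position, 8 bytes bonus.
    return (name.ljust(16) + position.ljust(8) + bonus.rjust(8)).encode("ascii")


# Constructed sample file: four 32-byte records = sixteen 8-byte blocks.
RECORDS = (record("Adams, Leslie", "Clerk", "$10")
           + record("Black, Robin", "Clerk", "$12")
           + record("Collins, Kim", "Manager", "$100,000")
           + record("Davis, Bobbie", "Janitor", "$5"))

if __name__ == "__main__":
    key = b"constructed demo key"
    iv = secrets.token_bytes(BLOCK)                    # fresh IV for every message
    ecb = ecb_encrypt(RECORDS, key)
    cbc = cbc_encrypt(RECORDS, key, iv)
    print("repeated blocks, ECB:", duplicate_blocks(ecb))   # the two "Clerk" blocks match
    print("repeated blocks, CBC:", duplicate_blocks(cbc))
    print("CBC round trip ok   :", cbc_decrypt(cbc, key, iv) == RECORDS)
```

In ECB the two identical position fields encrypt to identical blocks, so the file's structure shows through the cipher text; with chaining and an IV they do not.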
To overcome this disadvantage, byte-by-byte encryption is done using Cipher Feedback
mode. In the figure, the state of the encryption machine is shown after bytes 0 through 9 have
been encrypted and sent. When plain text byte 10 arrives, the DES algorithm operates on the
64-bit shift register to generate a 64-bit cipher text, from which the leftmost byte is extracted
and EXCLUSIVE-ORed with P10. That byte is transmitted on the transmission line. In addition, the
shift register is shifted left 8 bits, causing C2 to fall off the left end, and C10 is inserted in
the position just vacated at the right end by C9.
Decryption is done by encrypting the contents of the shift register, so that the selected byte
that is EXCLUSIVE-ORed with C10 to get P10 is the same one that was EXCLUSIVE-ORed with P10
to generate C10 in the first place.
For applications in which a 1-bit transmission error messing up 64 bits of plain text is too
large an effect, Output feedback mode is used. It is identical to cipher feedback mode except
that the byte fed back into the right end of the shift register is taken from just before the
EXCLUSIVE-OR box, not just after it.
Advantage:
It has the property that a 1-bit error in the cipher text causes only a 1-bit error in the resulting
plain text.
3. IDEA (International Data Encryption Algorithm):
The basic structure of the algorithm resembles DES in that 64-bit plain text input blocks are
mangled in a sequence of parameterized iterations to produce 64-bit cipher text output blocks.
Given the extensive bit mangling, 8 iterations are sufficient. IDEA can be used in cipher
feedback mode and other DES modes.
In the above figure, the details of one iteration are depicted, in which three operations are used,
all on unsigned 16-bit numbers. These operations are EXCLUSIVE-OR, addition modulo 2^16,
and multiplication modulo 2^16 + 1. The operations have the property that no two pairs obey the
associative law or distributive law, making cryptanalysis more difficult. The 128-bit key is used
to generate 52 sub keys of 16 bits each, 6 for each of 8 iterations and 4 for the final
transformation. Decryption uses the same algorithm as encryption, only with different sub keys.
In the above example, the encryption of the plain text SUZANNE is shown:
p = 3, q = 11, n = 33, z = 20
Encryption:
C = M^e mod n
  = [(88^4 mod 187) * (88^2 mod 187) * (88^1 mod 187)] mod 187
  = 11
Decryption:
M = C^d mod n
  = 11^23 mod 187
  = [(11^1 mod 187) * (11^2 mod 187) * (11^4 mod 187) * (11^8 mod 187) * (11^8 mod 187)] mod 187
  = [(11 mod 187) * (121 mod 187) * (14,641 mod 187) * (214,358,881 mod 187) * (214,358,881 mod 187)] mod 187
  = (11 * 121 * 55 * 33 * 33) mod 187
  = 79,720,245 mod 187
  = 88.
Receiver's computation
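The two worked computations above, carried through in an added Python example (not from the original notes) with square-and-multiply exponentiation and key derivation. The exponent e = 3 for n = 33 and the factors 17 and 11 of 187 are assumptions of this example, since the page does not state them; letters are coded a = 1 ... z = 26.

```python
from math import gcd


def binary_factors(base, exp, mod):
    """Split base^exp into the repeated squares that are multiplied together.

    Returns (power, base^power mod mod) for every 1-bit of exp.
    """
    factors, power, value = [], 1, base % mod
    while exp:
        if exp & 1:
            factors.append((power, value))
        value = value * value % mod      # next square: base^(2*power) mod mod
        power *= 2
        exp >>= 1
    return factors


def modexp(base, exp, mod):
    """base^exp mod mod without ever forming the huge intermediate number."""
    result = 1
    for _, value in binary_factors(base, exp, mod):
        result = result * value % mod
    return result


def modinv(e, z):
    """d with e*d = 1 (mod z), by the extended Euclidean algorithm."""
    old_r, r = e, z
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e has no inverse modulo z")
    return old_s % z


def make_keys(p, q, e):
    """Public key (e, n) and private key (d, n) from two primes and a chosen e."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    return (e, n), (modinv(e, z), n)


def encrypt_letters(word, public):
    e, n = public
    return [modexp(ord(ch) - ord("A") + 1, e, n) for ch in word.upper()]


def decrypt_letters(blocks, private):
    d, n = private
    return "".join(chr(modexp(c, d, n) + ord("A") - 1) for c in blocks)


if __name__ == "__main__":
    # p = 3, q = 11, n = 33, z = 20 as on the page; e = 3 is assumed.
    public, private = make_keys(3, 11, 3)
    cipher = encrypt_letters("SUZANNE", public)
    print(public, private, cipher, decrypt_letters(cipher, private))

    # n = 187 with e = 7 and d = 23, as in the worked computation (17 * 11 = 187).
    public, private = make_keys(17, 11, 7)
    print(binary_factors(88, 7, 187), modexp(88, 7, 187))
    # The page splits the exponent 23 as 1+2+4+8+8; the binary split is 1+2+4+16.
    print(binary_factors(11, 23, 187), modexp(11, 23, 187))
```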
Drawbacks:
1. The brute force approach, i.e., trying all possible private keys.
2. Calculations involved in key generation and encryption/decryption are complex.
3. The larger the size of the key, the slower the system will run.
Advantage: The larger the no. of bits in e, d, the more secure the algorithm is the
(1)
Authentication Based on a shared secret key:
In this, both the users A and B share a secret key KAB. These protocols are based on the
principle that one party sends a random number to the other, who then transforms it in a special
way and returns the result. They are called Challenge-Response Protocols.
2-way Authentication using Challenge-Response protocol:
M-1: ALICE sends her identity A to BOB in a way that BOB understands.
M-2: As BOB has no way of knowing from whom this message has actually come,
he picks a large random number RB and sends it back to ALICE in plaintext.
M-3: ALICE then encrypts the message with the key she shares with BOB and sends
the cipher text, KAB(RB).
M-4: After receiving it, BOB confirms that this message is from ALICE and not from any
other user, because KAB is shared only with ALICE. But ALICE has no way
of confirming that she is talking to BOB. To do so, she picks a random number
RA and sends it to BOB as plain text.
M-5: Now, when BOB responds with KAB(RA), ALICE gets the confirmation.
Now, if A and B wish to establish a session key, KS, ALICE can send it to BOB encrypted
with KAB.
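The five-message exchange above as an added Python example (not from the original notes), showing both sides. The transform KAB(R) is implemented here with HMAC-SHA-256 instead of encryption, which is an assumption of this sketch; the Party class, names and keys are hypothetical.

```python
import hashlib
import hmac
import secrets


def transform(key, challenge):
    # Stand-in for KAB(R): a keyed function only the two key holders can compute (assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Party:
    def __init__(self, name, shared_keys):
        self.name = name
        self.keys = shared_keys      # peer name -> key shared with that peer
        self.pending = {}            # peer name -> challenge still waiting for an answer

    def new_challenge(self, peer):
        """Pick a large random number for this peer and remember it."""
        challenge = secrets.token_bytes(16)
        self.pending[peer] = challenge
        return challenge

    def respond(self, peer, challenge):
        """Answer a challenge with the key shared with the peer."""
        return transform(self.keys[peer], challenge)

    def verify(self, peer, response):
        """Check the answer to our outstanding challenge; each challenge is usable once."""
        challenge = self.pending.pop(peer, None)
        if challenge is None:
            return False
        expected = transform(self.keys[peer], challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(alice, bob):
    """Messages M-1 to M-5; True only if each side has verified the other."""
    claimed = alice.name                          # M-1: A -> B : identity A
    rb = bob.new_challenge(claimed)               # M-2: B -> A : RB
    answer_a = alice.respond(bob.name, rb)        # M-3: A -> B : KAB(RB)
    if not bob.verify(claimed, answer_a):
        return False                              # B stops: sender does not hold KAB
    ra = alice.new_challenge(bob.name)            # M-4: A -> B : RA
    answer_b = bob.respond(claimed, ra)           # M-5: B -> A : KAB(RA)
    return alice.verify(bob.name, answer_b)


if __name__ == "__main__":
    kab = secrets.token_bytes(32)                 # constructed shared key
    alice = Party("A", {"B": kab})
    bob = Party("B", {"A": kab})
    print("mutual authentication:", run_exchange(alice, bob))
    # Someone claiming to be A without KAB fails at M-3.
    stranger = Party("A", {"B": secrets.token_bytes(32)})
    print("without the shared key:", run_exchange(stranger, bob))
```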
A Shortened 2-way Authentication protocol:
Extra messages in above protocol can be eliminated by combining information as in the figure:
3 General Rules to design a correct Authentication protocol:
1. Have the Initiator prove who she is before the responder has to.
2. Have the Initiator and Responder use different keys for proof, i.e., use 2 shared keys KAB
and K'AB.
3. Have the Initiator and Responder draw their challenges from different sets.
3. Alice computes: 17^8 mod 47
4. Bob computes: 28^10 mod 47
4.
The problem faced by the Diffie-Hellman Key Exchange protocol is the Bucket Brigade attack,
or (wo)man-in-the-middle attack.
Consider a third person, C, involved in the interaction of A & B in the above algorithm.
wide-
Working:
1. 'A' picks a session key KS and informs the KDC that it wants to talk to 'B', with a message
which is encrypted with a secret key (KA).
2. The KDC decrypts this message, extracts B's identity and the session key, constructs a new
message containing A's identity and the session key, and sends it to 'B', encrypted with KB,
which 'B' shares with the KDC.
3. 'B' decrypts it and learns of A's wish to talk and of its key.
The Needham-Schroeder authentication protocol:
Working:
1. 'A' tells the KDC that he wants to talk to 'B', with a message which contains a large random
number, RA.
2. The KDC sends back m-2 containing A's random number, a session key and a ticket that it
can send to B.
3. Now, 'A' sends the ticket to 'B', along with a new random number, RA2, encrypted with the
session key KS.
4. 'B' sends back KS(RA2 - 1) to confirm to 'A' that it is talking to 'B'.
5. 'B' is convinced that it is talking to 'A' and to no one else.
The Otway-Rees Authentication protocol:
Working:
1. 'A' starts out by generating a pair of random numbers: R, which will be used as a common
identifier, and RA, which A will use to challenge 'B'.
2. When 'B' gets this message, he constructs a new message from the encrypted part of A's
message and an analogous one of his own.
3. Both the parts encrypted with KA and KB identify A and B, contain the common identifier
and contain a challenge.
4. The KDC checks to see if R in both parts is the same, and if so, it believes that the request
message from 'B' is valid and so it generates a session key and encrypts it twice (both for
A and B).
5. Each message contains the receiver's random number, indicating that it was generated by
the KDC.
6. Now, A and B are in possession of the same session key and can start communicating.
(III). Authentication using KERBEROS:
Kerberos was designed to allow workstation users to access network resources in a secure way. It
involves three servers in addition to a client workstation:
WORKING:
'A' sits down at an arbitrary public workstation and types his name, which is sent to 'AS'
in plain text.
A session key and a ticket KTGS(A, KS) intended for the TGS come back, packed
together and encrypted using A's secret key, so that only 'A' can decrypt them.
Only when message-2 arrives does the workstation ask for A's password, and this is used to
generate KA in order to decrypt m-2 and obtain the session key and the TGS ticket inside it.
At this point, the workstation overwrites A's password to make sure that it is only inside
the workstation for a few milliseconds at most.
After 'A' logs in, she tells the workstation that she wants to contact 'B', the file server.
The workstation then sends message-3 to the TGS asking for a ticket to use with 'B', with
the key element KTGS(A, KS), encrypted by the TGS's secret key, as proof of 'A'.
The TGS responds by creating a session key KAB for 'A' to use with 'B'.
Two versions of it are sent back, the first encrypted with KS, intended for 'A', and the second
encrypted with KB, intended for 'B'.
Now, 'A' sends KAB to 'B' to establish a session key with him, which is time stamped.
After some series of exchanges, communication is established.
3. When 'A' gets m-2, he decrypts it using his private key and agrees to the session key by
sending back m-3.
4. When 'B' sends RB encrypted with the session key he just generated, he confirms that m-2 is
received and RA is verified by 'A'.
So, a session is established.
Working:
1. When A wants to send a signed plain text message, P, to B, she generates
KA(B, RA, t, P) and sends it.
2. BB sees that the sender is A, decrypts the message and sends it to B.
3. The message to B contains the plain text of A's message and also the signed message
KBB(A, t, P), where t is a timestamp.
4. B now carries out A's request.
(b) . Public key signatures:
In this, an assumption is made initially that public key encryption and decryption
algorithms have the property E(D(P)) = P in addition to D(E(P)) = P.
A one-way hash function that takes an arbitrarily long piece of plain text and from it
computes a fixed-length bit string is called a message digest and has 3 important
properties. They are:
Working:
A first computes the message digest of her plain text. BB computes the message digest
by applying MD to P, yielding MD(P). BB then encloses KBB(A, t, MD(P)) as the 5th item
in the list encrypted with KB that is sent to B.
She then signs the message digest and sends both the signed digest and the plain text to B.
Working:
The resolver sends a UDP packet to a local DNS server, which then looks up the name
and returns the IP address to the resolver, which then returns it to the caller.
Armed with the IP address, the program can then establish a TCP connection with the
destination, or send it UDP packets.
Resource Records.
Name Servers.
The DNS name space:
The Internet is divided into several hundred top level domains, where each domain covers
many hosts. Each domain is partitioned into sub domains, and these are further partitioned, and
so on. All these domains can be represented by a tree, in which the leaves represent domains that
have no sub domains. A leaf domain may contain a single host, or it may represent a company
and contain thousands of hosts. Each domain is named by the path upward from it to the root.
The components are separated by periods (pronounced "dot").
Eg: Sun Microsystems Engg. Department
eng.sun.com.
Generic:
(doesn't end with a period). Domain names are case sensitive and the component names can be
up to 63 characters long and full path names must not exceed 255 characters.
(Eg: cs.yale.edu)
(Eg: cs.yale.ct.us)
Resource Records:
Every domain can have a set of resource records associated with it. For a single host, the
most common resource record is just its IP address. When a resolver gives a domain name to
DNS, it gets back the resource records associated with that name, i.e., the real function of DNS
is to map domain names onto resource records.
A resource record is a 5-tuple and its format is as follows:
Type     Meaning               Value
SOA      Start Of Authority    32-bit integer
         IP address of host    32-bit integer
MX       Mail Exchange
NS       Name Server
CNAME    Canonical Name        Domain name
PTR      Pointer
HINFO    Host Description
TXT      Text
Name Servers:
It contains the entire database and responds to all queries about it. DNS name space is
divided up into non-overlapping zones, in which each zone contains some part of the tree and
also contains name servers holding the authoritative information about that zone.
When a resolver has a query about a domain name, it passes the query to one of the local name
servers:
1. If the domain being sought falls under the jurisdiction of name server, it returns the
authoritative resource records ( that comes from the authority that manages the record,
and is always correct).
2. If the domain is remote and no information about the requested domain is available
locally the name server sends a query message to the top level name server for the
domain requested.
Eg: A resolver on flits.cs.vu.nl wants to know the IP address of the host Linda.cs.yale.edu
Step 1: The resolver sends a query containing the domain name sought, the type and the class
to the local name server, cs.vu.nl.
Step 2: Suppose the local name server knows nothing about it; it asks a few other nearby
name servers. If none of them know, it sends a UDP packet to the server for
edu-server.net.
Step 3: This server knows nothing about Linda.cs.yale.edu or cs.yale.edu and so it
forwards the request to the name server for yale.edu.
Step 4: This one forwards the request to cs.yale.edu, which must have the authoritative
resource records.
Step 5 to 8: The resource record requested works its way back in steps 5-8.
This query method is known as Recursive Query.
3. When a query cannot be satisfied locally, the query fails but the name of the next server
along the line to try is returned.
2. Agent
The Management Station serves as the interface for the human N/W manager into the network
management system. It will have the following:
1. A set of management applications for data analysis, fault recovery and so on.
2. An interface by which the n/w manager may monitor and control the n/w.
3. The capability of translating the n/w manager's requirements into the actual
monitoring and control of remote elements in the n/w.
4. A database of n/w management information extracted from the databases of all the
managed entities in the n/w.
Management Agent software equips key platforms such as hosts, Bridges, routers and hubs so
that they may be managed from a management station. The agent responds to requests for
information from a management station, responds to requests for actions from management
station, and may asynchronously provide management station with important but unsolicited
information.
To manage resources in the n/w, each resource is represented as an object (a data variable
that represents one aspect of managed agent). The collection of objects is referred to as a
Management Information Base (MIB). The MIB functions as a collection of access points at
the agent for management station. A management station performs the monitoring function by
retrieving the value of MIB objects.
The management station and agents are linked by a n/w management protocol. The
protocol used for the management of TCP/IP network is SNMP.
GET: Enables the management station to retrieve the value of objects at the agent
SET: Enables the management station to set the value of objects at the agent
SNMP V1 Configuration:
Role of SNMP-V2 :
Each player in the N/W management system maintains a local database of information
relevant to N/W management, known as a MIB. The SNMPV2 standard defines the structure of
this information and the allowable data types. This definition is known as the Structure of
Management Information (SMI).
One system is responsible for N/W management while the other systems act in the role of
agent. An agent collects the information and stores it for later access by a manager. The
information includes data about the system itself and may also include traffic information for
the N/W to which the agent attaches.
SMI: It defines the general framework within which a MIB can be defined and constructed.
The SMI identifies the data types that can be used in the MIB, and how resources within the MIB
are represented and named. The MIB can store only simplify the task of implementation and to
enhance interoperability. There are 3 key elements in the SMI specification:
1. At the lowest level, the SMI specifies the data types that may be stored.
2. Then the SMI specifies a formal technique for defining objects and tables of objects.
3. Finally, the SMI provides a scheme for associating a unique identifier with each
actual object in a system, so that a manager can reference data at an agent.
Protocol operation:
The protocol provides a straightforward, basic mechanism for the exchange of
management information between agent and manager. The basic unit of exchange is the message,
which consists of an outer message wrapper and an inner protocol data unit. The outer message
header deals with security. 7 types of PDUs may be carried in an SNMP message.
(a).Get-Request-PDU, Get-Next-Request-PDU, Set-Request-PDU, SNMPV2-TrapPDU,
Inform-Request-PDU:
PDU type
Req -id 10
Variable-bindings
(b). Response-PDU:
PDU type
Req-id
Error-status
Error-index
Variable-bindings
(c). Get-Bulk-Request-PDU:
PDU type
Req-id
Non-repeaters
Max-repetitions
Variable-bindings
Name 2
Value 2
Name n
Value n
GET REQUEST-PDU: Includes a list of one (or) more object names for which values
are requested. If the get operation is successful, then the responding agent will send a
Response-PDU.
GET NEXT REQUEST-PDU: Includes a list of one (or) more objects. For each object
named in the variable-bindings field, a value is to be returned for the object that is next in
lexicographic order.
SET REQUEST-PDU: Used to request that the values of one (or) more objects be
altered. The operation is atomic.
SNMP-V3: This defines an overall SNMP architecture and a set of security capabilities. It
provides 3 important services:
Authentication
Privacy
Access Control
The authentication mechanism in USM assures that a received message was transmitted
by the principal whose identifier appears as the source in the message header. It also assures
that the message has not been altered in transit and has not been artificially delayed (or)
replayed. The sending principal provides authentication by including a message authentication
code with the SNMP message it is sending. The code is a function of the message contents, the
identity of the sending and receiving parties, the time of transmission and a secret key that
should be known only to sender and receiver.
The configuration/network manager distributes the secret keys and so they are kept
outside of USM. When the receiving principal gets the message, it uses the same secret key to
calculate the message authentication code once again, and if it matches the value appended
to the incoming message, the receiver confirms that the sender is the authorized one. The
authentication code is called HMAC. The privacy facility of USM enables managers and agents
to encrypt messages, by sharing a secret key between them. If they are configured to use the
privacy facility, all traffic between them is encrypted using DES. The access control facility
makes it possible to configure agents to provide different levels of access to the agent's
Management Information Base (MIB) to different managers.
An agent principal can restrict access to its MIB for a particular manager principal in 2 ways:
It can limit the operations that a manager can use on that portion of MIB
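An added Python sketch (not from the original notes and not the USM wire format) of the authentication check described above: the code covers the message contents, both identities and the time of transmission, and the receiver recomputes it with the shared key. HMAC-SHA-256, the 150-second window, the field layout and all names are assumptions of this example.

```python
import hashlib
import hmac
import struct

WINDOW = 150   # seconds a message may lag before it counts as delayed (assumed value)


def auth_code(key, sender, receiver, sent_at, payload):
    """HMAC over contents, both identities and the transmission time."""
    fields = [sender.encode(), receiver.encode(), struct.pack(">Q", sent_at), payload]
    # Length-prefix every field so that field boundaries cannot be shifted.
    data = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


def make_message(key, sender, receiver, sent_at, payload):
    return {
        "sender": sender,
        "receiver": receiver,
        "sent_at": sent_at,
        "payload": payload,
        "mac": auth_code(key, sender, receiver, sent_at, payload),
    }


def verify(key, msg, me, now, seen):
    """Return 'ok' or the reason the message is rejected.

    seen is the receiver's set of codes already accepted inside the window.
    """
    if msg["receiver"] != me:
        return "wrong-receiver"
    expected = auth_code(key, msg["sender"], msg["receiver"], msg["sent_at"], msg["payload"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return "bad-mac"          # altered in transit, or sender does not hold the key
    if abs(now - msg["sent_at"]) > WINDOW:
        return "stale"            # artificially delayed
    if msg["mac"] in seen:
        return "replay"           # same authenticated message presented twice
    seen.add(msg["mac"])
    return "ok"


if __name__ == "__main__":
    key = b"constructed shared secret"              # distributed outside this code
    seen = set()
    msg = make_message(key, "manager-1", "agent-7", 1000, b"get-request (constructed)")
    print(verify(key, msg, "agent-7", 1005, seen))                  # ok
    print(verify(key, msg, "agent-7", 1006, seen))                  # replay
    altered = dict(msg, payload=b"set-request (constructed)")
    print(verify(key, altered, "agent-7", 1005, set()))             # bad-mac
    print(verify(key, msg, "agent-7", 1000 + WINDOW + 1, set()))    # stale
```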
E-MAIL
(Used in RFC 821,822 in internet)
(a). User Agents, which allow people to read and send e-mail
(b). Message Transfer Agents, which move messages from source to destination
Composition
Transfer
Reporting
Displaying
Disposition
(a). Composition: It refers to the process of creating messages and answers. Any text editor
can be used for the body of the message, while the system itself can provide assistance with
addressing and the numerous header fields attached to each message.
(b). Reporting: It has to do with telling the originator what happened to the message, that is,
whether it was delivered, rejected (or) lost.
(c). Transfer: It refers to moving messages from the originator to the recipient.
(d). Displaying: Incoming messages are to be displayed so that people can read their email.
(e). Disposition: It concerns what the recipient does with the message after receiving it.
Possibilities include throwing it away before reading (or) after reading, saving
it and so on.
(2). The User Agent: It is normally a program that accepts a variety of commands for
composing, receiving and replying to messages as well as for
Sending E-mail: To do so, the user must provide the message, the destination address
and possibly some other parameters (Eg: the priority (or) security level). The message
can be produced with a free-standing text editor, a word processing program or
possibly with a text editor built into the user agent. The destination address must be in
a format that the user agent can deal with. Many user agents expect DNS addresses of
the form mailbox@location.
Reading E-mail: When a user agent is started up, it will look at the user's mailbox for
incoming mail before displaying anything on the screen. Then it may announce the no. of
messages in the mailbox or display a one-line summary of each one and wait for a
command. Each display line contains several fields (extracted from the header of the
corresponding message) like..
Eg:
#    Flags   Bytes   Sender   Subject
1    K       1030    ASW      changes to MIN-MAX
2    KA      6348    SAM      RC: Hai
1st field (#): Message number.
2nd field (flags)
3rd field (bytes)
4th field (sender)
5th field (subject)
After the headers have been displayed, the user can perform any of the commands available.
Message Formats :
After the headers, comes the message body. Users can put whatever they want here.
(outgoing-mail)
(incoming-mail)
Each Queued message has 2 parts :
The message text, consisting of RFC 822 header and body of message.
The SMTP Sender takes messages from the outgoing mail queue and transmits them to proper
destination host via SMTP transactions over one or more TCP connections to port 25 on target
hosts.
authentication,
The complete package, along with all the source code, is distributed free of charge via
the Internet, bulletin boards and commercial networks.
UNIX and
PGP supports text compression, secrecy, and digital signatures and also provides
Alice wants to send a signed plaintext message P to Bob in a secure way. Each
one of them possesses private (DX) and public (EX) RSA keys, and each one knows the
other's public key.
PGP first hashes her message, P, using MD5 and then encrypts the resulting hash using
her private RSA key, DA.
When Bob eventually gets the message, he can decrypt the hash with Alice's public key
and verify that the hash is correct.
The encrypted hash and the original message are now concatenated into a single message,
PI, and compressed using the ZIP program (which uses the Ziv-Lempel algorithm), in
which the output is (PI).(Z)
Now, PGP prompts ALICE for some random input, from which a 128-bit IDEA message key,
KM, is generated, which encrypts (PI).(Z) in cipher feedback mode.
The resulting message then contains only letters, digits and the symbols +, / and =.
When Bob gets the message, he reverses the base-64 encoding and decrypts the IDEA key
using his private RSA key.
After decompressing it, Bob separates the plain text from the encrypted hash and decrypts the
hash using Alice's public key.
PGP supports 3 RSA key lengths:
1. Casual (384 bits): can be broken by folks with large budgets.
2. Commercial (512 bits): might be breakable by 3-letter organizations.
3. Military (1024 bits): not breakable by anyone on earth.
PGP Message Format:
[Figure: PGP message format. Surviving field labels: ID of EB, KM, Header, Time, ID of EA, Name, Time, Message.]
The message has 3 parts:
1) The message key part, which contains both the key and key identifier.
2) The signature part, which contains
Header
Timestamp
Identifier for the sender's public key that can be used to decrypt the signature hash
Some type information that identifies the algorithm used
The encrypted hash itself
3) The message part, which contains
Header
The default name of the file to be used if the receiver writes the file to the disk
A message creation timestamp
The message itself
PGP has grown explosively and is now widely used. A number of reasons can be cited for this
growth:
1. It is available free worldwide in versions that run on a variety of platforms, including
DOS/Windows, UNIX, Macintosh, and many more. In addition, the commercial version
satisfies users who want a product that comes with vendor support.
2. It is based on algorithms that have survived extensive public review and are
considered extremely secure. Specifically, the package includes RSA, DSS and
Diffie-Hellman for public key encryption; CAST-128, IDEA, and 3DES for conventional
encryption; and SHA-1 for hash coding.
3. It has a wide range of applicability, from corporations that wish to select and enforce
a standardized scheme for encrypting files and messages to individuals who wish to
communicate securely with others worldwide over the Internet and other networks.
PGP intentionally uses existing cryptographic algorithms rather than inventing new ones.
It is largely based on RSA, IDEA and MD5, all algorithms that have withstood extensive peer
review and were not designed or influenced by any government agency. PGP supports text
compression, secrecy and digital signatures and also provides extensive key management
facilities.
PGP ENVIRONMENT:
PGP's primary purpose is to send messages that are signed and encrypted. PGP also allows sending
messages that are only signed. Only the intended receiver can read encrypted messages. Using
public-key cryptography, the sender does not have to exchange a secret key with the receiver. If
the sender has the receiver's public key, then she can send him a message. Encrypted PGP
messages can be addressed to one receiver or several receivers.
PGP can also be used to send signed but unencrypted messages. These messages are in the
clear: anyone can read them. Also, anyone who has the sender's public key can verify the
integrity and authentication of the messages. This type of security is useful for messages posted
to Usenet newsgroups.
PGP SUBSYSTEMS:
There are normally two subsystems:
USER AGENTS
User agents allow people to read and send email. The user agents are local programs that
provide a command-based, menu-based or graphical method for interacting with the email
system.
Message transfer agents move the message from the source to the destination. These agents
are typically system daemons that run in the background and move email through the system.
BASIC FUNCTIONS:
Email systems support 5 basic functions:
Composition
Transfer
Reporting
Displaying
Disposition
COMPOSITION: It refers to the process of creating messages and answers. Although any text
editor can be used for the body of the message, the system itself can provide assistance with
addressing and the numerous header fields attached to each message.
TRANSFER: It refers to moving messages from the originator to the recipient. In large part
this requires establishing a connection to the destination or some intermediate machine,
outputting the message and releasing the connection.
automatically.
REPORTING: It has to do with telling the originator what happened to the message. Was it
delivered? Was it rejected? Was it lost? Numerous applications exist in which confirmation of
delivery is important and may even have legal significance.
DISPOSITION: It is the final step and concerns what the recipient does with the message after
receiving it. Possibilities include throwing it away before reading, throwing it away after reading,
saving it and so on. It should also be possible to retrieve and reread saved messages, forward
them, or process them in other ways.
PGP OPERATION FOR SENDING A MESSAGE :
PGP first hashes the sender's message P using MD5 and then encrypts the resulting hash using
her private key DA. The receiver decrypts the hash with her public key and verifies that the hash
is correct. Even if someone could acquire the hash at this stage and decrypt it with the public key,
the strength of MD5 guarantees
that it would be computationally infeasible to produce another message with the same MD5
hash. The encrypted hash and the original message are now concatenated into a single message,
P1, and compressed using the Zip program; the output of this step is P1.Z.
The content and the typing speed are used to generate a 128-bit IDEA message key, KM,
which is now used to encrypt P1.Z with IDEA in cipher feedback mode. KM is also encrypted with
the receiver's public key, EB. These two components are then concatenated and converted to base 64.
When the receiver gets the message, he reverses the base 64 encoding and decrypts
the IDEA key using his private key.
After decompressing it, he separates the plaintext from the encrypted hash and decrypts the hash
using the sender's public key. If the plaintext hash agrees with his own MD5 computation, he is
assured that P is the correct message.
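The send and receive steps described above (and in the earlier Alice and Bob walk-through), as an added example that is not part of the original notes. Assumptions: the function names are hypothetical, the RSA keys are constructed toy keys used as unpadded textbook RSA, and a SHAKE-128 keystream XOR stands in for IDEA in cipher feedback mode, which the Python standard library does not provide.

```python
import base64, hashlib, secrets, zlib

def toy_rsa(p, q, e=65537):
    """Constructed toy key pair: textbook RSA, no padding, demo only."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "len": (n.bit_length() + 7) // 8}

ALICE = toy_rsa(2**127 - 1, 2**61 - 1)   # sender: DA = d, EA = e
BOB = toy_rsa(2**107 - 1, 2**89 - 1)     # receiver: DB = d, EB = e

def stream_xor(key, data):
    # Stand-in for IDEA in cipher feedback mode (assumption, see lead-in):
    # XOR with a SHAKE-128 keystream; one call works in both directions.
    pad = hashlib.shake_128(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def md5_int(data):
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def pgp_send(p, sender, receiver):
    sig = pow(md5_int(p), sender["d"], sender["n"])     # MD5 hash under DA
    p1 = sig.to_bytes(sender["len"], "big") + p         # P1 = encrypted hash || P
    p1z = zlib.compress(p1)                             # P1.Z
    km = secrets.token_bytes(16)                        # 128-bit message key KM
    wrapped = pow(int.from_bytes(km, "big"), receiver["e"], receiver["n"])
    blob = wrapped.to_bytes(receiver["len"], "big") + stream_xor(km, p1z)
    return base64.b64encode(blob)                       # letters, digits, + / =

def pgp_receive(msg, receiver, sender):
    raw = base64.b64decode(msg)                         # reverse base 64
    wrapped, body = raw[:receiver["len"]], raw[receiver["len"]:]
    km_int = pow(int.from_bytes(wrapped, "big"), receiver["d"], receiver["n"])
    p1 = zlib.decompress(stream_xor(km_int.to_bytes(16, "big"), body))
    sig, p = p1[:sender["len"]], p1[sender["len"]:]     # split hash from plaintext
    recovered = pow(int.from_bytes(sig, "big"), sender["e"], sender["n"])
    return p, recovered == md5_int(p)                   # compare with own MD5

if __name__ == "__main__":
    wire = pgp_send(b"Meet at noon.", ALICE, BOB)
    print(wire.decode(), pgp_receive(wire, BOB, ALICE))
```

The second return value is the signature check; it is false when the hash is verified against a public key other than the signer's.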
PGP SERVICES:
Digital signature
Message encryption
Compression
Email compatibility
Segmentation
OPERATIONAL DESCRIPTION:
Authentication
Confidentiality
Compression
E-mail compatibility
Segmentation
1) Digital signature provides message authentication and protects two parties who exchange
messages from any third party by using an algorithm, DSS/SHA or RSA/SHA. A hash
code of a message is created using SHA-1, which is a public-key encryption algorithm that
takes an input message of arbitrary length and produces as output a 128-bit message digest.
The input is processed in 512-bit blocks. This message digest is encrypted using DSS or
RSA.
2) The RSA scheme is a block cipher in which the plaintext and ciphertext are integers
between 0 and n-1 for some n. The plaintext is encrypted in blocks with the sender's private
key, each block having a binary value less than some number n, and included with
the message.
3) A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key
generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with
the recipient's public key, and included with the message.
4) A message may be compressed for storage or transmission using Zip.
5) E-mail compatibility uses the Radix-64 conversion algorithm to provide transparency for
e-mail applications; an encrypted message may be converted to an ASCII string.
CRYPTOGRAPHIC KEYS :
PGP makes use of four types of keys:
a) One-time session conventional keys: provide only one key for the entire process.
b) Public key: The purpose of publishing your key is to make it available in a common
database where everybody can have access to it for the purpose of encrypting messages
also.
c) Pass phrase-based conventional keys: The pass phrase really has only one purpose, but a
very important one. The pass phrase is hashed to become the key with which your private key is
encrypted. Its whole purpose is to protect your private key so that no one else can use your
private key. This is why any time you try to use the private key you are prompted to enter your pass
phrase: you need your pass phrase to sign a message, to decrypt a message, to revoke a key, to
add a name or e-mail address to your key, etc.
KEY IDENTIFIERS :
A key ID is also required for the PGP digital signature. Because a sender may use one of
a number of private keys to encrypt the message digest, the recipient must know which public
key is intended for use. Accordingly, the digital signature component of a message includes the
64-bit key ID of the required public key. When the message is received, the recipient verifies that
the key ID is for a public key that it knows for that sender and then proceeds to verify the
signature. Now that the concept of key ID has been introduced, we take a more detailed look at
the format of a transmitted message. A message consists of three components:
1. Message component
2. Signature component
3. Session key component
Key ID of sender's public key: Identifies the public key that should be used to decrypt the
message digest and, hence, identifies the private key that was used to encrypt the message digest.
General format of PGP message:
3. Session key component: It includes the session key and the identifier of the recipient's
public key that was used by the sender to encrypt the session key.
KEY RINGS :
The scheme used in PGP is to provide a pair of data structures at each node, one to store the
public/private key pairs owned by that node and one to store the public keys of other users
known at this node. These data structures are referred to, respectively, as the following:
Private-key ring
Public key ring
PRIVATE-KEY RING: Each row represents one of the public/private key pairs owned by
this user. Each row contains the following entries:
Timestamp
Key ID: The least significant 64 bits of the public key for this entry.
Public key
Private key
User ID: Typically, this will be the user's e-mail address. The user may choose to
associate a different name with each pair or to reuse the same user ID
more than once.
The private-key ring can be indexed by either user ID or key ID. Although it is intended that the
private-key ring be stored only on the machine of the user that created and owns the key pair, and
that it be accessible only to that user, it makes sense to make the value of the private key as secure
as possible. Accordingly, the private key itself is not stored in the key ring. Rather, this key is
encrypted using IDEA or 3DES. The procedure is as follows:
1. The user selects a pass phrase to be used for encrypting private keys.
2. When the system generates a new public/private key pair using RSA, it asks the user for
the pass phrase. Using SHA-1, a 160-bit hash code is generated from the pass phrase, and
the pass phrase is discarded.
3. The system encrypts the private key using CAST-128 with the 128 bits of the hash code
as the key. The hash code is then discarded, and the encrypted private key is stored in the
private-key ring.
4. When the user accesses the private-key ring to retrieve a private key, he or she must supply
the pass phrase. PGP will retrieve the encrypted private key, generate the hash code of
the pass phrase and decrypt the encrypted private key using CAST-128 with the hash code.
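A private-key ring that follows the four steps above, as an added example that is not part of the original notes. Assumptions: the class and function names are hypothetical, the RSA pair is a constructed toy key, a SHAKE-128 keystream XOR stands in for CAST-128 (not available in the Python standard library), and the wrong-pass-phrase check in unlock() is an addition of this example.

```python
import hashlib, time

def key_id(n):
    """Key ID: the least significant 64 bits of the public key."""
    return n & (2**64 - 1)

def passphrase_key(passphrase):
    # Steps 2-3: SHA-1 yields a 160-bit hash code; 128 bits of it key the cipher.
    return hashlib.sha1(passphrase.encode()).digest()[:16]

def xor_cipher(key, data):
    # Stand-in for CAST-128 (assumption, see lead-in): SHAKE-128 keystream XOR.
    pad = hashlib.shake_128(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

class PrivateKeyRing:
    def __init__(self):
        self.rows = []

    def add(self, user_id, n, e, d, passphrase):
        size = (n.bit_length() + 7) // 8
        enc = xor_cipher(passphrase_key(passphrase), d.to_bytes(size, "big"))
        # The row holds only the encrypted private key; the pass phrase and
        # its hash code are never stored.
        row = {"timestamp": time.time(), "key_id": key_id(n),
               "public": (n, e), "enc_private": enc, "user_id": user_id}
        self.rows.append(row)
        return row

    def find(self, user_id=None, kid=None):
        """Index the ring by user ID or by key ID."""
        for row in self.rows:
            if user_id == row["user_id"] or kid == row["key_id"]:
                return row
        raise KeyError("no matching key on the ring")

    def unlock(self, row, passphrase):
        # Step 4: re-hash the supplied pass phrase and decrypt the stored key.
        n, e = row["public"]
        raw = xor_cipher(passphrase_key(passphrase), row["enc_private"])
        d = int.from_bytes(raw, "big")
        # Added check (an assumption, not described on the page): a wrong
        # pass phrase gives a d that fails to invert e on a test value.
        if pow(pow(2, e, n), d, n) != 2:
            raise ValueError("wrong pass phrase")
        return d

# Constructed toy RSA pair built from Mersenne primes, for illustration only.
E = 65537
N = (2**127 - 1) * (2**61 - 1)
D = pow(E, -1, (2**127 - 2) * (2**61 - 2))
```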
PUBLIC-KEY RING: It is used to store the public keys of users that are known to this user:
Timestamp
Key ID: The least significant 64 bits of the public key for this entry.
Public key
User ID: The owner of this key. Multiple user IDs may be associated with a
single public key.
The public-key ring can be indexed by either user ID or key ID. First consider message
transmission and assume the sending PGP entity performs the following steps:
Signing the message: PGP retrieves the sender's private key from the private-key ring using
your user ID as an index. If your user ID was not provided in the command, the first private key
on the ring is retrieved. PGP prompts the user for the pass phrase to recover the unencrypted
private key. The signature component of the message is constructed.
Encrypting the message: PGP generates a session key and encrypts the message. PGP retrieves the
recipient's public key from the public-key ring using the user ID as an index. The session key
component of the message is constructed.
The receiving PGP entity performs the following steps:
Decrypting the message: PGP retrieves the receiver's private key from the private-key ring
using the key ID field in the session key component of the message as an index. PGP prompts
the user for the pass phrase to recover the unencrypted private key. PGP then recovers the
session key and decrypts the message.
Authenticating the message: PGP retrieves the sender's public key from the public-key ring, using
the key ID field in the signature key component of the message as an index. PGP recovers the
transmitted message digest. PGP computes the message digest for the received message and
compares it to the transmitted message digest to authenticate.
MERITS OF PGP:
1. We can generate our own public/private key pairs.
2. We can have multiple keys for different uses, and can replace a key whenever desired.
3. It uses established and peer-reviewed encryption algorithms.
4. It is free for personal use.
5. You can securely communicate with users of other operating systems, and with any email
address.
6. All PGP encryption functions take place on your own computer, with your private
keys residing only on your computer.
7. PGP is public key encryption that does not require the transmission of a secret pass phrase.
8. It includes digital signatures that assure that the message/file is not altered, and is from
Kra
Kua -
Ep : Public-key encryption.
Dp : Public-key decryption.
Ec : Conventional encryption.
Dc : Conventional decryption.
Hash function.
|| : Concatenation
R64