www.jntuworld.

com

JNTUWORLD

The Application Layer

The Application Layer

There is a need for support protocols to allow the real applications to function in the
application layer. The three important support protocols are:1. N/W Security
2. DNS
3. N/W Management
1. N/W Security: It is a large no. of protocols that can be used to ensure privacy where
needed. It is concerned with people trying to access remote services that they are not
authorized to use. N/W security problems can be divided roughly into 4 inter-twined areas: Security

Non-repudiation

Authentication

Integrity control

Security: It has to do with keeping information out of the hands of unauthorized users.

Authentication: It deals with determining whom you are talking to, revealing sensitive
information or entering into a business deal.

Non repudiation: It deals with signatures.

Integrity control: It makes sure that the message received was the one really sent and
same thing or a malicious adversary modified in transit.

N/W Security in different layers:

1. Physical layer: Wiretapping can be foiled by enclosing transmission lines in sealed
tubes containing ARGON gas at high pressure. Any attempt to drill into a tube will
release some gas, reducing the Pressure and triggering an atom.
2. Data link layer: If packets have to traverse on a point-to-point line, they are encoded
as they leave one machine and decoded as the enter another. If packets have to
traverse multiple routers, they are decrypted at each router, leaving them vulnerable to
attacks with in routes. This method is called LINK ENCRYPTION.
3. N/W layer: Firewalls can be installed to keep packets in or packets out.
1

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

4. Transport layers: Entire connections can be encrypted, end to end, i.e., process to process.
5. Application layer:
a) Traditional cryptography
b) 2 fundamental cryptography principles.
c) Secret- key Algorithms.
d) Public-key Algorithms.
e) Authentication protocols.
f) Digital signatures.
g) Social issues.

a). Traditional cryptography:

The art of devising ciphers is called Cryptography. The message to be encrypted,
known as plain text is transformed by a function that is parameterized by a key. The O/P of
execution process is known as Cipher text is then transmitted, often by message. Even, if the
enemy (intruder) hears and accurately copies down the complete cipher text, he cannot decrypt it,
as he doesnt know the decryption key. Sometimes, he listens to common channel but also record
messages and plays them back later, injects his own messages or modifies legitimate messages
before they get to the receiver. This art of breaking ciphers is called Cryptanalysis
Cryptography + Cryptanalysis = Cryptology

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Encryption of plain text P using key k gives the cipher text C.

i.e., C

EK (P)

Decryption of cipher text C using the key k gives plain text P

DK( C )
i.e., DK (EK (P))

Key is a short string that selects one of many potential encryptions. A key length

of 2 digits

means that there are 100 possibilities, 3 digits means 1000 possibilities and

6 digits

means a million. The longer the key, the higher the work factor the cryptanalyst has to
deal with.
Encryption methods:

Substitution Ciphers.

Transposition Ciphers.

One -Time Pads.
(i). Substitution Ciphers: They preserve the order of plaintext symbols but disguise them. In
this, another letter or group of letters to disguise it replaces each letter or group of letters. One of
the oldest ciphers is Caesar Cipher. In this, an alphabet is shifted by 3 alphabets. i.e.,
aD, bE, cF.zC.

Eg: attack DWWDFN

Next improvement is mono alphabetic substitution in which each letter is mapped to some
other letter.

Eg: attack QZZQEA

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

To break a Substitution Cipher..

Breaking of ciphers using digrams, trigrams : This takes advantage of statistical

properties of natural
languages. In English, for example c is the most common one letter followed
by t, o, a, n etc. the most 2
letter combinations are th, an, in, re & 3 letter combinations are the, int, and, ion.

Breaking of ciphers with a guess of probable word or phrase : The Cryptanalyst

counts the relative frequencies of all letters in Cipher text and then tentatively
assign the most common one to e and next most common one to t. He then
look at trigrams to find a common one of the form t-e, which can be filled
with h. If the pattern th-t occurs frequently, the empty space probably stands
for a.
Eg: CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ
QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ
DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBZ QJSW.

(ii). Transposition Ciphers: These reorder the letters but do not disguise them. The following
diagram depicts the columnar transposition, in which the cipher is keyed by a word or phrase not
containing any repeated letters.

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

In the above example, MEGABUCK is the key. The purpose of the key is to number the
columns, column-1 being under the key letter closest to the start of the alphabet, and so on. The
plain text is normally written horizontally, in rows. The cipher text is read out by columns,
starting with the column whose key letter is the lowest.

To break a Transposition Cipher

The cryptanalyst must first be aware that he is dealing with a transposition cipher. By
looking at the frequency of E,T,A,O,I,N,etc., it is easy to see that if they fit the
normal pattern for plain text. If so, the cipher is clearly a transposition cipher, because in
such a cipher every letter represents itself.

The next step is to make a guess at the number of columns. In many cases, a probable
word or phrase may be guessed from the context of the message. For each key length, a
different set of digrams is produced in the cipher text. By hunting for various
possibilities, the cryptanalyst can often easily determine the key length.

The remaining step is to order the columns. When the number of columns, k, is small,
each of the k(k-1) column pairs can be examined to see if its digram frequencies match
those for English plain text. The pair with the best match is assumed to be correctly
positioned. Now, each remaining column is tentatively tried as the successor to this pair.
The column whose digram and trigram frequencies give the best match is tentatively
assumed to be correct. The predecessor is found in the same way. The entire process is
continued until a potential ordering is found.

(iii). One-time pads: In this, first, choose a random bit string as the key. Then, convert the
plaintext into a string, for example, by using its ASCII representation. Finally, compute the
EXCLUSIVE-OR of these two strings, bit by bit.

Advantages:
1. As every possible plain text is an equally probable candidate, the resulting cipher text
cannot be broken.
2. The resulting cipher text gives the cryptanalyst no information at all.

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Disadvantages:
1. The key cannot be memorized and so both sender and receiver must carry a written copy
with them.
2. The total amount of data that can be transmitted is limited by the amount of key
available.
3. It is sensitive to lost or inserted characters.

(b). Two fundamental Cryptographic Principles:

1. All encrypted messages must contain some redundancy (information needed to misunderstand the message) to prevent active intruders from tricking the receiver into acting
on a false message.
2. Some measures must be taken to prevent active intruders from playing back old
messages.

(c ). Secret-Key algorithms:
The object is to make the encryption algorithm so complex and involuted that even if the
cryptanalyst acquires vast mounds of enciphered text of his own choosing, he will not be able to
make any sense of it at all. Transpositions and substitutions can be implemented with simple
circuits like P-boxes and S-boxes respectively.
P-box( Permutation-box ): Used to effect a transposition on an 8-bit input. If the 8 bits are
designated as 01234567 from top to bottom, the output of this box is 36071245. By appropriate
internal wiring, a P-box can be made to perform any transposition and do it practically the speed
of light.
S-box( Substitution-box ): Substitutions are performed by S-boxes. The n-bit input selects one
of the 8 lines exiting from the first stage and sets it to 1. All the other lines are 0.

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

There are mainly 3 secret-key algorithms. They are:

1. DES
2. DES-CHAINING
3. IDEA
1. DES ( Data Encryption Standard ) :
It is basically a mono-alphabetic substitution cipher using a 64-bit character. In this, plain text is
encrypted in blocks of 64-bits, yielding 64 bits of cipher text. The algorithm, which is
parameterized by a 56-bit key , has 19 distinct stages. The first stage is a key independent
transposition on the 64-bit plain text. The last stage is the exact inverse of this transposition. The
stage prior to the last one exchanges the left most 32-bits with the right most 32-bits. The
remaining 16 stages are functionally identical but are parameterized by different functions of the
key. The algorithm has been designed to allow decryption to be done with the same key as
encryption. The steps are just run in reverse order. The operation of one of these stages is
illustrated in the figure below:

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a
copy of the right input. The right output is the bit-wise EXCLUSIVE-OR of the left input and a
function of the right input and the key for this stage, Ki. The function consists of 4 steps,
carried out in sequence.
1. A 48-bit number, E , is constructed by expanding the 32-bit Ri-1 according to a fixed
transposition and duplicate rule.
2. E and Ki are EXCLUSIVE-OR ed together.
3. This output is then partitioned into 8 groups (each of 6-bits), each of which is fed into a
different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.
4. Finally, these 8 x 4 bits are passed through a P-box.
In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit
transposition is applied to the key. Just before each iteration, the key is partitioned into two 28bit units, each of which is rotated left by a number of bits dependent on the iteration number. Ki
is derived from this rotated key by applying yet another 56-bit transposition to it. A different 48bit subset of the 56-bits is extracted and permuted on each round.
2. DES-CHAINING:
Electronic code book mode: To overcome the problem of DES, this method is used in which a
long message is encrypted by breaking it up into consecutive 8-byte(64-bit)blocks and
encrypting them one after another with the same key. The last block is padded out to 64-bits, if
need be.
Let us consider an example in which a file consisting of consecutive 32-byte records in the
format.16 bytes for name,8 bytes for the position and 8 bytes for the bonus of an employee in
an organization. Each of the sixteen 8-byte blocks is encrypted by DES.

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

To overcome some types of attacks, DES is chained in various ways. One of the ways is Cipher
Block Chaining. In this method, each plain text block is EXCLUSIVE-OR ed (#) with the
previous cipher text block before being encrypted. Consequently, the same plain text block no
longer maps on to the same cipher text block, and the encryption is no longer a big monoalphabetic substitution cipher. The first block is EXCLUSIVE-OR ed with a randomly chosen
initialization vector, IV, that is transmitted along with the cipher text.
Error!

Working:
1. compute C0 = E ( P0 XOR IV )
2. Then, compute C1 = E ( P1 XOR C0 ) and so on.
3. The encryption of block i is a function of all the plain text in blocks 0 through i-1, so
the same plain text generates different cipher text depending on where it occurs.
4. The decryption occurs the other way , with P0 = IV XOR D (C0) and so on.
Advantage:
The same plain text block will not result in the same cipher text block, making cryptanalysts
more difficult.
Disadvantage:
It requires an entire 64-bit block to arrive before decryption can begin.
To overcome this disadvantage, byte-by-byte encryption is done using Cipher Feedback
mode. In the figure, the state of encryption machine is shown after bytes 0 through 9 have been
encrypted and sent. When plain text byte-10 arrives, the DES algorithm operates on the 64-bit
shift register to generate 64-bit cipher text, in which the left most byte is extracted and

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

EXCLUSIVE-OR ed with P10. That byte is transmitted on the transmission line. In addition, the
shift register is shifted left 8bits, causing C2 to fall off the left end , and C10 is inserted in the
position just vacated at the right end by C9.
Decryption is done by encrypting the contents of the shift register so that the selected byte that is
EXCLUSIVE-OR ed with C10 to get P10 is the same one that was EXCLUSIVE-OR ed with P10
to generate C10 in the first place.
Error!

For applications which require messing up 64-bits of plain text by having a 1-bit transmission
error, Output feedback mode is used. It is identical to cipher feedback mode except that the
byte fed back into the right end of the shift register is taken from just before the EXCLUSIVEOR box, not just after it.
Advantage:
It has the property that a 1-bit error in the cipher text causes only a 1-bit error in the resulting
plain text.
3. IDEA (International Data Encryption Algorithm):
The basic structure of the algorithm resembles DES in that 64-bit plain text input blocks are
mangled in a sequence of parameterized iterations to produce 64-bit cipher txt output blocks.
Given the extensive bit mangling, 8 iterations are sufficient. IDEA can be used in cipher
feedback mode and other DES modes.

10

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

In the above figure, the details of one iteration are depicted, in which three operations are used,
all on unsigned 16-bit numbers. These operations are EXCLUSIVE-OR, addition modulo 216 ,
and multiplication modulo 216 + 1. The operations have the property that no two pairs obey the
associative law or distributive law, making cryptanalysis more difficult. The 128-bit key is used
to generate 52 sub keys of 16-bits each, 6 for each of 8 iterations and 4 for the final
transformation. Decryption uses the same algorithm as encryption, only with different sub keys.

(d). Public-Key algorithms:

Diffie and Hellmann proposed a new kind of crypto system, one in which the encryption and
decryption keys were different, and the decryption key could not be delivered from the
encryption key. In their proposal, the encryption algorithm, E, and the decryption algorithm, D,
had to meet the following 3 requirements:
1. D(E(P)) = P.
2. It is exceedingly difficult to deduce D from E.
3. E cannot be broken by a chosen plain text attack.
The main object in this is that the Encryption key is made public. Hence, the name Public-Key
Cryptography.

11

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The RSA algorithm:

One of the Public-key algorithms is the RSA algorithm. This was discovered by Rivest, Shamir,
Adleman and is based on the following principles:
1. Choose two large primes, p and q. (typically greater than 10100)
2. Compute n = p * q and z = (p-1) * (q-1)
3. Choose a number relatively prime to z and call it d.
4. Find e such that e * d = 1 mod z
In this algorithm, the plain text is divided into blocks, so that each plain text message, P, falls in
the interval 0 P < n. This can be done by grouping the plain text into blocks of K bits, where K
is the largest integer for which 2k < n is true.
To encrypt a message, P, compute C = Pe (mod n) i.e., e and n are needed to do so.
To decrypt a message, C, compute P = Cd (mod n) i.e., d and n are needed to do so.
Therefore, the public key consists of the pair (e, n) and the private key consists of the pair (d, n).

In the above example, the encryption of the plain text SUZANNE is shown:
p = 3, q = 11, n = 33, z = 20







d = 7 ( since 7 and 20 have no common factors)

7e = 1 (mod 20)
e=3
C = P3 (mod 33)
P = C7 (mod 33)
12

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Encryption:
C

Me mod n

887 mod 187

[ (884 mod 187) * ( 882 mod 187) * ( 881 mod 187] mod 187

[ (59,969,536 mod 187)(7744 mod 187)(88 mod 187)] mod187

(132 * 77 * 88) mod 187

894,432 mod 187

11

Decryption:
M =Cd mod n
=1123 mod 187
=[(111 mod 187)* (112 mod 187)* (114 mod 187)*(118 mod 187)* (118mod 187)] mod 187
=[(111mod187)*(121mod187)*(14,641mod187)*(214,358,881mod187)*(214,358,881mod187)]mod187
=(11 * 121 * 55 * 33 * 33) mod 187
=79,720,245 mod 187
=88.

If p = 3, q = 11, n = 33, (n) = 20,

d = 7 (because 7, 20 have no common factors)
=>7e = 1 mod 20
=3
EXAMPLE : Plain text SUZANNE is to be transformed into Cipher text
Senders Computation

Receivers Computation

13

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Drawbacks:
1. The Brute force approach i.e., trying all possible private keys.
2. Calculations involved in key generation, Encryption / Decryption are complex.
3. The larger the size of the key, the slower the system will run
Advantage:The larger no. of bits in e, d, the more secure the algorithm is the

(5). Authentication Protocols:

Authentication: It is the technique by which a process verifies that its communication partner is
who it is supposed to be and not an imposter. It deals with the question of whether or not the user
is actually communicating with a specific Process.


Authentication Based on a shared secret key.

Authentication Using a key Distribution Centre.

Authentication Using Kerberos.

Authentication Using public-key Cryptography

(1)
Authentication Based on a shared secret key:
In this, both the users A and B share a secret key KAB. These protocols are based on a
principle that one party send a random number to the other, who then transforms it in a special
way and then returns result and are called Challenge Response Protocols.
2-way Authentication using Challenge - Response protocol :

14

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

M-1 : ALICE sends her identity A to BOB in a way that BOB understands.
M-2 : As Bob has no way of knowing from whom this message has come from actually ,
he picks a large random number RB and sends it back to ALICE in plaintext.
M-3: ALICE then encrypts the message with the key she shares with BOB and sends
cipher text, KAB(RB).
M-4: After receiving, BOB confirms that this message is from ALICE but not from any
other user because K(suffix)AB is shared only by ALICE. But ALICE has no way
of confirmation that she is talking to BOB. To do so, she picks a random number
RA and sends it to BOB as plain text.
M-5: Now, when BOB responds with KAB(RA), ALICE gets the confirmation.
Now, If A and B wish to establish a session key, KS, ALICE can send it to BOB encrypted
with KAB.
A Shortened 2-way Authentication protocol:
Extra messages in above protocol can be eliminated by combining information as in the figure:

M-1:-ALICE initiates C-R Protocol.

M-2:-BOB responds to ALICEs challenge along sending his own.
M-3:-ALICE then encrypts the message with the key she shares with BOB and sends cipher
text, KAB(RB).

15

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

3 General Rules to design a correct Authentication protocol:1. Have the Initiator prove who she is before the responder has to.
2. Have the Initiator and Responder use different keys for proof, i..e, use 2 shared keys KAB
and K'AB.
3. Have the Initiator and responder draw their challenges from different sets.

(I). The Diffie-Hellman Key Exchange:

It is the protocol that allows strangers to establish a shared secret key.
Working:1. Alice and Bob have to agree on 2 large prime numbers (which are public), n and g, where
(n-1)/2, is also a prime and certain conditions apply to g.
2. Now, Alice &Bob respectively Picks large numbers x,y(say a512- bit) and keeps them
secret.
3. Alice initiates key exchange protocol by sending by sending Bob a message containing
(n, g, gx mod n), for which Bob responds with gy mod n.
4. Alice takes the number and raises it to xth power to get (gy mod n)x. Bob does the same
and gets (gx mod n)y.
5. Thus, Alice &Bob now share a secret key, gxy mod n.

Example: n=47, g=3, x=8, y=10

1. Alices message to Bob : 47,3,28 (since 38mod 47 = 28)
2. Bobs message to Alice : 17

(since 310mod47 = 17)

3. Alice Computes

: 178mod 47

4. Bob computes

: 2810mod 47

Therefore, The Shared - Secret Key =

4.

16

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The problem that is faced by Diffe - Hellman Key Exchange protocol is Bucket Brigade attack
or WO(man)- in the middle attack.
Consider a third person c is involved in the interaction of A & B in the above algorithm.

1. A&B chooses x & y respectively while c randomly chooses z.

2. When A sends message-1 interested for B,C intercepts it and sends m-2 to B, using
correct g and n. But with her own z instead of x and does same back to A with m-3.
3. Later, B sends M-4 to A ,which was intercepted by c and kept with it.
4. Modular Arithmetic being done by everyone,
A Computes Secret Key as gxzmod n.
B Computes Secret Key as gyzmod n.
C Computes Secret Key as gxzmod n, gyzmod n.
5. Therefore, Every message sent by A on the encrypted session is captured by C, stored,
modified if desired and then (optionally) passed to B. Similarly in other direction. i..e,
A&B on under the illusion that they have a secure channel to one another while C sees
everything & can modify them. This attack is called Bucket Brigade Attack.
(II): Authentication using KDC:
In this model, each user has a single key shared with KDC. The simplest protocols is
mouth frog

17

www.jntuworld.com

wide-

www.jntuworld.com

JNTUWORLD

The Application Layer

Working:
1. 'A' picks a session key Ks and informs KDC that it wants to talk to 'B', with a message
which is encrypted with a secret key(KA)
2. KDC decrypts this message, extracts B's identity and session key and constructs a new
message containing A's identity and session key and sends to 'B', encrypted with KB
shared by 'B' with KDC
3. 'B' decrypts and knows the 'A's wish and it's key.
The Needham-Schroeder authentication protocol:
Error!

Working:1. 'A' tells KDC that he wants to talk to 'B', with a message which contains a large random
number, RA.
2. KDC sends back m-2 containing A's random number, a session key and a ticket that it
can send to B.
3. Now, 'A' sends ticket to 'B', along with a new random number, RA2 encrypted with
session key KS.
4. 'B' sends back Ks(RA2-1) to confirm 'A' that it is talking to 'B'.
5. 'B' is convinced that it is talking to 'A' only but with no other one.
The Otway-Rees Authentication protocol:

18

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Working:1. 'A' starts out by generating a pair of random number, R, which will be used as a common
identifier and RA, which A will use to challenge 'B'.
2. When 'B' gets this message, he constructs a new message from the encrypted part of A's
message and an analogous one of his own.
3. Both the parts encrypted with KA and KB identify A and B, contain the common identifier
and contain a challenge.
4. The KDC checks to see if R in both parts is same, and if so, it believes that the request
message from 'B' is valid and so it generates a session key and encrypts it twice (both for
A and B).
5. Each message contains receivers random number, indicating that it was generated by
KDC.
6. Now, A and B are in possession of same session key and can start communicating.
(III). Authentication using KERBEROS:
Kerberos was designed to allow workstation users to access network resources in a secure key. It
involves three servers in addition to a client workstation:

Authentication Server (AS):- Verifies users during login

Ticket-Granting Server (TGS):- issues "PROOF OF IDENTITY TICKETS"

B, The Server:- Actually does the work 'A' wants performed

WORKING:

'A' sits down at an arbitrary public work station and types his name, which is sent to 'AS'
in plain text.

Session key and a ticket TGS (A, Ks) intended for TGS comes back, which are packed
together and encrypted using A's secret key, so that only 'A' can encrypt them.

Only when message-2 arrives, the work station ask for A's password and this is used to
generate KA in order to decrypt m-2 and obtain session key and TGS ticket inside it.

At this point, the workstation overwrites As password to make sure that it is only inside
the workstation for a few milliseconds at most.

After 'A' logging in, she tells the workstation that she wants to contact 'B' the file server.
19

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The workstation then sends message-3 to the TGS asking for a ticket to use with 'B', with
the key element KTGS(A, KS) encrypted by TGS's secret key as a proof of 'A'.

The TGS responds by creating a session key KAB for 'A' to use with 'B'.

Two versions of it are sent back, with first encrypted with KS intended for A and second
encrypted with KB intended for 'B'.

Now, 'A' sends KAB to 'B' to establish a session key with him, which is time stamped.
After some series of exchanges, communication is established.

(IV) . Authentication Using Public Key Cryptography:

Working:- A and B know each other public keys
1. 'A' starts by encrypting her identity and a random number RA using B's public key EB.
2. when 'B' receives this message ,'B' sends back 'A' message containing A's RA, his own
random number RB ,and a proposed session key KS.

3. When 'A' gets m-2, he decrypts it using his private key and agrees to session key by
sending back m-3.
4. when 'B' sends RB encrypted with session key he just generated, he confirms that m-2 is
received and RA is verified by 'A'.
So, a session is established.
20

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

(6). DIGITAL SIGNATURES:

It is devised to replace hand-written signatures between 2 parties in a system in such a way that

The receiver can verify the claimed identity of the sender

The sender cannot later repudiate the contents of the message.

The receiver cannot possibly have concocted the message himself.

Different approaches: (a)Secret-key signatures

 (b)Public-key signatures
 (c)Message digests
 (d)Birthday attack
(a) . Secret-key signatures:
In this approach each user chooses a secret key and carries with by hand to a central
authority (BB) that knows everything and by everyone. So only A and BB know As secret key
KA and so on.

Working:1. When A wants to send a signed plain text message, P to B, she generates
KA(B, RA, t ,p)and sends it.
2. BB sees that the sender is A & decrypts the message and sends it to B.
3. The message to B contains the plain text As message and also signed message KBB(A,
t, p) where t is a timestamp.
4. B now carries out As request.
(b) . Public key signatures:
In this, an assumption is made initially that public key encryption and decryption
algorithms have the property E(D(p))=P in addition to D(E(p))=P.
21

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Working:1. A sends a plain text message p to B by transmitting EB(DA(p)).

2. When B receives the message ,he transforms it using his private key yielding DA(p)
which is stored in a safe place and then decrypted using EA to get original plain text.

( c). Message Digests:

Def:-

A one-way hash function that takes an arbitrarily long of piece plain text from it
Computes a fixed-length bit string is called a message digest and has 3 important
properties. They are:-

Given P, it is easy to compute MD (P).

Given MD (P), it is effectively impossible to find P.

No one generates 2 messages that have the same message digest.

Working:

A first computes the message digest of her plain text BB computes message digest
by applying MD to P, yielding MD (P).BB then encloses KBB (A, t, MD (P)) as 5th item
in list encrypted with KB that is sent to B.

She then signs the message digest and sends both the signed digest and plain text B.

22

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

(d). Birthday Attack:

If there is some mapping between inputs and outputs with n inputs (people, messages etc..) and
k possible outputs (birthday , message digests etc..), there are [n(n-1)/2] input pairs. If [n (n1)/2] >k ,the chance of having at least one match likely for n>k. This result means that a 64-bit
message digests can probably be broken by generating about 232 messages and looking for 2 with
the message digest.
The idea for this attack comes from a technique that mathematical professors often use in their
probability courses. The question is :
How many students do you need in a class before the probability of having 2 people with
same birthday exceeds ?
The probability is 23 i.e., with 23 people, we can form (23*22)/2=253 different pairs, each of
which has a probability of being a hit.

DNS--Domain Name System:

This is primarily used for mapping host and e-mail destinations to IP addresses but can also be
used other purposes. DNS is defined in RFCs 1034 and 1035.

Working:

To map a name onto an IP address, an application program calls a library procedure

called Resolver, passing it the name as a parameter.

The resolver sends a UDP packet to a local DNS server, which then looks up the name
and returns the IP address to the resolver, which then returns it to the caller.

Armed with the IP address, the program can then establish a TCP connection with the
destination, or send it UDP packets.

The DNS name space.

Resource Records.

Name Servers.

23

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The DNS name space:The Internet is divided into several hundred top level domains, where each domain covers
many hosts. Each domain is partitioned into sub domains, and these are further partitioned as so
on. All these domains can be represented by a tree, in which the leaves represent domains that
have no sub domains. A leaf domain may contain a single host, or it may represent a company
and contains thousands of hosts. Each domain is named by the path upward from it to the root.
The components are separated by periods(pronounced dot)
Eg: Sun Microsystems Engg. Department

eng.sun.com.

The top domain comes in 2 flavours:

Generic:

com(commercial), edu(educational instructions), mil(the U.S armed forces,

government), int (certain international organizations), net( network providers), org(non

profit organizations).

Country: include 1 entry for every country.

Domain names can be either absolute (ends with a period e.g. eng.sum.com) or relative

(doesnt end with a period). Domain names are case sensitive and the component names can be
up to 63 characters long and full path names must not exceed 255 characters.

Insertions of a domain into the tree can be done in 2 days:-

Under a generic domain

( Eg: cs.yale.edu)

Under the domain of their country

(E.g: cs.yale.ct.us)

Resource Records:
Every domain can have a sent of resource records associated with it. For a single host, the

most common resource record is just its IP address. When a resolver gives a domain name to

24

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

DNS, it gets both the resource records associated with that name i.e., the real function of DNS is
to map domain names into resource records.
A resource record is a 5-tuple and its format is as follows:

Domain _name : Tells the domain to which this record applies.

Time- to- live : Gives an identification of how stable the record is
(High Stable = 86400 i.e. no. of seconds /day)
( High Volatile = 1 min)
Type: Tells what kind of record this is.
Class: It is IN for the internet information and codes for non internet information
Value: This field can be a number a domain name or an ASCII string

Type

Meaning

Value

SOA

Start Of Authority

32-bit integer

IP address of host

32 bit integer

MX

Mail Exchange

Priority domain willing to accept

NS

Name Server

Name of server for this domain

CNAME

Canonical Name

Domain name

PTR

Pointer

Alias for an IP address

HINIF

Host Description

CPU and OS in a ASCII

TXT

Text

Un interpreted ASCII Text

Name Servers:
It contains the entire database and responds to all queries about it. DNS name space is

divided up into non-overlapping zones, in which each zone contains some part of the tree and
also contains name servers holding the authoritative information about that zone.

25

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

When a resolver has a query about a domain name, it passes the query to one of the local name
servers:
1. If the domain being sought falls under the jurisdiction of name server, it returns the
authoritative resource records ( that comes from the authority that manages the record,
and is always correct).
2. If the domain is remote and no information about the requested domain is available
locally the name server sends a query message to the top level name server for the
domain requested.
Eg: A resolver of flits.cs.vle.nl wants to know the IP address of the host Linda.cs.yale.edu

Step 1: Resolver sends a query containing domain name sought the type and the class to
local name server, cs.vu.nl.
Step 2: Suppose local name server knows nothing about it, it asks few others near by
name servers. If none of them know, it sends a UDP packet to the server for
edu-server.net.
Step 3: This server knows nothing about Linda.cs.yale.edu or cs.yale.edu and so it
forwards the request to the name server for yale.edu.
Step 4: This one forwards the request to cs.yale.edu which must have authoritative
resource records.
Step 5 to 8: The resource record requested works its way back in steps 5-8
This query method is known as Recursive Query
3. When a query cannot be satisfied locally, the query fails but the name of the next server
along the line to try is returned.

26

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Simple Network Management Protocol

SNMP - Version 1
SNMP - Version 2
SNMP - Version 3
SNMP was developed for use as a n/w management tool for N/W and internet works operating
TCP/IP. It includes the following key elements:
1. Management Station or Manager

3. Management Information Base

2. Agent

4. N/W Management Protocol

Management Station serves as interface for human N/W manager into network Management
system. It will have the following:
1. A set of management applications for data analysis fault recovery and so on.
2. An interface by which the n/w manager may monitor and control the n/w.
3. The capability of translation the n/w managers requirements into the actual
monitoring and control of remote elements in the n/w.
4. A data base of n/w management information extracted from the databases of all the
managed entities in the n/w.
Management Agent software equips key platforms such as hosts, Bridges, routers and hubs so
that they may be managed from a management station. The agent responds to requests for
information from a management station, responds to requests for actions from management
station, and may asynchronously provide management station with important but unsolicited
information.
To manage resources in the n/w, each resource is represented as an object (a data variable
that represents one aspect of managed agent). The collection of objects is referred to as a
Management Information Base (MIB). The MIB functions as a collection of access points at
the agent for management station. A management station performs the monitoring function by
retrieving the value of MIB objects.

27

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The management station and agents are linked by a n/w management protocol. The
protocol used for the management of TCP/IP network is SNMP.

Each of these protocols

includes the following key capabilities:

GET: Enables the management station to retrieve the value of objects at the agent

SET: Enables the management station to set the value of objects at the agent

NOTIFY: Enables an agent to send unsolicited notifications to management station of

Significant events

SNMP V1 Configuration:

Role of SNMP-V2 :

28

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

From management station, 3 types of SNMP messages are issued or behalf of a

Management application: Get Request , Get Next Request and Set Request.
All these 3 messages are acknowledge by the agent in the form of Get Response message
which is passed up to management application.
In addition the agent may issue a type message in response to an event that effect the
MIB and the underlying managed resources. Management requests are sent to UDP port
161 , while the agent sends traps to UDP port 162.

SNMP-V2: It provides a framework on which n/w management , performance , monitoring ,

accounting and so on.
Error!

Each player in the N/w management system maintains a local database of information
relevant to N/W management, a known as MIB. The SNMPV2 standard defines the structure of
this info and the allowable data types. This information is known as Structure of Management
Information (SMI).
One system is responsible for N/W management while the other systems art and role of
agent. An agent collects the information and stores it for later access by a manager. The
information includes data accounts the system it self and may also include traffic information for
N/W to which the agent attaches.

29

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

SMI: It defines the general framework with in which a MIB can be defined and constructed.
The SMI identifies the data types hat can be used in MIB, and how resources with in MIB are
represented and named. The MIB can store only simplify the task of implementation and to
enhance interoperability. There are 3 key elements in SMI specification: 1. At lowest level, the SMI specifies the data types that may be stored.
2. Then SMI specifies a formal technique for defining objects and tables of objects.
3. Finally, SMI provides a scheme for associating a unique identifies with each
actual object in a system, so that a manager can reference data at an agent.

Protocol operation:The protocol provides a straight forward, basic mechanism for the exchange of
management information between agent and manager. The basic unit of exchange is message,
which consists of an outer message wrapper and an inter protocol data unit .The outer message
header deals with security. 7 types of PDU s may be carried in an SNMP message.
(a).Get-Request-PDU, Get-Next-Request-PDU, Set-Request-PDU, SNMPV2-TrapPDU,
Inform-Request-PDU:
PDU type

Req -id 10

Variable-bindings

(b). Response-PDU:
PDU type

Req-id

Error-status

Error-index

Variable-bindings

(c). Get-Bulk-Request-PDU:
PDU type

Req-id

Non-repeaters

Max-repetitions

Variable-bindings

(d). Variable bindings:

Name 1 Value 1

Name 2

Value 2

30

www.jntuworld.com

Name n

Value n

www.jntuworld.com

JNTUWORLD

The Application Layer

GET REQUEST-PDU: Includes a list of one (or) more object names for which values
are requested .If the get operation is successful, and then the responding agent will send a
Response-PDU

GET NEXT REQUEST-PDU: Includes a list of one (or) more objects .For each object
named in variable-bindings field, a value is to be returned for the object that is next in
lexographic order

GET BULK REQUEST-PDU: The purpose is to minimize the number of protocol

exchanges required to retrieve a large amount of management information .It allows
manager to request that the response be as large as possible given the constraints or
message size

SET REQUEST-PDU: Used to request that the values of one (or) more objects be
altered .The operation is atomic

SNMPV2-TRAP-PDU: It is generated when an unusual event occurs and is used to

provide management station with asynchronous notification of some significant event .It
is an unconfirmed message

INFORM REQUEST-PDU: It is sent on behalf of an application to provide

management information to an application using it

VARIABLE BINDINGS: Used to convey the associated information

SNMP-V3: This defines an over all SNMP architecture and a set of security capabilities .It
provides 3 important services:

Authentication

Privacy

Part of User-Based Security Model (USM)

Access Control

Defined in View-Based Access Control Model (VACM)

The Authentication mechanism in USM assures that a received message was transmitted
by the principal whose identifier appears as the source in message header .It also assumes that
the message has not been altered in transit and has not been artificially delayed (or) replayed
.The sending principal provides authentication by including a message authentication code with
SNMP message it is sending .The code is a function of the message contents, the identity of

31

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

sending and receiving parities, the time of transmission and a secret key that should be known
only to sender and receiver .
The configuration/network manager distributes the secret keys and so they are kept
outside of USM .When the receiving principal gets the message, it uses the same secret key to
calculate the message authentication code once again and if it is matched with the appended
value of incoming message, the receiver confirms that the sender is the authorized one. The
authentication code is called HMAC. The privacy facility of USM enables managers and agents
to encrypt messages, by sharing a secret key between them. If they are configured to use the
privacy facility, all traffic between them is encrypted using DES. The access control facility
makes it possible to configure agents to provide different levels of access to the agents
Management Information Base (MIB) to different managers.
An agent principal can restrict access to its MIB for a particular manager principal in 2ways:

It can restrict access to a certain portion of its MIB

It can limit the operations that a manager can use on that portion of MIB

E-MAIL
(Used in RFC 821,822 in internet)

1. Architecture and Services:

E-mail systems consist of two subsystems. They are:

(a). User Agents, which allow people to read and send e-mail

(b). Message Transfer Agents, which move messages from source to destination

E-mail systems support 5 basic functions:

Composition

Transfer

Reporting

Displaying

Disposition

32

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

(a).Composition: It refers to the process of creating messages and answers. Any text editor is
used
for body of the message. While the system itself can provide assistance with
addressing and numerous header fields attached to each message
(b).Reporting: It has to do with telling the originator what happened to the message that is,
whether it was delivered, rejected (or) lost.
(c).Transfer: It refers to moving messages from originator to the recipient
(d).Displaying: Incoming messages are to be displayed so that people can read their email.
(e).Disposition: It concerns what the recipient dose with the message after receiving it.
Possibilities include throwing it away before reading (or) after reading, saving
it and so on

(2). The User Agent: It is normally a program that accepts a variety of commands for
composing,

receiving

and

replying

to

messages

as

well

as

for

manipulating mail boxes.

Sending E-mail: To do so, User must provide the messages, the destination address
and possibly some other parameters (Eg: the priority (or) security level). The message
can be produced with a free-standing text editor, a word processing program or
possibly with a text editor built into the user agent. The destination address must be in
a format that the user agent can deal with. Many user agents expect DNS address of
the form mailbox @ location.

Reading E-mail : When a user agent is started up, it will look at the users mailbox for
incoming mail before displaying anything on the screen. Then it may announce the no. of
messages in the mailbox or display a one-line summary of each one and wait for a
command. Each display line contains several fields(extracted from the header of the
corresponding message) like..

Eg:

Flags

Bytes

Sender

1
2

K
KA

1030
6348

ASW
SAM
33

www.jntuworld.com

Subject
changes to MIN-MAX
RC: Hai

www.jntuworld.com

JNTUWORLD

The Application Layer

1st field(#)

Message Number.

2nd field(flags)

K- Message is not new but already read.

KA - Message has already been answered.

3rd field(Bytes)

Tells how long the message is.

4th field(sender)

Tells who sent the message.

5th field(subject)

Gives brief summary of what the message is about.

After the headers have been displayed, the user can perform any of the commands available.

Message Formats :

RFC 822 (SMTP)

RFC 1551 (MIME)

(1). RFC 822 :

Messages consist of a primitive envelope, some no. of header fields, a blank line
and then the message body. Each header field consists of a single line of ASCII text containing
the fieldname, a colon and a value. The principal header fields related to message transport one :

34

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

After the headers, comes the message body. Users can put whatever they want here.

(outgoing-mail)

(incoming-mail)
Each Queued message has 2 parts :

The message text, consisting of RFC 822 header and body of message.

A list of mail destinations.

The SMTP Sender takes messages from the outgoing mail queue and transmits them to proper
destination host via SMTP transactions over one or more TCP connections to port 25 on target
hosts.

35

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Pretty Good Privacy (PGP) :

This is a complete e-mail security package that provides privacy,

digital signatures and compression,

authentication,

all in easy-to-use form.

The complete package along with all the source code is distributed free of change via
the internet, bullet in boards and of commercial networks.

Due to its quality, price (zero) and easy availability on MS-DOS/WINDOWS,

UNIX and

MACINTOSH platforms, it is widely used today.

It is largely based on RSA, IDEA and MD5.

PGP

supports text compressor , secrecy, and digital signatures and also provides

extensive key management facilities.

Working:

Alice wants to send a signed plaintext message p to bob in a secure way in which each
one of them posses private(Dx) and public (Ex) RSA keys and each one knows the
others public key.

Alice starts out by invoking the PGP program on her computer.

PGP first hashes her message , p , using MD5 and then encrypts the resulting hash using
her private RSA key, DA.

When Bob eventually gets the message , he can decrypt the hash with Alices public key
and verify that the hash is correct.

36

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The encrypted hash and original message are now concatenated into a single message ,
PI, and compressed using the ZIP program (which uses the Ziv-Lempel algorithm ) in
which the output is (PI).(Z)

Now, PGP prompts ALICE for some random input, by which a 128-bit IDEA message key,
KM is generated which encrypts (PI).(Z) in cipher feedback mode.

In addition, KM is encrypted with Bobs public key, EB.

These 2 components are then concatenated and converted into base-64.

The resulting message then contains only letter, digits and the symbols +,/ and =.

When Bob gets the message , he reserves the base-64 encoding and decrypts the IDEA key
using his private RSA key.

Using this key, he decrypts the message to get (PI).(Z)

After decompressing it, Bob separates the plain text from encrypted hash and decrypts the
hash using Alices public key.

PGP Supports 3 RSA key lengths :1. Casual (384 bits): can be broken by folks with large budgets.
2. Commercial(512-bits): Might be breakable by 3 letter organizations.
3. Military(1024 bits):not breakable by anyone on earth.
PGP Message Format:
ID

Km Time ID

Of

Of

EB

EA

Types MD5 Message File

Hash

Header

Time Message

Name

The message has 3 parts :1) The message key part , which contains both the key and key identifier.
2) The signature part , which contains

37

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Header
Timestamp
Identifier for senders public key that can be used to decrypt the signature hash
Some type information that identifies the algorithm used.
The encrypted hash itself.
3) The Message part, which contains
Header
The default name of the file to be used if the receiver writes the file to the desh
A message creation time stamp
Message itself
PGP has grown explosively and is now widely used. A number of reasons can be cited for this
growth:
1. It is available free worldwide in versions that run on a variety of platforms, including
DOS/Windows, UNIX, Macintosh, and many more. In addition, the commercial version
satisfies users who want a product that comes with the vendor support.
2. It is based on algorithms that have survived extensive public review and are
considered extremely secure. Specifically, the package includes RSA, DSS and DeffieHellman for public key encryption; CAST-128, IDEA, and 3DES for conventional
encryption and SHA-1 for hash coding.
3. It has a wide range of applicability, from corporations that wish to select and enforce
a standardized scheme for encrypting files and messages to individuals who wish to
communicate securely with others worldwide over the Internet and other networks.

38

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

PGP intentionally uses existing cryptographic algorithm rather than inventing new ones.
It is largely based on RSA, IDEA and MD5 all algorithms that have withstood extensive peer
review and were not designed or influenced by any government agency. PGP supports text
compression, secrecy and digital signatures and also provides extensive key management
facilities.
PGP ENVIRONMENT:
PGPs primary purpose is to send messages: signed and encrypted. PGP also allows sending
messages that are only signed. The intended receiver can only read encrypted messages. Using
public-key cryptography, the sender does not have to exchange a secret key with the receiver. If
the sender has the receivers public key, then she can send him a message. Encrypted PGP
messages can be addressed to one receiver or several receivers.
PGP can also be used to send signed but unencrypted messages. These messages are in the
clear: Anyone can read them. Also, anyone who has the senders public key can verify the
integrity and authentication of the messages. This type of security is useful for messages posted
to Usenet newsgroups.
PGP SUBSYSTEMS:
There are normally two subsystems:

USER AGENTS

MESSAGE TRANSFER AGENTS

User agents allow people to read and send email. The user agents are local programs that
provide a command-based, menu based or geographical method for interacting with the email
system.
Message Transfer agents move the message from the source to the destination. The agents
are typically system daemons that run in the background and move email through the system.

39

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

BASIC FUNCTIONS:
Email systems support 5 basic functions, they are.
Composition
Transfer
Reporting
Displaying
Disposition
COMPOSITION: It refers to the process of creating message and answers. Although any text
editor can be used for the body of the message, the system itself can provide assistance with
addressing and the numerous header fields attached to each message.
TRANSFER: It refers to moving messages from the originator to the recipient. In large part
this requires establishing a connection to the destination or some intermediate machine,
outputting the message and releasing the connection.

The email system should do this

automatically.
REPORTING: It has to do with telling the originator what happened to the message. Was it
delivered? Was it rejected? Was it lost numerous applications exist in which confirmation of
delivery is important and may even have legal significance.
DISPOSITION: It is the final step and concerns what the recipient does with the message after
receiving it. Possibilities include throwing it way before reading, throwing it away after reading,
saving it and so on. It should also be possible to retrieve and reread saved messages, forward
them, or process them in other ways.
PGP OPERATION FOR SENDING A MESSAGE :
PGP first hashes her message P using MD5 and then encrypts the resulting hash using
private key DA and decrypts by public key and verify that the hash is correct. Even if someone
could acquire the hash at this stage and decrypt it with public key the strength of MD5 guarantee

40

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Km

RSA

C
SHA

RSA

IDEA

ZIP

BASE 64

that it would be computationally infeasible to produce another message with the same MD5
hash. The encrypted hash and the original message are now concatenated in to a single message
P1 and compressed using the Zip program, and thus the output of this step P1.Z.
The content and the typing speed are used to generate a 128-bit IDEA message key, KM
is now used to encrypt P1.Z with IDEA in cipher feedback mode. KM is also encrypted with
public key EB these two components are then concatenated and converted to base 64.
When the opponent receives the message he reverse the base 64 encoding and decrypts
the IDEA key using Private key.

Using this key decrypts the message to get P1.Z after

decompressing it separates the plaintext from the encrypted hash and decrypts the hash using
public key. If the plain text hah agrees with his own MD5 computation thus the opponent P
assures that it is the correct message.
PGP SERVICES:
 Digital signature
 Message encryption
 Compression
 Email compatibility
 Segmentation
OPRATIONAL DESCRIPTION :
 Authentication
 Confidentiality
 Compression
 E-mail compatibility
 Segmentation

41

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

1) Digital signature provides message authentication and protects two parties who exchange
message from any third party by using an algorithm DSS/SHA or RSA/SHA. A hash
code of a message is created using SHA-1 which is an public-key encryption algorithm
takes a input message of arbitrary length and produces as output 128-bit message digest.
The input is processed in 512-bit blocks. This message digest is encrypted using DSS or
RSA.
2) The RSA scheme is a block cipher in which the plaintext and cipher text are integer
between 0 and n-1 for some n. The plaintext is encrypted in blocks, with sender private
key and each block having a binary value less than some number n and included with
the message.
3) A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key
generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with
the recipients public key, and included with the message.
4) A message may be compressed for storage or transmission using Zip.
5) E-mail compatibility uses Radix 64-conversion algorithm to provide transparency for Email application and encrypted message may be converted to an ASCII string.
CRYPTOGRAPHIC KEYS :
PGP makes use of four types of keys
a) One-time Session Conventional Keys : provides only one key for entire process.
b) Public key : The purpose of making your key so that it is available in a common
database where everybody can have access to it for the purpose of encrypting message
also.
c) Pass phrase-based conventional keys : The pass phrase really has only one purpose, but a
very important one. The pass phrase is hashed to become the key to which our private key is
encrypted. Its whole purpose is to protect your private key so that no one else can use your
private key. This is why any time you try to use private key you are prompted to enter your pass
phrase so you need your pass phrase to sign a message, to decrypt a message, to revoke a key, to
add name or E-mail address to your key etc.

42

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

KEY IDENTIFIERS :
A key ID is also required for the PGP digital signature. Because a sender may use one of
a number of private keys to encrypt the message digest, the recipient must know which public
key is intended for use. Accordingly< the digital signature component of a message includes the
64-bit key ID of the required public key when the message is received, the recipient verifies that
the key ID is for a public key that it knows for that sender and then proceeds to verify the
signature. Now that the concept of key ID has been introduced, we take a more detailed look at
the format of a transmitted message. A message consists of three components:
1.

Message component

2.

Signature component

3.

Session key component

1. Message component: It includes the actual data to be stored or transmitted, as well as a

filename and a timestamp that specific the time of creation.
2. Signature component: It includes the following components:
Timestamp: The time at which signature was made.
Message digest: The 160-bit SHA-1 digest, encrypted with the senders private signature key.
The digest is calculated over the signature timestamp concatenated with the data portion of the
message component. The inclusion of the signature timestamp in the digest assures against
replay types of attacks. The exclusion of the filename and timestamp portions of the message
component ensures that detached signatures are exactly the same as attached signatures prefixed
to the message. Detached signatures are calculated on separate files that has none of the message
component header fields.
Leading two octets of message digest: To enable the recipient to determine if the correct public
key was used to decrypt the message digest for authentication. By comparing this plaintext copy
of the first two octets with the first two octets of the decrypted digest. These octets also serve as
a 16-bit frame-check sequence for the message.

43

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Key ID of senders public key: Identifies the public key that should be used to decrypt the
message digest and, hence, identifies the private key that was used to encrypt the message digest
General format of PGP message :

3. Session key component: It includes the session key and the identifier of the recipients
public key that was used by the sender to encrypt the session key.
KEY RINGS :
The scheme used in PGP is to provide a pair of data structures at each node, one to store the
public/private key pairs owned by that node and one to store the public keys of other users
known at this node these data structures are referred to, respectively as the following:
Private-key ring
Public key ring
PRIVATE KEY-RING : Each row represents one of the public/private key pairs owned by
this user. Each row contains the following entries:
Timestamp

: The date/time where this key pair was generated.

key ID

: The least significant 64 bits of the public key for this entry.

Public-key

: The Public-key portion of the pair.

private-key

: The Private-key portion of the pair. This field is encrypted.

44

www.jntuworld.com

www.jntuworld.com

JNTUWORLD
User-ID

The Application Layer

: Typically, this will be the users e-mail address, the user may choose to
associate a different name with each pair or to reuse the same user-ID
more than once.

The private key ring can be indexed by either user-ID, although it is intended that the
private key ring be stored only on the machine of the user that created and owns the key pair and
that it be accessible only to that user it makes sense to make the value of the private-key secure
as possible. Accordingly, the private key itself is not stored in the key ring. Rather, this key is
encrypted using IDEA or 3DES the procedure is as follows:
1. The user selects a pass phrase to be used for encrypting private keys.
2. When the system generates a new public/private key pair using RSA, it asks the user for
the pass phrase using SHA-1, a 160-bit hash code is generated from the pass phrase, and
the pass phrase is discarded.
3. The system encrypts the private key using CAST_128 with the 128 bits of the hash code
as the key. The hash code is then discarded, and the encrypted private key is stored in the
private-key ring.
4. When the user access the private key ring to retrieve a private key then we must supply
the pass phrase, PGP will retrieve the encrypted private key, generate the hash code of
the Pass phrase and decrypt the encrypted private key using cast-128 with hash code.
PUBLIC KEY RING : It is used to store public keys of users that are known to this user:
Timestamp

The date/time when this entry was generated.

Key ID

The last significant 64bits of the public key for this entry.

Public key

The public key for this entry.

User ID

The owner of this key. multiple user IDs may be associated with a
single public key.

The public-key ring can be indexed by either user ID or keyed. First consider message
transmission and assume the sending PGP entity performs the following steps:

45

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Signing the message: PGP retrieves the senders private key from the private key ring using
your user -id as an index. If your user-id was not provided in the command the first private key
on the ring is retrieved PGP prompts the user for the pass phrase to recover the unencrypted
Private key. The signature component of the message is constructed
Encrypting the message: PGP generates a session key and encrypts the msg. PGP retrieves the
recipients public key from the public-key ring using user-id as an index. The session key
component of the message is constructed
The receiving PGP entity performs the following steps:
Decrypting the message: PGP retrieves the receivers private key from the private key ring
using the key ID field in the session key component of the message as an Index. PGP prompts
the user for the pass phrase to recover the unencrypted Private-key. PGP then recovers the
session key and decrypts the msg.
Authenticating the message: PGP retrieves the senders public key from the public-key, using
the Key-id field in the signature key component of the message as an index. PGP recovers the
transmitted message digest. PGP computes the message digest for the received message and
compares it to the transmitted message digest to authenticate.
MERITS OF PGP:
1. We can generate our own public\private key pairs
2. We can have multiple keys for different uses, and can replace a key whenever desired.
3. It uses established and peer reviewed encryption algorithm
4. It is free for personal use.
5. You can securely communicate with users of other operating systems, and with any email
address.
6. All PGP encryption functions take place on your own computer, with your private
Keys residing only on your computer.
7. PGP is public key encryption that does not require the transmission of a secret pass phrase.
8. It includes digital signatures that assures that the message/file is not altered, and is from

46

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

who it is suppose to be from.

9. There is no backdoor, key recovery, or key function that would allow anyone else access to
your encrypted messages/files
10. PGP includes multiple other features such as file wiping, free space wiping, PGP disk and
PGP net
NOTATIONS:
Ks

Session key used in conventional encryption scheme.

Kra

Private key of user A used in public-key encryption scheme.

Kua -

Public key of user A used in public-key encryption scheme.

Ep

Public-key encryption.

Dp

Public-key decryption.

Ec

Conventional encryption.

Dc

Conventional decryption.

Hash function.

||

Concatenation

Compression using Zip algorithm.

R64

Coversion to radix 64 ASCII format.

47

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

48

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

49

www.jntuworld.com