
Q1: Different types of security attacks along with prevention techniques?

Ans. Security attacks can be classified into two types:

• Passive Attacks: - A passive attack attempts to learn or make use of information from
the system but doesn’t affect system resources. Passive attacks are in the nature of
eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain
information that is being transmitted. Following are the two types of passive attacks: -
o Release of message contents (eavesdropping): - A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning
the contents of these transmissions.

o Traffic Analysis: - Suppose we had a way of masking the contents of messages or
other information traffic so that opponents, even if they captured the
message, could not extract the information from it. The common
technique for masking contents is encryption. Even if we had encryption protection in
place, an opponent could still determine the location and identity of the
communicating hosts and could observe the frequency and length of the messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of
the data. Typically, the message traffic is sent and received in an apparently normal
fashion and neither the sender nor the receiver is aware that a third party has read the
message or observed the traffic pattern. However, it is feasible to prevent the success of
these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive
attacks is on prevention rather than detection.

• Active Attacks: - An active attack attempts to alter system resources or affect their
operation. Active attacks involve some modification of the data stream or the creation of
a false data stream and can be subdivided into four categories: -
o Masquerade/Unauthorized Access: - A masquerade takes place when one entity
pretends to be a different entity. The attack is not aimed at any particular user,
but by doing this the attacker gains unauthorized access to the whole network. A
masquerade attack usually includes one of the other forms of active attack. This
attack in turn gives rise to more malicious attacks such as MITM and ARP
poisoning. For example, an unauthorized user gains access to a system by
pretending to be a different entity.

o Man in the Middle (MITM) attack: - In cryptography, the man-in-the-middle
attack (often abbreviated MITM), bucket-brigade attack, or sometimes Janus
attack, is a form of active eavesdropping in which the attacker makes
independent connections with the victims and relays messages between them,
making them believe that they are talking directly to each other over a private
connection, when in fact the entire conversation is controlled by the attacker.
For example, modification of message content is a type of MITM attack - a
message meaning “Allow John Smith to read confidential file accounts” is
modified to mean “Allow Fred Brown to read confidential file accounts.”

o Denial of Service: - DoS prevents or inhibits the normal use or management of
communication facilities. This attack may have a specific target: for example, an
entity may suppress all messages directed to a particular destination. Another
form of service denial is disruption of an entire network, either by disabling the
network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive
attacks are difficult to detect, measures are available to prevent their success. On the
other hand, it is quite difficult to prevent active attacks absolutely, because of the wide
variety of potential physical, software and network vulnerabilities. Instead, the goal is to
detect active attacks and to recover from disruption or delays caused by them. If the
detection has a deterrent effect, it may also contribute to prevention.

Prevention Techniques

Prevention from eavesdropping

1. Use equipment with no or limited signal leakage ('tempest') or put the equipment in a
shielded room. Although effective, those methods are expensive and are only to be
recommended when there is an extremely high risk. Optical fibers can be used to
prevent emission leakage from the lines running between peripherals and the Local
Area Network (LAN).
2. Encryption of the Wide Area Network (WAN) will not stop electromagnetic emissions
but the eavesdropper will not be able to use the information without the encryption
key.

Prevention from Masquerade/ Unauthorized access

1. Install an 'Identification and Authorization' system. Adopt a 'two-man rule' for granting
privileges.
2. Regularly check logs.
3. Regularly check that configuration is correct. Install a firewall.

Prevention of Denial of Service Attack

1. Firewalls - have simple rules such as to allow or deny protocols, ports or IP addresses.
Firewalls can effectively prevent users from launching simple flooding type attacks from
machines behind the firewall.
2. Switches - Most switches have rate limiting capability. Some switches provide automatic
rate limiting, deep packet inspection and delayed binding to detect and remediate DoS
attacks.

Prevention from Traffic Analysis

1. Principle - Make the adversary spend time and energy to detect and jam.
2. Frequency Hopping - Modulate frequency according to keys.
3. Spread Spectrum - Transform the signal to high band, low power, so that it is difficult to
detect under the noise floor.

Prevention from MITM attack

1. Use an external alarming service.
2. Vigilance is the key: keep your internal configuration in sync with the configuration
stored on the service.

Q2: Describe WAN virtual circuits?

A WAN is a data communications network that covers a relatively broad geographic area
and often uses transmission facilities provided by common carriers, such as telephone
companies. WAN technologies function at the lower three layers of the OSI reference model:
the physical layer, the data link layer, and the network layer. Figure below illustrates the
relationship between the common WAN technologies and the OSI model.

WAN Virtual Circuits

A virtual circuit is a logical circuit created to ensure reliable communication between two
network devices. Two types of virtual circuits exist: switched virtual circuits (SVCs) and
permanent virtual circuits (PVCs).

SVCs are virtual circuits that are dynamically established on demand and terminated when
transmission is complete. Communication over an SVC consists of three phases: circuit
establishment, data transfer, and circuit termination. The establishment phase involves creating
the virtual circuit between the source and destination devices. Data transfer involves
transmitting data between the devices over the virtual circuit, and the circuit-termination
phase involves tearing down the virtual circuit between the source and destination devices.
SVCs are used in situations in which data transmission between devices is sporadic, largely
because SVCs increase bandwidth used due to the circuit establishment and termination
phases, but decrease the cost associated with constant virtual circuit availability.

PVCs are permanently established virtual circuits that consist of one mode: data transfer. PVCs
are used in situations in which data transfer between devices is constant. PVCs decrease the
bandwidth use associated with the establishment and termination of virtual circuits, but
increase costs due to constant virtual circuit availability.

PVCs are also permanent circuits dedicated to a single subscriber. The connection is always
active. However, because multiple virtual circuits share a physical circuit, there is no guarantee
that any specific amount of bandwidth will be available at any specific time. Sometimes there
may not be any bandwidth available on the physical circuit because the physical circuit is
saturated.
When the physical circuit is saturated, the traffic is temporarily stored at a switching point until
bandwidth becomes available. When bandwidth becomes available, the stored traffic is
forwarded to its destination. This process is referred to as store-and-forward processing, or
packet switching, which is the same as the processing method used on LANs.
PVCs provide an average bandwidth guarantee. The average bandwidth guarantee is
accomplished through statistical multiplexing (STM), which underlies packet switching
technology. Because PVCs are more cost effective for the public carrier, PVCs are usually less
expensive for the subscriber than dedicated circuits. PVCs are commonly used for Frame
Relay.

Frame Relay
Frame Relay is a layer-2 protocol used in wide area networking. It uses the Telecommunication
provider's packet-switching infrastructure to move data. Frame Relay can provide speeds from
56kbps DS0 up to 43Mbps DS3 connections depending on the capability of the service
provider's network.

The WAN is typically built up of many point to point connections, at both layers 1 and 2. This
can make it difficult for the designer to consider connectivity. To make the routing most
efficient the layer 2 network must often be fully meshed, to reduce the number of hops
between sites. (A full mesh is one where all sites are completely connected to every other site.)
If all traffic goes back and forth from central site to remote, there is little problem. When all
sites have to share information equally, the number of interfaces required per site, physical or
virtual, will be N-1, where N equals the number of sites.
Virtual circuits, such as those created with Frame Relay, will add another layer of complexity to
this and will add connection points if you want a “full mesh” as described with the physical layer
example. Notice the example with Frame Relay. Even though there is only one physical
connection there are two arrow points at each physical connection. In essence the same
formula applies. It is just that you will need to consider both the “raw” physical bandwidth
available on a single physical link and then the committed information rate for the two virtual
links.

Packet Switching
Packet switching is a WAN switching method in which network devices share a single point-to-
point link to transport packets from a source to a destination across a carrier network.
Statistical multiplexing is used to enable devices to share these circuits. Asynchronous Transfer
Mode (ATM), Frame Relay, Switched Multimegabit Data Service (SMDS), and X.25 are examples
of packet-switched WAN technologies.

Point-to-Point Links
A point-to-point link provides a single, pre-established WAN communications path from the
customer premises through a carrier network, such as a telephone company, to a remote
network. A point-to-point link is also known as a leased line because its established path is
permanent and fixed for each remote network reached through the carrier facilities. The carrier
company reserves point-to-point links for the private use of the customer. These links
accommodate two types of transmissions: datagram transmissions, which are composed of
individually addressed frames, and data-stream transmissions, which are composed of a stream
of data for which address checking occurs only once.

Q 3: Difference between Kerberos and RADIUS authentication along with 4
advantages and disadvantages of each?

Kerberos - Kerberos is a computer network authentication protocol, which allows nodes
communicating over a non-secure network to prove their identity to one another in a secure
manner. Its designers aimed primarily at a client–server model, and it provides mutual
authentication — both the user and the server verify each other's identity. Kerberos protocol
messages are protected against eavesdropping and replay attacks.

RADIUS - Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and
software that enables remote access servers to communicate with a central server to
authenticate dial-in users and authorize their access to the requested system or service. It
provides centralized Authentication, Authorization, and Accounting (AAA) management for
computers to connect and use a network service. RADIUS allows a company to maintain user
profiles in a central database that all remote servers can share. It provides better security,
allowing a company to set up a policy that can be applied at a single administered network
point. Having a central service also means that it's easier to track usage for billing and for
keeping network statistics.

Differences between Kerberos and RADIUS.

| S.No | ASPECTS | Kerberos | RADIUS |
|---|---|---|---|
| 1. | SCOPE | Kerberos only provides authentication. | The Remote Authentication Dial-In User Service (RADIUS) protocol provides authentication, authorization, and accounting (AAA) for dial-in infrastructures. |
| 2. | PASSWORD TRANSMISSION | User passwords are never transmitted in clear text over the network, nor are they cached (stored) on the client machine. Instead, encrypted so-called tickets are used, which have a limited lifetime, 10 hours by default. | A shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. Because this particular implementation is not considered to be a very strong protection of the user's credentials, additional protection - such as IPsec tunnels or physically-secured data-center networks - should be used to further protect the RADIUS traffic between the NAS device and the RADIUS server. |
| 3. | PORT | One feature that all Kerberos tools have in common is that by default, Kerberos uses port 88. This means that when tools are designed and developed, the logon ids, user ids and passwords need to first communicate through port 88. | RADIUS has officially assigned UDP Ports 1812 for RADIUS authentication and 1813 for RADIUS accounting. |
| 4. | SUITABILITY | It is well suited for PC and workstation network. | It is well suited for PC and workstation. |
| 5. | SIGN-ON | Has single sign-on capability. | Does not have single sign-on capability. |
| 6. | MUTUAL AUTHENTICATION | It does mutual authentication between client and server i.e. both sides prove their identity to the other party, not just the user to the server. | Does not provide mutual authentication. |
| 7. | CLOCK SYNCHRONIZATION | Kerberos requires the clocks of the involved hosts to be synchronized; authentication will fail if they aren't. | It does not require clock synchronization. |
| 8. | SERVER | Kerberos uses a central server for all authentication, which introduces a single point of failure to your network – when the Kerberos server is down, no one can log in. | RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server, are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server. |
| 9. | COMPLETE SOLUTION | Kerberos is not a complete network security solution. While it does provide powerful tools to enable network wide user authentication and secure communications, it has no provisions for access control or accounting. | RADIUS provides the complete network wide solution with Authentication, Authorization and accounting. |
| 10. | PROTOCOL | Kerberos uses as its basis the symmetric Needham-Schroeder protocol. | RADIUS uses as its basis the SNMP (Simple Network Management Protocol) |

Advantages of Kerberos

• Tight Security - User's passwords are never sent across the network, encrypted or in
plain text. Secret keys are only passed across the network in encrypted form. Hence, a
miscreant snooping and logging conversations on a possibly insecure network cannot
deduce from the contents of network conversations enough information to impersonate
an authenticated user or an authenticated target service.

• Time Stamping of the Tickets - The tickets passed between clients and servers in the
Kerberos authentication model include timestamp and lifetime information. This allows
Kerberos clients and Kerberized servers to limit the duration of their users'
authentication. While the specific length of time for which a user's authentication
remains valid after his initial ticket is issued is implementation dependent, Kerberos
systems typically use small enough ticket lifetimes to prevent brute-force and replay
attacks.

• Reusability and Durability - Authentications are reusable and durable. A user need only
authenticate to the Kerberos system once (using his principal and password). For the
lifetime of his authentication ticket, he may then authenticate to Kerberized services
across the network without re-entering his personal information.

• Open Source - Unlike many alternative authentication mechanisms, Kerberos is entirely
based on open Internet standards. A number of well-tested and widely-understood
reference implementations are available free of charge to the Internet community.
Commercial implementations based on the accepted standards are also available.

Disadvantages of Kerberos

• Multi User Security Issue - Kerberos was designed for use with single-user client
systems. In the more general case, where a client system may itself be a multi-user
system, the Kerberos authentication scheme can fall prey to a variety of ticket-stealing
and replay attacks. The overall security of multi-user Kerberos client systems (filesystem
security, memory protection, etc.) is therefore a limiting factor in the security of
Kerberos authentication. No amount of cleverness in the implementation of a Kerberos
authentication system can replace good system administration practices on Kerberos
client and server machines.

• Problem with Legacy System Implementation - Because Kerberos uses a mutual
authentication model, it is necessary for both client machines and service providers
(servers) to be designed with Kerberos authentication in mind. Many proprietary
applications already provide support for Kerberos or will be providing Kerberos support
in the near future. Some legacy systems and many locally-written and maintained
packages, however, were not designed with any third-party authentication mechanism
in mind, and would have to be re-written (possibly extensively) to support Kerberos
authentication.

• The Kerberos authentication model is vulnerable to brute-force attacks against the KDC
(the initial ticketing service and the ticket-granting service). The entire authentication
system depends on the trustworthiness of the KDC(s), so anyone who can compromise
system security on a KDC system can theoretically compromise the authentication of all
users of systems depending on the KDC.

• Clock Synchronization - Kerberos requires the clocks of the involved hosts to be
synchronized or else the authentication will fail.
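The ticket lifetime, time stamping and clock synchronization points above, as an added Python example that models the time checks a Kerberized service applies to each request (not code from the original answer or from any Kerberos implementation). The class and field names are hypothetical, the 5-minute skew tolerance is an assumed common default, the status strings are the RFC 4120 error names, and no cryptography is modelled.

```python
from dataclasses import dataclass, field

MAX_SKEW = 5 * 60            # seconds; assumed tolerance (a common default)
TICKET_LIFETIME = 10 * 3600  # seconds; the 10-hour default quoted in the table above


@dataclass(frozen=True)
class Ticket:                # hypothetical, reduced to the time-related fields
    client: str
    starttime: int           # KDC clock, seconds since the epoch
    endtime: int


@dataclass(frozen=True)
class Authenticator:         # built fresh by the client for every request
    client: str
    ctime: int               # client clock, seconds
    cusec: int               # microseconds, keeps (ctime, cusec) unique


@dataclass
class KerberizedService:
    replay_cache: dict = field(default_factory=dict)

    def accept(self, ticket: Ticket, auth: Authenticator, now: int) -> str:
        # Entries older than the skew window can be dropped: an authenticator
        # that old is rejected by the skew check below anyway.
        self.replay_cache = {k: t for k, t in self.replay_cache.items()
                             if now - t <= MAX_SKEW}
        if auth.client != ticket.client:
            return "KRB_AP_ERR_BADMATCH"
        # This is why unsynchronized clocks make authentication fail.
        if abs(now - auth.ctime) > MAX_SKEW:
            return "KRB_AP_ERR_SKEW"
        if now < ticket.starttime - MAX_SKEW:
            return "KRB_AP_ERR_TKT_NYV"
        if now > ticket.endtime + MAX_SKEW:
            return "KRB_AP_ERR_TKT_EXPIRED"
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"
        self.replay_cache[key] = auth.ctime
        return "OK"


def run_scenarios() -> dict:
    """Constructed timeline: one ticket, several requests against one service."""
    t0 = 1_700_000_000       # constructed issue time
    who = "alice@EXAMPLE.COM"
    ticket = Ticket(who, t0, t0 + TICKET_LIFETIME)
    svc = KerberizedService()
    first = Authenticator(who, t0 + 58, 123456)
    results = {
        "fresh": svc.accept(ticket, first, now=t0 + 60),
        "replayed_at_once": svc.accept(ticket, first, now=t0 + 90),
        "replayed_later": svc.accept(ticket, first, now=t0 + 420),
    }
    slow = Authenticator(who, t0 + 400, 1)          # client clock 10 minutes slow
    results["client_clock_10min_slow"] = svc.accept(ticket, slow, now=t0 + 1000)
    late = t0 + TICKET_LIFETIME + MAX_SKEW + 1
    results["after_expiry"] = svc.accept(ticket, Authenticator(who, late, 7), now=late)
    return results


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:26} {status}")
```

A captured authenticator is refused twice over: by the replay cache while it is still fresh, and by the skew check once it has aged out of the window.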

Advantages of RADIUS

• Tight Security - In large networks, security information may be scattered throughout the
network on different devices. RADIUS allows user information to be stored on one host,
minimizing the risk of security loopholes. All authentication and access to network
services is managed by the host functioning as the RADIUS server.

• Flexibility - RADIUS can be adapted to work with existing security systems and
protocols. The RADIUS server may be adapted to your network, rather than adjusting
your network to work with RADIUS. RADIUS may be used with any communications
server that supports the RADIUS protocol. When new security technology becomes
available or security needs increase, RADIUS may be expanded to offer new services.

• Simplified management - Security information is stored in text files at a central location,
the RADIUS server. Adding new users to the database or modifying existing user
information can be easily accomplished by editing these text files.

• Extensive logging capabilities - RADIUS provides extensive audit trail capabilities,
referred to as RADIUS accounting. Information collected in a log file can be analyzed for
security purposes, or used for billing.

Disadvantages of RADIUS

• The RADIUS protocol does not transmit passwords in cleartext between the NAS and
RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with
the MD5 hashing algorithm to obfuscate passwords. Because this particular
implementation is not considered to be a very strong protection of the user's
credentials, additional protection - such as IPsec tunnels or physically-secured
data-center networks - should be used to further protect the RADIUS traffic between the
NAS device and the RADIUS server.

• The user's security credentials are the only part protected by RADIUS itself, yet other
user-specific attributes such as tunnel-group IDs or VLAN memberships passed over
RADIUS may be considered sensitive (helpful to an attacker) or private (sufficient to
identify the individual client) information as well.

• In case of large installations, management of shared secrets becomes an overhead.

• Conventional RADIUS uses the unreliable User Datagram Protocol (UDP) for transport.
UDP does not guarantee to deliver messages. The RADIUS protocol permits a limited
number of retransmissions, but it does not guarantee to deliver requests, and therefore
conventional RADIUS requests can sometimes be lost or dropped, especially on a
congested network. This can cause inconvenience for users trying to log in, and lost
accounting messages can mean lost income for operators.
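The shared-secret-plus-MD5 obfuscation named in the first disadvantage above, written out as an added Python example (not part of the original answer). It follows the User-Password hiding scheme of RFC 2865, section 5.2; the shared secret, Request Authenticator and passwords are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 output size; the password is handled in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: build the value of the User-Password attribute."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    # Pad with NUL octets to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        # b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RADIUS server side: undo the hiding with the same shared secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real NAS uses 16 unpredictable octets per request


def observations() -> dict:
    """What the scheme does and does not give a defender."""
    short = hide_password(b"pw", SECRET, REQUEST_AUTH)
    long_ = hide_password(b"a-much-longer-passphrase", SECRET, REQUEST_AUTH)
    return {
        # Only the 16-octet size bucket of the password is visible on the wire.
        "short_len": len(short),
        "long_len": len(long_),
        # Everything rests on the shared secret: whoever holds it recovers the password.
        "server_recovers": reveal_password(long_, SECRET, REQUEST_AUTH),
        # The attribute carries no integrity check: a wrong secret yields garbage, not an error.
        "wrong_secret": reveal_password(long_, b"some-other-secret", REQUEST_AUTH),
        # Same secret and same authenticator give the same MD5 pad, so the
        # Request Authenticator must never repeat.
        "same_inputs_same_output": short == hide_password(b"pw", SECRET, REQUEST_AUTH),
    }


if __name__ == "__main__":
    for name, value in observations().items():
        print(f"{name:24} {value!r}")
```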

Q 4: List down and make a table for WAP devices only with respect to following:

• Name of Manufacturer
• Name of device
• Operating Layer
• Speed/Bandwidth supported
• Minimum 4 technical specifications and minimum 3 manufacturers?

| Manufacturer | Device | Operating Layer | Bandwidth | Technical Specification |
|---|---|---|---|---|
| Nokia | 6210 Navigator mobile phone | Symbian OS 9.3, S60 | 2G – GSM; 3G – HSDPA 3.6 Mbps | Browser – WAP 2.0; Java – MIDP 2.1; GPS with A-GPS Support; Digital Compass; WLAN – No |
| Palm | Treo Pro | Microsoft Windows Mobile 6.1 Professional | 2G – GSM; 3G – HSDPA; 32-48 Kbps (GPRS) | Browser – WAP 2.0; GPS – Yes; Java – MIDP 2.0; WLAN – Wi-Fi 802.11 |
| BlackBerry | 8800 | BlackBerry OS | 2G – GSM; 3G – No | Browser – WAP 2.0; Java – Yes; GPS – Yes; Document Viewer; Organizer |
WAP offers subscribers a much wider range of services:

• Unified Messaging applications, access to voice mail, e-mail and fax mail
• Information services like stock quotes, restaurants, cinemas etc.
• Reservation services
• News services
• E-commerce and bank applications (e.g. Commonwealth Bank/Telstra in Australia)

Q 5: What do you mean by Public Key and Private Key? Along with creating
private and public keys with PGP steps?

Data that can be read and understood without any special measures is called plaintext or clear
text. The method of disguising plaintext in such a way as to hide its substance is called
encryption. Encrypting plaintext results in unreadable gibberish called cipher text. You use
encryption to ensure that information is hidden from anyone for whom it is not intended, even
those who can see the encrypted data. The process of reverting cipher text to its original
plaintext is called decryption.

The secret piece of using a well-known encryption algorithm is the key. The key can be any
value that is made up of a large sequence of random bits. Is it just any random number of bits
crammed together? Not really. An algorithm contains a key space, which is a range of values
that can be used to construct a key. The key is made up of random values within the key space
range. The larger the key space, the more available values can be used to represent different
keys, and the more random the keys are, the harder it is for intruders to figure them out.

Public and Private Keys:

Some things you can tell the public, but some things you just want to keep private. In symmetric
key cryptography, a single secret key is used between entities, whereas in public key systems,
each entity has different keys, or asymmetric keys. The two different asymmetric keys are
mathematically related. If a message is encrypted by one key, the other key is required to
decrypt the message.
In a public key system, the pair of keys is made up of one public key and one private key. The
public key can be known to everyone, and the private key must only be known to the owner.
Many times, public keys are listed in directories and databases of e-mail addresses so they are
available to anyone who wants to use these keys to encrypt or decrypt data when
communicating with a particular person. Figure illustrates an asymmetric cryptosystem. The
public and private keys are mathematically related, but cannot be derived from each other. This
means that if an evildoer gets a copy of Bob’s public key, it does not mean he can now use
some mathematical magic and find out Bob’s private key.

If Bob encrypts a message with his private key, the receiver must have a copy of Bob’s public
key to decrypt it. The receiver can decrypt Bob’s message and decide to reply back to Bob in an
encrypted form. All she needs to do is encrypt her reply with Bob’s public key, and then Bob can
decrypt the message with his private key. It is not possible to encrypt and decrypt using the
exact same key when using an asymmetric key encryption technology.
Bob can encrypt a message with his private key and the receiver can then decrypt it with Bob’s
public key. By decrypting the message with Bob’s public key, the receiver can be sure that the
message really came from Bob. A message can only be decrypted with a public key if the
message was encrypted with the corresponding private key. This provides authentication,
because Bob is the only one who is supposed to have his private key. When the receiver wants
to make sure Bob is the only one that can read her reply, she will encrypt the response with his
public key. Only Bob will be able to decrypt the message because he is the only one who has
the necessary private key. Now the receiver can also encrypt her response with her private key
instead of using Bob’s public key. Why would she do that? She wants Bob to know that the
message came from her and no one else. If she encrypted the response with Bob’s public key, it
does not provide authenticity because anyone can get a hold of Bob’s public key. If she uses her
private key to encrypt the message, then Bob can be sure that the message came from her and
no one else. Symmetric keys do not provide authenticity because the same key is used on both
ends. Using one of the secret keys does not ensure that the message originated from a specific
entity.

The following outlines the strengths and weaknesses:


• Strengths
o Better key distribution than symmetric systems
o Better scalability than symmetric systems
o Can provide confidentiality, authentication, and non-repudiation

• Weaknesses
o Works much slower than symmetric systems

Following are examples of asymmetric key algorithms:

• RSA

• Elliptic Curve Cryptosystem (ECC)

• Diffie-Hellman

• El Gamal

• Digital Signature Standard (DSS)

Encryption Algorithms

There are several types of asymmetric algorithms used in the computing world today. They may
have different internal mechanisms and methods, but the one thing they do have in common is
that they are all asymmetric. This means that a different key is used to encrypt a message than
the key that is used to decrypt a message.

RSA

RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key
algorithm that is the most understood, easiest to implement, and most popular when it comes
to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital
signatures and encryption. It was developed in 1978 at MIT and provides authentication as well
as encryption. The security of this algorithm comes from the difficulty of factoring large
numbers. The public and private keys are functions of a pair of large prime numbers, and the
work required to decrypt a message from cipher text to plaintext using a public
key is comparable to factoring the product of two prime numbers. (A prime number is a
positive whole number with no proper divisors, meaning the only numbers that can divide a
prime number are one and the number itself.) One advantage of using RSA is that it can be used
for encryption and digital signatures. Using its one-way function, RSA provides encryption and
signature verification, and the inverse direction performs decryption and signature generation.
RSA is used in many Web browsers with the Secure Sockets Layer (SSL) protocol. PGP and
government systems that use public key cryptosystems (encryption systems that use
asymmetric algorithms) also use RSA.

El Gamal

El Gamal is a public key algorithm that can be used for digital signatures and key exchange. It is
not based on the difficulty of factoring large numbers, but is based on calculating discrete
logarithms in a finite field.

Elliptic Curve Cryptosystems (ECCs)

Elliptic curves are rich mathematical structures that have shown usefulness in many different
types of applications. An Elliptic Curve Cryptosystem (ECC) provides much of the same
functionality that RSA provides: digital signatures, secure key distribution, and encryption. One
differing factor is ECC’s efficiency. Some devices have limited processing capacity, storage,
power supply, and bandwidth like the newer wireless devices and cellular telephones. With
these types of devices, efficiency of resource use is very important. ECC provides encryption
functionality requiring a smaller percentage of the resources required by RSA and other
algorithms, so it is used in these types of devices. In most cases, the longer the key length, the
more protection that is provided, but ECC can provide the same level of protection with a key
size that is smaller than what RSA requires. Because longer keys require more resources to
perform mathematical tasks, the smaller keys used in ECC require fewer resources of the
device.

ECC cryptosystems use the properties of elliptic curves in their public key systems. The elliptic
curves provide ways of constructing groups of elements and specific rules of how the elements
within these groups combine. The properties between the groups are used to build
cryptographic algorithms.

Diffie-Hellman

DH is a method for securely exchanging a shared secret between two parties, in real-time, over
an untrusted network. A shared secret is important between two parties who may not have
ever communicated previously, so that they can encrypt their communications. As such, it is
used by several protocols, including Secure Sockets Layer (SSL), Secure Shell (SSH), and Internet
Protocol Security (IPSec).

Digital signatures

A major benefit of public key cryptography is that it provides a method for employing digital
signatures. Digital signatures enable the recipient of information to verify the authenticity of
the information’s origin, and also verify that the information is intact. Thus, public key digital
signatures provide authentication and data integrity. A digital signature serves the same
purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A
digital signature is superior to a handwritten signature in that it is nearly impossible to
counterfeit, plus it attests to the contents of the information as well as to the identity of the
signer.

PGP (Pretty Good Privacy)

PGP is the most widely recognized public key encryption program in the world. It can be used to
protect the privacy of email, data files, drives and instant messaging.

PGP combines some of the best features of both conventional and public key cryptography.
PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses
the plaintext. Data compression saves modem transmission time and disk space and, more
importantly, strengthens cryptographic security. Compression reduces the patterns in the
plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to
compress or which don’t compress well aren’t compressed.) PGP then creates a session key,
which is a one-time-only secret key. This key is a random number generated from the random
movements of your mouse and the keystrokes you type. This session key works with a very
secure, fast conventional encryption algorithm to encrypt the plaintext; the result is cipher text.
Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This
public key-encrypted session key is transmitted along with the cipher text to the recipient.

Decryption works in the reverse. The recipient’s copy of PGP uses his or her private key to
recover the temporary session key, which PGP then uses to decrypt the conventionally-
encrypted cipher text. The combination of the two encryption methods combines the
convenience of public key encryption with the speed of conventional encryption. Conventional
encryption is about 1,000 times faster than public key encryption. Public key encryption in turn
provides a solution to key distribution and data transmission issues. Used together,
performance and key distribution are improved without any sacrifice in security.
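The hybrid scheme described above, together with the sign-with-the-private-key and verify-with-the-public-key idea from the Public and Private Keys section, as an added Python example (not PGP's own code and not from the original answer). Assumptions: a constructed toy RSA key built from two well-known Mersenne primes, textbook RSA without the padding real implementations add, a SHA-256 counter keystream standing in for PGP's conventional cipher, and the operating system's random generator for the session key.

```python
import hashlib
import secrets
import zlib

# Constructed toy RSA key pair for Bob. Both primes are well-known Mersenne
# primes, so this modulus is trivial to factor: for illustration only.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
BOB_PUBLIC, BOB_PRIVATE = (N, E), (N, D)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the conventional cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(c ^ k for c, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_encrypt(plaintext: bytes, recipient_public: tuple) -> tuple:
    n, e = recipient_public
    compressed = zlib.compress(plaintext)                  # 1. compress
    session_key = secrets.token_bytes(16)                  # 2. one-time session key
    ciphertext = keystream_xor(session_key, compressed)    # 3. fast symmetric step
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 4. encrypt key to recipient
    return wrapped, ciphertext                             # both travel together


def hybrid_decrypt(message: tuple, recipient_private: tuple) -> bytes:
    n, d = recipient_private
    wrapped, ciphertext = message
    session_key = pow(wrapped, d, n).to_bytes(16, "big")   # only the private key recovers it
    return zlib.decompress(keystream_xor(session_key, ciphertext))


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, signer_private: tuple) -> int:
    """'Encrypt with the private key': only the key owner can produce this value."""
    n, d = signer_private
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, signer_public: tuple) -> bool:
    """Anyone holding the public key can check origin and integrity."""
    n, e = signer_public
    return pow(signature, e, n) == _digest_int(message, n)


if __name__ == "__main__":
    note = b"Allow John Smith to read confidential file accounts"
    sealed = hybrid_encrypt(note, BOB_PUBLIC)
    print("recovered:", hybrid_decrypt(sealed, BOB_PRIVATE))
    sig = sign(note, BOB_PRIVATE)
    print("genuine verifies:", verify(note, sig, BOB_PUBLIC))
    forged = note.replace(b"John Smith", b"Fred Brown")
    print("modified verifies:", verify(forged, sig, BOB_PUBLIC))
```

The last check ties back to the message-modification example in Q1: the altered text no longer matches the signature made with Bob's private key.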

Steps:

The command gpg --gen-key will make a new key for you. You will be prompted for the
following:

• Kind of key: this asks which key generation algorithm to use. Choose "DSA and
ElGamal", RSA, etc.
• Key length: choose the size you want from the following:

1) 512 bits - Low commercial grade, fast but less secure

2) 768 bits - High commercial grade, medium speed, good security

3) 1024 bits - "Military" grade, slow, highest security

• Expiry: when your key should expire. 0 is the default, which means the key does not
expire - you have to confirm this.

• Name: just enter your name as you would normally write it. Ex: user ID "Marty McFly".
You need a user ID for your public key. The desired form for this
user ID is your name, followed by your E-mail address enclosed in <angle brackets>, if you
have an E-mail address.

• Email address: the email address that you would like to use. Ex: John Q. Smith
<12345.6789@compuserve.com>

• Passphrase (twice): this is the password you must enter for certain actions. Choose a
password with a mix of numbers, letters and punctuation. A bad password will
significantly reduce the security value of your key. Enter the password two times.
• Some random information, in the form of keyed-in data or mouse movements, that PGP
will use to generate a strong key.