D.O.P. D.O.S.

Signature Grade
Experiment No. 1
Aim: Write a program to study & implement basic cryptography using Product Cipher
algorithm

Objectives: From this experiment, the student will be able to

 Understand the basics of cryptography

Scope: The learner will be able to

 Apply knowledge of cryptography in creating secure messages

Software Required: C / C++ / JAVA

Theory:

Product Cipher:
In cryptography, a product cipher combines two or more transformations in a manner
intending that the resulting cipher is more secure than the individual components to make it
resistant to cryptanalysis. The product cipher combines a sequence of simple transformations
such as substitution (S-box), permutation (P-box), and modular arithmetic. The concept of
product ciphers is due to Claude Shannon, who presented the idea in his foundational paper,
Communication Theory of Secrecy Systems.
For transformation involving reasonable number of n message symbols, both of the
foregoing cipher systems (the S-box and P-box) are by themselves wanting. Shannon suggested
using a combination of S-box and P-box transformation - a product cipher. The combination
could yield a cipher system more powerful than either one alone. This approach of alternatively
applying substitution and permutation transformation has been used by IBM in the Lucifer cipher
system, and has become the standard for national data encryption standards such as the Data
Encryption Standard and the Advanced Encryption Standard. A product cipher that uses only
substitutions and permutations is called a SP-network. Feistel ciphers are an important class of
product ciphers.
Keyless Transposition Cipher:
In this cipher technique, the message is converted to ciphertext by either of two permutation
techniques:
a. Text is written into a table column-by-column and is then transmitted row-by-row.
b. Text is written into a table row-by-row and is then transmitted column-by-column
Keyed Transposition cipher:
In this approach, rather than permuting all the symbols together, we divide the entire
plaintext into blocks of predetermined size and then permute each block independently.
What makes a product cipher secure?
Nobody knows how to prove mathematically that a product cipher is completely secure.
So in practice one begins by demonstrating that the cipher "looks highly random". For example,
the cipher must be nonlinear, and it must produce cipher text which functionally depends on
every bit of the plaintext and the key. Meyer has shown that at least 5 rounds of DES are
required to guarantee such dependence. In this sense a product cipher should act as a "mixing"
function which combines the plaintext, key, and cipher text in a complex nonlinear fashion.

Figure1. A product cipher made of two rounds.

In the rail fence cipher, the plain text is written downwards and diagonally on successive
"rails" of an imaginary fence, then moving up when we reach the bottom rail. When we reach the
top rail, the message is written downwards again until the whole plaintext is written out. The
message is then read off in rows
The Playfair cipher or Playfair square or Wheatstone-Playfair cipher is a
manual symmetric encryption technique and was the first literal digram substitution cipher.
The columnar transposition cipher is a fairly simple, easy to implement cipher. It is a
transposition cipher that follows a simple rule for mixing up the characters in the plaintext to
form the ciphertext.
Double Transposition consists of two applications of columnar transposition to a
message. The two applications may use the same key for each of the two steps, or they may use
different keys.
Both Monoalphabetic Substitution Ciphers and Simple Transposition Ciphers are
susceptible to different means of cryptanalysis, and neither has been secure for quite some time.
Even more so, with the invention of the computer, these types of codes have fallen, and are not
used for any truly important pieces of information
The Vernam Cipher is based on the principle that each plaintext character from a message
is 'mixed' with one character from a key stream. If a truly random key stream is used, the result
will be a truly 'random' ciphertext which bears no relation to the original plaintext.
In computer security, a threat is a possible danger that might exploit a vulnerability to
breach security and therefore cause possible harm.
Diffusion and Confusion
Claude Shannon, in one of the fundamental papers on the theoretical foundations of
cryptography ["Communication theory of secrecy systems," Bell Systems Technical Journal 28
(1949), 656 - 715], gave two properties a good cryptosystem should have to hinder statistical
analysis: diffusion and confusion.
Diffusion means that if we change a character of the plaintext, then several characters of
the cipher text should change, and similarly, if we change a character of the cipher text, then
several characters of the plaintext should change. We saw that the Hill cipher has this property.
This means that frequency statistics of letters, [digraphs], etc. in the plaintext are diffused over
several characters in the cipher text, which means that much more cipher text is needed to do a
meaningful statistical attack.
Confusion means that the key does not relate in a simple way to the cipher text. In
particular, each character of the cipher text should depend on several parts of the key. For
example, suppose we have a Hill cipher with an n × n matrix, and suppose we have a plaintext-
ciphertext pair of length n2with which we are able to solve for the encryption matrix. If we
change one character of the cipher text, one column of the matrix can change completely. Of
course, it would be more desirable to have the entire key change. When a situation like that
happens, the cryptanalyst would probably need to solve for the entire key simultaneously, rather
than piece by piece.
The Vigenère and substitution ciphers do not have the properties of diffusion and
confusion, which is why they are so susceptible to frequency analysis.

Figure2. Diffusion and Confusion in a block cipher

Conclusion:
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Result:
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Industrial Application:
In cryptography, a product cipher combines two or more transformations in a manner intending
that the resulting cipher is more secure than the individual components to make it resistant to
cryptanalysis. The product cipher combines a sequence of simple transformations such as
substitution (S-box), permutation (P-box), and modular arithmetic. The concept of product
ciphers is due to Claude Shannon, who presented the idea in his foundational paper.

Questions:

Write in short about the following

1. Product Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
2. Keyless Transposition Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
3. Keyed Transposition Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
4. Playfair Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
5. Columnar Transposition Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
6. double Transposition Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
7. Combined Transposition Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
8. Threat
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
9. Rail fence Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
10. Vernam Cipher
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 2
Aim: Write a program to study & implement Rivest Shamir Adelman (RSA) asymmetric key
cryptographic algorithm

Objectives: From this experiment, the student will be able to

 Understand Symmetric and Asymmetric algorithm

Outcomes: The learner will be able to

 Implement RSA Algorithm

Software Required: C / C++ / JAVA

Theory:
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an
asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This
is also called public key cryptography, because one of them can be given to everyone.
The RSA Cryptosystem
The various observations just stated form the basis for the RSA public-key cryptosystem, which
was invented at MIT in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman.
The public key in this cryptosystem consists of the value n, which is called the modulus, and the
value e, which is called the public exponent. The private key consists of the modulus n and the
value d, which is called the private exponent.

An RSA public-key / private-key pair can be generated by the following steps:

1. Generate a pair of large, random primes p and q.
2. Compute the modulus n as n = pq.
3. Select an odd public exponent e between 3 and n-1 that is relatively prime to p-
1and q-1.
4. Compute the private exponent d from e, p and q.
5. Output (n, e) as the public key and (n, d) as the private key.
The encryption operation in the RSA cryptosystem is exponentiation to the eth power modulo n:
c = ENCRYPT (m) = m ͤ mod n
The input m is the message; the output c is the resulting ciphertext. In practice, the message m is
typically some kind of appropriately formatted key to be shared. The actual message is encrypted
with the shared key using a traditional encryption algorithm. This construction makes it possible
to encrypt a message of any length with only one exponentiation.
The decryption operation is exponentiation to the dth power modulo n:
m = DECRYPT (c) = c ͩ mod n.
The relationship between the exponent’s e and d ensures that encryption and decryption are
inverses, so that the decryption operation recovers the original message m. Without the private
key (n, d) (or equivalently the prime factors p and q), it's difficult (by CONJECTURE 6) to
recover m from c. Consequently, n and e can be made public without compromising security,
which is the basic requirement for a public-key cryptosystem.

Key Pair Key Pair Generation Primes: p = 5, q =11 Modulus: n

Public key: n = 55, e = 3 Private key: n = p q =55 Public exponent: e =3
= 55, d =7 Private exponent: d = 3-1 mod 20 =7
Message Encryption Decryption
c = m³ mod n m = c⁷ mod n
m m² mod n m³ mod n m² mod n m³ mod n m⁶ mod n m⁷ mod n
0 0 0 0 0 0 0
1 1 1 1 1 1 1
2 4 8 9 17 14 2
3 9 27 14 48 49 3
4 16 9 26 14 31 4
5 25 15 5 20 15 5
6 36 51 16 46 26 6
7 49 13 4 52 9 7
8 9 17 14 18 49 8
9 26 14 31 49 36 9

Algorithm:
1. Start
2. Select two very large prime numbers. (i.e. p & q)
3. n = p.q
4. Φ = (p - 1).(q - 1)
5. Select e; such that, e is relatively prime to Φ and 1< e < Φ, gcd (e, Φ) = 1
6. Select d; such that, d.e mod Φ = 1
7. Public key: {e, n}
Private Key: {d, n}
8. C= P ͤ mod n
P= C ͩ mod n
Where, P= Plaintext message & C= Ciphertext message
9. End

Return of Coppersmith’s Attack, or ROCA for short is a cryptographic weakness in generation of

RSA keys, that allows the private key of a key pair to be recovered from the public key. RSA is a
public key cryptosystem widely used for secure data transmission. The vulnerability tracked
as CVE-2017-15361, affects RSA key pair generation implementation of Infineon’s Trusted
Platform Module (TPM)
Conclusion:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Results:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Industrial Application:
RSA is used mostly in hybrid encryption schemes and digital signatures.
In the former it is used to encrypt a symmetric key and send it to a second party who has
requested it.
This is because RSA is comparatively slow so you would never use it to encrypt a whole file.
Instead the file is encrypted symmetrically and only the key is encrypted by RSA directly.

For Digital signatures one can use the private key to sign a message or file (or better: sign the
cryptographic hash of the message/file, much faster). If a second party has the corresponding
public key he can verify that the file is authentic and has not been altered or damaged.

Questions:

1. RSA Algorithm is
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
2. Define prime number?
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
3. How many keys are used in RSA algorithm?
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
4. Vulnerabilities for RSA algorithm are?
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
5. RSA uses Feistel Cipher techniques or not? (True or False)
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
6. How Cipher text generated in RSA algorithm (equation)?
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
7. ___________are very crucial for success of RSA algorithm.
(A) Integers.
(B) Prime numbers.
(C) Negative number.
(D) Fraction

8. RSA used for digital signature. (True or False) ------------------------------------ --------------------

9. On which of the following does RSA cryptography rely on?

(A) The difficulty in calculating the factors of a large prime number.
(B) The difficulty in calculating the prime factors of a large composite number.
(C) The difficulty in calculating the composite factors of a large composite number.
(D) The difficulty in calculating the inverse of a large number

------------------------------------------------------------------------------------------------------------
10. Differentiate between Asymmetric Key Cryptography and Symmetric Key Cryptography?

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No.3
Aim: Write a program to study & implement Diffie-Hellman key exchange asymmetric key
cryptographic algorithm

Objectives: From this experiment, the student will be able to

 Understand Diffie-Hellman key exchange algorithm

Outcomes: The learner will be able to

 Send and receive important data trough insure network.

Software Required: C / C++ / JAVA

Theory:
Diffie-Hellman key exchange (D-H) is a specific method of exchanging keys. It is one of
the earliest practical examples of Key exchange implemented within the field of cryptography.
The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of
each other to jointly establish a shared secret key over an insecure communications channel. This
key can then be used to encrypt subsequent communications using a symmetric key cipher. It is a
type of key exchange.
Diffie-Hellman establishes a shared secret that can be used for secret communications by
exchanging data over a public network. Here is an explanation which includes the encryption's
mathematics:

Figure 1: Diffie-Hellman key exchange

 The simplest, and original, implementation of the protocol uses the multiplicative group
of integers modulo p, where p is prime and g is primitive root mod p. Here's a more general
description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is
usually done long before the rest of the protocol; g is assumed to be known by all
attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g ͣ to Bob.
3. Bob picks a random natural number b and sends g ᵇ to Alice.
4. Alice computes (g ᵇ) ͣ.
5. Bob computes (g ͣ) ᵇ.
Both Alice and Bob are now in possession of the group element gab, which can serve as
the shared secret key. The values of (g ᵇ) ͣ and (g ͣ) ᵇ are the same because groups are power
associative.

Algorithm:
1. Start
2. Alice and Bob are two users wants to communicate and agree on two large prime
numbers p & g. such that, g is primitive mod p.
3. Alice chooses a random large integer a and sends Bob 'A' where,
A = g ͣ mod n
4. Bob chooses a random large integer b and sends Alice 'B' where,
B = g ᵇ mod n
5. Alice computes: K1 = B ͣ mod n
6. Bob computes: K2 = A ᵇ mod n
Both K1 & K2 are equal to K = g ͣ ᵇ mod n
i.e. K=K1=K2
7. End.

Conclusion:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Result:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Industrial Application:
The Diffie-Hellman protocol has been applied to many security protocols including
-The Security Sockets Layer (SSL),
-Secure shell (SSH),
and IP Sec.

Questions:

1. Primitive root of prime number is?

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
2. Diffie -Hellman is key exchange algorithm or not?
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
3. Security measures for Diffie-Hellman key exchange algorithm.
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
4. Diffie -Hellman is key exchange algorithm vulnerable to which type of attack?
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
5. Prove that 3 is primitive root of 5.
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
6. Advantages of Diffie-Hellman algorithm over man in the middle attack
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
7. Feature of Public key certificate?
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
8. How the keys are generated in man in the middle attack?
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

9. How the public keys are generated in Diffie -Hellman is key exchange algorithm
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
10. What is the formula for Key generation at both sides?
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 4
Aim: Write a program to study & implement Data Encryption Standard symmetric key
cryptographic algorithm

Objectives: From this experiment, the student will be able to

 Analyse the data encryption standard algorithm.

Outcomes: The learner will be able to

 Assess the strength and weaknesses of data encryption standard algorithm.

Software Required: C / C++ / JAVA

Theory:

Data Encryption Standard (DES)

DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the
effective key strength is only 56 bits, as explained below). It takes a 64-bit block of plaintext as
input and outputs a 64-bit block of cipher text. Since it always operates on blocks of equal size
and it uses both permutations and substitutions in the algorithm, DES is both a block cipher and a
product cipher.
DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the
cipher text. It has been found that the number of rounds is exponentially proportional to the
amount of time required to find a key using a brute-force attack. So as the number of rounds
increases, the security of the algorithm increases exponentially.
 Figure 1. General depiction of DES encryption algorithm

Key Scheduling
Although the input key for DES is 64 bits long, the actual key used by DES is only 56
bits in length. The least significant (right-most) bit in each byte is a parity bit, and should be set
so that there are always an odd number of 1s in every byte. These parity bits are ignored, so only
the seven most significant bits of each byte are used, resulting in a key length of 56 bits.
 Figure 2. Key Scheduling
The first step is to pass the 64-bit key through a permutation called Permuted Choice 1,
or PC-1 for short. The table for this is given below. Note that in all subsequent descriptions of bit
numbers, 1 is the left-most bit in the number, and n is the rightmost bit.
PC-1: Permuted Choice 1
Bit 0 1 2 3 4 5 6
1 57 49 41 33 25 17 9
8 1 58 50 42 34 26 18
15 10 2 59 51 43 35 27
22 19 11 3 60 52 44 36
29 63 55 47 39 31 23 15
36 7 62 54 46 38 30 22
43 14 62 54 46 38 30 22
For example, we can use the PC-1 table to figure out how bit 30 of the original 64-bit key
transforms to a bit in the new 56-bit key. Find the number 30 in the table, and notice that it
belongs to the column labeled 5 and the row labeled 36. Add up the value of the row and column
to find the new position of the bit within the key. For bit 30, 36 + 5 = 41, so bit 30 becomes bit
41 of the new 56-bit key. Note that bits 8, 16, 24, 32, 40, 48, 56 and 64 of the original key are not
in the table. These are the unused parity bits that are discarded when the final 56-bit key is
created.
Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit sub keys,
called K [1]-K [16], which is used in the 16 rounds of DES for encryption and decryption. The
procedure for generating the sub keys - known as key scheduling - is fairly simple:
1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half)
and R (the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left
by the same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round
number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 sub keys K[1]-
K[16].
Here are the tables involved in these operations:
Subkey Rotation Table
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number
Number 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
of bits to
rotate

PC-2: Permuted Choice 2

Bit 0 1 2 3 4 5
1 14 17 11 24 1 5
7 3 28 15 6 21 10
13 23 19 12 4 26 8
19 16 7 27 20 13 2
25 41 52 31 37 47 55
31 30 40 51 45 33 48
37 44 49 39 56 34 53
43 46 42 50 36 29 32
Algorithm:

Conclusion:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Result:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Industrial Application:
DES method is used to store sensitive information or transmit information across insecure
networks so that it cannot be read by anyone except the intended recipient.

Questions:
1. Enlist modes of operation are there in in DES and AES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
2. Which mode of operation in DES is used for operating short data?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

3. Describe 3DES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. Data Encryption Standard (DES), was designed by
a) Intel b)IBM c)HP d)Sony
------------------------------------------------------------------------------------------------------------
5. Explain AES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
6. Justify subkey in DES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
7. Tell what is preoutput in DES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

8. Analyze avalanche effect?

------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. Differentiate between AES and DES?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
10. State and explain symmetric key cryptography?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 5

Aim: Demonstrating the vulnerability, attacks & defense mechanism for program security using
working of virus.
Objectives: From this experiment, the student will be able to
 Analyse the vulnerability, attacks for program.
 Study working of virus.

Outcomes: The learner will be able to

 Understand the working of virus.

Software Required: C / C++ / JAVA

Theory:
How Computer Viruses Work?
Computer viruses tend to grab our attention. On the one hand, viruses show us how
vulnerable we are. A properly engineered virus can have an amazing effect on the worldwide
Internet. On the other hand, they show how sophisticated and interconnected human beings have
become. For example, experts estimate that the Mydoom worm infected approximately a quarter-
million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so
powerful that it forced Microsoft and a number of other very large companies to completely turn
off their e-mail systems until the virus could be contained. The
ILOVEYOU virus in 2000 had a similarly devastating effect. That's pretty impressive when you
consider that the Melissa and ILOVEYOU viruses are incredibly simple.
In this article, we will discuss viruses -- both "traditional" viruses and the newer e-mail
viruses -- so that you can learn how they work and also understand how to protect yourself.
Viruses in general are on the wane, but occasionally a person finds a new way to create one, and
that's when they make the news. When you listen to the news, you hear about many different
forms of electronic infection.

The most common are:

 Viruses - A virus is a small piece of software that piggybacks on real programs. For
example, a virus might attach itself to a program such as a spreadsheet program. Each
 time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce
(by attaching to other programs) or wreak havoc.
 E-mail viruses - e-mail virus moves around in e-mail messages, and usually replicates
itself by automatically mailing itself to dozens of people in the victim's email address
book.
 Worms - A worm is a small piece of software that uses computer networks and security
holes to replicate itself. A copy of the worm scans the network for another machine that
has a specific security hole. It copies itself to the new machine using the security hole,
and then starts replicating from there, as well.
 Trojan horses - A Trojan horse is simply a computer program. The program claims to do
one thing (it may claim to be a game) but instead does damage when you run it (it may
erase your hard disk). Trojan horses have no way to replicate automatically.

Conclusion:
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Result:
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Questions:
1. Enlist specific security mechanisms?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
2. What is confidentiality?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
3. What is passive attack?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. What is active attack?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
5. What is integrity?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
6. What are the different types of viruses?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
7. What is antivirus? Explain.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
8. Explain Trojan horse virus?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. What is vulnerability?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
10. What is a computer worm?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 6
Aim: Write a program to study & demonstrate message authentication using Digital Signature
algorithm
Objectives: From this experiment, the student will be able to
 Analyse the data, identify the problem and choose relevant algorithm to apply
 Understand and implement classical association mining algorithms
 Identify the application of association mining algorithms
Outcomes: The learner will be able to

 Assess the strength and weaknesses of algorithms

 Identify, formulate and solve engineering problems
 Analyse the local and global impact of data mining on individuals, organizations
and society

Software Required: C / C++ / JAVA

Theory:
A Digital Signature is a protocol that produces the same effect as a real signature: It is a
mark that only the sender can make, nut other people can easily recognize as belonging to the
sender.
Just like a real signature, a digital signature is used to confirm agreement to a message.
Properties:
 A digital signature must meet two primary conditions:
 It must be unforgeable. If person P signs message M with signature S(P,M), it is
impossible for anyone else to produce the pair [M, S(P,M)].
 It must be authentic. If a person R receives the pair [M, S(P,M)] purportedly from P, R
can check that the signature is really from P. Only P could have created this signature,
and the signature is firmly attached to M.
Algorithm:
1. Start.
2. Accept two prime numbers p and q.
3. Calculate value for phi function and n as
Phi=(p-1)*(q-1)
n=p*q
4. Accept encryption key e.
5. Calculate public key and private key.
6. Accept message to be encrypted.
7. Accept hash function
8. Calculate and display Message Digest and Digital Signature.
9. If message digest and digital signature are equivalent then accept signature o
otherwise reject it.
10. Stop.

Conclusion:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
Result:

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Industrial Application:
In e-government, electronic documents and their exchange are the core of any application.
Therefore, our work focuses on the standards for semantic information structuring; separation of
content and layout ,meta-information and standardisation for the reuse of information, standards
for the electronic exchange of documents which are used by several applications, embedding
digital signatures in the document structures.

Questions:

1. A digital signature is ________________________

a) scanned signature b) signature in binary form
b) encrypting information d) handwritten signature

2. A digital signature needs a __________________________

a) private-key system b)shared-key system
c) public-key system d)All of them
3. What is Digital Signature?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. Write the steps followed in creating Digital Signature.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
5. What is Digital Certificate?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
6. Differentiate between Digital Signature and Digital Certificate.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
7. What is Electronic Signature?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
8. What are the various applications of Electronic Signature?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. What are the various applications of Digital Signature?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
10. What is Hashing?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 7
Aim: Write a program to study and Simulate Denial of Service attack such as, the Ping of Death

Objectives: From this experiment, the student will be able to

 Analyse the Denial of Service attack.

Outcomes: The learner will be able to

 Assess the strength and weaknesses of Denial of Service Attack.

Software Required: C / C++ / JAVA

Theory:
A Denial of Service (DoS) attack is an attack for preventing legitimate users from using a
specific resource such as web services, network or a host. The hacker intentionally blocks the
availability of the resource to its authorized users. DoS attack using UDP flooding is a technique
that executes the attack sing the UDP packets. During the year 1998-2000 security specialist
discovered vulnerabilities in many of the Systems including Microsoft products. Vulnerabilities
were discovered in ACE/Server in its port 5000 against Fraggle attack. Cisco has also discovered
vulnerabilities of its IOS software in routers against diagnostic port where attacker used two
ports namely diagnostics ports and chargen port as attacking media to attack using UDP
Flooding. Although DoS attacks are not new, there is still a significant risk of such attacks as the
new technique of DoS attacks is being invented by the hackers. This paper discusses existing
taxonomies for understanding different DoS attacks, techniques and tools, and countermeasures.
This paper also discusses the setup and installation techniques of DoS attacking tools.
Motivation of DoS Attack:
The motivation for DoS attacks is not to break into a system but to make the target
system deny the legitimate user giving service. This will typically happen through one of the
following ways:
 Crashing the target host system.
 Disabling communication between systems.
 Make the network or the system down or have it operate at a lower speed to
reduce productivity.
  Freeze the system, so that there is no automatic reboot, so that, production is
disrupted.
Depending on the type of DoS attacks planned, the hacker first needs to find a
sufficiently large number of vulnerable computers to use for attacking. This process can be
achieved manually or automatically. Nowadays, hackers use scripts or scanning tools that
automate the entire process for finding vulnerable computers to take over. Next, the hacker
establishes a communication channels between computers, so that they can be controlled and
engaged in a coordinated manner.
DoS Attack Classes:
The main classes of DoS attacks are:
(i) Bandwidth Depletion attack
(ii) Resource Depletion attack
Bandwidth Depletion attack:
The Bandwidth Depletion attack floods a victim network and thereby prevents
authorized traffic from reaching and getting the service of the targeted victim.
1. Flood Attack
In this kind of attack, the network of the victims system is flooded with a large number of
packets by the attacker to deplete the network bandwidth and thereby making the victim's
systems performance degradation or sometimes system crash. Due to saturation of the network
bandwidth of the victim's system, the legitimate users of the system are prevented from accessing
the system.

Flood attacks are being launched either with

UDP or ICMP packets. In a UDP Flood
attack, numerous amounts of UDP packets
are sent to either random or specified ports
on the victim system. In order to
determine the requested processes the
incoming data. In case of absence of the
requested application on the requested port, the victim system sends a "Destination unreachable"
message to the sender (attacker). In order to hide the identity of the attacker, the attacker often
spoofs the source IP address of the attacking packets. UDP flood attacks may also depletes the
bandwidth of network application, the victim system around the victim's system. Thereby, the
systems around the victim are also impacted due to the UDP flooding attack.
Algorithm:
Steps to perform DOS:
SYN Flood:
1. Download the software called LOIC (Low Orbit Ion Cannon) from a website like
www.sourceforge.net .
2. Run the Application.
3. In the Textbox labeled "URL" under the section "Choose your target" input the URL of
the target website and clicks on "lock on" button.

4. The IP address of the website will be displayed.

5. Go to attack options. Under this change the thread count from 10 to 1000 and select
attack method as "TCP".

6. Click on the button Labeled "IMMA CHARGIN MAH LAZER".

7. The attack status shows the number of packets sent.

ICMP FLOOD OR PING OF DEATH ATTACK:

1. Open Command Prompt in windows by going to Start -> All Programs -> Accessories ->
Command Prompt.
2. Type "ping site-ip -l 5120 -n 100000 -w 1".
Here "site-ip" is the IP Address of Target, You can also use site-name like "www.google.com"
instead of site-ip."5120" is the size of packet sent to the target Which is 5 KB in example.
"100000" is the no of requests sent to the Target. "- w 1" is the waiting time after each request
which is 1 sec in example. You can change these parameters according to your need, but Don't
omit these.
Conclusion:

------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Result:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

Questions:
1. What is DOS attack?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
2. Which attacks make computer systems inaccessible by flooding servers, networks, or even end
user systems with useless traffic so that legitimate users can no longer gain access to those
resources?
a. Blacklisting attacks b. PWC
c. DDoS d. Flooding attacks e. Spoofing attacks
------------------------------------------------------------------------------------------------------------
3. The attackers a network of compromised devices known as
a) Internet b) Botnet c) Telnet d) D-net
-----------------------------------------------------------------------------------------------------------
4. Which of the following is a form of DoS attack ?
 a) Vulnerability attack b) Bandwidth flooding
c) Connection flooding d) All of the mentioned
------------------------------------------------------------------------------------------------------------
5. The DoS attack is which the attacker establishes a large number of half-open or fully open
TCP connections at the target host
a) Vulnerability attackb) Bandwidth flooding
c) Connection flooding d) All of the mentioned
------------------------------------------------------------------------------------------------------------
6. The DoS attack is which the attacker establishes a large number of half-open or fully open
TCP connections at the target
a) Vulnerability attackb) Bandwidth flooding
c) Connection flooding d) All of the mentioned
------------------------------------------------------------------------------------------------------------
7. Packet sniffers involve
a) Active receiver b) Passive receiver
c) Both of the mentioned d) None of the mentioned
------------------------------------------------------------------------------------------------------------
8. Sniffers can be deployed in
a) Wired environment b) WiFi
c) Ethernet LAN d) All of the mentioned
------------------------------------------------------------------------------------------------------------
9. Firewalls are often configured to block
a) UDP traffic b) TCP traffic
c) Both of the mentioned d) None of the mentioned
------------------------------------------------------------------------------------------------------------
10. Give real life examples of DOS attack
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 8
Aim: Write a program to study and implement SQL Injection using SQLmap.

Objectives: From this experiment, the student will be able to

 Learn basics of SQL Injection

Outcomes: The learner will be able to

 Use the techniques to protect the data.

Software Required: C / C++ / JAVA

Theory:
SQL Injection (SQLi)
SQL injection (SQLi) refers to an injection attack wherein an attacker can execute
malicious SQL statements (also commonly referred to as a malicious payload) that control a web
application's database server (also commonly referred to as a Relational Database Management
System - RDBMS). Since an SQL injection vulnerability could possibly affect any website or
web application that makes use of an SQL-based database, the vulnerability is one of the oldest,
most prevalent and most dangerous of web application vulnerabilities.
By leveraging SQL injection vulnerability, given the right circumstances, an attacker can
use it to bypass a web application's authentication and authorization mechanisms and retrieve the
contents of an entire database. SQL injection can also be used to add, modify and delete records
in a database, affecting data integrity.
To such an extent, SQL injection can provide an attacker with unauthorized access to
sensitive data including, customer data, personally identifiable information (PII), trade secrets,
intellectual property and other sensitive information.
How SQL Injection works?
In order to run malicious SQL queries against a database server, an attacker must first
find an input within the web application that is included inside of an SQL query.
In order for an SQL injection attack to take place, the vulnerable website needs to directly
include user input within an SQL statement. An attacker can then insert a payload that will be
included as part of the SQL query and run against the database server.
 The following server-side pseudo-code is used to authenticate users to the web
application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" +
passwd + "'"
# Execute the SQL statement
database.execute(sql)
The above script is a simple example of authenticating a user with a username and a password
against a database with a table named users, and a username and password column.
The above script is vulnerable to SQL injection because an attacker could submit malicious input
in such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL injection payload could be something as simple as setting the
password field to password' OR 1=1.
This would result in the following SQL query being run against the database server.
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
An attacker can also comment out the rest of the SQL statement to control the execution
of the SQL query further.
-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
Once the query executes, the result is returned to the application to be processed,
resulting in an authentication bypass. In the event of authentication bypass being possible, the
applications will most likely log the attacker in with the first account from the query result - the
first account in a database is usually of an administrative user.
Conclusion:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Result:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

Questions:

1. What is SQL injection?

------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
2. What is the anatomy of SQL injection attack?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
3. What are the different ways to avoid SQL injection vulnerabilities?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. SQL injection is an attack in which ________________ code is inserted into strings that
are later passed to an instance of SQL Server.
a) malicious b) redundant
c) clean d) non malicious

5. Which of the stored procedure is used to test SQL injection attack?

a) xp_write b) xp_regwrite
c) xp_reg d) All of the mentioned

------------------------------------------------------------------------------------------------------------
 6. ______________________ is time based SQL injection attack.
a) Quick detection b) Initial Exploitation
c) Blind SQL Injection d) Inline Comments
7. What is SQLmap?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
8. What is DDL command? Example
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. What is DML command? Example
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
10. Define DBMS.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No. 9

Aim: Write a program to study and implement Firewall for securing systems.
Objectives: From this experiment, the student will be able to
 Learn basics of firewall with its importance in computer system.

Outcomes: The learner will be able to

 Use current techniques, skills and tools for mining.

Software Required: C / C++ / JAVA

Theory:

A firewall is a part of a computer system or network that is designed to block

unauthorized access while permitting authorized communications. It is a device or set of devices
that is configured to permit or deny network transmissions based upon a set of rules and other
criteria.
Firewalls can be implemented in either hardware or software, or a combination of both.
Firewalls are frequently used to prevent unauthorized Internet users from accessing private
networks connected to the Internet, especially intranets. All messages entering or leaving the
intranet pass through the firewall, which inspects each message and blocks those that do not meet
the specified security criteria.
This type of packet filtering pays no attention to whether a packet is part of an existing
stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet
based only on information contained in the packet itself (most commonly using a combination of
the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port
number).
There are several types of firewall techniques:
1. Packet filter: Packet filtering inspects each packet passing through the network
and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly
effective and mostly transparent to its users. It is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such
as FTP and Telnet servers. This is very effective, but can impose performance degradation.
 3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can flow between the
hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.

Conclusion:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Result:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

Industrial Application:
A firewall is a barrier or shield that is intended to protect your PC, tablet, or phone from the data-
based malware dangers that exist on the Internet. Data is exchanged between your computer and
servers and routers in cyberspace, and firewalls monitor this data (sent in packets) to check
whether they’re safe or not.

Questions:
1. What is firewall?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
2. What are the different types of firewall?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
3. What can’t a firewall protect against?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. What is network firewall?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
5. What are the critical resources in firewall?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
6. What is the difference between gateway and firewall?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
7. What is packet filtering?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
8. What is IP spoofing and how it can be prevented?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. What is POP3?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
10. What is HTTP?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
 D.O.P. D.O.S. Signature Grade
Experiment No.10

Aim: To implement Email Security using Pretty Good Privacy (PGP) and secure multi-purpose
internet mail extensions (S/MIME)
Objectives: From this experiment, the student will be able to
 Discover patterns from data warehouse
Outcomes: The learner will be able to
 Recognize the need of online analytical processing.
Theory:

Email Security: PGP & S/MIME

In virtually all distributed environments, electronic mail is the most heavily used
network-based application. Users expect to be able to, and do, send e-mail to others who are
connected directly or indirectly to the Internet, regardless of host operating system or
communications suite. With the explosively growing reliance on e-mail, there grows a demand
for authentication and confidentiality services. Two schemes stand out as approaches that enjoy
widespread use: Pretty Good Privacy (PGP) and S/MIME.
PGP (Pretty Good Privacy)
PGP is a remarkable phenomenon. Largely the effort of a single person, Phil
Zimmermann, PGP provides a confidentiality and authentication service that can be used for
electronic mail and file storage applications. In essence, Zimmermann has done the following:
1. Selected the best available cryptographic algorithms as building blocks.
2. Integrated these algorithms into a general-purpose application that is independent
of operating system and processor and that is based on a small set of easy-to-use commands.
3. Made the package and its documentation, including the source code, freely
available via the Internet, bulletin boards, and commercial networks such as AOL (America On
Line).
4. Entered into an agreement with a company (Via crypt, now Network Associates)
to provide a fully compatible, low-cost commercial version of PGP.
 Figure 1. Summary of PGP services

Figure 2. PGP cryptographic functions

S/MIME
Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancement to the
MIME Internet e-mail format standard based on technology from RSA Data Security. Although
both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will
emerge as the industry standard for commercial and organizational use, while PGP will remain
the choice for personal e-mail security for many users. S/MIME is defined in a number of
documents-most importantly RFCs 3370, 3850, 3851, and 3852.
 In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability
to sign and/or encrypt messages. In this subsection, we briefly summarize S/MIME capability.
We then look in more detail at this capability by examining message formats and message
preparation.
S/MIME provides the following functions.
i. Enveloped data: This consists of encrypted content of any type and encrypted
content encryption keys for one or more recipients.
ii. Signed data: A digital signature is formed by taking the message digest of the
content to be signed and then encrypting that with the private key of the signer. The content plus
signature are then encoded using base64 encoding. A signed data message can only be viewed by
a recipient with S/MIME capability.
iii. Clear-signed data: As with signed data, a digital signature of the content is
formed. However, in this case, only the digital signature is encoded usingbase64.As a result,
recipients without S/MIME capability can view the message content, although they cannot verify
the signature.
iv. Signed and enveloped data: Signed-only and encrypted-only entities may be
nested, so that encrypted data may be signed and signed data or clear-signed data may be
encrypted.

Figure 1. Cryptographic Algorithms used in S/MIME

The following rules, in the following order, should be followed by a sending agent.
 i. If the sending agent has a list of preferred decrypting capabilities from an
intended recipient, it SHOULD choose the first (highest preference) capability on the list that it
is capable of using.
ii. If the sending agent has no such list of capabilities from an intended recipient but
has received one or more messages from the recipient, then the outgoing message SHOULD use
the same encryption algorithm as was used on the last signed and encrypted message received
from that intended recipient.
iii. If the sending agent has no knowledge about the decryption capabilities of the
intended recipient and is willing to risk that the recipient may not be able to decrypt the message,
then the sending agent SHOULD use triple DES.
iv. If the sending agent has no knowledge about the decryption capabilities of the
intended recipient and is not willing to risk that the recipient may not be able to decrypt the
message, then the sending agent MUST use RC2/40.
Conclusion:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Result:
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

Industrial Application:
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and
authentication for data communication. PGP is used for signing, encrypting, and decrypting
texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail
communications.

Questions:
1. What is PGP?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------

2. What is S/MIME?
 ------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
3. What are the applications of S/MIME?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
4. Differentiate between PGP and S/MIME.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
5. What are the applications of PGP?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
6. What is the security issues related to PGP?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
7. Explain the backdoor feature in PGP.
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
8. What is key escrow?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
9. S/MIME Provide _________________
a) Digital Signature b) Integrity
b) Encryption d) All of the above
10. List security services provided by S/MIME?
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------