
Man in the middle attack

The Diffie-Hellman key exchange protocol is insecure against a man-in-the-middle attack.


Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows:
(i) Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.
(ii) Alice transmits YA to Bob.
(iii) Darth intercepts YA and transmits YD1 to Bob.
(iv) Darth also calculates K2 = (YA)^XD2 mod q.
(v) Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
(vi) Bob transmits YB to Alice.
(vii) Darth intercepts YB and transmits YD2 to Alice.
(viii) Darth calculates K1 = (YB)^XD1 mod q.
(ix) Alice receives YD2 and calculates K2 = (YD2)^XA mod q.
At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share the secret key K1 and Alice and Darth share the secret key K2.
All future communication between Bob and Alice is compromised in the following way:
(i) Alice sends an encrypted message E(K2, M).
(ii) Darth intercepts the encrypted message and decrypts it to recover M.
(iii) Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message.
In the first case, Darth simply wants to eavesdrop on the communication without altering it.
In the second case, Darth wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants.
This vulnerability can be overcome with the use of digital signatures and public-key
certificates.
Elliptic curve cryptography:
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over finite fields.
One of the main benefits in comparison with non-ECC cryptography is the same level of
security provided by keys of smaller size.
Elliptic curves are applicable for encryption, digital signatures, pseudo-random generators and
other tasks.
They are also used in several integer factorization algorithms that have applications in
cryptography, such as Lenstra elliptic curve factorization.
Elliptic curve cryptography (ECC) is one of the most powerful but least understood types of
cryptography.
An increasing number of websites make extensive use of ECC to secure everything from
customers' HTTPS connections to how they pass data between data centers.
Elliptic Curve Cryptography (ECC) was discovered as an alternative mechanism for
implementing public-key cryptography.
Public-key algorithms create a mechanism for sharing keys among a large number of
participants or entities in a complex information system. Unlike other popular algorithms
such as RSA, ECC is based on discrete logarithms over elliptic curves, which are much more
difficult to attack at equivalent key lengths.
At the time of its discovery, the ECC algorithm was described and placed in the public
domain. What others found was that while it offered greater potential security, it was slow.
Certicom focused its efforts on creating better implementations of the algorithm to improve its
performance. After many years of research, Certicom introduced the first commercial toolkit
to support ECC and make it practical for use in a variety of applications.
For elliptic curve cryptography, an operation over elliptic curves, called addition, is used.
Multiplication is defined by repeated addition.
An elliptic curve is a nonsingular projective algebraic curve over some field k with genus 1
and a specified point O (this will be the "point at infinity").
So long as k does not have characteristic 2 or 3, this will be a smooth plane cubic curve with
the point at infinity, and we can describe the curve as the points satisfying the equation:
y^2 = x^3 + ax + b,
with a and b such that the discriminant
Δ = -16(4a^3 + 27b^2)
is nonzero (which gives the desired nonsingularity).
The group law on an elliptic curve is as follows:
(i) The operation exploited for key selection in elliptic curve cryptography comes from
considering the elliptic curve as an abelian group with points as elements.
(ii) The group law is point addition: to add two points P and Q, we draw the line PQ through
them (or use the tangent line at P to add it to itself), find the third point of intersection R
of that line with the curve, and reflect it over the axis of symmetry of the curve.
(iii) The resulting point, R, will be the sum of P and Q.
(iv) For the purposes of this addition, note that the point at infinity O lies on any line through
a point and its opposite.
The formal properties of the addition law are described below:
The addition law on an elliptic curve C has the following properties (where O = -O is the point at
infinity, and if P = (x0, y0), then -P = (x0, -y0)):
(i) For a point P ∈ C, P + O = P.
(ii) For points P, Q ∈ C, P + Q = Q + P.
(iii) For a point P ∈ C, there is some point -P such that P + (-P) = O.
(iv) For P, Q, R ∈ C, (P + Q) + R = P + (Q + R).
In short, the addition law gives us the group properties that we desire.
Additionally, we will note that the subset of points in this group both of whose coordinates
belong to a given field k, along with the point at infinity, will form a subgroup of the curve
group C.
This will be important, because the curves used in elliptic curve cryptography are defined
over a finite field, and we need that set to be closed under point addition.
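The group law (i) to (iv) and the closure of the finite-field points under addition, as an added example that is not part of the original notes; the curve parameters p = 97, a = 2, b = 3 and the sample points are constructed toy values.

```python
# Added example: chord-and-tangent addition on y^2 = x^3 + ax + b over the prime field F_p.
# The parameters below are constructed toy values, far too small for real use.
p, a, b = 97, 2, 3
O = None  # the point at infinity: the group identity

def discriminant_ok() -> bool:
    """Nonsingularity condition from the text: -16(4a^3 + 27b^2) != 0 in F_p."""
    return (-16 * (4 * a ** 3 + 27 * b ** 2)) % p != 0

def on_curve(P) -> bool:
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def neg(P):
    """-P = (x0, -y0); the opposite of O is O itself."""
    return O if P is O else (P[0], (-P[1]) % p)

def add(P, Q):
    """P + Q: line through P and Q (tangent if P == Q), third intersection, reflect in the x-axis."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # the vertical line through P and -P meets the curve at infinity
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope (pow(x, -1, p) needs Python 3.8+)
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p        # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p                      # reflection of the third intersection
    return (x3, y3)

def mul(k: int, P):
    """kP by repeated addition (double-and-add), the scalar multiplication ECC keys rely on."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def field_points():
    """All points with both coordinates in F_p, plus O: the finite subgroup the text refers to."""
    pts = [O]
    for x in range(p):
        for y in range(p):
            if on_curve((x, y)):
                pts.append((x, y))
    return pts

def closed_under_addition(pts) -> bool:
    """The closure property the last paragraph needs for curves defined over a finite field."""
    S = set(pts)
    return all(add(P, Q) in S for P in pts for Q in pts)
```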

Conventional Encryption vs Public-key Encryption

Conventional Encryption
(1) The same algorithm with the same key is used for encryption and decryption.
(2) The sender and receiver must share the algorithm and the key.
(3) The key must be kept secret.
(4) Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine
the key.
(5) Encryption and decryption are very fast.
(6) Key agreement/exchange is a big problem.
(7) It is mainly used for encryption and decryption (confidentiality); it cannot be used for digital
signatures (integrity and non-repudiation checks).

Public-key Encryption
(1) One algorithm is used for encryption and decryption with a pair of keys, one for encryption
and one for decryption.
(2) The sender and receiver must each have one of the matched pair of keys (not the same
key).
(3) One of the two keys must be kept secret.
(4) Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be
insufficient to determine the key.
(5) Encryption and decryption are slower.
(6) Key agreement/exchange is no problem at all.
(7) It can be used for encryption and decryption (confidentiality) as well as for digital signatures
(integrity and non-repudiation checks).

The RSA algorithm is as follows:
Step 1: Choose two large prime numbers P and Q.
Step 2: Calculate N = P × Q.
Step 3: Select the public key (i.e. the encryption key) E such that it is not a factor of (P-1) and
(Q-1).
Step 4: Select the private key (i.e. the decryption key) D such that the following equation is
true:
(D × E) mod ((P-1) × (Q-1)) = 1
Step 5: For encryption, calculate the ciphertext CT from the plaintext PT as follows:
CT = PT^E mod N
Step 6: Send CT as the ciphertext to the receiver.
Step 7: For decryption, calculate the plaintext PT from the ciphertext CT as follows:
PT = CT^D mod N
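Steps 1 to 7 carried through in code, as an added example that is not part of the original notes; the primes P = 61, Q = 53 and E = 17 are constructed toy values, and the Step 3 condition is checked as coprimality, which is exactly what the inverse in Step 4 requires.

```python
from math import gcd

# Added example: the seven steps with textbook (unpadded) RSA. P and Q are tiny constructed
# primes; real keys use primes of 1024 bits or more together with a padding scheme such as OAEP.

def rsa_keygen(P: int, Q: int, E: int):
    """Steps 1-4: returns the public key (E, N) and the private key (D, N)."""
    N = P * Q                                   # Step 2
    phi = (P - 1) * (Q - 1)
    if not 1 < E < phi or gcd(E, phi) != 1:     # Step 3: E must share no factor with (P-1)(Q-1)
        raise ValueError("E must be coprime to (P-1)(Q-1)")
    D = pow(E, -1, phi)                         # Step 4: (D x E) mod ((P-1)(Q-1)) = 1 (Python 3.8+)
    return (E, N), (D, N)

def rsa_encrypt(PT: int, public_key) -> int:
    """Step 5: CT = PT^E mod N. The plaintext block must be smaller than N."""
    E, N = public_key
    if not 0 <= PT < N:
        raise ValueError("plaintext block must be in [0, N)")
    return pow(PT, E, N)

def rsa_decrypt(CT: int, private_key) -> int:
    """Step 7: PT = CT^D mod N."""
    D, N = private_key
    return pow(CT, D, N)

def roundtrip_ok(PT: int, P: int, Q: int, E: int) -> bool:
    """Steps 1-7 end to end: decrypting the ciphertext must give back the plaintext block."""
    public_key, private_key = rsa_keygen(P, Q, E)
    return rsa_decrypt(rsa_encrypt(PT, public_key), private_key) == PT
```

Textbook RSA as above is deterministic (the same PT always gives the same CT), which is why real systems add randomized padding before Step 5.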
Diffie-Hellman key exchange algorithm:
The first published public-key algorithm appeared in the seminal paper by Diffie.
The purpose of Diffie-Hellman algorithm is to enable two users to securely exchange a key
that can then be used for subsequent encryption of messages.
The algorithm itself is limited to the exchange of secret values.
The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing
discrete logarithms.
The discrete logarithm can be defined in the following way:
(1) A primitive root of a prime number p is one whose powers modulo p generate all the integers
from 1 to p-1.
(2) That is, if a is a primitive root of the prime number p, then the numbers a mod p,
a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in some
permutation.
(3) For any integer b and a primitive root a of the prime number p, we can find a
unique exponent i such that
b = a^i (mod p), where 0 <= i <= (p-1)
(4) The exponent i is referred to as the discrete logarithm of b for the base a, mod p.
Algorithm:
Step 1: There are two publicly known numbers:
(1) A prime number q.
(2) An integer a that is a primitive root of q.
Step 2: Suppose the users A and B wish to exchange a key.
User A selects a random integer XA < q and computes:
YA = a^XA mod q
Similarly, user B independently selects a random integer XB < q and computes:
YB = a^XB mod q
Step 3: Each side keeps the X value private and makes the Y value available publicly to the
other side.
Step 4: User A computes the key as K = (YB)^XA mod q
User B computes the key as K = (YA)^XB mod q
Step 5: These two calculations produce identical results:
K = (YB)^XA mod q
  = (a^XB mod q)^XA mod q
  = (a^XB)^XA mod q        by the rules of modular arithmetic
  = a^(XB × XA) mod q
  = (a^XA)^XB mod q
  = (a^XA mod q)^XB mod q
  = (YA)^XB mod q
The result is that the two sides have exchanged a secret value.
Limitation of the algorithm:
The algorithm can fail if a hacker mounts what is called a man-in-the-middle attack. In that
case, even though the two parties believe they are talking to each other, they are in fact each
communicating with the hacker, who places himself between them and relays the
communication back and forth.
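The exchange of Steps 1 to 5 beside the man-in-the-middle substitution described in steps (i) to (ix) at the top of this page, as an added example that is not part of the original notes; q = 23 and a = 5 are constructed toy parameters.

```python
import secrets

# Added example. The public parameters q (prime) and a (primitive root of q) are constructed
# toy values; real deployments use a q of at least 2048 bits.
q = 23
a = 5

def dh_public(x: int) -> int:
    """Step 2: Y = a^X mod q."""
    return pow(a, x, q)

def dh_shared(y_other: int, x_own: int) -> int:
    """Step 4: K = (Y_other)^X_own mod q."""
    return pow(y_other, x_own, q)

def random_private() -> int:
    """A random integer X with 1 <= X < q, kept secret by its owner (Step 3)."""
    return secrets.randbelow(q - 1) + 1

def honest_exchange(xa: int, xb: int) -> tuple:
    """A and B exchange YA and YB directly; by Step 5 the two keys agree."""
    ya, yb = dh_public(xa), dh_public(xb)
    return dh_shared(yb, xa), dh_shared(ya, xb)

def mitm_exchange(xa: int, xb: int, xd1: int, xd2: int) -> dict:
    """Steps (i)-(ix) of the attack: Darth substitutes YD1 for YA and YD2 for YB in transit.
    Returns the key each party ends up holding; nothing in the protocol lets A or B notice."""
    ya, yb = dh_public(xa), dh_public(xb)
    yd1, yd2 = dh_public(xd1), dh_public(xd2)      # (i)   Darth's two key pairs
    k2_darth = dh_shared(ya, xd2)                   # (iv)  Darth's copy of Alice's key
    k1_bob = dh_shared(yd1, xb)                     # (v)   Bob receives YD1, not YA
    k1_darth = dh_shared(yb, xd1)                   # (viii) Darth's copy of Bob's key
    k2_alice = dh_shared(yd2, xa)                   # (ix)  Alice receives YD2, not YB
    return {"alice": k2_alice, "bob": k1_bob,
            "darth_with_alice": k2_darth, "darth_with_bob": k1_darth}
```

The mismatch between the "alice" and "bob" keys is invisible to both parties, which is the reason the public values need to be authenticated (signatures or certificates) before the result is trusted.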

Hash function:
A cryptographic hash function is a type of security mechanism that produces a hash value,
message digest or checksum value for a specific data object.
Cryptographic hash functions are used in information security to verify the integrity of data,
in authentication control and in other security mechanisms.
A cryptographic hash function is a one-way computational mathematical operation that takes
a stream of data and returns a fixed-size bit string known as the cryptographic hash value. A hash
value is also called a message digest, a digital fingerprint, a digest or a checksum.
This value is unique to the data: any small modification to the file will change it.
Cryptographic hash functions work by generating the checksum value of a data object. If the
data is intentionally or unintentionally modified, the checksum value changes. Thus, a data
object's integrity may be evaluated by comparing and verifying previous and current
checksums.
Hashing functions are one of the most commonly used encryption methods. A hash function
maps a variable-length input into a fixed-length hash value or message digest.
A hash is a special function that performs one-way encryption, meaning that once the
algorithm has been processed, there is no feasible way to take the ciphertext and retrieve the
plaintext that was used to generate it.
The hash code is a function of all bits of the message and provides an error detection
capability.
A change in any bit or bits results in a change of the hash value.
A hash function accepts a variable-size message M as input and produces a fixed-size output,
referred to as a hash code H(M). The hash code is also referred to as a message digest or hash
value.

MD5
The MD5 message digest algorithm is a widely used cryptographic hash function producing a
128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal
number.
The MD5 message digest algorithm was developed by Ronald Rivest at MIT.
Until the last few years, when both brute-force and cryptanalytic concerns have arisen, MD5
was the most widely used secure hash algorithm.
Algorithm:
The algorithm takes as input a message of arbitrary length and produces as output a 128-bit
message digest. The input is processed in 512-bit blocks. The processing consists of the
following steps:
Step 1: Append padding bits:
(i) The message is padded so that its length in bits is congruent to 448 modulo 512 (length =
448 mod 512). That is, the length of the padded message is 64 bits less than an integer
multiple of 512 bits.
(ii) Padding is always added, even if the message is already of the desired length.
For example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits.
(iii) Thus, the number of padding bits is in the range of 1 to 512. The padding consists of a
single 1-bit followed by the necessary number of 0-bits.
Step 2: Append length:
(i) A 64-bit representation of the length in bits of the original message (before the padding) is
appended to the result of step 1 (least significant byte first).
(ii) If the original length is greater than 2^64, then only the low-order 64 bits of the length are
used. Thus, the field contains the length of the original message, modulo 2^64. The outcome of
the first two steps yields a message that is an integer multiple of 512 bits in length.
(iii) The expanded message is represented as the sequence of 512-bit blocks Y0, Y1, ..., Y(L-1),
so that the total length of the expanded message is L × 512 bits. Equivalently, the result is a
multiple of 16 32-bit words. Let M[0 ... N-1] denote the words of the resulting message, with N
an integer multiple of 16. Thus, N = L × 16.
Step 3: Initialize MD buffer:
(i) A 128-bit buffer is used to hold intermediate and final results of the hash function. The
buffer can be represented as four 32-bit registers (A, B, C, D).
(ii) These registers are initialized to the following 32-bit integers (hexadecimal values):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
(iii) These values are stored in little-endian format, that is, with the least significant byte of a
word in the low-address byte position. As 32-bit numbers, the initialization values (in
hexadecimal) appear as follows:
Word A: 01 23 45 67   Word B: 89 AB CD EF   Word C: FE DC BA 98   Word D: 76 54 32 10
Step 4: Process message in 512-bit (16-word) blocks:
(i) The heart of the algorithm is a compression function that consists of four "rounds" of
processing; this module is labeled HMD5.
The four rounds have a similar structure, but each uses a different primitive logical
function, referred to as F, G, H, and I in the specification.
Each round takes as input the current 512-bit block being processed (Yq) and the 128-bit buffer
value ABCD and updates the contents of the buffer.
Each round also makes use of one-fourth of a 64-element table T[1 ... 64], constructed from
the sine function. The ith element of T, denoted T[i], has the value equal to the integer part of
2^32 × abs(sin(i)), where i is in radians.
Step 5: Output:
After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit
message digest.
CV0 = IV
CVq+1 = SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]]])
MD = CVL
Where,
IV - initial value of the ABCD buffer, defined in step 3
Yq - the qth 512-bit block of the message
L - the number of blocks in the message (including padding and length fields)
CVq - chaining variable processed with the qth block of the message
RFx - round function using primitive logic function x
MD - final message digest value
SUM32 - addition modulo 2^32 performed separately on each word of the pair of inputs.
The message digest produced as output is A, B, C, D.
That is, the output begins with the low-order byte of A and ends with the high-order byte of D.
The MD5 algorithm is simple to implement, and provides a fingerprint or message digest of a
message of arbitrary length.
The difficulty of coming up with two messages with the same message digest is on the order
of 2^64 operations.
MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a
nonlinear function; one function is used in each round. Mi denotes a 32-bit block of the
message input, and Ki denotes a 32-bit constant, different for each operation. The remaining
operators in the figure denote a left bit rotation by s places, where s varies for each operation,
and addition modulo 2^32.

Kerberos
1. Kerberos is a computer network authentication protocol, which allows nodes
communicating over a non-secure network to prove their identity to one another in a secure
manner. Its designers aimed primarily at a client server model, and it provides mutual
authentication-both the user and the server verify each other's identity.
2. Kerberos protocol messages are protected against eavesdropping and replay attacks,
Kerberos builds on symmetric key cryptography and requires a trusted third party, and
optionally may use public key cryptography by utilizing asymmetric key cryptography during
certain phases of authentication.
3. In a Kerberos System, there is a designated site on the network, called the Kerberos
server, which performs centralized key management and administrative functions
4. The server maintains a database containing the secret keys of all users, generates
session keys whenever two users wish to communicate securely, and authenticates the
identity of a user who requests certain network services.
5. The Kerberos protocol uses strong cryptography so that a client can prove its identity
to a server (and vice versa) across an insecure network connection. After a client and server
have used Kerberos to prove their identity, they can also encrypt all of their communications to
assure privacy and data integrity as they go about their business.
6. Kerberos is freely available from MIT, under copyright permissions very similar to those
used for the BSD operating system and the X Window System.
7. In summary, Kerberos is a solution to our network security problems. It provides the
tools of authentication and strong cryptography over the network to help us secure our
information systems across our entire enterprise.
8. The process is as follows. As we read through this process, keep in mind that
Kerberos uses conventional (symmetric) encryption rather than public-key (asymmetric)
encryption. In other words, the same key is used at both ends of each exchange:
(1) The client wants to access a service on server A. The client sends the KDC a request for
access to the service on server A. (In some cases, the client has already undergone an
authentication process and received a separate session key for encrypting communication
with the ticket-granting service on the KDC.)
(2) The KDC performs the following steps:
(a) The KDC generates a session key that will be used to encrypt communication between the
client and server A.
(b) The KDC creates a session ticket. The session ticket includes a copy of the session key
generated in step 2(a). The ticket also contains timestamp information and information about
the client that is requesting access, such as client security settings.
(c) The KDC encrypts the session ticket using server A's long-term key.
(d) The KDC bundles the encrypted session ticket, a copy of the session key, and other
response parameters for the client and encrypts the whole package using the client's key. The
response is then sent to the client.
(3) The client receives the response from the KDC and decrypts it. The client obtains the
session key necessary for communicating with server A. Also included in the package is the
session ticket, which is encrypted with the server's long-term key. The client cannot read the
session ticket, but it knows it must send the ticket to the server in order to be authenticated.
The client creates an authenticator (a string of authentication parameters) and encrypts it with
the session key.

The various steps of Kerberos version 4
Step 1: The client sends a message to the AS requesting access to the TGS.
Step 2: The AS responds with a message, encrypted with a key derived from the user's
password (Kc), that contains the ticket.
The encrypted message also contains a copy of the session key, Kc,tgs, where the subscripts
indicate that this is a session key for C and the TGS. Because this session key is inside the
message encrypted with Kc, only the user's client can read it.
Step 3: Armed with the ticket and the session key, C is ready to approach the TGS.
As before, C sends the TGS a message that includes the ticket plus the ID of the requested
service. In addition, C transmits an authenticator, which includes the ID and address of C's user
and a timestamp.
The TGS can decrypt the ticket with the key that it shares with the AS. This ticket indicates
that user C has been provided with the session key Kc,tgs.
The TGS uses the session key to decrypt the authenticator.
The TGS can then check the name and address from the authenticator against those in the ticket
and against the network address of the incoming message.
If all match, then the TGS is assured that the sender of the ticket is indeed the ticket's real
owner.
Step 4: The reply from the TGS in message (4) follows the form of message (2).
The message is encrypted with the session key shared by the TGS and C and includes a
session key to be shared between C and the server V, the ID of V, and the timestamp of the
ticket.
The ticket itself includes the same session key.
Step 5: C now has a reusable service-granting ticket for V.
When C presents this ticket, as shown in message (5), it also sends an authenticator.
The server can decrypt the ticket, recover the session key, and decrypt the authenticator.
Step 6: If mutual authentication is required, the server can reply as shown in message (6).
The server returns the value of the timestamp from the authenticator, incremented by 1, and
encrypted in the session key.
C can decrypt this message to recover the incremented timestamp.
Because the message was encrypted by the session key, C is assured that it could have been
created only by V.
The contents of the message assure C that this is not a replay of an old reply.
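Messages (1) to (6) simulated in one process, as an added example that is not part of the original notes: the cipher is a constructed stand-in for DES (a SHA-256 keystream plus an HMAC tag), and the key values, client name and address are hypothetical; the Step 3 check that ties the authenticator to the ticket and the source address is shown explicitly.

```python
import hashlib
import hmac
import json
import os

# Toy symmetric cipher standing in for DES: SHA-256 keystream XOR plus an HMAC tag, so that
# decryption under the wrong key is detected. Constructed for this example only.
def enc(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(x ^ y for x, y in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(x ^ y for x, y in zip(ct, ks)).decode())

# Long-term keys (hypothetical values): Kc is derived from the user's password, Ktgs is shared
# by the AS and the TGS, and Kv belongs to the application server V.
KC = hashlib.sha256(b"user-password").digest()
KTGS, KV = os.urandom(32), os.urandom(32)
CLIENT = {"id": "C", "addr": "10.0.0.5"}

def authentication_server(request: dict) -> bytes:
    """Messages (1)/(2): returns, encrypted with Kc, the session key Kc,tgs and the ticket for the TGS."""
    k_c_tgs = os.urandom(32)
    ticket_tgs = enc(KTGS, {"key": k_c_tgs.hex(), "id": request["id"], "addr": request["addr"], "ts": request["ts"]})
    return enc(KC, {"key": k_c_tgs.hex(), "ticket": ticket_tgs.hex()})

def ticket_granting_server(ticket_hex: str, auth_blob: bytes, src_addr: str, ts: int) -> bytes:
    """Messages (3)/(4): checks the authenticator against the ticket and the sender's address (Step 3)."""
    ticket = dec(KTGS, bytes.fromhex(ticket_hex))       # only the TGS holds Ktgs
    k_c_tgs = bytes.fromhex(ticket["key"])
    auth = dec(k_c_tgs, auth_blob)                      # fails unless the sender knows Kc,tgs
    if (auth["id"], auth["addr"]) != (ticket["id"], ticket["addr"]) or auth["addr"] != src_addr:
        raise PermissionError("authenticator does not match ticket or source address")
    k_c_v = os.urandom(32)
    ticket_v = enc(KV, {"key": k_c_v.hex(), "id": ticket["id"], "addr": ticket["addr"], "ts": ts})
    return enc(k_c_tgs, {"key": k_c_v.hex(), "ticket": ticket_v.hex(), "server": "V", "ts": ts})

def server_v(ticket_hex: str, auth_blob: bytes) -> bytes:
    """Messages (5)/(6): recovers Kc,v from the ticket and proves it by returning timestamp + 1."""
    ticket = dec(KV, bytes.fromhex(ticket_hex))
    k_c_v = bytes.fromhex(ticket["key"])
    auth = dec(k_c_v, auth_blob)
    return enc(k_c_v, {"ts": auth["ts"] + 1})

def client_session(ts: int = 1700000000) -> bool:
    """Runs Steps 1 to 6 from C's side; True if V proves possession of the session key."""
    reply2 = dec(KC, authentication_server({**CLIENT, "ts": ts}))
    k_c_tgs = bytes.fromhex(reply2["key"])
    auth3 = enc(k_c_tgs, {**CLIENT, "ts": ts})
    reply4 = dec(k_c_tgs, ticket_granting_server(reply2["ticket"], auth3, CLIENT["addr"], ts))
    k_c_v = bytes.fromhex(reply4["key"])
    auth5 = enc(k_c_v, {**CLIENT, "ts": ts + 5})
    reply6 = dec(k_c_v, server_v(reply4["ticket"], auth5))
    return reply6["ts"] == ts + 6

def ticket_without_session_key_is_rejected(ts: int = 1700000000) -> bool:
    """A ticket presented without Kc,tgs is useless: the TGS cannot open the authenticator."""
    reply2 = dec(KC, authentication_server({**CLIENT, "ts": ts}))
    bogus_auth = enc(os.urandom(32), {**CLIENT, "ts": ts})   # made with a key other than Kc,tgs
    try:
        ticket_granting_server(reply2["ticket"], bogus_auth, CLIENT["addr"], ts)
    except ValueError:
        return True
    return False
```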
X.509 certificate
(1) Version: Differentiates among successive versions of the certificate format; the default is
version 1. If the issuer unique identifier or subject unique identifier are present, the value must
be version 2. If one or more extensions are present, the version must be version 3.
(2) Serial number: An integer value unique within the issuing CA that is unambiguously
associated with this certificate.
(3) Signature algorithm identifier: The algorithm used to sign the certificate, together with any
associated parameters. Because this information is repeated in the signature field at the end of
the certificate, this field has little, if any, utility.
(4) Issuer name: The X.500 name of the CA that created and signed this certificate.
(5) Period of validity: Consists of two dates: the first and last on which the certificate is valid.
(6) Subject name: The name of the user to whom this certificate refers. That is, this certificate
certifies the public key of the subject who holds the corresponding private key.
(7) Subject's public-key information: The public key of the subject, plus an identifier of the
algorithm for which this key is to be used, together with any associated parameters.
(8) Issuer unique identifier: An optional bit string field used to identify uniquely the issuing
CA in the event the X.500 name has been reused for different entities.
(9) Subject unique identifier: An optional bit string field used to identify uniquely the subject
in the event the X.500 name has been reused for different entities.
(10) Extensions: A set of one or more extension fields. Extensions were added in version 3 to
provide more flexibility and to convey information needed in special circumstances.
(11) Signature: Covers all of the other fields of the certificate; it contains the hash code of the
other fields encrypted with the CA's private key. This field includes the signature algorithm
identifier.
Certificate revocation:
Each certificate includes a period of validity, much like a credit card. Typically, a new
certificate is issued just before the expiration of the old one.
In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of
the following reasons:
1. The user's private key is assumed to be compromised.
2. The user is no longer certified by this CA. Reasons for this include that the subject's name
has changed, the certificate is superseded, or the certificate was not issued in conformance
with the CA's policies.
3. The CA's certificate is assumed to be compromised.
• Each certificate revocation list (CRL) posted to the directory is signed by the issuer
and includes the issuer's name, the date the list was created, the date the next CRL is
scheduled to be issued, and an entry for each revoked certificate.
• Each entry consists of the serial number of a certificate and the revocation date for that
certificate. Because serial numbers are unique within a CA, the serial number is sufficient to
identify the certificate.
• When a user receives a certificate in a message, the user must determine whether the
certificate has been revoked.
• The user could check the directory each time a certificate is received. To avoid the
delays (and possible costs) associated with directory searches, it is likely that the user would
maintain a local cache of certificates and lists of revoked certificates.
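The revocation check the last two bullets describe, run against a locally cached CRL, as an added example that is not part of the original notes; the certificate, CRL and dates are constructed sample values carrying only the fields named above (not real X.509 encoding), and verification of the CRL's signature is left out.

```python
from datetime import datetime, timezone

# Added example: constructed certificate and CRL with just the fields the text names.
# Serial numbers are unique within a CA, so the serial alone identifies a revoked certificate.
CERT = {"issuer": "CN=Example CA", "serial": 1041,
        "not_before": "2024-01-01", "not_after": "2025-01-01"}
CRL = {"issuer": "CN=Example CA", "this_update": "2024-06-01", "next_update": "2024-07-01",
       "revoked": {1040: "2024-05-20", 1042: "2024-05-28"}}   # serial -> revocation date

def _date(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def certificate_status(cert: dict, crl: dict, now: str) -> str:
    """Validity period first, then the cached CRL; a list past its next_update cannot be relied on."""
    t = _date(now)
    if t < _date(cert["not_before"]):
        return "not yet valid"
    if t > _date(cert["not_after"]):
        return "expired"
    if crl["issuer"] != cert["issuer"]:
        raise ValueError("CRL was issued by a different CA")
    if t > _date(crl["next_update"]):
        return "unknown (stale CRL)"     # fetch a fresh CRL from the directory before deciding
    if cert["serial"] in crl["revoked"]:
        return "revoked"
    return "valid"
```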

PKIX architecture
Public-key infrastructure is defined as the set of hardware, software, people, policies and
procedures needed to create, manage, store, distribute and revoke digital certificates based on
asymmetric cryptography.
These elements are as follows:
• End entity: A generic term used to denote end users, devices (e.g. servers, routers),
or any other entity that can be identified in the subject field of a public key certificate. End
entities typically consume and/or support PKI-related services.
• Certification authority (CA): The issuer of certificates and (usually) certificate
revocation lists (CRLs). It may also support a variety of administrative functions, although
these are often delegated to one or more registration authorities.
• Registration authority (RA): An optional component that can assume a number of
administrative functions from the CA. The RA is often associated with the end entity
registration process but can assist in a number of other areas as well.
• CRL issuer: An optional component that a CA can delegate to publish CRLs.
• Repository: A generic term used to denote any method for storing certificates and
CRLs so that they can be retrieved by end entities.
