
CNS – Unit2: Security @ Application layer VVFGC, Tumkur

Unit2: Security at Application layer


Syllabus:
Authentication, Kerberos, X.509 certificate, Directory Authentication Service, Pretty Good Privacy, MIME,
S/MIME, Email: Structure and working of email, Advantages and disadvantages of email.

Introduction:
Restricting access to the devices on a network is an essential step in securing it. Since network devices
comprise communication as well as computing equipment, compromising them can potentially bring down an entire
network and its resources.

An important aspect of network device security is access control and authorization. Many protocols have been
developed to address these two requirements and enhance network security to higher levels. Application layer
security refers to ways of protecting web applications at the application layer.

Examples of application layer attacks include:

1. DDoS: A Distributed Denial-of-Service (DDoS) attack is a cybercrime in which the attacker floods a server
with internet traffic to prevent users from accessing connected online services and sites.
2. HTTP floods: An HTTP flood is a type of DDoS attack in which the attacker sends large numbers of unwanted
HTTP GET or POST requests in order to overwhelm a web server or application.
3. Cross-site scripting: Cross-site scripting (XSS) is an attack in which an attacker injects malicious
executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack
by sending a malicious link to a user and enticing the user to click it.
4. Parameter tampering attacks: A web parameter tampering attack is based on the manipulation of
parameters exchanged between client and server in order to modify application data, such as user
credentials and permissions, or the price and quantity of products.

Authentication:
Authentication is one of the security mechanisms and is the process of verifying a user’s identity. It has two
aspects:
1. General access authentication: This controls whether a particular user has “any” type of access right to
the system he is trying to connect to. Usually, this kind of access is associated with the user having an
“account” with that system.

2. Functional authorization: Authorization is the process by which a server determines whether the client has
permission to use a resource or access a file. Authorization is usually coupled with authentication so that
the server has some concept of who the client is that is requesting access.

Some of the authentication techniques used in network security are

 Message Encryption

 Message Authentication Code(MAC)

 Hash Functions

Prepared By: SATISHA.C, Asst.Prof., Dept. of BCA Page1


Before a connection is established between a client and a server, the client should be authenticated.
Authentication can be achieved by using two protocols or applications: “Kerberos” and “X.509
Certificate”.

Kerberos
Kerberos is an authentication service used in open or unsecured computer networks: it authenticates service
requests between two or more trusted hosts over an untrusted network such as the Internet. Cryptographic
encryption and a trusted third party are used to authenticate client-server applications and verify user identities.

Kerberos is both an authentication protocol and a software suite implementing that protocol. Kerberos uses
symmetric cryptography to authenticate clients to services and vice versa.

Users, computers, and services that use Kerberos rely on the KDC, which provides two functions in a single
process: authentication and ticketing. So-called “KDC tickets” authenticate all parties by verifying the identity of
all nodes – the starting and ending points of logical connections. In doing so, the Kerberos authentication process
uses conventional shared-secret cryptography that prevents transmitted data packets from being read or modified.
This also protects them from eavesdropping and replay attacks.
Working of Kerberos:
To help understand how Kerberos authentication works, we'll break it down into its core components. Here are the
main components involved in a typical Kerberos workflow:

 Client: The client acts “on behalf” of the user and initiates communication when a service request is made.
 Hosting server: This is the server that hosts the service that the user wants to access.
 Authentication Server (AS): The AS performs the desired client authentication. If the authentication is
successful, the AS issues a ticket to the client, the TGT (Ticket Granting Ticket). This ticket assures the
other servers that the client is authenticated.
 Ticket Granting Server (TGS): The TGS is an application server that issues service tickets.
 Key Distribution Center (KDC): The KDC consists of the Authentication Server (AS) and the Ticket
Granting Server (TGS).


 Step 1: The client makes an encrypted request to the authentication server. When the AS receives the
request, it searches the Kerberos database for the password based on the user ID. If the user has entered the
correct password, the AS can decrypt the request.
 Step 2: After verifying the user, the AS issues a Ticket Granting Ticket (TGT), which is sent back to the
client.
 Step 3: The client now sends the TGT to the TGS. Together with the TGT, the client “explains” the reason
for accessing the hosting server. The TGS decrypts the ticket using the secret key shared between the AS
and the TGS.
 Step 4: If the TGT is valid, the TGS issues a service ticket for the client.
 Step 5: The client sends the service ticket to the hosting server. The server decrypts the ticket using the
secret key shared between the server and the TGS.
 Step 6: If the secret keys match, the hosting server allows the client to access the service. The service ticket
determines how long the user is allowed to use the service. Once the access expires, it can be renewed by
going through the entire Kerberos authentication protocol again.
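The six steps above, worked as an added example (this code is not from these notes nor from any Kerberos implementation): a small Python model in which the KDC issues a TGT and a service ticket, each sealed under the key shared with the party that must open it, and the hosting server checks the ticket lifetime and rejects a replayed authenticator. The toy cipher, the lifetime and clock-skew values, the principal names and the password are all assumptions of the example, not Kerberos' real message formats.

```python
"""Simplified model of the six Kerberos steps above. Constructed example:
the toy authenticated encryption (SHA-256 keystream + HMAC-SHA256 tag),
the ticket lifetime and the clock skew are assumptions, not the real
Kerberos ciphers or message formats (RFC 4120)."""
import hashlib, hmac, json, secrets, time

LIFETIME = 8 * 3600      # ticket lifetime in seconds (assumed value)
CLOCK_SKEW = 300         # maximum age of an authenticator timestamp (assumed)

def _stream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || XOR ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first: a wrong key or a modified blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:      # stands in for Kerberos' string2key
    return hashlib.sha256(password.encode()).digest()

def _check(ticket: dict, authenticator: bytes, now: int) -> bytes:
    """Steps 3 and 5: the presenter must prove it holds the ticket's session key."""
    if ticket["expires"] < now:
        raise PermissionError("ticket expired")
    session = bytes.fromhex(ticket["key"])
    auth = unseal(session, authenticator)
    if auth["user"] != ticket["user"] or abs(auth["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return session

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys                 # principal -> key; "krbtgt" is the TGS key

    def as_exchange(self, user: str, preauth: bytes, now: int):          # steps 1-2
        unseal(self.keys[user], preauth)           # opens only with the right password
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "expires": now + LIFETIME})
        return seal(self.keys[user], {"session": session}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):   # steps 3-4
        t = unseal(self.keys["krbtgt"], tgt)       # key shared between AS and TGS
        tgs_session = _check(t, authenticator, now)
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_session,
                                           "expires": now + LIFETIME})
        return seal(tgs_session, {"session": svc_session}), ticket

class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()           # replay cache of authenticators

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:   # steps 5-6
        t = unseal(self.key, ticket)               # key shared between server and TGS
        _check(t, authenticator, now)
        if authenticator in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add(authenticator)
        return t["user"]

def get_service_ticket(kdc: KDC, user: str, password: str, service: str, now: int):
    """Client side of steps 1-4; returns what the client presents in step 5."""
    user_key = string_to_key(password)
    reply, tgt = kdc.as_exchange(user, seal(user_key, {"time": now}), now)
    tgs_session = bytes.fromhex(unseal(user_key, reply)["session"])
    reply, ticket = kdc.tgs_exchange(tgt, seal(tgs_session, {"user": user, "time": now}), service, now)
    svc_session = bytes.fromhex(unseal(tgs_session, reply)["session"])
    return ticket, seal(svc_session, {"user": user, "time": now})

if __name__ == "__main__":
    keys = {"alice": string_to_key("correct horse"), "krbtgt": secrets.token_bytes(32),
            "fileserver": secrets.token_bytes(32)}                   # constructed principals
    kdc, fs = KDC(keys), Service(keys["fileserver"])
    now = int(time.time())
    ticket, auth = get_service_ticket(kdc, "alice", "correct horse", "fileserver", now)
    print(fs.accept(ticket, auth, now))                              # alice
```

A wrong password fails at step 1 (the AS cannot open the pre-authentication blob), an expired ticket fails at step 5, and presenting the same ticket and authenticator twice is caught by the server's replay cache, which is what the notes mean by a stolen ticket being hard to reuse.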

Advantages:

 In Kerberos, clients and services are mutually authenticated.
 Various operating systems support it.
 Tickets in Kerberos have a limited lifetime. If a ticket gets stolen, it is hard to reuse because of the
strong authentication requirements.
 Passwords are never sent over the network unencrypted.
 In Kerberos, secret keys are shared, which is more efficient than sharing public keys.

Disadvantages:

 It is vulnerable to weak or repeated passwords.
 It only provides authentication for services and clients.

X.509 Certificate
An X.509 certificate is a digital certificate that uses the widely accepted international X.509
public key infrastructure (PKI) standard to verify that a public key belongs to the user,
computer or service identity contained within the certificate.

 It is one of the authentication protocols.
 It uses two keys, a public key and a private key, which must form a pair.
 Here the certification authority maintains all public keys.
Certification Authority (CA):

o It is a trusted third party and is responsible for sharing public keys.
o It is not responsible for generating public keys.
o It generates a signature by using the sender’s private key.
o It provides an easy way to access public keys.
CA Process:

o The CA receives data such as the user’s public key and identity; combined, these are called an “unsigned
certificate”.


o A hashing technique is applied to it and a hash code is generated.
o The hash code is encrypted with the Certification Authority’s (CA) private key, producing the encrypted
hash code.
o That encrypted hash code is combined with the user’s data (public key + identity), giving the signed
certificate.
o At verification the hash code is recomputed and compared with the decrypted one; only if both hash codes
match is the data decrypted and the user authenticated.

Parameters / elements in X.509 certificate

X.509 uses two keys: a public key and a private key.

 If the public key is used for encryption, the private key of the same pair is used for decryption.
 The public key is shareable (public access) but the private key is not.
 The public key is maintained by the certification authority.
 Here X stands for data networks.

 Version: It gives the version number of the X.509 certificate. Certificates may have different versions;
there are three versions: 1, 2 and 3.

 Serial Number: Every certificate has a unique number provided by the Certification Authority (CA).

 Algorithm along with parameters: It indicates the algorithm used to generate the signature, either RSA
or DSA.
 Issuer Name: The party that issues this certificate. Generally the certification authority issues the
certificate, which is why the issuer name is the CA name.
 Not before & not after: The period of validity, between the issue date and the expiry date of the
certificate.
 Subject Name: The user or receiver name for whom the certificate is issued.
 Subject’s public key information: It consists of the public key of the user and the identity of the user for
authentication.
 Issuer Unique Identifier: Every issuer has a unique ID. The issuer is the CA.
 Subject Unique Identifier: Every user (subject) likewise has a unique ID.
 Extensions: An optional field; if any extensions are needed they can be placed here.
 Signature: The signature is created by the certificate authority. It consists of the encrypted hash code over
all the remaining fields.
X.509 Certificate Revocation:

When X.509 certificates are issued, they are assigned a validity period that defines a start and end (expiration) date
and time for the certificate. Certificates are considered valid if used during the validity period. If the certificate is
deemed to be no longer trustable prior to its expiration date, it can be revoked by the issuing Certificate Authority
(CA). The process of revoking the certificate is known as certificate revocation. There are a number of reasons why
certificates are revoked. Some common reasons for revocation are:

 Encryption keys of the certificate have been compromised.
 Errors within an issued certificate.
 Change in usage of the certificate.
 Certificate owner is no longer deemed trusted.

Directory Service / Directory Authentication service:


A directory service is a database for storing and maintaining information about users and resources.
Directory Services are often referred to as directories, user stores, Identity Stores, or LDAP Directory, and they
store information such as usernames, passwords, user preferences, information about devices, and more.


Network and system administrators use directory services to
 onboard users,
 manage access privileges and
 monitor and control access to applications and infrastructure resources.

For example, when a user accesses an application, that application will reference the directory service to ensure the
user is legitimate and has the proper privileges to access and use that application.

Directory services are fundamental elements of an Identity Security strategy. Many identity and access
management (IAM) solutions use directory services in conjunction with single sign-on (SSO), multi-factor
authentication (MFA) or identity lifecycle management functionality.

Directory Services Elements


A directory service is usually implemented in software and distributed across multiple servers for scalability,
performance and resiliency.

Enterprise directory services like Microsoft Active Directory provide:

 A schema that describes the various directory objects (e.g., user, server, printer) and their attributes (e.g.,
name, address, telephone number)
 A universal database or catalog containing detailed information about every object in the directory
 An index and query methodology for users, administrators and applications to retrieve information from
the directory
 Replication functionality for disseminating (spreading) directory information across distributed servers
 Peering functionality for federating directory services across different enterprises and namespaces

Note: peering: Peering is a method that allows two networks to connect and exchange traffic directly
without having to pay a third party to carry traffic across the Internet.

LDAP (Lightweight Directory Access Protocol): LDAP is a standard protocol designed to maintain and access
“directory services” within a network. Think of a directory service as a phonebook for different network resources
like files, printers, users, devices, and servers. For example, an organization may store information for all their
printers in a directory.

PGP [Pretty Good Privacy]

o PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann.
o PGP was designed to provide all four aspects of security, i.e., privacy, integrity, authentication, and
non-repudiation in the sending of email.
o PGP uses a digital signature (a combination of hashing and public key encryption) to provide
integrity, authentication, and non-repudiation. PGP uses a combination of secret key encryption
and public key encryption to provide privacy. Therefore, we can say that the digital signature in
PGP uses one hash function, one secret key, and two private-public key pairs.
o PGP is an open source and freely available software package for email security.
o PGP provides authentication through the use of a digital signature.
o It provides confidentiality through the use of symmetric block encryption.
o It provides compression by using the ZIP algorithm, and email compatibility using the radix-64
encoding scheme.

PGP at the Sender site (A)


Following are the steps taken by PGP to create secure e-mail at the sender site:
o The e-mail message is hashed by using a hashing function to create a digest.
o The digest is then encrypted to form a signed digest by using the sender's private key, and then
signed digest is added to the original email message.
o The original message and signed digest are encrypted by using a one-time secret key created by
the sender.
o The secret key is encrypted by using a receiver's public key.
o Both the encrypted secret key and the encrypted combination of message and digest are sent
together.

PGP at the Receiver site (B)


Following are the steps taken to show how PGP uses hashing and a combination of three keys to recover the
original message:
o The receiver receives the combination of the encrypted secret key and the encrypted message and digest.
o The encrypted secret key is decrypted by using the receiver's private key to get the one-time
secret key.
o The secret key is then used to decrypt the combination of message and digest.
o The digest is decrypted by using the sender's public key, and the original message is hashed by
using a hash function to create a digest.
o Both digests are compared; if they are equal, all the aspects of security are preserved.
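The CA process and revocation checks from the X.509 section and the sender (A) / receiver (B) steps of this PGP section, worked together as one added example (this is not code from these notes, nor from any X.509 or PGP implementation). It uses textbook RSA over freshly generated 256-bit primes as a stand-in for the real signature and encryption algorithms; the CA name, subject names, validity times and message are constructed, and the XOR keystream stands in for PGP's one-time symmetric cipher.

```python
"""Toy model of the X.509 CA process and revocation checks, and of the PGP
sender (A) / receiver (B) steps. Constructed example: textbook RSA with no
padding over freshly generated 256-bit primes, SHA-256 digests of a canonical
JSON form, and an XOR keystream in place of PGP's one-time symmetric cipher.
It is not an X.509 (ASN.1) or OpenPGP (RFC 4880) implementation."""
import hashlib, json, secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:   # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1     # exact bit length, odd
        if _is_probable_prime(c):
            return c

def keygen(bits: int = 256):
    """Return (public, private) keys, each an (n, exponent) pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa(key, m: int) -> int:                # one operation serves sign/verify/encrypt/decrypt
    n, exp = key
    return pow(m, exp, n)

def digest(data) -> int:                    # SHA-256 as an integer (< n, so it fits without padding)
    raw = data if isinstance(data, bytes) else json.dumps(data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

class CA:
    """Certification authority: issues signed certificates and keeps a revocation list."""
    def __init__(self, name: str):
        self.name, self.next_serial, self.revoked = name, 1, set()
        self.pub, self._priv = keygen()

    def issue(self, subject: str, subject_pub, not_before: int, not_after: int) -> dict:
        unsigned = {"version": 3, "serial": self.next_serial, "sig_alg": "toy-RSA-SHA256",
                    "issuer": self.name, "not_before": not_before, "not_after": not_after,
                    "subject": subject, "subject_pub": list(subject_pub)}
        self.next_serial += 1                # hash the unsigned certificate, sign with CA private key
        return {**unsigned, "signature": rsa(self._priv, digest(unsigned))}

    def revoke(self, serial: int):
        self.revoked.add(serial)

def verify_cert(cert: dict, ca: CA, now: int):
    """Return the subject's public key if issuer, signature, validity period and CRL all pass."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    if cert["issuer"] != ca.name or rsa(ca.pub, cert["signature"]) != digest(body):
        raise ValueError("bad issuer or signature")
    if not cert["not_before"] <= now <= cert["not_after"]:
        raise ValueError("outside validity period")
    if cert["serial"] in ca.revoked:
        raise ValueError("certificate revoked")
    return tuple(cert["subject_pub"])

def _xor_stream(key: bytes, data: bytes) -> bytes:   # toy one-time-key cipher
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def pgp_send(message: bytes, sender_priv, receiver_pub) -> dict:
    signed_digest = rsa(sender_priv, digest(message))            # hash, sign with sender's private key
    bundle = json.dumps({"msg": message.hex(), "sig": signed_digest}).encode()
    otk = secrets.token_bytes(32)                                 # one-time secret key
    return {"enc_key": rsa(receiver_pub, int.from_bytes(otk, "big")),   # under receiver's public key
            "enc_body": _xor_stream(otk, bundle).hex()}

def pgp_receive(packet: dict, receiver_priv, sender_pub) -> bytes:
    otk = rsa(receiver_priv, packet["enc_key"]).to_bytes(32, "big")
    bundle = json.loads(_xor_stream(otk, bytes.fromhex(packet["enc_body"])))
    message = bytes.fromhex(bundle["msg"])
    if rsa(sender_pub, bundle["sig"]) != digest(message):         # compare the two digests
        raise ValueError("digest mismatch: altered message or wrong sender")
    return message

def demo(now: int = 1_700_000_000) -> bytes:
    """Bob validates Alice's certificate with the CA, then reads her PGP mail."""
    ca = CA("Example CA")                                         # constructed names
    alice_pub, alice_priv = keygen()
    bob_pub, bob_priv = keygen()
    alice_cert = ca.issue("alice", alice_pub, now - 60, now + 86400)
    packet = pgp_send(b"Pay Carol 100", alice_priv, bob_pub)
    return pgp_receive(packet, bob_priv, verify_cert(alice_cert, ca, now))
```

The receiver obtains the sender's public key only through verify_cert, so a certificate that is forged, expired or on the CA's revocation list stops the message being trusted before any digest is compared; a message signed by a different key fails at the digest comparison in pgp_receive.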

S/MIME:
S/MIME is an abbreviation for "Secure/Multipurpose Internet Mail Extension".
It is a security-enhanced variant of MIME: a secure internet email format based on RSA Data Security
technology.
Public key cryptography is used to digitally sign, encrypt, or decrypt the email.
The user obtains a public-private key pair from a trusted authority and then uses those keys appropriately with
email programs.
Note:
MIME is a supplementary protocol which allows “non-ASCII data” (like audio, video etc.) to be sent through email.
In earlier days messages could be sent only in NVT 7-bit ASCII code format; non-ASCII data could not be sent.
That is the reason MIME came into existence. It allows users to exchange different kinds of data files, like
audio, video, images and application programs, on the Internet.

Structure of S/MIME
A MIME email message comprises
 a text message,
 some specific headers, and
 formatted text parts.
Each segment may include
 an ASCII-encoded portion of data and
 the technique for decoding the data at the receiver's end.
MIME headers provide the following information:
 MIME version,
 Content-ID,
 Content-Type,
 Content-Transfer-Encoding, and
 Content-Description.

Features / services provided by S/MIME:


o Authentication: it ensures the receiver can trust that the message came from the original source only.
o Message Integrity: while the message is being transmitted between two systems, it ensures that the
message is not altered.
o Message Privacy: it deals with confidentiality. Encrypted emails are readable only by the authorized
recipient. This keeps your emails protected when an unauthorized person tries to read them. Any
content or document that is part of the email is kept confidential between the sender and receiver.

Working of S/MIME: The process starts with the sender and receiver possessing each other's public key. The steps
in email encryption are as follows:

Encryption process

1. Once the sender clicks on Send, the original unencrypted message is captured.
2. The recipient's public key is used to encrypt the original message. At the end of the process, an encrypted
version of the original message is produced.
3. The encrypted message replaces the original message.
4. The email is sent to the recipient.
Decryption process

The recipient receives the email.

1. The encrypted message is retrieved.
2. The recipient's private key is used to decrypt the encrypted message.
3. The original message is obtained and displayed to the recipient.

Email - Electronic mail


“Email” stands for electronic mail. It is a message distributed by electronic means among computer users in a
network. An email is sent from one user and can be distributed to many. The common protocols used for email
services are IMAP, POP and SMTP. Some of the email service providers are Outlook.com, Gmail, Yahoo Mail,
Inbox.com, Mail.com, AOL Mail and Zoho Mail.

Structure of an email:
There is a standard structure for emails. Email contents are primarily classified into two parts, the header and the
body. We are going to see the contents that come under these two subparts.

The Header:

The email header gives us common details about the message such as the unique identity of the message. The
details of the users of the ‘from’ and ‘to’ ends are also stored here.

The email header consists of the following parts.

1) Subject
2) Sender (From:)
3) Date and time received (On)
4) Reply-to
5) Recipient (To:)
6) Recipient email address

Subject: The subject part is the topic of the message. In most email systems, if the content view of the folders is
set to view each message separately, the subject part will also be visible with the user’s name.

Sender (From:): This field describes the ‘from’ address of the email. This will specify the sender’s email address.

Date and time received (On): This is the date and time the message was received.

Reply-to: This field describes the email address that will become the recipient of the reply to the particular email.

Recipient (To:): This is the first/last name of the email recipient as configured by the sender.
Recipient email address: The email address of the recipient is specified here.
Attachments: Some emails may have files such as text, image, audio, video etc. attached. These files are
specified here.

Body: The actual content is stored in this part. This will be in the format of text. This field could also include
signatures or text generated automatically by the sender’s email system.
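The MIME headers listed under Structure of S/MIME and the header fields described in this section, as an added example (not from these notes): Python's standard email package composes a message with a 7-bit ASCII text body and a base64-encoded binary attachment, then parses it back and reports each part's MIME headers. The addresses, subject and attachment bytes are constructed for the example.

```python
"""Building and reading a MIME email that carries the headers listed in this
unit (MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID,
Content-Description) plus the From/To/Reply-To/Date/Subject header fields.
Constructed example using Python's standard `email` package; every address,
subject and attachment byte is made up."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

def build_message() -> bytes:
    """Compose a two-part message: 7-bit ASCII text plus a binary attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.com"                   # constructed addresses
    msg["To"] = "bob@example.com"
    msg["Reply-To"] = "alice-replies@example.com"
    msg["Date"] = formatdate(localtime=False)
    msg["Subject"] = "Unit 2 notes: MIME structure"
    msg["Message-ID"] = make_msgid(domain="example.com")
    msg.set_content("Text body in NVT 7-bit ASCII.\n")  # becomes text/plain, 7bit
    binary = bytes(range(256))                          # constructed non-ASCII payload
    msg.add_attachment(binary, maintype="application", subtype="octet-stream",
                       filename="blob.bin", cid=make_msgid(domain="example.com"))
    msg.get_payload()[1]["Content-Description"] = "Constructed binary attachment"
    return bytes(msg)

def summarize(raw: bytes) -> dict:
    """Parse a raw message and report the MIME headers of each leaf part."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_content()                    # base64 is decoded for us
        cid, desc = part["Content-ID"], part["Content-Description"]
        parts.append({"type": part.get_content_type(),
                      "cte": str(part["Content-Transfer-Encoding"]),
                      "cid": None if cid is None else str(cid),
                      "description": None if desc is None else str(desc),
                      "decoded_size": len(content)})
    return {"mime_version": str(msg["MIME-Version"]),
            "from": str(msg["From"]), "to": str(msg["To"]),
            "reply_to": str(msg["Reply-To"]), "subject": str(msg["Subject"]),
            "parts": parts}

if __name__ == "__main__":
    raw = build_message()
    print(raw.decode("ascii"))       # the whole message is 7-bit safe on the wire
    print(summarize(raw))
```

The serialized message decodes as pure ASCII even though the attachment contains every byte value, which is exactly the job the notes give MIME: the radix-64/base64 transfer encoding and its Content-Transfer-Encoding header let non-ASCII data cross a 7-bit mail path.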
Components of an Email System

Mail User Agent (MUA): It is the application which is used to write, send, and receive emails.

Mail Transfer Agent (MTA): It handles all the incoming and outgoing mail.

Mail host: It is the server that will deliver and receive mail for a host/network. The mail host will store the emails
in mailboxes.

Domain name system (DNS): It is required for determining where to deliver the email. It is a system that translates
domain names such as youtube.com, google.com, yahoo.com, etc. into internet protocol (IP) addresses like
105.104.204.101.

Simple Mail Transfer Protocol (SMTP): It is perhaps the most important component; it is implemented as a
server application that will process your emails, send them to the correct server and relay messages. It is constantly
running, waiting to send new mail. SMTP will also verify outgoing email to ensure it is from a legitimate active
user account.

Here is a basic example of what it looks like on the outside.

And for the internals, here is a typical example of how an email is processed from sender to receiver.

How E-mail works:

In the above diagram, the sender is using their company account to send an email to someone at a different
company.

Step A: Sender creates and sends an email: The originating sender creates an email in their Mail User Agent
(MUA) and clicks 'Send'. The MUA is the application the originating sender uses to compose and read email,
such as Eudora, Outlook, etc.

Step B: Sender's MDA/MTA routes the email: The sender's MUA transfers the email to a Mail Delivery
Agent (MDA). The MDA/MTA accepts the email, then routes it to local mailboxes or forwards it if it isn't
locally addressed.

Step C: Network Cloud: An MDA forwards the email to an MTA and it enters the first of a series of "network
clouds," labeled as a "Company Network" cloud.

Step D: Email Queue: If the email is addressed to someone at another company, it enters an email queue with
other outgoing email messages. If there is a high volume of mail in the queue—either because there are many
messages or the messages are unusually large, or both—the message will be delayed in the queue until the MTA
processes the messages ahead of it.

Step E: MTA to MTA Transfer: As the email clears the queue, it enters the Internet network cloud, where it
passes through a chain of servers (more than one MTA) within the cloud and is likely to be passed through at least
one firewall before it reaches its destination.

Step F: Firewalls, Spam and Virus Filters: An email encountering a firewall may be tested by spam and virus
filters before it is allowed to pass inside the firewall. If the message contains malware, the file is usually
quarantined and the sender is notified. If the message is identified as spam, it will probably be deleted without
notifying the sender. If the message is safe, it is transferred to the receiver's MTA.

Delivery: The receiver's MTA calls a local MDA to deliver the mail to the correct mailbox, where it will sit until it
is retrieved by the recipient's MUA.

Advantages of Email:
 Reliable: The sender is notified if the message is not delivered.
 Speed: Email is delivered very fast, in a fraction of a second.
 Inexpensive: It is very cheap.
 Waste Reduction: It helps paperless communication and is thus eco-friendly.
Disadvantages:

 Forgery: Anyone who obtains the sender’s password can send a message to anyone as the sender.
 Overload: Because it is cheap, loads and loads of messages keep coming.

************************
