
Cryptography and Network Security

Unit - 4

Key Management and Distribution


Topics
Key Management and Distribution:
Symmetric Key Distribution
Diffie-Hellman Key Exchange
Public Key Distribution
X.509 Certificates
Public Key Infrastructure
Authentication Applications
Kerberos
Electronic Mail Security
Pretty Good Privacy (PGP)
S/MIME
Key Management
Key Management refers to the collection of processes used for the
generation, storage, installation, transcription, recoding, change,
disposition, and control of keys that are used in cryptography.
It can be defined as managing cryptographic keys within a
cryptosystem.
A key management system also contains key servers, user processes
and protocols, including cryptographic protocol design.
The functions of key management are:
Generation: This process involves the selection of a key that is used
for encrypting and decrypting messages.
Distribution: This process involves all the efforts made in carrying
the key from the point where it is generated to the point where it is
to be used.
Installation: This process involves getting the key into the storage of
the device or the process that needs to use this key.
Storage: This process involves maintaining the confidentiality of the
stored or installed keys while preserving the integrity of the storage
mechanism.
Change: This process involves ending the use of one key and
starting the use of another key.
Control: This process refers to the ability to exert a directing or
restraining influence over the content and use of the key.
Symmetric Key Cryptography | Asymmetric Key Cryptography
Uses a single key for both encryption and decryption of data. | Uses two different keys: a public key for encryption and a private key for decryption.
Both communicating parties share the same algorithm and the key. | Both communicating parties should have at least one of the matched pair of keys.
The processes of encryption and decryption are very fast. | The encryption and decryption processes are slow.
Key distribution is a big problem. | Key distribution is not a problem.
The size of the encrypted text is the same as or less than the original text. | The size of the encrypted text is more than the size of the original text.
Diffie-Hellman Key Exchange Algorithm
The Diffie-Hellman key exchange algorithm is a cryptographic method
used to secure the exchange of cryptographic keys over a potentially
insecure communication channel.
Diffie-Hellman key exchange is a specific method of exchanging keys
implemented within the field of cryptography.
The Diffie-Hellman key exchange method allows two parties that have
no prior knowledge of each other to jointly establish a shared secret key
over an insecure communications channel.
This key can then be used to encrypt subsequent communication using
a symmetric key cipher.
The symmetric (shared) key in the Diffie-Hellman protocol is K = G^(xy)
mod N.

K is the symmetric key for the session.
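Added worked example (not part of the original slides): the exchange carried out in Python with the parameters of the previous-year question in this unit (common prime 71, primitive root 7, private keys 5 and 12), followed by a run in which the public values are replaced in transit, which is why the exchanged values must be authenticated. It assumes G is the public base, N the public prime modulus, and x, y the two private values; R1, R2, the intermediary value z = 9 and all function names are illustrative.

```python
# Added example: textbook Diffie-Hellman with toy parameters.
# Symbols follow the slide (K = G^(xy) mod N). R1, R2, z and the
# function names are assumptions made for this illustration.

def public_value(G, N, private):
    """Value a party sends in the clear: G^private mod N."""
    return pow(G, private, N)

def shared_key(received, N, private):
    """Key a party derives from the public value it received."""
    return pow(received, private, N)

def exchange(G, N, x, y):
    """Honest run. Returns (R1, R2, key at A, key at B)."""
    R1 = public_value(G, N, x)          # A -> B
    R2 = public_value(G, N, y)          # B -> A
    return R1, R2, shared_key(R2, N, x), shared_key(R1, N, y)

def exchange_with_substitution(G, N, x, y, z):
    """Unauthenticated run in which an intermediary replaces both
    public values with its own G^z mod N. A and B each complete the
    protocol without error, but they no longer share a key."""
    R1 = public_value(G, N, x)
    R2 = public_value(G, N, y)
    Rz = public_value(G, N, z)          # what A and B actually receive
    return {
        "key_at_A": shared_key(Rz, N, x),
        "key_at_B": shared_key(Rz, N, y),
        "intermediary_with_A": shared_key(R1, N, z),
        "intermediary_with_B": shared_key(R2, N, z),
    }

if __name__ == "__main__":
    R1, R2, key_a, key_b = exchange(G=7, N=71, x=5, y=12)
    print("R1 =", R1, "R2 =", R2, "K =", key_a, "(A)", key_b, "(B)")

    result = exchange_with_substitution(G=7, N=71, x=5, y=12, z=9)
    print(result)
    # The endpoints hold different keys, and each of those keys is also
    # known to the intermediary. Plain Diffie-Hellman cannot detect this;
    # binding each public value to an identity (for example with the
    # certificates covered later in this unit) is what prevents it.
    print("A and B agree:", result["key_at_A"] == result["key_at_B"])
```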


Numerical:-
Public Key Distribution
Schemes used for the distribution of public keys are as follows:
Public Announcement
The main focus of public-key encryption is that the public key should be
public.
The main problem is that anyone can forge the key while it is
being transmitted, i.e. forgery.
Public Directory:
The public key is stored in a public directory.
The directory is trusted here, with properties such as participant
registration and allowing participants to access and modify their values at any time.
Contains entries like {name, public-key}.
Each user has to register his or her public key with the directory
authority.
Public-key Authority
It is similar to the directory, but improves security by tightening
control over the distribution of keys from the directory.
In public directory scheme, if the private key of the authority is
stolen, then it may result in loss of data.
It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is
made by the user to obtain any desired public key securely.
Digital Certificate
A digital certificate is a digital file that certifies the identity of an
individual or even a router seeking access to computer-based
information.
It is issued by a Certificate Authority (CA) and serves the same purpose
as a driver’s license or a passport.
Digital Certificates are primarily used in secure communication
protocols like HTTPS, S/MIME, digital signature, etc.
X.509 Certificate
X.509 certificates are digital documents that represent a user,
computer, service, or device.
X.509 is a widely used standard format for digital
certificates.
It defines the structure and data fields that a digital certificate must contain.
X.509 is built on a widely trusted standard from the ITU
(International Telecommunication Union).
The certificates contain the public key of the certificate subject. They
don’t contain the subject’s private key, which must be stored securely.
Format of X.509 Certificate
Version Number: It defines the X.509 version that concerns the
certificate.
Serial Number: It is the unique number that the certificate authority
issues.
Signature Algorithm Identifier: This is the algorithm that is used for
signing the certificate.
Issuer Name: Gives the X.500 name of the certificate authority
which signed and created the certificate.
Period of Validity: It defines the period for which the certificate is valid.
Subject Name: Tells about the name of the user to whom this certificate
has been issued.
Subject’s Public Key Information: It defines the subject’s public key
along with an identifier of the algorithm for which this key is supposed
to be used.
Extension Block: This field contains additional standard information.
Signature: This field contains the hash code of all other fields,
encrypted with the certificate authority's private key.
Role of X.509 Certificates
1. To verify that a public key belongs to the user, computer or service
identity contained within the certificate.
2. To validate the identity of encrypted data.
Revocation of Certificates
When X.509 certificates are issued, they are assigned a validity period
that defines a start and end date and time for the certificate.
Certificates are considered valid if used during the validity period.
A new certificate is issued just before the expiration of the old
certificate.
Each Certificate Authority must maintain a list consisting of all revoked
but not expired certificates issued by that CA.
Each Certificate Revocation List (CRL) posted to the directory is signed
by the issuer and includes the issuer’s name, the date the list was
created, the date the next CRL is scheduled to be issued and an entry
for each revoked certificate.
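Added example (not part of the original slides): a simplified Python model of the status check a relying party performs with the validity period and a CRL as described above. The dictionary field names, the issuer name, the serial numbers and the dates are constructed for illustration, and verification of the issuer's signature on the certificate and on the CRL is assumed to have been done already.

```python
from datetime import datetime, timezone

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data. Field names mirror the slide's description
# of a certificate's validity period and of a CRL's contents.
CERT_A = {"serial": 1001, "issuer": "CN=Example CA",
          "not_before": utc(2024, 1, 1), "not_after": utc(2025, 1, 1)}
CERT_B = {"serial": 1002, "issuer": "CN=Example CA",
          "not_before": utc(2024, 1, 1), "not_after": utc(2025, 1, 1)}
CRL = {"issuer": "CN=Example CA",
       "this_update": utc(2024, 6, 1),   # date the list was created
       "next_update": utc(2024, 6, 8),   # date the next CRL is due
       "revoked": {1001: utc(2024, 5, 20), 1007: utc(2024, 5, 28)}}

def certificate_status(cert, crl, now):
    """Return the certificate's status at time `now`.
    Signature checks are out of scope for this model (assumption)."""
    # 1. Validity period. Expired certificates are not listed on a CRL,
    #    so the dates must be checked before the list is consulted.
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    # 2. The CRL must come from the CA that issued the certificate.
    if crl["issuer"] != cert["issuer"]:
        return "unknown: CRL from a different issuer"
    # 3. A CRL past its next scheduled issue date may be missing recent
    #    revocations, so it cannot be used to say "not revoked".
    if now > crl["next_update"]:
        return "unknown: CRL is stale"
    # 4. One entry per revoked certificate, keyed by serial number.
    if cert["serial"] in crl["revoked"]:
        return "revoked"
    return "valid"

if __name__ == "__main__":
    for when in (utc(2024, 6, 3), utc(2024, 7, 1), utc(2025, 2, 1)):
        print(when.date(), "A:", certificate_status(CERT_A, CRL, when),
              "| B:", certificate_status(CERT_B, CRL, when))
```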
Public Key Infrastructure
Public Key Infrastructure (PKI) provides assurance of public keys.
A PKI is a set of hardware, software, people, policies and procedures
needed to create, manage, store, distribute and revoke PKCs based on
public-key cryptography.
PKI is the governing body behind issuing digital certificates.
It provides the identification of public keys and their distribution.
It helps to protect confidential data and gives unique identities to users
and systems.
The elements of a PKI are:
1. End entity: Used to validate digital signatures and their certification path
from a known public key of a trusted CA.
2. Certificate Authority (CA): Used to issue and revoke public-key
certificates.
3. Registration Authority (RA): It is used to validate the binding between
public key and certificate holder identities.
4. CRL issuer: An optional component that a CA can delegate to publish
CRLs.
5. Repository: It is used to store and make available certificates and
Certificate Revocation Lists (CRLs).
PKI management functions: PKI identifies a number of management
functions that potentially need to be supported by management protocols:

1. Registration
2. Initialization
3. Certification
4. Key-pair recovery
5. Key pair update
6. Revocation request
7. Cross certification
Kerberos
Kerberos is a computer network authentication protocol, which allows
individuals communicating over a non-secure network to prove their
identity to one another in a secure manner.
Initially developed by the Massachusetts Institute of Technology (MIT)
for Project Athena in the late 80s.
Now it is the default authorization technology in Microsoft Windows.
It is also implemented in other operating systems like Apple OS,
FreeBSD, UNIX, and Linux.
Kerberos is primarily aimed at a client-server model and provides mutual
authentication, so that the user and the server each verify the other's
identity.
Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC).
Kerberos protocol messages are protected against eavesdropping and
replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted
third party.
There are four entities involved in the Kerberos protocol:
The client workstation, such as a user.
Authentication Server (AS): Verifies (authenticates) the user during
login.
Ticket Granting Server (TGS): The Ticket Granting Server issues the
ticket for the Server.
Server offering services such as network printing, file sharing or an
application program.
Overview of Kerberos
Step-1: The user logs in and requests services on the host. Thus the user
requests the ticket-granting service.
Step-2: The Authentication Server verifies the user's access rights using its
database and then gives a ticket-granting ticket and a session key. The results
are encrypted using the password of the user.
Step-3: The message is decrypted using the password, and the ticket is then
sent to the Ticket Granting Server. The ticket contains
authenticators like user names and network addresses.
Step-4: The Ticket Granting Server decrypts the ticket sent by the user, the
authenticator verifies the request, and the server then creates the ticket for
requesting services from the Server.
Step-5: The user sends the Ticket and Authenticator to the Server.
Step-6: The server verifies the Ticket and authenticators and then grants
access to the service. After this, the user can access the services.
Kerberos Version 4 | Kerberos Version 5
Launched in the 1980s. | Launched in 1990.
It provides ticket support. | It provides ticket support with extra facilities for forwarding, renewing and postdating tickets.
Works on the Receiver-make-Right encoding system. | Works on the ASN.1 encoding system.
It doesn't support transitive cross-realm authentication. | It supports transitive cross-realm authentication.
It uses DES for encryption. | It can use any encryption technique, as the cipher text is tagged with an encryption identifier.
The ticket lifetime has to be specified in units for a lifetime of 5 minutes. | The ticket lifetime is specified with the freedom of arbitrary time.
Electronic Mail Security
Email security refers to the collective measures used to secure the
access and content of an email account or service.
It involves ensuring the confidentiality, integrity, and availability of
email messages, as well as safeguarding against phishing attacks, spam,
viruses, and other forms of malware.
It allows an individual or organization to protect the overall access to
one or more email addresses/accounts.
SSL/TLS refers to the standard protocol used to secure email
transmission.
TLS provides a way to encrypt a communication channel between two
computers over the internet.
Pretty Good Privacy (PGP)
It was designed by Phil Zimmermann in 1991.
Pretty Good Privacy (PGP) is an encryption algorithm that provides
cryptographic privacy and authentication for data communication.
PGP was designed to provide all four aspects of security, i.e., privacy,
integrity, authentication, and non-repudiation in the sending of email.
PGP uses a combination of public-key and conventional encryption to
provide security for electronic mail messages and data files.
PGP is an open-source, freely available software package for email
security.
PGP provides authentication through the use of Digital Signature.
It provides confidentiality through the use of symmetric block
encryption.
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extension) is a secure version
of MIME.
It is used to support encryption of email messages.
S/MIME is a widely accepted protocol for sending digitally signed and
encrypted messages.
It is based on MIME standard and provides the security services for
email applications: authentication, message integrity and data security.
S/MIME uses public key cryptography to sign and encrypt E-mail.
Every participant has two keys:
A private key, which is kept private.
A public key, which is available to everyone.
Previous Year Questions
2 Marks Questions:
What are the services provided by PGP?
What is a realm?
Compute 3^61 mod 7.

List out services provided by the Digital Signature.


10 Marks Questions:
What is a digital certificate? Give the format of an X.509 certificate
showing the important elements of the certificate. How is an X.509
certificate revoked?
Explain the full service of the Kerberos environment. What are the
principal differences between version 4 and version 5 of Kerberos?
Describe how the Diffie-Hellman algorithm used for key exchange is
vulnerable to a man-in-the-middle attack. Determine the shared secret
key in a Diffie-Hellman scheme with a common prime 71 and
primitive root 7. Given the private keys of the communicating parties
A and B are 5 and 12 respectively.
Explain the sequence of steps involved in the message generation
and reception in Pretty Good Privacy (PGP) with block diagrams.