Unit-2:

Network Security
BCA-601: Computer Network Security
 Network Security
• Privacy: Privacy means both the sender and the receiver expects confidentiality. The transmitted
message should be sent only to the intended receiver while the message should be opaque for other
users. Only the sender and receiver should be able to understand the transmitted message as
eavesdroppers can intercept the message. Therefore, there is a requirement to encrypt the message
so that the message cannot be intercepted. This aspect of confidentiality is commonly used to achieve
secure communication.
• Message Integrity: Data integrity means that the data must arrive at the receiver exactly as it was
sent. There must be no changes in the data content during transmission, either maliciously or
accident, in a transit. As there are more and more monetary exchanges over the internet, data
integrity is more crucial. The data integrity must be preserved for secure communication.
• End-point authentication: Authentication means that the receiver is sure of the sender?s identity,
i.e., no imposter has sent the message.
• Non-Repudiation: Non-Repudiation means that the receiver must be able to prove that the received
message has come from a specific sender. The sender must not deny sending a message that he or
she send. The burden of proving the identity comes on the receiver. For example, if a customer sends
a request to transfer the money from one account to another account, then the bank must have a
proof that the customer has requested for the transaction.
Q : What is Authentication applications – Kerberos?

Kerberos was created by MIT as a solution to these

network security problems. The Kerberos protocol uses
strong cryptography so that a client can prove its
identity to a server (and vice versa) across an insecure
network connection. After a client and server has used
Kerberos to prove their identity, they can also encrypt
all of their communications to assure privacy and data
integrity as they go about their business.
 Authentication Applications – Kerberos
• Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by
using secret-key cryptography. A free implementation of this
protocol is available from the Massachusetts Institute of
Technology. Kerberos is available in many commercial products
as well.
• Kerberos is an authentication service designed for use in a
distributed environment.
• Kerberos provides a trusted third-party authentication service
that enables clients and servers to establish authenticated
communication.
 Authentication Applications – Kerberos
• If a set of users is provided with dedicated personal computers that have no network connections,
then a user’s resources and files can be protected by physically securing each personal computer.
When these users instead are served by a centralized timesharing system, the time-sharing operating
system must provide the security. The operating system can enforce access-control policies based on
user identity and use the logon procedure to identify users. Kerberos listed the following
requirements:
• Secure : A network eavesdropper should not be able to obtain the necessary information to
impersonate a user. More generally, Kerberos should be strong enough that a potential opponent
does not find it to be the weak link.
• Reliable : For all services that rely on Kerberos for access control, lack of availability of the Kerberos
service means lack of availability of the supported services. Hence, Kerberos should be highly reliable
and should employ distributed server architecture with one system able to back up another.
• Transparent : Ideally, the user should not be aware that authentication is taking place beyond the
requirement to enter a password.
• Scalable : The system should be capable of supporting large numbers of clients and servers. This
suggests a modular, distributed architecture.
 Authentication Applications – Kerberos
• Kerberos provides a centralized authentication server whose function is to authenticate users to
servers and servers to users. In Kerberos Authentication server and database is used for client
authentication. Kerberos runs as a third-party trusted server known as the Key Distribution Center
(KDC). Each user and service on the network is a principal.

• The main components of Kerberos are:

a) Authentication Server (AS):

The Authentication Server performs the initial authentication and ticket for Ticket Granting Service.

b) Database:
The Authentication Server verifies the access rights of users in the database.

c) Ticket Granting Server (TGS):

The Ticket Granting Server issues the ticket for the Server
Authentication Applications – Kerberos
 Authentication Applications – Kerberos
Step-1:
User login and request services on the host. Thus user requests for ticket-granting service.

Step-2:
Authentication Server verifies user’s access right using database and then gives ticket-granting-ticket and session key. Results
are encrypted using the Password of the user.

Step-3:
The decryption of the message is done using the password then send the ticket to Ticket Granting Server. The Ticket contains
authenticators like user names and network addresses.

Step-4:
Ticket Granting Server decrypts the ticket sent by User and authenticator verifies the request then creates the ticket for
requesting services from the Server.

Step-5:
The user sends the Ticket and Authenticator to the Server.

Step-6:
The server verifies the Ticket and authenticators then generate access to the service. After this User can access the services.
Authentication Applications – Kerberos
 Authentication Applications – Kerberos
Kerberos Limitations
• Each network service must be modified individually for use with
Kerberos
• It doesn’t work well in a timeshare environment
• Secured Kerberos Server
• Requires an always-on Kerberos server
• Stores all passwords are encrypted with a single key
• Assumes workstations are secure
• May result in cascading loss of trust.
• Scalability
 Authentication Applications – Kerberos
What is Kerberos Used For?
• Although Kerberos can be found everywhere in the digital world, it is
commonly used in secure systems that rely on robust authentication
and auditing capabilities. Kerberos is used for Posix, Active Directory,
NFS, and Samba authentication. It is also an alternative
authentication system to SSH, POP, and SMTP.
 X.509 Authentication Service
• X.509 is a digital certificate that is built on top of a widely trusted
standard known as ITU or International Telecommunication Union
standard, in which the format of PKI certificates is defined.

• X.509 digital certificate is a certificate-based authentication security

framework that can be used for providing secure transaction
processing and private information.

• These are primarily used for handling the security and identity in
computer networking and internet-based communications.
 Working of X.509 Authentication Service Certificate:
• The core of the X.509 authentication service is the public key
certificate connected to each user.
• These user certificates are assumed to be produced by some
trusted certification authority and positioned in the directory by the
user or the certified authority.
• These directory servers are only used for providing an effortless
reachable location for all users so that they can acquire certificates.
• X.509 standard is built on an IDL (Interface Definition Language)
known as ASN.1. With the help of Abstract Syntax Notation, the
X.509 certificate format uses an associated public and private key
pair for encrypting and decrypting a message.
 Working of X.509 Authentication Service Certificate:
• Once an X.509 certificate is provided to a user by the certified
authority, that certificate is attached to it like an identity card.

• The chances of someone stealing it or losing it are less, unlike other

unsecured passwords.

• With the help of this analogy, it is easier to imagine how this

authentication works: the certificate is basically presented like an
identity at the resource that requires authentication.
Working of X.509 Authentication Service Certificate:
Working of X.509 Authentication Service Certificate:
Working of X.509 Authentication Service Certificate:
 Elements of X.509 Authentication Service Certificate:
Version number: It defines the X.509 version that concerns the certificate.
Serial number: It is the unique number that the certified authority issues.
Signature Algorithm Identifier: This is the algorithm that is used for signing the
certificate.
Issuer name: Tells about the X.500 name of the certified authority which signed and
created the certificate.
Period of Validity: It defines the period for which the certificate is valid.
Subject Name: Tells about the name of the user to whom this certificate has been
issued.
Subject’s public key information: It defines the subject’s public key along with an
identifier of the algorithm for which this key is supposed to be used.
Extension block: This field contains additional standard information.
Signature: This field contains the hash code of all other fields which is encrypted by
the certified authority private key.
Format of X.509 Authentication Service Certificate:
 Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some of them are
given below:
• Document signing and Digital signature
• Web server security with the help of Transport Layer Security (TLS)/Secure
Sockets Layer (SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
• Digital Identities
 Certificate Revocation
Certificates have a period of validity.
May need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
4. CA’s maintain list of revoked certificates – the Certificate
Revocation List (CRL)
5. Users should check certificates with CA’s CRL
 Authentication Procedures in X.509

X.509 includes three alternative authentication procedures:

• One-Way Authentication (A -> B)
• Two-Way Authentication (A -> B & B->A)
• Three-Way Authentication (A -> B & B->A & A->B)
 Pretty Good Privacy (PGP)
• PGP stands for Pretty Good Privacy (PGP) which is invented by Phil
Zimmermann.
• PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email.
• PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation. PGP uses
a combination of secret key encryption and public key encryption to provide
privacy. Therefore, we can say that the digital signature uses one hash function,
one secret key, and two private-public key pairs.
• PGP is an open source and freely available software package for email security.
• PGP provides authentication through the use of Digital Signature.
• It provides confidentiality through the use of symmetric block encryption.
• It provides compression by using the ZIP algorithm, and EMAIL compatibility
using the radix-64 encoding scheme.
 Pretty Good Privacy (PGP)
Following are the steps taken by PGP to create secure e-mail at the
sender site:
• The e-mail message is hashed by using a hashing function to create
a digest.
• The digest is then encrypted to form a signed digest by using the
sender's private key, and then signed digest is added to the original
email message.
• The original message and signed digest are encrypted by using a
one-time secret key created by the sender.
• The secret key is encrypted by using a receiver's public key.
• Both the encrypted secret key and the encrypted combination of
message and digest are sent together.
PGP at the Sender site (A)
 Pretty Good Privacy (PGP)
Following are the steps taken to show how PGP uses hashing and a
combination of three keys to generate the original message:
• The receiver receives the combination of encrypted secret key and
message digest is received.
• The encrypted secret key is decrypted by using the receiver's private
key to get the one-time secret key.
• The secret key is then used to decrypt the combination of message
and digest.
• The digest is decrypted by using the sender's public key, and the
original message is hashed by using a hash function to create a digest.
• Both the digests are compared if both of them are equal means that
all the aspects of security are preserved.
PGP at the Receiver site (B)
 Steps for Authentication only: PGP Encryption

1. Sender creates message

2. Use sha-1 to generate 160-bit hash of message
3. Signed hash with RSA using sender's private key, and is attached to message
4. Receiver uses RSA with sender's public key to decrypt and recover hash code
5. Receiver verifies received message using hash of it and compares with
decrypted hash code
 Steps for Confidentiality only: PGP Encryption
Sender:
1. Generates message and a random number (session key) only for this message
2. Encrypts message with the session key using AES, 3DES, IDEA or CAST-128
3. Encrypts session key itself with recipient’s public key using RSA
4. Attaches it to message
Receiver:
1. Recovers session key by decrypting using his private key
2. Decrypts message using the session key
Confidentiality service provides no assurance to the receiver as to the identity of
sender
(i.e. no authentication). Only provides confidentiality for sender that only the
recipient can
read the message (and no one else)
Steps for Authentication and Confidentiality both: PGP Encryption

It can use both services on same message

1.Create signature & attach to message
2.Encrypt both message & signature
3.Attach RSA/ELGAMAL encrypted session key
4.Is called authenticated confidentiality
 Disadvantages of PGP Encryption
The Administration is difficult: The different versions of PGP complicate the
administration.
Compatibility issues: Both the sender and the receiver must have compatible versions of
PGP. For example, if you encrypt an email by using PGP with one of the encryption
technique, the receiver has a different version of PGP which cannot read the data.
Complexity: PGP is a complex technique. Other security schemes use symmetric
encryption that uses one key or asymmetric encryption that uses two different keys. PGP
uses a hybrid approach that implements symmetric encryption with two keys.
No Recovery: Computer administrators face the problems of losing their passwords. In
such situations, an administrator should use a special program to retrieve passwords. For
example, a technician has physical access to a PC which can be used to retrieve a
password. However, PGP does not offer such a special program for recovery; encryption
methods are very strong so, it does not retrieve the forgotten passwords results in lost
messages or lost files.
 S/MIME
Secure/Multipurpose Internet Mail Extension (S/MIME):

• S/MIME is a security-enhanced version of Multipurpose Internet Mail

Extension (MIME).
• In this, public key cryptography is used for digital sign, encrypt or decrypt the
email.
• User acquires a public-private key pair with a trusted authority and then
makes appropriate use of those keys with email applications.
 S/MIME
S/MIME provides the following functions:

• Enveloped data: This consists of encrypted content of any type and encrypted-content
encryption keys for one or more recipients.
• Signed data: A digital signature is formed by taking the message digest of the content to be
signed and then encrypting that with the private key of the signer. The content plus
signature are then encoded using base64 encoding. A signed data message can only be
viewed by a recipient with S/MIME capability.
• Clear-signed data: As with signed data, a digital signature of the content is formed.
However, in this case, only the digital signature is encoded using base64. As a result,
recipients without S/MIME capability can view the message content, although they cannot
verify the signature.
• Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so
that encrypted data may be signed and signed data or clear-signed data may be encrypted.
 S/MIME
Pre-requisites for S/MIME:

• S/MIME has to be enabled

by both the sender and
recipient.
• You need to have a valid
S/MIME certificate. This
certificate would include a
public key and private key
mapped to your email
address.
 S/MIME
Pre-requisites for S/MIME:

• The sender and the receiver

have to exchange their
public key with each other.
This process happens
automatically when the
sender and recipient
exchange emails for the first
time.
 S/MIME
Email Encryption

• Why is it needed? S/MIME encrypts the content of an email when it is

transported from the sender to the receiver. Encrypting your message
ensures the following:
• Message Privacy - Encrypted emails are readable only by the intended
recipient. This keeps your emails protected when an unauthorized person
tries to read your emails. Any content or document that is part of the email is
kept confidential between the sender and receiver.
• Message Integrity - The decryption process of the message involves verifying
the contents of the encrypted message. A change in the content of the
message would ensure the failure of the decryption process thus making it
possible to verify its integrity.
 S/MIME
How does it work?
The process starts with the sender and receiver possessing each other's public key. The steps
in Email encryption is as follows:
Encryption process.
1. Once the sender clicks on Send, the original unencrypted message is captured.
2. The recipient's public key is used to encrypt the original message. At the end of
the process, an encrypted version of the original message is produced.
3. The encryption message replaces the original message.
4. The email is sent to the recipient.
 S/MIME
Decryption process
1. The recipient receives the email.
2. The encrypted message is retrieved.
3. The recipient's private key is used to decrypt the encrypted message.
4. The original message is obtained and displayed to the recipient.
 S/MIME
Digital Signature
Why is it needed?
S/MIME digitally signs emails in order to validate the sender. Digital Signature provides the
following advantages:
1. Sender Validation - Digital signatures are unique to each user. Thus, it allows the recipient
to verify if the email is actually sent by the person who it appears from. This eliminates
the risk of anyone spoofing of your email address.
2. Nonrepudiation - The uniqueness of the digital signature ensures that the author of the
email will not be able to deny ownership of the emails. Claims of impersonation can easily
be refuted.

How does it work?

The process starts with the sender and receiver possessing each other's public
key. Digital signing of an email works as follows:
 S/MIME
Digital Signature
Digital signing process

Once the sender clicks on Send, the original message is captured.

1.The message hash is calculated.
2.The sender's private key is used to encrypt the hash value.
3.The encrypted hash value is added to the email.
4.The email is sent to the recipient.
 S/MIME
Digital Signature
Signature verification process
1.The recipient receives the digitally signed email.
2.The original message is obtained and its hash value is calculated.
3.The encrypted hash is retrieved from the email.
4.The encrypted hash is decrypted using the sender's public key.
5.The decrypted hash and the hash value calculated from the original
message obtained are compared. If the values match, the signature
is verified.
 S/MIME

Digital Signature
Signature
verification
process
 Difference between PGP and S/MIME :
S.NO PGP S/MIME
While it is designed to process email as well as many
1. It is designed for processing the plain texts
multimedia files.
2. PGP is less costly as compared to S/MIME. While S/MIME is comparatively expensive.
3. PGP is good for personal as well as office use. While it is good for industrial use.
4. PGP is less efficient than S/MIME. While it is more efficient than PGP.
Whereas it relies on a hierarchically valid certificate for key
5. It depends on user key exchange.
exchange.
While it is more convenient than PGP due to the secure
6. PGP is comparatively less convenient.
transformation of all the applications.
7. PGP contains 4096 public keys. While it contains only 1024 public keys.
While it is also the standard for strong encryption but has
8. PGP is the standard for strong encryption.
some drawbacks.
9. PGP is also be used in VPNs. While it is not used in VPNs, it is only used in email services.
10. PGP uses Diffie hellman digital signature. While it uses Elgamal digital signature.