Unit- 4

1. Explain Public Key Infrastructure in detail.

ANS: Public Key Infrastructure:

Public key infrastructure or PKI is the governing body behind issuing digital certificates.
It helps to protect confidential data and gives unique identities to users and systems.
Thus, it ensures security in communications.
The public key infrastructure uses a pair of keys: the public key and the private key to
achieve security. The public keys are prone to attacks and thus an intact infrastructure
is needed to maintain them.
Key Management:

There are some important aspects of key management which are as follows −

• Cryptographic keys are nothing but special pieces of data. Key management
refers to the secure administration of cryptographic keys.
• Key management deals with entire key lifecycle as depicted in the following
illustration –
 • There are two specific requirements of key management for public key
cryptography.
o Secrecy of private keys. Throughout the key lifecycle, secret keys must
remain secret from all parties except those who are owner and are
authorized to use them.
o Assurance of public keys. In public key cryptography, the public keys
are in open domain and seen as public pieces of data. By default there
are no assurances of whether a public key is correct, with whom it can
be associated, or what it can be used for. Thus key management of
public keys needs to focus much more explicitly on assurance of
purpose of public keys.

Elements of PKI
A typical PKI includes the following key elements:

1) Certificate authority(CA) :
the CA issues certificate to a client and assist other users to verify the
certificate. The CA takes responsibility for identifying correctly the
identity of the client asking for a certificate to be issued, and ensures
that the information contained within the certificate is correct and
digitally signs it.

Key Functions of CA

The key functions of a CA are as follows −

• Generating key pairs

• Issuing digital certificates
• Publishing Certificates
• Verifying Certificates
•
Classes of Certificates

There are four typical classes of certificate −

 • Class 1 − These certificates can be easily acquired by supplying an email
address.
• Class 2 − These certificates require additional personal information to be
supplied.
• Class 3 − These certificates can only be purchased after checks have been
made about the requestor’s identity.
• Class 4 − They may be used by governments and financial organizations
needing very high levels of trust.

2) Registration Authority (RA)

CA may use a third-party Registration Authority (RA) to perform the necessary

checks on the person or company requesting the certificate to confirm their
identity. The RA may appear to the client as a CA, but they do not actually sign the
certificate that is issued.

3)Certificate Management System (CMS)

It is the management system through which certificates are published,

temporarily or permanently suspended, renewed, or revoked. Certificate
management systems do not normally delete certificates because it may be
necessary to prove their status at a point in time, perhaps for legal reasons. A CA
along with associated RA runs certificate management systems to be able to track
their responsibilities and liabilities.

2. Explain Certificate Life Cycle.

3. What is a Certificate? And explain Certificate Life Cycle.

3. Explain Secure Socket Layer.

ANS:
SSL provides security to the data that is transferred between web
browser and server. SSL encrypts the link between a web server and a browser
which ensures that all data passed between them remain private and free from
attack.
Secure Socket Layer Protocols:
• SSL record protocol
• Handshake protocol
 • Change-cipher spec protocol
• Alert protocol

SSL Protocol Stack:

1) SSL Record Protocol:

SSL Record provides two services to SSL connection.
1. Confidentiality
2. Message Integrity
In the SSL Record Protocol application data is divided into fragments. The
fragment is compressed and then encrypted MAC (Message Authentication
Code) generated by algorithms like SHA (Secure Hash Protocol) and MD5
(Message Digest) is appended. After that encryption of the data is done and
in last SSL header is appended to the data.

2) Handshake Protocol:
• Phase-1: In Phase-1 both Client and Server send hello-packets to
each other. In this IP session, cipher suite and protocol version are
exchanged for security purposes.
• Phase-2: Server sends his certificate and Server-key-exchange. The
server end phase-2 by sending the Server-hello-end packet.
• Phase-3: In this phase, Client replies to the server by sending his
certificate and Client-exchange-key.
• Phase-4: In Phase-4 Change-cipher suite occurs and after this the
Handshake Protocol ends.
 3) Change-cipher Protocol:

Change-cipher protocol consists of a single message which is 1 byte in length and

can have only one value. This protocol’s purpose is to cause the pending state to
be copied into the current state.

4) Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each
message in this protocol contains 2 bytes.

4. What are Trust models? Explain any one Trust model.

ANS:
1) Public and Private Keys
2) Digital Certificates:
3) Certificate Authorities (CAs)
4) Certificate Revocation
5) Certificate Trust Chains
6) Secure Communication

5. Explain Strict Hierarchy Model.

ANS:
The Strict Hierarchy Model in cyber and information security refers to a security
framework that establishes a clear and rigid structure for access control and data
protection within an organization's network or system. This model is characterized by its
hierarchical arrangement of security levels or classifications, where access to information
is strictly controlled based on the sensitivity or importance of the data.
Key features of the Strict Hierarchy Model include:

1. Clear Levels of Classification: Data and resources within the system are
categorized into different security levels based on their sensitivity and
importance to the organization. These levels typically include classifications such
as public, internal use only, confidential, and top-secret.
2. Access Control Policies: Strict access control policies are implemented to govern
the access rights of users or entities within the system. Access permissions are
granted based on the security clearance or authorization level of the user and the
classification level of the data they are trying to access.
3. Need-to-Know Principle: Access to information is restricted to only those
individuals or entities who have a legitimate need to know or access that
information to perform their job duties. This principle helps minimize the risk of
unauthorized access and data breaches.
4. Compartmentalization: Information is compartmentalized based on its
classification level, with higher classified information being segregated and
protected more rigorously than lower classified information. This segregation
helps contain the impact of security breaches and limits the exposure of sensitive
data.
5. Security Clearance Requirements: Users or personnel within the organization
undergo security clearance procedures to determine their level of access to
classified information. This may involve background checks, security training, and
signing confidentiality agreements.
6. Encryption and Data Protection: Data encryption techniques are often
employed to protect sensitive information, especially during transmission and
storage. Encryption helps safeguard data from unauthorized interception or
access, even if the security measures are breached.
7. Auditing and Monitoring: Continuous monitoring and auditing of access
activities are conducted to detect any unauthorized attempts or suspicious
behavior. Logs of access attempts and actions taken are maintained for
accountability and forensic purposes.

8. Explain Pretty Good Privacy.

ANS:
o PGP stands for Pretty Good Privacy (PGP) which is invented by Phil Zimmermann.
o PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email.
 o PGP uses a digital signature (a combination of hashing and public key encryption)
to provide integrity, authentication, and non-repudiation. PGP uses a combination
of secret key encryption and public key encryption to provide privacy. Therefore,
we can say that the digital signature uses one hash function, one secret key, and
two private-public key pairs.
o PGP is an open source and freely available software package for email security.
o PGP provides authentication through the use of Digital Signature.
o It provides confidentiality through the use of symmetric block encryption.
o It provides compression by using the ZIP algorithm, and EMAIL compatibility using
the radix-64 encoding scheme.

Following are the steps taken by PGP to create secure e-mail

at the sender site:
o The e-mail message is hashed by using a hashing function to create a digest.
o The digest is then encrypted to form a signed digest by using the sender's private key, and
then signed digest is added to the original email message.
o The original message and signed digest are encrypted by using a one-time secret key
created by the sender.
o The secret key is encrypted by using a receiver's public key.
o Both the encrypted secret key and the encrypted combination of message and digest are
sent together.

PGP at the Sender site (A)

Following are the steps taken to show how PGP uses hashing
and a combination of three keys to generate the original
message:
o The receiver receives the combination of encrypted secret key and message digest is
received.
o The encrypted secret key is decrypted by using the receiver's private key to get the one-
time secret key.
o The secret key is then used to decrypt the combination of message and digest.
o The digest is decrypted by using the sender's public key, and the original message is
hashed by using a hash function to create a digest.
o Both the digests are compared if both of them are equal means that all the aspects of
security are preserved.

PGP at the Receiver site (B)