PUBLIC KEY VALIDATION

FOR DNS
SECURITY EXTENSIONS
PRESENTED BY

V.ANJALI REDDY(0671003)
D.KARUNA SRI(0671013)
M.MYTHRI(0671023)
K.RAMA SEETHA(0671033)
S.SPANDANA(0671044)
T.SWARNA LATHA(0671054)
OBJECTIVE
To provide security by
combining the concept of both the
Digital Signature and Asymmetric
(public key) cryptography by sending
the Public key over the Network.
DNS Architecture
 Domain names are chosen from a tree-
structured name space. A domain name is either a leaf
or an interior node of the tree space. Each leaf node
holds a set of resource records. An interior node also
holds a set of resource records, some of which will
provide information about other nodes in the tree.
Servers hold information about the tree structure and
resource records.
 CRYPTOGRAPHIC
TECHNIQUE USED
No key (Digital Signature)

SECURITY
One key (Symmetric Key)

Two key (Asymmetric key)

 DATAFLOW DIAGRAM 1

ENCRYPTD
IP ADDRESS MESSAGE ENCRYPTED

DOMAIN-1 VERIFY IDENTIFY SERVER

SUB DOMAIN ENCRYPTED MESSAGE
MESSAGE
 DATAFLOW DIAGRAM 2

ENCRYPTD
IP ADDRESS MESSAGE ENCRYPTED

VERIFY
SERVER SUB IDENTIFY DOMAIN-2
DOMAIN ENCRYPTED MESSAGE
MESSAGE
 DATA FLOW DIAGRAM 3

ORIGINAL
ENCRYPTION, ORIGINAL
KEY GENERATION,
RECEIVER
SIGNATURE GENERATION,
SENDER
SIGNATURE VERIFICATION, MESSAGE
DECRYPTION
MESSAGE
IMPLEMENTATION
• Authentication
• Message Encryption using Message
Digest Algorithm
• Key Generation using PRNG Algorithm
• Signature Generation
• Verifying Signature and Decrypting
AUTHENTICATION
AUTHENTICATION

ENTER THE USER NAME AND

PASSWORD

VERIFY

LOGIN

SEND MESSAGE OR ATTACHMENT

MESSAGE ENCRYPTION
MESSAGE ENCRYPTION

READ CHARACTER BY
CHARACTER

CONVERT EACH CHARACTER

TO ASCII CODE

CONVERT THE ASCII CODE

TO HEX CODE

ENCRYPTED MESSAGE
 MESSAGE
DIGESION
When the sender clicks the send
button, a message digest is produced
by converting the message to its ASCII
value, which in turn gets converted into
Hex code then calling the digest
method in the security package.
 MESSAGE DIGESTION

1.0

ENCRYPTED ENCRYPTED,
MESSAGE PRODUCE COMPRESSED
DIGEST
SENDER USING MESSAGE.TXT
MESSAGE
DIGEST
ALGORITHM MESSAGE

FIG : DFD FOR MESSAGE ENCRYPTION

The MD5 Message-Digest Algorithm

The algorithm takes as input a

message of arbitrary length and
produces as output a 128-bit or
"message digest" of the input. The MD5
algorithm is intended for digital
signature applications.
Steps involved in MD-5 algorithm

 Append Padding Bits

 Append Length
 Initialize MD Buffer
 Process Message in 16-Word Blocks
 Output
KEY GENERATION
PRNG ALGORITHM

CALL THE METHOD IN

THE CODING

GENERATE TWO RANDOM NUMBERS

(PUBLIC AND PRIVATE KEY)

DISPLAY THE KEYS IN THE

BACK END

GENERATE SIGNATURE
AND SEND
 KEY GENERATION

As soon as the user clicks the

send button key generation also takes
place simultaneously. The key pair
(public and private key) is generated
using the Cryptography PRNG (Pseudo
Random Number Generator) Algorithm.
The keys are stored in separate text
files (Public.txt, Private.txt).
 KEY GENERATION

MESSAGE PUBLIC KEY

KEY GENERATION
USING PUBLIC.TXT,
CRYPTOGRAPHY PRIVATE.TXT
PRNG
PRIVATE KEY

FIG : DFD FOR KEY GENERATION

Random Number Generator

Random Number Generators

(RNGs)used for cryptographic applications
typically produce a sequence of zero and one
bits that may be combined into sub-
sequences or blocks of random numbers.
There are two basic classes:
 deterministic

 nondeterministic

A deterministic RNG consists of an

algorithm that produces a sequence of
bits from an initial value called a seed.
PRNG mechanism

PRNGs work by keeping an internal

state. Typically this is a seed and a key,
which are kept secret. When a consumer
requests random data, a cryptographic
algorithm operates on the seed and the key
to produce pseudo-random output. The
internal state is then updated so that the
next request does not produce the same
data.
Some typical pseudo-code for a PRNG generator might be

 INPUT: (Key, Seed)

 OUTPUT:
random_data, (Key', Seed')
random_data = F(Key, Seed)
Key' = F(Key, Seed+1)
Seed' = F(Key', Seed)
return random_data
SIGNATURE GENERATION

DSA ALGORITHM

PRIVATE KEY + ENCRYPTED

TEXT FILE

GENERATE SIGNATURE

PUBLIC KEY + SIGNATURE

SEND THROUGH THE

NETWORK
 SIGNATURE GENERATION

The encrypted message and the

private key are combined to generate
the Digital Signature using DSA
Algorithm. The generated signature is
stored in a text file (signature.txt). The
encrypted message is send along with
the public key and signature.
 SIGNATURE
GENERATION

ENCRYPTED
MESSAGE.TXT SIGNATURE
GENERATION DIGITAL
MESSAGE
USING SIGNATURE.TXT
DSA
PRIVATE KEY ALGORITHM SIGNATURE

PRIVATE.TXT

FIG DFD FOR SIGNATURE GENERATION

DSA Algorithm
 Choose a prime q with the same number of
bits as the output of H.
 Choose a L-bit prime p such that p–1 is a
multiple of q.
 Choose g such that g = h(p–1)/q(1 < h < p-1)
 Choose x by some random method, where
0 < x < q.
 Calculate y = gx mod p.
Signing

 Generate a random per-message value k where

0<k<q
 Calculate r = (gk mod p) mod q
 Calculate s = (k-1(H(m) + x*r)) mod q
 Recalculate the signature in the unlikely case that
r=0 or s=0
 The signature is (r,s)
 Where H is the hashing function and m is the
message
VERIFYING SIGNATURE
AND DECRYPTING
DESTINATION

PUBLIC KEY ,SIGNATURE

FROM THE SENDER

GENERATE SIGNATURE USING

DSA ALGORITHM
NO MATCH
VERIFY THE SIGNATURE DISCARD
IF MATCHES

DECRYPT THE MESSAGE

OR FILE

REPLY TO THE SOURCE

 In the receiver side, by using
the public key with DSA Algorithm a
signature is generated. The generated
signature is verified with the received
signature. If the signature matches it
decrypts the message or otherwise it
exits without decrypting.
Verifying
 Reject the signature if either 0< r <q or
0< s <q is not satisfied.
 Calculate w = (s)-1 mod q
 Calculate u1 = (H(m)*w) mod q
 Calculate u2 = (r*w) mod q
 Calculate v = ((gu1*yu2) mod p) mod q
OUTPUT
SCREENS
ADVANTAGES
 DNSSEC (short for DNS Security Extensions) adds
security to the Domain Name System.
 • Described in RFC’s 4033, 4034, 4035 & 4310
 • Protects against data spoofing and corruption
 • It is a set of DNS security extensions which
provide:
 – Origin authentication of DNS data
 – Data integrity but not confidentiality
 – authenticated denial of existence
 APPLICATIONS

 E-mail is one of the more popular

applications that use DNS.
 Recently, many protocols in the Internet are
proposing the use of public key cryptography
in support of integrity and authentication
security services.
 The DNS as deployed in the Internet
today meets three of the previously stated criteria

 global availability
 real-time access to public keys
 globally unique and unambiguous names
 LIMITATIONS
 The whole procedure is very time and space
consuming.
 Many rather long public keys have to be stored.
 The keys have to be obtained before they can be
used.
 The calculations to encrypt and decrypt message
digests may take too long to support the goal of
the Domain Name System of efficiency.
FUTURE ENHANCEMENT

A recent protocol includes the specification of

a global infrastructure that could be usedto distribute
and manage public keys for otherprotocols: the
secure Domain Name System (DNS) [9].As of this
writing, it has been submitted forconsideration as a
Proposed Internet Standard. It is anenhancement of
the DNS [5,6,7,8], an existing globalinfrastructure.  
SYSTEM REQUIREMENTS
HARDWARE REQUIREMENTS
 PROCESSOR III AND ABOVE

 20 GB HARD DISK

 256 DDR RAM

SOFTWARE REQUIREMENTS
 JDK 1.5 (SWINGS)
CONCLUSION
The security threats for
DNS was overcome by using public key
validation and it was implemented and
executed successfully