Professional Documents
Culture Documents
During the process of data transmission, encryption can be done in two ways.
(i) Link encryption & (II) end-to-end encryption.
(1) Link encryption
This type of encryption is done at Internet layer (IP) of TCP/IP model.
Both header and payload is being encrypted.
This type of encryption is used in circuit switching technology.
This method use less number of keys but introduce more delay.
Link encryption (contd..)
The network contains 20 links, needs 20 different secure keys.
Encrypt data over individual link.
Each link end points shares a secret key.
Decrypt and Encrypt at each device in the path introduces large delay.
Requires all devices to support encryption.
Configuring the keys in small network can be done manually, but not in large
networks.
Symmetric key distribution using symmetric encryption
(2) End-to-End encryption
This is applied in transport layer.
End-to-end encryption is applied in packet switching technology.
This method is widely adopted.
If the number of nodes are n, then n(n-1)/2 number of keys are needed.
The scheme use key distribution center(KDC).
(2) End-to-End encryption (contd…)
Encrypt data at network end points (hosts or applications).
Each pair of host or application share a Secret key.
Does not rely on intermediate network devices.
If, each pair of host share a secret key, need 10x9/2=45 keys.
If, each application share a secret key need 50x49/2=1225 keys.
So, the strength of any cryptographic system rests upon the key distribution technique.
Keys requirement Vs end points
The graph illustrate the magnitude of key distribution task for an end-to-end
encryption.
As, the number of endpoints increase, relatively the number of key
requirement increase.
The key distribution mechanism is taken care by KDC.
Symmetric key distribution using symmetric encryption
KDC is a trusted third party, and is a part of cryptosystem who takes care of
key distribution and management for users.
KDC uses two types of keys called Master key & Session key.
Users can manually or securely, exchange the Master key with KDC.
Users obtain Session key via KDC for communication with other users.
Using that session key data can be exchanged between sender and receiver.
This is also called as centralized key distribution system.
Symmetric key distribution using symmetric encryption
A has a master key Ka, known only to itself and the KDC. Similarly, B shares his
A send a request message to the KDC for a session key (Ks), that include the
identity of A (IDA), and identity of B (IDB) and a unique identifier called nonce
The KDC responds with a message encrypted by using Ka. The message includes
one-time session key Ks , and the original request message of A appended with
E(Kb,[Ks|| IDA]).
A stores the session key for its use, and forward to B the information that
Using Ks, A responds with f(N2), where f is a function that performs some
transformation on N2.
Symmetric key distribution using symmetric encryption
For connection-oriented protocol, the same session key can be used for
complete length of time the connection is open.
For a connectionless protocol, the most secure approach is to use a new
session key for each exchange of datagram. But this introduce increase delay .
Therefore, a better strategy is to use a given session key for a certain fixed
period only or for a certain number of transactions.
A transparent key control scheme
This scheme is useful for providing end-to-end encryption at a network.
This scheme is applied at the transport layer level.
The method assumes that communication make use of a connection-oriented, end-to-end
protocol such as TCP.
In the implementation protocol use 4-steps.
Symmetric key distribution using symmetric encryption
(A transparent key control scheme)
If, KDC is trustworthy the system works fine, otherwise we can opt for key
distribution which is decentralized.
In decentralized approach, each end system will communicate with its
potential partner end system for a session key.
Symmetric key distribution using symmetric encryption
Sharing Session key in Decentralized Key distribution
The system uses 3 steps.
B share its master key , Km with A.
(1) A sends a nonce, N1 to B as part of request for a session key.
(2) B responds with a message that is encrypted using the shared Master key (K m).
The model was developed by IBM that was used in IBM main frames.
KDC distributes Ks, encrypted by using the Master key (Symmetric key).
compatibility.
Observations:
Symmetric key encryption algorithms are used to encrypt large data.
Algorithms that uses symmetric key are DES,3DES,AES,IDEA,RC4,RC5.
Asymmetric key encryption algorithms are used to encrypt small data.
Algorithms that uses Asymmetric key are RSA, DSA.
Practically, Asymmetric key algorithms are slow compared to symmetric
key algorithms.
Processing Public key is faster than private key .
Distribution Of Public Key
How to share my public key ?.
The sharing must preserve authentication. This is a challenging task. Several
techniques have been proposed for sharing the public key.
Some popular public key sharing techniques are,
(1) Public announcement
(2) Publicly available directory
(3) Public-key authority
(4) Public-key certificate
(1) Distribution of Public Keys by Public Announcement
You can make Public key available in open forum like email signature, website,
be other user.
(2) Publicly Available Directory
Some degree of security can be achieved by maintaining a special directory
called public key directory.
The maintenance and distribution of the public key directory is by a trusted
authority.
The authority maintains a directory containing {name, public key} of
users.
Each user register his public key with the directory authority by a secure
and authenticated communication.
(2) Publicly Available Directory(contd…)
A user may replace the existing public key by a new key at any time.
Users can access the directory to get their required public key.
The model works fine till the agency is trustworthy and directory is secure.
(3) Public-Key Authority
The model provides a stronger security for public-key distribution with a tight
control over the distribution process.
All the three entities(User A, User B & Authority), each has a pair of keys.
In this method, before any exchange take place, users published their public
key to the authority.
In turn authority share its public key (PUauth) with the user.
The model provides Confidentiality and greater degree of authenticity.
(3) Public-Key Authority (contd…)
How this method provide Authentication & Confidentiality?
(3) Public-Key Authority (contd…)
(iii) Format are used to represent [T1||IDA ||PUa] which is specified in X.509.
How A & B authenticates Digital certificate (X.509)
(1) The certificate is a digitally signed document by the authority.
(2) When the receiver B receive certificate from A, verify the certificate and authenticates.
So also A.
(3) CA = E(PRauth , [T1||IDA ||PUa])
Certificate Format X.509
Version: Default is version 1, latest version is version 3.
Serial number: A unique integer value associated the certificate issued by CA.
Issuer name: Name of the CA that created and signed this certificate.
Period of validity: Consists of two dates: the beginning and last dates.
Subject name: The name of the user to whom this certificate refers.
CRL Repository:
CRL repository is the list of revoked certificates which are signed by CA. The
repository is freely available for public reference. Each revoked certificate is listed
in CRL by certificate serial number.
PKIX Management (Public Key Infrastructure X.509 )
End of UNIT 4
Unit 5
Or