
CS6701-CRYPTOGRAPHY AND NETWORK SECURITY

DEPARTMENT OF INFORMATION TECHNOLOGY

IV YEAR-A, B&C FACULTY: Mr. P.V.RAO

CS6701 CRYPTOGRAPHY AND NETWORK SECURITY L T P C 3 0 0 3

OBJECTIVES: The student should be made to:

Understand OSI security architecture and classical encryption techniques.

Acquire fundamental knowledge on the concepts of finite fields and number theory.

Understand various block cipher and stream cipher models.

Describe the principles of public key cryptosystems, hash functions and digital signature.

UNIT I INTRODUCTION & NUMBER THEORY 10

Services, Mechanisms and attacks - the OSI security architecture - Network security model - Classical Encryption techniques (Symmetric cipher model, substitution techniques, transposition techniques, steganography). FINITE FIELDS AND NUMBER THEORY: Groups, Rings, Fields - Modular arithmetic - Euclid's algorithm - Finite fields - Polynomial Arithmetic - Prime numbers - Fermat's and Euler's theorem - Testing for primality - The Chinese remainder theorem - Discrete logarithms.

UNIT II BLOCK CIPHERS & PUBLIC KEY CRYPTOGRAPHY 10

Data Encryption Standard - Block cipher principles - block cipher modes of operation - Advanced Encryption Standard (AES) - Triple DES - Blowfish - RC5 algorithm. Public key cryptography: Principles of public key cryptosystems - The RSA algorithm - Key management - Diffie Hellman Key exchange - Elliptic curve arithmetic - Elliptic curve cryptography.

UNIT III HASH FUNCTIONS AND DIGITAL SIGNATURES 8

Authentication requirement - Authentication function - MAC - Hash function - Security of hash function and MAC - MD5 - SHA - HMAC - CMAC - Digital signature and authentication protocols - DSS - ElGamal - Schnorr.

UNIT IV SECURITY PRACTICE & SYSTEM SECURITY 8

Authentication applications - Kerberos - X.509 Authentication services - Internet Firewalls for Trusted Systems: Roles of Firewalls - Firewall related terminology - Types of Firewalls - Firewall designs - SET for E-Commerce Transactions. Intruder - Intrusion detection system - Virus and related threats - Countermeasures - Firewall design principles - Trusted systems - Practical implementation of cryptography and security.

UNIT V E-MAIL, IP & WEB SECURITY 9

E-mail Security: Security Services for E-mail - attacks possible through E-mail - establishing keys - privacy - authentication of the source - Message Integrity - Non-repudiation - Pretty Good Privacy - S/MIME. IP Security: Overview of IPSec - IP and IPv6 - Authentication Header - Encapsulation Security Payload (ESP) - Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding). Web Security: SSL/TLS Basic Protocol - computing the keys - client authentication - PKI as deployed by SSL - Attacks fixed in v3 - Exportability - Encoding - Secure Electronic Transaction (SET).

TOTAL: 45 PERIODS

OUTCOMES: Upon completion of the course, the students should be able to:

Compare various cryptographic techniques

Design secure applications

Inject secure coding in the developed applications

UNIT-I

1. Explain about Security Services, Mechanisms and attacks (8)

2. Write about OSI security architecture and Network Security Model (10)

3. Classical Encryption Techniques or Symmetric cipher model, substitution, Transposition techniques (12)

4. Introduction about number theory (groups, rings, fields and modular arithmetic)(6)

5. Write about Euclid’s algorithm (8)

6. Fermat’s and Euler’s theorem (8)

7. The Chinese Remainder theorem (8)

UNIT-II

1. Explain about Data Encryption Standard (10)

2. Write about Block cipher principles and block cipher modes of operation (8)

3. Explain about Advanced Encryption Standard (AES) (10)

4. Write about Triple DES (8)

5. Explain about Blowfish algorithm (8)

6. RC5 algorithm (8)

7. Explain about public key cryptography and principles (10)

8. Write about RSA algorithm, Diffie Hellmann key exchange (8)

9. Write about Elliptic Curve arithmetic and cryptography (8)

UNIT-III


1. Explain about Authentication requirement and function (6)

2. Explain about MAC, Hash Function and security of hash and MAC function (10)

3. Write about MD5, SHA, HMAC and CMAC (8)

4. Explain about Digital signature and Authentication Protocols (10)

5. Write about DSS, ElGamal, Schnorr (8)

UNIT-IV

1. Write about Authentication Applications (6)

2. Explain about Kerberos (16)

3. Write about X.509 Authentication services (10)

4. Write short notes on Internet Firewalls for trusted systems (6)

5. Explain about types of Firewalls and design (10)

6. Write about Intrusion detection system (8)

7. Virus and related threats (8)

8. Firewalls design principles and trusted systems (6)

9. Practical implementation of cryptography and security (8)

UNIT-V

1. Write about E-mail Security (Security Services for E-mail - attacks possible through E-mail)

2. Pretty Good Privacy-S/MIME (12)

3. IP Security (Overview of IPSec - IP and IPv6 - Authentication Header - Encapsulation Security Payload (ESP) - Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding)) (16)

4. Web Security: SSL/TLS Basic Protocol - computing the keys - client authentication - PKI as deployed by SSL - Attacks fixed in v3 - Exportability - Encoding - Secure Electronic Transaction (SET) (16)

UNIT-I


1. OSI security architecture - Services, Mechanisms and attacks (10)

The OSI security architecture provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying them. It focuses on three concepts:

Security attack

Security mechanism

Security service

Threat: a possible danger that might exploit a vulnerability.

Attack: an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

Security Attack:

An attack is defined as any action that compromises the security of information owned by an organization. Attacks can be classified as:

Passive attack

Active attack

1.1 Security Services

X.800: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.

RFC 2828: a processing or communication service provided by a system to give a specific kind of protection to system resources.

1. Authentication - assurance that the communicating entity is the one claimed.

(a) Peer entity authentication: It is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.

(b) Data origin authentication: It provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail where there are no prior interactions between the communicating entities.

2. Access Control - prevention of the unauthorized use of a resource.

3. Data Confidentiality - protection of data from unauthorized disclosure.

4. Data Integrity - assurance that data received is as sent by an authorized entity.

5. Non-Repudiation - protection against denial by one of the parties in a communication.

1.2 Security Mechanisms

A security mechanism is a process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.

Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.

Digital Signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).

Access Control: A variety of mechanisms that enforce access rights to resources.

Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing Control: Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.

Notarization: The use of a trusted third party to assure certain properties of a data exchange.

1.3 Security Attacks

A useful means of classifying security attacks, used in both X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.


2. Write about Network Security Model (10)

The two parties, who are the principals in this transaction, must cooperate for the exchange to take place. A logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.


This general model shows that there are four basic tasks in designing a particular security service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.

2. Generate the secret information to be used with the algorithm.

3. Develop methods for the distribution and sharing of the secret information.

4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

● Information access threats intercept or modify data on behalf of users who should not have access to that data.

● Service threats exploit service flaws in computers to inhibit use by legitimate users.

3. Classical Encryption Techniques or Symmetric cipher model, substitution, Transposition techniques (12)

Symmetric Cipher Model

A symmetric encryption scheme has five ingredients:

Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.

Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.

Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.

Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.

Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.

Figure 2.1. Simplified Model of Conventional Encryption

Figure 2.2. Model of Conventional Cryptosystem

2.2. Substitution Techniques

The two basic building blocks of all encryption techniques are substitution and transposition. A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols.

Caesar Cipher

The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example:

plain:  meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by listing all possibilities:

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter (a = 0, b = 1, ..., z = 25). We define a mod n to be the remainder when a is divided by n. For example, 11 mod 7 = 4. Then the Caesar cipher is

C = E(3, p) = (p + 3) mod 26

A shift may be of any amount, so that the general Caesar algorithm is

C = E(k, p) = (p + k) mod 26

where k takes on a value in the range 1 to 25. The decryption algorithm is simply

p = D(k, C) = (C - k) mod 26

If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all the 25 possible keys.

Figure 2.3. Brute-Force Cryptanalysis of Caesar Cipher (all possible key combinations)

Monoalphabetic Ciphers

With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key space can be achieved by allowing an arbitrary substitution:

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

If, instead, the "cipher" line can be any permutation of the 26 alphabetic characters, then there are 26! or greater than 4 x 10^26 possible keys.


Such a key space would seem to rule out brute-force cryptanalysis. This approach is referred to as a monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.
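As an added example (not part of the original notes), the general shift cipher and the brute-force search described above, applied to the notes' own example sentence; the small word list used to score candidate plaintexts is a constructed assumption:

```python
# Added example (not from the original notes): the general shift cipher
# C = (p + k) mod 26, its inverse p = (C - k) mod 26, and the brute-force
# cryptanalysis of Figure 2.3, where all 25 keys are tried and the output that
# reads as English is kept.  The word list used for scoring is constructed.
import string
from math import factorial

ALPHABET = string.ascii_lowercase   # a = 0, b = 1, ..., z = 25


def shift_encrypt(plaintext: str, k: int) -> str:
    """E(k, p) = (p + k) mod 26 per letter; ciphertext in upper case, non-letters kept."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            p = ALPHABET.index(ch.lower())
            out.append(ALPHABET[(p + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, k: int) -> str:
    """D(k, C) = (C - k) mod 26, i.e. a shift by 26 - k; plaintext in lower case."""
    return shift_encrypt(ciphertext, (26 - k) % 26).lower()


# Constructed mini-dictionary used to recognise a plausible plaintext.
COMMON_WORDS = {"the", "me", "meet", "after", "party", "and", "to", "of", "a", "in"}


def score_english(text: str) -> int:
    """Number of tokens that are common English words; higher is more plausible."""
    return sum(1 for w in text.lower().split() if w in COMMON_WORDS)


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try every key 1..25 and return (key, plaintext) for the best-scoring candidate."""
    best_k = max(range(1, 26), key=lambda k: score_english(shift_decrypt(ciphertext, k)))
    return best_k, shift_decrypt(ciphertext, best_k)


def monoalphabetic_key_space() -> int:
    """Key count when the cipher alphabet may be any permutation: 26! > 4 x 10^26."""
    return factorial(26)


if __name__ == "__main__":
    ct = shift_encrypt("meet me after the toga party", 3)
    print(ct)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(brute_force(ct))                      # (3, 'meet me after the toga party')
    print(f"{monoalphabetic_key_space():.1e}")  # 4.0e+26
```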

UNIT-II

1. Data Encryption Standard - Block cipher principles (12)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST). DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure. The block size is 64 bits. Though the key length is 64 bits, DES has an effective key length of 56 bits. The general structure of DES is depicted in the following illustration.

Since DES is based on the Feistel cipher, all that is required to specify DES is:

Initial and final permutation

Round function

Key expansion

1. Initial and Final Permutation


The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each other.

2. Round Function

The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Expansion Permutation Box - Since the right input is 32 bits and the round key is 48 bits, we first need to expand the right input to 48 bits.

XOR (Whitener) - After the expansion permutation, DES performs an XOR operation on the expanded right section and the round key. The round key is used only in this operation.


Substitution Boxes - The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer to the following illustration.

There are a total of eight S-box tables. The output of all eight S-boxes is then combined into a 32-bit section.

Straight Permutation - The 32-bit output of the S-boxes is then subjected to the straight permutation with the rule shown in the following illustration:


Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key generation is depicted in the following illustration.

2. Write about Block cipher principles and block cipher modes of operation (8)

A block cipher processes data blocks of fixed size. Usually, the size of a message is larger than the block size. Hence, the long message is divided into a series of sequential message blocks, and the cipher operates on these blocks one at a time.

Electronic Code Book (ECB) Mode

This mode is the most straightforward way of processing a series of sequentially listed message blocks. The user takes the first block of plaintext and encrypts it with the key to produce the first block of ciphertext.


The ECB mode is deterministic, that is, if plaintext blocks P1, P2, ..., Pm are encrypted twice under the same key, the output ciphertext blocks will be the same.

Cipher Block Chaining (CBC) Mode

CBC mode of operation provides message dependence for generating ciphertext and makes the system non-deterministic.

Operation

The operation of CBC mode is depicted in the following illustration. The steps are as follows:

1. Load the n-bit Initialization Vector (IV) in the top register.

2. XOR the n-bit plaintext block with the data value in the top register.

3. Encrypt the result of the XOR operation with the underlying block cipher with key K.

4. Feed the ciphertext block into the top register and continue the operation till all plaintext blocks are processed.

For decryption, the IV data is XORed with the first ciphertext block decrypted. The first ciphertext block is also fed into the register, replacing the IV, for decrypting the next ciphertext block.

Cipher Feedback (CFB) Mode

In this mode, each ciphertext block gets ‘fed back’ into the encryption process in order to encrypt the next plaintext block.


Operation

The operation of CFB mode is depicted in the following illustration. In this mode, a message block has a size of s bits, where 1 < s < n. The CFB mode requires an initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. The steps of operation are:

1. Load the IV in the top register.

2. Encrypt the data value in the top register with the underlying block cipher with key K.

3. Take only the s most significant bits (left bits) of the output of the encryption process and XOR them with the s-bit plaintext message block to generate the ciphertext block.

4. Feed the ciphertext block into the top register by shifting the already present data to the left, and continue the operation till all plaintext blocks are processed.

Essentially, the previous ciphertext block is encrypted with the key, and then the result is XORed with the current plaintext block.

Similar steps are followed for decryption. The pre-decided IV is initially loaded at the start of decryption.

Output Feedback (OFB) Mode

It involves feeding the successive output blocks from the underlying block cipher back to it. These feedback blocks provide a string of bits to feed the encryption algorithm, which acts as the key-stream generator as in the case of CFB mode.

The key stream generated is XORed with the plaintext blocks. The OFB mode requires an IV as the initial random n-bit input block. The IV need not be secret. The operation is depicted in the following illustration.


Counter (CTR) Mode

CTR mode can be considered as a counter-based version of CFB mode without the feedback. In this mode, both the sender and receiver need access to a reliable counter, which computes a new shared value each time a ciphertext block is exchanged. This shared counter is not necessarily a secret value, but the challenge is that both sides must keep the counter synchronized.

Operation

Both encryption and decryption in CTR mode are depicted in the following illustration. The steps in operation are:

1. Load the initial counter value in the top register; it is the same for both the sender and the receiver. It plays the same role as the IV in CFB (and CBC) mode.

2. Encrypt the contents of the counter with the key and place the result in the bottom register.

3. Take the first plaintext block P1 and XOR this with the contents of the bottom register. The result of this is C1. Send C1 to the receiver and update the counter. The counter update replaces the ciphertext feedback in CFB mode.

4. Continue in this manner until the last plaintext block has been encrypted.

The decryption is the reverse process. The ciphertext block is XORed with the output of the encrypted contents of the counter value. After decryption of each ciphertext block, the counter is updated as in the case of encryption.


3. Explain about Advanced Encryption Standard (AES) (10)

The features of AES are as follows:

Symmetric key symmetric block cipher

128-bit data, 128/192/256-bit keys

Stronger and faster than Triple-DES

Provides full specification and design details

Software implementable in C and Java

AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix. The number of rounds in AES is variable and depends on the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

Encryption Process

Here, we restrict ourselves to the description of a typical round of AES encryption. Each round comprises four sub-processes. The first round process is depicted below.


Byte Substitution (SubBytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns.

ShiftRows

Each of the four rows of the matrix is shifted to the left. Any entries that 'fall off' are re-inserted on the right side of the row. The shift is carried out as follows:

First row is not shifted.

Second row is shifted one (byte) position to the left.

Third row is shifted two positions to the left.

Fourth row is shifted three positions to the left.

The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.

MixColumns

Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is not performed in the last round.


AddRoundKey

The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

Decryption Process

The process of decryption of an AES ciphertext is similar to the encryption process in the reverse order. Each round consists of the four processes conducted in the reverse order:

Add round key

Mix columns

Shift rows

Byte substitution

Since the sub-processes in each round are applied in reverse manner, unlike for a Feistel cipher, the encryption and decryption algorithms need to be implemented separately, although they are very closely related.
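As an added example (not from the original notes), the ShiftRows and MixColumns steps and their inverses on the 4x4 byte state, which is where the "separate decryption algorithm" remark above comes from: the inverse round applies the inverse operations in reverse order. SubBytes and AddRoundKey are left out, so this is two steps of a round, not a complete AES.

```python
# Added example (not from the original notes): the ShiftRows and MixColumns
# steps of an AES round on a 4x4 byte state, plus their inverses.  MixColumns
# multiplies each column by a fixed matrix over GF(2^8), reducing by the AES
# polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).  Not a full AES: no SubBytes,
# no AddRoundKey, no key schedule.

State = list[list[int]]          # state[row][col], 4 rows x 4 columns


def xtime(b: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8), reducing by 0x11b on overflow."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by shift-and-add using xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def shift_rows(s: State) -> State:
    """Row r is rotated r bytes to the left; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(s)]


def inv_shift_rows(s: State) -> State:
    """Row r is rotated r bytes to the right."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(s)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col: list[int], m=MIX) -> list[int]:
    """Multiply one 4-byte column by the (inverse) MixColumns matrix over GF(2^8)."""
    out = []
    for row in m:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gmul(coef, byte)
        out.append(acc)
    return out


def mix_columns(s: State, m=MIX) -> State:
    """Apply mix_column to each of the four columns of the state."""
    cols = [mix_column([s[r][c] for r in range(4)], m) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(s: State) -> State:
    return mix_columns(s, INV_MIX)


def round_core(s: State) -> State:
    """ShiftRows then MixColumns, the order used in every round but the last."""
    return mix_columns(shift_rows(s))


def inv_round_core(s: State) -> State:
    """Decryption: inverse operations in the reverse order."""
    return inv_shift_rows(inv_mix_columns(s))
```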

4. Write about Triple DES (8)

There are two variants of Triple DES known as 3-key Triple DES (3TDES) and 2-key Triple DES (2TDES).

3-Key Triple DES

Before using 3TDES, the user first generates and distributes a 3TDES key K, which consists of three different DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3 × 56 = 168 bits. The encryption scheme is illustrated as follows.


The encryption-decryption process is as follows:

1. Encrypt the plaintext blocks using single DES with key K1.

2. Now decrypt the output of step 1 using single DES with key K2.

3. Finally, encrypt the output of step 2 using single DES with key K3.

The output of step 3 is the ciphertext. Decryption of a ciphertext is the reverse process: the user first decrypts using K3, then encrypts with K2, and finally decrypts with K1.

Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a 3TDES (hardware) implementation for single DES by setting K1, K2, and K3 to be the same value. This provides backwards compatibility with DES.

The second variant of Triple DES (2TDES) is identical to 3TDES except that K3 is replaced by K1. In other words, the user encrypts plaintext blocks with key K1, then decrypts with key K2, and finally encrypts with K1 again. Therefore, 2TDES has a key length of 112 bits.

Triple DES systems are significantly more secure than single DES, but they are clearly a much slower process than encryption using single DES.
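One added example (not from the original notes, and not DES itself) serving three passages above: the 16-round Feistel structure of question 1, the ECB/CBC/CFB/OFB/CTR modes of question 2, and the EDE construction of Triple DES. The round function and key schedule are constructed keyed-hash stand-ins for the DES E/S-box/P steps, so only the structural properties the text describes carry over: decryption reuses the encryption structure with the round keys reversed, ECB repeats, CBC chains, and EDE with K1 = K2 = K3 collapses to single encryption.

```python
# Added example (not from the original notes): a toy 64-bit, 16-round Feistel
# cipher standing in for DES, the five modes of operation built on top of it,
# and the Triple-DES EDE construction.  F and the key schedule are constructed
# keyed-hash stand-ins; this is NOT DES and is not for real use.
import hashlib

BLOCK = 8       # 64-bit block, as in DES
ROUNDS = 16     # 16-round Feistel structure, as in DES


def key_schedule(key: bytes) -> list[bytes]:
    """Constructed stand-in for DES key expansion: sixteen 48-bit round keys."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def F(right: bytes, round_key: bytes) -> bytes:
    """Round function: 32-bit half + 48-bit round key -> 32 bits (keyed-hash stand-in)."""
    return hashlib.sha256(round_key + right).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, round_keys: list[bytes]) -> bytes:
    """L_i = R_(i-1); R_i = L_(i-1) XOR F(R_(i-1), K_i); halves swapped back at the end."""
    left, right = block[:4], block[4:]
    for rk in round_keys:
        left, right = right, xor(left, F(right, rk))
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel property: same structure, round keys applied in reverse order.
    return feistel(block, key_schedule(key)[::-1])


def blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("data must be padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Deterministic: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, p) for p in blocks(pt))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, reg = [], iv                       # IV loaded into the "top register"
    for p in blocks(pt):
        reg = encrypt_block(key, xor(p, reg))
        out.append(reg)                     # ciphertext fed back into the register
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, reg = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), reg))
        reg = c
    return b"".join(out)


def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Full-block CFB (s = n): keystream block = E(K, previous ciphertext block)."""
    out, reg = [], iv
    for d in blocks(data):
        x = xor(d, encrypt_block(key, reg))
        out.append(x)
        reg = d if decrypt else x           # the register always holds ciphertext
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: the cipher output itself is fed back; the same call encrypts and decrypts."""
    out, reg = [], iv
    for d in blocks(data):
        reg = encrypt_block(key, reg)
        out.append(xor(d, reg))
    return b"".join(out)


def ctr_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """CTR: E(K, counter) XOR block, then increment; no feedback between blocks."""
    out = []
    for i, d in enumerate(blocks(data)):
        out.append(xor(d, encrypt_block(key, (counter + i).to_bytes(BLOCK, "big"))))
    return b"".join(out)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """3TDES-style encrypt-decrypt-encrypt: E(K3, D(K2, E(K1, P)))."""
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Reverse: D(K1, E(K2, D(K3, C)))."""
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))
```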

5. Explain about Blowfish algorithm(8)

Blowfish is a symmetric block cipher designed by Bruce Schneier in 1993/94.

Characteristics:

uses a 32 to 448 bit key, which is used to generate

18 32-bit subkeys stored in the P-array P1..P18

four 8x32 S-boxes stored in Si,j

The key schedule consists of:

initialize the P-array and then the 4 S-boxes using pi

XOR the P-array with key bits (reuse as needed)

loop repeatedly encrypting data using the current P & S and replace successive pairs of P then S values

requires 521 encryptions, hence slow in rekeying

BLOWFISH ENCRYPTION

uses two primitives: addition & XOR

data is divided into two 32-bit halves L0 & R0

for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;

where F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d, with a, b, c, d being the four bytes of the 32-bit input.


6. Explain about RC5 algorithm (8)

Designed by Ronald Rivest, RC5 encryption and decryption both expand the random key into 2(r+1) words that will be used sequentially (and only once each) during the encryption and decryption processes. All of the below comes from Rivest's revised paper on RC5.

RC5 is a family of ciphers RC5-w/r/b:

w = word size in bits (16/32/64); the data block is 2w bits

r = number of rounds (0..255)

b = number of bytes in the key (0..255)

The nominal version is RC5-32/12/16:

i.e. 32-bit words, so it encrypts 64-bit data blocks

using 12 rounds

with a 16-byte (128-bit) secret key

RC5 uses t = 2r+2 subkey words (w bits each). The subkeys are stored in array S[i], i = 0..t-1. The key schedule then consists of:

initializing S to a fixed pseudorandom value, based on the constants e and phi

copying the byte key (little-endian) into a c-word array L

a mixing operation that combines L and S to form the final S array

RC5 Encryption

split the input into two halves A & B

L0 = A + S[0];
R0 = B + S[1];
for i = 1 to r do
    Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i];
    Ri = ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1];

Each round is like 2 DES rounds.


7. Public key cryptography: Principles of public key cryptosystems (8) or RSA

Symmetric cryptography was well suited for organizations such as governments, the military, and big financial corporations that were involved in classified communication.

The process of encryption and decryption is depicted in the following illustration.

RSA Cryptosystem

RSA Designed by Rivest, Shamir & Adleman of MIT in 1977 best known & widely used public-key scheme based on exponentiation in a finite (Galois) field over integers modulo a prime nb. exponentiation takes O((log n)3) operations (easy)

each user generates a public/private key pair by:

selecting two large primes at random - p, q computing their system modulus n=p.q

note ø(n)=(p-1)(q-1) selecting at random the encryption key e

Page 24: CS6701-CRYPTOGRAPHY AND NETWORK SECURITY … · CS6701-CRYPTOGRAPHY AND NETWORK SECURITY DEPARTMENT OF INFORMATION TECHNOLOGY IV YEAR-A , B &C FACULTY: Mr. P.V.RAO CS6701 CRYPTOGRAPHY

• where 1<e<ø(n), gcd(e,ø(n))=1 solve following equation to find decryption key d

e.d=1 mod ø(n) and 0≤d≤n publish their public encryption key: PU={e,n} keep secret private decryption key: PR={d,n}

to encrypt a message M the sender: obtains public key of recipient PU={e,n} computes: C = Me mod n, where 0≤M<n

to decrypt the ciphertext C the owner: uses their private key PR={d,n} computes: M = Cd mod n

note that the message M must be smaller than the modulus n (block if needed)

RSA Example

1. Select primes: p=17 & q=11
2. Compute n = pq = 17 x 11 = 187
3. Compute ø(n) = (p–1)(q–1) = 16 x 10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de = 1 mod 160 and d < 160. Value is d=23 since 23 x 7 = 161 = 10 x 160 + 1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

sample RSA encryption/decryption is:

1. given message M = 88 (nb. 88 < 187)

encryption:
    C = 88^7 mod 187 = 11

decryption:
    M = 11^23 mod 187 = 88

8. Write about Diffie Hellman Key exchange (8)


first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts
• is a practical method for public exchange of a secret key
• used in a number of commercial products

a public-key distribution scheme
• cannot be used to exchange an arbitrary message
• rather it can establish a common key known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) – easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Diffie-Hellman Example

1. users Alice & Bob who wish to swap keys:
2. agree on prime q=353 and a=3
3. select random secret keys:
    A chooses xA=97, B chooses xB=233
4. compute respective public keys:
    yA = 3^97 mod 353 = 40 (Alice)
    yB = 3^233 mod 353 = 248 (Bob)
5. compute shared session key as:
    KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
    KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
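The exchange above with both sides' computations written out, as an added example (not from the notes), using the textbook values q=353, a=3, xA=97, xB=233; a brute-force discrete log at this toy size is included to show why "hard" depends on q being large.

```python
# Added example (not from the lecture notes): the Diffie-Hellman exchange above,
# both sides' computations written out, with the textbook values q = 353, a = 3,
# xA = 97, xB = 233. Only q, a, yA and yB travel over the wire.


def dh_public(q: int, a: int, x: int) -> int:
    """Public value y = a^x mod q (easy: modular exponentiation)."""
    return pow(a, x, q)


def dh_shared(q: int, y_other: int, x: int) -> int:
    """Shared key K = y_other^x mod q, computable by the holder of x only."""
    return pow(y_other, x, q)


def run_exchange(q: int, a: int, xA: int, xB: int):
    """Simulate Alice and Bob; returns (yA, yB, K_alice, K_bob)."""
    yA = dh_public(q, a, xA)            # Alice -> Bob
    yB = dh_public(q, a, xB)            # Bob -> Alice
    k_alice = dh_shared(q, yB, xA)      # (a^xB)^xA mod q
    k_bob = dh_shared(q, yA, xB)        # (a^xA)^xB mod q
    return yA, yB, k_alice, k_bob


def discrete_log_bruteforce(q: int, a: int, y: int) -> int:
    """Recover x from y = a^x mod q by trying every exponent: O(q) work.
    Trivial for q = 353, which is exactly why deployed groups use primes of
    2048 bits or more; the exponentiation above stays cheap at that size."""
    value = 1
    for x in range(1, q):
        value = (value * a) % q
        if value == y:
            return x
    raise ValueError("y is not a power of a modulo q")


if __name__ == "__main__":
    yA, yB, kA, kB = run_exchange(353, 3, 97, 233)
    print("yA =", yA, "yB =", yB, "K =", kA, "agree:", kA == kB)
    print("xA recovered from public data:", discrete_log_bruteforce(353, 3, yA))
```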

UNIT-III

1. Explain about Authentication requirement and function(6)

In the context of communications across a network, the following attacks can be identified:

1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

2. Explain about Authentication function(10)

Any message authentication or digital signature mechanism has two levels of functionality; at the lower level is a function that produces an authenticator. The types of functions that may be used to produce an authenticator may be grouped into three classes:

1. Message encryption: The ciphertext of the entire message serves as its authenticator.
2. Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
3. Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.

2.1 Message Encryption

Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.

Basic Uses of Message Encryption


2.2 Message Authentication Code

An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message. Assume two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key: MAC = C(K, M), where

    M = input message
    C = MAC function
    K = shared secret key
    MAC = message authentication code


2.3 Hash Function

A variation on the message authentication code is the one-way hash function. As with the message authentication code, a hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). The hash code is also referred to as a message digest or hash value.


3. Explain about MAC, Hash Function and security of hash and MAC function(10)

MAC FUNCTION

A MAC, also known as a cryptographic checksum, is generated by a function C of the form MAC = C(K, M), where M is a variable-length message, K is a secret key shared only by sender and receiver, and C(K, M) is the fixed-length authenticator. The MAC is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by recomputing the MAC.

Hash Functions

A hash value h is generated by a function H of the form h = H(M), where M is a variable-length message and H(M) is the fixed-length hash value. The hash value is appended to the message.


Security of Hash Functions and MACs

Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.

Brute-Force Attacks

The nature of brute-force attacks differs somewhat for hash functions and MACs.

Hash Functions: The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm. Recall from our discussion of hash functions that there are three desirable properties:
● One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h.
● Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
● Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
For a hash code of length n, the level of effort required, as we have seen, is proportional to the following:


General Structure of Secure Hash Code

Message Authentication Codes: A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. Let us see why this is so. To attack a hash code, we can proceed in the following way. Given a fixed message x with n-bit hash code h = H(x), a brute-force method of finding a collision is to pick a random bit string y and check if H(y) = H(x). The attacker can do this repeatedly off line. Whether an off-line attack can be used on a MAC algorithm depends on the relative size of the key and the MAC. To proceed, we need to state the desired security property of a MAC algorithm, which can be expressed as follows:
● Computation resistance: Given one or more text-MAC pairs [xi, C(K, xi)], it is computationally infeasible to compute any text-MAC pair [x, C(K, x)] for any new input x ≠ xi.
In other words, the attacker would like to come up with the valid MAC code for a given message x. There are two lines of attack possible: attack the key space and attack the MAC value. We examine each of these in turn.

5. Explain about Secure Hash Algorithm (SHA) (8)

SHA was originally designed by NIST & NSA in 1993 and revised in 1995 as SHA-1
• US standard for use with the DSA signature scheme
• standard is FIPS 180-1 (1995), also Internet RFC3174
• nb. the algorithm is SHA, the standard is SHS
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications


heart of the algorithm (SHA-512): processing message in 1024-bit blocks, consists of 80 rounds updating a 512-bit buffer using a 64-bit value Wt derived from the current message block and a round constant based on the cube root of the first 80 prime numbers

SHA-512 Round Function


6. Hashes and Message Digest (MD5) (8)

Hash is also called message digest
• One-way function: d = h(m) but no h^-1(d) = m
• Cannot find the message given a digest
• Cannot find m1, m2 with m1 ≠ m2, where d1 = d2

1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
    – using 4 rounds of 16 bit-operations on message block & buffer
    – add output to buffer input to form new buffer value
5. Output hash value is the final buffer value
6. Given original message M, add padding bits “10*” such that resulting length is 64 bits less than a multiple of 512 bits.
7. Append (original length in bits mod 2^64), represented in 64 bits, to the padded message
8. Final message is chopped into 512-bit blocks

7. Write about HMAC CMAC(10)

7.1 HMAC:

specified as Internet standard RFC2104
uses hash function on the message:
    HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]

any hash function can be used eg. MD5, SHA-1, RIPEMD-160, Whirlpool

    H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
    IV = initial value input to hash function
    M = message input to HMAC (including the padding specified in the embedded hash function)
    Yi = ith block of M, 0 ≤ i ≤ (L - 1)
    L = number of blocks in M
    b = number of bits in a block
    n = length of hash code produced by embedded hash function
    K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash function to produce an n-bit key
    K+ = K padded with zeros on the left so that the result is b bits in length
    ipad = 00110110 (36 in hexadecimal) repeated b/8 times
    opad = 01011100 (5C in hexadecimal) repeated b/8 times

HMAC Structure

Then HMAC can be expressed as follows:
    HMAC(K,M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]

1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length 160 bits and b = 512 then K will be appended with 44 zero bytes 0x00).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.

7.2 CMAC(6)

previously saw the DAA (CBC-MAC) widely used in govt & industry, but it has a message size limitation; this can be overcome using 2 keys & padding, thus forming the Cipher-based Message Authentication Code (CMAC) adopted by NIST SP800-38B
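The HMAC construction of 7.1 above, built step by step from the definition and checked against Python's hmac module, as an added example (not from the notes). One caveat: RFC 2104 places the zero padding of step 1 at the end (right) of K, and that is the convention used here and by the standard library.

```python
# Added example (not from the lecture notes): HMAC assembled step by step from the
# definition in 7.1 (K+, ipad = 0x36, opad = 0x5C, inner and outer hash) and checked
# against Python's standard hmac module. On step 1: RFC 2104 pads K with zeros at the
# end (right), which is what every interoperable implementation does.
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    h = hashlib.new(hash_name)
    b = h.block_size                # b/8 bytes: 64 for MD5, SHA-1, SH-256
    if len(key) > b:                # key longer than b: hash it down to n bits first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))                 # step 1: zero-pad to b bits
    ipad = bytes([0x36]) * b
    opad = bytes([0x5C]) * b
    s_i = bytes(a ^ c for a, c in zip(k_plus, ipad))        # step 2: Si = K+ XOR ipad
    inner = hashlib.new(hash_name, s_i + message).digest()  # steps 3-4: H(Si || M)
    s_o = bytes(a ^ c for a, c in zip(k_plus, opad))        # step 5: So = K+ XOR opad
    return hashlib.new(hash_name, s_o + inner).digest()     # steps 6-7: H(So || inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check our construction against hmac.new for the same inputs."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the MAC and compare in constant time, not with ==."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name), tag)


if __name__ == "__main__":
    # Constructed inputs (not from the notes).
    msg = b"The quick brown fox jumps over the lazy dog"
    print(hmac_from_definition(b"key", msg, "md5").hex())
    print("agrees with hmac module:", matches_stdlib(b"key", msg, "sha1"))
```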

8. Digital signature and authentication protocols(8)

have looked at message authentication, but it does not address issues of lack of trust

digital signatures provide the ability to:
    a. verify author, date & time of signature
    b. authenticate message contents
    c. be verified by third parties to resolve disputes
hence include authentication function with additional capabilities

A variety of approaches has been proposed for the digital signature function. These approaches fall into two categories: direct and arbitrated.

Direct Digital Signatures
• involve only sender & receiver
• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with private-key
• can encrypt using receiver's public-key
• important that sign first then encrypt message & signature
• security depends on sender’s private-key

Arbitrated Digital Signatures
• involves use of arbiter A
• validates any signed message
• then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private or public-key algorithms
• arbiter may or may not see message

Authentication Protocols
• used to convince parties of each other's identity and to exchange session keys
• may be one-way or mutual
• key issues are
    – confidentiality – to protect session keys
    – timeliness – to prevent replay attacks
• published protocols are often found to have flaws and need to be modified

9. DSS (Digital Signature Standard) (8)

US Govt approved signature scheme
• designed by NIST & NSA in early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants

Digital Signature Algorithm (DSA)

• creates a 320 bit signature with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
• variant of ElGamal & Schnorr schemes

DSA Key Generation

have shared global public key values (p,q,g):
• choose q, a 160-bit prime
• choose a large prime p with 2^(L-1) < p < 2^L
    – where L = 512 to 1024 bits and is a multiple of 64
    – and q is a prime factor of (p-1)
• choose g = h^((p-1)/q) mod p
    – where h < p-1, h^((p-1)/q) (mod p) > 1

users choose private & compute public key:
• choose x < q
• compute y = g^x (mod p)

DSA Signature Creation

to sign a message M the sender:
• generates a random signature key k, k < q
• k must be random, be destroyed after use, and never be reused
then computes signature pair:
    r = (g^k (mod p)) (mod q)
    s = (k^-1 . (H(M) + x.r)) (mod q)
sends signature (r,s) with message M

DSA Signature Verification

having received M & signature (r,s), to verify a signature the recipient computes:
    w = s^-1 (mod q)
    u1 = (H(M).w) (mod q)
    u2 = (r.w) (mod q)
    v = (g^u1 . y^u2 (mod p)) (mod q)
if v = r then signature is verified
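DSA key generation, signing and verification following the equations above, as an added example (not from the notes), on toy parameters p=23, q=11, h=2 (so g=4) chosen small enough to check by hand; real DSA uses the 512-1024-bit p and 160-bit q described above, and the SHA-1 reduction mod q used here is just a convenient stand-in for H(M) at this size.

```python
# Added example (not from the lecture notes): DSA key generation, signing and
# verification exactly as in the equations above, on toy parameters small enough to
# check by hand (p = 23, q = 11, h = 2, so g = 4). Real DSA needs the 512..1024-bit p
# and 160-bit q the notes describe; these tiny values are for illustration only.
import hashlib
import secrets


def dsa_params():
    """Toy global public values (p, q, g): q | p-1 and g = h^((p-1)/q) mod p > 1."""
    p, q, h = 23, 11, 2
    assert (p - 1) % q == 0
    g = pow(h, (p - 1) // q, p)
    assert g > 1
    return p, q, g


def hash_mod_q(message: bytes, q: int) -> int:
    """H(M) as an integer reduced mod q (SHA-1, the hash the notes pair with DSS)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def dsa_keygen(p, q, g, x=None):
    """Private x < q (random unless given), public y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign_digest(p, q, g, x, hm, k=None):
    """r = (g^k mod p) mod q ; s = k^-1 (H(M) + x r) mod q ; k is fresh per signature."""
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (hm + x * r)) % q
        if r and s:                 # the standard requires a retry when r or s is 0
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; pick another")


def verify_digest(p, q, g, y, hm, sig) -> bool:
    """w = s^-1 ; u1 = H(M) w ; u2 = r w ; v = (g^u1 y^u2 mod p) mod q ; accept iff v = r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hm * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def dsa_sign(p, q, g, x, message: bytes):
    return sign_digest(p, q, g, x, hash_mod_q(message, q))


def dsa_verify(p, q, g, y, message: bytes, sig) -> bool:
    return verify_digest(p, q, g, y, hash_mod_q(message, q), sig)


if __name__ == "__main__":
    p, q, g = dsa_params()
    x, y = dsa_keygen(p, q, g, x=7)          # constructed private key
    sig = dsa_sign(p, q, g, x, b"constructed message")
    print("params", (p, q, g), "y =", y, "sig =", sig,
          "valid:", dsa_verify(p, q, g, y, b"constructed message", sig),
          "tampered:", dsa_verify(p, q, g, y, b"constructed message!", sig))
```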

UNIT-IV

1. Write about Authentication Applications OR Explain about Kerberos (V4 and v5) (16)

Will consider authentication functions developed to support application-level authentication & digital signatures: will consider Kerberos – a private-key authentication service, then X.509 – a public-key directory authentication service

Kerberos
• trusted key server system from MIT
• provides centralised private-key third-party authentication in a distributed network
• allows users access to services distributed through network
• without needing to trust all workstations
• rather all trust a central authentication server
• two versions in use: 4 & 5

Kerberos Requirements

its first report identified requirements as:


• secure
• reliable
• transparent
• scalable

implemented using an authentication protocol based on Needham-Schroeder

Kerberos v4 Overview

a basic third-party authentication scheme
• have an Authentication Server (AS)
    – users initially negotiate with AS to identify self
    – AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
• have a Ticket Granting Server (TGS)
    – users subsequently request access to other services from TGS on basis of user's TGT

Kerberos v4 Dialogue

1. obtain ticket granting ticket from AS
    • once per session
2. obtain service granting ticket from TGS using the TGT
    • for each distinct service required
3. client/server exchange to obtain service
    • on every service request

Summary of Kerberos Version 4 Message Exchanges


Kerberos Realms and Multiple Kerberi

A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers requires the following:

1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
3. The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other.

The details of the exchanges illustrated in Figure 14.2 (request for service in another realm) are as follows:

    (1) C → AS:        IDc || IDtgs || TS1
    (2) AS → C:        E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
    (3) C → TGS:       IDtgsrem || Tickettgs || Authenticatorc
    (4) TGS → C:       E(Kc,tgs, [Kc,tgsrem || IDtgsrem || TS4 || Tickettgsrem])
    (5) C → TGSrem:    IDvrem || Tickettgsrem || Authenticatorc
    (6) TGSrem → C:    E(Kc,tgsrem, [Kc,vrem || IDvrem || TS6 || Ticketvrem])
    (7) C → Vrem:      Ticketvrem || Authenticatorc

3. Write about X.509 Authentication services (8 or 6)

• defines framework for authentication services
• directory may store public-key certificates
    – with public key of user signed by certification authority
• also defines authentication protocols
• uses public-key crypto & digital signatures
    – algorithms not standardised, but RSA recommended


X.509 certificates are widely used

issued by a Certification Authority (CA), containing:

version (1, 2, or 3)

serial number (unique within CA) identifying certificate

signature algorithm identifier

issuer X.500 name (CA)

period of validity (from - to dates)

subject X.500 name (name of owner)

subject public-key info (algorithm, parameters, key)

issuer unique identifier (v2+)

subject unique identifier (v2+)

extension fields (v3)

signature (of hash of all fields in certificate)

notation CA<<A>> denotes certificate for A signed by CA

Obtaining a Certificate

• any user with access to CA can get any certificate from it
• only the CA can modify a certificate
• because cannot be forged, certificates can be placed in a public directory

4. Write short notes on Internet Firewalls for trusted systems and explain about types of Firewalls and design (10)

● Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
● Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
● Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two
● Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
● Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN

Firewall Characteristics

1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
3. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.

Types of Firewalls (8)


Packet-Filtering Router

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. The router is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:
● Source IP address: The IP address of the system that originated the IP packet
● Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
● Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
● IP protocol field: Defines the transport protocol
● Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for

Application-Level Gateway
• have application specific gateway / proxy
• has full access to protocol
    – user requests service from proxy
    – proxy validates request as legal
    – then actions request and returns result to user
    – can log / audit traffic at application level
• need separate proxies for each service
    – some services naturally support proxying
    – others are more problematic

Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created, usually relays traffic without examining contents
• typically used when trust internal users by allowing general outbound connections
• SOCKS is commonly used
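A packet-filtering router's rule table over the fields listed under Packet-Filtering Router above (addresses, protocol, port, interface), evaluated first-match with a default discard, as an added example (not from the notes); the addresses and rules are constructed.

```python
# Added example (not from the lecture notes): a packet-filtering router's rule table
# over the fields listed above (source/destination address, protocol, ports,
# interface), applied first-match to constructed packets with a default "discard"
# policy. Addresses and rules are made up for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # IP protocol field: "tcp", "udp", "icmp"
    sport: int
    dport: int
    iface: str      # interface the packet arrived on


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "discard"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    iface: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.iface in ("any", pkt.iface)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and _in_net(pkt.src, self.src)
                and _in_net(pkt.dst, self.dst))


# Constructed policy: internal 192.168.1.0/24 may browse out; only the mail host
# 192.168.1.2 is reachable from outside, on TCP/25; outside SNMP is dropped explicitly.
RULES = [
    Rule("permit", src="192.168.1.0/24", proto="tcp", dport=80, iface="inside"),
    Rule("permit", src="192.168.1.0/24", proto="tcp", dport=443, iface="inside"),
    Rule("permit", dst="192.168.1.2/32", proto="tcp", dport=25, iface="outside"),
    Rule("discard", proto="udp", dport=161, iface="outside"),   # SNMP from outside
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule decides; anything unmatched is discarded (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"


if __name__ == "__main__":
    for pkt in [Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443, "inside"),
                Packet("203.0.113.5", "192.168.1.2", "tcp", 40000, 25, "outside"),
                Packet("203.0.113.5", "192.168.1.3", "tcp", 40000, 25, "outside")]:
        print(pkt, "->", filter_packet(pkt))
```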

5. Write about Intrusion detection system (8)

significant issue for networked systems is hostile or unwanted access, either via network or local
can identify classes of intruders:
• masquerader
• misfeasor
• clandestine user

clearly a growing publicized problem
• from “Wily Hacker” in 1986/87
• to clearly escalating CERT stats
• may seem benign, but still cost resources
• may use compromised system to launch other attacks
• awareness of intruders has led to the development of CERTs


Intrusion Techniques

aim to gain access and/or increase privileges on a system
basic attack methodology:
• target acquisition and information gathering
• initial access
• privilege escalation
• covering tracks
key goal often is to acquire passwords so then exercise access rights of owner

Intrusion Detection

inevitably will have security failures, so need also to detect intrusions so can
• block if detected quickly
• act as deterrent
• collect info to improve security
assume intruder will behave differently to a legitimate user, but will have imperfect distinction between the two

1. Statistical anomaly detection: Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
    a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.
    b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts.
2. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
    a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.
    b. Penetration identification: An expert system approach that searches for suspicious behavior.

Audit Records

fundamental tool for intrusion detection
• native audit records


    – part of all common multi-user O/S
    – already present for use
    – may not have info wanted in desired form
• detection-specific audit records
    – created specifically to collect wanted info
    – at cost of additional overhead on system

Rule-Based Intrusion Detection

observe events on system & apply rules to decide if activity is suspicious or not
rule-based anomaly detection
• analyze historical audit records to identify usage patterns & auto-generate rules for them
• then observe current behavior & match against rules to see if conforms
• like statistical anomaly detection, does not require prior knowledge of security flaws

Distributed Intrusion Detection – Architecture
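The statistical (threshold and profile-based) and rule-based (penetration identification) approaches from the Intrusion Detection discussion above, run over constructed audit records, as an added example (not from the notes); the records, thresholds and the fail-then-success rule are all made up for illustration.

```python
# Added example (not from the lecture notes): the detection approaches above run over
# constructed audit records: a threshold rule (same limit for every user) on failed
# logins within a sliding window, a per-user profile rule that flags a day's activity
# more than z standard deviations from that user's history, and one expert-system style
# rule (several failures followed by a success) as penetration identification.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed native audit records: (seconds since start, user, event)
AUDIT = [
    (0, "alice", "LOGIN_FAIL"), (5, "alice", "LOGIN_FAIL"), (9, "alice", "LOGIN_FAIL"),
    (14, "alice", "LOGIN_FAIL"), (20, "alice", "LOGIN_FAIL"), (26, "alice", "LOGIN_FAIL"),
    (31, "alice", "LOGIN_OK"),
    (3, "bob", "LOGIN_FAIL"), (400, "bob", "LOGIN_FAIL"), (405, "bob", "LOGIN_OK"),
    (700, "carol", "FILE_READ"),
]


def threshold_alerts(records, event="LOGIN_FAIL", window=60, limit=5):
    """Threshold detection: more than `limit` `event`s by one user inside `window`
    seconds raises (user, time). The limit is the same for every user."""
    per_user = defaultdict(list)
    for ts, user, ev in sorted(records):
        if ev == event:
            per_user[user].append(ts)
    alerts = []
    for user, times in per_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:      # slide the window start forward
                start += 1
            if end - start + 1 > limit:
                alerts.append((user, ts))
                break                              # one alert per user is enough
    return alerts


def profile_alerts(history, today, z=3.0):
    """Profile-based detection. history: user -> list of past daily counts;
    today: user -> today's count. Flag when |count - mean| > z * stddev."""
    alerts = []
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < 2:                          # no usable profile yet: cannot judge
            continue
        mu, sd = mean(past), max(pstdev(past), 1.0)   # floor sd so a flat history works
        if abs(count - mu) > z * sd:
            alerts.append((user, count, round(mu, 1)))
    return alerts


def rule_fail_then_success(records, fails=3, window=60):
    """Penetration identification rule: >= `fails` LOGIN_FAILs within `window`
    seconds followed by LOGIN_OK for the same user is suspicious."""
    by_user = defaultdict(list)
    for ts, user, ev in sorted(records):
        by_user[user].append((ts, ev))
    alerts = []
    for user, events in by_user.items():
        recent_fails = []
        for ts, ev in events:
            recent_fails = [t for t in recent_fails if ts - t <= window]
            if ev == "LOGIN_FAIL":
                recent_fails.append(ts)
            elif ev == "LOGIN_OK" and len(recent_fails) >= fails:
                alerts.append((user, ts))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_alerts(AUDIT))
    print("profile:", profile_alerts({"carol": [10, 12, 11, 9, 10], "dave": [5, 6, 5, 7, 6]},
                                     {"carol": 40, "dave": 6, "erin": 99}))
    print("rule:", rule_fail_then_success(AUDIT))
```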

6. Virus and related threats (10)

computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies (often exaggerated)
• getting more attention than deserve
• are a concern though

Backdoor or Trapdoor
• secret entry point into a program
• allows those who know access, bypassing usual security procedures
• have been commonly used by developers
• a threat when left in production programs, allowing exploitation by attackers
• very hard to block in O/S
• requires good s/w development & update

Trojan Horse
• program with hidden side-effects, which is usually superficially attractive, eg game, s/w upgrade etc
• when run performs some additional tasks
    – allows attacker to indirectly gain access they do not have directly
• often used to propagate a virus/worm or install a backdoor, or simply to destroy data

Viruses
• a piece of self-replicating code attached to some other code, cf biological virus
• both propagates itself & carries a payload
    – carries code to make copies of itself
    – as well as code to perform some covert task

Virus Operation

virus phases:
• dormant – waiting on trigger event
• propagation – replicating to programs/disks
• triggering – by event to execute payload
• execution – of payload
details usually machine/OS specific, exploiting features/weaknesses

Types of Viruses

can classify on basis of how they attack:
• parasitic virus
• memory-resident virus
• boot sector virus
• stealth
• polymorphic virus
• metamorphic virus

Worms
• replicating but not infecting program
• typically spreads over a network, cf Morris Internet Worm in 1988, led to creation of CERTs
• using users' distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS
• major issue is lack of security of permanently connected systems, esp PC's

Worm Operation

worm phases like those of viruses:
• dormant
• propagation
    – search for other systems to infect
    – establish connection to target remote system
    – replicate self onto remote system
• triggering
• execution

UNIT-V

1. Write about E-MAIL Security (Security Services for E-mail - attacks possible through E-mail) or Pretty Good Privacy (12)

email is one of the most widely used and regarded network services
currently message contents are not secure: may be inspected either in transit or by suitably privileged users on destination system

Email Security Enhancements
• Confidentiality: protection from disclosure
• Authentication: of sender of message
• message integrity: protection from modification
• non-repudiation of origin: protection from denial by sender

Pretty Good Privacy

PGP provides confidentiality and authentication services that can be used for electronic mail and file storage Applications.

PGP Operation – Authentication

1. sender creates message
2. use SHA-1 to generate 160-bit hash of message
3. hash is signed with RSA using sender's private key, and is attached to message
4. receiver uses RSA with sender's public key to decrypt and recover hash code
5. receiver verifies received message using hash of it and compares with decrypted hash code

PGP Operation – Confidentiality

1. sender generates message and 128-bit random number as session key for it
2. encrypt message using CAST-128 / IDEA / 3DES in CBC mode with session key
3. session key encrypted using RSA with recipient's public key, & attached to msg
4. receiver uses RSA with private key to decrypt and recover session key
5. session key is used to decrypt message

PGP Operation – Confidentiality & Authentication

can use both services on same message
• create signature & attach to message
• encrypt both message & signature
• attach RSA/ElGamal encrypted session key

PGP Operation – Compression

by default PGP compresses message after signing but before encrypting
so can store uncompressed message & signature for later verification, & because compression is non-deterministic
uses ZIP compression algorithm

PGP Operation – Email Compatibility

when using PGP will have binary data to send (encrypted message etc)
however email was designed only for text
hence PGP must encode raw binary data into printable ASCII characters
uses radix-64 algorithm
maps 3 bytes to 4 printable chars
also appends a CRC
PGP also segments messages if too big
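The radix-64 encoding and CRC trailer described above, worked through as an added example (not code from the notes): every 3 raw bytes become 4 printable characters and a 24-bit CRC over the raw body is appended. The CRC parameters follow RFC 4880 (OpenPGP armor); the sample body is constructed.

```python
import base64

# OpenPGP radix-64 armor (RFC 4880, section 6): base64 of the binary body,
# then a trailer line "=" + the base64 of a 24-bit CRC over the raw body.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 with the OpenPGP initial value and polynomial."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(body: bytes, line_len: int = 64) -> str:
    """3 raw bytes -> 4 printable chars, wrapped, then the CRC-24 trailer."""
    enc = base64.b64encode(body).decode("ascii")
    lines = [enc[i:i + line_len] for i in range(0, len(enc), line_len)]
    crc_b64 = base64.b64encode(crc24(body).to_bytes(3, "big")).decode("ascii")
    lines.append("=" + crc_b64)
    return "\n".join(lines)


def dearmor(text: str) -> bytes:
    """Decode armored text; raise ValueError if the trailer is missing or the
    CRC mismatches, so a damaged message is rejected before any crypto runs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("armor missing CRC-24 trailer")
    trailer = lines.pop()
    body = base64.b64decode("".join(lines))
    expected = int.from_bytes(base64.b64decode(trailer[1:]), "big")
    if crc24(body) != expected:
        raise ValueError("CRC-24 mismatch: armored data corrupted")
    return body


def armor_is_valid(text: str) -> bool:
    """Yes/no integrity check wrapped around dearmor()."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample standing in for an encrypted PGP message body.
    sample = bytes(range(256)) * 2
    print(armor(sample))
```

The CRC only detects accidental corruption in transit; it is not a security check, which is why the signature and encryption layers still run on the decoded body.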

PGP Public & Private Keys

since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message
could send full public-key with every message, but this is inefficient
rather use a key identifier based on key
is least significant 64-bits of the key
will very likely be unique
also use key ID in signatures

PGP Operation – Summary

PGP Message Generation (diagram)

PGP Message Reception (diagram)

2. S/MIME (Secure/Multipurpose Internet Mail Extensions) (8)

S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet email format standard, based on technology from RSA Data Security.

original Internet RFC822 email was text only
MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form
S/MIME added security enhancements
have S/MIME support in many mail agents, eg MS Outlook, Mozilla, Mac Mail etc

S/MIME Cryptographic Algorithms

digital signatures: DSS & RSA

hash functions: SHA-1 & MD5

session key encryption: ElGamal & RSA

message encryption: AES, Triple-DES, RC2/40 and others

MAC: HMAC with SHA-1

have process to decide which algs to use

S/MIME Messages

S/MIME secures a MIME entity with a signature, encryption, or both, forming a MIME-wrapped PKCS object
have a range of content-types:

enveloped data

signed data

clear-signed data

registration request

certificate only message

S/MIME Functionality
In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or encrypt messages.

Functions
S/MIME provides the following functions:
● Enveloped data: This consists of encrypted content of any type and encrypted-content encryption keys for one or more recipients.
● Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
● Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
● Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

S/MIME Certificate Processing
S/MIME uses X.509 v3 certificates, managed using a hybrid of a strict X.509 CA hierarchy & PGP's web of trust
each client has a list of trusted CA's certs and own public/private key pairs & certs
certificates must be signed by trusted CA's

3. IP Security (Overview of IPSec - IP and IPv6 - Authentication Header - Encapsulation Security Payload (ESP) - Internet Key Exchange (Phases of IKE, ISAKMP/IKE Encoding)). (16)

have a range of application specific security mechanisms, eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that cut across protocol layers
would like security implemented by the network for all applications

IPSec
general IP Security mechanisms
provides: authentication, confidentiality, key management
applicable to use over LANs, across public & private WANs, & for the Internet

IPSec Uses

Benefits of IPSec
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users
secures routing architecture

IP Security Architecture
specification is quite complex
defined in numerous RFC's, incl. RFC 2401/2402/2406/2408, many others, grouped by category
mandatory in IPv6, optional in IPv4
have two security header extensions:
Authentication Header (AH)
Encapsulating Security Payload (ESP)

Security Associations
a one-way relationship between sender & receiver that affords security for traffic flow
defined by 3 parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifier
has a number of other parameters: seq no, AH & ESP info, lifetime etc
have a database of Security Associations

Authentication Header (AH)
provides support for data integrity & authentication of IP packets
end system/router can authenticate user/app
prevents address spoofing attacks by tracking sequence numbers
based on use of a MAC: HMAC-MD5-96 or HMAC-SHA-1-96
parties must share a secret key

Authentication Header (diagram)
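The receiver-side sequence-number tracking mentioned above for AH, as an added example (not from the notes): the sliding anti-replay window of RFC 2401 Appendix C, kept per SA. The window size and the packet trace are constructed values.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one SA (RFC 2401 Appendix C).
    Sequence numbers are 32-bit, start at 1 and must not wrap within an SA."""

    def __init__(self, size: int = 64):
        self.size = size      # window width in packets (RFC minimum is 32)
        self.last = 0         # highest sequence number accepted so far
        self.bitmap = 0       # bit d set <=> sequence number (last - d) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is new; return False for
        a duplicate or a packet older than the window can track. A real
        implementation updates this state only after the AH/ESP ICV verifies."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False
        if seq > self.last:
            # Right edge moves forward: slide the bitmap, mark seq as seen.
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False          # left of the window: too old, drop
        if self.bitmap & (1 << diff):
            return False          # already received: replay, drop
        self.bitmap |= 1 << diff  # inside the window and new: accept
        return True


def run_trace(seqs, size: int = 64) -> list:
    """Feed received sequence numbers through one window and return the
    accept/drop decision for each."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: out-of-order delivery (3 after 5), a replayed 2,
    # a jump that slides the whole window, then a packet that fell off it.
    print(run_trace([1, 2, 5, 3, 2, 70, 4, 69]))
    # -> [True, True, True, True, False, True, False, True]
```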

Encapsulating Security Payload (ESP)
provides message content confidentiality & limited traffic flow confidentiality
can optionally provide the same authentication services as AH
supports range of ciphers, modes, padding, incl. DES, Triple-DES, RC5, IDEA, CAST etc; CBC & other modes
padding needed to fill blocksize, fields, for traffic flow

Encapsulating Security Payload (diagram)

ISAKMP
Internet Security Association and Key Management Protocol
provides framework for key management
defines procedures and packet formats to establish, negotiate, modify, & delete SAs
independent of key exchange protocol, encryption alg, & authentication method

4. Web Security: SSL/TLS Basic Protocol - computing the keys - client authentication - PKI as deployed by SSL - Attacks fixed in v3 - Exportability - Encoding - Secure Electronic Transaction (SET). (16)

Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats: integrity, confidentiality, denial of service, authentication

SSL (Secure Socket Layer) (10)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end service
SSL has two layers of protocols

SSL Architecture (diagram)

SSL connection
a transient, peer-to-peer, communications link
associated with 1 SSL session

SSL session
an association between client & server
created by the Handshake Protocol
define a set of cryptographic parameters
may be shared by multiple SSL connections

SSL Record Protocol Services
message integrity
using a MAC with shared secret key
similar to HMAC but with different padding
confidentiality
using symmetric encryption with a shared secret key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption

SSL Record Protocol Operation

SSL Alert Protocol

specific alert
• fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
• warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown

SSL Handshake Protocol

allows server & client to:
authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
comprises a series of messages in phases:
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish

TLS (Transport Layer Security) (4)
IETF standard RFC 2246, similar to SSLv3 with minor differences:
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate types & negotiations
changes in crypto computations & padding
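The "pseudo-random function expands secrets" item above, worked through as an added example (not from the notes): the TLS 1.0 PRF of RFC 2246, used to compute the master secret from the pre-master secret and the Hello randoms, and then the key block that is partitioned into the write keys. All input values are constructed; the split into MAC/key/IV lengths uses 3DES-EDE-CBC with SHA-1 as the assumed cipher suite.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, digestmod, length: int) -> bytes:
    """P_hash from RFC 2246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: S1 (first half) drives P_MD5, S2 (second half) drives
    P_SHA-1, XOR the streams; an odd-length secret's halves overlap by one byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash(s1, label + seed, hashlib.md5, length)
    sha_stream = p_hash(s2, label + seed, hashlib.sha1, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), truncated to 48 bytes."""
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random + client_random)
    (note the reversed random order), partitioned into the six write secrets."""
    sizes = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    total = sum(n for _, n in sizes)
    block = tls_prf(master, b"key expansion", server_random + client_random, total)
    out, pos = {}, 0
    for name, n in sizes:
        out[name] = block[pos:pos + n]
        pos += n
    return out


if __name__ == "__main__":
    # Constructed values: 48-byte pre_master_secret, two 32-byte Hello randoms.
    ms = master_secret(bytes(range(48)), b"\x11" * 32, b"\x22" * 32)
    print(ms.hex(), key_block(ms, b"\x11" * 32, b"\x22" * 32, 20, 24, 8))
```

Because both randoms enter the PRF, a fresh client random gives a different master secret even for a reused pre-master secret, which is what the test below checks.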

Secure Electronic Transactions (SET) (8)

open encryption & security specification to protect Internet credit card transactions
developed in 1996 by Mastercard, Visa etc
not a payment system, rather a set of security protocols & formats
secure communications amongst parties
trust from use of X.509v3 certificates
privacy by restricted info to those who need it

SET Transaction

1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment

SET Purchase Request
SET purchase request exchange consists of four messages:
1. Initiate Request - get certificates
2. Initiate Response - signed response
3. Purchase Request - of OI & PI
4. Purchase Response - ack order

Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder

Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant

Payment Capture
merchant sends payment gateway a payment capture request
gateway checks request
then causes funds to be transferred to merchant's account
notifies merchant using capture response