
FDC Assignment


Table of contents

1. Pretty Good Privacy (PGP)
   1.1 PGP Web of trust
   1.2 What PGP does
   1.3 How PGP works
   1.4 Trusting public keys
   1.5 Conceptual design of secure message transmission
       1.5.1 Secure message transmission: preparations
       1.5.2 Secure message transmission: encryption and finalization
   1.6 Participants, asymmetric keys, signatures and their relationships
2. Kerberos
   2.1 Basic blocks
   2.2 Names, identifiers, addresses and keys
   2.3 Rounds of the Kerberos protocol
3. References


Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is one of today's most widely used public key cryptography programs. Developed by Philip Zimmermann in the early 1990s and long the subject of controversy, PGP is available as a plug-in for many e-mail clients, such as Claris Emailer, Microsoft Outlook/Outlook Express, and Qualcomm Eudora.

PGP can be used to sign or encrypt e-mail messages with the mere click of the mouse. Depending upon the version of PGP, the software uses SHA or MD5 for calculating the message hash; CAST, Triple-DES, or IDEA for encryption; and RSA or DSS/Diffie-Hellman for key exchange and digital signatures.

1.1 PGP Web of Trust

Pretty Good Privacy is a widely used private e-mail scheme based on public key methods. A PGP user maintains a local keyring of all their known and trusted public keys. The user makes their own determination about the trustworthiness of a key using what is called a "web of trust."

If Alice needs Bob's public key, Alice can ask Bob for it in another e-mail or, in many cases, download the public key from an advertised server; this server might be a well-known PGP key repository or a site that Bob maintains himself. In fact, Bob's public key might be stored or listed in many places. (The author's public key, for example, can be found at http://www.garykessler.net/pubkey.html.) Alice is prepared to believe that Bob's public key, as stored at these locations, is valid.

Suppose Carol claims to hold Bob's public key and offers to give the key to Alice. How does Alice know that Carol's version of Bob's key is valid or if Carol is actually giving Alice a key that will allow Mallory access to messages? The answer is, "It depends." If Alice trusts Carol and Carol says that she thinks that her version of Bob's key is valid, then Alice may — at her option — trust that key. And trust is not necessarily transitive; if Dave has a copy of Bob's key and Carol trusts Dave, it does not necessarily follow that Alice trusts Dave even if she does trust Carol.

The point here is that who Alice trusts and how she makes that determination is strictly up to Alice. PGP makes no statement and has no protocol about how one user determines whether they trust another user or not. In any case, encryption and signatures based on public keys can only be used when the appropriate public key is on the user's keyring.

From its beginnings just a few years ago, PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:

It is available for free worldwide in versions that run on a variety of platforms, including DOS, Windows, Unix, and Macintosh. And the commercial version satisfies users who want a product that comes with vendor support.

It is based on algorithms that have survived extensive public review and are considered extremely secure (RSA for public-key encryption, IDEA for conventional encryption, and MD5 for hash, or summary, coding).

It has a wide range of applicability and can be used by corporations that want to enforce a standardized scheme for encrypting files and messages as well as by individuals who wish to communicate securely with people worldwide over the Internet and other networks.

It was not developed by, nor is it controlled by, any governmental or standards organization. For people with an instinctive distrust of "the establishment", this makes PGP attractive.

1.2 What PGP does

PGP provides two services: encryption and digital signatures. Encryption allows a user to encode a file for storage locally or for transmission as an e-mail message. The local storage option is handy if you are worried about other people having access to files on your machine. The e-mail option enables PGP to be used for private exchanges over a network. PGP encrypts the entire contents of the message in such a way that only the intended recipient can decode and read the message. Anyone else who attempts to capture or copy the message en route will receive meaningless garble.

The digital signature service allows a user to 'sign' a document before transmission in such a way that anyone can verify that the signature is genuine and belongs with a particular document. If someone alters the message or substitutes a different message, the signature will no longer be valid. And any recipient can verify that the message has been signed by its true creator and not an imposter.


PGP's confidentiality and encoding services use the most popular public-key encryption scheme, known as RSA. All public-key encryption systems make use of an encoding and decoding algorithm and a related pair of keys. The input to the encryption algorithm is the text to be encrypted -- known as plaintext -- and a key. The algorithm takes the input and produces scrambled output known as ciphertext. To use the decryption algorithm, you input the ciphertext plus the key that matches the one used for encryption, and the original plaintext is produced as output. The two keys used in any public-key encryption scheme, including RSA, are called the public key and private key. The public key, as the name suggests, is made public. The idea is to make your public key available to people with whom you correspond. You keep your private key secure, and it should be known only to you. These two keys can be used to provide confidentiality and encryption.

1.3 How PGP Works

Suppose Alice wants to correspond with Bob. If Alice prepares a message and encrypts it with Bob's public key, only Bob can decrypt the message using his private key. If Alice prepares a message and encrypts it with her private key, then anyone, including Bob, can decrypt the message. But only Alice could have encrypted the message, therefore the encrypted message is, in effect, signed by Alice.

It turns out that RSA, and all other known public-key algorithms, are time-consuming and inefficient. Therefore PGP, like most other encryption applications, does not use RSA directly to provide confidentiality and digital signatures.

For confidentiality, PGP encrypts messages with an efficient single-key or conventional encryption algorithm known as IDEA. It then uses RSA to encrypt, with the receiver's public key, the IDEA key used to encrypt the message. The receiver can use RSA to recover the IDEA key and use that key to recover the message.

For digital signatures, PGP uses an efficient algorithm known as MD5 to produce a summary code, or hash code, of the message that is, for all practical purposes, unique to that message. PGP then uses RSA to encrypt the hash code with the sender's private key. The receiver can use RSA to recover the hash code and verify that it is the correct hash code for the message. If it is correct, then only the alleged sender could have prepared the encrypted hash code.

When PGP is first installed, the user has to create a key-pair. One key, the public key, can be advertised and widely circulated. The private key is protected by use of a passphrase. The passphrase has to be entered every time the user accesses their private key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Carol.

What was that pithy Groucho Marx quote?

/kess

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNFUdO5WOcz5SFtuEEQJx/ACaAgR97+vvDU6XWELV/GANjAAgBtUAnjG3
Sdfw2JgmZIOLNjFe7jP0Y8/M
=jUAU
-----END PGP SIGNATURE-----

FIGURE 7: A PGP signed message. The sender uses their private key; at the destination, the sender's e-mail address yields the public key from the receiver's keyring.

Figure 7 shows a PGP signed message. This message will not be kept secret from an eavesdropper, but a recipient can be assured that the message has not been altered from what the sender transmitted. In this instance, the sender signs the message using their own private key. The receiver uses the sender's public key to verify the signature; the public key is taken from the receiver's keyring based on the sender's e-mail address. Note that the signature process does not work unless the sender's public key is on the receiver's keyring.


-----BEGIN PGP MESSAGE-----
Version: PGP for Personal Privacy 5.0
MessageID: DAdVB3wzpBr3YRunZwYvhK5gBKBXOb/m

mJJuQ53Ob9ThaFH8YcE/VqUFdw+bQtrAJ6NpjIxi/x0FfOInhC/bBw7pDLXBFNaXHdlLQRPQdrmnWskKznOSarxq4GjpRTQo4hpCRJJ5aU7tZO9HPTZXFG6iRIT0wa47

AR5nvkEKoIAjW5HaDKiJriuWLdtN4OXecWvxFsjR32ebz76U8aLpAK87GZEyTzBxdV+lH0hwyT/y1cZQ/E5USePP4oKWF4uqquPee1OPeFMBo4CvuGyhZXD/18Ft/53YWIebvdiCqsOoabK3jEfdGExce63zDI0=
=MpRf
-----END PGP MESSAGE-----

FIGURE 8: A PGP encrypted message. The receiver's e-mail address is the pointer to the public key in the sender's keyring. At the destination side, the receiver uses their own private key.

Figure 8 shows a PGP encrypted message (PGP compresses the file, where practical, prior to encryption because encrypted files have a high degree of randomness and, therefore, cannot be efficiently compressed). In this example, public key methods are used to exchange the session key for the actual message encryption that employs secret-key cryptography. In this case, the receiver's e-mail address is the pointer to the public key in the sender's keyring; in fact, the same message can be sent to multiple recipients and the message will not be significantly longer since all that needs to be added is the session key encrypted by each receiver's public key. When the message is received, the recipient will use their private key to extract the session secret key to successfully decrypt the message (Figure 9).


Hi Gary,

"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read."

Carol

FIGURE 9: The decrypted message.

It is worth noting that PGP was one of the first so-called "hybrid cryptosystems" that combined aspects of SKC and PKC. When Zimmermann was first designing PGP in the late 1980s, he wanted to use RSA to encrypt the entire message. The PCs of the day, however, suffered significant performance degradation when executing RSA, so he hit upon the idea of using SKC to encrypt the message and PKC to encrypt the SKC key.
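The hybrid scheme of section 1.3 (hash and sign, encrypt the body once with a session key, wrap that key for each recipient) can be traced end to end in the sketch below. It is an added example, not PGP's code or part of the original assignment: it assumes textbook RSA without padding on keys built from fixed Mersenne primes, SHA-256 in place of MD5, and a SHAKE-256 keystream in place of IDEA, and all function names are hypothetical.

```python
# Added illustration, not PGP's code: textbook RSA without padding, keys built
# from fixed Mersenne primes, and a SHAKE-256 keystream standing in for IDEA.
# Constructed for reading only; none of these choices is safe in practice.
import hashlib
import secrets

E = 65537

def make_keypair(p_exp, q_exp):
    """Constructed RSA key from two Mersenne primes 2**p_exp - 1 and 2**q_exp - 1."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def sig_len(key):
    return (key["n"].bit_length() + 7) // 8

def keystream_xor(session_key, data):
    """Conventional (single-key) step; the same call encrypts and decrypts."""
    stream = hashlib.shake_256(session_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def pgp_send(message, sender, recipients):
    # Signature: hash the message, then apply the sender's private key to the hash.
    signature = pow(digest_int(message), sender["d"], sender["n"])
    payload = signature.to_bytes(sig_len(sender), "big") + message
    # Confidentiality: a fresh session key encrypts signature and body exactly once.
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, payload)
    # Key exchange: the session key is wrapped once per recipient public key.
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, pub["e"], pub["n"]) for name, pub in recipients.items()}
    return {"body": body, "wrapped": wrapped}

def pgp_receive(packet, name, recipient, sender_public):
    # The recipient's private key recovers the session key, which recovers the payload.
    k = pow(packet["wrapped"][name], recipient["d"], recipient["n"])
    if k >= 2**128:
        raise ValueError("session key could not be unwrapped with this private key")
    payload = keystream_xor(k.to_bytes(16, "big"), packet["body"])
    cut = sig_len(sender_public)
    signature, message = int.from_bytes(payload[:cut], "big"), payload[cut:]
    # The sender's public key recovers the signed hash; it must match the message.
    recovered = pow(signature, sender_public["e"], sender_public["n"])
    return message, recovered == digest_int(message)

if __name__ == "__main__":
    alice, bob, carol = make_keypair(521, 607), make_keypair(1279, 2203), make_keypair(2281, 3217)
    packet = pgp_send(b"Hi Carol.", alice, {"bob": public(bob), "carol": public(carol)})
    for name, key in (("bob", bob), ("carol", carol)):
        print(name, pgp_receive(packet, name, key, public(alice)))
```

Adding a recipient adds one wrapped session key to the packet and leaves the encrypted body unchanged, which is why a multi-recipient message is barely longer.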

1.4 Trusting public keys

The most difficult aspect of using PGP, or any public-key application, is getting your hands on the public keys of the people with whom you wish to correspond. You must make sure you have the true public key of each individual in your electronic Rolodex. Suppose I create a linked pair of public and private keys and send you the public key, declaring that I am Elvis. How do you know I am the real Elvis and not an impostor? If I am an impostor, I could send you signed messages and you would be sure they were from Elvis. If you send an encrypted message to Elvis, I can capture the message and recover the plain text.

PGP provides a number of tools and recommended procedures for obtaining public keys in trusted ways. One handy tool is the public-key fingerprint, which is nothing more than a string of printable characters based on the MD5 hash code of the key. For all practical purposes, the fingerprint of a key is unique. So, if Alice knows Bob's voice, Bob could send his public key to Alice via e-mail. Alice then could generate the fingerprint of that key, call Bob, and have Bob read the fingerprint over the phone to make sure there is a match.

Once you have a few trusted keys, you can make use of PGP's signature capability. If you have Bob's public key and you trust Bob to provide you with other public keys of other persons, Bob can send you John's key signed by Bob. That is, Bob takes John's public key and feeds it through the signature mechanism of PGP. Alice can use Bob's public key to ensure that John's key was provided by Bob and that the key has not been altered.

There are also a number of servers on the Internet that are public-key repositories. Most of the keys are signed by one or more people. You can obtain someone's public key from the server and, if you trust the signatories to the key, you can have faith that it is genuine. These public-key servers do not authenticate the keys; they merely serve as repositories.

One public-key directory that does attempt to provide authenticated PGP keys is SLED (Stable Large E-mail Database). The public keys in the directory are signed by SLED, indicating that the user's authenticity has been verified.


1.5 Conceptual design of secure message transmission

1.5.1 Secure message transmission: preparations

1.5.2 Secure message transmission: encryption and finalization

1.6 Participants, asymmetric keys, signatures and their relationships

KERBEROS

Kerberos is an open-source (non-proprietary), public-domain (free) user authentication scheme: a network security system for client-server environments. It is named after the fierce three-headed guard dog of Greek mythology. It verifies the user at login and at every service request. To encrypt data it uses private or secret keys, known as 'tickets', in contrast to public keys. It is based on symmetric-key cryptography and the Data Encryption Standard (DES) algorithm, and was developed at the Massachusetts Institute of Technology (MIT).

Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder (in "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, Vol. 21(12), pp. 993-999, December, 1978). It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.

Kerberos works by providing principals (users or services) with tickets that they can use to identify themselves to other principals and secret cryptographic keys for secure communication with other principals. A ticket is a sequence of a few hundred bytes. These tickets can then be embedded in virtually any other network protocol, thereby allowing the process implementing that protocol to be sure about the identity of the principals involved. 

Practically speaking, Kerberos is mostly used in application-level protocols (ISO model level 7), such as Telnet or FTP, to provide user to host security. It is also used, though less frequently, as the implicit authentication system of data stream (such as SOCK_STREAM) or RPC mechanisms (ISO model level 6). It could also be used at a lower level for host to host security, in protocols like IP, UDP, or TCP (ISO model levels 3 and 4), although such implementations are currently rare, if they exist at all. 

There are several different versions and distributions of Kerberos. Most of them are based on an MIT distribution in one form or another, but the lineage is not always simple. Some of the distributions are freely available, some are stand-alone commercial products, and others are part of larger free or commercial systems.


Several vendors currently sell relevant Kerberos material; to name a few: CyberSAFE, Cygnus Support, Digital Equipment Corporation, Emulex Network Systems, OpenVision Technologies, TGV.

Kerberos employs a client/server architecture and provides user-to-server authentication rather than host-to-host authentication. In this model, security and authentication will be based on secret key technology where every host on the network has its own secret key. It would clearly be unmanageable if every host had to know the keys of all other hosts so a secure, trusted host somewhere on the network, known as a Key Distribution Center (KDC), knows the keys for all of the hosts (or at least some of the hosts within a portion of the network, called a realm). In this way, when a new node is brought online, only the KDC and the new node need to be configured with the node's key; keys can be distributed physically or by some other secure means. 


The Kerberos Server/KDC has two main functions (Figure 3), known as the Authentication Server (AS) and Ticket-Granting Server (TGS). The steps in establishing an authenticated session between an application client and the application server are:

1. The Kerberos client software establishes a connection with the Kerberos server's AS function. The AS first authenticates that the client is who it purports to be. The AS then provides the client with a secret key for this login session (the TGS session key) and a ticket-granting ticket (TGT), which gives the client permission to talk to the TGS. The ticket has a finite lifetime so that the authentication process is repeated periodically.

2. The client now communicates with the TGS to obtain the Application Server's key so that it (the client) can establish a connection to the service it wants. The client supplies the TGS with the TGS session key and TGT; the TGS responds with an application session key (ASK) and an encrypted form of the Application Server's secret key; this secret key is never sent on the network in any other form.

3. The client has now authenticated itself and can prove its identity to the Application Server by supplying the Kerberos ticket, application session key, and encrypted Application Server secret key. The Application Server responds with similarly encrypted information to authenticate itself to the client. At this point, the client can initiate the intended service requests (e.g., Telnet, FTP, HTTP, or e-commerce transaction session establishment).

The current shipping version of this protocol is Kerberos V5 (described in RFC 1510), although Kerberos V4 still exists and is seeing some use. While the details of their operation, functional capabilities, and message formats are different, the conceptual overview above pretty much holds for both. One primary difference is that Kerberos V4 uses only DES to generate keys and encrypt messages, while V5 allows other schemes to be employed (although DES is still the most widely used algorithm).

2.1 Basic blocks

• symmetric encryption,
  – for evaluating the authenticity of messages on the basis of the possession of a secret symmetric key
  – for enforcing the confidentiality and integrity of messages

• passwords, used as substitutes for the secret symmetric key agreed between a particular participant and the Kerberos server

• one-way hash function, for dynamically regenerating a key from the substituting password

• random generator, to generate symmetric session keys, to be used for a secure end-to-end connection during a client–server interaction

• timestamps, used as indications of the freshness of messages

• nonces (random bit strings), used as challenges to be included in responses

• tickets, used as a special kind of credential that
  – encode privileges granted to a client as a grantee
  – are shown to a server as a (self-protecting) controlled object

• validity specifications for tickets

• access decisions, taken by a server on the basis of shown tickets

• delegation of the issuing of tickets by the Kerberos server on behalf of a server

2.2 Names, identifiers, addresses and keys

• Kerberos server
  – AS: authentication server
  – TGS: ticket-granting server

• participant P (client Cl, Kerberos server Ker with components AS and TGS)
  – Id_P: unique identifier
  – Add_P: network address
  – K_P: secret symmetric key for a symmetric encryption method


2.3 Rounds of the Kerberos protocol


• each round is initialized by a client and has two messages

• first round, executed once per client session (can be integrated within a login procedure): to authenticate the client for the later process of obtaining and exploiting a reusable ticket that expresses a privilege for a service

• second round, performed once for each functional server that is contacted during a client session: to actually grant the privilege to the client

• third round, repeatedly called for each actual service invocation: to exploit the granted privilege
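The three rounds listed above, and the AS/TGS steps described earlier, are modelled in the following added example, which is not from the original assignment or from any Kerberos distribution. It is a simplified model with hypothetical names: each ticket is sealed under the key of the server that will read it, a SHAKE-256 keystream with HMAC-SHA256 stands in for DES, and timestamps are plain integers passed in by the caller.

```python
# Added illustration of the three Kerberos rounds; all names are hypothetical.
# seal/unseal (SHAKE-256 keystream + HMAC-SHA256) stand in for DES encryption.
import hashlib, hmac, json, secrets

def seal(key, obj):
    k, nonce, plain = key.encode(), secrets.token_bytes(16), json.dumps(obj).encode()
    stream = hashlib.shake_256(k + nonce).digest(len(plain))
    body = nonce + bytes(a ^ b for a, b in zip(plain, stream))
    return body + hmac.new(k, body, "sha256").digest()

def unseal(key, blob):
    k, body, tag = key.encode(), blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, "sha256").digest()):
        raise ValueError("wrong key or modified message")
    stream = hashlib.shake_256(k + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], stream)))

def password_key(password):  # one-way hash regenerates the client's key
    return hashlib.sha256(password.encode()).hexdigest()

def check(ticket, authenticator, now, skew=120):  # validity period and freshness
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    auth = unseal(ticket["key"], authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > skew:
        raise PermissionError("stale or mismatched authenticator")
    return auth

class KDC:
    def __init__(self, passwords, server_keys, lifetime=300):
        self.client_keys = {c: password_key(p) for c, p in passwords.items()}
        self.server_keys, self.lifetime, self.tgs_key = server_keys, lifetime, secrets.token_hex(32)

    def as_exchange(self, client, nonce, now):  # round 1: once per login
        body = {"client": client, "key": secrets.token_hex(32), "exp": now + self.lifetime}
        reply = seal(self.client_keys[client], {"key": body["key"], "nonce": nonce})
        return reply, seal(self.tgs_key, body)  # second item is the TGT

    def tgs_exchange(self, tgt, authenticator, service, now):  # round 2: once per server
        granted = unseal(self.tgs_key, tgt)
        check(granted, authenticator, now)
        body = {"client": granted["client"], "key": secrets.token_hex(32), "exp": now + self.lifetime}
        return seal(granted["key"], {"key": body["key"]}), seal(self.server_keys[service], body)

class AppServer:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, ticket, authenticator, now):  # round 3: every service call
        granted = unseal(self.key, ticket)
        auth = check(granted, authenticator, now)
        if (auth["client"], auth["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return granted["client"], seal(granted["key"], {"ts": auth["ts"] + 1})

def run_session(kdc, server, client, password, service, now):
    nonce = secrets.token_hex(8)
    reply, tgt = kdc.as_exchange(client, nonce, now)
    login = unseal(password_key(password), reply)  # ValueError on a wrong password
    if login["nonce"] != nonce:
        raise PermissionError("AS reply does not answer this request")
    auth = seal(login["key"], {"client": client, "ts": now})
    reply, ticket = kdc.tgs_exchange(tgt, auth, service, now)
    ask = unseal(login["key"], reply)["key"]
    auth = seal(ask, {"client": client, "ts": now})
    who, proof = server.accept(ticket, auth, now)
    return who, unseal(ask, proof)["ts"] == now + 1, ticket, auth  # mutual authentication
```

The password never crosses the network in this model: a client that cannot regenerate the right key simply fails to open the AS reply, and the application server rejects expired tickets, stale timestamps and a second use of the same authenticator.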


REFERENCES:

Ranjan Bose, Information Theory, Coding and Cryptography

Kurose and Ross, Computer Networking: A Top-Down Approach Featuring the Internet

William Stallings, Cryptography and Network Security: Principles and Practices, 4th Ed.

http://www.garykessler.net/library/crypto.html#kerb

http://denis.arnaud.free.fr/zds/report/node45.html

https://www.cs.purdue.edu/homes/ssw/cs355/new8.pdf

http://ls6-www.informatik.uni-dortmund.de/uploads/tx_ls6ext/SI12_CaseStudiesPGPKerberos.pdf
