Network Security & Cryptography

HIMANSHU GUPTA

FACULTY MEMBER, AMITY UNIVERSITY, NOIDA

Differential Cryptanalysis & Linear Cryptanalysis

Differential Cryptanalysis

Differential cryptanalysis was followed by a number of papers by Biham and Shamir, who demonstrated this form of attack on a variety of encryption algorithms and hash functions.

Differential cryptanalysis is the first published attack capable of breaking DES with an effort of less than 2^55.

This scheme can successfully cryptanalyze DES with an effort on the order of 2^47.

Although Differential Cryptanalysis is a powerful tool, it does not do very well against DES.

Linear Cryptanalysis

Linear cryptanalysis is based on finding linear approximations that describe the transformations performed in DES. Linear cryptanalysis can find a DES key given 2^47 known plaintexts, as compared to the 2^47 chosen plaintexts needed for differential cryptanalysis.

Linear cryptanalysis is a minor improvement, because it may be easier to acquire known plaintext than chosen plaintext.

Linear Cryptanalysis is still infeasible as an attack on DES.

Block Cipher Modes of Operation

Electronic Codebook (ECB) Mode

In ECB mode, we divide the long message into 64-bit blocks and encrypt each block separately.

The encryption of each block is independent of the other blocks in ECB mode.

The problem with ECB mode is exactly this independence: each 8-byte block is encrypted without reference to the others.

This means that Eve could exchange two ciphertext blocks, and Bob would not notice the change if both blocks belonged to the same message.

ECB MODE (figure)

Cipher Block Chaining Mode

In CBC mode, the encryption (or decryption) of a block depends on all previous blocks.

To encrypt the second plaintext block, we first XOR it with the first ciphertext block and then pass the result through the encryption process.

The situation for the first block is different because there is no previous block; hence a 64-bit random number, called the initialization vector (IV), is used. The IV is sent with the data so that the receiver can use it in decryption.

CBC MODE (figure)

Cipher Feedback Mode

CFB mode was created for those situations in which we need to send or receive data 1 byte at a time but still want to use DES (or Triple DES). One solution is to make the nth 1-byte cipher block dependent on the nth 1-byte plaintext block, which in turn depends on the 8 previous bytes.

CFB MODE (figure)

Cipher Stream Mode

To encrypt/decrypt 1 bit at a time and at the same time be independent of the previous bits, we can use CSM mode.

In CSM mode, data are XORed bit by bit with a long, one-time bit stream that is generated from an initialization vector in a looping process.

The looping process generates a 64-bit sequence that is XORed with the plaintext to create the ciphertext.

CSM MODE (figure)

Contemporary Symmetric Ciphers

Blowfish Algorithm

Blowfish is a symmetric block cipher developed by Bruce Schneier.

Blowfish encrypts 64-bit blocks of plaintext into 64-bit blocks of ciphertext.

Blowfish is implemented in numerous products. So far, the security of Blowfish is unchallenged.

Characteristics of Blowfish

Fast: Blowfish encrypts data on a 32-bit microprocessor at a rate of 18 clock cycles per byte.

Compact: Blowfish can run in less than 5K of memory.

Simple: Blowfish’s simple structure is easy to implement and eases the task of determining the strength of the algorithm.

Variably Secure: The key length is variable and can be as long as 448 bits. This allows a tradeoff between higher speed and higher security.

Subkey and S-Box Generation

Blowfish makes use of a key that ranges from 32 bits to 448 bits. That key is used to generate eighteen 32-bit subkeys and four 8×32 S-boxes containing a total of 1024 32-bit entries.

The key is stored in a K-array: K1, K2, K3, …, Kj, where 1 ≤ j ≤ 14.

The subkeys are stored in the P-array: P1, P2, P3, …, P18.

There are four S-boxes, each with 256 32-bit entries:
S1,0, S1,1, S1,2, …, S1,255
S2,0, S2,1, S2,2, …, S2,255
S3,0, S3,1, S3,2, …, S3,255
S4,0, S4,1, S4,2, …, S4,255

Algorithm

1. Initialize first the P-array and then the four S-boxes, in order, using the bits of the fractional part of the constant π.

2. Perform a bitwise XOR of the P-array and the K-array, cycling through the key words. For example, P1 = P1 XOR K1, P2 = P2 XOR K2, …, P14 = P14 XOR K14, P15 = P15 XOR K1, …, P18 = P18 XOR K4.

3. Encrypt the 64-bit block of all zeros using the current P-array and S-boxes, and replace P1 and P2 with the output of the encryption.

4. Encrypt the output of step 3 using the current P and S arrays and replace P3 and P4 with the resulting ciphertext.

5. Continue this process to update all elements of P.

Encryption and Decryption

Blowfish uses two primitive operations:

• Addition: addition of words, denoted by +, is performed modulo 2^32.

• Bitwise exclusive-OR: this operation is denoted here by XOR.

CAST-128 Algorithm

CAST-128 is a DES-like substitution-permutation cipher, employing a 128-bit key and operating on a 64-bit block. CAST-256 is an extension of CAST-128 using a 128-bit block.

The CAST-128 encryption algorithm has been designed to allow a key size that can vary from 40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120, and 128 bits).

For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly as specified but uses 12 rounds instead of 16.

For key sizes greater than 80 bits, the algorithm uses the full 16 rounds.

For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least significant, positions) out to 128 bits, since the CAST-128 key schedule assumes an input key of 128 bits.

CAST-128 Round Function

CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri is used as a "rotation" key for round i and a 32-bit quantity Kmi is used as a "masking" key for round i.

Three different round functions are used in CAST-128. The rounds are as follows (where D is the data input to the operation, Ia to Id are the most significant byte through least significant byte of I, respectively, Si is the ith S-box and O is the output of the operation). Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise exclusive-OR, and "<<<" is the circular left-shift operation.

a) Type 1: I = ((Kmi + D) <<< Kri)
           O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

b) Type 2: I = ((Kmi ^ D) <<< Kri)
           O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

c) Type 3: I = ((Kmi - D) <<< Kri)
           O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

Let f1, f2, f3 be the keyed round function operations of Types 1, 2, and 3, respectively. CAST-128 uses four round-function substitution boxes (S-boxes), S1 to S4.

RC2 Algorithm

RC2 is a 64-bit block cipher using variable-sized keys, designed to replace DES. Its code has not been made public, although many companies have licensed RC2 for use in their products.

RC2 is a conventional (secret-key) block encryption algorithm that may be considered a proposal for a DES replacement. The input and output block sizes are 64 bits each. The key size is variable, from one byte up to 128 bytes.

The algorithm is designed to be easy to implement on 16-bit microprocessors. On an IBM AT, the encryption runs about twice as fast as DES.

Algorithm Description

The term "word" denotes a 16-bit quantity. The symbol + denotes two's-complement addition. The symbol & denotes the bitwise "and" operation. The term XOR denotes the bitwise "exclusive-or" operation. The symbol ~ denotes bitwise complement. The symbol ^ denotes exponentiation. The term MOD denotes the modulo operation.

Because the algorithm deals with eight-bit byte operations as well as 16-bit word operations, two alternative notations are used for the key buffer. For word operations, the positions of the buffer are referred to as K[0], ..., K[63]; each K[i] is a 16-bit word.

For byte operations, the key buffer is referred to as L[0], ..., L[127]; each L[i] is an eight-bit byte. These are alternative views of the same data buffer. At all times it holds that K[i] = L[2*i] + 256*L[2*i+1].

RC5 Algorithm

RC5 is a block cipher supporting a variety of block sizes, key sizes, and numbers of encryption passes over the data. RC5 is a family of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable block size, key size, and number of rounds.

The block size generally depends on the word size of the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit words), RC5 generally has a 64-bit block size.

David Wagner, John Kelsey, and Bruce Schneier have found weak keys in RC5, with the probability of selecting a weak key being 2^(-10r), where r is the number of rounds.

Knudsen has also found a differential attack on RC5. RC5 is described in this RSA document.

Characteristics of RC5

• Suitable for hardware or software.
• Fast.
• Adaptable to processors of different word length.
• Variable number of rounds.
• Variable-length key.
• Simple.
• Low memory requirement.
• High security.
• Data-dependent rotation.

Parameters of RC5

Sr. No. | Parameter | Definition                                     | Allowable values
--------|-----------|------------------------------------------------|------------------
1       | w         | Word size in bits. RC5 encrypts 2-word blocks. | 16, 32, 64
2       | r         | Number of rounds.                              | 0, 1, 2, …, 255
3       | b         | Number of 8-bit bytes in the secret key K.     | 0, 1, 2, …, 255

Encryption in RC5 Algorithm

The plaintext is assumed to initially reside in two w-bit registers A and B. LEi and REi refer to the left and right halves of the data after round i has completed. Both halves of the data are updated in each round; thus, one round of RC5 is equivalent to two rounds of DES.

The algorithm can be defined by the following pseudocode (XOR is bitwise exclusive-OR, <<< is circular left rotation, and + is addition modulo 2^w):

LE0 = A + S[0];
RE0 = B + S[1];
for i = 1 to r do
    LEi = ((LEi-1 XOR REi-1) <<< REi-1) + S[2*i];
    REi = ((REi-1 XOR LEi) <<< LEi) + S[2*i + 1];

Decryption in RC5 Algorithm

In this case, the 2w bits of ciphertext are initially assigned to two one-word variables; LDi and RDi refer to the left and right halves of the data before round i has begun.

The algorithm can be defined by the following pseudocode (>>> is circular right rotation and - is subtraction modulo 2^w):

for i = r downto 1 do
    RDi-1 = ((RDi - S[2*i + 1]) >>> LDi) XOR LDi;
    LDi-1 = ((LDi - S[2*i]) >>> RDi-1) XOR RDi-1;
B = RD0 - S[1];
A = LD0 - S[0];
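The RC5 encryption and decryption pseudocode above, and the ECB block-swapping problem from the modes section, carried through in code as an added example that is not part of the original slides. The key expansion is taken from Rivest's published RC5 definition (the slides omit it; P32 and Q32 are that definition's constants), the key, IV and message are constructed sample values, and the modes here do no padding.

```python
import struct

W = 32                       # RC5-32: w = 32-bit words, 2w = 64-bit block
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9   # Pw, Qw for w = 32 from the RC5 definition (not on the slides)

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def expand_key(key, r):
    """RC5 key expansion: derive the t = 2r + 2 subkeys S from a b-byte secret key."""
    b = len(key)
    c = max(1, (b + 3) // 4)                  # w-bit words needed to hold the key
    L = [0] * c
    for i in range(b - 1, -1, -1):            # load key bytes little-endian into L
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * r + 2
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):            # mix the key words into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt_block(S, r, block):
    """One 64-bit block, following the encryption pseudocode on the slide."""
    A, B = struct.unpack("<II", block)
    LE, RE = (A + S[0]) & MASK, (B + S[1]) & MASK       # LE0 = A + S[0]; RE0 = B + S[1]
    for i in range(1, r + 1):
        LE = (rotl(LE ^ RE, RE) + S[2 * i]) & MASK       # LEi = ((LEi-1 XOR REi-1) <<< REi-1) + S[2i]
        RE = (rotl(RE ^ LE, LE) + S[2 * i + 1]) & MASK   # REi = ((REi-1 XOR LEi) <<< LEi) + S[2i+1]
    return struct.pack("<II", LE, RE)

def decrypt_block(S, r, block):
    """Inverse, following the decryption pseudocode: undo rounds r..1, then S[1] and S[0]."""
    LD, RD = struct.unpack("<II", block)
    for i in range(r, 0, -1):
        RD = rotr((RD - S[2 * i + 1]) & MASK, LD) ^ LD   # RDi-1 = ((RDi - S[2i+1]) >>> LDi) XOR LDi
        LD = rotr((LD - S[2 * i]) & MASK, RD) ^ RD       # LDi-1 = ((LDi - S[2i]) >>> RDi-1) XOR RDi-1
    return struct.pack("<II", (LD - S[0]) & MASK, (RD - S[1]) & MASK)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    if len(data) % 8:
        raise ValueError("data must be whole 64-bit blocks; this example does no padding")
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(S, r, data):                  # every block encrypted independently
    return b"".join(encrypt_block(S, r, blk) for blk in blocks(data))

def ecb_decrypt(S, r, data):
    return b"".join(decrypt_block(S, r, blk) for blk in blocks(data))

def cbc_encrypt(S, r, iv, data):              # each block XORed with the previous ciphertext block
    out, prev = [], iv
    for blk in blocks(data):
        prev = encrypt_block(S, r, xor_bytes(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(S, r, iv, data):
    out, prev = [], iv
    for blk in blocks(data):
        out.append(xor_bytes(decrypt_block(S, r, blk), prev))
        prev = blk
    return b"".join(out)

def swap_blocks(data, i, j):
    """Eve's manipulation from the ECB slide: exchange two blocks of a message."""
    b = blocks(data)
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

KEY = bytes(range(16))                        # constructed sample key, b = 16 bytes
R = 12                                        # r = 12 rounds
IV = b"\x01" * 8                              # constructed sample IV
MSG = b"PAY BOB " + b"$100.00 " + b"FROM ALI" # constructed three-block message
S = expand_key(KEY, R)

def ecb_swap_goes_unnoticed():
    """ECB: swapping ciphertext blocks 0 and 1 decrypts cleanly to the plaintext with those blocks swapped."""
    ct = swap_blocks(ecb_encrypt(S, R, MSG), 0, 1)
    return ecb_decrypt(S, R, ct) == swap_blocks(MSG, 0, 1)

def cbc_swap_garbles():
    """CBC: the same swap corrupts the affected blocks instead of reordering them cleanly."""
    pt = cbc_decrypt(S, R, IV, swap_blocks(cbc_encrypt(S, R, IV, MSG), 0, 1))
    return pt != MSG and pt != swap_blocks(MSG, 0, 1)
```

CBC only turns the reordering into garbage; detecting it rather than decrypting it needs an authentication tag such as the HMAC described later in these slides.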

Characteristics of Advanced Symmetric Block Ciphers

Variable key length: The strength of a cipher is determined by its key length. The longer the key, the longer a brute-force key search takes. Blowfish and RC5 provide a variable key length.

Mixed operators: The use of more than one arithmetic and/or Boolean operator complicates cryptanalysis.

Data-dependent rotation: This provides excellent confusion and diffusion and makes recovery of the subkeys even more difficult. (RC5)

Key-dependent S-boxes: Larger S-boxes should yield highly nonlinear results and should be very difficult to cryptanalyze. Blowfish uses key-dependent S-boxes.

Lengthy key schedule algorithm: The generation of subkeys takes much longer than a single encryption or decryption.

Variable plaintext/ciphertext block length: A longer block length yields greater cryptographic strength. (RC5)

Variable number of rounds: This makes a tradeoff between security and execution speed; an increase in the number of rounds increases the encryption/decryption time. (RC5)

Operation on both data halves each round: With this, security can be increased with a minimal increase in execution time. (Blowfish & RC5)

Variable F: The use of a function F that varies from round to round may complicate the cryptanalysis problem.

Key-dependent rotation: A rotation can be used that depends on the key rather than on the data.

Elliptic Curve Cryptography

Elliptic curves are described by a cubic equation of the form y^2 = x^3 + ax + b.

The addition operation in ECC is the counterpart of modular multiplication in RSA.

ECC Principle

If Q = kP and Q and P are known, it is "infeasible" to find k. This is called the discrete logarithm problem for elliptic curves.

We can find ke and kd such that

kd ke P = P

The message m can be represented as a point M on the elliptic curve.

ECC (cont'd)

(Figure: ECC exchange between A and B.) Public: P, kA,e, kB,e. B, holding private key kB,d, maps message m to the point M and sends (M + kB,d P, kA,e kB,d P). A, holding private key kA,d, receives (Q, R) and calculates Q - kA,d R.
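The principle kd ke P = P and the (Q, R) exchange from the figure, worked on a tiny curve as an added example that is not part of the original slides. The curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are constructed toy values that illustrate the group arithmetic only; a curve this small offers no security.

```python
import math

A, B, PRIME = 2, 3, 97            # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
INF = None                        # the point at infinity (group identity)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % PRIME == 0

def add(p1, p2):
    """Chord-and-tangent point addition, ECC's counterpart of RSA's modular multiplication."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                # P + (-P) = infinity
    if p1 == p2:                  # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:                         # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % PRIME)

def mul(k, pt):
    """Double-and-add scalar multiplication kP; recovering k from kP is the EC discrete log problem."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def order(pt):
    """Smallest n > 0 with nP = INF; brute force is fine only on a toy curve."""
    n, q = 1, pt
    while q is not INF:
        q = add(q, pt)
        n += 1
    return n

P = (3, 6)                        # constructed base point: 6^2 = 36 = 27 + 6 + 3 (mod 97)
N = order(P)

def first_valid_ke(start=2):
    """First candidate >= start that is invertible mod N, so that kd = ke^-1 mod N exists."""
    k = start
    while math.gcd(k, N) != 1:
        k += 1
    return k

def keypair(ke):
    """kd is the inverse of ke modulo the order of P, which gives kd ke P = P as the slide states."""
    return ke, pow(ke, -1, N)

def exchange(m_point, kB_d, kA_e, kA_d):
    """B sends (Q, R) = (M + kB,d P, kA,e kB,d P); A recovers M as Q - kA,d R."""
    Q = add(m_point, mul(kB_d, P))
    R = mul(kA_e * kB_d, P)
    return add(Q, neg(mul(kA_d, R)))     # = M + kB,d P - kB,d (kA,d kA,e P) = M
```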

Security of ECC

The security of ECC rests on the degree of difficulty of determining k given Q and P.

The fastest known technique for the elliptic curve logarithm is the Pollard rho method.

A smaller key size can be used for ECC compared to RSA, which is a computational advantage of using ECC.

Confidentiality Using Symmetric Encryption

Placement of Encryption Function

If encryption is to be used to counter attacks on confidentiality, then we must decide what to encrypt and where the encryption function should be located.

For safe encryption, there are two fundamental alternatives: link encryption and end-to-end encryption.

(A) Link Encryption

In link encryption, each vulnerable communication link is equipped on both ends with an encryption device.

All the potential links in a path from source to destination must use link encryption.

Each pair of nodes that share a link should share a unique key, with a different key used on each link.

In link encryption, each key must be distributed to only two nodes.

All traffic over all communications links is secured.

(B) End-to-end Encryption

In end-to-end encryption, the encryption process is carried out at the two end systems.

The source host or terminal encrypts the data. The data in encrypted form are then transmitted unaltered across the network to the destination terminal or host.

The destination shares a key with the source and so is able to decrypt the data.

End-to-end Encryption relieves the end user of concern about the degree of security of networks and links that support the communication.

Message Digest Algorithm MD5

The MD5 message digest algorithm was developed by Ron Rivest.

Until both brute-force and cryptanalytic concerns arose, MD5 was the most widely used secure hash algorithm.

The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit message digest. The input is processed in 512-bit blocks.

MD5 Operation

The processing of MD5 consists of the following steps:

Step 1: Append padding bits. The message is padded so that its length in bits is congruent to 448 modulo 512. Padding is always added, even if the message is already of the desired length. For example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits. Thus, the number of padding bits is in the range 1 to 512.

Step 2: Append length. A 64-bit representation of the length in bits of the original message is appended to the result of step 1. The field contains the length of the original message modulo 2^64.

Step 3: Initialize MD buffer. A 128-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as four 32-bit registers (A, B, C, D).

Step 4: Process message in 512-bit blocks. The heart of the algorithm is a compression function that consists of four "rounds" of processing; this module is labeled HMD5. The four rounds have a similar structure, but each uses a different primitive logical function. Each round takes as input the current 512-bit block being processed and the 128-bit buffer value, and updates the contents of the buffer. The output of the fourth round is added to the input to the first round (CVq) to produce CVq+1.

Step 5: Output. After all 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.

Strength of MD5

The MD5 algorithm has the property that every bit of the hash code is a function of every bit in the input. The complex repetition of the basic functions produces results that are well mixed.

Using differential cryptanalysis, it is possible to find two messages that produce the same digest for a single-round MD5, but this attack could not be generalized to the four-round MD5.

The most serious attack on MD5 was developed by Dobbertin. His technique enables the generation of collisions for the MD5 compression function.

Thus, there was a need to replace the popular MD5 with a hash function that has a longer hash code and is more resistant to known methods of cryptanalysis. Two alternatives are popular: SHA-1 and RIPEMD-160.

SHA1 Algorithm

SHA1 was developed by the NSA for NIST as part of the Secure Hash Standard (SHS).

SHA1 is similar in design to MD4. The original published algorithm, known as SHA, was modified by the NSA to protect against an unspecified attack; the updated algorithm is named SHA1.

It produces a 160-bit digest, large enough to protect against "birthday" attacks, where two different messages are selected to produce the same signature, for the next decade.

RIPEMD-160 Algorithm

RIPEMD and its successors were developed by the European RIPE project.

The original RIPEMD algorithm was then strengthened and renamed RIPEMD-160.

RIPEMD-160 is a 160-bit cryptographic hash function, designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel.

It is intended to be used as a secure replacement for the 128-bit hash functions MD4, MD5, and RIPEMD.

There are three good reasons to consider such a replacement:

1. A 128-bit hash result does not offer sufficient protection anymore. A brute-force collision search attack on a 128-bit hash result requires 2^64 evaluations of the function.

2. Hans Dobbertin produced, in the Fall of 1995, collisions for (all 3 rounds of) MD4. He also found collisions for the compression function of MD5. RSA Data Security, for which Ron Rivest developed MD4 and MD5, recommends that MD4 should no longer be used, and that MD5 should not be used for future applications that require the hash function to be collision-resistant.

3. At the rump session of Crypto 2004 it was announced that Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu found collisions for MD4, MD5, RIPEMD, and the 128-bit version of HAVAL. No details of this attack are public yet.

Comparison between various algorithms

Algorithm  | Cycles | Mbit/sec | Mbyte/sec | Relative performance
-----------|--------|----------|-----------|---------------------
MD4        | 241    | 191.2    | 23.90     | 1.00
MD5        | 337    | 136.7    | 17.09     | 0.72
RIPEMD     | 480    | 96.0     | 12.00     | 0.50
RIPEMD-128 | 592    | 77.8     | 9.73      | 0.41
SHA-1      | 837    | 55.1     | 6.88      | 0.29
RIPEMD-160 | 1013   | 45.5     | 5.68      | 0.24

HMAC

HMAC is a message authentication code built from a hash function.

HMAC has been chosen as the mandatory-to-implement MAC for IP security.

HMAC is used in other Internet protocols, such as SSL (Secure Sockets Layer).

HMAC Design Objectives

• It is designed to use available hash functions without modification, for which code is freely and widely available.
• It is designed to allow easy replaceability of the embedded hash function.
• It is designed to preserve the original performance of the hash function without incurring a significant degradation.
• It is designed to use and handle keys in a simple way.
• It is designed to have a well-understood cryptographic analysis of the strength of the authentication mechanism.

HMAC Algorithm

1. Append zeros to the left end of the secret key K to create a b-bit string K+ (e.g., if K is 160 bits long and b = 512, then K will be appended with 44 zero bytes 0x00).

2. XOR K+ with ipad (00110110, or 36 in hexadecimal, repeated to b bits) to produce the b-bit block Si.

3. Append M (the message input) to Si.

4. Apply H (the embedded hash function, such as MD5, SHA-1 or RIPEMD-160) to the stream generated in step 3.

5. XOR K+ with opad (01011100, or 5C in hexadecimal, repeated to b bits) to produce the b-bit block So.

6. Append the hash result from step 4 to So.

7. Apply H to the stream generated in step 6 and output the result.
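The seven HMAC steps above built directly in code and cross-checked against Python's hmac module, as an added example that is not part of the original slides. It pads K with zero bytes after the key bytes (which is what RFC 2104 and the hmac module do) and goes one step beyond the slides by first hashing a key longer than b bytes, as RFC 2104 requires; the key and message are constructed sample values.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C            # the slide's 00110110 and 01011100, repeated across the block

def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K+ XOR opad) || H((K+ XOR ipad) || M)), built from the slide's steps."""
    h = getattr(hashlib, hash_name)
    b = h().block_size                            # b = 512 bits (64 bytes) for MD5 and SHA-1
    if len(key) > b:                              # beyond the slides: RFC 2104 hashes an over-long key first
        key = h(key).digest()
    k_plus = key + b"\x00" * (b - len(key))       # step 1: pad K with zero bytes up to b bits -> K+
    s_i = bytes(kb ^ IPAD for kb in k_plus)       # step 2: Si = K+ XOR ipad
    inner = h(s_i + message).digest()             # steps 3-4: append M to Si and hash
    s_o = bytes(kb ^ OPAD for kb in k_plus)       # step 5: So = K+ XOR opad
    return h(s_o + inner).digest()                # steps 6-7: append the inner hash to So and hash again

def zero_bytes_added(key: bytes, hash_name: str = "sha1") -> int:
    """Zero bytes used in step 1 (44 for a 160-bit key with b = 512)."""
    return hashlib.new(hash_name).block_size - len(key)

def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against Python's hmac module, the reference HMAC."""
    return hmac_from_steps(key, message, hash_name) == hmac.new(key, message, hash_name).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver-side check; compare_digest keeps the comparison time independent of where tags differ."""
    return hmac.compare_digest(hmac_from_steps(key, message, hash_name), tag)

KEY160 = bytes(range(20))           # constructed 160-bit key, as in the slide's example
MESSAGE = b"constructed sample message"
```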

Digital Signatures

A cryptographic technique analogous to hand-written signatures.

The sender (Bob) digitally signs a document, establishing that he is the document's owner/creator.

Verifiable, nonforgeable: the recipient (Alice) can verify that Bob, and no one else, signed the document.

Simple digital signature for message m:

Bob encrypts m with his private key dB, creating the signed message dB(m).

Bob sends m and dB(m) to Alice.

Digital Signatures (more)

Suppose Alice receives message m and digital signature dB(m).

Alice verifies that m was signed by Bob by applying Bob's public key eB to dB(m) and then checking that eB(dB(m)) = m.

If eB(dB(m)) = m, whoever signed m must have used Bob's private key.

Alice thus verifies that:
– Bob signed m.
– No one else signed m.
– Bob signed m and not m'.

Non-repudiation:
– Alice can take m and the signature dB(m) to court and prove that Bob signed m.

Digital signature = Signed message digest

Bob sends a digitally signed message: (figure)

Alice verifies the signature and integrity of the digitally signed message: (figure)

Digital Signatures

• Symmetric-Key Signatures
• Public-Key Signatures
• Message Digests
• The Birthday Attack

Symmetric-Key Signatures

Digital signatures with Big Brother. (figure)

Public-Key Signatures

Digital signatures using public-key cryptography. (figure)

Message Digests

Digital signatures using message digests. (figure)

Timing Attacks

Developed by Paul Kocher in the mid-1990s; they exploit timing variations in operations:
– e.g. multiplying by a small vs. a large number
– or IFs varying which instructions are executed

The attacker infers operand size from the time taken; against RSA this exploits the time taken in exponentiation.

Countermeasures:
– use constant exponentiation time
– add random delays
– blind values used in calculations

Authentication Protocols

• Mutual Authentication Protocol
• One-way Authentication Protocol

Mutual Authentication Protocol

These protocols enable communicating parties to satisfy themselves mutually about each other's identity and to exchange session keys.

In these protocols, to prevent compromise of session keys, essential identification and session-key information must be communicated in encrypted form.

These protocols prevent replay attacks (the threat of message replay) using timestamps or challenge/response.

Mutual authentication follows two approaches: the symmetric-encryption approach and the public-key encryption approach.

In the symmetric-encryption approach: (1) A -> KDC, (2) KDC -> A, (3) A -> B, (4) B -> A, (5) A -> B.

In the public-key encryption approach: (1) A -> AS, (2) AS -> A, (3) A -> B,

where KDC is the Key Distribution Center and AS is the Authentication Server.

One-way Authentication Protocol

It also follows two approaches, the symmetric-encryption approach and the public-key encryption approach.

In the symmetric-encryption approach:

(1) A -> KDC, (2) KDC -> A, (3) A -> B

In the public-key encryption approach:

A -> B: M || Eka[H(M)]

Digital Signature Standard

The National Institute of Standards and Technology published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard.

DSS makes use of the Secure Hash Algorithm and presents a new digital signature technique, the Digital Signature Algorithm.

The standard also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

DSA Explanation

The Digital Signature Algorithm (DSA) is appropriate for applications requiring a digital rather than written signature. The DSA provides the capability to generate and verify signatures. Signature generation makes use of a private key to generate a digital signature. Signature verification makes use of a public key which corresponds to, but is not the same as, the private key.

Each user possesses a private and public key pair. Public keys are assumed to be known to the public in general. Private keys are never shared. Anyone can verify the signature of a user by employing that user's public key.

Signature generation can be performed only by the possessor of the user's private key.

DSA Operation

1. A hash function is used in the signature generation process to obtain a condensed version of the data, called a message digest.

2. The message digest is then input to the DSA to generate the digital signature.

3. The digital signature is sent to the intended verifier along with the signed data (often called the message).

4. The verifier of the message and signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process.

Page 69:

DSA Generation & Verification

Page 70:

DSA PARAMETERS

1. p = a prime modulus, where 2^(L-1) < p < 2^L for 512 ≤ L ≤ 1024 and L a multiple of 64.

2. q = a prime divisor of p - 1, where 2^159 < q < 2^160.

3. g = h^((p-1)/q) mod p, where h is any integer with 1 < h < p - 1 such that h^((p-1)/q) mod p > 1.

4. x = a randomly or pseudorandomly generated integer with 0 < x < q.

5. y = g^x mod p.

6. k = a randomly or pseudorandomly generated integer with 0 < k < q.

The integers p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally fixed for a period of time. Parameters x and k are used for signature generation only, and must be kept secret.

Page 71:

SIGNATURE GENERATION

The signature of a message M is the pair of numbers r and s computed according to the equations below:

r = (g^k mod p) mod q and s = (k^(-1) (SHA(M) + xr)) mod q.

In the above, k^(-1) is the multiplicative inverse of k mod q; i.e., (k^(-1) k) mod q = 1 and 0 < k^(-1) < q. The value of SHA(M) is a 160-bit string output by the Secure Hash Algorithm specified in FIPS 180.

The signature is transmitted along with the message to the verifier.

Page 72:

SIGNATURE VERIFICATION

Prior to verifying the signature in a signed message, p, q and g plus the sender's public key and identity are made available to the verifier in an authenticated manner. Let M', r' and s' be the received versions of M, r, and s, respectively, and let y be the public key of the signatory. The verifier first checks that 0 < r' < q and 0 < s' < q; if either condition is violated the signature shall be rejected. If these two conditions are satisfied, the verifier computes

w = (s')^(-1) mod q
u1 = (SHA(M') w) mod q
u2 = (r' w) mod q
v = ((g^u1 y^u2) mod p) mod q.

If v = r', then the signature is verified and the verifier can have high confidence that the received message was sent by the party holding the secret key x corresponding to y. For a proof that v = r' when M' = M, r' = r, and s' = s, see Appendix 1.

If v does not equal r', then the message may have been modified, the message may have been incorrectly signed by the signatory, or the message may have been signed by an impostor. The message should be considered invalid.
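The parameter generation, signing and verification equations of the last three slides, carried through in code as an added example (this is not the lecture's code). The sizes follow the slides (a 512-bit p, a 160-bit q, SHA-1 as the 160-bit SHA of FIPS 180) and are far too small for use today; the purpose is to see r, s, w, u1, u2 and v computed and checked exactly as stated. The function names generate_parameters, keygen, sign and verify are my own.

```python
import hashlib
import secrets

# Added worked example of the DSA equations on the slides (not the lecture's code). The sizes
# follow the slides (L = 512-bit p, 160-bit q, SHA-1 digest), which are far too small for use
# today; the point is to see r, s, w, u1, u2 and v computed and checked exactly as stated.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with random bases; trial division first discards obvious composites."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_parameters(L=512, N=160):
    """p, q, g as in the DSA PARAMETERS slide: q | p - 1, sizes fixed by L and N, g of order q."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1          # 2^(N-1) < q < 2^N, odd
        if is_probable_prime(q):
            break
    while True:
        X = secrets.randbits(L) | (1 << (L - 1))
        p = X - (X % q) + 1                                    # p = 1 (mod q), so q divides p - 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    h = 2
    while True:                                                # g = h^((p-1)/q) mod p, must exceed 1
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1

def sha(M):
    """SHA(M): the 160-bit FIPS 180 digest (SHA-1 here) read as an integer."""
    return int.from_bytes(hashlib.sha1(M).digest(), "big")

def keygen(p, q, g):
    x = 1 + secrets.randbelow(q - 1)                           # private key, 0 < x < q
    return x, pow(g, x, p)                                     # y = g^x mod p

def sign(M, p, q, g, x):
    """r = (g^k mod p) mod q, s = k^-1 (SHA(M) + x r) mod q; k is fresh and secret per signature."""
    while True:
        k = 1 + secrets.randbelow(q - 1)
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (sha(M) + x * r)) % q             # pow(k, -1, q): inverse mod q (Python 3.8+)
        if r != 0 and s != 0:                                  # FIPS 186: redo with a new k if either is 0
            return r, s

def verify(M, r, s, p, q, g, y):
    """The check sequence of the SIGNATURE VERIFICATION slide; True only when v == r'."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (sha(M) * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r
```

The range checks on r' and s' come before any arithmetic, as the slide requires, and the window in which the verifier trusts p, q, g and y is whatever authenticated channel delivered them; the code assumes the caller already has them.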

Page 73:

Kerberos

Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner.

Kerberos prevents eavesdropping or replay attacks, and ensures the integrity of the data. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the service verify each other's identity.

Page 74:

Contd…..

It makes use of a trusted third party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.

Kerberos maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to Kerberos.

For communication between two entities, Kerberos generates a session key which they can use to secure their interactions.

Page 75:

Protocol Description

One can specify the protocol as follows in security protocol notation, where Alice (A) authenticates herself to Bob (B) using a server S:

We see here that the security of the protocol relies heavily on timestamps T and lifespans L as reliable indicators of the freshness of a communication (see the BAN logic).

In relation to the following Kerberos operation, it is helpful to note that the server S here stands for both the authentication service (AS) and the ticket granting service (TGS). In the exchange, K_AB stands for the session key between A and B; the remaining terms are the client-to-server ticket, the authenticator, and the message with which B confirms its true identity and its recognition of A. This is required for mutual authentication.

Page 76:

X.509 Protocol

X.509 is an ITU standard for digital certificates. X.509 defines a certificate format for binding public keys to X.500 distinguished path names. X.509 supports both secret-key (single-key) cryptography and public-key cryptography.

The X.509 data record was originally designed to hold a password instead of a public key.

The fields in the certificate define the issuing CA, the signing algorithms, how long the certificate is valid, and information about the owner of the certificate.

Page 77:

Contd….

Certificates are typically managed by CAs (certificate authorities), which are public entities, usually regulated, that act as third-party key holders. To create a certificate, the CA combines a user's public key with the user information (as defined by X.509), then signs the information with its private key. Anyone receiving the certificate can verify its authenticity with the CA's public key. The authenticity of the CA's public key can be further verified via the chain of trust that exists within the PKI (public-key infrastructure).

The X.509 standard defines what information can go into a certificate, and describes how to write it down (the data format).

Page 78:

International Data Encryption Algorithm (IDEA)

IDEA (International Data Encryption Algorithm) is an encryption algorithm developed at ETH in Zurich, Switzerland.

It uses a block cipher with a 128-bit key, and is generally considered to be very secure.

The algorithm was intended as a replacement for the Data Encryption Standard.

The cipher is patented in a number of countries but is freely available for non-commercial use. The name "IDEA" is also a trademark. The patents will expire in 2010–2011.

Page 79:

IDEA Operation

IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round, see the illustration) and an output transformation (the half-round).

The processes for encryption and decryption are similar. In more detail, these operators, which all deal with 16-bit quantities, are:

1. Bitwise eXclusive OR (denoted with a blue circle).
2. Addition modulo 2^16 (denoted with a green rectangle).
3. Multiplication modulo 2^16 + 1, where the all-zero word (0x0000) is interpreted as 2^16 (denoted by a red circle).

(See the IDEA Diagram)

Page 80:

IDEA Overview

General
Designers: James Massey, Xuejia Lai
First published: 1991
Derived from: PES
Cipher(s) based on this design: MESH, Akelarre, FOX (IDEA NXT)

Algorithm detail
Block size(s): 64 bits
Key size(s): 128 bits
Structure: Substitution-permutation network
Number of rounds: 8.5

Best cryptanalysis
A collision attack requiring 2^24 chosen plaintexts breaks 5 rounds with a complexity of 2^126.

Page 81:

IDEA Operation Modes

IDEA is a block cipher, so it may be used, like DES, in any of the operation modes:

ECB
The electronic codebook mode, where each block of 64 plaintext bits is encoded independently using the same key. This is useful only when encrypting short messages, as equal blocks of 64 plaintext bits in the text will be equal in the ciphertext as well.

CBC
The cipher block chaining mode, where the input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. This is useful when encrypting longer messages since equal blocks of 64 plaintext bits in a message will be different in the ciphertext.

Page 82:

CFB
The cipher feedback mode, where the input is processed x bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudo-random output, which is XOR-ed with the plaintext to produce the next unit of ciphertext.

OFB
The output feedback mode, which is similar to CFB, except that the input is the preceding IDEA output.

The CBC, CFB, and OFB modes also use an initialization vector (IV), which is used as the first input to the encryption algorithm and is XOR-ed with the first block of 64 plaintext bits. This is because, without an IV, the first block of 64 plaintext bits would otherwise be equal in ciphertext as well, as is the case with all blocks in ECB mode. In CBC and OFB mode the IV should be different every time the same plaintext is encrypted, while in CFB mode the IV must be different every time; this is because, if the IV in CFB mode is not unique, a cryptanalyst can easily recover the corresponding plaintext block.
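An added implementation of IDEA, followed by ECB and CBC over it, written for this page to illustrate both the IDEA Operation slide (the three 16-bit operators, including the 0x0000 = 2^16 convention, the eight rounds and the output half-round, and decryption through inverted subkeys) and the modes slides above (equal plaintext blocks leaking through ECB, the IV in CBC). It is not the lecture's code nor any library's; the function names encrypt_block, cbc_encrypt and repeated_blocks are my own, and the encryption check uses the publicly published IDEA test vector.

```python
import secrets

# IDEA written out for this added example (not the lecture's or any library's code), then ECB
# and CBC over it. Three 16-bit operations: XOR, addition mod 2^16 and multiplication
# mod 2^16 + 1 in which the all-zero word stands for 2^16.
MASK16 = 0xFFFF

def add(a, b):
    return (a + b) & MASK16                      # addition modulo 2^16

def mul(a, b):
    a, b = a or 0x10000, b or 0x10000            # 0x0000 is read as 2^16 ...
    r = (a * b) % 0x10001
    return 0 if r == 0x10000 else r              # ... and 2^16 is written back as 0x0000

def add_inv(a):
    return (-a) & MASK16

def mul_inv(a):
    r = pow(a or 0x10000, -1, 0x10001)           # 2^16 + 1 is prime, so every word has an inverse
    return 0 if r == 0x10000 else r

def key_schedule(key):
    """52 subkeys: eight 16-bit words of the 128-bit key, rotate the key 25 bits left, repeat."""
    k = int.from_bytes(key, "big")
    z = []
    while len(z) < 52:
        z += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return z[:52]

def decryption_subkeys(z):
    """The same round function decrypts when fed inverted subkeys in reverse round order."""
    d = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for r in range(2, 9):
        b = 6 * (9 - r)                          # first four keys of encryption round 10 - r
        d += [mul_inv(z[b]), add_inv(z[b + 2]), add_inv(z[b + 1]), mul_inv(z[b + 3]), z[b - 2], z[b - 1]]
    return d + [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]

def _crypt(block, z):
    x1, x2, x3, x4 = [int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2)]
    for r in range(8):                           # eight identical rounds
        k1, k2, k3, k4, k5, k6 = z[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4)
        t0 = mul(k5, x1 ^ x3)                    # MA box: two multiplications, two additions
        t1 = mul(k6, add(t0, x2 ^ x4))
        t0 = add(t0, t1)
        x1, x2, x3, x4 = x1 ^ t1, x3 ^ t1, x2 ^ t0, x4 ^ t0   # the middle words are swapped here
    k1, k2, k3, k4 = z[48:52]                    # output transformation (the half-round)
    y = (mul(x1, k1), add(x3, k2), add(x2, k3), mul(x4, k4))
    return b"".join(w.to_bytes(2, "big") for w in y)

def encrypt_block(key, block):
    return _crypt(block, key_schedule(key))

def decrypt_block(key, block):
    return _crypt(block, decryption_subkeys(key_schedule(key)))

def _blocks(data):
    if len(data) % 8:
        raise ValueError("input must be a multiple of 64 bits (no padding in this example)")
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, data):
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, p) for p in _blocks(data))

def cbc_encrypt(key, data, iv=None):
    """Each block is XORed with the previous ciphertext block (the IV for the first) before encryption."""
    iv = secrets.token_bytes(8) if iv is None else iv
    out, prev = [iv], iv
    for p in _blocks(data):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)                         # the IV travels in the clear as the first block

def cbc_decrypt(key, data):
    blocks = _blocks(data)
    return b"".join(_xor(decrypt_block(key, c), prev) for prev, c in zip(blocks, blocks[1:]))

def repeated_blocks(ciphertext):
    """Number of distinct 64-bit ciphertext blocks that occur more than once."""
    blocks = _blocks(ciphertext)
    return sum(1 for b in set(blocks) if blocks.count(b) > 1)
```

Running a plaintext with repeated 8-byte blocks through ecb_encrypt and cbc_encrypt and counting repeated ciphertext blocks shows the difference the slide describes; encrypting the same plaintext twice in CBC with fresh IVs gives different ciphertexts, which is the reason the IV should change per message.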

Page 83:

MIME

Multipurpose Internet Mail Extensions (MIME) is an Internet Standard for the format of e-mail. Virtually all human-written Internet e-mail and a fairly large proportion of automated e-mail is transmitted via SMTP in MIME format.

MIME defines mechanisms for sending other kinds of information in e-mail, including text in languages other than English using character encodings other than ASCII as well as 8-bit binary content such as files containing images, sounds, movies, and computer programs.

MIME is also a fundamental component of communication protocols such as HTTP, which requires that data be transmitted in the context of e-mail-like messages, even though the data may not actually be e-mail.

Page 84:

Contd….

MIME defines a collection of e-mail headers for specifying additional attributes of a message, including content type, and defines a set of transfer encodings which can be used to represent 8-bit binary data using characters from the 7-bit ASCII character set.

MIME also specifies rules for encoding non-ASCII characters in e-mail message headers, such as "Subject:", allowing these header fields to contain non-English characters.

MIME headers include MIME-Version, which indicates that the message is MIME-formatted; Content-Type, which indicates the type and subtype of the message content; and Content-Transfer-Encoding, which names one of a set of methods for representing binary data in ASCII text format.
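The headers and encodings just listed, shown on a message built and parsed with Python's standard email package, as an added example (not the lecture's material): a non-ASCII Subject, a UTF-8 body sent as quoted-printable, and a binary attachment sent as base64, so that the whole wire form is 7-bit ASCII. The sample content is constructed and the attachment is a fake PNG header, not a real image; build_message, headers_of_interest and decode_message are my names.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Added example with Python's standard email package (not the lecture's code): build a MIME
# message with non-ASCII header and body plus a binary attachment, serialise it to the
# 7-bit form that goes over SMTP, and parse it back.

# Constructed sample content; the PNG is only a header, not a real image.
SUBJECT = "Größe der Datei"
BODY = "Grüße aus Zürich,\nAlice\n"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)

def build_message():
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = SUBJECT                        # serialised RFC 2047-encoded: =?utf-8?q?...?=
    msg.set_content(BODY, cte="quoted-printable")   # text/plain; charset=utf-8, 7-bit safe
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="pixel.png")  # base64
    return msg.as_bytes()

def is_seven_bit(raw):
    """True when every byte of the wire form is ASCII, as a 7-bit SMTP path requires."""
    return all(b < 0x80 for b in raw)

def headers_of_interest(raw):
    """(MIME-Version, outer Content-Type, [(part Content-Type, Content-Transfer-Encoding), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = [(p.get_content_type(), p["Content-Transfer-Encoding"]) for p in msg.iter_parts()]
    return msg["MIME-Version"], msg.get_content_type(), parts

def decode_message(raw):
    """Parse the wire form back into the decoded subject, text body and attachment bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    attachments = [(a.get_filename(), a.get_content()) for a in msg.iter_attachments()]
    return str(msg["Subject"]), body, attachments
```

The outer Content-Type becomes multipart/mixed once the attachment is added; each part carries its own Content-Type and Content-Transfer-Encoding, which is where a receiving gateway decides how to decode it.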

Page 85:

S/MIME

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.

S/MIME is the IETF enhancement of the PEM (Privacy Enhanced Mail) specifications of the mid 1990s.

S/MIME provides the cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption).

Page 86:

Contd….

S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between all of the following (and others):

Outlook (since 1999? and Outlook 98)
Outlook Express (since 1999?)
Apple Mail (since Mac OS X v10.3 Panther)
Mozilla Mail (all releases after 0.9.7)
Mozilla Thunderbird (all releases)
Netscape Communicator (since 3.0?)
Lotus Notes (since release 5.0)
Novell GroupWise (since 1998 with the 5.5 release)
Qualcomm Eudora (since release 7.0; however, the 7.0 implementation of S/MIME is very deficient)
The Bat!
Mutt (since release 1.5.5i)
Gnus (with an external extension)
Novell Evolution (since release 2.0.0)
Balsa (since release 2.2.6)
KMail (since release 1.6, integrated in KDE 3.2)

Page 87:

Functionality of S/MIME

In terms of general functionality, S/MIME is very similar to PGP (Pretty Good Privacy). Both offer the ability to sign and/or encrypt messages.

S/MIME provides the following functions:

1. Enveloped Data: This consists of encrypted content of any type of data.

2. Signed Data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer.

3. Clear-Signed Data: Recipients without S/MIME capability can view the message content, although they cannot verify the signature.

4. Signed and Enveloped Data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

Page 88:

Pretty Good Privacy

PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:

1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more.

2. It is based on algorithms that have survived extensive public review and are considered secure, such as RSA, CAST-128, IDEA and SHA-1.

3. It has a wide range of applicability over the Internet and other networks.

4. It is not developed by, nor is it controlled by, any government or standards organization; this makes PGP attractive.

5. PGP is now on an Internet standards track.

Page 89:

IP Security

IP Security provides security within the Internet architecture. It protects the network infrastructure from unauthorized monitoring and control of network traffic, and addresses the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.

Page 90:

Applications of IP Security

It provides the capability to secure communications across a LAN, across public and private WANs, and across the Internet. Some applications are:

1. Secure branch office connectivity over the Internet.

2. Secure remote access over the Internet.

3. Establishing extranet and intranet connectivity with partners.

4. Enhancing electronic commerce security.

Page 91:

IP Security Architecture

The IP Security specification consists of following components:

1. IP Security Documents.

2. IP Security Services.

3. Security Association (SA).

4. Transport and Tunnel Modes.

Page 92:

1. IP Security Documents

Architecture: It covers the general concepts, security requirements, definitions, and mechanisms defining IP security technology.

Encapsulating Security Payload: It covers the packet format and general issues related to the use of ESP for packet encryption.

Authentication Header: It covers the packet format and general issues related to the use of AH for packet authentication.

Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.

Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH.

Key Management: A set of documents that describe key management schemes.

Domain of Interpretation: This includes identifiers for approved encryption and authentication algorithms, as well as operational parameters.

Page 93:

2. IP Security Services

Access control.
Connectionless integrity.
Data origin authentication.
Rejection of replayed packets.
Confidentiality.
Limited traffic flow confidentiality.

Page 94:

3. Security Association

A key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association. A security association is uniquely identified by three parameters:

1. Security Parameter Index: a bit string assigned to this SA and having logical significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.

2. IP Destination Address: This is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router.

3. Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.
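How a receiver uses the three identifying parameters and the "rejection of replayed packets" service from the previous slide, as an added example (not the lecture's code): constructed packets carry an AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV), the SA is selected by (SPI, destination address, protocol), and the packet passes the anti-replay sliding window check before its ICV is verified. The window logic follows the 64-packet sliding window the AH and ESP specifications describe; SecurityAssociation, SAD, build_ah_packet and receive are my names, and the ICV here covers only the AH header and payload, whereas real AH also covers the immutable IP header fields.

```python
import hashlib
import hmac
import struct

# Added illustration of SA selection and anti-replay on receive (not the lecture's code).
# Constructed AH-style packets: Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV.
# Simplification: the ICV covers only the AH header and the payload, not the IP header.

AH = 51                      # IP protocol number of the Authentication Header
ICV_LEN = 12                 # HMAC-SHA256 truncated to 96 bits, as RFC 4868 specifies
HDR_LEN = 12 + ICV_LEN       # fixed-size AH header in this example

class SecurityAssociation:
    """One inbound SA: identified by (SPI, destination, protocol); carries the key and replay window."""
    def __init__(self, spi, dst, proto, key, window=64):
        self.spi, self.dst, self.proto, self.key, self.window = spi, dst, proto, key, window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (highest - i) already accepted

    def seq_acceptable(self, seq):
        """Preliminary check only: new to the right of the window, or not yet seen inside it."""
        if seq == 0 or seq + self.window <= self.highest:
            return False
        if seq > self.highest:
            return True
        return not (self.bitmap >> (self.highest - seq)) & 1

    def seq_mark(self, seq):
        """Record an accepted sequence number; called only after the ICV verified."""
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

class SAD(dict):
    """Security Association Database keyed by the identifying triple."""
    def add(self, sa):
        self[(sa.spi, sa.dst, sa.proto)] = sa

def icv(key, header, payload):
    """Integrity check value over the header (ICV field zeroed) and the payload."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_ah_packet(sa, seq, payload, next_header=6):
    """Sender side, used to construct traffic; Payload Len is in 32-bit words minus 2."""
    fixed = struct.pack("!BBHII", next_header, HDR_LEN // 4 - 2, 0, sa.spi, seq)
    return fixed + icv(sa.key, fixed + bytes(ICV_LEN), payload) + payload

def receive(sad, dst, packet):
    """Inbound order: parse, SA lookup, replay pre-check, ICV check, then window update."""
    if len(packet) < HDR_LEN:
        return False, "truncated"
    fixed, tag, payload = packet[:12], packet[12:HDR_LEN], packet[HDR_LEN:]
    _next, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", fixed)
    if (payload_len + 2) * 4 != HDR_LEN:
        return False, "unexpected AH length"
    sa = sad.get((spi, dst, AH))
    if sa is None:
        return False, "no SA for (SPI, destination, AH)"
    if not sa.seq_acceptable(seq):
        return False, "replayed or out-of-window sequence number"
    if not hmac.compare_digest(tag, icv(sa.key, fixed + bytes(ICV_LEN), payload)):
        return False, "ICV mismatch"
    sa.seq_mark(seq)
    return True, "accepted"
```

The window is advanced only after the ICV verifies, so a forged packet carrying a high sequence number cannot push legitimate in-flight packets out of the window; a duplicate of an already accepted packet is refused even though its ICV is valid.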

Page 95:

4. Transport and Tunnel Modes

Transport mode provides protection primarily for upper-layer protocols. Transport mode is used for end-to-end communication between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

Tunnel mode provides protection for the entire IP packet. To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus the security fields is treated as the payload of a new "outer" IP packet with a new outer IP header.

Page 96:

Intruders

One of the two most publicized threats to security is the intruder; the other is the virus. Anderson identified three classes of intruders:

1. Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

2. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

3. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing or to suppress audit collection.

Page 97:

Intrusion Techniques

The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. This requires the intruder to acquire information, such as a user password, that should have been protected.

The password file can be protected in two ways:

1. One-way encryption: The system stores only an encrypted form of the user's password. When the user presents a password, the system encrypts that password and compares it with the stored value.

2. Access control: Access to the password file is limited to one or a few accounts.
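The first protection, "one-way encryption" of the stored password, as an added example in Python (not the lecture's code): each record holds a salted, iterated one-way hash rather than the password, and a login re-computes the hash of the presented password and compares it with the stored value. The record format, the iteration count and the names hash_password, verify_password, build_password_file and login are my own choices, and the account data is constructed.

```python
import hashlib
import hmac
import secrets

# Added example (not the lecture's code) of the "one-way encryption" protection for a
# password file: store a salted, iterated hash, never the password, and check a login by
# re-computing the hash of the presented password.

ITERATIONS = 100_000        # work factor; raise it as hardware gets faster

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (printable)."""
    salt = secrets.token_bytes(16) if salt is None else salt      # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(record, presented):
    """Recompute with the stored salt and iterations; constant-time compare of the digests."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                                              # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def build_password_file(accounts):
    """Constructed password file: one record per account, as a shadow-style file would hold."""
    return {user: hash_password(pw) for user, pw in accounts.items()}

def login(password_file, user, presented):
    """Lookup plus verify; an unknown user still costs one hash so timing does not reveal valid names."""
    record = password_file.get(user)
    if record is None:
        hash_password(presented, salt=bytes(16))                  # same work, result discarded
        return False
    return verify_password(record, presented)
```

Because the salt is part of each record, two users with the same password get different stored values, and the work factor is recorded alongside the digest so it can be raised for new records without invalidating old ones.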

Page 98:

Intrusion Detection

Intrusion detection is very beneficial for several reasons:

1. If an intrusion is detected, the intruder can be identified and ejected from the system before any damage is done or any data is compromised.

2. An effective intrusion detection system can serve as a deterrent to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Page 99:

Intrusion Detection Techniques

Statistical Anomaly Detection:

1. Audit Records.

2. Statistical Anomaly Detection.

Rule-Based Detection:

1. The Base-Rate Fallacy.

2. Distributed Intrusion Detection.

3. Honeypots.

4. Intrusion Detection Exchange Format.

Page 100:

Honeypots

Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to:

1. Divert an attacker from accessing critical systems.

2. Collect information about the attacker's activity.

3. Encourage the attacker to stay on the system long enough for administrators to respond.