WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 1

Q.1 Explain Kerberos in detail.

Ans. Kerberos is a computer network authentication protocol which works on the basis of

“tickets” to allow nodes communication over a non secure network.

(Or)

It is a secure method (service) for authenticate a request for a service in a computer network.

It was developed in “Athena Project” at MIT.

It provide authentication by using Secret-Key cryptography.

Use of Kerberos:

Kerberos is used for decreasing the burden for server, means; Kerberos will take

responsibility of authentication.

It is designed for providing for strong authentication for client/server applications

by using secret-key.

Versions:

Kerberos Version4

Kerberos Version5

Characteristics of KERBEROS:

1. It is secure: it never sends a password unless it is encrypted.

2. Only a single login is required per session. Credentials defined at login are then passed

between resources without the need for additional logins.

3. The concept depends on a trusted third party – a Key Distribution Center (KDC). The

KDC is aware of all systems in the network and is trusted by all of them.

4. It performs mutual authentication, where a client proves its identity to a server and a

server proves its identity to the client.

Requirements Kerberos:

1. Secure: Kerberos should be strong enough that a potential opponent does not find it

to be the weak link.

2. Reliable: Kerberos should be highly reliable and should employ distributed server

architecture with one system able to back up another.

3. Transparent: Ideally, the user should not be aware that authentication is taking place

beyond the requirement to enter a password.

4. Scalable: The system should be capable of supporting large numbers of clients and

servers.

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 2

Kerberos Version 4

Version 4 of Kerberos makes use of DES

A SIMPLE AUTHENTICATION DIALOGUE

An authentication server (AS) is used in the simple authentication

Authentication server (AS) that knows the passwords of all users and stores these in a

centralized database. In addition, the AS shares a unique secret key with each server.

These keys have been distributed physically or in some other secure manner.

Consider the following hypothetical dialogue:

A MORE SECURE AUTHENTICATION DIALOGUE

The main problem in A SIMPLE AUTHENTICATION DIALOGUE, the user must

enter password for every individual service.

Kerberos overcome this by using a new server, known as Ticket granting server (TGS).

Now in Kerberos we have two servers; AS and TGS.

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 3

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 4

Q. 2 Define symmetric key distribution using asymmetric encryption

Ans.

Once public keys have been distributed or have become accessible, secure

communication that thwarts eavesdropping, tampering, or both, is possible.

Public-key encryption provides for the distribution of secret keys to be used for

conventional encryption.

Simple Secret Key Distribution

A generates a public/private key pair {PUa, PRa} and transmits a message to B

consisting of PUa and an identifier of A, IDA

B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.

A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt

the message, only A and B will know the identity of Ks.

A discards PUa and PRa and B discards PUa.

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 5

Here third party can intercept messages and then either relay the intercepted message or

substitute another message Such an attack is known as a man-in-the-middle attack.

Secret Key Distribution with Confidentiality and Authentication:

A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a

nonce (N1), which is used to identify this transaction uniquely

B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a

new nonce generated by B (N2) Because only B could have decrypted message (1), the

presence of N1 in message (2) assures A that the correspondent is B

A returns N2 encrypted using B's public key, to assure B that its correspondent is A.

A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this

message with B's public key ensures that only B can read it; encryption with A's private

key ensures that only A could have sent it.

B computes D(PUa, D(PRb, M)) to recover the secret key.

Q.3 Explain X.509 certificate.

Ans.In cryptography, X.509 is a TU-T (International Telecommunication Union-

Telecommunication) standard for proving authentication directory service.

The directory is a server or distributed set of servers that maintains a database of

information about users.

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 6

This information includes a mapping from users name to a network address, as well

as other attributes and information about the users.

X.509 defines alternative authentication protocols based on the use of public key

certificates.

This was initial used in 1988.

User of X.509:

X.509 is an important standard because the certificate structure and authentication protocols

defined in X.509 are used in a variety context.

Example: this format is used in

S/MIME

IP Security

SSL (Secure Socket Layer)

TLS (Transport Layer Security)

SET (Secure Electronic Transaction)

X.509 is based on the use of public key cryptography & Digital Signature

1. Version: Differentiates among successive versions of the certificate format; the default is

version 1. If the issuer unique identifier or subject unique identifier are present, the value

must be version 2. If one or more extensions are present, the version must be version 3.

2. Serial number: An integer value unique within the issuing CA that is unambiguously

associated with this certificate.

3. Signature algorithm identifier: The algorithm used to sign the certificate together with

any associated parameters. Because this information is repeated in the signature field at

the end of the certificate, this field has little, if any, utility.

4. Issuer name: X.500 is the name of the CA that created and signed this certificate.

5. Period of validity: Consists of two dates: the first and last on which the certificate is

valid.

6. Subject name: The name of the user to whom this certificate refers. That is, this

certificate certifies the public key of the subject who holds the corresponding private key.

7. Subject’s public-key information: The public key of the subject, plus an identifier of

the algorithm for which this key is to be used, together with any associated parameters.

8. Issuer unique identifier: An optional-bit string field used to identify uniquely the

issuing CA in the event the X.500 name has been reused for different entities.

9. Subject unique identifier: An optional-bit string field used to identify uniquely the

subject in the event the X.500 name has been reused for different entities.

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 7

10. Extensions: A set of one or more extension fields. Extensions were added in version 3

and are discussed later in this section.

11. Signature: Covers all of the other fields of the certificate; it contains the hash code of the

other fields encrypted with the CA’s private key. This field includes the signature

algorithm identifier.

Q. 4 Explain Electronic Mail System?

Ans. The protection of email from unauthorized access and inspection is known as electronic

privacy. There are mainly two methods for proving security for electronic mails

1. Pretty Good Privacy

2. S/MIME

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 8

Q.5 What is Pretty Good Privacy?

Ans. PGP is data encryption and decryption computer program that provides privacy

(Confidentiality) and authentication for data communication.

It was created by Phil Zimmermann in 1991

Use of PGP:

It is used in Electronic mail

File storage applications.

PGP is an open-source, freely available software package for e-mail security. It provides

authentication through the use of digital signature, confidentiality through the use of symmetric

block encryption, compression using the ZIP algorithm, and e-mail compatibility using the radix-

64 encoding scheme.

PGP incorporates tools for developing a public-key trust model and public-key certificate

management

There are five important services in PGP

1. Authentication (Sign/Verify)

2. Confidentiality (Encryption/Decryption)

3. Compression

4. Email compatibility

5. Segmentation and Reassembly

The last three are transparent to the user

PGP Notations:

Ks =session key used in symmetric encryption scheme

PRa =private key of user A, used in public-key encryption scheme

PUa =public key of user A, used in public-key encryption scheme

EP = public-key encryption

DP = public-key decryption

EC = symmetric encryption

DC = symmetric decryption

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 9

H = hash function

|| = concatenation

Z = compression using ZIP algorithm

Steps for Authentication only:

1. Sender creates message

2. Use sha-1 to generate 160-bit hash of message

3. Signed hash with rsa using sender's private key, and is attached to message

4. Receiver uses rsa with sender's public key to decrypt and recover hash code

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 10

5. Receiver verifies received message using hash of it and compares with decrypted hash

code

Steps for Confidentiality only:

Sender:

1. Generates message and a random number (session key) only for this message

2. Encrypts message with the session key using AES, 3DES, IDEA or CAST-128

3. Encrypts session key itself with recipient’s public key using RSA

4. Attaches it to message

Receiver:

1. Recovers session key by decrypting using his private key

2. Decrypts message using the session key

Confidentiality service provides no assurance to the receiver as to the identity of sender

(i.e. no authentication). Only provides confidentiality for sender that only the recipient can

read the message (and no one else)

Steps for Authentication and Confidentiality both:

It can use both services on same message

Create signature & attach to message

Encrypt both message & signature

Attach RSA/ELGAMAL encrypted session key

Is called authenticated confidentiality

Q.6 Explain S/MINE in detail.

Ans. Secure/Multipurpose Internet Mail Extension is a security enhancement to the MIME

internet email standard, based on technology from R.S.A Data security.

S/MIME is for industry standard for commercial and organizational use.

It defined in number of documents that is RFC 2630, RFC 2632, RFC 2633

S/MIME provides the following functions:

WWW.UPTUNOTES.COM

By:Ruchi khetan (Assistant Professor) ruchi.khetan10@gmail.com 11

1. Enveloped data: This consists of encrypted content of any type and encrypted-content

encryption keys for one or more recipients.

2. Signed data: A digital signature is formed by taking the message digest of the content to

be signed and then encrypting that with the private key of the signer. The content plus

signature are then encoded using base64 encoding. A signed data message can only be

viewed by a recipient with S/MIME capability.

3. Clear-signed data: As with signed data, a digital signature of the content is formed.

However, in this case, only the digital signature is encoded using base64.As a result,

recipients without S/MIME capability can view the message content, although they

cannot verify the signature.

4. Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so

that encrypted data may be signed and signed data or clear-signed data may be encrypted.