Computer networks

Published on March 2017

 

www.jntuworld.com

JNTUWORLD

The Application Layer  

There is a need for support protocols to allow the real applications to function in the application layer. The three important support protocols are:

1. N/W Security
2. DNS
3. N/W Management

1. N/W Security: It is a large number of protocols that can be used to ensure privacy where needed. It is concerned with people trying to access remote services that they are not authorized to use. N/W security problems can be divided roughly into 4 intertwined areas: Security, Non-repudiation, Authentication and Integrity control.

• Security: It has to do with keeping information out of the hands of unauthorized users.
• Authentication: It deals with determining whom you are talking to before revealing sensitive information or entering into a business deal.
• Non-repudiation: It deals with signatures.
• Integrity control: It makes sure that the message received was really the one sent and not something that a malicious adversary modified in transit.

N/W Security in different layers:

1. Physical layer: Wiretapping can be foiled by enclosing transmission lines in sealed tubes containing ARGON gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm.
2. Data link layer: If packets have to traverse a point-to-point line, they are encoded as they leave one machine and decoded as they enter another. If packets have to traverse multiple routers, they are decrypted at each router, leaving them vulnerable to attacks within the routers. This method is called LINK ENCRYPTION.
3. N/W layer: Firewalls can be installed to keep packets in or packets out.
4. Transport layer: Entire connections can be encrypted, end to end, i.e., process to process.
5. Application layer:
   a) Traditional cryptography.
   b) 2 fundamental cryptographic principles.
   c) Secret-key algorithms.
   d) Public-key algorithms.
   e) Authentication protocols.
   f) Digital signatures.
   g) Social issues.

a). Traditional cryptography: The art of devising ciphers is called “Cryptography”. The message to be encrypted, known as ‘plain text’, is transformed by a function that is parameterized by a key. The O/P of the encryption process, known as “cipher text”, is then transmitted, often by messenger. Even if the enemy (intruder) hears and accurately copies down the complete cipher text, he cannot decrypt it, as he doesn’t know the decryption key. Sometimes, he not only listens to the communication channel but also records messages and plays them back later, injects his own messages or modifies legitimate messages before they get to the receiver. The art of breaking ciphers is called “Cryptanalysis”.

Cryptography + Cryptanalysis = Cryptology


Encryption of plain text ‘P’ using key ‘K’ gives the cipher text ‘C’, i.e.,

C = E_K(P)

Decryption of cipher text ‘C’ using the key ‘K’ gives plain text ‘P’, i.e.,

D_K(C) = P
D_K(E_K(P)) = P

Key is a short string that selects one of many potential encryptions. A key length of 2 digits means that there are 100 possibilities, 3 digits means 1000 possibilities and 6 digits means a million. The longer the key, the higher the work factor the cryptanalyst has to deal with.

Encryption methods:

• Substitution Ciphers.
• Transposition Ciphers.
• One-Time Pads.

(i). Substitution Ciphers: They preserve the order of plaintext symbols but disguise them. In this, each letter or group of letters is replaced by another letter or group of letters to disguise it. One of the oldest ciphers is the “Caesar Cipher”. In this, the alphabet is shifted by 3 letters, i.e., a→D, b→E, c→F, …, z→C.

Eg: attack ⇒ DWWDFN

The next improvement is mono-alphabetic substitution, in which each letter is mapped to some other letter.

Eg: attack ⇒ QZZQEA


To break a Substitution Cipher:

• Breaking of ciphers using digrams, trigrams: This takes advantage of statistical properties of natural languages. In English, for example, ‘e’ is the most common letter, followed by t, o, a, n etc. The most common 2-letter combinations are th, an, in, re and the most common 3-letter combinations are the, int, and, ion.

• Breaking of ciphers with a guess of a probable word or phrase: The cryptanalyst counts the relative frequencies of all letters in the cipher text and then tentatively assigns the most common one to e and the next most common one to t. He then looks at trigrams to find a common one of the form t-e, in which the gap can be filled with ‘h’. If the pattern th-t occurs frequently, the empty space probably stands for ‘a’.

Eg: CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBZ QJSW.

(ii). Transposition Ciphers: These reorder the letters but do not disguise them. The following diagram depicts the columnar transposition, in which the cipher is keyed by a word or phrase not containing any repeated letters.


In the above example, MEGABUCK is the key. The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on. The plain text is normally written horizontally, in rows. The cipher text is read out by columns, starting with the column whose key letter is the lowest.

To break a Transposition Cipher:

• The cryptanalyst must first be aware that he is dealing with a transposition cipher. By looking at the frequency of E, T, A, O, I, N, … etc., it is easy to see whether they fit the normal pattern for plain text. If so, the cipher is clearly a transposition cipher, because in such a cipher every letter represents itself.

• The next step is to make a guess at the number of columns. In many cases, a probable word or phrase may be guessed from the context of the message. For each key length, a different set of digrams is produced in the cipher text. By hunting for various possibilities, the cryptanalyst can often easily determine the key length.

• The remaining step is to order the columns. When the number of columns, k, is small, each of the k(k-1) column pairs can be examined to see if its digram frequencies match those for English plain text. The pair with the best match is assumed to be correctly positioned. Now, each remaining column is tentatively tried as the successor to this pair. The column whose digram and trigram frequencies give the best match is tentatively assumed to be correct. The predecessor is found in the same way. The entire process is continued until a potential ordering is found.
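The column numbering and read-out rule described above, together with the letter-frequency check the cryptanalyst starts with, as an added example that is not part of the original notes. The sample plaintext is constructed, and filling the last row with 'x' is an assumption.

```python
from collections import Counter


def column_order(key):
    """Column indices in read-out order: the column under the lowest key letter first."""
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def encrypt(plaintext, key, pad="x"):
    """Write the letters in rows under the key, then read them out column by column."""
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    width = len(key)
    text += pad * (-len(text) % width)            # fill up the last row (assumed padding)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in column_order(key) for row in rows).upper()


def decrypt(ciphertext, key):
    """Refill the columns in key order, then read the grid row by row."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    letters = iter(ciphertext.lower())
    for c in column_order(key):
        for r in range(height):
            grid[r][c] = next(letters)
    return "".join("".join(row) for row in grid)


def letter_counts(text):
    """Letter histogram; a transposition leaves it unchanged, a substitution does not."""
    return Counter(ch for ch in text.lower() if ch.isalpha())


KEY = "MEGABUCK"
SAMPLE = "attack at dawn"      # constructed sample plaintext

if __name__ == "__main__":
    ct = encrypt(SAMPLE, KEY)
    print("column order:", column_order(KEY))
    print("cipher text :", ct)
    print("decrypted   :", decrypt(ct, KEY))
    print("same letter frequencies:", letter_counts(ct) == letter_counts(decrypt(ct, KEY)))
```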

(iii). One-time pads: In this, first, choose a random bit string as the key. Then, convert the plaintext into a bit string, for example, by using its ASCII representation. Finally, compute the EXCLUSIVE-OR of these two strings, bit by bit.

Advantages:

1. As every possible plain text is an equally probable candidate, the resulting cipher text cannot be broken.
2. The resulting cipher text gives the cryptanalyst no information at all.


Disadvantages:

1. The key cannot be memorized and so both sender and receiver must carry a written copy with them.
2. The total amount of data that can be transmitted is limited by the amount of key available.
3. It is sensitive to lost or inserted characters.

(b). Two fundamental Cryptographic Principles:

1. All encrypted messages must contain some redundancy (information not needed to understand the message) to prevent active intruders from tricking the receiver into acting on a false message.
2. Some measures must be taken to prevent active intruders from playing back old messages.

(c). Secret-Key algorithms: The object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires vast mounds of enciphered text of his own choosing, he will not be able to make any sense of it at all. Transpositions and substitutions can be implemented with simple circuits like P-boxes and S-boxes respectively.

P-box (Permutation-box): Used to effect a transposition on an 8-bit input. If the 8 bits are designated as 01234567 from top to bottom, the output of this box is 36071245. By appropriate internal wiring, a P-box can be made to perform any transposition and do it at practically the speed of light.

S-box (Substitution-box): Substitutions are performed by S-boxes. The n-bit input selects one of the 8 lines exiting from the first stage and sets it to 1. All the other lines are 0.


There are mainly 3 secret-key algorithms. They are:

1. DES
2. DES-CHAINING
3. IDEA

1. DES (Data Encryption Standard):

It is basically a mono-alphabetic substitution cipher using a 64-bit character. In this, plain text is encrypted in blocks of 64 bits, yielding 64 bits of cipher text. The algorithm, which is parameterized by a 56-bit key, has 19 distinct stages. The first stage is a key-independent transposition on the 64-bit plain text. The last stage is the exact inverse of this transposition. The stage prior to the last one exchanges the left-most 32 bits with the right-most 32 bits. The remaining 16 stages are functionally identical but are parameterized by different functions of the key. The algorithm has been designed to allow decryption to be done with the same key as encryption. The steps are just run in reverse order. The operation of one of these stages is illustrated in the figure below:


Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a copy of the right input. The right output is the bit-wise EXCLUSIVE-OR of the left input and a function of the right input and the key for this stage, ‘K_i’. The function consists of 4 steps, carried out in sequence.

1. A 48-bit number, E, is constructed by expanding the 32-bit R_(i-1) according to a fixed transposition and duplication rule.
2. E and K_i are EXCLUSIVE-ORed together.
3. This output is then partitioned into 8 groups (each of 6 bits), each of which is fed into a different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.
4. Finally, these 8 x 4 bits are passed through a P-box.

In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit transposition is applied to the key. Just before each iteration, the key is partitioned into two 28-bit units, each of which is rotated left by a number of bits dependent on the iteration number. K_i is derived from this rotated key by applying yet another 56-bit transposition to it. A different 48-bit subset of the 56 bits is extracted and permuted on each round.

2. DES-CHAINING:

Electronic code book mode: To overcome the problem of DES, this method is used, in which a long message is encrypted by breaking it up into consecutive 8-byte (64-bit) blocks and encrypting them one after another with the same key. The last block is padded out to 64 bits, if need be. Let us consider an example in which a file consists of consecutive 32-byte records in the format: 16 bytes for the name, 8 bytes for the position and 8 bytes for the bonus of an employee in an organization. Each of the sixteen 8-byte blocks is encrypted by DES.


To overcome some types of attacks, DES is chained in various ways. One of the ways is Cipher Block Chaining. In this method, each plain text block is EXCLUSIVE-ORed with the previous cipher text block before being encrypted. Consequently, the same plain text block no longer maps onto the same cipher text block, and the encryption is no longer a big mono-alphabetic substitution cipher. The first block is EXCLUSIVE-ORed with a randomly chosen initialization vector, IV, that is transmitted along with the cipher text.

Working:

1. Compute C0 = E(P0 XOR IV).
2. Then, compute C1 = E(P1 XOR C0) and so on.
3. The encryption of block ‘i’ is a function of all the plain text in blocks 0 through i-1, so the same plain text generates different cipher text depending on where it occurs.
4. The decryption occurs the other way, with P0 = IV XOR D(C0) and so on.

Advantage:

The same plain text block will not result in the same cipher text block, making cryptanalysis more difficult.

Disadvantage:

It requires an entire 64-bit block to arrive before decryption can begin. To overcome this disadvantage, byte-by-byte encryption is done using Cipher Feedback mode. In the figure, the state of the encryption machine is shown after bytes 0 through 9 have been encrypted and sent. When plain text byte 10 arrives, the DES algorithm operates on the 64-bit shift register to generate a 64-bit cipher text, from which the left-most byte is extracted and EXCLUSIVE-ORed with P10. That byte is transmitted on the transmission line. In addition, the shift register is shifted left 8 bits, causing C2 to fall off the left end, and C10 is inserted in the position just vacated at the right end by C9. Decryption is done by encrypting the contents of the shift register so that the selected byte that is EXCLUSIVE-ORed with C10 to get P10 is the same one that was EXCLUSIVE-ORed with P10 to generate C10 in the first place.

For applications in which a 1-bit transmission error messing up 64 bits of plain text is unacceptable, Output feedback mode is used. It is identical to cipher feedback mode except that the byte fed back into the right end of the shift register is taken from just before the EXCLUSIVE-OR box, not just after it.

Advantage:

It has the property that a 1-bit error in the cipher text causes only a 1-bit error in the resulting plain text.

3. IDEA (International Data Encryption Algorithm):

The basic structure of the algorithm resembles DES in that 64-bit plain text input blocks are mangled in a sequence of parameterized iterations to produce 64-bit cipher text output blocks. Given the extensive bit mangling, 8 iterations are sufficient. IDEA can be used in cipher feedback mode and other DES modes.


In the above figure, the details of one iteration are depicted, in which three operations are used, all on unsigned 16-bit numbers. These operations are EXCLUSIVE-OR, addition modulo 2^16, and multiplication modulo 2^16 + 1. The operations have the property that no two pairs obey the associative law or distributive law, making cryptanalysis more difficult. The 128-bit key is used to generate 52 sub keys of 16 bits each, 6 for each of 8 iterations and 4 for the final transformation. Decryption uses the same algorithm as encryption, only with different sub keys.
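Returning to the DES stage structure and the electronic code book and cipher block chaining modes described earlier in this section, an added example that is not part of the original notes. The block cipher is a toy 16-stage network with the same left/right structure as a DES stage, but its key schedule and stage function are hash-based stand-ins rather than the real DES tables; the employee records, key and IV are constructed.

```python
import hashlib
import hmac

BLOCK = 8      # 64-bit blocks, as in DES
ROUNDS = 16    # the 16 functionally identical stages


def subkeys(key):
    """One key per stage (a hash-based stand-in for the DES key schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stage_function(right, subkey):
    """f(R, K_i): a keyed hash cut to 32 bits (stand-in for the S-boxes and P-box)."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:4]


def run_stages(block, keys):
    left, right = block[:4], block[4:]
    for k in keys:
        # left output = right input; right output = left input XOR f(right input, K_i)
        left, right = right, xor(left, stage_function(right, k))
    return right + left            # exchange the two 32-bit halves at the end


def encrypt_block(block, key):
    return run_stages(block, subkeys(key))


def decrypt_block(block, key):
    return run_stages(block, subkeys(key)[::-1])   # same steps, keys in reverse order


def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("pad the data to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    return b"".join(encrypt_block(p, key) for p in split_blocks(data))


def ecb_decrypt(data, key):
    return b"".join(decrypt_block(c, key) for c in split_blocks(data))


def cbc_encrypt(data, key, iv):
    out, previous = [], iv
    for p in split_blocks(data):
        previous = encrypt_block(xor(p, previous), key)    # C_i = E(P_i XOR C_(i-1))
        out.append(previous)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, previous = [], iv
    for c in split_blocks(data):
        out.append(xor(decrypt_block(c, key), previous))   # P_i = C_(i-1) XOR D(C_i)
        previous = c
    return b"".join(out)


def record(name, position, bonus):
    """32-byte record: 16 bytes name, 8 bytes position, 8 bytes bonus."""
    return (name.ljust(16) + position.ljust(8) + bonus.rjust(8)).encode("ascii")


def repeated_blocks(ciphertext):
    """Number of cipher text blocks that duplicate an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample data: two employees share the same position and bonus.
KEY = b"demo key"
IV = bytes.fromhex("0123456789abcdef")   # fixed so runs are repeatable; chosen at random in practice
FILE = b"".join([
    record("Rao, Anita", "Clerk", "100"),
    record("Singh, Dev", "Manager", "90000"),
    record("Iyer, Kavya", "Clerk", "100"),
    record("Khan, Omar", "Janitor", "50"),
])

if __name__ == "__main__":
    print("repeated blocks, ECB:", repeated_blocks(ecb_encrypt(FILE, KEY)))
    print("repeated blocks, CBC:", repeated_blocks(cbc_encrypt(FILE, KEY, IV)))
```

In code book mode the two identical position blocks and the two identical bonus blocks show up as identical cipher text blocks; with chaining none repeat.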

(d). Public-Key algorithms: Diffie and Hellman proposed a new kind of crypto system, one in which the encryption and decryption keys were different, and the decryption key could not be derived from the encryption key. In their proposal, the encryption algorithm, E, and the decryption algorithm, D, had to meet the following 3 requirements:

1. D(E(P)) = P.
2. It is exceedingly difficult to deduce D from E.
3. E cannot be broken by a chosen plain text attack.

The main point is that the encryption key is made public. Hence the name Public-Key Cryptography.


The RSA algorithm:

One of the public-key algorithms is the RSA algorithm. This was discovered by Rivest, Shamir and Adleman and is based on the following principles:

1. Choose two large primes, p and q (typically greater than 10^100).
2. Compute n = p * q and z = (p-1) * (q-1).
3. Choose a number relatively prime to z and call it d.
4. Find e such that e * d = 1 mod z.

In this algorithm, the plain text is divided into blocks, so that each plain text message, P, falls in the interval 0 ≤ P < n. This can be done by grouping the plain text into blocks of k bits, where k is the largest integer for which 2^k < n is true. To encrypt a message, P, compute C = P^e (mod n), i.e., e and n are needed to do so. To decrypt a message, C, compute P = C^d (mod n), i.e., d and n are needed to do so. Therefore, the public key consists of the pair (e, n) and the private key consists of the pair (d, n).

In the above example, the encryption of the plain text “SUZANNE” is shown:

p = 3, q = 11, n = 33, z = 20
d = 7 (since 7 and 20 have no common factors)
7e = 1 (mod 20)
e = 3
C = P^3 (mod 33)
P = C^7 (mod 33)


Encryption:

C = M^e mod n
  = 88^7 mod 187
  = [(88^4 mod 187) * (88^2 mod 187) * (88^1 mod 187)] mod 187
  = [(59,969,536 mod 187) * (7744 mod 187) * (88 mod 187)] mod 187
  = (132 * 77 * 88) mod 187
  = 894,432 mod 187
  = 11

Decryption:

M = C^d mod n
  = 11^23 mod 187
  = [(11^1 mod 187) * (11^2 mod 187) * (11^4 mod 187) * (11^8 mod 187) * (11^8 mod 187)] mod 187
  = [(11 mod 187) * (121 mod 187) * (14,641 mod 187) * (214,358,881 mod 187) * (214,358,881 mod 187)] mod 187
  = (11 * 121 * 55 * 33 * 33) mod 187
  = 79,720,245 mod 187
  = 88

If p = 3, q = 11, n = 33, Φ(n) = 20, d = 7 (because 7 and 20 have no common factors) => 7e = 1 mod 20 => e = 3.

EXAMPLE: Plain text SUZANNE is to be transformed into cipher text.

[Figure: sender's computation and receiver's computation]


Drawbacks:

1. The brute force approach, i.e., trying all possible private keys.
2. Calculations involved in key generation and encryption / decryption are complex.
3. The larger the size of the key, the slower the system will run.

Advantage:-

The larger no. of bits in e, d, the more secure the algorithm is the…
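The RSA key set-up and the two worked calculations above, as an added example that is not part of the original notes. The letter encoding A=1 ... Z=26 (one letter per block) is an assumption, since the SUZANNE figure is missing from this page, and n = 187 is taken as 11 * 17.

```python
from math import gcd


def make_keys(p, q, d):
    """Steps 1-4 above: n = p*q, z = (p-1)*(q-1), d coprime to z, e*d = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)                 # modular inverse, Python 3.8+
    return (e, n), (d, n)             # (public key, private key)


def square_and_multiply(base, exponent, modulus):
    """Modular power built from repeated squarings, as in the 88^7 mod 187 working."""
    result, square = 1, base % modulus
    while exponent:
        if exponent & 1:              # this power of two is part of the exponent
            result = (result * square) % modulus
        square = (square * square) % modulus
        exponent >>= 1
    return result


def apply_key(block, key):
    """C = P^e mod n with the public key, P = C^d mod n with the private key."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must satisfy 0 <= P < n")
    return square_and_multiply(block, exponent, n)


def letters_to_blocks(word):
    """Assumed encoding for this example: A=1 ... Z=26, one letter per block."""
    return [ord(ch) - ord("A") + 1 for ch in word.upper()]


def blocks_to_letters(blocks):
    return "".join(chr(b - 1 + ord("A")) for b in blocks)


def encrypt_word(word, public):
    return [apply_key(b, public) for b in letters_to_blocks(word)]


def decrypt_word(blocks, private):
    return blocks_to_letters(apply_key(c, private) for c in blocks)


if __name__ == "__main__":
    public, private = make_keys(3, 11, 7)
    cipher = encrypt_word("SUZANNE", public)
    print(public, private, cipher, decrypt_word(cipher, private))
    # With one letter per block, equal letters give equal blocks (the two Ns),
    # so at this block size the result is still a mono-alphabetic substitution.
    public2, private2 = make_keys(11, 17, 23)
    print(apply_key(88, public2), apply_key(11, private2))
```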

(5). Authentication Protocols:

Authentication: It is the technique by which a process verifies that its communication partner is who it is supposed to be and not an imposter. It deals with the question of whether or not the user is actually communicating with a specific process.

• Authentication based on a shared secret key.
• Authentication using a Key Distribution Centre.
• Authentication using Kerberos.
• Authentication using public-key cryptography.

(1) Authentication based on a shared secret key: In this, both the users A and B share a secret key K_AB. These protocols are based on the principle that one party sends a random number to the other, who then transforms it in a special way and returns the result; they are called Challenge-Response Protocols.

2-way Authentication using Challenge-Response protocol:


M-1: ALICE sends her identity ‘A’ to BOB in a way that BOB understands.
M-2: As BOB has no way of knowing from whom this message has actually come, he picks a large random number R_B and sends it back to ALICE in plaintext.
M-3: ALICE then encrypts the message with the key she shares with BOB and sends the cipher text, K_AB(R_B).
M-4: After receiving it, BOB confirms that this message is from ALICE and not from any other user, because K_AB is shared only with ALICE. But ALICE has no way of confirming that she is talking to BOB. To do so, she picks a random number R_A and sends it to BOB as plain text.
M-5: Now, when BOB responds with K_AB(R_A), ALICE gets the confirmation.

Now, if A and B wish to establish a session key, ‘K_S’, ALICE can send it to BOB encrypted with K_AB.

A Shortened 2-way Authentication protocol:

Extra messages in the above protocol can be eliminated by combining information as in the figure:

M-1: ALICE initiates the C-R protocol.
M-2: BOB responds to ALICE’s challenge along with sending his own.
M-3: ALICE then encrypts the message with the key she shares with BOB and sends the cipher text, K_AB(R_B).


3 General Rules to design a correct Authentication protocol:-

1. Have the Initiator prove who she is before the Responder has to.
2. Have the Initiator and Responder use different keys for proof, i.e., use 2 shared keys K_AB and K'_AB.
3. Have the Initiator and Responder draw their challenges from different sets.

(I). The Diffie-Hellman Key Exchange:

It is the protocol that allows strangers to establish a shared secret key.

Working:-

1. Alice and Bob have to agree on 2 large prime numbers (which are public), n and g, where (n-1)/2 is also a prime and certain conditions apply to ‘g’.
2. Now, Alice and Bob respectively pick large numbers x and y (say, 512-bit) and keep them secret.
3. Alice initiates the key exchange protocol by sending Bob a message containing (n, g, g^x mod n), to which Bob responds with g^y mod n.
4. Alice takes the number and raises it to the x-th power to get (g^y mod n)^x. Bob does the same and gets (g^x mod n)^y.
5. Thus, Alice and Bob now share a secret key, g^xy mod n.

Example: n = 47, g = 3, x = 8, y = 10

1. Alice’s message to Bob: 47, 3, 28 (since 3^8 mod 47 = 28)
2. Bob’s message to Alice: 17 (since 3^10 mod 47 = 17)
3. Alice computes: 17^8 mod 47 = 4
4. Bob computes: 28^10 mod 47 = 4

Therefore, the shared secret key = 4.
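The exchange above with the page's numbers, followed by the bucket brigade interception that the next paragraph describes, as an added example that is not part of the original notes. The interceptor's value z = 5 is constructed, and the primality test is trial division that only suits toy sizes.

```python
def is_prime(m):
    """Trial division; adequate only for the toy sizes used here."""
    if m < 2:
        return False
    i = 2
    while i * i <= m:
        if m % i == 0:
            return False
        i += 1
    return True


def check_modulus(n):
    """The condition stated above: n and (n-1)/2 must both be prime."""
    return n > 2 and is_prime(n) and is_prime((n - 1) // 2)


def public_value(g, secret, n):
    return pow(g, secret, n)


def session_key(received, secret, n):
    return pow(received, secret, n)


def exchange(n, g, x, y):
    """The two messages of the exchange and the key each side derives."""
    if not check_modulus(n):
        raise ValueError("n and (n-1)/2 must both be prime")
    to_bob = (n, g, public_value(g, x, n))
    to_alice = public_value(g, y, n)
    return to_bob, to_alice, session_key(to_alice, x, n), session_key(to_bob[2], y, n)


def intercepted_exchange(n, g, x, y, z):
    """The same run when C replaces both public values with g^z mod n."""
    from_alice = public_value(g, x, n)      # never reaches B
    from_bob = public_value(g, y, n)        # never reaches A
    from_c = public_value(g, z, n)          # what A and B each receive instead
    return {
        "alice": session_key(from_c, x, n),             # g^xz mod n
        "bob": session_key(from_c, y, n),               # g^yz mod n
        "c_with_alice": session_key(from_alice, z, n),  # equals Alice's key
        "c_with_bob": session_key(from_bob, z, n),      # equals Bob's key
    }


def endpoints_agree(keys):
    """What an authenticated comparison of the two endpoint keys would report."""
    return keys["alice"] == keys["bob"]


if __name__ == "__main__":
    print(exchange(47, 3, 8, 10))
    keys = intercepted_exchange(47, 3, 8, 10, 5)     # z = 5 is a constructed value
    print(keys, "endpoints agree:", endpoints_agree(keys))
```

Nothing in the exchange itself tells A or B whose public value they received, which is why the two ends finish with different keys without noticing and why the exchange has to be combined with authentication.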


The problem faced by the Diffie-Hellman key exchange protocol is the Bucket Brigade attack, or (wo)man-in-the-middle attack. Consider that a third person ‘C’ is involved in the interaction of A & B in the above algorithm.

1. A & B choose x & y respectively, while ‘C’ randomly chooses ‘z’.
2. When A sends message-1 intended for B, ‘C’ intercepts it and sends m-2 to B, using the correct g and n but with her own ‘z’ instead of ‘x’, and does the same back to ‘A’ with m-3.
3. Later, ‘B’ sends M-4 to ‘A’, which is intercepted by ‘C’ and kept with it.
4. With modular arithmetic being done by everyone, A computes the secret key as g^xz mod n, B computes the secret key as g^yz mod n, and C computes the secret keys as g^xz mod n and g^yz mod n.
5. Therefore, every message sent by A on the encrypted session is captured by ‘C’, stored, modified if desired and then (optionally) passed to ‘B’. Similarly in the other direction, i.e., A & B are under the illusion that they have a secure channel to one another while ‘C’ sees everything and can modify it. This attack is called the Bucket Brigade Attack.

(II): Authentication using KDC:

In this model, each user has a single key shared with the KDC. The simplest protocol is the “wide-mouth frog”.

Working:

1. 'A' picks a session key K_S and informs the KDC that it wants to talk to 'B', with a message which is encrypted with a secret key (K_A).
2. The KDC decrypts this message, extracts B's identity and the session key, constructs a new message containing A's identity and the session key, and sends it to 'B', encrypted with K_B, the key shared by 'B' with the KDC.
3. 'B' decrypts it and learns of A's wish and its key.

The Needham-Schroeder authentication protocol:

Working:-

1. 'A' tells the KDC that he wants to talk to 'B', with a message which contains a large random number, R_A.
2. The KDC sends back m-2 containing A's random number, a session key and a ticket that it can send to B.
3. Now, 'A' sends the ticket to 'B', along with a new random number, R_A2, encrypted with the session key K_S.
4. 'B' sends back K_S(R_A2 - 1) to confirm to 'A' that it is talking to 'B'.
5. 'B' is convinced that it is talking to 'A' and no one else.

The Otway-Rees Authentication protocol:


Working:-

1. 'A' starts out by generating a pair of random numbers: R, which will be used as a common identifier, and R_A, which A will use to challenge 'B'.
2. When 'B' gets this message, he constructs a new message from the encrypted part of A's message and an analogous one of his own.
3. Both the parts encrypted with K_A and K_B identify A and B, contain the common identifier and contain a challenge.
4. The KDC checks to see if R in both parts is the same, and if so, it believes that the request message from 'B' is valid and so it generates a session key and encrypts it twice (once for A and once for B).
5. Each message contains the receiver’s random number, indicating that it was generated by the KDC.
6. Now, A and B are in possession of the same session key and can start communicating.

(III). Authentication using KERBEROS:

Kerberos was designed to allow workstation users to access network resources in a secure way. It involves three servers in addition to a client workstation:

• Authentication Server (AS):- Verifies users during login.
• Ticket-Granting Server (TGS):- Issues "PROOF OF IDENTITY TICKETS".
• B, The Server:- Actually does the work 'A' wants performed.

WORKING:

• 'A' sits down at an arbitrary public workstation and types his name, which is sent to 'AS' in plain text.
• A session key and a ticket K_TGS(A, K_S) intended for the TGS come back, which are packed together and encrypted using A's secret key, so that only 'A' can decrypt them.
• Only when message-2 arrives does the workstation ask for A's password, and this is used to generate K_A in order to decrypt m-2 and obtain the session key and the TGS ticket inside it.
• At this point, the workstation overwrites A’s password to make sure that it is only inside the workstation for a few milliseconds at most.
• After 'A' logs in, she tells the workstation that she wants to contact 'B', the file server.
• The workstation then sends message-3 to the TGS asking for a ticket to use with 'B', with the key element K_TGS(A, K_S), encrypted by the TGS's secret key, as a proof of 'A'.
• The TGS responds by creating a session key K_AB for 'A' to use with 'B'.
• Two versions of it are sent back, with the first encrypted with K_S intended for A and the second encrypted with K_B intended for 'B'.
• Now, 'A' sends K_AB to 'B' to establish a session key with him, which is time stamped.

After some series of exchanges, communication is established.

(IV). Authentication Using Public Key Cryptography:

Working:- A and B know each other's public keys.

1. 'A' starts by encrypting her identity and a random number R_A using B's public key E_B.
2. When 'B' receives this message, 'B' sends back to 'A' a message containing A's R_A, his own random number R_B, and a proposed session key K_S.
3. When 'A' gets m-2, she decrypts it using her private key and agrees to the session key by sending back m-3.
4. When 'B' receives R_B encrypted with the session key he just generated, he confirms that m-2 was received and R_A was verified by 'A'. So, a session is established.


(6). DIGITAL SIGNATURES: It is devised to replace hand-written signatures between 2 parties in a system in such a way that

• The receiver can verify the claimed identity of the sender.
• The sender cannot later repudiate the contents of the message.
• The receiver cannot possibly have concocted the message himself.

Different approaches:-

(a) Secret-key signatures
(b) Public-key signatures
(c) Message digests
(d) Birthday attack

(a). Secret-key signatures:

In this approach each user chooses a secret key and carries it by hand to a central authority (BB) that knows everything and is trusted by everyone. So only A and BB know A’s secret key K_A, and so on.

Working:-

1. When ‘A’ wants to send a signed plain text message ‘P’ to ‘B’, she generates K_A(B, R_A, t, P) and sends it.
2. BB sees that the sender is ‘A’, decrypts the message and sends it to B.
3. The message to B contains the plain text of A’s message and also the signed message K_BB(A, t, P), where ‘t’ is a timestamp.
4. ‘B’ now carries out A’s request.

(b). Public-key signatures:

In this, an assumption is made initially that public key encryption and decryption algorithms have the property E(D(P)) = P in addition to D(E(P)) = P.


Working:-

1. ‘A’ sends a plain text message ‘P’ to B by transmitting E_B(D_A(P)).
2. When B receives the message, he transforms it using his private key, yielding D_A(P), which is stored in a safe place and then decrypted using E_A to get the original plain text.

(c). Message Digests:

Def:- A one-way hash function that takes an arbitrarily long piece of plain text and from it computes a fixed-length bit string is called a message digest and has 3 important properties. They are:

• Given P, it is easy to compute MD(P).
• Given MD(P), it is effectively impossible to find P.
• No one can generate 2 messages that have the same message digest.

Working:-

• ‘A’ first computes the message digest of her plain text. ‘BB’ computes the message digest by applying MD to P, yielding MD(P). BB then encloses K_BB(A, t, MD(P)) as the 5th item in the list encrypted with K_B that is sent to ‘B’.
• She then signs the message digest and sends both the signed digest and the plain text to B.


(d). Birthday Attack:

If there is some mapping between inputs and outputs with ‘n’ inputs (people, messages etc.) and ‘k’ possible outputs (birthdays, message digests etc.), there are [n(n-1)/2] input pairs. If [n(n-1)/2] > k, at least one match is likely, i.e., for n > √k. This result means that a 64-bit message digest can probably be broken by generating about 2^32 messages and looking for 2 with the same message digest. The idea for this attack comes from a technique that mathematics professors often use in their probability courses. The question is: “How many students do you need in a class before the probability of having 2 people with the same birthday exceeds ½?”

The answer is 23, i.e., with 23 people, we can form (23*22)/2 = 253 different pairs, each of which has a probability of being a hit.
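The 23-person result and the square-root effort needed to find two messages with the same digest, as an added example that is not part of the original notes. It shortens SHA-256 to 24 bits so that the search finishes at once; the messages are constructed.

```python
import hashlib


def birthday_probability(n, k=365):
    """Probability that n inputs spread uniformly over k outputs contain at least one match."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def smallest_group(k=365, threshold=0.5):
    """Smallest n for which the match probability exceeds the threshold."""
    n = 1
    while birthday_probability(n, k) <= threshold:
        n += 1
    return n


def truncated_digest(message, bits):
    """The leading `bits` bits of SHA-256, standing in for a short message digest."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits):
    """Hash constructed messages until two share a digest; returns (m1, m2, tries)."""
    seen = {}
    tries = 0
    while True:
        message = b"constructed message %d" % tries
        tries += 1
        digest = truncated_digest(message, bits)
        if digest in seen:
            return seen[digest], message, tries
        seen[digest] = message


if __name__ == "__main__":
    print("group size for > 1/2:", smallest_group())
    m1, m2, tries = find_collision(24)
    # About 2^12 messages are enough for a 24-bit digest, far fewer than 2^24,
    # which is why a digest needs twice as many bits as the effort it must withstand.
    print(m1, m2, "tries:", tries, "of", 2 ** 24, "possible digests")
```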

DNS--Domain Name System: This is primarily used for mapping host names and e-mail destinations to IP addresses but can also be used for other purposes. DNS is defined in RFCs 1034 and 1035.

Working:-

• To map a name onto an IP address, an application program calls a library procedure called the Resolver, passing it the name as a parameter.
• The resolver sends a UDP packet to a local DNS server, which then looks up the name and returns the IP address to the resolver, which then returns it to the caller.
• Armed with the IP address, the program can then establish a TCP connection with the destination, or send it UDP packets.

• The DNS name space.
• Resource Records.
• Name Servers.


The DNS name space: The Internet is divided into several hundred top-level domains, where each domain covers many hosts. Each domain is partitioned into subdomains, and these are further partitioned, and so on. All these domains can be represented by a tree, in which the leaves represent domains that have no subdomains. A leaf domain may contain a single host, or it may represent a company and contain thousands of hosts. Each domain is named by the path upward from it to the root. The components are separated by periods (pronounced "dot"). E.g.: Sun Microsystems Engineering Department = eng.sun.com.

The top-level domains come in 2 flavours:
•  Generic: com (commercial), edu (educational institutions), mil (the U.S. armed forces, government), int (certain international organizations), net (network providers), org (non-profit organizations).
•  Country: includes 1 entry for every country.



Domain names can be either absolute (ends with a period, e.g. eng.sun.com.) or relative (doesn't end with a period). Domain names are case sensitive, the component names can be up to 63 characters long, and full path names must not exceed 255 characters.

Insertion of a domain into the tree can be done in 2 ways:
•  Under a generic domain (e.g., cs.yale.edu)
•  Under the domain of their country (e.g., cs.yale.ct.us)



Resource Records: Every domain can have a set of resource records associated with it. For a single host, the most common resource record is just its IP address. When a resolver gives a domain name to DNS, it gets back the resource records associated with that name, i.e., the real function of DNS is to map domain names onto resource records. A resource record is a 5-tuple and its format is as follows:

Domain_name: Tells the domain to which this record applies.
Time-to-live: Gives an indication of how stable the record is (highly stable = 86400, i.e. the number of seconds per day; highly volatile = 1 min).
Type: Tells what kind of record this is.
Class: It is IN for Internet information; other codes are used for non-Internet information.
Value: This field can be a number, a domain name or an ASCII string.



Type     Meaning              Value
SOA      Start of Authority   32-bit integer
A        IP address of host   32-bit integer
MX       Mail Exchange        Priority, domain willing to accept
NS       Name Server          Name of server for this domain
CNAME    Canonical Name       Domain name
PTR      Pointer              Alias for an IP address
HINFO    Host Description     CPU and OS in ASCII
TXT      Text                 Uninterpreted ASCII text

Name Servers: A name server contains the entire database and responds to all queries about it. The DNS name space is divided up into non-overlapping zones, in which each zone contains some part of the tree and also contains name servers holding the authoritative information about that zone.


When a resolver has a query about a domain name, it passes the query to one of the local name servers:

1.  If the domain being sought falls under the jurisdiction of the name server, it returns the authoritative resource records (those that come from the authority that manages the record, and are always correct).

2.  If the domain is remote and no information about the requested domain is available locally, the name server sends a query message to the top-level name server for the domain requested.

    E.g.: A resolver on flits.cs.vu.nl wants to know the IP address of the host Linda.cs.yale.edu.

    Step 1: The resolver sends a query containing the domain name sought, the type and the class to the local name server, cs.vu.nl.
    Step 2: Suppose the local name server knows nothing about it; it asks a few other nearby name servers. If none of them know, it sends a UDP packet to the server for edu-server.net.
    Step 3: This server knows nothing about Linda.cs.yale.edu or cs.yale.edu, and so it forwards the request to the name server for yale.edu.
    Step 4: This one forwards the request to cs.yale.edu, which must have the authoritative resource records.
    Steps 5 to 8: The resource record requested works its way back in steps 5-8.

    This query method is known as a recursive query.

3.  When a query cannot be satisfied locally, the query fails but the name of the next server along the line to try is returned.
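The recursive query in steps 1 to 8 can be modelled with a few in-memory name servers. This is an added example, not part of the original notes: the class and function names are hypothetical, the IP addresses are constructed values from a documentation range, and the "ask a few nearby servers" part of step 2 is left out.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceRecord:
    """The 5-tuple from the text: domain name, time-to-live, class, type, value."""
    name: str
    ttl: int
    rclass: str
    rtype: str
    value: str


def check_name(name):
    """Apply the limits quoted above: components up to 63 characters, full name up to 255."""
    relative = name[:-1] if name.endswith(".") else name
    labels = relative.split(".")
    if len(name) > 255 or any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return relative


@dataclass
class NameServer:
    host: str
    records: dict = field(default_factory=dict)      # (name, type) -> ResourceRecord
    delegations: dict = field(default_factory=dict)  # zone suffix -> NameServer

    def add(self, name, rtype, value, ttl=86400):
        self.records[(name, rtype)] = ResourceRecord(name, ttl, "IN", rtype, value)

    def query(self, name, rtype, path):
        """Answer from authoritative data, else forward to the closest known zone."""
        path.append(self.host)
        if (name, rtype) in self.records:
            return self.records[(name, rtype)]
        zones = [z for z in self.delegations if name == z or name.endswith("." + z)]
        if not zones:
            return None  # nothing known locally and nowhere to forward
        return self.delegations[max(zones, key=len)].query(name, rtype, path)


def build_local_server():
    """Constructed data mirroring the servers named in the walkthrough."""
    cs_yale = NameServer("cs.yale.edu")
    cs_yale.add("Linda.cs.yale.edu", "A", "192.0.2.10")
    yale = NameServer("yale.edu", delegations={"cs.yale.edu": cs_yale})
    edu = NameServer("edu-server.net", delegations={"yale.edu": yale})
    local = NameServer("cs.vu.nl", delegations={"edu": edu})
    local.add("flits.cs.vu.nl", "A", "192.0.2.20", ttl=60)
    return local


def resolve(local, name, rtype="A"):
    """Return (record or None, list of servers the query passed through)."""
    path = []
    record = local.query(check_name(name), rtype, path)
    return record, path


if __name__ == "__main__":
    record, path = resolve(build_local_server(), "Linda.cs.yale.edu.")
    print(" -> ".join(path), "=>", record)
```

The returned path makes the trust chain visible: the caller accepts an answer that was relayed by every server on the path.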


Simple Network Management Protocol

•  SNMP - Version 1
•  SNMP - Version 2
•  SNMP - Version 3

SNMP was developed for use as a n/w management tool for networks and internetworks operating TCP/IP. It includes the following key elements:
1.  Management Station or Manager
2.  Agent
3.  Management Information Base
4.  N/W Management Protocol

Management Station serves as the interface for the human n/w manager into the network management system. It will have the following:
1.  A set of management applications for data analysis, fault recovery and so on.
2.  An interface by which the n/w manager may monitor and control the n/w.
3.  The capability of translating the n/w manager's requirements into the actual monitoring and control of remote elements in the n/w.
4.  A database of n/w management information extracted from the databases of all the managed entities in the n/w.

Management Agent software equips key platforms such as hosts, bridges, routers and hubs so that they may be managed from a management station. The agent responds to requests for information from a management station, responds to requests for actions from the management station, and may asynchronously provide the management station with important but unsolicited information.

To manage resources in the n/w, each resource is represented as an object (a data variable that represents one aspect of the managed agent). The collection of objects is referred to as a Management Information Base (MIB). The MIB functions as a collection of access points at the agent for the management station. A management station performs the monitoring function by retrieving the value of MIB objects.


The management station and agents are linked by a n/w management protocol. The protocol used for the management of TCP/IP networks is SNMP. Each of these protocols includes the following key capabilities:
•  GET: Enables the management station to retrieve the value of objects at the agent.
•  SET: Enables the management station to set the value of objects at the agent.
•  NOTIFY: Enables an agent to send unsolicited notifications to the management station of significant events.

SNMP-V1 Configuration:

Role of SNMP-V2 :


From the management station, 3 types of SNMP messages are issued on behalf of a management application: GetRequest, GetNextRequest and SetRequest. All 3 messages are acknowledged by the agent in the form of a GetResponse message, which is passed up to the management application. In addition, the agent may issue a trap message in response to an event that affects the MIB and the underlying managed resources. Management requests are sent to UDP port 161, while the agent sends traps to UDP port 162.

SNMP-V2: It provides a framework on which n/w management, performance monitoring, accounting and so on can be built.

Each player in the n/w management system maintains a local database of information relevant to n/w management, known as the MIB. The SNMPV2 standard defines the structure of this information and the allowable data types. This is known as the Structure of Management Information (SMI).

One system is responsible for n/w management while the other systems act in the role of agent. An agent collects the information and stores it for later access by a manager. The information includes data about the system itself and may also include traffic information for the n/w to which the agent attaches.


SMI: It defines the general framework within which a MIB can be defined and constructed. The SMI identifies the data types that can be used in the MIB, and how resources within the MIB are represented and named. The MIB can store only simple data types, to simplify the task of implementation and to enhance interoperability. There are 3 key elements in the SMI specification:
1.  At the lowest level, the SMI specifies the data types that may be stored.
2.  Then the SMI specifies a formal technique for defining objects and tables of objects.
3.  Finally, the SMI provides a scheme for associating a unique identifier with each actual object in a system, so that a manager can reference data at an agent.

Protocol operation: The protocol provides a straightforward, basic mechanism for the exchange of management information between agent and manager. The basic unit of exchange is the message, which consists of an outer message wrapper and an inner protocol data unit (PDU). The outer message header deals with security. 7 types of PDUs may be carried in an SNMP message.

(a) Get-Request-PDU, Get-Next-Request-PDU, Set-Request-PDU, SNMPV2-Trap-PDU, Inform-Request-PDU:

    PDU type | Req-id 10 | Variable-bindings

(b) Response-PDU:

    PDU type | Req-id | Error-status | Error-index | Variable-bindings

(c) Get-Bulk-Request-PDU:

    PDU type | Req-id | Non-repeaters | Max-repetitions | Variable-bindings

(d) Variable bindings:

    Name 1 | Value 1 | Name 2 | Value 2 | ... | Name n | Value n


•  GET REQUEST-PDU: Includes a list of one (or) more object names for which values are requested. If the get operation is successful, then the responding agent will send a Response-PDU.
•  GET NEXT REQUEST-PDU: Includes a list of one (or) more objects. For each object named in the variable-bindings field, a value is to be returned for the object that is next in lexicographic order.
•  GET BULK REQUEST-PDU: The purpose is to minimize the number of protocol exchanges required to retrieve a large amount of management information. It allows a manager to request that the response be as large as possible given the constraints on message size.
•  SET REQUEST-PDU: Used to request that the values of one (or) more objects be altered. The operation is atomic.
•  SNMPV2-TRAP-PDU: It is generated when an unusual event occurs and is used to provide the management station with asynchronous notification of some significant event. It is an unconfirmed message.
•  INFORM REQUEST-PDU: It is sent on behalf of an application to provide management information to an application using it.
•  VARIABLE BINDINGS: Used to convey the associated information.



SNMP-V3: This defines an overall SNMP architecture and a set of security capabilities. It provides 3 important services:
•  Authentication: part of the User-Based Security Model (USM)
•  Privacy: part of the User-Based Security Model (USM)
•  Access Control: defined in the View-Based Access Control Model (VACM)

The authentication mechanism in USM assures that a received message was transmitted by the principal whose identifier appears as the source in the message header. It also assures that the message has not been altered in transit and has not been artificially delayed (or) replayed. The sending principal provides authentication by including a message authentication code with the SNMP message it is sending. The code is a function of the message contents, the identity of the sending and receiving parties, the time of transmission and a secret key that should be known only to sender and receiver. The secret keys are distributed by the configuration/network manager, and so they are kept outside of USM. When the receiving principal gets the message, it uses the same secret key to calculate the message authentication code once again, and if it matches the value appended to the incoming message, the receiver confirms that the sender is the authorized one. The authentication code is called HMAC.

The privacy facility of USM enables managers and agents to encrypt messages, by sharing a secret key between them. If they are configured to use the privacy facility, all traffic between them is encrypted using DES.

The access control facility makes it possible to configure agents to provide different levels of access to the agent's Management Information Base (MIB) to different managers. An agent principal can restrict access to its MIB for a particular manager principal in 2 ways:
•  It can restrict access to a certain portion of its MIB.
•  It can limit the operations that a manager can use on that portion of the MIB.
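A simplified model of the authentication check described above, as an added example that is not from the original notes and is not the SNMPv3 wire format. Assumptions: HMAC-SHA-1 from the Python standard library is the authentication code, and the field framing, the `WINDOW_SECONDS` value, the `seen` replay cache and all names are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 150  # assumed limit on message age before it counts as delayed


def auth_code(key, sender, receiver, sent_at, payload):
    """HMAC over the inputs listed in the text: both identities, send time and contents."""
    fields = [sender.encode(), receiver.encode(), struct.pack(">Q", sent_at), payload]
    # Length-prefix every field so bytes cannot slide between neighbouring fields.
    framed = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, framed, hashlib.sha1).digest()


def seal(key, sender, receiver, sent_at, payload):
    """Sender side: attach the authentication code to the message."""
    return {"sender": sender, "receiver": receiver, "sent_at": sent_at,
            "payload": payload,
            "mac": auth_code(key, sender, receiver, sent_at, payload)}


def verify(key, msg, me, now, seen):
    """Receiver side: recompute the code, then check addressee, age and replay."""
    expected = auth_code(key, msg["sender"], msg["receiver"],
                         msg["sent_at"], msg["payload"])
    if not hmac.compare_digest(expected, msg["mac"]):  # constant-time comparison
        return "bad-mac"
    if msg["receiver"] != me:
        return "wrong-receiver"
    if abs(now - msg["sent_at"]) > WINDOW_SECONDS:
        return "delayed"
    if msg["mac"] in seen:
        return "replayed"
    seen.add(msg["mac"])
    return "ok"


def demo():
    """Run constructed messages through the receiver and collect the verdicts."""
    key, other_key = b"shared-secret-from-config", b"some-other-secret"
    seen = set()
    msg = seal(key, "manager-1", "agent-7", 1000, b"SET ifAdminStatus.3 = down")
    altered = dict(msg, payload=b"SET ifAdminStatus.3 = up")
    late = seal(key, "manager-1", "agent-7", 1000, b"GET sysUpTime.0")
    return {
        "genuine": verify(key, msg, "agent-7", 1010, seen),
        "altered": verify(key, altered, "agent-7", 1010, seen),
        "delayed": verify(key, late, "agent-7", 2000, seen),
        "replayed": verify(key, msg, "agent-7", 1020, seen),
        "wrong_key": verify(other_key, msg, "agent-7", 1010, set()),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} {verdict}")
```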



E-MAIL (RFC 821, 822 are used in the Internet)

1. Architecture and Services: E-mail systems consist of two subsystems. They are:
(a). User Agents, which allow people to read and send e-mail
(b). Message Transfer Agents, which move messages from source to destination

E-mail systems support 5 basic functions:
•  Composition
•  Transfer
•  Reporting
•  Displaying
•  Disposition




(a). Composition: It refers to the process of creating messages and answers. Any text editor can be used for the body of the message, while the system itself can provide assistance with addressing and the numerous header fields attached to each message.
(b). Reporting: It has to do with telling the originator what happened to the message, that is, whether it was delivered, rejected (or) lost.
(c). Transfer: It refers to moving messages from the originator to the recipient.
(d). Displaying: Incoming messages are to be displayed so that people can read their e-mail.
(e). Disposition: It concerns what the recipient does with the message after receiving it. Possibilities include throwing it away before reading (or) after reading, saving it and so on.

(2). The User Agent: It is normally a program that accepts a variety of commands for composing, receiving and replying to messages as well as for manipulating mailboxes.
•  Sending E-mail: To do so, the user must provide the message, the destination address and possibly some other parameters (e.g., the priority (or) security level). The message can be produced with a free-standing text editor, a word processing program or possibly with a text editor built into the user agent. The destination address must be in a format that the user agent can deal with. Many user agents expect DNS addresses of the form mailbox@location.
•  Reading E-mail: When a user agent is started up, it will look at the user's mailbox for incoming mail before displaying anything on the screen. Then it may announce the number of messages in the mailbox or display a one-line summary of each one and wait for a command. Each display line contains several fields (extracted from the header of the corresponding message), e.g.:

#   Flags   Bytes   Sender   Subject
1   K       1030    ASW      changes to MIN-MAX
2   KA      6348    SAM      RC: Hai


1st field (#): Message number.
2nd field (Flags): K - message is not new but already read. KA - message has already been answered.
3rd field (Bytes): Tells how long the message is.
4th field (Sender): Tells who sent the message.
5th field (Subject): Gives a brief summary of what the message is about.

After the headers have been displayed, the user can perform any of the commands available.

Message Formats:
•  RFC 822 (SMTP)
•  RFC 1551 (MIME)

(1). RFC 822:

Messages consist of a primitive envelope, some number of header fields, a blank line and then the message body. Each header field consists of a single line of ASCII text containing the field name, a colon and a value. The principal header fields related to message transport are:


After the headers comes the message body. Users can put whatever they want here.

[Figure: (outgoing-mail) and (incoming-mail)]

Each queued message has 2 parts:
•  The message text, consisting of the RFC 822 header and the body of the message.
•  A list of mail destinations.

The SMTP Sender takes messages from the outgoing mail queue and transmits them to the proper destination host via SMTP transactions over one or more TCP connections to port 25 on the target hosts.


Pretty Good Privacy (PGP):
•  This is a complete e-mail security package that provides privacy, authentication, digital signatures and compression, all in an easy-to-use form.
•  The complete package, along with all the source code, is distributed free of charge via the Internet, bulletin boards and commercial networks.
•  Due to its quality, price (zero) and easy availability on MS-DOS/Windows, UNIX and Macintosh platforms, it is widely used today.
•  It is largely based on RSA, IDEA and MD5.
•  PGP supports text compression, secrecy and digital signatures and also provides extensive key management facilities.

Working:
•  Alice wants to send a signed plaintext message 'P' to Bob in a secure way. Each of them possesses private (DX) and public (EX) RSA keys, and each one knows the other's public key.
•  Alice starts out by invoking the PGP program on her computer.
•  PGP first hashes her message, P, using MD5 and then encrypts the resulting hash using her private RSA key, DA.
•  When Bob eventually gets the message, he can decrypt the hash with Alice's public key and verify that the hash is correct.
•  The encrypted hash and the original message are now concatenated into a single message, P1, and compressed using the ZIP program (which uses the Ziv-Lempel algorithm); the output is P1.Z.
•  Now, PGP prompts Alice for some random input, from which a 128-bit IDEA message key, KM, is generated; it is used to encrypt P1.Z in cipher feedback mode.
•  In addition, KM is encrypted with Bob's public key, EB.
•  These 2 components are then concatenated and converted into base-64.
•  The resulting message then contains only letters, digits and the symbols +, / and =.
•  When Bob gets the message, he reverses the base-64 encoding and decrypts the IDEA key using his private RSA key.
•  Using this key, he decrypts the message to get P1.Z.
•  After decompressing it, Bob separates the plaintext from the encrypted hash and decrypts the hash using Alice's public key.

PGP supports 3 RSA key lengths:
1.  Casual (384 bits): can be broken by folks with large budgets.
2.  Commercial (512 bits): might be breakable by 3-letter organizations.
3.  Military (1024 bits): not breakable by anyone on earth.

PGP Message Format:

[Figure: PGP message layout, with fields ID of EB, KM, header, time, ID of EA, types, MD5 hash, message header, file name, time, message]

The message has 3 parts:
1)  The message key part, which contains both the key and the key identifier.
2)  The signature part, which contains:
    •  Header
    •  Timestamp
    •  Identifier for the sender's public key that can be used to decrypt the signature hash
    •  Some type information that identifies the algorithm used
    •  The encrypted hash itself
3)  The message part, which contains:
    •  Header
    •  The default name of the file to be used if the receiver writes the file to the disk
    •  A message creation timestamp
    •  The message itself

PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:
1.  It is available free worldwide in versions that run on a variety of platforms, including DOS/Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support.
2.  It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS and Diffie-Hellman for public key encryption; CAST-128, IDEA, and 3DES for conventional encryption; and SHA-1 for hash coding.
3.  It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks.


PGP intentionally uses existing cryptographic algorithms rather than inventing new ones. It is largely based on RSA, IDEA and MD5, all algorithms that have withstood extensive peer review and were not designed or influenced by any government agency. PGP supports text compression, secrecy and digital signatures and also provides extensive key management facilities.

PGP ENVIRONMENT:

PGP's primary purpose is to send messages that are signed and encrypted. PGP also allows sending messages that are only signed. Only the intended receiver can read encrypted messages. Using public-key cryptography, the sender does not have to exchange a secret key with the receiver. If the sender has the receiver's public key, then she can send him a message. Encrypted PGP messages can be addressed to one receiver or several receivers. PGP can also be used to send signed but unencrypted messages. These messages are in the clear: anyone can read them. Also, anyone who has the sender's public key can verify the integrity and authentication of the messages. This type of security is useful for messages posted to Usenet newsgroups.

PGP SUBSYSTEMS:

There are normally two subsystems:
•  USER AGENTS
•  MESSAGE TRANSFER AGENTS

User agents allow people to read and send e-mail. The user agents are local programs that provide a command-based, menu-based or graphical method for interacting with the e-mail system.

Message transfer agents move the message from the source to the destination. The agents are typically system daemons that run in the background and move e-mail through the system.


BASIC FUNCTIONS:

E-mail systems support 5 basic functions. They are:
•  Composition
•  Transfer
•  Reporting
•  Displaying
•  Disposition

COMPOSITION: It refers to the process of creating messages and answers. Although any text editor can be used for the body of the message, the system itself can provide assistance with addressing and the numerous header fields attached to each message.

TRANSFER: It refers to moving messages from the originator to the recipient. In large part this requires establishing a connection to the destination or some intermediate machine, outputting the message and releasing the connection. The e-mail system should do this automatically.

REPORTING: It has to do with telling the originator what happened to the message. Was it delivered? Was it rejected? Was it lost? Numerous applications exist in which confirmation of delivery is important and may even have legal significance.

DISPOSITION: It is the final step and concerns what the recipient does with the message after receiving it. Possibilities include throwing it away before reading, throwing it away after reading, saving it and so on. It should also be possible to retrieve and reread saved messages, forward them, or process them in other ways.

PGP OPERATION FOR SENDING A MESSAGE:

PGP first hashes her message 'P' using MD5 and then encrypts the resulting hash using private key DA; the receiver decrypts it with the public key and verifies that the hash is correct. Even if someone could acquire the hash at this stage and decrypt it with the public key, the strength of MD5 guarantees that it would be computationally infeasible to produce another message with the same MD5 hash.

[Figure: PGP operation for sending a message, with blocks labelled KM, RSA, P, SHA, RSA, IDEA, ZIP and Base 64]

The encrypted hash and the original message are now concatenated into a single message P1 and compressed using the Zip program; the output of this step is P1.Z. The content and the typing speed are used to generate a 128-bit IDEA message key, KM, which is now used to encrypt P1.Z with IDEA in cipher feedback mode. KM is also encrypted with public key EB. These two components are then concatenated and converted to base 64.

When the receiver gets the message, he reverses the base 64 encoding and decrypts the IDEA key using his private key. Using this key, he decrypts the message to get P1.Z. After decompressing it, he separates the plaintext from the encrypted hash and decrypts the hash using the public key. If the plaintext hash agrees with his own MD5 computation, he is assured that 'P' is the correct message.

PGP SERVICES:
•  Digital signature
•  Message encryption
•  Compression
•  E-mail compatibility
•  Segmentation

OPERATIONAL DESCRIPTION:
•  Authentication
•  Confidentiality
•  Compression
•  E-mail compatibility
•  Segmentation
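The sending and receiving steps from the two PGP walkthroughs above (hash, sign, concatenate, compress, encrypt under a one-time key in cipher feedback mode, wrap the key, convert to base 64) follow as an added Python example; it is not PGP's own code and segmentation is not shown. Assumptions: textbook RSA without padding over fixed Mersenne primes, SHA-256 standing in for the IDEA block function, zlib standing in for ZIP, and hypothetical function names and framing, so this shows the order of operations and is not usable cryptography.

```python
import base64
import hashlib
import os
import zlib

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Toy RSA key from two known primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Mersenne primes keep the demo short; they are useless as real key material.
ALICE = make_key(2 ** 89 - 1, 2 ** 107 - 1)
BOB = make_key(2 ** 107 - 1, 2 ** 127 - 1)


def to_bytes(x, n):
    """Encode x using as many bytes as the modulus n needs."""
    return x.to_bytes((n.bit_length() + 7) // 8, "big")


def cfb(key, iv, data, decrypt=False):
    """Cipher feedback mode on 8-byte blocks; SHA-256(key || feedback) replaces IDEA."""
    out, feedback = bytearray(), iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8]
        stream = hashlib.sha256(key + feedback).digest()
        result = bytes(a ^ b for a, b in zip(block, stream))
        out += result
        feedback = block if decrypt else result  # feedback is always ciphertext
    return bytes(out)


def pgp_send(p, sender, recipient_n):
    """Alice's side: returns the base-64 text that goes into the e-mail."""
    n_a, d_a = sender
    digest = int.from_bytes(hashlib.md5(p).digest(), "big")  # MD5 as in the text
    sig = to_bytes(pow(digest, d_a, n_a), n_a)               # hash encrypted with DA
    p1 = len(sig).to_bytes(2, "big") + sig + p               # P1 = signature + message
    p1z = zlib.compress(p1)                                  # P1.Z
    km, iv = os.urandom(16), os.urandom(8)                   # one-time 128-bit key KM
    wrapped = to_bytes(pow(int.from_bytes(km, "big"), E, recipient_n), recipient_n)
    body = cfb(km, iv, p1z)
    return base64.b64encode(len(wrapped).to_bytes(2, "big") + wrapped + iv + body)


def pgp_receive(armored, recipient, sender_n):
    """Bob's side: undo each step in reverse order and check the signature."""
    n_b, d_b = recipient
    raw = base64.b64decode(armored)
    klen = int.from_bytes(raw[:2], "big")
    wrapped, iv, body = raw[2:2 + klen], raw[2 + klen:10 + klen], raw[10 + klen:]
    km = pow(int.from_bytes(wrapped, "big"), d_b, n_b)       # KM recovered with DB
    if km >= 1 << 128:
        raise ValueError("message key was not wrapped for this recipient")
    try:
        p1 = zlib.decompress(cfb(km.to_bytes(16, "big"), iv, body, decrypt=True))
    except zlib.error as exc:
        raise ValueError("body is corrupt or was altered") from exc
    slen = int.from_bytes(p1[:2], "big")
    sig, p = p1[2:2 + slen], p1[2 + slen:]
    recovered = pow(int.from_bytes(sig, "big"), E, sender_n)  # hash decrypted with EA
    if recovered != int.from_bytes(hashlib.md5(p).digest(), "big"):
        raise ValueError("signature does not match the message")
    return p


if __name__ == "__main__":
    text = b"Meet at noon. " * 8
    armored = pgp_send(text, ALICE, BOB[0])
    print(armored[:60], b"...")
    print(pgp_receive(armored, BOB, ALICE[0]) == text)
```

The receiver only trusts the plaintext after the last step: a message that decrypts and decompresses cleanly but was signed with a different private key is still rejected.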


1)  Digital signature provides message authentication and protects two parties who exchange messages from any third party, using the algorithm DSS/SHA or RSA/SHA. A hash code of a message is created using SHA-1, which is a public-key encryption algorithm that takes an input message of arbitrary length and produces as output a 128-bit message digest. The input is processed in 512-bit blocks. This message digest is encrypted using DSS or RSA.
2)  The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n. The plaintext is encrypted in blocks with the sender's private key, each block having a binary value less than some number 'n', and included with the message.
3)  A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key, and included with the message.
4)  A message may be compressed for storage or transmission using Zip.
5)  E-mail compatibility uses the Radix-64 conversion algorithm to provide transparency for e-mail applications; an encrypted message may be converted to an ASCII string.

CRYPTOGRAPHIC KEYS:

PGP makes use of four types of keys:
a)  One-time session conventional keys: provide only one key for the entire process.
b)  Public key: The purpose of making your key public is so that it is available in a common database where everybody can have access to it for the purpose of encrypting messages.
c)  Pass phrase-based conventional keys: The pass phrase really has only one purpose, but a very important one. The pass phrase is hashed to become the key with which your private key is encrypted. Its whole purpose is to protect your private key so that no one else can use it. This is why any time you try to use your private key you are prompted to enter your pass phrase: you need your pass phrase to sign a message, to decrypt a message, to revoke a key, to add a name or e-mail address to your key, etc.


KEY IDENTIFIERS:

A key ID is also required for the PGP digital signature. Because a sender may use one of a number of private keys to encrypt the message digest, the recipient must know which public key is intended for use. Accordingly, the digital signature component of a message includes the 64-bit key ID of the required public key. When the message is received, the recipient verifies that the key ID is for a public key that it knows for that sender and then proceeds to verify the signature.

Now that the concept of key ID has been introduced, we take a more detailed look at the format of a transmitted message. A message consists of three components:
1.  Message component
2.  Signature component
3.  Session key component

1. Message component: It includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.

2. Signature component: It includes the following components:

Timestamp: The time at which the signature was made.

Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key. The digest is calculated over the signature timestamp concatenated with the data portion of the message component. The inclusion of the signature timestamp in the digest assures against replay types of attacks. The exclusion of the filename and timestamp portions of the message component ensures that detached signatures are exactly the same as attached signatures prefixed to the message. Detached signatures are calculated on a separate file that has none of the message component header fields.

Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest for authentication, by comparing this plaintext copy of the first two octets with the first two octets of the decrypted digest. These octets also serve as a 16-bit frame-check sequence for the message.


Key ID of sender's public key: Identifies the public key that should be used to decrypt the message digest and, hence, identifies the private key that was used to encrypt the message digest.

General format of PGP message:

3. Session key component: It includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt the session key.

KEY RINGS:

The scheme used in PGP is to provide a pair of data structures at each node, one to store the public/private key pairs owned by that node and one to store the public keys of other users known at this node. These data structures are referred to, respectively, as the following:
•  Private-key ring
•  Public-key ring

PRIVATE-KEY RING: Each row represents one of the public/private key pairs owned by this user. Each row contains the following entries:

Timestamp: The date/time when this key pair was generated.
Key ID: The least significant 64 bits of the public key for this entry.
Public key: The public-key portion of the pair.
Private key: The private-key portion of the pair. This field is encrypted.
User ID: Typically, this will be the user's e-mail address. The user may choose to associate a different name with each pair or to reuse the same user ID more than once.

The private-key ring can be indexed by either user ID or key ID. Although it is intended that the private-key ring be stored only on the machine of the user that created and owns the key pairs, and that it be accessible only to that user, it makes sense to make the value of the private key as secure as possible. Accordingly, the private key itself is not stored in the key ring. Rather, this key is encrypted using IDEA or 3DES. The procedure is as follows:
1.  The user selects a pass phrase to be used for encrypting private keys.
2.  When the system generates a new public/private key pair using RSA, it asks the user for the pass phrase. Using SHA-1, a 160-bit hash code is generated from the pass phrase, and the pass phrase is discarded.
3.  The system encrypts the private key using CAST-128 with the 128 bits of the hash code as the key. The hash code is then discarded, and the encrypted private key is stored in the private-key ring.
4.  When the user accesses the private-key ring to retrieve a private key, he must supply the pass phrase. PGP will retrieve the encrypted private key, generate the hash code of the pass phrase and decrypt the encrypted private key using CAST-128 with the hash code.

PUBLIC-KEY RING: It is used to store the public keys of users that are known to this user:

Timestamp: The date/time when this entry was generated.
Key ID: The least significant 64 bits of the public key for this entry.
Public key: The public key for this entry.
User ID: The owner of this key. Multiple user IDs may be associated with a single public key.

The public-key ring can be indexed by either user ID or key ID. First consider message transmission and assume the sending PGP entity performs the following steps:


Signing the message: PGP retrieves the sender’s private key from the private-key ring using your user ID as an index. If your user ID was not provided in the command, the first private key on the ring is retrieved. PGP prompts the user for the pass phrase to recover the unencrypted private key. The signature component of the message is constructed.

Encrypting the message: PGP generates a session key and encrypts the message. PGP retrieves the recipient’s public key from the public-key ring using the user ID as an index. The session key component of the message is constructed.

The receiving PGP entity performs the following steps:

Decrypting the message: PGP retrieves the receiver’s private key from the private-key ring using the key ID field in the session key component of the message as an index. PGP prompts the user for the pass phrase to recover the unencrypted private key. PGP then recovers the session key and decrypts the message.

Authenticating the message: PGP retrieves the sender’s public key from the public-key ring, using the key ID field in the signature key component of the message as an index. PGP recovers the transmitted message digest. PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.

MERITS OF PGP:

1.  We can generate our own public/private key pairs.
2.  We can have multiple keys for different uses, and can replace a key whenever desired.
3.  It uses established and peer-reviewed encryption algorithms.
4.  It is free for personal use.
5.  You can securely communicate with users of other operating systems, and with any e-mail address.
6.  All PGP encryption functions take place on your own computer, with your private keys residing only on your computer.
7.  PGP is public-key encryption that does not require the transmission of a secret pass phrase.
8.  It includes digital signatures that assure that the message/file is not altered, and is from who it is supposed to be from.
9.  There is no backdoor, key recovery, or key function that would allow anyone else access to your encrypted messages/files.
10. PGP includes multiple other features such as file wiping, free space wiping, PGP disk and PGP net.

NOTATIONS:

Ks  - Session key used in conventional encryption scheme.
Kra - Private key of user A used in public-key encryption scheme.
Kua - Public key of user A used in public-key encryption scheme.
Ep  - Public-key encryption.
Dp  - Public-key decryption.
Ec  - Conventional encryption.
Dc  - Conventional decryption.
H   - Hash function.
||  - Concatenation.
Z   - Compression using Zip algorithm.
R64 - Conversion to radix 64 ASCII format.
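The sending and receiving steps described earlier, written with the notation above, as an added Python example that is not from the original notes. Textbook RSA over fixed Mersenne primes and an XOR keystream stand in for PGP's real algorithms; the byte layout, function names and dictionary key rings are assumptions.

```python
import base64, hashlib, os, zlib

def keypair(p, q, e=65537):
    # Textbook RSA without padding: illustration only, not secure.
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def key_id(pub):
    # Key ID: least significant 64 bits of the public key.
    return (pub[0] & (2**64 - 1)).to_bytes(8, "big")

def ec(ks, data):
    # Stand-in for Ec/Dc: XOR keystream, so the same call decrypts.
    stream = b"".join(hashlib.sha256(ks + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def send(msg, a_priv, a_pub, b_pub):
    h = int.from_bytes(hashlib.sha1(msg).digest(), "big")         # H(M)
    sig = pow(h, a_priv[1], a_priv[0]).to_bytes(32, "big")        # Ep with Kra
    body = zlib.compress(key_id(a_pub) + sig + msg)               # Z(signature || M)
    ks = os.urandom(16)                                           # session key Ks
    wrapped = pow(int.from_bytes(ks, "big"), b_pub[1], b_pub[0])  # Ep with Kub
    session_part = key_id(b_pub) + wrapped.to_bytes(32, "big")
    return base64.b64encode(session_part + ec(ks, body))          # R64

def receive(armored, private_ring, public_ring):
    raw = base64.b64decode(armored)
    n, d = private_ring[raw[:8]]            # receiver's key, indexed by key ID
    ks = pow(int.from_bytes(raw[8:40], "big"), d, n).to_bytes(16, "big")  # Dp
    body = zlib.decompress(ec(ks, raw[40:]))                      # Dc, then unzip
    signer, sig, msg = body[:8], body[8:40], body[40:]
    n_a, e_a = public_ring[signer]          # sender's key, indexed by key ID
    sent_digest = pow(int.from_bytes(sig, "big"), e_a, n_a)       # Dp with Kua
    authentic = sent_digest == int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return msg, authentic

# Constructed key pairs for users A (sender) and B (receiver).
A_PUB, A_PRIV = keypair(2**127 - 1, 2**89 - 1)
B_PUB, B_PRIV = keypair(2**107 - 1, 2**61 - 1)
```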
