of 49

Computer networks

Published on March 2017 | Categories: Documents | Downloads: 7 | Comments: 0
120 views

Comments

Content

www.jntuworld.com

JNTUWORLD

The Application Layer

The Application Layer
There is a need for support protocols to allow the real applications to function in the application layer. The three important support protocols are:1. N/W Security 2. DNS 3. N/W Management 1. N/W Security: It is a large no. of protocols that can be used to ensure privacy where needed. It is concerned with people trying to access remote services that they are not authorized to use. N/W security problems can be divided roughly into 4 inter-twined areas: Security Authentication Non-repudiation Integrity control

• •

Security: It has to do with keeping information out of the hands of unauthorized users. Authentication: It deals with determining whom you are talking to, revealing sensitive information or entering into a business deal. Non repudiation: It deals with signatures. Integrity control: It makes sure that the message received was the one really sent and same thing or a malicious adversary modified in transit.

• •

N/W Security in different layers: 1. Physical layer: Wiretapping can be foiled by enclosing transmission lines in sealed tubes containing ARGON gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the Pressure and triggering an atom. 2. Data link layer: If packets have to traverse on a point-to-point line, they are encoded as they leave one machine and decoded as the enter another. If packets have to traverse multiple routers, they are decrypted at each router, leaving them vulnerable to attacks with in routes. This method is called LINK ENCRYPTION. 3. N/W layer: Firewalls can be installed to keep packets in or packets out. 1

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

4. Transport layers: Entire connections can be encrypted, end to end, i.e., process to process. 5. Application layer: a) Traditional cryptography b) 2 fundamental cryptography principles. c) Secret- key Algorithms. d) Public-key Algorithms. e) Authentication protocols. f) Digital signatures. g) Social issues.

a). Traditional cryptography:
The art of devising ciphers is called “Cryptography”. The message to be encrypted, known as ‘plain text’ is transformed by a function that is parameterized by a key. The O/P of execution process is known as “Cipher text” is then transmitted, often by message. Even, if the enemy (intruder) hears and accurately copies down the complete cipher text, he cannot decrypt it, as he doesn’t know the decryption key. Sometimes, he listens to common channel but also record messages and plays them back later, injects his own messages or modifies legitimate messages before they get to the receiver. This art of breaking ciphers is called “Cryptanalysis” Cryptography + Cryptanalysis = Cryptology

2

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Encryption of plain text ‘P’ using key ‘k’ gives the cipher text ‘C’. i.e., C DK( C ) i.e., DK (EK (P)) = = = EK (P) P P Decryption of cipher text ‘C’ using the key ‘k’ gives plain text ‘P’

The Application Layer

Key is a short string that selects one of many potential encryptions. A key length

of 2 digits 6 digits

means that there are 100 possibilities, 3 digits means 1000 possibilities and deal with. Encryption methods: Substitution Ciphers. Transposition Ciphers. One -Time Pads.

means a million. The longer the key, the higher the work factor the cryptanalyst has to

(i). Substitution Ciphers: They preserve the order of plaintext symbols but disguise them. In this, another letter or group of letters to disguise it replaces each letter or group of letters. One of the oldest ciphers is “Caesar Cipher”. In this, an alphabet is shifted by 3 alphabets. i.e., a→D, b→E, c→F….z→C.

Eg: attack ⇒ DWWDFN Next improvement is mono alphabetic substitution in which each letter is mapped to some other letter.

Eg: attack⇒ QZZQEA

3

www.jntuworld.com

www.jntuworld.com

JNTUWORLD To break a Substitution Cipher…………….. •

The Application Layer

Breaking of ciphers using digrams, trigrams : This takes advantage of statistical languages. In English, for example ‘c’ is the most common one letter followed

properties of natural by t, o, a, n etc. the most 2 letter combinations are th, an, in, re & 3 letter combinations are the, int, and, ion. • Breaking of ciphers with a guess of probable word or phrase : The Cryptanalyst counts the relative frequencies of all letters in Cipher text and then tentatively assign the most common one to e and next most common one to t. He then look at trigrams to find a common one of the form t-e, which can be filled with ‘h’. If the pattern th-t occurs frequently, the empty space probably stands for ‘a’. Eg: CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBZ QJSW. (ii). Transposition Ciphers: These reorder the letters but do not disguise them. The following diagram depicts the columnar transposition, in which the cipher is keyed by a word or phrase not containing any repeated letters.

4

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

In the above example, MEGABUCK is the key. The purpose of the key is to number the columns, column-1 being under the key letter closest to the start of the alphabet, and so on. The plain text is normally written horizontally, in rows. The cipher text is read out by columns, starting with the column whose key letter is the lowest.

To break a Transposition Cipher……… • The cryptanalyst must first be aware that he is dealing with a transposition cipher. By looking at the frequency of E,T,A,O,I,N,…etc., it is easy to see that if they fit the normal pattern for plain text. If so, the cipher is clearly a transposition cipher, because in such a cipher every letter represents itself. • The next step is to make a guess at the number of columns. In many cases, a probable word or phrase may be guessed from the context of the message. For each key length, a different set of digrams is produced in the cipher text. By hunting for various possibilities, the cryptanalyst can often easily determine the key length. • The remaining step is to order the columns. When the number of columns, k, is small, each of the k(k-1) column pairs can be examined to see if its digram frequencies match those for English plain text. The pair with the best match is assumed to be correctly positioned. Now, each remaining column is tentatively tried as the successor to this pair. The column whose digram and trigram frequencies give the best match is tentatively assumed to be correct. The predecessor is found in the same way. The entire process is continued until a potential ordering is found. (iii). One-time pads: In this, first, choose a random bit string as the key. Then, convert the plaintext into a string, for example, by using its ASCII representation. Finally, compute the EXCLUSIVE-OR of these two strings, bit by bit.

Advantages: 1. As every possible plain text is an equally probable candidate, the resulting cipher text cannot be broken. 2. The resulting cipher text gives the cryptanalyst no information at all.

5

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Disadvantages:

The Application Layer

1. The key cannot be memorized and so both sender and receiver must carry a written copy with them. 2. The total amount of data that can be transmitted is limited by the amount of key available. 3. It is sensitive to lost or inserted characters.

(b). Two fundamental Cryptographic Principles:
1. All encrypted messages must contain some redundancy (information needed to misunderstand the message) to prevent active intruders from tricking the receiver into acting on a false message. 2. Some measures must be taken to prevent active intruders from playing back old messages.

(c ). Secret-Key algorithms:
The object is to make the encryption algorithm so complex and involuted that even if the cryptanalyst acquires vast mounds of enciphered text of his own choosing, he will not be able to make any sense of it at all. Transpositions and substitutions can be implemented with simple circuits like P-boxes and S-boxes respectively. P-box( Permutation-box ): Used to effect a transposition on an 8-bit input. If the 8 bits are designated as 01234567 from top to bottom, the output of this box is 36071245. By appropriate internal wiring, a P-box can be made to perform any transposition and do it practically the speed of light. S-box( Substitution-box ): Substitutions are performed by S-boxes. The n-bit input selects one of the 8 lines exiting from the first stage and sets it to 1. All the other lines are 0.

6

www.jntuworld.com

www.jntuworld.com

JNTUWORLD There are mainly 3 secret-key algorithms. They are: 1. DES 2. DES-CHAINING 3. IDEA 1. DES ( Data Encryption Standard ) :

The Application Layer

It is basically a mono-alphabetic substitution cipher using a 64-bit character. In this, plain text is encrypted in blocks of 64-bits, yielding 64 bits of cipher text. The algorithm, which is parameterized by a 56-bit key , has 19 distinct stages. The first stage is a key independent transposition on the 64-bit plain text. The last stage is the exact inverse of this transposition. The stage prior to the last one exchanges the left most 32-bits with the right most 32-bits. The remaining 16 stages are functionally identical but are parameterized by different functions of the key. The algorithm has been designed to allow decryption to be done with the same key as encryption. The steps are just run in reverse order. The operation of one of these stages is illustrated in the figure below:

7

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a copy of the right input. The right output is the bit-wise EXCLUSIVE-OR of the left input and a function of the right input and the key for this stage, ‘Ki’. The function consists of 4 steps, carried out in sequence. 1. A 48-bit number, E , is constructed by expanding the 32-bit Ri-1 according to a fixed transposition and duplicate rule. 2. E and Ki are EXCLUSIVE-OR ed together. 3. This output is then partitioned into 8 groups (each of 6-bits), each of which is fed into a different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output. 4. Finally, these 8 x 4 bits are passed through a P-box. In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit transposition is applied to the key. Just before each iteration, the key is partitioned into two 28bit units, each of which is rotated left by a number of bits dependent on the iteration number. Ki is derived from this rotated key by applying yet another 56-bit transposition to it. A different 48bit subset of the 56-bits is extracted and permuted on each round. 2. DES-CHAINING: Electronic code book mode: To overcome the problem of DES, this method is used in which a long message is encrypted by breaking it up into consecutive 8-byte(64-bit)blocks and encrypting them one after another with the same key. The last block is padded out to 64-bits, if need be. Let us consider an example in which a file consisting of consecutive 32-byte records in the format….16 bytes for name,8 bytes for the position and 8 bytes for the bonus of an employee in an organization. Each of the sixteen 8-byte blocks is encrypted by DES.

8

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

To overcome some types of attacks, DES is chained in various ways. One of the ways is Cipher Block Chaining. In this method, each plain text block is EXCLUSIVE-OR ed (#) with the previous cipher text block before being encrypted. Consequently, the same plain text block no longer maps on to the same cipher text block, and the encryption is no longer a big monoalphabetic substitution cipher. The first block is EXCLUSIVE-OR ed with a randomly chosen initialization vector, IV, that is transmitted along with the cipher text. Error!

Working: 1. compute C0 = E ( P0 XOR IV ) 2. Then, compute C1 = E ( P1 XOR C0 ) and so on. 3. The encryption of block ‘i’ is a function of all the plain text in blocks 0 through i-1, so the same plain text generates different cipher text depending on where it occurs. 4. The decryption occurs the other way , with P0 = IV XOR D (C0) and so on. Advantage: The same plain text block will not result in the same cipher text block, making cryptanalysts more difficult. Disadvantage: It requires an entire 64-bit block to arrive before decryption can begin. To overcome this disadvantage, byte-by-byte encryption is done using Cipher Feedback mode. In the figure, the state of encryption machine is shown after bytes 0 through 9 have been encrypted and sent. When plain text byte-10 arrives, the DES algorithm operates on the 64-bit shift register to generate 64-bit cipher text, in which the left most byte is extracted and

9

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

EXCLUSIVE-OR ed with P10. That byte is transmitted on the transmission line. In addition, the shift register is shifted left 8bits, causing C2 to fall off the left end , and C10 is inserted in the position just vacated at the right end by C9. Decryption is done by encrypting the contents of the shift register so that the selected byte that is EXCLUSIVE-OR ed with C10 to get P10 is the same one that was EXCLUSIVE-OR ed with P10 to generate C10 in the first place. Error!

For applications which require messing up 64-bits of plain text by having a 1-bit transmission error, Output feedback mode is used. It is identical to cipher feedback mode except that the byte fed back into the right end of the shift register is taken from just before the EXCLUSIVEOR box, not just after it. Advantage: It has the property that a 1-bit error in the cipher text causes only a 1-bit error in the resulting plain text. 3. IDEA (International Data Encryption Algorithm): The basic structure of the algorithm resembles DES in that 64-bit plain text input blocks are mangled in a sequence of parameterized iterations to produce 64-bit cipher txt output blocks. Given the extensive bit mangling, 8 iterations are sufficient. IDEA can be used in cipher feedback mode and other DES modes.

10

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

In the above figure, the details of one iteration are depicted, in which three operations are used, all on unsigned 16-bit numbers. These operations are EXCLUSIVE-OR, addition modulo 216 , and multiplication modulo 216 + 1. The operations have the property that no two pairs obey the associative law or distributive law, making cryptanalysis more difficult. The 128-bit key is used to generate 52 sub keys of 16-bits each, 6 for each of 8 iterations and 4 for the final transformation. Decryption uses the same algorithm as encryption, only with different sub keys.

(d). Public-Key algorithms:
Diffie and Hellmann proposed a new kind of crypto system, one in which the encryption and decryption keys were different, and the decryption key could not be delivered from the encryption key. In their proposal, the encryption algorithm, E, and the decryption algorithm, D, had to meet the following 3 requirements: 1. D(E(P)) = P. 2. It is exceedingly difficult to deduce D from E. 3. E cannot be broken by a chosen plain text attack. The main object in this is that the Encryption key is made public. Hence, the name Public-Key Cryptography.

11

www.jntuworld.com

www.jntuworld.com

JNTUWORLD The RSA algorithm:

The Application Layer

One of the Public-key algorithms is the RSA algorithm. This was discovered by Rivest, Shamir, Adleman and is based on the following principles: 1. Choose two large primes, p and q. (typically greater than 10100) 2. Compute n = p * q and z = (p-1) * (q-1) 3. Choose a number relatively prime to z and call it d. 4. Find e such that e * d = 1 mod z In this algorithm, the plain text is divided into blocks, so that each plain text message, P, falls in the interval 0 ≤ P < n. This can be done by grouping the plain text into blocks of K bits, where K is the largest integer for which 2k < n is true. To encrypt a message, P, compute C = Pe (mod n) i.e., e and n are needed to do so. To decrypt a message, C, compute P = Cd (mod n) i.e., d and n are needed to do so. Therefore, the public key consists of the pair (e, n) and the private key consists of the pair (d, n).

In the above example, the encryption of the plain text “SUZANNE” is shown: p = 3, q = 11, n = 33, z = 20 d = 7 ( since 7 and 20 have no common factors) 7e = 1 (mod 20) e=3 C = P3 (mod 33) P = C7 (mod 33) 12

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Encryption:
C = = = = = = = Me mod n 887 mod 187 [ (884 mod 187) * ( 882 mod 187) * ( 881 mod 187] mod 187 [ (59,969,536 mod 187)(7744 mod 187)(88 mod 187)] mod187 (132 * 77 * 88) mod 187 894,432 mod 187 11

The Application Layer

Decryption:
M =Cd mod n =1123 mod 187 =[(111 mod 187)* (112 mod 187)* (114 mod 187)*(118 mod 187)* (118mod 187)] mod 187 =[(111mod187)*(121mod187)*(14,641mod187)*(214,358,881mod187)*(214,358,881mod187)]mod187 =(11 * 121 * 55 * 33 * 33) mod 187 =79,720,245 mod 187 =88.

If p = 3, q = 11, n = 33, Φ(n) = 20, d = 7 (because 7, 20 have no common factors) =>7e = 1 mod 20 =3 EXAMPLE : Plain text SUZANNE is to be transformed into Cipher text Senders Computation Receivers Computation

13

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Drawbacks: 1. The Brute force approach i.e., trying all possible private keys.

The Application Layer

2. Calculations involved in key generation, Encryption / Decryption are complex. 3. The larger the size of the key, the slower the system will run Advantage:The larger no. of bits in e, d, the more secure the algorithm is the…

(5). Authentication Protocols:
Authentication: It is the technique by which a process verifies that its communication partner is who it is supposed to be and not an imposter. It deals with the question of whether or not the user is actually communicating with a specific Process. Authentication Based on a shared secret key. Authentication Using a key Distribution Centre. Authentication Using Kerberos. Authentication Using public-key Cryptography

(1) Authentication Based on a shared secret key:
In this, both the users A and B share a secret key KAB. These protocols are based on a principle that one party send a random number to the other, who then transforms it in a special way and then returns result and are called Challenge Response Protocols. 2-way Authentication using Challenge - Response protocol :

14

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

M-1 : ALICE sends her identity ‘A’ to BOB in a way that BOB understands. M-2 : As Bob has no way of knowing from whom this message has come from actually , he picks a large random number RB and sends it back to ALICE in plaintext. M-3: ALICE then encrypts the message with the key she shares with BOB and sends cipher text, KAB(RB). M-4: After receiving, BOB confirms that this message is from ALICE but not from any other user because K(suffix)AB is shared only by ALICE. But ALICE has no way of confirmation that she is talking to BOB. To do so, she picks a random number RA and sends it to BOB as plain text. M-5: Now, when BOB responds with KAB(RA), ALICE gets the confirmation. Now, If A and B wish to establish a session key, ‘KS’, ALICE can send it to BOB encrypted with KAB. A Shortened 2-way Authentication protocol: Extra messages in above protocol can be eliminated by combining information as in the figure:

M-1:-ALICE initiates C-R Protocol. M-2:-BOB responds to ALICE’s challenge along sending his own. M-3:-ALICE then encrypts the message with the key she shares with BOB and sends cipher text, KAB(RB).

15

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

3 General Rules to design a correct Authentication protocol:1. Have the Initiator prove who she is before the responder has to. 2. Have the Initiator and Responder use different keys for proof, i..e, use 2 shared keys KAB and K'AB. 3. Have the Initiator and responder draw their challenges from different sets.

(I). The Diffie-Hellman Key Exchange: It is the protocol that allows strangers to establish a shared secret key. Working:1. Alice and Bob have to agree on 2 large prime numbers (which are public), n and g, where (n-1)/2, is also a prime and certain conditions apply to ‘g’. 2. Now, Alice &Bob respectively Picks large numbers x,y(say a512- bit) and keeps them secret. 3. Alice initiates key exchange protocol by sending by sending Bob a message containing (n, g, gx mod n), for which Bob responds with gy mod n. 4. Alice takes the number and raises it to xth power to get (gy mod n)x. Bob does the same and gets (gx mod n)y. 5. Thus, Alice &Bob now share a secret key, gxy mod n.

Example: n=47, g=3, x=8, y=10 1. Alice’s message to Bob : 47,3,28 (since 38mod 47 = 28) 2. Bob’s message to Alice : 17 3. Alice Computes 4. Bob computes (since 310mod47 = 17) = = 4 4 4. : 178mod 47 : 2810mod 47

Therefore, The Shared - Secret Key =

16

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The problem that is faced by Diffe - Hellman Key Exchange protocol is Bucket Brigade attack or WO(man)- in – the –middle attack. Consider a third person ‘c’ is involved in the interaction of A & B……… in the above algorithm.

1. A&B chooses x & y respectively while ‘c’ randomly chooses ‘z’. 2. When A sends message-1 interested for B,’C’ intercepts it and sends m-2 to B, using correct g and n. But with her own ‘z’ instead of ‘x’ and does same back to ‘A’ with m-3. 3. Later, ‘B’ sends M-4 to ‘A’ ,which was intercepted by ‘c’ and kept with it. 4. Modular Arithmetic being done by everyone, A Computes Secret Key as gxzmod n. B Computes Secret Key as gyzmod n. C Computes Secret Key as gxzmod n, gyzmod n. 5. Therefore, Every message sent by A on the encrypted session is captured by ‘C’, stored, modified if desired and then (optionally) passed to ‘B’. Similarly in other direction. i..e, A&B on under the illusion that they have a secure channel to one another while ‘C’ sees everything & can modify them. This attack is called Bucket Brigade Attack. (II): Authentication using KDC: In this model, each user has a single key shared with KDC. The simplest protocols is mouth frog” “wide-

17

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Working:

The Application Layer

1. 'A' picks a session key Ks and informs KDC that it wants to talk to 'B', with a message which is encrypted with a secret key(KA) 2. KDC decrypts this message, extracts B's identity and session key and constructs a new message containing A's identity and session key and sends to 'B', encrypted with KB shared by 'B' with KDC 3. 'B' decrypts and knows the 'A's wish and it's key. The Needham-Schroeder authentication protocol: Error!

Working:1. 'A' tells KDC that he wants to talk to 'B', with a message which contains a large random number, RA. 2. KDC sends back m-2 containing A's random number, a session key and a ticket that it can send to B. 3. Now, 'A' sends ticket to 'B', along with a new random number, RA2 encrypted with session key KS. 4. 'B' sends back Ks(RA2-1) to confirm 'A' that it is talking to 'B'. 5. 'B' is convinced that it is talking to 'A' only but with no other one. The Otway-Rees Authentication protocol:

18

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Working:-

The Application Layer

1. 'A' starts out by generating a pair of random number, R, which will be used as a common identifier and RA, which A will use to challenge 'B'. 2. When 'B' gets this message, he constructs a new message from the encrypted part of A's message and an analogous one of his own. 3. Both the parts encrypted with KA and KB identify A and B, contain the common identifier and contain a challenge. 4. The KDC checks to see if R in both parts is same, and if so, it believes that the request message from 'B' is valid and so it generates a session key and encrypts it twice (both for A and B). 5. Each message contains receiver’s random number, indicating that it was generated by KDC. 6. Now, A and B are in possession of same session key and can start communicating. (III). Authentication using KERBEROS: Kerberos was designed to allow workstation users to access network resources in a secure key. It involves three servers in addition to a client workstation: • • • Authentication Server (AS):- Verifies users during login Ticket-Granting Server (TGS):- issues "PROOF OF IDENTITY TICKETS" B, The Server:- Actually does the work 'A' wants performed

WORKING: • 'A' sits down at an arbitrary public work station and types his name, which is sent to 'AS' in plain text. • Session key and a ticket TGS (A, Ks) intended for TGS comes back, which are packed together and encrypted using A's secret key, so that only 'A' can encrypt them. • Only when message-2 arrives, the work station ask for A's password and this is used to generate KA in order to decrypt m-2 and obtain session key and TGS ticket inside it. • At this point, the workstation overwrites A’s password to make sure that it is only inside the workstation for a few milliseconds at most. • After 'A' logging in, she tells the workstation that she wants to contact 'B' the file server. 19

www.jntuworld.com

www.jntuworld.com

JNTUWORLD •

The Application Layer

The workstation then sends message-3 to the TGS asking for a ticket to use with 'B', with the key element KTGS(A, KS) encrypted by TGS's secret key as a proof of 'A'. The TGS responds by creating a session key KAB for 'A' to use with 'B'. Two versions of it are sent back, with first encrypted with KS intended for A and second encrypted with KB intended for 'B'. Now, 'A' sends KAB to 'B' to establish a session key with him, which is time stamped. After some series of exchanges, communication is established.

• •



(IV) . Authentication Using Public Key Cryptography: Working:- A and B know each other public keys 1. 'A' starts by encrypting her identity and a random number RA using B's public key EB. 2. when 'B' receives this message ,'B' sends back 'A' message containing A's RA, his own random number RB ,and a proposed session key KS.

3. When 'A' gets m-2, he decrypts it using his private key and agrees to session key by sending back m-3. 4. when 'B' sends RB encrypted with session key he just generated, he confirms that m-2 is received and RA is verified by 'A'. So, a session is established. 20

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

(6). DIGITAL SIGNATURES:
It is devised to replace hand-written signatures between 2 parties in a system in such a way that • • • The receiver can verify the claimed identity of the sender The sender cannot later repudiate the contents of the message. The receiver cannot possibly have concocted the message himself.

Different approaches:(a)Secret-key signatures (b)Public-key signatures (c)Message digests (d)Birthday attack (a) . Secret-key signatures: In this approach each user chooses a secret key and carries with by hand to a central authority (BB) that knows everything and by everyone. So only A and BB know A’s secret key KA and so on.

Working:1. When ‘A’ wants to send a signed plain text message, ‘P’ to ‘B’, she generates KA(B, RA, t ,p)and sends it. 2. BB sees that the sender is ‘A’ & decrypts the message and sends it to B. 3. The message to B contains the plain text A’s message and also signed message KBB(A, t, p) where ‘t’ is a timestamp. 4. ‘B’ now carries out A’s request. (b) . Public key signatures: In this, an assumption is made initially that public key encryption and decryption algorithms have the property E(D(p))=P in addition to D(E(p))=P. 21

www.jntuworld.com

www.jntuworld.com

JNTUWORLD Working:-

The Application Layer

1. ‘A’ sends a plain text message ‘p’ to B by transmitting EB(DA(p)). 2. When B receives the message ,he transforms it using his private key yielding DA(p) which is stored in a safe place and then decrypted using EA to get original plain text.

( c). Message Digests:
Def:A one-way hash function that takes an arbitrarily long of piece plain text from it Computes a fixed-length bit string is called a message digest and has 3 important properties. They are:• • • Given P, it is easy to compute MD (P). Given MD (P), it is effectively impossible to find P. No one generates 2 messages that have the same message digest.

Working:• ‘A’ first computes the message digest of her plain text ‘BB’ computes message digest by applying MD to P, yielding MD (P).BB then encloses KBB (A, t, MD (P)) as 5th item in list encrypted with KB that is sent to ‘B’. • She then signs the message digest and sends both the signed digest and plain text B.

22

www.jntuworld.com

www.jntuworld.com

JNTUWORLD (d). Birthday Attack:

The Application Layer

If there is some mapping between inputs and outputs with ‘n’ inputs (people, messages etc..) and ‘k’ possible outputs (birthday , message digests etc..), there are [n(n-1)/2] input pairs. If [n (n1)/2] >k ,the chance of having at least one match likely for n>√k. This result means that a 64-bit message digests can probably be broken by generating about 232 messages and looking for 2 with the message digest. The idea for this attack comes from a technique that mathematical professors often use in their probability courses. The question is : “ How many students do you need in a class before the probability of having 2 people with same birthday exceeds ½? ” The probability is 23 i.e., with 23 people, we can form (23*22)/2=253 different pairs, each of which has a probability of being a hit.

DNS--Domain Name System:
This is primarily used for mapping host and e-mail destinations to IP addresses but can also be used other purposes. DNS is defined in RFCs 1034 and 1035.

Working:• To map a name onto an IP address, an application program calls a library procedure called Resolver, passing it the name as a parameter. • The resolver sends a UDP packet to a local DNS server, which then looks up the name and returns the IP address to the resolver, which then returns it to the caller. • Armed with the IP address, the program can then establish a TCP connection with the destination, or send it UDP packets.

The DNS name space. Resource Records. Name Servers.

23

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

☼ The DNS name space:The Internet is divided into several hundred top level domains, where each domain covers many hosts. Each domain is partitioned into sub domains, and these are further partitioned as so on. All these domains can be represented by a tree, in which the leaves represent domains that have no sub domains. A leaf domain may contain a single host, or it may represent a company and contains thousands of hosts. Each domain is named by the path upward from it to the root. The components are separated by periods(pronounced “dot”) Eg: Sun Microsystems Engg. Department The top domain comes in 2 flavours:• Generic: com(commercial), edu(educational instructions), mil(the U.S armed forces, government), int (certain international organizations), net( network providers), org(non profit organizations). • Country: include 1 entry for every country. Domain names can be either absolute (ends with a period e.g. eng.sum.com) or relative (doesn’t end with a period). Domain names are case sensitive and the component names can be up to 63 characters long and full path names must not exceed 255 characters. = eng.sun.com.

Insertions of a domain into the tree can be done in 2 days:• • Under a generic domain Under the domain of their country ( Eg: cs.yale.edu) (E.g: cs.yale.ct.us)



Resource Records:
Every domain can have a sent of resource records associated with it. For a single host, the

most common resource record is just its IP address. When a resolver gives a domain name to

24

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

DNS, it gets both the resource records associated with that name i.e., the real function of DNS is to map domain names into resource records. A resource record is a 5-tuple and its format is as follows:

Domain _name : Tells the domain to which this record applies. Time- to- live : Gives an identification of how stable the record is (High Stable = 86400 i.e. no. of seconds /day) ( High Volatile = 1 min) Type: Tells what kind of record this is. Class: It is IN for the internet information and codes for non internet information Value: This field can be a number a domain name or an ASCII string

Type
SOA A MX NS CNAME PTR HINIF TXT

Meaning
Start Of Authority IP address of host Mail Exchange Name Server Canonical Name Pointer Host Description Text

Value
32-bit integer 32 bit integer Priority domain willing to accept Name of server for this domain Domain name Alias for an IP address CPU and OS in a ASCII Un interpreted ASCII Text



Name Servers:
It contains the entire database and responds to all queries about it. DNS name space is

divided up into non-overlapping zones, in which each zone contains some part of the tree and also contains name servers holding the authoritative information about that zone.

25

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

When a resolver has a query about a domain name, it passes the query to one of the local name servers: 1. If the domain being sought falls under the jurisdiction of name server, it returns the authoritative resource records ( that comes from the authority that manages the record, and is always correct). 2. If the domain is remote and no information about the requested domain is available locally the name server sends a query message to the top level name server for the domain requested. Eg: A resolver of flits.cs.vle.nl wants to know the IP address of the host Linda.cs.yale.edu

Step 1: Resolver sends a query containing domain name sought the type and the class to local name server, cs.vu.nl. Step 2: Suppose local name server knows nothing about it, it asks few others near by name servers. If none of them know, it sends a UDP packet to the server for edu-server.net. Step 3: This server knows nothing about Linda.cs.yale.edu or cs.yale.edu and so it forwards the request to the name server for yale.edu. Step 4: This one forwards the request to cs.yale.edu which must have authoritative resource records. Step 5 to 8: The resource record requested works its way back in steps 5-8 This query method is known as Recursive Query 3. When a query cannot be satisfied locally, the query fails but the name of the next server along the line to try is returned.

26

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Simple Network Management Protocol • SNMP - Version 1 • SNMP - Version 2 • SNMP - Version 3
SNMP was developed for use as a n/w management tool for N/W and internet works operating TCP/IP. It includes the following key elements: 1. Management Station or Manager 2. Agent 3. Management Information Base 4. N/W Management Protocol

Management Station serves as interface for human N/W manager into network Management system. It will have the following: 1. A set of management applications for data analysis fault recovery and so on. 2. An interface by which the n/w manager may monitor and control the n/w. 3. The capability of translation the n/w managers requirements into the actual monitoring and control of remote elements in the n/w. 4. A data base of n/w management information extracted from the databases of all the managed entities in the n/w. Management Agent software equips key platforms such as hosts, Bridges, routers and hubs so that they may be managed from a management station. The agent responds to requests for information from a management station, responds to requests for actions from management station, and may asynchronously provide management station with important but unsolicited information. To manage resources in the n/w, each resource is represented as an object (a data variable that represents one aspect of managed agent). The collection of objects is referred to as a Management Information Base (MIB). The MIB functions as a collection of access points at the agent for management station. A management station performs the monitoring function by retrieving the value of MIB objects.

27

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

The management station and agents are linked by a n/w management protocol. The protocol used for the management of TCP/IP network is SNMP. includes the following key capabilities: • • • GET: Enables the management station to retrieve the value of objects at the agent SET: Enables the management station to set the value of objects at the agent NOTIFY: Enables an agent to send unsolicited notifications to management station of Significant events Each of these protocols

SNMP – V1 Configuration:

Role of SNMP-V2 :

28

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

From management station, 3 types of SNMP messages are issued or behalf of a Management application: Get Request , Get Next Request and Set Request. All these 3 messages are acknowledge by the agent in the form of Get Response message which is passed up to management application. In addition the agent may issue a type message in response to an event that effect the MIB and the underlying managed resources. Management requests are sent to UDP port 161 , while the agent sends traps to UDP port 162.

SNMP-V2: It provides a framework on which n/w management , performance , monitoring ,
accounting and so on. Error!

Each player in the N/w management system maintains a local database of information relevant to N/W management, a known as MIB. The SNMPV2 standard defines the structure of this info and the allowable data types. This information is known as Structure of Management Information (SMI). One system is responsible for N/W management while the other systems art and role of agent. An agent collects the information and stores it for later access by a manager. The information includes data accounts the system it self and may also include traffic information for N/W to which the agent attaches.

29

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

SMI: It defines the general framework with in which a MIB can be defined and constructed.
The SMI identifies the data types hat can be used in MIB, and how resources with in MIB are represented and named. The MIB can store only simplify the task of implementation and to enhance interoperability. There are 3 key elements in SMI specification: 1. At lowest level, the SMI specifies the data types that may be stored. 2. Then SMI specifies a formal technique for defining objects and tables of objects. 3. Finally, SMI provides a scheme for associating a unique identifies with each actual object in a system, so that a manager can reference data at an agent.

Protocol operation:The protocol provides a straight forward, basic mechanism for the exchange of management information between agent and manager. The basic unit of exchange is message, which consists of an outer message wrapper and an inter protocol data unit .The outer message header deals with security. 7 types of PDU s may be carried in an SNMP message. (a).Get-Request-PDU, Get-Next-Request-PDU, Set-Request-PDU, SNMPV2-TrapPDU, Inform-Request-PDU: PDU type (b). Response-PDU: PDU type Req-id Error-status Error-index Variable-bindings Req -id 10 Variable-bindings

(c). Get-Bulk-Request-PDU: PDU type Req-id Non-repeaters Max-repetitions Variable-bindings

(d). Variable bindings: Name 1 Value 1 Name 2 Value 2 …………… Name n Value n

30

www.jntuworld.com

www.jntuworld.com

JNTUWORLD •

The Application Layer

GET REQUEST-PDU: Includes a list of one (or) more object names for which values are requested .If the get operation is successful, and then the responding agent will send a Response-PDU GET NEXT REQUEST-PDU: Includes a list of one (or) more objects .For each object named in variable-bindings field, a value is to be returned for the object that is next in lexographic order GET BULK REQUEST-PDU: The purpose is to minimize the number of protocol exchanges required to retrieve a large amount of management information .It allows manager to request that the response be as large as possible given the constraints or message size SET REQUEST-PDU: Used to request that the values of one (or) more objects be altered .The operation is atomic SNMPV2-TRAP-PDU: It is generated when an unusual event occurs and is used to provide management station with asynchronous notification of some significant event .It is an unconfirmed message INFORM REQUEST-PDU: It is sent on behalf of an application to provide management information to an application using it VARIABLE BINDINGS: Used to convey the associated information













SNMP-V3: This defines an over all SNMP architecture and a set of security capabilities .It
provides 3 important services: • • • Authentication Privacy Access Control Part of User-Based Security Model (USM) Defined in View-Based Access Control Model (VACM)

The Authentication mechanism in USM assures that a received message was transmitted by the principal whose identifier appears as the source in message header .It also assumes that the message has not been altered in transit and has not been artificially delayed (or) replayed .The sending principal provides authentication by including a message authentication code with SNMP message it is sending .The code is a function of the message contents, the identity of

31

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

sending and receiving parities, the time of transmission and a secret key that should be known only to sender and receiver . The configuration/network manager distributes the secret keys and so they are kept outside of USM .When the receiving principal gets the message, it uses the same secret key to calculate the message authentication code once again and if it is matched with the appended value of incoming message, the receiver confirms that the sender is the authorized one. The authentication code is called HMAC. The privacy facility of USM enables managers and agents to encrypt messages, by sharing a secret key between them. If they are configured to use the privacy facility, all traffic between them is encrypted using DES. The access control facility makes it possible to configure agents to provide different levels of access to the agents Management Information Base (MIB) to different managers. An agent principal can restrict access to its MIB for a particular manager principal in 2ways:• • It can restrict access to a certain portion of its MIB It can limit the operations that a manager can use on that portion of MIB

E-MAIL
(Used in RFC 821,822 in internet)

1. Architecture and Services:
E-mail systems consist of two subsystems. They are:• • (a). User Agents, which allow people to read and send e-mail (b). Message Transfer Agents, which move messages from source to destination

E-mail systems support 5 basic functions:• • • • • Composition Transfer Reporting Displaying Disposition

32

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

(a).Composition: It refers to the process of creating messages and answers. Any text editor is used for body of the message. While the system itself can provide assistance with addressing and numerous header fields attached to each message (b).Reporting: It has to do with telling the originator what happened to the message that is, whether it was delivered, rejected (or) lost. (c).Transfer: It refers to moving messages from originator to the recipient (d).Displaying: Incoming messages are to be displayed so that people can read their email. (e).Disposition: It concerns what the recipient dose with the message after receiving it. Possibilities include throwing it away before reading (or) after reading, saving it and so on

(2). The User Agent: It is normally a program that accepts a variety of commands for
composing, receiving and replying to messages as well as for manipulating mail boxes. • Sending E-mail: To do so, User must provide the messages, the destination address and possibly some other parameters (Eg: the priority (or) security level). The message can be produced with a free-standing text editor, a word processing program or possibly with a text editor built into the user agent. The destination address must be in a format that the user agent can deal with. Many user agents expect DNS address of the form mailbox @ location. Reading E-mail : When a user agent is started up, it will look at the user’s mailbox for incoming mail before displaying anything on the screen. Then it may announce the no. of messages in the mailbox or display a one-line summary of each one and wait for a command. Each display line contains several fields(extracted from the header of the corresponding message) like…….. Eg:



# 1 2

Flags K KA

Bytes 1030 6348

Sender ASW SAM 33

Subject changes to MIN-MAX RC: Hai

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer : : Message Number. K- Message is not new but already read. KA - Message has already been answered.

1st field(#) 2nd field(flags) 3rd field(Bytes) 4th field(sender) 5th field(subject)

: : :

Tells how long the message is. Tells who sent the message. Gives brief summary of what the message is about.

After the headers have been displayed, the user can perform any of the commands available.

Message Formats :
• • RFC 822 (SMTP) RFC 1551 (MIME)

(1). RFC 822 : Messages consist of a primitive envelope, some no. of header fields, a blank line and then the message body. Each header field consists of a single line of ASCII text containing the fieldname, a colon and a value. The principal header fields related to message transport one :

34

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

After the headers, comes the message body. Users can put whatever they want here.

(outgoing-mail)

(incoming-mail) Each Queued message has 2 parts : • • The message text, consisting of RFC 822 header and body of message. A list of mail destinations.

The SMTP Sender takes messages from the outgoing mail queue and transmits them to proper destination host via SMTP transactions over one or more TCP connections to port 25 on target hosts.

35

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Pretty Good Privacy (PGP) :
• This is a complete e-mail security package that provides privacy, digital signatures and compression, • all in easy-to-use form. authentication,

The complete package along with all the source code is distributed free of change via the internet, bullet in boards and of commercial networks. Due to its quality, price (zero) and easy availability on MS-DOS/WINDOWS, MACINTOSH platforms, it is widely used today. It is largely based on RSA, IDEA and MD5. PGP supports text compressor , secrecy, and digital signatures and also provides extensive key management facilities. UNIX and



• •

Working:



Alice wants to send a signed plaintext message ‘p’ to bob in a secure way in which each one of them posses private(Dx) and public (Ex) RSA keys and each one knows the others public key.

• •

Alice starts out by invoking the PGP program on her computer. PGP first hashes her message , p , using MD5 and then encrypts the resulting hash using her private RSA key, DA.



When Bob eventually gets the message , he can decrypt the hash with Alice’s public key and verify that the hash is correct.

36

www.jntuworld.com

www.jntuworld.com

JNTUWORLD •

The Application Layer

The encrypted hash and original message are now concatenated into a single message , PI, and compressed using the ZIP program (which uses the Ziv-Lempel algorithm ) in which the output is (PI).(Z)



Now, PGP prompts ALICE for some random input, by which a 128-bit IDEA message key, KM is generated which encrypts (PI).(Z) in cipher feedback mode.

• • • •

In addition, KM is encrypted with Bob’s public key, EB. These 2 components are then concatenated and converted into base-64. The resulting message then contains only letter, digits and the symbols +,/ and =. When Bob gets the message , he reserves the base-64 encoding and decrypts the IDEA key using his private RSA key.

• •

Using this key, he decrypts the message to get (PI).(Z) After decompressing it, Bob separates the plain text from encrypted hash and decrypts the hash using Alice’s public key.

PGP Supports 3 RSA key lengths :1. Casual (384 bits): can be broken by folks with large budgets. 2. Commercial(512-bits): Might be breakable by 3 letter organizations. 3. Military(1024 bits):not breakable by anyone on earth. PGP Message Format: ID Of EB Km Time ID Of EA Types MD5 Message File Hash Header Name Time Message

The message has 3 parts :1) The message key part , which contains both the key and key identifier. 2) The signature part , which contains

37

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Header Timestamp Identifier for sender’s public key that can be used to decrypt the signature hash Some type information that identifies the algorithm used. The encrypted hash itself. 3) The Message part, which contains Header The default name of the file to be used if the receiver writes the file to the desh A message creation time stamp Message itself PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth: 1. It is available free worldwide in versions that run on a variety of platforms, including DOS/Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with the vendor support. 2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS and DeffieHellman for public key encryption; CAST-128, IDEA, and 3DES for conventional encryption and SHA-1 for hash coding. 3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks.

38

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

PGP intentionally uses existing cryptographic algorithm rather than inventing new ones. It is largely based on RSA, IDEA and MD5 all algorithms that have withstood extensive peer review and were not designed or influenced by any government agency. PGP supports text compression, secrecy and digital signatures and also provides extensive key management facilities. PGP ENVIRONMENT: PGP’s primary purpose is to send messages: signed and encrypted. PGP also allows sending messages that are only signed. The intended receiver can only read encrypted messages. Using public-key cryptography, the sender does not have to exchange a secret key with the receiver. If the sender has the receiver’s public key, then she can send him a message. Encrypted PGP messages can be addressed to one receiver or several receivers. PGP can also be used to send signed but unencrypted messages. These messages are in the clear: Anyone can read them. Also, anyone who has the sender’s public key can verify the integrity and authentication of the messages. This type of security is useful for messages posted to Usenet newsgroups. PGP SUBSYSTEMS: There are normally two subsystems: USER AGENTS MESSAGE TRANSFER AGENTS

• •

User agents allow people to read and send email. The user agents are local programs that provide a command-based, menu based or geographical method for interacting with the email system. Message Transfer agents move the message from the source to the destination. The agents are typically system daemons that run in the background and move email through the system.

39

www.jntuworld.com

www.jntuworld.com

JNTUWORLD BASIC FUNCTIONS: Email systems support 5 basic functions, they are. Composition Transfer Reporting Displaying Disposition

The Application Layer

COMPOSITION: It refers to the process of creating message and answers. Although any text editor can be used for the body of the message, the system itself can provide assistance with addressing and the numerous header fields attached to each message. TRANSFER: It refers to moving messages from the originator to the recipient. In large part this requires establishing a connection to the destination or some intermediate machine, outputting the message and releasing the connection. automatically. REPORTING: It has to do with telling the originator what happened to the message. Was it delivered? Was it rejected? Was it lost numerous applications exist in which confirmation of delivery is important and may even have legal significance. DISPOSITION: It is the final step and concerns what the recipient does with the message after receiving it. Possibilities include throwing it way before reading, throwing it away after reading, saving it and so on. It should also be possible to retrieve and reread saved messages, forward them, or process them in other ways. PGP OPERATION FOR SENDING A MESSAGE : PGP first hashes her message ‘P’ using MD5 and then encrypts the resulting hash using private key DA and decrypts by public key and verify that the hash is correct. Even if someone could acquire the hash at this stage and decrypt it with public key the strength of MD5 guarantee The email system should do this

40

www.jntuworld.com

www.jntuworld.com

JNTUWORLD
Km RSA

The Application Layer

P SHA RSA X ZIP IDEA X BASE 64

C

that it would be computationally infeasible to produce another message with the same MD5 hash. The encrypted hash and the original message are now concatenated in to a single message P1 and compressed using the Zip program, and thus the output of this step P1.Z. The content and the typing speed are used to generate a 128-bit IDEA message key, KM is now used to encrypt P1.Z with IDEA in cipher feedback mode. KM is also encrypted with public key EB these two components are then concatenated and converted to base 64. When the opponent receives the message he reverse the base 64 encoding and decrypts the IDEA key using Private key. Using this key decrypts the message to get P1.Z after decompressing it separates the plaintext from the encrypted hash and decrypts the hash using public key. If the plain text hah agrees with his own MD5 computation thus the opponent ‘P’ assures that it is the correct message. PGP SERVICES: Digital signature Message encryption Compression Email compatibility Segmentation OPRATIONAL DESCRIPTION : Authentication Confidentiality Compression E-mail compatibility Segmentation

41

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

1) Digital signature provides message authentication and protects two parties who exchange message from any third party by using an algorithm DSS/SHA or RSA/SHA. A hash code of a message is created using SHA-1 which is an public-key encryption algorithm takes a input message of arbitrary length and produces as output 128-bit message digest. The input is processed in 512-bit blocks. This message digest is encrypted using DSS or RSA. 2) The RSA scheme is a block cipher in which the plaintext and cipher text are integer between 0 and n-1 for some n. The plaintext is encrypted in blocks, with sender private key and each block having a binary value less than some number ‘n’ and included with the message. 3) A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient’s public key, and included with the message. 4) A message may be compressed for storage or transmission using Zip. 5) E-mail compatibility uses Radix 64-conversion algorithm to provide transparency for Email application and encrypted message may be converted to an ASCII string. CRYPTOGRAPHIC KEYS : PGP makes use of four types of keys a) One-time Session Conventional Keys : provides only one key for entire process. b) Public key : The purpose of making your key so that it is available in a common database where everybody can have access to it for the purpose of encrypting message also. c) Pass phrase-based conventional keys : The pass phrase really has only one purpose, but a very important one. The pass phrase is hashed to become the key to which our private key is encrypted. It’s whole purpose is to protect your private key so that no one else can use your private key. This is why any time you try to use private key you are prompted to enter your pass phrase so you need your pass phrase to sign a message, to decrypt a message, to revoke a key, to add name or E-mail address to your key etc.

42

www.jntuworld.com

www.jntuworld.com

JNTUWORLD KEY IDENTIFIERS :

The Application Layer

A key ID is also required for the PGP digital signature. Because a sender may use one of a number of private keys to encrypt the message digest, the recipient must know which public key is intended for use. Accordingly< the digital signature component of a message includes the 64-bit key ID of the required public key when the message is received, the recipient verifies that the key ID is for a public key that it knows for that sender and then proceeds to verify the signature. Now that the concept of key ID has been introduced, we take a more detailed look at the format of a transmitted message. A message consists of three components: 1. 2. 3. Message component Signature component Session key component

1. Message component: It includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specific the time of creation. 2. Signature component: It includes the following components: Timestamp: The time at which signature was made. Message digest: The 160-bit SHA-1 digest, encrypted with the sender’s private signature key. The digest is calculated over the signature timestamp concatenated with the data portion of the message component. The inclusion of the signature timestamp in the digest assures against replay types of attacks. The exclusion of the filename and timestamp portions of the message component ensures that detached signatures are exactly the same as attached signatures prefixed to the message. Detached signatures are calculated on separate files that has none of the message component header fields. Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest for authentication. By comparing this plaintext copy of the first two octets with the first two octets of the decrypted digest. These octets also serve as a 16-bit frame-check sequence for the message.

43

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Key ID of sender’s public key: Identifies the public key that should be used to decrypt the message digest and, hence, identifies the private key that was used to encrypt the message digest General format of PGP message :

3. Session key component: It includes the session key and the identifier of the recipient’s public key that was used by the sender to encrypt the session key. KEY RINGS : The scheme used in PGP is to provide a pair of data structures at each node, one to store the public/private key pairs owned by that node and one to store the public keys of other users known at this node these data structures are referred to, respectively as the following: Private-key ring Public –key ring PRIVATE KEY-RING : Each row represents one of the public/private key pairs owned by this user. Each row contains the following entries: Timestamp key ID Public-key private-key : The date/time where this key pair was generated. : The least significant 64 bits of the public key for this entry. : The Public-key portion of the pair. : The Private-key portion of the pair. This field is encrypted. 44

www.jntuworld.com

www.jntuworld.com

JNTUWORLD User-ID

The Application Layer

: Typically, this will be the user’s e-mail address, the user may choose to associate a different name with each pair or to reuse the same user-ID more than once.

The private key ring can be indexed by either user-ID, although it is intended that the private key ring be stored only on the machine of the user that created and owns the key pair and that it be accessible only to that user it makes sense to make the value of the private-key secure as possible. Accordingly, the private key itself is not stored in the key ring. Rather, this key is encrypted using IDEA or 3DES the procedure is as follows: 1. The user selects a pass phrase to be used for encrypting private keys. 2. When the system generates a new public/private key pair using RSA, it asks the user for the pass phrase using SHA-1, a 160-bit hash code is generated from the pass phrase, and the pass phrase is discarded. 3. The system encrypts the private key using CAST_128 with the 128 bits of the hash code as the key. The hash code is then discarded, and the encrypted private key is stored in the private-key ring. 4. When the user access the private key ring to retrieve a private key then we must supply the pass phrase, PGP will retrieve the encrypted private key, generate the hash code of the Pass phrase and decrypt the encrypted private key using cast-128 with hash code. PUBLIC KEY RING : It is used to store public keys of users that are known to this user: Timestamp Key ID Public key User ID : : : : The date/time when this entry was generated. The last significant 64bits of the public key for this entry. The public key for this entry. The owner of this key. multiple user ID’s may be associated with a single public key. The public-key ring can be indexed by either user ID or keyed. First consider message transmission and assume the sending PGP entity performs the following steps:

45

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

Signing the message: PGP retrieves the sender’s private key from the private key ring using your user -id as an index. If your user-id was not provided in the command the first private key on the ring is retrieved PGP prompts the user for the pass phrase to recover the unencrypted Private key. The signature component of the message is constructed Encrypting the message: PGP generates a session key and encrypts the msg. PGP retrieves the recipients public key from the public-key ring using user-id as an index. The session key component of the message is constructed The receiving PGP entity performs the following steps: Decrypting the message: PGP retrieves the receiver’s private key from the private –key ring using the key ID field in the session key component of the message as an Index. PGP prompts the user for the pass phrase to recover the unencrypted Private-key. PGP then recovers the session key and decrypts the msg. Authenticating the message: PGP retrieves the sender’s public key from the public-key, using the Key-id field in the signature key component of the message as an index. PGP recovers the transmitted message digest. PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate. MERITS OF PGP: 1. We can generate our own public\private key pairs 2. We can have multiple keys for different uses, and can replace a key whenever desired. 3. It uses established and peer reviewed encryption algorithm 4. It is free for personal use. 5. You can securely communicate with users of other operating systems, and with any email address. 6. All PGP encryption functions take place on your own computer, with your private Keys residing only on your computer. 7. PGP is public key encryption that does not require the transmission of a secret pass phrase. 8. It includes digital signatures that assures that the message/file is not altered, and is from

46

www.jntuworld.com

www.jntuworld.com

JNTUWORLD who it is suppose to be from.

The Application Layer

9. There is no backdoor, key recovery, or key function that would allow anyone else access to your encrypted messages/files 10. PGP includes multiple other features such as file wiping, free space wiping, PGP disk and PGP net NOTATIONS: Ks Kra Session key used in conventional encryption scheme. Private key of user A used in public-key encryption scheme. Public key of user A used in public-key encryption scheme. Public-key encryption. Public-key decryption. Conventional encryption. Conventional decryption. Hash function. Concatenation Compression using Zip algorithm. Coversion to radix 64 ASCII format.

Kua Ep Dp Ec Dc H || Z R64 -

47

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

48

www.jntuworld.com

www.jntuworld.com

JNTUWORLD

The Application Layer

49

www.jntuworld.com

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close