CN Unit-5
CN Unit-5
It is Very difficult to find out the ip address associated to a website because there are
millions of websites and with all those websites we should be able to generate the ip
address immediately,
there should not be a lot of delay for that to happen organization of database is very
important.
DNS record – Domain name, ip address what is the validity?? what is the time to live ??
and all the information related to that domain name. These records are stored in tree like
structure.
Namespace – Set of possible names, flat or hierarchical . Naming system maintains a
collection of bindings of names to values – given a name, a resolution mechanism returns
the corresponding value –
Name server – It is an implementation of the resolution mechanism.. DNS (Domain Name
System) = Name service in Internet – Zone is an administrative unit, domain is a subtree.
The host request the DNS name server to resolve the domain name. And the name server
returns the IP address corresponding to that domain name to the host so that the host can
future connect to that IP address.
E-mail Security
Nowadays, e-mail has become very widely used network application. Let’s briefly discuss
the e-mail infrastructure before proceeding to know about e-mail security protocols.
E-mail Infrastructure
The simplest way of sending an e-mail would be sending a message directly from the
sender’s machine to the recipient’s machine. In this case, it is essential for both the
machines to be running on the network simultaneously. However, this setup is impractical
as users may occasionally connect their machines to the network.
Hence, the concept of setting up e-mail servers arrived. In this setup, the mail is sent to a
mail server which is permanently available on the network. When the recipient’s machine
connects to the network, it reads the mail from the mail server.
In general, the e-mail infrastructure consists of a mesh of mail servers, also termed
as Message Transfer Agents (MTAs) and client machines running an e-mail program
comprising of User Agent (UA) and local MTA.
Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs
and finally reaches the UA on the recipient’s machine.
If message integrity, authentication, and non-repudiation services are also needed in this
scenario, the following steps are added to the above process.
The sender produces hash of message and digitally signs this hash with his private
key, SPVT.
The sender sends this signed hash to the recipient along with other components.
The recipient uses public key SPUB and extracts the hash received under the sender’s
signature.
The recipient then hashes the decrypted message and now compares the two hash
values. If they match, message integrity is considered to be achieved.
Also, the recipient is sure that the message is sent by the sender (authentication).
And lastly, the sender cannot deny that he did not send the message (non-
repudiation).
One-to-Multiple Recipients E-mail
In this scenario, the sender sends an e-mail message to two or more recipients. The list is
managed by the sender’s e-mail program (UA + local MTA). All recipients get the same
message.
Let’s assume, the sender wants to send confidential e-mail to many recipients (say R1, R2,
and R3). The provision of privacy in this case is achieved as follows −
The sender and all recipients have their own pair of private-public keys.
The sender generates a secret symmetric key, Ks and encrypts the message with
this key.
The sender then encrypts KS multiple times with public keys of R1, R2, and R3,
getting R1PUB(KS), R2PUB(KS), and R3PUB(KS).
The sender sends encrypted message and corresponding encrypted K S to the
recipient. For example, recipient 1 (R1) receives encrypted message and R1PUB(KS).
Each recipient first extracts key KS by decrypting encoded KS using his private key.
Each recipient then decrypts the message using the symmetric key, KS.
For providing the message integrity, authentication, and non-repudiation, the steps to be
followed are similar to the steps mentioned above in one-to-one e-mail scenario.
One-to-Distribution List E-mail
In this scenario, the sender sends an e-mail message to two or more recipients but the list
of recipients is not managed locally by the sender. Generally, the e-mail server (MTA)
maintains the mailing list.
The sender sends a mail to the MTA managing the mailing list and then the mail is
exploded by MTA to all recipients in the list.
In this case, when the sender wants to send a confidential e-mail to the recipients of the
mailing list (say R1, R2, and R3); the privacy is ensured as follows −
The sender and all recipients have their own pair of private-public keys. The
Exploder Server has a pair of private-public key for each mailing list (List PUB, ListPVT)
maintained by it.
The sender generates a secret symmetric key K s and then encrypts the message
with this key.
The sender then encrypts KS with the public key associated with the list, obtains
ListPUB(KS).
The sender sends encrypted message and List PUB(KS). The exploder MTA decrypts
ListPUB(KS) using ListPVT and obtains KS.
The exploder encrypts KS with as many public keys as there are members in the list.
The Exploder forwards the received encrypted message and corresponding
encrypted KS to all recipients in the list. For example, the Exploder forwards the
encrypted message and R1PUB(KS) to recipient 1 and so on.
For providing the message integrity, authentication, and non-repudiation the steps to be
followed are similar as given in case of one-to-one e-mail scenario.
Interestingly, the e-mail program employing above security method for securing e-mail is
expected to work for all the possible scenarios discussed above. Most of the above
security mechanisms for e-mail are provided by two popular schemes, Pretty Good Privacy
(PGP) and S/MIME. We discuss both in the following sections.
PGP
Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto
standard for providing security services for e-mail communication.
As discussed above, it uses public key cryptography, symmetric key cryptography, hash
function, and digital signature. It provides −
Privacy
Sender Authentication
Message Integrity
Non-repudiation
Along with these security services, it also provides data compression and key
management support. PGP uses existing cryptographic algorithms such as RSA, IDEA,
MD5, etc., rather than inventing the new ones.
1. Confidentiality
This deals with how many people can understand the information that is being transmitted other than the
two parties that are engaged in the conversation. If more people are able to read the files, it means the
communication system is not secure.
2. Integrity
This deals with how easily the information that is being transmitted may be altered on its way from one
spot to another without either the sender or the receiver being aware of the changes to its content.
3. Non-repudiation
Whether or not the creator of the piece of communication may be able to deny the intentions behind
creating the message or its mode of transmission at a later stage.
4. Authentication
The sender and the receiver should both be able to confirm each other's identity as well as the point of
origin of the transmitted information. This is a crucial first step towards establishing the veracity of the
transmitted file.
The aim of cyber security is to attempt to create encryption systems that perform perfectly on all four of
the above-mentioned parameters. This can be almost impossible to fully accomplish, since the strength of
the encryption depends not only on computer programs but also on human behavior. The best security
systems in the world can still be defeated by an easily-guessed password, or the user not logging out after
a session or discussing security information with outsiders.
Today, cryptography uses some of the finest computer and mathematical minds on the planet. Every
industry on the planet, from war to healthcare makes use of encryption to protect sensitive information
that is being transmitted across the internet.
Symmetric
A symmetric encryption is used to create a file that can be both encrypted and decrypted using the same
key. Also known as the 'secret key' encryption, it makes use of the same algorithm to decode a script as
the algorithm used to encrypt it in the first place. This makes it easier for multiple sources to use the key
since only a single code needs to be learned, but it also means there is only a single line of defense
against hackers who may be able to guess the code.
Asymmetric
On the other hand, 'public key' encryption makes use of a key that belongs to a select group of people who
are able to use it for encrypting/decrypting the data. Essentially, the defense of the encryption algorithm
depends on more than a single key. Two keys are often used in this system, one to encrypt the
information and a separate one to decrypt it. While a greater number of keys leads to some amount of
confusion, it makes the communication system much more secure.
RSA Cryptosystem
This cryptosystem is one the initial system. It remains most employed cryptosystem even
today. The system was invented by three scholars Ron Rivest, Adi Shamir, and Len
Adleman and hence, it is termed as RSA cryptosystem.
We will see two aspects of the RSA cryptosystem, firstly generation of key pair and
secondly encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption
needs to generate a pair of keys, namely public key and private key. The process followed
in the generation of keys is described below −
Generate the RSA modulus (n)
o Select two large primes, p and q.
o Calculate n=p*q. For strong unbreakable encryption, let n be a large number,
typically a minimum of 512 bits.
Find Derived Number (e)
o Number e must be greater than 1 and less than (p − 1)(q − 1).
o There must be no common factor for e and (p − 1)(q − 1) except for 1. In
other words two numbers e and (p – 1)(q – 1) are coprime.
Form the public key
o The pair of numbers (n, e) form the RSA public key and is made public.
o Interestingly, though n is part of the public key, difficulty in factorizing a large
prime number ensures that attacker cannot find in finite time the two primes
(p & q) used to obtain n. This is strength of RSA.
Generate the private key
o Private Key d is calculated from p, q, and e. For given n and e, there is
unique number d.
o Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the
number less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1
modulo (p - 1)(q - 1).
o This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
Example
An example of generating RSA Key pair is given below. (For ease of understanding, the
primes p & q taken here are small values. Practically, these values are very high).
Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.
Select e = 5, which is a valid choice since there is no number that is common factor
of 5 and (p − 1)(q − 1) = 6 × 12 = 72, except for 1.
The pair of numbers (n, e) = (91, 5) forms the public key and can be made available
to anyone whom we wish to be able to send us encrypted messages.
Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will
be d = 29.
Check that the d calculated is correct by computing −
de = 29 × 5 = 145 = 1 mod 72
Hence, public key is (91, 5) and private keys is (91, 29).
Encryption and Decryption
Once the key pair has been generated, the process of encryption and decryption are
relatively straightforward and computationally easy.
Interestingly, RSA does not directly operate on strings of bits as in case of symmetric key
encryption. It operates on numbers modulo n. Hence, it is necessary to represent the
plaintext as a series of numbers less than n.
RSA Encryption
Suppose the sender wish to send some text message to someone whose public key
is (n, e).
The sender then represents the plaintext as a series of numbers less than n.
To encrypt the first plaintext P, which is a number modulo n. The encryption process
is simple mathematical step as −
C = Pe mod n
In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times
and then reduced modulo n. This means that C is also a number less than n.
Returning to our Key Generation example with plaintext P = 10, we get ciphertext C
−
C = 105 mod 91
RSA Decryption
The decryption process for RSA is also very straightforward. Suppose that the
receiver of public-key pair (n, e) has received a ciphertext C.
Receiver raises C to the power of his private key d. The result modulo n will be the
plaintext P.
Plaintext = Cd mod n
Returning again to our numerical example, the ciphertext C = 82 would get
decrypted to number 10 using private key 29 −
Plaintext = 8229 mod 91 = 10
RSA Analysis
The security of RSA depends on the strengths of two separate functions. The RSA
cryptosystem is most popular public-key cryptosystem strength of which is based on the
practical difficulty of factoring the very large numbers.
Encryption Function − It is considered as a one-way function of converting
plaintext into ciphertext and it can be reversed only with the knowledge of private
key d.
Key Generation − The difficulty of determining a private key from an RSA public key
is equivalent to factoring the modulus n. An attacker thus cannot use knowledge of
an RSA public key to determine an RSA private key unless he can factor n. It is also
a one way function, going from p & q values to modulus n is easy but reverse is not
possible.
If either of these two functions are proved non one-way, then RSA will be broken. In fact, if
a technique for factoring efficiently is developed then RSA will no longer be safe.
The strength of RSA encryption drastically goes down against attacks if the number p and
q are not large primes and/ or chosen public key e is a small number.
ElGamal Cryptosystem
Along with RSA, there are other public-key cryptosystems proposed. Many of them are
based on different versions of the Discrete Logarithm Problem.
ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete Logarithm
Problem. It derives the strength from the assumption that the discrete logarithms cannot be
found in practical time frame for a given number, while the inverse operation of the power
can be computed efficiently.
Let us go through a simple version of ElGamal that works with numbers modulo p. In the
case of elliptic curve variants, it is based on quite different number systems.
Generation of ElGamal Key Pair
Each user of ElGamal cryptosystem generates the key pair through as follows −
Choosing a large prime p. Generally a prime number of 1024 to 2048 bits length is
chosen.
Choosing a generator element g.
o This number must be between 1 and p − 1, but cannot be any number.
o It is a generator of the multiplicative group of integers modulo p. This means
for every integer m co-prime to p, there is an integer k such that gk=a mod n.
For example, 3 is generator of group 5 (Z5 = {1, 2, 3, 4}).
N 3n 3n mod 5
1 3 3
2 9 4
3 27 2
4 81 1
Choosing the private key. The private key x is any number bigger than 1 and
smaller than p−1.
Computing part of the public key. The value y is computed from the parameters p,
g and the private key x as follows −
y = gx mod p
Obtaining Public key. The ElGamal public key consists of the three parameters (p,
g, y).
For example, suppose that p = 17 and that g = 6 (It can be confirmed that 6 is a
generator of group Z17). The private key x can be any number bigger than 1 and
smaller than 71, so we choose x = 5. The value y is then computed as follows −
y = 65 mod 17 = 7
Thus the private key is 62 and the public key is (17, 6, 7).
Encryption and Decryption
The generation of an ElGamal key pair is comparatively simpler than the equivalent
process for RSA. But the encryption and decryption are slightly more complex than RSA.
ElGamal Encryption
Suppose sender wishes to send a plaintext to someone whose ElGamal public key is (p, g,
y), then −
Sender represents the plaintext as a series of numbers modulo p.
To encrypt the first plaintext P, which is represented as a number modulo p. The
encryption process to obtain the ciphertext C is as follows −
o Randomly generate a number k;
Compute two values C1 and C2, where −
o
C1 = gk mod p
C2 = (P*yk) mod p
Send the ciphertext C, consisting of the two separate values (C1, C2), sent together.
Referring to our ElGamal key generation example given above, the plaintext P = 13
is encrypted as follows −
o Randomly generate a number, say k = 10
Compute the two values C1 and C2, where −
o
C1 = 6 mod 17
10
C2 = (13*710) mod 17 = 9
Send the ciphertext C = (C1, C2) = (15, 9).
ElGamal Decryption
To decrypt the ciphertext (C1, C2) using private key x, the following two steps are
taken −
o Compute the modular inverse of (C1)x modulo p, which is (C1)-x , generally
referred to as decryption factor.
o Obtain the plaintext by using the following formula −
C2 × (C1)-x mod p = Plaintext
In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private key x =
5, the decryption factor is
15-5 mod 17 = 9
Extract plaintext P = (9 × 9) mod 17 = 13.
ElGamal Analysis
In ElGamal system, each user has a private key x. and has three components of public
key − prime modulus p, generator g, and public Y = g x mod p. The strength of the
ElGamal is based on the difficulty of discrete logarithm problem.
The secure key size is generally > 1024 bits. Today even 2048 bits long key are used. On
the processing speed front, Elgamal is quite slow, it is used mainly for key authentication
protocols. Due to higher processing efficiency, Elliptic Curve variants of ElGamal are
becoming increasingly popular.
RSA ElGamal
For a particular security level, lengthy keys are required in RSA. For the same level of security, very sho
It is widely accepted and used. It is new and not very popular in marke
1. Block algorithms. Set lengths of bits are encrypted in blocks of electronic data with the
use of a specific secret key. As the data is being encrypted, the system holds the data in its
memory as it waits for complete blocks.
2. Stream algorithms. Data is encrypted as it streams instead of being retained in the
system’s memory.
Some examples of symmetric encryption algorithms include:
DES
In “modern” computing, DES was the first standardized cipher for securing electronic
communications, and is used in variations (e.g. 2-key or 3-key 3DES). The original DES
is not used anymore as it is considered too “weak”, due to the processing power of
modern computers. Even 3DES is not recommended by NIST and PCI DSS 3.2, just like
all 64-bit ciphers. However, 3DES is still widely used in EMV chip cards.
AES
The most commonly used symmetric algorithm is the Advanced Encryption Standard
(AES), which was originally known as Rijndael. This is the standard set by the U.S.
National Institute of Standards and Technology in 2001 for the encryption of electronic
data announced in U.S. FIPS PUB 197. This standard supersedes DES, which had been in
use since 1977. Under NIST, the AES cipher has a block size of 128 bits, but can have
three different key lengths as shown with AES-128, AES-192 and AES-256.
Key Exhaustion
Symmetric Encryption suffers from behavior where every use of a key ‘leaks’ some
information that can potentially be used by an attacker to reconstruct the key. The
defenses against this behavior include using a key hierarchy to ensure that master or key-
encryption keys are not over-used and the appropriate rotation of keys that do encrypt
volumes of data. To be tractable, both these solutions require competent key-management
strategies as if (for example) a retired encryption key cannot be recovered the data is
potentially lost.
Attribution data
Unlike asymmetric (public-key) Certificates, symmetric keys do not have embedded
metadata to record information such as expiry date or an Access Control List to indicate
the use the key may be put to - to Encrypt but not Decrypt for example.
The latter issue is somewhat addressed by standards such as ANSI X9-31 where a key can
be bound to information prescribing its usage. But for full control over what a key can be
used for and when it can be used, a key-management system is required.
Conclusion
Maintaining large-scale symmetric encryption systems is a very challenging task. This is
especially true when we want to achieve banking-grade security and auditability when the
corporate and/or IT architecture is decentralized / geographically distributed.
Digital signatures are the public-key primitives of message authentication. In the physical
world, it is common to use handwritten signatures on handwritten or typed messages. They
are used to bind signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital data.
This binding can be independently verified by receiver as well as any third party.
Digital signature is a cryptographic value that is calculated from the data and a secret key
known only by the signer.
In real world, the receiver of message needs assurance that the message belongs to the
sender and he should not be able to repudiate the origination of that message. This
requirement is very crucial in business applications, since likelihood of a dispute over
exchanged data is very high.