
UNIT-3

Primality Testing

A primality test is an algorithm for determining whether an input number is prime.


Among other fields of mathematics, it is used for cryptography. Unlike integer factorization,
primality tests do not generally give prime factors, only stating whether the input number is
prime or not.

Using Euclid’s algorithm

A much more efficient method is the Euclidean algorithm, which uses the division
algorithm in combination with the observation that the gcd of two numbers also divides their difference:
gcd(a, 0) = a
gcd(a, b) = gcd(b, a mod b)
Public Key Cryptography
Symmetric cryptography was well suited for organizations such as governments, the military, and big
financial corporations that were involved in classified communication. With the spread of less secure
computer networks in the last few decades, a genuine need was felt to use cryptography at a larger scale. The
symmetric key approach was found to be impractical because of the key management challenges it faced. This gave rise
to public key cryptosystems.
The process of encryption and decryption is depicted in the following illustration.

RSA Cryptosystem
This cryptosystem is one of the earliest public key systems, and it remains the most widely employed cryptosystem even today. The
system was invented by three scholars, Ron Rivest, Adi Shamir, and Len Adleman, and hence it is termed
the RSA cryptosystem. We will see two aspects of the RSA cryptosystem: firstly, generation of the key pair, and
secondly, the encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or party who desires to participate in communication using encryption needs to generate a pair
of keys, namely a public key and a private key. The process followed in the generation of keys is described below.

Prepared By: Mrs.T.Kavitha, Dept. of CSE


Encryption and Decryption
To encrypt a message M the sender:

Example: Select primes p = 17 and q = 11. Compute n = p × q = 17 × 11 = 187.
Compute ø(n) = (p – 1)(q – 1) = 16 × 10 = 160.
Select e such that gcd(e, 160) = 1; choose e = 7.

Determine d such that d × e ≡ 1 mod 160 and d < 160. The value is d = 23, since 23 × 7 = 161 = 10 × 16 + 1.
Publish public key PU = {7, 187}
Keep secret private key PR = {23, 187}

Encryption
Given message (Plaintext) M = 88
88^7 mod 187 = [(88^4 mod 187) × (88^2 mod 187) × (88^1 mod 187)] mod 187
88^1 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77
88^4 mod 187 = 59,969,536 mod 187 = 132
88^7 mod 187 = (88 × 77 × 132) mod 187
= 894,432 mod 187
= 11
So, Cipher text C = 11
RSA Analysis (Decryption)
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14641 mod 187 = 55
11^8 mod 187 = 214,358,881 mod 187 = 33
11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187
= 79,720,245 mod 187
= 88
So, Plaintext M = 88
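Added Python example (not part of the notes) tying together the primality test, Euclid's algorithm and the RSA worked example above: Miller-Rabin stands in as the primality test, the extended Euclidean algorithm finds d, and square-and-multiply does the modular exponentiation the notes decompose by hand. With the notes' numbers (p = 17, q = 11, e = 7, M = 88) it reproduces PU = {7, 187}, PR = {23, 187}, C = 11.

```python
import random

def gcd(a: int, b: int) -> int:
    """Euclid's algorithm exactly as stated in the notes: gcd(a, 0) = a, gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, a % b
    return a

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(e: int, m: int) -> int:
    """d with d*e = 1 (mod m): this is how the private exponent d is determined."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and m are not coprime, no inverse exists")
    return x % m

def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply, the same decomposition the notes use (88^7 = 88^4 * 88^2 * 88^1)."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin: answers 'composite' with certainty, 'prime' with overwhelming probability."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):        # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                      # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = modexp(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = (x * x) % n
            if x == n - 1:
                break
        else:
            return False                   # a is a witness that n is composite
    return True

def rsa_keygen(p: int, q: int, e: int):
    """Key-pair generation from the chosen primes: PU = {e, n}, PR = {d, n}."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (modinv(e, phi), n)

def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return modexp(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return modexp(c, d, n)

if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)                 # the notes' example
    print("PU =", pub, "PR =", priv)                  # PU = (7, 187) PR = (23, 187)
    c = rsa_encrypt(pub, 88)
    print("C =", c, "M =", rsa_decrypt(priv, c))      # C = 11 M = 88
```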

KEY DISTRIBUTION

Symmetric Key Distribution Using Symmetric Encryption


In symmetric key encryption, the two parties to an exchange must share the same key, and that key
must be protected from access by others. The term key distribution refers to the means of delivering a key
to two parties who wish to exchange data, without allowing others to see the key.
For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other,
encrypted using the old key.
4. If A and B each has an encrypted connection to a third-party C, C can deliver a key on the encrypted
links to A and B.
Physical delivery (1 and 2) is the simplest, but is only applicable when there is personal contact between
recipient and key issuer. This is fine for link encryption, where devices and keys occur in pairs, but does not
scale as the number of parties who wish to communicate grows. Option 3 mostly depends on 1 or 2 having occurred first.
A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment
of secure communications between them (4). The intermediary must be trusted not to abuse its knowledge of all
session keys. As the number of parties grows, some variant of 4 is the only practical solution to the huge growth
in the number of keys potentially needed.
Key Distribution Centre
The use of a key distribution centre is based on the use of a hierarchy of keys. At a minimum, two levels
of keys are used.
Communication between end systems is encrypted using a temporary key, often referred to as a
session key.
Typically, the session key is used for the duration of a logical connection and then discarded.
A master key is shared by the key distribution centre and an end system or user, and is used to encrypt the
session key.
Key Distribution Scenario
Let us assume that user A wishes to establish a logical connection with B and requires a one-time session
key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and
the KDC; similarly, B shares the master key Kb with the KDC (Figure 2.36). The following steps occur:
1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes
the identities of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The
nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with
each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus,
a random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read
the message, and A knows that it originated at the KDC. The message includes two items intended for A:
the one-time session key, Ks, to be used for the session, and the original request message, including the
nonce, to enable A to match this response with the appropriate request. Thus, A can verify that its original
request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of
some previous request. In addition, the message includes two items intended for B: the one-time session
key, Ks, to be used for the session, and an identifier of A (e.g., its network address), IDA. These last two
items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to
establish the connection and prove A's identity.
3. A stores the session key for use in the upcoming session and forwards to B the information that originated
at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is
protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from
IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). At this
point, a session key has been securely delivered to A and B, and they may begin their protected exchange.
However, two additional steps are desirable:
4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2
(e.g., adding one).
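The five-step scenario above, as an added Python simulation that is not part of the notes: the KDC, A and B are in-process functions, E/D is a constructed toy HMAC-based authenticated cipher standing in for the unspecified symmetric algorithm, and the JSON message layout is an assumption. It shows the key hierarchy (master keys Ka, Kb, session key Ks), A's check that the KDC reply echoes its own request and nonce, and the N2 / f(N2) handshake; replay_is_rejected shows what the nonce N1 buys.

```python
import hashlib
import hmac
import json
import os

# Constructed toy authenticated encryption standing in for the notes' E(K, .) and D(K, .):
# keystream = HMAC-SHA256(K, iv || counter), tag = HMAC-SHA256(K, iv || ciphertext).
def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key: bytes, data: bytes) -> bytes:
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def D(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

class KDC:
    """Top of the key hierarchy: one master key per end system (Ka, Kb, ...)."""
    def __init__(self) -> None:
        self.master = {}

    def enroll(self, ident: str) -> bytes:
        self.master[ident] = os.urandom(32)
        return self.master[ident]

    def handle_request(self, request: dict) -> bytes:
        # Step 1 arrives in clear: IDA || IDB || N1.
        # Step 2 reply: E(Ka, [Ks || request || E(Kb, [Ks || IDA])]); Ks is the one-time session key.
        ks = os.urandom(32)
        ticket = E(self.master[request["to"]],
                   json.dumps({"Ks": ks.hex(), "IDA": request["from"]}).encode())
        reply = {"Ks": ks.hex(), "request": request, "ticket": ticket.hex()}
        return E(self.master[request["from"]], json.dumps(reply).encode())

def a_process_reply(ka: bytes, request: dict, reply_blob: bytes):
    """A's side of step 2: decrypt under Ka and insist that the echoed request (nonce
    included) is the one A actually sent; otherwise the reply was altered or is a replay."""
    reply = json.loads(D(ka, reply_blob))
    if reply["request"] != request:
        raise ValueError("reply does not echo the outstanding request (replay or tampering)")
    return bytes.fromhex(reply["Ks"]), bytes.fromhex(reply["ticket"])

def f(n2: bytes) -> bytes:
    """The notes' f(N2): 'some transformation on N2 (e.g., adding one)'."""
    return ((int.from_bytes(n2, "big") + 1) % (1 << (8 * len(n2)))).to_bytes(len(n2), "big")

def run_scenario(kdc: KDC, ka: bytes, kb: bytes) -> bool:
    # Step 1: A -> KDC with a fresh random nonce N1.
    request = {"from": "A", "to": "B", "nonce": os.urandom(16).hex()}
    # Step 2: KDC -> A.
    ks_a, ticket = a_process_reply(ka, request, kdc.handle_request(request))
    # Step 3: A -> B forwards E(Kb, [Ks || IDA]); B opens it with its own master key.
    opened = json.loads(D(kb, ticket))
    ks_b, peer = bytes.fromhex(opened["Ks"]), opened["IDA"]
    # Steps 4 and 5: nonce handshake under Ks shows both ends hold the same session key.
    n2 = os.urandom(16)
    msg4 = E(ks_b, n2)                 # B -> A: E(Ks, N2)
    msg5 = E(ks_a, f(D(ks_a, msg4)))   # A -> B: E(Ks, f(N2))
    return peer == "A" and ks_a == ks_b and D(ks_b, msg5) == f(n2)

def replay_is_rejected(kdc: KDC, ka: bytes) -> bool:
    """An old KDC reply replayed against a new request fails A's nonce check."""
    old_request = {"from": "A", "to": "B", "nonce": os.urandom(16).hex()}
    old_reply = kdc.handle_request(old_request)
    new_request = {"from": "A", "to": "B", "nonce": os.urandom(16).hex()}
    try:
        a_process_reply(ka, new_request, old_reply)
    except ValueError:
        return True
    return False

def demo() -> bool:
    kdc = KDC()
    ka, kb = kdc.enroll("A"), kdc.enroll("B")
    return run_scenario(kdc, ka, kb) and replay_is_rejected(kdc, ka)

if __name__ == "__main__":
    print("session key delivered and replay rejected:", demo())   # True
```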

KEY MANAGEMENT
Key management refers to management of cryptographic keys in a cryptosystem.
Figure 3.4 illustrates the lifecycle of key management.

Fig. 3.4 Lifecycle of Key Management

There are two aspects to key management:

1. Distribution of public keys.
2. Use of public-key encryption to distribute secret keys.
Distribution of Public Keys
Several techniques have been proposed for the distribution of public keys, which can mostly be
grouped into the following categories:

1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
Public Announcement
The point of public-key encryption is that the public key is public, hence any participant can send
his or her public key to any other participant, or broadcast the key to the community at large, e.g. by appending
PGP keys to email messages or posting them to newsgroups or mailing lists.
Figure 3.5 illustrates the public key distribution.

Figure 3.5 Uncontrolled Public Key Distribution

Its major weakness is forgery: anyone could pretend to be user A and send a public key to another
participant or broadcast such a public key. Until the forgery is discovered, they can masquerade as
the claimed user.
Publicly Available Directory
The user obtains greater security by registering keys with a public directory. The directory must be
trusted and has the following properties: the authority maintains a directory with a {name, public key} entry for each
participant. Each participant registers a public key with the directory authority. A participant may replace the
existing key with a new one at any time, e.g. because the corresponding private key has been compromised in
some way.

Participants could also access the directory electronically. For this purpose, secure, authenticated
communication from the authority to the participant is mandatory.
Figure 3.6 illustrates the public key publication

Figure 3.6 Public Key Publications
This scheme is clearly more secure than individual public announcements but still has
vulnerabilities. If an adversary succeeds in obtaining or computing the private key of the directory
authority, the adversary could authoritatively pass out counterfeit public keys and subsequently
impersonate any participant and eavesdrop on messages sent to any participant. Another way to
achieve the same end is for the adversary to tamper with the records kept by the authority.
Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory. It requires users to know the
public key of the directory, and to interact with the directory in real time to obtain any
desired public key securely. In total, seven messages are required.

Figure 3.7 illustrates the public key distribution Scenario

A sends a timestamped message to the public-key authority containing a request for the current
public key of B. The authority responds with a message that is encrypted using the authority's private
key, PRauth. Thus, A is able to decrypt the message using the authority's public key, and is therefore
assured that the message originated with the authority. The message includes the following:

i. B's public key, PUb, which A can use to encrypt messages destined for B.
ii. The original request, to enable A to match this response with the corresponding
earlier request and to verify that the original request was not altered before
reception by the authority.
iii. The original timestamp, so A can determine that this is not an old message from
the authority containing a key other than B's current public key.
iv. A stores B's public key and also uses it to encrypt a message to B containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this transaction
uniquely.
v. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
vi. At this point, public keys have been securely delivered to A and B, and they may
begin their protected exchange. However, two additional steps are desirable:
vii. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well
as a new nonce generated by B (N2). Because only B could have decrypted message
(3), the presence of N1 in message (6) assures A that the correspondent is B.
viii. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Public-Key Certificates
i. A user must appeal to the authority for a public key for every other user that it
wishes to contact, and it is vulnerable to tampering too.
ii. Public key certificates can be used to exchange keys without contacting a public-
key authority.
iii. Figure 3.8 illustrates the public key certificate exchanges.
iv. A certificate binds an identity to a public key, with all contents signed by a trusted
Public-Key or Certificate Authority (CA).
v. This can be verified by anyone who knows the public-key authority's public key.
vi. A participant can also convey its key information to another by transmitting its
certificate.
Other participants can verify that the certificate was created by the authority. We can place
the following requirements on this scheme:
i. Any participant can read a certificate to determine the name and public key of
the certificate's owner.
ii. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
iii. Only the certificate authority can create and update certificates.
iv. Any participant can verify the currency of the certificate.
One scheme has become universally accepted for formatting public-key certificates:
the X.509 standard. X.509 certificates are used in most network security applications,
including IP security, secure sockets layer (SSL), secure electronic transactions (SET), and
S/MIME.

Figure 3.8 Public Key Certificates


Symmetric Key Distribution using Public Key Cryptography
Once public keys have been distributed or have become accessible, secure
communication that thwarts eavesdropping, tampering, or both, is possible. Public-key
encryption provides for the distribution of secret keys to be used for conventional encryption.
Simple Secret Key Distribution
A generates a public/private key pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA. B generates a secret key, Ks, and transmits it to A,
encrypted with A's public key. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because
only A can decrypt the message, only A and B will know the identity of Ks. A discards PUa and PRa,
and B discards PUa.

Figure 3.9 Simple Secret Key Distributions

Figure 3.9 illustrates the simple secret key distribution

Here a third party can intercept messages and then either relay the intercepted message or
substitute another message. Such an attack is known as a man-in-the-middle attack. Figure
3.10 shows the man-in-the-middle attack.

Figure 3.10 Man-in-the-Middle Attack


Secret Key Distribution with Confidentiality and Authentication
A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a
nonce (N1), which is used to identify this transaction uniquely. B sends a message to A encrypted with
PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could
have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
Figure 3.11 illustrates the secret key distribution

Figure 3.11 Secret Key Distributions


A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's
public key ensures that only B can read it; encryption with A's private key ensures that only A could
have sent it. B computes D(PUa, D(PRb, M)) to recover the secret key.
A Hybrid Scheme
Another way to use public-key encryption to distribute secret keys is a hybrid approach.
This scheme retains the use of a Key Distribution Centre (KDC) that shares a secret master key with
each user and distributes secret session keys encrypted with the master key. A public key scheme is
used to distribute the master keys. The addition of a public-key layer provides a secure, efficient
means of distributing master keys.

DIFFIE HELLMAN KEY EXCHANGE:

Prepared By: Mrs.T.Kavitha, Dept. of CSE


10
10
The Diffie–Hellman key exchange, or key agreement, is a method of securely exchanging cryptographic keys
over a public channel. It was developed by Whitfield Diffie and Martin Hellman in 1976.
This protocol allows two users to exchange a secret key over an untrusted network without any prior secrets.
Security of transmission is critical for many network and Internet applications.
A number of commercial products employ this exchange technique. The purpose of the algorithm is to
enable two users to securely exchange a key that can be used for subsequent encryption of messages.
Suppose A and B wish to exchange a secret key; the following steps are needed.
There are two publicly known numbers: a prime number q and an integer α that is a primitive
root of q.
● Suppose users A and B wish to exchange a key.
● User A selects a random integer XA < q and computes YA = α^XA mod q.
● Similarly, user B selects a random integer XB < q and computes YB = α^XB mod q.
● Then user A computes the key as K = (YB)^XA mod q.
● User B computes K = (YA)^XB mod q.
● The two calculations produce identical results.

Example 1:
• Choose global public elements q = 23, α = 9
• User A selects the value XA = 4
• Calculate public YA:
YA = α^XA mod q = 9^4 mod 23 = 6561 mod 23
YA = 6
• User B selects the value XB = 3
• Calculate public YB:
YB = α^XB mod q = 9^3 mod 23 = 729 mod 23
YB = 16
▪ Now A and B exchange their public keys.
▪ Figure 3.13 shows the exchange of keys.

After exchanging their public keys, each can compute the common key.
● A computes K = (YB)^XA mod q = 16^4 mod 23 = 65536 mod 23
K = 9
● B computes K = (YA)^XB mod q = 6^3 mod 23 = 216 mod 23
K = 9
Now A and B can talk securely.

Example 2 (q = 353, α = 3, XA = 97, XB = 233):
▪ compute respective public keys:
YA = 3^97 mod 353 = 40 (Alice)
YB = 3^233 mod 353 = 248 (Bob)
▪ compute shared session key as:
KAB = YB^XA mod 353 = 248^97 mod 353 = 160 (Alice)
KAB = YA^XB mod 353 = 40^233 mod 353 = 160 (Bob)
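Added Python example, not from the notes, running both worked examples above with Python's built-in modular pow. Besides confirming that A and B arrive at the same K, it adds two checks a practitioner would want: a test of the "α is a primitive root of q" requirement (which α = 9, q = 23 does not actually satisfy: 9 has multiplicative order 11 mod 23, so both sides still agree but only 11 distinct keys are possible), and a brute-force discrete log on the small parameters, which is what a large q has to make infeasible.

```python
def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root of the prime q iff alpha^1 .. alpha^(q-1) mod q visit every
    nonzero residue, i.e. its multiplicative order is q - 1. (Brute force; fine for small q.)"""
    seen, x = set(), 1
    for _ in range(q - 1):
        x = (x * alpha) % q
        seen.add(x)
    return len(seen) == q - 1

def dh_public(q: int, alpha: int, x: int) -> int:
    """Y = alpha^X mod q, the value each side publishes."""
    return pow(alpha, x, q)

def dh_shared(q: int, peer_public: int, x: int) -> int:
    """K = (Y_peer)^X mod q, computed by each side from the other's public value."""
    return pow(peer_public, x, q)

def dh_exchange(q: int, alpha: int, xa: int, xb: int):
    """Runs both sides of the exchange and returns (YA, YB, K) after checking that
    A's and B's computations of K agree, as the notes state they must."""
    if not (0 < xa < q and 0 < xb < q):
        raise ValueError("private values must satisfy 0 < X < q")
    ya, yb = dh_public(q, alpha, xa), dh_public(q, alpha, xb)
    ka, kb = dh_shared(q, yb, xa), dh_shared(q, ya, xb)
    if ka != kb:
        raise ValueError("sides disagree on K (should be impossible)")
    return ya, yb, ka

def discrete_log_bruteforce(q: int, alpha: int, y: int) -> int:
    """Recover X from Y = alpha^X mod q by trying every exponent. Instant for q = 353,
    hopeless for the 2048-bit moduli used in practice: that gap is all of DH's security."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    raise ValueError("no discrete log: y is not in the subgroup generated by alpha")

if __name__ == "__main__":
    print("Example 1:", dh_exchange(23, 9, 4, 3))                    # (6, 16, 9)
    print("Example 2:", dh_exchange(353, 3, 97, 233))                # (40, 248, 160)
    print("9 a primitive root of 23?", is_primitive_root(9, 23))     # False
    print("3 a primitive root of 353?", is_primitive_root(3, 353))   # True
    print("XA recovered from YA:", discrete_log_bruteforce(353, 3, 40))  # 97
```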

Advantages
i. The sender and receiver don’t need any prior knowledge of each other.
ii. Once the keys are exchanged, the communication of data can be done through an
insecure channel.
iii. The sharing of the secret key is safe.
Disadvantages
i. The algorithm cannot be used for any asymmetric key exchange.
ii. Similarly, it cannot be used for signing digital signatures.
iii. Since it doesn't authenticate any party in the transmission, the Diffie Hellman key
exchange is susceptible to a man-in-the-middle attack.
Man-in-the-Middle Attack

Figure 3.14 Man-in-the-Middle Attack


1. Darth prepares by creating two private/public key pairs.
2. Alice transmits her public key to Bob.
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a
shared key with Alice.
4. Bob receives the public key and calculates the shared key (with Darth instead of
Alice).
5. Bob transmits his public key to Alice.
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a
shared key with Bob.
7. Alice receives the key and calculates the shared key (with Darth instead of Bob).
Applications
Diffie-Hellman is currently used in many protocols, namely:
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Secure Shell (SSH)
• Internet Protocol Security (IPSec)
• Public Key Infrastructure (PKI)

ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic curve cryptography can be used to encrypt the plain text message M into
ciphertext.
The plain text message M is encoded into a point PM from the finite set of points
in the elliptic group, Eq(a, b).
The first step consists in choosing a generator point, G ∈ Eq(a, b), such that the smallest
value of n for which nG = O is a very large prime number.

The elliptic group Eq(a, b) and the generator point G are made public.
Each user selects a private key nA < n and computes the public key PA as PA = nA G.
To encrypt the message point PM for Bob (B), Alice (A) chooses a random integer k and computes the ciphertext pair
of points C using Bob's public key PB.

Security of ECC:

1. The cryptographic strength of elliptic curve encryption lies in the difficulty for a cryptanalyst to determine
the secret random number k from kP and P itself.
2. The fastest method to solve this problem (known as the elliptic curve logarithm problem) is the Pollard
factorization method.
3. The computational complexity for breaking the elliptic curve cryptosystem using the Pollard method is 3.3 ×
10^10 MIPS years for an elliptic curve key size of only 150 bits.
4. For comparison, the fastest method to break RSA, using the General Number Field Sieve method to factor the
composite integer n into the two primes p and q, requires 2 × 10^11 MIPS years for a 768-bit RSA key and 3 × 10^11
MIPS years for an RSA key length of 1024 bits.
5. If the RSA key length is increased to 2048 bits, the GNFS method will need 3 × 10^20 MIPS years to factor n,
whereas increasing the elliptic curve key length to only 24 bits will impose a computational complexity of
1.6 × 10^2 MIPS years.
Analog of Diffie-Hellman Key Exchange:
Key exchange using elliptic curves can be done in the following manner.
First pick a large integer q, which is either a prime number p or an integer of the form 2^m, and elliptic curve
parameters a and b. This defines the elliptic group of points Eq(a, b).
Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a very large value n. The order n of a point G
on an elliptic curve is the smallest positive integer n such that nG = O. Eq(a, b) and G are parameters of the
cryptosystem known to all participants.
1. A selects an integer nA less than n. This is A's private key. A then generates a public key PA = nA × G; the
public key is a point in Eq(a, b).
2. B similarly selects a private key nB and computes a public key PB.
3. A generates the secret key K = nA × PB. B generates the secret key K = nB × PA.
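The three-step elliptic-curve analog of Diffie-Hellman above, as an added Python example that is not part of the notes. It implements the group law on y^2 = x^3 + ax + b over Z_p, double-and-add scalar multiplication (the "nA × G" operation), a brute-force order computation for the base point, and the exchange itself; the toy curve E_23(1,1) with G = (3, 10) is a constructed example small enough to check by hand and is far too small for real use.

```python
# Curve y^2 = x^3 + a*x + b over Z_p (the notes' Eq(a, b) with q = p prime).
# The point at infinity O is represented as None.
O = None

def on_curve(P, a: int, b: int, p: int) -> bool:
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def point_add(P, Q, a: int, p: int):
    """Group law: chord-and-tangent addition; pow(k, -1, p) is the modular inverse (Python 3.8+)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                        # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope for doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k: int, P, a: int, p: int):
    """kP by double-and-add; this is the operation behind PA = nA x G and K = nA x PB."""
    R = O
    while k > 0:
        if k & 1:
            R = point_add(R, P, a, p)
        P = point_add(P, P, a, p)
        k >>= 1
    return R

def order(G, a: int, p: int) -> int:
    """Smallest positive n with nG = O (brute force, only sensible for toy curves)."""
    n, R = 1, G
    while R is not O:
        R = point_add(R, G, a, p)
        n += 1
    return n

def ecdh(a: int, b: int, p: int, G, nA: int, nB: int):
    """Steps 1-3 of the notes' analog of Diffie-Hellman; returns (PA, PB, K) once both sides agree."""
    if not on_curve(G, a, b, p):
        raise ValueError("G is not on the curve")
    n = order(G, a, p)
    if not (0 < nA < n and 0 < nB < n):
        raise ValueError("private keys must be less than the order of G")
    PA = scalar_mult(nA, G, a, p)           # A's public key
    PB = scalar_mult(nB, G, a, p)           # B's public key
    KA = scalar_mult(nA, PB, a, p)          # A computes nA x PB
    KB = scalar_mult(nB, PA, a, p)          # B computes nB x PA
    if KA != KB:
        raise ValueError("sides disagree on K (should be impossible)")
    return PA, PB, KA

if __name__ == "__main__":
    a, b, p, G = 1, 1, 23, (3, 10)          # constructed toy curve E_23(1,1)
    print("2G =", scalar_mult(2, G, a, p))  # (7, 12)
    print("order of G =", order(G, a, p))
    print("ECDH (PA, PB, K) =", ecdh(a, b, p, G, 3, 5))
```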

UNIT-4
AUTHENTICATION REQUIREMENT

➢ In the context of communications across a network, the following attacks can be identified.
• Disclosure: Release of message contents to any person or process not possessing the
appropriate cryptographic key.
• Traffic analysis: Detection of the pattern of traffic between parties. In a connection-
oriented application, the frequency and duration of connections could be determined,
and the number and length of messages between parties could be determined.
• Masquerade: Insertion of messages into the network from a fraudulent source.
This includes the creation of messages by an opponent that are purported to
come from an authorized entity. Also included are fraudulent
acknowledgements of message receipt or non-receipt by someone other than
the message recipient.
• Content modification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification.
• Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
• Timing modification: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of
some previous valid session, or individual messages in the sequence could be
delayed or replayed. In a connectionless application, an individual message
(e.g., datagram) could be delayed or replayed.

• Source repudiation: Denial of transmission of a message by its source.
• Destination repudiation: Denial of receipt of a message by its destination.

AUTHENTICATION FUNCTION- MESSAGE AUTHENTICATION-MAC- HASH FUNCTION

MESSAGE AUTHENTICATION
➢ A mechanism or service used to verify the integrity of a message.
➢ Assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay).
➢ When a hash function is used to provide message authentication, the hash function
value is often referred to as a message digest.
An authentication function has two levels of functionality:
Lower Level
➢ Produces an authenticator: a value to be used to authenticate a message.
Higher Level
➢ Enables a receiver to verify the authenticity of a message.

Authentication functions are grouped into three classes:
Message encryption
➢ The ciphertext of the entire message serves as its authenticator.
Message authentication code (MAC)
➢ A function of the message and a secret key that produces a fixed-length value
that serves as the authenticator.
Hash function
➢ A function that maps a message of any length into a fixed-length hash value, which
serves as the authenticator.
Message Encryption: Symmetric Encryption

Symmetric encryption: confidentiality and authentication: A -> B: E(K, M)

Figure 4.1 Symmetric encryption: confidentiality and authentication

Public-key encryption: confidentiality: A -> B: E(PUb, M)

Figure 4.2 Public-key encryption: confidentiality

Public-key encryption: authentication and signature: A -> B: E(PRa, M)

Figure 4.3 Public-key encryption: authentication and signature


Public-key encryption: confidentiality, authentication, and signature: A -> B:
E(PUb, E(PRa, M))

Figure 4.4 Public-key encryption: confidentiality, authentication, and signature

Message Authentication Code (MAC)


➢ MAC stands for Message Authentication Code.
➢ In a MAC scheme the sender and receiver share the same key; the sender generates a fixed-size output
called a cryptographic checksum or message authentication code and appends it to the
original message.
➢ On the receiver's side, the receiver also generates the code and compares it with what he/she
received, thus ensuring the authenticity of the message.
➢ This technique assumes that two communicating parties, say A and B, share a common secret
key K.
Theory of operation
➢ When A has a message to send to B, it calculates the MAC as a function of the message and
the key:
MAC = C(K, M),
where M = input message
C = MAC function
K = shared secret key
MAC = Message Authentication Code
➢ The message plus MAC are transmitted to the intended recipient.
➢ The recipient performs the same calculation on the received message, using the same
secret key, to generate a new MAC.
➢ The received MAC is compared to the calculated MAC.
➢ If the received MAC matches the calculated MAC, then
➢ the receiver is assured that the message has not been altered, and
➢ the receiver is assured that the message is from the alleged sender.

Basic Uses of Message Authentication Code (MAC)


(a) Message authentication: A -> B: M || C(K, M)

Figure 4.5 Message Authentication


➢ Provides authentication: only A and B share K
(b) Message authentication and confidentiality; authentication tied to plaintext

Figure 4.6 Message Authentication and Confidentiality


➢ A -> B: E(K2, [M || C(K1, M)])
➢ Provides authentication: only A and B share K1
➢ Provides confidentiality: only A and B share K2
(c) Message authentication and confidentiality; authentication tied to ciphertext

Figure 4.7 Message Authentication and Confidentiality; authentication tied to ciphertext
➢ A -> B: E(K2, M) || C(K1, E(K2, M))
➢ Provides authentication using K1
➢ Provides confidentiality using K2
MAC properties
➢ A MAC is a cryptographic checksum, MAC = C_K(M), that
– condenses a variable-length message M
– using a secret key K
– to produce a fixed-size authenticator.
➢ The MAC is a many-to-one function: potentially many messages have the same MAC
(e.g., a 100-bit M and a 20-bit MAC), but finding the key K must be very difficult.
Requirements for MACs
➢ Message replacement attacks, in which an attacker can construct a new message to match
a given MAC code, even though the attacker does not learn the key.
➢ Deals with the need to prevent a brute-force attack based on chosen plaintext.
➢ The authentication algorithm should not be the weak point. The MAC needs to satisfy the following:
• Knowing a message and its MAC, it is infeasible to find another message with the same
MAC.
• MACs should be uniformly distributed.
• The MAC should depend equally on all bits of the message.
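The theory of operation, use (a) M || C(K, M), and the requirements above, as an added Python example that is not part of the notes. HMAC-SHA256 is assumed as the MAC function C (the notes leave C abstract); the receiver recomputes the MAC and compares it in constant time, one flipped bit anywhere in transit is rejected, a party without K cannot produce an acceptable MAC, and avalanche_fraction measures the "depends equally on all bits" requirement. It also covers the M || H(M || S) construction that appears later under uses of hash functions.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes of SHA-256 output

def mac_generate(key: bytes, message: bytes) -> bytes:
    """C(K, M): the MAC function, here HMAC-SHA256 (an assumption, the notes leave C abstract)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_send(key: bytes, message: bytes) -> bytes:
    """Use (a): A -> B transmits M || C(K, M)."""
    return message + mac_generate(key, message)

def mac_receive(key: bytes, transmitted: bytes) -> bytes:
    """B recomputes C(K, M') over the received message M' and compares it with the received MAC.
    The comparison is constant-time so the check itself does not leak which bytes matched."""
    if len(transmitted) < TAG_LEN:
        raise ValueError("transmission too short to carry a MAC")
    message, received_mac = transmitted[:-TAG_LEN], transmitted[-TAG_LEN:]
    if not hmac.compare_digest(mac_generate(key, message), received_mac):
        raise ValueError("MAC mismatch: message altered or not from the alleged sender")
    return message

def secret_suffix_send(secret: bytes, message: bytes) -> bytes:
    """Hash-function use (e): A -> B transmits M || H(M || S), S shared by A and B only."""
    return message + hashlib.sha256(message + secret).digest()

def secret_suffix_receive(secret: bytes, transmitted: bytes) -> bytes:
    message, digest = transmitted[:-TAG_LEN], transmitted[-TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha256(message + secret).digest(), digest):
        raise ValueError("digest mismatch: message altered or S not known to sender")
    return message

def tamper_detected(key: bytes, message: bytes, bit_index: int) -> bool:
    """Flip one bit anywhere in M || MAC in transit; verification must fail."""
    wire = bytearray(mac_send(key, message))
    wire[bit_index // 8] ^= 1 << (bit_index % 8)
    try:
        mac_receive(key, bytes(wire))
    except ValueError:
        return True
    return False

def wrong_key_detected(key: bytes, other_key: bytes, message: bytes) -> bool:
    """A party without K cannot produce a MAC that B accepts (only A and B share K)."""
    try:
        mac_receive(key, mac_send(other_key, message))
    except ValueError:
        return True
    return False

def avalanche_fraction(key: bytes, message: bytes, bit_index: int) -> float:
    """'The MAC should depend equally on all bits of the message': fraction of MAC bits that
    change when one message bit flips. For a good MAC this is near 0.5 whichever bit is flipped."""
    altered = bytearray(message)
    altered[bit_index // 8] ^= 1 << (bit_index % 8)
    a, b = mac_generate(key, message), mac_generate(key, bytes(altered))
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * TAG_LEN)

if __name__ == "__main__":
    k = os.urandom(32)
    m = b"transfer 100 to account 42"      # constructed sample message
    print(mac_receive(k, mac_send(k, m)) == m)                                   # True
    print(tamper_detected(k, m, 3), wrong_key_detected(k, os.urandom(32), m))   # True True
    print(round(avalanche_fraction(k, m, 0), 2))
```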
Limitations of MAC
There are two major limitations of MAC, both due to its symmetric nature of operation:
• Establishment of Shared Secret.
o It can provide message authentication among pre-decided legitimate users
who have a shared key.
o This requires establishment of a shared secret prior to use of the MAC.
• Inability to Provide Non-Repudiation
o Non-repudiation is the assurance that a message originator cannot deny any
previously sent messages and commitments or actions.
o The MAC technique does not provide a non-repudiation service. If the sender and
receiver get involved in a dispute over message origination, MACs cannot provide
proof that a message was indeed sent by the sender.
o Though no third party can compute the MAC, the sender could still deny having sent
the message and claim that the receiver forged it, as it is impossible to determine
which of the two parties computed the MAC.
Both these limitations can be overcome by using public key based digital signatures.
Hash function
➢ Hash functions are extremely useful and appear in almost all information security applications.
➢ A hash function is a mathematical function that converts a numerical input value into another
compressed numerical value. A hash function accepts a variable-size message M as input and
produces a fixed-size output, referred to as a hash code H(M).
➢ A hash code does not use a key but is a function only of the input message.
➢ The hash code is also referred to as a message digest or hash value.
➢ Figure 4.8 shows the generation of a hash value.

Figure 4.8 Generation Hash Value


Features of Hash Functions
The typical features of hash functions are
➢ Fixed Length Output (Hash Value)
• A hash function converts data of arbitrary length to a fixed length. This process is
often referred to as hashing the data.
• In general, the hash is much smaller than the input data, hence hash functions
are sometimes called compression functions.
• Since a hash is a smaller representation of larger data, it is also referred to as a
digest.
• A hash function with n-bit output is referred to as an n-bit hash function.
Popular hash functions generate values between 160 and 512 bits.
➢ Efficiency of Operation
• Generally, for any hash function h with input x, computation of h(x) is a
fast operation.
• Computationally, hash functions are much faster than symmetric encryption.
Basic Uses of Hash Function
(a) Encrypt message plus hash code

Figure 4.9 Encrypt message plus hash code


➢ A -> B:E(K, [M||H(M)])
➢ Provides confidentiality
• Only A and B share K
➢ Provides authentication
➢ H(M) is cryptographically protected

(b) Encrypt hash code shared secret key

Figure 4.10 Encrypt hash code shared secret key


➢ A -> B: M||E(K, H(M))
➢ Provides authentication

➢ H(M) is cryptographically protected
(c) Encrypt hash code sender’s private key

Figure 4.11 Encrypt hash code sender’s private key


➢ A ->B: M||E(PRa, H(M))
➢ Provides authentication and digital signature
➢ H(M) is cryptographically protected
➢ Only A could create E(PRa, H(M))
(d) Encrypt result of (c) shared secret key

Figure 4.12 Encrypt result of (c) with shared secret key

➢ A ->B: E(K, [M||E(PRa, H(M))])


➢ Provides authentication and digital signature
➢ Provides confidentiality
o Only A and B share K
(e) Compute hash code of message plus secret value

Figure 4.13 Compute hash code of message plus secret value

➢ A ->B: M||H(M||S)
➢ Provides authentication
• Only A and B share S
Applications of Hash Functions
There are two direct applications of hash functions based on their cryptographic properties.
Password Storage
Hash functions provide protection for password storage.
• Instead of storing passwords in the clear, almost all logon processes store the hash values of
passwords in the password file.
• The password file consists of a table of pairs of the form (user id, h(P)).
• An intruder can only see the hashes of passwords, even if he gains access to the password file. He can
neither log on using a hash nor derive the password from the hash value, since the hash function
possesses the property of pre-image resistance.
Data Integrity Check
• Data integrity checking is the most common application of hash functions. It is used to
generate checksums on data files. This application provides assurance to the user about the
correctness of the data.
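The two applications above, as an added example that is not part of the notes. The notes describe a table of (user id, h(P)) pairs; this example goes one step further than that description and stores a random per-user salt and uses PBKDF2-HMAC-SHA256, an iterated (deliberately slow) hash, which is how the idea is applied in practice. The in-memory password file, the user names and the document bytes are constructed sample data; the function names are my own.

```python
import hashlib
import hmac
import os

# Constructed in-memory "password file": user id -> (salt, h(P)). A per-user salt means
# equal passwords do not produce equal entries, and the iteration count makes every
# guess cost the attacker ITERATIONS hash computations.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """h(P): salted, iterated hash of the password; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(pw_file: dict, user: str, password: str) -> None:
    """Create the (user id, salt, h(P)) entry; the clear-text password is never kept."""
    salt = os.urandom(16)
    pw_file[user] = (salt, hash_password(password, salt))


def verify_login(pw_file: dict, user: str, password: str) -> bool:
    """Recompute h(P) from the supplied password and compare in constant time."""
    entry = pw_file.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_password(password, salt))


def file_checksum(data: bytes) -> str:
    """Data integrity check: the checksum that is published alongside a file."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """True only if the data still hashes to the published checksum. An unkeyed hash
    detects modification only while the checksum itself is protected (compare the
    basic uses (a)-(e) above); otherwise both file and checksum could be replaced."""
    return hmac.compare_digest(file_checksum(data), expected_hex)


if __name__ == "__main__":
    passwords = {}
    add_user(passwords, "alice", "correct horse battery staple")      # constructed sample
    print("alice, right password:", verify_login(passwords, "alice", "correct horse battery staple"))
    print("alice, wrong password:", verify_login(passwords, "alice", "Tr0ub4dor&3"))
    print("entry holds no clear text:", b"correct" not in passwords["alice"][1])
    doc = b"quarterly report v1"                                        # constructed sample
    published = file_checksum(doc)
    print("integrity intact  :", integrity_ok(doc, published))
    print("integrity tampered:", integrity_ok(doc + b" (edited)", published))
```

The verification path never decodes anything: it re-derives h(P) from the candidate password and compares digests, so a stolen table yields only values that must be attacked by guessing.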
HMAC:
• In recent years, there has been increased interest in developing a MAC derived from a cryptographic
hash function.
• The motivations for this interest are:
1. Cryptographic hash functions such as MD5 and SHA generally execute faster in software than
symmetric block ciphers such as DES.
2. Library code for cryptographic hash functions is widely available.
• RFC 2104 lists the following design objectives for HMAC.
■ To use, without modifications, available hash functions. In particular, to use hash functions that
perform well in software and for which code is freely and widely available.
■ To allow for easy replaceability of the embedded hash function in case faster or more secure hash
functions are found or required.
■ To preserve the original performance of the hash function without incurring a significant
degradation.
■ To use and handle keys in a simple way.
■ To have a well understood cryptographic analysis of the strength of the authentication mechanism
based on reasonable assumptions about the embedded hash function.
HMAC ALGORITHM:

• H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
• IV = initial value input to hash function
• M = message input to HMAC (including the padding specified in the embedded hash function)
• Yi = ith block of M, 0 ≤ i ≤ (L - 1)
• L = number of blocks in M
• b = number of bits in a block
• n = length of hash code produced by embedded hash function
• K = secret key; recommended length is ≥ n; if key length is greater than b, the key is input to the hash
function to produce an n-bit key
• K+ = K padded with zeros on the left so that the result is b bits in length

• HMAC should execute in approximately the same time as the embedded hash function for long
messages. HMAC adds three executions of the hash compression function (for Si, So, and the block
produced from the inner hash). A more efficient implementation is possible, as shown in Figure 12.6.
Two quantities are precomputed:
f(IV, (K+ ⊕ ipad))
f(IV, (K+ ⊕ opad))
where f(cv, block) is the compression function for the hash function, which takes as arguments a
chaining variable of n bits and a block of b bits and produces a chaining variable of n bits. These
quantities only need to be computed initially and every time the key changes. In effect, the
precomputed quantities substitute for the initial value (IV) in the hash function.
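The HMAC construction above, as an added example that is not part of the notes or of RFC 2104's own code: a from-scratch HMAC over any hashlib hash, plus the precomputed form in which the states after absorbing Si and So are kept per key (hashlib's `.copy()` exposes those chaining values, so no access to the raw compression function is needed). Both are cross-checked against the standard library's `hmac` module; function and class names are my own.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # the ipad / opad bytes of RFC 2104


def _k_plus(key: bytes, hash_name: str) -> bytes:
    """K+ : the key brought to exactly b bytes (one block of the embedded hash).
    A key longer than b is first hashed down to n bytes, as the notes state.
    RFC 2104 appends the zero padding after the key bytes; the standard-library
    hmac module used as the reference below does the same."""
    b = hashlib.new(hash_name).block_size
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (b - len(key))


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H((K+ xor opad) || H((K+ xor ipad) || M))."""
    k_plus = _k_plus(key, hash_name)
    s_i = bytes(x ^ IPAD for x in k_plus)      # Si = K+ xor ipad
    s_o = bytes(x ^ OPAD for x in k_plus)      # So = K+ xor opad
    inner = hashlib.new(hash_name, s_i + msg).digest()
    return hashlib.new(hash_name, s_o + inner).digest()


class PrecomputedHMAC:
    """The efficient implementation from the notes: the hash states after absorbing
    Si and So (one block each) are computed once per key, so each message then
    costs only its own blocks plus the two extra compression-function calls."""

    def __init__(self, key: bytes, hash_name: str = "sha256"):
        k_plus = _k_plus(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(x ^ IPAD for x in k_plus))
        self._outer = hashlib.new(hash_name, bytes(x ^ OPAD for x in k_plus))

    def tag(self, msg: bytes) -> bytes:
        inner = self._inner.copy()        # resume from f(IV, K+ xor ipad)
        inner.update(msg)
        outer = self._outer.copy()        # resume from f(IV, K+ xor opad)
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        # constant-time comparison so timing does not reveal how many tag bytes matched
        return hmac.compare_digest(self.tag(msg), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check both implementations against the standard library's hmac."""
    ref = hmac.new(key, msg, hash_name).digest()
    return hmac_rfc2104(key, msg, hash_name) == ref == PrecomputedHMAC(key, hash_name).tag(msg)


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"constructed demo message"
    mac = PrecomputedHMAC(key)
    t = mac.tag(msg)
    print("from-scratch and precomputed match stdlib:", matches_stdlib(key, msg))
    print("long key (hashed first) matches stdlib   :", matches_stdlib(b"\xaa" * 200, msg, "sha512"))
    print("tag verifies                             :", mac.verify(msg, t))
    print("tampered message rejected                :", not mac.verify(msg + b"!", t))
```

Replacing the embedded hash is a one-argument change (`hash_name`), which is the replaceability objective from the RFC 2104 list above.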

SECURITY OF HMAC:

• The security of any MAC function based on an embedded hash function depends in some way on the
cryptographic strength of the underlying hash function. The appeal of HMAC is that its designers
have been able to prove an exact relationship between the strength of the embedded hash function and
the strength of HMAC.
• The security of a MAC function is generally expressed in terms of the probability of successful
forgery with a given amount of time spent by the forger and a given number of message-tag pairs
created with the same key. In essence, it is proved in [BELL96a] that for a given level of effort (time,
message-tag pairs) on messages generated by a legitimate user and seen by the attacker, the
probability of successful attack on HMAC is equivalent to one of the following attacks on the
embedded hash function.
1. The attacker is able to compute an output of the compression function even with an IV that is
random, secret, and unknown to the attacker.
2. The attacker finds collisions in the hash function even when the IV is random and secret.

SHA:
SHA was developed by the National Institute of Standards and Technology (NIST) and published as
a federal information processing standard (FIPS 180) in 1993.
SHA-512 Logic
The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces
as output a 512-bit message digest. The input is processed in 1024-bit blocks.

Step 1 Append padding bits.

The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)].
Padding is always added, even if the message is already of the desired length. Thus, the number of
padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the
necessary number of 0 bits.
Step 2 Append length.
A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer
(most significant byte first) and contains the length of the original message in bits (before the
padding). The outcome of the first two steps yields a message that is an integer multiple of 1024 bits
in length. In Figure 11.9, the expanded message is represented as the sequence of 1024-bit blocks M1,
M2, ..., MN, so that the total length of the expanded message is N × 1024 bits.
Step 3 Initialize hash buffer.
A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be
represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to the following 64-bit integers (hexadecimal values)
Step 4 Process message in 1024-bit (128-byte) blocks.
The heart of the algorithm is a module that consists of 80 rounds. Each round takes as input the 512-
bit buffer value, abcdefgh, and updates the contents of the buffer. At input to the first round, the buffer
has the value of the intermediate hash value, Hi-1. Each round t makes use of a 64-bit value Wt,
derived from the current 1024-bit block being processed (Mi).
Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79 indicates one of the 80
rounds. These words represent the first 64 bits of the fractional parts of the cube roots of the first 80
prime numbers. The constants provide a "randomized" set of 64-bit patterns, which should eliminate
any regularities in the input data.
The output of the eightieth round is added to the input to the first round (Hi-1) to produce Hi. The
addition is done independently for each of the eight words in the buffer with each of the corresponding
words in Hi-1, using addition modulo 2^64.
Step 5 Output.
After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message
digest. We can summarize the behavior of SHA-512 as follows:
H0 = IV
Hi = SUM64(Hi-1, abcdefghi)
MD = HN
where IV = initial value of the abcdefgh buffer, defined in step 3
abcdefghi = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value

Two observations can be made about the round function.
1. Six of the eight words of the output of the round function involve a simple permutation (b, c, d, f, g,
h) by means of rotation. This is indicated by shading in Figure 11.11.
2. Only two of the output words (a, e) are generated by substitution. Word e is a function of input
variables (d, e, f, g, h), as well as the round word Wt and the constant Kt. Word a is a function of all
of the input variables except d, as well as the round word Wt and the constant Kt.
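Steps 1 to 5 above carried through in code, as an added example that is not part of the notes: a complete SHA-512 that derives the 80 round constants Kt from the cube roots of the first 80 primes exactly as the text describes (and the eight initial registers, which the notes do not list, from the square roots of the first 8 primes), and checks its digests against hashlib. The rotation amounts of the round function, which the notes only show in the figure, are the FIPS 180 values; helper names are my own.

```python
import hashlib

MASK64 = (1 << 64) - 1


def _first_primes(count: int) -> list:
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def _iroot(n: int, k: int) -> int:
    """Integer k-th root, floor(n ** (1/k)), by Newton's method on integers."""
    x = 1 << ((n.bit_length() + k - 1) // k)      # an overestimate to start from
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y


def _frac_bits(x: int, k: int) -> int:
    """First 64 bits of the fractional part of the k-th root of x."""
    return _iroot(x << (64 * k), k) & MASK64


# Round constants Kt (cube roots of the first 80 primes) and the initial hash buffer
# a..h (square roots of the first 8 primes), both as 64-bit fractional parts.
K = [_frac_bits(p, 3) for p in _first_primes(80)]
H0 = [_frac_bits(p, 2) for p in _first_primes(8)]


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512(message: bytes) -> bytes:
    # Step 1: a single 1 bit, then 0 bits, up to 896 (mod 1024) bits = 112 (mod 128) bytes.
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    # Step 2: the original length in bits as a 128-bit big-endian integer.
    padded += (len(message) * 8).to_bytes(16, "big")
    assert len(padded) % 128 == 0                   # N blocks of 1024 bits
    # Step 3: initialize the 512-bit hash buffer (a, b, c, d, e, f, g, h).
    H = list(H0)
    # Step 4: process each 1024-bit block with 80 rounds.
    for off in range(0, len(padded), 128):
        block = padded[off:off + 128]
        W = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
        for t in range(16, 80):                     # message schedule: 16 words expanded to 80
            s0 = _rotr(W[t - 15], 1) ^ _rotr(W[t - 15], 8) ^ (W[t - 15] >> 7)
            s1 = _rotr(W[t - 2], 19) ^ _rotr(W[t - 2], 61) ^ (W[t - 2] >> 6)
            W.append((W[t - 16] + s0 + W[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, h = H
        for t in range(80):
            ch = (e & f) ^ (~e & g)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t1 = (h + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ch + K[t] + W[t]) & MASK64
            t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + maj) & MASK64
            # observation 1: b, c, d, f, g, h are rotated in; observation 2: only a and e are new
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
        # Hi = SUM64(Hi-1, abcdefgh_i): word-wise addition modulo 2^64
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    # Step 5: MD = HN, the eight 64-bit words concatenated.
    return b"".join(word.to_bytes(8, "big") for word in H)


def matches_hashlib(message: bytes) -> bool:
    return sha512(message) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    print("K[0]  = %016x" % K[0])
    print("SHA-512('abc') =", sha512(b"abc").hex())
    print("agrees with hashlib on 3 KiB input:", matches_hashlib(bytes(range(256)) * 12))
```

The padding boundary is worth testing explicitly: a 111-byte message pads within one block, a 112-byte message needs a second block because the 1 bit and the 16-byte length no longer fit.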

Digital signature

➢ A digital signature is an authentication mechanism that enables the creator of a message to
attach a code, which acts as a signature.
➢ A digital signature is a cryptographic value that is calculated from the data and a secret key
known only by the signer.
➢ The signature is formed by taking the hash of the message and encrypting that hash with the
creator's private key.
➢ A signature guarantees that the original content of the message or document that has been sent
is unchanged.

Properties of a Digital Signature

• Verify author, date & time of signature


• Authenticate message contents at the time of signature
• Be verified by third parties to resolve disputes

Requirements of DS

➢ The signature must be a bit pattern that depends on the message being signed.
➢ The signature must use some information unique to the sender
- to prevent both forgery and denial
➢ It must be relatively easy to produce the DS.
➢ It must be relatively easy to recognize and verify the DS.
➢ It must be computationally infeasible to forge
• with a new message for an existing digital signature
• with a fraudulent digital signature for a given message

Approaches to Digital Signatures: two categories

1. Direct Digital Signatures
2. Arbitrated Digital Signatures

➢ A direct digital signature involves only two parties, one to send the message and the other
to receive it. In a direct digital signature both parties trust each other and know each other's
public key. Figure 4.21 shows the DDS approach.

➢ The sender generates a hash code, which acts as the signature, encrypts it with the sender's
private key and sends it to the receiver.

➢ The receiver generates the hash code from the message and compares it with the sender's hash code.
➢ Here, decryption is done with the sender's public key.
Arbitrated Digital Signatures
➢ The Arbitrated Digital Signature includes three parties: the sender, the receiver and an arbiter who
becomes the medium for sending and receiving messages between them. The messages are less prone
to corruption because of the timestamp that is included by default.

Figure 4.22 Arbitrated Digital Signature


➢ It involves the use of an arbiter who
• validates any signed message
• which is then dated and sent to the recipient
➢ Requires a suitable level of trust in the arbiter
➢ It can be implemented with either private or public-key algorithms
➢ The arbiter may or may not see the message
There are three different arbitrated DS schemes
1) Conventional Encryption, Arbiter Sees Message
In this technique, symmetric encryption is used.

Drawback
A can read the message from X to Y like an eavesdropper
2) Conventional Encryption, Arbiter does not see message

3) Public key Encryption, Arbiter does not see message

Digital Signature Standard (DSS)
➢ The Digital Signature Standard (DSS) is the digital signature algorithm (DSA) developed by the
U.S. National Security Agency (NSA) to generate a digital signature for the
authentication of electronic documents. The DSS makes use of the Secure Hash Algorithm
(SHA) and presents a new digital signature technique.
Two approaches to Digital Signature
• DSS Approach
• RSA Approach
DSS Approach
➢ Figure 4.24 contrasts the DSS approach for generating digital signatures with that used with RSA.
➢ It makes use of a hash function.
➢ The hash code is provided as input to a signature function along with a random number k
generated for this particular signature.
➢ The signature function also depends on the sender's private key (PRa) and a set of
parameters known to a group of communicating principals, which together constitute a global public key
(PUG).
➢ The resulting signature contains two components, s and r.
➢ The output of the verification function is a value that is equal to the signature component r if the
signature is valid.

Fig: 4.25 DSS Approach


RSA Approach
➢ In the RSA approach, the message to be signed is input to a hash function that produces a
secure hash code of fixed length.
➢ This hash code is then encrypted using the sender's private key to form the signature. Both
the message and the signature are then transmitted.
➢ The recipient takes the message and produces a hash code. The recipient also decrypts the
signature using the sender's public key.
➢ If the calculated hash code matches the decrypted signature, the signature is accepted as
valid.

Fig:4.26 RSA Approach

➢ Because only the sender knows the private key, only the sender could have produced a valid
signature. Figure 4.26 shows the RSA approach.
Digital Signature Algorithm
➢ There are three parameters that are public and can be common to a group of users.
➢ A 160-bit prime number q is chosen.
➢ Then, a prime number p is selected with a length between 512 and 1024 bits such that
q divides (p - 1).

➢ Choose g = h^((p-1)/q) mod p, where 1 < h < p - 1 and h^((p-1)/q) mod p > 1

Private key
• choose random private key x where x < q
Public key
• compute public key: y = g^x mod p

➢ To create a signature, a user calculates two quantities r and s, that are functions of the public
key components (p, q, g), the user's private key (x), the hash code of the message, H(M), and an
additional integer k that should be generated randomly or pseudorandomly and be unique for
each signing.
Compute the signature pair:

r = (g^k mod p) mod q

s = [k^-1 (H(M) + xr)] mod q

➢ Now, send the signature (r, s) with the message M
Signature Verification
➢ After receiving M and the signature (r, s), the recipient needs to verify the signature and
computes:
w = s^-1 mod q
u1 = [H(M) w] mod q
u2 = (r w) mod q
v = [(g^u1 y^u2) mod p] mod q
➢ If v = r then the signature is verified. Figure 4.27 shows DSS Signing and Verifying.

(a) Signing (b) Verifying


Fig: 4.27 DSS Signing and Verifying
Schnorr Digital Signature Scheme - ElGamal cryptosystem
As with the ElGamal digital signature scheme, the Schnorr signature scheme is based on discrete logarithms [SCHN89,
SCHN91]. The Schnorr scheme minimizes the message-dependent amount of computation required to generate a
signature.
The main work for signature generation does not depend on the message and can be done during the idle time
of the processor. The message-dependent part of the signature generation requires multiplying a 2n-bit integer with
an n-bit integer. The scheme is based on using a prime modulus p, with p - 1 having a prime factor q of appropriate
size; that is, p - 1 ≡ 0 (mod q). Typically, we use p ≈ 2^1024 and q ≈ 2^160. Thus, p is a 1024-bit number, and q is a
160-bit number, which is also the length of the SHA-1 hash value.

ELGAMAL
The ElGamal encryption scheme is designed to enable encryption by a user's public key with decryption by the user's
private key. The ElGamal signature scheme involves the use of the private key for digital signature generation and
the public key for digital signature verification [ELGA84, ELGA85]. Before proceeding, we need a result from
number theory.
For a prime number q, if a is a primitive root of q, then a, a^2, ..., a^(q-1)

Biometrics

➢ Biometrics is the measurement of physiological or behavioral features that identify a
person (authentication something inherent).
➢ It measures features that cannot be guessed, stolen or shared.
➢ Figure 4.40 shows the classification of biometrics.
Components
➢ Several components are needed for biometrics, including capturing devices, processors and
storage devices.
➢ Capturing devices such as readers or sensors measure biometrics features. Processors
change the measured features to the type of data appropriate for saving.
➢ Storage devices save the result of processing for authentication.
Challenge Response protocols
➢ In challenge-response authentication, the claimant proves that she knows a secret without
sending it to the verifier.
➢ The challenge is a time-varying value sent by the verifier; the response is the result of a
function applied on the challenge.

Kerberos
➢ It is a network authentication protocol designed to allow users, clients and servers to
authenticate themselves to each other through a trusted third party.
➢ Kerberos was designed and developed as part of Project Athena at MIT.
➢ It relies on symmetric encryption, using no public keys.
➢ It provides centralised private-key third-party authentication in a distributed network.
➢ The current version of Kerberos is version 5; version 4 was the first version to be released outside of MIT.
➢ This mutual authentication is done using secret key cryptography, with parties proving to each
other their identity across an insecure network.
➢ Communication between the client and server can be secure after the client and server have
used Kerberos to prove their identity.
Kerberos Requirements
➢ Security - strong enough to stop potential eavesdroppers from finding it to be a weak
link.
➢ Reliability - highly reliable, employing a distributed server where one server is able to back
up another.
➢ Transparency - the user is not aware that authentication is taking place beyond providing a
password.
➢ Scalability - accept and support new clients and servers.
• To meet these requirements, the Kerberos designers proposed a third-party trusted
authentication service to arbitrate between the client and server in their mutual
authentication.

Kerberos Version 4
Kerberos Overview
➢ Kerberos Version 4 makes use of DES to provide the authentication service. Figure
4.41 shows an overview of Kerberos.
A Simple Authentication Dialogue
➢ For a secure transaction, the server should confirm the client and its request. In an unprotected
network this creates a burden on the server, therefore an authentication server (AS) is used.
➢ The authentication server (AS) maintains the passwords of all users in a centralized database. Also,
the authentication server shares a unique secret key with each server.

➢ (1) C -> AS: IDC || PC || IDV
➢ (2) AS -> C: Ticket
➢ (3) C -> V: IDC || Ticket
➢ Ticket = E(K(V), [IDC || ADC || IDV])

❖ C = client
❖ AS = authentication server
❖ IDC = identifier of user on C
❖ IDV = identifier of server V
❖ PC = password of user on C
❖ ADC = network address of C
❖ K(V) = secret encryption key shared by AS and V

• C asks the user for the password
• AS checks that the user supplied the right password
• The ticket cannot be altered by C or an adversary

Figure 4.41 Overview of Kerberos

Secure Authentication Dialogue

➢ The new service, TGS, issues tickets to users who have been authenticated to the AS.
Thus, the user first requests a ticket-granting ticket (Tickettgs) from the AS. The client
module in the user workstation saves this ticket. Each time the user requires access to
a new service, the client applies to the TGS, using the ticket to authenticate itself.
➢ The TGS then grants a ticket for the particular service. The client saves each service-
granting ticket and uses it to authenticate its user to a server each time a particular
service is requested. The client requests a ticket-granting ticket on behalf of the user
by sending its user's ID and password to the AS, together with the TGS ID, indicating
a request to use the TGS service.

➢ The AS responds with a ticket that is encrypted with a key that is derived from the
user's password. When this response arrives at the client, the client prompts the user
for his or her password, generates the key, and attempts to decrypt the incoming
message. If the correct password is supplied, the ticket is successfully recovered.
➢ The ticket itself consists of the ID and network address of the user, and the ID of the
TGS.

Once per user logon session:
(1) C -> AS: IDC||IDtgs
(2) AS -> C: E(Kc, Tickettgs)
Once per type of service:
(3) C ->TGS: IDC||IDV||Tickettgs
(4) TGS -> C: Ticketv
Once per service session:
(5) C -> V: IDC||Ticketv

Tickettgs = E(Ktgs, [IDC||ADC||IDtgs||TS1||Lifetime1])


Ticketv = E(Kv, [IDC||ADC||IDv||TS2||Lifetime2])
Kerberos Realms
➢ A Kerberos realm is a set of managed nodes that share the same Kerberos database.
The Kerberos database resides on the Kerberos master computer system, which
should be kept in a physically secure room.
➢ A read-only copy of the Kerberos database might also reside on other Kerberos
computer systems. However, all changes to the database must be made on the
master computer system.
➢ Changing or accessing the contents of a Kerberos database requires the Kerberos
master password.

➢ A Kerberos principal is a service or user that is known to the Kerberos system. Each
Kerberos principal is identified by its principal name. Principal names consist of three parts: a
service or user name, an instance name, and a realm name.

Fig. 4.42 Request for service in another realm


The details of the exchanges illustrated in Figure 4.42 are as follows:
(1) C -> AS: IDc||IDtgs||TS1
(2) AS -> C: E(Kc, [Kc,tgs||IDtgs||TS2||Lifetime2||Tickettgs])
(3) C -> TGS: IDtgsrem||Tickettgs||Authenticatorc
(4) TGS -> C: E(Kc,tgs, [Kc,tgsrem||IDtgsrem||TS4||Tickettgsrem])

(5) C ->TGSrem: IDvrem||Tickettgsrem||Authenticatorc


(6) TGSrem -> C: E(Kc,tgsrem, [Kc,vrem||IDvrem||TS6||Ticketvrem])
(7) C -> Vrem: Ticketvrem||Authenticatorc

Kerberos Version 5
Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over
version 4.
Version 5 is intended to address the limitations of version 4 in two areas: environmental
shortcomings and technical deficiencies.
Environmental Shortcomings
1. Encryption system dependence: Version 4 requires the use of DES. Export restriction
on DES as well as doubts about the strength of DES were thus of concern. In version 5,
ciphertext is tagged with an encryption type identifier so that any encryption technique
may be used. Encryption keys are tagged with a type and a length, allowing the same
key to be used in different algorithms and allowing the specification of different
variations on a given algorithm.
2. Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP)
addresses. Other address types, such as the ISO network address, are not accommodated.
Version 5 network addresses are tagged with type and length, allowing any network
address type to be used.
3. Message byte ordering: In version 4, the sender of a message employs a byte ordering
of its own choosing and tags the message to indicate least significant byte in lowest
address or most significant byte in lowest address. This technique works but does not
follow established conventions. In version 5, all message structures are defined using
Abstract Syntax Notation One (ASN.1) and Basic Encoding Rules (BER), which provide
an unambiguous byte ordering.
4. Ticket lifetime: Lifetime values in version 4 are encoded in an 8-bit quantity in units of
five minutes. Thus, the maximum lifetime that can be expressed is 2^8 x 5
= 1280 minutes, or a little over 21 hours. This may be inadequate for some applications
(e.g., a long-running simulation that requires valid Kerberos credentials throughout
execution). In version 5, tickets include an explicit start time and end time, allowing
tickets with arbitrary lifetimes.
5. Authentication forwarding: Version 4 does not allow credentials issued to one client to
be forwarded to some other host and used by some other client. This capability would
enable a client to access a server and have that server access another server on behalf of
the client.
6. Interrealm authentication: In version 4, interoperability among N realms requires on
the order of N^2 Kerberos-to-Kerberos relationships, as described earlier. Version 5
supports a method that requires fewer relationships, as described shortly.
Technical Deficiencies
1. Double encryption: The tickets provided to clients are encrypted twice, once with the
secret key of the target server and then again with a secret key known to the client. The
second encryption is not necessary and is computationally wasteful.
2. PCBC encryption: Encryption in version 4 makes use of a nonstandard mode of DES
known as propagating cipher block chaining (PCBC). It has been demonstrated that this
mode is vulnerable to an attack involving the interchange of ciphertext blocks. Version 5
provides explicit integrity mechanisms, allowing the standard CBC mode to be used for
encryption.
3. Session keys: Each ticket includes a session key that is used by the client to encrypt the
authenticator sent to the service associated with that ticket. In addition, the session key may
subsequently be used by the client and the server to protect messages passed during that
session. However, because the same ticket may be used repeatedly to gain service from a
particular server, there is the risk that an opponent will replay messages from an old session
to the client or the server. In version 5, it is possible for a client and server to negotiate a
sub-session key, which is to be used only for that one connection.
4. Password attacks: Both versions are vulnerable to a password attack.

Key management and distribution – Symmetric key distribution using symmetric and asymmetric encryption
For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be
protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data
compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the key
distribution technique, a term that refers to the means of delivering a key to two parties who wish to exchange data
without allowing others to see the key.
For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other,
encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links
to A and B.

The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in Figure
14.3, which is based on a figure in [POPE79].
The scenario assumes that each user shares a unique master key with the key distribution center (KDC). Let
us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect
the data transmitted over the connection.

A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the
KDC. The following steps occur.
1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes
the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may
be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to
prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice
for a nonce.
2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read
the message, and A knows that it originated at the KDC. The message includes two items intended for A:
■ The one-time session key, Ks, to be used for the session
■ The original request message, including the nonce, to enable A to match this response with the appropriate
request.
Thus, A can verify that its original request was not altered before reception by the KDC and, because of the
nonce, that this is not a replay of some previous request. In addition, the message includes two items intended for B:
■ The one-time session key, Ks, to be used for the session
■ An identifier of A (e.g., its network address), IDA
These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be
sent to B to establish the connection and prove A's identity.

3. A stores the session key for use in the upcoming session and forwards to B the information that originated
at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from
eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the
information originated at the KDC (because it is encrypted using Kb). At this point, a session key has been securely
delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:
4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2
(e.g., adding one).
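The five-step KDC exchange above, run end to end as an added example that is not part of the notes. The symmetric cipher E(K, ...) of the notes (the same role DES plays in the Kerberos dialogues earlier) is stood in for by a constructed teaching primitive built from the standard library only: an HMAC-SHA256 keystream plus an encrypt-then-MAC tag, so a message under the wrong key or a modified message is rejected rather than decrypted to garbage. Message fields travel as JSON with binary values in hex; the principal names, the `KDC` class and all function names are my own, and a production system would use a real AEAD such as AES-GCM.

```python
import hmac
import json
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + nonce + struct.pack(">I", i), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def E(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for E(K, ...): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag


def D(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        raise ValueError("not produced under this key, or modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def enc(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def dec(raw: bytes):
    return json.loads(raw.decode())


class KDC:
    """Holds one master key per registered principal (Ka, Kb, ...)."""

    def __init__(self):
        self.master = {}

    def register(self, ident: str) -> bytes:
        self.master[ident] = os.urandom(32)
        return self.master[ident]

    def session_key_reply(self, request: dict) -> bytes:
        """Step 2: E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ks = os.urandom(32)
        for_b = E(self.master[request["IDB"]], enc({"Ks": ks.hex(), "IDA": request["IDA"]}))
        return E(self.master[request["IDA"]],
                 enc({"Ks": ks.hex(), "request": request, "forB": for_b.hex()}))


def a_process_reply(ka: bytes, sent_request: dict, reply: bytes) -> tuple:
    """A's side of step 2: decrypt, then match the echoed request (including N1) against
    what A actually sent, so an altered request or a replayed old reply is rejected."""
    msg = dec(D(ka, reply))
    if msg["request"] != sent_request:
        raise ValueError("reply does not match the outstanding request (possible replay)")
    return bytes.fromhex(msg["Ks"]), bytes.fromhex(msg["forB"])


def run_exchange(kdc: KDC, ida: str, ka: bytes, idb: str, kb: bytes) -> bool:
    # Step 1: A -> KDC: IDA || IDB || N1  (N1 random: differs per request and is not guessable)
    request = {"IDA": ida, "IDB": idb, "N1": os.urandom(16).hex()}
    # Step 2: KDC -> A
    ks_a, for_b = a_process_reply(ka, request, kdc.session_key_reply(request))
    # Step 3: A -> B: E(Kb, [Ks || IDA]); B learns Ks and that the KDC vouches for A
    b_view = dec(D(kb, for_b))
    if b_view["IDA"] != ida:
        return False
    ks_b = bytes.fromhex(b_view["Ks"])
    # Step 4: B -> A: E(Ks, N2)
    n2 = int.from_bytes(os.urandom(8), "big")
    challenge = E(ks_b, n2.to_bytes(8, "big"))
    # Step 5: A -> B: E(Ks, f(N2)) with f(N2) = N2 + 1, proving A holds the same Ks
    n2_seen = int.from_bytes(D(ks_a, challenge), "big")
    response = E(ks_a, ((n2_seen + 1) & (2 ** 64 - 1)).to_bytes(8, "big"))
    return int.from_bytes(D(ks_b, response), "big") == ((n2 + 1) & (2 ** 64 - 1))


if __name__ == "__main__":
    kdc = KDC()
    ka, kb = kdc.register("A"), kdc.register("B")     # master keys delivered out of band
    print("session established and key confirmed:", run_exchange(kdc, "A", ka, "B", kb))
```

Steps 4 and 5 are what turn key distribution into key confirmation: B only learns that A really holds Ks when A returns f(N2) under that key, and the fresh N2 means a recording of an earlier session cannot be replayed in its place.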

Hierarchical Key Control:

As an alternative, a hierarchy of KDCs can be established. For example, there can be local KDCs, each
responsible for a small domain of the overall internetwork, such as a single LAN or a single building. For
communication among entities within the same local domain, the local KDC is responsible for key distribution. If
two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a
global KDC.
In this case, any one of the three KDCs involved can actually select the key. The hierarchical concept can be
extended to three or even more layers, depending on the size of the user population and the geographic scope of the
internetwork. A hierarchical scheme minimizes the effort involved in master key distribution, because most master
keys are those shared by a local KDC with its local entities. Furthermore, such a scheme limits the damage of a faulty
or subverted KDC to its local area only.
Session Key Life Time
On the other hand, the distribution of session keys delays the start of any exchange and places a burden on
network capacity. A security manager must try to balance these competing considerations in determining the lifetime
of a particular session key.
For connection-oriented protocols, one obvious choice is to use the same session key for the length of time
that the connection is open, using a new session key for each new session. If a logical connection has a very long
lifetime, then it would be prudent to change the session key periodically, perhaps every time the PDU (protocol data
unit) sequence number cycles. For a connectionless protocol, such as a transaction-oriented protocol, there is no
explicit connection initiation or termination.

The most secure approach is to use a new session key for each exchange. However, this negates one of the
principal benefits of connectionless protocols, which is minimum overhead and delay for each transaction. A better
strategy is to use a given session key for a certain fixed period only or for a certain number of transactions.
A Transparent Key Control Scheme
The approach suggested in Figure 14.3 has many variations, one of which is described in this subsection.
The scheme (Figure 14.4) is useful for providing end-to-end encryption at a network or transport level in a
way that is transparent to the end users. The approach assumes that communication makes use of a connection-
oriented end-to-end protocol, such as TCP. The noteworthy element of this approach is a session security module
(SSM), which may consist of functionality



Decentralized Key Control
The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from
subversion. This requirement can be avoided if key distribution is fully decentralized. Although full decentralization
is not practical for larger networks using symmetric encryption only, it may be useful within a local context.
A decentralized approach requires that each end system be able to communicate in a secure manner with all
potential partner end systems for purposes of session key distribution. Thus, there may need to be as many as
[n(n - 1)]/2 master keys for a configuration with n end systems. A session key may be established with the following
sequence of steps (Figure 14.5).
1. A issues a request to B for a session key and includes a nonce, N1.
2. B responds with a message that is encrypted using the shared master key. The response includes the session key
selected by B, an identifier of B, the value f(N1), and another nonce, N2.
3. Using the new session key, A returns f(N2) to B.
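Both symmetric schemes above, the five-step KDC exchange and the three-message decentralized exchange, run end to end in the following added example; it is not code from the lecture notes. It assumes one-byte identifiers, 64-bit nonces, f(N) = N + 1, master keys pre-shared out of band, and a toy authenticated cipher built from SHA-256 in counter mode plus HMAC that stands in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stand-in for a real block cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(K, M): encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """D(K, C): verify the tag before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or altered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def f(nonce: bytes) -> bytes:
    """The transformation f(N) of the hand-shake: N + 1 (mod 2^64)."""
    return ((int.from_bytes(nonce, "big") + 1) % 2**64).to_bytes(8, "big")


def kdc_scheme() -> dict:
    """Steps 1-5 of the KDC scheme, with A, B and the KDC in one process."""
    ida, idb = b"A", b"B"
    ka, kb = os.urandom(32), os.urandom(32)      # master keys shared with the KDC
    # (1) A -> KDC : IDA || IDB || N1  (sent in the clear)
    n1 = os.urandom(8)
    # (2) KDC -> A : E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
    ks = os.urandom(32)
    ticket_for_b = encrypt(kb, ks + ida)
    msg2 = encrypt(ka, ks + idb + n1 + ticket_for_b)
    # A opens message 2 and checks that it answers this request, not an old one
    body = decrypt(ka, msg2)
    ks_a, idb_back, n1_back, ticket = body[:32], body[32:33], body[33:41], body[41:]
    if idb_back != idb or n1_back != n1:
        raise ValueError("KDC reply does not match the request: possible replay")
    # (3) A -> B : E(Kb, [Ks || IDA]); A forwards it unchanged and cannot read it
    inner = decrypt(kb, ticket)
    ks_b, peer_seen_by_b = inner[:32], inner[32:]
    # (4) B -> A : E(Ks, N2)
    n2 = os.urandom(8)
    msg4 = encrypt(ks_b, n2)
    # (5) A -> B : E(Ks, f(N2)), proving that A holds Ks now and step 3 was no replay
    msg5 = encrypt(ks_a, f(decrypt(ks_a, msg4)))
    return {"same_key": ks_a == ks_b,
            "peer_seen_by_b": peer_seen_by_b,
            "handshake_ok": decrypt(ks_b, msg5) == f(n2)}


def decentralized_scheme() -> dict:
    """The three-message scheme over the master key MKm shared by A and B."""
    mkm = os.urandom(32)
    # (1) A -> B : IDA || N1  (in the clear)
    n1 = os.urandom(8)
    # (2) B -> A : E(MKm, [Ks || IDB || f(N1) || N2])
    ks, n2 = os.urandom(32), os.urandom(8)
    msg2 = encrypt(mkm, ks + b"B" + f(n1) + n2)
    body = decrypt(mkm, msg2)
    ks_a, fn1, n2_a = body[:32], body[33:41], body[41:49]
    if fn1 != f(n1):
        raise ValueError("reply is not a fresh answer to N1")
    # (3) A -> B : E(Ks, f(N2))
    msg3 = encrypt(ks_a, f(n2_a))
    return {"same_key": ks_a == ks, "b_confirms_a": decrypt(ks, msg3) == f(n2)}


def tamper_detected() -> bool:
    """Flipping one ciphertext bit of a ticket must make decrypt() refuse it."""
    key = os.urandom(32)
    blob = encrypt(key, b"Ks||IDA")
    forged = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    try:
        decrypt(key, forged)
    except ValueError:
        return True
    return False
```

The nonce checks are where the security lives: A rejects a KDC reply that does not echo N1 and IDB, and B only accepts the session once it sees f(N2) under Ks. Note that the decentralized variant needs a distinct master key for every pair, which is the n(n - 1)/2 cost mentioned above.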

SYMMETRIC KEY DISTRIBUTION USING ASYMMETRIC ENCRYPTION

An extremely simple scheme was put forward by Merkle [MERK79], as illustrated in Figure 14.7. If A wishes to
communicate with B, the following procedure is employed:
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier
of A, IDA.
2. B generates a secret key, Ks, and transmits it to A encrypted with A's public key, E(PUa, Ks).
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B
will know the identity of Ks.
4. A discards PUa and PRa, and B discards PUa.
This scheme protects Ks against a passive eavesdropper, but it provides no authentication: an adversary who can
intercept message 1 can substitute its own public key, learn Ks when B replies, and then re-encrypt Ks under PUa so
that neither A nor B notices the man in the middle.

Secret Key Distribution with Confidentiality and Authentication
Assuming that A and B have already exchanged public keys by one of the schemes described in the next section,
the following steps occur.

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is
used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by
B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the
correspondent is B.
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key
ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key. The result is that this scheme ensures both
confidentiality and authentication in the exchange of a secret key.
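The five-message exchange just described, run with both parties in one process, as an added example that is not code from the lecture notes. It assumes textbook RSA with e = 65537 over fixed Mersenne primes (no padding, far too small for real use), 32-bit nonces, a 64-bit session key and one-byte identifiers; B's modulus is chosen larger than A's so that the inner value E(PRa, Ks) always fits under E(PUb, ...). Real systems use padded RSA (OAEP for encryption, PSS for signatures) or an authenticated key-exchange protocol rather than raw double encryption.

```python
import random
from dataclasses import dataclass

E = 65537


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key generation from two primes (assumed prime here)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(p * q, E, pow(E, -1, phi))     # raises ValueError if gcd(e, phi) != 1


def rsa(x: int, exp: int, n: int) -> int:
    """E(PU, x) = x^e mod n and D(PR, x) = x^d mod n; x must be below n."""
    if not 0 <= x < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(x, exp, n)


def pack(*fields: int) -> int:
    """Concatenate 32-bit fields into one integer, e.g. IDA || N1."""
    v = 0
    for fld in fields:
        if not 0 <= fld < 2**32:
            raise ValueError("field does not fit in 32 bits")
        v = (v << 32) | fld
    return v


def unpack(v: int, count: int) -> tuple:
    return tuple((v >> (32 * i)) & 0xFFFFFFFF for i in reversed(range(count)))


def run_exchange(seed: int = 7) -> dict:
    """Messages 1-5 of the scheme; returns what each side concluded."""
    rng = random.Random(seed)
    ID_A = 0x41
    A = make_keypair(2**31 - 1, 2**61 - 1)     # n_A is about 2^92
    B = make_keypair(2**89 - 1, 2**107 - 1)    # n_B is about 2^196 > n_A
    # (1) A -> B : E(PUb, [IDA || N1])
    n1 = rng.getrandbits(32)
    m1 = rsa(pack(ID_A, n1), B.e, B.n)
    ida_seen, n1_seen = unpack(rsa(m1, B.d, B.n), 2)       # B decrypts with PRb
    # (2) B -> A : E(PUa, [N1 || N2])
    n2 = rng.getrandbits(32)
    m2 = rsa(pack(n1_seen, n2), A.e, A.n)
    n1_back, n2_seen = unpack(rsa(m2, A.d, A.n), 2)        # A decrypts with PRa
    a_believes_b = n1_back == n1      # only the holder of PRb could have read N1
    # (3) A -> B : E(PUb, N2)
    m3 = rsa(n2_seen, B.e, B.n)
    b_believes_a = rsa(m3, B.d, B.n) == n2   # only the holder of PRa could have read N2
    # (4) A -> B : M = E(PUb, E(PRa, Ks)); the inner value is < n_A < n_B
    ks = rng.getrandbits(64)
    m4 = rsa(rsa(ks, A.d, A.n), B.e, B.n)
    # (5) B : D(PUa, D(PRb, M))
    ks_recovered = rsa(rsa(m4, B.d, B.n), A.e, A.n)
    return {"ks_sent": ks, "ks_recovered": ks_recovered, "ida_seen": ida_seen,
            "a_believes_b": a_believes_b, "b_believes_a": b_believes_a}
```

One caveat the notes' step 5 glosses over: with unpadded RSA, B cannot tell a genuine Ks from garbage, because D(PUa, x) succeeds on any x. The authentication comes from the nonce round trip in messages 1 to 3 and, in practice, from a padded signature scheme that makes a forged inner value detectable.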

Distribution of Public Keys


Several techniques have been proposed for the distribution of public keys which can mostly be
grouped into the categories shown.



1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
Public Announcement
The point of public-key encryption is that the public key is public; hence any participant can send
his or her public key to any other participant, or broadcast the key to the community at large, e.g., by
appending PGP keys to email messages or posting them to newsgroups or mailing lists.
Figure 3.5 illustrates the public key distribution

Figure 3.5 Uncontrolled Public Key Distribution

Its major weakness is forgery: anyone could pretend to be user A and send a public key to another
participant or broadcast such a public key. Until the forgery is discovered, the impostor can read messages
intended for A and can masquerade as A.
Publicly Available Directory
The user obtains greater security by registering keys with a public directory. The directory must be
trusted and has the following properties: the authority maintains a directory with a {name, public key} entry
for each participant; each participant registers a public key with the directory authority, in person or by some
form of secure authenticated communication; and a participant may replace the existing key with a new one at
any time, either because the key has already been used for a large amount of data or because the corresponding
private key has been compromised in some way.

Participants could also access the directory electronically. For this purpose, secure, authenticated
communication from the authority to the participant is mandatory.
Figure 3.6 illustrates the public key publication



Figure 3.6 Public Key Publications
This scheme is clearly more secure than individual public announcements but still has
vulnerabilities. If an adversary succeeds in obtaining or computing the private key of the directory
authority, the adversary could authoritatively pass out counterfeit public keys and subsequently
impersonate any participant and eavesdrop on messages sent to any participant. Another way to
achieve the same end is for the adversary to tamper with the records kept by the authority.
Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory. It requires users to know the
public key of the directory authority, and to interact with the authority in real time to obtain any
desired public key securely. Seven messages are required in total.

Figure 3.7 illustrates the public key distribution Scenario

1. A sends a timestamped message to the public-key authority containing a request for the current
public key of B.
2. The authority responds with a message that is encrypted using the authority's private key, PRauth.
Thus, A is able to decrypt the message using the authority's public key and is therefore assured that
the message originated with the authority. The message includes the following:
• B's public key, PUb, which A can use to encrypt messages destined for B.
• The original request, to enable A to match this response with the corresponding earlier request
and to verify that the original request was not altered before reception by the authority.
• The original timestamp, so A can determine that this is not an old message from the authority
containing a key other than B's current public key.
3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA)
and a nonce (N1), which is used to identify this transaction uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's public key.
5. The authority responds to B as it did to A in message 2. At this point, public keys have been securely
delivered to A and B, and they may begin their protected exchange. However, two additional steps are
desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce
generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6)
assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Public-Key Certificates
The public-key authority has drawbacks: a user must appeal to the authority for a public key for every
other user that it wishes to contact, so the authority can become a bottleneck, and the directory of names
and public keys it maintains is vulnerable to tampering.
Public-key certificates can be used to exchange keys without contacting a public-key authority. Figure 3.8
illustrates the exchange of public-key certificates. A certificate binds an identity to a public key, with all
contents signed by a trusted public-key or certificate authority (CA). This can be verified by anyone who
knows the CA's public key. A participant can also convey its key information to another by transmitting
its certificate, and other participants can verify that the certificate was created by the authority. We can
place the following requirements on this scheme:
i. Any participant can read a certificate to determine the name and public key of the certificate's owner.
ii. Any participant can verify that the certificate originated from the certificate authority and is not
counterfeit.
iii. Only the certificate authority can create and update certificates.
iv. Any participant can verify the currency of the certificate.
One scheme has become universally accepted for formatting public-key certificates: the X.509 standard.
X.509 certificates are used in most network security applications, including IP security, secure sockets
layer (SSL), secure electronic transactions (SET), and S/MIME.

Figure 3.8 Public Key Certificates


X.509 CERTIFICATE
➢ An X.509 certificate is a digital certificate that uses the widely accepted international
X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user,
computer or service identity contained within the certificate.
➢ An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an
individual), and is either signed by a certificate authority or self-signed. When a certificate is
signed by a trusted certificate authority, or validated by other means, someone holding that
certificate can rely on the public key it contains to establish secure communications with
another party, or validate documents digitally signed by the corresponding private key.
A certificate is issued by a Certification Authority (CA) and consists of:
• version V (1, 2, or 3)
• serial number SN (unique within the CA) identifying the certificate
• signature algorithm identifier AI
• issuer X.500 name CA
• period of validity TA (from - to dates)
• subject X.500 name A (name of owner)
• subject public-key info Ap (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
• notation CA<<A>> denotes the certificate for A signed by CA

Fig. 4.43 Public-key Certificate


Certificates
➢ The heart of the X.509 scheme is the public-key certificate associated with each user. These
user certificates are assumed to be created by some trusted certification authority (CA) and
placed in the directory by the CA or by the user.
➢ The directory server itself is not responsible for the creation of public keys or for the
certification function. Figure 4.43 illustrates the generation of public key certificates.

➢ Version: Differentiates among successive versions (1, 2, and 3) of the certificate format.
➢ Serial number: An integer value unique within the issuing CA.
➢ Signature algorithm identifier: The algorithm used to sign the certificate together with
any associated parameters.
➢ Issuer name: The name of the CA that created and signed this certificate.
➢ Period of validity: Consists of two dates: the first and last on which the certificate is valid.
➢ Subject name: The name of the user to whom this certificate refers.
➢ Subject's public-key information: The public key of the subject, plus an identifier of the
algorithm for which this key is to be used, together with any associated parameters.
➢ Issuer unique identifier: (optional) used to identify uniquely the issuing CA.
➢ Subject unique identifier: (optional) used to identify uniquely the subject.
➢ Extensions: A set of one or more extension fields.
➢ Signature: Contains the hash code of the other fields encrypted with the CA's private key.
This field includes the signature algorithm identifier.
The standard uses the following notation to define a certificate:
CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}
where
Y<<X>> = the certificate of user X issued by certification authority Y
Y{I} = the signing of I by Y; it consists of I with an encrypted hash code appended
V - version of the certificate
SN - serial number of the certificate
AI - identifier of the algorithm used to sign the certificate
CA - name of the CA
A - name of user A
Ap - public key of user A
TA - period of validity of the certificate
Obtaining a Certificate
➢ Any user with access to the CA can get any certificate from it
➢ Only the CA can modify a certificate
➢ Because certificates cannot be forged, they can be placed in a public directory
CA Hierarchy
➢ If both users share a common CA then they are assumed to know its public key
➢ Otherwise CAs must form a hierarchy
➢ Use certificates linking members of the hierarchy to validate other CAs
⚫ each CA has certificates for clients (forward) and parent (backward)
➢ Each client trusts its parent's certificates
➢ Enables verification of any certificate from one CA by users of all other CAs in the
hierarchy
Certificate Revocation
➢ Certificates have a period of validity
➢ May need to revoke before expiry, e.g.:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
➢ CAs maintain a list of revoked certificates
1. The Certificate Revocation List (CRL), signed by the CA
➢ Users should check certificates against the CA's CRL, and verify the CRL's signature before
trusting it.
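The certificate notation CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}, the CA hierarchy walk and the CRL check, in one runnable toy, as an added example that is not code from the lecture notes. It assumes a toy Schnorr signature over a roughly 90-bit prime-order subgroup that the module finds at import time with the Miller-Rabin test from the primality-testing section (insecure, for illustration only), SHA-256 as the hash, plain strings instead of X.500 names, and dates as YYYYMMDD integers. Signatures are over the JSON encoding of all fields, which plays the role of DER here.

```python
import hashlib
import json
import random

Q = 2**89 - 1   # order of the signing subgroup (a Mersenne prime)

def is_probable_prime(n, rounds=20, rng=random.Random(0)):
    """Miller-Rabin, the probabilistic primality test of Unit-3."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_group():
    """Smallest even k with p = kQ + 1 prime; g then generates the order-Q subgroup."""
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    g = next(pow(h, k, p) for h in range(2, 1000) if pow(h, k, p) != 1)
    return p, g

P, G = _find_group()

def H(*parts):
    """Hash of all fields as an integer mod Q (fields are JSON-serialised)."""
    return int.from_bytes(hashlib.sha256(json.dumps(parts, sort_keys=True).encode()).digest(), "big") % Q

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                 # (private, public)

def sign(x, msg, rng):
    r = rng.randrange(1, Q)
    e = H(pow(G, r, P), msg)
    return [e, (r - x * e) % Q]

def verify(y, msg, sig):
    e, s = sig
    return H(pow(G, s, P) * pow(y, e, P) % P, msg) == e

def issue(issuer, issuer_priv, subject, subject_pub, serial, valid_from, valid_to, rng):
    """CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}: every field is under the signature."""
    tbs = {"V": 3, "SN": serial, "AI": "toy-schnorr-sha256", "CA": issuer,
           "TA": [valid_from, valid_to], "A": subject, "Ap": subject_pub}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs, rng)}

def issue_crl(issuer, issuer_priv, revoked, rng):
    body = {"issuer": issuer, "revoked": sorted(revoked)}
    return {"body": body, "sig": sign(issuer_priv, body, rng)}

def validate(cert, certs_by_name, crls_by_issuer, root_pub, today):
    """Walk up the hierarchy to the trust anchor; return 'ok' or the first defect."""
    for _ in range(8):                     # bound the chain length (guards against loops)
        tbs, issuer = cert["tbs"], cert["tbs"]["CA"]
        if issuer == tbs["A"]:             # self-signed: acceptable only as the trust anchor
            issuer_pub = root_pub if tbs["Ap"] == root_pub else None
        else:
            issuer_pub = certs_by_name[issuer]["tbs"]["Ap"] if issuer in certs_by_name else None
        if issuer_pub is None:
            return "no trusted certificate for issuer " + issuer
        if not verify(issuer_pub, tbs, cert["sig"]):
            return "bad signature on " + tbs["A"]
        if not tbs["TA"][0] <= today <= tbs["TA"][1]:
            return tbs["A"] + " outside validity period"
        crl = crls_by_issuer.get(issuer)
        if crl is None or not verify(issuer_pub, crl["body"], crl["sig"]):
            return "no valid CRL from " + issuer
        if tbs["SN"] in crl["body"]["revoked"]:
            return "%s (serial %d) is revoked" % (tbs["A"], tbs["SN"])
        if issuer == tbs["A"]:
            return "ok"
        cert = certs_by_name[issuer]       # continue with the issuer's own certificate
    return "chain too long"

def demo(today=20240601):
    """Root -> Inter -> {A, B}; B is revoked, and a tampered copy of A's certificate."""
    rng = random.Random(42)
    root_priv, root_pub = keygen(rng)
    int_priv, int_pub = keygen(rng)
    alice_pub, bob_pub = keygen(rng)[1], keygen(rng)[1]
    certs = {"Root": issue("Root", root_priv, "Root", root_pub, 1, 20200101, 20301231, rng),
             "Inter": issue("Root", root_priv, "Inter", int_pub, 2, 20220101, 20261231, rng)}
    alice = issue("Inter", int_priv, "A", alice_pub, 1001, 20240101, 20241231, rng)
    bob = issue("Inter", int_priv, "B", bob_pub, 1002, 20240101, 20241231, rng)
    crls = {"Root": issue_crl("Root", root_priv, [], rng),
            "Inter": issue_crl("Inter", int_priv, [1002], rng)}   # B's private key was compromised
    tampered = json.loads(json.dumps(alice))
    tampered["tbs"]["Ap"] = bob_pub                                  # re-bind the key, keep the signature
    return {"alice": validate(alice, certs, crls, root_pub, today),
            "bob": validate(bob, certs, crls, root_pub, today),
            "alice_expired": validate(alice, certs, crls, root_pub, 20250301),
            "alice_tampered": validate(tampered, certs, crls, root_pub, today)}
```

The walk mirrors the forward/backward certificate idea: each certificate is verified with the public key taken from its issuer's certificate, and that certificate is in turn checked one level up, so nothing is trusted until the chain reaches the self-signed root whose key the verifier already holds. The CRL is verified with the issuing CA's key before its serial numbers are consulted, which is the step that makes a tampered CRL as useless to an attacker as a tampered certificate.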
UNIT-5

CLASSIFICATION OF CYBER CRIME:

1. Cyber Terrorism –
Cyber terrorism is the use of computers and the Internet to carry out violent acts that result in loss of life or
threaten it, by attacking either the software or the hardware on which people depend. In general, cyber terrorism
can be defined as an act of terrorism committed through the use of cyberspace or computer resources.

2. Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is subjected to, or threatened with,
repeated denial-of-service or other attacks by malicious hackers, who demand large sums of money in return for
stopping the attacks and for "protection" against future ones.
3. Cyber Warfare –
Cyber warfare is the use or targeting of computers, online control systems and networks in a battlespace or
warfare context. It involves both offensive and defensive operations concerning the threat of cyber attacks,
espionage and sabotage.

4. Internet Fraud –
Internet fraud is a type of fraud or deceit which makes use of the Internet and may include hiding information
or providing incorrect information for the purpose of deceiving victims out of money or property. Internet fraud
is not considered a single, distinctive crime but covers a range of illegal and illicit actions that are committed
in cyberspace.
5. Cyber Stalking –
This is a kind of online harassment in which the victim is subjected to a barrage of online messages and
emails. In many cases the stalkers know their victims and use the Internet instead of stalking them offline. If
they notice that cyber stalking is not having the desired effect, they may add offline stalking to make the
victims' lives more miserable.

CHALLENGES OF CYBER CRIME:

1. People are unaware of their cyber rights –
Cyber crime often targets people who are unaware of the cyber rights and remedies provided by the
government of their country, so they neither recognise an offence nor know how to report it.

2. Anonymity –
Those who commit cyber crime can hide their identity, which makes attribution, and therefore any action
against the offender, difficult.

3. Few cases registered –
Every country faces the challenge of cyber crime, and its rate is increasing day by day, yet many victims
never register a case. This under-reporting is a major challenge for victims as well as for the authorities.

4. Mostly committed by well-educated people –
Committing a cyber crime is not within every individual's reach. The person who commits cyber crime is
usually technically skilled, and so knows how to commit the crime without being caught by the authorities.

5. No harsh punishment –
Cyber crime does not carry a harsh punishment in every case. Some cases, such as cyber terrorism, are punished
harshly, but in other cases the punishment is mild, and this too encourages offenders.
Prevention of Cyber Crime:
Below are some points by means of which we can prevent cyber crime:
1. Use strong passwords –
Maintain a different password and username combination for each account and resist the temptation to
write them down. Weak passwords can be easily cracked using attacks such as brute force or rainbow tables,
so make them complex: a combination of letters, numbers and special characters.

2. Use trusted antivirus on devices –
Always use trustworthy, up-to-date antivirus software on mobile devices and personal computers. This helps
prevent different kinds of malware from infecting the devices.

3. Keep social media private –
Restrict the visibility of your social media accounts to your friends, and make sure only to accept friend
requests from people you know.

4. Keep your device software updated –
Whenever an update for the system software is available, install it at once, because the previous version
may contain flaws that are easily attacked.

5. Use a secure network –
Public Wi-Fi networks are vulnerable. Avoid conducting financial or corporate transactions on these networks.

6. Never open attachments in spam emails –
A common way for a computer to be infected by malware and other forms of cybercrime is via email
attachments in spam emails. Never open an attachment from a sender you do not know.

7. Keep the operating system updated – The operating system should be updated regularly, because
cybercriminals exploit known flaws in out-of-date systems.

NETWORK ACCESS CONTROL (NAC)

Network access control (NAC) is an umbrella term for managing access to a network. NAC authenticates
users logging into the network and determines what data they can access and actions they can perform.
NAC also examines the health of the user's computer or mobile device (the endpoints).
Elements of a Network Access Control System

NAC systems deal with three categories of components:

• Access requestor (AR): The AR is the node that is attempting to access the network and may be any device
that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled
devices. ARs are also referred to as supplicants, or simply, clients.
• Policy server: Based on the AR's posture and an enterprise's defined policy, the policy server determines
what access should be granted. The policy server often relies on backend systems, including antivirus, patch
management, or a user directory, to help determine the host's condition.
• Network access server (NAS): The NAS functions as an access control point for users in remote locations
connecting to an enterprise's internal network. Also called a media gateway, a remote access server (RAS),
or a policy server, an NAS may include its own authentication services or rely on a separate authentication
service from the policy server.
Figure 16.1 is a generic network access diagram. A variety of different ARs seek access to an enterprise network
by applying to some type of NAS. The first step is generally to authenticate the AR. Authentication typically
involves some sort of secure protocol and the use of cryptographic keys.



Authentication may be performed by the NAS, or the NAS may mediate the authentication process. In the
latter case, authentication takes place between the supplicant and an authentication server that is part of the policy
server or that is accessed by the policy server. The authentication process serves a number of purposes. It verifies a
supplicant’s claimed identity, which enables the policy server to determine what access privileges, if any, the AR
may have. The authentication exchange may result in the establishment of session keys to enable future secure
communication between the supplicant and resources on the enterprise network.

Network Access Enforcement Methods

Enforcement methods are the actions that are applied to ARs to regulate access to the
enterprise network. Many vendors support multiple enforcement methods simultaneously, allowing the customer to
tailor the configuration by using one or a combination of methods.
The following are common NAC enforcement methods.
■ IEEE 802.1X: This is a link layer protocol that enforces authorization before a port is assigned an IP address. IEEE
802.1X makes use of the Extensible Authentication Protocol (EAP) for the authentication process. Sections 16.2 and
16.3 cover the Extensible Authentication Protocol and IEEE 802.1X, respectively.
■ Virtual local area networks (VLANs): In this approach, the enterprise network, consisting of an interconnected set
of LANs, is segmented logically into a number of virtual LANs. The NAC system decides to which of the network's
VLANs it will direct an AR, based on whether the device needs security remediation, Internet access only, or some
level of network access to enterprise resources. VLANs can be created dynamically and VLAN membership, of both
enterprise servers and ARs, may overlap. That is, an enterprise server or an AR may belong to more than one VLAN.
■ Firewall: A firewall provides a form of NAC by allowing or denying network traffic between an enterprise host and
an external user. Firewalls are discussed in Chapter 23.
■ DHCP management: The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that enables dynamic
allocation of IP addresses to hosts. A NAC-aware DHCP server intercepts DHCP requests and assigns IP addresses
according to policy. Thus, NAC enforcement occurs at the IP layer based on subnet and IP assignment. A DHCP server
is easy to install and configure, but is subject to various forms of IP spoofing, providing limited security.
There are a number of other enforcement methods available from vendors. The ones in the
preceding list are perhaps the most common, and IEEE 802.1X is by far the most commonly implemented solution.
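The policy-server decision that sits behind VLAN enforcement, run over a few constructed posture reports, as an added example that is not code from the lecture notes or from any NAC product. It assumes that the NAS has already reported the 802.1X/EAP authentication result together with the AR's posture (antivirus state, signature age, missing patches) as a dictionary, and the VLAN numbers, role names and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed values for this example, not taken from the notes.
GUEST_VLAN, REMEDIATION_VLAN = 800, 900
ROLE_VLANS = {"staff": 100, "server": 200, "printer": 300}
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Decision:
    vlan: Optional[int]          # None means the port is left unauthorized
    reasons: List[str]


def evaluate_posture(ar: dict) -> List[str]:
    """The checks a policy server runs against the AR's posture report."""
    problems = []
    if not ar.get("av_running"):
        problems.append("antivirus not running")
    if ar.get("av_signature_age_days", 10**6) > MAX_SIGNATURE_AGE_DAYS:
        problems.append("antivirus signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    missing = ar.get("missing_critical_patches", 0)
    if missing:
        problems.append("%d critical patches missing" % missing)
    return problems


def decide(ar: dict) -> Decision:
    """Identity first (802.1X/EAP result), then posture, then role -> VLAN."""
    if not ar.get("authenticated"):
        return Decision(None, ["802.1X authentication failed: port stays unauthorized"])
    role = ar.get("role")
    if role not in ROLE_VLANS:
        return Decision(GUEST_VLAN, ["unknown role %r: Internet-only access" % role])
    if not ar.get("agent_present"):
        # Agentless devices (printers, cameras) cannot report posture: confine them
        # to their narrow role VLAN and never grant a general-purpose one.
        if role == "printer":
            return Decision(ROLE_VLANS[role], ["agentless device confined to printer VLAN"])
        return Decision(REMEDIATION_VLAN, ["no posture agent on a %s device" % role])
    problems = evaluate_posture(ar)
    if problems:
        return Decision(REMEDIATION_VLAN, problems)
    return Decision(ROLE_VLANS[role], ["posture compliant"])


# Constructed posture reports, as the NAS would relay them to the policy server.
SAMPLE_ARS = {
    "laptop-ok": {"authenticated": True, "role": "staff", "agent_present": True,
                  "av_running": True, "av_signature_age_days": 2, "missing_critical_patches": 0},
    "laptop-stale": {"authenticated": True, "role": "staff", "agent_present": True,
                     "av_running": True, "av_signature_age_days": 30, "missing_critical_patches": 3},
    "printer": {"authenticated": True, "role": "printer", "agent_present": False},
    "visitor": {"authenticated": True, "role": "contractor", "agent_present": True,
                "av_running": True, "av_signature_age_days": 1, "missing_critical_patches": 0},
    "rogue": {"authenticated": False, "role": "staff", "agent_present": True},
}


def run_samples() -> dict:
    """Maps each sample AR to the VLAN it would be placed in (None = denied)."""
    return {name: decide(ar).vlan for name, ar in SAMPLE_ARS.items()}
```

The ordering matters: a claimed role or posture is only considered after the NAS has confirmed the supplicant's identity, and a device that cannot prove its posture is never promoted to a general-purpose VLAN on the strength of a self-reported role. The reasons list is what the remediation portal would show the user.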
CLOUD SECURITY
The Cloud Security Alliance lists the following as the top cloud-specific security threats, together
with suggested countermeasures (CP denotes the cloud provider):
• Abuse and nefarious use of cloud computing: For many CPs, it is relatively easy to register
and begin using cloud services, some even offering free limited trial periods. This enables
attackers to get inside the cloud to conduct various attacks, such as spamming, malicious
code attacks, and denial of service. PaaS providers have traditionally suffered most from this
kind of attack; however, recent evidence shows that hackers have begun to target IaaS
vendors as well. The burden is on the CP to protect against such attacks, but cloud service
clients must monitor activity with respect to their data and resources to detect any malicious
behavior.
Countermeasures include (1) stricter initial registration and validation processes; (2)
enhanced credit card fraud monitoring and coordination; (3) comprehensive introspection of
customer network traffic; and (4) monitoring public blacklists for one's own network blocks.
• Insecure interfaces and APIs: CPs expose a set of software interfaces or APIs that customers
use to manage and interact with cloud services. The security and availability of general
cloud services are dependent upon the security of these basic APIs. From authentication and
access control to encryption and activity monitoring, these interfaces must be designed to
protect against both accidental and malicious attempts to circumvent policy.
Countermeasures include (1) analyzing the security model of CP interfaces; (2) ensuring that
strong authentication and access controls are implemented in concert with encrypted
transmission; and (3) understanding the dependency chain associated with the API.
• Malicious insiders: Under the cloud computing paradigm, an organization relinquishes
direct control over many aspects of security and, in doing so, confers an unprecedented level
of trust onto the CP. One grave concern is the risk of malicious insider activity. Cloud
architectures necessitate certain roles that are extremely high risk. Examples include CP
system administrators and managed security service providers.
Countermeasures include the following: (1) enforce strict supply chain management and
conduct a comprehensive supplier assessment; (2) specify human resource requirements as
part of the legal contract; (3) require transparency into overall information security and
management practices, as well as compliance reporting; and (4) determine security breach
notification processes.
• Shared technology issues: IaaS vendors deliver their services in a scalable way by sharing
infrastructure. Often, the underlying components that make up this infrastructure (CPU
caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant
architecture. CPs typically approach this risk by the use of isolated virtual machines for
individual clients. This approach is still vulnerable to attack, by both insiders and outsiders,
and so can only be a part of an overall security strategy.
Countermeasures include the following: (1) implement security best practices for
installation/configuration; (2) monitor the environment for unauthorized changes/activity; (3)
promote strong authentication and access control for administrative access and operations;
(4) enforce SLAs for patching and vulnerability remediation; and (5) conduct vulnerability
scanning and configuration audits.
• Data loss or leakage: For many clients, the most devastating impact from a security breach
is the loss or leakage of data.
Countermeasures include the following: (1) implement strong API access control; (2)
encrypt and protect the integrity of data in transit; (3) analyze data protection at both design and
run time; and (4) implement strong key generation, storage and management, and
destruction practices.
• Account or service hijacking: Account or service hijacking, usually with stolen
credentials, remains a top threat. With stolen credentials, attackers can often access critical
areas of deployed cloud computing services, allowing them to compromise the
confidentiality, integrity, and availability of those services.
Countermeasures include the following: (1) prohibit the sharing of account credentials
between users and services; (2) leverage strong two-factor authentication techniques where
possible; (3) employ proactive monitoring to detect unauthorized activity; and (4)
understand CP security policies and SLAs.
• Unknown risk profile: In using cloud infrastructures, the client necessarily cedes control to
the CP on a number of issues that may affect security. Thus the client must pay attention to
and clearly define the roles and responsibilities involved in managing risks. For example,
employees may deploy applications and data resources at the CP without observing the
normal policies and procedures for privacy, security, and oversight.
Countermeasures include (1) disclosure of applicable logs and data; (2) partial/full
disclosure of infrastructure details (e.g., patch levels and firewalls); and (3) monitoring and
alerting on necessary information.
