Assignment No 1

Name: Areeb Yasir

Roll NO: 211128
Subject: Information Security
Department: BS-CYS
Semester: 6th

a) Verification of a Digital Certificate:

When a destination receives a digital certificate from a sender (typically during an SSL/TLS
handshake), it verifies the authenticity of the certificate to ensure trustworthiness. This
verification process involves several steps:

1. Checking the Certificate Authority (CA):

The destination checks if the digital certificate was issued by a trusted Certificate Authority. This
is done by verifying the signature on the certificate using the public key of the CA.

2. Validity Period:
The destination checks if the certificate is within its validity period. If the certificate has expired,
it's considered invalid.

3. Revocation Status:
The destination checks if the certificate has been revoked by the CA. This is usually done by
checking Certificate Revocation Lists (CRLs) or using Online Certificate Status Protocol
(OCSP) responses.

4. Matching Domain:
If the certificate is being used for website authentication, the destination verifies if the domain in
the certificate matches the domain of the website being accessed.

Why it's difficult to generate a fake digital signature:

Digital signatures are generated using asymmetric cryptography, where a private key is used to
sign data, and a corresponding public key is used to verify the signature. The private key is kept
secret by the owner and is never shared. Generating a fake digital signature would require
obtaining the private key, which is computationally infeasible with current cryptographic
algorithms, assuming proper key management practices are followed.

b) SSL/TLS Session for Protecting Multiple TCP Connections:

In SSL/TLS, multiple TCP connections can be protected by a single SSL session through a
feature called session resumption. When a client and server establish an SSL connection for the
first time, they negotiate cryptographic parameters and exchange cryptographic keys. After the
initial handshake, the session parameters are cached by both client and server.

Advantages:
- Reduced overhead: Subsequent connections between the same client and server can resume the
session without renegotiating parameters, reducing the overhead of establishing new
connections.
- Faster connection setup: Resuming a session is faster than establishing a new one since it skips
the negotiation of cryptographic parameters.
- Efficient resource usage: Session resumption reduces the computational and network resources
required for establishing secure connections, which can be beneficial for high-traffic websites.

Disadvantages:
- Increased risk if sessions are compromised: If a session's cryptographic keys are compromised,
all subsequent connections that use the same session could also be compromised.
- Limited scalability: Session resumption works well for a small number of clients reconnecting
to the same server, but it may not scale effectively for scenarios with a large number of clients
and servers.
c) Server Responsibility for Cipher Suite Selection:

In SSL communication, the server is responsible for selecting the cipher suite during the
handshake process. This is because the server has the ultimate authority to decide which
cryptographic algorithms and parameters will be used for securing the connection.

Justification for Downgrading Cipher Suites:

A non-malicious server might downgrade the cipher suite offered by the client for compatibility
reasons. For example:
- Legacy client support: The server might downgrade to support older clients that do not support
the latest cryptographic algorithms.
- Interoperability: The server might choose a cipher suite that is compatible with a wider range of
clients, ensuring successful handshakes with various configurations.
- Performance considerations: The server might prioritize cipher suites that offer better
performance or lower computational overhead, especially in resource-constrained environments.

However, it's essential for servers to prioritize security and avoid downgrading to weaker cipher
suites unless absolutely necessary to maintain compatibility.

d) Advantages of CTR over CFB Mode for Stream Data Encryption using AES:

CTR (Counter) mode is often preferred over CFB (Cipher Feedback) mode for stream data
encryption using AES due to several advantages:
- Parallelization: CTR mode allows encryption and decryption to be parallelized, making it more
efficient for processing large streams of data in modern computing architectures.
- Random access: CTR mode supports random access to encrypted data, allowing efficient
manipulation of specific portions of the ciphertext without needing to decrypt the entire stream.
- Error propagation: In CFB mode, errors in the ciphertext propagate through subsequent blocks,
potentially causing synchronization issues. CTR mode does not suffer from this problem as
errors are confined to the affected block.
- Bit-flipping attacks: CFB mode is vulnerable to bit-flipping attacks, where an attacker can
modify the ciphertext to manipulate the plaintext. CTR mode does not have this vulnerability as
it encrypts a unique counter value for each block, making manipulation detectable.

Overall, CTR mode offers better performance, security, and flexibility compared to CFB mode
for stream data encryption using AES.

e) Comparison of Stream and Symmetric Key Modes (ECB, AES, Feistel, etc.):

-ECB (Electronic Codebook):

- Pros: Simple and efficient, suitable for parallel encryption of independent blocks.
- Cons: Vulnerable to plaintext patterns, identical blocks produce identical ciphertext blocks.

- AES (Advanced Encryption Standard):

- Pros: Widely adopted, offers high security with proper key sizes and modes.
- Cons: Limited to block encryption, requires additional modes like CBC or GCM for secure
data transmission.

- Feistel Cipher:
- Pros: Enables encryption and decryption using the same algorithm, allows for the construction
of iterated block ciphers.
- Cons: Slower compared to some other modes due to multiple rounds of processing.

Each mode has its strengths and weaknesses, and the choice depends on factors such as security
requirements, performance considerations, and compatibility with existing systems. AES is a
symmetric block cipher, whereas Feistel ciphers are more generalized structures used for
constructing block ciphers. The choice between them depends on specific cryptographic needs
and system constraints.