Message Authentication Requirements

Uploaded by

Rashi Gupta
Message Authentication Requirements

Authentication Requirements:

• Revelation: It means releasing the content of the message to someone who does not have
an appropriate cryptographic key.

• Analysis of Traffic: Determination of the pattern of traffic through the duration of
connection and frequency of connections between different parties.

• Deception: Adding out of context messages from a fraudulent source into a
communication network. This will lead to mistrust between the parties communicating and
may also cause loss of critical data.

• Modification in the Content: Changing the content of a message. This includes inserting
new information or deleting/changing the existing one.

• Modification in the sequence: Changing the order of messages between parties. This
includes insertion, deletion, and reordering of messages.

• Modification in the Timings: This includes replay and delay of messages sent between
different parties. This way session tracking is also disrupted.

• Source Refusal: When the source denies being the originator of a message.

• Destination refusal: When the receiver of the message denies the reception.

These message authentication functions are divided into three classes:

• Message encryption: While sending data over the internet, there is always a risk of a
man-in-the-middle (MITM) attack. A possible solution for this is to use message encryption. In
message encryption, the data is first converted to ciphertext and then sent onward.
Message encryption can be done in two ways:

1. Symmetric Encryption: Say we have to send the message M from a source P to
destination Q. This message M can be encrypted using a secret key K that both P
and Q share. Without this key K, no other person can get the plain text from the
ciphertext. This maintains confidentiality. Further, Q can be sure that P has sent the
message. This is because other than Q, P is the only party who possesses the key K
and thus the ciphertext can be decrypted only by Q and no one else. This maintains
authenticity. At a very basic level, symmetric encryption looks like this:
2. Public key Encryption: Public key encryption is not as advanced as symmetric
encryption as it provides confidentiality but not authentication. To provide both
authentication and confidentiality, the private key is used.

• Message authentication code (MAC): A message authentication code is a security code
that the user of a computer has to type in order to access any account or portal. These
codes are recognized by the system so that it can grant access to the right user. These
codes help in maintaining information integrity. It also confirms the authenticity of the
message.

• Hash function: A hash function is nothing but a mathematical function that can convert a
numeric value into another numeric value that is compressed. The input to this hash
function can be of any length but the output is always of fixed length. The values that a hash
function returns are called the message digest or hash values.

Measures to deal with these attacks:

Each of the above attacks has to be dealt with differently.

• Message Confidentiality: To prevent the messages from being revealed, care must be
taken during the transmission of messages. For this, the message should be encrypted
before it is sent over the network.

• Message Authentication: To deal with the analysis of traffic and deception issues,
message authentication is helpful. Here, the receiver can be sure of the real sender and his
identity. To do this, these methods can be incorporated:

o Parties should share secret codes that can be used at the time of identity
authentication.

o Digital signatures are helpful in the authentication.

o A third party can be relied upon for verifying the authenticity of parties.

• Digital Signatures: Digital signatures provide help against a majority of these issues. With
the help of digital signatures, content, sequence, and timing of the messages can be easily
monitored. Moreover, it also prevents denial of message transmission by the source.
• Combination of protocols with Digital Signatures: This is needed to deal with the denial
of messages received. Here, the use of digital signature is not sufficient and it additionally
needs protocols to support its monitoring.

Types of Authentication Protocols

User authentication is the first priority when responding to a request made by a user to
a software application. Several mechanisms exist to authenticate the user before access to
the data is granted. In this blog, we will explore the most common authentication protocols
and their merits and demerits.

1. Kerberos :

Kerberos is a protocol that aids in network authentication. It is used for validating clients/servers
on a network using a cryptographic key. It is designed for executing strong authentication
while reporting to applications. The overall implementation of the Kerberos protocol is openly
available from MIT and is used in many mass-produced products.

Some advantages of Kerberos :

• It supports various operating systems.

• The authentication key is shared much more efficiently than public sharing.

Some disadvantages of Kerberos :

• It is used only to authenticate clients and services used by them.

• It shows vulnerability to soft or weak passwords.


Message Digest in Information security
Message Digest is used to ensure the integrity of a message transmitted over an insecure channel
(where the content of the message can be changed). The message is passed through
a Cryptographic hash function. This function creates a compressed image of the message
called Digest.

Let’s assume Alice sent a message and digest pair to Bob. To check the integrity of the message,
Bob runs the cryptographic hash function on the received message and gets a new digest. Now,
Bob compares the new digest with the digest sent by Alice. If both are the same, then Bob is sure that
the original message has not been changed.

This message and digest pair is equivalent to a physical document and fingerprint of a person on
that document. Unlike the physical document and the fingerprint, the message and the digest can
be sent separately.

• Most importantly, the digest should be unchanged during the transmission.

• The cryptographic hash function is a one way function, that is, a function which is
practically infeasible to invert. This cryptographic hash function takes a message of variable
length as input and creates a digest / hash / fingerprint of fixed length, which is used to
verify the integrity of the message.

• Message digest ensures the integrity of the document. To provide authenticity of the
message, digest is encrypted with sender’s private key. Now this digest is called digital
signature, which can be only decrypted by the receiver who has sender’s public key. Now
the receiver can authenticate the sender and also verify the integrity of the sent message.

Example:
The hash algorithm MD5 is widely used to check the integrity of messages. MD5 divides the
message into blocks of 512 bits and creates a 128-bit digest (typically, 32 hexadecimal digits). It is
no longer considered reliable for use, as researchers have demonstrated techniques capable of
easily generating MD5 collisions on commercial computers.
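
The check Bob performs above, as an added example that is not part of the original document. It also shows why the digest itself must arrive unchanged: a plain digest can be recomputed by whoever alters the message, while a digest keyed with a secret shared by Alice and Bob cannot. The messages and key are constructed for the demonstration, SHA-256 is used in place of MD5, and HMAC is an assumed choice for the keyed digest that the document does not name.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Plain message digest (SHA-256, since MD5 is no longer reliable)."""
    return hashlib.sha256(message).hexdigest()


def bob_checks_digest(message: bytes, received_digest: str) -> bool:
    """Bob recomputes the digest and compares it with the one he received."""
    return hmac.compare_digest(digest(message), received_digest)


def keyed_digest(key: bytes, message: bytes) -> str:
    """Digest bound to a secret that only Alice and Bob hold (HMAC-SHA-256)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def bob_checks_keyed_digest(key: bytes, message: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), received_tag)


# Constructed sample data for the demonstration.
ORIGINAL = b"Transfer 100 to account 1234"
ALTERED = b"Transfer 900 to account 9999"
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def run_scenarios() -> dict:
    sent_digest = digest(ORIGINAL)
    sent_tag = keyed_digest(SHARED_KEY, ORIGINAL)
    return {
        # Nothing changed in transit: the check passes.
        "untouched": bob_checks_digest(ORIGINAL, sent_digest),
        # Message changed, digest intact: the change is detected.
        "message_changed_only": bob_checks_digest(ALTERED, sent_digest),
        # Message and plain digest both replaced: the check passes, so a
        # plain digest gives no protection unless it is itself protected.
        "message_and_digest_replaced": bob_checks_digest(ALTERED, digest(ALTERED)),
        # Keyed digest: a changed message is detected.
        "message_changed_keyed": bob_checks_keyed_digest(SHARED_KEY, ALTERED, sent_tag),
        # Keyed digest: a tag computed without the shared key is rejected.
        "tag_replaced_without_key": bob_checks_keyed_digest(
            SHARED_KEY, ALTERED, keyed_digest(b"wrong-key", ALTERED)
        ),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:30s} accepted={accepted}")
```
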
What is PGP?
Pretty Good Privacy (PGP) is an encryption software program designed to ensure the
confidentiality, integrity, and authenticity of digital communications and information. Developed
by Phil Zimmermann in 1991, PGP has emerged as a cornerstone of present-day
cryptography, notably regarded as one of the best methods for securing digital data.

At its core, PGP employs a hybrid cryptographic method, combining symmetric-key and public-key
cryptography techniques. Symmetric-key cryptography entails the use of a single secret key to
both encrypt and decrypt data. Conversely, public-key cryptography utilizes a pair of
mathematically associated keys: a public key, which is freely shared and used for encryption, and a
private key, which is kept secret and used for decryption.

Evolution and Advancement of Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) has undergone extensive evolution and advancement since its
inception in 1991. Developed by Phil Zimmermann, PGP was initially conceived as
a tool to permit secure communication and protect individual privacy in the face of growing
concerns about government surveillance and data interception.

1. Early Development (1991-1996): PGP was first released as freeware, allowing users
to encrypt and decrypt e-mail messages and files using public-key cryptography. This
early version of PGP utilized the RSA algorithm for public-key encryption and the IDEA
cipher for symmetric-key encryption. Despite its groundbreaking capabilities, PGP faced legal
challenges due to export regulations on cryptographic software.

2. International Expansion and Standardization (1996-2000): In 1997, PGP was
acquired by Network Associates Inc. (NAI), which continued its development
and expanded its international presence. During this period, PGP became a de facto
standard for email encryption and digital signatures, with support for multiple platforms
and email clients. The OpenPGP standard, based on the original PGP
protocol, was established to ensure interoperability and compatibility
among different implementations of PGP.

3. Open Source Development (2000-Present): In response to concerns about the proprietary
nature of PGP and the need for transparency and security, the OpenPGP Working Group
was formed to develop an open-source version of PGP. This led to the creation of
GnuPG (GNU Privacy Guard), an open-source implementation of the OpenPGP standard.
GnuPG remains actively maintained and widely used as a free alternative to commercial
PGP software.

4. Modernization and Integration (2000s-Present): PGP has continued to evolve in response
to technological advances and changing security requirements. Modern versions of
PGP provide enhanced features such as support for elliptic curve cryptography (ECC),
improved key management, integration with cloud storage services, and compatibility
with mobile devices. Additionally, PGP has been integrated into various encryption tools,
secure email clients, and enterprise security solutions, expanding its utility and reach.
The following are the services offered by PGP:

1. Authentication

2. Confidentiality

3. Email Compatibility

4. Segmentation

1. Authentication in PGP

Authentication basically means something that is used to validate something as true or real. To
login into some sites sometimes we give our account name and password, that is an authentication
verification procedure.

In the email world, checking the authenticity of an email is nothing but to check whether it actually
came from the person it says. In emails, authentication has to be checked as there are some
people who spoof the emails or some spams and sometimes it can cause a lot of inconvenience.
The Authentication service in PGP is provided as follows:

Authentication in PGP

As shown in the above figure, the Hash Function (H) calculates the hash value of the message. For
hashing, SHA-1 is used, and it produces a 160-bit output hash value. Then, using the
sender’s private key (KPa), the hash value is encrypted, and the result is called the Digital Signature. The message is then
appended to the signature. The process up to this point is sometimes described as signing
the message. Then the message is compressed to reduce the transmission overhead and is sent
over to the receiver.

At the receiver’s end, the data is decompressed and the message and signature are obtained. The
signature is then decrypted using the sender’s public key (PUa) and the hash value is obtained. The
message is again passed to the hash function and its hash value is calculated.

The two values, one from the signature and the other from the fresh output of the hash function, are
compared. If both are the same, it means that the email was actually sent from a known sender and is
legitimate; otherwise it is not.
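
The signing and verification steps described above, as an added example that is not from the original document or from PGP itself. It follows the document's notation (H, KPa, PUa, Z). Assumptions: the RSA key is a toy built from two Mersenne primes and used without padding, zlib stands in for the compression function Z, and the message is constructed sample data.

```python
import hashlib
import zlib

# Toy RSA key (constructed for this example). Mersenne primes make the
# modulus trivially factorable, so this key is for illustration only.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # PUa: public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # KPa: private exponent
SIG_LEN = (N.bit_length() + 7) // 8    # fixed signature length in bytes


def H(message: bytes) -> int:
    """160-bit SHA-1 hash value of the message, as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign_and_compress(message: bytes) -> bytes:
    """Sender: Z( E_KPa[H(M)] || M )."""
    signature = pow(H(message), D, N)                       # hash encrypted with KPa
    packet = signature.to_bytes(SIG_LEN, "big") + message   # signature || M
    return zlib.compress(packet)                            # Z


def decompress_and_verify(blob: bytes):
    """Receiver: Z^-1, recover the hash with PUa, recompute H(M), compare."""
    packet = zlib.decompress(blob)                          # Z^-1
    signature = int.from_bytes(packet[:SIG_LEN], "big")
    message = packet[SIG_LEN:]
    recovered_hash = pow(signature, E, N)                   # decrypt with PUa
    return recovered_hash == H(message), message


def alter_in_transit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Simulates a change to M in transit while the signature is left as sent."""
    packet = zlib.decompress(blob)
    changed = packet[:SIG_LEN] + packet[SIG_LEN:].replace(old, new)
    return zlib.compress(changed)


MESSAGE = b"Meet at 10:00 in room 4"   # constructed sample message

if __name__ == "__main__":
    sent = sign_and_compress(MESSAGE)
    print("genuine :", decompress_and_verify(sent))
    print("altered :", decompress_and_verify(alter_in_transit(sent, b"10:00", b"11:30")))
```
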

2. Confidentiality in PGP

Sometimes we see some packages labelled as ‘Confidential’, which means that those packages are
not meant for all the people and only selected persons can see them. The same applies to the
email confidentiality as well. Here, in the email service, only the sender and the receiver should be
able to read the message, that means the contents have to be kept secret from every other person,
except for those two.
PGP provides that Confidentiality service in the following manner:

Confidentiality in PGP

Then, the session key (Ks) itself gets encrypted through public key encryption (EP) using the receiver’s
public key (KUb). Both the encrypted entities are now concatenated and sent to the receiver.

As you can see, the original message was compressed and then encrypted initially, and hence even
if anyone could get hold of the traffic, they cannot read the contents, as they are not in readable form;
they could only read them if they had the session key (Ks). Even though the session key is transmitted
to the receiver and hence is in the traffic, it is in encrypted form and only the receiver’s private key
(KPb) can be used to decrypt it, and thus our message would be completely safe.

At the receiver’s end, the encrypted key is decrypted using KPb and the message is decrypted with
the obtained session key. Then, the message is decompressed to obtain M.

The RSA algorithm is used for the public-key encryption, and for the symmetric key encryption,
CAST-128 (or IDEA or 3DES) is used.

Practically, both the Authentication and Confidentiality services are provided in parallel as follows :

Authentication and Confidentiality services in PGP

Note:

M – Message

H – Hash Function

Ks – A random Session Key created for Symmetric Encryption purpose

DP – Public-Key Decryption Algorithm

EP – Public-Key Encryption Algorithm

DC – Asymmetric Decryption Algorithm

EC – Symmetric Encryption Algorithm


KPb – A private key of user B used in Public-key encryption process

KPa – A private key of user A used in Public-key encryption process

PUa – A public key of user A used in Public-key encryption process

PUb – A public key of user B used in Public-key encryption process

|| – Concatenation

Z – Compression Function

Z^-1 – Decompression Function

Why Authentication and Confidentiality are important in PGP?

Authentication and confidentiality play pivotal roles in Pretty Good Privacy (PGP), ensuring the
security and integrity of digital communication. Authentication, carried out through digital
signatures, verifies the identity of the sender and safeguards against spoofing and impersonation.
By signing messages with their private key, senders provide recipients with a means to verify the
authenticity of the communication. This authentication mechanism not only fosters trust
among parties but also guarantees message integrity, as digital signatures verify that the
message has not been tampered with during transmission. On the other hand,
confidentiality, facilitated via encryption, protects the content of messages from
unauthorized access. Through encryption algorithms, PGP scrambles the message, rendering it
unreadable to anyone without the decryption key. This ensures that sensitive data stays private
and inaccessible to eavesdroppers and unauthorized parties. Together, authentication and
confidentiality in PGP establish a secure framework for trusted communication, allowing individuals and
organizations to exchange information confidentially and securely while keeping privacy and integrity.

Advantages of PGP

• The primary benefit of PGP encryption lies in its unbreakable algorithm.

• It is regarded as a top technique for improving cloud security and is frequently utilised by
users who need to encrypt their private conversations.

• This is due to PGP’s ability to prevent hackers, governments, and nation-states from
accessing files or emails that are encrypted with PGP.

Disadvantage of PGP

• The main drawback of PGP encryption is that it is usually not intuitive to use. PGP requires
time and effort to fully encrypt data and files, which might make messaging more difficult
for users. If an organization is thinking about deploying PGP, it has to train its employees.

• It is imperative that users comprehend the intricacies of the PGP system to prevent
unintentionally weakening their security measures. This may occur from using PGP
incorrectly or from losing or corrupting keys, endangering other users in situations where
security is at an extreme.
• Absence of anonymity: PGP encrypts user messages but does not provide users with any
anonymity. This makes it possible to identify the source and recipient of emails sent using a
PGP solution.

Introduction to Email Security


Email (short for electronic mail) is a digital method we use to exchange messages between
people over the internet or other computer networks. With the help of this, we can send and receive
text-based messages, often with an attachment such as documents, images, or videos, from one person
or organization to another. In this article, we will understand the concept of email security, how we
can protect our email, email security policies, email security best practices, and one of the
features of email that we can use to protect email from unauthorized access.

What is Email Security?

Basically, email security refers to the steps we take to protect email messages and the
information that they contain from unauthorized access and damage. It involves ensuring the
confidentiality, integrity, and availability of email messages, as well as safeguarding against
phishing attacks, spam, viruses, and other forms of malware. It can be achieved through a
combination of technical and non-technical measures.

Some standard technical measures include the encryption of email messages to protect their
contents, the use of digital signatures to verify the authenticity of the sender, and email filtering
systems to block unwanted emails and malware. The non-technical measures may include
training employees on how to recognize and respond to phishing attacks and other email security
threats, establishing policies and procedures for email use and management, and conducting
regular security audits to identify and address vulnerabilities.

What is VPN and How It Works?


VPN is a mechanism of employing encryption, authentication, and integrity protection so that we
can use a public network as if it were a private network. It offers a high amount of security and allows
users to remotely access private networks. In this article, we will cover every point about virtual
private networks.
What is a VPN?

A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a
less secure network, such as the Internet. A Virtual Private Network is a way to extend a private
network using a public network such as the Internet. The name itself suggests that it is a “Virtual
Private Network”, i.e. a user can be part of a local network while sitting at a remote location. It makes use of
tunneling protocols to establish a secure connection.

History of VPNs

ARPANET introduced the idea of connecting distant computers in the 1960s. The foundation for
current internet connectivity was established through the development of protocols
like TCP/IP in the 1980s. Particular VPN technologies first appeared in the 1990s in response to the
growing concerns about online privacy and security.

Need for VPN

It could easily be said that VPNs are a necessity since privacy, security, and free internet access
should be everybody’s right. First, they establish secure access to the corporate networks for
remote users; then, they secure the data during the transmission and, finally, they help users to
avoid geo-blocking and censorship. VPNs are highly useful for protecting data on open Wi-Fi, for
privacy, and preventing one’s ISP from throttling one’s internet connection.

How Does a VPN Work?

Let us understand VPN with an example. Think of a situation where the corporate office of a bank is
situated in Washington, USA. This office has a local network consisting of, say, 100 computers.
Suppose other branches of the bank are in Mumbai, India, and Tokyo, Japan. The traditional method
of establishing a secure connection between the head office and a branch was to have a leased
line between the branches and the head office, which was a very costly as well as troublesome job. VPN
lets us effectively overcome this issue.

The situation is described below

• All 100 computers of the corporate office in Washington are connected to the VPN
server (which is a well-configured server containing a public IP address and a switch to
connect all computers present in the local network, i.e. in the US head office).

• The person sitting in the Mumbai office connects to the VPN server using a dial-up window
and the VPN server returns an IP address that belongs to the series of IP addresses
belonging to the local network of the corporate office.

• Thus the person from the Mumbai branch becomes local to the head office and information can
be shared securely over the public internet.

• So this is the intuitive way of extending the local network even across the geographical
borders of the country.

Now we typed “What is my IP address?” Amazingly, the IP address changed to 45.79.66.125, which
belongs to the USA. And since Spotify works well in the US, we can use it now while being in India (virtually
in the USA). Is not that good? Obviously, it is very useful.

• VPN also ensures security by providing an encrypted tunnel between the client and the VPN
server.

• VPN is used to bypass many blocked sites.

• VPN facilitates Anonymous browsing by hiding your IP address.

• Also, the most appropriate Search engine optimization (SEO) is done by analyzing the data
from VPN providers which provide country-wise statistics of browsing a particular product.

• VPNs encrypt your internet traffic, safeguarding your online activities from potential
eavesdropping and cyber threats, thereby enhancing your privacy and data protection.

Characteristics of VPN

• Encryption: VPNs employ several encryption standards to maintain the confidentiality of
the transmitted data so that, even if intercepted, it can’t be understood.

• Anonymity: VPN effectively hides the user’s IP address, thus offering anonymity and
making tracking by websites or other third parties impossible.

• Remote Access: VPNs provide the means for secure remote connection to business
networks, thus fostering employee productivity through remote working.

• Geo-Spoofing: The user can also change the IP address to another country using the VPN,
hence breaking the regional restrictions of some sites.

• Data Integrity: VPNs make sure that the data communicated in the network arrives in the exact
form in which it was sent and is not manipulated in any way.

Birthday attack in Cryptography


Birthday attack is a type of cryptographic attack that belongs to a class of brute force attacks. It
exploits the mathematics behind the birthday problem in probability theory. The success of this
attack largely depends upon the higher likelihood of collisions found between random attack
attempts and a fixed degree of permutations, as described in the birthday paradox problem.

Birthday paradox problem –


Let us consider the example of a classroom of 30 students and a teacher. The teacher wishes to
find pairs of students that have the same birthday. Hence the teacher asks for everyone’s birthday
to find such pairs. Intuitively this value may seem small. For example, if the teacher fixes a
particular date, say October 10, then the probability that at least one student is born on that day is
$1 - (364/365)^{30}$, which is about 7.9%. However, the probability that at least one student has the same
birthday as any other student is around 70% using the following formula:

$1 - \dfrac{365!}{(365 - n)! \cdot 365^{n}}$ (substituting n = 30 here)

Derivation of the above term:

Assumptions –
1. Assuming a non leap year(hence 365 days).
2. Assuming that a person has an equally likely chance of being born on any day of the year.
Let us consider n = 2.
P(Two people have the same birthday) = 1 – P(Two people having different birthday)
= 1 – (365/365)*(364/365)
= 1 – 1*(364/365)
= 1 – 364/365
= 1/365.
So for n people, the probability that all of them have different birthdays is:
$P(\text{n people having different birthdays}) = \dfrac{365}{365} \cdot \dfrac{365-1}{365} \cdot \dfrac{365-2}{365} \cdots \dfrac{365-n+1}{365}$
$= \dfrac{365!}{(365-n)! \cdot 365^{n}}$

Hash function –
A hash function H is a transformation that takes a variable sized input m and returns a fixed size
string called a hash value(h = H(m)). Hash functions chosen in cryptography must satisfy the
following requirements:
• The input is of variable length,

• The output has a fixed length,

• H(x) is relatively easy to compute for any given x,

• H(x) is one-way,

• H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where “hard to invert” means that given
a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

If, given a message x, it is computationally infeasible to find a message y not equal to x such
that H(x) = H(y) then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible to find any
two messages x and y such that H(x) = H(y).

Let $H: M \to \{0, 1\}^n$ be a hash function ($|M| \gg 2^n$).

Following is a generic algorithm to find a collision in time $O(2^{n/2})$ hashes.

Algorithm:

1. Choose $2^{n/2}$ random messages in M: $m_1, m_2, \ldots, m_{2^{n/2}}$

2. For $i = 1, 2, \ldots, 2^{n/2}$ compute $t_i = H(m_i) \in \{0, 1\}^n$

3. Look for a collision ($t_i = t_j$). If not found, go back to step 1

We consider the following experiment. From a set of H values, we choose n values uniformly at
random thereby allowing repetitions. Let p(n; H) be the probability that during this experiment at
least one value is chosen more than once. This probability can be approximated as:

$p(n; H) = 1 - \dfrac{365-1}{365} \cdot \dfrac{365-2}{365} \cdots \dfrac{365-n+1}{365}$

$p(n; H) \approx 1 - e^{-n(n-1)/(2H)} \approx 1 - e^{-n^2/(2H)}$
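
The birthday formula and the generic collision search above, as an added example that is not part of the original document. It evaluates the exact product and the exponential approximation, then runs the search against SHA-256 truncated to a few bits to show why a digest of n bits offers only about n/2 bits of collision resistance. Assumptions: the truncation helper and function names are hypothetical, and sequential messages replace random ones so the run is reproducible.

```python
import hashlib
import math


def p_exact(n: int, H: int = 365) -> float:
    """1 - (H/H) * ((H-1)/H) * ... * ((H-n+1)/H): at least one repeat among n draws."""
    p_all_different = 1.0
    for i in range(n):
        p_all_different *= (H - i) / H
    return 1.0 - p_all_different


def p_approx(n: int, H: int = 365) -> float:
    """Exponential approximation 1 - e^{-n(n-1)/(2H)}."""
    return 1.0 - math.exp(-n * (n - 1) / (2 * H))


def truncated_hash(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a hash with a short digest."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash messages until two share a digest; returns (m_i, m_j, hashes computed).

    A table of digests already seen makes step 3 (look for t_i = t_j) a
    constant-time lookup, so the cost is dominated by the hashing itself.
    """
    seen = {}
    counter = 0
    while True:
        message = b"msg-%d" % counter      # constructed, sequential messages
        t = truncated_hash(message, bits)
        if t in seen:
            return seen[t], message, counter + 1
        seen[t] = message
        counter += 1


if __name__ == "__main__":
    print(f"classroom of 30: exact={p_exact(30):.4f} approx={p_approx(30):.4f}")
    for bits in (16, 24, 32):
        m1, m2, tried = find_collision(bits)
        print(f"{bits}-bit digest: collision after {tried} hashes "
              f"(2^(n/2) = {2 ** (bits // 2)}): {m1!r} / {m2!r}")
```

The number of hashes needed grows with the square root of the digest space, which is why digest lengths are chosen at twice the intended security level.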
