Cns 4,5,6

Uploaded by Sailaja Sailu

UNIT-IV

Data Integrity, Digital Signature Schemes & Key Management

Message Integrity and Message Authentication, Cryptographic Hash Functions, Digital Signature, Key Management.

Message Integrity and Message Authentication

1. Message Integrity:
The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not
integrity.
However, there are occasions where we may not even need secrecy but instead must have
integrity (assurance that the data has not been changed).

Document and Fingerprint:


One way to preserve the integrity of a document is through the use of a fingerprint.
If Alice needs to be sure that the contents of her document will not be changed, she can put her
fingerprint at the bottom of the document.

Message and Message Digest:


The electronic equivalent of the document and fingerprint pair is the message and message digest pair.
To preserve the integrity of a message, the message is passed through an algorithm called a
cryptographic hash function, which produces the message digest.

Difference:
The two pairs (document / fingerprint) and (message / message digest) are similar, with some
differences.
The document and fingerprint are physically linked together. The message and message digest
can be sent separately (they are not linked), and, most importantly, the message digest needs to be
kept safe from change.
Note: The message digest needs to be safe from change; if an attacker can replace both the message and its digest, the digest proves nothing.

Checking Integrity:

Cryptographic Hash Function Criteria:


A cryptographic hash function must satisfy three criteria:
1. Pre-image Resistance
2. Second Pre-image Resistance
3. Collision Resistance
Preimage Resistance: The hash function must be a one-way function: for any given digest y = h(x), it is
computationally infeasible to find x (i.e., to compute h^-1(y)).

Second Preimage Resistance: In this criterion, an adversary is provided with the value of
x and is asked to compute a value x1 ≠ x such that h(x) = h(x1).
If it is difficult for the attacker to perform this computation, we claim that the hash
function is second pre-image resistant.

Collision Resistance: A collision of a hash function is the event when two values x and
x1, with x1 ≠ x, hash to the same value, i.e., h(x) = h(x1). The hash function is collision
resistant if it is infeasible for an adversary to find any such pair.
Random Oracle Model:

2. Message Authentication:
• A message digest guarantees the integrity of a message. It guarantees that the
message has not been changed.
• A message digest does not authenticate the sender of the message.
• When Alice sends a message to Bob, Bob needs to know if the message
is coming from Alice.
• To provide message authentication, Alice needs to provide proof that it is Alice
sending the message and not an impostor.
• The digest created by a cryptographic hash function is normally called a
Modification Detection Code (MDC). This code can detect any
modification in the message.
• What we need for message authentication is a Message Authentication Code
(MAC).

Modification Detection Code (MDC):

• A modification detection code (MDC) is a message digest that can prove the
integrity of the message: that the message has not been changed.
• If Alice needs to send a message to Bob and be sure that the message
will not change during transmission,
Alice can create a message digest, the MDC, and send both the message and the
MDC to Bob. Bob can create a new MDC from the message and compare the
received MDC with the new MDC. If they are the same, the message has not been
changed.
Message Authentication Code (MAC):
• To ensure the integrity of a message and the data origin authentication, we
need to change a modification detection code (MDC) into a Message
Authentication Code (MAC).
• The difference between an MDC and a MAC is that the second includes a
secret key shared between Alice and Bob.

MAC Security
How can Eve forge a message without having the key?
1. If the size of the key allows an exhaustive search, Eve may try all possible
keys to digest the message.
2. Use a preimage attack on the hash function.
3. Given some pairs of messages and their MACs, Eve can
manipulate them to come up with a new message and its digest.
Note: The security of a MAC depends on the security of the underlying hash algorithm.

Nested MAC:
• To improve MAC security, nested MACs were designed in which hashing is performed
twice.
• In the 1st step, the key is concatenated with the message and is hashed to
create an intermediate digest.
• In the 2nd step, the key is concatenated with the intermediate digest and hashed again to create the final digest.
HMAC (Hashed MAC):
• HMAC stands for Hashed or Hash-based Message Authentication Code.
• It uses the hashing concept twice, so it is highly resistant to attacks.
• HMAC combines the benefits of hashing and of a MAC.
• The working of HMAC starts with taking a message M containing blocks of length b
bits.
• An input signature (derived from the key) is prepended to the message and the whole is given as
input to a hash function, which gives us an intermediate HMAC.
• The intermediate HMAC is in turn appended to an output signature (also derived from the key) and the whole is
hashed again; the result is our final HMAC of n bits.
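The two-step construction described above, written out as an added example (not code from these notes). It builds HMAC-SHA256 as specified in RFC 2104: the padded key XORed with the ipad byte 0x36 is the "input signature", the key XORed with the opad byte 0x5C is the "output signature", and the receiver compares tags in constant time. The standard-library hmac module is used only to cross-check the result.

```python
import hashlib
import hmac  # standard library; used here only to cross-check the hand-built construction

BLOCK_SIZE = 64  # b = 512 bits: the input block size of SHA-256
IPAD = 0x36      # inner padding byte (RFC 2104)
OPAD = 0x5C      # outer padding byte (RFC 2104)


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 built from two hash invocations, as described in the notes above."""
    # A key longer than one block is first reduced to its hash; a shorter key is
    # padded on the right with zero bytes to exactly b bits.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # The "input signature" and "output signature" are the padded key XORed with ipad/opad.
    inner_key = bytes(k ^ IPAD for k in key)
    outer_key = bytes(k ^ OPAD for k in key)
    # Step 1: inner key prepended to the message, hashed -> intermediate HMAC.
    intermediate = hashlib.sha256(inner_key + message).digest()
    # Step 2: outer key prepended to the intermediate digest, hashed -> final n-bit HMAC.
    return hashlib.sha256(outer_key + intermediate).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time (no early exit on mismatch)."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's own HMAC implementation."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()
```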
CMAC (Cipher based MAC)

• This is similar to CBC (Cipher Block Chaining).
• It takes N blocks of message but creates one block of MAC.
• The message is divided into N blocks of m-bit size. If the last block is not m bits long, it is
padded with a single 1 bit followed by 0s, like 100000….
• The first block is encrypted with key K, then its output is XORed with the next block before the
2nd encryption, and so on.
• The last block is encrypted with an additional key value (derived from K) for more security.

Cryptographic Hash Functions


A cryptographic hash function takes a message of arbitrary length and
creates a message digest of fixed length, also called a hash.

A cryptographic hash function H accepts a variable-length block of data M as input and
produces a fixed-size hash value.

Two of the most promising cryptographic hash algorithms are:

• SHA-512
• Whirlpool

Iterated Hash Function


All cryptographic hash functions need to create a fixed-size digest out of a variable-size
message. In practice, the hash function is a fixed-size-input function that is applied a number of
times (iterated) over the message.
This fixed-size hash function is referred to as a compression function: it compresses an m-bit input string to an n-bit
output string (with m > n).

Merkle-Damgard Scheme

• This is an iterated hash function that is collision resistant if the compression function is collision resistant.
• This is the basis for many cryptographic hash functions today.
• The message is divided into t blocks of n-bit size. If necessary, some bits are padded.
• The blocks are M1, M2, …, Mt and the digests created at each compression function are
H1, H2, …, Ht.
• Before starting the iteration, the digest H0 is set to a fixed value called the IV (initial value
or initial vector).
The compression function operates on Hi-1 and Mi to create a new Hi: Hi = f(Hi-1, Mi), where f is the
compression function. The final digest is Ht.

Hash Functions Invention

• Several hash functions were designed by Ron Rivest.
• These are MD (Message Digest), MD2, MD4, and MD5.
• MD5 takes blocks of size 512 bits and creates a 128-bit digest.
• A 128-bit digest is too small to resist collision attacks.

Secure Hash Algorithm (SHA)

• SHA was originally designed by NIST & NSA in 1993.
• SHA was revised in 1995 as SHA-1.
• Three additional versions of SHA were added later:
• SHA-256, SHA-384 and SHA-512; their structure and details are similar to SHA-1.

SHA-512
• SHA-512 is a member of the Secure Hash Algorithm family.
• SHA-512 creates a 512-bit message digest.
• The original message is divided into multiple blocks of size 1024 bits.
• The processing of each block involves 80 rounds.
• Each block of size 1024 bits can be viewed as 16 words of size 64 bits.
• The maximum size of a message is less than 2^128 bits. This means that if the length of a
message is equal to or greater than 2^128 bits, it will not be processed by SHA-512.
• SHA-512 is based on the Merkle-Damgard scheme.

The following figure shows the internal logic of SHA-512.

STEPS:

1. Append padding bits:

The message is padded with 1000000… so that the message, together with the length field appended in step 2, becomes a multiple of 1024 bits.
2. Append the length of the message:

A block of 128 bits is appended to the message; it contains the length of the original message in bits.
Before adding the length of the message, we need to pad as specified in the first step.
The size of the padding, |P|, is calculated as:
(|M| + |P| + 128) = 0 mod 1024
|P| = (-|M| - 128) mod 1024
Example: What is the number of padding bits if the length of the original message is 2590 bits?
Solution: |P| = (-2590 - 128) mod 1024
= -2718 mod 1024 = -670 mod 1024
= (1024 - 670) mod 1024 = 354
The padding consists of one 1 followed by 353 0's.
Length Field and Padding:
Before the message digest can be created, SHA-512 requires the addition of a 128-bit length field (a value from 0 to 2^128 -
1) to the message that defines the length of the message in bits.

Compression Function
The heart of the algorithm is a module that consists of 80 rounds; this module is labeled F in the block
diagram.
Each round t takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer.
Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being
processed (Mi).
Each round t also makes use of a 64-bit additive constant Kt.
The output of the 80th round is added to the input of the first round (Hi-1) to produce Hi.
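The padding rule and the Merkle-Damgard iteration from the sections above, as an added example (not code from these notes). It pads a byte-aligned message exactly as SHA-512 does (a 1 bit, zeros, then the 128-bit length) and then chains a compression function over the 1024-bit blocks. Assumptions: the real 80-round module F is replaced by a stand-in compression function (SHA-512 over the chaining value and the block), and the initial value H0 is a placeholder of zero bytes rather than the eight fixed SHA-512 IV words.

```python
import hashlib

BLOCK_BITS = 1024          # SHA-512 processes 1024-bit blocks
LENGTH_FIELD_BITS = 128    # the appended length field is 128 bits
DIGEST_BYTES = 64


def padding_bits(message_bits: int) -> int:
    """|P| = (-|M| - 128) mod 1024, the formula from the notes."""
    return (-message_bits - LENGTH_FIELD_BITS) % BLOCK_BITS


def pad_message(message: bytes) -> bytes:
    """Steps 1 and 2 for a byte-aligned message: append 1, then 0s, then the 128-bit length."""
    bit_len = len(message) * 8
    p = padding_bits(bit_len)
    if p == 0:
        # |M| = 896 mod 1024 already leaves exactly room for the length field, but the
        # single 1 bit is still mandatory, so a whole extra block of padding is added.
        p = BLOCK_BITS
    padding = b"\x80" + b"\x00" * (p // 8 - 1)        # 1000...0 as bytes
    length_field = bit_len.to_bytes(LENGTH_FIELD_BITS // 8, "big")
    return message + padding + length_field


# Placeholder initial value H0 (assumption); the real SHA-512 IV is eight fixed 64-bit words.
H0 = bytes(DIGEST_BYTES)


def compress(h_prev: bytes, block: bytes) -> bytes:
    """Stand-in compression function f(H_{i-1}, M_i) (assumption: SHA-512 over the
    concatenation replaces the real 80-round module F)."""
    return hashlib.sha512(h_prev + block).digest()


def md_hash(message: bytes) -> bytes:
    """Merkle-Damgard iteration: H_i = f(H_{i-1}, M_i) over the padded 1024-bit blocks."""
    padded = pad_message(message)
    block_bytes = BLOCK_BITS // 8
    h = H0
    for i in range(0, len(padded), block_bytes):
        h = compress(h, padded[i:i + block_bytes])
    return h                                           # H_t, the final digest
```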
[Figure: 80-word input sequence Wt, round constants Kt, and initialization of the hash buffer.]

DIGITAL SIGNATURE
• A digital signature is a technique used to validate the authenticity and integrity of a
message.
• In the physical world, a person signs a document to show that it originated from him
or was approved by him. The signature is proof to the recipient that the document
comes from the correct entity.
• Similarly, a digital signature is a technique that binds a person/entity to the
digital data. This binding can be independently verified by the receiver as well as
any third party.
• A digital signature is a cryptographic value that is calculated from the data and a
secret key known only to the signer.

COMPARISON of conventional signature & DIGITAL SIGNATURE

Inclusion
A conventional signature is included in the document; it is part of the document.
But when we sign a document digitally, we send the signature as a separate document.

Verification Method
For a conventional signature, when the recipient receives a document, he compares the signature on the
document with the signature on file.
For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a
verification technique to the combination of the message and the signature to verify the authenticity.

Relationship
For a conventional signature, there is normally a one-to-many relationship between a signature and
documents. For a digital signature, there is a one-to-one relationship between a signature and a
message.

Duplicity
In conventional signature, a copy of the signed document can be distinguished from the original one on
file. In digital signature, there is no such distinction unless there is a factor of time on the document.

PROCESS OF DIGITAL SIGNATURE

Figure shows the digital signature process. The sender uses a signing algorithm to sign the message. The
message and the signature are sent to the receiver. The receiver receives the message and the signature and
applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise,
it is rejected.

SIGNING THE DIGEST

Asymmetric-key cryptosystems are inefficient for long messages. In a digital
signature system, this drawback can be overcome by signing the digest of the message instead of the whole message.

SERVICES

The services in cryptography are:
message confidentiality, authentication, integrity and non-repudiation.
• A digital signature system can provide message authentication, integrity and non-
repudiation, but it still needs encryption/decryption for message confidentiality.

Message Authentication
• A secure digital signature scheme, like a secure conventional signature, can
provide message authentication.
• For example, Bob can verify that the message is sent by Alice because Alice's public key is used in
verification.
Message Integrity
The integrity of the message is preserved even if we sign the whole message, because we cannot get the
same signature if the message is changed.

Nonrepudiation
Nonrepudiation can be provided using a trusted party.

Confidentiality

A digital signature does not provide privacy.
If there is a need for privacy, another layer of encryption/decryption must be applied.
Figure: Adding confidentiality to a digital signature scheme

ATTACKS ON DIGITAL SIGNATURE

Attack Types

1. Key-Only Attack
In a key-only attack, the public key of A is available to everyone; C makes use of this fact and tries to
recreate the signature of A, so as to digitally sign documents that A does not intend to sign.
2. Known-Message Attack
In the known-message attack, C has a few previous messages and signatures of A. C tries to forge
the signature of A on documents that A does not intend to sign, using brute force and by
analyzing the previous data to recreate the signature of A.
3. Chosen-Message Attack
In this attack C knows A's public key and obtains A's signature on messages of C's choosing; C then
replaces the original message with the message C wants A to have signed, with A's signature on it
unchanged.

Forgery Types

1. Existential Forgery
The adversary can create a pair (message, signature) such that the signature of the message is valid.
The adversary has no control over the messages whose signature is forged.
2. Selective Forgery
The adversary is able to create valid signatures on a message
chosen by someone else, with a significant probability.
The adversary controls the messages whose signature is forged.

DIGITAL SIGNATURE SCHEMES


Several digital signature schemes have evolved during the last few decades. Some of them have been
implemented.

1. RSA Digital Signature Scheme
2. ElGamal Digital Signature Scheme
3. Schnorr Digital Signature Scheme
4. Digital Signature Standard (DSS)
5. Elliptic Curve Digital Signature Scheme

RSA DIGITAL SIGNATURE SCHEMES

Figure: General idea behind the RSA digital signature scheme

The sender uses his own private key to sign the document; the receiver uses the sender's public key to
verify it.

RSA DIGITAL SIGNATURE SCHEMES – Key Generation


Key generation in the RSA digital signature scheme is exactly the same as key generation in RSA.
1. The sender chooses two prime numbers p and q.
2. Calculate n = p × q.
3. Calculate f(n) = (p-1) × (q-1) (Euler's totient of n).
4. Choose the public exponent e and calculate d (the private exponent) such that e × d ≡ 1 mod
f(n).
In the RSA digital signature scheme, d is private; e and n are public.

RSA DIGITAL SIGNATURE SCHEMES – Signing and verifying

Signing: Alice creates a signature out of the message using her private exponent,
S = M^d mod n, and sends the signature to Bob.
Verifying: Bob receives M and S. Bob applies Alice's public exponent to the signature to create a copy of
the message, M1 = S^e mod n. Bob compares M and M1. If both are congruent, he accepts the message.
M1 ≡ M (mod n) ⇔ S^e ≡ M (mod n) ⇔ M^(d×e) ≡ M (mod n)

RSA DIGITAL SIGNATURE SCHEMES – EXAMPLE

As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The
value of f(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key
generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to
Bob. She uses her private exponent, 160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He
calculates

Bob accepts the message because he has verified Alice’s signature
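The example above with its own parameters (p = 823, q = 953, e = 313, M = 19070), carried out in Python as an added example that is not part of the original notes. It checks that d = 160009 really is the inverse of e, runs textbook signing and verification, and also shows the "signing the digest" variant from the earlier section. Assumption: the digest is mapped into Z_n by a plain reduction mod n, a toy shortcut in place of a real signature padding.

```python
import hashlib

# Parameters from the worked example above (the signature value is computed, not quoted).
P, Q = 823, 953
N = P * Q                       # 784319
PHI = (P - 1) * (Q - 1)         # 782544, f(n)
E = 313
D = pow(E, -1, PHI)             # 160009: the private exponent, e*d = 1 mod f(n)


def rsa_sign(message: int, d: int = D, n: int = N) -> int:
    """Alice: S = M^d mod n (textbook RSA, no padding)."""
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, d, n)


def rsa_verify(message: int, signature: int, e: int = E, n: int = N) -> bool:
    """Bob: recompute M1 = S^e mod n and accept only if M1 == M."""
    return 0 <= message < n and pow(signature, e, n) == message


def digest_to_int(message: bytes, n: int = N) -> int:
    """Sign-the-digest: hash the message first and map the digest into Z_n.
    Assumption: the reduction mod n is a toy stand-in for a real padding scheme."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_digest(message: bytes, d: int = D, n: int = N) -> int:
    return rsa_sign(digest_to_int(message, n), d, n)


def verify_digest(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    return rsa_verify(digest_to_int(message, n), signature, e, n)
```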

ElGamal Digital Signatures

• signature variant of ElGamal, related to D-H
– so uses exponentiation in a finite (Galois) field
– security based on the difficulty of computing discrete logarithms, as in D-H
• uses the private key for encryption (signing)
• uses the public key for decryption (verification)
• each user (e.g. A) generates their key

• Alice signs a message M to Bob by computing
• the hash m = H(M), 0 <= m <= (q-1)
• choosing a random integer K with 1 <= K <= (q-1) and gcd(K, q-1) = 1
• computing the temporary key: S1 = a^K mod q
• computing K^-1, the inverse of K mod (q-1)
• computing the value: S2 = K^-1 (m - xA·S1) mod (q-1)
• the signature is (S1, S2)
• any user B can verify the signature by computing

ElGamal Signature Example

• use the field GF(19): q = 19 and a = 10
• Alice computes her key:
• A chooses xA = 16 & computes yA = 10^16 mod 19 = 4
• Alice signs a message with hash m = 14 as (3, 4):
• choosing random K = 5, which has gcd(18, 5) = 1
• computing S1 = 10^5 mod 19 = 3
• finding K^-1 mod (q-1) = 5^-1 mod 18 = 11
• computing S2 = 11(14 - 16·3) mod 18 = 4
• any user B can verify the signature by computing
• V1 = 10^14 mod 19 = 16
• V2 = 4^3 · 3^4 = 5184 mod 19 = 16
• since V1 = V2 = 16, the signature is valid

Schnorr Digital Signatures

• also uses exponentiation in a finite (Galois) field
• security based on discrete logarithms, as in D-H
• minimizes message-dependent computation
• the message-dependent part is multiplying a 2n-bit integer with an n-bit integer
• the main work can be done in idle time
• uses a prime modulus p
• p-1 has a prime factor q of appropriate size; typically p is a 1024-bit and q a 160-bit
number

Schnorr Key Setup

• choose suitable primes p, q
• choose a such that a^q = 1 mod p
• (a, p, q) are global parameters for all users
• each user (e.g. A) generates a key
• chooses a secret key (number): 0 < sA < q
• computes their public key: vA = a^-sA mod q

• a user signs a message by
• choosing a random r with 0 < r < q and computing x = a^r mod p
• concatenating the message with x and hashing the result to compute: e = H(M || x)
• computing: y = (r + s·e) mod q
• the signature is the pair (e, y)
• any other user can verify the signature as follows:
• computing: x' = a^y · v^e mod p
• verifying that: e = H(M || x')
Digital Signature Standard (DSS)
• US Government-approved signature scheme
• designed by NIST & NSA in the early 90's
• published as FIPS-186 in 1991
• revised in 1993, 1996 & then 2000
• uses the SHA hash algorithm
• DSS is the standard, DSA is the algorithm
• FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
• DSA is a digital signature scheme only, unlike RSA, which is a general public-key technique

Digital Signature Algorithm (DSA)

• creates a 320-bit signature
• with 512–1024-bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on the difficulty of computing discrete logarithms
• a variant of the ElGamal & Schnorr schemes
DSA Key Generation
• shared global public key values (p, q, g):
• choose a 160-bit prime number q
• choose a large prime p with 2^(L-1) < p < 2^L
– where L = 512 to 1024 bits and is a multiple of 64
– such that q is a 160-bit prime divisor of (p-1)
• choose g = h^((p-1)/q) mod p
– where 1 < h < p-1 and h^((p-1)/q) mod p > 1
• users choose a private key & compute a public key:
• choose a random private key: x < q
• compute the public key: y = g^x mod p
DSA Signature Creation
• to sign a message M the sender:
• generates a random signature key k, k < q
• nb. k must be random, be destroyed after use, and never be reused
• then computes the signature pair:
r = (g^k mod p) mod q
s = [k^-1 (H(M) + x·r)] mod q
• sends the signature (r, s) with the message M
• having received M & the signature (r, s),
• to verify the signature, the recipient
DSS Overview
KEY MANAGEMENT
SYMMETRIC-KEY DISTRIBUTION
• Symmetric-key cryptography is more efficient than asymmetric-key
cryptography for enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• Example: If Alice needs to exchange confidential messages with N people, she needs N
different keys, and if N people need to exchange messages with each other, they need N(N-1)
keys. If 1 million people need to communicate with each other, they need on the order of
a trillion keys.
• This problem is normally referred to as the N^2 problem, because the number of required
keys for N entities grows as N^2.
• We also have the problem of distributing keys through the Internet, which is insecure.

Key-Distribution Center: KDC

A practical solution to the above problem is the use of a trusted third party, referred to as a Key-Distribution
Center (KDC).

1. Alice sends a request to the KDC stating that she needs a session secret key between her
and Bob.
2. The KDC informs Bob about Alice's request.
3. If Bob agrees, a session key is created between the two.
Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes unmanageable.
To solve the problem, we use multiple KDCs. We divide the world into domains, each with its own KDC.

Hierarchical Multiple KDCs

In this model, KDCs are arranged hierarchically: international KDCs are at the root, national KDCs come next, and
local KDCs are at the lowest level.

Session Keys
A KDC creates a secret key for each member. This secret key can be used only between the member and
the KDC, not between two members.
A session symmetric key between two parties is used only once.

Simple protocol Using a KDC


The figure shows the first approach using a KDC:
1. Alice sends a request to the KDC.
2. The KDC creates a ticket for Bob, encrypted using Bob's key KB. The ticket contains the
session key (KAB).
3. Alice extracts Bob's ticket.
4. Alice sends the ticket to Bob. Bob opens the ticket and knows that Alice wants to send
messages to him using KAB.
Drawback: Eve can use a replay attack at step 3.
Needham-Schroeder Protocol

1. Alice sends a message to the KDC that includes her nonce, RA.
2. The KDC sends an encrypted ticket for Bob to Alice, which contains the session key.
3. Alice sends Bob's ticket to him.
4. Bob sends his challenge (RB) to Alice, protected with the session key.
5. Alice responds to Bob's challenge.

KERBEROS
Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular.
Several systems, including Windows 2000, use Kerberos.
Originally designed at MIT, it has gone through several versions.

KERBEROS Servers

Three servers are involved in the Kerberos protocol.


Authentication Server (AS)
• The authentication server (AS) is the KDC in the Kerberos protocol.
• Each user registers with the AS and is granted a user identity and a password.
• The AS verifies the user, issues a session key to be used between Alice and the TGS,
and sends a ticket for the TGS.
Ticket-Granting Server (TGS)
• The ticket-granting server (TGS) issues a ticket for the real server (Bob).
• It also provides the session key between Alice and Bob.
• Kerberos separates user verification from the issuing of tickets.
• Alice can contact the TGS multiple times to obtain tickets for different real servers.
Real Server
• The real server (Bob) provides services for the user (Alice).
• Kerberos is designed for client-server programs.
• Kerberos is not used for person-to-person authentication.
SYMMETRIC-KEY AGREEMENT
Alice and Bob can create a session key between themselves without using
a KDC. This method of session-key creation is referred to as symmetric-
key agreement. Example: Diffie-Hellman Key Agreement.

Diffie-Hellman Key Agreement

In this method, two parties create a symmetric key without the need for a KDC.
Before establishing the key, the two parties need to choose two numbers p and g.
The number p is a large prime, on the order of 300 digits.

Steps:
1. Alice chooses a large random integer x and calculates R1 = g^x mod p.
2. Bob chooses another large random integer y and calculates R2 = g^y mod p.
3. Alice sends R1 to Bob and Bob sends R2 to Alice.
4. Alice calculates the key K = (R2)^x mod p.
5. Bob calculates the key K = (R1)^y mod p, where K is the symmetric key
for the session.
The symmetric key in the Diffie-Hellman method is K = g^xy mod p.

Diffie-Hellman Key Agreement- EXAMPLE

Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that
in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:

1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob:
g^xy mod p = 7^18 mod 23 = 18.
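The five-step exchange above with the example values g = 7, p = 23, x = 3, y = 6, as an added example (not code from these notes). Beyond the example, each side validates the value it receives: a public value of 0, 1 or p-1 would force the shared key into a trivial value, so it is rejected before the key is derived.

```python
def valid_public_value(r: int, p: int) -> bool:
    """Accept only 1 < R < p-1; 0, 1 and p-1 would force a trivial shared key."""
    return 1 < r < p - 1


def dh_public_value(g: int, p: int, private: int) -> int:
    return pow(g, private, p)                # R = g^private mod p


def dh_shared_key(peer_value: int, private: int, p: int) -> int:
    """K = R^private mod p, after checking the peer's value is usable."""
    if not valid_public_value(peer_value, p):
        raise ValueError("peer sent an invalid Diffie-Hellman public value")
    return pow(peer_value, private, p)


def dh_exchange(g: int, p: int, x: int, y: int):
    """Run the steps for Alice (private x) and Bob (private y); returns (R1, R2, K_alice, K_bob)."""
    r1 = dh_public_value(g, p, x)            # step 1: Alice computes R1
    r2 = dh_public_value(g, p, y)            # step 2: Bob computes R2
    # step 3: R1 and R2 cross the insecure channel; only the private x and y stay secret
    k_alice = dh_shared_key(r2, x, p)        # step 4: Alice derives K from R2
    k_bob = dh_shared_key(r1, y, p)          # step 5: Bob derives K from R1
    return r1, r2, k_alice, k_bob
```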

PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to know a shared symmetric key; everyone shields a
private key and advertises a public key.
In public-key cryptography, everyone has access to everyone's public key: public keys are
available to the public.
So, public keys need to be distributed. The methods are:

1. Public Announcement
2. Trusted Center
3. Controlled Trusted Center
4. Certification Authority

5. X.509
6. Public-Key Infrastructures (PKI)

Public Announcement
The naive method is to announce public keys publicly, but this is not secure.

Figure: Announcing a public key

Trusted Center
A more secure approach is to have a trusted center retain a directory of public keys.
Controlled Trusted Center
A higher level of security can be achieved when there are added controls on
UNIT –V
Network Security-I
Security at application layer: PGP and S/MIME, Security at the Transport Layer: SSL and TLS

Security at Application layer and Transport Layer


Various business services are now offered online through client-server applications.
The most popular forms are web applications and e-mail.
In both applications, the client communicates with the designated server and obtains services.

While using a service from any server application, the client and server exchange a lot of information on the
underlying intranet or Internet. We are aware of the fact that these information transactions are vulnerable to
various attacks.
Network security entails securing data against attacks while it is in transit on a network.

E-mail Security
E-mail is one of the most widely used and highly regarded network services. Currently message contents are not secure: they may be inspected either
in transit or by suitably privileged users on the destination system.
E-mail Architecture:

1. UA - User Agent: used to prepare messages.
2. MTA - Message Transfer Agent: used to send messages to the mail server. This is the push program.
3. MAA - Message Access Agent: used to receive messages from the mail server. This is the pull program.
PGP (Pretty Good Privacy)
• Provides a confidentiality and authentication service that can be used for electronic mail and file
storage applications
• Developed by Phil Zimmermann
• Selected the best available cryptographic algorithms as building blocks
• Integrated these algorithms into a general-purpose application that is independent of operating
system and processor and that is based on a small set of easy-to-use commands
• Made the package and its documentation, including the source code, freely available via the
Internet, bulletin boards, and commercial networks
• Entered into an agreement with a company to provide a fully compatible, low-cost commercial
version of PGP
PGP Growth

• It is available free worldwide in versions that run on a variety of platforms.
• The commercial version satisfies users who want a product that comes with vendor support.
• It is based on algorithms that have survived extensive public review and are considered extremely secure.
• It has a wide range of applicability.
• It was not developed by, nor is it controlled by, any governmental or standards organization.
• It is now on an Internet standards track; however, it still has an aura of an antiestablishment endeavor.

PGP Notation:
Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix-64 ASCII format

PGP Operation – Authentication:


1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of message
3. hash code is encrypted with RSA using the sender's private key, and result is attached to message
4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code
5. receiver generates new hash code for message and compares with decrypted hash code, if match,
message is accepted as authentic
PGP Operation – Confidentiality:
1. sender generates message and random 128-bit number to be used as session key for this message only
2. message is encrypted, using CAST-128 / IDEA/3DES with session key
3. session key is encrypted using RSA with recipient's public key, then attached to message
4. receiver uses RSA with its private key to decrypt and recover session key
5. session key is used to decrypt message

PGP Operation – Confidentiality & Authentication


Uses both services on the same message:
• create the signature & attach it to the message
• encrypt both the message & the signature
• attach the RSA-encrypted session key

PGP Operation – Compression

By default, PGP compresses the message after applying the signature but before encryption. This has the
benefit of saving space both for e-mail transmission and for file storage.
The placement of the compression algorithm is indicated by Z for compression and Z^-1 for decompression.
The signature is generated before compression so that the uncompressed message & signature can be stored for later
verification, and because compression is not deterministic (different versions of the algorithm may produce different
output), the signature must not depend on the compressed form. PGP uses the ZIP compression algorithm.
PGP Operation – Email Compatibility

• When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature
service is used, then the message digest is encrypted (with the sender's private key). If the
confidentiality service is used, the message plus signature (if present) are encrypted (with a one-
time symmetric key).
• Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets.
• However, many electronic mail systems only permit the use of blocks consisting of ASCII text.
• To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary
stream to a stream of printable ASCII characters. The scheme used for this purpose is radix-64
conversion.
• Each group of three octets of binary data is mapped into four ASCII characters. This format also
appends
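The radix-64 mapping described above (three octets to four printable characters), as an added example that is not PGP's own code. The decoder also rejects malformed input (bad length, characters outside the alphabet, padding in the middle), which is where a receiver would otherwise misparse attacker-controlled text; the standard base64 module is used only to cross-check the encoder.

```python
import base64  # used only to cross-check the hand-written encoder

R64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def radix64_encode(data: bytes) -> str:
    """Map each 24-bit group of three octets to four 6-bit characters; '=' pads a short last group."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        n = int.from_bytes(group.ljust(3, b"\x00"), "big")          # 24-bit value
        chars = [R64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        missing = 3 - len(group)                                     # 0, 1 or 2 octets short
        for j in range(missing):
            chars[3 - j] = "="
        out.append("".join(chars))
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    """Inverse mapping with strict validation of the input."""
    if len(text) % 4:
        raise ValueError("radix-64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        body = quad.rstrip("=")
        pad = 4 - len(body)
        if pad > 2 or (pad and i + 4 != len(text)):
            raise ValueError("invalid padding")
        n = 0
        for ch in body:
            if ch not in R64_ALPHABET:
                raise ValueError(f"character {ch!r} not in radix-64 alphabet")
            n = (n << 6) | R64_ALPHABET.index(ch)
        n <<= 6 * pad                                                # restore 24 bits
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)
```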

S/MIME (Secure/Multipurpose Internet Mail Extensions)


Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancement to the MIME Internet
e-mail format standard, based on technology from RSA Data Security. It appears likely that S/MIME will
emerge as the industry standard for commercial and organizational use, while PGP will remain the choice
for personal e-mail security for many users. S/MIME is defined in a number of documents, most
importantly RFCs 3370, 3850, 3851, and 3852.
S/MIME is supported by many mail agents, e.g. MS Outlook, Mozilla, Mac Mail, etc.
To understand S/MIME, we first need a general understanding of the underlying e-mail format
that it uses, namely MIME. We also have to learn about RFC 5322 (Internet Message Format).
RFC 5322:

• Defines a format for text messages that are sent using electronic mail.
• Messages are viewed as having an envelope and contents.
• The envelope contains whatever information is needed to accomplish transmission and
delivery.
• The contents compose the object to be delivered to the recipient.
• The RFC 5322 standard applies only to the contents.
• The content standard includes a set of header fields that may be used by the mail system to create the
envelope.

The overall structure of a message that conforms to RFC 5322 is very simple. A message consists of some
number of header lines (the header) followed by unrestricted text (the body). The header is separated from
the body by a blank line. Put differently, a message is ASCII text, and all lines up to the first blank line
are assumed to be header lines used by the user agent part of the mail system.

A header line usually consists of a keyword, followed by a colon, followed by the keyword’s arguments;
the format allows a long line to be broken up into several lines. The most frequently used keywords are
From, To, Subject, and Date. Here is an example message:

Date: October 8, 2009 2:15:49 PM EDT
From: "William Stallings" <[email protected]>
Subject: The Syntax in RFC 5322
To: [email protected]
Cc: [email protected]

Hello. This section begins the actual message body, which is delimited from the
message heading by a blank line.
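An added Python parser for messages of this shape (example code, not from the page): it unfolds continuation lines, splits header from body at the first blank line, and enforces the RFC 5322 occurrence limits (exactly one From, at most one Subject, and so on). The message it parses is a constructed one with example.com addresses, not the message above.

```python
CRLF = "\r\n"

# Constructed sample message, written as it travels over SMTP: CRLF line ends,
# one folded Subject header (the continuation line starts with whitespace),
# and a blank line before the body.
SAMPLE = (
    "Date: Thu, 8 Oct 2009 14:15:49 -0400" + CRLF +
    'From: "William Stallings" <ws@example.com>' + CRLF +
    "Subject: The Syntax in" + CRLF +
    " RFC 5322" + CRLF +
    "To: alice@example.com" + CRLF +
    "Cc: bob@example.com" + CRLF +
    CRLF +
    "Hello. This section begins the actual message body, which is delimited from the" + CRLF +
    "message heading by a blank line." + CRLF
)

# RFC 5322 section 3.6 limits on how often a field may appear: (min, max).
FIELD_LIMITS = {"date": (1, 1), "from": (1, 1), "subject": (0, 1), "to": (0, 1), "cc": (0, 1)}


def parse_message(raw: str):
    """Return (headers, body). headers is an ordered list of (name, value) pairs with
    names lower-cased (field names are case-insensitive); folded lines are unfolded
    by removing the CRLF and keeping the whitespace, as the RFC specifies."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line separating header from body")
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (" ", "\t"):
            if not headers:
                raise ValueError("continuation line before any header field")
            name, value = headers[-1]
            headers[-1] = (name, value + line.rstrip())
        else:
            name, colon, value = line.partition(":")
            if not colon or not name or any(c.isspace() for c in name):
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((name.lower(), value.strip()))
    return headers, body


def get_all(headers, name):
    return [v for n, v in headers if n == name.lower()]


def check_field_counts(headers) -> bool:
    """Reject messages that violate the occurrence limits. A message carrying two From:
    fields is malformed; accepting it lets a sender show one origin to the filter that
    reads the first copy and another to the client that displays the last."""
    for name, (lo, hi) in FIELD_LIMITS.items():
        count = len(get_all(headers, name))
        if not lo <= count <= hi:
            raise ValueError(f"{name}: appears {count} times, allowed {lo}..{hi}")
    return True


def is_well_formed(raw: str) -> bool:
    try:
        check_field_counts(parse_message(raw)[0])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdrs, body = parse_message(SAMPLE)
    check_field_counts(hdrs)
    for name, value in hdrs:
        print(f"{name}: {value}")
    print("--- body ---")
    print(body, end="")
```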

Multipurpose Internet Mail Extensions (MIME):


MIME is an extension to the RFC 5322 framework that is intended to address some of the problems and
limitations of the use of Simple Mail Transfer Protocol (SMTP) with RFC 5322. The MIME specification
lists the following limitations of the SMTP/5322 scheme.
1. SMTP cannot transmit executable files or other binary objects.
2. SMTP cannot transmit text data that includes national language characters, because these are
represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited to 7-bit ASCII.
3. SMTP servers may reject mail messages over a certain size.
4. SMTP gateways that translate between ASCII and the character code EBCDIC do not use a consistent
set of mappings, resulting in translation problems.
MIME is intended to resolve these problems in a manner that is compatible with existing RFC 5322
implementations. The specification is provided in RFCs 2045 through 2049.

The MIME specification includes the following elements.


1. Five new message header fields are defined, which may be included in an RFC 5322
header. These fields provide information about the body of the message.
2. A number of content formats are defined, thus standardizing representations that
support multimedia electronic mail.
3. Transfer encodings are defined that enable the conversion of any content format into a
form that is protected from alteration by the mail system.

The Five Header Fields Defined in MIME: The five header fields defined in MIME are

• MIME-Version: Must have the parameter value 1.0. This field indicates that the message
conforms to RFCs 2045 and 2046.
• Content-Type: Describes the data contained in the body with sufficient detail that the
receiving user agent can pick an appropriate agent or mechanism to represent the data to
the user or otherwise deal with the data in an appropriate manner.
• Content-Transfer-Encoding: Indicates the type of transformation that has been used to
represent the body of the message in a way that is acceptable for mail transport.
• Content-ID: Used to identify MIME entities uniquely in multiple contexts.
• Content-Description: A text description of the object in the body; this is useful when the
object is not readable (e.g., audio data).
MIME Content Types:

MIME Transfer Encodings:


S/MIME Functionality: S/MIME provides the following functions.

• Enveloped data: This consists of encrypted content of any type and encrypted content
encryption keys for one or more recipients.
• Signed data: A digital signature is formed by taking the message digest of the content to
be signed and then encrypting that with the private key of the signer. The content plus
signature are then encoded using base64 encoding. A signed data message can only be
viewed by a recipient with S/MIME capability.
• Clear-signed data: As with signed data, a digital signature of the content is formed.
However, in this case, only the digital signature is encoded using base64. As a result,
recipients without S/MIME capability can view the message content, although they cannot
verify the signature.
• Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so
that encrypted data may be signed, and signed data or clear-signed data may be
encrypted.
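An added Python sketch (not from the page or any S/MIME implementation) of the two signed forms described above. Assumptions: the MIME boundary is fixed, and the detached "signature" part carries only the SHA-256 digest the signer would sign, as a stand-in for the CMS SignedData structure; applying the signer's private key to that digest is not shown. What the example does show is the structural difference the text describes (a plain MIME client can read a clear-signed message but not an opaque signed one), the canonical form the digest must be computed over, and tamper detection.

```python
import base64
import hashlib

CRLF = "\r\n"
BOUNDARY = "----=_demo-boundary-1234"      # constructed; real agents pick a random boundary

# Constructed inner MIME entity: the thing that gets signed.
ENTITY = (
    "Content-Type: text/plain; charset=us-ascii" + CRLF + CRLF +
    "Please approve the transfer of 10,000 USD to account 42." + CRLF
)


def canonical(entity: str) -> bytes:
    """MIME canonical form: CRLF line ends. Signer and verifier must hash the same bytes,
    so both canonicalize first; a gateway that rewrote CRLF as LF is undone here."""
    return entity.replace(CRLF, "\n").replace("\n", CRLF).encode("utf-8")


def sign_stub(entity: str) -> bytes:
    """Stand-in for the CMS SignedData: just the SHA-256 digest the signer would sign."""
    return b"sha-256:" + hashlib.sha256(canonical(entity)).hexdigest().encode()


def clear_signed(entity: str) -> str:
    """multipart/signed: part 1 is the content in the clear, part 2 the detached signature."""
    return (
        "MIME-Version: 1.0" + CRLF +
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";' + CRLF +
        f' micalg=sha-256; boundary="{BOUNDARY}"' + CRLF + CRLF +
        f"--{BOUNDARY}" + CRLF + entity + CRLF +
        f"--{BOUNDARY}" + CRLF +
        "Content-Type: application/pkcs7-signature; name=smime.p7s" + CRLF +
        "Content-Transfer-Encoding: base64" + CRLF + CRLF +
        base64.b64encode(sign_stub(entity)).decode() + CRLF +
        f"--{BOUNDARY}--" + CRLF
    )


def opaque_signed(entity: str) -> str:
    """application/pkcs7-mime (smime-type=signed-data): content and signature are one
    base64 blob; a reader without S/MIME support sees only an attachment."""
    blob = b"SignedData{" + canonical(entity) + b"}{" + sign_stub(entity) + b"}"  # placeholder for DER
    return (
        "MIME-Version: 1.0" + CRLF +
        "Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m" + CRLF +
        "Content-Transfer-Encoding: base64" + CRLF + CRLF +
        base64.b64encode(blob).decode() + CRLF
    )


def split_parts(message: str) -> list:
    """Split multipart/signed into its parts. The CRLF preceding each boundary line
    belongs to the delimiter, not to the part (RFC 2046), so part 1 is recovered byte-exact."""
    head, _, body = message.partition(CRLF + CRLF)
    if "multipart/signed" not in head:
        return []
    chunks = (CRLF + body).split(CRLF + "--" + BOUNDARY)
    return [c[len(CRLF):] for c in chunks[1:-1]]


def readable_without_smime(message: str):
    """What a plain MIME client can display: part 1 of a clear-signed message, nothing otherwise."""
    parts = split_parts(message)
    return parts[0].partition(CRLF + CRLF)[2] if parts else None


def verify_clear_signed(message: str) -> bool:
    """Recompute the digest over the canonicalized first part and compare with part 2."""
    parts = split_parts(message)
    if len(parts) != 2:
        return False
    sig_b64 = parts[1].partition(CRLF + CRLF)[2].strip()
    return base64.b64decode(sig_b64) == sign_stub(parts[0])


if __name__ == "__main__":
    msg = clear_signed(ENTITY)
    print(readable_without_smime(msg))
    print("verifies:", verify_clear_signed(msg))
    print("verifies after tampering:", verify_clear_signed(msg.replace("10,000", "90,000")))
    print("opaque form readable:", readable_without_smime(opaque_signed(ENTITY)))
```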

S/MIME Messages:

• S/MIME secures a MIME entity with a signature, encryption, or both, forming a MIME-wrapped
Public-Key Cryptography Standards (PKCS) object.
• These objects have a range of content types: enveloped data, signed data, clear-signed data,
registration request, and certificates-only message.

S/MIME Content Types

S/MIME Certificate Processing:

• S/MIME uses public-key certificates that conform to version 3 of X.509


• The key-management scheme used by S/MIME is in some ways a hybrid between a
strict X.509 certification hierarchy and PGP’s web of trust
• S/MIME managers and/or users must configure each client with a list of trusted keys
and with certificate revocation lists.
The responsibility is local for maintaining the certificates needed to verify incoming signatures and
to encrypt outgoing messages
• The certificates are signed by certification authorities
User Agent Role: An S/MIME user has several key-management functions to perform.
• Key generation: The user or some related administrative utility (e.g., one associated with
LAN management) MUST be capable of generating separate Diffie-Hellman and DSS key
pairs and SHOULD be capable of generating RSA key pairs. Each key pair MUST be
generated from a good source of nondeterministic random input and be protected in a secure
fashion. The original S/MIME specification said a user agent SHOULD generate RSA key pairs with a
length in the range of 768 to 1024 bits and MUST NOT generate a length of less than 512 bits; these
figures are long obsolete, and current practice requires RSA keys of at least 2048 bits.
• Registration: A user’s public key must be registered with a certification authority in order to receive
an X.509 public-key certificate.
• Certificate storage and retrieval: A user requires access to a local list of certificates in
order to verify incoming signatures and to encrypt outgoing messages. Such a list could be
maintained by the user or by some local administrative entity on behalf of a number of users.

VeriSign Certificates There are several companies that provide certification authority (CA) services. For
example, Nortel has designed an enterprise CA solution and can provide S/MIME support within an
organization. There are a number of Internet-based CAs, including VeriSign, GTE, and the U.S. Postal
Service.
Enhanced Security Services: Three enhanced security services were proposed in an Internet draft
(later published as RFC 2634). The three services are: signed receipts, security labels, and secure
mailing lists.

Transport Level Security:


Web security considerations:
The World Wide Web is fundamentally a client/server application running over the Internet
and TCP/IP intranets
The following characteristics of Web usage suggest the need for tailored security tools:
 The Internet is two-way. Unlike traditional publishing environments—even electronic publishing
systems involving teletext, voice response, or fax-back— the Web is vulnerable to attacks on the
Web servers over the Internet.
 The Web is increasingly serving as a highly visible outlet for corporate and product information and
as the platform for business transactions. Reputations can be damaged and money can be lost if the
Web servers are subverted.
 Although Web browsers are very easy to use, Web servers are relatively easy to configure and
manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily
complex. This complex software may hide many potential security flaws.
 A Web server can be exploited as a launching pad into the corporation’s or agency’s entire computer
complex. Once the Web server is subverted, an attacker may be able to gain access to data and
systems not part of the Web itself but connected to the server at the local site.
 Casual and untrained (in security matters) users are common clients for Web-based services. Such
users are not necessarily aware of the security risks that exist and do not have the tools or knowledge
to take effective countermeasures.
Web security Threats:

Table. A Comparison of Threats on the Web

Web Traffic Security Approaches:

A number of approaches to providing Web security are possible.


1. One way to provide Web security is to use IP security (IPsec) (Figure (a)). The advantage
of using IPsec is that it is transparent to end users and applications and provides a general-
purpose solution. IPsec also includes a filtering capability, so that only selected traffic need
incur the overhead of IPsec processing.
2. Another relatively general-purpose solution is to implement security just above TCP (Figure
(b)). The example of this approach is the Secure Sockets Layer (SSL) and the follow-on
Internet standard known as Transport Layer Security (TLS). At this level, there are two
implementation choices. For full generality, SSL (or TLS) could be provided as part of the
underlying protocol suite and therefore be transparent to applications. Alternatively, SSL
can be embedded in specific packages. For example, Netscape and Microsoft Explorer
browsers come equipped with SSL, and most Web servers have implemented the protocol.
3. Application-specific security services are embedded within the particular application.
Figure (c) shows examples of this architecture. The advantage of this approach is that the
service can be tailored to the specific needs of a given application.
Figure: relative location of security facilities in the TCP/IP protocol stack

SSL (Secure Socket Layer):


SSL is probably the most widely used Web security mechanism; it is implemented at the transport layer,
directly above TCP. SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
Netscape originated SSL. Version 3 of the protocol was designed with public review and input from
industry and was published as an Internet draft document. Subsequently it became the Internet standard
known as TLS (Transport Layer Security). SSLv2 and SSLv3 themselves are now prohibited (RFC 6176 and
RFC 7568) because of protocol-level weaknesses.
SSL Architecture:

SSL is not a single protocol but rather two layers of protocols.
Two important SSL concepts are the SSL session and the SSL connection, which are defined in
the specification as follows.
1. Connection: A connection is a transport that provides a suitable type of service.
For SSL, such connections are peer-to-peer relationships. Every connection is
associated with one session.
2. Session: An SSL session is an association between a client and a server. Sessions
are created by the Handshake Protocol. Sessions define a set of cryptographic
security parameters which can be shared among multiple connections.

Figure: SSL Protocol stack

SSL Record Protocol:

SSL Record Protocol defines two services for SSL connections:


1. Confidentiality: The Handshake Protocol defines a shared secret key that is
used for conventional encryption of SSL payloads. The message is
compressed before being concatenated with the MAC and encrypted, with a
range of ciphers being supported as shown.
2. Message Integrity: The Handshake Protocol also defines a shared secret
key that is used to form a message authentication code (MAC).
Cryptography and Network Security B.Tech(CSE) IV Year I Sem

Figure: SSL Record Protocol Operation


Figure shows the overall operation of the SSL Record Protocol. The Record Protocol takes an application
message to be transmitted, fragments the data into manageable blocks, optionally compresses the data,
applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data
are decrypted, verified, decompressed, and reassembled before being delivered to higher-level users.

Figure: SSL Record Format


The final step of SSL Record Protocol processing is to prepare a header consisting of the following
fields:
Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment:
change_cipher_spec (20), alert (21), handshake (22) or application_data (23).
Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.
Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.
Compressed Length (16 bits): The length in bytes of the plaintext fragment (or
compressed fragment if compression is used). The maximum value is 2^14 + 2048.
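An added Python model of the Record Protocol framing (example code, not from the page or any SSL/TLS library): fragmentation, the MAC over sequence number, content type, version, length and fragment, the 5-byte header, and the receiver's checks. Compression and encryption are omitted, so these are NULL-cipher records with integrity only, and the MAC is HMAC-SHA256 in the TLS style rather than the original SSLv3 MAC construction. The key and data are constructed.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                 # largest plaintext fragment one record may carry
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
VERSION = (3, 1)                       # major/minor on the wire: SSLv3 is (3,0), TLS 1.0 is (3,1)
MAC_LEN = 32                           # HMAC-SHA256 tag


def fragment(data: bytes) -> list:
    """Step 1: split application data into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def record_mac(mac_key: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """HMAC(key, seq_num || type || version || length || fragment). The 64-bit sequence
    number is never transmitted: both ends count records, which ties each record to its
    position and defeats replay, deletion and reordering of records within a connection."""
    pseudo_header = struct.pack("!QBBBH", seq_num, ctype, VERSION[0], VERSION[1], len(frag))
    return hmac.new(mac_key, pseudo_header + frag, hashlib.sha256).digest()


def build_record(mac_key: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """Steps 3 and 5: append the MAC, then prefix the header (type, major, minor, length)."""
    if len(frag) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes")
    body = frag + record_mac(mac_key, seq_num, ctype, frag)
    return struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(body)) + body


def parse_record(mac_key: bytes, seq_num: int, record: bytes) -> tuple:
    """Receiver: check header, length bound and MAC before trusting the content."""
    if len(record) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if (major, minor) != VERSION:
        raise ValueError("protocol_version")
    if length > MAX_FRAGMENT + 2048:
        raise ValueError("record_overflow")          # the bound the length field allows
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("truncated record")
    frag, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(mac_key, seq_num, ctype, frag)):
        raise ValueError("bad_record_mac")           # a fatal alert in TLS
    return ctype, frag


def send(mac_key: bytes, data: bytes) -> list:
    return [build_record(mac_key, seq, APPLICATION_DATA, f) for seq, f in enumerate(fragment(data))]


def receive(mac_key: bytes, records: list) -> bytes:
    """Reassemble, numbering records in arrival order; a reordered or replayed record fails its MAC."""
    return b"".join(parse_record(mac_key, seq, rec)[1] for seq, rec in enumerate(records))


def stream_is_valid(mac_key: bytes, records: list) -> bool:
    try:
        receive(mac_key, records)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(32)                                   # constructed MAC key
    records = send(key, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print(len(records), "record(s);", receive(key, records) == b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
```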
ChangeCipherSpec Protocol:
The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record
Protocol. It is the simplest, consisting of a single message, which consists of a single byte with the value
1. The sole purpose of this message is to cause the pending state to be copied into the current state,
which updates the cipher suite to be used on this connection.


SSL Alert Protocol:


The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that
use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in
this protocol consists of two bytes, the first takes the value warning (1) or fatal (2) to convey the severity
of the message. The second byte contains a code that indicates the specific alert.

SSL Handshake Protocol:


The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to
authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be
used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is
transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server.

The exchange can be viewed in 4 phases:


• Phase 1. Establish Security Capabilities - this phase is used by the client to
initiate a logical connection and to establish the security capabilities that will be
associated with it
• Phase 2. Server Authentication and Key Exchange - the server begins this phase
by sending its certificate if it needs to be authenticated.
• Phase 3. Client Authentication and Key Exchange - the client should verify that the
server provided a valid certificate if required and check that the server_hello parameters
are acceptable
• Phase 4. Finish - this phase completes the setting up of a secure connection. The client
sends a change_cipher_spec message and copies the pending CipherSpec into the
current CipherSpec. At this point the handshake is complete and the client and server may
begin to exchange application layer data.


Transport Layer Security (TLS) Protocol


In order to provide an open Internet standard of SSL, the Internet Engineering Task Force (IETF) released
the Transport Layer Security (TLS) protocol in January 1999 as TLS 1.0 (RFC 2246). TLS 1.2 is defined in
RFC 5246 (2008) and TLS 1.3 in RFC 8446 (2018); TLS 1.0 and 1.1 have since been deprecated (RFC 8996).
Salient Features
TLS protocol has same objectives as SSL.
It enables client/server applications to communicate in a secure manner by authenticating, preventing
eavesdropping and resisting message modification.
TLS protocol sits above the reliable connection-oriented transport TCP layer in the networking layers’
stack.
The architecture of TLS protocol is similar to SSLv3 protocol. It has two sub protocols: the TLS Record
protocol and the TLS Handshake protocol.
Though SSLv3 and TLS protocol have similar architecture, several changes were made in
architecture and functioning particularly for the handshake protocol.

Comparison of TLS and SSL Protocols:


1. Protocol Version − The TLS record header carries the version number 3.1 (major 3, minor 1) for
TLS 1.0, to differentiate it from the 3.0 carried by an SSLv3 record header.
2. Message Authentication − TLS employs the standard keyed-hash message authentication code
(HMAC, RFC 2104), whereas SSLv3 uses an earlier, ad hoc MAC construction. HMAC is defined
for any hash function, not just MD5 or SHA-1.
3. Session Key Generation − There are two differences between TLS and SSL protocol
for generation of key material.
1. Method of computing pre-master and master secrets is similar. But in TLS protocol,
computation of master secret uses the HMAC standard and pseudorandom function
(PRF) output instead of ad-hoc MAC.
2. The algorithm for computing session keys and initiation values (IV) is different in
TLS than SSL protocol.
4. Alert Protocol Messages −
1. TLS protocol supports all the messages used by the Alert protocol of SSL, except the
no_certificate alert, which is redundant: the client sends an empty certificate message
when client authentication is requested but it has no certificate.
2. Many additional alert messages are included in the TLS protocol for other error conditions,
such as record_overflow, decode_error, etc.

5. Supported Cipher Suites − SSLv3 supports RSA, Diffie-Hellman and Fortezza cipher
suites. TLS supports all of these except Fortezza.
6. Client Certificate Types − TLS defines the certificate types that may be requested in a
certificate_request message: rsa_sign, dss_sign, rsa_fixed_dh and dss_fixed_dh. All of these
are also defined in SSLv3. In addition, SSLv3 includes rsa_ephemeral_dh, dss_ephemeral_dh
and fortezza_kea, which TLS does not.
7. CertificateVerify and Finished Messages −

1. In SSL, complex message procedure is used for thecertificate_verify message. With
TLS, the verified information is contained in the handshake messages itself thus
avoiding this complex procedure.
2. Finished message is computed in different manners in TLS and SSLv3.
8. Padding of Data − In the SSL protocol, the padding added to user data before block-cipher
encryption is the minimum amount required to make the total data size a multiple of the
cipher's block length. In TLS, the padding can be any amount that results in a data size that
is a multiple of the block length, up to a maximum of 255 bytes; every padding byte carries the
pad-length value, and the receiver must check all of them (RFC 5246 6.2.3.2) and reject the record
with bad_record_mac if they are wrong. The variable padding makes it harder to infer the length
of the plaintext from the length of the ciphertext.
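The TLS 1.2 PRF and the key derivation it drives, as an added Python example (not from the page or any TLS library): P_SHA256 from RFC 5246 section 5, the 48-byte master secret of section 8.1, and the key block expansion of section 6.3. The handshake nonces and the pre-master secret are constructed locally; the RSA encryption of the pre-master secret is not shown.

```python
import hashlib
import hmac
import os
import struct
import time


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 (RFC 5246 section 5): HMAC-driven expansion of a secret.
    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... cut to length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed). SSLv3 used an
    ad hoc MD5/SHA-1 mix; TLS 1.0/1.1 split the secret between P_MD5 and P_SHA1."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 8.1: the 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """RFC 5246 6.3: expand the master secret into the per-direction keys. Note the
    reversed nonce order (server_random first) compared with the master secret."""
    sizes = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = prf(master, b"key expansion", server_random + client_random, sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys


def random_struct() -> bytes:
    """ClientHello.random / ServerHello.random: 4-byte gmt_unix_time + 28 random bytes."""
    return struct.pack("!I", int(time.time())) + os.urandom(28)


def rsa_pre_master_secret() -> bytes:
    """For RSA key exchange the client picks this: 2-byte client version (3,3 = TLS 1.2)
    + 46 random bytes, then encrypts it under the server's public key (not shown). Anyone
    who later obtains the server's private key recovers it from a captured handshake and,
    with the two randoms sent in the clear, every key below: RSA key exchange has no forward secrecy."""
    return b"\x03\x03" + os.urandom(46)


def derive_connection_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Keys for a suite such as TLS_RSA_WITH_AES_128_CBC_SHA256: 32-byte MAC keys and
    16-byte AES keys; CBC IVs are explicit per record in TLS 1.1+, so iv_len is 0."""
    master = master_secret(pre_master, client_random, server_random)
    return key_block(master, client_random, server_random, mac_len=32, key_len=16, iv_len=0)


if __name__ == "__main__":
    cr, sr = random_struct(), random_struct()        # constructed handshake nonces
    for name, k in derive_connection_keys(rsa_pre_master_secret(), cr, sr).items():
        print(f"{name:22s} {k.hex()}")
```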

Secure Shell Protocol (SSH):

The salient features of SSH are as follows −

SSH is a network protocol that runs on top of TCP. It was designed to replace TELNET (and the
rlogin/rsh family), which provided remote login with no encryption and no server authentication.

SSH provides secure client/server communication and can be used for tasks such as file transfer
and tunnelling of other application protocols (e.g. e-mail).
SSH-2 (RFC 4251 to 4254) is the protocol in use today; it corrects the weaknesses of the earlier
SSH-1, which is obsolete and should not be enabled.

Figure: SSH Protocol stack

Transport Layer Protocol:

This part of the SSH protocol provides data confidentiality, server (host) authentication, and data
integrity. It may optionally provide data compression as well.
Server Authentication − Host keys are asymmetric public/private key pairs. A server uses its private
host key to prove its identity to a client (by signing the exchange hash of the key exchange). The client
verifies that the contacted server is a "known" host by looking up the presented public key in the
database it maintains (the known_hosts file). A key absent from the database cannot be authenticated,
and a key that differs from the stored one must be treated as a possible man-in-the-middle attack.
Once the server is authenticated, session keys are generated.
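The known-host check, as an added Python example (not from the page or from OpenSSH): it reads known_hosts lines in the OpenSSH format, including the hashed host form written by ssh-keygen -H, and decides whether a presented host key is known, unknown, revoked or a mismatch. The host keys and the known_hosts contents are constructed and not real, the hashing salt is fixed for reproducibility, and the key-exchange signature proving that the server holds the private key is assumed to have been verified already.

```python
import base64
import hashlib
import hmac


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed host keys: format-correct Ed25519 public-key blobs ("ssh-ed25519" + 32 key
# bytes) whose key bytes are a counter, not real keys.
DEMO_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
OTHER_KEY = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))).decode()


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field as written by ssh-keygen -H:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))"""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed known_hosts (the salt is fixed here; ssh-keygen uses a random one per entry).
KNOWN_HOSTS = "\n".join([
    "# constructed sample; these are not real host keys",
    "bastion.example.com,203.0.113.10 ssh-ed25519 " + DEMO_KEY,
    hash_hostname("git.example.com", bytes(20)) + " ssh-ed25519 " + DEMO_KEY,
    "@revoked old.example.com ssh-ed25519 " + OTHER_KEY,
])


def host_matches(pattern: str, host: str) -> bool:
    """The host field is a comma-separated list of names/addresses, or a hashed form."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    return host in pattern.split(",")


def entries_for(known_hosts: str, host: str, keytype: str) -> list:
    """All (marker, key) entries whose host field and key type match."""
    found = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):               # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        pattern, ktype, key = fields[0], fields[1], fields[2]
        if ktype == keytype and host_matches(pattern, host):
            found.append((marker, key))
    return found


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding.
    This is what the user compares out of band on first contact."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host(known_hosts: str, host: str, keytype: str, presented_key: str) -> str:
    """Client-side decision for the host key the server just proved it holds.
    @cert-authority entries are skipped: certificate validation is a separate path."""
    entries = entries_for(known_hosts, host, keytype)
    for marker, key in entries:
        if marker == "@revoked" and hmac.compare_digest(key, presented_key):
            return "revoked"
    plain = [key for marker, key in entries if marker == ""]
    if not plain:
        return "unknown"            # first contact: nothing to check against
    if any(hmac.compare_digest(key, presented_key) for key in plain):
        return "ok"
    return "mismatch"               # possible man-in-the-middle or rekeyed host: never connect silently


if __name__ == "__main__":
    for host, key in [("bastion.example.com", DEMO_KEY), ("git.example.com", OTHER_KEY),
                      ("new.example.com", DEMO_KEY), ("old.example.com", OTHER_KEY)]:
        print(f"{host:22s} {fingerprint(key)}  -> {verify_host(KNOWN_HOSTS, host, 'ssh-ed25519', key)}")
```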

Session Key Establishment − After authentication, the server and the client agree upon the cipher to be
used. Session keys are generated by both the client and the server. Session keys are generated before
user authentication so that usernames and passwords can be sent encrypted. These keys are generally
replaced at regular intervals (say, every hour or every gigabyte of data) during the session and are
destroyed immediately after use.
Data Integrity − SSH uses Message Authentication Code (MAC) algorithms for the data
integrity check. This is an improvement over the 32-bit CRC used by SSH-1, which does not resist
deliberate modification.
User Authentication Protocol:
This part of SSH authenticates the user to the server. The server verifies that access is given to
intended users only. Many authentication methods are currently used, such as typed passwords,
Kerberos, public-key authentication, etc.
Connection Protocol:
This provides multiple logical channels over a single underlying SSH connection
SSH Services:
SSH provides three main services that enable provision of many secure solutions. These services are
briefly described as follows −
Secure Command-Shell (Remote Logon) − It allows the user to edit files, view the contents of
directories, and access applications on connected device. Systems administrators can remotely
start/view/stop services and processes, create user accounts, and change file/directories permissions
and so on. All tasks that are feasible at a machine’s command prompt can now be performed securely
from the remote machine using secure remote logon.
Secure File Transfer − SSH File Transfer Protocol (SFTP) is designed as an extension of SSH-2 for
secure file transfer. In essence, it is a separate protocol layered over the Secure Shell protocol to
handle file transfers. SFTP encrypts both the username/password and the file data being transferred. It
uses the same port as the Secure Shell server, i.e. system port no. 22.
Port Forwarding (Tunneling) − It allows data from unsecured TCP/IP based applications to be
secured. After port forwarding has been set up, Secure Shell reroutes traffic from a program (usually a
client) and sends it across the encrypted tunnel to the program on the other side (usually a server).
Multiple applications can transmit data over a single multiplexed secure channel, eliminating the need
to open many ports on a firewall or router.

UNIT-VI:
Network Security-II: Security at the Network Layer: IPSec, System Security

1. IP SECURITY OVERVIEW
IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data
authentication, integrity, and confidentiality as data is transferred between communication points
across IP networks.
IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for
transmission across a network, and it includes a header and payload (the data in the packet).

IPSec SECURITY FEATURES:


IPSec is a standard, widely deployed method for securely connecting network sites.
IPSec was designed to provide the following security features when transferring packets across
networks:
Authentication: Verifies that the packet received is actually from the claimed sender.
Integrity: Ensures that the contents of the packet did not change in transit.
Confidentiality: Conceals the message content through encryption.

IPSec ELEMENTS:
IPSec contains the following elements:
Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
Authentication Header (AH): Provides authentication and integrity.
Internet Key Exchange (IKE): Establish shared symmetric key. Provides key management and
Security Association (SA) management.

APPLICATIONS OF IPSec:
IPSec provides the capability to secure communications across a LAN, across private and public
WANs, and across the Internet.
Examples of its use include the following:
 Secure branch office connectivity over the Internet
 Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners:
 IPSec can be used to secure communication with other organizations, ensuring authentication
and confidentiality and providing a key exchange mechanism.
Enhancing electronic commerce security:
 Even though some Web and electronic commerce applications have built-in security protocols,
the use of IPSec enhances that security.

BENEFITS OF IPSEC:
 IPSec provides strong security within and across LANs.
 IPSec in a firewall or router provides strong security to all traffic crossing the perimeter, and it is
resistant to bypass if all traffic from outside must use IP and the firewall is the only means of entry
from the Internet into the organization.
 IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.
 There is no need to change software on a user or server system when IPSec is implemented in
the firewall or router.
 Even if IPSec is implemented in end systems, upper-layer software, including applications, is
not affected. IPSec can be transparent to end users.

 IPSec can provide security for individual users if needed.

IPSec Scenario:

IPSec Architecture:
Architecture covers general concepts of security requirements, definitions, and mechanisms defining
IPSec technology.


Figure : IPSec Architecture

Encapsulating Security Payload(ESP): The ESP header is designed to provide a mix of security
services in IPv4 and IPv6. ESP may be applied alone, in combination with AH, or in a nested fashion.
It consists of an encapsulating header and trailer used to provide encryption or combined
encryption/authentication. Current specification is RFC 4303

Authentication Header(AH): An extension header to provide message authentication. Current


specification is RFC 4302.

Encryption algorithms: Encryption algorithms encrypt data with a key. The ESP module in IPsec
uses encryption algorithms.

Authentication algorithms: Authentication algorithms produce an integrity checksum value


or digest that is based on the data and a key. The AH module uses authentication algorithms. The ESP
module can use authentication algorithms as well.

Domain of Interpretation (DOI): Contains the values needed for the other documents to relate to each
other: identifiers for the approved encryption and authentication algorithms, and operational
parameters such as key lifetime.

Key Management: Documents that describe how keys are exchanged between sender and receiver (IKE).

Security Associations (SAs)


An SA is a relationship between communicating devices that describes how they will use security
services to communicate securely.
If client wants to communicate with server, it has client Security Association, if Server wants to reply
to client, it has server Security association.
These SAs are one way communications.
If two parties need to communicate, they must determine which algorithms (RSA, 3DES, MD5,

SHA…) and session keys are used. The SA is used by IPsec to track all these parameters for each session.
On real equipment (e.g. Cisco routers and firewalls) the administrator configures SA parameters and
monitors the SAs.
• A separate pair of IPSec SAs is set up for each of the AH and ESP transforms.
• Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the
IPSec session.
• The SAs are unidirectional for IPSec so that peer 1 will offer peer 2 a policy.
• If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-
way SAs between the peers.
• Two-way communication consists of two SAs, one for each direction.
• Each SA consists of values such as destination address, a security parameter index (SPI), the
IPSec transforms used for that session, security keys, and additional attributes such as IPSec
lifetime.
A security association is uniquely identified by three parameters:
• Security Parameters Index (SPI): A 32-bit value assigned to this SA and having local
significance only. The SPI is carried in the AH and ESP headers and enables the receiving system
to select the SA under which a received packet will be processed.
• IP Destination Address: The destination endpoint address of the SA, which may be an end-user
system or a network system such as a firewall or router.
• Security Protocol Identifier: Indicates whether the association is an AH or an ESP SA.
All the SAs are maintained in Security Association Database(SAD)

SA Parameters:
Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or
ESP headers.
Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number
Counter should generate an auditable event and prevent further transmission of packets on this
SA.
Anti-Replay Window: Avoid duplicate of packets
AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used
with AH.
ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes,
and related parameters being used with ESP (required for ESP implementations).
Lifetime of This Security Association: A time interval or byte count after which an SA must be
replaced with a new SA or terminated.
IPSec Protocol Mode: This parameter represents the type of mode used for IPSec implementation.
The mode may be a Tunnel or transport.
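An added Python model of the SA parameters above (example code, not from the page or any IPsec stack): an SA record keyed in a SAD by the (SPI, destination, protocol) triple, the outbound sequence counter with its overflow rule, the inbound anti-replay sliding window of RFC 4303 section 3.4.3, and byte-count lifetime accounting. Addresses, SPIs and sizes are constructed.

```python
from dataclasses import dataclass

PROTO_ESP, PROTO_AH = 50, 51        # IP protocol numbers identifying the security protocol


@dataclass
class SecurityAssociation:
    spi: int                        # 32-bit Security Parameters Index, local significance only
    dst: str                        # IP destination address of the SA endpoint
    protocol: int                   # PROTO_ESP or PROTO_AH
    mode: str                       # "tunnel" or "transport"
    auth_alg: str                   # e.g. "hmac-sha256-128"
    enc_alg: str                    # e.g. "aes-cbc-128", or "null" for AH
    lifetime_bytes: int             # byte-count lifetime; a time limit works the same way
    bytes_used: int = 0
    seq_counter: int = 0            # outbound Sequence Number Counter
    window_size: int = 64           # anti-replay window; RFC 4303 requires at least 32
    highest_seq: int = 0            # right edge of the inbound window
    bitmap: int = 0                 # bit i set = sequence number (highest_seq - i) already accepted

    def next_sequence(self) -> int:
        """Outbound: the 32-bit counter must never wrap. Sequence Counter Overflow means
        'audit and stop sending on this SA' once the space is exhausted; rekey instead."""
        if self.seq_counter >= 0xFFFFFFFF:
            raise OverflowError("sequence counter overflow: rekey this SA")
        self.seq_counter += 1
        return self.seq_counter

    def check_replay(self, seq: int) -> bool:
        """Inbound sliding-window check (RFC 4303 3.4.3). True = fresh and the window is
        updated; False = duplicate or older than the window. Real implementations update
        the window only after the ICV has verified, so a forged packet cannot advance it."""
        if seq == 0:
            return False
        if seq > self.highest_seq:                        # to the right: slide the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:                    # to the left: too old
            return False
        if (self.bitmap >> offset) & 1:                   # inside and already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True

    def account(self, nbytes: int) -> bool:
        """Lifetime bookkeeping: False once the SA must be replaced or terminated."""
        self.bytes_used += nbytes
        return self.bytes_used <= self.lifetime_bytes


class SADatabase:
    """The SAD, keyed by the triple that uniquely identifies an SA."""

    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation):
        self._sas[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi: int, dst: str, protocol: int):
        return self._sas.get((spi, dst, protocol))


def inbound(sad: SADatabase, spi: int, dst: str, protocol: int, seq: int, length: int) -> str:
    """Receiver-side decision for one packet, ahead of ICV verification and decryption."""
    sa = sad.lookup(spi, dst, protocol)
    if sa is None:
        return "discard: no SA"                          # RFC 4301: an auditable event
    if not sa.check_replay(seq):
        return "discard: replay"
    if not sa.account(length):
        return "discard: SA expired"
    return f"accept: {sa.mode} proto={protocol} seq={seq}"


if __name__ == "__main__":
    sad = SADatabase()
    sad.add(SecurityAssociation(0x1000, "203.0.113.1", PROTO_ESP, "tunnel",
                                "hmac-sha256-128", "aes-cbc-128", 10 ** 9, window_size=32))
    for seq in (1, 2, 3, 2, 40, 5, 20, 20):
        print(seq, inbound(sad, 0x1000, "203.0.113.1", PROTO_ESP, seq, 100))
```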

Transport and Tunnel Modes in IPsec


IPSec operates in two modes:
1)Tunnel Mode
2) Transport Mode


Tunnel Mode:
With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec wraps the
original packet, encrypts it, adds a new IP header and sends it to the other side.
Original IP Header not visible to attacker(if it is using ESP).
Attacker does not know which hosts are talking.

Figure : IPSec Tunnel mode

Tunnel mode is most commonly used between gateways, end-system to Gateways.

Transport Mode:
IPSec Transport mode is used for end-to-end communications, for example, for communication
between a client and a server or between a workstation and a gateway (if the gateway is being treated
as a host).

When using the transport mode, only the IP payload is encrypted. AH or ESP provides protection for
the IP payload. The original IP header is not changed,
So the passive attackers can see who is talking.


Figure : IPSec Transport Mode

AUTHENTICATION HEADER (AH)


The Authentication Header provides support for data integrity and authentication of IP packets.
The data integrity service ensures that the data inside IP packets is not altered in transit.
The authentication feature enables an end system or network device to authenticate the sender and filter
traffic accordingly; it also defeats address spoofing attacks.
AH provides authentication and integrity only; it provides no confidentiality.
AH authenticates as much of the IP header as possible, but fields that legitimately change in transit
(e.g. TTL, flags, fragment offset, header checksum) cannot be protected and are treated as zero when the
ICV is computed.
AH also includes an IPSec sequence number, which provides protection against replay attacks
because this number is included in the authenticated data and can be checked by the receiving party.

Figure : Authentication Header Format

1. Next Header: Identifies the type of header that immediately following the AH.
2. Payload Length: Length of Authentication Header in 32-bit words.
3. Reserved: For future use.
4. Security Parameters Index: Identifies a security association.
5. Sequence Number: A monotonically increasing counter value.
6. Authentication Data (variable): A variable-length field that contains the Integrity Check Value
(ICV), or MAC, for this packet.


Encapsulating Security Payload(ESP):


Security services can be provided between a pair of communicating hosts, between a pair of
communicating security gateways, or between a security gateway and a host. The ESP header is
inserted after the IP header and before the next layer protocol header (transport mode) or before an
encapsulated IP header (tunnel mode). ESP can be used to provide confidentiality, data origin
authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity),
and (limited) traffic flow confidentiality. The set of services provided depends on options selected at
the time of Security Association (SA) establishment and on the location of the implementation in a
network topology.

Figure : ESP Format

1. Security Parameters Index : Identifies a security association.


2. Sequence Number : A monotonically increasing counter value; this provides an anti-replay
function, as discussed for AH.
3. Payload Data : This is a transport-level segment (transport mode) or IP packet (tunnel
mode) that is protected by encryption.
4. Padding (0-255 bytes): Pad bytes fill the plaintext out to the block size the cipher needs, align
the Pad Length and Next Header fields on a 4-byte boundary, and may be used to conceal the true
length of the payload (partial traffic-flow confidentiality).
5. Pad Length: Indicates the number of pad bytes immediately preceding this field.
6. Next Header: Identifies the type of data contained in the Payload Data field (e.g. TCP, or an
encapsulated IP packet in tunnel mode).
7. Authentication Data (variable): Contains the Integrity Check Value computed over the ESP packet
minus the Authentication Data field.
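Building and checking an ESP packet with the fields above, as an added Python example (not from the page or any IPsec implementation). It uses ESP with NULL encryption (RFC 2410) so the trailer stays visible, and HMAC-SHA-256-128 as the integrity algorithm (RFC 4868, the tag is the first 128 bits of HMAC-SHA256); with a real cipher the Payload Data through Next Header fields would be ciphertext and the ICV would be computed over that ciphertext in the same way. Key and packets are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16                        # HMAC-SHA-256-128 truncates the 32-byte tag to 16 bytes
PROTO_TCP = 6


def build_esp_null(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header | ICV.
    Padding brings (payload + pad + 2) to a multiple of 4 so the trailer is 32-bit aligned;
    the default pad bytes are 1, 2, 3, ... (RFC 4303 section 2.4). The ICV covers every
    field before it, so the SPI and sequence number are authenticated too."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def parse_esp_null(packet: bytes, auth_key: bytes) -> tuple:
    """Receiver: verify the ICV before interpreting anything else, then strip the trailer.
    Returns (spi, seq, next_header, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: drop packet and audit")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if 8 + pad_len + 2 > len(body):
        raise ValueError("pad length exceeds packet")
    payload = body[8:len(body) - 2 - pad_len]
    padding = body[len(body) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):       # RFC 4303 lets the receiver inspect padding
        raise ValueError("unexpected padding bytes")
    return spi, seq, next_header, payload


def esp_is_valid(packet: bytes, auth_key: bytes) -> bool:
    try:
        parse_esp_null(packet, auth_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = bytes(32)                                   # constructed integrity key
    pkt = build_esp_null(0x1000, 7, b"hello", PROTO_TCP, key)
    print(pkt.hex())
    print(parse_esp_null(pkt, key))
    print("tampered accepted:", esp_is_valid(pkt[:10] + b"\x00" + pkt[11:], key))
```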

Security Policy(SP)
A Security Policy is a set of rules that define the type security applied to a packet when it is to be sent or
when it has arrived. It defines the network traffic at the IP layer.

IPSec protects your private network from internet attacks through end-to-end security.

IPSec policy is determined primarily by the interaction of two databases, the Security Association
Database (SAD) and the Security Policy Database (SPD).

IPSec policies must be carefully designed, configured, coordinated and managed to ensure that IPSec
communication is successful.

Security Policy Database (SPD)

IPSec policies are maintained in the Security Policy Database (SPD).

IPSec policies define which traffic is to be protected, how it is to be protected, and with whom to protect
it.

The sending host determines what policy is appropriate for the packet, depending on various "Selectors",
by checking in the Security Policy Database (SPD).

"Selectors" can include Source and Destination IP Addresses, Name (User ID or a System Name),
Transport Layer Protocol (TCP or UDP) and Source and Destination Ports.

The Security Policy Database (SPD) indicates what the policy is for a particular packet. If the packet
requires IPSec processing, it is passed to the IPSec module for the required processing.

KEY MANAGEMENT of IPSec


The key management portion of IPSec involves the determination and distribution of secret keys.

A typical requirement is four keys for communication between two applications: transmit and receive pairs
for both AH and ESP.

Keys are managed by

• Manual: A system administrator manually configures each system with its own keys and with the
keys of other communicating systems. This is suitable for small, relatively static environments.
• Automated: An automated system enables the on-demand creation of keys for SAs and facilitates
the use of keys in a large distributed system.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley .

Key management protocol – Elements

1. Oakley Key Determination Protocol

2. Internet Security Association and Key Management Protocol (ISAKMP)

Oakley Key Determination Protocol:

• Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added
security.
• Oakley is generic in that it does not dictate specific formats.

The Diffie-Hellman algorithm has two attractive features:

1. Secret keys are created only when needed.

2. The exchange requires no preexisting infrastructure other than an agreement on the global parameters.

However, there are a number of weaknesses to Diffie-Hellman, as pointed out in

1. It does not provide any information about the identities of the parties.

2. It is subject to a man-in-the-middle attack.

3. It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent
requests a high number of keys.

Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley:

The Oakley algorithm is characterized by five important features:

• It employs a mechanism known as cookies to thwart clogging attacks.
• It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of
the Diffie-Hellman key exchange.
• It uses nonces to ensure against replay attacks.
• It enables the exchange of Diffie-Hellman public key values.
• It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.
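The following added example (not part of the notes, and not the Oakley or IKE protocol itself) shows how the cookie, nonce and authentication features work together against the three Diffie-Hellman weaknesses listed above. The responder answers a bare request with a cookie computed as a keyed hash of the claimed source address and port, keeps no state, and performs the costly modular exponentiation only after the initiator echoes that cookie back; a request with a spoofed source never receives the cookie, so it can never trigger the work (the clogging defence). Both sides authenticate their public values with an HMAC so a substituted value is detected (the man-in-the-middle defence), and both nonces enter the derived key. Assumptions: a 127-bit toy group (P, G) instead of a real negotiated group, a pre-shared key as the authentication mechanism, and the exact cookie and tag constructions, all of which are the example's own choices.

```python
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group for illustration only (a 127-bit Mersenne prime);
# a real exchange negotiates one of the large standard groups instead.
P = (1 << 127) - 1
G = 5
PUB_BYTES = 16


def auth_tag(psk, role, pub, nonce):
    """Authenticate a DH public value and its nonce with a pre-shared key (assumed
    mechanism) so a man-in-the-middle cannot substitute its own value unnoticed."""
    msg = role.encode() + pub.to_bytes(PUB_BYTES, "big") + nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()


def derive_key(shared, nonce_i, nonce_r):
    # Both nonces enter the key, so replaying an old DH value yields a different key.
    return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big") + nonce_i + nonce_r).digest()


class Responder:
    def __init__(self, psk):
        self.psk = psk
        self.cookie_secret = os.urandom(32)   # would be rotated periodically in practice
        self.dh_computations = 0              # counts the expensive operations performed
        self.session_key = None

    def cookie_for(self, src_ip, src_port):
        """Oakley-style cookie: keyed hash of the peer's address and port.
        Nothing is stored per request, so a flood creates no state here."""
        data = ("%s:%d" % (src_ip, src_port)).encode()
        return hmac.new(self.cookie_secret, data, hashlib.sha256).digest()[:8]

    def handle(self, src_ip, src_port, cookie, pub=None, nonce=None, tag=None):
        expected = self.cookie_for(src_ip, src_port)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            # Cheap reply sent to the claimed source; a spoofed source never receives
            # it, so it can never return the cookie and trigger the work below.
            return {"type": "cookie", "cookie": expected}
        if tag is None or not hmac.compare_digest(tag, auth_tag(self.psk, "I", pub, nonce)):
            return {"type": "reject"}
        self.dh_computations += 1              # only now do modular exponentiation
        y = secrets.randbelow(P - 2) + 2
        my_pub = pow(G, y, P)
        my_nonce = os.urandom(16)
        self.session_key = derive_key(pow(pub, y, P), nonce, my_nonce)
        return {"type": "dh", "pub": my_pub, "nonce": my_nonce,
                "tag": auth_tag(self.psk, "R", my_pub, my_nonce)}


class Initiator:
    def __init__(self, psk, ip, port):
        self.psk, self.ip, self.port = psk, ip, port
        self.x = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.x, P)
        self.nonce = os.urandom(16)

    def request_cookie(self, responder):
        return responder.handle(self.ip, self.port, None)["cookie"]

    def send_dh(self, responder, cookie):
        tag = auth_tag(self.psk, "I", self.pub, self.nonce)
        return responder.handle(self.ip, self.port, cookie, self.pub, self.nonce, tag)

    def finish(self, reply):
        """Check the responder's tag before trusting its public value."""
        if reply["type"] != "dh":
            raise ValueError("exchange refused")
        expected = auth_tag(self.psk, "R", reply["pub"], reply["nonce"])
        if not hmac.compare_digest(reply["tag"], expected):
            raise ValueError("responder's DH value is not authenticated (possible MITM)")
        return derive_key(pow(reply["pub"], self.x, P), self.nonce, reply["nonce"])


def run_exchange(psk, ip="198.51.100.10", port=500):
    """Complete flow; returns (initiator_key, responder_key, responder)."""
    r = Responder(psk)
    i = Initiator(psk, ip, port)
    cookie = i.request_cookie(r)
    key_i = i.finish(i.send_dh(r, cookie))
    return key_i, r.session_key, r


if __name__ == "__main__":
    key_i, key_r, r = run_exchange(b"constructed-psk")
    print("keys match:", key_i == key_r, "| DH computations:", r.dh_computations)
```

The two-message cookie round trip costs the responder one HMAC per request and no memory, while each genuine exchange costs exactly one exponentiation pair, which is the trade Oakley's cookies are meant to achieve. In the man-in-the-middle case, an attacker who swaps in a public value of its own cannot produce a valid tag without the pre-shared key, so `finish` rejects the reply before any key is derived.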

Internet Security Association and Key Management Protocol (ISAKMP):


ISAKMP provides a framework for Internet key management and provides the specific protocol support,
including formats, for negotiation of security attributes.

ISAKMP Header Format:

An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is
carried in a transport protocol. The specification dictates that implementations must support the use of
UDP for the transport protocol.


It consists of the following fields:

1. Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA
deletion.
2. Responder Cookie (64 bits): Cookie of the entity that is responding to an SA establishment request,
SA notification, or SA deletion. On the first message, the responder cookie is zero.
3. Next Payload (8 bits): Indicates the type of the first payload in the message.
4. Major Version (4 bits): Indicates the major version of ISAKMP in use.
5. Minor Version (4 bits): Indicates the minor version in use.
6. Exchange Type (8 bits): Indicates the type of exchange.
7. Flags (8 bits): Indicates specific options set for this ISAKMP exchange.
8. Message ID (32 bits): Unique ID for this message.
9. Length (32 bits): Length of the total message (header plus all payloads) in octets.
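The nine fields above occupy 28 octets at the start of the UDP datagram. The following added example (not part of the notes, and not from any ISAKMP implementation) serialises and parses that header, packing the two 4-bit version fields into one octet and applying the checks a receiver would make: the Length field must cover the header and fit inside the datagram, the initiator cookie must be non-zero, and a zero responder cookie marks the first message. The cookie and message-id values are constructed sample data; the exchange-type names and flag bits are the standard ISAKMP assignments.

```python
import struct

# Constructed sample values below (cookies, message id) are not from a captured exchange.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")      # 28 octets, network byte order
ISAKMP_HDR_LEN = ISAKMP_HDR.size

EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
FLAG_ENCRYPTION = 0x01     # payloads following the header are encrypted
FLAG_COMMIT = 0x02


def pack_isakmp_header(init_cookie, resp_cookie, next_payload, major, minor,
                       exchange_type, flags, message_id, payload_len):
    """Serialise the header; Length covers header plus all payloads, in octets."""
    if len(init_cookie) != 8 or len(resp_cookie) != 8:
        raise ValueError("cookies are 64 bits each")
    version = ((major & 0x0F) << 4) | (minor & 0x0F)   # two 4-bit fields in one octet
    return ISAKMP_HDR.pack(init_cookie, resp_cookie, next_payload, version,
                           exchange_type, flags, message_id,
                           ISAKMP_HDR_LEN + payload_len)


def parse_isakmp_header(data):
    """Parse and sanity-check a header found at the start of a UDP datagram."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("datagram shorter than the ISAKMP header")
    (init_cookie, resp_cookie, next_payload, version, exchange_type,
     flags, message_id, length) = ISAKMP_HDR.unpack_from(data)
    if length < ISAKMP_HDR_LEN or length > len(data):
        raise ValueError("Length field %d inconsistent with datagram size %d"
                         % (length, len(data)))
    if init_cookie == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    return {
        "initiator_cookie": init_cookie,
        "responder_cookie": resp_cookie,
        "first_message": resp_cookie == bytes(8),   # responder cookie is zero on message 1
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": EXCHANGE_TYPES.get(exchange_type, "unknown(%d)" % exchange_type),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "commit": bool(flags & FLAG_COMMIT),
        "message_id": message_id,
        "length": length,
        "payloads": data[ISAKMP_HDR_LEN:length],   # bytes the payload parser would consume
    }


if __name__ == "__main__":
    hdr = pack_isakmp_header(bytes.fromhex("0011223344556677"), bytes(8),
                             1, 1, 0, 2, 0, 0, 12)
    print(parse_isakmp_header(hdr + b"\x00" * 12))
```

Checking Length against the real datagram size before touching the payloads is the step that matters most for robustness: a header that claims more data than arrived must be rejected here, not discovered later by a payload parser reading past the end of the buffer.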
