Unit-4 CNS


Buddha Institute of Technology, GIDA, Gorakhpur

Cryptography & Network Security-KCS074

Unit-4
Key Management & Distribution, Authentication Applications,
Electronic Mail Security
Prepared by:
Mr. Satyam Kumar Singh
Assistant Professor
Computer Science & Engineering
Buddha Institute of Technology,
Gorakhpur
Key Management and distribution
• Key management and distribution are essential aspects of
cryptography, as they ensure that the cryptographic keys used for
encryption and decryption are securely generated, stored, and
exchanged between parties.
• There are two main categories of key management based on the
cryptosystem being used:
i. symmetric key distribution and
ii. asymmetric key distribution.
Symmetric Key Distribution
• Symmetric Key Distribution is the process of securely sharing a
single, secret cryptographic key between two or more parties. This
key is used in symmetric encryption, where the same key both
encrypts and decrypts messages.
• The main challenge with symmetric key encryption is ensuring the key
is safely distributed without interception or compromise.
• Since the security of symmetric cryptography relies on the secrecy of
the key, managing and distributing this key securely is critical. Here
are the primary methods used to accomplish secure symmetric key
distribution:
Summary: Symmetric Key Distribution

| Symmetric Key Distribution Method | Description | Best Use Case |
|---|---|---|
| Pre-Shared Key (PSK) | Physical/manual sharing of the key | Small or trusted networks |
| Key Distribution Center (KDC) | Third party distributes session keys | Large networks with frequent communication |
| Diffie-Hellman Key Exchange | Agreement on a shared secret without transmission | Open, insecure channels needing secure key |
| Public Key Encryption | Hybrid system for secure symmetric key exchange | Internet communications, SSL/TLS |
| Automated Key Management Systems | Software for generating and distributing keys | Large-scale organizations or networks |
| Session Keys | Temporary keys for single sessions | Networks requiring frequent re-keying |
Diffie-Hellman Key Exchange
• The Diffie-Hellman Key Exchange (DHKE) is a cryptographic protocol
that allows two parties to securely establish a shared secret key over
an insecure communication channel. This shared key can then be
used for symmetric encryption, enabling both parties to securely
communicate without directly sharing the key.
• Developed by Whitfield Diffie and Martin Hellman in 1976, Diffie-
Hellman introduced the concept of public key cryptography and laid
the foundation for secure key exchange over open networks. DHKE is
widely used in protocols like HTTPS, SSL/TLS, and VPNs.
How Diffie-Hellman Key Exchange Works
[Infographic: steps of the Diffie-Hellman exchange between Alice and Bob]
Q. Determine the shared secret key in a Diffie-Hellman scheme with a common prime 71 and primitive root 7.
Given the private keys of the communicating parties A and B are 5 and 12 respectively.
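The exercise above worked through in code, as an added example that is not part of the original slides. It goes slightly beyond the question by also checking that 7 really is a primitive root of 71 and by range-checking the values each side receives; all function names are assumptions made for this illustration.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (fine for classroom-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g, p):
    """g generates Z_p* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    if prime_factors(p) != {p}:
        raise ValueError("p must be prime")
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def public_value(g, private, p):
    """Value a party publishes: g^private mod p."""
    if not 1 < private < p - 1:
        raise ValueError("private key must be in 2..p-2")
    return pow(g, private, p)


def shared_secret(peer_public, private, p):
    """Secret derived from the peer's public value and our own private key."""
    # Reject 0, 1 and p-1: they would force the secret into a tiny known set.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def exchange(p, g, a, b):
    """Run both sides of the exchange and confirm they agree."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root of p")
    pub_a, pub_b = public_value(g, a, p), public_value(g, b, p)
    k_a = shared_secret(pub_b, a, p)   # A combines B's public value with a
    k_b = shared_secret(pub_a, b, p)   # B combines A's public value with b
    assert k_a == k_b
    return {"A_public": pub_a, "B_public": pub_b, "shared": k_a}


if __name__ == "__main__":
    # Parameters from the question: p = 71, g = 7, private keys 5 and 12.
    print(exchange(71, 7, 5, 12))
```

Only the two public values cross the channel; the private keys 5 and 12 and the shared secret never do.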
Public key distribution
• Public key distribution is a mechanism in cryptography for securely sharing
public keys among users or systems to enable encrypted communication
and digital signature verification. It ensures that the correct public key is
made available to the intended recipient or verifier while preventing
tampering or impersonation by malicious actors.
• Public key distribution is a foundational concept in Public Key
Infrastructure (PKI) and other cryptographic frameworks that rely on
asymmetric encryption, where users have a pair of keys:
1. Public Key: Shared openly and used for encryption or signature
verification.
2. Private Key: Kept secret and used for decryption or signing.
Methods of Public Key Distribution
• Public Announcement- Users publish their public keys openly, e.g., on a website,
in an email, or via other platforms.
• Public Key Directories- A centralized directory stores public keys, allowing
authorized users to access them.
• Public Key Certificates- Issued by a trusted third party called a Certificate
Authority (CA).
• Key Exchange Protocols- Protocols like Diffie-Hellman enable parties to establish
a shared key without transmitting the private key, ensuring secure distribution
even over insecure channels.
• Web of Trust- A decentralized trust model where users validate and endorse each
other’s public keys. Popular in PGP (Pretty Good Privacy) systems.
• Blockchain-Based Distribution- Public keys are stored on a blockchain, providing
an immutable and transparent record. Example: Some cryptocurrency wallets
distribute public keys this way.
X.509 Certificates
• An X.509 certificate is a digital certificate that uses the widely accepted
international X.509 public key infrastructure (PKI) standard to verify that a public
key belongs to the user, computer or service identity contained within the
certificate.
• A public key is a large numerical value used to encrypt data or check the
legitimacy of a digital signature. A PKI, moreover, is the underlying framework
that enables entities like users and servers to securely exchange information
using digital certificates.
• The X.509 certificate is a safeguard against malicious network impersonators.
When a certificate is signed by a trusted authority, or is otherwise validated, the
device holding the certificate can validate documents. It can also use a public key
certificate to secure communications with a second party.
Working of X.509 Authentication Service Certificate:
• The core of the X.509 authentication service is the public key certificate
connected to each user. These user certificates are assumed to be
produced by some trusted certification authority and positioned in the
directory by the user or the certified authority. These directory servers are
only used for providing an effortless reachable location for all users so that
they can acquire certificates. X.509 standard is built on an IDL known as
ASN.1. With the help of Abstract Syntax Notation, the X.509 certificate
format uses an associated public and private key pair for encrypting and
decrypting a message.
• Once an X.509 certificate is provided to a user by the certified authority,
that certificate is attached to it like an identity card. The chances of
someone stealing it or losing it are less, unlike other unsecured passwords.
With the help of this analogy, it is easier to imagine how this
authentication works: the certificate is basically presented like an identity
at the resource that requires authentication.
Working & Format of X.509 Authentication Service Certificate:
• Version number: It defines the X.509 version that concerns the certificate.

• Serial number: It is the unique number that the certified authority issues.

• Signature Algorithm Identifier: This is the algorithm that is used for signing the certificate.

• Issuer name: Tells about the X.500 name of the certified authority which signed and created the certificate.

• Period of Validity: It defines the period for which the certificate is valid.

• Subject Name: Tells about the name of the user to whom this certificate has been issued.

• Subject’s public key information: It defines the subject’s public key along with an identifier of the algorithm for which this key is
supposed to be used.

• Extension block: This field contains additional standard information.

• Signature: This field contains the hash code of all other fields which is encrypted by the certified authority private key.
Applications of X.509 Authentication Service Certificate:
• Many protocols depend on X.509 and it has many applications, some of them are
given below:
• Document signing and Digital signature

• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets
Layer (SSL) certificates

• Email certificates

• Code signing

• Secure Shell Protocol (SSH) keys

• Digital Identities
Public key Infrastructure
• Public key infrastructure or PKI is the governing body behind issuing digital
certificates. It helps to protect confidential data and gives unique identities
to users and systems. Thus, it ensures security in communications.
• The public key infrastructure uses a pair of keys: the public key and the
private key to achieve security. The public keys are prone to attacks and thus
an intact infrastructure is needed to maintain them.

Managing Keys in the Cryptosystem:

• The security of a cryptosystem relies on its keys. Thus, it is important that we
have a solid key management system in place. The 3 main areas of key
management are as follows:
• A cryptographic key is a piece of data that must be managed by secure
administration.

• It involves managing the key life cycle which is as follows:


• Public key management further requires:
• Keeping the private key secret: Only the owner of a private key is
authorized to use a private key. It should thus remain out of reach of
any other person.
• Assuring the public key: Public keys are in the open domain and can
be publicly accessed. With this extent of public accessibility, it
becomes hard to know if a key is correct and what it will be used for.
The purpose of a public key must be explicitly defined.

• PKI or public key infrastructure aims at achieving the assurance
of public key.
Public key infrastructure affirms the usage of a public key. PKI
identifies a public key along with its purpose. It usually consists of the
following components:
• A digital certificate also called a public key certificate
• Private Key tokens
• Registration authority
• Certification authority
• CMS or Certification management system
Authentication Applications
Authentication applications and electronic mail security are essential for ensuring
secure communication in modern digital systems.
Kerberos: Network Authentication Protocol
• Kerberos provides a centralized authentication server whose function is to
authenticate users to servers and servers to users. In Kerberos, an Authentication
Server and a database are used for client authentication. Kerberos runs as a
trusted third-party server known as the Key Distribution Center (KDC). Each
user and service on the network is a principal.

The main components of Kerberos are:

• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for
the Ticket Granting Service.

• Database:
The Authentication Server verifies the access rights of users in the database.

• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.
• Step-1:
The user logs in and requests services on the host. Thus the user requests the ticket-granting service.

• Step-2:
The Authentication Server verifies the user’s access rights using the database and then gives a ticket-granting ticket and session key. The results are
encrypted using the password of the user.

• Step-3:
The message is decrypted using the password, and the user then sends the ticket to the Ticket Granting Server. The ticket contains
authenticators such as user names and network addresses.

• Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, the authenticator verifies the request, and it then creates the ticket for requesting services
from the Server.

• Step-5:
The user sends the Ticket and Authenticator to the Server.

• Step-6:
The server verifies the ticket and authenticators and then grants access to the service. After this, the user can access the services.
Kerberos Limitations
• Each network service must be modified individually for use with Kerberos

• It doesn’t work well in a timeshare environment

• Secured Kerberos Server

• Requires an always-on Kerberos server

• All stored passwords are encrypted with a single key

• Assumes workstations are secure

• May result in cascading loss of trust.

• Scalability
Kerberos Applications
• User Authentication: User Authentication is one of the main applications of Kerberos. Users only have to input their
username and password once with Kerberos to gain access to the network. The Kerberos server subsequently receives
the encrypted authentication data and issues a ticket granting ticket (TGT).

• Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users to log in once to access a
variety of network resources. A user can access any network resource they have been authorized to use after being
authenticated by the Kerberos server without having to provide their credentials again.

• Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication technique to make sure
that both the client and server are authenticated. Using a shared secret key that is securely kept on both the client and
server, this is accomplished. A client asks the Kerberos server for a service ticket whenever it tries to access a network
resource. The client must use its shared secret key to decrypt the challenge that the Kerberos server sends via
encryption. If the decryption is successful, the client responds to the server with evidence of its identity.

• Authorization: Kerberos also offers a system for authorization in addition to authentication. After being authenticated,
a user can submit service tickets for certain network resources. Users can access just the resources they have been given
permission to use thanks to information about their privileges and permissions contained in the service tickets.

• Network Security: Kerberos offers a central authentication server that can regulate user credentials and access
restrictions, which helps to ensure network security. In order to prevent unwanted access to sensitive data and
resources, this server may authenticate users before granting them access to network resources.
Pretty Good Privacy (PGP): Electronic Mail Security
PGP is a cryptographic software application designed to provide privacy and authentication
for email communication. It uses a hybrid cryptographic approach that combines
symmetric encryption, asymmetric encryption, and hash functions.
Key Features of PGP:
• Confidentiality: Encrypts the content of email messages.
• Authentication: Uses digital signatures to verify the sender's identity.
• Integrity: Ensures that the message has not been tampered with.
• Web of Trust: A decentralized trust model where users validate each other’s public keys.
Authentication in PGP
• Authentication basically means something that is used to validate something as true or real. To login
into some sites sometimes we give our account name and password, that is an authentication
verification procedure.
• In the email world, checking the authenticity of an email is nothing but to check whether it actually
came from the person it says. In emails, authentication has to be checked as there are some people
who spoof the emails or some spams and sometimes it can cause a lot of inconvenience.
• As shown in the above figure, the Hash Function (H) calculates the hash value of the message. SHA-1
is used for hashing, and it produces a 160-bit output hash value. This hash value is then encrypted
using the sender’s private key (KPa); the result is called the Digital Signature. The message is then
appended to the signature. The process up to this point is sometimes described as signing the
message. The message is then compressed to reduce the transmission overhead and is sent over to
the receiver.
• At the receiver’s end, the data is decompressed and the message and signature are obtained. The
signature is then decrypted using the sender’s public key (PUa) and the hash value is obtained. The
message is again passed to the hash function and its hash value is calculated.
• Both values, one from the signature and the other from the fresh output of the hash function, are
compared. If they are the same, the email was actually sent by a known sender and is
legitimate; otherwise it is not legitimate.
Confidentiality in PGP
• Sometimes we see some packages labelled as ‘Confidential’, which means that those packages are not meant for all the
people and only selected persons can see them. The same applies to the email confidentiality as well. Here, in the email
service, only the sender and the receiver should be able to read the message, that means the contents have to be kept
secret from every other person, except for those two.
• Then, the session key (Ks) itself gets encrypted through public key encryption (EP) using the receiver’s public key (KUb). Both
the encrypted entities are now concatenated and sent to the receiver.

• As you can see, the original message was compressed and then encrypted initially, and hence even if anyone could get
hold of the traffic, they cannot read the contents as they are not in readable form; they could only read them if they had
the session key (Ks). Even though the session key is transmitted to the receiver and hence is in the traffic, it is in encrypted
form and only the receiver’s private key (KPb) can be used to decrypt it, and thus our message would be completely
safe.

• At the receiver’s end, the encrypted key is decrypted using KPb and the message is decrypted with the obtained session
key. Then, the message is decompressed to obtain the M.

• The RSA algorithm is used for the public-key encryption, and for the symmetric key encryption CAST-128 (or IDEA or 3DES) is
used.

• Practically, both the Authentication and Confidentiality services are provided in parallel as follows:
How PGP Works:
1. Message Encryption:
   1. The sender encrypts the message using a symmetric session key (e.g., AES).
   2. The session key is then encrypted with the recipient’s public key and sent along with the
      encrypted message.
2. Message Decryption:
   1. The recipient decrypts the session key using their private key.
   2. The session key is used to decrypt the message content.
3. Digital Signature:
   1. The sender generates a hash of the message and encrypts it with their private key to create a
      digital signature.
   2. The recipient verifies the signature using the sender's public key.
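The sign, compress, encrypt and key-wrap order described in the Authentication, Confidentiality and "How PGP Works" passages, as an added example that is not part of the original slides and is not PGP's own code. It assumes toy textbook-RSA keys built from small Mersenne primes and a SHA-256 keystream standing in for CAST-128; every function and constant name is hypothetical.

```python
import hashlib
import secrets
import zlib

# Toy textbook-RSA keys (constructed: no padding, far too small for real use).
# Each key is (n, e, d); the public part is (n, e).
def toy_rsa_keypair(p, q, e=65537):
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

SENDER = toy_rsa_keypair(2**89 - 1, 2**107 - 1)      # A: private KPa, public PUa
RECIPIENT = toy_rsa_keypair(2**61 - 1, 2**127 - 1)   # B: private KPb, public KUb
SIG_LEN = 25   # bytes needed to hold any value below the sender's modulus

def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 in counter mode), not CAST-128."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def pgp_send(message, sender_key, recipient_pub):
    n_a, _, d_a = sender_key
    n_b, e_b = recipient_pub
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")  # H(M), 160 bits
    signature = pow(digest, d_a, n_a)                # hash encrypted with KPa
    signed = signature.to_bytes(SIG_LEN, "big") + message
    session_key = secrets.token_bytes(16)            # one-time Ks
    body = keystream_xor(session_key, zlib.compress(signed))
    wrapped = pow(int.from_bytes(session_key, "big"), e_b, n_b)     # Ks under KUb
    return wrapped, body

def pgp_receive(packet, recipient_key, sender_pub):
    wrapped, body = packet
    n_b, _, d_b = recipient_key
    n_a, e_a = sender_pub
    session_key = pow(wrapped, d_b, n_b).to_bytes(16, "big")        # unwrap with KPb
    try:
        signed = zlib.decompress(keystream_xor(session_key, body))
    except zlib.error:
        return None, False                           # corrupted or altered body
    signature = int.from_bytes(signed[:SIG_LEN], "big")
    message = signed[SIG_LEN:]
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    # Signature decrypted with PUa must equal the freshly computed hash.
    return message, pow(signature, e_a, n_a) == digest
```

`pgp_receive` returns the recovered message together with a boolean that is true only when the signature checks out against the claimed sender's public key.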
Applications of PGP:
• Secure email communication.
• File encryption.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME is a standard for secure email communication that provides encryption, digital signatures, and integrity checks using a Public
Key Infrastructure (PKI).
Key Features of S/MIME:
• Encryption: Protects email content using public key encryption.
• Digital Signatures: Verifies the sender’s identity and ensures message integrity.
• Integration: Built into many modern email clients (e.g., Microsoft Outlook, Apple Mail).
• Certificate-Based Trust: Relies on certificates issued by trusted Certificate Authorities (CAs).
How S/MIME Works:
1. Encryption:
1. The sender encrypts the email content using a symmetric key.
2. The symmetric key is encrypted with the recipient’s public key and sent along with the email.
2. Digital Signature:
1. The sender hashes the email content and encrypts the hash with their private key to create a digital signature.
2. The signature is attached to the email for recipient verification.
3. Decryption and Verification:
1. The recipient decrypts the symmetric key using their private key to access the email content.
2. The digital signature is verified using the sender’s public key.
Applications of S/MIME:
• Corporate email systems.
• Government and healthcare communication for secure data
exchange.
• Secure messaging in financial institutions.
Versions of S/MIME
• 1st Version: 1995

• 2nd Version: 1998

• 3rd Version: 1999

• Microsoft products that support the third version of S/MIME:

1. Microsoft Outlook 2000 (SR-1) and later.

2. Outlook Express 5.01 and later.

3. Microsoft Exchange version 5.5 and later.

How to Get S/MIME Certificates
• Choose a Certificate Authority: You can select any trusted Certificate Authority, such as Sectigo, DigiCert, or
GlobalSign, that has the functionality to provide you with S/MIME certificates. Most of these Certificate Authorities
provide both free and paid versions according to one's needs.

• Get or Apply for a Certificate: Log on to the website of the CA, and select the S/MIME certificate you would like to buy
or apply for. You might be asked for your name, email address, and organizational details.

• Validate Your Identity: The CA may request you to validate your identity before issuing the certificate. It could be in
the form of email verification, sending official documents, or other means of authentication.

• Download and install the certificate: Once your identity has been verified, the CA issues your certificate. Instructions will
be provided for downloading and installing the certificate into your email client, say Outlook or Apple Mail.

• Configuration of Your Email Client: Configure your email client to use the S/MIME certificate for encrypting and
digitally signing all of your messages upon installation. Typically, this step is different for various clients. However, in
general, you will need to pick the certificate within the security settings.

• Test Your Setup: At a minimum, you will have to send an email to test that everything works fine with both encryption
and digital signing.
