Public key cryptography

The most commonly used implementations of public key cryptography (also known as public-
key encryption and asymmetric encryption) are based on algorithms presented by Rivest-
Shamir-Adelman (RSA) Data Security.
 Public key cryptography involves a pair of keys known as a public key and a private key
(a public key pair), which are associated with an entity that needs to authenticate its
identity electronically or to sign or encrypt data.
 Each public key is published and the corresponding private key is kept secret.
 Data that is encrypted with the public key can be decrypted only with the corresponding
private key.

Public key cryptography enables the following:

 Encryption and decryption, which allow two communicating parties to

disguise data that they send to each other. The sender encrypts, or
scrambles, the data before sending it. The receiver decrypts, or
unscrambles, the data after receiving it. While in transit, the encrypted
data is not understood by an intruder.
 Nonrepudiation, which prevents:
o The sender of the data from claiming, at a later date, that the
data was never sent
o The data from being altered.

Figure 1 shows how you can freely distribute the public key so that only you (the owner of
the private key) can read data that was encrypted with the public key. In general, to send
encrypted data to someone, you must encrypt the data with that person's public key, and
the person receiving the data decrypts it with the corresponding private key.

If you compare symmetric-key encryption with public-key encryption, you will find that
public-key encryption requires more calculations. Therefore, public-key encryption is not
always appropriate for large amounts of data.
IP Security

Framework for protecting communication over IP.

IP security is an internet engineering task force (IETF) is a standard suite of

protocols between 2 communication points across IP network that provide data
authentication, integrity and confidentiality.

Uses of IPSec
i. To encrypt application data layer.
ii. Secure routers sending routing data across public internet.
iii. To provide authentication without encryption i.e to authenticate that the
data has originated from a known sender.
iv. To protect data by setting up the IPsec tunneling in which all data is send
between two end points is encrypted.

IPSec protocols address these major security issues:

Data Integrity: ensures that the originality of data.

Data origin Authentication: used to verify the data originated from authenticated user.
Data confidentiality: Privacy of data is maintained by the encryption algorithm.

Replay Protection: ensures that the attacker cannot replay the data after some time.

Automated management of cryptographic keys and security associations: ensuring the

VPN policy can be used throughout the tunneling with or without little manual configuration.

Components of IP Security –
It has the following components:
Encapsulating Security Payload (ESP) – Esp protocol Provides
confidentiality by encrypting the data and also provides integrity by
authenticating the user using authentication algorithm.
Authentication Header: this protocol provides origin authentication and replay
protection but it does not provide confidentiality.
AH and ESP Combined: VPN allows you to combine AH and ESP for host-to-host
connections in transport mode.
Enhanced cryptographic algorithm: Cryptographic algorithms added to the VPN selection for
Key Exchange Policy and Data policy security association attributes.

IPSec Architecture
Uses two protocol to secure the traffic or data flow. IPSec Architecture includes
protocols, algorithms, DOI, and Key Management. All these components are
very important in order to provide the three main services:
 Confidentiality
 Authentication
 Integrity

ESP Protocol: ESP(Encapsulation Security Payload) provides a confidentiality

service. Encapsulation Security Payload is implemented in either two ways:
 ESP with optional Authentication.
 ESP with Authentication.
Packet Format:

 Security Parameter Index (SPI): It is used to give a unique number to the

connection built between the Client and Server.
 Sequence Number: Unique Sequence numbers are allotted to every packet
so that on the receiver side packets can be arranged properly.
 Payload Data: Payload data means the actual data or the actual
message. The Payload data is in an encrypted format to achieve
confidentiality.
 Padding: Extra bits of space are added to the original message in order to
ensure confidentiality. Padding length is the size of the added bits of space
in the original message.
 Next Header: Next header means the next payload or next actual data.
 Authentication Data This field is optional in ESP protocol packet format.

Encryption algorithm: Document that describes various encryption algorithms

used for Encapsulation Security Payload.

AH Protocol: AH (Authentication Header) Protocol provides both

Authentication and Integrity service. Authentication Header is implemented in
one way only: Authentication along with Integrity.

Authentication Algorithm: Contains set of documents that describe the

authentication algorithm used for AH and for the authentication option of ESP.
DOI (Domain of Interpretation): DOI is the identifier that supports both AH and
ESP protocols. It contains values needed for documentation related to each
other.

Key Management: Key Management contains the document that describes

how the keys are exchanged between sender and receiver.

Transport Layer Security (TLS)

Provides security at the transport layer.
Derived from secure socket layer.
Ensures that no third party can do tampering or eavesdropping.
It is used by http and smtp.

What does TLS do?

The main component that TLS protocol accomplishes:

 Encryption: hides the data being transferred from third parties.

 Authentication: ensures that the parties exchanging information

are who they claim to be.

 Integrity: verifies that the data has not been forged or tampered
with

Working
Uses client server handshake mechanism
Key exchange between client and server (by diffie hellman key exchange algorithm).
Now TLS protocol will open an encryption channel.
Ensures that message are not altered (by MD5/SHA algorithm).
Before the client and the server can begin exchanging application data over TLS, the encrypted
tunnel must be negotiated: the client and the server must agree on the version of the TLS
protocol, choose the ciphersuite, and verify certificates if necessary. Unfortunately, each of
these steps requires new packet roundtrips between the client and the server, which adds
startup latency to all TLS connections.

DNS Security
DNS security is the practice of protecting DNS infrastructure from cyberattacks in
order to keep it performing quickly and reliably. An effective DNS security strategy
incorporates a number of overlapping defenses, including establishing redundant
DNS servers, applying security protocols like DNSSEC, and requiring rigorous DNS

logging
What is SSL?
SSL, or Secure Sockets Layer, is an encryption-based Internet
security protocol. It was first developed by Netscape in 1995 for the
purpose of ensuring privacy, authentication, and data integrity in
Internet communications. SSL is the predecessor to the
modern TLS encryption used today.

A website that implements SSL/TLS has "HTTPS" in its URL instead

of "HTTP."

How does SSL/TLS work?

 SSL encrypts data that is transmitted across the web. This means that
anyone who tries to intercept this data will only see a garbled mix of
characters that is nearly impossible to decrypt.

 SSL initiates an authentication process called a handshake between

two communicating devices to ensure that both devices are really who
they claim to be.

 SSL also digitally signs data in order to provide data integrity,

verifying that the data is not tampered with before reaching its intended
recipient.

Are SSL and TLS the same thing?

SSL is the direct predecessor of another protocol called TLS (Transport Layer
Security). In 1999 the Internet Engineering Task Force (IETF) proposed an
update to SSL.
The differences between the final version of SSL (3.0) and the first version of TLS
are not drastic; the name change was applied to signify the change in ownership.

What is an SSL certificate?

SSL can only be implemented by websites that have an SSL certificate (technically a
"TLS certificate").