dns ppt
TRANSCRIPT
PRESENTED BY
V.ANJALI REDDY(0671003)
D.KARUNA SRI (0671013)
M.MYTHRI (0671023)
K.RAMA SEETHA (0671033)
S.SPANDANA (0671044)
T.SWARNA LATHA (0671054)
PUBLIC KEY VALIDATION FOR DNS SECURITY EXTENSIONS
OBJECTIVE
To provide security by combining digital signatures with asymmetric (public key) cryptography, sending the public key over the network along with the signed message.
DNS Architecture
Domain names are chosen from a tree-structured name space. A domain name is either a leaf or an interior node of the tree space. Each leaf node holds a set of resource records. An interior node also holds a set of resource records, some of which will provide information about other nodes in the tree. Servers hold information about the tree structure and resource records.
CRYPTOGRAPHIC TECHNIQUE USED
No key (Digital Signature)
One key (Symmetric Key)
Two key (Asymmetric key)
SECURITY
DATAFLOW DIAGRAM 1 (figure; labels: DOMAIN-1, VERIFY SUB DOMAIN, IDENTIFY ENCRYPTED MESSAGE, ENCRYPTED MESSAGE, IP ADDRESS, SERVER)
DATAFLOW DIAGRAM 2 (figure; labels: SERVER, VERIFY SUB DOMAIN, IDENTIFY ENCRYPTED MESSAGE, ENCRYPTED MESSAGE, IP ADDRESS, DOMAIN-2)
DATA FLOW DIAGRAM 3 (figure; labels: SENDER, RECEIVER, ORIGINAL MESSAGE, ENCRYPTION, KEY GENERATION, SIGNATURE GENERATION, SIGNATURE VERIFICATION, DECRYPTION)
IMPLEMENTATION
• Authentication
• Message Encryption using Message Digest Algorithm
• Key Generation using PRNG Algorithm
• Signature Generation
• Verifying Signature and Decrypting
AUTHENTICATION (flowchart; steps: enter the user name and password, verify, login, send message or attachment)
MESSAGE ENCRYPTION (flowchart; steps: read character by character, convert each character to ASCII code, convert the ASCII code to hex code, encrypted message)
When the sender clicks the send button, a message digest is produced: the message is converted to its ASCII values, these are converted to hex code, and the digest method of the security package is then called on the result.
MESSAGE DIGESTION
FIG : DFD FOR MESSAGE ENCRYPTION (figure; labels: SENDER, PRODUCE DIGEST USING MESSAGE DIGEST ALGORITHM, ENCRYPTED MESSAGE, ENCRYPTED, COMPRESSED MESSAGE, MESSAGE.TXT)
MESSAGE DIGESTION
The MD5 Message-Digest Algorithm
The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "message digest" of the input. The MD5 algorithm is intended for digital signature applications.
Steps involved in the MD5 algorithm:
• Append padding bits
• Append length
• Initialize MD buffer
• Process message in 16-word blocks
• Output
KEY GENERATION (flowchart; steps: PRNG algorithm, call the method in the coding, generate two random numbers (public and private key), display the keys in the back end, generate signature and send)
As soon as the user clicks the send button, key generation also takes place. The key pair (public and private key) is generated using the cryptography PRNG (Pseudo Random Number Generator) algorithm. The keys are stored in separate text files (Public.txt, Private.txt).
KEY GENERATION
FIG : DFD FOR KEY GENERATION (figure; labels: KEY GENERATION USING CRYPTOGRAPHY PRNG, MESSAGE, PUBLIC KEY, PRIVATE KEY, PUBLIC.TXT, PRIVATE.TXT)
KEY GENERATION
Random Number Generator
Random Number Generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers.
There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed.
PRNG mechanism
PRNGs work by keeping an internal state. Typically this is a seed and a key, which are kept secret. When a consumer requests random data, a cryptographic algorithm operates on the seed and the key to produce pseudo-random output. The internal state is then updated so that the next request does not produce the same data.
Some typical pseudo-code for a PRNG generator might be:
INPUT: (Key, Seed)
OUTPUT: random_data, (Key', Seed')
random_data = F(Key, Seed)
Key' = F(Key, Seed+1)
Seed' = F(Key', Seed)
return random_data
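The pseudo-code above as an added Python example, not code from the slides: F is taken to be HMAC-SHA256 and the seed is a fixed-width byte string (both assumptions), and randbelow shows how the output blocks feed the "0 < x < q" choice that the DSA section needs.

```python
import hashlib
import hmac

class StatefulPRNG:
    """The slide's generator: secret state (Key, Seed); every request returns F(Key, Seed)
    and then advances both parts of the state so the next request differs."""

    def __init__(self, key: bytes, seed: bytes):
        self.key, self.seed = key, seed          # initial state; must be secret and unpredictable

    @staticmethod
    def F(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()   # F = HMAC-SHA256 (assumption)

    @staticmethod
    def _plus_one(seed: bytes) -> bytes:
        # "Seed+1": treat the seed as a big-endian integer and add one, wrapping at its width
        n = (int.from_bytes(seed, "big") + 1) % (1 << (8 * len(seed)))
        return n.to_bytes(len(seed), "big")

    def next_block(self) -> bytes:
        random_data = self.F(self.key, self.seed)                # random_data = F(Key, Seed)
        new_key = self.F(self.key, self._plus_one(self.seed))    # Key'  = F(Key, Seed+1)
        self.seed = self.F(new_key, self.seed)                   # Seed' = F(Key', Seed)
        self.key = new_key
        return random_data

    def randbelow(self, q: int) -> int:
        """Uniform integer in 1..q-1 (a DSA private key x or per-message k) by rejection
        sampling, so the result is not biased the way 'block mod q' would be."""
        nbits = q.bit_length()
        nbytes = (nbits + 7) // 8
        while True:
            buf = b"".join(self.next_block() for _ in range((nbytes + 31) // 32))
            x = int.from_bytes(buf[:nbytes], "big") >> (8 * nbytes - nbits)
            if 0 < x < q:
                return x
```

Because the generator is deterministic, two instances started from the same (Key, Seed) produce identical key material, so the initial state must come from a nondeterministic source such as os.urandom and must be protected as carefully as Private.txt.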
SIGNATURE GENERATION (flowchart; steps: DSA algorithm, private key + encrypted text file, generate signature, public key + signature, send through the network)
The encrypted message and the private key are combined to generate the digital signature using the DSA algorithm. The generated signature is stored in a text file (signature.txt). The encrypted message is sent along with the public key and the signature.
SIGNATURE GENERATION
FIG : DFD FOR SIGNATURE GENERATION (figure; labels: SIGNATURE GENERATION USING DSA ALGORITHM, ENCRYPTED MESSAGE, PRIVATE KEY, DIGITAL SIGNATURE, SIGNATURE.TXT, MESSAGE.TXT, PRIVATE.TXT)
SIGNATURE GENERATION
DSA Algorithm
• Choose a prime q with the same number of bits as the output of H.
• Choose an L-bit prime p such that p - 1 is a multiple of q.
• Choose g = h^((p-1)/q) mod p, where 1 < h < p - 1.
• Choose x by some random method, where 0 < x < q.
• Calculate y = g^x mod p.
Signing
• Generate a random per-message value k where 0 < k < q.
• Calculate r = (g^k mod p) mod q.
• Calculate s = (k^-1 (H(m) + x*r)) mod q.
• Recalculate the signature in the unlikely case that r = 0 or s = 0.
• The signature is (r, s), where H is the hashing function and m is the message.
VERIFYING SIGNATURE AND DECRYPTING (flowchart; steps: destination, public key and signature from the sender, generate signature using DSA algorithm, verify the signature, if matches decrypt the message or file and reply to the source, no match discard)
On the receiver side, the DSA algorithm is run with the public key and the result is checked against the received signature. If the signature matches, the message is decrypted; otherwise the receiver exits without decrypting.
Verifying
• Reject the signature if either 0 < r < q or 0 < s < q is not satisfied.
• Calculate w = s^-1 mod q.
• Calculate u1 = (H(m)*w) mod q.
• Calculate u2 = (r*w) mod q.
• Calculate v = ((g^u1 * y^u2) mod p) mod q.
• The signature is valid if v = r.
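Key generation, signing and verifying as listed above, as an added Python example that is not the project's code: H is SHA-256 truncated to q's bit length, the parameter sizes are shortened to a 64-bit q and a 256-bit p so the example runs quickly, randomness comes from the secrets module, and Miller-Rabin stands in for "choose a prime" (all of these are assumptions).

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=20):             # Miller-Rabin for n > 3; realises "choose a prime"
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False                          # composite witness found
    return True

def dsa_params(qbits=64, pbits=256):              # q prime, p prime with p-1 a multiple of q
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        p = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    for h in range(2, p - 1):                     # g = h^((p-1)/q) mod p; skip h if g collapses to 1
        if (g := pow(h, (p - 1) // q, p)) > 1:
            return p, q, g

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1              # private key x, 0 < x < q
    return x, pow(g, x, p)                        # public key y = g^x mod p

def H(m, q):                                      # SHA-256 cut to q's bit length (slide: |q| = |H|)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - q.bit_length())

def sign(p, q, g, x, m):
    while True:                                   # recompute in the unlikely case r == 0 or s == 0
        k = secrets.randbelow(q - 1) + 1          # fresh secret k per message, 0 < k < q
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(m, q) + x * r) % q
        if r and s:
            return r, s

def verify(p, q, g, y, m, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):             # reject r or s outside (0, q)
        return False
    w = pow(s, -1, q)
    u1, u2 = H(m, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r   # valid iff v == r
```

Verification needs only the public key: it recomputes v and accepts exactly when v equals the received r, and the public key y is derived from x rather than drawn as a second random number; a per-message k that is reused or predictable exposes the private key, so it must be fresh and secret every time.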
OUTPUT SCREENS
ADVANTAGES
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System.
• Described in RFCs 4033, 4034, 4035 & 4310
• Protects against data spoofing and corruption
• It is a set of DNS security extensions which provide:
  – Origin authentication of DNS data
  – Data integrity but not confidentiality
  – Authenticated denial of existence
APPLICATIONS
E-mail is one of the more popular applications that use DNS.
Recently, many protocols in the Internet are proposing the use of public key cryptography in support of integrity and authentication security services.
The DNS as deployed in the Internet today meets three of the previously stated criteria:
• global availability
• real-time access to public keys
• globally unique and unambiguous names
LIMITATIONS
The whole procedure is very time and space consuming.
Many rather long public keys have to be stored.
The keys have to be obtained before they can be used.
The calculations to encrypt and decrypt message digests may take too long to support the goal of the Domain Name System of efficiency.
FUTURE ENHANCEMENT
A recent protocol includes the specification of a global infrastructure that could be used to distribute and manage public keys for other protocols: the secure Domain Name System (DNS) [9]. As of this writing, it has been submitted for consideration as a Proposed Internet Standard. It is an enhancement of the DNS [5,6,7,8], an existing global infrastructure.
SYSTEM REQUIREMENTS
HARDWARE REQUIREMENTS
• PROCESSOR III AND ABOVE
• 20 GB HARD DISK
• 256 DDR RAM
SOFTWARE REQUIREMENTS
• JDK 1.5 (SWING)
CONCLUSION
The security threats to DNS were addressed by using public key validation, and the system was implemented and executed successfully.