dns ppt

PRESENTED BY V.ANJALI REDDY(0671003) D.KARUNA SRI(0671013) M.MYTHRI(0671023) K.RAMA SEETHA(0671033) S.SPANDANA(0671044) T.SWARNA LATHA(0671054) PUBLIC KEY VALIDATION FOR DNS SECURITY EXTENSIONS

Upload: desamsetti-kranthi-kiran

Post on 20-Nov-2014


TRANSCRIPT

Page 1: DNS PPT

PRESENTED BY

V.ANJALI REDDY(0671003)

D.KARUNA SRI(0671013)

M.MYTHRI(0671023)

K.RAMA SEETHA(0671033)

S.SPANDANA(0671044)

T.SWARNA LATHA(0671054)

PUBLIC KEY VALIDATION FOR DNS

SECURITY EXTENSIONS

Page 2: DNS PPT

OBJECTIVE

To provide security by combining the concepts of digital signatures and asymmetric (public key) cryptography, with the public key sent over the network.

Page 3: DNS PPT

DNS Architecture

Page 4: DNS PPT

Domain names are chosen from a tree-structured name space. A domain name is either a leaf or an interior node of the tree space. Each leaf node holds a set of resource records. An interior node also holds a set of resource records, some of which will provide information about other nodes in the tree. Servers hold information about the tree structure and resource records.

Page 5: DNS PPT

CRYPTOGRAPHIC TECHNIQUE USED

No key (Digital Signature)

One key (Symmetric Key)

Two key (Asymmetric key)

SECURITY

Page 6: DNS PPT

DATAFLOW DIAGRAM 1 (figure; labels: DOMAIN-1, VERIFY SUB DOMAIN, IDENTIFY, ENCRYPTED MESSAGE, IP ADDRESS, SERVER)

Page 7: DNS PPT

DATAFLOW DIAGRAM 2 (figure; labels: SERVER, VERIFY SUB DOMAIN, IDENTIFY, ENCRYPTED MESSAGE, IP ADDRESS, DOMAIN-2)

Page 8: DNS PPT

DATA FLOW DIAGRAM 3 (figure; labels: SENDER, ORIGINAL MESSAGE, ENCRYPTION, KEY GENERATION, SIGNATURE GENERATION, SIGNATURE VERIFICATION, DECRYPTION, ORIGINAL MESSAGE, RECEIVER)

Page 9: DNS PPT

IMPLEMENTATION

• Authentication

• Message Encryption using Message Digest Algorithm

• Key Generation using PRNG Algorithm

• Signature Generation

• Verifying Signature and Decrypting

Page 10: DNS PPT

AUTHENTICATION

ENTER THE USER NAME AND PASSWORD

AUTHENTICATION

VERIFY

LOGIN

SEND MESSAGE OR ATTACHMENT

Page 11: DNS PPT

MESSAGE ENCRYPTION (flowchart)

READ CHARACTER BY CHARACTER

CONVERT EACH CHARACTER TO ASCII CODE

CONVERT THE ASCII CODE TO HEX CODE

ENCRYPTED MESSAGE

Page 12: DNS PPT

When the sender clicks the send button, a message digest is produced by converting the message to its ASCII values, which are in turn converted into hex code, and then calling the digest method in the security package.

MESSAGE DIGESTION

Page 13: DNS PPT

FIG : DFD FOR MESSAGE ENCRYPTION (labels: SENDER, MESSAGE.TXT, 1.0 MESSAGE DIGESTION: PRODUCE DIGEST USING MESSAGE DIGEST ALGORITHM, ENCRYPTED MESSAGE, ENCRYPTED, COMPRESSED MESSAGE)

Page 14: DNS PPT

The MD5 Message-Digest Algorithm

The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "message digest" of the input. The MD5 algorithm is intended for digital signature applications.

Page 15: DNS PPT

Steps involved in MD-5 algorithm

• Append Padding Bits

• Append Length

• Initialize MD Buffer

• Process Message in 16-Word Blocks

• Output

Page 16: DNS PPT

KEY GENERATION

PRNG ALGORITHM

CALL THE METHOD IN THE CODING

GENERATE TWO RANDOM NUMBERS (PUBLIC AND PRIVATE KEY)

DISPLAY THE KEYS IN THE BACK END

GENERATE SIGNATURE AND SEND

Page 17: DNS PPT

As soon as the user clicks the send button, key generation also takes place simultaneously. The key pair (public and private key) is generated using the Cryptography PRNG (Pseudo Random Number Generator) Algorithm. The keys are stored in separate text files (Public.txt, Private.txt).

KEY GENERATION

Page 18: DNS PPT

FIG : DFD FOR KEY GENERATION (labels: MESSAGE, KEY GENERATION USING CRYPTOGRAPHY PRNG, PUBLIC KEY, PRIVATE KEY, PUBLIC.TXT, PRIVATE.TXT)

Page 19: DNS PPT

Random Number Generator

Random Number Generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers.

Page 20: DNS PPT

There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed.

Page 21: DNS PPT

PRNG mechanism

PRNGs work by keeping an internal state. Typically this is a seed and a key, which are kept secret. When a consumer requests random data, a cryptographic algorithm operates on the seed and the key to produce pseudo-random output. The internal state is then updated so that the next request does not produce the same data.

Page 22: DNS PPT

Some typical pseudo-code for a PRNG generator might be

    INPUT: (Key, Seed)
    OUTPUT: random_data, (Key', Seed')
    random_data = F(Key, Seed)
    Key' = F(Key, Seed+1)
    Seed' = F(Key', Seed)
    return random_data
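
The pseudo-code above as a runnable Python sketch, added here and not taken from the presentation. HMAC-SHA256 as F, the 32-byte state, the helper names and the bound Q are assumptions; the example shows that anyone holding the same (Key, Seed) derives the same private key x, which is why the state must be secret and unpredictable.

```python
import hashlib
import hmac
import os

Q = 2**159 + 1  # constructed 160-bit bound standing in for DSA's q (assumption)

def F(key: bytes, seed: bytes) -> bytes:
    # Assumption: HMAC-SHA256 plays the role of F; the slide leaves F abstract.
    return hmac.new(key, seed, hashlib.sha256).digest()

def incr(seed: bytes) -> bytes:
    # "Seed+1" from the pseudo-code, on a fixed-width big-endian counter.
    n = (int.from_bytes(seed, "big") + 1) % (1 << (8 * len(seed)))
    return n.to_bytes(len(seed), "big")

def prng_step(key: bytes, seed: bytes):
    """One request: return random_data and the updated state (Key', Seed')."""
    random_data = F(key, seed)
    new_key = F(key, incr(seed))   # Key'  = F(Key, Seed+1)
    new_seed = F(new_key, seed)    # Seed' = F(Key', Seed)
    return random_data, (new_key, new_seed)

def fresh_state():
    # Initial state taken from the operating system's entropy source.
    return os.urandom(32), os.urandom(32)

def draw_private_key(state, q: int):
    """Draw x with 0 < x < q by rejection sampling over PRNG output blocks."""
    nbytes = (q.bit_length() + 7) // 8
    while True:
        block, state = prng_step(*state)
        x = int.from_bytes(block[:nbytes], "big") >> (8 * nbytes - q.bit_length())
        if 0 < x < q:
            return x, state

if __name__ == "__main__":
    guessable = (b"\x01" * 32, b"\x02" * 32)   # constructed, predictable state
    x_a, _ = draw_private_key(guessable, Q)
    x_b, _ = draw_private_key(guessable, Q)
    x_c, _ = draw_private_key(fresh_state(), Q)
    print("same state, same key:", x_a == x_b)
    print("fresh state, different key:", x_a != x_c)
```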

Page 23: DNS PPT

SIGNATURE GENERATION

DSA ALGORITHM

PRIVATE KEY + ENCRYPTED TEXT FILE

GENERATE SIGNATURE

PUBLIC KEY + SIGNATURE

SEND THROUGH THE NETWORK

Page 24: DNS PPT

The encrypted message and the private key are combined to generate the Digital Signature using the DSA Algorithm. The generated signature is stored in a text file (signature.txt). The encrypted message is sent along with the public key and signature.

SIGNATURE GENERATION

Page 25: DNS PPT

FIG : DFD FOR SIGNATURE GENERATION (labels: ENCRYPTED MESSAGE, MESSAGE.TXT, PRIVATE KEY, PRIVATE.TXT, SIGNATURE GENERATION USING DSA ALGORITHM, DIGITAL SIGNATURE, SIGNATURE.TXT)

Page 26: DNS PPT

DSA Algorithm

• Choose a prime q with the same number of bits as the output of H.

• Choose an L-bit prime p such that p–1 is a multiple of q.

• Choose g such that $g = h^{(p-1)/q}$ ($1 < h < p-1$).

• Choose x by some random method, where $0 < x < q$.

• Calculate $y = g^{x} \bmod p$.

Page 27: DNS PPT

Signing

• Generate a random per-message value k where $0 < k < q$

• Calculate $r = (g^{k} \bmod p) \bmod q$

• Calculate $s = (k^{-1}(H(m) + x \cdot r)) \bmod q$

• Recalculate the signature in the unlikely case that r = 0 or s = 0

• The signature is (r, s)

where H is the hashing function and m is the message.

Page 28: DNS PPT

VERIFYING SIGNATURE AND DECRYPTING

DESTINATION

PUBLIC KEY, SIGNATURE FROM THE SENDER

GENERATE SIGNATURE USING DSA ALGORITHM

VERIFY THE SIGNATURE

IF MATCHES: DECRYPT THE MESSAGE OR FILE, REPLY TO THE SOURCE

NO MATCH: DISCARD

Page 29: DNS PPT

On the receiver side, a signature is generated using the public key with the DSA Algorithm. The generated signature is compared with the received signature. If the signatures match, the message is decrypted; otherwise the program exits without decrypting.

Page 30: DNS PPT

Verifying

• Reject the signature if either $0 < r < q$ or $0 < s < q$ is not satisfied.

• Calculate $w = s^{-1} \bmod q$

• Calculate $u_1 = (H(m) \cdot w) \bmod q$

• Calculate $u_2 = (r \cdot w) \bmod q$

• Calculate $v = ((g^{u_1} \cdot y^{u_2}) \bmod p) \bmod q$

Page 31: DNS PPT

OUTPUT SCREENS

Page 39: DNS PPT

ADVANTAGES

DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System.

• Described in RFCs 4033, 4034, 4035 & 4310

• Protects against data spoofing and corruption

• It is a set of DNS security extensions which provide:

– Origin authentication of DNS data

– Data integrity but not confidentiality

– Authenticated denial of existence

Page 40: DNS PPT

APPLICATIONS

E-mail is one of the more popular applications that use DNS.

Recently, many protocols in the Internet are proposing the use of public key cryptography in support of integrity and authentication security services.

Page 41: DNS PPT

The DNS as deployed in the Internet today meets three of the previously stated criteria:

• global availability

• real-time access to public keys

• globally unique and unambiguous names

Page 42: DNS PPT

LIMITATIONS

The whole procedure is very time and space consuming.

Many rather long public keys have to be stored.

The keys have to be obtained before they can be used.

The calculations to encrypt and decrypt message digests may take too long to support the goal of the Domain Name System of efficiency.

Page 43: DNS PPT

FUTURE ENHANCEMENT

A recent protocol includes the specification of a global infrastructure that could be used to distribute and manage public keys for other protocols: the secure Domain Name System (DNS) [9]. As of this writing, it has been submitted for consideration as a Proposed Internet Standard. It is an enhancement of the DNS [5,6,7,8], an existing global infrastructure.

Page 44: DNS PPT

SYSTEM REQUIREMENTS

HARDWARE REQUIREMENTS

• PROCESSOR III AND ABOVE

• 20 GB HARD DISK

• 256 DDR RAM

SOFTWARE REQUIREMENTS

• JDK 1.5 (SWINGS)

Page 45: DNS PPT

CONCLUSION

The security threats for DNS were overcome by using public key validation, and it was implemented and executed successfully.
