network security[26.11.13] - ggu.ac.in


Post on 12-Feb-2022


Page 1: Network Security[26.11.13] - Ggu.ac.in

UNIT-I FOUNDATIONS OF CRYPTOGRAPHY AND SECURITY

U-I Foundations of Cryptography

What is Cryptography?
Cryptography is the art or science of secret writing. It is concerned with developing algorithms:
- to conceal the content of messages from all except the sender and recipient
- to verify the correctness of a message or of its sender and recipient
Cryptography is the art or science of transforming an intelligible message into an unintelligible one, and of transforming that message back into its original form.

Terminologies
- Encryption (enciphering): the process of encoding the message so that its meaning is not obvious or is not in an understandable form
- Decryption (deciphering): the reverse process of encryption
- Plaintext: the original form of the message
- Cipher text: the disguised (encrypted) message

Notation:
P - plaintext
C - cipher text
E - encryption algorithm
D - decryption algorithm
C = E(P)
P = D(C)
P = D(E(P))
CSIT 1/63

- Key: critical (secret) information used in a cipher and known only to the sender and receiver
  Symmetric - shared key
  Asymmetric - public key
- Code: an algorithm used for transforming the intelligible (plain text) into the unintelligible (cipher text)
- Cipher: the algorithm/code used for transforming plaintext into cipher text
- Cryptanalysis (code breaking): the study of methods for transforming cipher text into plaintext without knowledge of the key
- Cryptology: the area of cryptography and cryptanalysis together is called cryptology

Types of ciphers: there are two types of ciphers
1. Stream cipher: converts plaintext to cipher text one bit at a time
2. Block cipher: takes a given length of data as input and produces a different length of encrypted data

Encryption is of two kinds:
- Conventional (symmetric key)
- Public key (asymmetric key)

Page 2: Network Security[26.11.13] - Ggu.ac.in

Conventional (Symmetric key) Cryptography:
Symmetric key cryptography is also termed private or secret key encryption because the secret key is shared between sender and receiver.
Fig: Symmetric Encryption (plain text -> cipher with the private key -> cipher text; cipher text -> cipher with the same private key -> plain text)

Asymmetric cryptography:
- Developed in 1970
- Two keys are involved in asymmetric encryption
- One key is used by the sender to encrypt the data and the other by the receiver to decrypt the data
- Both keys are reversible also
- Generally public keys are used for encryption of data while private keys are used for decryption of data
Fig: Asymmetric Encryption (plain text -> cipher with the public key -> cipher text; cipher text -> cipher with the private key -> plain text)

Why do we need Cryptography?
Computers are used by millions of people for many purposes:
- Banking
- Shopping
- Tax returns
- Protesting
- Military
- Student records
- ...
Privacy is a crucial issue in many of the above applications. Cryptography techniques provide the solution to make sure that nosy people cannot read or secretly modify messages intended for other recipients.

Objectives of Network Security:
- Availability: ensures the availability of the desired resource (i.e. when there is need of a specific resource or service it must be

Page 3: Network Security[26.11.13] - Ggu.ac.in

available for access)
- Confidentiality: only sender and receiver can understand the message (to achieve this the sender encrypts the message with a specific algorithm while the receiver decrypts it)
- Integrity: sender and receiver have a provision to check the integrity of the data and to ensure that the message is not altered in transit (during communication)
- Anonymity: ensures the privacy of the origin of data (i.e. the receiver must have some mechanism to check that he is receiving data from a specific sender)
- Authenticity: sender or receiver want to confirm the identity of each other, and may be allowed to access some service after giving their authentication
- Authorization: access to resources is authorized after authentication

Security issues:
The world before computers was in some ways much simpler:
- Signing, legalizing a paper would authenticate it
- Photocopying was easily detected
- Erasing, inserting, modifying words on a paper document was easily detectable
- Secure transmission of a document: seal it and use a reasonable mail carrier (hoping the mail train does not get robbed)
- One can recognize each other's face, voice, hand signature, etc.
Electronic world: the ability to copy and alter information has changed dramatically
- No difference between an "original" file and copies of it
- Removing a word from a file or inserting others is undetectable
- Adding a signature to the end of a file/email: one can impersonate it, add it to other files as well, modify it, etc.
- Electronic traffic can be (and is!) monitored, altered, often without anyone noticing
- How to authenticate the person electronically communicating with you?

Security attack: any action that compromises the security of information owned by an organization.
Security service: a service that enhances the security of the data processing systems and information transfers of an organization.
Security services:
- Data Confidentiality
- Data Integrity
- Authentication
- Access Control
- Non Repudiation

Page 4: Network Security[26.11.13] - Ggu.ac.in

Data Confidentiality: designed to protect data from disclosure attacks. The service is defined by X.800; it provides confidentiality for the whole message or for part of a message, and also offers protection against traffic analysis, i.e. it is designed to prevent sniffing and traffic analysis.
Data Integrity: designed to ensure the integrity of data; it protects data from modification, insertion, deletion and replaying by an intruder or hacker.
Authentication: this service checks the authenticity of the communicating parties.
Nonrepudiation: this service protects against repudiation by either the sender or the receiver.
Access Control: provides protection against unauthorized access to data.

Security Mechanism: a mechanism that is designed to detect, prevent or recover from a security attack.
Security mechanisms:
- Encipherment
- Data Integrity
- Digital Signature
- Access Control
- Authentication exchange
Encipherment: hiding or covering data can provide confidentiality. Today two techniques, cryptography and steganography, are used for enciphering.
Data Integrity: sender and receiver ensure the integrity of data on the basis of checksum values.
Digital Signature: a means by which the sender can electronically sign the data and the receiver can electronically verify the signature.
Authentication Exchange: two end users exchange some messages to prove their identity.
Access Control: uses methods to prove that a user has the access right to data or to a resource owned by the system.

Fig (a): Normal Flow (Information Source -> Information Destination)
Fig (b): Interruption (the flow from Information Source to Information Destination is cut)

Page 5: Network Security[26.11.13] - Ggu.ac.in

Possibilities of Network Security attack:
Fig (a): shows the normal flow of data from Information Source to Information Destination
Fig (b): shows interruption of the channel between source and destination
Fig (c) Interception: shows interception of data between source and destination, where some intruder is listening on the ongoing channel
Fig (d) Modification: shows modification of data between source and destination, where the intruder is modifying the channel
Fig (e) Fabrication: shows fabrication of data between source and destination, where the intruder fabricates data and diverts it towards the receiver

Possible attackers:
1. Student: to have fun snooping on other people's email
2. Cracker: to test out someone's security system, to steal data
3. Businessman: to discover a competitor's strategic marketing plan
4. Ex-employee: to get revenge for being fired
5. Accountant: to embezzle money from a company
6. Stockbroker: to deny a promise made to a customer by email
7. Convict: to steal credit card numbers for sale
8. Spy: to learn an enemy's military or industrial secrets
9. Terrorist: to steal germ warfare secrets

Security issues: Some Practical Situations
1. A sends a file to B: E intercepts it and reads it. How to send a file that looks like gibberish to all but the intended receiver?
2. A sends a file to B: E intercepts it, modifies it, and then forwards it to B. How to make sure that the document has been received in exactly the form in which it was sent?
3. E sends a file to B pretending it is from A. How to make sure your communication partner is really who

Page 6: Network Security[26.11.13] - Ggu.ac.in

he claims to be?
4. A sends a message to B: E is able to delay the message for a while. How to detect old messages?
5. A sends a message to B. Later A (or B) denies having sent (received) the message. How to deal with electronic contracts?
6. E learns which user accesses which information, although the information itself remains secure.
7. E prevents communication between A and B: B will reject any message from A because they look unauthentic.

Friends and Enemies: Alice, Bob, Trudy
Fig: secure sender Alice, secure receiver Bob, and the intruder Trudy; shows the well-known example of the network security world
- Alice, Bob and Trudy are well known in the network security world
- Bob and Alice are lovers and want to communicate securely with each other
- Trudy is the intruder (cruel lady) who may intercept, delete, modify and fabricate messages
What can a bad guy (intruder) / cruel lady (Trudy) do?
- Eavesdrop: intercept messages
- Actively insert messages or data into an ongoing connection
- Impersonation: can fake (spoof) the source address in a packet (or any field in the packet)
- Hijacking: "take over" an ongoing connection by removing the sender or receiver and inserting himself in their place
- Denial of service: prevent a service from being used by others (i.e. by overloading the resources)

Types of Security attacks:
Security attacks are categorized into two main categories:
- Passive attack
- Active attack
Passive attacks: they have the nature of eavesdropping or monitoring of the transmission channel, or packet sniffing (here the intruder simply listens to the ongoing channel and grabs important information, later making use of the grabbed data for analysis).
Passive attacks are of two kinds:
- Release of message content, e.g. telephonic

Page 7: Network Security[26.11.13] - Ggu.ac.in

conversation, e-mail, file transfer
- Traffic analysis: used by the intruder to gain information

Active attacks: involve some modification of the data stream or the creation of a false stream.
Active attacks are of the following kinds:
- Masquerade
- Replay
- Modification
- Denial of Service
- Repudiation
Masquerade: takes place when one entity pretends to be a different entity.
Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification: a portion of the message is altered.
Repudiation: this type of attack is different from the others, as it is not performed by a third party but by one of the two parties in the communication, i.e. the sender or the receiver. Either the sender of the message may deny that he has sent the message, or the receiver of the message might later deny that he has received it.
Denial of service: disruption of the entire network by overloading the different services.

Table: Categorization of passive/active attacks
Attacks                                            | Passive/Active | Threatening
Sniffing / Traffic analysis                        | Passive        | Confidentiality
Modification, Masquerading, Replaying, Repudiation | Active         | Integrity
Denial of service                                  | Active         | Availability

Model for Network Security:
Fig: Model for Network Security (the sender applies a security-related transformation E, using a secret key, to the plaintext message; the receiver applies the transformation D with the secret key to recover the plaintext message; an opponent observes the channel)

Page 8: Network Security[26.11.13] - Ggu.ac.in

Fig (continued): the secure message travels over an information channel between sender and receiver; a trusted third party, e.g. an arbiter, handles distribution of the secret information.
For a message to be transferred from one party to another across a network, the two parties, who are the principals in the transaction, must cooperate for the exchange to take place through a logical information channel.
The general model shows that there are four basic tasks:
- Design an algorithm for performing the security-related transformation
- Generate the secret information to be used with the algorithm
- Develop methods for the distribution and sharing of the secret information
- Specify the protocols to be used

Symmetric Cipher Model:
Fig: Symmetric Cipher Model
Fig: Simplified Symmetric Cipher Model (message source -> encryption algorithm: plaintext X becomes ciphertext Y -> decryption algorithm -> message destination; the key source delivers the key over a secure channel; a cryptanalyst observing Y produces an estimate X^ of the plaintext)
The symmetric cipher model has five ingredients:
1. Plaintext
2. Encryption algorithm
3. Secret key
4. Cipher text
5. Decryption algorithm
There are two major requirements for the secure use of a conventional

Page 9: Network Security[26.11.13] - Ggu.ac.in

cryptosystem:
- The opponent should not be able to decipher the ciphertext or discover the key even if he/she has the ciphertext
- Sender and receiver must have obtained the secret key in a secure fashion
We assume that it is impractical to decrypt (decipher) the message on the basis of knowledge of the algorithm and the ciphertext, i.e. there is no need to keep the algorithm secret. So, with the symmetric encryption principle, the security problem lies in maintaining the secrecy of the secret key.
Fig: Modified Model of conventional Cryptosystem
As shown in the figure, the source produces a message in plaintext X = [x1, x2, x3, ..., xm], where the m elements of X are letters in some finite alphabet. For encryption a key of the form K = [k1, k2, ..., km] is generated. If the key is generated at the message source then it must also be provided to the destination by means of some secure channel. With message X and encryption key K as input, the encryption algorithm produces ciphertext Y = [y1, y2, ..., yn]. So we can write Y = Ek(X), i.e. ciphertext Y is produced by encryption, and at the receiver end the ciphertext is inverted to produce the plaintext X = Dk(Y).

Packet sniffing/snooping:
Fig: shows packet sniffing, where C sniffs packets of A
- As shown in the fig, computers A and B are genuine users; B is sending data to A, but in between them intruder C is listening to the ongoing communication
- Our channel acts as broadcast media, i.e. a packet intended from B to A also passes through C
- A promiscuous NIC reads all packets passing by; it grabs the important information passing through it
- It can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets

IP Spoofing:
Fig: shows packet spoofing, where C pretends to be B
- Based on the sniffed information C fabricates a packet, but in the packet writes the source address of computer B
- i.e. C can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- The receiver can't tell if the source is spoofed

Page 10: Network Security[26.11.13] - Ggu.ac.in

- e.g.: C pretends to be B

Denial of service (DOS):
Fig: shows a denial of service attack
- Here the major objective of the intruder is to overload the service/server so that it will refuse to provide the service
- For overloading the service, intruders generally write some sort of script/code that directs maliciously generated packets, in the form of requests, at the service
- A flood of maliciously generated packets "swamps" the receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp the receiver
- e.g., C and a remote host SYN-attack A

Cryptographic Techniques:
All cryptographic algorithms are based on the following two techniques:
- Substitution
- Transposition (permutation)
Substitution technique: one in which the letters of the plaintext are replaced by other letters (i.e. fixed symbols or alphabets).
Transposition technique: a method of disguising text by shuffling or exchanging the positions of its letters.
Substitution methods:
- Monoalphabetic substitution
- Polyalphabetic substitution
Monoalphabetic substitution: here an alphabet is substituted with one fixed alphabet throughout the PT.
Polyalphabetic substitution: here an alphabet is substituted with more than one alphabet (i.e. not with a specific fixed alphabet).

Caesar's Cipher
The earliest known use of a substitution cipher was by Julius Caesar, for exchanging military secret information more than 2000 years ago. An extremely simple example of conventional cryptography is a substitution cipher. A substitution cipher substitutes one piece of information for another.
The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet, where D=A, E=B, F=C, and so on. So starting with ABCDEFGHIJKLMNOPQRSTUVWXYZ and sliding everything up by 3, you get DEFGHIJKLMNOPQRSTUVWXYZABC, i.e.

Page 11: Network Security[26.11.13] - Ggu.ac.in

P.T.: A B C D E F G ........ Z
C.T.: D E F G H I J ........ C
Now let's assign a numerical value (NV) to each letter:
P.T.: A B C D E F G ........ Z
N.V.: 0 1 2 3 4 5 6 ........ 25
The algorithm can be expressed as follows: for plaintext letter p, substitute the ciphertext letter c:
C = E(p) = (p + 3) mod 26
A shift may be of any amount, so the general Caesar algorithm is
C = E(P) = (P + K) mod 26
where K takes a value in the range 1 to 25, and the decryption algorithm is
P = D(C) = (C - K) mod 26

Drawback of Caesar Cipher:
The major problem of the Caesar cipher is language regularity, due to which cryptanalysis may guess the message present in the CT. Language regularity is based on the frequency of letter occurrence:
- Letter E is the most frequent, then
- T R I O A S, then the rest
- Rarely used are J K Q X Z
- Letter E is 25 times more frequent than Q
Example of language regularity (Caesar monoalphabetic substitution):
P.T.: A B C D E F G ........ Z
C.T.: D E F G H I J ........ C
C.T.: W T I G M E P W T I E O I V G S Q M R R
P.T.: S P E C I A L S P E A K E R C O M I N G
As shown, the appearance frequencies of letters, words and pairs of letters accelerate the identification of certain letters.

Attacking Caesar Cipher:
- Caesar can be broken if we know only one pair (plain letter, encrypted letter)
- The difference between them is the key
- Caesar can be broken even if we only have the encrypted text and no knowledge of the plaintext
- A brute-force attack is easy: there are only 25 keys possible
- Try all 25 keys and check to see which key gives an intelligible message
Fig: Brute Force Cryptanalysis of Caesar Cipher
Why is Caesar easy to break?
- Only 25 keys to try
- The language of the plaintext is known and easily recognizable
- What if the language is unknown?
- What if the plaintext is a binary file of an unknown format?
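The Caesar formulas and the two attacks above (known pair, brute force with language regularity), as an added example in Python that is not part of the original notes; the scoring set "ETRIOAS" is taken from the frequency list above and the worked message is the notes' SPECIAL SPEAKER COMING example.

```python
import string

ALPHA = string.ascii_uppercase          # numerical values: A=0 ... Z=25


def caesar_encrypt(plaintext: str, k: int) -> str:
    # C = E(P) = (P + K) mod 26, applied letter by letter; non-letters pass through
    return "".join(ALPHA[(ALPHA.index(ch) + k) % 26] if ch in ALPHA else ch
                   for ch in plaintext.upper())


def caesar_decrypt(ciphertext: str, k: int) -> str:
    # P = D(C) = (C - K) mod 26 is simply encryption with the negated shift
    return caesar_encrypt(ciphertext, -k)


def key_from_pair(plain_letter: str, cipher_letter: str) -> int:
    # One known (plain letter, cipher letter) pair reveals the key: the difference
    return (ALPHA.index(cipher_letter.upper()) - ALPHA.index(plain_letter.upper())) % 26


def brute_force(ciphertext: str) -> dict:
    # Only 25 keys exist, so list every candidate plaintext and pick the readable one
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


COMMON = set("ETRIOAS")                 # the frequent English letters listed in the notes


def rank_keys(ciphertext: str) -> list:
    # Language regularity: the right key turns most cipher letters into common
    # plaintext letters. Score each candidate key and sort the best first.
    def score(k: int) -> int:
        return sum(ch in COMMON for ch in caesar_decrypt(ciphertext, k))
    return sorted(range(1, 26), key=score, reverse=True)


def frequency_guess(ciphertext: str) -> int:
    # Cruder shortcut: assume the most frequent cipher letter stands for E
    letters = [ch for ch in ciphertext.upper() if ch in ALPHA]
    most_frequent = max(sorted(set(letters)), key=letters.count)
    return key_from_pair("E", most_frequent)


if __name__ == "__main__":
    ct = caesar_encrypt("SPECIAL SPEAKER COMING", 4)
    print(ct)                                      # WTIGMEP WTIEOIV GSQMRK
    print(rank_keys(ct)[0], frequency_guess(ct))   # 4 4
    for k, candidate in brute_force(ct).items():   # the reader picks the intelligible line
        print(k, candidate)
```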

Page 12: Network Security[26.11.13] - Ggu.ac.in

Playfair Cipher:
- A multiple-letter encryption method
- Invented by Sir Charles Wheatstone in 1854, but named after his friend Baron Playfair, who championed the cipher at the British foreign office
- Encrypts a pair of letters at each step
- Uses a word in the language as the key and builds a 5*5 matrix (table of letters) from the key and the other letters (I is considered the same as J)
- This is called the key matrix: a 5x5 matrix of letters based on a keyword
  - Fill in the letters of the keyword (no duplicates), left to right, top to bottom
  - Fill the rest of the matrix with the other letters in alphabetical order
E.g. using the keyword MONARCHY, we obtain the following matrix:
Key: MONARCHY
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Rules of Substitution:
The plaintext is encrypted two letters at a time:
1. Repeated letters in the plaintext are separated with a filler letter such as Z, e.g. "BALLOON" is treated as "BALZLOZON" and SUNNY is treated as SUNZNY
2. Form the pairs of letters; if the number of letters is not even, add the filler letter Z at the end
3. If both letters fall in the same row of the key matrix, replace each with the letter to its right (wrapping back to the start from the end), e.g. "AR" encrypts as "RM"
4. If both letters fall in the same column, replace each with the letter below it (again wrapping to the top from the bottom), e.g. "MU" encrypts to "CM"
5. Otherwise each letter is replaced by the one in its own row in the column of the other letter of the pair, e.g. "HS" encrypts to "BP", and "EA" to "IM" or "JM" (as desired)
6. Decryption works in the reverse direction
Examples (based on the key matrix above):
PT: SUNNY    PAIRS: SU NZ NY          CT: LX RW YG
PT: BALLOON  PAIRS: BA LZ LO ZO NZ    CT: IB TU PM VR RZ
Decryption works in the reverse direction. The examples above are based on this key matrix:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
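The key matrix construction and rules 1 to 6 above, as an added Python example that is not part of the original notes; it follows the notes' filler rule (a Z between any two repeated letters) rather than the textbook variant, and uses the MONARCHY matrix.

```python
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"     # 25 letters: I and J share one cell


def build_matrix(keyword: str) -> list:
    # Keyword letters first (duplicates dropped), left to right, top to bottom,
    # then the remaining letters in alphabetical order.
    seen, cells = set(), []
    for ch in keyword.upper() + ALPHABET:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]


def prepare(plaintext: str) -> list:
    # Rules 1 and 2 as stated in the notes: a Z is inserted between repeated
    # letters (BALLOON -> BALZLOZON), then a Z pads an odd-length text.
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    out = []
    for c in letters:
        if out and out[-1] == c:
            out.append("Z")
        out.append(c)
    if len(out) % 2:
        out.append("Z")
    return [out[i] + out[i + 1] for i in range(0, len(out), 2)]


def substitute_pair(pair: str, matrix: list, shift: int = 1) -> str:
    # Rules 3 to 5; shift=+1 encrypts, shift=-1 runs them backwards (rule 6)
    pos = {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}
    (ra, ca), (rb, cb) = pos[pair[0]], pos[pair[1]]
    if ra == rb:                                   # same row: letter to the right
        return matrix[ra][(ca + shift) % 5] + matrix[rb][(cb + shift) % 5]
    if ca == cb:                                   # same column: letter below
        return matrix[(ra + shift) % 5][ca] + matrix[(rb + shift) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]         # rectangle: swap the columns


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    m = build_matrix(keyword)
    return "".join(substitute_pair(p, m) for p in prepare(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    # Yields the prepared text, fillers included (SUNZNY for SUNNY)
    m = build_matrix(keyword)
    text = "".join(c for c in ciphertext.upper() if c.isalpha())
    return "".join(substitute_pair(text[i:i + 2], m, shift=-1)
                   for i in range(0, len(text), 2))


if __name__ == "__main__":
    for row in build_matrix("MONARCHY"):
        print(" ".join(row))
    print(prepare("SUNNY"), playfair_encrypt("SUNNY", "MONARCHY"))   # LXRWYG
    print(playfair_decrypt("LXRWYG", "MONARCHY"))                     # SUNZNY
```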

Page 13: Network Security[26.11.13] - Ggu.ac.in

Security is much improved over monoalphabetic substitution:
- There are 26 x 26 = 676 digrams
- Needs a 676-entry digram frequency table to analyze (vs. 26 for a monoalphabetic cipher) and correspondingly more ciphertext
- Widely used for many years (e.g. US and British military in WW I, other allied forces in WW II)
- Can be broken, given a few hundred letters
- The Playfair cipher may be attacked based on the appearance frequency of letters, so it is still subject to attack

Transposition Method:
- Perform some sort of permutation on the plaintext letters
- Hide the message by rearranging the letter order without altering the actual letters used
- The simplest such technique: the rail fence technique

Rail fence Cipher
- Got its name from the structure of a rail fence
- Idea: write the plaintext letters diagonally over a number of rows, and then read off the cipher row by row
E.g., with a rail fence of depth 2, to encrypt the text "meet me after the toga party", write the message as:
m e m a t r h t g p r y
 e t e f e t e o a a t
The ciphertext is read from the above row by row:
CT: MEMATRHTGPRYETEFETEOAAT
Attack: this is easily recognized because it has the same frequency distribution as the original text.

Row Column Cipher:
A more complex scheme: row transposition
- Write the letters of the message in rows over a specified number of columns
- Read the crypto text column by column, with the columns permuted according to some key
Example: "attack postponed until two am" with key 4312567: first read the column marked by 1, then the one marked by 2, etc.
Key: 4 3 1 2 5 6 7
     a t t a c k p
     o s t p o n e
     d u n t i l t
     w o a m (the last row is filled with padding letters)
If we number the letters in the plaintext from 1 to 28, then the result of the first encryption is the following permutation of the letters of the plaintext:
03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28
- Note the regularity of that sequence!
- Easily recognized!
Repeated Row Column
Idea: use the same scheme once more to increase security. After the second transposition we get the following sequence of letters:
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 12 04
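The rail fence and row-column transpositions above, as an added Python example that is not part of the original notes; it also applies the row-column scheme a second time, as the repeated row-column idea that follows describes, and reports the regularity of the position sequence. Assumptions: the last row is padded with X, and the position numbering is 1 to 28 as in the notes.

```python
import math


def rail_fence_encrypt(text: str, depth: int = 2) -> str:
    # Write the letters diagonally (zig-zag) over `depth` rows, then read row by row
    letters = [c for c in text.upper() if c.isalpha()]
    rails = [[] for _ in range(depth)]
    rail, step = 0, 1
    for c in letters:
        rails[rail].append(c)
        if depth > 1:
            if rail == depth - 1:
                step = -1
            elif rail == 0:
                step = 1
            rail += step
    return "".join("".join(r) for r in rails)


def read_order(n: int, key: str) -> list:
    # Positions 1..n of a text written in rows of len(key) columns, listed in the
    # order the columns are read: the column marked 1 first, then 2, and so on.
    cols = len(key)
    rows = math.ceil(n / cols)
    order = []
    for col in sorted(range(cols), key=lambda i: key[i]):
        order.extend(r * cols + col + 1 for r in range(rows) if r * cols + col < n)
    return order


def transpose(seq: list, key: str) -> list:
    # One row-column transposition of any sequence (letters or position numbers)
    return [seq[p - 1] for p in read_order(len(seq), key)]


def row_column_encrypt(text: str, key: str, passes: int = 1, pad: str = "X") -> str:
    letters = [c for c in text.upper() if c.isalpha()]
    letters += [pad] * (-len(letters) % len(key))     # fill the last row (assumption: X)
    for _ in range(passes):                           # passes=2 is the repeated scheme
        letters = transpose(letters, key)
    return "".join(letters)


def row_column_decrypt(ciphertext: str, key: str, passes: int = 1) -> str:
    letters = list(ciphertext)
    for _ in range(passes):                           # undo one transposition per pass
        plain = [None] * len(letters)
        for i, p in enumerate(read_order(len(letters), key)):
            plain[p - 1] = letters[i]
        letters = plain
    return "".join(letters)


def step_pattern(order: list) -> list:
    # Differences between neighbouring positions: runs of +7 expose the single
    # transposition, which is the regularity the notes point out
    return [b - a for a, b in zip(order, order[1:])]


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))    # MEMATRHTGPRYETEFETEOAAT
    first = transpose(list(range(1, 29)), "4312567")
    second = transpose(first, "4312567")
    print(first, step_pattern(first).count(7))                   # 21 steps of +7
    print(second, step_pattern(second).count(7))                 # none left
    print(row_column_encrypt("attack postponed until two am", "4312567", passes=2))
```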

Page 14: Network Security[26.11.13] - Ggu.ac.in

23 19 14 11 01 26 21 18 08 06 28
This is far less structured and so more difficult to cryptanalyze.

Basics of Abstract Algebra
Group (G, •, e): a set G with a binary operation • and an element e ∈ G satisfying the following laws:
- Associativity: a • (b • c) = (a • b) • c for any a, b, c ∈ G
- Identity element: a • e = e • a = a for any a ∈ G
- Inverse element: for each a ∈ G there exists an element a' ∈ G such that a • a' = a' • a = e. a' is usually denoted as -a and is called the inverse of a
Example of a group: the set of integers with addition, (Z, +, 0).
Note that the set of integers with multiplication, (Z, ×, 1), is not a group: the inverse element does not exist for all integers (it exists only for 1 and -1).
A group (G, •, e) is called:
- Commutative (or abelian) if a • b = b • a for all a, b in G
- Finite if the set G is finite
- Infinite if the set G is infinite
Examples: (Z, +, 0) is a commutative group. The set of n×n matrices over the integers, with addition, is a commutative group. The set of permutations of the set {1, 2, ..., n}, with composition, is a finite non-commutative group.

Rings:
Ring (R, +, •, 0): a set R with two binary operations + and • satisfying the following laws:
- (R, +, 0) is a commutative group
- Associative multiplication: a • (b • c) = (a • b) • c for any a, b, c ∈ R
- Distributive: a • (b + c) = a • b + a • c; (a + b) • c = a • c + b • c
A ring (R, +, •, 0) is called:
- Commutative if the multiplication • is commutative
- Unitary (or with unity element) if the operation • has an identity element 1: a • 1 = 1 • a = a for all a in R. We denote it as (R, +, •, 0, 1)
- Integral domain if
  - it is commutative
  - it has a unity element
  - it has no zero divisors: if a • b = 0, then either a = 0 or b = 0
Examples: (Z, +, •, 0, 1) is an integral domain. The set of n×n matrices over the integers with addition and multiplication is a commutative unitary ring, but not an integral domain. (Z26, +, •, 0, 1) is a commutative unitary ring, but not an integral domain: 2 • 13 = 0 (mod 26).

Fields:
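The ring Z26 above, together with the fields, modular arithmetic and Euclid's algorithm that the following pages describe, as one added Python example that is not part of the original notes. It uses the notes' definitions of mod and div (q is the largest integer not above a/n), the recursive Euclid rule gcd(a, b) = gcd(b, a mod b), and checks which Zn are fields by searching for inverses; the inverse search by trial is my choice for small n.

```python
def div(a: int, n: int) -> int:
    # q: the largest integer less than or equal to a/n (Python's // floors)
    return a // n


def mod(a: int, n: int) -> int:
    # The residue r with a = q*n + r and 0 <= r < n, e.g. -11 = (-2)*7 + 3
    return a - div(a, n) * n


def congruent(a: int, b: int, n: int) -> bool:
    # a ≡ b (mod n) iff a mod n = b mod n
    return mod(a, n) == mod(b, n)


def gcd_trace(a: int, b: int):
    # Euclid: gcd(a, 0) = a and gcd(a, b) = gcd(b, a mod b).
    # Returns the gcd and the (A, B, R) triples of every step, like a worked table.
    steps = []
    A, B = a, b
    while B != 0:
        R = mod(A, B)
        steps.append((A, B, R))
        A, B = B, R
    return A, steps


def gcd(a: int, b: int) -> int:
    return gcd_trace(a, b)[0]


def zero_divisors(n: int) -> list:
    # Nonzero pairs with a*b = 0 (mod n); one such pair means Zn is no integral domain
    return [(a, b) for a in range(1, n) for b in range(a, n) if mod(a * b, n) == 0]


def inverse(a: int, n: int):
    # Multiplicative inverse of a in Zn, or None. It exists exactly when gcd(a, n) = 1
    if gcd(a, n) != 1:
        return None
    return next(x for x in range(1, n) if mod(a * x, n) == 1)


def is_field(n: int) -> bool:
    # Zn is a field iff every nonzero element has a multiplicative inverse
    return n > 1 and all(inverse(a, n) is not None for a in range(1, n))


if __name__ == "__main__":
    print(mod(-11, 7), div(-11, 7))               # 3 -2
    g, steps = gcd_trace(1970, 1066)
    for A, B, R in steps:
        print(f"A={A:5d} B={B:5d} A mod B={R}")
    print("gcd(1970, 1066) =", g)                  # 2
    print(zero_divisors(26)[:3])                   # [(2, 13), (4, 13), (6, 13)]
    print({a: inverse(a, 5) for a in range(1, 5)}) # {1: 1, 2: 3, 3: 2, 4: 4}
    print(is_field(3), is_field(5), is_field(26))  # True True False
```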

Page 15: Network Security[26.11.13] - Ggu.ac.in

Field (F, +, •, 0, 1):
- (F, +, •, 0, 1) is an integral domain
- Multiplicative inverse: for any nonzero element a in F there exists an element a' in F such that a • a' = a' • a = 1. a' is usually denoted as a^-1 and is called the multiplicative inverse of a
Examples: the set of rational numbers (Q, +, •, 0, 1) and the set of real numbers (R, +, •, 0, 1) are fields.
The set of integers (Z, +, •, 0, 1) is not a field: only 1 and -1 have multiplicative inverses.
(Z26, +, •, 0, 1) is not a field.
(Z3, +, •, 0, 1) is a finite field: the inverse of 1 is 1 and the inverse of 2 is 2.
(Z5, +, •, 0, 1) is a finite field: 1 • 1 = 1 mod 5, 2 • 3 = 1 mod 5, 4 • 4 = 1 mod 5, so the inverse of 1 is 1, the inverse of 2 is 3, the inverse of 3 is 2, and the inverse of 4 is 4.

Finite Fields:
- It can be proved that if a field is finite then it has p^n elements, for some prime number p
- We also say that it has order p^n
- We denote it GF(p^n); GF stands for Galois field
- For n = 1 we have GF(p), which is Zp
- If p is prime, then any nonzero element in Zp has a multiplicative inverse
- For n > 1 the field has a different structure: start from Zp and build a field with p^n elements

Modular Arithmetic:
Consider the set of integers and fix a positive integer n.
- For any integer a, there exist integers q and r such that a = qn + r and r is from 0 to n-1
- q is the largest integer less than or equal to a/n
- r is called the residue of a modulo n
- Define the operator mod: a mod n = r
- Define the operator div: a div n = q
Example: 7 mod 5 = 2, 11 mod 7 = 4, -11 mod 7 = 3 since -11 = (-2).7 + 3
Congruence modulo n: a ≡ b mod n if a mod n = b mod n
Example: 73 ≡ 4 mod 23, 21 ≡ -9 ≡ 1 mod 10

Greatest Common Divisor:
The positive integer d is the greatest common divisor of the integers a and b, denoted d = gcd(a, b), if
- it is a divisor of both a and b
- any other divisor of a and b is a divisor of d
Example: gcd(8, 12) = 4, gcd(24, 60) = 12
Integers a and b are called relatively prime if gcd(a, b) = 1.
Computing gcd(a, b): Euclid's algorithm, based on the following
fact:

Page 16: Network Security[26.11.13] - Ggu.ac.in

- gcd(a, 0) = a
- gcd(a, b) = gcd(b, a mod b)
Euclid's algorithm to compute gcd(a, b):
Euclid(a, b):
  if b = 0 then return a
  else return Euclid(b, a mod b)
Steps: gcd(a, b)
1. A = a, B = b
2. if B = 0
3.   return A = gcd(a, b)
4. R = A mod B
5. A = B
6. B = R
7. go to step 2
Note: the algorithm always terminates with the solution, i.e. the gcd.
Example: gcd(1970, 1066). Result: gcd(1970, 1066) = 2

Design Issues of Block Cipher:
1. S-Box (substitution box or confusion box), T-Box (transposition box or diffusion box):
- The output bits produced by these boxes should not be close to a linear function of the input bits
- Inputs that differ in one bit should generate outputs that differ in many bits
- Each row of the S-box should be a permutation of the possible input/output values
- The output bits of an S-box should be distributed such that they affect other S-boxes in the following round
2. Number of rounds:
- More rounds are generally better, but they cost in reduced performance
- The number of rounds should maximize the avalanche effect (about 50% of the output bits should change for any change in an input bit)
- The number of rounds should be selected to make the cost of advanced attacks (differential, linear, etc.) comparable to exhaustive search (taking into account the overhead required to run the attacks)
3. F-function:
- Must be difficult to unscramble
- Should be non-linear
- SAC (Strict Avalanche Criterion): any output bit should be inverted with probability 1/2 when some input bit is changed


- BIC (Bit Independence Criterion): any two output bits should change independently when some input bit is changed

Block Cipher Principles:
Fig: block cipher applied to FOUR _AND FOUR (FOUR -> E -> VFA% -> D -> FOUR; _AND -> E -> *Xz$ -> D -> _AND)
- Rather than encrypting one bit at a time, a block of bits is encrypted in one go
- E.g. to encrypt FOUR _AND FOUR using a block cipher, FOUR is encrypted first, followed by _AND and finally FOUR; thus one block of characters is encrypted at a time
- During decryption each block is translated back to its original form
- In actual practice communication takes place in bits, so FOUR actually means the binary equivalent of the ASCII characters; after the algorithm encrypts/decrypts, the resulting bits are converted back to their ASCII equivalent and then to their original format
- The major problem with a block cipher is that repeating blocks produce the same cipher block, which gives the cryptanalyst a clue about the original data
- Even if the cryptanalyst cannot guess the complete word, consider that he makes changes like debit to credit and credit to debit in a fund transfer message: it would create havoc
- To deal with this problem of block ciphers, block ciphers are used in chaining mode
Fig: Encryption process at sender end / Decryption process at receiver end

Feistel Cipher:
- Feistel was one of the designers of early cryptographic algorithms at IBM in 1970
- Feistel cipher is a scheme or template for specifying the algorithms


of block cipher
- The Feistel scheme allows encryption and decryption with the same hardware circuit or piece of software
- The Feistel scheme is used by algorithms like DES, IDEA, RC5
Figure: Shows the Feistel structure
- There are r rounds in a Feistel cipher
- In round i the input block Mi is broken into two half blocks Li and Ri
- Input half block Ri is copied to output half block Li+1 (to be used as input in round i+1)
Fig: Feistel encryption process (M -> L1, R1 -> f with K1 -> L2, R2 -> f with K2 -> L3, R3 -> C) and decryption process (C -> R3, L3 -> f with K2 -> R2, L2 -> f with K1 -> R1, L1 -> M)
- Input half block Ri and round key Ki are scrambled by function f
- The scrambled result is XORed with input half block Li to create output half block Ri+1, which is used as input in round i+1
- In a Feistel cipher decryption is the same as the encryption process; we simply have to reverse the order of the round keys
- Function f can be any function; usually it is a function that is easy to compute but hard to reverse
- Function f only serves to generate a pad to be XORed with the left half block; f creates this pad from the R half block and from the round key K

The Feistel cipher scheme doesn't specify the following:
- Block size
- Key size
- No. of rounds
- Round key generation algorithm
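An added example (not from the notes) of the round structure just described: a toy 64-bit Feistel cipher whose decryption is the same pass with the round keys reversed. The round function f and the key schedule are constructed for this demonstration, since the Feistel scheme itself leaves them unspecified.

```python
# Added example (not from the notes): a toy r-round Feistel cipher showing
# L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, K_i), and that decryption is the
# same process with the round keys in reverse order. f and round_keys are
# constructed for the demonstration; they are not DES or any real cipher.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def f(right, round_key):
    """Toy scrambling function on a 32-bit half block. It never has to be
    inverted, only recomputed, which is why any function works here."""
    x = (right ^ round_key) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return (x ^ (x >> 15)) & MASK32


def round_keys(master_key, rounds):
    """Constructed key schedule: r 32-bit round keys from a 64-bit key."""
    keys = []
    k = master_key & MASK64
    for i in range(rounds):
        k = ((k << 7) | (k >> 57)) & MASK64        # rotate the 64-bit key
        keys.append((k ^ (i * 0x5BD1E995)) & MASK32)
    return keys


def feistel(block, keys):
    """One pass over a 64-bit block with the keys in the given order.
    Encryption uses K1..Kr; decryption uses Kr..K1."""
    L, R = block >> 32, block & MASK32
    for k in keys:
        L, R = R, L ^ f(R, k)       # copy R to the next L, scramble into R
    # undo the last swap so that the same pass inverts itself
    return (R << 32) | L


def encrypt(block, master_key, rounds=16):
    return feistel(block, round_keys(master_key, rounds))


def decrypt(block, master_key, rounds=16):
    return feistel(block, round_keys(master_key, rounds)[::-1])


if __name__ == "__main__":
    # constructed sample values
    pt, key = 0x0123456789ABCDEF, 0x133457799BBCDFF1
    ct = encrypt(pt, key)
    print(f"ct = {ct:016x}, decrypt ok = {decrypt(ct, key) == pt}")
```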


- Scrambling function

DES (Data Encryption Standard):
DES History
- In 1973, NBS (National Bureau of Standards) came out with an RFP (Request for Proposals) for a commercial encryption standard
- IBM proposed its strong Lucifer algorithm (developed by Feistel and others)
- NSA (National Security Agency) requested to weaken the strength of Lucifer (by shortening the key)
- NSA also made changes to IBM's Lucifer algorithm
- Data Encryption Standard (DES) accepted in 1976
DES Design Criteria
NBS had set the following design criteria for DES:
- Algorithm must provide a high level of security
- Algorithm must be completely specified
- Security of the algorithm must reside in the key
- Algorithm must be available to all users
- Algorithm must be adaptable for use in diverse applications
- Algorithm must be efficiently implementable in hardware
- Algorithm must be efficient to use
- Algorithm must be able to be validated
- Algorithm must be exportable
DES Structure
- Block size: 64 bits
- Key size: 56 bits (in a 64-bit buffer)
- Fixed initial permutation on the input block (64 bits)
- 16 round keys (48 bits) derived from the key (56 bits)
- Key scheduling scheme for the 16 round keys
- 16 iterations, each consisting of scrambling the round block (64 bits) with the round key (48 bits)
- Scrambling function detailed later
- Fixed inverse initial permutation on the output block
Overall structure of DES is as follows:
Fig: Overall structure of DES
Initial Permutation (64 inputs / 64 outputs):
Initial and Final Permutations:
- "Final Permutation" is the inverse of "Initial Permutation"
- "Initial Permutation" and "Final Permutation" are fully specified and do not add to the security of DES
- The purpose of "Initial Permutation" and "Final Permutation" is to make software implementations of DES slow
Question: Why not use only "Initial Permutation"?
Answer: To support encryption/decryption with the Feistel scheme!
Each round of DES consists of the following operations:
- Message block Mi (64 bits) is split into left half-block Li (32 bits) and right half-block Ri (32 bits)
- Right half block Ri is copied to become left half-block Li+1
- Right half block Ri is expanded to 48 bits and is XORed with round key Ki (48 bits)
- The eight S-Boxes each take 6 bits (of the 48 bits above) and generate 4 bits (resulting in 32 bits)
- The resulting 32 bits are permuted and XORed with the left half-block Li to create right half-block Ri+1
Expand Function (32 inputs / 48 outputs):
Internal Permute (32 inputs / 32 outputs):
S-Box-1 (6 inputs / 4 outputs):
- The first and sixth input bits select the row (between 0 and 3 in the table)
- The four middle input bits select the column (between 0 and 15 in the table)
- The value of the four output bits is given in decimal (between 0 and 15) in the table entry
DES Design Issues
- Unofficial requirement to make DES slow in software
- The NSA reduction of the key size to 56 bits
- NSA changes to the S-Boxes
- "Initial Permutation" and "Inverse Initial Permutation"
- Effects of the "Expand" and "Permute" operations
- Effects of the "f" scrambling function
- Effects of the S-Boxes
- Exportability of cryptographic algorithms, software, and hardware
Avalanche Effect in DES – Change in Plaintext:
- Number of output bits that change when one input bit is changed
Avalanche Effect in DES – Change in Key:
- Number of output bits that change when one key bit is changed
Avalanche Effect in DES and Number of Rounds:
- For the output to appear random, the number of bits that change should be around 50% (that is, 32 bits)
- With 16 DES rounds the avalanche effect of DES is about optimal
- Also, 16 rounds is large enough to withstand certain cryptanalytic attacks
Weak DES Keys:
- 4 keys in which each half of the key (after PC-1) is either all 0's or all 1's
- For these keys: EK(EK(X)) = X
Semi-Weak DES Keys:
- 12 keys in which each half of the key (after PC-1) is one of the following: all 0's, all 1's, alternating 0's and 1's, and alternating 1's and 0's
- For pairs of keys: EK1(EK2(X)) = X
DES strength:
- Since 1975 there has been a debate regarding the selection of only 56 bits for the DES key size
- Exhaustive Search Attack: requires searching O(2^56) keys
- Differential Cryptanalysis: requires analyzing O(2^47) chosen plaintexts
- Linear Cryptanalysis: requires analyzing O(2^47) known plaintexts
- In the 1990's DES was declared not secure enough by the technical community (IETF)
Exhaustive Search Attack:
- Search space of O(2^56) = O(10^17) keys
- In the 1970's, Diffie and Hellman suggested a $20M machine that would crack DES in about one day
- In the 1990's, Wiener suggested a $1M machine that would crack DES in 3.5 hours
- Assume about 10^9 encryptions per second on today's computers; then about 10^8 computer-seconds are required to crack DES
- In the 1990's, DES challenges were broken in a matter of days using distributed clusters of computers
- Presumably, most national security agencies have the hardware and software to crack DES in hours
Differential Cryptanalysis Attack:
- Study the differences between two encryptions of two different plaintext blocks M and M*
- Study the probability of output differences in each S-Box
- Trace back differences to specific S-Boxes
- Estimate the likelihood of the key bits involved in the XOR operation before the S-Boxes
- Continue developing estimates for the key until one key emerges as the only ultimate option
- Chosen space of O(2^47) plaintexts
- Not practical, but theoretically important
Linear Cryptanalysis Attack:
- Approximate the DES key as a linear transformation of the plaintext bits and the ciphertext bits
- Change the coefficients based on multiple values of <plaintext, ciphertext> pairs
- Requires a known space of O(2^47) <plaintext, ciphertext> pairs
- Not practical, but theoretically important
DES Strength – Summary
- Since the early 1990's DES is considered not secure enough for technical and commercial use
- Several approaches:
  - Strengthening DES – 2-DES


  - Strengthening DES – 3-DES
  - Strengthening DES – DES-X
  - Other algorithms
DES Variants:
Figure: Shows the variants of DES (DES; Double DES; Triple DES, which is either 2-key Triple DES or 3-key Triple DES)

Double DES:
- Apply two iterations of DES with two keys K1 and K2
Figure: Double DES encryption process, C = EK1(EK2(M))
Figure: Double DES decryption process, M = DK2(DK1(C))
Where
- M: plaintext block
- C: ciphertext
- ENC: encryption process
- DEC: decryption process

2-key Triple-DES
DES Encrypt-Decrypt-Encrypt with two keys K1 and K2
Properties:
- Two keys (112 bits)
- Strength about O(2^110) against Meet-in-the-Middle
- Compatible with regular DES when K1 = K2
Figure: 2-key Triple DES encryption process, C = EK1(DK2(EK1(M)))
Figure: 2-key Triple DES decryption process, M = DK1(EK2(DK1(C)))

3-KEY TRIPLE-DES
EEE Mode: DES Encrypt-Encrypt-Encrypt with three keys K1, K2, and K3
Figure: 3-key Triple DES encryption process, C = EK1(EK2(EK3(M)))
Figure: 3-key Triple DES decryption process, M = DK3(DK2(DK1(C)))
EDE Mode: C = EK1(DK2(EK3(M))) and M = DK3(EK2(DK1(C)))

Algorithmic Modes:
  ECB, CBC: work on a block cipher
  CFB, OFB: work on a block cipher but act as a stream cipher


Algorithmic Modes (Modes of operation):
An algorithmic mode is a combination of a series of algorithmic steps on a block cipher and some form of feedback from the previous steps. There are four algorithmic modes, namely
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)

Electronic Code Book (ECB):
ECB is the simplest mode of operation
- The incoming plaintext message is divided into blocks of 64 or 32 bits
- All the plaintext blocks are then encrypted independently
- For encrypting all the blocks of the message the same key and algorithm is used
Fig: ECB Mode – Encryption Process (PT1..PTn, each encrypted with the key in steps 1..n, giving CT1..CTn)
Fig: ECB Mode – Decryption Process (CT1..CTn, each decrypted with the key in steps 1..n, giving PT1..PTn)
- At the receiver's end the incoming data is divided into 64 or 32-bit blocks and, using the same key as was used for encryption, each block is decrypted to produce the corresponding PT block
- In ECB a single key is used for encryption, so if an input message block repeats then the output CT block is also repeated; that's why ECB is not suitable for encrypting secure data

Cipher Block Chaining (CBC):
- CBC ensures that even if PT blocks repeat in the input there would not be two identical blocks in the CT; they would differ from each other
- CBC adds a feedback mechanism to block ciphers
- Here the result of the encryption of the previous block is fed back as input for the current block, i.e. each block is used to modify the encryption of the next block
Fig: CBC Mode Encryption Process (IV XOR PT1 -> Encrypt -> CT1; CT1 XOR PT2 -> Encrypt -> CT2; ...; CTn-1 XOR PTn -> Encrypt -> CTn)
- As shown in the figure, the first step receives two inputs, i.e. the first PT block and a random vector IV (Initialization Vector)
- The IV has no special meaning; it is simply used to make each message unique, since its value is randomly generated
- The first block of PT and the IV are combined using XOR and then encrypted using a key to produce the first ciphertext block CT1, and this block is provided as input to the next plaintext block
- Now PT2, the 2nd PT block, is XORed with the output of step 1; it is then encrypted with the same key as used in step 1, and the produced CT is passed to the next step, and so on
Fig: CBC Mode Decryption Process (CT1 -> Decrypt -> XOR IV -> PT1; CT2 -> Decrypt -> XOR CT1 -> PT2; ...; CTn -> Decrypt -> XOR CTn-1 -> PTn)
- As shown in the figure, while decrypting, CT block 1 is passed through the decryption algorithm using the same key which was used during encryption for all the blocks
- The output of the above step is XORed with the IV and it produces PT block 1
- In step 2 CT block 2 is decrypted and XORed with CT block 1 to produce PT block 2

CFB (Cipher Feedback):
Fig: the IV is encrypted with the key to produce the CT of the IV
Not all applications can work on blocks of data. Security is also required in applications that are character oriented, e.g. an operator typing keystrokes at a terminal which need to be immediately transmitted across a communication link in a secure manner, and CFB is useful in such cases. In this mode data is encrypted in units that are smaller than a block.
Let's understand CFB mode by assuming we are dealing with j bits at a


time (usually j = 8, but not always). CFB is slightly more complicated, so we see the step by step details.
Step 1: Like CBC, a 64-bit initialization vector is used in CFB mode
- The IV is kept in a shift register
- It is encrypted in the first step to produce a 64-bit IV-Cipher
Fig: CFB Step 1
Step 2:
- Now the MSB (i.e. leftmost) j bits of the encrypted IV are XORed with the first j bits of the plaintext
- This produces the first portion of ciphertext, say (c)
- c is transmitted to the receiver
Fig: CFB Step 2 (first j bits of encrypted IV XOR first j bits of plaintext = ciphertext 1 (c))
Step 3:
- In this step the IV bits (the contents of the shift register containing the IV) are shifted left by j positions
- Thus the rightmost j positions of the shift register now contain unpredictable data
- These rightmost j positions are now filled with the c obtained in the previous step
Fig: CFB Step 3 (left shift IV by j positions; move the j bits of c into the rightmost side of the IV)
Step 4:
- Now steps 1 to 3 continue until all the plaintext blocks are encrypted, i.e. the following steps repeat:
  - The IV is encrypted
  - The leftmost j bits of the encrypted IV are XORed with the next j bits of PT
  - The resulting j bits of CT are sent to the receiver
  - The shift register containing the IV is left shifted by j bits
  - The j bits of CT are inserted from the right into the shift register containing the IV
Fig: CFB – Overall Encryption Process (IV shift register -> E with key K -> take just the leftmost 8 bits -> XOR with plaintext j bits -> ciphertext j bits, which are fed back into the shift register; repeated for each unit)
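An added example (not from the notes) that runs the ECB and CBC modes of the earlier section and the CFB steps just listed, plus the OFB variant described next, over a constructed 64-bit toy block cipher; E and D below are an invertible mixing function for the demonstration, not DES, and the key, IV and messages are sample values.

```python
# Added example (not from the notes): ECB, CBC, CFB (j = 8) and OFB run over
# a constructed 64-bit toy block cipher. Blocks and the IV are 64-bit ints.

M64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15
MUL_INV = pow(MUL, -1, 1 << 64)      # MUL is odd, so it is invertible mod 2^64


def E(key, block):
    """Toy block encryption: key-mix, rotate, multiply, key-mix (a bijection)."""
    x = (block ^ key) & M64
    x = ((x << 17) | (x >> 47)) & M64
    x = (x * MUL) & M64
    return x ^ key


def D(key, block):
    """Exact inverse of E."""
    x = (block ^ key) & M64
    x = (x * MUL_INV) & M64
    x = ((x >> 17) | (x << 47)) & M64
    return x ^ key


def ecb_encrypt(key, blocks):
    # every block is encrypted independently: equal PT blocks give equal CT blocks
    return [E(key, p) for p in blocks]


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = E(key, p ^ prev)      # chaining: CT(i-1) is XORed into PT(i)
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(D(key, c) ^ prev)
        prev = c
    return out


def cfb_process(key, iv, data, decrypt=False, j=8):
    """CFB with j = 8: encrypt the shift register, take its leftmost j bits,
    XOR them with the next unit, and shift the *ciphertext* unit in from the right."""
    reg, out = iv, bytearray()
    for unit in data:
        ks = E(key, reg) >> (64 - j)             # leftmost j bits of E(register)
        result = unit ^ ks
        out.append(result)
        fed = unit if decrypt else result        # the ciphertext unit is fed back either way
        reg = ((reg << j) | fed) & M64           # left shift by j, insert from the right
    return bytes(out)


def ofb_process(key, iv, data, j=8):
    """OFB: the encryption *output* (not the ciphertext) feeds the next stage,
    as the notes describe; the leftmost j bits form the key stream.
    Encryption and decryption are the same operation."""
    reg, out = iv, bytearray()
    for unit in data:
        reg = E(key, reg)
        out.append(unit ^ (reg >> (64 - j)))
    return bytes(out)


# constructed sample data: a message whose first and third blocks repeat
KEY = 0x133457799BBCDFF1
IV = 0x0F1E2D3C4B5A6978
BLOCKS = [int.from_bytes(b, "big") for b in (b"FOUR_AND", b"FOUR    ", b"FOUR_AND")]
TEXT = b"debit 100 to account 42\n"   # 24 bytes, handled one byte at a time under CFB/OFB


def demo():
    ecb = ecb_encrypt(KEY, BLOCKS)
    cbc = cbc_encrypt(KEY, IV, BLOCKS)
    return {
        "ecb_repeats": ecb[0] == ecb[2],       # True: the repeat leaks through
        "cbc_repeats": cbc[0] == cbc[2],       # False: chaining hides it
        "cbc_roundtrip": cbc_decrypt(KEY, IV, cbc) == BLOCKS,
        "cfb_roundtrip": cfb_process(KEY, IV, cfb_process(KEY, IV, TEXT), decrypt=True) == TEXT,
        "ofb_roundtrip": ofb_process(KEY, IV, ofb_process(KEY, IV, TEXT)) == TEXT,
    }


if __name__ == "__main__":
    print(demo())
```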


Output Feedback Mode (OFB):
Fig: OFB – Overall Encryption Process
- OFB is extremely similar to CFB
- In OFB the output of the IV encryption process is fed as input to the next stage encryption process

Question:
1. What are the essential ingredients of a symmetric cipher?
2. What are the two basic functions used in an encryption algorithm?
3. How many keys are used by two people to communicate via a cipher?
4. What is the difference between a block and a stream cipher?
5. Write down two general approaches to attacking ciphers
6. Define and explain Caesar cipher, Playfair cipher, Monoalphabetic cipher
7. Write a note on transposition cipher & steganography
8. Write down the difference between diffusion and confusion
9. Why is it important to study the Feistel cipher?
10. Explain different algorithmic modes
11. Working of DES and its variants along with advantages
12. Explain Euclid's algorithm with a suitable example for generating the GCD
13. Are all block ciphers polyalphabetic? Explain
14. Alice can use only an additive cipher (Caesar) on her computer to send a message to a friend. She thinks that the message is more secure if she encrypts the message two times, each time with a different key. Is she right? Defend your answer.
15. Define Key, Code, Encryption, Cryptanalysis, Symmetric key cipher
16. List and explain different kinds of cryptanalysis attacks
17. Define the greatest common divisor of two integers. Which algorithm can effectively find the greatest common divisor?
18. Explain why modern block ciphers are designed as substitution ciphers instead of transposition ciphers
19. Need of cryptography and its applications
20. Encrypt "MEET ME AFTER TOGA PARTY" by using Caesar cipher, Rail fence cipher, Playfair cipher and row-column method

UNIT-II BLOCK CIPHER ALGORITHMS
Fig: Broad level steps in IDEA (input plaintext 64 bits -> P1..P4 -> Round 1 (K1..K6) -> Round 2 (K7..K12) -> ... -> Round 8 (K43..K48) -> Output Transformation (K49..K52) -> CT 64 bits)


U-II BLOCK CIPHER ALGORITHMS
IDEA:
- IDEA is a block cipher similar to DES
- Works on a 64-bit plaintext block
- The key is longer and consists of 128 bits
- IDEA is reversible like DES, i.e. the same algorithm can be used for encryption as well as decryption
- IDEA also uses diffusion as well as confusion techniques
Broad steps in IDEA:
Fig: Broad level steps in IDEA
- The 64-bit input PT block is divided into four parts (each of size 16 bits), say P1 to P4, and taken as input in the first round
- There are 8 such rounds and, as we mentioned, the key consists of 128 bits
- In each round 6 subkeys are generated from the original key
- Each subkey consists of 16 bits and they are applied on the four input blocks P1 to P4
- Each of the eight rounds consists of a series of operations on the four data blocks using six subkeys
- The broad steps specified above perform a lot of mathematical actions in each step, like multiplication, addition and XOR operations
- ADD* and MULTIPLY* are not mere addition and multiplication; instead they are addition modulo 2^16 (addition modulo 65536) and multiplication modulo 2^16 + 1 (multiplication modulo 65537)
Fig: Details of one round in IDEA
Step 1: MUL* P1 and K1
Step 2: ADD* P2 and K2
Step 3: ADD* P3 and K3
Step 4: MUL* P4 and K4
Step 5: XOR step 1 and step 3
Step 6: XOR step 2 and step 4
Step 7: MUL* step 5 and K5
Step 8: ADD* step 6 and step 7
Step 9: MUL* step 8 and K6
Step 10: ADD* step 7 and step 9
Step 11: XOR step 1 and step 9
Step 12: XOR step 3 and step 9
Step 13: XOR step 2 and step 10
Step 14: XOR step 4 and step 10
Fig: Details of the output transform in IDEA
Step 1: MUL* R1 and K1
Step 2: ADD* R2 and K2
Step 3: ADD* R3 and K3
Step 4: MUL* R4 and K4
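An added example (not from the notes) implementing the 14-step round and the output transformation exactly as listed above, with ADD* as addition modulo 65536 and MUL* as multiplication modulo 65537; the subkey table is a constructed sample, since IDEA's key schedule is not covered here.

```python
# Added example (not from the notes): one IDEA round and the output
# transformation as listed in the notes, with the page's ADD* (mod 2^16)
# and MUL* (mod 2^16 + 1). Subkeys are constructed sample values; IDEA's
# real key schedule is not implemented here.

def add(a, b):
    """ADD*: addition modulo 2^16 (65536)."""
    return (a + b) & 0xFFFF


def mul(a, b):
    """MUL*: multiplication modulo 2^16 + 1 (65537). By IDEA's convention
    the 16-bit value 0 stands for 2^16, which keeps the operation invertible."""
    a = 0x10000 if a == 0 else a
    b = 0x10000 if b == 0 else b
    r = (a * b) % 0x10001
    return 0 if r == 0x10000 else r


def mul_inverse(a):
    """Inverse under MUL*, so that mul(a, mul_inverse(a)) == 1."""
    a = 0x10000 if a == 0 else a
    inv = pow(a, -1, 0x10001)        # 65537 is prime, so every value has an inverse
    return 0 if inv == 0x10000 else inv


def idea_round(p, k):
    """One round: p = (P1..P4), k = (K1..K6), all 16-bit values.
    Returns the four 16-bit outputs of steps 11..14."""
    p1, p2, p3, p4 = p
    k1, k2, k3, k4, k5, k6 = k
    s1 = mul(p1, k1)            # step 1
    s2 = add(p2, k2)            # step 2
    s3 = add(p3, k3)            # step 3
    s4 = mul(p4, k4)            # step 4
    s5 = s1 ^ s3                # step 5
    s6 = s2 ^ s4                # step 6
    s7 = mul(s5, k5)            # step 7
    s8 = add(s6, s7)            # step 8
    s9 = mul(s8, k6)            # step 9
    s10 = add(s7, s9)           # step 10
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)   # steps 11..14


def output_transform(r, k):
    """MUL* R1,K1; ADD* R2,K2; ADD* R3,K3; MUL* R4,K4."""
    r1, r2, r3, r4 = r
    k1, k2, k3, k4 = k
    return (mul(r1, k1), add(r2, k2), add(r3, k3), mul(r4, k4))


def undo_output_transform(c, k):
    """Invert the output transformation with the inverses of MUL* and ADD*."""
    c1, c2, c3, c4 = c
    k1, k2, k3, k4 = k
    return (mul(c1, mul_inverse(k1)), add(c2, -k2), add(c3, -k3), mul(c4, mul_inverse(k4)))


def encrypt_block(block, subkeys):
    """8 rounds of 6 subkeys each, then the 4-subkey output transformation."""
    p = tuple((block >> s) & 0xFFFF for s in (48, 32, 16, 0))
    for i in range(8):
        p = idea_round(p, subkeys[6 * i: 6 * i + 6])
    p = output_transform(p, subkeys[48:52])
    return (p[0] << 48) | (p[1] << 32) | (p[2] << 16) | p[3]


# constructed sample subkeys (52 values of 16 bits), not a real IDEA key schedule
SAMPLE_SUBKEYS = [((i + 1) * 0x9E37 + 0x1234) & 0xFFFF for i in range(52)]

if __name__ == "__main__":
    print(f"{encrypt_block(0x0123456789ABCDEF, SAMPLE_SUBKEYS):016x}")
```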


Summary:
- IDEA is a strong encryption algorithm
- Simple binary operations (XOR, ADD, MULT)
- Difficult to cryptanalyze (because of the 3 operations, the use of 16 bits in the manipulations, and the number of rounds)
- Efficient in software (simple operations, no convoluted permutations, same algorithm for encryption and decryption)
- Efficient in hardware (simple modules, simple operations on 16-bit registers)
- Used in commercial products (PGP and some standards)

BLOWFISH:
- Developed by Bruce Schneier
- It has got the reputation of being a very strong symmetric key cryptographic algorithm
Features:
- Fast: encryption rate on a 32-bit microprocessor is 26 clock cycles/sec
- Compact: can execute in less than 5 KB of memory
- Simple: uses only primitive operations, i.e. addition, XOR and table lookup
- Secure: has a variable key length up to a maximum of 448 bits
- Suitable for applications where the key remains constant for a long interval of time
Working: Encrypts a 64-bit block with a variable length key; it contains two major operations
1. Key Expansion: this process expands a key of up to 448 bits into subkeys totaling 4168 bits
2. Data Encryption: this process involves iterating a simple function 16 times. Each round contains a key-dependent permutation and a key-dependent substitution
Fig: Working of Blowfish (PT 64 bits split into two 32-bit halves; in each round the left half is XORed with P1..P16 and passed through F; after 16 rounds the halves are XORed with P18 and P17 to give the 64-bit CT)
Encryption of a 64-bit input PT block X is as follows:
1. Divide X into two parts XL and XR of equal size, i.e. 32 bits each
2. For i = 1 to 16:
     XL = XL XOR P(i)
     XR = f(XL) XOR XR
     Swap XL, XR
   Next i
3. Swap XL, XR
4. XL = XL XOR P18
5. XR = XR XOR P17
6. Combine XL and XR back into X to produce the CT, as shown in the above fig.

TWOFISH:
- Developed by Bruce Schneier and teammates (in 1993)
- Symmetric key block cipher
- PT block size is 128 bits
- Key size up to 256 bits, i.e. 128, 192 and 256
- No. of rounds: 16; uses a basic Feistel network
- It was one among the five finalists for AES

AES (Advanced Encryption Standard):
- In 1990 the US government wanted to standardize an algorithm which was universally accepted
- Many proposals were submitted; after a long debate Rijndael was accepted
- Rijndael was developed by Joan Daemen and Vincent Rijmen (from Belgium)
- Out of 15 proposals only 5 were short listed in August 1999
- In October 2000 Rijndael was accepted as the final selection for AES
Features of AES:
- Symmetric and parallel structure: gives the implementer flexibility and stands up well against cryptanalysis attacks
- Suitable for modern RISC processors
- Suited for smart cards
Working:
- PT block size: 128, 192, 256
- Key length: independent of the selected PT block size, and organized in variable sizes (16, 24 and 32 bytes)
- Rijndael/AES consists of 10, 12 or 14 rounds and each round consists of 4 steps
- Does not have the structure of a classical Feistel cipher
- Treats data in 4 groups of 4 bytes; operates on an entire block in every round
Step 1: Byte Substitution
Step 2: Shift Rows
Step 3: Mix Columns
Step 4: Round Key Addition
Repeat these four steps


10, 12 or 14 times
Fig: Broad level steps
Designed to be:
- Resistant against known attacks
- Speed and code compactness on many platforms
- Decryption algorithm different from the encryption
Fig: (a) Initial PT/Key block (4 rows of 4 bytes)
Step 1: Byte Substitution: an S-Box technique is used, similar to DES; the input text passes through the S-Box and the corresponding text is generated
Fig: Step 1: Byte Substitution (S-Box)
Step 2: Shift Rows: in this step the first row is untouched; the other three rows are shifted by a variable amount, as shown below
Fig: Step 2: Shift Rows
  Before:       After:
  A B C D       A B C D
  E F G H       H E F G
  I J K L       K L I J
  M N O P       N O P M
Step 3: Mix Columns: in this step the 4 bytes of every column are mixed in a linear fashion; it is not possible to depict
Step 4: Key Addition: each key byte is XORed with the corresponding input byte and the result becomes the CT for this round
Fig: Step 4: Key Addition (Input block A..P XOR Key block A..P = Output)

CAST:
  CAST-128: block size 64 bits; key size 40 to 128 bits in 8-bit increments
  CAST-256: block size 128 bits; key size 128, 160, 192, 224 or 256 bits
- CAST takes its name from the initials of its designers, Carlisle Adams and Stafford Tavares
- The CAST cipher is patented by Entrust Technologies
- They allow royalty-free use of the cipher by anyone
- CAST uses a DES-like substitution permutation network (SPN)
- CAST also possesses a number of other desirable cryptographic properties, including avalanche and strict avalanche (SAC)

Stream Cipher Structure:
- Process the message byte by byte (as a stream)
- Typically have a (pseudo) random stream key that is XORed with the plaintext bit by bit
- The randomness of the stream key completely destroys any statistical properties in the message
- Ci = Mi XOR StreamKey_i
- The simplest encryption/decryption algorithm possible!
- A stream cipher is similar to the one-time pad discussed a few lectures back
- The difference is that a one-time pad uses a genuine random number stream, whereas a stream cipher uses a pseudorandom number stream generated based on a secret key
- One must never reuse a stream key
- Otherwise one can remove its effect and recover messages
- XOR two ciphertexts obtained with the same key stream to obtain the XOR of the plaintexts; it is enough to know about the structure of the files to effectively attack them

Pseudo Random Number Generation Standard:
- As we know, random numbers are extremely crucial in cryptography


- A series of numbers is said to be random if, given n numbers of the series, we cannot predict what the (n+1)th number in the series would be
- We feel that computers can generate random numbers; even some programming languages provide facilities to generate random numbers
- However this is not quite correct: random numbers generated by computers are not truly random, as over a period of time we can predict them
- Prediction of computer generated random numbers is possible because computers are rule-based machines and they have a finite range for generating random numbers
- So to tackle the problem of generating truly random numbers by computers we use some external means with computers
- The process of generating truly random numbers by using some external means is called pseudo random number generation
There are the following ways of generating pseudo random numbers:
1. Monitor hardware that generates random data: the best but costliest approach; the generator is generally an electronic circuit which is sensitive to some random physical event such as diode noise or atmospheric changes. This unpredictable sequence of events can be transformed into a random number
2. Collect random data from user interaction: in this approach user interactions such as keyboard key presses and mouse movements are used as input to generate random numbers
3. Collect random data from inside the computer: this approach involves the collection of data from inside the computer which is hard to predict; this data can be the system clock, the total no. of files on disk, the number of disk blocks, the amount of free and unused memory, etc. Netscape Navigator used the system clock and some other attributes to generate the random numbers which form the basis of the SSL protocol

Pseudo Random Number Generator (PRNG)
Linear Congruential Generator:
- This is the first algorithm, proposed by Lehmer (Lehm-51); it consists of the following parameters
    m  - the modulus, m > 0
    a  - the multiplier, 0 < a < m
    c  - the increment, 0 <= c < m
    X0 - the seed / starting value, 0 <= X0 < m
- The sequence of random numbers {Xn} is obtained with the iterative equation given below
- If m, a, c and X0 are integers then this technique will produce a sequence of integers with each integer in the range


0 <= Xn < m
    Xn+1 = (aXn + c) mod m
- We would like to keep m very large so that there is the potential to produce a long series of distinct random numbers
- The strength of the linear congruential algorithm depends on the selection of the multiplier and the modulus
- If an opponent knows that the linear congruential method is used then there is the possibility of discovering all subsequent numbers

Fig: Pseudo random number generator from a counter (counter C with period N -> C+1 -> encryption algorithm with master key Km -> Xi = EKm(C+1))
Cryptographic Generators:
For cryptographic applications it is advantageous to use an available encryption algorithm to produce random numbers
Cyclic Encryption:
- In this case the procedure is used to generate session keys from a master key
- A counter with period N provides the input to the encryption logic
- After a key is produced the counter is incremented
- So the pseudo random numbers produced by this scheme cycle through a full period X0, X1, ..., XN-1

Fig: ANSI X9.17 PRNG (DTi date/time -> EDE; Vi seed value XOR -> EDE -> Ri; Ri XOR -> EDE -> Vi+1 seed value; K1, K2: DES keys used for each stage; Ri: pseudo random no. produced)
ANSI X9.17 PRNG:
- Is one of the strongest PRNG methods, shown above, which makes use of triple DES (DES-III)
Inputs: Two inputs drive the generator and they are
1. A 64-bit representation of the current date and time, which is updated after each number generation
2. The other is a 64-bit seed value initialized to some arbitrary value
Keys: The generator makes use of a triple DES encryption module and


they make use of the same pair of 56-bit keys, which must be kept secret and used only for random number generation.

Output: consists of a 64-bit pseudo-random number and a 64-bit seed value.

Random number is given by:
    Ri = EDEK1,K2[Vi XOR EDEK1,K2[DTi]]
Seed value is given by:
    Vi+1 = EDEK1,K2[Ri XOR EDEK1,K2[DTi]]

DTi – date and time of the ith round
Vi – seed value at the beginning of the ith generation
Ri – pseudo-random number produced by the ith generation stage
K1, K2 – DES keys used for each stage

Stream Cipher Design
• Key stream should have a large period – a pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats
• Key stream should approximate the properties of a true random number generator
    • Same frequency of 0 and 1
    • If treated as a stream of bytes, all 255 values should occur with the same frequency
• Key should be long enough to protect against brute-force attack
    • At least 128 bits
• Advantage over block ciphers: generating the key stream is much faster than encrypting and decrypting, and less code is needed

Fig: Stream Cipher Diagram

RC4 Stream Cipher
• This is the most popular symmetric stream cipher
• Designed by Rivest for RSA Security
• Used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards for secure communication between Web browsers and servers
• Used in WEP, part of the IEEE 802.11 wireless LAN standard
• RC4 was kept as a trade secret by RSA Inc. but was anonymously posted on the Internet in 1994

RC4 Algorithm:
• Key length is variable: from 1 to 256 bytes
• Based on the key, initialize a 256-byte state vector S: S[0…255]
• At all times S contains a permutation of the numbers 0, 1, …, 255
• For encryption and decryption a byte k is selected from S and the entries in S are permuted

RC4 Initialization of S:
• Initially S[i] = i, i = 0, 1, …, 255, and create a temporary vector T of length 256 – the key K is copied to T (if K has less than 256 bytes, repeat K as many times as necessary to fill T)
• Use T to produce the initial permutation of S
• The input key is never used after this initialization

RC4 Key stream Generation:
• Encryption: XOR k with the next byte of the plaintext
• Decryption: XOR k with the next byte of the ciphertext
• There is no practical attack against RC4 with a reasonable key length such as 128 bits
• Strength of RC4: there has been a report of a problem in the WEP protocol (for 802.11 wireless LAN) – the problem is not with RC4 but rather with the way in which keys are generated to use as input to RC4

RC5 Algorithm:
• Symmetric key encryption algorithm developed by Ronald Rivest

Features of RC5 are
• Fast: since it uses primitive operations such as addition, XOR and shift
• It allows a variable number of rounds and a variable length of key bits
• Requires less memory
• Suitable for modern processors, smart cards as well as devices with less memory

Working:
1. Basic Principles:
• Word size (PT block size) in bits: RC5 encrypts two-word blocks at a time, and the words are of 16, 32 or 64 bits
• No. of rounds: 0 to 255
• No. of 8-bit bytes (octets) in the key: 0-255
• i.e. the PT block size can be 32, 64 or 128 bits (since 2-word blocks are used)
• The output resulting from RC5, i.e. the CT, has the same size as the input plaintext
• RC5 allows variable values in three parameters, i.e. PT length, no. of rounds and key length, so at any instance the RC5 algorithm is denoted as RC5-w/r/b or RC5wrb
• Where w – word size, r – no. of rounds, b – no. of 8-bit bytes in the key

Divide the original PT into two blocks of equal size; call them A and B
Add A and S[0] to produce C
Add B and S[1] to produce D
Start with counter i = 1
1. XOR C & D to produce E
2. Circular left shift E by D bits

3. Add E & S[2i] to produce F
4. XOR D & F to produce G
5. Circular left shift G by F bits
6. Add G & S[2i+1] to produce H
Increment i by 1
Check: is i > r? If so, stop
Call F as C (i.e. C = F)
Call H as D (i.e. D = H)

Fig: Encryption using RC5

• RC5-32/16/16 means RC5 with a block size of 64 bits, as it uses two-word blocks at a time; RC5 with 16 rounds; RC5 with 16 bytes (i.e. 128 bits) in the key value
• Rivest suggested RC5-32/12/16 as the minimum safe version

2. Principle of operation:
• As shown in the above fig., the first two steps are a one-time initial operation. The input PT is divided into 32-bit blocks A and B

Fig: One-time initial operation in RC5 (the original PT is split into A and B; A + S[0] gives C, B + S[1] gives D)

• The first two sub keys S[0] and S[1] are added to A and B and produce C & D
• Now the rounds begin, and in each round there are the following operations
1. Bitwise XOR
2. Left circular shift
3. Addition with the next sub key
for both C and D
• As shown in the fig., the output of one block is fed back to the input of the next block, which makes the whole logic complicated for a cryptanalyst to decipher

Step by step Algorithmic Details:

Step-I: XOR C and D in the first step of each round to produce E
    (Fig: C, D → XOR → E)
Step-II: Circular left shift E by D bits
    (Fig: E → shifted E)
Step-III: E is added to the next sub key
    (Fig: shifted E + S[2i] → F)
Step-IV: XOR D and F to produce G
    (Fig: D, F → XOR → G)
Step-V: Circular left shift G by F bits
    (Fig: G → shifted G)
Step-VI: G is added to the next sub key
    (Fig: shifted G + S[2i+1] → H)
Step-VII: Miscellaneous task
• In this step we check to see whether all the rounds are over or not; for this we perform the following steps
• Increment i by 1
• Check to see if i < r, and perform the following
    i = i + 1
    If i < r
        Call F as C again
        Call H as D again
        Go back to Step-I
    Else
        Stop
    End if

Mathematical representation of RC5 (Encryption):
    A = A + S[0]
    B = B + S[1]
    For i = 1 to r
        A = ((A XOR B) <<< B) + S[2i]
        B = ((B XOR A) <<< A) + S[2i+1]
    Next i
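Here is the RC4 initialization of S (the key scheduling) and the keystream generation described in the RC4 section above, as an added Python example; it is not code from the lecture notes. The function names are my own, and the key/plaintext pairs are constructed test inputs (the first is the widely published RC4 test vector for key "Key" and plaintext "Plaintext").

```python
# Added example (not from the lecture notes): RC4 key scheduling and keystream
# generation exactly as described in the notes. Encryption and decryption are
# the same operation: XOR the data with the keystream byte k.

def rc4_ksa(key: bytes) -> list:
    """Initialise S[i] = i, fill T by repeating the key as often as needed,
    then use T to produce the initial permutation of S. The key is never
    used again after this step."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    t = [key[i % len(key)] for i in range(256)]   # repeat K to fill T
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]                   # S stays a permutation of 0..255
    return s


def rc4_keystream(s: list):
    """Keystream generation: select a byte k from S and permute S further."""
    s = s[:]          # work on a copy so the initial permutation can be reused
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the next keystream byte k."""
    ks = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)


def rc4_demo():
    # Constructed sample input: the public RC4 test vector ("Key", "Plaintext").
    ct = rc4_crypt(b"Key", b"Plaintext")
    pt = rc4_crypt(b"Key", ct)     # same key, same operation, recovers the plaintext
    return ct.hex(), pt


if __name__ == "__main__":
    print(rc4_demo())
```

Because the cipher is a bare XOR with a keystream that depends only on the key, the same key (or the same key-plus-IV, which is how WEP built its per-packet keys) must never be used for two messages: the XOR of two such ciphertexts equals the XOR of the plaintexts. That key-generation issue is the WEP problem the notes refer to, and it is one reason current TLS versions no longer allow RC4.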
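The encryption formulas above, the corresponding decryption, and the sub key creation (generate S, then mix S with the key words L), as an added Python implementation of RC5-32/12/16; this is not the notes' own code. The constants P32 and Q32 and the mixing loop follow Rivest's definition of RC5 for 32-bit words; the key and blocks used in the demo are constructed values.

```python
# Added example (not from the lecture notes): RC5 with 32-bit words, default
# r = 12 rounds and a b-byte key (RC5-32/12/b). Word size is fixed at 32 here.

P32, Q32 = 0xB7E15163, 0x9E3779B9   # RC5 "magic" constants for w = 32
MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    n %= 32                          # rotation amount is taken mod the word size
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK


def rc5_expand_key(key: bytes, r: int = 12) -> list:
    """Sub key creation: step 1 generates S[0..2r+1]; step 2 mixes S with L,
    the key split into 32-bit little-endian words."""
    u = 4                                        # bytes per word
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):        # key[0] becomes the low byte of L[0]
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (r + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]   # step 1: generate S
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):               # step 2: mix S with L
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S: list, A: int, B: int, r: int = 12):
    A = (A + S[0]) & MASK            # one-time initial operation: C = A + S[0]
    B = (B + S[1]) & MASK            #                             D = B + S[1]
    for i in range(1, r + 1):        # XOR, left circular shift, add next sub key
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B


def rc5_decrypt_block(S: list, A: int, B: int, r: int = 12):
    for i in range(r, 0, -1):        # undo the rounds in reverse order, B first
        B = _rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B


def rc5_demo():
    # Constructed inputs: a 16-byte key (b = 16) and a 64-bit block given as two words.
    S = rc5_expand_key(b"constructed-key!")
    ct = rc5_encrypt_block(S, 0x01234567, 0x89ABCDEF)
    pt = rc5_decrypt_block(S, *ct)
    return ct, pt


if __name__ == "__main__":
    print(rc5_demo())
```

The decryption order matters: B is recovered first because the round computed B from the already-updated A, and both subtractions are done modulo 2^32 before the right rotation. The variable rotation amounts (B and A themselves) are what makes RC5 data-dependent.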

Mathematical representation of RC5 (Decryption):
    For i = r to 1 step -1
        B = ((B - S[2i+1]) >>> A) XOR A
        A = ((A - S[2i]) >>> B) XOR B
    Next i
    B = B - S[1]
    A = A - S[0]

Sub key creation:
• Sub key creation is a two-step process
1. In the first step the sub keys (denoted by S[0], S[1], …) are generated
2. The original key is called L; in the second step the sub keys (S[0], S[1], …) are mixed with the corresponding sub-portions of the original key, i.e. L[0], L[1], …, as shown

Fig: Sub key generation (generate S[0], S[1], …) followed by sub key mixing (mix with L[0], L[1], …)

Question:
1. Explain the working of IDEA by drawing a block diagram and giving details of the round steps
2. Explain the output transformation process of IDEA
3. Explain the working of Blowfish by giving the details of the bits and bytes utilized for block and key
4. What is the difference between a random no. and a pseudo random no.? Also explain the role of random numbers in cryptography
5. Explain different methods used for generating pseudo random numbers
6. Explain the linear congruential method for generating pseudo random numbers
7. What is a cryptographic random no. generator? How is it different from normal random number generators?
8. Explain the cyclic method and ANSI X9.17 for generating random numbers
9. Explain the working of RC5 with details of each and every step; also give the mathematical representation of encryption and decryption
10. Explain the working of RC4

UNIT-III PUBLIC KEY CRYPTOGRAPHY

Prime Numbers:
• A prime number is a positive integer greater than 1 whose only factors are 1 and the number itself
• A prime number cannot be divided by any number other than 1 and itself
E.g. 2, 3, 5, 7, 11 … are prime numbers; 4, 6, 8, 10, 12 … are not prime

Relative prime numbers:
• Two numbers are relatively prime when they have no factors in common other than 1
E.g. the numbers 21 and 44 are relatively prime (because they have no factors in common); the numbers 21 and 45 are not relatively prime as they have the common factor 3

Fig: Primality test – Deterministic (decides with absolute certainty whether a number is prime or not) / Probabilistic (can potentially/falsely identify a composite no. as a prime number)

Primality Test
• As shown in the above fig., primality tests are of two types, i.e. deterministic and probabilistic
• A probabilistic test is fast as compared with a deterministic one

Testing for Primality of a number:
• Cryptographic algorithms select one or more very large prime numbers at random
• So it is important to check the primality of the selected random number

Fermat's Little Theorem: If p is prime and a is a positive integer not divisible by p, then
    a^(p-1) ≡ 1 mod p
(the symbol ≡ stands for "identical/congruent to")

Miller Rabin Test: If either the first element in the sequence is 1 or some other element is n-1, then n could be (is probably) prime; otherwise n is certainly not prime
    Test(n)
    1. n-1 = 2^k q; compute k and q
    2. Select a random integer a
    3. 1 < a < n-1
    4. If a^q mod n = 1 then return "No. is probably prime"
    5. For j = 0 to k-1 do
    6.     If a^(2^j q) mod n = n-1 then return "No. is probably prime"
    Return "Not prime"

Composite Number:
• A positive integer which has a positive divisor other than one and itself is called a composite number
• By definition every integer greater than 1 is either a prime number or a composite number
• The numbers 0 and 1 are considered to be neither prime nor composite

Properties:
• All even numbers greater than 2 are composite numbers
• The smallest composite number is 4

Factoring large No.:
• The process of finding the factors of a number is called factoring
• Integer factorization (breaking a large no.) is breaking down a composite number into smaller nontrivial divisors which, when multiplied together, equal the original number

• For very large numbers there is no efficient integer factorization algorithm
• A recent effort which factored a 200-digit number (RSA-200) took 18 months

Overview of Asymmetric key cryptography:
• Asymmetric key cryptography is also called public key cryptography
• Two different keys, which form a key pair, are used for encryption and decryption
• One of the two keys is called the public key and the other is called the private key
• The public key is used for encryption and the private key is used for decryption
• The private key will remain with the user while the public key is shared among the group of users
• In this scheme each person or node publishes its public key, and by using these details a directory can be constructed where details of the various nodes and keys are maintained
• If someone is interested in communicating with the concerned node, he gets the details of the public key through the directory

Table: Directory of public and private keys
    Key Details        A Should Know    B Should Know
    A's Private Key    YES              NO
    A's Public Key     NO               YES
    B's Private Key    NO               YES
    B's Public Key     YES              NO

Fig: Asymmetric Key Cryptography (A encrypts with the public key of computer B, the CT crosses the network cloud, B decrypts with the private key of computer B)

Working:
• Let Kua be the public key and Kpa the private key of computer A
• Similarly Kub & Kpb are the public & private keys of computer B
• Computer A wants to transfer a message to computer B, so A encrypts the message by using B's public key, and this is only possible when A knows B's public key
• A produces CT by using the public key of computer B, i.e. CT = EKub(PT), and diverts it to B
• B decrypts the message by using its own private key, i.e. Kpb
• Similarly when B wants to send a message to A it encrypts the message with the public key of computer A, i.e. Kua

Fig: Banking Example (the customer encrypts with the bank's public key and the CT is sent to the banking server)

As shown in the above fig., the bank publishes its public key to all its customers. Customers can use the bank's public key for encrypting messages, while they can decipher data received from the bank by using their own private key.

RSA Algorithm:
• Developed by Rivest, Shamir and Adleman
• Most popular asymmetric key cryptographic algorithm
• The RSA algorithm is based on the mathematical fact that it is easy to find and multiply two large prime numbers together but it is extremely difficult to factor their product
• The public and private keys in RSA are based on very large prime numbers (made of 100 or more digit prime numbers)
• The algorithm is quite simple; however the challenge is related to the selection and generation of the public and private keys

Algorithm:
1. Select two large prime numbers, let P and Q
2. Calculate N = P * Q
3. Select the public key (i.e. encryption key) E such that it is not a factor of (P – 1) and (Q – 1)
4. Select the private key (i.e. decryption key) D such that the following equation becomes true: (D * E) mod (P – 1) * (Q – 1) = 1
5. For encryption calculate the cipher text CT from the plain text PT as follows: CT = PT^E mod N
6. Send CT, i.e. the cipher text, to the receiver
7. For decryption calculate PT from CT, i.e. PT = CT^D mod N

Fig: A computes CT = PT^E mod n; B computes PT = CT^D mod n; intruder I would have to compute PT = E-th root of CT mod n

As shown, for users A & B there is polynomial complexity while for intruder I there is logarithmic complexity, i.e. it is hard for the intruder to break the cipher.

Example:
1. Take P = 7 and Q = 17 as the two prime numbers
2. N = P * Q = 7 * 17 = 119
3. (P-1) * (Q-1) = 6 * 16 = 96, so the factors are 2, 2, 2, 2, 2 and 3; so the public key should not have a factor of 2 or 3; let us choose the public key value as 5
4. Select the private key D such that (D * E) mod (P-1) * (Q-1) = 1, so choose 77 as D because it satisfies the equation
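The Miller-Rabin test from the primality section and RSA steps 1 to 7 above, as an added Python example; this is not the notes' own code. It reproduces the notes' toy parameters P = 7, Q = 17, E = 5, but obtains D with a modular inverse instead of by trial, and it shows how a real key generator would pick P and Q (random candidates of a requested size, kept only when they pass the probabilistic test). The plaintext value 10, the 20-round repeat count and the function names are constructed choices.

```python
# Added example (not from the lecture notes): Miller-Rabin primality testing
# and RSA key generation / encryption / decryption as in the notes' steps.
import secrets
from math import gcd


def miller_rabin(n: int, rounds: int = 20) -> bool:
    """Probabilistic test. Returns False when n is certainly composite and
    True when n is probably prime (error probability at most 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):            # cheap trial division first
        if n % p == 0:
            return n == p
    k, q = 0, n - 1                           # step 1: write n-1 = 2^k * q, q odd
    while q % 2 == 0:
        k += 1
        q //= 2
    for _ in range(rounds):                   # repeat with independent random bases
        a = secrets.randbelow(n - 3) + 2      # steps 2-3: 1 < a < n-1
        x = pow(a, q, n)
        if x == 1 or x == n - 1:              # step 4, and j = 0 of step 6
            continue
        for _ in range(k - 1):                # steps 5-6: square up to k-1 more times
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # no element was n-1: certainly not prime
    return True


def random_prime(bits: int) -> int:
    """Pick random odd candidates with the top bit set until one passes."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-4: N = P*Q, E must share no factor with (P-1)(Q-1), and D is
    the inverse of E modulo (P-1)(Q-1), so (D*E) mod (P-1)(Q-1) = 1."""
    if not (miller_rabin(p) and miller_rabin(q)):
        raise ValueError("P and Q must be prime")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be relatively prime to (P-1)(Q-1)")
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)             # public key (E, N), private key (D, N)


def rsa_encrypt(pub, pt: int) -> int:
    e, n = pub
    return pow(pt, e, n)                      # step 5: CT = PT^E mod N


def rsa_decrypt(priv, ct: int) -> int:
    d, n = priv
    return pow(ct, d, n)                      # step 7: PT = CT^D mod N


def rsa_demo():
    pub, priv = rsa_keygen(7, 17, 5)          # the notes' toy example: N = 119
    ct = rsa_encrypt(pub, 10)                 # constructed plaintext 10 (< N)
    return priv[0], ct, rsa_decrypt(priv, ct)


if __name__ == "__main__":
    print(rsa_demo())                         # D = 77, as in the notes
    p, q = random_prime(512), random_prime(512)
    pub, priv = rsa_keygen(p, q, 65537)
    print(rsa_decrypt(priv, rsa_encrypt(pub, 12345)))
```

Two points the toy numbers hide: the Fermat test alone accepts Carmichael numbers such as 561 for every base, which is why the squaring chain of Miller-Rabin is needed, and textbook RSA on a bare integer as done here provides no padding, so real systems use RSA only through a padding scheme such as OAEP and with moduli of 2048 bits or more.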

5. i.e. (5 * 77) mod 96 => 385 mod 96 = 1, which satisfies our condition
6. E = 5 and D = 77

Diffie and Hellman Key exchange Algorithm:
• Whitfield Diffie and Martin Hellman devised an amazing solution to the problem of key agreement or key exchange in 1976
• Two parties who want to communicate securely can agree on a symmetric key using this technique
• This key can be used for encryption or decryption
• The Diffie-Hellman algorithm can be used for key agreement and for encryption and decryption

Description of Algorithm:
1. A and B agree on two large prime numbers n and g; these two integers are not kept secret; A and B use an insecure communication channel to agree on them
2. A (Alice) chooses another large random number x and calculates A such that A = g^x mod n
3. Alice (A) sends the number A to Bob (B)
4. Meanwhile B independently selects another large random number y and calculates B such that B = g^y mod n
5. Bob sends B to A
6. Now Alice computes the key K1 = B^x mod n
7. Now Bob computes the key K2 = A^y mod n

It is surprising that K1 and K2 are equal; this means K1 = K2 = K is the symmetric key

Note: The Diffie-Hellman key exchange algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field, as compared with the ease of computing exponentiation in the same field

Fig: Working process of the Diffie-Hellman key exchange (A and B agree on two prime numbers n, g; A selects random number x and computes A = g^x mod n; B selects random number y and computes B = g^y mod n; they exchange the values of A & B; A computes K1 = B^x mod n and B computes K2 = A^y mod n)

Example:
1. Firstly Alice and Bob agree on two large prime numbers n and g. These integers need not be kept secret; they can use an unsecured communication channel to agree on them. Let n = 11 and g = 7
2. Alice selects another large random number x and calculates A such that A = g^x mod n. Let x = 3; then we have A = 7^3 mod 11, A = 343 mod 11, i.e. A = 2
3. Alice sends the value of A, i.e. A = 2, to Bob

4. Bob independently selects another large random number y and calculates B such that B = g^y mod n. Let y = 6; then we have B = 7^6 mod 11, B = 117649 mod 11, i.e. B = 4
5. Bob sends the value of B, i.e. B = 4, to Alice
6. Now Alice computes the secret key K1 at her end: K1 = B^x mod n, where K1 = 4^3 mod 11 = 9
7. Bob calculates the key K2 at his end: K2 = A^y mod n, where K2 = 2^6 mod 11 = 9
So, as shown, the secret keys computed at both ends are the same

Problem with Diffie and Hellman key exchange Algorithm:
It can fall prey to the man-in-the-middle attack (or, to be politically correct, woman-in-the-middle attack), also called the bucket brigade attack
1. Alice and Bob want to communicate, so first Alice sends the values of g and n to Bob as usual; let n = 11 and g = 7
    Alice           Tom             Bob
    n = 11, g = 7   n = 11, g = 7   n = 11, g = 7
2. Alice does not realize that the attacker Tom is listening on the channel. Tom simply picks up the values of n and g and forwards them to Bob
3. Now let us assume Alice, Bob as well as Tom select random numbers x and y independently (where Tom selects both x & y)
    Alice     Tom            Bob
    x = 3     x = 8, y = 6   y = 9
4. Now, based on the selected random values, Alice and Bob calculate A & B; however Tom calculates both A & B
    Alice:  A = g^x mod n = 7^3 mod 11 = 343 mod 11 = 2
    Tom:    A = g^x mod n = 7^8 mod 11 = 5764801 mod 11 = 9
            B = g^y mod n = 7^6 mod 11 = 117649 mod 11 = 4
    Bob:    B = g^y mod n = 7^9 mod 11 = 40353607 mod 11 = 8
5. Now the real drama begins. Alice sends A = 2 to Bob; Tom intercepts it and, instead of sending A = 2, sends A = 9 to Bob
6. In return Bob sends B, i.e. B = 8, to Alice; Tom intercepts it again and sends his B, i.e. B = 4, to Alice
Now the secret keys computed by Alice and Bob are based on the values of A & B given by Tom, i.e. Tom too knows the keys used by Alice and Bob. Tom is able to decipher the CT used by Alice & Bob for communication.

Elgamal Algorithm:
• Elgamal is a symmetric key encryption algorithm for public key cryptography which is based on the Diffie-Hellman key exchange algorithm
• Developed by Taher Elgamal in 1984
• The algorithm is used in the free GNU Privacy Guard software
• The security of Elgamal is based on the difficulty of computing discrete logarithms in a finite field

Working:
1. To generate the key pair, first select a prime number p and two random numbers g and x so that both g and x are less than p
2. Find the value of y = g^x mod p
3. The public key becomes (y, g, p); both g and p can be shared among the group of users
4. The private key is x
5. For encrypting a plaintext message M, first select a random number k which is relatively prime to p-1
6. Now find a and b where a = g^k mod p and b = y^k M mod p; here M = (ax + kb) mod (p-1)
7. The pair (a, b) becomes the cipher text
8. To decrypt (a, b) and find out the plaintext M, calculate M = b / a^x mod p

Elliptical Curve cryptography (ECC):
• RSA is the most popular encryption algorithm used in public key cryptography
• Over the years the key length of RSA has been increasing, which puts a considerable burden on RSA
• Another public key cryptography algorithm that is gaining popularity is known as ECC
• The main difference between RSA and ECC is that ECC offers the same level of security with smaller key sizes
• ECC is highly mathematical in nature

Elliptical Curve:
• An elliptical curve is similar to a normal curve drawn on the X and Y axes
• It has some points, and each point can be designated by (x, y) coordinates just like on any graph
• A point can be designated as P(4, -9), as shown in the graph, which means that it is 4 units on the x axis and 9 below on the y axis

Fig: Point P(4, -9) on the graph

• Consider an elliptical curve E with a point P; now generate a random number d
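Before continuing with ECC, here is the Diffie-Hellman exchange with the notes' numbers (n = 11, g = 7, x = 3, y = 6), the Tom-in-the-middle table above, and the ElGamal "Working" steps, as one added Python example; this is not code from the notes, and the two schemes are shown together because ElGamal's key pair is exactly the y = g^x mod p computation of Diffie-Hellman. The ElGamal parameters p = 467, g = 2, x = 153, k = 213 and message 100 are constructed values, and the division in M = b / a^x mod p is carried out as multiplication by the modular inverse.

```python
# Added example (not from the lecture notes): Diffie-Hellman agreement, the
# unauthenticated-exchange problem from the notes' table, and ElGamal
# encryption/decryption. Tiny parameters are for illustration only; real use
# needs primes of 2048 bits or more, or elliptic curves.
import secrets
from math import gcd


def dh_public(g: int, n: int, private: int) -> int:
    return pow(g, private, n)                # A = g^x mod n (or B = g^y mod n)


def dh_shared(peer_public: int, private: int, n: int) -> int:
    return pow(peer_public, private, n)      # K1 = B^x mod n, K2 = A^y mod n


def dh_demo(n: int = 11, g: int = 7, x: int = 3, y: int = 6):
    """The notes' example: returns (A, B, K1, K2)."""
    A, B = dh_public(g, n, x), dh_public(g, n, y)
    return A, B, dh_shared(B, x, n), dh_shared(A, y, n)


def dh_in_the_middle(n=11, g=7, x=3, y=9, tom_x=8, tom_y=6):
    """Reproduces the notes' table. With nothing authenticating A and B,
    Tom shares one key with Alice and a different key with Bob, which is why
    a deployed exchange must sign or otherwise authenticate the values."""
    A, B = dh_public(g, n, x), dh_public(g, n, y)               # genuine 2 and 8
    A_tom, B_tom = dh_public(g, n, tom_x), dh_public(g, n, tom_y)  # substitutes 9 and 4
    alice_key = dh_shared(B_tom, x, n)       # Alice received Tom's B
    bob_key = dh_shared(A_tom, y, n)         # Bob received Tom's A
    tom_with_alice = dh_shared(A, tom_y, n)
    tom_with_bob = dh_shared(B, tom_x, n)
    return alice_key, tom_with_alice, bob_key, tom_with_bob


# ---- ElGamal, following the notes' "Working" list ------------------------

def elgamal_keygen(p: int, g: int, x: int):
    """Public key (y, g, p) with y = g^x mod p; private key x."""
    return (pow(g, x, p), g, p), x


def elgamal_encrypt(pub, m: int, k: int = None):
    y, g, p = pub
    if k is None:                            # k must be relatively prime to p-1
        while True:
            k = secrets.randbelow(p - 2) + 1
            if gcd(k, p - 1) == 1:
                break
    a = pow(g, k, p)                         # a = g^k mod p
    b = (pow(y, k, p) * m) % p               # b = y^k * M mod p
    return a, b                              # the pair (a, b) is the cipher text


def elgamal_decrypt(x: int, p: int, ct):
    a, b = ct
    # M = b / a^x mod p; "division" is multiplication by the inverse of a^x
    return (b * pow(pow(a, x, p), -1, p)) % p


def elgamal_demo(p=467, g=2, x=153, m=100, k=213):
    pub, x = elgamal_keygen(p, g, x)
    ct = elgamal_encrypt(pub, m, k)
    return ct, elgamal_decrypt(x, p, ct)


if __name__ == "__main__":
    print(dh_demo())                          # (2, 4, 9, 9)
    print(dh_in_the_middle())                 # (9, 9, 5, 5)
    print(elgamal_demo())
```

The `dh_in_the_middle` result is the whole lesson of the notes' table: Alice's key equals the one Tom computed for her, Bob's equals the one Tom computed for him, and the two differ, so Tom can re-encrypt in both directions. Diffie-Hellman therefore needs authenticated values (signatures or certificates, as in the key distribution methods that follow), and ElGamal needs a fresh random k for every message.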

• Let us have Q = d * P
• As per the mathematics of ECC, E, P and Q are public values and the challenge is to find d
• This challenge is called the elliptical curve discrete logarithm problem
• As long as the curve is big enough it is almost impossible to find d
• Thus E, P, Q together form the public key
• d is correspondingly the private key

Strengths of ECC:
• Small key size (RSA-1024 bit equivalent to ECC-160 bit)
• Less computational overhead than RSA since it does not analyze prime numbers
• Requires less storage, less power, less memory and less bandwidth
• Can be used in wireless devices, handhelds and smart cards

Weaknesses of ECC:
• Not as extensively researched as RSA
• New details are still being resolved
• Many ECC techniques are still too new to be trusted
• Not widely used or supported

Key Management:
One of the major roles of public key encryption algorithms is to address the problem of key distribution; there are two distinct aspects
1. Distribution of public keys
2. Use of public key encryption to distribute secret keys

Distribution of public key:
Several techniques are proposed for the distribution of public keys, and all these proposals are grouped to form the following methods
1. Public announcement
2. Publicly available directory
3. Public key authority
4. Public key certificates

Public key announcement:
The public key is public, so if there is some broadly accepted algorithm such as RSA, any participant can send his or her public key to any other participant or broadcast the key to the community at large

Fig. Uncontrolled public key distribution (A and B each broadcast Ka and Kb to all participants)

Ex: because of the growing popularity of PGP (Pretty Good Privacy), which makes use of RSA, many PGP users have adopted the practice of attaching their public key to the messages that they send to public forums such as USENET newsgroups and Internet mailing lists
The above approach is convenient but it has a major problem/weakness: anyone can forge such a public announcement

Public available directory:

• Greater security can be maintained by using publicly available dynamic directories
• Maintenance and distribution of the publicly available directory is done by some trusted entity or organization

Fig. Public key publication (A and B register Ka and Kb with the public key directory)

• The authority maintains a directory with a name and public key for each participant
• Each participant registers a public key with the directory authority
• Registration is to be done in person or by some form of authenticated communication
• A participant may replace the existing key with a new one at any time
• Periodically the authority publishes the entire directory or the updates made to the directory
• Participants can access the directory electronically

Public Key Authority:
Stronger security for public key distribution can be achieved by providing tighter control over the distribution of public keys

Fig. Public key distribution scenario (messages between A, B and the public key authority):
1. Request for public key of B, i.e. PKB, with timestamp
2. Encrypted PKB as response, with timestamp
3. Encrypted msg with PKB, N1
4. Request for public key of A, i.e. PKA, with timestamp
5. Encrypted PKA as response, with timestamp
6. Encrypted msg with PKA, N1, N2
7. Encrypted msg with PKB, N2

1. A sends a time-stamped message to the public key authority containing a request for the public key of computer B, i.e. PKB
2. The public key authority responds with the encrypted public key of computer B, i.e. PKB, with the timestamp generated by A, so that A recognizes that the message is genuine
3. A uses the public key of B and a nonce (N1) which is used to identify the transaction uniquely
4. B sends a time-stamped message to the public key authority containing a request for the public key of computer A, i.e. PKA
5. The public key authority responds with the encrypted public key of computer A, i.e. PKA, with the timestamp generated by B, so that B recognizes that the message is genuine
6. B sends an encrypted message to A which contains A's nonce (N1) as well as a new nonce (N2) generated by B, so that A can be assured that the correspondent is B
7. A returns a message with N2 encrypted by using B's public key, to assure B that the correspondent is A

Note: Steps no. 6 and 7 are desirable steps and act as transaction & user identifiers

Drawbacks:
• The public key authority could be somewhat of a bottleneck in the system, since a user must appeal to the authority for the public key of every other user it wishes to contact
• It may be possible that the directory of names and public keys maintained by the authority is vulnerable

Public key Certificates:

Fig. Public key distribution through certificates (A requests and receives CA = [t, IDA, Kua] and B requests and receives CB = [t2, IDB, Kub] from the certificate authority; 1. A sends CA to B, 2. B sends CB to A)

• This approach, suggested by Kohnfelder [KOHN78], is to use certificates that can be used by participants to exchange keys without contacting a public key authority
• Overcomes the drawbacks of the public key authority
• Participants convey their key information to others by transmitting certificates
• A digital certificate would actually be a computer file such as a .cer
• Certificates are similar to our passports but they are in electronic form
• Any participant can read the certificate to determine the name and public key of the certificate owner

• Any participant can verify that the certificate originated from the certificate authority
• Only the certificate authority can create and update certificates
• Any participant can verify the currency of the certificate
• The recipient uses the certificate authority's key to decrypt the certificate, because it is only readable by the authority's public key. This verifies that the certificate came from the certificate authority

Use of public key encryption to establish session:

Fig. Public key encryption to establish a session (A → B: Kua || IDA; B → A: EKua[KS])

• A generates a public and private key pair and transmits a message with Kua, i.e. the public key of A
• B generates a secret key KS and transmits it to A, encrypted with A's public key
• A decrypts the message to recover the secret key KS, as only A can decipher the message by using its own private key
• A discards Kua and they start communication with the session key KS (secret key)

Secret key distribution with confidentiality and authentication:
The following figure is based on the approach of [NEED78], which provides protection against active and passive attacks

Fig. Secret key distribution with confidentiality (Initiator A, Responder B):
1. A → B: EKub[IDA || N1]
2. B → A: EKua[IDB || N1 || N2]
3. A → B: EKub[N2]
4. B → A: EKua[KS]

• Let us consider that A & B have exchanged their public keys with each other
• A uses B's public key to encrypt a message containing the identifier of computer A (IDA) and a nonce N1 used to identify the transaction uniquely
• B encrypts a message and sends N1 as well as a nonce N2 generated at B
• A returns N2 encrypted by using B's public key, to assure B that the correspondent is A
• B selects a secret key KS and sends the encrypted KS to A

Public Key Cryptography Standards:
The PKCS model was originally developed by RSA Labs with the help of representatives from government and academia. The main purpose of PKCS is to standardize public key infrastructure (PKI).

    Standard   Purpose                                          Description
    PKCS#1     RSA Encryption Standard                          Describes the basic formatting rules for the RSA public key function, more specifically digital signatures
    PKCS#2     RSA Encryption Standard for message digest       This standard outlines message digest calculation; however, it is now merged with PKCS#1
    PKCS#3     Diffie-Hellman key agreement                     Defines the mechanism to implement the Diffie-Hellman key agreement protocol
    PKCS#4     NA                                               Merged with PKCS#1
    PKCS#5     Password based                                   Describes a method for encrypting an octet string with a symmetric key, where the symmetric key is derived from a password
    PKCS#13    ECC                                              Currently under development
    PKCS#14    PRNG Standard                                    Generates pseudo random numbers
    PKCS#15    Cryptographic token information syntax standard

Message Authentication:
Goal:
• We have received some message; now someone would like to check whether the message has been altered in any way or not
• Produce a short sequence of bits (identifier) that depends on the message at the sender's end
• Send the message and the short sequence of bits (identifier) towards the destination user
• The receiver authenticates the message by computing the small bit pattern of the received message and comparing the computed and received identifiers
• If the computed and received bit patterns (identifiers) match, then the receiver concludes that there has been no alteration of the message during transmission

Types of message Authentication Methods
1. Message Encryption
2. Message Authentication Code (MAC)
3. Hash Function

1. Message Encryption: the cipher text acts as the authenticator
• The main idea is that the receiver gets assured that the message came from A because the CT can be decrypted only by his private key
• Also none of the bits in the message are altered, because an opponent does not know how to manipulate the bits of the CT to induce meaningful changes in the PT
• Conclusion: Encryption provides authentication as well as confidentiality

2. Message Authentication Code (MAC): a public function of the message and a secret key produces a fixed-length value to serve as the authenticator

3. Hash function: a way of creating a small digital fingerprint from any kind of data

Message Digest:
A message digest is a fingerprint or summary of a message. It is similar to the concept of a CRC (cyclic redundancy check) or LRC (longitudinal redundancy check) that is used to verify the integrity of data. In CRC or LRC we compute a parity bit and, along with the data, we send the parity towards the receiver. Now the receiver can separate the parity and data bits and compute the parity of the received data. If the computed parity matches the received parity then it indicates that there is no error; otherwise there is an error present in the data. So here we can say CRC and LRC are the fingerprints of the original message.

Concept of message digests:
• Let us assume we want to calculate the message digest of a number 7391753
• We multiply each digit in the number with the next digit (excluding it if it is 0), discarding the first digit of the multiplication result if the result is a two-digit number
• The process is shown below for the original number 739174; fig (a) shows the simplest MD example and fig (b) shows the MD concept

    Operation              Result
    Multiply 7*3           21
    Discard first digit    1
    Multiply 1*9           9
    Multiply 9*1           9
    Multiply 9*7           63
    Discard 6              3
    Multiply 3*4           12
    Discard 1              2
    MD = 2

Fig (b): Original data (10101010101010 10010011000110) → M.D. algorithm → M.D. (10101)

• The above fig. shows the simplest example of an MD; usually a message digest consists of 128 or more bits
• This means that the chance of any two message digests being the same is anything between 0 and at least 2^128
• The MD length should be long, with the purpose of minimizing the scope for two message digests being the same

Requirements of message digest:
• Given a message, it should be very easy to find its corresponding message digest
• Given a message digest, it should be very difficult to find the original message for which the digest was created
• For any two given messages, if we calculate the message digests, then the

two message digests must be different
• If any two messages produce the same message digest, it violates the principles and it is called a collision
• Usually MD algorithms use 128 or 160 bits; this means that the chances of any two message digests being the same are 1 in 2^128 and 1 in 2^160 respectively. Clearly it seems to be possible in theory but not in practice

Fig. For the same data the M.D. is always the same (Message → MD)
Fig. M.D. should not work in the opposite direction (MD → Message)
Fig: Message digests should not reveal anything about the original message and should be collision free (Message1 → MD1, Message2 → MD2)

MD5:
• MD5 is a message digest algorithm developed by Ron Rivest
• MD5 has its roots in a series of message digest algorithms which were predecessors to MD5, and all of them were developed by Rivest
• MD5 is quite fast and produces a 128-bit message digest
• Over the years researchers have found potential weaknesses in MD5. However, so far MD5 has been able to successfully defend itself against collisions

Working of MD5
Step-1 Padding:
• The first step in MD5 is to add padding bits to the original message; the aim of this step is to make the length of the original message equal to a value which is 64 bits less than an exact multiple of 512
• The padding consists of a single 1-bit followed by as many 0-bits as required
• Note: Padding is always added even if the original message is already a multiple of 512
• The following fig. shows the padding process

Fig: Original Message + Padding (1-512 bits) → Original Message | Padding bits; the total length of this should be 64 bits less than a multiple of 512, e.g. it can be 448 bits (i.e. 448 = 512 - 64) or 960 = (2 * 512) - 64

Step-2 Append length:
• After the padding bits are added, the next step is to calculate the original length of the message and add it to the end of the message

Fig: Original Message | Padding bits, + Length (compute the original length of the data or message, now add it to the end) → Original Message | Padding bits | Length = data to be hashed/digested

• The length of the message is calculated excluding the padding bits, e.g. the original message is of 1000 bits and we added 472 bits to make the length of the message 64 bits less than 1536 (a multiple of 512)
• The length is expressed as a 64-bit value
• If the length of the message exceeds 64 bits (i.e. it is greater than 2^64) then only 64 bits of the length are used, by performing a modulo operation
• After the 64 bits of length are appended, this becomes the final message (i.e. the message to be hashed), which is an exact multiple of 512

Step-3 Divide the input into 512-bit blocks:
• Now we divide the input message into blocks, each of 512 bits in length, as shown below

Fig: Data to be hashed/digested is divided into 512-bit blocks

Step-4 Initialize chaining variables:
• In this step 4 variables, called chaining variables, are initialized; they are called A, B, C, D, each of which is 32 bits

Step-5 Process the blocks:
• After all the initialization the real algorithm begins; we will see the step by step working
• 5.1: Copy all four chaining variables into the corresponding variables a, b, c, d. Thus a = A, b = B, c = C and d = D

Fig: Copying chaining variables A, B, C, D to temporary variables a, b, c, d

• Actually the algorithm considers the combination of a, b, c and d as a 128-bit register (abcd)
• The register abcd is useful in the actual algorithm for holding the intermediate as well as the final result

Fig: Abstract view (abcd) and internal view (a | b | c | d) of the variables

• 5.2: Divide the current 512-bit block into 16 sub-blocks; thus each sub-block contains 32 bits, as shown

Fig: 16 sub-blocks of 32 bits within Block 1 (512 bits)
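Steps 1 to 5 above, together with the per-operation formula and the Process P table that step 5.3 goes on to describe, as an added from-scratch MD5 in Python checked against the standard library's hashlib; this is not the notes' code. The sine-derived constants T[k], the sub-block selection order and the shift amounts are those of RFC 1321; the sample messages in the demo are constructed.

```python
# Added example (not from the lecture notes): MD5 built from the steps in the
# notes (padding, 64-bit length, 512-bit blocks, chaining variables, four
# rounds of sixteen operations), verified against hashlib.md5.
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# T[k] = floor(2^32 * |sin(k+1)|): the "constant as discussed" (RFC 1321)
T = [int(abs(math.sin(k + 1)) * 2**32) & MASK32 for k in range(64)]
# circular left shift amount s for each of the 64 operations (16 per round)
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)


def md5_pad(message: bytes) -> bytes:
    """Steps 1-2: a single 1-bit then 0-bits until the length is 64 bits short
    of a multiple of 512, then the original length in bits (mod 2^64) as a
    64-bit little-endian value. Padding is added even if the message is
    already a multiple of 512 bits."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def _process_p(rnd: int, b: int, c: int, d: int) -> int:
    """Process P: the Boolean function differs per round (notes' table)."""
    if rnd == 0:
        return (b & c) | (~b & d)
    if rnd == 1:
        return (b & d) | (c & ~d)
    if rnd == 2:
        return b ^ c ^ d
    return c ^ (b | ~d)


def md5(message: bytes) -> bytes:
    # Step 4: initialise the chaining variables A, B, C, D
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = md5_pad(message)
    for off in range(0, len(data), 64):                # Step 3: each 512-bit block
        M = struct.unpack("<16I", data[off:off + 64])  # 5.2: sixteen 32-bit sub-blocks
        a, b, c, d = A, B, C, D                        # 5.1: copy into a, b, c, d
        for k in range(64):                            # 5.3: four rounds x 16 operations
            rnd = k // 16
            # which sub-block M[i] this operation uses (order differs per round)
            i = (k, (5 * k + 1) % 16, (3 * k + 5) % 16, (7 * k) % 16)[rnd]
            f = (a + (_process_p(rnd, b, c, d) & MASK32) + M[i] + T[k]) & MASK32
            # a = b + ((a + P(b,c,d) + M[i] + T[k]) <<< s), then the register rotates
            a, d, c, b = d, c, b, (b + _rotl(f, SHIFTS[k])) & MASK32
        # add this block's result into the chaining variables
        A, B, C, D = [(x + y) & MASK32 for x, y in zip((A, B, C, D), (a, b, c, d))]
    return struct.pack("<4I", A, B, C, D)              # 128-bit digest


def md5_hex(message: bytes) -> str:
    return md5(message).hex()


def md5_matches_stdlib(message: bytes) -> bool:
    """Check our implementation against the reference for one message."""
    return md5_hex(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64):   # constructed inputs
        print(len(sample), md5_hex(sample), md5_matches_stdlib(sample))
```

The comparison against hashlib on messages of 0, 55, 56 and 64 bytes is the useful part: 55 bytes plus the 0x80 byte lands exactly on the 448-bit boundary, while 56 and 64 bytes force a second 512-bit block, which is where hand-written padding code usually goes wrong. Note that the notes' remark about MD5 resisting collisions no longer holds; practical collisions have been public since 2004, so MD5 should be kept for compatibility checks only, not for signatures or integrity of untrusted data.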


• 5.3: Now we have four rounds. In each round we process all 16 sub-blocks belonging to a block. The inputs to each round are:
  1. All 16 sub-blocks
  2. Variables a, b, c and d
  3. Some constants, designated as t, as shown in the following figure

Fig: Conceptual process within a round (inputs: a, b, c, d; the 16 sub-blocks; other constants)

• Let us summarize the iteration of all the four rounds. In each case the output of the intermediate as well as the final iteration is copied into register abcd. Note that we have 16 such iterations in each round.

Fig: One MD5 operation (Process P over b, c, d; add a, M[i] and T[k]; circular shift; add b; result stored in a)

We can mathematically express one MD5 operation as
  a = b + ((a + Process P(b, c, d) + M[i] + T[k]) <<< s)
where
• a, b, c, d are the chaining variables
• Process P is a nonlinear operation, described subsequently
• M[i] = M[q × 16 + i], the i-th 32-bit word in the q-th 512-bit block of the message
• T[k] is a constant, as discussed
• <<< s is a circular left shift by s bits

Understanding Process P:
Process P is different in the four rounds. In simple terms Process P is nothing but some basic Boolean operation on b, c and d, as shown:

Round   Process P
1       (b AND c) OR ((NOT b) AND d)
2       (b AND d) OR (c AND (NOT d))
3       b XOR c XOR d
4       c XOR (b OR (NOT d))

SHA (Secure Hash Algorithm):
• NIST (National Institute of Standards and Technology) along with NSA (National standard agency) developed the secure hash based algorithm SHA.
• SHA was published as a Federal Information Processing Standard
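The MD5 steps above (padding, length append, 512-bit blocks, the chaining variables, four rounds of sixteen operations with Process P) written out as an added example. This is not code from the notes; it is a from-scratch MD5 in Python that follows the formula a = b + ((a + P(b, c, d) + M[i] + T[k]) <<< s) literally and is checked against the standard library's hashlib.md5. The shift table S and the sine-derived constants T[k] are the RFC 1321 values, which the notes only refer to as "constants".

```python
# Added example (not from the notes): from-scratch MD5 following the steps
# above, verified against hashlib.md5.
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Shift amounts s for the 64 operations (four values per round, each used
# four times) and the additive constants T[k] = floor(2^32 * |sin(k + 1)|).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(k + 1)) * 2**32) & MASK32 for k in range(64)]


def pad_message(msg: bytes) -> bytes:
    """Steps 1-2: a single 1 bit, then 0 bits until the length is 64 bits short
    of a multiple of 512, then the original bit length (mod 2^64) as 64 bits."""
    bit_len = (len(msg) * 8) % (1 << 64)
    padded = msg + b"\x80"                                  # the 1 bit plus seven 0 bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)      # 0 bits up to 448 mod 512
    return padded + struct.pack("<Q", bit_len)              # MD5 stores the length little-endian


def padding_bits_added(msg: bytes) -> int:
    """Number of padding bits added, excluding the 64-bit length field."""
    return len(pad_message(msg)) * 8 - 64 - len(msg) * 8


def rotl(x: int, s: int) -> int:
    """Circular left shift of a 32-bit word by s bits (the <<< operator above)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def process_p(round_no: int, b: int, c: int, d: int) -> int:
    """The nonlinear Process P of rounds 1-4, as in the table above."""
    if round_no == 0:
        return ((b & c) | (~b & d)) & MASK32
    if round_no == 1:
        return ((b & d) | (c & ~d)) & MASK32
    if round_no == 2:
        return (b ^ c ^ d) & MASK32
    return (c ^ (b | ~d)) & MASK32


def md5_hex(msg: bytes) -> str:
    # Step 4: the four 32-bit chaining variables A, B, C, D (RFC 1321 initial values).
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = pad_message(msg)
    for off in range(0, len(data), 64):                     # Step 3: one 512-bit block at a time
        M = struct.unpack("<16I", data[off:off + 64])       # 5.2: sixteen 32-bit sub-blocks
        a, b, c, d = A, B, C, D                             # 5.1: copy into a, b, c, d
        for k in range(64):                                 # 5.3: 4 rounds x 16 operations
            r = k // 16
            # Which sub-block M[i] each operation consumes differs per round.
            i = (k, (5 * k + 1) % 16, (3 * k + 5) % 16, (7 * k) % 16)[r]
            # a = b + ((a + P(b, c, d) + M[i] + T[k]) <<< s), then rotate the register abcd.
            new_a = (b + rotl((a + process_p(r, b, c, d) + M[i] + T[k]) & MASK32, S[k])) & MASK32
            a, b, c, d = d, new_a, b, c
        # The block's result is added into the chaining variables for the next block.
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D).hex()             # 128-bit message digest


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()


if __name__ == "__main__":
    sample = b"\x00" * 125                                  # a constructed 1000-bit message
    print("padding bits:", padding_bits_added(sample), "total bits:", len(pad_message(sample)) * 8)
    print(md5_hex(b"abc"), matches_hashlib(b"abc"))
```

Running it on a constructed 1000-bit message reproduces the numbers in the notes: 472 padding bits are added and the padded message is 1536 bits, i.e. three 512-bit blocks.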


(FIPS PUB 180).
• It was revised to FIPS PUB 180-1 in 1995 and the name was changed to SHA-1.
• SHA-1 is a revised version of MD4.
• SHA works with any message that is less than 2^64 bits in length.
• The output of SHA is an MD of 160-bit length (i.e. 32 bits more than MD5).
The word "secure" was decided based on two features; SHA is designed so that it is computationally infeasible to
1. obtain the original message from the MD
2. find two messages producing the same MD

Working of SHA

Step-1 Padding:
• The first step in SHA (as in MD5) is to add padding bits to the original message. The aim of this step is to make the length of the original message equal to a value which is 64 bits less than an exact multiple of 512.
• The padding consists of a single 1-bit followed by as many 0-bits as required.
• Note: Padding is always added, even if the original message is already a multiple of 512.
• The following figure shows the padding process.

Fig: Padding (Original Message + Padding of 1-512 bits). The total length of Original Message + Padding bits should be 64 bits less than a multiple of 512, e.g. it can be 448 bits (i.e. 448 = 512 - 64) or 960 bits (= (2 × 512) - 64).

Step-2 Append length:
• After the padding bits are added, the next step is to calculate the original length of the message and add it to the end of the message.

Fig: Append length (Original Message | Padding bits | Length). Compute the original length of the data (message) and add it at the end; the result, Original Message + Padding bits + Length, is the data to be hashed (digested).

• The length of the message is calculated excluding the padding bits, e.g. the original message is 1000 bits and we added 472 padding bits to make the length of the message 64 bits less than 1536 (a multiple of 512).
• The length is expressed as a 64-bit value.
• If the length of the message exceeds 64 bits (i.e. it is greater than 2^64), only 64 bits of the length are used, by performing a modulo operation.
• After these 64 bits of length are appended, the result is the final message (i.e. the message to be hashed), which is an exact multiple of 512 bits.

Step-3 Divide the input into 512-bit blocks:
• Now we divide the input message into blocks, each of 512 bits, as shown below.

Fig: Data is divided into 512-bit blocks (data to be hashed → 512 bit | 512 bit | 512 bit | ...)

Step-4 Initialize chaining variables:
• In this step five variables, called chaining variables, are initialized. They are called A, B, C, D and E, and each of them is 32 bits.

Step-5 Process the blocks:
• After all the initialization the real algorithm begins; we will see its step-by-step working.
• 5.1: Copy all five chaining variables into the corresponding variables a, b, c, d, e. Thus a = A, b = B, c = C, d = D and e = E.

Fig: Copying chaining variables (A, B, C, D, E) to temporary variables (a, b, c, d, e)

• Actually the algorithm considers the combination of a, b, c, d and e as a single 160-bit register (abcde).
• Register abcde is used in the actual algorithm for holding the intermediate as well as the final result.

Fig: Abstract view (abcde) and internal view (a | b | c | d | e) of the variables

• 5.2: Divide the current 512-bit block into 16 sub-blocks; thus each sub-block contains 32 bits, as shown.

Fig: 16 sub-blocks (32 bits each) within Block 1 (512 bits)

Fig: Conceptual process within a round (inputs: a, b, c, d, e; the 16 sub-blocks; other constants)

Fig: One SHA-1 operation (Process P over b, c, d; additions of e, S^5(a), W[t] and K[t]; result stored in the register a, b, c, d, e)


• 5.3: Now we have four rounds. In each round we process all 16 sub-blocks belonging to a block. The inputs to each round are:
  1. All 16 sub-blocks
  2. Variables a, b, c, d and e
  3. Some constants, designated as t, as shown in the figure above
• Let us summarize the iteration of all the four rounds. In each case the output of the intermediate as well as the final iteration is copied into register abcde. Note that we have 16 such iterations in each round.

Mathematically, one iteration consists of the following operations:
  abcde = (e + Process P(b, c, d) + S^5(a) + W[t] + K[t], a, S^30(b), c, d)
where
• abcde = the register made up of the variables a, b, c, d, e
• Process P = a logical operation (on b, c, d)
• S^t = circular left shift of a 32-bit sub-block by t bits
• W[t] = a 32-bit value derived from the current 32-bit sub-block
• K[t] = one of the 5 additive constants, as defined earlier

Understanding Process P:
Process P is different in the four rounds. In simple terms Process P is nothing but some basic Boolean operation on b, c, d and e, as shown:

Round   Process P
1       (b AND c) OR ((NOT b) AND d)
2       (b XOR c) XOR d
3       (b AND c) OR (b AND d) OR (c AND d)
4       b XOR c XOR d

Comparison of MD5 with SHA-1:

Algorithm              MD5                               SHA-1
MD length              128 bits                          160 bits
Breaking possibility   Requires 2^128 operations to break   Requires 2^160 operations to break, i.e. more secure
Attack                 Attacks reported                  No such claim
Implementation         Software implementation           Software implementation

Fig: MAC (Message Authentication Code), sender side: Message → Sign1 → E → MAC; the message and the MAC are sent to the receiver
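An added example (not code from the notes) covering two passages: the SHA-1 iteration abcde = (e + P(b, c, d) + S^5(a) + W[t] + K[t], a, S^30(b), c, d) just described, and the HMAC construction of the Message Authentication Code section that follows, which reuses an existing digest algorithm. The SHA-1 below is written from the steps in the notes (the initial chaining values and the four K constants are the FIPS 180-1 values), and the HMAC is built on top of that SHA-1 with the RFC 2104 inner/outer padding; both are checked against the standard library. The shared key and messages are constructed sample values.

```python
# Added example (not from the notes): SHA-1 step by step, then HMAC reusing it.
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """S^n(x): circular left shift of a 32-bit word by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(msg: bytes) -> bytes:
    """Steps 1-2 (as for MD5, except that SHA-1 stores the 64-bit length big-endian)."""
    bit_len = (len(msg) * 8) % (1 << 64)
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def process_p(t: int, b: int, c: int, d: int) -> int:
    """Process P of rounds 1-4 (operations 0-19, 20-39, 40-59, 60-79), per the table."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK32
    if t < 40:
        return (b ^ c ^ d) & MASK32
    if t < 60:
        return ((b & c) | (b & d) | (c & d)) & MASK32
    return (b ^ c ^ d) & MASK32


def k_constant(t: int) -> int:
    """Additive constant K[t]: one value per round."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]


def sha1_digest(msg: bytes) -> bytes:
    # Step 4: five 32-bit chaining variables A..E (FIPS 180-1 initial values).
    A, B, C, D, E = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0
    data = pad_message(msg)
    for off in range(0, len(data), 64):                     # Step 3: one 512-bit block at a time
        # 5.2: sixteen 32-bit sub-blocks, expanded into the 80 words W[t].
        W = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        a, b, c, d, e = A, B, C, D, E                       # 5.1: copy into the register abcde
        for t in range(80):                                 # 5.3: four rounds of 20 operations
            # abcde = (e + P(b, c, d) + S^5(a) + W[t] + K[t], a, S^30(b), c, d)
            temp = (e + process_p(t, b, c, d) + rotl(a, 5) + W[t] + k_constant(t)) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        A, B, C, D, E = ((A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32,
                         (D + d) & MASK32, (E + e) & MASK32)
    return struct.pack(">5I", A, B, C, D, E)                # 160-bit message digest


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC (RFC 2104) reusing the digest above: H((K xor opad) || H((K xor ipad) || M))."""
    block = 64                                              # SHA-1 block size in bytes
    if len(key) > block:
        key = sha1_digest(key)                              # long keys are hashed first
    key = key.ljust(block, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha1_digest(opad + sha1_digest(ipad + message))


def receiver_check(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """B recomputes Sign2 over the received message and compares it with the received Sign1."""
    return hmac.compare_digest(hmac_sha1(key, message), received_mac)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check both functions against hashlib and hmac."""
    return (sha1_digest(message) == hashlib.sha1(message).digest()
            and hmac_sha1(key, message) == hmac.new(key, message, "sha1").digest())


if __name__ == "__main__":
    shared_key = b"shared-secret"                           # constructed sample key
    mac = hmac_sha1(shared_key, b"transfer 100")
    print(sha1_digest(b"abc").hex())
    print(receiver_check(shared_key, b"transfer 100", mac), receiver_check(shared_key, b"transfer 900", mac))
```

The receiver-side check shows the point of the MAC section: an altered message, or a MAC computed under a different key, fails the Sign1 = Sign2 comparison, whereas an unkeyed message digest could simply be recomputed by whoever altered the message.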


Fig: MAC (Message Authentication Code), receiver side: received Message → Sign2; received MAC → D → Sign1; is Sign1 = Sign2?

Message Authentication Code:
A MAC is similar to a message digest (MD); however, the difference is that in the case of an MD there is no cryptographic encryption, while a MAC needs a cryptographic algorithm (with a shared key).
A and B share a dynamic secret key not known to anyone else.
• A sends the original message and the MAC to B.
• B creates its own signature and deciphers the received MAC.
• B compares the two signatures; if they are equivalent the message is accepted, and if there is a difference B concludes that there is an error in the message.

HMAC (Hash based Message Authentication Code):
HMAC is selected as the mandatory security implementation for the Internet Protocol and is also used in SSL.
The fundamental idea behind HMAC is to reuse an existing message digest algorithm such as MD5 or SHA-1.

Fig: HMAC (Original Message → existing message digest algorithm such as MD5 or SHA-1 → MD → Encrypt → MAC)

Drawbacks of MAC & HMAC:
1. There is a problem regarding symmetric key exchange.
2. HMAC cannot be used if the number of receivers is greater than one.
3. There is no means to know that the message was prepared by a particular user.

RIPE-MD:
• Developed by the European community project RIPE [1305]
• The algorithm is a variant of MD4
• Designed to resist known cryptanalytic attacks; produces a 128-bit hash value
• The rotation and the order of the message words are modified

Questions:
1. Write a note on primality checking algorithms


2. Explain the working of RSA
3. Discuss the working of asymmetric key cryptography
4. If A wants to send a message to B through asymmetric key cryptography, what would be the typical steps involved?
5. Explain the working of the Diffie-Hellman key exchange algorithm
6. What is the man-in-the-middle (or woman-in-the-middle) attack in connection with the Diffie-Hellman algorithm? Explain with an example
7. Explain the working of RSA with a suitable example
8. Describe the advantages and disadvantages of symmetric and asymmetric key cryptography
9. What is key wrapping? How is it useful?
10. Write a note on ElGamal and ECC with their strengths and weaknesses
11. Write a note on key management techniques in PKCS
12. Explain the working of public announcement and publicly available directory, with requirements and drawbacks
13. Explain the working of public certificates for exchanging keys
14. Explain the working of session key exchange through a PKCS system with authentication and confidentiality
15. Write a note on public key cryptography standards
16. What are the key requirements of message digests?
17. What is the problem with exchanging public keys?
18. What is a collision related to a message digest?
19. Explain the step-by-step working of MD5
20. Explain the step-by-step working of SHA
21. Compare SHA with MD5
22. Why is SHA more secure than MD5?
23. What is the difference between a message digest and a MAC?
24. What is the difference between MAC and HMAC? Explain by drawing a suitable block diagram
25. Explain RIPEMD with its working details and the bits/bytes of the hash value produced

UNIT-IV DIGITAL SIGNATURES, CERTIFICATES & STANDARDS

• Due to the problems associated with MAC, the Digital Signature Standard (DSS) was developed for digitally signing documents or certificates.
• NIST (National Institute of Standards and Technology) published the DSS standard as a FIPS.
• The FIPS was revised in 1993 and 1996.
• DSS makes use of the SHA-1 algorithm for calculating the message digest of the original message and uses that message digest to perform the digital signature.
• DSS makes use of an algorithm called the Digital Signature Algorithm (DSA).
• Similar to RSA, DSA is also based on asymmetric key cryptography. However, their objectives are totally different.
• As we know, RSA is primarily used for encrypting messages, but we can also use RSA to produce digital signatures.
• DSA can only be used to perform digital signatures; it cannot be used for encryption.

RSA and Digital Signature:
Let us assume sender A wants to send a message M to receiver B along with a digital signature S calculated over message M. The following steps occur for preparation of the message.

Step I: Sender A uses the SHA-1 message digest algorithm to calculate the message digest MD1 of the original message M, as shown below.

Fig: Message Digest Calculation (Original Message (M) → message digest algorithm → MD1)

Step II: Sender A now encrypts MD1 with his private key; the output of this process is called the digital signature (DS).

Fig: Digital Signature Creation (MD1 → E with the private key of sender A → DS)

Step III: Now sender A sends the original message M along with the digital signature DS to receiver B, as shown below.

Fig: Transmission of original message & digital signature (A → [M, DS] → B)

Step IV:
• B receives the original message (M) and the digital signature DS from A.
• B uses the same message digest algorithm used by A and calculates MD2 of the received message, as shown below.

Fig: Message Digest Calculation at receiver (Received Message (M) → message digest algorithm → MD2)

Step V:
• Now the receiver uses A's public key to decipher (decrypt) the digital signature.
• The output of this step is the original message digest (MD1) calculated by A.

Fig: Receiver retrieves sender's MD (DS → D with the public key of sender A → MD1)


Step VI:
• B now compares the two message digests, i.e. MD2 (calculated in Step IV) and MD1 (retrieved from A's digital signature in Step V).
• If MD1 = MD2 then B accepts the original message (M) as the correct, unaltered message from A.

Fig: Digital signature verification (Is MD1 = MD2? YES → trust and accept the original message (M); NO → reject the original message (M))

• i.e. B is assured that the message came from A and not from someone else posing as A.

Q. Why doesn't an attacker alter the message, recalculate the MD and sign it again?
ANS: An attacker can perform the first two steps very well (i.e. alter the message and recalculate the MD) but cannot sign it again, because for that the attacker needs A's private key. Since only A knows his private key, the attacker cannot use A's private key to encrypt the message digest (i.e. sign the message) again. Thus the principle of digital signatures is quite strong, secure and reliable.

Digital Signature Algorithm (DSA):
The description of DSA is mathematical and complicated. The DSA algorithm makes use of the following variables:
  p = a prime number of length l bits, where l is a multiple of 64 between 512 and 1024 (i.e. l = 512, 576, 640, ..., 1024)
  q = a 160-bit prime factor of (p - 1)
  g = h^((p-1)/q) mod p, where h is a number less than (p - 1) such that h^((p-1)/q) mod p > 1
  x = a number less than q
  y = g^x mod p
  H = the message digest algorithm (SHA-1)
The first three variables p, q and g are public in nature and can be sent across an insecure network. The private key is x, whereas the public key is y.
Let us assume the sender wants to sign message M and send the signed message to the receiver. Then the following steps take place:
1. The sender generates a random number k which is less than q.
2. The sender calculates
   (a) r = (g^k mod p) mod q


   (b) s = (k^(-1) × (H(M) + x·r)) mod q
The values r and s are the signature of the sender; the sender sends these values to the receiver. To verify the signature the receiver calculates
   w = s^(-1) mod q
   u1 = (H(M) × w) mod q
   u2 = (r × w) mod q
   v = ((g^u1 × y^u2) mod p) mod q
If v = r the signature is said to be verified, otherwise it is rejected.

Digital certificates:

Fig: Digital Certificate (Subject Name: XXXXXXX; Public Key: XXXXXXX; Serial No.: XXXXXXXX; Other Data: XXX; Valid for; Valid to; Issuer Name)

We have seen the Diffie-Hellman algorithm for key exchange, but it also has a problem regarding the man-in-the-middle attack. The solution to the above problem is digital certificates.
Conceptually we can compare a digital certificate to a document such as our passport or driving licence, which proves our identity by specifying
- Name
- Nationality
- Date and place of birth
- Photograph and signature

Concept of digital certificate:
A digital certificate would actually be a computer file, with a name such as abc.cer. So, similar to a passport, a digital certificate signifies the association between my public key and me.
Digital certificates are issued by trusted parties, such as government authorities, in which all the concerned parties have a great amount of trust and belief. Imagine the situation if our passport were issued by an ordinary shopkeeper; then no one would trust that passport.
As we mentioned, a digital certificate establishes the relation between a user and his public key; therefore a digital certificate must contain the user's public key and his name.

Certificate Authority (CA):
A CA is a trusted agency that can issue certificates. The government decides who can act as a CA and who cannot.
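Before going on with certificate authorities, here is the DSA procedure of the section above worked through as an added example (not code from the notes): parameter generation (p of l = 512 bits, q a 160-bit prime factor of p - 1, g = h^((p-1)/q) mod p > 1), key generation, signing with r and s, and verification with w, u1, u2 and v, using SHA-1 as H. The Miller-Rabin primality test is a helper of mine, not part of DSA; the message is a constructed sample. The demo also answers the question asked earlier about altering a signed message: the altered message and a signature checked against somebody else's public key both fail verification.

```python
# Added example (not from the notes): DSA parameters, keys, signing and
# verification following the formulas in the section above.
import hashlib
import random

rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (a helper assumed here, not part of DSA)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(l: int = 512):
    """p: l-bit prime; q: 160-bit prime factor of p - 1; g = h^((p-1)/q) mod p with g > 1."""
    while True:
        q = rng.getrandbits(160) | (1 << 159) | 1           # odd and exactly 160 bits
        if not is_probable_prime(q):
            continue
        for _ in range(20000):
            m = rng.getrandbits(l - 161) | (1 << (l - 162))
            p = 2 * q * m + 1                               # by construction q divides p - 1
            if p.bit_length() == l and is_probable_prime(p):
                h = 2
                while pow(h, (p - 1) // q, p) == 1:        # keep trying h until g > 1
                    h += 1
                return p, q, pow(h, (p - 1) // q, p)


def generate_keypair(p: int, q: int, g: int):
    x = rng.randrange(1, q)                                  # private key x < q
    return x, pow(g, x, p)                                   # public key y = g^x mod p


def H(message: bytes) -> int:
    """The message digest (SHA-1, as in DSS) interpreted as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, p: int, q: int, g: int, x: int):
    while True:
        k = rng.randrange(1, q)                              # step 1: fresh random k < q
        r = pow(g, k, p) % q                                 # step 2(a): r = (g^k mod p) mod q
        s = (pow(k, -1, q) * (H(message) + x * r)) % q       # step 2(b): s = (k^-1 (H(M) + x r)) mod q
        if r and s:                                          # retry in the rare case r or s is 0
            return r, s


def verify(message: bytes, r: int, s: int, p: int, q: int, g: int, y: int) -> bool:
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)                                        # w = s^-1 mod q
    u1 = (H(message) * w) % q                                # u1 = (H(M) w) mod q
    u2 = (r * w) % q                                         # u2 = (r w) mod q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q            # v = ((g^u1 y^u2) mod p) mod q
    return v == r


def demo():
    """Returns (genuine verifies, altered message verifies, wrong public key verifies)."""
    p, q, g = generate_parameters()
    x, y = generate_keypair(p, q, g)
    _, y_other = generate_keypair(p, q, g)                   # some other party's public key
    msg = b"Pay B 100 units"                                 # constructed sample message
    r, s = sign(msg, p, q, g, x)
    return (verify(msg, r, s, p, q, g, y),
            verify(b"Pay B 900 units", r, s, p, q, g, y),
            verify(msg, r, s, p, q, g, y_other))


if __name__ == "__main__":
    print(demo())                                            # expected: (True, False, False)
```

Parameter generation searches for p of the form 2·q·m + 1, which is the usual way to guarantee that q divides p - 1; the per-message random k must be fresh and secret for every signature, which is why sign() draws it from a system random source.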
Usually a CA is a reputed organization such as a post office, financial institution, software company, etc. Two of the world's famous CAs are Entrust and VeriSign.

Technical details of a digital certificate:
A standard called X.509 defines the structure of a digital certificate. The International Telecommunication Union (ITU) came up with this standard in 1988; at that time it was part of another standard called X.500. Since then X.509 has been revised three times; the current version is called X.509 v3.

Fig: Contents of a digital certificate
  Common to all versions (V1): Version; Certificate serial no.; Signature algorithm identifier; Issuer name; Validity (not before / not after); Subject name; Subject public key information
  V2 adds: Issuer unique identifier; Subject unique identifier
  V3 adds: Extensions
  Finally: Certificate authority digital signature

Digital certificate creation:

Fig: Registration Authority (RA) (End users ↔ Registration Authority (RA) ↔ Certification Authority (CA))

Parties involved: As we know, mainly three parties are involved in the process of digital certificate creation, namely the subject (end user) and the issuer, the certification authority (CA). A third party is also optionally involved in certificate creation and management.
Since the CA can be overloaded with a variety of tasks, such as issuing new certificates and maintaining the old ones, the CA can delegate some of its tasks to this third party, called the registration authority (RA), as shown.
The RA acts as a mediator between the end user and the CA. It performs the following tasks:
1. Accepts and verifies registration information about new users
2. Generates keys on behalf of end users
3. Accepts and authorizes requests for key backup and recovery
4. Accepts and authorizes requests for certificate revocation
Due to the RA, the CA becomes an isolated entity, which makes it less susceptible to security attacks.

Digital certificate creation steps:
Certificate creation consists of the following steps, outlined in the figure:

Fig: Digital certificate creation steps (Key Generation → Registration → Verification → Certificate Creation)


Fig: Key generation (the user can generate the key, or the RA can generate the key)

Step I: Key generation
As shown below, the user generates the private and public key by interacting with software. After creating the keys, the user keeps the private key and diverts the public key towards the RA/CA.

Fig: User generates the key (Key generation → user keeps the secret/private key; public key towards the CA)
Fig: RA generates the key (RA generates the key → RA diverts the private key towards user A; public key towards the CA)

The alternative is that the RA generates the key pair on the subject's behalf and transmits the private key to the concerned subject. Here there is the possibility of exposing the private key during transfer from the RA to the end user (simply put, this approach is less secure).

Step II: Registration
• This step is required only when the user or subject generated the key pair in the first step.
• The user sends the public key and registration information, with all evidence about himself, to the RA by using a software wizard or a certificate signing request (CSR).

Fig: Subject sends public key and evidence (Public key + other required information and evidence → RA)

• The evidence, however, is usually not electronic; it consists of POP-based documents, e.g. PAN, passport, etc.

Step III: Verification
Now the RA verifies the user's credentials. This has two aspects:
1. Verifying the user's credentials, such as organization, business record, history.
2. Ensuring whether the user who is requesting indeed possesses the private key corresponding to the public key.
The second check is called proof of possession (POP) of the private key. For this the RA can do the following:
1. Demand that the user digitally signs her certificate; from that the RA verifies that the user is genuine/authentic.
2. The RA can create a random-number challenge, encrypt it with the user's public key and send the encrypted challenge to the user. If the user successfully decrypts the challenge, the RA assumes the user possesses the right private key.
3. The RA can generate a dummy certificate for the user, encrypt it using the user's public key and send it to the user. The user can decrypt it, and thus obtain the plaintext certificate, only if he has the correct corresponding private key.

Step IV: Certificate creation
The RA passes on all the details of the user to the CA. The CA does its own verification if required. The CA creates the certificate by using a program, in the X.509 standard format. The CA sends the certificate to the user and also maintains a copy of the certificate in a certificate directory. LDAP (Lightweight Directory Access Protocol) is this central storage location maintained by the CA (Certification Authority); it allows users and applications to access X.500 directories depending on their privileges. The CA sends the certificate through an e-mail attachment, or sends an e-mail.

Why trust a digital certificate?
• As a digital certificate is a simple computer file in a specific standard format, anyone can produce it.
• Can we trust a file of a specified format which merely holds important information regarding the user's public key, signed by just any authority?
• Obviously not; we cannot trust a digital certificate on the above grounds.
• We can trust the certificate if it is signed by a trusted authority or trusted party (the CA), who always signs a digital certificate with his own private key.
• The trusted party gives the assurance: "I have signed this certificate to guarantee that this user possesses the specified public key".
• So we simply trust the digital certificate because the CA gives us that guarantee.

How does a CA sign a digital certificate? (Digital certificate signing process)
• The CA signs the certificate with his own private key.

Fig: Certificate signing process (Digital Certificate fields: Subject Name, Public Key, Serial No., Other Data, Valid for, Valid to, Issuer Name, Certificate authority's digital signature → Message Digest Algorithm → Message Digest → Digital signature algorithm with the CA's private key → Digital Signature)

• As shown, the content of the certificate is treated as a message and passed to an MD algorithm like SHA-1.
• The output of the MD algorithm is the Message Digest (MD).
• The MD is encrypted using the certificate authority's private key to produce the digital signature.
• At the end, the digital signature of the certificate authority is stored as the last field of the digital certificate.

Digital certificate/signature verification:
Consider that we have received the digital certificate of a user and are interested in verifying it. What should we do for this? Clearly we need to verify the digital signature of the CA. For verification of the signature we have to follow the steps shown in the following block diagram.

Fig: Certificate verification (Digital Certificate fields: Subject Name, Public Key, Serial No., Other Data, Valid for, Valid to, Issuer Name → Message Digest Algorithm → MD1; Certificate authority's Digital Signature → Decryption Algorithm with the CA's public key → MD2; Is MD1 = MD2? YES → valid certificate, accept it; NO → invalid certificate, reject it)

• All the fields except the last one (the digital signature) of the received digital certificate are passed to the Message Digest algorithm.
• The MD algorithm calculates MD1.
• Now the user extracts the digital signature of the CA from the certificate.


• The user deciphers the CA's signature by using the CA's public key.
• This produces another message digest; call it MD2.
• Now the user compares MD1 with MD2. If they match (MD1 = MD2) the user is convinced that the certificate is signed by the CA; otherwise the user will not trust the certificate and rejects it.

Certificate Hierarchy:

Fig: Certificate hierarchy (Root CA → Second Level CAs → Third Level CAs)

• The security of certificates can be increased by increasing the levels of the hierarchy of CAs.
• As shown, the root CA acts as the MD (managing director), i.e. the highest authority of certification.
• Then at the second level there are many managers reporting to the root CA.
• Many people are there at the third level, reporting to the managers at the second level, and so on.
• The purpose of creating the hierarchy is just to relieve the MD or CEO from performing all types of tasks in all departments.

Kerberos (Network authentication protocol):
• Kerberos is a network authentication protocol used in many real-time systems.
• Kerberos is based on another protocol called Needham-Schroeder.
• Designed at MIT in the 1980s.
• Available as open source or supported by commercial software.
• Kerberos signifies a multi-headed dog as per Greek mythology.

Why Kerberos?
• Sending the username and password in clear text may cause a security problem.
• If the password is sent in clear each time, there is a chance of interception.
• So, to resolve and sort out the above problem, Kerberos is needed.

Firewall vs Kerberos:
• Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
• Kerberos assumes that network connections (rather than servers and workstations) are the weak link in network security.

Design requirements for Kerberos:
• Interactions between hosts and clients should be encrypted.
• Must be convenient for users (or they won't use it).
• Protect against intercepted credentials.
• Private key: each party uses the same secret key to encode and decode messages.
• Uses a trusted third party which can vouch for the identity of both parties in a transaction. Security of the third party is imperative.

Working of Kerberos:


• Instead of the client sending the password to the application server:
  – Request a ticket from the authentication server
  – The ticket and an encrypted request are sent to the application server

Applications:
1. Authentication
2. Authorization
3. Confidentiality
4. Within a network and small sets of networks

Version 4 problems:
– Lifetime associated with the ticket-granting ticket:
  – If too short → the user is repeatedly asked for the password
  – If too long → a greater opportunity for replay exists. The threat is that an opponent will steal the ticket and use it before it expires.
– Inter-realm authentication is not possible in V4.

Fig: Request for service in another realm (Kingdom)

Difference between Version 4 and 5:
• Encryption system dependence (v.4 DES with non-standard PCBC; v.5 you can choose the encryption algorithm and use CBC)
• Internet protocol dependence (v.4 only IP; v.5 any type)
• Message byte ordering (v.4 arbitrary; v.5 defined by the ASN.1 standard)
• Ticket lifetime (v.4 21h max; v.5 arbitrary)
• Authentication forwarding to other hosts (v.4 no; v.5 yes) (A client issues a request to a print server that then accesses the client's file from a file server, using the client's credentials for access.)
• Inter-realm authentication: v.4 needs N^2 (!) realm-to-realm relationships (v.5 simpler)

Kerberos V5:
• V5 allows inter-realm authentication with less overhead than v4
• Kerberos v5 is an Internet standard
• Specified in RFC 1510, and used by many utilities

To use Kerberos:
• You need a KDC on your network
• You need to have "Kerberised" applications running on all participating systems

X.509 Authentication Service:
• Part of the CCITT X.500 directory service standard
• Distributed servers maintain user information in a database
• Defines a framework for the authentication service
• The directory may store a public key certificate with the public key of the user
• Signed with the private key of a certification authority
• Defines an authentication protocol
• Uses public key cryptography and digital signatures
• Used in a variety of contexts like
1. S/MIME


2. IP Security
3. SSL/TLS, SET protocols

Authentication procedure:
X.509 includes three alternative authentication procedures:
1. One-way authentication
2. Two-way authentication
3. Three-way authentication
All the above authentication procedures use public key signatures.

One-way authentication:
• One message (A->B), used to establish:
• The identity of A and that the message is from A
• That the message was intended for B
• Integrity and originality of the message, i.e. the message must include a timestamp, a nonce and B's identity, and is signed by A

Two-way authentication:
• Two messages (A->B and B->A), which in addition establish:
• The identity of B and that the reply is from B
• That the reply is intended for A
• Integrity and originality of the reply
• The reply includes the original nonce from A, and also a timestamp and nonce from B

Three-way authentication:
• Three messages (A->B, B->A, A->B), which enable the above authentication without synchronized clocks, i.e. timestamps need not be checked or relied upon

E-mail Security:
• E-mail is the most widely used application on the Internet
• Using e-mail a user can send messages (pictures, sound
• Due to the wide use of e-mail, its security is a major and important issue
• RFC 822 defines the format of a text e-mail message. An e-mail message is considered to be made up of two portions, its content (body) and its header, i.e. quite similar to our normal postal system

Fig: E-mail header and body section
  Headers:
    From: D. P. Mishra ([email protected])
    To: Registrar ([email protected])
    Subject: ......
    Date: ......
  Body:
    xxxx......
    ......

Fig: E-mail using the SMTP protocol (Sender A → Sender's SMTP server → Receiver's SMTP server → Receiver B)


SMTP (Simple Mail Transfer Protocol) is used for e-mail communication. The e-mail client software at the sender's end gives the message to the local SMTP server, and this local SMTP server transfers the message to the receiver's SMTP server. Its main job is to carry mail messages between sender and receiver. It uses the TCP/IP protocol underneath, i.e. SMTP runs on top of TCP/IP (in the application layer).

The following are the main three e-mail security protocols:
1. Privacy Enhanced Mail (PEM)
2. Pretty Good Privacy (PGP)
3. Secure MIME (S/MIME), MIME being Multipurpose Internet Mail Extensions

Privacy Enhanced Mail (PEM):
An Internet e-mail security standard adopted by the Internet Architecture Board (IAB) to provide secure electronic mail communication over the Internet. PEM was initially developed by the Internet Research Task Force (IRTF) and the Privacy and Security Research Group (PSRG); they then handed PEM over to the Internet Engineering Task Force (IETF).

PEM supports three main cryptographic functions:

Fig: Privacy Enhanced Mail (PEM): Encryption, Non-repudiation, Message Integrity

Working of PEM (Privacy Enhanced Mail):
• The broad-level steps of PEM are shown in the following figure.

Fig: PEM operations (1. Canonical Conversion → 2. Digital Signature → 3. Encryption → 4. Base-64 Encoding)

The above steps are performed at the sender's end; at the receiver's end the above steps are performed in reverse order, i.e. 4, 3, 2, 1.

Step-I Canonical conversion:
• There is a possibility that the computers used by the sender and the receiver are not of the same architecture and operating system.
• So there is a possibility that some content of the message would be represented differently on different computers.
• E.g. in MS-DOS the Enter key is represented by two characters, while in UNIX the Enter key is represented by one character.
• In order to maintain the appearance symmetry of the message on different machines, PEM transforms each e-mail message into an abstract canonical representation, i.e. the message is converted to a uniform and architecture-independent format.

Step-II Digital Signature:

Fig: Creation of Digital Signature over E-mail Message (E-Mail Message (M) → Message Digest Algorithm → MD (1010 1010 1010) → E with the sender's private key → Digital Signature (DS))


• As shown in the above block diagram, the e-mail message is passed through a message digest algorithm to generate the MD.
• The MD is encrypted using the sender's private key to generate the digital signature of the e-mail message.
• The digital signature and the message are combined and encrypted using a symmetric key, as shown in the next block diagram.

Step-III Encryption:

Fig: Encryption in PEM (E-Mail Message + Digital Signature (DS) → E with the symmetric key → Encrypted Result)

As shown, the e-mail message along with the DS is encrypted using a symmetric key.

Step-IV Base-64 Encoding:
This is the last step in PEM. Base-64 encoding (also called radix-64 encoding or ASCII armor) is a process that transforms binary input into portable characters.

Fig: Base-64 Encoding Concept (Input bit stream 1010101010001010... → divided into 24-bit blocks → each 24-bit block divided into four 6-bit blocks (101001 101010 ...) → each 6-bit block mapped to 8 bits)

• As shown in the above block diagram, the output of Step-III, i.e. the ciphertext (CT), is treated as the input stream.
• The input stream is divided into 24-bit blocks.
• Each 24-bit block is divided into four 6-bit blocks.

• Each 6-bit block is further mapped to an 8-bit block to produce the final result of Base-64 encoding.

Pretty Good Privacy (PGP):
Fig: Security features offered by PGP: Encryption, Non-repudiation, Message integrity
• Developed by Phil Zimmermann.
• Supports the basic requirements of cryptography.
• Simple to use and completely free, including its source code.
• Algorithms supported by PGP are RSA, DSS, CAST, IDEA and Triple DES (3DES).
• PGP is more popular and widely used as compared to PEM.
• The broad-level steps of PGP are shown in the following figure.
1. Digital signature
2. Compression
3. Encryption
4. Base-64 encoding
Fig: PGP Operations

Step-I Digital signature: Consists of creating a message digest of the e-mail message using the SHA-1 algorithm; the resulting message digest is then encrypted with the sender's private key, and the result is the sender's digital signature.

Step-II Compression: The input message and the digital signature are compressed together to reduce the size of the final message that will be transmitted. For compression the famous ZIP program is used. ZIP is based on the Lempel-Ziv algorithm. The Lempel-Ziv algorithm looks for repeated strings or words, stores them in variables, and then replaces each occurrence of the word by its variable.
Fig: Lempel-Ziv algorithm used by ZIP programs
Input string: What is your name? My name is abc
Variable creation & assignment: 1. A = is   2. B = What
Compressed string: 1 your 2? My 2 1 abc

Step-III Encryption: In this step the compressed output of Step-II is encrypted with a symmetric key; for this the IDEA algorithm in CFB mode is used.

Step-IV Digital enveloping:
• Here the symmetric key of Step-III is encrypted with the receiver's public key.
• The output of Step-II and Step-III together form the digital envelope.
Fig. Formation of digital envelope: symmetric key -> encrypted (E) with receiver's public key -> output of digital envelope
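Base-64 (radix-64, ASCII armor) is the final step of both PEM (Step-IV above) and PGP (Step-V below), and the notes describe it at the bit level. The following is an added example, not code from the notes: an encoder and decoder written directly from that 24-bit-block / four-6-bit-values description, cross-checked against Python's standard `base64` module. The sample ciphertext bytes are constructed for the demo (they are the first 32 bits of the bit string in the notes' figure), not real PEM output.

```python
import base64

# Radix-64 alphabet: the printable character each 6-bit value (0..63) maps to.
B64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
B64_LOOKUP = {c: i for i, c in enumerate(B64_ALPHABET)}


def b64_encode(data: bytes) -> str:
    """Base-64 encode exactly as the notes describe it: the input stream is cut
    into 24-bit (3-byte) blocks, each block is split into four 6-bit values,
    and each 6-bit value becomes one 8-bit printable character.  A trailing
    block of only 1 or 2 bytes is zero-padded to 24 bits and the characters
    that carry no input bits are written as '='."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        missing = 3 - len(block)                        # 0, 1 or 2 bytes short
        n = int.from_bytes(block + b"\x00" * missing, "big")   # the 24-bit block
        chars = [B64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if missing:
            chars[4 - missing:] = ["="] * missing
        out.append("".join(chars))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse step: four characters -> one 24-bit block -> up to 3 bytes.
    Malformed input is rejected rather than silently decoded."""
    if len(text) % 4:
        raise ValueError("Base-64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and not quad.endswith("=" * pad)):
            raise ValueError("'=' may only be the last one or two characters")
        if pad and i + 4 != len(text):
            raise ValueError("padding is only allowed in the final group")
        n = 0
        for c in quad:
            if c != "=" and c not in B64_LOOKUP:
                raise ValueError(f"character {c!r} is not in the radix-64 alphabet")
            n = (n << 6) | (0 if c == "=" else B64_LOOKUP[c])
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def is_ascii_armored(text: str) -> bool:
    """The point of the step: every output byte is a printable 7-bit character,
    so the ciphertext survives mail systems that only pass text."""
    return all(c in B64_ALPHABET or c == "=" for c in text)


def cross_check(data: bytes) -> bool:
    """Agree with the standard library and round-trip on the same input."""
    encoded = b64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64_decode(encoded) == data
            and is_ascii_armored(encoded))


if __name__ == "__main__":
    # Constructed sample: the first 32 bits of the notes' example bit string,
    # standing in for the ciphertext that PEM Step-III would produce.
    sample_ct = bytes.fromhex("aa8aaaa5")
    print(b64_encode(sample_ct))    # 4 bytes -> 8 characters, the last two '='
```

The '=' characters are how the receiver knows the last 24-bit block was short; without them the reverse step (4, 3, 2, 1 at the receiver) could not tell trailing zero padding from real ciphertext bytes.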

Step-V Base-64 encoding:
• As shown in the following block diagram, the output of Step-IV, i.e. the digital envelope, is treated as the input stream.
• The input stream is divided into 24-bit blocks.
• Each 24-bit block is divided into four 6-bit blocks.
• Each 6-bit block is further mapped to an 8-bit block to produce the final result of Base-64 encoding.
Fig. Base-64 Encoding Concept: input bit stream -> divided into 24-bit blocks -> each 24-bit block divided into four 6-bit blocks -> each 6-bit block mapped to an 8-bit character

Secure Multipurpose Internet Mail Extension (S/MIME):
• Traditional mail was text based; now users want to transfer text along with data files in various binary formats.
• To cater to this need of users, the MIME system extends the basic e-mail system.
• A MIME e-mail system contains the normal message along with some special headers and formatted sections of text.
• Each section can hold an ASCII-encoded portion of data.
• Each section starts with an explanation of how the data that follows should be interpreted or decoded at the recipient's end.
• The recipient's e-mail system uses the explanation to decode the data.

From: dpmishra <[email protected]>
To: Ashwini <[email protected]>
Subject: Regarding SMIME
MIME-Version: 1.0
Content-Type: image/gif
<Actual image data in binary form>

As shown in the above S/MIME message format, the content type is image/gif, so based on it the recipient's mail system will recognize that this is a .gif file and invoke an appropriate program that can read, interpret and display the content of the .gif file.

MIME Headers: The e-mail system provides headers like From, To, Date, Subject etc., whereas the MIME specification adds 5 new headers to the e-mail system which describe information about the body of the message:
1. MIME-Version: must have the value 1.0; this field indicates that the message conforms to RFC 2045 and 2046.

2. Content-Type: describes the data contained in the body of the message so that the receiving e-mail system can deal with the received e-mail message.
3. Content-Transfer-Encoding: specifies the type of transformation that has been used to represent the body of the message.
4. Content-ID: identifies MIME entities uniquely with reference to multiple contexts.
5. Content-Description: used when the body is not readable.

S/MIME functionality: very similar to PGP.
Note: when we enhance the basic MIME system to provide security features, it is called Secure Multipurpose Internet Mail Extension.

X.400:
X.400 is a messaging (notably e-mail) standard specified by ITU-TS (International Telecommunication Union – Telecommunication Standardization).
• It is an alternative to the SMTP protocol.
• X.400 is common in Europe and Canada.
• It is actually a set of standards, each in the 400 number range.
• X.400 is an official standard, whereas SMTP is a de facto standard.
• As X.400 is an official standard, products with it are more rigorously tested than products with SMTP implementations.
• X.400 offers more capabilities than SMTP.

IP and Web Security Protocols:
IPSEC (IP Security):
• An IP packet contains data in plain text format.
• The data of the packet can be watched by anyone through whom the packets are passing.
• We have seen some higher-level security mechanisms like PGP, PEM and S/MIME to prevent the problems related to the plaintext data of a packet.
• However there was a general feeling for a long time: why not secure the IP packet itself rather than relying on higher-layer protocols?
• If we are able to achieve IPSEC then there is no need to rely on a higher-level protocol.
• Thus we have two levels of security mechanism that can serve as additional security mechanisms or schemes:
• First, offer security at the IP packet level itself.
• Continue implementing higher-level security mechanisms depending on the requirement.
Fig. Security at the Internet layer as well as on the layers above it: Application layer and Transport layer (second level of security); Internet layer / IPSEC (first level of security); Data link layer; Physical layer
Fig: Conceptual IPSEC positioning in TCP/IP: on each of the two hosts the stack is Application, Transport, IPSEC, Phy/D-Link, with the message passing between them.
• An IP packet consists of two portions, i.e. the IP header and the actual data.
• IPSEC features are implemented in the form of additional IP headers (called extension headers).
• IPSEC offers two main services:
1. Authentication
2. Confidentiality
Each of the above services requires its own header.
Fig.: IPSEC Headers: Authentication Header (AH); Encapsulating Security Payload (ESP)

Authentication Header (AH):
• Provides authentication, integrity and an optional anti-replay service.
• The IPSEC AH is a header in the IP packet which contains a cryptographic checksum (similar to a message digest or hash).
• AH is simply inserted between the IP header and any subsequent packet content; no changes are required to the data contents of the packet. Thus security resides completely in the content of the AH.

Encapsulating Security Payload (ESP):
• This protocol provides data confidentiality.
• ESP also defines a new header to be inserted into the IP packet.
• ESP processing also includes transformation of the processed data into an unreadable encrypted format.
• At the recipient's end the AH is processed and checked by IPSEC; if it is correct, then decryption of the payload is carried out.
Both AH and ESP can be used in one of two modes.
Fig.: AH & ESP Modes of Operation: Tunnel mode; Transport mode

Tunnel Mode: In tunnel mode an encrypted tunnel is established between two hosts as shown below.
Fig: Tunnel mode: host X on Network1 -> proxy P1 -> tunnel -> proxy P2 -> host Y on Network2
• As shown in the above block diagram, X and Y are the two hosts that want to communicate with each other using an IPSEC tunnel.
• Both X and Y identify their respective proxy servers, say P1 and P2.
• A logical encrypted tunnel is established between P1 and P2.
• X sends information to P1, the tunnel carries the information from P1 to P2, and P2 forwards it to Y.
Fig: Implementation of Tunnel Mode: [external IP header: P1 <-> P2] [internal IP header & data: X <-> Y, data]
Fig: Shows IPSEC in Tunnel Mode

Transport Mode: Doesn't hide the actual source and destination addresses; they are visible in plain text while in transfer, as shown in the following block diagram.
Fig: Shows IPSEC in Transport Mode
• Protection covers the IP datagram payload (and selected header fields).
• Could be a TCP packet, UDP, or ICMP message.
• Host-to-host (end-to-end) security:
• IPSec processing is performed at the endpoints of the secure channel.
• So the endpoint hosts must be IPSec-aware, i.e. they must be able to do all the authentication and integrity checks plus all the deciphering.

The Internet Key Exchange (IKE) protocol:
• IKE is a supporting protocol used in IPSEC; this protocol is used for user key management.
• IKE is used to negotiate the cryptographic algorithms to be used later by AH and ESP in the actual cryptographic operation.
• The output of IKE is an SA (Security Association).
Fig: IKE operation steps between A and B: Step 1: algorithm and key negotiation using IKE; Step 2: actual AH & ESP operation

Security Association (SA): An SA is an agreement between the communicating parties about factors such as
1. IPSEC protocol version in use
2. Mode of operation (transport or tunnel mode)
3. Cryptographic algorithm
4. Cryptographic keys and lifetime of keys, etc.
Once the SA is established, both major IPSEC protocols (i.e. AH and ESP) make use of it for the actual operation.
Note: If both AH and ESP are used, the communicating parties require two sets of SAs, one for AH and the other for ESP.
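The anti-replay service that AH provides and the per-SA state that IKE negotiation produces are where most of the receiver-side logic lives. The following is an added example, not code from the notes and not a real IPsec stack: a per-SA sequence counter on the sender that refuses to wrap, a 64-entry sliding anti-replay window on the receiver, and a constructed integrity check value (HMAC-SHA256 truncated to 12 bytes, standing in for AH's real ICV) computed over SPI, sequence number and payload. The class and function names (OutboundSA, InboundSA, ah_icv, send, receive, simulate) and all keys and sequence numbers are this example's own.

```python
import hmac
import hashlib
from dataclasses import dataclass

SEQ_MAX = 0xFFFFFFFF   # AH and ESP carry a 32-bit sequence number
ICV_LEN = 12           # constructed: 96-bit truncated MAC, the length AH uses for HMAC-SHA1-96


@dataclass
class OutboundSA:
    """Sender-side SA state: the sequence number counter and the overflow rule
    that the SAD records as 'sequence counter overflow'."""
    spi: int
    key: bytes
    seq_counter: int = 0

    def next_seq(self) -> int:
        # The counter must never wrap within one SA: a repeated number would
        # defeat the receiver's window, so a new SA has to be negotiated first.
        if self.seq_counter >= SEQ_MAX:
            raise OverflowError("sequence counter exhausted: negotiate a new SA with IKE")
        self.seq_counter += 1
        return self.seq_counter


@dataclass
class InboundSA:
    """Receiver-side SA state: the sliding anti-replay window."""
    spi: int
    key: bytes
    window_size: int = 64
    highest_seq: int = 0   # right edge of the window (largest seq accepted so far)
    bitmap: int = 0        # bit i set  <=>  sequence number (highest_seq - i) was received

    def check_and_update(self, seq: int) -> bool:
        """True if seq is fresh (accept and record it); False if it is a
        replay or has fallen off the left edge of the window (drop)."""
        if seq == 0:
            return False                                   # 0 is never sent on an SA
        if seq > self.highest_seq:                         # new right edge: slide the window
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = 0 if shift >= self.window_size else (self.bitmap << shift) & mask
            self.bitmap |= 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                                   # too old
        if self.bitmap & (1 << offset):
            return False                                   # duplicate
        self.bitmap |= 1 << offset                         # late but first time: accept
        return True


def ah_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed stand-in for AH's integrity check value: a keyed MAC over
    the fields covered here (SPI, sequence number, payload), truncated."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


def send(sa: OutboundSA, payload: bytes) -> tuple:
    """Produce the (spi, seq, icv, payload) an AH sender would put on the wire."""
    seq = sa.next_seq()
    return (sa.spi, seq, ah_icv(sa.key, sa.spi, seq, payload), payload)


def receive(sa: InboundSA, packet: tuple) -> str:
    """AH receive processing: verify the ICV, then run the replay window.
    Returns 'accept', 'bad_icv' or 'replay'."""
    spi, seq, icv, payload = packet
    if spi != sa.spi or not hmac.compare_digest(icv, ah_icv(sa.key, spi, seq, payload)):
        return "bad_icv"      # forged or corrupted: the window is never touched
    return "accept" if sa.check_and_update(seq) else "replay"


def simulate(seqs, window_size=64):
    """Feed a constructed arrival order of sequence numbers through one
    inbound SA and return the per-packet verdicts."""
    sa = InboundSA(spi=0x1000, key=b"k", window_size=window_size)
    return [sa.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    key = b"constructed-shared-key"          # in IPsec this comes from IKE
    out_sa, in_sa = OutboundSA(0x1000, key), InboundSA(0x1000, key)
    first = send(out_sa, b"hello")
    print(receive(in_sa, first), receive(in_sa, send(out_sa, b"world")), receive(in_sa, first))
```

The ICV is checked before the window is updated so that a forged packet with a high sequence number cannot slide the window and make legitimate in-flight packets look "too old"; a real implementation may also do a cheap window pre-check before the MAC to save work on obvious replays.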

Fig: Security associations when AH and ESP are both used (the same four SAs are held at A and at B):
SA 1: traffic direction incoming, protocol AH
SA 2: traffic direction outgoing, protocol AH
SA 3: traffic direction incoming, protocol ESP
SA 4: traffic direction outgoing, protocol ESP
• Both communicating parties must allocate some storage area for storing the SA information at their end.
• For storage purposes a standard storage area called the Security Association Database (SAD) is predefined and used by IPSEC.
• So each communicating party is required to maintain its own SAD, which contains:
1. Sequence number counter
2. Sequence counter overflow
3. Anti-replay window
4. AH authentication
5. ESP authentication
6. ESP encryption
7. IPSEC protocol mode

Virtual Private Network (VPN):
There is a clear demarcation between private and public networks.
Public network: the public telephone system and the Internet.
Private network: made up of computers owned by a single organization, connected with each other.
Consider a corporate office that wants to connect two of its branches. The branches are situated at far distances, i.e. one in Bangalore and the other in Bhilai. For achieving this there are two solutions:
1. Connect the two branches using a personal network, i.e. lay cables or establish a radio link between the two branches.
2. Connect the two branches with the help of a public network such as the network of networks, or Internet.
Laying cable is the costliest solution and not a feasible one, so we have to opt for the second option, i.e. use a public network for joining the two branches.

What is a VPN? There are two ways to connect remote sites:
- Use a dedicated line (a private network).
- Use the Internet.
● Not private, so need to secure the connection.
● Want to keep the internal network hidden from the Internet.
● Want to allow two sites to access the LAN at each site as if part of the same network.
● The secure access using the Internet instead of a dedicated line is what makes it a Virtual Private Network.

Why VPN?
• Connect two sites securely through a public network.
• Allow remote access by individual users.
• Allow travelling users to remotely access the private network.
• If we remove the VPN link then the two sites will be separated from each other.
• By employing a VPN the two remote sites seem to be one single virtual site.

VPN architecture:
Fig: Architecture of VPN: host X on Network1 - Firewall1 - VPN tunnel over the Internet - Firewall2 - host Y on Network2
As shown in the above block diagram, two networks (two branch offices) are connected with each other through firewalls; the best possible configuration for setting up the firewalls was selected by the organization. The key point here is that the two firewalls are connected with each other through the Internet, as shown, via a VPN tunnel.
Let's consider that host X on Network-1 wants to transfer a data packet to host Y on Network-2. For this the following steps are used:
1. Host X creates the packet with header information X <----> Y and gives it to Firewall1.
   [X | Y | other header and data]
2. Firewall1 adds new headers to the packet as well as encrypting the original packet data.
   [F1 | F2 | AH | X | Y | other header and data] (the original packet information/data is now encrypted)
3. Now Firewall1 diverts the packet to Firewall2.

4. Firewall2 discards the outer header, checks the AH and decrypts the header information and payload; this results in the actual packet created in step 1.
Fig. Firewall-II retrieves the original packet content: [F1 | F2 | AH | X | Y | other header and data] -> [X | Y | other header and data]

Types of VPN:
1. Remote access VPN
2. Intranet VPN
3. Extranet VPN
Remote Access VPN: Gives remote or roaming users access to the main office / branch office, as shown in the above block diagram.
Intranet VPN: As shown in the above block diagram, an intranet VPN is used for joining different branches of an organization. The important thing here is that all the branches are connected through a common service provider.
Extranet VPN: As shown, the main branch and branch offices are joined by different service providers through the public network.

Advantages of VPN
1. Greater scalability
2. Easy to add or remove users
3. Reduced long-distance telecommunication cost
4. Mobility
5. Scalability
Drawbacks:
1. Lack of standards
2. Understanding of security issues
3. Unpredictable Intranet traffic
4. Difficult to accommodate products from different vendors

Secure Socket Layer (SSL):
• SSL is an Internet protocol used for secure exchange of information between a web browser and a web server.
• Provides two basic services:
- Authentication
- Confidentiality
• Logically it provides a secure pipe between the web browser and the web server.
• SSL was developed by Netscape Corporation in 1994; since then SSL has become the world's most popular web security mechanism.
• SSL is supported by all web browsers available in the market.
• SSL comes in three versions: 2, 3 and 3.1.
As shown in the figure, SSL can be conceptually considered as an additional layer in the TCP/IP protocol suite. The SSL layer is located between the transport layer and the application layer, as shown.
Fig: Conceptual SSL positioning in TCP/IP: Application layer; SSL; Transport layer; Internet layer; Physical layer
Fig: Encapsulation between X and Y: L5 data -> [SH | L5 data] -> [H4 | L4 data] -> [H3 | L3 data] -> [H2 | L2 data] -> bits on the wire (1010...), and the reverse at Y
• The application layer of the sender computer X prepares data to be sent to the receiving computer Y.
• In the normal case the application layer's data is passed to the transport layer directly, but here the data is passed to the SSL layer.
• The SSL layer encrypts the data received from the application layer and adds its own header information (SH).
• From the SSL layer the data is passed to the transport layer, which adds its own header H4, and so on; the rest of the process is similar to the normal TCP/IP protocol in which each and every layer adds its own header to the data received from the upper layer (i.e. the process of encapsulating data).
• At the receiving end exactly the reverse process is carried out: every layer verifies the data as per its own functionality, and if it is found correct it discards the corresponding header of that layer and passes the data up to the upper layer (i.e. the decapsulation process).

Format of an SSL handshake message: Type (1 byte) | Length (3 bytes) | Content (1 or more bytes)
Fig. SSL Handshake phases (web browser <-> web server): 1. Establish secure capabilities; 2. Server authentication & key exchange; 3. Client authentication & key exchange; 4. Finish

SSL Working: SSL has three sub-protocols, namely
1. Handshake protocol
2. Record protocol
3. Alert protocol
The above three sub-protocols constitute the overall working of SSL.

1. Handshake protocol
• The first sub-protocol of SSL, used by the client and server to communicate using SSL-enabled connections.
• The handshake protocol has a series of messages between client and server; the format of each message is Type, Length, Content, as shown above.

Phase-I: Establish security capabilities: This phase of the SSL handshake is used to initiate a logical connection, as shown below.
Fig. Phase 1 of SSL handshake protocol (web browser <-> web server): Step-1 Client Hello; Step-2 Server Hello
As shown in the above block diagram, the web browser and web server establish security capabilities by exchanging the SSL version, a random session ID, the cipher suite and the compression method.

Phase-II: Server authentication and key exchange:
• The server initiates the second phase of the SSL handshake and is the sole sender of all the messages in this phase.
• The client is the sole recipient of all these messages. This phase contains four steps, as shown below.
Fig. Phase 2 of SSL handshake protocol: Step 1: Certificate; Step 2: Server key exchange; Step 3: Certificate request; Step 4: Server Hello Done

Phase-III: Client authentication and key exchange:
• The client initiates the third phase of SSL and is the sole sender of all messages in this phase.
• The server is the sole recipient of all the messages. This phase contains three steps, as shown below.
Fig. Phase 3 of SSL handshake protocol: Step 1: Certificate; Step 2: Client key exchange; Step 3: Certificate verify
• The first step is optional and performed only if there is a request from the server.
• The second step relates to the client key exchange, and the key is for the symmetric algorithm.
• Here the client creates a 48 bit premaster secret, encrypts it with the server's key and sends this encrypted premaster secret to the server.
• The third step (certificate verify) is only necessary if the server has demanded client authentication. As we know, the client has already sent its certificate; now it is time for the client to prove to the server that it is the correct and authorized holder of the private key corresponding to the certificate.

Phase-IV: Finish
The client initiates the fourth phase of SSL. The first two messages are from the client, i.e. change cipher specification and finished; similarly the server responds with two identical messages, change cipher specification and finished.
Fig. Phase 4 of SSL handshake protocol: Step-1 Change cipher specification; Step-2 Finished; Step-3 Change cipher specification; Step-4 Finished

2. Record protocol
The record protocol in SSL comes into the picture after completion of a successful handshake between client and server. This protocol provides two services to an SSL connection, as follows:
1. Confidentiality: achieved by using the secret key that is defined by the handshake protocol.
2. Integrity: the handshake protocol also defines a shared secret key (MAC) that is used for assuring message integrity.

3. Alert protocol:
• When either the client or the server detects an error, the detecting party sends an alert message to the other party.
• If the error is fatal, both parties immediately close the connection and destroy the session identifier and the secret key associated with this connection.
• Non-fatal errors do not result in termination of the connection; instead the parties handle the error and continue the session.
Fig: Architecture of SSL: the SSL handshake protocol, SSL change cipher specification and SSL alert protocol (alongside HTTP) sit on top of the SSL record protocol, which sits on TCP, which sits on IP

Transport Layer Security (TLS):
• SSL is also called TLS after version 3.0.
• Transport layer security service.
• Originally developed by Netscape.
• Version 3 developed with public input.
• Subsequently became an Internet standard known as TLS (Transport Layer Security).
• Uses TCP to provide a reliable end-to-end service.
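The handshake message format given above (1-byte type, 3-byte length, content) and the Phase-I ClientHello fields (version, random, session ID, cipher suites, compression methods) are simple enough to parse by hand, and doing so shows the one check a record-layer implementation must make before trusting a header. The following is an added example, not code from the notes: the handshake type numbers and the two cipher-suite codes are the real SSL 3.0/TLS values, while the ClientHello bytes are constructed by build_client_hello rather than captured traffic, and the function names are this example's own. The parser refuses a message whose length field claims more bytes than the record actually holds.

```python
# Handshake message types (SSL 3.0 / TLS numbering).
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request",
    14: "server_hello_done", 15: "certificate_verify",
    16: "client_key_exchange", 20: "finished",
}

# Two real IANA cipher-suite codes, used by the constructed sample below.
CIPHER_SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_handshake_messages(payload: bytes) -> list:
    """Split a record payload into (type_name, body) pairs using the
    Type (1 byte) | Length (3 bytes) | Content header.  Raises ValueError if a
    header claims more bytes than are present (truncated or hostile input)."""
    msgs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"handshake body truncated: header says {length}, only {len(body)} present")
        msgs.append((HANDSHAKE_TYPES.get(msg_type, f"unknown({msg_type})"), body))
        pos += 4 + length
    return msgs


def _take(body: bytes, pos: int, n: int):
    """Bounds-checked slice: the next n bytes of body and the new position."""
    if pos + n > len(body):
        raise ValueError("ClientHello field runs past the end of the message")
    return body[pos:pos + n], pos + n


def parse_client_hello(body: bytes) -> dict:
    """Decode the Phase-I ClientHello: version, random, session ID, cipher
    suites (2-byte length + 2 bytes each) and compression methods (1-byte length)."""
    version, pos = _take(body, 0, 2)
    random_bytes, pos = _take(body, pos, 32)
    sid_len, pos = _take(body, pos, 1)
    session_id, pos = _take(body, pos, sid_len[0])
    cs_len_raw, pos = _take(body, pos, 2)
    cs_len = int.from_bytes(cs_len_raw, "big")
    if cs_len % 2:
        raise ValueError("cipher_suites length must be even")
    suites_raw, pos = _take(body, pos, cs_len)
    cm_len, pos = _take(body, pos, 1)
    comp_raw, pos = _take(body, pos, cm_len[0])
    suites = [int.from_bytes(suites_raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {
        "version": (version[0], version[1]),        # (3, 0) is SSL 3.0, (3, 1) is TLS 1.0 / "SSL 3.1"
        "random": random_bytes,
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites],
        "compression_methods": list(comp_raw),
    }


def build_client_hello(version=(3, 0), random_bytes=b"\x5a" * 32, session_id=b"",
                       cipher_suites=(0x002F, 0x000A), compression=(0,)) -> bytes:
    """Constructed ClientHello (not captured traffic) in the Type|Length|Content layout."""
    body = bytes(version) + random_bytes
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    body += len(suites).to_bytes(2, "big") + suites
    body += bytes([len(compression)]) + bytes(compression)
    return bytes([1]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for name, body in parse_handshake_messages(build_client_hello()):
        print(name, parse_client_hello(body) if name == "client_hello" else len(body))
```

The 3-byte length field means a single handshake message can claim up to 16 MiB; a parser that allocates or indexes on that number without comparing it to the bytes it actually received is the classic source of crashes in record-layer code, which is why every slice here is bounds-checked.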

• SSL has two layers of protocols.

UNIT-V SYSTEM SECURITY

Internet Security:
Security threats go on emerging in the Internet world due to mobile codes (software agents or rogue software), which are responsible for creating virus threats. Mobile code is a software agent which has the ability to move from one computer to another and also has the ability to get itself invoked without external influence.

Threats are divided into two major categories:
1. Threat to the local computing environment
2. Access control and threat to the server

Client threats: Security threats arise when downloaded data is passed through a local interpreter on the client machine without the user's knowledge. Client threats arise mostly due to malicious code; this refers to viruses like Trojan horse, worms, rabbits, chameleon, ordinary software bombs, timed software bombs and logical software bombs.

Threats to Server: Threats to the server consist of
1. Unauthorized modification of the server
2. Unauthorized modification of incoming data packets by exploiting a bug in the server software
3. The server can be attacked by denial of service, where the intruder makes the system unusable by destroying resources so that they cannot be used. The most common forms of denial of service attacks are service overloading and message overloading.

Service Overloading: Servers are vulnerable to service overloading; for example, a WWW server can easily be overloaded by a small loop that sends requests continuously for a particular file to the server. The server tries to respond, as it assumes each request is a genuine one. Hence, while providing services to all the requests, a stage is reached when the server is not able to satisfy the requests, so it denies providing services to them, i.e. denial of service occurs due to overloading of the server.

Message Overloading: Message overloading occurs when someone sends a very large file to the message box of the server every few seconds. Due to this the message box grows in size and begins to occupy the hard disk space, increases the number of receiving processes on the recipient machine and thereby causes a disk crash.

Virus:
• A small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must execute and replicate itself.
• A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are manmade.
• A computer program written by a smart person who chooses to be an idiot. (e-mail signature file)
• A program that replicates itself so as to infect more computers.
• Computer "viruses" and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "worm").
• Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Ways Viruses Are Transmitted
• Software (floppy disks and CDs)
• E-mail

7 Types of Viruses
• File infector viruses
• Boot sector viruses
• Master boot record viruses
• Multi-partite viruses
• Macro viruses
• Script viruses
• Companion viruses

File Infector Viruses
• Infect program files.
• Can infect other files when an infected program is run from floppy, hard drive, or network.
• Many are memory resident.
• After memory is infected, any non-infected executable that runs becomes infected.
• Examples: Jerusalem and Cascade

Boot Sector Viruses
• Infect the system area of a disk (the boot record on floppy/hard disks).
• Activated when the user starts up from an infected disk.
• Always memory resident in nature.
• Once in memory, all non-write-protected floppy disks will become infected when accessed.
• Examples: Form, Disk Killer, Michelangelo, and Stoned

Master Boot Record Viruses
• Similar to boot sector viruses except the viral code is located in a different area.
• Prevents the computer from booting.
• Examples: NYB, AntiExe, and Unashamed (Symantec.com)

Multi-Partite Viruses
• Infect boot records and program files.
• Boot area and files must both be cleaned of the virus or re-infection will occur.
• Difficult to repair.
• Examples: One Half, Emperor, Anthrax, and Tequila

Macro Viruses
• Most common type of virus.
• Infect data files: Word, Excel, PowerPoint and Access files.
• Use another program's internal programming language, which was created to allow users to automate certain tasks within that program.
• Examples: W97M.Melissa, WM.NiceDay, and W97M.Groov

Script Viruses
• Infect various script languages such as DOS, JavaScript, and Visual Basic Script.

Companion Viruses
• Execute through the operating system rather than directly infecting programs or boot sectors.
• When you execute the command 'ABC', ABC.COM executes before ABC.EXE. Thus, a companion virus could place its code in a COM file with its first name matching that of an existing EXE file. When the user next executed the 'ABC' command, the virus' ABC.COM program would be run.

• Executable Viruses - These are viruses hidden within executable files or posing as executable files.
• Visual Basic Script Viruses - Visual Basic Script (VBS) is a powerful programming language built into Windows. VBS viruses can send e-mails, delete files, rename files etc. VBS viruses often pretend to be something that they are not.
• Boot Sector Virus - resides in the boot sector of a hard disk or floppy. The boot sector is that portion of a disk that gives it its identity. After a given number of boots, the virus activates and the system is usually destroyed.
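The companion-virus condition described above is purely a naming condition: a .COM file sitting beside an .EXE of the same base name so that the command interpreter picks the .COM first. That makes it easy to check for from the defender's side. The following is an added example, not code from the notes: it flags such pairs in a list of file names (a constructed sample) and, through scan_directory, in a real directory, reading names only and executing nothing. The function names are this example's own.

```python
import os
from collections import defaultdict

# Extensions in the order DOS/Windows command interpreters historically tried
# them when a command was typed without an extension: .COM before .EXE.
SEARCH_ORDER = (".com", ".exe")


def find_companion_candidates(names):
    """Given the file names of ONE directory, return sorted (com_name, exe_name)
    pairs where a .COM file shares its base name with an .EXE file.  Matching
    is case-insensitive because DOS/Windows file names are."""
    by_stem = defaultdict(dict)
    for name in names:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in SEARCH_ORDER:
            by_stem[stem.lower()][ext] = name
    pairs = []
    for stem in sorted(by_stem):
        entry = by_stem[stem]
        if ".com" in entry and ".exe" in entry:
            pairs.append((entry[".com"], entry[".exe"]))
    return pairs


def scan_directory(path):
    """Run the same check on a real directory (names only; nothing is executed)."""
    return find_companion_candidates(os.listdir(path))


if __name__ == "__main__":
    # Constructed sample listing, not a real machine's directory.
    sample = ["SETUP.EXE", "setup.com", "README.TXT", "EDIT.COM",
              "NOTEPAD.EXE", "Backup.exe", "BACKUP.COM", "backup.com.bak"]
    for com, exe in find_companion_candidates(sample):
        print(f"{com} would run instead of {exe}")
```

A hit is only a candidate: some legitimate programs ship both a .COM and an .EXE, so each pair still has to be looked at (size, date, publisher), but a .COM that appeared next to a long-standing .EXE with no matching install is the pattern the notes describe.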

UNIT-V SYSTEM SECURITY CSIT 5/33 • Stealth Virus - designed to def Can be any one of the previously mentioned types, but were eat anti-viral scanning and other anti-viral detection software and acro ers to • Self-replicating program that are self contained and doesn’t require host ies of itself and executes them and generally it utilizes the network services to propagate to other host system. They will consume all resources on network and affects response time ly s using up the computer's resources and systems, or networks. • Worms – spreads by creating duplicates of itself on other drives, systems, Rabbits • Rabbits are similar to worms they too are full programs. However as soon as they are executed they are replicating themselves on the disk until its capacity is exhausted this process is then repeated on other nodes so that complete network comes to stand still. • Rabbits are less harmful as compared to worms since they are easily detected. methods. • Macro Viruses – These are very common and make use of the m functionality in Microsoft Office. Macros are mini-programs that allow us automate various commands within the program. Other Threats to Computers Worm program. It creates cop • A program or algorithm at replicates itself over a computer network and usual performs malicious actions, such a possibly shutting the system down. • A virus that spreads by creating duplicates of itself on other drives, or networks UNIT-V SYSTEM SECURITY CSIT 6/33 rom a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after e their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in pplication. Unlike horses do not replicate themselves but they can be just as the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. 
gment, which “explodes” as soon as it Trojan Horse • Program which appears to be harmless but has piece of code which is very harmful . Trojan horse is derived from the greek mythology Trojan horse here means to fool the common users , Hence all the rogue s/w delivered comes under

Page 87: Network Security[26.11.13] - Ggu.ac.in

... this category.

Trojan horse
• The term comes from the legend in which the Trojans drag the horse inside the city walls and Troy is captured.
• A destructive program that masquerades as a good/useful application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
• One of …

Software bombs
• Ordinary software bombs: a software bomb is a piece of code set to be executed without any delay, bringing the system to a grinding halt.
• Timed software bombs: similar to an ordinary software bomb, except that it becomes active only at a specific time or frequency.
• Logical software bombs: similar to an ordinary software bomb, except that it is activated only if a logical condition is satisfied (e.g. delete the employees' master data when gross salary exceeds, say, 10,000).

Chameleon
• A threat similar to a Trojan horse. It normally seems like a useful and correct program: it shows a logon screen to collect all the valid user names and passwords, then displays a message that the system is shut down, and later makes use of the collected passwords.

Backdoor
• Also called a trapdoor. An undocumented way of gaining access to a program, online service or an entire computer system. The backdoor is written by the programmer who creates the code for the program. It is often known only by the programmer. A backdoor is a potential security risk.

Malware
• Short for malicious software. Software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

Spyware
• Also called adware, spyware is any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.
• Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet.
• Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else.
• Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
• Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else.
• Aside from the questions of ethics and privacy, spyware steals from the user by using the computer's memory resources and also by eating bandwidth as it sends information back to the spyware's home base via the user's Internet connection.
• Because spyware is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Top Ten Viruses as of 05-23-2002
Lists as reported by TrendMicro, Sophos, McAfee and MessageLabs.

The Rogue's Gallery
Some of our more common and infamous viruses.

Klez (http://www.virus.uga.edu/klezalrt.html)
• What does it do?
– The Klez virus propagates by taking a randomly picked e-mail address from web pages, ICQ databases or Windows Address Books and inserting it as the From: address before sending out its payload to the rest of your address book. When you receive an e-mail from someone whose computer is infected, it may appear to come from an entirely different person.
– This means that the e-mail address in the From: field of the infected e-mail you receive is probably not infected with the virus. The From: e-mail address happens to be in the infected machine's address book.
• What else does it do?
– The virus can infect personal documents and send them out to others and, therefore, possibly send out confidential information.

Sircam (http://www.virus.uga.edu/scalrt.html)
• What does it do?
– Sircam is a mass-mailing e-mail worm with the ability to spread through Windows network shares. It sends e-mails with variable user names and subject fields, and attaches user documents with double extensions to them.
– Since the worm can pick any of the user's personal documents, it might send out confidential information.
• How does it spread?
– The worm uses the Windows Address Book, which is used by both the Outlook and Outlook Express e-mail clients, to collect e-mail addresses. The worm also looks for e-mail addresses in the \Windows\Temporary Internet Files\ folder, which is where Internet Explorer and other programs store temporary copies of downloaded web pages and other Internet files.
– When a Sircam-infected e-mail attachment is opened it shows the document it


picked up from the sender's machine. The file is displayed with the appropriate program according to its extension. This is so the recipient is unaware of the virus infecting his machine.

Nimda (http://www.f-secure.com/v-descs/nimda.shtml)
• What does it do?
– Nimda is a complex virus with a mass-mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users.
– It uses normal end-user machines to scan for vulnerable web sites. It is looking for the Unicode exploit to infect IIS web servers.
• How does it spread?
– The actual lifecycle of Nimda can be split into four parts: 1) infecting files, 2) mass mailing, 3) web worm and 4) LAN propagation.
– Infecting files: Nimda locates EXE files on the local machine and infects them. These files then spread the infection when people exchange programs.
– Mass mailing: it then locates e-mail addresses from your e-mail client as well as searching local HTML files for additional addresses. Then it sends one e-mail to each address. These mails contain an attachment called README.EXE, which might be executed automatically on some systems.
– Web worm: Nimda starts to scan the Internet, trying to locate web servers. Once a web server is found, the worm tries to infect it by using several known security holes. If this succeeds, the worm will modify random web pages on the site, which if viewed may infect the web surfer's computer.

Hybris (http://www.fsecure.com/v-descs/hybris.shtml)
• What does it do?
– Hybris is an Internet worm that spreads itself as an attachment to e-mail messages. It can upgrade itself via the Internet.
– Depending on the installed plugins, it can:
  • Infect all ZIP and RAR archives on all available drives. The worm renames EXE files in the archive with the .EX$ extension and adds its copy with the .EXE extension to the archive.
  • Infect DOS and Windows executable (*.exe) files. The worm changes them so that they become droppers: when run, they copy the worm's EXE file to the TEMP directory and execute it.
  • Depending on system date and time, show a "spiral" effect on the Windows desktop.
• How does it spread?
– The worm intercepts Windows functions that establish network connections, including those to the Internet. It reads the data that is sent and received, looking for e-mail addresses. When an address is found, the worm waits and then sends an infected message to each person.

Magistr (http://www.fsecure.com/v-descs/magistr.shtml)
• What does it do?
– Magistr is a very dangerous memory-resident worm combined with virus infection routines.
– The virus has an extremely dangerous payload, and depending on different conditions it erases hard drive data, CMOS memory and Flash BIOS contents.
– When the virus is run (from an infected message, for example, if a user clicks on it) it installs itself in Windows memory, then runs in the background, sleeps for a few minutes and runs its routines: local and network EXE file infection, e-mail spreading, etc.
– Depending on its internal counters the virus manifests itself: it gets access to the Windows desktop and does not allow access to icons on the desktop by mouse. When the mouse cursor is moved to an icon, the virus moves the icon out of the way of the cursor. It looks like the desktop icons try to "escape" the mouse cursor.
• How does it spread?
– Magistr spreads via the Internet with infected e-mails, infects Windows executable files on the infected (local) machine and is able to spread itself over a local network.
• Mass mailing:
– To send infected e-mails, the virus reads the settings of the installed e-mail clients: Outlook Express, Netscape Messenger, Internet Mail & News.
– The virus then scans the e-mail database files of those clients, gets e-mail addresses from there and sends itself to those addresses.
– The attachment name is variable; it can have an EXE or SCR extension. The virus looks on the system for an EXE file, infects it and attaches it to the message.
– The Subject and Body are randomly constructed from words and sentences found in .DOC and .TXT files on the system (the virus also scans local drives for these files and gets text from there).

How big is the virus problem?
Should I really worry about it? Can it really happen to me? YES!!!
• The number of known viruses surpassed 50,000 in August 2000. According to the anti-virus vendor Sophos, the number of new viruses discovered every month continues to rise.
• There are 808 viruses listed on the May 2002 WildList and Supplemental list.
• For a virus to be considered "in the wild", it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.
• Virus trends between 1999 and 2001 illustrate the threat to an e-mail system.
• In 1999, 1 in 1400 e-mails contained a virus. In 2000, it was 1 in 700, and 1 in 300 this year. Message Labs, an anti-virus vendor that specializes in scanning e-mail, predicts that if trends continue, by 2008 1 in 10 e-mails will contain a virus.

How do I get a virus?
I know what they are, but how do they work?
Methods of Attack
• MS Office document macros
• E-mail attachments
• Web pages
• Open network shares (peer-to-peer networking)
• Internet Relay Chat & Instant Messaging
• Floppy disks
• Macromedia Flash documents
• And new ways appearing all the time…

How do I protect myself from viruses?
How can I avoid this agony?
Steps to Protect Yourself
• Be paranoid.
• According to Murphy's law, "If anything can go wrong, it will."
• In computing, this is not as far from the truth as you might hope.
• Make sure you have an up-to-date anti-virus package installed on your computer.
• It is available for download from the Anti-Virus @ UGA website: http://www.virus.uga.edu
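Every worm above arrives as an e-mail attachment whose name is chosen to look harmless: Sircam attaches a stolen document with a double extension, Nimda uses README.EXE, Magistr an EXE or SCR file. The Go program below is an added example, not part of the original notes, of how a mail gateway or client could flag such attachment names before a user sees them; the extension lists and the sample file names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Extensions Windows executes directly when the file is double-clicked.
var executableExts = map[string]bool{
	"exe": true, "com": true, "scr": true, "pif": true, "bat": true,
	"cmd": true, "vbs": true, "vbe": true, "js": true, "jse": true,
}

// Extensions users expect to be inert documents or media.
var documentExts = map[string]bool{
	"doc": true, "xls": true, "txt": true, "jpg": true, "gif": true,
	"mpg": true, "wav": true, "pdf": true, "zip": true,
}

// Verdict records why an attachment name is suspicious.
type Verdict struct {
	Name       string
	Executable bool   // the final extension runs as code
	DoubleExt  bool   // a document extension sits in front of the real one
	ShownAs    string // what Windows displays with "hide known extensions" on
}

// Classify inspects an attachment file name the way a gateway filter would.
func Classify(name string) Verdict {
	v := Verdict{Name: name, ShownAs: name}
	parts := strings.Split(strings.ToLower(name), ".")
	if len(parts) < 2 {
		return v // no extension at all
	}
	last := parts[len(parts)-1]
	v.Executable = executableExts[last]
	// Sircam pattern: <document>.<doc ext>.<executable ext>
	if len(parts) >= 3 && documentExts[parts[len(parts)-2]] && v.Executable {
		v.DoubleExt = true
	}
	// Windows hides only the final known extension, so PICTURE.JPG.EXE
	// is displayed as PICTURE.JPG.
	if executableExts[last] || documentExts[last] {
		v.ShownAs = name[:strings.LastIndex(name, ".")]
	}
	return v
}

// ShouldQuarantine applies a conservative gateway policy: hold back anything
// that would execute as code, whether or not it wears a document disguise.
func ShouldQuarantine(name string) bool {
	return Classify(name).Executable
}

func main() {
	// Constructed sample attachment names modelled on the worms described.
	samples := []string{
		"README.EXE",      // Nimda style
		"Budget.doc.pif",  // Sircam style double extension
		"PICTURE.JPG.EXE", // the disguise warned about in the protection tips
		"Quarterly.xls",   // legitimate document
		"setup.scr",       // Magistr style
	}
	for _, s := range samples {
		v := Classify(s)
		fmt.Printf("%-16s shown as %-13s exec=%-5v double=%-5v quarantine=%v\n",
			s, v.ShownAs, v.Executable, v.DoubleExt, ShouldQuarantine(s))
	}
}
```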


• EITS currently provides the F-Secure Anti-Virus package for UGA student, faculty, and staff use.
• Do not open unexpected attachments.
• Increasingly, viruses are sent as attachments to e-mails. This is a particularly insidious method of transmission because often people will open attachments that have been sent by acquaintances, co-workers, or friends, only to find that the attachment is in fact a virus.
• Install patches for the software you use in a timely manner.
• There are viruses that exploit 'holes' or vulnerabilities in operating systems and applications. Anti-virus programs are generally able to protect you from this kind of 'malware' even if you have not installed the appropriate patch for that vulnerability.
• It is recommended that you visit your software manufacturer's Web site regularly to download and install new patches in a timely fashion.
• From http://online.securityfocus.com/infocus/1288
• Always scan floppy disks and CDs for viruses before using them.
• Despite the fact that approximately 85% of all registered cases of computer infection are transmitted through e-mail, we should not ignore the traditional transport for malware: mobile media (diskettes, compact disks, etc.).
• Users should always check these external media for viruses before using them on their computers. It is a simple, straightforward procedure to scan a disk with an anti-virus program. It takes just a few seconds, and can save hours of aggravation.
• From http://online.securityfocus.com/infocus/1288
• Be careful with software, even from a credible source.
• It is not just pirated software that may be infectious. Sometimes even licensed CDs with software from well-established, credible vendors may contain viruses. Also, software downloaded from the Internet may carry a virus. Another source of infection may be a computer that has been taken in for maintenance and is returned to its owner with a hard drive that is infected with a virus.
• From http://online.securityfocus.com/infocus/1288
• Create a virus-free start-up disk for your computer and keep it in a safe place.
• Sometimes an infected computer cannot be started. This does not mean that a virus has deleted data from your hard drive; it only means that your operating system cannot be loaded any more.
• To solve this problem, you should use a virus-free start-up diskette containing an anti-virus program that has been developed for your operating system. This anti-virus diskette will help you to start your computer and delete any viruses in your operating system.
• From http://online.securityfocus.com/infocus/1288
• Back up your files regularly.
• Although this rule will not protect against virus infection, it will allow you to protect your valuable data in case your computer becomes infected (or, as an added bonus, if you have any other problems with your hardware).
• It is advisable to back up your most valuable data using external media, such as diskettes, MO disks, magnetic tapes, CDs, etc. In this case, whatever might happen, you will always be prepared.
• From http://online.securityfocus.com/infocus/1288
• Make file extensions visible.
• It is safe to run non-executable file content, such as JPGs, MPGs, GIFs, WAVs, etc. You just need to make sure they aren't executables in disguise.
• Most Windows versions will hide known file extensions. Thus, a seemingly innocuously named file, PICTURE.JPG, may be PICTURE.JPG.EXE. In Windows Explorer, look for the file extension hiding option under Folder Options.
• From http://security.oreilly.com/news/maliciouscode_0801.html
• Don't share your hard drive (disable file sharing on your hard drive).
• If you do need to provide some file and print sharing, don't give away the keys to the kingdom: use a password, and ONLY give the minimum that you have to. A directory (folder) is much better than giving all of C:\, and read-only is better than full access. If you have to give a C:\ administrative share, limit the number of people who can use it.
• There is a very simple way for Windows users to eliminate the threat of "accidentally" executing a VBS attachment to an e-mail. By doing the following steps, if you ever "accidentally" click on a worm or virus written in Visual Basic, it will pop open in Notepad rather than executing.
[1] Go to any open Windows Explorer or File Manager window.
[2] On the pull-down menus, select "Options" on the "View" pull-down.
[3] Select the "File Types" tab.
[4] Scroll down until you see the .vbs file type.
[5] For each of them, highlight the entry and select "Edit."
[6] Highlight "Open" and select "Edit."
[7] Change the "application used to perform action" from "wscript.exe" to the path name for where "notepad.exe" is located. This is likely either "C:\windows\notepad.exe" or "C:\WINNT\notepad.exe." You can use the file find feature to locate the proper path.
[8] Once changed, click "OK" and "Close."
[9] Repeat for the .vbe file type.

Ways to Protect Your Computer From Viruses
• Install an anti-virus program.
• Be cautious of e-mail attachments from unknown sources.
• Do not set your e-mail program to auto-run attachments.
• Write-protect floppy disks when finished.
• Remove disks from the disk drive before shutting down/restarting the computer.

Some Popular Antivirus Programs
• Norton Antivirus
• McAfee VirusScan

FIREWALL
Every time a corporate connects its Intranet to the Internet it faces potential danger. Due to the openness of the Internet there is a possibility of attack by hackers and intruders to cause harm to the local computing environment in a number of ways:
• They can steal or damage important data
• Damage an individual computer or the entire network
• Use the corporate's computer resources
The solution for all such types of threats and many more is to build a firewall to protect the Intranet.

What is a firewall?
• A firewall is any mechanism that acts to restrict access to a network according to a set of defined rules.
• Firewalls function as "front doors" to a network.
• A firewall is a combination of hardware and software; firewalls are built up by using routers, servers and a variety of software and are placed in between the Internet and the Intranet.
• A set of programs residing on a "gateway server" that protect the resources of an internal network.
• A network device or a host that connects two or more networks.
• A device able to monitor each packet to determine whether to forward it toward its destination.
• A device able to evaluate packets with the objective to control, modify and filter network traffic.

Advantages
• Hiding network information
• Application/content-level filtering
• Fail-over and load-balancing features
• Single point of control (easy to control access)
• Powerful logging features

Disadvantages
• Increases the communication latency/delay
• Proxy per application and no generic one
• Client might need to be modified/reconfigured to use the proxy server
• Connections which bypass firewall services introduce vulnerabilities
• Insiders can exercise internal vulnerabilities
• Performance may suffer
• Single point of failure

How do they work?
• By inspecting traffic that travels across/through them according to the policy that's been set.

How are they set up?
• Act as a go-between for any two given networks
• All traffic between external and internal networks must go through the firewall
• The firewall has the opportunity to ensure that only suitable traffic goes back and forth

Firewall Architectures
Fig.: Simple firewall architecture (Intranet, inner barrier, bastion host, outer barrier, Internet).


Requisites of Good Firewall Systems
Requisites depend totally on the security requirements; however, one should check some attributes before commissioning any type of firewall system:
• The firewall system should be able to support or deny services, i.e. deny all services except those that are specifically permitted
• The firewall system should possess flexibility, i.e. it must have the ability to accommodate new changes based on the company's policy
• It should contain advanced authentication measures
• It should employ filtering techniques

Firewall Rules
• Packet filters / FW rules: to implement the FW policy
• Questions to ask:
  • Which services do you want to offer on the network, and in which direction?
  • Do you want to restrict user Internet access: which, what and when?
  • Are there any trusted external hosts to which you want to give network access?
• Fields used to filter packets:
  • IP headers: options, protocol, src/dest IP
  • TCP and UDP: src/dest port, flags, SYN and ACK bits

Firewall Rules Basis
• Interface name (the FW may have more than one incoming/outgoing link)
• Interface or traffic direction
• Source and destination IP address: this includes broadcast and multicast addresses
• IP options: need to check this for source routing
• ICMP
• Transport protocols: UDP, TCP, IPX, ...
• Well-known TCP/UDP services: WEB, FTP, etc.
• More restricted rules come first to avoid rule conflicts and shadowing:
  1. Permit ANY TCP incoming (more general)
  2. Deny DestPort=25 TCP incoming (will be shadowed by 1)

PACKET FILTERING FIREWALLS
A packet filtering firewall examines each and every incoming and outgoing


IP packet flowing through it. By examining specific fields in the IP datagram headers, the firewall decides whether to allow the packet to come inside / go outside or to discard the packet. Key fields tested by the firewall are:
• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port

Packet filtering firewalls
• Packet filtering firewalls decide whether or not to forward packets based on
  o source and destination IP addresses
  o protocol field
  o source and destination port numbers
  o SYN flag settings
• Rules dictate whether or not packets should be forwarded
• Inspects packets in isolation
• Does not keep track of connection state
• Susceptible to application layer attacks

Fig.: IP packet screening router applying filtering/screening rules between the internal clients and the Usenet, e-mail, WWW and FTP servers.

As shown in the above figure, the firewall router filters incoming and outgoing packets based on the security rules that are set at the time of configuring the firewall host, based on the company's policies. E.g., if the company doesn't offer FTP services to outsiders, then the firewall is configured to reject requests related to FTP.
• Can do: allow incoming telnet from a particular host
• Cannot do: allow incoming telnet from a particular user

An example: ports >1024!
Objective: allow a network application (based on sockets) to be accessible by hosts outside your local LAN:
• The software is made of a main process that receives connection requests on port 999.
• Then the main process creates a new process for each new connection. New processes wait for client data on ports from 40001 to 41000.
• The main process sends a reply to the client (in the payload of a UDP packet) with the port to use to connect to the dedicated process.
• The client receives the packet, reads the port (ex: 40001) and sends the next packet to port 40001 of the same server.
• A stateless firewall will REJECT the packet because ports >1024 are closed.
• With a stateless firewall, if you want to allow your server to work properly with hosts outside your LAN you must open all ports >1024.
• A stateful firewall allows you to leave ports >1024 closed.

Stateful vs. Stateless Firewalls
• Stateless firewalls can make filter decisions based only on:
  o source/destination addresses and ports
• Stateful firewalls associate a packet to a state and can make decisions based on:
  o source/destination addresses and ports
  o state of the packet

Drawbacks of packet filtering firewalls:
1. Packet filtering rules can be complex
2. Logging facility is not provided by such firewalls
3. If TCP/UDP packet filtering is not implemented fully, it can lead to security holes
4. Cannot handle RPC (Remote Procedure Calls)

• Two main types of filtering firewall:
  – Routing-based filters
    • From where did you come?
    • Where are you going?
    • Don't care what you do once you get there.
  – Content-based filters
    • What are you trying to do?
    • Not as common as routing-based because it's harder to implement successfully
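To make the rule-ordering and stateless-versus-stateful points concrete, here is an added Go example (not from the notes) of a first-match packet filter: it detects the shadowing in the two-rule example above, and contrasts a stateless decision with one that tracks connection state so that reply traffic to a port above 1024 passes without that port being opened. Rule names, addresses and packets are constructed; the notes' UDP case, where the new port is announced inside a payload, would additionally need an application-aware helper, which this example does not implement.

```go
package main

import "fmt"

// Packet holds the header fields a packet filter actually tests.
type Packet struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool   // TCP flags
	Dir              string // "in" from the Internet, "out" from the Intranet
}
// Rule is one line of a first-match rule set; empty or zero fields are wildcards.
type Rule struct {
	Name    string
	Permit  bool
	Proto   string
	DstIP   string
	DstPort int    // 0 = any port
	Dir     string // "" = either direction
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstIP == "" || r.DstIP == p.DstIP) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Dir == "" || r.Dir == p.Dir)
}
// covers reports whether a matches every packet that b matches: a wildcard in
// b is passed as the zero value, which only a wildcard in a can match.
func (a Rule) covers(b Rule) bool {
	return a.matches(Packet{Proto: b.Proto, DstIP: b.DstIP, DstPort: b.DstPort, Dir: b.Dir})
}
// Shadowed lists rules that can never fire because an earlier rule already
// matches everything they match (the conflict the notes warn about).
func Shadowed(rules []Rule) []string {
	var out []string
	for i, later := range rules {
		for _, earlier := range rules[:i] {
			if earlier.covers(later) {
				out = append(out, later.Name)
				break
			}
		}
	}
	return out
}
// StatelessDecide inspects the packet in isolation: first match wins,
// anything unmatched is dropped.
func StatelessDecide(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Permit
		}
	}
	return false
}

type connKey struct{ proto, aIP, bIP string; aPort, bPort int }

// StatefulFirewall remembers the connections it has permitted, so replies
// pass without any standing rule opening the ports above 1024.
type StatefulFirewall struct {
	Rules []Rule
	conns map[connKey]bool
}

func NewStateful(rules []Rule) *StatefulFirewall {
	return &StatefulFirewall{Rules: rules, conns: map[connKey]bool{}}
}
// Decide passes packets of a tracked connection; otherwise only a connection
// opener that the rules permit is accepted, and it is then recorded as state.
func (f *StatefulFirewall) Decide(p Packet) bool {
	fwd := connKey{p.Proto, p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}
	rev := connKey{p.Proto, p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}
	if f.conns[fwd] || f.conns[rev] {
		return true
	}
	if p.Proto == "tcp" && (!p.SYN || p.ACK) {
		return false // mid-stream TCP segment with no state: drop it
	}
	if !StatelessDecide(f.Rules, p) {
		return false
	}
	f.conns[fwd] = true
	return true
}

func main() {
	// The ordering from the notes: the general permit shadows the specific deny.
	bad := []Rule{{Name: "permit-any-tcp-in", Permit: true, Proto: "tcp", Dir: "in"},
		{Name: "deny-smtp-in", Permit: false, Proto: "tcp", DstPort: 25, Dir: "in"}}
	fmt.Println("shadowed:", Shadowed(bad))
	// Corrected policy: the specific deny first, one service in, everything out.
	good := []Rule{bad[1], {Name: "permit-app-in", Permit: true, Proto: "tcp", DstIP: "10.0.0.5", DstPort: 999, Dir: "in"},
		{Name: "permit-out", Permit: true, Dir: "out"}}
	// Constructed traffic: an Intranet client opens a web connection; the SYN/ACK returns to port 51000.
	out := Packet{"tcp", "10.0.0.7", "203.0.113.9", 51000, 80, true, false, "out"}
	reply := Packet{"tcp", "203.0.113.9", "10.0.0.7", 80, 51000, true, true, "in"}
	fw := NewStateful(good)
	fmt.Println("stateless reply:", StatelessDecide(good, reply)) // false: 51000 is closed
	fmt.Println("stateful:", fw.Decide(out), fw.Decide(reply))   // true true
}
```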


Proxy Application Gateways
In such a type of firewall the remote host or network can interact only with the proxy server (proxy application gateway). The proxy server is responsible for hiding the details of the internal network, i.e. the Intranet. If the remote host wants to avail itself of the facilities placed inside the company, the proxy first authenticates the remote host/user, then it creates a session between the application gateway and the internal host and allows the transmission of packets, and maintains the log details of the user too.

Fig.: Proxy server running on the firewall machine that connects to the Internet; clients inside the firewall; Web HTTP, FTP, Gopher, Telnet and USENET servers on a secure subnet inside the firewall security perimeter.

As shown in the figure, the proxy application gateway is a special server which runs on the firewall machine. If users, inside or outside, have to share data, they have to divert their requests to the proxy server; the proxy applies the security policy by authenticating the user and then establishes and maintains the session between the end users.
Gopher: a server application that allows you to browse a huge amount of information by performing remote logins and FTP.

Advantages of Application Gateways:
1. The proxy authenticates only those services for which it is configured/installed
2. Robust authentication and logging facility
3. Cost effectiveness
4. Less complex filtering rules

Hardened Firewall Hosts (HFH):
Hardened firewall hosts are similar to proxy application gateways and are configured for increased security. This type of firewall requires an inside or outside user to connect to some trusted application running on the firewall machine before getting connected further. These firewalls are configured to protect against unauthorized interactive logins from the external world.


Steps required to set up an HFH:
• Remove all user accounts except those that are necessary for the operation of the firewall machine
• Remove all non-crucial files and executables, especially network server programs and client programs like FTP and Telnet
• Extend the traffic logging and monitoring features to check remote access
• Disable IP forwarding to prevent the firewall from forwarding unauthorized packets

Advantages:
• Concentration of security
• Centralized and simplified network services management
• Information hiding: the ability to hide the company's Intranet

Drawbacks:
• Concentrates security at one spot as opposed to distributing it among systems
• S/w support is not enough, as few vendors are offering HFH

AAA Security:
AAA (Authentication, Authorization and Accounting) Security works similarly to a proxy application gateway. In this too the user must get himself authenticated by the security system for availing the facilities that are kept inside or outside of the company, i.e. it is a compulsion on clients to get themselves logged on to the security system, and then only would they be authorized to avail facilities based on the policies set on the security system. After giving the authorization, the AAA system will maintain the details of the data packet transactions for the purpose of further accounting/auditing.

Fig.: AAA Security placed between the Intranet and the Internet.

Two ways to approach the rule sets:
– Allow all except what is defined as unwanted
  • Place roadblocks/watch gates along a wide open road.
– Deny all except what is defined as wanted


  • Build a wall and carve paths for everyone you like.
Problems:
– Firewalls as filters can be considered for the most part to be infallible... but as a security measure? They can only enforce rules (generally static).
– "Crunchy on the outside, but soft and chewy on the inside."
– People don't just put up a thick front door for their sensitive belongings; you shouldn't for your network either.
Conclusions
– Firewalls are an effective start to securing a network. Not a finish.
– Care must be taken to construct an appropriate set of rules that will enforce your policy.

SET (Secure Electronic Transaction)
• SET is an open encryption & security specification
• Designed for protecting credit card transactions
• Pioneered in 1996 by MasterCard and Visa jointly
• MasterCard & Visa were later joined by IBM, Microsoft, Netscape, RSA, Terisa and VeriSign
• In 1998 the first generation of SET-compliant products appeared in the market
• SET is not a payment system
• It is a security protocol
• It enables users to employ the existing payment infrastructure on the Internet in a secure manner

SET Services
• Provides a secure communication channel among all parties in e-commerce
• Provides authentication by the use of digital certificates
• Ensures confidentiality by providing information to the parties involved in a transaction only when and where necessary

Summary of SET Participants
SET has a complex specification; when released it was 971 pages, so we see a summary.
1. Cardholder: authorized holder of a payment card such as a MasterCard or Visa card
2. Merchant: person or organisation that wants to sell goods or services to the cardholder
3. Issuer: financial institution that provides the payment card to the cardholder


4. Acquirer: financial institution that has a relationship with the merchant for processing payment cards, authorizations & payments
5. Payment gateway: processes the payment messages on behalf of the merchant. The payment gateway acts as the interface between SET and the existing card payment network for payment authorization.

SET Process
1. Customer opens an account: the customer opens a credit card account with a bank that supports the electronic payment mechanism and the SET protocol.
2. Customer receives a certificate: after the customer's identity is verified, the customer receives a digital certificate from a CA.
3. Merchant receives a certificate: a merchant that wants to accept a particular brand of card must possess a digital certificate.
4. Customer places an order: typical shopping cart process and order placement. The merchant sends back the details of the purchase and the total bill to the customer for his record.
5. Merchant is verified: the merchant sends its digital certificate to the customer to assure him that he is dealing with a valid merchant.
6. Order and payment details are sent: the customer sends both order and payment details to the merchant along with his digital certificate.
7. Merchant requests payment authorization: the merchant forwards the payment details sent by the customer to the payment gateway via the acquirer, with a request to authorize the payment (to ensure the validity and limit of the credit).
8. Payment gateway authorizes the payment: the payment gateway verifies the received details of the customer's credit card with the issuer and either authorizes or rejects the payment.
9. Merchant confirms the order: assuming that the payment gateway authorizes the payment, the merchant sends a confirmation of the order to the customer.
10. Merchant provides goods or services: the merchant now ships the goods or provides the services as per the customer's order.
11. Merchant requests payment: the payment gateway receives a request from the merchant for making the payment. The payment gateway interacts with financial institutions such as the issuer, the acquirer and the clearing house to effect payment from the customer's account to the merchant's account.

How SET achieves its objective of Confidentiality
• The main concern in an online transaction is that the merchant demands the credit card number.
• There are two aspects of the above:
  1. The credit card number may travel in clear text format, which gives an intruder the opportunity to learn the number and misuse it.
  2. The credit card number is available to the merchant, who may misuse it.
• The first aspect is dealt with by SSL, as all information exchange is done through SSL in encrypted format.
• The second aspect is the important one, which is not achieved by SSL, i.e. protection of the credit card number from the merchant.
• So SET is very important, as it hides the credit card details from the merchant.
• The concept of hiding the credit card number from the merchant is based on digital enveloping.

Digital Enveloping in SET
• The SET software prepares the PI (Payment Information) on the cardholder's computer; it contains the credit card details.
• The cardholder's computer now prepares a one-time session key.
• Using the one-time session key, the cardholder's computer encrypts the PI.
• Now the cardholder's computer wraps the one-time session key with the public key of the payment gateway to form a digital envelope.
• It then sends the encrypted PI and the digital envelope together to the merchant, who passes them on to the gateway.

Important points
• The merchant has access to the encrypted PI, so he cannot read the PI.
• If he wants to read the PI, he needs the one-time session key that was used to encrypt the payment information.
• The interesting fact is that the one-time session key itself is encrypted with the public key of the payment gateway to form the digital envelope.

Fig.: Cardholder → Merchant → Payment Gateway. The cardholder (1) creates a one-time session key KS, (2) encrypts the PI with KS, giving E_KS(PI), and (3) encrypts KS with the public key of the payment gateway, giving E_KUpg(KS). The merchant is unable to read the payment details, as the one-time session key is needed.

SET Internals
The major transactions supported by SET are:
1. Purchase request
2. Payment authorization
3. Payment capture

Purchase Request
Before the transaction begins, the cardholder is assumed to have completed browsing, selecting and ordering the items. The purchase request exchange is made up of four messages:
1. Initiate request
2. Initiate response
3. Purchase request
4. Purchase response

Step I: Initiate Request (Cardholder → Merchant)
1. Please send me your digital certificate and that of the payment gateway.
2. Here is my unique ID to identify our interaction, and here is my credit card's issuer number.


Step II: Initiate Response (Merchant → Cardholder)
Here is my transaction ID and the digital certificates of the payment gateway and myself.

Step III: Purchase Request (Cardholder → Merchant)
Here are my OI and PI details along with the digital envelope: OI + E(PI) + E(SK)
OI: Order Information
PI: Payment Information

Step IV: Purchase Response (Merchant → Cardholder)
OK, here is the result of processing your order.

II. Payment Authorization
This process ensures that the issuer of the card approves the transaction.
Fig.: Authorization request (Merchant → Payment Gateway)
1. Purchase information
2. Authorization information
3. Cardholder's and my certificates
Fig.: Authorization response (Payment Gateway → Merchant)
1. Validations are OK
2. Authorization information
3. Token information
4. Digital certificate
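The digital enveloping of the PI and the Step III purchase request (OI + E(PI) + E(SK)) described above, worked through in Go as an added example that is not part of the notes or of the SET specification: AES-GCM stands in for the symmetric cipher, RSA-OAEP for the public-key wrapping, the merchant is modelled simply as a party holding a different private key, and the order and card data are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PurchaseRequest is the Step III message: the OI readable by the merchant,
// E_Ks(PI) and the digital envelope E_KUpg(Ks) readable only by the gateway.
type PurchaseRequest struct {
	OI          string // order information, in the clear
	EncryptedPI []byte // AES-GCM nonce followed by the ciphertext of PI
	Envelope    []byte // one-time key Ks wrapped with the gateway's RSA public key
}

var envelopeLabel = []byte("SET-digital-envelope") // OAEP label, constructed for the example

// NewKey generates an RSA key pair for one of the parties (example helper).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CardholderSeal does what the notes describe on the cardholder's computer:
// fresh one-time session key, PI encrypted under it, key wrapped for the gateway.
func CardholderSeal(oi, pi string, gatewayPub *rsa.PublicKey) (*PurchaseRequest, error) {
	ks := make([]byte, 32) // one-time session key Ks (AES-256)
	if _, err := rand.Read(ks); err != nil {
		return nil, err
	}
	gcm, err := newGCM(ks)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The OI is bound in as additional data, so a PI cannot be re-attached to another order.
	encPI := gcm.Seal(nonce, nonce, []byte(pi), []byte(oi))
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, ks, envelopeLabel)
	if err != nil {
		return nil, err
	}
	return &PurchaseRequest{OI: oi, EncryptedPI: encPI, Envelope: env}, nil
}

// GatewayOpen is the step only the payment gateway can perform: unwrap Ks with
// its private key, then decrypt PI with Ks. Any other private key fails at the
// first step, which is exactly the merchant's position.
func GatewayOpen(req *PurchaseRequest, priv *rsa.PrivateKey) (string, error) {
	ks, err := rsa.DecryptOAEP(sha256.New(), nil, priv, req.Envelope, envelopeLabel)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(ks)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(req.EncryptedPI) < n {
		return "", errors.New("encrypted PI too short")
	}
	pi, err := gcm.Open(nil, req.EncryptedPI[:n], req.EncryptedPI[n:], []byte(req.OI))
	if err != nil {
		return "", err
	}
	return string(pi), nil
}

func main() {
	gateway, merchant := NewKey(), NewKey()
	// Constructed order and payment information; the card number is a placeholder.
	req, err := CardholderSeal("order 1234: 2 books, total 45.00", "PAN=0000000000000000 EXP=12/09", &gateway.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees OI:", req.OI)
	if _, err := GatewayOpen(req, merchant); err != nil {
		fmt.Println("merchant cannot open the envelope:", err)
	}
	pi, err := GatewayOpen(req, gateway)
	fmt.Println("gateway reads PI:", pi, err)
}
```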


III. Payment Capture
Step I: Capture request: the merchant generates, signs and encrypts a capture request block that includes the payment amount and the transaction ID in encrypted format.
Fig.: Capture request for payment (Merchant → Payment Gateway)
1. Need payment for the purchase
2. Transaction ID
3. Amount token
4. My digital certificate
Step II: Capture response
Fig.: Capture response (Payment Gateway → Merchant)
1. Payment authorized
2. Details of payment
3. Digital signature of the PG

Advantages
• Extremely secure
– Fraud reduced since all parties are authenticated
– Requires all parties to have certificates

Problems with SET
– Not easy to implement
– Not as inexpensive as expected
– Expensive to integrate with legacy applications
– Not tried and tested, and often not needed
– Scalability is still in question

That's All! Questions!

Electronic Money: E-Cash
• E-cash is one of the ways of paying/making payments on the Internet
• E-cash is nothing but money represented by a computer file
• i.e. the physical form of money is converted into the binary form of computer data

Requirements for e-payments
• Atomicity

Page 108: Network Security[26.11.13] - Ggu.ac.in

– Money is not lost or created during a transfer
• Good atomicity
– Money and goods are exchanged atomically
• Non-repudiation
– No party can deny its role in the transaction
– Digital signatures

Desirable Properties of E-Cash
• Universally accepted
• Transferable electronically
• Non-forgeable, non-stealable
• Private (no one except the parties knows the amount)
• Anonymous (no one can identify the payer)
• Works off-line (no on-line verification needed)
No known system satisfies all.

Types of E-payments
• E-cash
• Electronic wallets
• Smart card
• Credit card

E-cash Concept
Fig.: E-cash flow between Consumer, Merchant and Bank
1. Consumer buys e-cash from Bank
2. Bank sends e-cash bits to consumer (after charging that amount plus fee)
3. Consumer sends e-cash to merchant
4. Merchant checks with Bank that e-cash is valid (check for forgery or fraud)
5. Bank verifies that e-cash is valid
6. Parties complete transaction: e.g., merchant presents e-cash to issuing bank for deposit once goods or services are delivered
Consumer still has (invalid) e-cash

Obtaining e-money from Bank

Page 109: Network Security[26.11.13] - Ggu.ac.in

Fig.: Customer <-> Bank
- Customer opens an account with the bank
- When he needs money, he sends an e-mail demanding money in encrypted format
- Bank authenticates the message and debits the customer's A/C
- Bank sends the money as a computer file to the customer; this file is also encrypted

Making Purchase using E-money
Fig.: Customer -> Merchant
- When the customer wants to purchase, he sends the necessary file to the merchant in encrypted format

Merchant paid from Bank
Fig.: Merchant -> Bank
- Merchant sends the file(s) to the bank, which are verified by the bank
- Based on verification, bank credits

Page 110: Network Security[26.11.13] - Ggu.ac.in

merchant account with that much amount

Security Mechanism in E-Money
• Security mechanism is similar to SET & SSL
Fig.: Bank sends electronic money to the customer after encrypting it twice: original message ($454545) -> encrypt with bank's private key -> encrypt with customer's public key -> twice-encrypted data (^^`A)

Customer receives money and decrypts it
Fig.: Customer decrypts the twice-encrypted data (^^`A): decrypt with customer's private key -> decrypt with bank's public key -> $454545

Electronic Cash Issues
• E-cash must allow spending only once
• Must be anonymous, just like regular currency
– Safeguards must be in place to prevent counterfeiting
– Must be independent and freely transferable regardless of nationality or storage mechanism
• Divisibility and convenience
• Complex transaction (checking with Bank)
– Atomicity problem

Advantages and Disadvantages of Electronic Cash
• Advantages
– More efficient, eventually meaning lower prices
– Lower transaction costs
– Anybody can use it, unlike credit cards, and it does not require special authorization
• Disadvantages
– Tax trail non-existent, like regular cash
– Money laundering
– Susceptible to forgery

Electronic Cash Security
• Complex cryptographic algorithms prevent

Page 111: Network Security[26.11.13] - Ggu.ac.in

double spending
– Anonymity is preserved unless double spending is attempted
• Serial numbers can allow tracing to prevent money laundering
– Does not prevent double spending, since the merchant or consumer could be at fault

Past and Present E-cash Systems
• Checkfree
– Allows payment with online electronic checks
• Clickshare
– Designed for magazine and newspaper publishers
– Miscast as a micropayment-only system; that is only one of its features
– Purchases are billed to a user's ISP, who in turn bills the customer
• CyberCash
– Combines features from cash and checks
– Offers credit card, micropayment, and check payment services
– Connects merchants directly with credit card processors to provide authorizations for transactions in real time
• CyberCoins
– Stored in the CyberCash wallet, a software storage mechanism located on the customer's computer
– Used to make purchases between .25c and $10
• DigiCash
– Trailblazer in e-cash
– Allowed customers to purchase goods and services using anonymous electronic cash
• Coin.Net
– Electronic tokens stored on a customer's computer are used to make purchases
– Works by installing a special plug-in to the customer's web browser
– Merchants do not need special software to accept eCoins
• MilliCent
– Developed by Digital, now part of Compaq
– Electronic scrip system
– Participating merchant creates and sells its own scrip to a broker at a discount
• Consumers register with the broker and buy bulk

Page 112: Network Security[26.11.13] - Ggu.ac.in

generic scrip, usually with a credit card
• Customers buy by converting broker scrip to vendor-specific scrip, i.e. scrip that a particular merchant will accept
– Customers can purchase items of very low value

Electronic Wallets
• Stores credit card, electronic cash, owner identification and address
– Makes shopping easier and more efficient
• Eliminates the need to repeatedly enter identifying information into forms to purchase
• Works in many different stores to speed checkout
– Amazon.com was one of the first online merchants to eliminate repeat form-filling for purchases

Fig.: An Electronic Checkout Counter Form

Electronic Wallets
• Agile Wallet
– Developed by CyberCash
– Allows customers to enter credit card and identifying information once, stored on a central server
– Information pops up in supported merchants' payment pages, allowing one-click payment
• eWallet
– Developed by Launchpad Technologies
– Free wallet software that stores credit card and personal information on the user's computer, not on a central server; info is dragged into the payment form from eWallet
• Microsoft Wallet
– Comes pre-installed in Internet Explorer 4.0, but not in Netscape
– All information is encrypted and password protected
– Microsoft Wallet Merchant directory shows merchants set up to accept Microsoft Wallet

Fig.: Entering Information Into Microsoft Wallet

Smart Cards
• Magnetic stripe
– 140 bytes
• Memory cards
– 1-4 KB memory, no processor
• Optical memory cards

Page 113: Network Security[26.11.13] - Ggu.ac.in

– 4 megabytes read-only (CD-like)
• Microprocessor cards
– Embedded microprocessor
• (OLD) 8-bit processor, 16 KB ROM, 512 bytes RAM
• Equivalent power to an IBM XT PC
• 32-bit processors now available

Smart Cards
• Plastic card containing an embedded microchip
• Available for over 10 years
• So far not successful in the U.S., but popular in Europe, Australia, and Japan
• Unsuccessful in the U.S. partly because few card readers are available
• Smart cards are gradually reappearing; success depends on:
– Critical mass of smart cards that support applications
– Compatibility between smart cards, card-reader devices, and applications

Smart Card Applications
• Ticketless travel
– Seoul bus system: 4M cards, 1B transactions since 1996
– Planned for the SF Bay Area system
• Authentication, ID
• Medical records
• Ecash
• Store loyalty programs
• Personal profiles
• Government
– Licenses
• Mall parking . . .

Advantages of Smart Cards
1. Atomic, debt-free transactions
2. Feasible for very small transactions (information commerce)
3. (Potentially) anonymous
4. Security of physical storage
5. (Potentially) currency-neutral

Disadvantages of Smart Cards
1. Low maximum transaction limit (not suitable for B2B or most B2C)
2. High infrastructure costs (not suitable for

Page 114: Network Security[26.11.13] - Ggu.ac.in

C2C)
3. Single physical point of failure (the card)
4. Not (yet) widely used

Mondex Smart Card
• Holds and dispenses electronic cash (smart-card based, stored-value card)
• Developed by MasterCard International
• Requires a specific card reader, called a Mondex terminal, for the merchant or customer to use the card over the Internet
• Supports micropayments as small as 3c and works both online and off-line at stores or over the telephone
• Secret chip-to-chip transfer protocol
• Value is not in strings alone; it must be on a Mondex card
• Loaded through ATM
– ATM does not know the transfer protocol; it connects with a secure device at the bank

Fig.: Mondex Smart Card Processing

Mondex transaction
Placing the card in a Mondex terminal starts the transaction process:
1. Information from the customer's chip is validated by the merchant's chip. Similarly, the merchant's card is validated by the customer's card.
2. The merchant's card requests payment and transmits a "digital signature" with the request. Both cards check the authenticity of each other's message. The customer's card checks the digital signature and, if satisfied, sends an acknowledgement, again with a digital signature.
3. Only after the purchase amount has been deducted from the customer's card is the value added to the merchant's card. The digital signature from this card is checked by the customer's card and, if confirmed, the transaction is complete.

Credit Cards
• Credit card
– Used for the majority of Internet purchases
– Has a preset spending limit
– Currently the most convenient method
– Most expensive e-payment mechanism
• MasterCard: $0.29 + 2% of transaction value
– Disadvantages
• Does not work for small amounts (too expensive)
• Does not work for large amounts (too expensive)

Page 115: Network Security[26.11.13] - Ggu.ac.in

• Charge card
– No spending limit
– Entire amount charged is due at the end of the billing period

Payment Acceptance and Processing
• Merchants must set up merchant accounts to accept payment cards
• Law prohibits charging a payment card until the merchandise is shipped
• A payment card transaction requires:
– Merchant to authenticate the payment card
– Merchant must check with the card issuer to ensure funds are available and to put a hold on the funds needed to make the current charge
– Settlement occurs in a few days when funds travel through the banking system into the merchant's account

Fig.: Processing a Payment Card Order

Fig.: Credit Card Processing (SOURCE: PAYMENT PROCESSING INC.)
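The twice-encrypted e-money file from the "Security Mechanism in E-Money" slides (encrypt with the bank's private key, then with the customer's public key, and undo the layers in reverse order) worked through in Python. This is an added example, not code from the slides or from any product the deck names: the small primes, the prime-search and key-generation helpers, the names bank_send, customer_receive and forged_file, and the raw, unpadded treatment of the amount as a single RSA integer are all constructed for illustration.

```python
"""Sign-then-encrypt e-money transfer (bank -> customer) with textbook RSA.

Added example. Keys are built from primes just above 10**6 so the arithmetic is
visible; real deployments use 2048-bit keys, padding and a hash-based signature.
"""
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~10**6 primes used here."""
    if n < 2:
        return False
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime >= n."""
    while not is_prime(n):
        n += 1
    return n


def make_keypair(p: int, q: int):
    """Return (public, private) as (n, e) and (n, d) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:          # keep the public exponent coprime to phi
        e += 2
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed keys. The bank's modulus is deliberately smaller than the
# customer's, so a bank-signed value always fits under the customer's modulus
# when the second (outer) layer is applied.
P_BANK = next_prime(10**6)           # 1000003
Q_BANK = next_prime(P_BANK + 1)
P_CUST = next_prime(Q_BANK + 1)
Q_CUST = next_prime(P_CUST + 1)
BANK_PUB, BANK_PRIV = make_keypair(P_BANK, Q_BANK)
CUST_PUB, CUST_PRIV = make_keypair(P_CUST, Q_CUST)


def bank_send(amount: int) -> int:
    """Bank side: 'encrypt with bank's private key' (a signature), then
    'encrypt with customer's public key'. Returns the twice-encrypted file."""
    n_bank, d_bank = BANK_PRIV
    if not 0 < amount < n_bank:
        raise ValueError("amount must be a positive integer below the bank modulus")
    signed = pow(amount, d_bank, n_bank)      # inner layer: only the bank can do this
    n_cust, e_cust = CUST_PUB
    return pow(signed, e_cust, n_cust)        # outer layer: only the customer can undo


def customer_receive(twice_encrypted: int) -> int:
    """Customer side: decrypt with own private key, then with the bank's public key.
    A file that was never signed by the bank comes out as a meaningless number."""
    n_cust, d_cust = CUST_PRIV
    signed = pow(twice_encrypted, d_cust, n_cust)
    n_bank, e_bank = BANK_PUB
    return pow(signed, e_bank, n_bank)


def forged_file(amount: int) -> int:
    """What a party without the bank's private key can produce: the amount
    encrypted to the customer's public key only, with no bank layer."""
    n_cust, e_cust = CUST_PUB
    return pow(amount, e_cust, n_cust)


if __name__ == "__main__":
    wire = bank_send(454545)                  # the $454545 of the slide, as an integer
    print("twice-encrypted file:", wire)
    print("customer recovers    :", customer_receive(wire))
    print("forgery recovers     :", customer_receive(forged_file(454545)))
```

The order of the layers is what gives the slide's mechanism its two properties: the outer layer means only the holder of the customer's private key can read the file, and the inner layer means that after stripping it, the "decrypt with bank's public key" step yields the original amount only if the bank's private key was used. Anyone else can still encrypt to the customer's public key, but what the customer recovers from such a file is an unrelated number, which is how the forgery is noticed. Raw RSA on a bare integer as done here is for exposition only; a real system signs a hash of a padded message and uses a separate encryption padding.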
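Steps 4-6 of the "E-cash Concept" slide (merchant checks with the bank that the e-cash is valid) and the "Electronic Cash Security" slide (spending only once, serial numbers allowing tracing) together describe a bank-side ledger. The Python below is an added example, not the slides' or any vendor's code: the Coin and Bank classes, the use of an HMAC under a bank-only key in place of a public-key signature, and the alert tuples are all constructed for illustration.

```python
"""Bank-side e-cash validity check with serial numbers and a spent-coin ledger.

Added example. The bank's mark on a coin is modelled as an HMAC under a key only
the bank holds; a real issuer would use a public-key signature so that merchants
could also pre-check coins without contacting the bank.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: str   # unique per coin; lets the bank recognise a second deposit
    amount: int   # in cents
    tag: str      # bank authentication tag over (serial, amount)


class Bank:
    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}      # serial -> amount, kept for tracing
        self._spent = set()    # serials that have already been deposited
        self.alerts = []       # (kind, merchant, serial) events for investigation

    def _tag(self, serial: str, amount: int) -> str:
        body = f"{serial}:{amount}".encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, amount: int) -> Coin:
        """Steps 1-2 of the e-cash concept: consumer buys e-cash, bank returns the bits."""
        serial = secrets.token_hex(16)
        self._issued[serial] = amount
        return Coin(serial, amount, self._tag(serial, amount))

    def deposit(self, coin: Coin, merchant: str) -> bool:
        """Steps 4-6: merchant presents the coin; bank checks for forgery first,
        then for a repeat of the serial number (double spending)."""
        if not hmac.compare_digest(coin.tag, self._tag(coin.serial, coin.amount)):
            self.alerts.append(("forgery", merchant, coin.serial))
            return False
        if coin.serial in self._spent:
            # Same serial seen twice: the consumer may have spent it at two
            # merchants, or one merchant deposited it twice. The serial alone
            # cannot say which (the slide's "merchant or consumer could be at fault").
            self.alerts.append(("double-spend", merchant, coin.serial))
            return False
        self._spent.add(coin.serial)
        return True

    def trace(self, serial: str):
        """Serial numbers make a coin traceable back to its issue: the price paid
        for detecting double spending is that this scheme is not anonymous."""
        return self._issued.get(serial)
```

The ledger accepts each serial exactly once, so a copied coin file is caught at the second deposit rather than at the time of copying, which matches the slide's point that the bank check is needed because the consumer "still has (invalid) e-cash" after spending it.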
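The three-step Mondex transaction on the slides above (mutual validation of the chips, a signed payment request and acknowledgement, and value deducted from the customer's card before it is added to the merchant's) as an added Python simulation. This is not Mondex's protocol, which the deck itself notes is secret, and not code from the slides: the Card class, the shared issuer key, the HMAC standing in for the cards' "digital signature", the session nonce and the refund-on-refusal step are all assumptions made for illustration.

```python
"""Card-to-card stored-value transfer in the style of the Mondex slides.

Added example. Both chips hold a shared issuer key and "sign" each message with
an HMAC over its canonical JSON; the ordering of the steps is the point.
"""
import hashlib
import hmac
import json
import secrets


class Card:
    def __init__(self, card_id: str, balance: int, issuer_key: bytes):
        self.card_id = card_id
        self.balance = balance          # stored value, in cents
        self._key = issuer_key

    def sign(self, payload: dict) -> dict:
        """Attach this card's id and an HMAC over the whole message."""
        msg = dict(payload, sender=self.card_id)
        body = json.dumps(msg, sort_keys=True).encode()
        return dict(msg, sig=hmac.new(self._key, body, hashlib.sha256).hexdigest())

    def verify(self, msg: dict) -> bool:
        """True only if the message was signed under the same issuer key and not altered."""
        unsigned = {k: v for k, v in msg.items() if k != "sig"}
        body = json.dumps(unsigned, sort_keys=True).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(msg.get("sig", ""), expected)


def mondex_transfer(customer: Card, merchant: Card, amount: int) -> bool:
    """Run the exchange; True only when both cards confirmed every step.
    Value leaves the customer's card before it is added to the merchant's."""
    session = secrets.token_hex(8)       # ties all messages of one purchase together

    # 1. Mutual validation: each chip authenticates the other's hello.
    hello_c = customer.sign({"type": "hello", "session": session})
    hello_m = merchant.sign({"type": "hello", "session": session})
    if not (merchant.verify(hello_c) and customer.verify(hello_m)):
        return False

    # 2. Merchant requests payment with a signature; customer checks it and acknowledges.
    request = merchant.sign({"type": "request", "session": session, "amount": amount})
    if amount <= 0 or not customer.verify(request) or request["amount"] > customer.balance:
        return False
    ack = customer.sign({"type": "ack", "session": session, "amount": amount})
    if not merchant.verify(ack):
        return False

    # 3. Deduct first, then send the signed value block; merchant credits only if it verifies.
    customer.balance -= amount
    value = customer.sign({"type": "value", "session": session, "amount": amount})
    if not merchant.verify(value):
        customer.balance += amount       # assumed recovery step: merchant refused the block
        return False
    merchant.balance += amount

    # 4. Merchant confirms with its own signature; the customer checks it to complete.
    receipt = merchant.sign({"type": "receipt", "session": session, "amount": amount})
    return customer.verify(receipt)


if __name__ == "__main__":
    ISSUER = b"constructed-issuer-key"
    cust, shop = Card("cust-1", 1000, ISSUER), Card("shop-1", 0, ISSUER)
    print("transfer ok:", mondex_transfer(cust, shop, 300), cust.balance, shop.balance)
    print("rogue card :", mondex_transfer(cust, Card("rogue", 0, b"other-key"), 100))
```

A card initialised under a different key fails at step 1, so no value moves; an altered message (for example a changed amount) fails verification because the HMAC covers every field. The deduct-before-credit order in step 3 is what the slide stresses: at no point do both cards hold the same value.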