Unit 5: Cryptography

Cryptography / By /
Unit - 4 Cryptography

Contents :

Internet Security Protocols: Introduction, Concepts, Secure Socket Layer(SSL), Transport Layer Security(TLS), Secure Hypertext Transport Protocol(SHTTP), Time Stamping Protocol(TSP), Secure Electronic Transaction(SET), SSL Versus SET, 3-D Secure Protocol, Electronic Money, Email Security, Wireless Application Protocol(WAP)Security, Security in GSM, Security in 3G

Unit 5: Cryptography

Que 1: What are Internet Security Protocols? Explain any one.

Internet security protocols are a set of rules and procedures designed to ensure secure communication over the internet. These protocols include a wide range of technologies and techniques, such as encryption, digital signatures, and authentication mechanisms, that are used to protect data and information transmitted over the internet.

Transport Layer Security (TLS)

  • One common internet security protocol in cryptography is Transport Layer Security (TLS). TLS is a cryptographic protocol that provides secure communication over the internet by encrypting data transmissions between two parties, such as a web server and a web browser.
  • Transport Layer Security (TLS) is a cryptographic protocol that secures the connection between a web server and a web application using data encryption.
  • It applies to all data exchanged over the network, including emails, web browsing sessions, and file transfers.
  • As a result, hackers cannot access users’ sensitive data like login credentials and credit card numbers.
  • The TLS handshake protocol, for example, uses asymmetric cryptography to generate public and private keys that encrypt and decrypt data.
  • The client sends a list of all TLS versions along with suggestions for a cipher suite and generates a random number that will be used later.
  • The server confirms which options it will use to initiate the connection.
  • The server sends a TLS certificate to the client for the authentication process.
  • After validating the certificate, the client creates and sends a pre-master key encrypted by the server’s public key and decrypted by the server’s private key.
  • The client and server generate session keys using the previously generated random numbers and the pre-master key.
  • Both the client and server have a finished message that has been encrypted with a session key.
  • The TLS handshake process is finished, and both the client and server have created secure symmetric encryption.

Que 2: Explain four phase of Secure Socket Layer (SSL)?

The Secure Socket Layer (SSL) protocol

  • The Secure Socket Layer (SSL) protocol is an Internet protocol for the secure exchange of information between a Web browser and a Web server.
  • It provides two basic security services: authentication and confidentiality.
  • Logically, it provides a secure pipe between the Web browser and the Web server.
  • Netscape Corporation developed SSL in 1994.
  • Since then, SSL has become the world’s most popular Web-security mechanism.
  • All the major Web browsers support SSL.
  • Currently, SSL comes in three versions: 2, 3 and 3.1

Also Read : Unit – 4 Cryptography

Let us now study these four phases one by one.

Phase 1. Establish Security Capabilities:

This first phase of the SSL handshake is used to initiate a logical connection and establish the security capabilities associated with that connection. Thisconsists of two messages, the client hello and the server hello, as shown in Fig

Unit 5: Cryptography

As shown in the figure, the process starts with a client hello message from the client to the server. It consists of the following parameters:
Version This field identifies the highest version of SSL that the client can support. As we have seen,
at the time of this writing, this can be 2, 3 or 3.1.
Random This field is useful for the later, actual communication between the client and the server.
It contains two sub-fields:
● A 32-bit date-time field that identifies the current system date and time on the client computer.
● A 28-byte random number generated by the random-number generator software built inside the
client computer.
Session id This is a variable-length session identifier. If this field contains a non-zero value, it
means that there is already a connection between the client and the server, and the client wishes to update the parameters of that connection. A zero value in this field indicates that the client wants to create
a new connection with the server.
Cipher suite This list contains a list of the cryptographic algorithms supported by the client (e.g.
RSA, Diffie-Hellman, etc.), in the decreasing order of preference.

Phase 2. Server Authentication and Key Exchange:

The server initiates this second phaseof the SSL handshake, and is the sole sender of all the messages in this phase. The client is the solerecipient of all these messages. This phase contains four steps, as shown in Fig.. These steps are Certificate, Server key exchange, Certificate request, and Server hello done.

Unit 5: Cryptography

Let us discuss the four steps of this phase.
In the first step (certificate), the server sends its digital certificate and the entire chain leading up to root
CA to the client. This will help the client to authenticate the server using the server’s public key from
the server’s certificate. The server’s certificate is mandatory in all situations, except if the key is being agreed upon by using Diffie-Hellman.
The second step (Server key exchange) is optional. It is used only if the server does not send its digital
certificate to the client in step 1 above. In this step, the server sends its public key to the client (as the
certificate is not available).
The third step (certificate request), the server can request for the client’s digital certificate. The client
authentication in SSL is optional, and the server may not always expect the client to be authenticated.
Therefore, this step is optional.
The last step (server hello done) message indicates to the client that its portion of the hello message
(i.e. the server hello message) is complete. This indicates to the client that the client can now (optionally) verify the certificates sent by the server, and ensure that all the parameters sent by the server are
acceptable. This message does not have any parameters. After sending this message, the server waits
for the client’s response.

Phase 3. Client Authentication and Key Exchange:

The client initiates this third phase of the SSL handshake, and is the sole sender of all the messages in this phase. The server is the sole re-cipient of all these messages. This phase contains three steps, as shown in Fig. 6.16. These steps are Certificate, Client key exchange, and Certificate verify. The first step (certificate) is optional.

This step is performed only if the server had requested for the client’s digital certificate. If the server has requested for the client’s certificate, and if the client does not have one, the client sends a No certificate message, instead of a Certificate message. It then is up to the server to decide if it wants to still continue or not.

Like the server key exchange message, this second step (client key exchange) allows the client to send information to the server, but in the opposite direction. This information is related to the symmetric key that both the parties will use in this session. Here, the client creates a 48-byte pre-master secret, and encrypts it with the server’s public key and sends this encrypted pre-master secret to the server.

Unit 5: Cryptography
Phase 4. Finish

The client initiates this fourth phase of the SSL handshake, which the server ends. This phase contains four steps, as shown in Fig. The first two messages are from the client: Change cipher specs, Finished. The server responds back with two identical messages: Change cipher specs, Finished

Unit 5: Cryptography

Based on the pre-master secret that was created and sent by the client in the Client key exchange message, both the client and the server create a master secret. Before secure encryption or integrity verification can be performed on records, the client and server need to generate shared secret information
known only to them.

Also Read : Unit – 3 Cryptography

Que 3. Draw & Explain Transport Layer Security (TLS).

Transport Layer Security (TLS) is a cryptographic protocol that secures the connection between a web server and a web application using data encryption.

It applies to all data exchanged over the network, including emails, web browsing sessions, and file transfers.

As a result, hackers cannot access users’ sensitive data like login credentials and credit card numbers.

The TLS handshake protocol, for example, uses asymmetric cryptography to generate public and private keys that encrypt and decrypt data.

Then, the overall process is as follows:

  • The client sends a list of all TLS versions along with suggestions for a cipher suite and generates a random number that will be used later.
  • The server confirms which options it will use to initiate the connection.
  • The server sends a TLS certificate to the client for the authentication process.
  • After validating the certificate, the client creates and sends a pre-master key encrypted by the server’s public key and decrypted by the server’s private key.
  • The client and server generate session keys using the previously generated random numbers and the pre-master key.
  • Both the client and server have a finished message that has been encrypted with a session key.
  • The TLS handshake process is finished, and both the client and server have created secure symmetric encryption.

There are several benefits of TLS: 

  • Encryption: 
    TLS can help to secure transmitted data using encryption.
  • Interoperability: 
    TLS works with most web browsers, including Microsoft Internet Explorer and on most operating systems and web servers.
  • Algorithm flexibility: 
    TLS provides operations for authentication mechanism, encryption algorithms and hashing algorithm that are used during the secure session.
  • Ease of Deployment: 
    Many applications TLS temporarily on a windows server 2003 operating systems.
  • Ease of Use: 
    Because we implement TLS beneath the application layer, most of its operations are completely invisible to client. 

Que 4. Explain Secure Hypertext Transport Protocol (SHTTP).

The Secure Hyper Text Transfer Protocol (SHTTP) is a set of security mechanisms defined for protecting the Internet traffic. This includes the data-entry forms and Internet-based transactions.

Unit 5: Cryptography
Positions of SHTTP and SSL in TCP/IP protocol suite

It is application level protocol it extends http by adding encryption to web pages.

It provides mechanism for authentication and signature messages.

It is protocol for encrypting http traffic.

SHTTP supports both authentication and encryption of HTTP traffic between the client and the server. The encryption and digital signature formats used in SHTTP have origins in the PEM protocol.

The key difference between SSL and SHTTP is that SHTTP works at the level of individual messages. It can encrypt
and sign individual messages. On the other hand, SSL does not differentiate between different messages. Instead, it aims at making the connection between a client and the server, regardless of the messages that they are exchanging. Also, SSL cannot perform digital signatures.

SHTTP is very rarely used.

Que 5. Explain Time Stamping Protocol (TSP).

The Time-Stamp Protocol, or TSP is a cryptographic protocol for certifying timestamps using X.509 certificates and public key infrastructure. The timestamp is the signer’s assertion that a piece of electronic data existed at or before a particular time. The protocol is defined in RFC 3161. One application of the protocol is to show that a digital signature was issued before a point in time, for example before the corresponding certificate was revoked. The TSP protocol is an example of trusted timestamping. It has been extended to create the ANSI ASC X9.95 Standard.

A time-stamping service supports assertions of proof that a datum existed before a particular time. A TSA may be operated as a Truste Third Party (TTP) service, though other operational models may be appropriate, e.g., an organization might require a TSA for internal time-stamping purposes.

The TSA is a TTP that creates time-stamp tokens in order to indicate that a datum existed at a particular point in time.

The TSA is REQUIRED:

1. to use a trustworthy source of time.

2. to include a trustworthy time value for each time-stamp token.

3. to include a unique integer for each newly generated time-stamp
token.

The TSA MUST sign each time-stamp message with a key reserved specifically for that purpose. A TSA MAY have distinct private keys, e.g., to accommodate different policies, different algorithms, different private key sizes or to increase the performance. The corresponding certificate MUST contain only one instance of the extended key usage field extension.

Que 6. What is role of SET? Explain different SET participants.

(a) Cardholder

  • Using the Internet, consumers and corporate purchasers interact with merchants.
  • For buying goods and services. A cardholder is an authorized holder of a payment card such as Master-Card or Visa that has been issued by an issuer.

(b) Merchant

  • A merchant is a person or an organization that wants to sell goods or services to cardholders.
  • A merchant must have a relationship with an acquirer for accepting payments on the Internet.

(c) Issuer- (related to cardholder )

  • The issuer is a financial institution (such as a bank) that provides a payment card to a cardholder. The most critical point is that the issuer is ultimately responsible for the payment of the cardholder’s debit.

(d) Acquirer- (Credit card related)

  • This is a financial institution that has a relationship with merchants for processing payment-card authorizations and payments.
  • The reason for having acquirers is that merchants accept credit cards of more than one brand, but are not interested in dealing with so many bankcard organizations or issuers.
  • Instead, an acquirer provides the merchant an assurance (with the help of the issuer) that a particular cardholder account is active and that the purchase amount does not exceed the credit limits, etc.
  • The acquirer also provides electronic funds transfer to the merchant account.
  • Later, the issuer reimburses the acquirer using some payment network.

(e) Payment Gateway

  • This is a task that can be taken up by the acquirer or it can be taken up by an organization as a dedicated function.
  • The payment gateway processes the payment messages on behalf of the merchant.
  • Specifically in SET, the payment gateway acts as an interface between SET and the existing card-payment networks for payment authorizations.
  • The merchant exchanges SET messages with the payment gateway over the Internet.
  • The payment gateway, in turn, connects to the acquirer’s systems using a dedicated network line in most cases.

Que 7. What is role of 3-D Secure Protocol? Explain.

  • One prevent a customer from using another person’s credit-card number? That is not achieved in SET.
  • Consequently, a new protocol developed by Visa has emerged, called 3-D Secure.
  • The main difference between SET and 3-D Secure is that any cardholder who wishes to participate in a payment transaction involving the usage of the 3-D Secure protocol has to enroll on the issuer bank’s Enrollment Server.
Unit 5: Cryptography

Step 1

  • The user shops using the shopping cart on the merchant site, and decides to pay the amount. The user enters the credit-card details for this purpose, and clicks on the OK button, as shown in Fig.
Unit 5: Cryptography

Step 2

  • When the user clicks on the OK button, the user will be redirected to the issuer bank’s site.
  • •The bank site will produce a pop-up screen, prompting the user to enter the password provided by the issuer bank. This is shown in Fig.
  • •The bank (issuer) authenticates the user by the mechanism selected by the user earlier.
  • In this case, we consider a simple static id and password-based mechanism.
  • •Newer trends involve sending a number to the user’s mobile phone and asking the user to enter that number on the screen
Unit 5: Cryptography

Que 8. What are protocols for Email Security?

The Simple Mail Transfer Protocol (SMTP) is used for email communications. The email software at the sender’s end gives the email message to the local SMTP server. This SMTP server actually transfers the email message from the SMTP server of the receiver. Its main job is to carry the email message between the sender and the receiver. This is shown in Fig. 6.46. Of course, it uses the TCP/IP protocol underneath. That is, SMTP runs on top of TCP/IP (in the application layer).

4

The basic phases of an email communication consists of the following steps:

  1. At the sender’s end, an SMTP server takes the message sent by a user’s computer.
  2. The SMTP server at the sender’s end then transfers the message to the SMTP server of the receiver.
  3. The receiver’s computer then pulls the email message from the SMTP server at the receiver’s end, using other email protocols such as Post Office Protocol (POP) or Internet Mail Access Protocol (IMAP).

SMTP is actually quite simple. The communication between a client and a server using SMTP consists of human-understandable ASCII text. We shall first describe the steps and then list the actual interaction steps. Note that although we describe the communication between the two SMTP servers, the sender’s SMTP server assumes the role of a client, whereas the receiver’s SMTP server assumes the role of the server.

  1. Based on the client’s request for an email message transfer, the server sends back a READY FOR MAIL reply, indicating that it can accept an email message from the client.
  2. The client then sends a HELO (abbreviation of HELLO) command to the server, and identifies itself.
  3. The server then sends back an acknowledgement in the form of its own DNS name.
  4. The client can now send one or more email messages to the server. The email transfer begins with a MAIL command that identifies the sender.
  5. The recipient allocates buffers to store the incoming email message, and sends back an OK response to the client. The server also sends back a return code of 250, which essentially means OK. The reason both OK and a return code of 250 are sent back is to help both humans and application programs understand the server’s intentions (humans prefer OK, application programs prefer a return code such as 250)
  6. The client now sends the list of the intended recipients of the email message by one or more RCPT commands (one per recipient). The server must send back a 250 OK or 550: No such user here reply back to the client for each recipient.
  7. After all RCPT commands, the client sends a DATA command, informing the server that the client is ready to start transmission of the email message.
  8. The server responds back with a 354 Start mail input message, indicating that it is ready to accept the email message. It also tells the client what identifiers it should send to signify that the message is over.
  9. The client sends the email message and when it is over, sends the identifier provided by the server to indicate that its transmission is over.
  10. The server sends back a 250 OK response.
  11. The client sends a QUIT command to the server.
  12. The server sends back a 221 Service closing transmission channel message, indicating that it is also closing its portion of the connection.

Que 9. What is role of Wireless Application Protocol (WAP)? Draw WAP stack

In 1997 with the arrival of a new set of standards for wireless Internet access through wireless handheld devices and Personal Digital Assistants (PDAs).

The Wireless Application Protocol (WAP) had arrived. In simple terms, WAP is a communication protocol that enables wireless mobile devices to have an access to the Internet.

For instance, establishing and closing a TCP connection between a client and a server takes a lot of time and bandwidth, which is fine for the wired world. However, for the mobile world, where the processing power and bandwidth are already areas of concern

The mobile devices cannot be expected to perform high amount of information processing, or also carry high amount of data even for establishing connections.

unit 5: Cryptography

In case of the WAP architecture, we have an additional level between the client and the server: the WAP gateway. Simplistically, the job of the WAP gateway is to translate client requests to the server from WAP to HTTP, and on the way back from the server to the client, from HTTP to WAP as shown

WAP Stack

image 13
  • WAP stack is based more on the OSI model, rather than the TCP/IP model.
  • The security layer in the WAP stack is also called Wireless Transport Layer Security (WTLS) protocol.

Que 10. Explain following Email Protocol
i) PGP ii) PEM

PGP

Phil Zimmerman is the father of the Pretty Good Privacy (PGP) protocol. He is credited with the creation of PGP. PGP has become extremely popular and is far more widely used, as compared to PEM. The email cryptographic support offered by PGP is shown in Fig.

11

The Working of PGP

In PGP, the sender of the message needs to include the identifiers of the algorithm used in the message, along with the value of the keys. The broad-level steps in PEM are illustrated in Fig.

Let us discuss the five steps in PGP now. Note that the receiver has to perform these four steps in the reverse direction to retrieve the original plain text email message.

Step 1: Digital Signature

This is a typical process of digital signature, which we have studied many times before. In PGP, it consists of the creation of a message digest of the email message using the SHA-1 algorithm. The resulting message digest is then encrypted with the sender’s private key. •The result is the sender’s digital signature.

Step 2: Compression

This is an additional step in PGP. Here, the input message as well as the digital signature are compressed together to reduce the size of the final message that will be transmitted.

13

Step 3: Encryption

In this step, the compressed output of step 2 (i.e. the compressed form of the original email and the digital signature together) are encrypted with a symmetric key. For this, generally the IDEA algorithm in CFB mode is used.

Step 4: Digital Enveloping

In this case, the symmetric key used for encryption in step 3 is now encrypted with the receiver’s public key. The output of step 3 and step 4 together form a digital enveloped.

14

Step 5: Base-64 encoding

The output of step 4 is Base-64 is encoded now, as described earlier. We will not repeat that description here.

PEM

The Privacy Enhanced Mail (PEM) is an email security standard adopted by the Internet Architecture Board (IAB) to provide secure electronic mail communication over the Internet. PEM supports the three main cryptographic functions of encryption, non-repudiation, and message integrity, as shown in Fig.

5

The Working of PEM

The broad-level steps in PEM are illustrated in Fig.

6

Let us now discuss the four steps shown earlier in the figure. Note that the receiver has to perform these
four steps in the reverse direction to retrieve the original plain-text email message.

Step-1 canonical representation

PEM transforms each email message into an abstract, canonical representation. This means that regardless of the architecture and the operating system of the sending and the receiving computers, the email message always travels in a uniform, independent format.

Step 2: Digital Signature

This is a typical process of digital signature, It starts by creating a message digest of the email message using an algorithm such as MD2 or MD5.

7

The message digest thus created is then encrypted with the sender’s private key to form the sender’s digital signature. This process is shown

8

Step 3: Encryption

In this step, the original email and the digital signature are encrypted together with a symmetric key. For this, the DES or DES-3 algorithm in CBC mode is used.

9

Step 4: Base-64 Encoding

This is the last step in PEM. The Base-64 encoding (also called Radix- 64 encoding or ASCII) process transforms arbitrary binary input into printable character output.

10

Que 11. Explain how security is achieved in GSM.

In the earlier days of mobile telephony, analog technologies such as Advanced Mobile Phone System (AMPS) were used.

An improvement over AMPS was to make it digital. This was in the form of a technology called Digital AMPS (D-AMPS). D-AMPS is used extensively in the US and Japan (with certain modifications). Another similar voice technology called Global System for Mobile Communications (GSM) is used widely in Europe, and it has now spread its wings even in the US. In the last few years, alternatives to the WAP standard have emerged, and have actually become quite popular.

There are three key aspects to GSM security:
● Subscriber identity authentication
● Signaling data confidentiality
● User data confidentiality

The security is distributed in three different elements of the GSM infrastructure: the Subscriber Identity Module (SIM), which is a plastic card inside a mobile phone, the GSM handset and the GSM network

● The SIM contains the IMSI, Ki, the ciphering key generation algorithm (A8), the authentication
algorithm (A3) as well as a Personal Identification Number (PIN).
● The GSM handset contains the ciphering algorithm (A5). ● The Authentication Center (AUC), which is a part of the GSM network, contains the encryption
algorithms (A3, A5 and A8) as well as a database of identification and authentication information
about the subscribers.

(A) Authentication :

The GSM network authenticates a subscriber as shown in Fig(a), which we shall discuss now.

Unit 5: Cryptography
Fig (a) GSM authentication

The process begins with a challenge-response mechanism. The network sends a 128-bit random number to the subscriber when authentication begins. After this, 32-bit signed response using the authentication algorithm (A3) and the subscriber authentication key (Ki) is prepared by the handset, and sent back to the network. The network retrieves its value of Ki from its database, performs the same operation using the A3 algorithm on the original 128-bit random number, and compares this result with the one received from the handset. If the two match, the user is considered as successfully authenticated. Since the calculation of the signed response takes place inside the SIM, the IMSI or Ki never have to leave the SIM. That makes authentication secure.

(B) Signaling and Data Confidentiality :

As we have mentioned earlier, the SIM contains the ciphering key generation algorithm (A8). This is used to produce the 64-bit ciphering key (Kc). The value of Kc is obtained by applying the same random number as used in authentication to the A8 algorithm with the individual subscriber authentication key (Ki). This key (Kc) is later used for secure communications between the subscriber and the mobile telephony base station. This process is shown in Fig. (b).

(C) Voice and Data Security :

The A5 algorithm is used to encrypt the voice and data traffic between the user’s handset and the GSM network. For this, the subscriber’s handset sends a ciphering mode request to the GSM network. The network, in response, starts encryption and decryption of the traffic using the ciphering algorithm (A5) and the ciphering key (Kc).

Unit 5: Cryptography
Fig(b) GSM encryption

Que 12: Explain security in 3G.

GPRS has naturally evolved into Universal Mobile Telephone System (UMTS). UMTS is an extension of the basic premises on which GPRS is based.

As we have noted, GPRS is called a technology that is somewhat in-between the second and third generation of wireless technologies (2.5), whereas UMTS is called the third generation of wireless/mobile technology (3G).

UMTS extends the wireless system performance of GPRS networks 2.5 by offering expanded data services and enhanced data speeds.

UMTS can be used to deliver high-tech applications such as video on demand, video/audio streaming, high-speed multimedia, videoconferencing, multi-player gaming and improved mobile Internet access.

The main benefit will be high-end service capabilities, which include substantially enhanced capacity, quality and data rates that are currently available. UMTS also allows the concurrent usage of multiple services.

Unit 5: Cryptography
WhatsApp Group Join Now
Telegram Group Join Now
Instagram Group Join Now
Linkedin Page Join Now

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top