Cryptography And Network Security | Shadow Cyber Security
The art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible,
and then transforming that message back to its original form.
Cryptography system are generally classified along 3 independent
dimensions:
Type of operations used for transforming plain text to cipher text
All the encryption algorithms are based on two general principles: substitution, in which each element in the plaintext is mapped into another element, and transposition, in which element in the plaintext are rearranged.
The number of keys used
If the sender and receiver uses same key then it is said to be symmetric key or single key or conventional encryption.
If the sender and receiver uses same key then it is said to be public key encryption.
The way in which the plain text is processed
A block cipher processes the input and block of elements at a time,producing output block for each input block.
A stream cipher processes the input elements continuously, producing output element one at a time, as it goes along.
Cryptanalysis
The process of attempting to discover X OR Y or both is known as cryptanalysis. The strategy used by the cryptanalysis depends on the nature of the encryption scheme and the information available to the cryptanalyst.
There are various types of cryptanalysis attacks based on the amount of information known to the cryptanalyst.
Cipher text only - A copy of cipher text alone is known to the crytanalyst.
Known plaintext - The cryptanalyst has a copy of the cipher text and the corresponding plaintext.
Chosen plaintext - The cryptanalysis gains temporary access to the encryption machine. They cannot open it to find the key, however, they can encrypt a large number of suitably chosen plaintexts and try to use the resulting cipher texts to deduce the key.
Chosen cipher text- The cryptanalyst obtains temporary access to the decryption machine, Users it to decrypt several string of symbols , and tries to use the results to deduce the key.
Cryptographic Attacks
Passive Attacks
passive attacks are in the nature of eavesdropping on, or monitoring
of, transmissions. The goal of the opponent is to obtain information
that is being transmitted. passive attacks are of two types:
Release of message contents: A telephone conversation, an e-mail message and a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions.
Traffic anaysis: If we had encryption in place, an opponent might still be able to observe the pattern of the message. The opponent could determine the location and identity of communication hosts and could observe the frequency and length of messages being exchanged.This information might be useful in guessing the nature of communication that was taking place.
Active attacks
These attacks involves some modifications of the data steam or the
creation of a false stream.These attacks can be classified in to four
categories:
Masquerade - One entity pretends to be a different entity.
Replay- Involves passive capture of a data unit and its subsequent transmission to produce an unauthorised effect.
Modification of messages- Some portion of message is altered or the messages are delayed or recorded, to produce an unauthorised effect.
Dental of service- Prevents or inhibits the normal use or management of communication facilities. Another from of service denial is the disruption of an entire network, either by disabling the network or overloading it with messages so as to degrade performance.
It is quite difficult to prevent active attacks absolutely,because to do so would require physical protection of all communications facilities and paths at all times .
AUTHENTICATION SERVICES KERBEROS
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Kerberos relies exclusively on conventional encryption, making no use of public-key encryption.
The following are the requirements for kerberos:
- Secure: A network eavesdropper should not be able to obtain the necessary information to important a user. More generally, kerberos should enough that a potential opponent does not find it to be the weak link.
-Reliable: For all services that rely on kerberos for access control, lack of availability of the kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture,with one system able to back up another.
-Transparent:Identity, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
-Scalable: The system should be capable of supporting large numbers of clients and servers.This suggests a modular, distributed architecture.
To support these requirement, the overall scheme of kerberos is that of a trusted third-party authentication service that uses a protocol based on that proposed by needham and schroeder ,it is trusted in the sense that clients and servers trust kerberos to mediate their mutual authentication. Assuming the kerberos protocol is well designed, then the authentication service is secure if the kerberos server itself it secure.
Cryptographic keys and key rings
These separate requirement can be identified with respect to these keys:
A means of generating unpredictable session keys is needed.It must allow a user to have multiple public key/private key pairs.Each PGP entity must maintain a file of its own public/private key pairs as well as a file of public keys of correspondents.
1.Session key generation
Each session key is associated with a single message and is used only for the purpose of encryption and decryption of that message. Random 128-bit numbers are generated using CAST-128 itself.The input to the random number generator consists of a 128-bit key and two 64-bit blocks that are treated as plaintext to be encrypted.
2.Key identifiers
If multiple public/private key pair are used, then how does the recipient known which of the public keys are used to encrypt the session key. One simple solution would be to transmit the public key with the message but, it is unnecessary wasteful of space. Another solution would be to associate an identifier with each public key that is unique at least within each user.
A message consists of three components.
Message component - Include actual data to be transmitted, as well as the filename and a timestamp that specifies the time of creation.
Signature component - Includes the following:
-Timestamp, time at which the signature was made.
-Message digest, hash code.
Two octets of message digest- to enable the recipient to determine if the correct public key was used to decrypt the message.
Key ID of sender's public key- identifies the public key
Session key component - Includes session key and the identified of
the recipient of the recipient public key.
3.Key Rings
PGP provides a pair of data structures at each node,one to store the public/private key pair owned by that node and one to store the public keys of the others users known at that node. These data structures are referred to as private key ring and public key ring.
The general structures of the private and public key rings are shown below:
Timestamp- the date/time when this entity was made.
Key ID - the least significant bits of the public key.
Public key - public key portion of the pair.Private key - private key portion of the pair
Signature trust field - includes the degree to which this PGP user trusts the signer to certify public key.
Owner trust field - Indicates the degree to which this public key is trusted to sign other public key certificates.
PGP message generation
First consider message transmission and assume that the message is to be both signed and encrypted. The sending PGP entity performance the following steps:
1.Singing the message
PGP retrieves the sender's private key from the private key ring using user ID as an index.if user ID was not provided ,the first private key from the ring is retrieved.
PGP prompt the user for the passpharse (password) to recover the unencrypted private key.
The signature component of the message is constructed.
2.Encrypting the message
PGP generated a session key and encrypts the message.
PGP retrieves the recipient's public key from the public key ring using user.
ID as index.
The session key component of the message is constructed. The receiving PGP entity performs the following steps.
Decrypting the message
PGP retrieves the receiver's private key from the private key ring, using the key ID field in the session key component of the message as an index.
PGP prompts the user for the passphrase (password) to receive the unencrypted private key:
PGP recovers the session key and crypts the message.
2.Authenticating the message
PGP retrieves the sender's public key from the public key ring, using the key ID field in the signature key component of the message as an index.
PGP recovers the transmitted message digest.
PGP computed the message digest for the received message and compares it to the transmitted message digest to authenticate.
Public key Management
This whole business of protecting public keys from tempering is the single most difficult problem in practical public key applications. PGP provide a structure for solving this problem, with several suggested options that may be used.
Approaches to public-key Management
The essence of the problem is this: A must build up a public key ring containing the public keys of other users to interoperate with them using PGP. Suppose that A's key ring contains a public key attributed to B but that the key is, in fact, owned by C. This could happen if,
ENHANCED SECURITY SERVICES
As of this writing, three enhanced security services have been proposed in an internet draft,
----------------------------------------------------------------------------
Post a Comment
Post a Comment