Advanced Email & IP Security Guide

UNIT – V
E-Mail Security: Pretty Good Privacy, S/MIME. IP Security: IP Security overview, IP Security architecture, Authentication Header, Encapsulating Security Payload, Combining security associations, Internet Key Exchange.
Case Studies on Cryptography and security: Secure Multiparty Calculation, Virtual Elections, Single Sign On, Secure Inter-branch Payment Transactions, Cross Site Scripting Vulnerability.

Q) Write a short note on Pretty Good Privacy. (or) Briefly discuss the different services provided by Pretty Good Privacy (PGP). (or) What are the five principal services provided by PGP?

PRETTY GOOD PRIVACY

In virtually all distributed environments, electronic mail is the most heavily used network-based application. But ordinary e-mail is roughly like a postcard: anyone who handles it can read it while it is in transit or while it sits in the recipient's mailbox. With the explosively growing reliance on electronic mail for every conceivable purpose, there is a growing demand for authentication and confidentiality services. The Pretty Good Privacy (PGP) secure e-mail program is a remarkable phenomenon: it has grown explosively and is now widely used. Largely the effort of a single person, Phil Zimmermann, who selected the best available cryptographic algorithms and integrated them into a single program, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. It is independent of government organizations and runs on a wide range of systems, in both free and commercial versions. There are five important services in PGP:
• Authentication (Sign/Verify)
• Confidentiality (Encryption/Decryption)
• Compression
• E-mail compatibility
• Segmentation and Reassembly
The last three are transparent to the user.

PGP Notations:
Ks = session key used in the symmetric encryption scheme
PRa = private key of user A, used in the public-key encryption scheme
PUa = public key of user A, used in the public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using the ZIP algorithm
R64 = conversion to radix-64 ASCII format

PGP Operation – Authentication
1. The sender creates the message M.
2. The sender uses SHA-1 to generate a 160-bit hash H(M) of the message.
3. The sender signs the hash with RSA using the sender's private key, EP(PRa, H(M)), and the signature is attached to the message: the transmitted block is M || EP(PRa, H(M)).
4. The receiver uses RSA with the sender's public key to decrypt the signature and recover the hash code.
5. The receiver computes a fresh hash of the received message and compares it with the decrypted hash code. A match shows that the message was not altered and that it was signed by the holder of PRa.

PGP Operation – Confidentiality
Sender:
1. Generates the message and a random number (the session key Ks) used only for this message.
2. Encrypts the message with the session key using AES, 3DES, IDEA or CAST-128.
3. Encrypts the session key itself with the recipient's public key using RSA (or ElGamal): EP(PUb, Ks).
4. Attaches the encrypted session key to the message.
Receiver:
1. Recovers the session key by decrypting it with his private key: Ks = DP(PRb, EP(PUb, Ks)).
2. Decrypts the message using the session key.
The confidentiality service alone provides no assurance to the receiver as to the identity of the sender (i.e. no authentication). It only provides confidentiality for the sender: only the recipient, and no one else, can read the message.

PGP Operation – Confidentiality & Authentication
Both services can be used on the same message:
o create the signature and attach it to the message
o encrypt both message and signature with the session key
o attach the RSA/ElGamal-encrypted session key
o this combination is called authenticated confidentiality

PGP Operation – Compression
By default, PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for e-mail transmission and for file storage. The placement of the compression algorithm, indicated by Z for compression and Z^-1 for decompression, is critical. The compression algorithm used is ZIP.
The signature is generated before compression for two reasons:
1. So that one can store only the uncompressed message together with the signature for later verification. If the signature were computed over the compressed form, the message would have to be stored compressed, or recompressed identically, every time it is verified.
2. Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm, because the PGP compression algorithm is not deterministic: different implementations of ZIP (or different speed/compression settings) can produce different compressed output for the same input, and therefore different hashes.
Message encryption is applied after compression to strengthen cryptographic security. Because the compressed message has less redundancy than the original plaintext, cryptanalysis is more difficult.

PGP Operation – E-mail Compatibility
When PGP is used, at least part of the block to be transmitted is encrypted, and thus consists of a stream of arbitrary 8-bit octets. However, many electronic mail systems only permit the use of ASCII text. To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. It uses radix-64 conversion, in which each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors. The use of radix 64 expands a message by 33%, but because compression is applied first, an overall compression of about one-third can still be achieved.

PGP Operation – Segmentation/Reassembly
E-mail facilities are often restricted to a maximum message length. For example, many of the facilities accessible through the Internet impose a maximum length of 50,000 octets. Any message longer than that must be broken up into smaller segments, each of which is mailed separately. To accommodate this restriction, PGP automatically subdivides a message that is too large into segments that are small enough to send via e-mail. The segmentation is done after all of the other processing, including the radix-64 conversion. Thus, the session key component and signature component appear only once, at the beginning of the first segment. Reassembly at the receiving end is required before verifying the signature or decrypting.

PGP Operations – Summary
[Figure summarizing the PGP transmission and reception operations; not reproduced in this extract.]

PGP Message Format
A message consists of three components: the message component, a signature (optional), and a session key component (optional). The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation. The signature component includes the following:
• Timestamp: The time at which the signature was made.
• Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.
• Leading two octets of message digest: These enable the recipient to determine whether the correct public key was used to decrypt the message digest, by comparing this plaintext copy of the first two octets with the first two octets of the decrypted digest. These octets also serve as a 16-bit frame check sequence for the message.
• Key ID of sender's public key: Identifies the public key that should be used to decrypt the message digest and, hence, identifies the private key that was used to encrypt the message digest.
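The e-mail compatibility and segmentation services above, as an added example written for these notes (not PGP's own code). It compresses with ZIP (zlib), converts to radix-64 with the CRC-24 that OpenPGP (RFC 4880) appends to its armor, splits the finished text into mail-sized pieces on line boundaries, and reassembles before checking the CRC. The input text, the 250-octet segment limit (chosen instead of the 50,000 in the notes so that the split is visible) and the single-character corruption are constructed.

```python
"""PGP-style radix-64 armor with CRC-24, plus segmentation/reassembly.

Order of operations follows the notes: Z (compress) -> R64 (radix-64, each
3 octets -> 4 printable characters, 33% growth) -> CRC line -> segmentation
last, so keys/signatures appear only once, in the first segment.
"""
from __future__ import annotations

import base64
import zlib

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1 constants
CRC24_POLY = 0x1864CFB
LINE_LEN = 76           # radix-64 lines are wrapped at 76 characters
SEGMENT_LIMIT = 250     # assumed small limit for the demo; the notes cite 50,000


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 exactly as specified in RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(raw: bytes) -> str:
    """Z then R64: compress, base64 the result, wrap lines, append '=' + CRC-24."""
    compressed = zlib.compress(raw)
    body = base64.b64encode(compressed).decode("ascii")
    lines = [body[i:i + LINE_LEN] for i in range(0, len(body), LINE_LEN)]
    crc_line = "=" + base64.b64encode(crc24(compressed).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + [crc_line]) + "\n"


def dearmor(text: str) -> bytes:
    """Reverse of armor(): verify the CRC before decompressing; raise on damage."""
    lines = [ln for ln in text.splitlines() if ln]
    crc_line, body_lines = lines[-1], lines[:-1]
    if not crc_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    compressed = base64.b64decode("".join(body_lines))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    if crc24(compressed) != expected:
        raise ValueError("CRC-24 mismatch: message damaged in transit")
    return zlib.decompress(compressed)


def segment(armored: str, limit: int = SEGMENT_LIMIT) -> list[str]:
    """Cut the finished armored text into pieces of at most `limit` characters,
    always on a line boundary so every piece is still valid ASCII mail."""
    pieces, current = [], ""
    for line in armored.splitlines(keepends=True):
        if current and len(current) + len(line) > limit:
            pieces.append(current)
            current = ""
        current += line
    if current:
        pieces.append(current)
    return pieces


def reassemble(pieces: list[str]) -> str: 
    """Reassembly must happen before any verification or decryption."""
    return "".join(pieces)


def demo() -> dict:
    # constructed sample: redundant text, so compression outweighs radix-64 growth
    message = "".join(f"Line {i}: meet at the usual place at 09:00.\n"
                      for i in range(1000)).encode()
    armored = armor(message)
    pieces = segment(armored)
    recovered = dearmor(reassemble(pieces))
    # flip one character inside the body: the CRC must catch it
    damaged = armored[:10] + ("A" if armored[10] != "A" else "B") + armored[11:]
    try:
        dearmor(damaged)
        caught = False
    except ValueError:
        caught = True
    return {"round_trip_ok": recovered == message,
            "segments": len(pieces),
            "ratio": len(armored) / len(message),   # below 1.0 despite the 4/3 expansion
            "damage_detected": caught}


if __name__ == "__main__":
    print(demo())
```

Every line of the armored text except the final `=` line is plain base64, which is why a corrupted message still decodes "successfully" and only the CRC reveals the damage; a real receiver also verifies the signature after decompression.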

The session key component includes the session key and the identifier of the recipient's public key that was used by the sender to encrypt the session key. The entire block is usually encoded with radix-64 encoding.

Q) How are messages generated and transmitted in the Pretty Good Privacy (PGP) protocol? Explain with clear diagrams.

PGP Message Transmission and Reception

Message transmission
The following figure shows the steps during message transmission, assuming that the message is to be both signed and encrypted.
The sending PGP entity performs the following steps:
Signing the message
a. PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If your_userid was not provided in the command, the first private key on the ring is retrieved.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. The signature component of the message is constructed.
Encrypting the message
a. PGP generates a session key and encrypts the message.
b. PGP retrieves the recipient's public key from the public-key ring using her_userid as an index.
c. The session key component of the message is constructed.

Message Reception
The receiving PGP entity performs the following steps:
Decrypting the message
a. PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index.
b. PGP prompts the user for the passphrase to recover the unencrypted private key.
c. PGP then recovers the session key and decrypts the message.
Authenticating the message
a. PGP retrieves the sender's public key from the public-key ring, using the Key ID field in the signature component of the message as an index.
b. PGP recovers the transmitted message digest.
c. PGP computes the message digest for the received message and compares it to the transmitted message digest to authenticate.

Q) Explain the PGP trust model.

PGP Trust Model
• The node labeled "You" refers to the entry in the public-key ring corresponding to this user. This key is legitimate, and the OWNERTRUST value is ultimate trust.
• Each other node in the key ring has an OWNERTRUST value of undefined unless some other value is assigned by the user.
• In this example, this user has specified that it always trusts the following users to sign other keys: D, E, F and L. This user partially trusts users A and B to sign other keys.
• The shading of the nodes in the figure indicates the level of trust assigned by this user.
• The tree structure indicates which keys have been signed by which other users.
• If a key is signed by a user whose key is also in this key ring, the arrow joins the signed key to the signatory.
• If a key is signed by a user whose key is not present in this key ring, the arrow joins the signed key to a question mark, indicating that the signatory is unknown to this user.
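How a key ring like the one in the trust-model figure decides which keys are legitimate, as an added example written for these notes (not PGP's code). The ring is constructed to resemble the figure: "You" has ultimate trust, D, E, F and L are always trusted to sign, A and B are partially trusted, and "?" is a signer not present on the ring. One assumption goes beyond the notes: PGP's default rule that a key is legitimate if it carries one signature from a legitimate key with "always" (or ultimate) trust, or two signatures from legitimate keys with "partial" trust.

```python
"""Key legitimacy from OWNERTRUST values and signatures, PGP style."""

ULTIMATE, ALWAYS, PARTIAL, UNDEFINED = "ultimate", "always", "partial", "undefined"
COMPLETES_NEEDED, PARTIALS_NEEDED = 1, 2   # assumed PGP default thresholds

# constructed key ring: OWNERTRUST per key, and the set of keys that signed each key
OWNER_TRUST = {"You": ULTIMATE, "A": PARTIAL, "B": PARTIAL, "C": UNDEFINED,
               "D": ALWAYS, "E": ALWAYS, "F": ALWAYS, "G": UNDEFINED, "H": UNDEFINED,
               "I": UNDEFINED, "J": UNDEFINED, "K": UNDEFINED, "L": ALWAYS}
SIGNATURES = {
    "A": {"You"}, "B": {"You"}, "D": {"You"}, "E": {"You"}, "F": {"You"},
    "L": {"E"},            # signed by an always-trusted key, not by You directly
    "C": {"A"},            # one partially trusted signer: not enough
    "G": {"A", "B"},       # two partially trusted signers: legitimate
    "H": {"D"},            # one fully trusted signer: legitimate
    "I": {"G"},            # G is legitimate but has OWNERTRUST undefined: not enough
    "J": {"?"},            # signer unknown to this ring (the "?" node)
    "K": {"L"},            # chain: L becomes legitimate via E, then vouches for K
}


def legitimate_keys(owner_trust: dict, signatures: dict) -> set:
    """Return the keys this user may treat as legitimate."""
    legit = {k for k, t in owner_trust.items() if t == ULTIMATE}   # your own key
    changed = True
    while changed:   # a key certified in one pass may vouch for another in the next
        changed = False
        for key, signers in signatures.items():
            if key in legit:
                continue
            # only signatures from keys that are themselves legitimate count;
            # unknown ("?") or uncertified signers contribute nothing
            valid = [s for s in signers if s in legit]
            complete = sum(owner_trust.get(s) in (ULTIMATE, ALWAYS) for s in valid)
            partial = sum(owner_trust.get(s) == PARTIAL for s in valid)
            if complete >= COMPLETES_NEEDED or partial >= PARTIALS_NEEDED:
                legit.add(key)
                changed = True
    return legit


def why_not(key: str, owner_trust: dict, signatures: dict) -> str:
    """Short explanation of a key's status, for display next to the ring."""
    if key in legitimate_keys(owner_trust, signatures):
        return "legitimate"
    unknown = sorted(s for s in signatures.get(key, ()) if s not in owner_trust)
    if unknown:
        return f"signed only by keys not on this ring: {unknown}"
    return "insufficient trusted signatures"


if __name__ == "__main__":
    for k in sorted(OWNER_TRUST):
        print(k, why_not(k, OWNER_TRUST, SIGNATURES))
```

Note the difference between legitimacy and trust: G is legitimate (its public key is believed to belong to G) but, with OWNERTRUST undefined, G's signature on I is worth nothing until the user assigns G a trust level.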
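The transmission and reception steps above, together with the authentication and confidentiality operations from the start of the unit, as one added walk-through written for these notes (this is illustrative code, not PGP's implementation). Two stand-ins are used because the Python standard library has no RSA or block cipher: textbook RSA with no padding on well-known primes (2^255-19, 2^127-1, the secp256k1 prime and 2^521-1, which are not secure key choices), and an HMAC-SHA256 counter keystream in place of CAST-128/AES. Everything structural follows the notes: SHA-1, ZIP compression after signing and before encryption, key rings indexed by the 64-bit Key ID (low-order bits of the modulus), a fresh one-time session key, and the leading-two-octet digest check before the full comparison. The message text is constructed.

```python
"""PGP-style send/receive: sign -> compress -> encrypt, and the reverse."""
import hashlib
import hmac
import secrets
import struct
import time
import zlib

E = 65537
SIG_LEN = 128   # fixed field width for the RSA-encrypted digest


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair (toy: no padding, special-form primes)."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def key_id(pub: dict) -> int:
    """PGP Key ID: the least significant 64 bits of the RSA modulus."""
    return pub["n"] & ((1 << 64) - 1)


def EP(pub: dict, m: int) -> int:    # public-key operation
    return pow(m, pub["e"], pub["n"])


def DP(prv: dict, c: int) -> int:    # private-key operation
    return pow(c, prv["d"], prv["n"])


def EC(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)


DC = EC   # keystream XOR: decryption is the same operation


def H(m: bytes) -> bytes:
    return hashlib.sha1(m).digest()


def pgp_send(message: bytes, sender_prv: dict, sender_pub: dict, recipient_pub: dict) -> dict:
    # Signing: timestamp, sender Key ID, leading two octets, EP(PRa, H(M))
    digest = H(message)
    signature = DP(sender_prv, int.from_bytes(digest, "big")).to_bytes(SIG_LEN, "big")
    sig_component = struct.pack(">IQ2s", int(time.time()), key_id(sender_pub), digest[:2]) + signature
    # Z: compress message plus signature, then EC with a one-time session key Ks
    compressed = zlib.compress(sig_component + message)
    ks = secrets.token_bytes(16)
    return {"session_key": {"key_id": key_id(recipient_pub),               # who can open it
                            "ek": EP(recipient_pub, int.from_bytes(ks, "big"))},
            "body": EC(ks, compressed)}


def pgp_receive(packet: dict, private_ring: dict, public_ring: dict) -> bytes:
    # Decrypting: the Key ID in the session key component selects our private key
    prv = private_ring[packet["session_key"]["key_id"]]
    ks = DP(prv, packet["session_key"]["ek"]).to_bytes(16, "big")
    plain = zlib.decompress(DC(ks, packet["body"]))
    _ts, sender_kid, leading2 = struct.unpack(">IQ2s", plain[:14])
    signature = int.from_bytes(plain[14:14 + SIG_LEN], "big")
    message = plain[14 + SIG_LEN:]
    # Authenticating: the Key ID in the signature component selects the sender's public key
    recovered = EP(public_ring[sender_kid], signature)
    # 16-bit frame check: cheap test that the right key was used, before the full compare
    if recovered >= 1 << 160 or recovered.to_bytes(20, "big")[:2] != leading2:
        raise ValueError("leading two octets do not match: wrong public key")
    if recovered.to_bytes(20, "big") != H(message):
        raise ValueError("digest mismatch: message altered")
    return message


def demo():
    alice_pub, alice_prv = toy_keypair(2**255 - 19, 2**127 - 1)
    bob_pub, bob_prv = toy_keypair(2**256 - 2**32 - 977, 2**521 - 1)
    public_ring = {key_id(alice_pub): alice_pub, key_id(bob_pub): bob_pub}
    bob_private_ring = {key_id(bob_pub): bob_prv}
    message = b"Wire the funds to account 42 on Monday."      # constructed
    packet = pgp_send(message, alice_prv, alice_pub, bob_pub)
    received = pgp_receive(packet, bob_private_ring, public_ring)
    # flip one ciphertext bit: reception must fail, never return a forged message
    body = packet["body"]
    tampered = dict(packet, body=body[:-1] + bytes([body[-1] ^ 1]))
    try:
        pgp_receive(tampered, bob_private_ring, public_ring)
        detected = False
    except (ValueError, zlib.error):
        detected = True
    return received == message, detected


if __name__ == "__main__":
    print(demo())
```

The ordering matters for the reasons the notes give: the digest is taken over the uncompressed message, so the verifier never has to reproduce the compressor's exact output, and the session key wraps the compressed data, which has less redundancy than the plaintext.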
Q) Write a short note on S/MIME.

S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, which in turn provided support for varying content types and multi-part messages over the text-only support in the original Internet RFC 822 e-mail standard. MIME allows encoding of binary data in textual form for transport over traditional RFC 822 e-mail systems. S/MIME is defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851, and S/MIME support is now included in many modern mail agents.

RFC 822
RFC 822 defines a format for text messages that are sent using electronic mail, and it has been the standard for Internet-based text mail messages. The overall structure of a message that conforms to RFC 822 is very simple. A message consists of some number of header lines (the header) followed by unrestricted text (the body). The header is separated from the body by a blank line. A header line usually consists of a keyword, followed by a colon, followed by the keyword's arguments; the format allows a long line to be broken up into several lines. The most frequently used keywords are From, To, Subject, and Date.

Multipurpose Internet Mail Extensions
MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol), or some other mail transfer protocol, and RFC 822 for electronic mail. Problems with RFC 822 and SMTP:
• Executable files or other binary objects must be converted into ASCII. Various schemes exist (e.g., Unix UUencode), but a standard is needed.
• Text data that includes special characters (e.g., Hungarian text) cannot be transmitted, as SMTP is limited to 7-bit ASCII.
• Some servers reject mail messages over a certain size.
• Some common problems exist with SMTP implementations which do not adhere completely to the SMTP standards defined in RFC 821. They:
o delete, add, or reorder CR and LF characters
o truncate or wrap lines longer than 76 characters
o remove trailing white space (tabs and spaces)
o pad lines in a message to the same length
o convert tab characters into multiple spaces
MIME is intended to resolve these problems in a manner that is compatible with existing RFC 822 implementations; the specification is provided in RFCs 2045 through 2049.
The MIME specification includes the following elements:
1. Five new message header fields are defined, which provide information about the body of the message.
2. A number of content formats are defined, thus standardizing representations that support multimedia electronic mail.
3. Transfer encodings are defined that protect the content from alteration by the mail system.

Q) What are the key components of Internet mail architecture?

MIME – New header fields
The five header fields defined in MIME are as follows:
• MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms to RFCs 2045 and 2046.
• Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner.
• Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport.
• Content-ID: Used to identify MIME entities uniquely in multiple contexts.
• Content-Description: A text description of the object within the body; this is useful when the object is not readable (e.g., audio data).

Q) Explain MIME content types.

MIME Content Types
The bulk of the MIME specification is concerned with the definition of a variety of content types. There are seven different major types of content and a total of 15 subtypes. In general, a content type is a general type of data, and the subtype is a particular format for that type of data.
For the multipart type, the Content-Type header field includes a parameter called boundary that defines the delimiter between body parts. This boundary string must not appear anywhere inside the parts of the message. Each boundary starts on a new line and consists of two hyphens followed by the boundary value. The final boundary, which indicates the end of the last part, also has a suffix of two hyphens. Within each part, there may be an optional ordinary MIME header. There are four subtypes of the multipart type, all of which have the same overall syntax.
The message type provides a number of important capabilities in MIME. The message/rfc822 subtype indicates that the body is an entire message, including header and body. Despite the name of this subtype, the encapsulated message may be not only a simple RFC 822 message, but also any MIME message. The message/partial subtype enables fragmentation of a large message into a number of parts, which must be reassembled at the destination. For this subtype, three parameters are specified in the Content-Type: message/partial field: an id common to all fragments of the same message, a sequence number unique to each fragment, and the total number of fragments. The message/external-body subtype indicates that the actual data to be conveyed in this message are not contained in the body. Instead, the body contains the information needed to access the data. The application type refers to other kinds of data, typically either uninterpreted binary data or information to be processed by a mail-based application.

MIME Transfer Encodings
The other major component of the MIME specification, in addition to the content type specification, is a definition of transfer encodings for message bodies. The objective is to provide reliable delivery across the largest range of environments.
The MIME standard defines two methods of encoding data. The Content-Transfer-Encoding field can actually take on six values. Three of these values (7bit, 8bit, and binary) indicate that no encoding has been done but provide some information about the nature of the data. Another Content-Transfer-Encoding value is x-token, which indicates that some other encoding scheme is used, for which a name is to be supplied. The two actual encoding schemes defined are quoted-printable and base64. Two schemes are defined to provide a choice between a transfer technique that is essentially human readable and one that is safe for all types of data in a way that is reasonably compact. The quoted-printable transfer encoding is useful when the data consists largely of octets that correspond to printable ASCII characters. In essence, it represents non-safe characters by the hexadecimal representation of their code and introduces reversible (soft) line breaks to limit message lines to 76 characters. The base64 transfer encoding, also known as radix-64 encoding, is a common one for encoding arbitrary binary data in such a way as to be invulnerable to the processing by mail transport programs.

Canonical Form
An important concept in MIME and S/MIME is that of canonical form. Canonical form is a format, appropriate to the content type, that is standardized for use between systems. This is in contrast to native form, which is a format that may be peculiar to a particular system. Canonical form matters for signing: the signer and the verifier must hash exactly the same octets, so both convert the content (for text, the line-ending convention in particular) to canonical form before hashing.

S/MIME Functionality
S/MIME has very similar functionality to PGP. Both offer the ability to sign and/or encrypt messages.
Functions
S/MIME provides the following functions:
• Enveloped data: This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients.
• Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
• Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
• Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

Q) Write the different cryptographic algorithms used in S/MIME. Explain how S/MIME is better than MIME.
Cryptographic Algorithms: Table 19.5 summarizes the cryptographic algorithms used in S/MIME. [Table not reproduced in this extract.]
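The MIME header fields, multipart boundary syntax and the two transfer encodings above, as an added example written for these notes with the Python standard library (it is not code from any RFC). The text body is constructed to contain exactly what non-conforming SMTP relays mangle: 8-bit characters (the notes' Hungarian example), a trailing space and a line longer than 76 characters; the attachment is arbitrary binary including CR, LF and NUL octets. The message is built, serialized in CRLF canonical form, parsed back from the wire bytes, and the decoded parts compared with the originals.

```python
"""MIME construction and parsing: quoted-printable vs base64, multipart boundaries."""
import quopri
from email import message_from_bytes, policy
from email.message import EmailMessage

# constructed sample content
TEXT = ("Árvíztűrő tükörfúrógép (Hungarian pangram) \n"   # 8-bit chars + trailing space
        + "x" * 120 + "\n")                                 # > 76 chars: needs a soft line break
BINARY = bytes(range(256)) * 4                              # arbitrary octets incl. CR, LF, NUL


def build_message() -> bytes:
    """Return the 7-bit-clean wire form of a two-part message."""
    msg = EmailMessage(policy=policy.SMTP)        # SMTP policy: CRLF line endings on the wire
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "MIME demo"
    # mostly-ASCII text: quoted-printable keeps it human readable
    msg.set_content(TEXT, charset="utf-8", cte="quoted-printable")
    # binary: base64 (radix-64) is the default for bytes content
    msg.add_attachment(BINARY, maintype="application", subtype="octet-stream",
                       filename="blob.bin")
    return msg.as_bytes()


def parse_message(raw: bytes):
    """Parse wire bytes; return (MIME-Version, boundary, [part descriptions])."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [{"type": part.get_content_type(),
              "cte": part["Content-Transfer-Encoding"],
              "payload": part.get_content()}            # decoded according to the CTE
             for part in msg.iter_parts()]
    return msg["MIME-Version"], msg.get_boundary(), parts


def qp_properties(text: bytes) -> dict:
    """What quoted-printable does to the risky octets, using quopri directly."""
    encoded = quopri.encodestring(text)
    lines = encoded.split(b"\n")
    return {"max_line": max(len(ln) for ln in lines),          # never above 76
            "trailing_space_protected": b"=20\n" in encoded,    # trailing space -> =20
            "soft_break": b"=\n" in encoded,                    # reversible line break
            "round_trip": quopri.decodestring(encoded) == text}


if __name__ == "__main__":
    raw = build_message()
    print(raw.decode("ascii"))
    print(parse_message(raw)[1:], qp_properties(TEXT.encode("utf-8")))
```

In the wire form every part is introduced by `--` plus the boundary on its own line and the message ends with the boundary followed by a second `--`, exactly as the content-type discussion above describes; the parsed text part may come back with CRLF line endings because that is how it travelled.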

S/MIME uses the following terminology taken from RFC 2119:
• MUST: The definition is an absolute requirement of the specification. An implementation must include this feature or function to be in conformance with the specification.
• SHOULD: There may exist valid reasons in particular circumstances to ignore this feature or function, but it is recommended that an implementation include the feature or function.

S/MIME incorporates three public-key algorithms:
 The Digital Signature Standard (DSS) is the preferred algorithm for digital signature.
 S/MIME lists Diffie-Hellman as the preferred algorithm for encrypting session keys; in fact,
 As an alternative, RSA can be used for both signatures and session key encryption.

MIME Messages:
 S/MIME secures a MIME entity with a signature, encryption, or both.
 All of the new application types use the designation PKCS. This refers to a set of public-key cryptography specifications issued by RSA Laboratories and made available for the S/MIME effort.
 S/MIME messages have a range of content types:
◦ enveloped data
◦ signed data
◦ clear-signed data
◦ registration request
◦ certificates-only message

(a) EnvelopedData
The steps for preparing an envelopedData MIME entity are:
1. Generate a pseudorandom session key for a particular symmetric encryption algorithm (RC2/40 or triple DES).
2. For each recipient, encrypt the session key with the recipient's public RSA key.
3. For each recipient, prepare a block known as RecipientInfo that contains an identifier of the recipient's public-key certificate, an identifier of the algorithm used to encrypt the session key, and the encrypted session key.
4. Encrypt the message content with the session key.
A sample message (excluding the RFC 5322 headers) is:

Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

rfvbnj756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
7n8HHGghyHhHUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H
f8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
0GhIGfHfQbnj756YT64V

(b) SignedData
The signedData smime-type can be used with one or more signers. For clarity, we confine our description to the case of a single digital signature. The steps for preparing a signedData MIME entity are:
1. Select a message digest algorithm (SHA or MD5).
2. Compute the message digest (hash function) of the content to be signed.
3. Encrypt the message digest with the signer's private key.
4. Prepare a block known as SignerInfo that contains the signer's public-key certificate, an identifier of the message digest algorithm, an identifier of the algorithm used to encrypt the message digest, and the encrypted message digest.
A sample message (excluding the RFC 5322 headers) is:

Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

567GhIGfHfYT6ghyHhHUujpfyF4f8HHGTrfvhJhjH776tbB9HG4VQbnj7
7n8HHGT9HG4VQpfyF467GhIGfHfYT6rfvbnj756tbBghyHhHUujhJhjH
HUujhJh4VQpfyF467GhIGfHfYGTrfvbnjT6jH7756tbB9H7n8HHGghyHh
6YT64V0GhIGfHfQbnj75

(c) Clear Signing
Clear signing is achieved using the multipart content type with a signed subtype. The first part is the readable content, the second part is the detached signature; the micalg parameter names the digest algorithm so that the verifier can start hashing the first part before it reaches the signature. Here is a sample message:

Content-Type: multipart/signed;
  protocol="application/pkcs7-signature";
  micalg=sha1; boundary=boundary42

--boundary42
Content-Type: text/plain

This is a clear-signed message.

--boundary42
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7s

ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
7GhIGfHfYT64VQbnj756

--boundary42--

(d) Registration Request
Typically, an application or user will apply to a certification authority for a public-key certificate. The certification request includes a certificationRequestInfo block, followed by an identifier of the public-key encryption algorithm, followed by the signature of the certificationRequestInfo block made using the sender's private key. The certificationRequestInfo block includes a name of the certificate subject (the entity whose public key is to be certified) and a bit-string representation of the user's public key.

(e) Certificates-Only Message
A message containing only certificates or a certificate revocation list (CRL) can be sent in response to a registration request.
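The MIME-level side of clear signing above, as an added example written for these notes (not S/MIME library code; the PKCS#7 blob is a constructed placeholder and is not decoded). It splits a multipart/signed message on its boundary, puts the first body part into CRLF canonical form, and computes the micalg digest over that part, headers included, which is the value the detached pkcs7-signature covers. It also shows why canonical form matters: a copy of the message stored with LF line endings hashes to the same value, while any change to the text does not.

```python
"""Clear-signed (multipart/signed) message: split, canonicalize, digest."""
import hashlib
import re

# constructed sample; the base64 line stands in for a real PKCS#7 signature
SAMPLE = (
    "Content-Type: multipart/signed;\r\n"
    ' protocol="application/pkcs7-signature";\r\n'
    " micalg=sha1; boundary=boundary42\r\n"
    "\r\n"
    "--boundary42\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "This is a clear-signed message.\r\n"
    "--boundary42\r\n"
    "Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=smime.p7s\r\n"
    "\r\n"
    "Z2h5SGhIVXVqaEpoakg3N244SEhHVHJmdmJuajc1NnRiQjlIRzRWUXBmeUY0NjdHaElHZkhm\r\n"
    "--boundary42--\r\n"
)


def to_crlf(text: str) -> str:
    """Canonical form for mail text: every line terminated by CRLF."""
    return "\r\n".join(text.splitlines()) + "\r\n"


def split_signed(raw: str):
    """Return (micalg, [body parts]) of a multipart/signed message.

    The CRLF immediately before each '--boundary' line belongs to the delimiter,
    not to the part, so it is not included in the part's content."""
    raw = to_crlf(raw)
    header, _, body = raw.partition("\r\n\r\n")
    boundary = re.search(r'boundary="?([^";\s]+)"?', header).group(1)
    micalg = re.search(r'micalg="?([\w-]+)"?', header).group(1)
    chunks = ("\r\n" + body).split("\r\n--" + boundary)
    parts = []
    for chunk in chunks[1:]:
        if chunk.startswith("--"):      # closing delimiter: --boundary42--
            break
        parts.append(chunk[2:])         # drop the CRLF that ended the boundary line
    return micalg, parts


def micalg_digest(raw: str) -> str:
    """Digest of the first part (its MIME headers included), as the signer hashed it."""
    micalg, parts = split_signed(raw)
    return hashlib.new(micalg.replace("-", "").lower(), parts[0].encode("utf-8")).hexdigest()


def readable_text(raw: str) -> str:
    """What a client without S/MIME support can still show: the first part's body."""
    _, parts = split_signed(raw)
    return parts[0].partition("\r\n\r\n")[2]


if __name__ == "__main__":
    print(readable_text(SAMPLE))
    print(micalg_digest(SAMPLE))
```

Verifying the signature proper would mean decoding the second part as a CMS SignedData structure and checking the signer's RSA or DSS signature over this digest with the certificate it carries; the MIME handling shown here is the part that most often goes wrong in practice, because a relay that rewrites line endings or strips trailing whitespace changes the non-canonical bytes but not the canonical ones.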
S/MIME Certificate Processing
S/MIME uses public-key certificates that conform to version 3 of X.509. The key-management scheme used by S/MIME is in some ways a hybrid between a strict X.509 certification hierarchy and PGP's web of trust. As with the PGP model, S/MIME managers and/or users must configure each client with a list of trusted keys and with certificate revocation lists. That is, the responsibility is local for maintaining the certificates needed to verify incoming signatures and to encrypt outgoing messages. On the other hand, the certificates are signed by certification authorities.

Certificate Authorities
VeriSign provides a CA service that is intended to be compatible with S/MIME and a variety of other applications. VeriSign issues X.509 certificates with the product name VeriSign Digital ID. As of early 1998, over 35,000 commercial Web sites were using VeriSign Server Digital IDs, and over a million consumer Digital IDs had been issued to users of Netscape and Microsoft browsers. The information contained in a Digital ID depends on the type of Digital ID and its use. At a minimum, each Digital ID contains:
• Owner's public key
• Owner's name or alias
• Expiration date of the Digital ID
• Serial number of the Digital ID
• Name of the certification authority that issued the Digital ID
• Digital signature of the certification authority that issued the Digital ID

Q) Give an IP Security overview.

IP SECURITY OVERVIEW
Definition: Internet Protocol security (IPSec) is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPSec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

Need for IPSec
The Computer Emergency Response Team (CERT)'s 2001 annual report listed 52,000 security incidents. The most serious types of attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on the IP address, and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents. In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, i.e. IPv6.

Applications of IPSec
IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs), and across the Internet.
• Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
• Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for travelling employees and telecommuters.
• Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
• Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.
The principal feature of IPSec enabling it to support these varied applications is that it can encrypt and/or authenticate all traffic at the IP level. Thus, all distributed applications, including remote logon, client/server, e-mail, file transfer, Web access, and so on, can be secured.
The following figure shows a typical scenario of IPSec usage. An organization maintains LANs at dispersed locations. Non-secure IP traffic is conducted on each LAN. The IPSec protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols themselves to provide security.

Benefits of IPSec
o IPSec in a firewall/router provides strong security to all traffic crossing the perimeter.
o IPSec in a firewall is resistant to bypass.
o IPSec is below the transport layer (TCP, UDP) and hence transparent to applications.
o IPSec can be transparent to end users.
o IPSec can provide security for individual users if needed (useful for offsite workers and for setting up a secure virtual subnetwork for sensitive applications).

Q) Give the IP Security architecture with a neat diagram.

IP SECURITY ARCHITECTURE
To understand the IP Security architecture, we examine the IPSec documents first and then move on to IPSec services and Security Associations.

IPSec Documents
The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are RFCs 2401, 2402, 2406, and 2408:
• RFC 2401: An overview of a security architecture
• RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
• RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
• RFC 2408: Specification of key management capabilities
Support for these features is mandatory for IPv6 and optional for IPv4. In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header. In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups, as depicted in the following figure:
• Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
• Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
• Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
• Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
• Key Management: Documents that describe key management schemes.
• Domain of Interpretation (DOI): Contains values needed for the other documents to

IPSec Services
The IPSec architecture makes use of two major protocols (the Authentication Header and ESP) for providing security at the IP level. The two communicating systems agree in advance on the algorithms to be used, the security protocols needed and any cryptographic keys required to provide the requested services. The IPSec services are as follows:
 Connectionless Integrity: Integrity protection is provided by AH (and by ESP when its authentication option is used). Each packet carries an integrity check value, so any alteration of the packet during transmission is detected and the packet is discarded; the service is connectionless because each packet is checked on its own.
 Data Origin Authentication: This service assures the receiver that a packet was in fact sent by the party identified as its source, which defeats IP address spoofing. (Protection against replayed packets is a separate service, listed below.)
 Access Control: Cryptographic keys are distributed only to authorized parties, and the traffic flow is controlled in both AH and ESP, so that only traffic which matches a security association and carries valid protection is accepted. This accomplishes access control over the data transmission.
 Confidentiality: Confidentiality of the data packet is obtained by encryption, in which the data packets are transformed into ciphertext packets that are unreadable to anyone who does not hold the key.
 Limited Traffic Flow Confidentiality: This service conceals some information about the traffic pattern, such as the true length of the packets transferred; it is achieved using padding in ESP.
 Rejection of Replayed Packets: Duplicate or replayed packets are identified and discarded using the sequence number field carried in both AH and ESP.

Security Associations
algorithms, as well as operational parameters such as key lifetime.
Since IPSec is designed to be able to use various security protocols, it uses Security Associations (SAs) to specify the protocols to be used. An SA is a database record which specifies the security parameters controlling security operations. It is referenced by the sending host and established by the receiving host. An index parameter called the Security Parameters Index (SPI) is used. SAs are in one direction only, and a second SA must be established for the transmission to be bi-directional.
A security association is uniquely identified by three parameters:
• Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
• IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
• Security Protocol Identifier: This indicates whether the association is an AH or an ESP security association.

SA Parameters
In each IPSec implementation, there is a nominal Security Association Database that defines the parameters associated with each SA. A security association is normally defined by the following parameters:
• Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers.
• Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations).
• Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay.
• AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations).
• ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP
relate to each other. These include identifiers for approved encryption and authentication implementations).
Q) What is SECURITY ASSOCIATIONS in IP Sec

• Lifetime of This Security Association: A time interval or byte count after which an SA No routers along the way will be able (and will not need) to check the content of the Case:-2

must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of packets
these actions should occur (required for all implementations).
• IPSec Protocol Mode: Tunnel, transport, or wildcard (required for all
implementations). These modes are discussed later in this section.
• Path MTU: Any observed path maximum transmission unit (maximum size of a packet
that can be transmitted without fragmentation) and aging variables (required for all
implementations).

Transport and Tunnel Modes


Security is provided only between gateways (routers, firewalls, etc.) and no hosts
Both AH and ESP support two modes of use: transport and tunnel mode.
implement IPSec. This case illustrates simple virtual private network support. The
Transport Mode SA Tunnel Mode SA security architecture document specifies that only a single tunnel SA is needed for this
AH Authenticates IP payload Authenticates entire inner Q) What parameters identify an SA and what parameters characterize the nature of a
and selected portions of IP IP packet plus selected case. The tunnel could support AH, ESP, or ESP with the authentication option. Nested
header and IPv6 extension portions of outer IP header
particular SA?
tunnels are not required because the IPSec services apply to the entire inner packet.
headers
ESP Encrypts IP payload and Encrypts inner IP packet Case-3:-
Basic Combinations of Security Associations
any IPv6 extesion header
ESP with authentication Encrypts IP payload and Encrypts inner IP packet. The IPSec Architecture document lists four examples of combinations of SAs that must be
any IPv6 extesion header. Authenticates inner IP
Authenticates IP payload packet supported by compliant IPSec hosts (e.g., workstation, server) or security gateways (e.g.
but no IP header firewall, router).
case:-1

IP sec can be used (both AH packets and ESP packets) in two modes
• Transport mode: the IP sec header is inserted just after the IP header –this contains
the security information, such as SA identifier, encryption, authentication
Typically used in end-to-end communication
The third combination is similar to the second, but in addition provides security even to
IP header not protected
nodes. This combination makes use of two tunnels first for gateway to gateway and
• Tunnel mode: the entire IP packet, header and all, is encapsulated in the body of a new
second for node to node. Either authentication or the encryption or both can be provided
IP packet with a completely new IP header
by using gateway to gateway tunnel. An additional IPSec service is provided to the
Typically used in firewall-to-firewall communication All security is provided between end systems that implement IPSec. For any two end
individual nodes by using node to node tunnel.
Provides protection for the whole IP packet systems to communicate via an SA, they must share the appropriate secret keys. Among
Case:-4
the possible combinations:
a) AH in transport mode
b) ESP in transport mode
c) ESP followed by AH in transport mode (an ESP SA inside an AH SA)
d) Any one of a, b, or c inside an AH or ESP in tunnel mode
Case 4: This combination is suitable for serving remote users, i.e., an end user sitting
anywhere in the world can use the Internet to reach the organization's workstations via
its firewall. Only one tunnel SA is needed for the communication between the remote user
and the organizational firewall.

Q) Draw the IP security authentication header and explain the functions of each
field

AUTHENTICATION HEADER

The Authentication Header provides support for data integrity and authentication of IP
packets. The data integrity feature ensures that undetected modification of a packet's
content in transit is not possible. The authentication feature enables an end system or
network device to authenticate the user or application and filter traffic accordingly; it also
prevents the address spoofing attacks observed in today's Internet. The AH also guards
against the replay attack. Authentication is based on the use of a message authentication
code (MAC), hence the two parties must share a secret key. The Authentication Header
consists of the following fields:

• Next Header (8 bits): Identifies the type of header immediately following this header.
• Payload Length (8 bits): Length of the Authentication Header in 32-bit words, minus 2.
For example, the default length of the Authentication Data field is 96 bits, or three 32-bit
words. With a three-word fixed header, there are a total of six words in the header, and the
Payload Length field has a value of 4.
• Reserved (16 bits): For future use.
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value, discussed
below.
• Authentication Data (variable): A variable-length field (must be an integral number
of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.

Anti-Replay Service

The anti-replay service counters replay attacks, in which an intruder captures an
authenticated packet in transit, makes one or more copies of it and later sends the copies
to the destination, which would otherwise accept and process each of them. The Sequence
Number field is designed to thwart such attacks.

When a new SA is established, the sender initializes a sequence number counter to 0. Each
time a packet is sent on this SA, the sender increments the counter and places the
value in the Sequence Number field; thus the first value used is 1. The maximum value
of the field is 2^32 - 1. If that limit is reached, the sender must terminate this SA and
negotiate a new SA with a new key; it must never let the counter wrap and re-use values.

The IPSec authentication document dictates that the receiver should implement a
window of size W, with a default of W = 64. The right edge of the window represents the
highest sequence number, N, so far received for a valid packet. For any packet with a
sequence number in the range from N-W+1 to N that has been correctly received (i.e.,
properly authenticated), the corresponding slot in the window is marked.
Inbound processing proceeds as follows when a packet is received:

1. If the received packet falls within the window and is new, the MAC is checked. If the
packet is authenticated, the corresponding slot in the window is marked.
2. If the received packet is to the right of the window and is new, the MAC is checked. If
the packet is authenticated, the window is advanced so that this sequence number is the
right edge of the window, and the corresponding slot in the window is marked.
3. If the received packet is to the left of the window, or if authentication fails, the packet
is discarded; this is an auditable event.

Integrity Check Value

The ICV is the value carried in the Authentication Data field of AH or ESP. The receiver
recomputes it and compares, which reveals any modification made to the packet in
transit. The ICV is a MAC or a truncated version of a MAC. The specification requires
support for HMAC with the MD5 and SHA-1 hash codes:
• HMAC-MD5-96
• HMAC-SHA-1-96

In both cases, the full HMAC value is calculated but then truncated to the first 96
bits, which is the default length for the Authentication Data field. (Note that these are
the algorithms of the original RFCs; RFC 8221 now lists HMAC-MD5-96 as MUST NOT and
makes HMAC-SHA-256 truncated to 128 bits the mandatory integrity algorithm.)

The MAC is calculated over
• IP header fields that either do not change in transit (immutable) or that are predictable
in value upon arrival at the endpoint for the AH SA. Fields that may change in transit and
whose value on arrival is unpredictable (for IPv4: Type of Service, Flags, Fragment
Offset, TTL and Header Checksum) are set to zero for purposes of calculation at both
source and destination.
• The AH header other than the Authentication Data field. The Authentication Data field
is set to zero for purposes of calculation at both source and destination.
• The entire upper-level protocol data, which is assumed to be immutable in transit (e.g.,
a TCP segment or an inner IP packet in tunnel mode).

Transport and Tunnel Mode AH

The following figure shows typical IPv4 and IPv6 packets. In this case, the IP payload is a
TCP segment; it could also be a data unit for any other protocol that uses IP, such as UDP
or ICMP.

For transport mode AH using IPv4, the AH is inserted after the original IP header and
before the IP payload (e.g., a TCP segment), as shown below. Authentication covers the entire
packet, excluding mutable fields in the IPv4 header that are set to zero for MAC
calculation. In the context of IPv6, AH is viewed as an end-to-end payload; that is, it is not
examined or processed by intermediate routers. Therefore, the AH appears after the IPv6
base header and the hop-by-hop, routing, and fragment extension headers. The
destination options extension header could appear before or after the AH header,
depending on the semantics desired. Again, authentication covers the entire packet,
excluding mutable fields that are set to zero for MAC calculation.

For tunnel mode AH, the entire original IP packet is authenticated, and the AH is inserted
between the original IP header and a new outer IP header. The inner IP header carries
the ultimate source and destination addresses, while the outer IP header may contain
different IP addresses (e.g., addresses of firewalls or other security gateways). With
tunnel mode, the entire inner IP packet, including the entire inner IP header, is protected
by AH. The outer IP header (and in the case of IPv6, the outer IP extension headers) is
protected except for mutable and unpredictable fields.

Q) Discuss in detail encapsulating security payload

ENCAPSULATING SECURITY PAYLOAD

The Encapsulating Security Payload provides confidentiality services, including
confidentiality of message contents and limited traffic flow confidentiality. As an optional
feature, ESP can also provide an authentication service.

ESP Format

The following figure shows the format of an ESP packet. It contains the following fields:

• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value; this provides
an anti-replay function, as discussed for AH.
• Payload Data (variable): This is a transport-level segment (transport mode) or IP
packet (tunnel mode) that is protected by encryption.
• Padding (0-255 bytes): Serves three purposes. If the encryption algorithm requires the
plaintext to be a multiple of some number of bytes (e.g., the block size of a block cipher),
the padding extends the plaintext (Payload Data, Padding, Pad Length and Next Header)
to the required length. The ESP format also requires that the Pad Length and Next Header
fields be right-aligned within a 32-bit word, and the padding assures this alignment.
Additional padding may be added to conceal the actual length of the payload, which
provides partial traffic flow confidentiality.
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this
field.
• Next Header (8 bits): Identifies the type of data contained in the Payload Data field by
identifying the first header in that payload (for example, an extension header in IPv6, or an
upper-layer protocol such as TCP).
• Authentication Data (variable): A variable-length field (must be an integral number
of 32-bit words) that contains the Integrity Check Value computed over the ESP packet
minus the Authentication Data field.

Adding encryption makes ESP a bit more complicated because the encapsulation
surrounds the payload rather than precedes it as with AH: ESP includes a header (SPI and
Sequence Number) before the payload and a trailer (Padding, Pad Length and Next Header)
after it. The trailer is encrypted together with the payload, while the header stays in
clear so that the receiver can select the SA and run the anti-replay check before
decrypting.

Transport Mode ESP

Tunnel Mode ESP
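The following Python program is an added worked example of the inbound anti-replay
processing described above (window of W = 64, the three rules, and the sender-side rule
that the 32-bit counter must never wrap). It is not part of the original notes and is not
taken from any IPSec implementation; the SA database, the (SPI, destination address,
protocol) key used to select the SA and the trace of sequence numbers are constructed
for the example.

```python
class SenderCounter:
    """Outbound sequence numbers for one SA: counter starts at 0, the first packet carries 1,
    and the SA must be replaced before the 32-bit counter would wrap (2^32 - 1 is the last
    usable value)."""
    LIMIT = 0xFFFFFFFF

    def __init__(self):
        self.counter = 0

    def next_seq(self):
        if self.counter >= self.LIMIT:
            raise RuntimeError("sequence space exhausted: terminate SA and negotiate a new key")
        self.counter += 1
        return self.counter


class AntiReplayWindow:
    """Receive-side sliding window (RFC 2401 Appendix C), default W = 64.
    `last` is N, the right edge; bit i of `bitmap` is set if sequence number N - i was accepted."""

    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq, mac_valid):
        """Returns (accepted, reason). A slot is marked only after the MAC has verified."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.last:                              # rule 2: right of the window, new
            if not mac_valid:
                return False, "authentication failed (auditable)"
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1           # keep exactly W slots
            self.last = seq
            return True, "accepted, window advanced"
        offset = self.last - seq
        if offset >= self.size:                           # rule 3: left of the window
            return False, "too old, left of window (auditable)"
        if self.bitmap & (1 << offset):
            return False, "replay, already received (auditable)"
        if not mac_valid:                                 # rule 1: inside the window, new
            return False, "authentication failed (auditable)"
        self.bitmap |= 1 << offset
        return True, "accepted, slot marked"


def inbound(sad, spi, dst, proto, seq, mac_valid):
    """Select the SA by the (SPI, destination address, protocol) triple, then run its window."""
    sa = sad.get((spi, dst, proto))
    if sa is None:
        return False, "no SA for this (SPI, destination, protocol)"
    return sa.check(seq, mac_valid)


def demo():
    # Constructed trace of (sequence number, did the MAC verify) as a receiver would see it
    sad = {(0x1000, "10.0.0.2", "ESP"): AntiReplayWindow()}
    trace = [(1, True), (1, True), (2, True), (100, True), (36, True), (37, True),
             (37, True), (50, False), (50, True), (0, True)]
    return [inbound(sad, 0x1000, "10.0.0.2", "ESP", s, ok)[0] for s, ok in trace]


if __name__ == "__main__":
    print(demo())
```

In the trace, 100 advances the window so that 37..100 are the live slots; 36 is then "left
of the window" and is dropped even though it was never seen, which is the price of
keeping only W bits of state per SA. The packet with sequence number 50 and a bad MAC is
rejected without marking its slot, so a later, genuine packet 50 is still accepted.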
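The following Python program is an added worked example, not part of the original notes
and not taken from any IPSec implementation, of the two packet formats discussed above:
a transport-mode AH packet whose HMAC-SHA-1-96 ICV is computed with the mutable
IPv4 fields and the Authentication Data field zeroed, and an ESP packet with NULL
encryption (RFC 2410) plus HMAC-SHA-1-96 authentication, which exposes the trailer and
padding rules without needing a cipher library. The key, the addresses and the TCP
segment are constructed values; `align` is a parameter invented for the example to show
how extra padding hides the true payload length.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from any capture)
KEY = bytes.fromhex("0b" * 20)                   # 160-bit HMAC-SHA-1 key
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
TCP_SEGMENT = bytes.fromhex("1f90 0050 00000001 00000000 5002 2000 0000 0000") + b"hello"
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
AH_LEN = 24                                      # 3-word fixed header + 96-bit ICV


def icv96(key, data):
    """HMAC-SHA-1-96 (RFC 2404): full HMAC, truncated to the first 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ipv4_header(total_len, proto, ttl=64, ident=0x1234):
    # Flags/fragment offset 0x4000 (DF set); header checksum left 0 in this example
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, SRC, DST)


def zero_mutable(ip_hdr):
    """Zero the IPv4 fields that change in transit: ToS, Flags+Fragment Offset, TTL, Checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    # Payload Length = (AH length in 32-bit words) - 2 = 24/4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv


def build_ah_transport(key, payload, spi, seq):
    ip = ipv4_header(20 + AH_LEN + len(payload), IPPROTO_AH)
    ah = ah_header(IPPROTO_TCP, spi, seq)               # ICV zeroed while computing the MAC
    icv = icv96(key, zero_mutable(ip) + ah + payload)
    return ip + ah[:12] + icv + payload


def verify_ah_transport(key, pkt):
    ip, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    expected = icv96(key, zero_mutable(ip) + ah[:12] + b"\x00" * 12 + payload)
    return hmac.compare_digest(expected, ah[12:])


def esp_pad(plaintext, align):
    """Padding so that plaintext + pad + the 2 trailer bytes is a multiple of `align`
    (4 keeps Pad Length and Next Header right-aligned in a 32-bit word; a larger value hides
    the real length). Default pad bytes are 1, 2, 3, ... as RFC 2406 specifies."""
    n = (-(len(plaintext) + 2)) % align
    return bytes(range(1, n + 1))


def build_esp_null(key, plaintext, next_hdr, spi, seq, align=4):
    pad = esp_pad(plaintext, align)
    body = struct.pack("!II", spi, seq) + plaintext + pad + bytes([len(pad), next_hdr])
    return body + icv96(key, body)                       # ICV over everything but itself


def parse_esp_null(key, pkt):
    """Returns (spi, seq, next_header, plaintext), or None if the ICV does not verify."""
    body, icv = pkt[:-12], pkt[-12:]
    if not hmac.compare_digest(icv96(key, body), icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    return spi, seq, next_hdr, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    pkt = build_ah_transport(KEY, TCP_SEGMENT, 0x1000, 1)
    print("AH verifies:", verify_ah_transport(KEY, pkt))
    print("ESP-NULL length with align=64:", len(build_esp_null(KEY, TCP_SEGMENT, 6, 0x2000, 7, 64)))
```

The AH test worth running by hand: decrement the TTL byte (offset 8) as a router would and
the ICV still verifies; flip one payload byte or change the destination address and it fails.
With `align=64`, a 5-byte and a 25-byte payload both leave the host as 84-byte ESP packets.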
Q) How does IPSec provide public key management?

KEY MANAGEMENT

The key management portion of IPSec involves the determination and distribution of
secret keys. The IPSec Architecture document mandates support for two types of key
management:
• Manual: A system administrator manually configures each system with its own keys
and with the keys of other communicating systems. This is practical for small, relatively
static environments.
• Automated: An automated system enables the on-demand creation of keys for SAs and
facilitates the use of keys in a large distributed system with an evolving configuration.

The default automated key management protocol for IPSec is referred to as
ISAKMP/Oakley and consists of the following elements:
• Oakley Key Determination Protocol: Oakley is a key exchange protocol based on the
Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not
dictate specific formats.
• Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP
provides a framework for Internet key management and provides the specific protocol
support, including formats, for negotiation of security attributes.

Q) Explain Oakley Key Determination Protocol

Oakley is a refinement of the Diffie-Hellman key exchange algorithm. The Diffie-Hellman
algorithm has two attractive features:
• Secret keys are created only when needed. There is no need to store secret keys for a
long period of time, exposing them to increased vulnerability.
• The exchange requires no pre-existing infrastructure other than an agreement on the
global parameters.

However, Diffie-Hellman has some weaknesses:
• No identity information about the parties is provided.
• It is subject to a man-in-the-middle attack: an opponent who can intercept the
messages substitutes his own public value in each direction and ends up sharing a key
with each party, neither of which can tell.
• It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which
an opponent requests a high number of keys, each request forcing the victim to perform a
modular exponentiation.

Oakley is designed to retain the advantages of Diffie-Hellman while countering its
weaknesses.

Features of Oakley

The Oakley algorithm is characterized by five important features:
1. It employs a mechanism known as cookies to thwart clogging attacks.
2. It enables the two parties to negotiate a group; this, in essence, specifies the global
parameters of the Diffie-Hellman key exchange.
3. It uses nonces to ensure against replay attacks.
4. It enables the exchange of Diffie-Hellman public key values.
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

Aggressive Oakley Key Exchange

The aggressive key exchange is so called because it completes key exchange and
authentication in the minimum of three messages, at the cost of not protecting the
identities of the two parties.

Example of Aggressive Oakley Key Exchange

In the first step, the initiator (I) transmits a cookie, the group to be used, and I's public
Diffie-Hellman key for this exchange. I also indicates the offered public-key encryption,
hash, and authentication algorithms to be used in this exchange. Also included in this
message are the identifiers of I and the responder (R) and I's nonce for this exchange.
Finally, I appends a signature using I's private key that signs the two identifiers, the
nonce, the group, the Diffie-Hellman public key, and the offered algorithms. When R
receives the message, R verifies the signature using I's public signing key. R acknowledges
the message by echoing back I's cookie, identifier, and nonce, as well as the group. R also
includes in the message a cookie, R's Diffie-Hellman public key, the selected algorithms
(which must be among the offered algorithms), R's identifier, and R's nonce for this
exchange. Finally, R appends a signature using R's private key that signs the two
identifiers, the two nonces, the group, the two Diffie-Hellman public keys, and the
selected algorithms.

When I receives the second message, I verifies the signature using R's public key. The
nonce values in the message assure that this is not a replay of an old message. To complete
the exchange, I must send a message back to R to verify that I has received R's public key.

Q) Explain ISAKMP

ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete
security associations. As part of SA establishment, ISAKMP defines payloads for
exchanging key generation and authentication data.

ISAKMP Header Format

An ISAKMP message consists of an ISAKMP header followed by one or more payloads and
is carried over UDP (port 500). The format of the ISAKMP header is shown below:
• Initiator Cookie (64 bits): Cookie of entity that initiated SA establishment, SA
notification, or SA deletion.
• Responder Cookie (64 bits): Cookie of responding entity; null in first message from
initiator.
• Next Payload (8 bits): Indicates the type of the first payload in the message.
• Major Version (4 bits): Indicates major version of ISAKMP in use.
• Minor Version (4 bits): Indicates minor version in use.
• Exchange Type (8 bits): Indicates the type of exchange: base, identity protection,
authentication only, aggressive or informational (see ISAKMP Exchanges below).
• Flags (8 bits): Indicates specific options set for this ISAKMP exchange. Two bits so far
defined: The Encryption bit is set if all payloads following the header are encrypted using the
encryption algorithm for this SA. The Commit bit is used to ensure that encrypted material
is not received prior to completion of SA establishment.
• Message ID (32 bits): Unique ID for this message.
• Length (32 bits): Length of total message (header plus all payloads) in octets.

ISAKMP Payload Types

All ISAKMP payloads begin with the same generic payload header shown below.
The Next Payload field has a value of 0 if this is the last payload in the message; otherwise
its value is the type of the next payload. The Payload Length field indicates the length in
octets of this payload, including the generic payload header. There are many different
ISAKMP payload types. They are:
a. The SA payload is used to begin the establishment of an SA. The Domain of
Interpretation parameter identifies the DOI under which negotiation is taking place. The
Situation parameter defines the security policy for this negotiation; in essence, the levels
of security required for encryption and confidentiality are specified (e.g., sensitivity level,
security compartment).
b. The Proposal payload contains information used during SA negotiation. The payload
indicates the protocol for this SA (ESP or AH) for which services and mechanisms are
being negotiated. The payload also includes the sending entity's SPI and the number of
transforms. Each transform is contained in a transform payload.
c. The Transform payload defines a security transform to be used to secure the
communications channel for the designated protocol. The Transform # parameter serves
to identify this particular payload so that the responder may use it to indicate acceptance
of this transform. The Transform-ID and Attributes fields identify a specific transform
(e.g., 3DES for ESP, HMAC-SHA-1-96 for AH) with its associated attributes (e.g., hash
length).
d. The Key Exchange payload can be used for a variety of key exchange techniques,
including Oakley, Diffie-Hellman, and the RSA-based key exchange used by PGP. The Key
Exchange data field contains the data required to generate a session key and is dependent
on the key exchange algorithm used.
e. The Identification payload is used to determine the identity of communicating peers
and may be used for determining authenticity of information. Typically the ID Data field
will contain an IPv4 or IPv6 address.
f. The Certificate payload transfers a public-key certificate. The Certificate Encoding field
indicates the type of certificate or certificate-related information, which may include
SPKI, ARL, CRL, PGP info etc. At any point in an ISAKMP exchange, the sender may include
a Certificate Request payload to request the certificate of the other communicating entity.
g. The Hash payload contains data generated by a hash function over some part of the
message and/or ISAKMP state. This payload may be used to verify the integrity of the
data in a message or to authenticate negotiating entities.
h. The Signature payload contains data generated by a digital signature function over
some part of the message and/or ISAKMP state. This payload is used to verify the integrity
of the data in a message and may be used for nonrepudiation services.
i. The Nonce payload contains random data used to guarantee liveness during an
exchange and protect against replay attacks.
j. The Notification payload contains either error or status information associated with
this SA or this SA negotiation. Some of the ISAKMP error messages that have been defined
are Invalid Flags, Invalid Cookie, Payload Malformed etc.
k. The Delete payload indicates one or more SAs that the sender has deleted from its
database and that therefore are no longer valid.

ISAKMP Exchanges

ISAKMP provides a framework for message exchange, with the payload types serving as
the building blocks. The specification identifies five default exchange types that should
be supported.

1. Base Exchange: allows key exchange and authentication material to be transmitted
together. This minimizes the number of exchanges at the expense of not providing
identity protection. The first two messages provide cookies and establish an SA with
agreed protocol and transforms; both sides use a nonce to ensure against replay attacks.
The last two messages exchange the key material and user IDs, with an authentication
mechanism used to authenticate keys, identities, and the nonces from the first two
messages.

2. Identity Protection Exchange: expands the Base Exchange to protect the users'
identities. The first two messages establish the SA. The next two messages perform key
exchange, with nonces for replay protection. Once the session key has been computed, the
two parties exchange encrypted messages that contain authentication information, such as
digital signatures and optionally certificates validating the public keys.

3. Authentication Only Exchange: used to perform mutual authentication, without a
key exchange. The first two messages establish the SA. In addition, the responder uses the
second message to convey its ID and uses authentication to protect the message. The
initiator sends the third message to transmit its authenticated ID.

4. Aggressive Exchange: minimizes the number of exchanges at the expense of not
providing identity protection. In the first message, the initiator proposes an SA with
associated offered protocol and transform options. The initiator also begins the key
exchange and provides its ID. In the second message, the responder indicates its
acceptance of the SA with a particular protocol and transform, completes the key
exchange, and authenticates the transmitted information. In the third message, the
initiator transmits an authentication result that covers the previous information,
encrypted using the shared secret session key.

5. Informational Exchange: used for one-way transmittal of information for SA
management.
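The following Python program is an added worked example, not part of the original notes
and not taken from any IKE implementation, that ties together the ISAKMP header and
generic payload header described above with the Oakley cookie mechanism: it builds and
parses ISAKMP messages (checking the Length field and walking the Next Payload chain,
raising "Payload Malformed" on bad input), and it runs a simplified Base-style exchange in
which the responder answers the first message with a stateless cookie and performs the
Diffie-Hellman exponentiation only once that cookie comes back. The 64-bit prime is a toy
group chosen for the example, not a real IKE group; the signature-based authentication and
the SA/Proposal/Transform negotiation of the real protocol are left out; `Responder`,
`initiator_exchange` and `clogging_attempt` are names invented here.

```python
import hashlib
import hmac
import secrets
import struct

# ---- ISAKMP wire format (RFC 2408) ----------------------------------------------------
HDR = "!8s8sBBBBII"   # CKY_I, CKY_R, Next Payload, Version, Exchange Type, Flags, Message ID, Length
GEN = "!BBH"          # generic payload header: Next Payload, Reserved, Payload Length (incl. header)
PAYLOAD = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
           8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D"}
EXCHANGE = {1: "Base", 2: "Identity Protection", 3: "Authentication Only", 4: "Aggressive",
            5: "Informational"}
NULL_COOKIE = b"\x00" * 8
KE, NONCE, BASE = 4, 10, 1


def build_message(cky_i, cky_r, exchange, payloads, msg_id=0, flags=0):
    """payloads: list of (type number, body). Each payload's Next Payload names the one after it."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(GEN, nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, cky_i, cky_r, first, 0x10, exchange, flags, msg_id, 28 + len(body)) + body


def parse_message(msg):
    """Returns (header dict, [(payload name, body), ...]); raises ValueError on malformed input."""
    if len(msg) < 28:
        raise ValueError("Payload Malformed: header shorter than 28 octets")
    cky_i, cky_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR, msg[:28])
    if length != len(msg):
        raise ValueError("Payload Malformed: Length field %d != %d octets" % (length, len(msg)))
    hdr = {"cky_i": cky_i, "cky_r": cky_r, "version": (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE.get(exch, exch), "flags": flags, "msg_id": msg_id}
    payloads, off = [], 28
    while nxt != 0:                                      # walk the Next Payload chain
        if off + 4 > len(msg):
            raise ValueError("Payload Malformed: chain runs past end of message")
        nxt2, _, plen = struct.unpack(GEN, msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("Payload Malformed: bad Payload Length %d" % plen)
        payloads.append((PAYLOAD.get(nxt, nxt), msg[off + 4:off + plen]))
        nxt, off = nxt2, off + plen
    if off != len(msg):
        raise ValueError("Payload Malformed: trailing octets after last payload")
    return hdr, payloads


# ---- Oakley cookie exchange and Diffie-Hellman ---------------------------------------
P, G = (1 << 64) - 59, 2   # assumption: toy 64-bit prime for illustration, NOT a real IKE group


class Responder:
    def __init__(self):
        self.secret = secrets.token_bytes(32)   # local secret: cookies need no per-peer state
        self.dh_rounds = 0                      # how often a peer made us do DH work

    def cookie(self, src, dst, sport, dport):
        """Cookie = keyed hash of (source address, destination address, UDP ports)."""
        data = src + dst + struct.pack("!HH", sport, dport)
        return hmac.new(self.secret, data, hashlib.sha256).digest()[:8]

    def handle(self, src, dst, sport, dport, msg):
        """Returns (reply or None, shared secret or None)."""
        hdr, payloads = parse_message(msg)
        mine = self.cookie(src, dst, sport, dport)
        if hdr["cky_r"] == NULL_COOKIE:            # message 1: answer statelessly with a cookie
            return build_message(hdr["cky_i"], mine, BASE, []), None
        body = dict(payloads)
        if not hmac.compare_digest(hdr["cky_r"], mine) or "KE" not in body:
            return None, None                       # cookie is not ours: drop before any DH work
        y = secrets.randbelow(P - 2) + 1
        self.dh_rounds += 1
        shared = pow(int.from_bytes(body["KE"], "big"), y, P)
        reply = build_message(hdr["cky_i"], mine, BASE,
                              [(KE, pow(G, y, P).to_bytes(8, "big")), (NONCE, secrets.token_bytes(16))])
        return reply, shared


def initiator_exchange(resp, src, dst, sport=500, dport=500):
    """Cookie round trip, then DH round trip; returns (initiator's secret, responder's secret)."""
    cky_i = secrets.token_bytes(8)
    reply, _ = resp.handle(src, dst, sport, dport, build_message(cky_i, NULL_COOKIE, BASE, []))
    cky_r = parse_message(reply)[0]["cky_r"]
    x = secrets.randbelow(P - 2) + 1
    msg = build_message(cky_i, cky_r, BASE,
                        [(KE, pow(G, x, P).to_bytes(8, "big")), (NONCE, secrets.token_bytes(16))])
    reply, resp_secret = resp.handle(src, dst, sport, dport, msg)
    g_y = int.from_bytes(dict(parse_message(reply)[1])["KE"], "big")
    return pow(g_y, x, P), resp_secret


def clogging_attempt(resp, n):
    """n first messages from n spoofed sources: each gets a cheap cookie reply and no DH is done."""
    for i in range(n):
        resp.handle(struct.pack("!I", i), b"\x0a\x00\x00\x01", 500, 500,
                    build_message(secrets.token_bytes(8), NULL_COOKIE, BASE, []))
    return resp.dh_rounds
```

Because the cookie is a keyed hash of the peer's addresses and ports, a flood of first
messages from forged source addresses costs the responder one HMAC each and no memory,
and the attacker never receives the cookie it would need to make the responder exponentiate.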
Case Studies on Cryptography and security

(1) Secure Multiparty Calculation

Points for classroom discussions
1. Can you think of any practical situations where secure multiparty calculations would be required?
2. Can symmetric key encryption alone suffice the needs of secure multiparty calculations? If yes,
what are the possible issues/constraints?
3. Is an arbitrator mandatory in such a scheme?

Suppose that we have the following problem:

Alice, Bob, Carol and Dave are four people working in an organization. One fine day, they
are interested in knowing their average salary. However, they want to (obviously) ensure that no one comes
to know about the salary of anyone else. Unfortunately, there is no arbitrator who can take this task
upon itself.

How can this be achieved? An interesting protocol can be used to fulfill these requirements, as follows:

1. Alice generates a random number, adds that number to her salary, encrypts the resulting value with
the public key of Bob and sends it to Bob.
2. Bob decrypts the information received from Alice with his private key. He adds his salary to the
decrypted number (which is Alice's salary + random number). He then encrypts it with the public
key of Carol and sends the result to Carol.
3. Carol decrypts the value received from Bob with her private key, adds her salary to it, encrypts the
result with Dave's public key and sends the result to Dave.
4. Dave decrypts the value received from Carol with his private key, adds his salary to it, encrypts
the result with Alice's public key and sends the result to Alice.
5. Alice decrypts the value received from Dave with her private key and subtracts the original
random number from it. This gives her the total salary.
6. Alice divides the total salary by the number of people (4). This produces the value of the average
salary, which she announces to Bob, Carol and Dave.

Alice's random number is what keeps her own salary hidden from Bob: without it, Bob would read
Alice's salary directly from the first message. Note, however, that the scheme only protects against a
single curious participant. Two participants who pool what they sent and what they received (for
example Bob and Dave) can subtract the two values and recover the salary of the person between
them (Carol).

(2) Virtual Elections

Points for classroom discussions
1. Is it technically possible to have elections on the Internet? How? What sort of infrastructure would
be needed for this?
2. What would be the main concerns in such a virtual election?
3. What would be the use of digital signatures and encryption in virtual elections?

Another situation where cryptography is useful is virtual elections. Computerized voting
would become quite common in the next few decades. As such, it is important that the protocol for virtual
elections should protect individual privacy and should also disallow cheating.

Consider the following protocol in order that voters can send their votes electronically to the Election
Authority (EA).

1. Each voter casts the vote and encrypts it with the public key of the EA.
2. Each voter sends the encrypted vote to the EA.
3. The EA decrypts all the votes to retrieve the original votes, tabulates all the votes and announces the
result of the election.

Is this protocol secure and does it provide comfort both to the voters as well as to the
EA? Not at all!

There are the following problems in this scheme:

1. The EA does not know whether the authorized voters have voted or it has received fake (bogus) votes.
2. Secondly, there is no mechanism to prevent duplicate voting.

What is the advantage of this protocol? Clearly, no one would be able to change another
voter's vote, because it is first encrypted with the EA's public key and is then sent to the EA. However, if
we observe this scheme carefully, an attacker need not change someone's vote at all. The attacker can
simply send duplicate votes!

How can we improve upon this protocol to make it more robust? Let us rewrite it, as follows:

1. Each voter casts the vote and signs it with her private key.
2. Each voter then encrypts the signed vote with the public key of the EA.
3. Each voter sends the vote to the EA.
4. The EA decrypts the vote with its private key and verifies the signature of the voter with the help
of the voter's public key.
5. The EA then tabulates all the votes and announces the result of the election.

This protocol now lets the EA disallow duplicate voting. Because the voter has signed the vote
(with her private key) in Step 1, the EA can tell which registered voter each vote came from, accept
only the first vote per voter, and reject bogus votes that carry no valid signature. Similarly, no one
can change another voter's vote: a vote is digitally signed and any change to it will be detected and
exposed in the signature verification process.

Although this protocol is a lot better, the trouble with this scheme is that the EA would come
to know who voted for whom, leading to privacy concerns. We shall leave it to the reader to figure out how
this problem can be solved.
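The following Python program is an added worked example, not part of the original case
studies, that runs both protocols above: the average-salary ring of case study (1), including
the collusion that the text warns about, and the sign-then-encrypt voting protocol of case
study (2) with the EA's duplicate check. It uses textbook RSA with small primes and no
padding or hashing, which is a teaching toy only and must never be used for real; the
primes, the salaries, the voter identifiers and the candidate numbers are constructed for
the example, and the EA's modulus is chosen larger than the voters' so that a signature
always fits inside a ballot.

```python
import random

E = 65537
# Constructed toy keys: one prime pair per party (Alice, Bob, Carol, Dave) and one for the EA
PARTY_PRIMES = [(1009, 1013), (1019, 1021), (1031, 1033), (1039, 1049)]
EA_PRIMES = (1051, 1061)          # largest modulus, so voters' signatures fit in EA ciphertexts
SALARIES = [52000, 61000, 48000, 70000]   # constructed; Alice, Bob, Carol, Dave


def keygen(p, q):
    """Textbook RSA: returns (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):                 # raw RSA signature on the integer itself (toy)
    return decrypt(priv, m)


def verify(pub, m, sig):
    return encrypt(pub, sig) == m


# ---- Case study (1): average salary around the ring --------------------------------------
def average_salary_ring(salaries, keys, seed=7):
    """Returns (average, sent) where sent[i] is the running total party i forwarded (in clear,
    as that party saw it). Party 0 (Alice) starts with a random blinding value and finishes."""
    rng = random.Random(seed)
    pubs, privs = [k[0] for k in keys], [k[1] for k in keys]
    n = len(salaries)
    r = rng.randrange(1, 100_000)                         # Alice's random number
    sent = [salaries[0] + r]
    c = encrypt(pubs[1], sent[0])                         # Alice -> Bob
    for i in range(1, n):
        running = decrypt(privs[i], c) + salaries[i]      # party i adds its own salary
        sent.append(running)
        c = encrypt(pubs[(i + 1) % n], running)           # ... and forwards it to the next party
    total = decrypt(privs[0], c) - r                      # Alice removes the blinding value
    return total / n, sent


def colluding_recovery(sent, i):
    """Parties i and i+2 pool their views: what i sent minus what i+2 received is salary i+1."""
    return sent[i + 1] - sent[i]


# ---- Case study (2): signed, then encrypted votes with a duplicate check at the EA --------
def cast_vote(voter_id, candidate, voter_priv, ea_pub):
    """Voter signs the candidate number, then encrypts (voter id, vote, signature) for the EA."""
    sig = sign(voter_priv, candidate)
    return tuple(encrypt(ea_pub, x) for x in (voter_id, candidate, sig))


def tally(ballots, ea_priv, registry):
    """registry: voter_id -> public key. Returns (counts, rejected); one ballot per voter.
    Note that the EA sees (voter_id, candidate) in clear here: the privacy problem the text raises."""
    counts, seen, rejected = {}, set(), []
    for ballot in ballots:
        voter_id, candidate, sig = (decrypt(ea_priv, x) for x in ballot)
        if voter_id not in registry or not verify(registry[voter_id], candidate, sig):
            rejected.append((voter_id, "bad signature or unregistered"))
            continue
        if voter_id in seen:                              # replayed or duplicate ballot
            rejected.append((voter_id, "duplicate"))
            continue
        seen.add(voter_id)
        counts[candidate] = counts.get(candidate, 0) + 1
    return counts, rejected


if __name__ == "__main__":
    keys = [keygen(p, q) for p, q in PARTY_PRIMES]
    avg, sent = average_salary_ring(SALARIES, keys)
    print("average:", avg, "Carol's salary recovered by Bob+Dave:", colluding_recovery(sent, 1))
```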
(3) Single Sign On (SSO)

Points for classroom discussions
1. What is Single Sign On (SSO)?
2. Why is SSO required?
3. What are the main ways of achieving SSO?
4. Discuss the working of Kerberos as an SSO protocol.

Functional and Technical Requirements
 The National Bank of India (NBI) has been a very successful bank in India for many years. To keep itself
tuned to the modern world, the bank started its computerization many years ago.
 Now, the bank has moved into the arena of Internet banking. The bank was into retail, corporate
and investment banking. All these services were moved to the Internet.
 Therefore, the bank's customers could access all the necessary banking services via the Internet.
 Within each category of services, the bank offered many individual applications.
 For instance, within the retail banking segment, the bank offered solutions in the areas of Internet
 This case study deals with the retail-banking segment only.
 Each of the applications within this segment for the bank works fine.
 Customers are very happy with the Internet account access facilities and with the provisions of
online bill payment and direct debits.
 They use these services quite frequently and with ease. This has caused more customers to opt for
Internet banking services of the bank.

However, a major concern has surfaced of late, which is described as follows.

 The applications within each segment work very fine. However, since the applications were
developed with an isolated design in mind, each application has its own user authentication model.
 That is, Internet account access, electronic bill payment and direct debit all maintain their own user
databases and the user has to log on to the particular application as and when she wants to access it.
 For instance, suppose that the user logs on to the electronic bill payment application and pays her
electricity bill. To check the effect of this payment on her bank account, the user is required to now
log on to the Internet account access module separately! This is quite annoying for the users, since
the bank hosts all the applications and the end users feel that they should not have to worry about
the internal design issues of the applications hosted by the bank. They should get a single
authentication module.
 In other words, once they log on to any one application (say Internet account access) using the id
and password, they should automatically be logged on to the other applications (i.e. electronic bill
payment and direct debit). It is quite tiring for them to have to remember three separate user ids and
passwords and use them during the application logons.
 Thus, the requirement is to group all the user logins into a single login and offer a single user id
and password for the bank users.
 A user should be able to log on to the bank's site using this id and password and once she is logged
on, she must not have to log on separately to access each of the applications.
 The applications should automatically detect that the user has already authenticated herself to one of
the applications and simply reuse the credentials of that authentication.

Clearly, this requirement calls for a Single Sign On (SSO) solution. SSO provides a
single authentication interface to end-users. Once a user logs on to one of the applications within a group of
applications successfully, she does not have to log on to other applications separately. The authentication

Proposed Solution

SSO solutions are based on one of two broad-level approaches:
(a) The script approach
(b) The agent approach.

We can choose either one. However, since the agent approach is considered more suitable for
Web-based applications, we shall use it here. As we know, an agent is a small program that runs on each of
the Web servers that host an application within the application framework. This agent helps coordinate the
SSO workflow in terms of user authentication and session handling.

The bank's applications run on Intel-based servers, on the Windows NT 4.0 operating system.
These applications are developed on Microsoft technology, using ASP 2.0 and SQL Server 6.0. The
Web server is Microsoft's Internet Information Server (IIS) 4.0. Microsoft Transaction Server (MTS)
is involved for transaction handling. However, the SSO requirement need not be concerned with it.

The broad-level solution architecture is depicted in Fig. 10.4. As we can see, the SSO architecture
contains two main pieces: the agents sitting on the Web servers and a dedicated SSO server. The purpose of
these two pieces is as follows:
account access, electronic bill payment, direct debits, etc. credentials of the user are simply picked up from the first log on and are reused by the other applications.
• Agents: An agent would intercept every HTTP request arriving at the Web server. There is one agent per the system. Accordingly, it will initiate the authentication process or will inform the agent to allow user to
Web server, which hosts an application. It interacts with the client browser on the user side and with the access the application, if the session is still valid.
SSO server on the application side.
• SSO server: The SSO server uses transient cookies to provide session management functionalities. A
cookie contains information such as the user id, session id, session creation time, session expiration time, (4) Secure Inter-branch Payment Transactions
etc.

Points for classroom discussions


Application Flow
1. What is the technology to achieve non-repudiation? How is this guaranteed?
2. How is the problem of key distribution resolved in PKI?
The application flow would be as follows:
3. Why are cryptographic toolkits required?
4. How can smart cards be used in cryptography?
1. For every HTTP request that is intercepted, the agent will look for the existence of a valid cookie.
There are two possibilities:
 General Bank Of India (GBI) has implemented an Electronic Payment System called as EPS in
(a) If the cookie is not found, it will initiate a challenge screen to allow the user to enter her
about 1200 branches across the country.
credentials. The credentials may be a simple user id/password or user id and digital certificate, depending
 This system transfers payment instructions between two computerized branches of GBI. A central
on the mechanism chosen for user authentication. The agent would receive these details entered by the user
server is maintained at the EPS office located in Mumbai. A typical payment transfer takes the following steps:
and forward them to the SSO server, which would validate them against the user database.
 The branch offices connect to the Local VSAT of a private network by using dial-up connection.
 The local VSAT has a connectivity established with the EPS office. GBI utilizes its proprietary 1. A data-entry person in the Payer Branch enters transaction details through the EPS interface.
If the user is authenticated successfully, the SSO server will respond back with a credential
messaging service called as GBI-Transfer to exchange payment instructions. 2. A Bank Officer checks the validity of the transaction through the EPS interface.
token. The agent may forward part of the token to the client browser as a cookie. The cookie may contain
 Currently, EPS has minimal data security. As the system operates in a closed network, the current 3. After validating the transaction, the Bank Officer authorizes the transaction. Authorized transaction is
basic information like session identifier, session expiry time, etc.
security infrastructure may suffice the need. The data moving across the network is in encrypted stored in a local Payment Master (PM) database.
format. 4. Once the transaction is stored in PM, a copy of the same is encrypted and stored in a file. This
(b) If the agent finds an existing cookie along with an intercepted HTTP request, it will
transaction file is stored in OUT directory.
request the SSO server to decrypt the same and determine whether:
Current EPS Architecture EPS is used to transmit payment details from the payer branch to the 5. The GBI-Transfer application looks for any pending transactions (i.e. for the presence of any files in the
• The user is already authenticated
payee branch via the central server in Mumbai. Fig. 10.5 depicts the flow, which is also described step-by- OUT directory) by a polling mechanism and if it finds such transactions, it sends all these files one-by-one
• The authentication is still valid
step. to the EPS central office located in Mumbai by dialing the local VSAT.
• The user can access the application associated with this agent
6. The local VSAT gets connectivity to the EPS central office and the transaction is transferred and
If the authentication has expired, it will ask the user to provide authentication details once again.
stored in the IN directory at the EPS central office.
7. The interface program at the EPS central office collects the file pending in the IN directory and sends it
2. The SSO server will receive authentication requests from the agents. It will then initiate a call to an
to the PM application at that office.
authentication ASP. This ASP will authenticate the user against the user database and return success or
8. In order to send the Credit Request to PM, the transaction headers are changed. The transaction with
failure.
changed headers in encrypted format is then placed in OUT directory of the EPS central office.
On successful authentication, the SSO server will build a credential token with some
9. The GBI-Transfer application at the EPS central office collects the transactions pending in the OUT
information and return the whole or part of this token to the agent. If the user is already authenticated and
directory and sends them to the Payee Bank through the VSAT.
the agent requests for verification, the SSO server will determine whether the user is allowed an access to

10. The transaction is transferred and stored in the IN directory of the Payee Branch. The architecture for the Payer Leg is shown in Fig. 10.6. As shown, after verifying the
11. The interface program at the Payee Branch collects the transaction and posts it in PM. transaction, the EPS Officer authorizes the transaction at the Payer Branch. Internally, the application
12. PM marks the credit entry and returns back an acknowledgement of the same. The acknowledgement is digitally signs the transaction. This signature, along with the transaction data is stored in the local PM
placed in OUT directory of the Payee Branch. Database and then encrypted and placed in the IN directory. For signature and encryption, a cryptographic
13. The acknowledgement is picked by GBI-Transfer at the Payee Branch and sent to the EPS central toolkit is required at the Payer Branch. The signed-and-encrypted transaction is sent to the EPS central
office through the VSAT. office in the same way as before.
14. The EPS central office receives the credit acknowledgement and forwards it to Payer Branch.
15. The Payer Branch receives the credit acknowledgement receipt. This completes the transaction.

Requirements to Enhance EPS

As GBI is in the process of complete automation and setting up connectivity over the Internet or a private
network, they need to ensure stringent security measures, which demand the usage of a Public Key
Infrastructure (PKI) framework. As a part of implementing security, GBI wants the following aspects to be
ensured:
• Non-repudiation (Digital Signatures)
• Encryption – 128-bit (Upgrade to the current 56-bit encryption)
• Smart card support for storing sensitive data & on-card digital signing
• Closed loop Public Key Infrastructure

Proposed Solution

Since providing cryptographic functionalities require the usage of a cryptographic toolkit, it is


assumed that GBI will implement an appropriate Certification Authority (CA) infrastructure and a PKI
infrastructure offering.
The encrypted file is decrypted at EPS central office. Before storing the transaction in the
The transaction will be digitally signed and encrypted/decrypted at the Payer and Payee
database, the digital signature is verified using an appropriate cryptographic toolkit. The verification In the Payee Leg, the PM software at the EPS central office will generate a Credit Request for the
branches, as well as at the EPS central office. The signing operation can be performed on the system or on
process may also check the status of the user’s digital certificate by either CRL or OCSP check. If the Payee Bank. This request will be digitally signed. The signature along with the Credit Request will be
external hardware like a smart card. On the server side, a provision of automated signing without any
status of the certificate is invalid, the transaction will be rejected, otherwise it will be stored in the local PM encrypted and sent to the Payee Branch.
manual intervention will be provided.
database.
On the Payee Leg, the EPS central office will create a Credit Request as before, sign and The Payee Branch will decrypt the Credit Request and verify the digital signature. If the
The transaction flow described earlier would now be split into two legs:
encrypt it with the bank officer’s digital certificate. This signed-and-encrypted request will be forwarded to signature is verified successfully, the transaction is entered into database. Otherwise, it gets rejected and
the Payee Branch. The flow is shown in Fig. 10.7. the status of the same is sent to EPS central Office. The Credit Response to the EPS central office can also
• The Payer Leg (Payer Branch to the EPS central office)
be digitally signed and encrypted in a similar fashion.
• The Payee Leg (EPS central office to the Payee Branch)
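Returning to the SSO agent and SSO server of case (3) above, the following is an added Python example of that application flow; it is not NBI's code. The page describes an encrypted transient cookie that the SSO server decrypts; this example instead carries the session claims in a cookie protected by an HMAC tag and keeps the session record on the SSO server, which is an assumption. The user database, the per-application access table, the key and the application names are all constructed for the demo.

```python
"""Added example (not NBI's code): an SSO agent and SSO server following the
application flow above.  The cookie carries session claims under an HMAC tag
(stand-in for the encrypted cookie the page describes); the SSO server keeps
the session record itself.  User database, access table, key and application
names are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user database: user id -> (salt, salted SHA-256 of the password).
USER_DB = {"alice": ("s1", _pw_hash("s1", "correct horse"))}
# Constructed authorization table: which applications each user may reach.
APP_ACL = {"alice": {"account-access", "bill-payment"}}


class SSOServer:
    """Validates credentials, issues credential tokens and answers the agents'
    verification requests (authenticate() plays the 'authentication ASP')."""

    def __init__(self, key: bytes, ttl: int = 900, clock=time.time):
        self._key, self._ttl, self._clock = key, ttl, clock
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def _tag(self, body: bytes) -> str:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def authenticate(self, user_id: str, password: str):
        """Check the credentials against the user database; return a credential
        token (session claims + HMAC tag) on success, None on failure."""
        rec = USER_DB.get(user_id)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _pw_hash(salt, password)):
            return None
        now = int(self._clock())
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user_id, "expires": now + self._ttl}
        body = json.dumps({"uid": user_id, "sid": sid, "iat": now,
                           "exp": now + self._ttl}, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._tag(body)

    def verify(self, token: str, app: str) -> str:
        """Answer an agent's question about a presented cookie:
        'ok', 'expired', 'forbidden' or 'invalid'."""
        try:
            b64, tag = token.split(".", 1)
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, TypeError):
            return "invalid"
        if not hmac.compare_digest(tag, self._tag(body)):
            return "invalid"          # forged or modified cookie
        claims = json.loads(body)
        sess = self._sessions.get(claims.get("sid"))
        if sess is None or sess["user"] != claims.get("uid"):
            return "invalid"          # no such session on the server
        if self._clock() >= sess["expires"]:
            self._sessions.pop(claims["sid"], None)
            return "expired"
        if app not in APP_ACL.get(claims["uid"], set()):
            return "forbidden"        # authenticated, but not for this application
        return "ok"


class Agent:
    """One agent per Web server; intercepts every request for its application.
    A request is a dict with an optional 'cookie' and optional 'credentials'."""

    def __init__(self, app: str, sso: SSOServer):
        self.app, self.sso = app, sso

    def handle(self, request: dict):
        """Return (action, cookie_to_set); action is 'allow', 'deny' or 'challenge'."""
        cookie = request.get("cookie")
        if cookie is not None:                      # possibility (b)
            status = self.sso.verify(cookie, self.app)
            if status == "ok":
                return ("allow", None)
            if status == "forbidden":
                return ("deny", None)
            # expired or invalid: fall through to a fresh challenge
        creds = request.get("credentials")          # possibility (a)
        if creds is None:
            return ("challenge", None)
        token = self.sso.authenticate(*creds)
        if token is None:
            return ("challenge", None)
        return ("allow", token)                     # agent sets the cookie
```

A login through the account-access agent yields a token that the bill-payment agent accepts without a second logon; the same token is refused by an agent for an application the user is not entitled to, after its expiry, and after any modification to its contents, each of which sends the user back to the challenge screen.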
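The Payer Leg just described, from officer authorization at the Payer Branch to signature verification and the certificate status check at the EPS central office, as an added Python example; it is not GBI's EPS code. The RSA key pair (two Mersenne primes, far too small for real use), the HMAC-based stream cipher standing in for the required 128-bit cipher, the link key, the certificate serial numbers and the revocation list are all constructed stand-ins for a real cryptographic toolkit and CA.

```python
"""Added example (not GBI's EPS code): the Payer Leg, sign-then-encrypt at the
branch, decrypt-verify-check-store at the EPS central office.  Every key,
serial and the revocation list are constructed stand-ins."""
import hashlib
import hmac
import json
import secrets

# Constructed toy RSA key pair for the authorizing Bank Officer.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
OFFICER_N = _P * _Q
OFFICER_E = 65537
OFFICER_D = pow(OFFICER_E, -1, (_P - 1) * (_Q - 1))
OFFICER_SERIAL = "OFFICER-0001"            # placeholder certificate serial
REVOKED_SERIALS = {"OFFICER-0002"}         # stands in for a CRL / OCSP answer
LINK_KEY = b"payer-leg-link-key-demo"      # constructed branch<->office key


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % OFFICER_N


def sign(data: bytes) -> int:
    """Officer's private key over the SHA-256 digest (textbook RSA, toy size)."""
    return pow(_digest(data), OFFICER_D, OFFICER_N)


def verify(data: bytes, sig: int) -> bool:
    return pow(sig, OFFICER_E, OFFICER_N) == _digest(data)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a fresh nonce per file keeps
    the stream from ever being reused."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes itself


def _signed_part(serial: str, txn: dict) -> bytes:
    """What the signature covers: the transaction and the signer's serial."""
    return json.dumps({"serial": serial, "txn": txn}, sort_keys=True).encode()


def payer_branch_authorize(txn: dict, serial: str = OFFICER_SERIAL) -> bytes:
    """Payer Branch: the officer authorizes, the application signs, and the
    signed record is encrypted into the file that goes to the OUT directory."""
    record = {"serial": serial, "txn": txn, "sig": str(sign(_signed_part(serial, txn)))}
    nonce = secrets.token_bytes(16)
    return nonce + encrypt(LINK_KEY, nonce, json.dumps(record, sort_keys=True).encode())


def central_office_receive(blob: bytes, pm_db: list) -> str:
    """EPS central office: decrypt, verify the signature, check the certificate
    status, and store in PM only if every check passes."""
    nonce, ct = blob[:16], blob[16:]
    try:
        record = json.loads(decrypt(LINK_KEY, nonce, ct))
        serial, txn, sig = record["serial"], record["txn"], int(record["sig"])
    except (ValueError, KeyError, TypeError):
        return "rejected: undecodable"
    if not verify(_signed_part(serial, txn), sig):
        return "rejected: bad signature"
    if serial in REVOKED_SERIALS:
        return "rejected: certificate revoked"
    pm_db.append(txn)
    return "stored"


def demo() -> list:
    """Run the leg honestly, then with a tampered amount, a revoked certificate
    and an undecodable file; return the central office's verdicts in order."""
    pm_db, txn = [], {"payer": "BR001", "payee": "BR777", "amount": 1500, "ref": "T-1"}
    verdicts = [central_office_receive(payer_branch_authorize(txn), pm_db)]
    # Re-encrypt a record whose amount was changed after signing.
    blob = payer_branch_authorize(txn)
    nonce, ct = blob[:16], blob[16:]
    record = json.loads(decrypt(LINK_KEY, nonce, ct))
    record["txn"]["amount"] = 15000
    tampered = nonce + encrypt(LINK_KEY, nonce, json.dumps(record, sort_keys=True).encode())
    verdicts.append(central_office_receive(tampered, pm_db))
    verdicts.append(central_office_receive(payer_branch_authorize(txn, "OFFICER-0002"), pm_db))
    verdicts.append(central_office_receive(b"\x00" * 40, pm_db))
    return verdicts
```

The signature is computed over the transaction together with the signer's certificate serial, so the revocation check is tied to the key that actually signed; a changed amount, a revoked signer and an unreadable file are all rejected before anything reaches the PM database, which is the property the Payer Leg is meant to provide.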

(5) Cross Site Scripting Vulnerability (CSSV)

Points for classroom discussions
1. What is the purpose of scripting technologies on the Internet?
2. What can prevent CSSV attacks?
3. What sort of testing can the creators of a Web site perform in order to guard against possible CSSV attacks?

• Cross Site Scripting Vulnerability (CSSV) is a relatively new form of attack that exploits inadequate validation on the server side.
• The term Cross Site Scripting Vulnerability (CSSV) is actually not completely correct. However, this term was coined when the problem was not completely understood and has stuck ever since. Cross-site scripting happens when malicious tags and/or scripts attack a Web browser via another site's dynamically generated Web pages.
• The attacker's target is not a Web site, but rather its users (i.e. clients or browsers).
• The idea of CSSV is quite simple to understand and is based on exploiting scripting technologies, such as JavaScript, VBScript or JScript.
• Let us understand how this works. Consider the Web page containing a form shown in Fig. 10.9, in which the user is expected to enter her postal address. Suppose that the URL of the site sending this page is www.test.com and that when the user submits this form, it is processed by a server-side program called address.asp. We would typically expect the user to enter the house number, street name, city, postal code and country, etc.

Fig. 10.9 Sample HTML form

However, imagine that the user enters the following weird string instead:

<SCRIPT>Hello World</SCRIPT>

As a result, the URL submitted would be something like www.test.com/address.asp?address=<SCRIPT>Hello World</SCRIPT>.

Now suppose that the server-side program address.asp does not validate the input sent by the user and simply sends the value of the field address to the next Web page. What would this translate to? It would mean that the next Web page would receive the value of address as <SCRIPT>Hello World</SCRIPT>. As we know, the browser would most likely treat the value of the address field as a script, which would be executed as if it were written in a scripting language such as JavaScript. Therefore, the user would get to see Hello World.

Obviously, no serious damage is done. However, extrapolate this possibility to other situations where a user can actually send damaging scripts to the server. This can cause the same or another client to receive a Web page whose contents/look-and-feel are changed. In a more damaging case, the confidential information entered by a user could also be captured and sent to another user, and so on. How can this be done?
• When a JavaScript program gets downloaded to a browser through a CSSV attack, the JavaScript, in turn, can call up the services of an ActiveX control.
• An ActiveX control is a small program that gets downloaded from the server to the client and executes on the client.
• The ActiveX control can write to the disk or read from it and perform many such tasks.
• Once downloaded to the client via the malicious JavaScript call, the ActiveX control can therefore do real damage in this case.
• The chief measure to protect against these attacks is to validate all the input fields for tags that look suspicious (e.g. <, >, SCRIPT, APPLET, OBJECT, etc.).
• The server-side program should not trust a browser-based user to enter data with only good intention.
• It can very well be malicious, causing damage to other clients.
• One can test for CSSV on any Web site by simply trying to enter scripts or script-like tags in the input areas, such as text boxes.
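The address.asp behaviour described above, first as the text describes it (the field value copied into the next page untouched) and then hardened with the server-side validation the page recommends plus HTML-escaping of whatever is echoed, as an added Python example; it is not the page's own address.asp, and the URL, field name and skeleton page are taken from or modelled on the text.

```python
"""Added example (not the page's address.asp): the reflecting step of the
address form, unvalidated and then hardened.  The request URL and the
<SCRIPT>Hello World</SCRIPT> input are the page's own sample values."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# The tags the page lists as suspicious, plus the angle brackets themselves.
_SUSPICIOUS = re.compile(r"<|>|\bSCRIPT\b|\bAPPLET\b|\bOBJECT\b", re.IGNORECASE)


def address_from_url(url: str) -> str:
    """Pull the 'address' query parameter out of the submitted URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("address", [""])[0]


def vulnerable_page(address: str) -> str:
    """address.asp as the text describes it: the value is copied into the next
    page untouched, so a <SCRIPT> tag reaches the browser as markup."""
    return "<html><body>Your address: " + address + "</body></html>"


def validate_address(address: str) -> bool:
    """Server-side check the page recommends: refuse input carrying tags."""
    return _SUSPICIOUS.search(address) is None


def hardened_page(address: str) -> str:
    """Reject suspicious input, and HTML-escape whatever is echoed so that the
    browser renders it as text instead of interpreting it as markup."""
    if not validate_address(address):
        return "<html><body>Invalid address.</body></html>"
    return ("<html><body>Your address: "
            + html.escape(address, quote=True) + "</body></html>")
```

Running the page's sample request through both versions shows the difference: the vulnerable page carries the `<SCRIPT>` element verbatim, while the hardened page refuses it. The tag blocklist is the measure the page names; the `html.escape` step is the dependable layer, because it neutralises any `<`, `>`, `&` or quote that slips past a pattern list (a street name containing "Script", for example, would be rejected by the blocklist but rendered harmlessly by escaping alone).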
