Unit II

The document provides an overview of integrity checks and authentication algorithms, focusing on MD5 and SHA algorithms. It discusses the workings, advantages, and disadvantages of MD5, highlighting its vulnerability to collision attacks, and contrasts it with SHA, which is deemed more secure. Additionally, it covers digital signatures, authentication protocols like Kerberos and OAuth2, and the Digital Signature Standard (DSS) for electronic document authentication.

INTEGRITY CHECKS AND AUTHENTICATION ALGORITHMS

Introduction to MD5 Algorithm

The MD5 message-digest algorithm is the fifth version of the Message-Digest Algorithm developed by Ron Rivest to produce a 128-bit message digest. MD5 is faster than the earlier versions of the message digest. It processes the plaintext in 512-bit blocks, each of which is divided into 16 words of 32 bits, and produces a 128-bit message digest consisting of four 32-bit words. MD5 produces the digest in five steps: padding, appending the length, dividing the input into 512-bit blocks, initialising the chaining variables, and processing each block in 4 rounds, using a different constant in each iteration.

Use of MD5 Algorithm

It was developed with the main motive of security, as it takes an input of any size and produces an output of a 128-bit hash value. To be considered cryptographically secure, MD5 should meet two requirements:

1. It should be impossible to generate two different inputs that produce the same hash value.
2. It should be impossible, given a hash value, to generate a message that produces it.

Initially, MD5 was developed to store a one-way hash of a password, and some file servers also provide a pre-computed MD5 checksum of a file so that the user can compare the checksum of the downloaded file against it. Most Unix-based operating systems include MD5 checksum utilities in their distribution packages.

Working of MD5

MD5 produces an output of a 128-bit hash value. Hashing an input of any size into this value takes 5 steps, and each step has its predefined task.

Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize MD buffer
Step 4: Process the message in 16-word blocks

Advantages and Disadvantages of MD5 Algorithm

Below are the advantages and disadvantages explained:

• MD5 is useful because it is easier to compare and store these smaller hashes than to store a large variable-length text. It is a widely used algorithm for one-way hashes, used to verify a value without necessarily revealing the original value. Unix systems use the MD5 algorithm to store the passwords of users in a 128-bit hashed format. MD5 is widely used to check the integrity of files.

• Moreover, it is very easy to generate a message digest of the original message using this algorithm. It can compute the message digest of a message having any number of bits; it is not limited to messages whose length is a multiple of 8, unlike md5sum, which is limited to octets.

• But for many years MD5 has been prone to a hash collision weakness, i.e. it is possible to produce the same hash value for two different inputs. MD5 provides no security against these collision attacks. Instead of MD5, SHA (Secure Hash Algorithm, which produces a 160-bit message digest and was designed by the NSA to be part of the digital signature algorithm) is now accepted in the cryptographic field for generating hash values, as it is not easy to produce a SHA-1 collision and, so far, no collision has been produced.

• Moreover, MD5 is quite slow compared to the optimized SHA algorithm. SHA is much more secure than the MD5 algorithm, and it can be implemented in existing technology at higher rates, unlike MD5. Nowadays, new hashing algorithms are coming onto the market with higher security of data in mind, such as SHA-256 (which generates a 256-bit signature of a text).

Conclusion

Nowadays, with all data being stored on the cloud and the internet, it is essential to give data security the utmost priority. The most secure algorithm should be adopted to protect private data. Recent studies show that the SHA algorithm should be given paramount importance over MD5, as MD5 is more vulnerable to collision attacks. However, researchers are proposing new algorithms that are secure and least vulnerable to attacks, like SHA-256.

Introduction to SHA

SHA stands for Secure Hash Algorithm. SHA is a modified version of MD5 and is used for hashing data and certificates.

A hashing algorithm shortens the input data into a smaller form that cannot be understood, using bitwise operations, modular additions, and compression functions. You may be wondering: can hashing be cracked or decrypted?

Hashing is similar to encryption; the only difference between hashing and encryption is that hashing is one-way, meaning that once the data is hashed, the resulting hash digest cannot be cracked unless a brute-force attack is used. See the image below for the working of the SHA algorithm.

SHA works in such a way that even if a single character of the message is changed, it will generate a different hash. For example, the hashes of two similar but different messages, "Heaven" and "heaven", are different, even though the only difference is a capital versus a small letter.

SHAs also help reveal whether an original message was changed in any way. By referencing the original hash digest, a user can tell if even a single letter has been changed, as the hash digests will be completely different. One of the most important properties of SHAs is that they are deterministic. This means that as long as the hash function used is known, any computer or user can recreate the hash digest. The determinism of SHAs is one of the reasons every SSL certificate on the Internet is required to have been hashed with a SHA-2 function.

What SHA is used for and Why

As previously mentioned, Secure Hash Algorithms are required in all digital signatures and certificates relating to SSL/TLS connections, but there are more uses for SHAs as well. Applications such as SSH, S/MIME (Secure/Multipurpose Internet Mail Extensions), and IPsec utilize SHAs too. SHAs are also used to hash passwords so that the server only needs to store hashes rather than passwords. In this way, if an attacker steals the database containing all the hashes, they would not have direct access to all of the plaintext passwords; they would also need to find a way to crack the hashes to be able to use the passwords. SHAs can also work as indicators of a file's integrity. If a file has been changed in transit, the resulting hash digest created from the hash function will not match the hash digest originally created and sent by the file's owner.
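The two properties used above, measured rather than asserted, as an added example that is not part of the original notes: how many digest bits actually change between "Heaven" and "heaven" under MD5, SHA-1 and SHA-256, and an integrity check that recomputes a digest and compares it with the owner's published value in constant time. The "file" contents and published checksum are constructed.

```python
"""Avalanche behaviour and file-integrity checking with the SHA family (stdlib only)."""
import hashlib
import hmac


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(data_a: bytes, data_b: bytes, algorithm: str = "sha256") -> int:
    """Number of bit positions that differ between the digests of the two inputs.

    For a well-behaved hash roughly half of the output bits change when the
    input changes by even one bit, so a one-letter edit such as Heaven -> heaven
    yields a digest that looks unrelated to the original."""
    digest_a = hashlib.new(algorithm, data_a).digest()
    digest_b = hashlib.new(algorithm, data_b).digest()
    xor = int.from_bytes(digest_a, "big") ^ int.from_bytes(digest_b, "big")
    return bin(xor).count("1")


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of the received data and compare it with the digest the
    file's owner published. hmac.compare_digest takes the same time whether the
    first or the last character differs, so the comparison itself leaks nothing."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        total_bits = hashlib.new(name).digest_size * 8
        changed = differing_bits(b"Heaven", b"heaven", name)
        print(f"{name:7s} {changed:3d} of {total_bits} digest bits differ")
    # Constructed sample: the bytes of a download and the checksum its owner published.
    original = b"release-1.0.tar.gz contents"
    published = digest_hex(original, "sha256")
    print("intact file verifies:", verify_integrity(original, published))
    print("altered file verifies:", verify_integrity(original + b" (tampered)", published))
```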

Let's see the differences between MD5 and SHA1, which are given below:

S.NO | MD5 | SHA1
1. | MD5 stands for Message Digest. | SHA1 stands for Secure Hash Algorithm.
2. | MD5 produces a message digest of 128 bits in length. | SHA1 produces a message digest of 160 bits in length.
3. | The speed of MD5 is fast in comparison to SHA1's speed. | The speed of SHA1 is slow in comparison to MD5's speed.
4. | To recover the original message from an MD5 digest, an attacker would need 2^128 operations. | In SHA1 it would take 2^160 operations, which makes it quite hard to find.
5. | MD5 is simpler than SHA1. | SHA1 is more complex than MD5.
6. | MD5 provides poor security. | SHA1 provides balanced or tolerable security.
7. | In MD5, if the attacker wants to find two messages having an identical message digest, the attacker would need to perform 2^64 operations. | In SHA1, the attacker would need to perform 2^80 operations, which is greater than MD5.
8. | MD5 was presented in the year 1992. | SHA1 was presented in the year 1995.

What is a digital signature?


A digital signature—a type of electronic signature—is a mathematical algorithm
routinely used to validate the authenticity and integrity of a message (e.g., an
email, a credit card transaction, or a digital document). Digital signatures create
a virtual fingerprint that is unique to a person or entity and are used to identify
users and protect information in digital messages or documents. In emails, the
email content itself becomes part of the digital signature. Digital signatures are
significantly more secure than other forms of electronic signatures.

Why would you use a digital signature?


Digital signatures increase the transparency of online interactions and
develop trust between customers, business partners, and vendors.

How do digital signatures work?

Familiarize yourself with the following terms to better understand how digital signatures work:

• Hash function – A hash function produces a fixed-length string of numbers and letters (also called a "hash") from a mathematical algorithm and an arbitrarily sized file such as an email, document, picture, or other type of data. This generated string is unique to the file being hashed, and the function is one-way: a computed hash cannot be reversed to find other files that may generate the same hash value. Some of the more popular hashing algorithms in use today are Secure Hash Algorithm-1 (SHA-1), the Secure Hash Algorithm-2 family (SHA-2 and SHA-256), and Message Digest 5 (MD5).
• Public key cryptography – Public key cryptography (also known as asymmetric encryption) is a cryptographic method that uses a key pair system. One key, called the public key, encrypts the data. The other key, called the private key, decrypts the data. Public key cryptography can be used in several ways to ensure confidentiality, integrity, and authenticity. Public key cryptography can:
  o Ensure integrity by creating a digital signature of the message using the sender's private key. This is done by hashing the message and encrypting the hash value with the sender's private key. By doing this, any change to the message will result in a different hash value.
  o Ensure confidentiality by encrypting the entire message with the recipient's public key. This means that only the recipient, who is in possession of the corresponding private key, can read the message.
  o Verify the user's identity using the public key and checking it against a certificate authority.
• Public key infrastructure (PKI) – PKI consists of the policies, standards, people, and systems that support the distribution of public keys and the identity validation of individuals or entities with digital certificates and a certificate authority.
• Certificate authority (CA) – A CA is a trusted third party that validates a person's identity and either generates a public/private key pair on their behalf or associates an existing public key provided by the person with that person. Once a CA validates someone's identity, it issues a digital certificate that is digitally signed by the CA. The digital certificate can then be used to verify a person associated with a public key when requested.
• Digital certificates – Digital certificates are analogous to driver licenses in that their purpose is to identify the holder of a certificate. Digital certificates contain the public key of the individual or organization and are digitally signed by a CA. Other information about the organization, individual, and CA can be included in the certificate as well.
• Pretty Good Privacy (PGP)/OpenPGP – PGP/OpenPGP is an alternative to PKI. With PGP/OpenPGP, users "trust" other users by signing certificates of people with verifiable identities. The more interconnected these signatures are, the higher the likelihood of verifying a particular user on the internet. This concept is called the "Web of Trust."

Digital signatures work by proving that a digital message or document was not
modified—intentionally or unintentionally—from the time it was signed.
Digital signatures do this by generating a unique hash of the message or
document and encrypting it using the sender’s private key. The hash generated
is unique to the message or document, and changing any part of it will
completely change the hash.
Once completed, the message or digital document is digitally signed and sent to
the recipient. The recipient then generates their own hash of the message or
digital document and decrypts the sender’s hash (included in the original
message) using the sender’s public key. The recipient compares the hash they
generate against the sender’s decrypted hash; if they match, the message or
digital document has not been modified and the sender is authenticated.

What are authentication protocols?


An authentication protocol allows the receiving party (such as a server) to verify
the identity of another party (such as a person using a mobile device to log in).
Almost every single computer system uses some kind of network authentication
to verify users.
As more critical information is stored electronically, and as hackers become
more and more adept at theft, authentication becomes more important. Without
it, losses can be significant. For example, Deloitte experienced a data breach in
2017 that exposed client email (including some tied to government agencies).
Authentication may never keep your information perfectly secure. But it can
make theft harder to accomplish. Hackers may move to a different target if your
servers are too difficult to penetrate.

TYPES OF AUTHENTICATION PROTOCOLS:

1. Kerberos:
Kerberos is a protocol that aids in network authentication. It is used for validating clients and servers across a network by employing cryptographic keys. It is designed to provide strong authentication for client/server applications. The reference implementation of the Kerberos protocol is openly available from MIT and is used in many mass-produced products.
Some advantages of Kerberos:
• It supports various operating systems.
• The authentication key is shared much more efficiently than with public sharing.
Some disadvantages of Kerberos:
• It is used only to authenticate clients and the services used by them.
• It is vulnerable to soft or weak passwords.

2. Lightweight Directory Access Protocol (LDAP):
LDAP stands for Lightweight Directory Access Protocol. It is a protocol used for locating individuals, organizations, and other devices across a network, regardless of whether that is the public internet or a corporate network. It is offered as Directory-as-a-Service and is the foundation on which Microsoft built Active Directory.
Some advantages of LDAP:
• It is an automated protocol, which makes modernizing easier.
• It supports existing technologies and allows multiple directories.
Some disadvantages of LDAP:
• It requires deployment experience.
• The directory servers are required to be LDAP-compliant for deployment.

3. OAuth2:
OAuth, as the name suggests, is an authorization framework that grants limited access to a user's account through an HTTP service. When a user requests access to resources, an API call is made and, after authentication, a token is passed.
Some advantages of OAuth2:
• It is a simple protocol and is easy to implement.
• It provides server-side authorization of code.
Some disadvantages of OAuth2:
• It is vulnerable when managing different sets of code.
• A compromise has serious effects on sites connected to the affected system.

4. SAML:
SAML stands for Security Assertion Markup Language. It is an XML-based authentication data format which provides authorization between an identity provider and a service provider. It is a product of the OASIS Security Services Technical Committee.
Some advantages of SAML:
• It reduces administrative costs for end-users.
• It provides single sign-on for authenticating across service providers.
Some disadvantages of SAML:
• It is dependent on the identity provider.
• All the data is managed in a single XML format.

5. RADIUS:
RADIUS stands for Remote Authentication Dial-In User Service. It is a network protocol that provides centralized Authentication, Authorization, and Accounting for users of network services. The protocol operates when a user requests access to network resources: the RADIUS server encrypts the credentials entered by the user, after which the credentials are checked against the local database and access is granted.
Some advantages of RADIUS:
• It is a great mechanism for providing multiple access levels for admins.
• It provides a unique identity to each user in a session.
Some disadvantages of RADIUS:
• Initial implementation of this mechanism is hard on hardware.
• It has a variety of models that may require a special team, which is costly.

DIGITAL SIGNATURE STANDARD (DSS)

The Digital Signature Standard (DSS) is a Federal Information Processing Standard (FIPS) which defines algorithms used to generate digital signatures with the help of the Secure Hash Algorithm (SHA) for the authentication of electronic documents. DSS only provides us with the digital signature function and not with any encryption or key exchange strategies.

Sender Side:
In the DSS approach, a hash code is generated from the message and the following inputs are given to the signature function:
1. The hash code.
2. The random number 'k' generated for that particular signature.
3. The private key of the sender, i.e. PR(a).
4. A global public key (which is a set of parameters for the communicating principals), i.e. PU(g).
These inputs to the function provide us with the output signature containing two components, 's' and 'r'. The original message concatenated with the signature is then sent to the receiver.

Receiver Side:
At the receiver end, verification of the sender is done. The hash code of the sent message is generated. There is a verification function which takes the following inputs:
1. The hash code generated by the receiver.
2. Signature components 's' and 'r'.
3. Public key of the sender.
4. Global public key.
The output of the verification function is compared with the signature component 'r'. Both values will match if the sent signature is valid, because only the sender, with the help of its private key, can generate a valid signature.
What Is the DSA Algorithm?

The Digital Signature Algorithm is a FIPS (Federal Information Processing Standard) for digital signatures. It was proposed in 1991 and globally standardized in 1994 by the National Institute of Standards and Technology (NIST). It is built on modular exponentiation and the discrete logarithm problem, which are difficult to compute by brute force.

The DSA algorithm provides three benefits, which are as follows:

• Message Authentication: You can verify the origin of the sender using the right key combination.
• Integrity Verification: You cannot tamper with the message, since that will prevent the bundle from being decrypted altogether.
• Non-repudiation: The sender cannot claim they never sent the message if the signature verifies.

The image above shows the entire procedure of the DSA algorithm. You will use two different functions here, a signing function and a verification function. The difference between the image of a typical digital signature verification process and the one above is the encryption and decryption part. They have distinct parameters, which you will look into in the next section of this lesson on the DSA algorithm.

Steps in DSA Algorithm

Keeping the image above in mind, go ahead and see how the entire process works, starting from creating the key pair to verifying the signature at the end.

1. Key Generation

• You first choose a prime number q, which is known as the prime divisor.
• Another prime number, p, is chosen such that (p-1) mod q = 0.
• Choose an integer g (1 < g < p) satisfying the two conditions g**q mod p = 1 and g = h**((p-1)/q) mod p.
• x is our private key, and it is a random integer such that 0 < x < q.
• y is our public key, and you can calculate it as y = g**x mod p.
• Now the private key package is {p, q, g, x}.
• The public key package is {p, q, g, y}.

2. Signature Generation

• Pass the original message (M) through the hash function (H#) to get the hash digest (h).
• Pass the digest as input to a signing function, whose purpose is to give two variables as output, s and r.
• Apart from the digest, you also use a random integer k such that 0 < k < q.
• To calculate the value of r, you use the formula r = (g**k mod p) mod q.
• To calculate the value of s, you use the formula s = (k**-1 (h + x . r)) mod q.
• The signature is then packaged as {r, s}.
• The entire bundle of the message and signature {M, r, s} is sent to the receiver.

3. Signature Verification

• You use the same hash function (H#) to generate the digest h.
• You then pass this digest to the verification function, which needs other variables as parameters too.
• Compute the value of w such that s*w mod q = 1.
• Calculate the value of u1 from the formula u1 = h*w mod q.
• Calculate the value of u2 from the formula u2 = r*w mod q.
• The final verification component v is calculated as v = ((g**u1 . y**u2) mod p) mod q.
• Compare the value of v to the value of r received in the bundle.
• If they match, the signature verification is complete.

Having understood the functionality of the DSA algorithm, you must know the advantages this algorithm offers over alternative standards like the RSA algorithm.

AUTHENTICATION APPLICATIONS

1. KERBEROS
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an Authentication Server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.
The main components of Kerberos are:

• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the Ticket Granting Service.

• Database:
The Authentication Server verifies the access rights of users in the database.

• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.

Kerberos Overview:

• Step 1:
The user logs in and requests services on the host. Thus the user requests the ticket-granting service.
• Step 2:
The Authentication Server verifies the user's access rights using the database and then issues a ticket-granting ticket and a session key. The results are encrypted using the user's password.
• Step 3:
The message is decrypted using the password, and the ticket is then sent to the Ticket Granting Server. The ticket contains authenticators like user names and network addresses.
• Step 4:
The Ticket Granting Server decrypts the ticket sent by the user, the authenticator verifies the request, and the TGS then creates the ticket for requesting services from the Server.
• Step 5:
The user sends the ticket and authenticator to the Server.
• Step 6:
The server verifies the ticket and authenticators, then grants access to the service. After this the user can access the services.

Kerberos Limitations

• Each network service must be modified individually for use with Kerberos.
• It doesn't work well in a timeshare environment.
• It requires a secured Kerberos server.
• It requires an always-on Kerberos server.
• All passwords are stored encrypted with a single key.
• It assumes workstations are secure.
• It may result in cascading loss of trust.
• Scalability.

Is Kerberos Infallible?

No security measure is 100% impregnable, and Kerberos is no exception. Because it's been around for so long, hackers have had the ability over the years to find ways around it, typically through forging tickets, repeated attempts at password guessing (brute force/credential stuffing), and the use of malware to downgrade the encryption.
Despite this, Kerberos remains the best access security protocol available today. The protocol is flexible enough to employ stronger encryption algorithms to combat new threats, and if users employ good password-choice guidelines, you shouldn't have a problem!

What is Kerberos Used For?

Although Kerberos can be found everywhere in the digital world, it is commonly used in secure systems that rely on robust authentication and auditing capabilities. Kerberos is used for POSIX, Active Directory, NFS, and Samba authentication. It is also an alternative authentication system to SSH, POP, and SMTP.

2. X.509 Authentication Service

X.509 is a digital certificate format built on a widely trusted standard, the ITU (International Telecommunication Union) X.509 standard, in which the format of PKI certificates is defined. X.509 digital certificates form a certificate-based authentication security framework that can be used for providing secure transaction processing and protecting private information. They are primarily used for handling security and identity in computer networking and internet-based communications.

Working of X.509 Authentication Service Certificate:
The core of the X.509 authentication service is the public key certificate associated with each user. These user certificates are assumed to be produced by some trusted certification authority and placed in the directory by the user or the certification authority. The directory servers are only used to provide an easily reachable location from which all users can acquire certificates. The X.509 standard is built on an IDL known as ASN.1. With the help of Abstract Syntax Notation, the X.509 certificate format uses an associated public and private key pair for encrypting and decrypting a message.
Once an X.509 certificate is issued to a user by the certification authority, that certificate is attached to the user like an identity card. The chances of someone stealing or losing it are lower than with unsecured passwords. With the help of this analogy, it is easier to imagine how this authentication works: the certificate is presented like an identity card at the resource that requires authentication.

Format of X.509 Authentication Service Certificate:

Generally, the certificate includes the elements given below:
• Version number: Defines the X.509 version that applies to the certificate.
• Serial number: The unique number that the certification authority issues.
• Signature Algorithm Identifier: The algorithm used for signing the certificate.
• Issuer name: The X.500 name of the certification authority which signed and created the certificate.
• Period of Validity: The period for which the certificate is valid.
• Subject Name: The name of the user to whom this certificate has been issued.
• Subject's public key information: The subject's public key along with an identifier of the algorithm for which this key is to be used.
• Extension block: Additional standard information.
• Signature: The hash code of all other fields, encrypted with the certification authority's private key.

Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some of which are given below:
• Document signing and digital signatures
• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
• Digital identities

ELECTRONIC MAIL SECURITY

Email security is a term for describing different procedures and techniques for protecting email accounts, content, and communication against unauthorized access, loss or compromise. Email is often used to spread malware, spam and phishing attacks. Attackers use deceptive messages to entice recipients to part with sensitive information, open attachments or click on hyperlinks that install malware on the victim's device. Email is also a common entry point for attackers looking to gain a foothold in an enterprise network and obtain valuable company data.

Email encryption involves encrypting, or disguising, the content of email messages to protect potentially sensitive information from being read by anyone other than the intended recipients. Email encryption often includes authentication.

How Secure Is Email?

Email was designed to be as open and accessible as possible. It allows people in organizations to communicate with each other and with people in other organizations. The problem is that the security of email, on its own, is not reliable. This allows attackers to use email as a way to cause problems in an attempt to profit. Whether through spam campaigns, malware and phishing attacks, sophisticated targeted attacks, or business email compromise (BEC), attackers try to take advantage of the lack of security of email to carry out their actions. Since most organizations rely on email to do business, attackers exploit email in an attempt to steal sensitive information.

Because email is an open format, it can be viewed by anyone who can intercept it, causing email security concerns. This became an issue as organizations began sending confidential or sensitive information through email. An attacker could easily read the contents of an email by intercepting it. Over the years, organizations have been increasing email security measures to make it harder for attackers to get their hands on sensitive or confidential information.

Email Security Tools

A secure email gateway, deployed either on-premises or in the cloud, should increase the security of email by offering multi-layered protection from unwanted, malicious and BEC email; granular visibility; and business continuity for organizations of all sizes. These controls enable security teams to have confidence that they can secure users from email threats and maintain email communications in the event of an outage.

An email encryption solution reduces the risks associated with regulatory violations, data loss and corporate policy violations while enabling essential business communications. The email security solution should work for any organization that needs to protect sensitive data, while still making it readily available to affiliates, business partners and users, on both desktops and mobile devices. An email encryption solution is especially important for organizations required to follow compliance regulations, like GDPR, HIPAA or SOX, or abide by security standards like PCI-DSS.

PGP
o PGP stands for Pretty Good Privacy. It was created by Phil Zimmermann.
o PGP was designed to provide all four aspects of security, i.e., privacy
(confidentiality), integrity, authentication, and non-repudiation, when
sending email.
o PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation. It
uses a combination of secret key (symmetric) encryption and public key
encryption to provide privacy. Taken together, one secured message
therefore involves one hash function, one one-time secret (session) key,
and two public-private key pairs: the sender's pair for signing and the
receiver's pair for protecting the session key.
o PGP is freely available software; the OpenPGP standard that grew out of it
has open source implementations.
o PGP provides authentication through the use of a digital signature.
o It provides confidentiality through the use of symmetric encryption under a
one-time session key.
o It provides compression by using the ZIP (DEFLATE) algorithm, and email
compatibility using the radix-64 (base64) encoding scheme, which turns the
binary output into text that can pass through 7-bit mail systems.

Following are the steps taken by PGP to create secure e-mail at the sender site:

o The e-mail message is hashed by using a hash function to create a digest.
o The digest is encrypted (signed) with the sender's private key to form a
signed digest, and the signed digest is appended to the original message.
o The original message together with the signed digest is encrypted by using
a one-time secret (session) key generated by the sender. (In practice PGP
compresses the signed message before this step, as noted above.)
o The one-time secret key is encrypted by using the receiver's public key.
o The encrypted secret key and the encrypted combination of message and
signed digest are sent together, radix-64 encoded for email transport.

Following are the steps taken by PGP at the receiver site, using hashing and the
same three keys, to recover and verify the original message:

o The receiver receives the encrypted one-time secret key together with the
encrypted combination of message and signed digest.
o The encrypted secret key is decrypted by using the receiver's private key
to recover the one-time secret key.
o The secret key is then used to decrypt the combination of message and
signed digest.
o The signed digest is decrypted (verified) by using the sender's public key,
and the recovered message is hashed with the same hash function to produce
a fresh digest.
o The two digests are compared. If they are equal, the message is intact and
came from the holder of the sender's private key, so all four aspects of
security are preserved; if they differ, the message must be rejected.
Disadvantages of PGP Encryption

o Administration is difficult: the different versions of PGP complicate
administration.
o Compatibility issues: both the sender and the receiver must have
compatible versions of PGP. For example, if a message is encrypted with an
algorithm that the receiver's older version of PGP does not support, the
receiver cannot read it.
o Complexity: PGP is a complex scheme. Other security schemes use either
symmetric encryption with one shared key or asymmetric encryption with a
key pair. PGP uses a hybrid approach: symmetric encryption of the message
under a one-time session key, with that session key protected by the
receiver's public key and the message signed by the sender's private key.
This makes PGP more complex, and less familiar, than the traditional
symmetric or asymmetric methods on their own.
o No recovery: administrators are used to recovering lost passwords, for
example by using a special tool on a PC to which a technician has physical
access. PGP offers no such recovery mechanism; because the encryption is
strong, a forgotten passphrase for a private key means the messages or
files encrypted to that key are lost.

What is S/MIME?
S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It is a
standard for public-key encryption and digital signing of MIME data (i.e. email
messages): signing lets the recipient verify the sender's identity and the
integrity of the message, and encryption keeps its contents confidential. With
S/MIME, it is possible to send and receive both signed and encrypted emails.

S/MIME has been around for a long while, long enough that Microsoft files its
help article for S/MIME under "Legacy security capabilities" on its website. Over
the years, S/MIME has undergone several changes to eliminate security weaknesses
such as EFAIL, a 2018 vulnerability affecting end-to-end email encryption solutions
like S/MIME and PGP.
How Does S/MIME Work?
As mentioned above, S/MIME is a type of “end-to-end” encryption solution used for
email messages. To be more specific, it uses asymmetric cryptography to protect
emails from being read by a third party.

As noted by GlobalSign, a company specializing in Public Key Infrastructure (PKI)
solutions for enterprises to secure communications, S/MIME uses a public key to
encrypt emails and "The email can only be decrypted with the corresponding private
key, which is supposed to be in sole possession of the recipient."

In other words, it is a two-key system that relies on two different, but mathematically
related, cryptographic keys. This is why it is called "asymmetric cryptography."
One key may be public, but without the private key held by the recipient, decrypting
the email should be computationally infeasible.

One common criticism of the way that S/MIME encryption works is that, because it
encrypts all of the contents of an email, it can make it harder for antivirus/antimalware
scanners at the gateway to detect malicious attachments and links in an email. This can
make it more difficult for some security measures to stop email-based cyberattacks in
which a legitimate sender's email account is either used maliciously or hijacked by
attackers, since only the recipient can inspect the decrypted content.
