Ans. Kerberos is a computer network authentication protocol which works on the basis of
“tickets” to allow nodes to communicate over a non-secure network.
(Or)
It is a secure method (service) for authenticating a request for a service in a computer network.
Use of Kerberos:
Kerberos is used to decrease the burden on the server; that is, Kerberos takes
responsibility for authentication.
It is designed to provide strong authentication for client/server applications
by using secret-key cryptography.
Versions:
Kerberos Version 4
Kerberos Version 5
Characteristics of KERBEROS:
Requirements of Kerberos:
1. Secure: Kerberos should be strong enough that a potential opponent does not find it
to be the weak link.
2. Reliable: Kerberos should be highly reliable and should employ distributed server
architecture with one system able to back up another.
3. Transparent: Ideally, the user should not be aware that authentication is taking place
beyond the requirement to enter a password.
4. Scalable: The system should be capable of supporting large numbers of clients and
servers.
Kerberos Version 4
Kerberos overcomes this by using a new server, known as the ticket-granting server (TGS).
Ans.
Once public keys have been distributed or have become accessible, secure
communication that thwarts eavesdropping, tampering, or both, is possible.
Public-key encryption provides for the distribution of secret keys to be used for
conventional encryption.
Here a third party can intercept messages and then either relay the intercepted message or
substitute another message. Such an attack is known as a man-in-the-middle attack.
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a
nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a
new nonce generated by B (N2). Because only B could have decrypted message (1), the
presence of N1 in message (2) assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's private
key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
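The exchange above, traced in Python as an added example (not part of the original notes). It uses toy textbook RSA without padding over constructed keys built from known Mersenne primes; the names make_key, rsa and run_exchange and the field widths are illustrative assumptions. It shows A refusing a responder that cannot echo N1, and B recovering Ks from M = E(PUb, E(PRa, Ks)).

```python
import secrets

def make_key(p, q, e=65537):
    """Toy textbook RSA key (no padding, illustration only): (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(key, m):
    """Apply one RSA operation (encrypt or decrypt, depending on the key)."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value does not fit under this modulus")
    return pow(m, exp, n)

# Constructed keys from known Mersenne primes. n_A < n_B is required here so
# that the inner layer E(PRa, Ks) still fits under B's modulus for E(PUb, .).
PUa, PRa = make_key(2**31 - 1, 2**61 - 1)
PUb, PRb = make_key(2**89 - 1, 2**107 - 1)
ID_A = 0x41          # constructed identifier for A
MASK = 0xFFFFFFFF    # nonces are 32 bits in this sketch

def run_exchange(responder_priv):
    """Play A against whoever holds responder_priv; return (Ks sent, Ks recovered)."""
    # Message 1, A -> B: E(PUb, ID_A || N1)
    n1 = secrets.randbits(32)
    msg1 = rsa(PUb, (ID_A << 32) | n1)
    # Message 2, B -> A: E(PUa, N1 || N2); only the holder of PRb can read N1
    seen = rsa(responder_priv, msg1)
    n2 = secrets.randbits(32)
    msg2 = rsa(PUa, ((seen & MASK) << 32) | n2)
    # A checks that its own nonce came back before sending anything else
    reply = rsa(PRa, msg2)
    if reply >> 32 != n1:
        raise PermissionError("N1 not echoed: responder does not hold PRb")
    # Message 3, A -> B: E(PUb, N2); B checks its own nonce
    if rsa(responder_priv, rsa(PUb, reply & MASK)) != n2:
        raise PermissionError("N2 not echoed: initiator does not hold PRa")
    # Key transfer: M = E(PUb, E(PRa, Ks)); B computes D(PUa, D(PRb, M))
    ks = secrets.randbits(64)
    m = rsa(PUb, rsa(PRa, ks))
    return ks, rsa(PUa, rsa(responder_priv, m))

if __name__ == "__main__":
    sent, recovered = run_exchange(PRb)
    print("B recovered Ks:", sent == recovered)
```
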
This information includes a mapping from user name to network address, as well
as other attributes and information about the users.
X.509 defines alternative authentication protocols based on the use of public key
certificates.
This was initially used in 1988.
Use of X.509:
X.509 is an important standard because the certificate structure and authentication protocols
defined in X.509 are used in a variety of contexts.
Example: this format is used in
S/MIME
IP Security
SSL (Secure Socket Layer)
TLS (Transport Layer Security)
SET (Secure Electronic Transaction)
X.509 is based on the use of public-key cryptography and digital signatures.
1. Version: Differentiates among successive versions of the certificate format; the default is
version 1. If the issuer unique identifier or subject unique identifier are present, the value
must be version 2. If one or more extensions are present, the version must be version 3.
2. Serial number: An integer value unique within the issuing CA that is unambiguously
associated with this certificate.
3. Signature algorithm identifier: The algorithm used to sign the certificate together with
any associated parameters. Because this information is repeated in the signature field at
the end of the certificate, this field has little, if any, utility.
4. Issuer name: X.500 name of the CA that created and signed this certificate.
5. Period of validity: Consists of two dates: the first and last on which the certificate is
valid.
6. Subject name: The name of the user to whom this certificate refers. That is, this
certificate certifies the public key of the subject who holds the corresponding private key.
7. Subject’s public-key information: The public key of the subject, plus an identifier of
the algorithm for which this key is to be used, together with any associated parameters.
8. Issuer unique identifier: An optional bit string field used to identify uniquely the
issuing CA in the event the X.500 name has been reused for different entities.
9. Subject unique identifier: An optional bit string field used to identify uniquely the
subject in the event the X.500 name has been reused for different entities.
10. Extensions: A set of one or more extension fields. Extensions were added in version 3
and are discussed later in this section.
11. Signature: Covers all of the other fields of the certificate; it contains the hash code of the
other fields encrypted with the CA’s private key. This field includes the signature
algorithm identifier.
Ans. The protection of email from unauthorized access and inspection is known as electronic
privacy. There are mainly two methods for providing security for electronic mail:
1. Pretty Good Privacy
2. S/MIME
Ans. PGP is a data encryption and decryption computer program that provides privacy
(confidentiality) and authentication for data communication.
It was created by Phil Zimmermann in 1991.
Use of PGP:
PGP is an open-source, freely available software package for e-mail security. It provides
authentication through the use of digital signature, confidentiality through the use of symmetric
block encryption, compression using the ZIP algorithm, and e-mail compatibility using the
radix-64 encoding scheme.
PGP incorporates tools for developing a public-key trust model and public-key certificate
management.
PGP Notations:
Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
5. Receiver verifies the received message by computing its hash and comparing it with the
decrypted hash code.
Sender:
1. Generates message and a random number (session key) only for this message
2. Encrypts message with the session key using AES, 3DES, IDEA or CAST-128
3. Encrypts session key itself with recipient’s public key using RSA
4. Attaches it to message
Receiver:
1. Recovers session key by decrypting using his private key
2. Decrypts message using the session key
1. Enveloped data: This consists of encrypted content of any type and encrypted-content
encryption keys for one or more recipients.
2. Signed data: A digital signature is formed by taking the message digest of the content to
be signed and then encrypting that with the private key of the signer. The content plus
signature are then encoded using base64 encoding. A signed data message can only be
viewed by a recipient with S/MIME capability.
3. Clear-signed data: As with signed data, a digital signature of the content is formed.
However, in this case, only the digital signature is encoded using base64. As a result,
recipients without S/MIME capability can view the message content, although they
cannot verify the signature.
4. Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so
that encrypted data may be signed and signed data or clear-signed data may be encrypted.