SlideShare une entreprise Scribd logo

Network security-primer-9544

Télécharger en tant que PPT, PDF
Hfz Mushtaq
Hfz Mushtaq
1  sur  46
Full-service Software Product Development Life Cycle Services A Security Primer
2Full-service Software Product Development Life Cycle Services Security Topics PGP S/MIME SSL TLS IPSec Cryptography Symmetric Key Public Key Algorithms Encryption Digital Signatures Certificates Algorithms Encryption Key Mgmt
3Full-service Software Product Development Life Cycle Services Need for message security • Privacy – Am I sure no body else knows this? • Authentication – Am I sure that the sender is genuine and not an imposter? • Integrity – Am I sure that the message has not been tampered on its way? • Non-repudiation – What will I do if the sender denies sending the message?
Full-service Software Product Development Life Cycle Services Cryptography
5Full-service Software Product Development Life Cycle Services Cryptography • Jargon – Cryptography means “Secret Writing” – Original message – plaintext – Encrypted message – ciphertext – Encryption and decryption algorithms – ciphers – The number value that the cipher operates on –key • Types – Symmetric key cryptography – Public key cryptography
6Full-service Software Product Development Life Cycle Services Symmetric Key Cryptography 110.ico Encrypt Network 110.ico Decrypt Shared secret key • Features – Same key used by sender and receiver – Algorithm for decryption is inverse of the algorithm used for encryption Alice Bob 1 2
7Full-service Software Product Development Life Cycle Services Symmetric Key (contd.) • Algorithms – DES (Data Encryption Standard) – Triple DES • Advantages – Efficient algorithms (takes less time to encrypt and decrypt) – Simple • Disadvantages – Each pair must have unique keys. i.e. N people will require N(N-1)/2 keys – Distribution of keys between two parties can be difficult
8Full-service Software Product Development Life Cycle Services Public Key Cryptography 110.ico Encrypt Network 110.ico Decrypt Bob’s public key Alice Bob Bob’s private key To the public 1 2 • Features – There are two keys: a private key and a public key – The private key is kept by the receiver and the public key is announced to the public
9Full-service Software Product Development Life Cycle Services Public Key (contd.) • Algorithms – RSA (Rivest, Shamir and Adleman) • Advantages – Need to distribute only the public key. Private key can be safely kept – Lesser number of keys i.e. 1 million users may need only 2 million keys (as compared to 500 billion, if they use symmetric key cryptography) • Disadvantages – Complex algorithms – Association between the public key and the entity must be verified (need for certificates)
10Full-service Software Product Development Life Cycle Services Digital Signatures • Features – Enables integrity, authentication and non-repudiation – Private keys are used to sign a message (or hash) – Public keys are used to verify the signatures • Hash Functions – Signing the whole message is inefficient – Hash functions are used to create a unique digest of the message – Popular hashing algorithms are SHA-1 (secure hash algorithm) and MD5 (message digest)
11Full-service Software Product Development Life Cycle Services Digital Signatures (contd.) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest To Bob 1 2 3 Sender site
12Full-service Software Product Development Life Cycle Services Digital Signatures (contd.) 110.ico Receiver site Bob From Alice Decrypt Hash Function Digest Alice’s public key Digest X Compare 4 5 6
13Full-service Software Product Development Life Cycle Services Key Management • In symmetric key systems: – We need a mechanism to share the key between sender and receiver, and also reduce the number of keys – In some cases, public key systems also use symmetric key to encrypt a message and encrypt the key using public key – Solution: session keys. Symmetric keys are created for a session and destroyed when the session is over – Techniques for key management: » Deffie Hellman method » Key distribution center (Needham-Schroeder protocol and Otway-Rees protocol)
14Full-service Software Product Development Life Cycle Services Key Management (contd.) • In public key systems: – Alice needs to know whether Bob’s public key is genuine – Solution: Certificates – Bob goes to a Certification Authority (CA), e.g. VeriSign, which binds Bob’s public key to an entity called certificate. – Certificate is signed by CA, which has a well known public key, and hence cannot be forged. – Alice can verify the CA’s signature and hence be sure about Bob’s public key
15Full-service Software Product Development Life Cycle Services Certificates • Certificate is described by X.509 protocol • X.509 uses ASN.1 (Abstract Syntax Notation 1) to define the fields • X.509 fields: Field Explanation Version Version number of X.509 Serial Number The unique identifier used by the CA Signature The certificate signature Issuer The name of the CA defined by X.509 Validity Period Start and end period that certificate is valid Subject Name The entity whose public key is being certified Public Key The subject public key and the algorithms that use it
16Full-service Software Product Development Life Cycle Services Chain of Trust • Query propagation similar to DNS queries • At any level, the CA can certify performance of CAs in the next level i.e. level-1 CA can certify level-2 CAs. • Thumb-rule: Everyone trusts Root CA Root CA Level-1 CA 1 Level-2 CA 3 Level-2 CA 4 Level-2 CA 5 Level-2 CA 6 Level-2 CA 2 Level-2 CA 1 Level-1 CA 2
Full-service Software Product Development Life Cycle Services Security at IP Level
18Full-service Software Product Development Life Cycle Services IPSec – IP Security • Secures the IP packet by adding additional header • Selection of encryption, authentication and hashing methods left to the user • It requires a logical connection between two hosts, achieved using Security Association (SA) • An SA is defined by: – A 32-bit security parameter index (SPI) – Protocol type: Authentication Header (AH) Or Encapsulating Security Payload (ESP) – The source IP address IP HeaderIPSec Header Rest of the PacketNew IP Header IP Header IPSec Header Rest of the Packet Transport Mode Tunnel Mode OR
Full-service Software Product Development Life Cycle Services Security at Transport Layer
20Full-service Software Product Development Life Cycle Services Secure Sockets Layer (SSL) • Developed by Netscape • Used to establish secure connection between two parties • Protocol similar to TLS (p.t.o) • OpenSSL (www.openssl.org) provides libraries which implement SSL and TLS • Several application layer security protocols run on top of SSL. E.g. Secure HTTP (https)
21Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server
22Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends a hello message that includes TLS version and other preferences
23Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server sends a certificate that has its public key
24Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser verifies the certificate. It generates a session key, encrypts with server’s public key and sends it to the server
25Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends handshake terminating message, encrypted by the secret key
26Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server decrypts secret key with its private key. Uses secret key to decode message ad sends encrypted ack
Full-service Software Product Development Life Cycle Services Security at Application Layer
28Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site
29Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Email message is hashed to create digest
30Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Digest is encrypted using Alice’s private key
31Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Signed digest added to the message
32Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The message and digest are encrypted using one time secret key created by Alice
33Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The secret key is encrypted using Bob’s public key
34Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The encrypted message, digest and secret key is sent to Bob
35Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8
36Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the secret key with his private key
37Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted message and digest using the decrypted secret key
38Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted digest with Alice’s public key
39Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob hashes the received message to create a digest (for message integrity)
40Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 The two digests are compared, thus providing authentication and integrity
41Full-service Software Product Development Life Cycle Services Sample PGP Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:30 -0600 Subject: Message signed with PGP MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" -----BEGIN PGP SIGNED MESSAGE----- Bob, This is a message signed with PGP, so you can see how much overhead PGP signatues introduce. Compare this with a similar message signed with S/MIME. Alice -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8M aIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0 O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HX rKvnc2aBPFI= =mUaH -----END PGP SIGNATURE-----
42Full-service Software Product Development Life Cycle Services S/MIME • Working principle similar to PGP • S/MIME uses multipart MIME type to include the cryptographic information with the message • S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information • Creating S/MIME message: MIME Entity CMS Object S/MIME Certificates Algo identifiers CMS Processing MIME Wrapping
43Full-service Software Product Development Life Cycle Services Sample SMIME Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:08 -0600 Subject: Message signed with S/MIME MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="simple boundary" --simple boundary Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" Bob, This is a message signed with S/MIME, so you can see how much overhead S/MIME signatures introduce. Compare this with a similar message signed with PGP. Alice --simple boundary Content-Type: application/octet-stream; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIQQwYJKoZIhvcNAQcCoIIQNDCCEDACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDnww ggnGMIIJL6ADAgECAhBQQRR9a+DX0FHXfQOVHQhPMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcT CEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzAxMjcwMDAwMDBaFw05ODAxMjcy MzU5NTlaMIIBFzERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMUYwRAYD
44Full-service Software Product Development Life Cycle Services Sample SMIME Signature UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1h cnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwNjI3MDAwMDAwWhcNOTkwNjI3MjM1OTU5 WjBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsT K1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBALYUps9N0AUN2Moj0G+qtCmSY44s+G+W1y6ddksRsTaNV8nD/RzGuv4e CLozypXqvuNbzQaot3kdRCrtc/KxUoNoEHBkkdc+a/n3XZ0UQ5tul0WYgUfRLcvdu3LXTD9xquJA 8lQ5vBbuz3zsuts/bCqzFrGGEp2ukzTVuNXQ9z6pAgMBAAGjMzAxMA8GA1UdEwQIMAYBAf8CAQEw CwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQDB+vcC51fK EXXGnAz6K3dPh0UXO+PSwdoPWDmOrpWZA6GooTj+eZqTFwuXhjnHymg0ZrvHiEX2yAwF7r6XJe/g 1G7kf512XM59uhSirguf+2dbSKVnJa8ZZIj2ctgpJ6o3EmqxKK8ngxhlbI3tQJ5NxHiohuzpLFC/ pvkN27CmSjCCAjEwggGaAgUCpAAAATANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNOTkxMjMxMjM1OTU5WjBfMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF 4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAUnO6mlXc3D+CfbCQ mGIqgkx2AG4lPdXCCXBXAQwPdx8YofscYA6gdTtJIUH+p1wtTEJJ0/8o2Izqnf7JB+J3glMj3lXz zkST+vpMvco281tmsp7I8gxeXtShtCEJM8o7WfySwjj8rdmWJOAt+qMp9TNoeE60vJ9pNeKomJRz O8QxggGPMIIBiwIBATB2MGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwg SW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJl cgIQUEEUfWvg19BR130DlR0ITzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwIwYJKoZIhvcNAQkEMRYEFE5W9YE9GtbjlD5A52LLaEi96zCKMBwGCSqGSIb3DQEJBTEPFw05 NzA4MDcxODQwMTBaMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEDI 3mvHr3SAJkdoMqxZnSjJ+5gfZABJGQVOfyEfcKncY/RYFvWuHBAEBySImIQZjMgMNrQLL7QXJ/eI xIwDet+c --simple boundary--
Full-service Software Product Development Life Cycle Services References
46Full-service Software Product Development Life Cycle Services References • Overview of cryptography: – www.rsalabs.com/faq/ – http://www.faqs.org/faqs/cryptography-faq/part06/ • Implementation of SSL and TSL: – www.openssl.org • S/MIME Internet task force: – www.imc.org/ietf-smime/index.html • Relationship between S/MIME and PGP/MIME: – www.imc.org/smime-pgpmime.html

Recommandé

Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
OpenSSL
OpenSSLOpenSSL
OpenSSLTimbal Mayank
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
Silc
SilcSilc
SilcMayank Saxena
 

Recommandé

Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
OpenSSL
OpenSSLOpenSSL
OpenSSLTimbal Mayank
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
Silc
SilcSilc
SilcMayank Saxena
 
SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101Chul-Woong Yang
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
 
Key management
Key managementKey management
Key managementBrandon Byungyong Jo
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture shortAvirot Mitamura
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)CAS
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
SSl/TLS Analysis
SSl/TLS AnalysisSSl/TLS Analysis
SSl/TLS AnalysisDuduman Bogdan Vlad
 
SSL intro
SSL introSSL intro
SSL introThree Lee
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)amanchaurasia
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]SISA Information Security Pvt.Ltd
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS OptimizationNate Lawson
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSpavansmiles
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSLSagar Mali
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Trupti Shiralkar, CISSP
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security PrimerVenkatesh Iyer
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 

Contenu connexe

Tendances

How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture shortAvirot Mitamura
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacyPawan Arya
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)CAS
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)amanchaurasia
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]SISA Information Security Pvt.Ltd
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS OptimizationNate Lawson
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSLSagar Mali
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Trupti Shiralkar, CISSP
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 

Tendances (20)

SSL/TLS 101
SSL/TLS 101SSL/TLS 101
SSL/TLS 101
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
 
Key management
Key managementKey management
Key management
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
SSl/TLS Analysis
SSl/TLS AnalysisSSl/TLS Analysis
SSl/TLS Analysis
 
SSL intro
SSL introSSL intro
SSL intro
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
TLS Optimization
TLS OptimizationTLS Optimization
TLS Optimization
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Securing TCP connections using SSL
Securing TCP connections using SSLSecuring TCP connections using SSL
Securing TCP connections using SSL
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 

Similaire à Network security-primer-9544

Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security PrimerVenkatesh Iyer
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesST_World
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityssuserec53e73
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in CordaGuy Hochstetler
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vandaVanda KANY
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 
Seminar on ECommerce
Seminar on ECommerce Seminar on ECommerce
Seminar on ECommerce STS
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 

Similaire à Network security-primer-9544 (20)

Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security Primer
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
Cryptographic Agility in Corda
Cryptographic Agility in CordaCryptographic Agility in Corda
Cryptographic Agility in Corda
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Unit08
Unit08Unit08
Unit08
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Secure 3 kany-vanda
Secure 3 kany-vandaSecure 3 kany-vanda
Secure 3 kany-vanda
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
Seminar on ECommerce
Seminar on ECommerce Seminar on ECommerce
Seminar on ECommerce
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 

Network security-primer-9544

  • 1. Full-service Software Product Development Life Cycle Services A Security Primer
  • 2. 2Full-service Software Product Development Life Cycle Services Security Topics PGP S/MIME SSL TLS IPSec Cryptography Symmetric Key Public Key Algorithms Encryption Digital Signatures Certificates Algorithms Encryption Key Mgmt
  • 3. 3Full-service Software Product Development Life Cycle Services Need for message security • Privacy – Am I sure no body else knows this? • Authentication – Am I sure that the sender is genuine and not an imposter? • Integrity – Am I sure that the message has not been tampered on its way? • Non-repudiation – What will I do if the sender denies sending the message?
  • 4. Full-service Software Product Development Life Cycle Services Cryptography
  • 5. 5Full-service Software Product Development Life Cycle Services Cryptography • Jargon – Cryptography means “Secret Writing” – Original message – plaintext – Encrypted message – ciphertext – Encryption and decryption algorithms – ciphers – The number value that the cipher operates on –key • Types – Symmetric key cryptography – Public key cryptography
  • 6. 6Full-service Software Product Development Life Cycle Services Symmetric Key Cryptography 110.ico Encrypt Network 110.ico Decrypt Shared secret key • Features – Same key used by sender and receiver – Algorithm for decryption is inverse of the algorithm used for encryption Alice Bob 1 2
  • 7. 7Full-service Software Product Development Life Cycle Services Symmetric Key (contd.) • Algorithms – DES (Data Encryption Standard) – Triple DES • Advantages – Efficient algorithms (takes less time to encrypt and decrypt) – Simple • Disadvantages – Each pair must have unique keys. i.e. N people will require N(N-1)/2 keys – Distribution of keys between two parties can be difficult
  • 8. 8Full-service Software Product Development Life Cycle Services Public Key Cryptography 110.ico Encrypt Network 110.ico Decrypt Bob’s public key Alice Bob Bob’s private key To the public 1 2 • Features – There are two keys: a private key and a public key – The private key is kept by the receiver and the public key is announced to the public
  • 9. 9Full-service Software Product Development Life Cycle Services Public Key (contd.) • Algorithms – RSA (Rivest, Shamir and Adleman) • Advantages – Need to distribute only the public key. Private key can be safely kept – Lesser number of keys i.e. 1 million users may need only 2 million keys (as compared to 500 billion, if they use symmetric key cryptography) • Disadvantages – Complex algorithms – Association between the public key and the entity must be verified (need for certificates)
  • 10. 10Full-service Software Product Development Life Cycle Services Digital Signatures • Features – Enables integrity, authentication and non-repudiation – Private keys are used to sign a message (or hash) – Public keys are used to verify the signatures • Hash Functions – Signing the whole message is inefficient – Hash functions are used to create a unique digest of the message – Popular hashing algorithms are SHA-1 (secure hash algorithm) and MD5 (message digest)
  • 11. 11Full-service Software Product Development Life Cycle Services Digital Signatures (contd.) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest To Bob 1 2 3 Sender site
  • 12. 12Full-service Software Product Development Life Cycle Services Digital Signatures (contd.) 110.ico Receiver site Bob From Alice Decrypt Hash Function Digest Alice’s public key Digest X Compare 4 5 6
  • 13. 13Full-service Software Product Development Life Cycle Services Key Management • In symmetric key systems: – We need a mechanism to share the key between sender and receiver, and also reduce the number of keys – In some cases, public key systems also use symmetric key to encrypt a message and encrypt the key using public key – Solution: session keys. Symmetric keys are created for a session and destroyed when the session is over – Techniques for key management: » Deffie Hellman method » Key distribution center (Needham-Schroeder protocol and Otway-Rees protocol)
  • 14. 14Full-service Software Product Development Life Cycle Services Key Management (contd.) • In public key systems: – Alice needs to know whether Bob’s public key is genuine – Solution: Certificates – Bob goes to a Certification Authority (CA), e.g. VeriSign, which binds Bob’s public key to an entity called certificate. – Certificate is signed by CA, which has a well known public key, and hence cannot be forged. – Alice can verify the CA’s signature and hence be sure about Bob’s public key
  • 15. 15Full-service Software Product Development Life Cycle Services Certificates • Certificate is described by X.509 protocol • X.509 uses ASN.1 (Abstract Syntax Notation 1) to define the fields • X.509 fields: Field Explanation Version Version number of X.509 Serial Number The unique identifier used by the CA Signature The certificate signature Issuer The name of the CA defined by X.509 Validity Period Start and end period that certificate is valid Subject Name The entity whose public key is being certified Public Key The subject public key and the algorithms that use it
  • 16. 16Full-service Software Product Development Life Cycle Services Chain of Trust • Query propagation similar to DNS queries • At any level, the CA can certify performance of CAs in the next level i.e. level-1 CA can certify level-2 CAs. • Thumb-rule: Everyone trusts Root CA Root CA Level-1 CA 1 Level-2 CA 3 Level-2 CA 4 Level-2 CA 5 Level-2 CA 6 Level-2 CA 2 Level-2 CA 1 Level-1 CA 2
  • 17. Full-service Software Product Development Life Cycle Services Security at IP Level
  • 18. 18Full-service Software Product Development Life Cycle Services IPSec – IP Security • Secures the IP packet by adding additional header • Selection of encryption, authentication and hashing methods left to the user • It requires a logical connection between two hosts, achieved using Security Association (SA) • An SA is defined by: – A 32-bit security parameter index (SPI) – Protocol type: Authentication Header (AH) Or Encapsulating Security Payload (ESP) – The source IP address IP HeaderIPSec Header Rest of the PacketNew IP Header IP Header IPSec Header Rest of the Packet Transport Mode Tunnel Mode OR
  • 19. Full-service Software Product Development Life Cycle Services Security at Transport Layer
  • 20. 20Full-service Software Product Development Life Cycle Services Secure Sockets Layer (SSL) • Developed by Netscape • Used to establish secure connection between two parties • Protocol similar to TLS (p.t.o) • OpenSSL (www.openssl.org) provides libraries which implement SSL and TLS • Several application layer security protocols run on top of SSL. E.g. Secure HTTP (https)
  • 21. 21Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server
  • 22. 22Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends a hello message that includes TLS version and other preferences
  • 23. 23Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server sends a certificate that has its public key
  • 24. 24Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser verifies the certificate. It generates a session key, encrypts with server’s public key and sends it to the server
  • 25. 25Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends handshake terminating message, encrypted by the secret key
  • 26. 26Full-service Software Product Development Life Cycle Services Transport Layer Security (TLS) • Designed by IETF; derived from SSL • Lies on top of Transport layer • Uses two protocols: – Handshake Protocol – Data exchange protocol – Uses secret key to encrypt data. – Secret key already shared during handshake Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server decrypts secret key with its private key. Uses secret key to decode message ad sends encrypted ack
  • 27. Full-service Software Product Development Life Cycle Services Security at Application Layer
  • 28. 28Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site
  • 29. 29Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Email message is hashed to create digest
  • 30. 30Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Digest is encrypted using Alice’s private key
  • 31. 31Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Signed digest added to the message
  • 32. 32Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The message and digest are encrypted using one time secret key created by Alice
  • 33. 33Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The secret key is encrypted using Bob’s public key
  • 34. 34Full-service Software Product Development Life Cycle Services Pretty Good Privacy (PGP) 110.ico Alice Hash Function Digest Encrypt Alice’s private key + 110.ico Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The encrypted message, digest and secret key is sent to Bob
  • 35. 35Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8
  • 36. 36Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the secret key with his private key
  • 37. 37Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted message and digest using the decrypted secret key
  • 38. 38Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted digest with Alice’s public key
  • 39. 39Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob hashes the received message to create a digest (for message integrity)
  • 40. 40Full-service Software Product Development Life Cycle Services PGP (contd.) 110.ico Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 The two digests are compared, thus providing authentication and integrity
  • 41. 41Full-service Software Product Development Life Cycle Services Sample PGP Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:30 -0600 Subject: Message signed with PGP MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" -----BEGIN PGP SIGNED MESSAGE----- Bob, This is a message signed with PGP, so you can see how much overhead PGP signatues introduce. Compare this with a similar message signed with S/MIME. Alice -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8M aIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0 O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HX rKvnc2aBPFI= =mUaH -----END PGP SIGNATURE-----
  • 42. 42Full-service Software Product Development Life Cycle Services S/MIME • Working principle similar to PGP • S/MIME uses multipart MIME type to include the cryptographic information with the message • S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information • Creating S/MIME message: MIME Entity CMS Object S/MIME Certificates Algo identifiers CMS Processing MIME Wrapping
  • 43. 43Full-service Software Product Development Life Cycle Services Sample SMIME Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:08 -0600 Subject: Message signed with S/MIME MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="simple boundary" --simple boundary Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" Bob, This is a message signed with S/MIME, so you can see how much overhead S/MIME signatures introduce. Compare this with a similar message signed with PGP. Alice --simple boundary Content-Type: application/octet-stream; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIQQwYJKoZIhvcNAQcCoIIQNDCCEDACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDnww ggnGMIIJL6ADAgECAhBQQRR9a+DX0FHXfQOVHQhPMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcT CEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzAxMjcwMDAwMDBaFw05ODAxMjcy MzU5NTlaMIIBFzERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMUYwRAYD
  • 44. 44Full-service Software Product Development Life Cycle Services Sample SMIME Signature UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1h cnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwNjI3MDAwMDAwWhcNOTkwNjI3MjM1OTU5 WjBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsT K1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBALYUps9N0AUN2Moj0G+qtCmSY44s+G+W1y6ddksRsTaNV8nD/RzGuv4e CLozypXqvuNbzQaot3kdRCrtc/KxUoNoEHBkkdc+a/n3XZ0UQ5tul0WYgUfRLcvdu3LXTD9xquJA 8lQ5vBbuz3zsuts/bCqzFrGGEp2ukzTVuNXQ9z6pAgMBAAGjMzAxMA8GA1UdEwQIMAYBAf8CAQEw CwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQDB+vcC51fK EXXGnAz6K3dPh0UXO+PSwdoPWDmOrpWZA6GooTj+eZqTFwuXhjnHymg0ZrvHiEX2yAwF7r6XJe/g 1G7kf512XM59uhSirguf+2dbSKVnJa8ZZIj2ctgpJ6o3EmqxKK8ngxhlbI3tQJ5NxHiohuzpLFC/ pvkN27CmSjCCAjEwggGaAgUCpAAAATANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNOTkxMjMxMjM1OTU5WjBfMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF 4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAUnO6mlXc3D+CfbCQ mGIqgkx2AG4lPdXCCXBXAQwPdx8YofscYA6gdTtJIUH+p1wtTEJJ0/8o2Izqnf7JB+J3glMj3lXz zkST+vpMvco281tmsp7I8gxeXtShtCEJM8o7WfySwjj8rdmWJOAt+qMp9TNoeE60vJ9pNeKomJRz O8QxggGPMIIBiwIBATB2MGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwg SW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJl cgIQUEEUfWvg19BR130DlR0ITzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwIwYJKoZIhvcNAQkEMRYEFE5W9YE9GtbjlD5A52LLaEi96zCKMBwGCSqGSIb3DQEJBTEPFw05 NzA4MDcxODQwMTBaMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEDI 3mvHr3SAJkdoMqxZnSjJ+5gfZABJGQVOfyEfcKncY/RYFvWuHBAEBySImIQZjMgMNrQLL7QXJ/eI xIwDet+c --simple boundary--
  • 45. Full-service Software Product Development Life Cycle Services References
  • 46. 46Full-service Software Product Development Life Cycle Services References • Overview of cryptography: – www.rsalabs.com/faq/ – http://www.faqs.org/faqs/cryptography-faq/part06/ • Implementation of SSL and TSL: – www.openssl.org • S/MIME Internet task force: – www.imc.org/ietf-smime/index.html • Relationship between S/MIME and PGP/MIME: – www.imc.org/smime-pgpmime.html