BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

COMPUTER SYSTEM SECURITY

(KNC301)
UNIT -4

Basic cryptography: Public key cryptography ,RSA public key crypto

,Digital signature Hash functions ,Public key distribution ,Real world
protocols ,Basic terminologies ,Email security certificates ,Transport
Layer security TLS ,IP security , DNS security.

1
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

1. Basic Cryptography
Cryptography — the science of secret writing .Cryptography basically
means keeping information in secret or hidden. Cryptography is
technique of securing information and communications through use of
codes so that only those person for whom the information is intended
can understand it and process it. Thus preventing unauthorized access
to information. The prefix “crypt” means “hidden” and suffix graph
means “writing”.

There are five primary functions of cryptography:

1. Privacy/confidentiality: Ensuring that no one can read

the message except the intended receiver.

2. Authentication: The process of proving one's identity.

2
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

3. Integrity: Assuring the receiver that the received message

has not been altered in any way from the original.

4. Non-repudiation: A mechanism to prove that the sender

really sent this message.

5. Key exchange: The method by which crypto keys are

shared between sender and receiver.

2.Basic Terminology

1. Plaintext: This is the readable message or data that is fed

into the algorithm as input.

2. Encryption algorithm: The encryption algorithm

performs various transformations on the plaintext.

3. Public and private keys: This is a pair of keys that have

been selected so that if one is used for encryption, the

3
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

other is used for decryption. The exact transformations

performed by the algorithm depend on the public or
private key that is provided as input.

4. Cipher text: This is the scrambled message produced as

output. It depends on the plaintext and the key. For a given
message, two different keys will produce two different
cipher texts.

5. Decryption algorithm: This algorithm accepts the

ciphertext and the matching key and produces the original
plaintext.

3. Types Of Cryptography

In general there are three types of cryptography:

3.1 Symmetric or Private Key Cryptography:
It is an encryption system where the sender and
receiver of message use a single common key to
encrypt and decrypt messages. Symmetric Key
Systems are faster and simpler but the problem is that
sender and receiver have to somehow exchange key in
a secure manner. The most popular symmetric key
cryptography system is Data Encryption System
(DES).

4
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

3.2 Asymmetric or Public Key Cryptography:

Under this system a pair of keys is used to encrypt and
decrypt information. A public key is used for
encryption and a private key is used for decryption.

5
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

Public key and Private Key are different. Even if the

public key is known by everyone the intended receiver
can only decode it because he alone knows the private
key.

6
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

4. RSA public key crypto

The RSA algorithm is named after Ron Rivest, Adi Shamir and
Len Adleman, who invented it in 1977.
The RSA cryptosystem is the most widely-used public key
cryptography algorithm in the world. It can be used to encrypt
a message without the need to exchange a secret key separately.
Messages encrypted using the public key can only be decrypted
with the private key. The steps for the RSA algorithm are the
following way:
Key Generation
1. Choose two different large random prime
numbers p and q.
2. Calculate n = p × q.
3. Calculate the Ф (n) = (p - 1) × (q - 1) .
4. Choose an integer e such that 1 < e < Ф(n), and e is
co-prime to Ф(n) i.e. e and Ф(n) share no factors other
than 1{ gcd (e, Ф(n)) = 1}.
5. Select d such that e × d ≡ 1 mod (φ(n).
6. Choose (e, n) as the public key.
7. Choose (d, n) as the private key.
Encryption
Suppose the sender wishes to send some text message
(plain text) “M” to someone whose public key is (e, n). The
sender then represents the plaintext as a series of numbers less
than n. The encryption process is simple mathematical step as
-
Cipher text (𝐶) = 𝑃𝑒 𝑚𝑜𝑑 𝑛
Decryption
Receiver can recover text message “M” from by using her
private key (d, n) in the following procedure:
Plain text (𝑃) = 𝐶 𝑑 𝑚𝑜𝑑 𝑛
Example -
I. Choose p = 3 and q = 11.
7
 BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

II. Compute n = p × q = 3 × 11 = 33
III. Compute Ф (n) = (p - 1) × (q - 1) = 2 × 10 = 20
IV. Choose e such that 1 < e < Ф(n), and e is co-prime
to Ф(n), let e = 7.
V. Select d such that e × d ≡ 1 mod (φ(n). one solution is d
= 3.
VI. Public key is (e, n) (7, 33).
VII. Private key is (d, n) (3, 33).
VIII. The encryption of M = 2 is C = 27 mod 33 = 29.
IX. The decryption of C = 29 is M = 293 mod 33 = 2.

5.Public key distribution

In public key cryptography, everyone has access to everyone’s

public key, public keys are available to the public. Several
techniques have been proposed for the distribution of public
keys. Virtually all of these proposals can be grouped into the
following general schemes:
 Public announcement
 Publicly available directory (trusted center)
 Public-key authority (controlled trusted center)
 Public-key certificates

5.1 Public Announcement - In the public-key encryption,

public key is available for all i.e. public. Thus, if there is some
broadly accepted public-key algorithm, such as RSA, any
participant can send his or her public key to any other
participant or broadcast the key to the community at large.
Although this approach is convenient, it has a major weakness.
Anyone can forge such a public announcement. That is, some
user could pretend to be user A and send a public key to another
participant or broadcast such a public key.

8
 BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

5.2 Publicly available directory (trusted center) - A more

secure approach is to have a trusted center retain directory of
public keys. The directory, like the one used in a telephone
system, is dynamically updated. Each user can select a private
and public key, keep the private key, and deliver the public key
for insertion into the directory. The center requires that each
user register in the center and prove his/her identity. The
directory can be publicly advertised by the trusted center. The
center can also respond to any inquiry about the public key.
Such a scheme would include the following elements:

I. The authority maintains a directory with a {name, public

key} entry for each participant.
II. Each participant
registers a public key with the directory authority.
III. A participant may replace the existing key with a new
one at any time, either because of the desire to replace a
public key that has already been used for a large
amount of data, or because the corresponding private key
has been com- promised in some way.
IV. Participants could also access the directory electronically.

9
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

For this purpose, secure, authenticated communication from

the authority to the participant is mandatory.

5.3 Public-key authority (controlled trusted center) -

Stronger security for public-key distribution can be achieved
by providing tighter
control over the distribution of public keys from the directory.
As before, the scenario assumes that a central authority
maintains a dynamic directory of public
keys of all participants. In addition, each participant
reliably knows a public key for the authority, with only the
authority knowing the corresponding private key.
The following steps occur:
1. A sends a time stamped message to the public-key
authority containing a request for the current public key of
B.
2. The authority responds with a message that is encrypted
using the authority’s private key, PRauth.Thus,
A is able to decrypt the message using the authority’s
public key.Therefore,A is assured that the message
originated with the authority.The message
includes the following:
 B’s public key, PUb, which A can use to encrypt messages
destined for B.
10
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 The original request used to enable A to match this

response with the corresponding earlier request and to
verify that the original request was not altered before
reception by the authority.
 The original timestamp given so A can determine that this
is not an old
this is not an old message from the authority containing
a key other than B’s current public key.
3. A stores B’s public key and also uses it to encrypt a
message to B containing an
identifier of A (IDA) and a nonce
(N1), which is used to identify this transaction uniquely.

4. & 5. B retrieves A’s public key from the authority in

the same manner as A retrieved B’s public key.

11
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

At this point, public keys have been securely delivered to

A and B, and they may begin their protected
exchange. However, two additional steps are desirable:
6. B sends a message to A encrypted with PUa and containing
A’s nonce (N1) as well as a new nonce generated by B
(N2). Because only B could have decrypted message (3),
the presence of N1 in message (6) assures A that the
correspondent is B.
7. A returns N2, which is encrypted using B’s public key, to
assure B that its correspondent is A.

5.4 Public Key Certificates - An alternative approach to the

public key authority is the use of certificates that can be used
by participants to exchange keys without contacting a public-
key authority. Each certificate, containing a public key and
other information, is created by a certificate authority and is
given to the participant. Typically, the third
party is a certificate authority, such as a government agency or
a financial institution, which is trusted by the user
community. A user can present his or her public key to the
authority in a secure manner and obtain a certificate. The user
can then publish the certificate. Anyone needing this user’s
public key can obtain the certificate and verify that it is valid
by way of the attached trusted signature. A participant can also
convey its key information to another
by transmitting its certificate. Other participants can verify
that the certificate was created by the authority. We can place
the following requirements on this scheme:
I. Any participant can read a certificate to determine the na
me and public key of the certificate’s owner.
II. Any participant can verify that the certificate originated
from the certificate authority and is not counterfeit.

12
 BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

III. Only the certificate authority can create and update certif
icates.
IV. Any participant can verify the currency of the certificate.
A certificate scheme is illustrated in Figure. Each participant a
pplies to the certificate authority, supplying a public key and
requesting a certificate.

An example of this scheme can be seen using the following

transaction:
CA = E (PRauth, [T1 || IDA || PUa])
where CA is A’s certificate, PRauth is the private key used by the
authority IDA is A’s identification and PUA is A’s
public key and T is a timestamp.

13
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

A can then pass this certificate CA to

any other participant, who reads and verifies the certificate as
follows:
D(PUauth, CA) = D(PUauth, E(PRauth,
[T1 || IDA || PUa])) = (T1 || IDA || PUa)
An example of a certification service is the X.509. X.509
certificates are used in most network security applications,
including IP security, transport layer security (TLS), and
S/MIME.

6. Digital Signature

A digital signature is a mathematical technique used to validate

the authenticity and integrity of a message, software or digital
document. As the digital equivalent of a handwritten signature
or stamped seal, a digital signature offers far more inherent
security, and it is intended to solve the problem of tampering
and impersonation in digital communications.

Digital signatures can provide the added assurances of evidence

of origin, identity and status of an electronic document,
transaction or message and can acknowledge informed consent
by the signer.

14
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

6.1 Advantages of digital signatures

 Saves time

Digital signatures ensure that businesses save on cost and

time with documents and contracts signed off with a click
of a button. Documents can be signed off almost instantly,
from anywhere. Be it a tablet, phone or computer, digital
signatures can seamlessly ensure this otherwise tedious
task is wrapped up in minutes.

 Cost savings

Many companies also see significant cost savings, with

little or no expense in ink, paper, printing, scanning,
shipping/delivery or travel expenses. There are also
savings in other indirect costs such as filing, rekeying data,
archiving, or tracking.

 Workflow efficiency

With lesser delays, digital signatures ensure better

efficiency in workflow. Managing and tracking
documents are made easier, with lesser effort and time
involved. Many features of the digital signatures help
speed up the work process. For instance, email
notifications help remind the person to sign, while status
tracking, help to know at which stage the document is at.

 Better customer experience

Digital signatures provide the convenience of signing

important documents where ever a customer or the person

15
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

to sign is located. Sales persons do not have to wait for the

customer to come to the bank or office. Documents can be
signed off at the door step. This is ideal, especially in
remote areas and smaller townships providing improved
and personalized services. The customer has the freedom
to be anywhere, and engage with a company, making
services and businesses far easier, quick and user –
friendly.

 Security

When it comes to signatures, authenticity and security is a

priority. Digital signatures reduce the risk of duplication
or alteration of the document itself. Digital signatures
ensure that signatures are verified, authentic and
legitimate. Signers are provided with PINs, password and
codes that can authenticate and verify their identity and
approve their signatures. Time stamping provides the date
and time of the signature and thus provide a track of the
document, minimising any risk of tampering or fraud.
Security features embedded in digital signatures ensure
that documents have not been altered without
authorization.

 Legal validity

Digital signatures provides authenticity and ensures that

the signature is verified. This can stand in any court of law
like any other signed paper document. Time stamping and
ability to track and easily archive documents improve and
simplify audit and compliance.

16
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 Environmental benefits

As corporates and business become more conscious of

their role in sustainability, digital signatures is a step
ahead in their efforts in reducing waste and being
environmental friendly.

 Business efficiency

The costs involved in integrating digital signatures into the

work processes is relatively small, compared to its
benefits. With quicker contract turnaround time, and
reduced the work flow time, digital signatures are ideal for
both small and large organizations.

17
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

6.2 Uses of digital signatures

Industries use digital signature technology to streamline
processes and improve document integrity. It increases the
transparency of online interactions and develops trust between
customers, business partners, and vendors. Industries that use
digital signatures include:
 Government - Digital signatures are used by
governments worldwide for a variety of uses, including
processing tax returns, verifying business-to-government
(B2G) transactions, ratifying laws and managing
contracts.
 Healthcare - Digital signatures are used in the healthcare
industry to improve the efficiency of treatment and
administrative processes, to strengthen data security,
for e-prescribing and hospital admissions.
 Manufacturing - Manufacturing companies use digital
signatures to speed up processes, including product
design, quality assurance (QA), manufacturing
enhancements, marketing and sales.
 Finance Services - The U.S. financial sector uses digital
signatures for contracts, paperless banking, loan
processing, insurance documentation, mortgages, and
more.

18
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

6.3 Digital signature security features and benefits

Security features embedded in digital signatures ensure that a
document is not altered and that signatures are legitimate.
 PINs, passwords and codes - Used to authenticate and
verify a signee’s identity and approve their signature.
Email, username and password are most common.
 Time stamping - Provides the date and time of a
signature. Time stamping is useful when the timing of a
digital signature is critical, such as stock trades, lottery
ticket issuance and legal proceedings.
 Trust Service Provider validation - A TSP is a person or
legal entity that performs validation of a
digital signature on a company’s behalf and offers
signature validation reports.
 Certificate authority validation
 Checksum - A checksum is a value used to verify the
integrity of a file or a data transfer. In other words, it is a
sum that checks the validity of data. Checksums are
typically used to compare two sets of data to make sure
they are the same. Some common applications include
verifying a disk image or checking the integrity of
a downloaded file. If the checksums don't match those of
the original files, the data may have been altered or
corrupted.

19
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

7. Real World Protocols

Following are the Real world protocols:
1. SSL Architecture - Secure Socket Layer (SSL) provide
security to the data that is transferred between web
browser and server. SSL encrypt the link between a web
server and a browser which ensures that all data passed
between them remain private and free from attack.
Secure Socket Layer Protocols:

 SSL record protocol

 Handshake protocol
 Change-cipher spec protocol
 Alert protocol

SSL Record Protocol:

SSL Record provide two services to SSL connection
 Confidentiality
 Message Integrity

20
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

2. S/MIME OR Email security certificates - Secure/

Multipurpose Internet Mail Extensions
S/MIME keeps your emails protected during transit. S/MIME
uses cryptography to digitally sign and encrypt your email to
prevent interception from any unauthorized person.
Email certificates, also known as SMIME certificates, are
digital certificates that can be used to sign and encrypt email
messages. When you encrypt an email using an email
certificate, only the person that you sent it to can decrypt and
read the email. The recipient can also be sure that the email
hasn’t been changed in any way.

S/MIME includes two security features:

 Email Encryption - It encrypts the content of the email

sent between two S/MIME enabled users to make it

unreadable to anyone other than the intended recipient.
 Digital Signature - It digitally signs the emails sent

between two S/MIME enabled users to eliminate any risk

of spoofing.

How do I install an SMIME certificate?

For step-by step instructions on how to order and install an
SMIME certificate, see the following tutorials:
 Getting a Free Comodo Email Certificate
 Install Email Certificate In Mail 3.0 – Leopard OS X
 Getting a Thawte Email Certificate

21
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

How does an SMIME Email Certificate work?

Once you install the SMIME (Secure / Multipurpose Internet
Mail Extensions) certificate in your email client, you will send
a signed email to people that need to send encrypted emails to
you. Your contacts’ email client should automatically
download your certificate add it the address book. From then
on, your contacts can send you encrypted emails by clicking the
“Encrypt” button when creating a new email. Different email
clients handle this differently than others so make sure to check
the documentation of the email client that you use.

3. PGP-Pretty Good Privacy –

 PGP was designed to provide all four aspects of
security, i.e., privacy, integrity, authentication, and
non-repudiation in the sending of email.
 PGP uses a digital signature (a combination of
hashing and public key encryption) to provide
integrity, authentication, and non-repudiation. PGP
uses a combination of secret key encryption and
public key encryption to provide privacy. Therefore,
we can say that the digital signature uses one hash
function, one secret key, and two private-public key
pairs.
 PGP is an open source and freely available software
package for email security.
 PGP provides authentication through the use of
Digital Signature.
22
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 It provides confidentiality through the use of

symmetric block encryption.
 It provides compression by using the ZIP algorithm,
and EMAIL compatibility using the radix-64 encoding
scheme.

4. SET-Secure Electronic Transaction- Secure Electronic

Transaction or SET is a system which ensures security and
integrity of electronic transactions done using credit cards in a
scenario. SET is not some system that enables payment but it is
a security protocol applied on those payments. It uses different
encryption and hashing techniques to secure payments over
internet done through credit cards. SET protocol was supported
in development by major organizations like Visa, Mastercard,
Microsoft which provided its Secure Transaction Technology
(STT) and NetScape which provided technology of Secure
Socket Layer (SSL).
SET protocol restricts revealing of credit card details to
merchants thus keeping hackers and thieves at bay. SET
protocol includes Certification Authorities for making use of
standard Digital Certificates like X.509 Certificate.

23
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

Before discussing SET further, let’s see a general scenario of

electronic transaction, which includes client, payment gateway,
client financial institution, merchant and merchant financial
institution.

Requirements in SET :
SET protocol has some requirements to meet, some of the
important requirements are :
 It has to provide mutual authentication i.e., customer (or
cardholder) authentication by confirming if the customer
is intended user or not and merchant authentication.
 It has to keep the PI (Payment Information) and OI (Order
Information) confidential by appropriate encryptions.
 It has to be resistive against message modifications i.e., no
changes should be allowed in the content being
transmitted.
 SET also needs to provide interoperability and make use
of best security mechanisms
Participants in SET :

24
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

In the general scenario of online transaction, SET includes

similar participants:
1. Cardholder – customer
2. Issuer – customer financial institution
3. Merchant
4. Acquirer – Merchant financial
5. Certificate authority – Authority which follows certain
standards and issues certificates(like X.509V3) to all other
participants.

5.IP security (IPSec)- The IP security (IPSec) is an Internet

Engineering Task Force (IETF) standard suite of protocols
between 2 communication points across the IP network that
provide data authentication, integrity, and confidentiality. It
also defines the encrypted, decrypted and authenticated
packets. The protocols needed for secure key exchange and key
management are defined in it.

Uses of IP Security –
IPsec can be used to do the following things:
 To encrypt application layer data.

 To provide security for routers sending routing data across

the public internet.

 To provide authentication without encryption, like to

authenticate that the data originates from a known sender.

 To protect network data by setting up circuits using IPsec

tunneling in which all data is being sent between the two

endpoints is encrypted, as with a Virtual Private Network
(VPN) connection.

Components of IP Security –
 Encapsulating Security Payload (ESP)

25
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 Authentication Header (AH)

 Internet Key Exchange (IKE)

8. Transport Layer security (TLS)

Transport Layer Security, or TLS, is a widely adopted
security protocol designed to facilitate privacy and data
security for communications over the Internet. A primary use
case of TLS is encrypting the communication between web
applications and servers, such as web browsers loading a
website. TLS can also be used to encrypt other
communications such as email, messaging, and voice over IP
(VoIP). In this article we will focus on the role of TLS in web
application security.
Transport Layer Securities (TLS) are designed to provide
security at the transport layer. TLS was derived from a
security protocol called Secure Service Layer (SSL). TLS
ensures that no third party may eavdrops or tamper with any
message.
There are several benefits of TLS:
 Encryption:

TLS/SSL can help to secure transmitted data using

encryption.
 Interoperability:

TLS/SSL works with most web browsers, including

Microsoft Internet Explorer and on most operating
systems and web servers.

26
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 Algorithm flexibility:
TLS/SSL provides operations for authentication
mechanism, encryption algorithms and hashing algorithm
that are used during the secure session.
 Ease of Deployment:
Many applications TLS/SSL temporarily on a windows
server 2003 operating systems.
 Ease of Use:
Because we implement TLS/SSL beneath the application
layer, most of its operations are completely invisible to
client.

9.DNS security (Domain Name System)

A secure DNS is essential for an organization's online presence
as well as for its applications on the internal private network.
DNS attacks are becoming more frequent and sophisticated, so
securing the DNS layer is essential to protecting revenue, users
and brand reputation.
The DNS turns domain names, or website names, into internet
protocol (IP) addresses. These are unique identifiers that help
computers around the world access the information quickly.
DNS security adds a set of extensions for increased protection
These security extensions include:
 Origin authentication of DNS data: this ensures that the

recipient of the data can verify the source.

27
BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 4

 Authenticated denial of existence: this tells a resolver

(responsible for translating the domain name into an IP
address) that a certain domain name does not exist.
 Data integrity: this assures the data recipient that the data
has not been changed in transit.

28