Please do not share these notes on apps like WhatsApp or Telegram.

The revenue we generate from the ads we show on our website and app
funds our services. The generated revenue helps us prepare new notes
and improve the quality of existing study materials, which are
available on our website and mobile app.

If you don't use our website and app directly, it will hurt our revenue,
and we might not be able to run the services and have to close them.
So, it is a humble request for all to stop sharing the study material we
provide on various apps. Please share the website's URL instead.
Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Subject Notes
Subject Name: Information Security Subject Code: IT 801
Syllabus:
Authentication Applications, Kerberos, X.509 Authentication Service, Public key infrastructure; Electronic
Mail Security:Pretty Good Privacy; IP Security: IP Security Overview, Architecture, Authentication header,
encapsulating security payload, Key management; Web Security: Web security considerations, Secure
Socket Layer and Transport layer Security,Secure Electronic Transaction.

__________________________________________________________________________________________
Course Objective: The objective of this course is to familiarize the students with the fundamentals
of information security and the methods used in protecting both the information present in computer storage
as well as information traveling over computer networks.
__________________________________________________________________________________________
__ Course Outcome : Understand principles of web security to secure network by monitoring and analyzing
the nature of attacks and design/develop security architecture for an organization

UNIT-IV
Authentication Applications
Authontication applications provide a centralized authentication server whose function is to authenticate
users to servers and servers to users. Kerberos provide centralized authentication it relies exclusively on
conventional encryption, making no use of public-key encryption.
The following are the requirements for Authentication applications :
Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate
a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be
the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service
means lack of availability of the supported services. Hence, Kerberos should be highly reliable and
should employ a distributed server architecture, with one system able to back up another.
Kerberos:
Kerberos is an authentication protocol for client/server applications. This protocol relies on a combination of
private key encryption and access tickets to safely verify user identities.
The main reasons for adopting Kerberos are:

 Plain text passwords are never sent across an insecure network.

 Every login has three stages of authentication.
 Encryption protects all access keys and tickets.
 Authentication is mutual, so both users and providers are safe from scams.
MIT developed the first instances of Kerberos in the late ’80s. The protocol was named after Cerberus, a
creature from Greek mythology. Cerberus was a ferocious three-headed dog who guarded Hades.
A refined version of Kerberos came out of Microsoft as part of Windows 2000. Since then, Kerberos became
Windows’ default authorization protocol. Implementations of Kerberos also exist for Apple OS, FreeBSD, UNIX,
and Linux. The Kerberos Consortium treats the protocol as an open-source project.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Three Main Components of Kerberos

Every Kerberos verification involves a Key Distribution Center (KDC). The KDC acts as a trusted third-
party authentication service, and it operates from the Kerberos server. KDC consists of three main
components:
 An authentication server (AS): The AS performs initial authentication when a user wants to access a
service.
 A ticket granting server (TGS): This server connects a user with the service server (SS).
 A Kerberos database: This database stores IDs and passwords of verified users.
All Kerberos authentications take place in Kerberos realms. A realm is a group of systems over which a KDC has
the authority to verify users and services.

Figure 4.1: Working of Kerberos Authentication

X.509 Authentication Service
X.509 is part of the X.500 series of recommendations that define a directory service. The directory is, in effect,
a server or distributed set of servers that maintains a database of information about users. The information
includes a mapping from user name to network address, as well as other attributes and information about the
users.
X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The
directory may serve as a repository of public-key certificates. Each certificate contains the public key of a user
and is signed with the private key of a trusted certification authority. In addition, X.509 defines alternative
authentication protocols based on the use of public-key certificates.
X.509 is an important standard because the certificate structure and authentication protocols defined in X.509
are used in a variety of contexts. For example, the X.509 certificate format is used in S/MIME IP Security and
SSL/TLS and SET .
X.509 was initially issued in 1988. The standard was subsequently revised to address some of the security
concerns documented in [IANS90] and [MITC90]; a revised recommendation was issued in 1993. A third
version was issued in 1995 and revised in 2000.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the
use of a specific algorithm but recommends RSA. The digital signature scheme is assumed to require the use of
a hash function. Again, the standard does not dictate a specific hash algorithm. The 1988 recommendation
included the description of a recommended hash algorithm; this algorithm has since been shown to be
insecure and was dropped from the 1993 recommendation.

Public key infrastructure(PKI):

Public key infrastructure(PKI) provides assurance of public key. It provides the identification of public keys and
their distribution. An anatomy of PKI comprises of the following components.

 Public Key Certificate, commonly referred to as ‘digital certificate’.

 Private Key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.
Digital certificates are based on the ITU standard X.509 which defines a standard certificate format for public
key certificates and certification validation. Hence digital certificates are sometimes also referred to as X.509
certificates.
Public key pertaining to the user client is stored in digital certificates by The Certification Authority (CA) along
with other relevant information such as client information, expiration date, usage, issuer etc.
Registration Authority (RA): CA may use a third-party Registration Authority (RA) to perform the necessary
checks on the person or company requesting the certificate to confirm their identity. The RA may appear to
the client as a CA, but they do not actually sign the certificate that is issued.
Certificate Management System (CMS): It is the management system through which certificates are published,
temporarily or permanently suspended, renewed, or revoked. Certificate management systems do not
normally delete certificates because it may be necessary to prove their status at a point in time, perhaps for
legal reasons. A CA along with associated RA runs certificate management systems to be able to track their
responsibilities and liabilities.
Private Key Tokens: While the public key of a client is stored on the certificate, the associated secret private
key can be stored on the key owner’s computer. This method is generally not adopted. If an attacker gains
access to the computer, he can easily gain access to private key. For this reason, a private key is stored on
secure removable storage token access to which is protected through a password.

Electronic Mail Security: Pretty good privacy (PGP)

PGP provides the confidentiality and authentication service that can be used for electronic mail and file
storage applications. The steps involved in PGP are:
1. Select the best available cryptographic algorithms as building blocks.
2. Integrate these algorithms into a general purpose application that is independent of operating
system and processor and that is based on a small set of easy-to-use commands.
3. Make the package and its documentation, including the source code, freely available via the internet,
bulletin boards and commercial networks.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

4. Enter into an agreement with a company to provide a fully compatible, low cost commercial version
of PGP.
PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth.
 It is available free worldwide in versions that run on a variety of platform.
 It is based on algorithms that have survived extensive public review and are considered extremely
secure. e.g., RSA, DSS and Diffie Hellman for public key encryption CAST-128, IDEA and 3DES for
conventional encryption SHA-1 for hash coding.
 It has a wide range of applicability. It was not developed by, nor it is controlled by, any governmental
or standards organization.

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure
communications over Internet Protocol (IP) networks, through the use of cryptographic security services. IPSec
is a suite of cryptography-based protection services and security protocols. Because it requires no changes to
programs or protocols, you can easily deploy IPSec for existing networks. The driving force for the acceptance
and deployment of secure IP is the need for business and government users to connect their private WAN/
LAN infrastructure to the Internet for providing access to Internet services and use of the Internet as a
component of the WAN transport system. As we all know, users need to isolate their networks and at the
same time send and receive traffic over the Internet. The authentication and privacy mechanisms of secure IP
provide the basis for a security strategy for us.
IPsec protects one or more paths between a pair of hosts, a pair of security gateways, or a security gateway
and a host. A security gateway is an intermediate device, such as a switch or firewall, that implements IPsec.
Devices that use IPsec to protect a path between them are called peers.

IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are ESP
(Encapsulation Security Payload) and AH (Authentication Header). IPSec Architecture include protocols,
algorithms, DOI, and Key Management. All these components are very important in order to provide the three
main services:
 Confidentiality
 Authentication
 Integirity

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Figure 4.2: IP Security architecture

1. Architecture:
Architecture or IP Security Architecture covers the general concepts, definitions, protocols, algorithms and
security requirements of IP Security technology.
2. ESP Protocol:
ESP(Encapsulation Security Payload) provide the confidentiality service. Encapsulation Security Payload is
implemented in either two ways:
 ESP with optional Authentication.
 ESP with Authentication.

IP Authentication header
IP Authentication Header is used to provide connection-less integrity and data origin authentication. There are
two main advantages that Authentication Header provides,
1. Message Integrity – It means, message is not modified while coming from source.
2. Source Authentication –It means, source is exactly source from whom we were expecting data.
When packet is sent from source A to Destination B, it consists of data that we need to send and header which
consist of information regarding packet. Authentication Header verifies origin of data and also payload to
confirm if there has been modification done in between, during transmission between source and destination.
However, in transit, values of some IP header fields might change (like- Hop count, options, extension
headers). So, values of such fields cannot be protected from Authentication header. Authentication header
cannot protect every field of IP header. It provides protection to fields which are essential to be protected.

Authentication Header :
The question may arise, that how IP header will know that adjacent Extension header is Authentication
Header. Well, there is protocol field in IP Header which tells type of header that is present in packet. So,
protocol field in IP Header should have value of “51” in order to detect Authentication Header.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Figure 4.3: IP Header

IP Encapsulating security payload

Encapsulating Security Payload (abbreviated as ESP) offers the help we need in keeping the integrity,
authenticity and confidentiality of the information we send across networks.
Now, we heavily rely on the internet technologies and transfer massive amounts of data daily. For this data
traffic, we often employ wireless and wired networks. As a result, network security and necessary
cybersecurity measures gain importance each day.
Encapsulating Security Payload (abbreviated as ESP) offers the help we need in keeping the integrity,
authenticity and confidentiality of the information we send across networks.

Key management
In cryptography it is a very tedious task to distribute the public and private key between sender and receiver.
If key is known to the third party (forger/eavesdropper) then the whole security mechanism becomes
worthless. So, there comes the need to secure the exchange of keys.
Distribution of Public Key:
Public key can be distributed in 4 ways: Public announcement, Publicly available directory, Public-key
authority, and Public-key certificates. These are explained as below:
1. Public Announcement:
Here the public key is broadcasted to everyone. Major weakness of this method is forgery. Anyone can
create a key claiming to be someone else and broadcast it. Until forgery is discovered can masquerade
as claimed user.
2. Publicly Available Directory:
In this type, the public key is stored at a public directory. Directories are trusted here, with properties
like Participant Registration, access and allow to modify values at any time, contains entries like {name,
public-key}.Directories can be accessed electronically still vulnerable to forgery or tampering.
3. Public Key Authority:
It is similar to the directory but, improve security by tightening control over distribution of keys from
directory. It requires users to know public key for the directory. Whenever the keys are needed, a real-
time access to directory is made by the user to obtain any desired public key securely.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

4. Public Certification:
This time authority provides a certificate (which binds identity to the public key) to allow key exchange
without real-time access to the public authority each time. The certificate is accompanied with some
other info such as period of validity, rights of use etc. All of this content is signed by the trusted Public-
Key or Certificate Authority (CA) and it can be verified by anyone possessing the authority’s public-key.

Web security considerations

Websites are always to prone to security risks. Cyber crime impacts your business by hacking your website.
Your website is then used for hacking assaults that install malicious software or malware on your visitor’s
computer.
Updated Software
It is mandatory to keep you software updated. It plays vital role in keeping your website secure.
SQL Injection
It is an attempt by the hackers to manipulate your database. It is easy to insert rogue code into your query
that can be used to manipulate your database such as change tables, get information or delete data.
Cross Site Scripting (XSS)
It allows the attackers to inject client side script into web pages. Therefore, while creating a form It is good to
endure that you check the data being submitted and encode or strip out any HTML.
Error Messages
You need to be careful about how much information to be given in the error messages. For example, if the
user fails to log in the error message should not let the user know which field is incorrect: username or
password.
Validation of Data
The validation should be performed on both server side and client side.
Passwords
It is good to enforce password requirements such as of minimum of eight characters, including upper case,
lower case and special character. It will help to protect user’s information in long run.
Upload files
The file uploaded by the user may contain a script that when executed on the server opens up your website.
SSL
It is good practice to use SSL protocol while passing personal information between website and web server or
database.
Secure Socket Layer security
Secure Socket Layer (SSL) provide security to the data that is transferred between web browser and server.
SSL encrypt the link between a web server and a browser which ensures that all data passed between them
remain private and free from attack.
Secure Socket Layer Protocols:
 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

 Alert protocol

Figure 4.4: SSL Protocol Stack

SSL Record Protocol:

SSL Record provide two services to SSL connection.
 Confidentiality
 Message Integerity
In SSL Record Protocol application data is divided into fragments. The fragment is compressed and then
encrypted MAC (Message Authentication Code) generated by algorithms like SHA (Secure Hash Protocol) and
MD5 (Message Digest) is appended. After that encryption of the data is done and in last SSL header is
appended to the data.
Transport Layer Securities (TLS)
Transport Layer Securities (TLS) are designed to provide security at the transport layer. TLS was derived from a
security protocol called Secure Service Layer (SSL). TLS ensures that no third party may eavesdrops or tampers
with any message.

There are several benefits of TLS:

 Encryption:
TLS/SSL can help to secure transmitted data using encryption.
 Interoperability:
TLS/SSL works with most web browsers, including Microsoft Internet Explorer and on most operating
systems and web servers.
 Algorithm flexibility:
TLS/SSL provides operations for authentication mechanism, encryption algorithms and hashing
algorithm that are used during the secure session.
 Ease of Deployment:
Many applications TLS/SSL temporarily on a windows server 2003 operating systems.
 Ease of Use:
Because we implement TLS/SSL beneath the application layer, most of its operations are completely
invisible to client.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Secure Electronic Transaction(SET)

Secure Electronic Transaction or SET is a system which ensures security and integrity of electronic
transactions done using credit cards in a scenario. SET is not some system that enables payment but it is a
security protocol applied on those payments. It uses different encryption and hashing techniques to
secure payments over internet done through credit cards. SET protocol was supported in development by
major organizations like Visa, Mastercard, Microsoft which provided its Secure Transaction Technology
(STT) and NetScape which provided technology of Secure Socket Layer (SSL). SET protocol restricts
revealing of credit card details to merchants thus keeping hackers and thieves at bay. SET protocol includes
Certification Authorities for making use of standard Digital Certificates like X.509 Certificate.

Requirements in SET :
SET protocol has some requirements to meet, some of the important requirements are :

 It has to provide mutual authentication i.e., customer (or cardholder) authentication by confirming if
the customer is intended user or not and merchant authentication.
 It has to keep the PI (Payment Information) and OI (Order Information) confidential by appropriate
encryptions.
 It has to be resistive against message modifications i.e., no changes should be allowed in the content
being transmitted.
 SET also needs to provide interoperability and make use of best security mechanisms.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

Thank you for using our services. Please support us so that we can
improve further and help more people.
https://www.rgpvnotes.in/support-us

If you have questions or doubts, contact us on

WhatsApp at +91-8989595022 or by email at [email protected].

For frequent updates, you can follow us on

Instagram: https://www.instagram.com/rgpvnotes.in/.