6

Hypertext Transfer Protocol Secure (HTTPS)

Overview

 HTTPS: The secure version of HTTP, used to send data between a web
browser and a website.
 Importance: HTTPS encrypts data to increase security, essential when
transmitting sensitive data like bank account logins, emails, or health
information.

Key Features

 Encryption: HTTPS uses public key encryption, authentication, and

digital signatures over the internet.
 Security Mechanisms: Supports multiple security mechanisms,
providing end-user security.
 Protocol Variants: HTTPS adds a layer of security to HTTP via SSL
(Secure Socket Layer) or TLS (Transport Layer Security).

How HTTPS Works

 Encryption Protocol: Uses Transport Layer Security (TLS), previously

known as Secure Sockets Layer (SSL).
 Asymmetric Public Key Infrastructure: Utilizes two different keys
(public and private) for encryption between parties.
 Port Usage: Default port for HTTPS is 443, while HTTP uses port 80.
HTTPS connections require port 443, which also supports HTTP.

SSL/TLS Handshake

 Purpose: Establishes a secure connection by deciding on connection

parameters before data transfer.
 Process: The browser and server perform an SSL/TLS handshake to
start the secure data transfer.

HTTPS and the CIA Triad

  Confidentiality: Encrypts the connection, hiding cookies, URLs, and
sensitive metadata.
 Integrity: Ensures data transferred between visitor and website
cannot be tampered with or modified by hackers.
 Authentication: Verifies that the user accesses the actual website
and not a fake version.

Cookies

 Definition: Text files with small pieces of data (e.g., username,

password) used to identify your computer on a network.
 Creation: Generated by the server upon connection, labeled with a
unique ID.
 Function: When exchanged, the server reads the ID to know what
information to serve specifically to you.

Hypertext Transfer Protocol (HTTP)

 Overview: Protocol used to access data on the World Wide Web.

 Data Transfer: Transfers data in plain text, hypertext, audio, video,
etc.
 Efficiency: Known for its efficiency in a hypertext environment,
allowing rapid jumps from one document to another.

Comparisons

 HTTP vs. FTP: Both transfer files, but HTTP is simpler, using only one
connection.
 HTTP vs. SMTP: Both transfer data between client and server but
differ in message-sending methods.

HTTP Functionality

 Foundation of the Web: Loads web pages using hypertext links.

 Application Layer Protocol: Transfers information between
networked devices, running on top of other network protocol layers.
 Typical Flow: Involves a client making a request to a server, which
sends a response.

Steps Involved in an HTTP Request

 1. Open a link to the HTTP server.
2. Send a request.
3. Server processes the request.
4. Server sends back a response.
5. Connection is closed.

Secure Electronic Transaction (SET)

Overview

 SET: A communications protocol developed in 1996 to secure

electronic debit and credit card payments for e-commerce.
 Support: Backed by major electronic transaction providers like Visa
and MasterCard.
 Function: Allows merchants to verify customers' card information
without seeing it, protecting the customer by transferring card details
directly to the credit card company for verification.

Components

6. Card Holder's Digital Wallet Software: Enables secure online

purchases via a point-and-click interface.
7. Merchant Software: Facilitates secure communication between
merchants, potential customers, and financial institutions.
8. Payment Gateway Server Software: Interfaces between a seller’s
website and a customer’s bank to process transactions securely and
reliably.
9. Certificate Authority Software: Issues digital certificates to
cardholders and merchants, enabling secure electronic commerce
through account registration.

Working of SET Protocol

  Digital Certificates: Provide electronic access to funds using
encrypted certificates for each transaction.
 Verification: Each certificate comes with matching digital keys to
verify transactions and confirm participants.
 Security: Ensures only participants with the correct digital key can
confirm transactions, protecting card details from malicious actors.

Business Requirements

10. Privacy of Customer Payment and Order Information: Uses

encryption to maintain confidentiality.
11. Integrity of Customer Data: Ensures digital signatures are not
altered during transmission.
12. Cardholder Authentication: Links the cardholder to the
account number to reduce fraud.
13. Merchant Authentication: Confirms the merchant's ability to
process credit card transactions.
14. Security Best Practices: Ensures systems are secure and well-
tested to protect transaction participants.

Internet Protocol Secure (IPsec)

Overview

 IPsec: A suite of protocols for setting up encrypted connections

between devices, often used for VPNs. Encrypts IP packets and
authenticates packet sources.

Key Components

15. Authentication Header (AH): Protects data within IP packets

from tampering.
16. Encapsulating Security Payload (ESP): Encrypts and
authenticates data packets, enabling secure VPN functionality.
17. Internet Key Exchange (IKE): Generates security associations
within the IPsec suite, adding an extra security layer to VPNs.

Port Usage

 Port 500: Typically used by IPsec for key exchanges and secure
communications.
IPsec Process

18. Key Exchange: Sets up encryption keys between connected

devices.
19. Authentication: Ensures packets are from trusted sources.
20. Packet Headers and Trailers: Adds authentication and
encryption information to data packets.
21. Encryption: Encrypts payloads and IP headers within packets.
22. Transmission: Uses UDP for transport, allowing packets to
traverse firewalls.
23. Decryption: Decrypts packets at the destination, making data
usable by applications.

Steps in an IPsec Connection

24. Key Exchange: Generates keys for encryption and decryption.

25. Authentication: Verifies packet sources.
26. Packet Headers and Trailers: Adds metadata for handling and
authentication.
27. Encryption: Encrypts data for secure transmission.
28. Transmission: Sends encrypted data packets across networks.
29. Decryption: Decrypts data at the receiving end for application
use.

8 , 9, 10 on slides

11

Blowfish
Overview
  Blowfish: Symmetric encryption algorithm created by Bruce Schneier
in 1993.
 Symmetric Encryption: Uses a single encryption key for both
encryption and decryption.
 Block Size: Originally uses a block size of 64 bits.
 Successor: Twofish was developed to address Blowfish's limitations,
including a larger block size of 128 bits.

Twofish

 Successor: Developed as an improvement over Blowfish, uses a 256-

bit key for symmetric encryption.
 Speed: Known for its fast encryption and suitability for both hardware
and software environments.
 Adoption: Despite not being selected as the AES standard, it remains
widely used in various products.

Products Using Blowfish

Password Management

 Purpose: Protects and generates passwords securely.

 Examples: Access Manager, Java PasswordSafe, Web Confidential.

File/Disk Encryption

 Purpose: Encrypts files and disks to secure sensitive data.

 Examples: GnuPG, Bcrypt, CryptoForge.

Backup Tools

 Purpose: Encrypts data in backups to protect sensitive information.

 Examples: Symantec NetBackup, Backup for Workgroups.

Email Encryption

 Purpose: Ensures email content remains confidential during

transmission.
 Examples: A-Lock, SecuMail.

Operating System Examples

  Usage: Integrated into various operating systems for file and data
security.
 Examples: Linux, OpenBSD.

Secure Shell (SSH)

 Usage: Provides secure remote access and communication over

networks.
 Protocol: Based on a client-server architecture using cryptographic
security.

RC-4
Overview

 RC-4: Stream cipher developed by Ron Rivest in 1987.

 Usage: Initially widely adopted in SSL/TLS, WEP, and other protocols.
 Flaws: Significant vulnerabilities discovered over time, leading to
decreased usage.
 Key Sizes: Supports 64-bit and 128-bit keys.

Security Concerns

 Vulnerabilities: Exploited vulnerabilities allowed for key recovery

attacks.
 Impact: Weaknesses prompted the development and adoption of more
secure protocols like WPA.

RC-5
Overview

 RC-5: Block encryption algorithm developed by Ron Rivest in 1994.

 Features: Known for its speed and efficiency in operations.
 Block Size: Supports block sizes of 16, 32, or 64 bits.
 Memory Efficiency: Requires minimal memory, suitable for various
applications including desktop operations and smart cards.

Example

 Encryption Example:
o Key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 o Plain Text: 00000000 00000000
o Cipher Text: EEDBA521 6D8F4B15

Parameters

 Configurability: Adjustable block/word sizes, number of rounds, and

key sizes to fit specific security and performance requirements.

12

X.509 International Standards

 Defines the format, processes, and entities for creating, managing, and
revoking public key digital certificates.
 Used for public-key certificates or digital documents.
 Associates a cryptographic key pair with a user, organization, website,
or device.

X.509 Certificate

 Verifies the ownership of a public key using the X.509 Public Key
Infrastructure (PKI) standard.
 Can be used for asymmetric or symmetric encryption.
 Contains information about the certificate’s owner and the certificate
itself.
 Issued by Certificate Authorities (CAs).

Issuing X.509 Certificates

 CAs validate organizational identities before issuing public key

certificates.
  Validation methods:
o Domain Validation (DV): Uses automation to verify domain
control via email or file upload.
o Organizational Validation (OV): Verifies domain control and
organization legitimacy.
o Extended Validation (EV): Requires multiple verification
checks and documents.

Public Key and Organizational Identities

 CAs bind verified identities to public keys, ensuring they are genuine
and unmodifiable.
 Secure connections, like HTTPS, use the server’s public key and
confirm authenticity with certificates.
 Certificates contain details such as the owner, issuer, serial number,
expiration date, and public key.

Digital Certificate Fields (X.509)

 Version: Indicates required data.

 Serial Number: Unique identifier.
 Algorithm Information: Signing algorithm used.
 Issuer Distinguished Name: Name of the issuing entity.
 Validity Period: Start and end dates.
 Subject Distinguished Name: Name of the certificate owner.
 Subject Public Key Information: Associated public key.
 Extensions: Optional additional data.

X.509 Version History

 Version 1 (1988): Initial publication.

 Version 2 (1993): Added Issuer Unique Identifier and Subject Unique
Identifier.
 Version 3 (1996): Enabled multiple extensions.

Common Applications of X.509

 SSL/TLS and HTTPS for secure web browsing.

 Signed and encrypted email (S/MIME).
 Code and document signing.
  Client authentication.
 Government-issued electronic IDs.

Key Pairs and Signatures

 Uses asymmetric cryptography (public key cryptography).

 Private Key: Kept by the owner, used to decrypt data and sign
documents.
 Public Key: Distributed to clients, used to encrypt data and verify
signatures.
 Protects against Man-in-the-Middle attacks and data-in-transit
compromises.

Digital Signature

 An encoded hash of a document, encrypted with a private key.

 Publicly trusted CA-signed certificates verify the identity of the
presenting entity.
 X.509 certificates include fields for the subject, issuing CA, version, and
validity period, with v3 certificates containing extensions for key
usages and additional identities.

13

Cryptography - Authentication Protocols

 Discusses authentication protocols, focusing on Kerberos.

 User authentication is a top priority for software applications.
 Various mechanisms exist to authenticate data access.

Authentication Protocols

 Securely transfer authenticated data between two parties.

 Common protocols: Kerberos and X.509.
Kerberos

 Widely used in Windows environments.

 Uses symmetric keys from a centralized key distribution center.
 Not perfect; encountered issues in 2020 post-update.
 Validates clients/servers using cryptographic keys.
 Implementation available by MIT, used in many products.

Types of Authentication

1. Password-based: Simple but vulnerable to attacks.

2. Two-factor: Adds a layer of security using two forms of ID.
3. Biometric: Uses physical traits; secure but costly and may not suit
everyone.

Brute Force vs. Dictionary Attack

 Brute Force: Uses trial and error to crack passwords.

 Dictionary Attack: Systematically tries every word in a dictionary.

Choosing Authentication Protocols

 Consider application needs, infrastructure, effort, and future scalability.

Session Keys

 Generated for single sessions, often using symmetric keys.

 Volatile and frequently changed.

Security Concerns

 Confidentiality and timeliness are key.

 Encrypt identification and session key info using shared keys.
 Use sequence numbers, timestamps, or challenge/response to prevent
replay attacks.

Replay Attack

 Intercepts and retransmits secure communication to deceive the

receiver.
 Example: Fraudulent use of intercepted credit card data.
Timeliness Techniques

 Sequence Numbers: Detect replays but have high overhead.

 Timestamps: Mark the time of events; used in logs and notifications.

Challenge-Response

 Validates identity by sending a challenge to be encrypted and

returned.
 Can be used for two-way authentication.
 Keys can be physically distributed or stored on a trusted server.

Other Authentication Protocols

 LDAP: Locates network resources, considered lightweight.

 OAuth2: Grants third-party application access without sharing
passwords.
 SAML: Enables SSO and secure access to web resources using identity
assertions.
 RADIUS: Manages and authenticates network users, used in dial-up,
wireless, and VPN.

14

Asymmetric Encryption

 Common Algorithms: RSA (Rivest-Shamir-Adleman), Diffie-Hellman.

 RSA (Rivest-Shamir-Adleman):
o Basis of a cryptosystem used for public key encryption.
o Secures sensitive data over insecure networks like the internet.
o Publicly described in 1977 by Rivest, Shamir, and Adleman from
MIT.
o Works with two keys: Public Key (distributed) and Private Key
(kept secret).
RSA Uses

 Digital Signing:
o For code and certificates.
o Verifies who a public key belongs to by signing with a private
key.
o Used by software developers to sign applications and ensure
code integrity.
 Applications:
o Secures communications via Transport Layer Security (TLS).
o Utilized in products like Pretty Good Privacy (PGP).
o Used in VPNs, email services, web browsers, and other
communication channels.

Diffie-Hellman Key Exchange

 Allows two parties to securely establish a key without prior contact.

 Developed by Whitfield Diffie and Martin Hellman.
 Rarely used alone due to lack of authentication, making it vulnerable
to man-in-the-middle attacks.
 Often combined with digital certificates and public-key algorithms (like
RSA) for authentication.

Authentication with Diffie-Hellman

 Ensures secure connections by verifying the identity of each party.

 Diffie-Hellman combined with RSA:
o RSA encrypts messages with the recipient’s public key,
decrypted only by the matching private key.
o RSA isn't used to encrypt all communications due to inefficiency.

15
Data Integrity

 Common Algorithms:
o MD5 (Message-Digest algorithm 5)
o SHA-1 (Secure Hash Algorithm 1)
o RIPEMD-160 (RACE Integrity Primitives Evaluation Message
Digest with a 160-bit digest)
o HMAC (Hash-Based Message Authentication Code)

MD5

 Cryptographic hash function that converts messages of any length into

a 16-byte fixed-length message.
 Developed as an improvement of MD4 by Ronald Rivest in 1991.
 Produces a 128-bit digest.
 Primarily used for authentication and verifying the integrity of files.
 Easier to check MD5 hash for file comparison rather than bit-by-bit.

SHA-1

 Cryptographic computer security algorithm created by the US NSA in

1995.
 Part of the Digital Signature Algorithm (DSA) and Digital Signature
Standard (DSS).
 Used in protocols like TLS, SSL, PGP, SSH, S/MIME, and IPSec.
 Produces a 160-bit hash value.
 Considered insecure since 2005; major browsers stopped accepting
SHA-1 SSL certificates by 2017.

RIPEMD (RACE Integrity Primitives Evaluation Message Digest)

 Developed in 1992 by Hans Dobbertin, Antoon Bosselaers, and Bart

Preneel.
 Based on the weak MD4 hash function.
 Designed for 32-bit processors.
 Types include RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-
320.
 o RIPEMD-128: Initially had design flaws; less secure due to 128-bit
output.
o RIPEMD-160: 160-bit hash function used in Bitcoin
implementation.
o RIPEMD-256 and RIPEMD-320: Extensions for larger hash values.

HMAC (Hash-Based Message Authentication Code)

 Used for calculating message authentication codes with a

cryptographic hash function and a secret key.
 Ensures both data integrity and authentication.
 Commonly used in HTTPS, SFTP, FTPS, and other transfer protocols.
 Combines cryptographic keys and a hash function (e.g., SHA-1, MD5,
RIPEMD-128/160).
 Resistant to hacking and ensures message integrity.

Applications of HMAC

 Email verification during account activation.

 Authentication of form data sent to and from the client browser.
 Used in IoT for cost-effective solutions.
 Password reset links that can be used once without adding a server
state.
 Converts messages of any length into a fixed-length message digest,
optimizing bandwidth.

16

Email Security

 Issues: Unauthorized access and inspection of electronic email during

transit or storage on email servers.
 Challenges: Email passes through many untrusted servers, making it
vulnerable to interception and modification.
Secure Transmission of Emails

 Pretty Good Privacy (PGP)

 Secure/Multipurpose Internet Mail Extensions (S/MIME)

Pretty Good Privacy (PGP)

 Open-source software designed for email security.

 Developed in 1991 by Paul Zimmerman.
 Initially owned by PGP Corporation, later acquired by Symantec in
2010.
 Encrypts data to ensure privacy in email communication, preventing
cyber criminals from forging messages.
 Uses a digital signature (hashing and public key encryption) for
integrity, authentication, and non-repudiation.
 Combines secret key encryption and public key encryption for privacy.
 Involves multiple steps to secure email: confidentiality, authentication,
compression, segmentation, and email compatibility.
 Utilizes the ZIP algorithm for compression and radix-64 encoding for
email compatibility.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

 Protocol developed by RSA Security for secure email exchange.

 Enhances Internet email security based on Simple Mail Transfer
Protocol (SMTP).
 Uses public key cryptography for digital signing, encryption, and
decryption.
 Users acquire public-private key pairs from a trusted authority for
secure email communication.
 Provides encryption and digital signatures for email messages.
 Ensures authentication, message integrity, non-repudiation, privacy,
and data security through encryption.

Multipurpose Internet Mail Extensions (MIME)

 Extension of SMTP email protocol allowing exchange of various data

files (audio, video, images, applications) over email.
 Supports both ASCII text and non-ASCII data.
 Advantages over SMTP:
 o Allows sending of different kinds of binary attachments via email.
o Supports multiple attachments of different types in a single
email.
o No message length limits.
o Supports multipart messages.

ASCII (American Standard Code for Information Interchange)

 Most common character encoding format for text data in computers

and on the internet.
 Designed in the early 1960s as a standard character set for computers
and electronic devices.
 7-bit character set representing 128 English characters as numbers (0-
127).
 Includes numbers (0-9), upper and lower case English letters (A-Z), and
special characters.
 Forms the basis for character sets used in modern computers, HTML,
and the Internet.