Embed Size (px)
Citation preview
www.jntuworld.com
JNTUWORLD The Application Layer
1
The Application Layer
There is a need for support protocols to allow the real applications to function in the
application layer. The three important support protocols are:-
1. N/W Security
2. DNS
3. N/W Management
1. N/W Security: It is a large no. of protocols that can be used to ensure privacy where
needed. It is concerned with people trying to access remote services that they are not
authorized to use. N/W security problems can be divided roughly into 4 inter-twined areas: -
Security Non-repudiation
Authentication Integrity control
• Security: It has to do with keeping information out of the hands of unauthorized users.
• Authentication: It deals with determining whom you are talking to, revealing sensitive
information or entering into a business deal.
• Non repudiation: It deals with signatures.
• Integrity control: It makes sure that the message received was the one really sent and
same thing or a malicious adversary modified in transit.
N/W Security in different layers:
1. Physical layer: Wiretapping can be foiled by enclosing transmission lines in sealed
tubes containing ARGON gas at high pressure. Any attempt to drill into a tube will
release some gas, reducing the Pressure and triggering an atom.
2. Data link layer: If packets have to traverse on a point-to-point line, they are encoded
as they leave one machine and decoded as the enter another. If packets have to
traverse multiple routers, they are decrypted at each router, leaving them vulnerable to
attacks with in routes. This method is called LINK ENCRYPTION.
3. N/W layer: Firewalls can be installed to keep packets in or packets out.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
2
4. Transport layers: Entire connections can be encrypted, end to end, i.e., process to process.
5. Application layer:
a) Traditional cryptography
b) 2 fundamental cryptography principles.
c) Secret- key Algorithms.
d) Public-key Algorithms.
e) Authentication protocols.
f) Digital signatures.
g) Social issues.
a). Traditional cryptography:
The art of devising ciphers is called “Cryptography”. The message to be encrypted,
known as ‘plain text’ is transformed by a function that is parameterized by a key. The O/P of
execution process is known as “Cipher text” is then transmitted, often by message. Even, if the
enemy (intruder) hears and accurately copies down the complete cipher text, he cannot decrypt it,
as he doesn’t know the decryption key. Sometimes, he listens to common channel but also record
messages and plays them back later, injects his own messages or modifies legitimate messages
before they get to the receiver. This art of breaking ciphers is called “Cryptanalysis”
Cryptography + Cryptanalysis = Cryptology
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
3
Encryption of plain text ‘P’ using key ‘k’ gives the cipher text ‘C’.
i.e., C = EK (P)
Decryption of cipher text ‘C’ using the key ‘k’ gives plain text ‘P’
DK( C ) = P
i.e., DK (EK (P)) = P
Key is a short string that selects one of many potential encryptions. A key length of 2 digits
means that there are 100 possibilities, 3 digits means 1000 possibilities and 6 digits
means a million. The longer the key, the higher the work factor the cryptanalyst has to
deal with.
Encryption methods:
� Substitution Ciphers.
� Transposition Ciphers.
� One -Time Pads.
(i). Substitution Ciphers: They preserve the order of plaintext symbols but disguise them. In
this, another letter or group of letters to disguise it replaces each letter or group of letters. One of
the oldest ciphers is “Caesar Cipher”. In this, an alphabet is shifted by 3 alphabets. i.e.,
a→D, b→E, c→F….z→C.
Eg: attack ⇒ DWWDFN
Next improvement is mono alphabetic substitution in which each letter is mapped to some
other letter.
Eg: attack⇒ QZZQEA
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
4
To break a Substitution Cipher……………..
• Breaking of ciphers using digrams, trigrams : This takes advantage of statistical
properties of natural
languages. In English, for example ‘c’ is the most common one letter followed
by t, o, a, n etc. the most 2
letter combinations are th, an, in, re & 3 letter combinations are the, int, and, ion.
• Breaking of ciphers with a guess of probable word or phrase : The Cryptanalyst
counts the relative frequencies of all letters in Cipher text and then tentatively
assign the most common one to e and next most common one to t. He then
look at trigrams to find a common one of the form t-e, which can be filled
with ‘h’. If the pattern th-t occurs frequently, the empty space probably stands
for ‘a’.
Eg: CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ
QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ
DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBZ QJSW.
(ii). Transposition Ciphers: These reorder the letters but do not disguise them. The following
diagram depicts the columnar transposition, in which the cipher is keyed by a word or phrase not
containing any repeated letters.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
5
In the above example, MEGABUCK is the key. The purpose of the key is to number the
columns, column-1 being under the key letter closest to the start of the alphabet, and so on. The
plain text is normally written horizontally, in rows. The cipher text is read out by columns,
starting with the column whose key letter is the lowest.
To break a Transposition Cipher………
• The cryptanalyst must first be aware that he is dealing with a transposition cipher. By
looking at the frequency of E,T,A,O,I,N,…etc., it is easy to see that if they fit the
normal pattern for plain text. If so, the cipher is clearly a transposition cipher, because in
such a cipher every letter represents itself.
• The next step is to make a guess at the number of columns. In many cases, a probable
word or phrase may be guessed from the context of the message. For each key length, a
different set of digrams is produced in the cipher text. By hunting for various
possibilities, the cryptanalyst can often easily determine the key length.
• The remaining step is to order the columns. When the number of columns, k, is small,
each of the k(k-1) column pairs can be examined to see if its digram frequencies match
those for English plain text. The pair with the best match is assumed to be correctly
positioned. Now, each remaining column is tentatively tried as the successor to this pair.
The column whose digram and trigram frequencies give the best match is tentatively
assumed to be correct. The predecessor is found in the same way. The entire process is
continued until a potential ordering is found.
(iii). One-time pads: In this, first, choose a random bit string as the key. Then, convert the
plaintext into a string, for example, by using its ASCII representation. Finally, compute the
EXCLUSIVE-OR of these two strings, bit by bit.
Advantages:
1. As every possible plain text is an equally probable candidate, the resulting cipher text
cannot be broken.
2. The resulting cipher text gives the cryptanalyst no information at all.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
6
Disadvantages:
1. The key cannot be memorized and so both sender and receiver must carry a written copy
with them.
2. The total amount of data that can be transmitted is limited by the amount of key
available.
3. It is sensitive to lost or inserted characters.
(b). Two fundamental Cryptographic Principles:
1. All encrypted messages must contain some redundancy (information needed to mis-
understand the message) to prevent active intruders from tricking the receiver into acting
on a false message.
2. Some measures must be taken to prevent active intruders from playing back old
messages.
(c ). Secret-Key algorithms:
The object is to make the encryption algorithm so complex and involuted that even if the
cryptanalyst acquires vast mounds of enciphered text of his own choosing, he will not be able to
make any sense of it at all. Transpositions and substitutions can be implemented with simple
circuits like P-boxes and S-boxes respectively.
P-box( Permutation-box ): Used to effect a transposition on an 8-bit input. If the 8 bits are
designated as 01234567 from top to bottom, the output of this box is 36071245. By appropriate
internal wiring, a P-box can be made to perform any transposition and do it practically the speed
of light.
S-box( Substitution-box ): Substitutions are performed by S-boxes. The n-bit input selects one
of the 8 lines exiting from the first stage and sets it to 1. All the other lines are 0.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
7
There are mainly 3 secret-key algorithms. They are:
1. DES
2. DES-CHAINING
3. IDEA
1. DES ( Data Encryption Standard ) :
It is basically a mono-alphabetic substitution cipher using a 64-bit character. In this, plain text is
encrypted in blocks of 64-bits, yielding 64 bits of cipher text. The algorithm, which is
parameterized by a 56-bit key , has 19 distinct stages. The first stage is a key independent
transposition on the 64-bit plain text. The last stage is the exact inverse of this transposition. The
stage prior to the last one exchanges the left most 32-bits with the right most 32-bits. The
remaining 16 stages are functionally identical but are parameterized by different functions of the
key. The algorithm has been designed to allow decryption to be done with the same key as
encryption. The steps are just run in reverse order. The operation of one of these stages is
illustrated in the figure below:
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
8
Each stage takes two 32-bit inputs and produces two 32-bit outputs. The left output is simply a
copy of the right input. The right output is the bit-wise EXCLUSIVE-OR of the left input and a
function of the right input and the key for this stage, ‘Ki’. The function consists of 4 steps,
carried out in sequence.
1. A 48-bit number, E , is constructed by expanding the 32-bit Ri-1 according to a fixed
transposition and duplicate rule.
2. E and Ki are EXCLUSIVE-OR ed together.
3. This output is then partitioned into 8 groups (each of 6-bits), each of which is fed into a
different S-box. Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.
4. Finally, these 8 x 4 bits are passed through a P-box.
In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit
transposition is applied to the key. Just before each iteration, the key is partitioned into two 28-
bit units, each of which is rotated left by a number of bits dependent on the iteration number. Ki
is derived from this rotated key by applying yet another 56-bit transposition to it. A different 48-
bit subset of the 56-bits is extracted and permuted on each round.
2. DES-CHAINING:
Electronic code book mode: To overcome the problem of DES, this method is used in which a
long message is encrypted by breaking it up into consecutive 8-byte(64-bit)blocks and
encrypting them one after another with the same key. The last block is padded out to 64-bits, if
need be.
Let us consider an example in which a file consisting of consecutive 32-byte records in the
format….16 bytes for name,8 bytes for the position and 8 bytes for the bonus of an employee in
an organization. Each of the sixteen 8-byte blocks is encrypted by DES.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
9
To overcome some types of attacks, DES is chained in various ways. One of the ways is Cipher
Block Chaining. In this method, each plain text block is EXCLUSIVE-OR ed (#) with the
previous cipher text block before being encrypted. Consequently, the same plain text block no
longer maps on to the same cipher text block, and the encryption is no longer a big mono-
alphabetic substitution cipher. The first block is EXCLUSIVE-OR ed with a randomly chosen
initialization vector, IV, that is transmitted along with the cipher text.
Error!
Working:
1. compute C0 = E ( P0 XOR IV )
2. Then, compute C1 = E ( P1 XOR C0 ) and so on.
3. The encryption of block ‘i’ is a function of all the plain text in blocks 0 through i-1, so
the same plain text generates different cipher text depending on where it occurs.
4. The decryption occurs the other way , with P0 = IV XOR D (C0) and so on.
Advantage:
The same plain text block will not result in the same cipher text block, making cryptanalysts
more difficult.
Disadvantage:
It requires an entire 64-bit block to arrive before decryption can begin.
To overcome this disadvantage, byte-by-byte encryption is done using Cipher Feedback
mode. In the figure, the state of encryption machine is shown after bytes 0 through 9 have been
encrypted and sent. When plain text byte-10 arrives, the DES algorithm operates on the 64-bit
shift register to generate 64-bit cipher text, in which the left most byte is extracted and
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
10
EXCLUSIVE-OR ed with P10. That byte is transmitted on the transmission line. In addition, the
shift register is shifted left 8bits, causing C2 to fall off the left end , and C10 is inserted in the
position just vacated at the right end by C9.
Decryption is done by encrypting the contents of the shift register so that the selected byte that is
EXCLUSIVE-OR ed with C10 to get P10 is the same one that was EXCLUSIVE-OR ed with P10
to generate C10 in the first place.
Error!
For applications which require messing up 64-bits of plain text by having a 1-bit transmission
error, Output feedback mode is used. It is identical to cipher feedback mode except that the
byte fed back into the right end of the shift register is taken from just before the EXCLUSIVE-
OR box, not just after it.
Advantage:
It has the property that a 1-bit error in the cipher text causes only a 1-bit error in the resulting
plain text.
3. IDEA (International Data Encryption Algorithm):
The basic structure of the algorithm resembles DES in that 64-bit plain text input blocks are
mangled in a sequence of parameterized iterations to produce 64-bit cipher txt output blocks.
Given the extensive bit mangling, 8 iterations are sufficient. IDEA can be used in cipher
feedback mode and other DES modes.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
11
In the above figure, the details of one iteration are depicted, in which three operations are used,
all on unsigned 16-bit numbers. These operations are EXCLUSIVE-OR, addition modulo 216 ,
and multiplication modulo 216 + 1. The operations have the property that no two pairs obey the
associative law or distributive law, making cryptanalysis more difficult. The 128-bit key is used
to generate 52 sub keys of 16-bits each, 6 for each of 8 iterations and 4 for the final
transformation. Decryption uses the same algorithm as encryption, only with different sub keys.
(d). Public-Key algorithms:
Diffie and Hellmann proposed a new kind of crypto system, one in which the encryption and
decryption keys were different, and the decryption key could not be delivered from the
encryption key. In their proposal, the encryption algorithm, E, and the decryption algorithm, D,
had to meet the following 3 requirements:
1. D(E(P)) = P.
2. It is exceedingly difficult to deduce D from E.
3. E cannot be broken by a chosen plain text attack.
The main object in this is that the Encryption key is made public. Hence, the name Public-Key
Cryptography.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
12
The RSA algorithm:
One of the Public-key algorithms is the RSA algorithm. This was discovered by Rivest, Shamir,
Adleman and is based on the following principles:
1. Choose two large primes, p and q. (typically greater than 10100)
2. Compute n = p * q and z = (p-1) * (q-1)
3. Choose a number relatively prime to z and call it d.
4. Find e such that e * d = 1 mod z
In this algorithm, the plain text is divided into blocks, so that each plain text message, P, falls in
the interval 0 ≤ P < n. This can be done by grouping the plain text into blocks of K bits, where K
is the largest integer for which 2k < n is true.
To encrypt a message, P, compute C = Pe (mod n) i.e., e and n are needed to do so.
To decrypt a message, C, compute P = Cd (mod n) i.e., d and n are needed to do so.
Therefore, the public key consists of the pair (e, n) and the private key consists of the pair (d, n).
In the above example, the encryption of the plain text “SUZANNE” is shown:
p = 3, q = 11, n = 33, z = 20
���� d = 7 ( since 7 and 20 have no common factors)
���� 7e = 1 (mod 20)
���� e = 3
���� C = P3 (mod 33)
���� P = C7 (mod 33)
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
13
Encryption:
C = Me mod n
= 887 mod 187
= [ (884 mod 187) * ( 882 mod 187) * ( 881 mod 187] mod 187
= [ (59,969,536 mod 187)(7744 mod 187)(88 mod 187)] mod187
= (132 * 77 * 88) mod 187
= 894,432 mod 187
= 11
Decryption:
M =Cd mod n
=1123 mod 187
=[(111 mod 187)* (112 mod 187)* (114 mod 187)*(118 mod 187)* (118mod 187)] mod 187
=[(111mod187)*(121mod187)*(14,641mod187)*(214,358,881mod187)*(214,358,881mod187)]mod187
=(11 * 121 * 55 * 33 * 33) mod 187
=79,720,245 mod 187
=88.
If p = 3, q = 11, n = 33, Φ(n) = 20, d = 7 (because 7, 20 have no common factors) =>7e = 1 mod 20 =3 EXAMPLE : Plain text SUZANNE is to be transformed into Cipher text Senders Computation Receivers Computation
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
14
Drawbacks:
1. The Brute force approach i.e., trying all possible private keys.
2. Calculations involved in key generation, Encryption / Decryption are complex.
3. The larger the size of the key, the slower the system will run
Advantage:-
The larger no. of bits in e, d, the more secure the algorithm is the…
(5). Authentication Protocols:
Authentication: It is the technique by which a process verifies that its communication partner is
who it is supposed to be and not an imposter. It deals with the question of whether or not the user
is actually communicating with a specific Process.
� Authentication Based on a shared secret key.
� Authentication Using a key Distribution Centre.
� Authentication Using Kerberos.
� Authentication Using public-key Cryptography
(1)����Authentication Based on a shared secret key:
In this, both the users A and B share a secret key KAB. These protocols are based on a
principle that one party send a random number to the other, who then transforms it in a special
way and then returns result and are called Challenge Response Protocols.
2-way Authentication using Challenge - Response protocol :
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
15
M-1 : ALICE sends her identity ‘A’ to BOB in a way that BOB understands.
M-2 : As Bob has no way of knowing from whom this message has come from actually ,
he picks a large random number RB and sends it back to ALICE in plaintext.
M-3: ALICE then encrypts the message with the key she shares with BOB and sends
cipher text, KAB(RB).
M-4: After receiving, BOB confirms that this message is from ALICE but not from any
other user because K(suffix)AB is shared only by ALICE. But ALICE has no way
of confirmation that she is talking to BOB. To do so, she picks a random number
RA and sends it to BOB as plain text.
M-5: Now, when BOB responds with KAB(RA), ALICE gets the confirmation.
Now, If A and B wish to establish a session key, ‘KS’, ALICE can send it to BOB encrypted
with KAB.
A Shortened 2-way Authentication protocol:
Extra messages in above protocol can be eliminated by combining information as in the figure:
M-1:-ALICE initiates C-R Protocol.
M-2:-BOB responds to ALICE’s challenge along sending his own.
M-3:-ALICE then encrypts the message with the key she shares with BOB and sends cipher
text, KAB(RB).
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
16
3 General Rules to design a correct Authentication protocol:-
1. Have the Initiator prove who she is before the responder has to.
2. Have the Initiator and Responder use different keys for proof, i..e, use 2 shared keys KAB
and K'AB.
3. Have the Initiator and responder draw their challenges from different sets.
(I). The Diffie-Hellman Key Exchange:
It is the protocol that allows strangers to establish a shared secret key.
Working:-
1. Alice and Bob have to agree on 2 large prime numbers (which are public), n and g, where
(n-1)/2, is also a prime and certain conditions apply to ‘g’.
2. Now, Alice &Bob respectively Picks large numbers x,y(say a512- bit) and keeps them
secret.
3. Alice initiates key exchange protocol by sending by sending Bob a message containing
(n, g, gx mod n), for which Bob responds with gy mod n.
4. Alice takes the number and raises it to xth power to get (gy mod n)x. Bob does the same
and gets (gx mod n)y.
5. Thus, Alice &Bob now share a secret key, gxy mod n.
Example: n=47, g=3, x=8, y=10
1. Alice’s message to Bob : 47,3,28 (since 38mod 47 = 28)
2. Bob’s message to Alice : 17 (since 310mod47 = 17)
3. Alice Computes : 178mod 47 = 4
4. Bob computes : 2810mod 47 = 4
Therefore, The Shared - Secret Key = 4.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
17
The problem that is faced by Diffe - Hellman Key Exchange protocol is Bucket Brigade attack
or WO(man)- in – the –middle attack.
Consider a third person ‘c’ is involved in the interaction of A & B……… in the above algorithm.
1. A&B chooses x & y respectively while ‘c’ randomly chooses ‘z’.
2. When A sends message-1 interested for B,’C’ intercepts it and sends m-2 to B, using
correct g and n. But with her own ‘z’ instead of ‘x’ and does same back to ‘A’ with m-3.
3. Later, ‘B’ sends M-4 to ‘A’ ,which was intercepted by ‘c’ and kept with it.
4. Modular Arithmetic being done by everyone,
A Computes Secret Key as gxzmod n.
B Computes Secret Key as gyzmod n.
C Computes Secret Key as gxzmod n, gyzmod n.
5. Therefore, Every message sent by A on the encrypted session is captured by ‘C’, stored,
modified if desired and then (optionally) passed to ‘B’. Similarly in other direction. i..e,
A&B on under the illusion that they have a secure channel to one another while ‘C’ sees
everything & can modify them. This attack is called Bucket Brigade Attack.
(II): Authentication using KDC:
In this model, each user has a single key shared with KDC. The simplest protocols is “wide-
mouth frog”
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
18
Working:
1. 'A' picks a session key Ks and informs KDC that it wants to talk to 'B', with a message
which is encrypted with a secret key(KA)
2. KDC decrypts this message, extracts B's identity and session key and constructs a new
message containing A's identity and session key and sends to 'B', encrypted with KB
shared by 'B' with KDC
3. 'B' decrypts and knows the 'A's wish and it's key.
The Needham-Schroeder authentication protocol:
Error!
Working:-
1. 'A' tells KDC that he wants to talk to 'B', with a message which contains a large random
number, RA.
2. KDC sends back m-2 containing A's random number, a session key and a ticket that it
can send to B.
3. Now, 'A' sends ticket to 'B', along with a new random number, RA2 encrypted with
session key KS.
4. 'B' sends back Ks(RA2-1) to confirm 'A' that it is talking to 'B'.
5. 'B' is convinced that it is talking to 'A' only but with no other one.
The Otway-Rees Authentication protocol:
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
19
Working:-
1. 'A' starts out by generating a pair of random number, R, which will be used as a common
identifier and RA, which A will use to challenge 'B'.
2. When 'B' gets this message, he constructs a new message from the encrypted part of A's
message and an analogous one of his own.
3. Both the parts encrypted with KA and KB identify A and B, contain the common identifier
and contain a challenge.
4. The KDC checks to see if R in both parts is same, and if so, it believes that the request
message from 'B' is valid and so it generates a session key and encrypts it twice (both for
A and B).
5. Each message contains receiver’s random number, indicating that it was generated by
KDC.
6. Now, A and B are in possession of same session key and can start communicating.
(III). Authentication using KERBEROS:
Kerberos was designed to allow workstation users to access network resources in a secure key. It
involves three servers in addition to a client workstation:
• Authentication Server (AS):- Verifies users during login
• Ticket-Granting Server (TGS):- issues "PROOF OF IDENTITY TICKETS"
• B, The Server:- Actually does the work 'A' wants performed
WORKING:
• 'A' sits down at an arbitrary public work station and types his name, which is sent to 'AS'
in plain text.
• Session key and a ticket TGS (A, Ks) intended for TGS comes back, which are packed
together and encrypted using A's secret key, so that only 'A' can encrypt them.
• Only when message-2 arrives, the work station ask for A's password and this is used to
generate KA in order to decrypt m-2 and obtain session key and TGS ticket inside it.
• At this point, the workstation overwrites A’s password to make sure that it is only inside
the workstation for a few milliseconds at most.
• After 'A' logging in, she tells the workstation that she wants to contact 'B' the file server.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
20
• The workstation then sends message-3 to the TGS asking for a ticket to use with 'B', with
the key element KTGS(A, KS) encrypted by TGS's secret key as a proof of 'A'.
• The TGS responds by creating a session key KAB for 'A' to use with 'B'.
• Two versions of it are sent back, with first encrypted with KS intended for A and second
encrypted with KB intended for 'B'.
• Now, 'A' sends KAB to 'B' to establish a session key with him, which is time stamped.
After some series of exchanges, communication is established.
(IV) . Authentication Using Public Key Cryptography:
Working:- A and B know each other public keys
1. 'A' starts by encrypting her identity and a random number RA using B's public key EB.
2. when 'B' receives this message ,'B' sends back 'A' message containing A's RA, his own
random number RB ,and a proposed session key KS.
3. When 'A' gets m-2, he decrypts it using his private key and agrees to session key by
sending back m-3.
4. when 'B' sends RB encrypted with session key he just generated, he confirms that m-2 is
received and RA is verified by 'A'.
So, a session is established.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
21
(6). DIGITAL SIGNATURES:
It is devised to replace hand-written signatures between 2 parties in a system in such a way that
• The receiver can verify the claimed identity of the sender
• The sender cannot later repudiate the contents of the message.
• The receiver cannot possibly have concocted the message himself.
DDiiffffeerreenntt aapppprrooaacchheess::--
� (a)Secret-key signatures
� (b)Public-key signatures
� (c)Message digests
� (d)Birthday attack
(a) . Secret-key signatures:
In this approach each user chooses a secret key and carries with by hand to a central
authority (BB) that knows everything and by everyone. So only A and BB know A’s secret key
KA and so on.
Working:-
1. When ‘A’ wants to send a signed plain text message, ‘P’ to ‘B’, she generates
KA(B, RA, t ,p)and sends it.
2. BB sees that the sender is ‘A’ & decrypts the message and sends it to B.
3. The message to B contains the plain text A’s message and also signed message KBB(A,
t, p) where ‘t’ is a timestamp.
4. ‘B’ now carries out A’s request.
(b) . PPuubblliicc kkeeyy ssiiggnnaattuurreess::
In this, an assumption is made initially that public key encryption and decryption
algorithms have the property E(D(p))=P in addition to D(E(p))=P.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
22
Working:-
1. ‘A’ sends a plain text message ‘p’ to B by transmitting EB(DA(p)).
2. When B receives the message ,he transforms it using his private key yielding DA(p)
which is stored in a safe place and then decrypted using EA to get original plain text.
( c). Message Digests:
Def:- A one-way hash function that takes an arbitrarily long of piece plain text from it
Computes a fixed-length bit string is called a message digest and has 3 important
properties. They are:-
• Given P, it is easy to compute MD (P).
• Given MD (P), it is effectively impossible to find P.
• No one generates 2 messages that have the same message digest.
Working:-
• ‘A’ first computes the message digest of her plain text ‘BB’ computes message digest
by applying MD to P, yielding MD (P).BB then encloses KBB (A, t, MD (P)) as 5th item
in list encrypted with KB that is sent to ‘B’.
• She then signs the message digest and sends both the signed digest and plain text B.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
23
(d). Birthday Attack:
If there is some mapping between inputs and outputs with ‘n’ inputs (people, messages etc..) and
‘k’ possible outputs (birthday , message digests etc..), there are [n(n-1)/2] input pairs. If [n (n-
1)/2] >k ,the chance of having at least one match likely for n>√k. This result means that a 64-bit
message digests can probably be broken by generating about 232 messages and looking for 2 with
the message digest.
The idea for this attack comes from a technique that mathematical professors often use in their
probability courses. The question is :
“ How many students do you need in a class before the probability of having 2 people with
same birthday exceeds ½? ”
The probability is 23 i.e., with 23 people, we can form (23*22)/2=253 different pairs, each of
which has a probability of being a hit.
DNS--Domain Name System:
This is primarily used for mapping host and e-mail destinations to IP addresses but can also be
used other purposes. DNS is defined in RFCs 1034 and 1035.
Working:-
• To map a name onto an IP address, an application program calls a library procedure
called Resolver, passing it the name as a parameter.
• The resolver sends a UDP packet to a local DNS server, which then looks up the name
and returns the IP address to the resolver, which then returns it to the caller.
• Armed with the IP address, the program can then establish a TCP connection with the
destination, or send it UDP packets.
���� The DNS name space.
���� Resource Records.
���� Name Servers.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
24
☼ The DNS name space:-
The Internet is divided into several hundred top level domains, where each domain covers
many hosts. Each domain is partitioned into sub domains, and these are further partitioned as so
on. All these domains can be represented by a tree, in which the leaves represent domains that
have no sub domains. A leaf domain may contain a single host, or it may represent a company
and contains thousands of hosts. Each domain is named by the path upward from it to the root.
The components are separated by periods(pronounced “dot”)
Eg: Sun Microsystems Engg. Department = eng.sun.com.
The top domain comes in 2 flavours:-
• Generic: com(commercial), edu(educational instructions), mil(the U.S armed forces,
government), int (certain international organizations), net( network providers), org(non
profit organizations).
• Country: include 1 entry for every country.
Domain names can be either absolute (ends with a period e.g. eng.sum.com) or relative
(doesn’t end with a period). Domain names are case sensitive and the component names can be
up to 63 characters long and full path names must not exceed 255 characters.
Insertions of a domain into the tree can be done in 2 days:-
• Under a generic domain ( Eg: cs.yale.edu)
• Under the domain of their country (E.g: cs.yale.ct.us)
☼ Resource Records:
Every domain can have a sent of resource records associated with it. For a single host, the
most common resource record is just its IP address. When a resolver gives a domain name to
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
25
DNS, it gets both the resource records associated with that name i.e., the real function of DNS is
to map domain names into resource records.
A resource record is a 5-tuple and its format is as follows:
Domain _name : Tells the domain to which this record applies.
Time- to- live : Gives an identification of how stable the record is
(High Stable = 86400 i.e. no. of seconds /day)
( High Volatile = 1 min)
Type: Tells what kind of record this is.
Class: It is IN for the internet information and codes for non internet information
Value: This field can be a number a domain name or an ASCII string
Type Meaning Value
SOA Start Of Authority 32-bit integer
A IP address of host 32 bit integer
MX Mail Exchange Priority domain willing to accept
NS Name Server Name of server for this domain
CNAME Canonical Name Domain name
PTR Pointer Alias for an IP address
HINIF Host Description CPU and OS in a ASCII
TXT Text Un interpreted ASCII Text
☼ Name Servers:
It contains the entire database and responds to all queries about it. DNS name space is
divided up into non-overlapping zones, in which each zone contains some part of the tree and
also contains name servers holding the authoritative information about that zone.
www.jntuworld.com
www.jntuworld.com
JNTUWORLD The Application Layer
26
When a resolver has a query about a domain name, it passes the query to one of the local name
servers:
1. If the domain being sought falls under the jurisdiction of name server, it returns the
authoritative resource records ( that comes from the authority that manages the record,
and is always correct).
2. If the domain is remote and no information about the requested domain is available
locally the name server sends a query message to the top level name server for the
domain requested.
Eg: A resolver of flits.cs.vle.nl wants to know the IP address of the host Linda.cs.yale.edu
Step 1: Resolver sends a query containing domain name sought the type and the class to
local name server, cs.vu.nl.
Step 2: Suppose local name server knows nothing about it, it asks few others near by
name servers. If none of them know, it sends a UDP packet to the server for
edu-server.net.
Step 3: This server knows nothing about Linda.cs.yale.edu or cs.yale.edu and so it
forwards the request to the name server for yale.edu.
Step 4: This one forwards the request to cs.yale.edu which must have authoritative
resource records.
Step 5 to 8: The resource record requested works its way back in steps 5-8
This query method is known as Recursive Query
3. When a query cannot be satisfied locally, the query fails but the name of the next server
along the line to try is returned.
www.jntuworld.com
