Professional Documents
Culture Documents
With the explosively growing reliance on electronic mail for every conceivable pur-
pose, there grows a demand for authentication and confidentiality services. Two
schemes stand out as approaches that enjoy widespread use: Pretty Good Privacy
(PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME). The latter is a
security en-hancement to the MIME Internet e-mail format standard, based on
technology from RSA Data Security. Although both PGP and S/MIME are on an
IETF standards track, it appears likely that S/MIME will emerge as the industry
standard for commercial and organisational use, while PGP will remain the choice for
personal e-mail security for many users. In this course we will only be looking at
PGP. S/MIME is discussed in detail in the recommended text.
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation
1 Authentication
Figure 12.2a illustrates the digital signature service provided by PGP. The figure is
similar to ones we have looked at earlier. The hash function used is SHA-1 which
creates a 160 bit message digest. EP (DP) represents public encryption (decryption)
and the algorithm used can be RSA or DSS (recall that the DSS can only be used for
the digital signature function and unlike RSA cannot be used for encryption or key
exchange). The message may be compressed using and algorithm called ZIP. This is
represented by “Z” in the figure.
The combination of SHA-1 and RSA provides an effective digital signature scheme.
Due to the strength of RSA the recipient is assured that only the possessor of the
matching private key can generate the signature. Because of the strength of SHA-1
the recipient is assured that no one else could generate a new message that matches
the hash code and hence, the signature of the original message.
2 Confidentiality
2. The message is encrypted using CAST-128, IDEA or 3DES with the session key.
3. The session key is encrypted with RSA (or another algorithm known as ElGa-
mal) using the recipients public key and is prepended to the message.
4. The receiver uses RSA with its private key to decrypt and recover the session
key.
As a default, PGP compresses the message after applying the signature but before
encryption. This has the benefit of saving space both for e-mail transmission and for
file storage.
The placement of the compression algorithm, indicated by Z for compression and
Z−1 for decompression in figure 12.2 is critical:
4 E-mail compatibility
Many electronic mail systems only permit the use of blocks consisting of ASCII text.
When PGP is used, at least part of the block to be transmitted is encrypted. This ba-
sically produces a sequence of arbitrary binary words which some mail systems
won’t accept. To accommodate this restriction PGP uses and algorithm known as
radix64 which maps 6 bits of a binary data into and 8 bit ASCII character.
Unfortunately this expands the message by 33% however, with the compression
algorithm the overall compression will be about one third (in general).
5 Segmentation
E-mail facilities are often restricted to a maximum message length. For example,
many of the facilities accessible throughout the Internet impose a maximum length of
50,000 octets. Any message longer than that must be broken up into smaller
segments, each of which is mailed separately.
To accommodate this restriction, PGP automatically subdivides a message that is
too large into segments that are small enough to sent via e-mail. The segmentation is
done after all the other processing, including the radix-64 conversion. Thus the session
key component and signature component appear only once, at the beginning of the first
segment. At the receiving end.
SET works:
Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet
Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind
of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for online
purchases or other transactions. It includes a public key with an expiration date. It has been
through a digital switch to the bank to ensure its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include the
merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives and confirms from the merchant's certificate that the merchant is
valid.
6. The browser sends the order information. This message is encrypted with the merchant's public
key, the payment information, which is encrypted with the bank's public key (which can't be read
by the merchant), and information that ensures the payment can only be used with this particular
order.
7. The merchant verifies the customer by checking the digital signature on the customer's certificate.
This may be done by referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key, the
customer's payment information (which the merchant can't decode), and the merchant's
certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the
certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.
Bottom of Form order.
3. Intrusion Detection System (IDS) mean?
An intrusion detection system (IDS) is a type of security software designed to automatically alert
administrators when someone or something is trying to compromise information system through
malicious activities or through security policy violations.
An IDS works by monitoring system activity through examining vulnerabilities in the system,
the integrity of files and conducting an analysis of patterns based on already known attacks. It
also automatically monitors the Internet to search for any of the latest threats which could result
in a future attack.
Network Intrusion Detection System: This system monitors the traffic on individual
networks or subnets by continuously analyzing the traffic and comparing it with the
known attacks in the library. If an attack is detected, an alert is sent to the system
administration. It is placed mostly at important points in the network so that it can keep
an eye on the traffic travelling to and from the different devices on the network. The IDS
is placed along the network boundary or between the network and the server. An
advantage of this system is that it can be deployed easily and at low cost, without having
to be loaded for each system.
Host Intrusion Detection System: Such system works on individual systems where the
network connection to the system, i.e. incoming and outgoing of packets are constantly
monitored and also the auditing of system files is done and in case of any discrepancy,
the system administrator is alerted about the same. This system monitors the operating
system of the computer. The IDS is installed on the computer. Advantage of this system
is it can accurately monitor the whole system and does not require installation of any
other hardware.
Signature based Intrusion Detection System: This system works on the principle of
matching. The data is analyzed and compared with the signature of known attacks. Incase
of any matching, an alert is issued. An advantage of this system is it has more accuracy
and standard alarms understood by user.
Passive Intrusion Detection System: It simply detects the kind of malware operation
and issues an alert to the system or network administrator. (What we have been seeing till
now!).The required action is then taken by the administrator.
Reactive Intrusion Detection System: It not only detects the threat but also performs
specific action by resetting the suspicious connection or blocks the network traffic from
the suspicious source. It is also known as Intrusion Prevention System.