Unit VII – Security – Express Learning: Data Communications and Computer Networks

15

Network Security

1. What are the desirable requirements for a secure communication?

Ans: Nowadays, the computer network is used by most people for performing their tasks such as shopping, bill payment and banking. Thus, it becomes important to secure the network, so that unauthorized people could not access the information. For secured communication, there are some basic requirements that must be met. These are as follows:

Confidentiality: It refers to maintaining secrecy of the message being transmitted over the network. Only the sender and the intended receiver should be able to understand and read the message and no eavesdropper should be able to read or modify the contents of the message. Therefore, the users want their message to be transmitted over network in encrypted form.
Authentication: It is concerned with determining whom you are communicating with. Authentication is must to ensure the receiver that the message has been received from the actual sender and not from the attacker. That is, the receiver should be able to authenticate the sender, which can be achieved by sharing a common secret code word, by sending the digital signatures or by the use of digital certificates.
Integrity: Any message sent over the network must reach to its intended receiver without any modification made to it. If any changes have been made, the receiver must be able to detect that alteration has happened. Integrity can be achieved by attaching a checksum to the message. This checksum ensures that an attacker cannot alter the message; therefore, integrity can be preserved.
Non-repudiation: After a message has been sent and received, the sender and the receiver should not be able to deny about the sending and receiving of the message. The receiver should be able to prove that the message has come from the intended sender and not from anyone else. In addition, the receiver should be able to prove that the contents of the received messages are same as sent by the sender.

2.What do you understand by network security attack? Describe active and passive attacks.

Ans: A network security attack refers to an act of breaching the security provisions of a network. Such an act is a threat to the basic goals of secure communication such as confidentiality, integrity and authenticity. Network security attacks can be classified under two categories, namely, passive attack and active attack.

Passive Attack: In a passive attack, an opponent is indulged in eavesdropping, that is, listening to and monitoring the message contents over the communication channel. The term passive indicates that the main goal of the opponent is just to get the information and not to do any alteration in the message or harm the system resources. A passive attack is hard to recognize, as the message is not tampered or altered; therefore, the sender or receiver remains unaware of the message contents been read by some other party. However, some measures such as encryption are available to prevent their success. Two types of passive attacks are as follows:

   Release of Message Contents: This type of passive attack involves the learning of the sensitive information that is sent via e-mail or tapping a conversation being carried over a telephone line.

   Traffic Analysis: In this type of attack, an opponent observes the frequency and the length of messages being exchanged between the communicating nodes. This type of passive attack is more elusive, as location and identity of communicating nodes can be determined.

Active Attack: In active attack, an opponent either alters the original message or creates a fake message. This attack tries to affect the operation of system resources. It is easier to recognize an active attack but hard to prevent it. Active attacks can be classified into four different categories which are as follows:

   Masquerade: In computer terms, masquerading is said to happen when an entity impersonates another entity. In such an attack, an unauthorized entity tries to gain more privileges than it is authorized for. Masquerading is generally done by using stolen IDs and passwords or through bypassing authentication mechanisms.

   Replay: This active attack involves capturing a copy of message sent by the original sender and retransmitting it later to bring out an unauthorized result.

   Modification of Messages: This attack involves making certain modifications in the captured message or delaying or reordering the messages to cause an unauthorized effect.

   Denial of Service (DoS): This attack prevents the normal functioning or proper management of communication facilities. For example, network server can be overloaded by unwanted packets, thus, resulting in performance degradation. DoS attack can interrupt and slow down the services of a network or may completely jam a network.

3. What is meant by cryptography?

Ans: The term cryptography is derived from a Greek word kryptos which means “secret writing”. In simple terms, cryptography is the process of altering messages to hide their meaning from adversaries who might intercept them. In data and telecommunications, cryptography is an essential technique required for communicating over any untrusted medium, which includes any network, such as Internet. Cryptography provides an important tool for protecting information and is used in many aspects of computer security. By using cryptography techniques, the sender can first encrypt a message and then transmit it through the network. The receiver on the other hand, must be able to decrypt the message and recover the original contents of message.

Figure 15.1 Cryptography Components

4. What are the various cryptography components? Show with the help of a diagram.

Ans: Cryptography allows a sender to disguise a message to prevent it from being read or altered by intruder as well as it enables receiver to recover the original message from disguised one. Various components are involved in cryptography (see Figure 15.1), which are described as follows:

Plaintext: It refers to the original unencrypted message that the sender wishes to send.
Ciphertext: It refers to the encrypted message that is received by the receiver.
Encryption: It is the process of encrypting the plaintext, so that ciphertext can be produced. The plaintext is transformed to ciphertext using the encryption algorithm.
Decryption: It is opposite of the encryption process. In this process, the ciphertext is converted back to plaintext using a decryption algorithm.
Ciphers: The encryption and decryption algorithms are together known as ciphers. Ciphers need not necessarily be unique for each communicating pair; rather a single cipher can be used for communication between multiple pairs of sender and receiver.
Key: A key is usually a number or a set of numbers on which the cipher operates. Encryption and decryption algorithms make use of a key to encrypt or decrypt messages respectively. At the sender's end, the encryption algorithm and encryption key are required to convert the plaintext to ciphertext. At the receiver's end, the decryption algorithm uses the decryption key to convert the ciphertext back to the plaintext. The longer the key is, the harder it is for an intruder to decrypt the message.

5. Define the term cryptanalysis.

Ans: Cryptanalysis is the science and art of breaking the encrypted codes that are created by applying some cryptography algorithm. The person who performs cryptanalysis is known as cryptanalyst. Cryptanalysis attack is done by cryptanalyst so as to obtain the plaintext or key that was used to encrypt the message.

6. Explain the categories of cryptography algorithms.

Ans: Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a key. Algorithms are the complex mathematical formulae and keys are strings of bits. For two parties to communicate over a network (Internet), they must use the same algorithm (or algorithms that are designed to work together). In some cases, they must also use the same key. The cryptography algorithms are broadly classified into two categories, namely, secret key cryptography and public key cryptography.

Secret Key Cryptography

The secret key cryptography also called symmetric key cryptography uses a single key (shared secret key) for both encryption and decryption of data. Thus, it is obvious that the key must be known to both the sender and the receiver. As shown in Figure 15.2, the sender uses this key and the encryption algorithm to transform the plaintext into ciphertext. The ciphertext is then sent to the receiver via a communication network. The receiver applies the same key and the decryption algorithm to decrypt the ciphertext and recover the plaintext. Some examples of secret key cryptography algorithms include data encryption standard (DES), triple DES and advanced encryption standard (AES).

Figure 15.2 Message Exchange Using Secret Key

The main problem in secret key cryptography is getting the sender and receiver to agree on the secret key without anyone else finding out. If the key is compromised, the security offered by secret key cryptography is severely reduced or eliminated. Secret key cryptography assumes that the parties who share a key rely upon each other not to disclose the key and protect it against modification. If they are in separate physical locations, they must trust on a medium such as courier, or a phone system, to prevent the disclosure of the secret key. Anyone who overhears or intercepts the key in transit can later read, modify and forge all messages encrypted or authenticated using that key.

Public Key Cryptography

The public key cryptography also known as asymmetric key cryptography solves the problem found in secret key cryptography by involving two different keys for encryption and decryption. These two keys are referred to as the public key (used for encryption) and the private key (used for decryption). Each authorized user has a pair of public key and private key. The public key of each user is known to everyone, whereas, the private key is known to its owner only.

Now suppose that user A wants to transfer some information to user B securely. The user A encrypts the data by using public key of user B and sends the encrypted message to user B. On receiving encrypted message, user B decrypts it by using his or her private key. Since decryption process requires the private key of user B, which is only known to user B, the information is transferred securely. Figure 15.3 illustrates the whole process. RSA is a well-known example of public key encryption algorithm.

Figure 15.3 Message Exchange Using Public Key

The main advantage of public key cryptography is that the need for the sender and receiver to share secret key is eliminated and all communications involve only public keys. Thus, no private key is ever transmitted or shared. Anyone can send a confidential message using the public key, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient.

7. Explain substitution ciphers and transposition ciphers.

Ans: All encryption and decryption methods have been divided into two categories, namely, substitution ciphers and transposition ciphers. Both are the character-oriented ciphers.

Substitution Cipher

This cipher replaces a symbol (a single letter or group of letters) of the plaintext with another symbol. An example of substitution cipher is the Caesar cipher in which each alphabet of plaintext is replaced by an alphabet obtained by shifting three letters from it. That is, A is replaced by D, B is replaced by E, Z is replaced by C and so on. For example, cipher formed from the plaintext TACKLE will be WDFNOH. A slight generalization of Caesar cipher is shift cipher in which the ciphertext alphabet can be obtained by shifting n letters instead of 3; thus, n becomes the key. Substitution ciphers are further categorized into two types, which are as follows.

Monoalphabetic Cipher: In monoalphabetic cipher, the characters in the plaintext have a one-to-one relationship with the characters in the ciphertext. It means that a character in the plaintext will always be replaced by the same character in the ciphertext. For example, if it is decided that a ciphertext character will be obtained by shifting two positions from the character in the plaintext and the given plaintext is HAPPY, then its ciphertext will be JCRRA.
Polyalphabetic Cipher: In polyalphabetic cipher, the characters in the plaintext may have a one-to-many relationship with the characters in the ciphertext. It means that the same character appearing in plaintext can be replaced by a different character in the ciphertext. For example, the plaintext HELLO can be encrypted to ARHIF using a polyalphabetic cipher. Due to one-to-many relationship between the characters of plaintext and ciphertext, the key used must indicate which of the possible characters can be used for replacing a character in the plaintext. For this, the plaintext is divided into groups of characters and a set of keys is used for encrypting the groups.

Transposition Cipher

This cipher changes the location of characters in plaintext to form the ciphertext. In this cipher, there is no substitution of characters and thus, the order of characters in the plaintext is no longer preserved in the ciphertext. Transposition cipher uses a key that maps the position of characters in the plaintext to that of characters in the ciphertext. One of the commonly used transposition ciphers is columnar transposition in which a word or phrase without containing any repeated letters is chosen as a key. Each letter of the key is numbered to form the columns and the numbering is done in such a way that column 1 is one under the key letter closest to the start of the 26-alphabet set. Then, the plaintext is arranged horizontally under the columns forming the rows. The rows are padded with extra characters to fill the matrix, if required. The ciphertext is then read out column-wise starting from the first column to the last column. For example, if the key is BACKIN and the plaintext is given as hellohowareyou, then ciphertext will be formed as follows:

 
B A C K I N
2 1 3 5 4 6
h e l l o h
o w a r e y
o u a b c d

Thus, the ciphertext will be ewuhoolaaoeclrbhyd.

8. What is the difference between stream cipher and block cipher?

Ans: The stream cipher and block cipher are the categories of symmetric cipher—the ciphers that use the same key for both encryption and decryption.

The stream cipher operates on one symbol of plaintext at a time and using the key applied it produces a symbol of ciphertext one at a time. The stream ciphers implement a feedback mechanism so that the key is constantly changing. Thus, the same character in plaintext may be encrypted to different characters in ciphertext. However, each character is encrypted and decrypted using the same key regardless of the fact that multiple keys are being used. For example, consider the plaintext is user and three different keys (K1, K2 and K3) are used to produce ciphertext, such that the characters u and r are encrypted using key K1, the characters s is encrypted using key K2 and the character e is encrypted using K3. Then, during decryption also, the same set of keys (K1, K2 and K3) are used, such that the characters u and r are decrypted using key K1, the character s is decrypted using key K2 and the character e is decrypted using the key K3.

On the other hand, in block ciphers, an n-bit block of plaintext is encrypted together to produce an n-bit block of ciphertext. Similarly, during decryption, n-bit block of ciphertext is converted back to n-bit block of plaintext, one block at a time. Each block of bits is encrypted or decrypted using the same key. Thus, the same block of plaintext will always be encrypted to same block of ciphertext.

9. Describe S-box and P-box.

Ans: S-box (substitution box) and P-box (permutation box) are used to perform substitution and transposition function respectively. These are described as follows.

S-box: This is a substitution box having same characteristics as that of substitution cipher except that the substitution of several bits is performed in parallel. It takes n bits of plaintext at a time as input and produces m bits of ciphertext as output where the value of n and m may be same or different. An S-box can be keyed or keyless. In a keyed S-box, the mapping of n inputs to m outputs is decided with the help of a key, while in keyless S-box, the mapping from inputs to outputs is predetermined.
P-box: This is a permutation box having same characteristics as that of traditional transposition cipher except that it performs transposition at bit-level and transposition of several bits is performed at the same time. The input bits are permutated to produce the output bits. For example, the first input bit can be the second output bit, second input bit can be the third output bit and so on. P-box is normally keyless and can be classified into the following three types based on the length of input and output.

   Straight P-box: This P-box takes n bits as input, permutes them and produces n bits as output. As the number of inputs and outputs is the same, there are total n! ways to map n inputs to n outputs.

   Compression P-box: This P-box takes n bits as input and permutes them in such a way that an output of m bits is produced where m < n. This implies that two or more inputs are mapped to the same output.

   Expansion P-box: This P-box takes n bits as input and permutes them in such a way that an output of m bits is produced where m > n. This implies that a single input is mapped to more than one output.

10. Explain DES in detail.

Ans: DES is a symmetric-key cipher that was developed by IBM. This encryption standard was adopted by the U.S. government for non-classified information and by various industries for the use in security products. It is also called a block cipher, as it divides plaintext into blocks and same key is used for encryption and decryption of blocks. DES involves multiple rounds to produce the ciphertext and the key used in each round is the subset of the general key called round key produced by the round key generator. That is, if there are P rounds in cipher, then P number of keys (K1, K2…Kp) will be generated where K1 will be used in first round, K2 in second round and so on.

At the sender's end, the DES takes 64-bit block of plaintext, encrypts it using the 56-bit round key and produces 64-bit ciphertext. Originally, the round key is of 64 bits including eight parity bits, thus, the usable bits in key are only 56. The whole process of producing ciphertext from plaintext comprises 19 stages (see Figure 15.4). The first stage is the keyless transposition on the 64-bit plaintext. Next, 16 stages are the rounds that are functionally similar and in each round, a different key K1. of 48 bits derived from the original key of 56 bits is used. The second last stage performs a swap function in which leftmost 32 bits are exchanged with the rightmost 32 bits. The last stage is simply the opposite of the first stage, that is, it performs inverse transposition on 64 bits. At the receiver's end, the decryption is performed using the same key as in encryption; however, now, the steps are performed in the reverse order.

Figure 15.4 Stages Involved in the DES

The structure of one of the 16 rounds (say, ith round) during the encryption in DES is shown in Figure 15.5. It takes two inputs: the leftmost 32 bits as left input (Li) and the rightmost 32 bits as right input (Ri) and produces two outputs: left output (Li+1) and right output (Ri+1), each of 32 bits. The left output (Li+1) is just the right input (Ri). The right output (Ri+1) is obtained by first applying the DES function (f) on the right input (Ri) and the 48-bit key (Ki) being used in the ith round, denoted as f(Ri, Ki), and then performing the bitwise XOR of the result of DES function and the left input (Li). The structure of decryption round in DES is simply the opposite of the encryption round.

Figure 15.5 Structure of Encryption Round

The essence of DES is the DES function. The function f(Ri, Ki) comprises four steps (see Figure 15.6), which need to be carried out sequentially. These steps are as follows:

  1. The right output (Ri) of 32 bits is fed into the expansion P-box which produces an output (say, E) of 48 bits.
  2. A bitwise XOR is performed on 48-bit E and 48-bit key Ki generated for that round, resulting in 48 bits.
  3. The 48-bit output of XOR operation is broken down into eight groups with each group consisting of six bits. Each group of six bits is then fed to one of eight S-boxes. Each S-box maps six inputs to four outputs and thus, total 32 bits are obtained from eight S-boxes.
  4. The 32 bits obtained from S-boxes are input to a straight P-box, which permutes them and produces 32 bits as output.

Figure 15.6 DES Function

11. Write a short note on triple DES.

Ans: The length of the key used in DES was too short. Therefore, triple DES (3DES) was developed to increase the key length, thereby making the DES more secure. The encryption and decryption in 3DES are performed in three stages with the help of two keys, say K1 and K2 of 56 bits each. During encryption, the plaintext is encrypted using DES with key K1 in the first stage, then the output of first stage is decrypted using DES with key K2 in the second stage and finally, the output of second stage is encrypted using DES with key K1 in the third stage thereby producing the ciphertext. On the other hand, during decryption, the ciphertext is decrypted using DES with key K1 in the first stage, then the output of first stage is encrypted using DES with key K2 in the second stage and finally, the output of second stage is decrypted using DES with key K1 in the third stage thereby producing the plaintext. The use of two keys and three stages in 3DES increased the key size to 112 bits and provides more secured communication.

Another version of 3DES uses three keys of 56 bits each and a different key is used for encryption/ decryption in each stage. The use of three different keys further increases the key length to 168 bits; however, it results in an increased overhead due to managing and transporting one more key.

12. Explain the RSA algorithm.

Ans: In 1978, a group at M.I.T. discovered a strong method for public key encryption. It is known as RSA, the name derived from the initials of the three discoverers Ron Rivest, Adi Shamir and Len Adleman. It is the most widely accepted public key scheme, in fact most of the practically implemented security is based on RSA. The algorithm requires keys of at least 1024 bits for good security. This algorithm is based on some principles from number theory, which states that determining the prime factors of a number is extremely difficult. The algorithm follows the following steps to determine the encryption and decryption keys.

  1. Take two large distinct prime numbers, say m and n (about 1024 bits).
  2. Calculate p = m*n and q = (m - 1)*(n - 1).
  3. Find a number which is relatively prime to q, say D. That number is the decryption key.
  4. Find encryption key E such that E*D = 1 mod q.

Using these calculated keys, a block B of plaintext is encrypted as Te = BE mod p. To recover the original data, compute B = Te)D mod p. Note that E and p are needed to perform encryption whereas D and p are needed to perform decryption. Thus, the public key consists of (E , p) and the private key consists of (D, p). An important property of RSA algorithm is that the roles of E and D can be interchanged. As the number theory suggests that it is very hard to find prime factors of p, it is extremely difficult for an intruder to determine decryption key D using just E and p, because it requires factoring p which is very hard.

13. What is digital signature? How it works?

Ans: The historical legal concept of “signature” is defined as any mark made with the intention of authenticating the marked document. Digital signature refers to the digitized images of paper signature used to verify the authenticity of an electronic document. In other words, digital signatures play the role of physical handwritten signatures in verifying electronic documents. Digital signatures use public key cryptography technique, which employs an algorithm using two different but mathematically related keys: private and public keys. Both public and private keys have an important property that permits the reversal of their roles; the encryption key (E) can be used for decryption and the decryption key (D) can be used for encryption, that is, E(D(P)) = D (E (P)) where P denotes the plaintext. This property is used for creating messages with digital signature.

The private key is known only to the signer who uses it for creating a digital signature or transforming data into a seemingly unintelligible form and the signed document can be made public. The public key is used for verifying the digital signature or returning the message to its original form. Any user can easily verify the authenticity of the document by using the public key that means it can be easily verified that the data is originated by the person who claims for it. However, no one can sign the document without having the private key.

To have a clear understanding of how digital signature is used, refer Figure 15.7. Suppose A wants to send his or her signed message (message with digital signature) to B through network. For this, A encrypts the message (M) using his or her private key (EA) and this process results in an encrypted message [EA(M)] bearing A's signature on it. The signed message is then sent through the network to B. Now, B attempts to decrypt the received message using A's public key (DA) in order to verify that the received message has really come from A. If the message gets decrypted {that is, DA[EA(M)] = M}, B can believe that the message has come from A. However, if the message or the digital signature has been modified during the transmission, it cannot be decrypted using A's public key. From here, B can conclude that either the message transmission has tampered or the message has not been generated by A.

Digital signatures also ensure non-repudiation. For example, on receiving the encrypted message, B can keep a copy of that message, so that A cannot later deny of sending of message. Moreover, as B is unaware of A's private key (EA), he or she cannot alter the contents of the encrypted message. However, the only problem with this mechanism is that the message can be tapped by anyone (other than the intended user B) who knows the A's public key (DA) thereby breaching confidentiality.

To ensure message confidentiality, encryption and decryption are performed twice at A's end and B's end respectively. At A's end, first the message is encrypted using A's private key (EA) and then a second encryption is performed using the B's public key (DB) as shown in Figure 15.8. Similarly, at B's end, first, the message is decrypted using B's private key (EB) and then a second decryption is performed using A's public key (DA). With this mechanism, only B can decrypt the encrypted message received from A because only he or she knows his or her own private key.

Figure 15.7 Digital Signature Using Private Key

Figure 15.8 Digital Signature Using Public and Private Keys

14. Define hash function. What are its properties?

Ans: A hash function is a cryptographic algorithm that transforms the given input (such as a message) into a fixed-length string, referred to as the hash value. Formally, the hash value (h) can be expressed as:

h = H(M),

where M = message (string) of any length, H = hash function and H(M) = a fixed-length string.

The hash value plays the role of a “signature” for the data being sent from the sender to receiver through the network. Sometimes, the hash value is also referred to as message digest or simply digest, or electronic form of fingerprint.

An ideal hash function is characterized by the following properties:

For any given message, the hash value can be computed very easily and efficiently.
Given a hash value, it is difficult, nearly impossible, to determine the message having that hash value.
No two messages, even being almost similar, are likely to have the same hash value.

15. What do you understand by the term firewall? Explain its use with the help of an example?

Ans: The ongoing occurrences of incidents pertaining to network security caused a great concern to the people, using computers as their medium to exchange data across the country. A need was felt for a method of controlling the traffic, which allows access of information to computers. Organizations required an application that could protect and isolate their internal systems from the Internet. This application is called firewall. Simply put, a firewall prevents certain outside connections from entering into the network. It traps inbound or outbound packets, analyzes them and then permits access or discards them.

Generally, firewall system comprises software (embedded in a router), computer, host or a collection of hosts set up specifically to shield a site or subnet from protocols and services that can be a threat from hosts outside the subnet. It serves as the gatekeeper between an untrusted network (Internet) and the more trusted internal networks. If a remote user tries to access the internal networks without going through the firewall, its effectiveness is diluted. For example, if a travelling manager has an office computer that he or she can dial into while travelling, and his or her computer is on the protected internal network, then an attacker who can dial into that computer has circumvented the firewall. Similarly, if a user has a dial-up Internet account, and sometimes connects to the Internet from his or her office computer, he or she opens an unsecured connection to the Internet that circumvents the firewall.

To understand the use of firewall, consider an example where an organization is having hundreds of computers on the network. In addition, the organization will have one or more connections to the Internet lines. Now, without a firewall in place, all the computers are directly accessible to anyone on the Internet. A person who knows what other people are doing can probe those computers; try to make FTP (file transfer protocol) connections to them, or telnet connections and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit that hole.

With a firewall in place, the network landscape becomes much different. An organization will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the security rules may be: out of the 300 computers inside an organization, only one is permitted to receive public FTP traffic. A company can set up rules like this for FTP servers, web servers, telnet servers and so on. In addition, an organization can have control on how employees connect to websites, whether or not files can be sent as attachments outside the company over the network and so on. Firewall provides incredible control over how people use the network.

16. What is the role of packet filtering in the firewall?

Ans: A firewall intercepts the data between the Internet and the computer. All data traffic passes through it and it allows only authorized data to pass into the corporate network. Firewalls are typically implemented using packet filtering,

Packet filtering is the most basic firewall protection technique used in an organization. It operates at the network layer to examine incoming and outgoing packets and applies a fixed set of rules to the packets to determine whether or not they will be allowed to pass. The packet filter firewall is typically very fast because it does not examine any of the data in the packet. It simply examines the IP packet header, the source and destination IP addresses and the port combinations and then it applies filtering rules. For example, it is easy to filter out all packets destined for Port 80, which might be the port for a web server. The administrator may decide that Port 80 is off limits except for specific IP subnets and a packet filter would suffice for this. Packet filtering is fast, flexible, transparent (no changes are required at the client) and cheap. This type of filter is commonly used in small to medium businesses that require control over users to use the Internet.

17. Define identification and authentication. Explain how users can be authenticated?

Ans: Often people confuse identification from authentication, as both have similar aspects. Identification is the means through which a user provides a claimed identity to the system. On the other hand, authentication refers to establishing the validity of the claim. Computer systems make use of data authentication for recognizing people, which the systems receive. Authentication presents several challenges such as collecting authentication data, transmitting the data securely and identifying the same person who was earlier authenticated and is still using the computer system.

Various methods can be used to authenticate a user, such as a secret password, some physical characteristics of the user, a smart card or a key given to the user.

Password Authentication

It is the simplest and most commonly used authentication scheme. In this scheme, the user is asked to enter the user name and password to log in into the database. The DBMS then verifies the combination of user name and password to authenticate the user and allows him or her to access the database if he or she is the legitimate user, otherwise access is denied. Generally, password is asked once when a user log in into the database; however, this process can be repeated for each operation when the user is trying to access sensitive data.

Though the password scheme is widely used by database systems, this scheme has some limitations. In this method, the security of database completely relies on the password. Thus, the password itself needs to be secured from unauthorized access. One simple way to secure the password is to store it in an encrypted form. Further, care should be taken to ensure that password would never be displayed on the screen in its decrypted (non-encrypted) form.

Physical Characteristics of User

In this method, the physical characteristics, such as fingerprints, voice, length of fingers of hand, and face structure of the users are used for the identification purpose. These characteristics of users are known to be unique and have a very low probability of duplication. Thus, the security of the database is relatively high in this scheme as compared to the password scheme. However, this method requires the use of some special hardware and software to identify physical characteristics of the user, which incurs extra cost to the organization.

Smart Card

In this method, a database user is provided with a smart card that is used for identification. The smart card has a key stored on an embedded chip and the operating system of smart card ensures that the key can never be read. Instead, it allows data to be sent to the card for encryption or decryption using that private key. The smart card is programmed in such a way that it is extremely difficult to extract the values from smart card; thus, it is considered as a secure device.

18. Write a short note on message authentication.

Ans: Message authentication is a means to verify that the message received by the receiver is from the intended sender and not from the intruder. The sender needs to send some proof along the message, so that the receiver can authenticate the message. To authenticate a message, the message authentication code (MAC) is used. MAC uses a hash function (MAC algorithm) that generates a MAC (a tag-like) with the help of a secret key shared between the sender and the receiver. Figure 15.9 depicts the use of MAC to authenticate a message at the sender's end and to verify the authenticity of message at the receiver's end.

At the sender's end, the original message that is to be authenticated along with the secret key are given as input to the MAC algorithm that produces a MAC as output. The MAC is attached with the original message and both are sent to the receiver through the network. To verify the authenticity of message at the receiver's end, the message is distinguished from MAC and the MAC algorithm is again applied on the message using the secret key to generate a new MAC. Then, the newly generated MAC is compared with the received MAC to determine whether they are same or not. If so, the receiver knows that the message has not been changed and is actually from the intended sender and thus, accepts the message. Otherwise, the message is discarded.

Figure 15.9 Message Authentication Using MAC

19. Encrypt the plaintext 6 using RSA public key encryption algorithm. Use prime numbers 11 and 3 to compute the public and private keys. Moreover, decrypt the ciphertext using the private key.

Ans: Here, m = 11 and n = 3

According to RSA algorithm (as explained in Q12)

p = m * n = 11 * 3 = 33

q = (m - 1) * (n - 1) = (11 - 1) * (3 - 1) = 10 * 2 = 20

We choose D = 3 (a number relatively prime to 20, that is, gcd (20, 3) = 1).

Now,

E * D = 1 mod q

⇒ E * 3 = 1 mod 20

⇒ E = 7

As we know, the public key consists of (E, p) and the private key consists of (D, p). Therefore, the public key is (7, 33) and the private key is (3, 33).

The plaintext 6 can be converted to ciphertext using the public key (7, 33) as follows.

Te = BE mod p

⇒ 67 mod 33

⇒ 30

On applying the private key to the ciphertext 30 to get original plaintext, we get

B = (Te)D mod p

⇒ (3o)3 mod 33

⇒ 6

Multiple Choice Questions

  1. Which of the following are necessary for secured communication?

    (a)   Authentication

    (b)   Confidentiality

    (c)   Integrity

    (d)   All of these

  2. In________attack, an opponent either alters the original message or creates a fake message.

    (a)   Passive

    (b)   Inactive

    (c)   Active

    (d)   Access

  3. _________is a type of passive attack.

    (a)   Replay

    (b)   Traffic analysis

    (c)   Masquerade

    (d)   Denial of service

  4. Which of the following is not a component of cryptography?

    (a)   Ciphertext

    (b)   Ciphers

    (c)   Key

    (d)   None of these

  5. In public key cryptography,_______key is used for encryption.

    (a)   Public

    (b)   Private

    (c)   Both (a) and (b)

    (d)   Shared

  6. ________is the means through which a user provides a claimed identity to the system.

    (a)   Authentication

    (b)   Identification

    (c)   Encryption

    (d)   Decryption

  7. In________cipher, characters in the plaintext and ciphertext are related to each other by one-to-many relationship.

    (a)   Monoalphabetic

    (b)   XOR

    (c)   Polyalphabetic

    (d)   Rotation

  8. DES takes___________-bit key as an input for encrypting the text.

    (a)   128

    (b)   64

    (c)   56

    (d)   168

  9. Which of the following applications traps inbound or outbound packets, analyze them and then permits access or discards them?

    (a)   Digital signature

    (b)   Authentication

    (c)   Identification

    (d)   Firewall

  10. MDC stands for

    (a)   Message detection code

    (b)   Modification detection code

    (c)   Masquerade detection code

    (d)   None of these

Answers

1. (d)

2. (c)

3. (b)

4. (d)

5. (a)

6. (b)

7. (c)

8. (c)

9. (d)

10. (b)