Cryptography and Network Security
Third Edition

About the Author

Atul Kahate has over 17 years of experience in Information Technology in India and abroad in various capacities. He currently works as Adjunct Professor in Computer Science in Pune University and Symbiosis International University. His last IT employment was as Consulting Practice Director at Oracle Financial Services Software Limited (earlier known as i-flex solutions limited). He has conducted several training programs/seminars in institutions such as IIT, Symbiosis, Pune University, and many other colleges.

A prolific writer, Kahate is also the author of 38 books on Computer Science, Science, Technology, Medicine, Economics, Cricket, Management, and History. Books such as Web Technologies, Cryptography and Network Security, Operating Systems, Data Communications and Networks, An Introduction to Database Management Systems are used as texts in several universities in India and many other countries. Some of these have been translated into Chinese.

Atul Kahate has won prestigious awards such as Computer Society of India’s award for contribution to IT literacy, Indradhanu’s Yuvonmesh Puraskar, Indira Group’s Excellence Award, Maharashtra Sahitya Parishad’s “Granthakar Puraskar”, and several others. He has appeared on quite a few programmes on TV channels such as Doordarshan’s Sahyadri channel, IBN Lokmat, Star Maaza, and Saam TV related to IT, education, and careers. He has also worked as official cricket scorer and statistician in several international cricket matches.

Besides these achievements, he has written over 4000 articles and various columns on IT, cricket, science, technology, history, medicine, economics, management, careers in popular newspapers/magazines such as Loksatta, Sakal, Maharashtra Times, Lokmat, Lokprabha, Saptahik Sakal, Divya Marathi, and others.
Cryptography and Network Security
Third Edition

Atul Kahate
Adjunct Professor
Pune University and Symbiosis International University
Author in Computer Science

McGraw Hill Education (India) Private Limited
NEW DELHI

McGraw Hill Education Offices
New Delhi, New York, St Louis, San Francisco, Auckland, Bogotá, Caracas, Kuala Lumpur, Lisbon, London, Madrid, Mexico City, Milan, Montreal, San Juan, Santiago, Singapore, Sydney, Tokyo, Toronto

Published by McGraw Hill Education (India) Private Limited
P-24, Green Park Extension, New Delhi 110 016

Cryptography and Network Security, 3/e

Copyright © 2013, 2008, 2003, by McGraw Hill Education (India) Private Limited

No part of this publication may be reproduced or distributed in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise or stored in a database or retrieval system without the prior written permission of the publishers. The program listings (if any) may be entered, stored and executed in a computer system, but they may not be reproduced for publication.

This edition can be exported from India only by the publishers, McGraw Hill Education (India) Private Limited.

ISBN 13: 978-1-25-902988-2
ISBN 10: 1-25-902988-3

Vice President and Managing Director: Ajay Shukla
Head—Higher Education (Publishing and Marketing): Vibha Mahajan
Publishing Manager (SEM & Tech. Ed.): Shalini Jha
Asst. Sponsoring Editor: Smruti Snigdha
Editorial Researcher: Sourabh Maheshwari
Manager—Production Systems: Satinder S Baveja
Asst. Manager—Editorial Services: Sohini Mukherjee
Sr. Production Manager: P L Pandita
Asst. General Manager (Marketing)—Higher Education: Vijay Sarathi
Sr. Product Specialist (SEM & Tech. Ed.): Tina Jajoriya
Sr. Graphic Designer (Cover): Meenu Raghav
General Manager—Production: Rajender P Ghansela
Manager—Production: Reji Kumar

Information contained in this work has been obtained by McGraw Hill Education (India), from sources believed to be reliable.
However, neither McGraw Hill Education (India) nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw Hill Education (India) nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw Hill Education (India) and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.

Typeset at The Composers, 260, C.A. Apt., Paschim Vihar, New Delhi 110 063, and printed at SDR Printers, A-28, West Jyoti Nagar, Loni Road, Shadara, Delhi 110 094

Cover: SDR
RYZCRRLORQLLD

CONTENTS

Preface
Important Terms and Abbreviations

1. Introduction to the Concepts of Security
   1.1 Introduction
   1.2 The Need for Security
   1.3 Security Approaches
   1.4 Principles of Security
   1.5 Types of Attacks
   Summary
   Key Terms and Concepts
   Practice Set

2. Cryptography Techniques
   2.1 Introduction
   2.2 Plain Text and Cipher Text
   2.3 Substitution Techniques
   2.4 Transposition Techniques
   2.5 Encryption and Decryption
   2.6 Symmetric and Asymmetric Key Cryptography
   2.7 Steganography
   2.8 Key Range and Key Size
   2.9 Possible Types of Attacks
   Case Study: Denial of Service (DOS) Attacks
   Summary
   Key Terms and Concepts
   Practice Set

3. Computer-based Symmetric Key Cryptographic Algorithms
   3.1 Introduction
   3.2 Algorithm Types and Modes
   3.3 An Overview of Symmetric-Key Cryptography
   3.4 Data Encryption Standard (DES)
   3.5 International Data Encryption Algorithm (IDEA)
   3.6 RC4
   3.7 RC5
   3.8 Blowfish
   3.9 Advanced Encryption Standard (AES)
   Case Study: Secure Multiparty Calculation
   Summary
   Key Terms and Concepts
   Practice Set

4. Computer-based Asymmetric-Key Cryptography Algorithms
   4.1 Introduction
   4.2 Brief History of Asymmetric-Key Cryptography
   4.3 An Overview of Asymmetric-Key Cryptography
   4.4 The RSA Algorithm
   4.5 ElGamal Cryptography
   4.6 Symmetric- and Asymmetric-Key Cryptography
   4.7 Digital Signatures
   4.8 Knapsack Algorithm
   4.9 ElGamal Digital Signature
   4.10 Attacks on Digital Signatures
   4.11 Problems with the Public-Key Exchange
   Case Study 1: Virtual Elections
   Case Study 2: Contract Signing
   Summary
   Key Terms and Concepts
   Practice Set

5. Public Key Infrastructure (PKI)
   5.1 Introduction
   5.2 Digital Certificates
   5.3 Private-Key Management
   5.4 The PKIX Model
   5.5 Public Key Cryptography Standards (PKCS)
   5.6 XML, PKI and Security
   Case Study: Cross Site Scripting Vulnerability (CSSV)
   Summary
   Key Terms and Concepts
   Practice Set

6. Internet-Security Protocols
   6.1 Introduction
   6.2 Basic Concepts
   6.3 Secure Socket Layer (SSL)
   6.4 Transport Layer Security (TLS)
   6.5 Secure Hyper Text Transfer Protocol (SHTTP)
   6.6 Secure Electronic Transaction (SET)
   6.7 SSL Versus SET
   6.8 3-D Secure Protocol
   6.9 Email Security
   6.10 Wireless Application Protocol (WAP) Security
   6.11 Security in GSM
   6.12 Security in 3G
   6.13 IEEE 802.11 Security
   6.14 Link Security Versus Network Security
   Case Study 1: Secure Inter-branch Payment Transactions
   Case Study 2: Cookies and Privacy
   Summary
   Key Terms and Concepts
   Practice Set

7. User-Authentication Mechanisms
   7.1 Introduction
   7.2 Authentication Basics
   7.3 Passwords
   7.4 Authentication Tokens
   7.5 Certificate-based Authentication
   7.6 Biometric Authentication
   7.7 Kerberos
   7.8 Key Distribution Center (KDC)
   7.9 Security Handshake Pitfalls
   7.10 Single Sign On (SSO) Approaches
   7.11 Attacks on Authentication Schemes
   Case Study: Single Sign On (SSO)
   Summary
   Key Terms and Concepts
   Practice Set

8. Practical Implementations of Cryptography/Security
   8.1 Introduction
   8.2 Cryptographic Solutions using Java
   8.3 Cryptographic Solutions Using Microsoft .NET Framework
   8.4 Cryptographic Toolkits
   8.5 Web Services Security
   8.6 Cloud Security
   Summary
   Key Terms and Concepts
   Practice Set

9. Network Security, Firewalls, and Virtual Private Networks (VPN)
   9.1 Introduction
   9.2 Brief Introduction to TCP/IP
   9.3 Firewalls
   9.4 IP Security
   9.5 Virtual Private Networks (VPN)
   9.6 Intrusion
   Case Study 1: IP Spoofing Attacks
   Case Study 2: Creating a VPN
   Summary
   Key Terms and Concepts
   Practice Set

Appendices
   A. Mathematical Background
   B. Number Systems
   C. Information Theory
   D. Real-life Tools
   E. Web Resources
   F. A Brief Introduction to ASN, BER, DER

References
Index

PREFACE

This book has already been used by thousands of students, teachers, and IT professionals in its past edition. There is no change in the intended audience for this book. It is aimed at the same audience in the given order. The book can be used for any graduate/postgraduate course involving computer security/cryptography as a subject. It aims to explain the key concepts in cryptography to anyone who has a basic understanding of computer science and networking concepts. No other assumptions are made.
The new edition is updated to cover certain topics in the syllabi which were found to be covered inadequately in the earlier editions.

Computer and network security is one of the most crucial areas today. With so many attacks happening on all kinds of computer systems and networks, it is imperative that the subject be understood by students who are going to be the IT professionals of the future. Consequently, topics such as Cloud security and Web services security have been added to this edition. The main focus of the book is to explain every topic in a very lucid fashion with plenty of diagrams. All technical terms are explained in detail.

SALIENT FEATURES

● Uses a bottom-up approach: Cryptography → Network Security → Case Studies
● Inclusion of new topics: IEEE 802.11 Security, ElGamal Cryptography, Cloud Security and Web Services Security
● Improved treatment of Ciphers, Digital Signatures, SHA-3 Algorithm
● Practical orientation of the subject to help students for real-life implementation of the subject through integrated case studies
● Refreshed pedagogy includes
  ■ 150 Design/Programming Exercises
  ■ 160 Exercises
  ■ 170 Multiple-Choice Questions
  ■ 530 Illustrations
  ■ 10 Case Studies

CHAPTER ORGANIZATION

The organization of the book is as follows:

Chapter 1 introduces the basic concepts of security. It discusses the need for security, the principles of security and the various types of attacks on computer systems and networks. We discuss both the theoretical concepts behind all these aspects, as well as the practical issues and examples of each one of them. This will cement our understanding of security. Without understanding why security is required, and what is under threat, there is no point in trying to understand how to make computer systems and networks secure. A new section on wireless network attacks has been included. Some obsolete material on cookies and ActiveX controls has been deleted.

Chapter 2 introduces the concept of cryptography, the fundamental building block of computer security. Cryptography is achieved by using various algorithms. All these algorithms are based on either substitution of plain text with some cipher text, or by using certain transposition techniques, or a combination of both. The chapter then introduces the important terms of encryption and decryption. Playfair cipher and Hill cipher are covered in detail. The Diffie-Hellman Key Exchange coverage is expanded, and types of attacks are covered in detail.

Chapter 3 discusses the various issues involved in computer-based symmetric-key cryptography. We discuss stream and block cipher and the various chaining modes. We also discuss the chief symmetric-key cryptographic algorithms in great detail, such as DES, IDEA, RC5 and Blowfish. The Feistel cipher is covered in detail. Discussions related to the security of DES and attacks on the algorithm are expanded. Similarly, the security issues pertaining to AES are also covered.

Chapter 4 examines the concepts, issues and trends in asymmetric-key cryptography. We go through the history of asymmetric-key cryptography. Later, we discuss the major asymmetric-key cryptographic algorithms, such as RSA, MD5, SHA, and HMAC. We introduce several key terms, such as message digests and digital signatures in this chapter. We also study how best we can combine symmetric-key cryptography with asymmetric-key cryptography. Security issues pertaining to RSA algorithm are included. The ElGamal Cryptography and ElGamal Digital Signature schemes are covered. SHA-3 algorithm is introduced. Issues pertaining to RSA digital signature are covered.

Chapter 5 talks about the upcoming popular technology of Public Key Infrastructure (PKI). Here, we discuss what we mean by digital certificates, how they can be created, distributed, maintained and used. We discuss the role of Certification Authorities (CA) and Registration Authorities (RA).
We also introduce the Public Key Cryptography Standards (PKCS). Some obsolete topics such as roaming digital certificates and attribute certificates are removed.

Chapter 6 deals with the important security protocols for the Internet. These protocols include SSL, SHTTP, TSP, SET and 3D-Secure. We also discuss how electronic money works, what are the dangers involved therein and how best we can make use of it. An extensive coverage of email security is provided with a detailed discussion of the key email security protocols, such as PGP, PEM and S/MIME. We also discuss wireless security here. The obsolete SET protocol is reduced. Discussion on 3-D Secure is expanded. Electronic money is completely removed. DomainKeys Identified Mail (DKIM) is covered. Security in IEEE 802.11 (WiFi) is discussed in detail.

Chapter 7 tells us how to authenticate a user. There are various ways to do this. The chapter examines each one of them in significantly great detail and addresses their pros and cons. We discuss password-