The following report is written for Avonmore Tertiary Institute as part of the assessment on Advanced Network Security. The report is divided into four topics, which explain the relationship between cryptography and today's network security.
Topic 1 gives an introduction to and a brief history of cryptography. Topic 2 describes the two modern types of cryptography, including some cryptographic techniques (e.g. DES, AES, RSA, DH). This topic also shows how asymmetric cryptography differs from symmetric cryptography, and covers the objectives and applications of cryptography. Topic 3 is based on browsing security and the network security protocols that are widely used on the Web and in Virtual Private Networks (VPNs). The fourth and last topic is dedicated to authentication techniques in Windows Server, with a brief description of each.
This whole document looks into how present IT industries secure their databases and Networking Interaction with the help of Cryptography.
Cryptography and Network Security
Cryptography and Network Security is the concept of securing data transmission over wireless networks. The main purpose of network security is to keep attackers from causing data leakage during transmission. Network security is a challenging matter of concern in data communications today. Its primary uses are to secure the communication channel, to apply strong data encryption techniques and to securely maintain trusted third-party databases. The former methods used in cryptography are now easily broken, which led researchers to look for new, strong methods of encryption and decryption that cannot be broken even by modern computers.
Traditional cryptography was used to pass encrypted messages between parties to ensure communication privacy. Put simply, traditional cryptography used a substitution or transposition method to create a coded message, called cipher text, from plain text. The first substitution cipher was the Caesar cipher, in which each character in the plain text was replaced by the character a fixed number of positions further down the alphabet. Encryption is used to transform a readable message (plain text) into an unreadable or hidden message (cipher text). Someone who possesses a secret key can convert the cipher text back into its original plain text.
Anyone who can obtain both the cipher text of a coded message and the secret key can view secret communications. This person can impersonate the originator and send false messages to the recipients. Therefore, cryptography must provide reliable and secure methods for sharing decoding keys, while keeping them inaccessible to unauthorized parties. Others might know the algorithm (cipher) used to code a message and might have access to the hidden message, but only authorized recipients are able to decrypt the contents of the message with the shared secret key. Cryptography also ensures that the sender is authenticated and that messages have not been intercepted or altered during communication.
Modern cryptography uses complex mathematical algorithms and other techniques to provide network and information security. These techniques include
Message digest functions
Hashed Message Authentication Code (HMAC) functions
Secret key exchange algorithms
Topic 2: Modern Cryptography
In modern cryptography the two important methods are Symmetric Cryptography (Secret Key Cryptography) and Asymmetric Cryptography (Public Key Cryptography).
Symmetric Cryptography: In symmetric cryptography a common key is shared by both sender and receiver. A single key is used for both encryption and decryption. This key is called a Private Key. The private key is kept secret and is not accessible to the public. Symmetric cryptography is the faster and simpler way, but sharing the private key is a great concern due to the risk of theft or replacement of the key during the sharing process.
Figure 1 shows Symmetric Cryptography Concept.
[Figure 1: Symmetric Cryptography. Plain Text to Cipher Text to Plain Text, using the Private Key (Shared Secret).]
There are two types of ciphers used in Symmetric key cryptography or Private-key cryptography.
Block Cipher: In this type of encryption the data are encrypted in blocks of more than a bit or a byte (e.g. 64 bits or 128 bits) at a time. Examples are DES, 3DES, AES, RC2, RC5, IDEA, Blowfish and Twofish.
DES (Data Encryption Standard): The best-known symmetric-key block cipher is the Data Encryption Standard (DES), which was the first commercially available algorithm put into use in the 1970s. It was developed by IBM, and NIST adopted it in 1977.
As per the U.S. government's official documents, the plain text is divided into data blocks of 64 bits, which are processed in both the encryption and the decryption method, while a key length of 56 bits is used. The plain text goes through 16 iterations, each producing an intermediate value that is used in the next iteration.
Nowadays, DES is too easy to crack because its key length is very small.
3DES (Triple DES): 3DES is an alternative to DES and uses multiple encryptions with DES and multiple keys.
With three distinct keys, 3DES has an effective key length of 168 (56 * 3) bits, so it is essentially immune to brute force attacks.
The principal drawback of the 3DES method is its sluggishness in software, which opened the gates to finding a new alternative.
AES (Advanced Encryption System): In 1997, NIST initiated a public process to develop a new secure cryptosystem for U.S. government applications. As a result, an 'Advanced Encryption System' came into existence in 2001 as a successor of DES. AES was designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen, so it is also known as the Rijndael cryptosystem.
AES uses a block size of 128 bits (16 bytes) and a key length of 128, 192 or 256 bits. For a key size of 128 bits this method uses 10 rounds, for 192 bits it uses 12 rounds, and for a key size of 256 bits it uses 14 rounds, which makes it almost impossible to crack using today's supercomputers.
The four transformations used in each round are:
Add Round Key
IDEA (International Data Encryption Algorithm): It was perceived as the strongest cryptographic method in 1991 by the Swiss Federal Institute of Technology. However, a licence is necessary to use it in commercial applications, which made it less famous than DES. It uses a 64-bit data block and a 128-bit key, with 8 complex rounds in the process.
RC5: It was developed by Ron Rivest. It uses simple mathematical operations (e.g. AND, XOR, shift). The notable feature of RC5 is that one can use a variable block size, number of rounds and key size, in multiples of 8 bits.
Blowfish: It was developed in 1993 by Bruce Schneier. This method is easy to implement and its main feature is its tremendous speed. This method can use a key size of up to 448 bits.
Twofish: This method is closely related to Blowfish. It uses a block size of 128 bits and a key size of up to 256 bits. Its main feature is a unique key scheduling process, though this makes the process a little slower than AES.
Stream Cipher: In this type of encryption the data are encrypted one bit at a time. Due to the absence of a buffering process, this mode of symmetric encryption is faster than the former one. Examples are RC4 and SEAL.
RC4: It is a well-known stream cipher. Ron Rivest introduced RC4 (Rivest Cipher 4) in 1987. SSL and WEP are techniques which adopted RC4 for secure communications.
RC4 uses a variable key length and byte-oriented ciphers. The only problem in this process is the difficulty of key scheduling. Commercial firms like Oracle SQL and Microsoft Windows widely use this technique.
Asymmetric Cryptography: In asymmetric cryptography two keys (a Public Key and a Private Key) are used. Asymmetric cryptography avoids the distribution of a private key between sender and receiver, and thus solves the drawback of symmetric cryptography.
A user who wants to send an encrypted message can get the intended recipient's public key from a public administrator. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to. This process is known as a public key infrastructure. The process is also applicable in reverse, as the public administrator can encrypt the message using the private key and the recipient can decrypt it using the public key.
The basic idea behind asymmetric cryptography is the use of two irreversible mathematical processes in opposite directions.
The general scheme of key distribution is shown in Figure 2.
[Figure 2: Asymmetric Cryptography. Public Administrator (Sender) with the Private Key: Plain Text to Cipher Text; Public Key distributed "To Public"; Recipient with the Public Key: Cipher Text to Plain Text.]
The public key infrastructure (PKI) revolutionized cryptography and formed the basis for secure e-mail, e-commerce and many other information exchanges. Throughout the development of PKI, new algorithms like RSA and DH have been developed and refined, which offer higher security and better performance, resulting in an improved ability to defend against the growing modern security threat.
The two most common asymmetric cryptography techniques are RSA and DH.
RSA: RSA stands for Rivest, Shamir and Adleman, who publicly announced this asymmetric cryptographic method in 1977. The main idea was that finding two large prime numbers is easy, but finding the two particular factors of the product of these two prime numbers is nearly impossible.
RSA offers increased security and convenience in key management, as it is a public key cryptosystem, but it is very slow compared to DES. RSA usually includes a padding process, so the resulting encryption can have a large number of cipher text combinations, which makes this process less immune to dictionary attacks.
The security of the RSA algorithm depends on the ability of the hacker to factorise numbers. Newer, faster and better methods for factoring numbers are constantly being invented. A number of a small length that was unimaginable to factorise a mere decade ago is now factorised easily. Obviously, the larger the number is, the harder it is to factorise, and so the better the security of RSA. As more sophisticated supercomputers are developed day by day, it is necessary to use longer keys. The disadvantage of using extremely long keys, however, is the computational overhead involved in encryption and decryption.
DH (Diffie-Hellman): The DH name stands for Whitfield Diffie and Martin Hellman, who discovered this algorithm in 1976. This method is 100 times faster in software and up to 10,000 times faster in hardware compared to RSA. RSA is based on the difficulty of factorization, whereas DH is based on the difficulty of calculating discrete logarithms.
DH was originally designed for key exchange. In this system, both sender and receiver create the session key to exchange data without having to remember or store the key for future use.
Here two numbers, p and g, are chosen, where p is a large prime number and g is randomly generated, and K = g^(xy) mod p is the shared secret key. The sender picks a random number x and calculates R1 = g^x mod p, and the receiver picks a random number y and calculates R2 = g^y mod p. To get the key, the sender sends R1 to the receiver and the receiver sends R2 to the sender.
The sender calculates K = (R2)^x mod p and the receiver calculates K = (R1)^y mod p, where K is the secret key.
Thus, the key is K = (R2)^x mod p = (R1)^y mod p = g^(xy) mod p. Here the transfer of R1 and R2 is done by symmetric key cryptography. This exchange is very susceptible to man-in-the-middle attack.
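The exchange above, carried through in Python as an added example (not part of the original essay). The prime p = 2^127 - 1, the generator g = 3, the range check on received values and the fingerprint comparison are assumptions chosen for illustration; the parameters are far too small for real use. The second function models a party that substitutes its own value for R1 and R2, and shows that comparing a digest of K over a separate channel exposes the mismatch.

```python
import hashlib
import secrets

# Toy parameters (assumption for illustration): 2**127 - 1 is a Mersenne prime.
P = 2**127 - 1
G = 3


def keypair(p=P, g=G):
    """Pick a private exponent and compute the public value R = g^x mod p."""
    x = secrets.randbelow(p - 3) + 2           # 2 <= x <= p - 2
    return x, pow(g, x, p)


def check_public(r, p=P):
    """Reject degenerate received values (0, 1, p-1) that make K guessable."""
    if not 1 < r < p - 1:
        raise ValueError("public value out of range")
    return r


def shared_key(own_private, peer_public, p=P):
    """K = (peer's R)^(own private exponent) mod p."""
    return pow(check_public(peer_public, p), own_private, p)


def fingerprint(k):
    """Short digest of K that both users can compare over a separate channel."""
    return hashlib.sha256(k.to_bytes(16, "big")).hexdigest()[:16]


def honest_exchange():
    """Sender and receiver swap R1 and R2 directly."""
    x, r1 = keypair()                          # sender
    y, r2 = keypair()                          # receiver
    k_sender = shared_key(x, r2)               # (R2)^x mod p
    k_receiver = shared_key(y, r1)             # (R1)^y mod p
    return k_sender, k_receiver, pow(G, x * y, P)


def interposed_exchange():
    """A third party replaces both R1 and R2 with its own value R3.

    Each side still derives a key without error, which is why the
    exchange needs authentication: the two keys no longer match.
    """
    x, _r1 = keypair()                         # sender
    y, _r2 = keypair()                         # receiver
    _z, r3 = keypair()                         # substituted value
    k_sender = shared_key(x, r3)
    k_receiver = shared_key(y, r3)
    return fingerprint(k_sender), fingerprint(k_receiver)


if __name__ == "__main__":
    ks, kr, expected = honest_exchange()
    print("honest keys match:", ks == kr == expected)
    fs, fr = interposed_exchange()
    print("fingerprints after substitution:", fs, fr)
```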
Comparison of Symmetric and Asymmetric Cryptography:
Fast and allows large data transmission with less time
Smaller key sizes are considered weak and are more vulnerable to attack
Availability
Algorithms used to encode data are freely available
Absence of Authenticity and Non-repudiation.
Very difficult to break encoded data using large key sizes
Key Distribution is major problem as same key is required for both encryption and decryption.
Robustly resists brute force attacks.
Since a unique symmetric key must be used between the sender and each recipient, number of keys grows geometrically with the number of users
Requires less computing power
Unique private and public key distribution is major strength in key security
Transmission of encrypted data is slower compared to symmetric key cryptography
Uses Digital Certificates or Time Stamps which is very secure
Difficult to transmit large size of documents
Provides Authenticity and Non-repudiation along with Integrity, Confidentiality and Availability.
The key size must be significantly larger to achieve same level of protection as symmetric key cryptography
This cryptography style is susceptible to man-in-the-middle attack and brute force attack.
Objectives of Cryptographic Security in IT Industry and Computing
Symmetric Cryptography is used in IT industries to provide Availability, Confidentiality, Integrity and Access-control.
In addition to above applications Asymmetric Cryptography provides Authenticity and Non-repudiation facilities in IT industries.
The main objectives of Cryptography in Information Security are described below:
To understand these objectives, let us assume that a person A wants to send important documents to a person B by hiding them in a password-secured zip file sent via email. Also, person B somehow already possesses the password of that zip file:
Availability: Ensures that data is accessible to authorized users; to that end, authorized users are provided with the decryption key to access it. In our situation, as person B possesses the password of the locked file, he can at any time unlock the file and read and download the documents by opening his email inbox.
Confidentiality: Ensures that only authorized parties can view the information, so only parties who possess the key can view the information. In our situation, only person B can view the hidden information in the documents, as he possesses the key (password) to open that file.
Integrity: Ensures that information is correct and that no unauthorized intermediate parties or malicious software have altered the data, so encrypted information cannot be changed except by authorized parties who have the decryption key. In our situation, even if an attacker hacks the email account of person B and downloads the file, he still cannot read or alter the data, as the file is password secured.
Authenticity: Provides proof that the receiving party is genuine, so cryptography proves that the user trying to view or access the data is genuine and not an attacker or impostor. In our situation, person A can be satisfied because person B is authenticated by the email server using person B's email ID and password, which proves that person B is genuine and not a third-party impostor.
Non-repudiation: Proves that the sending party has sent the information, so cryptography prevents the sender from denying that any transaction has taken place between him and the receiver. In our situation, person A cannot deny sending a file, as the email inbox shows the sender details. The documents can also identify the sender by the sender's signature or logo.
Access Control: Ensures what information can be accessed by whom, so cryptography can provide separate keys to two receivers with different privileges, through which one receiver can only read the data while the other can both read and edit the data. In our situation, person A can send the same zip file to a person C, who has been provided with a different password from person B. Using this password, however, person C can only view the documents online and cannot download them.
Application of Cryptographic techniques in computing:
Nowadays, government offices (military, spies and diplomats), corporations (B2B e-commerce, proprietary plans, payroll), consumers (B2C e-commerce, confidential personal information), banks (credit card verification at ATMs, debit card verification at shops or in online commerce, Internet banking, confidential personal information), financial industries (insurance companies, loan-rendering institutions), educational institutes, hospitals and private companies hold gigs and gigs of information about their clients, consumers, employees, patients, students, etc. in their databases and PCs, or they use cloud computing for data storage. Not only do they store the data, they usually also transfer the data over networks. Defending the confidentiality and integrity of such data is a great challenge for today's IT industry.
Secure network communication, non-repudiation, message integrity, authentication methods, etc. today use cryptography and will follow new research in cryptography. Applications such as telnet, ftp and http are now gradually being replaced by ssh, sftp and https. Wireless communications now use WPA or WPA2 in place of the less secure WEP.
Topic 3: Cryptography on the web and VPN
Web or Internet security generally involves browser security, which is application layer security, and network security, which is network layer and transport layer security. The Internet is a most insecure network for communication and data storage, as information is always prone to attack by different entities. Today, leased lines and cloud computing widely use Virtual Private Networks. Authentication, confidentiality and integrity are very necessary in present-day Internet and VPN communications. Cryptography is widely used in Web applications and Virtual Private Networks in the form of different methods and protocols.
Some important protocols are listed below:
SSL or TLS: Secure Socket Layer was first introduced in 1995 by Netscape Communication Corps. It is a predecessor of Transport Layer Security and it was interposed between the application layer and the transport layer. This protocol is widely used today in Internet Explorer.
The main activities of SSL include parameter negotiation between sender and receiver, mutual authentication of sender and receiver, secret communication and information integrity. This layer accepts requests from application layer browsers and securely transfers them to the transport layer. When HTTP is used over SSL it is denoted as HTTPS (Secure HTTP), and when FTP is used over SSL it is called FTPS (Secure FTP). It can also be used with the Lightweight Directory Access Protocol (LDAP). SSL now has several versions, which are used in different applications like Internet browsing (HTTPS), mail transfer (SMTP), Voice over IP, instant messaging, etc.
SSL uses both Asymmetric cryptography for Key management and Symmetric cryptography for Confidentiality. TLS is a handshaking protocol which mostly uses SHA-1 Hashing techniques.
IPsec: IP security provides end-to-end network layer security. It was developed by the IETF to transfer packets securely in VPN infrastructure. The main applications of this protocol are to provide mutual authentication and confidentiality between sender and receiver. It also takes care of data integrity in network-to-network, host-to-host and host-to-network communications.
For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol (ISAKMP), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
The main features of IPsec include: Authentication Header (AH), Encapsulating Security Protocol (ESP), policy management, Internet Key Exchange (IKE), authentication algorithms and encryption methods. IPsec operates in two modes: Transport mode, which encrypts only the data (payload portion), and Tunnel mode, which encrypts both the header and the payload portion. Unlike SSL, which is implemented as a part of the user application, IPsec is located in the operating system or the communicating hardware.
SSH: Secure Shell is a secure alternative to Telnet for remote management in networking. It is widely used in UNIX-like command-line-based operating systems. Microsoft uses it in its Remote Desktop Management application. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user. The public key is placed on all computers that must allow access to the owner of the matching private key (the owner keeps the private key secret). While authentication is based on the private key, the key itself is never transferred through the network during authentication. SSH uses a client-server model.
SSH generally uses port 22. Along with establishing secure remote authentication it also allows secure data transfer. Secure FTP (SFTP) and Secure copy (SCP) are two common protocols associated with SSH.
PGP: Pretty Good Privacy (PGP) is one of the most widely used asymmetric cryptography methods in e-mail communication today. PGP uses 3DES or IDEA for encryption of data and the RSA asymmetric algorithm to protect the digital signature within the data. PGP generates a random symmetric key and uses it to encrypt messages; this key is then encrypted using public key cryptography and sent to or from the e-mail server using VPN.
Other important protocols used in secure web communication and VPN are Kerberos, GPG, S/MIME, etc.
Topic 4: Authentication in Windows Servers
Basic Authentication Process: Basic Authentication works with any browser type as it is part of the HTTP 1.0 specification. This authentication uses a basic mechanism based on the Base64 encoding technique, which is very insecure. Nowadays, Base64-encoded data can easily be decoded by online decoding tools. As a result, HTTP over SSL (HTTPS) or Transport Layer Security (TLS) are secure alternatives for web browsing.
Digest Authentication Process: Digest authentication is the successor of the Basic Authentication Process and it is part of the HTTP 1.1 protocol specification. Digest authentication uses a challenge/response-based authentication method, the same as New Technology LAN Manager (NTLM). One of the major strengths of Digest authentication is that it doesn't transfer the user's credentials (user name and password) in clear text over the network, like Basic authentication does, and thus doesn't require the use of SSL or TLS.
Not all browser and Web server types and versions currently support HTTP 1.1 and Digest authentication. On the Microsoft side, only IE 5.0 and later and Internet Information Services (IIS) 5.0 and later provide support. A major disadvantage of Digest authentication is that it relies on Active Directory (AD) user accounts. As a result, the user's password is stored in clear text in AD.
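The difference between the two header schemes, as an added Python example that is not part of the original essay. It builds a Basic header and decodes it again, then computes a Digest response in the form without qop (MD5 of HA1, nonce and HA2) and checks it on the server side; the account, realm, URI and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """Authorization value for Basic: Base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """Base64 is an encoding, not encryption: anyone can reverse it."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the server must hold this or the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, response):
    """Server recomputes the response for the nonce it issued and compares."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from any real system.
USER, REALM, PASSWORD = "alice", "intranet", "S3cret!"
NONCE_1, NONCE_2 = "5f2b9c01", "a81d44e7"

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", decode_basic(hdr))
    resp = digest_response(ha1(USER, REALM, PASSWORD), "GET", "/reports", NONCE_1)
    print("Digest response:", resp)
    print("valid for a new nonce:",
          server_accepts(ha1(USER, REALM, PASSWORD), "GET", "/reports", NONCE_2, resp))
```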
Integrated Windows Authentication: Integrated Windows Authentication consists of two authentication protocols: NTLM and Kerberos. Integrated Windows Authentication calls on three different Security Support Providers (SSPs): the Kerberos, NTLM, and Negotiate SSPs. These protocols and SSPs are the ones typically available and used on Windows networks. However, instead of using the remote procedure call (RPC) protocol, IIS uses HTTP to transport Integrated Windows authentication messages in a Web environment.
As with Digest authentication, Integrated Windows authentication never transmits the password in the clear text and therefore, doesn't require the use of SSL or TLS. One consideration to keep in mind when using this authentication method is that because the Negotiate SSP and the NTLM authentication protocol both require a point-to-point connection between the browser and the Web server, neither one will work across HTTP proxies.
Unlike Basic authentication, initially, Windows does not prompt users for a user name and password. The current Windows user information on the client computer is supplied to the server through a cryptographic exchange involving hashing (e.g. LM hash, NTLM hash). If the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password.
The LM (LAN Manager) hash is considered a very weak function for storing passwords. The two disadvantages of the LM hash are: first, the LM hash is not case-sensitive, and second, the LM hash separates the password into two seven-character parts. To address the security issues in the LM hash, Microsoft introduced New Technology LAN Manager (the NTLM hash).
NTLM has overcome all the vulnerabilities of LM, but its original version had weak cryptographic methods. Microsoft advises against using NTLM any more and has introduced more secure versions like NTLM v2, which uses HMAC and MD5 hashes.
NTLM (Challenge / Response Model):
NTLM is the authentication protocol used on networks that include systems running the Windows Servers and on stand-alone systems.
The Microsoft Kerberos security package adds greater security than NTLM to systems on a network. Although Microsoft Kerberos is the protocol of choice, NTLM is still supported. NTLM must also be used for logon authentication on stand-alone systems.
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.
Interactive NTLM authentication over a network typically involves two systems: a client system, where the user is requesting authentication, and a domain controller, where information related to the user's password is kept. Noninteractive authentication, which may be required to permit an already logged-on user to access a resource such as a server application, typically involves three systems: a client, a server, and a domain controller that does the authentication calculations on behalf of the server.
The following steps present an outline of NTLM noninteractive authentication. The first step provides the user's NTLM credentials and occurs only as part of the interactive authentication (logon) process.
1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
2. The client sends the user name to the server.
3. The server generates a 16-byte random number (NTLMv2), called a challenge, and sends it to the client.
4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
5. The server sends the following three items to the domain controller:
   Challenge sent to the client
   Response received from the client
6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
Because NTLM does not provide for server authentication, applications that use NTLM are susceptible to attacks from spoofed servers.
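The three-party flow outlined above, as an added Python model that is not part of the original essay and is not the NTLM algorithm itself: SHA-256 stands in for the password hash and HMAC-SHA-256 for the "encrypt the challenge with the hash" step, and the class names and sample account are assumptions. It shows the password never crossing the wire, a wrong password failing at the domain controller, and an old response being rejected against a fresh challenge.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    """Stand-in for the one-way password hash kept by client and DC."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def make_response(pw_hash, challenge):
    """Stand-in for 'encrypt the challenge with the password hash'."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self):
        self._sam = {}                       # user name -> password hash

    def add_user(self, user, password):
        self._sam[user] = password_hash(password)

    def verify(self, user, challenge, response):
        """Steps 6-7: recompute from the stored hash and compare."""
        stored = self._sam.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(make_response(stored, challenge), response)


class Server:
    def __init__(self, dc):
        self._dc = dc
        self._pending = {}                   # user name -> outstanding challenge

    def new_challenge(self, user):
        """Step 3: 16 random bytes, remembered for exactly one attempt."""
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def finish(self, user, response):
        """Step 5: forward user name, challenge and response to the DC."""
        challenge = self._pending.pop(user, None)
        return challenge is not None and self._dc.verify(user, challenge, response)


class Client:
    def __init__(self, user, password):
        self.user = user
        self._hash = password_hash(password)  # step 1: password is discarded

    def answer(self, challenge):
        """Step 4: only the keyed result leaves the client."""
        return make_response(self._hash, challenge)


def demo():
    dc = DomainController()
    dc.add_user("alice", "correct horse")    # constructed sample account
    server = Server(dc)

    alice = Client("alice", "correct horse")
    first = alice.answer(server.new_challenge("alice"))
    good = server.finish("alice", first)

    typo = Client("alice", "correct h0rse")
    bad = server.finish("alice", typo.answer(server.new_challenge("alice")))

    server.new_challenge("alice")            # fresh challenge issued
    replayed = server.finish("alice", first)  # old response no longer matches
    return good, bad, replayed


if __name__ == "__main__":
    print(demo())
```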
Kerberos (Client/Server Model):
In a client/server application model, clients are programs acting on behalf of users who need something done. This might be opening and using a file, accessing a mailbox, querying a database, or printing some documents. Servers are programs providing services to clients such as mail handling, query processing, file storage, and print spooling. Clients initiate any action, servers respond to that particular action. Typically, a server listens at a communications port waiting for clients to connect and ask for service.
In the Kerberos protocol model, every client/server connection begins with authentication. Client and server go through a sequence of actions designed to verify to the party on each end of the connection that the party on the other end is genuine. If authentication is successful, session setup completes and a secure client/server session is established.
The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Centre (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials. Here both client and server can also be referred to as security principals.
The Kerberos protocol assumes that transactions between clients and servers take place on an open network where most clients and many servers are not physically secure, and packets traveling along the network can be monitored and modified. The assumed environment is like today's Internet, where an attacker can easily pose a threat as either a client or a server, and can readily eavesdrop on or tamper with communications between legitimate clients and servers.
Applications of Kerberos Protocol:
Kerberos is a key protocol in providing access control in today's industries.
The most visible benefit of Kerberos for end users is "single sign-on". The user need not sign on to each application but instead can sign on to their computer once.
The Kerberos v5 authentication protocol provides a mechanism for authentication and mutual authentication between a client and a server, or between one server and another server. Today's Windows Operating Systems use Kerberos v5 as default authentication protocol.
Authentication in Microsoft Window Servers:
Microsoft introduced Kerberos in 1993 as primary authentication protocol and imported it in 1999, by considering it as an authentication protocol in Active Directory of Windows 2000 server. The Kerberos KDC services are tightly integrated with Active Directory, and all Kerberos authentication requests are processed using information provided by Active Directory.
Gradually, Microsoft has introduced a few extensions in its Kerberos implementation, and there are also some differences that can enhance interoperability with non-Windows operating systems.
A Microsoft Domain Controller (DC) introduced a Ticket Granting Service that clients use to get tickets for connecting to services, along with the standard KDC functions with an Authentication Server for initial authentication. Microsoft also supports GSS-API (Generic Security Service Application Program Interface) with Kerberos for wire-level protocol exchanges. For applications built on Windows platforms, Microsoft provided the Security Support Provider Interface (SSPI) as the native Windows interface for authentication and other security operations.
Microsoft also supports SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) for negotiating which authentication mechanisms can be supported between a client and service.
SPNEGO's most famous use is in Microsoft's "HTTP Negotiate" authentication extension. It was first imported in Internet Explorer 5.01 and IIS 5.0.
The most renowned extension to Kerberos introduced by Microsoft is the entry of the Privilege Attribute Certificate (PAC) in the authorization data field of Kerberos tickets, as specified in MS-PAC. PAC provides comprehensive access control, authentication, authorization and integrity. Slowly and gradually, Microsoft has come to fully support PKINIT (Public Key Initial Authentication) to allow clients to request initial authentication based on their certificate instead of using a pre-shared secret key (password) in PKI.
Windows NT 4.0 Server
Windows 2000 Server
Windows 2003 Server
Kerberos version 5
Windows 2008 Server
Kerberos version 5
Windows 2008 R2 Server
Kerberos version 5, NTLM SSP (128 bit min.), PKU2U SSP
Windows 2012 Server
Kerberos v5 with improved features, NTLM without any changes.