Table Of ContentCryptography
and
Network Security
Third Edition
About the Author
Atul Kahate has over 17 years of experience in Information Technology in
India and abroad in various capacities. He currently works as Adjunct
Professor in Computer Science in Pune University and Symbiosis Internation-
al University. His last IT employment was as Consulting Practice Director at
Oracle Financial Services Software Limited (earlier known as i-flex solutions
limited). He has conducted several training programs/seminars in institutions
such as IIT, Symbiosis, Pune University, and many other colleges.
A prolific writer, Kahate is also the author of 38 books on Computer Science,
Science, Technology, Medicine, Economics, Cricket, Management, and History.
Books such as Web Technologies, Cryptography and Network Security, Operating Systems, Data Com-
munications and Networks, An Introduction to Database Management Systems are used as texts in
several universities in India and many other countries. Some of these have been translated into Chinese.
Atul Kahate has won prestigious awards such as Computer Society of India’s award for contribution to
IT literacy, Indradhanu’s Yuvonmesh Puraskar, Indira Group’s Excellence Award, Maharashtra Sahitya
Parishad’s “Granthakar Puraskar”, and several others.
He has appeared on quite a few programmes on TV channels such as Doordarshan’s Sahyadri channel,
IBN Lokmat, Star Maaza, and Saam TV related to IT, education, and careers. He has also worked as
official cricket scorer and statistician in several international cricket matches.
Besides these achievements, he has written over 4000 articles and various columns on IT, cricket,
science, technology, history, medicine, economics, management, careers in popular newspapers/
magazines such as Loksatta, Sakal, Maharashtra Times, Lokmat, Lokprabha, Saptahik Sakal, Divya
Marathi, and others.
C
ryptography
and
N S
etwork ecurity
Third Edition
Atul Kahate
Adjunct Professor
Pune University and Symbiosis International University
Author in Computer Science
McGraw Hill Education (India) Private Limited
NEW DELHI
McGraw Hill Education Offices
New Delhi NewYork St Louis SanFrancisco Auckland Bogotá Caracas
Kuala Lumpur Lisbon London Madrid Mexico City Milan Montreal
San Juan Santiago Singapore Sydney Tokyo Toronto
McGraw Hill Education (India) Private Limited
Published by McGraw Hill Education (India) Private Limited
P-24, Green Park Extension, New Delhi 110 016
Cryptography and Network Security, 3/e
Copyright © 2013, 2008, 2003, by McGraw Hill Education (India) Private Limited
No part of this publication may be reproduced or distributed in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise or stored in a database or retrieval system without the prior written permis-
sion of the publishers. The program listings (if any) may be entered, stored and executed in a computer system, but
they may not be reproduced for publication.
This edition can be exported from India only by the publishers,
McGraw Hill Education (India) Private Limited,
ISBN 13: 978-1-25-902988-2
ISBN 10: 1-25-902988-3
Vice President and Managing Director: Ajay Shukla
Head—Higher Education (Publishing and Marketing): Vibha Mahajan
Publishing Manager (SEM & Tech. Ed.): Shalini Jha
Asst. Sponsoring Editor: Smruti Snigdha
Editorial Researcher: Sourabh Maheshwari
Manager—Production Systems: Satinder S Baveja
Asst. Manager—Editorial Services: Sohini Mukherjee
Sr. Production Manager: P L Pandita
Asst. General Manager (Marketing)—Higher Education: Vijay Sarathi
Sr. Product Specialist (SEM & Tech. Ed.): Tina Jajoriya
Sr. Graphic Designer (Cover): Meenu Raghav
General Manager—Production: Rajender P Ghansela
Manager—Production:Reji Kumar
Information contained in this work has been obtained by McGraw Hill Education (India), from sources believed
to be reliable. However, neither McGraw Hill Education (India) nor its authors guarantee the accuracy or
completeness of any information published herein, and neither McGraw Hill Education (India) nor its authors
shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is
published with the understanding that McGraw Hill Education (India) and its authors are supplying informa-
tion but are not attempting to render engineering or other professional services. If such services are required,
the assistance of an appropriate professional should be sought.
Typeset at The Composers, 260, C.A. Apt., Paschim Vihar, New Delhi 110 063, and printed at
SDR Printers, A-28, West Jyoti Nagar, Loni Road, Shadara, Delhi 110 094
Cover: SDR
RYZCRRLORQLLD
CONTENTS
Preface ix
Important Terms and Abbreviations xiii
1. Introduction to the Concepts of Security 1
1.1 Introduction 1
1.2 The Need for Security 2
1.3 Security Approaches 6
1.4 Principles of Security 8
1.5 Types of Attacks 12
Summary 27
Key Terms and Concepts 28
Practice Set 29
2. Cryptography Techniques 32
2.1 Introduction 32
2.2 Plain Text and Cipher Text 33
2.3 Substitution Techniques 36
2.4 Transposition Techniques 47
2.5 Encryption and Decryption 51
2.6 Symmetric and Asymmetric Key Cryptography 53
2.7 Steganography 64
2.8 Key Range and Key Size 65
2.9 Possible Types of Attacks 68
Case Study: Denial of Service (DOS) Attacks 72
Summary 74
Key Terms and Concepts 75
Practice Set 76
3. Computer-based Symmetric Key Cryptographic Algorithms 80
3.1 Introduction 80
3.2 Algorithm Types and Modes 80
3.3 An Overview of Symmetric-Key Cryptography 92
3.4 Data Encryption Standard (DES) 94
vi Contents
3.5 International Data Encryption Algorithm (IDEA) 108
3.6 RC4 116
3.7 RC5 118
3.8 Blowfish 127
3.9 Advanced Encryption Standard (AES) 130
Case Study: Secure Multiparty Calculation 141
Summary 142
Key Terms and Concepts 144
Practice Set 145
4. Computer-based Asymmetric-Key Cryptography Algorithms 148
4.1 Introduction 148
4.2 Brief History of Asymmetric-Key Cryptography 148
4.3 An Overview of Asymmetric-Key Cryptography 149
4.4 The RSA Algorithm 151
4.5 ElGamal Cryptography 157
4.6 Symmetric- and Asymmetric-Key Cryptography 158
4.7 Digital Signatures 162
4.8 Knapsack Algorithm 193
4.9 ElGamal Digital Signature 194
4.10 Attacks on Digital Signatures 194
4.11 Problems with the Public-Key Exchange 195
Case Study 1: Virtual Elections 197
Case Study 2: Contract Signing 198
Summary 199
Key Terms and Concepts 200
Practice Set 200
5. Public Key Infrastructure (PKI) 204
5.1 Introduction 204
5.2 Digital Certificates 205
5.3 Private-Key Management 234
5.4 The PKIX Model 236
5.5 Public Key Cryptography Standards (PKCS) 238
5.6 XML, PKI and Security 244
Case Study: Cross Site Scripting Vulnerability (CSSV) 256
Summary 258
Key Terms and Concepts 259
Practice Set 260
6. Internet-Security Protocols 263
6.1 Introduction 263
6.2 Basic Concepts 263
6.3 Secure Socket Layer (SSL) 271
6.4 Transport Layer Security (TLS) 282
6.5 Secure Hyper Text Transfer Protocol (SHTTP) 282
6.6 Secure Electronic Transaction (SET) 283
Contents vii
6.7 SSL Versus SET 295
6.8 3-D Secure Protocol 296
6.9 Email Security 299
6.10 Wireless Application Protocol (WAP) Security 319
6.11 Security in GSM 322
6.12 Security in 3G 324
6.13 IEEE 802.11 Security 327
6.14 Link Security Versus Network Security 331
Case Study 1: Secure Inter-branch Payment Transactions 331
Case Study 2: Cookies and Privacy 335
Summary 336
Key Terms and Concepts 338
Practice Set 339
7. User-Authentication Mechanisms 342
7.1 Introduction 342
7.2 Authentication Basics 342
7.3 Passwords 343
7.4 Authentication Tokens 356
7.5 Certificate-based Authentication 366
7.6 Biometric Authentication 372
7.7 Kerberos 374
7.8 Key Distribution Center (KDC) 380
7.9 Security Handshake Pitfalls 381
7.10 Single Sign On (SSO) Approaches 390
7.11 Attacks on Authentication Schemes 391
Case Study: Single Sign On (SSO) 392
Summary 395
Key Terms and Concepts 396
Practice Set 397
8. Practical Implementations of Cryptography/Security 400
8.1 Introduction 400
8.2 Cryptographic Solutions using Java 401
8.3 Cryptographic Solutions Using Microsoft .NET Framework 408
8.4 Cryptographic Toolkits 410
8.5 Web Services Security 411
8.6 Cloud Security 413
Summary 414
Key Terms and Concepts 415
Practice Set 416
9. Network Security, Firewalls, and Virtual Private Networks (VPN) 418
9.1 Introduction 418
9.2 Brief Introduction to TCP/IP 418
9.3 Firewalls 423
9.4 IP Security 440
viii Contents
9.5 Virtual Private Networks (VPN) 458
9.6 Intrusion 461
Case Study 1: IP Spoofing Attacks 464
Case Study 2: Creating a VPN 466
Summary 467
Key Terms and Concepts 468
Practice Set 469
Appendices 472
A. Mathematical Background 472
B. Number Systems 481
C. Information Theory 486
D. Real-life Tools 488
E. Web Resources 489
F. A Brief Introduction to ASN, BER, DER 492
References 497
Index 499
PREFACE
This book has already been used by thousands of students, teachers, and IT professionals in its past
edition. There is no change in the intended audience for this book. It is aimed at the same audience
in the given order. The book can be used for any graduate/postgraduate course involving computer
security/cryptography as a subject. It aims to explain the key concepts in cryptography to anyone
who has basic understanding in computer science and networking concepts. No other assumptions are
made. The new edition is updated to cover certain topics in the syllabi which were found to be covered
inadequately in the earlier editions.
Computer and network security is one of the most crucial areas today. With so many attacks happening
on all kinds of computer systems and networks, it is imperative that the subject be understood by stu-
dents who are going to be the IT professionals of the future. Consequently, topics such as Cloud secu-
rity, and Web services security have been added to this edition. The main focus of the book is to explain
every topic in a very lucid fashion with plenty of diagrams. All technical terms are explained in detail.
SALIENT FEATURES
● Uses a bottom-up approach: CryptographyÆ Network Security Æ Case Studies
● Inclusion of new topics: IEEE 802.11Security, Elgamal Cryptography, Cloud Security and Web
Services Security
● Improved treatment of Ciphers, Digital Signatures, SHA-3 Algorithm
● Practical orientation of the subject to help students for real-life implementation of the subject
through integrated case studies
● Refreshed pedagogy includes
■ 150 Design/Programming Exercises
■ 160 Exercises
■ 170 Multiple-Choice Questions
■ 530 Illustrations
■ 10 Case Studies
x Preface
CHAPTER ORGANIZATION
The organization of the book is as follows:
Chapter 1 introduces the basic concepts of security. It discusses the need for security, the principles
of security and the various types of attacks on computer systems and networks. We discuss both the
theoretical concepts behind all these aspects, as well as the practical issues and examples of each one of
them. This will cement our understanding of security. Without understanding why security is required,
and what is under threat, there is no point in trying to understand how to make computer systems and
networks secure. A new section on wireless network attacks has been included. Some obsolete material
on cookies and ActiveX controls has been deleted.
Chapter 2 introduces the concept of cryptography, the fundamental building block of computer
security. Cryptography is achieved by using various algorithms. All these algorithms are based on
either substitution of plain text with some cipher text, or by using certain transposition techniques, or
a combination of both. The chapter then introduces the important terms of encryption and decryption.
Playfair cipher and Hill cipher are covered in detail. The Diffie-Hellman Key Exchange coverage is
expanded, and types of attacks are covered in detail.
Chapter 3 discusses the various issues involved in computer-based symmetric-key cryptography. We
discuss stream and block cipher and the various chaining modes. We also discuss the chief symmetric-
key cryptographic algorithms in great detail, such as DES, IDEA, RC5 and Blowfish. The Feistel
cipher is covered in detail. Discussions related to the security of DES and attacks on the algorithm are
expanded. Similarly, the security issues pertaining to AES are also covered.
Chapter 4 examines the concepts, issues and trends in asymmetric-key cryptography. We go through
the history of asymmetric-key cryptography. Later, we discuss the major asymmetric-key cryptograph-
ic algorithms, such as RSA, MD5, SHA, and HMAC. We introduce several key terms, such as message
digests and digital signatures in this chapter. We also study how best we can combine symmetric-
key cryptography with asymmetric-key cryptography. Security issues pertaining to RSA algorithm are
included. The ElGamal Cryptography and ElGamal Digital Signature schemes are covered. SHA-3
algorithm is introduced. Issues pertaining to RSA digital signature are covered.
Chapter 5 talks about the upcoming popular technology of Public Key Infrastructure (PKI). Here, we
discuss what we mean by digital certificates, how they can be created, distributed, maintained and used.
We discuss the role of Certification Authorities (CA) and Registration Authorities (RA). We also intro-
duce the Public Key Cryptography Standards (PKCS). Some obsolete topics such as roaming digital
certificates and attribute certificates are removed.
Chapter 6 deals with the important security protocols for the Internet. These protocols include
SSL, SHTTP, TSP, SET and 3D-Secure. We also discuss how electronic money works, what are the
dangers involved therein and how best we can make use of it. An extensive coverage of email security is
provided with a detailed discussion of the key email security protocols, such as PGP, PEM and
S/MIME. We also discuss wireless security here. The obsolete SET protocol is reduced. Discussion
on 3-D Secure is expanded. Electronic money is completely removed. DomainKeys Identified Mail
(DKIM) is covered. Security in IEEE 802.11 (WiFi) is discussed in detail.
Chapter 7 tells us how to authenticate a user. There are various ways to do this. The chapter examines
each one of them in significantly great detail and addresses their pros and cons. We discuss password-
