Unit V

Cryptography-
Cryptography is the study and practice of techniques for
secure communication in the presence of third parties
called adversaries.

It deals with developing and analyzing protocols which

prevents malicious third parties from retrieving information
being shared between two entities thereby following the
various aspects of information security.

Secure Communication refers to the scenario where the

message or data shared between two parties can’t be
accessed by an adversary.
• Some terminologies related to Cryptography:
• Encryption: Conversion of normal text to a random
sequence of bits.

• Key: Some amount of information is required to get the

information of the cryptographic algorithm.

• Decryption: The inverse process of encryption,

conversion of Random sequence of bits to plaintext.

• Cipher: The mathematical function, i.e. a cryptographic

algorithm which is used to convert plaintext to
ciphertext(Random sequence of bits).
Data Confidentiality, Data Integrity, Authentication and
Non-repudiation are core principles of modern-day
cryptography.

•Confidentiality refers to certain rules and guidelines

usually executed under confidentiality agreements which
ensure that the information is restricted to certain people or
places.

•Data integrity refers to maintaining and making sure that

the data stays accurate and consistent over its entire life
cycle.
•Authentication is the process of making sure that the
piece of data being claimed by the user belongs to it.

•Non-repudiation(refuse)- refers to ability to make sure

that a person or a party associated with a contract or a
communication cannot deny the authenticity of their
signature over their document or the sending of a message.
Access control:

The principle of access control is determined by role

management and rule management. Role management
determines who should access the data while rule
management determines up to what extent one can access
the data.

The information displayed is dependent on the person

who is accessing it.
Availability:
The principle of availability states that the resources will be
available to authorize party at all times. Information will
not be useful if it is not available to be accessed.

Systems should have sufficient availability of information

to satisfy the user request.
Issues of ethics and law
The following categories are used to categorize ethical
dilemmas in the security system.
Individuals’ right to access personal information is referred
to as privacy.

Property: It is concerned with the information’s owner.

Accessibility: is concerned with an organization’s right to

collect information.

Accuracy: It is concerned with the obligation of

information authenticity, fidelity, and accuracy.
Types Of Cryptography:
In general there are three types of cryptography:
Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of
message use a single common key to encrypt and decrypt
messages.
Symmetric Key Systems are faster and simpler but the
problem is that sender and receiver have to somehow
exchange key in a secure manner.

The most popular symmetric key cryptography system is

Data Encryption System(DES).
Hash Functions:
There is no usage of any key in this algorithm. A hash value
with fixed length is calculated as per the plain text which
makes it impossible for contents of plain text to be
recovered.
Many operating systems use hash functions to encrypt
passwords.
Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and
decrypt information. A public key is used for encryption
and a private key is used for decryption.

Public key and Private Key are different. Even if the public
key is known by everyone the intended receiver can only
decode it because he alone knows the private key.
Message authentication-
Message authentication is another form of security.
Similar to data encryption to ensure data confidentiality, the
message authentication data security feature.
OR
A mechanism of source used to notify the integrity of
message. Assures the data received are exactly as sent (i.e.
contain no modification, insertion ,deletion or replay)
Assures that identity of the sender is valid.
Authentication Requirements:
Revelation: It means releasing the content of the message
to someone who does not have an appropriate
cryptographic key.

Analysis of Traffic: Determination of the pattern of traffic

through the duration of connection and frequency of
connections between different parties.

Deception: Adding out of context messages from a

fraudulent source into a communication network. This will
lead to mistrust between the parties communicating and
may also cause loss of critical data.
Modification in the Content: Changing the content of a
message. This includes inserting new information or
deleting/changing the existing one.
Modification in the sequence: Changing the order of
messages between parties. This includes insertion, deletion,
and reordering of messages.
Modification in the Timings: This includes replay and
delay of messages sent between different parties. This way
session tracking is also disrupted.
Source Refusal: When the source denies being the
originator of a message.
Destination refusal: When the receiver of the message
denies the reception.
Message Authentication Functions:
All message authentication and digital signature
mechanisms are based on two functionality levels:

Lower level: At this level, there is a need for a function

that produces an authenticator, which is the value that will
further help in the authentication of a message.

Higher-level: The lower level function is used here in

order to help receivers verify the authenticity of messages.
Measures to deal with the attacks in Message
Authentication:
Each of the above attacks has to be dealt with differently.

•Message Confidentiality: To prevent the messages from

being revealed, care must be taken during the transmission
of messages. For this, the message should be encrypted
before it is sent over the network.
Message Authentication: To deal with the analysis of
traffic and deception issues, message authentication is
helpful. Here, the receiver can be sure of the real sender
and his identity.
To do this, these methods can be incorporated:
• Parties should share secret codes that can be used at the
time of identity authentication.
•Digital signatures are helpful in the authentication.
•A third party can be relied upon for verifying the
authenticity of parties
Digital Signatures: Digital signatures provide help against
a majority of these issues. With the help of digital
signatures, content, sequence, and timing of the messages
can be easily monitored. Moreover, it also prevents denial
of message transmission by the source.

Combination of protocols with Digital Signatures: This

is needed to deal with the denial of messages received.
Here, the use of digital signature is not sufficient and it
additionally needs protocols to support its monitoring.
Digital Signature-
A digital signature is a mathematical technique which
validates the authenticity and integrity of a message,
software or digital documents. It allows us to verify the
author name, date and time of signatures, and authenticate
the message contents.

The digital signature offers far more inherent security and

intended to solve the problem of tampering and
impersonation (Intentionally copy another person's
characteristics) in digital communications.
•The digital signatures are different from other electronic
signatures not only in terms of process and result, but also
it makes digital signatures more serviceable for legal
purposes.

Some electronic signatures that legally recognizable as

signatures may not be secure as digital signatures and
may lead to uncertainty and disputes.
Application of Digital Signature
The important reason to implement digital signature to
communication is:
•Authentication
•Non-repudiation
•Integrity

Authentication-
Authentication is a process which verifies the identity of a
user who wants to access the system. In the digital
signature, authentication helps to authenticate the sources
of messages.
Non-repudiation-
Non-repudiation means assurance of something that cannot
be denied. It ensures that someone to a contract or
communication cannot later deny the authenticity of their
signature on a document or in a file or the sending of a
message that they originated.

Integrity-
Integrity ensures that the message is real, accurate and
safeguards from unauthorized user modification during the
transmission.
Algorithms in Digital Signature-
A digital signature consists of three algorithms:
1. Key generation algorithm
The key generation algorithm selects private key randomly
from a set of possible private keys. This algorithm provides
the private key and its corresponding public key.

2. Signing algorithm
A signing algorithm produces a signature for the document.

•Signature verifying algorithm

•A signature verifying algorithm either accepts or rejects
the document's authenticity.
How digital signatures work?
Digital signatures are created and verified by using public
key cryptography, also known as asymmetric cryptography.
By the use of a public key algorithm, such as RSA, one can
generate two keys that are mathematically linked- one is a
private key, and another is a public key.

The user who is creating the digital signature uses their

own private key to encrypt the signature-related document.
There is only one way to decrypt that document is with the
use of signer's public key
The steps which are followed in creating a digital
signature are:
• Select a file to be digitally signed.
• The hash value of the message or file content is
calculated. This message or file content is encrypted by
using a private key of a sender to form the digital
signature.
• Now, the original message or file content along with the
digital signature is transmitted.

• The receiver decrypts the digital signature by using a

public key of a sender.
•The receiver now has the message or file content and can
compute it.

•Comparing these computed message or file content with

the original computed message. The comparison needs to
be the same for ensuring integrity.
Types of Digital Signature-
Different document processing platform supports different
types of digital signature
Certified Signatures-
The certified digital signature documents display a unique
blue ribbon across the top of the document.

The certified signature contains the name of the document

signer and the certificate issuer which indicate the
authorship and authenticity of the document.
Approval Signatures-
The approval digital signatures on a document can be used
in the organization's business workflow. They help to
optimize the organization's approval procedure. The
procedure involves capturing approvals made by us and
other individuals and embedding them within the PDF
document.

The approval signatures to include details such as an

image of our physical signature, location, date, and
official seal.
Visible Digital Signature-
The visible digital signature allows a user to sign a single
document digitally. This signature appears on a document
in the same way as signatures are signed on a physical
document.

Invisible Digital Signature-

The invisible digital signatures carry a visual indication of
a blue ribbon within a document in the taskbar. We can use
invisible digital signatures when we do not have or do not
want to display our signature but need to provide the
authenticity of the document, its integrity, and its origin.
Applications of Cryptography-
Some applications of cryptography in real life are as
follows-

•Authentication/Digital Signatures:
Authentication is any process through which one proves
and verifies certain information. Sometimes one may want
to verify the origin of a document, the identity of the
sender, the time and date a document was sent and/or
signed, the identity of a computer or user, and so on.

A digital signature is a cryptographic means through

which many of these may be verified.
Time Stamping-
Time stamping is a technique that can certify that a certain
electronic document or communication existed or was
delivered at a certain time. Time stamping uses an
encryption model called a blind signature scheme.

Blind signature schemes allow the sender to get a

message receipted by another party without revealing any
information about the message to the other party.
Electronic Money:
The definition of electronic money (also called electronic
cash or digital cash) is a term that is still evolving. It
includes transactions carried out electronically with a net
transfer of funds from one party to another, which may be
either debit or credit and can be either anonymous or
identified.

There are both hardware and software implementations.

Encryption/Decryption in email:
Email encryption is a method of securing the content of
emails from anyone outside of the email conversation
looking to obtain a participant’s information.

In its encrypted form, an email is no longer readable by a

human. Only with your private email key can your emails
be unlocked and decrypted back into the original message.
Encryption in WhatsApp-
WhatsApp uses the ‘signal’ protocol for encryption, which
uses a combination of asymmetric and symmetric key
cryptographic algorithms.

The symmetric key algorithms ensure confidentiality and

integrity whereas the asymmetric key cryptographic
algorithms help in achieving the other security goals
namely authentication and non-repudiation.
Encryption in Instagram:
Your interaction with Instagram is likely an encrypted
communication. When your phone requests data with
instagram it will use SSL/TLS over port 443 to encrypt
requests from Instagram servers and will send you data
over the same encrypted data stream.
This prevents malicious parties from eavesdropping on
the conversation between you and instagram.
Sim card Authentication-
Authentication To decide whether or not the SIM may
access the network, the SIM needs to be authenticated. A
random number is generated by the operator, and is sent to
the mobile device. Together with the secret key Ki, this
random number runs through the A3 algorithm (it is this Ki
that recently has been compromised).

The output of this calculation is sent back to the operator,

where the output is compared with the calculation that the
operator has executed himself (the operator possesses the
secret keys for all SIM cards the operator has distributed).
Firewall-
A firewall is a network security device, either hardware or
software-based, which monitors all incoming and outgoing
traffic and based on a defined set of security rules it
accepts, rejects or drops that specific traffic.
•Accept : allow the traffic
Reject : block the traffic but reply with an “unreachable
error”
Drop : block the traffic with no reply

A firewall establishes a barrier between secured internal

networks and outside untrusted network, such as the
Internet.
Location of Firewall-
How Firewall Works?
Firewall match the network traffic against the rule set
defined in its table. Once the rule is matched, associate
action is applied to the network traffic.
For example-
Rules are defined as any employee from HR department
cannot access the data from code server and at the same
time another rule is defined like system administrator can
access the data from both HR and technical department.
Rules can be defined on the firewall based on the
necessity and security policies of the organization.
Generation of Firewall
Firewalls can be categorized based on its generation.
First Generation- Packet Filtering Firewall : Packet
filtering firewall is used to control network access by
monitoring outgoing and incoming packet and allowing
them to pass or stop based on source and destination IP
address, protocols and ports. It analyses traffic at the
transport protocol layer.
It can allow or deny the packets based on unique packet
headers. Packet filtering firewall maintains a filtering
table which decides whether the packet will be forwarded
or discarded.
Second Generation- Stateful Inspection Firewall -
Stateful firewalls (performs Stateful Packet Inspection) are
able to determine the connection state of packet, unlike
Packet filtering firewall, which makes it more efficient.

It keeps track of the state of networks connection travelling

across it, such as TCP streams.
So the filtering decisions would not only be based on
defined rules, but also on packet’s history in the state
table.
Third Generation- Application Layer
Firewall : Application layer firewall can inspect and filter
the packets on any OSI layer, up to the application layer. It
has the ability to block specific content, also recognize
when certain application and protocols (like HTTP, FTP)
are being misused.

Application layer firewalls are hosts that run proxy servers.

A proxy firewall prevents the direct connection between
either side of the firewall, each packet has to pass through
the proxy. It can allow or block the traffic based on
predefined rules.
Next Generation Firewalls (NGFW) : Next Generation
Firewalls are being deployed these days to stop modern
security breaches like advance malware attacks and
application-layer attacks.

NGFW consists of Deep Packet Inspection, Application

Inspection, SSL/SSH inspection and many functionalities
to protect the network from these modern threats.
Types of Firewalls-
Firewalls are generally of two types: Host-
based and Network-based-
Host- based Firewalls : Host-based firewall is installed on
each network node which controls each incoming and
outgoing packet. It is a software application or suite of
applications, comes as a part of the operating system.

Host-based firewalls are needed because network firewalls

cannot provide protection inside a trusted network.

Host firewall protects each host from attacks and

unauthorized access.
Network-based Firewalls : Network firewall function on
network level. In other words, these firewalls filter all
incoming and outgoing traffic across the network. It
protects the internal network by filtering the traffic using
rules defined on the firewall.

A Network firewall might have two or more network

interface cards (NICs). A network-based firewall is
usually a dedicated system with proprietary software
installed.
User management-
User management (UM) is defined as the effective
management of users and their accounts, giving them
access to various IT resources like devices, applications,
systems, networks, SaaS services, storage systems, and
more.

User management enables administrators to grant access

and manage user access and control user accounts.
A user management system forms an integral part of
identity and access management (IAM) and serves as a
basic form of security.
With this exponential growth, the dependability and usability
of user management tools is becoming more of a factor when
procuring services.

So teams are looking to manage users in the most effective

and efficient way possible.
Why Do We Need User Management?
User management solves the problem of managing user
access to various resources. For example, the marketing
team generally requires access to different resources than
the accounting team.

User management enables IT administrators to manage

resources and provision users based on need and role while
keeping their digital assets secure. For end users, the tasks
of user management are often invisible to them, but the
results are not. End users want secure, frictionless access to
their IT resources so that they can get their jobs done.
User management factors-
When reviewing user management tools, it’s important to
understand two things:
1. Your integration and management needs, and

2. The ability of your cloud services to communicate

through an API. Each of these factors plays a crucial role in
the usability of the tool.
Integration is the ability to tie into existing systems
through an agent or by federation. This makes the
migration off of older systems a breeze, or at least eases
user adoption in that users can immediately use their
existing credentials in the new system.

Management includes all the features that allow you to

complete user management tasks once users are in the
system. This includes user and password storage, CRUD
(create, update, read, and delete) operations, policy
(security, password) management, attribute transformation,
and self service flows such as account recovery and
registration.
As the adoption of cloud services increase, so does the need
to manage user access via an API.

The ability to allow API communication makes your user

management tasks more accessible and increases the
efficiency and flexibility of your system.
User management system and security issues-
The implemented by the organization user management
system should not only facilitate the work of IT department
specialists, but also strengthen the security of the whole
organisation by securing access to its resources.

Eliminate weak passwords: More than 81% of all

identified breaches involve the use of a stolen or guessed
password. In other words: weak passwords are a powerful
threat to data security.
Use multi-level acceptance schemes: In this case, the
principle of limited trust applies, which means that the
granting or modification of user or application
authorizations is based on the approval of several persons
(the so-called Workflow).

Meet the internal and external control requirements:

The audit process is designed to verify whether a given
system meets both the functional requirements as well
as fully addresses any security issues.

Support the protection of sensitive and personal data:

The companies operating on the territory of the European
Union must also pay attention to GDPR requirements.
What are the Benefits of User Management?
Now that we know user management, it is now easier to
understand how user management applications solve the
riddle of managing multiple user access to various
resources.
Through UM, IT administrators can manage resources and
access based on need, thereby keeping digital assets more
secure. This also ensures a frictionless experience for the
end-user, significantly improving the user experience.
Effective user management enables organizations to
properly maintain their user-based licence compliancy so
that various software's are being used to their full
potential.
VPN Security-
VPN stands for the virtual private network. A virtual
private network (VPN) is a technology that creates a safe
and encrypted connection over a less secure network, such
as the internet.

In basic terms, a VPN provides an encrypted server and

hides your IP address from corporations, government
agencies and would-be hackers. A VPN protects your
identity even if you are using public or shared Wi-Fi, and
your data will be kept private from any prying internet eyes

It makes use of tunnelling protocols to establish a secure

connection.
Lets understand VPN by an example:
Think of a situation where corporate office of a bank is
situated in Washington, USA. This office has a local
network consisting of say 100 computers. Suppose other
branches of the bank are in Mumbai, India, and Tokyo,
Japan.
The traditional method of establishing a secure connection
between head office and branch was to have a leased line
between the branches and head office which was a very
costly as well as troublesome job.

VPN lets us overcome this issue in an effective manner.

VPN structure-
The person sitting in the Mumbai office connects to The
VPN server using a dial-up window and the VPN server
returns an IP address that belongs to the series of IP
addresses belonging to a local network of the corporate
office.

Thus person from the Mumbai branch becomes local to the

head office and information can be shared securely over the
public internet.
How does a VPN work?
A VPN provides a secure, encrypted connection between
two points. Before setting up the VPN connection, the two
endpoints of the connection create a shared encryption key.
This can be accomplished by providing a user with a
password or using a key sharing algorithm.
Once the key has been shared, it can be used to encrypt all
traffic flowing over the VPN link. For example, a client
machine will encrypt data and send it to the other VPN
endpoint. At this location, the data will be decrypted and
forwarded on to its destination. When the destination server
sends a response, the entire process will be completed in
reverse.
Types of VPNs-
VPNs are designed to provide a private, encrypted
connection between two points – but does not specify what
these points should be.

This makes it possible to use VPNs in a few different

contexts-
Site-to-Site VPN: A site-to-site VPN is designed to
securely connect two geographically-distributed sites. VPN
functionality is included in most security gateways today.
For instance- a next-generation firewall (NGFW) deployed
at the perimeter of a network protects the corporate
network and also serves as a VPN gateway.

All traffic flowing from one site to the other passes through
this gateway, which encrypts the traffic sent to the gateway
at the other site. This gateway decrypts the data and
forwards it on to its destination.
Remote Access VPN: A remote access VPN is designed to
link remote users securely to a corporate network.

For instance- when the COVID-19 pandemic emerged in

2020, many organizations transitioned to a remote
workforce, and set up secure remote access VPNs from the
remote clients to connect to critical business operations at
the corporate site.
VPN as a Service: VPN as a Service or a cloud VPN is a
VPN hosted in cloud-based infrastructure where packets
from the client enter the Internet from that cloud
infrastructure instead of the client’s local address.

Consumer VPNs commonly use this model, enabling users

to protect themselves while connecting to the Internet via
insecure public Wi-Fi and provide some anonymity while
accessing the Internet.
VPN Security-
A VPN uses cryptography to provide its security and
privacy guarantees.
In this way, VPNs can meet the three criteria of
information security-

Confidentiality: Data privacy is ensured by encrypting all

data flowing over the public network.
Message Integrity: Message authentication codes (MACs)
ensure that any modifications or errors in transmitted data
are detectable. In short, this detects when a message is
tampered with or interfered with in some way, either
intentionally or unintentionally.

Authentication: The initial authentication and key sharing

process proves the identity of both endpoints of the VPN
connection, preventing unauthorized use of the VPN.
Types of Virtual Private Network (VPN) Protocols-
Internet Protocol Security (IPSec):
Internet Protocol Security, known as IPSec, is used to
secure Internet communication across an IP network. IPSec
secures Internet Protocol communication by verifying the
session and encrypts each data packet during the
connection. IPSec runs in 2 modes:
(i) Transport mode
(ii) Tunneling mode
The work of transport mode is to encrypt the message in
the data packet and the tunneling mode encrypts the
whole data packet. IPSec can also be used with other
security protocols to improve the security system.
Layer 2 Tunneling Protocol (L2TP)-

L2TP or Layer 2 Tunneling Protocol is a tunneling protocol

that is often combined with another VPN security protocol
like IPSec to establish a highly secure VPN connection.

L2TP generates a tunnel between two L2TP connection

points and IPSec protocol encrypts the data and maintains
secure communication between the tunnel.
Point–to–Point Tunneling Protocol (PPTP)-
PPTP or Point-to-Point Tunneling Protocol generates a
tunnel and confines the data packet. Point-to-Point Protocol
(PPP) is used to encrypt the data between the connection.

PPTP is one of the most widely used VPN protocol and has
been in use since the early release of Windows.

PPTP is also used on Mac and Linux apart from

Windows.
SSL and TLS-
SSL (Secure Sockets Layer) and TLS (Transport Layer
Security) generate a VPN connection where the web
browser acts as the client and user access is prohibited to
specific applications instead of entire network.
Online shopping websites commonly uses SSL and TLS
protocol. It is easy to switch to SSL by web browsers and
with almost no action required from the user as web
browsers come integrated with SSL and TLS.

SSL connections have “https” in the initial of the URL

instead of “http”.
Open VPN-
Open VPN is an open source VPN that is commonly used
for creating Point-to-Point and Site-to-Site connections. It
uses a traditional security protocol based on SSL and TLS
protocol.

Secure Shell (SSH)-

Secure Shell or SSH generates the VPN tunnel through
which the data transfer occurs and also ensures that the
tunnel is encrypted. SSH connections are generated by a
SSH client and data is transferred from a local port on to
the remote server through the encrypted tunnel.
Difference between VPN and Proxy-
VPN-
It stands for Virtual Private Network. It is a mechanism of
employing encryption, authentication and integrity
protection so that we can use public network as private
network. It simulate a private network over public network.
It allows users to remotely access a private network.

Proxy-
Actually Proxy server uses the anonymous network id
instead of actual IP address of client (means it hides the IP
address of client), so that the actual IP address of client
couldn’t be reveal.
Security Protocols-
In today’s world, we transfer the data in bulk, and the
security of this data is very important, so Internet security
provides that feature i.e., protection of data. There are
different types of protocol exist like routing, mail transfer,
and remote communication protocol. But the Internet
security protocol helps in the security and integrity of data
over the internet.

There are many protocols that exist that help in the

security of data over the internet.
Various types of Internet Security Protocols :
SSL Protocol -
•SSL Protocol stands for Secure Sockets Layer protocol,
which is an encryption-based Internet security protocol
that protects confidentiality and integrity of data.
•SSL is used to ensure the privacy and authenticity of
data over the internet.
•SSL is located between the application and transport
layers.
•TLS/SSL website has “HTTPS” in its URL rather than
“HTTP”.
TLS Protocol -
Same as SSL, TLS which stands for Transport Layer
Security is widely used for the privacy and security of data
over the internet.
•TLS uses a pseudo-random algorithm to generate the
master secret which is a key used for the encryption
between the protocol client and protocol server.
•TLS is basically used for encrypting communication
between online servers like a web browser loading a
web page in the online server.
•TLS also has three sub-protocols the same as SSL
protocol – Handshake Protocol, Record Protocol, and
Alert Protocol.
SHTTP : SHTTP stands for Secure HyperText Transfer
Protocol, which is a collection of security measures like
Establishing strong passwords, setting up a firewall,
thinking of antivirus protection, and so on designed to
secure internet communication.
•SHTTP includes data entry forms that are used to input
data, which has previously been collected into a database.
As well as internet-based transactions.
•SHTTP can authenticate and encrypt HTTP traffic between
the client and the server.
•SHTTP operates on a message-by-message basis. It can
encrypt and sign individual messages.
Set Protocol :Secure Electronic Transaction (SET) is a
method that assures the security and integrity of electronic
transactions made using credit cards.
SET is not a payment system; rather, it is a secure
transaction protocol that is used via the internet.
The SET protocol includes the following participants:
•Cardholder
•Merchant
•Issuer
•Acquire
•Payment Gateway
•Certification Authority
PEM Protocol-
•PEM Protocol stands for privacy-enhanced mail and is
used for email security over the internet.

•It is capable of performing cryptographic operations

such as encryption, non repudiation, and message
integrity.
PGP Protocol :
•PGP Protocol stands for Pretty Good Privacy, and it is
simple to use and free, including its source code
documentation.
•It also meets the fundamental criteria of cryptography.
•When compared to the PEM protocol, the PGP protocol
has grown in popularity and use.
•The PGP protocol includes cryptographic features such
as encryption, non-repudiation, and message integrity.
Network Security – Application Layer
Network security entails securing data against attacks while
it is in transit on a network. To achieve this goal, many
real-time security protocols have been designed.
Such protocol needs to provide at least the following
primary objectives −

•The parties can negotiate interactively to authenticate each

other.
•Establish a secret session key before exchanging
information on network.
•Exchange the information in encrypted form.
In general, the e-mail infrastructure consists of a mesh of
mail servers, also termed as Message Transfer
Agents (MTAs) and client machines running an e-mail
program comprising of User Agent (UA) and local MTA.
Typically, an e-mail message gets forwarded from its UA,
goes through the mesh of MTAs and finally reaches the
UA on the recipient’s machine.
The protocols used for e-mail are as follows −

Simple mail Transfer Protocol (SMTP) used for

forwarding e-mail messages.

Post Office Protocol (POP) and Internet Message Access

Protocol (IMAP) are used to retrieve the messages by
recipient from the server.
MIME(Multipurpose Internet Mail Extensions)-
By 1992, the need was felt to improve the same. Hence, an
additional standard Multipurpose Internet Mail
Extensions (MIME) was defined.

It is a set of extensions to the basic Internet E-mail

standard. MIME provides an ability to send e-mail using
characters.

Another need fulfilled by MIME is to send non-text

contents, such as images or video clips. Due to this
features, the MIME standard became widely adopted with
SMTP for e-mail communication.
Secure/Multipurpose Internet Mail Extension
(S/MIME)- :
S/MIME is a security-enhanced version of Multipurpose
Internet Mail Extension (MIME). In this, public key
cryptography is used for digital sign, encrypt or decrypt
the email.

User acquires a public-private key pair with a trusted

authority and then makes appropriate use of those keys
with email applications.
Working of S/MIME-
S/MIME approach uses public key cryptography,
symmetric key cryptography, hash functions, and digital
signatures
The most common symmetric ciphers used in S/MIME are
RC2 and TripleDES. The usual public key method is RSA,
and the hashing algorithm is SHA-1 or MD5.

S/MIME specifies the additional MIME type, such as

“application/pkcs7-mime”, for data enveloping after
encrypting. The whole MIME entity is encrypted and
packed into an object. S/MIME has standardized
cryptographic message formats different from PGP .
PGP(Pretty Good Privacy)-
Pretty Good Privacy (PGP) is an e-mail encryption
scheme. It has become the de-facto standard for providing
security services for e-mail communication.
It uses public key cryptography, symmetric key
cryptography, hash function, and digital signature.
It provides −
•Privacy
•Sender Authentication
•Message Integrity
•Non-repudiation
Implementation layer in network architecture for PGP and
S/MIME schemes is shown in the following image. Both
these schemes provide application level security of for e-
mail communication.
Security at Transport Layer- SSL and TLS-
The SSL and TLS protocols enable two parties to identify
and authenticate each other and communicate with
confidentiality and data integrity.

The SSL and TLS protocols provide communications

security over the internet, and allow client/server
applications to communicate in a way that is confidential
and reliable.
An SSL or TLS connection is initiated by an application,
which becomes the SSL or TLS client. The application
which receives the connection becomes the SSL or TLS
server.

Every new session begins with a handshake, as defined by

the SSL or TLS protocols.
TLS Design-
Transport Layer Security (TLS) protocols operate above the
TCP layer. Design of these protocols use popular
Application Program Interfaces (API) to TCP, called
“sockets" for interfacing with TCP layer.
SSL is specific to TCP and it does not work with UDP. SSL
provides Application Programming Interface (API) to
applications. C and Java SSL libraries/classes are readily
available.
SSL protocol is designed to interwork between application
and transport layer as shown-
SSL itself is composed of two sub-layers-
Lower sub-layer comprises of the one component of SSL
protocol called as SSL Record Protocol. This component
provides integrity and confidentiality services.
Upper sub-layer comprises of three SSL-related protocol
components and an application protocol. Application
component provides the information transfer service
between client/server interactions.
Three SSL related protocol components are −
•SSL Handshake Protocol
•Change Cipher Spec Protocol
•Alert Protocol.
Security in Network Layer-
Network security needs are implemented as-
Layer Security Protocols
Application layer PGP. S/MIME, HTTPS
Transport Layer SSL, TLS, SSH
Network Layer Ipsec

The popular framework developed for ensuring security

at network layer is Internet Protocol Security (IPsec)
The IP security (IPSec) is an Internet Engineering Task
Force (IETF) standard suite of protocols between 2
communication points across the IP network that provide
data authentication, integrity, and confidentiality.

It also defines the encrypted, decrypted and authenticated

packets. The protocols needed for secure key exchange and
key management are defined in it.
Uses of IP Security –
IPsec can be used to do the following things:
•To encrypt application layer data.

•To provide security for routers sending routing data across

the public internet.

•To provide authentication without encryption, like to

authenticate that the data originates from a known sender.

•To protect network data by setting up circuits using IPsec

tunneling in which all data is being sent between the two
endpoints is encrypted.
Components of IP Security –
It has the following components:
Encapsulating Security Payload (ESP) –
It provides data integrity, encryption, authentication and
anti replay. It also provides authentication for payload.

Authentication Header (AH) –

It also provides data integrity, authentication and anti
replay and it does not provide encryption. The anti replay
protection, protects against unauthorized transmission of
packets. It does not protect data’s confidentiality.
Internet Key Exchange (IKE) –
It is a network security protocol designed to dynamically
exchange encryption keys and find a way over Security
Association (SA) between 2 devices.
Internet Key Exchange (IKE) provides message content
protection and also an open frame for implementing
standard algorithms such as SHA and MD5