DNS LONG PP Question
BSIT 5
o PGP was designed to provide all four aspects of security, i.e., privacy,
integrity, authentication, and non-repudiation, in the sending of email.
o PGP is an open source and freely available software package for email
security.
o The sender first hashes the original email message with a hash function to
produce a digest.
o The digest is then encrypted with the sender's private key to form a signed
digest, and the signed digest is appended to the original email message.
o The original message and signed digest are encrypted with a one-time
secret (session) key created by the sender.
o The one-time secret key is itself encrypted with the receiver's public key
and sent along with the encrypted message.
o At the receiving end, the encrypted secret key is decrypted with the
receiver's private key to recover the one-time secret key.
o The secret key is then used to decrypt the combination of message and
signed digest.
o The signed digest is decrypted with the sender's public key, and the
received message is hashed with the same hash function to create a fresh
digest.
o The two digests are compared: if they are equal, the message is intact and
came from the holder of the sender's private key, so all the aspects of
security are preserved.
o Compatibility issues: both the sender and the receiver must have
compatible versions of PGP. For example, if you encrypt an email using PGP
with one encryption algorithm and the receiver has a different version of
PGP that does not support it, the receiver cannot read the data.
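The send/receive flow above, as an added example that is not part of the original notes or of PGP itself: textbook RSA on fixed primes stands in for the key pairs, SHA-256 is the hash, and a SHA-256 keystream stands in for the one-time symmetric cipher. The Mersenne primes, the unpadded RSA and the keystream cipher are demonstration assumptions only; real PGP uses generated primes, padding and a standard block cipher.

```python
import hashlib
import secrets

# Demonstration keys from fixed Mersenne primes so the example is deterministic and
# needs no prime generation. Never use special-form primes or unpadded RSA in practice.
E = 65537
SIG_BYTES = 192   # fixed-width field for the signed digest (sender's n is below 2^1128)

def make_keypair(p, q, e=E):
    """Textbook RSA: public key (e, n), private key (d, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (e, n), (d, n)

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def rsa_apply(value, key):
    exp, n = key
    return pow(value, exp, n)

def keystream_xor(key, data):
    """Stand-in for the one-time symmetric cipher: XOR with SHA-256(key || counter)
    blocks. The same function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_send(message, sender_priv, receiver_pub):
    """Hash, sign the digest, encrypt message+signature under a one-time key,
    then wrap that key with the receiver's public key."""
    digest = hashlib.sha256(message).digest()
    signed_digest = rsa_apply(int.from_bytes(digest, "big"), sender_priv)
    bundle = message + signed_digest.to_bytes(SIG_BYTES, "big")
    session_key = secrets.token_bytes(32)                 # one-time secret key
    body = keystream_xor(session_key, bundle)
    wrapped_key = rsa_apply(int.from_bytes(session_key, "big"), receiver_pub)
    return wrapped_key, body

def pgp_receive(packet, receiver_priv, sender_pub):
    """Unwrap the key, decrypt, then compare the signed digest with a fresh hash."""
    wrapped_key, body = packet
    session_key = rsa_apply(wrapped_key, receiver_priv).to_bytes(32, "big")
    bundle = keystream_xor(session_key, body)
    message, sig = bundle[:-SIG_BYTES], bundle[-SIG_BYTES:]
    recovered = rsa_apply(int.from_bytes(sig, "big"), sender_pub)
    if recovered != int.from_bytes(hashlib.sha256(message).digest(), "big"):
        raise ValueError("digest mismatch: message altered or not signed by the claimed sender")
    return message
```

Any change to the ciphertext changes the decrypted message or signature, so the digest comparison at the receiver fails; that single comparison is what delivers both the integrity and the authentication property described above.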
There are two main types of challenge-response questions: static and dynamic. Each
varies in terms of complexity and response variability.
Static challenges are requests that can be satisfied using the same answer or process
every time. Examples are the password recovery questions one needs to answer to verify
identity, or the password for the lock screen on a smartphone. Because the answer never
changes, anyone who captures it once can replay it.
Dynamic challenges require a different answer with each attempt. Often, the
challenges themselves randomly change, and the user is expected to respond. Some
financial institutions provide their account holders with a small security token, a device
that can either receive codes or input them. Devices like these also provide a physical
element to the authentication process, which makes it even harder for cybercriminals to
exploit.
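A dynamic challenge of the kind a security token answers, as an added example (not from the original article): the server issues a fresh random nonce, the token returns an HMAC of it under a secret that never leaves the device, and each nonce is accepted once. The names and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

SHARED_SECRET = b"constructed-demo-secret"   # provisioned on the token and on the server

class Server:
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()            # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_hex(16)       # fresh and unpredictable every time
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:   # unknown or already used: a replayed answer fails
            return False
        self.outstanding.discard(nonce)     # one-shot: consume the challenge before checking
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def token_respond(secret, nonce):
    """What the user's token computes; only the response crosses the wire."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def run_exchange(server, secret):
    """One complete round trip: challenge out, response back."""
    nonce = server.challenge()
    return nonce, token_respond(secret, nonce)
```

Contrast this with a static password: an eavesdropper who records one exchange here learns nothing reusable, because the next challenge is different and the previous one has been consumed.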
In addition to login authentication, there are two main areas in which challenge-response
can be utilized, particularly when it comes to cybersecurity.
Human verification
Sometimes, when users log in to a website, they are asked to complete a series of
challenges to prove that they are not a robot (bot). Challenges like this are designed to
block programs, not users, from accessing certain webpages or activities. For instance,
many electronic commerce (e-commerce) platforms use human verification in order to
prevent bots from automatically buying up massive amounts of supplies. Not only can
these bots limit the experience of regular users, but they may also be using fraudulent or
stolen information to complete purchases. Challenge-response authentication is a way to
avoid this outcome and ensure the safety and security of specific web services. A
common challenge used to verify human activity includes selecting images that contain a
specific item or object, such as a fire hydrant, for example. CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart) is an example of this
type of tool being put to use.
Machine learning
One of the greatest advantages of machine learning is its ability to complete many tasks
at the same time. In cybersecurity, ML or artificial intelligence (AI) software combs
systems for suspicious or dangerous behavior. Challenge-response authentication tests
and trains machine learning models to help them solve complex problems. Some ML
programs are given human verification puzzles and their answers are matched and
compared to those of humans. Over time, the ML program learns from the human
examples to inform its future decision-making.
There are some things you can do to improve router security. We'll go through some of
them now.
The label on your router will tell you how to access your router settings - typically you
have to type an address into a web browser. The exact address will vary depending on
your router, but it'll look something like: 192.168.0.1 (read our guide on the subject for
more information).
From there, you'll be able to change the admin username and password. Just make sure that
the password is long and unique and uses a combination of lower and upper case, symbols
and numbers - don't use 'password' or the factory default as a password, for example.
The default network name (SSID) usually reveals the manufacturer or model. One drawback
of this is that it tells any would-be attackers the likely type of router you're using,
and what type of exploits they can use to get access. Change the name to avoid that
problem, but don't use any personal information that can identify you. You can do this by
accessing your router settings (see point one).
4. Deactivate WPS
Wi-Fi Protected Setup (WPS) is only available on some routers. It makes it much easier
to connect wireless devices to the network - simply push the button marked WPS on
the router and you can connect without entering a password.
WPS isn't fully secure - the PIN-based method in particular has been shown to be
brute-forceable over the air, so the risk is not limited to someone with physical access
to your equipment. The risk can be fully removed by simply deactivating it in your router
settings.
5. Use MAC address filtering
Go into the access control settings (this may vary from router to router, but a Google
search should help you find it on yours if necessary), and you should see a list of
connected devices, with MAC addresses. You can use this to confirm or deny access as
needed. Bear in mind that a MAC address is trivially spoofed, so filtering only raises
the bar slightly against a determined attacker.
Alternatively, all devices will list their MAC address in their settings somewhere. For
example, on an iPhone it can be found under Settings > General > About > Wi-Fi
Address, and on Android it's in Settings > About > Wi-Fi MAC address. The exact path
will vary depending on your Android model, however.
Finally…
Those are just some of the simple things you can do to improve security on your router.
Hopefully it proved useful.
(2018)
The Playfair cipher was the first practical digraph substitution cipher.
The scheme was invented in 1854 by Charles Wheatstone but was
named after Lord Playfair who promoted the use of the cipher. In
the Playfair cipher, unlike a traditional substitution cipher, we encrypt a pair of
letters (a digraph) at a time instead of a single letter.
It was used for tactical purposes by British forces in the Second Boer
War and in World War I and for the same purpose by the Australians
during World War II. This was because Playfair is reasonably fast to
use and requires no special equipment.
Encryption Technique
The Playfair Cipher Encryption Algorithm consists of two steps: first build the 5x5
key square from the keyword (one letter, usually J, is merged with I so that 25 letters
fit), then split the plaintext into digraphs and encrypt each pair using the rules
below. For the encryption process let us consider the following example:
PlainText: "instruments"
After Split: 'in' 'st' 'ru' 'me' 'nt' 'sz'
1. A pair cannot be made from the same letter. Break the repeated letter off and add a
bogus letter to the previous letter.
Plain Text: "hello"
After Split: 'he' 'lx' 'lo'
Here 'x' is the bogus letter.
2. If a letter is left standing alone at the end of the pairing process, then add an
extra bogus letter to the lone letter.
Plain Text: "helloe"
After Split: 'he' 'lx' 'lo' 'ez'
Here 'z' is the bogus letter.
Rules for Encryption:
If both the letters are in the same column: Take the letter below
each one (going back to the top if at the bottom).
For example:
Digraph: "me"
Encrypted Text: cl
Encryption:
m -> c
e -> l
If both the letters are in the same row: Take the letter to the right of
each one (going back to the leftmost if at the rightmost position).
For example:
Digraph: "st"
Encrypted Text: tl
Encryption:
s -> t
t -> l
If neither of the above rules is true: Form a rectangle with the two
letters and take the letters on the horizontal opposite corner of the
rectangle.
For example:
Digraph: "nt"
Encrypted Text: rq
Encryption:
n -> r
t -> q
Playfair Cipher with Examples
Last Updated : 26 Jul, 2022
Decryption Technique
Decryption simply reverses each rule. For example:
CipherText: "gatlmzclrqtx"
After Split: 'ga' 'tl' 'mz' 'cl' 'rq' 'tx'
If both the letters are in the same column: Take the letter above each one (going back
to the bottom if at the top).
For example:
Digraph: "cl"
Decrypted Text: me
Decryption:
c -> m
l -> e
If both the letters are in the same row: Take the letter to the left of each one (going
back to the rightmost if at the leftmost position).
For example:
Digraph: "tl"
Decrypted Text: st
Decryption:
t -> s
l -> t
If neither of the above rules is true: Form a rectangle with the two letters and take
the letters on the horizontal opposite corner of the rectangle (this rule is its own
inverse).
For example:
Digraph: "rq"
Decrypted Text: nt
Decryption:
r -> n
q -> t
Putting all the pairs together (ciphertext -> plaintext):
ga -> in
tl -> st
mz -> ru
cl -> me
rq -> nt
tx -> sz
The trailing 'z' is the bogus letter added during encryption and is dropped to recover
"instruments".
Advantages and Disadvantages
Advantages:
o It is significantly harder to break than a simple substitution cipher. Frequency
analysis can still be used, but it must be applied to the (25*25) = 625 possible
digraphs rather than 25 single letters, which requires far more ciphertext and effort.
Disadvantages:
o An interesting weakness is the fact that a digraph in the ciphertext (AB) and its
reverse (BA) will have corresponding plaintexts like UR and RU (and also ciphertext UR
and RU will correspond to plaintext AB and BA, i.e. the substitution of reversed pairs
is self-inverse). That can easily be exploited with the aid of frequency analysis, if
the language of the plaintext is known.
Key Management
In cryptography, it is a very tedious task to distribute keys between sender and
receiver: public keys must reach the other party unaltered, and secret keys must reach
only the intended party. If a secret key is known to a third party
(forger/eavesdropper) then the whole security mechanism becomes worthless. So there
comes the need to secure the exchange of keys.
There are two aspects for Key Management:
Distribution of public keys.
Use of public-key encryption to distribute secrets.
Distribution of Public Key:
The public key can be distributed in four ways:
Public announcement
Publicly available directory
Public-key authority
Public-key certificates.
These are explained as following below:
1. Public Announcement: Here the public key is broadcast to everyone. The major
weakness of this method is forgery. Anyone can create a key claiming to be someone else
and broadcast it. Until the forgery is discovered, the forger can masquerade as the
claimed user.
Components of WLANs
The components of WLAN architecture as laid down in IEEE 802.11 are −
Stations (STA) − Stations comprise all devices and equipment that are connected to the
wireless LAN. Each station has a wireless network interface controller. A station can be
of two types −
o Wireless Access Point (WAP or AP)
o Client
Basic Service Set (BSS) − A basic service set is a group of stations communicating at
the physical layer level. A BSS can be of two categories −
o Infrastructure BSS
o Independent BSS
Extended Service Set (ESS) − It is a set of all connected BSSs.
Distribution System (DS) − It connects the access points in an ESS.
Types of WLANs
WLANs, as standardized by IEEE 802.11, operate in two basic modes: infrastructure
mode and ad hoc mode.
Infrastructure Mode − Mobile devices or clients connect to an access point (AP) that in
turn connects via a bridge to the LAN or Internet. The client transmits frames to other
clients via the AP.
Ad Hoc Mode − Clients transmit frames directly to each other in a peer-to-peer fashion.
Advantages of WLANs
They provide clutter-free homes, offices and other networked places.
The LANs are scalable in nature, i.e. devices may be added to or removed from the
network with greater ease than in wired LANs.
The system is portable within the network coverage. Access to the network is not
bounded by the length of the cables.
Installation and setup are much easier than for wired counterparts.
The equipment and setup costs are reduced.
Disadvantages of WLANs
Since radio waves are used for communications, the signals are noisier, with more
interference from nearby systems.
Greater care is needed for encrypting information, because anyone within radio range
can capture the frames. Also, they are more prone to errors, so they require greater
bandwidth than wired LANs.
WLANs are slower than wired LANs.
Q.NO.7. What is message authentication?
Explain authentication functions?
Message Authentication
In the last chapter, we discussed the data integrity threats and the use of the hashing
technique to detect whether any modification attacks have taken place on the data.
Another type of threat that exists for data is the lack of message authentication. In
this threat, the user is not sure about the originator of the message. Message
authentication can be provided using cryptographic techniques that use secret keys, as
is done in the case of encryption.
Authentication Functions
A message authentication code (MAC) is a fixed-length value computed from the message
and a secret key shared by sender and receiver, MAC = C(K, M). The message plus MAC
are transmitted to the intended recipient. The recipient
performs the same calculation on the received message, using the same secret key,
to generate a new MAC. The received MAC is compared to the calculated MAC. If
we assume that only the receiver and the sender know the identity of the secret key,
and if the received MAC matches the calculated MAC, then
1. The receiver is assured that the message has not been altered. If an attacker
alters the message but does not alter the MAC, then the receiver's calculation of the
MAC will differ from the received MAC. Because the attacker is assumed not to know
the secret key, the attacker cannot alter the MAC to correspond to the alterations in
the message.
2. The receiver is assured that the message is from the alleged sender. Because no
one else knows the secret key, no one else could prepare a message with a proper
MAC.
3. If the message includes a sequence number (such as is used with HDLC, X.25,
and TCP), then the receiver can be assured of the proper sequence because an
attacker cannot successfully alter the sequence number.
A MAC function is similar to encryption. One difference is that the MAC algorithm
need not be reversible, as it must for decryption. In general, the MAC function is a
many-to-one function. The domain of the function consists of messages of some
arbitrary length, whereas the range consists of all possible MACs and all possible
keys.
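The three assurances listed above, as an added example that is not from the original text: HMAC-SHA256 is used as the MAC function (the text leaves the function unspecified), the sequence number is included in the authenticated data, and the receiver checks the tag before it trusts the sequence number. The key and messages are constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed shared secret key"

def mac_tag(key, seq, message):
    # Authenticate the sequence number together with the message, so neither can be
    # altered or swapped between packets without invalidating the tag.
    data = seq.to_bytes(4, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()

def send(key, seq, message):
    """Sender side: the packet is (sequence number, message, MAC)."""
    return seq, message, mac_tag(key, seq, message)

class Receiver:
    def __init__(self, key):
        self.key = key
        self.expected_seq = 0

    def accept(self, packet):
        seq, message, tag = packet
        # 1 + 2: recompute the MAC with the shared key and compare in constant time;
        # an altered message, an altered sequence number or a wrong key all fail here.
        if not hmac.compare_digest(mac_tag(self.key, seq, message), tag):
            return False
        # 3: the tag is genuine, so the sequence number can be trusted; reject
        # replays and out-of-order delivery.
        if seq != self.expected_seq:
            return False
        self.expected_seq += 1
        return True
```

Note the order of the checks: the sequence number is only meaningful once the MAC has proven it was not altered, which is why the comparison comes first.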
(2018)
Q.NO.2. Suppose Alice and Bob agree on the following values p = 550 and g = 10. Moreover,
Alice chooses a = 4 and Bob chooses b = 12. Compute the shared secret key for both Alice
and Bob.
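A worked answer to Q.NO.2, added here and not part of the original paper: both sides of the Diffie-Hellman exchange are computed with the question's values. Note that p = 550 = 2 * 5^2 * 11 is not prime, so this is only the arithmetic the question asks for; a real exchange needs a large prime p and a generator of a large subgroup.

```python
def dh_public(g, priv, p):
    """Public value sent over the wire: g^priv mod p."""
    return pow(g, priv, p)

def dh_shared(other_pub, priv, p):
    """Shared secret: the other party's public value raised to our private exponent."""
    return pow(other_pub, priv, p)

def solve(p=550, g=10, a=4, b=12):
    """Returns (Alice's public value, Bob's public value, shared secret)."""
    A = dh_public(g, a, p)          # Alice sends A = g^a mod p
    B = dh_public(g, b, p)          # Bob sends B = g^b mod p
    k_alice = dh_shared(B, a, p)    # Alice computes B^a mod p
    k_bob = dh_shared(A, b, p)      # Bob computes A^b mod p
    if k_alice != k_bob:
        raise ArithmeticError("the two sides must agree on the key")
    return A, B, k_alice
```

With these values A = 10^4 mod 550 = 100, B = 10^12 mod 550 = 100, and both sides arrive at the shared key 100; the tiny, composite modulus is exactly why 10^n mod 550 collapses onto {100, 450} after the first couple of powers.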
Q.NO.3. How many different security attacks can a network encounter? Give the IP security
Architecture?
IPSec Architecture
IPSec (IP Security) uses two protocols to secure traffic: ESP (Encapsulating Security
Payload) and AH (Authentication Header). The IPSec architecture comprises these
protocols, the cryptographic algorithms, the Domain of Interpretation (DOI) and key
management (IKE). All of these components work together to provide the three main
services:
Confidentiality
Authentication
Integrity
IP Security Architecture:
Remote access
A host-to-network configuration is analogous to connecting a computer to a local area
network. This type provides access to an enterprise network, such as an intranet. This
may be employed for remote workers who need access to private resources, or to enable a
mobile worker to access important tools without exposing them to the public Internet.
Site-to-site
A site-to-site configuration connects two networks. This configuration expands a network
across geographically disparate offices, or a group of offices to a data center
installation. The interconnecting link may run over a dissimilar intermediate network,
such as two IPv6 networks connected over an IPv4 network.[4]
Extranet-based site-to-site
In the context of site-to-site configurations, the terms intranet and extranet are used
to describe two different use cases.[5] An intranet site-to-site VPN describes a
configuration where the sites connected by the VPN belong to the same organization,
whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.
Network Address Translation (NAT) is the process of mapping one internet protocol (IP)
address to another by rewriting the headers of IP packets while they are in transit
through a router. This helps to reduce the number of public IP addresses an organization
needs and hides the internal addressing scheme from the outside.
A NAT gateway sits between two networks: the internal network and the outside network.
Systems on the inside network are typically assigned IP addresses that cannot be routed
on external networks (e.g., addresses in the 10.0.0.0/8 block).
A few externally valid IP addresses are assigned to the gateway. The gateway makes
outbound traffic from an inside system appear to be coming from one of the valid
external addresses. It takes incoming traffic aimed at a valid external address and sends
it to the correct internal system.
This has a security side effect: every outgoing or incoming packet must pass through the
translation process, which gives the gateway the opportunity to match incoming streams to
outgoing requests and to drop unsolicited inbound traffic. NAT is not a substitute for a
firewall, however; it hides hosts but does not inspect or authenticate traffic.
NAT conserves the number of globally valid IP addresses a company needs and -- in
combination with Classless Inter-Domain Routing (CIDR) -- has done a lot to extend the
useful life of IPv4 as a result. NAT is described in general terms in IETF RFC 1631.
NAT techniques
Policies can also be applied based on the protocol in use ("assign out of this pool
for HTTP traffic, that pool for HTTPS") or on other factors.
A newer way to use NAT focuses on translating an ISP's IPv4 addresses to IPv6, and vice
versa. This provides integration of IPv4 infrastructure and end nodes into IPv6
environments, and allows IPv6 services to interact with IPv4 systems.
What is the difference between dynamic NAT and static NAT?
Dynamic NAT maps internal addresses to a pool of public addresses as connections are
made. An example of this can be seen with Cisco, which has developed a technique that
uses NAT overload (also called PAT) to map several private IP addresses to a single
public IP address, telling the flows apart by port number. Conversely, static NAT, also
common in large organizations, provides a fixed 1:1 mapping between an internal IP
address and a public IP address. (Note that in firewall terminology such as iptables, the
abbreviations SNAT and DNAT mean source and destination NAT, not static and dynamic.)
RSA
General: first published 1977
Cipher detail: rounds 1
Best public cryptanalysis: factoring the modulus (see below)
At the moment RSA seems to be extremely secure. It has survived over 20 years of
scrutiny and is in widespread use throughout the world. The attack that is most often
considered for RSA is the factoring of the public modulus. If this can be achieved, all
messages encrypted with the public key can be decrypted. The point is that with very
large numbers, factoring takes an unreasonable amount of time (see the factorization
section for more details of the difficulty). It has not been proven that breaking the RSA
algorithm is equivalent to factoring large numbers (there may be another, easier
method), but neither has it been proven that factoring is not equivalent.
I mentioned before that a chain is only as strong as its weakest link. In cryptology
terms, the links in the chain include key generation, key management, the cryptographic
algorithm and the cryptographic protocol. If there is a weakness in any one of these
areas, it undermines the entire system. Imagine an eavesdropper was able to generate
session keys in the same order that an e-commerce site's web server used to get credit
card details securely from customers over the Internet; this would allow the
eavesdropper to read all the transactions. The section on random number generators
discusses this topic.
Guessing d
Another possible attack is a known-plaintext attack: the attacker knows both the
plaintext and the ciphertext (they simply have to encrypt something with the public
key). They then try to discover the private exponent d. This might involve trying every
possible exponent on the ciphertext until it returns the original plaintext.
Once d has been discovered it is easy to find the factors of n (for example, use the
algorithm in chapter 8 of The Handbook of Applied Cryptography). Then the system has
been broken completely and all further ciphertexts can be decrypted.
The problem with this attack is that it is slow. There are an enormous number of
possible values of d to try. Since the method allows us to factor n, it is itself a
factoring algorithm, and since factoring is believed to be intractable we know this is
very difficult. It is far from the fastest way to factor n, so one is advised to focus
effort on a more efficient algorithm specifically designed to factor n. This advice was
given in the original paper.
Cycle Attack
This attack is very similar to the last. The idea is that we encrypt the ciphertext
repeatedly, counting the iterations, until the original ciphertext reappears. The value
one step before that point is the plaintext, so the cycle length will decrypt any
ciphertext. Again this method is very slow and for a large key it is not a practical
attack. A generalisation of the attack allows the modulus to be factored, and it works
faster the majority of the time. But even this will still have difficulty when a large
key is used. Also, the use of strong primes aids the security.
The bottom line is that the generalized form of the cycle attack is just another
factoring algorithm. It is not efficient, and therefore the attack is not good enough
compared with modern factoring algorithms (e.g. the Number Field Sieve).
I noticed an improvement on this algorithm. The suggested way is to use the public
exponent of the public key to re-encrypt the text. However, any exponent should work so
long as it is coprime to (p-1)(q-1) (where p, q are the factors of the modulus). So I
suggest using an exponent such as 2^16 + 1. This number has only two 1s in its binary
representation: using binary fast exponentiation, we use only 16 modular squarings and
1 modular multiplication. This is likely to be faster than the actual public exponent.
The trouble is that we cannot be sure that it is coprime to (p-1)(q-1). In practice,
many RSA systems use 2^16 + 1 as the encrypting exponent for its speed.
Common Modulus
One of the early weaknesses found was in a system of RSA where the users within an
organization would share the public modulus. That is to say, the administration would
choose the public modulus securely and generate pairs of encryption and decryption
exponents (public and private keys) and distribute them to all the employees/users. The
reason for doing this is to make it convenient to manage and to write software for.
However, Simmons showed how this would allow any eavesdropper to read any message
encrypted under two of the (coprime) public exponents, for example when a memo is sent
to several employees. DeLaurentis went further and demonstrated how the system was at
even more risk from insiders, who could break the system completely, allowing them to
read all messages and sign with anybody's key.
Faulty Encryption
Joye and Quisquater showed how to capitalise on the common modulus weakness due to a
transient error when transmitting the public key. Consider the situation where an
attacker, Malory, has access to the communication channel used by Alice and Bob. In
other words, Malory can listen to anything that is transmitted, and can also change
what is transmitted. Alice wishes to talk privately to Bob, but does not know his public
key. She requests it by sending an email, to which Bob replies. But during transmission,
Malory is able to see the public key and decides to flip a single bit in Bob's public
exponent, changing (e, n) to (e', n).
When Alice receives the faulty key, she encrypts the prepared message and sends it to
Bob (Malory also gets it). But of course, Bob cannot decrypt it because the wrong key
was used. So he lets Alice know and they agree to try again, starting with Bob
re-sending his public key. This time Malory does not interfere. Alice sends the message
again, this time encrypted with the correct public key.
Malory now has two ciphertexts, one encrypted with the faulty exponent and one with
the correct one. She also knows both these exponents and the public modulus. Therefore
she can now apply the common modulus attack to retrieve Alice's message, assuming that
Alice was foolish enough to encrypt exactly the same message the second time. (A single
flipped bit always leaves e and e' coprime: their difference is a power of two and e is
odd, so the common modulus attack applies.)
A demonstration of the Common Modulus attack and the Faulty Encryption attack can be
found in the accompanying Mathematica notebook.
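The common modulus attack, as an added example covering both sections above (not from the original article or its notebook): given two ciphertexts of the same message under coprime exponents e1, e2 with the same n, the extended Euclidean algorithm yields x, y with e1*x + e2*y = 1, and c1^x * c2^y = m^(e1 x + e2 y) = m. The faulty-encryption scenario is modelled by deriving e2 from e1 with one flipped bit. The primes, exponents and message are constructed for the demonstration and far too small for real use.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def common_modulus_attack(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n when gcd(e1, e2) == 1."""
    g, x, y = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # A negative coefficient means raising the modular inverse of that ciphertext,
    # which exists whenever gcd(m, n) == 1 (always, for m below both primes).
    if x < 0:
        c1, x = pow(c1, -1, n), -x
    if y < 0:
        c2, y = pow(c2, -1, n), -y
    return (pow(c1, x, n) * pow(c2, y, n)) % n

# Constructed demonstration parameters: one shared modulus, two exponents.
P, Q = 1000003, 1000033
N = P * Q
E_CORRECT = 65537
E_FAULTY = E_CORRECT ^ (1 << 2)   # Malory flipped bit 2 in transit: 65541, still coprime to 65537
MESSAGE = int.from_bytes(b"memo", "big")

def demo():
    """Alice encrypts the same memo twice: once with the faulty key, once with the real one."""
    c_faulty = pow(MESSAGE, E_FAULTY, N)
    c_correct = pow(MESSAGE, E_CORRECT, N)
    return common_modulus_attack(N, E_FAULTY, c_faulty, E_CORRECT, c_correct)
```

Neither private exponent is needed at any point, which is the whole lesson of the shared-modulus deployment: the modulus, not the exponent, is the secret-bearing part of the key.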
Low Exponent
In the cycle attack section above, I suggested that the encrypting exponent could be
chosen to make the system more efficient. Many RSA systems use e = 3 to make encrypting
faster. However, there is a vulnerability with this choice. If the same message is
encrypted 3 times with different keys (that is, the same exponent but different
moduli), then we can retrieve the message. The attack is based on the Chinese Remainder
Theorem. See The Handbook of Applied Cryptography for an explanation and algorithm.
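The e = 3 broadcast attack just described, as an added example not taken from the article or the Handbook: the three ciphertexts are combined with the Chinese Remainder Theorem into m^3 modulo N1*N2*N3, and because m is smaller than every modulus, m^3 is smaller than the product, so the combined value is m^3 as an ordinary integer and an exact cube root recovers m. The moduli and message are constructed and tiny.

```python
from math import gcd

E = 3
# Three recipients' moduli, built from constructed small primes; they must be pairwise coprime.
MODULI = [1000003 * 1000033, 1000037 * 1000039, 1000081 * 1000099]
MESSAGE = int.from_bytes(b"memo", "big")

def crt(residues, moduli):
    """Combine x ≡ r_i (mod n_i) into the unique x mod prod(n_i) (moduli pairwise coprime)."""
    prod = 1
    for n in moduli:
        prod *= n
    total = 0
    for r, n in zip(residues, moduli):
        ni = prod // n
        total += r * ni * pow(ni, -1, n)
    return total % prod

def icbrt(x):
    """Exact integer cube root by binary search; None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None

def hastad_attack(ciphertexts, moduli):
    """Recover m from m^3 mod n_i for three pairwise coprime moduli."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli share a factor; factor them directly instead")
    m_cubed = crt(ciphertexts, moduli)   # equals the integer m^3 because m^3 < n1*n2*n3
    return icbrt(m_cubed)

def demo():
    """The same unpadded message sent to three recipients with e = 3."""
    cts = [pow(MESSAGE, E, n) for n in MODULI]
    return hastad_attack(cts, MODULI)
```

The attack fails if the message is randomised before encryption (proper padding gives each recipient a different m), which is why raw RSA with a small exponent is never acceptable.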
(2018)
Q.NO.2.Explain the mechanism of DES?
Q.NO.3. How many different security attacks can a network encounter? Give the IP
security Architecture?
Q.NO.4) a) Apply the Vigenère cipher with Key = Encryption,
plain text = "We are Pakistani".
What will be the Cipher Text = ?
b) Write down the techniques for hiding
messages.
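A worked answer to Q.NO.4(a), added here and not part of the original paper: a general Vigenère routine that encrypts and decrypts, passes non-letters through unchanged and advances the key only on letters (a convention assumed here, since the question does not state how spaces are handled).

```python
def vigenere(text, key, decrypt=False):
    """Vigenère shift of each letter by the corresponding key letter (A=0 ... Z=25)."""
    shifts = [ord(k) - ord("A") for k in key.upper() if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)              # spaces and punctuation are left as they are
            continue
        shift = shifts[ki % len(shifts)] * (-1 if decrypt else 1)
        out.append(chr((ord(ch.upper()) - ord("A") + shift) % 26 + ord("A")))
        ki += 1                         # the key advances only on letters
    return "".join(out)

def answer():
    """The question's instance: key 'Encryption', plaintext 'We are Pakistani'."""
    return vigenere("We are Pakistani", "Encryption")
```

Working letter by letter: W+E=A, E+N=R, A+C=C, R+R=I, E+Y=C, P+P=E, A+T=T, K+I=S, I+O=W, S+N=F, T+E=X, A+N=N, N+C=P, I+R=Z, giving the ciphertext AR CIC ETSWFXNPZ.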
Secret codes can be used to send fun messages between friends. These codes can also
help messages get past censors in more serious situations. Knowing how to create, write,
and send an encoded message using constrained language can help get your messages out
undetected. Learning a few different constrained language codes can help your messages
become even more secure. Note that an acrostic hides the existence of a message rather
than encrypting it: anyone who knows the trick can read it.
Think of what you want to encode. Before you can create a coded message, you will need
to think of the message itself. You can encode any word or phrase using an acrostic code.
However, you should try to keep your messages short. Longer messages can be difficult to
encode and may be noticed by people that shouldn't see them.[1]
If you wanted to hide the word "HELP", you would need to use H, E, L, and P in your
message.
Make sure you don't miss any letters, as this can change the code. For example, missing
the letter L in "HELP" would result in the code reading "HEP".
Write a sentence for each letter. Now that you have each letter of your word ready, you
can begin building the code. Every letter will have its own sentence starting with it. The
code will be revealed by reading the first letter of every sentence. Make sure each letter
is included in the document you are creating to ensure the code will be readable.[3]
Your first sentence would have to start with the letter H. "How is everyone at home?"
would be a good choice.
The next sentence would need to start with the letter E. "Everything still going well in
town?" could be used in this case.
It's important that your sentences and message don't draw attention to the encoded
message. Keep your tone and content neutral and natural.
Check your code. Complete the acrostic code and double-check it. You will want to make
sure that each letter of your original phrase or word is included. Every sentence in
your document should start with a letter from your original message. If you read the
first letter of each sentence, you should find your original message.[4]
If you missed any letters, add them to your encoded message to make sure it's readable.
Make sure you didn't add any sentences that aren't part of the code. This could change
the meaning of the original message you were trying to encode.
"How is everyone at home? Everything still good? Looking forward to coming back. Please
take care of my dog until then!" would be an example of encoding the word "HELP" using
the acrostic method.
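The three steps above (build, then check by reading back the first letters), as an added example that is not from the original guide. The sentence bank is constructed for the example; the reader function is the "check your code" step automated, so it also catches a stray sentence that would corrupt the hidden word.

```python
import re

# Constructed bank: one neutral sentence per letter we want to be able to hide.
SENTENCES = {
    "H": "How is everyone at home?",
    "E": "Everything still good?",
    "L": "Looking forward to coming back.",
    "P": "Please take care of my dog until then!",
}

def encode_acrostic(secret, bank=SENTENCES):
    """One sentence per letter of the secret, in order."""
    try:
        return " ".join(bank[ch] for ch in secret.upper() if ch.isalpha())
    except KeyError as missing:
        raise ValueError(f"no sentence available for letter {missing}") from None

def decode_acrostic(text):
    """Split on sentence-ending punctuation and read the first letter of each sentence."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    return "".join(s[0].upper() for s in sentences)
```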
DES
In “modern” computing, DES was the frst standardized cipher for securing electronic
communications, and is used in variations (e.g. 2-key or 3-key 3DES). The original DES is
not used anymore as it is considered too “weak”, due to the processing power of modern
computers. Even 3DES is not recommended by NIST and PCI DSS 3.2, as well as all 64-bit
ciphers. However, 3DES is still widely used in EMV chip cards because of legacy
applications that do not have a crypto-agile infrastructure.
AES
The most commonly used symmetric algorithm is the Advanced Encryption Standard (AES),
which was originally known as Rijndael. This is the standard set by the U.S. National
Institute of Standards and Technology in 2001 for the encryption of electronic data
announced in U.S. FIPS PUB 197. This standard supersedes DES, which had been in use
since 1977. Under NIST, the AES cipher has a block size of 128 bits, but can have three
diferent key lengths as shown with AES-128, AES-192 and AES-256.
Key Exhaustion
Symmetric Encryption sufers from behavior where every use of a key ‘leaks’ some
information that can potentially be used by an attacker to reconstruct the key. The
defenses against this behavior include using a key hierarchy to ensure that master or
key-encryption keys are not over-used and the appropriate rotation of keys that do
encrypt volumes of data. To be tractable, both these solutions require competent
key-management strategies as if (for example) a retired encryption key cannot be
recovered the data is potentially lost.
Attribution data
The latter issue is somewhat addressed by standards such as ANSI X9-31 where a
key can be bound to information prescribing its usage. But for full control over what a
key can be used for and when it can be used, a key-management system is
required.
Consider an EMV payment card deployment: millions of cards multiplied by several keys-
per-card requires a dedicated provision and key-management system.
Problems with Symmetric Algorithms
One big issue with using symmetric algorithms is the key exchange problem, which can
present a classic catch-22. The other main issue is the problem of trust between two parties
that share a secret symmetric key. Problems of trust may be encountered when encryption is
used for authentication and integrity checking. As we saw in Chapter 3, a symmetric key can
be used to verify the identity of the other communicating party, but as we will now see, this
requires that one party trust the other.
In some situations, direct key exchange is possible; however, much commercial data
exchange now takes place between parties that have never previously communicated with
one another, and there is no opportunity to exchange keys in advance. These parties
generally do not know one another sufficiently to establish the required trust (a problem
described in the next section) to use symmetric algorithms for authentication purposes
either. With the explosive growth of the Internet, it is now very often a requirement that
parties who have never previously communicated be able to spontaneously communicate
with each other in a secure and authenticated manner. Fortunately, this issue can be dealt
with effectively by using asymmetric algorithms.
The Solution
The answer is actually rather simple, but non-obvious:
Put your secret message in a box, and lock it. Keep the key, and send the box to me.
When I receive the box, I'll put my own lock on the box as well, and keep the key for it,
then send the box back to you.
When you get the box back with two locks on it, you use your key to unlock your lock
and take it off, then send the box back to me.
I can now unlock my lock on the box with my key, and there are no longer any locks on
the box. I now have access to the secret message inside.
Note that this exchange provides no authentication on its own: whoever answers the first
box can play "me", so in practice it has to be combined with a way of verifying the other
party.
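The two-locks exchange realised in arithmetic, as an added example that is not from the original text: Shamir's three-pass protocol, where each lock is a secret exponent modulo a prime and the locks commute because exponents multiply. The prime (the Mersenne prime 2^127 - 1) and the random exponents are constructed for the example; the message must be an integer in the range 1 to p-1.

```python
import secrets
from math import gcd

P = 2**127 - 1   # constructed demonstration prime

def new_lock(p=P):
    """A random lock exponent e coprime to p-1, and the matching unlock exponent e^-1 mod (p-1)."""
    while True:
        e = secrets.randbelow(p - 2) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(message_int, p=P):
    """Returns (the three values seen on the wire, the message the receiver recovers)."""
    if not 1 <= message_int < p:
        raise ValueError("message must be an integer in [1, p-1]")
    a_lock, a_key = new_lock(p)           # sender's lock and key
    b_lock, b_key = new_lock(p)           # receiver's lock and key
    box1 = pow(message_int, a_lock, p)    # 1. sender locks the box and sends it
    box2 = pow(box1, b_lock, p)           # 2. receiver adds a second lock and sends it back
    box3 = pow(box2, a_key, p)            # 3. sender removes the first lock and sends it again
    recovered = pow(box3, b_key, p)       # receiver removes the remaining lock
    return (box1, box2, box3), recovered

def send_text(text):
    """Convenience wrapper for a short byte string (must fit below p)."""
    m = int.from_bytes(text, "big")
    wire, recovered = three_pass(m)
    return wire, recovered.to_bytes(len(text), "big")
```

The locks commute because a_lock * b_lock * a_key * b_key ≡ 1 (mod p-1), so the message comes back unchanged regardless of the order in which the exponents are applied; an observer sees only the three boxed values.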