Confidentiality Using Symmetric

Encryption

Cryptography & Network Security (Fourth Edition) by

William Stallings.
Confidentiality is the Fact of Private
Information Being Kept “SECRET”
 Topics Covered

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 TOPICS COVERED

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
POTENTIAL LOCATIONS FOR CONFIDENTIALITY
ATTACK
“Another point of
Vulnerability”

“First point of
Vulnerability”

Figure: Points Of Vulnerability

 Contd..

Have many locations where attacks can occur in a typical

scenario (Stallings Figure 7.1), such as when have:

• Workstations on LANs access other workstations &

servers on LAN.
• LANs interconnected using switches/routers
• External lines or radio/satellite links.
• Wiring Station etc…
 Contd..

Consider attacks and placement in this scenario:

• snooping from another workstation by any employee

• use dial-in to LAN or server to snoop
• physically tap line in wiring closet
• use external router link to enter & snoop
• monitor and/or modify traffic one external links.
 TOPICS COVERED

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 Placement of Encryption Function

The most powerful and most common approach to securing the

points of vulnerability highlighted in the preceding section is
encryption. If encryption is to be used to counter these attacks,
then we need to decide what to encrypt and where the
encryption gear should be located.

There are two fundamental alternatives:

• link encryption
• end-to-end encryption

9
 Link Encryption

• Each vulnerable communications link is equipped on both

ends with an encryption device.
• Each pair of nodes that share a link should share a unique
key, with a different key used on each link. Thus, many
keys must be provided.
• The entire packet (header + data) is encrypted.

10
Contd..
 Disadvantages of Link Encryption

• The message must be decrypted each time it enters a

switch because the switch must read the address in the
packet header in order to route the frame. Thus, the
message is vulnerable(attackable) at each switch.
• It requires a lot of encryption devices.
• If working with a public network, the user has no control
over the security of the nodes.
 End-to-End Encryption

• The encryption process is carried out at the two end

systems.
• The source host or terminal encrypts the data. The
destination shares a key with the source and so is able to
decrypt the data.
• This encryption relieves the end user of concerns about
the degree of security of networks and links that
support the communication.
13
 Contd..

• Provides a degree of authentication. If two end systems

share an encryption key, then a recipient is assured that any
message that it receives comes from the alleged sender,
because only that sender shares the relevant key

• What part of each packet should be encrypted?

• Encrypting the entire packet?

• Impossible. The encrypted packet cannot be routed.

• Encrypting only the user data?

• Possible. But the traffic pattern is revealed.
14
 Link versus End-to-End Encryption

• To achieve greater security, both link and end-to-end

encryption are needed!
1. The source host encrypts the user data portion of a packet
using an end-to-end encryption key.

2. Then, the entire packet is encrypted using a link encryption

key.

3. As the packet traverse the network, each switch decrypts the

entire packet, using a link encryption key to read the header, and
then encrypts the entire packet for sending it out on the next
link.

15
 TOPICS COVERED

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 Traffic Confidentiality

• Information that can be derived from a traffic analysis

• Identities of partners

• How frequently the partners are communicating.

• Message pattern, message length, or quantity of messages that

suggest important information is being exchanged.

• The events that correlate with special conversations between

particular partners.

17
Contd..

• With the use of link encryption, packet headers are

encrypted, reducing the opportunity for traffic analysis.
However, it is still possible in those circumstances for an
attacker to assess the amount of traffic on a network and to
observe the amount of traffic entering and leaving each end
system.
• An effective countermeasure to this attack is traffic
padding.
 Traffic Padding
• When plaintext is available, it is encrypted and transmitted.
• When plaintext is not present, random data are encrypted and
transmitted.

• This make it impossible to distinguish between true data flow

and padding.
19
 TOPICS COVERED

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 Key Distribution

• Introduction

• For symmetric encryption to work, the two parties must share

the same key.

• Frequent key changes are usually desirable to limit the amount of

data compromised if an attacker learns the key.

• Therefore, the strength of any cryptographic system rests with

the key distribution technique.

21
 Key Distribution

• Key distribution ways

1. A can select a key and physically deliver it to B.

2. A third party can select the key and physically deliver it to A

and B.

3. If A and B have previously and recently used a key, one party can
transmit the new key to the other encrypted using the old
key.

4. If A and B each has an encrypted connection to a third party

C, C can deliver a key on the encrypted links to A and B.

22
 Key Distribution

• Key distribution options 1 and 2 :-

• For link encryptions: OK

• Each node exchanges data with only its neighboring
nodes.

• For end-to-end encryptions: Awkward

• Network or IP-level encryption (N host)
• A distributed system with N nodes : N(N-1)/2 keys are
needed.
• Application level encryption
• A key is needed for every pair of users or processes that
require communication.

23
 Key Distribution

• Key distribution option 3

• It can be appropriate for link and end-to-end encryption.

• BUT if an attacker ever succeeds in gaining access to one

key, then all subsequent keys will be revealed.

• Furthermore, the initial distribution of N(N – 1)/2 keys is

awkward.

24
 Key Distribution

• Key distribution option 4

• For end-to-end encryption, some variation on it has been

widely adopted.
• Each user must share a unique key with the Key
distribution center (KDC) for purposes of key distribution.
(N keys in total.)

25
 Key Hierarchy

• Session key
• Temporary key
• Used for the duration of a logical connection between A and B.
• Generated by the key distribution center.
• [N(N – 1)] / 2 keys are needed at any one time.

• Master key
• Session keys are encrypted using a master key.
• N master keys are required.
• Physically delivered.

26
 Contd..

Figure: The Use of a Key Hierarchy

 Key Distribution Scenario

Let us assume that user A wishes to establish a logical

connection with B and requires a one-time session key to protect
the data transmitted over the connection. A has a master key,
Ka, known only to itself and the KDC; similarly, B shares the

master key Kb with the KDC. The following steps occur:

 Key Distribution Scenario

Key
Distribution
Center(KDC)

1
||N
B
||I D

||
s
K
Authentication

,[
A
D

b
(K
)I

Steps

|| E
(1

key

])
1
||N
Distribution

B
D
||I
steps
A
D
||I
s
a ,[
K
ID )E(K
A ])
(2

(3) E (Kb, [Ks,IDA])

INITIATOR RESPONDER
A B

(4) E (Ks, N2)

(5) E (Ks, f(N2))

 Key Distribution Scenario

• A Key Distribution Scenario

• (1) IDA|| IDB||N1
• A issues a request to the KDC for a session key to connect to B.
• The message includes
• The identity of A and B
• A unique identifier N1,(nonce) for this transaction.
• The nonce may be a timestamp, a counter, or a random number.
• It must differ with other request’s nonce.
• It should be difficult for an opponent to guess the nonce to prevent
masquerade.
• Thus, a random number is a good choice for a nonce.

30
 Key Distribution Scenario

• A Key Distribution Scenario

• (2) E(Ka,[Ks||IDA||IDB||N1]) || E(Kb, [Ks||IDA])
• The KDC responds with a message encrypted using Ka.
• A is the only one who can receive the message and A know that it
originated at the KDC.
• The message includes two items for A.
• The one-time session key Ks
• The original request message IDA||IDB||N1
• The message includes two items for B.
• The one-time session key Ks
• An identifier of A, IDA

31
 Key Distribution Scenario

• A Key Distribution Scenario

• (3) E (Kb, [Ks,IDA])
• A stores the session key and forward E (Kb, [Ks,IDA]) to B.
• It is encrypted by Kb so it is protected from eavesdropping.
• Now, B knows the session key Ks, knows the other party is A, and
knows that the information originated at the KDC. (because it is
encrypted using Kb)

32
 Key Distribution Scenario

• A Key Distribution Scenario

• (4) E (Ks, N2)
• B sends a nonce N2 to A encrypted with the new session key Ks.

• (5) E (Ks, f(N2))

• A responds with f(N2).
• f(N2) an arbitrary function that transforming N2
• For example, f(N2) = N2 + 1.

• Steps (4) and (5) are to confirm that both A and B have the
correct session key.

33
 Session Key Lifetime

• Session key lifetime: How often session keys are changed.

• The more often the keys are changed, the more secure they are.
• Because the opponent has less ciphertext for any given session key.

• The less often the keys are changed, the more efficient they are.
• Because the key distribution delays data transmission.

• A security manager have to balance these competing considerations

in determining the session key lifetime.

34
 Session Key Lifetime

• Session key lifetime

• Connection-oriented protocol
• Normally, a session key per connection.
• However, the session is too long, periodically changing the session
key is recommendable.

• Connectionless protocol
• A session key for a fixed period.

35
 A Transparent Key Control Scheme

The approach suggested in Previous Figure has many

variations, one of which is described in this subsection. The
scheme is useful for providing end-to-end encryption at a
network or transport level in a way that is transparent to the end
users. The approach assumes that communication makes use of
a connection-oriented end-to-end protocol, such as TCP. The
noteworthy element of this approach is a session security
module (SSM), which may consists of functionality at one
protocol layer, that performs end-to-end encryption and obtains
session keys on behalf of its host or terminal.
A Transparent Key Control Scheme

37
 Steps of Automatic Key Distribution

1. One host transmits a connection-request packet.

2. The SSM saves that packet and applies to the KDC for
permission to establish the connection.
3. The communication between the SSM and the KDC is
encrypted using a master key shared only by this SSM and
the KDC. If the KDC approves the connection request, it
generates the session key and delivers it to the two
appropriate SSMs, using a unique permanent key for each
SSM.
4. All user data exchanged between the two end systems are
encrypted by their respective SSMs using the one-time
session key.
 Decentralized key Control

• When KDC is used, the KDC should be trusted and

protected from subversion.
• But this requirement can be avoided if key distribution is fully
decentralization.
• A decentralized approach requires that each end system be
able to communicate in a secure manner with all potential
partner for purpose of session key distribution.
• n(n-1)/2 master keys are needed for a configuration with n
end systems.
• Each node must maintain (n-1) master keys.
Decentralized key Control
 Decentralized key Control

A session key may be established with the following sequence of

steps:

1. A issues a request to B for a session key and includes a

nonce, N1.
2. B responds with a message that is encrypted using the
shared master key. The response includes the session key
selected by B, an identifier of B, the value f(N1) and another
nonce, N2.
3. Using the new session key, A returns f(N2) to B.
 Topics Covered

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 Key Distribution using Asymmetric Encryption

There can be of two types of scenario is this case:

1. Simple Secret Key Distribution.
2. Secret Key Distribution with Confidentiality and
Authentication.
 Simple Secret Key Distribution

An extremely simple scheme was put forward which is illustrated

in the following Figure
 Simple Secret Key Distribution
If A wishes to communicate with B, the following procedure is
employed:
1. A generates a public/private key pair {PUa, PRa} and
transmits a message to B consisting of PUa and an identifier
of A, IDA
2. B generates a secret key, Ks, and transmits it to A, which is
encrypted with A’s public key.
3. A Decrypts D(PRa, E(PUa, Ks)) to recover the secret key.
Because only A can decrypt the message, only A and B will
know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.
 Secret Key Distribution with Confidentiality
and Authentication

This Scenario provides protection against both active and

passive attacks. We begin at a point when it is assumed that

A and B have exchanged public keys by one of the schemes

described subsequently in this chapter. Then the following steps

occur…
Cont…
 The Steps…

• A uses B’s public key to encrypt a message to B containing

an identifier of A(IDA) and a nonce (N1), which is used to
identify this transaction uniquely.
• B sends a message to A encrypted with PUa and containing
A’s nonce (N1) as well as a new nonce generated by B (N2).
Because only B could have decrypted message (1), the
presence of N1 in message (2) assures A that the
correspondent is B.
 Cont…

• A returns N2, encrypted using B’s public key, to assure B that

its correspondent is A.
• A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to
B. Encryption of this message with B’s public key ensures
that only B can read it; encryption with A’s private key
ensures that only A could have sent it.
• B computes D(PUa, D(PRb, M)) to recover the secret key.
 Topics Covered

• Points of Vulnerability
• Placement of Encryption Function
• Traffic Confidentiality
• Key Distribution
• Key Distribution using Asymmetric Encryption
• Distribution of Public Keys
 Distribution of Public Keys

Several techniques have been proposed for the distribution of

public keys. Virtually all these proposals can be grouped into the
following general schemes:
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
 Public Announcement

• The point of public-key encryption is that the public key is

public. Thus, if there is some broadly accepted public-key
algorithm, such as RSA, any participant can send his or her
public key to any other participant or broadcast the key to
the community at large.
• Although this approach is convenient, it has a major
weakness. Anyone can forge such a public announcement.
That is, some user could pretend to be user A and send a
public key to another participant or broadcast such a public
key.
 Publicly Available Directory

A greater degree of security can be achieved by maintaining a

publicly available dynamic directory of public keys.
Maintenance and distribution of the public directory would have
to be the responsibility of some trusted entity or
organization like the following Figure:
 Cont..

1. The authority maintains a directory with a {name, public key}

entry for each participant.
2. Each participant registers a public key with the directory
authority. Registration would have to be in person or by
some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at
any time.
4. Participants could also access the directory electronically
using a secure connection.
 Public Key Authority

Stronger security for public-key distribution can be achieved by

providing tighter control over the distribution of public keys from
the directory. A typical scenario is illustrated in the Following
Figure. As before, the scenario assumes that a central authority
maintains a dynamic directory of public keys of all
participants. In addition, each participant reliably knows a
public key for the authority, with only the authority knowing the
corresponding private key.
 Cont..

The following steps (matched by number to Figure 14.11) occur.

➢ A sends a time stamped message to the public-key authority
containing a request for the current public key of B.
➢ The authority responds with a message that is encrypted
using the authority’s private key, PRauth .Thus,A is able to
decrypt the message using the authority’s public
key.Therefore,A is assured that the message originated with
the authority.
 Cont…

The message includes the following:

• B’s public key, PUb, which A can use to encrypt messages
destined for B
• The original request used to enable A to match this response
with the corresponding earlier request and to verify that the
original request was not altered before reception by the
authority
• The original timestamp given so A can determine that this is
not an old message from the authority containing a key other
than B’s current public key
 Cont…

➢ A stores B’s public key and also uses it to encrypt a message

to B containing an identifier of A (IDA) and a nonce (N1),
which is used to identify this transaction uniquely.
➢ B retrieves A’s public key from the authority in the same
manner as A retrieved B’s public key.

At this point, public keys have been securely delivered to A and

B, and they may begin their protected exchange. However, two
additional steps are desirable:
 Cont…

➢ B sends a message to A encrypted with PUa and containing

A’s nonce (N1) as well as a new nonce generated by B (N2).
Because only B could have decrypted message (3), the
presence of N1 in message (6) assures A that the
correspondent is B.
➢ A returns N2, which is encrypted using B’s public key, to
assure B that its correspondent is A.
 Public Key Certificates

An alternative approach to the aforementioned technique is the

use of certificates that can be used by participants to exchange
keys without contacting a public-key authority. Each
certificate, containing a public key and other information, is
created by a certificate authority and is given to the
participant with the matching private key. A participant conveys
its key information to another by transmitting its certificate.
Other participants can verify that the certificate was created by
the authority.
 Cont…

Four requirements can be placed on this particular scheme:

1. Any participant can read a certificate to determine the name
and public key of the certificate’s owner.
2. Any participant can verify that the certificate originated from
the certificate authority and is not counterfeit.
3. Only the certificate authority can create and update
certificates.
4. Any participant can verify the currency of the certificate.
Cont…
 Cont…

An example of this scheme can be seen using the following

transaction:
CA = E(PRauth [T, IDA, PUA])

where CA is A’s certificate, PRauth is the private key of the

certificate authority, IDA is A’s identification and PUA is A’s public
key.
A can then pass CA to any participant who reads and verifies it as
follows:
D(PUauth ,CA) = D(PUauth,E(PRauth [T, IDA, PUA]))
= (T, IDA, PUA)