Network Security Services
Network security is a broad term that covers a multitude of technologies, devices and
processes. In the simplest terms, it is a set of rules and configurations designed to
protect the integrity, confidentiality and accessibility of computer networks and data
using both software and hardware technologies.
1. Message confidentiality
• It means that the content of a message when transmitted across a network must
remain confidential, i.e. only the intended receiver and no one else should be able
to read the message.
• Users therefore want to encrypt the messages they send so that an
eavesdropper on the network will not be able to read their contents.
2. Message Integrity
• It means the data must reach the destination without any adulteration, i.e. exactly
as it was sent.
• There must be no changes during transmission, whether accidental or
malicious.
• Integrity of a message is ensured by attaching a checksum to the message.
3. Message Authentication
• In message authentication, the receiver needs to be sure of the sender’s
identity, i.e. the receiver has to make sure that the actual sender is the one it
claims to be.
• There are different methods to check the genuineness of the sender:
1. The two parties share a common secret code word. A party is required to show
the secret code word to the other for authentication.
2. Authentication can be done by sending a digital signature.
3. A trusted third party verifies the authenticity. One such way is to use digital
certificates issued by a recognized certification authority.
4. Message non-repudiation
• Non-repudiation means that a sender must not be able to deny sending a
message that it actually sent.
• The burden of proof falls on the receiver.
• Non-repudiation is not only in respect of the ownership of the message; the
receiver must prove that the contents of the message are also the same as the
sender sent.
• Non-repudiation is achieved by authentication and integrity mechanisms.
5. Entity Authentication
• In entity authentication (or user identification) the entity or user is verified prior to
access to the system resources.
Message Authentication Code (MAC)
Message Authentication Code (MAC), also referred to as a tag, is used to authenticate
the origin and nature of a message. MACs use authentication cryptography to verify the
legitimacy of data sent through a network or transferred from one person to another.
In other words, MAC ensures that the message is coming from the correct sender, has
not been changed, and that the data transferred over a network or stored in or outside a
system is legitimate and does not contain harmful code.
How Does a Message Authentication Code Work?
The first step in the MAC process is the establishment of a secure channel between the
receiver and the sender. To authenticate a message, the MAC system uses an algorithm
that takes a symmetric key and the plain text message being sent. The MAC algorithm
then generates an authentication tag of a fixed length by processing the message. The
resulting computation is the message's MAC.
This MAC is then appended to the message and transmitted to the receiver. The
receiver computes the MAC using the same algorithm. If the resulting MAC the receiver
arrives at equals the one sent by the sender, the message is verified as authentic,
legitimate, and not tampered with.
In effect, MAC uses a secure key only known to the sender and the recipient. Without
this information, the recipient will not be able to open, use, read, or even receive the
data being sent. If the data is altered between the time the sender initiates the
transfer and when the recipient receives it, the MAC information will also be affected.
Therefore, when the recipient attempts to verify the authenticity of the data, the key will
not work, and the end result will not match that of the sender. When this kind of
discrepancy is detected, the data packet can be discarded, protecting the recipient’s
system.
The process of using MAC for authentication is depicted in the following
illustration –
• The sender uses some publicly known MAC algorithm, inputs the
message and the secret key K, and produces a MAC value.
• Similar to a hash, a MAC function also compresses an arbitrarily long input
into a fixed-length output. The major difference between a hash and a MAC
is that the MAC uses a secret key during the compression.
• The sender forwards the message along with the MAC. Here, we
assume that the message is sent in the clear, as we are concerned with
providing message origin authentication, not confidentiality. If
confidentiality is required, then the message needs encryption.
• On receipt of the message and the MAC, the receiver feeds the
received message and the shared secret key K into the MAC algorithm
and re-computes the MAC value.
• The receiver now checks equality of the freshly computed MAC with the
MAC received from the sender. If they match, then the receiver accepts
the message and is assured that the message has been sent by
the intended sender.
• If the computed MAC does not match the MAC sent by the sender, the
receiver cannot determine whether it is the message that has been
altered or the origin that has been falsified. As a bottom line, the
receiver safely assumes that the message is not genuine.
HMAC (Hash-Based Message Authentication Code)
Hash-based Message Authentication Code (HMAC) is a type of message
authentication code (MAC) involving a cryptographic hash function and a secret
cryptographic key. HMAC makes it possible to confirm the data integrity and
authenticity of a message. This is especially useful in scenarios like digital
signatures, certificate authorities, and transport layer security and secure sockets
layer (TLS and SSL) protocols. HMAC authenticates messages between parties
using cryptographic hashes based on shared secret keys. The HMAC process can
be used together with several hash functions, such as MD5 or SHA-1.
The general formula for HMAC is:
HMAC = hashFunc(secret key + message)
Secret Key
In the HMAC process, cryptographic keys play a crucial role. The operation begins
when both the sender and receiver of a message agree on a secret key. This key
will be used in the hashing process, ensuring that both parties can verify the
authenticity of the message. The secret key is combined with the original message
to create a hash.
The secret key is not directly hashed with the message but is used in a more
complex process involving a combination of XOR operations and hash functions.
This ensures that even if an attacker knows the hash function used, they cannot
generate the correct HMAC without the correct secret key.
Hash Function
The hash function is a crucial part of the HMAC process. Once the message is combined
with the secret key, the hash function is applied to the result. This hash function
can be any cryptographic hash function, such as MD5 or SHA-1. The output of the
hash function is a fixed-size string of bytes, which is the final HMAC.
The hash function is a one-way function, meaning that once the message
has been hashed, it cannot be unhashed. This process ensures data integrity, as
any change in the message or the key will result in a different hash, allowing for
easy detection of tampering.
Benefits of Using HMAC Authentication
Combines Secret Key and Hash Function
The strength of HMAC lies in its combination of both a secret key and a hash
function. The secret key adds a layer of security by ensuring that only those with the
key can generate or verify an HMAC. This aspect is particularly important in
scenarios where confidentiality and data integrity are critical.
The hash function, on the other hand, ensures data integrity by creating a unique
output for every unique input. Any change in the input, however minor, will
significantly alter the resulting hash, making any tampering evident.
Guarantees Data Integrity and Authenticity
HMAC ensures that the data has not been tampered with during transmission by
creating a unique hash for each message based on its content and a secret key.
This hash is then sent along with the message. Upon receipt, the receiver can
generate their hash from the received message and the secret key. If the received
hash matches the generated hash, the data integrity is confirmed.
Similarly, HMAC can confirm the authenticity of a message. Because the hash is
generated with a secret key, a correctly computed HMAC assures the recipient that
the message came from a source possessing the correct shared secret key and
therefore is authentic. This double-check of both integrity and authenticity provides
a high level of security for data transmission.
Digital signatures
Digital signatures are the public-key primitives of message authentication. In
the physical world, it is common to use handwritten signatures on
handwritten or typed messages. They are used to bind the signatory to the
message.
Similarly, a digital signature is a technique that binds a person/entity to the
digital data. This binding can be independently verified by the receiver as well as
any third party.
A digital signature is a cryptographic value that is calculated from the data and
a secret key known only by the signer.
How digital signatures work
Digital signatures are created and verified by using public key
cryptography, also known as asymmetric cryptography. Using a
public key algorithm, such as RSA, one can generate two keys that are
mathematically linked: one is a private key, and the other is a public key.
The user who is creating the digital signature uses their own private key
to encrypt the signature-related document. The only way to
decrypt that document is with the signer's public key.
This technology requires all the parties to trust that the individual who
creates the signature has been able to keep their private key secret. If
someone else has access to the signer's private key, there is a possibility that
they could create fraudulent signatures in the name of the private key
holder.
The steps followed in creating a digital signature are:
1. Select a file to be digitally signed.
2. The hash value of the message or file content is calculated. This
message or file content is encrypted by using the private key of the
sender to form the digital signature.
3. Now, the original message or file content along with the digital
signature is transmitted.
4. The receiver decrypts the digital signature by using the public key of the
sender.
5. The receiver now has the message or file content and can compute
it.
6. The computed message or file content is compared with the original
computed message. The two need to be the same to
ensure integrity.
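The signing and verification steps above as an added example (not code from the original notes): the signer hashes the content and transforms the hash with the private key, and the receiver recovers the hash with the public key and compares it with a freshly computed one. The key pair, function names and sample document are assumptions made for illustration; this is textbook RSA without padding, whereas deployed signature schemes add a padding step and use randomly generated keys.

```python
import hashlib

# Toy RSA key pair from two well-known Mersenne primes, constructed for this
# example only. Real keys use random primes, and real signatures add padding.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, known only to the signer


def digest_int(content: bytes) -> int:
    """Hash value of the message or file content, as an integer below N."""
    return int.from_bytes(hashlib.sha256(content).digest(), "big")


def sign(content: bytes, d: int = D, n: int = N) -> int:
    """Signer: hash the content, then transform the hash with the private key."""
    return pow(digest_int(content), d, n)


def verify(content: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver or any third party: recover the hash with the public key and
    compare it with the hash of the content that actually arrived."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(content)


def demo() -> dict:
    document = b"Pay 500 to Bob"            # constructed sample content
    signature = sign(document)
    return {
        "genuine": verify(document, signature),
        "content_changed": verify(b"Pay 900 to Bob", signature),
        "signature_changed": verify(document, signature ^ 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verification needs only the public values `E` and `N`, which is why the binding can be checked by a third party and not just by the receiver.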
Types of Digital Signature
Different document processing platforms support different types of digital
signature. They are described below:
Certified Signatures
The certified digital signature documents display a unique blue ribbon
across the top of the document. The certified signature contains the name
of the document signer and the certificate issuer which indicate the
authorship and authenticity of the document.
Approval Signatures
The approval digital signatures on a document can be used in the
organization's business workflow. They help to optimize the organization's
approval procedure. The procedure involves capturing approvals made by
us and other individuals and embedding them within the PDF document.
The approval signatures include details such as an image of our
physical signature, location, date, and official seal.
Visible Digital Signature
The visible digital signature allows a user to sign a single document
digitally. This signature appears on a document in the same way as
signatures are signed on a physical document.
Invisible Digital Signature
The invisible digital signatures carry a visual indication of a blue ribbon
within a document in the taskbar. We can use invisible digital signatures
when we do not have or do not want to display our signature but need to
provide the authenticity of the document, its integrity, and its origin.
Key Distribution
Two parties may exchange cryptographic keys through a procedure known as
key exchange, also known as key distribution, in order to use a cryptographic
algorithm.
For messages to be exchanged via encryption, both the sender and the
recipient must be able to encrypt and decrypt them. Depending on the kind
of encryption they want to use, different technologies are required. Both will
need a copy of the same codebook if they use a code.
Key Distribution is possible in-band or out-of-band.
"Channel of distribution" means the way information or keys are swapped
between two parties.
"Key exchange" is when two parties share secret codes or 'keys' to
communicate securely.
"In-band" key exchange means the keys are swapped through the same
communication channel being used for the actual data.
"Out-of-band" key exchange means the keys are shared through a separate,
different communication channel from the one used for the actual data.
Symmetric Key Distribution
The conventional approach, known as symmetric key distribution, uses a
single secret key that is shared by both sides. Before communicating, they
exchange this key via a secure channel.
When two parties share the same key (i.e. a symmetric key) that is protected
from access by others, the process by which the two parties exchange
that key is called symmetric key distribution. Suppose two persons want to
communicate with each other via messages or exchange data without
interference from others. Two parties A and B can achieve key
distribution in various ways:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can
transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third-party C, C can
deliver a key on the encrypted links to A and B.
Key Distribution Center
A key distribution center (KDC) in cryptography is a system that is
responsible for providing keys to the users in a network that shares
sensitive or private data. Each time a connection is established
between two computers in a network, they both request the KDC to
generate a unique password which can be used by the end system
users for verification.
The KDC is typically implemented as a centralized server that
maintains a database of shared secret keys for all entities in the
network. These shared secret keys are used for encryption and
decryption purposes.
The basic idea is that every node shares a unique secret key with the KDC.
Whenever user A wants to communicate securely with user B, the following
happens:
1. The background is that A has shared secret key KA with KDC. Similarly, B is
assumed to share a secret key KB with the KDC.
2. A sends a request to KDC encrypted with KA, which includes
(a) Identities of A and B
(b) A random number R, called a nonce
3. KDC responds with a message encrypted with KA, containing
(a) One-time symmetric key KS
(b) Original request that was sent by A, for verification
(c) Plus, KS encrypted with KB and ID of A encrypted with KB
4. A and B can now communicate by using KS for encryption.
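The four-step KDC exchange above with both sides' messages, as an added example that is not part of the original notes. Python's standard library has no block cipher, so `seal`/`unseal` are a hypothetical stand-in for "encrypted with K" built from HMAC-SHA256; the function names, message layout and sample identities are likewise assumptions. The final check shows what the nonce R is for: A rejects a KDC reply that was issued for an earlier request.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, obj) -> bytes:
    """Stand-in for 'encrypted with K': HMAC keystream XOR plus a MAC (illustration only)."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor_stream(_subkey(key, b"enc"), nonce, ct))


def kdc_reply(keys: dict, sender: str, sealed_request: bytes) -> bytes:
    """KDC side of steps 2-3; `keys` maps each node to its long-term key."""
    request = unseal(keys[sender], sealed_request)
    if request["from"] != sender:
        raise ValueError("request identity does not match sender")
    ks = os.urandom(32).hex()                                   # one-time key KS
    ticket = seal(keys[request["to"]], {"ks": ks, "from": sender})   # for B, under KB
    return seal(keys[sender], {"ks": ks, "request": request, "ticket": ticket.hex()})


def a_request(ka: bytes, a: str, b: str):
    request = {"from": a, "to": b, "nonce": os.urandom(16).hex()}   # nonce R
    return request, seal(ka, request)


def a_accept(ka: bytes, request: dict, sealed_reply: bytes):
    reply = unseal(ka, sealed_reply)
    if reply["request"] != request:        # the echo must carry this run's nonce
        raise ValueError("reply is not for this request")
    return bytes.fromhex(reply["ks"]), bytes.fromhex(reply["ticket"])


def b_accept(kb: bytes, ticket: bytes):
    body = unseal(kb, ticket)
    return bytes.fromhex(body["ks"]), body["from"]


def demo() -> dict:
    ka, kb = os.urandom(32), os.urandom(32)          # step 1: constructed KA, KB
    keys = {"A": ka, "B": kb}
    request, sealed = a_request(ka, "A", "B")         # step 2
    reply = kdc_reply(keys, "A", sealed)              # step 3
    ks_a, ticket = a_accept(ka, request, reply)
    ks_b, peer = b_accept(kb, ticket)                 # A forwards the ticket to B
    text = unseal(ks_b, seal(ks_a, "hello B"))        # step 4: traffic under KS
    request2, _ = a_request(ka, "A", "B")             # a later run, new nonce
    try:
        a_accept(ka, request2, reply)                 # old KDC reply replayed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"same_ks": ks_a == ks_b, "peer": peer, "text": text,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```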
Kerberos:
Kerberos is a computer network security protocol that authenticates service requests
between two or more trusted hosts across an untrusted network, like the internet.
In general, the Kerberos protocol provides security for client-server interactions in a
network. The servers can be printer servers, database servers, news servers, FTP servers,
and so on.
In the Kerberos protocol, the Key Distribution Centre (KDC) is divided into two parts, one
devoted to client authentication, and the other in charge of providing security to the service
providers.
The former is called the Authentication Server (AS) and the latter the Ticket Granting Server
(TGS).
The client cannot gain direct access to TGS and only the TGS can provide a session key to
communicate with a service provider. A client must first authenticate himself/herself/itself
to AS and obtain from AS a session key for accessing TGS.
Kerberos uses symmetric key cryptography and a key distribution center (KDC) to
authenticate and verify user identities. A KDC involves three aspects:
1. A ticket-granting server (TGS) that connects the user with the service server (SS)
2. A Kerberos database that stores the password and identification of all verified users
3. An authentication server (AS) that performs the initial authentication
During authentication, Kerberos stores the specific ticket for each session on the end-
user's device. Instead of a password, a Kerberos-aware service looks for this
ticket. Kerberos authentication takes place in a Kerberos realm, an environment in which
a KDC is authorized to authenticate a service, host, or user.
Kerberos authentication is a multistep process that consists of the following
components:
1. The client who initiates the need for a service request on the user's behalf
2. The server, which hosts the service that the user needs access to
3. The AS, which performs client authentication. If authentication is successful, the client is
issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the
client has been authenticated.
4. The KDC and its three components: the AS, the TGS, and the Kerberos database
5. The TGS application that issues service tickets
Public Key Distribution
There are four methods of public key distribution: Public announcement of
Public Keys, Publicly Available Directory, Public Key Authority and Public Key
Certificates.
Public-Key Authority
Stronger security for public-key distribution can be achieved by providing
tighter control over the distribution of public keys from the directory.
Step – 1: A sends a time stamped message to the public-key authority
containing a request for the current public key of B.
Step – 2: The authority responds with a message that is encrypted using
the authority’s private key, PRauth. Thus, A is able to decrypt the message
using the authority’s public key. Therefore, A is assured that the message
originated with the authority.
The message includes the following:
• B’s public key, PUb, which A can use to encrypt messages destined for B.
• The original request, used to enable A to match this response with the
corresponding earlier request and to verify that the original request was not
altered before reception by the authority.
• The original timestamp, given so A can determine that this is not an old
message from the authority containing a key other than B’s current public
key.
Step – 3: A stores B’s public key and also uses it to encrypt a message to B
containing an identifier of A (IDA) and a nonce (N1), which is used to
identify this transaction uniquely.
Step – 4 & 5: B retrieves A’s public key from the authority in the same
manner as A retrieved B’s public key.
Step – 6: B sends a message to A encrypted with PUa and containing A’s
nonce (N1) as well as a new nonce generated by B (N2). Because only B
could have decrypted message (3), the presence of N1 in message (6) assures
A that the correspondent is B.
Step – 7: A returns N2, which is encrypted using B’s public key, to assure B
that its correspondent is A.
Public-Key Certificates
The directory of names and public keys maintained by the authority is
vulnerable to tampering. An alternative approach, first suggested by
Kohnfelder, is to use certificates. In essence, a certificate consists of a public key, an
identifier of the key owner, and the whole block signed by a trusted third
party. Typically, the third party is a certificate authority, such as a government
agency or a financial institution that is trusted by the user community. A user
can present his or her public key to the authority in a secure manner and
obtain a certificate. The user can then publish the certificate. Anyone needing
this user’s public key can obtain the certificate and verify that it is valid by
way of the attached trusted signature. A participant can also convey its key
information to another by transmitting its certificate. Other participants can
verify that the certificate was created by the authority.
Step – 1: Any participant can read a certificate to determine the name and
public key of the certificate’s owner.
Step – 2: Any participant can verify that the certificate originated from the
certificate authority and is not counterfeit.
Step – 3: Only the certificate authority can create and update certificates.
Step – 4: Any participant can verify the certificate.
X.509 certificate: What is It and How It Works?
eMudhra Editorial
March 6, 2023
What is X.509 Certificate?
X.509 certificates are digital documents that are used to verify the identity
of individuals, organizations, or devices over the internet. They are widely
used in various applications like secure email, web browsing, online banking,
and electronic transactions.
An X.509 certificate contains information about the certificate holder's
identity, such as their name, public key, digital signature, and the name
of the certificate authority (CA) that issued the certificate. The public key
is used to encrypt messages, and the digital signature is used to verify that
the message was sent by the holder of the private key associated with the
public key.
In other words, an X.509 certificate acts like a digital identity card that
enables secure communication and transaction between two parties. The use
of X.509 certificates ensures that the communication is encrypted and
authenticated, thereby providing a high level of security for online
transactions.
The certificate includes the elements given below:
• Version number: It defines the X.509 version that applies to the
certificate.
• Serial number: It is the unique number that the certificate authority
issues.
• Signature Algorithm Identifier: This is the algorithm that is used for
signing the certificate.
• Issuer name: Gives the X.500 name of the certificate authority
which signed and created the certificate.
• Period of Validity: It defines the period for which the certificate is
valid.
• Subject Name: Gives the name of the user to whom this
certificate has been issued.
• Subject’s public key information: It defines the subject’s public key
along with an identifier of the algorithm for which this key is supposed
to be used.
• Extension block: This field contains additional standard information.
• Signature: This field contains the hash code of all other fields, which is
encrypted with the certificate authority’s private key.
How does an X.509 Certificate work?
An X.509 certificate works through a process called public-key cryptography. Here are
the basic steps of how an X.509 certificate works:
1. Certificate Request: The certificate holder generates a public-private key pair and submits
a certificate request to a trusted certificate authority (CA).
2. Verification: The CA verifies the identity of the certificate holder and validates the
certificate request.
3. Certificate Issuance: The CA issues an X.509 certificate containing the certificate holder's
public key and other identifying information, digitally signed by the CA's private key.
4. Certificate Distribution: The CA distributes the X.509 certificate to the certificate holder
and other relevant parties as necessary.
5. Certificate Verification: When the certificate holder attempts to establish a secure
communication or transaction, the recipient verifies the certificate's authenticity by checking
the digital signature of the CA and the validity period of the certificate.
6. Key Exchange: Once the certificate is verified, the recipient encrypts a session key using
the certificate holder's public key and sends it back to the certificate holder.
7. Secure Communication: The certificate holder uses their private key to decrypt the
session key and establishes a secure communication session using the session key.
Public Key Infrastructure (PKI)
Public key infrastructure (PKI) refers to tools used to create and manage public keys for
encryption, which is a common method of securing data transfers on the internet. PKI is
built into all web browsers used today, and it helps secure public internet traffic.
PKI uses cryptographic public keys that are connected to a digital
certificate, which authenticates the device or user sending the digital
communication. Digital certificates are issued by a trusted source, a
certificate authority (CA), and act as a type of digital passport to ensure
that the sender is who they say they are.
Public key infrastructure protects and authenticates communications
between servers and users, such as between the website (hosted on the
web server) and the clients (the users trying to connect through their
browsers).
The main components of public key infrastructure include the following:
• Certificate authority (CA): The CA is a trusted entity that issues,
stores, and signs the digital certificate. The CA signs the digital
certificate with their own private key and then publishes the public
key that can be accessed upon request.
• Registration authority (RA): The RA verifies the identity of the
user or device requesting the digital certificate. This can be a third
party, or the CA can also act as the RA.
• Certificate database: This database stores the digital certificate
and its metadata, which includes how long the certificate is valid.
• Central directory: This is the secure location where the
cryptographic keys are indexed and stored.
• Certificate management system: This is the system for
managing the delivery of certificates as well as access to them.
• Certificate policy: This policy outlines the procedures of the PKI. It
can be used by outsiders to determine the PKI’s trustworthiness.