Chapter 5 HK

Chapter 5 discusses the Kerberos network authentication protocol, detailing its components and processes for secure client/server authentication using secret-key cryptography. It also covers email security protocols like SMTP, PEM, and PGP, along with the Public Key Infrastructure (PKI) and its role in secure communications. Additionally, the chapter outlines various types of cyber crimes and compliance standards for information security management.

Uploaded by koliharsha600

CHAPTER 5

Kerberos
Kerberos: Kerberos is a network authentication protocol. It is designed to provide strong authentication
for client/server applications by using secret-key cryptography. It is a solution to network security
problems, providing tools for authentication and strong cryptography over the network to help you
secure your information system.
There are 4 parties involved in the Kerberos protocol:
i) User
ii) Authentication service (AS)
iii) Ticket granting server (TGS)
iv) Service server

→ Authentication Request:
The Authentication Service (AS) receives the request from the client and verifies that the
client is indeed the computer it claims to be. This is typically done through a simple
database lookup of the user’s ID.

→ Timestamp Creation:
Upon verification, a timestamp is created. This includes the current time and an expiration
time (default is 8 hours). An encryption key is then created. The timestamp ensures the
encryption key becomes useless after expiration, minimizing risk even if a hacker intercepts
the data.

→ Ticket Granting Ticket (TGT) Issuance:
The key is sent back to the client in the form of a Ticket Granting Ticket (TGT). This ticket
is issued by the AS and is used for authenticating the client in future steps.

→ TGT Submission to TGS:
The client submits the TGT to the Ticket Granting Server (TGS) to get authenticated.

→ Service Ticket Issuance:
The TGS creates an encrypted key with a timestamp and grants the client a service ticket.

→ Ticket Decryption and Service Request:
The client decrypts the service ticket, informs the TGS that it has done so, and sends its own
encrypted key to the service server.

→ Service Server Validation:
The service server decrypts the key and checks whether the timestamp is still valid. If it is, the
service contacts the Key Distribution Center (KDC) to receive a session ticket, which is returned
to the client.

→ Session Initiation:
The client decrypts the session ticket. If the keys are still valid, secure communication is
initiated between the client and server.
AS (Authentication Server):
This server handles the initial authentication process when a user attempts to access a service. The AS
verifies the user's credentials and, if successful, issues a Ticket Granting Ticket (TGT).
TGS (Ticket-Granting Service):
The TGS acts as an intermediary. After a user authenticates with the AS and obtains a TGT, they use
that TGT to request access to a specific service. The TGS then verifies the TGT and, if valid, issues a
service ticket that allows the user to connect to the service server (SS).
SS (Service Server):
This is the actual service that the user is trying to access (e.g., a file server, a database, etc.). The SS
relies on the service ticket received from the TGS to verify the user's identity and grant them access to
the specific service.
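The exchange described above, as an added example that is not part of the original notes: a Python simulation in which the AS and TGS issue tickets with the 8-hour lifetime from the notes, and the TGS and service server (SS) refuse a ticket whose timestamp has expired or whose authenticator was not built with the session key. The toy authenticated cipher in place of the KDC's symmetric cipher, the 5-minute clock-skew tolerance, the password-derived client key and the user database are all assumptions of this example.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600  # default ticket lifetime from the notes, in seconds
MAX_SKEW = 5 * 60    # tolerated clock difference, an assumption of this example

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy authenticated encryption (SHA-256 keystream + HMAC) standing in for the
    symmetric cipher a real KDC uses; demonstration only."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct)))))

def issue(server_key, client_key, user, now):
    """What the AS and the TGS both do: mint a session key, wrap it in a ticket only
    the next server can open, and hand the client its copy under a key it already holds."""
    ticket = {"user": user, "key": os.urandom(32).hex(), "expires": now + LIFETIME}
    return seal(server_key, ticket), seal(client_key, ticket)

def verify(server_key, ticket, authenticator, now):
    """What the TGS and the SS both do: open the ticket, open the authenticator with
    the session key found inside it, then check principal, expiry and freshness."""
    t = unseal(server_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["user"] != t["user"]:
        raise ValueError("authenticator user differs from ticket user")
    if now > t["expires"]:
        raise ValueError("ticket expired")
    if abs(now - a["time"]) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    return bytes.fromhex(t["key"])

KDC_USERS = {"alice": hashlib.sha256(b"alice-pw").digest()}  # constructed user database
TGS_KEY, SERVICE_KEY = os.urandom(32), os.urandom(32)         # long-term keys, never sent

def kerberos_flow(user, password, auth_at, use_at):
    """Run the three exchanges from the notes. Returns None on success, otherwise the
    reason access was refused. auth_at is the login time and use_at the time the
    service ticket reaches the service server."""
    try:
        if user not in KDC_USERS:
            raise ValueError("unknown principal")
        tgt, as_reply = issue(TGS_KEY, KDC_USERS[user], user, auth_at)       # AS -> client
        client_key = hashlib.sha256(password.encode()).digest()               # from password
        s1 = bytes.fromhex(unseal(client_key, as_reply)["key"])               # client opens reply
        tgs_sess = verify(TGS_KEY, tgt, seal(s1, {"user": user, "time": auth_at}), auth_at)  # TGS
        st, tgs_reply = issue(SERVICE_KEY, tgs_sess, user, auth_at)           # TGS -> client
        s2 = bytes.fromhex(unseal(s1, tgs_reply)["key"])
        verify(SERVICE_KEY, st, seal(s2, {"user": user, "time": use_at}), use_at)  # SS checks
        return None
    except ValueError as e:
        return str(e)
```

Calling `kerberos_flow("alice", "alice-pw", t, t + 9 * 3600)` shows the service server rejecting a ticket presented after the 8-hour lifetime, while a wrong password fails already at the AS reply.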

IP Security (IPsec) protocol
Authentication header (AH):
1. The AH provides support for data integrity and authentication of IP packets. The data integrity
service ensures that the data inside an IP packet is not altered in transit.
2. The authentication service enables an end user or computer system to authenticate the user or the
application at the other end and to accept or reject packets accordingly.
Encapsulating Security Payload (ESP):
1. Used to provide confidentiality, data origin authentication and data integrity.
2. It is based on symmetric-key cryptography.
3. ESP can be used on its own or combined with AH.
Email security-
Email is emerging as one of the most valuable services on the internet today. Most internet systems
use SMTP to transfer mail from one user to another. SMTP is a push protocol used to send mail,
whereas POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used to retrieve
the mail at the receiver's side.
1. SMTP (Simple Mail Transfer Protocol)
2. PEM (Privacy Enhanced Mail)
3. PGP (Pretty Good Privacy)

→ SMTP (Simple Mail Transfer Protocol) is a protocol for sending email messages between
servers.
→ Most e-mail systems that send mail over the Internet use SMTP to send messages from one
server to another; the messages can then be retrieved with an e-mail client using either POP
or IMAP.
→ In addition, SMTP is generally used to send messages from a mail client to a mail server.
→ This is why you need to specify both the POP or IMAP server and the SMTP server when
you configure your e-mail application.
→ SMTP usually is implemented to operate over Internet port 25.
→ An alternative to SMTP that is widely used in Europe is X.400.
→ Many mail servers now support Extended Simple Mail Transfer Protocol (ESMTP), which
allows multimedia files to be delivered as e-mail.

The basic phases of an email communication consist of the following steps:

1. At the sender's end, an SMTP server takes the message sent by the user's computer.
2. The SMTP server at the sender's end then transfers the message to the SMTP server of the
receiver.
3. The receiver's computer then pulls the email message from the SMTP server at the
receiver's end, using another mail protocol such as Post Office Protocol (POP) or IMAP
(Internet Message Access Protocol).
PEM:
Privacy Enhanced Mail (PEM) is an email security standard for providing secure electronic mail
communication over the internet. Security of email messages has become extremely important
nowadays; in order to deal with the security issues of email, the Internet Architecture Board has
adopted it.
The PEM works basically in 4 main steps.
1. Canonical Conversion –
This step converts the message into a standard, platform-independent format that does not depend
on the computer architecture or the operating system of the sender and the receiver, avoiding
discrepancies due to differing system architectures.
This ensures consistency in message interpretation between sender and receiver.
2. Digital Signature –
In this step, the digital signature is generated by encrypting the message digest of an email
message with the sender’s private key.

3. Encryption –
The encrypted message is generated by encrypting the original message and the digital signature
together with a symmetric key, as shown in the figure below. This step is crucial for obtaining
confidentiality.
4. Base-64 Encoding –
Converts binary output into ASCII characters using Base-64 encoding for safe email transmission.
This allows binary data to be sent over text-based communication channels like email.
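The four PEM steps carried through end to end in Python, as an added example that is not PEM's own reference code: canonical CRLF form, a digest signed with the sender's private key, message plus signature encrypted under a per-message symmetric key that is itself wrapped for the recipient, and folded Base-64 armour. The textbook RSA over Mersenne primes and the SHA-256 keystream cipher are stand-ins chosen for this example, not the algorithms PEM specifies.

```python
import base64, hashlib, os

# Textbook RSA over Mersenne primes stands in for the sender's and recipient's key
# pairs (unpadded, demonstration only; real systems use padded RSA). Computing d
# at runtime keeps the example free of hand-typed constants.
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (public key, private key)

ALICE_PUB, ALICE_PRIV = rsa_keypair((1 << 127) - 1, (1 << 521) - 1)  # sender, n ~ 2^648
BOB_PUB, BOB_PRIV = rsa_keypair((1 << 107) - 1, (1 << 607) - 1)      # recipient, n ~ 2^714
WIDTH = 96  # bytes reserved for one RSA value; both moduli are below 2^768

def canonicalize(text):
    """Step 1: platform-independent form, here CRLF line ends and no trailing blanks."""
    return "\r\n".join(line.rstrip() for line in text.splitlines()).encode("ascii")

def sign(priv, data):
    """Step 2: hash the canonical message, then encrypt the digest with the private key."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def xor_stream(key, iv, data):
    """Symmetric cipher for step 3 (SHA-256 keystream; demonstration only)."""
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def base64_fold(raw):
    """Step 4: ASCII armour, folded to 64 columns as PEM does."""
    text = base64.b64encode(raw).decode("ascii")
    return "\n".join(text[i:i + 64] for i in range(0, len(text), 64))

def pem_encapsulate(text, sender_priv, recipient_pub):
    body = canonicalize(text)
    sig = sign(sender_priv, body).to_bytes(WIDTH, "big")
    dek, iv = os.urandom(16), os.urandom(16)                      # per-message data key
    ciphertext = xor_stream(dek, iv, body + sig)                   # step 3: message + signature
    n, e = recipient_pub
    wrapped = pow(int.from_bytes(dek, "big"), e, n).to_bytes(WIDTH, "big")  # DEK for recipient only
    return base64_fold(iv + wrapped + ciphertext)

def pem_open(armored, recipient_priv, sender_pub):
    raw = base64.b64decode(armored.replace("\n", ""))
    iv, wrapped, ciphertext = raw[:16], raw[16:16 + WIDTH], raw[16 + WIDTH:]
    n, d = recipient_priv
    dek = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(16, "big")
    plain = xor_stream(dek, iv, ciphertext)
    body, sig = plain[:-WIDTH], int.from_bytes(plain[-WIDTH:], "big")
    if not verify(sender_pub, body, sig):
        raise ValueError("signature check failed: message altered or not from this sender")
    return body.decode("ascii")
```

Signing the canonical form is what lets a message written with LF line ends on one system verify after it was stored with CRLF on another; `pem_open` with the wrong sender key shows the signature check refusing the message.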

PGP
→ Pretty Good Privacy (PGP) is encryption software designed to ensure the confidentiality, integrity,
and authenticity of digital communications and data.
→ It is considered one of the best methods for securing digital data.
→ At its core, PGP works on a hybrid cryptographic method that combines symmetric-key and public-key
cryptography techniques.
→ Symmetric-key cryptography uses one secret key for both encrypting and decrypting data. Public-key
cryptography uses two keys: a public key (shared with everyone) for encryption and a private key (kept
secret) for decryption.

The following are the services offered by PGP:

1. Authentication
2. Confidentiality
3. Email Compatibility
4. Segmentation

Public Key Infrastructure –


→ A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures
needed to create, manage, distribute, use, store and revoke digital certificates and manage public
key encryption.
→ The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of
network activities such as e-commerce, internet banking and confidential email.
→ PKI is the governing body behind issuing digital certificates.
→ It helps to protect confidential data and gives unique identities to users and systems. Thus, it
ensures security in communications.
→ The public key infrastructure uses a pair of keys: the public key and the private key to achieve
security.
→ The public keys are prone to attacks and thus an intact infrastructure is needed to maintain them.
PKI identifies a public key along with its purpose.
It usually consists of the following components:

• A digital certificate, also called a public key certificate
• Private key tokens
• Registration authority
• Certification authority
• CMS or Certificate management system
Working of a PKI:
PKI and Encryption: The root of PKI involves the use of cryptography and encryption techniques. Both
symmetric and asymmetric encryption use a public key. There is always a risk of MITM (Man in the
middle). This issue is resolved by a PKI using digital certificates. It gives identities to keys in order to
make the verification of owners easy and accurate.
Public Key Certificate or Digital Certificate: Digital certificates are issued to people and electronic
systems to uniquely identify them in the digital world.

• The Certification Authority (CA) stores the public key of a user along with other information
about the client in the digital certificate. The information is signed and a digital signature is also
included in the certificate.
• The public key can then be validated by verifying the signature using the public key of the
Certification Authority.
Certifying Authorities: A CA issues and verifies certificates. This authority makes sure that the
information in a certificate is real and correct and it also digitally signs the certificate. A CA or
Certifying Authority performs these basic roles:

• Generates the key pairs – The key pair can be generated by the CA alone or in collaboration with
the client.

• Issuing of digital certificates – When the client successfully provides the right details about
their identity, the CA issues a certificate to the client. The CA then signs this certificate digitally
so that no changes can be made to the information.

• Publishing of certificates – The CA publishes the certificates so that the users can find them. They
can do this by either publishing them in an electronic telephone directory or by sending them out to
other people.

• Verification of certificate – CA gives a public key that helps in verifying if the access attempt is
authorized or not.

• Revocation – In case of suspicious behavior of a client or loss of trust in them, the CA has the
power to revoke the digital certificate.
The most popular usage example of PKI (Public Key Infrastructure) is the HTTPS (Hypertext Transfer
Protocol Secure) protocol. HTTPS is a combination of the HTTP (Hypertext Transfer Protocol) and
SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols to provide encrypted
communication and secure identification of a Web server.
In HTTPS, the Web server's PKI certificate is used by the browser for two purposes:

• Validate the identity of the Web server by verifying the CA's digital signature in the certificate.

• Encrypt a secret key to be securely delivered to the Web server. The secret key will be used to
encrypt the actual data exchanged between the browser and the Web server.
Other examples of PKI (Public Key Infrastructure) are:

• Digital signature - The sender of a digital message uses his/her private key to generate a digital
signature attached to the message. The receiver uses the sender's certificate to verify the digital
signature to ensure the message was sent by the claimed sender.

• Encryption of documents - The sender of a digital message uses the receiver's certificate to encrypt
the message to protect its confidentiality. Only the receiver, who holds the matching private key,
can decrypt the message.

• Digital identification - A user's certificate is stored in a smart card and used to verify the card
holder's identity.
Cyber Crime-
Types of cyber crime :-
1. Hacking
2. Digital Forgery
3. Cyber Stalking / Harassment
4. Cyber Pornography
5. Identity Theft and Fraud
6. Cyber Terrorism
7. Cyber Defamation
Hacking-

→ Hacking refers to the unauthorized access of another computer system. It is the practice of
modifying the features of a system in order to accomplish a goal outside of the creator's original
purpose.
→ The word hacker has now taken on numerous meanings, from a person who enjoys learning the
details of computer systems and how to stretch their capabilities to a malicious or inquisitive
meddler who tries to discover information by deceptive or illegal means.
→ Every act committed towards breaking into a computer and/or network is hacking and it is an
offence. Hackers write or use readymade computer programs to attack the target computer.
→ They possess the desire to destruct and they get enjoyment out of such destruction. Some hackers
hack for personal monetary gains, such as stealing credit card information, transferring money from
various bank accounts to their own account followed by withdrawal of money.
There are different types of hackers:
i. White Hat
ii. Black Hat
iii. Grey Hat
iv. Elite Hacker
v. Script Kiddie
Digital Forgery:
Creating or altering digital documents to deceive others, like forging signatures, altering bank
statements, or manipulating photos to fabricate evidence.
Cyber Stalking / Harassment:
Repeatedly using electronic communication to intimidate, harass, or threaten someone, which can
include sending threatening messages, posting embarrassing content online, or tracking someone's
online activity.
Cyber Pornography:
Illegally distributing or possessing child pornography, which involves sexually explicit material
depicting minors.
Identity Theft and Fraud:
Stealing personal information like social security numbers, credit card details, or passwords to use
for fraudulent activities, such as opening new accounts, making purchases, or committing identity
theft.
Cyber Terrorism:
Using computer networks to intimidate or cause harm to individuals, organizations, or governments,
often by disrupting critical infrastructure or launching large-scale attacks.
Cyber Defamation:
Publishing false and defamatory statements about someone online, causing damage to their
reputation.
Cyber Laws
1. Cyber terrorism against a government organization
Category: Cyber Terrorism/ Cyber Crime Against government
Description: Attacks aimed at causing disruption, fear, or damage to
government infrastructure or national security through digital means.
2. Cyber-Stalking
Category: Cyber Crime Against Individuals
Description: Repeated online harassment or threats directed at a person using
digital communication tools.
3. Copyright Infringement
Category: Intellectual Property Crime
Description: Unauthorized use, reproduction, or distribution of copyrighted
digital content (e.g., software, music, videos).
4. Email Harassment
Category: Cyber Crime Against Individuals
Description: Sending threatening, abusive, or unwanted emails to intimidate
or annoy the recipient.
(i) Cyber terrorism against a government organization:
This involves using technology to threaten or intimidate a government organization,
potentially causing fear or disruption. Examples could include disrupting government
websites, spreading malicious software, or threatening public safety.
(ii) Cyberstalking:
This is a form of online harassment where someone uses technology to follow, monitor,
or threaten another person, often with the intent to cause distress or fear. It can involve
unwanted emails, social media messages, or tracking someone's online activity.
(iii) Copyright infringement:
This occurs when someone uses, distributes, or reproduces copyrighted material without
permission from the copyright holder, like using a song or image without authorization.
(iv) Email harassment:
This involves unwanted, unsolicited, or threatening emails that are intended to cause
distress or fear to the recipient, often involving repetitive or malicious messages.
Compliance Standards
Implementing compliance standards like ISO 27001, ISO 20000, BS 25999, PCI DSS, ITIL, and
COBIT frameworks involves establishing and maintaining an Information Security Management System
(ISMS), as well as best practices for IT service management and enterprise IT governance. These
standards offer organizations a structured approach to managing information security, IT services, and
business continuity, ensuring data protection and operational efficiency.
1. Information Security Management Systems (ISMS):
• ISO/IEC 27001: A globally recognized standard for ISMS, providing a framework for
organizations to establish, implement, maintain, and continually improve their ISMS. It helps
organizations manage risks related to data security and ensure confidentiality, integrity, and
availability.
• ISO/IEC 27002: Provides guidance on implementing the controls specified in ISO/IEC 27001.
• BS 25999: A standard for Business Continuity Management (BCM), providing a framework for
planning, implementing, and maintaining business continuity measures.
2. IT Service Management (ITSM):
• ISO/IEC 20000:
An international standard for IT service management, providing a framework for organizations to plan,
establish, implement, operate, monitor, review, maintain, and continually improve their IT service
management systems. It's based on the ITIL framework.

• COBIT (Control Objectives for Information and Related Technologies):
A framework for IT governance, helping organizations align IT with business objectives and manage IT
risks.
COBIT stands for "Control Objectives for Information and related Technology"; it is a framework that
was developed by ISACA (Information Systems Audit and Control Association). It is a set of guidance
material for IT governance that helps organizations manage their requirements, technical issues and
business risks.
COBIT connects IT initiatives with business requirements, monitors and improves IT management
practices, and ensures quality control and reliability of information systems in an organization.

• Plan and Organize: This domain covers setting the direction for solutions, information architecture,
managing IT investments, and assessing risks, quality and projects.

• Acquire and Implement: This domain acquires and maintains application software and technology
infrastructure, develops as well as maintains procedures and manages changes, implements desired
solutions and passes them to be turned into services.

• Deliver and Support: This domain defines and manages service levels, ensures the security of the
system, educates or trains, and advises users. It receives solutions and makes them usable for end users.

• Monitor and Evaluate: This domain monitors the processes, assesses internal control capability,
obtains independent assurance, and provides independent audit.
Principles of COBIT:

• Providing the service of delivering the information that an organization requires.

• Undesired events are prevented, detected and corrected.

• Managing and controlling IT resources using a structured set of processes.

• Fulfilling clients' requirements.

• ITIL (IT Infrastructure Library):
A framework of best practices for IT service management, providing a structured approach to managing
IT services. The ITIL v3 framework is based on a service lifecycle approach, ensuring coordinated and
controlled IT service management across all processes and functions.
1. Service Strategy
This stage defines the overall direction, objectives, and purpose of IT services to ensure they support
the business strategy.
It involves analyzing market needs, managing demand, and developing a service portfolio to guide all
further stages.
2. Service Design
In this phase, service requirements from the strategy stage are transformed into detailed designs and
specifications.
It ensures services are planned with performance, security, availability, and cost-effectiveness in mind,
ready for development.
3. Service Transition
Focuses on building, testing, and deploying new or modified services into the live environment without
disrupting operations.
It manages changes, ensures proper documentation, and transfers knowledge to users and support
teams.
4. Service Operation
Handles the daily tasks of delivering and managing IT services to ensure they run smoothly and meet
agreed service levels.
It includes monitoring, incident and problem management, and user support to maintain service quality.
5. Continual Service Improvement (CSI)
CSI continuously evaluates service performance using metrics and feedback to identify areas for
improvement.
It ensures services remain aligned with changing business needs and deliver increasing value over time.
