Cloud Security Unit 1: Security Concepts Content: Confidentiality, privacy, integrity, authentication, non-tepudiation, availability, access control, defence in depth, least privilege, how these concepts apply in the cloud, what these concepts mean and their importance in PaaS, leaS and SaaS, eg, User authentication in the cloud; Cryptographic Systems - Symmetiic ‘cryptography, stream ciphers, block ciphers, modes of operation, public-key cryptography, hashing, digital signatures, public-key infrastructures, key management, X.509 certificates, OpenSSL. Confidentiality The concept of confidentiality states that sensitive or classified data can only be viewed by authorized users or systems. It is not acceptable for unauthorized people to access the data being transferred across the network The attacker might attempt to obtain your information by capturing the data with various online tools. Using ‘encryption techniques to protect your data is one of the main ways to prevent this since they prevent the attacker from being able to decrypt it, even if they manage to obtain access to it. The Advanced Encryption Standard (AES) and the Data Encryption Standard (DES) are two examples of encryption standards. Using a VPN tunnel to protect your data is an additional method. Virtual Private Networks, or VPNs, facilitate safe data transfer across networks. Bob —— Integrity The goal here is to ensure that the data has not been altered, Data corruption occurs when data integrity is compromised. We utilize a hash algorithm to determine whether our data has been altered There are two varieties that are commonly used: SHA (Secure Hash Algorithm) and MDS (Message Direct 5). Now, SHA is 2 160-bit hash if we're using SHA-1, and MDS is @ 128-bit hash. We could also use SHA-O, SHA- 2, and SHA-3, among other SHA techniques. Assume that to preserve integrity, Host "A" wishes to communicate data to Host “B." The data will be subjected to a hash function, which will generate an arbitrary hash value H1 and append it to the data. The same hash function is applied to the data by Host ‘B upon receiving the packet, yielding a hash value of H2. Therefore, if H1 = H2, it indicates that the contents were not altered, and that the data's integrity was preservedAvailal ty ‘This means that the network should be readily available to its users. This applies to systems and to data, To ‘ensure availability, the network administrator should maintain hardware, make regular upgrades, have a plan for fail-over, and prevent bottlenecks ina network, Attacks such as DoS or DDoS may render a network Unavailable as the resources of the network get exhausted, The impact may be significant to the companies and users who rely on the network as a business tool. Thus, proper measures should be taken to pravent such attacks Privacy Information privacy or data privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal issues surrounding them, Personally identifiable information (Pll), as used in information security, refers to information that can be used to uniquely ident ify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual “The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information." Privacy concems in cloud computing encompass various aspects: I. Access: Users have a right to access and control their personal information, but ensuring this in the cloud can be challenging, particularly regarding data deletion 2 Compliance: Cloud computing raises questions about meeting privacy regulations and laws that can vary across jurisdictions. Determining the governing jurisdiction is crucial. 3. Storage: The location of data in the cloud and potential transfers between data centers can raise legal issues related to privacy and data transfer restrictions, 4 Retention: Cloud storage can lead to uncertainty about data retention policies, ownership, and enforcement. Managing exceptions like litigation holds is ertical Destruction: Ensuring the proper and complete destruction of personal data in the cloud is challenging due to data replication and potential data retention by the cloud service provider. 6 Audit and Monitoring: Organizations need to monitor their cloud service providers to ensure compliance with privacy requirements and provide assurance to stakeholders. 7. Privacy Breaches: Detecting and managing privacy breaches in the cloud, as well as determining liability and enforcing contractual agreements related to breaches, are important concems. Several laws and regulations gover privacy in cloud computing 1. General Data Protection Regulation (GDPR): Applies to the processing of personal data in the European Union, imposing strict data protection requirements on organizations, including cloud service providers,Health Insurance Portability and Accountability Act (HIPAA): Govems the security and privacy of healthcare data, including when it's stored in the cloud. California Consumer Privacy Act (CCPA): Provides California residents with rights regarding their personal information, affecting how businesses handle data in the cloud. Federal Risk and Authorization Management Program (FedRAMP): Ensures cloud providers meet security standards when working with U.S. federal agencies, Cloud Security Alliance (CSA): While not a law, it offers guidelines and best practices for securing data in the cloud. Privacy Shield (EU-U.S. Privacy Shield): Formerly allowed U.S. companies to transfer personal data from the EU but was invalidated in 2020; altemative mechanisms now apply. Authentication Authentication is the process of verifying the identity of a user or information. User authentication is the process of veriying the identity of a user when that user logs in to a computer system. ‘There are different types of authentication systems which are: - 1. Single-Factor authentication: - This was the first method of security that was developed. On this authentication system, the user has to enter the usemame and the password to confirm whether that user is logging in or not. Now if the username or password is wrong, then the user will not be allowed to log in or access the system. 2. Twofactor Authentication: -In this authentication system, the user has to give a usemame, password, and ‘other information, There are various types of authentication systems that are used by the user for securing the system. Some of them are: - wireless tokens and virtual tokens. OTP and more, 4, Multifactor authentication system: - In this type of authentication, more than one factor of authentication is needed. This gives better security to the user. Any type of keylogger or phishing attack will not be possible in a MultiFactor Authentication system. This assures the user, that the information will not get stolen from them Non-Repudiation Non-Repudiation is a concept in information security and cryptography that ensures the integrity and authenticity of digital communications or transactions. It prevents a party from denying the authenticity of their actions or the validity of a transaction they were involved in. In essence, non-repudiation provides evidence that a specific action was performed, and the party responsible for that action cannot later claim otherwise. Here are key aspects of non-repudiation: Digital Signatures: Non-repudiation is often achieved using digital signatures. When 2 party digitally signs a document or transaction, it binds their identity to that document. If the signature can be verified Using the signer's public key, it proves that the signer Is responsible for the action. Legal Validity: Non-repudiation has legal implications. A digitally signed document is considered legally binding in many jurisdictions. This means that parties involved in a digital transaction cannot later deny their involvement or the validity of the agreement. Audit Trails: To establish non~epudiation, systems typically maintain detailed audit logs. These logs record the actions taken by users and provide a traceable history of who did what, when, and with what data Use Cases: Non-repudiation is important in various scenarios, including electronic contracts, financial transactions, email communications, and any situation where the validity and authenticity of digital records are critical, ‘Access Control Access control is a security technique that regulates who or what can view or use resources in a computing ‘environment. It is a fundamental concept in security that minimizes tisk to the business or organization, ‘The main models of access control are the following: Identity-Based Access Control (IBAC): By using this model network administrators can more effectively manage activity and access based on individual requirements.Mandatory Access Control (MAC): A control model in which access rights are regulated by a central authority based on multiple levels of security. Security Enhanced Linux is implemented using MAC on the Linux operating system. Role-Based Access Control (RBAC): RBAC allows access based on the job title. RBAC eliminates discretion on a large scale when providing access to objects. For example, there should not be Permissions for human resources specialist to create network accounts, Rule-Based Access Control (RAC): RAC method is largely context based. Example of this would be only allowing students to use the labs during a certain time of day. Defense in Depth Defense in depth, a fundamental security strategy, involves deploying multiple layers of defense to protect systems and data. In the context of cloud security, defense in depth is crucial for mitigating various threats and ensuring @ comprehensive security posture. Here's an overview of defense in depth principles as applied to cloud security: a h Network Security: ‘+ Firewalls: Implementing firewalls at different levels, such as perimeter firewalls, subnet firewalls, and host-based firewalls, helps control and monitor incoming and outgoing traffic. + Virtual Private Clouds (VPCs): Utilizing VPCs with proper network segmentation adds an additional layer of protection by isolating different parts of the infrastructure. Identity and Access Management (IAM): ‘+ Strong Authentication: Enforcing strong authentication mechanisms, including multi-factor authentication (MFA), adds an extra layer of protection against unauthorized access: + Role-Based Access Control (RBAC): Implementing RBAC ensures that users and systems have the least privilege necessary for their roles, reducing the impact of potential breaches. Data Encryption: ‘+ Encryption at Rest: Applying encryption to stored data protects it from unauthorized access. Cloud providers often offer services to enable encryption at rest for databases, storage, and other data repositories. + Encryption in Transit: Encrypting data during transmission over networks prevents eavesdropping and manin-the-middle attacks, Least Privilege ‘The principle of least privilege (PoLP) is a fundamental concept in cloud security that emphasizes restricting User and system permissions to the minimum levels necessary for performing specific tasks or accessing particular resources. This principle is designed to minimize the potential damage caused by accidental mishandling or intentional misuse of privileges within a computing environment, ‘The principle of least privilege: Minimizes the attack surface, diminishing avenues a malicious actor can use to access sensitive data or any out an attack by protecting superuser and administrator privileges. Reduces malware propagation by not allowing users to install unauthorized applications. Improves operational performance with reductions in system downtime that might otherwise occur because of a breach, malware spread or incompatibility issues between applications. Safeguards against human error that can happen through mistake, malice or negligence.How these concepts (Confidenti access control, defense in depth, least pr lity, privacy egrity, authentication, non-epud lege) apply in the cloud? ion, availability, Confident ity: ‘+ Inthe cloud, data contidentiality is preserved through encryption mechanisms, both in transit and at rest. Cloud providers olten ol ler services Tor encrypting data, ensuring that only authorized parties can access and decipher sensitive inl ormation. 2, Privacy: + Privacy in the cloud involves adhering to data protection regulations and policies. Cloud users must be assured that their personal inlormation is handled securely. Cloud providers typically implement robust privacy controls and compliance measures to protect user data. 3, Integrity: + Cloud environments ensure data integrity by employing measures such as checksums, hashing, and digital signatures. This helps guarantee that data remains unchanged and uncorrupted during storage, transmission, and processing. 4, Authentication: + Cloud services use authentication mechanisms to verily the identity o1 users and systems. Multi actor authentication (MFA) is olten implemented to enhance identity verilication. This ensures that only authorized individuals or systems can access cloud resources 5. Kon-epudiation: ‘+ Non-repudiation is maintained in the cloud through mechanisms like digital signatures and audit trails, These measures help establish the authenticity 01 actions, making it dif licult lor users to deny their involvement in specilic transactions or activities. 6, Availability: ‘+ Cloud providers emphasize high availability through redundancy, lailover mechanisms, and distributed architectures, Service Level Agreements (SLAs) deline the availablity commitments, ensuring that users have access to their resources and data when needed, 1, Access Control: + Access control in the cloud is managed through Identity and Access Management (AM) services. Users are granted specilic roles and permissions, Jollowing the principle 01 least privilege. This ensures that access is restricted to what is necessary Tor users to perlorm their tasks. 8, Defense in Depth: + Cloud security employs delense in depth by layering mulkiple security measures. This includes nnewwork security, identity and access controls, encryption, regular audits, and other protective measures. The goal is to create a resilient securty posture that can withstand diverse and evolving threats. 9, Least Privilege: + Least privilege is crucial in cloud security to minimize the impact 01 potential security breaches. Users and systems are granted only the minimum permissions necessary lor their Tunctions, reducing the risk 01 unauthorized access and limiting the potential damage in case ol a security incident 10, Data Encryption: + Encryption is widely used in the cloud to protect data both at rest and in transit, This ensures that even il unauthorized access occurs, the data remains unreadable without the proper decryption keys.Cryptography Cryptography is the practice and study o1 techniques lor securing communication and inlormation Irom adversaries. It involves the use ol mathematical algorithms to translorm data into a lormat that is uninteligible without the appropriate knowledge or key. Symmetric Cryptography Symmetric cryptography, also known as secret-key or shared-key cryptography, is a cryptographic approach where the same key is used Tor both the encryption and decryption o1 the data. In symmetric-key cryptography, the entities involved in communication (Sender and receiver) share a common secret key that must be Kept conlidential. This shated key is used to perlorm both the encryption and the corresponding decryption 01 the inl ormation. Symmetric—key algorithms are generally Taster and computationally more elicient than their asymmetric counterparts. ‘AES (Advanced Encryption Standard) and DES (Data Encryption Standard) are both symmetric key block cipher algorithms used lor encrypting and decrypting data. However, they dil ler in terms ol key length, block size, and overall security. DES (Bata Encryption Standard) + Key Length: DES uses a lixed key length o1 56 bits + Block Size: DES operates on 64-bit blocks 01 data, + Operation: DES uses a Feistel network structure, which involves multiple rounds ol permutation and substitution operations on the data. ‘+ Rounds: DES typically uses 16 rounds ol processing lor each block o1 data, + Security Concems: DES was considered secure when it was lirst introduced in the 1970s, but as computational power increased, its vulnerability to brute—lorce attacks became apparent. By the late 1990s, DES was considered obsolete Tor many applications due to its short key length. 2. AES (Advanced Encryption Standard): + Key Length: AES supports key lengths o1 128, 192, or 256 bits. + Block Size: AES operates on 128-bit blocks o} data. ‘+ Operation: AES uses a substitution—permutation network (SPN) structure. It consists o1 multiple rounds o1 substitution, permutation, and mixing operations. + Rounds: The number ol rounds in AES depends on the key length: 10 rounds for 128-bit keys, 12 rounds lor 192-bit keys, and 14 rounds lor 256-bit keys. ‘+ Security: AES is considered more secure than DES, especially when using longer key lengths. It has withstood extensive cryptanalysis and is widely used lor various cryptographic applications Example AES (Advanced Encryption Standard) is a widely used symmetric—key algorithm. it supports key sizes ol 128, 192, or 256 bits, making it suitable lor various security requirements iphers In stream cipher, one byte is encrypted at a time while in block cipher ~I28 bits are encrypted at a time. Initially, a key(k) will be supplied as input to pseudorandom bit generator and then it produces a random 8-bit output which is treated as keystream. The resulted keystream will be of size I byte, ie., 8 bits 1. Stream Cipher lollows the sequence ol pseudorandom number stream, 2. One ol the benelits oF lollowing stream cipher is to make cryptanalysis more dil licult, so the number o1 bits chosen in the Keystream must be long to make cryptanalysis more dil licult, 3. By making the key longer it is also sale against brute lorce attacks. 4 The longer the key the stronger security is achieved, preventing any attackExample — Cipher Text: olollolo Keystream: 11000011 Plain Text: 10011001 Decryption is just the reverse process 01 Encryption ie., perlorming XOR with Cipher Text. et ey Pain Ton T | (coher) ‘ —Eneryption —pecryption — Diagram of Stream Cipher Block Ciphers Block cipher is an encryption algorithm that takes a Tixed size o1 input say b bits and produces a ciphertext o1 b bits again. I! the input is larger than b bits it can be divided Turther, For dil lerent applications and uses, there are several modes 01 operations lor a block cipher. Electronic Code Book (ECB) - Electronic code book is the easiest block cipher mode 01 lunctioning. tis easier because ol direct encryption 01 each block o1 input plaintext and output is in Torm ol blocks o1 encrypted ciphertext. Generally, il a message is larger than b bits in size, it can be broken down into a bunch o1 blocks and the procedure is repeated. Procedure 01 ECB is illustrated. below:a: Cipher Block Chaining ~ CCipher block chaining or CBC is an advancement made on ECB since ECB compromises some security requirements In CBC, the previous cipher block is given as input to the next encryption algorithm alter XOR with the original plaintext block. In a nutshell here, a cipher block is produced by encrypting an XOR output of the previous cipher block and present plaintext block. ‘The process is illustrated here: Cipher Feedback Mode (CFB) ~ In this mode the cipher is given as Teedback to the next block 01 encryption with some new specilications: rst, an initial vector Vis used lor Tirst encryption and output bits are divided as a set ol s and b-s bits. The lelt-hand side s bits are selected along with plaintext bits to which an XOR operation is applied. The result is given as input to a shilt register having b-s bits to Ihs.s bits to rhs and the process continues. The encryption and decryption process Jor the same is shown below, both ol them use encryption algorithms. [ chess ae lao | i Output Feedback Mode - The output leedback mode lollows nearly the same process as the Cipher Feedback mode except that it sends the enctypted output as leedback instead ol the actual cipher which is XOR output. In this output leedback mode, all bits 1 the block are sent instead ol sending selected sbits. The Outout Feedback mode ol block cipher holds great resistance towards bit transmission errors. It also decreases the dependency or relationship 01 the cipher on the plaintext.Counter Mode — The Counter Mode or CTR is a simple counter-based block cipher implementation. Every time a counter-initiated value is enctypted and given as input to XOR with plaintext which results in ciphertext block. The CTR mode is Independent 01 leedback use and thus can be implemented in parallel. Its simple implementation is shown below: fl Public Key Cryptography Public Key Cryptography, also known as asymmetric ctyptography, is a cryptographic system that uses pairs 01 keys: public keys and private keys. This system enables secure communication and authentication between parties, even iT they have never met belore or shared a secret key previously. Public key cryptography is widely used in various security protocols, including securing intemet communications, digital signatures, and encrypting sensitive data, RSA Rivest-Shamir-Adleman}, DSA (Digital Signature Algorithm), and ECC (Elliptic Curve Cryptography) are cryptographic algorithms used lor dil lerent purposes, including public-key encryption and digital signatures. Here's an explanation o1 each L_RSA (Rivest-Shamir-Adleman): + Type: RSA is a public-key encryption algorithm + Key Generation: RSA involves the generation 01 a pair ol keys: a public key and a private key. The public key is used Tor encryption, while the private key is used lor decryption ‘+ Mathematical Basis: RSA’s security is based on the dilTicully o1 Tactoring large composite numbers Into their prime lactors. The security o1 RSA relies on the practical Impossibility o1 Tactoring the product 01 two large prime numbers + Usas RSA is widely used Jor secure data transmission, digital signatures, and key exchange protocols. It Is considered secure when used with sul iciently large key sizes. 2. DSA (Digital Signature Algorithm) + Type: DSA is a digital signature algorithm: + Key Generation: DSA also involves the generation o1 a pair o1 keys: a private key Tor signing and a corresponding public key lor signature verilication+ Mathematical Basis: DSA relies on the discrete logarithm problem lor its security. The algorithm Uses a group ol prime order, and the security is based on the dil licuty 01 computing discrete logarithms in this group. ‘+ Usage: DSA is commonly used Jor digital signatures in various security protocols, signatures lor certilicates in public Key inirastructure (PKI) systems. ECC (Elliptic Curve Cryptography): + Type: ECC can be used Jor both public-key encryption and digital signatures. + Key Generation: ECC uses elliptic curves over Tinite lields to generate key pairs. The security o1 ECC is based on the dil liculty 0! the elliptic curve discrete logarithm problem. + Advantages: ECC provides strong security with shorter key lengths compared to traditional algorithms like RSA. This makes ECC particularly attractive lor resource—constrained environments, such as mobile devices and embedded systems including digital + Usage: ECC Is increasingly used in applications where eliciency and smaller key sizes are crucial, such as in mobile communication, loT (Intemet 01 Things), and digital signatures. Hashing Hashing is @ process o1 converting input data (olten relerred to as a *message’) into a lixed-size string ol characters, which is typically a hexadecimal number. The output, known as the hash value or hash code, is generated by a hash lunction. Hash Tunctions are designed to be last and el licient, and they should produce a unique hash value lor each unique input. ‘There are majorly three components ol hashing: 1. Key: A Key can be anything string or integer which is led as input in the hash lunction the technique that determines an index or location Tor storage 01 an item in a data structure 2 Hash Function: The hash function receives the input key and retums the index ol an element in an array called hash table. The index is known as the hash index. 3. Hash Table: Hash table is a data structure that maps Keys to values using a special Tunction called a hash lunction. Hash stores the data in an associative manner in an array where each data value has its own unique index. key Hash Function Hash Table Components of Hashing Popular hash lunctions include MDS (Message Digest Algorithm 5), SHA-I Gecure Hash Algorithm 1), and the SHA-2 lamily (which includes SHA-256, SHA-384, and SHA-SI2), SHA-3 is another notable hash lunction. When considering security, i's important to use ahash Tunction that is currently considered secure and resistant to attacks. What is Collision? The hashing process generates a small number lor a big key, so there is a possibilty that two keys could produce the same value, The situation where the newly inserted key maps to an already occupied, and it must be handled using some collision handling technology.Digital Signatures AA digital signature is a mathematical technique which validates the authenticity and integrity of a message, software or digital documents. It allows us to verify the author's name, date and time of signatures, and authenticate the message contents. The digital signature offers far more inherent security and intended to solve the problem of tampering and impersonation (Intentionally copy another person's characteristics) in digital communications Digital signature consists of three algorithms: 1. Key generation algorithm ‘The key generation algorithm selects private key randomly from a set of possible private keys. This algorithm provides the private key and its comesponding public key. 2. Signing algorithm A signing algorithm produces a signature for the document. 3. Signature verifying algorithm. A signature verifying algorithm either accepts or rejects the document's authenticity ‘The steps which are followed in creating 2 digital signature are: I. Select file to be digitally signed, 2. The hash value of the message or file content is calculated. This message or file content is encrypted by using a private key of a sender to form the digital signature. Now, the original message or file content along with the digital signature is transmitted. The receiver decrypts the digital signature by using a public key of a sender. The receiver now has the message or file content and can compute it Comparing these computed message or file content with the original computed message. The comparison needs tobe the same for ensuring integrity Public Key Infrastructure Public key infrastructure or PKtis the governing body behind issuing digital certificates. It helps to protect, confidential data and gives unique identities to users and systems. Thus, it ensures security in communications, ‘The public key infrastructure uses a pair of keys: the public key and the private key to achieve security. The public keys are prone to attacks and thus an intact infrastructure is needed to maintain them. Public Key Infrastructure: Public key infrastructure affirms the usage of a public key. PKI identifies a public key along with its purpose. It Usually consists of the following components: + A digital certificate also called a public key certificate. + Private Key tokens ‘© Registration authority + Certification authority + CMS or Cettiication management system Working on a PKI + PKI and Encryption: The root of PKI involves the use of cryptography and encryption techniques. Both symmetric and asymmetric encryption uses a public key. The challenge here is - “how do you know that the public key belongs to the right person or to the person you think it belongs to’ always a risk of MITM (Man in the middle). This issue is resolved by @PKI using digital certificates. It ives identities to keys to make the verification of owners easy and accurate. + Public Key Certificate or Digital Certificate: Digital certificates are issued to people and electronic systems to uniquely identify them in the digital world, Here are a few noteworthy things about a digital certificate. Digital certificates are also called X.509 certificates. This is because they are based on the ITU standard X.509. ‘There is‘+ The Certification Authority (CA) stores the public key of a user along with other information about the client in the digital certficate. The information is signed, and a digital signature is, also included in the certificate. ‘+The affirmation for the public key then thus be retrieved by validating the signature using the public key of the Certification Authority. + Certifying Authorities: A CA issues and verifies certificates. This authority makes sure that the information in a certificate is real and correct and it also digitally signs the certificate. A CA or Certifying Authority performs these basic roles: ‘+ Generates. the key pairs - This key pair generated by the CA can be either independent or in collaboration with the client. ‘+ Issuing of the digital certificates - When the client successfully provides the right details about his identity, the CA issues a certificate to the client. Then CA further signs this certificate digitally so that no changes can be made to the information ‘+ Publishing of certificates - The CA publishes the certificates so that the users can find them. They can do this by either publishing them in an electronic telephone directory or by sending them out to other people. + Verification of certificate - CA gives a public key that helps in verifying if the access attempt is authorized or not. ‘+ Revocation - In case of suspicious behaviour of a client or loss of trust in them, the CA has the power to revoke the digital certificate. Classes of a Digital Certificate: A digital certificate can be divided into four broad categories. These are: + Class 1: These can be obtained by only providing the email address. + Class 2: These need more personal information. ‘+ Class 3: This first checks the identity of the person making a request, + Class 4: They are used by organizations and govemments, Process of creation of cattificate: ‘The creation of a certificate takes place as follows: ‘+ Private and public keys are created, ‘+ CA requests identifying attributes of the owner of a private key. ‘Public key and attributes are encoded into a CSR or Certificate Signing Request. + Key owner signs that CSR to prove the possession of a private key. + CA signs the certificate after validation, Key Management In cryptography, itis a very tedious task to distribute the public and private keys between sender and receiver. Ifthe key is known to the third party (forgerfeavesdropper) then the whole security mechanism becomes worthless. So, there comes the need to secure the exchange of keys. There are two aspects for Key Management: 1. Distribution of public keys, 2. Use of public-key encryption to distribute secrets Distribution of Public Key: ‘The public key can be distributed in four ways: 1. Public announcement 2 Publicly available directory 3, Public-key authority 4 Public-key certificates. These are explained as following below:4. Public Announcement: Here the public key is broadcasted to everyone. The major weakness of this method is a forgery. Anyone can create a key claiming to be someone else and broadcast it. Until forgery is discovered ‘can masquerade as claimed user. +CRecipient 3 Publi Key Announcement 2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories are trusted here, with properties like Participant Registration, access and allow tomodify values at any time, contains entries ike {name, public key}, Directories can be accessed electronically still vulnerable to forgery or tampering 3. Public Key Authority: It is Ike the directory but, improves security by tightening control over the distribution of keys from the directory. It requires users to know the public key for the directory. Whenever the keys are needed, real-time access to the directory is made by the user to obtain any desired public key securely. 4, Public Certification: This time authority provides a certificate (which binds an identity to the public key) to allow key exchange without real-time access to the public authority each time. The certificate is accompanied by some other info such as period of validity, rights of use, etc. All this content is signed by the private key of the certificate authority, and it can be verified by anyone possessing the authority's public key. First sender and receiver both request CA for a certificate which contains a public key and other information and then they can exchange these certificates and can start communication. X.509 certificates X.509 is a standard that defines the format of public key certificates. These certificates are used in various security protocols to establish the authenticity of entities in a networked environment. X.509 certificates are ‘commonly associated with the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, which are used to secure communication over the internet, ‘The X.509 certificate is defined by the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T). ‘The X.509 standard is based on Abstract Syntax Notation One, an interface description language. An X.509 certificate contains an identity and a public key. It binds an identity ~ such as an individual or hostname — to a public key with a digital signature. The signature is either made by a trusted certificate authority (CA) or is self-signed. Some digital certificates can also be automated ‘The first X.509 certificates were issued in 1988 as part of the ITU-T and the X.500 directory services standard. ‘The current version, version 9, was defined in October 2019, X.509 certificate fields ‘An X.509 certificate contains information about the identity to which the certificate is issued and the identity that issued il, Standard information in an X.509 certificate includes the following: + Version. Which X.509 version applies to the certificate, indicating what data the certificate must include. + Serial number. The CA creating the certificate must assign it a serial number that distinguishes the CA certificate from other certificates.+ Issuer distinguished name. The name of the entity issuing the certificate — usually, the CA, + Validity period of the certificate. The start and end date, as well as the time the certificate is valid and can be trusted, + Subject distinguished name. The name to which the certificate is issued ‘+ Subject public key information. The public key associated with the identity. ‘+ Extensions (optional). Extensions have their own unique IDs, expressed as a set of values called an object identifier. An extension can be rejected if itis not recognized or if the extension has Information that can't be processed. Applications of X.509 certificates Common applications of X.509 certificates include the following: + Digital identities. A key use of X.509 certificates can be to authenticate the digital identities of devices, people, data and applications. + TLSISSL and web browser security. PKI and X.509 are the basis for the Transport Layer Secully (TLS) and Secure Sockets Layer (SSL) protocols. Web browsers read the X.509 certificate of a webpage to verify its TLS/SSL. status, OpenssL. OpenSSL is a widely used open-source software library that provides a set of cryptographic functions and protocols. Itwas initially developed in 1998 by the OpenSSL Project, a collaborative effort to develop a full - featured, open-source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, OpenSSL is written in the C programming language and is available for various operating systems, including Unix, Linux, Windows, and macOS. Key features and components of OpenSSL include’ 1. Cryptography Functions: OpenSSL provides @ comprehensive set of cryptographic functions, including encryption, decryption, digital signatures, message digests, and more. These functions can be used to implement secure communication and data protection in applications. 2. SSLITLS Support: OpenSSL supports the SSL and TLS protocols, which are crucial for securing communication over networks such as the internet. SSL and TLS provide encryption and authentication mechanisms to ensure the confidentiality and integrity of data transmitted between clients and servers, 3. Certificates and Public Key Infrastructure (PKI): OpenSSL supports X.509 certificates, a standard format for public key certificates. It allows users to generate, manage, and verify digital certificates, facilitating the establishment of a Public Key Infrastructure (PKI) 4 Command-Line Tools: OpenSSL includes a set of command-line tools that allow users to perform various cryptographic operations, such as creating and managing key pairs, generating certificate signing requests (CSRs), and enctypting/decrypting data. 5. Random Number Generation: Secure random number generation is a critical aspect of cryptographic systems. OpenSSL. provides functions for generating random numbers, which are essential for creating cryptographic keys and nonces. 6 Hash Functions: OpenSSL supports a variety of hash functions, including MDS, SHA-1, and SHA-256, which ate used for creating message digests and ensuring data integrity, 7. Compatibility: OpenSSL is widely used in various software applications and libraries. Many web servers, including Apache and Nginx, use OpenSSL for implementing SSLITLS suppor. Additionally, humerous programming languages and frameworks provide bindings or interfaces to OpenSSL. 8 License: OpenSSL is released under the OpenSSL License, which is a permissive open-source license. This allows developers to use, modify, and distribute the software with relatively few restrictions.