Message Integrity and Security System
This document provides administrator guidance on how to set up and configure security systems in several scenarios. It is not meant as a replacement for the Message Integrity and Security Information Configuration Guide, but rather as a more generally applicable hardening guide that applies to a much broader range of specific systems, which may include or exclude services specified in the security configuration.
1.2 Project brief:
The Common Criteria is designed for general purpose systems that specifically need to be compliant with the Common Criteria evaluation requirements and sacrifices some usability to do so. This document is designed to provide more generic guidance for a wider range of specific system classes, without necessarily trading off basic operating system functionality. The recommendations in this document are generally chosen to safely allow all customers to deploy the recommended settings on existing security systems, not just on newly built systems. We have also reviewed the default permissions on BUET and recommended those permissions here where they did not break our existing security services.
2.1 Message Integrity:
Message integrity means that the data must arrive at the receiver exactly as they were sent. There must be no changes during the transmission, neither accidentally nor maliciously. As more and more monetary exchanges occur over the internet, integrity is crucial. For example it would be disastrous if a request for transferring $1000 changed to a request for $100,000. The integrity of the message must be preserved in a secure communication.
2.1 Document and fingerprint:
One way to preserve the integrity of a document is through the use of a fingerprint. If an owner needs to be sure that the contents of her document will not be illegally changed, she can put her fingerprint at the bottom of the document. Eve cannot modify the contents of this document or create a false document because she cannot forge the owner’s fingerprint. To ensure that the document has not been changed, the owner’s fingerprint on the document can be compared to the owner’s fingerprint on file. If they are not the same, the document is not from the owner.
2.2 Message and Message Digest:
The electronic equivalent of the document and fingerprint pair is the message and message digest pair. To preserve the integrity of a message, the message is passed through an algorithm called a hash function. The hash function creates a compressed image of the message that can be used as a fingerprint.
2.3 Creating and Checking the Digest:
The message digest is created at the sender site and is sent with the message to the receiver. To check the integrity of a message, or document, the receiver runs the hash function again and compares the new message digest with the one received. If both are the same, the receiver is sure that the original message has not been changed. Of course, we are assuming that the digest has been sent secretly.
Figure 2.1 Message Digest or hash
3.1 Security Services and Mechanisms:
A security service is the collection of mechanisms, procedures and other controls that are implemented to help reduce the risk associated with a threat. For example, the identification and authentication service helps reduce the risk of the unauthorized user threat. Some services provide protection from threats, while other services provide for detection of the threat occurrence. An example of this would be a logging or monitoring service. The following services will be discussed in this section:
Figure 3.1 Communication Security Services
3.2 Identification and authentication:
Identification and authentication is the security service that helps ensure that the LAN is accessed by only authorized individuals. The first step toward securing the resources of a LAN is the ability to verify the identities of users. The process of verifying a user’s identity is referred to as authentication.
This service provides the basis for the effectiveness of other controls used on the LAN. For example, the logging mechanism provides usage information based on the userid. The access control mechanism permits access to LAN resources based on the userid. Both these controls are only effective under the assumption that the requestor of a LAN service is the valid user assigned to that specific userid.
It requires the user to be known by the LAN in some manner. This is usually based on an assigned userid. However, the LAN cannot trust that the user is in fact who the user claims to be without the user being authenticated. The authentication is done by having the user supply something that only the user has, such as a token, something that only the user knows, such as a password, or something that makes the user unique, such as a fingerprint. The more of these that the user has to supply, the less risk of someone masquerading as the legitimate user.
A requirement specifying the need for authentication should exist in most LAN policies. The requirement may be directed implicitly in a program level policy stressing the need to effectively control access to information and LAN resources, or may be explicitly stated in a LAN specific policy that states that all users must be uniquely identified and authenticated.
On most LANs, the identification and authentication mechanism is a userid/password scheme. States that “password systems can be effective if managed properly but seldom are. Authentication which relies solely on passwords has often failed to provide adequate protection for systems for a number of reasons. Users tend to create passwords that are easy to remember and hence easy to guess. On the other hand users that must use passwords generated from random characters, while difficult to guess, are also difficult to be remembered by users.
This forces the user to write the password down, most likely in an area easily accessible in the work area”. Research works such as detail the ease at which passwords can be guessed.
Proper password selection (striking a balance between being easy-to-remember for the user but difficult-to-guess for everyone else) has always been an issue. Password generators that produce passwords consisting of pronounceable syllables have more potential of being remembered than generators that produce purely random characters. Password checkers are programs that enable a user to determine whether a new password is considered easy-to-guess, and thus unacceptable.
Password-only mechanisms, especially those that transmit the password in the clear (in an unencrypted form), are susceptible to being monitored and captured. This can become a serious problem if the LAN has any uncontrolled connections to outside networks. Agencies that are considering connecting their LANs to outside networks, particularly the Internet, should examine before doing so. If, after considering all authentication options, LAN policy determines that password-only systems are acceptable, the proper management of password creation, storage, expiration and destruction becomes all the more important.
A smartcard based or token based mechanism requires that a user be in possession of the token and additionally may require the user to know a PIN or password. These devices then perform a challenge/response authentication scheme using real-time parameters. Using real-time parameters helps prevent an intruder from gaining unauthorized access through a login session playback. These devices may also encrypt the authentication session, preventing the compromise of the authentication information through monitoring and capturing.
LAN devices, workstations, or PCs that require user authentication to unlock can be useful to users who must leave their work areas frequently. These locks allow users to remain logged into the LAN and leave their work areas (for an acceptably short period of time) without exposing an entry point into the LAN.
Modems that provide users with LAN access may require additional protection. An intruder that can access the modem may gain access by successfully guessing a user password. The availability of modem use to legitimate users may also become an issue if an intruder is allowed continual access to the modem.
Mechanisms that provide a user with his or her account usage information may alert the user that the account was used in an abnormal manner (e.g. multiple login failures). These mechanisms include notifications such as date, time, and location of last successful login, and number of previous login failures. The type of security mechanisms that could be implemented to provide the identification and authentication service are listed below.
• Password based mechanism,
• Smartcards/smart tokens based mechanism,
• Biometrics based mechanism,
• User notification of ’last successful login’ and ’number of login failures’,
• Real-time user verification mechanism,
• Cryptography with unique user keys.
Access control is the security service that helps ensure that LAN resources are being utilized in an authorized manner.
This service protects against the unauthorized use of LAN resources, and can be provided by the use of access control mechanisms and privilege mechanisms. Most file servers and multi-user workstations provide this service to some extent. However, PCs which mount drives from the file servers usually do not. Users must recognize that files used locally from a mounted drive are under the access control of the PC. For this reason it may be important to incorporate access control, confidentiality and integrity services on PCs to whatever extent possible. Appendix C highlights some of the concerns that are inherent in the use of PCs.
Figure 3.2 Access Control
3.3.1 Mandatory access control:
Access control can be achieved by using discretionary access control or mandatory access control. Discretionary access control is the most common type of access control used by LANs. The basis of this kind of security is that an individual user, or program operating on the user’s behalf is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user’s control.
3.3.2 Discretionary access control:
Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user’s trust level or clearance and the sensitivity designation of the information.
3.3.3 Access control mechanisms:
Access control mechanisms exist that support access granularity for acknowledging an owner, a specified group of users, and the world (all other authorized users). This allows the owner of the file (or directory) to have different access rights than all other users, and allows the owner to specify different access rights for a specified group of people, and also for the world. Generally access rights allow read access, write access, and execute access. Some LAN operating systems provide additional access rights that allow updates, append only, etc.
3.3.4 Access control list:
A LAN operating system may implement user profiles, capability lists or access control lists to specify access rights for many individual users and many different groups. Using these mechanisms allows more flexibility in granting different access rights to different users, which may provide more stringent access control for the file (or directory). (These more flexible mechanisms prevent having to give a user more access than necessary, a common problem with the three level approach.) Access control lists assign the access rights of named users and named groups to a file or directory. Capability lists and user profiles assign the files and directories that can be accessed by a named user.
User access may exist at the directory level, or the file level. Access control at the directory level places the same access rights on all the files in the directory. For example, a user that has read access to the directory can read (and perhaps copy) any file in that directory. Directory access rights may also provide an explicit negative access that prevents the user from any access to the files in the directory.
Some LAN implementations control how a file can be accessed. (This is in addition to controlling who can access the file.) Implementations may provide a parameter that allows an owner to mark a file sharable, or locked. Sharable files accept multiple accesses to the file at the same time.
A locked file will permit only one user to access it. If a file is a read only file, making it sharable allows many users to read it at the same time. These access controls can also be used to restrict usage between servers on the LAN. Many LAN operating systems can restrict the type of traffic sent between servers. There may be no restriction, which implies that all users may be able to access resources on all servers (depending on the user’s access rights on a particular server). Some restrictions may be in place that allow only certain types of traffic, for example only electronic mail messages, and further restrictions may allow no exchange of traffic from server to server. The LAN policy should determine what types of information need to be exchanged between servers. Information that is not necessary to be shared between servers should then be restricted.
Privilege mechanisms enable authorized users to override the access permissions, or in some manner legally bypass controls to perform a function, access a file, etc. A privilege mechanism should incorporate the concept of least privilege: “a principle where each subject in a system be granted the most restrictive set of privileges needed for the performance of an authorized task.”
For example, the principle of least privilege should be implemented to perform the backup function. A user who is authorized to perform the backup function needs to have read access to all files in order to copy them to the backup media.
The user is granted a ’privilege’ to override the read restrictions on all files in order to perform the backup function. The more granular the privileges that can be granted, the more control there is in not having to grant excessive privilege to perform an authorized function. For example, the user who has to perform the backup function does not need to have a write override privilege, but for privilege mechanisms that are less granular, this may occur. The types of security mechanisms that could be implemented to provide the access control service are listed below.
• Access control mechanism using access rights (defining owner, group, world permissions).
• Access control mechanism using access control lists, user profiles, capability lists.
• Access control using mandatory access control mechanisms (labels).
• Granular privilege mechanism.
Data and message confidentiality:
Data and message confidentiality is the security service that helps ensure that LAN data, software and messages are not disclosed to unauthorized parties.
Figure: 3.3 Data and message confidentiality
The data and message confidentiality service can be used when the secrecy of information is necessary. As a front line protection, this service may incorporate mechanisms associated with the access control service, but can also rely on encryption to provide further secrecy protection.
Encrypting information converts it to an unintelligible form called ciphertext; decrypting converts the information back to its original form. Sensitive information can be stored in the encrypted, ciphertext, form. In this way, if the access control service is circumvented, the file may be accessed but the information is still protected by being in encrypted form. The use of encryption may be critical on PCs that do not provide an access control service as a front line protection. It is very difficult to control unauthorized access to LAN traffic as it is moved through the LAN.
For most LAN users, this is a realized and accepted problem. The use of encryption reduces the risk of someone capturing and reading LAN messages in transit by making the message unreadable to those who may capture it. Only the authorized user who has the correct key can decrypt the message once it is received.
A strong policy statement should dictate to users the types of information that are deemed sensitive enough to warrant encryption. A program level policy may dictate the broad categories of information that need to be stringently protected, while a system level policy may detail the specific types of information and the specific environments that warrant encryption protection.
At whatever level the policy is dictated, the decision to use encryption should be made by the authority within the organization charged with ensuring protection of sensitive information. If a strong policy does not exist that defines what information to encrypt, then the data owner should ultimately make this decision.
Cryptography can be categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. If encryption of sensitive but unclassified information (except Warner Amendment information) is needed, the use of the Data Encryption Standard (DES) is required unless a waiver is granted by the head of the federal agency. The DES is a secret key algorithm used in a cryptographic system that can provide confidentiality. The implementation of the DES algorithm in hardware, software, firmware or some combination. For an overview of DES, information addressing the applicability of DES, and waiver procedures.
3.5.2 Public key cryptography:
Public key cryptography is a form of cryptography that makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key.
In a public key crypto system, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret. An example for providing confidentiality is as follows: two users, Scott and Jeff, wish to exchange sensitive information, and maintain the confidentiality of that information. Scott can encrypt the information with Jeff’s public key. The confidentiality of the information is maintained since only Jeff can decrypt the information using his private key.
Public key technology, in the form of digital signatures, can also provide integrity and non-repudiation. This will be discussed in Section Data Integrity.
Security Requirements for Cryptographic Modules should be used by agencies to specify the security requirements needed to protect the equipment that is used for encryption. This standard specifies requirements such as authentication, physical controls and proper key management for all equipment that is used for encryption. Systems that implement encryption in software have additional requirements placed on them. LAN servers, PCs, encryption boards, encryption modems, and all other LAN and data communication equipment that has an encryption capability. The types of security mechanisms that could be implemented to provide the message and data confidentiality service are listed below.
3.6 Service Type:
Data Confidentiality/Disclosure Protection
Traffic Flow Confidentiality
• File and message encryption technology,
• Protection for backup copies on tapes, diskettes, etc,
• Physical protection of physical LAN medium and devices,
• Use of routers that provide filtering to limit broadcasting (either by blocking or by masking message contents).
Data and message integrity:
Data and message integrity is the security service that helps ensure that LAN data, software and messages are not modified by unauthorized parties.
Figure: 3.4 Message Integrity
The data and message integrity service helps to protect data and software on workstations, file servers, and other LAN components from unauthorized modification. The unauthorized modification can be intentional or accidental. This service can be provided by the use of cryptographic checksums, and very granular access control and privilege mechanisms. The more granular the access control or privilege mechanism, the less likely an unauthorized or accidental modification can occur.
3.7.1 The data and message integrity service:
Also helps to ensure that a message is not altered, deleted or added to in any manner during transmission. (The inadvertent modification of a message packet is handled through the media access control implemented within the LAN protocol.) Most of the security techniques available today cannot prevent the modification of a message, but they can detect the modification of a message (unless the message is deleted altogether).
3.8 Message Authentication Code:
The use of checksums provides a modification detection capability. A Message Authentication Code (MAC), a type of cryptographic checksum, can protect against both accidental and intentional, but unauthorized, data modification. A MAC is initially calculated by applying a cryptographic algorithm and a secret value, called the key, to the data. The initial MAC is retained. The data is later verified by applying the cryptographic algorithm and the same secret key to the data to produce another MAC; this MAC is then compared to the initial MAC. If the two MACs are equal, then the data is considered authentic. Otherwise, an unauthorized modification is assumed. Any party trying to modify the data without knowing the key would not know how to calculate the appropriate MAC corresponding to the altered data. Computer Data Authentication defines the Data Authentication Algorithm, based on the DES, which is used to calculate the MAC.
Figure: 3.5 Message Authentication Code
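The difference between the plain digest of Section 2.3 and the MAC described above, as an added example that is not part of the original document. It uses SHA-256 and HMAC-SHA-256 from the Python standard library in place of the DES-based Data Authentication Algorithm; the key and the transfer messages are constructed sample values.

```python
import hashlib
import hmac


def make_digest(message: bytes) -> bytes:
    """Unkeyed fingerprint of the message (Section 2.2)."""
    return hashlib.sha256(message).digest()


def digest_ok(message: bytes, received_digest: bytes) -> bool:
    """Receiver side of Section 2.3: recompute the digest and compare."""
    return hmac.compare_digest(make_digest(message), received_digest)


def make_mac(key: bytes, message: bytes) -> bytes:
    """Keyed cryptographic checksum: algorithm plus secret key applied to the data."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_ok(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Recompute the MAC with the same secret key and compare in constant time."""
    return hmac.compare_digest(make_mac(key, message), received_mac)


def run_cases() -> dict:
    # Constructed sample values, not taken from any real system.
    key = b"constructed-demo-key-shared-by-sender-and-receiver"
    sent = b"TRANSFER amount=1000 currency=USD"
    changed = b"TRANSFER amount=100000 currency=USD"

    digest = make_digest(sent)
    mac = make_mac(key, sent)

    return {
        # Message arrives exactly as sent: both checks accept it.
        "intact_digest": digest_ok(sent, digest),
        "intact_mac": mac_ok(key, sent, mac),
        # Message changed, original digest still attached: detected.
        "changed_msg_old_digest": digest_ok(changed, digest),
        # Digest travelled unprotected and was recomputed over the changed
        # message: the plain digest check accepts the modification. This is
        # why Section 2.3 assumes the digest is sent secretly.
        "changed_msg_new_digest": digest_ok(changed, make_digest(changed)),
        # With a MAC the original tag no longer matches the changed message...
        "changed_msg_old_mac": mac_ok(key, changed, mac),
        # ...and a tag computed without the shared key does not match either.
        "changed_msg_mac_wrong_key": mac_ok(
            key, changed, make_mac(b"not-the-shared-key", changed)
        ),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case:28s} accepted={accepted}")
```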
Electronic signatures can also be used to detect the modification of data or messages.
An electronic signature can be generated using public key or private key cryptography. Using a public key system, documents in a computer system are electronically signed by applying the originator’s private key to the document. The resulting digital signature and document can then be stored or transmitted. The signature can be verified using the public key of the originator. If the signature verifies properly, the receiver has confidence that the document was signed using the private key of the originator and that the message had not been altered after it was signed. Because private keys are known only to their owner, it may also be possible to verify the originator of the information to a third party. A digital signature, therefore, provides two distinct services: non-repudiation and message integrity. Digital Signature Standard specifies a digital signature algorithm that should be used when message and data integrity are required.
The message authentication code (MAC) described above can also be used to provide an electronic signature capability. The MAC is calculated based on the contents of the message. After transmission another MAC is calculated on the contents of the received message. If the MAC associated with the message that was sent is not the same as the MAC associated with the message that was received, then there is proof that the message received does not exactly match the message sent. A MAC can be used to identify the signer of the information to the receiver.
However, the implementations of this technology do not inherently provide non-repudiation because both the sender of the information and the receiver of the information share the same key. The types of security mechanisms that could be implemented to provide the data and message integrity service are listed below.
• Message authentication codes used for software or files,
• Use of secret key based electronic signature,
• Use of public key digital signature,
• Granular privilege mechanism,
• Appropriate access control settings (i.e. no unnecessary write permissions),
• Virus detection software,
• Workstations with no local storage (to prevent local storage of software and files),
• Workstations with no diskette drive/tape drive to prevent introduction of suspect software.
• Use of public key digital signatures.
Non-repudiation is the security service by which the entities involved in a communication cannot deny having participated. Specifically, the sending entity cannot deny having sent a message (non-repudiation with proof of origin) and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery).
Non-repudiation helps ensure that the entities in a communication cannot deny having participated in all or part of the communication. When a major function of the LAN is electronic mail, this service becomes very important. Non-repudiation with proof of origin gives the receiver some confidence that the message indeed came from the named originator. The non-repudiation service can be provided through the use of public key cryptographic techniques using digital signatures. See Data and Message Integrity for a description and use of digital signatures. The security mechanism that could be implemented to provide the non-repudiation service is listed below.
Figure 3.6 Non-Repudiation
Non-Repudiation of Origin
Non-Repudiation of Reception
Use of public key digital signatures.
Logging and monitoring is the security service by which uses of LAN resources can be traced throughout the LAN. The mechanisms, procedures and guidance provided in this section should not be considered as mandatory requirements in this document. Determining the appropriate controls and procedures to use in any LAN environment is the responsibility of those in each organization charged with providing adequate LAN protection.
Figure: 3.7 Audits
3.9.1 This service performs two functions:
The first is the detection of the occurrence of a threat. (However, the detection does not occur in real time unless some type of real-time monitoring capability is utilized.) Depending on the extensiveness of the logging, the detected event should be traceable throughout the system. For example, when an intruder breaks into the system, the log should indicate who was logged on to the system at the time, all sensitive files that had failed accesses, all programs that had attempted executions, etc. It should also indicate sensitive files and programs that were successfully accessed in this time period. It may be appropriate that some areas of the LAN (workstations, file servers, etc.) have some type of logging service.
The second function of this service is to provide system and network managers with statistics that indicate that systems and the network as a whole are functioning properly. This can be done by an audit mechanism that uses the log file as input and processes the file into meaningful information regarding system usage and security. A monitoring capability can also be used to detect LAN availability problems as they develop.
The types of security mechanisms that could be used to provide the logging and monitoring service are listed below.
3.9.2 Service Type:
Off-line Analysis
On-line Analysis
• Logging of I&A information (including source machine, modem, etc.),
• Logging of changes to access control information,
• Logging of use of sensitive files,
• Logging of modifications made to critical software,
• Utilizing LAN traffic management tools,
• Use of auditing tools
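An off-line audit pass of the kind described above, as an added example that is not part of the original document: it takes logged I&A information as input and produces, per account, the last successful login and the number of login failures since then. The log format, the account and machine names, and the alert threshold are assumptions made for this example; the log lines are constructed.

```python
from datetime import datetime

# Constructed I&A log: timestamp, userid, source machine, outcome.
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice ws-014 SUCCESS
2024-03-01T23:40:02 alice modem-2 FAILURE
2024-03-01T23:40:09 alice modem-2 FAILURE
2024-03-01T23:40:15 alice modem-2 FAILURE
2024-03-02T08:05:40 bob ws-020 FAILURE
2024-03-02T08:05:52 bob ws-020 SUCCESS
2024-03-02T09:00:00 carol
"""


def analyze(log_text, failure_threshold=3):
    """Return (per-account report, number of malformed lines skipped).

    For each userid the report holds the last successful login (time and
    source machine), the failures recorded since that login, the machines
    those failures came from, and an alert flag once the failure count
    reaches failure_threshold.
    """
    accounts = {}
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue  # blank lines are not counted as malformed
        if len(fields) != 4 or fields[3] not in ("SUCCESS", "FAILURE"):
            skipped += 1
            continue
        stamp, user, source, outcome = fields
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            skipped += 1
            continue

        acct = accounts.setdefault(
            user,
            {"last_success": None, "failures_since": 0, "failure_sources": set()},
        )
        if outcome == "SUCCESS":
            # A successful login resets the counters shown to the user next time.
            acct["last_success"] = (when, source)
            acct["failures_since"] = 0
            acct["failure_sources"] = set()
        else:
            acct["failures_since"] += 1
            acct["failure_sources"].add(source)

    for acct in accounts.values():
        acct["alert"] = acct["failures_since"] >= failure_threshold
    return accounts, skipped


if __name__ == "__main__":
    report, skipped = analyze(SAMPLE_LOG)
    for user, acct in sorted(report.items()):
        print(user, acct)
    print("malformed lines skipped:", skipped)
```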
4.1 DIGITAL SIGNATURE:
Although a MAC can provide message integrity and message authentication, it has a drawback: it needs a symmetric key that must be established between the sender and the receiver. A digital signature, on the other hand, can use a pair of asymmetric keys (a public one and a private one).
We are all familiar with the concept of a signature. We sign a document to show that it originated from us or was approved by us. The signature is proof to the recipient that the document comes from the correct entity. When a customer signs a check to himself, the bank needs to be sure that the check is issued by that customer and nobody else. In other words, a signature on a document, when verified, is a sign of authentication; the document is authentic. Consider a painting signed by an artist. The signature on the art, if authentic, means that the painting is probably authentic.
Figure: 4.1 Digital Signatures
When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.
Before we continue any further, let us discuss the differences between two types of signatures: conventional and digital.
A conventional signature is included in the document; it is part of the document. When we write a check, the signature is on the check; it is not a separate document. On the other hand, when we sign a document digitally, we send the signature as a separate document. The sender sends two documents: the message and the signature. The recipient receives both documents and verifies that the signature belongs to the supposed sender. If this is proved, the message is kept; otherwise, it is rejected.
4.1.3 Verification Method:
The second difference between the two types of documents is the method of verifying the signature. In conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. If they are the same, the document is authentic. The recipient needs to have a copy of this signature on file for comparison. In digital signature, the recipient receives the message and the signature. A copy of the signature is not stored anywhere. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.
In conventional signature, there is normally a one-to-many relationship between a signature and documents. A person, for example, has a signature that is used to sign many checks, many documents, etc. In digital signature, there is a one-to-one relationship between a signature and a message. Each message has its own signature. The signature of one message cannot be used in another message. If Bob receives two messages, one after another, from Alice, he cannot use the signature of the first message to verify the second. Each message needs a new signature.
Another difference between the two types of signatures is a quality called duplicity. In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time (such as a timestamp) on the document. For example, suppose Alice sends a document instructing Bob to pay Eve. If Eve intercepts the document and the signature, she can resend it later to get money again from Bob.
4.2 Need for Keys:
In conventional signature, a signature is like a private “key” belonging to the signer of the document. The signer uses it to sign a document; no one else has this signature. The copy of the signature is on file like a public key; anyone can use it to verify a document, to compare it to the original signature.
Figure: 4.2.1 symmetric key
Figure: 4.2.2 Asymmetric key
In digital signature, the signer uses her private key, applied to a signing algorithm, to sign the document. The verifier, on the other hand, uses the public key of the signer, applied to the verifying algorithm, to verify the document. Can we use a secret (symmetric) key to both sign and verify a signature? The answer is no for several reasons. First, a secret key is known only between two entities (Alice and Bob, for example). So if Alice needs to sign another document and send it to Ted, she needs to use another secret key. Second, as we will see, creating a secret key for a session involves authentication, which normally uses digital signature. We have a vicious cycle. Third, Bob could use the secret key between himself and Alice, sign a document, send it to Ted, and pretend that it came from Alice.
4.3 Signing the Document:
Probably the easier, but less efficient, way is to sign the document itself. Signing a document is encrypting it with the private key of the sender; verifying the document is decrypting it with the public key of the sender.
We should make a distinction between private and public keys as used in digital signature and public and private keys as used for confidentiality. In the latter, the private and public keys of the receiver are used in the process. The sender uses the public key of the receiver to encrypt; the receiver uses his own private key to decrypt.
In digital signature, the private and public keys of the sender are used. The sender uses her private key; the receiver uses the public key of the sender. In a cryptosystem, we use the private and public keys of the receiver; in digital signature, we use the private and public keys of the sender.
4.4 Signing the Digest:
We mentioned that the public key is very inefficient in a cryptosystem if we are dealing with long messages. In a digital signature system, our messages are normally long, but we have to use public keys.
The solution is not to sign the message itself; instead, we sign a digest of the message. As we learned, a carefully selected message digest has a one-to-one relationship with the message. The sender can sign the message digest.
4.5 Signature Schemes:
Several signature schemes have evolved during the last few decades. Some of them have been implemented, such as the RSA and DSS (Digital Signature Standard) schemes.
4.6 Message Non-repudiation:
If Alice signs a message and then denies it, can Bob later prove that Alice actually signed it? For example, if Alice sends a message to a bank (Bob) and asks to transfer $10,000 from her account to Ted’s account, can Alice later deny that she sent this message? With the scheme we have presented so far, Bob might have a problem. Bob must keep the signature on file and later use Alice’s public key to create the original message to prove that the message in the file and the newly created message are the same. This is not feasible because Alice may have changed her private/public key during this time; she may also claim that the file containing the signature is not authentic.
One solution is a trusted third party. People can create a trusted party among themselves. We will see that a trusted party can solve many other problems concerning security services and key exchange. Figure 4.3 shows how a trusted party can prevent Alice from denying that she sent the message.
Figure: 4.3 Using a trusted center for nonrepudiation
Alice creates a signature from her message (SA) and sends the message, her identity, Bob’s identity, and the signature to the center. The center, after checking that Alice’s public key is valid, verifies through Alice’s public key that the message comes from Alice. The center then saves a copy of the message with the sender identity, recipient identity, and a timestamp in its archive. The center uses its private key to create another signature (ST) from the message. The center then sends the message, the new signature, Alice’s identity, and Bob’s identity to Bob. Bob verifies the message using the public key of the trusted center.
A digital signature provides three out of our initial five security services: message authentication, message integrity and non-repudiation.
Figure: 4.4 Service of Digital Signature
If in the future Alice denies that she has sent the message, the center can show a copy of the saved message. If Bob’s message is a duplicate of the message saved at the center, Alice will lose the dispute. To make everything confidential, a level of encryption/decryption can be added to the scheme as discussed in the next section.
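The trusted-center exchange of Figure 4.3, together with signing the digest from Section 4.4, as an added example that is not part of the original document. It uses textbook RSA without padding over a SHA-256 digest; the toy keys built from small Mersenne primes, the identity strings, and the class and function names are assumptions made so the exchange runs with the Python standard library only.

```python
import hashlib
import time

E = 65537  # public exponent used by both toy keys


def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys from small Mersenne primes. They are far too small and
# too structured for real use; they only keep the example self-contained.
ALICE_N, ALICE_D = make_key(2**89 - 1, 2**107 - 1)
CENTER_N, CENTER_D = make_key(2**61 - 1, 2**127 - 1)


def digest_int(message, n):
    """Section 4.4: the signer works on a digest of the message, not the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, n, d):
    """Apply the signer's private key to the digest."""
    return pow(digest_int(message, n), d, n)


def verify(message, signature, n):
    """Apply the signer's public key and compare with a fresh digest."""
    return pow(signature, E, n) == digest_int(message, n)


class TrustedCenter:
    def __init__(self, directory):
        self.directory = directory  # identity -> public modulus the center accepts
        self.archive = []

    def relay(self, message, sender, recipient, s_a):
        """Check S_A, archive the message, and return it signed as S_T."""
        sender_n = self.directory.get(sender)
        if sender_n is None or not verify(message, s_a, sender_n):
            raise ValueError("S_A does not verify under the claimed sender's key")
        self.archive.append({
            "message": message,
            "sender": sender,
            "recipient": recipient,
            "timestamp": time.time(),
        })
        # As in the text, S_T is created from the message alone.
        s_t = sign(message, CENTER_N, CENTER_D)
        return message, s_t, sender, recipient

    def settle_dispute(self, message, sender):
        """True if the archive shows this sender submitted exactly this message."""
        return any(
            r["message"] == message and r["sender"] == sender
            for r in self.archive
        )


def bob_accepts(message, s_t):
    """Bob verifies with the public key of the trusted center, not Alice's."""
    return verify(message, s_t, CENTER_N)


def run_exchange():
    center = TrustedCenter({"alice": ALICE_N})
    message = b"Transfer $10,000 from Alice's account to Ted's account"
    s_a = sign(message, ALICE_N, ALICE_D)          # Alice -> center
    msg, s_t, sender, _recipient = center.relay(message, "alice", "bob", s_a)
    return center, msg, s_t, sender                # center -> Bob


if __name__ == "__main__":
    center, msg, s_t, sender = run_exchange()
    print("Bob accepts:", bob_accepts(msg, s_t))
    print("Center confirms origin:", center.settle_dispute(msg, sender))
```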