
Chapter 8

Security in Computer Network


By Pavan Poudel

Properties of Secure Communication


• Confidentiality/Secrecy
▫ Data is only understandable to the communicating parties
• Authentication
▫ Can you prove who you are?
▫ Sender and receiver should be able to confirm identity of other
party involved.
• Integrity and Non-repudiability
▫ Even if sender and receiver are able to authenticate each other,
they must ensure that the data received is not altered either
maliciously or by accident.
▫ Refuse to Accept
• Access control and availability
▫ Using firewall

Network Security Issues



Principles of Cryptography
• Techniques employed in protecting integrity or secrecy of
electronic messages by converting them into unreadable
(cipher text) form.
• Only the use of a secret key can convert the cipher text back
into human readable (clear text) form.
• Cryptography software and/or hardware devices use
mathematical formulas (algorithms) to change text from one
form to another.
• Two principles:
▫ Symmetric Key Cryptography (Secret Key)
▫ Asymmetric Key Cryptography (Public Key)

Symmetric Key Cryptography Principles


• Use a single secret key
• The cipher text has almost the same size as the original
message
• Built on a shared secret or some random unpredictable data
• The strength mostly depends on the key length
• Encrypt large files fast and efficiently
• Go by many names (session key, single key, bulk encryption)

Symmetric Key Cryptography Principles


• Mono Alphabetic
• Poly Alphabetic
• DES, 3DES
• Rijndael (AES Winner)

Mono Alphabetic
• Caesar Cipher
▫ Very old and simple symmetric key algorithm
▫ Take each letter in the plain text and replace it by the letter that is ‘k’
letters ahead.
▪ E.g. for k=5 => ‘a’ is replaced by ‘f’, ‘x’ by ‘c’ and so on
▫ Very easy to break => only 25 possible key values
• Monoalphabetic cipher:
▫ Any letter can be substituted by any other, as long as each letter has a
unique substitute letter
▪ E.g. Plaintext: bob. i love you. alice
▪ Ciphertext: nkn. s gktc wky. mgsbc
▫ Better than Caesar cipher in that there are 26! (on the order of 10^26) possible
pairings of letters.

Poly Alphabetic cipher

• Key: C1C2C2
▫ Then text “abcde” would be transmitted as “fuvix”

Data Encryption Standard (DES)


• DES is a block cipher, an algorithm that takes a fixed-length
string of plaintext bits and transforms it through a series of
complicated operations into another cipher text bit string of the
same length.
• In the case of DES, the block size is 64 bits.
• DES also uses a key to customize the transformation, so that
decryption can supposedly only be performed by those who know
the particular key used to encrypt.
• The key ostensibly consists of 64 bits; however, only 56 of these are
actually used by the algorithm.
• Eight bits are used solely for checking parity, and are thereafter
discarded.
• Hence the effective key length is 56 bits, and it is always quoted as
such.
• Every 8th bit of the selected key is discarded, that is, positions 8,
16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key leaving
behind only the 56 bit key.

Data Encryption Standard (DES)


• The operation of one of these intermediate stages is illustrated in (b).
• Each stage takes two 32-bit inputs and produces two 32-bit outputs.
• The left output is simply a copy of the right input.
• The right output is the bitwise XOR of the left input and a function of
the right input and the key for this stage, Ki.
• All the complexity lies in this function.
• The function consists of four steps, carried out in sequence.
• First, a 48-bit number, E, is constructed by expanding the 32-bit R(i-1)
according to a fixed transposition and duplication rule.
• Second, E and Ki are XORed together.
• This output is then partitioned into eight groups of 6 bits each, each
of which is fed into a different S-box. Each of the 64 possible inputs
to an S-box is mapped onto a 4-bit output.
• Finally, these 8 x 4 bits are passed through a P-box.

Data Encryption Standard (DES)


• In each of the 16 iterations, a different key is used.
• Before the algorithm starts, a 56-bit transposition is applied to
the key.
• Just before each iteration, the key is partitioned into two 28-bit
units, each of which is rotated left by a number of bits
dependent on the iteration number.
• Ki is derived from this rotated key by applying yet another 56-bit
transposition to it.
• A different 48-bit subset of the 56 bits is extracted and
permuted on each round.
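
The round structure, the 28-bit half rotations and the parity-bit stripping described above, as an added Python sketch that is not part of the original slides. `toy_f` and the 48-bit subkey selection are simplified stand-ins (assumptions), not the real DES expansion, S-boxes, P-box or permutations, and the initial and final transpositions are omitted.

```python
MASK32 = 0xFFFFFFFF
MASK28 = 0x0FFFFFFF

def strip_parity(key64):
    """Drop bit positions 8, 16, ..., 64 (the low bit of every byte) -> 56-bit key."""
    key56 = 0
    for shift in range(56, -1, -8):              # most significant byte first
        key56 = (key56 << 7) | (((key64 >> shift) & 0xFF) >> 1)
    return key56

def rotl28(value, count):
    """Rotate a 28-bit half left by count bits."""
    return ((value << count) | (value >> (28 - count))) & MASK28

def subkeys(key64, rounds=16):
    """Split the 56-bit key into two 28-bit halves and rotate both before each
    round. The rotation counts are the DES ones; keeping the low 48 bits is a
    simplification of the real 56-to-48-bit selection and permutation."""
    key56 = strip_parity(key64)
    c, d = key56 >> 28, key56 & MASK28
    keys = []
    for i in range(1, rounds + 1):
        shift = 1 if i in (1, 2, 9, 16) else 2
        c, d = rotl28(c, shift), rotl28(d, shift)
        keys.append(((c << 28) | d) & 0xFFFFFFFFFFFF)
    return keys

def toy_f(right, subkey):
    """Stand-in for f(R, Ki). It discards bits, so it is not invertible:
    the Feistel structure does not need f to be."""
    x = ((right ^ subkey) * 0x9E3779B1) & MASK32
    return (x ^ (x >> 15)) & 0xFFFF0FFF

def feistel(block64, round_keys):
    left, right = block64 >> 32, block64 & MASK32
    for k in round_keys:
        # left output = right input; right output = left input XOR f(right input, Ki)
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left                   # halves swapped after the last round

def encrypt(block64, key64):
    return feistel(block64, subkeys(key64))

def decrypt(block64, key64):
    return feistel(block64, subkeys(key64)[::-1])  # same network, subkeys in reverse
```

Decryption reuses the same network with the subkeys in reverse order, which is why the round function itself never has to be inverted.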

Public Key Encryption


• Two keys:
▫ public encryption key e
▫ private decryption key d
• encryption easy when e is known
• decryption hard when d is not known
• decryption easy when d is known
• The most famous algorithm: RSA

RSA Algorithm
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors
with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z.
(in other words: ed mod z = 1 ).
5. Public key KB+ is (n,e). Private key KB- is (n,d).

RSA Algorithm
* Given (n,e) and (n,d) as computed above

* To encrypt bit pattern, m, compute

c = m^e mod n (i.e., remainder when m^e is divided by n)

* To decrypt received bit pattern, c, compute

m = c^d mod n (i.e., remainder when c^d is divided by n)

Magic happens!

m = (m^e mod n)^d mod n, where c = m^e mod n

RSA Algorithm
• Encrypt Message “LOVE” using RSA Algorithm
▫ Let p=5, q=7 (Smaller numbers are selected for simplicity)
▫ Then n = pq = 5*7 = 35
▫ And z = (p-1)(q-1) = 4*6 = 24
▫ Selecting e = 5 (e < n and no common factor with z) and
d = 29 (such that: ed mod z = 1)
▪ => Public Key (n, e) = (35, 5)
▪ => Private Key (n, d) = (35, 29)

RSA Algorithm
Plain Text   m (numeric representation)   m^e       Cipher Message c = m^e mod n
L            12                           248832    17 (Q)
O            15                           759375    15 (O)
V            22                           5153632   22 (V)
E            5                            3125      10 (J)
Encryption ( LOVE => QOVJ )

c        c^d      m = c^d mod n   Character
17 (Q)   17^29    12              L
15 (O)   15^29    15              O
22 (V)   22^29    22              V
10 (J)   10^29    5               E
Decryption ( QOVJ => LOVE )

RSA Algorithm

An important property of RSA Algorithm:

KB-(KB+(m)) = m = KB+(KB-(m))

Left side: use public key first, followed by private key.
Right side: use private key first, followed by public key.

Result is the same!



Digital Signature
• Cryptographic technique analogous to hand-written
signatures.
• Sender (Bob) digitally signs document, establishing he is
document owner/creator.
• Verifiable: recipient (Alice) can prove to someone that Bob,
and no one else (including Alice), must have signed
document

Digital Signature
Bob signs m by encrypting with his private
key KB-, creating “signed” message, KB-(m)

Digital Signature
• Suppose Alice receives msg m, digital signature KB-(m)
• Alice verifies m signed by Bob by applying Bob’s public
key KB+ to KB-(m) then checks KB+(KB-(m)) = m.
• If KB+(KB-(m)) = m, whoever signed m must have used
Bob’s private key.
Alice thus verifies that:
▪ Bob signed m. (Authentication)
▪ No one else signed m.
▪ Bob signed m and not m’. (Message Integrity)
Non-repudiation:
▪ Alice can take m, and signature KB-(m) to court and prove
that Bob signed m.
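
The RSA slides and the signature check above, carried through in one added Python example (not part of the original slides) using the deck's own numbers p=5, q=7, e=5, d=29 and its A=1 ... Z=26 letter coding. The function names are assumptions made for the example; per-letter "textbook" RSA with a 35-value modulus is for following the arithmetic only.

```python
from math import gcd

def check_keypair(p, q, e, d):
    """Validate the choices from steps 2-4 and return (public, private)."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and share no factor with z")
    if (e * d) % z != 1:
        raise ValueError("ed mod z must equal 1")
    return (n, e), (n, d)

PUBLIC, PRIVATE = check_keypair(p=5, q=7, e=5, d=29)    # (35, 5) and (35, 29)

def to_numbers(text):
    return [ord(ch) - ord("A") + 1 for ch in text]       # A=1 ... Z=26, as in the table

def to_text(numbers):
    return "".join(chr(v + ord("A") - 1) for v in numbers)

def apply_key(key, values):
    """Raise every value to the key's exponent modulo n."""
    n, exponent = key
    if any(not 0 <= v < n for v in values):
        raise ValueError("each value must be smaller than n")
    return [pow(v, exponent, n) for v in values]

def encrypt(text):
    return apply_key(PUBLIC, to_numbers(text))           # c = m^e mod n

def decrypt(cipher_numbers):
    return to_text(apply_key(PRIVATE, cipher_numbers))   # m = c^d mod n

def sign(text):
    return apply_key(PRIVATE, to_numbers(text))          # KB-(m)

def verify(text, signature):
    # Alice applies KB+ to the signature and compares the result with m.
    return apply_key(PUBLIC, signature) == to_numbers(text)

if __name__ == "__main__":
    cipher = encrypt("LOVE")
    print(cipher, to_text(cipher), decrypt(cipher))
    signature = sign("LOVE")
    print(verify("LOVE", signature), verify("LOVF", signature))
```

A signature made over "LOVE" fails verification against the altered message "LOVF", which is the message-integrity property listed above.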

Diffie-Hellman Algorithm
• A Key Exchange Algorithm
• Exponential key agreement
• Allows two users to exchange a secret key
• Requires no prior secrets
• Real-time over an un-trusted network
• Based on the difficulty of computing discrete logarithms of
large numbers.
• Used in SSL, SSH, IPSec, Cisco encrypting routers, Sun
secure RPC, etc.
• Alice and Bob want to share a secret key for use in a
symmetric cipher, but their only means of communication is
insecure.

Diffie-Hellman Algorithm
• First, users agree on a large prime p and a nonzero integer g.
• p and g are both publicly available numbers
▫ p is at least 512 bits
• Users pick private values a and b
• Compute public values
▫ x = g^a mod p
▫ y = g^b mod p
• Public values x and y are exchanged
• Compute shared, private key
▫ ka = y^a mod p
▫ kb = x^b mod p
• Algebraically it can be shown that ka = kb
• Users now have a symmetric secret key to encrypt

Diffie-Hellman Algorithm
• Alice and Bob get public numbers
▫ P = 23, G = 9
• Alice and Bob compute public values
▫ X = 9^4 mod 23 = 6561 mod 23 = 6
▫ Y = 9^3 mod 23 = 729 mod 23 = 16
• Alice and Bob exchange public numbers
• Alice and Bob compute symmetric keys
▫ ka = y^a mod p = 16^4 mod 23 = 9
▫ kb = x^b mod p = 6^3 mod 23 = 9
• Alice and Bob now can talk securely!
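
The exchange above with the slide's numbers (p=23, g=9, private values 4 and 3), as an added Python example that is not part of the original slides. It also shows why the slides ask for a large p: with a 5-bit prime, the private exponent behind a public value is found by trying every candidate. Function names are assumptions.

```python
def public_value(g, private, p):
    return pow(g, private, p)                  # x = g^a mod p

def shared_key(other_public, private, p):
    return pow(other_public, private, p)       # ka = y^a mod p, kb = x^b mod p

def exchange(p, g, a, b):
    """Run both sides of the exchange and return what each value ends up as."""
    x = public_value(g, a, p)                  # Alice -> Bob, sent in the clear
    y = public_value(g, b, p)                  # Bob -> Alice, sent in the clear
    ka, kb = shared_key(y, a, p), shared_key(x, b, p)
    if ka != kb:
        raise ArithmeticError("both sides must derive the same key")
    return {"x": x, "y": y, "key": ka}

def meets_slide_minimum(p, bits=512):
    """The slides require p to be at least 512 bits long."""
    return p.bit_length() >= bits

def exponent_by_search(g, public, p):
    """Try every exponent until g^k mod p equals the observed public value.
    This finishes instantly for p = 23; the size of p is the only thing that
    makes the same search impractical."""
    for k in range(1, p):
        if pow(g, k, p) == public:
            return k
    return None

if __name__ == "__main__":
    result = exchange(p=23, g=9, a=4, b=3)
    print(result)                              # x, y and the shared key
    print(meets_slide_minimum(23))
    print(exponent_by_search(9, result["x"], 23))
```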

Securing Email using Pretty Good Privacy (PGP)


• Pretty Good Privacy (PGP) is an e-mail encryption scheme that
has become a de-facto standard, with thousands of users all over
the globe.
• Depending on the version, the PGP software uses MD5 or SHA
for calculating the message digest; CAST, Triple-DES or IDEA for
symmetric key encryption; and RSA for the public key encryption.
• In addition, PGP provides data compression.
• When PGP is installed, the software creates a public key pair for
the user.
• The public key can be posted on the user's Web site or placed in a
public key server.
• The private key is protected by the use of a password. The
password has to be entered every time the user accesses the
private key.
• PGP gives the user the option of digitally signing the message,
encrypting the message, or both digitally signing and encrypting.

Secure Socket Layer (SSL)


• Secure sockets layer (SSL), originally developed by Netscape, is a
protocol designed to provide data encryption and authentication
between a Web client and a Web server.
• Whenever a web surfer visits a secure site that uses SSL
technology, it creates an encrypted link between their browser
session and the web server
• The protocol begins with a handshake phase that negotiates an
encryption algorithm (e.g., DES or RSA) and keys, and
authenticates the server to the client.
• Optionally, the client can also be authenticated to the server.
• Once the handshake is complete and the transmission of application
data begins, all data is encrypted using session keys negotiated
during the handshake phase.
• SSL is widely used in Internet commerce, being implemented in
almost all popular browsers and Web servers.

Secure Socket Layer Features


• SSL server authentication:
▫ SSL-enabled browsers maintain lists of trusted CAs along with
their public keys.
▫ Browser requests server certificate, issued by trusted CA.
▫ Server sends its certificate.
▫ Browser uses CA’s public key to extract server’s public key from
certificate.
• Encrypted SSL session:
▫ Browser generates symmetric session key, encrypts it with
server’s public key, sends encrypted key to server.
▫ Using private key, server decrypts session key.
▫ Browser, server know session key
▫ All data sent into TCP socket (by client or server) encrypted with
session key.
• SSL client authentication:
▫ Analogous to server authentication

Network Layer Security - VPN


• A virtual private network (VPN) is a private network that
interconnects remote (and often geographically separate)
networks through primarily public communication
infrastructures such as the Internet.
• It enables a computer to send and receive data across shared
or public networks as if it is directly connected to the private
network.
• A VPN is created by establishing a virtual point-to-point
connection through the use of dedicated connections,
virtual tunneling protocols, or traffic encryption.
• Through a VPN, you can access your private network over
the Internet.
• VPNs provide security through tunneling protocols and
security procedures such as encryption. For example, a VPN
could be used to securely connect the branch offices of an
organization to a head office network through the public
Internet.

Virtual Private Network


• Host to Gateway/remote-access VPNs and
• Gateway to Gateway/Site to Site VPN

Remote Access VPN



Site to Site VPN



VPN
• VPNs allow employees to securely access their company's
intranet while traveling outside the office.
• Similarly, VPNs securely connect geographically disparate
offices of an organization, creating one cohesive network.
• VPN technology is also used by Internet users to connect to
proxy servers for the purpose of protecting personal identity
and location.

IP Security(IPSec)
• Internet Protocol Security (IPsec) is a protocol suite for
securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a
communication session.
• IPsec uses cryptographic security services to protect
communications over Internet Protocol (IP) networks.
• IPsec can be used in protecting data flows between a pair of
hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a
host (network-to-host).
• Two principal protocols
▫ Authentication Header (AH) protocol and
▫ Encapsulating Security Payload (ESP) protocol

IP Security(IPSec)
• When a source host sends secure datagrams to a destination
host, it does so with either the AH protocol or with the ESP
protocol.
• The AH protocol provides source authentication and data
integrity but does not provide secrecy.
• The ESP protocol provides data integrity and secrecy.
Providing more services, the ESP protocol is naturally more
complicated and requires more processing than the AH
protocol.

IPSec elements
IPSec contains the following elements:
• Encapsulating Security Payload (ESP): Provides
confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and
integrity.
• Internet Key Exchange (IKE): Provides key management and
Security Association (SA) management.

IPSec Security Features


• IPSec is the most secure method commercially available for
connecting network sites. IPSec was designed to provide the
following security features when transferring packets across
networks:
• Authentication: Verifies that the packet received is actually
from the claimed sender.
• Integrity: Ensures that the contents of the packet did not
change in transit.
• Confidentiality: Conceals the message content through
encryption.

Wireless Security using WEP


• The 802.11 standard prescribes a data link-level security
protocol called WEP (Wired Equivalent Privacy), which is
designed to make the security of a wireless LAN as good as
that of a wired LAN.
• When 802.11 security is enabled, each station has a secret
key shared with the base station.
• How the keys are distributed is not specified by the standard.
• WEP algorithm is used to (WEP features):
▫ Protect wireless communication from eavesdropping (secretly
listening to the private conversation of others without their consent)
▫ Prevent unauthorized access to wireless network
• Goals of WEP
▫ 1. Access Control
▫ 2. Data Integrity
▫ 3. Confidentiality

WEP
• WEP relies on a secret key which is shared between the
sender and the receiver.
▫ Sender : Mobile station (eg: laptop with wireless ethernet)
▫ Receiver : Access Point (eg: base station)
• Secret Key is used to encrypt packets before they are
transmitted
• Integrity check is used to ensure packets are not modified in
transit.
• WEP encryption uses a stream cipher based on the Ron's
Code 4 (RC4) algorithm. RC4 was designed by Ronald
Rivest and kept secret until it leaked out and was posted to
the Internet in 1994.
• In WEP, RC4 generates a key stream that is XORed with the
plaintext to form the cipher text.

WEP
• WEP uses the RC4 encryption algorithm, a “stream
cipher”, to protect the confidentiality of its data
• RC4 is used with a 64 or 128-bit key
consisting of:
▫ A 24-bit Initialization Vector (IV)
▫ A 40 or 104-bit secret key

• The Secret Key is shared among the stations, and a new IV is
selected every time

• Initialization Vector (IV):
▫ Used to avoid encrypting two packets with the same key stream
▫ Used to produce a different RC4 key for each packet
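
How the 24-bit IV and the shared secret combine into a per-packet RC4 key, as an added Python example that is not part of the original slides. The key, IVs and payload are constructed; using CRC-32 as the integrity check value is how WEP does it but is not stated on the slides, and the frame layout is simplified (no key ID byte, no 802.11 header).

```python
import struct
import zlib

SECRET_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])   # constructed 40-bit shared key

def rc4_keystream(key, length):
    """RC4: key scheduling, then `length` bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def wep_encrypt(secret_key, iv, payload):
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("need a 24-bit IV and a 40- or 104-bit secret key")
    data = payload + struct.pack("<I", zlib.crc32(payload))    # payload + integrity value
    stream = rc4_keystream(iv + secret_key, len(data))         # per-packet key = IV || secret
    return iv + xor_bytes(data, stream)                        # the IV travels in the clear

def wep_decrypt(secret_key, frame):
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + secret_key, len(body)))
    payload, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("integrity check failed: frame damaged or wrong key")
    return payload

if __name__ == "__main__":
    first = wep_encrypt(SECRET_KEY, b"\x00\x00\x01", b"hello access point")
    second = wep_encrypt(SECRET_KEY, b"\x00\x00\x02", b"hello access point")
    print(first.hex())
    print(second.hex())            # same payload, new IV: different cipher text
    print(wep_decrypt(SECRET_KEY, first))
```

Because the secret key is fixed, the IV is the only input that changes the key stream from one packet to the next.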

Firewall
• A firewall is a combination of hardware and software that
isolates an organization's internal network from the Internet at
large, allowing specific connections to pass and blocking
others.
• Organizations employ firewalls for one or more of the
following reasons:
▫ To prevent intruders from interfering with the daily
operation of the internal network.
▪ denial of service attack, SYN FIN attack
▫ To prevent intruders from deleting or modifying information
stored within the internal network.
▫ To prevent intruders from obtaining secret information.

Firewall Types
• Packet Filtering
• Application Level Gateway

Packet Filtering
• Work at the network layer.
• Internal network connected to Internet via router firewall.
• Router filters packet-by-packet and compares to a set of
criteria before it is forwarded.
▫ Should arriving packet be allowed in? Departing packet let out?
• Filtering Based on
▫ Source/Destination IP address.
▫ TCP or UDP source and destination port.
▫ ICMP message type.
▫ Connection initialization datagrams using the TCP ACK bit

Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP
protocol field = 17 and with either source or dest port = 23.
▫ All incoming and outgoing UDP flows and telnet
connections are blocked.
• Example 2: Block inbound TCP segments with ACK=0.
▫ Prevents external clients from making TCP connections
with internal clients, but allows internal clients to connect to
outside.
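
The two example rules evaluated over constructed packets, as an added Python example that is not part of the original slides. Example 1 is implemented as "UDP, or port 23 on either side", which is the reading that produces the outcome the slide states; the `Packet` fields and rule names are assumptions.

```python
from dataclasses import dataclass

UDP, TCP = 17, 6          # IP protocol field values

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the internal network
    protocol: int
    src_port: int
    dst_port: int
    ack: bool = False     # TCP ACK bit (ignored for UDP)

def rule_example1(pkt):
    """Example 1: block UDP flows and Telnet (port 23) in both directions."""
    if pkt.protocol == UDP or 23 in (pkt.src_port, pkt.dst_port):
        return "drop: UDP or Telnet"
    return None

def rule_example2(pkt):
    """Example 2: block inbound TCP segments with ACK=0 (connection openers)."""
    if pkt.direction == "in" and pkt.protocol == TCP and not pkt.ack:
        return "drop: inbound TCP with ACK=0"
    return None

RULES = [rule_example1, rule_example2]

def filter_packet(pkt):
    """Stateless, packet-by-packet decision: the first matching rule wins.
    The filter trusts the ACK bit in the header; it keeps no connection table."""
    for rule in RULES:
        verdict = rule(pkt)
        if verdict:
            return verdict
    return "forward"

# Constructed sample traffic
SAMPLE = [
    Packet("in", UDP, 53, 40000),                # inbound UDP reply
    Packet("out", TCP, 40000, 23),               # internal user opening Telnet
    Packet("in", TCP, 40001, 80),                # external client opening a connection
    Packet("out", TCP, 40002, 80),               # internal client opening a connection
    Packet("in", TCP, 80, 40002, ack=True),      # reply to that internal client
]

def evaluate(packets):
    return [filter_packet(p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, "->", verdict)
```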

Application Level Gateway


• In order to have a finer level security, firewalls must combine
packet filters with application gateways.
• Application gateways look beyond the IP/TCP/UDP headers
and actually make policy decisions based on application data.
• An application gateway is an application-specific server
through which all application data (inbound and outbound)
must pass.
• Multiple application gateways can run on the same host, but
each gateway is a separate server with its own processes.
• Design a firewall that allows only a restricted set of internal
users to Telnet outside and prevents all external clients from
Telnetting inside.
• Such a policy can be accomplished by implementing a
combination of a packet filter (in a router) and a Telnet
application gateway.

Application Level Gateway


• The filter is configured to block all Telnet connections except
those that originate from the IP address of the application
gateway.
• Such a filter configuration forces all outbound Telnet
connections to pass through the application gateway.
• When an internal user wants to Telnet to the outside world, it
first sets up a Telnet session with the gateway.
• The gateway prompts the user for its user id and
password; when the user supplies this information, the
gateway checks to see if the user has permission to Telnet to
the outside world.

Application Level Gateway


• If not, the gateway terminates the Telnet session.
• If the user has permission, then the gateway
▫ 1. prompts the user for the hostname of the external host to
which the user wants to connect,
▫ 2. sets up a Telnet session between the gateway and the
external host,
▫ 3. relays to the external host all data arriving from the user,
and relays to the user all data arriving from the external
host.
• Thus the Telnet application gateway not only performs user
authorization but also acts as a Telnet server and a Telnet
client.

Intrusion Detection System (IDS)


• Device or software application that monitors network or system
activities for malicious activities or policy violations and produces
reports to a Management Station.
• Inspects all inbound and outbound network activity and identifies
suspicious patterns that may indicate a network or system attack
from someone attempting to break into or compromise a system.
• Categorization of IDS
▫ misuse detection vs. anomaly detection
▪ Misuse detection: IDS looks for a specific attack that has already been
documented. Like a virus detection system, misuse detection software
is only as good as the database of attack signatures that it uses to
compare packets against.
▪ Anomaly detection: the system administrator defines the baseline, or
normal, state of the network’s traffic load, breakdown, protocol, and
typical packet size. The anomaly detector monitors network segments
to compare their state to the normal baseline and look for anomalies.

Intrusion Detection System (IDS)


• Categorization of IDS...
▫ network-based vs. host-based systems:
▪ network-based system or NIDS: the individual packets flowing through
a network are analyzed. The NIDS can detect malicious packets that
are designed to be overlooked by a firewall’s simplistic filtering rules.
▪ host-based system: the IDS examines the activity on each
individual computer or host.
▫ passive system vs. reactive system:
▪ passive system: the IDS detects a potential security breach, logs the
information and signals an alert.
▪ reactive system: the IDS responds to the suspicious activity by logging
off a user or by reprogramming the firewall to block network traffic
from the suspected malicious source.
• Can protect against known software exploits, like buffer
overflows.
• Open Source IDS: Snort, www.snort.org

Thank You !
