Module-4_Computer Networks and Security_18CS52


Computer Networks 18cs52

MODULE – 4
Network Security
4.1 Overview of Network Security
Network Security is the protection of data from unauthorized persons while it is in transit
through routers and intermediate hosts.

1. Elements of Network Security

• Confidentiality: Information should be available only to those who have rightful
access to it.
• Authenticity: The sender of a message should be verified at the receiving point.
That is, it should be possible to verify that the sender or receiver is who he or she
claims to be.
• Integrity: The recipient of the message should be able to confirm that a message
has not been altered during transmission.
The figures below show how an intruder breaks network security (Figure 4.1) and a
method of applying security (Figure 4.2).

Figure 4.1: Message content and sender identity falsified by Intruder

Figure 4.2: A method of applied security

Lokanna Kadakolmath,
Asst. Professor,
Dept of IS&E, AcIT Page 1
2. Threats to Network Security
• DNS Hacking: The Domain Name System (DNS) is a distributed, hierarchical and
global directory that translates domain names into numerical IP addresses. A
DNS hacking attack may result in a loss of data authenticity and integrity and
can appear in any of the following forms.
1. Information-Level Attack: It forces a server to respond with something other
than the correct answer.
2. Masquerading Attack: The adversary poses as a trusted entity and
obtains all the secret information. It is also called a man-in-the-middle attack,
because the adversary convinces the server that it is the legitimate client, and
convinces the client that it is the legitimate server.
3. Information Leakage Attack: The attacker sends queries to all hosts and
identifies which IP addresses are not used. Later on, he can use those IP
addresses to mount other types of attacks.
4. Domain Hijacking Attack: Whenever a user enters a domain address,
he / she is forced to enter the attacker's website.
• Routing Table Poisoning Attacks: This is the undesired modification of routing
tables. There are two types of routing table poisoning attacks.
1. Link Attack: It occurs when a hacker gets access to a link and thereby
intercepts, interrupts or modifies routing messages in packets.
2. Router Attack: It may affect the link-state protocol or even the distance-
vector protocol. If link-state protocol routers are attacked, they may
add a non-existing link to a routing table, delete an existing link, or even
change the cost of a link. In a distance-vector protocol router, an attacker
may send wrong updates about any node in the network, thereby
misleading the router.
• Packet-Mistreatment Attacks: These can occur during any data transmission. A
hacker may capture certain data packets and mistreat them. They can also be sub-
classified as link attacks and router attacks.
1. Link Attack: Causes interruption, modification, or replication of data
packets.
2. Router Attack: Can misroute all packets and may result in congestion or
denial of service.
Examples
2.1 Interruption: If an attacker intercepts packets, they may not be allowed
to propagate to their destination, resulting in a lower throughput of the
network.
2.2 Modification: He can change the address of the packet or even change its
data.

2.3 Replication: An attacker might trap a packet and replay it.
2.4 Ping of Death: An attacker may send a ping message which is large and
therefore must be fragmented. When the receiver reassembles the
fragments, the total packet length becomes too large and might cause a
system crash.
2.5 Malicious Misrouting of Packets: A hacker may attack a router and
change its routing table entries.
• Denial of Service Attacks: A denial of service (DoS) attack is a type of security breach
that prohibits a user from accessing normally provided services. It affects the
destination rather than a data packet or router. Usually, DoS attacks affect a specific
network service such as e-mail or DNS. DoS attacks are of two types.
1. Single Source: An attacker sends a large number of packets to a target
system to overwhelm and disable it.
2. Distributed: In this type of attack, a large number of hosts are used to flood
unwanted traffic to a single target. The flood may be a UDP flood, TCP
flood, or ICMP flood.

4.2 Overview of Security Methods


Common solutions to protect communication networks from attacks are
1. Cryptographic Techniques
2. Authentication Techniques

1. Cryptographic Techniques
• Terminology
1. Cryptography: The process of transforming a piece of information or
message shared by two parties into some sort of code. It is also called
the art and science of keeping messages secure.
2. Cryptographer: A person who practises cryptography.
3. Cryptanalysis: The art and science of breaking encoded messages.
4. Plaintext: The original message is called plaintext or cleartext.
5. Encryption: The process of transforming a message into an unreadable form.
6. Ciphertext: An encrypted message.
7. Decryption: The process of turning ciphertext back into plaintext.
8. Intruder: A person who tries to break the ciphertext.
9. Cryptographic Algorithm: The mathematical function used for
encryption and decryption.

10. Secret Key: This might be any one of a large number of values used by the
cryptographic algorithm for the purpose of encryption and decryption.
The encryption and decryption functions are shown below.
Ek(M) = C
Dk(C) = M
Dk(Ek(M)) = M
For example, let M = 01100101, key k = 11111111, and take the Exclusive-OR (⊕) function
as the cryptographic algorithm. Then
0 1 1 0 0 1 0 1 ← M
1 1 1 1 1 1 1 1 ← k
1 0 0 1 1 0 1 0 ← C = M ⊕ k
1 1 1 1 1 1 1 1 ← k
0 1 1 0 0 1 0 1 ← M = C ⊕ k

Figure 4.3: Encryption and decryption function

• Types of Cryptographic Techniques

1. Secret Key Encryption: In the secret key model, both sender and receiver
use the same key for encryption and decryption. It is also called
private key, single key, or symmetric encryption.

2. Public Key Encryption: In the public key model, sender and receiver use
different keys for encryption and decryption. It is also called double key or
asymmetric encryption. Here each party has two keys, called the public and
private keys. The public key is used to encrypt and the private key to decrypt.

Figure 4.4: Secret Key Encryption


Figure 4.5: Public Key Encryption

2. Authentication Techniques
Encryption methods offer the assurance of message confidentiality. However, a
networking system must also be able to verify the authenticity of the message and of the
sender of the message. These forms of security techniques in computer networks are called
authentication techniques, and are classified as
1. Authentication with message digest
2. Authentication with digital signature.

4.3 Secret-Key Encryption Protocols


Several standard mechanisms can be used to implement a secret-key encryption
algorithm. Here, we focus on two protocols.
1. DES (Data Encryption Standard)
2. AES (Advanced Encryption Standard)

1. DES (Data Encryption Standard)


The most widely used encryption scheme is based on the Data Encryption Standard
(DES), adopted in 1977 by the National Bureau of Standards (now the National Institute of
Standards and Technology, NIST).
Assumptions
1. Plaintext messages are converted into 64-bit blocks.
2. The secret key is 64 bits long, but only 56 bits are used; the last bit of each byte is a
parity bit.
3. It consists of 16 identical rounds.
4. It produces 64-bit ciphertext.
Algorithm
1. Initialize. Before round 1 begins, all 64 bits of a plaintext block and the 56 bits of the
secret key are separately permuted.
2. Each 64-bit plaintext block is broken into two 32-bit parts denoted by Li and Ri
respectively.

3. The 56 bits of the key are also broken into two 28-bit parts, and each part is rotated
by one or two bit positions, depending on the round.
4. All 56 bits of the key are permuted, producing the round key Ki on round i.
5. Here, the Exclusive-OR (⊕) operation is performed on the Li and Ri parts of the plaintext
as shown below.
Li = Ri-1
Ri = Li-1 ⊕ F (Ri-1, Ki)
6. All 64 bits of the message are permuted and then sent to the next round; steps 2-6
are repeated until round 16 is reached.
Computation of Function F (Ri-1, Ki)
1. Out of the 56 bits of the key, the round key Ki used by F ( ) consists of only 48 bits.
2. The 32-bit Ri-1 is expanded to 48 bits using the following sub-steps.
a. Ri-1 is broken into eight 4-bit chunks.
b. Each 4-bit chunk is extended with the rightmost bit of its left neighbour and the
leftmost bit of its right neighbour, making eight 6-bit chunks.
3. The 48 bits of Ki are also partitioned into eight 6-bit chunks.
4. Now, the eight chunks of Ri-1 and Ki are combined as follows.
Ri-1 = Ri-1 ⊕ Ki
5. Finally, the 48-bit Ri-1 is reduced back to 32 bits using the following sub-steps.
a. Ri-1 is broken into eight 6-bit chunks.
b. The eight 6-bit chunks are input to eight substitution boxes (S-Boxes) respectively,
each of which produces a 4-bit chunk as output. The 4-bit chunks from the eight
substitution boxes form the 32-bit Ri-1.
c. An S-Box contains a table of 4 rows and 16 columns. Each cell in the table contains a
4-bit number.
d. The first and last bits of the input 6-bit chunk select a row and the middle 4 bits
select a column. The cell at the intersection of that row and column is the 4-bit
output chunk.
Key Generation
1. First, all 56 bits of the key are initially permuted.
2. The 56-bit key is broken into two 28-bit parts denoted by Ci and Di respectively.
3. At each round Ci-1 and Di-1 are separately subjected to a circular left shift (rotation)
of 1 or 2 bits. These shifted values serve as input to the next round. That is,
Ci = LS(Ci-1) and Di = LS(Di-1), where LS denotes the circular left shift.
4. The shifted values also serve as input to permuted choice 2, which produces the 48-
bit output that serves as the round key Ki input to the function F (Ri-1, Ki).
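To make the round structure concrete, here is a toy Feistel cipher in Python that follows the steps above. It is an added example, not code from the notes, and it is not DES: it keeps two real DES ingredients (the S-box S1 and the per-round key rotation amounts) and simplifies everything else, as labelled in the comments (no initial/final permutation, no P-box after the S-boxes, S1 reused for all eight chunks, and permuted choice 2 replaced by keeping the low 24 bits of each 28-bit key half). The sample key and block are constructed values. The point to observe is Li = Ri-1, Ri = Li-1 ⊕ F(Ri-1, Ki), and that decryption is the same network run with the round keys in reverse order.

```python
"""Toy Feistel cipher mirroring the DES round structure (added example).
Not DES: S1 is reused for all eight chunks, the initial/final permutation and
the P-box are omitted, and permuted choice 2 is simplified (see comments)."""
from typing import List

# DES S-box S1 (FIPS 46-3): 4 rows x 16 columns of 4-bit values.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# Circular left shifts of the C and D halves per round in the DES key schedule.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK28, MASK32 = (1 << 28) - 1, (1 << 32) - 1


def sbox_lookup(six_bits: int) -> int:
    """Step 5.d: first and last bit select the row, middle four bits the column."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def expand(r32: int) -> int:
    """Step 2: 32 -> 48 bits. Each 4-bit chunk gains the rightmost bit of its
    left neighbour and the leftmost bit of its right neighbour (wrapping)."""
    chunks = [(r32 >> (28 - 4 * i)) & 0xF for i in range(8)]
    out = 0
    for i in range(8):
        left_bit = chunks[(i - 1) % 8] & 1
        right_bit = (chunks[(i + 1) % 8] >> 3) & 1
        out = (out << 6) | (left_bit << 5) | (chunks[i] << 1) | right_bit
    return out


def feistel_f(r32: int, k48: int) -> int:
    """F(R_{i-1}, K_i): expand, XOR with the 48-bit round key, S-box reduce to 32 bits."""
    x = expand(r32) ^ k48
    out = 0
    for i in range(8):
        out = (out << 4) | sbox_lookup((x >> (42 - 6 * i)) & 0x3F)
    return out


def rotl28(v: int, n: int) -> int:
    """Circular left shift of a 28-bit half."""
    return ((v << n) | (v >> (28 - n))) & MASK28


def key_schedule(key56: int) -> List[int]:
    """Key generation: split into C and D, rotate each round, choose 48 bits."""
    c, d = (key56 >> 28) & MASK28, key56 & MASK28
    round_keys = []
    for shift in SHIFTS:
        c, d = rotl28(c, shift), rotl28(d, shift)
        # Simplified permuted choice 2: keep the low 24 bits of each half.
        round_keys.append(((c & 0xFFFFFF) << 24) | (d & 0xFFFFFF))
    return round_keys


def feistel(block64: int, round_keys: List[int]) -> int:
    """Run the 16 rounds; the key order decides encryption vs decryption."""
    left, right = (block64 >> 32) & MASK32, block64 & MASK32
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ feistel_f(right, k)
    return (right << 32) | left        # final swap, as in DES


def encrypt(block64: int, key56: int) -> int:
    return feistel(block64, key_schedule(key56))


def decrypt(block64: int, key56: int) -> int:
    """Same network, round keys applied in reverse order."""
    return feistel(block64, key_schedule(key56)[::-1])


if __name__ == "__main__":
    key, msg = 0x133457799BBCD, 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(msg, key)
    print(f"cipher {ct:016x}, recovered {decrypt(ct, key):016x}")
```

The S-box lookup reproduces the textbook case: input 011011 selects row 01 and column 1101, giving S1[1][13] = 5. Because each round only XORs F's output into one half, the network is invertible whatever F does, which is why the same code decrypts when the round keys are reversed.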

Figure 4.6: DES construction of encryption and decryption

Figure 4.6: Details of DES single round

2. AES (Advanced Encryption Standard)
Advanced Encryption Standard (AES) is a specification for the encryption of electronic
data established by the U.S. National Institute of Standards and Technology (NIST) in
2001. AES is widely used today as it is much stronger than DES.
Assumptions
1. Plaintext is a 128-bit block.
2. It uses a key of 128, 192, or 256-bit length.
3. It uses 10-14 rounds depending on the key and block sizes. In the algorithm below we
are using 10 rounds and a key of 128-bit length.
4. All rounds are identical except for the last round, which has no Mix Columns stage.
Algorithm
1. The 128-bit plaintext is formed as 16 bytes m0 through m15, which are separately
permuted.
2. Substitute units indicated by S perform a byte-by-byte substitution of the blocks.
3. The ciphers, arranged in rows and columns, move through a permutation stage that
shifts rows and mixes columns, as illustrated in the sub-steps below.
a. The Shift Rows step operates on the rows of the state; it cyclically shifts the bytes
in each row by a certain offset. The first row is left unchanged. Each byte of the
second row is shifted one position to the left. Similarly, the third and fourth rows
are shifted by offsets of two and three respectively.
b. In the Mix Columns step, the four bytes of each column of the state are combined
using an invertible linear transformation. The Mix Columns function takes four
bytes as input and outputs four bytes, where each input byte affects all four output
bytes.
4. Now, all 16 blocks of ciphers are XORed with the 16 bytes of the round 1 key K0-K15.
5. The 128-bit key is also formed as 16 bytes K0 through K15.
The AES decryption algorithm is fairly simple and is basically the reverse of the
encryption algorithm. Substitution is an operation in which each character (byte) is
replaced by another character.
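The Shift Rows and Mix Columns sub-steps (3a and 3b) and their inverses, written out in Python as an added example (not code from the notes). The state is held as 4 rows by 4 columns of bytes, state[r][c]; Mix Columns multiplies each column by the fixed AES matrix in GF(2^8), and the inverse uses the inverse matrix, which is what makes the stage reversible for decryption. The sample state is constructed for the example.

```python
"""AES Shift Rows and Mix Columns on a 4x4 byte state, with inverses (added example)."""
from typing import List

State = List[List[int]]

# Fixed matrices of the Mix Columns stage and its inverse (FIPS 197).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def xtime(a: int) -> int:
    """Multiply a byte by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


def shift_rows(state: State) -> State:
    """Row r is rotated left by r bytes; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state: State) -> State:
    """Row r is rotated right by r bytes."""
    return [row[(4 - r) % 4:] + row[:(4 - r) % 4] for r, row in enumerate(state)]


def mix_column(col: List[int], matrix: List[List[int]] = MIX) -> List[int]:
    """Each output byte is a GF(2^8) linear combination of all four input bytes."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gmul(coef, byte)
        out.append(acc)
    return out


def mix_columns(state: State, matrix: List[List[int]] = MIX) -> State:
    cols = [[state[r][c] for r in range(4)] for c in range(4)]
    mixed = [mix_column(col, matrix) for col in cols]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(state: State) -> State:
    return mix_columns(state, INV_MIX)


def round_permutation(state: State) -> State:
    """Step 3: Shift Rows followed by Mix Columns."""
    return mix_columns(shift_rows(state))


def inverse_round_permutation(state: State) -> State:
    """Undo step 3 in reverse order, as AES decryption does."""
    return inv_shift_rows(inv_mix_columns(state))


def sample_state() -> State:
    """Constructed 4x4 state: byte r*4+c at row r, column c."""
    return [[r * 4 + c for c in range(4)] for r in range(4)]
```

The column [db, 13, 53, 45] (hex) is the standard Mix Columns test vector and maps to [8e, 4d, a1, bc]; applying the inverse matrix returns the original column, and the same holds for the whole state.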

Figure 4.7: Overview of AES protocol


4.4 Public-Key Encryption Protocols


1. RSA Algorithm
The RSA cryptosystem is a means of transporting information in a secure and encrypted
way. It is based on the principles of public key cryptography. That is, it uses two keys:
a Public Key and a Private Key.
Everyone involved in the communication generates two keys. One key, called the Public
Key, is sent to the other parties involved in the communication, and the other key, called
the Private Key, is kept secret. If someone wants to send you an encrypted message, he / she
must know your public key.
The RSA Algorithm was invented by Rivest, Shamir and Adleman of MIT in 1977. It is the
best known and most widely used public key scheme. This scheme has 3 phases.
1. Key Generation,
2. Encryption, and
3. Decryption.
Key Generation
1. Choose two large prime numbers (at least 256 bits each). Call these two
numbers p and q, such that p ≠ q.
2. Compute the system modulus n = p * q.
3. Euler's totient function is defined as the number of integers between 1 and n-1
that are relatively prime to n. It is written using the Greek letter phi as φ(n) or
Φ(n), and may also be called Euler's phi function. For n = p * q it is
Φ(n) = (p-1) (q-1).
4. Choose an encryption key e such that e and Φ(n) are relatively prime. That is, gcd
(e, Φ(n)) = 1.
5. Compute the decryption key d such that d = e^-1 mod Φ(n), that is,
e * d ≡ 1 (mod Φ(n)).
6. Now, the ordered pair (e, n) is your RSA Public Key (Encryption Key).
7. Now, the ordered pair (d, n) is your RSA Private Key (Decryption Key).
Encryption Algorithm
Given a message m < n the ciphertext c is,

Decryption Algorithm
Given the ciphertext c, the plaintext m is,

Example
1. Encrypt and decrypt the message m = 30 using the RSA algorithm, given p = 3
and q = 11.
Key Generation
1. Given p = 3 and q = 11
2. Compute n = p * q = 3 * 11 = 33
3. Compute Φ(n) = (p-1) (q-1) = (3-1) * (11-1) = 20
4. Find e such that gcd (e, Φ(n)) = 1; for e = 3, gcd (3, 20) = 1. ∴ e = 3
5. Find d such that d = e^-1 mod Φ(n): d = 3^-1 mod 20 = 7 (since 3 * 7 = 21 ≡ 1 mod 20)
6. Public Key = {3, 33}
7. Private Key = {7, 33}
Encryption
Given a message m =30, and n =33 (30 < 33)

Decryption
Given the ciphertext c, the plaintext m is,

2. Encrypt and decrypt a 4-bit message of 1001 or m = 9, using the RSA algorithm,
given p = 3 and q = 11.
3. Encrypt and decrypt a 4-bit message of 1101 or m = 13, using the RSA algorithm,
given p = 5 and q = 11.
4. Encrypt and decrypt a 4-bit message of 1000 or m = 4, using the RSA algorithm,
given p = 3 and q = 11.

Find GCD of 161 and 112

The GCD of 161 and 112 is 7.
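The RSA key generation, encryption and decryption steps, and Euclid's algorithm for the GCD, carried out in Python on the small numbers of Example 1 (p = 3, q = 11, m = 30) and the exercises above. This is an added example, not code from the notes; the encryption and decryption formulas it uses are the standard textbook ones, c = m^e mod n and m = c^d mod n, and d is obtained from the extended Euclidean algorithm. Primes this small are for illustration only.

```python
"""RSA key generation, encryption, decryption and Euclid's GCD (added example)."""
from typing import Optional, Tuple


def gcd(a: int, b: int) -> int:
    """Euclid's algorithm: replace (a, b) by (b, a mod b) until b is 0."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e: int, phi: int) -> int:
    """d = e^(-1) mod phi, i.e. e*d = 1 (mod phi); needs gcd(e, phi) = 1."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return x % phi


def generate_keys(p: int, q: int, e: Optional[int] = None):
    """Key generation steps 1-7. Returns ((e, n), (d, n))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n = p*q
    if e is None:                    # smallest e > 1 with gcd(e, phi) = 1
        e = next(c for c in range(2, phi) if gcd(c, phi) == 1)
    elif gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)


def encrypt(m: int, public_key: Tuple[int, int]) -> int:
    """c = m^e mod n; the message must be smaller than the modulus."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c: int, private_key: Tuple[int, int]) -> int:
    """m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def worked_example():
    """Example 1 of the notes: m = 30, p = 3, q = 11, e = 3."""
    public, private = generate_keys(3, 11, e=3)
    c = encrypt(30, public)
    return public, private, c, decrypt(c, private)


if __name__ == "__main__":
    print("keys, ciphertext, recovered plaintext:", worked_example())
    print("gcd(161, 112) =", gcd(161, 112))
```

With these keys m = 30 encrypts to c = 6 and decrypts back to 30. For exercise 3 (p = 5, q = 11) the same e = 3 still works because gcd(3, 40) = 1, and d becomes 27.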

2. Diffie-Hellman Key Exchange Algorithm


Whitfield Diffie and Martin Hellman devised an amazing solution to the problem of
key agreement or key exchange in 1976. This solution is called the Diffie-Hellman Key
Exchange / Agreement Algorithm. The beauty of this scheme is that the two parties, who
want to communicate securely, can agree on a symmetric key using this technique. This
key can then be used for encryption/decryption.
Algorithm
Let us assume that Alice and Bob want to agree upon a key to be used for encrypting /
decrypting messages that would be exchanged between them, using the following Diffie-
Hellman key exchange algorithm.

Diffie-Hellman Key Exchange Protocol

User A                                    User B
Generate random number x < n              Generate random number y < n
Calculate A = g^x mod n                   Calculate B = g^y mod n
Send A to User B  ---------------------->
                  <----------------------  Send B to User A
Calculate Key K1 = B^x mod n              Calculate Key K2 = A^y mod n

Here n (a large prime) and g are public values. Both sides arrive at the same key, since
K1 = (g^y)^x mod n = (g^x)^y mod n = K2, while x and y are never sent.

Figure 4.8: Diffie-Hellman Key Exchange protocol
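The exchange of Figure 4.8 run end to end in Python, as an added example that is not part of the notes. The public parameters n = 23, g = 5 and the secrets x = 4, y = 3 are constructed for illustration; real use needs a prime of at least 2048 bits and freshly generated secrets, which the random_private helper shows using the secrets module.

```python
"""Diffie-Hellman key agreement as in Figure 4.8 (added example)."""
import secrets
from typing import Dict, Tuple


def public_value(g: int, n: int, private: int) -> int:
    """A = g^x mod n for User A, or B = g^y mod n for User B."""
    return pow(g, private, n)


def shared_key(received: int, private: int, n: int) -> int:
    """K1 = B^x mod n for User A, K2 = A^y mod n for User B."""
    return pow(received, private, n)


def random_private(n: int) -> int:
    """Generate random number x < n (here 2 <= x <= n-2) from a CSPRNG."""
    return 2 + secrets.randbelow(n - 3)


def exchange(n: int, g: int, x: int, y: int) -> Tuple[int, int, int, int]:
    """Run the whole protocol and return (A, B, K1, K2)."""
    A = public_value(g, n, x)        # User A sends A
    B = public_value(g, n, y)        # User B sends B
    K1 = shared_key(B, x, n)         # User A calculates key
    K2 = shared_key(A, y, n)         # User B calculates key
    return A, B, K1, K2


def keys_agree(n: int, g: int, x: int, y: int) -> bool:
    """Both keys equal g^(xy) mod n, which is why the parties agree."""
    _, _, K1, K2 = exchange(n, g, x, y)
    return K1 == K2 == pow(g, x * y, n)


def observer_view(n: int, g: int, x: int, y: int) -> Dict[str, int]:
    """What someone watching the channel sees: n, g, A and B only."""
    A, B, _, _ = exchange(n, g, x, y)
    return {"n": n, "g": g, "A": A, "B": B}


if __name__ == "__main__":
    n, g = 23, 5                     # constructed public parameters
    x, y = random_private(n), random_private(n)
    print(exchange(n, g, x, y), observer_view(n, g, x, y))
```

With n = 23, g = 5, x = 4 and y = 3, User A sends A = 4, User B sends B = 10, and both compute the key 18.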

Example


4.5 Authentication
Authentication techniques are used to verify identity. Message authentication verifies
the authenticity of both the message content and the message sender. Message content is
authenticated using a hash function and encryption of the resulting message digest. The
sender's authenticity can be implemented by using a digital signature.
Hash Function
A hash function is a common technique for authenticating a message. It produces a
fingerprint of the message, also called a hash value or message digest. The hash value is
added at the end of the message before transmission. The receiver recomputes the hash
value from the received message and compares it to the received hash value. If the two
hash values are the same, the message was not altered during transmission.
A hash function H accepts a variable-length block of data M as input and produces a fixed-
size hash value h = H(M).
So, a hash function is any function that can be used to map data of arbitrary size to fixed-
size values. The values returned by a hash function are called hash values, hash codes,
message digests, simply hashes, fingerprints or the summary of a message.
Let us assume that we want to calculate the message digest of the number 7391753. Then
we multiply each digit in the number by the next digit (excluding any digit that is 0), and
if the result is a two-digit number we discard its first digit.

A hash function is called a cryptographic hash function if it satisfies the following
properties.
1. It is deterministic, meaning that for a given message, the hash value must always
be the same.
2. Given a hash value, it should be infeasible to find the original message; this
property is called the one-way property (it is not reversible).
3. For any given message M1, it is computationally infeasible to find an alternative
message M2 such that M2 produces the same hash value as M1,
that is H(M2) = H(M1); this is called weak collision resistance.
4. It should be computationally infeasible to find any two messages M1 ≠ M2 whose
hash values are the same, H(M1) = H(M2); this is called strong collision
resistance.
5. A small change to a message should change the hash value. This property is called
Confusion + Diffusion. That is, if a single bit in the input string is flipped, then each
bit of the hash value is flipped with probability roughly equal to 0.5.
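The digit-multiplication digest described above, implemented in Python as an added example (not code from the notes), together with two checks against the properties just listed: a search for a second input with the same digest (property 3) and a count of how many digest digits change when the input changes slightly (property 5). The rule is implemented as read here: digits equal to 0 are skipped, and only the last digit of each product is kept. The notes do not state the digest of 7391753; the code computes it.

```python
"""Toy digit-multiplication digest and why it is not a cryptographic hash (added example)."""
from typing import Optional, Tuple


def toy_digest(number: int) -> str:
    """Multiply each digit by the next one (skipping 0s); keep the last digit of each product."""
    digits = [int(ch) for ch in str(number) if ch != "0"]
    out = []
    for a, b in zip(digits, digits[1:]):
        out.append(str((a * b) % 10))     # 21 -> 1, 27 -> 7, 9 -> 9, ...
    return "".join(out)


def find_second_preimage(start: int, limit: int) -> Optional[Tuple[int, str]]:
    """Property 3 check: look for another number with the same digest as `start`.
    For a cryptographic hash this search should be infeasible; here it is trivial."""
    target = toy_digest(start)
    for candidate in range(start + 1, start + limit):
        if toy_digest(candidate) == target:
            return candidate, target
    return None


def digit_changes(x: int, y: int) -> int:
    """Property 5 check: how many digest positions differ between two inputs.
    A good hash changes about half its output for a one-digit input change."""
    dx, dy = toy_digest(x), toy_digest(y)
    return sum(1 for a, b in zip(dx, dy) if a != b) + abs(len(dx) - len(dy))


if __name__ == "__main__":
    print("digest of 7391753:", toy_digest(7391753))
    print("second preimage:", find_second_preimage(7391753, 100))
    print("digits changed for +1:", digit_changes(7391753, 7391754))
```

Changing the last digit from 3 to 4 alters only the last digest digit, and a second input with an identical digest is found two steps away: the toy digest fails properties 3 and 5, which is exactly what separates a checksum from a cryptographic hash.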
Message authentication can be implemented by two methods, as shown in the figure below.
1. Encryption: A hash function is applied to the message, and then the digest is
encrypted. This method authenticates both the message content and
the sender of the message.
2. No Encryption: No encryption is involved in the process of message authentication.
It only authenticates the content of the message, not the sender. This technique is more
popular in the security infrastructure of the Internet Protocol; among the hash algorithms
used are the MD5 hash algorithm and the Secure Hash Algorithm (SHA).

Figure 4.9: Message Authentication (a): with encryption, (b): without encryption

Secure Hash Algorithm (SHA)


The National Institute of Standards and Technology (NIST), along with the NSA, developed
the Secure Hash Algorithm (SHA). SHA works with any input message that is less than
2^64 bits in length. The output of SHA is a message digest or hash, which is 160 bits in
length. The word Secure in SHA was decided based on two features. SHA is designed to
make it computationally infeasible to
1. Obtain the original message, given its message digest, and
2. Find two messages producing the same message digest.

Working of SHA
Step 1, Padding: SHA first adds padding to the end of the original message in such a way
that the length of the message is 64 bits short of a multiple of 512. The padding consists
of a single 1 bit, followed by as many 0 bits as required.

Step 2, Append length: The length of the original message (excluding the padding) is
now calculated and appended to the end of the padding as a 64-bit block.

Step 3, Divide the Input Into 512-bit Blocks: The input message is now divided into blocks,
each of length 512 bits. These blocks become the input to the message-digest processing
logic.

Step 4, Initialize Chaining Variables: Now, five chaining variables A through E are
initialized, because we want to produce a message digest of length 160 bits (5 x 32 = 160
bits).

A   Hex 01 23 45 67
B   Hex 89 AB CD EF
C   Hex FE DC BA 98
D   Hex 76 54 32 10
E   Hex C3 D2 E1 F0
Step 5, Process Blocks: Now the actual algorithm begins.
Step 5.1: Copy the chaining variables A-E into variables a-e. The combination of a-e, called
abcde, will be considered as a single shift register for storing the temporary intermediate
as well as the final results. In the abstract view the register is the single value abcde; in
the internal view it is the five 32-bit words a, b, c, d, e.

Step 5.2: Now divide the current 512-bit block into 16 sub-blocks, each consisting of 32
bits.

Step 5.3: SHA has four rounds, each round consisting of 20 steps. Each round takes the
current 512-bit block, the register abcde, and a constant K[t] (where t = 0 to 79) as its
three inputs. It then updates the contents of the register abcde using the SHA algorithm
steps.

Figure: One SHA round, with the 16 sub-blocks, the constants K[t] and the register abcde
as inputs, and the updated register a b c d e as output.

Step 5.4: SHA consists of four rounds, each round containing 20 iterations. This makes
a total of 80 iterations. The logical operation of a single SHA iteration is shown below.


e = d
d = c
c = s30(b)            /* circular left shift of b by 30 bit positions */
b = a
a = (e + Process P + s5(a) + W[t] + K[t])
Here Process P is the round's logical function of b, c and d, s5(a) is a circular left shift
of a by 5 bit positions, and all right-hand sides use the register values from before the
iteration (so the new a is computed from the old e and the old a).

The values of W[t] are calculated as follows.
For the first 16 words of W (t = 0 to 15), the content of input message sub-block M[t]
becomes the content of W[t]. The remaining 64 values of W are derived from the following
equation.
W[t] = s1(W[t-16] XOR W[t-14] XOR W[t-8] XOR W[t-3])
where s1 indicates a circular left shift by 1 bit position.

Value of W[t]
For t = 0 to 15     W[t] = M[t]
For t = 16 to 79    W[t] = s1(W[t-16] XOR W[t-14] XOR W[t-8] XOR W[t-3])
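Steps 1 to 5 above assembled into a complete SHA (SHA-1) implementation in Python, as an added example that is not code from the notes; it is checked against Python's hashlib. The chaining variables are the standard 32-bit word values (the table in step 4 lists the same bytes in reverse order), and the constants K[t] and the Process P function for each group of 20 iterations are the standard ones from the SHA specification. Also included is an avalanche check for property 5: the number of digest bits that differ between two messages that differ in one character.

```python
"""SHA-1 step by step as described in the notes (added example, checked against hashlib)."""
import hashlib
import struct
from typing import List, Tuple

# Initial chaining variables A-E as 32-bit words.
H0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
MASK32 = 0xFFFFFFFF


def rotl(v: int, n: int) -> int:
    """Circular left shift s_n(v) of a 32-bit word."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def pad(message: bytes) -> bytes:
    """Steps 1-2: a 1 bit, 0 bits up to 64 short of a multiple of 512 bits,
    then the original length in bits as a 64-bit big-endian block."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def message_schedule(block: bytes) -> List[int]:
    """W[0..15] are the 16 sub-blocks (step 5.2); W[16..79] are derived."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 16] ^ w[t - 14] ^ w[t - 8] ^ w[t - 3], 1))
    return w


def process_p(t: int, b: int, c: int, d: int) -> Tuple[int, int]:
    """Round function (Process P) and constant K[t] for iteration t."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK32, 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def compress(chain: List[int], block: bytes) -> List[int]:
    """Step 5: copy A-E into a-e, run 80 iterations, add the result back."""
    a, b, c, d, e = chain
    w = message_schedule(block)
    for t in range(80):
        f, k = process_p(t, b, c, d)
        new_a = (e + f + rotl(a, 5) + w[t] + k) & MASK32   # uses old a and e
        a, b, c, d, e = new_a, a, rotl(b, 30), c, d         # e=d, d=c, c=s30(b), b=a
    return [(x + y) & MASK32 for x, y in zip(chain, (a, b, c, d, e))]


def sha1(message: bytes) -> str:
    """Step 3: split the padded input into 512-bit blocks and chain through them."""
    padded = pad(message)
    chain = H0[:]                                   # step 4
    for i in range(0, len(padded), 64):
        chain = compress(chain, padded[i:i + 64])
    return "".join(f"{h:08x}" for h in chain)


def matches_hashlib(message: bytes) -> bool:
    return sha1(message) == hashlib.sha1(message).hexdigest()


def bit_difference(m1: bytes, m2: bytes) -> int:
    """Avalanche check: number of differing bits between the two 160-bit digests."""
    return bin(int(sha1(m1), 16) ^ int(sha1(m2), 16)).count("1")


if __name__ == "__main__":
    print(sha1(b"abc"), matches_hashlib(b"abc"))
    print("bits changed between 'abc' and 'abd':", bit_difference(b"abc", b"abd"))
```

SHA-1 of the three-byte message "abc" is a9993e364706816aba3e25717850c26c9cd0d89d; a 200-byte message exercises the multi-block chaining. SHA-1 is shown here because it is the 160-bit algorithm the notes describe; it is no longer considered collision resistant, and new designs use SHA-2 or SHA-3.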


4.6 Authentication and Digital Signature

A digital signature is one of the most important required security measures. It is used
for the authentication and identification of the right sender. The digital signature is
supposed to be unique to an individual and serves as a means of identifying the sender.
The technical method of providing a sender's authentication is performed through
cryptography. Many cryptographic mechanisms have been developed. Among them is the
RSA algorithm, which implements both encryption and digital signature.
When RSA is applied, the message is encrypted with the sender's private key. Thus, the
entire encrypted message serves as a digital signature. The receiver can decrypt it using
the sender's public key. This authenticates that the packet comes from the right user.
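The private-key signing described above, shown in Python with the toy RSA keys from the example in section 4.4 (public key (3, 33), private key (7, 33)). This is an added example, not code from the notes. The signer raises the message digest to the private exponent; the receiver raises the signature to the public exponent and compares the result with the digest it computes itself, so any change to the message makes verification fail. Real signatures sign a hash of the message with padding; here the digest is simply an integer smaller than n.

```python
"""RSA digital signature with the toy keys from the RSA example (added example)."""
from typing import Tuple

PUBLIC_KEY = (3, 33)      # (e, n) from section 4.4's example
PRIVATE_KEY = (7, 33)     # (d, n) from section 4.4's example


def sign(digest: int, private_key: Tuple[int, int]) -> int:
    """Signature = digest^d mod n: 'encrypt' the digest with the private key."""
    d, n = private_key
    if not 0 <= digest < n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(digest, d, n)


def verify(digest: int, signature: int, public_key: Tuple[int, int]) -> bool:
    """Recover the digest with the public key and compare it to the received one."""
    e, n = public_key
    return pow(signature, e, n) == digest


def demo(digest: int = 30) -> Tuple[int, bool, bool]:
    """Sign a digest, verify it, and verify against a tampered digest."""
    signature = sign(digest, PRIVATE_KEY)
    genuine = verify(digest, signature, PUBLIC_KEY)
    tampered = verify(digest + 1, signature, PUBLIC_KEY)
    return signature, genuine, tampered


if __name__ == "__main__":
    print(demo())
```

With digest 30 the signature is 30^7 mod 33 = 24; raising 24 to the public exponent gives back 30, while the tampered digest 31 is rejected.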

4.7 Firewalls
A firewall protects data from the outside world. A firewall can be a software program
or a hardware device. A firewall may be a simple router implemented with a special
program. This unit is placed between the hosts of a certain network and the outside world,
as shown in the figure below.
The objective of such a configuration is to monitor and filter packets coming from
unknown sources, to protect the network from unwanted websites and potential
hackers, and also to control data traffic.
Software firewall programs can be installed on home computers that use an Internet
connection; with these so-called gateways, the home computers can access web servers
through the software firewall. Hardware firewalls are more secure than software
firewalls and are not expensive.
A firewall controls the flow of traffic by one of the following 3 methods.
1. Packet Filtering: Apart from forwarding packets between networks, a firewall
filters the packets that pass through it. A firewall can be programmed to
throw away certain packets addressed to a particular IP host or TCP port number.
2. Filtering the packets based on the source IP address: This is helpful when a host has
to be protected from any unwanted external packets.
3. Denial of Service: It controls the number of packets entering the network, to limit
flooding.
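A minimal packet-filtering firewall in Python that applies the three control methods just listed to a handful of constructed packets, as an added example (not code from the notes): dropping packets addressed to a protected host or a blocked TCP port (method 1), dropping packets from blocked source addresses (method 2), and limiting the number of packets accepted from one source within a time window (method 3). The addresses come from the documentation ranges and the timestamps are constructed.

```python
"""Toy packet-filtering firewall applying the three control methods (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    ts: float       # arrival time in seconds (constructed)


class Firewall:
    def __init__(self, blocked_sources: Iterable[str], blocked_tcp_ports: Iterable[int],
                 protected_hosts: Iterable[str], rate_limit: int = 5, window: float = 1.0):
        self.blocked_sources = set(blocked_sources)
        self.blocked_tcp_ports = set(blocked_tcp_ports)
        self.protected_hosts = set(protected_hosts)
        self.rate_limit, self.window = rate_limit, window
        self.history: Dict[str, List[float]] = defaultdict(list)  # src -> arrival times

    def decide(self, p: Packet) -> str:
        # Method 2: filter on the source IP address.
        if p.src in self.blocked_sources:
            return "DROP source blocked"
        # Method 1: throw away packets addressed to a protected host or TCP port.
        if p.dst in self.protected_hosts:
            return "DROP protected host"
        if p.proto == "tcp" and p.dport in self.blocked_tcp_ports:
            return "DROP blocked port"
        # Method 3: limit packets per source within the window (flood control).
        recent = [t for t in self.history[p.src] if p.ts - t < self.window]
        recent.append(p.ts)
        self.history[p.src] = recent
        if len(recent) > self.rate_limit:
            return "DROP rate limit"
        return "ACCEPT"


def run_sample() -> List[str]:
    """Constructed traffic: one packet per rule, then a burst from one source."""
    fw = Firewall(blocked_sources={"203.0.113.9"}, blocked_tcp_ports={23},
                  protected_hosts={"192.0.2.50"}, rate_limit=3, window=1.0)
    packets = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80, 0.0),   # normal web request
        Packet("203.0.113.9", "192.0.2.10", "tcp", 80, 0.1),    # blocked source
        Packet("198.51.100.7", "192.0.2.10", "tcp", 23, 0.2),   # telnet port blocked
        Packet("198.51.100.7", "192.0.2.50", "udp", 53, 0.3),   # protected host
    ] + [Packet("198.51.100.8", "192.0.2.10", "icmp", 0, 0.4 + i * 0.1)
         for i in range(5)]                                     # ICMP burst
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The burst from 198.51.100.8 shows the rate limit at work: three packets within the one-second window are accepted and the remaining two are dropped, which is the single-source flood case from section 4.1 handled at the network edge.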

Figure 4.10: A simple configuration of a secured network using a Firewall
