
Presentation

on
Network And Information Security
(22620)

By

Ms. Pritee H. Raut
(Assistant Professor)

COMPUTER ENGINEERING DEPARTMENT

G. H. RAISONI POLYTECHNIC, NAGPUR
UNIT-5
Network Security, Cyber Laws And
Compliance Standards

(MARKS-14)
Kerberos
 Kerberos is a network authentication protocol designed to provide strong authentication for client/server
applications by means of secret-key cryptography. Kerberos provides strong, centrally managed authentication
for access to network resources.

Here are the principal entities involved in the typical Kerberos workflow: (2m)
1. Client. The client acts on behalf of the user and initiates communication for a service request.
2. Server. The server hosts the service the user wants to access.
3. Authentication Server (AS). The AS performs the desired client authentication. If the authentication
succeeds, the AS issues the client a ticket called the TGT (Ticket Granting Ticket).
4. Key Distribution Center (KDC). In a Kerberos environment, the authentication server is logically separated
into three parts: a database (db), the Authentication Server (AS) and the Ticket Granting Server (TGS).
These three parts, in turn, exist in a single server called the Key Distribution Center.
5. Ticket Granting Server (TGS). The TGS is an application server that issues tickets for the server.
Working of Kerberos
Step-1:
The user logs in and requests a service on the host. The client therefore requests a ticket for the ticket-granting service (TGS).

Step-2:
The Authentication Server verifies the user's access rights using its database and creates a timestamp (the timestamp gives the
expiry date and time of the encrypted key; the default expiry time is 8 hours). It then issues a ticket-granting ticket (TGT) and a
session key.

Step-3:
The client then submits this ticket-granting ticket (TGT) to the ticket-granting service (TGS) for authentication.

Step-4:
If the TGS can authenticate the client, it sends the client credentials and a service ticket for the requested service.

Step-5:
The client sends a request to the application server (AP). This request includes the service ticket received in Step 4. If the
application server can authenticate this request, the client can access the server.

Step-6:
The server provides the requested services to the client.
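The six steps above, simulated end to end as an added example (constructed here, not part of the slides): an AS, a TGS and an application server share long-term keys through the KDC database, every ticket carries a session key and the 8-hour expiry the slides mention, and the failure modes a KDC must reject (wrong password, altered ticket, expired TGT) are exercised. The principal names, the HMAC/SHA-256 toy "encryption" and the 5-minute clock-skew window are assumptions standing in for the real Kerberos ciphers and message formats.

```python
import hashlib, hmac, json, os

TICKET_LIFETIME = 8 * 3600  # slides: default time stamp expiry is 8 hours

def _stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream XOR (constructed for this demo, not a real cipher)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON object under key and append an HMAC tag (encrypt-then-MAC)."""
    ct = _stream(key, json.dumps(obj).encode())
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; ValueError if the blob was altered or the key is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(_stream(key, ct))

# KDC database: long-term keys of the principals (constructed sample values).
KDC_DB = {
    "alice": hashlib.sha256(b"alice-password").digest(),  # derived from the user's password
    "krbtgt": os.urandom(32),                             # key of the ticket-granting service
    "fileserver": os.urandom(32),                         # key of the application server
}

def as_exchange(user: str, now: float):
    """Steps 1-2: the AS checks the user against its database, issues a TGT and a session key."""
    if user not in KDC_DB:
        raise PermissionError("unknown principal")
    sk_tgs = os.urandom(32)
    tgt = seal(KDC_DB["krbtgt"], {"user": user, "key": sk_tgs.hex(), "expires": now + TICKET_LIFETIME})
    # The session key goes back under the user's own key: only the real user can recover it.
    return tgt, seal(KDC_DB[user], {"key": sk_tgs.hex()})

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: float):
    """Steps 3-4: the TGS opens the TGT with its own key, checks expiry and the client's authenticator."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    if now > t["expires"]:
        raise PermissionError("TGT expired")
    sk_tgs = bytes.fromhex(t["key"])
    auth = unseal(sk_tgs, authenticator)  # only the holder of the session key can produce this
    if auth["user"] != t["user"] or abs(now - auth["time"]) > 300:  # 5 min clock-skew window
        raise PermissionError("bad authenticator")
    sk_svc = os.urandom(32)
    ticket = seal(KDC_DB[service], {"user": t["user"], "key": sk_svc.hex(), "expires": now + TICKET_LIFETIME})
    return ticket, seal(sk_tgs, {"key": sk_svc.hex()})

def app_server_accepts(service: str, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Steps 5-6: the AP decrypts the service ticket with its own key and checks the authenticator."""
    t = unseal(KDC_DB[service], ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator does not match ticket")
    return t["user"]  # the authenticated identity the service can now authorise

def client_login(user: str, password: str, service: str, now: float) -> str:
    """Client side of the whole workflow; returns the identity the application server accepted."""
    user_key = hashlib.sha256(password.encode()).digest()
    tgt, enc_sk = as_exchange(user, now)
    sk_tgs = bytes.fromhex(unseal(user_key, enc_sk)["key"])  # wrong password -> ValueError
    ticket, enc_svc = tgs_exchange(tgt, seal(sk_tgs, {"user": user, "time": now}), service, now)
    sk_svc = bytes.fromhex(unseal(sk_tgs, enc_svc)["key"])
    return app_server_accepts(service, ticket, seal(sk_svc, {"user": user, "time": now}), now)

def demo_checks(now: float = 1_700_000_000.0) -> dict:
    """Success path plus the failure modes the KDC must reject; returns labelled outcomes."""
    tgt, _ = as_exchange("alice", now)
    attempts = {
        "login": lambda: client_login("alice", "alice-password", "fileserver", now),
        "wrong_password": lambda: client_login("alice", "wrong", "fileserver", now),
        "tampered_tgt": lambda: tgs_exchange(bytes([tgt[0] ^ 1]) + tgt[1:], b"", "fileserver", now),
        "expired_tgt": lambda: tgs_exchange(tgt, b"", "fileserver", now + 9 * 3600),
    }
    out = {}
    for label, attempt in attempts.items():
        try:
            out[label] = attempt()
        except (ValueError, PermissionError) as exc:
            out[label] = f"rejected: {exc}"
    return out
```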


IPSec (IP Security)
 An IP packet carries its data in plain text, i.e., anyone watching the IP packet pass by can read the
data and can even change it. Some higher-level mechanisms exist to prevent such attacks.
 Hence there is a need to secure the network infrastructure from unauthorized monitoring. There is also
a need to control network traffic and to secure end-user-to-end-user traffic using authentication and
encryption mechanisms.
 IPSec is a protocol developed to support the secure exchange of packets at the IP layer. It provides
secure communication across a LAN, across private and public WANs, and across the Internet.
 The overall idea of IPSec is to encrypt and seal the transport- and application-layer data during
transmission.
IPSec Architecture
 The IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are
ESP (Encapsulating Security Payload) and AH (Authentication Header).

IPSec provides:
 Confidentiality
 Authentication
 Integrity
IP Security Architecture:
1. Architecture:
The Architecture (IP Security Architecture) document covers the general concepts, definitions, protocols, algorithms and security
requirements of IP Security technology.

2. ESP Protocol:
ESP (Encapsulating Security Payload) provides the confidentiality service. Encapsulating Security Payload is
implemented in either of two ways:
• ESP with optional Authentication.
• ESP with Authentication.

3. Encryption Algorithm:
The Encryption Algorithm document describes the various encryption algorithms used for Encapsulating Security
Payload.

4. AH Protocol:
The AH (Authentication Header) protocol provides both the Authentication and the Integrity service. Authentication Header is
implemented in one way only: Authentication along with Integrity.

5. Authentication Algorithm:
The Authentication Algorithm set of documents describes the authentication algorithms used for AH and for the
authentication option of ESP.

6. DOI (Domain of Interpretation):
The DOI is the identifier (approved encryption algorithms, authentication algorithms) that supports both the AH and ESP protocols. It
contains the values needed by the other documents to relate to each other.

7. Key Management:
The Key Management document describes how keys are exchanged between sender and receiver.
Simple Mail Transfer Protocol-
 SMTP is short for Simple Mail Transfer Protocol.
 It is an application layer protocol.
 It is used for sending emails efficiently and reliably over the Internet.

Working-

 The SMTP server is always in listening mode.
 The client initiates a TCP connection with the SMTP server.
 The SMTP server listens for a connection and accepts it on that port.
 The connection is established.
 The client informs the SMTP server that it would like to send a mail.
 Assuming the server is OK, the client sends the mail to its mail server.
 The client's mail server uses DNS to get the IP address of the receiver's mail server.
 Then SMTP transfers the mail from the sender's mail server to the receiver's mail server.
While sending the mail, SMTP is used two times-
 Between the sender and the sender's mail server
 Between the sender's mail server and the receiver's mail server

NOTE-
To receive or download the email, another protocol is needed between the receiver's mail server and the receiver.
The most commonly used protocols are POP3 and IMAP.

Characteristics of SMTP-
 SMTP is a push protocol.
 SMTP uses TCP at the transport layer.
 SMTP uses port number 25.
 SMTP uses persistent TCP connections, so it can send multiple emails at once.
 SMTP is a connection-oriented protocol.
 SMTP is an in-band protocol.
 SMTP is a stateless protocol.
 SMTP is a pure text-based protocol.

• SMTP can only handle messages containing 7-bit ASCII text.
• SMTP cannot transfer other types of data like images, video, audio etc.
• SMTP cannot transfer executable files and binary objects.
• SMTP cannot transfer text data of other languages like French, Japanese, Chinese etc.
• If an email is asked to be sent twice, the SMTP server resends it without indicating that the email has already been sent.

We cannot use SMTP at the receiver's side.
This is because-
• SMTP is a push protocol.
• At the receiver's side, a pull protocol like POP3 or IMAP is needed.
• The receiver periodically checks his mail server for new mail.

SMTP is not suitable for client authentication.
This is because-
• SMTP does not require authentication.
• It allows anyone on the Internet to send emails to anyone, or even to a large group of people.
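The dialogue described under Working, the 7-bit ASCII limit and the absence of authentication, simulated as an added example (constructed here, not from the slides): a toy server applies the SMTP command sequence and reply codes, refuses 8-bit message bodies and accepts any claimed sender, while mime_encode shows how non-English text is made 7-bit safe before it is handed to SMTP. The hostnames, addresses and the in-process call in place of a TCP connection are assumptions.

```python
import email.message
import email.policy


class ToySMTPServer:
    """Minimal SMTP state machine for the command sequence the slides describe (constructed demo)."""

    def __init__(self, hostname: str = "mail.example.com"):
        self.hostname, self.state, self.envelope, self.queue = hostname, "connected", None, []

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP ready"  # the server is always listening and speaks first

    def command(self, line: str) -> str:
        """One client command in, one reply code out; wrong order is refused with 503."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO" and self.state == "connected":
            self.state = "greeted"
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL" and self.state == "greeted":
            # Plain SMTP requires no authentication: any claimed sender address is accepted.
            self.envelope = {"from": arg.split(":", 1)[1].strip("<> "), "to": []}
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.envelope["to"].append(arg.split(":", 1)[1].strip("<> "))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.state = "closed"
            return f"221 {self.hostname} closing connection"
        return "503 Bad sequence of commands"

    def message(self, body: str) -> str:
        """Receive the message body; SMTP proper carries only 7-bit ASCII text."""
        if self.state != "data":
            return "503 Bad sequence of commands"
        self.state = "greeted"  # the persistent connection is ready for the next mail
        if not body.isascii():
            return "554 Transaction failed: 8-bit data must be MIME-encoded first"
        self.queue.append({**self.envelope, "body": body})
        return "250 OK: queued"


def send_mail(server: ToySMTPServer, sender: str, recipient: str, body: str) -> list:
    """Client side: connect, greet, envelope, DATA, QUIT; returns the server's replies in order."""
    transcript = [server.greeting()]
    for cmd in ("HELO client.example.org", f"MAIL FROM:<{sender}>", f"RCPT TO:<{recipient}>", "DATA"):
        transcript.append(server.command(cmd))
    transcript.append(server.message(body))
    transcript.append(server.command("QUIT"))
    return transcript


def mime_encode(text: str) -> str:
    """Wrap text in a MIME message whose wire form is pure ASCII (base64 body), so SMTP can carry it."""
    msg = email.message.EmailMessage()
    msg["Subject"] = "hello"
    msg.set_content(text, charset="utf-8", cte="base64")
    return msg.as_string()


def mime_decode(wire: str) -> str:
    """The receiving side undoes the MIME encoding to recover the original text."""
    return email.message_from_string(wire, policy=email.policy.default).get_content()
```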
Privacy Enhanced Mail (PEM)

 Privacy Enhanced Mail (PEM) is an email security standard that provides secure
electronic mail communication over the Internet. The security of email messages has
become extremely important nowadays. The Internet Architecture Board adopted PEM
in order to deal with the security issues of email.
The PEM mainly provides the following services –

Authentication-
Sender authentication allows the user to verify that the PEM message he has received is truly from the person who claims to
have sent it.

Confidentiality –
Confidentiality refers to the act of preventing unauthorized access to the information, hence protecting it. Confidentiality is
obtained in PEM by encrypting the messages using standard algorithms such as the Data Encryption Standard (DES).
DES in cipher block chaining mode is currently used by PEM.

Integrity –
Data integrity refers to the consistency of data throughout its life cycle. It is obtained by using a concept called the
message digest, where the message digest is a hash function that takes the message as input and converts it into an
image called the digest.
Working of PEM
PEM works in 4 main steps.
1. Canonical Conversion –
This step converts the message into a standard format that is independent of the computer
architecture and the operating system of the sender and the receiver. If the sender and receiver have different computer
architectures or operating systems, different message digests may be generated, because syntactical differences
from one operating system to another lead to different interpretations of the message.
2. Digital Signature –
In this step, the digital signature is generated by encrypting the message digest of the email message with the sender's
private key.
3. Encryption –
The encrypted message is generated by encrypting the original message and the digital signature together
with a symmetric key, as shown in the figure below. This step is crucial in order to obtain
confidentiality.
4. Base-64 Encoding –
This is the last step, where the binary output is transformed into character output.
Pretty Good Privacy (PGP)
 PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann.
 PGP was designed to provide all four aspects of security, i.e., privacy, integrity, authentication, and non-
repudiation in the sending of email.
 PGP uses a digital signature (a combination of hashing and public key encryption) to provide integrity,
authentication, and non-repudiation.
 PGP uses a combination of secret key encryption and public key encryption to provide privacy. Therefore,
we can say that the digital signature uses one hash function, one secret key, and two private-public key pairs.
 PGP is an open source and freely available software package for email security.
 PGP provides authentication through the use of digital signatures.
 It provides confidentiality through the use of symmetric block encryption.
 It provides compression by using the ZIP algorithm, and email compatibility using the radix-64 encoding
scheme.
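The four PEM steps (canonical conversion, digital signature, encryption, Base-64) and the PGP variant that adds compression, worked end to end as an added example serving both sections (constructed here; not the slides' code and not the PEM or PGP implementations): protect builds the message, unprotect verifies and unwraps it, and a message signed with the wrong private key is shown to fail verification. The primitives are stand-ins chosen so the script needs only the standard library, and they are not secure: textbook RSA over fixed Mersenne primes with no padding, a SHA-256 keystream XOR in place of DES-CBC or PGP's block ciphers, SHA-256 as the digest and zlib for the ZIP step.

```python
import base64, hashlib, zlib
from collections import namedtuple

RSAKey = namedtuple("RSAKey", "n e d")  # d is None for a public key

def toy_rsa_keypair(p: int, q: int) -> RSAKey:
    """Textbook RSA from two known primes (toy: fixed primes, no padding)."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return RSAKey(n, e, pow(e, -1, phi))

# Two constructed key pairs built from Mersenne primes, so the demo needs no prime search.
SENDER = toy_rsa_keypair(2**521 - 1, 2**127 - 1)   # signs with its private exponent
RECEIVER = toy_rsa_keypair(2**607 - 1, 2**89 - 1)  # recovers the session key with its private exponent

def public(key: RSAKey) -> RSAKey:
    return RSAKey(key.n, key.e, None)  # the part handed to the other party

def rsa_apply(exp: int, key: RSAKey, data: bytes) -> bytes:
    """data^exp mod n, as a fixed-width big-endian byte string."""
    width = (key.n.bit_length() + 7) // 8
    return pow(int.from_bytes(data, "big"), exp, key.n).to_bytes(width, "big")

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream), standing in for DES-CBC / PGP's block cipher."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def canonicalize(text: str) -> bytes:
    """Step 1: CRLF line ends, trailing blanks removed, UTF-8, so every platform digests the same bytes."""
    return ("\r\n".join(line.rstrip(" \t") for line in text.splitlines()) + "\r\n").encode("utf-8")

def protect(text: str, sender: RSAKey, receiver_pub: RSAKey, session_key: bytes, compress: bool = False) -> str:
    """PEM: canonicalize -> sign -> encrypt -> Base64.  compress=True inserts PGP's compression step."""
    canon = canonicalize(text)
    digest = hashlib.sha256(canon).digest()                         # message digest
    signature = rsa_apply(sender.d, sender, digest)                 # Step 2: sign with the sender's private key
    body = len(signature).to_bytes(2, "big") + signature + canon
    if compress:
        body = zlib.compress(body)                                  # PGP: compress before encrypting
    wrapped_key = rsa_apply(receiver_pub.e, receiver_pub, session_key)  # one-time key, readable by the receiver only
    cipher = keystream_xor(session_key, body)                       # Step 3: encrypt message + signature
    return base64.b64encode(wrapped_key + cipher).decode("ascii")   # Step 4: Base64 / radix-64

def unprotect(armored: str, receiver: RSAKey, sender_pub: RSAKey, compress: bool = False) -> bytes:
    """Reverse the pipeline; returns the canonical message or raises ValueError if the signature fails."""
    raw = base64.b64decode(armored)
    width = (receiver.n.bit_length() + 7) // 8
    session_key = rsa_apply(receiver.d, receiver, raw[:width])[-16:]  # drop the leading zero bytes
    body = keystream_xor(session_key, raw[width:])
    if compress:
        body = zlib.decompress(body)
    sig_len = int.from_bytes(body[:2], "big")
    signature, canon = body[2:2 + sig_len], body[2 + sig_len:]
    if rsa_apply(sender_pub.e, sender_pub, signature)[-32:] != hashlib.sha256(canon).digest():
        raise ValueError("signature check failed: altered in transit or not from the claimed sender")
    return canon

def signature_accepted(armored: str, receiver: RSAKey, sender_pub: RSAKey, compress: bool = False) -> bool:
    """True if the receiver can unwrap the message and the sender's signature verifies."""
    try:
        unprotect(armored, receiver, sender_pub, compress)
        return True
    except (ValueError, zlib.error):
        return False
```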
Public Key Infrastructure (6m)
 Public key infrastructure, or PKI, is the governing body behind issuing digital certificates. It helps to protect
confidential data and gives unique identities to users and systems. Thus, it ensures security in
communications.
 The public key infrastructure uses a pair of keys, the public key and the private key, to achieve security.
Public keys are prone to attacks, and thus an intact infrastructure is needed to maintain them.
COMPONENTS OF PKI

 Digital Certificates
 Certificate Authority
 Registration Authority
Digital Certificate
 A digital certificate is issued by a trusted third party and proves the sender's identity to the receiver and the receiver's
identity to the sender.
 A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity of the certificate
holder. The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other
identification information. A digital certificate is used to bind a public key to a particular individual or
entity.

A digital certificate contains:-
1. Name of the certificate holder.
2. Serial number, which is used to uniquely identify a certificate and the individual or entity identified by the
certificate.
3. Expiration dates.
4. Copy of the certificate holder's public key (used for decrypting messages and digital signatures).
5. Digital signature of the certificate issuing authority.
6. The digital certificate is also sent with the digital signature and the message.
Certificate Authority (CA)
 A certificate authority (CA) is a trusted entity that manages and issues security certificates and public keys
that are used for secure communication in a public network.
 The CA is part of the public key infrastructure (PKI), along with the registration authority (RA), which verifies
the information provided by the requester of a digital certificate.
 If the information is verified as correct, the certificate authority can then issue a certificate.
Registration Authorities (RA)
 A CA may use a third-party Registration Authority (RA) to perform the necessary checks on the person or
company requesting the certificate to confirm their identity.
 The RA may appear to the client as a CA, but it does not actually sign the certificate that is issued. The
specific authentication process used depends on the class of certificate being requested:

Classes of a Digital Certificate:
 Digital certificates can be divided into four broad categories. These are:
 Class 1: These can be obtained by providing only an email address.
 Class 2: These need more personal information.
 Class 3: These first check the identity of the person making the request.
 Class 4: These are used by organizations and governments.
Digital Certificate Structure
 Digital certificates are structured in conformance with the X.509 standard. This standard outlines the required fields that
comprise a certificate together with acceptable values for those fields.

The fields specified by X.509 are as follows:

 Issuing CA - The name of the certificate authority which issued the certificate.
 CA Digital Signature - The digital signature of the issuing certificate authority.
 Version Number - Specifies the version of X.509 to which the certificate conforms (at time of writing the current version
is 3). The version number is important because it defines which other fields are necessary in the certificate.
 Serial Number - A unique number identifying the specific certificate issued by a particular CA.
 Subject/Owner - The owner of the certificate. Possible values include a person, company, department, network device,
application etc.
 Owner's Public Key - The public key associated with the certificate and corresponding to the certificate owner's private
key.
 Validity Period - The dates during which the certificate is deemed to be valid.
 Certificate Usage - Specifies the approved uses of the certificate.
What is cybercrime?
 Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked
device.
 Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime
is carried out by individuals or organizations.
 Cybercrime that stops users using a machine or network, or prevents a business providing a software service to
its customers, is called a Denial-of-Service (DoS) attack.
Types of Cybercrime (2m)
Here are some specific examples of the different types of cybercrime:
 Email and internet fraud.
 Identity fraud (where personal information is stolen and used).
 Theft of financial or card payment data.
 Theft and sale of corporate data.
 Cyberextortion (demanding money to prevent a threatened attack).
 Ransomware attacks (a type of cyberextortion).
 Cyberespionage (where hackers access government or company data).
What is Hacking?
 Hacking is the activity of identifying weaknesses in a computer system or network and exploiting them
to gain access to personal data or business data. An example of computer hacking is using a
password-cracking algorithm to gain access to a computer system.

Who is a Hacker?
 A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain
access. Hackers are usually skilled computer programmers with knowledge of computer security.
Types of Hackers
 Hackers are classified according to the intent of their actions. The following list classifies types of hackers
according to their intent:

1. White hat hacker or Ethical Hacker (White hat): A security hacker who gains access to systems with a view to fixing the
identified weaknesses. They may also perform penetration testing and vulnerability assessments.

2. Black hat hacker or Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain.
The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts etc.

3. Grey hat hacker (Grey hat): A hacker who is in between ethical and black hat hackers. He/she
breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the
system owner.

4. Script kiddies: A non-skilled person who gains access to computer systems using ready-made tools.

5. Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually
done by hijacking websites and leaving the message on the hijacked website.

6. Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of computers.
Digital Forgery
 Digital forgery (or digital tampering) is the process of manipulating documents or images with the intent of
financial, social or political gain.
 Creating a fake copy or imitation of a document or an object with the intention to deceive is called forgery.
 It can involve everything from forging a signature, faking a masterpiece or creating a cheap replica of an
expensive original device to faking government documents like a licence, birth certificate etc.
 Marketplaces are full of convincing fakes of expensive original items like designer shoes, clothes etc. All
of these fakes can be called forgeries.
 Digital forgery involves creating the same fakes in electronic form.
Cyberstalking (2m)

 Cyberstalking is a crime in which the attacker harasses a victim using electronic communication, such as
e-mail or instant messaging (IM), or messages posted to a website or a discussion group.
 Though cyberstalking does not involve physical contact, it is still considered a crime. The offence is much
more serious when a minor child is the victim.
 Ex- Repeated and unwanted communications through phone calls, mail, emails, or social media sites.
Following the victim to work, school, home, or other places they frequently visit. ... Repeatedly sending
the victim unwanted gifts. Posting information, or spreading rumours.
 There is no unified legal approach to cyberstalking, but many governments have moved toward making these
practices punishable by law.
Copyright, Patent, Trademark (2m)

 A patent protects new inventions, processes, or scientific creations.
 A trademark protects brands, logos, and slogans.
 A copyright protects original works of authorship.
Cyber Pornography
 Cyber pornography means publishing, distributing or designing pornography by
using cyberspace.
 Cyber pornography is the act of using cyberspace to create, display, distribute, import, or
publish pornography or obscene materials, especially materials depicting children
engaged in sexual acts with adults.
Information Technology Act, 2000

Cyber pornography is banned in many countries but legalized in some. Cyber pornography is neither banned nor legalised
under the IT Act, 2000. The IT Act prohibits the production and distribution of cyber pornography but does not prohibit the
viewing or downloading of pornographic content if it is not child pornography.

SECTION 67

Section 67 of the Information Technology Act, 2000 makes the following acts punishable with imprisonment up to 3 years and
a fine up to 5 lakhs:

• Publication – It includes uploading of pornographic content to a website, WhatsApp group or any other digital portal
where third parties can have access to such pornographic content.

• Transmission – It means to send obscene material to any person electronically.

• Causing to be published or transmitted – It is a comprehensive term which would end up making the intermediary
portal liable, using which the offender has published or transmitted such obscene content. The Intermediary Guidelines
under the Information Technology Act put an onus on the Intermediary/Service Provider to exercise due diligence to ensure
that their portal is not being misused.
SECTION 67A

Section 67A of the Information Technology Act makes the publication, transmission, and causing to be transmitted or published,
of any material containing a sexually explicit act or conduct punishable with imprisonment up to 5 years and a fine up to ₹10
lakhs.

The following conclusions can be drawn from the above provisions:

1. Viewing Cyber pornography is legal in India. Merely downloading and viewing such content does not amount to an
offence.

2. Publication of pornographic content online is illegal.

3. Storing Cyber pornographic content is not an offence.

4. Transmitting cyber pornography via instant messaging, emails or any other mode of digital transmission is an offence.
Child Pornography

Section 67B of the IT Act, 2000 makes publishing, transmitting, viewing or downloading child pornography illegal.
The fact that the internet has made child pornography more accessible to distributors, as well as to collectors,
cannot be denied.

According to Section 67B, any person who has not attained the age of 18 years is a child. It further states that the offence of
child pornography can be committed in the following five ways:

1. By publishing or transmitting, or causing to be published or transmitted, any material electronically that depicts children
engaged in a sexually explicit act or conduct.
2. By depicting children in an obscene or sexually explicit manner.
3. By inducing children into an online relationship with one or more children for a sexually explicit act, or in a
manner that may offend a reasonable adult, on a computer resource.
4. By facilitating child abuse online.
5. By recording one's own abuse, or that of others, pertaining to sexually explicit acts with others.
Cyber Terrorism
 Cyber terrorism can also be defined as the intentional use of computers, networks and the public Internet to
cause destruction and harm for personal objectives.
 Experienced cyber terrorists, who are very skilled in terms of hacking, can cause massive damage to
government systems, hospital records and national security programs.
 There is much concern from government and media sources about the potential damage that could be
caused by cyber terrorism, and this has prompted efforts by government agencies such as the Federal
Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA) to put an end to cyber
attacks and cyber terrorism.

 Ex- an international cyber terrorist accessing and disabling or modifying the signals that control military
technology.
Cyber Defamation
 Defamation can be understood as the wrongful and intentional publication of something, in either written
or oral form, about a person in order to harm his reputation in society.
 Cyber defamation involves defaming a person through a new and far more effective method, such as the use
of modern electronic devices.
 It refers to the publishing of defamatory material against any person in cyberspace or with the help of
computers or the Internet.
 If a person publishes any kind of defamatory statement against another person on a website, or sends e-mails
containing defamatory material to the person about whom the statement has been made, it would amount to
cyber defamation.
Cyber Law
 Cyber law is like any other legal rule or policy that should be followed in our day-to-day life to stay out of any
kind of trouble. These laws are formed by keeping several issues in consideration, such as our society, morals,
computer ethics, etc. The only difference is that cyber law applies to the Internet and Internet-related
technologies only.
 Cyber law is formed to maintain discipline and justice in the cyber world. This area of the legal system was
introduced because crime related to computers and other technology was increasing rapidly.
 These types of crimes did not fall under any existing legal category; therefore a separate
section was formed, named Cyber Law.
 Cyber laws help to reduce or prevent cybercriminal activities on a large scale by
protecting information from access by unauthorized people, and cover freedom of speech related to the use of the Internet,
privacy, communications, email, websites, intellectual property, and hardware and software such as data storage
devices.
Need of Cyber Law
 Like any law, a cyber law is created to help protect people and organizations on the Internet from malicious
people on the Internet and to help maintain order. If someone breaks a cyber law or rule, it allows another person or
organization to take action against that person or have them sentenced to a punishment.

Areas of Cyber Law:
1. Fraud
2. Copyright
3. Defamation
4. Harassment and Stalking
5. Freedom of Speech
ISO 27001
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An
ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's
information risk management processes.

What is the purpose of ISO 27001?

 ISO 27001 was developed to help organizations of any size or industry to protect their information in a systematic and cost-
effective way, through the adoption of an Information Security Management System (ISMS).

 ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.
Why is ISO 27001 important?

Not only does the standard provide companies with the necessary know-how for protecting their most valuable information,
but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it
safeguards their data.

What are the 3 ISMS security objectives?

The basic goal of ISO 27001 is to protect three aspects of information:
 Confidentiality: only the authorized persons have the right to access information.
 Integrity: only the authorized persons can change the information.
 Availability: the information must be accessible to authorized persons whenever it is needed.

What is an ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
• identify stakeholders and their expectations of the company in terms of information security
• identify which risks exist for the information
• define controls (safeguards) and other mitigation methods to meet the identified expectations and handle the risks
• set clear objectives on what needs to be achieved with information security
• implement all the controls and other risk treatment methods
• continuously measure whether the implemented controls perform as expected
• make continuous improvements to make the whole ISMS work better
ISO 20000

 ISO 20000 is the international standard for IT Service
Management (ITSM), published by ISO (the International Organization for
Standardization) and the IEC (the International Electrotechnical Commission). The standard
describes a set of management processes designed to help you deliver more
effective IT services.
 The information technology service management system complies with the
requirements mentioned in the clauses of ISO 20000-1:2018. ISO 20000 gives
you the methodology and the framework to help you manage your ITSM, while
allowing you to prove your company follows best practice. With the requirements
of the standard you will achieve best practice, helping to improve your delivery of
IT services.
