CC Unit 6-1

The document describes computer network security and communication. It discusses five security services including message confidentiality, integrity, authentication, nonrepudiation, and entity authentication. It also describes IPSec protocols that provide security at the network layer, including the transport and tunnel modes as well as the Authentication Header and Encapsulating Security Payload protocols. Finally, it discusses SSL/TLS protocols that provide security at the transport layer.

COMPUTER COMMUNICATION

EC 407

Downloaded From [Link]

Syllabus

References

UNIT 6
Masquerade: an attacker pretends to be a legitimate entity, for example by forging the source of a message or replaying captured authentication data, in order to obtain the access or privileges of the impersonated party.
31-1 SECURITY SERVICES

Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.

Topics discussed in this section:

Message Confidentiality
Message Integrity
Message Authentication
Message Nonrepudiation
Entity Authentication

Figure 31.1 Security services related to the message or entity


32-1 IPSecurity (IPSec)

IPSecurity (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level.

Topics discussed in this section:

Two Modes
Two Security Protocols

Figure 32.2 TCP/IP protocol suite and IPSec at Network Layer

Figure 32.3 Transport mode and tunnel modes of IPSec protocol

Note

IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer. More precisely, ESP in transport mode leaves the IP header unprotected, while AH in transport mode also authenticates the fields of the IP header that do not change in transit (fields such as TTL and the header checksum, which routers modify, are excluded from the check).


Figure 32.4 Transport mode in action

Host-to-host protection of data

Authentication and encryption at the sender side
Authentication and decryption at the receiver side

Figure 32.5 Tunnel mode in action

Tunnel mode takes the whole IP packet, including its header, applies the IPSec protection to it, and then adds a new IP header in front of the result.
Used between a host and a router, or between two routers (for example, a gateway-to-gateway VPN, where the inner addresses are private and only the gateway addresses appear in the outer header).

Note

IPSec in tunnel mode protects the original IP header.


Figure 32.6 Authentication Header (AH) Protocol in transport mode

Note

The AH Protocol provides source authentication and data integrity, but not privacy.

Authentication Header Protocol (AHP)

Purpose: to authenticate the source host and to ensure the integrity of the payload. AH inserts an authentication header carrying a Security Parameter Index (SPI) that identifies the security association, a sequence number used for replay protection, and an integrity check value (ICV) computed with a keyed hash over the packet.

A hash algorithm is a function that converts a data string into a fixed-length output; the output is generally much smaller than the original data. AH does not use the hash on its own: the ICV is a keyed MAC (HMAC, for example HMAC-SHA1-96 or HMAC-SHA-256-128), so only a party holding the shared key of the security association can produce a valid value. An unkeyed hash would give integrity against accidental corruption but no source authentication, since anyone could recompute it.


Note

Encapsulating Security Payload (ESP)

ESP provides source authentication, data integrity, and privacy.

Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode

ESP in transport mode: an ESP header (SPI and sequence number) is inserted after the IP header; the transport-layer payload is encrypted together with an ESP trailer (padding, pad length, next header); an authentication data field is appended at the end. The encryption covers the payload and the trailer; the authentication covers the ESP header, the payload and the trailer, but not the IP header.

Table 32.1 IPSec services
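The AH processing described above, worked through in code. This is an added example, not code from the slides or from any IPSec implementation: it builds a minimal IPv4 packet, adds an AH header in transport and in tunnel mode, computes the ICV as HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 construction of RFC 4868) with the mutable header fields zeroed as RFC 4302 requires, and verifies it on the receiving side. The key, SPI and addresses are constructed values standing in for what a real security association would supply.

```python
import hashlib
import hmac
import socket
import struct

# Constructed for the example: in a real stack the key and SPI come from the
# security association (SA) negotiated by IKE, not from constants.
AH_KEY = bytes(range(32))          # assumed 256-bit HMAC key of the SA
SPI = 0x00001000                   # assumed Security Parameter Index
ICV_LEN = 16                       # HMAC-SHA-256-128: tag truncated to 128 bits
IPPROTO_TCP, IPPROTO_IPIP, IPPROTO_AH = 6, 4, 51
IP_FMT = "!BBHHHBBH4s4s"           # 20-byte IPv4 header without options


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header with a valid header checksum."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header except the fields that legitimately change in
    transit (RFC 4302 3.3.3.1): TOS/DSCP, flags+fragment offset, TTL, checksum."""
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f)


def _ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    # ICV = HMAC(IP header with mutable fields zeroed || AH with ICV zeroed || payload)
    covered = _zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(AH_KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(src: str, dst: str, next_header: int, payload: bytes, seq: int) -> bytes:
    """Transport mode: [IP][AH][payload]. The original IP header is kept and its
    immutable fields are bound by the ICV."""
    ah_len = 12 + ICV_LEN                       # fixed AH fields + ICV
    payload_len_words = ah_len // 4 - 2         # AH 'Payload Len' field (RFC 4302)
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len_words, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    return ip_hdr + ah_no_icv + _ah_icv(ip_hdr, ah_no_icv, payload) + payload


def ah_tunnel(outer_src: str, outer_dst: str, inner_packet: bytes, seq: int) -> bytes:
    """Tunnel mode: [outer IP][AH][original IP packet]. The whole original packet,
    header included, becomes the protected payload (next header = IP-in-IP)."""
    return ah_transport(outer_src, outer_dst, IPPROTO_IPIP, inner_packet, seq)


def ah_verify(packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_AH or len(rest) < 12 + ICV_LEN:
        return False
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(_ah_icv(ip_hdr, ah_no_icv, payload), icv)


def _rewrite_header(packet: bytes, **fields) -> bytes:
    """Simulate an on-path change: a router decrementing TTL (legitimate) or an
    attacker changing the destination (not). The checksum is fixed up either way."""
    f = list(struct.unpack(IP_FMT, packet[:20]))
    idx = {"ttl": 5, "dst": 9}
    for name, val in fields.items():
        f[idx[name]] = socket.inet_aton(val) if name == "dst" else val
    f[7] = 0
    hdr = struct.pack(IP_FMT, *f)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + packet[20:]


if __name__ == "__main__":
    pkt = ah_transport("10.0.0.1", "10.0.0.2", IPPROTO_TCP, b"TCP segment", seq=1)
    print("transport, as sent:       ", ah_verify(pkt))
    print("after router TTL change:  ", ah_verify(_rewrite_header(pkt, ttl=63)))
    print("after dst address change: ", ah_verify(_rewrite_header(pkt, dst="10.0.0.3")))
```

The TTL rewrite passes verification and the destination rewrite fails it, which is exactly the line the note above draws: AH binds the parts of the IP header that must not change, and nothing in it hides the payload.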


SSL/TLS

Figure 32.14 Location of SSL and TLS in the Internet model

SSL - Secure Sockets Layer protocol
TLS - Transport Layer Security

SSL - Secure Sockets Layer protocol

Used to provide security (and, in older versions, optional compression) for data generated by the application layer.
It receives data from the application, normally from HTTP.
The data is fragmented, optionally compressed, protected with a MAC, and encrypted.
The result is then passed to TCP.

SSL 3.0 and TLS 1.0/1.1 are deprecated (RFC 7568 and RFC 8996); new deployments should use TLS 1.2 or 1.3. TLS 1.3 removed compression entirely, because compressing plaintext that an attacker can partly control leaks secrets (the CRIME attack), and replaced the separate MAC-then-encrypt steps with authenticated encryption (AEAD) ciphers.

A Message Authentication Code (MAC) is the output of a keyed function, typically a keyed hash such as HMAC, used to determine whether the input data has been modified. Unlike a plain hash, it cannot be recomputed by an attacker who does not hold the key.


Security Parameters

Cipher Suite and Cryptographic secrets

Note

The client and the server have six different cryptographic secrets: a client write MAC key, a server write MAC key, a client write encryption key, a server write encryption key, a client write IV, and a server write IV. Each direction of the connection uses its own MAC key, encryption key and IV.

Figure 32.15 Creation of cryptographic secrets in SSL

The pre-master secret agreed during the handshake is combined with the client and server random values to produce the master secret. The master secret is then expanded, again with the two random values, into a key block from which the six secrets above are cut.

Figure 32.16 Four SSL protocols

Handshake Protocol, ChangeCipherSpec Protocol, Alert Protocol, and Record Protocol.


TLS

Introduction
TLS Record Protocol
TLS Handshake Protocol
Summary

Introduction

Transport Layer Security (TLS)
TLS provides transport layer security for Internet applications.
It provides confidentiality and data integrity over a connection between two end points.
TLS operates on a reliable transport, such as TCP, and is itself layered into
TLS Record Protocol
TLS Handshake Protocol

TLS Record Protocol

The TLS Record Protocol layers on top of a reliable, connection-oriented transport such as TCP.
The TLS Record Protocol
provides data confidentiality using symmetric-key cryptography
provides data integrity using a keyed message authentication code (MAC)
The keys are generated uniquely for each session, based on the security parameters agreed during the TLS handshake.

Basic operation of the TLS Record Protocol (sender)
1. read messages for transmission
2. fragment messages into manageable chunks of data (at most 2^14 bytes each)
3. compress the data, if compression is negotiated (not available in TLS 1.3)
4. calculate a MAC
5. encrypt the data
6. transmit the resulting data to the peer

At the opposite end of the TLS connection, the basic operation of the sender is replicated, but in the reverse order:
1. read received data from the peer
2. decrypt the data
3. verify the MAC
4. decompress the data, if compression was negotiated
5. reassemble the message fragments
6. deliver the message to upper protocol layers
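The two pieces of the record layer just described, the creation of the six cryptographic secrets (Figure 32.15) and the MAC-then-encrypt pipeline with its reverse on the receiving side, worked through in code. This is an added example, not code from the slides or from any TLS library. It implements the TLS 1.2 PRF (P_SHA256 of RFC 5246) and key expansion exactly, but the master secret and the two random values are constructed constants rather than the output of a handshake, and the cipher is a stand-in counter-mode keystream built from SHA-256 so the example has no dependencies; a real stack would use the negotiated AES mode there.

```python
import hashlib
import hmac
import struct

# Constructed values for the example. In real TLS the master secret comes from the
# handshake key exchange and the randoms from ClientHello/ServerHello.
MASTER_SECRET = hashlib.sha384(b"demo master secret").digest()   # 48 bytes, as in TLS
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
MAC_LEN, KEY_LEN, IV_LEN = 32, 16, 16          # HMAC-SHA256 MAC, 128-bit key and IV
CONTENT_APPDATA = 23
VERSION = b"\x03\x03"                            # TLS 1.2 record-layer version
MAX_FRAGMENT = 2 ** 14


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_secrets(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion into the six per-direction secrets (RFC 5246 section 6.3)."""
    key_block = p_hash(master_secret, b"key expansion" + server_random + client_random,
                       2 * (MAC_LEN + KEY_LEN + IV_LEN))
    layout = [("client_write_MAC_key", MAC_LEN), ("server_write_MAC_key", MAC_LEN),
              ("client_write_key", KEY_LEN), ("server_write_key", KEY_LEN),
              ("client_write_IV", IV_LEN), ("server_write_IV", IV_LEN)]
    secrets, pos = {}, 0
    for name, size in layout:
        secrets[name] = key_block[pos:pos + size]
        pos += size
    return secrets


def _keystream(key: bytes, iv: bytes, seq: int, n: int) -> bytes:
    """Stand-in stream cipher for the demo: SHA-256 in counter mode keyed by the
    write key, IV and record sequence number. Not a TLS cipher suite."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack("!QI", seq, ctr)).digest()
        ctr += 1
    return out[:n]


def _mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    # MAC input (RFC 5246 6.2.3.1): seq_num || type || version || length || fragment.
    # Binding the sequence number is what makes a replayed record fail verification.
    hdr = struct.pack("!QB2sH", seq, CONTENT_APPDATA, VERSION, len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha256).digest()


def _keys(secrets: dict, sender: str):
    return (secrets[f"{sender}_write_MAC_key"], secrets[f"{sender}_write_key"],
            secrets[f"{sender}_write_IV"])


def protect(secrets: dict, sender: str, seq: int, fragment: bytes) -> bytes:
    """Sender side of the record layer: (no compression) -> MAC -> encrypt -> record."""
    mac_key, key, iv = _keys(secrets, sender)
    body = fragment + _mac(mac_key, seq, fragment)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, iv, seq, len(body))))
    return struct.pack("!B2sH", CONTENT_APPDATA, VERSION, len(ct)) + ct


def unprotect(secrets: dict, sender: str, seq: int, record: bytes):
    """Receiver side, in reverse: decrypt -> verify MAC -> deliver; None on any failure.
    The receiver reads with the *sender's* write keys."""
    ctype, ver, ln = struct.unpack("!B2sH", record[:5])
    ct = record[5:]
    if ctype != CONTENT_APPDATA or ver != VERSION or len(ct) != ln or ln < MAC_LEN:
        return None
    mac_key, key, iv = _keys(secrets, sender)
    body = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, seq, len(ct))))
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, fragment)):
        return None
    return fragment


def send_stream(secrets: dict, sender: str, data: bytes, first_seq: int = 0) -> list:
    """Step 2 of the sender pipeline: fragment application data into records,
    each with its own sequence number."""
    return [protect(secrets, sender, first_seq + i, data[off:off + MAX_FRAGMENT])
            for i, off in enumerate(range(0, len(data), MAX_FRAGMENT))]
```

Replaying a record under a different sequence number, reading it with the wrong direction's keys, or flipping one ciphertext byte all make unprotect return None; this is the MAC verification in step 3 of the receiver doing its job.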


TLS Handshake Protocol

The TLS Handshake Protocol is layered on top of the TLS Record Protocol.
The TLS Handshake Protocol is used to
authenticate the client and the server,
exchange cryptographic keys, and
negotiate the encryption and data-integrity algorithms to be used
before the applications start to communicate with each other.


Summary

The TLS protocol provides transport layer security for Internet applications: confidentiality using symmetric-key cryptography and data integrity using a keyed MAC.
It also includes functionality for client and server authentication using public-key cryptography.

Figure 32.17 Handshake Protocol

Figure 32.18 Processing done by the Record Protocol


32-3 PGP

One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Topics discussed in this section:

Security Parameters
Services
A Scenario
PGP Algorithms
Key Rings

Figure 32.19 Position of PGP in the TCP/IP protocol suite

Note

In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.


Services

Plain text (simplest case)

Message authentication
Alice creates a digest of the message and signs it with her private key. Bob verifies the signature with Alice's public key.

Compression

Confidentiality with a one-time session key
Alice, the sender, creates a session key, uses the session key to encrypt the message and the digest, encrypts this session key with Bob's public key, and sends it along with the message.

Code conversion: to convert characters not in ASCII (the binary output is radix-64 encoded so that it passes through e-mail systems unchanged)

Segmentation (long messages are split into pieces that fit e-mail size limits)

Figure 32.20 A scenario in which an e-mail message is authenticated and encrypted


Sender Side
1. Alice creates a one-time session key for the symmetric cipher. The session key is encrypted with Bob's public key, and the identity of the public-key algorithm used is added to the result.
2. Alice computes a digest of the message and signs it with her private key; the identities of the hash and signature algorithms are added.
3. The message and the signed digest are encrypted with the session key, and the identity of the symmetric algorithm is added. The encrypted session key and the encrypted message, with the algorithm identifiers, are sent to Bob.

Receiver Side
1. Bob decrypts the session key with his private key.
2. Bob uses the session key to decrypt the message and the signed digest.
3. Bob verifies the signature with Alice's public key and compares the recovered digest with a fresh digest of the decrypted message.


Table 32.4 PGP Algorithms

Figure 32.21 Rings

PGP keeps two key rings: a private key ring holding the user's own key pairs, and a public key ring hol the public keys of other users together with their certificates and the trust assigned to each.

Note

In PGP, there can be multiple paths from fully or partially trusted authorities to any subject.
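The note above is the heart of PGP's web of trust: a key in the public ring is accepted as valid when enough trusted introducers have certified it, and the certification chains from the ring's owner to a subject may run along several paths. The following is an added example, not code from the slides or from any PGP implementation. It applies the classic PGP/GnuPG validity rule (one fully trusted introducer, or two marginally trusted ones, within a bounded chain length) to a constructed key ring and lists the certification paths to a subject; the key holders, owner-trust values and certifications are all made up for the illustration.

```python
from collections import defaultdict

# Constructed key ring (not from the slides). OWNER_TRUST records how far the
# ring's owner (Alice) trusts each key holder to *introduce* other keys;
# CERTIFICATIONS are (signer, subject) pairs: the signer has signed the subject's key.
OWNER_TRUST = {"alice": "ultimate", "bob": "full", "carol": "marginal",
               "dave": "marginal", "eve": "none"}
CERTIFICATIONS = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "frank"),                        # one fully trusted introducer
    ("carol", "grace"), ("dave", "grace"),   # two marginally trusted introducers
    ("carol", "heidi"),                      # only one marginal introducer
    ("eve", "mallory"),                      # introducer with no trust
    ("frank", "ivan"),                       # valid key, but no owner trust assigned
]


def _signers_of(certifications):
    index = defaultdict(set)
    for signer, subject in certifications:
        index[subject].add(signer)
    return index


def compute_key_validity(owner_trust, certifications, completes_needed=1,
                         marginals_needed=2, max_depth=5):
    """Classic PGP/GnuPG rule: a key is valid if it is certified by at least
    `completes_needed` fully trusted *valid* keys OR `marginals_needed` marginally
    trusted *valid* keys, within `max_depth` certification steps of an ultimately
    trusted key. Returns {key: depth} for the valid keys; invalid keys are absent."""
    signers_of = _signers_of(certifications)
    keys = set(owner_trust) | {s for s, _ in certifications} | {t for _, t in certifications}
    depth = {k: 0 for k, t in owner_trust.items() if t == "ultimate"}
    changed = True
    while changed:                      # iterate to a fixed point: validity propagates
        changed = False
        for subject in keys - set(depth):
            full = marginal = 0
            best = None
            for signer in signers_of[subject]:
                d = depth.get(signer)
                if d is None or d >= max_depth:
                    continue            # signer's own key is not valid, or chain too long
                trust = owner_trust.get(signer, "none")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                else:
                    continue            # a valid key with no introducer trust counts for nothing
                best = d + 1 if best is None else min(best, d + 1)
            if full >= completes_needed or marginal >= marginals_needed:
                depth[subject] = best
                changed = True
    return depth


def certification_paths(owner_trust, certifications, subject, max_depth=5):
    """All certification chains from an ultimately trusted key down to `subject`:
    the 'multiple paths' the note refers to."""
    signers_of = _signers_of(certifications)
    paths = []

    def walk(key, path):
        if len(path) > max_depth + 1:
            return
        if owner_trust.get(key) == "ultimate":
            paths.append(list(reversed(path)))
            return
        for signer in sorted(signers_of[key]):
            if signer not in path:
                walk(signer, path + [signer])

    walk(subject, [subject])
    return sorted(paths)
```

Note what the two functions show together: heidi has a certification path from Alice, but her key is still not valid, because a single marginal introducer is not enough; grace reaches validity only because two independent marginal paths exist.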


Email Security

Threats to Email

Message interception
E-mail is sent in clear text over the Internet unless it is protected, so anyone on the path can read it.

Message modification
Anyone with system administrator rights on a mail server your message passes through can not only read your message, but also delete or change it before it reaches its destination, and the recipient will not be able to tell that the message has been modified.

False messages
It is very easy to create an e-mail with someone else's name and address. SMTP servers do not check for sender authenticity.

Message replay
Messages can be saved, modified, and re-sent later.

Repudiation
You cannot prove that someone sent you a message, since e-mail messages can be forged.

Solutions

First, the requirements for secure e-mail:
Sender authenticity
Nonrepudiation
Message integrity
Message confidentiality

What do we need to meet these requirements?
Digital signatures
Solve the integrity, authenticity, and nonrepudiation problems.
Encryption
Solves the confidentiality problem.

Secure E-Mail Systems

Secure/Multipurpose Internet Mail Extensions (S/MIME)
Pretty Good Privacy (PGP)
Both of these systems provide encryption and digital signatures for security.


S/MIME

Stands for Secure/Multipurpose Internet Mail Extensions.
A security enhancement to the MIME Internet e-mail format.

MIME - Header Fields
There are five message header fields:
MIME-Version
Content-Type
Content-Transfer-Encoding
Content-ID
Content-Description

MIME - Content Types
Message
rfc822
partial
external-body
Image
jpeg
gif
Video
mpeg
Audio
basic
Application
PostScript
octet-stream

MIME - Content Transfer Encodings
Two encodings for data that is not plain 7-bit ASCII:
Quoted-printable
Used when the data consists largely of printable ASCII characters with only a few non-ASCII octets; each such octet becomes =XX.
Limits encoded lines to 76 characters.
Base64 transfer encoding
Common for encoding arbitrary binary data; it maps every 3 octets to 4 printable characters, so the encoded form is about one third larger.
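The MIME header fields and the two transfer encodings, shown on a real message. This is an added example using only the Python standard library's email package; it is not code from the slides. The addresses, subject, text and binary blob are constructed sample content. The message is built with a text part in quoted-printable and a binary attachment in base64, serialised in wire form (CRLF line endings), then parsed back so the headers, the encoded line lengths and the decoded payloads can be checked.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample content (not from the slides): a short text with a few
# non-ASCII characters, which suits quoted-printable, and an arbitrary binary blob.
TEXT = "A mostly ASCII line with caf\u00e9 and na\u00efve in it.\n" * 3
BLOB = bytes(range(256))


def build_mime_message() -> bytes:
    """Build a two-part MIME message; set_content/add_attachment write the
    MIME-Version, Content-Type and Content-Transfer-Encoding headers for us."""
    msg = EmailMessage(policy=policy.SMTP)          # CRLF line endings, as on the wire
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "MIME transfer encodings"
    msg.set_content(TEXT, charset="utf-8", cte="quoted-printable")
    msg.add_attachment(BLOB, maintype="application", subtype="octet-stream",
                       filename="blob.bin", cte="base64")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Parse the wire form back and report, per part: content type, transfer
    encoding, the longest encoded line (RFC 2045 caps it at 76) and the decoded
    payload (line endings normalised to LF for the text part)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.iter_parts():
        encoded = part.get_payload(decode=False)
        decoded = part.get_payload(decode=True)
        if part.get_content_maintype() == "text":
            decoded = decoded.replace(b"\r\n", b"\n")
        parts.append({
            "content_type": part.get_content_type(),
            "cte": str(part["Content-Transfer-Encoding"]).lower(),
            "longest_line": max(len(line) for line in encoded.splitlines()),
            "decoded": decoded,
        })
    return {"mime_version": str(msg["MIME-Version"]),
            "content_type": msg.get_content_type(), "parts": parts}
```

The point for S/MIME: the signed or encrypted object is exactly this encoded MIME entity, headers included, so the canonical form the sender signs must be the form the recipient's parser reconstructs.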


S/MIME Functionality

S/MIME provides the following functions:
Enveloped data
Encrypted content, plus the content-encryption key encrypted for each recipient.
Signed data
Content and digital signature, both base64-encoded; only recipients with S/MIME capability can read the content.
Clear-signed data
Content sent in the clear with a detached, base64-encoded digital signature, so recipients without S/MIME can still read the message (but not verify it).
Signed and enveloped data
Signed-only and encrypted-only entities nested, so that encrypted data may be signed and signed data may be encrypted.

S/MIME - Cryptographic Algorithms (as specified for S/MIME version 3, RFC 2633)

Create a message digest to form the digital signature:
Must support SHA-1, should support MD5
Encrypt the message digest to form the signature:
Must support DSS, should support RSA
Encrypt the session key for transmission:
Must support RSA, should support Diffie-Hellman
Encrypt the message for transmission with a one-time session key:
Must support triple DES, should support AES, should support RC2/40
Create a message authentication code:
Must support HMAC with SHA-1

These are the requirements of the original S/MIME v3 specification. The current version, S/MIME 4.0 (RFC 8551), requires SHA-256 for digests and AES-128 CBC for content encryption instead; MD5 and RC2/40 are no longer acceptable and SHA-1 is discouraged.

S/MIME - User Agent Role

Key generation
The user agent generates a key pair, typically RSA.
Registration
A user's public key must be registered with a certification authority in order to obtain an X.509 certificate.
Certificate storage and retrieval
Access to a local list of certificates in order to verify incoming signatures and to encrypt outgoing messages.

S/MIME - Enhanced Security Services

Signed receipts
The receiver returns a signed receipt to the sender to prove that the message arrived and was verified.
Secure mailing lists
Sending to multiple recipients at once securely: the sender encrypts for the mailing list's public key, and the mail list agent decrypts and re-encrypts the message for each member, so the sender does not need every member's certificate.


32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:

Packet-Filter Firewall
Proxy Firewall

Figure 32.22 Firewall

Figure 32.23 Packet-filter firewall

Note
A packet-filter firewall filters at the network or transport layer: it decides on header fields such as source and destination IP address, protocol, and source and destination port, and in its stateless form never looks at application data.

Figure 32.24 Proxy firewall

Note

A proxy firewall filters at the application layer: it terminates the client's connection, inspects the application-layer request (for example an HTTP request) and, only if the request is acceptable, opens its own connection to the real server on the client's behalf.
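A packet-filter firewall of the kind Figure 32.23 describes, as an added example; this is not the slides' rule table nor code from any firewall product. It models a stateless filter that evaluates an ordered rule list on the network- and transport-layer fields only (direction, protocol, source and destination address, destination port), takes the first matching rule, and applies an implicit final deny. The rule set, the internal address range 10.0.0.0/8 and the web server address 10.0.0.5 are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed scenario (not the slides' figure): the firewall sits between the
# internal network 10.0.0.0/8 and the Internet; a public web server is at 10.0.0.5.


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (Internet -> internal) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"          # CIDR, "0.0.0.0/0" = any
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None = any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


RULES = [
    Rule("deny", "in", src="131.34.0.0/16", note="block a known-hostile network"),
    Rule("deny", "*", "tcp", dport=23, note="no telnet in either direction"),
    Rule("allow", "in", "tcp", dst="10.0.0.5/32", dport=80, note="public web server"),
    Rule("allow", "in", "tcp", dst="10.0.0.5/32", dport=443, note="public web server"),
    Rule("allow", "out", "tcp", src="10.0.0.0/8", note="internal hosts may connect out"),
    Rule("allow", "out", "udp", src="10.0.0.0/8", dport=53, note="DNS to the outside"),
]


class PacketFilter:
    """First-match rule evaluation with an implicit final deny: a stateless
    packet filter that sees only network- and transport-layer header fields."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet):
        """Return (action, index of the matching rule) or ('deny', None)."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.action, i
        return "deny", None


def filter_log(fw: PacketFilter, packets) -> list:
    """Run a batch of packets through the filter; one log line per packet."""
    lines = []
    for p in packets:
        action, idx = fw.decide(p)
        why = f"rule {idx}: {fw.rules[idx].note}" if idx is not None else "default deny"
        lines.append(f"{action:5} {p.direction:3} {p.proto} {p.src}:{p.sport} -> "
                     f"{p.dst}:{p.dport} ({why})")
    return lines
```

Rule order matters: the telnet deny sits before the outbound allow, so an internal host's telnet attempt is refused even though outbound TCP is otherwise permitted. The example also shows the limit of a stateless filter: replies to the permitted outbound connections arrive as inbound packets and match no allow rule, so a real deployment needs either an ACK-flag rule for established traffic or a stateful firewall that tracks connections.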


Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.

Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms (false positives).

Consequently, organizations need to fine-tune their IDS products when they first install them. That means properly configuring their intrusion detection systems to recognize what normal traffic on their network looks like compared to potentially malicious activity.

Different types of intrusion detection systems

1. Network intrusion detection system (NIDS)
2. Host intrusion detection system (HIDS)
3. Hybrid intrusion detection system
4. Signature-based intrusion detection system
5. Anomaly-based intrusion detection system


Network Intrusion Detection System:

This system monitors the traffic on individual networks or subnets by continuously analyzing the traffic and comparing it with the known attacks in its signature library.
If an attack is detected, an alert is sent to the system administrator.
It is placed at important points in the network so that it can keep an eye on the traffic travelling to and from the different devices on the network.
The IDS is placed along the network boundary or between the network and the server.
An advantage of this system is that it can be deployed easily and at low cost, without having to be installed on each system.
A limitation is that a NIDS sees only what crosses the wire where it is placed: encrypted traffic (such as TLS) cannot be inspected without terminating it, and the sensor cannot tell whether an attack it observed actually succeeded on the target host.


Host Intrusion Detection System:

Such a system works on individual systems: the network connection to the system, i.e. incoming and outgoing packets, is constantly monitored, and auditing of system files is done as well.
In case of any discrepancy, the system administrator is alerted.
This system monitors the operating system of the computer. The IDS is installed on the computer itself.
An advantage of this system is that it can accurately monitor the whole system and does not require the installation of any other hardware.

Comparison

Host based:
Narrow in scope (watches only specific host activities)
More complex setup
Better for detecting attacks from the inside
More expensive to implement
Detection is based on what any single host can record
Does not see packet headers
Usually only responds after a suspicious log entry has been made
OS-specific
Detects local attacks before they hit the network
Verifies success or failure of attacks

Network based:
Broad in scope (watches all network activities)
Easier setup
Better for detecting attacks from the outside
Less expensive to implement
Detection is based on what can be recorded on the entire network
Examines packet headers
Near real-time response
OS-independent
Detects network attacks as the payload is analyzed
Detects unsuccessful attack attempts




Hybrid Intrusion Detection

Hybrid systems combine the functionality of a host-based IDS, which monitors events occurring on the host system, and a network-based IDS, which monitors network traffic, on the same security platform.
A hybrid IDS can monitor system and application events and verify a file system's integrity like a host-based IDS, but it only analyzes the network traffic destined for the device itself.
A hybrid IDS is often deployed on an organization's most critical servers.


Signature-based Intrusion Detection System:

This system works on the principle of matching. The data is analyzed and compared with the signatures of known attacks. In case of a match, an alert is issued.
An advantage of this system is its high accuracy on known attacks and standard alarms understood by the user. Its limitation is that it cannot detect an attack for which no signature exists yet.

Anomaly-based Intrusion Detection System:

This system first learns a baseline of normal behaviour (for example typical traffic volume per host, the protocols and ports in use, usual login times) and then raises an alert when observed activity deviates significantly from that baseline. It can detect previously unknown attacks, but it produces more false positives, which is why the tuning mentioned earlier matters.
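The two detection approaches just described, run side by side over the same data. This is an added example, not code from the slides or from any IDS product. A signature engine matches each web request against two known-attack patterns (SQL injection and path traversal), and an anomaly engine learns a per-source request-rate baseline from a quiet training window and flags sources that exceed the mean by more than k standard deviations. The access-log lines and the training counts are constructed for the illustration; the threshold k is the tuning knob the slides refer to.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed web-server access log lines (source IP, method, path, status);
# not taken from the slides.
ACCESS_LOG = "\n".join([
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /images/logo.png 200",
    "10.0.0.9 GET /login?user=admin'%20OR%201=1-- 200",
    "10.0.0.7 GET /about.html 200",
    "198.51.100.4 GET /../../etc/passwd 404",
    "10.0.0.12 GET /index.html 200",
] + [f"203.0.113.5 GET /page{i}.html 200" for i in range(60)])

# Constructed baseline: requests per source during a quiet training window.
TRAINING_COUNTS = {f"10.0.0.{i}": n
                   for i, n in enumerate([2, 3, 4, 3, 2, 5, 3, 4, 2, 3], start=20)}

# Signature rules: known attack patterns matched against the request path.
SIGNATURES = {
    "sql-injection": re.compile(r"(?:%27|')(?:%20|\s)*or(?:%20|\s)+1=1", re.I),
    "path-traversal": re.compile(r"(?:\.\./|%2e%2e%2f)", re.I),
}


def parse_log(text: str) -> list:
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def signature_alerts(events) -> list:
    """Signature-based detection: match every request against the known patterns.
    Precise on what it knows, blind to anything without a signature."""
    alerts = []
    for src, _method, path, _status in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, src, path))
    return alerts


def learn_baseline(training_counts: dict) -> tuple:
    """Anomaly-based detection, training phase: what normal request volume per
    source looks like, summarised as (mean, standard deviation)."""
    values = list(training_counts.values())
    return mean(values), pstdev(values)


def anomaly_alerts(events, baseline: tuple, k: float = 3.0) -> list:
    """Anomaly-based detection, detection phase: flag sources whose request count
    exceeds mean + k * stdev. Nothing here knows what an attack looks like; it only
    knows what normal looked like, so k sets the false-positive rate."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(src for src, *_ in events)
    return sorted((src, n) for src, n in counts.items() if n > threshold)
```

The signature engine finds the two injected requests and says nothing about the 60-request burst from 203.0.113.5; the anomaly engine flags the burst and says nothing about the two injected requests. Lowering k would make the anomaly engine more sensitive and start flagging the busier legitimate hosts as well, which is the false-positive trade-off the slides warn about.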


Passive Intrusion Detection System:

It simply detects the suspicious or malicious activity and issues an alert to the system or network administrator (this is what has been described so far). The required action is then taken by the administrator.

Reactive Intrusion Detection System:

It not only detects the threat but also performs a specific action, such as resetting the suspicious connection or blocking the network traffic from the suspicious source.
It is also known as an Intrusion Prevention System (IPS). Because it acts automatically, a false positive here does not just raise a spurious alert but can cut off legitimate traffic.


Typical Features of an Intrusion Detection System:

It monitors and analyses user and system activities.
It performs auditing of the system files, other configurations and the operating system.
It assesses the integrity of system and data files.
It analyses patterns based on known attacks.
It detects errors in system configuration.
It detects and warns if the system is in danger.

Advantages of Intrusion Detection Systems

The network or computer is constantly monitored for any invasion or attack.
The system can be modified and changed according to the needs of a specific client, and can help against outside as well as inside threats to the system and network.
It helps limit damage to the network by detecting attacks early; an IDS by itself only detects and alerts, and preventing the damage requires an IPS or an administrator acting on the alert.
It provides a user-friendly interface which allows easy security management.
Any alterations to files and directories on the system can be easily detected and reported.


Domain Name System (DNS)

DNS, or the Domain Name System, translates human-readable domain names (for example, [Link]) to machine-readable IP addresses (for example, [Link]).
The Internet's DNS works much like a phone book, managing the mapping between names and numbers.
DNS servers translate requests for names into IP addresses, controlling which server an end user will reach when they type a domain name into their web browser.
These requests are called queries.

Types of DNS Service

Authoritative DNS
An authoritative DNS service provides an update mechanism that developers use to manage their public DNS names.
It then answers DNS queries, translating domain names into IP addresses so computers can communicate with each other.
Authoritative DNS has the final authority over a domain and is responsible for providing answers, with the IP address information, to recursive DNS servers.

Recursive DNS
Clients typically do not make queries directly to authoritative DNS services. Instead, they generally connect to another type of DNS service known as a resolver, or a recursive DNS service.
If the recursive DNS server has the answer cached (stored for a period of time), it answers the DNS query from the cache.
If not, it passes the query to one or more authoritative DNS servers to find the information.

How Does DNS Route Traffic To Your Web Application?


Domain Name System (DNS)

1. A user opens a web browser, enters [Link] in the address bar, and presses Enter.

2. The request for [Link] is routed to a DNS resolver, which is typically managed by the user's Internet service provider (ISP), such as a cable Internet provider, a DSL broadband provider, or a corporate network.

3. The DNS resolver for the ISP forwards the request for [Link] to a DNS root name server.

4. The DNS resolver for the ISP forwards the request for [Link] again, this time to one of the TLD name servers for .com domains. The name server for .com domains responds to the request with the names of the four Amazon Route 53 name servers that are associated with the [Link] domain.

5. The DNS resolver for the ISP chooses an Amazon Route 53 name server and forwards the request for [Link] to that name server.

6. The Amazon Route 53 name server looks in the [Link] hosted zone for the [Link] record, gets the associated value, such as the IP address for a web server, [Link], and returns the IP address to the DNS resolver.

7. The DNS resolver for the ISP finally has the IP address that the user needs. The resolver returns that value to the web browser. The DNS resolver also caches (stores) the IP address for [Link] for an amount of time that you specify, so that it can respond more quickly the next time someone browses to [Link]. For more information, see time to live (TTL).

8. The web browser sends a request for [Link] to the IP address that it got from the DNS resolver. This is where your content is, for example, a web server running on an Amazon EC2 instance or an Amazon S3 bucket that's configured as a website endpoint.

9. The web server or other resource at [Link] returns the web page for [Link] to the web browser, and the web browser displays the page.

Nothing in steps 3 to 6 authenticates the answers: plain DNS runs over UDP without signatures, so a resolver that accepts any reply carrying the right transaction ID and question can be fed a forged record and will cache it (cache poisoning). This is why resolvers randomize the transaction ID and the source port of each query and check that the answer matches the question they asked.
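The query and answer exchanged in the walkthrough above, at the wire level. This is an added example, not code from the slides or from any resolver; it builds a DNS query for a name, constructs the kind of answer an authoritative server returns (CNAME plus A record, using a compression pointer for the owner name), parses it with the checks a resolver must make before trusting it (transaction ID, response flag, question match), and keeps the result in a small cache that honours the TTL from step 7. The name www.example.com and the address 192.0.2.1 are constructed values from the documentation ranges; nothing here touches the network.

```python
import random
import struct
from typing import Optional

# Constructed query/response pair for the example; no packets are sent anywhere.


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Standard query: 12-byte header (random ID, RD=1, QDCOUNT=1) + one question.
    The unpredictable ID is part of the resolver's defence against spoofed answers."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a name that may use compression pointers (0xC0xx); returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes, expected_txid: int, expected_name: str):
    """The checks a resolver makes before trusting an answer, then
    (rcode, [(name, type, ttl, value), ...])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not an answer to our query")
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a response to a single question")
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE, QCLASS
    if qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                             # A record: 4-byte address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                           # CNAME: a (possibly compressed) name
            value, _ = decode_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def build_response(query: bytes, records) -> bytes:
    """Constructed answer in the shape an authoritative server sends: same ID and
    question, QR/RD/RA set, then the records [(name, type, ttl, rdata_bytes)].
    An owner name equal to the question name is written as a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    body = b""
    for name, rtype, ttl, rdata in records:
        owner = b"\xc0\x0c" if name == qname else encode_name(name)
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0) + question + body


class ResolverCache:
    """Step 7 of the walkthrough: an answer is served from cache until its TTL expires."""
    def __init__(self):
        self._store = {}

    def put(self, answers, now: float):
        for name, rtype, ttl, value in answers:
            self._store[(name, rtype)] = (now + ttl, value)

    def get(self, name: str, rtype: int, now: float):
        entry = self._store.get((name, rtype))
        if entry is None or now >= entry[0]:
            return None
        return entry[1]
```

A reply with a different transaction ID is rejected before any record in it is looked at; that check, together with the question-section comparison, is the minimum a resolver needs so that a forged answer is not cached for the whole TTL.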
