Network Security

Major Standardization Bodies

1. IETF: The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Standards are available in the form of RFCs (Request for Comments).
2. ITU-T: ITU is the United Nations specialized agency for information and communication technologies. ITU-T is one of the three sectors of the International Telecommunication Union (ITU); it coordinates standards for telecommunications.
3. NIST: The National Institute of Standards and Technology (NIST) is the US federal technology agency that works with industry to develop and apply technology, measurements, and standards.
4. ISO: The International Organization for Standardization (ISO) is a non-government international standard-setting body composed of representatives from various national standards organizations. It works in several areas including networking and security.

Information Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

The OSI Security Architecture

1. Network security needs some systematic way of defining the security requirements and the approaches to meet them.
2. ITU-T Recommendation X.800 defines a systematic approach for this purpose, focusing on the following three aspects:
   a. Security Attack: Any action that compromises the security of information owned by an organization.
   b. Security Mechanism: A process that is designed to detect, prevent, or recover from a specific security attack.
   c. Security Service: A service that makes use of one or more security mechanisms and provides a specific kind of protection to the system.

Security Attacks

Snooping: Data is intercepted by an unauthorized person. E.g. tapping.
Traffic Analysis: The data may be masked so that no information can be extracted from it, but patterns such as sender, receiver, message length and time of the message can still be extracted to make intelligent guesses.
Modification: Some portion of a legitimate message is altered, or the message is delayed.
Masquerading: One entity pretends to be a different entity. E.g. hoax bank sites.
Replaying: Subsequent retransmission of a captured message to produce an unauthorized effect. E.g. fake bill payment reminders with fake links.
Repudiation: The sender denies that it sent the message, or the receiver denies that it received the message.
Denial of Service: Slowing down or totally interrupting the service of the system. E.g. multiple requests to bring an exam result server down.

Passive Attacks – The attacker's goal is just to obtain the information. The attack does not harm the system.
Active Attacks – The attacker changes the data or harms the system.

Security Mechanisms

Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible.
Digital Signature: A data unit that allows a recipient of the data unit to prove the source.
Access Control: Restricts access rights to the resources.
Data Integrity: A mechanism to append a check value to the data. The receiver calculates the check value on the data and compares it with the received one.
Authentication Exchange: Two entities exchange messages to prove their identities to each other.
Traffic Padding: Insertion of bogus data to thwart traffic analysis.
Routing Control: Discretionary selection of routes between sender and receiver based on the security risks.
Notarization: A trusted third party assures the information exchange.

Security Services

Authentication: The assurance that the communicating entity is the one that it claims to be.
   1. Peer Entity: Sender/receiver authentication in connection-oriented communication.
   2. Data Origin: Data source authentication in connectionless communication.
Access Control: The prevention of unauthorized access to a resource. The definition of access can be broad here and may involve read, write, modify, execute etc.
Data Confidentiality: The protection of data from unauthorized disclosure. X.800 is very broad and encompasses confidentiality of the whole message or part of the message, and also protection against traffic analysis.
Data Integrity: The assurance that data received is exactly as sent by an authorized entity (i.e. it contains no modification, insertion, deletion, or replay).
Non-Repudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

Availability & Availability Service

Availability: X.800 defines availability to be an inherent property of a system. A system resource must be accessible and usable upon demand by an authorized entity. A variety of attacks can result in the loss or reduction of availability.

The availability service addresses the security concerns raised by Denial-of-Service attacks. It can be treated as a sixth type of security service.

Security Mechanisms and Services

A Security Service is a processing or communication service that is provided by a system to give a specific kind of protection to the system resources. Security services are implemented by security mechanisms. [RFC-4949]. A mechanism or a combination of mechanisms is used to provide a service. Also, a mechanism can be used in one or more services.

Security Service       Security Mechanism
Data Confidentiality   Encipherment, Routing Control
Data Integrity         Digital Signature
Non-Repudiation        Digital Signature, Notarization

A Model for Network Security

[Figure: A Model for Network Security]

1. A logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the sender and receiver.
2. An opponent may present a threat to the confidentiality of the message that is being transmitted.
3. Using secret information, the sender secures the original message (encrypted or ciphered) and, using the same secret information, the receiver recovers the original message (decrypted or deciphered).
4. A trusted third party distributes the secret information to both the sender and receiver.

The model for network security above shows that there are four basic tasks in designing a particular security service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose (ENCRYPTION/DECRYPTION).
2. Generate the secret information to be used with the algorithm (KEY MANAGEMENT).
3. Develop methods for the distribution and sharing of the secret information (KEY DISTRIBUTION).
4. Specify a protocol to be used by the two users that makes use of the security algorithm and the secret information to achieve a particular security service (IMPLEMENTATION).

Techniques to Implement Security Mechanisms

Cryptography: in Greek it means "secret writing". In network security it means the science of transforming messages to make them secure and immune to attacks.
   a. Symmetric-Key Encipherment
   b. Asymmetric-Key Encipherment
   c. Data Integrity
   d. Mutual Trust

Steganography: in Greek it means "covered writing". In contrast with cryptography, it means concealing the message itself by covering it with something else. Example: a letter is written on paper using onion juice or ammonia salts, which would not be visible unless exposed to heat; a message hidden in paintings, etc.

Symmetric-Key Encipherment

The sender encrypts the message using an encryption algorithm and the receiver decrypts the message using a decryption algorithm. Symmetric-Key Encipherment uses a single secret key for both encryption and decryption.

It is analogous to the sender putting the message in a box and locking the box with a shared key. The receiver opens the box with the same shared key and gets the message.

Asymmetric-Key Encipherment

To send a secure message, the sender first encrypts the message using the receiver's public key. To decrypt the message, the receiver uses its own private key.
Data Integrity and Mutual Trust

Data Integrity: Different cryptographic techniques to ensure data integrity. E.g. hashing and message digests.

Mutual Trust: Different methods for key generation and distribution. Entity authentication and notarization methods.

Computer Networks: A Layered Architecture

[Figure: airline analogy for a layered architecture]

1. Similar to the airline functionality, a modern computer network can be designed in a layered architecture.
2. A layer can be implemented in software, in hardware, or in a combination of the two. An application (e.g. HTTP) is usually implemented in software, whereas the physical layer and data link layers are implemented in hardware (e.g. network interface cards).
3. The rules by which a layer on one entity (host) communicates with its peer layer on another entity are called a protocol. When taken together, the protocols of the various layers are called the protocol stack.

Networking Packetization

[Figure: Networking Packetization]

Cryptography Terminology

1. Plaintext – An original message in its 'as-it-is' form.
2. Ciphertext – Coded message. Cannot be understood just by reading it.

How to Analyze Packets?

An engineer captured some transmission using a packet capture tool. The hex dump of a TCP segment starting from the TCP header is: 00 19 05 BE 05 59 54 39 0D 57 59 A9 50 18 FF FF 7B 2E 00 00 33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A. The TCP header is without the optional data. What is being conveyed through this TCP segment?

1. What is the source port address?
   The 16 bits for the source port address are 00 19 in hexadecimal, that is 25 in decimal.
2. So, who is sending this message?
   SMTP server.
3. How do we know that?
   TCP port 25 is a well-known port for an SMTP server.
4. What is being conveyed by the TCP segment?
   The data after the 20 bytes of TCP header: 33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A
5. But what is it?
   We know SMTP is an ASCII-based protocol. The equivalent ASCII text is 354 go ahead (the remaining bytes 0D 0A 2E 0D 0A are CR LF, a period, CR LF).

Question: A few bytes are captured during some transmission using a packet capture tool like Wireshark. The hex dump of an IPv4 datagram starting from the IPv4 header is: 45 00 00 49 24 4d 40 00 80 06 30 67 c0 a8 01 04 d9 0c 0b 42 05 be 00 19 0d 57 59 60 05 59 54 29 50 18 ff 3c 1c f1 00 00 4d 41 49 4c 20 46 52 4f 4d 3a 20 3c 78 78 78 78 78 78 40 78 78 78 78 78 2e 63 6f 2e 75 6b 3e 0d 0a.

The IP and TCP headers are without any optional data. Answer the following questions:

1. What are the source and destination IP addresses? Answer in dotted decimal notation.
2. From which byte do we know that it is TCP and how?
3. What are the source and destination port numbers?
4. What application protocol data is present in the datagram?
5. What is the direction of the data? Server to client or client to server?
6. What application message is being conveyed?
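The two packet-analysis exercises above, worked in code as an added example that is not part of the original notes: a parser for the fixed 20-byte IPv4 and TCP headers (no options, as both exercises state) that decodes both hex dumps, verifies the IPv4 header checksum so a corrupted or tampered header is noticed before its fields are trusted, and names the application and direction from the well-known port. The port table and the direction rule are my assumptions, limited to the ports the notes mention.

```python
import struct
# Both dumps are copied from the exercises in the notes (exercise inputs, not live traffic).
TCP_SEGMENT_DUMP = ("00 19 05 BE 05 59 54 39 0D 57 59 A9 50 18 FF FF 7B 2E 00 00 "
                    "33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A")
IPV4_DATAGRAM_DUMP = ("45 00 00 49 24 4d 40 00 80 06 30 67 c0 a8 01 04 d9 0c 0b 42 "
                      "05 be 00 19 0d 57 59 60 05 59 54 29 50 18 ff 3c 1c f1 00 00 "
                      "4d 41 49 4c 20 46 52 4f 4d 3a 20 3c 78 78 78 78 78 78 40 78 78 "
                      "78 78 78 2e 63 6f 2e 75 6b 3e 0d 0a")
WELL_KNOWN_PORTS = {25: "SMTP", 80: "HTTP"}  # assumption: only the ports the notes mention
TCP_FLAG_BITS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum of the header, checksum field included, must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(datagram: bytes) -> dict:
    """Decode the fixed IPv4 header; byte index 9 is the protocol field (6 = TCP)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", datagram[:12])
    ihl = (ver_ihl & 0x0F) * 4  # IHL is in 32-bit words
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "ttl": ttl,
            "protocol": proto, "checksum_ok": ipv4_checksum_ok(datagram[:ihl]),
            "src": ".".join(str(b) for b in datagram[12:16]),
            "dst": ".".join(str(b) for b in datagram[16:20]),
            "payload": datagram[ihl:total_len]}  # the TCP segment, header and data

def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header; the data offset (upper 4 bits of byte 12) gives its length."""
    src, dst, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "window": win,
            "header_len": hlen, "flags": [n for n, bit in TCP_FLAG_BITS if off_flags & bit],
            "payload": segment[hlen:]}

def describe(tcp: dict) -> dict:
    """Name the application and direction from whichever side uses a well-known port."""
    if tcp["src_port"] in WELL_KNOWN_PORTS:
        return {"app": WELL_KNOWN_PORTS[tcp["src_port"]], "direction": "server to client"}
    if tcp["dst_port"] in WELL_KNOWN_PORTS:
        return {"app": WELL_KNOWN_PORTS[tcp["dst_port"]], "direction": "client to server"}
    return {"app": "unknown", "direction": "unknown"}

if __name__ == "__main__":
    seg = parse_tcp(bytes.fromhex(TCP_SEGMENT_DUMP))
    ip = parse_ipv4(bytes.fromhex(IPV4_DATAGRAM_DUMP))
    inner = parse_tcp(ip["payload"])
    print(seg["payload"], describe(seg), ip["src"], ip["dst"], inner["payload"], describe(inner))
```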
