Obj

ect1

Network Security Principles

Network security consists of the policies and practices adopted to prevent and monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.

Computer security objectives are mentioned below :

1. Confidentiality (also known as secrecy) - This means that information is only being seen or used
by people who are authorized to access it.

2. Authentication - The process of identifying an individual, usually based on a username and

password. In security systems, authentication is distinct from authorization , which is the process of
giving individuals access to system objects based on their identity. Authentication merely ensures
that the individual is who he or she claims to be, but says nothing about the access rights of the
individual.

3. Integrity - This means that any changes to the information by an unauthorized user are
impossible (or at least detected), and changes by authorized users are tracked.

4. Non-repudiation - To repudiate means to deny. Nonrepudiation is the assurance that someone

cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a
contract or a communication cannot deny the authenticity of their signature on a document or the
sending of a message that they originated.

5. Access Control - Access control is a security technique that regulates who or what can view or
use resources in a computing environment. It is a fundamental concept in security that minimizes
risk to the business or organization.
Network access control (NAC), also called network admission control, is a method of
bolstering(strengthning) the security of a proprietary network by restricting the availability of
network resources to endpoint devices that comply with a defined security policy.

6. Availability - This means that the information is accessible when authorized users need it.

Types of Security attacks | Active and Passive attacks

Active attacks: An Active attack attempts to alter system resources or effect

their operations. Active attack involve some modification of the data stream or
creation of false statement. Types of active attacks are as following:
1. Masquerade –
Masquerade attack takes place when one entity pretends to be different
entity. A Masquerade attack involves one of the other form of active
attacks.

2. Modification of messages –
It means that some portion of a message is altered or that message is
delayed or reordered to produce an unauthorised effect. For example, a
message meaning “Allow JOHN to read confidential file X” is modified as
“Allow Smith to read confidential file X”.
3. Repudiation –
This attack is done by either sender or receiver. The sender or receiver can
deny later that he/she has send or receive a message. For example,
customer ask his Bank “To transfer an amount to someone” and later on
the sender(customer) deny that he had made such a request. This is
repudiation.

4. Replay –
It involves the passive capture of a message and its subsequent the
transmission to produce an authorized effect.
5. Denial of Service –
It prevents normal use of communication facilities. This attack may have a
specific target. For example, an entity may suppress all messages directed
to a particular destination. Another form of service denial is the disruption
of an entire network wither by disabling the network or by overloading it
by messages so as to degrade performance.
Passive attacks: A Passive attack attempts to learn or make use of
information from the system but does not affect system resources. Passive
Attacks are in the nature of eavesdropping on or monitoring of transmission.
The goal of the opponent is to obtain information is being transmitted. Types of
Passive attacks are as following:
1. The release of message content –
Telephonic conversation, an electronic mail message or a transferred file
may contain sensitive or confidential information. We would like to prevent
an opponent from learning the contents of these transmissions.

2. Traffic analysis –
Suppose that we had a way of masking (encryption) of information, so that
the attacker even if captured the message could not extract any
information from the message.
The opponent could determine the location and identity of communicating
host and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
Cryptanalysis :

Cryptanalysis is the decryption and analysis of codes, ciphers or encrypted text. Cryptanalysis uses
mathematical formulas to search for algorithm vulnerabilities and break into cryptography or
information security systems.
Cryptanalysis attack types include:
• Known-Plaintext Analysis (KPA): Attacker decrypt ciphertexts with known partial plaintext.
• Chosen-Plaintext Analysis (CPA): Attacker uses ciphertext that matches arbitrarily selected
plaintext via the same algorithm technique.
• Ciphertext-Only Analysis (COA): Attacker uses known ciphertext collections.
• Man-in-the-Middle (MITM) Attack: Attack occurs when two parties use message or key
sharing for communication via a channel that appears secure but is actually compromised.
Attacker employs this attack for the interception of messages that pass through the
communications channel. Hash functions prevent MITM attacks.
• Adaptive Chosen-Plaintext Attack (ACPA): Similar to a CPA, this attack uses chosen
plaintext and ciphertext based on data learned from past encryptions.

Steganography :
Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message
in order to avoid detection; the secret data is then extracted at its destination. The technique can be
used along with cryptography as an extra-secure method in which to protect data. Steganography
can be used to conceal almost any type of digital content, including text, image, video or audio
content; the data to be hidden can be hidden inside almost any other type of digital content.
The content to be concealed through steganography -- called hidden text -- is often encrypted before
being incorporated into the innocuous-seeming cover text file or data stream.
Steganography is practiced by those wishing to convey a secret message or code. While there are
many legitimate uses for steganography, malware developers have also been found to use
steganography to obscure the transmission of malicious code.

Steganography techniques
Data is first encrypted or obfuscated in some other way and then inserted, using a special algorithm,
into data that is part of a particular file format such as a JPEG image, audio or video file.
1. One technique is to hide data in bits that represent the same color pixels repeated in a row in an
image file.
2. The practice of adding a watermark -- a trademark or other identifying data hidden in multimedia
or other content files -- is one common use of steganography. Watermarking is a technique often
used by online publishers to identify the source of media files that have been found being shared
without permission.
3. one of the most common techniques is to embed a text file into an image file.
The primary advantage of using steganography to hide data over encryption is that it helps obscure
the fact that there is sensitive data hidden in the file or other content carrying the hidden text.

There are two basic types of encryption:

1. Symmetric algorithms: (also called “secret key”) An encryption system in which the sender and
receiver of a message use the same key for both encryption and decryption.

Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must
somehow exchange the key in a secure way.

Have a look at the following image:

2. Asymmetric algorithms: (also called “public key”) use different keys for encryption and
decryption. It utilizes two keys - a public key to encrypt messages and a private key to decrypt
them.
In such a system, any person can encrypt a message using the receiver's public key, but that
encrypted message can only be decrypted with the receiver's private key.

It is computationally infeasible to compute the private key based on the public key. Because of this,
public keys can be freely shared, allowing users an easy and convenient method for encrypting
content and verifying digital signatures, and private keys can be kept secret, ensuring only the
owners of the private keys can decrypt content and create digital signatures.
Since public keys need to be shared but are too big to be easily remembered, they are stored on
digital certificates for secure transport and sharing. Since private keys are not shared, they are
simply stored in the software or operating system you use, or on hardware (e.g., USB token,
hardware security module) containing drivers that allow it to be used with your software or
operating system.
The main business applications for public-key cryptography are:
• Digital signatures - content is digitally signed with an individual’s private key and is
verified by the individual’s public key
• Encryption - content is encrypted using an individual’s public key and can only be
decrypted with the individual’s private key

Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key cryptography. The model
of digital signature scheme is depicted in the following illustration −

The following points explain the entire process in detail −

• Each person adopting this scheme has a public-private key pair.

• Generally, the key pairs used for encryption/decryption and signing/verifying are different.
The private key used for signing is referred to as the signature key and the public key as the
 verification key.
• Signer feeds data to the hash function and generates hash of data.

• Hash value and signature key are then fed to the signature algorithm which produces the
digital signature on given hash. Signature is appended to the data and then both are sent to
the verifier.
• Verifier feeds the digital signature and the verification key into the verification algorithm.
The verification algorithm gives some value as output.
• Verifier also runs same hash function on received data to generate hash value.

• For verification, this hash value and output of verification algorithm are compared. Based on
the comparison result, verifier decides whether the digital signature is valid.
• Since digital signature is created by ‘private’ key of signer and no one else can have this
key; the signer cannot repudiate signing the data in future.

Intrusion detection system (IDS)

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered. While anomaly detection and reporting is the
primary function, some intrusion detection systems are capable of taking actions when malicious
acitivity or anomalous traffic is detected, including blocking traffic sent from suspicious IP
addresses.

Different types of intrusion detection systems

Intrusion detection systems come in different flavors and detect suspicious activities using different
methods, including the following:
• A network intrusion detection system (NIDS) is deployed at a strategic point or points
within the network, where it can monitor inbound and outbound traffic to and from all the
devices on the network.
• Host intrusion detection systems (HIDS) run on all computers or devices in the network with
direct access to both the internet and the enterprise internal network. HIDS have an
advantage over NIDS in that they may be able to detect anomalous network packets that
originate from inside the organization or malicious traffic that a NIDS has failed to detect.
HIDS may also be able to identify malicious traffic that originates from the host itself, as
when the host has been infected with malware and is attempting to spread to other systems.
• Signature-based intrusion detection systems monitor all the packets traversing the network
and compares them against a database of signatures or attributes of known malicious threats,
much like antivirus software.
• Anomaly-based intrusion detection systems monitor network traffic and compare it against
an established baseline, to determine what is considered normal for the network with respect
to bandwidth, protocols, ports and other devices. This type of IDS alerts administrators to
 potentially malicious activity.

Secure Electronic Transaction (SET) Protocol

Secure Electronic Transaction or SET is a system which ensures security and integrity of
electronic transactions done using credit cards in a scenario. SET is not some system that enables
payment but it is a security protocol applied on those payments. It uses different encryption and
hashing techniques to secure payments over internet done through credit cards. SET protocol was
supported in development by major organizations like Visa, Mastercard, Microsoft which provided
its Secure Transaction Technology (STT) and NetScape which provided technology of Secure
Socket Layer (SSL).
SET protocol restricts revealing of credit card details to merchants thus keeping hackers and thieves
at bay. SET protocol includes Certification Authorities for making use of standard Digital
Certificates like X.509 Certificate.

Requirements in SET :
SET protocol has some requirements to meet, some of the important
requirements are :
• It has to provide mutual authentication i.e., customer (or cardholder) authentication by
confirming if the customer is intended user or not and merchant authentication.
• It has to keep the PI (Payment Information) and OI (Order Information) confidential by
appropriate encryptions.
• It has to be resistive against message modifications i.e., no changes should be allowed in the
content being transmitted.
• SET also needs to provide interoperability and make use of best security mechanisms.

SET functionalities :
• Provide Authentication
• Merchant Authentication – To prevent theft, SET allows customers to check
previous relationships between merchant and financial institution. Standard X.509V3
certificates are used for this verification.
• Customer / Cardholder Authentication – SET checks if use of credit card is done
by an authorized user or not using X.509V3 certificates.
• Provide Message Confidentiality : Confidentiality refers to preventing unintended people
from reading the message being transferred. SET implements confidentiality by using
encryption techniques. Traditionally DES is used for encryption purpose.
• Provide Message Integrity : SET doesn’t allow message modification with the help of
signatures. Messages are protected against unauthorized modification using RSA digital
signatures with SHA-1 and some using HMAC with SHA-1,