
Cryptography and Network Security

QUESTIONS COVERED:

1. List the advantages of TLS over SSL

2. Differentiate between transport mode and tunnel mode

3. List the transfer encoding provided by S/MIME

4. Explain the working of Kerberos and discuss its uses

5. Explain the features of IEEE 802.11i Wireless LAN security system

6. Discuss the requirement of web security

7. Explain the working of HTTPS protocol

8. With the help of block diagram explain how PGP is used to provide email
security

9. Explain the working of IPsec Architecture with the help of a neat diagram

The information provided by me in this portable document format is for general
informational purposes only. All information here is provided in good faith,
however I make no representation or warranty of any kind, express or implied,
regarding the accuracy, adequacy, validity, reliability, availability, or
completeness of any information.

UNDER NO CIRCUMSTANCE SHALL I HAVE ANY LIABILITY TO YOU
FOR ANY LOSS OR DAMAGE OF ANY KIND INCURRED AS A RESULT
OF THE USE OF THIS FILE OR RELIANCE ON ANY INFORMATION
PROVIDED HERE. YOUR USE OF THIS FILE AND YOUR RELIANCE ON
ANY INFORMATION IS SOLELY AT YOUR OWN RISK.

- Safwan Rasheed

1. List the advantages of TLS over SSL

source: (dcet notes, https://www.ibm.com/docs/en/connect-direct/5.2.0?topic=protocol-benefits-tls)

SSL was developed by Netscape to provide security when transmitting information on
the Internet. The Secure Sockets Layer protocol is a protocol layer which may be
placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP)
and the application protocol layer (e.g. HTTP). SSL provides for secure
communication between client and server by allowing mutual authentication, the use
of digital signatures for integrity and encryption for privacy.

TLS was released in response to the Internet community’s demands for a standardized
protocol. TLS (Transport Layer Security), defined in RFC 2246, is a protocol for
establishing a secure connection between a client and a server. TLS is capable of
authenticating both the client and the server and creating an encrypted connection
between the two. Many protocols use TLS to establish secure connections, including
HTTP, IMAP, POP3, and SMTP. The TLS Handshake Protocol first negotiates key exchange
using an asymmetric algorithm such as RSA or Diffie-Hellman.

Both the SSL protocol and the TLS protocol manage secure communication in a
similar way. However, TLS provides a more secure method for managing
authentication and exchanging messages, using the following features:

• While SSL provides keyed message authentication, TLS uses the more secure Key-
Hashing for Message Authentication Code (HMAC) to ensure that a record cannot
be altered during transmission over an open network such as the Internet.
• TLS defines the Enhanced Pseudorandom Function (PRF), which uses two hash
algorithms to generate key data with the HMAC. Two algorithms increase security
by preventing the data from being changed if only one algorithm is compromised.
The data remains secure as long as the second algorithm is not compromised.
• While SSL and TLS both provide a message to each node to authenticate that the
exchanged messages were not altered, TLS uses PRF and HMAC values in the
message to provide a more secure authentication method.
• To provide more consistency, the TLS protocol specifies the type of certificate that
must be exchanged between nodes.
• TLS provides more specific alerts about problems with a session and documents
when certain alerts are sent.
• If you are required to have a FIPS 140-2-validated solution, a FIPS-mode of
operation is available in Sterling Connect:Direct® for the TLS protocol.
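
The HMAC and PRF points above can be made concrete with the TLS 1.0 (RFC 2246) constructions, where the two hash algorithms are MD5 and SHA-1. The following Python code is an added example, not part of the original notes; the master secret, random values and function names are constructed for illustration.

```python
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: stretch (secret, seed) to `length` bytes using HMAC."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label+seed) XOR P_SHA-1(S2, label+seed)."""
    half = (len(secret) + 1) // 2                        # halves overlap by one byte if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    # An attacker must predict both streams to predict the XOR of the two.
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def record_mac(mac_key, seq_num, content_type, fragment, version=(3, 1)):
    """TLS 1.0 record MAC: HMAC-SHA1 over sequence number, record header and data."""
    header = struct.pack("!QBBBH", seq_num, content_type, *version, len(fragment))
    return hmac.new(mac_key, header + fragment, "sha1").digest()


def verify_record(mac_key, seq_num, content_type, fragment, mac):
    expected = record_mac(mac_key, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, mac)


# Constructed sample values, not taken from a real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32


def demo():
    # Key block derivation as in RFC 2246 section 6.3; with a SHA-1 cipher suite
    # the first 20 bytes are the client's MAC secret.
    key_block = tls10_prf(MASTER_SECRET, b"key expansion",
                          SERVER_RANDOM + CLIENT_RANDOM, 40)
    client_mac_key = key_block[:20]
    data = b"GET / HTTP/1.0\r\n\r\n"
    mac = record_mac(client_mac_key, 0, 23, data)        # 23 = application_data
    return {
        "intact": verify_record(client_mac_key, 0, 23, data, mac),
        "altered": verify_record(client_mac_key, 0, 23, data.replace(b"/", b"/x", 1), mac),
        "wrong_sequence": verify_record(client_mac_key, 1, 23, data, mac),
    }


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification in the same way as one whose data was changed.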

2. Differentiate between transport mode and tunnel mode

(source: dcet notes, https://www.ques10.com/p/13442/differentiate-between-the-transport-mode-and-tunne/)

IPsec (both AH packets and ESP packets) can be used in two modes:
• Transport mode: the IPsec header is inserted just after the IP header. It
contains the security information, such as SA identifier, encryption, authentication.
Typically used in end-to-end communication. The IP header is not protected.
• Tunnel mode: the entire IP packet, header and all, is encapsulated in the body of a
new IP packet with a completely new IP header.
Typically used in firewall-to-firewall communication. Provides protection for the
whole IP packet. No routers along the way will be able (or will need) to check
the content of the packets.
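
What each mode protects can be checked in code. This added Python example (not from the original notes) wraps one constructed IPv4 packet in ESP both ways and then changes a source address: in transport mode the address sits in the unprotected IP header, in tunnel mode it sits inside the protected inner packet. It assumes ESP with NULL encryption and an HMAC-SHA-256 integrity value so that it runs with the standard library only; the key, SPI values, addresses and function names are made up.

```python
import hashlib
import hmac
import socket
import struct

ESP, TCP, IPIP = 50, 6, 4                  # IP protocol numbers
ICV_LEN = 16                               # HMAC-SHA-256 truncated to 128 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def esp(spi, seq, inner, next_header, key):
    """ESP with NULL encryption: SPI, sequence number, data, trailer, then the ICV."""
    pad_len = -(len(inner) + 2) % 4        # align the trailer to a 4-byte boundary
    body = (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def icv_ok(packet, key):
    """Verify the ICV of the ESP payload that follows the 20-byte outer IP header."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def transport_mode(packet, spi, seq, key):
    """Original IP header stays in front; ESP covers only the upper-layer payload."""
    hdr, payload = packet[:20], packet[20:]
    wrapped = esp(spi, seq, payload, hdr[9], key)
    return ipv4_header(socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
                       ESP, len(wrapped), ttl=hdr[8]) + wrapped


def tunnel_mode(packet, spi, seq, key, gw_src, gw_dst):
    """Whole original packet, header included, rides inside ESP behind a new header."""
    wrapped = esp(spi, seq, packet, IPIP, key)
    return ipv4_header(gw_src, gw_dst, ESP, len(wrapped)) + wrapped


def rewrite(packet, offset, new_bytes):
    """Return a copy of the packet with bytes at `offset` replaced."""
    return packet[:offset] + new_bytes + packet[offset + len(new_bytes):]


# Constructed sample packet and key (private and documentation address ranges).
KEY = b"k" * 32
SEGMENT = b"\x00" * 20 + b"hello"          # stand-in for a TCP header plus data
ORIGINAL = ipv4_header("10.1.0.5", "10.2.0.9", TCP, len(SEGMENT)) + SEGMENT


def demo():
    changed = socket.inet_aton("10.1.0.99")
    t = transport_mode(ORIGINAL, 0x1001, 1, KEY)
    u = tunnel_mode(ORIGINAL, 0x2001, 1, KEY, "192.0.2.1", "198.51.100.1")
    return {
        "transport_outer_src": socket.inet_ntoa(t[12:16]),
        "tunnel_outer_src": socket.inet_ntoa(u[12:16]),
        # Transport mode: the source address is in the IP header ESP does not cover.
        "transport_src_change_detected": not icv_ok(rewrite(t, 12, changed), KEY),
        # Tunnel mode: the original source address is at offset 20 + 8 + 12,
        # inside the data covered by the ICV.
        "tunnel_inner_src_change_detected": not icv_ok(rewrite(u, 40, changed), KEY),
    }
```

With a real cipher in place of NULL encryption, the inner header in tunnel mode would also be hidden from routers on the path, which is the point the notes make about tunnel mode.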

3. List the transfer encoding provided by S/MIME

source: (dcet notes)

S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to
the MIME Internet e-mail format standard, which in turn provided support for varying
content types and multi-part messages over the text-only support in the original
Internet RFC822 email standard. MIME allows encoding of binary data to textual form
for transport over traditional RFC822 email systems. S/MIME is defined in a number
of documents, most importantly RFCs 3369, 3370, 3850 and 3851, and S/MIME support
is now included in many modern mail agents.

MIME Transfer Encodings
The other major component of the MIME specification, in addition to content type
specification, is a definition of transfer encodings for message bodies. The
objective is to provide reliable delivery across the largest range of environments.

The MIME standard defines two methods of encoding data. The Content-Transfer-Encoding
field can actually take on six values. Three of these values (7bit, 8bit, and binary)
indicate that no encoding has been done but provide some information about the nature
of the data. Another Content-Transfer-Encoding value is x-token, which indicates that
some other encoding scheme is used, for which a name is to be supplied. The two actual
encoding schemes defined are quoted-printable and base64. Two schemes are defined to
provide a choice between a transfer technique that is essentially human readable and
one that is safe for all types of data in a way that is reasonably compact.
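
An added example, not part of the original notes, that applies these Content-Transfer-Encoding values in Python: it labels a body as 7bit, 8bit or binary (using the RFC 2045 rules for line length, NUL bytes and line endings, which the notes do not spell out) and then picks quoted-printable or base64 for transport. The sample bodies and function names are constructed.

```python
import base64
import quopri


def classify(body):
    """Label raw data with the 'no encoding' value that describes it."""
    lines = body.split(b"\r\n")
    if b"\x00" in body or any(len(l) > 998 or b"\r" in l or b"\n" in l for l in lines):
        return "binary"                    # NULs, over-long lines or bare CR/LF
    return "7bit" if all(b < 128 for b in body) else "8bit"


def encode_for_7bit_path(body):
    """Choose a Content-Transfer-Encoding that survives a 7-bit-only mail path."""
    if classify(body) == "7bit":
        return "7bit", body
    qp, b64 = quopri.encodestring(body), base64.encodebytes(body)
    # quoted-printable stays readable for mostly-text data; base64 is the compact
    # choice once many bytes need escaping.
    return ("quoted-printable", qp) if len(qp) <= len(b64) else ("base64", b64)


def decode(encoding, data):
    if encoding == "quoted-printable":
        return quopri.decodestring(data)
    if encoding == "base64":
        return base64.decodebytes(data)
    return data                            # 7bit, 8bit, binary: nothing to undo


# Constructed sample bodies.
ASCII_TEXT = b"Status report attached.\r\n"
LATIN_TEXT = "Meeting moved to the café on 5th Street at noon".encode("utf-8")
BINARY_BLOB = bytes(range(256)) * 4


def demo():
    """Rows of (nature of data, chosen encoding, raw size, wire size, round trip ok)."""
    rows = []
    for body in (ASCII_TEXT, LATIN_TEXT, BINARY_BLOB):
        encoding, wire = encode_for_7bit_path(body)
        round_trip = decode(encoding, wire) == body
        rows.append((classify(body), encoding, len(body), len(wire), round_trip))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```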

Canonical Form
An important concept in MIME and S/MIME is that of canonical form. Canonical form is
a format, appropriate to the content type, that is standardized for use between
systems. This is in contrast to native form, which is a format that may be peculiar to
a particular system.

4. Explain the working of Kerberos and discuss its uses

source: (dcet notes)

Kerberos is an authentication service developed as part of Project Athena at MIT.
It addresses the threats posed in an open distributed environment in which users at
workstations wish to access services on servers distributed throughout the network.
Some of these threats are:
• A user may gain access to a particular workstation and pretend to be another
user operating from that workstation.
• A user may alter the network address of a workstation so that the requests
sent from the altered workstation appear to come from the impersonated
workstation.
• A user may eavesdrop on exchanges and use a replay attack to gain entrance
to a server or to disrupt operations.

Two versions of Kerberos are in current use: Version-4 and Version-5. The first
published report on Kerberos listed the following requirements:

Secure: A network eavesdropper should not be able to obtain the necessary
information to impersonate a user. More generally, Kerberos should be strong enough
that a potential opponent does not find it to be the weak link.

Reliable: For all services that rely on Kerberos for access control, lack of
availability of the Kerberos service means lack of availability of the supported
services. Hence, Kerberos should be highly reliable and should employ a distributed
server architecture, with one system able to back up another.

Transparent: Ideally, the user should not be aware that authentication is taking
place, beyond the requirement to enter a password.

Scalable: The system should be capable of supporting large numbers of clients and
servers. This suggests a modular, distributed architecture.

Two versions of Kerberos are in common use. Version 4 is the most widely used version.
Version 5 corrects some of the security deficiencies of Version 4. Version 5 has been
issued as a draft Internet Standard (RFC 1510).

Advantages of Kerberos:

• Users' passwords are never sent across the network, encrypted or in plain text.
• Secret keys are only passed across the network in encrypted form.
• Client and server systems mutually authenticate.
• It limits the duration of their users' authentication.
• Authentications are reusable and durable.
• Kerberos has been scrutinized by many of the top programmers,
cryptologists and security experts in the industry.

5. Explain the features of IEEE 802.11i Wireless LAN security system

source: ( https://www.brainkart.com/article/IEEE-802-11i-Wireless-LAN-Security_8486/)

There are two characteristics of a wired LAN that are not inherent in a wireless LAN.

In order to transmit over a wired LAN, a station must be physically connected to the
LAN. On the other hand, with a wireless LAN, any station within radio range of the
other devices on the LAN can transmit. In a sense, there is a form of authentication
with a wired LAN in that it requires some positive and presumably observable action
to connect a station to a wired LAN.

Similarly, in order to receive a transmission from a station that is part of a wired
LAN, the receiving station also must be attached to the wired LAN. On the other
hand, with a wireless LAN, any station within radio range can receive. Thus, a wired
LAN provides a degree of privacy, limiting reception of data to stations connected to
the LAN.

These differences between wired and wireless LANs suggest the increased need for
robust security services and mechanisms for wireless LANs.

The final form of the 802.11i standard is referred to as Robust Security Network
(RSN). The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i
specification under the WPA2 program.
The 802.11i RSN security specification defines the following services.

• Authentication: A protocol is used to define an exchange between a user and an AS
that provides mutual authentication and generates temporary keys to be used between
the client and the AP over the wireless link.

• Access control: This function enforces the use of the authentication function,
routes the messages properly, and facilitates key exchange. It can work with a
variety of authentication protocols.

• Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted
along with a message integrity code that ensures that the data have not been altered.

IEEE 802.11i Phases of Operation

The operation of an IEEE 802.11i RSN can be broken down into five distinct phases
of operation.
• Discovery: An AP uses messages called Beacons and Probe Responses to advertise
its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN
with which it wishes to communicate. The STA associates with the AP, which it uses
to select the cipher suite and authentication mechanism when the Beacons and
Probe Responses present a choice.

• Authentication: During this phase, the STA and AS prove their identities to
each other. The AP blocks non-authentication traffic between the STA and AS
until the authentication transaction is successful. The AP does not participate in
the authentication transaction other than forwarding traffic between the STA
and AS.

• Key generation and distribution: The AP and the STA perform several operations
that cause cryptographic keys to be generated and placed on the AP and the STA.
Frames are exchanged between the AP and STA only.

• Protected data transfer: Frames are exchanged between the STA and the end station
through the AP. As denoted by the shading and the encryption module icon, secure
data transfer occurs between the STA and the AP only; security is not provided end-
to-end.

• Connection termination: The AP and STA exchange frames. During this phase, the
secure connection is torn down and the connection is restored to the original state.

6. Discuss the requirement of web security

source: ( https://chat.openai.com/)

Web security is of utmost importance in today's digital landscape due to the
increasing reliance on the internet for various activities such as communication,
commerce, and information sharing. It refers to the measures and practices
implemented to protect websites, web applications, and web services from
unauthorized access, data breaches, and other malicious activities.

Here are some key requirements of web security:

1. Confidentiality: Confidentiality ensures that sensitive information remains
protected and accessible only to authorized individuals or entities. It involves
techniques such as encryption, secure data storage, and secure transmission protocols
(such as HTTPS) to prevent eavesdropping or unauthorized interception of data.

2. Authentication: Authentication verifies the identity of users or entities attempting
to access a website or its resources. Strong authentication mechanisms, such as multi-
factor authentication (MFA), help prevent unauthorized access to sensitive data or
user accounts. Implementing robust password policies and using secure
authentication protocols are crucial for web security.

3. Authorization: Authorization determines what actions or resources a user or entity
can access after successful authentication. Role-based access control (RBAC) and
access control lists (ACLs) are commonly used techniques to enforce proper
authorization and limit unauthorized access to sensitive areas of a website or
application.

4. Data Integrity: Data integrity ensures that data remains unchanged and uncorrupted
during transmission, storage, or processing. Techniques such as data validation,
checksums, and digital signatures help verify the integrity of data and detect any
unauthorized modifications.

5. Secure Communication: Secure communication protocols, such as HTTPS (HTTP
over SSL/TLS), are essential to protect data transmitted between a web server and a
client. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols
encrypt data to prevent unauthorized interception, tampering, or man-in-the-middle
attacks.

6. Vulnerability Management: Websites and web applications need regular
vulnerability assessments and security updates to address any weaknesses or
vulnerabilities. Patch management, code reviews, and secure coding practices help
mitigate potential security risks arising from software vulnerabilities.

7. Malware Protection: Implementing robust antivirus and anti-malware solutions
helps detect and prevent malicious software (malware) from compromising websites
or infecting users' systems. Regular scanning, intrusion detection systems (IDS), and
firewalls are crucial components of a web security strategy.

8. Security Monitoring and Incident Response: Continuous monitoring of web
applications and systems is essential to detect and respond to security incidents
promptly. Log analysis, intrusion detection systems, and security information and
event management (SIEM) tools enable proactive identification of security breaches
or suspicious activities, allowing for timely incident response.

9. User Awareness and Training: Educating users about web security best practices,
such as strong passwords, phishing awareness, and safe browsing habits, is vital to
prevent social engineering attacks and mitigate human-related security risks. Regular
security training programs help promote a security-conscious culture.

10. Compliance and Privacy: Web security should align with relevant legal and
regulatory requirements, such as data protection laws (e.g., GDPR) or industry-
specific standards (e.g., PCI DSS for payment card industry). Ensuring privacy,
safeguarding personal data, and providing transparent privacy policies are essential
aspects of web security.

By addressing these requirements, organizations can establish a robust web security
framework, safeguarding their websites, applications, and users from potential threats
and vulnerabilities. It is crucial to regularly update and adapt security measures to
keep pace with evolving cyber threats and maintain a strong defense against
malicious activities.

7. Explain the working of HTTPS protocol

source: ( https://www.geeksforgeeks.org/explain-working-of-https/ )

HTTPS stands for HyperText Transfer Protocol Secure. It is the most common
protocol for sending data between a web browser and a website. It is the secure
variant of HTTP used for communication between the browser and the webserver. In
order to make the data transfer more secure, it is encrypted. Encryption is required to
ensure security while transmitting sensitive information like passwords, contact
information, etc.

HTTPS establishes the communication between the browser and the webserver. It
uses the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocol for
establishing communication. The new version of SSL is TLS.

HTTPS uses the conventional HTTP protocol and adds a layer of SSL/TLS over it.
The workflow of HTTP and HTTPS remains the same, the browsers and servers still
communicate with each other using the HTTP protocol. However, this is done over a
secure SSL connection. The SSL connection is responsible for the encryption and
decryption of the data that is being exchanged in order to ensure data safety.

There are two major roles of the SSL layer:

• Ensuring that the browser communicates with the required server directly.
• Ensuring that only the communicating systems have access to the messages they
exchange.

HTTP transfers data in a hypertext format between the browser and the web server,
whereas HTTPS transfers data in an encrypted format.

It uses an asymmetric public key infrastructure for securing a communication link.
There are two different kinds of keys used for encryption:

Private Key: It is used for the decryption of the data that has been encrypted by the
public key. It resides on the server-side and is controlled by the owner of the website.
It is private in nature.

Public Key: It is public in nature and is accessible to all the users who communicate
with the server. The private key is used for the decryption of the data that has been
encrypted by the public key.

Advantages of HTTPS
• Secure Communication: HTTPS establishes a secure communication link between
the communicating system by providing encryption during transmission.
• Data Integrity: By encrypting the data, HTTPS ensures data integrity. This implies
that even if the data is compromised at any point, the hackers won’t be able to read
or modify the data being exchanged.
• Privacy and Security: HTTPS prevents attackers from accessing the data being
exchanged passively, thereby protecting the privacy and security of the users.
• Faster Performance: HTTPS encrypts the data and reduces its size. Smaller size
accounts for faster data transmission in the case of HTTPS.

8. With the help of block diagram explain how PGP is used to provide email
security

source: ( dcet notes , https://www.javatpoint.com/computer-network-pgp )

PRETTY GOOD PRIVACY

In virtually all distributed environments, electronic mail is the most heavily used
network-based application. But current email services are roughly like "postcards":
anyone who wants to could pick one up and have a look while it is in transit or
sitting in the recipient's mailbox. PGP provides a confidentiality and authentication
service that can be used for electronic mail and file storage applications. With the
explosively growing reliance on electronic mail for every conceivable purpose, there
grows a demand for authentication and confidentiality services. The Pretty Good
Privacy (PGP) secure email program is a remarkable phenomenon: it has grown
explosively and is now widely used.

There are five important services in PGP:

• Authentication (Sign/Verify)
• Confidentiality (Encryption/Decryption)
• Compression
• Email compatibility
• Segmentation and Reassembly

Following are the steps taken by PGP to create secure e-mail at the sender site:
• The e-mail message is hashed by using a hashing function to create a digest.
• The digest is then encrypted to form a signed digest by using the sender's private
key, and then signed digest is added to the original email message.
• The original message and signed digest are encrypted by using a one-time secret
key created by the sender.
• The secret key is encrypted by using a receiver's public key.
• Both the encrypted secret key and the encrypted combination of message and digest
are sent together.

Following are the steps taken to show how PGP uses hashing and a combination of
three keys to generate the original message:
• The receiver receives the combination of encrypted secret key and message digest.
• The encrypted secret key is decrypted by using the receiver's private key to get the
one-time secret key.
• The secret key is then used to decrypt the combination of message and digest.
• The digest is decrypted by using the sender's public key, and the original message is
hashed by using a hash function to create a digest.
• Both the digests are compared; if both of them are equal, it means that all the
aspects of security are preserved.
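
The sender and receiver steps listed above, as an added Python example that is not part of the original notes. To run with the standard library only, it substitutes textbook RSA over small constructed keys and a SHA-256 keystream for the real public-key and symmetric ciphers, so it shows the order of operations rather than usable cryptography; all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537                                   # public exponent shared by both demo keys


def rsa_keypair(p, q):
    """Textbook RSA from two primes; returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demo keys built from known Mersenne primes: far too small for real use.
SENDER_N, SENDER_D = rsa_keypair(2**127 - 1, 2**89 - 1)
RECEIVER_N, RECEIVER_D = rsa_keypair(2**107 - 1, 2**61 - 1)
SIG_LEN = (SENDER_N.bit_length() + 7) // 8  # bytes needed to hold a signed digest


def digest_int(message, n):
    """Hash the message; reduced mod n only because the demo modulus is small."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def pgp_send(message):
    # Sender steps 1-2: hash the message, sign the digest with the sender's private key.
    signed_digest = pow(digest_int(message, SENDER_N), SENDER_D, SENDER_N)
    bundle = signed_digest.to_bytes(SIG_LEN, "big") + message
    # Step 3: encrypt message + signed digest under a one-time secret key.
    session_key = secrets.token_bytes(16)
    enc_bundle = keystream_xor(session_key, bundle)
    # Step 4: encrypt the one-time key with the receiver's public key.
    enc_key = pow(int.from_bytes(session_key, "big"), E, RECEIVER_N)
    return enc_key, enc_bundle              # step 5: both parts travel together


def pgp_receive(enc_key, enc_bundle):
    # Recover the one-time key with the receiver's private key, then decrypt.
    session_key = pow(enc_key, RECEIVER_D, RECEIVER_N).to_bytes(16, "big")
    bundle = keystream_xor(session_key, enc_bundle)
    signed_digest, message = int.from_bytes(bundle[:SIG_LEN], "big"), bundle[SIG_LEN:]
    # Open the signed digest with the sender's public key and compare digests.
    recovered = pow(signed_digest, E, SENDER_N)
    return message, recovered == digest_int(message, SENDER_N)


def demo():
    enc_key, enc_bundle = pgp_send(b"Meet at 10:00 in room 4.")
    message, authentic = pgp_receive(enc_key, enc_bundle)
    # One bit changed in transit: the recomputed digest no longer matches.
    flipped = enc_bundle[:-1] + bytes([enc_bundle[-1] ^ 0x01])
    _, authentic_after_change = pgp_receive(enc_key, flipped)
    return message, authentic, authentic_after_change


if __name__ == "__main__":
    print(demo())
```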

9. Explain the working of IPsec Architecture with the help of a neat diagram

source: ( dcet notes , https://www.geeksforgeeks.org/ip-security-ipsec/ )

Internet Protocol security (IPSec) is a framework of open standards for
protecting communications over Internet Protocol (IP) networks through the use of
cryptographic security services. IPSec supports network-level peer authentication,
data origin authentication, data integrity, data confidentiality (encryption), and replay
protection.

• Architecture: Covers the general concepts, security requirements, definitions, and
mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and general issues
related to the use of the ESP for packet encryption and, optionally, authentication.
• Authentication Header (AH): Covers the packet format and general issues related
to the use of AH for packet authentication.
• Encryption Algorithm: A set of documents that describe how various encryption
algorithms are used for ESP.
• Authentication Algorithm: A set of documents that describe how various
authentication algorithms are used for AH and for the authentication option of ESP.
• Key Management: Documents that describe key management schemes.
• Domain of Interpretation (DOI): Contains values needed for the other documents
to relate to each other. These include identifiers for approved encryption and
authentication algorithms, as well as operational parameters such as key lifetime.

Components of IP Security
It has the following components:

• Encapsulating Security Payload (ESP)
• Authentication Header (AH)
• Internet Key Exchange (IKE)

1. Encapsulating Security Payload (ESP): It provides data integrity, encryption,
authentication, and anti-replay. It also provides authentication for payload.

2. Authentication Header (AH): It also provides data integrity, authentication, and
anti-replay and it does not provide encryption. The anti-replay protection protects
against the unauthorized transmission of packets. It does not protect data
confidentiality.

3. Internet Key Exchange (IKE): It is a network security protocol designed to
dynamically exchange encryption keys and find a way over Security Association
(SA) between 2 devices.

Working on IP Security

The host checks if the packet should be transmitted using IPsec or not. This packet
traffic triggers the security policy for itself. This is done when the system sending the
packet applies appropriate encryption. The incoming packets are also checked by the
host to see whether they are encrypted properly.

Then IKE Phase 1 starts, in which the two hosts (using IPsec) authenticate themselves
to each other to start a secure channel. It has two modes: Main mode, which provides
greater security, and Aggressive mode, which enables the host to establish an IPsec
circuit more quickly.

The channel created in the last step is then used to securely negotiate the way the IP
circuit will encrypt data across the IP circuit.
Now, the IKE Phase 2 is conducted over the secure channel in which the two hosts
negotiate the type of cryptographic algorithms to use on the session and agree on
secret keying material to be used with those algorithms.

Then the data is exchanged across the newly created IPsec encrypted tunnel. These
packets are encrypted and decrypted by the hosts using IPsec SAs.
When the communication between the hosts is completed or the session times out
then the IPsec tunnel is terminated by discarding the keys by both hosts.


“Apologies for any trouble from my side over the last 4 years”

-Safwan Rasheed
