Basics of Networking:

Open system:
A system which is connected to the network and is ready for communication.

Closed system:
A system which is not connected to the network and can’t be communicated with.

Computer Network:
It is the interconnection of multiple devices, generally termed as Hosts connected using
multiple paths for sending/receiving data or media.
There are also multiple devices or mediums which helps in the communication
between two different devices which are known as Network devices.
Ex: Router, Switch, Hub, Bridge.

Network Devices:
1. Repeater: A repeater operates at the physical layer. Its job is to regenerate the signal over the
same network before the signal becomes too weak or corrupted to extend the length to which
the signal can be transmitted over the same network. An important point to be noted about
repeaters is that they do not amplify the signal. When the signal becomes weak, they copy
the signal bit by bit and regenerate it at the original strength. It is a 2-port device.

2. Hub: A hub is basically a multiport repeater. A hub connects multiple wires coming from
different branches, for example, the connector in star topology which connects different
stations. Hubs cannot filter data, so data packets are sent to all connected devices. In other
words, collision domain of all hosts connected through Hub remains one. Also, they do not
have intelligence to find out best path for data packets which leads to inefficiencies and
wastage.

3. Bridge: A bridge operates at data link layer. A bridge is a repeater, with add on functionality
of filtering content by reading the MAC addresses of source and destination. It is also used
for interconnecting two LANs working on the same protocol. It has a single input and single
output port, thus making it a 2-port device.
Types of Bridges
▪ Transparent Bridges: - These are the bridge in which the stations are completely unaware of
the bridge’s existence i.e. whether a bridge is added or deleted from the network,

Prachi P. Agrawal
 reconfiguration of the stations is unnecessary. These bridges make use of two processes i.e.
bridge forwarding and bridge learning.
▪ Source Routing Bridges: - In these bridges, routing operation is performed by source station
and the frame specifies which route to follow. The host can discover frame by sending a
special frame called discovery frame, which spreads through the entire network using all
possible paths to destination.

4. Switch: A switch is a multi-port bridge with a buffer and a design that can boost its efficiency
(large number of ports imply less traffic) and performance. Switch is data link layer device. Switch can
perform error checking before forwarding data, that makes it very efficient as it does not forward
packets that have errors and forward good packets selectively to correct port only. In other words,
switch divides collision domain of hosts, but broadcast domain remains same.

5. Routers: A router is a device like a switch that routes data packets based on their IP
addresses. Router is mainly a Network Layer device. Routers normally connect LANs and WANs
together and have a dynamically updating routing table based on which they make decisions on
routing the data packets. Router divide broadcast domains of hosts connected through it.

6. Gateway: A gateway, as the name suggests, is a passage to connect two networks

together that may work upon different networking models. They basically work as the messenger
agents that take data from one system, interpret it, and transfer it to another system. Gateways are
also called protocol converters and can operate at any network layer. Gateways are generally more
complex than switch or router.

The layout pattern using which devices are interconnected is called as network topology.
Such as Bus, Star, Mesh, Ring, Daisy chain.

Layers of OSI Model:

OSI stands for Open Systems Interconnection.

Prachi P. Agrawal
 1. Physical Layer (Layer 1): The lowest layer of the OSI reference model is the physical layer. It is
responsible for the actual physical connection between the devices. The physical layer
contains information in the form of bits. When receiving data, this layer will get the signal
received and convert it into 0s and 1s and send them to the Data Link layer, which will put
the frame back together. Hub, Repeater, Modem, Cables are Physical Layer
devices.

2. Data Link Layer (DLL) (Layer 2): The data link layer is responsible for the node to node
delivery of the message. The main function of this layer is to make sure data transfer is error
free from one node to another, over the physical layer. When a packet arrives in a network, it
is the responsibility of DLL to transmit it to the Host using its MAC address.
Data Link Layer is divided into two sub layers: Logical Link Control (LLC) and Media Access
Control (MAC).
• Packet received from Network layer is further divided into frames depending on the
frame size of NIC (Network Interface Card). DLL also encapsulates Sender and
Receiver’s MAC address in the header.
• The Receiver’s MAC address is obtained by placing an ARP (Address Resolution
Protocol) request onto the wire asking, “Who has that IP address?” and the destination
host will reply with its MAC address.
Switch & Bridge are Data Link Layer devices.

3. Network Layer (Layer 3): Network layer works for the transmission of data from one host to
the other located in different networks. It also takes care of packet routing i.e. selection of
shortest path to transmit the packet, from the number of routes available. The sender &
receiver’s IP address are placed in the header by network layer.
Network layer is implemented by networking devices such as routers.

4. Transport Layer (Layer 4): Transport layer provides services to application layer and takes
services from network layer. The data in the transport layer is referred to as Segments. It is
responsible for the End to End delivery of the complete message. Transport layer also
provides the acknowledgement of the successful data transmission and re-transmits the data
if error is found.
• Connection Oriented Service: It is a three-phase process which include
– Connection Establishment
– Data Transfer
– Termination / disconnection
In this type of transmission the receiving device sends an acknowledgment, back
to the source after a packet or group of packets is received. This type of
transmission is reliable and secure.
• Connection less service: It is a one phase process and includes Data Transfer. In
this type of transmission, the receiver does not acknowledge receipt of a packet.
This approach allows for much faster communication between devices.
Connection oriented Service is more reliable than connection less Service.

Prachi P. Agrawal
 5. Session Layer (Layer 5): This layer is responsible for establishment of connection,
maintenance of sessions, authentication and ensures security.

6. Presentation Layer (Layer 6): Presentation layer is also called the Translation layer. The data
from the application layer is extracted here and manipulated as per the required format to
transmit over the network.

7. Application Layer (Layer 7): At the very top of the OSI Reference Model stack of layers, we
find Application layer which is implemented by the network applications. These applications
produce the data, which must be transferred over the network. This layer also serves as
window for the application services to access the network and for displaying the received
information to the user.

Networking Protocols:
1. Transmission Control Protocol (TCP):
• connection-oriented protocol.
• defines how to establish and maintain a network conversation via which application
programs can exchange data.
• works with the Internet Protocol (IP), which defines how computers send packets
of data to each other.
2. Internet Protocol (IP):
https://www.youtube.com/watch?v=ThdO9beHhpA

https://www.youtube.com/watch?v=8npT9AALbrI
• is the method by which data is sent from one computer to another on the Internet.
• IP is a connectionless protocol.
• Two types:
o IPv4:
▪ 32-bit unique address.
▪ divided into five sub-classes: Class A, B, C, D, E.
▪ 4 sets of 8bits
▪ divided into two parts:
• Network ID
• Host ID
o IPv6:
▪ 128-bit hexadecimal address (uses numbers and alphabets)
▪ 340 undecillion addresses
▪ 8 sets of 16bits
3. User Datagram Protocol (UDP):
• Connectionless protocol
• enables process-to-process communication
• UDP just sends the packets, which means that it has much lower bandwidth
overhead and latency.

Prachi P. Agrawal
 4. Address Resolution Protocol (ARP):
https://www.youtube.com/watch?v=cn8Zxh9bPio&t=85s

5. Domain Name Systems (DNS):

Resolves Domain name to IP addresses.
https://www.youtube.com/watch?v=mpQZVYPuDGU

6. Dynamic Host Configuration Protocol (DHCP):

https://www.youtube.com/watch?v=e6-TaH5bkjo

7. Internet Control Message Protocol (ICMP):

Error reporting protocol
https://www.youtube.com/watch?v=TV4ooT2BQT4

https://www.youtube.com/watch?v=glPuwhMNQ2s

8. File Transfer Protocol (FTP):

https://www.youtube.com/watch?v=U0LzX_tTiNw

9. Hypertext Transfer Protocol (HTTP/HTTPS):

10. Secure Socket Layer (SSL)/ Transport Layer Socket (TLS):

11. Simple Mail Transfer Protocol (SMTP):

12. Network Address Translation (NAT):

Types of Attack in Network:

1. Denial of Service Attacks:
https://www.youtube.com/watch?v=YcH7qx6HTII
2. Replay Attack:
https://www.youtube.com/watch?v=ZeuWpL-7EwY

Prachi P. Agrawal
 Advanced IT Security
Chapter 1: Introduction to IT Security

• What is IT Security?
Protection of information and information systems against unauthorized access and
modification and availability of resources to the legitimate users including measures
to thwart, discover or log treats.
Protection against unauthorized access must be ensured during storage,
processing and in transit.

• Aims of IT Security?
1. Confidentiality: Protection of information against unauthorized access.
i.e. Only those people those are supposed to access a file should be able to
access that file and no other person.
2. Integrity: Protection against unauthorized modification of information.
E-mail must be send to the correct person and no one must be able to modify it.
3. Availability: Resources and services should be available for the legitimate users.
E.g. Amazon downtime
4. Authentication: Unambiguous identification of the sender of the information or
communication peer.
We know the person whom we are talking to. E.g. I know if I am talking to my
friend that the person is he/she.
5. Non-repudiation: Ability to prove that certain information was send by whom to
a third party who was not involved in the communication.
e.g. Digital Signature
6. Authorization: Only a certain group of authenticated users can access the
resources.
e.g. Company Database

• Passive Attacks?
Attacks that are not done intentional and do not have any kind of traces about how
and who has done it. E.g. such as snooping or wiretapping.
It can be prevented just by being little paranoid about discussing things in
public and protect information.

• Active Attacks?

Prachi P. Agrawal
 Attackers have an active participation in manipulating the data and there are always
some traces that are left which can be detected and corresponding preventive
measures can be taken.

• Security Vulnerabilities?
Errors that are introduced in the software process. There are different reasons why
vulnerability gets introduced in a software,
1. Error in requirement: IT security is not at all taken into consideration.
2. Error in design: Specifications are designed wrongly.
3. Error in implementation: Improper implementation.
4. Error in installation and administration: Mistakenly or purposely
switching off the security feature.

• IT security Phase?
IT security is a continues process and needs to be checked and adapted as per the
changes made by the companies in their server or security aspects.
IT security follows a Plan-Do-Check-Act cycle to have a continues ongoing
process.

Prachi P. Agrawal
Chapter 2: Complexity Theory

• What is a Problem?
Mapping from a set of inputs and to a set of outputs.
e.g. Sorting, Prime number, RSA inversion.
• an algorithm?
An Algorithm consists of a finite number of instructions.
The execution of an instruction is called step. An algorithm must fulfil the following
five properties:
• Finiteness: For every input, an algorithm always terminates after a finite
number of steps.
• Definiteness: Each step precisely defined, actions to be carried out are
unambiguously specified.
• Input
• Output
• Effectiveness: Sufficiently basic instructions to be carried out exactly and
in finite time
• a decision problem?
is a problem with some input I, such that for each input in the input domain, output is either
YES/NO.
• decidable problem?
A Problem is decidable, if there exists an algorithm that would deterministically solve the
problem in finite no. of steps.
• Decidable decision problem?
if there exists an algorithm/mapping that can decide for each given input, whether the
output is YES/NO and terminates after finite number of steps.
There is no constraint on the run-time complexity of the problem. (i.e. no constraint
on when the problem should finish).
• Practically decidable decision problem?
Among the available decidable decision problems, only few problems can be algorithmically
solved in an acceptable finite time and such problems are called practically decidable
decision problems.

Prachi P. Agrawal
 • Undecidable problems?
cannot be algorithmically solved.
e.g. Halting problem, Totality problem, Equivalence problem.

• Halting Problem

There is no algorithm which can solve halting problem. The proof for the same is done using
contradiction.

Proof: Assume we have an algorithm which can solve halting problem HALT ()

The program HALT () takes the program P and Input ‘w’ as the input parameters.
The algorithm halts => when return value is 1
The algorithm loops => when return value is 0

Now, we take another algorithm ABSURD () which takes program P as the input and calls the
algorithm HALT () inside it.

Prachi P. Agrawal
 Here, if a is yes => ABSURD goes in infinite loop
Else, halts.
The ABSURD () does exact opposite of what the HALT () does.
i.e.
if P terminates with itself => Halt (P, P): yes => Absurd (P): no i.e. STUCK
if P does not terminate with itself => Halt (P, P): no => Absurd (P): Yes i.e. NOT STUCK

Suppose, we call absurd with itself like absurd(absurd) then,

We see that absurd(absurd) gets stuck, when Halting Problem says it should not & vice versa.
Thus, there is no algorithm to solve halting problem.

• Totality Problem

• Equivalence Problem

• Trivial
denoting a subgroup that either contains only the identity element or is identical with the
given group.

• Non-trivial
Nontrivial is a favourite word among programmers and computer people for describing any
task that is not quick and easy to accomplish. It may mean "extremely" difficult and time
consuming.

• RICE’s Theorem
Any non-trivial run time property of a program cannot be algorithmically solved. i.e. there is
no restriction to the time limit to solve the problem.
e.g. Halting Problem.

Prachi P. Agrawal
 • Big O-notation?
the running time grows at most this much, but it could grow more slowly.
Linear growth is better than exponential growth.
Factorial growth in running time complexity is worse.

• Run-time Complexity?
✓ We measure run time complexity by taking maximum running time for a given input
size.

Prachi P. Agrawal
 ✓ Run time complexity is measured a function of size of the input.
✓ As we have seen from Big O-notation and all that, a polynomial running time
complexity is better than having exponential running time complexity.
✓ Example of exponential increase in run time complexity is: Tower of Hanoi (very well
explained in: https://www.youtube.com/watch?v=q6RicK1FCUs&t=439s)

• Determinism?
Determinism means, there is no choice, the path is fixed and is predetermined.

• Non-determinism?
It means, we have a choice, there is no predetermined path and can have multiple options
out of which one path may lead to success or all may lead to a reject state.

• Turing Machine
A turning machine consists of an infinitely long tape open on both the ends, a read/write
head and a finite state machine.

A transition function,

There are two types of Turning Machine:

❖ Deterministic Turing Machine (DTM):
It is a tuple consisting of, M = {Q, Σ, Γ, ѣ , δ, q0,qY,qN}
Where,

o Run time complexity of Turing machine on input of size n is , tM(n) = O( f(n) )

o In DTM, if the path leads to final state YES => input is accepted
o if the path leads to final state NO => input is rejected

❖ Non-deterministic Turing Machine (NDTM):

It is a tuple consisting of, M = {Q, Σ, Γ, ѣ , δ, q0,qY,qN}
Where,

Prachi P. Agrawal
 o More than one choice is available
o If at least one path leads to YES => input is accepted
o If one path leads to NO, other paths are checked. If all the paths lead to NO
then only the input is rejected.
Every Deterministic algorithm can also be solved with a non-deterministic Turing machine.

• P problem?
Set of decision problems which can be solved using a Deterministic Turning Machine in a
finite time are called P problems.

• NP problems?
Set of decision problems which can be solved using a Non-Deterministic Turning Machine in
a finite time are called NP problems.

• NP-complete problems?
A problem ‘L’ is said to be NP-complete if,
o The problem belongs to the class of NP-problems i.e. it can be solved using a NDTM
in polynomial time.
o All other problems in the class NP can be polynomially reduced to the problem ‘L’.

If any one problem ‘L’ in NP-complete is a subset of class P problems then, we can say that,
P=NP
Else, P! = NP
• NP-hard problems?

TSP

Prachi P. Agrawal
HALTING
PROBLEM
 The problem P is NP-hard, if all the problems in NP-class can be polynomially reduced to
problem P.

• Polynomial Reduction?
If we have a solution to any one problem in NP-complete class, then we can reduce all the
other problems in that class to this solved problem and the reduction should take
polynomial time.
L1 ≤ L2 => L1 is reducible to L2 => L1 can be solved using L2

Prachi P. Agrawal
 Polynomial reducibility also follows the law of transitivity,
i.e. if L1 <= L2 and L2 <= L3 then L1 <= L3

• Travelling Salesman Problem (TSP)

It is a NP-complete problem.

Prachi P. Agrawal
 https://www.youtube.com/watch?v=XaXsJJh-Q5Y

• TSP-D

Prachi P. Agrawal
 • TSP-D <= TSP
(i.e. we use TSP to solve TSP-D)

• TSP <= TSP-D

(i.e. use TSP-D to solve TSP)

This is comparatively not easy but can be done in polynomial time though.

Here,
➢ The minimum cost is obtained using a binary search algorithm and the time
complexity for it is log2(B).
➢ The path is not obtained from the binary search step, so we manipulate the n*n
distance matrix to find the optimal path.
o We substitute the values in the matrix with the value Bmin + 1 and compute
the TSP-D.
o If, TSP-D computes yes, it’s a part of minimal path, otherwise not.
o The time complexity of solving this is (n^2 – n) /2.
Thus, the time complexity of polynomial reduction of TSP-D to solve TSP is O(n^2).

Prachi P. Agrawal
 • Cook’s Theorem
Any Problem in class NP can be reduced in polynomial time by a DTM to the

• SAT
It is first NP-complete problem.

Literals: x1, x2, …. Xi

Clause: OR catenation of the literals (x1 v x2 v x3’ v …. v xi).
✓ The Clause is satisfiable, when there exists a truth assignment such that the
clause is satisfied. i.e. c1= {x1 v x2} is equal to 1.
✓ The set of clauses c = {c1, c2, c3} is said to be satisfiable when there exists a
truth assignment such that all the clauses are satisfied.
o Here, the set of clauses c has a conjunction of the clauses.

Definition:

• 3SAT

• SAT <= 3SAT

(Solving SAT using 3SAT)
A 3SAT problem is already a SAT problem so we don’t have to reduce anything.

Thus, as SAT is NP-complete problem,

3SAT is also NP-complete problem

• 3SAT <= SAT

(solving 3SAT using SAT)

If we have an instance of SAT problem, we can convert it to the instance of 3 SAT

problem and this instance of 3SAT problem is satisfiable only if the original instance
of SAT problem is satisfiable.

Prachi P. Agrawal
Prachi P. Agrawal
 • 3-Dimensional Matching

3-SAT ≤ 3-DMP: 3SAT can be polynomially reduced to 3DMP

And thus, 3DMP is NP-complete problem.

• Vertex Cover

i.e. it is the minimum number of vertices that cover all the edges in the graph.
3-SAT ≤ VCP: 3SAT can be polynomially reduced to VCP
And thus, VCP is NP-complete problem.

Prachi P. Agrawal
Chapter 3: Cryptography

• What is cryptography?
The study of mathematical techniques related to the aspect of information security
such as confidentiality, data integrity, data origin authentication and entity
authentication.

First person to use cryptography : Ceaser ( he used monoalphabetic technique which

is also known as ceaser’s cipher)

The data is encrypted using a encryption key and a encryption method and during
decryption, the decryption key along with the decryption method is used to obtain
back the plain text.
Cryptography ensures: Confidentiality

• Types of cryptography?
There are basically three types of cryptography:
1. Substitution Cipher: Also known as monoalphabetic substitution.
Here, a symbol or a group of symbols is substituted by another symbol or a group
of symbols. The order of the letters/symbols is preserved.

As, in this case, we shifted the letters three positions and obtained a new
encrypted text.

2. Transposition cipher: The actual letters/symbols in the plain text are not
changed, but instead they are shifted around, transposed and then the placed in
columns of a matrix and read with the rows.

Prachi P. Agrawal
 3. Product cipher: It is the combination of both the substitution and transposition
ciphering methods.

• Kirchhoff’s law?
Cryptography helps to secure the network.
Cryptography consists of

Method Key

So according to the law, the secrecy of the message should not depend on the
secrecy of the method and should only depend on the secrecy of the key.
Thus, the method is kept public and only the key is kept private as it is
difficult to expose a key than a method.

• Security of Encryption Schemes

1. Cryptanalysis: Breaking Cryptographic techniques.
2. Brute-Force-Attack: Trying out all possible decryption keys until we find the
correct key.

Suppose, we have a computer which can test 1,000,000 keys per second, so if we
have a decryption key of 16 bits it will take only 0.07 seconds to try out all the
combinations and decrypt the data.
Thus, it is necessary to use higher number of bits so that it becomes
increasingly difficult for even a powerful machine to try out all the possible keys.
From, the table we can see that key size above 128bits can be considered
comparatively safer as it takes very long time.

Prachi P. Agrawal
 3. Statistical properties of the language: In monosubstitution cipher, the statistical
properties of the original language get propagated.

Size of key space alone is insufficient criterion for judging the security of a
cryptosystem.

• One Time Pad (OTP)

Here, the length (key) = length (cipher text/plain text)

A one time pad is completely random sequence of 1’s and 0’s and it is assumed to
have never occurred again (atleast on purpose it will never be repeated).

The cipher text is obtained by X-ORing the plain text with the randomly generated
one-time pad. The special property of X-OR is that, it is self-inversible (i.e. when we
X-OR the cipher text again with the one-time pad, we will get back the plain text).
10110011
X-OR 1 0 1 1 1 0 0 0
00001011

Prachi P. Agrawal
 And, when we reverse the operation we will get the plain text back.

It is considered to be safe because,

➢ There is no means to decrypt a message and that happens because,
whatever we assume our plain text to be, we will always have a
onetime pad which will give the assumed plain text.
➢ Also, the length of the one time pad is same as the length of the
cipher text because of which brute force attack is nearly impossible.
➢ As, the one time pad is completely random, there is no such property
that is propagated and which can be studied and analysed further to
break the encryption.

But, the problem with one time pad is that,

➢ As the length of the text increases, the one time pad is of the same length
and is generated each time there is some exchange of message and this
results in lot of memory wastage.
➢ Secondly the most important one is, sharing the one time pad. It is very
necessary that the one time pad is exactly the same during encryption
and decryption and the problem comes when we want to communicate
the one time pad to the person on the other side.

• Encryption Schemes
o Symmetric Encryption

As, we can see from the diagram, we use the same key during the encryption
and decryption.
i.e. Encryption key = Decryption key

Data Encryption Scheme (DES) and Advanced Encryption Scheme (AES) use
symmetric encryption.
AES here is explained by using Rijndael-Chiffre: It consists of an initial round,
9 main rounds where the data is transposed, shifted and one final round.

Prachi P. Agrawal
 The problem with Symmetric Key is again the one which we read in one time
pad, that is, we cannot easily share the key over the channel as eavesdropper
can easily obtain the key.

The advantage here is, it is fast and effective.

o Asymmetric Encryption (Public-Private Key)

The drawback we saw in symmetric encryption can be overcome in this
technique.

Here, a pair of public key and private key is used, and they only work with
each other and not individually.

Public key is publically available and everyone can use it. But, only the person
having the private key can decode the encryption using the private key.

Communication using Public-private key is done something like,

The person who wants to receive the message will send out his public key on
the network. And then the sender will encrypt the message with the
Prachi P. Agrawal
 receiver’s public key and send back to him. The receiver will then use his
private key to decrypt the message.
If the recipient wants to replay the communication of message then
he needs to use different pair of public and private key.

So, the advantage here is that, even if the hacker listens to the
communication in between, he will just have a public key and an encrypted
message. But, he has no means to obtain the private key and it is only with
the person who actually should have it. And thus, this method is highly
secure.

The problem here is, it is slow and computationally intensive.

• SSL/TLS
Secure Socket Layer/Transport Layer Security uses the hybrid method, i.e.
combination of symmetric encryption and public-private key method.

The diagram itself is self-explanatory. After the session key is exchanged, there is
symmetric encryption method going on as the session key was just with A and B they
have established a secure communication network.

Prachi P. Agrawal
 • Modes of Operation
If we want to transmit more than 128-bits, we use modes of operation.

1. Electronic Code Book (ECB):

The plain text blocks are divided into 128bits blocks.

➢ Equal plain text blocks will have equal cipher text blocks, and this is
not recommended.
➢ If the cipher text is modified by the attacker, the same will reflect in
the plain text and would be unpredictable.

2. Cipher Block Chaining (CBC):

Prachi P. Agrawal
 ➢ One encryption depends on the previous block.
➢ Same plain text will have different cipher blocks.
➢ Message can be decrypted from any part but not encrypted.

What would happen if a cipher text block here goes missing?

We cannot decrypt the block and the next block as it depends on the previous
block, but the blocks after that can be decrypted as we will have the cipher text
block.
Thus, if one cipher text block is missing during decryption, it will affect 2
blocks.

3. Cipher Feedback Mode (CFB):

Prachi P. Agrawal
 ➢ Block is divided when we want to encrypt individual bits.
➢ We use encryption scheme to generate something like OTP but not
exactly random, but pseudo random.
➢ We don’t want to transmit all the 128bits but just some ‘I’ bits and so we
do the X-OR of random sequence with ‘I’ bits of plain text to obtain i-bit
long cipher text.
➢ We them do i-bit left shift and again do the encryption of next i-bits.
➢ We can observe that, in decryption method, we again use the same
encryption key instead of decryption key and this is because,
o We want to have the same X-OR operation on the bits.

4. Output Feedback Mode (OFB):

Prachi P. Agrawal
 ➢ The difference here is,
o The cipher text block is not used to fill the register but the output result.
o Here, the actual transmitted bits are not going to actual encryption
operation.
o The disadvantage here is, if we use same register felling and same key then
we get same pseudo random values.

Prachi P. Agrawal
Chapter 4: Authentication

• Authentication
Unambiguous identification of the sender of the information or a communication
peer.

• Factors of Authentication
1. What you know: e.g. Password, PIN, TAN
There is something which is known only known by you and the system against
which you are authenticating.
2. What you have: e.g. ATM card, Smart Card, Tokens, Credit Card
We need to have this object to authenticate yourself.
3. What you are: e.g. Biometer, finger print
Property possessed by humans.

• Two Factor Authentication

Using two factors from the above while authenticating. It is important because, if
there is a attack on any one of the factors, the attacker still cannot still the
information till the point he has the another factor accompanying it.
e.g. ATM card along with the PIN.

• Password Security
A password is a shared secret which the person to be authenticated and the system
against which he/she authenticate possess.

The security of password depends upon various factors such as,

o Password size, domain, choice of password policies:

If the size of the password is small, the brute force attack is easily carried out.
Thus, its better to have a long password.

Prachi P. Agrawal
 o Security of storing password:
The passwords need to be stored securely by using tools such as password
gorilla, password safe, etc.
Also, we should see to it that all the passwords are not the same.

Passwords are stored on the server side in encrypted form, and during
decryption, a cryptographic hash function is used.

A cryptographic hash function converts some input of arbitrary length into a

characteristic sequence of bits and it is as characteristic as finger print is to
the human beings. It has a fixed length.

So instead of storing the entire password, a cryptographic hash of the

password can be stored and when the user enters the password, the system
computes the hash of it, compares it with the one which it has and if its equal
then authenticates the user.

o Security while entering or transmitting password:

Cryptographical hash function converts some input of arbitrary length into a
characteristic string of fixed length.

The password can be overlooked by the attacker while entering or also

sometimes is recorded by the key strokes.
While transmitting the password, we can transmit the hash of the
password instead of transmitting the entire password clearly.

• Challenge Response using Password

Prachi P. Agrawal
 In this case, the password is never send on the communication network on the clear
and stays only with A and B.

• Disadvantages of Password
1. They are static and are changed once in a while when the user is forced to
change it.
2. Unlike Tokens or smart cards, there is no indication if the password is stolen until
there happens something wrong.

• Biometry
The unique features of the human body are considered such as finger print, iris scan,
etc.
But again, there are certain problems with this,
o The number of features in human body are very limited and very less than
the passwords.
o Not always the finger print is exact bit-by-bit. So there has to be certain
approximations made while considering those features which many a times
results in False negative (where the person is the actual person who is
authentic, but the system throws an error) or False positive (where the
person is the attacker, but the system approves the request) and thus having
a proper balance between the two is very important.
o It is very easy to get the finger print of a person as we leave them on several
things in our da-to-day life.
o It is not easy to change the finger print as easily as the password.

• Authentication by Symmetric Key

Prachi P. Agrawal
 It is like challenge response scheme which is used for tokens and smart cards. Here, the
problem is not that the attacker can/cannot get the symmetric key, but the important
issue here is, B is not sure if it is actually talking to A or not.

To overcome this problem, we use public-private key pair. But, to obtain authentication
of who is part of the connection we use the private key of the sender to encrypt the
message and the public key is used for decryption.
Even if this hampers confidentiality, it gives us authenticity.

• Authentication using public-private key method

So, if the message is encrypted by A’s private key and B has the public key of A, then B
can authenticate easily that the message was send by A.
Thus, whoever has the public key of A, will be able to find that the message was send
by A and thus, this is known as the digital signature of A.

• Digital Signature
If the sender encrypts the information by his private key then everyone including the
court of law can verify that the piece of information was send by a particular sender by
using its public key.
Thus, Digital signature also helps in proving non-repudiation.

Prachi P. Agrawal
 While doing the digital signature, the entire information is not signed by the private key
of the sender, instead only a piece of the information obtained by hashing the message
is signed.
A hash function is a characteristic sequence of bits of a fixed length and it is as
characteristic to a message as finger print is to humans.

Here, a hash of plain text is signed with the private key of the sender of the information
and the hashed cipher text is generated which is shared. The recipient then can use the
public key and obtain the hashed plain text.
The sender also sends the hashed plain text directly to the recipient and now the
receiver compares the two hash texts he has received and if they are equal then it
authenticates that the information was send by a particular sender.

Different hash functions used are MD5, SHA-I, SHA-256, etc.

If we have a message and a hash function for that message which gives some hash value,
then it is very difficult to find another message which will have a same hash value.

Using Cryptool, professor showed that, even if a slight change is made in the data, the
hash function changes considerably.

The aims of Digital Signature is to provide, authentication, non-repudiation and integrity.

The drawbacks of digital signature is, that public key is not known from before.

• Certificate Authority
A digital certificate is a small data file used as an Internet security technique through
which the identity, authenticity and reliability of a website or Web application is
established.
A certificate authority (CA) is a trusted entity that issues digital certificates.

Prachi P. Agrawal
 The public key can be shared in a secure manner if it is signed by a certificate
authority.

The information about someone’s identity and its public key is digitally signed by the
certificate authority( CA).

What the CA does is,

➢ It takes the certificate request of the user who wants itself to get authenticated
sends its private key to CA, computes hash on the user’s public key and then
encrypts it with CA’s own private key.

There is a hierarchy of CA’s

Prachi P. Agrawal
The Root CA is the one who signs his own certificate and are generally built-in in our OS and
browsers.

Advantages:
➢ Certificates are publicly available.
➢ Certificates that are not valid anymore are in revoked certificate list.

Disadvantages:
➢ If CA gets compromised they can issue wrong certificates.

Certificates generally use X.509 standard and the various fields in a certificate are:
➢ Version number (hash function)
➢ Serial number (identifies the certificate uniquely)
➢ Validity
➢ Issuer
➢ Encryption Algorithm
➢ Public key and public key algorithm

LAB Experiment:

Server -------→ Client

Between client and server, we have CA server

1. Generate the certificate on the CA server using the openSSL which is the tool to
generate certificates.

Prachi P. Agrawal
 o openssl

2. createCA
(self signed certificate)
3. createCertificate 10.2.3.47(machine for which I want to generate the certificate)
(sign it with CA’s private key)

Thus, the certificate for 10.2.3.47 is generated

Now go to that machine and you can check in the book-keeping of that machine
that there is a certificate.

4. Cd demoCA/index.txt
5. Getcert
6. Start Apache (Enter the private key of CA)
7. Open Firefox
a. We have signed our own certificate and thus its not there in the OS or
browser and we need to add it.
8. If we want to revoke the certificate we use command ‘revokeCertificate’ followed by
the serial number of the certificate which we want to revoke.
9. We see that even after the revoke is done for the certificate of server 10.2.3.47, the
client can easily browse the website. For this, we need to activate the Online
Certificate Status Protocol (OCSP) and for that run on CA server the command,
a. Start OCSP

Prachi P. Agrawal
Chapter 5: OS/Application Security

Prachi P. Agrawal
Chapter 6: Network Security

Network security is important to be considered at all the layers of the communication.

There are several threats while communicating over a network.

Intercept:
The unauthorized third party gets access to the information over the channel.

Manipulate:
The third party can modify or manipulate the message and then can forward it the receiver,
that means the message which is received by the receiver is actually not send by the sender
in original.

Spoof:
The unauthorized third party can spoof a message (i.e. it may behave as if he is the sender
of the message and send some wrong message to the receiver) and the receiver has no clue
that the message was not from the authenticated sender.

Disrupt:
If you cannot hack it, break it. If the third party fails to intercept, manipulate or spoof the
information, they will simply break the communication by disrupting it and this is known as
denial of service attack.
Denial of service attack means disrupting the communication by some electronics
means.

Prachi P. Agrawal
 Example of how the data can be intercepted:

We have a Server(A) <->Router(R)<->Client(B)

Suppose the server and client want to connect and the router is listening to the
communication.

On server: StartPictureSocketServer
On client: go to browser and connect to the server using http
We see, the connection established between client and server

On router,
We see the connection establishment.
ARP messages where router requests the MAC address
TCP/IP 3 way handshake -> SYN, SYN/ACK, ACK
HTTP protocol and then the connection is closed

We see that, on the router we can follow the TCP stream and reconstruct the entire image
as it was not encrypted while the connection and thus, such informations can be heard and
manipulated by the attacker.

• Manipulation of Message

• Address Resolution Protocol (ARP) spoofing / MAC address spoofing

It is not very good when security is concerned.
It is easy to forge a MAC address and it cannot be detected easily.
It is not a good idea to use MAC address for authentication.

Prachi P. Agrawal
The way, ARP spoofing can be avoided is by using Static ARP cache.

• IP spoofing

Attacker A spoofs the IP address of B and sends the message to C.

The C then responds to the IP address, but that is the IP address of B and thus, all the data
from C will actually will be send to B. In this way, B can be overloaded by the traffic and the
traffic seems to be coming from a legitimate user C and B will get shut down. This is called
Denial of Service attack aimed at B by A.

• TCP sequence number attack

Prachi P. Agrawal
Vulnerabilities in TCP protocol make it easy to guess the sequence number.

• Phishing and Pharming

The purpose of both is same only the way they are carried out differs.

Phishing:
The client receives an email mentioning that the client needs to make some changes to
update few things related to new security rules and is somehow forced to click the link in
the mail.

When the user, clicks the link and the website looks exactly similar to the actual website and
when the user enters his login details, the attacker gets it and then can later use it.

Pharming/ Domain Name System (DNS) Spoofing:

The attacker somehow introduces a malware into the users machine and corrupts the
system, due to which the DNS of the bank gets resolved to a wrong IP address and then,
whatever actions the user performs gets recorded at the attackers machine and later is used
by the attacker.

To be careful against such pharming attacks we can check the certificates and the
authorities that have granted the certificate if they are valid or not.

• Security at the different layers in OSI model

1. Security at Application Layer:

Prachi P. Agrawal
 The data is encrypted at the application level itself and thus, later if there is no
secure channel ahead will also not harm the information because it is end-to-end
protected

The drawback is that, as the entire encryption is at the application level itself, we
cannot reuse the components in encryption and it also increases the complexity of
the application.

2. Security at Transport layer:

The diagram above is itself very self-explanatory.

The unencrypted data is handled by the application layer to the transport layer and
then encryption takes place at the transport layer.

The integrity is provided here with the help of digital signature. Also the advantage
here is, it can be used by multiple applications.

But, the drawbacks are, the security is not ensured end-to-end and if the recipient is
not in immediate next transfer, the data gets decrypted at the transport layer of the
intermediate server and then the data is passed over the unsafe network as the
original data which is highly unsecure.

3. Security at Network layer:

The security is not end-to-end.
The security is there only between the part of communication between two
immediate routers.
It is transparent to the transport layer and application layer and can be reused for
different mechanisms.

Prachi P. Agrawal
 The drawback is, as it is transparent to the application layer, the application has no
clue whether or not there is security mechanism on the network.

4. Security at Data Link layer:

It takes care of the data that is communicated between two stations and only
authenticated stations are there in your Local Area Network.
Allows to control which stations are granted access.

The drawback is, the protection is local to the LAN.

Prachi P. Agrawal
Chapter 7: Firewall
https://www.youtube.com/watch?v=Xj654WUdDFE&list=PLBbU9-
SUUCwV7Dpk7GI8QDLu3w54TNAA6&index=4

Before getting into more details of what is firewall and the different types of firewall, it is
very necessary to know why do we even need a firewall.
Suppose Frankfurt University has its own intranet which is protected against the
malwares and are safe to use but the internet outside the world of Frankfurt university is
not very safe. So when a person from the university intranet wants to connect to internet,
he/she can but we should not allow the machines in the world of internet to connect to our
systems in the intranet. Thus, to obtain this we need firewalls, which will restrict the data
coming from the internet into our university intranet.

The traffic from the internet heading towards the intranet is restricted based on certain
rules that are stored in the firewall.

• What is Firewall
A firewall is placed between the intranet and the internet and its restricts the traffic
between the two based on certain rules/policies.

Anyhow, firewalls cannot be trusted completely.

There are different types of firewalls:

❖ Packet Filtering Firewalls
❖ Application Level Gateways / Proxy Firewalls
❖ Hybrid Firewalls

Firewall just adds one more level of security.

Prachi P. Agrawal
 • Packet Filtering

➢ Packet filter is indispensable component of all firewalls.

➢ The header information that comes from the transport layer, i.e. the source IP
address, the destination IP address, the protocol used to transfer the data, port
number are used to filter the packets as wanted and unwanted.
➢ Packet filters operate as transparent devices when built in the bridge which operates
at the data link layer and in this case there is no change in the time to live field.

The packet filter consists of the chain of rules and whichever packet matches the rule, will
have to go through the action that is specified in that rule.
There can be various rules like, accepting a particular packet, dropping it or maybe
redirecting it to some new rule chain and if there is no match found, the packet has to go
through the default action which will be given.
In case of default action, there can be two possibilities, suppose the entire chain of
rules consists of all the actions of accepting the packet then the default action would be to
drop that packet and if incase the action in entire rule chain is to drop the packet then the
default would be to accept the packet.

The order of rules is very very very important parameter that needs to be considered during
the packet filtering configuration.

Prachi P. Agrawal
So as in this example we can see that the order of rules play a very important role.

** If all actions are accept and default action is drop or vice versa is it possible in this case?
➔ NO, because inorder to get different treatment of packets in this case,
the order of rule only matches if the specified actions in the rule can
differ.

There are two types of packet filters:

1. Static Packet filters:
They are also known as stateless mainly because it only takes the current packet
into consideration.

Here, we see that the SYN from the internet towards the intranet is blocked by
the firewall which is absolutely right but in the case were the connection is

Prachi P. Agrawal
 established already, the static firewall cannot distinguish between who had
initiated the connection and who had accepted it and now, both the peers which
are communicating are equal and thus, now the firewall doesn’t stop a incoming
data from internet even if it gets compromised.

2. Dynamic packet Filters:

They are known as stateful, because they also consider the information received
from the previous packet.

As in case of static packet filtering, the attackers cannot spoof the

communication in this case as it has the information about the previous packet
and of the source of the communication. Can also be used incase of UDP packets.

But, it is complex and expensive to implement Dynamic packet filters.

Limitations of Packet Filters:

1. No user or application specific filtering:

All the users using a particular machine will have the same rules on the firewall.
Thus, there is no user specific rule.

2. Use of only transport layer information:

The packet filters only taken into consideration the details about the route of
the packet and there is no rule about the information content in the payload
part of the incoming packet.

3. Applications having varying port numbers

4. Tunnelling and encryption:

In some protocols, we can tunnel the information by encapsulating it into an
another protocol. If the packets are now encrypted, the packet filters cannot
decrypt the packets.

• Network Address Translation (NAT)

NAT converts a private Ip address to a public IP address.

There are certain range of IP address that are fixed for private use and others are
available publicly.
The private IP address are generally employed by the intranets and it is not
possible to route to this IP address as they are not directly connected to the
network.

Prachi P. Agrawal
 So, if the machine with private IP address wants to connect to the internet, they
have to be converted in a form which can then access the internet and this can be
done in two ways,
❖ By using Application Level Gateways
❖ By using NAT and then applying packet filtering on the communication.

We have discussed three types of NAT:

1. Symmetrical NAT:
IP source address, destination address, transport protocol, source port,
destination port are all taken into consideration.

The disadvantage here is, they block the entire incoming connection and we
need certain rules to let them in and we can obtain it using firewall.

2. Cone NAT:
Ip address and port number of external ports are irrelevant and only the port
numbers of internal system are to be considered.
a. Cone NAT:
Anything coming to suppose port z on NAT IP address N will be
redirected to port x on A.
b. Restricted Cone NAT:
Anything coming from a single machine from public IP address having
port z on IP address N will be redirected to port x on A.
c. Port Restricted Cone NAT:
Only communication from a specific port of a specific machine in
public IP address destined to port z of N will be redirected then to port x on
A.

Prachi P. Agrawal
 The problem here is, they can communicate from outside if NAT is not
restricted and again firewall is needed.

• Linux Netfilter Architecture

Packet Filtering under Linux is done using netfilter.

Basically, there are three different chains,

➢ Input Chain
➢ Output Chain
➢ Forward Chain

The packets start in a chain depending on whether they are from a local process
outbound, directed to the local process or to be routed through the machine.

If the packet is not to be routed, it is destined to the machine and thus, will go
through the input chain and if accepted to the local process.

If the packet is generated in the local process and is to be send out to the outbound
interface.

And, when the packet is coming in and is not destined to the local process instead
needs to be routed out on another interface then the packet goes from the forward
chain. (We are mainly looking into the forward chain in our lab experiments).

Prachi P. Agrawal
 Firewall Lab Setup

In the lab scenario, there are,

Client: 192.168.1.100
Server: 10.2.4.37
Public Internet Server: 172.16.2.20
Client-to-public Router (router 1): 192.168.1.5 – 172.16.2.4
Public-to-server router (router 2): 172.16.2.5-10.2.4.1

1. If we just ping from our client to server

ping 10.2.3.47
And we check on wireshark on the public network we see that, there is ICMP request
and reply messages between the client and the server and we can also see Arp
messages from Router1 to router 2.
2. To check the routeing configuration,
route -N

We see that the default gateway is given and that all the traffic that will be routed from
here, will pass through the default gateway. So next, if we ping rom the public network to
our server, as the gateway is 172.16.2.4 and not 172.16.2.5, we see that there is an ICMP
redirect happening here.

Prachi P. Agrawal
On Router 2:
1. If we want to see the netfiltering configuration,
sudo iptables -v -L
We can see the three chains and also as of now we can see there are no rules
specified for any of the chains and even when we ping from client to server it works
same as we saw above.
2. If we now want to add a rule in forward chain, were the rule is to drop the packets
which use ICMP protocol.
sudo iptables -A FORWARD -p ICMP -j DROP

-A: add the rule to

-p: Protocol
-j: action

So, now all the ICMP packets will be dropped at the router 2. So, we will see the
request coming from the router 1 but there won’t be any reply from the router 2 as
it is filtering the ICMP packets and is not processing it any further.

3. To flush all the rules suppose in Forward chain,

sudo iptables -F FORWARD

Now TCP connections are checked and filtered:

1. We run the java program for that on both client and server machines

Similarly, on the client machine.

Then, we check by going into the browser of watch of the machine and
calling the other server and see that we can successfully call them.
And, on the public server’s wireshark we see the TCP packets going from one
to other machine and there is three-way handshake taking place using SYN, SYN ACK
and ACK flags.

2. We now use static packet filtering which will outbound the TCP segments with
SYN flag set at the router 2.

Prachi P. Agrawal
 sudo iptables -A FORWARD -p TCP -d 10.2.3.0/24 --tcp-flag SYN SYN -j DROP

-d: destined to

Now, when on client machine browser we call http://10.2.3.47, we see that its
loading and then soon will timeout. This happens as we can see in the public
networks Wireshark that, because of the SYN request send by the client which
gets filtered at the router 2 and never reaches the server.

If we now check other way around, that from the server we call
http://192.168.1.100, we see there is again a timeout and that is because, when
the client sends SYN, ACK to the server it also gets dropped because we have just
set the rule whenever there is SYN just drop the packet, but we did not properly
mention that when there is ACK along with SYN, we should pass the packet.

3. Again, flush all the rules set,

sudo iptables -F FORWARD

4. We now, modify the rule which we used previously as,

sudo iptables -A FORWARD -p TCP -d 10.2.3.0/24 --tcp-flag SYN,ACK SYN -j
DROP

Here, we specify SYN, ACK and SYN which means that, in TCP protocol there are
SYN and ACK flags set and the rule should be applied only when there is a SYN
flag set.

After this rule, we see that when the client wants to contact server by
http://10.2.3.47 and we get the same timeout message. While now when we
connect from the server to http://192.168.1.100 we see that all is working
absolutely fine now as it should.

5. If instead of DROP we use the action to be REJECT above, we don’t have to wait
till timeout instead we get an error thrown immediately.
Now flush all the changes,
sudo iptables -F FORWARD

All the things we did till this point were for static packet filtering.

For dynamic packet filtering:

At Router 2:
1. We go to the /proc/net directory where we have ip_conntrack file which keeps the
track of all the tcp connections.
Linux uses time out mechanism to remove the connections that are no more active.

Prachi P. Agrawal
 2. Now, if we put a default rule for forward chain to drop then we have,
sudo iptables -P FORWARD DROP

In this case, all the incoming and outgoing packets are dropped at this router.^
3. Now, we want a rule were, the client cannot send the request to server but the
server can connect to the client.
sudo iptables -A FORWARD -s 10.2.3.0/24 -m conntrack - -ctstate NEW -j ACCEPT

-s: source
-m: module to use
--ctstate: connection state

This command, sees to it that, whichever packet coming from the source 10.2.3.47 is
the first packet (i.e. the NEW packet), we accept it and let it pass.

Later, we set a rule,

Sudo iptables -A FORWARD -m conntrack –ctstate ESTABLISHED -j ACCEPT

Again, we get want we were expecting.

Now, flush everything.

Using NAT:

Basically, in our network now what we will do is, the IP address of the client that is
192.168.1.0/100 is not know by the server and the public IP address i.e. 172.16.2.4 is what
will be visible to the world outside.

Let’s start with looking at the routes at router 2, sudo route -N

As per the highlighted entry, it is specified that the 192.168.1.0 network can be reached by
contacting the router 172.16.2.4.

Prachi P. Agrawal
We will now remove this entry,
Sudo route del -net 192.169.1.0/24 gw 172.16.2.4

Now, we can see on the public network how the route takes place,
We see that there is nothing happening on either of the sides and this is because, the syn is
sent but there is no response received as router 2 doesn’t identify the network itself.

AT ROUTER1:

1. Sudo iptables -v -L
2. We will be using NATing on this router now,
Sudo iptables -t nat -A POSTROUTING -o eth1 -j SNAT - -to 172.16.2.4

-t: table being

-o: outgoing interface
SNAT: source NATing
POSTROUTING: takes place after routing

Now, when we open http://10.2.3.47 from our client machine, we see on the
wireshark of public interface that, instead of 192.168.1.0/24 network, now the
172.16.2.4 network is contacting the server.

And, the reverse direction doesn’t work because nobody knows how to reach the
192.168.1.0/24 network. So they have to connect to the 172.16.2.4 network which
may then route it to the 192 network.

To setup destination NAT:

Sudo iptables -t nat -A PREROUTING -p TCP - -dport 8080 -I eth1 -j DNAT - - to

192.168.1.100:80

--dport: destination port

DNAT: destination NAT

This will setup a rule stating that, everything that comes to the network
172.16.2.4 at port 8080 will be routed to the 192.168.1.100 at port 80.

Prachi P. Agrawal
 • Application Level Gateways
❖ They are also called as proxy filters.
❖ The packet filtering takes into consideration only the transport layer details
while setting up the rules and doesn’t have a clue about what is there at the
application payload level. So, application level gateways take care of this.
❖ Also, here the private IP address of the machine in the intranet is not visible
to the world and is translated.
❖ Application Level gateway logs the activities.

Advantages:
❖ It allows for user specific rules.
❖ No direct connection between sender and receiver
❖ Logging activities

Disadvantages:
❖ Very application specific

• Firewall Architecture

Prachi P. Agrawal
In this case, the packet filter is placed after the servers which means the server are easily
visible to the internet and are very prone to attack and it is better to place packet filter
before the server.
But, again the problem with that would be if the server gets compromised by some
reason it will have unlimited access to the internal network. Thus, even this is not a good
idea.

The solution to this is, Demilitarized zone (DMZ):

Here, the servers are protected from internet by a packet filter and also the internal
network is protected from the servers using one more packet filter.

But, the problem here is, if one server gets compromised the other will also get
compromised. So we can instead place the servers in this was as below.

Prachi P. Agrawal
 • Weakness of Firewall
o Mobiles are carried over in the different networks and maybe attacked by a
malware so that when the mobile connects to the internal network, it will
infect the other machines as the mobile would itself be a part of the internal
network and the firewall has no clue than about the attack happening.
o Changing the port number using tunnelling

o Personal Firewalls

Prachi P. Agrawal
Chapter 8: VPN
https://www.youtube.com/watch?v=xGjGQ24cXAY&t=155s

• What is VPN?
• VPN allows to run a secure, seemingly direct point-to-point connection between two
stations.
It uses an unsafe network and operates like a least private line between the two
networks.
VPN uses tunnelling and encryption.

• Types of VPN

o REMOTE ACCESS VPN:

The remote access VPN uses tunnelling and encryption.

Suppose, we have our laptop which is currently in the public network
(i.e. internet) and the IP address assigned to our laptop is ‘x’. Now, we want to
connect to the server of Frankfurt university of applied sciences and we cannot
access the university server outside of the university campus. So, if we want to
connect to university network from outside, we will run a VPN software in our
machine, due to this software, we will connect to the VPN server between the
internet and the university intranet and it allocates our machine with the IP
address ‘z’ which can access the universities internal network.

As, we can see from the connection diagram below as well, the machine
virtually behaves as if it is in the internal network and the server has no clue if
it is connected through VPN as it is completely transparent.

Prachi P. Agrawal
 o SITE-TO-SITE VPN:

Suppose, my company office is in Frankfurt and the other branch is in Munich

and I want to connect to the server in Munich, so the two servers of the
company are connected to each other by a VPN tunnel between the
gateways of the two sites.
If, R1 wants to connect to R2 in the other site, then the packet send
by R1 is traversed to G1 were it is then encapsulated and encrypted and
transferred to G2. G2 then decapsulates and decrypts the packets and sends
to R2.
Neither R1 nor R2 have any clue about the ongoing VPN connection
between the two gateways. And, thus it is better that R1 and R2 use some
end-to-end encryption scheme as well.

Prachi P. Agrawal
 • Mechanisms to deal with VPN
IPSEC and OPENVPN

o IPsec

➢ It not only provides security in VPN but ensures security at the IP layer
(i.e. network layer). It works with both IPv4 and IPv6.
➢ It is connectionless.
➢ It provides two types of security protocols:
o Authentication Header (AH):
Allows for authentication of the sender and ensure the integrity of
the packets.
But, there is no encryption here.
o Encapsulating Security Payload (ESP):
Provides authentication of the sender, integrity protection of the
packets and encryption.
But, the integrity check with ESP is less as compared to AH. So,
mainly they are used in combination.

Both the protocols provide limited protection against Replay

Attack.

Replay Attack:
It is an attempt made by an attacker to record the legitimate
packets which are encrypted and transmitted on the wire and
then replay those packets to the destined address later.

➢ System implementing IPsec has, ESP for sure but use of AH is optional.
➢ Security association use either ESP or AH and are unidirectional. However,
bi-directional is recommended.
o Security association can either be done manually
o Or by using Internet Key Exchange protocol

Prachi P. Agrawal
 ▪ It allows exchange of keys and authentication of stations
and two security associations one in either direction.
➢ IPsec also has policy database which contains the rules that are employed
on the firewall.

• Security Association Operation

They can operate in either tunnel mode or transport mode.
Tunnel Mode Transport Mode:

Packets secured by security associations IPsec supports end-to-end encryption.

are tunnelled between the stations (i.e.
the packets will be encapsulated that
means they will have a new IP header)
IP source and destination addresses are
the addresses of the system connected
by security association and the packets
are then transferred to respective
station where decapsulation, integrity
check and decryption takes place and is
forwarded ahead.
The IP header of the packet is not
changed.
Payload is processed by IPsec and are
integrity protected.
This cannot be used for VPN (because,
obviously, the source and destination
addresses are not changed and the
packet is not encapsulated in this
mode)

Remote access VPN and Site-to-site VPN use (ESP + tunnel mode)

• Authentication Header (AH)

AH in Transport Mode:

Prachi P. Agrawal
 AH in Tunnel Mode:

• Encapsulating Security Payload (ESP)

ESP in Transport mode:

Prachi P. Agrawal
 ESP in Tunnel Mode:

• OpenVPN
It is one other technology to obtain VPN.

IPsec
It is limited to receiving and transmitting the
data at the network layer only.
Uses security associations such as AH, ESP.
OpenVPN
It operated on both network layer and data link
layer.
There is no different special protocol as such
but instead uses UDP, TCP and SSL/TLS. Uses
transport layer for authentication, integrity and
confidentiality.

OpenVPN creates a direct point-to-point connection between two new virtual

interfaces.
It appears in such a way that, when we send the data from one virtual
interface to other, it is going through the virtual connection but in reality it is
encapsulated and encrypted and is send through the public network itself.
TUN device:
If OpenVPN is used on Network Layer
TAP device:
If OpenVPN is used on Datalink Layer

Prachi P. Agrawal
 • Two features of classifying VPN
➢ Where the data is received and to where is the data transmitted.
➢ How is the data transmitted between the two station like using which
technology.

• Risks of VPN
o Split Tunnelling:

o Injecting malware:

Prachi P. Agrawal
 VPN LAB

Again, the initial setup is as we had seen in firewall.

1. At server we start HTTP socket

startInfoSocketServer

2. Connect to server from the browser from client.

IPSEC

Prachi P. Agrawal
 1. Router 1:
➢ Check the configuration file

➢ Check the shared secret which is used

➢ The router 2, will also have the same configuration file with its
corresponding left and right subnets and the secret key is exactly the
same.
➢ startIPsecDemo or
➢ sudo ipsecsetupstart
Similarly, on router 2.

So, IPsec is started in both the routers which pass through the public
network. When we check the Wireshark of public network we see the key
negotiation going on.

When we now create some traffic between the client and server by calling
http://10.2.3.47 on the client machine we see that there is connection
established and what we observe in the public network Wireshark is, we get ESP
traffic and this traffic we see between the 172.16.2.4 and 172.16.2.5 network
and not between client and server. This works like site-to-site VPN.

➢ stopIPsecDemo

Prachi P. Agrawal
 OpenVPN

At router 2:
➢ Check the configuration file

➢ Same check on router 1.

➢ We now start OpenVPN on both the routers
startOpenVpnServer
➢ Now we can check that a virtual tun device must be generated at both
the routers

Similarly,

Prachi P. Agrawal
 Now, when we try connecting from the client machine to the server
http://10.2.3.47, we see on the public sniffing tool that there is no change
at the normal communication is carried out.
That is because we haven’t changed the route. So we carry out
following steps,

Similarly, we delete and add a new route when the data is destined to
192.168.1.100 network.

We now, when connect from client to server and check the sniffing tool,
We see the TCP connection between 172.16.2.4 and 172.16.2.5 and the
virtual IP’s are not shown.

OpenVPN as remote access VPN

Prachi P. Agrawal
 1.

2.

3.

Prachi P. Agrawal
Previous Exam Questions
• tsp, tsp d, solving tsp if we have tspd, tspd if we have tsp
Solving tspd if we have tsp is easy as compared to solving tsp when we have tspd.

Using TSP to solve TSP-D

Using TSP-D to solve TSP

This is comparatively not easy but can be done in polynomial time though.

Here,
➢ The minimum cost is obtained using a binary search algorithm and the time
complexity for it is log2(B).
➢ The path is not obtained from the binary search step, so we manipulate the n*n
distance matrix to find the optimal path.
o We substitute the values in the matrix with the value Bmin + 1 and compute
the TSP-D.
o If, TSP-D computes yes, it’s a part of minimal path, otherwise not.
o The time complexity of solving this is (n^2 – n) /2.
Thus, the time complexity of polynomial reduction of TSP-D to solve TSP is O(n^2).

Prachi P. Agrawal
 • What is open VPN, its working, what is tun device, tap device, its working,
protocols used in openvpn?
OpenVPN creates a point-to-point connection between two virtual interfaces.
It doesn’t use any security association as such, instead the security of SSL/TLS
protocol for TCP and UDP data is used.
It creates a virtual connection between the two routers and it seems that the
data transfer is taking place directly between the two interfaces but instead, it
actually traverses through the public network using SSL/TLS protocol.

TUN devices:
OpenVPN operates at the network layer.

TAP devices:
OpenVPN operates at datalink layer.

TCP, UDP, SSL/TLS protocols are used in OpenVPN.

• In Wireshark what IP address you see if you set up open vpn?

For site-to-site OpenVPN:
We see IP address of the two routers that create the virtual interface between them.

For remote access OpenVPN:

We see IP address of the client and the router to which it is going to connect to.

• Firewall Lab
o In client machine ping router
ping 10.2.3.47
In Wireshark there are ICMP packets
o Set up firewall in router to stop ping
Sudo iptables -a forward -p ICMP -j drop
Pinging stopped now.
o revert it. Delete rules
sudo Iptables -f forward

• sat (SATISFIABILITY PROBLEM)

Input:
Set of literals x= {x1, x2, …. xn} and collection of clauses c = {c1, c2 … cn}
Output: “yes” if there exists a truth assignment such that all the clauses are satisfied,
“no” otherwise.

• 3-dimensional problem
Input:
Set A, B, C such that |A| = |B| = |C| and a list of triplets T which is the subset of
A*B*C.
Output: “yes” if there exists a triplet T’ which is subset of T and contains A, B and C
exactly one’s and the |T’| = |A| = |B| = |C|
“no” otherwise

Prachi P. Agrawal
 • vertex cover
Input:
A graph G={V, E} and a number k which is a natural number.
Output: “yes” if there exists a vertex V’ which is the subset of V such that |V’|<= k
and for each edge E in G, we have 1 of the vertex in V’.

• cryptography
A mathematical technique related to the aspects of information security such as
confidentiality, data integrity, data origin authentication and entity authentication.
• Authentication
Unambiguous identification of the sender of the information or communication
peer.
• Certificate
A certificate authority (CA) is a trusted entity that issues digital certificates

Research Papers

Prachi P. Agrawal