Network Security

Chapter goals:

 understand principles of network security:

 cryptography and its many uses beyond
“confidentiality”
 authentication
 message integrity

 security in practice:
 firewalls and intrusion detection systems
 security in application, transport, network, link
layers
1.1 What is network security?
1.2 Principles of cryptography
1.3 Message integrity
1.4 End point authentication
1.5 Securing e-mail
1.6 Securing TCP connections: SSL
1.7 Network layer security: IPsec
1.8 Securing wireless LANs
1.9 Operational security: firewalls and IDS
What is network security?
Confidentiality: only sender, intended receiver
should “understand” message contents
 sender encrypts message
 receiver decrypts message

Authentication: sender, receiver want to confirm

identity of each other
Message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards)
without detection
Access and availability: services must be accessible
and available to users

8: Network Security 8-4

 Friends and enemies: Alice, Bob, Trudy
 well-known in network security world
 Bob, Alice (lovers!) want to communicate “securely”
 Trudy (intruder) may intercept, delete, add messages

Alice
data, control
channel
messages
Bob
data secure secure data
sender receiver

Trudy
Who might Bob, Alice be?
 Web browser/server for electronic
transactions (e.g., on-line purchases)
 on-line banking client/server
 DNS servers
 routers exchanging routing table updates
Trudy can :

 eavesdrop: intercept messages

 actively insert messages into connection
 impersonation: can fake (spoof) source address
in packet (or any field in packet)
 hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself
in place
 denial of service: prevent service from being
used by others (e.g : by overloading resources)
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 End point authentication
8.5 Securing e-mail
8.6 Securing TCP connections: SSL
8.7 Network layer security: IPsec
8.8 Securing wireless LANs
8.9 Operational security: firewalls and IDS
Cryptography
defined as the conversion of data into a scrambled
code that can be deciphered and sent across a public
or private network.

 uses two main styles or forms of encrypting data;

symmetrical and asymmetrical.

Symmetric encryptions, or algorithms, use the

same key for encryption as they do for decryption.
Other names for this type of encryption are secret-
key, shared-key, and private-key.
The encryption key can be loosely related to the
decryption key; it does not necessarily need to be an
exact copy.

Symmetric cryptography is susceptible to plain text

attacks and linear cryptanalysis meaning that they
are hackable and at times simple to decode. With
careful planning of the coding and functions of the
cryptographic process these threats can be greatly
reduced.

Asymmetric cryptography uses different

encryption keys for encryption and decryption. 
In this case an end user on a network, public or
private, has a pair of keys; one for encryption and
one for decryption.

These keys are labeled or known as a public and

a private key; in this instance the private key
cannot be derived from the public key.

The asymmetrical cryptography method has

been proven to be secure against computationally
limited intruders.
TYPES OF CRYPTOGRAPHIC ALGORITHMS

There are several ways of classifying cryptographic

algorithms. For purposes of this paper, they will be
categorized based on the number of keys that are
employed for encryption and decryption, and further
defined by their application and use.
Secret Key Cryptography (SKC): Uses a single
key for both encryption and decryption

Public Key Cryptography (PKC): Uses one key

for encryption and another for decryption

Hash Functions: Uses a mathematical

transformation to irreversibly "encrypt"
information
 Secret Key Cryptography
With secret key cryptography, a single key is used
for both encryption and decryption. As shown in the
figure ,the sender uses the key (or some set of rules)
to encrypt the plaintext and sends the ciphertext to
the receiver.

The receiver applies the same key (or ruleset) to

decrypt the message and recover the plaintext.

Because a single key is used for both functions,

secret key cryptography is also called symmetric
encryption.
Secret key cryptography algorithms that are in
use today include:

oDES , RC ,SMS4 ...etc

 Public-Key Cryptography

 has been said to be the most significant new

development in cryptography in the last 300-400
years.

PKC depends upon the existence of so-called one-way

functions, or mathematical functions that are easy to
computer whereas their inverse function is relatively
difficult to compute
In PKC, one of the keys is designated the public
key and may be advertised as widely as the owner
wants.

The other key is designated the private key and is

never revealed to another party. It is straight
forward to send messages under this scheme.

Suppose Alice wants to send Bob a message. Alice

encrypts some information using Bob's public key;
Bob decrypts the ciphertext using his private key.
This method could be also used to prove who sent a
message .

Alice, for example, could encrypt some plaintext

with her private key; when Bob decrypts using Alice's
public key, he knows that Alice sent the message and
Alice cannot deny having sent the message.

Public-key cryptography algorithms that are in use

today for key exchange or digital signatures include:

o RSA , DSA , LUC … etc

  Hash Functions
also called message digests and one-way encryption,
are algorithms that, in some sense, use no key.
Instead, a fixed-length hash value is computed based
upon the plaintext that makes it impossible for either
the contents or length of the plaintext to be
recovered.

typically used to provide a digital fingerprint of a

file's contents, often used to ensure that the file has
not been altered by an intruder or virus.
 commonly employed by many operating systems
to encrypt passwords.

 provide a measure of the integrity of a file.

 Hash algorithms that are in common use today

include:

 MD , SHA …etc