Lecture #9,10 Network Security PDF

Summary

This lecture provides an overview of network security principles, covering cryptography, message integrity, and authentication, focusing on how email communication can be secured. This presentation is a helpful guide for undergraduates studying computer networks.

Full Transcript

COMPUTER NETWORKS
M. ZAHID SARWAR
ASSISTANT PROFESSOR
COMPUTER SCIENCE DEPARTMENT
LECTURE # 9,10
NETWORK SECURITY

COURSE INTRODUCTION

OBJECTIVES
This lecture aims to build an understanding of the principles of network security: cryptography and its many uses beyond “confidentiality”, authentication, message integrity, and security in practice.

CONTENTS
- What is network security?
- Principles of cryptography
- Message integrity, authentication
- Securing e-mail
- Securing TCP connections: TLS (Transport Layer Security)
- Network layer security: IPsec (Internet Protocol Security)
- Security in wireless and mobile networks
- Operational security: firewalls and IDS (Intrusion Detection System)

NETWORK SECURITY

WHAT IS NETWORK SECURITY
- Confidentiality:
  - Only the sender and receiver should “understand” message contents.
  - Sender encrypts message
  - Receiver decrypts message
- Authentication:
  - Sender and receiver confirm each other's identity.
- Message integrity:
  - Sender and receiver want to ensure the message is not altered (during transmission, or afterwards).
- Access and availability:
  - Services must be accessible and available to users

FRIENDS AND ENEMIES: ALICE, BOB, TRUDY
- Well-known in the network security world
- Bob, Alice (lovers!) want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender), Bob (secure receiver), channel carrying data and control messages, Trudy]

FRIENDS AND ENEMIES: ALICE, BOB, TRUDY
Who might Bob and Alice be?
- … well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- On-line banking client/server
- DNS servers
- BGP routers exchanging routing table updates.
Border Gateway Protocol (BGP) is a set of rules that determine the best network routes for data transmission on the internet.

WHAT CAN A “BAD GUY” DO
- Eavesdrop: intercept messages
- Actively insert messages into connection
- Impersonation: can fake (spoof) source address in packet (or any field in packet)
- Hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- Denial of service: prevent service from being used by others (e.g., by overloading resources)

PRINCIPLES OF CRYPTOGRAPHY
- Cryptography is the study of techniques for secure communication in the presence of third parties.
- It involves the use of mathematical algorithms and protocols to secure the:
  - Confidentiality
  - Integrity
  - And authenticity of communication.
- Cryptography is used in a wide range of applications, including:
  - Securing communication over the internet,
  - Protecting sensitive data, and
  - Authenticating the identity of users.

TYPES OF CRYPTOGRAPHY
- There are two main types of cryptography
- Symmetric cryptography.
  - In symmetric cryptography, the same key is used for both encryption and decryption.
  - This is suitable for situations where the sender and receiver of a message have a shared secret key.
- Asymmetric cryptography.
  - In asymmetric cryptography, also known as public-key cryptography, different keys are used for encryption and decryption.
  - This is suitable for situations where the sender and receiver of a message do not have a shared secret key, as it allows them to exchange messages securely without needing to share a secret key.

MODERN CRYPTOGRAPHY
- Modern cryptography refers to the techniques and protocols that are used for secure communication in the present day.
- It builds upon the principles and techniques of classical cryptography, but also incorporates newer technologies and advances in mathematics and computer science.
- Overall, modern cryptography involves the use of a wide range of techniques and protocols to secure communication and protect data in the modern world.

KEY AREAS OF MODERN CRYPTOGRAPHY
- Key areas of modern cryptography include:
  - Symmetric cryptography: Symmetric cryptography involves the use of a shared secret key for both encryption and decryption. This type of cryptography is suitable for situations where the sender and receiver of a message have a shared secret key.
  - Asymmetric cryptography: Asymmetric cryptography, also known as public-key cryptography, involves the use of different keys for encryption and decryption. This type of cryptography is suitable for situations where the sender and receiver of a message do not have a shared secret key, as it allows them to exchange messages securely without needing to share a secret key.

KEY AREAS OF MODERN CRYPTOGRAPHY (CONT.)
- Hash functions: Hash functions are used to ensure the integrity of data by providing a way to detect any changes to the data. They are often used in combination with other cryptographic techniques, such as digital signatures, to provide strong security.
- Digital signatures: Digital signatures are used to authenticate the identity of the sender of a message and to provide non-repudiation. They are based on the principles of public-key cryptography and are used to ensure the integrity and authenticity of a message.
- Key management: Key management refers to the process of generating, distributing, and managing cryptographic keys. Proper key management is essential for the security of a cryptographic system, as the security of the system depends on the secrecy of the key.

CRYPTOGRAPHIC PRINCIPLES
- Cryptographic principles are the fundamental concepts and techniques that are used in the field of cryptography to secure communication and protect data.
- These principles include:
  - Confidentiality: Confidentiality refers to the ability to keep information private and secure.
    Cryptographic techniques, such as encryption, can be used to protect the confidentiality of information by making it unreadable to anyone who does not have the proper decryption key.
  - Integrity: Integrity refers to the ability to ensure that information has not been altered or tampered with. Cryptographic techniques, such as hash functions, can be used to ensure the integrity of information by providing a way to detect any changes to the data.

CRYPTOGRAPHIC PRINCIPLES (CONT.)
- Authentication: Authentication refers to the process of verifying the identity of a user or device. Cryptographic techniques, such as digital signatures, can be used to authenticate the identity of a user or device in a secure manner.
- Non-repudiation: Non-repudiation refers to the ability to prevent someone from denying that they performed a particular action. Cryptographic techniques, such as digital signatures, can be used to provide non-repudiation by allowing the sender of a message to prove that they sent the message and the receiver to prove that they received the message. It ensures that no party can deny that it sent or received a message.
- Key management: Key management refers to the process of generating, distributing, and managing cryptographic keys. Proper key management is essential for the security of a cryptographic system, as the security of the system depends on the secrecy of the key.

NETWORK SECURITY AUTHENTICATION
- Authentication in computer networks is the process of verifying the identity of a device or user on a network.
- This is done to ensure that only authorized devices and users are able to access network resources.
- There are many different methods that can be used for authentication, including passwords, biometric factors such as fingerprints or facial recognition, and security tokens.
- It helps to ensure that only authorized devices and users are able to access network resources, protecting against unauthorized access and potential security breaches.

MOST POPULAR AUTHENTICATION METHODS
- Passwords: As mentioned earlier, passwords are a common method of authentication. Users are prompted to enter a combination of their username and password in order to log in to a system or access network resources.
- Biometric authentication: This method relies on unique physical characteristics of the user, such as fingerprints, facial recognition, or iris scans, to verify their identity. Biometric authentication can be more secure than passwords, as it is difficult to forge or steal someone's fingerprints or facial features.
- Security tokens: Security tokens are physical devices that generate one-time codes or passwords that can be used to log in to a system. The codes generated by the security token are typically only valid for a short period of time and can't be used again, adding an additional layer of security.

MOST POPULAR AUTHENTICATION METHODS (CONT.)
- Two-factor authentication (2FA): This method requires users to provide two different types of credentials in order to log in. For example, a user might be prompted to enter their password and then confirm their identity by entering a code sent to their phone.
- Certificates and PKI: Some networks use certificates or public key infrastructure (PKI) to verify the identity of devices. In these systems, each device is issued a unique digital certificate that is used to authenticate its identity.
- Single sign-on (SSO): SSO systems allow users to log in to multiple applications with a single set of credentials. This can make it easier for users to access the resources they need, while still maintaining strong security controls.

MOST POPULAR AUTHENTICATION METHODS (CONT.)
- One-time passwords (OTP): OTPs are passwords that are valid for only a single use. They are often used in conjunction with other authentication methods, such as passwords or security tokens. OTPs can add an additional layer of security, as they can't be used again once they have been used to log in.
- Multi-factor authentication (MFA): MFA requires users to provide multiple types of credentials in order to log in. This can include passwords, security tokens, biometric authentication, and more. MFA can be more secure than other methods, as it requires multiple types of credentials to be provided.
- Smart cards: Smart cards are physical cards that contain a chip that stores information about the user, such as their credentials or other identifying information. Users can use smart cards to log in to systems or access network resources by inserting the card into a card reader.

MOST POPULAR AUTHENTICATION METHODS (CONT.)
- SMS-based authentication: In this method, users are sent a code via text message that they must enter in order to log in to a system. SMS-based authentication can be a convenient way to provide an additional layer of security, as it requires the user to have access to their phone in order to log in.
- Tokenless multi-factor authentication: This method allows users to authenticate their identity using multiple factors without the need for a physical token. For example, a user might be prompted to enter their password and then confirm their identity by answering security questions or using biometric authentication. Tokenless MFA can be more convenient for users, as they don't need to carry a physical token with them in order to log in.

BASIC AUTHENTICATION SYSTEM STRUCTURE
- In a basic authentication system, there are typically three main components.
  - A user: The user is the individual attempting to access network resources. They may be a person, a device, or a software application.
  - An authentication server: The authentication server is responsible for verifying the identity of the user. It stores the credentials of all authorized users and checks the credentials provided by the user against this database.
  - Network resources: These are the resources on the network that the user is attempting to access.
    These could include file servers, database servers, web applications, and more.

HOW A BASIC AUTHENTICATION SYSTEM WORKS
- The user attempts to access a network resource.
- The authentication server prompts the user for their credentials (such as a username and password).
- The user provides their credentials.
- The authentication server checks the provided credentials against its database of authorized users.
- If the credentials are valid, the authentication server grants the user access to the network resource.
- If the credentials are invalid, the authentication server denies access to the network resource.

BENEFITS OF AUTHENTICATION SYSTEM
- Security: The most important benefit of an authentication system is the increased security it provides. By verifying the identity of users and devices before allowing access to network resources, an authentication system helps to prevent unauthorized access and protect against potential security breaches.
- Access control: An authentication system allows the network administrator to control who has access to which resources. This can help to ensure that users only have access to the resources they need to do their job, reducing the risk of accidental data breaches or unauthorized access to sensitive information.
- Improved productivity: By limiting access to only authorized users, an authentication system can help to improve productivity by reducing the risk of unauthorized users or devices causing disruptions or delays.

BENEFITS OF AUTHENTICATION SYSTEM
- Compliance: In some industries, compliance with certain regulations or standards may require the use of an authentication system. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to implement measures to protect the confidentiality and security of patient data, including the use of authentication systems.
- Convenience: An authentication system can also provide convenience for users by allowing them to access resources more quickly and easily. For example, a single sign-on (SSO) system allows users to log in to multiple systems with a single set of credentials, reducing the need to remember multiple usernames and passwords.

MESSAGE INTEGRITY
- Message integrity in cryptography is the process of checking the message's authenticity. It ensures the message has not been altered or tampered with.
- Integrity is important because it ensures that the message has not been modified or tampered with.
- Message Integrity describes the concept of ensuring that data has not been modified in transit.
- The most typical method is to use a hash function, which combines all the bytes in the message with a secret key to generate a message digest that is difficult to reverse.
- Message digest is an encrypted, abbreviated version of a message generated through a hash function. It serves as a unique identifier for the message and enhances security by making it computationally infeasible to decrypt or duplicate the original message.

HOW MESSAGE INTEGRITY WORKS
- Integrity verification is a component of an information security program.
- The message authentication code, also known as a digital authenticator, is used as an integrity check that uses a secret key held by two parties to validate information sent between them.
- It is supported by using a cryptographic hash function (algorithm) or symmetric encryption technique.
- Message integrity is commonly used in computing systems for integrity verification and information authentication.
- Message integrity enhances traditional hash algorithms with security characteristics, making it more difficult to discover message content or receiver and sender information.

STEPS TO VERIFY THE INTEGRITY OF A MESSAGE
- Message Authentication Codes: With Message Authentication Codes, the transmitter and receiver use the same MAC algorithm or key.
- Certificates: A certificate is a digital document that validates a public key. The certificate provides information about the key, the owner's identity, and the organization's digital signature, which has verified the certificate's contents.
- Non-repudiation (the inability to deny responsibility for performing a specific act): Non-repudiation is a security concept that ensures a user cannot deny having performed a transaction. More specifically, it combines authentication and integrity to authenticate the identity of a user who performs a transaction and ensures the integrity of that transaction.

STEPS TO VERIFY THE INTEGRITY OF A MESSAGE (CONT.)
- Signature Schemes: A signature is used to ensure the authenticity of a document. It is another method for determining the authenticity of communications. Signature schemes work in the same way as Message Authentication Codes. This connects the user with the digital data.

ELECTRONIC MAIL SECURITY
- Email is one of the most widely used and regarded network services.
- Currently, message contents are not secure and may be:
  - Inspected either in transit.
  - Or by suitably privileged users on destination system.

BASIC STEPS IN E-MAILING
[Slide figure not captured in the transcript]

WHAT IS ELECTRONIC MAIL SECURITY
- Email security is the practice/techniques of preventing:
  - Email-based cyber attacks,
  - Unauthorized access,
  - Loss or compromise,
  - Protecting email accounts from takeover,
  - and securing the contents of emails.
- Email security is multifaceted and may require several different layers of protection or involve encryption.

SOME OF THE COMMON TYPES OF EMAIL ATTACKS
- Some of the common types of email attacks include:
  - Phishing: A type of cyber attack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data.
  - Malware: Types of malware delivered over email include spyware, scareware, adware, and ransomware, among others. Attackers can deliver malware via email in several different ways.
    One of the most common is including an email attachment that contains malicious code.
  - Account takeover: Attackers take over email inboxes from legitimate users for a variety of purposes, such as monitoring their messages, stealing information, or using legitimate email addresses to forward malware attacks and spam to their contacts.
  - And much more

HOW E-MAILING SECURITY WORKS
[Slide figure not captured in the transcript]

EMAIL SECURITY ENHANCEMENTS
- Due to updated security enhancements, there is now more stringent security to enforce strong email passwords.
- Email encryption can be done by using programs like PGP (Pretty Good Privacy) or S/MIME. S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and it is a standard that allows you to encrypt and sign your email messages using public-key cryptography.
- The security enhancement adds:
  - Confidentiality: protection from disclosure
  - Authentication of sender of message
  - Message integrity: protection from modification
  - Non-repudiation of origin: protection from denial by sender

HOW TO SECURE EMAIL
[Slide figure not captured in the transcript]

CRYPTOGRAPHY ALGORITHMS
- SHA (Secure Hash Algorithm):
  - SHA encryption (Secure Hash Algorithms) is a set of cryptographic hash functions ensuring secure data hashing for digital signatures, certificates, and cryptocurrencies.
  - SHA-1, though widely used in the past, is now considered weak and has been replaced by SHA-2, which offers more robust security with versions like SHA-256 and SHA-512. SHA-3, a newer variant, uses advanced structures for enhanced security.
  - SHA encryptions are integral to TLS/SSL protocols, secure communications, and modern digital security frameworks. Always choose the best SHA for your project to ensure maximum protection.

CRYPTOGRAPHY ALGORITHMS (CONT.)
- The basic process behind hashing of any type: convert the input, or original message, into binary, then perform a set of simple functions that operate through basic standard transistor and bus processes such as AND, XOR, NOT, Rotate and OR.
- In the case of SHA-256 hashing, newly created chips have been specifically designed to increase the speed of creating a hash from an input. In the use case of bitcoin mining, this means you can calculate more hashes per second, allowing for a greater chance of gaining the mined reward.
- SHAs are widely used in security protocols and applications, including transport layer security (TLS), secure socket layer (SSL), digital signatures, S/MIME email certificates, PGP, and IPsec.

CRYPTOGRAPHY ALGORITHMS (CONT.)
- One of the most important uses for SHAs is within the SSL/TLS protocol, as they are used as the hashing algorithm for digital signatures.
- SSL and TLS are cryptographic protocols designed to provide a secure communication channel between clients and servers over the internet. TLS/SSL certificates are a type of X.509 certificate that are used to validate the identity of a server to a browser.

CRYPTOGRAPHY ALGORITHMS
- RSA algorithm (Rivest-Shamir-Adleman):
  - The RSA algorithm (Rivest-Shamir-Adleman) is the basis of a cryptosystem (a suite of cryptographic algorithms that are used for specific security services or purposes) which enables public key encryption and is widely used to secure sensitive data, particularly when it is being sent over an insecure network such as the internet.
  - RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology, though the 1973 creation of a public key algorithm by British mathematician Clifford Cocks was kept classified by the U.K.'s GCHQ until 1997.

CRYPTOGRAPHY ALGORITHMS (CONT.)
- Public key cryptography, also known as asymmetric cryptography, uses two different but mathematically linked keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret.
- In RSA cryptography, both the public and the private keys can encrypt a message.
  The opposite key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why RSA has become the most widely used asymmetric algorithm: it provides a method to assure the confidentiality, integrity, authenticity, and non-repudiation of electronic communications and data storage.

SECURE TRANSMISSION OF EMAILS
PGP is an encryption software program designed to ensure the confidentiality, integrity, and authenticity of virtual communications, information and e-mails.

PGP OPERATION
- With PGP, an easy-to-use layer of security can be added to online communication.
- In asymmetric cryptography we need two separate keys, one of which is private (used for decryption or digital signing) and one that is public (used to encrypt plaintext or verify a digital signature).
- Pretty Good Privacy or PGP is a cryptographic method for communicating privately over the Internet.
- It encrypts data and provides cryptographic privacy and authentication for online communication.

PGP OPERATION (CONT.)
- It is frequently used to encrypt documents, emails, and files to improve email security. Data compression, hashing, and public-key cryptography are all used in PGP encryption.
- PGP also verifies the sender’s identity and ensures that the message was not tampered with while in transit.
- It also encrypts data being exchanged across networks using symmetric and asymmetric keys. It combines both private and public-key cryptography features.
- PGP is a type of hybrid cryptography. PGP combines the best features of both symmetric and public-key cryptography in one bundle.

S/MIME
- S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and it is a standard that allows you to encrypt and sign your email messages using public-key cryptography.
- S/MIME can do both symmetric encryption and digital signatures, which are two very important functions for securing emails in the best possible way.
- Symmetric encryption guarantees that only the addressee will be able to read your email, and digital signatures identify who it came from and show that it wasn't changed on its way to your inbox. With S/MIME, you will be able to protect your communication against unwanted readers and establish trust with those receiving your emails.

S/MIME
- Through encryption, S/MIME offers protection for business emails.
- S/MIME enables non-ASCII data to be sent using Secure Mail Transfer Protocol (SMTP) via email.
- The data which is encrypted using a public key is then decrypted using a private key which is only present with the receiver of the e-mail.
- The receiver then decrypts the message and then the message is used. In this way, data is shared using e-mails, providing an end-to-end security service using the cryptography method.

S/MIME
- S/MIME protocol (or method) has been one of the safest ways to transmit data or share data between companies or users.
- The benefits that S/MIME provides are data integrity, confidentiality, verification, and non-repudiation. Moreover, S/MIME has been widely used for providing security services in various companies.

HOW TO SECURE EMAIL
[Slide figure not captured in the transcript]

SSL/TLS PROTOCOL
- Secure Sockets Layer (SSL) is a security protocol that provides privacy, authentication, and integrity to Internet communications.
- SSL eventually evolved into Transport Layer Security (TLS).
- SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol.
- It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
- SSL is the predecessor to the modern TLS encryption used today.

QUESTION ANSWERS

THANK YOU
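
Added example (not part of the original slides) for the "HOW MESSAGE INTEGRITY WORKS" and "Message Authentication Codes" slides: the same altered message checked once against a plain SHA-256 digest and once against a MAC keyed with the secret Alice and Bob share. HMAC-SHA-256 is chosen here as the MAC; the slides do not name one, and the key, messages and function names are constructed for the illustration.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def send_with_digest(message: bytes) -> bytes:
    """Unkeyed check: the message followed by its plain SHA-256 digest."""
    return message + hashlib.sha256(message).digest()


def check_digest(packet: bytes) -> Optional[bytes]:
    """Return the message if the unkeyed digest matches, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, digest = packet[:-TAG_LEN], packet[-TAG_LEN:]
    ok = hmac.compare_digest(hashlib.sha256(message).digest(), digest)
    return message if ok else None


def send_with_mac(key: bytes, message: bytes) -> bytes:
    """Keyed check: the message followed by HMAC-SHA-256 under the shared key."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def check_mac(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the message if the MAC verifies under the shared key, else None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, tag) else None


def altered_in_transit(new_message: bytes) -> bytes:
    """A packet rebuilt by someone on the channel who lacks the shared key.

    SHA-256 is public, so a fresh unkeyed digest can always be appended.
    """
    return new_message + hashlib.sha256(new_message).digest()


def demo() -> dict:
    key = b"constructed-shared-secret-key-32"  # constructed sample key
    original = b"PAY 100 TO BOB"               # constructed sample messages
    altered = b"PAY 900 TO TRUDY"
    return {
        "digest_untouched": check_digest(send_with_digest(original)),
        "digest_altered": check_digest(altered_in_transit(altered)),
        "mac_untouched": check_mac(key, send_with_mac(key, original)),
        "mac_altered": check_mac(key, altered_in_transit(altered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} -> {result}")
```

The unkeyed digest accepts the altered message because anyone can recompute it; the keyed MAC rejects it because producing a valid tag requires the secret held only by the two parties.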
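
Added example (not part of the original slides) for the "PGP OPERATION" slides: the hybrid flow they describe, with hashing and signing under the sender's private key, compression, symmetric encryption under a fresh session key, and that session key wrapped with the recipient's public key. It is a teaching model and not PGP's actual packet format: it assumes textbook RSA without padding on small constructed keys, and uses a SHA-256 counter keystream as a stand-in for a real symmetric cipher; all function names are hypothetical.

```python
import hashlib
import secrets
import zlib

E = 65537  # commonly used RSA public exponent


def toy_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys built from Mersenne primes so no prime generation is
# needed. Far too small and too structured for any real use.
ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def pgp_style_send(message: bytes, sender_priv, recipient_pub) -> dict:
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    signature = pow(digest_int(message, n_s), d_s, n_s)  # sender's private key
    session_key = secrets.token_bytes(16)                # fresh per message
    ciphertext = keystream_xor(session_key, zlib.compress(message))
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    return {"wrapped_key": wrapped_key, "ciphertext": ciphertext,
            "signature": signature}


def pgp_style_receive(packet: dict, recipient_priv, sender_pub):
    """Return (message, signature_valid); (None, False) if it cannot be read."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    key_int = pow(packet["wrapped_key"], d_r, n_r)  # recipient's private key
    if key_int >> 128:                              # not a 16-byte session key
        return None, False
    session_key = key_int.to_bytes(16, "big")
    try:
        message = zlib.decompress(keystream_xor(session_key, packet["ciphertext"]))
    except zlib.error:                              # damaged or altered data
        return None, False
    valid = pow(packet["signature"], e_s, n_s) == digest_int(message, n_s)
    return message, valid


def demo():
    message = b"Quarterly figures attached. (constructed sample text)"
    packet = pgp_style_send(message, ALICE_PRIV, BOB_PUB)
    received = pgp_style_receive(packet, BOB_PRIV, ALICE_PUB)
    body = packet["ciphertext"]
    altered = dict(packet, ciphertext=bytes([body[0] ^ 1]) + body[1:])
    return received, pgp_style_receive(altered, BOB_PRIV, ALICE_PUB)


if __name__ == "__main__":
    ok, tampered = demo()
    print("delivered:", ok)
    print("altered  :", tampered)
```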
