CN Module4

The document discusses network security and describes threats such as DNS hacking and routing table poisoning. It covers security methods like cryptographic techniques, authentication techniques, and secret key encryption protocols to secure communications and addresses confidentiality, authenticity, and integrity as key elements of network security.

Computer Networks

Module 4: Network Security

Network Security
Overview of Network Security
• Network security is required by users who communicate over a network.
• If the medium is insecure, an intruder may intercept, read and modify the data transmitted
from sender to receiver.

Elements of Network Security

1) Confidentiality: Information should be available only to those who have rightful access to it.
2) Authenticity and integrity: The sender of a message and the message itself should be
verified at the receiving point.

Figure 10.1: (a) Message content and sender identity falsified by intruder; (b) a method of
applied security

• In figure 10.1a, user 1 sends a message ("i am user 1") to user 2. Since the network lacks any
security system, an intruder can receive the message, change its content to a different
message ("hi i am user 1") and send it on to user 2. User 2 has no way to tell whether this
falsified message really came from user 1 (authentication).
• In figure 10.1b, a security block is added on each side of the communication, and a secret key
that only users 1 and 2 know is included. The message is thereby changed into a form that
cannot be altered by the intruder.

Threats To Network Security

Internet infrastructure attacks are broadly classified into four categories:
1) DNS hacking
2) Routing table poisoning
3) Packet mistreatment
4) Denial of Service (DoS)

Mahendra M K, Assistant Professor, Dept. of ISE, GAT

DNS HACKING ATTACKS

• DNS is a distributed, hierarchical, global directory that translates domain names into
numerical IP addresses.
• DNS is critical infrastructure: all hosts contact DNS to reach servers and start connections.
• Name-resolution services in the modern Internet are essential for email transmission,
navigation to web sites and data transfer. Thus, an attack on DNS can potentially affect a
large portion of the Internet.
• A DNS hacking attack can appear in any of the following forms:
1) Masquerading Attack: The attacker poses as a trusted entity and obtains all the secret
information. The attacker can stop any message from being transmitted further, change its
content, or redirect the packet to bogus servers. This is also known as a man-in-the-middle
attack.
2) Domain Hijacking Attack: Whenever a user enters a domain address, he is forced into the
attacker's web site.
3) Information Leakage Attack: The attacker sends a query to all hosts, identifies which IP
addresses are not in use, and uses those IP addresses to mount other types of attacks.
4) Information-Level Attack (Cache Poisoning): This forces a server to respond with
something other than the correct answer. The attacker tricks a remote name server into
caching the answer for a third-party domain by supplying malicious information, and so
redirects traffic to a preselected site.

ROUTING TABLE POISONING

• This is the undesired modification of routing tables. It results in lower throughput of the
network.
• Two types of attacks are: i) link attack and ii) router attack.


Link Attack
• A link attack occurs when a hacker gains access to a link and thereby intercepts, interrupts or
modifies routing messages. It acts similarly on both link-state and distance-vector
protocols.
• If an attacker succeeds in placing an attack in a link-state routing protocol, a router may send
incorrect updates about its neighbors or remain silent even if the link state of a neighbor has
changed.

Router Attack
• A router attack may affect the link-state protocol or even the distance-vector protocol.
• In a link-state protocol, if routers are attacked they become malicious. As a result, routers may
add a non-existing link to a routing table, delete an existing link or change the cost of a link.
• In a distance-vector protocol, an attacker may cause routers to send wrong updates about
any node in the network, thereby misleading a router and resulting in network problems.

PACKET MISTREATMENT ATTACKS

• Packet mistreatment attacks can occur during any data transmission.
• A hacker may capture certain data packets and mistreat them.
• The attack may result in congestion, lower throughput and DoS.
• A link attack causes interruption, modification or replication of data packets, whereas a
router attack can misroute all packets and may result in congestion or DoS.
Following are some examples:
1) Interruption: If an attacker intercepts packets, they may not be allowed to propagate to
their destinations.
2) Modification: Attackers may succeed in accessing the content of a packet. They can then
change the address of the packet or change its data. This kind of attack can be detected by a
digital signature mechanism.
3) Replication: An attacker may trap a packet and duplicate it. This kind of attack can be
detected by using a sequence number for each packet.
4) Malicious Misrouting of Packets: A hacker may attack a router and change its routing table,
resulting in misrouting of data packets.


5) Ping of death: An attacker may send a ping message so large that it must be fragmented for
transport. The receiver starts to reassemble the fragments as they arrive; the total packet
length becomes too large and might cause a system crash.

DOS ATTACKS (DENIAL OF SERVICE)

• DoS is a type of security breach that prevents a user from accessing normally provided
services.
• DoS can cost the target a large amount of time and money.
• DoS affects the destination rather than a data packet or router.
• Such attacks take important servers out of action for a few hours, thereby denying service to
all users.
Two types of attacks are:
1) Single-source: An attacker sends a large number of packets to a target system to
overwhelm and disable it.
2) Distributed: A large number of hosts are used to flood unwanted traffic to a single target.
The target is then no longer accessible to other users in the network.

Overview of Security Methods

Common solutions that protect computer communication networks from attacks are classified
as cryptographic techniques or authentication techniques (verification).

Cryptographic Techniques
• Cryptography is the process of transforming a piece of information or message shared by two
parties into some sort of code.
• The message is scrambled before transmission so that it is unintelligible to outside watchers.
• The scrambled message needs to be decoded at the receiving end before any further
processing.
• The main tool used to encrypt a message M is a secret key K.
• The fundamental operation used to encrypt a message is the exclusive-OR (⊕).
• Assume that we have a one-bit M and a secret bit K. A simple encryption is carried out using
M ⊕ K.


• To decrypt this message, the second party recovers M by performing the following
operation: (M ⊕ K) ⊕ K = M
• In end-to-end encryption, secret coding is carried out at both end systems. In link encryption,
all the traffic passing over a link is secured.
• Two types of encryption techniques are secret-key and public-key encryption:
1) In the secret-key model, sender and receiver conventionally use the same key for the
encryption process.
2) In the public-key model, sender and receiver each use a different key.
• The public-key system is more powerful than the secret-key system and provides better
security and message privacy.
• Drawbacks of the public-key system: slower speed and greater computational complexity.

Authentication Techniques
Encryption methods offer the assurance of message confidentiality. A networking system must
also be able to verify the authenticity of a message and of its sender. Security techniques of
this kind are known as authentication techniques.
Authentication techniques are categorized as
i) authentication with message digest
ii) authentication with digital signature.


Secret Key Encryption Protocols

• This is also called symmetric encryption or single-key encryption.
• Sender and receiver conventionally use the same key for the encryption process.
• It consists of an encryption algorithm, a key and a decryption algorithm.
• The encrypted message is called ciphertext.
• Two popular protocols are:
1) DES (Data Encryption Standard)
2) AES (Advanced Encryption Standard)
• A shared secret key between a transmitter and a receiver is assigned at both the transmitter
and the receiver points.
• At the receiving end, the encrypted information is transformed back to the original data
by using the decryption algorithm and the secret key.

DES (Data Encryption Standard)

• Plaintext messages are converted into 64-bit blocks, and each block is encrypted using a key.
• The key length is 56 bits.
• DES consists of 16 identical rounds of an operation.

Begin DES Algorithm

1) Initialize. Before round 1 begins, all 64 bits of the message and all 56 bits of the secret key
are separately permuted (shuffled).

2) Each incoming 64-bit message is broken into two 32-bit halves denoted by Li and Ri
respectively.
3) The 56 bits of the key are also broken into two 28-bit halves, and each half is rotated one or
two bit positions, depending on the round.
4) All 56 bits of the key are permuted, producing version ki of the key on round i.
5) Li and Ri are determined by
Li = Ri-1
and
Ri = Li-1 ⊕ F(Ri-1, ki)
6) All 64 bits of the message are permuted.
Operation of function F()
• Out of the 56 bits of key ki, function F() chooses 48 bits.
• The 32-bit Ri-1 is expanded from 32 bits to 48 bits so that it can be combined with the 48-bit ki.
The expansion of Ri-1 is carried out by first breaking Ri-1 into eight 4-bit chunks and then
expanding each chunk by copying the leftmost bit and the rightmost bit from the left and right
adjacent chunks, respectively.
• F() also partitions the 48 bits of ki into eight 6-bit chunks.
• The corresponding eight chunks of Ri-1 and eight chunks of ki are combined as follows:
Ri-1 = Ri-1 ⊕ ki
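The round equations of step 5 and the 32-to-48-bit expansion inside F() are easiest to follow in code. The following is an added example, not part of the lecture notes and not DES itself: it implements Li = Ri-1 and Ri = Li-1 ⊕ F(Ri-1, ki) for 16 rounds together with the expansion described above (read as in the DES E-box: each 4-bit chunk gains the rightmost bit of its left neighbour and the leftmost bit of its right neighbour, wrapping around). The key rotation schedule, the choice of 48 key bits and the 48-to-32-bit compression (done in real DES by the S-boxes, which this page does not describe) are simplified stand-ins, so the result is a toy cipher for studying the structure only. What it demonstrates is the property that matters for the design: decryption is the same function run with the subkeys in reverse order, whatever F is.

```python
# Added example: a DES-shaped Feistel network with a stand-in round function.
# Toy cipher for studying the structure; it must not be used to protect data.

MASK32 = 0xFFFFFFFF
MASK28 = 0xFFFFFFF


def expand_32_to_48(r):
    """Expand a 32-bit half to 48 bits: split r into eight 4-bit chunks and surround
    each chunk with the rightmost bit of its left neighbour and the leftmost bit of its
    right neighbour (chunk 0 and chunk 7 are neighbours of each other)."""
    chunks = [(r >> (28 - 4 * i)) & 0xF for i in range(8)]
    out = 0
    for i in range(8):
        left_bit = chunks[(i - 1) % 8] & 1           # rightmost bit of left neighbour
        right_bit = (chunks[(i + 1) % 8] >> 3) & 1   # leftmost bit of right neighbour
        six = (left_bit << 5) | (chunks[i] << 1) | right_bit
        out = (out << 6) | six
    return out


def toy_compress_48_to_32(v):
    """Stand-in for the DES S-box stage (not described in the notes): fold each 6-bit
    chunk back to 4 bits by XORing the two borrowed outer bits into the middle bits."""
    out = 0
    for i in range(8):
        six = (v >> (42 - 6 * i)) & 0x3F
        outer = ((six >> 5) & 1) ^ (six & 1)   # the two bits copied from neighbours
        middle = (six >> 1) & 0xF              # the chunk's own four bits
        out = (out << 4) | (middle ^ (0b1010 if outer else 0))
    return out


def round_function(r_prev, subkey48):
    """F(Ri-1, ki): expand Ri-1 to 48 bits, XOR with the 48-bit subkey, compress to 32."""
    return toy_compress_48_to_32(expand_32_to_48(r_prev) ^ subkey48)


def round_subkeys(key56, rounds=16):
    """Derive one 48-bit subkey per round: rotate the two 28-bit key halves by one or
    two positions (DES rotates by 1 in rounds 1, 2, 9 and 16, otherwise by 2) and keep
    48 of the 56 bits. Dropping the low 8 bits is a simplification of the DES PC-2 table."""
    c, d = key56 >> 28, key56 & MASK28
    keys = []
    for i in range(rounds):
        shift = 1 if i in (0, 1, 8, 15) else 2
        c = ((c << shift) | (c >> (28 - shift))) & MASK28
        d = ((d << shift) | (d >> (28 - shift))) & MASK28
        keys.append(((c << 28) | d) >> 8)
    return keys


def feistel(block64, subkeys):
    """Run the rounds Li = Ri-1, Ri = Li-1 XOR F(Ri-1, ki) and swap the halves at the end.
    The final swap is what lets the same function decrypt with reversed subkeys."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def encrypt(block64, key56):
    return feistel(block64, round_subkeys(key56))


def decrypt(block64, key56):
    return feistel(block64, round_subkeys(key56)[::-1])


if __name__ == "__main__":
    key = 0x12345678ABCDEF            # constructed 56-bit key
    plaintext = 0x0123456789ABCDEF    # constructed 64-bit block
    ciphertext = encrypt(plaintext, key)
    print(f"ciphertext = {ciphertext:016x}")
    print("round trip ok:", decrypt(ciphertext, key) == plaintext)
```

Because F is never inverted, it need not be invertible at all; the whole cryptographic strength of DES therefore rests on the design of F (its S-boxes), while the Feistel wiring only guarantees that a decryption exists.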

AES (Advanced Encryption Standard)

• AES has better security strength than DES.
• In AES the message is divided into 128-bit blocks, and it uses a 128-, 192- or 256-bit key.
• Based on the key size, the number of rounds is 10, 12 or 14.
• The plaintext is formed as 16 bytes m0 through m15 and is fed into round 1 after an
initialization stage.
• In this round, substitution units (S) perform a byte-by-byte substitution of the blocks.
• The ciphers then move through a permutation stage that shifts rows and mixes columns.
• At the end of the round, all 16 cipher blocks are exclusive-ORed with the 16 bytes of the
round-1 key k0(1) through k15(1).


Public Key Encryption Protocols

• This is also called asymmetric or two-key encryption.
• A sender/receiver pair use different keys.
• It is based on mathematical functions rather than on substitution or permutation.
• Two popular protocols are:
i) RSA protocol
ii) Diffie-Hellman key-exchange protocol.
• Either of the two related keys can be used for encryption; the other one is then used for
decryption.
• Each system publishes its encryption key by placing it in a public register and designates
that key as the public one. The companion key is kept private.
• If A wishes to send a message to B, A encrypts the message using B's public key.
• At the receiving end, B decrypts the message using its private key.
• No other recipient can decrypt the message, since only B knows its private key.
• The public-key system is more powerful than the secret-key system and provides better
security and message privacy.
• Drawbacks of the public-key system:
o slower speed
o greater computational complexity

RSA ALGORITHM
• Assume that a plaintext m must be encrypted to a ciphertext c.
• RSA has three phases: key generation, encryption and decryption.


Key Generation Algorithm

1) Choose two prime numbers a and b and compute n = a·b.
2) Find x. Select encryption key x such that x and (a-1)(b-1) are relatively prime.
3) Find y. Calculate decryption key y such that
x·y mod (a-1)(b-1) = 1
4) At this point, a and b can be discarded.
5) The public key = {x, n}
6) The private key = {y, n}
Encryption
1) Both sender and receiver must know the value of n.
2) The sender knows the value of x, and only the receiver knows the value of y.
3) Ciphertext c is constructed by
c = m^x mod n
Decryption
Given the ciphertext c, the plaintext m is extracted by
m = c^y mod n
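The three phases above, worked through in code. This is an added example, not part of the notes; it keeps the notes' variable names (a, b, n, x, y) and uses small constructed primes so every intermediate value can be checked by hand. It is "textbook" RSA: no padding, a deterministic ciphertext for a given m, and a modulus far too small to resist factoring, so real deployments use primes of 1024 bits or more and a padding scheme such as OAEP.

```python
# Added example: RSA key generation, encryption and decryption in the notes' notation.
from math import gcd, isqrt


def is_prime(p):
    """Trial division; adequate for the toy primes used in this example."""
    if p < 2:
        return False
    return all(p % d for d in range(2, isqrt(p) + 1))


def generate_keys(a, b, x):
    """Key generation, steps 1-6 of the notes.
    n = a*b; x must be relatively prime to (a-1)(b-1); y is the inverse of x
    modulo (a-1)(b-1), i.e. x*y mod (a-1)(b-1) == 1. Returns (public, private)."""
    if not (is_prime(a) and is_prime(b)) or a == b:
        raise ValueError("a and b must be two distinct primes")
    n = a * b
    phi = (a - 1) * (b - 1)
    if gcd(x, phi) != 1:
        raise ValueError("x and (a-1)(b-1) must be relatively prime")
    y = pow(x, -1, phi)          # modular inverse (Python 3.8+)
    return (x, n), (y, n)        # a and b can now be discarded


def encrypt(m, public):
    """c = m^x mod n. The plaintext block must be smaller than the modulus."""
    x, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= m < n")
    return pow(m, x, n)


def decrypt(c, private):
    """m = c^y mod n."""
    y, n = private
    return pow(c, y, n)


def roundtrip(m, a=61, b=53, x=17):
    """Encrypt with the public key and decrypt with the private key; returns m again.
    The primes 61 and 53 and exponent 17 are constructed toy parameters (n = 3233)."""
    public, private = generate_keys(a, b, x)
    return decrypt(encrypt(m, public), private)


if __name__ == "__main__":
    public, private = generate_keys(61, 53, 17)
    print("public  {x, n} =", public)
    print("private {y, n} =", private)
    c = encrypt(65, public)
    print("c =", c, " m =", decrypt(c, private))
```

Note that only n and x are needed to encrypt, as the notes say, while y must stay with the receiver: anyone who learns (a-1)(b-1), and hence anyone who can factor n, can recompute y exactly as generate_keys does.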

DIFFIE-HELLMAN KEY-EXCHANGE PROTOCOL

• Two end users can agree on a shared secret code without any information shared in advance.
• This protocol is normally used for VPNs (virtual private networks).
• Assume that user-1 wishes to communicate with user-2.
Key Generation Algorithm
1) User-1 selects a prime number 'a', a random integer 'x1' and a generator 'g', then
creates 'y1' such that
y1 = g^x1 mod a
2) User-2 performs the same function and creates y2 such that
y2 = g^x2 mod a
3) User-1 then sends y1 to user-2, and user-2 sends y2 to user-1. User-1 forms its key k1 using
the information its partner sent as
k1 = y2^x1 mod a
4) User-2 forms its key k2 using the information its partner sent it as
k2 = y1^x2 mod a
5) The two keys k1 and k2 are equal. The two users can now encrypt their messages, each using
its own key.
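The exchange in steps 1 to 5, run for both sides. This is an added example, not part of the notes; it uses the notes' names (a, g, x1, x2, y1, y2, k1, k2) with the small constructed parameters a = 23, g = 5 so the arithmetic can be followed by hand, and it adds one check that the notes do not mention but every implementation needs: a received public value of 0, 1 or a-1 would force a trivial shared key and is rejected. The exchange by itself authenticates nobody, so in practice the y values must be signed or otherwise tied to an identity, or the masquerading attack described earlier applies to the key exchange as well.

```python
# Added example: Diffie-Hellman key agreement in the notes' notation.
import secrets


def check_public_value(y, a):
    """Reject public values that would make the shared key trivial (0, 1 or a-1).
    A standard practitioner precaution, not a step from the notes."""
    if not 1 < y < a - 1:
        raise ValueError("public value out of range")
    return y


def public_value(g, x, a):
    """y = g^x mod a (steps 1 and 2)."""
    return pow(g, x, a)


def shared_key(y_partner, x_own, a):
    """k = y_partner^x_own mod a (steps 3 and 4), after validating the partner's value."""
    return pow(check_public_value(y_partner, a), x_own, a)


def random_exponent(a):
    """A fresh private exponent in [2, a-2] from the operating system's CSPRNG."""
    return 2 + secrets.randbelow(a - 3)


def exchange(a, g, x1, x2):
    """Run both sides of the protocol. Returns (y1, y2, k1, k2); k1 == k2 is the agreed key.
    Only y1 and y2 travel over the network; x1 and x2 never leave their owners."""
    y1 = public_value(g, x1, a)      # user-1 computes and sends y1
    y2 = public_value(g, x2, a)      # user-2 computes and sends y2
    k1 = shared_key(y2, x1, a)       # user-1: partner's y2 with own x1
    k2 = shared_key(y1, x2, a)       # user-2: partner's y1 with own x2
    return y1, y2, k1, k2


if __name__ == "__main__":
    a, g = 23, 5                     # constructed toy prime and generator
    x1, x2 = random_exponent(a), random_exponent(a)
    y1, y2, k1, k2 = exchange(a, g, x1, x2)
    print(f"y1={y1} y2={y2} k1={k1} k2={k2} agree={k1 == k2}")
```

Both keys agree because y2^x1 = (g^x2)^x1 = g^(x1·x2) = (g^x1)^x2 = y1^x2 (mod a). An eavesdropper sees a, g, y1 and y2 but not x1 or x2, and recovering an exponent from y = g^x mod a is the discrete-logarithm problem, which is what makes the agreed key secret when a is a large prime.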

AUTHENTICATION
• Message authentication verifies the authenticity of both the message sender and the message
content.
• The message sender is authenticated through implementation of a digital signature.
• The message content is authenticated through implementation of a hash function and
encryption of the resulting message digest.
• A hash function is used to produce a "fingerprint" of a message.
• The hash value is added at the end of the message before transmission.
• The receiver re-computes the hash value from the received message and compares it to the
received hash value.
• If the two hash values are the same, the message was not altered during transmission.
• Once a hash function is applied to a message m, the result is known as the message digest
h(m).
• The hash function has the following properties:
1) Unlike the encryption algorithm, the authentication algorithm is not required to be
reversible.
2) Given a message digest h(m), it is computationally infeasible to find m.
3) It is computationally infeasible to find two different messages m1 and m2 such that
h(m1) = h(m2).
• Message authentication can be implemented by two methods.
1) In the first method, a hash function is applied to the message and then a process of encryption
is applied. At the receiver site, the received message digest is decrypted and compared with the
message digest made locally from the received message, which gives the judgment on the
integrity of the message.

2) In the second method, no encryption is involved. The two parties share a secret key, and at
the receiving site the comparison is made between the received h(m) and the message digest
made locally from the received message.
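The second method, in code. This is an added example, not part of the notes: the notes describe a shared-key digest generically, and HMAC-SHA256 from Python's standard library is used here as the concrete construction. The digest is appended to the message, recomputed at the receiver and compared with a constant-time comparison; a modified message is rejected. The shared key is the whole point of the method: an unkeyed h(m) could simply be recomputed by whoever altered the message, so it proves integrity against accidents but not against an intruder.

```python
# Added example: shared-key message authentication (the notes' second method),
# using HMAC-SHA256 as the keyed digest.
import hashlib
import hmac

# Constructed demo key. A real key is random, at least 32 bytes, and distributed
# out of band to exactly the two parties.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def message_digest(message):
    """h(m): the unkeyed fingerprint of the message, as the notes define it."""
    return hashlib.sha256(message).hexdigest()


def keyed_digest(message, key):
    """The shared-key digest: depends on both the message and the key, so an
    intruder without the key cannot produce a valid value for a changed message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def frame(message, key):
    """Sender side: append the keyed digest to the message before transmission."""
    return message + b"|" + keyed_digest(message, key).encode()


def receive(transmitted, key):
    """Receiver side: recompute the digest locally and compare it with the received one.
    Returns the message if they match, otherwise None."""
    message, sep, received = transmitted.rpartition(b"|")
    if not sep:
        return None                       # malformed frame, no digest present
    expected = keyed_digest(message, key).encode()
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        return None
    return message


def demo():
    """Constructed traffic: one genuine frame and the same frame altered in transit.
    Returns (accepted message, result for the altered frame)."""
    good = frame(b"transfer 100 to account 42", SHARED_KEY)
    tampered = good.replace(b"100", b"900")
    return receive(good, SHARED_KEY), receive(tampered, SHARED_KEY)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("genuine frame  ->", accepted)
    print("tampered frame ->", rejected)
```

hmac.compare_digest is used instead of == so that the time taken to reject a bad digest does not depend on how many leading characters happened to match, which would otherwise leak the expected value byte by byte to a remote party.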

Secure Hash Algorithm (SHA)

• The Secure Hash Algorithm (SHA) was proposed as part of the digital signature standard.
SHA-1, the first version of this standard, takes messages with a maximum length of 2^64 bits
and produces a 160-bit digest.
• SHA-1 uses five registers, R1 through R5, to maintain a "state" of 20 bytes.
• The first step is to pad a message m with length lm. The message length is forced to lm = 448
mod 512. In other words, the length of the padded message becomes 64 bits less than a
multiple of 512 bits.
• After padding, the second step is to expand each 512-bit block (sixteen 32-bit words {m0, m1,
..., m15}) to eighty 32-bit words using:

And

where j means left rotation by j bits.


• Then, the 80 steps ( i = 0, 1, 2, ..., 79) of the four rounds are described as follows

where Ci is a constant value specified by the standard for round i.

The message digest is produced by concatenation of the values in R1 through R5.
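The expansion and step equations are missing from this copy of the notes. The following added example, which is not part of the notes, fills in the structure from the standard itself (FIPS 180): padding to 448 mod 512 bits followed by the 64-bit length, the expansion of sixteen words to eighty with a one-bit left rotation, four rounds of twenty steps each with its own constant, and five 32-bit registers whose concatenation is the digest. The result is checked against Python's hashlib. SHA-1 is shown here for its structure only: practical collisions have been public since 2017, so it no longer satisfies property 3 above and should not be used for new signatures.

```python
# Added example: SHA-1 written out step by step (FIPS 180) and checked against hashlib.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(v, j):
    """Left rotation of a 32-bit word by j bits."""
    return ((v << j) | (v >> (32 - j))) & MASK32


def pad(message):
    """Step 1: append a 1 bit (0x80), then zeros until the length is 448 mod 512 bits,
    then the original length in bits as a 64-bit big-endian integer (hence the
    2^64-bit limit)."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def expand(block):
    """Step 2: sixteen 32-bit words m0..m15 of a 512-bit block become eighty words,
    W[t] = (W[t-3] xor W[t-8] xor W[t-14] xor W[t-16]) rotated left by 1."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def sha1(message):
    """Return the 160-bit digest as 40 hex characters."""
    # Five 32-bit registers (R1..R5 in the notes), initial values from the standard.
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad(message)
    for off in range(0, len(padded), 64):
        w = expand(padded[off:off + 64])
        a, b, c, d, e = h
        for i in range(80):              # 80 steps, four rounds of 20
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[i]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)    # concatenation of R1..R5


def matches_stdlib(message):
    """Cross-check this implementation against the library version."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        print(sha1(sample), matches_stdlib(sample))
```

The round constants k and the register initial values are the ones fixed by the standard; they are the Ci of the notes. Because the state is only 160 bits, a birthday attack needs about 2^80 work in theory, and the published collision attacks bring that well within reach, which is why SHA-256 or stronger is used for new designs.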

Authentication and Digital Signature

• A digital signature on a message is required for the authentication and identification of the
right sender.
• The RSA algorithm can be used to implement a digital signature.
• The message is encrypted with the sender's private key. Thus, the entire encrypted message
serves as a digital signature.
• At the receiving end, the receiver decrypts the message using the sender's public key. This
authenticates that the packet comes from the right user.
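The signing roles described above, combined with the first authentication method (hash, then encrypt the digest). This is an added example, not part of the notes: it signs a SHA-256 digest with a toy RSA private key in the notes' notation (public {x, n}, private {y, n}, constructed from the primes 61 and 53) and verifies with the matching public key. Because the toy modulus is smaller than a digest, each digest byte is signed as its own RSA block; real signatures use a large modulus and a padding scheme such as RSASSA-PSS, so only the roles are realistic here, not the parameters.

```python
# Added example: digital signature with RSA in the notes' notation (toy parameters).
import hashlib


def toy_keys(a=61, b=53, x=17):
    """Toy RSA pair: public {x, n}, private {y, n}, with x*y == 1 mod (a-1)(b-1).
    Constructed from small primes for readability; not secure."""
    n, phi = a * b, (a - 1) * (b - 1)
    return (x, n), (pow(x, -1, phi), n)


def digest_blocks(message):
    """h(m) as a sequence of small integers, one per digest byte, each < n."""
    return tuple(hashlib.sha256(message).digest())


def sign(message, private):
    """Sender: hash the message, then 'encrypt' the digest with the private key.
    Only the holder of y can produce these values."""
    y, n = private
    return tuple(pow(block, y, n) for block in digest_blocks(message))


def verify(message, signature, public):
    """Receiver: 'decrypt' the signature with the sender's public key and compare with
    the digest computed locally. Anyone with the public key can run this check."""
    x, n = public
    expected = digest_blocks(message)
    if len(signature) != len(expected):
        return False
    recovered = tuple(pow(block, x, n) for block in signature)
    return recovered == expected


if __name__ == "__main__":
    public, private = toy_keys()
    msg = b"i am user 1"                      # constructed message
    sig = sign(msg, private)
    print("valid signature accepted:", verify(msg, sig, public))
    print("altered message rejected:", not verify(b"hi i am user 1", sig, public))
```

Compare this with the shared-key digest of the previous section: there, either party could have produced the tag, so the receiver cannot prove to a third party who sent the message. Here the signature can only come from the holder of the private key, which is what gives non-repudiation as well as sender authentication.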

Firewalls
• A firewall is placed between the hosts of a certain network and the outside world.
• A firewall is used to protect the network from unwanted web sites and potential hackers.
• The main objective is to monitor and filter packets coming from unknown sources.
• A firewall can also be used to control data traffic.
• A firewall can be a software program or a hardware device.
1) Software firewalls can be installed on home computers using an Internet connection
with gateways.
2) Hardware firewalls are more secure than software firewalls and are not expensive.

A firewall controls the flow of traffic by one of the following three methods:
1) Packet filtering: A firewall filters the packets that pass through it. If packets get
through the filter, they reach their destinations; otherwise, they are discarded.
2) Source-address filtering: A firewall filters packets based on the source IP address. This
filtering is helpful when a host has to be protected from any unwanted external packets.
3) Denial of Service (DoS) control: This method controls the number of packets entering a
network.
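The three controls applied to a stream of packets. This is an added example, not part of the notes: the rule set and the packet records are constructed (addresses come from the RFC 5737 documentation ranges), and the DoS control is reduced to a per-source packet count over the batch being examined rather than a real time window. Every dropped packet is returned with its reason, since a firewall that does not log why it dropped something is of little use to the operator.

```python
# Added example: packet filtering, source-address filtering and a per-source packet
# limit over a constructed batch of packets.
import ipaddress
from collections import Counter

# Constructed policy: one blocked source range and a per-source packet limit.
BLOCKED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
PACKETS_PER_SOURCE_LIMIT = 3

# Constructed traffic: five packets from one host, two from a blocked range, one benign.
SAMPLE_PACKETS = (
    [{"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}] * 5
    + [{"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}] * 2
    + [{"src": "192.0.2.1", "dst": "192.0.2.10", "proto": "udp", "dport": 53}]
)


def filter_packets(packets, blocked=BLOCKED_SOURCES, limit=PACKETS_PER_SOURCE_LIMIT):
    """Apply the controls in order: drop packets from blocked source ranges, then drop
    packets from any source that has exceeded `limit` packets in this batch, and pass
    the rest. Returns (allowed, dropped); each dropped entry is (packet, reason)."""
    count = Counter()
    allowed, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        if any(src in net for net in blocked):          # source-address filtering
            dropped.append((pkt, "blocked source"))
            continue
        count[src] += 1
        if count[src] > limit:                           # DoS control: too many packets
            dropped.append((pkt, "rate limit"))
            continue
        allowed.append(pkt)                              # passed the filter
    return allowed, dropped


def drop_reasons(dropped):
    """Summarise dropped packets by reason, the way a firewall log would be reviewed."""
    return Counter(reason for _, reason in dropped)


if __name__ == "__main__":
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"allowed {len(allowed)}, dropped {len(dropped)}: {dict(drop_reasons(dropped))}")
```

The order of the checks matters: testing the blocked ranges first means packets from a blocked source never count toward the rate limit, and the rate-limit state is keyed by source address, so a single source cannot exhaust the limit on behalf of others.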
