Network ch7
Topics:
7.1 Fundamentals of secure networks; cryptography
7.2 Encryption and privacy
7.3 Authentication protocols
7.4 Firewalls
7.5 Virtual private networks
7.6 Transport layer security
Network security is not only concerned with the security of the computers at each end of the
communication chain; it aims to ensure that the entire network is secure. Network security entails
protecting the usability, reliability, integrity, and safety of the network and its data.
Effective network security prevents a variety of threats from entering or spreading on a network.
The primary goals of network security are Confidentiality, Integrity, and Availability. These three pillars of
network security are often represented as the CIA triangle.
Confidentiality – The function of confidentiality is to protect precious business data from unauthorized
persons. Confidentiality part of network security makes sure that the data is available only to the
intended and authorized persons.
Integrity – This is maintaining and assuring the accuracy and consistency of data. The function of
integrity is to make sure that the data is reliable and is not changed by unauthorized persons.
Availability – The function of availability in Network Security is to make sure that the data, network
resources/services are continuously available to the legitimate users, whenever they require it.
Achieving Network Security
The goals to be achieved seem to be straightforward. But in reality, the mechanisms used to achieve these
goals are highly complex, and understanding them is important. The International Telecommunication
Union (ITU) recommendation on security architecture defines mechanisms that standardize the methods used
to achieve network security. Some of these mechanisms are –
Encipherment – This mechanism provides data confidentiality services by transforming data into a form
that is not readable by unauthorized persons. It uses an encryption-decryption algorithm with secret keys.
Digital signatures – This mechanism is the electronic equivalent of an ordinary signature, applied to
electronic data. It provides authenticity of the data.
Access control – This mechanism is used to provide access control services. These mechanisms may
use the identification and authentication of an entity to determine and enforce the access rights of the
entity.
Having developed and identified various security mechanisms for achieving network security, it is essential
to decide where to apply them; both physically (at what location) and logically (at what layer of an
architecture such as TCP/IP).
Activity 7.1
Cryptography:
The art and science of concealing messages to introduce secrecy into information security is known as
cryptography.
The word ‘cryptography’ was coined by combining two Greek words, ‘kryptos’ meaning hidden and
‘graphein’ meaning writing.
Context of Cryptography:
• Cryptography
• Cryptanalysis
What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing information
security. Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms
based on mathematical algorithms that provide fundamental information security services.
What is Cryptanalysis?
The art and science of breaking ciphertext is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography, and the two co-exist. The cryptographic process results
in the ciphertext for transmission or storage; cryptanalysis is the study of cryptographic mechanisms with the
intention of breaking them. Cryptanalysis is also used during the design of new cryptographic techniques to
test their security strength.
Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a security service that
keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means, ranging from physical security to the use of
mathematical algorithms for data encryption.
Data Integrity
It is a security service that deals with identifying any alteration to the data. The data may get modified by an
unauthorized entity intentionally or accidentally.
Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has
been manipulated in an unauthorized manner.
Authentication
Authentication provides the identification of the originator. It confirms to the receiver that the data received
has been sent only by an identified and verified sender.
The authentication service has two variants –
Message authentication identifies the originator of the message, regardless of the router or
system that has forwarded the message.
Entity authentication is the assurance that data has been received from a specific entity, say a
particular website.
Apart from the originator, authentication may also provide assurance about other parameters related to data
such as the date and time of creation/transmission.
Non-repudiation
It is a security service that ensures that an entity cannot deny ownership of a previous commitment or
an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of
the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where there is a chance of a dispute over
the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the
purchase order if the non-repudiation service was enabled in this transaction.
Components of a Cryptosystem
Types of Cryptosystems
Fundamentally, there are two types of cryptosystems, based on the manner in which encryption/decryption is carried
out in the system: symmetric key encryption and asymmetric key encryption.
The main difference between these cryptosystems is the relationship between the encryption and the
decryption key. Logically, in any cryptosystem, both keys are closely associated. It is practically
impossible to decrypt the ciphertext with a key that is unrelated to the encryption key.
The encryption process where same keys are used for encrypting and decrypting the information is known
as Symmetric Key Encryption.
The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric cryptosystems are also
sometimes referred to as secret key cryptosystems.
A few well-known examples of symmetric key encryption methods are – Data Encryption Standard (DES), Triple-
DES (3DES), IDEA, and Blowfish.
The encryption process where different keys are used for encrypting and decrypting the information is
known as Asymmetric Key Encryption. Though the keys are different, they are mathematically related and
hence, retrieving the plaintext by decrypting ciphertext is feasible.
Every user in this encryption needs to have a pair of dissimilar keys, private key and public key. These
keys are mathematically related – when one key is used for encryption, the other can decrypt the ciphertext
back to the original plaintext.
Private Key
In private key cryptography, the same key (secret key) is used for encryption and decryption. This scheme is
symmetric because the single key must be copied to or shared with the other party so that it can decrypt the
cipher text. It is faster than public key cryptography.
Public Key
In public key cryptography, two keys are used: one for encryption and another for decryption. One key (the
public key) is used to encrypt the plain text into cipher text, and the other key (the private key) is used by
the receiver to decrypt the cipher text and read the message.
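As an added example, not taken from the original notes, the following Python code demonstrates the confidentiality and data-integrity services described above under a single shared (symmetric) key. A toy keystream cipher, constructed here for illustration only, stands in for a real symmetric algorithm such as those named earlier, and an HMAC-SHA256 tag provides the integrity service. It shows the point made under Data Integrity: encryption alone does not detect alteration (changing one ciphertext byte makes the receiver decrypt a different amount without noticing), whereas the integrity tag lets the receiver detect and reject the modified message. All keys, messages and function names are constructed for the example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of per-message nonce prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (constructed for illustration, not a real cipher):
    XOR the data with a keystream of SHA-256(key || nonce || counter) blocks.
    Because XOR is its own inverse, the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # fresh nonce so equal messages differ
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def tag(mac_key: bytes, blob: bytes) -> bytes:
    """Integrity service: HMAC-SHA256 over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, blob, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    blob = encrypt(enc_key, plaintext)
    return blob + tag(mac_key, blob)


def unprotect(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    blob, received = message[:-TAG_LEN], message[-TAG_LEN:]
    # constant-time comparison; reject before decrypting anything
    if not hmac.compare_digest(received, tag(mac_key, blob)):
        raise ValueError("integrity check failed: message was altered")
    return decrypt(enc_key, blob)


def flip_plaintext_byte(blob: bytes, offset: int, old: int, new: int) -> bytes:
    """Modify one ciphertext byte: XORing it with (old ^ new) turns plaintext
    byte 'old' into 'new' without any knowledge of the key."""
    i = NONCE_LEN + offset
    return blob[:i] + bytes([blob[i] ^ old ^ new]) + blob[i + 1:]


def encryption_alone(enc_key: bytes) -> bytes:
    """Confidentiality only: the receiver cannot notice the alteration."""
    blob = encrypt(enc_key, b"PAY 100")
    forged = flip_plaintext_byte(blob, 4, ord("1"), ord("9"))
    return decrypt(enc_key, forged)            # b"PAY 900", accepted silently


def encryption_with_integrity(enc_key: bytes, mac_key: bytes) -> str:
    """Confidentiality plus integrity: the same alteration is detected."""
    message = protect(enc_key, mac_key, b"PAY 100")
    forged = flip_plaintext_byte(message, 4, ord("1"), ord("9"))
    try:
        unprotect(enc_key, mac_key, forged)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)   # constructed keys
    print(encryption_alone(k_enc))                  # b'PAY 900'
    print(encryption_with_integrity(k_enc, k_mac))  # rejected
```

The receiver checks the tag before decrypting and uses a constant-time comparison, so a modified message is discarded without leaking anything about where the check failed. Real deployments use an authenticated cipher (such as AES-GCM) rather than a hand-built keystream, but the separation of the two services is the same.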
7.3. Authentication protocols
1. A protocol has to involve two or more parties, and everyone involved in the protocol must know the
protocol in advance.
2. All the parties involved have to follow the protocol.
3. A protocol has to be unambiguous – each step must be defined precisely.
4. A protocol must be complete – it must include a specified action for every possible situation.
Here are some common types of authentication –
Password-based authentication − This is the most common form of authentication, in which a user
provides a username and password to log in to a system or access a protected resource. Password-based
authentication is relatively simple to implement, but can be vulnerable to attacks such as dictionary attacks
or brute force attacks.
Two-factor authentication − This is a type of authentication that requires a user to provide two forms of
identification, such as a password and a security token, to log in to a system or access a protected resource.
Two-factor authentication can provide an additional layer of security, but may be inconvenient for users and
may require additional infrastructure to support.
Biometric authentication − This is a type of authentication that uses physical or behavioral characteristics,
such as a fingerprint or facial recognition, to verify the identity of a user. Biometric authentication can be
highly secure, but may be expensive to implement and may not work well for all users (e.g., due to
differences in physical characteristics).
Kerberos
Kerberos is an authentication protocol that is used to securely identify users and devices on a network. It is
designed to prevent attacks such as eavesdropping and replay attacks, and to allow users to securely access
network resources without transmitting their passwords over the network.
The Kerberos protocol works by using a trusted third party, known as the Kerberos authentication server, to
verify the identity of users and devices. When a user or device wants to access a network resource, they
request access from the Kerberos authentication server. The authentication server verifies the user's identity
and issues a ticket-granting ticket (TGT) to the user, which can be used to request access to specific
resources on the network.
Lightweight Directory Access Protocol (LDAP)
It is a network protocol used to access and manage directory services, such as those provided by Active
Directory or OpenLDAP. LDAP is designed to be a simple, fast, and secure protocol for accessing directory
services over a network.
LDAP directory services are used to store and manage information about users, devices, and other objects in
an organization. LDAP is typically used to authenticate users and devices, to look up information about
users and devices, and to manage access to network resources.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol used to manage and
authenticate users who connect to a network. It is commonly used to authenticate users who connect to a
network using a dial-up connection, but it can also be used to authenticate users who connect to a network
using other technologies, such as wireless or VPN.
The RADIUS protocol works by allowing a user to authenticate with a RADIUS server, which is a system
that verifies the user's identity and authorizes their access to the network. When a user attempts to connect
to the network, the RADIUS server receives a request for access and authenticates the user using the user's
credentials (such as a username and password). If the user is authenticated, the RADIUS server grants
access to the network and assigns the user a set of network parameters (such as an IP address and a subnet
mask).
The authentication process in this challenge-response scheme is always initiated by the server/host and can be
performed at any time during the session, even repeatedly. The server sends a random string (usually 128 B
long). The client uses the password and the received string as parameters to the MD5 hash function and then
sends the result together with the username in plain text. The server uses the username to look up the
password, applies the same function and compares the calculated and received hashes.
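The exchange just described, written out as an added Python example (not code from the original notes): the server issues a random challenge, the client returns MD5(password || challenge) together with its username, and the server recomputes and compares. The order in which password and challenge are concatenated is not stated in the notes, so password-then-challenge is an assumption, as are the credential store, the class and function names, and the sample user. MD5 is used only because the notes specify it; the example also shows why the challenge must be random and single-use, by checking that a response recorded from one exchange does not verify against the next challenge.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 128   # the notes' "random string, usually 128 B long"


def client_response(password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over (password || challenge). Concatenation order is
    an assumption of this example; MD5 is used because the notes specify it."""
    return hashlib.md5(password + challenge).digest()


class AuthServer:
    """Server side. Constructed example: passwords are held in a dict. In this
    scheme the server needs the password itself (or an equivalent secret),
    because it must recompute exactly the same hash."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}            # username -> challenge not yet answered

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.pending[username] = challenge   # any earlier unanswered challenge is dropped
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        """The message on the wire is (username, response), both in the clear.
        A challenge is consumed on use, so a captured response cannot be replayed."""
        challenge = self.pending.pop(username, None)
        password = self.users.get(username)
        if challenge is None or password is None:
            return False
        expected = hashlib.md5(password + challenge).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def login(server: AuthServer, username: str, password: bytes) -> bool:
    """One complete server-initiated exchange; may be repeated mid-session."""
    challenge = server.issue_challenge(username)
    return server.verify(username, client_response(password, challenge))


def replay_rejected(server: AuthServer, username: str, password: bytes) -> bool:
    """A response recorded from one exchange is useless against the next
    challenge, which is the property the random challenge provides."""
    first = server.issue_challenge(username)
    recorded = client_response(password, first)
    first_ok = server.verify(username, recorded)
    server.issue_challenge(username)                 # re-authentication later in the session
    return first_ok and not server.verify(username, recorded)


if __name__ == "__main__":
    server = AuthServer({"alice": b"correct horse battery staple"})   # constructed user
    print(login(server, "alice", b"correct horse battery staple"))     # True
    print(login(server, "alice", b"wrong password"))                   # False
    print(replay_rejected(server, "alice", b"correct horse battery staple"))  # True
```

Two things to notice as a defender: the server must store the password in a form it can hash again, so the credential store needs the same protection as the network, and the challenge must never be reused, since the only thing stopping a replay is that the next challenge differs.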
7.4. Firewalls
A firewall is a network security device that monitors incoming and outgoing network traffic and permits or
blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your
internal network and incoming traffic from external sources (such as the internet) in order to block
malicious traffic like viruses and hackers.
Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from
unsecured or suspicious sources to prevent attacks. Firewalls guard traffic at a computer’s entry points, called
ports, which is where information is exchanged with external devices. For example, “Source address
172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”
Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source
addresses) are allowed to enter the house (destination address) at all—then it’s further filtered so that people
within the house are only allowed to access certain rooms (destination ports), depending on whether they’re
the owner, a child, or a guest. The owner is allowed into any room (any port), while children and guests are
allowed into a certain set of rooms (specific ports).
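The rule from the text and the house/room analogy, turned into a small packet filter as an added Python example (not from the original notes). The rule set, addresses and role assignments (172.18.1.1 as the "owner" host, the rest of 172.18.1.0/24 as "guests" limited to ports 80 and 443) are constructed for illustration; the evaluation is first-match-wins with an implicit default deny, which is the behaviour a practitioner should expect from a real filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule. dport=None means 'any port' (the owner's case)."""
    action: str                         # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


# Constructed rule set mapping the analogy onto addresses and ports.
# The "house" is the server 172.18.2.1: the owner host may enter any room (port),
# other hosts on the LAN only the web rooms (80/443), everyone else is denied.
RULES = [
    rule("allow", "172.18.1.1/32", "172.18.2.1/32", 22),   # the rule quoted in the text
    rule("allow", "172.18.1.1/32", "172.18.2.1/32"),       # owner: any port
    rule("allow", "172.18.1.0/24", "172.18.2.1/32", 80),   # guests: web only
    rule("allow", "172.18.1.0/24", "172.18.2.1/32", 443),
    rule("deny",  "0.0.0.0/0",     "0.0.0.0/0"),           # explicit catch-all deny
]


def filter_packet(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; with no match at all the default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d, dport):
            return r.action
    return "deny"


def filter_batch(rules, packets):
    """Evaluate (src, dst, dport) tuples, e.g. parsed from a capture, and
    return each with its verdict for review."""
    return [(src, dst, dport, filter_packet(rules, src, dst, dport))
            for src, dst, dport in packets]


if __name__ == "__main__":
    sample = [("172.18.1.1", "172.18.2.1", 22),    # owner, ssh   -> allow
              ("172.18.1.50", "172.18.2.1", 443),  # guest, https -> allow
              ("172.18.1.50", "172.18.2.1", 22),   # guest, ssh   -> deny
              ("10.0.0.5", "172.18.2.1", 443)]     # outsider     -> deny
    for entry in filter_batch(RULES, sample):
        print(entry)
```

Rule order matters: if the catch-all deny were placed first, nothing would ever be allowed, and if a broad allow preceded the specific rules it would silently override them. Keeping the explicit deny at the end and returning deny when no rule matches means a mistake in the rule set fails closed rather than open.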
VPN stands for “Virtual Private Network” and describes the ability to establish a protected network
connection when using public networks. VPNs encrypt your internet traffic and disguise your online
identity. This makes it more difficult for third parties to track your activities online and steal data. The
encryption takes place in real time.
A VPN hides your IP address by letting the network redirect it through a specially configured remote server
run by a VPN host. This means that if you surf online with a VPN, the VPN server becomes the source of
your data. This means your Internet Service Provider (ISP) and other third parties cannot see which websites
you visit or what data you send and receive online. A VPN works like a filter that turns all your data into
“gibberish”. Even if someone were to get their hands on your data, it would be useless.
A VPN connection disguises your data traffic online and protects it from external access. Unencrypted data
can be viewed by anyone who has network access and wants to see it. With a VPN, hackers and cyber
criminals can’t decipher this data.
Secure encryption: To read the data, you need an encryption key. Without one, it would take millions of
years for a computer to decipher the code in the event of a brute force attack. With the help of a VPN, your
online activities are hidden even on public networks.
Disguising your whereabouts: VPN servers essentially act as your proxies on the internet.
Because the demographic location data comes from a server in another country, your actual location cannot
be determined. In addition, most VPN services do not store logs of your activities. Some providers, on the
other hand, record your behavior, but do not pass this information on to third parties. This means that any
potential record of your user behavior remains permanently hidden.
Access to regional content: Regional web content is not always accessible from everywhere.
Services and websites often contain content that can only be accessed from certain parts of the world.
Standard connections use local servers in the country to determine your location. This means that you
cannot access content at home while traveling, and you cannot access international content from home.
With VPN location spoofing, you can switch to a server in another country and effectively “change” your
location.
Secure data transfer: If you work remotely, you may need to access important files on your company’s
network. For security reasons, this kind of information requires a secure connection.
To gain access to the network, a VPN connection is often required. VPN services connect to private servers
and use encryption methods to reduce the risk of data leakage.
Activity 7.2
Several security mechanisms have been developed in such a way that they can be deployed at a specific
layer of the OSI network layer model.
• Security at Application Layer – Security measures used at this layer are application specific. Different
types of application would need separate security measures. In order to ensure application layer security,
the applications need to be modified.
Designing a cryptographically sound application protocol is considered very difficult, and implementing it
properly is even more challenging. Hence, application layer security mechanisms for protecting network
communications are preferably limited to standards-based solutions that have been in use for some time.
An example of application layer security protocol is Secure Multipurpose Internet Mail Extensions
(S/MIME), which is commonly used to encrypt e-mail messages. DNSSEC is another protocol at this layer
used for secure exchange of DNS query messages.
• Security at Transport Layer – Security measures at this layer can be used to protect the data in a single
communication session between two hosts. The most common use for transport layer security protocols is
protecting the HTTP and FTP session traffic.
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the most common protocols used
for this purpose.
• Security at Network Layer – Security measures at this layer can be applied to all applications; thus,
they are not application-specific. All network communications between two hosts or networks can be
protected at this layer without modifying any application. In some environments, a network layer security
protocol such as Internet Protocol Security (IPsec) provides a much better solution than transport or
application layer controls because of the difficulties in adding controls to individual applications. However,
security protocols at this layer provide less of the communication flexibility that some applications may
require.
Note that a security mechanism designed to operate at a higher layer cannot provide protection for data
at lower layers, because the lower layers perform functions of which the higher layers are not aware. Hence,
it may be necessary to deploy multiple security mechanisms to enhance network security.
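To make the last point concrete, here is an added Python model (not from the original notes) of what an on-path observer can still read when protection is applied at the application layer versus the network layer. Packets are plain dictionaries and "sealing" is a one-time pad with a fresh random key, standing in for real encryption; the field names, the two gateway addresses and the sample packet are all constructed. Application-layer protection (in the spirit of S/MIME) seals only the payload, so the source, destination and port fields that the lower layers need remain visible; network-layer protection (in the spirit of IPsec in tunnel mode) seals the whole inner packet, headers included, inside an outer packet that exposes only the two gateways.

```python
import json
import os


def seal(data: bytes):
    """Stand-in for encryption (constructed): one-time pad with a fresh random
    key. Returns (ciphertext, key); only the key holder can recover the data."""
    key = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, key)), key


def unseal(blob: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob, key))


def make_packet(src: str, dst: str, sport: int, dport: int, payload: str) -> dict:
    """Toy IP/TCP packet: header fields plus an application payload."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


def protect_application_layer(pkt: dict):
    """Application-layer protection: only the payload is sealed; the
    transport/network header fields are untouched (they must stay readable
    for routers and the receiving stack to do their job)."""
    blob, key = seal(pkt["payload"].encode())
    return {**pkt, "payload": blob}, key


def protect_network_layer(pkt: dict, gateway_a: str, gateway_b: str):
    """Network-layer protection: the whole inner packet, headers included, is
    sealed and carried inside a new outer packet addressed gateway to gateway."""
    inner = json.dumps(pkt).encode()
    blob, key = seal(inner)
    return {"src": gateway_a, "dst": gateway_b, "payload": blob}, key


def observer_view(pkt: dict) -> dict:
    """What someone on the path can read without any key: every header field,
    plus the payload only if it is still plaintext."""
    view = {k: v for k, v in pkt.items() if k != "payload"}
    view["payload"] = pkt["payload"] if isinstance(pkt["payload"], str) else "<sealed>"
    return view


def receiver_recovers(outer: dict, key: bytes) -> dict:
    """The far gateway unseals the outer payload and gets the inner packet back."""
    return json.loads(unseal(outer["payload"], key))


if __name__ == "__main__":
    original = make_packet("172.18.1.1", "172.18.2.1", 51000, 443, "GET /secret")
    app, _ = protect_application_layer(original)
    net, k = protect_network_layer(original, "203.0.113.1", "198.51.100.1")
    print(observer_view(original))   # everything readable
    print(observer_view(app))        # payload hidden; who talks to whom, on which port, is not
    print(observer_view(net))        # only the two gateway addresses are visible
    print(receiver_recovers(net, k) == original)   # True
```

The model shows the trade-off the text describes: the application-layer variant needs no network changes but leaks the traffic pattern, while the network-layer variant hides the inner addresses and ports from the path at the cost of the two gateways having to agree on keys for every application at once.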
In the following chapters of the tutorial, we will discuss the security mechanisms employed at different
layers of OSI networking architecture for achieving network security.
Summary Questions: