
Assignment Title: Proposed Cryptographic Protocols

This document proposes and evaluates cryptographic protocols that could be implemented on the University of Bahawalpur's manufacturing network. It analyzes two network segments and recommends protocols for different devices in each segment based on criteria like confidentiality, data integrity, authentication, and non-repudiation. The protocols considered include WEP, WPA, SSL, TLS, and AES, with Ron Rivest's encryption algorithms suggested as generally suitable for the network.

Uploaded by

co1ossus
Copyright
© Attribution Non-Commercial (BY-NC)

Assignment Title:

Proposed Cryptographic Protocols

Student Name:
Syed Ali Imran Naqvi

Student ID:
1100247

Abstract
With the evolution of the internet, new methods of communication have been introduced and a new digital world has been created. Hiding information has always been an important technique. In ancient times it was done through symbols and various other means, but in today's digital world, where information and communication have taken electronic form, hiding such information remains an important issue to be addressed. In this paper we assess some wired and wireless cryptographic protocols which can be implemented on the UoB manufacturing network for best performance according to its requirements.

Keywords: Cryptology; WEP; WPA; SSL; TLS; AES

Table of Contents
Abstract
Table of Contents
General Background
Cryptology
Technical Aspect and Working
Implementing Cryptographic Protocol
Important Encryption Criteria
Network Segment -1
    Wired Part
        D-Link ADSL Modem
        Linksys DSL Router
        PBX Management Console
        Telephones System
Network Segment -2
    Wireless Access Part
        Applicable Protocols
        Comparison between WEP and WPA
        Some Weaknesses in WEP
        WPA
        WPA2
Conclusion
References

General Background
The privacy or security of vital information was always an important matter among past civilizations, just like their other expensive merchandise. The security of such information matters most when it must be kept secret from irrelevant entities, because its disclosure to any unauthorized person might cause an unbearable impact which eventually leads to unrecoverable loss. Hiding information, or making it unreadable to unauthorized entities, has been practiced for many centuries. If we look a few thousand years back in history, we find that the Egyptians carried out their secret communication using different types of pictures and symbols. These written scripts were generally unreadable for common people. This type of secret scripting has been practiced by many civilizations up to today, but with differences in methodology. In today's world the purpose is still the same, that is, secrecy of information. Previously messages were transferred by writing on paper, wood, stones and even eggs, but today's methods use an electronic medium. Since today's world is considered to be a digital world, all confidential information is transmitted by machines across the network, for example personal bank details, secret government documents, company databases, etc. Therefore it is very important to ensure the confidentiality and integrity of such information.

Cryptology
Cryptology or cryptography is basically the science of secure communication. The word cryptology is a combination of two Greek words: kryptós, "hidden", and lógos, "word". Thus cryptography is the study of hiding or securing information, or we can say the study of secret writing (Wright D. J, 1999). Today's modern cryptography has introduced entirely new levels of data hiding and secure communication by using complex mathematics and other emerging technologies to benefit mankind. In the digital world in which we now live, the applications of cryptography can be found all around us, even in areas where we wouldn't expect it. Cryptography has many commercial and industrial uses and applications. For instance, user IDs and passwords for e-mail or any other accounts, online money transactions, bank ATM cards and machines, telephone calls over the internet, etc. can all now be handled without fear of information being intercepted, thanks to cryptography.

Technical Aspect and Working


Cryptography is a combination of two methods: one is called encryption and the other decryption. The message that is originally to be transmitted is described as plain-text. When this message is being transmitted, encryption is applied to it, which transforms it into another form of text called cipher-text. On reception at the destination, decryption is applied to the same message to convert it back from cipher-text to plain-text. The value on which the cipher algorithm operates is called the key. There are three types of keys used: public key, private key and secret key. The public and private keys are also known as asymmetric keys. The public key, which is available to everyone, is used to encrypt the original message, whereas the private key is used for decryption and is held only by the individual receiver. A secret or symmetric key is a single key that is used for both encryption and decryption. Key length plays a very important role in secure communication, because it would be very difficult for any hacker to break the cipher if the key is long.

Implementing Cryptographic Protocol


After thoroughly analyzing the given network design of UoB manufacturing, two different network segments have been chosen from the network for the implementation of cryptographic protocols, keeping their criticality in view. It has already been stated that the network supervisor has suggested Ron Rivest's encryption algorithms as suitable for the company. In these two segments every device, whether a modem, workstation, PC or laptop, has been classified for a different cryptographic protocol based upon certain key encryption criteria, the services the device provides and the tasks it performs. The key criteria on which these protocols will be assessed are as follows (Alfred J, et al, 1996, p.03):

1. Confidentiality
2. Data integrity mechanism
3. Authentication
4. Non-repudiation

Important Encryption Criteria


1. Privacy / Confidentiality

Privacy or confidentiality is the assurance that data or information is hidden from everyone except those who are approved to see it. It can also be interpreted as the secrecy of the data or information. There are many different methods and ways to keep information or data secret. This security may include physical protection, by keeping it in a safe cabinet, or electronic protection, by applying complex mathematical or scientific methods to it.

2. Data Integrity

Data integrity means ensuring that confidential information is not altered or modified by any unauthorized or unknown means. It addresses the illegitimate modification of original data. To counter this problem one must be able to detect data manipulation by unauthorized persons. There are different types of data manipulation, such as deletion, insertion, and substitution or swapping of any piece of a message or the entire message.

3. Authentication

Authentication is a service that provides recognition or identification of an entity. This service covers both the sender of the message and the information sent. This implies that communication between two parties must take place over a secure channel and must be authenticated, and both parties must identify each other.

4. Non-Repudiation

Non-repudiation is a service that prevents an individual from denying previous actions or commitments. When a conflict arises because an individual or a party denies that certain actions were taken, the situation needs to be handled properly. For example, one party is allowed by a particular entity to sell a car, but later that entity denies that such permission was given. Therefore, to clearly resolve such issues, a trusted third party is needed.

The basic purpose of cryptography is to address all four of these areas, in theory as well as in practice. Cryptography offers secure communication while preventing and detecting all types of scams, fraud and other malicious activities against information.

Network Segment -1
Wired Part
The first and most important segment of the network is the telecom closet. This segment consists of a number of network devices which are connected to each other. A different cryptographic protocol will be applied to each of them according to how it works and the services it provides. Below is the list of these devices with their function and suggested cryptographic protocol.

D-Link ADSL Modem
As is evident from the network diagram, the ADSL modem can be considered the major source of internet connectivity for all other devices and acts as a gateway. Therefore a strong and efficient cryptographic protocol must be used to prevent any type of intruder from accessing the network. There are a few protocols that can be implemented to achieve a high level of security. The best recommended cryptographic protocol for the ADSL modem would be TLS (Transport Layer Security). A number of other protocols can also be used, like IPSec and SHTTP, but TLS is more suitable because it provides safe communication over the network by using authentication and encryption. It also delivers protected server-to-server or client-to-server communication. By using strong encryption algorithms, TLS ensures confidentiality of the information. TLS and SSL basically use RSA algorithms to provide security by using digital signatures. It uses the RC4 algorithm as a preferred algorithm for very fast encryption and decryption of data after a connection is established (Herzberg A, 2004). It provides security against eavesdroppers, forgery and tampering. Client and server must authenticate each other and create a secure link or channel so that transmitted information is protected (RSA Data Security, 1999).

Linksys DSL Router
The Linksys DSL router is again one of the most important devices in this network segment. As this router also acts as a gateway for other devices on the network, it is very important to consider the security aspect of this device. Here again a number of protocols can be used to increase the security of the network and protect it from different types of attacks. A few protocols that can be implemented on this router are IPSec, SSL and TLS, but the best choice for this router is IPSec. Since a router is a layer 3 device, IPSec is more suitable for it. IPSec is basically one of the leading standard services for authentication, confidentiality and integrity, and it works at the IP layer. IPSec ensures that secured host-to-host VPNs (virtual private networks) or encapsulated tunnels are created. It also ensures that a packet transferred over a secured network between computers is not altered and remains authentic. IPSec is based on the RSA and DHM (Diffie-Hellman) algorithms for key exchange. It also uses DES and Triple DES for symmetric encryption. Whenever there is a requirement for high-security encryption, IPSec usually uses the RC5 algorithm, and for hashing the MD5 and SHA1 algorithms are used (Microsoft, 2011). In all situations where secured communication is desired over an insecure network, especially over the internet, IPSec is the most appropriate choice.

PBX Management Console
A PBX (Private Branch Exchange) and a PBX management console are also part of this network segment. A PBX is a private telephone system that enables users to access internal telephone extensions and external phone lines over a private network. PC-based PBX management consoles are designed to manage a large PBX telephone console set. The console uses CTI (Computer Telephony Integration) to manage call flow (Peter D H, 2011). TLS and SSL are very appropriate cryptographic protocols that can be implemented on this PBX management console system. TLS is used because it provides safe communication over a private network by using authentication and encryption.

Telephones System
A telephone device is also connected in this network structure. A telephone system can be used for credit card transactions, therefore an encryption protocol is needed. ISDN technology normally works as the backbone in telephone systems, therefore DES data encryption is more appropriate for an ISDN system. There are two types of keys that can be used in a telephony system. The first key is long and termed the public key, which is actually embedded in the phone, and the other is called the private key, which provides caller identification.

Network Segment -2
Wireless Access Part
The wireless part can be considered the most sensitive part of the network. This is because all communication with this segment of the network is transmitted wirelessly: both factory buildings are connected to each other through a wireless access point. This segment contains the manager's laptop, the laptops of senior management and a quality office workstation. Unfortunately, from the beginning of the setup no encryption mechanism was implemented on this sensitive segment, and there is already a rumor that those who live nearby can access the factory internet. So the major reason for choosing the wireless part is the high level of security risk involved, and an intelligent cryptographic protocol must be used. If there is no identification and authentication procedure, all the information that is transmitted wirelessly can easily be hijacked by any unknown party.

Applicable Protocols
Generally there are two basic wireless encryption protocols which are widely used. These are WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). WEP is a security protocol designed for the IEEE 802.11 wireless standard. It was designed to provide data security comparable to a traditional wired network. WEP is based on the RC4 (Rivest Code 4) stream cipher algorithm (Wong L C, 2004). WPA is another wireless encryption protocol, designed and introduced by the Wi-Fi Alliance. WPA is basically based on 802.11i, which is the next 802.11 wireless security protocol standard. WPA has two operational modes: Enterprise mode and PSK (Pre-Shared Key) mode (Wang Y, et al, 2010). WPA (Wi-Fi Protected Access) has been chosen as the most suitable protocol to be used in this part of the network.

Comparison between WEP and WPA
Initially, WEP (Wired Equivalent Privacy) was the only link-level security option defined in the 802.11 standard. Its main purpose was the protection of the confidentiality and integrity of wireless network traffic. WEP was designed to provide confidentiality comparable to a traditional wired network (Wong L C, 2004, p.06). WEP uses encryption to meet the security requirements for the protection of data. WEP employs the RC4 (Rivest Code 4) stream cipher with a 64 or 128 bit key to provide data packet encryption. Every member of a WEP-protected wireless network, i.e. every wireless client, must share the same secret key with the Access Point (AP) (Jason S, 2001). As stated earlier, WEP uses a 64 or 128 bit key to encrypt the data, but in fact the actual key is smaller, because part of the WEP key is transmitted in clear text along with the data packet. The WEP key used to encrypt the data packet is a concatenation of two values: the first is a dynamic value called the Initialization Vector (IV), and the second is the static part of the key, known as the shared secret key. The Initialization Vector (IV) is a dynamic 24-bit value which gives more than 16 million possible keys (Wong L C, 2004).

Some Weaknesses in WEP
When WEP was designed, it was considered satisfactorily secure, until weaknesses were found in its mechanism. By now a number of tools have been developed for successfully cracking the WEP shared secret key. Below are some weaknesses of WEP (Samadi B, et al, 2009, p.02):

- WEP does not prevent forgery of packets.
- Key management is lacking and updating is poor.
- Problems in the RC4 algorithm.
- Easy forging of authentication messages.

WEP accepts as legitimate any replayed packet that an attacker has simply recorded, which means it does not prevent replay attacks. WEP uses RC4, which has already been cracked, and the keys used are very short and can be brute-forced by any computer within a few hours using free software. Since WEP reuses initialization vectors (IVs), data can be decrypted without the encryption key by using different cryptographic methods. Any message can be undetectably modified by a hacker without even knowing the encryption key (Hodges K, 2001).

WPA
The purpose of introducing the WPA (Wi-Fi Protected Access) protocol was to overcome the loopholes in WEP's encryption technique; this can be achieved without any hardware upgrade. WPA consists of three main components: TKIP (Temporal Key Integrity Protocol), 802.1x, and MIC (Message Integrity Protocol). WPA can be operated in two different modes (Wong L C, 2004).

1. Personal WPA or WPA-PSK (Pre-Shared Key): this mode of WPA is designed for small offices and home users. This variant of WPA does not use any authentication server. The cryptographic key for encrypting data can go up to 256 bits. This key can be any alphanumeric string and is used only to negotiate the initial session with the access point (AP), because both the client and the AP already possess this key. The best thing about WPA is that the key is never transmitted over the air; it also provides mutual authentication.
2. Enterprise or Commercial WPA: here the authentication is done by an authentication server. This creates outstanding control and security for the traffic in the wireless network. This WPA variant uses 802.1X and EAP (Extensible Authentication Protocol) for authentication, and it replaces WEP with the more advanced TKIP encryption. A pre-shared key is not used here, but a RADIUS server is needed (Samadi B, et al, 2009).

If we compare WPA and WEP, there are a few developments in the encryption algorithm of WPA which were not in WEP (Samadi B, et al, 2009):

1. A message integrity code, or MIC, also known as Michael, is one of the components used in WPA to defeat forgeries.
2. To rule out replay attacks, a new Initialization Vector (IV) sequencing order is used.
3. In order to de-correlate the public IVs from weak keys, a per-packet key mixing function is embedded.
4. A rekeying mechanism provides fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse (Samadi B, et al, 2009, p.03).

WPA2
Earlier it was mentioned that WPA is a subdivision of the 802.11i security standard. 802.11i is also known as WPA2; it includes all WPA capabilities and features and provides more security than WPA. The core difference between WPA2 and WPA is that WPA2 incorporates the state-of-the-art encryption algorithm AES (Advanced Encryption Standard) to encrypt the data packets. The AES algorithm was introduced after DES (Data Encryption Standard) was cracked in a competition organized by RSA Security; after that, AES was used by U.S. government agencies as an official encryption standard. The only shortcoming of AES or WPA2 is that if a wireless network wants to use the 802.11i standard with its full capabilities, it may require hardware replacement or a device upgrade (Wong L C, 2004).
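
The IV reuse and undetected-modification weaknesses listed under Some Weaknesses in WEP can be reproduced on constructed data. The Python below is an added example, not part of the original assignment; it assumes the standard WEP construction (RC4 keyed with IV || shared secret, CRC-32 as the integrity check value), and the secret, IV and payloads are made up.

```python
import math
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_seal(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Per-packet RC4 key is IV || shared secret; the 3-byte IV travels in clear."""
    return iv + rc4(iv + secret, payload + icv(payload))


def wep_open(secret: bytes, frame: bytes) -> bytes:
    """Receiver side: decrypt, then accept the frame only if the ICV matches."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + secret, body)
    if icv(clear[:-4]) != clear[-4:]:
        raise ValueError("ICV mismatch")
    return clear[:-4]


def read_with_reused_iv(known_frame: bytes, known_payload: bytes,
                        other_frame: bytes) -> bytes:
    """Same IV means same keystream: one known payload exposes the other frame."""
    keystream = xor(known_frame[3:], known_payload + icv(known_payload))
    return xor(other_frame[3:], keystream)[:-4]


def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine, crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros), so the
    encrypted ICV can be corrected for a payload change without the secret."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def iv_collision_probability(frames: int) -> float:
    """Birthday approximation: chance that a 24-bit IV repeats among random IVs."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2**24))


# Constructed sample data (assumptions for illustration, not from the page).
SECRET = bytes.fromhex("0102030405")   # 40-bit shared secret of "64-bit" WEP
IV = bytes.fromhex("a1b2c3")           # 24-bit IV, reused for both frames
PAYLOAD_A = b"LINE 1 SPEED 0100"
PAYLOAD_B = b"LINE 2 SPEED 0900"
FRAME_A = wep_seal(IV, SECRET, PAYLOAD_A)
FRAME_B = wep_seal(IV, SECRET, PAYLOAD_B)

if __name__ == "__main__":
    # Confidentiality fails: frame B is read using only frame A's known payload.
    print(read_with_reused_iv(FRAME_A, PAYLOAD_A, FRAME_B))
    # Integrity fails: the receiver accepts a frame altered without the secret.
    delta = xor(PAYLOAD_A, b"LINE 1 SPEED 9100")
    print(wep_open(SECRET, modify_without_key(FRAME_A, delta)))
    # A 24-bit IV space is small: repeats become likely after a few thousand frames.
    print(round(iv_collision_probability(5000), 2))
```

These are the gaps that WPA's Michael MIC, IV sequencing and per-packet key mixing, described above, were introduced to close.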

Conclusion
Above we discussed three encryption protocols which can be used in the wireless segment of the network. Out of these three protocols, WPA2 looks the best choice for the network because of its advanced encryption algorithm. But since it requires a hardware upgrade, it leaves us with the choice of WPA, as WPA is stronger and more reliable than WEP.
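
For the WPA-PSK mode chosen here, the statement that the pre-shared key is never sent over the air can be made concrete. The Python below is an added example, not part of the original assignment; it follows the 802.11i definitions (PBKDF2-HMAC-SHA1 for the 256-bit key, the "Pairwise key expansion" PRF for session keys), while the MAC addresses, nonces and handshake message are constructed and the MIC is computed over that stand-in message rather than a real EAPOL-Key frame.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: 256-bit pairwise master key, PBKDF2-HMAC-SHA1 salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
        anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: per-session keys from the PMK, both MACs and both nonces."""
    seed = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for counter in range(4):  # 4 x 20-byte HMAC-SHA1 outputs, truncated to 64 bytes
        block = b"Pairwise key expansion\x00" + seed + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
    return out[:64]


def handshake_mic(session_keys: bytes, message: bytes) -> bytes:
    """Proof of key possession: HMAC-MD5 keyed with the first 16 PTK bytes,
    the key confirmation key, as WPA with TKIP does."""
    return hmac.new(session_keys[:16], message, hashlib.md5).digest()


# Constructed values (assumptions for illustration only).
SSID = "IEEE"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))            # access point's random nonce
SNONCE = bytes(range(32, 64))        # station's random nonce
MESSAGE = b"constructed stand-in for handshake message 2"


def station_is_authenticated(ap_passphrase: str, sta_passphrase: str) -> bool:
    """Each side derives the keys locally; only nonces and the MIC are exchanged."""
    ap_keys = ptk(pmk_from_passphrase(ap_passphrase, SSID),
                  AP_MAC, STA_MAC, ANONCE, SNONCE)
    sta_keys = ptk(pmk_from_passphrase(sta_passphrase, SSID),
                   AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(handshake_mic(ap_keys, MESSAGE),
                               handshake_mic(sta_keys, MESSAGE))


if __name__ == "__main__":
    print(pmk_from_passphrase("password", SSID).hex())
    print(station_is_authenticated("password", "password"))
    print(station_is_authenticated("password", "passw0rd"))
```

Because the SSID is the salt and the nonces change per session, the same passphrase yields different master keys on different networks and different session keys on every association.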

References

Wong L C (2004) 'An Overview of 802.11 Wireless Network Security Standards & Mechanisms: SANS Institute InfoSec Reading Room', pp.02-14. SANS Institute [Online] Available at: http://www.sans.org/reading_room/whitepapers/wireless/overview-80211wireless-network-security-standards-mechanisms_1530 (Accessed: 15 April 2011).

Peeters E (2004) 'Wireless security beyond WEP and WPA: SANS Institute InfoSec Reading Room', pp.02-14. SANS Institute [Online] Available at: http://www.sans.org/reading_room/whitepapers/wireless/wireless-security-wepwpa_1425 (Accessed: 15 April 2011).

Hodges K (2001) 'Is your Wireless Network Secure: SANS Institute InfoSec Reading Room', pp.02-10. SANS Institute [Online] Available at: http://www.sans.org/reading_room/whitepapers/wireless/wireless-network-secure_149 (Accessed: 15 April 2011).

Lee H K, Malkin T and Nahum E (2007) 'Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices: 7th ACM SIGCOMM conference on Internet measurement', pp.83-92. ACM Association for Computing Machinery [Online] Available at: http://conferences.sigcomm.org/imc/2007/papers/imc130.pdf (Accessed: 27 April 2011).

Microsoft, (2011) How IPSec Works. Available at: http://technet.microsoft.com/enus/library/cc759130(WS.10).aspx (Accessed: 29 April 2011).

Wiess J (2002) 'Wireless Networks: Security Problems and Solutions: SANS Institute InfoSec Reading Room', pp.02-11. SANS Institute [Online] Available at: http://www.sans.org/reading_room/whitepapers/wireless/wireless-networks-securityproblems-solutions_172 (Accessed: 29 April 2011).

Alfred, J, Paul C V O and Scott A V, (1996) Handbook of applied cryptography [Online] Available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.99.2838&rep=rep1&type=pdf (Accessed: 23 April 2011).

RSA Data Security, (1999) Security Protocols Overview. Available at: http://www.comms.engg.susx.ac.uk/fft/crypto/security_protocols.pdf (Accessed: 03 May 2011).

Wang Y, Jin Z, Zhao X, (2010) 'Practical Defence against WEP and WPA-PSK Attack for WLAN: Wireless Communications Networking and Mobile Computing (WiCOM), 2010 6th International Conference on', pp.01-04. IEEE [Online] Available at: http://ieeexplore.ieee.org/search/freesearchresult.jsp?reload=true&newsearch=true&queryText=Practical+Defence+against+WEP+and+WPAPSK&x=0&y=0 (Accessed: 8 May 2011).

Peter D H, (2011) The PBX Attendant Console. Available at: http://www.answerstat.com/suppliers/attendant-console.html (Accessed: 22 April 2011).

Samadi B, Lashkari A H and Danesh M M S, (2009) 'A Survey on Wireless Security protocols (WEP, WPA and WPA2/802.11i): 2nd IEEE International Conference on Computer Science and Information Technology, ICCSIT 2009', pp.48-52. IEEE [Online] Available at: http://www.ivanescobar.com/survey%20wifi.pdf (Accessed: 2 May 2011).

Oscar P, Guerrero F.G and Argote D R, (2008) 'Basic Security Measures for IEEE 802.11 Wireless Networks: Ingeniería e Investigación' (VOL.28, No.2), pp.89-96. [Online] Available at: http://www.scielo.org.co/pdf/iei/v28n2/v28n2a12.pdf (Accessed: 5 May 2011).

Herzberg A, (2004) Transport Layer Security: TLS and SSL. Available at: http://u.cs.biu.ac.il/~herzbea/foils/SSL%20and%20TLS.pdf (Accessed: 28 April 2011).

Jason S, (2001) 'An IEEE 802.11 Wireless LAN Security White Paper: US Department of Energy', (UCRL-ID-147478), pp.03-10. [Online] Available at: http://www.freewebs.com/bflowifi/pdfs/ucrl-id-147478.pdf (Accessed: 4 May 2011).

Davis T, (2003) RSA Encryption. [Online] Available at: http://www.geometer.org/mathcircles/RSA.pdf (Accessed: 22 April 2011).

Wright D. J. (1999) What is Cryptology. Available at: http://www.math.okstate.edu/~wrightd/crypt/crypt-intro/node2.html (Accessed: 18 April 2011).

Wi-Fi Alliance, (2003) Wi-Fi Protected Access: Strong, standards-based, interoperable security for today's Wi-Fi networks [Online] Available at: http://www.ansvb.com/Docs/Whitepaper_Wi-Fi_Security4-29-03.pdf (Accessed: 10 May 2011).
