Network Security

Network security is important to protect data during transmission from threats. It involves using cryptography techniques like public key cryptography (e.g. RSA) and secret key cryptography (e.g. DES, 3DES, AES). Security is easier in wired networks than wireless due to the physical medium, but firewalls can provide security in both. Cryptography encrypts data using algorithms and keys. Modern ciphers like AES are preferred over older standards like DES due to larger key sizes and more rounds. AES uses a fixed block size and substitutions, shifts, mixing, and round keys to encrypt data securely.

Copyright: © Attribution Non-Commercial (BY-NC)
By: Aziz Ur Rehman

What is Security?
- Protection of a network from different types of security threats is known as network security.
- Network security measures are needed to protect data during transmission and to guarantee that the data transmissions are authentic.
Why is Network Security Important?
- Computer systems store large amounts of information, some of which is highly sensitive and valuable to its users.
- The various resources and information of a computer system should be protected against destruction and unauthorized access.
- Security requirements differ for different users and different environments.
- Important and secret data is transmitted over the network.
Security in Wired Networks
- Security in a wired network is much easier than in a wireless network.
- In a wired network there is a physical medium between the two connecting devices, so it is difficult for hackers to gain access to the network.
Topics in Wired Security
- Cryptography
  - Public Key Cryptography
    - RSA
  - Secret Key Cryptography
    - DES
    - 3DES
    - AES
- Firewall
Cryptography
- Is the science of secret writing.
- Different types of algorithms and keys are used to encrypt data at the sender's end.
- At the receiver's end it is decrypted again with the related key or algorithm.
Types of Cryptography
Secret Key Cryptography (Symmetric Key)
- In secret key cryptography, the sender encrypts the data (producing cipher text) before sending it over the network.
- It is decrypted at the receiver's end with the key that is shared between sender and receiver.
Types of Secret Key Cryptography
Traditional Ciphers
- These are character oriented, and have two categories:
Substitution Ciphers
- In a substitution cipher we replace one character with another; for example we can replace A with F and 1 with 6. The relationship between plain text and cipher text may be:
  - One-to-one (monoalphabetic)
  - One-to-many (polyalphabetic)
- The shift cipher is also a type of substitution cipher, in which a shift-up and shift-down procedure is used.
Cont…
Transposition Ciphers
- In a transposition cipher the substitution process is not used; instead we reorder the characters in a block of symbols. First we divide the characters into blocks, then define a key, and after this we reorder the characters according to the defined key.
Simple Modern Ciphers
- These are bit-oriented ciphers. The following are some of the ciphers used in modern ciphers:
XOR Cipher
- Uses the exclusive-OR operation.
- The plain text is XORed with the key, and both should be of the same length.
Cont…
Rotation Cipher
- Uses the idea of rotating bits in the left or right direction.
- It can be keyed or keyless.
  - In keyed, we define the number of rotations.
  - In keyless, the number of rotations is fixed.
- If there are N notations then we always perform N-1 rotations; decryption is the same as encryption but in the opposite direction (if encrypted with a right rotation, decrypt with a left rotation).
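The shift, transposition, XOR and rotation ciphers described in the two sections above, as an added example that is not part of the original slides. The padding character, the block-position form of the transposition key and the 8-bit width of the rotation are assumptions made for this example.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_cipher(text: str, shift: int) -> str:
    """Monoalphabetic substitution: shift every letter up by `shift` places;
    a negative shift (shift down) decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def transposition_encrypt(text: str, key: list) -> str:
    """Block transposition: split the text into blocks the size of the key and
    reorder each block so that output position i holds input position key[i]."""
    n = len(key)
    text += "X" * (-len(text) % n)  # pad the last block (padding rule assumed here)
    blocks = [text[i:i + n] for i in range(0, len(text), n)]
    return "".join("".join(block[k] for k in key) for block in blocks)


def transposition_decrypt(cipher: str, key: list) -> str:
    """Undo the reordering with the inverse of the key."""
    n = len(key)
    inverse = [0] * n
    for i, k in enumerate(key):
        inverse[k] = i  # cipher position i holds plain position k
    blocks = [cipher[i:i + n] for i in range(0, len(cipher), n)]
    return "".join("".join(block[inverse[j]] for j in range(n)) for block in blocks)


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Bit-oriented XOR cipher: the key must be the same length as the data.
    Applying it twice with the same key restores the data."""
    if len(key) != len(data):
        raise ValueError("XOR cipher needs a key of the same length as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def rotate_bits(value: int, width: int, count: int, left: bool = True) -> int:
    """Keyed rotation cipher on a `width`-bit value; `count` is the key.
    Decryption is the same operation in the opposite direction."""
    count %= width
    mask = (1 << width) - 1
    if not left:
        count = width - count
    return ((value << count) | (value >> (width - count))) & mask
```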
S-Box (Substitution Box)
P-Box (Permutation Box)
Modern Round Ciphers (DES)
- It uses multiple rounds or blocks, and each round has a different round key or block key.
Types of Modern Round Ciphers
Data Encryption Standard (DES)
- Takes a fixed-length (64-bit) string of plaintext and transforms it into cipher text by applying a series of complicated operations (64-bit keys).
- The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The other 8 bits are used for checking parity.
- There are 16 identical rounds or stages, including IP (Initial Permutation) and FP (Final Permutation).
- The 64-bit plain text is divided into two blocks of 32 bits, and each block is processed alternately.
DES (Cont…)
- The F-function scrambles one block with some of the key. The output from the F-function is then combined with the other block, and then the blocks are swapped before the next round. After the final round, the blocks are not swapped.
- Operations of the F-function (Feistel):
  - Expansion: receives one block of 32 bits and expands it to 48 bits using the expansion permutation.
  - Key Mixing: XORs the received 48-bit block with a 48-bit key; each round uses a different key.
  - Substitution Box: the received 48 bits of data are divided into 8 blocks of 6 bits, and each S-Box converts its 6 input bits into 4 output bits, bringing the total number of bits to 32.
  - Permutation: rearranges the received 32 bits into another form of 32 bits.
DES (Cont…)
[Figure: complete DES diagram and the Feistel function]
DES (Cont…)
- Key Scheduling: 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1); the remaining eight bits are either discarded or used as a parity check.
- The 56 bits are then divided into two blocks of 28 bits.
- Each block is treated separately.
- In successive rounds, both blocks are rotated left by one or two bits (specified for each round), and then a 48-bit subkey is selected by Permuted Choice 2 (PC-2), taking 24 bits from the left block and 24 from the right.
3DES (Triple Data Encryption Standard)
Triple Data Encryption Standard (3DES)
- Designed to overcome the problems in simple DES.
- It uses a three times greater key for encryption and decryption.
- In 3DES we have the choice of 1 key, 2 keys or 3 keys, meaning three keying options can be used:
  - 1 key is just like DES, which is why it is not recommended.
  - With 2 keys, key1 = key3 (Key1 and Key3 are the same), and the key size will be 112 bits.
  - With 3 keys all keys are different from each other, and the key size is 168 bits.
- There will be 48 rounds for encryption and 48 for decryption.
- For example, if the encryption block uses a Decryption-Encryption-Decryption combination, then at the receiver's end the decryption block will use a Decryption-Encryption-Decryption combination to get the actual data back.
AES (Advanced Encryption Standard)
Advanced Encryption Standard (AES)
- AES was developed to overcome the problems present in the existing systems, e.g. the short security key length in DES and 3DES.
- It uses three different key sizes:
  - 128 bits: 10 rounds
  - 192 bits: 12 rounds
  - 256 bits: 14 rounds
AES (Cont…)
- A fixed-length data block of 128 bits, called the State.
- It is based on the design principle of a Substitution Permutation Network.
- The AES encryption and decryption process has several steps:
  - Convert to State Array
    - Convert the 16-byte data block to a 4x4-byte state array.
  - SubBytes
    - Each byte in the state array is replaced with another byte from a lookup table (16x16) which has all permutation values of 16 bytes.
  - ShiftRows
    - The first row is left unchanged and the last three rows are shifted cyclically.
AES (Cont…)
    - Each byte of the second row is shifted one position to the left.
    - The third and fourth rows are shifted by two and three positions respectively.
  - MixColumns
    - The four bytes of each column of the state are combined using an invertible linear transformation.
    - This function takes four bytes as input and outputs four bytes.
  - AddRoundKey
    - The subkey is combined with the state.
    - For each round, a subkey is derived from the main key using Rijndael's key schedule, and each subkey is the same size as the state.
    - The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.
Convert to State Array
Input block bytes 0 to 15 are written into the State column by column:

0 4  8 12      S0,0 S0,1 S0,2 S0,3
1 5  9 13  =   S1,0 S1,1 S1,2 S1,3
2 6 10 14      S2,0 S2,1 S2,2 S2,3
3 7 11 15      S3,0 S3,1 S3,2 S3,3
AddRoundKey
XOR each byte of the round key with its corresponding byte in the state array:

S0,0 S0,1 S0,2 S0,3       R0,0 R0,1 R0,2 R0,3       S’0,0 S’0,1 S’0,2 S’0,3
S1,0 S1,1 S1,2 S1,3  XOR  R1,0 R1,1 R1,2 R1,3   =   S’1,0 S’1,1 S’1,2 S’1,3
S2,0 S2,1 S2,2 S2,3       R2,0 R2,1 R2,2 R2,3       S’2,0 S’2,1 S’2,2 S’2,3
S3,0 S3,1 S3,2 S3,3       R3,0 R3,1 R3,2 R3,3       S’3,0 S’3,1 S’3,2 S’3,3

For example, S’0,1 = S0,1 ⊕ R0,1.
SubBytes
Replace each byte in the state array with its corresponding value from the S-Box. Example State (byte values in hex) before the substitution:

00 44 88 CC
11 55 99 DD
22 66 AA EE
33 77 BB FF
ShiftRows
The last three rows are cyclically shifted:

S0,0 S0,1 S0,2 S0,3      S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3  →   S1,1 S1,2 S1,3 S1,0
S2,0 S2,1 S2,2 S2,3      S2,2 S2,3 S2,0 S2,1
S3,0 S3,1 S3,2 S3,3      S3,3 S3,0 S3,1 S3,2
MixColumns
Apply the MixColumn transformation to each column c of the State:

S’0,c = ({02} • S0,c) ⊕ ({03} • S1,c) ⊕ S2,c ⊕ S3,c
S’1,c = S0,c ⊕ ({02} • S1,c) ⊕ ({03} • S2,c) ⊕ S3,c
S’2,c = S0,c ⊕ S1,c ⊕ ({02} • S2,c) ⊕ ({03} • S3,c)
S’3,c = ({03} • S0,c) ⊕ S1,c ⊕ S2,c ⊕ ({02} • S3,c)

MixColumns() maps the column S0,c … S3,c to S’0,c … S’3,c, one column at a time.
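An added example (not code from the slides) implementing the four AES round transformations on the State exactly as the diagrams and equations above describe them: column-major State layout, SubBytes, ShiftRows, MixColumns and AddRoundKey. The S-Box is derived from its definition (GF(2^8) inverse plus affine transform) rather than copied as a table, and the function names are this example's own.

```python
def to_state(block: bytes):
    """Byte i of the 16-byte input block goes to row i % 4, column i // 4."""
    assert len(block) == 16
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def xtime(b: int) -> int:
    """Multiply by {02} in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by repeated xtime (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result

def build_sbox():
    """Derive the 256-entry S-Box from its definition instead of typing the table:
    multiplicative inverse in GF(2^8), then the fixed affine transform (0x00 -> 0x63)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for _ in range(4):  # affine step: XOR in inv rotated left by 1..4 bits
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()

def sub_bytes(state):
    """Replace every byte of the State with its S-Box value."""
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    """Row r is cyclically shifted r positions to the left; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state):
    """The slides' four equations, applied to each column independently."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        s0, s1, s2, s3 = (state[r][c] for r in range(4))
        out[0][c] = gmul(s0, 2) ^ gmul(s1, 3) ^ s2 ^ s3
        out[1][c] = s0 ^ gmul(s1, 2) ^ gmul(s2, 3) ^ s3
        out[2][c] = s0 ^ s1 ^ gmul(s2, 2) ^ gmul(s3, 3)
        out[3][c] = gmul(s0, 3) ^ s1 ^ s2 ^ gmul(s3, 2)
    return out

def add_round_key(state, round_key):
    """S'r,c = Sr,c XOR Rr,c; the round key has the same 4x4 shape as the State."""
    return [[s ^ k for s, k in zip(sr, kr)] for sr, kr in zip(state, round_key)]
```

The MixColumns test column db 13 53 45 maps to 8e 4d a1 bc, the value given in the AES specification's own example.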
Public Key Cryptography
- Asymmetric Key: In public key cryptography, two keys are used, one for encryption and one for decryption.
- If the sender encrypts the message with its private key, then the receiver should decrypt the message with the sender's public key, and vice versa.
RSA (Rivest Shamir Adleman)
- The letters RSA are the initials of the surnames of its inventors, Ron Rivest, Adi Shamir and Leonard Adleman.
- The RSA algorithm operates in three steps:
Key Generation
- Generate two large random (and distinct) primes p and q, each roughly the same size.
- Compute n = pq
- Compute φ = (p − 1)(q − 1)
- Select a random integer e, 1 < e < φ, with gcd(e, φ) = 1
RSA (Cont…)
- Compute the unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ)
- “A”’s public key is (n, e)
- “A”’s private key is d
- The integer e in RSA key generation is called the encryption exponent
- d is called the decryption exponent
- n is called the modulus
Encryption
- “B” should obtain “A”’s authentic public key (n, e)
- Compute c = m^e mod n
- Send the ciphertext c to “A”
RSA (Cont…)
Decryption
- To recover the plaintext m from c, “A” uses the private key d
- Compute m = c^d mod n
Firewall
- Is a set of programs residing on a hardware device or in a software tool that is placed between two networks.
- All data and traffic will pass through it.
- For better security it should be properly configured.
[Figure: the Internet on one side of the firewall and the user on the other. Unauthorized packets aren't allowed in; safe packets are allowed through; packets containing confidential data aren't allowed out.]
Firewall (Cont…)
[Figure: Firewall in a Simple Network. The Internet connects through the firewall to the Web, FTP/TFTP, Telnet, NNTP, Terminal, Citrix and DNS servers and to the clients.]
Types of Firewall
Packet Filtering Firewall
- It checks the source and destination addresses of the incoming data packet.
- Based on the gathered information it will either block the packet or pass it to its destination network.
- The firewall can deny access to specific applications or services based on access control lists (ACLs), port numbers or service numbers.
- The packet filtering firewall uses the information of the source and destination addresses of the incoming packet, the communication protocol and the port number.
- A packet filtering router sits between the private trusted network and the untrusted network.
Types of Firewall (Cont…)
Application Level Firewall
- Commonly implemented as a proxy server.
- The firewall transfers a copy of each authorized data packet from one network to another.
- This controls which services are allowed to be used by the workstation.
- Helps to protect the network from outsiders who may try to get information about the network.
Stateful Inspection Firewall
- Data packets are captured by an inspection engine operating at the faster network layer.
Types of Firewall (Cont…)
- These packets are then queued and analyzed at higher OSI layers.
- It maintains records of all connections passing through the firewall.
- Due to this it can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet.
- This type of firewall is commonly faster than an application level firewall.
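An added example (not from the slides) contrasting the packet filtering and stateful inspection firewalls described above: the stateless filter is a first-match ACL lookup on addresses, protocol and port, while the stateful one keeps a connection table and classifies each packet as the start of a new connection, part of an existing one, or invalid. The ACL, the addresses and the use of the TCP SYN flag as the connection-start marker are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag marks the start of a connection (assumed here)

@dataclass
class Rule:
    action: str  # "allow" or "deny"
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.dst in ("*", p.dst) and self.proto in ("*", p.proto)
                and self.dport in (None, p.dport))

def packet_filter(acl, p: Packet) -> str:
    """Packet filtering: the first ACL entry matching the packet's addresses,
    protocol and port decides; anything unmatched is denied."""
    return next((r.action for r in acl if r.matches(p)), "deny")

class StatefulFirewall:
    """Stateful inspection: a connection table records allowed connections, so each
    packet is the start of a new connection, part of an existing one, or invalid."""
    def __init__(self, acl):
        self.acl = acl
        self.connections = set()

    def classify(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)  # reply direction
        if key in self.connections or reverse in self.connections:
            return "existing"
        return "new" if p.syn else "invalid"

    def decide(self, p: Packet) -> str:
        state = self.classify(p)
        if state == "existing":
            return "allow"
        if state == "invalid":  # no SYN and no known connection
            return "deny"
        action = packet_filter(self.acl, p)  # new connections go through the ACL
        if action == "allow":
            self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

# Constructed ACL: only TCP to the web server on port 80 may be opened from outside.
ACL = [Rule("allow", dst="10.0.0.5", proto="tcp", dport=80)]
```

The stateless filter has no way to admit the web server's reply (destination port 40000 is in no rule), which is exactly the case the connection table solves.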
Security in Wireless Networks
- Security in a wireless network is more difficult than in a wired one.
- As wireless communication occurs over the air, it is easy for hackers to gain access to a wireless network.
- Once someone gains access to the wireless network, they will also gain access to the main wired network.
- Many procedures and techniques exist to make a network secure, but only some of them will be discussed here.
Topics in Wireless Security
- WEP (Wired Equivalent Privacy)
- WPA (Wi-Fi Protected Access)
- SSID
- MAC Address Filtering
WEP (Wired Equivalent Privacy)
- WEP is a protocol in 802.11, introduced in 1999, to protect the link data transmitted in a WLAN.
- WEP depends on the key shared by the communicating parties (Access Point and Client) to protect the transmitted data.
- It is a static encryption algorithm with 64-bit, 128-bit or 256-bit keys.
- The WEP key consists of a Shared Key and an IV (Initialization Vector).
- The IV is 24 bits.
WEP (Cont…)
- The Shared Key can be 40 bits, 104 bits or 232 bits depending upon the version we are using.
- The encrypted packet is generated by a bitwise XOR of the original packet and the RC4 stream.
- The IV is chosen by the sender and can be changed periodically, so that not every packet is encrypted with the same cipher stream.
- The IV is sent with each packet, along with an additional 4-bit integrity check value (ICV).
WEP (Cont…)
- The ICV is computed on the original packet and appended to the end.
Steps for Encryption and Decryption
WEP Encryption Process
- Compute the Integrity Check Value using CRC32 over the message and concatenate it to the message.
- Choose a random IV and concatenate the Shared Key to this IV.
- Use the IV and Secret Key to generate the key stream with the WEP Pseudo Random Number Generator (PRNG).
WEP (Cont…)
WEP Decryption Process
- Use the transmitted IV and Secret Key to generate the key sequence (RC4).
- XOR the RC4 key sequence with the cipher text to recover the plain text and ICV.
- Check whether the ICV is correct or not.
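An added example (not from the slides) of the WEP encryption and decryption steps above: a plain RC4 implementation as the PRNG seeded with IV || Shared Key, a CRC32 ICV appended to the message, and the 24-bit IV sent in clear in front of the frame. The 5-byte (40-bit) shared key, the IV and the frame body are constructed values for this example.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by output generation (PRGA): the WEP PRNG."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, message: bytes) -> bytes:
    """Frame = IV || (message || ICV) XOR RC4(IV || shared_key)."""
    assert len(iv) == 3  # the 24-bit IV from the slides
    icv = struct.pack("<I", zlib.crc32(message))  # CRC32 ICV appended to the message
    plain = message + icv
    stream = rc4_keystream(iv + shared_key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, stream))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Regenerate the key sequence from the transmitted IV, XOR it with the cipher
    text, then check the ICV. Returns (message, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    stream = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, stream))
    message, icv = plain[:-4], plain[-4:]
    return message, icv == struct.pack("<I", zlib.crc32(message))
```

Because the key stream depends only on IV || Shared Key, two frames sent under the same IV are masked by the same RC4 stream, which is why the slides say the IV has to change.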
WPA (Wi-Fi Protected Access)
- Is a protocol that was proposed by the Wi-Fi Alliance as a replacement for WEP.
- It will be part of the future 802.11i specification.
- When 802.11i is finally released, the security protocol specification will be called WPA2.
- WPA2 will be slightly different from the WPA currently in use.
- In WPA, a new key scheduling algorithm called TKIP is used.
- It is basically a wrapper around the algorithms currently used in WEP.
WPA (Cont…)
- The WPA2 specification will replace TKIP with a new CCMP protocol that uses the much stronger AES cipher.
- In WEP an ICV was used to protect the integrity of the payload or data in the wireless frame.
- This didn't prove the integrity of the frame header itself, so it couldn't protect against the frame itself being modified.
- WPA includes another integrity field called the Message Integrity Check or MIC.
WPA (Cont…)
- The MIC is similar to the ICV, but instead of using the CRC32 checksum algorithm it uses an algorithm called Michael.
- While the ICV is 4 bytes in size, the MIC is 8 bytes, placed just before the ICV in the encrypted payload.
- It also includes a frame counter to help protect against replay attacks.
- It uses RC4 to produce a stream of pseudo-random bits that is XORed with the data packet to encrypt the frame.
- It also increases the size of the IV from the current 24 bits to a much larger 48 bits, which reduces the occurrence of duplicate IVs.
WPA (Cont…)
- To solve the problem of a common shared secret key, the keys need to be different for each user.
- This is obtained from TKIP (each frame and each user has a different, unique key).
MAC Address Filtering
- Some 802.11 devices have the ability to restrict access to only those devices that have a specific identification value, such as a MAC address.
- Some access point devices also contain a table of MAC addresses, which can be modified from time to time.
- This table enables a device administrator to specify the exact remote devices that are authorized to make use of the wireless service.
- Client computers are identified by the unique MAC address of their IEEE 802.11 network card.
MAC Address Filtering (Cont…)
- Each access point must have a list of authorized client MAC addresses in its access control list.
- Client MAC addresses must be entered manually into each access point, and the MAC address list must be kept up to date.
- For these reasons this method is better suited for use in a smaller network.
SSID (Service Set ID)
- Wireless equipment manufacturers use a default SSID to identify the network to wireless clients.
- All access points often broadcast the SSID in order to provide clients with a list of accessible networks.
- To protect against unauthorized access to a network, these settings should be changed from their defaults.
- The default SSID should be changed to one that does not reveal any sort of information to hackers.
- SSID broadcast should also be disabled; by making these SSID settings we can make a network secure.