CH 5

The document discusses several networking protocols and concepts: - DNS allows translation between domain names and IP addresses. It uses UDP and TCP and has a hierarchical structure with root, top-level, and local domain name servers. - Remote login protocols like Telnet and SSH allow users to access systems remotely. SSH provides encryption for secure communication while Telnet is unencrypted. - FTP, SMTP, and HTTP are application layer protocols for file transfer, email, and web access respectively. FTP uses TCP ports 20 and 21, while SMTP uses TCP port 25 to transmit emails. - Network management involves configuration, fault, performance, security and accounting functions. SNMP is a common network management protocol that defines a framework

Uploaded by avantikabakshi
© All Rights Reserved

UNIT V

4/13/15

DNS
DNS can run over either UDP or TCP.
A DNS server handles the following information-processing functions:
- Finding the address of a particular host.
- Delegating a sub-tree of server names to another server.
- Denoting the start of the sub-tree that contains cache and configuration parameters, and giving the corresponding addresses.
- Naming a host that processes incoming mail for the designated target.
- Finding the host type and the operating system information.
- Finding an alias for the real name of a host.
- Mapping IP addresses to host names.

Domain Name Space
- An IP address can also be assigned a domain name.
- Unique domain names assigned to hosts must be selected from a name space and are generally organized in a hierarchical fashion.
- Domain names are defined in a tree-based structure with the root at the top.
- The tree has a maximum of 128 levels, starting at level 0 (the root).
- A node on the tree is identified by a label, a string of up to 63 characters, except for the root label, which is the empty string.
- A domain name is a sequence of labels separated by dots and is read from the node up to the root.

Domain Name Server
- The domain name space is divided into sub-domains, and each domain or sub-domain is assigned a domain name server.
- A domain name server has a database consisting of all the information for every node under that domain.
- Each server at any location in the hierarchy can partition part of its domain and delegate some responsibility to another server.
- The root server supervises the entire domain name space.
- Root servers are distributed around the world.

Figure: Hierarchy of DNS domain name servers

Name/Address Mapping
Each host that needs to map an address to a name, or vice versa, should send its request to the closest DNS server.
Mapping can be recursive or iterative.

Recursive mapping
- The client host sends the request to its local DNS server, which is responsible for finding the answer recursively.
- The requesting client host therefore obtains the answer through its local DNS server.
- Finally, the .com server sends the query to the local DNS server of the requested domain, which finds the answer.

Iterative approach
- In this case, if a server does not have the name to provide, it returns the query to the client host, which then tries the next server itself.
- In the figure, the host sends the query to its own local DNS server, then tries the root DNS server first and then the .com server.
- Finally it ends up at the local DNS server of the requested domain: dns.company2.com.

DNS Message Format
DNS communication is made possible through query and reply messages. Both message types have the same 12-byte header format:
- Identification: a client uses the identification field to match the reply with the query. This field may carry a different number each time a client transmits a query. The server copies this number into its reply.
- Flags: the flags field contains subfields that represent the type of the message, such as the type of answer requested or whether recursive or iterative mapping is requested.
- Number of questions: indicates how many queries are in the question portion of the message.
- Number of answers: shows how many answers are in the answer portion. For a query message, this field contains all zeros.
- Number of authoritative records: the number of authoritative records in the authority portion of a reply message. This field is filled with zeros in a query message.
- Number of additional records: the number of records in the additional information portion of a reply message; similarly filled with zeros in a query message.
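The six header fields above, packed and unpacked with Python's struct module, as an added example that is not part of the original slides. The flag bit positions follow the RFC 1035 header layout; the sample query and reply bytes are constructed here, not captured from a network. The last function is the client-side check the identification field exists for: a reply is accepted only if it is flagged as a reply and carries the same ID as the outstanding query, which is why a client should pick that ID unpredictably rather than count upwards.

```python
import struct
import secrets

# Bit masks for the 16-bit flags field (RFC 1035 header layout)
QR_MASK = 0x8000      # 0 = query, 1 = reply
OPCODE_MASK = 0x7800  # 4-bit opcode (0 = standard query)
AA_MASK = 0x0400      # authoritative answer
TC_MASK = 0x0200      # truncated (a client typically retries over TCP)
RD_MASK = 0x0100      # recursion desired: client asks for recursive mapping
RA_MASK = 0x0080      # recursion available: server offers recursive mapping
RCODE_MASK = 0x000F   # reply code (0 = no error, 3 = name error)

# Six big-endian 16-bit fields: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!6H")


def build_query_header(ident=None, recursion_desired=True, num_questions=1):
    """Pack the 12-byte header of a query; answer/authority/additional counts are zero."""
    if ident is None:
        ident = secrets.randbits(16)  # fresh, unpredictable ID per query
    flags = RD_MASK if recursion_desired else 0
    return HEADER.pack(ident, flags, num_questions, 0, 0, 0)


def parse_header(data):
    """Unpack the 12-byte header into a dict; raises if the message is too short."""
    if len(data) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": ident,
        "is_response": bool(flags & QR_MASK),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "authoritative": bool(flags & AA_MASK),
        "truncated": bool(flags & TC_MASK),
        "recursion_desired": bool(flags & RD_MASK),
        "recursion_available": bool(flags & RA_MASK),
        "rcode": flags & RCODE_MASK,
        "questions": qd,
        "answers": an,
        "authority_records": ns,
        "additional_records": ar,
    }


def reply_matches_query(query, reply):
    """Client-side check: accept a reply only if it is flagged as a reply and its ID equals the query's."""
    q, r = parse_header(query), parse_header(reply)
    return r["is_response"] and r["id"] == q["id"]


# Constructed sample messages (headers only, no question/answer sections)
SAMPLE_QUERY = build_query_header(ident=0x1234)
SAMPLE_REPLY = HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
```

A real message continues after these 12 bytes with the question section; the header alone already tells a resolver whether the server did recursive work (RA set) and whether the reply belongs to it (ID match).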


Remote Login Protocols
- A client/server model can create a mechanism that allows a user to establish a session on a remote machine and then run its applications. This application is known as remote login.
- This can be done by a client/server application program for the desired service.
- Two remote login protocols are TELNET and SSH.

TELNET (terminal network)
- TELNET is a TCP/IP standard for establishing a connection to a remote system.
- TELNET allows a user to log in to a remote machine across the Internet by first making a TCP connection and then passing the details of the application from the user to the remote machine.
- The remote login operation is based on timesharing, whereby an authorized user has a login name and a password.

Local Log-in
- Log-in is performed with a username and a password.
- Keystrokes are accepted at the terminal driver and passed to the operating system.
- The operating system interprets the keystrokes and performs an action.

Remote Log-in
- The terminal driver accepts keystrokes and passes them to the TELNET client.
- The client transforms the characters into network virtual terminal (NVT) characters and delivers them to the TCP/IP protocol stack.
- They are passed over the network to the server's TCP/IP stack and then to the TELNET server, which deciphers the NVT characters.
- The decoded characters are passed to a pseudoterminal driver because the operating system is only designed to receive characters from a terminal driver.

NVT
- Uses two sets of characters, one for data and the other for control.
- Data characters are represented with the same 7 lowest-order bits as ASCII, and the highest-order bit is 0.
- Control characters have the highest-order bit set to 1.

Secure Shell (SSH) Protocol
- Secure Shell (SSH), another remote login protocol, is based on UNIX programs.
- SSH uses TCP for communications but is more powerful and flexible than TELNET.

Advantages over TELNET
- SSH provides secure communication by encrypting and authenticating messages.
- SSH provides several additional data transfers over the same connection by multiplexing multiple channels that are used for remote login.

How Secure Shell Works?
- When SSHD is started, it starts listening on port 22 for a socket.
- When a socket gets connected, the secure shell daemon spawns a child process, which in turn generates a host key, e.g. RSA.
- After the key is generated, the secure shell daemon is ready for the local client to connect to another secure shell daemon, or waits for a connection from a remote host.

The SSH packet fields:
- Length indicates the size of the packet, not including the length field or the variable-length random padding field that follows it.
- Padding causes an intrusion to be more difficult.
- Type identifies the type of message.
- CRC, or cyclic redundancy check, is an error-detection

FTP
- FTP: File Transfer Protocol. Commonly used over the Internet.
- Numerous FTP servers around the world allow people anywhere on the Internet to log in and download whatever files they have placed on the FTP server, or upload other files.
- Uses two TCP ports (20 for the data channel and 21 for the control channel); this is active mode. In passive FTP mode, it uses 21 for the control channel and an ephemeral port for the data channel.
- Not a secure protocol.

SMTP
- SMTP is a simple ASCII protocol.
- After establishing the TCP connection to port 25, the sending machine, operating as the client, waits for the receiving machine, operating as the server, to talk first.
- The server starts by sending a line of text giving its identity and telling whether or not it is prepared to receive mail.
- If it is not, the client releases the connection and tries again later.
- If the server is willing to accept email, the client announces whom the email is coming from and whom it is going to.
- If such a recipient exists at the destination, the server gives the client the go-ahead to send the message. Then the client sends the message, and the server acknowledges it.
- No checksums are needed because TCP provides a reliable byte stream.
- If there is more e-mail, it is now sent. When all e-mail has been exchanged in both directions, the connection is released.
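The exchange described above, played through in memory with both sides' lines, as an added example that is not part of the original slides. ToySmtpServer is a constructed responder covering only the steps the slides list (greeting, sender, recipient check, go-ahead, message, acknowledgement, release); it is not an RFC 5321 implementation, and the hostnames and mailboxes are made up. It shows the two branches the text mentions: a server that is not prepared to receive mail, and a recipient that does not exist.

```python
class ToySmtpServer:
    """Minimal SMTP responder (constructed for illustration, not a full SMTP server)."""

    def __init__(self, hostname, mailboxes, accepting=True):
        self.hostname = hostname
        self.mailboxes = set(mailboxes)
        self.accepting = accepting
        self.delivered = []          # (sender, recipients, body) of accepted messages
        self._reset()

    def _reset(self):
        self.sender = None
        self.recipients = []
        self.body = []
        self.in_data = False

    def greeting(self):
        # The server talks first: its identity plus whether it will take mail.
        if self.accepting:
            return f"220 {self.hostname} ready"
        return f"421 {self.hostname} not accepting mail now"

    def handle(self, line):
        if self.in_data:
            if line == ".":          # end of message: acknowledge and store it
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self._reset()
                return "250 OK message accepted"
            # a body line starting with ".." is an escaped "."; no reply while receiving the body
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "HELO":
            return f"250 {self.hostname}"
        if cmd == "MAIL":            # MAIL FROM:<sender>
            self.sender = arg.split(":", 1)[1].strip("<>")
            return "250 OK"
        if cmd == "RCPT":            # RCPT TO:<recipient>: only known mailboxes are accepted
            addr = arg.split(":", 1)[1].strip("<>")
            if addr not in self.mailboxes:
                return "550 no such user here"
            self.recipients.append(addr)
            return "250 OK"
        if cmd == "DATA":            # the go-ahead, given only once a valid recipient exists
            if not self.recipients:
                return "503 need a valid RCPT first"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":            # connection released
            return "221 bye"
        return "500 command not recognized"


def run_session(server, client_lines):
    """Drive one client/server exchange and return the transcript as (who, line) pairs."""
    transcript = [("S", server.greeting())]
    if not transcript[0][1].startswith("220"):
        return transcript            # client releases the connection and retries later
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript
```

Because the whole dialogue is plain ASCII over TCP, nothing in it is confidential or authenticated on its own; the reliability the slides attribute to TCP is ordering and retransmission, not integrity against a party on the path.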

WWW ARCHITECTURE
The WWW today is a distributed client/server service, in which a client using a browser can access a service using a server. However, the service provided is distributed over many locations called sites.

Figure: Architecture of WWW
Figure: Browser
Figure: URL

WEB DOCUMENTS
The documents in the WWW can be grouped into three broad categories: static, dynamic, and active. The category is based on the time at which the contents of the document are determined.

HTTP
The Hypertext Transfer Protocol (HTTP) is a protocol used mainly to access data on the World Wide Web. HTTP functions as a combination of FTP and SMTP.

Figure: HTTP transaction
Figure: Request and response messages
Figure: Request and status lines

NETWORK MANAGEMENT SYSTEM
We can say that the functions performed by a network management system can be divided into five broad categories: configuration management, fault management, performance management, security management, and accounting management.

Figure 28.1 Functions of a network management system

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
The Simple Network Management Protocol (SNMP) is a framework for managing devices in an internet using the TCP/IP protocol suite. It provides a set of fundamental operations for monitoring and maintaining an internet.

Figure: SNMP concept
Figure: Components of network management on the Internet

- SMI defines the general rules for naming objects, defining object types (including range and length), and showing how to encode objects and values.
- SMI does not define the number of objects an entity should manage, or name the objects to be managed, or define the association between the objects and their values.

Figure: PDU of SNMP

Information Security Services
- Confidentiality: maintaining the privacy of data
- Integrity: detecting that the data has not been tampered with
- Authentication: establishing proof of identity
- Nonrepudiation: the ability to prove that the sender actually sent the data
- Access Control: access to information resources is regulated
- Availability: computer assets are available to authorized parties when needed

Threats to Network Security
- DNS hacking
  - Information-level attack
  - Masquerading attack
  - Information leakage attack
  - Domain hijacking attack
- Routing table poisoning
  - Link attack
  - Router attack
- Packet mistreatment attacks
  - Interruption
  - Modification
  - Replication
  - Ping of Death
  - Malicious misrouting of packets
- Denial of service attacks
  - Single source
  - Distributed

DES is a block cipher, as shown in the figure.

Figure: Encryption and decryption with DES

DES Structure
The encryption process is made of two permutations (P-boxes), which we call the initial and final permutations, and sixteen Feistel rounds.

DES Advantages
- Secure: hard to attack
  - Classic case: given ciphertext, get plaintext
  - Also: given both, get key
  - Achieved through diffusion, confusion
- Easy to implement (in hardware, software)
  - Uses a few fast subroutines
  - Decryption uses the same routines
- Easy to analyze
  - Prove that certain attacks fail

7/3/01

DEScription: Overview
- Block cipher: 64 bits at a time
- Initial permutation rearranges the 64 bits (no cryptographic effect)
- Encoding is in 16 rounds

Figure: plaintext → initial permutation → round 1 → round 2 → ... → round 16 → inverse initial permutation → ciphertext


DEScription: One Round
- 64 bits divided into left and right halves
- Right half goes through function f, mixed with the key
- Right half added to left half
- Halves swapped (except in the last round)

Figure: one round, with inputs L_{i-1}, R_{i-1} and outputs L_i, R_i

DEScription: InsiDES
- Expand the right side from 32 to 48 bits (some bits get reused)
- Add 48 bits of key (chosen by the key schedule)
- S-boxes: each set of 6 bits reduced to 4
- P-box permutes the 32 bits

Figure: the function f: R_{i-1} → expansion → ⊕ K_i → eight S-boxes → P-box → output

DESign Principles: Inverses
Equations for round i:

$$L_i = R_{i-1}$$
$$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$$

In other words:

$$R_{i-1} = L_i$$
$$L_{i-1} = R_i \oplus f(L_i, K_i)$$

So decryption is the same as encryption.
Last round, no swap: really is the same.

Figure: one round, with inputs L_{i-1}, R_{i-1} and outputs L_i, R_i
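The inverse equations above, carried through in code as an added example that is not part of the original slides. toy_f and key_schedule are constructed stand-ins, not DES's real f or key schedule; the point they demonstrate is structural: round_inverse solves the round equations for the inputs without ever inverting f, and running the same encryption routine with the subkeys in reverse order decrypts, exactly as the slide claims. (Real DES's 56-bit key is far too short for current use; the Feistel structure, not the key size, is what this illustrates.)

```python
MASK32 = 0xFFFFFFFF


def toy_f(right, subkey):
    """Stand-in round function (not DES's real f). Any function works here,
    because the Feistel structure never needs f to be invertible."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32          # multiply-mix
    return (x ^ (x >> 15)) & MASK32


def round_forward(l_prev, r_prev, subkey):
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return r_prev, l_prev ^ toy_f(r_prev, subkey)


def round_inverse(l_i, r_i, subkey):
    """Same equations solved for the inputs: R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i)."""
    return r_i ^ toy_f(l_i, subkey), l_i


def key_schedule(master_key, rounds=16):
    """Toy schedule deriving 32-bit subkeys from a 64-bit key (not DES's schedule)."""
    return [((master_key >> (i % 32)) ^ (0x01234567 * (i + 1))) & MASK32 for i in range(rounds)]


def feistel_encrypt(block, subkeys):
    """Encrypt a 64-bit block: 16 rounds, halves swapped each round except the last."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = round_forward(left, right, k)
    left, right = right, left              # the last round has no swap: undo the loop's swap
    return (left << 32) | right


def feistel_decrypt(block, subkeys):
    """Decryption is the same routine with the subkeys in reverse order."""
    return feistel_encrypt(block, list(reversed(subkeys)))
```

The final un-swap is what makes decryption reuse feistel_encrypt unchanged: the ciphertext halves arrive in the order the reversed round sequence expects, so decryption needs no separate code path.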

AES
AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
- Similar to DES: block cipher (with different modes), but 128-bit blocks
- 128-bit, 192-bit, or 256-bit key
- Mix of permutations and S-boxes
- S-boxes based on modular arithmetic with polynomials:
  - Non-linear
  - Easy to analyze, prove attacks fail

Figure: General design of the AES encryption cipher

AES Security
AES was designed after DES. Most of the known attacks on DES were already tested on AES.
- Brute-force attack: AES is definitely more secure than DES due to the larger key size.
- Statistical attacks: numerous tests have failed to do statistical analysis of the ciphertext.
- Differential and linear attacks: there are no differential and linear attacks on AES as yet.

Simplicity and Cost
The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.

Public-Key Cryptography: Asymmetric Cryptography
- Alice generates a key value (usually a number or pair of related numbers) which she makes public.
- Alice uses her public key (and some additional information) to determine a second key (her private key).
- Alice keeps her private key (and the additional information she used to construct it) secret.

Public-Key Cryptography (continued)
- Bob (or Carol, or anyone else) can use Alice's public key to encrypt a message for Alice.
- Alice can use her private key to decrypt this message.
- No one without access to Alice's private key (or the information used to construct it) can easily decrypt the message.

The RSA Encryption Algorithm
- Use a random process to select two large prime numbers P and Q. Compute the product M = P*Q. This number is called the modulus, and is made publicly available.
- RSA currently recommends a modulus that's at least 768 bits long.
- Also compute the Euler totient T = (P-1)*(Q-1). Keep this number (as well as P and Q) secret.

RSA (continued)
- Randomly choose a public key E that has no factors in common with T = (P-1)*(Q-1).
- Compute a private key D so that E*D leaves a remainder of 1 when divided by T. We say E*D is congruent to 1 modulo T:
  $$E \cdot D \equiv 1 \pmod{T}$$
- Note that D is easy to compute only if one knows the value of T. This is essentially the same as knowing the values of P and Q.

RSA (continued)
- If N is any number that is not divisible by M, then dividing $N^{E \cdot D}$ by M and taking the remainder yields the original value N. This is a relatively deep mathematical theorem, which we can write as
  $$N^{E \cdot D} \bmod M = N.$$
- If N is a numeric encoding of a block of plaintext, the ciphertext is $C = N^{E} \bmod M$. Then
  $$C^{D} \bmod M = (N^{E})^{D} \bmod M = N^{E \cdot D} \bmod M = N.$$
  Thus, we can recover the plaintext N with the private key D.
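The key-generation, encryption and decryption steps above in working Python, as an added example that is not part of the original slides; the symbols P, Q, M, T, E, D, N and C are the slides' own. The primality test is Miller-Rabin (a probabilistic test, named here as the "random process" for choosing primes), D is computed as the modular inverse of E mod T, and keypair_from_primes lets the small textbook primes 61 and 53 be used to check the identity $C^D \bmod M = N$ by hand. Note that the 768-bit figure quoted in the slides is dated; current practice is a modulus of at least 2048 bits, which is the default below.

```python
from math import gcd
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: composites pass with probability below 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random process to pick a prime: draw odd candidates of the requested size until one passes."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def keypair_from_primes(P, Q, E=65537):
    """Build (public, private) keys from chosen primes; raises if E shares a factor with T."""
    M = P * Q                                      # modulus, made public
    T = (P - 1) * (Q - 1)                          # Euler totient, kept secret with P and Q
    if gcd(E, T) != 1:
        raise ValueError("E shares a factor with T; choose different primes or E")
    D = pow(E, -1, T)                              # modular inverse: E*D ≡ 1 (mod T), Python 3.8+
    assert (E * D) % T == 1
    return (M, E), (M, D)


def generate_keypair(bits=2048, E=65537):
    """Pick two random primes of bits/2 each and derive the key pair."""
    while True:
        P, Q = random_prime(bits // 2), random_prime(bits // 2)
        if P != Q and gcd(E, (P - 1) * (Q - 1)) == 1:
            return keypair_from_primes(P, Q, E)


def encrypt(N, public_key):
    """C = N^E mod M; the plaintext block must be a number smaller than the modulus."""
    M, E = public_key
    if not 0 <= N < M:
        raise ValueError("plaintext block must be smaller than the modulus")
    return pow(N, E, M)


def decrypt(C, private_key):
    """C^D mod M = N^(E*D) mod M = N."""
    M, D = private_key
    return pow(C, D, M)
```

Textbook RSA as written here is deterministic (the same N always gives the same C), so real systems never encrypt raw blocks this way; they apply a randomized padding scheme first. The code shows the arithmetic the slides describe, not a deployable encryption scheme.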

Message Authentication
Message authentication is concerned with:
- protecting the integrity of a message
- validating the identity of the originator
- non-repudiation of origin (dispute resolution)

The three alternative functions used:
- message encryption
- hash function
- message authentication code (MAC)

Hash Algorithms
Hash Functions
- condense an arbitrary-size message to a fixed size
- by processing the message in blocks
- through some compression function
- either custom or block-cipher based
- Examples: MD4, MD5, SHA1

Secure Hash Functions

Hash Function Requirements
- can be applied to any size of data
- H produces a fixed-length output
- H(x) is relatively easy to compute for any given x
- one-way property: computationally infeasible to find x such that H(x) = h
- weak collision resistance: computationally infeasible to find y ≠ x such that H(y) = H(x)
- strong collision resistance: computationally infeasible to find any pair (x, y) such that H(x) = H(y)

SHA Overview
1. pad the message so its length is 448 mod 512
2. append a 64-bit length value to the message
3. initialize the 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process the message in 16-word (512-bit) chunks:
   - expand the 16 words into 80 words by mixing & shifting
   - use 4 rounds of 20 bit operations on the message block & buffer
   - add the output to the input to form the new buffer value
5. the output hash value is the final buffer value
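The five steps above as a complete SHA-1, added here as an example that is not part of the original slides; each function is labelled with the step it implements, and the result is checked against the standard library. The buffer constants are the ones the slide lists. SHA-1 is shown because it is the slide's example; for the collision-resistance requirements listed earlier it is no longer adequate (practical collisions have been demonstrated), and SHA-256 or SHA-3 is what a practitioner should deploy.

```python
import hashlib
import struct

INITIAL_BUFFER = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(message):
    """Steps 1-2: append 0x80, zero-fill to 448 mod 512 bits, then the 64-bit message length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_length)


def compress(buffer, chunk):
    """Step 4 for one 512-bit chunk: expand to 80 words, 4 rounds of 20 steps, add to the input buffer."""
    w = list(struct.unpack(">16I", chunk))
    for t in range(16, 80):                                  # expand by mixing & shifting
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = buffer
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (rotl(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    # add output to input to form the new buffer value
    return tuple((x + y) & MASK32 for x, y in zip(buffer, (a, b, c, d, e)))


def sha1_hex(message):
    buffer = INITIAL_BUFFER                                  # step 3
    data = pad_message(message)
    for offset in range(0, len(data), 64):                   # step 4, chunk by chunk
        buffer = compress(buffer, data[offset:offset + 64])
    return struct.pack(">5I", *buffer).hex()                 # step 5: final buffer is the hash


def matches_stdlib(message):
    """Cross-check against hashlib's SHA-1."""
    return sha1_hex(message) == hashlib.sha1(message).hexdigest()
```

Because the length is appended to the padded block, the digest of a message plus its padding can be extended by anyone who knows the digest and the length (the length-extension property); that is why a MAC built on this construction must be HMAC rather than a bare hash of key and message.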

Digital Signatures
- have looked at message authentication
- but it does not address issues of lack of trust
- digital signatures provide the ability to:
  - verify author, date & time of signature
  - authenticate message contents
  - be verified by third parties to resolve disputes
- hence include the authentication function with additional capabilities

Digital Signature Properties
- must depend on the message signed
- must use information unique to the sender, to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to recognize & verify
- must be computationally infeasible to forge
  - with a new message for an existing digital signature
  - with a fraudulent digital signature for a given message
- must be practical to save the digital signature in storage

IP Security (IPSec)
- IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF).
- It creates secure, authenticated, reliable communications over IP networks.

IPSec Security Services
- Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
- Data origin authentication: assurance that traffic is sent by the legitimate party or parties.
- Confidentiality (encryption): assurance that users' traffic is not examined by non-authorized parties.
- Access control: prevention of unauthorized use of a resource.

IPSec Modes of Operation
Transport Mode: protects the upper-layer protocols.

Original IP datagram:            [IP Header][TCP Header][Data]
Transport-mode protected packet: [IP Header][IPSec Header][TCP Header][Data]
                                             ^------ protected -------^

Tunnel Mode: protects the entire IP payload.

Tunnel-mode protected packet: [New IP Header][IPSec Header][Original IP Header][TCP Header][Data]
                                              ^------------ protected -------------^

IPSec Security Protocols (1/2)
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

IPSec Security Protocols (2/2)
Authentication Header (AH) provides:
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Encapsulating Security Payload (ESP) provides:
- Confidentiality (encryption)
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Both protocols may be used alone or applied in combination with each other.

Figure: Authentication Header

Security on wireless networks
- 802.11 (Wi-Fi) networks are ubiquitous today
- Types of encryption:
  - Open (no encryption)
  - WEP
  - WPA/WPA2

So what is WEP?
WEP is Wired Equivalent Privacy
- Link-layer encryption
- Defined in the IEEE 802.11 standard
- Least common denominator Wi-Fi encryption
- Goals of WEP:
  - Confidentiality
  - Access control
  - Data integrity

WEP encryption step-by-step (1/3)
Figure: Message → CRC
Step 1: Compute the CRC for the message
- The CRC-32 polynomial is used

WEP encryption step-by-step (2/3)
Figure: IV, Key → Keystream
Step 2: Compute the keystream
- The IV is concatenated with the key
- The RC4 encryption algorithm is run on the 64- or 128-bit concatenation

WEP encryption step-by-step (3/3)
Figure: (Message, CRC) ⊕ Keystream → (IV, Ciphertext)
Step 3: Encrypt the plaintext
- The plaintext is XORed with the keystream to form the ciphertext
- The IV is prepended to the ciphertext

WEP decryption step-by-step (1/2)
Figure: IV, Key → Keystream; Ciphertext
Step 1: Build the keystream
- Extract the IV from the incoming frame
- Prepend the IV to the key
- Use RC4 to build the keystream

WEP decryption step-by-step (2/2)
Figure: Ciphertext ⊕ Keystream → (Message, CRC)
Step 2: Decrypt the plaintext and verify
- XOR the keystream with the ciphertext
- Verify the extracted message with the CRC
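The three encryption steps and two decryption steps above, implemented end to end as an added example that is not part of the original slides. RC4 is written out in full; the CRC-32 integrity value is taken from zlib and packed little-endian, which is how 802.11 carries it (stated here as an assumption about framing, since the slides do not give byte order). The key and IV values are constructed, not captured. wep_decrypt returns None when the recovered CRC does not match, which is the "verify" step a receiver performs before handing the frame up the stack.

```python
import struct
import zlib


def rc4_keystream(key, length):
    """RC4: key-scheduling pass, then generate `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                      # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(message):
    """Encryption step 1: CRC-32 of the message, little-endian (802.11 framing assumption)."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)


def wep_encrypt(key, iv, message):
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits and the key 40 or 104 bits")
    plaintext = message + icv(message)                        # step 1: message || CRC
    keystream = rc4_keystream(iv + key, len(plaintext))       # step 2: RC4 over IV || key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))  # step 3: XOR
    return iv + ciphertext                                    # IV prepended in the clear


def wep_decrypt(key, frame):
    iv, ciphertext = frame[:3], frame[3:]                     # step 1: extract the IV
    if len(ciphertext) < 4:
        return None                                           # too short to carry a CRC
    keystream = rc4_keystream(iv + key, len(ciphertext))      # rebuild the keystream
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))  # step 2: XOR back
    message, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(message) != received_icv:
        return None                                           # verification failed: drop frame
    return message


# Constructed sample values (not real network keys or captures)
SAMPLE_KEY = bytes.fromhex("0102030405")   # 40-bit key: "64-bit WEP" once the 24-bit IV is added
SAMPLE_IV = bytes.fromhex("a1b2c3")
```

Two properties visible in this code explain why WEP is listed as the least common denominator and not as a recommendation: the IV is only 24 bits, so a busy network repeats keystreams, and the CRC is a linear error-detection code, not a keyed MAC, so it cannot serve as the data-integrity goal the earlier slide lists. WPA2 replaces both with a per-packet key derivation and a real MAC.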

Firewalls
An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet.

Henric Johnson

Figure: Four major types of firewalls in OSI (1/8)

Four major types of firewalls in OSI (2/8)
Packet filters
- work at the network level
- each packet is compared to a set of criteria before it is forwarded
- Advantages: low cost, low impact on network performance
- Disadvantages: do not support sophisticated rule-based models

Figure: Four major types of firewalls in OSI (3/8)

Four major types of firewalls in OSI (4/8)
Circuit level gateways
- work at the session layer
- monitor TCP handshaking between packets to determine whether a requested session is legitimate
- Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway.
- Advantages: relatively inexpensive, hiding information about the private network
- Disadvantages: they do not filter individual packets

Figure: Four major types of firewalls in OSI (5/8)

Four major types of firewalls in OSI (6/8)
Application level gateways
- work at the application layer
- incoming or outgoing packets cannot access services for which there is no proxy
- filter application-specific commands
- can also be used to log user activity and logins
- Advantages: a high level of security
- Disadvantages: significant impact on network performance, not transparent to end users, and require manual configuration of each client computer

Figure: Four major types of firewalls in OSI (7/8)

Four major types of firewalls in OSI (8/8)
Stateful multilayer inspection firewalls
- work at the application, session and network layers
- They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer.
- They allow a direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They can also be used to log user activity and logins.
- They rely on algorithms to recognize and process application layer data instead of running application-specific proxies.
- Advantages: a high level of security, good performance, transparency to end users
- Disadvantages: they are expensive and complex
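The difference between the packet filter of slide (2/8) and the session tracking of slides (4/8) and (8/8), shown in code as an added example that is not part of the original slides. packet_filter compares each packet to a constructed rule set with no memory; StatefulInspector watches the TCP handshake (SYN, SYN-ACK, ACK) and only then admits further packets of that session, which is the "determine whether session packets are legitimate" step the slides describe. Addresses, ports and rules are constructed for the example; a decision log is kept because both slides mention logging.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


# Constructed rule set: field/value criteria, first match wins, default deny
RULES = [
    {"dst": "10.0.0.5", "proto": "tcp", "dport": 443, "action": "allow"},
    {"proto": "tcp", "dport": 23, "action": "deny"},       # unencrypted telnet
]


def packet_filter(pkt, rules=RULES, default="deny"):
    """Network-layer packet filter: compare the packet to the criteria, no memory of sessions."""
    for rule in rules:
        criteria = {k: v for k, v in rule.items() if k != "action"}
        if all(getattr(pkt, k) == v for k, v in criteria.items()):
            return rule["action"]
    return default


class StatefulInspector:
    """Tracks the TCP handshake so only packets of a legitimately opened session pass."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = {}   # (client, server, proto, sport, dport) -> handshake state
        self.log = []        # (src, dst, dport, flags, verdict) for audit

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def handle(self, p):
        verdict = self._decide(p)
        self.log.append((p.src, p.dst, p.dport, tuple(sorted(p.flags)), verdict))
        return verdict

    def _decide(self, p):
        fwd, rev = self._key(p), self._reverse(p)
        if fwd in self.sessions:                      # packet from the client side
            state = self.sessions[fwd]
            if state == "SYN_RECEIVED" and p.flags == {"ACK"}:
                self.sessions[fwd] = "ESTABLISHED"    # handshake complete
                return "allow"
            return "allow" if state == "ESTABLISHED" else "deny"
        if rev in self.sessions:                      # packet from the server side
            state = self.sessions[rev]
            if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.sessions[rev] = "SYN_RECEIVED"
                return "allow"
            return "allow" if state == "ESTABLISHED" else "deny"
        # no session yet: only a fresh SYN that the static rules allow may open one
        if p.flags == {"SYN"} and packet_filter(p, self.rules) == "allow":
            self.sessions[fwd] = "SYN_SENT"
            return "allow"
        return "deny"
```

The stray-ACK case in the test is the point of the comparison: the stateless filter passes any packet addressed to an allowed port, while the stateful inspector denies a packet that claims to belong to a session it never saw open. The application-layer content inspection that slide (8/8) also mentions would sit on top of this, after the session is admitted.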
