Unit 6 : Network Security and

Public Key Infrastructure

Saujanya Raj Shrestha
017BSCIT041
Overview of Network Security

What is Network Security?????

 Network Security is any activity designed to protect the
usability and integrity of network and data.
 It includes both hardware and software technologies.
 Effective network security manages access to the network.
 It targets variety of threats and stops them from entering or
spreading on the network.
Vulnerabilities and Attacks
 The common vulnerability that exists in networks is an
“unauthorized access” to the network.
 An attacker can connect his device to a network through
unsecure hub/switch port.

After accessing, an attacker can exploit this vulnerability to

launch attack such as
1. Sniffing the packet data to steal valuable information.
2. Denial of service to legitimate users on a network by
flooding the network medium with spurious packets.
3. Spoofing physical identities (MAC) of legitimate hosts and
then stealing data or further launching a ‘man-in-the-
middle’ attack.
Network Protocol

 Set of rules that govern communications between devices

connected on a network.
 The popular and widely used protocols are TCP/IP with
associated higher and lower-level protocols.
 TCP/IP protocols are commonly used with other protocols
such as HTTP, FTP, SMTP etc.
Vulnerabilities in TCP/IP Protocol Suite
 HTTP is an application layer protocol in TCP/IP suite used for
transfer files that make up the web pages from the web servers.
These transfers are done in plain text and an intruder can easily
read the data packets exchanged between the server and a client.
 Another HTTP vulnerability is a weak authentication between the
client and the web server during the initializing of the session. This
vulnerability can lead to a session hijacking attack where the
attacker steals an HTTP session of the legitimate user.
 TCP protocol vulnerability is three-way handshake for connection
establishment. An attacker can launch a denial of service attack
“SYN-flooding” to exploit this vulnerability. He establishes lot of
half-opened sessions by not completing handshake. This leads to
server overloading and eventually a crash.
 IP layer is susceptible to many vulnerabilities. Through an IP
protocol header modification, an attacker can launch an IP
spoofing attack.
Goals Of Network Security
The primary goal of network security are
Confidentiality, Integrity, and Availability. These
three pillars of Network Security are often
represented as CIA triangle.

 Confidentiality − The function of confidentiality

is to protect precious business data from
unauthorized persons.

 Integrity − This goal means maintaining and

assuring the accuracy and consistency of data.

 Availability − The function of availability in

Network Security is to make sure that the data,
network resources/services are continuously
available to the legitimate users, whenever they
require it.
Achieving Network Security
Security Mechanisms at Networking Layers

Several security mechanisms have been developed in such a

way that they can be developed at a specific layer of the OSI
network layer model.

• Security at Application Layer

• Security at Transport Layer
• Security at Network Layer
Security at Application Layer
 Various business services are now offered online though client-server
applications.
 The most popular forms are web application and e-mail. In both applications,
the client communicates to the designated server and obtains services.
 While using a service from any server application, the client and server
exchange a lot of information on the underlying intranet or Internet. We are
aware of fact that these information transactions are vulnerable to various
attacks.
 For securing data against attacks, many real time security protocols have
been designed. Such protocols need to provide at least following objectives:-

 The parties can negotiate interactively to authenticate each other.

 Establish a secret session key before exchanging information on network.
 Exchange the information in encrypted form.
E-mail Security
Email Security Uses Pretty Good Privacy(PGP) which is an email encryption scheme.
It uses public key cryptography, symmetric key cryptography, hash function and
digital signature.
Security at Transport Layer
 If transactions did not use confidentiality (encryption), an
attacker could obtain his payment card information. The
attacker can then make purchases at Bob's expense.

 If no data integrity measure is used, an attacker could modify

Bob's order in terms of type or quantity of goods.

 Lastly, if no server authentication is used, a server could

display Jabong's famous logo but the site could be a
malicious site maintained by an attacker, who is
masquerading as Jabong. After receiving Bob's order, he
could take Bob's money and flee. Or he could carry out an
identity theft by collecting Bob's name and credit card details.
SSL (Secure Socket Layer)
Security at Network Layer
 Any scheme that is developed for providing network security
needs to be implemented at some layer in protocol stack as
depicted in the diagram below −

 The popular framework developed for ensuring security at

network layer is Internet Protocol Security (IPsec).
Public Key Infrastructure(PKI)
 Public Key Infrastructure uses a pair of keys to achieve the
underlying security service.

 Since, the public keys are in open domain, they are likely to
be abused. It is, thus, necessary to establish and maintain
some kind of trusted infrastructure to manage these keys.

 It is a framework of encryption and cybersecurity that protects

communications between the server and the client.

 Provides authentication and confidentiality

 Authentication: confirms the owner of the keys using Digital
Certificates.
 Confidentiality : Encrypts data transmissions.
Components of PKI

 Public Key Certificate, commonly referred to as ‘digital

certificate’.
 Private key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.
Digital Certificate
 Small file on computer/Electronic device.
 File extension is generally .cer
 “DC” establishes the relation between a user and the public
key.
 Digital Certificates contains
1. User Name
2. Public Key
3. Serial No
4. Valid From
5. Valid To
6. Issuer Name
Certification Authority
 CA issues certificate to a client and assist other users to
verify the certificate.

 The CA takes the responsibility for identifying correctly the

identity of the client asking for a certificate to be issued, and
ensures that the information contained within the certificate is
correct and digitally signs it.

 Often a trusted third party organization. Example:

 DigiCert
 VeriSign
Registration Authority
 CA may uses a third party Registration Authority to perform
the necessary checks on the person or company requesting
the certificate to confirm their identity.
Certificate Management System
 Management system through which certificates are
published, temporarily or permanently suspended, renewed,
or revoked.

 A CA along with associated RA runs certificate management

systems to be able to track their responsibilities and
liabilities.
Private Key Tokens
 While the public key of a client is stored on the certificate, the
associated secret private key can be stored on the key
owner’s computer. 

  If an attacker gains access to the computer, he can easily

gain access to private key.

 For this reason, a private key is stored on secure removable

storage token access to which is protected through a
password.

 Verisign, GlobalSign, and Baltimore use the standard .p12

format.
Thank You !!!