Data Communication and Network

Unit-III
Security Vulnerabilities and Threats
 All data breaches and cyber-attacks start when a threat exploits weaknesses in your infrastructure. As a result,
your network security vulnerabilities create opportunities for threats to access, corrupt, or take hostage of your
network.
 Any potential danger to your network must be considered a network security threat – however, security
risks often begin with your infrastructure and its security.
 1. Viruses
 Viruses are malicious programs written to change the way your software or computer system operates. They are
designed to spread between hosts, from one computer to another – if one computer in your network becomes
infected, your entire network is at risk.
 Often, this malicious software is a result of the user downloading infected application files. The subsequent
infected code can spread throughout the system and completely alter the system operations
 Viruses are most commonly downloaded from:
 Email attachments, Internet advertisements, Updating software and programs, Infected software, Malicious
websites, Pirating music, movies, and software
 Viruses are cybersecurity threats that will typically threaten your network when there are vulnerabilities to
exploit. This includes using outdated antivirus software, or a lack of anti-spyware, firewalls, and backup
systems.
 Without adequate security measures, your network is consistently open to threats and vulnerabilities that may:
 Damage or disable programs, Copy your passwords and send them back to their sender/creator, Create
fake traffic in your network leading to massive downtime, Take over your computers’ processing power and
memory
Security Vulnerabilities and Threats
 2. Insider Threats
 Insider breaches typically occur as a result of actions from employees, former employees,
or contractors.
 Although some of these breaches can occur from malicious attacks by employees,
approximately 64% of insider threats are a result of employee negligent behavior or human
error.
 In order to block potential security threats within small businesses, business owners must
establish a strong culture of security awareness in their organization.
 This includes creating employee cybersecurity policies, security threat training, and the
implementation of additional security software to ensure that threats are identified and
stopped before a potential breach occurs.
Security Vulnerabilities and Threats
 3. Spyware
 Spyware is the malicious software (malware) that is designed to spy on your activities.
 These programs embed deep into your computer files and programs, collecting sensitive
information, including passwords, financial information, and employee identifications.
 Like worms and viruses, spyware slows down your bandwidth and takes over other
computing resources. It is categorized into Trojans, Adware, and tracking cookies.
 Trojans are the seemingly legitimate programs that may be downloaded for your critical
business functions. However, these programs may carry embedded malware that breaches
security and clones sensitive data.
 Conversely, Adware is the malicious and unsolicited advertising that shows us pop-ups on
your computer or mobile device. Clicking on these advertisements allows the advertiser to
track your online activities – additionally, it slows down your computer and can open the
door for future attacks.
Security Vulnerabilities and Threats
 4. Ransomware attacks
 Ransomware, much like viruses and worms, can replicate itself across the network. This
malicious program has the ability to lock you out of your computer applications, or
alternatively, out of your entire computer system until a stated ransom demand is met.
 One of the ways Ransomware gets into your network is through phishing and spam
attachments that can automatically open on your computer. This network security
threat encrypts your files, computer, or network – if this escalates, your computer files can
no longer be opened without a program key. The key is only granted when the attacker is
paid.
 5. Phishing attacks
 Phishing is one of the most common network security threats where a cyber-threat gains
access to your sensitive information through a social engineering scheme, and is often
disguised as a fake email from a recognizable source. By clicking on it, you may
inadvertently share your credentials and other critical data.
 Occasionally, the attackers may send Ransomware or a worm through these emails, linking
to a website that has the ability to harvest sensitive or encrypted information. A weak email
security structure is the most significant vulnerability exploited by phishing scammers.
Security Vulnerabilities and Threats
 6. Rogue security software
 This software misleads users into believing that there is a malicious attack on your network. As a
form of ransomware, rogue security software often convinces users to pay a fee to have their
network cleared of the false “attack.”
 These programs will also offer to clean up your system using a fake antivirus software. Once this
is downloaded, you may end up installing malware on your computer.
 7. DOS and DDOS attack
 A denial-of-service DDoS attack happens when a threat overwhelms your network resources with
traffic, preventing users from accessing crucial applications. A DOS attack eventually takes down
your network through:
 Excessive amounts of false traffic directed to your network address (Buffer overflow)
 Multiple and fictitious connection requests to your server (SYN flood)
 Confusing data routing in your network, causing it to crash (Teardrop attack)
 DOS attacks don’t steal or damage your data. Instead, they aim to cause massive downtimes and
extensive damage to your quality of service.
 A DDOS or distributed denial of service attack is a DOS attack that happens through the use
of several devices in your network. The damage scope in a service DDOS attack is broader, given
Security Vulnerabilities and Threats
 8. Rootkit
 A rootkit is a threat in the form of computer software that is designed to give the attackers
unauthorized remote access to your computers and network. Rootkits work subtly, copying
passwords and disabling antiviruses until it is completely through to your network.
 A rootkit can arrive in your system through legitimate software. This malicious software
can make its way into your network when you install the software and cause
severe cybersecurity risks.
 9. SQL Injection attacks
 SQL injection is among a form of network security threats where the attacker sends
information to websites or web applications that are overlooked by other security
measures. The attackers are then able to delete, modify, or add data into your SQL
database. SQL attacks affect websites and web apps that use an SQL database.
 The attack compromises individual machines, but can also affect the entire network. SQL
and other injection flaws happen when there is insufficient or unreliable scanning of data
in the database query.
Security Vulnerabilities and Threats
 10. Man-in-the-middle attacks
 This is a vulnerability that allows attackers to spy on or alter the communication between
devices in your network. A man-in-the-middle attack could lead to the installation of viruses,
warms, or Ransomware. Cybercriminals can carry out MITM through:
 IP spoofing, DNS spoofing, HTTPS spoofing ,SSL hijacking, Wi-Fi hacking, Machine
learning
 11. Hidden backdoor programs
 A computer device manufacturer or software designer can develop tools to allow your system
to be accessed via a backdoor. Usually, this is for use in technical support and diagnostic
purposes. However, attackers can take advantage of this vulnerability to access your computer
and networks illegally.
 12. Superuser accounts
 Superuser accounts can turn into network vulnerabilities. These accounts have unlimited
privileges, data, and devices and are often used for administrative purposes by IT team
leaders.
 The user can create, modify, and delete files, install software, or copy information. If a
cybercriminal gets hold of such an account, the damage to your network and your business
Classification of Security Services
Classification of Security Services
 1. Message confidentiality
 It means that the content of a message when transmitted across a network must remain
confidential, i.e. only the intended receiver and no one else should be able to read the
message.
 The users; therefore, want to encrypt the message they send so that an eavesdropper on the
network will not be able to read the contents of the message.
 2. Message Integrity
 It means the data must reach the destination without any adulteration i.e. exactly as it was
sent.
 There must be no changes during transmission, neither accidentally nor maliciously.
 Integrity of a message is ensured by attaching a checksum to the message.
 The algorithm for generating the checksum ensures that an intruder cannot alter the
checksum or the message.
Classification of Security Services
 3. Message Authentication
 In message authentication the receiver needs to be .sure of the sender’s identity i.e. the receiver has to make
sure that the actual sender is the same as claimed to be.
 There are different methods to check the genuineness of the sender :
 1. The two parties share a common secret code word. A party is required to show the secret code word to
the other for authentication.
 2. Authentication can be done by sending digital signature.
 3. A trusted third party verifies the authenticity. One such way is to use digital certificates issued by a
recognized certification authority.
 4. Message non-reproduction
 Non-repudiation means that a sender must not be able to deny sending a message that it actually sent.
 The burden of proof falls on the receiver.
 Non-reproduction is not only in respect of the ownership of the message; the receiver must prove that the
contents of the message are also the same as the sender sent.
 Non-repudiation is achieved by authentication and integrity mechanisms.
 5. Entity Authentication
 In entity authentication (or user identification) the entity or user is verified prior to access to the system
resources .
Encryption principles

 A Symmetric encryption scheme has five ingredients

 1. Plain Text: This is the original message or data which is fed into the algorithm as input.
 2. Encryption Algorithm: This encryption algorithm performs various substitutions and
transformations on the plain text.
 3. Secret Key: The key is another input to the algorithm. The substitutions and
transformations performed by algorithm depend on the key.
 4. Cipher Text: This is the scrambled (unreadable) message which is output of the
encryption algorithm. This cipher text is dependent on plaintext and secret key. For a given
plaintext, two different keys produce two different cipher texts.
 5. Decryption Algorithm: This is the reverse of encryption algorithm. It takes the cipher
text and secret key as inputs and outputs the plain text.
 Data Encryption Standard
 The Data Encryption Standard (DES) is a
symmetric-key block cipher published by the
National Institute of Standards and Technology
(NIST).
 DES is an implementation of a Feistel Cipher. It
uses 16 round Feistel structure. The block size is
64-bit. Though, key length is 64-bit, DES has an
effective key length of 56 bits, since 8 of the 64 bits
of the key are not used by the encryption algorithm
(function as check bits only). General Structure of
DES is depicted in the following illustration
(Figure)−
 Since DES is based on the Feistel Cipher, all that is
required to specify DES is −
 Round function
 Key schedule
 Any additional processing − Initial and final
 Data Encryption Standard(Conti…)
 Initial and Final Permutation
 The initial and final permutations are straight
Permutation boxes (P-boxes) that are inverses of
each other. They have no cryptography significance
in DES. The initial and final permutations are
shown as follows −
 Data Encryption Standard(Conti…)
 Round Function
 The heart of this cipher is the DES function, f. The
DES function applies a 48-bit key to the rightmost
32 bits to produce a 32-bit output. The k1 is sub
key.
 Expansion Permutation Box − Since right input is
32-bit and round key is a 48-bit, we first need to
expand right input to 48 bits. Permutation logic is
graphically depicted in the following illustration −
 Data Encryption Standard(Conti…)
 Round Function
 The graphically depicted permutation logic is
generally described as table in DES specification
illustrated as shown −

 XOR (Whitener). − After the expansion

permutation, DES does XOR operation on the
expanded right section and the round key. The
round key is used only in this operation.
 Data Encryption Standard(Conti…)
 Round Function
 Substitution Boxes. − The S-boxes carry out the
real mixing (confusion). DES uses 8 S-boxes, each
with a 6-bit input and a 4-bit output. Refer the
following illustration −

 The S-box rule is illustrated below −

 There are a total of eight S-box tables. The output
of all eight s-boxes is then combined in to 32 bit
section.
 Data Encryption Standard(Conti…)
 Round Function
 Straight Permutation − The 32 bit output of S-
boxes is then subjected to the straight permutation
with rule shown in the following illustration:
 Data Encryption Standard(Conti…)
 Key Generation
 The round-key generator creates

sixteen 48-bit keys out of a 56-bit
Cipher is an
algorithm cipher key. However, the cipher key
which is is normally given as a 64-bit key in
applied to plain
text to get
which 8 extra bits are the parity bits,
ciphertext. It is which are dropped before the actual
the unreadable key-generation process, as shown in
output of an
encryption Fig.
algorithm. The
term "cipher" is  Parity Drop The preprocess before
sometimes used key expansion is a compression
as an
alternative term transposition step that we call parity
for ciphertext. bit drop. Itdrops the parity bits (bits
Ciphertext is
not
8, 16, 24, 32, ..., 64) from the 64-bit
understandable key and permutes the rest of the bits
until it has been according to Table 6.12. The
converted into
plain text using remaining 56-bit value is the actual
a key. cipher key which is used to generate
round keys.
 Data Encryption Standard(Conti…)
 Key Generation
 Shift Left After the straight
permutation, the key is divided into
two 28-bit parts. Each part is shifted
left (circular shift) one or two bits. In
rounds 1, 2, 9, and 16, shifting is one
bit; in the other rounds, it is two bits.
The two parts are then combined to
form a 56-bit part.
 Compression D-box The
 Cipher is an algorithm compression D-box changes the 58
which is applied to plain
text to get ciphertext. It bits to 48 bits, which are used as a
is the unreadable output
of an encryption
key for a round.
algorithm. The term
"cipher" is sometimes
used as an alternative
term for ciphertext.
Ciphertext is not
understandable until it
has been converted into
plain text using a key.
 IDEA Algorithm
 IDEA is basically an encryption algorithm. It stands for
International Data Encryption Algorithm. It was originally
called IPES (Improved proposed Encryption Standard). IDEA
is basically a Symmetric Key Block Cipher,
 Let us divide a plain text of 64 bit into four parts and name it as
p1, p2, p3, and p4.
 This implies that each of them is 16 bit (64bit/4 = 16 bit).
These keys will be fed to the first round.
 After processing(this will be discussed later), these keys will be
transferred to the next round and so on till the next 8 rounds.
 After the 8th round, they will be fed to the output
transformation round, the output of which will be a ciphertext.
 6 subkeys will be used in each round. Let’s name the keys k1,
K2… So in the first-round k1-k6 will be used and k7-k12 in the
2nd round and so on up to k43-k48 in the 8th round.
 The remaining 4 keys (k49, k50, k51, k52) will be used in the
output transformation round.
 IDEA Algorithm  First 128 bits
 Originally we will have a 128-bit key which will be  k1,k2,k3,k4,k5,k6,k7,k8
divided into subparts of 16 bit keys each.
 Second 128 bits
 So what we get now is 8 subkeys of 16 bit each. But
we need only 6 subkeys per round.  k9,k10,k11,k12,k13,k14,k15,k16,
 So the first subkeys, namely k1 to k6, will be used in  Third 128 bits
the first round and the remaining 2 will be used in  K17,k18,k19,k20,21,k22,k23,k24
the next round.
 The second 128bit key will also provide 8 subkeys
out of which only 4(k9 to k12) are used in the 2 nd
round as k7 and k8 of the first 128bit key will be  k1,k2,k3,k4,k5,k6, (Round 1)
used here to make them 6 in all.  k7,k8,k9,k10,k11,k12, (Round 2)
 The next 128bit key will give us 8 subkeys out of  k13,k14,k15,k16, K17,k18, (Round 3)
which 2 are used along with 4 subkeys of the
previous key for the 3rd round.  k19,k20,21,k22,k23,k24 (Round 4)
 And remaining 6 subkeys of the 3 rd key are used for
the 4th round. This completes 4 rounds.
 And similarly, the next 4 rounds are carried out to
 IDEA Algorithm
 Understanding IDEA Algorithm in Detail
 Step1: Multiply*p1 and k1
 Step2: Add*p2 and k2
 Step3: Add*p3 and k3
 Step4: Add*p4 and k4
 Step5: XOR the results of step1 and 2
 Step6: XOR the results of step 2 and 4
 Step7: Multiply* the results of step5 with k5
 Step8: Add the results step7 and step9
 Step9: Multiply* the results of step8 and k6
 Step10: Add* the results of step7 and step9
 Step11: XOR the results of step1 and step9
 Step12: XOR the results of step3 and step9
 Step13: XOR the results of step2 and step10
 Step14: XOR the results ofstep4 and step10
 For all multiply* and Add* refer to Multiplication modulo and addition
 IDEA Algorithm
 Understanding IDEA Algorithm in Detail
 For the output transformation round we will use the outcome of
previous rounds namely, R1 to R4,
 Step1:Multiply *R1 and K1
 Step2: Add*R2 and K2
 Step3: Add*R3 and K3
 Step4: Multiply*R4 and K4
 And what you get as a result of this is ultimately the Cipher Text
of International Data Encryption Algorithm. And this is a text of
64 bit which you got from the 64-bit plain text given as an input.
 So this is all about Understanding IDEA cipher. IDEA is
considered to be the most secure encryption and also to be the
best publicly known algorithm. One must know that this is not
the end as what is given above is just the basic level
understanding of the International Data Encryption Algorithm.
One should proceed to the advanced stages and procure more
knowledge about the same.
 Cipher Block Chaining (CBC)

 CBC mode of operation provides message dependence for

generating ciphertext and makes the system non-
deterministic.
 Operation
 The operation of CBC mode is depicted in the following
illustration. The steps are as follows −
 Load the n-bit Initialization Vector (IV) in the top register.
 XOR the n-bit plaintext block with data value in top
register.
 Encrypt the result of XOR operation with underlying
block cipher with key K.
 Feed ciphertext block into top register and continue the
operation till all plaintext blocks are processed.
 For decryption, IV data is XORed with first ciphertext
block decrypted. The first ciphertext block is also fed into
to register replacing IV for decrypting next ciphertext
 Cipher Block Chaining (CBC)
 Analysis of CBC Mode
 In CBC mode, the current plaintext block is added to
the previous ciphertext block, and then the result is
encrypted with the key.
 Decryption is thus the reverse process, which involves
decrypting the current ciphertext and then adding the
previous ciphertext block to the result.
 Advantage of CBC over ECB is that changing IV
results in different ciphertext for identical message.
 On the drawback side, the error in transmission gets
propagated to few further block during decryption due
to chaining effect.
 It is worth mentioning that CBC mode forms the basis
for a well-known data origin authentication
mechanism.
 Thus, it has an advantage for those applications that
require both symmetric encryption and data origin
 Location of Encryption Devices
 The most powerful and most common approach to countering
the threats is encryption.
 If encryption is used to counter these threats, then we need to
decide what to encrypt and where the encryption gear should
be located.
 There are two fundamental alternatives link encryption and end
to end encryption.
 With link encryption, each vulnerable communications link is
equipped on both ends with an encryption device.
 Thus, all traffic over all communications links is secured.
 Although this requires a lot of encryption devices in a larger
network, the value of this approach is clear.
 One disadvantage of the approach is that the message must be
decrypted each time it enters a packet switch; description is
necessary because the switch must read the address in the
packet header to route the packet.
 Thus, the message is vulnerable at each switch. If it is a public
packet-switching network, the user has no control over the
 Location of Encryption Devices
 With end to end encryption, the encryption process is carried out at the two
end systems.
 The source host or terminal encrypts the data.
 The data is encrypted form are then transmitted unaltered across the network
to the destination terminal, or host.
 The destination shares a key with the source and so is able to decrypt the
data.
 This approach would seem to secure the transmission against attacks on the
network links or switches.

A connects to a packet switching network to transfer end-end encrypted

message to the host at the other end, and sets up a virtual circuit to the host.
 Data is transmitted through the network in the form of packets that consist of
a header and some user data.
 If the host at the other end tries to decrypt the entire packet, it is not possible
as only the host can perform the decryption.
 The packet switching node will receive an encrypted packet and be unable to
read the header.
 Therefore, it will not be able to route the packet.
 It follows that the host may encrypt only that portion of the packet containing
the user data and must leave the header in the clear so that it can be read by
the network.
 key Distribution
 A key distribution center (KDC) in cryptography is a system that is responsible for providing keys to the
users in a network that shares sensitive or private data. Each time a connection is established between two
computers in a network, they both request the KDC to generate a unique password which can be used by the
end system users for verification.
 1. Symmetric key distribution using symmetric encryption
 For symmetric encryption to work, the two parties to an exchange must share the same key, and that key
must be protected from access by others. The given parties A and B have various key distribution
alternatives as follows:
 1. A can select key and physically deliver to B
 2. Third party can select and deliver key to A and B
 3. If A and B have communicated previously can use previous key to encrypt a new key.
 4. If A and B have secure communication with a third party C, C can relay key between A and B.
 A key distribution center responsible for distributing keys to pairs of users(hosts, processes, applications) as
needed. Each user must share a unique key with the distribution center for purposes of key distribution. The
use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys
are used. Communication between end systems is encrypted using a temporary key, often referred to as a
session key.
 key Distribution
 2. Symmetric key distribution using asymmetric encryption
 Because of the inefficiency of public-key cryptosystems, they are almost never used for the direct encryption
if sizable blocks of data, but are limited to relatively small blocks. One of the most important uses of a
public-key cryptosystem is to encrypt secret keys for distribution.
 Simple Secret Key Distribution:
 If A wishes to communicate with B, the following procedure is employed:
 1. A generates a public/private key pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA.
 2.B generates a secret key, Ks, and transmits it to A, which is encrypted with A’s public key.
 3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can
decrypt the message, only A and B will know the identity of Ks.
 4. A discards PUa and PRa and B discards Pua
 A and B can now securely communicate using conventional encryption and the session key Ks. At the
completion of the exchange, both A and B discard Ks.
 key Distribution
 3.Distribution of Public Key
 The public key can be distributed in four ways:
 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates.
 These are explained as following below:
 key Distribution
 1. Public Announcement: Here the public key is broadcasted to everyone. The major weakness of this
method is a forgery. Anyone can create a key claiming to be someone else and broadcast it. Until forgery is
discovered can masquerade as claimed user.
 2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories are
trusted here, with properties like Participant Registration, access and allow to modify values at any time,
contains entries like {name, public-key}. Directories can be accessed electronically still vulnerable to
forgery or tampering.
 3. Public Key Authority: It is similar to the directory but, improves security by tightening control over the
distribution of keys from the directory. It requires users to know the public key for the directory. Whenever
the keys are needed, real-time access to the directory is made by the user to obtain any desired public key
securely.
 4. Public Certification: This time authority provides a certificate (which binds an identity to the public key)
to allow key exchange without real-time access to the public authority each time. The certificate is
accompanied by some other info such as period of validity, rights of use, etc. All of this content is signed by
the private key of the certificate authority and it can be verified by anyone possessing the authority’s public
key.
 First sender and receiver both request CA for a certificate which contains a public key and other information
and then they can exchange these certificates and can start communication.