DCCN Lecture 26 Network Security
Lecture CNDC
Uploaded by Jia Ali

Data Communication & Computer Networks
Course Instructor:
Mr. Aizaz Raziq

8-1
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity, authentication
4 Securing TCP connections: SSL
5 Operational security: firewalls and IDS

8-2
What is network security?
• confidentiality: only the sender and the intended receiver should “understand” the message contents
  – sender encrypts the message
  – receiver decrypts the message
• authentication: sender and receiver want to confirm each other’s identity
• message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection
• access and availability: services must be accessible and available to users
8-3
Terminologies In cryptography

Encryption: converting a message so as to hide its meaning

Decryption: converting an encrypted message back to its original form

Plaintext or clear text: a message in its original form

Ciphertext: a message in encrypted form

• ciphertext = encrypt(key, plaintext), and plaintext = decrypt(key, ciphertext)

8-4
Terminologies In cryptography

Cryptography: the study of encryption algorithms and methods

Cryptanalysis: the attempt to find weaknesses in, or break, cryptographic algorithms

Key: the secret parameter that makes each encryption unique; the algorithm itself is assumed to be known to the attacker, so the key is the only thing that has to stay secret

8-5
Friends and enemies: Alice, Bob, Trudy
• well-known in the network security world
• Bob and Alice want to communicate “securely”
• Trudy (intruder) may intercept, delete, or add messages

[figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel between them]

8-6
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

8-7
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot!
• eavesdrop: intercept messages
• actively insert messages into a connection
• impersonation: fake (spoof) the source address in a packet (or any other field in the packet)
• hijacking: “take over” an ongoing connection by removing the sender or receiver and inserting himself in their place
• denial of service: prevent a service from being used by others (e.g., by overloading its resources)

8-8
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity, authentication
4 Securing TCP connections: SSL
5 Operational security: firewalls

8-9
Security Attack

• Any action that compromises the security of information owned by an organization
• Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• There is a wide range of attacks. Mostly we focus on the two generic types of attack:
  – passive: the attacker only observes traffic (threatens confidentiality)
  – active: the attacker modifies, injects or replays traffic (threatens confidentiality and integrity)

8-10
Passive attack (confidentiality)

8-11
Active attack (confidentiality & integrity)

8-12
Encryption
• Information has to be concealed from an unauthorized person (attacker), so that in the event that it is passively accessed (e.g., copied or intercepted) by an attacker, it is not useful to them

There are actually two subjects that deal with the concealment of
information from unauthorized people:

1. Cryptography
2. Steganography

8-13
What is cryptography?
• The word cryptography comes from the Greek kryptos (“hidden”) and graphein (“to write”)

• Cryptography is the science of using mathematics to encrypt and decrypt data

• Its goal is to secure communication against unauthorized persons or systems

8-14
Cryptography
• Cryptography is the study of hiding critical information by encoding it into an unintelligible form using a secret key

  – The encoding is commonly called encryption

  – If the encoded information is captured, the attacker should not be able to decode (decrypt) it back to the original information without knowledge of the secret key

8-15
Cryptography in detail
• It is the study of encoding meaningful information (also called the message or the plaintext) using a secret transformation function (called the cipher) so that nobody can understand the encoded message (called the ciphertext) unless they have the secret key.
• The cipher algorithm itself should be assumed to be known to the attacker (Kerckhoffs’s principle); only the key is secret. A scheme whose security rests on keeping the algorithm secret fails as soon as one implementation leaks.

8-16
Types of Encryption: symmetric

Limitation: the single secret key must first be shared with the receiver, and a key sent over the network can be compromised by eavesdropping during transmission

8-17
Types of Encryption: asymmetric

The public key of the pair can be made available to everyone; only the private key is kept secret

8-18
Comparison of Symmetric and Asymmetric cryptography

Symmetric key cryptography                            | Asymmetric key cryptography
------------------------------------------------------|--------------------------------------------------------------
Same algorithm with the same key is used for          | Encryption and decryption use the two different keys of a
encryption and decryption                             | key pair: what one key encrypts, the other decrypts
Single key (secret, shared by both parties)           | Two keys (public and private)
Faster                                                | Slower than the symmetric technique
Usage: confidentiality                                | Usage: key sharing, digital signatures, confidentiality

8-19
ROT-13 cipher

• ROT-13 was commonly used on the Internet (particularly in e-mail and newsgroups) to obscure text such as spoilers or puzzle answers, not to keep it secret: it has no key, so anyone can reverse it.
Each letter in the plaintext is substituted with the ciphertext letter according to the following mapping:
p : ABCDEFGHIJKLMNOPQRSTUVWXYZ
F(p) : NOPQRSTUVWXYZABCDEFGHIJKLM
Example:
– Plaintext: THIS IS A SECRET
– Ciphertext: GUVF VF N FRPERG
ROT-13 is an involution (i.e., self-inverse), because 13 + 13 = 26: encoding twice returns the original message.

8-20
Caesar Cipher
The Roman general Julius Caesar used to substitute each letter in his diplomatic communications with the letter that was three letters further along in the alphabet.
p : ABCDEFGHIJKLMNOPQRSTUVWXYZ
F(p) : DEFGHIJKLMNOPQRSTUVWXYZABC

Plaintext: ET TU BRUTUS
Ciphertext: HW WX EUXWXV

The shift (3 here, 13 for ROT-13) is the key. Only 25 non-trivial shifts exist, so the cipher is broken by trying them all.

8-21
The language of cryptography

Alice’s encryption key K_A, Bob’s decryption key K_B

plaintext --[encryption algorithm, K_A]--> ciphertext --[decryption algorithm, K_B]--> plaintext

m: plaintext message
K_A(m): ciphertext, encrypted with key K_A
m = K_B(K_A(m))

8-22
Breaking an encryption scheme
• cipher-text only attack: Trudy has ciphertext she can analyze
  – two approaches:
    – brute force: search through all keys
    – statistical analysis
• known-plaintext attack: Trudy has plaintext corresponding to ciphertext
  – e.g., in a monoalphabetic cipher, Trudy determines the pairings for a, l, i, c, e, b, o
• chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext

8-23
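Slides 8-20, 8-21 and 8-23 fit together in one piece of code. The following is an added example, not from the lecture slides: a general shift cipher (ROT-13 and Caesar are the key = 13 and key = 3 cases) together with both cipher-text-only attacks from slide 8-23, brute force over all 26 keys and a statistical attack that scores each candidate against English letter frequencies. The frequency table is the usual published approximation, and the longer sample message used to test the statistical attack is constructed for this example.

```python
"""Shift (Caesar / ROT-13) cipher with brute-force and frequency-analysis attacks.

Added example, not from the lecture slides. Sample texts are constructed.
"""
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

# Constructed plaintext, long enough for letter statistics to be meaningful.
SAMPLE_MESSAGE = ("ATTACK AT DAWN THE ENEMY HAS TAKEN THE BRIDGE AND THE TOWER "
                  "WE NEED MORE SOLDIERS AND SUPPLIES BEFORE THE SUN RISES "
                  "SEND THE MESSAGE TO THE GENERAL AT ONCE")


def shift_cipher(text: str, key: int) -> str:
    """Replace each letter by the one `key` places further along the alphabet.
    Letters wrap around; case is kept; anything else passes through unchanged."""
    key %= 26
    out = []
    for ch in text:
        if ch.isupper():
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        elif ch.islower():
            out.append(ALPHABET[(ALPHABET.index(ch.upper()) + key) % 26].lower())
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str) -> str:
    return shift_cipher(plaintext, 3)


def caesar_decrypt(ciphertext: str) -> str:
    return shift_cipher(ciphertext, -3)


def rot13(text: str) -> str:
    """Shift by 13: applying it twice shifts by 26, i.e. the identity."""
    return shift_cipher(text, 13)


def brute_force(ciphertext: str):
    """Cipher-text-only attack, approach 1: try every key.
    Returns all 26 (key, candidate plaintext) pairs for a human to scan."""
    return [(k, shift_cipher(ciphertext, -k)) for k in range(26)]


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English; lower is closer."""
    counts = {c: 0 for c in ALPHABET}
    n = 0
    for ch in text.upper():
        if ch in counts:
            counts[ch] += 1
            n += 1
    if n == 0:
        return float("inf")
    total = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def recover_key(ciphertext: str) -> int:
    """Cipher-text-only attack, approach 2: statistical analysis.
    The key whose decryption looks most like English is the one to pick."""
    return min(range(26), key=lambda k: chi_squared(shift_cipher(ciphertext, -k)))


if __name__ == "__main__":
    ct = shift_cipher(SAMPLE_MESSAGE, 3)
    print("recovered key:", recover_key(ct))
    for k, candidate in brute_force("HW WX EUXWXV"):
        print(k, candidate)
```

`brute_force` is enough on its own because the key space has 26 entries; `recover_key` matters because the same statistical idea also breaks a general monoalphabetic substitution, whose 26! keys cannot be enumerated. Both attacks need nothing but ciphertext, which is exactly why a cipher must not rely on the attacker being unable to guess the key.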
Some well-known cryptographic algorithms
• AES (Advanced Encryption Standard): symmetric block cipher, the current standard (128-bit blocks; 128-, 192- or 256-bit keys)
• DES (Data Encryption Standard): symmetric block cipher with a 56-bit key; obsolete, because its key space can be searched by brute force
• RSA (Rivest-Shamir-Adleman): asymmetric (public-key) algorithm, used for key sharing and digital signatures

8-24
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity, authentication
4 Securing TCP connections: SSL
5 Operational security: firewalls

8-25
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

Alice → Bob: “I am Alice”

Failure scenario??

8-26
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

Failure: in a network, Bob cannot “see” Alice, so Trudy simply declares herself to be Alice by sending “I am Alice”

8-27
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

Alice → Bob: [Alice’s IP address | “I am Alice”]

Failure scenario??

8-28
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

Failure: Trudy can create a packet “spoofing” Alice’s IP address as its source; nothing in an IP packet ties the source address to the host that actually sent it

Trudy → Bob: [Alice’s IP address | “I am Alice”]

8-29
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Alice → Bob: [Alice’s IP addr | Alice’s password | “I’m Alice”]
Bob → Alice: [Alice’s IP addr | OK]

Failure scenario??

8-30
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Alice → Bob: [Alice’s IP addr | Alice’s password | “I’m Alice”]
Bob → Alice: [Alice’s IP addr | OK]

Failure: playback attack: Trudy records Alice’s packet and later plays it back to Bob

Trudy → Bob: [Alice’s IP addr | Alice’s password | “I’m Alice”] (recorded copy)

8-31
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Alice → Bob: [Alice’s IP addr | encrypted password | “I’m Alice”]
Bob → Alice: [Alice’s IP addr | OK]

Failure scenario??

8-32
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Alice → Bob: [Alice’s IP addr | encrypted password | “I’m Alice”]
Bob → Alice: [Alice’s IP addr | OK]

Failure: record and playback still works! Encrypting the password does not help, because the ciphertext itself is the reusable credential: Trudy never needs to decrypt it, only to resend it.

Trudy → Bob: [Alice’s IP addr | encrypted password | “I’m Alice”] (recorded copy)

8-33
Authentication: yet another try
Goal: avoid the playback attack
nonce: a number (R) used only once in a lifetime
ap4.0: to prove Alice is “live”, Bob sends Alice a nonce R; Alice must return R encrypted with the shared secret key

Alice → Bob: “I am Alice”
Bob → Alice: R
Alice → Bob: K_A-B(R)

Bob: Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
8-34
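The difference between ap3.0 (slides 8-30/8-31) and ap4.0 (slide 8-34) is clearest when the playback attack is actually run against both. The following is an added example, not from the lecture slides. It substitutes an HMAC-SHA256 tag over the nonce for the slides’ “R encrypted with the shared key K_A-B”; both prove possession of the shared secret, and a keyed MAC is the standard way to do so today. The shared key, the password and the user name are constructed for the demo.

```python
"""Playback (replay) against a password login vs nonce challenge-response.

Added example, not from the lecture slides. HMAC over the nonce stands in
for the slides' K_A-B(R). Key, password and names are constructed.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = bytes.fromhex("1b2e35c84f0a6d7e9c0b1a2d3e4f5061")  # constructed K_A-B


# ---- ap3.0: "I am Alice" + password; Trudy records the packet and replays it ----

class PasswordServer:
    """Bob as in ap3.0: accepts any packet carrying the right password."""

    def __init__(self, users):
        self._users = dict(users)

    def login(self, name: str, password: str) -> bool:
        return hmac.compare_digest(self._users.get(name, ""), password)


def ap30_playback_attack():
    """Returns (alice_ok, trudy_ok). Trudy resends Alice's sniffed packet verbatim."""
    bob = PasswordServer({"Alice": "s3cret"})
    packet = ("Alice", "s3cret")          # what Trudy captured on the wire
    alice_ok = bob.login(*packet)
    trudy_ok = bob.login(*packet)         # replayed later; Bob cannot tell the difference
    return alice_ok, trudy_ok


# ---- ap4.0: Bob issues a fresh nonce; Alice proves she holds K_A-B on that nonce ----

def respond(key: bytes, name: str, nonce: bytes) -> bytes:
    """Alice's side: a keyed tag over (name, nonce), computable only with the key."""
    return hmac.new(key, name.encode() + nonce, hashlib.sha256).digest()


class NonceServer:
    """Bob as in ap4.0: each nonce is issued once and accepted once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)       # 128 random bits: never repeats in practice
        self._outstanding.add(r)
        return r

    def verify(self, name: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                  # never issued, or already consumed
        self._outstanding.discard(nonce)  # one nonce, one login attempt
        return hmac.compare_digest(respond(self._key, name, nonce), response)


def ap40_playback_attack():
    """Returns (alice_ok, replay_old_nonce_ok, replay_old_response_ok)."""
    bob = NonceServer(SHARED_KEY)
    r1 = bob.challenge()
    resp1 = respond(SHARED_KEY, "Alice", r1)
    alice_ok = bob.verify("Alice", r1, resp1)
    # Trudy recorded (r1, resp1). Later, Bob issues a new nonce r2.
    r2 = bob.challenge()
    replay_old_nonce = bob.verify("Alice", r1, resp1)      # r1 already consumed
    replay_old_response = bob.verify("Alice", r2, resp1)   # resp1 is bound to r1, not r2
    return alice_ok, replay_old_nonce, replay_old_response


if __name__ == "__main__":
    print("ap3.0 (alice, trudy):", ap30_playback_attack())          # (True, True)
    print("ap4.0 (alice, replay, replay):", ap40_playback_attack())  # (True, False, False)
```

Two details matter beyond the slide. Bob must remember which nonces are outstanding and retire each one after a single use, otherwise a recorded response could be replayed while its nonce is still valid; and the tag covers the claimed name as well as R, so a response Alice computed cannot be presented under another identity. The drawback the slide hints at remains: ap4.0 needs a key shared in advance, and replacing it with public keys (ap5.0) opens the man-in-the-middle problem on the next slide.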
ap5.0 (nonce plus public-key cryptography instead of a shared key): security hole
man (or woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice), answering Bob’s nonce with her own key pair and passing Alice’s answers along as needed

difficult to detect:
Bob receives everything that Alice sends, and vice versa
(e.g., so Bob and Alice can meet one week later and recall the conversation!)
problem is that Trudy receives all messages as well!
the root cause is that nothing binds a public key to the identity that claims it; that binding is what certificates provide

8-35
Q/A
8-36
