COMPUTER

SECURITY
UNIT-6: SECURITY PROTOCOLS

1
Definition - What does Network Security Protocols mean?
Network security protocols are a type network protocol that ensures the security and integrity of data
in transit over a network connection. Network security protocols define the processes and
methodology to secure network data from any illegitimate attempt to review or extract the contents of
data.
Network Security Protocols
Network security protocols are primarily designed to prevent any unauthorized user, application,
service or device from accessing network data. This applies to virtually all data types regardless of the
network medium used.

Network security protocols generally implement cryptography and encryption techniques to secure the
data so that it can only be decrypted with a special algorithm, logical key, mathematical formula and/or
a combination of all of them. Some of the popular network security protocols include Secure File
Transfer Protocol (SFTP), Secure Hypertext Transfer Protocol (HTTPS) and Secure Socket Layer (SSL).

2
Definition - What does Network Security mean?
Network security is an over-arching term that describes that the policies and procedures implemented by a
network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of
the network and network resources.
This means that a well-implemented network security blocks viruses, malware, hackers, etc. from accessing or
altering secure information.
Network Security
The first layer of network security is enforced through a username/password mechanism, which only allows
access to authenticated users with customized privileges. When a user is authenticated and granted specific
system access, the configured firewall enforces network policies, that is, accessible user services.
However, firewalls do not always detect and stop viruses or harmful malware, which may lead to data loss. An
anti-virus software or an intrusion prevention system (IPS) is implemented to prevent the virus and/or harmful
malware from entering the network.
Network security is sometimes confused with information security, which has a different scope and relates to
data integrity of all forms, print or electronic.

3
Definition - What does Protocol mean?
A protocol is a set of rules and guidelines for communicating data. Rules are defined for each step and process
during communication between two or more computers. Networks have to follow these rules to successfully
transmit data.
Protocol
Similar to programming languages, protocols are based on specific rules and regulations for computing and are
designed for efficiency. Each rule is defined in different terms and is assigned a unique name. Protocols specify the
standards for communication and provide detailed information on processes involved in data transmission. Such
processes include:
• Type of task
• Process nature
• Data flow rate
• Data type
• Device management

A single process can be handled by more than one protocol simultaneously. This coordination of protocols creates
a protocol family.

4
Definition - What does Encryption
mean?
Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users.
This cryptographic method protects sensitive data such as credit card numbers by encoding and transforming
information into unreadable cipher text. This encoded data may only be decrypted or made readable with a key.
Symmetric-key and asymmetric-key are the two primary types of encryption.

Encryption is essential for ensured and trusted delivery of sensitive information.

Encryption
Symmetric-key encryption uses two secret, often identical keys or codes for computers involved in message
transmission. Each secret key's data packet is self-encrypted. The first symmetric encryption algorithm is the Data
Encryption Standard (DES), which uses a 56-bit key and is not considered attack-proof. The Advanced Encryption
Standard (AES) is considered more reliable because it uses a 128-bit, a 192-bit or a 256-bit key.

Asymmetric-key encryption, also known as public-key encryption, uses private and public keys in tandem. The public
key is shared with computers attempting to communicate securely with the user’s computer. This key handles
encryption, rendering the message indecipherable in transit. The private matching key remains private on the user’s
computer. It decrypts the message and makes it readable. Pretty good privacy (PGP) is a commonly used public-key
encryption system.

5
Definition - What does Cryptography mean?
Cryptography involves creating written or generated codes that allows information to be kept
secret. Cryptography converts data into a format that is unreadable for an unauthorized user,
allowing it to be transmitted without anyone decoding it back into a readable format, thus
compromising the data.
Information security uses cryptography on several levels. The information cannot be read
without a key to decrypt it. The information maintains its integrity during transit and while being
stored. Cryptography also aids in non-repudiation. This means that neither the creator nor the
receiver of the information may claim they did not create or receive it.
Cryptography is also known as cryptology.

6
Cryptography
Cryptography also allows senders and receivers to authenticate each other through the use of key
pairs. There are various types of algorithms for encryption, some common algorithms include:
Secret Key Cryptography (SKC) - Here only one key is used for both encryption and decryption.
This type of encryption is also referred to as symmetric encryption.
Public Key Cryptography (PKC): Here two keys are used. This type of encryption is also called
asymmetric encryption. One key is the public key and anyone can have access to it. The other key
is the private key, and only the owner can access it. The sender encrypts the information using
the receiver’s public key. The receiver decrypts the message using his/her private key. For non-
repudiation, the sender encrypts plain text using a private key, while the receiver uses the
sender’s public key to decrypt it. Thus, the receiver knows who sent it.
Hash Functions: These are different from SKC and PKC. They have no key at all and are also called
one-way encryption. Hash functions are mainly used to ensure that a file has remained
unchanged.

7
Definition - What does Information Security (IS)
mean?
Information security (IS) is designed to protect the confidentiality, integrity and availability of
computer system data from those with malicious intentions. Confidentiality, integrity and
availability are sometimes referred to as the CIA Triad of information security. This triad has
evolved into what is commonly termed the Parkerian hexad, which includes confidentiality,
possession (or control), integrity, authenticity, availability and utility.
Information Security (IS)
Information security handles risk management. Anything can act as a risk or a threat to the CIA
triad or Parkerian hexad. Sensitive information must be kept - it cannot be changed, altered or
transferred without permission. For example, a message could be modified during transmission
by someone intercepting it before it reaches the intended recipient. Good cryptography tools
can help mitigate this security threat.
Digital signatures can improve information security by enhancing authenticity processes and
prompting individuals to prove their identity before they can gain access to computer data.

8
The rapid growth of the Internet as both an individual and business
communication channel has created a growing demand for security
and privacy in this electronic communication channel.
Security and privacy are essential if individual communication is to
continue and e-commerce is to thrive in cyberspace

9
 Application Transport Network Data Link
The call for and desire for security and privacy Layer: Layer: Layer: Layer:
has led to several security protocols and
standards. PGP SSL IPSec PPP

Among these are: Secure Socket Layer (SSL)

and Transport Layer Security (TLS) Protocols; S/MIME TLS VPN RADIUS
secure IP (IPSec); Secure HTTP (S-HTTP),
secure E-mail ( PGP and S/MIME), DNDSEC, S-HTTP TACACS+
SSH, and others.
We discuss these protocols and standards HTTPS
within the framework of the network protocol
stack as follows: SET

KERBEROS

10
Pretty Good Privacy (PGP)
◦ The importance of sensitive communication cannot be underestimated. The best way, so far,
to protect such information is to encrypt it.
◦ Encryption of e-mails and any other forms of communication is vital for the security,
confidentiality, and privacy of everyone. This is where PGP comes in and this is why PGP is so
popular today.
◦ Pretty Good Privacy (PGP), developed by Phil Zimmermann. is a public-key cryptosystem.
◦ PGP works by creating a circle of trust among its users. In the circle of trust, users, starting
with two, form a key ring of public key/name pairs kept by each user. Joining this “trust
club” means trusting and using the keys on somebody’s key ring.
◦ Unlike the standard PKI infrastructure, this circle of trust has a built-in weakness that can be
penetrated by an intruder. However, since PGP can be used to sign messages, the presence of
its digital signature is used to verify the authenticity of a document or file. This goes a long
way in ensuring that an e-mail message or file just downloaded from the Internet is both
secure and un-tampered with.

11
Secure/Multipurpose Internet Mail Extension
(S/MIME)
◦ Secure/ Multipurpose Internet Mail Extension extends the protocols of Multipurpose
Internet Mail Extensions (MIME) by adding digital signatures and encryption to them.
◦ To understand S/MIME, let us first look at MIME. MIME is a technical specification of
communication protocols that describes the transfer of multimedia data including pictures,
audio, and video. The MIME protocol messages are described in RFC 1521; a reader with
further interest in MIME should consult RFC 1521.
◦ Because Web contents such as files consist of hyperlinks that are themselves linked onto
other hyperlinks, any e-mail must describe this kind of inter-linkage. That is what a MIME
server does whenever a client requests for a Web document. When the Web server sends
the requested file to the client’s browser, it adds a MIME header to the document and
transmits it. This means, Internet e-mail messages consist of two parts: the header and the
body.

12
◦ Within the header, two types of information are included: MIME type and subtype.
◦ The MIME type describes the general file type of the transmitted content type such as image,
text, audio, application, and others.
◦ The subtype carries the specific file type such as jpeg or gif, tiff, and so on.
◦ S/MIME was then developed to add security services that have been missing. It adds two
cryptographic elements: encryption and digital signatures
◦ Encryption
◦ S/MIME supports three public key algorithms to encrypt sessions keys for transmission
with the message: Diffie-Hallman, RSA, and triple DES.
◦ Digital signatures
◦ From a hash function of either 160-bit SHA-1 or MD5 to create message digests.

13
Secure-HTTP (S-HTTP)
◦ Secure HTTP (S-HTTP) extends the Hypertext Transfer Protocol (HTTP).
◦ When HTTP was developed, it was developed for a Web that was simple, that
did not have dynamic graphics, that did not require, at that time, hard
encryption for end-to-end transactions that have since developed.
◦ As the Web became popular for businesses users realized that current HTTP
protocols needed more cryptographic and graphic improvements if it were to
remain the e-commerce backbone it had become.

14
Secure-HTTP (S-HTTP) .. Contd..
◦ Each S-HTTP file is either encrypted, contains a digital certificate, or both.
◦ S-HTTP design provides for secure communications, primarily commercial
transactions, between a HTTP client and a server.
◦ It does this through a wide variety of mechanisms to provide for
confidentiality, authentication, and integrity while separating policy from
mechanism.
◦ HTTP messages contain two parts: the header and the body of the message.
The header contains instructions to the recipients (browser and server) on
how to process the message’s body

15
Secure-HTTP (S-HTTP) .. Contd..
◦ During the transfer transaction, both the client browser and the server, use
the information contained in the HTTP header to negotiate formats they will
use to transfer the requested information.
◦ The S-HTTP protocol extends this negotiation between the client browser and
the server to include the negotiation for security matters. Hence S-HTTP uses
additional headers for message encryption, digital certificates and
authentication in the HTTP format which contains additional instructions on
how to decrypt the message body ( see both headers)

16
Hypertext Transfer Protocol over Secure Socket
Layer (HTTPS)
◦ HTTPS is the use of Secure Sockets Layer (SSL) as a sub-layer under the regular
HTTP in the application layer. It is also referred to as Hypertext Transfer
Protocol over Secure Socket Layer (HTTPS) or HTTP over SSL, in short.
◦ HTTPS is a Web protocol developed by Netscape, and it is built into its
browser to encrypt and decrypt user page requests as well as the pages that
are returned by the Web server. HTTPS uses port 443 instead of HTTP port 80
in its interactions with the lower layer, TCP/IP

17
Secure Electronic Transactions
(SET)
◦ SET is a cryptographic protocol developed by a group of companies that
included Visa, Microsoft, IBM, RSA, Netscape, MasterCard and others.
◦ It is a highly specialized system with complex specifications contained in three
books with book one dealing with the business description, book two a
programmer’s guide, and book three giving the formal protocol description.
◦ For each transaction, SET provides the following services: authentication,
confidentiality, message integrity, and linkage
◦ SET uses public key encryption and signed certificates to establish the
identity of every one involved in the transaction and to allow every
correspondence between them to be private.

18
Kerberos
◦ Kerberos is a network authentication protocol designed to allow users, clients
and servers, authenticate themselves to each other.
◦ This mutual authentication is done using secret-key cryptography with parties
proving to each other their identity across an insecure network connection.
◦ Communication between the client and the server can be secure after the
client and server have used Kerberos to prove their identity. From this point
on, subsequent communication between the two can be encrypted to assure
privacy and data integrity.

19
Kerberos client/server authentication requirements are:
◦ Security – that Kerberos is strong enough to stop potential eavesdroppers from finding it to
be a weak link.
◦ Reliability – that Kerberos is highly reliable employing a distributed server architecture
where one server is able to back up another. This means that Kerberos systems is fail safe,
meaning graceful degradation, if it happens.
◦ Transparency – that users are not aware that authentication is taking place beyond
providing passwords.
◦ Scalability - that Kerberos systems accept and support new clients and servers.
◦ To meet these requirements, Kerberos designers proposed a third-party
trusted authentication service to arbitrate between the client and server in
their mutual authentication

20
Security in the Transport Layer
These protocols are at the level below the application layer.
We discuss two: Secure Socket Layer (SSL) and Transport Layer Security (TLS).
Currently, however, these two are no longer considered as two separate protocols but one
under the name SSL/TLS, after the SSL standardization was passed over to IETF, by the Netscape
consortium, and Internet Engineering Task Force (IETF) renamed it TLS.

21
Secure Socket Layer (SSL)
◦ SSL is a widely used general purpose cryptographic system used in the two
major Internet browsers: Netscape and Explorer.
◦ It provides an encrypted end-to-end data path between a client and a server
regardless of platform or OS.
◦ Secure and authenticated services are provided through data encryption,
server authentication, message integrity, and client authentication for a TCP
connection through HTTP, LDAP or POP3 application layers.
◦ It rivals S-HTTP

22
Secure Socket Layer (SSL) .
Contd..
◦ These two Web giants had a lot in common, however, there are some differences in design
goals, implementation, and acceptance.
◦ First S-HTTP was designed to work with only web protocols. Because SSL is at a lower level in
the network stack than S-HTTP, it can work in many other network protocols.
◦ Secondly, in terms of implementation, since SSL is again at a lower level than S-HTTP, it is
implemented as a replacement for the sockets API to be used by applications requiring secure
communications. On the other hand, S-HTTP has its data passed in named text fields in the
HTTP header.
◦ Finally in terms of distribution and acceptance, history has not been so good to S-HTTP. While
SSL was released in a free mass circulating browser, the Netscape Navigator, S-HTTP was
released in a much smaller and restricted NCSA Mosaic. This unfortunate choice doomed the
fortunes of S-HTTP (See SSL protocol stack).

23
The SSL Handshake
◦ Before any TCP connection between a client and a serve, both running under SSL, is
established, there must be almost a process similar to a three-way handshake we discussed in
3.2.2. This get-to-know-you process, is similarly called the SSL handshake. During the
handshake, the client and server perform the following tasks:
◦ Establish a cipher suite to use between them.
◦ Provide mandatory server authentication through the server sending its certificate to the client to
verify that the server's certificate was signed by a trusted CA.
◦ Provide optional client authentication, if required, through the client sending its own certificate to the
server to verify that the client's certificate was signed by a trusted CA.
◦ Exchange key information using public key cryptography, after mutual authentication, that leads to the
client generating a session key (usually a random number) which, with the negotiated cipher, is used
in all subsequent encryption or decryption. The customer encrypts the session key using the public
key of the merchant server (from the merchant’s certificate). The server recovers the session key by
decrypting it using the its private key. This symmetric key which now both parties have is used in all
subsequent communication.

24
Transport Layer Security (TLS)
◦ TLS is the result of the 1996 Internet Engineering Task Force (IETF) attempt at standardization
of a secure method to communicate over the Web. The 1999 outcome of that attempt was
released as RFC 2246 spelling out a new protocol- the Transport Layer Security or TLS.
◦ TLS was charged with providing security and data integrity at the transport layer between
two applications. TLS version 1.0 was an evolved SSL 3.0. Frequently, the new standard is
referred to as SSL/TLS.
◦ Since then, however, the following additional features have been added:
◦ Interoperability - ability to exchange TLS parameters by either party, with no need for one party to
know the other’s TLS implementation details.
◦ Expandability – to plan for future expansions and accommodation of new protocols

25
Security in the Network Layer
These protocols also address Internet communication security.
These protocols include: IPSec and VPN technologies.

26
Internet Protocol Security (IPSec)
◦ IPSec is a suite of authentication and encryption protocols developed by the Internet Engineering Task
Force (IETF) and designed to address the inherent lack of security for IP-based networks.
◦ IPSec, has a very complex set of protocols described in a number of RFCs including RFC 2401 and 2411.
◦ Although it was designed to run in the new version of the Internet Protocol, IP Version 6 (IPv6), it has
also successfully run in the older IPv4 as well.
◦ IPSec sets out to offer protection by providing the following services at the network layer:
◦ Access Control – to prevent an unauthorized access to the resource.
◦ Connectionless Integrity – to give an assurance that the traffic received has not been modified in any way.
◦ Confidentiality – to ensure that Internet traffic is not examined by non-authorized parties. This requires all IP
datagrams to have their data field, TCP, UDP, ICMP or any other datagram data field segment, encrypted.
◦ Authentication – particularly source authentication so that when a destination host receives an IP datagram, with a
particular IP source address, it is possible to be sure that the IP datagram was indeed generated by the host with
the source IP address. This prevents spoofed IP addresses.
◦ Replay protection – to guarantee that each packet exchanged between two parties is different.

27
Internet Protocol Security (IPSec)
◦ IPSec protocol achieves these objectives by dividing the protocol suite into two main protocols:
Authentication Header (AH) protocol and the Encapsulation Security Payload (ESP) protocol.
◦ The AH protocol provides source authentication and data integrity but no confidentiality.
◦ The ESP protocol provides authentication, data integrity, and confidentiality.
◦ Any datagram from a source must be secured with either AH or ESP ( See diagrams of these).

28
IPSec operates in two modes: transport and tunnel:

◦ Transport mode
◦ The Transport mode provides host-to-host protection to higher layer protocols in the
communication between two hosts in both IPv4 and IPv6. In IPv4, this area is the area beyond the
IP address. In IPv6, the new extensions to IPv4, the protection includes the upper protocols, the IP
address and any IPv6 header extensions( see extensions).
◦ Tunnel mode
◦ Tunnel mode offers protection to the entire IP datagram both in AH and ESP between two IPSec
gateways. This is possible because of the added new IP header in both IPv4 and IPv6. Between the
two gateways, the datagram is secure and the original IP address is also secure.
◦ However, beyond the gateways, the datagram may not be secure. Such protection is created when
the first IPSec gateway encapsulate the datagram including its IP address into a new shield
datagram with a new IP address of the receiving IPSec gateway. At the receiving gateway, the new
datagram is unwrapped and brought back to the original datagram

29
Virtual Private Networks (VPN)
◦ A VPN is a private data network that makes use of the public telecommunication
infrastructure, such as the Internet, by adding security procedures over the unsecure
communication channels.
◦ The security procedures that involve encryption are achieved through the use of a tunneling
protocol.
◦ There are two types of VPNs: remote access which lets single users connect to the protected
company network and site-to-site which supports connections between two protected
company networks.
◦ In either mode, VPN technology gives a company the facilities of expensive private leased
lines at much lower cost by using the shared public infrastructure like the Internet.

30
The two components of a VPN are:

◦ Two terminators which are either software or hardware. These perform encryption,
decryption and authentication services. They also encapsulate the information.
◦ A tunnel – connecting the end-points. The tunnel is a secure communication link between
the end-points and networks such as the Internet. In fact this tunnel is virtually created by
the end-points.

31
VPN technology must do the following activities:

◦ IP encapsulation – this involves enclosing TCP/IP data packets within another packet with an
IP-address of either a firewall or a server that acts as a VPN end-point. This encapsulation of
host IP-address helps in hiding the host.
◦ Encryption – is done on the data part of the packet. Just like in SSL, the encryption can be
done either in transport mode which encrypts its data at the time of generation, or tunnel
mode which encrypts and decrypts data during transmission encrypting both data and
header.
◦ Authentication – involves creating an encryption domain which includes authenticating
computers and data packets by use for public encryption.

32
Types of VPNs
◦ The security of VPN technologies falls into three types: trusted VPNs; secure
VPNs; and hybrid VPNs.
◦ Trusted VPNs
◦ In these VPNs a customer trusted the VPN provider to safeguard his or her privacy and
security by maintaining the integrity of the circuits. This security is based on trust.
◦ Secure VPNs
◦ Trusted VPN actually offers only virtual security, so security concerns in VPN are still there.
To address these concerns, protocols that encrypt traffic at the edge of one network or at
the originating computer, moved over the Internet like any other data, and then decrypt
when it reaches the corporate network or a receiving computer are used.

33
Types of VPNs
◦ This way it looks like encrypted traffic has traveled through a tunnel between the two networks.
Between the source and the destination points, although the data is in the clear and even an attacker
can see the traffic, still one cannot read it, and one cannot change the traffic without the changes
being seen by the receiving party and, therefore, rejected.
◦ Networks that are constructed using encryption are called secure VPNs.
◦ Secure VPNs are more secure than trusted VPNs.
◦ Hybrid VPNs
◦ Hybrid VPN is the newest type of VPN technologies that substitutes the Internet for the telephone
system as the underlying structure for communications.
◦ The trusted VPN components of the new VPN still do not offer security but they give customers a way
to easily create network segments for wide area networks (WANs). On the other hand, the secure VPN
components can be controlled from a single place and often come with guaranteed quality-of-service
(QoS) from the provider.

34
Security in the Link Layer and over
LANS
In the Data Link Layer, there are several protocols including : PPP, RADIUS and
TACAS+.
Point-to-Point Protocol (PPP)
◦ This is an old protocol because early Internet users used to dial into the Internet using a
modem and PPP. It is a protocol limited to a single data link. Each call went directly to the
remote access server (RAS) whose job was to authenticate the calls as they came in.
◦ A PPP communication begins with a handshake which involves a negotiation between the
client and the RAS to settle the transmission and security issues before the transfer of data
could begin.
◦ This negotiation is done using the Link Control Protocol (LCP). Since PPP does not require
authentication, the negotiation may result in an agreement to authenticate or not to
authenticate.

35
Remote Authentication Dial-In User Service (RADIUS)
◦ RADIUS is a server for remote user authentication and accounting. It is one of a class of Internet dial-
in security protocols that include Password Authentication Protocol (PAP) and Challenge-Handshake
Authentication Protocol (CHAP).
◦ It is mainly used by Internet Service Providers (ISPs) to provide authentication and accounting for
remote users.
◦ It can be used also in private networks to centralize authentication and accounting services on the
network for all dial-in connections for service.
◦ It has two main components: authentication and accounting protocols.

36
Terminal Access Controller Access Control System (TACACS+ )
◦ This protocol, commonly referred to as “tac-plus”, is a commonly used method of authentication
protocol.
◦ It is a strong protocol for dial-up and it offers:
◦ Authentication – arbitrary length and content authentication exchange which allows many
authentication mechanisms to be used with it.
◦ Authorization
◦ Auditing – a recording of what a user has been doing and in TACASCS+, it serves two purposes:
◦ To account for services used
◦ To audit for security services

37