Chapter Four

Managing
communication and
network security
 Remote access technologies
☛
Remote access technologies refer to the various methods
and technologies that enable users to connect to
computer systems or networks from a location other
than the physical site.
☛
These technologies are essential for individuals or
employees who need to access resources, data, or
applications from outside the traditional office
environment.
☛
remote access technology has reshaped modern work
environments by promoting flexibility, collaboration,
and efficiency.
Remote Access Modern Work Environments

 Flexibility and Work-Life  Technology Advancements

Balance
 Increased Productivity
 Global Collaboration
 Cost Saving
 Security and Compliance
 Business Continuity
 Employee Satisfaction and
Retention
 Challenges and Solutions
 Common Remote access technologies
1. Virtual Private Network (VPN):
A VPN establishes a secure and encrypted connection over the internet,
allowing users to access a private network from a remote location. This is often
used for accessing company networks securely.
2. Remote Desktop Services (RDS):
RDS allows users to connect to a desktop environment or specific applications
on a remote server. It provides a virtualized desktop experience, making it
possible to access a remote computer as if you were sitting in front of it.
3. Cloud-Based Solutions:
Cloud services, such as cloud-based applications and storage, enable users to
access resources hosted in the cloud from any device with an internet
connection.
4. Secure Shell (SSH):
SSH is a cryptographic network protocol that provides a secure way to access
and manage network devices remotely. It is commonly used for command-line
access to servers.
5. Mobile Device Management (MDM):
MDM solutions allow organizations to manage and secure mobile
devices remotely. This is important for ensuring that mobile devices
used for work are compliant with security policies.
6. Web-Based Remote Access:
Accessing resources and applications through a web browser, often
utilizing HTTPS for secure connections.
7. Remote File Access:

Tools like FTP (File Transfer Protocol), SFTP (Secure File Transfer
Protocol), and cloud storage services enable users to access and
transfer files remotely
9. Remote Access Software:

Various remote access software, such as TeamViewer, LogMeIn, or
AnyDesk, Splashtop, allows users to connect to and control remote
computers for support or collaboration purposes.
 Network Security
Hana, Bob and Alemu
“Amies” and “Enemies”
Bob and Hana want to communicate securely
Alemu may intrude to intercept, delete or add
messages
Hana Bob
channel data, control
messages

data data
sender receiver

Alemu
Insecure Channel
 Network Security
Model
Model for
for Secure
Secure Transmission
Transmission
Trusted
Third Party

Secure Secure
Transmission Transmission

Opponent
Secure Channel
 Network Security
Introduction
Introduction
In
In today’s
today’s highly
highly networked
networked world,
world,
computer
computer security
security is
is highly
highly
dependent
dependent on on network
network security
security
Focus
Focus is
is on:
on:

 Internet/Intranet
Internet/Intranet security
security issues
issues in in
TCP/IP
TCP/IP based
based networks
networks (application,
(application,
transport
transport andand network)
network) linklink andand
physical
physical layers
layers are
are not
not also
also free
free from
from
attack
attack

 Attacks
Attacks that
that use
use security
security holes
holes of
of the
the
network
network protocol
protocol and
and their
their defenses
defenses
Does
Does not
not include
include attacks
attacks that
that use
use
 Network Security
Concerns
Concerns in
in Network
Network Security
Security
Confidentiality:
Confidentiality: only
only sender
sender and
and
intended
intended receiver
receiver should
should “understand”
“understand”
message
message contents
contents
Authentication:
Authentication: sender
sender andand receiver
receiver
want
want to
to confirm
confirm identity
identity of
of each
each other
other
Message
Message integrity:
integrity: sender
sender and
and receiver
receiver
want
want to
to ensure
ensure message
message notnot altered
altered (in
(in
transit,
transit, or
or afterwards)
afterwards) without
without
detection
detection
Access
Access and
and availability:
availability: services
services must
must
be
be accessible
accessible and
and available
available to
to users
users
 Network Security/ Types of
Attacks
Passive
Passive attacks
attacks

Listen
Listen to
to the
the network
network and
and make
make
use
use ofof the
the information
information without
without
altering
altering

 Passive
Passive wiretapping
wiretapping attack
attack

 Traffic
Traffic analysis
analysis
Most
Most networks
networks use
use aa broadcast
broadcast
medium
medium and
and it
it is
is easy
easy to
to access
access
other
other machines
machines packets
packets

 Utilities
Utilities such
such as
as EtherDetect
EtherDetect and
and
 Network Security/ Types of
Attacks
Active
Active attacks
attacks
An
An active
active attack
attack threatens
threatens the
the integrity
integrity and
and availability
availability
of
of data
data being
being transmitted
transmitted

 The
Thetransmitted
transmitteddata
datais
isfully
fullycontrolled
controlledby
bythe
theintruder
intruder

 The
Theattacker
attackercan
canmodify,
modify,extend,
extend,delete
deleteor
orplay
playany
anydata
data
This
This is
is quite
quite possible
possible in
in TCP/IP
TCP/IP since
since the
the frames
frames and
and
packets
packets are
are not
not protected
protected in
in terms
terms ofof authenticity
authenticity and
and
integrity
integrity
Denial
Denial of
of service
service or
or degrading
degrading ofof service
service attack
attack

 Prevention
Preventionof
ofauthorized
authorizedaccess
accessto
toresources
resources

 Examples
Examples
 E-mail
E-mailbombing:
bombing:flooding
floodingsomeone's
someone'smailmailstore
store
 Smurf
Smurf attack:
attack: Sending
Sending aa “ping”
“ping” multicast
multicast or or broadcast
broadcast with
with aa
spoofed
spoofedIPIPof
ofaavictim.
victim.The
Therecipients
recipientswill
willrespond
respondwith
withaa“pong”
“pong”toto
the victim
the victim
 There had been reports of incidences of distributed denial of
There had been reports of incidences of distributed denial of
service
service attacks
attacks against
against major
major sites
sites such
such as
as Amazon,
Amazon, Yahoo,
Yahoo, CNN
CNN
 Network Security/ Types of
Attacks
Active
Activeattacks
attacks…
…
Spoofing
Spoofing attack:
attack: aa situation
situation in
in which
which one
one
person
person or or program
program imitates
imitates another
another by
by
falsifying
falsifying data
data and
and thereby
thereby gaining
gaining an
an
illegitimate
illegitimate advantage.
advantage.

 IP
IP spoofing
spoofing
 Putting
Putting aa wrong
wrong IP
IP address
address in
in the
the source
source IPIP address
address of
of
an
anIP
IPpacket
packet

 DNS
DNS spoofing
spoofing
 Changing
Changing thethe DNS
DNS information
information so so that
that it
it directs
directs to
to aa
wrong
wrongmachine
machine

 URL spoofing/Webpage phishing
URL spoofing/Webpage phishing
 AA legitimate
 legitimate web
web page
page such
such asas aa bank's
bank's site
site is
is
reproduced in "look and feel" on another server under
reproduced in "look and feel" on another server under
control
controlof
ofthe
theattacker
attacker

 E-mail
E-mail address
address spoofing
spoofing

 Network Security/ Protocols and
Vulnerabilities
Security
Security in
in TCP/IP
TCP/IP Networks
Networks

TCP/IP
TCP/IP was
was designed
designed toto be
be used
used by
by aa
trusted
trusted group
group of
of users
users
The
The protocols
protocols are
are not
not designed
designed to to
withstand
withstand attacks
attacks
Internet
Internet is
is now
now used
used by
by all
all sorts
sorts of
of
people
people
Attackers
Attackers exploit
exploit vulnerabilities
vulnerabilities ofof
every
every protocol
protocol to
to achieve
achieve their
their goals
goals
The
The next
next slides
slides show
show some
some attacks
attacks at
at
each
each layer
layer of
of the
the TCP/IP
TCP/IP stack
stack
 Network Security/ Protocols and
Vulnerabilities
Link
Link and
and Physical
Physical Layers:
Layers: ARP
ARPSpoofing,
Spoofing,Wiretapping
Wiretapping

Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26

.1 .2 .3 .4 .5

140.252.13
arp req | target IP: 140.252.13.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0

Read more on ARP Spoofing and Wiretapping!

 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:IP
IPVulnerabilities
Vulnerabilities

IP
IP packets
packets can
can be
be intercepted
intercepted

 In
In the
the LAN
LAN broadcast
broadcast

 In routers and switches
In routers and switches
Since
Since thethe packets
packets are
are not
not protected
protected they
they
can
can bebe easily
easily read
read
Since
Since IPIP packets
packets are
are not
not authenticated
authenticated they
they
can
can bebe easily
easily modified
modified
Even
Even ifif the
the user
user encrypts
encrypts his/her
his/her data
data it
it will
will
still
still be
be vulnerable
vulnerable toto traffic
traffic analysis
analysis attack
attack
Information
Information exchanged
exchanged between
between routers
routers toto
maintain
maintain their their routing
routing tables
tables isis not
not
authenticated
authenticated
 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IP
IP security
security (IPSec)
(IPSec) overview
overview

IPSec
IPSec isis aa set
set of
of security
security algorithms
algorithms
plus
plus aa general
general framework
framework that
that allows
allows
aa pair
pair ofof communicating
communicating entities
entities toto
use
use whichever
whichever algorithms
algorithms provide
provide
security
security appropriate
appropriate for
for the
the
communication.
communication.
Applications
Applications of of IPSec
IPSec

 Secure
Secure branch
branch office
office connectivity
connectivity over
over the
the
Internet
Internet

 Secure
Secure remote
remote access
access over
over the
the Internet
Internet

 Establsihing extranet and intranet
 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IP
IP security
security (IPSec)
(IPSec) overview
overview …
…

Benefits
Benefits of
of IPSec
IPSec

 Transparent
Transparent to
to applications
applications (below
(below
transport
transport layer)
layer)

 Provide
Provide security
security for
for individual
individual users
users
IPSec
IPSec can
can assure
assure that:
that:

AA router
router oror neighbor
neighbor advertisement
advertisement
comes
comes from
from an
an authorized
authorized router
router

A A redirect
redirect message
message comes
comes from
from the
the router
router
to
to which
which the
the initial
initial packet
packet was
was sent
sent

A A routing
routing update
update isis not
not forged
forged
 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IP
IP security
security (IPSec)
(IPSec) services
services
Network-layer
Network-layer secrecy:
secrecy:

 Sending
Sending host
host encrypts
encrypts the
the data
data in
in IP
IP
datagram
datagram

 TCP
TCP and
and UDP
UDP segments;
segments; ICMP
ICMP and
and SNMP
SNMP
messages
messages
Network-layer
Network-layer authentication
authentication

 Destination
Destination host
host can
can authenticate
authenticate source
source IP
IP
address
address
Two
Two principal
principal protocols
protocols

 Authentication
Authentication header
header (AH)
(AH) protocol
protocol

 Encapsulation
Encapsulation security
security payload
payload (ESP)
(ESP)
protocol
protocol
 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IP
IP security
security scenario
scenario …
…
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:IPSec
IPSec--Security
SecurityAssociations
Associations(SA)
(SA)
SA
SA isis aa one
one wayway relationship
relationship between
between aa
sender
sender and
and aa receiver
receiver that
that provides
provides security
security
services
services (authentication
(authentication and
and confidentiality)
confidentiality)
SA
SA is
is uniquely
uniquely identified
identified by:
by:

 Security
Security Parameters
Parameters Index
Index (SPI)
(SPI) in
in the
the enclosed
enclosed
extension
extension header
header of
of AH
AH or
or ESP
ESP
 AH:
 AH: Authentication
Authentication Header
Header(Authentication)
(Authentication)
 ESP:
 ESP: Encapsulating
Encapsulating Security
Security Payload
Payload (both
(both
authentication
authenticationand
andconfidentiality)
confidentiality)

 IP
IP Destination
Destination address
address in
in the
the IPv4/IPv6
IPv4/IPv6 header
header
Both
Both AH
AH and
and ESP
ESP support
support two
two modes
modes of
of use
use

 Transport Mode:
Transport Mode: Protection
Protection for
for upper
upper layer
layer
protocols
protocols (TCP,
(TCP, UDP)
UDP)
 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IPSec
IPSecAH
AHAuthentication
Authentication

(a) Before AH

(b) Transport Mode

 Network Security/ Protocols and
Vulnerabilities
Network
Network Layer:
Layer: IPSec
IPSecAH
AHAuthentication
Authentication …
…

(c) Tunnel Mode

 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:IPSec
IPSecESP
ESPEncryption
Encryptionand
andAuthentication
Authentication

a) Transport Mode
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:IPSec
IPSecESP
ESPEncryption
Encryptionand
andAuthentication…
Authentication…

b) Tunnel mode
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:Combination
Combinationof
ofSecurity
SecurityAssociations
Associations

* Implements IPSec
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:Combination
Combinationof
ofSecurity
SecurityAssociations
Associations…
…

* Implements IPSec
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:Combination
Combinationof
ofSecurity
SecurityAssociations
Associations…
…

* Implements IPSec
 Network Security/ Protocols and
Vulnerabilities
Network
NetworkLayer:
Layer:Combination
Combinationof
ofSecurity
SecurityAssociations
Associations…
…

* Implements IPSec
 Network Security/ Protocols and
Vulnerabilities
IPSec:
IPSec:Encryption,
Encryption,Authentication…
Authentication…Summary
Summary
IPSec
IPSec provides
provides authentication,
authentication, confidentiality,
confidentiality, and and key
key
management
management at at the
the level
level of
of IP
IP packets.
packets.
IP-level
IP-level authentication
authentication is is provided
provided by by inserting
inserting an an
Authentication
Authentication Header
Header (AH)(AH) intointo the
the packets.
packets.
IP-level
IP-level confidentiality
confidentiality is is provided
provided by by inserting
inserting an an
Encapsulating
Encapsulating Security
Security Payload
Payload (ESP) (ESP) header
header into
into the
the
packets.
packets. AnAn ESP
ESP header
header cancan alsoalso dodo the
the job
job of
of the
the AH
AH
header
header by by providing
providing authentication
authentication in in addition
addition to to
confidentiality.
confidentiality.
Before
Before ESP
ESP cancan bebe used,
used, itit isis necessary
necessary for for the
the two
two
ends
ends of
of aa communication
communication link link to to exchange
exchange the the secret
secret
key
key that
that will
will be
be used
used for
for encryption.
encryption. Similarly,
Similarly, AH AH
needs
needs an
an authentication
authentication key. key.
IPSec
IPSec isis aa specification
specification for for thethe IP-level
IP-level security
security
features
features that
that are
are built
built into
into the
the IPv6
IPv6 internet
internet protocol.
protocol.
These
These security
security features
features cancan also
also bebe used
used with
with the
the IPv4
IPv4
 Network Security/ Protocols and
Vulnerabilities
Transport
TransportLayer
Layer::TCP
TCPSYNC
SYNCattack
attack

Sequence
Sequence Number:
Number: monotonically
monotonically
increasing
increasing 32 32 bits
bits long
long counter
counter that that
provides
provides anti-replay
anti-replay function
function
Sequence
Sequence numbers
numbers are are initialized
initialized with
with aa
“random”
“random” value
value during
during connection
connection setup
setup
The
The RFC(request
RFC(request for for comment)
comment) suggests
suggests
that
that the
the ISN
ISN (Initial
(Initial Sequence
Sequence Number)
Number) is is
incremented
incremented by by one
one at
at least
least every
every 44 s
s
In
In many
many implementations,
implementations, it
it is
is
computationally
computationally feasible
feasible toto guess
guess the
the next
next
ISN
ISN number
number
If successful, an attacker can impersonate
 Network Security/ Protocols and
Vulnerabilities
Transport
TransportLayer
Layer::TCP
TCPSYNC
SYNCattack
attack…
…
3 way handshake

client server
SYN = ISNC
SYN = ISNS, ACK(ISNC)
ISN – Initial Sequence Number
ACK(ISNS)

data transfer

attacker server
SYN = ISNX, SRC_IP = T trusted host (T)

SYN = ISNS, ACK(ISNX)

ACK(ISNS), SRC_IP = T

SRC_IP = T, nasty_data
 Network Security/ Protocols and
Vulnerabilities
SSL/TLS
SSL/TLS Protocols
Protocols
Secure
Secure Socket
Socket Layer
Layer (SSL)
(SSL)
•• Widely
Widely deployed,
deployed, “real-world”
“real-world”
security
security protocol
protocol
•• Considered
Considered asas the
the de-facto
de-facto standard
standard
for
for Internet
Internet security
security
•• First
First designed
designed byby Netscape
Netscape inin 1994
1994
•• Evolved
Evolved through
through versions
versions 1.0,
1.0, 2.0
2.0
and
and 3.0
3.0
•• Version
Version 3.0
3.0 is
is renamed
renamed to to TLS
TLS byby
IETF/Internet
IETF/Internet Engineering
Engineering Task
Task
Force (Sometimes called SSL 3.1)
 Network Security/ Protocols and
Vulnerabilities
SSL/TLS
SSL/TLS Protocols
Protocols
Provides
Provides transport
transport layer
layer security
security to
to any
any TCP-
TCP-
based
based application
application using
using SSL
SSL services.
services.
e.g.,
e.g., between
between Web
Web browsers,
browsers, servers
servers for
for e-commerce
e-commerce
Provides
Provides security
security services
services like
like server
server
authentication,
authentication, data
data encryption,
encryption, client
client
authentication
authentication
Application
Application
SSL sublayer SSL
TCP TCP TCP socket
socket
IP IP
TCP TCP enhanced with SSL
 Network Security/ Protocols and
Vulnerabilities
SSL/TLS
SSL/TLSProtocols
Protocols…
…
SSL
SSL is
is used
used extensively
extensively by by web
web browsers
browsers toto provide
provide
secure
secure connections
connections for
for transferring
transferring sensitive
sensitive data.
data.
SSL-protected
SSL-protected HTTP
HTTP transfer
transfer uses
uses port
port 443
443 (instead
(instead of
of
port
port 80),
80), and
and is
is identified
identified with
with aa special
special URL
URL method
method --
. https.
https.
•• For
For example: https://www.gmail.com/ would
example: https://www.gmail.com/ would cause
cause anan SSL-
SSL-
enabled
enabled browser
browser toto open
open aa secure
secure SSL
SSL session
session to
to port
port 443
443
at
atwww.gmail.com.
www.gmail.com.
SSL,
SSL, like
like most
most modern
modern security
security protocols,
protocols, isis based
based on
on
cryptography.
cryptography.
When
When an an SSL
SSL session
session isis established,
established, thethe server
server begins
begins
by
by announcing
announcing aa public
public key
key to
to the
the client,
client, no
no encryption
encryption
is
is in
in use
use initially.
initially.
•• Both
Bothparties
parties(and
(andany
anyeavesdropper)
eavesdropper)can
canread
readthis
thiskey.
key.
The
The client
client then
then transmits
transmits information
information to
to the
the server
server in
in
aa way
way that
that no
no one
one else
else could
could decode
decode using
using the
the server's
server's
 Network Security/ Protocols and
Vulnerabilities
Application
Application layer:
layer: DNS
DNS spoofing
spoofing

If
If the
the attacker
attacker has
has access
access to
to aa
name
name server
server it
it can
can modify
modify it
it so
so
that
that it
it gives
gives false
false information
information

 Ex:
Ex: redirecting
redirecting www.ebay.com
www.ebay.com to
to
map
map to
to own
own (attacker’s)
(attacker’s) IP
IP address
address
The
The cache
cache of
of aa DNS
DNS name
name server
server
can
can bebe poisoned
poisoned with
with false
false
information
information using
using some
some simple
simple
techniques
techniques
 Network Security/ Protocols and
Vulnerabilities
E-mail
E-mail Security
Security
E-mails
E-mails transit
transit through
through various
various servers
servers
before
before reaching
reaching their
their destinations
destinations
By
By default,
default, they
they are
are visible
visible by
by anybody
anybody
who
who has
has access
access to
to the
the servers
servers
SMTP
SMTP protocol
protocol hashas security
security holes
holes and
and
operational
operational limitations
limitations
E-mail
E-mail security
security can
can be
be improved
improved using
using
tools
tools and
and protocols
protocols like
like:: PGP
PGP and
and S-MIME
S-MIME
•• PGP:
PGP:Pretty
PrettyGood
GoodPrivacy
Privacy
•• S-MIME:
S-MIME:Secure
SecureMulti-Purpose
Multi-PurposeInternet
InternetMail
MailExtension
Extension
 Network Security/ Protocols and
Vulnerabilities
E-Mail
E-Mail Security
Security -- SMTP
SMTP

SMTP
SMTP Limitations
Limitations -- Can
Can not
not transmit,
transmit, or
or has
has aa
problem
problemwith:
with:
Executable
Executable files,
files, or
or other
other binary
binary files
files (jpeg
(jpeg
image)
image)
 “national
“national language”
language” characters
characters (non-
(non-
ASCII)
ASCII)
 Messages
Messages overover aa certain
certain size
size
 ASCII
ASCII toto EBCDIC
EBCDIC translation
translation problems
problems
 Lines
Lines longer
longer than
than aa certain
certain length
length (72
(72 toto
254
254 characters)
characters)
 Network Security/ Protocols and
Vulnerabilities
E-mail
E-mail Security
Security -- PGP
PGP
Philip
Philip R.
R. Zimmerman
Zimmerman is is the
the creator
creator of of PGP
PGP
(Prety
(Prety Good
Good Protocol)
Protocol)
PGP
PGP provides
provides aa confidentiality
confidentiality and and
authentication
authentication service
service that
that can
can be be used
used for
for
electronic
electronic mail
mail and
and file
file storage
storage
applications.
applications.
Five
Five services
services of
of PGP
PGP
•• Digital
Digital Signature
Signature
•• Message
Message Encryption
Encryption
•• Compression
Compression
•• E-mail
E-mail Compatibility
Compatibility
•• Segmentation
Segmentation
 Network Security/ Protocols and
Vulnerabilities
E-mail
E-mail Security
Security––S/MIME
S/MIMEFunctions
Functions

Enveloped
Enveloped Data:
Data: Encrypted
Encrypted content
content and
and
encrypted
encrypted session
session keys
keys for
for recipients
recipients
Signed
Signed Data:
Data: Message
Message Digest
Digest encrypted
encrypted
with
with private
private key
key of
of “signer.”
“signer.”
Clear-Signed
Clear-Signed Data:Data: Signed
Signed butbut not
not
encrypted
encrypted
Signed
Signed andand Enveloped
Enveloped Data: Data: Various
Various
orderings
orderings for
for encrypting
encrypting andand signing.
signing.
 Network Security/ Protocols and
Vulnerabilities
Application
Application layer:
layer: Web
Web browser
browser
Types
Types of
of Web
Web threats
threats and
and counter
counter measures:
measures:

 Integrity 
 Denial
Integrity Denialof ofService
Service
 Data, memory and/or message  Killing of user thread
Data, memory and/or message Killing of user thread
modification
modification  Machine flooding
Machine flooding
 Trojan horse browser  Filling up disk/memory
Trojan horse browser Filling up disk/memory
 Cryptographic
Cryptographicchecksums
checksums  Isolating machine by
Isolating machine by

 Confidentiality DNS
DNSattacks
attacks
Confidentiality
 Eavesdropping  Detection
Detection andand action
action
Eavesdropping
 Theft (suspicious pattern)
(suspicious pattern)
Theft ofof data
data from
from client
client &
&
information from Server 
 Authentication
information from Server Authentication
 Access to information about  Impersonation
Access to information about Impersonation
network
networkconfiguration
configuration  Data forgery
Data forgery
 Access to information about
Access to information about  Cryptographic
Cryptographic
which
whichclient
clientis
iscommunicating
communicating techniques
techniques
Encryption
Encryption
 Network Security
Network / Protocols and
Security
Vulnerabilities
Web Security: Secure
WebSecurity: Secure Electronic
Electronic Transactions
Transactions
(SET)
(SET)
An
An open
open encryption
encryption and
and security
security
specification.
specification.
Protect
Protect credit
credit card
card transaction
transaction on
on
the
the Internet.
Internet.
Companies
Companies involved:
involved:

 MasterCard,
MasterCard, Visa,
Visa, IBM,
IBM, Microsoft,
Microsoft,
Netscape,
Netscape, RSA,
RSA, Terisa
Terisa and
and Verisign
Verisign
Not
Not aa payment
payment system
system but
but enables
enables
users
users to
to employ
employ the
the existing
existing credit
credit
card
card payment
payment infrastructure
infrastructure on
on an
an
 Network Security/
Network Protocols and
Security
Vulnerabilities

Web
Web Security:
Security: SET
SET Services
Services

Provides
Provides aa secure
secure communication
communication
channel
channel inin aa transaction.
transaction.
Provides
Provides trust
trust byby the
the use
use of
of X.509v3
X.509v3
digital
digital certificates.
certificates.
Key
Key Features
Features of
of SET:
SET:

 Confidentiality
Confidentiality of
of information
information

 Integrity
Integrity of
of data
data

 Cardholder
Cardholder account
account authentication
authentication

 Merchant
Merchant authentication
authentication
 Network Security
Network / Protocols and
Security
Vulnerabilities
Web
Web Security:
Security: SET
SET Participants
Participants
 Network Security/ Protocols and
Vulnerabilities
Web Security: SET
WebSecurity: SET Participants
Participants ...
...
Cardholder:
Cardholder: Authorized
Authorized holder
holder of of Payment
Payment
Card
Card
Merchant:
Merchant: Has Has goods
goods to to sell
sell to to the
the
Cardholder.
Cardholder.
Issuer:
Issuer: Financial
Financial institution
institution (such
(such asas bank)
bank) ––
connected
connected with
with the
the Cardholder.
Cardholder.
Acquirer:
Acquirer: Verifies
Verifies that
that aa card
card account
account is is
active
active and
and the
the proposed
proposed purchase
purchase doesdoes not
not
exceed
exceed the
the credit
credit limit
limit –– Connected
Connected withwith the
the
Merchant.
Merchant.
Payment
Payment gateway:
gateway: Operated
Operated by by the
the acquirer
acquirer
or
or aa designated
designated third
third party
party that
that processes
processes
merchant
merchant payment
payment messages
messages
 Network Security/ Protocols and
Vulnerabilities

Web
Web Security:
Security: SET
SET ((Sequence
Sequence of
of events
events for
for
transactions)
transactions)
1.
1. The
The customer
customer opens
opens anan account.
account.
2.
2. The
The customer
customer receives
receives aa certificate.
certificate.
3.
3. Merchants
Merchants have
have their
their own
own certificates.
certificates.
4.
4. The
The customer
customer places
places anan order.
order.
5.
5. The
The merchant
merchant isis verified.
verified.
6.
6. The
The order
order and
and payment
payment are are sent.
sent.
7.
7. The
The merchant
merchant request
request payment
payment
authorization.
authorization.
8.
8. The
The merchant
merchant confirm
confirm thethe order.
order.
9.
9. The
The merchant
merchant provides
provides the the goods
goods or
or
service.
service.
 Network Security/ Protocols and
Vulnerabilities

Web
Web Security:
Security: SET
SET -- Dual
Dual Signature
Signature

Dual
Dual signature
signature is is an
an important
important innovation
innovation byby
SET
SET
Used
Used to to link
link two
two messages
messages that
that are
are intended
intended
for
for two
two different
different recipients.
recipients.
The
The customer
customer wants
wants to
to send
send Order
Order Information
Information
(OI)
(OI) to
to the
the merchant
merchant andand Payment
Payment Information
Information
(PI)
(PI) to
to the
the bank.
bank.
Merchant
Merchant –– DoesDoes not
not need
need toto know
know customer’s
customer’s
CC
CC number.
number.
Bank
Bank –– DoesDoes notnot need
need toto know
know details
details of
of
customer’s
customer’s order.
order.
Privacy!!
Privacy!!
 Network Security/ Summary

Security
Securityfeatures
featuresin
inthe
theTCP/IP
TCP/IPprotocol
protocol stack
stack
 Network Security/ Summary

Use
Use of
of IP
IP Security
Security (IPSec)
(IPSec) (Figure
(Figure a)
a)

 Transparent
Transparent to to applications
applications

 Provide
Provide general
general purpose
purpose solution
solution

 Provides
Provides filtering
filtering capability
capability
Security
Security just
just above
above TCP
TCP (Figure
(Figure b)
b)

 SSL:
SSL: Secure
Secure Socket
Socket Layer
Layer

 TLS: Transport Layer Security
TLS: Transport Layer Security
 SSL/TLS
 SSL/TLS could
could be
be provided
provided as
as part
part of
of the
the underlying
underlying
protocol
protocol suite
suite =>
=> Transparent
Transparent to
to applications
applications
 Alternatively,
 Alternatively, can
can be
be embedded
embedded into
into applications
applications
 Example:
 Example: Netscape
Netscape and
and Microsoft
Microsoft Explorer
Explorer browsers
browsers
are
areequipped
equippedwith
withSSL
SSL
Application
Application specific
specific security
security services
services (Figure
(Figure
c)
c)

 Embedded
Embedded within
within specific
specific application
application
 Best examples are SET (Secure Electronic
 Network Security/ Summary

Security-enhanced
Security-enhanced application
application protocols
protocols
Solution
Solution to
to most
most application
application layer
layer
security
security problems
problems areare tackled
tackled byby
developing
developing security-enhanced
security-enhanced
application
application protocols
protocols
Examples
Examples

 For
For FTP
FTP =>
=> FTPS
FTPS

 For
For HTTP
HTTP =>
=> HTTPS
HTTPS

 For
For SMTP
SMTP =>
=> SMTPS
SMTPS

 For
For DNS
DNS =>
=> DNSSEC
DNSSEC