Network Security & Cryptography
Sai Kiran Rathan (I / IV year B.Tech, CSE)
G. Sandeep (1st year B.Tech, CSE)
rathansaikirantrml@gmail.com
Tirumala Engineering College
Contents
1. Introduction
2. What is Cryptography
3. Network Security
4. Network security Needs
5. Cryptographic Process
6. Digital Signatures and Certificates
7. Cryptographic Technologies
8. Public Key Infrastructure (PKI)
9. Attacking Cryptography
10. Summary
11. References
1. Introduction

Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become ``wired'', an increasing number of people need to understand the basics of security in a networked world.

From the dawn of civilization to the highly networked societies that we live in today, communication has always been an integral part of our existence.

Radio communication
Telephonic communication
Network communication
Mobile communication

All these methods and means of communication have played an important role in our lives, but in the past few years, network communication, especially over the Internet, has emerged as one of the most powerful methods of communication with an overwhelming impact on our lives. Such rapid advances in communications technology have also given rise to security threats to individuals and organizations.

Fundamental Requirements

Confidentiality: It is the process of keeping information private and secret so that only the intended recipient is able to understand the information.

Authentication: It is the process of providing proof of identity of the sender to the recipient, so that the recipient can be assured that the person sending the information is who and what he or she claims to be.

Integrity: It is the method of ensuring that information is not tampered with during its transit or its storage on the network. Any unauthorized person should not be able to tamper with the information or change the information during transit.

Non-repudiation: It is the assurance that someone cannot deny something. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
Security Attacks

Interruption: An attack in which one or more of the systems of the organization become unusable due to attacks by unauthorized users. This leads to systems being unavailable for use.

Interception: An unauthorized individual intercepts the message content and changes it or uses it for malicious purposes. After this type of attack, the message does not remain confidential.

Modification: The content of the message is modified by a third party. This attack affects the integrity of the message.

So, to keep data secret while it is communicated between two persons or two organizations, the data is converted to another format before it is transmitted. We therefore turn to cryptography, which is the process of transmitting data securely without any interruption. Network security is the security of data transmission in the communication.

2. What is Cryptography?

The term cryptology has its origin in Greek kryptós lógos, which means “hidden word.” Cryptography is the science of protecting data, which provides means and methods of converting data into unreadable form, so that a valid user can access the information at the destination. Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis.

Cryptography Terminology:

a) Plaintext: The original intelligible message.

b) Cipher text: The transformed message.

c) Cipher: An algorithm for transforming an intelligible message to unintelligible by transposition.

d) Key: Some critical information used by the cipher, known only to the sender & receiver.
e) Encipher (Encode): The process of converting plaintext to cipher text using a cipher and a key.

f) Decipher (Decode): The process of converting cipher text back into plaintext using a cipher & key.

And many more.

3. Network Security

For Distributed computing
  Logical set of services distributed over the network
  Physical security model does not work anymore

For Internet and Web
  Increase of security threat
  More stringent security for E-commerce and B2B

Why Is System & Network Security Important?

There are those who believe that the security issues facing home users are greatly exaggerated, and that the only entities which need to be concerned about desktop and network security are businesses which have critical data on their machines. And many think that only broadband users or folks with high-speed connections need to be concerned.

Truth is, the vast majority of computer systems, including corporate ones, are not compromised for the data they may contain. Rather, they are often compromised for practical purposes, such as storage space for warez, or to create remote zombies for large-scale Distributed Denial of Service (DDoS) attacks against other networks. Compromised systems today are even being used to send spam.

Most systems are not necessarily compromised by a dedicated cracker trying a variety of remote commands until he/she successfully cracks the system password. Instead, most attacks today are performed using automated tools which attempt to exploit known vulnerabilities in various OSes and applications.

On a number of occasions, Internet traffic has been bogged down by the propagation of viruses and worms via unpatched systems. Among the more notable instances are Code Red, NIMDA, SQL Slammer, MS Blaster, and the Sasser worms. Given the rapid growth of home networks, this situation will only get worse if security does not become more important to more people.
Common Security Threats

Identity interception: It means that someone might steal your identity and use it as their own.

Replay attack: They might capture your request of withdrawing 1000 dollars from your Bank account and then replay that request over the network.

Data interception and manipulation: If someone can read your credit card information while it is on the wire, they could cause a lot of trouble for you.
Etc.

4. Network Security Needs

a. Security Needs of an Enterprise

Single sign-on Internet and intranet
Controlled access to corporate information
Secure business transaction over Internet
Centralized, easy to use security admin tools
Transparency of security features
Interoperable security systems
Various PKI schemes, Kerberos

b. Common Network Security Needs

Authentication (Identity verification)
Access control (Authorization)
Data confidentiality (Privacy)
Data integrity (Tamper-proofing)
Non-repudiation (Proof of transaction)
Auditing

5. Cryptographic Process

a. Basic Process

M is the original message
K_enc is encryption key
M' is the scrambled message
K_dec is decryption key

It is “difficult” to get M just by knowing M'.

E and D are related such that

E(K_enc, M) = M'
D(K_dec, M') = M
D(K_dec, E(K_enc, M)) = M

[Figure: Plaintext M, Encryption function E, Cipher text M', Decryption function D, Original Plaintext M]

So how does the cryptographic process work? The idea is rather simple. Let's say you have plaintext M. By providing the encryption key and the encryption function you get cipher text, M'. The cipher text can be decrypted using a decryption function and a decryption key, and the result is the original text. In the cryptographic process the mathematical property is such that it is practically impossible to derive M from M' unless the key is known.
b. Key Process Techniques

Symmetric-Key Encryption: One Key

Symmetric-key encryption, also called shared-key encryption or secret-key cryptography, uses a single key that both the sender and recipient possess. This key, used for both encryption and decryption, is called a secret key (also referred to as a symmetric key or session key). Symmetric-key encryption is an efficient method for encrypting large amounts of data. The drawback is that the key has to be transferred to the receiver, and that transfer is prone to security risks.
Public-Key Encryption: Two Keys

Two keys—a public key and a private key, which are mathematically related—are used in public-key encryption. To contrast it with symmetric-key encryption, public-key encryption is also sometimes called asymmetric-key encryption. In public-key encryption, the public key can be passed openly between the parties or published in a public repository, but the related private key remains private. Data encrypted with the public key can be decrypted only using the private key. Data encrypted with the private key can be decrypted only using the public key. In Figure 1, a sender has the receiver's public key and uses it to encrypt a message, but only the receiver has the related private key used to decrypt the message.

Fig 5.1 Public Key method

From the figure it can be observed that encryption is done with the public key and decryption with another key called the private key. This is called Public Key Cryptography.

c. Hash functions

An improvement on the public key scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input, in this case a message of any length, even thousands or millions of bits, and produces a fixed-length output; say, 160 bits. The hash function ensures that, if the information is changed in any way, even by just one bit, an entirely different output value is produced.

As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail.
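The hash-then-sign behaviour described above, as an added example that is not code from the paper: a message is hashed to 160 bits and the hash is signed with a private key, so a one-bit change or a signature moved to another document fails verification. It assumes a toy key built from two Mersenne primes and textbook (unpadded) RSA, with SHA-1 chosen only because it matches the 160-bit figure in the text; all names are hypothetical.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example).
# Far too small and too structured for real use; real systems use vetted libraries.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus, wider than the 160-bit digest
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, kept by the signer


def digest(message: bytes) -> bytes:
    """Fixed-length 160-bit output for input of any length (SHA-1 to match the
    text's figure; new designs should use SHA-256 or better)."""
    return hashlib.sha1(message).digest()


def sign(message: bytes) -> int:
    """Signer: hash the message, then transform the hash with the private key."""
    return pow(int.from_bytes(digest(message), "big"), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Verifier: recover the signed hash with the public key and compare."""
    return pow(signature, E, N) == int.from_bytes(digest(message), "big")


def flip_bit(message: bytes, index: int) -> bytes:
    """Return a copy of message with a single bit inverted."""
    out = bytearray(message)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of digest bits that differ between two messages."""
    x = int.from_bytes(digest(a), "big") ^ int.from_bytes(digest(b), "big")
    return bin(x).count("1")


if __name__ == "__main__":
    contract = b"Pay 1000 dollars to Bob"        # constructed sample messages
    other = b"Pay 9000 dollars to Mallory"
    sig = sign(contract)
    print("digest bits:", len(digest(contract)) * 8, len(digest(contract * 5000)) * 8)
    print("genuine message verifies:", verify(contract, sig))
    print("one-bit change verifies:", verify(flip_bit(contract, 0), sig))
    print("signature moved to another document verifies:", verify(other, sig))
    print("digest bits changed by one flipped input bit:",
          bits_changed(contract, flip_bit(contract, 0)))
```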
Figure 5.2 Hash Functions

d. Applications Of Cryptography

1. Defense Services
2. Secure Data Manipulation
3. E-Commerce
4. Business Transactions
5. Internet Payment Systems
6. Pass Phrasing
7. Secure Internet Comm.
8. User Identification Systems
9. Access Control
10. Computational Security
11. Secure access to Corp Data
12. Data Security

6. Digital Signatures and Digital Certificates

a. Public-Key Encryption for Digital Signatures

A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more.

A digital signature serves the same purpose as a handwritten signature. However, a handwritten signature is easy to counterfeit. A digital signature is superior to a handwritten signature in that it is nearly impossible to counterfeit, plus it attests to the contents of the information as well as to the identity of the signer.

b. Public-Key Encryption for Digital Certificates

Digital certificates, or certs, simplify the task of establishing whether a public key truly belongs to the purported owner. A certificate is a form of credential. An example might be your birth certificate. Such a credential has some information on it identifying you and some authorization stating that someone else has confirmed your identity.

Some certificates, such as your passport, are important enough confirmation of your identity that you would not want to lose them, lest someone use them to impersonate you.
A digital certificate is data that functions much like a physical certificate. A digital certificate is information included with a person's public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person's key for another.

A digital certificate consists of three things:

A public key.
Certificate information. ("Identity" information about the user, such as name, user ID, and so on.)
One or more digital signatures.

The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity. The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key. Thus, a certificate is basically a public key with one or two forms of ID attached, plus a hearty stamp of approval from some other trusted individual.

7. Cryptographic Technologies

a. Based on Layers

Link layer encryption
Network layer encryption
  IPSEC, VPN, SKIP
Transport layer
  SSL, PCT (Private Communication Technology)
Application layer
  PEM (Privacy Enhanced Mail)
  PGP (Pretty Good Privacy)
  SHTTP

The cryptographic process can be implemented at various layers, starting from the link layer all the way up to the application layer. The most popular encryption scheme is SSL and it is implemented at the transport layer. If the encryption is done at the transport layer, any application that is running on top of the transport layer can be protected.

b. Based on Algorithms

Secret-key encryption algorithms (Symmetric algorithms)

DES (Data Encryption Standard) -- 56-bit key
Triple DES -- 112-bit key
IDEA (International Data Encryption Algorithm) -- 128-bit key

Public-key encryption algorithms (Asymmetric algorithms)

Diffie-Hellman (DH): Exponentiation is easy but computing discrete logarithms from the resulting value is practically impossible

RSA: Multiplication of two large prime numbers is easy but factoring the resulting product is practically impossible
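The Diffie-Hellman property listed above, as an added example that is not code from the paper: each side sends only an exponentiation result over the network, yet both arrive at the same session key, which addresses the key-transfer drawback of symmetric-key encryption noted in section 5. The modulus 2**127 - 1, the base 3 and all names are assumptions chosen for the illustration; the group is a toy and not safe for real use.

```python
import hashlib
import secrets

# Public parameters, known to everyone including an eavesdropper.
# 2**127 - 1 is prime, but this toy group is not safe for real use.
P = 2**127 - 1
G = 3


class Party:
    def __init__(self):
        # Private exponent: chosen at random and never sent anywhere.
        self._private = secrets.randbelow(P - 3) + 2

    def public_value(self) -> int:
        """The only value sent over the network: G^x mod P (easy to compute)."""
        return pow(G, self._private, P)

    def session_key(self, peer_public: int) -> bytes:
        """Combine the own private exponent with the peer's public value."""
        if not 1 < peer_public < P - 1:          # reject degenerate values
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._private, P)
        # Hash the shared number down to a 256-bit symmetric (session) key.
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange():
    """Run one exchange; return what crossed the wire and both derived keys."""
    alice, bob = Party(), Party()
    wire = {"alice->bob": alice.public_value(), "bob->alice": bob.public_value()}
    k_alice = alice.session_key(wire["bob->alice"])
    k_bob = bob.session_key(wire["alice->bob"])
    return wire, k_alice, k_bob


if __name__ == "__main__":
    wire, k_alice, k_bob = exchange()
    for direction, value in wire.items():
        print(direction, hex(value))             # all an eavesdropper sees
    print("keys match:", k_alice == k_bob)
```

The exchange by itself does not tell either side who sent a public value; binding a public value to an identity is the job of the digital signatures and certificates of section 6.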
8. Public Key Infrastructure (PKI)

a. Introduction

The term public key infrastructure (PKI) is used to describe the policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, PKI refers to a system of digital certificates, certification authorities (CA), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. Standards for PKI are still evolving, even as they are being widely implemented as a necessary element of electronic commerce. This section will help you understand what a PKI is and what services are required to build a PKI.

b. PKI concepts on Certificates

Certificate: A public key certificate is a digitally signed statement used for authentication and secure exchange of information on the networks. The issuer and signer of the certificate is known as a certification authority (CA). A certificate carries a number, its validity, and the uses of the key pair (public and secret).

Certification Authority: A certification authority (CA) is an entity trusted to issue certificates to a requesting entity. A CA verifies the requester's information according to the policy of the CA, and then uses its private key to apply its digital signature to the certificate.

CA Policy: A CA issues certificates to requesters based on a set of established criteria. The set of criteria that a CA uses when processing certificate requests is referred to as CA policy. Typically, a CA publishes its policy in a document known as a Certification Practice Statement (CPS).

Types of Certification Authorities

Self-signed CA: The public key in the certificate and the key used to verify the certificate are the same.

Subordinate CA: The public key in the certificate and the key used to verify the certificate are different.

Rooted CA: This is trusted unconditionally by a client and is at the top of a certification hierarchy.
Registration: Registration is the process by which a certificate is issued to the subject, provided that the certificate is in compliance with the criteria established by the CA policy.

Certificate enrollment: The procedure that an end entity follows to request and receive a certificate from a CA. The certificate request provides identity information to the CA.

Certificate Revocation: Certificates have a specified lifetime, but CAs can reduce this lifetime by the process known as certificate revocation. The CA publishes a certificate revocation list (CRL) that lists serial numbers of certificates that it considers no longer usable.

Certificate Chain Validation: In a network, when we generate a request for a new certificate, the information in that request is first passed from the requesting program to the Certificate Authority (CA), which then passes the appropriate data to a program known as a cryptographic service provider (CSP).
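The certificate concepts above (self-signed, subordinate and unconditionally trusted root CAs, certificate lifetime, and CRL serial numbers) combined into one path check from an end-entity certificate up to a root. This is an added example, not code from the paper: keys are opaque labels standing in for real signature verification, and the certificate names, serial numbers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    public_key: str      # opaque label standing in for real key material
    verify_key: str      # key that verifies this certificate's signature
    not_after: date      # end of the specified lifetime

    @property
    def self_signed(self) -> bool:
        # Self-signed: the key in the certificate also verifies the certificate.
        return self.public_key == self.verify_key


def build_chain(leaf, pool):
    """Walk from the end-entity certificate towards a self-signed certificate."""
    by_key = {c.public_key: c for c in pool}
    chain, seen = [leaf], {leaf.serial}
    while not chain[-1].self_signed:
        issuer = by_key.get(chain[-1].verify_key)
        if issuer is None or issuer.serial in seen:   # missing issuer or a loop
            return None
        chain.append(issuer)
        seen.add(issuer.serial)
    return chain


def validate(leaf, pool, trusted_roots, crl, today):
    """Return (ok, reason) for the path from leaf up to a trusted root CA."""
    chain = build_chain(leaf, pool)
    if chain is None:
        return False, "no path to a self-signed certificate"
    if chain[-1].public_key not in trusted_roots:
        return False, "root is self-signed but not trusted by this client"
    for cert in chain:
        if cert.serial in crl:
            return False, f"serial {cert.serial} ({cert.subject}) is on the CRL"
        if today > cert.not_after:
            return False, f"{cert.subject} has passed its lifetime"
    return True, " -> ".join(c.subject for c in chain)


# Constructed sample hierarchy: root CA -> subordinate CA -> user.
ROOT = Cert(1, "Example Root CA", "K-root", "K-root", date(2035, 1, 1))
SUB = Cert(2, "Example Subordinate CA", "K-sub", "K-root", date(2030, 1, 1))
USER = Cert(3, "alice", "K-alice", "K-sub", date(2027, 1, 1))
ROGUE = Cert(9, "Rogue CA", "K-rogue", "K-rogue", date(2035, 1, 1))
MALLORY = Cert(10, "mallory", "K-mal", "K-rogue", date(2027, 1, 1))
POOL = [ROOT, SUB, USER, ROGUE, MALLORY]
TRUSTED = {"K-root"}

if __name__ == "__main__":
    day = date(2026, 6, 1)
    print(validate(USER, POOL, TRUSTED, crl=set(), today=day))
    print(validate(USER, POOL, TRUSTED, crl={2}, today=day))   # subordinate CA revoked
    print(validate(MALLORY, POOL, TRUSTED, crl=set(), today=day))
```

A self-signed certificate only proves that it is consistent with itself, which is why the rogue hierarchy is rejected even though its links are intact: trust comes from the client's list of roots, not from the chain.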
A CSP is an independent software module that performs cryptography operations, such as secret-key exchange, digital signing of data, and public-key authentication. Chain-building mechanism attempts to build a certification path (a certificate chain) from the end-entity certificate, such as a user certificate, up to a CA root certificate,

9. Attacking Cryptography

Cryptanalysis

Cryptanalysis is the process of attempting to discover the plaintext and/or the key. The types of cryptanalysis attacks are:

Differential Cryptanalysis Attack: The differential cryptanalysis attack looks specifically at pairs of cipher texts whose plaintext has some specific differences. It analyzes these differences as the plaintext propagates through various rounds of Data Encryption Standard (DES) when they are encrypted with the same key.

Linear Cryptanalysis Attack: The linear cryptanalysis attack was invented by Mitsuru Matsui in 1993. This method is based on the concept that if you XOR some of the plaintext bits together, XOR some cipher text bits together, and then XOR the results, you will get a single bit that is the XOR of some of the key bits. A large number of such plaintext/cipher text pairs are used to guess the values of the key bits.

10. Summary

Cryptography protects users by providing functionality for the encryption of data and authentication of other users. This technology lets the receiver of an electronic message verify the sender, ensures that a message can be read only by the intended person, and assures the recipient that a message has not been altered in transit. This paper describes the cryptographic concepts of symmetric-key encryption, public-key encryption, types of encryption algorithms, hash algorithms, digital signatures, and key exchange. It also covers techniques for attacking cryptography, such as cryptanalysis and brute-force attack. This paper also provides information on network security needs and requirements.
11. References
1. Encyclopedia of Cryptography
2. Articles on Network security
3. Discussion with college faculty