Network Security Essentials
MODULE – 4
Network Security
4.1 Overview of Network Security
Network security is the protection of data, while it is in transit through routers and
intermediate hosts, from unauthorized persons.
Lokanna Kadakolmath,
Asst. Professor,
Dept of IS&E, AcIT Page 1
Computer Networks 18cs52
2. Threats to Network Security
• DNS Hacking: The Domain Name System (DNS) is a distributed, hierarchical, global
directory that translates domain names into numerical IP addresses. A DNS hacking
attack can destroy the authenticity and integrity of data and may take any of the
following forms.
1. Information-Level Attack: It forces a server to respond with something other
than the correct answer.
2. Masquerading Attack: The adversary poses as a trusted entity and obtains all
the secret information. It is also called a man-in-the-middle attack, because
the adversary convinces the server that it is the legitimate client and
convinces the client that it is the legitimate server.
3. Information Leakage Attack: The attacker sends queries to all hosts and
identifies which IP addresses are not in use. Later, those addresses can be
used to mount other types of attacks.
4. Domain Hijacking Attack: Whenever a user enters a domain address,
he / she is redirected to the attacker's website.
• Routing Table Poisoning Attacks: This is the undesired modification of routing
tables. There are two types of routing table poisoning attacks.
1. Link Attack: It occurs when a hacker gains access to a link and thereby
intercepts, interrupts or modifies the routing messages carried in packets.
2. Router Attack: It may affect the link-state protocol or even the distance-
vector protocol. If link-state protocol routers are attacked, they may
add a non-existent link to a routing table, delete an existing link, or even
change the cost of a link. In a distance-vector protocol router, an attacker
may send wrong updates about any node in the network, thereby
misleading the router.
• Packet-Mistreatment Attacks: These can occur during any data transmission. A
hacker may capture certain data packets and mistreat them. They can also be
sub-classified into link attacks and router attacks.
1. Link Attack: Causes interruption, modification, or replication of data
packets.
2. Router Attack: Can misroute all packets and may result in congestion or
denial of service.
Examples
2.1 Interruption: If an attacker intercepts packets, they may not be allowed
to propagate to their destination, resulting in lower throughput of the
network.
2.2 Modification: The attacker can change the address of the packet or even
change its data.
2.3 Replication: An attacker might trap a packet and replay it.
2.4 Ping of Death: An attacker may send a ping message which is so large that
it must be fragmented. When the receiver reassembles the fragments, the
total packet length becomes too large and may cause a system crash.
2.5 Malicious Misrouting of Packets: A hacker may attack a router and
change its routing table entries.
• Denial of Service Attacks: A denial of service (DoS) attack is a type of security
breach that prohibits a user from accessing normally provided services. It affects
the destination rather than a data packet or router. Usually, DoS attacks affect a
specific network service such as e-mail or DNS. DoS attacks are of two types.
1. Single Source: An attacker sends a large number of packets to a target
system to overwhelm and disable it.
2. Distributed: In this type of attack, a large number of hosts are used to flood
unwanted traffic to a single target. The flood may be a UDP flood, a TCP
flood, or an ICMP flood.
1. Cryptographic Techniques
• Terminology
10. Secret Key: This may be any one of a large number of values used by a
cryptographic algorithm for the purpose of encryption and decryption.
With key k, message M and ciphertext C, the encryption and decryption functions are:
Ek (M) = C
Dk (C) = M
Dk (Ek (M)) = M
For example, let M = 01100101, key k = 11111111, and the Exclusive-OR (⊕) function be
the cryptographic algorithm. Then encryption is M ⊕ k and decryption is C ⊕ k:
M     0 1 1 0 0 1 0 1
k  ⊕  1 1 1 1 1 1 1 1
C     1 0 0 1 1 0 1 0
k  ⊕  1 1 1 1 1 1 1 1
M     0 1 1 0 0 1 0 1
1. Secret Key Encryption: In the secret key model, both sender and receiver
conventionally use the same key for encryption and decryption. It is also called
private key, single key, or symmetric encryption.
2. Public Key Encryption: In the public key model, sender and receiver use
different keys for encryption and decryption. It is also called double key or
asymmetric encryption. Here each party has two keys, called the public key and
the private key. The public key is used to encrypt and the private key is used to
decrypt.
2. Authentication Techniques
Encryption methods provide message confidentiality. However, a networking system
must also be able to verify the authenticity of the message and of the sender of the
message. The security techniques that do this in computer networks are called
authentication techniques, and they are classified as
1. Authentication with message digest
2. Authentication with digital signature.
3. The 56 bits of the key are also broken into two 28-bit parts, and each part is rotated
one- or two-bit positions, depending on the round.
4. All 56 bits of the key are permuted, producing key Ki on round i.
5. Here, Exclusive-OR (⊕) operation is performed on the Li and Ri parts of the plaintext
as shown below.
Li = Ri-1
Ri = Li-1 ⊕ F (Ri-1, Ki)
6. All 64 bits of the message are permuted and then sent to the next round; steps 2-6
are repeated until round 16 is reached.
Computation of Function F (Ri-1, Ki)
1. Out of the 56 bits of Ki, the function F ( ) uses only 48 bits.
2. Ri-1 is expanded from 32 bits to 48 bits. To expand the 32 bits of Ri-1, follow
these sub-steps.
a. Ri-1 is broken into eight 4-bit chunks.
b. Each chunk is extended to 6 bits by copying the rightmost bit of its left
neighbour and the leftmost bit of its right neighbour, giving eight 6-bit chunks.
3. It also partitions the 48 bits of Ki into eight 6-bit chunks.
4. Now, the expanded 48-bit Ri-1 and the 48 selected bits of Ki are combined with XOR:
Ri-1 = Ri-1 ⊕ Ki
5. Finally, the 48-bit Ri-1 is reduced back to 32 bits. To reduce the 48 bits of Ri-1,
follow these sub-steps.
a. Ri-1 is broken into eight 6-bit chunks.
b. The eight 6-bit chunks are input to the eight substitution boxes (S-boxes)
respectively, each of which outputs a 4-bit chunk. The 4-bit outputs of the eight
S-boxes form the 32-bit Ri-1.
c. An S-box is a table of 4 rows and 16 columns. Each cell of the table contains a
4-bit number.
d. The first and last bits of the input 6-bit chunk select a row and the middle 4 bits
select a column. The cell at that row and column is the 4-bit output
chunk.
Key Generation
1. First, all 56 bits of the key are initially permuted.
2. The 56-bit key is broken into two 28-bit parts denoted Ci and Di respectively.
3. At each round Ci-1 and Di-1 are separately subjected to a circular left shift (rotation)
of 1 or 2 bits. The shifted values serve as input to the next round. That is
Ci = Ci-1 rotated left and Di = Di-1 rotated left
4. Also, the shifted values serve as an input to the permuted choice 2, which produce 48-
bits output that serve as input to the function F (Ri-1, Ki).
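The round structure above, as an added example that is not the notes' own code: sixteen rounds of Li = Ri-1, Ri = Li-1 ⊕ F(Ri-1, Ki) with the key halves rotated by 1 or 2 bits per round. Only the S-box S1 is genuine DES data (to show the row/column lookup rule); toy_f and the 48-bit subkey selection are constructed stand-ins for the real F and PC-2, so this is not DES itself.

```python
# Added example (not the notes' own code): the DES round structure
# Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki) on a 64-bit block, with a constructed
# stand-in F. Only the S-box lookup rule (first and last bit = row, middle
# four bits = column) uses genuine DES data, the S-box S1 from the standard.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
MASK28, MASK32, MASK48 = (1 << 28) - 1, (1 << 32) - 1, (1 << 48) - 1
ROUND_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # rotation per round

def sbox_lookup(box, six_bits):
    """Step 5d: the outer two bits select the row, the middle four bits the column."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]

def toy_f(r, k):
    """Hypothetical F: fold the 48-bit subkey onto the 32-bit half, then run the
    low 6 bits through S1 so the lookup rule is exercised. Not the real DES F."""
    mixed = (r ^ (k & MASK32) ^ (k >> 16)) & MASK32
    return ((mixed << 4) | sbox_lookup(S1, mixed & 0x3F)) & MASK32

def make_subkeys(key56):
    """Key generation as in the notes: split into two 28-bit halves C and D,
    rotate each left by 1 or 2 bits per round, keep 48 bits (stand-in for PC-2)."""
    c, d = key56 >> 28, key56 & MASK28
    subkeys = []
    for s in ROUND_SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & MASK28
        d = ((d << s) | (d >> (28 - s))) & MASK28
        subkeys.append(((c << 28) | d) & MASK48)
    return subkeys

def feistel(block64, subkeys, f=toy_f):
    """Sixteen rounds of Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki), then the final
    swap of halves. Decrypting is the same call with the subkeys reversed."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left
```

Because each round only XORs a function of the unchanged half into the other half, the structure inverts itself whatever F is; that is why F need not be invertible.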
2. AES (Advanced Encryption Standard)
Advanced Encryption Standard (AES) is a specification for the encryption of electronic
data established by the U.S. National Institute of Standards and Technology (NIST) in
2001. AES is widely used today as it is much stronger than DES.
Assumptions
1. Plaintext is 128-bit block.
2. It uses key having 128, 192, or 256-bit length.
3. It uses 10-14 rounds depending on the key and block sizes. In the algorithm below we
use 10 rounds and a 128-bit key.
4. All rounds are identical except for the last round, which has no mix column stage.
Algorithm
1. The 128-bit plaintext is formed as 16 bytes m0 through m15, which are separately
permuted.
2. Substitution units indicated by S perform a byte-by-byte substitution of the blocks.
3. The ciphers, arranged in rows and columns, move through a permutation stage that
shifts rows and mixes columns, as illustrated in the sub-steps below.
a. The Shift Rows step operates on the rows of the state; it cyclically shifts the bytes
in each row by a certain offset. The first row is left unchanged. Each byte of the
second row is shifted one to the left. Similarly, the third and fourth rows are shifted
by offsets of two and three respectively.
b. In the Mix Columns step, the four bytes of each column of the state are combined
using an invertible linear transformation. The Mix Columns function takes four
bytes as input and outputs four bytes, where each input byte affects all four output
bytes.
4. Now, all 16 bytes of the cipher are XORed with the 16 bytes of the round-1 key K0-K15.
5. The 128-bit key is also formed as 16 bytes K0 through K15.
The AES decryption algorithm is fairly simple and is basically the reverse of the
encryption algorithm. Substitution is an operation in which each character (byte) is
replaced by another character.
4. Choose an encryption key e such that e and Φ(n) are relatively prime. That is, gcd
(e, Φ(n)) = 1.
5. Compute the decryption key d, such that
6. Now, the ordered pair (e, n) is your RSA Public Key (Encryption Key).
7. Now, the ordered pair (d, n) is your RSA Private Key (Decryption Key).
Encryption Algorithm
Given a message m < n the ciphertext c is,
Decryption Algorithm
Given the ciphertext c, the plaintext m is,
Example
1. Encrypt and decrypt the message m = 30, using RSA algorithm, given p = 3
and q = 11.
Key Generation
1. Given p = 3 and q = 11
2. Compute n = p * q = 3 * 11 = 33
3. Compute Φ(n) = (p-1) (q-1) = (3-1) * (11-1) = 20
4. Find e such that gcd (e, Φ(n)) = 1; for e = 3, gcd (3, 20) = 1. ∴ e = 3
5. Find d such that d = e⁻¹ mod Φ(n); d = 3⁻¹ mod 20 = 7
6. Public Key = {3, 33}
7. Private Key = {7, 33}
Encryption
Given a message m =30, and n =33 (30 < 33)
Decryption
Given the ciphertext c, the plaintext m is,
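The worked RSA example above carried through in code, as an added example that is not the notes' own code. It uses the standard RSA formulas (c = m^e mod n, m = c^d mod n) with the notes' values p = 3, q = 11, e = 3 and m = 30, and computes d with the extended Euclidean algorithm.

```python
# Added example (not the notes' own code): RSA key generation, encryption and
# decryption as in the steps above, run on the notes' values p = 3, q = 11, e = 3.
from math import gcd

def mod_inverse(e, phi):
    """Extended Euclid: return d with (e * d) mod phi == 1, or raise if none exists."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) are not relatively prime")
    return old_s % phi

def rsa_keygen(p, q, e):
    """Steps 2-7: n = p*q, phi = (p-1)(q-1), check gcd(e, phi) = 1, d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("gcd(e, phi(n)) must be 1")
    d = mod_inverse(e, phi)
    return (e, n), (d, n)          # public key (e, n), private key (d, n)

def rsa_encrypt(m, public_key):
    """Encryption: c = m^e mod n for a message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy m < n")
    return pow(m, e, n)

def rsa_decrypt(c, private_key):
    """Decryption: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)
```

With the notes' values, 30^3 mod 33 = 6 and 6^7 mod 33 = 30, so the ciphertext is 6 and decryption recovers the message.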
want to communicate securely, can agree on a symmetric key using this technique. This
key can then be used for encryption/decryption.
Algorithm
Let us assume that Alice and Bob want to agree upon a key to be used for encrypting /
decrypting the messages exchanged between them, using the following Diffie-Hellman
key exchange algorithm.
User A                                User B
Generate random number x < n          Generate random number y < n
Send A  ---------------------->
        <----------------------       Send B
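The exchange above run on both sides, as an added example that is not the notes' own code. It assumes the standard Diffie-Hellman formulas (A = g^x mod n, B = g^y mod n, key = B^x mod n = A^y mod n) with a public prime n and generator g, and uses constructed toy parameters; the last function shows why n must be very large in practice.

```python
# Added example (not the notes' own code): the Diffie-Hellman exchange above
# with the standard formulas on constructed toy parameters. n is a public prime
# and g a public generator; A sends A = g^x mod n, B sends B = g^y mod n, and
# each side forms the same key because B^x = A^y = g^(xy) (mod n).
import secrets

def dh_public(g, n, private):
    """The value a user sends over the network."""
    return pow(g, private, n)

def dh_shared(received_public, private, n):
    """The value a user keeps: the agreed symmetric key."""
    return pow(received_public, private, n)

def dh_exchange(g, n, x=None, y=None):
    """Run both sides; x and y are drawn at random when not supplied.
    Returns (A, B, key computed by A, key computed by B)."""
    x = 1 + secrets.randbelow(n - 2) if x is None else x
    y = 1 + secrets.randbelow(n - 2) if y is None else y
    A = dh_public(g, n, x)              # A -> B
    B = dh_public(g, n, y)              # B -> A
    return A, B, dh_shared(B, x, n), dh_shared(A, y, n)

def recover_private_by_trial(g, n, public):
    """Why n must be hundreds of digits long: an eavesdropper who sees g, n and a
    public value needs x with g^x mod n == public; trial search only works for toy n."""
    for x in range(1, n):
        if pow(g, x, n) == public:
            return x
    return None
```

With g = 5, n = 23, x = 6 and y = 15 the exchanged values are A = 8 and B = 19, and both sides arrive at key 2.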
Example
4.5 Authentication
Authentication techniques are used to verify identity. Message authentication verifies
the authenticity of both the message content and the message sender. Message content is
authenticated using a hash function and encryption of the resulting message digest. The
sender authenticity can be implemented by using a digital signature.
Hash Function
It is a common technique for authenticating a message. A hash function produces a
fingerprint of a message, also called a hash value or message digest. The hash value is
added at the end of the message before transmission. The receiver recomputes the hash
value from the received message and compares it to the received hash value. If the two
hash values are the same, the message was not altered during transmission.
A hash function H accepts a variable-length block of data M as input and produces a fixed-
size hash value h = H(M).
So, a hash function is any function that can be used to map data of arbitrary size to fixed-
size values. The values returned by a hash function are called hash values, hash codes,
message digests, simply hashes, fingerprint or the summary of a message.
Let us assume that we want to calculate the message digest of the number 7391753. We
multiply each digit of the number by the next digit, skipping any digit that is 0, and if
the result of a multiplication is a two-digit number we discard its first digit.
Figure 4.9: Message Authentication (a): with encryption, (b): without encryption
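The digit-multiplication digest above, used as the fingerprint in the "hash without encryption" flow of Figure 4.9, as an added example that is not the notes' own code (the 7391763 tampered message is a constructed scenario).

```python
# Added example (not the notes' own code): the digit-multiplication digest
# described above, used as the fingerprint in the message authentication flow of
# Figure 4.9 (digest appended, receiver recomputes and compares). The digest is a
# teaching toy, not a cryptographic hash.

def toy_digest(number):
    """Multiply each digit by the next, skipping zeros and keeping only the last
    digit of a two-digit product; the final digit is the message digest."""
    digits = [int(ch) for ch in str(number)]
    acc = digits[0]
    for d in digits[1:]:
        if d == 0:                # zeros are excluded from the multiplication
            continue
        acc = (acc * d) % 10      # discard the first digit of a two-digit result
    return acc

def send(message):
    """Sender: append the digest to the message before transmission."""
    return (message, toy_digest(message))

def verify(received):
    """Receiver: recompute the digest and compare with the received one."""
    message, digest = received
    return toy_digest(message) == digest

def message_authentication_demo():
    """Constructed scenario: one transmission intact, one with a digit altered."""
    packet = send(7391753)
    tampered = (7391763, packet[1])   # a digit changed in transit, digest untouched
    return packet, verify(packet), verify(tampered)
```

A one-digit fingerprint lets a random alteration slip through one time in ten, which is why SHA produces a 160-bit digest instead.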
Working of SHA
Step 1, Padding: The first step of SHA is to add padding to the end of the original
message so that the length of the message is 64 bits short of a multiple of 512. The
padding consists of a single 1 bit, followed by as many 0 bits as required.
Step 2, Append length: The length of the original message, excluding the padding, is
now calculated and appended after the padding as a 64-bit block.
Step 3, Divide the Input Into 512-bit Blocks: The input message is now divided into blocks,
each of length 512 bits. These blocks become the input to the message-digest processing
logic.
Step 4, Initialize Chaining Variables: Now, five chaining variables A through E are
initialized, because we want to produce a message digest of length 160 bits (5 X 32 = 160
bits).
A = Hex 01 23 45 67
B = Hex 89 AB CD EF
C = Hex FE DC BA 98
D = Hex 76 54 32 10
E = Hex C3 D2 E1 F0
Step 5, Process Blocks: Now the actual algorithm begins.
Step 5.1: Copy the chaining variables A-E into variables a-e. The combination of a-e, called
abcde, will be considered as a single shift register for storing the temporary intermediate
as well as the final results.
[Figure: the register abcde, in the abstract view a single unit and in the internal view the five variables a b c d e]
Step 5.2: Now divide the current 512-bit block into 16 sub-blocks, each consisting of 32
bits.
Step 5.3: SHA has four rounds, each round consisting of 20 steps. Each round takes the
current 512-bit block, the register abcde, and a constant K[t] (where t = 0 to 79) as the
three inputs. It then updates the contents of the register abcde using the SHA algorithm
steps.
[Figure: one round, operating on the register a b c d e]
Step 5.4: SHA consists of four rounds, each round containing 20 iterations. This makes it
a total of 80 iterations. The logical operation of a single SHA iteration is shown below.
e = d
d = c
c = b ≪ 30        /* s30 (b) */
b = a
a = (e + Process P + s5(a) + W[t] + K[t])
(all five assignments use the values of a-e from the previous iteration)
Value of W[t]
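Steps 1-5 above in code, as an added example that is not the notes' own code: a compact SHA-1 cross-checked against Python's hashlib. The W[t] schedule is the standard one (the notes' own table for it is not on this page), and the chaining variables the notes list as bytes 01 23 45 67 ... are written here as the 32-bit words 0x67452301 and so on.

```python
# Added example (not the notes' own code): a compact SHA-1 following steps 1-5
# above, checked against hashlib. The notes list the chaining variable bytes as
# 01 23 45 67 ...; as 32-bit words they are 0x67452301 and so on.
import hashlib, struct

MASK = 0xFFFFFFFF
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]   # one constant per 20-step round

def rotl(x, n):
    """32-bit circular left shift, the s5 and s30 operations of the notes."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(message):
    """Steps 1-2: a single 1 bit, zeros until 64 bits short of a multiple of 512,
    then the original length in bits as a 64-bit big-endian block."""
    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    return message + struct.pack(">Q", bit_len)

def process_block(h, block):
    """Steps 5.1-5.4: 16 words expanded to W[0..79], then 80 iterations on abcde."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f = (b & c) | (~b & d)          # "Process P" changes each round
        elif t < 40 or t >= 60:
            f = b ^ c ^ d
        else:
            f = (b & c) | (b & d) | (c & d)
        # e = d, d = c, c = s30(b), b = a, a = s5(a) + P + e + W[t] + K[t]
        a, b, c, d, e = (rotl(a, 5) + f + e + w[t] + K[t // 20]) & MASK, a, rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]

def sha1(message):
    """Steps 3-4: initialise A..E, then feed every 512-bit block through step 5."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad(message)
    for i in range(0, len(padded), 64):
        h = process_block(h, padded[i:i + 64])
    return "".join("%08x" % x for x in h)

def matches_hashlib(message):
    """Cross-check against the standard library implementation."""
    return sha1(message) == hashlib.sha1(message).hexdigest()
```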
4.7 Firewalls
A firewall protects data from the outside world. A firewall can be a software program
or a hardware device. A firewall may be a simple router implemented with a special
program. This unit is placed between hosts of a certain network and the outside world,
as shown in below figure.
The objective of such a configuration is to monitor and filter packets coming from
unknown sources and to protect the network from unwanted websites and potential
hackers, and it is also used to control data traffic.
Software firewall programs can be installed on home computers. With these so-called
gateways, the home computers access web servers through the software firewall.
Hardware firewalls are more secure than software firewalls and are not expensive.
A firewall controls the flow of traffic by one of the following three methods.
1. Packet Filtering: Apart from forwarding packets between networks, a firewall
filters the packets that pass through it. A firewall can be programmed to
discard certain packets addressed to a particular IP host or TCP port number.
2. Filtering packets based on the source IP address: This is helpful when a host has
to be protected from unwanted external packets.
3. Denial of Service control: It limits the number (N) of packets entering the network.
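The three controls above applied by one small packet filter, as an added example that is not the notes' own code; the rule sets and the sample packets are constructed, with addresses taken from documentation ranges.

```python
# Added example (not the notes' own code): a packet filter applying the three
# controls listed above to constructed traffic: discard packets to a blocked
# host/port, discard packets from a blocked source, and cap the number of
# packets any one source may send in. Addresses are from documentation ranges.
from collections import Counter

BLOCKED_DESTINATIONS = {("10.0.0.5", 23)}   # (host, TCP port) pairs to discard
BLOCKED_SOURCES = {"198.51.100.7"}          # source addresses to discard
MAX_PACKETS_PER_SOURCE = 3                  # the "N" packets admitted per source

def filter_packets(packets):
    """Return (allowed, dropped); each dropped entry records the rule that fired."""
    admitted = Counter()
    allowed, dropped = [], []
    for pkt in packets:
        src, dst, port = pkt["src"], pkt["dst"], pkt["port"]
        if (dst, port) in BLOCKED_DESTINATIONS:
            dropped.append((pkt, "packet filtering: blocked host/port"))
        elif src in BLOCKED_SOURCES:
            dropped.append((pkt, "source filtering: blocked source address"))
        elif admitted[src] >= MAX_PACKETS_PER_SOURCE:
            dropped.append((pkt, "denial of service: per-source limit reached"))
        else:
            admitted[src] += 1
            allowed.append(pkt)
    return allowed, dropped

SAMPLE_PACKETS = [  # constructed traffic
    {"src": "203.0.113.1", "dst": "10.0.0.5", "port": 80},
    {"src": "203.0.113.1", "dst": "10.0.0.5", "port": 23},
    {"src": "198.51.100.7", "dst": "10.0.0.9", "port": 443},
] + [{"src": "203.0.113.9", "dst": "10.0.0.9", "port": 53} for _ in range(5)]

def demo():
    """Run the filter over the sample: number allowed and the reasons for each drop."""
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    return len(allowed), [reason for _, reason in dropped]
```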