Network Security
Malaka Pathirana
MSc in IT – Cyber Security (Reading), BSc (Hons) in IT | Cisco Certified CCNA Instructor
Outline
▪ Security inside Networks
▪ Security Threats
▪ Cryptography
▪ Security Services
References :
Data Communications and Networking By Behrouz A.Forouzan (5th Edition)
Guide to Computer Network Security by Joseph Migga Kizza (4th Edition)
Security inside Networks
▪ Computer networks are distributed networks of computers that
are connected to share many resources.
▪ Network security is not about protecting individual computers
but an entire network.
▪ Network security involves creating an environment in which a
computer network and all its users are secure.
▪ Network security issues include:
▪ protecting data from unauthorized access
▪ protecting data from damage and development
▪ implementing policies and procedures for recovery from
breaches and data losses.
▪ Broader and more complex field of study/research.
Network Security
The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity,
availability, and confidentiality of information system resources
(including hardware, software, firmware, information/data, and
telecommunications).
-NIST Computer Security Handbook
Key objectives of Computer Security:
• Confidentiality
• Integrity
• Availability
CIA Triad
Confidentiality
Ensures that information is only accessible to those who are authorized to
access it. Measures to ensure confidentiality include encryption, access
controls, and data classification.
Integrity
Information remains accurate and trustworthy throughout its lifecycle.
This involves protecting data from unauthorized modification, deletion, or
corruption. Techniques such as digital signatures, checksums, and version
control help maintain data integrity.
Availability
Information and resources are accessible and usable when needed by
authorized users.
This involves measures to prevent or mitigate disruptions such as
denial-of-service (DoS) attacks, hardware failures, or natural disasters.
Redundancy, failover systems, and disaster recovery plans are key
components of ensuring availability.
Security Threats
Sources
▪ Weaknesses in network infrastructure (Vulnerability)
▪ Rapid growth of cyberspace
▪ Growth of Hacker Community, etc.
Motives
▪ Terrorism
▪ Military Espionage - information gathering from non-disclosed
sources / spying on potential enemies
▪ Economic Espionage - unlawful targeting and theft of critical
economic intelligence, such as trade secrets and intellectual
property
▪ Revenge, Hate, Greed etc.
Cryptography
▪ An encryption algorithm transforms the plaintext into ciphertext.
▪ To encrypt a message, we need an encryption algorithm, an
encryption key, and the plaintext. These create the ciphertext.
▪ A decryption algorithm transforms the cipher-text back into
plaintext.
▪ To decrypt a message, we need a decryption algorithm, a
decryption key, and the cipher-text. These reveal the original
plaintext.
Cryptography
▪ Plaintext
The original message, before being transformed, is called plaintext.
▪ Cipher-text
After the message is transformed, it is called ciphertext.
▪ Cipher
Refer to encryption and decryption algorithms.
▪ Key
A key is a number/set of numbers that the cipher operates on.
Cryptology
Cryptology is divided as follows:
▪ Cryptography
  ▪ Symmetric Ciphers
    ▪ Block Ciphers
    ▪ Stream Ciphers
  ▪ Asymmetric Ciphers
  ▪ Protocols
▪ Cryptanalysis
Cryptography Algorithms (Ciphers)
▪ We can divide all the cryptography algorithms (ciphers) into two
groups.
▪ Symmetric key (also called secret-key) cryptography algorithms
▪ Asymmetric (also called public-key) cryptography algorithms
Symmetric Cryptography
• Alternative names: private-key, single-key or secret-key cryptography.
[Figure: Alice (good) and Bob (good) exchange a message x over an unsecure
channel (e.g. Internet); Oscar (bad guy) has access to the channel.]
• Problem Statement:
1) Alice and Bob would like to communicate via an unsecured channel (e.g.,
WLAN or Internet).
2) A malicious third party, Oscar (the bad guy), has channel access but should
not be able to understand the communication.
Symmetric Cryptography
Solution: Encryption with symmetric cipher.
[Figure: Alice (good) encrypts x with e_K( ) and sends the ciphertext y over the
unsecure channel (e.g. Internet); Bob (good) decrypts y with d_K( ) and recovers x.
Oscar (bad guy) obtains only the ciphertext y, which looks like random bits.
A key generator delivers K to both Alice and Bob over a secure channel.]
• x is the plaintext
• y is the ciphertext
• K is the key
• Set of all keys {K1, K2, ..., Kn} is the key space
• Encryption equation: y = e_K(x)
• Decryption equation: x = d_K(y)
• Encryption and decryption are inverse operations if the same key
K is used on both sides:
d_K(y) = d_K(e_K(x)) = x
• Important: The key must be transmitted between Alice and Bob via a
secure channel.
• The secure channel can be realized, e.g., by manually installing the
key for the Wi-Fi Protected Access (WPA) protocol or a human courier.
• However, the system is only secure if an attacker does not learn the
key K!
The problem of secure communication is reduced to secure
transmission and storage of the key K.
Shift (or Caesar) Cipher
▪ Ancient cipher, allegedly used by Julius Caesar
▪ Each letter in the Plaintext is replaced with some other letter.
▪ That replacing letter is obtained by moving down a fixed
number of positions in the Alphabet, beginning from the
original letter.
E.g. Shifted by 3 positions.
Plaintext alphabet:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher alphabet:     D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Caesar's Cipher: each letter shifted by 3 positions
Plaintext:   NETWORKS
Cipher-text: QHWZRUNV
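The shift cipher above is the simplest instance of the symmetric scheme y = e_K(x), x = d_K(y) from the previous slides. The following Python is an added example, not code from the lecture notes or the referenced textbooks; the function names (shift_encrypt, shift_decrypt, roundtrip_ok, brute_force) are my own. It encrypts the NETWORKS example with K = 3, checks the identity d_K(e_K(x)) = x for every key, and goes one step beyond the notes by showing why a key space of only 26 keys cannot resist the brute-force attack listed later under Cryptanalysis.

```python
import string

ALPHABET = string.ascii_uppercase
# Key space of the shift cipher: the 26 possible shifts {0, ..., 25}.
KEY_SPACE = range(len(ALPHABET))


def shift_encrypt(plaintext: str, key: int) -> str:
    """e_K(x): replace each letter by the one `key` positions further down the
    alphabet (wrapping from Z back to A). Non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """d_K(y): the inverse operation, i.e. shifting back by the same key K."""
    return shift_encrypt(ciphertext, -key % 26)


def roundtrip_ok(plaintext: str, key: int) -> bool:
    """Checks d_K(e_K(x)) = x for one key."""
    return shift_decrypt(shift_encrypt(plaintext, key), key) == plaintext.upper()


def brute_force(ciphertext: str) -> dict:
    """Oscar's view: with 26 keys, trying the whole key space is trivial.
    Returns {key: candidate plaintext}; the readable candidate reveals K."""
    return {k: shift_decrypt(ciphertext, k) for k in KEY_SPACE}


if __name__ == "__main__":
    y = shift_encrypt("NETWORKS", 3)
    print("ciphertext:", y)             # QHWZRUNV
    print("decrypted: ", shift_decrypt(y, 3))
    for k, candidate in brute_force(y).items():
        print(f"K={k:2d}: {candidate}")
```

The brute-force loop is the lesson of the key-space bullet: the cipher is only as strong as the number of keys an attacker has to try, which is why modern symmetric ciphers such as AES use keys of 128 bits or more.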
Symmetric Key Cryptography
▪ In symmetric-key cryptography, the same key is used by both
encryption and decryption.
▪ The sender uses this key and an encryption algorithm to encrypt
data.
▪ The receiver uses the same key and the corresponding decryption
algorithm to decrypt the data.
▪ The key is shared between the two parties (called the secret key).
E.g. DES, Triple DES, AES
Asymmetric Key Cryptography
▪ Maintain two keys: a private key and a public key.
▪ The private key is kept by the receiver.
▪ The public key is announced to the public.
▪ Sender(Alice) uses the receiver’s public key to encrypt the
message.
▪ When the message is received by the receiver (Bob), the
receiver’s private key is used to decrypt the message.
▪ E.g. RSA, Diffie-Hellman
Symmetric vs Asymmetric
Security Services
▪ Network security provides five security services.
▪ Four of these services are related to the message exchanged using
the network. (Message confidentiality, Integrity, Authentication,
Nonrepudiation)
▪ The fifth service provides entity authentication or identification.
1.Message confidentiality
▪ The transmitted message must make sense only to the intended
receiver.
▪ To all others, the message must be garbage.
For example, when a customer communicates with her bank,
she expects that the communication is totally confidential.
▪ To achieve message confidentiality (secrecy), the message
must be encrypted at the sender site and decrypted at the
receiver site.
▪ Confidentiality can be achieved using symmetric or asymmetric
cryptosystems.
2.Message Integrity
▪ The data must arrive at the receiver exactly as they were sent.
▪ There must be no changes during the transmission, neither
accidentally nor maliciously.
For example, it would be disastrous if a request for
transferring $10,000 changed to a request for $1,000 or $100,000.
So, the integrity needs to be preserved.
▪ Encryption and decryption provide confidentiality but not integrity.
▪ A message digest created using a hash function is used for that,
e.g. SHA-1.
The digest (also called a Modification Detection Code, MDC) must be sent
secretly, i.e. over a secure channel.
3.Message Authentication
▪ The receiver needs to be sure of the sender's identity and that an
imposter has not sent the message.
For example, when Alice sends a message to Bob, Bob
needs to know if the message is coming from Alice or Eve.
▪ A hash function guarantees that the message has not been changed,
but it does not authenticate the sender of the message.
▪ Message Authentication Code (MAC) can provide message
integrity and message authentication.
▪ A common approach to creating a MAC was to use block ciphers like the
Data Encryption Standard (DES), but hash-based MACs (HMACs),
which use a secret key in conjunction with a cryptographic hash
function to produce a hash, have become more widely used.
• Similar to digital signatures, MACs append an authentication tag
to a message
• MACs use a symmetric key K for generation and verification
• Computation of a MAC: m = MAC_K(x)
Hash vs MAC?
▪ Hashes are used to guarantee the integrity of data, a MAC guarantees
integrity AND authentication.
▪ A hash code is generated from the message alone, without any
external input: what you obtain is something that can be used to
check whether the message was altered during its travel.
▪ A MAC instead feeds a secret key into the hash computation when
generating the code: this assures the receiver not only that the
message has not been modified, but also that it was sent by the party
we expected, because an attacker does not know the secret key needed
to generate a valid code.
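The following Python block is an added example (not code from the lecture notes) that makes the hash-vs-MAC distinction concrete with the standard library's hashlib and hmac modules. The message and the shared key are constructed sample values; SHA-256 is used rather than the SHA-1 mentioned earlier because SHA-1 is no longer considered collision-resistant. The first scenario shows that an attacker who changes the transfer amount can simply recompute a bare digest, so a digest alone only protects integrity if it travels over a secure channel; the second shows that without the key the attacker cannot produce a tag that verify_mac accepts. The function names are my own.

```python
import hashlib
import hmac

# Constructed sample message: the bank-transfer scenario used in the notes.
MESSAGE = b"transfer $10,000 from acct 1234 to acct 9876"
# Constructed sample key. In practice a random key shared over a secure
# channel, exactly as the symmetric-key slides describe.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def make_digest(message: bytes) -> bytes:
    """Unkeyed hash (the MDC of the notes). Anyone can compute it."""
    return hashlib.sha256(message).digest()


def digest_check(message: bytes, digest: bytes) -> bool:
    """Integrity check with a bare hash: passes for any message whose digest matches."""
    return hmac.compare_digest(make_digest(message), digest)


def make_mac(key: bytes, message: bytes) -> bytes:
    """m = MAC_K(x) as HMAC-SHA256; computing it requires the secret key K."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag with the shared key and compares in
    constant time (compare_digest avoids timing side channels)."""
    return hmac.compare_digest(make_mac(key, message), tag)


def tamper_scenarios() -> dict:
    """Runs the two scenarios from the text and returns which checks pass."""
    tampered = MESSAGE.replace(b"10,000", b"100,000")

    # 1. Hash only: the attacker rewrites the message and recomputes the
    #    digest; the receiver's check still passes, so no authentication.
    hash_only_fooled = digest_check(tampered, make_digest(tampered))

    # 2. MAC: the attacker has no key. Reusing the genuine tag or substituting
    #    an unkeyed hash both fail; only the untampered message verifies.
    tag = make_mac(SHARED_KEY, MESSAGE)
    return {
        "hash_only_fooled": hash_only_fooled,
        "mac_accepts_genuine": verify_mac(SHARED_KEY, MESSAGE, tag),
        "mac_rejects_old_tag": not verify_mac(SHARED_KEY, tampered, tag),
        "mac_rejects_unkeyed": not verify_mac(SHARED_KEY, tampered, make_digest(tampered)),
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name}: {outcome}")
```

Note that the MAC gives integrity and sender authentication to the party that shares the key, but not nonrepudiation: since both Alice and Bob can compute the same tag, a third party cannot tell which of them produced it. That gap is what the digital signature in the next service fills.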
4.Message Nonrepudiation
▪ A sender must not be able to deny sending a message that he or she,
in fact, did send.
▪ The burden of proof falls on the receiver.
For example, when a customer sends a message to transfer
money from one account to another, the bank must prove that the
customer requested this transaction.
▪ Digital Signature can provide three out of the five services
mentioned: message integrity, message authentication, and
nonrepudiation.
5.Entity Authentication
▪ The entity or user is verified prior to access to the system resources
(files, for example).
For example, a student needing to access her
university resources must be authenticated during the login
process.
▪ The simplest and oldest method of entity authentication is the
password.
▪ Fixed Passwords
▪ One-time Passwords (OTP)
Cryptanalysis
• The study of analyzing and breaking codes and ciphers in order to
decrypt secret messages without knowledge of the cryptographic
key.
• It involves various techniques such as frequency analysis, pattern
recognition, and computational methods to decipher encrypted
data.
• Cryptanalysts typically aim to discover weaknesses or
vulnerabilities in cryptographic systems, exploiting these to
decrypt encrypted messages and reveal their contents.
• Cryptanalysis plays a crucial role in both attacking and defending
cryptographic systems, contributing to the ongoing development
of secure communication protocols and encryption algorithms.
• Classical Attacks
  • Mathematical Analysis
  • Brute-Force Attack
• Implementation Attack: Try to extract the key through reverse
engineering or power measurement, e.g., for a banking smart card.
• Social Engineering: E.g., trick a user into giving up her password
Letter Frequency Analysis
• Letters have very different frequencies in the English language
• Moreover, the frequency of plaintext letters is preserved in the ciphertext.
• For instance, "e" is the most common letter in English; almost 13% of all
letters in a typical English text are "e".
• The next most common is "t", with about 9%.
[Figure: Letter frequencies in English. Vertical axis: Frequency in %
(0 to 14). Horizontal axis: Letters, in descending order of frequency:
E T A O I N S H R D L C U M W F G Y P B V K J X Q Z]
Breaking the Substitution Cipher with
Letter Frequency Attack
• Let's return to our example and identify the most frequent letter:
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr
bnnb hcc hwwhbsqvqbre hwq vhlq
• We replace the ciphertext letter q by E and obtain:
iE ifcc vEEr fb rdE vfllcE na rdE cfjwhwz hr
bnnb hcc hwwhbsEvEbre hwE vhlE
• By further guessing based on the frequency of the remaining
letters, we obtain the plaintext:
WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT
NOON ALL ARRANGEMENTS ARE MADE
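To show the frequency attack as a procedure rather than a single slide, here is an added Python example (not code from the lecture notes) that counts the letters of the ciphertext above, confirms that q is the most frequent one, applies the first guess q → E to reproduce the intermediate text, and finally applies the complete substitution key that the notes arrive at after further guessing. The function names and the FULL_KEY table are my own; the key is read off from the plaintext on the slide, since frequency counting alone only pins down the most common letters.

```python
from collections import Counter

# Ciphertext from the notes; spaces are kept as word boundaries.
CIPHERTEXT = ("iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr "
              "bnnb hcc hwwhbsqvqbre hwq vhlq")

# English letters from most to least frequent (order used in the chart above).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def letter_frequencies(text: str) -> list:
    """Counts letters (ignoring spaces) and returns (letter, percent) pairs,
    most frequent first."""
    letters = [c for c in text.lower() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    return [(c, 100.0 * n / total) for c, n in counts.most_common()]


def most_frequent_letter(text: str) -> str:
    return letter_frequencies(text)[0][0]


def initial_guess(text: str) -> dict:
    """Step 1 of the attack: the most frequent ciphertext letter is likely E."""
    return {most_frequent_letter(text): "E"}


def apply_substitution(text: str, mapping: dict) -> str:
    """Replaces ciphertext letters present in `mapping` by their uppercase
    plaintext guess; unresolved letters stay lowercase so the analyst can
    see what is still unknown."""
    return "".join(mapping.get(c, c) for c in text)


# Complete key after further guessing, as reached on the slide. Constructed
# here by reading the slide's plaintext back against the ciphertext.
FULL_KEY = {
    "i": "W", "q": "E", "f": "I", "c": "L", "v": "M", "r": "T", "b": "N",
    "d": "H", "l": "D", "n": "O", "a": "F", "j": "B", "w": "R", "h": "A",
    "z": "Y", "s": "G", "e": "S",
}


if __name__ == "__main__":
    for letter, pct in letter_frequencies(CIPHERTEXT)[:5]:
        print(f"{letter}: {pct:5.2f}%")
    print(apply_substitution(CIPHERTEXT, initial_guess(CIPHERTEXT)))
    print(apply_substitution(CIPHERTEXT, FULL_KEY))
```

The attack works because a simple substitution cipher has a large key space (26! keys, far beyond brute force) yet preserves the plaintext letter statistics; a large key space is therefore necessary but not sufficient for a secure cipher, which is the point the cryptanalysis slides make.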
Questions?
Thank You