CNT - Module 3

The document outlines key elements of network security, including firewalls, intrusion prevention systems, and unified threat management, which serve as defenses against various cyber threats. It classifies network attacks into active and passive types, detailing methods such as DoS, DDoS, MITM, and phishing attacks. Additionally, it describes security mechanisms like encipherment, access control, and data integrity that help protect network infrastructure and ensure secure communication.

Elements of Network Security

1. Network firewall
Firewalls are the first line of defense in network security. These network
applications or devices monitor and control the flow of incoming and outgoing
network traffic between a trusted internal network and untrusted external networks.
Network traffic is evaluated based on state, port and protocol, with filtering
decisions made based on both administrator-defined security policy and static
rules.
2. Intrusion prevention system
Network IPSes are software products that provide continuous monitoring of the
network or system activities and analyze them for signs of policy violations,
deviations from standard security practices or malicious activity. They log, alert
and react to discovered issues. IPS products compare current activity with a list of
signatures known to represent threats. They can also use alternative detection
methods -- such as protocol analysis, anomaly and behavioral detection or
heuristics -- to discover suspicious network activity and malicious software.
Sophisticated IPSes use threat intelligence and machine learning to increase
accuracy.

3. Unified threat management


A UTM product integrates multiple networking and network security functions
into a single appliance, while offering consolidated management. UTM
devices must include network routing, firewalling, network intrusion prevention
and gateway antivirus. They generally offer many other security applications, such
as VPN, remote access, URL filtering and quality of service. Unified management
of all these functions is required, as the converged platform is designed to increase
overall security, while reducing complexity.

UTM devices are best suited for SMBs and for branch and remote sites. UTM
products are the second-largest network security category with over $5 billion in
spending.

4. Advanced network threat prevention

Advanced network threat prevention products perform signatureless malware
discovery at the network layer to detect cyber threats and attacks that employ
advanced malware and persistent remote access. These products employ heuristics,
code analysis, statistical analysis, emulation and machine learning to flag and
sandbox suspicious files. Sandboxing -- the isolation of a file from the network so
it can execute without affecting other resources -- helps identify malware based on
its behavior rather than through fingerprinting.

The benefit of advanced network threat prevention tools is their ability to detect
malware that has sophisticated evasion or obfuscation capabilities, as well as detect
new malware that hasn't been previously identified. Additionally, they validate
threat information and uncover critical indicators of compromise that can be used
for future investigations and threat hunting.

5. Network access control


NAC is an approach to network management and security that supports network
visibility and access management. It consists of policies, procedures, protocols,
tools and applications that define, restrict and regulate what an individual or
component can or cannot do on a network. NAC products enable compliant,
authenticated and trusted endpoint devices and nodes to access network resources
and infrastructure. For noncompliant devices, NAC can deny network access, place
them in quarantine or restrict access, thus keeping insecure nodes from infecting
the network.

6. Cloud access security broker


CASBs are on-premises or cloud-based security policy enforcement points for
cloud application access and data usage. By acting as an intermediary among
mobile users, in-house IT architectures and cloud vendor environments, CASBs
enable an organization to extend the reach of its security policies -- especially
regarding data protection -- into the public cloud.
CASB features include authentication, device profiling, auditing, malware
detection and prevention, data loss prevention, data encryption and logging.
The value of CASBs stems from their ability to give insight into cloud application
use across cloud platforms and identify unsanctioned use. This is especially
important in regulated industries.

7. DDoS mitigation
DDoS mitigation is a set of hardening techniques, processes and tools that enable a
network, information system or IT environment to resist or mitigate the effect of
DDoS attacks on networks. DDoS mitigation activities typically require analysis of
the underlying system, network or environment for known and unknown security
vulnerabilities targeted in a DDoS attack. This also requires identification of what
normal conditions are -- through traffic analysis -- and the ability to identify
incoming traffic to separate human traffic from humanlike bots and hijacked web
browsers.

8. Network behavior anomaly detection


NBAD products provide real-time monitoring of network traffic for deviations in
normal activity, trends or events. The tools complement traditional perimeter
security systems with their ability to detect threats and stop suspicious activities
that are unknown or specifically designed to avoid standard detection methods.
When NBAD products discover unusual activity, they generate an alert that
provides details and pass it on for further analysis.

For NBAD to be optimally effective, it must establish a baseline of normal
network or user behavior over a period of time. Once it defines certain parameters
as normal, it can then flag any departure from one or more of those parameters.
9. SD-WAN security
Advanced network security capabilities are increasingly being built into SD-WAN
products. SD-WAN security overlays security components -- such as firewalls,
IPSes, malware detection, content filtering and encryption -- onto SD-WANs to
ensure the corporate security policy is enforced at all levels. SD-WAN security
provides the ability to monitor and secure traffic that travels directly to the internet
-- e.g., SaaS and IaaS -- which is an increasing portion of branch WAN bandwidth.

Classification of Network Attacks


By definition, a network attack is an attempt to exploit a vulnerability on a network
or its systems. This includes servers, firewalls, computers, routers, switches,
printers, and more.

The end-goal of a network attack is often to steal, modify, or remove access to
valuable data, whether it be temporarily or permanently. Since everything from
servers and laptops to cloud services is part of the corporate network, a breach can
offer attackers access to a wealth of digital assets.

Before diving into the different subsets of network attacks, we first need to outline
the difference between passive and active network security threats.
 Passive: During a passive attack, attackers fraudulently access a network
and monitor/steal sensitive data. However, the attackers do not alter the
source data in any manner.
 Active: Under active attack, attackers gain unauthorized access and alter
source data by deleting or encrypting it.
After gaining unauthorized access to a corporate network, attackers often combine
various attack techniques like compromising an endpoint or injecting malware to
wreak havoc.
Active attacks:
Active attacks are a type of cyber security attack in which an attacker attempts to
alter, destroy, or disrupt the normal operation of a system or network. Active
attacks involve the attacker taking direct action against the target system or
network, and can be more dangerous than passive attacks, which involve simply
monitoring or eavesdropping on a system or network.

Types of active attacks are as follows:


 Masquerade
 Modification of messages
 Repudiation
 Replay
 Denial of Service

Masquerade –
Masquerade is a type of cybersecurity attack in which an attacker pretends to be
someone else in order to gain access to systems or data. This can involve
impersonating a legitimate user or system to trick other users or systems into
providing sensitive information or granting access to restricted areas.
There are several types of masquerade attacks, including:
 Username and password masquerade: In a username and password
masquerade attack, an attacker uses stolen or forged credentials to log into a
system or application as a legitimate user.
 IP address masquerade: In an IP address masquerade attack, an attacker
spoofs or forges their IP address to make it appear as though they are
accessing a system or application from a trusted source.
 Website masquerade: In a website masquerade attack, an attacker creates a
fake website that appears to be legitimate in order to trick users into providing
sensitive information or downloading malware.
 Email masquerade: In an email masquerade attack, an attacker sends an
email that appears to be from a trusted source, such as a bank or government
agency, in order to trick the recipient into providing sensitive information or
downloading malware.

DoS and DDoS attacks

A denial-of-service (DoS) attack is designed to overwhelm the resources of a
system to the point where it is unable to reply to legitimate service requests. A
distributed denial-of-service (DDoS) attack is similar in that it also seeks to drain
the resources of a system. A DDoS attack is initiated by a vast array of malware-
infected host machines controlled by the attacker. These are referred to as “denial
of service” attacks because the victim site is unable to provide service to those who
want to access it.

With a DoS attack, the target site gets flooded with illegitimate requests. Because
the site has to respond to each request, its resources get consumed by all the
responses. This makes it impossible for the site to serve users as it normally does
and often results in a complete shutdown of the site.

DoS and DDoS attacks are different from other types of cyber attacks that enable
the hacker to either obtain access to a system or increase the access they currently
have. With these types of attacks, the attacker directly benefits from their efforts.
With DoS and DDoS network attacks, on the other hand, the objective is simply to
interrupt the effectiveness of the target's service. If the attacker is hired by a
business competitor, they may benefit financially from their efforts.

A DoS attack can also be used to create vulnerability for another type of attack.
With a successful DoS or DDoS attack, the system often has to come offline,
which can leave it vulnerable to other types of attacks. One common way to
prevent DoS attacks is to use a firewall that detects whether requests sent to your
site are legitimate. Imposter requests can then be discarded, allowing normal traffic
to flow without interruption. An example of a major internet attack of this kind
occurred in February 2020 to Amazon Web Services (AWS).
MITM attacks

Man-in-the-middle (MITM) types of cyber attacks refer to breaches
in cybersecurity that make it possible for an attacker to eavesdrop on the data sent
back and forth between two people, networks, or computers. It is called a “man in
the middle” attack because the attacker positions themselves in the “middle” or
between the two parties trying to communicate. In effect, the attacker is spying on
the interaction between the two parties.

In a MITM attack, the two parties involved feel like they are communicating as
they normally do. What they do not know is that the person actually sending the
message illicitly modifies or accesses the message before it reaches its destination.
Some ways to protect yourself and your organization from MITM attacks are to
use strong encryption on access points or to use a virtual private network (VPN).

Phishing attacks

A phishing attack occurs when a malicious actor sends emails that seem to be
coming from trusted, legitimate sources in an attempt to grab sensitive information
from the target. Phishing attacks combine social engineering and technology and
are so-called because the attacker is, in effect, “fishing” for access to a forbidden
area by using the “bait” of a seemingly trustworthy sender.

To execute the attack, the bad actor may send a link that brings you to a
website that then fools you into downloading malware such as viruses, or giving the
attacker your private information. In many cases, the target may not realize they
have been compromised, which allows the attacker to go after others in the
same organization without anyone suspecting malicious activity.
You can prevent phishing attacks from achieving their objectives by thinking
carefully about the kinds of emails you open and the links you click on. Pay close
attention to email headers, and do not click on anything that looks suspicious.
Check the parameters for “Reply-to” and “Return-path.” They need to connect to
the same domain presented in the email.
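
The header check described above can be automated. The following is an added example, not part of the original notes: it compares the domains in "Reply-To" and "Return-Path" with the domain in "From". The two messages are constructed samples, and treating a subdomain of the From domain as a match is an assumption of this sketch.

```python
from email import message_from_string
from email.utils import parseaddr


def header_domain(value):
    """Return the lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(domain, from_domain):
    """True if domain equals the From domain or is a subdomain of it (assumption)."""
    return domain == from_domain or domain.endswith("." + from_domain)


def header_mismatches(raw_message):
    """List (header, its domain, From domain) for each header that does not line up."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        domain = header_domain(msg[name])
        # An absent header or an empty Return-Path ("<>") has no domain to compare.
        if domain and not aligned(domain, from_domain):
            findings.append((name, domain, from_domain))
    return findings


# Constructed sample: every header points at the sender's own domain.
LEGIT = "\n".join([
    "From: Example Bank <alerts@bank.example>",
    "Reply-To: support@bank.example",
    "Return-Path: <bounce@mail.bank.example>",
    "Subject: Your statement is ready",
    "",
    "Constructed sample body.",
])

# Constructed sample: the display name and From look right, but replies and
# bounces go to unrelated domains.
SUSPICIOUS = "\n".join([
    "From: Example Bank <alerts@bank.example>",
    "Reply-To: helpdesk@bank-example.test",
    "Return-Path: <x1@mailer.invalid>",
    "Subject: Verify your account",
    "",
    "Constructed sample body.",
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, header_mismatches(raw))
```

A mismatch is a reason to look closer rather than proof of phishing, since legitimate bulk senders sometimes use a separate bounce domain.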

What are the Types of Passive Attacks?


Depending on the nature of your system, the attacker's motivation, and the
importance of the data being transferred across your network or system, passive
attacks can manifest in a variety of ways. There are a variety of passive attack
formats; however, the following seven are the ones you should watch out for:

 Traffic Analysis: In order to do this, network traffic going to and coming
from the target systems must be examined. The patterns of communication
transferred over the network are analyzed and deciphered by these assaults
using statistical techniques. This aids the hacker in learning more about the
network's users. These attacks can be carried out on network traffic
that is encrypted, but unencrypted traffic is more frequently the target of
them. It might be challenging to determine when sophisticated applications.
Make sure your session initiation protocol (SIP) traffic information is
encrypted to avoid having your online calls tracked during a traffic analysis
assault.

 Eavesdropping: When an attacker listens in on phone conversations or
reads unencrypted messages sent via a communication medium, it is called
eavesdropping. Snooping is comparable to eavesdropping, but it can only
access data while it is being transmitted. An illustration is when a user is
using a public WiFi network and their social media account passwords are
taken. The best social media firms protect their users' calls and messages
with end-to-end encryption to prevent eavesdropping.

 Footprinting: The process of learning as much as you can about the
network, gear, software, and personnel of the target firm. Footprinting
collects data on the target, including employee ID, IP address, and
information on the domain name system. In order to obtain data for a
penetration test, the process of fingerprinting is an initial step. You can
defend yourself from an unauthorized footprinting assault by encrypting
data, turning off location services, and turning off directory listings on web
servers.

 Spying: An intrusion could disguise itself as a legitimate network user and
spy without being noticed. With that access, a hacker could keep track of
network activity by switching the network adapter to promiscuous mode and
recording all encrypted data traffic. Consistent online spies ought to be able
to stay outside of your company thanks to reliable firewalls and multiple
layers of encryption.

 Wardriving: Wardriving scans nearby Wi-Fi networks with a portable
antenna to find those that are weak. Typically, this kind of passive attack is
conducted from a moving vehicle. Using a GPS, hackers will occasionally
mark vulnerable locations on a map. Wardriving can be carried out as a
stand-alone attack or as a practice run for a future assault. WLAN-using
businesses can avoid intrusions by implementing wired equivalent privacy
(WEP) protocols or purchasing a reliable firewall.
 Dumpster diving: In this kind of assault, criminals search garbage cans for
passwords or information kept on abandoned gadgets. The attackers can
utilize this knowledge to make it easier for them to get into a system or
network.

 Packet Sniffing: In a packet sniffing attack, the attacker sets up hardware or
software to keep an eye on all data packets traveling over a network.
Without interfering with the exchange process, the attacker keeps an eye on
data traffic. Sniffer detection is greatly improved by encryption.

Types of Security Mechanism

Network security is a field in computer technology that deals with ensuring the
security of computer network infrastructure. The network is necessary for
sharing information, whether at the hardware level (such as a printer or scanner) or
at the software level. A security mechanism can therefore be described as a set of
processes that deal with recovery from a security attack. Various mechanisms are
designed to recover from these specific attacks at various protocol layers.

Types of Security Mechanism are :

1. Encipherment :
This security mechanism deals with hiding and covering of data, which helps
data to become confidential. It is achieved by applying mathematical
calculations or algorithms which reconstruct information into a non-readable
form. It is achieved by two famous techniques named Cryptography and
Encipherment. The level of data encryption is dependent on the algorithm used for
encipherment.
2. Access Control :
This mechanism is used to stop unattended access to data which you are
sending. It can be achieved by various techniques such as applying passwords,
using a firewall, or just by adding a PIN to data.
3. Notarization :
This security mechanism involves the use of a trusted third party in communication.
It acts as a mediator between sender and receiver so that any chance of
conflict is reduced. This mediator keeps a record of requests made by the sender to
the receiver in case they are later denied.
4. Data Integrity :
This security mechanism works by appending to the data a value which is
created from the data itself. It is similar to sending a packet of information known to
both sending and receiving parties and checked before and after data is
received. When this packet or appended data is checked and is the
same while sending and receiving, data integrity is maintained.
5. Authentication exchange :
This security mechanism deals with identity to be known in communication.
This is achieved at the TCP/IP layer, where a two-way handshaking mechanism
is used to ensure data is sent or not.
6. Bit stuffing :
This security mechanism is used to add some extra bits into data which is
being transmitted. It helps data to be checked at the receiving end and is
achieved by Even parity or Odd Parity.
7. Digital Signature :
This security mechanism is achieved by adding digital data that is not visible
to the eye. It is a form of electronic signature which is added by the sender and
checked by the receiver electronically. This mechanism is used to preserve data
which is not more confidential but sender’s identity is to be notified.

Symmetric Key Cryptography

Symmetrical Key Cryptography, also known as conventional or single-key
encryption, was the primary method of encryption before the introduction of
public key cryptography in the 1970s. In symmetric-key algorithms, the same
keys are used for data encryption and decryption. This type of cryptography plays
a crucial role in securing data because the same key is used for both encryption
and decryption.
Techniques Used in Symmetric Key Cryptography
Substitution and Transposition are two principal techniques used in symmetric-
key cryptography.
Substitution Techniques
The symmetric key cryptographic method employs one secret key for the
operations of encryption and decryption. Substitution techniques provide two
significant approaches, wherein elements (letters, characters) from the plaintext
message are replaced with new elements according to the rules based on the
secret key.
 Caesar Cipher: Caesar cipher has since their predictability is so complete and
no complexity is invested.
 Monoalphabetic Ciphers: This is where the ciphers use one rule of
substitution throughout the message. This may involve replacing letters with
numbers, symbols, or another set of letters in another order.
 Playfair Cipher: Implementation of repeated letters or letter pairs can expose
patterns, and cryptanalysis techniques exist to exploit them.

 Hill Cipher: This cipher operates on blocks of letters (typically bigrams or
trigrams) using a matrix multiplication approach. The Hill ciphers have a
limitation on key size and susceptibility towards cryptanalysis for larger key
sizes.

 Polyalphabetic Ciphers: This is the type of cipher where any one of the
letters in the plaintext is substituted by a different letter to keep frequency
analysis challenging. For example, the Vigenère cipher operates with a
keyword that would determine the shift value for each letter in the plaintext.

 One-Time Pad (OTP): It is a theoretically impossible cipher where the key is
a random string of characters that is exactly as long as the message itself. The
key is used for a single encryption and then discarded.
Applications of Symmetric Key Cryptography

 Data encrypting/decrypting: SKC widely applies to protect sensitive data
either statically stored in some device or transmitted through the network.
Some of these applications include the authentication of users’ credentials,
encryption of email messages, and financial transactions.
 Secure communication: The majority of the communication protocols
commonly used are SSL/TLS, which use the combination of symmetric and
asymmetric key encryption to ensure the confidentiality and integrity of
exchanged information between two parties. These messages will be encrypted
and decrypted using symmetric key encryption using a shared key.
 Authenticity verification: In some places, SKC is applied using techniques
like message authentication codes (MACs) and keyed-hash MACs (HMACs)
to authenticate the messages by verifying their authenticity and integrity, thus
ensuring tamper-resistant communication.
 File and disk encryption: Full-disk encryption software and file encryption
tools also apply SKC to encrypt sensitive data stored in hard disks or portable
storage devices.
 Virtual private networks: VPN technologies are technologies that aim to
provide confidential communication channels free from eavesdropping. Some
of these may use symmetric or asymmetric key encryption to connect remote
users and corporate networks.

Data encryption standard (DES)

 Data Encryption Standard (DES) is a block cipher with a 56-bit key length
that has played a significant role in data security.
 Data encryption standard (DES) has been found vulnerable to very
powerful attacks; therefore, the popularity of DES has been found slightly
on the decline.
 DES is a block cipher and encrypts data in blocks of size of 64 bits each,
which means 64 bits of plain text go as the input to DES, which produces
64 bits of ciphertext.
 The same algorithm and key are used for encryption and decryption, with
minor differences. The key length is 56 bits.

DES is based on the two fundamental attributes of cryptography: substitution
(also called confusion) and transposition (also called diffusion). DES consists of
16 steps, each of which is called a round. Each round performs the steps of
substitution and transposition. Let us now discuss the broad-level steps in DES.
 In the first step, the 64-bit plain text block is handed over to an
Initial Permutation (IP) function.
 The initial permutation is performed on plain text.
 Next, the initial permutation (IP) produces two halves of the permuted block,
say Left Plain Text (LPT) and Right Plain Text (RPT).
 Now each LPT and RPT go through 16 rounds of the encryption process.
 In the end, LPT and RPT are rejoined and a Final Permutation (FP) is
performed on the combined block.
 The result of this process produces 64-bit ciphertext.
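
The broad-level steps above, as an added example that is not part of the original notes: IP, the LPT/RPT split, 16 rounds, the rejoin and FP, with decryption running the same code with the subkeys in reverse order. IP and FP are the real DES tables; the round function and the key schedule are stand-ins built from SHA-256 (an assumption of this sketch), so this shows the structure only and is not DES.

```python
import hashlib

# Real DES Initial Permutation: output bit i (1 = leftmost) is input bit IP[i-1].
IP = [start - 8 * j for start in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
# The Final Permutation is the inverse of IP.
FP = [0] * 64
for i, p in enumerate(IP):
    FP[p - 1] = i + 1

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def permute(block, table):
    """Apply a 64-entry bit permutation to a 64-bit integer."""
    out = 0
    for pos in table:
        out = (out << 1) | ((block >> (64 - pos)) & 1)
    return out


def round_function(right, subkey):
    """Stand-in round function (assumption): NOT DES's expansion, S-boxes and P-box."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def derive_subkeys(key):
    """Stand-in key schedule (assumption): one 48-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]


def des_structure(block, key, decrypt=False):
    """Run one 64-bit block through IP, 16 rounds and FP."""
    subkeys = derive_subkeys(key)
    if decrypt:
        subkeys.reverse()  # the only difference between the two directions
    block = permute(block, IP)
    lpt, rpt = block >> 32, block & MASK32
    for subkey in subkeys:
        # Each round: the right half moves left, the left half is mixed with f(right).
        lpt, rpt = rpt, lpt ^ round_function(rpt, subkey)
    combined = (rpt << 32) | lpt  # halves are swapped when rejoined
    return permute(combined, FP)


if __name__ == "__main__":
    key = b"constructed-key"          # constructed sample key
    plaintext = 0x0123456789ABCDEF    # constructed sample block
    ciphertext = des_structure(plaintext, key)
    print(f"ciphertext: {ciphertext:016x}")
    print(f"decrypted : {des_structure(ciphertext, key, decrypt=True):016x}")
```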

Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES) is a specification for the encryption of
electronic data established by the U.S. National Institute of Standards and
Technology (NIST) in 2001. AES is widely used today as it is much stronger
than DES and triple DES despite being harder to implement.
Points to remember

 AES is a block cipher.


 The key size can be 128/192/256 bits.
 Encrypts data in blocks of 128 bits each.
That means it takes 128 bits as input and produces 128 bits of encrypted cipher text
as output. AES relies on the substitution-permutation network principle, which means
it is performed using a series of linked operations which involve replacing and
shuffling the input data.

Working of the cipher :

AES performs operations on bytes of data rather than in bits. Since the block size
is 128 bits, the cipher processes 128 bits (or 16 bytes) of the input data at a time.
The number of rounds depends on the key length as follows :
 128 bit key – 10 rounds
 192 bit key – 12 rounds
 256 bit key – 14 rounds

Creation of Round keys :

A Key Schedule algorithm is used to calculate all the round keys from the key. So
the initial key is used to create many different round keys which will be used in
the corresponding round of the encryption.
Encryption:

AES considers each block as a 16-byte (4 bytes x 4 bytes = 128 bits) grid in a
column-major arrangement.
[ b0 | b4 | b8 | b12 |
| b1 | b5 | b9 | b13 |
| b2 | b6 | b10| b14 |
| b3 | b7 | b11| b15 ]
Each round comprises 4 steps:

 SubBytes
 ShiftRows
 MixColumns
 Add Round Key
The last round doesn’t have the MixColumns step.

SubBytes does the substitution, and ShiftRows and MixColumns perform the
permutation in the algorithm.

Sub Bytes:
This step implements the substitution.

In this step each byte is substituted by another byte. It is performed using a lookup
table also called the S-box. This substitution is done in a way that a byte is never
substituted by itself and also not substituted by another byte which is a
complement of the current byte. The result of this step is a 16-byte (4 x 4) matrix
like before.

The next two steps implement the permutation.

Shift Rows

This step is just as it sounds. Each row is shifted a particular number of times.

 The first row is not shifted.
 The second row is shifted once to the left.
 The third row is shifted twice to the left.
 The fourth row is shifted thrice to the left.
(A left circular shift is performed.)
[ b0  | b1  | b2  | b3  ]      [ b0  | b1  | b2  | b3  ]
| b4  | b5  | b6  | b7  |  ->  | b5  | b6  | b7  | b4  |
| b8  | b9  | b10 | b11 |      | b10 | b11 | b8  | b9  |
[ b12 | b13 | b14 | b15 ]      [ b15 | b12 | b13 | b14 ]

Mix Columns : This step is basically a matrix multiplication. Each column is
multiplied with a specific matrix and thus the position of each byte in the column
is changed as a result.
This step is skipped in the last round.
[ c0 ] [ 2 3 1 1 ] [ b0 ]
| c1 | = | 1 2 3 1 | | b1 |
| c2 | | 1 1 2 3 | | b2 |
[ c3 ] [ 3 1 1 2 ] [ b3 ]

Add Round Keys : Now the resultant output of the previous stage is XOR-ed
with the corresponding round key. Here, the 16 bytes are not considered as a grid
but just as 128 bits of data.
After all these rounds, 128 bits of encrypted data are given back as output. This
process is repeated until all the data to be encrypted undergoes this process.

Decryption:
The stages in the rounds can be easily undone, as each stage has an opposite
which, when performed, reverts the changes. Each 128-bit block goes through the
10, 12 or 14 rounds depending on the key size.
The stages of each round in decryption are as follows:

 Add round key
 Inverse MixColumns
 ShiftRows
 Inverse SubByte
The decryption process is the encryption process done in reverse, so I will explain
the steps with notable differences.

Inverse MixColumns :
This step is similar to the MixColumns step in encryption, but differs in the
matrix used to carry out the operation.

[ b0 ] [ 14 11 13 9 ] [ c0 ]
| b1 | = | 9 14 11 13 | | c1 |
| b2 | | 13 9 14 11 | | c2 |
[ b3 ] [ 11 13 9 14 ] [ c3 ]

Inverse SubBytes :
The inverse S-box is used as a lookup table, with which the bytes are substituted
during decryption.
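
The round steps described above (SubBytes, ShiftRows, MixColumns, Add Round Key) and Inverse MixColumns, as an added example that is not part of the original notes. The S-box is computed rather than typed in, so the "never substituted by itself or by its complement" property can be checked; the key schedule is not implemented, and the plaintext, key and first round key are the values from the FIPS 197 Appendix B worked example.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the AES affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gmul(x, y) == 1)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    # The state is 16 bytes in column-major order: row r, column c is state[r + 4*c].
    # Row r is rotated left by r positions.
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_column(column, matrix=MIX):
    """Multiply one 4-byte column by the given matrix over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def mix_columns(state, matrix=MIX):
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4], matrix)
    return out


def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]


def aes_round(state, round_key, last=False):
    """One encryption round; the last round skips MixColumns."""
    state = shift_rows(sub_bytes(state))
    if not last:
        state = mix_columns(state)
    return add_round_key(state, round_key)


def sbox_has_no_fixed_points():
    """No byte maps to itself or to its bitwise complement."""
    return all(SBOX[x] != x and SBOX[x] != x ^ 0xFF for x in range(256))


def fips197_round1():
    """State after round 1 for the FIPS 197 Appendix B example, as hex."""
    plaintext = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    round_key1 = bytes.fromhex("a0fafe1788542cb123a339392a6c7605")
    state = add_round_key(plaintext, key)  # initial Add Round Key
    return bytes(aes_round(state, round_key1)).hex()


if __name__ == "__main__":
    print("no fixed points:", sbox_has_no_fixed_points())
    print("after round 1  :", fips197_round1())
```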

Applications:
AES is widely used in many applications which require secure data storage and
transmission. Some common use cases include:

 Wireless security: AES is used in securing wireless networks, such as Wi-Fi
networks, to ensure data confidentiality and prevent unauthorized access.
 Database Encryption: AES can be applied to encrypt sensitive data stored in
databases. This helps protect personal information, financial records, and other
confidential data from unauthorized access in case of a data breach.
 Secure communications: AES is widely used in protocols such as
internet communications, email, instant messaging, and voice/video calls. It
ensures that the data remains confidential.
 Data storage: AES is used to encrypt sensitive data stored on hard drives,
USB drives, and other storage media, protecting it from unauthorized access in
case of loss or theft.
 Virtual Private Networks (VPNs): AES is commonly used in VPN protocols
to secure the communication between a user’s device and a remote server. It
ensures that data sent and received through the VPN remains private and
cannot be deciphered by eavesdroppers.
 Secure Storage of Passwords: AES encryption is commonly employed to
store passwords securely. Instead of storing plaintext passwords, the encrypted
version is stored. This adds an extra layer of security and protects user
credentials in case of unauthorized access to the storage.
 File and Disk Encryption: AES is used to encrypt files and folders on
computers, external storage devices, and cloud storage. It protects sensitive
data stored on devices or during data transfer to prevent unauthorized access.
What is Public Key Cryptography?

 Public key cryptography (sometimes referred to as asymmetric
cryptography) is a class of cryptographic protocols based on algorithms.

 This method of cryptography requires two separate keys, one that is private
or secret, and one that is public.

 Public key cryptography uses a pair of keys to encrypt and decrypt data to
protect it against unauthorized access or use.
 Network users receive a public and private key pair from certification
authorities. If other users want to encrypt data, they get the intended
recipient’s public key from a public directory.

 This key is used to encrypt the message, and to send it to the recipient. When
the message arrives, the recipient decrypts it using a private key, to which no
one else has access.

RSA Encryption Algorithm

RSA encryption algorithm is a type of public-key encryption algorithm. To better
understand RSA, let's first understand what a public-key encryption algorithm is.

Public key encryption algorithm:


Public Key encryption algorithm is also called the Asymmetric algorithm.
Asymmetric algorithms are those algorithms in which sender and receiver use
different keys for encryption and decryption. Each sender is assigned a pair of
keys:
o Public key
o Private key

The Public key is used for encryption, and the Private Key is used for decryption.
Decryption cannot be done using a public key. The two keys are linked, but the
private key cannot be derived from the public key. The public key is well known,
but the private key is secret and it is known only to the user who owns the key. It
means that everybody can send a message to the user using user's public key. But
only the user can decrypt the message using his private key.

The Public key algorithm operates in the following manner:

o The data to be sent is encrypted by sender A using the public key of the
intended receiver, B.
o B decrypts the received ciphertext using its private key, which is known only
to B. B replies to A, encrypting its message using A's public key.
o A decrypts the received ciphertext using its private key, which is known
only to A.
RSA encryption algorithm:

RSA is the most common public-key algorithm, named after its inventors Rivest,
Shamir, and Adleman (RSA).

RSA algorithm uses the following procedure to generate public and private
keys:

o Select two large prime numbers, p and q.
o Multiply these numbers to find n = p x q, where n is called the modulus for
encryption and decryption.
o Choose a number e less than n, such that e is relatively prime to
(p - 1) x (q - 1). It means that e and (p - 1) x (q - 1) have no common factor
except 1. Choose e such that 1 < e < φ(n) and e is coprime to φ(n), that is,
gcd(e, φ(n)) = 1, where φ(n) = (p - 1) x (q - 1).
o If n = p x q, then the public key is <e, n>. A plaintext message m is
encrypted using public key <e, n>.
o To find the ciphertext from the plaintext, the following formula is used to
get ciphertext C:
C = m^e mod n
Here, m must be less than n. A larger message (> n) is treated as a
concatenation of messages, each of which is encrypted separately.
o To determine the private key, we use the following formula to calculate
d such that:
d x e mod {(p - 1) x (q - 1)} = 1
or
d x e mod φ(n) = 1
o The private key is <d, n>. A ciphertext message c is decrypted using private
key <d, n>. To calculate plaintext m from the ciphertext c, the following
formula is used:
m = c^d mod n
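The key generation, encryption and decryption steps above, worked through in Python as an added example (not part of the original notes). The function names and the toy values p = 61, q = 53, e = 17 are assumptions chosen for illustration; real keys use primes hundreds of digits long together with a padding scheme such as OAEP.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Follow the procedure above: n = p*q, phi = (p-1)(q-1), d*e mod phi = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # public key <e, n>, private key <d, n>


def encrypt(m, public):
    """C = m^e mod n; the message block m must be less than n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("m must be less than n")
    return pow(m, e, n)


def decrypt(c, private):
    """m = c^d mod n."""
    d, n = private
    return pow(c, d, n)


def encrypt_bytes(data, public):
    """A larger message is split into blocks (here one byte each, so every
    block is < n) and each block is encrypted separately."""
    return [encrypt(block, public) for block in data]


def decrypt_bytes(blocks, private):
    return bytes(decrypt(c, private) for c in blocks)


# Constructed toy key: n = 3233, phi(n) = 3120, e = 17, d = 2753.
PUBLIC, PRIVATE = rsa_keygen(61, 53, 17)

if __name__ == "__main__":
    print("public key :", PUBLIC)
    print("private key:", PRIVATE)
    blocks = encrypt_bytes(b"AA", PUBLIC)
    # Both blocks are identical: without random padding, equal plaintext
    # blocks always give equal ciphertext blocks.
    print("ciphertext :", blocks)
    print("decrypted  :", decrypt_bytes(blocks, PRIVATE))
```

Because C = m^e mod n is deterministic, repeated plaintext blocks are visible in the ciphertext, which is one reason deployed RSA encryption adds random padding.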

What is Diffie-Hellman Key Exchange (exponential key exchange)?


The Diffie-Hellman key exchange (also known as exponential key exchange) is a
method for securely exchanging cryptographic keys over an insecure channel. It is
a fundamental building block of many secure communication protocols,
including SSL/TLS and SSH.

The Diffie-Hellman key exchange works by allowing two parties (Alice and Bob)
to agree on a shared secret key over an insecure channel, without any other party
being able to intercept the key or learn anything about it. The key exchange
involves the following steps –

 Alice and Bob agree on two large prime numbers, p and g, and a public key
exchange algorithm.
 Alice chooses a secret integer, a, and computes A = g^a mod p. She sends A
to Bob.
 Bob chooses a secret integer, b, and computes B = g^b mod p. He sends B to
Alice.
 Alice computes s = B^a mod p. Bob computes s = A^b mod p.
 Alice and Bob now both have shared secret keys, which they can use to
establish a secure communication channel.

The security of the Diffie-Hellman key exchange relies on the fact that it is
computationally infeasible for an attacker to determine the shared secret keys from
the public values of p, g, A, and B. This allows Alice and Bob to exchange the key
securely, even over an insecure channel.

Where is Diffie-Hellman Key Exchange Used?


The Diffie-Hellman key exchange (also known as exponential key exchange) is a
widely used and trusted technique for securely exchanging cryptographic keys over
an insecure channel. It is used in many different contexts, including −

 Secure communication protocols − The Diffie-Hellman key exchange is
used in many secure communication protocols, such as SSL/TLS and SSH,
to establish a secure channel between two parties. It allows the parties to
agree on a shared secret key that can be used to encrypt and decrypt
messages exchanged over the channel.
 Virtual private networks (VPNs) − The Diffie-Hellman key exchange is
often used in VPNs to establish a secure connection between a client and a
server. It allows the client and server to agree on a shared secret key that can
be used to encrypt and decrypt traffic exchanged over the VPN connection.
 Secure file transfer protocols − The Diffie-Hellman key exchange is used
in many secure file transfer protocols, such as SFTP and FTPS, to establish a
secure channel for transferring files between two parties. It allows the parties
to agree on a shared secret key that can be used to encrypt and decrypt the
transferred files.
 Other applications − The Diffie-Hellman key exchange is also used in
many other applications where secure communication is required, such as
secure email, secure web browsing, and secure voice over IP (VoIP). It is a
flexible and widely supported technique for establishing secure
communication channels.

Overall, the Diffie-Hellman key exchange is an important and widely used
technique for securely exchanging cryptographic keys and establishing
secure communication channels. It is an essential component of many secure
communication protocols and applications.

How does Diffie-Hellman Key Exchange Work?


The Diffie-Hellman key exchange (also known as exponential key exchange) is a
method for securely exchanging cryptographic keys over an insecure channel. It
works by allowing two parties (Alice and Bob) to agree on a shared secret key
without any other party being able to intercept the key or learn anything about it.
The key exchange involves the following steps −

 Alice and Bob agree on two large prime numbers, p and g, and a public key
exchange algorithm.
 Alice chooses a secret integer, a, and computes A = g^a mod p. She sends A
to Bob.
 Bob chooses a secret integer, b, and computes B = g^b mod p. He sends B to
Alice.
 Alice computes s = B^a mod p. Bob computes s = A^b mod p.
 Alice and Bob now both have the shared secret key s, which they can use to
establish a secure communication channel.
The security of the Diffie-Hellman key exchange relies on the fact that it is
computationally infeasible for an attacker to determine the shared secret key s from
the public values of p, g, A, and B. This allows Alice and Bob to exchange the key
securely, even over an insecure channel.

Vulnerabilities of Diffie-Hellman Key Exchange


The Diffie-Hellman key exchange (also known as exponential key exchange) is a
widely used and trusted technique for securely exchanging cryptographic keys over
an insecure channel. However, like all cryptographic systems, it is not completely
immune to attacks and vulnerabilities. Some potential vulnerabilities of the Diffie-
Hellman key exchange include −

 Man-in-the-middle attacks − If an attacker is able to intercept and modify
the messages exchanged between Alice and Bob during the key exchange,
they may be able to impersonate Alice or Bob and establish a secure channel
with the other party. This can be prevented by using certificate-based
authentication and/or by verifying the authenticity of the messages using
message authentication codes (MACs).
 Small subgroup attacks − If the prime number p used in the key exchange
has a small subgroup, an attacker may be able to use this to their advantage
to recover the shared secret key. To prevent this, it is important to use a large
prime number with no known small subgroups.
 Exponent attacks − If the secret exponents (a and b) used in the key
exchange are not chosen randomly, an attacker may be able to use this to
their advantage to recover the shared secret key. To prevent this, it is
important to use a strong random number generator to generate the secret
exponents.
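The exchange steps and the small subgroup and exponent mitigations described above, as an added Python example that is not part of the original notes. The toy group (safe prime p = 2879 = 2 x 1439 + 1 with base g = 4), the function names and the SHA-256 step that turns s into a key are assumptions for illustration; real deployments use standardized groups of 2048 bits or more and must also authenticate A and B, as the man-in-the-middle item says.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2*Q + 1.
P = 2879
Q = 1439          # prime, so the squares mod P form a subgroup of order Q
G = 4             # a square mod P other than 1, hence of order exactly Q


def keypair():
    """Pick a secret exponent from a CSPRNG and compute the public value."""
    secret = secrets.randbelow(Q - 1) + 1      # uniform in 1 .. Q-1
    return secret, pow(G, secret, P)


def valid_public(value):
    """Accept only values in 2 .. P-2 that lie in the order-Q subgroup."""
    return 2 <= value <= P - 2 and pow(value, Q, P) == 1


def shared_key(own_secret, peer_public):
    """Compute s = peer_public^own_secret mod P, then hash s into a key."""
    if not valid_public(peer_public):
        raise ValueError("peer public value rejected")
    s = pow(peer_public, own_secret, P)
    return hashlib.sha256(s.to_bytes(2, "big")).digest()


def exchange():
    """Run both sides; only A and B would cross the insecure channel."""
    a, A = keypair()          # Alice: A = g^a mod p
    b, B = keypair()          # Bob:   B = g^b mod p
    return shared_key(a, B), shared_key(b, A)


def confined_secrets(bad_public, trials=200):
    """Values of s that an unvalidated peer value yields over many exponents."""
    return {pow(bad_public, secrets.randbelow(Q - 1) + 1, P)
            for _ in range(trials)}


if __name__ == "__main__":
    alice_key, bob_key = exchange()
    print("keys match:", alice_key == bob_key)
    # P - 1 has order 2, so accepting it would leave only two possible secrets.
    print("secrets reachable from P - 1:", confined_secrets(P - 1))
    print("P - 1 accepted by validation:", valid_public(P - 1))
```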

Examples of Diffie-Hellman Key Exchange


The Diffie-Hellman key exchange (also known as exponential key exchange) is a
widely used and trusted technique for securely exchanging cryptographic keys over
an insecure channel. It is used in many different contexts, including secure
communication protocols, virtual private networks (VPNs), secure file transfer
protocols, and other applications where secure communication is required. Some
examples of the use of the Diffie-Hellman key exchange include −

 SSL/TLS − The Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols use the Diffie-Hellman key exchange to establish a secure
channel between a client and a server. This allows the client and server to
exchange encrypted messages over an insecure network, such as the Internet.
 SSH − The Secure Shell (SSH) protocol uses the Diffie-Hellman key
exchange to establish a secure channel between a client and a server. This
allows users to securely log in to a remote server and execute commands,
transfer files, and perform other tasks over an insecure network.
 VPNs − Many VPN protocols, such as IPSec and OpenVPN, use the Diffie-
Hellman key exchange to establish a secure connection between a client and
a server. This allows the client and server to exchange encrypted traffic over
an insecure network, such as the Internet.
 SFTP − The Secure File Transfer Protocol (SFTP) uses the Diffie-Hellman
key exchange to establish a secure channel between a client and a server.
This allows users to securely transfer files between two systems over an
insecure network.
What is a Hash Function?

A hash function is a function that takes an input (or ‘message’) and returns a
fixed-size string of bytes. The output, typically a number, is called the hash
code or hash value. The main purpose of a hash function is to efficiently map
data of arbitrary size to fixed-size values, which are often used as indexes in
hash tables.
Key Properties of Hash Functions
 Deterministic: A hash function must consistently produce the same output for
the same input.
 Fixed Output Size: The output of a hash function should have a fixed size,
regardless of the size of the input.
 Efficiency: The hash function should be able to process input quickly.
 Uniformity: The hash function should distribute the hash values uniformly
across the output space to avoid clustering.
 Pre-image Resistance: It should be computationally infeasible to reverse the
hash function, i.e., to find the original input given a hash value.
 Collision Resistance: It should be difficult to find two different inputs that
produce the same hash value.
 Avalanche Effect: A small change in the input should produce a significantly
different hash value.
Applications of Hash Functions
 Hash Tables: The most common use of hash functions in DSA is in
hash tables, which provide an efficient way to store and retrieve
data.
 Data Integrity: Hash functions are used to ensure the integrity of
data by generating checksums.
 Cryptography: In cryptographic applications, hash functions are
used to create secure hash algorithms like SHA-256.
 Data Structures: Hash functions are utilized in various data
structures such as Bloom filters and hash sets.

SHA Algorithm in Cryptography

 SHA stands for Secure Hashing Algorithm. Data and certificates are hashed
with SHA, a modified version of MD5.
 By using bitwise operations, modular additions, and compression functions,
a hashing algorithm reduces the input data into a smaller form that is
impossible to comprehend.
 Can hashing be cracked or decrypted, you may wonder? The main
distinction between hashing and encryption is that hashing is one-way; once
data has been hashed, the resultant hash digest cannot be decrypted unless a
brute-force attack is applied. See the illustration below to see how the SHA
algorithm functions.
 SHA is designed to provide a different hash even if only one character in the
message changes. As an illustration, consider hashing two similar but
different messages, "Heaven" and "heaven". The only difference between them
is a capital versus a small letter.
 The first message is hashed using SHA-1 to get the hash digest
"06b73bd57b3b938786daed820cb9fa4561bf0e8e".
 The hash digest for the second, similar message will look like
"66da9f3b8d9d83f34770a14c38276a69433a535b" if it is hashed with SHA-1.
 This is known as the avalanche effect.
 This phenomenon is crucial for cryptography since it implies that even the
smallest alteration to the message being entered entirely alters the output.
 As a result, attackers won't be able to decipher what the hash digest initially
said, and the message's recipient can be told whether the message was altered
en route.
 SHAs can aid in identifying any modifications made to an original message.
 A user can determine whether even one letter has been altered by consulting
the original hash digest since the hash digests will be entirely different. The
fact that SHAs are deterministic is one of their key features.
 This implies that any machine or user may reproduce the hash digest if they
know the hash algorithm that was used. Every SSL certificate on the Internet
must have been hashed with the SHA-2 procedure because of the
determinism of SHAs.
Digital Signature
A digital signature is a mathematical technique used to validate the authenticity
and integrity of a message, software, or digital document.
1. Key Generation Algorithms: Digital signatures are electronic signatures, which
assure that the message was sent by a particular sender. While performing
digital transactions, authenticity and integrity should be assured; otherwise, the
data can be altered or someone can also act as if he was the sender and expect
a reply.
2. Signing Algorithms: To create a digital signature, signing algorithms like
email programs create a one-way hash of the electronic data which is to be
signed. The signing algorithm then encrypts the hash value using the private
key (signature key). This encrypted hash along with other information like the
hashing algorithm is the digital signature. This digital signature is appended
with the data and sent to the verifier. The reason for encrypting the hash
instead of the entire message or document is that a hash function converts any
arbitrary input into a much shorter fixed-length value. This saves time as now
instead of signing a long message a shorter hash value has to be signed and
moreover hashing is much faster than signing.
3. Signature Verification Algorithms: The verifier receives the digital signature
along with the data. It then uses the verification algorithm to process the
digital signature and the public key (verification key) and generates some
value. It also applies the same hash function to the received data and
generates a hash value. If both are equal, then the digital signature is
valid; otherwise it is invalid.
The steps followed in creating a digital signature are:
1. The message digest is computed by applying a hash function to the message, and
then the message digest is encrypted using the private key of the sender to form
the digital signature (digital signature = encryption(private key of sender,
message digest) and message digest = message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital
signature is transmitted).
3. The receiver decrypts the digital signature using the public key of the sender.
(This assures authenticity, as only the sender has his private key, so only the
sender can encrypt using his private key, which can thus be decrypted by the
sender’s public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (actual
message is sent with the digital signature).
6. The message digest computed by receiver and the message digest (got by
decryption on digital signature) need to be same for ensuring integrity.
Message digest is computed using one-way hash function, i.e. a hash function in
which computation of hash value of a message is easy but computation of the
message from hash value of the message is very difficult.
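The six steps above, from digest computation to the receiver's comparison, as an added Python example that is not part of the original notes. The demo key built from the Mersenne primes 2^127 - 1 and 2^521 - 1, the function names and the sample message are assumptions for illustration; such a key is not secure, and deployed signatures add a padding scheme such as PSS rather than signing the bare digest.

```python
import hashlib

# Constructed demo key (not secure): two known Mersenne primes as p and q.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # modulus, larger than any SHA-256 digest
E = 65537                              # public (verification) exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private (signature) exponent

# Constructed sample message.
MESSAGE = b"Transfer 100 to account 42"


def digest_int(message):
    """Step 1a: message digest = hash(message), read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, d=D, n=N):
    """Step 1b: 'encrypt' the digest with the sender's private key."""
    return pow(digest_int(message), d, n)


def verify(message, signature, e=E, n=N):
    """Steps 3 to 6: recover the digest with the public key, recompute the
    digest from the received message, and compare the two."""
    recovered = pow(signature, e, n)
    return recovered == digest_int(message)


def send(message):
    """Step 2: the message travels together with its signature."""
    return message, sign(message)


if __name__ == "__main__":
    msg, sig = send(MESSAGE)
    print("genuine message verifies :", verify(msg, sig))
    # Changing a single character changes the digest, so the check fails.
    print("altered message verifies :", verify(msg.replace(b"42", b"43"), sig))
    # A signature not produced with the private key does not match either.
    print("altered signature verifies:", verify(msg, sig ^ 1))
```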
Assurances about digital signatures
The definitions and words that follow illustrate the kind of assurances that digital
signatures offer.
1. Authenticity: The identity of the signer is verified.
2. Integrity: Since the content was digitally signed, it hasn’t been altered or
interfered with.
3. Non-repudiation: Demonstrates the source of the signed content to all parties.
The act of a signer denying any affiliation with the signed material is known as
repudiation.
4. Notarization: Under some conditions, a signature in a Microsoft Word,
Microsoft Excel, or Microsoft PowerPoint document that has been time-stamped
by a secure time-stamp server is equivalent to a notarization.

What is Firewall?
A firewall is a network security device, either hardware or software-based, which
monitors all incoming and outgoing traffic and based on a defined set of security
rules accepts, rejects, or drops that specific traffic.
 Accept: allow the traffic
 Reject: block the traffic but reply with an “unreachable error”
 Drop: block the traffic with no reply

A firewall is a type of network security device that filters incoming and outgoing
network traffic with security policies that have previously been set up inside an
organization. A firewall is essentially the wall that separates a private internal
network from the open Internet at its very basic level.
Working of Firewall
A firewall matches network traffic against the rule set defined in its table. Once
a rule is matched, the associated action is applied to the network traffic.

For example, one rule may state that no employee from the Human Resources
department can access data on the code server, while another rule states that
the system administrator can access data from both the Human Resources and
technical departments.

Rules can be defined on the firewall based on the necessity and security policies
of the organization. From the perspective of a server, network traffic can be either
outgoing or incoming.

The firewall maintains a distinct set of rules for each case. Outgoing traffic,
which originates from the server itself, is mostly allowed to pass.

Still, setting a rule on outgoing traffic is always better in order to achieve more
security and prevent unwanted communication.

Incoming traffic is treated differently. Most traffic that reaches the firewall
uses one of these three major Transport Layer protocols: TCP, UDP or ICMP.
All these types have a source address and a destination address. Also, TCP and
UDP have port numbers. ICMP uses a type code instead of a port number, which
identifies the purpose of that packet.

Advantages of using Firewall


 Protection from unauthorized access: Firewalls can be set up to restrict
incoming traffic from particular IP addresses or networks, preventing hackers or
other malicious actors from easily accessing a network or system.
 Prevention of malware and other threats: Firewalls can be set up to block
traffic linked to known malware or other security concerns, assisting in the
defense against these kinds of attacks.
 Control of network access: By limiting access to specified individuals or groups
for particular servers or applications, firewalls can be used to restrict access to
particular network resources or services.
 Monitoring of network activity: Firewalls can be set up to record and keep
track of all network activity.
 Regulation compliance: Many industries are bound by rules that demand the
usage of firewalls or other security measures.
 Network segmentation: By using firewalls to split up a bigger network into
smaller subnets, the attack surface is reduced and the security level is raised.

Disadvantages of using Firewall


 Complexity: Setting up and keeping up a firewall can be time-consuming and
difficult, especially for bigger networks or companies with a wide variety of
users and devices.
 Limited Visibility: Firewalls may not be able to identify or stop security risks
that operate at other levels, such as the application or endpoint level, because
they can only observe and manage traffic at the network level.
 False sense of security: Some businesses may place an excessive amount of
reliance on their firewall and disregard other crucial security measures like
endpoint security or intrusion detection systems.
 Limited adaptability: Because firewalls are frequently rule-based, they might
not be able to respond to fresh security threats.
 Performance impact: Network performance can be significantly impacted by
firewalls, particularly if they are set up to analyze or manage a lot of traffic.
 Limited scalability: Because firewalls are only able to secure one network,
businesses that have several networks must deploy many firewalls, which can be
expensive.
 Limited VPN support: Some firewalls might not allow complex VPN features
like split tunneling, which could restrict the experience of a remote worker.
 Cost: Purchasing many devices or add-on features for a firewall system can be
expensive, especially for businesses.
Packet Filter Firewall

 It works in the network layer of the OSI Model. It applies a set of rules (based on
the contents of IP and transport header fields) on each packet and based on the
outcome, decides to either forward or discard the packet.
 Packet filter firewall controls access to packets on the basis of packet source and
destination address or specific transport protocol type. It is done at the OSI
(Open Systems Interconnection) data link, network, and transport layers. Packet
filter firewall works on the network layer of the OSI model.
 Packet filters consider only the most basic attributes of each packet, and they
don’t need to remember anything about the traffic since each packet is examined
in isolation. For this reason, they can decide packet flow very quickly.
 Example: A filter can be set to block all UDP segments and all Telnet connections.
This type of configuration prevents outsiders from logging onto internal hosts
using Telnet and insiders from logging onto external hosts using Telnet
connections.
Types of Packet Filtering Firewalls

Dynamic Packet Filtering Firewall

Dynamic packet filtering firewalls are adaptive and can modify rules based on
network traffic conditions. They allow for a more flexible approach to network
security. Dynamic packet filtering firewalls can be useful for handling transfer
protocols that allocate ports dynamically. Dynamic packet filtering firewalls are
beneficial because they can open and close ports as needed, which enhances
security without sacrificing the functionality of applications like FTP.

Static Packet Filtering Firewall

Static packet filtering firewalls are characterized by their fixed configuration.
Administrators manually set rules that remain unchanged unless updated by human
intervention. This type of firewall is practical for smaller networks with consistent
traffic patterns, where the administrative overhead of frequent rule changes is not
viable. Static firewalls are straightforward and dependable, providing a basic level
of security that can be sufficient for less complex network environments.
Stateless Packet Filtering Firewall

Stateless packet filtering firewalls evaluate each packet in isolation without considering
previous or future packets. They rely on predetermined rules to manage network access,
offering a fast and lightweight solution. However, the lack of contextual understanding
can make stateless firewalls less secure, as they cannot detect patterns in malicious traffic
that could indicate a sophisticated attack.

Stateful Packet Filtering Firewall

Stateful packet filtering firewalls maintain a record of active connections and make
decisions based on the state of network traffic. This means they can identify and
allow packets that are part of an established connection, which increases security
by preventing unauthorized access that a stateless system might not detect. Stateful
firewalls provide a higher level of security.
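The rule matching, the "block all UDP and all Telnet" example and the stateless versus stateful distinction described above, as an added Python example that is not part of the original notes. The class names, the internal network 192.168.1.0/24 and the sample packets are assumptions constructed for illustration, and the connection table is simplified (no TCP flags or timeouts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept", "reject" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and self.dport in (None, pkt.dport))


def stateless_filter(rules, pkt, default="drop"):
    """Examine one packet in isolation: the first matching rule wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class StatefulFilter:
    """Same rule set, plus a table of connections the rules have accepted."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()

    def check(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reverse in self.connections:
            return "accept"             # part of an established connection
        action = stateless_filter(self.rules, pkt)
        if action == "accept":
            self.connections.add(flow)  # remember it so replies can return
        return action


# Rule set from the example above: block all UDP and all Telnet (TCP port 23),
# then allow anything else that originates from the internal network.
RULES = [
    Rule("drop", proto="udp"),
    Rule("reject", proto="tcp", dport=23),
    Rule("accept", src="192.168.1.0/24"),
]

# Constructed sample packets (documentation address ranges).
OUT_HTTPS = Packet("192.168.1.5", "203.0.113.10", "tcp", 50000, 443)
REPLY = Packet("203.0.113.10", "192.168.1.5", "tcp", 443, 50000)
UNSOLICITED = Packet("198.51.100.7", "192.168.1.5", "tcp", 443, 50000)
OUT_DNS = Packet("192.168.1.5", "203.0.113.53", "udp", 50001, 53)
IN_TELNET = Packet("198.51.100.7", "192.168.1.5", "tcp", 40000, 23)

if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    for name, pkt in [("OUT_HTTPS", OUT_HTTPS), ("REPLY", REPLY),
                      ("UNSOLICITED", UNSOLICITED), ("OUT_DNS", OUT_DNS),
                      ("IN_TELNET", IN_TELNET)]:
        print(f"{name:12} stateless={stateless_filter(RULES, pkt):7}"
              f" stateful={fw.check(pkt)}")
```

The stateless filter drops the server's reply because no rule accepts inbound traffic, while the stateful filter lets it through only after it has seen the matching outbound connection.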
