MITA DUTTA Electrical Engineering Department Jadavpur University

NETWORK SECURITY

With the advent of computerization, information security has gained importance because, after all, "information is power". Organizations have to ensure that their information is not stolen or tampered with, either by employees or outsiders. Before the widespread use of data processing equipment, the security of information felt to be valuable to an organization was provided primarily by physical and administrative means; an example of the former is the use of rugged filing cabinets with a combination lock for storing sensitive documents; an example of the latter is personnel screening procedures used during the hiring process.

MITA DUTTA Electrical Engineering Department Jadavpur University

This has become a very challenging task. On one hand, antisocial elements use the technology to hack computers, spread viruses, and pose many security threats to the organizations. On the other hand, the organizations need to devise methods to contain the security threats by employing the latest technologies. The generic name for the collection of tools designed to protect data and to thwart hackers is computer security. The second major change that affected security is the

introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer.

What is Network Security

2

MITA DUTTA Electrical Engineering Department Jadavpur University

Network

security

involves

all

activities

that

organizations,

enterprises, and institutions undertake to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to counteract them. Network security measures are needed to protect data during their transmission, and to guarantee that data transmissions are authentic.

Security Requirements
Computer and network security address three requirements: Secrecy: Requires that the information in a computer system only be accessible for reading by authorized parties.
3

MITA DUTTA Electrical Engineering Department Jadavpur University

Integrity: Requires that computer system assets can be modified only by authorized parties. Modification includes creating. Availability: Requires that computer system assets are available to authorized parties. writing, changing status, deleting, and

Threats to network security include:

Viruses
Viruses are the most widely known security threats, and are computer programs that are written by devious programmers and are designed to replicate themselves and infect computers when triggered by a specific event. A network can be infected by a virus only if the virus enters the network through an outside source most often through an infected floppy disk or a file downloaded from the Internet. When one computer on the network becomes
4

MITA DUTTA Electrical Engineering Department Jadavpur University

infected, the other computers on the network are highly susceptible to contracting the virus.

Trojan Horse Programs

Trojan horse programs, or trojans, are actually enemies in disguise. Trojans can delete data, and open up computers to additional attacks. Trojan horses may allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, a hacker may have access to the computer remotely and perform various operations, limited by user privileges on the target computer system and the design of the Trojan horse. Operations that could be performed by a hacker on a target computer system include: Use of the machine as part of a botnet i.e. is a collection of software agents, that run automatically and the term is most
5

MITA DUTTA Electrical Engineering Department Jadavpur University

commonly associated with malicious software (e.g. to distribute Denial-of-service attacks. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.) Data theft (e.g. retrieving passwords or credit card

information) Installation of software, including third-party malware Downloading or uploading of files on the user's computer Modification or deletion of files Watching the user's screen

Vandals
A vandal is a software application or applet that causes destruction of single file or a major portion of a computer system.

Attacks
6

MITA DUTTA Electrical Engineering Department Jadavpur University

In general, there is a flow of information from a sourceto a destination. This normal flow is depicted in Figure. The remaining parts of the figure show the following four general categories of attack: Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability. Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication line, or the disabling of the file management system. Interception: An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer.
7

MITA DUTTA Electrical Engineering Department Jadavpur University

Examples include wiretapping to capture data in a network, and the illicit copying of files or programs. Modification: An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of messages being transmitted in a network. Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. Examples include the insertion of spurious messages in a network or the addition of records to a file.
8

MITA DUTTA Electrical Engineering Department Jadavpur University

Fig. Security Attacks

A useful categorization of these attacks is in terms of passive attacks and active attacks. Passive Attacks
9

MITA DUTTA Electrical Engineering Department Jadavpur University

Passive attacks mean the monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of attacks are involved here: releaseof-message contents and traffic analysis. The release-of-message contents : A telephone conversation, an electronic mail message, a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions. The second passive attack, tralffic analysis: Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the

10

MITA DUTTA Electrical Engineering Department Jadavpur University

message. The common technique for masking contents is encryption. The above attacks can be difficult to detect but can be prevented.

Active Attacks
These attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, modification of messages, and denial of service. Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

11

MITA DUTTA Electrical Engineering Department Jadavpur University

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts." The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target. For example, an entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
12

MITA DUTTA Electrical Engineering Department Jadavpur University

Network security tools

Antivirus software packages
These packages counter most virus threats if regularly updated and correctly maintained.

Secure network infrastructure

Switches and routers have hardware and software features support secure connectivity and security management. Dedicated network security hardware and software-Tools such as firewalls and intrusion detection systems provide protection for all areas of the network and enable secure connections.

Identity services
These services help to identify users and control their activities and transactions on the network. Services include passwords and authentication keys.

Privacy with Encryption

13

MITA DUTTA Electrical Engineering Department Jadavpur University

The

universal

technique

for

providing

privacy

for

transmitted data is conventional encryption. Conventional Encryption The original intelligible message, referred to as plaintext, is converted into apparently random nonsense, referred to as ciphertext. The encryption process consists of an algorithm and a key. The key is a value independent of the plaintext that controls the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. Changing the key changes the output of the algorithm. Once the ciphertext is produced, it is transmitted. Upon reception, the ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the
14

MITA DUTTA Electrical Engineering Department Jadavpur University

same key that was used for encryption. The security of conventional encryption depends on several factors. First, the encryption algorithm must be powerful enough so that it is impractical to decrypt a message on the basis of the ciphertext alone. Beyond that, the security of conventional encryption depends on the secrecy of the key, not on the secrecy of the algorithm. That is, it is assumed that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm. In other words, we don't need to keep the algorithm secret; we only need to keep the key secret. There are several ways of classifying algorithms. They will be categorized based on the number of keys that are employed for encryption and decryption
15

MITA DUTTA Electrical Engineering Department Jadavpur University

Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption. Public Key Cryptography (PKC): Uses one key for encryption and another for decryption. Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information.

Secret Key Cryptography

With secret key cryptography, a single key is used for both encryption and decryption. The sender uses the key (or some set of rules) to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key (or ruleset) to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key

cryptography is also called symmetric encryption.

16

MITA DUTTA Electrical Engineering Department Jadavpur University

With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key.

Fig. Simplified Model of Symmetric Encryption

17

MITA DUTTA Electrical Engineering Department Jadavpur University

Ingredients

Plain text Encryption algorithm Secret key Cipher text

Decryption algorithm Data Encryption Standard (DES) developed by the U.S. Department of Defense, has been used extensively as a secret key algorithm. In DES, each block of 64 bits of information is modified using a 56-bit encryption key to obtain 64-bit ciphertext. DES is not based on any mathematical foundation. If the data is received by an unauthorized person, it is very
18

MITA DUTTA Electrical Engineering Department Jadavpur University

difficult to decode the information because of the heavy computation involvedhe has to try all possible

combinations of ones and zeros of the 56-bit key to get the plain text. Through jugglery of bits, DES is a complicated algorithm. To make it more secure, triple DES has been developed, which encrypts the data three times. For each iteration, a separate key can be used, so three keys are used for the encryption. The intended recipient should know the key to decrypt the data.

Public-Key Cryptography

19

MITA DUTTA Electrical Engineering Department Jadavpur University

Public-key cryptography has been said to be the most significant new development in cryptography. One key made public Used for encryption Other kept private Used for decryption Infeasible to determine decryption key given encryption key and algorithm Either key can be used for encryption, the other for decryption

Steps
User generates pair of keys User places one key in public domain
20

MITA DUTTA Electrical Engineering Department Jadavpur University

To send a message to user, encrypt using public key User decrypts using private key
Choice of keys:

Choose two prime numbers p and q Computer n = pq and z = (p-1)(q-1) Choose e < n, it has no common factors with z Find d, ed-1 is divisible by z
Usage:

Public key: (n,e) Private key: (n,d) Encryption: c = me mod n Decryption: m = cd mod n Example : Choose p=5 and q=7 Thus, n=35 and z=24
21

MITA DUTTA Electrical Engineering Department Jadavpur University

Choose e=5, since 5 and 24 have no common factors Choose d=29, since 529-1 is divisible by 24 Public key: (35, 5)

Private key: (35, 29)

22