Presentation is loading. Please wait.

Presentation is loading. Please wait.

UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media.

Published byIrene Blake Modified over 8 years ago

Similar presentations

Presentation on theme: "UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media."— Presentation transcript:

1 UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media.

2 Learning objectives After the completion of this unit the student must be able to Explain security Explain DES Explain RSA Explain Cryptography

3 Network Security Deals with the Following Issues
Secrecy (or confidentiality) No unauthorized person can see the content Authentication Determining whom you are really talking to Non-repudiation (digital signature) A person cannot deny what he/she has sent Integrityp Make sure a received message has not been modified.

4 Attacks on Network Security
Passive attack Release of message content Traffic analysis Active attack Masquerade Replay Modification of message contents Denial of service

5 Traditional Cryptography

6 One Example: Substitution Ciphers
Every letter is shifted by k positions in the 26-letter alphabet list. Or using permutation to randomly map a letter to another letter. O SGCT NGX Using the properties of natural languages, decoding the above message is not difficult.

7 Two Fundamental Cryptographic Principles
All message must contain some redundancy to prevent intruders from tricking the receiver into acting on a false message. Otherwise, a randomly generated cipher may map to a meaningful message. However, too much redundancy will make the cryptanalysts’ job easier. Some measure must be taken to prevent intruders from playing back old valid messages.

8 A Secret Key Algorithm: DES
Data Encryption Standard (DES) is widely used in the industry. Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of cipher. Key is 56 bits. (no longer considered safe) This algorithm has 19 stages. Triple DES uses E-D-E and two keys (112 bits is considered safe) for backward compatibility. (by setting k1=k2, triple DES can communicate with DES)

9 Double DES Can be Attacked by “Meet-in-the-Middle”

10 DES Block Diagram

11 Location of Encryption Devices

12 Two Locations of Encryption Devices
Link encryption devices All traffic on such a link is encrypted. Both data payload and header can be encrypted. A passive intruder cannot know where a packet is headed for. However, it hurts network forwarding performance a lot. The header of a packet needs to be decrypted each time it enters the router for forwarding. Vulnerable when transmitted on a link that does not support encryption and when entering a router. End-to-end encryption devices Only the two end hosts know which traffic is important enough that it need to be encrypted. Performance is thus better. Only data payload can be encrypted. A passive intruder can know where a packet is headed for. Data payload is safe all the way from the source to the destination node.

13 Key Distribution is Very Important
For traditional encryption to work, the communicating two party must have the same secret key before securely exchanging their data. Frequency key changes are desirable to limit the data compromised if an attacker learns the key. Therefore, the strength of any cryptographic systems depends on the key distribution technique!

14 Key Distribution Can Be Achieved in a Number of Ways
Suppose A and B communicate with each other: A can select a key and physically deliver it to B. A third party can select a key and physically deliver it to A and B. If A and B are already using a key to communicate, one party can transmit the new key to the other, encrypted using the old key. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. Security, flexibility, and convenience determine whether a method can gain popular uses. The hardest problem is how to set up the first secret key. Public key Diffie-Hellman method

15 An Automatic Key Distribution Example

16 Message Authentication (Also Called Digital Signature)
A message is said to be authentic when it is genuine and came from its alleged source. Message authentication is a procedure that allows communicating parties to verify the received message are authentic. The receiver can make sure that the message content is not altered. The receiver can make sure that the message really came from the alleged source. The sender later cannot repudiate that he/she sent this message. The receiver can make sure that the message is not a replay.

17 Message Can Be Authenticated by Encryption
Encrypt the content of a message by a key owned by the source. The receiver uses the same key to decrypt the received message. If the decoded message looks reasonable, then this message is not altered and came from the alleged source. Advantages: Achieve confidentiality, authentication, and integrity at one time. Disadvantage: Too slow. Sometime, confidentiality is not needed. For example, authentication of computer programs to detect virus.

18 Authentication Messages without Encryption (Message Digests)
An authentication tag is generated and appended to the message for transmission. The tag is a hash function of the content of the message and the source’s key. The content of the message need not be encrypted. Much faster than using encryption for the whole message The receiver uses the same function and key to compute a tag. If the tag is the same as the appended tag, the message is authentic. Otherwise, either the appended tag or the message content has been altered.

19 Message Digests Use Secure Hash Function
The purpose of a hash function H is to produce a “fingerprint” of a message. Requirements: H can be applied to a block of data of any size. H produces a fixed-length output. H(x) is easy to compute, making software and hardware implementation cost low. For any given code h, it is computationally infeasible to find x such that H(x) = h. For any given block x, it is computationally infeasible to find y != x with H(x) = H(y). It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). Example: SHA, MD5

20 Different Ways of Doing Message Digests
Used by IPsec

21 Public-Key Cryptography
Each person has two keys – one public, the other private. The sender uses the receiver’s public key to encrypt message. The receiver uses his/her private key to decrypt. No secret key distribution is needed.

22 Public-Key Can be Used For Message Authentication
Only Bob has Bob’s private key, no one else can use Bob’s private key to encrypt a message.

23 Public-Key Can be Used For Both Message Authentication and Encryption

24 The RSA Public-Key Encryption Algorithm

25 The RSA Public-Key Encryption Example

26 The Diffie-Hellman Key Exchange to Establish a Shared Secret Key
Given g, n, and g^x mod n, finding x is computationally difficult. No need to distribute secret keys!

27 IPv4 and IPv6 Security: IPsec
IPsec provides three facilities: Authentication-only (AH) Authentication with encryption (Encapsulating Security Payload, ESP) Key management IPsec provides two modes: Transport mode Only data payload can be authenticated or/and encrypted. Packet header is exposed. Tunnel mode Both packet header and data payload can be encrypted An original packet is put into and carried as a tunnel IP packet’s data payload. Thus, the original packet header is not exposed.

28 Transport and Tunnel Modes

29 Security Association in IPsec
An association is a one-way relationship between a sender and a receiver that offers security service to the traffic carried on it. For a two-way secure exchange, two associations, one for each direction, need to be set up. A security association is uniquely defined by Security parameter index (like VC ID) So that a receiving node knows which encryption/authentication algorithm should be used to process a received packet IP destination address Security protocol identifier (e.g., AH or ESP)

30 Authentication Header Format
The authentication data stores the message digest. The calculation of the digest covers: The IP header fields that either do not change (e.g., source IP address) or that are predictable upon arrival at the receiving node (e.g., destination IP address when source routing is used). The AH header itself. The entire IP data payload.

31 ESP(Encapsulating Security Payload) Header Format

32 Security Can be Enforced At Different Layers
IPsec is a security mechanism at the network layer. When used, all traffic between two nodes needs to be authenticated or encrypted. (good for VPN) However, not all traffic is important. Authentication and encryption operations hurt forwarding packet performance a lot! Secure Socket Layer (SSL) is at the transport layer. We can use SSL to connect to a secure web server only when really needed. Also, we can do authentication/encryption at the application layer. That is, we can manually authenticate and encrypt a message and then send it on a normal TCP connection.

33 Tutorial Questions Explain about FTAM services. Discuss about DNS.
Explain about multimedia. Discuss about WWW. Explain about Domain Name systems(DNS). Explain about Multimedia. [8+8] Write short notes on: (a) Word Wide Web. (b) FTAM (c) VTP.

Download ppt "UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media."

Similar presentations

Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Chapter 18: Network Security Business Data Communications, 5e.

Chapter 18: Network Security Business Data Communications, 5e.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Chapter 20: Network Security Business Data Communications, 4e.

Chapter 20: Network Security Business Data Communications, 4e.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.

Similar presentations

Ads by Google