UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 1 06CS64:Computer Networks-II Chapter-05: Network Management, Security By Shivakumar.C Department of Computer Science & Information science

PART – B UNIT – 5 NETWORK MANAGEMENT SECURITY Nader F Mir Chapter 9.7,10 Leon Garcia Appendix B,Chapter 11

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 3 Topics Covered Network Management Overview Simple Network Management Protocol (SNMP) Structure Of Management Information (SMI) Management Information Base (MIB) Remote Network Monitoring Security and Cryptographic algorithm Security Protocols Cryptographic Algorithms

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 4 NETWORK MANAGEMENT The main purpose of network management is to monitor,manage and control a network. Network Management tasks can be characterized as follows : 1.QoS and performance management 2.Network failure management 3.Configuration management 4.Security management 5.Billing and accounting management.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 5 Simple network management in a scenario of LANs connecting to the Internet

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 6 QoS and Performance Management A network administrator periodically monitors and analyzes routers, hosts and utilization of links and then redirect traffic flow to avoid any overloaded spots. Certain tools are available to detect rapid changes in traffic flow

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 7 Network Failure Management Any fault in a network such as link, host or router hardware or software outages, must be detected, located and responded to by the network. Figure shows adapter failure at router R3 and host H37 these failures can be detected through network management.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 8 Configuration Management This task involves tracking all the devices under management and ensuring that all devices are connected and operate properly. If there is an unexpected change in routing tables a network administrator wants to discover the misconfigured spot and reconfigure the network before the error affects the network substantially.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 9 Security Management A network administrator is responsible for the security of its network. This task is handled mainly through firewalls. A firewall can monitor and control access points.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 10 Billing and Accounting Management The network administrator specifies user access or restrictions to network resources and issue all billing and charges, if any to users

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 11 Elements of Network Management Network management has three main components : 1.A Managing Center 2.A Managed Device 3.A Network Management Protocol.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 12 Elements of Network Management The managing center consists of the network administrator and his/her facilities. A managed device is the network equipment, including its software that is controlled by managing center. Example :hub,bridge,server,router,printer, modem The network management protocol is a policy between the managing center and the managed devices.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 13 Structure of Management Information (SMI) The structure of management information (SMI) language is used to define the rules for naming objects and to encode objects in a managed network center. SMI is a language by which a specific instance of the data in a managed network center is defined.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 14 Management Information Base (MIB) MIB is an information storage medium that contains managed objects reflecting the current status of the network. Objects are organized in a hierarchical manner and are identified by the abstract syntax notation one (ASN.1) object definition language. The hierarchy of object names known as ASN.1 object identifier, is an object identifier tree in which each branch has both a name and a number

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 15 ASN.1 object identifier organized hierarchically

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 16 Simple Network Management Protocol (SNMP) SNMP is designed to monitor the performance of network protocols and devices. SNMP PDUs can be carried in the payload of a UDP datagram, and so its delivery to a destination is not guaranteed. SNMP runs on top of UDP and uses client/server configuration

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 17 TASK OF SNMP SNMP transport MIB information among managing centers and agents executing on behalf of managing centers. Second version of SNMP is SNMPv2 runs on top of more protocols and has more messaging options resulting in more effective network management. SNMPv3 has more security options.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 18 Seven PDUs of SNMPv2 1.GetRequest is used to obtain a MIB value. 2.GetNextRequest is used to obtain the next value of a MIB object. 3.GetBulkRequest gets multiple values equivalent to multiple GetRequest but without using multiple overheads. 4.InformRequest is a manager-to-manager message that two communicating management centers are remote to each other. 5.SetRequest is used by managing center to initiate the value of a MIB object. 6.Response is a reply message to a request-type PDU. 7.Trap notifies a managing center that an unexpected event has occurred.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 19 SNMP PDU Format

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 20 The Get or Set PDU Format PDU Type indicates one of the seven PDU types. Request ID is an ID used to verify the response of a request. Thus a managing center can detect lost requests or replies. Error Status is used only by Response PDUs to indicate types of errors reported by an agent. Error Index is a parameter indicating to a network administrator which names has caused an error.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 21 The Trap PDU Format Enterprise field is for use in multiple networks. Timestamp field for measuring up time. Agent Address field for indicating that the address of the managed agent is included in the PDU header.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 22 Topics Covered Overview of Network Security Security and Cryptographic algorithms Security Protocols Cryptographic Algorithms

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 23 Network Security Network Security can be divided into two broad categories : 1.Cryptographic Techniques 2.Authentication Techniques.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 24 Elements of Network Security Network Security is a top priority issue in data- networks. Network Security is concerned mainly with the following two elements : 1.Confidentiality : Information must be available only to those who have right to access it. 2.Authenticity and Integrity : The sender of the message and the message itself should be verified at the receiving point

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 25 (a)Message content and sender identity falsified by intruder (b)A method of applied security

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 26 Passive Attacks

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 27 Passive Attacks Attempt to learn or make use of information from the system but do not affect system resources Two types:  Release of message contents ex: telephone conversation, sensitive info in the form of a file, etc.  Traffic analysis Pattern analysis Difficult to detect, so emphasis on prevention rather than detection

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 28 Active Attacks

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 29 Active Attacks Attempt to modify data stream or create a false stream. Easy to detect but difficult to prevent. Types:  Masquerade - impersonating by replay of valid authentication sequence.  Replay – capture data unit and use it in retransmissions to produce unauthorized effect.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 30 DNS Hacking DNS server is a distributed hierarchical and global directory that translates domain names to numerical IP address. DNS is a critical infrastructure and all hosts contact DNS to access servers and start connections. In normal mode of operation hosts send UDP queries to the DNS server, Servers reply with a proper answer or direct the query to smarter servers.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 31 DNS Hacking DNS Hacking attack may result in the lack of data authenticity and integrity and can appear in any of the following forms: 1.Information-level Attack 2.Masquerade Attack 3.Information Leakage Attack 4.Domain Hijacking Attack

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 32 Information-level Attack It forces a server to correspond with other than the correct answer With cache poisoning,a hacker tricks a remote name server into caching the answer for a third party domain by providing malicious information for the domains authorized servers. Hackers can then redirect traffic to pre-selected site.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 33 Masquerade Attack The adversary poses as a trusted entity and obtains all the secret information. The attacker can stop any message from being transmitted further or can change the content or redirect the packet to bogus servers. This action is also known as middle-man attack.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 34 Information Leakage Attack The attacker normally sends queries to each host and receives in reply the DNS host name. In an Information Leakage Attack the attacker sends queries to all hosts and identifies which IP addresses are not used. Later on the intruder can use those IP addresses to make other types of attacks.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 35 Domain Hijacking Attack Once a domain name is selected it has to be registered Various tools are available to register domain names over the Internet. If the tools are not smart enough an invader might obtain secure information and use it to hijack the domain later. In the Domain Hijacking Attack whenever a user enters a domain name address she/he is forced to enter the attackers website. This can be very irritating and can cause great loss of Internet usage ability.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 36 Routing Table Poisoning Attacks It is the undesired modification of routing tables. An attacker can do this by maliciously modifying the routing information update packets sent by routers. Two types of routing table poisoning attacks are the link attack and the router attack.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 37 Packet Mistreatment Attacks A packet mistreatment attack can occur during any data transmission. A hacker may capture certain data packets and mistreat them. This type of attack is very difficult to detect. The attack may result in congestion, lowering throughput and denial of service

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 38 This attack can also be sub classified into link attacks and router attacks. The link attack causes interruption, modification or replication of data packets. A router attack can misroute all packets and may result in congestion or denial of service

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 39 Example of Packet Mistreatment Attacks 1.Interruption 2.Modification 3.Replication 4.Ping of Death 5.Malicious Misrouting of Packets

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 40 Example of Packet Mistreatment Attacks 1.Interruption : If an attacker intercepts packets they may not be allowed to be propagated to their destination, resulting in a lower throughput of the network. This kind of attack cannot be detected easily as even in normal operation routers can drop some packets for various reasons. 2.Modification: Attackers may succeed in accessing the content of a packet while in transit and change its content. They can then change the address of the packet or even change its data.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 41 Example of Packet Mistreatment Attacks 1.Replication : An attacker might trap a packet and replay it. This kind of attack can be detected by using the sequence number for each packet. 2.Ping of Death : An attacker may send a ping message which is large and therefore must be fragmented for transport. The receiver then starts to reassemble the fragments as the ping fragments arrive. The total packet length becomes too large and might cause a system crash. 3.Malicious Misrouting of Packets : A hacker may attack a router and change its routing table, resulting in misrouting of data packets, causing a denial of service.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 42 Denial of Service Attacks This is a type of security breach that prohibits a user from accessing normally provided services. Denial Of Service does not result in information theft or any kind of information loss Denial of Service attacks affect the destination rather than a data packet or router. Denial of Service attacks are easy to generate but difficult to detect.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 43 Denial of Service Attacks There are two types of Denial of Service attacks Single Source : An attacker sends a large number of packets to a target system to overwhelm and disable it. These packets are designed such that real sources cannot be identified. Distributed : A large number of hosts are used to flood unwanted traffic to single target. The target that cannot be accessible to other users in the network, as it is processing the flood of traffic.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 44 Applications of Cryptography to Security The science and art of manipulating messages to make them secure is called cryptography. Original message to be transformed is called plaintext. Resulting message after the transformation is called ciphertext. Process of converting plaintext to ciphertext is called encryption Reverse process is called decryption Algorithm used for encryption and decryption is called Cipher.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 45 Ex : Substitution and Transposition Ciphers Substitution Cipher Substitution ciphers are a common technique for altering messages in games and puzzles. Each letter of the alphabet is mapped into another letter. a b c d e f g h i j k l m n o p q r s t u v w x y z z y x w v u t s r q p o n m l k j i h g f e d c b a

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 46 Ex : Substitution and Transposition Ciphers Transposition Cipher : Here the order in which the letters of the message appear is altered. Substitution and transposition techniques are easily broken.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 47 Cryptographic method must meet several requirement 1.It must be easy to implement 2.It should be deployable on large scale 3.It must provide security to all of its users. 4.It should prevent an attacker from deriving the key even when a large sample of the plaintext and corresponding ciphertext is known

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 48 Secret Key / Symmetric Key Cryptography Secret key cryptography addresses the privacy requirement. Example : Data Encryption Standard (DES) D k (E k (P))

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 49 Secret Key Authentication Challenge Response Challenge Response If the transmitter also wants to authenticate the receiver

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 50 Cryptographic Checksums and Hashes The usual approach to providing integrity is to transmit a cryptographic checksum or hash along with the unencrypted message. A cryptographic checksum must be designed so that it is one way in that it is extremely difficult to find a message that produced a given checksum

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 51 Length Cryptographic Checksums In general the checksum is much shorter than the transmitted message. Cryptographic checksum cannot be too short.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 52 Hash Algorithm Example The Message Digest 5 (MD5) algorithm is an example of Hash Algorithm. Message of arbitrary lengthPadding Multiple of 512 bits Initialized to some value Buffer-128 bits When the process is completed the buffer holds the 128bit hash code The MD5 algorithm itself does not require a key Each step the alg modifies the content of the buffer according to next 512-bit block.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 53 Hash Algorithm Example The Keyed MD5 combines a secret key with the MD5 alg, is widely used to produce a cryptographic checksum. Message of arbitrary lengthPadding Multiple of 512 bits Initialized to some value Buffer-128 bits A hash function that depends on a secret key and on a message is called a message authentication code. This technique would also allow the receiver to authenticate that the authorized sender sent the information.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 54 The Secure Hash Algorithm 1 (SHA-1) is another example. SHA 1 was developed for use with the Digital Signature Standard (DSS) SHA 1 produces an 160 bit hash and is considered more secure than MD5. A general method of improving the strength of a given hash function is to use the Hashed Message Authentication Code (HMAC) method. Hash Algorithm Example

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 55 Unlike secret key cryptography, keys are not shared between senders and receivers in public key cryptography. It was invented in 1975 by Diffie Hellman. It relies on two different keys, a public key and a private key. A sender encrypts the plaintext by using a public key and a receiver decrypt the ciphertext by using a private key. Public Key Cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 56 Public Key / Asymmetric Key Cryptography D k2 (E k1 (P)) One important requirement for public key cryptography is that it must not be possible to determine K2 from K1. Example : RSA (Rivest Shamir and Adleman ) Algorithm

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 57 Public-Key Cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 58 Asymmetric Key Authentication Public key cryptography can also be used for authentication Nonce r Transmitters public keyChallenge

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 59 Public key cryptography can also be used to provide non-repudiation by producing a Digital Signature. To sign a message the transmitter first produces a non-cryptographic checksum or hash of the message. The transmitter then encrypts the checksum or hash using its private key to produce the signature. No one else can create such a signature. The receiver confirms the signature as follows, first the receiver applies the public key encryption algorithm to the signature to obtain a checksum. The receiver then computes the checksum directly from message. If the two checksum agree, then only the given transmitter could have issued the message. Note that the digital signature confirms that the transmitter produced the message and that the message has not been altered. Public Key / Asymmetric Key Cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 60 Why Public-Key Cryptography? developed to address two key issues:developed to address two key issues: –key distribution – how to have secure communications in general without having to trust a KDC with your key –digital signatures – how to verify a message comes intact from the claimed sender

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 61 Comparison of secret key and public key cryptographic systems 1.In terms of capabilities (integrity authentication privacy ) public key systems are more powerful than secret key systems. 2.Public key systems also provide for Digital Signature. 3.Public Key Cryptography has a big drawback that is it is much slower than secret key cryptography. 4.For this reason public key cryptography is usually used only during the setup of a session to establish so-called session key

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 62 Key Distribution center (KDC) Secret key systems require every pair of users to share a separate key. Consequently the number of keys grow as the square of the number of users making these systems unfeasible for large scale use. This problem can be addresses through the introduction of KDC

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 63 Certification Authority (CA) Public key systems require only one pair of keys per user, but they still face the problem of how public key are to be distributed. The public keys must be certified somehow. One approach to address this problem is to establish a Certification Authority (CA).

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 64 Function of CA To issue certificates that consist of signed message stating the name of given user, his or her public key, s serial number identifying the certificate and an expiration date

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 65 Diffie Hellman Exchange T=g x R=g y K = R x mod p = g xy mod p K = T y mod p = g xy mod p

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 66 An alternative to key distribution using KDCs or CAs is to have the transmitter and receiver create shared key by using a series of exchanges over a public network. The procedure assumes that the transmitter and receiver have agreed on the use of a large prime number p and a generator number g that is less than p. Key Generation : Diffie-Hellman Exchange

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 67 The transmitter picks a random number x and calculates T=g x modulo p The receiver picks a random number y and calculates R=g y modulo p The transmitter sends T to the receiver and the receiver sends R to the transmitter. At this point the transmitter and receiver both have T and R so they can calculate as Transmitter R x modulo p = g xy modulo p=K Receiver T y modulo p = g xy modulo p=K Key Generation : Diffie-Hellman Exchange

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 68 Key Generation : Diffie-Hellman Exchange The transmitter picks a random number x and calculates T=g x modulo p The receiver picks a random number y and calculates R=g y modulo p The transmitter sends T to the receiver and the receiver sends R to the transmitter. At this point the transmitter and receiver both have T and R so they can calculate as Transmitter R x modulo p = g xy modulo p=K Receiver T y modulo p = g xy modulo p=K An eavesdropper would have p g T and R available but neither x nor y. To obtain these values the eavesdropper would need to be able to compute discrete logarithms that is x=log g ( T ) and y=log g ( R ). It turns out that this computation is exceedingly difficult to do for large numbers. Thus the transmitter and receiver jointly develop a shared secret K which they can use in subsequent security operations

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 69 The required exponentials need many multiplications for large prime numbers p It could produce a heavy computational burden on a machine and result in Denial Of Service to legitimate Client. Diffie-Hellman Exchange -Weakness

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 70 Diffie Hellman susceptible to Man-in-the Middle Attack

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 71 Scenarios requiring secure communication services

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 72 Packet structure for authentication and integrity service

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 73 Tunnel between two firewall systems

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 74 Packet structure for privacy service

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 75 Setting up a Security Association Series of message exchanges between two hosts to establish a security association. Exchange makes use of Digital Signature for authentication and features the use of a pair of Cookies generated by host to identify security association and to prevent flooding attack. Cookie generation must be fast and must depend on the source and destination address, date and time. Internet Key Exchange (IKE) protocol provides such a procedure

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 76 Setting up a security association

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 77 Setting up a security association Unique Pseudorandom number 64 bits Initiator cookie Ci Cookie valueAddress of responder Header (HDR) contains the initiator cookie. The security association (SA) field in the message offers a set of choices regarding encryption alg,hash alg,authentication method Cookie request msg

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 78 Setting up a security association Unique Pseudorandom number 64 bits Responder cookie Cr Cookie valueAddress of initiater The responder checks to see whether the initiators cookie is not already in use by the source address in the packet header. If not the responder generates it’s cookie Cr Cookie response msg The header includes both Cookies Ci and Cr

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 79 Setting up a security association Upon receiving the response the initiator first checks the address and initiator cookie in the arriving packet against its list. From now the on the initiator will identify the security association by the pair (Ci, Cr). At this point it records the association as “unauthenticated” Next the initiator sends a key request message including its public Diffie Hellman value T = g x modulo p and a nonce Ni

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 80 Setting up a security association The responder host first checks the responder cookie in the arriving message. If the cookie is not valid, the message is ignored. If the cookie is valid, the security association will henceforth be identified by the pair (Ci, Cr). At this point it records the association as “unauthenticated” The responder sends a key response message including its public Diffie Hellman value R = g y modulo p and a nonce Nr

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 81 Setting up a security association After this exchange both initiator and responder hosts have a secret constant K=g xy modulo p. Both parties now compute a secret string of bits SKEYID known only to them SKEYID might be 128 bits long

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 82 Setting up a security association The initiator now prepares a signature stating what it knows SKEYID,T,R,Ci,Cr, SA, initiators identification. ***************************************** Encrypted with alg specified in SA using K Ci Cr This information is sent in a signature request message

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 83 Setting up a security association If the recalculated hash agrees with the received hash Decrypts *******************************Responder Recalculates the hash (SKEYID,T,R,Ci,Cr, SA, initiators ident)

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 84 Setting up a security association The responder now prepares its signature stating what it knows SKEYID,T,R,Ci,Cr, SA, responder identification ***************************************** Encrypted This information is sent in a signature response message

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 85 Setting up a security association If the recalculated hash agrees with the received hash Decrypts *******************************Initiator Recalculates the hash (SKEYID,T,R,Ci,Cr, SA, initiators ident) At this point the security association is established. The security association and keys are recorded as authenticated.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 86 IPSec The goal of IP Security (IPSec) is to provide a set of facilities that support security services such as authentication,integrity,confidentiality and access control at the IP Layer. IPSec uses two protocols to provide traffic security : Authentication Header (AH) and Encapsulating Security Payload (ESP) Each protocol can operate in transport mode or tunnel mode

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 87 Example with IPv4 Authentication and integrity of an IP packet can be provided by an AH. The location of the AH is after the headers that are examined at each Hop and before any other headers that are examined at an intermediate hop. Protocol value in IP Header is 51

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 88 Format of authentication header

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 89 Format of ESP ESP provides Confidentiality authentication and Data Integrity. Protocol value immediately preceding the ESP Header is 50

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 90 Secure Socket Layer and Transport Layer Security SSL operates on top of a reliable stream service such as TCP and provides secure connection for applications. The TLS protocol provides a secure connection with the attributes of privacy and reliability. The TLS protocol consists of protocols that operate at two layers : TLS Record Protocol, TSL Handshake protocol along with Change Cipher Spec Protocol and the Alert Protocol

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 91 TLS in the TCP/IP protocol stack

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 92 The TLS Handshake Protocol The client and server use the handshake protocol to negotiate a session that is specified by the following parameters. 1.Session Identifier 2.Peer Certificate 3.Compression Method 4.Cipher Spec 5.Master Secret 6.Is Resumable

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 93

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 94 Step 1 The client and server exchange hello messages to negotiate algorithms exchange random values and initiate or resume the session.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 95 Step 2 The client and server exchange cryptographic parameters to allow them to agree on a premaster secret. If necessary they exchange certificates and cryptographic information to authenticate each other. They then generate a master secret from the premaster secret and exchange random values

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 96 Step 3 The client and server provide their record layer with the security parameters. The client and server verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 97 The Data Encryption Standard DES is the most widely used shared key cryptographic system. DES first divides the original message into blocks of 64 bits Each block of 64 bit plaintext is separately encrypted into block of 64 bit cipher text. DES uses a 56 bit secret key. The same steps with the same key are used to reverse the encryption.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 98 DES Encryption Overview

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 99 Each Iteration in DES

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 100 DES Round Structure

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 101 Electronic Codebook Book (ECB) message is broken into independent blocks which are encrypted each block is a value which is substituted, like a codebook, hence name each block is encoded independently of the other blocks C i = DES K1 (P i ) uses: secure transmission of single values

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 102 Electronic Codebook Book (ECB)

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 103 Advantages and Limitations of ECB message repetitions may show in ciphertext –if aligned with message block –particularly with data such graphics –or with messages that change very little, which become a code-book analysis problem weakness is due to the encrypted message blocks being independent main use is sending a few blocks of data

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 104 Cipher Block Chaining (CBC) message is broken into blocks linked together in encryption operation each previous cipher blocks is chained with current plaintext block, hence name use Initial Vector (IV) to start process C i = DES K1 (P i XOR C i-1 ) C -1 = IV uses: bulk data encryption, authentication

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 105 Cipher Block Chaining (CBC)

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 106 Advantages and Limitations of CBC a ciphertext block depends on all blocks before it any change to a block affects all following ciphertext blocks need Initialization Vector (IV) –which must be known to sender & receiver –if sent in clear, attacker can change bits of first block, and change IV to compensate –hence IV must either be a fixed value (as in EFTPOS) –or must be sent encrypted in ECB mode before rest of message

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 107 Cipher Block Chaining

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 108 The Data Encryption Standard Left hand side of figure shows the Processing of the plain text proceeds in three phases. First the 64 bit plain text passes through an Initial Permutation (IP) that rearranges the bits to produce the permuted input. This is followed by a phase consisting of 16 rounds of the same function which involves both permutation and substitution functions. The output of the last round consists of 64 bits that are a function of the input plain text and the key. The left and right halves of the output are swapped to produce the preoutput. Finally the preoutput is passed through a permutation (IP -1 ) that is the inverse of the initial permutation function to produce the 64-bit ciphertext.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 109 The Data Encryption Standard Right hand side of figure shows the way in which the 56-bit key is used. Initially the key is passed through a permutation function. It is independent of the key For each of the 16 rounds a subkey ( K i ) is produced by the combination of a left circular shift and a permutation. The permutation function is the same for each round but a different subkey is produced because of the repeated iteration of the key bits

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 110 Initial and final permutations (Ref) Initial and final permutations – input is 8-bit block of plaintext IP IP -1 chosen such that IP -1 (IP(X))=X IP IP P4 2431

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 111

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 112

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 113 S-DES Finding F: Apply expansion/permutation on 4 bits of R E/P

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 114

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 115 Substitution Boxes S have eight S-boxes which map 6 to 4 bits each S-box is actually 4 little 4 bit boxes –outer bits 1 & 6 (row bits) select one row of 4 –inner bits 2-5 (col bits) are substituted –result is 8 lots of 4 bits, or 32 bits row selection depends on both data & key –feature known as autoclaving (autokeying) example: –S( d ) = 5fd25e03

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 116 Substitution Boxes

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 117 Substitution Boxes

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 118 DES key schedule calculation

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 119 DES key schedule calculation

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 120 The Data Encryption Standard (DES)

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 121 Overview of Advanced Encryption Standard (AES)

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 122 RSA

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 123 RSA (Rivest Shamir Adleman) The RSA scheme is a block Cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n. A typical size for n is 1024 bits or 309 decimal digits. RSA makes use of an expression with exponentials.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 124 RSA (Rivest Shamir Adleman) The public and private keys are generated based on following rules : Plaintext is encrypted in blocks, with each block having a binary values less than some number n.. That is the block size must be less than or equal to log 2 (n). In practice the block size is k bits where 2 k <n≤2 k+1 Choose two large prime numbers p and q such that the product is equal to n. The plaintext P that is represented by a number must be less than n. in practice n is a few hundred bits long

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 125 RSA (Rivest Shamir Adleman) 1.Choose two large prime numbers p and q such that the product is equal to n. The plaintext P that is represented by a number must be less than n. in practice n is a few hundred bits long. 2.Find a number e that is relatively prime to (p-1)(q-1). Two numbers are said to be relatively prime if they have no common factors except 1. The public key consists of {e,n}. 3.Find a number d such that de=1 mod ((p-1)(q-1)). In other words d and e are multiplicative inverses of each other modulo ((p-1)(q-1)). The private key consists of {d,n}

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 126 RSA (Rivest Shamir Adleman) The RSA algorithm is based on the fact that if n,p,q,d and e satisfy properties 1 to 3 above, then for any integer P< n the following key property holds : P de (mod n) = P (mod n) The RSA algorithm uses binary keys that are several hundred bits long, typically 512 bits. RSA takes a binary block of plaintext of length smaller than the key length and produces a ciphertext that is the same length of the key. Suppose that P is an integer that corresponds to a block of plaintext. RSA encrypts P as follows C = P e ( mod n ) The above calculation will yield an integer between 0 and n, and hence will require the same number of bits as the key. RSA decrypts the ciphertext C as follows C d (mod n ) = (P e ) d ( mod n ) = P de ( mod n ) = P ( mod n ) =P

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 127 RSA Example p =5 q=11 N=pq =55 (p-1)(q-1) = 40 Find e that is relatively prime to 40 say 7 The multiplicative inverse of 7 modulo 40 yields 23. Public key {7,55} Private key {23,55} Message “RSA” is to be protected. So it is represented numerically as 18,19,1 Plaintext P1=18 P2=19 P3=1

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 128 RSA Example ciphertext C1 = 18 7 mod 55 = 17 ciphertext C2 = 19 7 mod 55 = 24 ciphertext C1 = 1 7 mod 55 = 1 Decryption produces mod 55 = mod 55 = mod 55 = 1

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 129 RSA Example p=17 q=11 M=88 N=pq 17x11=187 (p-1)(q-1) = 16x10 = 160 Select e such that it is relatively prime to 160 and less than 160 choose e = 7 Determine d such that de=1 mod 160 and d < 160. The correct value is d =23 because 23 x 7 =161 = 10 x160+1 Public Key KU { 7,187} Private Key KR = {23,187} Encryption C=88 7 mod 187 = 11 Decryption M= mod 187 = 88

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 130 A simple configuration of a secured network using a firewall

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 131 REFERENCE SLIDES

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 132 Cryptography components

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 133 In cryptography, the encryption/decryption algorithms are public; the keys are secret. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 134 In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 135 Symmetric-key cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 136 In symmetric-key cryptography, the same key is used in both directions. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 137 Caesar cipher

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 138 Transpositional cipher

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 139 DES

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 140 Iteration block

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 141 Triple DES

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 142 The DES cipher uses the same concept as the Caesar cipher, but the encryption/ decryption algorithm is much more complex. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 143 Public-key cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 144 RSA

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 145 Symmetric-key cryptography is often used for long messages. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 146 Asymmetric-key algorithms are more efficient for short messages. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 147 PRIVACY Privacy means that the sender and the receiver expect confidentiality. The transmitted message must make sense to only the intended receiver. To all others, the message must be unintelligible. The topics discussed in this section include: Privacy with Symmetric-Key Cryptography Privacy with Asymmetric-Key Cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 148 Privacy using symmetric-key encryption

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 149 Privacy using asymmetric-key encryption

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 150 Digital signature can provide authentication, integrity, and nonrepudiation for a message. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 151 DIGITAL SIGNATURE Digital signature can provide authentication, integrity, and nonrepudiation for a message. The topics discussed in this section include: Signing the Whole Document Signing the Digest

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 152 Signing the whole document

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 153 Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 154 Hash function

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 155 Sender site

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 156 Receiver site

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 157 ENTITY AUTHENTICATION Entity authentication is a procedure that verifies the identity of one entity for another. An entity can be a person, a process, a client, or a server. In entity authentication, the identity is verified once for the entire duration of system access. The topics discussed in this section include: Entity Authentication with Symmetric-Key Cryptography Entity Authentication with Asymmetric-Key Cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 158 Using a symmetric key only

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 159 Using a nonce

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 160 Bidirectional authentication

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 161 KEY MANAGEMENT In this section we explain how symmetric keys are distributed and how public keys are certified. The topics discussed in this section include: Symmetric-Key Distribution Public-Key Certification Kerberos

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 162 A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 163 Diffie-Hellman method

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 164 The symmetric (shared) key in the Diffie-Hellman protocol is K = G xy mod N. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 165 Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R1 = 7 3 mod 23 = Alice sends the number 21 to Bob. 3. Bob chooses y = 6 and calculates R2 = 7 6 mod 23 = Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 4 3 mod 23 = Bob calculates the symmetric key K = 21 6 mod 23 = 18. The value of K is the same for both Alice and Bob; G xy mod N = 7 18 mod 23 = 18. Example 1

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 166 Man-in-the-middle attack

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 167 First approach using KDC

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 168 Needham-Schroeder protocol

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 169 Otway-Rees protocol

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 170 In public-key cryptography, everyone has access to everyone’s public key. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 171 X.509 fields

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 172 PKI hierarchy

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 173 Kerberos servers

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 174 Kerberos example

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 175 SECURITY IN THE INTERNET In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method called PGP. The topics discussed in this section include: IP Level Security: IPSec Transport Layer Security Application Layer Security: PGP

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 176 Transport mode

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 177 Tunnel mode

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 178 AH

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 179 The AH protocol provides message authentication and integrity, but not privacy. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 180 ESP

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 181 ESP provides message authentication, integrity, and privacy. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 182 Position of TLS

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 183 TLS layers

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 184 Handshake protocol

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 185 Record Protocol

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 186 PGP at the sender site

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 187 PGP at the receiver site

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II FIREWALLS A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. The topics discussed in this section include: Packet-Filter Firewall Proxy Firewall

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 189 Firewall

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 190 Packet-filter firewall

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 191 A packet-filter firewall filters at the network or transport layer. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 192 Proxy firewall

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 193 A proxy firewall filters at the application layer. Note:

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 194 ASSIGNMENT

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 195 Question Consider a highly simplified Diffie Hellmann exchange in which p=29 and g=5. suppose that user A chooses the random number x=3 and user B chooses the random number y=7. find the shared secret key K

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 196 Question What are the typical security threats that can arise in a network setting Explain the security requirements for information transmitted over network With examples explain the following : Substitution cipher Transposition cipher

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 197 Question Explain the secret key cryptography With an example, explain public key cryptography

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 198 Question Using RSA algorithm encrypt the following ( a) p=3, q=11, e=7 P=12 ( b ) p=7, q=11, e=17, P=25 ( c ) find the corresponding Ds for ( a ) and ( b ) and decrypt the ciphertexts.

UNIT-5/NETWORK MANAGEMENT SECURITY06CS64-COMPUTER NETWORKS-II 199 Conventional Vs Public_Key Encryption