EEC4113 Data Communication & Multimedia System
Chapter 9: Session Layer – Network Security
by Muhazam Mustapha, November 2011
Learning Outcome
• By the end of this chapter, students are expected to be able to explain issues related to network security
Chapter Content
• Network Security Issues
• Security Key, Cryptography and Authentication Techniques
• Firewall
• Steganography
Security Requirements
• Confidentiality
– Requires that data only be accessible by authorized party
• Integrity
– Requires that data can be modified only by authorized party
– Modification includes writing, changing, deleting and creating
CO1
Security Requirements
• Availability
– Requires that data are available to authorized parties
• Authenticity
– Requires that a host or service be able to verify the identity of a user
CO1
Types of Attacks
• A useful means of classifying security attacks is in terms of passive attacks and active attacks
• The purpose of an attack is not necessarily to obtain information; it might be just to cause some kind of problem at the target
• 2 types of attacks:
– Passive attacks
– Active attacks
CO1
Passive Attacks
• Eavesdropping on transmissions to obtain information
– Secretly listening to people’s conversation
• Two types:
– Release of message contents
  • Outsider learns content of transmission
– Traffic analysis
  • By monitoring frequency and length of messages, even encrypted, nature of communication can be guessed
CO1
Passive Attacks
• Difficult to detect because they do not involve any alteration of the data
• Can be prevented, usually by means of encryption
CO1
Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• 4 types:
– Masquerade
– Replay
– Modification of messages
– Denial of service (DoS)
• Easy to detect but hard to prevent
• Goal: Detect and recover from any disruption or delays caused by them
CO1
Active Attacks
• Masquerade
– Pretending to be a different entity
• Replay
– Passive capture of data unit and its subsequent retransmission to produce an unauthorized effect
  • Capturing a password during eavesdropping and reusing it to dishonestly access a system
CO1
Active Attacks
• Modification of Messages
– Portion of legitimate message is altered into a content wanted by the attacker
• Denial of Service (DoS)
– Disruption of entire network or a server, either by disabling the network server or by overloading it with messages so as to degrade performance
CO1
Maintaining Confidentiality
• The universal technique for providing confidentiality for transmitted data is symmetric encryption
• Also referred to as conventional encryption or single-key encryption
CO1
Symmetric Encryption
• Plaintext: Original message or data that is fed into the algorithm as input
• Encryption algorithm: Performs various substitutions & transformations on the plaintext
• Secret key: Input to the encryption algorithm. Exact substitutions & transformations performed by the algorithm depend on the key
• Ciphertext: Scrambled message, produced as output. Depends on plaintext & secret key. Different keys will produce different ciphertext
• Decryption algorithm: Takes ciphertext & secret key as input to produce the original plaintext
CO1
Encryption Requirements
• Strong encryption algorithm
– Even if the algorithm is known, it should not be possible to decrypt or work out the key
– Even if a number of ciphertexts are available together with their plaintexts
• Sender and receiver must obtain secret key securely
– Once key is known, all communication using this key is readable
CO1
Attacking Encryption
• There are 2 general approaches to attacking a symmetric scheme:
– Cryptanalysis
  • Rely on nature of algorithm plus some knowledge of general characteristics of plain text
  • Attempt to deduce plain text or key
CO1
Encryption Algorithms
• The most commonly used symmetric encryption algorithms are block ciphers
• A block cipher processes plaintext in fixed-size blocks, producing a block of ciphertext of equal size
CO1
Encryption Algorithms
• Two most important block cipher algorithms:
– Data Encryption Standard (DES) – 56-bit key
  • Extension of DES - 3DES – 112 / 168-bit key
– Advanced Encryption Standard (AES) – up to 256-bit key
CO1
Link Encryption
• All traffic secure
• High level of security
• Requires lots of encryption devices
• Message must be decrypted at each switch to read address (virtual circuit number)
• Security vulnerable at switches
– Particularly on public switched network
CO1
End-to-End Encryption
• Encryption done at ends of system
• Data in encrypted form crosses network unaltered
• Destination shares key with source to decrypt
• Host can only encrypt user data
– Otherwise switching nodes could not read header or route packet
• Traffic pattern not secure
CO1
Secure Hash Functions
• Hash function must have following properties:
– Can be applied to any size data block
– Produce fixed length output
– Easy to compute
– Not feasible to reverse
– Not feasible to find two messages that give the same hash
CO1
SHA-1
• Secure Hash Algorithm 1
• Input message less than 2^64 bits
– Processed in 512 bit blocks
• Output 160 bit digest
CO1
Public Key Cryptography
• Based on mathematical algorithms
• Asymmetric
– Use two separate keys
• Ingredients
– Plain text
– Encryption algorithm
– Public and private key
– Cipher text
– Decryption algorithm
CO1
Public Key Cryptography: Encryption Operation
• User generates pair of keys
• User places one key in public domain
• Infeasible to determine decryption key given encryption key and algorithm
• To send a message to user, encrypt using the user’s public key
• User decrypts using his private key
• His own public key could NOT decrypt it
CO1
Public Key Cryptography: Authentication Operation
• To send an authentication certification to a receiver, encrypt the certification using the sender’s private key
• Receiver authenticates the certification using the sender’s public key
CO1
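The encryption and authentication operations from the two slides above, as an added Python example that is not part of the original slides. It assumes textbook RSA with tiny constructed primes and no padding, which is fit for illustration only; the function names are hypothetical.

```python
# Textbook RSA with tiny constructed primes: no padding, illustration only.
P, Q = 61, 53                       # secret primes (constructed sample values)
N = P * Q                           # modulus 3233, part of both keys
E = 17                              # public exponent: (E, N) goes in the public domain
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent 2753, kept by the user


def encrypt(message: int) -> int:
    """Anyone encrypts to the user with the user's public key."""
    return pow(message, E, N)


def decrypt(ciphertext: int) -> int:
    """Only the holder of the private key recovers the message."""
    return pow(ciphertext, D, N)


def sign(message: int) -> int:
    """Authentication operation: the sender applies the private key."""
    return pow(message, D, N)


def verify(message: int, signature: int) -> bool:
    """The receiver checks the value with the sender's public key."""
    return pow(signature, E, N) == message


if __name__ == "__main__":
    c = encrypt(65)
    print("ciphertext:", c)
    print("private key decrypts:", decrypt(c))
    print("public key applied again:", pow(c, E, N))   # not the plaintext
    s = sign(1234)
    print("signature valid:", verify(1234, s))
    print("altered value accepted:", verify(1235, s))
```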
SSL Transport Layer Security
• Security services for TCP/IP Transport Layer Security defined in RFC 2246
• SSL (secure socket layer) general-purpose service
– Set of protocols that rely on TCP
• Two implementation options
– Part of underlying protocol suite
  • Transparent to applications
– Embedded in specific packages
  • E.g. Netscape and Microsoft Explorer and most Web servers
CO1
SSL Architecture
• SSL uses TCP to provide reliable end-to-end secure service
• SSL has two layers of protocols
• Record Protocol provides basic security services to various higher-layer protocols
– In particular, HTTP can operate on top of SSL
• Three higher-layer protocols
– Handshake Protocol
– Change Cipher Spec Protocol
– Alert Protocol
CO1
SSL Record Protocol
• The SSL record protocol defines the format used to transmit data
• The SSL record protocol provides two services for SSL connections:
– Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads
– Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)
CO1
SSL Header
Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
Major Version (8 bits): Indicates the major version of SSL in use. E.g. 3
Minor Version (8 bits): e.g. 0
Compressed length (16 bits): The length in bytes of the plain text fragment. The maximum value is 2^14 + 2048
CO1
SSL Handshake Protocol
• The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions:
– Authenticate the server to the client.
– Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
– Optionally authenticate the client to the server.
– Use public-key encryption techniques to generate shared secrets.
– Establish an encrypted SSL connection.
CO1
SSL Change Cipher Spec Protocol
• Used to change the keying material in encryption between the client and server
• Keying material is raw data that is used to create keys for cryptographic use
• The CCS sub-protocol consists of a single message to tell the other party in the SSL/TLS session, who is also known as the peer, that the sender wants to change to a new set of keys
CO1
SSL Alert Protocol
• Alert messages are used to indicate a change in status or an error condition to the peer
• There are a wide variety of alerts to notify the peer of both normal and error conditions defined in RFC 2246:
– closure notify
– unexpected message
– bad record MAC
– decompression failure
– handshake failure
CO1
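The header fields from the SSL Header slide and the alerts from the SSL Alert Protocol slide, as an added Python example that is not part of the original slides: a parser that validates one record and decodes an unencrypted alert. The numeric content-type and alert codes are the RFC 2246 values, `parse_record` is a hypothetical name, and the sample records are constructed.

```python
import struct

# Content type values defined by SSL 3.0 / TLS 1.0 (RFC 2246)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Alerts listed on the slide, under their RFC 2246 names and codes
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
MAX_FRAGMENT = 2**14 + 2048   # upper bound on the 16-bit length field


def parse_record(data: bytes) -> dict:
    """Parse one record: 5-byte header followed by the fragment."""
    if len(data) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if major != 3:
        raise ValueError(f"unexpected major version {major}")
    if length > MAX_FRAGMENT:
        raise ValueError(f"length {length} exceeds 2^14 + 2048")
    if len(data) < 5 + length:
        raise ValueError("truncated fragment")
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
              "length": length, "fragment": data[5:5 + length]}
    # An unencrypted alert is exactly two bytes: level, description
    if ctype == 21 and length == 2:
        level, desc = record["fragment"]
        record["alert"] = (ALERT_LEVELS.get(level, "unknown"),
                           ALERTS.get(desc, f"other({desc})"))
    return record


# Constructed sample records (not captured traffic)
FATAL_BAD_MAC = bytes([21, 3, 0, 0, 2, 2, 20])
OVERSIZED = bytes([23, 3, 0]) + struct.pack("!H", MAX_FRAGMENT + 1)

if __name__ == "__main__":
    print(parse_record(FATAL_BAD_MAC))
```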
Firewalls
• A firewall is a piece of hardware or software program which protects a computer or network from attacks from intruders and hackers
• Today’s firewalls also include virus scanning, URL screening, and keyword scanners – or the other way around
CO1, CO3
Need for Firewalls
To protect against the following:
• Loss and Manipulation of Data
• Business Secrets and Confidential Data
• Hijacked Networks
• Loss of Reputation
CO1, CO3
Firewall Operation
• Authorize a connection (allow)
• Block a connection (deny)
– Based on incoming source
– Based on content
– Based on outgoing source
• Reject a connection request without informing the issuer (drop)
• Logging of any traffic
CO1, CO3
Level of Operation
• Filtration (exceptions) can be done at various levels
• User/Destination level
– certain users or IP address given certain privileges or can be blocked
• Application level
– certain applications given certain privileges
• Service level
– certain services (FTP, HTTP, SMTP) on certain port numbers may or may not be allowed
CO1, CO3
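The allow, deny, drop and logging operations, filtered at the IP-address and service levels, as an added Python example that is not part of the original slides. The policy, the first-match-wins ordering, the default action and all names are assumptions made for illustration; the addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "deny" (refused, issuer informed) or "drop" (silent)
    source: str                 # CIDR block the connection source must fall in
    port: Optional[int] = None  # service port; None matches every service


# Hypothetical policy, evaluated top-down; the first matching rule wins
POLICY = [
    Rule("drop", "203.0.113.0/24"),      # blocked address range, all services
    Rule("allow", "0.0.0.0/0", 80),      # HTTP open to everyone
    Rule("allow", "192.0.2.0/24", 21),   # FTP for one network only
    Rule("deny", "0.0.0.0/0", 25),       # SMTP refused
]
DEFAULT = "drop"                         # anything unmatched is silently dropped


def decide(src: str, port: int, log: list) -> str:
    """Return the action for a connection and record it in the log."""
    addr = ipaddress.ip_address(src)
    for index, rule in enumerate(POLICY):
        in_range = addr in ipaddress.ip_network(rule.source)
        if in_range and rule.port in (None, port):
            log.append((src, port, rule.action, index))
            return rule.action
    log.append((src, port, DEFAULT, None))
    return DEFAULT


if __name__ == "__main__":
    traffic_log = []
    for src, port in [("203.0.113.9", 80), ("198.51.100.7", 80),
                      ("192.0.2.5", 21), ("198.51.100.7", 21)]:
        print(src, port, decide(src, port, traffic_log))
```

Rule order matters: the blocked range is listed before the open HTTP rule, so its web traffic is dropped rather than allowed.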
Hardware vs Software Firewall
• Advantage of software firewall
– Free or cheap to install
– Easy to install
– Specialist skills not needed for configuration
– Levels of access can be set
• Disadvantage of software firewall
– May be heavy and slow down applications
– Can be difficult to remove
– Requires regular patching to all hosts
– No centralized management
CO1, CO3
Hardware vs Software Firewall
• Advantage of hardware firewall
– Centralized management possible
– Secure
– Fast
– Less interference
• Disadvantage of hardware firewall
– Expensive to purchase
– Needs specialist knowledge
– Takes up physical space
– Hard to upgrade
CO1, CO3
Steganography
• Art and science of communicating in a way that hides the existence of a message
– Hidden in plain sight
• Signal or pattern imposed on content
• Not encryption – data is sent in plain text
• Not copy protecting – the copy of data is hardly visible
CO1
Classic Techniques
• Invisible ink (1st century AD - WW II)
• Overwrite select characters in printed type in pencil
– look for the gloss
• Pin punctures in type
• Microdots
– e.g. microdots to protect against car theft
CO1
Modern Motivation
• Steganography received little attention in modern computing
• Renewed interest because of industry desire to protect copyrighted digital work
– audio, images, video, text
• Detect counterfeiter (plagiarism), unauthorized presentation, embed key, embed author ID
CO1
Some Modern Techniques
Null cipher
• Message hidden in plain sight and plain text
Big rumble in New Guinea. The war on celebrity acts should end soon. Over four big ecstatic elephants replicated.
Bring two cases of beer.
CO1
Some Modern Techniques
Image watermarking
• Involves bit dropping, flipping, color separation, etc
From image of a tree, removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces the cat image.
CO1
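Both modern techniques above, as an added Python example that is not part of the original slides. The null-cipher text on the slide hides its message in the first letter of each word, and the image example works because the 2-bit values 0 to 3 multiplied by 85 span 0 to 255. The pixel lists are constructed samples standing in for one colour channel, and the function names are hypothetical.

```python
# Cover text from the slide; the first letter of every word carries the message
COVER_TEXT = ("Big rumble in New Guinea. The war on celebrity acts should end soon. "
              "Over four big ecstatic elephants replicated.")


def null_cipher_decode(text: str) -> str:
    """Null cipher: concatenate the first letter of each word."""
    return "".join(word[0] for word in text.split()).lower()


def embed(cover: list, secret: list) -> list:
    """Store the 2 most significant bits of each secret sample in the
    2 least significant bits of the matching cover sample (8-bit values)."""
    return [(c & 0b11111100) | (s >> 6) for c, s in zip(cover, secret)]


def reveal(stego: list, gain: int = 85) -> list:
    """Remove all but the 2 least significant bits, then brighten.
    The 2-bit values 0..3 times 85 span the full range 0..255."""
    return [(p & 0b11) * gain for p in stego]


# Constructed 8-bit samples standing in for one colour channel of each image
COVER_PIXELS = [200, 13, 97, 254]
SECRET_PIXELS = [255, 0, 128, 64]

if __name__ == "__main__":
    print(null_cipher_decode(COVER_TEXT))
    stego = embed(COVER_PIXELS, SECRET_PIXELS)
    print("stego pixels:", stego)          # each differs from the cover by at most 3
    print("recovered:", reveal(stego))     # coarse 4-level copy of the secret
```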