Network Security & Cryptography


Chapter No. 2

Network Security

NETWORK SECURITY:-
Network security issues include protecting data from unauthorized access, protecting data from damage, & developing & implementing policies & procedures for recovery from breaches & data losses.
Network security consists of the provisions & policies adopted by a network administrator to prevent & monitor unauthorized access, misuse, modification or denial of a computer network & network-accessible resources.
Network security involves the authorization of access to data in a network, which is controlled by the network administrator.

Security Techniques:-
1. ENCRYPTION AND DECRYPTION:-
i. The process of encoding or converting a plain text message (the original message) into a cipher text message is called encryption.
ii. The original message, before being transformed (converted), is called plaintext. Plaintext signifies a message that can be understood by the sender, the recipient & also by anyone else who gets access to that message.
iii. After the message is transformed (converted), it is called cipher text. When a plaintext message is codified using any suitable scheme, the resulting message is called cipher text.

Fig.:- Encryption: plain text (readable) =======> cipher text (coded)

Page 1 Prof. Nale V.D.


iv. The reverse process of transforming a cipher text message back to plain text (the original message) is called decryption.

Fig.:- Decryption: cipher text (coded) =======> plain text (readable)

v. In computer-to-computer communication, the computer at the sender’s end usually transforms a plain text into cipher text by performing encryption.
vi. The encrypted cipher text message is then sent to the receiver over a network.
vii. The receiver’s computer then takes the encrypted message & performs the decryption process to obtain the original plain text message.
viii. To encrypt a plain text, the sender performs encryption, i.e. applies the encryption algorithm. To decrypt a received encrypted message, the recipient performs decryption, i.e. applies the decryption algorithm.
ix. The decryption algorithm must be the same as the encryption algorithm. Otherwise, decryption would not be able to retrieve the original message.
x. The sender & receiver must agree on a common algorithm before any meaningful communication can take place. The algorithm basically takes one text as input & produces another as the output.



2. CRYPTOGRAPHY:-
i. Cryptography is one of the fundamental mechanisms used in network security.
ii. If confidential data is to be transmitted over a network which is not secure (anyone can access the data), we can achieve confidentiality by hiding the message in some way.
iii. The word cryptography comes from the Greek words for “hidden or secret writing”.
iv. The basic service provided by cryptography is the ability to send information between users in a way that prevents others from reading it.
v. In simple terms, cryptography is a technique of encoding (i.e. encrypting) & decoding (i.e. decrypting) messages, so that they are not understood by anybody except the sender & the intended recipient.
vi. The original message, before being transformed (encrypted), is called plaintext. After the message is transformed (encrypted), it is called cipher text.
vii. In technical terms, the process of converting the plaintext (message) to cipher text is called encryption, and the process of retrieving (extracting) the plaintext from the cipher text is called decryption.

Fig.:- Encryption and Decryption process of cryptography

viii. To encrypt a message, the sender needs an encryption algorithm, an encryption key & the plaintext; these create a cipher text. To decrypt the message, the receiver needs a decryption algorithm, a decryption key & the cipher text; these reveal the original plaintext. The key is a number or set of numbers that the cipher (algorithm) operates on.
ix. Based on the number of keys used for encryption & decryption, cryptography can be classified into two categories-
A) Symmetric key cryptography.
B) Asymmetric key cryptography.



A) Symmetric key cryptography:-
a. It is also known as secret key cryptography.
b. In symmetric key cryptography, the same key is used by both parties (sender & receiver).
c. The sender uses this key & an encryption algorithm to encrypt data; the receiver uses the same key & the corresponding decryption algorithm to decrypt the data.
d. Common examples of symmetric key cryptography algorithms are DES (Data Encryption Standard), Blowfish, MARS.

Fig.:- Symmetric key Cryptography (sender encryption key === receiver decryption key)

B) Asymmetric key cryptography:-
a. Asymmetric key cryptography is also known as public key cryptography.
b. In asymmetric key cryptography, there are two keys- a private key & a public key.
c. The private key is kept by the receiver to decrypt the cipher text. The public key is announced to the public & is used by the sender to encrypt the message.
d. No other key can decrypt the message, not even the original key used for encryption.
e. The public key used for encryption is different from the private key used for decryption.
f. We can generate both keys using standard algorithms. In this scheme, each party or node publishes his public key. E.g.:- Suppose ‘A’ wants to send a message to ‘B’. ‘B’s’ private key should be known only to ‘B’. However, ‘B’s’ public key should be known to ‘A’.
g. Common examples of asymmetric key cryptography algorithms are RSA (Rivest-Shamir-Adleman), Diffie-Hellman, DSA (Digital Signature Algorithm).

Working of asymmetric key cryptography:-
1. When ‘A’ wants to send a message to ‘B’, ‘A’ encrypts the message using B’s public key.
2. This is possible because ‘A’ knows B’s public key.
3. ‘A’ sends this message to ‘B’.
4. ‘B’ decrypts A’s message using B’s private key; only ‘B’ knows his private key.
5. When B wants to send a message to A, exactly the reverse process takes place.



3. Firewalls:-
i. A firewall is a device (usually a router or a computer) installed between the internal network of an organization & the rest of the Internet.
ii. It is designed to forward some packets & filter (not forward) others.
iii. All traffic between the organization’s network & the Internet, in either direction, must pass through the firewall.

Fig.:- Firewall

iv. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
v. A firewall can be used to deny (prevent) access to a specific host, a specific server or specific services in the organization.
vi. A firewall may filter all incoming packets destined for a specific host or a specific server, such as an HTTP server.

Types of Firewall:-
Based on the criteria that they use for filtering traffic, firewalls are generally classified into the following types-
1) Packet Filters.
2) Application Gateways.
1) Packet Filters:-
a) As the name suggests, a packet filter applies a set of rules to each packet &, based on the outcome, decides to either forward or discard the packet.
b) It is also called a screening router or screening filter.
c) Such a firewall implementation involves a router, which is configured to filter packets going in either direction.



d) Conceptually, a packet filter can be considered as a router that performs three main actions-
i. Receive each packet as it arrives.
ii. Pass the packet through a set of rules, based on the contents of the IP & transport header fields of the packet. If there is a match with one of the rules, decide whether to accept or discard the packet based on that rule.
E.g.:- a rule could specify: disallow all incoming traffic from the IP address 192.162.1.10, or disallow all traffic that uses UDP as the higher (transport) layer protocol.
iii. If there is no match with any rule, take the default action (discard or accept the packet).
A packet filter firewall is a router that uses a filtering table to decide which packets must be discarded.
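The three packet-filter actions above, as an added example that is not part of the original notes: a small Python rule table evaluated in order over constructed packet headers, with the default action applied when no rule matches. The address 192.162.1.10 and the UDP rule are the notes' own example rules; the packet fields, the other addresses and the HTTP rule are constructed.

```python
# Added example: ordered rule table of a packet filter (not from the notes).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed IP/transport header fields the filter looks at."""
    src_ip: str
    dst_ip: str
    protocol: str               # "TCP", "UDP", "ICMP", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A rule field left as None matches any value in the packet."""
    action: str                      # "accept" or "discard"
    src_ip: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_ip is None or self.src_ip == pkt.src_ip)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def filter_packet(pkt: Packet, rules: List[Rule], default: str = "discard") -> str:
    """Action ii: the first matching rule decides. Action iii: otherwise the
    default applies. Default 'discard' (deny by default) is the safer choice."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed table: the two rules the notes give as examples, plus one that
# admits web traffic to the organisation's HTTP server on port 80.
RULES = [
    Rule("discard", src_ip="192.162.1.10"),       # block one host entirely
    Rule("discard", protocol="UDP"),              # block all UDP traffic
    Rule("accept", protocol="TCP", dst_port=80),  # allow HTTP
]

if __name__ == "__main__":
    samples = [
        Packet("192.162.1.10", "10.0.0.5", "TCP", 80),  # blocked host, even for HTTP
        Packet("203.0.113.7", "10.0.0.5", "UDP", 53),   # UDP blocked
        Packet("203.0.113.7", "10.0.0.5", "TCP", 80),   # HTTP accepted
        Packet("203.0.113.7", "10.0.0.5", "TCP", 22),   # no match: default action
    ]
    for p in samples:
        print(f"{p.src_ip:>14} {p.protocol:<4} port {p.dst_port}: {filter_packet(p, RULES)}")
```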
2) Application Gateway:-
a) An application gateway is also called a proxy server.
b) Sometimes we need to filter a message based on the information available in the message itself (at the application layer); in that case a proxy firewall is used.
c) In an application gateway, testing is done at the application level (using the URL) instead of testing each packet.
d) The proxy firewall is installed between the customer (user client) & the corporation’s computer.
e) When the user client process sends a message, the proxy firewall runs a server process to receive the request. The server opens the packet at the application layer and finds out if the request is legitimate. If it is, the server acts as a client process & sends the message to the real server in the corporation. If it is not, the message is dropped and an error message is sent to the external user.
f) A proxy firewall filters at the application layer.



4. Digital Signature:-
i. A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document.
ii. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, such that the sender can’t deny having sent the message (authentication & non-repudiation), & that the message was not altered in transit (integrity).
iii. Digital signatures are commonly used for software distribution, financial transactions etc.
iv. Digital signatures employ a type of asymmetric cryptography.
v. A digital signature scheme typically consists of three algorithms:-
a. A key generation algorithm, that selects a private key uniformly at random from a set of possible private keys and outputs the corresponding public key.
Private Key:- Used for making the digital signature.
Public Key:- Used to verify the digital signature.
b. A signing algorithm that, given a message & a private key, produces a signature.
c. A signature verifying algorithm that, given a message, a public key & a signature, either accepts or rejects the message’s claim to authenticity.
The receiver needs to check the authenticity of the sender, i.e. needs to be sure that the message comes from the sender & not from an unauthorized user. The receiver can ask the sender to sign the message electronically; an electronic signature can prove the authenticity of the sender. We refer to this type of signature as a digital signature.



How it works:-
I. In a digital signature scheme, the sender calculates some value (known as a hash code or fingerprint) from the data or document by using a hash function.
II. Then the sender encrypts this hash code with the sender’s private key; the result is the signature.
III. The message is sent to the receiver along with the signature.
The receiver decrypts the signature with the public key of the sender. The receiver also recalculates the hash value/fingerprint from the received document using the same hash function & compares it with the received hash value. If both results match, the receiver can be sure that the message has not been modified during transmission.
A digital signature can provide 3 services for a security system:
1. Message Authentication.
2. Message Integrity.
3. Message Non-Repudiation.

RSA Algorithm:-
1. The RSA algorithm is the most popular asymmetric key cryptographic algorithm.
2. It is named for its inventors Rivest, Shamir & Adleman (RSA).
3. The RSA algorithm is based on the mathematical fact that it is easy to find & multiply large prime numbers together, but very difficult to factor their product.
4. The private & public keys in RSA are based on very large prime numbers.

(A) Generating public & private keys:-
i. Choose two large prime numbers p & q.
ii. Calculate n = p * q. n is used as the modulus for encryption & decryption.
iii. Calculate z = (p - 1) * (q - 1).
iv. Choose another prime number e, such that e is co-prime to z, i.e. z is not divisible by e.
v. Then calculate d, so that d * e = 1 (mod z), or (d * e) mod z = 1.
vi. Now e & n are announced to the public, and d & z are kept private.

(B) Encrypting the message:-
For encryption, calculate the cipher text C from the plaintext P as follows:-
C = P^e mod n.
Send C as the cipher text to the receiver.

(C) Decrypting the message:-
For decryption, calculate the plaintext P from the cipher text C as follows-
P = C^d mod n.

Example of RSA algorithm:-
1. Choose the prime numbers p = 3 & q = 11.
2. Calculate n = 3 * 11 = 33.
3. Calculate z = (3 - 1) * (11 - 1) = 20.
4. Choose e, such that z is not divisible by e. We have several choices for e: 3, 7, 11, 13, 17, 19. Take e = 3.
So, n = 33 & e = 3 becomes the public key.
5. Calculate d, such that (d * 3) mod 20 = 1.
(7 * 3) mod 20 = 21 mod 20 = 1, so d = 7.
d is the private key for the receiver.
6. For encryption, calculate the cipher text. Use an alphabet numbering scheme such as a = 1, b = 2, c = 3 & so on.
Suppose we encrypt a message with plaintext S = 19.
C = P^e mod n
C = 19^3 mod 33
19^3 = 6859; 6859 / 33 = 207.84
207 * 33 = 6831
C = 6859 - 6831 = 28
C = 28 (28 is the remainder of 6859 / 33)
The cipher text sent is 28.

C = 28 is now the value (cipher text) that the browser (sender) is going to send to the server (receiver).

7. For decryption, calculate the plaintext P from the cipher text C.
P = C^d mod n
P = 28^7 mod 33
28^7 = 13492928512
P = 13492928512 mod 33
P = 19 (19 is the remainder of 13492928512 / 33)
P = 19, i.e. S
Plaintext = S
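The RSA key generation, encryption and decryption steps above, together with the hash-then-sign procedure from the Digital Signature section, as an added example that is not part of the original notes. It reproduces the notes' worked example (p = 3, q = 11, e = 3, S = 19 giving C = 28) and then signs a constructed document with a second, larger toy key (p = 61, q = 53, e = 17, also constructed) using SHA-256 as the hash function; reducing the digest modulo n is a simplification for the toy modulus, not a real signature padding scheme.

```python
# Added example: textbook RSA with the notes' numbers, plus hash-then-sign.
import hashlib
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]


def generate_keys(p: int, q: int, e: int) -> Tuple[Key, Key]:
    """Steps (A) i-vi: return public key (e, n) and private key (d, n)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:                       # e must be co-prime to z
        raise ValueError(f"e={e} is not co-prime to z={z}")
    d = pow(e, -1, z)                        # d * e = 1 (mod z), Python 3.8+
    return (e, n), (d, n)


def valid_exponents(p: int, q: int) -> List[int]:
    """All e with 1 < e < z co-prime to z (the notes list only the primes)."""
    z = (p - 1) * (q - 1)
    return [e for e in range(2, z) if gcd(e, z) == 1]


def encrypt(plaintext: int, public: Key) -> int:
    e, n = public
    return pow(plaintext, e, n)              # C = P^e mod n


def decrypt(ciphertext: int, private: Key) -> int:
    d, n = private
    return pow(ciphertext, d, n)             # P = C^d mod n


def fingerprint(document: bytes, n: int) -> int:
    """Step I: hash the document. The digest is reduced mod n only so it fits a
    toy modulus; with a real modulus the full digest is padded and signed."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private: Key) -> int:
    """Step II: 'encrypt' the fingerprint with the sender's private key."""
    d, n = private
    return pow(fingerprint(document, n), d, n)


def verify(document: bytes, signature: int, public: Key) -> bool:
    """Receiver: 'decrypt' the signature with the public key and compare it
    with a freshly computed fingerprint of the document actually received."""
    e, n = public
    return pow(signature, e, n) == fingerprint(document, n)


if __name__ == "__main__":
    # The notes' worked example: p = 3, q = 11, e = 3 gives (3, 33) and (7, 33).
    public, private = generate_keys(3, 11, 3)
    c = encrypt(19, public)                  # S = 19 -> C = 28
    print("public", public, "private", private, "C =", c, "P =", decrypt(c, private))

    # Signing demo with a larger (still toy, constructed) key so that a changed
    # document is very unlikely to collide on the reduced fingerprint.
    pub, priv = generate_keys(61, 53, 17)
    doc = b"Transfer 100 to account 42"      # constructed document
    s = sign(doc, priv)
    print("genuine verifies:", verify(doc, s, pub))
    print("altered verifies:", verify(b"Transfer 900 to account 42", s, pub))
```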



SECURITY SERVICES:-
Network security can provide the five services shown in the following figure. Four of these services are related to the message exchanged using the network:
1. Message Confidentiality,
2. Message Authentication,
3. Message Integrity and
4. Message Non-repudiation.
5. The fifth service provides Entity Authentication.

Figure:- Security Services related to the message or entity (Message: Confidentiality, Integrity, Authentication, Non-Repudiation; Entity: Entity Authentication)

1. Message Confidentiality:-
a. The principle of confidentiality specifies that only the sender and the intended receiver should be able to access the content of a message.
b. Message confidentiality or privacy means that the sender and the receiver expect confidentiality.
c. The transmitted message must make sense only to the intended receiver. To all others, the message must be garbage.
d. For privacy, the message must be encrypted at the sender site and decrypted at the receiver site.
e. A good privacy technique guarantees to some extent that a potential intruder (eavesdropper) cannot understand the content of the message.
f. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.

2. Message Integrity:-
a. Message integrity means that the data must arrive at the receiver exactly as they were sent.
b. There must be no changes during the transmission, neither accidental nor malicious.
c. When the contents of a message are changed after the sender sends it, but before it reaches the intended recipient, we say that the integrity of the message is lost.
d. As more and more monetary exchanges occur over the Internet, integrity is crucial.
e. To preserve the integrity of a message, the message is passed through an algorithm called a hash function. The hash function creates a compressed image of the message that can be used as a fingerprint.

Figure:- Message and Message Digest


f. The sender calculates some value (known as the message digest) by using the hash function and sends it to the receiver. The message digest is created at the sender site and is sent with the message to the receiver. To check the integrity of the message or document, the receiver passes the received message through the same hash function and recalculates the message digest; if it matches the received digest, the receiver is sure that the original message has not been changed. Of course, we are assuming that the digest has been sent secretly.

Figure:- Checking Integrity



3. Message Authentication:-
a. Authentication mechanisms help establish proof of identities.
b. In message authentication the receiver needs to be sure of the sender’s identity and that an imposter has not sent the message.
E.g.- When ‘A’ sends a message to ‘B’, ‘B’ needs to know if the message is coming from ‘A’ or ‘C’. To provide message authentication, ‘A’ needs to provide proof that it is ‘A’ sending the message and not an imposter.
c. To provide message authentication, we need to use a message authentication code (MAC). In cryptography, a message authentication code (often MAC) is a short piece of information used to authenticate a message and to provide integrity and authenticity assurances on the message.
d. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message’s origin.
e. A keyed hash function includes the symmetric key shared between the sender and receiver when creating the digest.
f. A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag).
Example:
The sender generates a MAC using the symmetric key and a keyed hash function. The sender then concatenates the MAC with the original message and sends the two to the receiver. The receiver receives the message and the MAC and separates the message from the MAC. He applies the same keyed hash function to the message using the symmetric key K to get a fresh MAC. He then compares the MAC sent by the sender with the newly generated MAC. If the two MACs are identical, the message has not been modified and it definitely originates from the sender.
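The digest check of the Message Integrity section and the keyed-hash MAC exchange just described, as an added example that is not part of the original notes. It uses Python's hmac module (HMAC-SHA256 as the keyed hash function); the key K, the messages and the altered message are constructed.

```python
# Added example: unkeyed digest vs. keyed MAC (HMAC-SHA256); not from the notes.
import hashlib
import hmac
from typing import Dict, Optional

TAG_LEN = hashlib.sha256().digest_size           # 32 bytes for SHA-256


def message_digest(message: bytes) -> bytes:
    """Integrity section: unkeyed hash. Anyone can recompute it, so it only
    proves integrity if the digest itself reaches the receiver securely."""
    return hashlib.sha256(message).digest()


def integrity_ok(message: bytes, received_digest: bytes) -> bool:
    return hmac.compare_digest(message_digest(message), received_digest)


def make_mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash: the shared symmetric key K is mixed into the digest."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the MAC with K; constant-time comparison."""
    return hmac.compare_digest(make_mac(key, message), tag)


def send(key: bytes, message: bytes) -> bytes:
    """Sender: message || MAC, exactly as in the example above."""
    return message + make_mac(key, message)


def receive(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver: split message from MAC and verify; None means reject."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return message if verify_mac(key, message, tag) else None


K = b"constructed-shared-key-K"   # in practice a random key, e.g. secrets.token_bytes(32)


def demo() -> Dict[str, object]:
    msg = b"Pay B 500"
    packet = send(K, msg)
    results: Dict[str, object] = {
        "genuine": receive(K, packet),
        # Altered message with the original tag: the receiver's fresh MAC differs.
        "tampered": receive(K, b"Pay C 500" + packet[-TAG_LEN:]),
        # Tag computed without knowing K does not verify either.
        "wrong_key": receive(K, send(b"guessed-key", msg)),
    }
    # Unkeyed digest: detects the change, but anyone on the channel could simply
    # recompute it, which is why the notes assume the digest is sent secretly.
    d = message_digest(msg)
    results["digest_same"] = integrity_ok(msg, d)
    results["digest_tampered"] = integrity_ok(b"Pay C 500", d)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value!r}")
```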

4. Message Non-repudiation:-
i. Message non-repudiation means that a sender must not be able to deny sending a message that he or she, in fact, did send.
ii. The burden of proof falls on the receiver. For example, when a customer sends a message to transfer money from one account to another, the bank must have proof that the customer actually requested this transaction.
iii. If a customer sends a message to the bank to transfer money from one account to another, but after some time denies having sent that message, one solution is to use a trusted third party. People can create a trusted party among themselves.
iv. The sender creates a signature from the message and sends the message, the sender’s identity, the receiver’s identity, and the signature to the center (trusted third party).
v. The center, after checking that the sender’s public key is valid, verifies through the sender’s public key that the message comes from the sender.
vi. The center then saves a copy of the message with the sender’s identity, the recipient’s identity, and a timestamp in its archive.
vii. The center uses its private key to create another signature (ST) from the message. The center then sends the message, the new signature, the sender’s identity, and the receiver’s identity to the receiver.
viii. The receiver verifies the message using the public key of the trusted center.



Figure:- Using a trusted center for Non-Repudiation

5. Entity Authentication:-
i. In entity authentication (or user identification), the entity or user is verified prior to access to the system resources (files, for example). For example, a student who needs to access her university resources needs to be authenticated during the login process.
ii. This is to protect the interests of the university and the student.
iii. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
iv. There are two differences between message authentication and entity authentication. First, message authentication may not happen in real time; entity authentication does. In the former, station A sends a message to station B. When station B authenticates the message, station A may or may not be present in the communication process. On the other hand, when station A requests entity authentication, there is no real message communication involved until station A is authenticated by station B. Station A needs to be online and take part in the process. Only after it is authenticated can messages be communicated between station A and station B.
v. Message authentication is required when an e-mail is sent from station A to station B. Entity authentication is required when station A gets cash from an automatic teller machine.
vi. Second, message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant (station A) for the entire duration of a session.



vii. In entity authentication, the claimant must identify herself to the verifier. This can be done with one of three kinds of witness: something known, something possessed, or something inherent.
Something known- This is a secret known only by the claimant that can be checked by the verifier. Examples are a PIN, a secret key, and a private key.
Something possessed- This is something that can prove the claimant’s identity. Examples are a passport, a driver’s license, an identification card, a credit card, and a smart card.
Something inherent- This is an inherent characteristic of the claimant. Examples are a conventional signature, fingerprints, voice, facial characteristics, retinal pattern, and handwriting.
