Department of Information Science & Engineering
CRYPTOGRAPHY AND NETWORK SECURITY
IS62214IC
By
Prof. Prajna U R
Assistant Professor
Department of Information Science & Engineering
Sahyadri College of Engineering and Management, Adyar Mangaluru
Email:
[email protected] Mob:8495971075
COURSE OUTCOMES (COs)
CO1 | Understand the fundamentals of network security, security architecture, threats and vulnerabilities. | 1 | CL2
CO2 | Apply the different cryptographic operations of symmetric cryptographic algorithms. | 2 | CL3
CO3 | Apply the different cryptographic operations of public key cryptography. | 3 | CL3
CO4 | Apply the various Authentication schemes to simulate different applications. | 4 | CL3
CO5 | Understand various Security practices and System security standards. | 5 | CL4
Text Book List
TB1. Atul Kahate, Cryptography and Network Security, 4th Edition, 2019.
TB2. William Stallings, Cryptography and Network Security: Principles and Practices, 7th Edition, 2019.
TB3. Nina Godbole and Sunit Belapure, Cyber Security, 1st Edition, 2019.
MODULE-1
Introduction to Network Security
What is a Computer network?
A computer network is a group of computers that use a
set of common communication protocols over digital
interconnections for the purpose of sharing resources
located on or provided by the network nodes.
What is Network Security?
Network security is described as the implementation of technologies,
processes and protocols designed to safeguard an
individual's or organization's communications and
information.
Computer Security
The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability,
and confidentiality of information system resources (includes hardware,
software, firmware, information/data, and telecommunications).
Security Approaches
• Prevention: Prevent the threat by identifying
underlying causes before they occur.
• Protection: Threats are ready to occur; eliminate
the threat.
• Resilience: The threat has already occurred; we need to adopt
some mechanism through which we can resolve the
threat.
Modern nature of attack
• Automating attacks: Mirai Botnet, SolarWinds Supply Chain Attack
• Privacy concerns: Aadhaar Data Breach
• Distance does not matter: DDoS Attack on GitHub
Security approaches
1) Trusted system
A Trusted system is a computer system that can be trusted to a specified extent
to enforce a specified security policy.
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Trusted Computing (TC) & Hardware Security: TPM chips in laptops, used in
Windows BitLocker to encrypt data.
• Zero Trust Security Model
• Blockchain for Trusted Transactions
• Multi-Factor Authentication (MFA) & Biometric Security
• End-to-End Encryption (E2EE) for Secure Communication
• A trusted system integrates multiple security layers to protect data and
prevent cyber threats. Organizations use trusted computing, access control
models, encryption
2) Security Models
• No security
• Security through obscurity
• Host security
• Network security
3) Security management practices
• Security policy
Key aspects
• Affordability (Cost-Effectiveness)
• Functionality (Effectiveness)
• Cultural Issues
• Legality (Compliance with Laws)
• A good security policy balances cost, effectiveness, cultural
differences, and legal requirements to ensure strong protection
without causing unnecessary difficulties.
CIA triad
Key Security Concepts
Principles of Security
• Confidentiality
• Integrity
• Authentication
• Non repudiation
• Access control
• Availability
Confidentiality
• Type of attack: Interception
• Interception causes loss of message confidentiality.
• Confidentiality: (Account Information)
o Data confidentiality: Assures confidential information is not
made available or disclosed to unauthorized individuals.
o Privacy: Assures that individuals control or influence what
information related to them may be collected and stored and
by whom and to whom that information may be disclosed.
Integrity
• Type of attack: Modification
• Modification causes loss of message integrity.
• Integrity: (Patient information)
o Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
o System integrity: Assures that a system performs its
intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the
system.
• Any modification to a message should be identified by the security system.
Authentication
• Type of attack- Fabrication
• Fabrication is possible in the absence of proper authentication mechanisms.
Availability
• Type of attack: Interruption
• Interruption puts the availability of resources in danger.
• Availability: Google vs Banking sites
o Assures that systems work promptly and service is not
denied to authorized users.
• Authenticity:
o The property of being genuine and being able to be
verified and trusted; confidence in the validity of a
transmission, a message, or message originator.
• Accountability:
o Because truly secure systems are not yet an achievable goal, we must be
able to trace a security breach to a responsible party.
Non-Repudiation
Non-repudiation does not allow the sender of a message to deny
having sent that message.
Access control
• The principle of Access control determines who should be able to
access what.
• Access control is broadly related to two areas:
o Role management: user side
o Rule management: resources side
Access control specifies and controls who can access what.
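An added sketch (not from the slides) of the two areas working together: role management decides what a user may do, rule management decides who may reach a resource and under what circumstances. The users, roles, resources, time windows and network zones are all constructed assumptions.

```python
from datetime import time

# Role management (user side): which user holds which role,
# and which actions each role may perform.
USER_ROLES = {"asha": {"teller"}, "ravi": {"auditor"}, "meena": {"teller", "manager"}}
ROLE_ACTIONS = {
    "teller": {"read", "update"},
    "auditor": {"read"},
    "manager": {"read", "update", "approve"},
}

# Rule management (resource side): which roles may reach each resource,
# and under what circumstances (here: a time window and a network zone).
RESOURCE_RULES = {
    "accounts_db": {"roles": {"teller", "manager"},
                    "hours": (time(9), time(17)), "zones": {"branch"}},
    "audit_log": {"roles": {"auditor", "manager"},
                  "hours": (time(0), time(23, 59)), "zones": {"branch", "vpn"}},
}


def is_allowed(user, action, resource, at, zone):
    """Grant only if the role side and the rule side both agree; deny by default."""
    rule = RESOURCE_RULES.get(resource)
    if rule is None:
        return False                       # unknown resource
    start, end = rule["hours"]
    if not (start <= at <= end) or zone not in rule["zones"]:
        return False                       # resource-side circumstances not met
    for role in USER_ROLES.get(user, set()):
        # The role must be admitted by the resource AND carry the action.
        if role in rule["roles"] and action in ROLE_ACTIONS.get(role, set()):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed("asha", "update", "accounts_db", time(10), "branch"))  # in hours
    print(is_allowed("asha", "update", "accounts_db", time(20), "branch"))  # after hours
```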
OSI SECURITY ARCHITECTURE
Threat v/s Attack
Threat
A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and
cause harm. That is, a threat is a possible danger that might exploit a
vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that
is, an intelligent act that is a deliberate attempt (especially in the sense of
a method or technique) to evade security services and violate the security
policy of a system.
Types of attack
• General View
o Criminal attacks
o Publicity Attack
o Legal Attacks
• Technical View
o Theoretical concepts
o Practical approaches
Criminal attacks: Financial Gain
Theoretical concepts
• Interception
• Fabrication
• Modification
• Interruption
• Passive attack and Active attack
Practical side of attacks
• Application level attacks: Attacks happen at the application level; they attempt to access,
modify or prevent access to information.
• Network level attacks: Aim at reducing the capabilities of a network
(slow down, bring to a halt) on CN.
Attacks on wireless Networks
• Passive attacks
• Active attacks
• Person in the middle attacks
• Jamming attacks
Programs that attack computer system
1. Virus
Four phases of Virus
• Dormant
• Propagation
• Triggering
• Execution
Classification of viruses
• Parasitic
• Memory Resident
• Boot sector
• Stealth
• Polymorphic
• Metamorphic
• Macro
2. Worm
3. Trojan Horse
Dealing with viruses
Virus elimination steps
Generations of anti-virus software
Specific attacks
1. Sniffing and Spoofing
Two forms
   1. Packet Sniffing (IP Sniffing)
   2. Packet Spoofing (IP Spoofing)
2. Phishing
3. Pharming (DNS Spoofing)
Phishing
• Phishing is a form of online fraud in which hackers
attempt to get your private information such as
passwords, credit cards, or bank account data. This is
usually done by sending false emails or messages that
appear to be from trusted sources like banks or
well-known websites.
Pharming (DNS Spoofing)
DNS spoofing or DNS cache poisoning is an attack in
which altered DNS records are used to redirect users or
data to a fraudulent website or link
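An added detection sketch (not from the slides) for the redirection described above: it scans resolver log lines and flags answers for watched names that fall outside the networks those names normally resolve into. The log format, the watch list and all names and addresses are constructed assumptions.

```python
import ipaddress

# Assumed baseline: networks each watched name is expected to resolve into.
# Names and addresses are constructed (documentation ranges from RFC 5737).
EXPECTED = {
    "bank.example.com": [ipaddress.ip_network("192.0.2.0/24")],
    "mail.example.com": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed resolver log lines: time, client, query name, record type, answer
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 10.0.0.5 bank.example.com A 192.0.2.10
2025-01-10T09:00:07Z 10.0.0.8 mail.example.com A 198.51.100.20
2025-01-10T09:03:12Z 10.0.0.5 BANK.example.com. A 203.0.113.66
2025-01-10T09:03:15Z 10.0.0.9 news.example.org A 203.0.113.5
2025-01-10T09:04:40Z 10.0.0.8 mail.example.com A 198.51.100.200
2025-01-10T09:05:00Z 10.0.0.7 bank.example.com A not-an-ip
"""


def suspicious_answers(log_text):
    """Return (time, client, name, answer, reason) for answers off the baseline."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "A":
            continue                              # not an A-record answer line
        when, client, qname, _, answer = fields
        name = qname.rstrip(".").lower()          # DNS names are case-insensitive
        nets = EXPECTED.get(name)
        if nets is None:
            continue                              # name is not on the watch list
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            findings.append((when, client, name, answer, "malformed answer"))
            continue
        if not any(addr in net for net in nets):
            findings.append((when, client, name, answer, "outside expected networks"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_answers(SAMPLE_LOG):
        print(*finding)
```

A flagged answer is a lead to investigate, not proof of poisoning: a legitimate hosting change produces the same signal until the baseline is updated.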
Secure DNS-Protocol