What Is Network Security?
Security objectives:
- Confidentiality — only sender and receiver understand the message
- Authenticity — sender/receiver are who they claim to be
- Integrity — message was not modified in transit
- Availability — network services are accessible when needed
Principles of Cryptography
Symmetric Key Cryptography
Both sender and receiver share the same key K.
| Algorithm | Type | Key Size | Notes |
|---|---|---|---|
| Caesar cipher | Monoalphabetic | 26 | Trivially breakable (frequency analysis) |
| Polyalphabetic (Vigenere) | Polyalphabetic | Variable | Stronger but breakable |
| DES | Block cipher | 56 bits | Broken by brute force (1998) |
| 3DES | Block cipher | 168 bits | Triple DES: K1 encrypt, K2 decrypt, K3 encrypt |
| AES (Rijndael) | Block cipher | 128/192/256 bits | Current standard |
Symmetric encryption: K_A-B encrypts the message; K_A-B decrypts the message. Security depends on keeping K_A-B secret.
Public Key Encryption
Each party has a public key (known to all) and a private key (kept secret).
RSA Algorithm:
- Choose two large primes p and q
- Compute n = pq, z = (p-1)(q-1)
- Choose e where 1 < e < z and gcd(e, z) = 1
- Choose d such that e*d mod z = 1
- Public key: (n, e) — Private key: (n, d)
- Encrypt: c = m^e mod n
- Decrypt: m = c^d mod n
RSA security depends on the difficulty of factoring n = pq.
Message Integrity and Digital Signatures
Cryptographic Hash Functions
- Takes an arbitrary-length input, produces a fixed-length output (message digest)
- Properties: one-way, collision-resistant
- MD5: 128-bit hash (broken, collision found)
- SHA-1: 160-bit hash (weak, collision found)
- SHA-2/SHA-3: current standards
Message Authentication Code (MAC)
- Sender computes hash(message + s) where s is a shared secret
- Receiver recomputes and verifies
- Ensures both integrity and authenticity
Digital Signatures
- Signing: sender encrypts hash of message with private key
- Verification: receiver decrypts signature with public key, compares hashes
- Provides non-repudiation (sender cannot deny signing)
Sign then encrypt: Compute signature (sign hash with private key), then encrypt (message + signature) with receiver’s public key. Both confidentiality and authenticity.
Public Key Certification (CA):
- Certificate Authority (CA) binds a public key to an entity’s identity
- CA verifies identity, then creates a signed certificate (entity’s public key + identity, signed by CA’s private key)
- Certificate hierarchy: root CAs sign intermediate CAs, which sign server certificates
End-Point Authentication
Evolution of authentication protocols:
| Protocol | Method | Weakness |
|---|---|---|
| ap1.0 | “I am Alice” (IP address) | IP spoofing |
| ap2.0 | Secret password | Packet sniffing |
| ap3.0 | Encrypted password | Playback attack (replay) |
| ap3.1 | Encrypted password + sequence number | Sequence number prediction |
| ap4.0 | Nonce + encrypt(nonce, shared secret) | Secure — protects against replay |
Securing E-Mail
PGP (Pretty Good Privacy):
- Combines symmetric + public key cryptography
- Message encrypted with one-time session key (symmetric)
- Session key encrypted with receiver’s public key
- Signed with sender’s private key
- Provides confidentiality, integrity, authenticity
Securing TCP Connections: SSL
SSL (Secure Sockets Layer) / TLS (Transport Layer Security):
SSL Handshake (4 phases):
- Client sends: list of supported crypto algorithms + client nonce
- Server responds: chosen algorithm + certificate (with server’s public key) + server nonce
- Client: verifies certificate, generates Pre-Master Secret (PMS), encrypts with server’s public key, sends encrypted PMS + MAC key
- Client and server: both derive Master Secret from PMS + nonces, then derive encryption keys and MAC keys
Key derivation:
- MS = PRF(PMS, “master secret”, ClientNonce + ServerNonce)
- Encryption keys, MAC keys, IVs derived from MS
SSL Data Transfer Record:
- Fragment data into blocks
- Compute MAC (using MAC key)
- Pad if using CBC mode
- Encrypt (using encryption key)
- Add header (content type, version, length)
Network-Layer Security: IPsec and VPNs
IPsec services: confidentiality, integrity, authentication, replay protection.
AH (Authentication Header): provides integrity and authentication (no encryption).
ESP (Encapsulating Security Payload): provides integrity and confidentiality (encryption).
Security Association (SA): one-way logical connection between sender and receiver. Defines: key, algorithm, SPI, lifetime.
IKE (Internet Key Exchange): protocol for establishing SAs (authenticated Diffie-Hellman).
IPsec Transport Mode: SA between two hosts; only payload is encrypted. IPsec Tunnel Mode: SA between two gateways; entire original IP datagram is encrypted + new IP header added (used for VPNs).
Securing Wireless LANs
| Feature | WEP | 802.11i (WPA2) |
|---|---|---|
| Encryption | RC4 (broken) | AES-CCMP |
| Key management | Static, shared key | 4-way handshake, per-session keys |
| Integrity | CRC-32 (linear) | MIC (Michael / CCMP) |
| Authentication | Open/Shared key | 802.1X authentication |
| Security | Completely broken | Strong (with proper auth) |
WPA2 4-way handshake:
- AP sends nonce to client
- Client sends nonce + MIC to AP
- AP sends GTK + MIC to client
- Client ACKs
Operational Security: Firewalls and IDS
Firewalls:
- Isolate organization’s internal network from the public Internet
- Stateless packet filter: examines each packet independently (IP, port, protocol)
- Stateful packet filter: tracks connection state (TCP handshake, sequence numbers)
- Application gateway: proxies application-level traffic (e.g., HTTP proxy)
IDS (Intrusion Detection System):
- Signature-based: match patterns of known attacks
- Anomaly-based: detect deviations from normal traffic
IPS (Intrusion Prevention System): inline IDS that drops suspicious packets.
References
- Computer Networking: A Top-Down Approach, 7th Edition — Kurose & Ross, Pearson, 2017
- RFC 4251 — Secure Shell (SSH)
- RFC 5246 — TLS 1.2
- RFC 4301 — IPsec Architecture
- IEEE 802.11i — Wireless Security Standard