The document discusses network security threats and techniques. It begins by noting the importance of being prepared for attacks. It then describes various network security threats like eavesdropping, man-in-the-middle attacks, denial of service attacks, and malware. It also discusses network security requirements and various countermeasures like encryption, firewalls, and intrusion detection. Cryptographic techniques like public key cryptography, digital signatures, and key distribution protocols are explained as ways to provide security services over networks.

1. Note 11: Network Security

22. Security and Cryptography

53. Network Security Protocols

67. Initiator Host Contains C i Proposes Security Association options Contains C i & C r Selects SA options Select random # C i : initiator’s cookie Check to see if C i already in use; If not, generate C r , responder’s cookie; Associate C r with initiator’s address Check C i & address against list; Associate (C i , C r ) with SA; record SA as “unauthenticated” Responder Host HDR, SA Cookie Request HDR, SA Cookie Response

68. Initiator Host T=g x mod p Nonce N i Initiate Diffie-Hellman exchange Check responder cookie, discard if not valid; If valid identify SA with (C i , C r ) & record as “unauthenticated” R=g y mod p Nonce N r Calculate K=(g y ) x mod p Calculate K=(g x ) y mod p Calculate secret string of bits SKEYID known only to initiator & responder Calculate secret string of bits SKEYID known only to initiator & responder Responder Host HDR, KE, N i Key Request HDR, KE, N r Key Response

69. Initiator Host Prepare signature based on SKEYID, T, R, C i , C r , the SA field, initiator ID SKEYID, T, R, C i , C r , SA, ID i Hash of info in HDR encrypted Authenticates initiator comparing decrypted hash to recalculated hash. If agree, SA declared authenticated. Prepares signature based on SKEYID, T, R, C i , C r , the SA field, responder ID r SKEYID, T, R, C i , C r , SA, ID r Hash of info in HDR Authenticate initiator. If successful, SA declared authenticated. Responder Host HDR, {ID i , Sig i } Signature Request HDR, {ID r , Sig r } Signature Request

79. Request connection Includes: Version #; Time & date; Session ID (if resuming); Ciphersuite (combinations of key exchange, encryption, MAC, compression) Send ServerHello if there is acceptable Ciphersuite combination; else, send failure alert & close connection. * Optional messages Server Certificate Server part of handshake done Server part of key exchange: Diffie-Hellman, g x; ; RSA, public key ServerHello includes: Version #; Random number; Session ID ; Ciphersuite & compression selections Compute shared key May contain public key New CipherSpec pending TLS Record protocol initially specifies no compression or encryption Client Server ClientHello ServerHello Certificate * ServerKeyExchange * ServerHelloDone

80. Client’s part of key agreement: Diffie-Hellman g y ; RSA, random #s Change Cipher protocol message notifies server that subsequent records protected under new CipherSpec & keys Server changes CipherSpec Hash using new CipherSpec; allows server to verify change in Cipherspec Compute shared key Verify CipherSpec Client Server ClientKeyExchange [ChangeCipherSpec] Finished

82. Server requests certificate if client needs to be authenticated Client sends suitable certificate If server finds certificate unacceptable; server can send fatal failure alert message & close connection Client prepares digital signature based on messages sent using its private key Server verifies client has private key Client Server ClientHello ServerHello Certificate* ServerKeyExchange* CertificateRequest ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished Application Data [ChangeCipherSpec] Finished