This document discusses network security and cryptography. It covers topics such as security requirements including confidentiality, integrity, authentication, and non-repudiation. It also discusses approaches to implementing these security requirements including encryption for confidentiality and digital signatures for authentication and non-repudiation. Additionally, it covers network threats and attacks, classifications of cryptosystems including classical and modern cryptosystems, key management, public key cryptography, and internet security protocols like IPSec and SSL/TLS.

1. Network Security
Presented by
Mr. Abhijeet A. More
(Perfect Training Center)

2. Security and Cryptography
• Security: all issues which make secure
communication (information transmission, two
(multiple) party interaction) over insecure channels.
• Cryptography: the science and art of manipulating
messages to make them secure.
• Classical cryptographic techniques.
• Along with the development of communication
networks and their broad applications, network
security is becoming a more serious problem.
• Thus, call for modern cryptography.

3. Network threats and attacks
Passive:
Active:
Eavesdropping
Traffic analysis
Masquerading
Replay
Modification
Denial of service
Client Server
Attacker Server
Client Servermodify
Clientclient ServerMan-in-middle
Client Server

4. Security Requirements
• Privacy or confidentiality: The information should
be readable only by the intended receiver. i.e.,
protect the information from eavesdropping.
• Integrity: The receiver can confirm that a message
has not been altered during transmission, i.e.,
protect the information from tampering.
• Authentication: Any party (sender or receiver) can
verify that the other party is who he or she claims
to be, i.e., validate the identity of the other party.
• Nonrepudiation: The sender can not deny having
sent a given message. i.e., if a transaction (e.g., a
purchase) has occurred between two parties, the
nonrepudiation service can prove that for any
party, he/she really performed the transaction
him/herself, not by any other person.

5. Approaches to implementing security
Confidentiality: By encryption (and decryption)
Sender: encrypts the message using a key and sends the encrypted message.
Receiver: decrypts the encrypted message using the same key as the
sender’s key or a key derivable from the sender’s key.
Integrity:By checksum or hash value/message digest.
Sender: computes checksum/hash value/message digest from the message
and sends the message along with the checksum/hash value/message digest.
Receiver: re-computes checksum/hash value/message digest from received message
and compares with the transmitted checksum/hash value/message digest.
In some sense, it likes error-detection.
Problem: the attacker, after intercepting the message, modifies the message,
computes the checksum for modified message, and resends them.
Solution: keyed checksum/hash value/message digest.
message checksum Both are transmitted
message checksumkey
Message + checksum
are transmitted

6. Approaches to implementing security (cont.)
Authentication:Traditional user ID and password.
Modern cryptography based authentication.
--Digital signature.
Nonrepudiation: Undeniable signature, i.e.,
Digital signature + verification protocol + disavowal protocol

7. Security requirements and their implementation
Confidentiality: encryption (and decryption)
Integrity:checksum or hash value/message digest or MAC.
Authentication: user ID and password or Digital signature.
Nonrepudiation: Undeniable signature
Availability: Intrusion detection and defense
Authorization: Access control
Accountability: Log, record, trace, system administration
Q: how to defense Replay attack?Timestamps and/or sequence numbers.

8. Classification of cryptosystems
• Secret key systems vs. public key systems
• Classical vs. modern
– Classical: secret key systems
• Shift, Affine, Vigenere, Hill, Permutation
(transposition) cipher, Stream cipher
– Modern:
• Secret key systems
– DES, AES, PGM
• Public key systems
– RSA, ElGamal, Elliptic Curve

9. Shift cipher--example
• Suppose a plaintext word: cryptography
• Change each letter by shifting the letter
three position rightward
• The cipherword is: FUBSWRJUDSKB
Question: if given the above cipherword, how to get original word?
Change each letter by shifting the letter three position leftward.
This kind of cryptosystem is called “Caesar Cipher”

10. Secret cryptosystem--DES
• Data Encryption Standard (DES)
• First version in 1975, developed by IBM.
• A type of iterated cipher.
• Plaintext block: 64 bits, key: 56 bits, ciphertext block:64 bits.
• Steps:
– Initial permutation (IP)
– 16 rounds of transformations
– Inverse permutation (IP-1)

11. Key management and exchange
• Key is the essential part in any
cryptosystem, especially in secret key
systems.
• How to distribute/exchange key/keys
between two users/any pair of multiple
users.
• Therefore key management and key
exchange come into play.
• Also public key systems appeared.

12. Why public-key cryptography
1. The two communicants in secret key system require
the prior communication of key, using a secure
channel. it is very difficult to achieve in practice.
Unless the two communicants meet together, phone
call, post mail, email etc., are not secure.
2. Suppose there are n users and every pair of users want
to communicate. In secret-key system, it is necessary
that the total number of keys is n(n-1)/2. Very difficult
to management and quite insecure. However, in public-
key system, every user selects his/her own private key
and public key, and publicizes the public key but keep
the private key secret. Quite easy and very secure.
The main problem with public-key system is that it is very slow.

13. Public-key cryptosystem
• Secret-key cryptosystem:
– eK & dK: dK is the same as or derived
from eK.
– Called symmetric-key cryptosystem.
– Problem: how to distribute eK & dK to
Alice & Bob securely.
• Public-key cryptosystem:
– Computationally infeasible to compute
dK from eK.
– Called asymmetric-key cryptosystem.
– eK is made public, called public key
– But dK is kept secret, called private key.

14. Public-key system: how it works
• Everybody selects its own public key P
and private key S, and publicizes P.
• Therefore Alice has (Pa , Sa), and Bob
has (Pb , Sb).
• Everybody knows Pa, Pb, …
• Suppose Alice wants to send a
message to Bob.
– Alice encrypts the message with Bob’s
public key Pb and sends out.
– (only) Bob can decrypt the message
using his private key Sb. Nobody else
can.

15. Two party key management
• By public key cryptosystems:
– Alice selects a random value k as a key
– Alice encrypts the key k with Bob’s public key
and sends to Bob
– Bob decrypts the key using his private key
– Alice and Bob encrypt/decrypt messages using
secret key systems such as DES with the key k.
– This is a typical combination of secret and public
key systems.
• By Diffie-Hellman key agreement
– Based on Discrete Logarithm Problem

16. DLP (Discrete Logarithm Problem)
– Suppose p is an odd prime.
– Zp={0,1,…,p-1} is a finite field.
– Zp
* : the set of integers which are relatively prime to p.
• {a  Zp | gcd(a, p)=1}={1,…,p-1}
• it is a cyclic multiplicative group.
– g is a generator of Zp
* ,
• i.e. , Zp
* ={g 0 mod p, g 1mod p, …, g p-2 mod p}.
– DLP problem
• Given any a, compute b=g a (mod p) is easy.
• given any b, find an a such that b = g a (mod p) is difficult.
– Denoted as a = log g b. Omit: mod p for simplicity.

17. (Two-party) Diffie-Hellman (DH) key exchange
Suppose p and g are publicly known:
g a
g b
(a (b  g b mod p)
K=(gb) a=g ab K=(ga) b=g ab
Alice Bob
 g a mod p)
Anyone else can compute g a g b = g a+b but not g ab

18. cryptology
• Cryptology = cryptography + cryptanalysis.
– Cryptography: devise cryptosystems.
– Cryptanalysis: break cryptosystems.

19. Kerckhoff principle and attack levels
• Kerckhoff principle: the cryptosystem is publicly
known, but only the key is secret. Breaking a
cryptosystem (i.e., cryptanalysis) means figuring out
the key currently used.
• Attack levels:
– Ciphertext-only: the attacker possesses a string of
ciphertext, y.
– Known plaintext: the attacker possesses a string of
plaintext, x, and the corresponding ciphertext, y.
– Chosen plaintext: the attacker has obtained
temporary access to the encryption machinery.
Hence, he can choose a plaintext string, x, and
construct the corresponding ciphertext string, y.
– Chosen ciphertext: the attacker has obtained
temporary access to the decryption machinery.
Hence, he can choose a ciphertext string, y, and
construct the corresponding plaintext string, x.

20. Internet security protocols
• The Internet has implemented a
suite of security protocols combining
secret-key, public-key, digital
signature, message digest, etc.
– IPSec (IP security): i.e., IP layer /
network layer
– SSL (Secure Socket Layer) & TLS
(Transport Layer Security): transport
layer
– SSH (Secure Shell), SFTP, HTTPS, PGP
(Pretty Good Privacy): application layer

21. IPSec key agreement
Entity A Entity B
Crypto suites I support
Crypto suite I choose
ga mod p
gb mod p
gab mod p{“Alice”, proof I am Alice}
gab mod p{“Bob”, proof I am Bob}

22. SSL position

23. SSL functionality
• Server authentication (by public certificate)
• Client authentication (Optional)
• Data encryption (by secret key system)
• Integrity protection by (MAC)

24. SSL handshake
Client Server
I want to talk, ciphers I support, RC
Certificate (PS), cipher I choose, RS
{S}PS, {keyed hash of handshake MSG}
{keyed hash of handshake MSG}
Data protected by keys derived from K
K=f(S,RC,RS) K=f(S,RC,RS)
compute compute
There are total six keys, three keys (encryption key, IV, integrity key) in each direction.

25. Questions?
Those who have any Query Contact me on my
Whats App No : 9766677504(only message)
25