UNIT I

INTRODUCTION

Computer data often travels from one computer to another, leaving the safety of its protected
physical surroundings. Once the data is out of hand, people with bad intention could modify or
forge your data, either for amusement or for their own benefit. Cryptography can reformat and
transform our data, making it safer on its trip between computers. The technology is based on the
essentials of secret codes, augmented by modern mathematics that protects our data in powerful
ways.

 Computer Security - generic name for the collection of tools designed to protect data
from hackers
 Network Security - measures to protect data during their transmission
 Internet Security - measures to protect data during their transmission over a collection
of interconnected networks

Model for Security

The OSI security architecture is useful to managers as a way of organizing the task of providing
security. Furthermore, because this architecture was developed as an international standard,
computer and communications vendors have developed security features for their products and
services that relate to this structured definition of services and mechanisms. The OSI security
architecture focuses on security attacks, mechanisms, and services. These can be defined briefly
as follows:

 Security attack: Any action that compromises the security of information owned by an
2. Active Attacks
organization.
Active attacks involve some modification of the data stream or the creation of a false stream and
 Security mechanism: A process (or a device incorporating such a process) that is designed
can be subdivided into four categories: masquerade, replay, modification of messages, and denial
to detect, prevent, or recover from a security attack.
of service.
 Security service: A service that enhances the security of the data processing systems and
the information transfers of an organization. The services are intended to counter security
attacks and they make use of one or more security mechanisms to provide the service.
Security Attacks
Two type of attacks:
 Passive attacks
 Active attacks
A passive attack attempts to learn or make use of information from the system but does not affect
system resources. An active attack attempts to alter system resources or affect their operation.
1. Passive Attacks Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is being transmitted.
Two types of passive attacks are release of message contents and traffic analysis.

1|Page 2|Page
 SECURITY SERVICES

The classification of security services are as follows:

Confidentiality: Ensures that the information in a computer system a n d transmitted information
are accessible only for reading by authorized parties.
E.g. Printing, displaying and other forms of disclosure.
Authentication: Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating and
delaying or replaying of transmitted messages.
Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny
the transmission.
Access control: Requires that access to information resources may be controlled by or the target
system.
Availability: Requires that computer system assets be available to authorized parties when needed.

Threats in Networks

Eavesdropping
In general, the majority of network communications occur in an unsecured or "cleartext" format,
which allows an attacker who has gained access to data paths in your network to "listen in" or
interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is
referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is
generally the biggest security problem that administrators face in an enterprise. Without strong
encryption services that are based on cryptography, your data can be read by others as it traverses
the network.

Data Modification
After an attacker has read your data, the next logical step is to alter it. An attacker can modify the
data in the packet without the knowledge of the sender or receiver. Even if you do not require
confidentiality for all communications, you do not want any of your messages to be modified in
transit. For example, if you are exchanging purchase requisitions, you do not want the items,
amounts, or billing information to be modified.

Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity.
In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An
attacker might also use special programs to construct IP packets that appear to originate from valid
addresses inside the corporate intranet. After gaining access to the network with a valid IP address,
the attacker can modify, reroute, or delete your data.
Password-Based Attacks
A common denominator of most operating system and network security plans is password-based
access control. This means your access rights to a computer and network resources are determined
by who you are, that is, your user name and your password. Older applications do not always
protect identity information as it is passed through the network for validation. This might allow an
eavesdropper to gain access to the network by posing as a valid user. When an attacker finds a
valid user account, the attacker has the same rights as the real user. Therefore, if the user has

3|Page 4|Page
administrator-level rights, the attacker also can create accounts for subsequent access at a later
time. After gaining access to your network with a valid account, an attacker can do any of the
following:
 Obtain lists of valid user and computer names and network information.
 Modify server and network configurations, including access controls and routing tables.
 Modify, reroute, or delete your data.
Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer
or network by valid users. After gaining access to your network, the attacker can do any of the
following:
 Randomize the attention of your internal Information Systems staff so that they do not
see the intrusion immediately, which allows the attacker to make more attacks during the
diversion.
 Send invalid data to applications or network services, which causes abnormal termination
or behavior of the applications or services.
 Flood a computer or the entire network with traffic until a shutdown occurs because of
the overload.
 Block traffic, which results in a loss of access to network resources by authorized users.
Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the
person with whom you are communicating is actively monitoring, capturing, and controlling your
communication transparently. For example, the attacker can re-route a data exchange. When
computers are communicating at low levels of the network layer, the computers might not be able
to determine with whom they are exchanging data. Man-in-the-middle attacks are like someone
assuming your identity in order to read your message. The person on the other end might believe
it is you because the attacker might be actively replying as you to keep the exchange going and
gain more information. This attack is capable of the same damage as an application-layer attack,
described later in this section.
Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although obtaining a
key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key. An attacker uses the compromised key
to gain access to a secured communication without the sender or receiver being aware of the attack.
With the compromised key, the attacker can decrypt or modify data, and try to use the
compromised key to compute additional keys, which might allow the attacker access to other
secured communications.
Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data exchanges
and read network packets. If the packets are not encrypted, a sniffer provides a full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless
they are encrypted and the attacker does not have access to the key. Using a sniffer, an attacker
can do any of the following:
 Analyze your network and gain information to eventually cause your network to crash or
to become corrupted.
 Read your communications.
Application-Layer Attack
5|Page
An application-layer attack targets application servers by deliberately causing a fault in a server's
operating system or applications. This results in the attacker gaining the ability to bypass normal
access controls. The attacker takes advantage of this situation, gaining control of your application,
system, or network, and can do any of the following:
 Read, add, delete, or modify your data or operating system.
 Introduce a virus program that uses your computers and software applications to copy
viruses throughout your network.
 Introduce a sniffer program to analyze your network and gain information that can
eventually be used to crash or to corrupt your systems and network.
 Abnormally terminate your data applications or operating systems.
 Disable other security controls to enable future attacks.
Stealing passwords
1 Passive Online Attack
Passive online attacks is a most common types of password attack where an attacker don’t
contact with authorizing party for stealing password, in other words he attempts password hacking
but without communicating with Victims account. Different types of Passive online Password
Attack includes Reply attack, wire sniffing, Man in the middle attack- The three common types
of Passive Online Password Attack as follows:
-Man In The Middle Attack: In Man in the middle attack or MITM in short an attacker intercepts
the authentication server and then captures traffic and forwards it to server. Man in the middle
attacks is sometimes known as fire brigade attack. To perform MITM attack a hacker inserts a
sniffer between client and server, like this he is able to sniff from both sides and can also capture
password. In MITM the attackers works between the Victims i.e whenever the information is
passed from the Client it directly transferred to the ATTACKER first (MITM) then it goes to the
server.
-Replay Attack: Replay attack is another type of password attack which occurs when the hacker
intercepts the password and en routes to the authentication server and then it captures and is been
resend the authentication packets for later authentication use. In this the hacker doesn’t have to
break the password or learn the password technique through MITM but rather it captures the
password and reuses the password-authentication packets later to authenticate as the client.
-Wire Sniffing: It is a type of attacks in computer security where it is considered as most common
types of password attacks on wired or wireless networks. The password is captured during
authentication phase and then compared to dictionary file or a complete word list. Sniffer tools are
ideally suited to sniff data in hub environment such as LAN networks. These tools comes under
passive sniffers as they passively wait for data to be sent before capturing the information.
2 Active Online Attack
This is another different types of password attack in which attack is directly termed as password
guessing. An attacker tries number of passwords one by one against victim to crack his/her
password. This is most popular password attack because they can be performed by beginners also.
Active Password Attack in network security is Password Guessing as given below:
Password Guessing: Password guessing attack comes under most common types of password
attack. It relies on human being factor involved in creating passwords and only works on weak
passwords as discussed above. In Password Guessing Active Password Attack an attacker tries to
build a dictionary of words and names to make all possible combination that can be used as
password. The attacker performs this attack with help of program that generates over hundreds and
thousands of words per second. A good and strong password is hard to guess and easy to remember,
6|Page
so you must have good password to protect yourself from this kind of attack. For generating strong
password you can refer my last article-
3.Offline Attack:
Offline attack are the most common types of computer security attacks. Offline password
attack are performed from a location other than the actual computer where the password reside or
were used earlier. Offline attacks requires physical access to the computer which stores password
file, the attacker copies the password file and then tries to break passwords in his own system.
Offline attacks include, dictionary attacks, hybrid attacks, brute force attack, precomputed hash
attacks, syllable attacks, rule based attacks and rainbow attacks.
Brute Force:
The most time-consuming type of offline password attack is a brute-force attack, which tries every
possible combination of uppercase as well as lowercase letters, numbers, and symbols. A brute-
force attack is the slowest of the three types of password attacks because of the many possible
combination of characters in the password. However, brute force is effective given enough time
and processing power, all passwords can eventually be identified. Limitation of Bruteforce
password attack is that it takes too much time to crack complex passwords.
Dictionary Attack:
A dictionary attack is the simplest ,quickest and most common types of password attack in Offline
Attack. It’s used as identify of a password that is an actual word, which can be found in a dictionary
(refer as common dictionary).This attack uses a dictionary file of limited possible words, which is
hashed using the same algorithm used by the authentication process. Then, the hashed dictionary
words are compared with hashed passwords as the user logs on, or with passwords stored in a file
on the server. The dictionary attack works only if the password is present as actual dictionary word,
therefore this type of attack has some limitations. It can’t be used against strong passwords which
contains numbers or other symbols.
Syllable Attack:
Syllable attack is combination of both bruteforce and dictionary attack. This password cracking
methods is used when the password is not an existing word. Attackers use the dictionary and other
methods to crack it. It also uses the possible combination of every word present in the dictionary.
Hybrid Attacks:
This comes to the next level of password attack. The hybrid attack starts with dictionary file and
it substitutes various numbers and symbols for characters in the password. For example, many
users add the number 1 to the end of their password to meet strong password requirements. A
hybrid attack is designed to find those types of complex passwords.
Pre-Computed Hash:
Encrypted password that are stored can prove useless against dictionary attacks. If the file contains
the encrypted password in readable format, the attacker can easily detect the hash function. He/she
can then decrypt each and every word in the dictionary using hash function an then compare with
the encrypted password. Storage of hashes requires large memory space and hence time-space
trade-off is used to reduce memory space required to store hashes.
Rule Based Attack:
This type of attack is used when attacker gets some information about the password. This is the
most powerful attack because the cracker knows about the type of password. This technique
involves use of brute force, dictionary and syllable attacks.
Rainbow Attack:
Rainbow attack is nothing but a little advancement from of pre computed hash. It uses already
calculated information stored in memory to crack the cryptography. In rainbow attack the same
7|Page
technique is used, the password hash table is created in advance and stored into the memory. Such
a plain table is known as rainbow table.
4.Non-Technical Attack
This type of password cracking methods does not require any technical knowledge hence termed
as non-technical attacks. Non technical attacks may include, social engineering, shoulder surfing,
keyboard sniffing and dumpster diving.
Social Engineering:
Social engineering is the most common types of password attack- It is the art of interacting with
people either face to face or over the telephone and getting them to give out valuable information
such as account passwords, credit card details etc. Social engineering relies on people’s good
nature and desire to help others. Many times, a help desk is the target of a social-engineering attack
because their job is to help people—and recovering or resetting passwords is a common function
of the help desk. The best defense against social engineering attacks is security awareness training
for all employees and security procedures for resetting passwords. In my opinion Social
Engineering is best suited to hack whatsapp and Facebook account easily.
Shoulder Surfing:
Shoulder surfing is password guessing attacks which involves looking over someone’s shoulder
as they type a password. This can be effective when the hacker is in close proximity to the user
and the system-they might capture your password with the help of a camera. Special screens that
make it difficult to see the computer screen from an angle can cut down on shoulder surfing.
Dumpster Diving:
In this type of password attack a hacker looks through the trash for information such as passwords,
which may be written down on a piece of paper.
Social engineering
Social engineering is the term used for a broad range of malicious activities accomplished through
human interactions. It uses psychological manipulation to trick users into making security mistakes
or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended
victim to gather necessary background information, such as potential points of entry and weak
security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s
trust and provide stimuli for subsequent actions that break security practices, such as revealing
sensitive information or granting access to critical resources.
8|Page

Social engineering attack lifecycle
What makes social engineering especially dangerous is that it relies on human error, rather than
vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less
predictable, making them harder to identify and thwart than a malware-based intrusion.
SOCIAL ENGINEERING ATTACK TECHNIQUES
Social engineering attacks come in many different forms and can be performed anywhere where
human interaction is involved. The following are the five most common forms of digital social
engineering assaults.
Baiting: As its name implies, baiting attacks use a false promise to pique a victim’s greed or
curiosity. They lure users into a trap that steals their personal information or inflicts their systems
with malware. The most reviled form of baiting uses physical media to disperse malware.
Scareware: Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived to think their system is infected with malware, prompting them to install
software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is
also referred to as deception software, rogue scanner software and fraudware.
Pretexting: Here an attacker obtains information through a series of cleverly crafted lies. The scam
is often initiated by a perpetrator pretending to need sensitive information from a victim so as to
perform a critical task.The attacker usually starts by establishing trust with their victim by
impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know
authority.
Phishing: As one of the most popular social engineering attack types, phishing scams are email
and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It
then prods them into revealing sensitive information, clicking on links to malicious websites, or
opening attachments that contain malware.
Spear phishing: This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make their attack less conspicuous. Spear
9|Page
phishing requires much more effort on behalf of the perpetrator and may take weeks and months
to pull off. They’re much harder to detect and have better success rates if done skillfully.
Authentication Failure
In the context of communication across a network, the following attacks can be identified:
1. Disclosure – releases of message contents to any person or process not possessing the
appropriate cryptographic key.
2. Traffic analysis – discovery of the pattern of traffic between parties.
3. Masquerade – insertion of messages into the network fraudulent source.
4. Content modification – changes to the content of the message, including insertion
deletion, transposition and modification.
5. Sequence modification – any modification to a sequence of messages between parties,
including insertion, deletion and reordering.
6. Timing modification – delay or replay of messages.
7. Source repudiation – denial of transmission of message by source.
8. Destination repudiation – denial of transmission of message by destination.
First two attacks are in the realm of message confidentiality. Measures to deal with 3 through 6
are regarded as message authentication. Item 7 comes under digital signature and dealing with
item 8 may require a combination of digital signature and a protocol to counter this attack.
Information Leakage
Information Leakage is an application weakness where an application reveals sensitive data, such
as technical details of the web application, environment, or user-specific data. Sensitive data may
be used by an attacker to exploit the target web application, its hosting network, or its users.
Therefore, leakage of sensitive data should be limited or prevented whenever possible. Information
Leakage, in its most common form, is the result of one or more of the following conditions: A
failure to scrub out HTML/Script comments containing sensitive information, improper
application or server configurations, or differences in page responses for valid versus invalid data.
Failure to scrub HTML/Script comments prior to a push to the production environment can result
in the leak of sensitive, contextual, information such as server directory structure, SQL query
structure, and internal network information. Often a developer will leave comments within the
HTML and/or script code to help facilitate the debugging or integration process during the pre-
production phase. Although there is no harm in allowing developers to include inline comments
within the content they develop, these comments should all be removed prior to the content's public
release.
Software version numbers and verbose error messages (such as ASP.NET version numbers) are
examples of improper server configurations. This information is useful to an attacker by providing
detailed insight as to the framework, languages, or pre-built functions being utilized by a web
application. Most default server configurations provide software version numbers and verbose
error messages for debugging and troubleshooting purposes. Configuration changes can be made
to disable these features, preventing the display of this information.
10 | P a g e
Pages that provide different responses based on the validity of the data can also lead to Information
Leakage; specifically when data deemed confidential is being revealed as a result of the web
application's design. Examples of sensitive data includes (but is not limited to): account numbers,
user identifiers (Drivers license number, Passport number, Social Security Numbers, etc.) and
user-specific information (passwords, sessions, addresses). Information Leakage in this context
deals with exposure of key user data deemed confidential, or secret, that should not be exposed in
plain view, even to the user. Credit card numbers and other heavily regulated information are prime
examples of user data that needs to be further protected from exposure or leakage even with proper
encryption and access controls already in place.
UNIT II
CLASSICAL ENCRYPTION TECHNIQUES
There are two basic building blocks of all encryption techniques: substitution and transposition.
SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with cipher text bit patterns.
Caesar cipher (or) shift cipher
The earliest known use of a substitution cipher and the simplest was by Julius Caesar. The Caesar
cipher involves replacing each letter of the alphabet with the letter standing 3 places further down
the alphabet.
e.g., plain text : pay more money
Cipher text: SDB PRUH PRQHB
Note that the alphabet is wrapped around, so that letter following „z‟ is „a‟. For each plaintext
letter p, substitute the cipher text letter c such that
C = E(p) = (p+3) mod 26
Playfair cipher
The best known multiple letter encryption cipher is the playfair, which treats digrams in the
plaintext as single units and translates these units into cipher text digrams. The playfair algorithm
is based on the use of 5x5 matrix of letters constructed using a keyword. Let the keyword be
„monarchy‟. The matrix is constructed by filling in the letters of the keyword (minus duplicates)
from left to right and from top to bottom, and then filling in the remainder of the matrix with the
remaining letters in alphabetical order. The letter „i‟ and „j‟ count as one letter. Plaintext is
encrypted two letters at a time. According to the following rules:
 Repeating plaintext letters that would fall in the same pair are separated with a Filler
letter such as „x‟.
 Plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row following the last.
 Plaintext letters that fall in the same column are replaced by the letter beneath, with the
top element of the column following the last.
 Otherwise, each plaintext letter is replaced by the letter that lies in its own row And the
column occupied by the other plaintext letter.
11 | P a g e
Plaintext = meet me at the school house
Splitting two letters as a unit => me et me at th es ch o x ol ho us ex
Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU
Vigenere cipher
In this scheme, the set of related monoalphabetic substitution rules consisting of 26 caesar ciphers
with shifts of 0 through 25. Each cipher is denoted by a key letter. e.g., Caesar cipher with a shift
of 3 is denoted by the key value 'd‟ (since a=0, b=1, c=2 and so on). To aid in understanding the
scheme, a matrix known as vigenere tableau is Constructed
Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left. A
normal alphabet for the plaintext runs across the top. The process of Encryption is simple: Given
a key letter X and a plaintext letter y, the cipher text is at the intersection of the row labeled x and
the column labeled y; in this case, the ciphertext is V.
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating
keyword.
e.g., key = d e c e p t i v e d e c e p t i v e d e c e p t i v e PT = w e a r e d i s c o v e r e d s a
v e y o u r s e l f CT = ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Decryption is equally simple. The key letter again identifies the row. The position of the cipher
text letter in that row determines the column, and the plaintext letter is at the top of that column.
One Time Pad Cipher
It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s. This can
be accomplished by writing all numbers in binary, for example, or by using ASCII. The key is a
random sequence of 0‟s and 1‟s of same length as the message. Once a key is used, it is discarded
and never used again.
e.g., plaintext = 0 0 1 0 1 0 0 1
Key = 1 0 1 0 1 1 0 0
ciphertext = 1 0 0 0 0 1 0 1
Advantage: Encryption method is completely unbreakable for a cipher text only attack.
Disadvantages: It requires a very long key which is expensive to produce and expensive to
transmit. Once a key is used, it is dangerous to reuse it for a second message; any knowledge on
the first message would give knowledge of the second.
12 | P a g e
TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a cipher text symbol for a plaintext
symbol. A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters. This technique is referred to as a transposition cipher.
Rail fence
Rail fence is simplest of such cipher, in which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows.
Plaintext = meet at the school house
To encipher this message with a rail fence of depth 2, we write the message as follows:
meatecolos
etthshohue
The encrypted message is
MEATECOLOSETTHSHOHUE
Row Transposition Ciphers-
A more complex scheme is to write the message in a rectangle, row by row, and read the message
off, column by column, but permute the order of the columns. The order of columns then becomes
the key of the algorithm.
e.g., plaintext = meet at the school house The basic scheme of a block cipher is depicted as follows −

Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block
of plaintext bits is selected, a series of operations is performed on this block to generate a block
of cipher-text bits. The number of bits in a block is fixed. For example, the schemes DES and
AES have block sizes of 64 and 128, respectively.
Stream Ciphers
In this scheme, the plaintext is processed one bit at a time i.e. one bit of plaintext is taken, and a
series of operations is performed on it to generate one bit of cipher-text. Technically, stream
ciphers are block ciphers with a block size of one bit.
A block cipher takes a block of plaintext bits and generates a block of ciphertext bits, generally
of same size. The size of block is fixed in the given scheme. The choice of block size does not
directly affect to the strength of encryption scheme. The strength of cipher depends up on the key
length.
Block Size
Though any size of block is acceptable, following aspects are borne in mind while selecting a size
of a block.
 Avoid very small block size − Say a block size is m bits. Then the possible plaintext bits
combinations are then 2m. If the attacker discovers the plain text blocks corresponding to
some previously sent cipher-text blocks, then the attacker can launch a type of ‘dictionary
attack’ by building up a dictionary of plaintext/cipher text pairs sent using that encryption
key. A larger block size makes attack harder as the dictionary needs to be larger.

13 | P a g e 14 | P a g e
  Do not have very large block size − With very large block size, the cipher becomes Traditionally symmetric encryption is used to provide message confidentiality

inefficient to operate. Such plaintexts will need to be padded before being encrypted. Consider typical scenario

 Multiples of 8 bit − A preferred block size is a multiple of 8 as it is easy for  Workstations on LANs access other workstations & servers on LAN
implementation as most computer processor handle data in multiple of 8 bits.  LANs interconnected using switches/routers
 With external lines or radio/satellite links
Padding in Block Cipher
Consider attacks and placement in this scenario
Block ciphers process blocks of fixed sizes (say 64 bits). The length of plaintexts is mostly not a
multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each  Snooping from another workstation
with third block of balance 22 bits. The last block of bits needs to be padded up with redundant  Use dial-in to LAN or server to snoop
information so that the length of the final block equal to block size of the scheme. In our example,  Use external router link to enter & snoop
 Monitor and/or modify traffic on external links
the remaining 22 bits need to have additional 42 redundant bits added to provide a complete block.
The process of adding bits to the last block is referred to as padding. Placement of Encryption Function

Too much padding makes the system inefficient. Also, padding may render the system insecure If encryption is to be used to counter attacks on confidentiality, we need to decide what to
at times, if the padding is done with same bits always. encrypt and where the encryption function should be located. As an example, consider a
user workstation in a typical business organization
Block Cipher Schemes
There is a vast number of block ciphers schemes that are in use. Many of them are publically
known. Most popular and prominent block ciphers are listed below.

 Digital Encryption Standard (DES) − The popular block cipher of the 1990s. It is now
considered as a ‘broken’ block cipher, due primarily to its small key size.

 Triple DES − It is a variant scheme based on repeated DES applications. It is still a

respected block ciphers but inefficient compared to the new faster block ciphers available.

 Advanced Encryption Standard (AES) − It is a relatively new block cipher based on the
encryption algorithm Rijndael that won the AES design competition.

 IDEA − It is a sufficiently strong block cipher with a block size of 64 and a key size of
128 bits. A number of applications use IDEA encryption, including early versions of
Pretty Good Privacy (PGP) protocol. The use of IDEA scheme has a restricted adoption
due to patent issues.
 Twofish − This scheme of block cipher uses block size of 128 bits and a key of variable
length. It was one of the AES finalists. It is based on the earlier block cipher Blowfish
with a block size of 64 bits.
 Serpent − A block cipher with a block size of 128 bits and key lengths of 128, 192, or 256
bits, which was also an AES competition finalist. It is a slower but has more secure design
than other block cipher.
Confidentiality using Symmetric Encryption
In most organizations, workstations are attached to local area networks (LANs). Typically,
the user can reach other workstations, hosts, and servers directly on the LAN or on other
LANs in the same building that are interconnected with bridges and routers. Here, then, is
the first point of vulnerability. In this case, the main concern is eavesdropping (secretly
listen to a conversation.) by another employee. Typically, a LAN is a broadcast network:
Transmission from any station to any other station is visible on the LAN medium to all
stations. Data are transmitted in the form of frames, with each frame containing the source
and destination address. An eavesdropper can monitor the traffic on the LAN and capture
any traffic desired on the basis of source and destination addresses. If part or all of the LAN
is wireless, then the potential for eavesdropping is greater.

15 | P a g e 16 | P a g e
 Access to the outside world from the LAN is almost always available in the form of a router
that connects to the Internet, a bank of dial-out modems, or some other type of
communications server. From the communications server, there is a line leading to a wiring
closet. The wiring closet serves as a patch panel for interconnecting internal data and phone
lines and for providing a staging point for external communications.

The wiring closet itself is vulnerable. If an intruder can penetrate to the closet, he or she
can tap into each wire to determine which are used for data transmission. After isolating
one or more lines, the intruder can attach a low-power radio transmitter. The resulting
signals can be picked up from a nearby location (e.g., a parked van or a nearby building).

Link Vs End to End System

A drawback of application-layer encryption is that the number of entities to consider

increases dramatically. A network that supports hundreds of hosts may support thousands
of users and processes. Thus, many more secret keys need to be generated and distributed.

UNIT III

Internet security refers to securing communication over the internet. It includes specific security
protocols such as:

 Internet Security Protocol (IPsec)

 Secure Socket Layer (SSL)

Internet Security Protocol (IPsec)

It consists of a set of protocols designed by Internet Engineering Task Force (IETF). It provides
security at network level and helps to create authenticated and confidential packets for IP layer.

Secure Socket Layer (SSL)

It is a security protocol developed by Netscape Communications Corporation. ). It provides
Encryption Coverage Implications of Store-and-Forward Communications security at transport layer. It addresses the following security issues:

 Privacy

 Integrity

 Authentication

17 | P a g e 18 | P a g e
Threats
Internet security threats impact the network, data security and other internet connected systems. Goals of Server Attacks
Cyber criminals have evolved several techniques to threat privacy and integrity of bank accounts,
businesses, and organizations. Even with the prevalence of wireless, mobile, and cloud-based technologies, physical connections
between network devices are still largely the norm – and there’s hardware involved in those “cable-
Following are some of the internet security threats: free” network infrastructures, as well. Part of ensuring that a network remains both operational
and secure involves taking steps to protect its physical infrastructure.
 Mobile worms

 Malware So data centers must typically be housed in physically secure facilities with strict access controls
and surveillance – preferably on sites free from the risk of earthquakes, floods, and other natural
 PC and Mobile ransomware disasters.

 Large scale attacks like Stuxnet that attempts to destroy infrastructure. Redundancy (having duplicate or alternate versions of critical hardware and software so another
 Hacking as a Service can be called up if the first one fails), auxiliary power generators, surge protection for public power
supplies, environmental controls like air-conditioning and cooling, and Uninterruptible Power
 Spam Supply (UPS) units are also standard.

 Phishing Securing Data On The Network

Email Phishing As information travels within and outside a network, it faces the threat of interception or
interference by third parties not authorized to have access to it. So keeping data secure on a network
Email phishing is an activity of sending emails to a user claiming to be a legitimate enterprise. is undertaken with three objectives in mind:
Its main purpose is to steal sensitive information such as usernames, passwords, and credit card
details. 1. Confidentiality: Keeping sensitive or private data and intellectual property exclusive to the
individual or corporate body that owns it. Eavesdropping on communications and data
Such emails contains link to websites that are infected with malware and direct the user to enter transmissions or the outright theft of information are the threats to be guarded against.
details at a fake website whose look and feels are same to legitimate one. 2. Integrity: Making sure that data originating within a network, stored in its servers,
transmitted, or received retains its original form – one that reflects the real-world conditions
What a phishing email may contain? that it’s supposed to represent. Interception of data in transit or tampering with data in storage
to corrupt or manipulate it are the threats here.
Following are the symptoms of a phishing email: 3. Availability: Ensuring that documents, data and network resources vital to an organization
and its users/customers remain accessible to those authorized, at all times. Denial of Service
SPELLING AND BAD GRAMMAR
(see below) is a major threat to this.
Most often such emails contain grammatically incorrect text. Ignore such emails, since it can be
a spam. Dealing with Threats
The threats facing network security are wide-ranging, and often expressed in categories. And as
BEWARE OF LINKS IN EMAIL with other sciences, security analysts have a range of views as to which of them are the most
Don’t click on any links in suspicious emails. important.

THREATS
Some consider logic attacks and resource attacks to be the most critical. Logic attacks seek to
Such emails contain threat like “your account will be closed if you didn’t respond to an email exploit software vulnerabilities and flaws to give intruders access to targeted systems, degrade
message”. network performance, or crash systems entirely. Resource attacks are intended to overwhelm
CPUs, memory, and other critical resources with multiple requests or huge volumes of data
SPOOFING POPULAR WEBSITES OR COMPANIES packets.
These emails contain graphics that appear to be connected to legitimate website but they actually
are connected to fake websites.

19 | P a g e 20 | P a g e
1. Unstructured threats: Largely impulsive or experimental attacks on a network(s) often
staged without a particular target or motive in mind, but to test out techniques, technologies,
and/or hacking skills.
2. Structured threats: The larger body of attacks carried out by one or more individuals with
some skill in the use of hacking tools and techniques, and targeted at a specific network(s),
with a specific aim in mind.
3. Internal threats: These derive from individuals who currently have access to a given network,
or who had it in the past. Former employees with a grudge or a profit motive are typical of this
breed of attack – and such individuals may have paved the way for their assault by creating
ghost user identities for themselves before leaving an organization.
4. External threats: Attacks by perpetrators outside an organization, typically using the internet
or telecoms access.
FTP (File Transfer Protocol)
FTP was created with the overall goal of allowing indirect use of computers on a network, by
making it easy for users to move files from one place to another. Like most TCP/IP protocols, it is
based on a client/server model, with an FTP client on a user machine creating a connection to an
FTP server to send and retrieve files to and from the server. The main objectives of FTP were to
make file transfer simple, and to shield the user from implementation details of how the files are
actually moved from one place to another. To this end, FTP is designed to automatically deal with
many of the issues that can potentially arise due to format differences in files stored on differing
system
► Interactive Access FTP provides an interactive interface to allow humans to interact with remote
servers.
► Format Specification FTP allows the client to specify the type and representation of stored data.
►The user can specify whether a file contains text or binary data.
► Authentication Control FTP requires clients to authorize themselves by sending a login name
and password to the server before requesting file transfers.
►The server refuses access to clients that cannot provide a valid login and password.
FTP Process Mode
FTP server implementations allow simultaneous access by multiple clients
► Clients use TCP to connect to a server.
► The FTP server process awaits connections and creates a slave process to handle each
connection.
► The slave process accepts and handles a control connection from the client. The control
connection carries commands that tell the server which file to transfer

Overview of how FTP works
After a TCP connection is established, an FTP control connection is created. Internal FTP
commands are passed over this logical connection based on formatting rules established by the
Telnet protocol. Each command sent by the client receives a reply from the server to indicate
whether it succeeded or failed. A data connection is established for each individual data transfer
to be performed. FTP supports either normal or passive data connections, allowing either the server
or client to initiate the data connection. Multiple data types and file types are supported to allow
flexibility for various types of transfers.
An additional TCP connection and process is created to handle each data transfer operation. The
new TCP connection and process on both the client and server is created for each data transfer
operation.
The control connection is kept alive as long as the client keeps the FTP session active.
The data transfer connection is kept alive for the duration of one file transfer. For each file that is
being transferred, a new data transfer connection is created.

To ensure that files are sent and received without loss of data that could corrupt them, FTP uses
the reliable Transmission Control Protocol (TCP) at the transport layer. An authentication system
is used to ensure that only authorized clients are allowed to access a server. At the same time, a
feature sometimes called anonymous FTP allows an organization that wishes it to set up a general
information server to provide files to anyone who might want to retrieve them

The interface between an FTP user and the protocol is provided in the form of a set of interactive
user commands. After establishing a connection and completing authentication, two basic
commands can be used to send or receive files. Additional support commands are provided to
manage the FTP connection, as well as to perform support functions such as listing the contents of
a directory or deleting or renaming files. In recent years, graphical implementations of FTP have
been created to allow users to transfer files using mouse clicks instead of memorizing commands.
FTP can also be used directly by other applications to move files from one place to another.

FTP Features

21 | P a g e 22 | P a g e
 The following table describes some of the SMTP commands:

S.N. Command Description

HELLO
1
This command initiates the SMTP conversation.

EHELLO
2 This is an alternative command to initiate the conversation. ESMTP indicates that the
sender server wants to use extended SMTP protocol.

MAIL FROM
3
This indicates the sender’s address.

RCPT TO
Simple Mail Transfer Protocol 4 It identifies the recipient of the mail. In order to deliver similar message to multiple
users this command can be repeated multiple times.
SMTP stands for Simple Mail Transfer Protocol. It was first proposed in 1982. It is a standard
protocol used for sending e-mail efficiently and reliably over the internet. SIZE
5
Key Points: This command let the server know the size of attached message in bytes.

 SMTP is application level protocol. DATA

 SMTP is connection oriented protocol. 6 The DATA command signifies that a stream of data will follow. Here stream of data
refers to the body of the message.
 SMTP is text based protocol.

 It handles exchange of messages between e-mail servers over TCP/IP network. QUIT
7
This commands is used to terminate the SMTP connection.
 Apart from transferring e-mail, SMPT also provides notification regarding incoming mail.

 When you send e-mail, your e-mail client sends it to your e-mail server which further VERFY
contacts the recipient mail server using SMTP client. 8 This command is used by the receiving server in order to verify whether the given
username is valid or not.
 These SMTP commands specify the sender’s and receiver’s e-mail address, along with the
message to be send.
EXPN
 The exchange of commands between servers is carried out without intervention of any 9 It is same as VRFY, except it will list all the users name when it used with a
user. distribution list.

 In case, message cannot be delivered, an error report is sent to the sender which makes
Network Time Protocol (NTP)
SMTP a reliable protocol.

SMTP Commands Network Time Protocol (NTP) provides a mechanism to synchronize time throughout the network.
An NTP device will form an association with NTP devices closer to the time source. NTP devices

23 | P a g e 24 | P a g e
use a special measurement, called a stratum, to determine how far they are away from the time
source. For example, a device with a stratum of 1 is directly connected to the time source. A device
with a stratum of 2 is one device (or “hop”) away from the time source.
NTP can be configured one of two ways:
Client/Server – The NTP client is configured to always get its time information from the NTP
server. The server will never get its time from the client.
A signature based IDS will monitor packets on the network and compare them against a database
of signatures or attributes from known malicious threats.
This is similar to the way most antivirus software detects malware. The issue is that there will be
a lag between a new threat being discovered in the wild and the signature for detecting that threat
being applied to your IDS. During that lag time, your IDS would be unable to detect the new threat.
Anomaly Based

Peer-to-peer – Peered NTP devices can get their time from each other, depending on who is closest
to the time source (i.e., lowest stratum).
NTP associations can be secured using encrypted authentication.
Intrusion detection System
An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity
and alerts the system or network administrator. In some cases, the IDS may also respond to
anomalous or malicious traffic by taking action such as blocking the user or source IP address from
accessing the network.
An IDS which is anomaly based will monitor network traffic and compare it against an established
baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is
generally used, what protocols are used, what ports and devices generally connect to each other-
and alert the administrator or user when traffic is detected which is anomalous, or significantly
different than the baseline.
Passive IDS
A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert
is generated and sent to the administrator or user and it is up to them to take action to block the
activity or respond in some way.

IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different
ways.
Types of IDS
There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are
IDS that detect based on looking for specific signatures of known threats- similar to the
way antivirus software typically detects and protects against malware- and there are IDS that detect
based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS
that simply monitor and alert and there are IDS that perform an action or actions in response to a
detected threat.
Reactive IDS
Reactive IDS will not only detect suspicious or malicious traffic and alert the administrator but
will take pre-defined proactive actions to respond to the threat. Typically this means blocking any
further network traffic from the source IP address or user.
One of the most well-known and widely used intrusion detection systems is the open source, freely
available Snort. It is available for a number of platforms and operating systems including
both Linux and Windows.

NIDS

Network Intrusion Detection Systems are placed at a strategic point or points within the network
to monitor traffic to and from all devices on the network. Ideally, you would scan all inbound and
outbound traffic; however doing so might create a bottleneck that would impair the overall speed
of the network.

HIDS

 Host Intrusion Detection Systems are run on individual hosts or devices on the network.
 An HIDS monitors the inbound and outbound packets from the device only and will alert
the user or administrator of suspicious activity is detected

Signature Based

25 | P a g e 26 | P a g e
 UNIT IV
E-mail Security
Nowadays, e-mail has become very widely used network application. Let’s briefly discuss the e-
mail infrastructure before proceeding to know about e-mail security protocols.
E-mail Infrastructure
The simplest way of sending an e-mail would be sending a message directly from the sender’s
machine to the recipient’s machine. In this case, it is essential for both the machines to be running
on the network simultaneously. However, this setup is impractical as users may occasionally
connect their machines to the network.
Hence, the concept of setting up e-mail servers arrived. In this setup, the mail is sent to a mail
server which is permanently available on the network. When the recipient’s machine connects to
the network, it reads the mail from the mail server.
In general, the e-mail infrastructure consists of a mesh of mail servers, also termed as Message
Transfer Agents (MTAs) and client machines running an e-mail program comprising of User
Agent (UA) and local MTA.
Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs and
finally reaches the UA on the recipient’s machine.
The protocols used for e-mail are as follows −
 Simple mail Transfer Protocol (SMTP) used for forwarding e-mail messages.
 Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are used to
retrieve the messages by recipient from the server.
MIME
27 | P a g e
Basic Internet e-mail standard was written in 1982 and it describes the format of e-mail message
exchanged on the Internet. It mainly supports e-mail message written as text in basic Roman
alphabet.
By 1992, the need was felt to improve the same. Hence, an additional standard Multipurpose
Internet Mail Extensions (MIME) was defined. It is a set of extensions to the basic Internet E-
mail standard. MIME provides an ability to send e-mail using characters other than those of the
basic Roman alphabet such as Cyrillic alphabet (used in Russian), the Greek alphabet, or even
the ideographic characters of Chinese.
Another need fulfilled by MIME is to send non-text contents, such as images or video clips. Due
to this features, the MIME standard became widely adopted with SMTP for e-mail
communication.
E-Mail Security Services
Growing use of e-mail communication for important and crucial transactions demands provision
of certain fundamental security services as the following −
 Confidentiality − E-mail message should not be read by anyone but the intended recipient.
 Authentication − E-mail recipient can be sure of the identity of the sender.
 Integrity − Assurance to the recipient that the e-mail message has not been altered since
it was transmitted by the sender.
 Non-repudiation − E-mail recipient is able to prove to a third party that the sender really
did send the message.
 Proof of submission − E-mail sender gets the confirmation that the message is handed to
the mail delivery system.
 Proof of delivery − Sender gets a confirmation that the recipient received the message.
PGP
Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto standard
for providing security services for e-mail communication.
As discussed above, it uses public key cryptography, symmetric key cryptography, hash function,
and digital signature. It provides −
 Privacy
 Sender Authentication
 Message Integrity
28 | P a g e
  Non-repudiation
Along with these security services, it also provides data compression and key management
support. PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., rather than
inventing the new ones.
Working of PGP
 Hash of the message is calculated. (MD5 algorithm)
 Resultant 128 bit hash is signed using the private key of the sender (RSA Algorithm).
 The digital signature is concatenated to message, and the result is compressed.
 A 128-bit symmetric key, KS is generated and used to encrypt the compressed message
with IDEA.
 KS is encrypted using the public key of the recipient using RSA algorithm and the result
is appended to the encrypted message.
The format of PGP message is shown in the following diagram. The IDs indicate which key is
used to encrypt KS and which key is to be used to verify the signature on the hash.
29 | P a g e
In PGP scheme, a message in signed and encrypted, and then MIME is encoded before
transmission.
S / MIME
S/MIME stands for Secure Multipurpose Internet Mail Extension. S/MIME is a secure e-mail
standard. It is based on an earlier non-secure e-mailing standard called MIME.
Working of S/MIME
S/MIME approach is similar to PGP. It also uses public key cryptography, symmetric key
cryptography, hash functions, and digital signatures. It provides similar security services as PGP
for e-mail communication.
The most common symmetric ciphers used in S/MIME are RC2 and TripleDES. The usual public
key method is RSA, and the hashing algorithm is SHA-1 or MD5.
S/MIME specifies the additional MIME type, such as “application/pkcs7-mime”, for data
enveloping after encrypting. The whole MIME entity is encrypted and packed into an object.
S/MIME has standardized cryptographic message formats (different from PGP). In fact, MIME
is extended with some keywords to identify the encrypted and/or signed parts in the message.
S/MIME relies on X.509 certificates for public key distribution. It needs top-down hierarchical
PKI for certification support.
Employability of S/MIME
30 | P a g e
Due to the requirement of a certificate from certification authority for implementation, not all
users can take advantage of S/MIME, as some may wish to encrypt a message, with a
public/private key pair. For example, without the involvement or administrative overhead of
certificates.

In practice, although most e-mailing applications implement S/MIME, the certificate enrollment
process is complex. Instead PGP support usually requires adding a plug-in and that plug-in comes
with all that is needed to manage keys. The Web of Trust is not really used. People exchange their
public keys over another medium. Once obtained, they keep a copy of public keys of those with
whom e-mails are usually exchanged.

Implementation layer in network architecture for PGP and S/MIME schemes is shown in the
following image. Both these schemes provide application level security of for e-mail
communication.

One of the schemes, either PGP or S/MIME, is used depending on the environment. A secure e-
email communication in a captive network can be provided by adapting to PGP. For e-mail
security over Internet, where mails are exchanged with new unknown users very often, S/MIME
is considered as a good option.

31 | P a g e