network security

Published on March 2017 | Categories: Documents | Downloads: 23 | Comments: 0 | Views: 198
of 11
Download PDF   Embed   Report

Comments

Content

Network Security using Cryptography and its Methods

Network Security using Cryptography

ABSTRACT: “Privacy and security is must for me, you and others” This is the age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud. Everyday people use insurance to protect their valuables from fire or theft. Businesses protect themselves from intellectual theft through patents and trademarks. Because the use of global networking has increased the information flow and dependence upon the computing technology, there is need to protect the systems, intranet, Internet and information from damage and theft. This increases the need to emphasize the subject of Internet Security. We are going to present what are the common attacks against security over network, Solutions for those attacks, Introduction of cryptography, Algorithms of Cryptography and some specialpurpose Secure Networking Devices and its applications. More over we are going to show what the best ciphers currently in use are.

TERMINOLOGY: Cryptography: It is the study of secret (crypto-) writing (-graphy) that is secret writing. Simply it is an art of code making.

• Plaintext: The original intelligible message (i.e.:
Original data)

• Cipher text: The transformed message • Cipher: An algorithm for transforming an
intelligible message into one that is unintelligible by transposition and/or substitution methods

• Key: Some critical information used by the
cipher, known only to the sender & receiver

• Encipher: (Encode or Encrypt) The process of
converting plaintext to cipher text using a cipher and a key.

• Decipher: (Decode or Decrypt) The process of
converting cipher text back into plaintext using a cipher and a key

• Cryptanalysis: It is a Science and Art of code
Breaking

• Cryptology: Both cryptography and cryptanalysis
are called as cryptology.

• Cryptographers: People who do cryptography • Cryptanalyst: Practitioners of cryptanalysis.

INTRODUCTION A basic understanding of computer networks is requisite in order to understand the principles of network security. First of all we have to know that WHAT IS A NETWORK? A “network” has been defined as “any set of interlinking lines resembling a net, a network of roads, an interconnected system, a network of alliances”. This definition suits well for network: Collection of autonomous systems.

Now our need of network security has broken into two needs. One is the need of information security and other is the need of computer security. On internet or any network of an organization, thousands of important information’s are exchanged daily. These information’s can be misused by attackers. The information security is needed for the following given reasons. > To protect the secret information users on the net only. No other person should see or access it.

> To protect the information from unwanted editing, accidentally or intentionally by unauthorized users.

>To protect the information from loss and make it to be delivered to its destination properly.

>To manage for acknowledgement of message
FIG: NETWORK

received by any node in order to protect from denial by sender in specific situations. For example let a customer orders to purchase a few shares XYZ to the broker and denies for the order after two days as the rates go down.

WHAT IS NETWORK SECURITY? Network Security is one which making sure that nosy people could not either access or alter the information intended for the recipient.

Need of Network Security: - The network
needs security against attackers and hackers. Network Security includes two basic securities. The first is the security of data information i.e. to protect the information from unauthorized access and loss. And the second is computer security i.e. to protect data and to thwart hackers. Here network security not only means security in a single network rather in any network or network of networks.

> To restrict a user to send some message to another user with name of a third one. For example a user X for his own interest makes a message containing some favorable instructions and sends it to user Y in such a manner that Y accepts the message as coming from Z, the manager of the organization.

> To protect the message from unwanted delay in the transmission lines/route in order to deliver it to required destination in time, in case of urgency.

and malicious abuse of resources, access or privileges granted to an individual by an organization. 5.Unauthorizedcessviadefaultcredentials: Instanc

> To protect the data from wandering the data packets or information packets in the network for infinitely long time and thus increasing congestion in the line in case destination machine fails to capture it because of some internal faults

es in which an attacker gains access to a system or device protected by standard preset (widely known) user names and passwords.

6. Violation of acceptable use and other policies: Accidental or purposeful disregard of acceptable 7. Unauthorized use access via policies. weak or

misconfigured access control lists (ACL’s): When ACL’s are weak or misconfigured; attackers can access resources and perform actions not intended by the victim.

Fig: systems connected through Routers

COMMON

ATTACKS

AGAINST

SECURITY

OVER

NETWORK: 1. Key logging and spy ware: Malware specifically designed to covertly collect, monitor and log the actions of a system user.

2. Backdoor or command/control: Tools that provide remote access to or control of infected systems, or both, and are designed to run covertly. 3. SQL injection: An attack technique used to exploit how Web pages communicate with back-end databases. 4. Abuse of system access/privileges: Deliberate 9. Unauthorized access via stolen credentials: Instances in which an attacker gains access to a protected system or device using valid but stolen credentials. 8. Packet sniffer: Monitors and captures data traversing a network


10. Pretexting or social engineering: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. 11. Authentication bypass: Circumvention mechanisms to a to of gain system

Any one on the Network

SOLUTIONS FOR ATTACKS AGAINST SECURITY OVER NETWORKS •Encryption: To protect data and passwords. •Authentication: By using digital signatures and certificates this will do verify who is sending data over the network. •Authorization: To prevent improper access of data over the network. •Integrity checking: To protect against improper alteration of messages. •Non-repudiation: To make sure that an action cannot be denied by the person who performed it.
ONE OF THE IMPORTANT SOLUTION TO PROVIDE NETWORK SECUTIY IS

normal

authentication access

unauthorized

12. Physical theft of asset: Physically stealing an asset. 13. Brute-force attack: An automated process of iterating through possible one username/password is successful. combinations until

14. RAM scraper: A fairly new form of malware designed to capture data from volatile memory (RAM) within a system.

CRYPTOGRAPHY

15. Phishing (and endless "ishing" variations): A social engineering technique in which an attacker uses fraudulent electronic communications (usually e-mail) to lure the recipient into divulging information. CONCEPT OF CRYPTOGRAPHY To keeping your data and communications secure, techniques such as encryption, decryption and authentication are used. The key factor to strong cryptography is the difficulty of reverse engineering. Strong cryptography means that the • • • • • • Financial institutions and banks Internet service providers Pharmaceutical companies Government and defense agencies Contractors agencies Multinational corporations to various government computational effort needed to retrieve your clear text messages without knowing the proper keys makes the retrieval infeasible. ENCRYPTION
ALGORITHMS AND DECRYPTION

Who is vulnerable?

-

CRYPTOGRAPHIC

Encryption is the transformation of a clear text message into an unreadable

form in order to hide its meaning. The opposite transformation, which retrieves the original clear text, is the decryption. The mathematical function used for encryption and decryption is the cryptographic algorithm or cipher. There are many drawbacks to restricted ciphers. It is very difficult to keep an algorithm a secret when many people use it. For these reasons, the currently used algorithms are keyed, that is, the encryption and decryption makes use of a parameter, known as the key. The key can be chosen from a set of possible values, called the key space. The key space usually is huge, the bigger the better. IMPORTANCE OF CRYPTOGRAPHY Encryption provides confidentiality to

Symmetric algorithms are keyed algorithms where the decryption key is the same as the encryption key. These are conventional cryptographic algorithms where the sender and the receiver must agree on the key before any secured communication can take place between them.

There are two types of symmetric algorithms: 1. Block ciphers: A cryptosystem in which encryption/decryption is done on blocks of data. The full message is divided into fixed length blocks, then each block is encrypted/decrypted and the blocks are grouped to get the plaintext/cipher text. 2. Stream ciphers: An encryption method that uses continuous input, as opposed to fixed length blocks of data. The algorithms used in Block Ciphers: Secret key block ciphers Data Encryption Standards (DES) International data Encryption algorithm (IDEA) Modular multiplication Block cipher (MMB) Cellular automata cipher Data Block Size (bits) 64 64 128 384 Crypto key size bits 56 128 128 1088

messages. When communicating over an un-trusted medium, such as the Internet, you may also need, in addition to •ConfidentialityProtection of information disclosure by means of data encryption to those who are not intended to receive it. •Authentication- A method for verifying that the sender of a message is really who he or she claims to be. Any intruder masquerading as someone else is detected by authentication. •Integrity checking - A method for verifying that a message has not been altered along the communication path. Any tampered message sent by an intruder is detected by an integrity check. •Non-repudiation–The possibility to prove that the sender has really sent the message. SYMMETRIC ALGORITHMS OR SECRET-KEY

shown in figure where Alice sends an encrypted SKIPJACK 64 80 message to Bob.

The most significant use of IDEA is in the freeware secure e-mail package Pretty Good Privacy (PGP). An example of a stream algorithm is A5, The advantage of the symmetric algorithms is their efficiency. They can be easily implemented in hardware. A major disadvantage is the difficulty of key management. A secure way of exchanging the keys must exist, which is often very hard to implement. ASYMMETRIC ALGORITHMS These algorithms address the major
USING

As the public key is available to anyone, privacy is assured without the need for a secure key-exchange channel. Parties who wish to communicate retrieve each other's public key.

OR

PUBLIC-KEY

AUTHENTICATION AND NON-REPUDIATION DIGITAL SIGNATURES An interesting property of the public-key

drawback of symmetric ciphers, the requirement of the secure key-exchange channel. The idea is that two different keys should be used: Public key which, as the name implies, is known to everyone, and Private key, which is to be kept in tight security by the owner. The private key cannot be determined from the public key. A clear text encrypted with the public key can only be decrypted with the corresponding private key. A clear text encrypted with the private key can only be decrypted with the corresponding public key. Thus, if someone sends a message encrypted with the recipient's public key, it can be read by the intended recipient only. The process is

algorithms is that they can provide authentication. The private key is used for encryption. Since anyone has access to the corresponding public key and can decrypt the message, This provides no privacy. However, it authenticates the message. If one can successfully decrypt it with the claimed sender's public key, then the message has been encrypted with the corresponding private key, which is known by the real sender only. Thus, the sender's identity is verified. Encryption with the private key is used in Digital Signatures. The principle is shown in figure. Alice encrypts her message with her private key ("signs" it), in order to enable Bob to verify the authenticity of the message.

A hash function that takes a key as a second input parameter and its output depends on both the message and the key is called a Message Authentication Code (MAC), as shown in figure

Going a step further, encrypting with the private key gives non-repudiation too. Additionally, if a timestamp is included, then the exact date and time can also be proven. There are protocols involving trusted third parties that prevent the sender from using phony timestamps. HASH FUNCTIONS Hash functions Put simply, if you encrypt a hash, it becomes a MAC. If you add a secret key to a message, then hash the concatenation, the result is a MAC. Both symmetric and asymmetric algorithms can be used (also called message to generate Macs. Hash functions are primarily used to assure integrity and authentication: • The sender calculates the hash of the message and appends it to the message. • The recipient calculates the hash of the received message and then compares the result with the transmitted hash. • If the hashes match, the message was not tampered with. • If the encryption key (symmetric or asymmetric) is only known by a trusted sender, a successful MAC decryption indicates that the claimed and actual senders are identical. The Message* and MAC* notations reflect the fact that the message might have been altered while crossing the untrusted

digests) are fundamental to cryptography. A hash function is a function that takes variable-length input data and produces fixed length output data (the hash value), which can be regarded as the "fingerprint" of the input. That is, if the hashes of two messages match, it is highly probable that the messages are the same. Cryptographically useful hash functions must be one-way, which means that they should be easy to compute, but infeasible to reverse. An everyday example of a one-way function is mashing a potato; it is easy to do, but once mashed, reconstructing the original potato is rather difficult. A good hash function should also be collision-resistant. It should be hard to find two different inputs that hash to the same value. As any hash function maps an input set to a smaller output set, theoretically it is possible to find collisions. The point is to provide a unique digital "fingerprint" of the message, that identifies it with high confidence, much like a real fingerprint identifying a person.

channel.

(often referred to as initialization vectors) are generated. The quality, that is the randomness of these generators, is more important than you might think. The ordinary random function provided with most programming language libraries is good enough for games, but not for cryptography. Those randomnumber generators are rather predictable; if you rely on them, be prepared for happy cryptanalysts finding interesting correlations in your encrypted output. The fundamental problem faced by the random-number generators is that the computers are ultimately deterministic machines, so real random sequences cannot be produced. As John von Neumann ironically said: "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." That's why the term “pseudorandom generator” is more appropriate. Cryptographically strong pseudorandom generators must be unpredictable. It must be computationally infeasible to determine the next random bit, even with total knowledge of the generator. A common practical solution for pseudorandom generators is to use hash functions. This approach provides use sufficient randomness and it can be efficiently implemented. Military-grade generators specialized devices that exploit the inherent randomness in physical phenomena. An interesting solution can be found in the PGP software. The initial seed of the pseudorandom generator is derived from measuring the time elapsed between the keystrokes of the user.

One could argue that the same result can be obtained with any kind of encryption, because if an intruder modifies an encrypted message, the decryption will result in nonsense, thus tampering can be detected. The answer is that many times only integrity and/or authentication is needed, maybe with encryption on some of the fields of the message. Also encryption is very processor-intensive. Examples include the personal banking machine networks, where only the Pin’s are encrypted, however Mac’s are widely used. Encrypting all the messages in their entirety would not yield noticeable benefits and performance would dramatically decrease. The encryption of a hash with the private key is called a Digital Signature. The encryption of a secret key with a public key is called a digital envelope. This is a common technique used to distribute secret keys for symmetric algorithms.

RANDOM-NUMBER GENERATORS An important component of a cryptosystem is the random-number generator. Many times random session keys and random initialization variables

SECURE NETWORK DEVICES SECURE MODEMS: WALK-UP NETWORK CONNECTIONS By "walk-up" connections, we mean network connection points located to provide a convenient way for users to connect a portable host to your network. Consider whether you need to provide this service, bearing in mind that it allows any user to attach an unauthorized host to your network. This increases the risk of attacks via techniques such as IP address spoofing, packet sniffing, etc. Users and site management must appreciate the risks involved. If you decide to provide walk-up connections, plan the service carefully and define precisely where you will provide it so that you can ensure the necessary physical access security. A walk-up host should be authenticated before its user is permitted to access resources on your network. As an alternative, it may be possible to control physical access. For example, if the service is to be used by students, you might only provide walk-up connection sockets in student laboratories. If you are providing walk-up access for visitors to connect back to their home networks (e.g., to read e-mail, etc.) in your facility, consider using a separate subnet that has no connectivity to the internal network. Keep an eye on any area that contains unmonitored access to the network, such as vacant offices. It may be sensible to disconnect such areas at the wiring closet, and consider using secure hubs and monitoring attempts to connect unauthorized hosts.

MODEMS: If modem access is to be provided, this should be guarded carefully. The terminal server , or network device that provides dial-up access to your network needs to be actively administered, and its logs need to be examined for strange behavior. Its password need to be strong -- not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network from remote: guard it carefully. 1. 2. 3. 4. 5. 6. 7. Modem Lines Must Be Managed Dial-in Users Must Be Authenticated Call-back Capability All Logins Should Be Logged Choose Your Opening Banner Carefully Dial-out Authentication Make Your Modem Programming as "Bulletproof" as Possible Dial-back systems There are some remote access systems that have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system, and providing the correct user id and password. The system will then drop the connection, and call the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips. Other possibilities include one-time password schemes, where the user enters his userid, and is presented with a ``challenge,'' a string of between six and eight numbers. He types this challenge into a small device that he carries with him that looks like

a calculator. He then presses enter, and a ``response'' is displayed on the LCD screen. The user types the response, and if all is correct, he login will proceed. These are useful devices for solving the problem of good passwords, without requiring dial-back access. However, these have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys. CRYPTO-CAPABLE ROUTERS: A feature that is being built into some routers is the ability to session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes.

provide mutual authentication and shared key Agreement. 2. Once the handshake is successfully completed, application data is securely exchanged by means of symmetric key encryption using the shared-key.

Security in online banking: Online Banking uses several different methods to protect your information: All information within Online Banking uses the SSL (Secure Socket Layer) protocol for transferring data. SSL is encryption that creates a secure environment for the information being transferred between your browser and Security State Bank. At a high level, SSL uses public key cryptography to secure transmissions over the Internet. In practice, your browser will send a message via SSL to the bank's server. The bank responds by sending a certificate, which contains the bank's public key. Your browser authenticates the certificate (agrees that the server is in fact Security State Bank's), then generates a random session key which is used to encrypt data traveling between your browser and the bank's server. This session key is encrypted using the bank's public key and sent back to the server. The bank decrypts this message using its private key, and then uses the session key for the remainder of the communication Digital Signatures on Mobile Transactions: Digital signatures make public key cryptography a most practical tool in real-life applications, being the most reliable method for authentication and no repudiation. As such, digital signatures are expected to become a fundamental element of mobile devices

APPLICATIONS:
Secure Browsing: Network security protocols are probably the most common use of public key methodologies by wireless devices. The Open Mobile Alliance (OMA, formerly the WAP Forum) 3 have specified a Wireless version of the IETF Transport Layer Security (TLS) protocol, known as WTLS, to secure mobile browsing. WTLS Provided for a secure channel between the mobile phone and a WAP gateway, however, did not satisfy the demand for end-to-end security in data networks. A later version of WAP (2.0) adopted the TLS protocol itself within WAP Transport Layer end-to-end Security specification. The TLS protocol allows for true end-to-end security while browsing the Internet by: 1. Allowing a web server and a client (in this case – a mobile phone) to Authenticate each other and establish an encrypted connection. The Authentication is part of the handshake process, where public key Cryptography is utilized to

business applications, as they already are being used for signing transactions, taking place in online banking and payment applications.

Bellare M. and Rogaway, P., “Optimal Asymmetric Encryption”

Websites browsed:
A new concept for mobile transactions is called actionable alerts. These are constructed by a service provider sending a message to the mobile user, and the mobile user responding with an alert. A secure version of actionable alerts application, based on digital signatures and encryption, allows the banks to facilitate mobile platforms to secure banking transactions. Similarly, other procurement transactions may be secured by engaging digital signatures, where the mobile user signs documents such as a contract, NDA, MOU, RFP, bids etc. CONCLUSION Cryptography has emerged as an www.cryptography.com www.infosyssec.net www.crypto.com

alternative to protect Internet data and it does the job well. New cryptographic products and technologies have been developed particularly for Internet applications. Thus these Crypto techniques provide sophisticated, protected and reliable networks for secure Data Interchange over the networks. . BIBLIOGRAPHY: Balenson, D., Automated Distribution of

Cryptographic Keys Bellovin, S. M., and Merrit. M., “Augmented Encrypted Key Exchange” Applied Cryptography by Bruce Schneier Handbook of Applied Cryptography by Alfred Menezes, Paul van Oorschot and Scott Vanstone

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close