Chapter 18:
Network Security
Business Data Communications, 5e


Types of Security
• Information Security
• Computer Security
• Network Security

Business Data Commun
ications, 5e

2


Security Requirements
•
•
•
•

Confidentiality
Integrity
Availability
Authenticity

Business Data Commun
ications, 5e

3

Security Threats
• Passive attacks
–
–
–
–

Release of message contents
Traffic analysis
Difficult to detect because there is no data alteration
Emphasis on prevention through encryption

• Active attacks
–
–
–
–

Masquerae
Replay
Modification of messages
Denial of Service

Business Data Commun
ications, 5e

4



Symmetric Encryption
• The only form of encryption prior to late 1970s
• Five components to the algorithm
–
–
–
–
–
–

Plaintext
The original message or data
Encryption algorithm
Secret key
Ciphertext
Decryption algorithm

• Two requirements
– Strong encryption algorithm
– Secure exchange of keys

Business Data Commun
ications, 5e

5


Conventional Encryption
Operation


Business Data Commun
ications, 5e

6


Symmetric Encryption Attacks
• Cryptanalysis
– Exploits the algorithm to attempt to deduce a specific
plaintext or key being used
– If successful, future and past messages encrypted with
that key are compromised

• Brute Force
– Try every possible key on a piece of ciphertext until
an intelligible translation into plaintext is obtained
– On average, half of all possible keys must be tried to
achieve success
Business Data Commun
ications, 5e

7


Data Encryption Standard (DES)
• Dominant encryption algorithm after release in
1977
• 56-bit key made it too easy to crack by 1998
• Life of DES extended by use of triple DES

(3DES
– Repeats basic DES algorithm three times, using either
two or three unique keys
– Key size of 112 or 168 bits
– Drawbacks: Algorithm is sluggish in software, 64-bit
block size is inefficient
Business Data Commun
ications, 5e

8


Advanced Encryption Standard

Business Data Commun
ications, 5e

9


Location of Encryption Devices
• Link encryption
– Each vulnerable communications link is equipped on
both ends with an encryption device.
– All traffic over all communications links is secured.
– Vulnerable at each switch

• End-to-end encryption
– Encryption process carried out at two end systems
– Encrypted data transmitted unaltered across network;

destination shares key with source to decrypt data
– Packet headers cannot be secured
Business Data Commun
ications, 5e

10


Symmetric Encryption
Key Distribution
• Both parties must have the secret key
• Key is changed frequently
• Requires either manual delivery of keys, or
a third-party encrypted channel
• Most effective method is a Key
Distribution Center (e.g. Kerberos)

Business Data Commun
ications, 5e

11


End-to-End Encryption
• Two types of keys
– Session keys
– Permanent keys

• Required components
– Key distribution center

– Security service module (SSM)

Business Data Commun
ications, 5e

12


Automated Key Distribution

Business Data Commun
ications, 5e

13


Traffic Padding
• A function that produces ciphertext output
continuously, even in the absence of plaintext
• Continuous random data stream is generated.
When plaintext is available, it is encrypted and
transmitted. When input plaintext is not present,
the random data are encrypted and transmitted
• Makes it impossible for an attacker to distinguish
between true data flow and noise and therefore
impossible to deduce the amount of traffic
Business Data Commun
ications, 5e

14



Message Authentication
• Must verify that contents have not been
altered and that source is authentic
• Approaches
–
–
–
–

Authentication using symmetric encryption
Authentication without message encryption
Message authentication code
One-way hash function
Business Data Commun
ications, 5e

15


Hash Function (H)
Requirements
•
•
•
•

Can be applied to a block of data of any size.
Produces a fixed-length output.

H(x) is relatively easy to compute for any given x
For any given code h, it is computationally
infeasible to find x such that H(x) = h.
• For any given block x, it is computationally
infeasible to find y ≠ x with H(y) = H(x).
• It is computationally infeasible to find any pair
(x, y) such that H(x) = H(y).
Business Data Commun
ications, 5e

16


Public-Key Encryption
• Based on mathematical functions rather than on
simple operations on bit patterns
• Asymmetric, involving the use of two separate
keys
• Misconceptions about public key encryption
– it is more secure from cryptanalysis
– it is a general-purpose technique that has made
conventional encryption obsolete
– it is less cumbersome than conventional encryption
Business Data Commun
ications, 5e

17


Public-Key Encryption

Components
•
•
•
•
•

Plaintext
Encryption algorithm
Public and private key
Ciphertext
Decryption algorithm

Business Data Commun
ications, 5e

18


Public-Key Encryption
Operation

Business Data Commun
ications, 5e

19


Public-Key Signature Operation


Business Data Commun
ications, 5e

20


Characteristics of Public-Key
• Computationally infeasible to determine
the decryption key given knowledge of the
cryptographic algorithm and the encryption
key
• Either of the two related keys can be used
for encryption, with the other used for
decryption
Business Data Commun
ications, 5e

21


Steps in Public Key Encryption
• Each user generates a pair of keys to be used for the
encryption and decryption of messages.
• Each user places one of the two keys in a public register
or other accessible file. This is the public key. The
companion key is kept private.
• If Bob wishes to send a private message to Alice, Bob
encrypts the message using Alice's public key.
• When Alice receives the message, she decrypts it using
her private key. No other recipient can decrypt the

message because only Alice knows Alice's private key.
Business Data Commun
ications, 5e

22


Digital Signature Process

Business Data Commun
ications, 5e

23


RSA Encryption Algorithm
• Developed in 1977, first published in 1978
• Widely accepted and implemented approach to
public-key encryption
• For plaintext block M and ciphertext block C
– C = Me mod n
– M = Cd mod n = (Me)d mod n = Med mod n

• Both sender and receiver must know values of n and
e; only receiver knows value of d
• Public key of KU = {e, n}
• Private key of KR = {d, n}.
Business Data Commun
ications, 5e


24


RSA Requirements
• It is possible to find values of e, d, n such
that Med = M mod n for all M < n.
• It is relatively easy to calculate Me and Cd
for all values of M < n.
• It is infeasible to determine d given e and
n.
– This requirement can be met with large values
of e and n
Business Data Commun
ications, 5e

25