Chapter 20:
Network Security
Business Data Communications, 4e


Security Threats
✘ Passive attacks
✘ Eavesdropping on, or monitoring, transmissions
✘ Electronic mail, file transfers, and client/server exchanges
are examples of transmissions that can be monitored
✘ Active attacks
✘ Modification of transmitted data
✘ Attempts to gain unauthorized access to computer
systems
Business Data Communic
ations, 4e

2


Encryption Methods
✘ The essential technology underlying virtually all automated
network and computer security applications is cryptography
✘ Two fundamental approaches are in use:
✘ conventional encryption, also known as symmetric
encryption
✘ public-key encryption, also known as asymmetric
encryption

Business Data Communic
ations, 4e

3


Conventional Encryption
✘ The only form of encryption prior to late 1970s
✘ Five components to the algorithm
✘ Plaintext: The original message or data
✘ Encryption algorithm: Performs various substitutions and transformations on the
plaintext.
✘ Secret key: Input to the encryption algorithm. Substitutions and transformations
performed depend on this key
✘ Ciphertext: Scrambled message produced as output. depends on the plaintext and
the secret key
✘ Decryption algorithm: Encryption algorithm run in reverse. Uses ciphertext and
the secret key to produce the original plaintext.

Business Data Communic
ations, 4e

4


Conventional Encryption
Operation

Business Data Communic
ations, 4e

5



Conventional Encryption
Requirements & Weaknesses
✘ Requirements
✘ A strong encryption algorithm
✘ Secure process for sender & receiver to obtain secret keys
✘ Methods of Attack
✘ Cryptanalysis
✘ Brute force

Business Data Communic
ations, 4e

6


Data Encryption Standard (DES)
✘ Adopted in 1977, reaffirmed for 5 years in 1994, by
NBS/NIST
✘ Plaintext is 64 bits (or blocks of 64 bits), key is 56 bits
✘ Plaintext goes through 16 iterations, each producing an
intermediate value that is used in the next iteration.
✘ DES is now too easy to crack to be a useful encryption
method

Business Data Communic
ations, 4e

7



Triple DEA
✘ Alternative to DES, uses multiple encryption with DES and
multiple keys
✘ With three distinct keys, TDEA has an effective key length of
168 bits, so is essentially immune to brute force attacks
✘ Principal drawback of TDEA is that the algorithm is
relatively sluggish in software

Business Data Communic
ations, 4e

8


Public-Key Encryption
✘ Based on mathematical functions rather than on simple
operations on bit patterns
✘ Asymmetric, involving the use of two separate keys
✘ Misconceptions about public key encryption
✘ it is more secure from cryptanalysis
✘ it is a general-purpose technique that has made
conventional encryption obsolete

Business Data Communic
ations, 4e

9



Public-Key Encryption
Components
✘
✘
✘
✘
✘
✘

Plaintext
Encryption algorithm
Public key
Private key
Ciphertext
Decryption algorithm

Business Data Communic
ations, 4e

10


Public-Key Encryption Operation

Business Data Communic
ations, 4e

11



Public-Key Signature Operation

Business Data Communic
ations, 4e

12


Characteristics of Public-Key
✘ Infeasible to determine the decryption key given knowledge
of the cryptographic algorithm and the encryption key.
✘ Either of the two related keys can be used for encryption,
with the other used for decryption.
✘ Slow, but provides tremendous flexibility to perform a
number of security-related functions
✘ Most widely used algorithm is RSA

Business Data Communic
ations, 4e

13


Location of Encryption Devices
✘ Link encryption
✘ Each vulnerable communications link is equipped on both ends with an
encryption device.
✘ All traffic over all communications links is secured.
✘ Vulnerable at each switch


✘ End-to-end encryption
✘ the encryption process is carried out at the two end systems.
✘ Encrypted data are transmitted unaltered across the network to the
destination, which shares a key with the source to decrypt the data
✘ Packet headers cannot be secured

Business Data Communic
ations, 4e

14


Conventional Encryption
Key Distribution
✘ Both parties must have the secret key
✘ Key is changed frequently
✘ Requires either manual delivery of keys, or a third-party
encrypted channel
✘ Most effective method is a Key Distribution Center (e.g.
Kerberos)

Business Data Communic
ations, 4e

15


Public-Key Encryption
Key Distribution

✘ Parties create a pair of keys; public key is broadly distributed,
private key is not
✘ To reduce computational overhead, the following process is then
used:
1. Prepare a message.
2. Encrypt that message using conventional encryption with a one-time
conventional session key.
3. Encrypt the session key using public-key encryption with recipient’s public
key.
4. Attach the encrypted session key to the message and send it.

Business Data Communic
ations, 4e

16


Digital Signature Process

Business Data Communic
ations, 4e

17


Public Key Certificates
1. A public key is generated by the user and submitted to
Agency X for certification.
2. X determines by some procedure, such as a face-to-face
meeting, that this is authentically the user’s public key.

3. X appends a timestamp to the public key, generates the hash
code of the result, and encrypts that result with X’s private
key forming the signature.
4. The signature is attached to the public key.
Business Data Communic
ations, 4e

18


Web Vulnerabilities
✘ Unauthorized alteration of data at the Web site
✘ Unauthorized access to the underlying operating system at
the Web server
✘ Eavesdropping on messages passed between a Web server
and a Web browser
✘ Impersonation

Business Data Communic
ations, 4e

19


Methods for Improving
Web Security
✘ Securing the Web site itself
✘ install all operating system security patches
✘ install the Web server software with minimal system
privileges

✘ use a more secure platform
✘ Securing the Web application

Business Data Communic
ations, 4e

20


Web Application Security
✘ Secure HyperText Transfer Protocol (SHTTP)
✘ Secure Sockets Layer (SSL)
✘ Web server packages should incorporate both of these
protocols

Business Data Communic
ations, 4e

21


Virtual Private Networks (VPNs)
✘ The use of encryption and authentication in the lower
protocol layers to provide a secure connection through an
otherwise insecure network, typically the Internet.
✘ Generally cheaper than real private networks using private
lines but rely on having the same encryption and
authentication system at both ends.
✘ The encryption may be performed by firewall software or
possibly by routers.

Business Data Communic
ations, 4e

22


IPSec
✘ Can secure communications across a LAN, WANs, and/or
the Internet
✘ Examples of use:
✘ Secure branch office connectivity over the Internet
✘ Secure remote access over the Internet
✘ Establishing extranet and intranet connectivity with
partners
✘ Enhancing electronic commerce security
Business Data Communic
ations, 4e

23


Benefits of IPSec
✘ When implemented in a firewall or router, provides strong
security for all traffic crossing the perimeter
✘ IPSec in a firewall is resistant to bypass
✘ Runs below the transport layer (TCP, UDP) and so is
transparent to applications
✘ Can be transparent to end users
✘ Can provide security for individual users if needed
Business Data Communic

ations, 4e

24


IPSec Functions
✘ IPSec provides three main facilities
✘ authentication-only function referred to as Authentication
Header (AH)
✘ combined authentication/encryption function called
Encapsulating Security Payload (ESP)
✘ a key exchange function
✘ For VPNs, both authentication and encryption are generally
desired
Business Data Communic
ations, 4e

25