2. MODEL OF NETWORK SECURITY
3. MESSAGE AUTHENTICATION
4. ELECTRONIC MAIL SECURITY
i) Pretty Good Privacy (PGP)
5. IP SECURITY
iv) Security association
v) Authentication Header
6. WEB SECURITY
i) Secure Socket Layer (SSL)
ii) Secure Electronic Transaction (SET)
Network security measures are needed to protect data during their transmission.
In fact, the term network security is somewhat misleading, because virtually all business,
government, and academic organizations interconnect their data processing equipment
with a collection of interconnected networks, that is, with an internet. Internet security
would therefore be the more accurate term, but network security is the one in common use.
In an age of universal electronic connectivity, of viruses and hackers, of electronic
eavesdropping and electronic fraud, there is no time at which security does not matter.
This has led to a heightened awareness of the need to protect data and resources from
disclosure, to guarantee the authenticity of data and messages, and to protect systems
from network-based attacks.
In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features. In many cases, successful attacks
are designed by looking at the problem in a completely different way, thereby
exploiting an unexpected weakness in the mechanism.
MODEL OF NETWORK SECURITY:
A message is to be transferred from one party to another across some sort of
internet. The two parties, who are the principals in this transaction, must cooperate for
the exchange to take place.
A logical information channel is established by defining a route through the
internet from source to destination and by the cooperative use of communication
protocols by the two principals
Security aspects come into play when it is necessary or desirable to protect the
information transmission from an opponent who may present a threat to confidentiality,
authenticity and so on. All the techniques for providing security have two components:
1. A security-related transformation on the information to be sent. Examples include
the encryption of the message, which scrambles the message so that it is unreadable by
the opponent, and the addition of a code based on the contents of the message, which
can be used to verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to
the opponent. An example is an encryption key used in conjunction with the
transformation to scramble the message before transmission and unscramble it on
reception.
A trusted third party may be needed to achieve secure transmission, for example to
distribute the secret information to the two principals or to arbitrate disputes between
them about the authenticity of a message.
[Figure: model of network security. Sender and receiver each hold the secret information
and apply the security-related transformation; the message crosses the information
channel, on which the opponent sits; a trusted third party stands above both principals.]
MESSAGE AUTHENTICATION:
The following attacks can be identified in the context of communication across a
network. The first two are attacks on confidentiality; the remainder are attacks on
message authentication.
DISCLOSURE: Release of message contents to any person or process not possessing
the appropriate cryptographic key.
TRAFFIC ANALYSIS: Discovery of the pattern of traffic between parties. In a
connection-oriented application, the frequency and duration of connections could be
determined; in either a connection-oriented or a connectionless environment, the number
and length of messages between parties could be determined.
MASQUERADE: Insertion of messages into the network from a fraudulent source.
CONTENT MODIFICATION: Changes to the contents of a message, including
insertion, deletion, transposition and modification.
SEQUENCE MODIFICATION: Any modification to a sequence of messages between
parties, including insertion, deletion and reordering.
TIMING MODIFICATION: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of some previous
valid session, or individual messages in the sequence could be delayed or replayed.
SOURCE REPUDIATION: Denial of transmission of message by source.
DESTINATION REPUDIATION: Denial of receipt of message by destination.
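The attacks just listed are what a message authentication scheme must detect. The following is an added example in Go, not part of the original notes: a sender tags each message with an HMAC-SHA256 over a sequence number, a send time and the content, using a key the two principals share; the receiver checks the tag (masquerade and content modification), rejects repeated or out-of-order sequence numbers (replay and sequence modification), and rejects messages delayed beyond a limit (timing modification). The key, the message contents and the timestamps are constructed for the demo. Disclosure and traffic analysis are not addressed, because a MAC provides authentication, not confidentiality.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Message is what crosses the network: a sequence number, a send time, the content,
// and an HMAC-SHA256 tag over all three under the key the two principals share.
// Everything but the key travels in the clear.
type Message struct {
	Seq     uint64
	SentAt  int64 // Unix seconds, set by the sender
	Content []byte
	Tag     []byte
}

func computeTag(key []byte, seq uint64, sentAt int64, content []byte) []byte {
	m := hmac.New(sha256.New, key)
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[0:8], seq)
	binary.BigEndian.PutUint64(hdr[8:16], uint64(sentAt))
	m.Write(hdr[:])
	m.Write(content)
	return m.Sum(nil)
}

type Sender struct {
	Key  []byte
	next uint64
}

// Send numbers the message (starting at 1) and tags it.
func (s *Sender) Send(content []byte, now int64) Message {
	s.next++
	return Message{Seq: s.next, SentAt: now, Content: content,
		Tag: computeTag(s.Key, s.next, now, content)}
}

var (
	ErrForged = errors.New("masquerade or content modification: tag does not verify")
	ErrReplay = errors.New("timing modification: sequence number already accepted")
	ErrOrder  = errors.New("sequence modification: message arrived out of order")
	ErrStale  = errors.New("timing modification: message delayed beyond MaxAge")
)

// Receiver enforces strict in-order delivery, as a connection-oriented application would.
type Receiver struct {
	Key     []byte
	MaxAge  int64 // seconds a message may spend in transit before it is rejected
	lastSeq uint64
}

func (r *Receiver) Receive(m Message, now int64) error {
	// Check the tag first: a forger who cannot produce a valid tag learns nothing
	// about the receiver's sequence state from the checks that follow.
	if !hmac.Equal(m.Tag, computeTag(r.Key, m.Seq, m.SentAt, m.Content)) {
		return ErrForged
	}
	switch {
	case m.Seq <= r.lastSeq:
		return ErrReplay
	case m.Seq != r.lastSeq+1:
		return ErrOrder // a gap: an earlier message was dropped or is still in flight
	case now-m.SentAt > r.MaxAge:
		return ErrStale
	}
	r.lastSeq = m.Seq
	return nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed shared secret for the demo
	s, r := &Sender{Key: key}, &Receiver{Key: key, MaxAge: 30}
	now := time.Now().Unix()
	m1 := s.Send([]byte("transfer 100 to account 42"), now) // constructed content
	fmt.Println("deliver m1: ", r.Receive(m1, now+1))
	fmt.Println("replay m1:  ", r.Receive(m1, now+2))
	m2 := s.Send([]byte("transfer 5 to account 7"), now+3)
	forged := m2
	forged.Content = []byte("transfer 5000 to account 7")
	fmt.Println("modified m2:", r.Receive(forged, now+4))
	fmt.Println("deliver m2: ", r.Receive(m2, now+5))
}
```

The strict check `Seq == lastSeq+1` is right for a connection-oriented exchange where order matters; a connectionless service would instead keep a window of recently seen numbers, as IPsec's Authentication Header does later in these notes.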
In a network environment, there are three aspects of information security: attacks,
security mechanisms and security services. Authentication is a security service that
verifies the identity of the communicating terminals.
Kerberos is an authentication protocol. In Greek mythology Kerberos is a three-headed
dog that keeps intruders away from the gate of the underworld; the three heads represent
the three components used to guard the gate of the network: authentication, accounting
and audit.
REQUIREMENTS FOR KERBEROS:
Secure: a network eavesdropper should not be able to obtain the information needed to
impersonate a user.
Reliable: services that depend on Kerberos for access control are unavailable when
Kerberos is, so it must be highly reliable.
Transparent: beyond entering a password, the user should not be aware that
authentication is taking place.
Scalable: the system should support large numbers of clients and servers.
ELECTRONIC MAIL SECURITY:
Electronic mail is the only distributed application that is widely used across all
architectures and vendor platforms. Users expect to be able to, and do, send mail to
others who are connected directly or indirectly to the Internet, regardless of host
operating system or communications suite.
Two commonly used approaches to the security of electronic mail are PGP and S/MIME.
PRETTY GOOD PRIVACY (PGP):
PGP uses existing, well-studied cryptographic algorithms rather than new ones. The
original PGP was built on RSA (for key management and digital signatures), MD5 (for
message digests) and IDEA (for symmetric encryption); current OpenPGP implementations
use SHA-2 hashes and AES instead. PGP also supports text compression, secrecy and digital
signatures, and provides extensive key management.
CHARACTERISTICS OF PGP:
PGP is available free worldwide.
PGP runs on a variety of platforms, including Windows, UNIX and Macintosh.
The algorithms used were chosen from those considered extremely secure at the time;
MD5 is no longer considered collision resistant, which is why later versions replaced it.
A PGP operation involves five services: authentication (a digital signature over the
hash of the message), confidentiality (symmetric encryption under a one-time session key,
which is itself encrypted with the recipient's public key), compression, e-mail
compatibility (radix-64 conversion of the binary output) and segmentation of long
messages.
S/MIME (Secure/Multipurpose Internet Mail Extensions):
S/MIME is a security enhancement to the MIME Internet e-mail format standard, based on
technology from RSA Data Security. PGP is the usual choice for personal e-mail security
of individual users, while S/MIME has emerged as the industry standard for commercial
and organizational use.
Similar to PGP, S/MIME provides digital signatures and encryption of e-mail
messages. S/MIME provides the following functions:
Enveloped data: encrypted content, plus the content-encryption key encrypted for each
recipient.
Signed data: a digital signature over the message digest, with content and signature
base64-encoded.
Clear-signed data: only the signature is encoded, so recipients without S/MIME can
still read the message.
Signed and enveloped data: signed data may be enveloped, and enveloped data signed.
S/MIME uses the following cryptographic algorithms:
Digital Signature Standard (DSS) for signatures.
Diffie-Hellman for encrypting the symmetric session keys.
RSA for either digital signatures or encryption of session keys.
Triple DES (3DES) for symmetric content encryption. Later revisions of S/MIME
(RFC 8551) add AES and SHA-256.
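Both PGP (the five services above) and S/MIME's signed and enveloped data follow the same structure: sign, compress, encrypt under a one-time session key, then encrypt that session key with the recipient's public key. The following is an added example in Go of that structure; it is not code from PGP, OpenPGP or any S/MIME implementation. It substitutes modern primitives (RSA-PSS with SHA-256 for the signature, zlib/DEFLATE for compression, AES-128-GCM for the session-key encryption, RSA-OAEP to wrap the session key) for the RSA/MD5/IDEA and DSS/3DES named in the text, does no radix-64 conversion or segmentation, and its message and key pairs are constructed for the demo.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Envelope is what is transmitted: the one-time session key encrypted for the
// recipient, and the signed, compressed message encrypted under that key.
type Envelope struct {
	WrappedKey []byte // 128-bit AES session key under RSA-OAEP to the recipient
	Nonce      []byte
	Ciphertext []byte // AES-GCM over zlib(len(sig) || sig || message)
}

// Seal follows PGP's order of operations: sign, compress, encrypt, wrap the key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (Envelope, error) {
	// 1. Authentication: sign the SHA-256 digest of the plaintext. Signing before
	//    compressing lets the signature be verified later on the stored plaintext.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	var signed bytes.Buffer
	var sigLen [2]byte
	binary.BigEndian.PutUint16(sigLen[:], uint16(len(sig)))
	signed.Write(sigLen[:])
	signed.Write(sig)
	signed.Write(msg)
	// 2. Compression before encryption (PGP's ZIP option is DEFLATE, which zlib wraps).
	var compressed bytes.Buffer
	zw := zlib.NewWriter(&compressed)
	zw.Write(signed.Bytes())
	zw.Close()
	// 3. Confidentiality: fresh symmetric session key, used for this one message.
	sessionKey := make([]byte, 16)
	rand.Read(sessionKey)
	block, _ := aes.NewCipher(sessionKey) // key length is fixed above, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, compressed.Bytes(), nil)
	// 4. Key management: only the recipient's private key can recover the session key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal: unwrap the key, decrypt, decompress, verify the signature.
func Open(env Envelope, recipPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipPriv, env.WrappedKey, nil)
	if err != nil || len(sessionKey) != 16 || len(env.Nonce) != 12 { // 12: standard GCM nonce
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	compressed, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext modified in transit or wrong key")
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	signed, err := io.ReadAll(zr)
	if err != nil || len(signed) < 2 || len(signed) < 2+int(binary.BigEndian.Uint16(signed)) {
		return nil, errors.New("truncated signed block")
	}
	n := int(binary.BigEndian.Uint16(signed))
	sig, msg := signed[2:2+n], signed[2+n:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify: sender not authenticated")
	}
	return msg, nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key pair
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed recipient key pair
	env, _ := Seal([]byte("meet at noon, bring the report"), alice, &bob.PublicKey)
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%q %v\n", msg, err)
}
```

The order matters: signing first binds the sender to the plaintext and keeps the signature itself confidential, whereas encrypting first and signing the ciphertext would let anyone strip and replace the signature on an intercepted message.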
IP SECURITY:
IP-level security can ensure secure networking not only for applications that have their
own security mechanisms but also for the many security-ignorant applications. IP security
(IPsec) is a capability that can be added to either current version of the Internet
Protocol (IPv4 or IPv6) by means of additional headers, for secure communication across
a LAN, a WAN and the Internet.
APPLICATIONS OF IPsec:
1. SECURE CONNECTIVITY OVER THE INTERNET:
A virtual private network (VPN) can be established over the internet. This reduces
cost of private networks and network management overheads.
2. SECURE REMOTE ACCESS OVER THE INTERNET:
With IPsec, an end user whose system is equipped with IPsec can make a secure connection
to a company network over the Internet.
3. EXTRANET AND INTRANET CONNECTIVITY:
With IPsec, secure communication with other organizations is possible: IPsec ensures
authentication and confidentiality and provides a key exchange mechanism.
4. ENHANCED ELECTRONIC-COMMERCE SECURITY:
Use of IPsec enhances the security of electronic commerce applications, even those that
already have their own application-layer security protocols.
IP SECURITY ARCHITECTURE:
The IPsec architecture is specified in a set of documents covering the following
aspects; the ESP and AH protocols are the two protocol documents shown in the figure.
ARCHITECTURE: Covers the general concepts, security requirements, definitions and
mechanisms defining IPsec technology.
ENCAPSULATING SECURITY PAYLOAD (ESP): Covers the packet format and general issues
related to the use of ESP for packet encryption and, optionally, authentication.
AUTHENTICATION HEADER (AH): Covers the packet format and general issues related to the
use of AH for packet authentication.
ENCRYPTION ALGORITHM: Describes how the various encryption algorithms are used for ESP.
AUTHENTICATION ALGORITHM: Describes how the various authentication (MAC) algorithms are
used for AH and for the authentication option of ESP.
KEY MANAGEMENT: Key management schemes.
DOMAIN OF INTERPRETATION (DOI): Contains the values needed for the other documents to
relate to each other, such as identifiers for approved algorithms and operational
parameters like key lifetime.
SERVICES PROVIDED BY IPsec:
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality
A security association (SA) is a one-way relationship between sender and receiver that
defines the security services applied to the traffic carried on it. An SA is uniquely
identified by three parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifiers.
The Authentication Header provides support for data integrity and authentication of IP
packets. The data integrity service ensures that the contents of an IP packet are not
altered in transit. Authentication also prevents IP spoofing attacks, because a packet is
accepted only if it carries a valid MAC computed with the key of the security
association. Authentication is based on the use of a message authentication code (MAC),
so the two parties must share a secret key. The Authentication Header format is shown in
the figure; its fields, at bit offsets 0, 8, 16 and 31, are laid out as follows:
Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
Security Parameters Index (SPI) (32 bits)
Sequence Number (32 bits)
Authentication Data (variable; an integral number of 32-bit words)
1. NEXT HEADER: An 8-bit field that identifies the type of header immediately
following the AH (for example 6 for TCP or 17 for UDP).
2. PAYLOAD LENGTH: The length of the AH in 32-bit words, minus 2. Suppose the
authentication data field is 96 bits (three 32-bit words) and the fixed header is three
words; then the AH is six words in total and this field contains the value 4.
3. RESERVED: 16 bits reserved for future use; set to zero.
4. SPI: A 32-bit value used in combination with the destination address and the IPsec
protocol in use (AH or ESP) to uniquely identify the security association for the
traffic to which a datagram belongs.
5. SEQUENCE NUMBER: A monotonically increasing 32-bit counter used to prevent replay
attacks.
6. AUTHENTICATION DATA: A variable-length field, also called the integrity check value
(ICV) for the datagram. This value is the MAC used for authentication and integrity;
with HMAC-SHA1-96 it is 96 bits, the three words of the example above.
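The header layout, the payload-length arithmetic and the SA lookup by (SPI, destination address, protocol) described in this section and in the security association section above, as an added example in Go that is not part of the original notes. It assumes HMAC-SHA1-96 (the 96-bit ICV of the worked example, RFC 2404), an IPv4 destination address, and the 64-packet sliding anti-replay window of RFC 4302; it computes the ICV over the AH and payload only, leaving out the immutable outer-IP-header fields a real implementation also covers. The SA key, destination address and payload are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 12 // HMAC-SHA1-96 (RFC 2404): a 96-bit ICV, the three words of the text's example

// SAKey is the triple that selects an inbound security association.
type SAKey struct {
	SPI   uint32
	Dst   [4]byte // IPv4 destination address of the packet
	Proto uint8   // IP protocol number: 51 for AH, 50 for ESP
}

// SA is the receiver-side state of one association: MAC key and anti-replay window.
type SA struct {
	AuthKey []byte
	highest uint32 // highest sequence number accepted so far
	window  uint64 // bit i set: sequence number highest-i already accepted
}

type AH struct {
	NextHeader uint8
	PayloadLen uint8 // length of the AH in 32-bit words, minus 2
	SPI        uint32
	Seq        uint32
	ICV        []byte
}

// ahICV is the MAC over the three fixed words, a zeroed ICV field, and the payload
// (real AH also covers the immutable fields of the outer IP header, omitted here).
func ahICV(key, fixedHdr, payload []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(fixedHdr)
	m.Write(make([]byte, icvLen)) // the ICV field counts as zero while it is computed
	m.Write(payload)
	return m.Sum(nil)[:icvLen]
}

// BuildAH prepends an Authentication Header to payload.
func BuildAH(key []byte, nextHeader uint8, spi, seq uint32, payload []byte) []byte {
	hdr := make([]byte, 12+icvLen)     // 3 fixed words + 3 ICV words = 6 words
	hdr[0] = nextHeader
	hdr[1] = uint8((12+icvLen)/4 - 2) // 6 - 2 = 4, the value worked out in the text
	binary.BigEndian.PutUint32(hdr[4:8], spi)
	binary.BigEndian.PutUint32(hdr[8:12], seq)
	copy(hdr[12:], ahICV(key, hdr[:12], payload))
	return append(hdr, payload...)
}

// Inbound parses the AH, selects the SA by (SPI, destination, protocol), verifies
// the ICV, then applies the 64-packet sliding anti-replay window of RFC 4302.
func Inbound(sadb map[SAKey]*SA, dst [4]byte, pkt []byte) (AH, []byte, error) {
	if len(pkt) < 12 || len(pkt) < (int(pkt[1])+2)*4 {
		return AH{}, nil, errors.New("packet shorter than its AH claims")
	}
	ahLen := (int(pkt[1]) + 2) * 4
	ah := AH{NextHeader: pkt[0], PayloadLen: pkt[1], SPI: binary.BigEndian.Uint32(pkt[4:8]),
		Seq: binary.BigEndian.Uint32(pkt[8:12]), ICV: pkt[12:ahLen]}
	payload := pkt[ahLen:]
	sa, ok := sadb[SAKey{SPI: ah.SPI, Dst: dst, Proto: 51}]
	if !ok {
		return ah, nil, errors.New("no SA for this SPI/destination/AH: discard")
	}
	if len(ah.ICV) != icvLen || !hmac.Equal(ah.ICV, ahICV(sa.AuthKey, pkt[:12], payload)) {
		return ah, nil, errors.New("ICV mismatch: packet modified, forged or spoofed")
	}
	if ah.Seq > sa.highest { // newer than anything seen: slide the window forward
		if shift := uint64(ah.Seq - sa.highest); shift < 64 {
			sa.window <<= shift
		} else {
			sa.window = 0
		}
		sa.window |= 1
		sa.highest = ah.Seq
		return ah, payload, nil
	}
	if sa.highest-ah.Seq >= 64 {
		return ah, nil, errors.New("sequence number older than the window: discard")
	}
	bit := uint64(1) << (sa.highest - ah.Seq) // inside the window: accept only once
	if sa.window&bit != 0 {
		return ah, nil, errors.New("replayed packet: discard")
	}
	sa.window |= bit
	return ah, payload, nil
}

func main() {
	key, dst := []byte("constructed-ah-key"), [4]byte{10, 0, 0, 2} // constructed SA parameters
	sadb := map[SAKey]*SA{{SPI: 0x1001, Dst: dst, Proto: 51}: {AuthKey: key}}
	pkt := BuildAH(key, 6, 0x1001, 1, []byte("constructed TCP segment"))
	_, _, first := Inbound(sadb, dst, pkt)
	_, _, again := Inbound(sadb, dst, pkt)
	fmt.Println("first delivery:", first, "| same packet again:", again)
}
```

Unlike the strict ordering a connection-oriented application can demand, IP may reorder packets, so the window accepts a late packet once as long as it is newer than the window's lower edge; anything older, or already marked in the window, is discarded before any further processing.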
WEB SECURITY:
Virtually all businesses, most government agencies, and many individuals now
have Web sites. The number of individuals and companies with Internet access is
expanding rapidly, and all of these have graphical web browsers. As a result, businesses
are enthusiastic about setting up facilities on the web for electronic commerce.
SECURE SOCKET LAYER (SSL):
SSL is an Internet protocol for the secure exchange of information between a web
browser and a web server. SSL is designed to make use of TCP to provide a reliable
end-to-end secure service. It offers SSL server authentication, allowing a user to
confirm a server's identity, and SSL client authentication, allowing a server to confirm
a user's identity; both rest on X.509 certificates checked against a trusted certificate
authority. SSL has since been standardized by the IETF as Transport Layer Security
(TLS), which keeps the same design.
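Server authentication and client authentication as described above, as an added example in Go that is not part of the original notes; it uses Go's crypto/tls (TLS, the standardized successor of SSL) rather than the original SSL protocol. It builds two self-signed certificates for the constructed names server.example and client.example, each acting as its own trust anchor, runs four handshakes over a loopback TCP connection, and reports which side rejected the peer in the two failing cases.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustIdentity makes a self-signed certificate for name plus a pool holding only it,
// so one value serves both as the entity's certificate and as the CA its peer trusts.
func mustIdentity(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // demo setup only
	}
	parsed, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Handshake runs one TLS handshake over a loopback TCP connection and reports what
// each side concluded; a failed check is an error on the side that performed it.
func Handshake(serverCfg, clientCfg *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		done <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr = tls.Client(raw, clientCfg).Handshake()
	return clientErr, <-done
}

type Result struct {
	Name               string
	ClientOK, ServerOK bool
}

// Scenarios runs server authentication and client authentication, each once as it
// should succeed and once as it should fail.
func Scenarios() []Result {
	serverCert, serverPool := mustIdentity("server.example") // constructed names, not real hosts
	clientCert, clientPool := mustIdentity("client.example")
	serverOnly := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	mutual := &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientPool}
	trusting := &tls.Config{RootCAs: serverPool, ServerName: "server.example"}
	untrusting := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "server.example"}
	withCert := &tls.Config{RootCAs: serverPool, ServerName: "server.example",
		Certificates: []tls.Certificate{clientCert}}
	cases := []struct {
		name string
		s, c *tls.Config
	}{
		{"server auth: client trusts the server's issuer", serverOnly, trusting},
		{"server auth: client does not trust the issuer", serverOnly, untrusting},
		{"client auth: client presents a certificate", mutual, withCert},
		{"client auth: client presents no certificate", mutual, trusting},
	}
	var out []Result
	for _, c := range cases {
		ce, se := Handshake(c.s, c.c)
		out = append(out, Result{c.name, ce == nil, se == nil})
	}
	return out
}

func main() {
	for _, r := range Scenarios() {
		fmt.Printf("%-48s client ok=%-5v server ok=%v\n", r.Name, r.ClientOK, r.ServerOK)
	}
}
```

The two failing cases are detected on different sides: a client that does not trust the server's issuer aborts the handshake itself, whereas a missing client certificate is detected by the server. Under TLS 1.3 the client may already consider its handshake complete before the server's rejection arrives, so an application learns of it only on its first read or write.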
SECURE ELECTRONIC TRANSACTION (SET):
SET is an open encryption and security specification designed to protect credit
card transactions on the Internet. SET is not itself a payment system. Rather it is a set of
security protocols and formats that enables users to employ the existing credit card
payment infrastructure on an open network, such as the Internet in secure fashion.
SERVICES BY SET:
SET provides a secure communication channel among all parties.
Provides trust by using X.509v3 digital certificates.
FEATURES OF SET:
Confidentiality of information.
Integrity of data.
Account authentication of card holder.
Thus, the basic issues to be addressed by a network security capability have been
explored by providing a tutorial on network security technology. There is increasing
interest in providing authentication and confidentiality services as part of an
electronic mail facility. IP security is transparent to applications: no upper-level
software is affected when it is implemented. It can provide adequate security for
individual users and can help create a secure virtual subnetwork within an
organization. In web security, the explosive growth in the use of the World Wide Web
for electronic commerce and to disseminate information has generated the need for strong