Network Security 2 v2

The document discusses network security and various cryptographic techniques used to secure communications over networks. It covers symmetric and asymmetric encryption algorithms like AES, RSA and their working. It also explains different types of attacks on networks and security measures to prevent them.

Uploaded by

amjad tamish

Network 2

CH 8 : Security in Computer Networks

Done by : Eng.Heba Alenzi Whatsapp: 52225912 Page 1


What is Network Security:
Network security is the set of policies and procedures implemented by a network
administrator to prevent and monitor unauthorized access, misuse, modification,
or denial of the network and its resources.

Properties of secure communication:

1. Confidentiality: only the sender and the intended receiver should be able to
understand the contents of the transmitted message. This means the message must be
encrypted using cryptographic techniques.

2. Message integrity: the content of the message must not be altered in transit, either
maliciously or by accident. This is achieved using checksumming techniques, as in the
data link protocols, extended with message integrity techniques.

3. End-point authentication (authentication): both the sender and the receiver should
be able to confirm the identity of the other party involved in the communication, that is,
to confirm that the other party is indeed who or what they claim to be.

4. Operational security: almost all organizations (companies, universities, and so on)
today have networks attached to the public Internet, which means an attacker can
attempt to attack the organization and obtain corporate secrets. Operational security
devices such as firewalls and intrusion detection systems address this.

5. Access and availability: services must be accessible and available to users.

There are four types of attacks:

1. Eavesdropping: intercepting messages (spying).
2. Impersonation: faking (spoofing) the source address in a packet (or any field in the packet).
3. Hijacking: "taking over" an ongoing connection by removing the sender or receiver and
inserting oneself in their place.
4. Denial of service: preventing a service from being used by others (e.g., by overloading
its resources).




• An intruder (attacker) can:
1. Eavesdrop: sniff and record control and data messages on the channel.
2. Modify, insert, or delete messages or message content.


Principles of Cryptography:
• Cryptography is the science of encrypting and decrypting data.
• Cryptographic techniques allow a sender to disguise data so that an intruder can
gain no information from the intercepted data. The receiver, of course, must be able
to recover the original data from the disguised data. Figure 8.2 illustrates some of the
important terminology.
• Encryption: the process of converting plaintext into ciphertext, which makes it unreadable.
• Decryption: the process of converting ciphertext back into plaintext.

[Figure 8.2: the plaintext m (cleartext) is encrypted with Alice's key KA to give KA(m).]



NOTE that the encryption technique (algorithm) itself is known, published,
standardized, and available to everyone; it is even available to the intruder! That is why
we need a key.
In Figure 8.2, Alice provides a key, KA, a string of numbers or characters, as input to
the encryption algorithm. The encryption algorithm takes the key and the plaintext
message, m, as input and produces ciphertext as output. The notation KA(m) refers to
the ciphertext form (encrypted using the key KA) of the plaintext message, m.

Bob provides a key, KB, to the decryption algorithm, which takes the ciphertext and
Bob's key as input and produces the original plaintext as output. That is, if Bob receives
an encrypted message KA(m), he decrypts it by computing KB(KA(m)) = m.

• Symmetric Key Cryptography:

• Symmetric key cryptography is also known as a secret-key (private-key) system.
• In a symmetric key system both keys are identical and secret, which means that the
same key is used for encryption and decryption.
• Symmetric key systems are used for bulk encryption because they are fast and have few
computational requirements.
• Common symmetric algorithms: DES, 3DES, AES and RC4.

DES: Data Encryption Standard
AES: Advanced Encryption Standard
RC4: Rivest Cipher 4

Before studying a modern key-based cryptographic system, we will study a very old,
very simple symmetric key algorithm known as the Caesar cipher.



Example of Caesar Cipher:
Encrypt the following phrase: ROOT Security, using the Caesar cipher with k = 4.

Cipher = VSSX WIGYVMXC

• Mono-alphabetic Cipher:
- An improvement on the Caesar cipher is the mono-alphabetic cipher, which also
substitutes one letter of the alphabet with another letter of the alphabet.
- In a mono-alphabetic cipher the alphabet is rearranged in a random way (any
permutation of the letters, not just a shift).
- A mono-alphabetic cipher would also appear to be better than the Caesar cipher in
that there are 26! possible pairings of letters rather than 25 possible pairings.
Mono-alphabetic cipher steps:
1. First create the substitution table (it is given by the instructor).
2. Then encrypt letter by letter using the table.



Example of Mono-alphabetic Cipher:
Encrypt the following phrase: ROOT Security, using the mono-alphabetic table below.

• R → O
• O → K
• O → K
• T → U
• S → I
• E → C
• C → B
• U → Y
• R → O
• I → S
• T → U
• Y → W
Cipher = OKKU ICBYOSUW



• Affine cipher:
A type of mono-alphabetic substitution cipher: each letter in the alphabet is mapped
to its numeric equivalent, encrypted using a simple mathematical function, and
converted back to a letter.
The affine cipher algorithm (q = size of the alphabet, 26 for English):
• Encryption: C = (a*m + b) mod q
• Decryption: m = a^-1 * (C - b) mod q, where a^-1 is the inverse of a modulo q (so a must
share no factor with q, otherwise the inverse does not exist)
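A worked implementation of the Caesar cipher (checking the k = 4 answer above) and of the affine formulas, added here as an example and not part of the original notes; the affine key a = 5, b = 8 is a constructed sample, and the brute-force helper shows why a 25-key space gives no real protection.

```python
# Added example (not from the original notes): Caesar and affine ciphers over the
# 26-letter alphabet, with the notes' "ROOT Security", k = 4 case worked through.
from math import gcd
from string import ascii_uppercase as ALPHABET

Q = len(ALPHABET)  # q = 26, the alphabet size in the affine formulas


def caesar_encrypt(text: str, k: int) -> str:
    """Shift every letter k places; non-letters (spaces, digits) pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % Q])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(cipher: str, k: int) -> str:
    """Decryption is just the shift in the other direction."""
    return caesar_encrypt(cipher, -k)


def caesar_brute_force(cipher: str) -> dict:
    """All 25 candidate plaintexts: the entire key space of the Caesar cipher."""
    return {k: caesar_decrypt(cipher, k) for k in range(1, Q)}


def affine_encrypt(text: str, a: int, b: int) -> str:
    """C = (a*m + b) mod q. 'a' must be coprime with q so that a^-1 exists."""
    if gcd(a, Q) != 1:
        raise ValueError(f"a={a} has no inverse mod {Q}; choose a coprime with {Q}")
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            m = ALPHABET.index(ch)
            out.append(ALPHABET[(a * m + b) % Q])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(cipher: str, a: int, b: int) -> str:
    """m = a^-1 * (C - b) mod q, using Python's built-in modular inverse."""
    a_inv = pow(a, -1, Q)  # raises ValueError if a is not invertible mod q
    out = []
    for ch in cipher.upper():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(a_inv * (c - b)) % Q])
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(caesar_encrypt("ROOT Security", 4))           # VSSX WIGYVMXC
    ct = affine_encrypt("ROOT Security", 5, 8)          # constructed key a=5, b=8
    print(ct, affine_decrypt(ct, 5, 8))
    for k, guess in caesar_brute_force("VSSX WIGYVMXC").items():
        print(k, guess)                                  # k=4 reads ROOT SECURITY
```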



Polyalphabetic encryption:
Example of Polyalphabetic Cipher:
Encrypt the following phrase: ROOT Security, using a polyalphabetic cipher with the two
ciphers C1 and C2 applied in the repeating pattern C1, C2, C2, C1, C2.

Plaintext:    R  O  O  T  S  E  C  U  R  I  T  Y
Cipher used:  C1 C2 C2 C1 C2 C1 C2 C2 C1 C2 C1 C2
Ciphertext:   W  H  H  Y  L  J  V  N  K  B  Y  R

Cipher = WHHY LJVNKBYR

• Block Ciphers:
There are two types of symmetric encryption algorithms:

1. Block algorithms: set lengths of bits are encrypted in blocks of electronic data
with the use of a specific secret key. As the data is being encrypted, the system
holds the data in its memory while it waits for complete blocks.

2. Stream algorithms: data is encrypted as it streams instead of being retained in the
system's memory. Stream ciphers are used, for example, in wireless LAN security.

• Block ciphers are used in many secure Internet protocols, including PGP (for
secure e-mail), SSL (for securing TCP connections), and IPsec (for securing the
network-layer transport).



• Today there are a number of popular block ciphers, including DES (standing for
Data Encryption Standard), 3DES, and AES (standing for Advanced Encryption
Standard).

Algorithm   Key size            Block size   Number of rounds
DES         56 bit              64 bit       16
3DES        56 bit * 3          64 bit       16
AES         128, 192, 256 bit   128 bit      10, 12, 14

NOTE: the bigger the key, the more secure you are (a brute-force search has to try
more keys).

• Mode of operation (cipher mode):

There is a problem with a plain block cipher: identical plaintext blocks would in some
cases produce identical ciphertext blocks. An attacker could potentially guess the cleartext
when it sees identical ciphertext blocks, and may even be able to decrypt the entire
message by identifying identical ciphertext blocks and using knowledge about the
underlying protocol structure.

The solution is to use CBC (Cipher Block Chaining).

Before encrypting the message (or the stream of data), the sender generates a random
k-bit string, called the Initialization Vector (IV).
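The identical-block problem and how CBC's IV fixes it, as an added example that is not from the notes: the toy block function and the key are constructed stand-ins (an invertible block transform, not a real cipher), so the mode logic, not the block function, is the point.

```python
# Added example (not from the original notes): ECB leaks repeated plaintext blocks,
# CBC with a random IV hides them. The block function below is a deliberately TOY
# permutation so the chaining is visible; it is NOT secure. Use AES in real code.
import os
from typing import List, Optional

BLOCK = 8  # toy block size in bytes (AES uses 16)


def _rotl(x: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """TOY invertible block transform (not a cipher): XOR key, rotate bits, reverse bytes."""
    assert len(key) == BLOCK and len(block) == BLOCK
    return bytes(_rotl(b ^ k, 3) for b, k in zip(block, key))[::-1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Exact inverse of toy_block_encrypt."""
    return bytes(_rotl(b, 5) ^ k for b, k in zip(block[::-1], key))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_encrypt(key, p) for p in _blocks(plaintext))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """C_i = E(P_i XOR C_{i-1}) with C_0 = IV; the random IV is prepended in the clear."""
    if iv is None:
        iv = os.urandom(BLOCK)          # fresh random IV for every message
    prev, out = iv, [iv]
    for p in _blocks(plaintext):
        prev = toy_block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """P_i = D(C_i) XOR C_{i-1}; the first block of the input is the IV."""
    chunks = _blocks(ciphertext)
    return b"".join(_xor(toy_block_decrypt(key, c), prev)
                    for prev, c in zip(chunks, chunks[1:]))


def distinct_blocks(ciphertext: bytes) -> int:
    """How many different ciphertext blocks appear (1 means the repetition leaked)."""
    return len(set(_blocks(ciphertext)))


if __name__ == "__main__":
    key = bytes(range(1, 9))                 # constructed toy key
    msg = b"SAMEBLOK" * 3                    # three identical plaintext blocks
    print(distinct_blocks(ecb_encrypt(key, msg)))            # 1: pattern visible
    ct = cbc_encrypt(key, msg)
    print(distinct_blocks(ct[BLOCK:]))                       # 3: pattern hidden
    print(cbc_decrypt(key, ct) == msg)                       # True
```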




• Asymmetric Key (Public-key) Cryptography:
• Asymmetric encryption uses a key pair.
• One party generates TWO keys: a public key and a private key.
• The public key is given to anyone and is used for encryption.
• The private key is kept by its owner and is used for decryption.
• We use this kind of encryption for key exchange.

• RSA (Ron Rivest, Adi Shamir, and Leonard Adleman):

• RSA is an asymmetric algorithm used by modern computers to encrypt and decrypt
messages. Asymmetric means that there are two different keys (a key pair). This is also
called public key cryptography, because one of the keys, the public key, can be given to
anyone. The other key must be kept private.
• The public key is used for encryption and the private key is used for decryption.
• p and q have to be large prime numbers; the larger the values, the more difficult it is
to break RSA.
To encode we use: c = m^e mod n, where m = plaintext and n = p*q.
To decode we use: m = c^d mod n, where



Example: assume the following parameters: p = 3, q = 11, e = 7, d = 3. Apply and
show the details of encryption and decryption for M = 8.

Answer:

Encode: c = 8^7 mod (3*11) = 8^7 mod 33 = 2
Decode: m = 2^3 mod (3*11) = 8 mod 33 = 8

How is RSA used in practice?

RSA is often used in practice in combination with symmetric key cryptography:

1. First the sender chooses a key that will be used to encode the data itself; this key is
referred to as a session key and is denoted by KS.

2. The sender must inform the receiver of the session key, since this is the shared symmetric
key they will use with a symmetric key cipher (e.g., DES or AES).

3. The sender encrypts the session key using the receiver's public key, that is, computes
c = (KS)^e mod n. The receiver receives the RSA-encrypted session key, c, and decrypts it
to obtain the session key, KS. The receiver now knows the session key that the sender will
use for the encrypted data transfer.

We combine symmetric and asymmetric cryptography in this way because symmetric
encryption is fast and handles large amounts of data easily, whereas asymmetric
encryption is slow.
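The RSA example above (p = 3, q = 11, e = 7, d = 3, M = 8) and the session-key exchange in steps 1 to 3, worked in code as an added example that is not from the notes; the session key value 21 and the XOR stand-in for the symmetric cipher are constructed assumptions.

```python
# Added example (not from the original notes): textbook RSA with the notes' parameters
# (p=3, q=11, e=7 gives d=3; M=8 encrypts to 2) plus the hybrid "wrap the session key"
# pattern. The tiny numbers only check the arithmetic; real RSA uses 2048-bit moduli
# and padding such as OAEP, neither of which is shown here.
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) for primes p, q and a public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # d * e = 1 (mod phi)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    """c = m^e mod n; the message must be an integer smaller than n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    """m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


# --- hybrid use: RSA protects the symmetric session key, the session key protects data ---

def xor_stream(data: bytes, key_byte: int) -> bytes:
    """Constructed stand-in for the symmetric cipher (DES/AES in the notes); toy only."""
    return bytes(b ^ key_byte for b in data)


def send_hybrid(data: bytes, ks: int, receiver_pub):
    """Sender (step 3): c = (KS)^e mod n, and the data encrypted under KS."""
    return rsa_encrypt(ks, receiver_pub), xor_stream(data, ks)


def receive_hybrid(wrapped_ks: int, body: bytes, receiver_priv) -> bytes:
    """Receiver: recover KS with the private key, then decrypt the body with KS."""
    ks = rsa_decrypt(wrapped_ks, receiver_priv)
    return xor_stream(body, ks)


if __name__ == "__main__":
    pub, priv = rsa_keygen(3, 11, 7)
    print(pub, priv)                            # (7, 33) (3, 33): d = 3 as in the notes
    c = rsa_encrypt(8, pub)
    print(c, rsa_decrypt(c, priv))              # 2 8
    wrapped, body = send_hybrid(b"hello bob", 21, pub)   # constructed session key 21
    print(wrapped, receive_hybrid(wrapped, body, priv))
```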



Message Integrity and Digital Signatures:
• Message integrity (also known as message authentication). Along with message
integrity, we will discuss two related topics in this section: digital signatures and
end-point authentication.

• A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software or digital document.

• End-point authentication is a security mechanism designed to ensure that only
authorized devices can connect to a given network, site or service.

• Cryptographic Hash Functions:

- A hash function takes an input (m) and computes a fixed-size string H(m) known as
a hash. The Internet checksum (Chapter 3) and CRCs (Chapter 4) meet this
definition.
- A hash function does not encrypt; instead it provides integrity of the data.
- A hash is a one-way function; encryption, on the other hand, is a two-way function.
- The input to the hash function is of arbitrary length, but the output is always of fixed
length.
- Values returned by a hash function are called message digests or simply hash values.
- There are two main hash function families: MD5 and SHA.
- The longer output length makes SHA-1 more secure than MD5.

Hash function   Stands for                Output length in bits
MD5             Message Digest 5          128-bit hash
SHA-1           Secure Hash Algorithm 1   160-bit hash
SHA-2           Secure Hash Algorithm 2   224, 256, 384 or 512 bits



• MD5 hash function

The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically
represented as a sequence of 32 hexadecimal digits.

Example:
MD5("The quick brown fox jumps over the lazy dog") =
9e107d9d372bb6826bd81d3542a419d6

• MD5 computes a 128-bit message digest in a 4-step process:

1. Padding step.
2. Append step.
3. Initialization of an accumulator.
4. Final looping step.




• Steps in designing message integrity:
To perform message integrity, in addition to using cryptographic hash functions, Alice
and Bob will need a shared secret (s). This shared secret, which is nothing more than
a string of bits, is called the authentication key. Using this shared secret, message
integrity can be performed as follows:

1. Alice creates message m, concatenates s with m to create m + s, and calculates
the hash H(m + s) (for example with SHA-1). H(m + s) is called the message
authentication code (MAC).

2. Alice then appends the MAC to the message m, creating an extended message
(m, H(m + s)), and sends the extended message to Bob.

3. Bob receives an extended message (m, h) and, knowing s, calculates the MAC
H(m + s). If H(m + s) = h, Bob concludes that everything is fine.




• HMAC:
• Hashed Message Authentication Codes are used to determine whether a message has
changed during transmission.

• When you combine a secret key with the cryptographic hash function, the MAC becomes
an HMAC, and you also have the ability to determine authenticity in addition to integrity.
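The three MAC steps above and the HMAC variant in code, as an added example not taken from the notes; the shared secret and messages are constructed, and HMAC-SHA256 via Python's hmac module is the standard construction (RFC 2104), not one the notes specify.

```python
# Added example (not from the original notes): the notes' MAC = H(m + s) with SHA-1,
# a standard HMAC-SHA256 for comparison, and Bob's check done with a constant-time
# comparison. The key and messages are constructed sample values.
import hashlib
import hmac

SHARED_SECRET = b"authentication-key-known-to-alice-and-bob"   # constructed s


def naive_mac(m: bytes, s: bytes) -> bytes:
    """Step 1: hash the message with the shared secret appended, H(m + s)."""
    return hashlib.sha1(m + s).digest()


def send_naive(m: bytes, s: bytes = SHARED_SECRET):
    """Step 2, Alice's side: the extended message (m, H(m + s))."""
    return m, naive_mac(m, s)


def verify_naive(m: bytes, h: bytes, s: bytes = SHARED_SECRET) -> bool:
    """Step 3, Bob's side: recompute H(m + s) and compare without leaking timing."""
    return hmac.compare_digest(naive_mac(m, s), h)


def hmac_tag(m: bytes, s: bytes = SHARED_SECRET) -> bytes:
    """Standard HMAC with SHA-256: the keyed construction used in practice."""
    return hmac.new(s, m, hashlib.sha256).digest()


def verify_hmac(m: bytes, tag: bytes, s: bytes = SHARED_SECRET) -> bool:
    return hmac.compare_digest(hmac_tag(m, s), tag)


def tamper(m: bytes) -> bytes:
    """Flip one bit of the message to simulate modification in transit."""
    return bytes([m[0] ^ 0x01]) + m[1:]


if __name__ == "__main__":
    m, h = send_naive(b"transfer 100 to bob")
    print(verify_naive(m, h))               # True: message and MAC agree
    print(verify_naive(tamper(m), h))       # False: integrity check fails
    tag = hmac_tag(m)
    print(verify_hmac(m, tag))              # True
    print(verify_hmac(m, hmac_tag(m, b"wrong key")))   # False: no shared secret
```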

• Internet checksum: a poor cryptographic hash function:

We consider a checksum a form of hashing because it has the same basic property: it
always gives a fixed-size output. It is, however, easy to find a different message with the
same checksum, so it is a poor cryptographic hash function.



• Digital Signature:
• A digital signature is a cryptographic technique to indicate the owner or creator of a
document, or to signify one's agreement with a document's content.

• Process of making a digital signature:



But this way alone is still not secure! That is why we need a certificate from a trusted third party (PKI).



• Difference between a MAC and a digital signature:
• Both digital signatures and MACs start with a message (or a document).

• To create a MAC out of the message, we append an authentication key to the message
and then take the hash of the result. Note that neither public key nor symmetric key
encryption is involved in creating the MAC.

• To create a digital signature, we first take the hash of the message and then encrypt
that hash with our private key (using public key cryptography). Thus, a digital signature is a
"heavier" technique, since it requires an underlying Public Key Infrastructure (PKI) with
certification authorities.

• Public Key Certification:

• An important application of digital signatures is public key certification, that is, certifying
that a public key belongs to a specific entity.

• Public key certification is used in many popular secure networking protocols, including
IPsec and SSL.

The problem when the digital signature is used stand-alone:



The solution to the problem above is to bind a public key to a particular entity; this is typically
done by a Certification Authority (CA), whose job is to validate identities and issue certificates.

• The important fields in a certificate:

• End-Point Authentication:

• End-point authentication is the process of one entity proving its identity to another entity
over a computer network, for example, a user proving its identity to an e-mail server.

• Authentication protocol versions:

1. ap1.0
• Alice to Bob: "I am Alice"
• Problem: an intruder, "Trudy", can also send such a message.

2. ap2.0
• Authenticate the source IP address as being from Alice's machine.
• Problem: IP spoofing (sending IP packets with a false source address).

3. ap3.0 / use a secret password
• Alice to Bob: "I am Alice, here is my password" (e.g., telnet).
• Problem: Trudy can intercept Alice's password by sniffing packets.



4. ap3.1 / use encryption
• Use a symmetric key known to Alice and Bob.
• Alice and Bob (only) know the secret key for encryption/decryption.
• Problem, failure scenario: [playback attack] Trudy can intercept Alice's encrypted
message and masquerade as Alice at a later time by replaying it.

5. ap4.0 / use a sequence of passwords
• Pick a "once-in-a-lifetime-only" number (nonce) for each session.
• The use of a nonce and symmetric key cryptography forms the basis of ap4.0.
• BUT you have to know that a symmetric key means both ends have the same key to encrypt
and decrypt.

6. ap5.0 / use a sequence of passwords
• Motivation: ap4.0 requires a shared symmetric key.
• ap5.0 uses a nonce together with public key cryptography.
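The nonce exchange of ap4.0 with a replayed response (the ap3.1 playback attack) rejected, as an added example not from the notes; a keyed HMAC over the nonce stands in for encrypting the nonce with K_A-B, and the key and identities are constructed.

```python
# Added example (not from the original notes): ap4.0 challenge/response. Bob issues a
# fresh nonce R, Alice returns a keyed proof over R, and Bob accepts each nonce once,
# so a recorded response replayed later is rejected. An HMAC over the nonce replaces
# the notes' K_A-B(R); SHARED_KEY is a constructed value.
import hashlib
import hmac
import secrets

SHARED_KEY = b"k_ab-shared-between-alice-and-bob"   # constructed K_A-B


def prove(key: bytes, identity: str, r: bytes) -> bytes:
    """Alice: bind her claimed identity and Bob's nonce under the shared key."""
    return hmac.new(key, identity.encode() + b"|" + r, hashlib.sha256).digest()


class Verifier:
    """Bob: issues one nonce per session and never accepts the same nonce twice."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()      # nonces issued but not yet answered
        self._used = set()         # nonces already consumed (closes the ap3.1 replay hole)

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)          # "once-in-a-lifetime-only" number
        self._pending.add(r)
        return r

    def verify(self, claimed_id: str, r: bytes, response: bytes) -> bool:
        if r in self._used or r not in self._pending:
            return False                      # replayed or never issued: reject
        expected = prove(self._key, claimed_id, r)
        ok = hmac.compare_digest(expected, response)
        self._pending.discard(r)
        self._used.add(r)                     # consumed whether or not the proof was right
        return ok


def run_ap40_session(bob: "Verifier", alice_key: bytes = SHARED_KEY) -> bool:
    """One honest session: Bob challenges, Alice answers, Bob checks."""
    r = bob.challenge()
    return bob.verify("Alice", r, prove(alice_key, "Alice", r))


def run_replay(bob: "Verifier") -> tuple:
    """Trudy records Alice's (R, response) and plays it back later."""
    r = bob.challenge()
    recorded = prove(SHARED_KEY, "Alice", r)
    first = bob.verify("Alice", r, recorded)      # genuine Alice: accepted
    replayed = bob.verify("Alice", r, recorded)   # Trudy, later: rejected
    return first, replayed


if __name__ == "__main__":
    bob = Verifier(SHARED_KEY)
    print(run_ap40_session(bob))                   # True
    print(run_replay(bob))                         # (True, False)
    print(run_ap40_session(bob, b"trudy-guess"))   # False: Trudy lacks K_A-B
```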



Securing E-mail (PGP):

• Security services can be provided at any layer of the Internet protocol stack.

• When security is provided for a specific application-layer protocol, the application
using the protocol will enjoy one or more security services, such as confidentiality,
authentication, or integrity.

• When security is provided for a transport-layer protocol, all applications that use that
protocol enjoy the security services of the transport protocol.

• When security is provided at the network layer on a host-to-host basis, all transport-layer
segments enjoy the security services of the network layer.

• When security is provided at the link layer, the data in all frames traveling over
the link receive the security services of the link.

Layer               Security service
Application layer   secure e-mail (case study)
Transport layer     SSL protocol
Network layer       IPsec
Link layer          802.11 wireless LAN protocol

• When designing a secure e-mail system, we should consider these security features:
1. Confidentiality.
2. Sender authentication.
3. Message integrity.
4. Receiver authentication.



• Steps to design a secure e-mail that provides confidentiality:
1. Alice (sender) selects a random symmetric session key (KS).
2. She encrypts her message, m, with the symmetric key.
3. She encrypts the symmetric key with Bob's public key, KB+.
4. She concatenates the encrypted message and the encrypted symmetric key to form a
"package".
5. She sends the package to Bob's e-mail address (receiver).
6. When Bob receives the package, he (1) uses his private key, KB-, to obtain the
symmetric key KS, and (2) uses the symmetric key KS to decrypt the message m.

[Figure: the sender's side performs the concatenation; the receiver's side performs the
matching deconcatenation.]



• Steps to design a secure e-mail that provides both sender authentication and message
integrity:
1. Alice (1) applies a hash function, H (for example, MD5), to her message, m, to obtain a
message digest.
2. She signs the result of the hash function with her private key, KA-, to create a digital
signature.
3. She concatenates the original (unencrypted) message with the signature to create a package.
4. She sends the package to Bob's e-mail address.
5. When Bob receives the package, he (1) applies Alice's public key, KA+, to the signed
message digest and (2) compares the result of this operation with his own hash, H, of the
message.
6. As Figure 8.20 shows, if the two results are the same, Bob can be pretty confident that the
message came from Alice and is unaltered.

• Pretty Good Privacy (PGP):

• PGP is an e-mail encryption scheme.

• The PGP design includes:
1. MD5 or SHA for calculating the message hash.
2. CAST, triple-DES, or IDEA for symmetric key encryption.
3. RSA for the public key encryption (key exchange).



• Securing TCP Connections (SSL):
• Cryptography can enhance TCP with security services, including confidentiality,
data integrity, and end-point authentication.
• This enhanced version of TCP is commonly known as Secure Sockets Layer (SSL).
• A slightly modified version of SSL version 3 is called Transport Layer Security (TLS).
• SSL is often used to provide security to transactions that take place over HTTP.
• Because SSL secures TCP, it can be employed by any application that runs over TCP.
• SSL has three phases: handshake, key derivation, and data transfer.

1. Handshake Phase:
• Note that Bob sends Alice a hello message. Alice then responds with her certificate,
which contains her public key for encryption.
• SSL does not mandate that Alice and Bob use a specific symmetric key algorithm, a
specific public-key algorithm, or a specific MAC. Instead, SSL allows Alice and Bob
to agree on the cryptographic algorithms at the beginning of the SSL session, during
the handshake phase.

2. Key Derivation:
Alice and Bob use the MS to generate four keys:
• EB = session encryption key for data sent from Bob to Alice
• MB = session MAC key for data sent from Bob to Alice
• EA = session encryption key for data sent from Alice to Bob
• MA = session MAC key for data sent from Alice to Bob

Note that Alice and Bob each generate the four keys from the MS (master key). The two
encryption keys will be used to encrypt data; the two MAC keys will be used to verify the
integrity of the data.

3. Data Transfer:
1. First of all, SSL breaks the data stream into records.
2. It appends a MAC to each record for integrity checking.
3. Then it encrypts the record + MAC.
4. To create the MAC, Bob inputs the record data along with the key MB into a hash function.

[Figure: first create the MAC, using the data and the key MB as input to the hash function;
secondly append the MAC to the data record and then encrypt. The type field indicates
whether the record is a handshake message or a message that contains application data.]



• Notes on the SSL handshake:

During the handshake phase, Alice and Bob send nonces to each other, which are used in
the creation of the session keys (EB, MB, EA, and MA). The steps of the real SSL handshake
are as follows:

1. The client sends a list of cryptographic algorithms it supports, along with a client nonce.
2. From the list, the server chooses a symmetric algorithm (for example, AES), a public key
algorithm (for example, RSA with a specific key length), and a MAC algorithm. It sends
back to the client its choices, as well as a certificate and a server nonce.



• Network-Layer Security: IPsec and Virtual Private Networks:
• The IPsec protocol provides security at the network layer.
• IPsec is a suite of protocols that work together to provide security.
• A VPN uses IPsec for secure communication.
• The network-layer security protocol (IPsec) can provide:
1. Confidentiality.
2. Source authentication.
3. Data integrity.
4. Replay-attack prevention, meaning that Bob can detect any duplicate datagrams that an
attacker might insert.

Question: network-layer security is said to be "blanket coverage". WHY?

ANSWER: IPsec is an end-to-end security scheme operating in the Internet layer of
the Internet Protocol Suite, which means that everything carried above it (every
transport-layer segment, whatever the application) is encrypted.

• A virtual private network (VPN) gives you online privacy and anonymity by creating
a private network over the public Internet connection.

• There are different protocols and technologies to set up a VPN:
1. PPTP: Point-to-Point Tunneling Protocol.
2. L2TP: Layer 2 Tunneling Protocol.
3. Pure IPsec.

Protocol     Tunneling   Authentication   Encryption
PPTP         PPP         password only    no encryption
L2TP         L2TP        IPsec            IPsec
Pure IPsec   IPsec       IPsec            IPsec



• IPsec (Internet Protocol Security): a protocol that defines encryption, authentication, and
key management for TCP/IP transmissions.

• IPsec accomplishes authentication in two phases:
1. The first phase is key management.
2. The second phase is encryption.

• IKE: Internet Key Exchange

• IKE is the protocol used to set up a security association (SA) in the IPsec protocol
suite. It is used in large VPNs to establish SAs automatically.

• Key management refers to the way in which two nodes agree on common
parameters for the keys they will use; it is accomplished in two steps:
1. IKE (Internet Key Exchange) negotiates and authenticates keys.
2. ISAKMP (Internet Security Association and Key Management Protocol)
establishes policies for verifying identities and the encryption methods that nodes
will use for data transmission.

NOTE:
After IKE has managed the shared keys and ISAKMP policies have ensured that both
parties agree on the methods of secure transmission, IPsec invokes its second phase,
encryption.



• IPsec uses TWO protocols to provide traffic security (encryption):
1. Authentication Header (AH): provides source authentication and data integrity but
does not provide confidentiality.
2. ESP (Encapsulating Security Payload): provides source authentication and data
integrity, and also provides confidentiality.

• IPsec works in TWO modes:

1. Transport mode: only the payload of the IP packet is encrypted or authenticated.
Transport mode encrypts only the payload and the ESP trailer, so the IP header of
the original packet is not encrypted.

2. Tunnel mode: the entire IP packet is encrypted and authenticated. It is then
encapsulated into a new IP packet with a new IP header. Tunnel mode is used to
create virtual private networks for network-to-network communications (e.g. between
routers to link sites), host-to-network communications (e.g. remote user access) and
host-to-host communications (e.g. private chat).




• Security Associations:
- Before sending IPsec datagrams from a source entity to a destination entity, the source
and destination entities create a network-layer logical connection.
- This logical connection is called a security association (SA); it is unidirectional, from
source to destination.
- If both entities want to send secure datagrams to each other, then two SAs (that is,
two logical connections) need to be established, one in each direction.

An SA includes:
1. A 32-bit identifier for the SA, called the Security Parameter Index (SPI).
2. The origin interface of the SA and the destination interface of the SA (in the figure's
example, 193.68.2.23).
3. The type of encryption to be used (for example, 3DES with CBC).
4. The encryption key.
5. The type of integrity check (for example, HMAC with MD5).
6. The authentication key.




• Securing Wireless LANs:
• There are several security standards: WEP, WPA, WPA2.

• Wired Equivalent Privacy (WEP): a protocol designed to provide authentication and data
encryption between a host and a wireless access point (that is, base station) using a
symmetric shared key approach.

• WEP encrypts the data in transit using the RC4 (stream cipher) algorithm to ensure
confidentiality.

• WEP supports a key length of 40 bits, plus 24 bits for the IV (Initialization Vector).

• WEP uses a shared key concept, WEP/PSK (pre-shared key).
• WEP is the oldest of these security standards, and its downside is that the IV can be
attacked easily.

WEP: Wired Equivalent Privacy
WPA: Wi-Fi Protected Access
WPA2: Wi-Fi Protected Access 2

• Authentication in WEP is carried out as follows:
1. A wireless host requests authentication by an access point.
2. The access point responds to the authentication request with a 128-byte nonce value.
3. The wireless host encrypts the nonce using the symmetric key that it shares with the
access point.
4. The access point decrypts the host-encrypted nonce.
5. If the decrypted nonce matches the nonce value originally sent to the host, then
the host is authenticated by the access point.




The WEP data encryption algorithm:

A secret 40-bit symmetric key (KS) is assumed to be known by both a host and the
access point. In addition, a 24-bit Initialization Vector (IV) is appended to the 40-bit
key to create a 64-bit key that will be used to encrypt a single frame.

1. First a 4-byte CRC value is computed for the data payload.
2. The payload and the four CRC bytes are then encrypted using the RC4 stream cipher.
3. The RC4 algorithm produces a stream of key values, (k1^IV, k2^IV, k3^IV, ...), that are
used to encrypt the data and CRC value in a frame.
4. Encryption is performed by XOR-ing the ith byte of data, d_i, with the ith key, k_i^IV.



"NOTE"
The IV is the primary reason for the weakness in WEP. (WHY?)

Answer:

1. The IV is sent in the plaintext part of the message.
2. The total key space is approximately 16 million keys, which means that the same
per-frame key will be reused.
3. Once a key has been repeated, an attacker can retrieve the key easily.
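What the three points above mean in practice, as an added example not from the notes: frame encryption exactly as described (IV || KS, RC4 over payload || CRC), two frames under a reused IV, and the 2^24 IV count; the key, IV and payloads are constructed sample values.

```python
# Added example (not from the original notes): what IV reuse does to WEP frames. Two
# frames sent under the same (IV, K_S) get the same RC4 keystream, so XOR-ing the two
# ciphertexts cancels the keystream and leaves p1 XOR p2. RC4 is written out for
# illustration; key, IV and payloads are constructed samples.
import math
import zlib

WEP_KEY = bytes([0x0A, 0x1B, 0x2C, 0x3D, 0x4E])   # constructed 40-bit K_S (5 bytes)
IV_BITS = 24


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA), then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                            # KSA
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                              # PRGA
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def crc32_bytes(data: bytes) -> bytes:
    """The 4-byte CRC WEP appends to the payload before encryption (step 1)."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_frame(iv: bytes, ks: bytes, payload: bytes) -> bytes:
    """Per-frame key = IV || K_S (24 + 40 bits); RC4 over payload || CRC; IV sent in the clear."""
    assert len(iv) == 3 and len(ks) == 5
    body = payload + crc32_bytes(payload)           # steps 1-2 of the notes
    stream = rc4_keystream(iv + ks, len(body))      # step 3: the k_i^IV values
    return iv + xor_bytes(body, stream)             # step 4: d_i XOR k_i^IV


def keystream_cancels(frame1: bytes, frame2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when both frames reuse the IV: c1 XOR c2 == p1 XOR p2 with no knowledge of K_S,
    which is why the 'same key reused' point above matters."""
    if frame1[:3] != frame2[:3]:
        return False                                # different IV: different keystream
    c1, c2 = frame1[3:], frame2[3:]
    return xor_bytes(c1, c2)[:len(p1)] == xor_bytes(p1, p2)


def iv_space() -> int:
    """Number of distinct IVs: 2^24 = 16,777,216, the 'about 16 million' of the notes."""
    return 2 ** IV_BITS


def expected_frames_until_iv_repeat() -> int:
    """Birthday bound for randomly chosen IVs: roughly sqrt(pi/2 * 2^24) frames."""
    return round(math.sqrt(math.pi / 2 * iv_space()))


if __name__ == "__main__":
    iv = b"\x01\x02\x03"                            # constructed IV, reused on purpose
    p1, p2 = b"GET /index.html ", b"GET /login.html "
    f1 = wep_encrypt_frame(iv, WEP_KEY, p1)
    f2 = wep_encrypt_frame(iv, WEP_KEY, p2)
    print(keystream_cancels(f1, f2, p1, p2))        # True
    print(iv_space(), expected_frames_until_iv_repeat())
```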

• IEEE 802.11i (WPA2)

• The solution to the weakness in WEP is WPA (Wi-Fi Protected Access).

• WPA has two advantages: it provides key distribution and uses an authentication server
separate from the access point. Separating the authentication server from the AP allows one
authentication server to serve many APs.

• WPA2 uses AES (a block cipher) for better encryption than WEP.



1. Discovery phase: in the discovery phase, the AP advertises its presence and the forms of
authentication and encryption that can be provided to the wireless client node.

2. Discovery phase (continued): the client then requests the specific forms of authentication
and encryption that it desires. Although the client and AP are already exchanging messages,
the client has not yet been authenticated nor does it have an encryption key.

3. Mutual authentication and Master Key (MK) generation: authentication takes place
between the wireless client and the authentication server. In this phase, the access point
acts essentially as a relay, forwarding messages between the client and the authentication
server. The Extensible Authentication Protocol (EAP) defines the end-to-end message
formats used in a simple request/response mode of interaction between the client and the
authentication server. As shown in Figure 8.32, EAP messages are encapsulated using EAPoL
(EAP over LAN, [IEEE 802.1X]) and sent over the 802.11 wireless link. These EAP messages
are then decapsulated at the access point, and then re-encapsulated using the RADIUS
protocol for transmission over UDP/IP to the authentication server.



• Operational Security: Firewalls and Intrusion Detection Systems

• A firewall is a combination of hardware and software that isolates an organization's internal
network from the Internet at large, allowing some packets to pass and blocking others.

• A firewall is a system designed to prevent unauthorized access to a private network by
filtering packets.

• A firewall has three goals:
1. All traffic from outside to inside, and vice versa, passes through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration.

• Firewalls can be classified in three categories: traditional packet filters (stateless),
stateful filters, and application gateways.

• Traditional Packet Filters:

• Traditional packet filtering is also known as a stateless firewall.
• This kind of firewall is built into the gateway router.
• A packet filter examines each datagram in isolation, determining whether the datagram
should be allowed to pass or should be dropped based on administrator-specified rules
(an access control list, ACL).
• Filtering decisions are typically based on:
1. IP source or destination address.
2. Protocol type in the IP datagram field: TCP, UDP, ICMP, OSPF, and so on.
3. TCP or UDP source and destination port.
4. TCP flag bits: SYN, ACK, and so on.
5. ICMP message type.
6. Different rules for datagrams leaving and entering the network.
7. Different rules for the different router interfaces.



• Stateful Packet Filters:
• In a traditional packet filter, filtering decisions are made on each packet in isolation.
Stateful filters actually track TCP connections, and use this knowledge to make filtering
decisions.

• This is possible because the firewall can observe the beginning of a new connection by
observing the three-way handshake (SYN, SYNACK, and ACK).
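The following added example (written for these notes, not taken from them or from any firewall product) shows both filter types on the same constructed packets: a stateless ACL that judges each datagram by the header fields listed above, and a stateful wrapper that remembers the outbound SYN of each connection. The internal prefix 222.22.0.0/16, the addresses and the rules are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                       # constructed, minimal view of a datagram's headers
    direction: str                  # "in" = Internet -> internal, "out" = internal -> Internet
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = -1

# Stateless ACL, first match wins. A missing field is a wildcard; a callable is a predicate.
# 222.22.0.0/16 is a constructed internal prefix.
ACL = [
    dict(direction="out", proto="tcp", src=lambda a: a.startswith("222.22."), dport=80, action="allow"),
    dict(direction="in", proto="tcp", sport=80, flags=lambda f: "ACK" in f, action="allow"),
    dict(direction="in", proto="icmp", icmp_type=0, action="allow"),   # echo reply only
    dict(action="deny"),                                                # default: drop
]

def _matches(rule, pkt):
    for field, want in rule.items():
        if field == "action":
            continue
        have = getattr(pkt, field)
        if (not want(have)) if callable(want) else (have != want):
            return False
    return True

def stateless_filter(pkt):
    """Each datagram is judged in isolation against the ACL."""
    for rule in ACL:
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"

class StatefulFilter:
    """Remembers connections whose SYN left the internal network, so an inbound segment
    is admitted only if it answers a connection we opened; ACL rule 2 alone cannot tell
    such a reply from an unsolicited inbound segment that merely has ACK set."""
    def __init__(self):
        self.open = set()           # (internal ip, internal port, remote ip, remote port)

    def filter(self, pkt):
        if pkt.proto == "tcp" and pkt.direction == "out" and pkt.flags == frozenset({"SYN"}):
            self.open.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))   # handshake begins
        verdict = stateless_filter(pkt)
        if verdict == "allow" and pkt.proto == "tcp" and pkt.direction == "in":
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.open:
                return "deny"       # passes the ACL but belongs to no tracked connection
        return verdict
```

A production firewall would also age entries out and track FIN/RST to close them; the toy keeps only the part needed to show why state changes the verdict.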

• Application gateways:
Application gateways look beyond the IP/TCP/UDP headers and make policy decisions
based on application data. An application gateway is an application-specific server through
which all application data (inbound and outbound) must pass. Multiple application gateways
can run on the same host, but each gateway is a separate server with its own processes.

• Intrusion Detection Systems:

• Detecting many attacks requires deep packet inspection, that is, looking beyond the header
fields and into the actual application data that the packets carry.

• As we saw, application gateways often do deep packet inspection, but an application
gateway does this only for a specific application.

• A device that generates alerts when it observes potentially malicious traffic is called an
intrusion detection system (IDS).

• A device that filters out suspicious traffic is called an intrusion prevention system (IPS).

An IDS can be used to detect a wide range of attacks:

1. Port scans

2. TCP stack scans

3. DoS bandwidth-flooding attacks

4. Worms and viruses

5. OS vulnerability attacks and application vulnerability attacks.
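As an added example (not from the notes or from any IDS product), the detector below combines the two approaches the notes describe: deep packet inspection of the application payload against a signature, and a header-only heuristic that raises a port-scan alert when one source touches many ports on one host in a short window. The flow records, the signature string and the thresholds are all constructed.

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (time_s, src_ip, dst_ip, dst_port, payload)
SAMPLE_FLOWS = [
    (0.0, "198.51.100.7", "222.22.1.10", 22, b""),
    (0.3, "198.51.100.7", "222.22.1.10", 23, b""),
    (0.6, "198.51.100.7", "222.22.1.10", 25, b""),
    (0.9, "198.51.100.7", "222.22.1.10", 80, b""),
    (1.2, "198.51.100.7", "222.22.1.10", 443, b""),
    (5.0, "203.0.113.9", "222.22.1.10", 80, b"GET / HTTP/1.1"),
    (6.0, "203.0.113.9", "222.22.1.10", 80, b"GET /?q=EXAMPLE-EXPLOIT-MARKER HTTP/1.1"),
]

# Constructed signature; a real IDS consults a maintained signature database (e.g. Snort rules).
PAYLOAD_SIGNATURES = {"example-exploit-marker": b"EXAMPLE-EXPLOIT-MARKER"}
SCAN_PORTS = 5       # distinct destination ports on one host from one source ...
SCAN_WINDOW = 2.0    # ... within this many seconds is reported as a port scan

def detect(flows, signatures=PAYLOAD_SIGNATURES, scan_ports=SCAN_PORTS, window=SCAN_WINDOW):
    """Return (alert_type, detail, src, dst) tuples. An IDS only logs these;
    an IPS would additionally drop the offending traffic."""
    alerts = []
    history = defaultdict(list)     # (src, dst) -> [(time, port), ...]
    scans_reported = set()
    for ts, src, dst, port, payload in flows:
        # Deep packet inspection: look past the headers into the application data.
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append(("signature", name, src, dst))
        # Port-scan heuristic on header fields alone.
        hist = history[(src, dst)]
        hist.append((ts, port))
        recent_ports = {p for t, p in hist if ts - t <= window}
        if len(recent_ports) >= scan_ports and (src, dst) not in scans_reported:
            scans_reported.add((src, dst))
            alerts.append(("port_scan", f"{len(recent_ports)} ports in {window}s", src, dst))
    return alerts
```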



NOTE
In Figure 8.36, the organization has partitioned its network into two regions: a high-security
region, protected by a packet filter and an application gateway and monitored by IDS sensors;
and a lower-security region, referred to as the demilitarized zone (DMZ), which is protected
only by the packet filter but is also monitored by IDS sensors.



• Security Terms :

1. Denial of service: A denial-of-service (DoS) attack is any type of attack where the
attackers (hackers) attempt to prevent legitimate users from accessing the service.

2. Man-in-the-middle attack: A man-in-the-middle attack (MITM) is an attack where the
attacker secretly relays and possibly alters the communications between two
parties who believe that they are directly communicating with each other. One
example of a MITM attack is active eavesdropping, in which the attacker makes
independent connections with the victims and relays messages between them to
make them believe they are talking directly to each other over a private connection,
when in fact the entire conversation is controlled by the attacker.

3. Malware: The term malware is a contraction of malicious software. Put simply,
malware is any piece of software that was written with the intent of damaging
devices, stealing data, and generally causing a mess. Viruses, Trojans, spyware,
and ransomware are among the different kinds of malware.

4. Ransomware: The idea behind ransomware, a form of malicious software, is
simple: lock and encrypt a victim's computer or device data, then demand a
ransom to restore access.

5. Phishing (fishing): is a type of social engineering attack often used to steal user
data, including login credentials and credit card numbers. It occurs when an
attacker, masquerading as a trusted entity, dupes a victim into opening an email,
instant message, or text message. The recipient is then tricked into clicking a
malicious link, which can lead to the installation of malware, the freezing of the
system as part of a ransomware attack, or the revealing of sensitive information.

6. Sniffing (eavesdropping): means to illegally listen in on another's conversation.



7. Spoofing (deception): means to pretend to be someone else.

• Diffie-Hellman:
is a public-key algorithm used to exchange a session key, which is then used for
encrypting the messages.
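An added worked exchange (not from the notes) with the classic toy parameters p = 23, g = 5: each side sends only its public value, both derive the same session key, and a degenerate public value is refused. The Party and exchange names are constructed for this illustration, and the exchange as written authenticates nobody, which is why the public values are signed or carried inside an authenticated channel in practice (see the man-in-the-middle term above).

```python
import hashlib
import secrets

# Toy textbook parameters, constructed for readability; a real deployment uses a
# standardised group with a prime of 2048 bits or more (e.g. RFC 7919 ffdhe2048).
P, G = 23, 5

class Party:
    """One endpoint of the exchange; only its public value ever crosses the network."""
    def __init__(self, name, private=None):
        self.name = name
        # private exponent stays local; fixed values are accepted only to make the demo reproducible
        self.private = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)          # g^x mod p, sent to the peer in the clear

    def session_key(self, peer_public):
        # Reject 0, 1 and p-1: they would force a trivial, attacker-known shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate Diffie-Hellman public value")
        shared = pow(peer_public, self.private, P)     # g^(ab) mod p, identical on both sides
        # Derive the symmetric session key from the shared secret instead of using it raw.
        return hashlib.sha256(shared.to_bytes(4, "big")).digest()

def exchange(alice, bob):
    """Simulate the two messages on the wire and return the keys each side derives."""
    msg_a_to_b = alice.public      # Alice -> Bob:   g^a mod p
    msg_b_to_a = bob.public        # Bob   -> Alice: g^b mod p
    return alice.session_key(msg_b_to_a), bob.session_key(msg_a_to_b)
```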



• Breaking an encryption scheme:
An attacker can try to break encryption in three different scenarios:

1. Ciphertext-only attack: the intruder (attacker) has only ciphertext, which she can analyze by
two approaches:

• brute force: search through all keys

• statistical analysis

2. Known-plaintext attack: the intruder knows some of the (plaintext, ciphertext)
pairings.

3. Chosen-plaintext attack: Trudy can obtain the ciphertext for plaintext of her choosing.
