
L6 CommSecurity

This document discusses various topics relating to communication security. It begins by outlining the course structure, which covers security principles, classic and symmetric ciphers, asymmetric ciphers, authentication and integrity, and security across network layers. It then examines security implementations at the network layer using IPsec, at the transport layer using TLS, and at the application layer using email security protocols and SSH. Specific protocols like IPsec's AH and ESP, IEEE 802.11i, and SSH channel types are also summarized. The document provides an overview of key communication security concepts and protocols.

COMMUNICATION SECURITY
DR. NOR FADZILAH ABDULLAH
JKEES, FKAB

Contents adopted from William Stallings “Cryptography & Network Security” 6th Edition
(Chapter 17, 19 & 20) & other online sources
COURSE STRUCTURE

No. Topic
1 Security principles and practices
2 Classic Ciphers
3 Symmetric Ciphers
4 Asymmetric Ciphers & Public key cryptosystems
5 Authentication & Integrity
6 Communication security across different layers

SECURITY ON DIFFERENT LAYERS

• Network layer: IPsec, Firewalls, VPN, 802.11i
• Transport layer security (TLS)
• Application layer
  • E-mail security: PGP, S/MIME
IPsec: INTRO
• Security for OSI layer 3
• Authentication and encryption for every packet
• Confidentiality & integrity/anti-replay: encryption & packet signing
• Many standards: RFC 4301 through RFC 4309, RFC 2408, RFC 2410, RFC 5996, RFC 4835, etc.
• Two core IPsec protocols:
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
EXCHANGE KEYS WITH IPSEC
Two phases must be completed before any traffic can be sent via IPsec.
• Phase 1
  • Establish secure channel with ISAKMP (Internet Security Association and Key Management Protocol) Security Association
  • IKEv2 (Internet Key Exchange) method: session negotiation & management (2 devices identify hosts & exchange keys, usually using UDP port 500).
• Phase 2
  • Setting up encryption between devices using Quick Mode IPsec to coordinate ciphers and key sizes
IPSEC MODES

Tunnel Mode
• Entire IP packet is encrypted and becomes the data component of a new (and
larger) IP packet
• Frequently used in an IPsec site-to-site VPN
Transport Mode
• IPsec header is inserted into the IP packet
• No new packet is created
• Works well in networks where increasing a packet’s size could cause an issue
• Frequently used for remote-access VPNs
IPSec: AH
• Hash of the packet & a shared key (e.g. MD5, SHA-1 or SHA-2)
• 2 modes of transport:
  • Transport mode: header is inserted just after the IP header
  • Tunnel mode: whole IP packet is encapsulated with a completely new IP header, e.g. VPN
• Provides authentication only

IPsec: AH
• Anti-replay provided by sequence number field
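The two AH mechanisms above, a keyed hash over the packet and a sequence number for anti-replay, as an added Python example (not from the original slides). It is a simplified model: the packet layout, the 64-packet window and the choice of HMAC-SHA-256 are assumptions for illustration, and real AH also covers selected IP header fields.

```python
import hashlib
import hmac
import struct

WINDOW = 64      # assumed anti-replay window size for this sketch
ICV_LEN = 32     # HMAC-SHA-256 output length in bytes


def make_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build SPI | sequence number | payload | ICV (simplified AH-like layout)."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the ICV first, then applies a sliding anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest authenticated sequence number seen
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "drop: truncated"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; unauthenticated packets never move the window.
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"
        _spi, seq = struct.unpack("!II", body[:8])
        if seq == 0:
            return "drop: bad sequence number"   # counters start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= WINDOW:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "drop: too old"
        if self.bitmap & (1 << offset):
            return "drop: replay"
        self.bitmap |= 1 << offset          # late but new: remember it
        return "accept"


def demo():
    key = b"constructed-shared-key"          # constructed sample key
    rx = Receiver(key)
    p1 = make_packet(key, 0x1001, 1, b"hello")
    p3 = make_packet(key, 0x1001, 3, b"world")
    p2 = make_packet(key, 0x1001, 2, b"late")
    tampered = p3[:10] + b"X" + p3[11:]      # one payload byte changed in transit
    forged = make_packet(b"wrong-key", 0x1001, 4, b"forged")
    # p2 is delivered twice: once out of order, once as a replay.
    return [rx.accept(p) for p in (p1, p3, p2, p2, tampered, forged)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```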
IPsec: ESP
• Has ESP header & trailer (padding) & Integrity Check Value (HMAC):
provide integrity & authentication
• Hash (MD5, SHA-1 or SHA-2) & encryption (3DES or AES)
IPSEC: ESP

TRANSPORT ADJACENCY

• Another way to apply authentication after encryption is to use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA
• In this case ESP is used without its authentication option
• Encryption is applied to the IP payload
• AH is then applied in transport mode
• Advantage of this approach is that the authentication covers more fields
• Disadvantage is the overhead of two SAs versus one SA
IPSEC WITH AH AND ESP

IEEE 802.11i WLAN SECURITY
• There is an increased need for robust security services and mechanisms for wireless LANs

• Wired Equivalent Privacy (WEP)
  • The privacy portion of the 802.11 standard
  • Contained major weaknesses
• Wi-Fi Protected Access (WPA)
  • A set of security mechanisms that eliminates most 802.11 security issues
  • Based on the current state of the 802.11i standard
• WPA2/Robust Security Network (RSN)
  • Final form of the 802.11i standard
  • Complex
ELEMENTS OF IEEE 802.11i
IEEE 802.11i Phases of Operation

• Capability Discovery
• Authentication
• Association
IEEE 802.1X
ACCESS CONTROL APPROACH
• Port-based network access control
• The authentication protocol that is used, the Extensible Authentication Protocol (EAP), is defined in the IEEE 802.1X standard
• 802.1X uses:
  • Controlled ports
    • Allow the exchange of PDUs between a supplicant and other systems on the LAN only if the current state of the supplicant authorizes such an exchange
  • Uncontrolled ports
    • Allow the exchange of PDUs between the supplicant and the AS, regardless of the authentication state of the supplicant
IEEE 802.11i Key Hierarchies
TRANSPORT LAYER SECURITY (TLS)
• One of the most widely used security services
• Defined in RFC 5246
• Is an Internet standard that evolved from a commercial protocol known as Secure Sockets Layer (SSL)
• Is a general purpose service implemented as a set of protocols that rely on TCP
• Could be provided as part of the underlying protocol suite and therefore be transparent to applications
• Can be embedded in specific packages
• Most browsers come equipped with TLS, and most Web servers have implemented the protocol

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


SSL/TLS PROTOCOL STACK

HTTPS (HTTP OVER SSL/TLS)
• Refers to the combination of HTTP and SSL/TLS to implement secure
communication between a web browser and a web server

• The HTTPS capability is built into all modern web browsers

• A user of a web browser will see URL addresses that begin with https://
rather than http://

• If HTTPS is specified, port 443 is used, which invokes SSL or TLS.

• When HTTPS is used, the following elements of the communication are encrypted:
• URL of the requested document
• Contents of the document
• Contents of browser forms
• Cookies sent from browser to server and from server to browser
• Contents of HTTP header



SECURE SHELL (SSH)
• A protocol for secure network communications designed to be relatively simple and inexpensive to implement
• The initial version, SSH1, was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security
• SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail
• SSH2 fixes a number of security flaws in the original scheme and is documented as a proposed standard in IETF RFCs 4250 through 4256
• SSH client and server applications are widely available for most operating systems
  • Has become the method of choice for remote login and X tunneling
  • Is rapidly becoming one of the most pervasive applications for encryption technology outside of embedded systems

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
SSH: PORT FORWARDING

CHANNEL TYPES
Four channel types are recognized in the SSH Connection Protocol specification

Session
• The remote execution of a program
• The program may be a shell, an application such as file transfer or e-mail, a system command,
or some built-in subsystem
• Once a session channel is opened, subsequent requests are used to start the remote program

X11
• Refers to the X Window System, a computer software system and network protocol that
provides a graphical user interface (GUI) for networked computers
• X allows applications to run on a network server but to be displayed on a desktop machine

Forwarded-TCPIP
• Remote port forwarding

Direct-TCPIP
• Local port forwarding
E-MAIL SECURITY

• PGP (Pretty Good Privacy)
• S/MIME (Secure/Multipurpose Internet Mail Extension)
INTERNET MAIL ARCHITECTURE



EMAIL PROTOCOLS

Two types of protocols are used for transferring email:
• Used to move messages through the Internet from source to destination
  • Simple Mail Transfer Protocol (SMTP)
• Used to transfer messages between mail servers
  • IMAP and POP are the most commonly used


SMTP
• Simple Mail Transfer Protocol
• Encapsulates an email message in an envelope and is used to relay the encapsulated messages from source to destination through multiple MTAs
• Is a text-based client-server protocol
• Was originally specified in 1982 as RFC 821
• The term Extended SMTP (ESMTP) is often used to refer to later versions of SMTP


MAIL ACCESS PROTOCOLS
• POP3
  • Post Office Protocol
  • allows an email client to download an email from an email server (MTA)
  • POP3 user agents connect via TCP to the server
  • after authorization, the UA can issue POP3 commands to retrieve and delete mail
• IMAP
  • Internet Mail Access Protocol
  • enables an email client to access mail on an email server
  • also uses TCP, with server TCP port 143
  • is more complex than POP3
  • provides stronger authentication and provides other functions not supported by POP3


MULTIPURPOSE INTERNET MAIL EXTENSIONS (MIME)
• an extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of simple mail transfer protocol (SMTP)
• is intended to resolve these problems in a manner that is compatible with existing RFC 5322 implementations
• the specification is provided in RFCs 2045 through 2049

MIME SPECIFICATION INCLUDES THE FOLLOWING ELEMENTS:
• Five new message header fields are defined, which may be included in an RFC 5322 header; these fields provide information about the body of the message
• Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system
• A number of content formats are defined, thus standardizing representations that support multimedia electronic mail
E-MAIL THREATS

• Email sent by unauthorized MTA in enterprise (e.g. malware botnet)
• Email message sent using spoofed or unregistered sending domain
• Email message sent using forged sending address or email address (i.e. phishing, spear phishing)
• Email modified in transit
• Disclosure of sensitive information (e.g. PII) via monitoring and capturing of email traffic
• Unsolicited Bulk Email (i.e. spam)
• DoS/DDoS attack against an enterprise's email servers


S/MIME Services
S/MIME: SIMPLIFIED FUNCTIONAL FLOW
S/MIME: AUTHENTICATION
• Provided by means of a digital signature
1. The sender creates a message
2. SHA-256 is used to generate a 256-bit message digest of the message
3. The message digest is encrypted with RSA using the sender’s private key,
and the result is appended to the message. Also appended is identifying
information for the signer, which will enable the receiver to retrieve the
signer’s public key
4. The receiver uses RSA with the sender’s public key to decrypt and recover
the message digest
5. The receiver generates a new message digest for the message and
compares it with the decrypted hash code. If the two match, the message
is accepted as authentic
• Detached signatures are supported
• A detached signature may be stored and transmitted separately from the message it signs
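The five signing steps above, carried through in Python as an added example (not from the original slides), with the signature kept detached from the message. It uses textbook RSA with no padding over a modulus built from two publicly known Mersenne primes, which is trivially factorable and chosen only so the sketch runs with the standard library; the signer address is constructed, and real S/MIME uses padded RSA signatures with certified keys.

```python
import hashlib

# Toy key material: both primes are public knowledge, so this key is NOT secure.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Step 2: 256-bit SHA-256 message digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, signer_id: str) -> dict:
    """Step 3: transform the digest with the private key and attach signer info.

    The returned object is a detached signature: it does not contain the
    message and can be stored or sent separately from it.
    """
    return {"signer": signer_id, "signature": pow(digest_int(message), D, N)}


def verify(message: bytes, detached: dict, public_keys: dict) -> bool:
    """Steps 4-5: recover the digest with the signer's public key and compare."""
    key = public_keys.get(detached["signer"])
    if key is None:                          # unknown signer: nothing to check against
        return False
    e, n = key
    recovered = pow(detached["signature"], e, n)
    return recovered == digest_int(message)


def demo():
    directory = {"alice@example.org": (E, N)}        # constructed key directory
    message = b"Meeting moved to 14:00."             # step 1: sender creates message
    sig = sign(message, "alice@example.org")
    altered = b"Meeting moved to 16:00."             # modified in transit
    stranger = {"signer": "unknown@example.org", "signature": sig["signature"]}
    return (
        verify(message, sig, directory),             # authentic
        verify(altered, sig, directory),             # digest mismatch
        verify(message, stranger, directory),        # no public key for signer
    )


if __name__ == "__main__":
    print(demo())
```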
S/MIME: CONFIDENTIALITY
• S/MIME provides confidentiality by encrypting messages
• Most commonly AES with a 128-bit key is used, with the cipher block
chaining (CBC) mode
• The key itself is also encrypted, typically with RSA
• Each symmetric key, referred to as a content-encryption key, is used only
once
• A new key is generated as a random number for each message
• Because it is to be used only once, the content-encryption key is bound to
the message and transmitted with it
• To protect the key, it is encrypted with the receiver’s public key
• To reduce encryption time, the combination of symmetric and public-key encryption is used
• Only the recipient is able to recover the session key that is bound to the message
S/MIME: E-MAIL COMPATIBILITY
• Many electronic mail systems only permit the use of blocks consisting of
ASCII text
• To accommodate this restriction, S/MIME provides the service of converting
the raw 8-bit binary stream to a stream of printable ASCII characters
• The scheme used for this purpose is Base-64 conversion
• Each group of three octets of binary data is mapped into four ASCII characters
• The Base-64 algorithm blindly converts the input stream to Base64 format
regardless of content, even if the input happens to be ASCII text

• RFC 5751 recommends that even if outer 7-bit encoding is not used, the
original MIME content should be 7-bit encoded

S/MIME: COMPRESSION
• S/MIME offers the ability to compress a message
• This has the benefit of saving space both for email transmission and for
file storage
• Compression can be applied in any order with respect to the signing and
message encryption operations
• RFC 5751 provides these guidelines:
• Compression of binary encoded encrypted data is discouraged, since it will
not yield significant compression; Base64 encrypted data could very well
benefit, however
• If a lossy compression algorithm is used with signing, you will need to
compress first, then sign
S/MIME VS. PGP
Key Certification:

• S/MIME uses X.509 certificates that are issued by Certificate Authorities (or local agencies that have been delegated authority by a CA to issue certificates) → trusted if there is a valid PKIX chain to a trusted root

• In OpenPGP, users generate their own OpenPGP public and private keys and then solicit signatures for their public keys from known individuals or organizations → trusted if it is signed by another OpenPGP public key that is trusted by the recipient, i.e. Web-of-Trust

Key Distribution:

• OpenPGP does not include the sender’s public key with each message, thus recipients of OpenPGP messages need to separately obtain the sender’s public key to verify the message. Many organizations post OpenPGP keys on TLS-protected websites: people who wish to verify digital signatures or send these organizations encrypted mail need to manually download these keys and add them to their OpenPGP clients. Keys may also be registered with the OpenPGP public key servers (which maintain a database of PGP public keys organized by email address). Anyone may post a public key to the OpenPGP key servers, and that public key may contain any email address. There is no vetting of OpenPGP keys → use the Web-of-Trust to decide whether to trust a given public key.
EMAIL SECURITY: OTHER COUNTER THREAT PROTOCOLS
• STARTTLS
  • An SMTP security extension that provides authentication, integrity, non-repudiation and confidentiality for the entire SMTP message by running SMTP over TLS
• DNS Security Extensions (DNSSEC)
  • Provides authentication and integrity protection of DNS data, and is an underlying tool used by various email security protocols
• DNS-based Authentication of Named Entities (DANE)
  • Is designed to overcome problems in the certificate authority (CA) system by providing an alternative channel for authenticating public keys based on DNSSEC, with the result that the same trust relationships used to certify IP addresses are used to certify servers operating on those addresses
SUMMARY

• IPsec
• SSL/TLS
• SSH
• S/MIME

INTRUDERS
• Significant issue for networked systems is hostile or unwanted access
• Either via network or local
• Can identify classes of intruders:
• Masquerader
• Misfeasor
• Clandestine user

• Varying levels of competence


EXAMPLES OF INTRUSION
Remote root compromise
Web server defacement
Guessing / cracking passwords
Copying / viewing sensitive data / databases
Running a packet sniffer
Distributing pirated software
Using an unsecured modem to access net
Impersonating a user to reset password
Using an unattended workstation
HACKERS

• Motivated by thrill of access and status
  • Hacking community a strong meritocracy
  • Status is determined by level of competence
• Benign intruders might be tolerable
  • Do consume resources and may slow performance
  • Can’t know in advance whether benign or malign
• IDS / IPS / VPNs can help counter
• Awareness led to establishment of CERTs
  • Collect / disseminate vulnerability info / responses
HACKER BEHAVIOR EXAMPLE
1. Select target using IP lookup tools
2. Map network for accessible services
3. Identify potentially vulnerable services
4. Brute force (guess) passwords
5. Install remote administration tool
6. Wait for admin to log on and capture password
7. Use password to access remainder of network
CRIMINAL ENTERPRISE

• Organized groups of hackers now a threat
  • Corporation / government / loosely affiliated gangs
  • Typically young
  • Often Eastern European or Russian hackers
  • Often target credit cards on e-commerce server
• Criminal hackers usually have specific targets
• Once penetrated act quickly and get out
• IDS / IPS help but less effective
• Sensitive data needs strong protection
CRIMINAL ENTERPRISE BEHAVIOR
1. Act quickly and precisely to make their activities harder to detect
2. Exploit perimeter via vulnerable ports
3. Use trojan horses (hidden software) to leave back doors for re-entry
4. Use sniffers to capture passwords
5. Do not stick around until noticed
6. Make few or no mistakes.
INSIDER ATTACKS
• Among most difficult to detect and prevent
• Employees have access & systems knowledge
• May be motivated by revenge / entitlement
  • When employment terminated
  • Taking customer data when move to competitor
• IDS / IPS may help but also need:
  • Least privilege, monitor logs, strong authentication, termination process to block access & mirror data
INSIDER BEHAVIOR EXAMPLE
1. Create network accounts for themselves and their
friends
2. Access accounts and applications they wouldn't
normally use for their daily jobs
3. E-mail former and prospective employers
4. Conduct furtive instant-messaging chats
5. Visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. Perform large downloads and file copying
7. Access the network during off hours.
INTRUSION TECHNIQUES
• Aim to gain access and/or increase privileges on a system
• Often use system / software vulnerabilities
• Key goal often is to acquire passwords
• So then exercise access rights of owner
• Basic attack methodology
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Covering tracks
PASSWORD GUESSING
• One of the most common attacks
• Attacker knows a login (from email/web page etc)
• Then attempts to guess password for it
  • Defaults, short passwords, common word searches
  • User info (variations on names, birthday, phone, common words/interests)
  • Exhaustively searching all possible passwords
• Check by login or against stolen password file
• Success depends on password chosen by user
• Surveys show many users choose poorly
PASSWORD CAPTURE
• Another attack involves password capture
  • Watching over shoulder as password is entered
  • Using a trojan horse program to collect
  • Monitoring an insecure network login
    • E.g. Telnet, FTP, web, email
  • Extracting recorded info after successful login (web history/cache, last number dialed etc)
• Using valid login/password can impersonate user
• Users need to be educated to use suitable precautions/countermeasures
INTRUSION DETECTION
• Inevitably will have security failures
• So need also to detect intrusions so can
• Block if detected quickly
• Act as deterrent
• Collect info to improve security

• Assume intruder will behave differently to a legitimate user
• But will have imperfect distinction between
INTRUSION DETECTION
APPROACHES TO INTRUSION DETECTION
• Statistical anomaly detection
  • Attempts to define normal/expected behavior
  • Threshold
  • Profile based
• Rule-based detection
  • Attempts to define proper behavior
  • Anomaly
  • Penetration identification
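Threshold detection from the list above, applied to the password-guessing behaviour described earlier, as an added Python example (not from the original slides). The log format, the sample lines and the threshold of 5 failures within 60 seconds per source are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # assumed: failures per source that raise an alert
WINDOW = timedelta(seconds=60)     # assumed: sliding time window

# Constructed sample log: one fast guesser, one user with typos, one slow guesser.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=root src=198.51.100.7
2024-05-01T09:00:03 FAIL user=admin src=198.51.100.7
2024-05-01T09:00:04 FAIL user=alice src=192.0.2.44
2024-05-01T09:00:06 FAIL user=admin src=198.51.100.7
2024-05-01T09:00:09 FAIL user=alice src=192.0.2.44
2024-05-01T09:00:10 FAIL user=test src=198.51.100.7
2024-05-01T09:00:15 OK user=alice src=192.0.2.44
2024-05-01T09:00:18 FAIL user=guest src=198.51.100.7
2024-05-01T09:00:21 FAIL user=oracle src=198.51.100.7
2024-05-01T09:02:00 FAIL user=bob src=203.0.113.5
2024-05-01T09:04:00 FAIL user=bob src=203.0.113.5
2024-05-01T09:06:00 FAIL user=bob src=203.0.113.5
2024-05-01T09:08:00 FAIL user=bob src=203.0.113.5
2024-05-01T09:10:00 FAIL user=bob src=203.0.113.5
"""


def parse(line: str):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW):
    """Return (source, time, count) each time a source first crosses the threshold."""
    recent = defaultdict(deque)    # source -> timestamps of failures inside the window
    alerting = set()               # sources currently above the threshold
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, _user, src = parse(line)
        if result != "FAIL":
            continue
        failures = recent[src]
        failures.append(ts)
        while ts - failures[0] > window:     # expire failures outside the window
            failures.popleft()
        if len(failures) >= threshold:
            if src not in alerting:          # alert once per burst, not per line
                alerting.add(src)
                alerts.append((src, ts.isoformat(), len(failures)))
        else:
            alerting.discard(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The source that spaces its five failures two minutes apart stays under the threshold, which is the imperfect distinction between intruder and legitimate user that the slides mention.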
INTRUSION PREVENTION

• Honeypots
• Password management

HONEYPOTS
• Decoy security systems to lure potential attackers
  • Away from accessing critical systems
  • To collect information on their activities
  • To encourage attacker to stay on system so administrator can respond
• Are filled with fabricated information that appears valuable
• Instrumented to collect detailed information on attackers' activities
• Single or multiple networked systems
• IETF intrusion detection WG standards on-going
PASSWORD MANAGEMENT
• Front-line defense against intruders
• Users supply both:
• Login – determines privileges of that user
• Password – to identify them

• Passwords often stored encrypted
  • Unix uses multiple DES (variant with salt)
  • More recent operating systems use crypto hash function (e.g. MD5)
• Should protect password file on system


FIREWALLS
• IPsec does not keep digital pests (viruses, worms, etc.) and intruders from getting onto the LAN
• A firewall usually consists of two packet filters and an application gateway to prevent DoS (denial of service).
SECURITY DEVICES
FIREWALLS

• Some common firewall properties:
  • Firewalls are resistant to network attacks.
  • All traffic flows through the firewall.
  • Firewalls enforce the access control policy.
• Several benefits of using a firewall in a network:
  • Prevents the exposure of sensitive hosts, resources, and applications to untrusted users.
  • Sanitizes protocol flow.
  • Blocks malicious data from servers and clients.
  • Reduces security management complexity.
• Firewalls also present some limitations:
  • A misconfigured firewall can have serious consequences for the network.
  • The data from many applications cannot be passed over firewalls securely.
  • Users search for ways around the firewall to receive blocked material.
  • Network performance can slow down.
  • Unauthorized traffic can be tunneled as legitimate traffic through the firewall.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
SECURITY DEVICES
FIREWALL TYPE DESCRIPTIONS

• Packet filtering (stateless) firewalls - usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
• Stateful firewalls:
  • Allow or block traffic based on state, port, and protocol.
  • Monitor all activity from the opening of a connection until it is closed.
• Application gateway firewalls (proxy firewalls) - filter information at Layers 3, 4, 5, and 7 of the OSI reference model.
• Host-based (server and personal) firewall - a PC or server with firewall software running on it.
• Transparent firewall - filters IP traffic between a pair of bridged interfaces.
• Hybrid firewall - a combination of the various firewall types.
SECURITY DEVICES
PACKET FILTERING FIREWALLS

• Usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
• Are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.
SECURITY DEVICES
STATEFUL FIREWALLS
• The most versatile and common firewall technology in use.
• Provides stateful packet filtering by using connection information maintained in a state table.
• Classified at the network layer but also analyzes traffic at OSI Layer 4 and Layer 5.
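The difference between a stateless policy-table look-up and stateful filtering with a state table, as an added Python example (not from the original slides). The single "inside hosts may reach port 443" policy, the addresses (documentation ranges) and the packet fields are constructed for illustration; the model tracks connections by address and port only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")      # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_outbound(p: Packet) -> bool:
    return ip_address(p.src) in INSIDE


def stateless_filter(p: Packet) -> bool:
    """Policy table look-up on Layer 3/4 fields only; no memory of earlier packets."""
    if is_outbound(p):
        return p.dport == 443
    # Replies have to be let back in, and the only rule a stateless filter can
    # express is "source port 443 to an inside host". That rule cannot tell
    # whether an inside host ever asked for the packet.
    return p.sport == 443 and ip_address(p.dst) in INSIDE


class StatefulFilter:
    """Same outbound policy, but inbound packets must match the state table."""

    def __init__(self):
        self.state = set()               # (inside ip, inside port, outside ip, outside port)

    def allow(self, p: Packet) -> bool:
        if is_outbound(p):
            if p.dport != 443:
                return False
            self.state.add((p.src, p.sport, p.dst, p.dport))   # connection opened
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.state  # reply to a known flow?

    def close(self, p: Packet) -> None:
        """Forget a connection once the inside host has closed it."""
        self.state.discard((p.src, p.sport, p.dst, p.dport))


def demo():
    request = Packet("192.0.2.10", 51000, "198.51.100.5", 443)
    reply = Packet("198.51.100.5", 443, "192.0.2.10", 51000)
    unsolicited = Packet("203.0.113.9", 443, "192.0.2.20", 3389)
    fw = StatefulFilter()
    stateless = [stateless_filter(p) for p in (request, reply, unsolicited)]
    stateful = [fw.allow(p) for p in (request, reply, unsolicited)]
    fw.close(request)
    after_close = fw.allow(reply)        # same reply, connection no longer tracked
    return stateless, stateful, after_close


if __name__ == "__main__":
    print(demo())
```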
SECURITY DEVICES
NEXT-GENERATION FIREWALLS

• Provide standard firewall capabilities like stateful inspection.
• Contain integrated intrusion prevention.
• Use application awareness and control to see and block risky apps.
• Upgrade paths to include future information feeds.
• Implement techniques to address evolving security threats.

VIRTUAL PRIVATE NETWORKS
• VPN: tunnels can be set up on demand via IPsec (ESP); each pair of firewalls has to negotiate parameters, e.g. the services, modes, algorithms, and keys
• Transparent to users (like having a leased-line private network)

[Figure: a leased-line private network; a virtual private network]


SECURITY DEVICES
INTRUSION PREVENTION AND DETECTION DEVICES

SECURITY DEVICES
ADVANTAGES AND DISADVANTAGES OF IDS AND IPS

SECURITY DEVICES
TYPES OF IPS
• Host-based IPS (HIPS):
  • Software installed on a single host to monitor and analyze suspicious activity.
  • Monitor and protect operating system and critical system processes that are specific to that host.
  • Combine antivirus software, antimalware software, and firewall.
• Network-based IPS:
  • Implemented using a dedicated or non-dedicated IPS device.
  • Are a critical component of intrusion prevention.
  • Sensors detect malicious and unauthorized activity in real time and can take action when required.