368 Lecture Compile

The document outlines the Network Security course (CSCI368/968) taught by Dr. Fuchun Guo at the University of Wollongong, covering various topics in computer network security including cryptography, network protocols, and security technologies. It emphasizes the importance of understanding network vulnerabilities, applying security standards, and using appropriate tools to enhance system security. Assessments include programming and protocol design assignments, along with a final exam, with strict policies on submissions and academic integrity.

Network Security

CSCI368/968

Dr. Fuchun Guo


University of Wollongong

1
Contact details

A/Prof. Fuchun Guo

[email protected]

If you email me, please include the subject code and topic in the subject
line, for example: CSCI368: A1.

– This way I can tell if an email is about an almost-due assessment or a similar
important matter. (Start with: Hi Fuchun,)
– While I generally reply to emails within a couple of working days, there will be
times when other activities take priority.
– If possible, use your university account for email.
– If a matter concerns both Fuchun and the tutor, send the email to both of us.
2
About Me
Dr Fuchun Guo
Associate Professor
Institute of Cybersecurity and Cryptology
www.uow.edu.au/~fuchun

3
How to Ask a Question
• You might have questions to ask, but the questions look
"naive".

• You may worry that asking them will be "looked down on" by others.

• Actually, these "naive" questions are the key to fully understanding
this subject.

How to ask without being looked down on:

1. Statement (describe the experience that confused you)
2. Your question, or your different understanding.
3. "Where did I misunderstand?"
4
CSCI368: How to Secure Network and Access

5
CSCI368: How to Secure Network and Access
• Covering a wide range of topics in computer network
security
– From cryptography to network protocols
– From security programming to protocol design

• Knowledge required
– Basic cryptography (will be introduced briefly)
– Basic computer network knowledge (OSI Model)
– Programming: C, or Java or python (not introduced)

6
Aims
• Understand network vulnerabilities and network-
based attacks
• Apply a range network security technologies for
securing networks
• Use appropriate security standards and network
security tools to enhance security of a distributed
system
• Evaluate, compare, and recommend network
security applications and systems

7
Fuchun's Personal Perspective
• Eventually, you will forget what you have learned,
but this is fine and normal.

• The most important thing is: you have seen how
people tried to solve problems related to networks
and their security.

• The methodology will become your muscle memory
in the future and benefit you.

8
Textbook and References
• William Stallings, Cryptography and Network Security,
7th edition, Pearson, 2016

• Other references:
– C. Kaufman, R. Perlman, and M. Speciner, Network Security:
PRIVATE Communication in a PUBLIC World, 2nd edition,
Prentice Hall, 2002.
– William Stallings, Network Security Essentials, 6th edition,
Pearson, 2016.
– Colin Boyd, Anish Mathuria, Douglas Stebila, Protocols for
Authentication and Key Establishment, 2nd edition, Springer,
2020.
9
Contents

• 1 Subject introduction and network basics


• 2 Cryptography Review
• 3 Authentication and key establishment protocols.
• 4 Public key infrastructures. Centralised authentication systems,
Kerberos v5.
• 5 Email security. Secure Shell (SSH). Secure Sockets Layer
(SSL)/ Transport Layer Security (TLS)
• 6 Internet Protocol Security (IPSec), Internet Key Exchange
(IKE)
• 7 Wireless network security, Wi-Fi Protected Access (WPA),
Mobile system security
10
Contents (related to textbook)

[Figure slides 11 to 13 map the topics above onto the textbook chapters. The
cryptography chapters are treated as a black box; the protocol chapters cover
authentication and key establishment protocols, public key infrastructures,
centralised authentication systems and Kerberos v5.]

11
12
13
Assessments (Individual)

Assignment 1, 20%: programming. Due: see Moodle site.

Assignment 2, 20%: protocol design & analysis. Due: see Moodle site.

Final Exam, 60%: exam period.

14
14
Assessment
• Assignments must be submitted via Moodle.
• It is the student’s responsibility to keep a backup of his/her work. There will be
no extension granted due to any circumstance related to the failure of students’
own equipment.
• Penalties apply to all late work, except if student academic consideration has
been granted.
• Late submissions will attract a penalty of 25% of the assessment mark per day
including weekends.

• Students who copy an assignment may receive zero for that assignment. This
also covers assignments which may be the product of community effort by
several students. Working together is acceptable, but the final coding should be
the work of the individual student, as assessment is a measure of your ability. All
students involved in plagiarism will have a zero mark for that assessment task.
• At least 45% (27/60) must be obtained in the final exam; otherwise a TF (technical fail) grade may be given.

15
Security Basics

16
Network Security & Cyber Security
• Cyber security is a subset of information security which refers to
a set of techniques and methodologies used to protect the integrity of
networks, devices, programs, and data from damage, attack, or
unauthorized access. In simple terms, cyber security is the practice
of protecting internet-connected systems and networks from
digital attacks.

• Network security, on the other hand, is the act of protecting files
and directories in a network of computers against misuse, hacking,
and unauthorized access to the system. Network security is a
subset of cyber security which protects the integrity of your
network and network-accessible resources from unauthorized
access.
17
Network Security

• Computer networks are vulnerable to attackers.

• Network security is important because computers rely on
computer networks for communication.
• There are many remote applications: e-commerce,
distributed & cloud computing, mobile
communications, IoT, etc.
• Network security provides protection to networks and
applications.

18
A Model for Network Security

19
Threat and Attack

Threat to a service: An organization uses email for communication, and employees regularly receive
emails containing sensitive information or links to important documents. The existence of phishing
emails is a threat. Phishing emails are deceptive attempts to trick individuals into revealing sensitive
information, such as usernames, passwords, or financial information.

Service under attack: An employee receives an email that appears to be from a trusted source, such
as the organization's IT department. The email contains a link that supposedly leads to a critical
software update. If the employee clicks on the link and provides their login credentials on a fake
website, this action constitutes a phishing attack. The attacker has successfully exploited the
vulnerability: the employee was deceived by the phishing email.
20
From Attack to Mechanism& Security Service

21
Security Requirements (Aims)
• Confidentiality: Stored or transmitted information
should be accessible only by authorised parties.
• Integrity: Information should be protected from
unauthorised modification - alteration, insertion, or
deletion.
• Authenticity: The origin of a message should be assured.

• Availability: Information should be accessible to
authorised parties (legitimate users must still be able to
use the service). One cannot simply deny all access
because of attacks.
22
Security Issues: Four Types of Attacks

• Interruption: an attack on availability (active).
• Interception: an attack on confidentiality (passive).
• Modification: an attack on integrity (active).
• Fabrication: an attack on authenticity (active).
23
Security Attacks
• Passive Attacks:
– Eavesdropping on communications and release of message contents.
– Traffic analysis of the identities, locations, frequency etc. of
communications.

• Active Attacks:
– Impersonation attack
– Modification of messages
– Denial of service
– ……
24
Protections against Attacks

• Cryptographic protection
– It is powerful, but
– it cannot protect everything.
– Each mechanism resists a particular attack.

• Non-cryptographic protection
– Physical hardware support
– Detect and block (firewall)

25
Protections against Attacks

• Mechanisms and the attacks they resist
– Attack 1 and Mechanism 1
– Attack 2 and Mechanism 2
– Attack 3 and Mechanism 3
– Attack 4 and Mechanism 4
– Attack 5 and Mechanism 5
– Attack 6 and Mechanism 6

• A mechanism must also consider the application
scenario.
• Therefore, we have many cryptographic
mechanisms.
26
Security methods/mechanisms: Cryptography

• Encryption:
– Symmetric cryptosystems – secret key
• AES, DES, RC4, ... (DES and RC4 are obsolete and are listed here for
historical comparison only)
– Asymmetric cryptosystems – public key
• RSA, ElGamal, ...

• Digital signature:
– RSA, DSS, ElGamal.
• (Keyed) hash:
– MD5, SHA-1/2/3, HMAC, etc. (MD5 and SHA-1 are no longer collision
resistant and must not be used where collision resistance matters)
• Others.....
27
Security protocols (services)

• Protocols are agreed-upon rules or standards enabling
connection and interaction between parties.

– They can specify data formats.
– Rules of exchange: who does what, and when?
– Specify termination or error rules or handling conditions.

28
Network Security is …

• … about securing computer networks to meet the
security requirements:
– Confidentiality, availability, integrity etc.

• … using security protocols/systems:
– VPN, SSL/TLS, Kerberos, IPSec, …
– protocols are for communications
– security protocols are to secure those protocols
29
Review, Summary, and PMP

30
Terms Together (Arrow and Shield)

[Figure: threats & attacks (the arrow) against the security mechanism and the
security protocol & service (the shield).]
31

All Terms Together

• Cyber Security & Network Security
• Security Threats
• Security Attacks
– Four types: related to C.I.A.A
– Two categories: passive and active
• Security Aims: C.I.A.A
• Security Mechanism (Solution/Scheme)
• Security Protocol/Service
32
33
Questions: Why do we need so many (different) protocols, based
on the above picture?

Answer: (1) We don't have A in an application scenario but a solution needs A as
one of its tools. Then we have to find another solution. (2) We have a new aim (e.g.
we need integrity, while we have confidentiality only).

34
Questions: List one passive attack and one active attack.

Answer: (1) Traffic analysis. The adversary tries to learn key information by
analysing the communication. (2) Impersonation. The adversary tries to log into a user's
account without authorization.

35
Relations
Parties: client-client, client-server, server-server

What do they want (protection)?
What do they have (environment)?
What can they use (tools)?
→ Security Protocols

36
36
Network Basics

37
Outline
• Introduction to network protocols
• OSI
• TCP/IP
• Address
• NAT Protocol
• Some network threats

38
Introduction

• For two entities to communicate successfully, they must
"speak the same language": what is communicated, and
how it is communicated. (They are just machines.)

• A network protocol is used for communication between
entities in different systems.

• Simply, a protocol is a set of rules. A network protocol
is a set of rules followed by the network.

39
Example
• Assume Maria and Ann are neighbors with a lot of
common ideas. However, Maria speaks only Spanish,
and Ann speaks only English.

• Since both learned sign language in their
childhood, they enjoy meeting in a cafe a couple of
days per week and exchanging their ideas using signs.
Communication is face to face and happens in one
layer.

Source: Behrouz A. Forouzan, TCP/IP Protocol Suite
40

Example
• Now assume that Ann has to move to another town because of her job.
Before she moves, the two meet for the last time in the same cafe.
Although both are sad, Maria surprises Ann when she opens a packet that
contains two small machines.
• The first machine can scan and transform a letter in English to a secret
code or vice versa. The other machine can scan and translate a letter in
Spanish to the same secret code or vice versa. Ann takes the first
machine; Maria keeps the second one.
• The two friends can still communicate using the secret code.

41
OSI: the seven layer model…
• …dates back to 1983 and was released by ISO.
• OSI is an abbreviation of Open Systems Interconnection.
• It is a standard for designing the various protocols used in
computer networks.
• Generally we distinguish between the upper layers, the top three,
and the lower layers, the bottom four.
– Effectively the upper layers are local and associated with the "end-user", while the lower layers
relate to the actual network and communication services.

• Split a task into pieces and then solve each piece independently (or
nearly so).

42
42
Layering Example: Federal Express
• Letter in envelope, address on outside
• FedEx courier adds addressing information, barcode.
• Local office drives to airport and delivers to hub.
• Sent via airplane to nearest city.
• Delivered to right office
• Delivered to right person

43
43
OSI Layers
7. identifying communication partners, determining resource
availability, and synchronizing communication
6. data form representation by translating between application and
network formats
5. establishes, manages and terminates the connections between the
local and remote application.
4. provides the functional and procedural means of transferring
variable-length data sequences from a source to a destination host,
while maintaining the quality of service functions. (port number)
3. provides the functional and procedural means of transferring
variable length data sequences from one node to another connected
in "different networks“ (IP)
2. It detects and possibly corrects errors that may occur in the
physical layer. It defines the protocol to establish and terminate a
connection between two physically connected devices. (MAC)
1. responsible for the transmission and reception of unstructured
raw data between a device and a physical transmission medium. It
converts the digital bits into other signals.
44
OSI Layers

[Figure: the seven OSI layers.]
45
OSI Layers

https://www.youtube.com/watch?v=Kb4hVvlCx40
46
Simplified 4 Layers

[Figure: the four-layer simplification of the stack.]
47
TCP/IP Suite

• The TCP/IP protocol suite was developed prior to
the OSI model. Therefore, the layers in the TCP/IP
protocol suite do not match exactly with those in
the OSI model.

• The original TCP/IP protocol suite was defined as
four software layers built upon the hardware.

• Today, however, TCP/IP is thought of as a five-
layer model with the layers named similarly to the
ones in the OSI model.

48
48
OSI versus TCP/IP Model

7-layer OSI Reference Model      5-layer TCP/IP Internet Model
Application                      Application
Presentation                     (part of Application)
Session                          (part of Application)
Transport                        Transport
Network                          Internet
Data Link                        Data Link
Physical                         Physical

OSI is a conceptual model. OSI is not a protocol but a reference model used for
understanding and designing the system architecture.

TCP/IP is a suite of protocols used for every network including the Internet.
49
Communication

Segment (Transport Layer): If the transport protocol is TCP, the unit of data sent
from TCP to the network layer is called a segment.

Datagram (Internet/Network Layer): If the network protocol is IP, the unit of data
is called a datagram (packet). At the transport layer, if the protocol is UDP, we use the
term datagram there as well. Hence, we differentiate them as UDP datagram and IP datagram.

Frame (Data Link Layer): the protocol data unit at the data link layer.
50
Example

A Computer Network
[Figure: hosts A and B connected through routers R1, R3 and R4 over Links 1, 3, 5 and 6.]
51
Communication at Physical layer
[Figure: the raw bit stream 011...101 is transmitted hop by hop, A to R1 to R3 to R4 to B;
every node, including each router, has a physical layer.]
52
Communication at Data Link layer
[Figure: frame = data D2 + header H2. The frame is rebuilt at every node: each router
removes the frame header of the incoming link and adds a new one for the outgoing link.]
53
Communication at Network layer
[Figure: datagram = data D3 + header H3. The datagram produced by A's network layer is the
one delivered to B's network layer; the routers forward it using H3.]
54
Communication at Transport layer
[Figure: segment = data D4 + header H4, exchanged between the transport layers of A and B
only; the routers R1, R3 and R4 do not look at it.]
55
Communication at Application layer
[Figure: message = D5, exchanged end to end between the application layers of A and B.]
56
Addressing

• Each computer on a network requires a unique
address on that network.

• Each application requires a unique address on that
computer to allow support for multiple applications.

• A host address is therefore different from an
application address.

57
Addresses in the TCP/IP protocol

• Four levels of addresses are used in a network employing
the TCP/IP protocols:
– physical address (MAC)
– logical address (IP)
– port address (e.g. 80 for HTTP), and
– application-specific address (e.g. email address).

58
Addresses in the TCP/IP

https://www.youtube.com/watch?v=oGoWqdlaOMI
http://www.ques10.com/p/21477/discuss-the-different-types-of-addresses-used-in-t/
59
TCP Header
[Figure: TCP header; the source and destination port addresses are highlighted.]

Port addresses: FTP (20 & 21), SSH (22), TELNET (23),
SMTP (25), HTTP (80)
60
IPv4 Header
[Figure: IPv4 header; the logical (IP) source and destination addresses are highlighted.]
61
Frame Header
[Figure: frame header; the MAC source and destination addresses are highlighted.]
62
Example

[Figure: a node with physical address 10 sends the frame "87 | 10 | Data" (destination 87,
source 10). Node 1, whose address is 87, accepts the packet; nodes 2, 3 and 4 discard it.]

A node with physical address 10 sends a frame to a node with physical
address 87.

hub, switch & router explained - what's the difference?
https://www.youtube.com/watch?v=Ofjsh_E4HFY
63
Example

[Figure: the packet "A | P | Data" is carried in the frame "20 | 10 | A | P | Data" on the first
link, "33 | 99 | A | P | Data" on the second and "95 | 66 | A | P | Data" on the third. The
physical addresses change at every router, while the logical addresses A and P stay the same
end to end.]

The computer with logical address A and physical address 10 needs to send a
packet to the computer with logical address P and physical address 95.
64
Example

[Figure: sender A to receiver P over the Internet. The application data "Data" gets the port
addresses "a | j" at the transport layer, the logical addresses "A | P" at the network layer
and the frame header "H2" at the data link layer; the receiver strips them in reverse order.]

The sending computer is running three processes at this time with port
addresses a, b, and c. The receiving computer is running two processes at this
time with port addresses j and k.
65
NAT Protocol

• IPv4 uses 32-bit addresses, which limits the address
space to 4,294,967,296 (2^32) addresses (about 4 billion).

• Motivation: How to let more than 2^32 computers connect
to the internet?

66
66
NAT Protocol

• (NAT) Network Address Translation

• IP addresses -> public IP and private IP

Private address blocks (RFC 1918):
24-bit block 10.0.0.0 – 10.255.255.255
20-bit block 172.16.0.0 – 172.31.255.255
16-bit block 192.168.0.0 – 192.168.255.255

• Remapping one IP address into another (between public and private) by
modifying the network address information in the IP header of packets.

67
67
NAT Protocol

68
NAT Protocol - Mapping

• SNAT (Static NAT): one-to-one map, a fixed private address to a fixed public
address

• DNAT (Dynamic NAT, not to be confused with destination NAT): many-to-many,
private addresses are mapped on demand to a pool of public addresses

• PAT (port address translation): many-to-one, many private hosts share one
public address and are told apart by the translated source port

• Port forwarding: inbound one-to-one, a public address:port is mapped to a
chosen private host:port so that it is reachable from outside

69
Advantages of NAT

• The main advantage of NAT (Network Address Translation) is that it can prevent
the exhaustion of IPv4 addresses.

• NAT can hide the original source and destination addresses of internal hosts, which
is often described as an additional layer of security. Note that this is a side effect
of the translation table, not an access-control mechanism: NAT is not a substitute
for a firewall.

• NAT can provide financial savings because an
organization does not have to purchase IP addresses for every computer in use.

• NAT allows you to use your own private IPv4
addressing system and avoids internal address changes if you change the service
provider.

70
Disadvantages of NAT

• NAT is a processor- and memory-consuming
technology, since NAT needs to translate IPv4 addresses for
all incoming and outgoing IPv4 datagrams and to keep the translation details in memory.

• NAT may cause delay in IPv4 communication.

• NAT causes loss of end-device to end-device IP
traceability.

• Some technologies and network applications will not function as expected in a NAT-
configured network (e.g. protocols that carry IP addresses inside their payload).

71
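A worked example, added here and not part of the lecture slides, of the PAT mapping described above: a small simulation of a port address translator whose translation table lets two private hosts share one public address, maps the replies back, refuses to reuse a mapping for a different external peer, and drops an inbound packet that no internal host asked for (the "hiding" effect of NAT). The addresses (192.168.0.0/16 for the private side, 203.0.113.1 and 198.51.100.0/24 from the documentation ranges), the tiny port pool and the packet layout are assumptions of the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the fields a NAT rewrites or matches on (constructed for the demo)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class PortAddressTranslator:
    """One public IPv4 address shared by many private hosts (PAT, 'NAT overload')."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40003):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))   # tiny pool on purpose
        self.outbound_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: allocate a public port for a new flow, rewrite the source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound_map.get(flow)
        if port is None:
            if not self.free_ports:
                raise RuntimeError("translation table full: no free public port")
            port = self.free_ports.pop(0)
            self.outbound_map[flow] = port
            self.inbound_map[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet):
        """Public -> private: only packets matching an existing mapping get through."""
        flow = self.inbound_map.get(pkt.dst_port)
        if flow is None or pkt.dst_ip != self.public_ip:
            return None                      # no mapping: unsolicited, dropped
        priv_ip, priv_port, ext_ip, ext_port = flow
        if (pkt.src_ip, pkt.src_port) != (ext_ip, ext_port):
            return None                      # mapping was opened to a different peer
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    nat = PortAddressTranslator("203.0.113.1")
    h1 = Packet("192.168.0.10", 5000, "198.51.100.80", 80, b"GET /")
    h2 = Packet("192.168.0.11", 5000, "198.51.100.80", 80, b"GET /")
    out1, out2 = nat.outbound(h1), nat.outbound(h2)      # same private port, two public ports
    reply1 = Packet("198.51.100.80", 80, nat.public_ip, out1.src_port, b"200 OK")
    back1 = nat.inbound(reply1)                           # mapped back to 192.168.0.10:5000
    scan = Packet("198.51.100.99", 4444, nat.public_ip, 40002, b"scan")
    unsolicited = nat.inbound(scan)                       # no mapping -> None
    return out1, out2, back1, unsolicited
```

The endpoint check in inbound() is what makes the translator "restrictive"; a translator that skipped it would forward any packet sent to an allocated port, which is one reason NAT alone is not an access-control mechanism.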
Internet security threats
Packet sniffing (analysis):
– the attacker reads all packets passing by
– can read all unencrypted data (e.g. passwords)
– e.g.: C sniffs B's packets

[Figure: B sends "src:B dest:A payload" to A over a shared link; C, on the same link, reads it.]

https://www.youtube.com/watch?v=0_SxSYyEvos
72
Internet security threats
Replay Attack:
– the attacker resends a sniffed packet to A.
– A might respond to the payload again.

[Figure: C captures "src:B dest:A payload" from B and later sends an identical copy to A.]

Payload: transfer 100 dollars from B's account to C's account.
73
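The replay above, and the mechanism that resists it, as an added example that is not from the lecture slides. A naive receiver executes the captured transfer twice. The hardened receiver requires every message to carry a sequence number and an HMAC-SHA256 tag (HMAC is listed among the keyed hashes on the cryptography mechanisms slide) computed with a key shared by B and A: a verbatim replay is rejected because its sequence number is not fresh, and the attacker cannot simply bump the sequence number because the tag would no longer verify. The shared key, the message layout and the transfer string are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demo; in practice it comes from key establishment.
SHARED_KEY = b"demo-shared-secret-between-A-and-B"
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def make_message(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Build seq (4 bytes, big-endian) || payload || HMAC-SHA256(key, seq || payload)."""
    body = struct.pack("!I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class NaiveReceiver:
    """Executes every well-formed message: a replayed transfer is carried out twice."""

    def __init__(self):
        self.executed = []

    def receive(self, msg: bytes) -> bool:
        self.executed.append(msg[4:-TAG_LEN])
        return True


class AntiReplayReceiver:
    """Accepts a message only if its tag verifies and its sequence number is fresh."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = 0          # highest sequence number accepted so far
        self.executed = []

    def receive(self, msg: bytes) -> tuple:
        if len(msg) < 4 + TAG_LEN:
            return False, "malformed"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad tag"                  # forged or modified (integrity)
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self.last_seq:
            return False, "replay"                   # seen before (or older)
        self.last_seq = seq
        self.executed.append(body[4:])
        return True, "ok"


def demo():
    transfer = b"transfer 100 dollars from B's account to C's account"
    msg = make_message(1, transfer)            # B -> A, captured on the wire by C
    naive, hardened = NaiveReceiver(), AntiReplayReceiver()
    naive.receive(msg)
    naive.receive(msg)                         # C resends: executed twice
    first = hardened.receive(msg)              # (True, "ok")
    replay = hardened.receive(msg)             # (False, "replay")
    forged = struct.pack("!I", 2) + msg[4:]    # C bumps seq without the key
    forge = hardened.receive(forged)           # (False, "bad tag")
    return len(naive.executed), first, replay, forge, len(hardened.executed)
```

The strictly increasing counter assumes in-order delivery; a protocol that must tolerate reordering, such as IPsec covered later in the course, keeps a sliding window of recently seen sequence numbers instead of a single high-water mark.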


Internet security threats
IP Spoofing:
– the attacker can generate "raw" IP packets directly from an application, putting any
value into the IP source address field
– the receiver can't tell if the source is spoofed
– e.g.: C pretends to be B

[Figure: C sends "src:B dest:A payload" to A.]

https://www.youtube.com/watch?v=rxN4zWTNSds
74
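An added example, not from the lecture slides, that ties the spoofing slide to the TCP, IPv4 and frame header slides and to the four address levels: it builds an Ethernet/IPv4/TCP frame from constructed values, parses the MAC addresses, IP addresses and ports back out of it, and then shows why the receiver cannot tell a spoofed source apart. The IPv4 header checksum is only an error-detection code: after the source address is overwritten the checksum is simply recomputed and the frame verifies exactly as before. The MAC and IP addresses (documentation ranges), the ports and the HTTP payload are assumptions of the example; the TCP checksum is left at zero because computing it needs the pseudo-header and is not the point here.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHIIHHHH")       # 20-byte TCP header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of
    16-bit words. Over a header that already contains its checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    # data offset 5 words, flags PSH|ACK, TCP checksum left 0 (needs pseudo-header)
    tcp = TCP_HDR.pack(sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = IP_HDR.size + len(tcp) + len(payload)
    ip = IP_HDR.pack(0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), 0x0800)          # 0x0800 = IPv4
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel off the three headers and report the address at each level."""
    dst_mac, src_mac, _ethertype = ETH_HDR.unpack_from(frame, 0)
    ip_raw = frame[14:34]
    _, _, total_len, _, _, _ttl, _proto, _, src_ip, dst_ip = IP_HDR.unpack(ip_raw)
    sport, dport, _seq, _ack, off_flags, _, _, _ = TCP_HDR.unpack_from(frame, 34)
    tcp_len = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),       # physical
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),  # logical
        "ip_checksum_ok": ipv4_checksum(ip_raw) == 0,
        "sport": sport, "dport": dport,                                  # port
        "payload": frame[34 + tcp_len:14 + total_len],
    }


def spoof_source(frame: bytes, fake_src_ip: str) -> bytes:
    """What an attacker with raw-socket access does: overwrite the source address
    and recompute the header checksum, so nothing in the header reveals the change."""
    ip = bytearray(frame[14:34])
    ip[12:16] = socket.inet_aton(fake_src_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[34:]


def demo():
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.0.2.10", "198.51.100.20", 40001, 80,
                        b"GET / HTTP/1.0\r\n\r\n")
    return parse_frame(frame), parse_frame(spoof_source(frame, "192.0.2.99"))
```

Both parses report ip_checksum_ok as True; the only visible difference is the source address, which is exactly the field the receiver has no way to validate from the header alone. That is the basis of the PMP answer that the IPv4 header is not a security mechanism.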
Internet security threats
Denial of service (DoS):
– a flood of maliciously generated packets "swamps" a receiver
– Distributed DoS (DDoS): multiple coordinated sources swamp a
receiver
– e.g., C and remote hosts SYN-attack A

[Figure: C and other remote hosts send streams of SYN packets to A while B, a legitimate
client, is also trying to send its SYN to A.]

75
Review, Summary, and PMP

76
Review & Summary
• Each network protocol provides one function, while each
network security protocol provides one kind of protection.

• OSI is for understanding and designing the system architecture,
given the complexity of network communication.

• Network protocols add headers after applying each function.
The headers make it easy for receivers to know what to do.

• There are four types of addresses to make sure that network
communications can succeed for multiple users (devices) and
multiple applications (software) at the same time.
77
PMP: Practice Makes Perfect
• Briefly explain the need for having port numbers.

• Briefly justify the difference between an IP address and a MAC address.

• Alice said that the header of the IPv4 protocol is for security purposes.
Justify what Alice has said.

• Alice said that the replay attack is about confidentiality. Justify
what Alice has said.

78
PMP: Practice Makes Perfect
• Briefly explain the need for having port numbers.
Multiple applications on one host can communicate within one network at the same time.
• Briefly justify the difference between an IP address and a MAC address.
An IP address is the logical address and is used for communication across different
networks, while a MAC address is the physical address and is sufficient for
communication within one local network.
• Alice said that the header of the IPv4 protocol is for security purposes. Justify
what Alice has said.
False. The header information is used to deliver data packets successfully over
networks; the header checksum only detects accidental transmission errors and offers no
protection against deliberate modification.
• Alice said that the replay attack is about confidentiality. Justify what
Alice has said.
False. A replay attack allows the adversary to impersonate a sender who
sends data to a receiver. So it is more about integrity (and authenticity).
79
Network Security
CSCI368/968

Dr. Fuchun Guo


University of Wollongong

1
Cryptography Basics

Use not Design

2
Types of Cryptography (High-Level View)

Cryptography
├─ Classical
└─ Modern
   ├─ Symmetric: ke = kd (the same key encrypts and decrypts)
   └─ Public-key: ke ≠ kd (an encryption key and a different decryption key)

3
Providing CIA

Confidentiality: Encryption (symmetric or public key)
Integrity: Message Authentication Codes (symmetric)
Authenticity: Digital Signatures (public key)

4
Modern Cryptography Overview

5
Timeline
1883 Cryptography Principle (Kerckhoffs's principle: the security must rest in the
key, not in the secrecy of the algorithm)
1936 Turing Machine
1946 Digital Computers
1949 Shannon's Work
1960 Computer Networks
1965 Computational Complexity Theory
1976 Modern Cryptography

Everything before 1976 is classical cryptography.

6
Steganography vs Cryptography

• Steganography
– Also known as secret/covered writing
– Hiding secret messages in public ones
– Focused on hiding the presence of secret information, or
communication channel
• Cryptography (before 1976)
– The communication channel is public
– Focused on transforming cleartext (plaintext) to
ciphertext

7
8
Classical Cryptography

9
Cryptography
Cryptography (before 1883)
Cryptography = Encryption + Decryption
Encryption = encryption algorithm
Decryption = decryption algorithm
(the algorithm itself is the secret)

Cryptography (1883-1976)
Cryptography = Encryption + Decryption
Encryption = encryption algorithm + secret key
Decryption = decryption algorithm + secret key
(the algorithm is public; only the key is secret)
Classical Cryptography

• Main techniques

• Shift cipher
• Substitution cipher
• Transposition cipher

Modern symmetric-key ciphers also use these


techniques, but in a much more complex way.

11
Shift Cipher
• Replace letters of a message by other distinct letters a fixed distance away
• Famous shift cipher: Caesar Cipher
• Shift by 3 letters
• reputedly used by Julius Caesar (100 – 44 B.C.)
• Plaintext: ATTACK AT DAWN
Ciphertext: DWWDFN DW GDZQ

• A shift cipher can also be described as


Encryption EK(x) = x + K mod 26
Decryption DK(x) = x - K mod 26
for English alphabet by setting up a correspondence
between alphabetic characters and residues modulo 26.

A B C D E … X Y Z
0 1 2 3 4 … 23 24 25

K=3 in Caesar Cipher.

12
Substitution Cipher
• A key is a random permutation of the alphabetic characters.
• E.g. [figure: a substitution table]

• What's the plaintext of
"VYGFFB FP YFTLUMZSO XSA ZSPFCTXMZFS
MHYGSFBFOD"?

"school of computing and information
technology"
Transposition Ciphers

• These hide the message by rearranging the letter order without
altering the actual letters used
• Used also in steganography

• Write the letters of the message out in rows over a specified number of columns
• Then read the message off column by column, taking the columns in the order
given by the key (the column labelled 1 first)

Key: 4312567
Plaintext: attackpostponeduntiltwoam (padded with xyz to fill the last row)

4 3 1 2 5 6 7
A T T A C K P
O S T P O N E
D U N T I L T
W O A M X Y Z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

14
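The three classical techniques above (shift, substitution, columnar transposition), as an added example that is not code from the lecture slides. It reproduces the slide values: the Caesar shift of ATTACK AT DAWN, the columnar transposition with key 4312567, and the substitution ciphertext on the previous slide. Because the substitution key itself was not shown, the block recovers the cipher-to-plain mapping from the known plaintext/ciphertext pair on the slide, which is also the simplest known-plaintext attack on a substitution cipher; the random key generator uses the random module for reproducibility and is not a cryptographic random source.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(text: str, k: int) -> str:
    """E_K(x) = x + K mod 26 on letters; other characters pass through unchanged."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] if c in ALPHABET else c
                   for c in text.upper())


def shift_decrypt(text: str, k: int) -> str:
    """D_K(x) = x - K mod 26."""
    return shift_encrypt(text, -k)


def substitution_keygen(seed=None) -> str:
    """Key = a permutation of the alphabet; position i holds the image of letter i.
    random.Random is used so the demo is reproducible; it is not a CSPRNG."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


def substitution_encrypt(text: str, key: str) -> str:
    return text.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(text: str, key: str) -> str:
    return text.upper().translate(str.maketrans(key, ALPHABET))


def recover_substitution_key(ciphertext: str, plaintext: str) -> dict:
    """Known-plaintext attack: read the cipher->plain mapping off one matching pair
    and refuse inconsistent pairs (a letter mapping to two different letters)."""
    mapping = {}
    for c, p in zip(ciphertext.upper(), plaintext.upper()):
        if c in ALPHABET:
            if mapping.get(c, p) != p:
                raise ValueError("inconsistent mapping for " + c)
            mapping[c] = p
    return mapping


# Ciphertext and plaintext from the substitution slide.
SLIDE_CT = "VYGFFB FP YFTLUMZSO XSA ZSPFCTXMZFS MHYGSFBFOD"
SLIDE_PT = "school of computing and information technology"


def decrypt_slide_example() -> str:
    mapping = recover_substitution_key(SLIDE_CT, SLIDE_PT)
    return "".join(mapping.get(c, c) for c in SLIDE_CT)


def columnar_encrypt(plaintext: str, key: str, pad: str = "XYZ") -> str:
    """Write the letters row by row under the key digits, pad the last row, then
    read the columns in key order (the column labelled 1 first)."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    n = len(key)
    letters += [pad[i % len(pad)] for i in range((-len(letters)) % n)]
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    order = sorted(range(n), key=lambda i: key[i])
    return "".join(row[col] for col in order for row in rows)


def columnar_decrypt(ciphertext: str, key: str) -> str:
    """Refill the columns in key order, then read the grid row by row."""
    n = len(key)
    nrows = len(ciphertext) // n
    order = sorted(range(n), key=lambda i: key[i])
    cols = [""] * n
    for k, col in enumerate(order):
        cols[col] = ciphertext[k * nrows:(k + 1) * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(n))
```

Note how little work recover_substitution_key needs: a single sentence of known plaintext pins down 18 of the 26 key letters, which is why a monoalphabetic substitution offers no real security despite its 26! possible keys.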
1949 Shannon's Work

15
Shannon's Work
• Shannon joined Bell Labs to work on fire-control systems and
cryptography during World War II.

• At the close of the war, he prepared a classified report for Bell
Telephone Labs entitled "A Mathematical Theory of Cryptography".

• In 1948, he published the paper "A Mathematical Theory of
Communication" (information theory).

• In 1949, a declassified version of the cryptography report was published as
"Communication Theory of Secrecy Systems" in the Bell System
Technical Journal. (Studying cryptography with mathematics.)
Shannon's Work
• What kinds of cryptosystem can be broken.
(The attacker's computation time is not limited, so this is information-theoretic
security: a purely theoretical question.)

• What kinds of cryptosystem cannot be broken.
(One-Time Pad)

One-Time Pad: C = K ⊕ M
• The secret key is as long as the message to be encrypted
• Each secret key is used once only
• The secret key is chosen uniformly at random
(Timeline slide repeated; see slide 6. The next entry is the Turing machine, 1936.)

18
Alan Turing and Turing Machine

19
David Hilbert (1912)
Born 23 January 1862, Königsberg or Wehlau, Prussia
Died 14 February 1943 (aged 81), Göttingen, Nazi Germany

• One of the most influential mathematicians of the 19th and
early 20th centuries.

• He proposed 23 open problems in mathematics in 1900.

• In 1928, Hilbert asked: Is mathematics complete, is it
consistent, and is it decidable?

Decision problem (Entscheidungsproblem):
Can any problem be decided with true or false?
Can any mathematical theorem be proved to be true or false?

20
In 1936, Turing published his paper "On Computable Numbers, with an Application to the
Entscheidungsproblem".

Some problems must be undecidable!

Turing Machine

21
Turing Machine

• A Turing machine is not a computer but a computation model.

• The computation model can capture all computations by humans.

• If a computing device meets the computation model, it can perform
computations as smart as humans. (theory only)

22
Turing Machine

• A digital computer must provide the computing ability captured by a Turing
machine. (We had such computers 10 years later.)

• The Turing machine was later applied in studying computational
complexity theory.

23
23
Computers and Network

24
[Figure: 1. Computers (1940s) + 2. Networks (1960s) -> 3. ATM]

25
Bank Server

How to keep our money safe?

26
What has happened next?

27
• Computer networks need protection with cryptography (encryption
and decryption)

• Computers run encryption and decryption

• Need to design cryptography for business applications

• Cryptography should be strong against very powerful computers

• The first cipher of modern cryptography is DES, from the 1970s

28
Bank Server

Our money is safe with DES as long as the communication is encrypted!
(A historical statement: DES's 56-bit key has been brute-forceable since the late 1990s.)

29
[Figure: 1. Computers + 2. Networks -> 3. Emails]

30
Email Server

How to keep our email safe?

31
However……

How to solve the problem of key distribution? Bottleneck

32
1976 Public-Key Cryptography

33
After 1976

Cryptology = Cryptography + Cryptanalysis

Cryptography:
• Symmetric-Key Encryption
• Asymmetric-Key Encryption
• Message Authentication Code
• Digital Signatures
• Hash Function
• Security Protocols
– Zero-Knowledge Proof
– Identification Protocol
– MPC
– Commitment

34
How to understand each cryptography?

35
Basic Concepts

• Each cryptographic primitive was invented for a security service
• Integrity/Confidentiality
• Data/Users/Computing

• Algorithm Definition
• We use algorithms to provide the security service

• Security Model
• Formally defines what kinds of attacks it can resist.

36
36
Outline of Introduced Cryptography

• Symmetric-key Encryption (Confidentiality)
• Hash Function
• Message Authentication Code (Integrity)

• Public-key Encryption (Confidentiality)
• Digital Signatures (Integrity, Authenticity)
• Identification (Integrity/Authenticity of Users)
• Hybrid systems

Which Cryptography Should I use?
37

Outline: Which Cryptography Should I use?

• Protect what? (Data/User)

• Service? (Confidentiality/Integrity)

• Background? (Sharing secret keys or not)

38
Symmetric-Key Encryption

39
Symmetric-Key Encryption

• KeyGen(λ): Taking as input a security parameter λ, the P.P.T.
(probabilistic polynomial-time) algorithm returns a key K.

• Encrypt(M, K): Taking as input a message M and a key K, the
P.P.T. algorithm returns a ciphertext denoted by CT.
CT ← Encrypt(M, K)

• Decrypt(CT, K): Taking as input a ciphertext CT and a key K, the
P.P.T. algorithm returns a message M.
40
Symmetric-Key Encryption

[Figure: M -> E (secret key) -> C -> D (secret key) -> M; the same secret key is used at both ends.]

41
Types of modern symmetric ciphers

Stream ciphers: RC4
Block ciphers: DES, AES
Parameters of a block cipher: block length, key space, modes of operation

Stream ciphers
Operate on the plaintext a single bit (or sometimes byte) at a time

Block ciphers
Operate on the plaintext in groups of bits. The groups of bits are called blocks.
Typical block size is 64 bits or a multiple of it (e.g. 128 bits, 256 bits).
42
Block vs Stream Ciphers

Stream Ciphers
• Stream ciphers convert plaintext to ciphertext with a key stream:
  C = c1 c2 ... = E_k1(p1) E_k2(p2) ...
• The simplest stream cipher
  – Keystream generator: {ki}, i = 1, 2, ..., n
  – Stream of plaintext bits: {pi}, i = 1, 2, ..., n
  – Stream of ciphertext bits: {ci}, i = 1, 2, ..., n
  – Encryption: ci = pi ⊕ ki
  – Decryption: pi = ci ⊕ ki

44
Stream Ciphers
• Security issues of stream ciphers
  – The security depends entirely on the insides of the keystream generator
    • If the keystream is an endless stream of zeros, the ciphertext equals the plaintext.
    • If the keystream is an endless stream of truly random bits that is never reused, we have a one-time pad.
    • If the same keystream is used twice, XOR-ing the two ciphertexts cancels the keystream and reveals p1 ⊕ p2.
    • XOR-ing gives no integrity: flipping a ciphertext bit flips the corresponding plaintext bit, so a MAC is needed on top.
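The following is an added example, not code from the lecture, of the XOR stream cipher described above. A SHA-256 counter-mode construction (my choice, not a real cipher) stands in for the keystream generator; the block also shows the two failure modes just listed, keystream reuse and malleability. All function names are mine.

```python
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (constructed for this example): SHA-256 of
    (key || nonce || counter) in counter mode. Real systems use ChaCha20 or AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # c_i = p_i XOR k_i
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # p_i = c_i XOR k_i: XOR is its own inverse, so decryption is the same operation
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))

def keystream_reuse_leaks(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Two-time pad: with the same (key, nonce) the keystream cancels out and
    c1 XOR c2 == p1 XOR p2, leaking the relation between the plaintexts."""
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(p1, p2)[:n]

def tamper(key: bytes, nonce: bytes, plaintext: bytes, index: int, new_byte: bytes) -> bytes:
    """Malleability: an attacker who knows (or guesses) plaintext[index] flips
    ciphertext bits so that the receiver decrypts new_byte at that position.
    The attacker never touches the key; it is used here only to produce the
    ciphertext and to play the receiver. This is why a stream cipher needs a MAC."""
    c = bytearray(encrypt(key, nonce, plaintext))
    c[index] ^= plaintext[index] ^ new_byte[0]
    return decrypt(key, nonce, bytes(c))

if __name__ == "__main__":
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    msg = b"attack at dawn"
    assert decrypt(key, nonce, encrypt(key, nonce, msg)) == msg
    print("keystream reuse leaks p1^p2:", keystream_reuse_leaks(key, nonce, msg, b"attack at dusk"))
    print("tampered:", tamper(key, nonce, b"pay 100 dollars", 4, b"9"))
```

The nonce is what makes the keystream differ per message under one key; in practice it must never repeat for the same key, which is exactly the one-time-pad condition restated.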
Block Ciphers
• A block of plaintext is encrypted as a whole, under a single key, to produce a ciphertext block of equal length:
  plaintext block (e.g. 100111 010110 100111) → Encryption (key) → ciphertext block (e.g. 010010 110100 110110)

  C = c1 c2 ... = Ek(p1) Ek(p2) ...

• Applying Ek block by block like this is ECB mode: identical plaintext blocks give identical ciphertext blocks, so other modes of operation are used in practice.
Block Ciphers

• A modern block cipher consists of a number of rounds; each round consists of XOR-ing a round subkey (key mixing), substitutions (S-boxes) and a permutation.
• Avalanche effect: small changes in either plaintext or key should result in significant changes in the ciphertext (ideally about half of the output bits flip).
Hash Function

48
Hash Functions
• A hash function (algorithm) is denoted by
  h: {0, 1}* → {0, 1}^n
  where n is a security parameter.
• Let x be some message. h(x) is called the message digest.
• x can be of arbitrary length while h(x) has a fixed length.
• Given x, it is easy to compute h(x).

Hash Functions: Original Motivation
• We want to use h(x) to represent x: cryptographic computations on h(x) are much cheaper than on x.
• However, since the input space is larger than the output space, there exist different inputs x_1 and x_2 such that y = h(x_1) = h(x_2). So does y represent x_1 or x_2? To avoid this problem, we require that finding such pairs is computationally hard.
Cryptographic hash functions

• We require the following properties for cryptographic hash functions:
  1. It can be applied to any size input.
  2. The output must be of fixed size.
  3. Easy to compute.
  4. Pre-image resistant: for any given Y, it is difficult to find an X such that H(X) = Y.
  5. Collision resistant: it is computationally infeasible to find messages X and Y with X ≠ Y such that H(X) = H(Y).
• Standard definitions also require second pre-image resistance: given X, it is infeasible to find X' ≠ X with H(X') = H(X). Collision resistance implies it.
Message Authentication Code

52
Message Authentication Code

• KeyGen(λ): Taking as input a security parameter λ, the P.P.T. algorithm returns a key K.
• MAC(M, K): Taking as input a message M and a key K, the deterministic polynomial-time (D.P.T.) algorithm returns a tag (cryptographic checksum) t.
  t ← MAC(M, K)
• Verify(M, t, K): recompute MAC(M, K) and compare it with t; accept iff they match.

Message Authentication Code
• Symmetric tool for message integrity and authenticity
• Produces a cryptographic checksum
• Common constructions
  – Hash function based (e.g. HMAC)
  – Block cipher based (e.g. CBC-MAC, CMAC)
What is message integrity
• Preventing unauthorised modification of data
• Different from error detection
– This is for unintentional modification of data (e.g., due to
noise)
• Both involve a checksum
– Integrity check value is based on the message and a secret
key
– Error correction/detection code does not use secret key

55
Message Authentication Code
• Transmitter and receiver share a secret key K. To transmit M, the transmitter calculates a MAC and appends it to M, thus t = MAC_K(M).

  Transmitter: (M, t = MAC_K(M)) ── (Oscar may intercept and modify) ──> Receiver: recompute MAC_K(M), compare with t

• The receiver receives a message (M, t). It uses the key K and M to calculate MAC_K(M) and compares it with t. If the two match, the received message is accepted as authentic.
• The MAC is also called a cryptographic checksum.
• The comparison should run in constant time, so that the time taken to reject a wrong tag does not leak how many leading bytes matched.
HMAC
• HMAC uses a cryptographic hash function such as SHA-2 or SHA-3:
  HMAC(K, m) = H((K' ⊕ opad) ∥ H((K' ⊕ ipad) ∥ m)), where K' is K padded to the hash block size.
• Treats the hash function as a "black box"
  – Existing implementations of hash functions can be used
  – It is easy to replace the hash function (if it turns out not to be secure)
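An added example, not from the lecture, covering the hash-function and MAC slides above: a fixed-length digest with the avalanche effect, HMAC built by hand from SHA-256 as a black box and checked against the standard library, and receiver-side verification with a constant-time comparison. Names are mine.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this size

def digest(data: bytes) -> bytes:
    """h: {0,1}* -> {0,1}^256, fixed-length output for any input length."""
    return hashlib.sha256(data).digest()

def differing_bits(m1: bytes, m2: bytes) -> int:
    """How many of the 256 output bits change between h(m1) and h(m2)?
    For a one-byte change roughly half of them do (avalanche)."""
    a = int.from_bytes(digest(m1), "big")
    b = int.from_bytes(digest(m2), "big")
    return bin(a ^ b).count("1")

def hmac_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC from the hash as a black box (RFC 2104):
    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    if len(key) > BLOCK_SIZE:
        key = digest(key)                      # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")       # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + msg))

def mac_tag(key: bytes, msg: bytes) -> bytes:
    """t <- MAC(M, K) using the standard library implementation."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute MAC_K(M) and compare in constant time, so the
    comparison does not leak how many leading bytes of a forged tag were right."""
    return hmac.compare_digest(mac_tag(key, msg), tag)

if __name__ == "__main__":
    key = b"shared-secret-key"
    tag = mac_tag(key, b"amount=100")
    print("manual == stdlib:", hmac_manual(key, b"amount=100") == tag)
    print("accept genuine:", mac_verify(key, b"amount=100", tag))
    print("reject modified:", mac_verify(key, b"amount=900", tag))
    print("bits changed by 'abc'->'abd':", differing_bits(b"abc", b"abd"))
```

The manual construction exists only to show why HMAC can swap hash functions freely; in production use the library call, and always verify with a constant-time comparison.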
Public-Key Encryption

58
Public-Key Encryption

• KeyGen(λ): Taking as input a security parameter λ, the P.P.T. algorithm returns a key pair (pk, sk).
• Enc(pk, M): Taking as input a message M and a public key pk, the P.P.T. algorithm returns a ciphertext denoted by CT.
  CT ← Enc(pk, M)
• Dec(CT, sk): Taking as input a ciphertext CT and the secret key sk, the algorithm returns M or ⊥ (reject).

One-Way Trapdoor Function (Permutation)

(Definition) A function f: {0,1}* → {0,1}* is a one-way trapdoor function if
• Easy: there exists a P.P.T. algorithm that can compute f(x) for any x.
• Hard: for every P.P.T. adversary $\mathcal{A}$ given f(x) for a random x, we have
  $\Pr[f(\mathcal{A}(f(x))) = f(x)] \le \epsilon$
  where ε is a negligible probability.
• Invert: there exists a trapdoor td and a P.P.T. algorithm that, given td and f(x), easily computes x.

Note: more precisely, we should call this a trapdoor permutation rather than a function, where the input and output are from the same space and distinct inputs give distinct outputs.
Modular Arithmetic
• Define the modulo operator
  b = a mod n
  to be the remainder when a is divided by n.
• b is called the residue of a mod n
  – since a can be represented as a = qn + b
  – usually we take 0 ≤ b ≤ n-1
  – E.g. -12 ≡ -5 ≡ 9 ≡ 2 (mod 7)
RSA
• The RSA public-key cryptosystem (Rivest, Shamir and Adleman, 1978) is the most popular and versatile PKC.
• RSA uses the fact that it is easy to find primes and multiply them together to construct composite numbers, but it is difficult to factor a large composite number.

The Textbook RSA
1. Choose two large primes p and q. Compute n = pq and m = φ(n) = (p-1)(q-1).
   • φ(n) is Euler's totient function: the number of positive integers less than n that are relatively prime to n.
2. Choose e, 1 < e < m, such that gcd(e, m) = 1.
3. Find d such that ed ≡ 1 (mod m).
   • This is possible because of the choice of e.
   • d is the multiplicative inverse of e modulo m and can be found using the extended Euclidean (gcd) algorithm.
4. The public key is (e, n).
   The private key is (d, n).
RSA Encryption and Decryption

• If Bob wants to encrypt a message X for Alice, he uses Alice's public key and computes the ciphertext Y as
  Y = X^e mod n
• When Alice wants to decrypt Y, she uses the private key and calculates
  X = Y^d mod n
• X and Y are both integers in {0, 1, …, n-1}.
• Textbook RSA is deterministic and malleable; real systems apply randomised padding (e.g. OAEP) before exponentiation.

• Example: Choose p = 11 and q = 13.
  n = 11 × 13 = 143
  m = (p-1)(q-1) = 10 × 12 = 120
  e = 37 ⇒ gcd(37, 120) = 1
  Using the extended gcd algorithm we find d such that ed ≡ 1 (mod 120):
  d = 13 ⇒ de = 481 = 4 × 120 + 1 ≡ 1 (mod 120).
The ElGamal Encryption

• The security of this system relies on another hard problem
  – the discrete logarithm problem
• Operates in the group Z_p* = {1, 2, …, p-1} where p is a large prime number

Generator of Z_p*

• An element a is a generator (or primitive root) of Z_p* if
  a^i (mod p) for 0 < i ≤ p-1
  generates all numbers 1, …, p-1
• Test: a is a generator iff a^((p-1)/r) ≠ 1 (mod p) for every prime factor r of p-1.

Discrete Logarithm Problem

INPUT:
• Z_p*
• g in Z_p*, a generator of Z_p*
• h in Z_p*
Find the unique number a, 0 ≤ a < p-1, such that
  h = g^a mod p
• DL assumption: there is no efficient algorithm to solve the DL problem.
• It is widely believed that this assumption holds (for suitably large p).
The ElGamal Cryptosystem

• Key generation:
  – Alice chooses a prime p, a generator g of Z_p*, and a random number u with 1 ≤ u ≤ p-2.
  – Then she computes:
    y = g^u mod p
  Alice's public key is (p, g, y), her secret key is u.

• To encrypt a message X for Alice, Bob chooses a random number k, 1 ≤ k ≤ p-2. Then he calculates:
  a = g^k mod p
  b = y^k × X mod p
• The ciphertext is (a, b).
• The length is twice the length of the plaintext.
• To decrypt (a, b) Alice calculates
  X = b / a^u mod p = b × (a^u)^(-1) mod p
  (division means multiplying by the inverse mod p).
• A fresh k must be used for every message: reusing k leaks the ratio of the two plaintexts, since b1/b2 = X1/X2.
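An added worked example (mine, not the lecture's) of the scheme above on the toy prime p = 1019 with generator g = 2: key generation with a generator check, encryption with a fresh k, decryption by multiplying with the inverse of a^u, and the malleability that follows from b = y^k × X.

```python
import secrets

def prime_factors(n: int) -> set:
    """Trial-division factorisation; fine for the toy sizes used here."""
    factors, r = set(), 2
    while r * r <= n:
        while n % r == 0:
            factors.add(r)
            n //= r
        r += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* iff g^((p-1)/r) != 1 mod p for every prime factor r of p-1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def keygen(p: int, g: int):
    if not is_generator(g, p):
        raise ValueError("g is not a generator of Z_p^*")
    u = secrets.randbelow(p - 2) + 1          # secret exponent, 1 <= u <= p-2
    return (p, g, pow(g, u, p)), u            # public key (p, g, y), secret key u

def encrypt(pub, x: int):
    p, g, y = pub
    k = secrets.randbelow(p - 2) + 1          # fresh randomness for every message
    return pow(g, k, p), (pow(y, k, p) * x) % p      # (a, b) = (g^k, y^k * X)

def decrypt(priv: int, pub, ct) -> int:
    p, _, _ = pub
    a, b = ct
    return (b * pow(pow(a, priv, p), -1, p)) % p     # X = b / a^u = b * (a^u)^-1 mod p

def reencrypt_scaled(pub, ct, factor: int):
    """Malleability: without the key, (a, b*f) decrypts to f*X. Textbook ElGamal
    therefore gives confidentiality but no integrity."""
    p, _, _ = pub
    a, b = ct
    return a, (b * factor) % p

if __name__ == "__main__":
    pub, u = keygen(1019, 2)                  # toy parameters; 2 is a primitive root mod 1019
    ct = encrypt(pub, 777)
    print("ciphertext:", ct, "decrypts to", decrypt(u, pub, ct))
    print("scaled by 3 decrypts to", decrypt(u, pub, reencrypt_scaled(pub, encrypt(pub, 10), 3)))
```

Encrypting the same X twice gives two different ciphertexts because k is fresh each time; that randomisation is what textbook RSA lacks.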
Digital Signatures

71
Digital Signatures

• KeyGen(λ): Taking as input a security parameter λ, the P.P.T. algorithm returns (pk, sk).
• Sign(M, sk): Taking as input a message M and a secret key sk, the P.P.T. algorithm returns a signature denoted by S.
  S ← Sign(M, sk)
• Verify(M, S, pk): Taking as input a message, its signature and the public key pk, the algorithm returns 1 (accept) or 0 (reject).

Digital Signature
Public-key analogue of message authentication codes: the private key signs (M → S → t), the public key verifies ((M, t) → V → 0/1).
RSA Signature Scheme
• Key Generation:
  – Generate primes P and Q, compute N = PQ
  – Generate d and e such that de ≡ 1 (mod (P-1)(Q-1))
  – Public key (N, e)
  – Private key d
• SIGN:
  – Given message m, compute s = m^d mod N
• VER:
  – Given message m and signature s, check whether m = s^e mod N

Hash-then-Sign
• Sign the digest rather than the message: s = H(m)^d mod N; verify by checking s^e mod N = H(m).
• This handles messages of any length and blocks the multiplicative forgery of textbook RSA, where s1 × s2 is a valid signature on m1 × m2 mod N.
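Added example, not from the slides: the textbook RSA of the preceding slides on the lecture's own parameters (p = 11, q = 13, e = 37), with the extended Euclidean algorithm for d, encryption and decryption, textbook signing, and the multiplicative forgery that hash-then-sign prevents. Function names are mine.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m (exists iff gcd(a, m) = 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m

def keygen(p: int, q: int, e: int):
    """Textbook RSA key generation from two primes and a chosen e."""
    n, m = p * q, (p - 1) * (q - 1)          # m = phi(n)
    if egcd(e, m)[0] != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, m)                          # e*d = 1 mod phi(n)
    return (e, n), (d, n)                     # public key, private key

def encrypt(pub, x: int) -> int:
    e, n = pub
    return pow(x, e, n)                       # Y = X^e mod n

def decrypt(priv, y: int) -> int:
    d, n = priv
    return pow(y, d, n)                       # X = Y^d mod n

def sign_textbook(priv, m: int) -> int:
    d, n = priv
    return pow(m, d, n)                       # s = m^d mod N

def verify_textbook(pub, m: int, s: int) -> bool:
    e, n = pub
    return pow(s, e, n) == m % n              # check m = s^e mod N

def forge_product(pub, m1: int, s1: int, m2: int, s2: int):
    """Textbook RSA signatures are multiplicative: from valid (m1, s1) and (m2, s2)
    anyone can produce a valid signature s1*s2 on m1*m2 mod N without the private key.
    Hash-then-sign blocks this, since the forger cannot control H(m)."""
    _, n = pub
    return (m1 * m2) % n, (s1 * s2) % n

if __name__ == "__main__":
    pub, priv = keygen(11, 13, 37)            # the lecture's example: n = 143, d = 13
    print("keys:", pub, priv)
    y = encrypt(pub, 42)
    print("42 ->", y, "->", decrypt(priv, y))
    m, s = forge_product(pub, 5, sign_textbook(priv, 5), 7, sign_textbook(priv, 7))
    print("forged signature on", m, "verifies:", verify_textbook(pub, m, s))
```

With n = 143 everything is brute-forceable, which is the point of a worked example; the forgery works identically at 2048 bits, which is why real RSA signatures always sign a padded hash.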
Identification (Protocol)

• Impersonation attack: an attack in which an adversary successfully assumes the identity of one of the legitimate parties in a system or in a communications protocol. (The adversary logs in as Alice.)
• A MAC can be used for identification to resist impersonation attacks, but it requires A and B to share a secret key.
• Identification protocols are used in the scenario without a shared secret key!
Schnorr Identification

• Alice is the prover and Bob is the verifier.
• The identification protocol is composed of three moves:
  (Commitment h, Challenge c, Response s)
• Alice holds a secret x with public key y = g^x. She sends h = g^r for a fresh random r, Bob replies with a random challenge c, Alice answers s = r + c·x (mod q), and Bob accepts iff g^s = h · y^c.
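Added example (not the slides' code) of the three-move protocol: an honest prover, a verifier, and an impersonator who knows only y and therefore has to guess the challenge before committing. The group P = 10^9 + 7, Q = (P-1)/2, G = 25 is a toy choice of mine.

```python
import secrets

# Toy group (constructed for this example, far too small for real use):
# P = 10^9 + 7 and Q = (P-1)/2 are both prime, so G = 5^2 generates the subgroup of order Q.
P = 10**9 + 7
Q = (P - 1) // 2
G = 25
assert G != 1 and pow(G, Q, P) == 1

def keygen():
    """Prover's long-term secret x and public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

class Prover:
    def __init__(self, x: int):
        self.x = x
    def commit(self) -> int:
        self.r = secrets.randbelow(Q - 1) + 1      # fresh per run; reusing r would leak x
        return pow(G, self.r, P)                    # commitment h = g^r
    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q            # response s = r + c*x mod q

class Verifier:
    def __init__(self, y: int, fixed_c=None):
        self.y = y
        self.fixed_c = fixed_c                      # only for deterministic tests
    def challenge(self, h: int) -> int:
        self.h = h
        self.c = secrets.randbelow(Q) if self.fixed_c is None else self.fixed_c
        return self.c
    def check(self, s: int) -> bool:
        return pow(G, s, P) == (self.h * pow(self.y, self.c, P)) % P   # g^s == h * y^c

class Impersonator:
    """Knows only y. Picks s and a guess c' first and sets h = g^s * y^(-c'),
    so the check passes iff the verifier happens to choose c == c' (probability 1/q)."""
    def __init__(self, y: int, guess: int):
        self.y, self.guess = y, guess
    def commit(self) -> int:
        self.s = secrets.randbelow(Q)
        return (pow(G, self.s, P) * pow(pow(self.y, self.guess, P), -1, P)) % P
    def respond(self, c: int) -> int:
        return self.s                               # cannot adapt to the real challenge

def run(prover, verifier) -> bool:
    h = prover.commit()          # 1. commitment
    c = verifier.challenge(h)    # 2. challenge
    s = prover.respond(c)        # 3. response
    return verifier.check(s)

if __name__ == "__main__":
    x, y = keygen()
    print("honest Alice accepted:", run(Prover(x), Verifier(y)))
    print("Eve (guessing c):", run(Impersonator(y, guess=7), Verifier(y)))
```

The verifier learns nothing about x because (h, c, s) for a random c is distributed exactly like the transcript the impersonator can fake on its own; only the ordering (commit before the challenge is known) separates the honest prover from the cheat.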
Hybrid System

• Symmetric key: fast, but key establishment, distribution and management are problems.
• Public key: slow, and key authenticity and efficiency are now the problems.
• Certificates and public key infrastructures address key authenticity.

Hybrid system: PKC (with PKI) + one-time symmetric key.

Use public-key cryptography to negotiate a key for symmetric-key use. This negotiation is called key agreement (key exchange).
Review, Summary, and PMP

Review and Summary
• Symmetric-Key Encryption      • Message Authentication Code
• Asymmetric-Key Encryption     • Identification
• Digital Signatures            • Authentication
• Hash Function

Timeline:
  1883  Kerckhoffs' cryptography principle
  1936  Turing machine
  1946  Digital computers
  1949  Shannon's work
  1960  Computer networks
  1965  Computational complexity theory
  1976  Modern (public-key) cryptography
  Everything before 1976: classical cryptography
Practice Makes Perfect
o Briefly describe one scenario where asymmetric-key encryption is needed (instead of a symmetric one).
o "Alice and Bob are using a message authentication code for security protection. They should know each other." Justify this statement.
o Alice says "We can use a hash function to encrypt messages into H(m) and then decrypt m from H(m)". Justify what Alice said.

Practice Makes Perfect
o Briefly describe one scenario where asymmetric-key encryption is needed (instead of a symmetric one).

Answer: Alice wants to send a sensitive message to Bob, but Bob doesn't know Alice beforehand (that is, they have no shared secret key).

Practice Makes Perfect
o "Alice and Bob are using a message authentication code for security protection. They should know each other." Justify this statement.

Answer: True. A MAC needs a shared secret key. If Alice and Bob have a shared secret key, they must have known each other when negotiating that key earlier.

Practice Makes Perfect
o Alice says "We can use a hash function to encrypt messages into H(m) and then decrypt m from H(m)". Justify what Alice said.

Answer: False. Hash functions were invented for integrity, not confidentiality. Once H(m) is computed, m cannot be recovered from H(m): the hash is one-way, and many inputs map to the same digest.
Authentication and Key Establishment
Protocols

2
Outline

• Network security protocols


• Common attacks
• Security Assumptions
• Remote Identification/Authentication
• (Authenticated) Key Establishment
• AKE examples
• Password-based AKE

3
Network security protocols

• An interactive algorithm executed by two or multiple


parties over an insecure network (e.g., the Internet).

• Examples:
– Identification
– Key exchange
– E-voting
– E-payment
– E-auction
– ……

4
Protocol VS Scheme

In the cryptography community there are protocols and schemes. What is the difference?

• Protocol: the communicating parties must all be online to run the protocol.
• Scheme: one party can be offline while the others run the scheme (encryption, signature, email).
Protocol

• Authentication:
  1. Verify the integrity of data
  2. Verify the integrity of identity (identification)
  Motivation: Alice wants to authenticate Bob first, who wants to communicate with Alice.

• Key Establishment (Agreement/Exchange)
  Motivation: some parties online want to establish a symmetric key for secure communication.
Common attacks
• Eavesdropping attack
  – The attacker captures the information sent in the protocol.
• Replay attack
  – The adversary records information seen in the protocol, and then sends it to the same, or a different, entity, possibly during a later protocol run.
• Man-in-the-middle attack
  – The attacker sits between the parties and alters the information sent in the protocol.
• Reflection attack
  – The adversary sends protocol messages back to the entity who sent them.
• Known-(session-)key attack
  – The adversary obtains the key of one communication session and uses it to attack another session.
• ……
Security Assumptions
• Assumption 1: what can do
The adversary is able to eavesdrop, modify, re-route,
insert messages during the execution of a protocol.

• Assumption 2: who A is
The adversary may be a legitimate protocol participant
(an insider), or an external party (an outsider), or a
combination of both.

9
Security Assumptions
• Assumption 3: know partial secrets
The adversary is able to compromise some past
communication sessions

• Assumption 4: consider multiple applications


The adversary may start any number of parallel protocol
runs between any parties including different runs
involving the same parties.

10
Authentication

11
Entity Authentication
• Entity authentication - Definition
– … is the process whereby one party (Alice) is assured of the
identity of a second party (Bob) involved in a protocol, and
that the second has actually participated (i.e., is active at, or
immediately prior to, the time the evidence is acquired).
--- Handbook of applied cryptography (Menezes et al.)

12
A Simple Example

• How to remotely log in to a server
• A naïve approach: username + password

  Client (knows username, pw) ──── username, pw ────> Server (stores username, pw)

Can you identify some security risks in this approach? (The password travels in clear, so anyone eavesdropping learns it and can replay it.)

An Improved Scheme

  Client (knows username, pw) ──── username, H(pw) ────> Server (stores username, pw)

• Use a transformed password, e.g., H(pw) where H denotes a one-way cryptographic hash function
• Is this approach secure?
  – No. A replay attack still works: H(pw) is a fixed value, so an eavesdropper can simply resend it.
  – Need an anti-replay mechanism
Improved Scheme II

  Client (knows username, pw) <──── N_s ──── Server (stores username, pw)
  Client ──── username, H(pw, N_s) ────> Server

• The server sends a nonce N_s to the client as a challenge
  – similar in spirit to a salt value in Unix password files, but fresh for every session
• The client gives a fresh response based on pw and N_s in each session, so a recorded response is useless later
• Caveat: an eavesdropper who records (N_s, H(pw, N_s)) can still test password guesses offline, so this alone does not protect weak passwords.
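An added example, not from the slides, of Improved Scheme II: the server issues a nonce, the client answers H(pw, N_s), and a captured response fails on replay. It goes one step beyond the slide by also showing that the captured (N_s, response) pair still permits an off-line dictionary attack, which the lecture introduces later for password-based key exchange. Names and the word list are constructed.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    """H(pw, Ns): hash of the password and the nonce (a separator avoids ambiguity)."""
    return hashlib.sha256(b"|".join(parts)).digest()

class Server:
    """Stores (username, pw) as in the slide and keeps one outstanding nonce per user."""
    def __init__(self, users: dict):
        self.users = dict(users)
        self.pending = {}

    def challenge(self, username: str) -> bytes:
        ns = secrets.token_bytes(16)            # fresh, unpredictable nonce
        self.pending[username] = ns
        return ns

    def login(self, username: str, response: bytes) -> bool:
        ns = self.pending.pop(username, None)   # each nonce is accepted once
        if ns is None or username not in self.users:
            return False
        expected = H(self.users[username], ns)
        return hmac.compare_digest(expected, response)

def client_response(pw: bytes, ns: bytes) -> bytes:
    return H(pw, ns)

def replay_attack(server: Server, username: str, captured_response: bytes) -> bool:
    """Eve resends a response captured earlier. The server has issued a new nonce,
    so the stale H(pw, old_Ns) no longer matches."""
    server.challenge(username)
    return server.login(username, captured_response)

def offline_dictionary_attack(ns: bytes, response: bytes, candidates):
    """Caveat the slide does not cover: an eavesdropper who records (Ns, H(pw, Ns))
    can test guesses offline without ever talking to the server."""
    for cand in candidates:
        if H(cand, ns) == response:
            return cand
    return None

if __name__ == "__main__":
    server = Server({"alice": b"hunter2"})
    ns = server.challenge("alice")
    resp = client_response(b"hunter2", ns)
    print("login:", server.login("alice", resp))
    print("replay:", replay_attack(server, "alice", resp))
    wordlist = [b"password", b"123456", b"letmein", b"hunter2"]   # constructed word list
    print("guessed:", offline_dictionary_attack(ns, resp, wordlist))
```

Consuming the nonce on first use is what actually stops the replay; a nonce that stays valid until the next login would let Eve win a race. The dictionary attack is why password protocols moved to PAKE designs such as EKE.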
Entity Authentication Approaches
• Password based
• Token based
• Biometric based

• Public key crypto based


– Digital signature

16
TFA: two pieces of evidence are used for an authentication mechanism

• Password
• Biometrics
• Smart card (connected)
• Secure device (disconnected)
• Mobile phone

Two pieces of evidence are used for an authentication mechanism

Password +
• Biometrics: the scanner could be expensive
• Smart card (connected): needs a secure reader
• Secure device (disconnected): reasonable
• Mobile phone: reasonable

Password + Smart card (connected): needs a secure reader
  The password is used for identifying the owner of the card.
  The entity is identified with the card.
  The card can conduct complicated computations, like PKC.

Password + Secure device (disconnected): reasonable
  Without keypad: the token shows H(K, time). With keypad: the token shows H(K, R) for a server-supplied challenge R.
  • A unique and random key K is installed in each device.
  • Each device also has a serial number (SN).
  • The producer (server) knows the random key for each SN.

Password + Google Authenticator
  The hardware device is replaced with a secure app.
Notations
• A – Alice
• B – Bob
• E – Eve
• EB : E impersonating B
• i : step i of a protocol session
• i’ : step i of a concurrent/parallel protocol session

Scenario: A wants to authenticate who is the second


party! E cannot impersonate as B.
23
Entity Authentication using Public Key Crypto

• Step 0: users exchange and verify public key certificates
• First try – Protocol I
  B → A: "I'm Bob", Sig_B("I'm Bob")
  Any security issue?
• 1:  B → A: "I'm Bob", Sig_B("I'm Bob")
  1': E_B → A: "I'm Bob", Sig_B("I'm Bob")
  A replay attack: the signed message is the same every time, so Eve can record it and reuse it.

Entity Authentication

• A revised one – Protocol II
  1: A → B: "I'm Alice", N_A
  2: B → A: "I'm Bob", Sig_B("I'm Bob", N_A)
  N_A (nonce) must not repeat
  fresh response = fresh signed message

Entity Authentication

• Another solution – Protocol III
  1: B → A: "I'm Bob", Sig_B("I'm Bob", T_B)
  T_B: a timestamp
• The protocol achieves entity authentication if attacks cannot occur before T_B (this needs synchronised clocks, and A must reject a second copy of the message within the acceptance window).
Key Establishment

27
Key Establishment

• Key Establishment – Definition


– … is a process or protocol whereby a
shared secret becomes available to
two or more parties, for subsequent
cryptographic use.
--- Handbook of applied cryptography (Menezes et al.)

28
Key Establishment Goals
• The shared session key is a good key for A to use
with B only if A has assurance that:

– The key is fresh (key freshness);

– The key is known only to A and B (and any mutually


trusted parties) (confidentiality )

29
Key Establishment Protocols
• There are two main categories of key establishment:

– Key transport, where one party generates and securely transfers


the key to the other.

– Key agreement/exchange, where the parties all obtain a shared


secret, which is itself a function of input from all parties.
• E.g. Diffie-Hellman key agreement.

Key Establishment = Key Transport + Key Agreement

Transport VS Agreement

Key Establishment = Key Transport + Key Agreement

• Key agreement has become much more popular than key transport in recent years.
• There is an intuitive feeling that key agreement is 'fairer' than key transport, and
• it can result in higher quality random keys than key transport.
Key Transport

  Alice (SK_A, PK_A)  <──── Y_B = E(PK_A, K) ────  Bob (knows PK_A, picks K)
  Alice recovers K = D(SK_A, Y_B); both now hold K.

E: public key encryption, e.g., RSA
Diffie-Hellman Key Agreement

• The first public-key system (1976).
• Security is based on the difficulty of computing discrete logarithms (cyclic groups).
• System setup (modular multiplicative group)
  – Z_p* = {1, …, p-1}.
  – A generator g ∈ Z_p*.
  – p and g are public.
  – G is the set of all group elements
  – g^x must be inside G.

Diffie-Hellman Key Agreement
• The protocol:
  – Alice selects a secret X_A, 1 ≤ X_A ≤ p-2, and computes her public value Y_A = g^X_A mod p.
  – Bob selects a secret X_B, 1 ≤ X_B ≤ p-2, and computes his public value Y_B = g^X_B mod p.
  – Alice sends Y_A to Bob.
  – Bob sends Y_B to Alice.
  – Alice computes the shared secret key K = Y_B^X_A mod p.
  – Bob computes the shared secret key K = Y_A^X_B mod p.
  K = g^(X_A · X_B) mod p

• The protocol
  1: A → B: Y_A = g^X_A mod p
  2: B → A: Y_B = g^X_B mod p
Diffie-Hellman Key Agreement

• Man-in-the-Middle Attack: Eve chooses her own X_E with Y_E = g^X_E and substitutes Y_E for both parties' public values.
  1: A → E: Y_A
  2: E → B: Y_E
  3: B → E: Y_B
  4: E → A: Y_E
  Alice computes K' = Y_E^X_A; Eve computes the same K' = Y_A^X_E.
  Bob computes K'' = Y_E^X_B; Eve computes the same K'' = Y_B^X_E.
  Eve can now decrypt, read and re-encrypt everything passing between them.
  How to solve the problem? (hint: authentication)
Key Agreement

  Alice (SK_A, PK_A), picks x_A          Bob (SK_B, PK_B), picks x_B
  A → B: u = g^x_A
  B → A: v = g^x_B, S_B = Sign(SK_B; A, u, v)
  A → B: S_A = Sign(SK_A; B, u, v)
  K = g^(x_A · x_B) on both sides

Sign: digital signature under a certified long-term public key (e.g., RSA or Schnorr); each side verifies the other's signature before accepting K.
Authenticated Key Establishment (AKE) Protocol

• Mechanisms that allow two parties (or multiple parties) communicating over an insecure network to authenticate each other and establish a common secret key.

  Alice <── msg 1, msg 2, msg 3, … ──> Bob
  Output: K on both sides
Symmetric-key Based AKE

  Alice (long-term key K_AB) <── msg 1, msg 2, msg 3, … ──> Bob (long-term key K_BA)
  Output: session key K on both sides

• K_AB = K_BA is the long-term key, established through another channel
• K is the session key derived in this run

Question: why not simply use the long-term key as the session key?
Why session keys: fresh response and more (different each time)
• … limit the amount of ciphertext available under a single key.
• … limit the effects, in both time and data quantity, of a key being exposed or compromised.
• … create independence across sessions and/or applications. Compromise of a session due to use of a poor application doesn't, or ideally shouldn't, affect the security of other sessions and applications.
Public-key Based AKE

  Alice (long-term key (PK_A, SK_A)) <── msg 1, msg 2, msg 3 ──> Bob (long-term key (PK_B, SK_B))
  Output: session key K on both sides

• Public key is certified by a trusted CA
• Distribution of the long-term key is easy
  – The digital certificate (i.e., public key) can be sent as part of a message
How about this one?

  1: A → B: A, Y_A
  2: B → A: B, Y_B, Sig_B(Y_B, Y_A)
  3: A → B: Sig_A(Y_A, Y_B)

• Y_Q: Diffie-Hellman component of Q
  – Y_Q = g^X_Q mod p
• Sig_Q: signature of Q (assume that A has B's certificate, and vice versa)
An unknown key share attack

  A → E:  A, Y_A
  E → B:  E, Y_A                      (Eve replaces the name but keeps Y_A)
  B → E:  B, Y_B, Sig_B(Y_B, Y_A)
  E → A:  B, Y_B, Sig_B(Y_B, Y_A)     (forwarded unchanged)
  A → E:  Sig_A(Y_A, Y_B)
  E → B:  Sig_E(Y_A, Y_B)             (Eve re-signs with her own certified key)

Consequence: A believes that she has agreed on a key with B, but B believes that he has agreed on a key with E. Eve does not learn the key, but B will attribute A's messages to E.
Strong Entity Authentication

• Strong entity authentication of B to A is provided if A has a fresh assurance that B has knowledge of A as his peer entity.
• Protocol IV
  1: A → B: "I'm Alice", N_A
  2: B → A: "I'm Bob", Sig_B("I'm Bob", A, N_A)

Diffie-Hellman Revisited

  1: A → B: A, Y_A
  2: B → A: B, Y_B, Sig_B(A, Y_B, Y_A)
  3: A → B: Sig_A(B, Y_A, Y_B)

• ISO/IEC IS 9798-3
• Including the peer's identity inside the signed data defeats the unknown key share attack: A will not accept Sig_B(E, Y_B, Y_A).
• Forward secrecy: compromising the long-term keys (i.e., the signing keys of A and B) does not allow the adversary to compute any old session keys generated by those parties, because the ephemeral exponents X_A, X_B are discarded after use.
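The following is an added example, not part of the lecture slides, that runs the attacks and the fix above in code: the man-in-the-middle on unauthenticated DH, the unknown key share attack on the three-message signed protocol of the "How about this one?" slide, and the ISO/IEC 9798-3 variant that binds identities. Sig is instantiated with a Schnorr signature over a toy group (P = 10^9 + 7) chosen by me; certificates are assumed to have been checked out of band, and all names are mine.

```python
import hashlib
import secrets

# Toy group (constructed for this example): P = 10^9 + 7 and Q = (P-1)/2 are prime,
# G = 5^2 generates the order-Q subgroup. Far too small for real use.
P = 10**9 + 7
Q = (P - 1) // 2
G = 25

def H(*parts) -> int:
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Long-term signing key pair, assumed certified by a CA (not modelled here)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk: int, *msg):
    """Schnorr signature: stands in for Sig_X(...) in the protocol descriptions."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + H(R, *msg) * sk) % Q

def verify(pk: int, sig, *msg) -> bool:
    R, s = sig
    return pow(G, s, P) == (R * pow(pk, H(R, *msg), P)) % P

def dh_keypair():
    """Ephemeral DH exponent X and public value Y = g^X mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def unauthenticated_dh_mitm():
    """Plain DH with Eve substituting Y_E for both public values."""
    xa, ya = dh_keypair(); xb, yb = dh_keypair(); xe, ye = dh_keypair()
    return {
        "alice": pow(ye, xa, P),            # Alice received Y_E, thinking it is Y_B
        "bob": pow(ye, xb, P),              # Bob received Y_E, thinking it is Y_A
        "eve_with_alice": pow(ya, xe, P),   # Eve shares Alice's key ...
        "eve_with_bob": pow(yb, xe, P),     # ... and Bob's key
    }

def signed_dh(bind_identities: bool):
    """Three-message signed DH with Eve in the middle.
    bind_identities=False: Sig_B(Y_B, Y_A) / Sig_A(Y_A, Y_B)  -> unknown key share.
    bind_identities=True : Sig_B(A, Y_B, Y_A) / Sig_A(B, Y_A, Y_B) (ISO/IEC 9798-3)."""
    sk_a, pk_a = keygen(); sk_b, pk_b = keygen(); sk_e, pk_e = keygen()
    xa, ya = dh_keypair(); xb, yb = dh_keypair()
    # 1: A -> E -> B.  Eve forwards Y_A but claims it is hers.
    claimed_sender = "E"
    # 2: B -> E -> A.  Bob signs for the peer he believes he is talking to.
    sig_b = sign(sk_b, claimed_sender, yb, ya) if bind_identities else sign(sk_b, yb, ya)
    # Alice checks the signature against the transcript she expects (her own name, if bound).
    alice_accepts = (verify(pk_b, sig_b, "A", yb, ya) if bind_identities
                     else verify(pk_b, sig_b, yb, ya))
    if not alice_accepts:
        return {"alice_accepts": False}
    # 3: A -> E -> B.  Eve discards Alice's signature and signs with her own certified key.
    sig_a = sign(sk_a, "B", ya, yb) if bind_identities else sign(sk_a, ya, yb)   # never reaches Bob
    sig_e = sign(sk_e, "B", ya, yb) if bind_identities else sign(sk_e, ya, yb)
    bob_accepts = (verify(pk_e, sig_e, "B", ya, yb) if bind_identities
                   else verify(pk_e, sig_e, ya, yb))
    return {
        "alice_accepts": True, "bob_accepts": bob_accepts,
        "alice_thinks_peer": "B", "bob_thinks_peer": claimed_sender,
        "same_key": pow(yb, xa, P) == pow(ya, xb, P),   # K = g^(X_A X_B), unknown to Eve
    }

if __name__ == "__main__":
    print("MITM on plain DH:", unauthenticated_dh_mitm())
    print("signed DH, no identities:", signed_dh(bind_identities=False))
    print("signed DH, ISO 9798-3:   ", signed_dh(bind_identities=True))
```

In the unbound variant both parties accept and even share the same K, yet disagree about who the peer is; the bound variant fails at Alice's very first verification, which is the whole effect of putting the identity under the signature.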
Forward Secrecy

  1: A → B: E_PK_B(A, B, K_A)
  2: B → A: E_PK_A(B, A, K_B)
  Shared key K = Hash(K_A, K_B)

No forward secrecy! An adversary who records the traffic and later obtains SK_A and SK_B decrypts K_A and K_B and recomputes K.

Key Transport

  Alice (SK_A, PK_A)  <──── Y_B = E(PK_A, K) ────  Bob (knows PK_A)

E: public key encryption, e.g., RSA

Forward secure? No: anyone who later obtains SK_A recovers K from the recorded Y_B.
Brief Summary
• Key agreement is better than key transport
• Key agreement alone: man-in-the-middle attacks work
• Authenticated key agreement
• Authenticated key agreement + session key
• Authenticated key agreement + session key + forward secrecy

The above solutions assume that the users' long-term secrets are random keys.

New attacks are coming!

Password-based Protocols
• Long-term secret key = shared password
• Consider the following protocol
  1: A → B: A, E_P_AB(A, B, R_A)
  2: B → A: B, E_P_AB(B, A, R_B)
  Session key: H(R_A, R_B)
• This approach suffers from off-line dictionary attacks, since passwords are short strings with low entropy. That is, an attacker who records the traffic can try each possible password P' to decrypt E_P_AB(A, B, R_A). If the resulting plaintext has the correct format (the identities A and B appear where expected), P' is likely the correct password.

Password-based Protocols
• The following Encrypted Key Exchange (EKE) protocol can resist the off-line dictionary attack:
• PK is an ephemeral public key generated by A.
• B transfers K to A by using double encryption.
• Why is the EKE protocol immune to the off-line dictionary attack?
Review, Summary, and PMP

51
Review and Summary
o Authentication and nonces
o Key Establishment
  o Key Transport
  o Key Agreement/Exchange
o Secure Key Establishment:
  o Basic security against eavesdropping attacks
  o Authenticated security against man-in-the-middle attacks
  o Forward security against known-(long-term-)key attacks
PMP
• What is the meaning of “Authenticated” in Authenticated
Key Exchange?

• What is the benefit of key agreement compared to key


transport?

• What is the motivation of using session key instead of


long-term key?

• Briefly describe how MITM attack works on the DH.


53
PMP
• What is the meaning of “Authenticated” in Authenticated
Key Exchange?

Answer: Party A can verify that the established key must be


generated with another known party B (cannot be an
adversary.)

54
PMP
o What is the benefit of key agreement compared to key transport?

Answer: It is more secure because the final established key is computed using random numbers from both parties instead of one party.

PMP
o What is the motivation for using a session key instead of the long-term key?

Answer: It is more secure because we can reduce the impact to a minimum when a session key in use is compromised.
PMP
o Briefly describe how the MITM attack works on DH.

Answer: The adversary replaces Y_A sent from A to B with her own Y_E, and replaces Y_B sent from B to A with Y_E, so that the adversary shares one key with A and another with B and can decrypt, read and re-encrypt the messages between them.
PKI

58
Outline

o Motivation (We have a Problem)


o Digital Certificate
o Public Key Infrastructure (PKI)
o X.509-based PKI
o PGP-based PKI

59
Motivation (We have a Problem)

60
Digital Signatures

Alice generates a key pair (pk, sk). pk is the public key and is published to all others, while sk is secret and known only to Alice.

  Alice (pk, sk, m) ──── m, Sign(sk, m) ────> Bob (knows pk)

The data that Alice sends to Bob cannot be modified by the adversary.
Bob only needs to know that pk belongs to Alice (no need to share a secret key!)
In public-key encryption and digital signatures, we assume that an entity pre-knows the public key of another entity.

A public key looks like:

30 82 01 0a 02 82 01 01 00 dd 9e e4 f6 88 b5 0d d7 a1 5f bc 25 6e cc 44 14 cf 34 e2 b5 73 09 1e e4 4b 12 52 38 95 36 1a
c6 66 ed f0 c8 03 c9 b3 43 45 4e 0d 6a 92 4b 1b eb 94 60 5b 11 b9 15 79 b1 a5 f6 fc 5d bf a4 30 59 84 02 dd 3f 6d 21 6a
44 b7 18 1c 24 fc f5 02 2e 87 0c 20 3e c6 c5 b6 9f ad 16 1b 76 86 e9 73 9c 8d 31 60 3a a0 f0 2f da ad 8e f6 74 c9 81 d3 ea
f7 5d ab 5d bb 05 63 b0 78 55 ed 72 13 a4 42 43 72 23 73 c0 de 33 9b 44 5c 89 a9 8a 90 d1 99 be bc f7 21 21 5f fb 22 8a
5c 50 b9 69 7c dc 87 92 ed 79 56 ed 32 55 41 9f af 41 f6 da d4 70 88 e9 a3 41 1d 66 9f a6 98 d2 7e 5b a9 52 38 1c 56 b4
cc 45 62 72 0c c7 f7 ef 2c 47 0a 3b 1a 7a ac e7 ae a9 a8 1e 98 43 b0 58 56 e9 41 44 72 e6 da 67 1c d7 b6 f4 e6 b4 90 5c
b5 0a 98 b3 23 0c e7 35 6d 10 14 73 0e 94 5d 7c 4e 0a 18 f4 05 20 67 9f 02 03 01 00 01

It looks random because pk is computed from sk, and sk is a random string.

Scenario: how can Bob be convinced that pk belongs to Alice?

  Alice (pk, sk, m) ──── M ────> Bob

M = "My public key is <the hex string shown above>"

This is not secure!!!! (The public key could be replaced by the adversary, and Bob has no way to tell.)

Digital Certificate:

A mechanism for proving the validity of a public key!
Digital Certificate

  C (a party Bob trusts)
  Bob                         Alice

o Bob trusts what C says.
o C says that "pk belongs to Alice".
o Then Bob believes that "pk belongs to Alice".

Digital Certificate

o Bob trusts what C says and pre-knows that pk* belongs to C.
o C says that m = "pk belongs to Alice" and uses sk* to sign m. Then m together with the corresponding signature S is called a certificate.
o Bob can input (m, S) and pk* to verify that "pk belongs to Alice".

Digital Certificate: More than One Trust

o Bob trusts what C says.
o C trusts what D says (C has certified D's key).
o D says that "pk belongs to Alice".
o Then Bob believes that "pk belongs to Alice" (a certificate chain: C → D → Alice).

Digital Certificate: Expiry and Revocation

o Expiry: m = "pk belongs to Alice"
  ⇒ m = "pk belongs to Alice from time X to time Y"
o Revocation: Alice finds that her sk was stolen before the expiry time Y and needs to revoke the certificate, so that verifiers stop accepting it before Y.
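An added example, not from the slides, that turns the statements above into a chain check: C is Bob's trust anchor, C certifies D, D certifies "pk belongs to Alice from time X to time Y", and the verifier also consults the issuers' revocation lists. Signatures are toy RSA hash-then-sign over Mersenne-prime moduli picked by me; the certificate fields and Alice's placeholder key are constructed.

```python
import hashlib
from dataclasses import dataclass, replace

# Toy RSA signing keys built from Mersenne primes (constructed for this example;
# real CAs use 2048-bit+ moduli with random primes and PKCS#1 padding).
def rsa_keygen(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))        # public (n, e), private (n, d)

def h_int(data: bytes) -> int:
    # 128-bit digest, always smaller than the toy moduli (>= 2^168)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(h_int(data), d, n)               # hash-then-sign

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h_int(data)

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    subject: str
    subject_pk: tuple       # the "pk" that the issuer vouches for
    not_before: int         # "from time X ..."
    not_after: int          # "... to time Y"
    sig: int = 0            # issuer's signature over the fields above

    def tbs(self) -> bytes:                     # "to be signed": every field except sig
        return (f"{self.serial}|{self.issuer}|{self.subject}|{self.subject_pk}|"
                f"{self.not_before}|{self.not_after}").encode()

def issue(issuer: str, issuer_priv, serial: int, subject: str, subject_pk,
          not_before: int, not_after: int) -> Cert:
    c = Cert(serial, issuer, subject, subject_pk, not_before, not_after)
    return replace(c, sig=rsa_sign(issuer_priv, c.tbs()))

def validate_chain(chain, trust_anchors: dict, now: int, revoked: set):
    """chain[0] is the end-entity certificate; chain[i+1] is the issuer of chain[i];
    chain[-1] must be issued by a trust anchor (name -> public key). revoked holds
    (issuer, serial) pairs taken from the issuers' CRLs. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject}: revoked"
        if i + 1 < len(chain):
            issuer_cert = chain[i + 1]
            if issuer_cert.subject != cert.issuer:
                return False, f"{cert.subject}: issuer {cert.issuer} != {issuer_cert.subject}"
            issuer_pk = issuer_cert.subject_pk
        else:
            issuer_pk = trust_anchors.get(cert.issuer)
            if issuer_pk is None:
                return False, f"{cert.issuer}: not a trust anchor"
        if not rsa_verify(issuer_pk, cert.tbs(), cert.sig):
            return False, f"{cert.subject}: bad signature"
    return True, "ok"

# Root CA "C" (pre-known to Bob) and delegated CA "D" (certified by C).
PK_C, SK_C = rsa_keygen(2**89 - 1, 2**127 - 1)
PK_D, SK_D = rsa_keygen(2**61 - 1, 2**107 - 1)
ALICE_PK = (0x30820122, 65537)                  # placeholder standing in for Alice's real key
D_CERT = issue("C", SK_C, serial=1, subject="D", subject_pk=PK_D, not_before=0, not_after=2000)
ALICE_CERT = issue("D", SK_D, serial=42, subject="Alice", subject_pk=ALICE_PK,
                   not_before=500, not_after=1500)
TRUST = {"C": PK_C}                             # Bob's trust anchor

if __name__ == "__main__":
    print(validate_chain([ALICE_CERT, D_CERT], TRUST, now=1000, revoked=set()))
    print(validate_chain([ALICE_CERT, D_CERT], TRUST, now=1700, revoked=set()))
    print(validate_chain([ALICE_CERT, D_CERT], TRUST, now=1000, revoked={("D", 42)}))
    print(validate_chain([replace(ALICE_CERT, subject="Eve"), D_CERT], TRUST, now=1000, revoked=set()))
```

Real X.509 validation additionally checks that intermediate certificates are marked as CA certificates (basicConstraints), key usage, and name constraints; the ordering here (validity, revocation, then signature) mirrors what a verifier must do before trusting the subject's key.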
Public Key Infrastructure (PKI)

RFC 4949 (Internet Security Glossary) defines public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

So
• A digital certificate is a "mechanism", while
• PKI is a security service/protocol.

Public Key Infrastructure (PKI)

■ End entity: A generic term used to denote end users, devices (e.g., servers, routers), or any other entity that can be identified in the subject field of a public-key certificate. End entities typically consume and/or support PKI related services.
■ Certification authority (CA): The issuer of certificates and (usually) certificate revocation lists (CRLs). It may also support a variety of administrative functions, although these are often delegated to one or more Registration Authorities.
■ Registration authority (RA): An optional component that can assume a number of administrative functions from the CA. The RA is often associated with the end entity registration process but can assist in a number of other areas as well.
■ CRL issuer: An optional component that a CA can delegate to publish CRLs.
■ Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
Certificate Revocation List (CRL)
• A CRL is a way of telling users about revoked certificates.
• Users must ensure that they have the latest CRL.
• A CRL is a bit like the list of bad credit card numbers which used to be kept next to the tellers in supermarkets.

https://www.entrust.net/customer/crlchecker

Certificate Access
• PK certificates will typically be stored in repositories and accessed as required.
• Certificate repositories may be separated from the CA which generates them.
• The certificates DO NOT need to be stored securely: any modification invalidates the CA's signature.
• The browser you download already ships with the certificates of some CAs (its trust anchors).

Certificate Repositories in Firefox
X.509 Based PKI

78
X.509 Certificate(Standard)
• X.509 defines a structure for PK Certificates.

79
X.509 Certificate(Standard)

Serial number: An integer value unique within the issuing CA that


is associated with this certificate.

Signature algorithm identifier: The algorithm used to sign the


certificate together with any associated parameters.

80
X.509 Certificate(Standard)

Issuer: X.500 name of the CA that created and signed this


certificate.

Period of validity: Consists of two dates: the first and last on


which the certificate is valid.

81
X.509 Certificate(Standard)

Subject: The name of the user to whom this certificate refers. That is,
this certificate certifies the public key of the subject (user) who holds
the corresponding private key.

Subject’s public key: The public key of the subject, plus an


identifier of the algorithm for which this key is to be used,
together with any associated parameters.
82
X.509 Certificate(Standard)

Signature: Covers all of the other fields of the certificate.

83
X.509 Certificate (Standard)
X.509 was initially issued in 1988. X.509 is an important standard because the certificate structure and authentication protocols defined in X.509 are used in a variety of contexts. For example,

• S/MIME
• IP Security (IPsec)
• SSL/TLS

X.509 Certificate (Standard)
• A CA assigns a unique name to each user and issues a signed certificate; often the name is a URL (domain name) or an email address.
• CAs are connected in a tree structure. Each CA issues certificates for those beneath it.
• A CA can issue certificates to other CAs, vouching for their PKs and for their trustworthiness as CAs.
• Users can then obtain certificates from one of the delegated CAs instead of having to go to the trust anchor CA.
• There is a chain of certificates that is visible to the user in this model.
Delegated CA’s (Centralized Trust)

86
PGP Based PKI

87
PGP Certificate
• Pretty Good Privacy (PGP) was created by Phil Zimmermann and implemented
  as a product (for email security) first released in 1991. It was made
  available free of charge and became quite popular for personal use.
• The initial PGP protocol was proprietary and used some encryption
  algorithms with intellectual property restrictions.
• In 1996, version 5.x of PGP was defined in IETF RFC 1991, PGP Message
  Exchange Formats.
• Subsequently, OpenPGP was developed as a new standard protocol based on
  PGP version 5.x (now specified in RFC 4880).
88
PGP Certificate
• In OpenPGP, users generate their own OpenPGP public and
private keys and then solicit signatures for their public keys
from individuals or organizations to which they are known.
• Whereas X.509 certificates are trusted if there is a valid PKIX
chain to a trusted root, an OpenPGP public key is trusted if it
is signed by another OpenPGP public key that is trusted by the
recipient. (A stranger called Alice sent a message m to me with
a signature under pk. Bob, my friend, has signed “pk belongs
to Alice”. Therefore, I trust that m is from Alice)

• This is called the Web-of-Trust.


89
PGP Certificate

90
Anarchy (Decentralized Trust)

• No centralised CA.
• Used by PGP.
• Each user is responsible for configuring some trust anchors, e.g. the PKs
  of people he has met and who have handed him a business card with a PGP
  fingerprint (the message digest of the PK), which he then compares against
  the key he downloads.
91
Web of Trust

92
PGP
• OpenPGP does not include the sender's public key with each message, so
  recipients of OpenPGP messages must separately obtain the sender's public
  key in order to verify the message.
• Many organizations post OpenPGP keys on TLS-protected websites: people who
  wish to verify digital signatures or send these organizations encrypted
  mail need to manually download these keys and add them to their OpenPGP
  clients.
• Keys may also be registered with the OpenPGP public key servers, which
  maintain a database of PGP public keys organized by email address. Anyone
  may post a public key to the key servers, and that public key may carry
  any email address. The key servers do no vetting at all, so users must use
  the Web of Trust to decide whether to trust a given public key.
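The two trust models described above, a chain of CA certificates up to a trust anchor in X.509 and, in OpenPGP, a signature on "pk belongs to Alice" by a key the recipient already trusts, as an added Python example that is not code from the lecture. It uses textbook RSA over tiny Mersenne-prime moduli that even share factors; that is insecure and only there so the example runs offline without a crypto library. The names, validity periods and the `validate_chain` / `pgp_trusted` helpers are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA. Mersenne primes give moduli of roughly 150-190 bits, and the moduli
# share factors, so this is for demonstration only, never for real use.
M = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]

def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)        # (public, private)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

# ---- X.509 model: the issuer signs (subject, key, validity); trust = chain to an anchor ----
@dataclass(frozen=True)
class Cert:
    subject: str
    pub: tuple
    issuer: str
    not_before: int
    not_after: int
    sig: int

def tbs(subject, pub, issuer, nb, na) -> bytes:       # the "to be signed" fields
    return f"{subject}|{pub}|{issuer}|{nb}|{na}".encode()

def issue(issuer, issuer_priv, subject, pub, nb, na) -> Cert:
    return Cert(subject, pub, issuer, nb, na, sign(issuer_priv, tbs(subject, pub, issuer, nb, na)))

def cert_ok(c: Cert, issuer_pub, now: int) -> bool:
    return c.not_before <= now <= c.not_after and \
        verify(issuer_pub, tbs(c.subject, c.pub, c.issuer, c.not_before, c.not_after), c.sig)

def validate_chain(leaf: Cert, pool: list, anchors: dict, now: int) -> bool:
    """Follow issuer names from the leaf until a trust anchor vouches for the last link."""
    cert, seen = leaf, set()
    while True:
        if cert.issuer in anchors:
            return cert_ok(cert, anchors[cert.issuer], now)
        issuer_cert = next((c for c in pool if c.subject == cert.issuer), None)
        if issuer_cert is None or cert.subject in seen or not cert_ok(cert, issuer_cert.pub, now):
            return False                                   # missing link, loop, bad signature or expired
        seen.add(cert.subject)
        cert = issuer_cert

# ---- OpenPGP model: a key is trusted if a key I already trust signed its binding ----
def pgp_trusted(owner: str, pub, signatures: list, my_trusted: dict) -> bool:
    binding = f"{pub} belongs to {owner}".encode()
    return any(signer in my_trusted and verify(my_trusted[signer], binding, sig)
               for signer, sig in signatures)

def demo(now=200):
    root_pub, root_priv = toy_keypair(M[0], M[1])
    inter_pub, inter_priv = toy_keypair(M[2], M[3])
    leaf_pub, _ = toy_keypair(M[0], M[2])
    inter = issue("Root CA", root_priv, "Inter CA", inter_pub, 0, 1000)
    leaf = issue("Inter CA", inter_priv, "www.example.com", leaf_pub, 100, 300)
    anchors = {"Root CA": root_pub}
    x509 = {
        "valid": validate_chain(leaf, [inter], anchors, now),
        "expired": validate_chain(leaf, [inter], anchors, 500),
        "missing_intermediate": validate_chain(leaf, [], anchors, now),
        "rogue_anchor": validate_chain(leaf, [inter], {"Root CA": leaf_pub}, now),
    }
    alice_pub, _ = toy_keypair(M[1], M[3])
    bob_pub, bob_priv = toy_keypair(M[0], M[3])
    _, mallory_priv = toy_keypair(M[1], M[2])
    binding = f"{alice_pub} belongs to Alice".encode()
    my_trusted = {"Bob": bob_pub}                         # my only trust anchor: Bob's key
    pgp = {
        "friend_signed": pgp_trusted("Alice", alice_pub, [("Bob", sign(bob_priv, binding))], my_trusted),
        "stranger_signed": pgp_trusted("Alice", alice_pub, [("Mallory", sign(mallory_priv, binding))], my_trusted),
        "forged_sig": pgp_trusted("Alice", alice_pub, [("Bob", sign(mallory_priv, binding))], my_trusted),
    }
    return x509, pgp
```

In the X.509 half the relying party never decides anything itself: it only checks that each link is signed by the next one and that the top link is signed by a configured anchor. In the OpenPGP half the decision is local: the same binding signed by a stranger is worth nothing to this recipient, and a signature claiming to be Bob's but made with another key fails verification.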
93
Review, Summary and PMP

94
Review and Summary
• A public key is just a random-looking string; the certificate mechanism
  helps users identify the ownership of a public key.
• A certificate is essentially a digital signature on the binding between a
  name and a public key, produced by a trusted party: a CA, or known
  individuals or organizations.
• A PKI is more than the certificate format: it is the set of protocols and
  services around it, including important ones such as certificate
  revocation.

• X.509 certificates and PGP certificates are quite different.

95
PMP
o Briefly describe the problem of a certificate without revocation.

o What is the difference between the certificate generators in X.509 and in
  PGP?

96
PMP
o Briefly describe the problem of a certificate without revocation.
Answer: The certificate proves the ownership of a public key. If a user's
secret key is stolen, he/she needs to generate a new one and disable the old
one; without revocation, relying parties keep accepting the old certificate
until it expires, and the thief can sign or decrypt as that user in the
meantime.
o What is the difference between the certificate generators in X.509 and in
PGP?
Answer: In X.509, a certificate is generated by an entity (the CA) that can
be trusted by all users. In PGP, a certificate is generated by any entity who
knows the pk and its owner; whether to trust it is decided by each recipient.
97
END

98
Network Security
CSCI368/968

Dr. Fuchun Guo


University of Wollongong

1
Outline

• Centralised authentication & Key-Distribution


• NTLM
• Needham-Schroeder protocol
• Kerberos v4
• Kerberos v5

2
Centralized Authentication & Key-Distribution

3
Motivation
o Alice and Bob would like to have a secure communication.

o Secure communication needs a secret key.

o But they don't have a shared secret key.

o Only symmetric cryptography is available.


Highlights
If:
1. all users and service providers trust one TTP, and
2. all have shared secrets with this TTP, and
3. the TTP is always online,

Then, authentication (secure communication)


between any two entities is not hard with symmetric
cryptography.
5
Distributed Client-Server System
• There is a distributed client-server architecture.
– Users are using machines in an open, distributed
environment.
– They need to be able to access services on servers in
different locations.
• Servers should only serve authenticated & authorised
users.

• One server VS many users?


• Many server VS many users?
6
Centralised Approach
• There is a centralised authentication server (AS) which manages all the
  long-term user credentials.

• The centralised AS assists other servers to authenticate the clients and
  establish session keys.

• It must be online, and it is a single point of failure and of compromise:
  whoever controls the AS can impersonate anyone.
7
Centralised Approach (Two Models)
• User → Authentication Server:
  – "Please give me something I can show to the server as proof that I am
    Alice."
  – The service server verifies Alice directly (using what the AS issued).

• Service Server → Authentication Server:
  – The user generates something for the service server.
  – "Please help me check that the one who wants to talk to me is the user
    Alice."

Key question: who contacts the AS?


NTLM Protocol

Centralized Authentication Using


Symmetric Cryptography

9
NTLM Protocol
In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of
Microsoft security protocols intended to provide authentication, integrity,
and confidentiality to users. It is now a legacy protocol: Microsoft
recommends Kerberos wherever it is available, and NTLM remains in use mainly
for compatibility.
10
NTLM: Server contacts AS

11
NTLM

1. S → U: C                          (challenge: a fresh nonce)
2. U → S: R = E_Hash(pwd)(C)         (response)
3. S → AS: E_Ks(U, C, R)             (forwarded under the key Ks shared by S and AS)
4. AS → S: E_Ks(Yes/No)
5. S → U: Yes/No

• The authentication server holds the hashed passwords.
• The server sends a challenge, a nonce C.
• The user sends a response R: C encrypted under the hash of the password.
• The server forwards (U, C, R) to the authentication server, encrypted under
  S's key shared with the AS; the AS recomputes R from the stored hash and
  answers Yes/No.
Needham-Schroeder protocol

Symmetric Key Distribution Using Symmetric Encryption

13
Needham-Schroeder protocol
• The Needham–Schroeder protocol is a key transport protocol intended for use
  over an insecure network, proposed by Roger Needham and Michael Schroeder
  in 1978.

• The Needham–Schroeder Symmetric Key Protocol is based on a symmetric
  encryption algorithm and forms the basis for the Kerberos protocol. It aims
  to establish a session key between two parties on a network, typically to
  protect further communication.
14
Needham-Schroeder protocol: User contacts AS

1. Alice wants to talk to Bob and contacts the KDC.
2. The KDC issues a session key and a ticket (for Bob) that contains the same
   session key.
3. Alice sends the ticket to Bob (who then has the session key).
4. Bob acknowledges receiving the session key.
5. Alice responds.

(figure: messages 1 and 2 between A and the KDC; messages 3, 4 and 5
between A and B)
Needham-Schroeder protocol

1. A → KDC: A, B, N_A
2. KDC → A: E_KA(N_A, B, K_AB, E_KB(K_AB, A))
3. A → B: E_KB(K_AB, A)
4. B → A: E_KAB(N_B)
5. A → B: E_KAB(N_B + 1)

N_X: a nonce chosen by X. K_A, K_B: the long-term keys that A and B share
with the KDC (the KDC holds both). K_AB: the fresh session key.
Needham-Schroeder protocol

• The NS protocol is vulnerable to a replay attack (pointed out by Denning
  and Sacco in 1981): an attacker C who has obtained an old session key K_AB
  (and recorded the corresponding message 3) can impersonate A to B, because
  nothing in the ticket tells B how old it is.
  3'. C(A) → B: E_KB(K_AB, A)
  4'. B → C(A): E_KAB(N'_B)
  5'. C(A) → B: E_KAB(N'_B + 1)

• Repair: insert a timestamp T into the key certificate (ticket) for Bob, so
  that Bob can reject a ticket that is too old.
17
Modified Needham-Schroeder protocol

1. A → KDC: A, B, N_A
2. KDC → A: E_KA(N_A, B, K_AB, T, E_KB(K_AB, A, T))
3. A → B: E_KB(K_AB, A, T)
4. B → A: E_KAB(N_B)
5. A → B: E_KAB(N_B + 1)

Bob accepts message 3 only if T is within a small window of his own clock.
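The original protocol, the replay with a compromised old session key, and the timestamp repair, as an added Python simulation that is not code from the lecture. E_K(...) is modelled by an HMAC-tagged JSON token (integrity only, no secrecy), which is enough to show who can produce and who can accept each message. Party names, the key values and Bob's acceptance window are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def seal(key: bytes, obj) -> list:
    """Stand-in for E_K(obj): JSON body plus an HMAC tag under K."""
    body = json.dumps(obj, sort_keys=True)
    return [body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()]

def unseal(key: bytes, token: list):
    body, tag = token
    if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)

WINDOW = 60     # seconds of clock skew Bob tolerates in the repaired variant (assumption)

class KDC:
    def __init__(self, keys: dict, timestamps: bool = False):
        self.keys, self.timestamps = keys, timestamps

    def msg2(self, a: str, b: str, na: int, now: int) -> list:
        kab = secrets.token_hex(16)
        ticket = {"kab": kab, "a": a}                  # E_KB(K_AB, A [, T])
        reply = {"na": na, "b": b, "kab": kab}         # E_KA(N_A, B, K_AB [, T], ticket)
        if self.timestamps:
            ticket["t"] = reply["t"] = now
        reply["ticket"] = seal(self.keys[b], ticket)
        return seal(self.keys[a], reply)

class Bob:
    def __init__(self, kb: bytes, timestamps: bool = False):
        self.kb, self.timestamps = kb, timestamps

    def msg4(self, ticket: list, now: int) -> list:
        t = unseal(self.kb, ticket)
        if self.timestamps and abs(now - t["t"]) > WINDOW:
            raise ValueError("stale ticket")
        self.kab, self.nb = bytes.fromhex(t["kab"]), secrets.randbelow(2**32)
        return seal(self.kab, {"nb": self.nb})         # E_KAB(N_B)

    def msg5(self, token: list) -> bool:
        return unseal(self.kab, token)["nb"] == self.nb + 1

def alice_run(kdc: KDC, bob: Bob, ka: bytes, now: int):
    na = secrets.randbelow(2**32)
    m2 = unseal(ka, kdc.msg2("A", "B", na, now))
    if m2["na"] != na or m2["b"] != "B":               # reply must be fresh and for B
        raise ValueError("reply is not fresh or not for B")
    kab = bytes.fromhex(m2["kab"])
    m4 = unseal(kab, bob.msg4(m2["ticket"], now))
    return bob.msg5(seal(kab, {"nb": m4["nb"] + 1})), kab, m2["ticket"]

def replay(bob: Bob, old_kab: bytes, old_ticket: list, now: int) -> bool:
    """C, who learned an old K_AB and recorded message 3, replays it as A."""
    try:
        m4 = unseal(old_kab, bob.msg4(old_ticket, now))
    except ValueError:
        return False
    return bob.msg5(seal(old_kab, {"nb": m4["nb"] + 1}))

def demo() -> dict:
    ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
    out = {}
    for ts in (False, True):
        kdc, bob = KDC({"A": ka, "B": kb}, ts), Bob(kb, ts)
        ok, kab, ticket = alice_run(kdc, bob, ka, now=1000)
        # one hour later C has compromised kab and replays the recorded ticket
        out["timestamps" if ts else "original"] = (ok, replay(bob, kab, ticket, now=1000 + 3600))
    return out
```

Note what the nonce N_B does and does not buy: it proves to Bob that whoever sent message 5 knows K_AB right now, but it says nothing about how old K_AB is, which is exactly what C exploits. The timestamp in the ticket closes that gap, at the price of needing loosely synchronised clocks.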
Modified Needham-Schroeder protocol

• Suppress-replay attacks: attacks that exploit imperfect clock
  synchronisation.
  – If a sender's clock is ahead of the intended recipient's clock, a message
    carries a timestamp that is still in the recipient's future.
  – An attacker intercepts (suppresses) the message and replays it later,
    when the recipient's clock has caught up and the timestamp looks fresh.

• Countermeasure: enforce the requirement that parties regularly check their
  clocks against the KDC's clock, and keep the acceptance window small.
Kerberos Protocol

Another Symmetric Key Distribution Using


Symmetric Encryption

20
Kerberos

• Named after the three-headed watchdog that guarded the gates of Hades in
  Greek mythology.
• It is an authentication service developed at MIT as part of Project Athena.
• Scenario:
  – Users are using workstations in an open, distributed environment. They
    need to be able to access services on servers in different locations.
    There is a distributed client/server architecture.
  – Servers should only serve authorised users and should be able to
    authenticate requests.
• Kerberos is an example of an Authentication and Authorisation
  Infrastructure (AAI).
Kerberos

Kerberos has three kinds of servers:


■ Kerberos authentication server (AS):
A centralized trusted authentication server that issues long
lifetime tickets for the whole system.
■ Ticket-granting servers (TGS) :
Issue short lifetime tickets.
■ Service servers/vendor (S/V) :
Provide different services.

22
Kerberos (Two keys)

• K_A: a long-term secret key owned by A (known also to the AS/TTP)
• K_A,B: a session key for A and B
• Nonces are needed for authentication (freshness).
• Kerberos uses timestamps and a lifetime in place of nonces, which also lets
  it control the validity of tickets (this requires loosely synchronised
  clocks).
Kerberos Architecture

Kerberos

24
Kerberos Operation Overview (High Level)
• Once per user logon session:
  – (1) C → AS: ID_C, ID_tgs
  – (2) AS → C: E(K_c, K_c,tgs), Ticket_tgs

• Once per type of service:
  – (3) C → TGS: ID_C, ID_V, Ticket_tgs, Auth_c,tgs
  – (4) TGS → C: E(K_c,tgs, K_c,v), Ticket_V

• Once per service session:
  – (5) C → V: ID_C, Ticket_V, Auth_c,v
Step 1: Client requests…

C → AS: ID_C, ID_tgs, TS1


• Once the user is authenticated to the Client (C), the Client sends
the authentication server a request on the behalf of the user:
– This request includes a time-stamp (TS1) and two identities:
• IDC - to inform AS of the user
• IDtgs - to inform AS of the Ticket Granting Service required.
– There may be multiple TGS’s.

26
Step 2: AS responds…

AS → C: E_Kc[K_c,tgs, ID_tgs, TS2, Lifetime2, Ticket_tgs]

Ticket_tgs = E_Ktgs[K_c,tgs, ID_C, AD_C, ID_tgs, TS2, Lifetime2]

§ A session key, K_c,tgs, is generated for secure communication with the
  ticket granting server indicated by ID_tgs.
§ A time-stamp (TS2) is specified, as is a lifetime (Lifetime2) for the
  ticket.
§ Ticket_tgs is for access to the TGS. It includes:
  • The same session key, identity, time-stamp and lifetime.
  • ID_C, indicating the user.
  • AD_C, indicating the network address of the client/user, so the ticket
    cannot simply be used from another machine.

27
Step 3: Ticket Granting request

C → TGS: ID_V, Ticket_tgs, Authenticator_C

Authenticator_C = E_Kc,tgs[ID_C, AD_C, TS3]

• The client now has a ticket to communicate with a ticket granting


service, and in this step it communicates with the TGS to request a
Server ticket.
– IDV indicates the relevant server.
– Tickettgs is the client’s permission to access the TGS.
– AuthenticatorC
• Only C and TGS can open it.
• It is used by TGS to authenticate C.
• Contains IDC, ADC, TS3.
28
Step 4: Ticket granting response

TGS → C: E_Kc,tgs[K_c,v, ID_V, TS4, Lifetime4, Ticket_V]

Ticket_V = E_Kv[K_c,v, ID_C, AD_C, ID_V, TS4, Lifetime4]

The TGS returns a ticket to C, granting access to server/service V.


– The message is encrypted:
• Provides confidentiality and authentication.
– A key, KC,V , for C to talk to V.
– IDV is the identity of the server
– There is a new time-stamp (TS4) and a lifetime for the new ticket.

29
Step 5: Client request (of server)

C → V: Ticket_V, Authenticator_C
Authenticator_C = E_Kc,v[ID_C, AD_C, TS5]

• The client now communicates with V for access.


– TicketV
– AuthenticatorC - Only C and V can open it
• Used by V to authenticate C.
• Contains IDC, ADC, TS5.
30
Step 6: Server response (to client)

V → C: E_Kc,v[TS5 + 1]

• In this step the server acknowledges the message


from the client.

31
Kerberos Protocol V4

1: C → AS: ID_C, ID_tgs, TS1
2: AS → C: E_Kc[K_c,tgs, ID_tgs, TS2, Lifetime2, Ticket_tgs],
   where Ticket_tgs = E_Ktgs[K_c,tgs, ID_C, AD_C, ID_tgs, TS2, Lifetime2]
3: C → TGS: ID_V, Ticket_tgs, Authenticator_C,
   where Authenticator_C = E_Kc,tgs[ID_C, AD_C, TS3]
4: TGS → C: E_Kc,tgs[K_c,v, ID_V, TS4, Lifetime4, Ticket_V],
   where Ticket_V = E_Kv[K_c,v, ID_C, AD_C, ID_V, TS4, Lifetime4]
5: C → V: Ticket_V, Authenticator_C,
   where Authenticator_C = E_Kc,v[ID_C, AD_C, TS5]
6: V → C: E_Kc,v[TS5 + 1]
32
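The six V4 messages end to end, as an added Python simulation that is not code from the lecture: an AS, a TGS and a service V, each holding only the keys the protocol gives it, with ticket lifetimes and authenticator checks enforced. E_K[...] is modelled by an HMAC-tagged JSON token (integrity only), lifetimes are in minutes rather than V4's 5-minute units, and the names, addresses and key values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def seal(key: bytes, obj) -> list:
    """Stand-in for E_K[...]: JSON body plus an HMAC tag (integrity, no secrecy)."""
    body = json.dumps(obj, sort_keys=True)
    return [body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()]

def unseal(key: bytes, token: list):
    body, tag = token
    if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)

ADDR = "10.0.0.5"   # AD_C, the client's network address (constructed)
SKEW = 5            # accepted clock skew for authenticators, in minutes (assumption)

def make_ticket(server_key: bytes, skey: str, idc: str, ids: str, ts: int, life: int) -> list:
    # Ticket = E_Kserver[K, ID_C, AD_C, ID_server, TS, Lifetime]
    return seal(server_key, {"k": skey, "c": idc, "ad": ADDR, "s": ids, "ts": ts, "life": life})

def ticket_live(t: dict, now: int) -> bool:
    return t["ts"] <= now < t["ts"] + t["life"]

def check_authenticator(t: dict, auth: list, now: int) -> dict:
    a = unseal(bytes.fromhex(t["k"]), auth)        # only the holder of the ticket's key can open it
    if a["c"] != t["c"] or a["ad"] != t["ad"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return a

class AuthServer:
    def __init__(self, user_keys: dict, tgs_key: bytes, life: int = 480):
        self.user_keys, self.tgs_key, self.life = user_keys, tgs_key, life

    def step2(self, idc: str, idtgs: str, now: int) -> list:    # after 1: C -> AS: ID_C, ID_tgs, TS1
        k = secrets.token_hex(16)
        tgt = make_ticket(self.tgs_key, k, idc, idtgs, now, self.life)
        return seal(self.user_keys[idc], {"k": k, "tgs": idtgs, "ts": now, "life": self.life, "ticket": tgt})

class TicketGrantingServer:
    def __init__(self, key: bytes, service_keys: dict, life: int = 10):
        self.key, self.service_keys, self.life = key, service_keys, life

    def step4(self, idv: str, tgt: list, auth: list, now: int) -> list:   # after 3: C -> TGS
        t = unseal(self.key, tgt)
        if not ticket_live(t, now):
            raise ValueError("TGT expired")
        check_authenticator(t, auth, now)
        kcv = secrets.token_hex(16)
        tv = make_ticket(self.service_keys[idv], kcv, t["c"], idv, now, self.life)
        return seal(bytes.fromhex(t["k"]), {"k": kcv, "v": idv, "ts": now, "life": self.life, "ticket": tv})

class Service:
    def __init__(self, key: bytes):
        self.key = key

    def step6(self, tv: list, auth: list, now: int) -> list:     # after 5: C -> V: Ticket_V, Auth_C
        t = unseal(self.key, tv)
        if not ticket_live(t, now):
            raise ValueError("service ticket expired")
        a = check_authenticator(t, auth, now)
        return seal(bytes.fromhex(t["k"]), {"ts5": a["ts"] + 1})  # TS5+1: V proves it holds K_c,v

def client_session(idc: str, kc: bytes, as_: AuthServer, tgs: TicketGrantingServer,
                   v: Service, now: int, delay: int = 0) -> bool:
    m2 = unseal(kc, as_.step2(idc, "tgs", now))
    kc_tgs = bytes.fromhex(m2["k"])
    auth_tgs = seal(kc_tgs, {"c": idc, "ad": ADDR, "ts": now})
    m4 = unseal(kc_tgs, tgs.step4("v", m2["ticket"], auth_tgs, now))
    kcv, now = bytes.fromhex(m4["k"]), now + delay           # delay: minutes before using Ticket_V
    auth_v = seal(kcv, {"c": idc, "ad": ADDR, "ts": now})
    m6 = unseal(kcv, v.step6(m4["ticket"], auth_v, now))
    return m6["ts5"] == now + 1

def demo():
    kc, ktgs, kv = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(16)
    as_, tgs, v = AuthServer({"alice": kc}, ktgs), TicketGrantingServer(ktgs, {"v": kv}), Service(kv)
    ok = client_session("alice", kc, as_, tgs, v, now=1000)
    try:                                   # Ticket_V lives 10 minutes; present it 30 minutes later
        expired = client_session("alice", kc, as_, tgs, v, now=1000, delay=30)
    except ValueError:
        expired = False
    try:                                   # someone who does not know K_c cannot even read message 2
        wrong_key = client_session("alice", secrets.token_bytes(16), as_, tgs, v, now=1000)
    except ValueError:
        wrong_key = False
    return ok, expired, wrong_key
```

The authenticator is the part worth staring at: the ticket alone can be copied, but the authenticator must be built with the session key inside the ticket and must carry a current timestamp, so a stolen Ticket_V is useless without K_c,v and is rejected once its lifetime has passed.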
Kerberos V4 Limitations
• Encryption: V4 uses DES only. V5 allows any encryption method (the
  algorithm is identified in the message).
• Restricted ticket lifetime: V4 uses an 8-bit lifetime in units of 5 minutes,
  for a maximum of about 21 hours. V5 allows the specification of explicit
  start and end times.
• Authentication forwarding: V4 does not allow credentials issued to one
  client to be forwarded to another host. Consider the following example of
  when this might be desirable: a client issues a request to a print server
  that then accesses the client's file from a file server, using the client's
  credentials.
• Double encryption of the tickets in steps two and four: the ticket is
  already encrypted under the server's key, so wrapping it again in the
  client-keyed message is unnecessary and inefficient.
• Offline dictionary attack: The message from the authentication server to
  the client (step 2) can be captured. Because K_c is derived from the user's
  password, a password-guessing attack can be run offline against it, with
  success recognised when the decrypted result has the expected form. V5 adds
  pre-authentication so that the AS does not hand out this message to anyone
  who merely names a user.
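The offline dictionary attack on the step-2 message, as an added Python example that is not code from the lecture. The AS reply is modelled as an HMAC-tagged token, so "decrypts to an appropriate form" becomes "the tag verifies under the candidate key"; with real DES the attacker instead looks for plausible plaintext such as an ASCII ID_tgs and a sane timestamp. The string-to-key function, the realm salt, the wordlist and the password are constructed.

```python
import hashlib
import hmac
import json

def string_to_key(password: str, salt: str = "EXAMPLE.REALM") -> bytes:
    """K_c from the password. V4 derived a DES key with no salt; V5 salts with
    realm and principal. SHA-256 here is a stand-in for either real function."""
    return hashlib.sha256((salt + password).encode()).digest()

def as_reply(kc: bytes, session_key_hex: str) -> tuple:
    """Step 2 as a tagged JSON token: E_Kc[K_c,tgs, ID_tgs, TS2, Lifetime2, Ticket_tgs]."""
    body = json.dumps({"k": session_key_hex, "tgs": "krbtgt", "ts2": 1700000000,
                       "life": 60, "ticket": "<opaque, encrypted under K_tgs>"})
    return body, hmac.new(kc, body.encode(), hashlib.sha256).hexdigest()

def decrypts_to_valid_form(kc: bytes, captured: tuple) -> bool:
    body, tag = captured
    return hmac.compare_digest(hmac.new(kc, body.encode(), hashlib.sha256).hexdigest(), tag)

def dictionary_attack(captured: tuple, wordlist):
    """Fully offline: no further traffic to the AS, no lockout, no log entry."""
    for guess in wordlist:
        if decrypts_to_valid_form(string_to_key(guess), captured):
            return guess
    return None

WORDLIST = ["123456", "password", "letmein", "wollongong", "winter2024"]   # constructed

def demo(password: str = "wollongong"):
    captured = as_reply(string_to_key(password), "00" * 16)   # sniffed step-2 message
    return dictionary_attack(captured, WORDLIST)
```

Pre-authentication in V5 means the AS only answers after the client proves knowledge of K_c (normally an encrypted timestamp), so an attacker can no longer request this message for an arbitrary user. The captured pre-authentication data is still guessable offline, so the strength of the password (and of the string-to-key function) remains the real defence.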

33
Kerberos V5
1: C → AS: Options, ID_C, R_C, ID_tgs, Times, N1
2: AS → C: R_C, ID_C, Ticket_tgs, E_Kc[K_c,tgs, Times, N1, R_tgs, ID_tgs]
   Ticket_tgs = E_Ktgs[Flags, K_c,tgs, R_C, ID_C, AD_C, Times]
3: C → TGS: Options, ID_V, Times, N2, Ticket_tgs, Auth_C
   Auth_C = E_Kc,tgs[ID_C, R_C, TS1]
4: TGS → C: R_C, ID_C, Ticket_V, E_Kc,tgs[K_c,v, Times, N2, R_V, ID_V]
   Ticket_V = E_Kv[Flags, K_c,v, R_C, ID_C, AD_C, Times]
5: C → V: Options, Ticket_V, Auth_C
   Auth_C = E_Kc,v[ID_C, R_C, TS2, Subkey, Seq#]
6: V → C: E_Kc,v[TS2, Subkey, Seq#]

New in V5: R_X is the realm of X, so tickets can cross administrative
domains; Times carries the requested start, end and renew-till times
(replacing the 8-bit lifetime); N1 and N2 are nonces that bind each reply to
its request; Flags carry ticket options such as forwardable or renewable;
Subkey lets C propose a key for this session instead of reusing K_c,v; Seq#
is a starting sequence number against replay. The ticket is no longer
wrapped inside the client-keyed part (no double encryption).
34
Review, Summary, and PMP

36
Review
• Without pre-shared keys, any two parties (called Client and Server) in a
  group can secure their communication with the help of a centralised TTP
  (Authentication Server).
• Who contacts the TTP/AS?

• NTLM protocol: centralised authentication (the server contacts the AS).
• NS protocol: centralised key distribution (the user contacts the KDC).
• Kerberos protocol: centralised key distribution (the client contacts the AS
  and the TGS).
37
Summary: How to Understand a Protocol?

1. Understand the principle.

2. Understand each notation.

3. Understand the reason for having each object (what attack it prevents).

You are not asked to remember the protocols but to understand how they work!
38
PMP
• In this protocol (the NTLM challenge-response), suppose A and B already
  have a secure channel. Can we set the challenge C = 1 for all
  authentications?

39
PMP
• In this protocol (the NTLM challenge-response), suppose A and B already
  have a secure channel. Can we set the challenge C = 1 for all
  authentications?
Answer: NO. The response R = E_Hash(pwd)(C) would then be the same every
time, so Bob (the server) could replay it to impersonate Alice to C (another
service server).

40
NS Protocol
• In this protocol, what is the purpose of computing

41
NS Protocol
• In this protocol, what is the purpose of computing

Answer: To make sure that B knows who the client is and can obtain the
session key K_AB for secure communication.

42
END

43
Network Security
CSCI368/968

Dr. Fuchun Guo


University of Wollongong

1
Background
• Bob sends a message M to Alice

• We don’t care how message is sent

• We assume that Alice will receive M.

• In real application, we must consider....

2
Background

(figure: clients and servers connected over the Internet)

• C-S security: client to server
• S-S security: server to server
• C-C security: client to client (end to end)
ONE Question
An application (version 1) requires communication but it is insecure. What
should we do to have a secure V2?

• Totally rewrite the application into version 2.

• Version 2 with slight rewriting.

• No need to rewrite it for security.

We can achieve this in the above three different ways.


ONE Question: From V1 to V2

Application:  • Add-on support (done by clients)
              • Partially rewrite without changing the application protocol
              • Rewrite the app with new application protocols
Transport:
Internet:     • Rewrite the internet protocols
Data Link:
Physical:
Topic 7

6
Outline

q Email
q PGP
q S/MIME

1/22/2024 Network Security 7


Email Protocols

• Email is an application for exchanging messages.

• Email protocol is a set of rules defined to ensure that


emails can be exchanged between various servers and
email clients in a standard manner.

• This ensures that the email is universal and works for all
users.

8
Email Protocols

The common protocols for email delivery are

• Simple Mail Transfer Protocol (SMTP)


• Post Office Protocol (POP),
• Internet Message Access Protocol (IMAP)

Each of these protocols has a standard methodology to deal with


the emails and also has defined functions.

9
Email Protocols
SMTP Protocol
• SMTP stands for Simple Mail Transfer Protocol. SMTP is the principal email protocol
that is responsible for the transfer of emails between email clients and email servers.

POP Protocol
• POP stands for Post Office Protocol. Email clients use the POP protocol support in the
server to download the emails. This is primarily a one-way protocol and does not sync
back the emails to the server.

IMAP Protocol
• IMAP stands for Internet Message Access Protocol. IMAP Protocol is used to sync the
emails in the server with the email clients. It allows two-way sync of emails between the
server and the email client, while the emails are stored on the server.

10
Email Protocols

                          SMTP    POP3    IMAP
Insecure port number      25      110     143
Secure port number        587     995     993
(works over TLS/SSL)

Note: 587 is the message-submission port, on which TLS is negotiated with
STARTTLS; 465 is the implicit-TLS (SMTPS) submission port. 995 and 993 are
implicit TLS from the first byte. Server-to-server delivery still uses port
25, usually with opportunistic STARTTLS.
11
Email Protocols (SMTP)

12
Email Protocols (SMTP)

13
Email Protocols (POP)

• POP3 stands for Post Office Protocol version 3; it provides access to an
  inbox stored on an email server. It executes download and delete
  operations for messages. Thus, when a POP3 client connects to the mail
  server, it retrieves all messages from the mailbox, stores them on your
  local computer and deletes them from the remote server.

• Thanks to this protocol, you are able to access the messages locally in
  offline mode as well. It also allows you to keep a copy of your messages
  on the server if you explicitly select this option.

16
Email Protocols (IMAP)

• The Internet Message Access Protocol (IMAP) allows you to


access and manage your email messages on the email server.

• This protocol permits you to manipulate folders, permanently


delete and efficiently search through messages. It also gives you
the option to set or remove email flags, or fetch email attributes
selectively.

• By default, all messages remain on the server until the user


specifically deletes them.

17
Email Protocols (IMAP VS POP)

• POP3 protocol assumes that your email is being accessed only


from one application, IMAP allows simultaneous access by
multiple clients. IMAP is more suitable for you if you’re going to
access your email from different locations or if your messages are
managed by multiple users.

• POP3 downloads your emails to your local computer, deleting


them from the server. Thus, it reduces the space your email
account uses on your web server. IMAP is used to sync the emails
in the server with the email clients

18
Email Protocols (IMAP)
C: a001 login username password
S: a001 OK LOGIN completed
C: a002 select inbox
S: * 18 EXISTS
S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
S: * 2 RECENT
S: * OK [UNSEEN 17] Message 17 is the first unseen message
S: * OK [UIDVALIDITY 3857529045] UIDs valid
S: a002 OK [READ-WRITE] SELECT completed
C: a003 fetch 12 full
S: * 12 FETCH (FLAGS (\Seen) INTERNALDATE "17-Jul-1996 02:44:25 -0700"
      RFC822.SIZE 4286 ENVELOPE ("Wed, 17 Jul 1996 02:23:25 -0700 (PDT)"
      "IMAP4rev1 WG mtg summary and minutes"
      (("Terry Gray" NIL "gray" "cac.washington.edu"))
      (("Terry Gray" NIL "gray" "cac.washington.edu"))
      (("Terry Gray" NIL "gray" "cac.washington.edu"))
      ((NIL NIL "imap" "cac.washington.edu"))
      ((NIL NIL "minutes" "CNRI.Reston.VA.US")
      ("John Klensin" NIL "KLENSIN" "MIT.EDU")) NIL NIL
      "<[email protected]>")
      BODY ("TEXT" "PLAIN" ("CHARSET" "US-ASCII") NIL NIL "7BIT" 3028
      92))
S: a003 OK FETCH completed

(Note that the login on the first line sends the password in the clear
unless the connection is already protected by TLS.)

19
Email Protocols (MIME)
• SMTP was designed for 7-bit ASCII text, so it did not deal well with
  binary files or with the characters of many non-English languages.

• Multipurpose Internet Mail Extensions (MIME) were developed to encode
  binary files (therefore supporting attachments) for transfer through SMTP.

• Mail transfer agents developed after Sendmail also tended to assume 7-bit
  text, so an encoding layer was needed to transmit arbitrary data via SMTP.

20
Email Protocols (MIME)
■ RFC 822 (the Internet message format used with SMTP) allows only ASCII
  characters in emails.
■ MIME messages are intended to transport arbitrary data.

Email Protocols (MIME)
MIME is intended to avoid a number of limitations in RFC 822:
■ Extends RFC 822 to allow email to carry messages with arbitrary content.
■ Supports long message transfer.
■ Introduces new header fields in RFC 822 email to specify the format and
  content of extensions (Content-Type, Content-Transfer-Encoding, ...).
■ Supports a number of content types together with a number of encoding
  schemes (so that the result can still be sent over SMTP).
■ Specified in RFCs 2045-2049.


1. Email Security
However, email has very weak security:
■ Lack of Confidentiality
- Sent in clear over open networks.
- Stored on potentially insecure clients and servers.

■ Lack of Integrity
- Both the header and content can be modified.

■ Lack of Authentication
- The sender of an email is also forgeable.



PGP

24
2. PGP Overview
Basically, PGP provides confidentiality and authentication services to
enhance the security of email transmission and storage.

■ Developed by Philip Zimmermann.

■ PGP and OpenPGP operations are specified in a few documents (RFC 2015,
  3156, 4880; RFC 4880 is the OpenPGP message format).


WHAT PGP Protects

26
2. PGP Overview



3. PGP Operational Description

Operational Description
- Authentication
- Confidentiality
- Confidentiality and Authentication
- Email Compatibility (encoding)
- Segmentation and Reassembly



3. PGP Operational Description
Notation
Ks: one-time session key
PRa: private key of user A
PUa: public key of user A
EP: public key encryption
DP: public key decryption
EC: symmetric encryption
DC: symmetric decryption
H: hash function
||: concatenation
Z: compression using ZIP algorithm
R64: conversion to radix 64 ASCII format
3. PGP Operational Description
Authentication only (RSA with SHA-1 in the original PGP; SHA-1 is deprecated
for signatures today):
  A sends Z(EP(PRa, H(M)) || M); B verifies DP(PUa, signature) against H(M).

Confidentiality only:
  A sends EP(PUb, Ks) || EC(Ks, Z(M)); B recovers Ks with PRb, then M.

Confidentiality and Authentication:
  A signs first, as above, then encrypts the signed, compressed message:
  EP(PUb, Ks) || EC(Ks, Z(EP(PRa, H(M)) || M)).

Compression: Using ZIP.
■ The order of operations: sign → compress → encrypt.
■ Signing before compressing is more convenient: the signature is stored and
  verified against the plain message, independent of the compression
  implementation.
■ Compressing before encrypting helps security: the compressed message has
  less redundancy, which gives an attacker less structure to work with.

Q: what about encrypt then sign?


3. PGP Operational Description

Email Compatibility:

■ After the above security operations, the resulting message will contain
  arbitrary octets.

■ PGP needs to convert the raw 8-bit binary stream into a stream of
  printable ASCII characters for transmission over SMTP.

■ For this purpose, radix-64 conversion (base64) is used: every 3 octets are
  mapped to 4 printable characters.
■ This operation expands the message by 33%.
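The whole confidentiality-and-authentication pipeline in the lecture's own notation (H, EP/DP, EC/DC, Z, R64), as an added Python example that is not code from the lecture. EP/DP use textbook RSA over tiny Mersenne-prime moduli, EC/DC use a SHA-256 counter keystream XOR in place of PGP's real symmetric cipher, Z is zlib and R64 is base64; key sizes, the message and the 32-byte field layout are assumptions for illustration, not OpenPGP's packet format.

```python
import base64
import hashlib
import os
import zlib

# Textbook RSA over Mersenne-prime moduli: toy sizes, for illustration only.
def toy_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (PU, PR)

PUa, PRa = toy_keypair(2**89 - 1, 2**107 - 1)     # sender A
PUb, PRb = toy_keypair(2**61 - 1, 2**127 - 1)     # recipient B

def H(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def EP(pu, x: int) -> int:                         # public-key operation
    return pow(x, pu[0], pu[1])

def DP(pr, y: int) -> int:                         # private-key operation
    return pow(y, pr[0], pr[1])

def EC(k: bytes, m: bytes) -> bytes:
    """Symmetric cipher stand-in: SHA-256 counter keystream XOR (no integrity)."""
    blocks = len(m) // 32 + 1
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(m, ks))

DC = EC                                            # XOR is its own inverse
Z, UNZ = zlib.compress, zlib.decompress
R64, UNR64 = base64.b64encode, base64.b64decode

def pgp_send(M: bytes, signer=PRa) -> bytes:
    sig = DP(signer, H(M) % signer[1])             # the signature EP(PRa, H(M)) of the slides
    signed = sig.to_bytes(32, "big") + M           # signature travels with the plain message
    Ks = os.urandom(16)                            # one-time session key
    body = EC(Ks, Z(signed))                       # sign -> compress -> encrypt
    wrapped = EP(PUb, int.from_bytes(Ks, "big"))   # Ks under B's public key
    return R64(wrapped.to_bytes(32, "big") + body) # radix-64 so SMTP can carry it

def pgp_receive(blob: bytes) -> bytes:
    raw = UNR64(blob)
    Ks = DP(PRb, int.from_bytes(raw[:32], "big")).to_bytes(16, "big")
    signed = UNZ(DC(Ks, raw[32:]))                 # decrypt -> decompress
    sig, M = int.from_bytes(signed[:32], "big"), signed[32:]
    if EP(PUa, sig) != H(M) % PUa[1]:              # verify with A's public key
        raise ValueError("signature check failed")
    return M

def expansion_ratio(n_bytes: int = 300) -> float:
    return len(R64(os.urandom(n_bytes))) / n_bytes  # 4/3: the 33% from the slide
```

Because the signature is computed over M before compression, the receiver can keep M together with its signature and re-verify it later without caring which compressor produced the transmitted bytes. Note also that the toy EC has no integrity protection of its own; OpenPGP added the modification-detection code (and later AEAD modes) precisely because encryption alone does not detect tampering.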


3. PGP Operational Description

Segmentation and Reassembly:

■ Email systems often limit the size of a message, e.g. to 50,000 octets (an
  octet is a sequence of 8 bits).
■ So, a longer message must be broken up into segments.
■ After all other operations, PGP automatically subdivides a long message
  into small segments.
■ Once it gets those emails, the receiver first strips off all email headers
  and reassembles the blocks, and then performs the other processing
  (radix-64 decoding, decryption, decompression, signature verification) in
  reverse order.


5. PGP Public Key Management
■ In X.509, public keys are certified by trusted CAs.
■ PGP uses a completely different model – the web of trust.

  - Each PGP user assigns a trust level to other users (Owner Trust field):
    how far this user trusts that owner to certify other people's keys.
  - Each user can certify (i.e., sign) the public keys of users he/she
    knows.
  - Each public key in the ring stores a number of signatures that certify
    it.
  - PGP automatically computes a trust level for each public key (Key
    Legitimacy field) in the key ring from those signatures and the signers'
    owner-trust values.
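How the Owner Trust and Key Legitimacy fields interact, as an added Python example that is not code from the lecture. The rule implemented is the classic PGP default (one signature from a fully trusted owner, or two from marginally trusted owners, makes a key legitimate), and a signature only counts if the signer's own key is already legitimate; the key ring, the names and the trust assignments are constructed.

```python
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
WEIGHT = {ULTIMATE: 1.0, FULL: 1.0, MARGINAL: 0.5, NONE: 0.0}   # 1 full or 2 marginal needed

RING = {            # constructed key ring: key id -> ids of the keys whose owners signed it
    "Me": [],
    "Bob": ["Me"],
    "Carol": ["Bob"],
    "Dave": ["Me"],
    "Erin": ["Me"],
    "Frank": ["Dave", "Erin"],
    "Grace": ["Dave"],
    "Heidi": ["Carol"],
    "Ivan": ["Zed"],          # Zed is not in my ring at all
}
OWNER_TRUST = {"Me": ULTIMATE, "Bob": FULL, "Dave": MARGINAL, "Erin": MARGINAL}  # others: none

def key_legitimacy(ring: dict, owner_trust: dict, me: str) -> set:
    """Return the set of legitimate (valid) keys in the ring.
    A key is legitimate if it is my own, or if signatures from signers that
    are themselves legitimate reach weight 1.0 under their owner-trust values.
    Iterate to a fixpoint because legitimacy propagates along signatures."""
    legit = {me}
    changed = True
    while changed:
        changed = False
        for key, signers in ring.items():
            if key in legit:
                continue
            weight = sum(WEIGHT[owner_trust.get(s, NONE)] for s in set(signers) if s in legit)
            if weight >= 1.0:
                legit.add(key)
                changed = True
    return legit

def demo() -> list:
    return sorted(key_legitimacy(RING, OWNER_TRUST, "Me"))
```

Two cases in the ring show the two separate fields at work: Carol's key is legitimate (Bob, fully trusted, signed it) but Carol has no owner trust, so her signature on Heidi's key is worth nothing; Grace has one marginal signature, which is not enough, while Frank's two marginal signatures add up.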


5. PGP Public Key Management



S/MIME

39
S/MIME
■ S/MIME (Secure/Multipurpose Internet Mail Extensions)
  - A security enhancement to MIME email
  - based on technology from RSA Data Security (PKCS #7 / CMS)
  - specified by RFCs 3369, 3370, 3850 and 3851 (since superseded by RFC
    5652 for CMS and RFCs 8550/8551 for S/MIME 4.0).


RFC 822
■ RFC 822 defines a format for Internet-based text mail message.
■ In RFC 822, each email is viewed as having an envelope and
content.
■ The envelope contains all information needed for email
transmission and delivery.
■ RFC 822 applies only to the contents.
■ The content has two parts, separated by a blank line:
- The header: Date, From,To, Subject, …
- The body: containing the actual message.



7. S/MIME

S/MIME
- Functions
- Algorithms
- Processing
- Certificate management



7. S/MIME: Functions

Similar to PGP, S/MIME provides the following


functions to secure email:
■ Enveloped Data: encrypted-only.
■ Signed Data: signed-only.
■ Signed and Enveloped: nesting of signed and
encrypted entities.



7. S/MIME: Algorithms
S/MIME supports the following algorithms.



7. S/MIME: Processing

MIME entity → (S/MIME processing) → PKCS object → (Base64 encoding) → S/MIME entity

■ PKCS: Public Key Cryptography Standard.

■ A PKCS object includes the original content plus all information needed
  for the recipient to perform security processing.


7. S/MIME: EnvelopedData

MIME entity → (S/MIME processing) → EnvelopedData PKCS object → (Base64) → S/MIME entity

The EnvelopedData PKCS object contains:
  • RecipientInfo: EP(PUb, k), an identifier of the recipient's
    certificate/PUb, and the algorithms used;
  • EncryptedContent: EC(k, M), the MIME entity encrypted under the one-time
    content-encryption key k.
The S/MIME entity consists of an S/MIME header plus the Base64-encoded PKCS
object as the S/MIME body.


7. S/MIME: SignedData

MIME entity → (hash, sign) → SignedData PKCS object → (Base64) → S/MIME entity

The SignedData PKCS object contains:
  • SignerInfo: the signer's certificate/PUa, the signature over the hash of
    the MIME entity, and the hash and signature algorithms used;
  • the MIME entity itself (the signed content).
As before, the S/MIME entity is an S/MIME header plus the Base64-encoded
PKCS object as the S/MIME body.


Review, Summary, and PMP

48
Review
oBackground: SMTP, POP, IMAP, MIME
oPGP
oS/MIME
oConfidentiality or Integrity

49
Summary

                 PGP                     S/MIME
Certificate      the web of trust        X.509
Built on         SMTP (radix-64 body)    MIME
Usage            personal                enterprise

https://security.stackexchange.com/questions/7874/how-does-pgp-differ-from-s-mime
PMP
Question 1: Bob is running the SMTP protocol to send an email to Alice. What
can the adversary see if it acts as the mail server between Alice and Bob?

51
PMP
Question 1: Bob is running the SMTP protocol to send an email to Alice. What
can the adversary see if it acts as the mail server between Alice and Bob?

Answer: It can see who the sender is, who the receiver is, and the email
contents. TLS on the SMTP connections only protects each hop on the wire;
a relaying server still sees everything in the clear.

52
PMP
Question 2: Alice runs PGP to send a secure email to Bob, while Bob runs POP
to download the email. Can the adversary see the email contents if POP has
no security protection?

53
PMP
Question 2: Alice runs PGP to send a secure email to Bob, while Bob runs POP
to download the email. Can the adversary see the email contents if POP has
no security protection?
Answer: No. The email that Bob is downloading was encrypted end to end by
Alice, so the adversary only sees ciphertext in the POP session (plus the
email headers, which PGP does not protect; and Bob's POP password, if POP
runs without TLS).

54
Topic 8

55
Secure SHell (SSH)
SSH Overview
• SSH = Secure Shell
  – Initially designed to replace the insecure rsh and telnet utilities.
  – Secure remote administration (mostly of Unix systems).
  – Later, provides a general secure channel for network applications.
  – Only covers traffic explicitly protected.
  – Applications need modification, but port forwarding eases some of this.
SSH Overview
SSH Protocol Stack
SSH-2 Architecture

SSH-2 adopts a three layer architecture:


• SSH Transport Layer Protocol.
– Initial connection.
– Server authentication
– Sets up secure channel between client and server via key exchange etc.
• SSH Authentication Protocol
– Client authentication over secure transport layer channel.
• SSH Connection Protocol
– Supports multiple connections over a single transport layer protocol secure
channel.
– Efficiency (session re-use).
SSH-2 Security Goals
• Server authenticated in transport layer protocol.
• Client authenticated in authentication protocol.
– By public key (DSS, RSA).
– Or simple password
• Establishment of a fresh, shared secret.
– Shared secret used to derive further keys (Enc Keys, MAC
keys, IVs), similar to SSL/TLS.
– For confidentiality and authenticity in SSH transport layer
protocol.
• Secure ciphersuite negotiation.
– Encryption, MAC, and compression algorithms.
SSH Transport Layer Protocol
• Server authentication, based on server’s host key pair(s),
namely public key and secret key
• Packet exchange
– establish TCP connection
– can then exchange data (packet exchange)
• identification string exchange, algorithm negotiation, key
exchange, end of key exchange, service request
– service request: either the User Authentication or the Connection
Protocol
SSH Key Fingerprints
• The security of the connection relies on the server authenticating itself
  to the client.

• When you connect to a remote host computer for the first time, the host
  sends your local computer its public key in order to identify itself. To
  help you verify the host's identity, a fingerprint of the host's public
  key is presented to you for verification.

• Many users just blindly accept the presented key. This is trust on first
  use: the accepted key is stored (in ~/.ssh/known_hosts for OpenSSH) and a
  later change is flagged loudly, but a man-in-the-middle on the very first
  connection is never detected unless the fingerprint was checked against a
  value obtained out of band (e.g. published by the administrator).

• SSH is not friendly to the general public.
SSH Key Fingerprints
SSH-2 Algorithms
• Key establishment through Diffie-Hellman key exchange.
  – Ephemeral Diffie-Hellman (giving forward secrecy); modern deployments
    mostly use its elliptic-curve form (ECDH, e.g. curve25519).
• Server authentication via RSA or DSS signatures (today also ECDSA and
  Ed25519; OpenSSH has disabled DSS by default since 7.0).
• HMAC-SHA1 or HMAC-SHA256 for the MAC algorithm.
• 3DES, AES, RC4, etc. for the encryption algorithm (RC4/arcfour is now
  prohibited by RFC 8758).
SSH Transport Layer Protocol
Diffie-Hellman Key Exchange

Client generates a random number x_c and computes
    y_c = g^(x_c) mod p
and sends y_c to Server.

Server generates a random number x_s and computes
    y_s = g^(x_s) mod p
and the shared secret
    K = y_c^(x_s) = g^(x_c · x_s) mod p.

Server computes the exchange hash value
    H = hash(id_C || id_S || init_C || init_S || PK_S || y_c || y_s || K)
where id_S, id_C are the Server's and Client's identification strings and
init_S, init_C are the Server's and Client's initial (KEXINIT) messages.

Server generates the signature on the exchange hash value
    signature = Sign_SK_S(H)
and sends (y_s, PK_S, signature) to Client.

Client computes K = y_s^(x_c) = g^(x_c · x_s) mod p, recomputes H from the
same inputs, and verifies the signature under PK_S. This signature check is
what authenticates the server; it only helps if the client has verified PK_S
(the host key fingerprint) beforehand.
SSH Transport Layer Protocol
Key Derivation

• After the key exchange, both Server and Client obtain two common values:
  – a shared secret value K, and
  – an exchange hash value H.

• Encryption keys and MAC keys are derived from K and H.

• The exchange hash value H from the first key exchange is additionally used
  as the session identifier (it does not change when keys are re-exchanged).

Keys and IVs are computed as hashes of the shared secret K and H as follows:

• Initial IV client to server:      hash(K || H || "A" || session_id)
• Initial IV server to client:      hash(K || H || "B" || session_id)
• Encryption key client to server:  hash(K || H || "C" || session_id)
• Encryption key server to client:  hash(K || H || "D" || session_id)
• MAC key client to server:         hash(K || H || "E" || session_id)
• MAC key server to client:         hash(K || H || "F" || session_id)

If a key must be longer than the hash output, it is extended as
K1 = hash(K || H || X || session_id), K2 = hash(K || H || K1), ... and the
key is K1 || K2 || ... truncated to the required length. The distinct
letters give each direction and purpose an independent key, so a compromise
of one (e.g. a MAC key) does not reveal the others.
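The exchange hash and the key derivation above, as an added Python example that is not code from the lecture. It follows the encodings of RFC 4251/4253 (string and mpint fields, the letters A-F, extension by hashing K || H || K1 ...), using SHA-256 as the hash, but over a toy 127-bit Mersenne-prime group rather than a real SSH group, and with constructed identification strings, KEXINIT payloads and host-key blob. The server's signature on H (and the client's fingerprint check of PK_S) is left out so the example runs without a real host key.

```python
import hashlib
import secrets

P = 2**127 - 1      # toy DH prime; real SSH uses e.g. RFC 3526 group 14 or ECDH
G = 2

def mpint(x: int) -> bytes:
    """SSH mpint (RFC 4251): 4-byte length, big-endian two's complement, leading 0x00 if MSB set."""
    if x == 0:
        return b"\x00\x00\x00\x00"
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # one extra bit keeps the sign bit clear
    return len(b).to_bytes(4, "big") + b

def string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def exchange_hash(id_c, id_s, init_c, init_s, pk_s, y_c, y_s, k) -> bytes:
    """H = hash(id_C || id_S || init_C || init_S || PK_S || y_c || y_s || K), SSH-encoded."""
    data = (string(id_c) + string(id_s) + string(init_c) + string(init_s) + string(pk_s)
            + mpint(y_c) + mpint(y_s) + mpint(k))
    return hashlib.sha256(data).digest()

def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 7.2: K1 = HASH(K||H||X||session_id); Kn = HASH(K||H||K1||...||Kn-1); truncate."""
    out = hashlib.sha256(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha256(mpint(k) + h + out).digest()
    return out[:length]

def kex(id_c=b"SSH-2.0-client_demo", id_s=b"SSH-2.0-server_demo",
        init_c=b"KEXINIT-C", init_s=b"KEXINIT-S", pk_s=b"host-key-blob"):
    x_c, x_s = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    y_c, y_s = pow(G, x_c, P), pow(G, x_s, P)                 # client and server DH values
    k_client, k_server = pow(y_s, x_c, P), pow(y_c, x_s, P)   # both equal g^(x_c x_s) mod p
    h = exchange_hash(id_c, id_s, init_c, init_s, pk_s, y_c, y_s, k_server)
    session_id = h                                             # H of the first exchange
    spec = [("iv_c2s", b"A", 16), ("iv_s2c", b"B", 16), ("enc_c2s", b"C", 32),
            ("enc_s2c", b"D", 32), ("mac_c2s", b"E", 32), ("mac_s2c", b"F", 32)]
    keys = {name: derive_key(k_server, h, x, session_id, n) for name, x, n in spec}
    return k_client == k_server, h, keys
```

Because H covers both identification strings and both KEXINIT messages, a man-in-the-middle who downgrades the negotiated algorithms changes H, and the server's signature over H no longer verifies; that is how SSH turns the host-key signature into protection for the whole negotiation.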
SSH Transport Layer Protocol
Binary Packet Protocol
SSH User Authentication Protocol

• Authenticates client to server


• Authentication methods used
– public key (digital signature)
– password
– host-based
SSH Connection Protocol
• Run on top of the SSH Transport Layer Protocol
• Assume secure authentication connection
• Used for multiple logical channels
– Different SSH communications use separate channels
– either side can open a channel with unique id number
– have three stages:
• opening a channel, data transfer, closing a channel
– four types:
• Session: The remote execution of a program.
• X11: This refers to the X Window System
• forwarded-tcpip: This is remote port forwarding
• direct-tcpip: This is local port forwarding
SSH Connection Protocol Exchange
SSH Port Forwarding
Without SSH (figure: the user's machine UM connects directly to the login server, the mail server and the web server)
SSH Port Forwarding
With SSH and port forwarding (figure: the user's machine UM connects to the SSH-enabled login server, which relays traffic to the mail server and the web server)

• Local Port Forwarding
• Remote Port Forwarding
SSH Port Forwarding
(figure: SSH is running on both ends, with port A on the local side and a secure SSH channel between the two)

All data sent to port A will be sent to another device via the SSH channel.
SSH Port Forwarding (Application)
(figure: SSH is running on both computers, connected by a secure SSH channel)

Two computers use firewalls to block all port numbers except SSH.

How can other applications run as normal using SSH?


SSH Port Forwarding (Local)
ssh creates an additional local port which it will forward to a port on
the remote system.

Example:

ssh -L 8080:127.0.0.1:80 user@webserver

Then, in your browser on the local machine, use the URL http://localhost:8080/

It will connect to the local machine's port 8080, which ssh will forward on
to the remote ssh, which will then make a request to 127.0.0.1:80. Note that
127.0.0.1 is actually the remote server's localhost, but it could have
been any host/IP reachable from the remote machine's network.
SSH Port Forwarding (Remote)
Asks ssh to create a listening port on the remote machine which it
will forward back (reverse) to the local ssh to forward on.

ssh -R 10123:127.0.0.1:123 user@webserver

So, after ssh connects to webserver, the remote ssh creates and listens
on port 10123. When a process on webserver connects to 10123, ssh
picks it up and sends it back to the local machine's ssh, which sends
it on to 127.0.0.1:123.

• Web server sends data to port 10123 instead of the normal port.
• Client listens on 123 instead of the normal port.
Port Forwarding

- Client sets up an SSH connection to the remote SSH server
- Select a local port x and configure SSH to accept traffic
from this port destined for port y on a remote application
server
- Client informs the SSH server to create a connection to the
destination (application server port y)
- Client takes any bits sent to local port x and sends them to
the server via the SSH session. The SSH server decrypts the
bits and sends the plaintext to port y of the application
server
SSH Applications
• Anonymous ftp for software updates, patches...
– No client authentication needed, but clients want to be sure of origin and
integrity of software.
• Secure ftp.
– E.g. upload of webpages to a webserver using sftp.
– Server now needs to authenticate clients.
– Username and password sufficient, transmitted over secure SSH transport
layer protocol.
• Secure remote administration.
– SysAdmin (client) sets up terminal on remote machine.
– SysAdmin password protected by SSH transport layer protocol.
• Virtual Private Network.
– E.g. use SSH + port forwarding to secure the communications of other
applications.
SSL/TLS

1/22/2024 Network Security 85


SSL/TLS: Background

■ SSL was originated by Netscape in 1994.


■ TLSv1.0 ~ SSLv3.1, and very close to SSLv3.
■ TLSv1.2 is specified by RFC 5246.
■ TLSv1.3 is specified by RFC 8446.

■ SSL --> TLS after standardization

SSL/TLS: Applications

■ Web security (or HTTPS)


■ VPN (e.g., CISCO AnyConnect)
■ Internet of Things
■ E-Commerce
■ 5G
■ ...

SSL/TLS Architecture

- alert
- Handshake
- change_cipher_spec
- application data

SSL/TLS Architecture
SSL/TLS provides a reliable end-to-end security service by using
TCP. It has two layers of protocols:

■ Record Protocol: Provides basic security services to various


higher-layer protocols (e.g. HTTP), and supports TLS management
protocols.

■ Three management protocols:
- The Change Cipher Spec Protocol: Updates the cipher suite.
- The Alert Protocol: Conveys TLS-related alerts to the peer entity.
- The Handshake Protocol: Allows the server and client to authenticate each
other and to negotiate encryption and MAC algorithms, together with the secret keys
used in a TLS record.

TLS Record Protocols
TLS Record Protocol provides two security services for
application data:
■ Confidentiality:
- TLS payloads are encrypted by using symmetric encryption
with a shared secret key
- AES, 3DES, RC4-128, ...
■ Integrity:
- A MAC is generated for TLS payloads with another shared
secret key
- HMAC

TLS Record Protocol

TLS Record Protocol
Fig. 5.4 TLS Record Format

TLS Record Protocol
TLS Record Protocol Payload

TLS Change Cipher Spec Protocol

- Consists of a single message with the value 1.

- The change cipher spec message is sent by both the client and
server to notify the receiving party that subsequent records will
be protected under the newly negotiated CipherSpec and keys.

TLS Alert Protocol

■ Alert Protocol:
- Used to convey TLS-related alerts to the peer entity, i.e. to tell the
other party that something has gone wrong.

- A number of Warning or Fatal alerts have been defined.

TLS Alert Protocol
§ each alert message consists of 2 fields (bytes)
§ first field (byte): “warning” or “fatal”
§ second field (byte):
– fatal
• unexpected_message
• bad_record_MAC
• decompression_failure
• handshake_failure
• illegal_parameter
• …
– warning
• bad_certificate
• unsupported_certificate
• certificate_revoked
• certificate_expired
• certificate_unknown
• …

Handshake Protocol
As the most complex part of TLS, the Handshake
protocol allows the server and the client to finish the
following tasks:
■ Agree on a version of TLS to be used;
■ Authenticate each other (optional);
- Use digital certificates to learn the other’s identity and public
keys; issue and verify signatures.
■ Negotiate a set of cryptographic algorithms and shared
keys to be used in the TLS record protocol.

Handshake Protocol
The Handshake protocol consists of a number of messages
exchanged between client and server. Each message has
three fields:
■ Type (1 byte): Indicates one of 10 messages.
■ Length (3 bytes): The length of the message in bytes.
■ Content (>= 0 bytes): The parameters associated with this
message.

Handshake Protocol

To establish a logical connection between client and server, the


Handshake protocol will run in four phases:
■ Phase 1: Establish Security Capabilities:
- Negotiate protocol version and algorithms
■ Phase 2: Server Authentication and Key Exchange:
- Server sends key exchange messages
■ Phase 3: Client Authentication and Key Exchange
- Client sends key exchange messages
■ Phase 4: Finish
- Switch to new algorithms and keys.

Handshake Protocol

Diffie-Hellman Revisited

1: A → B: A, YA
2: B → A: B, YB, SigB(A, YB, YA)
3: A → B: SigA(B, YA, YB)

Key Transport

Alice holds (SKA, PKA); Bob holds PKA and chooses the key K.
Bob → Alice: YB = E(PKA, K)
Alice decrypts YB with SKA and obtains K.

E: public key encryption, e.g., RSA

Handshake Protocol
■ Key exchange methods supported by TLS 1.2:
- RSA: Client encrypts a secret with the server's RSA public key.
- Anonymous DH: No authentication (without certificates).
- Fixed DH: Server has an authorized (certified) DH key, while the client
may or may not have an authorized DH key.
- Ephemeral DH: Use one-time DH keys, which are signed by
the senders using RSA or DSS.
Handshake Protocol

• ClientHello
– Contains the protocol version, the client nonce and the
client's list of preferred ciphersuites
• ServerHello
– Contains the chosen protocol version, the server nonce and
the chosen ciphersuite
More on Cipher Suites
• Format of a typical cipher suite:
– key exchange algorithm _ authentication (signature)
algorithm _ symmetric encryption algorithm _ MAC
algorithm
• Some key exchange algorithms: RSA, DH, ECDH, ECDHE
• Some authentication algorithms: RSA, DSA, ECDSA
• Some symmetric encryption algorithms: AES, 3DES, CAMELLIA (old)
• Some MAC algorithms: SHA, MD5
• Sometimes key length is specified.

More on Cipher Suites
• Example : TLS_DHE_RSA_WITH_3DES_CBC_SHA
– The key exchange algorithm: DHE
– The authentication algorithm: RSA
– The symmetric encryption algorithm: 3DES_CBC
– The MAC algorithm: SHA
• Example: TLS allocates an ID for each cipher suite.

Cipher Suite name                 TLS ID   Since
TLS_RSA_WITH_AES_128_CBC_SHA256   0x003C   TLS1.2
TLS_RSA_WITH_AES_256_CBC_SHA256   0x003D   TLS1.2

Handshake Protocol

• Server Certificate
– Required when server authentication is needed
– X.509 certificate for one of the following types (depending
on the key exchange method)
• RSA Encryption Key
• Fixed Diffie-Hellman Public Key
• Digital Signature Public Key
Handshake Protocol

• Server Key Exchange
(the server sends a fresh random value)
– Required when Ephemeral Diffie-Hellman is used
• The server's signature over the client random, server
random, and Diffie–Hellman parameters is included
– Not required when RSA key transport is used as the key
exchange method (because the client will generate a key and
encrypt it with the RSA key)
Handshake Protocol

• Client Key Exchange: Always included regardless of
the key exchange method
(the client sends a fresh random value)

– RSA key transport: encryption of a random number
under the server's RSA public key
– Diffie-Hellman key agreement: the client's Diffie-Hellman
key
Handshake Protocol

• Certificate Verify
– Required when client has a certificate for RSA/DSS
signature
– Client signs all the handshake messages it has sent and
received previously
Handshake Protocol

• Change Cipher Spec


– A single-byte message to indicate that all future messages
it sends will be encrypted and authenticated.
• Finished
– A MAC calculated using the master secret key (derived
from the key exchange) and the communication
transcripts in the Handshake protocol
Handshake Protocol

■ The key derived by a TLS key exchange method is called the
pre-master secret (48 bytes), which can be

- a secret encrypted with the server's RSA public key, or
- a value derived by the DH key exchange technique.

■ pre-master secret → master secret → shared keys

SSL Key Derivation

MS = MD5(PMS || SHA-1('A' || PMS || Nc || Ns)) ||
     MD5(PMS || SHA-1('BB' || PMS || Nc || Ns)) ||
     MD5(PMS || SHA-1('CCC' || PMS || Nc || Ns))

MS (48 bytes)
PMS: Pre-Master Secret
MS: Master Secret
Nc: ClientHello.random
Ns: ServerHello.random

SSL Key Derivation

key-block = MD5(MS || SHA-1('A' || MS || Ns || Nc)) ||
            MD5(MS || SHA-1('BB' || MS || Ns || Nc)) ||
            MD5(MS || SHA-1('CCC' || MS || Ns || Nc)) || ...

Key-block consists of shared keys for different purposes:

• Encrypt/Decrypt and other confidentiality
• MAC and other integrity

TLS Key Derivation
Cryptographic computations by using the PRF:

Handshake protocol → pre_master_secret → master_secret → key-block.

■ master_secret =
PRF(pre_master_secret, 'master secret', client_random || server_random)

■ key-block =
PRF(master_secret, 'key expansion', server_random || client_random)

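An added Python example (not the lecture's code) of the TLS 1.2 computations on the slide above, which replaced the SSLv3 MD5/SHA-1 construction: the P_SHA256-based PRF from RFC 5246, master_secret from the pre-master secret, and the key-block split into MAC keys, encryption keys and IVs. It assumes a cipher suite with 32-byte MAC keys and 16-byte AES keys and IVs; the pre-master secret and the two random values are constructed sample inputs.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, hash_fn=hashlib.sha256):
    """P_hash(secret, seed) from RFC 5246 section 5, expanded to `length` bytes:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, 'master secret',
    client_random || server_random), always 48 bytes."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """key-block = PRF(master_secret, 'key expansion',
    server_random || client_random); note the reversed nonce order.
    The block is then cut into the six per-direction values."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def derive_tls12_keys(pre_master_secret, client_random, server_random):
    """Handshake -> pre_master_secret -> master_secret -> key-block for a
    suite such as TLS_RSA_WITH_AES_128_CBC_SHA256 (assumed sizes:
    32-byte HMAC-SHA256 keys, 16-byte AES-128 keys, 16-byte CBC IVs)."""
    ms = master_secret(pre_master_secret, client_random, server_random)
    return ms, key_block(ms, client_random, server_random, 32, 16, 16)


if __name__ == "__main__":
    # Constructed sample inputs: an RSA-style pre-master secret starts with
    # the client's offered protocol version (0x0303 = TLS 1.2).
    pms = b"\x03\x03" + bytes(range(46))
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    ms, keys = derive_tls12_keys(pms, client_random, server_random)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(name, value.hex())
```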
Handshake Protocol

■ Session resumption
It allows client and server to use an abbreviated
handshake to resume a previously established session.
– More efficient than a full handshake
– Only to re-establish the encryption and MAC keys with
new server nonce and client nonce
HTTPS
HTTPS (HTTP over SSL/TLS)
• use https:// rather than http://
and port 443 rather than 80
• encrypts
URL, document contents, form data, cookies, HTTP headers

• HTTP basic user authentication can be used!


What is a Virtual Private Network (VPN)?

• VPN is a generic term used to describe any combination of
technologies used to secure a connection through an otherwise
insecure network.
• A VPN extends a private network into a transit inter-network, such
as the Internet or a shared network.
• The extension logically behaves like a private, point-to-point link in the
transit inter-network, connecting two private networks across the
inter-network.
• It allows, for example, authorised remote users to access a company
network.
• Traditional VPNs rely on IPSec. There are also SSL- and SSH-based
VPNs.
Review, Summary, and PMP

Review and Summary
o SSH
o Client doesn't need to pre-share a secret key with the server.
o Client does need to know the server's public key in advance.
o TLS/SSL
o Client doesn't need to pre-share a secret key with the server.
o Client doesn't need to know the server's public key in advance,
thanks to certificates.
o All applications (software) need (different) modifications (partial
rewriting) to enjoy protection from SSH or TLS.
PMP
• Question 1: Devices A and B are running SSH
protocol. It must be that an admin is trying to connect
to server for remote administration purpose.

Answer: False. For example, A could use port forwarding to obtain a
VPN service with the help of SSH.

PMP
• Question 2: In the handshake protocol, what will the
client and server (not) know after the protocol if the
client doesn’t have a certificate?

• Answer: The client knows that it has a secure connection with an
authenticated server, while the server only knows that it has a secure
connection with someone.

Network Security CSCI368/968, Dr. Fuchun Guo, University of Wollongong

Topic 9: IP Security
IP Security Overview

• IPSec (Internet Protocol Security) is a suite of standards
for providing a rich set of security services at the
network layer.
• Transparent to applications (below the transport layer –
TCP, UDP)
• IPSec Main Features:
• Source authentication
• Message authentication and integrity check
• Data confidentiality
• Access control

22 January 2024 Network Security 5


IP Security Overview
Applications of IPSec:
■ Secure branch office connectivity over the Internet:
A company can build a secure virtual private network over the internet
to reduce cost.
■ Secure remote access over the Internet:
Using IPSec, a remote user can make a local call to an ISP and gain
secure access to a company network.

IPSec can provide security for varied applications since it
encrypts and/or authenticates all traffic at the IP level.

IPSec Overview: A Typical Scenario
(figure: two LANs connected over the public network)

IPSec Overview: A Typical Scenario
■ A company maintains LANs at dispersed locations, where
nonsecure traffic is conducted in each LAN.
■ IPSec protocols operate in networking devices (routers and
firewalls) to secure offsite traffic.
■ These devices encrypt & compress all outbound traffic, and
decrypt & decompress all inbound traffic.
■ These security operations are transparent to workstations and
servers on each LAN.
■ Security service is also possible for individual users who dial into
the public network.

IPSec Security Protocols

• In IPSec, there are two major components:
– security protocols
• AH protocols
• ESP protocols
– modes
• transport mode
• tunnel mode

IPSec Security Protocols

                            AH    ESP (encr.)   ESP (encr.+auth.)
Access control              ✓     ✓             ✓
Connectionless integrity    ✓                   ✓
Data origin auth.           ✓                   ✓
Anti-replay                 ✓     ✓             ✓
Confidentiality                   ✓             ✓
Limited traffic flow conf.        ✓             ✓

IPSec Protocols

• AH and ESP protocols are largely independent of
the cryptographic algorithms used to secure the IP
traffic.
• These protocols can use any underlying
cryptographic algorithm to implement the
authentication and confidentiality services, such as
AES for encrypting the outbound traffic, HMAC-
SHA256 to create hashed MAC.

IPSec Modes
• The AH & ESP protocols operate in one of two possible modes:
– transport mode (A sends to B) or
– tunnel mode (A sends to C, which forwards to B)
• In tunnel mode, an IP datagram contains two IP headers:
– an outer IP header: specifies the IPSec processing destination
– an inner IP header: contains the source and the ultimate destination of the
packet.
• In transport mode, an IP datagram contains only one IP header,
which specifies the apparent source address and the ultimate
destination address of the packet.

AH in Transport Mode IPv4

Before AH: IP header | TCP/UDP header | Payload

After AH:  IP header | IPSec AH header | TCP/UDP header | Payload

AH header: Next header | Payload length | Reserved | SPI | Sequence number | Authentication data

SPI: Security parameters index

Authentication is across all immutable fields
AH Header Fields

AH in Tunnel Mode IPv4

Before AH: IP header | TCP/UDP header | Payload

After AH:  Transit IP header | IPSec AH header | Original IP header | TCP/UDP header | Payload

AH header: Next header | Payload length | Reserved | SPI | Sequence number | Authentication data

Authentication is across all immutable fields

Integrity Check Value (ICV)

• AH protocol excludes any unpredictable mutable fields
when calculating the ICV.
• AH protocol includes only the immutable fields and the
mutable but predictable fields when calculating an ICV for
a packet.

Mutable vs Immutable Header Fields (IPv4)

Field                    Immutable   Mutable
Version                  ✓
Internet header length   ✓
Total length             ✓
Identification           ✓
Protocol                 ✓
Source address           ✓
Destination address      ✓
Type of service (TOS)                ✓
Flags                                ✓
Time to Live (TTL)                   ✓
Header checksum                      ✓

AH Protocol - ICV
• AH security protocol can use keyed message
authentication codes (MACs) based on symmetric
encryption algorithms or hashed MACs based on
hash functions for calculations of ICV
authentication data.
• Standards-compliant AH implementations must
support HMAC.
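An added Python example (not from the slides) of the ICV rule on the three slides above: it builds an AH transport-mode IPv4 packet, zeroes the fields the table marks mutable (TOS, flags/fragment offset, TTL, header checksum) together with the authentication data field, and computes an HMAC-SHA-256 ICV truncated to 128 bits. The key, addresses and payload are constructed sample values; the IP header checksum is left at zero because AH ignores it anyway.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51     # IP protocol number of AH
AH_FIXED_LEN = 12    # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 16         # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits


def build_ipv4_header(src, dst, total_length, ident=0x1234, tos=0, ttl=64,
                      proto=AH_PROTOCOL, checksum=0):
    """20-byte IPv4 header with no options (IHL = 5); flags and fragment
    offset are fixed at 0 since AH is applied to unfragmented packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, ident, 0,
                       ttl, proto, checksum, src, dst)


def zero_mutable_fields(ip_header):
    """Mutable fields from the lecture table are set to zero before hashing;
    the immutable fields (version, IHL, total length, identification,
    protocol, source and destination) stay as transmitted."""
    h = bytearray(ip_header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def build_ah_header(next_header, spi, seq, icv):
    """Payload length is the AH header length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_header, next_header, spi, seq, payload):
    """ICV over: IP header with mutable fields zeroed || AH header with the
    authentication data zeroed || everything after the AH header."""
    ah_for_icv = build_ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    data = zero_mutable_fields(ip_header) + ah_for_icv + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_packet(key, src, dst, payload, spi, seq, ttl=64, next_header=6):
    """Sender: IP header | AH header | upper-layer data (next_header 6 = TCP)."""
    total_length = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_header = build_ipv4_header(src, dst, total_length, ttl=ttl)
    icv = compute_icv(key, ip_header, next_header, spi, seq, payload)
    return ip_header + build_ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, packet):
    """Receiver: recompute the ICV from the received packet and compare it
    in constant time. Assumes a 20-byte IP header (no options)."""
    ip_header = packet[:20]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    expected = compute_icv(key, ip_header, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    key = b"constructed-sample-ah-key"
    pkt = ah_transport_packet(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                              b"hello", spi=0x100, seq=1)
    hop = bytearray(pkt)
    hop[8] -= 1   # a router decrementing TTL does not break the ICV
    print("original verifies:", verify_ah_packet(key, pkt))
    print("after TTL change:", verify_ah_packet(key, bytes(hop)))
```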

Encapsulating Security Payload (ESP)
Protocol
• ESP security protocol selectively affords the confidentiality service or
authentication service to IP traffic.
• In transport mode, ESP secures upper-layer protocols.
• In tunnel mode, ESP extends protection to the inner IP header.

ESP in Transport Mode IPv4

Before ESP: IP header | TCP/UDP header | Payload

After ESP:  IP header | IPSec ESP header | TCP/UDP header | Payload | IPSec ESP trailer | IPSec ESP auth

ESP header:  SPI | Sequence number
ESP trailer: Padding | Padding length | Next header

Coverage: IP header – neither; ESP header – authenticated; TCP/UDP header, Payload and ESP trailer – authenticated & encrypted; ESP auth – neither.

ESP in Tunnel Mode IPv4

Before ESP: IP header | TCP/UDP header | Payload

After ESP:  Transit IP header | IPSec ESP header | Original IP header | TCP/UDP header | Payload | IPSec ESP trailer | IPSec ESP auth

ESP header:  SPI | Sequence number
ESP trailer: Padding | Padding length | Next header

Coverage: Transit IP header – neither; ESP header – authenticated; Original IP header, TCP/UDP header, Payload and ESP trailer – authenticated & encrypted; ESP auth – neither.

Policy inside IPSec

IPSec Policy Based Approach

• IPSec follows a policy-based approach to enforce the
local security decisions of a system.
• Policy-based security enables an administrator to specify
the local security requirements of a system through a
policy database.
• IPSec consults this database and provides security
protection to traffic so as to satisfy the local system
policy.

IPSec Policy
• IPSec policy file contains a list of entries, each
having three attributes:
– An IPSec policy option
– A Selector
– A Security Association

IPSec Policy Options

• IPSec policy options specify the security protections,
if any, that IPSec should afford to the traffic.
• 3 IPSec policy choices when processing an IP packet:
– Discard the packet
– Protect the packet with the AH and the ESP security
protocols
– Let the packet bypass the IPSec processing

IPSec Policy Options

• Discard policy option prevents the packet from exiting an IP
host, being delivered to an upper-layer protocol in a host, or
transiting through a security gateway.
• Protect policy option instructs IPSec to afford AH, ESP, or a
combination of AH and ESP to the packet before the packet
exits a host or transits via a security gateway.
• Bypass policy option informs IPSec that the packet should leave
the IPSec environment without any processing.

Selectors
• Selectors map IP traffic to IPSec policies based on
information in an IP header and higher-layer protocols.

Security Associations (SA)

• SA is a simplex (unidirectional), logical connection that
provides security services to a traffic stream
between two IP nodes.
• An SA serves as a contract between two or more
entities and completely specifies how they use
security services to communicate securely.

Security Association
• An SA specifies a number of parameters, such as the
AH authentication algorithm, the ESP encryption
algorithm, the ESP authentication algorithm, keys,
IVs, IPSec protocol transport or tunnel mode and
lifetime.

SA Lifetime
• The lifetime of an SA is the interval after which the
SA is no longer valid and must be terminated.
• If the key-management scheme uses PKI certificate
for the identification of a peer node, the lifetime of
the established SA must not exceed the validity
period of the certificate.

IKE inside IPSec

IPSec Internet Key Exchange (IKE) Protocols

• The IKE protocol operates in two phases:
– IKE establishes an SA to secure its own traffic.
– It establishes another SA to provide security to
application data.

Note: IPsec can use pre-shared keys, where both parties
involved in the communication share a secret key in
advance. This key is then used for authentication during the
IPsec negotiation process.

IKE Phase 1
• There are two types of phase-1 exchanges, called modes:
– Aggressive mode:
• mutual authentication and session key establishment in
three messages.
– Main mode:
• uses six messages and has additional functionality such as
the ability to hide endpoint identifiers from eavesdroppers.

IKE Phase 1 – Main Mode
Initiator (Alice)                                   Responder (Bob)
1. A → B: CKY-A, <list>                              } negotiation
2. B → A: CKY-A, CKY-B, <algo>
3. A → B: CKY-A, CKY-B, g^x, NA                      } key exchange
4. B → A: CKY-A, CKY-B, g^y, NB
5. A → B: CKY-A, CKY-B, {A, SigA(MAB)}Ke             } authentication
6. B → A: CKY-A, CKY-B, {B, SigB(MBA)}Ke

• CKY: cookie
• KM: derived from (NA | NB, g^xy)
• Ke: derived from KM
• MAB: MAC_KM(g^x | g^y | CKY-A | CKY-B | <list> | A)
• MBA: MAC_KM(g^y | g^x | CKY-B | CKY-A | <list> | B)

Features of IKE key establishment
• Cookies are used to avoid denial of service attacks which exploit
the computational expense of calculating keys.
– The idea is to force legitimate parties to carry out a cookie
exchange before significant computations are carried out.
• Parameters for the Diffie-Hellman key exchange can be negotiated.
– Including the group, with the option of some Elliptic curve
based DH exchanges possible.
– Public keys for DH can be exchanged, with authenticity to
avoid man-in-the-middle attacks.
• Nonces are used to protect against replay attacks.

IKE Phase 1 – Aggressive Mode

1. Alice → Bob: Alice, g^a mod p, crypto proposal
2. Bob → Alice: g^b mod p, crypto choice, proof I'm Bob
3. Alice → Bob: proof I'm Alice

IKE Aggressive Mode using Digital Signature

Initiator (Alice)                                   Responder (Bob)
1. A → B: CKY-A, <list>, g^x, NA, A
2. B → A: CKY-A, CKY-B, <algo>, g^y, NB, B, SigB(MBA)
3. A → B: CKY-A, CKY-B, SigA(MAB)

• Only three message flows
• No identity protection

IKE Phase 2
• Once an IKE SA is setup between Alice and Bob, either
Alice or Bob can initiate an IPSec SA through the phase 2
“quick mode” exchange.

• The quick mode exchange negotiates IPSec ESP/AH SAs,
and optionally does a Diffie-Hellman exchange.
– All the information exchanged is protected by the IKE SA
– Optional DH exchange – to provide forward secrecy

Review and Summary

o IPSec, working at the Network Layer, is a secure
network protocol suite that authenticates and encrypts packets of
data to provide secure encrypted communication between two
computers (IP addresses) over an Internet Protocol network.

o Transport mode OR Tunnel mode

o Confidentiality&Authenticity OR Authenticity

o IPSec Policy

PMP
Question 1: Computer A and Computer B are running
the IPSec protocol. Alice said that the adversary must
not be able to see communicated messages. Justify
what Alice said.

Answer: False. The IPSec protocol could run the AH
protocol, which provides authenticity only, so
the adversary can see the contents.

PMP
Question 2: Computer A is running the IPSec
protocol. All messages sent from Alice to outside
have security protections.

Answer: False. The IPSec protocol only protects
the data sent to some selected IP addresses.

Outline

How to send a message from one device to another device?

5-layer TCP/IP Internet Model: Application, Transport, Internet, Data Link, Physical

Background of Wireless Networks

• A wireless network is a computer network that
uses wireless data connections between network
nodes.

• Wireless LANs are often used for connecting to local
resources and to the Internet. A wireless local area
network (WLAN) links two or more devices over a short
distance using a wireless distribution method, usually
providing a connection through an access point (AP) for
internet access.

• The AP acts as an Ethernet bridge and forwards the
communications to the appropriate network, such as a
wired LAN or another Wireless Network.
Background of Wireless Networks
(WLAN vs. Wi-Fi)

• Wi-Fi is one specific technology implementing WLAN.
• Wi-Fi supports short distances only.
Wireless LAN

• Primary benefits of Wireless LAN:
– Flexibility:
• The network can extend to areas that wires cannot reach,
with significantly lower cabling cost.
– Scalability:
• Wireless LAN configurations can be easily changed.
– Speed:
• A WLAN can be installed quickly enough to support
mobile workgroups and assist in disaster recovery
implementation.
802.11 for Wireless LANs

• IEEE 802.11 refers to a family of specifications for wireless
local area networks (WLANs).
– They have been developed by a working group of the Institute
of Electrical and Electronics Engineers (IEEE).

• The 802.11 specification identifies an over-the-air interface
between a mobile device wireless client and a base
station, or between two mobile device wireless clients.
The 802.11 family
802.11 Wireless Network Operational Modes

• IEEE 802.11 wireless networks operate in one of two
modes:
– Infrastructure mode.
– Ad hoc mode.
Infrastructure Mode

• In infrastructure mode, each mobile device client
sends all of its communications to a network device
called an access point (AP).

• The AP acts as an Ethernet bridge and forwards the
communications to the appropriate network, such as
a wired LAN or another Wireless Network.
Ad hoc Mode
• In ad hoc mode, each mobile device client communicates
directly with the other mobile device clients within the
network.

• No access point is required to connect to any wired LAN. If
a client in an ad hoc network wants to communicate
outside of the cell, a member of the cell must operate as a
gateway and provide a routing service.
Security in Wireless Networks

Security in Wireless Networks

• Messages must be sent by broadcasting.
• It is easier to eavesdrop on a communication between A and B.
• It is easier to launch a man-in-the-middle attack.

Threats against Wireless systems
Types of Threats:

• Eavesdropping.
• Communications jamming.
– Denial of Service (DoS) jamming.
• Injection and modification of data.
– Man-in-the-Middle Attacks.
• Rogue Access Point.
• Cryptographic threats.

Eavesdropping

Listening in on communications.

Communications Jamming

Stopping legitimate users from accessing a network.

Jamming attacks: two targets

Jamming attack against a client to hijack communications

Jamming attack against an access point to hijack communications

Rogue Access Point

One way to do this is to fool the user into linking to a
rogue access point and then using the transmitted
information to make a real login as that user.

Extending Range of Attacks by Chaining Access Points

Basically, repeater stations are being added.
Wireless Security - WEP
Wireless LAN Security

• The IEEE 802.11b standard defines an optional
encryption scheme called Wired Equivalent Privacy
(WEP), which includes a mechanism for securing
wireless LAN data streams.

• The standard algorithm (only) enables RC4-based, 40-
bit data encryption with a 24-bit IV to prevent an
intruder from accessing the network and capturing
wireless LAN traffic.
– WEP 2.0 uses a 104-bit key and a 24-bit IV.
Wired Equivalent Privacy (WEP)

• WEP uses symmetric key cryptography.
• It aims to provide:
– Access control: Only users with the correct WEP key can
access the network (Authentication).
– Privacy: Protect WLAN data streams by encryption.
Decryption is only possible by users who have the correct
WEP keys.
WEP security

• Two processes are applied to the plaintext:
– One to protect against unauthorised modification of the data.
– One to encrypt the plaintext.
WEP integrity

• To protect against unauthorised modification of the data, an
integrity algorithm, CRC-32, operates on the plaintext to produce
the ICV.

• This is a (non-cryptographic) 32-bit checksum, or
integrity check value (ICV).

• This expands the size of the encrypted message by 4 bytes
above the length of the plaintext message.
WEP confidentiality

• Let M be the message, v the current IV and k the secret
shared key:

keystream = RC4(v, k)
ciphertext = (M || ICV) XOR keystream
transmitted data = v || ciphertext
WEP Encryption process

1. The 40-bit secret key is concatenated with a 24-bit initialisation
vector (IV), resulting in a key with an overall length of 64 bits.

2. The resulting key is put into the pseudo-random number generator
(PRNG), i.e., the stream cipher RC4.

3. The PRNG (RC4) outputs a pseudo-random key sequence based on
the input key.

4. The resulting sequence is used to encrypt the data (M and ICV) by
doing a bitwise XOR.
WEP Decryption process
1. The IV of the incoming message is used to generate
the key sequence necessary to decrypt the incoming
message.
2. The ciphertext, combined with the proper key
sequence, yields the original plaintext and ICV.
3. The decryption is verified by performing the integrity
check algorithm on the recovered plaintext and
comparing the output ICV to the ICV transmitted with
the message.
4. If the ICV is not equal to the ICV received, the
message has an error, and an indication is sent to the
sending station.
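An added Python example (not the lecture's code) of the WEP encryption and decryption steps above: RC4 keyed with IV || key, CRC-32 as the ICV, and a function that demonstrates why a CRC is not a message authentication code (CRC-32 is affine under XOR, so a frame can be altered and its encrypted ICV corrected without the key, the integrity weakness the slides describe). The 40-bit key, the IV and the frame contents are constructed sample values.

```python
import zlib


def rc4_keystream(key, length):
    """RC4: key-scheduling algorithm (KSA), then the PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message):
    """WEP ICV: a plain CRC-32 over the plaintext, carried little-endian."""
    return zlib.crc32(message).to_bytes(4, "little")


def wep_encrypt(key, iv, message):
    """Steps 1-4 of the encryption slide: RC4(v || k), then (M || ICV) XOR keystream."""
    assert len(key) in (5, 13) and len(iv) == 3   # 40- or 104-bit key, 24-bit IV
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)   # transmitted data = v || ciphertext


def wep_decrypt(key, frame):
    """Steps 1-4 of the decryption slide; returns (message, icv_ok)."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key, len(ciphertext))
    plaintext = xor_bytes(ciphertext, keystream)
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message, received_icv == icv(message)


def tamper_without_key(frame, delta):
    """Why CRC-32 fails as an integrity check: for equal lengths,
    crc(M XOR d) = crc(M) XOR crc(d) XOR crc(0...0). Since the ICV is only
    XORed with keystream, XORing `delta` into the ciphertext and XORing the
    matching correction into the encrypted ICV yields a frame that still
    passes the ICV test, with no knowledge of the key or the keystream."""
    iv, body = frame[:3], bytearray(frame[3:])
    n = len(body) - 4
    assert len(delta) == n
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    for i, d in enumerate(delta + fix):
        body[i] ^= d
    return iv + bytes(body)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit key
    iv = b"\xaa\xbb\xcc"            # constructed 24-bit IV
    frame = wep_encrypt(key, iv, b"hello, world!")
    print(wep_decrypt(key, frame))
    forged = tamper_without_key(frame, bytes(12) + b"\x01")
    print(wep_decrypt(key, forged))  # altered message, ICV still "ok"
```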
Authentication in WEP
Weaknesses in WEP
Key management: the same shared secret key is used for both authentication and encryption.

Integrity: It is possible to modify some bits in a message so that the resulting message still passes the ICV test.

Confidentiality: key size is too short (in version 1); key stream reuse (IV is too short).

WEP should not be used anymore!


802.1x Authentication
Wi-Fi Protected Access (WPA)
Outline

• 802.1x Authentication
– Port-based Network Access Control
– Extensible Authentication Protocol (EAP).

• WPA (Wi-Fi Protected Access)
– Temporal Key Integrity Protocol (TKIP).
What is IEEE 802.1X?
– A standard for passing EAP (Extensible Authentication
Protocol) messages over a wired or wireless LAN.
– Port based network access control.
– Intended to provide:
• strong authentication.
• access control.
• key management.
What is EAP?
• EAP (Extensible Authentication Protocol)
– Authentication framework.
– Supports multiple authentication methods.
– Operates directly over the Data link layer.
– Proprietary EAP types being developed by vendors, e.g., Cisco’s
Lightweight Extensible Authentication Protocol (LEAP).
Essential Components

• Supplicant - Wireless terminal, basically the user or client.

• Authenticator - Access Point, responsible for communication with the Supplicant; submits information received from the Supplicant to the Authentication Server, which can then check the Supplicant's credentials for correct authorisation.

• Authentication Server - provides authentication services to the Authenticator to determine whether the Supplicant is authorised to access services provided by the Authenticator.
– The authentication server function can be located in the same entity as the authenticator function, but is typically in an external server (e.g. Remote Authentication Dial-In User Service – RADIUS Server).
Setup
• IEEE 802.1X setup:
– Supplicant authenticates via Authenticator to central Authentication Server.
– Authentication Server confirms the Supplicant's credentials.
– Authentication Server directs Authenticator to allow the Supplicant access to services after the successful authentication.

Figure: “Supplicant” (wireless terminal) --EAPOL over (wireless) Ethernet--> “Authenticator” (Access Point, Switch, etc.) --Encapsulated EAP messages--> “Authentication Server” (Any EAP Server, typically RADIUS)

Port-based Access Control
• Controlled Port: accepts packets from authenticated devices.
• Uncontrolled Port: only passes 802.1X packets.
• Point of attachment: association between Wireless Terminal and Access Point.

How does the authentication work?
• On detection of a new supplicant, the port on the authenticator is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic is dropped.

• To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID.

• The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server.
How does the authentication work?
• The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP authentication Method. The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant.

• If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message or an EAP-Failure message.

• If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful, the port remains in the "unauthorized" state.
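The exchange described above, simulated end to end as an added example in Python (written for these notes; not code from the lecture, from any 802.1X supplicant, access point or RADIUS server). The user database ("alice"/"s3cret") and the single-round keyed-hash challenge standing in for the negotiated EAP method are constructed; the message names follow the lecture.

```python
from dataclasses import dataclass, field
import hashlib, hmac, os


@dataclass
class Msg:
    kind: str                       # e.g. "EAP-Request/Identity", "Access-Challenge"
    body: dict = field(default_factory=dict)


class AuthenticationServer:
    """RADIUS side: user database plus the EAP method (a keyed-hash challenge/response here)."""
    def __init__(self, users: dict):
        self.users = users          # identity -> shared secret (constructed)
        self.pending = {}           # identity -> outstanding challenge nonce

    def handle(self, access_request: Msg) -> Msg:
        eap = access_request.body["eap"]
        if eap.kind == "EAP-Response/Identity":
            nonce = os.urandom(16)
            self.pending[eap.body["identity"]] = nonce
            return Msg("Access-Challenge", {"eap": Msg("EAP-Request/Method", {"nonce": nonce})})
        if eap.kind == "EAP-Response/Method":
            identity = eap.body["identity"]
            secret, nonce = self.users.get(identity), self.pending.pop(identity, None)
            if secret is not None and nonce is not None and hmac.compare_digest(
                    eap.body["proof"], hmac.new(secret, nonce, hashlib.sha256).digest()):
                return Msg("Access-Accept", {"eap": Msg("EAP-Success")})
        return Msg("Access-Reject", {"eap": Msg("EAP-Failure")})


class Supplicant:
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, request: Msg) -> Msg:
        if request.kind == "EAP-Request/Identity":
            return Msg("EAP-Response/Identity", {"identity": self.identity})
        proof = hmac.new(self.secret, request.body["nonce"], hashlib.sha256).digest()
        return Msg("EAP-Response/Method", {"identity": self.identity, "proof": proof})


class Authenticator:
    """The access point: checks nothing itself, relays EAP between EAPOL and RADIUS
    and opens the controlled port only on EAP-Success."""
    def __init__(self, server: AuthenticationServer):
        self.server, self.port = server, "unauthorized"

    def controlled_port_accepts(self, frame_type: str) -> bool:
        """Until authorized, only 802.1X (EAPOL) frames pass; other traffic is dropped."""
        return self.port == "authorized" or frame_type == "EAPOL"

    def run(self, supplicant: Supplicant) -> str:
        self.port = "unauthorized"                       # new supplicant detected
        eap = supplicant.respond(Msg("EAP-Request/Identity"))
        while True:                                      # relay until Success/Failure
            reply = self.server.handle(Msg("Access-Request", {"eap": eap}))
            inner = reply.body["eap"]
            if inner.kind in ("EAP-Success", "EAP-Failure"):
                self.port = "authorized" if inner.kind == "EAP-Success" else "unauthorized"
                return self.port
            eap = supplicant.respond(inner)              # re-encapsulated in an EAPOL frame


def authenticate(identity: str, secret: bytes) -> tuple:
    """Returns (final port state, data accepted before auth, data accepted after auth)."""
    ap = Authenticator(AuthenticationServer({"alice": b"s3cret"}))   # constructed user DB
    before = ap.controlled_port_accepts("DATA")
    state = ap.run(Supplicant(identity, secret))
    return state, before, ap.controlled_port_accepts("DATA")
```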
Handshake
• EAP and RADIUS messages in 802.1X authentication session.
Outline

• 802.1x Authentication
– Port-based Network Access Control
– Extensible Authentication Protocol (EAP).

• WPA (Wi-Fi Protected Access)
– Temporal Key Integrity Protocol (TKIP).
Wi-Fi Protected Access (WPA)
• IEEE developed the 802.11i standard for enhanced wireless security, to address weak data encryption and user authentication within the existing 802.11 standard.

• The WPA standard is a joint effort between the Wi-Fi Alliance and IEEE:
– WPA is a subset of the IEEE 802.11i standard (Draft 3.0).
– It was designed to fill the gap between WEP and the longer-term final 802.11i.

• WPA provides stronger data encryption (weak in WEP) and user authentication (largely missing in WEP).

• For simplicity in this subject: WPA ≈ 802.1x + TKIP (RC4)

TKIP
• WPA uses Temporal Key Integrity Protocol (TKIP) to provide stronger data encryption and address known vulnerabilities in WEP:
– Quick fix to overcome the reuse of encryption key problem in WEP.
– Uses existing device calculation capabilities to perform the encryption operations.
• In particular this means it is a relatively cheap method of improving security.
• It is more like a patch though, rather than a new version.
TKIP
• TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 cipher initialization.

• WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine:

    keystream = RC4(v, k)
    ciphertext = (M || ICV) XOR keystream
    transmitted data = v || ciphertext
How does it work?

Abbreviations used in the TKIP figure:
DA – Destination Address
ICV – Integrity Check Value
MPDU – MAC Protocol Data Unit
MSDU – MAC Service Data Unit
RSN – Robust Security Network
SA – Source Address
TA – Transmitter Address
TKIP – Temporal Key Integrity Protocol
TSC – TKIP Sequence Counter
TTAK – Result of phase 1 key mixing of Temporal Key and Transmitter Address
WEP – Wired Equivalent Privacy
WEP IV – Wired Equivalent Privacy Initialisation Vector
TKIP
• TKIP is made available as firmware (chip coded software) or software upgrades to existing legacy WEP hardware.

• It eliminates having to replace existing hardware or having to purchase new hardware.
WPA-Enterprise (WPA-802.1x, RADIUS):
This mode provides the security needed for wireless networks in business environments. It is more complicated to set up, and it offers individualized and centralized control over access to your Wi-Fi network. When users try to connect to the network, they need to present their login credentials.

This mode supports 802.1x RADIUS authentication and is appropriate in the cases where a RADIUS server is deployed. WPA-Enterprise should only be used when a RADIUS server is connected for client authentication.

WPA-Personal (WPA-PSK):
This mode is appropriate for most home networks. When a password is set on a wireless router or an access point (AP), it must be entered by users when connecting to the Wi-Fi network.

o Home or Office environment, easily configured by home or office user.
o No centralised authentication server or EAP framework available.
o Requires the home or office user to manually enter the password (Master Key) to the Access Point or Wireless Gateway and have the same password in each PC that is allowed access to that wireless network.
WPA - Summary

• WPA effectively addresses WLAN security requirements and provides an immediate and strong encryption & authentication solution.

• WPA replaces WEP as the standard Wi-Fi security mechanism.

• The Wi-Fi Alliance has adopted the full 802.11i standard as version 2 of WPA.
From WPA to WPA2
Review, Summary, and PMP

Review and Summary
o Wireless local area network (WLAN) links two or more devices over a short distance using a wireless distribution method, usually providing a connection through an access point (AP) for internet access.
o It is easier to launch attacks on Wireless Networks.
o 802.11 for Wireless LANs
o WEP (Wired Equivalent Privacy)
o WPA (TKIP + 802.1x)

PMP
Question 1: Use the DOS attack to explain why attacks inside a wireless network are much easier than inside a wired network.

Question 2: What are two improvements from WEP to WPA?
PMP
Question 1: Use the DOS attack to explain why attacks inside a wireless network are much easier than inside a wired network.
Answer: The adversary can easily send data packets to the receiver even without wired connections.

Question 2: What are two improvements from WEP to WPA?
Answer: More secure; User (key) management
Network Security
CSCI368/968
Dr. Fuchun Guo, University of Wollongong
Mobile IP

Mobile IP (or MIP) is an Internet Engineering Task Force (IETF) standard communications protocol that is designed to allow mobile device users to move from one network to another while maintaining a permanent IP address.

One example of application: Cellular Networks. Mobile IP is widely used in cellular networks, allowing mobile devices (such as smartphones and tablets) to maintain continuous connectivity as they move between different cell sites or hand off between different base stations.
What is mobility?

The ability of a node
– to change its point-of-attachment from one link to another, while
– maintaining ongoing communication using the same IP address at its new link.

Roughly speaking, from one WLAN to another WLAN.

What is Mobile IP

• A scalable, robust, and secure protocol for providing node mobility in the Internet.

• A standard for Internet mobility.
– It is defined in RFC 2002 (and later updates).

• It provides a modification to IP that allows nodes to continue to receive datagrams no matter where they happen to be attached to the Internet.
– Important for applications such as VoIP.
Mobility problems: Existing IP

• IP addresses and the original IP were not originally designed to support mobility.

• The existing IP protocols are associated with a fixed network location.
– One host – one IP address.
– Must be compatible with its network prefix.
– Packet is routed according to the destination network’s prefix.
Mobility problems: Existing IP
• Node mobility is recognised by changes in the network
prefix.
• When mobility occurs, for a node to access the network, it
has to acquire a new IP address which has the same prefix
as the new network. But …
• How do other nodes know that this node’s IP address is
changed?
• Furthermore, to establish the new IP address, shutdown and reboot are required.
– All ongoing applications will be aborted.
Mobile IP benefits

• Provides mobility over all types of media.

• Offers “seamless roaming” which provides application transparency…
– That is, applications do not need to be modified to be able to use Mobile IP.
– The users don’t know something has been changed.
Mobile IP: Requirements
• A mobile node must be able to communicate with other
nodes after changing its link-layer point-of-attachment to
the Internet.
• A mobile node must be able to communicate using only
its home (permanent) IP address, regardless of its current
link-layer point-of-attachment to the Internet
• A mobile node must be able to communicate with other
computers that do not implement the Mobile IP mobility
functions.
• A mobile node must not be exposed to any (new) security
threats over and above those to which any fixed host on
the Internet is exposed.
How does Mobile IP solve the problems?

• It allows mobile nodes to have two IP addresses.
– A permanent one is used for identification.
– A variable one is used for locating the current location of a mobile node.
– Mobile IP sets up the relationship between these two addresses so that only the fixed address needs to be known by other nodes.
– Mobile IP establishes mobility agents.
Addresses

• Home address (permanent):
– The permanent IP address of a mobile node which it uses in correspondence with other nodes, regardless of its current location.

• Care-of address (variable):
– An address used temporarily by a mobile node as a tunnel exit-point when the mobile node is connected to a foreign link.
Care-of-addresses

• There are two types of care-of address:
– A foreign agent care-of address
• The address of a foreign agent.
• This can be simultaneously shared by many mobile nodes.
– A collocated care-of address
• Temporarily assigned to the mobile node, by protocols such as DHCP (Dynamic Host Configuration Protocol).
• Can be used by only one mobile node at a time.
Mobile Node

A node (host or router) which can change its point-of-attachment to the Internet from one link to another …
– while maintaining any ongoing communications.
– using only its permanent IP home address.
Home Agent

• A router on a mobile node’s home network:
– The home agent maintains the current location (care-of address) of the mobile node when it moves from link to link.
– It intercepts packets targeted at the mobile node’s home address, and tunnels them to the mobile node’s current location (i.e. to the care-of address).
Foreign Agent

• A router on the network visited by the mobile node. It cooperates with the home agent to complete the delivery of datagrams to the mobile node.
– Assists the mobile node in informing its home agent of its current care-of address.
– In some cases, provides a care-of address and de-tunnels or tunnels packets between the mobile node and its home agent.
– Serves as a default router for packets generated by the mobile node while connected to this foreign link.
Mobile IP Process
Figure (message sequence recovered from the diagram): home network 1.0.0.0/24 (UOW router, Home Agent 1.0.0.254, hosts A 1.0.0.2, B 1.0.0.3, C 1.0.0.4); foreign network 2.0.0.0/24 (MARS router, Foreign Agent 2.0.0.254, hosts X, Y 2.0.0.2, Z 2.0.0.3); MN keeps its home address 1.0.0.1 on both networks. CN means Correspondent Node.
1. “I’m a mobility agent. Here are my details.” (agent advertisement)
2. “Your new address is …”
3. MN has been established in a new network.
4. MN tells the home agent: “My new COA (care-of address) is 2.0.0.254.”
5. “MN is gone! Its new address is 2.0.0.254.”
6. The home agent updates its binding list.
Packet to MN from CN → Tunnel!
Mobile IP Process
Outline of Mobile IP in operation

1. Mobility agents (home and foreign agents)
– make themselves known by sending agent advertisement messages to all nodes in their network.
– An impatient mobile node may optionally solicit (ask for) an agent advertisement message.
2. A mobile node
– determines its location, whether it is on its home or foreign network, from an agent advertisement message.
3. A mobile node, when in its home network,
– works like any other fixed host without mobility services.
4. A mobile node, when not in its home network,
– obtains a care-of address from an advertisement message.
– registers its new care-of address with its home agent either via the foreign agent or directly.
6. A home agent
– Updates its binding list (records).
– Intercepts any datagram (packets) sent to the mobile node which is away.
– Tunnels the datagram to the care-of address.
7. At tunnel endpoints (either at the foreign agent or the mobile node itself) …
– the datagram is de-tunneled.
– If a foreign agent is employed, the datagram will be delivered to the mobile node.
8. For the reverse direction (from MN to CN)
– Datagram packets sent by the mobile node are generally delivered to the destination using standard IP routing mechanisms.
– It is not necessary to pass through the home agent.
– Reverse tunneling will be required in some cases though (will be discussed later).
Tunneling (What Home Agent Will Do)
CN (sender) sends a message as it would to a fixed node. A home agent redirects the message to MN’s (receiver) current location by

• Generating a new message which comprises
– Its own IP address as the new packet source address.
– The MN's COA as the new packet destination address.
– The whole message from CN to MN as the new packet payload.

• This method is called tunneling or encapsulating.
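The home agent's tunneling step, as an added example in Python (written for these notes; not code from the lecture or from any Mobile IP implementation). It builds real IPv4 headers (with checksums) so the outer and inner datagrams can be inspected: the HA, home and care-of addresses are the lecture's figure values, while the CN address 5.0.0.1 and the payload are constructed.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP protocol number for IP-in-IP encapsulation (RFC 2003)


def checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed header, verify its checksum and return the fields plus payload."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if checksum(hdr) != 0:           # a valid header sums to zero including its checksum
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def home_agent_tunnel(packet: bytes, home_agent: str, bindings: dict) -> bytes:
    """Intercept a datagram for a mobile node listed in the binding list and wrap it:
    new source = HA, new destination = care-of address, payload = the whole original."""
    inner = parse_ipv4(packet)
    coa = bindings.get(inner["dst"])
    if coa is None:                  # node is at home (or unknown): deliver normally
        return packet
    return build_ipv4(home_agent, coa, IPPROTO_IPIP, packet)


def detunnel(packet: bytes) -> bytes:
    """At the tunnel exit (foreign agent or the mobile node itself): strip the outer header."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    return outer["payload"]
```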


Mobile IP Authentication

Figure: an attacker at 3.0.0.254 sends, over the Internet, a bogus registration “new care-of address of 1.0.0.1 is 3.0.0.254” to the Home Agent (1.0.0.254). The genuine Foreign Agent is 2.0.0.254, the mobile node’s home address is 1.0.0.1, and host A (1.0.0.2) is on the home network.
Mobile IP Authentication

• If there were no authentication mechanism, the attacker could generate a bogus registration request specifying his own IP address as the care-of address for a mobile node.

• The result would be:
– The attacker would get every packet targeted at the mobile node.
– The real mobile node would not receive anything.
Mobile IP Authentication Extension
• Mobile IP defines authentication extensions
– to prove that the registration message is actually sent by the valid mobile
node.
• SPI - Security Parameter Index
– An index identifies a security association (SA) between MN and HA
– SA is “a collection of security contexts” shared between a pair of nodes
which defines
• Authentication algorithm.
• Shared secret key.
• Replay protection method.
• Authenticator field
– An authentication tag which is computed according to the SA
Computing the authentication tag
• Use 128-keyed MD5 as the default authentication
algorithm.
• Output a 128 bit message digest and put it in the
authenticator field.
– RFC 3220 replaces default authentication algorithm from
128-keyed MD5, in prefix-suffix mode to HMAC-MD5 with
a key size of 128 bit.
• Anti-replay mechanism
– Timestamp
– Nonce
Tag = H(m, K, Nonce)
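The authentication extension and its anti-replay check, as an added example in Python (written for these notes, not code from the lecture or any Mobile IP home agent). It uses HMAC-MD5 with a 128-bit key as the slide states for RFC 3220; the SPI value 1000, the key, the field encoding and the 3.0.0.254 attacker scenario from the earlier figure are constructed.

```python
import hashlib
import hmac
import os
import struct


def registration_bytes(home: str, coa: str, spi: int, nonce: bytes) -> bytes:
    """Constructed canonical encoding of the registration fields the tag covers (m || nonce)."""
    return home.encode() + b"|" + coa.encode() + b"|" + struct.pack("!I", spi) + b"|" + nonce


def authentication_tag(key: bytes, home: str, coa: str, spi: int, nonce: bytes) -> bytes:
    """Tag = HMAC-MD5(K, m || Nonce): the authenticator field of the extension."""
    return hmac.new(key, registration_bytes(home, coa, spi, nonce), hashlib.md5).digest()


class HomeAgent:
    """Holds one security association per SPI and the binding list the tags protect."""
    def __init__(self, security_associations: dict):
        self.sa = security_associations      # SPI -> 16-byte shared key (constructed)
        self.bindings = {}                   # home address -> current care-of address
        self.used_nonces = set()             # replay protection (nonce variant)

    def register(self, request: dict) -> bool:
        key = self.sa.get(request["spi"])
        if key is None:                      # unknown SA: nothing to verify against
            return False
        if request["nonce"] in self.used_nonces:
            return False                     # replayed registration
        expected = authentication_tag(key, request["home"], request["coa"],
                                      request["spi"], request["nonce"])
        if not hmac.compare_digest(expected, request["tag"]):
            return False                     # bogus or tampered request
        self.used_nonces.add(request["nonce"])
        self.bindings[request["home"]] = request["coa"]
        return True


def mobile_node_request(key: bytes, spi: int, home: str, coa: str) -> dict:
    """What the genuine MN sends (directly or via the FA) after obtaining a care-of address."""
    nonce = os.urandom(8)
    return {"home": home, "coa": coa, "spi": spi, "nonce": nonce,
            "tag": authentication_tag(key, home, coa, spi, nonce)}


def demo() -> dict:
    """MN 1.0.0.1 registers COA 2.0.0.254; an attacker at 3.0.0.254 then tries a bogus
    registration without the key, and finally replays the genuine request."""
    key = bytes(range(16))                   # constructed 128-bit MN-HA key
    ha = HomeAgent({1000: key})
    genuine = mobile_node_request(key, 1000, "1.0.0.1", "2.0.0.254")
    bogus = dict(genuine, coa="3.0.0.254", nonce=os.urandom(8), tag=os.urandom(16))
    return {"genuine": ha.register(genuine), "bogus": ha.register(bogus),
            "replay": ha.register(genuine), "binding": ha.bindings.get("1.0.0.1")}
```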
Mobile IP Authentication

Figure: the same bogus registration “new care-of address of 1.0.0.1 is 3.0.0.254” from the attacker at 3.0.0.254 now has to carry an authenticator field (tag=XXXX) computed under the security association shared by the mobile node (1.0.0.1) and the Home Agent (1.0.0.254); the genuine Foreign Agent is 2.0.0.254 and host A (1.0.0.2) is on the home network.
Mobile System Security

(Removed)
The mobile environment

Figure: an Authentication Server and several Mobile stations.
Mobile System Security
• 2/…/5G telecommunication systems
• Security issues:
– Authentication
– Confidentiality
– Integrity
– Anonymity
GSM Authentication and Key Agreement

Figure: MS –(Wireless)– VLR –(Wired & Secure)– HLR. Abbreviations:
IMSI: International mobile subscriber identity
TMSI: Temporary Mobile Subscriber Identity
VLR: visitor location register
HLR: Home location register
Ki: the long-term symmetric key shared between MS & HLR
RAND: a freshly generated random number
A3/5/8: cryptographic algorithms
Step 0 - Setup
• MS subscribes to a mobile service provider
• A hardware token (e.g., a SIM card) is issued to the MS
– A unique mobile ID (a.k.a. IMSI) and a secret key (i.e., Ki in the figure) are stored in the SIM card
– The mobile ID and secret key are also stored in the database of the mobile service provider (i.e., HLR)
Step 1
• MS → VLR: IMSI

• When the MS is powered on, it sends its IMSI to the VLR
• The IMSI will allow the VLR to identify the HLR of the MS
Step 2
• VLR → HLR: IMSI

• The VLR forwards the IMSI to the HLR in order to obtain a set of authentication credentials
Step 3
• HLR → VLR: IMSI, RAND, SRES, Kc
• Upon receiving the request from VLR, HLR locates the secret key
Ki for IMSI
• It generates a random number RAND, and computes SRES =
A3(Ki, RAND), Kc = A8(Ki, RAND)
• HLR sends RAND, SRES and Kc to VLR
The communication between VLR and HLR is done through a secure channel
Step 4
• VLR → MS: RAND

• Upon receiving the authentication credentials (i.e., RAND, SRES, Kc) from the HLR, the VLR forwards RAND to the MS as a challenge
Step 5
• MS → VLR: SRES
• Upon receiving RAND from the VLR, MS computes SRES =
A3(Ki, RAND), Kc = A8(Ki, RAND) using the secret key Ki
stored in the SIM card
• MS sends SRES as the response to VLR’s challenge
• VLR verifies the SRES by comparing it with the SRES from HLR
• If the SRES from MS is correct, MS is authenticated
Step 6
• VLR → MS: A5(Kc, TMSI)

• The VLR picks a temporary mobile ID (a.k.a. TMSI) for the MS and sends it to the MS in encrypted form
• The MS derives Kc based on RAND and Ki, decrypts the TMSI and uses it as its temporary ID
• The TMSI is used as the identity of the MS in the subsequent communications
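Steps 0 to 6 of the GSM authentication and key agreement, simulated as an added example in Python (written for these notes; not code from the lecture or from any GSM implementation). A3, A8 and A5 are constructed stand-ins, since the real algorithms are operator-specific: A3/A8 are keyed hashes, and A5 is a keystream XOR so that the MS can invert it, which is the point of the PMP question on A5 below. The IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import os


def A3(ki: bytes, rand: bytes) -> bytes:
    """Constructed stand-in: 32-bit SRES derived one-way from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def A8(ki: bytes, rand: bytes) -> bytes:
    """Constructed stand-in: 64-bit session key Kc derived one-way from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def A5(kc: bytes, data: bytes) -> bytes:
    """Constructed stand-in stream cipher: keystream XOR from Kc; applying it twice
    restores the data, which is why A5 must be a cipher and not a hash."""
    keystream = hashlib.sha256(kc).digest()
    return bytes(d ^ keystream[i % 32] for i, d in enumerate(data))


class SIM:
    """Step 0: the token holding the IMSI and the long-term key Ki."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.kc, self.tmsi = None, None

    def respond(self, rand: bytes) -> bytes:              # step 5: SRES from Ki and RAND
        self.kc = A8(self.ki, rand)
        return A3(self.ki, rand)

    def accept_tmsi(self, encrypted_tmsi: bytes) -> bytes:  # step 6, MS side: decrypt TMSI
        self.tmsi = A5(self.kc, encrypted_tmsi)
        return self.tmsi


class HLR:
    def __init__(self, subscribers: dict):
        self.db = subscribers                             # IMSI -> Ki (constructed)

    def triplet(self, imsi: str) -> tuple:                # step 3: RAND, SRES, Kc
        ki = self.db[imsi]
        rand = os.urandom(16)
        return rand, A3(ki, rand), A8(ki, rand)


class VLR:
    def __init__(self, hlr: HLR):
        self.hlr, self.tmsi_table = hlr, {}

    def authenticate(self, ms: SIM) -> bool:
        imsi = ms.imsi                                    # step 1: MS -> VLR: IMSI
        rand, sres, kc = self.hlr.triplet(imsi)           # steps 2-3 over the secure channel
        sres_ms = ms.respond(rand)                        # steps 4-5: challenge / response
        if not hmac.compare_digest(sres, sres_ms):
            return False
        tmsi = os.urandom(4)                              # step 6: pick and encrypt a TMSI
        self.tmsi_table[tmsi] = imsi
        ms.accept_tmsi(A5(kc, tmsi))
        return True


def run_gsm_aka(ki_on_sim: bytes) -> tuple:
    """Returns (MS authenticated?, MS now holds a TMSI the VLR can map back to its IMSI?)."""
    imsi, ki = "001010123456789", bytes(range(16))       # constructed subscriber record
    vlr = VLR(HLR({imsi: ki}))
    ms = SIM(imsi, ki_on_sim)
    ok = vlr.authenticate(ms)
    return ok, vlr.tmsi_table.get(ms.tmsi) == ms.imsi
```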
Questions

How does TMSI provide anonymity protection when public-key cryptography is available?
Review, Summary, and PMP

Review and Summary
• Mobile IP uses two addresses: Home address and Care-of address.
• The motivation of having mobile IP?
• Benefits of this technique: seamless roaming when changing the local area network.

• GSM (Global System for Mobile Communications) authentication protocol.

PMP
Question 1: Alice wants to send a message to Bob.
When using the mobile IP protocol, does Alice need to
know where Bob is currently located?

PMP
Question 1: Alice wants to send a message to Bob.
When using the mobile IP protocol, does Alice need to
know where Bob is currently located?

Answer: No need. Alice can send the message to Bob’s home address. After receiving the message, the home agent will forward it to where Bob is located for Alice.

PMP
Question 2: Can A5 be a hash function?

PMP
Question 2: Can A5 be a hash function?
Answer: No. Otherwise, MS cannot get TMSI for
future communication.

END of Lectures

Revision

Key Establishment + Centralized Authentication

WEP,WPA

Exam Questions (Like A2 and PMP)

• Focus on security protocols and solutions (high-level solutions, such as encryption; no RSA or ElGamal).

• Able to compare two standard security protocols (understand each protocol’s advantages and disadvantages).

• Understand why security protocols were designed in this way (to resist a series of attacks).

• Able to modify security protocols to achieve the aims.

Questions

• Choice Questions (A, B, C, D, or E)
• Short Answer (2 marks)
• Long Answer (3-4 marks)

1-2 sentences = 1 Mark
