NIS Unit-5 JCJ

This document covers network security protocols such as Kerberos and IP Security (IPSec), detailing their functions and operational steps. It also discusses email security protocols like SMTP, PEM, and PGP, explaining their roles in secure communication. Additionally, the document outlines the Public Key Infrastructure (PKI), including the roles of Certificate Authorities and Registration Authorities in managing digital certificates for secure communications.


UNIT 5

Network Security, Cyber Laws and


Compliance Standards

Course Outcome
Maintain secured networks and describe
Information Security compliance standards
Kerberos
 Kerberos is a network authentication protocol designed to provide
strong authentication for client/server applications on an open
(untrusted) network.

 It uses secret-key (symmetric) cryptography: every principal (user or
service) shares a long-term key with the Key Distribution Center (KDC).

 It solves one specific network security problem: proving identity
without ever sending a password across the network, and without each
application server having to hold user passwords.

 It provides authentication and, as a by-product, a fresh session key
that the client and server can use to protect the rest of the
conversation.
 There are four parties involved in the
Kerberos protocol:

 The client workstation
 Authentication Server (AS)
 Ticket Granting Server (TGS)
 Service Server (SS), i.e. the application server the client wants to use
 The AS and the TGS are normally hosted together and are collectively
called the Key Distribution Center (KDC).
Step 1:
 The client sends the AS a request naming its principal (user ID). The
AS looks the principal up in the KDC database, which holds each
principal's long-term secret key (derived from the user's password).
The password itself is never transmitted.
Step 2
 The AS generates a random session key for use between the client and
the TGS and assigns it a lifetime: a start timestamp and an expiry.
 A typical ticket lifetime is 8 hours; after expiry the session key and
its ticket are useless and the user must authenticate again.
Step 3
 The AS returns two things: a ticket-granting ticket (TGT), which holds
the client name, the session key and the expiry and is encrypted under
the TGS's own key (so the client can neither read nor alter it), and a
copy of the session key encrypted under the client's long-term key.
 The client decrypts the second part with the key derived from the
user's password. A wrong password simply fails to decrypt, so the
password is checked without ever leaving the workstation.
 To reach a service, the client submits the TGT to the ticket granting
server (TGS) together with an authenticator: its name and the current
timestamp, encrypted under the client/TGS session key.
Step 4
 The TGS decrypts the TGT with its own key, decrypts the authenticator
with the session key found inside the TGT, and checks that the names
match, that the timestamp is recent (within the allowed clock skew)
and that the TGT has not expired.
 It then generates a new client/service session key with its own
expiry and returns a service ticket (client name, session key, expiry,
encrypted under the service server's long-term key) plus the new
session key encrypted under the client/TGS session key.
Step 5
 The client decrypts the reply, extracts the client/service session key
and sends the service ticket, with a fresh authenticator encrypted under
that key, to the service server (application).
 The service server decrypts the ticket with its own long-term key; it
does not need to contact the KDC. It checks the ticket's validity
period, decrypts the authenticator with the session key from the
ticket, and verifies the client name and the timestamp, rejecting
authenticators that are stale or have been seen before (this is what
defeats replay).
 If mutual authentication is requested, the server replies with the
client's timestamp encrypted under the session key, proving that it
holds the service key.
Step 6
 The client decrypts the server's reply and checks the timestamp.
 If the ticket and session key are still valid, communication between
client and server proceeds, protected by the shared session key.
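The six steps above as one runnable exchange. This is an added example written for this page, not code from the slides or from any Kerberos implementation: the KDC database, principal names and passwords are constructed, `seal`/`unseal` is a stand-in for Kerberos encryption (real Kerberos uses AES-CTS with an HMAC), and the 1-hour service-ticket lifetime and 5-minute clock skew are assumed values. It shows what the prose cannot: the password never travels, each party can open only what its own key seals, the service never calls the KDC, and stale or replayed authenticators are refused.

```python
import hashlib, hmac, json, secrets

TGT_LIFETIME = 8 * 3600     # seconds: the "8 hours" in the steps above
TICKET_LIFETIME = 3600      # service tickets live at most 1 hour (assumed value)
CLOCK_SKEW = 5 * 60         # authenticator timestamps older than this are rejected

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for Kerberos encryption: SHAKE-256 keystream XOR, then an HMAC
    tag (encrypt-then-MAC). Anyone without `key` can neither read nor alter it."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(fields, sort_keys=True).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or altered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# KDC database: every principal shares a long-term key with the KDC.
# Constructed sample data; passwords appear only to derive the keys.
TGS_NAME = "krbtgt/EXAMPLE.COM"
KDC_DB = {
    "alice@EXAMPLE.COM":      derive_key("alice-pw", "alice@EXAMPLE.COM"),
    TGS_NAME:                 derive_key("tgs-secret", TGS_NAME),
    "host/files.example.com": derive_key("svc-secret", "host/files.example.com"),
}

def as_exchange(client: str, now: float) -> bytes:
    """Steps 1-3, AS side: look the principal up, mint a client/TGS session key
    and a TGT. The reply is readable only with the client's long-term key."""
    k_client = KDC_DB[client]                       # KeyError: unknown principal
    session_key = secrets.token_bytes(16).hex()
    expiry = now + TGT_LIFETIME
    tgt = seal(KDC_DB[TGS_NAME], {"client": client, "key": session_key, "expiry": expiry})
    return seal(k_client, {"key": session_key, "expiry": expiry, "tgt": tgt.hex()})

def check_ticket(ticket: dict, authenticator: bytes, now: float) -> dict:
    """Shared by TGS and service: ticket unexpired, authenticator opens under
    the ticket's session key, client names match, timestamp is fresh."""
    if now > ticket["expiry"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    return auth

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
    """Step 4, TGS side: validate the TGT, issue a service ticket."""
    t = unseal(KDC_DB[TGS_NAME], tgt)               # only the TGS key opens a TGT
    check_ticket(t, authenticator, now)
    svc_key = secrets.token_bytes(16).hex()
    expiry = min(t["expiry"], now + TICKET_LIFETIME)
    ticket = seal(KDC_DB[service], {"client": t["client"], "key": svc_key, "expiry": expiry})
    return seal(bytes.fromhex(t["key"]), {"key": svc_key, "expiry": expiry, "ticket": ticket.hex()})

REPLAY_CACHE = set()   # digests of authenticators the service has already accepted

def service_verify(service: str, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Steps 5-6, service side: open the ticket with the service's own key (no
    call to the KDC) and refuse stale or replayed authenticators."""
    t = unseal(KDC_DB[service], ticket)
    check_ticket(t, authenticator, now)
    digest = hashlib.sha256(authenticator).digest()
    if digest in REPLAY_CACHE:
        raise ValueError("replayed authenticator")
    REPLAY_CACHE.add(digest)
    return t["client"]

def client_login(client: str, password: str, service: str, now: float):
    """Client side of all six steps; returns (service ticket, authenticator)."""
    k_client = derive_key(password, client)
    rep = unseal(k_client, as_exchange(client, now))     # wrong password fails here
    k_c_tgs = bytes.fromhex(rep["key"])
    auth_tgs = seal(k_c_tgs, {"client": client, "ts": now})
    rep2 = unseal(k_c_tgs, tgs_exchange(bytes.fromhex(rep["tgt"]), auth_tgs, service, now))
    k_c_s = bytes.fromhex(rep2["key"])
    return bytes.fromhex(rep2["ticket"]), seal(k_c_s, {"client": client, "ts": now})

def attempt(fn, *args) -> str:
    """Run one step and return 'ok' or the reason it was rejected."""
    try:
        fn(*args)
        return "ok"
    except (ValueError, KeyError) as exc:
        return str(exc)
```

`now` is passed explicitly rather than read from the clock so that expiry and clock-skew checks can be exercised deterministically; in a deployment the same checks run against the host clock, which is why Kerberos requires synchronized time.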
KERBEROS (protocol diagram slide)
IP SECURITY
 The overall idea of IPsec is to encrypt and authenticate IP packets
during transmission, so that the transport- and application-layer data
they carry is protected below the application (no change to the
application is required).

 IPsec is a capability added to the IP protocol (IPv4 and IPv6) by
means of extra headers. It provides data-origin authentication,
integrity, confidentiality and anti-replay protection, and so defends
against eavesdropping, tampering, spoofing and replay attacks.
IP SECURITY ARCHITECTURE
 The IPsec architecture consists of:
 Authentication Header (AH): integrity, data-origin authentication and
anti-replay, no confidentiality
 Encapsulating Security Payload (ESP): confidentiality, and optionally
integrity, authentication and anti-replay
 Domain of Interpretation (DOI): the identifiers and parameters
(algorithms, key sizes) the other components refer to
 Key management: manual keying or the Internet Key Exchange (IKE)
protocol, which negotiates security associations and their keys
IPSEC MODES
 IPsec operates in two modes:
 Transport Mode
 protects the upper-layer protocols (the IP payload only)
 host-to-host communication
 Tunnel Mode
 protects the entire original IP packet, header included
 gateway-to-gateway communication (site-to-site VPN)
TRANSPORT MODE vs TUNNEL MODE
 Transport mode: the payload is encrypted but the IP header is not.
    | IP Header | IPsec Header | Payload (encrypted) |
 Tunnel mode: the original IP header as well as the payload are
encrypted; a new outer IP header carries the packet between gateways.
    | New IP Header | IPsec Header | IP Header + Payload (encrypted) |
AUTHENTICATION HEADER (AH)
 AH header layout (diagram slide; bit offsets 0, 8, 16, 31): Next
Header, Payload Length, Reserved, Security Parameters Index (SPI),
Sequence Number, Integrity Check Value (ICV).
ENCAPSULATING SECURITY PAYLOAD (ESP)
 ESP layout (diagram slide): SPI, Sequence Number, encrypted payload,
padding, Pad Length, Next Header, ICV. The sequence number in both AH
and ESP is what the receiver uses for its anti-replay check.
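The sequence number field is what makes the anti-replay service above work. The following is an added example, not from the slides or from any IPsec stack: a receiver-side sliding window of the kind RFC 4303 describes, with the ESP header parsed from constructed packets. The integrity check itself is replaced by an `icv_ok` flag, an assumption of the example; what matters is the order, replay check first, ICV second, window update only after both pass.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # Security Parameters Index, Sequence Number

class AntiReplayWindow:
    """Sliding window over ESP/AH sequence numbers. `top` is the highest
    sequence number accepted so far; bit i of `bitmap` records whether
    sequence number top - i has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Pre-check before ICV verification: could this packet be accepted?"""
        if seq == 0:                         # the first packet on an SA has seq 1
            return False
        if seq > self.top:                   # ahead of the window: new packet
            return True
        offset = self.top - seq
        if offset >= self.size:              # behind the window: too old
            return False
        return not (self.bitmap >> offset) & 1   # bit already set: replay

    def update(self, seq: int) -> None:
        """Advance the window; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(window: AntiReplayWindow, packet: bytes, icv_ok: bool) -> str:
    """Receiver-side ordering: replay check, then integrity check, then (and
    only then) window update, so a forged packet cannot move the window."""
    spi, seq = ESP_HEADER.unpack_from(packet)
    if not window.check(seq):
        return "dropped: replay or outside window"
    if not icv_ok:
        return "dropped: bad ICV"
    window.update(seq)
    return "accepted"

def esp_packet(seq: int, spi: int = 0x1000) -> bytes:
    """Constructed ESP packet: header followed by opaque (here dummy) ciphertext."""
    return ESP_HEADER.pack(spi, seq) + b"\x00" * 16
```

With a 64-entry window, a packet whose sequence number is 64 or more below the highest accepted one is dropped even if it was never seen; reordering inside the window is tolerated, duplicates inside it are not.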
EMAIL SECURITY
EMAIL SECURITY PROTOCOLS
1. SMTP (the mail transport protocol; it provides no security by itself)
2. PEM
3. PGP
SIMPLE MAIL TRANSFER
PROTOCOL (SMTP)

 SMTP is short for Simple Mail Transfer Protocol.
 SMTP is the set of communication rules that allow software to transmit
electronic mail over the Internet.
 It is an application layer protocol.
 It is used for sending e-mail efficiently and reliably over the
Internet. It has no built-in confidentiality or sender authentication,
which is why PEM, PGP and, today, S/MIME and STARTTLS exist.
SMTP
SMTP OPERATIONS IN
THREE PHASES:
 The SMTP operation follows three phases:
1. Connection set-up: An SMTP sender attempts to set up a TCP
connection with a target host when it has one or more mail messages
to deliver to that host.
2. Mail transfer: After the connection has been established, the SMTP
sender may send one or more messages to the SMTP receiver (envelope
first with MAIL FROM and RCPT TO, then the message content with DATA).
3. Connection termination: The SMTP sender closes the connection
(QUIT).
CHARACTERISTICS OF SMTP
 SMTP is a push protocol (the sender initiates delivery).
 SMTP uses TCP at the transport layer.
 SMTP uses port 25 for server-to-server relay; mail clients submitting
mail use port 587 (STARTTLS) or 465 (implicit TLS).
 SMTP uses persistent TCP connections, so several messages can be sent
over one session.
 SMTP is a connection-oriented protocol.
 SMTP is an in-band protocol: commands and message data travel over the
same connection.
 SMTP is stateful within a session: the server tracks the envelope
(MAIL FROM, RCPT TO) and accepts DATA only after both.
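A minimal server-side SMTP state machine, added here as an example (not from the slides or from any mail server), to make the three phases and the session state concrete: the server accepts RCPT only after MAIL and DATA only after RCPT, un-stuffs leading dots in the body, and ends the message on a lone ".". The host name, addresses and dialogue are constructed.

```python
class SmtpSession:
    """Server side of one SMTP connection (RFC 5321 command ordering)."""

    def __init__(self):
        self.state = "connected"   # connected -> greeted -> mail -> rcpt -> data
        self.sender = None
        self.recipients = []
        self.buffer = []
        self.messages = []         # (sender, recipients, body) queued so far

    def handle(self, line: str) -> str:
        if self.state == "data":                     # phase 2: message content
            if line == ".":
                self.messages.append((self.sender, list(self.recipients), "\n".join(self.buffer)))
                self.sender, self.recipients, self.buffer = None, [], []
                self.state = "greeted"
                return "250 OK: queued"
            # dot-stuffing: a body line starting with "." was sent as ".."
            self.buffer.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):                 # phase 1 completes here
            self.state, self.sender, self.recipients = "greeted", None, []
            return "250 mail.example.com"
        if verb == "RSET":
            self.state, self.sender, self.recipients = "greeted", None, []
            return "250 OK"
        if verb == "MAIL":                           # envelope sender
            if self.state != "greeted":
                return "503 Bad sequence of commands"
            self.sender = arg.partition(":")[2].strip()
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT":                           # one or more envelope recipients
            if self.state not in ("mail", "rcpt"):
                return "503 Bad sequence of commands"
            self.recipients.append(arg.partition(":")[2].strip())
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Bad sequence of commands"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":                           # phase 3
            self.state = "closed"
            return "221 Bye"
        return "500 Command unrecognized"

def run_dialogue(lines):
    """Feed client lines to a fresh session; return it and the non-empty replies."""
    session = SmtpSession()
    replies = [session.handle(line) for line in lines]
    return session, [r for r in replies if r]
```

The 503 replies are the point: a server that did not keep state could not tell a RCPT TO that arrived before any MAIL FROM from a legitimate one.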
PRIVACY-ENHANCED MAIL
(PEM) PROTOCOL
 Privacy-Enhanced Mail (PEM) is an Internet standard (RFC 1421 to RFC
1424) which provides the secure exchange of electronic mail.
 It employs a range of cryptographic techniques that provide message
integrity, sender authentication and confidentiality:
 Message integrity allows the user to make sure that a message was not
modified during transport from the sender.
 Sender authentication allows a user to verify that the PEM message
received is truly from the person who claims to have sent it.
 Confidentiality allows a message to be kept secret from other people.
 PEM thus supports three main cryptographic functions:
 encryption,
 non-repudiation (through digital signatures) and
 message integrity.
 PEM itself saw little deployment (PGP and S/MIME are the formats in
use today), but the four processing steps below are the same pattern
those formats follow.
1. Canonical Conversion
 This step involves the conversion of the message into a standard
format that is independent of the computer architecture and the
operating system of the sender and the receiver, so that the digest
the sender signs is the same one the receiver recomputes.
2. DIGITAL SIGNATURE
 A message digest (MD2 or MD5 in PEM) of the canonical message is
computed and then encrypted with the sender's private key to form the
sender's digital signature, as shown in Fig.
3. ENCRYPTION
 Here the original e-mail and the digital signature are encrypted with
a symmetric key. For this, DES or Triple DES (3DES) in Cipher Block
Chaining (CBC) mode is used. The per-message symmetric key is itself
encrypted with the recipient's public key and attached to the message.
4. BASE 64 ENCODING
 The binary output is Base64-encoded so that it survives transfer
through mail systems that only handle printable 7-bit text.
PRETTY GOOD PRIVACY (PGP)
 PGP is used for encryption and decryption of e-mail over the Internet.
 It is also used to send digitally signed messages, so that the
receiver can verify the sender's identity and be sure that the message
was not changed during transmission.
 PGP was originally freely available, with a low-cost commercial
version. It is widely used as a privacy-ensuring program by individuals
and by many organizations.
 PGP was developed by Philip R. Zimmermann in 1991 and became the basis
of the OpenPGP standard (RFC 4880) for e-mail security.
 It can also be used to encrypt stored files so that they are
unreadable by unauthorized users or intruders.
WHAT SERVICES DOES PGP PROVIDE?

 PGP employs public key cryptography, symmetric key cryptography,
hashing, and digital signatures. It offers:
 Authentication
 Privacy (confidentiality)
 Message integrity
 Non-repudiation
 It also offers data compression and key management services in
addition to these security services. Rather than creating new
cryptographic algorithms, PGP uses existing ones such as RSA, IDEA,
CAST-128, 3DES, AES and, for hashing, MD5 historically and SHA-1 and
SHA-2 later.
PGP
WORKING – 1. AUTHENTICATION
 The sender creates a message.
 SHA-1 is used to generate a 160-bit hash code of the message (modern
OpenPGP implementations use SHA-2 instead).
 The hash code is encrypted (signed) using the sender's private key and
the result is prepended to the message.
 The receiver uses the sender's public key to decrypt and recover the
hash code.
 The receiver generates a new hash code for the message and compares it
with the decrypted hash code. If they match, the message is accepted as
authentic.
2. CONFIDENTIALITY
 PGP provides one more basic service, confidentiality. It is provided
by encrypting the message to be transmitted or to be stored locally as
a file.
 The sender generates a message and a random 128-bit number. This
number is used as a session key for this message only.
 The message (already signed, if authentication is wanted as well) is
encrypted with the session key using a symmetric algorithm such as
CAST-128, IDEA, 3DES or AES.
 The session key is then encrypted using the recipient's public key and
prepended to the message.
 Only the receiver, with its private key, can decrypt and recover the
session key.
 The session key is then used to decrypt the message.
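Both PGP services above (and the PEM sign-then-encrypt sequence earlier) in one runnable round trip. This is an added example, not PGP's code or the slides': the key pairs are textbook RSA built from small Mersenne primes with no padding, the block cipher is replaced by a SHAKE-256 keystream, and the message is constructed. Only the structure is PGP's: SHA-1 digest signed with the sender's private key and prepended, a fresh random 128-bit session key, the session key wrapped to the recipient's public key and prepended to the ciphertext.

```python
import hashlib
import secrets

RSA_E = 65537

def rsa_keypair(p: int, q: int):
    """Textbook RSA from two known primes: no padding, for structure only."""
    n = p * q
    d = pow(RSA_E, -1, (p - 1) * (q - 1))
    return (n, RSA_E), (n, d)

# Demo key pairs from Mersenne primes so the example needs no prime generator.
# Far too small for real use; the sender's modulus exceeds 2**160 (a SHA-1
# digest fits), the recipient's exceeds 2**128 (a session key fits).
SENDER_PUB, SENDER_PRIV = rsa_keypair(2**127 - 1, 2**89 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = rsa_keypair(2**107 - 1, 2**61 - 1)
KEY_FIELD = 32   # bytes reserved for each RSA output; both moduli are < 2**256

def stream_xor(session_key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for CAST-128/IDEA/3DES/AES: SHAKE-256 keystream.
    Acceptable here only because PGP uses each session key for one message."""
    ks = hashlib.shake_256(session_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def pgp_send(message: bytes, sender_priv, recipient_pub) -> bytes:
    """Authentication then confidentiality, as in the two PGP steps above."""
    n, d = sender_priv
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    signature = pow(digest, d, n).to_bytes(KEY_FIELD, "big")   # "encrypt" hash with private key
    signed = signature + message                               # signature prepended
    session_key = secrets.token_bytes(16)                      # random 128-bit, this message only
    body = stream_xor(session_key, signed)
    rn, re_ = recipient_pub
    wrapped = pow(int.from_bytes(session_key, "big"), re_, rn).to_bytes(KEY_FIELD, "big")
    return wrapped + body                                      # wrapped key prepended

def pgp_receive(packet: bytes, recipient_priv, sender_pub):
    """Returns (signature_valid, message). Only the recipient's private key
    recovers the session key; only the sender's public key checks the hash."""
    rn, rd = recipient_priv
    wrapped, body = packet[:KEY_FIELD], packet[KEY_FIELD:]
    key_int = pow(int.from_bytes(wrapped, "big"), rd, rn)
    if key_int >= 1 << 128:                  # wrong private key or altered wrap
        return False, b""
    signed = stream_xor(key_int.to_bytes(16, "big"), body)
    signature, message = signed[:KEY_FIELD], signed[KEY_FIELD:]
    sn, se = sender_pub
    recovered = pow(int.from_bytes(signature, "big"), se, sn)
    expected = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return recovered == expected, message
```

Any change to the wrapped key, the ciphertext or the signature makes the recomputed digest disagree with the recovered one, which is the integrity property the slide describes; a real implementation additionally pads the RSA operations (PKCS#1 / OAEP) and uses an authenticated or MDC-protected symmetric mode.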
PUBLIC KEY INFRASTRUCTURE (PKI)
 A PKI is a structure which provides all of the essential components
for different types of users and entities to communicate securely in a
predictable manner.

 A PKI is made up of different components: hardware, applications,
policies, services, programming interfaces, cryptographic algorithms,
protocols, users and utilities. These components work together to
allow communication using public key cryptography (for digital
signatures and key exchange) and symmetric keys (for bulk data
encryption), providing authentication, confidentiality and integrity.
 Registration authorities (RAs) and certificate authorities (CAs) are
part of PKI environments.
 Although specific products vary, the registration authority asks for
proof of identity from the individual who is requesting a certificate
and validates this information.
 After this the registration authority forwards the validated request
to the certificate authority, which generates the certificate. The
certificate authority digitally signs the certificate using its private
key.
 When B receives A's certificate and verifies that it was actually
digitally signed by a certificate authority that B trusts, B will
believe that the certificate is actually A's, not because B trusts A,
but because B trusts the certificate authority.
 Such a scenario is generally referred to as a third-party trust model.
The key component of a digital certificate is the public key, so when B
verifies the digital signature of the certificate authority, this tells
B that the certificate is truly A's and that the public key it contains
is also A's; in this way A's identity is bound to A's public key.
 This process allows A to authenticate to B and communicate with B
under encryption without prior communication or a pre-existing
relationship. Once B is convinced of the legitimacy of A's public key,
B can use it to verify A's signatures and to encrypt messages (or
session keys) that only A's private key can decrypt. B never learns A's
private key; the certificate carries only the public half.
 Certificates: A digital certificate binds an individual's identity to
a public key. A digital certificate contains all the information a
receiver needs to be assured of the public key owner's identity. The
certificates are created and formatted based on the X.509 standard,
which defines the necessary fields of a certificate and the possible
values that can be inserted into the fields.
 The different fields within certificates are as follows.
 1. Version Number: Specifies the format and fields that can be used;
it identifies the version of the X.509 standard that was followed to
create the certificate.
 2. Subject: Specifies the owner of the certificate.
 3. Public key: Contains the public key bound to the certified subject,
and identifies the algorithm that was used to create the private/public
key pair.
 4. Issuer: The CA that generated and digitally signed the certificate.
 5. Serial number: A unique number which identifies this specific
certificate among those issued by a particular CA (issuer name plus
serial number is how a revocation list refers to a certificate).
 6. Validity: Identifies the dates between which the certificate is
valid for use.
 7. Certificate Usage: Specifies the approved use of the certificate,
i.e. for what purpose the public key may be used (signing, key
encipherment, certificate signing and so on).
 8. Signature Algorithm: Identifies the hashing algorithm and digital
signature algorithm used to digitally sign the certificate.
 9. Extensions: Allow additional data to be encoded into the
certificate to expand the certificate's functionality.
CERTIFICATE ATTRIBUTES
 There are four main types of certificates used:
 1. End-entity Certificates: These are issued by a CA to a specific
subject, such as a user, an accounting department or a firewall.
 2. CA Certificates: In the case of a stand-alone or root CA, the CA
certificate is self-signed; otherwise it is issued by a superior CA
within a hierarchical model. In this model the superior CA gives the
authority and allows the subordinate CA to accept certificate requests
and generate the individual certificates itself. This may be necessary
when a company needs to have multiple internal CAs; different
departments within an organization can have their own CA servicing the
end-entities in their section.
 3. Cross-certificates: These are used when independent CAs establish
peer-to-peer trust relationships. Simply put, they are a mechanism
through which one CA can issue a certificate allowing its users to
trust another CA.
 4. Policy Certificates: A policy certificate is used for placing
policy information. Within sophisticated CAs used for high-security
applications, a mechanism is required to provide centrally controlled
policy information to PKI clients.
CERTIFICATE AUTHORITY (CA)
 A CA is the trusted authority for certifying individuals' identities
and creating an electronic document known as a digital certificate,
which indicates that individuals are who they say they are.
 A digital certificate establishes an association between the subject's
identity and a public key. Only the public key is placed in the
certificate; the matching private key stays with the subject and must
be stored separately and securely.
 The CA is made up of the software, hardware, procedures, policies, and
people who are involved in validating individuals' identities and
generating the certificates.
 If any one of the above components is compromised, it can affect the
CA negatively and threaten the integrity of the certificates it
produces.
 The Certification Practice Statement (CPS) outlines how identity is
verified, the steps the CA must follow to generate, maintain, and
transmit certificates, and why the CA can be trusted to fulfil its
responsibilities.
 The CPS describes how keys are secured, what data is placed within a
digital certificate, and how revocations will be handled.
 When a company is going to use and depend upon a public CA, the
company's security officers, administrators, and legal department
should examine the CA's CPS to ensure that it will properly meet the
company's needs and that the level of security claimed by the CA is
high enough for the company's use and environment.
 The trust between the users and the CA is the critical part of a PKI,
thus the CPS should be reviewed and understood to ensure the level of
trust is right.
 The certificate server is the actual service which issues the
certificate depending on the data given during the initial registration
process. The server constructs and populates the digital certificate
with the necessary information and combines the user's public key with
the resulting certificate. The certificate is then digitally signed
with the CA's private key.
REGISTRATION AUTHORITY (RA)
 This component accepts a request for a digital certificate and
performs the necessary steps for registering and authenticating the
person requesting the certificate. The authentication requirements
depend on the type of certificate being requested and these can vary
between different CAs. Generally there are the following three types:
 (i) Class 1: Generally, this is used to verify an individual's
identity through e-mail. A person who receives a Class 1 certificate
can use their public/private key pair to digitally sign e-mail and
encrypt message contents.
 (ii) Class 2: This may be used for software signing. Generally
software vendors will register for this type of certificate so they can
digitally sign their software. This provides integrity for the software
after it is developed and released, and allows the receiver of the
software to verify its origin.
 (iii) Class 3: This type of certificate may be used by a company to
set up its own certificate authority, which will allow it to carry out
its own identity verification and generate certificates internally.
 Every higher class can carry out more critical and powerful tasks, so
the different classes have different requirements:
 For Class 1: Name, e-mail address and physical address are necessary.
 For Class 2: Additional data such as a driving licence, passport and
company information is required.
 For Class 3: More information may be required and the person may need
to visit the RA's office for a face-to-face meeting.
 Every CA will summarize the certificate classes it provides and the
identification requirements that must be met to obtain each type of
certificate.
X.509/PKIX CERTIFICATE FORMAT
 The X.509 certificate format is the most widely accepted format for
public-key certificates used to verify that a public key belongs to a
user.
 X.509 certificates are used in most network security applications,
including IP Security (IPsec, through IKE), SSL/TLS, Secure Electronic
Transactions (SET), and S/MIME, as well as in e-business applications.
 An X.509 certificate contains information about the identity to which
a certificate is issued and the identity that issued it. Standard
information in an X.509 certificate includes:
 Version: Which X.509 version applies to the certificate (which
indicates what data the certificate must include).
 Serial number: The identity creating the certificate must assign it a
serial number that distinguishes it from its other certificates.
 Algorithm information: The algorithm used by the issuer to sign the
certificate.
 Issuer distinguished name: The name of the entity issuing the
certificate (usually a certificate authority).
 Validity period of the certificate: Start/end date and time.
 Subject distinguished name: The name of the identity the certificate
is issued to.
 Subject public key information: The public key associated with the
identity, and the algorithm it belongs to.
 Extensions (optional): for example key usage, subject alternative
names, and basic constraints (whether the subject may itself act as a
CA).

CYBER CRIME
Cyber crime refers to all criminal activities done using the medium of
computers, the Internet and the World Wide Web.
 Cybercrime, also known as computer crime, uses a computer as an
instrument for further illegal acts, such as committing fraud,
trafficking in child pornography and intellectual property, stealing
identities, or violating privacy.
 Mostly, cybercrime is an attack on data or information about
individuals, corporations or governments.
 The following are types of cyber crime:
 1. Financial: This crime disrupts businesses' ability to conduct
e-commerce.
 2. Piracy: This is related to the act of copying copyrighted material.
The personal computer and the Internet both offer a new way for an
'old' crime. Online theft is any type of piracy that involves the use
of the Internet to market or distribute creative works protected by
copyright.
 3. Hacking: This crime is related to the act of gaining illegal access
to a computer system or network and sometimes making unauthorized use
of such access. It is also the act by which other forms of cyber-crime,
such as fraud and terrorism, are committed.
 4. Cyber-terrorism: Here the main outcome of acts of hacking is
designed to cause terror. E-terrorism is the result of hacking which
causes violence against persons or property, or at least causes enough
harm to generate fear, like conventional terrorism.
 5. Online Pornography: There are laws against possessing or
distributing child pornography. Distributing pornography of any form to
a minor is illegal. The Internet is merely a new medium for this 'old'
crime, but how best to regulate this global medium of communication
across international boundaries and age groups has sparked a great deal
of controversy and debate.
 6. Sabotage: Another type of hacking involves the hijacking of a
government or corporate web site. It means purposeful destruction of
property or slowing down of work with the intention of damaging a
business or economic system, or weakening a government or nation in a
time of national emergency.
HACKING
 Hacking is one of the most well-known types of computer crime. A
hacker is someone who finds and exploits weaknesses in a computer
system or network.
 Hacking is also carried out as a way to take credit card numbers,
Internet passwords, and other personal information.
 By accessing commercial databases, hackers are able to steal these
types of items from millions of Internet users at once.
 There are different types of hacker:
 White hat (authorized, e.g. penetration testers)
 Black hat (unauthorized and malicious)
 Grey hat (unauthorized but without malicious intent)
DIGITAL FORGERY
 Forgery is defined as the crime of falsely altering or manipulating a
document with the intention of misleading others.
 It may include the production of falsified documents or counterfeited
items.
 Digital forgery is falsely altering digital content such as pictures,
images, documents, and music, perhaps for economic gain. It may involve
electronic forgery and identity theft.
 The majority of digital forgery involves digitally altered pictures,
made easy by the availability of powerful and affordable
picture-processing software (such as Adobe Photoshop, Adobe Premiere,
CorelDRAW, or GIMP).
CYBER

STALKING/HARASSMENT
Cyberstalking involves following a person online anonymously. The
stalker will virtually follow the victim, including his or her
activities.
 This kind of cybercrime involves online harassment where the user is
subjected to a flood of online messages and e-mails.
 Typically cyberstalkers use social media, websites and search engines
to intimidate a user and instil fear.
 Usually, the cyberstalker knows their victim and makes the person feel
afraid or concerned for their safety. Most victims of cyberstalking are
women and children.
CYBER PORNOGRAPHY
 The crime of child pornography includes the
possession, production, distribution or sale of
pornographic images or videos that exploit or
portray children. In some cases writing can be
considered a form of child pornography.
 Images of children involved in explicit sexual
behavior are, child pornography, but sexual activity
does not have to be pictured for the images to be
considered pornographic.
 In pornography where photographs of real children
are altered to make it appear that they are involved
in sexual activity or photographs
IDENTITY THEFT AND
FRAUD
 Identity theft is a specific form of fraud in which cybercriminals
steal personal data, including passwords, bank account data, credit
card and debit card numbers, social security numbers, and other
sensitive information. Through identity theft, criminals can steal
money.
 Fraud is a general term used to describe a cybercrime that intends to
deceive a person in order to gain important data or information. Fraud
can be done by altering, destroying, stealing, or suppressing
information to secure an unlawful or unfair gain.
CYBER LAWS
 Cyber law is the body of rules which governs conduct and security in
cyberspace.
 Cyber law is the law relating to cyberspace, which includes computers,
networks, software, data storage devices, the Internet, websites,
e-mails and electronic devices such as cell phones and ATMs.
 The Information Technology Act, 2000 (IT Act) declares certain acts
punishable. The main objective of this Act is to create an environment
in which Information Technology can be used safely.
 In India, the IT Act, 2000, as amended by the IT (Amendment) Act,
2008, is known as the cyber law. It has a separate chapter entitled
"Offences" in which various cyber crimes have been declared penal
offences punishable with imprisonment and fine.
 Cyber law includes laws relating to:
 Cyber Crimes
 Intellectual Property
 Data Protection and Privacy
 Electronic and Digital Signatures
 Categories: Cyber crimes can be divided into 3 major categories:
 (i) Crime against individuals: These crimes include cyber harassment
and stalking, distribution of child pornography, credit card fraud,
human trafficking, spoofing, identity theft, and online libel or
slander.
 (ii) Crime against government: When a cybercrime is committed against
the government, it is considered an attack on that nation's
sovereignty. Cybercrimes against the government include hacking,
accessing confidential information, cyber warfare, cyber terrorism, and
pirated software.
 (iii) Crime against property: Some online crimes occur against
property, such as a computer or server. These crimes include DDoS
attacks, hacking, virus transmission, cyber- and typo-squatting,
computer vandalism, copyright infringement, and IPR violations.
ITIL FRAMEWORK
 The Information Technology Infrastructure Library (ITIL) is a
collection of best practices in IT service management (ITSM); it
focuses on the service processes of IT and considers the central role
of the user.
 It was developed by the United Kingdom's Office of Government
Commerce (OGC).
 ISO/IEC 20000, first published in 2005, is the international standard
for ITSM derived from ITIL; ITIL itself continues as a separate body of
guidance.
 An ITIL service management self-assessment can be conducted with the
help of an online questionnaire maintained on the website of the IT
Service Management Forum.
 The self-assessment questionnaire helps evaluate the following
management areas: (a) Service Level Management, (b) Financial
Management, (c) Capacity Management, (d) Service Continuity Management,
(e) Availability Management, (f) Service Desk, (g) Incident Management,
(h) Problem Management, (i) Configuration Management, (j) Change
Management, and (k) Release Management.
 The ITIL framework is a source of good practice in service management.
The ITIL library has the following components:
 ITIL Core: Best-practice publications that may be used by any
organization that provides services to a business.
 ITIL Complementary Guidance: A complementary set of publications with
guidance specific to industry sectors, organization types, operating
models and technology architectures.
 The objective of the ITIL Service Management framework is to provide
services that are fit for purpose, stable and so reliable that the
business views IT as a trusted provider.
 ITIL can be adapted and used in conjunction with other good practices
such as COBIT (a framework for IT governance and controls), Six Sigma
(a quality methodology), TOGAF (a framework for IT architecture),
ISO/IEC 27000 (the family of standards for information security
management) and ISO/IEC 20000 (a standard for IT service management).
COBIT FRAMEWORK
 The Control Objectives for Information and related Technology (COBIT)
is "a control framework that links IT initiatives to business
requirements, organizes IT activities into a generally accepted process
model, identifies the major IT resources to be leveraged and defines
the management control objectives to be considered". ISACA first
released it in 1996; version 4.1, described here, was published in 2007
by the IT Governance Institute (ITGI), and later releases are COBIT 5
(2012) and COBIT 2019.
 COBIT 4.1 consists of 7 sections: 1) Executive overview, 2) COBIT
framework, 3) Plan and Organise, 4) Acquire and Implement, 5) Deliver
and Support, 6) Monitor and Evaluate, and 7) Appendices, including a
glossary.
 Its core content is divided into 34 IT processes. COBIT is
increasingly accepted internationally as a set of guidance materials
for IT governance that allows managers to bridge the gap between
control requirements, technical issues and business risks. Based on
COBIT 4.1, the COBIT Security Baseline focuses on the specific risks
around IT security in a way that is simple to follow and implement for
small and large organizations. COBIT can be found on the ITGI or
Information Systems Audit and Control Association (ISACA) websites.
 Operational processes defined by COBIT (the Deliver, Service and
Support domain of COBIT 5, processes DSS01 to DSS06):
 1. Manage operations
 2. Manage service requests and incidents
 3. Manage problems
 4. Manage continuity
 5. Manage security services
 6. Manage business process controls
