
Sir, I live in Darbhanga, Bihar, India, which is one of the most flood-prone regions of north India. During this year also we have had a similar situation, so due to frequent power cuts lasting many days I could not upload homework 2; that is why I am attaching it with homework three. For verification I am sharing a HOD mail regarding it, from when the first power cut occurred this year.
HOMEWORK 2
VIRTUAL PRIVATE NETWORK
A virtual private network allows a user to communicate securely without revealing his personal information. VPN technology lets large companies share applications and resources with branch offices and mobile users. A VPN is created by establishing a virtual point-to-point connection through the use of a tunnelling protocol over an existing network. VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security.

THE VPN SECURITY MODEL PROVIDES:

*CONFIDENTIALITY: no one other than the sender and receiver can see the message; an attacker can only see the encrypted text. Use: defends against network sniffers and deep packet inspection.
*AUTHENTICATION: sender authentication, to prevent unauthorized users from accessing the VPN.
*INTEGRITY: to detect any instance of tampering with transmitted messages.

SECURE VPNs USE THE FOLLOWING SECURITY MECHANISMS

INTERNET PROTOCOL SECURITY (IPsec)


IPsec uses encryption, encapsulating an IP packet inside an IPsec packet.

IPsec with digital certificates provides the most secure and scalable way to implement a VPN. Authentication in IPsec can be provided through pre-shared keys (easy to implement) or digital certificates (requires a CA server trusted by both parties).

The first step is to obtain a digital certificate from the trusted CA server. This requires a hostname and domain name on both branch routers. It also requires time synchronization between the routers and the CA server.

Then we generate general-purpose RSA keys. This process generates a public key and a private key.

After creating the trust point, we request the CA certificate for this trust point. This is to validate the CA server. The last step in the process of obtaining a certificate is to actually request a digital certificate from the CA server for the router itself.

The CA server will generate a unique digital certificate for each router.

Verification

When the Branch1 router initiates a ping to the remote LAN using its LAN interface as the source interface, the traffic matches the ACL and is considered interesting traffic. IKE Phase 1 begins at this stage. No traffic is sent successfully until IKE Phase 1 and Phase 2 have both completed.
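The "interesting traffic" decision above is driven by a crypto ACL. The following Python is an added example, not part of the homework or of any router's software: it models a crypto ACL as a list of permit entries, decides whether a given source/destination pair should trigger IKE, and checks the operational condition that the peer's ACL must be the mirror image of ours (otherwise Phase 2 fails on a mismatched traffic selector). The subnets are constructed for illustration.

```python
"""Added example (not from the homework): a crypto-ACL matcher that decides
whether a packet is "interesting traffic" that should trigger IKE, plus a
check that the peer's ACL is the mirror image of ours.  Addresses are
constructed for illustration."""
import ipaddress

# Constructed crypto ACL for Branch1: protect LAN-to-LAN traffic only.
# Each entry mimics "permit ip <source-net> <destination-net>".
BRANCH1_CRYPTO_ACL = [
    ("permit", "192.168.1.0/24", "192.168.2.0/24"),
]


def is_interesting(src_ip, dst_ip, acl=BRANCH1_CRYPTO_ACL):
    """Return True if src->dst matches a permit entry, i.e. must go through the
    IPsec SA.  Traffic that matches nothing is not protected by the SA; it is
    simply forwarded according to normal routing, which is why the ACL must
    cover every subnet that needs protection."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def mirror(acl):
    """The ACL the remote peer must configure: same entries, source and
    destination swapped."""
    return [(action, dst_net, src_net) for action, src_net, dst_net in acl]


def acls_mirror_each_other(local_acl, remote_acl):
    """Phase 2 (quick mode) fails with a proxy-identity mismatch when the two
    sides' traffic selectors are not mirror images; compare them as sets so
    entry order does not matter."""
    return set(mirror(local_acl)) == set(remote_acl)


if __name__ == "__main__":
    # Branch1 pings the remote LAN from its own LAN interface (source-interface).
    print(is_interesting("192.168.1.1", "192.168.2.10"))   # True: IKE Phase 1 starts
    print(is_interesting("192.168.1.1", "8.8.8.8"))        # False: not tunnelled
    print(acls_mirror_each_other(BRANCH1_CRYPTO_ACL, mirror(BRANCH1_CRYPTO_ACL)))
```

A ping sourced from a WAN address, or to a host outside the listed destination subnet, returns False and never brings the tunnel up, which is the usual reason a "ping from the router" test fails while the configuration looks correct.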

The purpose of IKE Phase 1 is to establish a secure communication channel (sometimes called the management connection) and generate keys for IPsec.

The Branch1 router initiates IKE negotiation by sending a policy proposal message to its peer. This message contains one or more IKE policies with parameters such as the encryption algorithm, authentication method, hash algorithm, Diffie-Hellman group and SA lifetime.

The next two messages serve to exchange Diffie-Hellman public-key values. Diffie-Hellman is a public-key algorithm that allows peers to exchange public-key values over an insecure network. Combining the received value with its own private key, each router derives the same shared secret key (also called the session key).

De-encapsulation happens at the far end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.

Transport Layer Security (SSL/TLS)

An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.[2]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server

The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and presents a list of supported cipher suites.

From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision. The server usually then provides identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) that vouches for the authenticity of the certificate, and the server's public encryption key.

The client confirms the validity of the certificate before proceeding.

To generate the session keys used for the secure connection, the client either:

*encrypts a random number with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session, or

*uses Diffie–Hellman key exchange to securely generate a random and unique session key for encryption and decryption that has the additional property of forward secrecy: if the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes.
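Both the IKE Phase 1 exchange described in the IPsec section and the second TLS option above are Diffie-Hellman exchanges, and the first TLS option is public-key encryption of a random number. The Python below is an added example, not code from the homework or from any VPN product: it carries out a Diffie-Hellman exchange with the peer-value check that real implementations apply, derives the same session key on both sides, and places a toy version of the public-key-encryption option beside it so the forward-secrecy difference is concrete. Every parameter is a constructed toy value (a 61-bit DH group, a 92-bit textbook-RSA modulus, SHA-256 standing in for the real key-derivation function); none of them is a real IKE group or certificate key.

```python
"""Added example (not from the homework): the Diffie-Hellman exchange that
IKE Phase 1 and the TLS Diffie-Hellman option perform, with the peer-value
check real implementations apply, beside a toy version of the TLS
public-key-encryption option so the forward-secrecy difference is visible.
Every parameter here is a constructed toy value: the DH group is 61 bits and
the RSA modulus 92 bits, sizes chosen to run instantly, not to be secure."""
import hashlib
import secrets

# Constructed toy DH group: Mersenne prime modulus, generator 3.  IKE uses the
# RFC 3526 MODP groups or elliptic-curve groups; TLS likewise.
P = (1 << 61) - 1
G = 3


def dh_keypair(p=P, g=G):
    """Private exponent x and the public value g^x mod p that goes on the wire."""
    x = secrets.randbelow(p - 2) + 1            # 1 <= x <= p-2
    return x, pow(g, x, p)


def check_peer_public(y, p=P):
    """Reject degenerate public values (0, 1, p-1); accepting one would let a
    third party force the shared secret to a value it already knows."""
    if not 1 < y < p - 1:
        raise ValueError("invalid DH public value from peer")
    return y


def dh_shared(x, peer_y, p=P):
    """Shared secret: (g^peer)^x mod p, identical on both sides."""
    return pow(check_peer_public(peer_y, p), x, p)


def session_key(secret, transcript):
    """Session key = H(secret || handshake messages); stands in for the IKE
    SKEYID derivation and the TLS key schedule (SHA-256 here, not the real PRF)."""
    return hashlib.sha256(secret.to_bytes(12, "big") + transcript).digest()


def dhe_handshake():
    """IKE Phase 1 / TLS option 2.  Returns what a passive recorder sees (only
    the two public values) and the key each side derived independently."""
    x_a, y_a = dh_keypair()                     # Branch1 / client
    x_b, y_b = dh_keypair()                     # Branch2 / server
    transcript = y_a.to_bytes(12, "big") + y_b.to_bytes(12, "big")
    key_a = session_key(dh_shared(x_a, y_b), transcript)
    key_b = session_key(dh_shared(x_b, y_a), transcript)
    return (y_a, y_b), key_a, key_b             # x_a and x_b are discarded here


# Toy textbook RSA (no padding) standing in for the server's certificate key.
RSA_P, RSA_Q = (1 << 31) - 1, (1 << 61) - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_handshake():
    """TLS option 1: the client encrypts a random premaster under the server's
    public key.  Returns what a passive recorder sees and the session key."""
    premaster = secrets.randbelow(RSA_N)
    recording = pow(premaster, RSA_E, RSA_N)
    return recording, session_key(premaster, b"")


def recover_after_key_leak(rsa_recording, leaked_d):
    """Years later the server's private key leaks.  In option 1 the recorded
    ciphertext decrypts and the old session key is reconstructed.  In option 2
    the recording holds only g^a and g^b: the leaked key was never an input to
    the session key, so it gives nothing (and in a real-sized group the
    recorder would additionally have to solve a discrete logarithm)."""
    premaster = pow(rsa_recording, leaked_d, RSA_N)
    return session_key(premaster, b"")


if __name__ == "__main__":
    _, key_a, key_b = dhe_handshake()
    print("IKE/DHE keys match:", key_a == key_b)
    rec, key = rsa_handshake()
    print("RSA session key exposed by later key leak:", recover_after_key_leak(rec, RSA_D) == key)
```

The peer-value check in check_peer_public is the part most often missing from textbook descriptions: a peer that sends 0, 1 or p-1 forces the shared secret to a known value, so both IKE and TLS implementations reject such values before deriving any key.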

SECURE SHELL

OPEN SSH

SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote servers over the Internet. The service was created as a secure replacement for the unencrypted Telnet and uses cryptographic techniques.

1. Both the client and the server agree on a very large prime number, which of course does not have any factor in common. This prime number value is also known as the seed value.

2. Next, the two parties agree on a common encryption mechanism to generate another set of values by manipulating the seed values in a specific algorithmic manner. These mechanisms, also known as encryption generators, perform large operations on the seed. An example of such a generator is AES (Advanced Encryption Standard).

3. Both parties independently generate another prime number. This is used as a secret private key for the interaction.

4. This newly generated private key, with the shared number and encryption algorithm (e.g. AES), is used to compute a public key which is distributed to the other computer.

5. The parties then use their own private key, the other machine's shared public key and the original prime number to create a final shared key. This key is independently computed by both computers but will produce the same encryption key on both sides.

6. Now that both sides have a shared key, they can symmetrically encrypt the entire SSH session. The same key can be used to encrypt and decrypt messages (see the section on symmetrical encryption).

Authenticating the User


The final stage before the user is granted access to the server
is authenticating his/her credentials. For this, most SSH users
use a password. The user is asked to enter the username,
followed by the password. These credentials securely pass
through the symmetrically encrypted tunnel, so there is no
chance of them being captured by a third party.
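The protection of the password described above rests on the client having confirmed, during key exchange, that the encrypted tunnel ends at the intended server and not at a third party in between. OpenSSH does this with the server's host key: the client computes the key's SHA256 fingerprint (the form ssh-keygen -l prints) and compares the key with the entry it already holds in known_hosts. The Python below is an added example, not code from the homework or from OpenSSH; the ed25519 key bytes and the hostname are constructed, and only plain (unhashed) known_hosts entries are handled.

```python
"""Added example (not from the homework): how an OpenSSH client ties the
encrypted tunnel to a specific server before any password is sent.  It
computes an OpenSSH-style SHA256 fingerprint of a host key and matches the
key against a known_hosts record.  The key bytes and hostname are
constructed, not a real server's."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_public_key):
    """Public-key blob for ssh-ed25519: string "ssh-ed25519" || string key."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text):
    """Map hostname -> [(key type, key blob)] from plain (unhashed) entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, key_b64 = line.split()[:3]
        for host in hosts.split(","):
            entries.setdefault(host, []).append((key_type, base64.b64decode(key_b64)))
    return entries


def verify_host_key(known, host, key_type, presented_blob):
    """True only if the presented key is byte-for-byte one the client already
    trusts for this host.  An unknown host or a changed key must stop the
    login before the password is ever typed."""
    for kt, blob in known.get(host, []):
        if kt == key_type and hmac.compare_digest(blob, presented_blob):
            return True
    return False


# Constructed sample: the key the Branch1 admin saved on first connection.
TRUSTED_KEY = ed25519_host_key_blob(bytes(range(32)))
KNOWN_HOSTS = "branch1.example ssh-ed25519 " + base64.b64encode(TRUSTED_KEY).decode("ascii") + "\n"
KNOWN = parse_known_hosts(KNOWN_HOSTS)


def login_allowed(host, key_type, presented_blob):
    """Decision the client makes before prompting for the password."""
    return verify_host_key(KNOWN, host, key_type, presented_blob)


if __name__ == "__main__":
    print(fingerprint(TRUSTED_KEY))
    print(login_allowed("branch1.example", "ssh-ed25519", TRUSTED_KEY))     # True
    changed = ed25519_host_key_blob(bytes(range(1, 33)))
    print(login_allowed("branch1.example", "ssh-ed25519", changed))         # False
```

When the presented key differs from the saved one, the client should refuse to continue rather than warn and proceed; the fingerprint string is what an administrator compares out of band (for example against the value read from the router's console) before saving a new entry.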
