Documente Academic
Documente Profesional
Documente Cultură
Data security involves not only protection, but also detecting offends of secured
communication and attacks on the infrastructure, and then responding to these attacks.
The main problems that occurred in network security are secrecy, authentication, non-
repudiation and integrity control.
This paper discusses with a perspective view of how a continuous cycle of
protection, detection and response can be consistently maintained. Also concerns about
different types of security attacks such as spoofing, virus, worm and security mechanisms
such as firewalls, cryptography and describes about how security provided in mobile
networks.
Cryptography is defined as information hiding. Cryptography allows two
parties to exchange sensitive information in a secure manner. Cryptography has naturally
been extended into the realm of computers such as secure access to private networks,
electronic commerce, and health care, and provides a solution to the electronic security
and privacy issue.
This paper mainly concerns about two types of cryptographic standards such as
symmetric and asymmetric algorithms and also the specification and implementation of
above methods. And also explained Encryption and Decryption Methods, Digital
Signatures, Authentication and Keys. The implementation of public key cryptography
requires several supporting components to handle key creation, distribution and
revocation –Public Key Infrastructure (PKI).While the implementation of private key
cryptography requires encryption and decryption methods which are also specified.
Today’s new cryptography system and advanced elliptic curve technology in
smartcard technology are also specified.
INTRODUCTION
1. DEFINITION: Security is defined as “a guarantee that an obligation will be met”. In
simplest form it is concerned with people trying to access remote services that they are
not authorized to use or it is concerned with making sure that nosy people cannot read, or
worse yet, modify messages intended for other recipients.
Security is a broad topic and covers a multitude of sins. Most security problems
intentionally caused by malicious people trying to gain some benefit or harm someone. A
few of the most common perpetrators are student, hacker, sales representative, business
man, ex-employee, accountant, stock broker, conman, spy, etc. The intruders would first
have a panoramic view of the victim’s network and then start digging the holes. Today
the illicit activities of the hackers are growing by leaps and bounds.
Data security problems can be divided roughly into four intertwined areas:
Secrecy, Authentication, NonRepudiation and Integrity control. The solutions for various
type of security attacks are provided by cryptography, firewalls etc.
I. D
enial-of-Service (DoS) attacks (attacks and counter-attacks): User’s system is simply
saturated by an excessive workload as the attacker sends spurious traffic into resource.
This is DoS attack. Typically, a DoS attack works by creating so much work for the
infrastructure under attack that legitimate work cannot be performed. There are two
types of DoS attacks: Operating System Attacks and Networking Attacks.
II. PACKET SNIFFING:
A Packet sniffer is a program running in a network-attached device that
passively receives all data-link layer frames passing by the device’s network adapter. In a
broadcast environment such as an Ethernet LAN, this means that the packet sniffer
receives all frames being transmitted from or to all hosts on the LAN.
III.SPOOFING:
Any Network-connected device necessarily sends IP datagrams into the
network. These data grams carry the sender’s IP address, as well as upper-layer data. A
user with complete control over that device’s software can easily modify the device’s
protocols to place an arbitrary IP address into a datagram’s Source Address Field. This is
known as IP Spoofing. IP spoofing is used in DoS attacks to hide the originator(s) of
attack.
IV.VIRUS:
It’s a piece of code that copies itself into a program and executes when the
program runs. Similarly to how viruses attack humans, computer viruses can grow,
replicate, travel, and consume resources.
There are some other attacks like DDOS, TROJAN HORSE, and WORM etc.
3. Network security in TCP/IP STACK:
a. Physical layer: Wild tapping can be foiled by enclosing transmission lines in
sealed tubes containing organ gas at high pressure. Any attempt to drill into a
tube will release some gas, reducing the pressure and triggering an alarm. Some
military systems use this technique.
b. Data link Layer: In packet transmission from one machine to another machine
packet have to traverse multiple routers because packets have to be decrypted at
each router leaving them vulnerable to attacks from with in the router. Link
Encryption method can be easily used.
c. Network layer: IP Protcol is an Internet Security Protocol for transporting
secure traffic across untrusted link. Services provided are Access Control,
Connection Less Integrity, Origin Authentication, confidentiality. IPSec
software can be directly placed into IP Source Code, or under IP Protocol Stack
or use a separate piece of equipment and attach it to a host.
d. Transport layer:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are provided
security in this layer.
e. Application layer: The PGP is used in this layer.
4 .FIRE
. WALLS::
DEFINITION: A Firewall is best described as a s/w or h/w or both s/w & h/w packet
filter that allows only selected packets to pass through from the internet to a private
internal network by listening to all ports on a system attempting to open a connection.
When it detects such an attempt, it reacts according to a predefined set of rules.
There are two types of firewalls: Packet-filtering firewalls (which operate in network
layer) and Application-level gateways (which operate at the application layer).
• WHY GO FOR A FIREWALL?
None can connect to the internet solitarily. If somehow a crazy guy
succeeds in finding an IP address he can exploit any vulnerability existing in that system-
damage the data or even use that system to hack other computers.
• HOW A FIREWALL WORKS?
This is where the firewalls are inextricable with a secured network. They,
just like their name suggests, protect from unsolicited connection probes, scans and
attacks. They listen to all ports for any connection requests received and sent. As such
an instance is recorded, it pops up a warning asking whether to allow the connection to
initiate or not. This warning message also contains the IP that is trying to initiate
connection and also the port number to which it is trying to connect i.e., the port to which
the packet was sent. It also protects a system from port scans, DoS attacks, vulnerability
attacks etc.
• AN EXAMPLE FIREWALL- “A PROXY SERVER”:
Each of the techniques employed by the attackers to obtain the target
system’s IP address can be counter-attacked. A proxy server basically acts as a shield by
protecting your IP address form getting into malicious hands. It acts as a very own
personal secretary and a buffer between thy and thy host.
A proxy server removes the need of a system to receive or send messages
directly to the remote host. When any message is intended to be transmitted, then it is
actually sent to the proxy server, which in turn passes it on to the remote host. All
communication between the two parties is conducted indirectly, via the proxy server.
Such a scenario can be depicted in the following manner:
OUR SYS. PROXY SERVER REMOTE SYSTEM
CRYPTOGRAPHY
Since the key forms the basis of the encryption, its strength against attack is an
important feature. An indication of a key’s strength can be obtained from its length – for a
given encryption algorithm the longer the key, the stronger the key.
Asymmetric cryptosystems (also called public key cryptosystems) use one key the public
key to encrypt a message and a different key the private key to decrypt it. Given an
encryption key it is virtually impossible to determine the decryption key (and vice versa).
The main disadvantage is its slower computing speed when compared to the symmetric
encryption (due to its computing complexity).
Two different asymmetric algorithms are RSA (Rivest Shamir Adleman) which is
permutable (one key may either encrypt or decrypt) and ECDSA (Elliptic Curve Digital
Signature Algorithm, a variant of the well-known DSA), that may implement existing
algorithms using elliptic curves. The keys are smaller and consequently faster processing
times. This is shown in below fig.
4. Digital Signatures:
An authentication mechanism that enables the creator to attach a code that acts as
a signature. The signature guarantees the source and integrity of the file and provides
authenticity and integrity.
Digital signature solves
(I). Information integrity (II). Authentication (III). Non repudiation
5. AN EXAMPLE CRYPTOGRAPHY SYSTEM:
a. Security Policy:
The security policy contains definitions of the actual operation of the PKI. The
operation of the other PKI components should be detailed here, as well as procedures for
key generation, issuance, storage, and revocation. The security policy in effect acts as the
framework on which the PKI is built.
However, a key by itself does not contain supporting information such as who it
belongs to, who issued the key, and the period over which it is valid. Without this
information, then there is nothing linking a public key with its correct owner. The
solution takes the form of digital certificates. A certificate contains information linking a
specific public key to a specific individual. The current industry standard for digital
certificates is the CCITT X.509 international standard.
When a user applies for a digital certificate from a CA, the CA has to verify that the
applicant is truly who he claims to be. The role of the Registration Authority is to provide
this verification. A real-world analogy would be a Notary Public, for example.
d. Directory Service:
In our example with A sending an encrypted message to B, we have not yet
discussed where and how A gets hold of B’s certificate. The solution forms another
component of a PKI – the directory service. In the same way that you might look in a
standard phonebook to look up a telephone number, the directory service allows you to
look up the digital certificate for someone to whom you wish to send an encrypted
message.
ECC delivers the highest strength per bit of any known public-key system because
of the difficulty of the hard problem upon which it is based. This greater difficulty of the
hard problem – the elliptic curve discrete logarithm problem (ECDLP) – means that
smaller key sizes yield equivalent levels of security.
1. ECC Implementation:
An elliptic curve is a set of points specified by two variables that are elements
over a field Fq. A field is a set of elements with two custom-defined arithmetic operations,
usually addition and multiplication.
ECC requires the use of two types of mathematics:
Most of the computation for ECC takes place at the finite field level.
The two most common choices for the underlying finite field are:
Both of these finite fields are included in draft standards for ECC.
I. C
MS - Cryptographic Message Syntax:
The Cryptographic Message Syntax is used to digitally sign, digest, authenticate,
or encrypt arbitrary messages. Its main goal is to define the data structures and
processes for digitally signing and encrypting other data structures and it can Support
a variety of architectures for certificate-based key management, such as the one
defined by the PKIX working group.
II. S
SL: The SSL protocol runs above TCP/IP and below higher-level protocols such as
HTTP or IMAP. It allows a server to authenticate itself to a client, allows the Client to
authenticate itself to the server, and allows both machines to establish an encrypted
connection.
III. S
ecure e-mail / S/MIME: Security services can be added to each communication link
along a path, or it can be wrapped around the data being sent, so that it is independent of
the communication mechanism. Short for Secure Multipurpose Internet Mail Extension
- A new version of the MIME protocol that supports encryption of messages -
S/MIME is based on RSA's public-key encryption technology.
IV. VPN: A virtual private network (VPN) is a private data network that makes use of
the Public telecommunication infrastructure - instead of owned or leased lines
-maintaining privacy through the use of a tunneling protocol and security procedures. The
idea of VPN is to give a company the same capabilities at much lower cost by using the
shared public infrastructure rather than a private one. VPNs are an important part of an
e-business tool.
V.PGP: Pretty Good Privacy is a product family that enables people to securely
exchange messages, and to secure files, disk volumes and network connections with
both privacy and strong authentication. PGP is a freely available encryption program
that protects the privacy of files and electronic mail, using powerful public key.
Conclusion:
The capability of security enabled components still lags behind the claims. Basic
security challenges in the corporate realm are not yet completely addressed. A case in
point is that, E-ATTACKS are becoming notoriously peerless as compared with the
traditional nuke-wars. Consequently, in the quench of thirst for more and more secured
systems BIOMETRIC SYSTEMS, QUANTUM-CRYPTOGRAPHY and many more are
innovatively being implemented at a cumulative pace. If we are not exaggerating, let’s be
optimistic of a 100% foolproof, secured global village in the near future
Cryptography provides a solution to the problem of information security and privacy. For
electronic communications, the techniques of private and public key cryptography are
becoming increasingly popular.
BIBLIOGRAPHY: