Academic Details of Course

Academic Details of Course

CS-7201

Network Security

(i)Course contents

CATEGORY OF COURSE / COURSE TITLE / COURSE CODE / CREDITS – 4C / THEORY PAPERS
Departmental Elective
DCO(E):II / Network Security / Network Security CS7201 / L
3 / T
1 / P
0 / Max. Marks:100
Min. Marks:35
Duration – 3 Hrs

UNIT-1

Conventional Encryption

Convention Encryption: Conventional Encryption Model,
Stenography, Classical Encryption Techniques,
Simplified DES, Block Cipher Principles,
The Data Encryption Standard,
The Strength of DES,
Differential and Linear Cryptanalysis,
Block Design Principles, Block Cipher of operation,
Conventional Encryption algorithms

UNIT-II

Public Key Encryption And Hash Functions

Public Key Crypgraphy ,
Principles of Public Key Crypsystems,
The RSA Algorithm, Key Management,
Diffie Hellman Key Exchange,
Elliptic Curve Crypgraphy,Message Authenticain and Hash Functions

Authenticain Requirements, Authenticain Functions,
Message Authentication Codes,
Hash Functions, Security of Hash Functions.

UNIT-III

Hash and Mac Algorithms

MD5 Message Digest Algorithm,
Secure Hash Algorithm (SHA:I),
RIPEMD, HMAC
Digital Signatures and Authentication Protocols
Digital Signatures, Authentication Protocols: Digital Signature Standard

UNIT-IV

Authentication Applications,
IP Security,
Web Security

UNIT-V

Intruders, Viruses and Worms

Intruders,
Viruses and Related Threats
Firewalls Firewall Design Principles,
Trusted Systems

References

(i)William Stallings, “Crypgraphy and Network Security”, Third Edition, Prentice Hall,1999

(ii)Atul Kahate, Crypgraphy & Network Security, Tata McGraw Hill Pub. Co

(ii)Lecture Plan with references

Department / Computer Science & Engineering / Session / Jul-Dec 2012
Faculty Name / Semester / Odd
Subject / Network Security / Sub. Code / CS-7201
(B) TIME SCHEDULE: Total expected periods: 53, Extra periods (if required)…
Lecture No. / Topics to be covered / Date of Completion / Remarks
1 / Introduction to Network Security
2 / Services, Mechanism and attack / R1 (1-7)
R2 (5-8)
3 / Introduction to cryptography / R1 (7-12)
R2 (59,73-80)
4 / Steganography / R3(377,755-757)
5 / Conventional Encryption mode / R1 (12-14)
6 / Classical Encryption Model / R1 (21-4 8)
7 / Block cipher principles / R1 (55-56)
R2(60,66,71,93)
8 / Simplified DES / R1(56-71)
9 / Designing Simplified DES / R1(71-82)
10 / Strength of DES, Differential & Linear Cryptanalysis / R1(82-85)
R2(65,69,658)
11 / Block Cipher Design principles / R1(85-89)
12 / Block Cipher modes of operation / R1(90-97)
13 / Modular arithmetic, euclid’s algorithm / R1(107-116)
Unit Test – I (25% of Syllabus) / Lect. No. 01 to 13
15 / Double & triple DES, meet-in-the middle attack / R1(173-178)
16 / Blowfish / R1(179-184)
17 / RC5 / R1(185-191)
18 / RC4 stream cipher / R1(192-196)
19 / Key distribution / R1(211-219)
20 / Random Number Generation / R1(220-226)
21 / Testing of primality / R1(243-245)
22 / Principles of Public Key Cryptosystem / R1(257-267)
23 / The RSA Algorithm / R1(268-278)
R2(75,80,678)
24 / Key management / R1(286-292)
R2(442,477,440,439,47,60)
25 / Diffie-Hellman Key Exchange / R1(293-296)
R2(442)
26 / Elliptic curve Cryptography / R1(297-306)
27 / Authentication Functions / R1(313-323)
R2(194)
Mid Semester (50% of Syllabus) / Lect. No. 01 to 27
29 / Message Authentication codes / R1(324-328)
30 / Hash functions / R1(328-334)
R2
(76,77,405)
31 / Security of hash function / R1(335-338)
32 / MD 5 message Digest algorithm / R1(347-356)
33 / Secure Hash Algorithm (SHA-I) / R1(357-365)
R2(77,439)
34 / RIPEMD-160 / R1(365-372)
35 / HMAC / R1(372-377)
36 / Digital signature / R1(379-384)
R2(79,107,442,593,682)
37 / Digital signature standard (DSS) / R1(384-395)
38 / Kerberos / R1(401-418)
39 / X.509 Authentication services / R1(419-428)
40 / PGP / R1(435-454)
41 / S/MIME / R1(455-472)
42 / IP Security / R1(481-490)
R2-440
43 / Authentication Header / R1(491-495)
Unit Test – II (75% of Syllabus) / Lect. No. 01 to 43
45 / Encapsulating Security Payload / R1(496-503)
46 / Key management / R1(504-515)
47 / Secure Socket Layer (SSL) / R1(527-530)
48 / Transport Layer Security / R1(531-548)
49 / Secure Electronic Transaction / R1(540-560)
50 / Intruders & Intrusion Detection / R1(563-580)
R2(14,36,387-390)
51 / Password management / R1(581-590)
52 / Virus and Related Threats / R1(597-608)
R2
(156,108,111,419,528)
53 / Virus Countermeasures / R1(609-613)
54 / Firewalls / R2(435,451,457
55 / Firewall Design Principles & Trusted System / R1(615-634)
R2(169,229,215,273)
PUT (100% of Syllabus) / 9 / Lect. No. 01 to 55

References:

Cryptography and Network Security, William Stallings PrenticeHall, 1999(R1) / R1
Security in computing Shari Charles p. pfleeger, Low price Edison (R2) / R2
Introduction to computer security,Mattbishop sathyanarayana s. vencatramanayya, Pearson Education / R3

(iii) Unit Wise blowup

UNIT 1

INTRODUCTION NETWORKING

A basic understanding of computer networks is requisite in order understand the principles of network security. In this section, we'll cover some of the foundations of computer networking, then move on an overview of some popular networks. Following that, we'll take a more in: depth look at TCP/IP, the network protocol suite that is used run the Internet and many intranets.

TYPES AND SOURCES OF NETWORK THREATS

1.Denial:of:Service

2.Unauthorized Access

3.Executing Commands Illicitly

4.Confidentiality Breaches

5.Destructive Behavior

6.Data Diddling

7.Data Destruction

SECURE NETWORK DEVICES

1.Secure Modems; Dial:Back Systems

2.Cryp:Capable Routers

3.Virtual Private Networks

4.Encryption Options Beyond DES

CRYPTANALYSIS

If brute force is the only form of attack that can be made on an encryption algorithm, then the way counter such attacks is obvious: use longer keys. For example, for a 128:bit key, which is common, it would take over 10 19 years break the code using the EFF cracker. Even if we managed speed up the cracker by a facr of 1 trillion, it would still take over 10 million years break the code. So a 128:bit key is guaranteed result in an algorithm that is unbreakable by brute force. Structure of an encryption algorithm
The exact realization of a Feistel network depends on the choice of the following parameters and design features:

Block size.
Key size .
Number of rounds.
Subkey generation algorithm.
Round function:
Fast software encryption/decryption.
Ease of analysis

Triple DES

The most widely:used alternative DES is a variant of DES known as triple DES. DES is highly resistant the known forms of cryptanalysis, so it makes sense use DES as a building block for longer:key algorithms. Triple DES preserves the existing investment in software and equipment, and operates by passing the data be encrypted through three stages of DES The data is first encrypted with one key by passing it through the DES encryption algorithm.

Then, the data is passed through the DES decryption algorithm using a second key. Finally, the output of the second stage is passed through DES encryption again using either a third key or a repetition of the first key.

In the former case, the key length is 168 bits, and in the latter, the key length is 112 bits.

Idea

The International Data Encryption Algorithm (IDEA) is a symmetric block cipher developed by Xuejia Lai and James Massey of the Swiss Federal Institute of Technology in 1991. IDEA uses a 128:bit key and differs markedly from DES both in the round function and in the subkey generation function. For the round function, IDEA does not use S:boxes. Rather, IDEA relies on three different mathematical operations: XOR, binary addition of 16:bit integers, and binary multiplication of 16:bit integers. These functions are combined produce a complex transformation that is very difficult analyze and hence very difficult cryptanalyze. The subkey generation algorithm relies solely on the use of circular shifts, but uses these in a complex way generate a tal of six subkeys for each of the eight rounds of IDEA. Because IDEA was one of the earliest of the proposed 128:bit replacements for DES, it has undergone considerable scrutiny and, so far, appears be highly resistant cryptanalysis. IDEA is used in PGP (as one alternative) and is also used in a number of commercial products.

Blowfish

Blowfish was developed in 1993 by Bruce Schneier, an independent consultant and crypgrapher, and quickly became one of the most popular alternatives DES. Blow:fish was designed be easy implement and have a high execution speed. It is also a very compact algorithm that can run in less than 5k bytes of memory. An interesting feature of Blowfish is that the key length is variable and can be as long as 448 bits. Blowfish uses 128:bit keys and sixteen rounds.

Blowfish uses S:boxes and the XOR function, as does DES, but also uses binary addition. Unlike DES, which uses fixed S:boxes, Blowfish uses dynamic S:boxes that are generated as a function of the key. The subkeys and the S:boxes are generated by repeated application of the Blowfish algorithm itself the key. A tal of 521 executions of the Blowfish encryption algorithm are required produce the subkeys and S:boxes. Accordingly, Blowfish is not suitable for applications in which the secret key changes frequently.

RC5

RC5 was developed in 1994 by Ron Rivest, one of the invenrs of the public:key algorithm RSA. RC5 was designed have the following characteristics:

• Suitable for hardware or software. RC5 only uses primitive computational operations commonly found on microprocessors.

• Speed. achieve this, RC5 is a simple algorithm and is word oriented. The basic operations work on full words of data at a time.

• Adaptable processors of different word lengths . The number of bits in a word is a parameter of RC5. Diff:erent word lengths yield different algorithms.

• Variable number of rounds. The number of rounds is a second parameter of RC5. This parameter allows a trade:off between higher speed and higher security.

• Variable:length key. The key length is a third parameter of RC5. Again, this flexibility allows a trade:off between speed and security.

• Data:dependent rotations. RC5 incorporates rotations (circular bit shifts) whose amount is data dependent. This appears strengthen the algorithm against cryptanalysis.

CAST:128
CAST is a design procedure for symmetric encryption algorithms developed in 1997 by Carlisle Adams and Stafford Tavares of Entrust Technologies. One specific algorithm developed as part of the CAST project is CAST:128, which makes use of a key size that varies from 40 bits 128 bits in 8:bit increments. CAST is the result of a long process of research and development and has benefited from extensive review by cryplogists. It is beginning be used in a number of products, including PGP.

STEGANOGRAPHY

Steganography sometimes is used when encryption is not permitted. Or, more commonly, steganography is used supplement encryption. An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.

Special software is needed for steganography, and there are freeware versions available at any good download site.

UNIT 2

PUBLIC:KEY ENCRYPTION

INTRODUCTION

A crypgraphic system that uses two keys :: a public key known everyone and a private

or secret key known only the recipient of the message. When John wants send a secure message Jane, he uses Jane's public key encrypt the message. Jane then uses her private key decrypt it. An important element the public key system is that the public and private keys are related in such a way that only the public key can be used encrypt messages and only the corresponding private key can be used decrypt them. Moreover, it is virtually impossible deduce the private key if you know the public key.

Public key crypgraphy, also known as asymmetric crypgraphy, is a form of crypgraphy in which a user has a pair of crypgraphic keys : a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

The two main branches of public key crypgraphy are:

public key encryption — a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used ensure confidentiality.
digital signatures — a message signed with a sender's private key can be verified by anyone who has access the sender's public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used ensure authenticity.

INTRODUCTION PUBLIC:KEY CRYPGRAPHY

Public:key crypgraphy and related standards and techniques underlie security features of many Netscape products, including signed and encrypted email, form signing, object signing, single sign:on, and the Secure Sockets Layer (SSL) protocol. This document introduces the basic concepts of public:key crypgraphy.

Symmetric: Key Encryption

With symmetric:key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure 1.

Figure 1 Symmetric: key encryption

Implementations of symmetric:key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption.

Symmetric:key encryption also provides a degree of authentication, since information encrypted with one symmetric key cannot be decrypted with any other symmetric key. Thus, as long as the symmetric key is kept secret by the two parties using it encrypt communications, each party can be sure that it is communicating with the other as long as the decrypted messages continue make sense.

RSA ALGORITHM

The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in 1977. The basic technique was first discovered in 1973 by Clifford Cocks(part of the British GCHQ) but this was a secret until 1997. RSA algorithm can be used for both public key encryption and digital signatures. Its security is based on the difficulty of facring large integers.

Key Generation Algorithm

Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length, e.g. 1024 bits. [See note 1].
Compute n = pq and (φ) phi = (p:1)(q:1).
Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. [See note 2].
Compute the secret exponent d, 1 < d < phi, such that
ed ≡ 1 (mod phi). [See note 3].
The public key is (n, e) and the private key is (n, d). The values of p, q, and phi should also be kept secret.
n is known as the modulus.
e is known as the public exponent or encryption exponent.
d is known as the secret exponent or decryption exponent.

Encryption

Sender A does the following::

Obtains the recipient B's public key (n, e).
Represents the plaintext message as a positive integer m [see note 4].
Computes the ciphertext c = m^e mod n.
Sends the ciphertext c B.

Decryption

Recipient B does the following::

Uses his private key (n, d) compute m = c^d mod n.
Extracts the plaintext from the integer representative m.

Digital signing

Sender A does the following::

Creates a message digest of the information be sent.
Represents this digest as an integer m between 0 and n:1. [See note 5].
Uses her private key (n, d) compute the signature s = m^d mod n.
Sends this signature s the recipient, B.

Signature verification

Recipient B does the following::

Uses sender A's public key (n, e) compute integer v = s^e mod n.
Extracts the message digest from this integer.

ELLIPTIC CURVE

(1) What is an elliptic curve?

Well for a start, it is not the same as an ellipse!But be more positive: from school mathematics, you probably know the equation for a circle centred on the (a,b) of radius r, which is(x:a)^2 + (y:b)^2 = r^2, where x, y, a, b and r are real numbers.An elliptic curve is also defined by an equation, but it has the slightly more complicated form:

y^2 [ + x·y ] = x^3 + a·x^2 + b

(2) What is a field?

The familiar examples of fields are real numbers, complex numbers, rational numbers (fractions) and integers modulo a prime number. The latter is an example of a "finite field". The requirements of a field are normal addition and multiplication, plus the existence of both additive and multiplicative inverses (except that 0 doesn't have a multiplicative inverse). put it another way, a field has addition, subtraction, multiplication and division : and these operations always produce a result that is in the field, with the exception of division by zero, which is undefined.It turns out that this construction works for other "reduction rules" involving higher powers of i.This construction works for all p and m, as long as p is prime; in fact every finite field can be constructed in this way; moreover two finite fields with the same number of elements are always isomorphic : that is there is a 1:1 map between them which preserves the addition and multiplication rules.

(3) How are elliptic curves used?

The crucial property of an elliptic curve is that we can define a rule for "adding" two points which are on the curve, obtain a 3rd point which is also on the curve. This addition rule satisfies the normal properties of addition. In math jargon, the points and the addition law form a finite Abelian group.The equations for the addition rule are given in (7) and (8).For addition be well defined for any two points, we need include an extra 'zero' point O, which does not satisfy the elliptic curve equation. This 'zero' point is taken be a fully paid up point of the curve. The order of the curve is the number of distinct points on the curve, including the zero point.Having defined addition of two points, we can also define multiplication k*P where k is a positive integer and P is a point as the sum of k copies of P.

Thus 2*P = P+P
3*P = P+P+P
etc.This is analagous how we define "powers" in normal arithmetic, where
x^2 = x.x
x^3 = x.x.x
etc.

(4) WHAT IS A HASH FUNCTION?

A hash function H is a transformation that takes a variable:size input m and returns a fixed:size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in crypgraphy the hash functions are usually chosen have some additional properties.

The basic requirements for a crypgraphic hash function are:

the input can be of any length,
the output has a fixed length,
H(x) is relatively easy compute for any given x ,
H(x) is one:way,
H(x) is collision:free.

A hash function H is said be one:way if it is hard invert, where "hard invert" means that given a hash value h, it is computationally infeasible find some input x such that H(x) = h.

If, given a message x, it is computationally infeasible find a message y not equal x such that H(x) = H(y) then H is said be a weakly collision:free hash function.

A strongly collision:free hash function H is one for which it is computationally infeasible find any two messages x and y such that H(x) = H(y).

UNIT 3

DIGITAL SIGNATURE ALGORITHM

DIFINITION

A digital signature (not be confused with a digital certificate) is an electronic signature that can be used authenticate the identity of the sender of a message or the signer of a document, and possibly ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time:stamped. The ability ensure that the original signed message arrived means that the sender cannot easily repudiate it later.