UNIT-VIII
Syllabus
Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media.
Learning objectives
After the completion of this unit the student must be able to
• Explain security
• Explain DES
• Explain RSA
• Explain Cryptography
Network Security Deals with the Following Issues
• Secrecy (or confidentiality) – No unauthorized person can see the content.
• Authentication – Determining whom you are really talking to.
• Non-repudiation (digital signature) – A person cannot deny what he/she has sent.
• Integrity – Make sure a received message has not been modified.
Attacks on Network Security
• Passive attack
– Release of message content
– Traffic analysis
• Active attack
– Masquerade
– Replay
– Modification of message contents
– Denial of service
Traditional Cryptography
One Example: Substitution Ciphers
• Every letter is shifted by k positions in the 26-letter alphabet.
• Or a permutation is used to map each letter to another letter.
O SGCT NGX
Using the properties of natural languages, decoding the above message is not difficult.
Two Fundamental Cryptographic Principles
• All messages must contain some redundancy to prevent intruders from tricking the receiver into acting on a false message.
– Otherwise, a randomly generated cipher may map to a meaningful message.
– However, too much redundancy will make the cryptanalysts’ job easier.
• Some measure must be taken to prevent intruders from playing back old valid messages.
A Secret Key Algorithm: DES
• Data Encryption Standard (DES) is widely used in the industry.
• Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of cipher.
• Key is 56 bits (no longer considered safe).
• This algorithm has 19 stages.
• Triple DES uses E-D-E and two keys (112 bits is considered safe) for backward compatibility (by setting k1=k2, triple DES can communicate with DES).
Double DES Can be Attacked by “Meet-in-the-Middle”
DES Block Diagram
Location of Encryption Devices
Two Locations of Encryption Devices
• Link encryption devices
– All traffic on such a link is encrypted.
• Both data payload and header can be encrypted.
– A passive intruder cannot know where a packet is headed for.
• However, it hurts network forwarding performance a lot.
– The header of a packet needs to be decrypted each time it enters a router for forwarding.
– Vulnerable when transmitted on a link that does not support encryption and when entering a router.
• End-to-end encryption devices
– Only the two end hosts know which traffic is important enough that it needs to be encrypted. Performance is thus better.
• Only the data payload can be encrypted. A passive intruder can know where a packet is headed for.
– Data payload is safe all the way from the source to the destination node.
Key Distribution is Very Important
• For traditional encryption to work, the two communicating parties must have the same secret key before securely exchanging their data.
• Frequent key changes are desirable to limit the data compromised if an attacker learns the key.
• Therefore, the strength of any cryptographic system depends on the key distribution technique!
Key Distribution Can Be Achieved in a Number of Ways
• Suppose A and B communicate with each other:
– A can select a key and physically deliver it to B.
– A third party can select a key and physically deliver it to A and B.
– If A and B are already using a key to communicate, one party can transmit the new key to the other, encrypted using the old key.
– If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
• Security, flexibility, and convenience determine whether a method can gain popular use.
• The hardest problem is how to set up the first secret key.
– Public key – Diffie-Hellman method
An Automatic Key Distribution Example
Message Authentication (Also Called Digital Signature)
• A message is said to be authentic when it is genuine and came from its alleged source.
• Message authentication is a procedure that allows communicating parties to verify that received messages are authentic.
– The receiver can make sure that the message content is not altered.
– The receiver can make sure that the message really came from the alleged source.
– The sender later cannot repudiate that he/she sent this message.
– The receiver can make sure that the message is not a replay.
Message Can Be Authenticated by Encryption
• Encrypt the content of a message with a key owned by the source.
• The receiver uses the same key to decrypt the received message.
• If the decoded message looks reasonable, then this message is not altered and came from the alleged source.
• Advantages:
– Achieves confidentiality, authentication, and integrity at one time.
• Disadvantage:
– Too slow. Sometimes confidentiality is not needed, for example, authentication of computer programs to detect viruses.
Authentication Messages without Encryption (Message Digests)
• An authentication tag is generated and appended to the message for transmission.
• The tag is a hash function of the content of the message and the source’s key.
• The content of the message need not be encrypted.
– Much faster than using encryption for the whole message.
• The receiver uses the same function and key to compute a tag. If the tag is the same as the appended tag, the message is authentic.
• Otherwise, either the appended tag or the message content has been altered.
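Added example (not from the slides) putting the tag scheme above together with the replay check from the Message Authentication slide: the sender appends a keyed hash over a sequence number and the cleartext message, and the receiver recomputes it with the shared key and rejects sequence numbers it has already accepted. HMAC-SHA-256 is the keyed hash chosen here; the key and payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by sender and receiver (not from the slides).
SHARED_KEY = b"constructed-demo-shared-key"

TAG_OK, TAG_BAD, REPLAY = "authentic", "tag mismatch", "replay"

def make_tag(key: bytes, seq: int, message: bytes) -> bytes:
    """Authentication tag over (sequence number || message). The slide describes 'a hash
    function of the content and the source's key' generically; HMAC-SHA-256 is used here."""
    return hmac.new(key, struct.pack("!Q", seq) + message, hashlib.sha256).digest()

def send(key: bytes, seq: int, message: bytes) -> tuple[int, bytes, bytes]:
    """Sender transmits the message in the clear with a sequence number and the tag appended."""
    return seq, message, make_tag(key, seq, message)

class Receiver:
    """Recomputes the tag with the shared key and refuses sequence numbers already accepted,
    which is the replay check the Message Authentication slide asks for."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest_seq = -1

    def receive(self, seq: int, message: bytes, tag: bytes) -> str:
        expected = make_tag(self.key, seq, message)
        # Constant-time comparison; a plain == leaks how many leading bytes matched.
        if not hmac.compare_digest(expected, tag):
            return TAG_BAD            # message, tag or key differs
        if seq <= self.highest_seq:
            return REPLAY             # valid tag, but an old message played back
        self.highest_seq = seq
        return TAG_OK

def demo() -> list[str]:
    """Deliver one genuine message, then replay it, alter it, and forge one with a wrong key."""
    rx = Receiver(SHARED_KEY)
    seq, msg, tag = send(SHARED_KEY, 1, b"pay 100 to account 42")      # constructed payload
    results = [rx.receive(seq, msg, tag)]                               # -> authentic
    results.append(rx.receive(seq, msg, tag))                           # same frame again -> replay
    results.append(rx.receive(seq + 1, b"pay 900 to account 42", tag))  # altered content -> tag mismatch
    results.append(rx.receive(*send(b"some-other-key", 2, msg)))        # wrong key -> tag mismatch
    return results
```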
Message Digests Use Secure Hash Function
• The purpose of a hash function H is to produce a “fingerprint” of a message.
• Requirements:
– H can be applied to a block of data of any size.
– H produces a fixed-length output.
– H(x) is easy to compute, making software and hardware implementation cost low.
– For any given code h, it is computationally infeasible to find x such that H(x) = h.
– For any given block x, it is computationally infeasible to find y != x with H(x) = H(y).
– It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
• Example: SHA, MD5
Different Ways of Doing Message Digests
Used by IPsec
Public-Key Cryptography
• Each person has two keys – one public, the other private.
• The sender uses the receiver’s public key to encrypt the message.
• The receiver uses his/her private key to decrypt.
• No secret key distribution is needed.
Public-Key Can be Used For Message Authentication
Only Bob has Bob’s private key; no one else can use Bob’s private key to encrypt a message.
Public-Key Can be Used For Both Message Authentication and Encryption
The RSA Public-Key Encryption Algorithm
The RSA Public-Key Encryption Example
The Diffie-Hellman Key Exchange to Establish a Shared Secret Key
Given g, n, and g^x mod n, finding x is computationally difficult.
No need to distribute secret keys!
IPv4 and IPv6 Security: IPsec
• IPsec provides three facilities:
– Authentication-only (AH)
– Authentication with encryption (Encapsulating Security Payload, ESP)
– Key management
• IPsec provides two modes:
– Transport mode
• Only the data payload can be authenticated and/or encrypted. The packet header is exposed.
– Tunnel mode
• Both packet header and data payload can be encrypted.
• An original packet is put into and carried as a tunnel IP packet’s data payload.
• Thus, the original packet header is not exposed.
Transport and Tunnel Modes
Security Association in IPsec
• An association is a one-way relationship between a sender and a receiver that offers security service to the traffic carried on it.
• For a two-way secure exchange, two associations, one for each direction, need to be set up.
• A security association is uniquely defined by
– Security parameter index (like VC ID)
• So that a receiving node knows which encryption/authentication algorithm should be used to process a received packet
– IP destination address
– Security protocol identifier (e.g., AH or ESP)
Authentication Header Format
• The authentication data stores the message digest.
• The calculation of the digest covers:
– The IP header fields that either do not change (e.g., source IP address) or that are predictable upon arrival at the receiving node (e.g., destination IP address when source routing is used).
– The AH header itself.
– The entire IP data payload.
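Added example (not from the slides) of the digest coverage just described over a minimal IPv4 + AH packet: the fields a router rewrites in flight (TOS, flags/fragment offset, TTL, header checksum) are zeroed before hashing, the AH header is included with its own ICV field zeroed, and the whole payload is covered. The key, addresses and payload are constructed; the keyed hash used is HMAC-SHA-256 truncated to 128 bits, as the IPsec HMAC-SHA-256-128 transform does.

```python
import hashlib
import hmac
import struct

IPV4_FMT = "!BBHHHBBH4s4s"    # ver/IHL, TOS, total length, ID, flags+frag offset, TTL, proto, checksum, src, dst
AH_FMT = "!BBHII"             # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 16                  # HMAC-SHA-256 truncated to 128 bits
KEY = b"constructed-ah-demo-key"   # the per-SA key both endpoints hold (constructed)

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Routers rewrite TOS/ECN, flags+fragment offset, TTL and the checksum in flight, so they are
    zeroed before hashing; version/IHL, length, ID, protocol, source and destination are covered."""
    v_ihl, _tos, tlen, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, ip_hdr[:20])
    return struct.pack(IPV4_FMT, v_ihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_header(spi: int, seq: int, icv: bytes, next_hdr: int = 17) -> bytes:
    payload_len = (12 + len(icv)) // 4 - 2      # AH length in 32-bit words, minus 2
    return struct.pack(AH_FMT, next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """The digest covers the predictable IP header fields, the AH header with its own ICV field
    zeroed, and the entire payload: the three items the slide lists."""
    covered = zero_mutable_fields(ip_hdr) + ah_header(spi, seq, b"\0" * ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(key: bytes, src: bytes, dst: bytes, ttl: int, spi: int, seq: int, payload: bytes) -> bytes:
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = struct.pack(IPV4_FMT, 0x45, 0, total_len, 1, 0x4000, ttl, 51, 0, src, dst)   # proto 51 = AH
    return ip_hdr + ah_header(spi, seq, compute_icv(key, ip_hdr, spi, seq, payload)) + payload

def verify_packet(key: bytes, pkt: bytes) -> bool:
    ip_hdr, ah = pkt[:20], pkt[20:]
    _next, payload_len, _res, spi, seq = struct.unpack(AH_FMT, ah[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = ah[12:ah_len], ah[ah_len:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, spi, seq, payload))

def forward_hop(pkt: bytes) -> bytes:
    """Simulate one router hop: TTL decremented and the header checksum rewritten."""
    p = bytearray(pkt)
    p[8] -= 1
    p[10:12] = b"\xab\xcd"        # new checksum value; it sits outside the digest
    return bytes(p)

def demo() -> tuple[bool, bool, bool, bool]:
    """Verification result for: intact packet, after one hop, payload altered, source address changed."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])        # constructed private addresses
    pkt = build_packet(KEY, src, dst, 64, 0x1000, 1, b"constructed UDP payload")
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01
    spoofed = bytearray(pkt)
    spoofed[12:16] = bytes([192, 168, 1, 9])
    return (verify_packet(KEY, pkt), verify_packet(KEY, forward_hop(pkt)),
            verify_packet(KEY, bytes(tampered)), verify_packet(KEY, bytes(spoofed)))
```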
ESP (Encapsulating Security Payload) Header Format
Security Can be Enforced At Different Layers
• IPsec is a security mechanism at the network layer. When used, all traffic between two nodes needs to be authenticated or encrypted. (good for VPN)
– However, not all traffic is important.
– Authentication and encryption operations hurt packet forwarding performance a lot!
• Secure Socket Layer (SSL) is at the transport layer. We can use SSL to connect to a secure web server only when really needed.
• Also, we can do authentication/encryption at the application layer. That is, we can manually authenticate and encrypt a message and then send it on a normal TCP connection.
Tutorial Questions
1. Explain about FTAM services.
2. Discuss about DNS.
3. Explain about multimedia.
4. Discuss about WWW.
5. Explain about Domain Name System (DNS).
6. Explain about Multimedia. [8+8]
7. Write short notes on:
(a) World Wide Web.
(b) FTAM
(c) VTP.