the main notes chapter 0
8/6/2019 The Main Notes Chapter 0
Notes of Internet Security for B.Sc.(IT) 5th Semester
Chapter 0
Revision of part of the Data Communication and Networking syllabus, which is a prerequisite for Internet Security.
Chapter Index (Chapter 0: section, topic, page no.)
0.0 Introduction
0.1 Three-way handshake (p. 2)
0.2 Understanding the O.S.I. model at a glance (p. 5)
0.3 Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite (p. 6)
0.4 Attacks with reference to the OSI model (p. 7)
0.5 Node-to-node, host-to-host and process-to-process deliveries (p. 9)
0.6 Understanding the SSL layer (p. 10)
0.7 Position of the SSL layer in the TCP/IP suite (p. 11)
0.8 TCP header (p. 13)
0.9 What is connection oriented and what is connectionless? (p. 15)
0.10 TCP v/s UDP (p. 16)
0.11 (p. 17)
0.1 What is the three-way handshake? Why do you need four steps for connection termination? What do you understand by the terms half open and half closed?
Connection
TCP is a connection-oriented protocol. It establishes a virtual path between the source and destination. All the segments belonging to a message are then sent over this virtual path. Using a single virtual pathway for the entire message facilitates the acknowledgment process as well as retransmission of damaged or lost frames. In TCP, connection-oriented transmission requires two procedures:
1. Connection Establishment and 2. Connection Termination.
Connection Establishment
TCP transmits data in full-duplex mode. When two TCPs in two machines are connected, they are able to send segments to each other simultaneously. This implies that each party must initialize communication and get approval from the other party before any data transfer.
Four steps are needed to establish the connection, as discussed before. However, the second and third steps can be combined to create a three-step connection, called a three-way handshake, as shown in Figure.
The steps of the process are as follows:
1. The client sends the first segment, a SYN segment. The segment includes the source and destination port numbers. The destination port number clearly defines the server to which the client wants to be connected. The segment also contains the client initialization sequence number (ISN) used for numbering the bytes of data sent from the client to the server.
2. The server sends the second segment, a SYN and ACK segment. This segment has a dual purpose. First, it acknowledges the receipt of the first segment, using the ACK flag and acknowledgment number field. Note that the acknowledgment number is the client initialization sequence number plus 1 because no user data have been sent in segment 1. The server must also define the client window size. Second, the segment is used as the initialization segment for the server. It contains the initialization sequence number used to number the bytes sent from the server to the client.
3. The client sends the third segment. This is just an ACK segment. It acknowledges the receipt of the second segment, using the ACK flag and acknowledgment number field. Note that the acknowledgment number is the server initialization sequence number plus 1 because no user data have been sent in segment 2. The client must also define the server window size. Data can be sent with the third packet.
Connection Termination
Any of the two parties involved in exchanging data (client or server) can close the connection. When the connection in one direction is terminated, the other party can continue sending data in the other direction. Therefore, four steps are needed to close the connections in both directions, as shown in Figure.
The four steps are as follows:
1. The client TCP sends the first segment, a FIN segment.
2. The server TCP sends the second segment, an ACK segment, to confirm the receipt of the FIN segment from the client. Note that the acknowledgment number is 1 plus the sequence number received in the FIN segment because no user data have been sent in segment 1.
3. The server TCP can continue sending data in the server-client direction. When it does not have any more data to send, it sends the third segment. This segment is a FIN segment.
4. The client TCP sends the fourth segment, an ACK segment, to confirm the receipt of the FIN segment from the TCP server. Note that the acknowledgment number is 1 plus the sequence number received in the FIN segment from the server.
Connection Resetting
TCP may request the resetting of a connection. Resetting here means that the current connection is destroyed. This happens in one of three cases:
1. The TCP on one side has requested a connection to a nonexistent port. The TCP on the other side may send a segment with its RST (1) bit set to annul the request.
2. One TCP may want to abort the connection due to an abnormal situation. It can send an RST (1) segment to close the connection.
3. The TCP on one side may discover that the TCP on the other side has been idle for a long time. It may send an RST (1) segment to destroy the connection.
(Note: 1. What is RST? RST is one of the flags in the control field of a TCP segment indicating that the connection must be reset.)
When is TCP open, TCP half opened?
A three-step process is shown in Figure above. After the server receives the initial SYN packet, the connection is in a half-opened state. The server replies with its own sequence number, and awaits an acknowledgment, the third and final packet of a TCP open.
Attackers have gamed this half-open state. SYN attacks flood the server with the first packet only, hoping to swamp the host with half-open connections that will never be completed. In addition, the first part of this three-step process can be used to detect active TCP services without alerting the application programs,
which usually aren't informed of incoming connections until the three-packet handshake is complete.
The sequence numbers have another function. Because the initial sequence number for new connections changes constantly, it is possible for TCP to detect stale packets from previous incarnations of the same circuit (i.e., from previous uses of the same 4-tuple).
There is also a modest security benefit: a connection cannot be fully established until both sides have acknowledged the other's initial sequence number.
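As an added example (not part of these notes), the following Python model walks a server through the three-way handshake, the half-open state that a lone SYN leaves behind, and the four-step termination, checking the ISN + 1 acknowledgment numbers described above; the Segment and Server names, the client ids and the trace are all constructed for this example.

```python
from dataclasses import dataclass, field

SYN, ACK, FIN = "SYN", "ACK", "FIN"

@dataclass(frozen=True)
class Segment:
    src: str                 # constructed client id, stands in for source IP:port
    seq: int                 # sequence number
    ack: int = 0             # acknowledgment number, meaningful only with ACK
    flags: frozenset = frozenset()

@dataclass
class Server:
    isn: int                                        # server's initial sequence number
    half_open: dict = field(default_factory=dict)   # client -> client ISN: SYN seen, no ACK yet
    established: set = field(default_factory=set)
    closing: set = field(default_factory=set)       # client FIN seen; server may still send
    closed: set = field(default_factory=set)

    def handle(self, seg):
        """Process one client segment and return the server's reply, or None."""
        f = seg.flags
        if SYN in f and ACK not in f:
            # Handshake step 1: the connection is half-open until the ACK arrives.
            self.half_open[seg.src] = seg.seq
            # Step 2: SYN+ACK; ack = client ISN + 1 because a SYN consumes one number.
            return Segment(seg.src, self.isn, seg.seq + 1, frozenset({SYN, ACK}))
        if seg.src in self.half_open and ACK in f:
            # Step 3: only an ACK of our ISN + 1 completes this handshake.
            if seg.ack != self.isn + 1:
                return None
            del self.half_open[seg.src]
            self.established.add(seg.src)
            return None
        if seg.src in self.established and FIN in f:
            # Termination step 1 (client FIN) and step 2 (our ACK = FIN seq + 1).
            # Client->server is now closed; server->client stays open for data.
            self.established.discard(seg.src)
            self.closing.add(seg.src)
            return Segment(seg.src, self.isn + 1, seg.seq + 1, frozenset({ACK}))
        if seg.src in self.closing and ACK in f:
            # Termination step 4: the client acknowledged our FIN.
            self.closing.discard(seg.src)
            self.closed.add(seg.src)
        return None

    def send_fin(self, client):
        """Termination step 3: no more data to send, so the server sends its FIN."""
        return Segment(client, self.isn + 1, 0, frozenset({FIN}))

def run_full_connection(client="c1", client_isn=1000, server_isn=5000):
    """Constructed trace: three-way handshake, then four-step termination."""
    srv = Server(isn=server_isn)
    synack = srv.handle(Segment(client, client_isn, flags=frozenset({SYN})))
    srv.handle(Segment(client, client_isn + 1, synack.seq + 1, frozenset({ACK})))
    fin_ack = srv.handle(Segment(client, client_isn + 1, flags=frozenset({FIN})))
    srv_fin = srv.send_fin(client)
    srv.handle(Segment(client, client_isn + 2, srv_fin.seq + 1, frozenset({ACK})))
    return srv, synack, fin_ack

def syn_flood_suspected(server, threshold=100):
    """Defender's check: many never-completed half-open connections is the SYN-flood sign."""
    return len(server.half_open) >= threshold
```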
0.2 Understanding the OSI model at a glance:
0.3 Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite.
Differentiate between the O.S.I. protocol and the T.C.P./I.P. protocol.

Parameter: Expand the acronym
  O.S.I. Model: Open System Interconnect
  T.C.P./I.P.: Transmission Control Protocol / Internet Protocol
Parameter: No. of layers
  O.S.I. Model: 7
  T.C.P./I.P.: 4
Parameter: Diagram
  O.S.I. Model: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer
  T.C.P./I.P.: Application Layer, Transport Layer, Internet Layer, Host to Network
Parameter: Protocols
  O.S.I. Model: Good as a model. The protocols are not very popular.
  T.C.P./I.P.: The model is just a description of the protocols. Not so good as a model, but the protocols are more useful.
Parameter: Orientation
  O.S.I. Model: Both connection oriented and connectionless in the Network layer; only connection oriented in the Transport layer.
  T.C.P./I.P.: Only connectionless in the Network layer; supports both (connection oriented and connectionless) in the Transport layer.
Parameter: Services
  O.S.I. Model: OSI differentiates clearly between the specification and the implementations. O.S.I. made the distinction between the following concepts explicitly: 1. Services 2. Interface 3. Protocols
  T.C.P./I.P.: Does not clearly distinguish the concepts of service, interface and protocol.
Parameter: Suitability
  O.S.I. Model: More general protocols
  T.C.P./I.P.: Only for TCP/IP protocols; cannot describe Bluetooth.
Parameter: Physical layer
  O.S.I. Model: Data Link and Physical are separate.
  T.C.P./I.P.: Doesn't even mention these.
Parameter: Top layers merged
  O.S.I. Model: Separate Application, Presentation and Session layers.
  T.C.P./I.P.: TCP/IP does not have separate Session and Presentation layers; they are part of the Application layer.
0.4 Discuss the attacks with reference to the OSI model. Give details of protocols, controlling devices and attacks.

Layer: Application Layer
  Details of protocols: SMTP: Simple Mail Transfer Protocol (1); MIME (2); POP3: Post Office Protocol (3); IMAP (4); Instant Messaging (5); Email security protocols: 1. PEM (Privacy Enhanced Mail), 2. PGP (Pretty Good Privacy), 3. S/MIME (Secure MIME); HTTP: Hyper Text Transfer Protocol; HTML: Hyper Text Markup Language; FTP: File Transfer Protocol; TELNET (6): Remote Login; DNS (7): Domain Name System; SHTTP: Secure Hyper Text Transfer Protocol; LDAP (8): Lightweight Directory Access Protocol
  Controlling device: Application Gateway (Proxy Server); Applets and ActiveX: Java applets, signed applets, Java sandbox, Java security, Web browser cookies
  Attacks: Application level attacks: Interception; Fabrication (Denial of Service, DOS); Modification (Replay attacks); Interruption (Masquerade); stealing credit card information; changing the amount of a transaction; Spam; DNS spoofing
Layer: SSL Layer
  Details of protocols: Secure Socket Layer (9): 1. Handshake Protocol, 2. Record Protocol, 3. Alert Protocol
Layer: Transport Layer
  Details of protocols: TLS: Transport Layer Security (similar to SSL); TCP: Transmission Control Protocol; UDP: User Datagram Protocol; TFTP: Trivial File Transfer Protocol
  Controlling device: Packet Filter Gateway
  Attacks: Packet spoofing
Layer: IPSec
  Details of protocols: IPSec: AH: Authentication Header; ESP: Encapsulating Security Payload; IPSec key management; IP: Internet Protocol
  Controlling device: Packet Filter Gateway
  Attacks: IP address sniffing (snooping); Source routing attacks; IP sniffing; IP spoofing
Layer: Internet (Network) Layer
  Details of protocols: IP: Internet Protocol; ICMP; ARP; RARP
  Controlling device: Packet Filter Gateway
  Attacks: Network level attacks: IP address spoofing; Source routing attacks; from spamming to crashing software on the target host: killer ICMP packets, SYN packet attacks
Layer: Data Link Layer
  Attacks: Physical: inserting an RJ45 socket in your hub!
Layer: Physical Layer
  Attacks: Physical removal of a hard disk!

Footnotes:
1. You do not know for sure who sent the mail based on SMTP. You must use some higher-level mechanism if you need trust or privacy.
2. MIME too is potentially quite dangerous.
3. POP3 is simple but insecure.
4. IMAP is more secure than POP3, but complex.
5. Instant Messaging: various proprietary protocols (America Online, ICQ, Yahoo Messenger). False meeting places could be used to attract messaging traffic.
6. Most TELNET sessions come from untrusted machines.
7. A compromised DNS can wreak havoc.
8. More and more sites are using LDAP for supplying information about users.
9. SSL offers much better and safer facilities, but still no guarantee against negotiated SSL.
0.5 What do you understand by node-to-node, host-to-host and process-to-process deliveries?

OSI suite layer: 7. Application Layer
  TCP/IP suite layer: Application
  Type of delivery: ---
  Name of the data unit: APDU
  Devices in use: ---
  Protocols used in this layer: SMTP, FTP, TELNET, DNS, SNMP, TFTP
OSI suite layer: 6. Presentation Layer
  TCP/IP suite layer: (Application)
  Type of delivery: ---
  Name of the data unit: PPDU
  Devices in use: ---
OSI suite layer: 5. Session Layer
  TCP/IP suite layer: (Application)
  Type of delivery: ---
  Name of the data unit: SPDU
  Devices in use: ---
OSI suite layer: 4. Transport Layer
  TCP/IP suite layer: Transport Layer (TCP)
  Type of delivery: Process to process
  Name of the data unit: Segments
  Devices in use: Routers
  Protocols used in this layer: TCP / UDP
OSI suite layer: 3. Network Layer
  TCP/IP suite layer: Network (IP)
  Type of delivery: Host to host
  Name of the data unit: Packets
  Devices in use: Routers
  Protocols used in this layer: ICMP, IGMP, IP, ARP, RARP
OSI suite layer: 2. Data Link Layer
  TCP/IP suite layer: Host-to-network
  Type of delivery: Node to node
  Name of the data unit: Frames
  Devices in use: Bridges and switches
  Protocols used in this layer: Protocols defined by the underlying networks
OSI suite layer: 1. Physical Layer
  TCP/IP suite layer: (Host-to-network)
  Type of delivery: Electromagnetic or electro-optical signal
  Name of the data unit: Bit by bit
  Devices in use: Amplifier, Repeater, Hub
0.6 Understanding the SSL layer.
SECURE SOCKET LAYER (SSL)
Introduction:
[Figure: hosts X and Y running the TCP/IP suite (Application, Transport, Internet, Data Link, Physical) with an added SSL layer. At X the application layer's L5 data goes to the SSL layer, which adds its SSL header (SH); the transport layer adds H4 to the L5 data, the Internet layer adds H3 to the L4 data, the data link layer adds H2 to the L3 data, and the physical layer sends the bits (0101...) over the transmission medium. Y reverses the process.]
The typical TCP/IP suite has the structure shown in the figure on the right hand side. We need to secure communication between the Web browser and the Web server. We need one additional layer to be introduced. Where should that be?
The Secure Socket Layer (SSL) protocol is an Internet protocol for secure exchange of information between a Web browser and a Web server.
It provides two basic security services: authentication and confidentiality.
Logically, it provides a secure pipe between the Web browser and the Web server. Netscape Corporation developed SSL in 1994. Since then, SSL has become the world's most popular Web security mechanism. All the major Web browsers support SSL. SSL Version 3 was released in 1995.
0.7 The Position of SSL in the TCP/IP Protocol Suite
SSL can be conceptually considered as an additional layer in the TCP/IP protocol suite. The SSL layer is located between the application layer and the transport layer, as shown in Figure.
As such, the communication between the various TCP/IP protocol layers is now as shown in Fig. above.
As we can see, the application layer of the sending computer (X) prepares the data to be sent to the receiving computer (Y), as usual. However, unlike what happens in the normal case, the application layer data is not passed directly to the transport layer now. Instead, the application layer data is passed to the SSL layer.
Here, the SSL layer performs encryption on the data received from the application layer (which is indicated by a different color), and also adds its own encryption information header, called the SSL Header (SH), to the encrypted data.
[Figure: position of the S.S.L. layer in the TCP/IP suite: Application Layer, S.S.L. Layer, Transport Layer, Internet Layer, Data Link Layer.]
After this, the SSL layer data (L5) becomes the input for the transport layer. It adds its own header (H4), and passes it on to the Internet layer, and so on. This process happens exactly the way it happens in the case of a normal TCP/IP data transfer. Finally, when the data reaches the physical layer, it is sent in the form of voltage pulses across the transmission medium.
At the receiver's end, the process happens pretty similarly to how it happens in the case of a normal TCP/IP connection, until it reaches the new SSL layer. The SSL layer at the receiver's end removes the SSL Header (SH), decrypts the encrypted data, and gives the plain text data back to the application layer of the receiving computer.
Thus, only the application layer data is encrypted by SSL. The lower layer headers are not encrypted.
This is quite obvious: if SSL had to encrypt all the headers, it would have to be positioned below the data link layer. That would serve no purpose at all. In fact, it would lead to problems. If SSL encrypted all the lower layer headers, even the IP and physical addresses of the computers (sender, receiver, and intermediate nodes) would be encrypted, and become unreadable. Thus, where to deliver the packets would be a big question. To understand the problem, imagine what would happen if we put the address of the sender and the receiver of a letter inside the envelope! Clearly, the postal service would not know where to send the letter! This is also why there is no point in encrypting the lower layer headers.
Therefore, SSL is required between the application and the transport layers.
How does SSL work?
SSL has three sub-protocols, namely:
1. The Handshake Protocol,
2. The Record Protocol and
3. The Alert Protocol.
These three sub-protocols constitute the overall working of SSL.
0.8 The TCP header:
Segment
The unit of data transfer between two devices using TCP is a segment. The format of a segment is shown in Figure.
[Figure: TCP Header]
The segment consists of a 20-byte to 60-byte header, followed by data from the application program. The header is 20 bytes if there are no options and up to 60 bytes if it contains options. We will discuss some of the header fields in this section.
1. Source port address. This is a 16-bit field that defines the port number of the application program in the host that is sending the segment.
2. Destination port address. This is a 16-bit field that defines the port number of the application program in the host that is receiving the segment.
3. Sequence number. This 32-bit field defines the number assigned to the first byte of data contained in this segment. As we said before, TCP is a stream transport protocol. To ensure connectivity, each byte to be transmitted is numbered. The sequence number tells the destination which byte in this sequence comprises the first byte in the segment.
4. Acknowledgment number. This 32-bit field defines the byte number that the sender of the segment is expecting to receive from the other party. If the byte numbered x has been successfully received, x + 1 is the acknowledgment number.
5. Header length. This 4-bit field indicates the number of 4-byte words in the TCP header. The length of the header can be between 20 and 60 bytes. Therefore, the value of this field can be between 5 (5 x 4 = 20) and 15 (15 x 4 = 60).
6. Reserved. This is a 6-bit field reserved for future use.
7. Control. This field defines 6 different control bits or flags, as shown in the figure. One or more of these bits can be set at a time. These bits enable flow control.
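As an added example (not from these notes), the following Python code packs and parses the 20-byte TCP header laid out above: the two 16-bit ports, the 32-bit sequence and acknowledgment numbers, the 4-bit header length in 4-byte words, the 6 reserved bits and the 6 control flags, with the 20..60-byte length check. Function names and the sample header are this example's own, and the checksum is left at zero because computing it needs the IP pseudo-header, which the notes do not cover.

```python
import struct

# The 6 control bits, from the least significant bit of the 16-bit word upward.
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def parse_tcp_header(data):
    """Parse a raw TCP segment: fixed 20-byte header, options, then payload."""
    if len(data) < 20:
        raise ValueError("a TCP header needs at least 20 bytes")
    # ! = network byte order; H = 16-bit, I = 32-bit unsigned.
    sport, dport, seq, ack, hlen_res_flags, window, checksum, urgent = \
        struct.unpack("!HHIIHHHH", data[:20])
    header_len = (hlen_res_flags >> 12) * 4        # 4-bit field, counted in 4-byte words
    reserved = (hlen_res_flags >> 6) & 0x3F        # 6 reserved bits
    flag_word = hlen_res_flags & 0x3F              # 6 control bits
    if not 20 <= header_len <= 60:                 # field value must be 5..15
        raise ValueError("header length %d outside 20..60 bytes" % header_len)
    if len(data) < header_len:
        raise ValueError("segment truncated inside the options")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": reserved,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_word & bit},
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": data[20:header_len], "payload": data[header_len:],
    }

def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, options=b""):
    """Pack a header; options are padded to a 4-byte boundary (checksum left 0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    header_words = 5 + len(options) // 4
    if header_words > 15:
        raise ValueError("options exceed the 40-byte maximum")
    flag_word = sum(FLAG_BITS[f] for f in flags)
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        (header_words << 12) | flag_word, window, 0, 0)
    return fixed + options

# Constructed sample: a SYN with a 4-byte MSS option, as a client would send it.
SAMPLE_SYN = build_tcp_header(43210, 443, 1000, 0, {"SYN"}, options=b"\x02\x04\x05\xb4")
```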
[Figure: UDP Header]
0.9 What is connection oriented? What is connectionless?
What is connection oriented v/s connectionless delivery?

Parameter: Definition
  Connection oriented: A characteristic of a network system that requires a pair of computers to establish a connection before sending data. Example: telephone line
  Connectionless: A characteristic of a network system that allows a computer to send data to any other computer at any time without any prerequisite of a destination connection. Example: postal system
Parameter: PDU movement
  Connection oriented: Sequential
  Connectionless: Data is transmitted in such a way that each PDU is treated independently of all prior PDUs
Parameter: Three-way handshake
  Connection oriented: Connection establishment requires a three-way handshake
  Connectionless: Nothing of this sort
Parameter: Modus operandi
  Connection oriented: Three simple steps: connection establishment (agree on syntax, semantics and timing), data transfer, and connection termination
  Connectionless: Nothing of this sort
Parameter: Decision on path
  Connection oriented: Only at the beginning
  Connectionless: At every node
Parameter: Sequence
  Connection oriented: Keeps the sequence
  Connectionless: Can arrive out of sequence
Parameter: Example
  Connection oriented: TCP
  Connectionless: UDP
Parameter: Reliable
  Connection oriented: Reliable
  Connectionless: Unreliable
0.10 Distinguish between TCP and UDP.

Parameter: Common in both
  UDP and TCP are transport-layer protocols that create a process-to-process communication.
Parameter: Reliability
  TCP: Reliable
  UDP: UDP is an unreliable protocol
Parameter: Connection orientation
  TCP: Connection oriented
  UDP: Connectionless
Parameter: Overheads
  TCP: Considerable
  UDP: Little
Parameter: Speed
  TCP: Slower
  UDP: Faster
Parameter: Protocol data unit
  TCP: The TCP packet is called a segment.
  UDP: The UDP packet is called a user datagram.
Parameter: Expand the acronym
  TCP: Transmission Control Protocol
  UDP: User Datagram Protocol
Parameter: Flow control mechanism
  TCP: TCP uses a sliding window mechanism for flow control.
  UDP: UDP has no flow control mechanism at all.
Parameter: Error detection and correction mechanism
  TCP: Error detection is handled in TCP by the checksum, CRC, acknowledgment, and time-out.
  UDP: UDP has no error control mechanism at all: no acknowledgement, no guaranteed delivery, no sequence guarantee.
Parameter: Timers
  TCP: TCP uses four timers in its operation: retransmission, persistence, keep-alive, and time-wait.
  UDP: Nothing of this sort.
Parameter: Preference and use
  TCP: TCP is preferred and used for reliable, byte-stream delivery between processes.
  UDP: UDP is preferred and used for one-shot, client-server type request-reply queries (example: DNS), and where prompt delivery is more important than accurate delivery, such as transmitting speech or video.
Parameter: Headers and overheads
  TCP: The TCP header is much larger than the UDP header.
  UDP: The UDP header is much smaller than the TCP header.
Parameter: Example of application
  TCP: TELNET
  UDP: DNS
Parameter: Connection
  TCP: Required to have an explicit connection between the hosts: three-way handshake.
  UDP: No prior connection at all: it is connectionless.