Secure HTTP (S-HTTP)

An extension to the HTTP protocol to
support sending data securely over the web.
• Difference from SSL:
– SSL is designed to establish a secure connection
between two hosts.
– s-HTTP is designed to send individual messages

Some Features:
– Provides a variety of security mechanisms to HTTP
clients and servers.
– Does not require client-side public certificates (or
public keys), as it supports symmetric key-only
operation modes.
– Provides full flexibility of cryptographic algorithms.
• s-HTTP and HTTPS are not the same.
• HTTPS is an alternative to s-HTTP.
– HTTP runs on top of SSL or TSL.

What is a Penetration Test?

A process of actively evaluating the
information security measures in an
• Most common procedure:
– The security measures are actively analyzed for
design weaknesses, technical flaws and
– Results are delivered in a comprehensive report.

Ethical Hacking ….

Definition of ethical hacking
– A situation where a computer and network expert
attacks a security system on behalf of its owners,
seeking vulnerabilities that a malicious hacker
could exploit.
– To test a security system, ethical hacking uses
the same methods as their less principled
counterparts (hackers), but report problems
instead of taking advantage of them.
• Also called penetration testing.

Why is it Required?

There are several reasons why organizations
choose to perform a penetration test.
– To identify the threats facing the information
assets of the organization.
– Reduce the IT security costs by identifying and
resolving vulnerabilities and weaknesses.
– Provide the organization with information
– Gain and maintain certification to an industry
regulation (BS7789, HIPAA, etc.).

Secure Socket Layer (SSL)

SSL was first used by Netscape.
– To ensure security of data sent through HTTP,
• Uses TCP to provide reliable end-to-end
secure service.
• In general, SSL can be used for secure data
transfer for any network service running over

The main objectives of SSL are:
– Authenticate the client and server to each other.
– Ensure data integrity.
– Ensure data privacy.
• Required for both the protocol data and also
the application data.

SSL Architecture

SSL consists of two layers of protocols:
– SSL Record Protocol
• Ensures data security and integrity.
– Protocols required to establish SSL connection.
• Three protocols used in this layer:
SSL Handshake Protocol
SSL ChangeCipherSpec Protocol
SSL Alert Protocol

SSL Record Protocol

Mainly responsible for data encryption and
• Basic function:
– Take an application message to be sent.
– Fragment the application message data.
• 16 Kbytes or smaller.
– Encapsulate it with appropriate headers and
create an object called a record.
– Encrypt the record and forward it to TCP.

The Higher Layer Protocols

SSL Alert Protocol
– Used to send session messages associated with
data exchange and functioning of the protocol.
– Each message consists of two bytes:
• First byte is either 1 (warning) or 2 (fatal). If “fatal”, the
SSL session is terminated.
• Second byte contains one of the defined error codes.

SSL ChangeCipherSpec Protocol

Consists of a single message that carries the
value of 1.
– Purpose of this message is to cause the pending
session state to be established as a fixed state.
• Define the set of protocols to be used.
• Must be sent from client to server, and vice versa.

SSL Handshake Protocol

Used to initiate a session between the server and
the client.
– Within the application data, algorithms and keys
used for data encryption can be negotiated.
– Provides mutual authentication.
– Process of negotiation divided into four phases.

Client sends to the server
• SSL version
• Random (used to protect key exchange)
• Session ID
• CipherSuite
– Server sends back
• SSL version
• Random (a different number is generated)
• Session ID
• CipherSuite

Transport Layer Security (TLS)

Extension of SSL.
• Aim is to provide security and data integrity
features at the transport layer between two
web applications.
• Supported my most web servers and
browsers today.

Secure Shell (SSH)

Originally developed in 1995.
– As a secure replacement for telnet, rlogin, rcp,
– Allows port forwarding (tunneling over SSH)
– Built-in support for proxies/firewalls.
• Widely used nowadays.

In SSHv1 protocol, the server uses two keys:
– Long-term server identification key.
• Binds the connection to the server.
• 1024 bit RSA.
– Short-term encryption key, changed every hour.
• Makes later recovery impossible.
• Short-term keys are regenerated as a background task.
• 768 bit RSA.

Multiple authentication mechanisms
– Straight passwords (protected by SSH
– RSA based authentication.
• Client decrypts a challenge from the server; returns the
hash to the server.
– Plug-in mechanisms (biometrics, smartcard, etc.).

IP Security (IPSec)

Security built into the IP layer.
– Provides host-to-host (or firewall-to-firewall)
encryption and authentication.
– Required for IPv6, but optional for IPv4.
• Consists of two parts:
– IPSec proper (for encryption and authentication).
– IPSec key management.


Provides two modes of protection
– Tunnel Mode
– Transport Mode
• Authentication and Integrity
• Confidentiality
• Replay Protection

Private and Public Key Systems:

Symmetric encryption/decryption is much
faster than asymmetric encryption/
RSA: kilobits/second
DES: megabits/second

DES is about 100 times faster than RSA

Authentication Application::

Users wish to access services on servers.
• Three threats exist:
– User pretend to be another user.
– User alter the network address of a computer.
– User eavesdrop on exchanges and use a replay

Provides a centralized authentication server
(AS) to authenticate users to servers and
servers to users.
• Relies on conventional encryption.
– Makes no use of public-key encryption.
• Two versions: version 4 and 5.
• Version 4 makes use of DES.

Electronic Mail Security:: Pretty
Good Privacy (PGP)

PGP provides a confidentiality and
authentication service that can be used for
electronic mail and file storage applications.
• Why popular?
– It is availiable free on a variety of platforms.
– Based on well known algorithms.
– Wide range of applicability

Practical Encryption Algorithms

Data Encryption Standard (DES)
– Block size is 64 bits.
– Key is 56 bits.
– Block size is 64 bits.
– Key size is 128 bits.
• Advanced Encryption Standard (AES)
– Also known as Rijndael cryptosystem.
– Block size can be 128, 192, or 256 bits.
– Key size can be 128, 192, or 256 bits.

Block Encryption Algorithms

Data Encryption Standard (DES)
– The most widely used encryption scheme.
– Known as the Data Encryption Algorithm (DEA).
– It is a block cipher.
• The plaintext is 64-bits in length.
• The key is 56-bits in length.
• Longer plaintexts are processed in 64-bit blocks.


The overall processing at each iteration:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
• Concerns about:
– The algorithm and the key length (56-bits)
– Longer key lengths essential for critical


Three categories:
a) Encryption/decryption:
• The sender encrypts a message with the recipient’s
public key.
b) Digital signature / authentication:
• The sender signs a message with its private key.
c) Key exchange:
• Two sides cooperate to exhange a session key.


Computationally easy for a party B to
generate a key pair
– Public key KUB
– Private key KRB
• Easy for sender to generate ciphertext:
C = E (M, KUB)
• Easy for the receiver to decrypt ciphertext
using private key:
M = D (C, KRB) = D (E (M, KUB), KRB)

Computationally infeasible to determine
KRB knowing KUB.
• Computationally infeasible to recover
message M, knowing KUB and ciphertext C.
• Either of the two keys can be used for
encryption, with the other used for
M = D (E (M, KUB), KRB) = D (E (M, KRB), KUB)

The RSA Public Key Algorithm

RSA Algorithm
– Developed by Ron Rivest, Adi Shamir and Len
Adleman at MIT, in 1977.
– A block cipher.
– The most widely implemented.
ICDCN’06, IIT Guwahati
The RSA Algorithm – Key Generation
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer e
5. Calculate d
6. Public Key KU = {e,n}
7. Private key KR = {d,n}
Φ(n) = ( p −1)(q −1)
gcd(Φ(n),e) =1;1< e < Φ(n)
d = e−1 modΦ(n)
φ(n) is the number of positive numbers less than n
and relatively prime to n (called Euler totient).

The Security of RSA

RSA is secure since
– We use large number of bits in e and d.
– The problem of factoring n into two prime factors is
computationally very difficult.
• Knowing p and q will allow us to know Φ(n).
• This will help an intruder to know the values of e and d.
• Until recently, this was felt to be infeasible for numbers in the
range of 100 decimal digits or so (approximately 300 bits).
• A worldwide team cooperating over the internet and using
1600 computers recently cracked the code in eight months.
• Currently, a 1024-bit key size (about 300 decimal digits) is
considered strong enough for virtually all applications.
– Key sizes in the range of 1024 to 2048 bits seems safe.

Introduction to Wi-Fi Network

It is important to know
Nearer access point to you.
How to use it efficiently.
Firewall disable option.
Wireless radio on option.
On Demand option .
Data backup.

Radio Issues (Contd..)

Select Advanced Tab

Remove the Tick mark for 'Wireless Device Off'

Press OK

Check your Front Panel Dashboard WLAN LED status. It should glow for the Laptop to Transmit / Receive data.

Networking Components Needed for WLAN

Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
QoS Packet Scheduler
AEGIS Protocol (IEEE 802.1x) v
WLAN Transport
Internet Protocol (TCP/IP)

De-select all others

Troubleshooting with Commands

If the output shows Gateway as, your configuration is correct.
Otherwise, try the following commands:

C:\> ipconfig /release
if wrong/automatic IP address is released, it will display new IP address as
Repeat command till you get this new IP address

C:\> ipconfig /renew
It will get new IP address from DHCP server automatically. Check with 'ipconfig /all' command again to verify the gateway.

NAT: Sharing an IP Address

Network Address Translation…that indirection thing again
Some IP addresses are *not* globally unique; designated for local use/reuse
Host has local address “behind” the NAT device
NAT translates outgoing packet headers
Rewrites source IP address to be NAT’s IP address
Rewrites source port
Saves map of internal-external address/port mappings

NAT Example

Hypothetical example:
Source’s internal socket is IP, port 1341
Translated to IP (address assigned to customer by IAP) port 5280
Traffic from NAT device identifies translated address/port as source
NAT forwards traffic sent to it (IP with port 5280 to source host ( using port 1341

NAT Advantages and Disadvantages

Rest of Internet unaffected
Transparent: benefit of indirection
Internal addresses don’t need to be globally unique
Allows simultaneous use: benefit of local namespace
Multiple hosts can share one external IP address
E.g., useful for home networks
…but protocols that depend on IP address of host (e.g., early versions of Kerberos) get confused
Host says it has an internal IP address
Different (external) address used for routing

The End-to-End Principle

If function needs to be done as endpoint-to-endpoint service, don’t implement it link-to-link
More generally, if function will need to be (re)done at higher layer, don’t do it at lower layer
Examples in TCP/IP
Error detection
Guaranteed delivery of packets
Not encryption -- implemented at higher layer

The End-to-End Principle

If function needs to be done as endpoint-to-endpoint service, don’t implement it link-to-link
More generally, if function will need to be (re)done at higher layer, don’t do it at lower layer
Examples in TCP/IP
Error detection
Guaranteed delivery of packets
Not encryption -- implemented at higher layer

Why Fragment Messages?

If part of message is lost or garbled, you only have to resend the affected packet(s)
Store-and-forward delay is minimized
A can send packet 1 to B while receiving packet 2 from S
Not possible if whole message sent at once

TCP Protocol: Guaranteed Delivery

Error Detection on TCP Packets
Checksum detects if IP packet is corrupt
E.g., parity check: even or odd number of 1s in payload
If error detected, discard packet
Sender remembers packets it sent
Receiver ACKs each packet received
Clever optimization: piggyback ACK to data packet already flowing other direction
If ACK not received within a specified timeout interval, the sender resends packet
Receiver may get two copies!
Just ignore the second one

TCP Guaranteed Delivery Demo

Same as before, except
The sender will retransmit if ACK not received within the timeout interval
When packet reaches destination, receiver must acknowledge by telling the class the sequence number of the packet received
The TCP header includes error checking information.

Identifying A Connection: Another Use Of TCP Ports

Each side of a TCP connection is referred to as a socket, and can be identified by the IP address and port
A logical connection between a source and destination host is uniquely identified by the two sockets involved

TCP Congestion

If a router is overworked
Its queues fill up
It drops additional packets
Because TCP provides guaranteed delivery through ACK, the source clients resend the packets
Even more congestion

Flow Control

Similar to congestion, but not due to network interference
Destination host’s own traffic is too much
Destination unable to receive so fast
TCP flow control implementation is similar to solution for congestion control
Receiver can explicitly request lower send rate in ACKs

Summary of TCP/IP

Best-effort delivery to remote destination
Globally unique addresses
Routers forward to next hop
Message fragmentation and reassembly
Guaranteed delivery
Port numbers
Congestion and flow control

Commercial Provision of TCP/IP

Internet Access Providers (IAPs)
Customers connect computer or network to IAP (ISP)
IAP connects to rest of the Internet
Routes may involve intermediate transit carriers
Transit traffic = neither source nor destination address is a direct customer of the carrier
Interconnection between transit carriers
NAPs (multilateral peering between IAPs)
Paid interconnects (small providers to big ones that carry lots of transit traffic)
Usually flat rate based on maximum bitrate, not actual bitrate of transfers

TCP Services

TCP picks up where IP leaves off
Message fragmentation and reassembly
Packet sequence numbers
Guarantees delivery
Error detection
ACKs and retransmits
Maintains conversational context
Specifies process at destination
Port numbers in TCP packet header

Layered Headers

Each layer adds its own header to the message that it receives from the layer above
As far as the lower layer is concerned, the higher layers’ headers are just a part of the message to be delivered
The higher layers never see the lower layer headers because the lower layers remove them before passing the message up

Layered Headers In TCP/IP

The TCP layer fragments a message into packets, puts headers on the packets, and passes them to the IP layer
The IP layer adds its own header to each packet that it receives from TCP
The IP layer removes its header before passing the delivered packet back to the TCP layer
The TCP layer removes its headers and reassembles the message before passing the result back to the layer above

TCP Protocol: Message Fragmentation And Reassembly

TCP client at source divides message into packets
Each packet gets a sequence number
Stored in the header
TCP packet becomes payload of IP packet
TCP software at destination reassembles
If arrive out of order, use sequence number

TCP Fragmentation And Sequencing Demo

Same routing tables as on Thursday
Don’t forget to decrement HopLimit
New message takes several index cards
Each index card is a TCP fragment
The card is placed in a small envelope that has a TCP header
The small envelope is placed in a big envelope with an IP header

Transmission Control Protocol

How does the router know where to send an IP packet?
What’s in the packet? What’s in the router?
How does a destination host know what order a series of packets was sent in?
If we were to define a streaming audio protocol as a spanning layer…
Where would it have to run?
Could people use different media players to listen to audio streamed with this protocol?

Understand TCP and relationship to IP
Commercial Internet Provision
Network Address Translation
The End-to-End Principle

Transmission efficiency

Transmission efficiency = (useful data/total No bits transmitted)*100
For example for asynchronous transmission of 8-bit characters with one start and one stop bits, we have:
Transmission efficiency = (8/10)*100 = 80%
Let's consider now the synchronous transmission of a block of 480 8-bit characters, assuming 7 synchronisation characters, one start of block character, and one end of block character.
The total number of bits transmitted is 480*8 + 7*8 + 2*8 = 3912 bits. So, we have:
Transmission efficiency = (3840/3912)*100 = 98.16%
Effective Data Rate = (Transmission Efficiency/100)*Capacity

Interfacing (6) - Multiplexing

Another form of interfacing a number of DTEs located together to a resource like a central computer is Multiplexing.
Multiplexing is a data transmission function that permits two or more data sources to share a common transmission medium such that each data source has its own channel. This is achieved by the use of Multiplexers.
A Multiplexer is a communications device that enable a number of lower data rate devices, normally situated in the same location, to share a single higher data rate transmission line. The capacity of the latter must be in excess of the combined rates of the low rate devices.

Interfacing (8) - Protocols

A Protocol is the set of rules that regulate and control the communication between two or more entities.
The communication interfaces define the physical level protocol between communicating devices. They define:
Transmission mode
The connectors, and
Control to be used during communication.
In computer based communications a communication interface is accessed and controlled by software. This control software is normally called the interface/device controller/driver

What is understood by the term Communication?

The term communication is defined as the act of disseminating information. It presupposes that:

there is information to disseminate
the desire to disseminate exists
there is an agency to send/transmit information
there is a means of encoding information
there is a medium to carry the information
there is a recipient to receive the information
the recipient is capable of understanding the information received

Data Transfer Requirements (1)

Consider the internal work of The Little Man Computer when data is to be transferred from the calculator to a memory location (for example location 99). This transfer will require:

identifying the destination, i.e. getting its address (in this case 99)

advising it that data will be written into it

preparing the internal bus structure for data transfer

instructing the calculator when and how to send its data.

Data Transfer Requirements (2)

From this example, you will have noted that transferral of data requires:

a sender to send the message, in this case the calculator
addressing to identify the destination, in this case memory address 99
a transmission medium to allow data flow, in this case the Little Man Computer’s internal bus
a receiver to receive the message - the memory location addressed as 99
co-operation between sender and receiver.
to be error free
is compatible with the transmission medium
is in a format which can be used by the receiver
has been successfully received

Basic Elements of a Communication System

From the above discussion, in any communication between two entities we can
identify the following basic elements:

1. Sender
2. Receiver
3. Addressing - identifies where the Receiver is
4. Protocol - set of co-operation rules to achieve communication
5. Transmission code - “language” being used
6. Transmission rate - speed at which “what is being communicated” is being sent
7. Transmission synchronisation - how to recognise what is being communicated
8. Transmission medium
9. Error detection and correction
10. Transmission efficiency - how much of what is being sent is useful to the receiver

Data Transmission Fundamentals - Some Terminology

Data transmission between sender and receiver occurs over some transmission medium.
Transmission may be simplex, half-duplex, or full-duplex
Transmission media may be classified as guided or unguided. In both cases communications is in the form of electromagnetic waves.
The term direct link, also known as data link, is used to refer to a transmission path in which signals propagate directly from transmitter (sender) to receiver with no intermediate devices, other than amplifiers or repeaters used to increase signal strength.
A guided transmission medium is point-to-point if it provides a direct link between two devices, and those are the only two devices sharing the medium.
In a multipoint guided configuration, more than two devices share the same medium.

Signalling Technologies

Baseband is the transmission of digital signals without modulation. In a baseband communication network, digital signals (0s and 1s) are put onto the medium as voltage pulses. The entire bandwidth is consumed by the signal.
Broadband uses coaxial cable to provide data transfer by means of analogue signals. The bandwidth is divided in different frequency bands or channels. In a broadband communication network involving computers, digital signals are passed onto the medium through a modem and transmitted over one of the channels. So, several different communication networks can be implemented over the same medium.
Analogue transmission is used to mean the transmission of analogue signals without regard to their content.
Digital transmission, on the other hand, is used to mean the content of the signal.