
Notes of Internet Security for B.Sc. (IT) 5th Semester

Chapter 0: Revision of the part of the Data Communication and Networking syllabus that is a prerequisite for Internet Security.

Chapter Index (section, topic, page no.)

0.0  Introduction
0.1  Three-way handshake (page 2)
0.2  Understanding the O.S.I. model at a glance (page 5)
0.3  Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite (page 6)
0.4  Attacks with reference to the OSI model (page 7)
0.5  Node-to-Node, Host-to-Host and Process-to-Process deliveries (page 9)
0.6  Understanding the SSL layer (page 10)
0.7  Position of the SSL layer in the TCP/IP suite (page 11)
0.8  TCP header (page 13)
0.9  What is connection oriented and what is connectionless? (page 15)
0.10 TCP v/s UDP (page 16)
0.11 (no topic given in the index) (page 17)

Page 1 of 16


Chapter 0

Revision of the part of the Data Communication and Networking syllabus that is a prerequisite for Internet Security.

0.1 What is the three-way handshake? Why do you need four steps for connection termination? What do you understand by the terms half-open and half-closed?

Connection

TCP is a connection-oriented protocol. It establishes a virtual path between the source and destination. All the segments belonging to a message are then sent over this virtual path. Using a single virtual pathway for the entire message facilitates the acknowledgment process as well as the retransmission of damaged or lost frames. In TCP, connection-oriented transmission requires two procedures:

1. Connection establishment, and
2. Connection termination.

Connection Establishment

TCP transmits data in full-duplex mode. When two TCPs in two machines are connected, they are able to send segments to each other simultaneously. This implies that each party must initialize communication and get approval from the other party before any data transfer. Four steps are needed to establish the connection, as discussed before. However, the second and third steps can be combined to create a three-step connection, called a three-way handshake, as shown in the figure.


The steps of the process are as follows:

1. The client sends the first segment, a SYN segment. The segment includes the source and destination port numbers. The destination port number clearly defines the server to which the client wants to be connected. The segment also contains the client initialization sequence number (ISN), used for numbering the bytes of data sent from the client to the server.

2. The server sends the second segment, a SYN and ACK segment. This segment has a dual purpose. First, it acknowledges the receipt of the first segment, using the ACK flag and the acknowledgment number field. Note that the acknowledgment number is the client initialization sequence number plus 1, because no user data have been sent in segment 1. The server must also define the client window size. Second, the segment is used as the initialization segment for the server. It contains the initialization sequence number used to number the bytes sent from the server to the client.

3. The client sends the third segment. This is just an ACK segment. It acknowledges the receipt of the second segment, using the ACK flag and the acknowledgment number field. Note that the acknowledgment number is the server initialization sequence number plus 1, because no user data have been sent in segment 2. The client must also define the server window size. Data can be sent with the third packet.

Connection Termination

Either of the two parties involved in exchanging data (client or server) can close the connection. When the connection in one direction is terminated, the other party can continue sending data in the other direction. Therefore, four steps are needed to close the connections in both directions, as shown in the figure.
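The handshake steps just listed, together with the four-step close and the half-open state that this section goes on to describe, modelled in Python. This is an added example, not code from the notes: it uses no real sockets, the initial sequence numbers and the 4-tuples are constructed, and the server refuses to move a connection out of the half-open state unless the third segment's acknowledgment number equals its own ISN + 1, which is the arithmetic the text gives. The count of outstanding half-open connections is the defender's indicator of a SYN flood: many first segments that are never followed by the third.

```python
"""Toy model of the TCP three-way handshake and four-step close.

Added example (not from the notes). No sockets are used; every sequence
number below is constructed so the arithmetic in the text can be checked.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# A connection is identified by its 4-tuple: (src ip, src port, dst ip, dst port).
FourTuple = Tuple[str, int, str, int]


@dataclass
class Conn:
    state: str          # SYN_RECEIVED (half-open), ESTABLISHED, CLOSE_WAIT (half-closed), LAST_ACK, CLOSED
    client_isn: int
    server_isn: int
    server_seq: int     # next byte number the server will send


class Server:
    """A simplified TCP server side that tracks per-connection state."""

    def __init__(self, server_isn: int, half_open_limit: int = 3) -> None:
        self.server_isn = server_isn
        self.half_open_limit = half_open_limit
        self.conns: Dict[FourTuple, Conn] = {}

    # --- connection establishment -------------------------------------
    def on_syn(self, key: FourTuple, client_isn: int) -> dict:
        """Step 1 -> step 2: record the half-open connection and answer SYN+ACK.
        ack = client ISN + 1 because segment 1 carried no user data."""
        self.conns[key] = Conn("SYN_RECEIVED", client_isn, self.server_isn, self.server_isn + 1)
        return {"flags": ("SYN", "ACK"), "seq": self.server_isn, "ack": client_isn + 1}

    def on_ack(self, key: FourTuple, ack: int) -> bool:
        """Step 3: only an ACK carrying server ISN + 1 completes the open."""
        conn = self.conns.get(key)
        if conn is None or conn.state != "SYN_RECEIVED":
            return False
        if ack != conn.server_isn + 1:
            return False            # stale or forged ACK: the connection stays half-open
        conn.state = "ESTABLISHED"
        return True

    # --- connection termination ---------------------------------------
    def on_fin(self, key: FourTuple, fin_seq: int) -> dict:
        """Close steps 1 -> 2: ACK the client's FIN with fin_seq + 1. The
        connection is now half-closed; the server may still send data."""
        conn = self.conns[key]
        conn.state = "CLOSE_WAIT"
        return {"flags": ("ACK",), "ack": fin_seq + 1}

    def send_fin(self, key: FourTuple) -> dict:
        """Close step 3: the server has no more data and sends its own FIN."""
        conn = self.conns[key]
        conn.state = "LAST_ACK"
        return {"flags": ("FIN",), "seq": conn.server_seq}

    def on_final_ack(self, key: FourTuple, ack: int) -> bool:
        """Close step 4: the client's ACK must carry the server's FIN seq + 1."""
        conn = self.conns[key]
        if conn.state != "LAST_ACK" or ack != conn.server_seq + 1:
            return False
        conn.state = "CLOSED"
        return True

    # --- defender's view ----------------------------------------------
    def half_open_count(self) -> int:
        return sum(1 for c in self.conns.values() if c.state == "SYN_RECEIVED")

    def syn_flood_suspected(self) -> bool:
        """Many never-completed handshakes are the signature of a SYN flood."""
        return self.half_open_count() > self.half_open_limit


def full_exchange(client_isn: int = 4000, server_isn: int = 9000) -> Conn:
    """Walk one constructed connection through open and close; return its record."""
    server = Server(server_isn)
    key = ("10.0.0.5", 51000, "10.0.0.1", 80)           # constructed 4-tuple
    syn_ack = server.on_syn(key, client_isn)            # step 2 of the open
    server.on_ack(key, syn_ack["seq"] + 1)              # step 3 of the open
    server.on_fin(key, client_isn + 1)                  # client FIN; SYN consumed one number, no data sent
    fin = server.send_fin(key)                          # server FIN
    server.on_final_ack(key, fin["seq"] + 1)            # client's final ACK
    return server.conns[key]


def flood_scenario(n_syns: int = 5) -> Server:
    """n first segments from different source ports, none ever acknowledged."""
    server = Server(server_isn=1)
    for port in range(40000, 40000 + n_syns):
        server.on_syn(("198.51.100.7", port, "10.0.0.1", 80), client_isn=100 + port)
    return server
```

Run `full_exchange()` to see a connection end in CLOSED after all four termination segments; `flood_scenario(5).syn_flood_suspected()` shows how a plain count of SYN_RECEIVED entries exposes the half-open swamp the text warns about.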


The four steps are as follows:

1. The client TCP sends the first segment, a FIN segment.

2. The server TCP sends the second segment, an ACK segment, to confirm the receipt of the FIN segment from the client. Note that the acknowledgment number is 1 plus the sequence number received in the FIN segment, because no user data have been sent in segment 1.

3. The server TCP can continue sending data in the server-client direction. When it does not have any more data to send, it sends the third segment. This segment is a FIN segment.

4. The client TCP sends the fourth segment, an ACK segment, to confirm the receipt of the FIN segment from the server TCP. Note that the acknowledgment number is 1 plus the sequence number received in the FIN segment from the server.

Connection Resetting

TCP may request the resetting of a connection. Resetting here means that the current connection is destroyed. This happens in one of three cases:

1. The TCP on one side has requested a connection to a nonexistent port. The TCP on the other side may send a segment with its RST bit (see note 1) set to annul the request.

2. One TCP may want to abort the connection due to an abnormal situation. It can send an RST segment to close the connection.

3. The TCP on one side may discover that the TCP on the other side has been idle for a long time. It may send an RST segment to destroy the connection.

(Note 1. What is RST? RST is one of the flags in the control field of a TCP segment, indicating that the connection must be reset.)

When is TCP open, and when is TCP half-open?

A three-step process is shown in the figure above. After the server receives the initial SYN packet, the connection is in a half-opened state. The server replies with its own sequence number and awaits an acknowledgment, the third and final packet of a TCP open. Attackers have gamed this half-open state. SYN attacks flood the server with the first packet only, hoping to swamp the host with half-open connections that will never be completed. In addition, the first part of this three-step process can be used to detect active TCP services without alerting the application programs, which usually aren't informed of incoming connections until the three-packet handshake is complete.

The sequence numbers have another function. Because the initial sequence number for new connections changes constantly, it is possible for TCP to detect stale packets from previous incarnations of the same circuit (i.e., from previous uses of the same 4-tuple). There is also a modest security benefit: a connection cannot be fully established until both sides have acknowledged the other's initial sequence number.

0.2 Understanding the OSI model at a glance


0.3 Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite.

Parameter: Expand the acronym
  O.S.I.:      Open System Interconnect
  T.C.P./I.P.: Transmission Control Protocol / Internet Protocol

Parameter: No. of layers
  O.S.I.:      7
  T.C.P./I.P.: 4

Parameter: Diagram
  O.S.I.:      Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data Link Layer, Physical Layer
  T.C.P./I.P.: Application Layer, Transport Layer, Internet Layer, Host-to-Network Layer

Parameter: Protocols
  O.S.I.:      Good as a model. The protocols are not very popular.
  T.C.P./I.P.: The model is just a description of the protocols. Not so good as a model, but the protocols are more useful.

Parameter: Orientation
  O.S.I.:      Both connection-oriented and connectionless in the Network Layer. Supports both (connection-oriented and connectionless) in the Transport Layer.
  T.C.P./I.P.: Only connectionless in the Network Layer. Only connection-oriented in the Transport Layer.

Parameter: Services
  O.S.I.:      OSI differentiates clearly between the concepts of service, interface and protocol. O.S.I. made the distinction between the following concepts explicit: 1. Services, 2. Interface, 3. Protocols.
  T.C.P./I.P.: Does not clearly distinguish the specification from the implementations.

Parameter: Suitability
  O.S.I.:      More general protocols.
  T.C.P./I.P.: Only for TCP/IP protocols. Cannot describe Bluetooth.

Parameter: Physical layer
  O.S.I.:      Data Link and Physical are separate.
  T.C.P./I.P.: Doesn't even mention these.

Parameter: Top layers
  O.S.I.:      Separate Application, Presentation and Session layers.
  T.C.P./I.P.: TCP/IP does not have separate Session and Presentation Layers; they are merged into the Application Layer.

0.4 Discuss the attacks with reference to the OSI model. Give details of protocols, controlling devices and attacks.

Layer: Application Layer
  Details of protocols:
    SMTP: Simple Mail Transfer Protocol (1)
    MIME (2)
    POP3: Post Office Protocol (3)
    IMAP (4)
    Instant Messaging (5)
    Email security protocols: 1. PEM (Privacy Enhanced Mail), 2. PGP (Pretty Good Privacy), 3. S/MIME (Secure MIME)
    HTTP: Hyper Text Transfer Protocol
    HTML: Hyper Text Markup Language
    FTP: File Transfer Protocol
    TELNET: Remote Login (6)
    DNS: Domain Name System (7)
    SHTTP: Secure Hyper Text Transfer Protocol
    LDAP: Light Weight Directory Access Protocol (8)
  Controlling device: Application Gateway (Proxy Server); Applets and ActiveX; Java applets; Signed applets; Java sandbox; Java security; Web browser cookies
  Attacks: Application level attacks: Interception, Fabrication (Denial of Service, DoS), Modification (Replay attacks), Interruption (Masquerade); Steal credit card information; Change the amount of a transaction; Spam; DNS spoofing

Layer: SSL Layer
  Details of protocols:
    Secure Socket Layer (9): 1. Handshake Protocol, 2. Record Protocol, 3. Alert Protocol
    TLS: Transport Layer Security (similar to SSL)

Layer: Transport Layer
  Details of protocols: TCP: Transmission Control Protocol; UDP: User Datagram Protocol; TFTP: Trivial File Transfer Protocol
  Controlling device: Packet Filter Gateway
  Attacks: Packet spoofing; SYN packet attacks

Layer: IPSec
  Details of protocols: AH: Authentication Header; ESP: Encapsulating Security Payload; IPSec Key Management
  Controlling device: IPSec

Layer: Internet (Network) Layer
  Details of protocols: IP: Internet Protocol; ICMP; ARP; RARP
  Controlling device: Packet Filter Gateway
  Attacks: Network level attacks: IP address spoofing, Source Routing attacks; IP address sniffing (snooping); IP sniffing; Killer and ICMP packets; From spamming to the crash of software on the target host

Layer: Data Link and Physical Layer
  Attacks: Physically inserting an RJ45 socket in your hub! Physical removal of a hard disk!

Footnotes:
1. You do not know for sure who sent the mail based on SMTP. You must use some higher-level mechanism if you need trust or privacy.
2. MIME too is potentially quite dangerous.
3. POP3 is simple but insecure.
4. IMAP is more secure than POP3, but complex.
5. Instant Messaging: various proprietary protocols (America Online, ICQ, Yahoo Messenger). False meeting places could be used to attract messaging traffic.
6. Most TELNET sessions come from untrusted machines.
7. A compromised DNS can wreak havoc.
8. More and more sites are using LDAP for supplying information about users.
9. SSL offers much better and safer facilities, but still no guarantee against negotiated SSL.

0.5 What do you understand by Node-to-Node, Host-to-Host and Process-to-Process deliveries?

OSI suite layers 7 (Application), 6 (Presentation), 5 (Session)
  TCP/IP suite layer:           Application
  Type of delivery:             --
  Name of the data unit:        APDU, PPDU, SPDU
  Devices in use:               ------
  Protocols used in this layer: SMTP, FTP, TELNET, DNS, SNMP, TFTP

OSI suite layer 4 (Transport)
  TCP/IP suite layer:           Transport Layer (TCP)
  Type of delivery:             Process to process
  Name of the data unit:        Segments
  Devices in use:               ------
  Protocols used in this layer: TCP / UDP

OSI suite layer 3 (Network)
  TCP/IP suite layer:           Network (IP)
  Type of delivery:             Host to host
  Name of the data unit:        Packets
  Devices in use:               Routers
  Protocols used in this layer: ICMP, IGMP, IP, ARP, RARP

OSI suite layer 2 (Data Link)
  TCP/IP suite layer:           Host-to-network
  Type of delivery:             Node to node
  Name of the data unit:        Frames
  Devices in use:               Bridges and switches
  Protocols used in this layer: Protocols defined by the underlying networks

OSI suite layer 1 (Physical)
  TCP/IP suite layer:           Host-to-network
  Type of delivery:             Electromagnetic or electro-optical signal
  Name of the data unit:        Bit by bit
  Devices in use:               Amplifier, Repeater, Hub
  Protocols used in this layer: Protocols defined by the underlying networks

0.6 Understanding the SSL Layer

(Figure: the TCP/IP stack with SSL inserted, Application / SSL / Transport / Internet / Data Link / Physical / Transmission medium, and the encapsulation at each layer: L5 data; SH + L5 data; H4 + L4 data; H3 + L3 data; H2 + L2 data; the bit stream 010101010100010101010010 on the medium; the same steps in reverse at the receiver.)

SECURE SOCKET LAYER (SSL)

Introduction: The typical TCP/IP suite has the structure shown in the figure on the right-hand side (Application Layer, Transport Layer, Internet Layer, Data Link Layer). We need to secure communication between the Web browser and the Web server. We need one additional layer to be introduced. Where should that be?

The Secure Socket Layer (SSL) protocol is an Internet protocol for secure exchange of information between a Web browser and a Web server. It provides two basic security services: authentication and confidentiality. Logically, it provides a secure pipe between the Web browser and the Web server. Netscape Corporation developed SSL in 1994. Since then, SSL has become the world's most popular Web security mechanism. All the major Web browsers support SSL. SSL Version 3 was released in 1995.

0.7 The Position of SSL in the TCP/IP Protocol Suite

(Figure: Application Layer, S.S.L. Layer, Transport Layer, Internet Layer, Data Link Layer.)

SSL can be conceptually considered as an additional layer in the TCP/IP protocol suite. The SSL layer is located between the application layer and the transport layer, as shown in the figure. As such, the communication between the various TCP/IP protocol layers is now as shown in the figure above. As we can see, the application layer of the sending computer (X) prepares the data to be sent to the receiving computer (Y), as usual. However, unlike what happens in the normal case, the application layer data is not passed directly to the transport layer now. Instead, the application layer data is passed to the SSL layer. Here, the SSL layer performs encryption on the data received from the application layer (which is indicated by a different color), and also adds its own encryption information header, called the SSL Header (SH), to the encrypted data.

After this, the SSL layer data (L5) becomes the input for the transport layer. It adds its own header (H4), and passes it on to the Internet layer, and so on. This process happens exactly the way it happens in the case of a normal TCP/IP data transfer. Finally, when the data reaches the physical layer, it is sent in the form of voltage pulses across the transmission medium.

At the receiver's end, the process happens pretty similar to how it happens in the case of a normal TCP/IP connection, until it reaches the new SSL layer. The SSL layer at the receiver's end removes the SSL Header (SH), decrypts the encrypted data, and gives the plain text data back to the application layer of the receiving computer.

Thus, only the application layer data is encrypted by SSL. The lower layer headers are not encrypted. This is quite obvious: if SSL had to encrypt all the headers, it would have to be positioned below the data link layer. That would serve no purpose at all. In fact, it would lead to problems. If SSL encrypted all the lower layer headers, even the IP and physical addresses of the computers (sender, receiver, and intermediate nodes) would be encrypted, and become unreadable. Thus, where to deliver the packets would be a big question. To understand the problem, imagine what would happen if we put the address of the sender and the receiver of a letter inside the envelope! Clearly, the postal service would not know where to send the letter! This is also why there is no point in encrypting the lower layer headers. Therefore, SSL is required between the application and the transport layers.

How does SSL work?

SSL has three sub-protocols, namely:
1. The Handshake Protocol,
2. The Record Protocol, and
3. The Alert Protocol.

These three sub-protocols constitute the overall working of SSL.
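The encapsulation described in sections 0.6 and 0.7, modelled in Python so the consequence of SSL's position can be checked directly: only the application data (L5) is transformed, while SH, H4, H3 and H2 remain readable to every node on the path. This is an added example, not code from the notes. The "cipher" is a deliberately simple SHA-256-based XOR stream constructed here so the example runs offline; it stands in for SSL's record protection and is not a real cipher. The addresses, ports and session key are constructed values.

```python
"""Toy model of the SSL-layer encapsulation from sections 0.6 and 0.7.

Added example (not from the notes). Only L5 is encrypted; the headers
stay in the clear so routing still works. The XOR stream below is a
teaching stand-in for SSL's record protection, not a real cipher.
"""
import hashlib
from typing import Any, Dict


def toy_keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy; illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def send(app_data: bytes, key: bytes, src_ip: str, dst_ip: str,
         src_port: int, dst_port: int) -> Dict[str, Any]:
    """Sender X: application -> SSL -> transport -> internet -> data link."""
    # SSL layer: encrypt the application data and prepend the SSL header (SH).
    ssl_record = {"SH": {"version": "toy-ssl", "length": len(app_data)},
                  "L5": toy_xor(key, app_data)}
    # Transport layer adds H4, internet layer adds H3, data link adds H2.
    segment = {"H4": {"src_port": src_port, "dst_port": dst_port}, "L4": ssl_record}
    packet = {"H3": {"src_ip": src_ip, "dst_ip": dst_ip}, "L3": segment}
    frame = {"H2": {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02"},  # constructed
             "L2": packet}
    return frame


def next_hop_destination(frame: Dict[str, Any]) -> str:
    """An intermediate router reads H3 without any key: headers are in the clear."""
    return frame["L2"]["H3"]["dst_ip"]


def receive(frame: Dict[str, Any], key: bytes) -> bytes:
    """Receiver Y: strip H2, H3, H4, then remove SH and decrypt L5."""
    record = frame["L2"]["L3"]["L4"]
    plain = toy_xor(key, record["L5"])
    if len(plain) != record["SH"]["length"]:
        raise ValueError("SSL record length mismatch")
    return plain


def payload_visible_on_wire(frame: Dict[str, Any], app_data: bytes) -> bool:
    """What a passive observer sees: does the plaintext appear in the L5 bytes?"""
    return app_data in frame["L2"]["L3"]["L4"]["L5"]
```

`send()` builds the frame exactly in the order the text gives (SH first, then H4, H3, H2); `next_hop_destination()` shows why the lower headers must stay unencrypted, and `receive()` is the receiver-side reversal that hands plain text back to the application layer.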


0.8 The TCP header

Segment

The unit of data transfer between two devices using TCP is a segment. The format of a segment is shown in the figure.

TCP Header

The segment consists of a 20-byte to 60-byte header, followed by data from the application program. The header is 20 bytes if there are no options and up to 60 bytes if it contains options. We will discuss some of the header fields in this section.

1. Source port address. This is a 16-bit field that defines the port number of the application program in the host that is sending the segment.

2. Destination port address. This is a 16-bit field that defines the port number of the application program in the host that is receiving the segment.

3. Sequence number. This 32-bit field defines the number assigned to the first byte of data contained in this segment. As we said before, TCP is a stream transport protocol. To ensure connectivity, each byte to be transmitted is numbered. The sequence number tells the destination which byte in this sequence comprises the first byte in the segment.

4. Acknowledgment number. This 32-bit field defines the byte number that the sender of the segment is expecting to receive from the other party. If the byte numbered x has been successfully received, x + 1 is the acknowledgment number.

5. Header length. This 4-bit field indicates the number of 4-byte words in the TCP header. The length of the header can be between 20 and 60 bytes. Therefore, the value of this field can be between 5 (5 x 4 = 20) and 15 (15 x 4 = 60).

6. Reserved. This is a 6-bit field reserved for future use.

7. Control. This field defines 6 different control bits or flags, as shown in the figure. One or more of these bits can be set at a time. These bits enable flow control.
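The header fields 1 to 7 above, parsed from real segment bytes in Python. This is an added example, not code from the notes: the sample segments are constructed with the builder in the block, the checksum is left at zero because no IP pseudo-header is involved, and the parser enforces the header-length rule the text states (field value 5 to 15, i.e. 20 to 60 bytes), rejecting a segment whose header-length field is out of range or whose options run past the end of the data.

```python
"""Parse and build the TCP header described in section 0.8.

Added example (not from the notes). Sample segments are constructed;
the checksum field is left at zero (no IP pseudo-header here).
"""
import struct
from typing import Any, Dict, Iterable, List

HEADER_FMT = "!HHIIHHHH"   # ports, seq, ack, offset/reserved/flags, window, checksum, urgent
# The 6 control bits, from bit 5 down to bit 0 of the 16-bit offset/flags word.
FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def flags_to_names(bits: int) -> List[str]:
    return [name for i, name in enumerate(FLAG_NAMES) if bits & (1 << (5 - i))]


def names_to_flags(names: Iterable[str]) -> int:
    bits = 0
    for name in names:
        bits |= 1 << (5 - FLAG_NAMES.index(name))
    return bits


def build_tcp_segment(src_port: int, dst_port: int, seq: int, ack: int, flags: Iterable[str],
                      window: int = 65535, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a segment. Options are padded to a multiple of 4 bytes because
    the header-length field counts 4-byte words."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    header_len = 20 + len(options)
    if header_len > 60:
        raise ValueError("TCP header cannot exceed 60 bytes")
    data_offset = header_len // 4                      # 5..15
    off_flags = (data_offset << 12) | names_to_flags(flags)
    fixed = struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, off_flags, window, 0, 0)
    return fixed + options + payload


def parse_tcp_segment(segment: bytes) -> Dict[str, Any]:
    """Decode fields 1-7 from the text, plus window, options and payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    src_port, dst_port, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        HEADER_FMT, segment[:20])
    data_offset = off_flags >> 12                      # field 5: header length in 4-byte words
    if not 5 <= data_offset <= 15:
        raise ValueError(f"invalid header length field {data_offset}; must be 5..15")
    header_len = data_offset * 4
    if len(segment) < header_len:
        raise ValueError("segment truncated before the end of the options")
    reserved = (off_flags >> 6) & 0x3F                 # field 6: 6 reserved bits
    flags = flags_to_names(off_flags & 0x3F)           # field 7: 6 control bits
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": reserved, "flags": flags,
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def is_well_formed(segment: bytes) -> bool:
    """True when the header parses and its length field is consistent."""
    try:
        parse_tcp_segment(segment)
        return True
    except ValueError:
        return False


def syn_ack_example() -> Dict[str, Any]:
    """Constructed step-2 segment: server ISN 9000 acknowledging client ISN 4000 (ack = 4001)."""
    mss_option = b"\x02\x04\x05\xb4"                   # MSS option: kind 2, length 4, value 1460
    seg = build_tcp_segment(443, 51000, 9000, 4001, ["SYN", "ACK"], options=mss_option)
    return parse_tcp_segment(seg)
```

`syn_ack_example()` returns a 24-byte header (header-length field 6) carrying SYN and ACK with ack = ISN + 1, tying this section back to the handshake arithmetic of section 0.1; feeding `is_well_formed()` a segment whose header-length field has been lowered to 4 shows the range check rejecting it.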

UDP Header (figure)

0.9 What is connection oriented? What is connectionless? Connection-oriented v/s connectionless deliveries

Parameter: Definition
  Connection oriented: A characteristic of a network system that requires a pair of computers to establish a connection before sending data.
  Connectionless:      A characteristic of a network system that allows a computer to send data to any other computer at any time without any prerequisite of a destination connection.

Parameter: Example
  Connection oriented: Telephone line
  Connectionless:      Postal system

Parameter: PDU movement
  Connection oriented: Sequential
  Connectionless:      Data is transmitted in such a way that each PDU is treated independently of all prior PDUs.

Parameter: Three-way handshake
  Connection oriented: Connection establishment requires a three-way handshake.
  Connectionless:      Nothing of this sort.

Parameter: Modus operandi
  Connection oriented: Three simple steps: connection establishment (agree on syntax, semantics and timing), data transfer, and connection termination.
  Connectionless:      Nothing of this sort.

Parameter: Decision on path
  Connection oriented: Only at the beginning
  Connectionless:      At every node

Parameter: Sequence
  Connection oriented: Keeps the sequence
  Connectionless:      Can arrive out of sequence

Parameter: Example protocol
  Connection oriented: TCP
  Connectionless:      UDP

Parameter: Reliability
  Connection oriented: Reliable
  Connectionless:      Unreliable

0.10 Distinguish between TCP and UDP.

Parameter: Common in both
  UDP and TCP are transport-layer protocols that create a process-to-process communication.

Parameter: Reliability
  TCP: Reliable
  UDP: UDP is an unreliable protocol.

Parameter: Connection orientation
  TCP: Connection oriented
  UDP: Connectionless

Parameter: Overheads
  TCP: Considerable
  UDP: Little

Parameter: Speed
  TCP: Slower
  UDP: Faster

Parameter: Protocol data unit
  TCP: The TCP packet is called a segment.
  UDP: The UDP packet is called a user datagram.

Parameter: Expand the acronym
  TCP: Transmission Control Protocol
  UDP: User Datagram Protocol

Parameter: Flow control mechanism
  TCP: TCP uses a sliding window mechanism for flow control.
  UDP: UDP has no flow control mechanism at all.

Parameter: Error detection and correction mechanism
  TCP: Error detection is handled in TCP by the checksum, CRC, acknowledgment, and time-out.
  UDP: UDP has no error control mechanism at all. No acknowledgement, no guaranteed delivery, no sequence guarantee.

Parameter: Timers
  TCP: TCP uses four timers (retransmission, persistence, keep-alive, and time-waited) in its operation.
  UDP: Nothing of this sort.

Parameter: Preference and use
  TCP: TCP is preferred and used for reliable, byte-stream delivery between processes.
  UDP: UDP is preferred and used for one-shot, client-server type request-reply queries (example: DNS), and where prompt delivery is more important than accurate delivery, such as transmitting speech or video.

Parameter: Headers and overheads
  TCP: The TCP header is much larger than the UDP header.
  UDP: The UDP header is much smaller than the TCP header.

Parameter: Example of application
  TCP: TELNET
  UDP: DNS

Parameter: Connection
  TCP: Required to have an explicit connection between the hosts: three-way handshake.
  UDP: No prior connection at all; it is connectionless.