The Main Notes Chapter 0


8/6/2019 The Main Notes Chapter 0

Notes of Internet Security for B.Sc.(IT) 5th Semester

    Chapter 0

Revision of part of the Data Communication and Networking syllabus, which is a prerequisite for Internet Security.

Chapter Index

Section  Topic
0.0      Introduction
0.1      Three-way handshake
0.2      Understanding the O.S.I. model at a glance
0.3      Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite
0.4      Attacks with reference to the OSI model
0.5      Node-to-node, host-to-host and process-to-process deliveries
0.6      Understanding the SSL layer
0.7      Position of the SSL layer in the TCP/IP suite
0.8      TCP header
0.9      What is connection-oriented and what is connectionless?
0.10     TCP v/s UDP
0.11

    Page 1 of 16


0.1 What is a three-way handshake? Why do you need four steps for connection termination? What do you understand by the terms half-open and half-closed?

Connection

TCP is a connection-oriented protocol. It establishes a virtual path between the source and destination, and all the segments belonging to a message are then sent over this virtual path. Using a single virtual pathway for the entire message facilitates acknowledgment as well as retransmission of damaged or lost segments. In TCP, connection-oriented transmission requires two procedures:

1. Connection establishment and 2. Connection termination.

Connection Establishment

TCP transmits data in full-duplex mode. When two TCPs in two machines are connected, they are able to send segments to each other simultaneously. This implies that each party must initialize communication in its own direction and get approval from the other party before any data transfer.

Conceptually, four steps are needed to establish a full-duplex connection: each side sends a request (SYN) for its own direction, and each side acknowledges (ACK) the other side's request. However, the second and third steps can be combined, the server sending its own SYN and its ACK of the client's SYN in a single segment, to create a three-step connection, called a three-way handshake, as shown in the figure.


The steps of the process are as follows:

1. The client sends the first segment, a SYN segment. The segment includes the source and destination port numbers; the destination port number defines the server to which the client wants to be connected. The segment also carries the client's initial sequence number (ISN), used for numbering the bytes of data sent from the client to the server. The SYN itself consumes one sequence number even though it carries no data.

2. The server sends the second segment, a SYN + ACK segment. This segment has a dual purpose. First, it acknowledges receipt of the first segment, using the ACK flag and the acknowledgment number field. Note that the acknowledgment number is the client's ISN plus 1, because no user data were sent in segment 1 (only the SYN, which occupies one sequence number). The server also advertises its receive window size, that is, how many bytes the client may send before waiting for an acknowledgment. Second, the segment serves as the initialization segment for the server: it carries the server's ISN, used to number the bytes sent from the server to the client.

3. The client sends the third segment. This is just an ACK segment. It acknowledges receipt of the second segment, using the ACK flag and the acknowledgment number field. Note that the acknowledgment number is the server's ISN plus 1, because no user data were sent in segment 2. The client also advertises its own receive window size. Data can already be carried in this third segment.

Connection Termination

Either of the two parties exchanging data (client or server) can close the connection. Because the connection is full-duplex, closing is done per direction: when the connection in one direction is terminated, the other party can continue sending data in the other direction. A connection in this state, closed in one direction but still open in the other, is called half-closed. Therefore, four steps are needed to close the connection in both directions, as shown in the figure.


The four steps are as follows:

1. The client TCP sends the first segment, a FIN segment.

2. The server TCP sends the second segment, an ACK segment, to confirm receipt of the FIN segment from the client. Note that the acknowledgment number is 1 plus the sequence number received in the FIN segment, because no user data were sent in segment 1 (the FIN, like the SYN, occupies one sequence number).

3. The server TCP can continue sending data in the server-to-client direction. When it has no more data to send, it sends the third segment, a FIN segment.

4. The client TCP sends the fourth segment, an ACK segment, to confirm receipt of the FIN segment from the server. Again, the acknowledgment number is 1 plus the sequence number received in the FIN segment from the server.

Connection Resetting

TCP may request the resetting of a connection. Resetting here means that the current connection is destroyed. This happens in one of three cases:

1. The TCP on one side has requested a connection to a nonexistent port. The TCP on the other side may send a segment with its RST bit set to annul the request. (This RST reply is also what a port scanner sees when it probes a closed port.)

2. One TCP may want to abort the connection because of an abnormal situation. It can send an RST segment to close the connection.

3. The TCP on one side may discover that the TCP on the other side has been idle for a long time. It may send an RST segment to destroy the connection.

(Note: RST is one of the flags in the control field of a TCP segment, indicating that the connection must be reset.)

When is a TCP connection open, and when is it half-open?

The three-step process is shown in the figure above. After the server receives the initial SYN segment, the connection is in a half-open state: the server replies with its own SYN carrying its sequence number and awaits the acknowledgment, the third and final segment of a TCP open. Only when that ACK arrives is the connection fully open (established).

Attackers have gamed this half-open state. SYN flooding attacks send the server the first segment only, usually from spoofed source addresses, hoping to swamp the host with half-open connections that will never be completed and so exhaust its table of pending connections. In addition, the first part of this three-step process can be used to detect active TCP services without alerting the application programs, which usually are not informed of incoming connections until the three-segment handshake is complete: a half-open (SYN) scan sends a SYN, notes whether a SYN + ACK (open port) or an RST (closed port) comes back, and then resets the connection instead of completing it.

The sequence numbers have another function. Because the initial sequence number for new connections changes constantly, TCP can detect stale segments from previous incarnations of the same circuit (that is, from previous uses of the same 4-tuple of source address, source port, destination address and destination port).

There is also a modest security benefit: a connection cannot be fully established until both sides have acknowledged the other's initial sequence number, so an attacker who spoofs the client's address must guess the server's ISN to complete the handshake. This only holds if ISNs are unpredictable; predictable ISNs were the basis of the classic TCP spoofing attacks.
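The handshake, termination and reset rules above can be turned into a small connection tracker. The following Python is an added example, not code from the original notes: it replays constructed TCP segments (flags only, no payload) through the states the notes describe and counts half-open connections per server socket, which is the trace a SYN flood or a half-open scan leaves behind. The addresses, ports and the threshold of 10 half-open connections are assumptions made for the demonstration.

```python
"""Replay TCP segment flags through a small connection-state tracker and report
half-open connections (the state a SYN flood fills and a half-open scan probes).

Added example, not code from the original notes. The segments below are
constructed, not captured traffic.
"""
from collections import Counter
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))


def conn_key(s):
    """Direction-independent key for the 4-tuple (both ends sorted)."""
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a <= b else (b, a)


def track(segments):
    """Return {4-tuple key: {"state": ..., "server": (ip, port)}}.

    States follow the notes: HALF_OPEN (SYN seen, third segment not yet seen),
    ESTABLISHED, HALF_CLOSED (one FIN seen: one direction closed), CLOSED
    (both FINs seen), RESET (RST seen).
    """
    conns = {}
    for s in segments:
        k, f = conn_key(s), s.flags
        c = conns.get(k)
        if RST in f:
            if c is not None:
                c["state"] = "RESET"
        elif SYN in f and ACK not in f:
            # Segment 1: the server side is now half-open for this 4-tuple.
            conns[k] = {"state": "HALF_OPEN", "server": (s.dst, s.dport)}
        elif SYN in f and ACK in f:
            pass  # Segment 2: still half-open until the client's ACK arrives.
        elif FIN in f and c is not None:
            if c["state"] == "ESTABLISHED":
                c["state"] = "HALF_CLOSED"
            elif c["state"] == "HALF_CLOSED":
                c["state"] = "CLOSED"
        elif ACK in f and c is not None and c["state"] == "HALF_OPEN":
            c["state"] = "ESTABLISHED"  # Segment 3 completes the handshake.
    return conns


def half_open_report(conns, threshold=10):
    """Count HALF_OPEN connections per server socket; flag sockets at or over threshold."""
    counts = Counter(c["server"] for c in conns.values() if c["state"] == "HALF_OPEN")
    flagged = sorted(srv for srv, n in counts.items() if n >= threshold)
    return dict(counts), flagged


def sample_segments():
    """Constructed traffic: one full connection, one half-open probe, one SYN flood."""
    srv = "192.0.2.10"
    full = [  # normal open and four-step close, client 10.0.0.5:40000 -> :443
        seg("10.0.0.5", 40000, srv, 443, SYN),
        seg(srv, 443, "10.0.0.5", 40000, SYN, ACK),
        seg("10.0.0.5", 40000, srv, 443, ACK),
        seg("10.0.0.5", 40000, srv, 443, FIN, ACK),
        seg(srv, 443, "10.0.0.5", 40000, ACK),
        seg(srv, 443, "10.0.0.5", 40000, FIN, ACK),
        seg("10.0.0.5", 40000, srv, 443, ACK),
    ]
    probe = [  # half-open scan of :22 - the scanner resets after the SYN-ACK
        seg("10.0.0.9", 51000, srv, 22, SYN),
        seg(srv, 22, "10.0.0.9", 51000, SYN, ACK),
        seg("10.0.0.9", 51000, srv, 22, RST),
    ]
    flood = []  # SYNs from 50 spoofed sources to :80; the SYN-ACKs are never acknowledged
    for i in range(50):
        src = f"203.0.113.{i + 1}"
        flood.append(seg(src, 1024 + i, srv, 80, SYN))
        flood.append(seg(srv, 80, src, 1024 + i, SYN, ACK))
    return full + probe + flood


def demo():
    conns = track(sample_segments())
    counts, flagged = half_open_report(conns, threshold=10)
    return conns, counts, flagged


if __name__ == "__main__":
    conns, counts, flagged = demo()
    for k, c in list(conns.items())[:3]:
        print(k, c["state"])
    print("half-open per server socket:", counts)
    print("possible SYN flood on:", flagged)
```

The tracker deliberately keeps the connection in HALF_OPEN across the SYN + ACK, because the server has committed resources at that point but the handshake is not complete; a real host would also age out entries and, under load, switch to SYN cookies rather than keep per-connection state.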

0.2 Understanding the OSI model at a glance:

[Figure: the seven-layer OSI model, Application down to Physical]

0.3 Differentiate between the O.S.I. protocol suite and the T.C.P./I.P. protocol suite.

Parameter          | O.S.I. Model                                                       | T.C.P./I.P.
Expand the acronym | Open Systems Interconnection                                       | Transmission Control Protocol / Internet Protocol
No. of layers      | 7                                                                  | 4
Diagram            | Application, Presentation, Session, Transport, Network, Data Link, Physical | Application, Transport, Internet, Host-to-Network
Protocols          | Good as a model; the protocols are not very popular                | The model is just a description of the protocols; not so good as a model, but the protocols are more useful
Orientation        | Both connection-oriented and connectionless in the Network layer; only connection-oriented in the Transport layer | Only connectionless in the Network layer; supports both (connection-oriented and connectionless) in the Transport layer
Services           | Differentiates clearly between specification and implementation; makes the distinction between services, interfaces and protocols explicit | Does not clearly distinguish the concepts of service, interface and protocol
Suitability        | More general; can describe other protocol stacks                   | Only for the TCP/IP protocols; cannot describe, for example, Bluetooth
Physical layer     | Data Link and Physical are separate layers                         | Does not even define these separately (they are lumped into Host-to-Network)
Top layers merged  | Separate Application, Presentation and Session layers              | No separate Session and Presentation layers; their functions are part of the Application layer

0.4 Discuss the attacks with reference to the OSI model. Give details of protocols, controlling devices and attacks.

Application layer
  Protocols: SMTP: Simple Mail Transfer Protocol (1); MIME (2); POP3: Post Office Protocol (3); IMAP (4); instant messaging (5); e-mail security protocols: 1. PEM (Privacy Enhanced Mail), 2. PGP (Pretty Good Privacy), 3. S/MIME (Secure MIME); HTTP: Hyper Text Transfer Protocol; HTML: Hyper Text Markup Language; FTP: File Transfer Protocol; TFTP: Trivial File Transfer Protocol (over UDP); TELNET (6): remote login; DNS (7): Domain Name System; S-HTTP: Secure Hyper Text Transfer Protocol; LDAP (8): Lightweight Directory Access Protocol
  Controlling device: application gateway (proxy server); applets and ActiveX controls: Java applets, signed applets, the Java sandbox, Java security, Web browser cookies
  Attacks (application-level): interception; fabrication (denial of service, DoS); modification (replay attacks); interruption (masquerade); theft of credit-card information; changing the amount of a transaction; spam; DNS spoofing

SSL layer
  Protocols: Secure Socket Layer (9): 1. Handshake Protocol, 2. Record Protocol, 3. Alert Protocol

Transport layer
  Protocols: TLS: Transport Layer Security (similar to SSL); TCP: Transmission Control Protocol; UDP: User Datagram Protocol
  Controlling device: packet-filter gateway
  Attacks: packet spoofing; SYN flooding (see 0.1)

Internet (network) layer
  Protocols: IP: Internet Protocol; IPSec: AH (Authentication Header), ESP (Encapsulating Security Payload) and IPSec key management; ICMP; ARP; RARP
  Controlling device: packet-filter gateway
  Attacks (network-level): IP address sniffing (snooping); IP spoofing; source-routing attacks; ICMP abuse, ranging from flooding to crashing software on the target host ("killer" ICMP packets)

Data link layer
  Attack: physically inserting an RJ45 plug into your hub (an attacker with physical access joins the LAN and can sniff or inject frames)

Physical layer
  Attack: physical removal of the hard disk

Footnotes:
1. You do not know for sure who sent a mail based on SMTP alone. You must use some higher-level mechanism if you need trust or privacy.
2. MIME too is potentially quite dangerous (it carries attachments and executable content).
3. POP3 is simple but insecure (credentials and mail travel in clear text unless wrapped in SSL/TLS).
4. IMAP is more secure than POP3, but complex.
5. Instant messaging uses various proprietary protocols (America Online, ICQ, Yahoo Messenger). False meeting places could be used to attract messaging traffic.
6. Most TELNET sessions come from untrusted machines, and TELNET carries passwords in clear text.
7. A compromised DNS can wreak havoc.
8. More and more sites are using LDAP for supplying information about users.
9. SSL gives much better and safer facilities, but is still no guarantee if a weak version or cipher suite is negotiated.

0.5 What do you understand by node-to-node, host-to-host and process-to-process deliveries?

OSI suite layer   | TCP/IP suite layer      | Type of delivery     | Name of the data unit                   | Devices in use            | Protocols used in this layer
7. Application    | Application             |                      | APDU                                    |                           | SMTP, FTP, TELNET, DNS, SNMP, TFTP
6. Presentation   | (part of Application)   |                      | PPDU                                    |                           |
5. Session        | (part of Application)   |                      | SPDU                                    |                           |
4. Transport      | Transport (TCP/UDP)     | Process-to-process   | Segments (TCP) / user datagrams (UDP)   | End hosts only            | TCP, UDP
3. Network        | Internet (IP)           | Host-to-host         | Packets (datagrams)                     | Routers                   | IP, ICMP, IGMP, ARP, RARP
2. Data link      | Host-to-network         | Node-to-node         | Frames                                  | Bridges and switches      | Protocols defined by the underlying network
1. Physical       | Host-to-network         | Bit by bit           | Electromagnetic or electro-optical signal | Amplifiers, repeaters, hubs |

Node-to-node delivery (data link layer) moves a frame between two directly connected nodes, one hop at a time, using physical (MAC) addresses. Host-to-host delivery (network layer) carries a packet from the source host to the destination host across any number of routers, using IP addresses; each router performs its own node-to-node delivery to the next hop. Process-to-process delivery (transport layer) takes the data that arrived at the host and hands it to the right application process, using port numbers; it is end-to-end and involves no intermediate device.

0.6 Understanding the SSL Layer.

SECURE SOCKET LAYER (SSL)

Introduction:

[Figure: host X sending to host Y through the TCP/IP suite. Left: the normal stack (Application, Transport, Internet, Data Link, Physical), where the application data (L5 data) receives the transport header H4, the Internet header H3 and the data-link header H2 before being sent as bits over the transmission medium. Right: the same stack with an SSL layer inserted between Application and Transport; the L5 data is encrypted and prefixed with an SSL header (SH) before H4, H3 and H2 are added.]

The typical TCP/IP suite has the structure shown in the figure. We need to secure the communication between the Web browser and the Web server, which calls for one additional layer to be introduced. Where should that layer be?

The Secure Socket Layer (SSL) protocol is an Internet protocol for the secure exchange of information between a Web browser and a Web server. It provides two basic security services, authentication and confidentiality, and, through the message authentication code of its Record Protocol, message integrity as well.

Logically, it provides a secure pipe between the Web browser and the Web server. Netscape Corporation developed SSL in 1994. Since then, SSL has become the world's most popular Web security mechanism, and all the major Web browsers support it. SSL version 3 followed in 1996. Its standardized successor is TLS (Transport Layer Security); all SSL versions are now deprecated (SSL 3.0 formally by RFC 7568) because of protocol weaknesses, but the layering described in the following sections applies unchanged to TLS.

0.7 The Position of SSL in the TCP/IP Protocol Suite

SSL can conceptually be considered an additional layer in the TCP/IP protocol suite. The SSL layer is located between the application layer and the transport layer, as shown in the figure below.

The communication between the various TCP/IP protocol layers is then as shown in the figure above.

As we can see, the application layer of the sending computer (X) prepares the data to be sent to the receiving computer (Y), as usual. However, unlike the normal case, the application layer data is not passed directly to the transport layer. Instead, it is passed to the SSL layer.

Here, the SSL layer encrypts the data received from the application layer (indicated in the figure by a different colour) and also adds its own header, called the SSL header (SH), to the encrypted data.

[Figure: the TCP/IP stack with the S.S.L. layer inserted between the Application layer and the Transport layer, above the Internet and Data Link layers.]

After this, the SSL layer output (SH plus the encrypted L5 data) becomes the input for the transport layer, which adds its own header (H4) and passes it on to the Internet layer, and so on. This process happens exactly as in a normal TCP/IP data transfer. Finally, when the data reaches the physical layer, it is sent in the form of voltage pulses across the transmission medium.

At the receiver's end, the process is much the same as for a normal TCP/IP connection until the data reaches the new SSL layer. The SSL layer at the receiver's end removes the SSL header (SH), decrypts the encrypted data, and gives the plain-text data back to the application layer of the receiving computer.

Thus, only the application layer data is encrypted by SSL. The lower layer headers are not encrypted.

This is quite obvious: if SSL had to encrypt all the headers, it would have to be positioned below the data link layer. That would serve no purpose at all; in fact, it would lead to problems. If SSL encrypted all the lower layer headers, even the IP and physical (MAC) addresses of the computers (sender, receiver and intermediate nodes) would be encrypted and become unreadable, so where to deliver the packets would be a big question. To understand the problem, imagine what would happen if we put the address of the sender and the receiver of a letter inside the envelope: the postal service would not know where to send the letter. This is also why there is no point in encrypting the lower layer headers.

Therefore, SSL belongs between the application and the transport layers.

A practical consequence is that an observer on the path still sees the IP addresses, TCP port numbers, record sizes and timing of an SSL connection: SSL protects the content of the conversation, not the fact that it is taking place or with whom.

How does SSL work? SSL has three sub-protocols, namely:

1. The Handshake Protocol,
2. The Record Protocol and
3. The Alert Protocol.

These three sub-protocols constitute the overall working of SSL.
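Since the SSL header (SH) sits inside the TCP payload, a packet capture shows it in the clear right after the TCP header. The following Python is an added example, not code from the original notes: it constructs a Handshake record carrying a ClientHello followed by an Alert record, then parses both using the record layout shared by SSL 3.0 and TLS 1.x (content type, version, length), showing what the Record, Handshake and Alert sub-protocols look like on the wire. The cipher suite values, the all-zero client random and the alert code are constructed inputs, not captured traffic.

```python
"""Parse the SSL/TLS record header (the "SH" of the notes) and the Handshake and
Alert sub-protocol messages carried inside it.

Added example, not code from the original notes. The ClientHello and the alert
below are constructed with build_client_hello() and struct, not captured.
The record layout (type, version, length) is identical for SSL 3.0 and TLS 1.x.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      70: "protocol_version"}
MAX_RECORD = 2 ** 14 + 2048   # upper bound on a TLS 1.2 ciphertext fragment


def build_client_hello(version=(3, 3), cipher_suites=(0xC02F, 0x002F), client_random=bytes(32)):
    """Handshake record carrying a minimal ClientHello (no session id, no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!BB", *version) + client_random
            + b"\x00"                                    # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = bytes([1]) + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return struct.pack("!BBBH", 22, version[0], version[1], len(handshake)) + handshake


def parse_record(data):
    """Return (content type, version, body, remaining bytes) for the first record in data."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_RECORD:
        raise ValueError("record length exceeds protocol maximum")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    version = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
    return CONTENT_TYPES[ctype], version, body, data[5 + length:]


def parse_handshake(body):
    """Decode one Handshake message; for a ClientHello, also the offered version and suites."""
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    htype, length = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + length]
    if len(msg) != length:
        raise ValueError("handshake body truncated")
    out = {"type": HANDSHAKE_TYPES.get(htype, f"unknown {htype}")}
    if htype != 1:
        return out
    if len(msg) < 35:
        raise ValueError("ClientHello too short")
    out["client_version"] = VERSIONS.get((msg[0], msg[1]), "unknown")
    out["random"] = msg[2:34]
    p = 34
    sid_len = msg[p]
    p += 1
    out["session_id"] = msg[p:p + sid_len]
    p += sid_len
    if p + 2 > len(msg):
        raise ValueError("ClientHello truncated before cipher_suites")
    cs_len = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    if cs_len % 2 or p + cs_len > len(msg):
        raise ValueError("bad cipher_suites length")
    out["cipher_suites"] = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    if p >= len(msg):
        raise ValueError("ClientHello truncated before compression_methods")
    cm_len = msg[p]
    p += 1
    out["compression"] = list(msg[p:p + cm_len])
    return out


def parse_alert(body):
    """Alert Protocol message: (level, description)."""
    if len(body) != 2:
        raise ValueError("alert must be exactly 2 bytes")
    return ALERT_LEVELS.get(body[0], "unknown"), ALERT_DESCRIPTIONS.get(body[1], f"code {body[1]}")


def demo():
    """Two records back to back in one TCP payload: a ClientHello, then a fatal alert."""
    payload = build_client_hello() + struct.pack("!BBBHBB", 21, 3, 3, 2, 2, 40)
    ctype, ver, body, rest = parse_record(payload)
    hello = parse_handshake(body)
    ctype2, ver2, body2, rest2 = parse_record(rest)
    return (ctype, ver, hello), (ctype2, ver2, parse_alert(body2)), rest2


if __name__ == "__main__":
    first, second, leftover = demo()
    print(first[0], first[1], first[2]["type"], [hex(s) for s in first[2]["cipher_suites"]])
    print(second, "leftover bytes:", len(leftover))
```

Every length field is checked against the bytes actually present before it is used; record and handshake parsers that trust the declared length are where many SSL/TLS implementation bugs have lived. Note also that the ClientHello is sent before any key is agreed, so everything it contains, including the offered cipher suites, is readable on the wire.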


0.8 The TCP header:

Segment

The unit of data transfer between two devices using TCP is a segment. The format of a segment is shown in the figure.

TCP Header

The segment consists of a 20-byte to 60-byte header, followed by data from the application program. The header is 20 bytes if there are no options and up to 60 bytes if it contains options. Some of the header fields are discussed in this section.

1. Source port address. A 16-bit field that defines the port number of the application program in the host that is sending the segment.

2. Destination port address. A 16-bit field that defines the port number of the application program in the host that is receiving the segment.

3. Sequence number. This 32-bit field defines the number assigned to the first byte of data contained in this segment. As said before, TCP is a stream transport protocol: to ensure connectivity, each byte to be transmitted is numbered. The sequence number tells the destination which byte in this stream is the first byte in the segment.

4. Acknowledgment number. This 32-bit field defines the byte number that the sender of the segment is expecting to receive from the other party. If byte number x has been received successfully, x + 1 is the acknowledgment number.

5. Header length. This 4-bit field (also called the data offset) indicates the number of 4-byte words in the TCP header. Because the header can be between 20 and 60 bytes long, the value of this field can be between 5 (5 x 4 = 20) and 15 (15 x 4 = 60).

6. Reserved. A 6-bit field reserved for future use in the original specification.

7. Control. This field defines 6 control bits or flags: URG, ACK, PSH, RST, SYN and FIN. One or more of these bits can be set at a time. They are used for connection establishment and termination (SYN, FIN), aborting a connection (RST), acknowledging received data (ACK) and controlling how data is delivered to the application (PSH, URG).

The remaining fields are the 16-bit window size (used for flow control), the 16-bit checksum (computed over the header, the data and a pseudo-header containing the IP addresses), the 16-bit urgent pointer, and any options (for example, the maximum segment size announced in SYN segments).
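The field layout above can be exercised directly. The following Python is an added example, not code from the original notes: it builds the three handshake segments of section 0.1 byte by byte (including an MSS option, which makes the header 24 bytes and the header-length field 6), parses them back, and verifies the TCP checksum over the IPv4 pseudo-header, showing that a single flipped payload byte is detected. The addresses, ports, sequence numbers and HTTP request are constructed values.

```python
"""Build and parse TCP segments (RFC 793 header layout) and verify the checksum.

Added example, not code from the original notes. Addresses, ports, sequence
numbers and the HTTP payload are constructed for illustration.
"""
import socket
import struct

HEADER_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header (addresses, zero, protocol 6, TCP length) covered by the checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b"", options=b""):
    """Return header + payload with the data offset and checksum filled in."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    if data_offset > 15:
        raise ValueError("header cannot exceed 60 bytes")
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    offset_flags = (data_offset << 12) | flag_bits  # 4 bits offset, 6 reserved, 6 flags
    header = struct.pack(HEADER_FMT, sport, dport, seq, ack, offset_flags, window, 0, 0) + options
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def parse_segment(data):
    """Decode the fixed header, options and payload; reject impossible header lengths."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags, window, csum, urg = struct.unpack(HEADER_FMT, data[:20])
    data_offset = offset_flags >> 12
    if not 5 <= data_offset <= 15:
        raise ValueError(f"invalid data offset {data_offset}")
    hlen = data_offset * 4
    if len(data) < hlen:
        raise ValueError("header length exceeds segment length")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": hlen, "flags": sorted(n for n, b in FLAG_BITS.items() if offset_flags & b),
        "window": window, "checksum": csum, "urgent": urg,
        "options": data[20:hlen], "payload": data[hlen:],
    }


def checksum_ok(src_ip, dst_ip, data):
    """A correct segment sums to zero when the stored checksum is included in the sum."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(data)) + data) == 0


def demo():
    """The three handshake segments of section 0.1, with data on the third segment."""
    client, server = "10.0.0.5", "192.0.2.10"
    client_isn, server_isn = 1000, 5000
    mss = b"\x02\x04\x05\xb4"  # option kind 2 (MSS), length 4, value 1460
    syn = build_segment(client, server, 40000, 443, client_isn, 0, ["SYN"], 65535, options=mss)
    synack = build_segment(server, client, 443, 40000, server_isn, client_isn + 1, ["SYN", "ACK"], 65535,
                           options=mss)
    ack = build_segment(client, server, 40000, 443, client_isn + 1, server_isn + 1, ["ACK"], 65535,
                        payload=b"GET / HTTP/1.0\r\n\r\n")
    parsed = [parse_segment(s) for s in (syn, synack, ack)]
    valid = [checksum_ok(client, server, syn), checksum_ok(server, client, synack), checksum_ok(client, server, ack)]
    # Flip one payload byte in transit ("GET" -> "PET"): the checksum must now fail.
    hlen = parsed[2]["header_len"]
    tampered = ack[:hlen] + b"P" + ack[hlen + 1:]
    return parsed, valid, checksum_ok(client, server, tampered)


if __name__ == "__main__":
    parsed, valid, tampered_ok = demo()
    for p in parsed:
        print(p["flags"], "seq", p["seq"], "ack", p["ack"], "hlen", p["header_len"], "payload", p["payload"])
    print("checksums valid:", valid, "tampered segment valid:", tampered_ok)
```

The checksum catches accidental corruption only: anyone who can modify a segment can recompute it, which is why integrity against an attacker has to come from a layer such as SSL/TLS above TCP or IPSec below it.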

[Figure: UDP header: source port, destination port, total length, checksum (8 bytes in all)]


0.9 What is connection-oriented? What is connectionless?

Connection-oriented v/s connectionless deliveries

Parameter           | Connection-oriented                                                                 | Connectionless
Definition          | A characteristic of a network system that requires a pair of computers to establish a connection before sending data. Example: telephone call | A characteristic of a network system that allows a computer to send data to any other computer at any time, with no prerequisite connection to the destination. Example: postal system
PDU movement        | Sequential                                                                          | Each PDU is treated independently of all prior PDUs
Three-way handshake | Connection establishment requires a three-way handshake                             | Nothing of this sort
Modus operandi      | Three steps: connection establishment (agree on syntax, semantics and timing), data transfer, connection termination | Nothing of this sort
Decision on path    | Only at the beginning (for TCP over IP the path is a logical one; the underlying IP packets are still routed individually) | At every node
Sequence            | Keeps the sequence                                                                  | Can arrive out of sequence
Example             | TCP                                                                                 | UDP
Reliability         | Reliable                                                                            | Unreliable


0.10 Distinguish between TCP and UDP.

Parameter                        | TCP                                                                 | UDP
Common to both                   | UDP and TCP are transport-layer protocols that provide process-to-process communication, identified by port numbers
Reliability                      | Reliable                                                            | Unreliable
Connection orientation           | Connection-oriented                                                 | Connectionless
Overheads                        | Considerable                                                        | Little
Speed                            | Slower                                                              | Faster
Protocol data unit               | The TCP packet is called a segment                                  | The UDP packet is called a user datagram
Expand the acronym               | Transmission Control Protocol                                       | User Datagram Protocol
Flow control mechanism           | TCP uses a sliding window mechanism for flow control                | UDP has no flow control mechanism at all
Error detection and correction   | Error detection by the checksum; correction by acknowledgment, retransmission and time-out | Checksum only (error detection; optional in IPv4); no acknowledgment, no guaranteed delivery, no sequence guarantee
Timers                           | TCP uses four timers in its operation: retransmission, persistence, keep-alive and time-wait | Nothing of this sort
Preference and use               | TCP is preferred for reliable byte-stream delivery between processes | UDP is preferred for one-shot, client-server request-reply queries (example: DNS) and where prompt delivery is more important than accurate delivery, such as transmitting speech or video
Headers and overheads            | 20 to 60 bytes; much larger than the UDP header                     | 8 bytes; much smaller than the TCP header
Example of application           | TELNET                                                              | DNS
Connection                       | Requires an explicit connection between the hosts (three-way handshake) | No prior connection at all; it is connectionless