UNIT-2 Network Security
Authentication
Authentication in computer networks is the process of verifying the identity of a device or user on a network. This is done to ensure that only authorized devices and users are able to access network resources. There are many different methods that can be used for authentication, including passwords, biometric factors such as fingerprints or facial recognition, and security tokens.
Overall, authentication is an important aspect of computer network security. It
helps to ensure that only authorized devices and users are able to access
network resources, protecting against unauthorized access and potential
security breaches.
There are different types of authentication systems:
1. Single-Factor Authentication: This was the first method of security that was developed. In this authentication system, the user has to enter a username and a password to confirm who is logging in. If the username or password is wrong, the user is not allowed to log in or access the system.
Advantages of the Single-Factor Authentication System:
It is a very simple and straightforward system to use.
It is not at all costly.
The user does not need any advanced technical skills.
Disadvantages of the Single-Factor Authentication System:
It is not secure on its own; its security depends entirely on the strength of the password entered by the user.
The protection level in Single-Factor Authentication is very low.
2. Two-Factor Authentication: In this authentication system, the user has to give a username, a password, and additional information. Various kinds of second factors are used to secure the system, for example wireless tokens, virtual tokens, one-time passwords (OTP) and more.
Advantages of Two-Factor Authentication:
The Two-Factor Authentication System provides better security than the Single-Factor Authentication System.
Productivity and flexibility increase in the two-factor authentication system.
Two-Factor Authentication prevents the loss of trust.
Disadvantages of Two-Factor Authentication:
It is time-consuming.
3. Multi-Factor Authentication: In this type of authentication, more than one factor of authentication is needed. This gives better security to the user. Any type of keylogger or phishing attack will not be possible in a Multi-Factor Authentication system. This assures the user that their information will not be stolen.
The advantages of the Multi-Factor Authentication System are:
No risk to security.
No information can be stolen.
No risk of any keylogger activity.
No risk of any data being captured.
The disadvantages of the Multi-Factor Authentication System are:
It is time-consuming.
It can rely on third parties.
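As an added illustration, not part of the original notes, of how a second factor changes the check a server performs, the Go code below contrasts a single-factor login, which admits anyone who knows the password, with a two-factor login that also demands a current one-time password computed per RFC 6238 (TOTP, the "OTP" mentioned above). The account, its password, the seed and the use of plain SHA-256 as the password hash are constructed for this example only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP computes an RFC 6238 one-time password: HMAC-SHA1 of the 30-second time step
// counter, dynamic truncation to 31 bits, then the last `digits` decimal digits.
func TOTP(seed []byte, t time.Time, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ { mod *= 10 }
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Account is what the server stores: a password hash (first factor), the TOTP seed shared
// with the user's token or app (second factor) and the last time step already used.
type Account struct {
	PasswordHash [32]byte // plain SHA-256 only to stay in the standard library; use bcrypt/Argon2 in practice
	Seed         []byte
	LastStep     int64
}

func NewAccount(password string, seed []byte) *Account {
	return &Account{PasswordHash: sha256.Sum256([]byte(password)), Seed: seed}
}

// LoginSingleFactor admits anyone who knows the password, nothing more.
func (a *Account) LoginSingleFactor(password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(h[:], a.PasswordHash[:]) == 1
}

// LoginTwoFactor also demands a code from the current 30-second step (one step of clock
// skew either way is tolerated) and refuses a step that has already been used (replay).
func (a *Account) LoginTwoFactor(password, code string, now time.Time) bool {
	if !a.LoginSingleFactor(password) { return false }
	for _, skew := range []time.Duration{0, -30 * time.Second, 30 * time.Second} {
		t := now.Add(skew)
		step := t.Unix() / 30
		if step > a.LastStep && subtle.ConstantTimeCompare([]byte(TOTP(a.Seed, t, 6)), []byte(code)) == 1 {
			a.LastStep = step
			return true
		}
	}
	return false
}
```

The seed "12345678901234567890" is the RFC 6238 test secret, so the codes this produces can be checked against the RFC's own table.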
Authentication Applications
Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an authentication server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.
The main components of Kerberos are:
Authentication Server (AS): The Authentication Server performs the initial authentication and issues a ticket for the Ticket Granting Service.
Database: The Authentication Server verifies the access rights of users in the database.
Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server.
Working of Kerberos
Step-1: The user logs in and requests services on the host; that is, the user requests the ticket-granting service.
Step-2: The Authentication Server verifies the user's access rights using the database and then issues a ticket-granting ticket and a session key. The results are encrypted using the password of the user.
Step-3: The user decrypts the message using the password and then sends the ticket to the Ticket Granting Server. The ticket contains authenticators such as user names and network addresses.
Step-4: The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the authenticator, and then creates a ticket for requesting services from the Server.
Step-5: The user sends the ticket and authenticator to the Server.
Step-6: The Server verifies the ticket and authenticator and then grants access to the service. After this the user can access the service.
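The six steps above, worked through in Go as an added example that is not from the original notes: AES-GCM stands in for "encrypt with key K", the user's long-term key is derived from the password with SHA-256, and the principal "alice", the TGS and service keys, the 8-hour ticket lifetime and the 5-minute authenticator window are all constructed assumptions. Login plays both the client and the KDC so the whole exchange runs in one process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is sealed under the target's long-term key; Auth is sealed under the ticket's session key.
type Ticket struct{ Client string; Session []byte; Expires int64 }
type Auth struct{ Client string; Time int64 }
// seal/open stand in for "encrypt with key K" in the Kerberos steps (AES-GCM here).
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte, v interface{}) error {
	b, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 { return errors.New("cannot decrypt") }
	g, _ := cipher.NewGCM(b)
	pt, err := g.Open(nil, blob[:12], blob[12:], nil)
	if err != nil { return err }
	return json.Unmarshal(pt, v)
}
func userKey(password string) []byte { k := sha256.Sum256([]byte(password)); return k[:] }
// issue (steps 2 and 4): a ticket for the target plus the same fresh session key sealed for the presenter.
func issue(targetKey, presenterKey []byte, client string) (ticket, forPresenter []byte) {
	sk := make([]byte, 32)
	rand.Read(sk)
	return seal(targetKey, Ticket{client, sk, time.Now().Add(8 * time.Hour).Unix()}), seal(presenterKey, sk)
}

// verify: what the TGS (step 4) and the service (step 6) do with a ticket plus authenticator.
func verify(myKey, ticket, auth []byte) ([]byte, error) {
	t, a, now := Ticket{}, Auth{}, time.Now().Unix()
	if err := open(myKey, ticket, &t); err != nil { return nil, errors.New("bad ticket") }
	if err := open(t.Session, auth, &a); err != nil { return nil, errors.New("bad authenticator") }
	if now > t.Expires || a.Client != t.Client || now-a.Time > 300 { return nil, errors.New("expired or mismatched") }
	return t.Session, nil
}

// Login plays both client and KDC for steps 1-6; db maps principals to their long-term keys.
func Login(user, password string, db map[string][]byte, kTGS, kSvc []byte) error {
	dbKey, ok := db[user]
	if !ok { return errors.New("unknown principal") }
	tgt, toClient := issue(kTGS, dbKey, user) // step 2: AS reply; session key sealed with the user's key
	var sk1, sk2 []byte
	if err := open(userKey(password), toClient, &sk1); err != nil { return errors.New("wrong password") } // step 3
	if _, err := verify(kTGS, tgt, seal(sk1, Auth{user, time.Now().Unix()})); err != nil { return err } // step 4
	st, toClient2 := issue(kSvc, sk1, user) // step 4: service ticket; its session key is sealed under sk1
	open(sk1, toClient2, &sk2)
	_, err := verify(kSvc, st, seal(sk2, Auth{user, time.Now().Unix()})) // steps 5 and 6
	return err
}
```

A wrong password fails at step 3 because the client cannot open the AS reply, and a ticket sealed for the TGS is useless at the service because only the service key opens service tickets.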
Limitations of Kerberos
Each network service must be modified individually for use with Kerberos.
It doesn't work well in a timeshare environment.
It requires a secured Kerberos server.
It requires an always-on Kerberos server.
It stores all passwords encrypted with a single key.
It assumes workstations are secure.
It may result in a cascading loss of trust.
Scalability.
Applications of Kerberos
User Authentication: User Authentication is one of the main
applications of Kerberos. Users only have to input their
username and password once with Kerberos to gain access to
the network. The Kerberos server subsequently receives the
encrypted authentication data and issues a ticket granting ticket
(TGT).
Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO)
solution that enables users to log in once to access a variety of
network resources. A user can access any network resource
they have been authorized to use after being authenticated by
the Kerberos server without having to provide their credentials
again.
Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication technique to make sure that both the client and the server are authenticated. This is accomplished using a shared secret key that is securely kept on both the client and the server.
Authorization: Kerberos also offers a system for authorization
in addition to authentication. After being authenticated, a user
can submit service tickets for certain network resources. Users
can access just the resources they have been given permission
to use thanks to information about their privileges and
permissions contained in the service tickets.
Network Security: Kerberos offers a central authentication
server that can regulate user credentials and access restrictions,
which helps to ensure network security. In order to prevent
unwanted access to sensitive data and resources, this server
may authenticate users before granting them access to network
resources.
Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) is encryption software designed to ensure the confidentiality, integrity, and authenticity of digital communications and information. It is considered one of the best methods for securing digital data.
At its core, PGP works on a hybrid cryptographic method
that combines symmetric-key and public-key cryptography
techniques. Symmetric-key cryptography uses one secret
key for both encrypting and decrypting data. Public-key
cryptography uses two keys: a public key (shared with
everyone) for encryption and a private key (kept secret) for
decryption.
The following are the services offered by PGP:
1. Authentication
2. Confidentiality
3. Email Compatibility
4. Segmentation
Authentication in PGP
Authentication means something that is used to validate something as true or real. To log in to some sites we give our account name and password; that is an authentication verification procedure. In the email world, checking the authenticity of an email means checking whether it actually came from the person it claims to come from. In emails, authenticity has to be checked because some people spoof emails or send spam, which can cause a lot of inconvenience.
PGP at Sender and Receiver Site
Looking at PGP at the sender's site and at the receiver's site helps visualize the process. The steps involved at each site are listed below.
At Sender's Site
The steps involved in using PGP encryption at the sender's site:
Message Creation − The sender creates the message they intend to send securely.
Key Generation − The sender generates a pair of keys, one of which is shared publicly while the other stays private.
Encryption of Message − Encrypting the message text with the receiver's public key ensures that only the receiver can decrypt it, using the matching private key.
Digital Signature Creation − The sender creates a digital signature on the message using his or her private key. It serves to prove the sender's identity and guarantees that the message has not been altered.
Sending the Encrypted Message with the Signature − The sender forwards the encrypted message to the recipient along with the digital signature. Upon receiving this message, the receiver uses his private key to decrypt it and the sender's public key to verify whether the message is authentic.
At Receiver's Site
The steps to be followed in using PGP encryption at the receiver's site:
Receive Encrypted Message with Signature − The receiver gets the encrypted message and its digital signature sent by the sender.
Decrypt Message − The receiver decrypts the encrypted message using the private key that matches the public key they have made public.
Digital Signature Verification − The receiver uses the sender's public key to verify the digital signature attached to the message. This confirms that the message was truly sent by the claimed sender and was not changed along the way.
Usage of PGP
PGP encryption is a popular tool to protect messages and data:
Confidential communication − It encrypts emails, files, text messages as well as disk partitions, ensuring that they can only be decrypted and read by the person for whom they were meant.
Authentication and Integrity Checking − Digitally signing with PGP helps verify the identities of senders and detect whether messages have been changed in any way.
Ensuring Message Delivery − Public keys come along with identity certificates which contain information about a specific recipient and alert against any interference attempts.
Email Encryption − In order to keep your data secure, it is normal to use PGP to encrypt email messages.
Digital Signature Verification − By using PGP one is able to verify whom a message was sent from by means of their digital signature. In most cases it is combined with threat detection tools for increased security.
File Encryption − PGP's robust RSA encryption makes it suitable for securing files.
Advantages of PGP
The primary benefit of PGP encryption lies in its unbreakable
algorithm.
It is regarded as a top technique for improving cloud
security and is frequently utilised by users who need to encrypt
their private conversations.
This is due to PGP's ability to prevent hackers and governments from accessing files or emails that are encrypted with PGP.
Disadvantage of PGP
The main drawback of PGP encryption is that it is usually not
intuitive to use. PGP requires time and effort to fully encrypt
data and files, which might make messaging more difficult for
users. If an organisation is thinking about deploying PGP, it has
to train its employees.
It is imperative that users comprehend the intricacies of the PGP system so that they do not unintentionally weaken their security measures. This may happen through using PGP incorrectly or through losing or corrupting keys, endangering other users in situations where security is critical.
PGP encrypts user messages but does not provide users with
any anonymity. This makes it possible to identify the source and
recipient of emails sent using a PGP solution.
Secure/Multipurpose Internet Mail Extensions
Secure/Multipurpose Internet Mail Extension (S/MIME) is an
industry-standard for email encryption and signature that is
commonly used by businesses to improve email security. S/MIME is
supported by the majority of corporate email clients.
S/MIME can do both symmetric encryption and digital signatures,
which are two very important functions for securing emails in the
best possible way. Symmetric encryption guarantees that only the
addressee will be able to read your email, and digital signatures
identify who it came from and show that it wasn't changed on its way
to your inbox. With S/MIME, you will be able to protect your
communication against unwanted readers and establish trust with
those receiving your emails.
S/MIME Certificate Characteristics
You receive a set of cryptographic security features when you use an S/MIME certificate with email applications:
Authentication − The verification of a computer user's or a website's identity.
Message consistency (integrity) − A guarantee that the message's contents and data have not been tampered with. The message's secrecy is also crucial. The decryption procedure entails checking the message's original contents and confirming that they have not been altered.
Use of digital signatures that provide non-repudiation − The original sender's identity and digital signature are validated so that there is no doubt about who sent the message.
Protection of personal information − A data breach cannot be caused by an unintended third party.
Encryption is used to protect data − This relates to the procedures described above, in which data security is ensured by a mix of public and private keys, i.e. asymmetric cryptography.
How S/MIME Works
S/MIME enables non-ASCII data to be sent by email over the Simple Mail Transfer Protocol (SMTP). Many kinds of data files can be sent, including music, video, and image files. This data is sent securely using encryption: data encrypted with the receiver's public key is decrypted with the private key, which is held only by the receiver of the email. The receiver decrypts the message and then uses it. In this way, data is shared over email with an end-to-end security service based on cryptography.
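The sender-site and receiver-site steps of PGP above, and the public-key/private-key exchange just described for S/MIME, share the same hybrid shape, shown here as an added Go example (it is not code from the original notes and not how GnuPG or an S/MIME library formats its messages): the message is signed with the sender's private key, encrypted under a fresh AES session key, and that session key is wrapped with the receiver's RSA public key; the receiver reverses the steps. The Envelope structure, the 2048-bit key size and the sample message are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what travels from sender to receiver: the session key wrapped with the
// receiver's public key, the message sealed under that session key, and the signature.
type Envelope struct {
	WrappedKey  []byte // RSA-OAEP(receiver public key, session key)
	Nonce, Body []byte // AES-256-GCM(session key, plaintext)
	Signature   []byte // RSA-PSS(sender private key, SHA-256(plaintext))
}

// Send is the sender's site: sign with own private key, encrypt under a fresh symmetric
// session key, then wrap that session key for the receiver (the hybrid method).
func Send(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	block, _ := aes.NewCipher(sessionKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}, nil
}

// Receive is the receiver's site: unwrap the session key with own private key, decrypt,
// then verify the signature with the sender's public key. Each failure is reported separately.
func Receive(e *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.WrappedKey, nil)
	if err != nil { return nil, errors.New("not the intended recipient: cannot unwrap session key") }
	block, err := aes.NewCipher(sessionKey)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, e.Nonce, e.Body, nil)
	if err != nil { return nil, errors.New("ciphertext was altered in transit") }
	digest := sha256.Sum256(msg)
	if rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], e.Signature, nil) != nil {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	return msg, nil
}

// NewKeyPair generates a 2048-bit RSA key; the public half is what gets shared.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}
```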
Advantages of S/MIME
1. It offers verification.
2. It offers integrity to the message.
3. By the use of digital signatures, it facilitates non-repudiation of
origin.
4. It offers seclusion.
5. Data security is ensured by the utilization of encryption.
6. It allows data files like images, audio, videos, documents, etc. to be transferred in a secure manner.
Difference Between PGP and S/MIME
No. | PGP | S/MIME
1. | PGP is designed for processing plain text. | S/MIME is designed to process email as well as many multimedia files.
2. | PGP is less costly as compared to S/MIME. | S/MIME is comparatively expensive.
3. | PGP is good for personal as well as office use. | S/MIME is good for industrial use.
4. | PGP is less efficient than S/MIME. | S/MIME is more efficient than PGP.
5. | PGP depends on user key exchange. | S/MIME relies on a hierarchically valid certificate for key exchange.
6. | PGP is comparatively less convenient. | S/MIME is more convenient than PGP due to the secure transformation of all the applications.
8. | PGP is the standard for strong encryption. | S/MIME is also the standard for strong encryption but has some drawbacks.
9. | PGP can also be used in VPNs. | S/MIME is not used in VPNs; it is only used in email services.
10. | PGP uses Diffie-Hellman digital signature. | S/MIME uses ElGamal digital signature.
11. | In PGP, trust is established using a Web of Trust. | In S/MIME, trust is established using a Public Key Infrastructure.
12. | PGP is used for securing text messages only. | S/MIME is used for securing messages and attachments.
X.509 Authentication Service
X.509 is a digital certificate format defined by a widely trusted standard, the International Telecommunication Union (ITU) X.509 standard, which specifies the format of PKI certificates. An X.509 digital certificate is the basis of a certificate-based authentication security framework that can be used for secure transaction processing and for protecting private information. These certificates are primarily used for handling security and identity in computer networking and internet-based communications.
Working of X.509 Authentication Service Certificate:
The core of the X.509 authentication service is the public key certificate connected to each user. These user certificates are assumed to be produced by some trusted certification authority and placed in the directory by the user or by the certification authority. The directory servers are only used to provide an easily reachable location from which all users can acquire certificates.
The X.509 standard is built on an interface description language known as ASN.1 (Abstract Syntax Notation One). The X.509 certificate format associates a public and private key pair that is used for encrypting and decrypting a message.
Once an X.509 certificate is issued to a user by the certification authority, that certificate is attached to the user like an identity card. The chances of someone stealing or losing it are lower than with unsecured passwords. With this analogy it is easier to imagine how the authentication works: the certificate is presented like an identity card at the resource that requires authentication.
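The "identity card" flow above as an added Go example (not code from the original notes): a trusted certification authority issues a user certificate, and the resource authenticates a presented certificate by checking that it chains to that CA, is inside its validity period and was issued for email protection. The CA name, the email address and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh key pair and has issuer sign the template for it; with a nil
// issuer the template signs itself, which is how the CA's own certificate is made.
func newCert(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if issuer == nil { issuer, issuerKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA plays the trusted certification authority of the text.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueUserCert is the CA producing the user's "identity card": a certificate binding
// the user's email address to a key pair, valid for the given duration.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, caKey)
}

// Authenticate is the resource checking a presented certificate: it must chain to the
// trusted CA, be inside its validity period and have been issued for email protection.
func Authenticate(presented, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

func main() {
	ca, caKey := NewCA("Example Root CA") // constructed CA and user for the demonstration
	user, _ := IssueUserCert(ca, caKey, "alice@example.test", time.Hour)
	fmt.Println("genuine certificate accepted:", Authenticate(user, ca) == nil)
}
```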
Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some
of them are given below:
Document signing and Digital signature
Web server security with the help of Transport Layer Security
(TLS)/Secure Sockets Layer (SSL) certificates
Email certificates
Code signing
Secure Shell Protocol (SSH) keys
Digital Identities
Directory Authentication Service
A Directory Authentication Service is a system used in computer
networks to authenticate users and manage identities through a
centralized directory. It enables secure access control by verifying
user credentials before granting permissions to network resources.
Key Features of Directory Authentication Service
1. Centralized User Management
   - Stores user credentials (e.g., usernames, passwords, certificates) in a directory service.
   - Reduces the need for multiple authentication systems across different applications.
2. Single Sign-On (SSO) Support
   - Allows users to log in once and access multiple services without repeated authentication.
3. Access Control & Authorization
   - Ensures that users have appropriate permissions based on roles and policies.
4. Secure Credential Storage
   - Uses encryption and hashing to store sensitive authentication data.
5. Integration with Other Security Mechanisms
   - Works with encryption, multi-factor authentication (MFA), and security policies.
Common Directory Authentication Services
1. Active Directory (AD) - Microsoft
   - Uses Kerberos and NTLM for authentication.
   - Supports centralized domain-based user authentication.
2. Lightweight Directory Access Protocol (LDAP)
   - Open standard protocol for accessing and managing directory services.
   - Used by many authentication systems, including OpenLDAP and Active Directory.
3. RADIUS (Remote Authentication Dial-In User Service)
   - Commonly used for network access authentication (e.g., Wi-Fi, VPN).
4. TACACS+ (Terminal Access Controller Access-Control System Plus)
   - Provides centralized authentication for network devices, often used in Cisco environments.
5. Identity and Access Management (IAM) Services
   - Cloud-based authentication services like Azure AD, Google Workspace IAM, and Okta.
Benefits of Directory Authentication Services
✔️ Enhanced Security – Centralized authentication reduces vulnerabilities.
✔️ Improved User Experience – Enables seamless access to resources.
✔️ Simplified Administration – Easier management of user access and roles.
✔️ Scalability – Supports authentication for large organizations and cloud-based systems.