Understanding Network Security: Threats, Encryption, and Defense Mechanisms
This article provides a comprehensive overview of network security, covering passive and active threats, cryptographic models, digital signatures, authentication methods, key distribution, firewalls, and intrusion detection systems, highlighting essential concepts and practical defenses.
Computer Network – Network Security
1. Overview of Network Security Issues
Network Security Threats
Network security faces two major categories of threats: passive attacks and active attacks.
Passive Attack
Attackers eavesdrop on communications, commonly called interception.
Active Attack
Tampering – attackers deliberately modify transmitted packets.
Malware – malicious programs.
Denial‑of‑Service (DoS) – attackers flood a server with packets, preventing normal service.
Exam question: What does DDoS stand for and what is its principle? Answer: Distributed Denial of Service.
Secure Computer Networks
Confidentiality – only sender and receiver understand the content.
Endpoint authentication – ability to verify true identities of parties.
Integrity – ensure information is not altered.
Operational security – ability to avoid congestion or collapse caused by attacks.
Data Encryption Model
[Figure: data encryption model. Sender side: encryption with key K. Receiver side: decryption with key K.]
Receiver uses decryption algorithm D and decryption key K to recover plaintext X.
Disciplinary Relationships
Cryptography : design of cryptosystems.
Cryptanalysis : techniques to derive plaintext or keys from ciphertext without knowing the key.
Cryptology : combination of cryptography and cryptanalysis.
2. Two Types of Cryptosystems
Symmetric‑key Cryptosystem
Encryption and decryption use the same algorithm.
Data Encryption Standard (DES) is a symmetric‑key system; its secrecy depends on key confidentiality while the algorithm is public.
Public‑key Cryptosystem
Uses different keys for encryption and decryption.
RSA is a public‑key system.
Reasons for Development
Key distribution problem of symmetric systems.
Need for digital signatures.
Basic Characteristics
Public key PK is public; private key SK is secret; algorithms are public.
Sender encrypts plaintext X with receiver’s public key PKB using E to produce ciphertext Y.
Receiver decrypts Y with private key SKB using D to recover X.
Deriving SKB from PKB is computationally infeasible.
Public key can encrypt but not decrypt.
Order of applying E and D does not affect result.
Security of encryption algorithms depends on key length and computational effort, not merely on the algorithm; public‑key encryption incurs higher overhead than symmetric.
3. Digital Signatures
Three main functions:
Message authentication – receiver can be sure the message came from the sender.
Integrity – receiver can be sure the data has not been altered.
Non‑repudiation – sender cannot deny having signed the message.
All three rely on the fact that no one else possesses the sender’s private key SKA.
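The public-key properties of Section 2 (PK public, SK secret, SKB undoes what PKB does, E and D commute) and the signature functions of Section 3 (only the holder of SKA can produce a signature that PKA verifies) can be seen on a textbook-sized RSA key. The block below is an added example, not material from the original course; its parameters (p = 61, q = 53, e = 17, d = 2753) are constructed toy values far too small for real use, and the hash-then-reduce step that turns a message into an RSA block is a simplification of what real signature schemes do.

```python
import hashlib

# Toy RSA parameters, constructed for illustration only; real keys are 2048+ bits.
P, Q = 61, 53
N = P * Q                  # modulus n = 3233
PHI = (P - 1) * (Q - 1)    # phi(n) = 3120
E_EXP = 17                 # public exponent e
D_EXP = 2753               # private exponent d, chosen so that e*d = 1 (mod phi(n))
assert (E_EXP * D_EXP) % PHI == 1


def keypair():
    """Return (PK, SK): the public key and the private key, each as (exponent, modulus)."""
    return (E_EXP, N), (D_EXP, N)


def apply_key(key, x):
    """Modular exponentiation; the same operation is E when given PK and D when given SK."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(x, exp, n)


def encrypt(pk_b, x):
    """Sender: Y = E_PKB(X), using the receiver's public key."""
    return apply_key(pk_b, x)


def decrypt(sk_b, y):
    """Receiver: X = D_SKB(Y), using the receiver's private key."""
    return apply_key(sk_b, y)


def digest_mod_n(message, n):
    """Hash the message and reduce it into the RSA block range (a toy simplification)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sk_a, message):
    """Signer A applies its private key SKA to the message digest."""
    return apply_key(sk_a, digest_mod_n(message, sk_a[1]))


def verify(pk_a, message, signature):
    """Anyone holding A's public key recovers the digest and compares it to a fresh one."""
    return apply_key(pk_a, signature) == digest_mod_n(message, pk_a[1])


if __name__ == "__main__":
    pk_b, sk_b = keypair()
    x = 1234
    y = encrypt(pk_b, x)
    print("ciphertext:", y, "recovered:", decrypt(sk_b, y))
    # Order of applying E and D does not matter for RSA: D(E(X)) == E(D(X)) == X
    print("commutes:", apply_key(pk_b, apply_key(sk_b, x)) == x)
    sig = sign(sk_b, b"pay 100 to Bob")
    print("valid signature:", verify(pk_b, b"pay 100 to Bob", sig))
    print("altered signature:", verify(pk_b, b"pay 100 to Bob", (sig + 1) % N))
```

Because RSA exponentiation with a valid key pair is a permutation of the block range, changing even one unit of the signature maps to a different digest, which is why the altered signature fails verification.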
4. Authentication
Authentication verifies that the communication partner is the intended entity and that the message is intact.
Message Authentication
Ensures the received message truly originates from the claimed sender and includes endpoint authentication and integrity verification.
Hash Functions
Input can be long; output is fixed‑length hash value.
Different inputs generally produce different hashes, although collisions (two distinct inputs with the same hash) are possible in principle.
Common hash algorithms named in the course: MD5 and SHA‑1 (both are now considered broken for collision resistance; current practice uses the SHA‑2 family).
Message Authentication Code (MAC)
MAC is the result of encrypting a hash H with a secret key.
MAC does not encrypt the whole message, only the hash, providing integrity with low computational cost.
Entity Authentication
Unlike message authentication, entity authentication verifies the counterpart once for the entire session.
Replay Attack
An attacker captures a legitimate message from A to B and replays it to B, causing B to believe the attacker is A.
Nonce
A large random number used only once.
Nonces allow distinguishing repeated authentication requests from new ones.
Public‑key cryptosystem can implement entity authentication.
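The MAC described above (a keyed hash that protects integrity without encrypting the message) and the nonce defence against replay can be combined into a small challenge-response exchange. The block below is an added example, not code from the original course: HMAC-SHA256 from Python's standard library stands in for "encrypting the hash H with a secret key", the shared key and the `auth-response:` label are constructed for the demonstration, and the `Verifier` class is this example's own model of B's side.

```python
import hashlib
import hmac
import secrets


def compute_mac(key, message):
    """MAC = keyed hash of the message; HMAC-SHA256 plays the role of the encrypted hash H."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key, message, tag):
    """Constant-time comparison, so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(compute_mac(key, message), tag)


class Verifier:
    """B's side of nonce challenge-response: each nonce is issued once and accepted once."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # large random number, used only once
        self.outstanding.add(nonce)
        return nonce

    def check_response(self, nonce, tag):
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: a replayed response lands here
        self.outstanding.discard(nonce)  # consume it so the same response cannot be reused
        return verify_mac(self.key, b"auth-response:" + nonce, tag)


def respond(key, nonce):
    """A's side: prove possession of the shared key by MACing B's fresh nonce."""
    return compute_mac(key, b"auth-response:" + nonce)


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # sample key for the demo, not a real secret
    tag = compute_mac(key, b"transfer 100")
    print("intact message:", verify_mac(key, b"transfer 100", tag))
    print("tampered message:", verify_mac(key, b"transfer 900", tag))
    b = Verifier(key)
    nonce = b.challenge()
    response = respond(key, nonce)
    print("first use of response:", b.check_response(nonce, response))
    print("replayed response:", b.check_response(nonce, response))
```

The second `check_response` call fails not because the MAC is wrong (it is the same valid tag) but because B has already consumed that nonce, which is exactly the distinction between a fresh authentication and a replayed one.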
Man‑in‑the‑Middle Attack
Even with public‑key authentication, attacks are possible if public keys are not properly verified.
Thus, secure distribution and verification of public keys are critical.
5. Key Distribution
Symmetric Key Distribution
Typically uses a Key Distribution Center (KDC) to assign temporary session keys.
KDC is a trusted entity that provides session keys for secret communication.
Kerberos is a well‑known symmetric key distribution protocol.
Public‑key Distribution
Certification Authority (CA) binds public keys to entities.
Users can obtain a certificate from a CA, which includes the public key and identity information.
Certificate issuance process:
CA verifies the user’s true identity.
CA generates a public‑private key pair and creates a certificate.
CA signs the certificate with its private key.
The certificate can be distributed to any party wishing to communicate securely.
The Internet uses a Public Key Infrastructure (PKI) defined by RFCs for global certificate services.
CA functions:
Certificate issuance
Certificate renewal
Certificate lookup
Certificate revocation
Certificate archiving
6. Firewalls and Intrusion Detection
Firewalls
Firewalls enforce access control at network boundaries, blocking unnecessary traffic to reduce intrusion risk.
A firewall is a specially programmed router placed between a network segment and the rest of the network to implement access‑control policies.
(1) Packet‑filtering Router
Filters packets based on rules, either forwarding or dropping them.
Can block specific external packets or internal outbound packets.
Advantages: simple, efficient, transparent; limitation: cannot filter higher‑layer data.
(2) Application Gateway / Proxy Server
Acts as a message relay at the application layer.
Provides filtering and user authentication based on application‑layer data.
All application traffic must pass through the gateway, which inspects requests for legality.
Drawbacks:
Each application requires a separate gateway.
Heavy processing load at the application layer.
Not transparent to applications; requires client configuration.
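A packet-filtering router of the kind described in (1) decides on header fields alone, first matching rule wins, and anything unmatched falls to a default. The block below is an added example written for this article, not code from the course: the `Packet` and `Rule` types, the 192.0.2.0/24 internal network and the three-rule policy are all constructed. It also shows the stated limitation in action: the payload travels with the packet but never influences the decision, which is the gap an application gateway closes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # present on the wire, but a packet filter never inspects it


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR, e.g. "0.0.0.0/0" for any source
    dst: str
    dport: Optional[int]  # None matches any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches on header fields only: protocol, addresses and destination port."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule decides; unmatched packets get the default (deny by default)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed policy for an internal network 192.0.2.0/24 with a web server at 192.0.2.10.
RULES = [
    Rule("drop", "any", "0.0.0.0/0", "192.0.2.0/24", 23),      # block inbound telnet
    Rule("accept", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),   # allow inbound web traffic
    Rule("accept", "any", "192.0.2.0/24", "0.0.0.0/0", None),  # allow internal hosts outbound
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "192.0.2.10", 80),
        Packet("tcp", "203.0.113.5", "192.0.2.10", 23),
        Packet("tcp", "203.0.113.5", "192.0.2.10", 22),
        Packet("tcp", "192.0.2.20", "198.51.100.1", 443),
        # Same headers as the first packet, so it is accepted regardless of the payload.
        Packet("tcp", "203.0.113.5", "192.0.2.10", 80, b"GET /?q=anything HTTP/1.1"),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.dport, filter_packet(RULES, pkt))
```

The last sample packet is the limitation from the text made concrete: two packets that differ only in application-layer content receive the same verdict, so filtering on request content needs the application gateway of (2).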
Intrusion Detection Systems (IDS)
IDS serve as a second line of defense, analyzing network packets to detect suspicious activity and raise alerts.
(1) Signature‑based IDS
Detects known attacks by matching packet patterns against a database of signatures.
(2) Anomaly‑based IDS
Detects unknown attacks by learning normal traffic patterns and flagging deviations.
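The two IDS styles above can be contrasted on the same traffic window. The block below is an added example, not code from the original course: the two-entry signature database, the sample request payloads, the baseline request rates and the mean-plus-three-standard-deviations rule are all constructed for the demonstration, and real systems use far richer signatures and models.

```python
import re
import statistics

# Constructed signature database: a name and a pattern matched against packet payloads.
SIGNATURES = [
    ("sql-union-probe", re.compile(rb"(?i)union\s+select")),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]


def signature_alerts(payload: bytes):
    """Signature-based: return the names of every known pattern found in the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


def anomaly_threshold(baseline_counts, k: float = 3.0) -> float:
    """Anomaly-based: learn a per-source request-rate threshold of mean + k std deviations."""
    mean = statistics.fmean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    return mean + k * sd


def anomaly_alerts(counts_by_src, threshold: float):
    """Return the sources whose request count in the current window exceeds the threshold."""
    return sorted(src for src, count in counts_by_src.items() if count > threshold)


# Constructed sample traffic: (source address, payload) seen in one window.
SAMPLE_PACKETS = [
    ("198.51.100.7", b"GET /index.html HTTP/1.1"),
    ("203.0.113.9", b"GET /item?id=1 UNION SELECT name FROM users HTTP/1.1"),
    ("192.0.2.33", b"GET /../../etc/passwd HTTP/1.1"),
]
# Constructed normal traffic learned earlier (requests per minute per source), and the
# current window's per-source counts.
BASELINE_REQUESTS_PER_MIN = [10, 12, 9, 11, 10, 8, 12, 11]
CURRENT_REQUESTS_PER_MIN = {"198.51.100.7": 11, "203.0.113.9": 250, "192.0.2.33": 13}


def run_ids():
    """Run both detectors and return (signature hits by source, anomalous sources)."""
    hits = {}
    for src, payload in SAMPLE_PACKETS:
        names = signature_alerts(payload)
        if names:
            hits[src] = names
    threshold = anomaly_threshold(BASELINE_REQUESTS_PER_MIN)
    return hits, anomaly_alerts(CURRENT_REQUESTS_PER_MIN, threshold)


if __name__ == "__main__":
    hits, flooding = run_ids()
    print("signature alerts:", hits)
    print("rate anomalies:", flooding)
```

Note how the two detectors disagree: 192.0.2.33 trips a signature but its request rate looks normal, while 203.0.113.9 is caught both ways. A source sending an unknown attack at a normal rate would evade both, which is why the text calls IDS a second line of defence rather than a replacement for the firewall.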
Source: MaGe Linux Operations (MaGe Education, founded 2009).