🔐 PEC321 — Network Security

Osmania University MCA 3 Credits 2025–2026

✏️ Complete Visual Study Notes — All 5 Units ✏️

📘 Unit I — Introduction to Network Security

🛡️ Security Attributes (CIA + extras)

🔒
Confidentiality
Only authorized can read

✅
Integrity
Data not tampered

⚡
Availability
System always accessible

🪪
Authenticity
Identity verified

📜
Non-Repudiation
Can't deny actions

🗝️
Authorization
Permission granted

🎭
Anonymity
Identity hidden

⚔️ Types of Attacks

💣 DoS / DDoS

Denial of Service — Overwhelms server with fake requests so legitimate users can't connect.
DDoS = Distributed (many sources)

Many Bots

→

Flood Server

→

🔴 Server Down

🎭 IP Spoofing

Attacker fakes their IP address to impersonate a trusted host and bypass security filters.

Attacker
IP: X

→

Fake IP
sends: Y

→

Server
trusts Y

🔁 Replay Attack

Attacker captures valid data and retransmits it later to deceive the receiver.

Capture
Packet

→

Wait &
Replay

→

Server
deceived

🕵️ Man-in-the-Middle (MITM)

Attacker intercepts communication between two parties without their knowledge, can read, modify, or inject messages.

👩 Alice

→

😈 Attacker
(intercepts)

→

👨 Bob

← Alice thinks she's talking to Bob directly!

🦠 General Threats — Worms, Viruses & Trojans

🦠 Virus

Attaches to legitimate files.
Needs human action to spread (opening file).
Corrupts or deletes data.
Example: ILOVEYOU virus

🪱 Worm

Self-replicating — no human needed.
Spreads across networks automatically.
Consumes bandwidth & resources.
Example: WannaCry worm

🐴 Trojan

Disguised as legitimate software.
Creates backdoor for attackers.
Doesn't self-replicate.
Example: RAT (Remote Access Trojan)

📝 Key difference: Virus needs host file, Worm is standalone, Trojan looks legitimate but is malicious!

📗 Unit II — Cryptography (Secret & Public Key)

🔵 DES — Data Encryption Standard

📄 Plaintext
(64-bit)

→

🔀 Initial
Permutation

→

L₀ Left 32-bit

R₀ Right 32-bit

→

🔁 16 Feistel Rounds

Rᵢ₋₁

→

F(Rᵢ₋₁, Kᵢ)

→

⊕ Lᵢ₋₁

🔑 56-bit key → 16 subkeys K₁…K₁₆

→

🔄 Swap

→

📋 Final
Perm

→

🔒 Cipher
64-bit

📝 Symmetric, 56-bit key, 64-bit block, 16 rounds — now considered WEAK, replaced by AES

🟢 Triple DES (3DES) — EDE Mode

📄 Plaintext

→

🔐 E(K₁)
Encrypt

→

🔓 D(K₂)
Decrypt

→

🔐 E(K₃)
Encrypt

→

🔒 Ciphertext

📝 168-bit key (3×56), backward compatible with DES if K₁=K₂=K₃, used in banking/legacy

🟩 AES — Advanced Encryption Standard

📄 Plaintext
128-bit

→

➕ Initial
AddRoundKey

→

N
Rounds

→

🔒 Ciphertext

🔡SubBytes

S-Box substitution

↔️ShiftRows

Cyclic row shifts

🔀MixColumns

GF(2⁸) multiply

⊕AddRoundKey

XOR round key

128-bit → 10 rounds 192-bit → 12 rounds 256-bit → 14 rounds

📝 Current gold standard — used in WPA2, TLS, file encryption. Much stronger than DES!

🔑 Key Distribution Problem & Solutions

❌ Problem

How do Alice & Bob share a secret key securely without meeting in person?
If you send key over insecure channel → attacker intercepts it!

✅ Solutions

1️⃣ Physical exchange (meet in person)
2️⃣ Trusted Key Distribution Center (KDC)
3️⃣ Diffie-Hellman key exchange
4️⃣ Public Key Infrastructure (PKI)

🔴 RSA — Public Key Cryptography

🗝️ Key Generation Steps

① Choose large primes p and q
② Compute n = p × q
③ φ(n) = (p−1)(q−1)
④ Choose e: gcd(e, φ) = 1
⑤ Compute d: d·e ≡ 1 (mod φ)

📢 Public Key: (e,n) 🔒 Private Key: (d,n)

📨 Message M

↓

🔐 C = Mᵉ mod n (use Public Key)

↓

🔒 Ciphertext C

↓

🔓 M = Cᵈ mod n (use Private Key)

↓

📨 Original Message M

📝 Asymmetric — 2 different keys. Security based on difficulty of factoring large numbers. Used in HTTPS, digital signatures.

🟣 ECC — Elliptic Curve Cryptography

📐 What is ECC?

Based on algebraic structure of elliptic curves over finite fields.
Equation: y² = x³ + ax + b
Provides same security as RSA with much smaller keys!

RSA 2048-bit ≈ ECC 224-bit 🎯

✅ Advantages of ECC

🔋 Less computation — ideal for mobile
🔑 Smaller key sizes — faster operations
📶 Less bandwidth — good for IoT
🛡️ Strong security — discrete log on EC hard
Used in: Bitcoin, TLS 1.3, SSH

🟠 Diffie-Hellman Key Exchange

🌐 Public: p (prime) and g (generator)

👩 Alice

🎲 Secret: a
Compute: A = gᵃ mod p
📤 Send A to Bob
📥 Receive B
🔑 Key = Bᵃ mod p

A →

public exchange

← B

🤝 Shared Secret
S = gᵃᵇ mod p

👨 Bob

🎲 Secret: b
Compute: B = gᵇ mod p
📤 Send B to Alice
📥 Receive A
🔑 Key = Aᵇ mod p

📝 Never transmits the secret! Eavesdropper sees A & B but can't compute gᵃᵇ (discrete log problem). Foundation of TLS!

☕ Java Cryptography Extensions (JCE) & Attacks

☕ JCE Overview

Java framework providing cryptographic APIs.
Supports: AES, DES, RSA, SHA, HMAC
Key classes: Cipher, KeyGenerator, MessageDigest, Signature
Provider model: Sun, BouncyCastle etc.

⚔️ Crypto Attacks

🔑 Brute Force — try all keys
📖 Dictionary Attack — common passwords
🔤 Known Plaintext — attacker knows P & C
🎯 Chosen Plaintext — attacker chooses P
🕐 Timing Attack — measure execution time
🔢 Birthday Attack — hash collisions

📙 Unit III — Integrity, Authentication & Non-Repudiation

🟣 Hash Functions — MD5 & SHA

📝 "Hello"

→

SHA-
256

→

185f8db32921bd46d39f6a43
db8a6ce4a56a2a0de40923cd
(256-bit fixed output)

🔍 MD5 vs SHA Comparison

MD5: 128-bit output — ⚠️ BROKEN (collisions found)
SHA-1: 160-bit output — ⚠️ Deprecated
SHA-256: 256-bit output — ✅ Secure
SHA-512: 512-bit output — ✅ Very Secure

⚡ Hash Properties

✅ One-way — can't reverse hash → input
✅ Deterministic — same input = same hash
✅ Avalanche effect — 1 bit change → totally different hash
✅ Collision resistant — no two inputs same hash

📝 Uses: Password storage, file integrity, blockchain, digital certificates, HMAC

🔑 MAC — Message Authentication Code

📨 Message M

→

MAC Algorithm
+ Secret Key K

→

🏷️ MAC Tag

→

Send (M + MAC) together

Receiver computes MAC'

→

Compare MAC' == MAC?

→

✅ Authentic if equal

HMAC — Hash-based MAC

HMAC(K,M) = H((K⊕opad) || H((K⊕ipad)||M))
Uses hash function + secret key.
More secure than plain MAC.
Used in: TLS, JWT tokens, APIs

MAC vs Hash vs Encryption

🔐 Hash — integrity only, no key
🔑 MAC — integrity + authentication (shared key)
🔒 Encryption — confidentiality
🖊️ Digital Sig — integrity + non-repudiation

✍️ Digital Signature using RSA

📤 Signing (by Sender)

📨 Message M

↓

Hash(M) → digest h

↓

Sign: S = h^d mod n
(use Private Key)

↓

📤 Send (M, S)

📥 Verification (by Receiver)

📥 Receive (M, S)

↓

Recover: h' = S^e mod n
(use Public Key)

↓

Compute Hash(M) → h

↓

h == h' ? ✅ Valid!

📝 Provides Authentication + Integrity + Non-Repudiation! Sender can't deny signing!

📐 DSA — Digital Signature Algorithm

How DSA Works

Based on discrete logarithm problem.
US Government standard (FIPS 186).
Signature = pair (r, s)
Uses prime p, q, generator g
Private key: x Public key: y = gˣ mod p

RSA vs DSA

RSA: Both encrypt AND sign
DSA: Only for digital signatures
RSA: Slower verification
DSA: Faster signing, slower verification
Both: Used in SSL/TLS certificates

🫵 Biometric Authentication

👆 Physiological

Fingerprint 🖐️
Face recognition 😊
Iris scan 👁️
Retina scan
Hand geometry

🚶 Behavioral

Keystroke dynamics ⌨️
Voice recognition 🎙️
Signature dynamics ✍️
Gait analysis 🚶
Mouse movements

⚙️ Auth Flow

1. Enroll & store template
2. Scan biometric input
3. Extract features
4. Compare with template
5. Match? ✅ Grant access

📝 FAR (False Accept Rate) and FRR (False Reject Rate) are key metrics for biometric systems

📕 Unit IV — PKI, Smart Cards & Firewalls

🔏 PKI — Public Key Infrastructure

Root CA
🏛️ (Trust Anchor)

→

Intermediate CA
🏢

→

End Entity
Certificate 📜

→

User/Server
🖥️👩

🏛️ Digital Certificates (X.509)

Certificate contains:
📋 Owner's name & public key
🔏 CA's digital signature
📅 Validity period
🔢 Serial number
🌐 Subject Alternative Name (SAN)

🏢 Certifying Authority (CA)

Trusted third party that issues certificates.
Verifies identity before issuing.
Maintains Certificate Revocation List (CRL).
Examples: DigiCert, Let's Encrypt, VeriSign
OCSP — Online Certificate Status Protocol

🔑 POP — Proof of Possession Key Interface

Proves the user actually possesses the private key corresponding to the public key in the certificate.
Methods: Signature-based POP (sign a challenge), Encryption-based POP (decrypt a challenge), Key agreement POP.
Used in certificate enrollment protocols like CRMF/CMP.

🔥 Firewalls — System Security

🌐 Internet
(Untrusted)

→

🔥
FIREWALL
Block / Allow rules

→

🏠 Internal
Network (Safe)

📦 Packet Filter

Inspects IP headers.
Rules based on src/dest IP, port, protocol.
Stateless — no connection memory.
Fast but limited!

🔍 Stateful Inspection

Tracks TCP connection state.
Maintains connection table.
More secure than packet filter.
Knows if packet is NEW or ESTABLISHED

🖥️ Application Gateway

Works at application layer.
Acts as proxy server.
Deep packet inspection.
Understands HTTP, FTP, SMTP etc.

🛡️ VPN — Virtual Private Network

🏠 User
(Home)

→

🔐 Encrypted
Tunnel

→

🔒 VPN
Server

→

🏢 Corporate
Network

VPN Protocols

🔵 IPSec — network layer, strong encryption
🟢 SSL/TLS — application layer, web-based
🟠 OpenVPN — open source, flexible
🟣 WireGuard — modern, fast, simple

VPN Modes

👤 Remote Access — user to network
🏢 Site-to-Site — network to network
📱 Client VPN — device to server
Tunneling: encapsulates encrypted packets inside normal packets

💳 Smart Cards & Zero Knowledge Protocols

💳 Smart Card Anatomy

Contains: Microprocessor + Memory (ROM/RAM/EEPROM)
📡 Contact or contactless interface
🔑 Stores cryptographic keys securely
🛡️ Tamper-resistant hardware
Types: EMV cards, SIM cards, ID cards, transit cards

💳 Card
Inserted

→

Mutual
Auth

→

✅ Access
Granted

🧙 Zero Knowledge Proof (ZKP)

Prover convinces Verifier they know a secret without revealing the secret!

🎮 Classic example: Peggy knows path in a cave, Victor verifies without seeing the path.

Properties:
✅ Completeness — honest prover always convinces
✅ Soundness — cheater can't fool verifier
✅ Zero-Knowledge — no info leaked

Used in: Smart cards, zkSNARKs, blockchain privacy

⚔️ Attacks on Smart Cards

⚡ Power Analysis (SPA/DPA)
Measures power consumption to extract keys

⏱️ Timing Attack
Measures time to execute operations to infer secrets

🔧 Fault Injection
Induces errors via voltage glitches, laser, EM fields

📒 Unit V — Applications of Network Security

🎫 Kerberos Authentication Protocol

Ticket-based authentication — no passwords sent over network!

Step 1: AS Exchange

👤 Client → AS (Auth Server)
Send: Username
Receive: TGT (Ticket Granting Ticket)
encrypted with client's password hash

Step 2: TGS Exchange

👤 Client → TGS (Ticket Granting Server)
Send: TGT + requested service
Receive: Service Ticket (ST)
encrypted with service's key

Step 3: Client-Server

👤 Client → Application Server
Send: Service Ticket (ST)
Server decrypts → verifies
✅ Access Granted!

👤 Client

⇄

🏛️ AS
Auth Server

⇄

🎫 TGS
Ticket Server

⇄

🖥️ App
Server

📝 Kerberos uses symmetric key crypto (AES). Uses timestamps to prevent replay attacks. Default in Windows AD!

🌐 SSL / TLS — Web Security Protocol

🤝 TLS Handshake

1️⃣ Client Hello — supported ciphers, random
2️⃣ Server Hello — chosen cipher, certificate
3️⃣ Client verifies certificate (CA chain)
4️⃣ Key Exchange (RSA or DH)
5️⃣ Both compute session key
6️⃣ Finished — encrypted channel ready! 🔐

📋 TLS Protocol Stack

Application (HTTP, FTP, SMTP)

↕

TLS Record Layer (encrypt/decrypt)

↕

TLS Handshake Protocol

↕

TCP / IP Transport

📝 SSL 3.0 is deprecated! Use TLS 1.2 or TLS 1.3. HTTPS = HTTP over TLS. Provides confidentiality + authentication + integrity!

🔐 IPSec — IP Security Protocol

📦 IPSec Protocols

AH (Authentication Header)
→ Provides Integrity + Authentication
→ No encryption of payload

ESP (Encapsulating Security Payload)
→ Provides Confidentiality + Integrity + Auth
→ Encrypts the payload

🚇 IPSec Modes

Transport Mode:
→ Encrypts only payload
→ Original IP header preserved
→ Used for host-to-host

Tunnel Mode:
→ Encrypts entire IP packet
→ New IP header added
→ Used for VPNs (gateway-to-gateway)

Original
IP Packet

→

IKE
Key Exchange

→

SA
(Security Assoc.)

→

ESP/AH
Applied

→

🔒 Secure
Packet

💳 Electronic Payments, E-Cash & Micro Payments

💻 E-Commerce Payment

Customer → Merchant → Payment Gateway → Bank

Uses SSL/TLS for transmission.
Credit card details encrypted.
3D Secure (3DS) for extra auth.
PCI-DSS compliance required.

💰 E-Cash (Digital Cash)

Electronic equivalent of physical cash.
Anonymous — like real cash!
Uses blind signatures (Chaum protocol).
Bank issues signed digital coins.
Can't trace who spent which coin.

🪙 Micro Payments

Very small transactions (< $1).
Need low overhead protocols.
Examples: Pay-per-article, streaming bits.
Protocols: HashCash, PayWord, MicroMint.
Also: Lightning Network (Bitcoin)

🛒 SET — Secure Electronic Transaction

🎭 SET Participants

👤 Cardholder — buyer
🏪 Merchant — seller
🏦 Issuer — cardholder's bank
🏛️ Acquirer — merchant's bank
🔏 CA — issues digital certificates
💳 Payment Gateway — connects networks

🔐 SET Security Features

✅ Dual Signature — merchant sees order, bank sees payment info (neither sees both!)
✅ Cardholder authentication via certificate
✅ Merchant authentication via certificate
✅ DES for bulk encryption
✅ RSA for key exchange

🏢 Case Studies — .NET & J2EE Security

🔷 .NET Security Model

Code Access Security (CAS) — controls what code can do
Role-Based Security — user roles & permissions
Cryptography: System.Security.Cryptography namespace
AES, RSA, SHA, HMAC built-in
ASP.NET: Forms auth, Windows auth, SSL
Claims-based identity — modern approach

☕ J2EE Security Model

JAAS — Java Authentication & Authorization Service
JSSE — Java Secure Socket Extension (SSL/TLS)
JCE — Java Cryptography Extension
Declarative Security — in deployment descriptor
Programmatic Security — in code
Servlet containers handle authentication

📊 Master Quick Reference Table

Topic	Unit	Key Points	Use Case
🔵 DES	II	Symmetric, 56-bit key, 16 Feistel rounds	⚠️ Legacy only
🟢 3DES	II	EDE mode, 168-bit, 3× DES operations	Banking (legacy)
🟩 AES	II	Symmetric, 128/192/256-bit, 128-bit block	✅ WPA2, TLS, files
🔴 RSA	II	Asymmetric, public/private key pair	✅ HTTPS, email
🟣 ECC	II	Asymmetric, smaller keys, elliptic curves	✅ Mobile, IoT, TLS 1.3
🟠 Diffie-Hellman	II	Key exchange, discrete log problem	✅ TLS handshake
🟣 SHA-256/MD5	III	Hash function, one-way, fixed output	✅ Passwords, blockchain
🔑 MAC/HMAC	III	Message authentication + integrity	✅ API auth, JWT
✍️ Digital Sig RSA/DSA	III	Non-repudiation + authentication	✅ Certs, contracts
🔏 PKI/CA	IV	Certificate hierarchy, X.509	✅ HTTPS everywhere
🔥 Firewall	IV	Packet filter / Stateful / App gateway	✅ Network protection
💳 Smart Card/ZKP	IV	Tamper-resistant, zero knowledge proofs	✅ Banking, ID cards
🎫 Kerberos	V	Ticket-based auth, AS+TGS+Service	✅ Windows AD, SSO
🌐 SSL/TLS	V	Handshake → session key → encrypted channel	✅ All HTTPS traffic
🔐 IPSec	V	AH + ESP, Transport/Tunnel mode	✅ VPNs, site-to-site
🛒 SET	V	Dual signature, e-commerce security	E-commerce

✏️ Osmania University MCA — PEC321 Network Security — 2025-2026 🔐