Internet.Security

Since Sun’s Remote Procedure Call (RPC) and eXternal Data Representation (XDR) are defined separately from NFS, programmers can use them to build distributed applications.

2.5 Electronic Mail

In this section, we consider electronic mail service and the protocols that support it. An electronic mail (e-mail) facility allows users to send small notes or large voluminous memos across the Internet. E-mail is popular because it offers a fast, convenient method of transferring information and communicating.

2.5.1 Simple Mail Transfer Protocol (SMTP)

The Simple Mail Transfer Protocol (SMTP) provides a basic e-mail facility. SMTP is the protocol that transfers e-mail from one server to another. It provides a mechanism for transferring messages among separate servers. Features of SMTP include mailing lists, return receipts and forwarding. SMTP accepts the incoming message and makes use of TCP to send it to an SMTP module on another servers. The target SMTP module will make use of a local electronic mail package to store the incoming message in a user’s mailbox. Once the SMTP server identifies the IP address for the recipient’s e-mail server, it sends the message through standard TCP/IP routing procedures.

Since SMTP is limited in its ability to queue messages at the receiving end, it’s usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving messages that have been received for them at their local server. Most mail programs (such as Eudora) let you specify both an SMTP server and a POP server. On UNIX-based systems, sendmail is the most widely-used SMTP server for e-mail. Earlier versions of sendmail presented many security risk problems. Through the years, however, sendmail has become much more secure, and can now be used with confidence. A commercial package, sendmail, includes a POP3 server and there is also a version for Windows NT.

Hackers often use different forms of attack with SMTP. A hacker might create a fake e-mail message and send it directly to an SMTP server. Other security risks associated with SMTP servers are denial-of-service attacks. Hackers will often flood an SMTP server with so many e-mails that the server cannot handle legitimate e-mail traffic. This type of flood effectively makes the SMTP server useless, thereby denying service to legitimate e-mail users. Another well-known risk of SMTP is the sending and receiving of viruses and Trojan horses. The information in the header of an e-mail message is easily forged. The body of an e-mail message contains standard text or a real message. Newer e-mail programs can send messages in HTML format. No viruses and Trojans can be contained within the header and body of an e-mail message, but they may be sent as attachments. The best defence against malicious attachments is to purchase an SMTP server that scans all messages for viruses, or to use a proxy server that scans all incoming and outgoing messages.

SMTP is usually implemented to operate over TCP port 25. The details of SMTP are in RFC 2821 of the Internet Engineering Task Force (IETF). An alternative to SMTP that is widely used in Europe is X.400.

2.5.2Post Office Protocol Version 3 (POP3)

The most popular protocol used to transfer e-mail messages from a permanent mailbox to a local computer is known as the Post Office Protocol version 3 (POP3). The user invokes a POP3 client, which creates a TCP connection to a POP3 server on the mailbox computer. The user first sends a login and a password to authenticate the session. Once authentication has been accepted, the user client sends commands to retrieve a copy of one or more messages and to delete the message from the permanent mailbox. The messages are stored and transferred as text files in RFC 2822 standard format.

Note that computers with a permanent mailbox must run two servers – an SMTP server accepts mail sent to a user and adds each incoming message to the user’s permanent mailbox, and a POP3 server allows a user to extract messages from the mailbox and delete them. To ensure correct operation, the two servers must coordinate with the mailbox so that if a message arrives via SMTP while a user extracts messages via POP3, the mailbox is left in a valid state.

2.5.3 Internet Message Access Protocol (IMAP)

The Internet Message Access Protocol (IMAP) is a standard protocol for accessing e- mail from your local server. IMAP4 (the latest version) is a client – server protocol in which e-mail is received and held for you by your Internet server. You (or your e-mail client) can view just the subject and the sender of the e-mail and then decide whether to download the mail. You can also create, manipulate and delete folders or mailboxes on the server, delete messages or search for certain e-mails. IMAP requires continual access to the server during the time that you are working with your mail.

A less sophisticated protocol is Post Office Protocol 3 (POP3). With POP3, your mail is saved for you in your mailbox on the server. When you read your mail, it is immediately downloaded to your computer and no longer maintained on the server.

IMAP can be thought of as a remote file server. POP can be thought of as a ‘store- and-forward’ service.

POP and IMAP deal with receiving e-mail from your local server and are not to be confused with SMTP, a protocol for transferring e-mail between points on the Internet. You send e-mail by SMTP and a mail handler receives it on your recipient’s behalf. Then the mail is read using POP or IMAP.

2.5.4 Multipurpose Internet Mail Extension (MIME)

The Multipurpose Internet Mail Extension (MIME) is defined to allow transmission of non-ASCII data via e-mail. MIME allows arbitrary data to be encoded in ASCII and then transmitted in a standard e-mail message. SMTP cannot be used for languages that are not supported by seven-bit ASCII characters. It cannot also be used for binary files or to send video or audio data.

MIME is a supplementary protocol that allows non-ASCII data to be sent through SMTP. MIME is a set of software functions that transforms non-ASCII data to ASCII data and vice versa.

2.6 Network Management Service

This section takes a look at a protocol that more directly supports administrative functions. RFC 1157 defines the Simple Network Management Protocol (SNMP).

2.6.1 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems and plan for network growth.

There are two versions of SNMP, v1 and v2. Both versions have a number of features in common, but SNMP v2 offers enhancements, such as additional protocol operations.

SNMP version 1 is described in RFC 1157 and functions within the specifications of the Structure of Management Information (SMI). SNMP v1 operates over protocols such as the User Datagram Protocol (UDP), IP, OSI Connectionless Network Service (CLNS), Apple-Talk Datagram-Delivery Protocol (DDP), and Novell Internet Packet Exchange (IPX). SNMP v1 is widely used and is the de facto network management protocol in the Internet community.

SNMP is a simple request – response protocol. The network management system issues a request, and managed devices return responses. This behaviour is implemented using one of four protocol operations: Get, GetNext, Set and Trap. The Get operation is used by the network management system (NMS) to retrieve the value of one or more object instances from an agent. If the agent responding to the Get operation cannot provide values for all the object instances in a list, it provides no values. The GetNext operation is used by the NMS to retrieve the value of the next object instance in a table or list within an agent. The Set operation is used by the NMS to set the values of object instances within an agent. The Trap operation is used by agents to asynchronously inform the NMS of a significant event.

SNMP version 2 is an evolution of the SNMP v1. It was originally published as a set of proposed Internet Standards in 1993. SNMP v2 functions within the specifications of the Structure of Management Information (SMI) which defines the rules for describing management information, using Abstract Syntax Notation One (ASN.1). The Get, GetNext and Set operation used in SNMP v1 are exactly the same as those used in SNMP v2. However, SNMP v2 adds and enhances some protocol operations. SNMP v2 also defines two new protocol operations: GetBulk and Inform. The GetBulk operation is used by the NMS to efficiently retrieve large blocks of data, such as multiple rows in a table. GetBulk fills a response message with as much of the requested data as will fit. The Inform operation allows one NMS to send trap information to another NMS and receive a response.

SNMP lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include masquerading, modification of information, message sequence and timing modifications and disclosure.

2.7 Converting IP Addresses

To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the connection of a host to the Internet. However, users prefer a system that can map a name to an address or an address to a name. This section considers converting a name to an address and vice versa, mapping between high-level machine names and IP addresses.

2.7.1Domain Name System (DNS)

The Domain Name System (DNS) uses a hierarchical naming scheme known as domain names. The mechanism that implements a machine name hierarchy for TCP/IP is called DNS. DNS has two conceptual aspects: the first specifies the name syntax and rules for delegating authority over names, and the second specifies the implementation of a distributed computing system that efficiently maps names to addresses.

DNS is a protocol that can be used in different platforms. In the Internet, the domain name space is divided into three different sections: generic domain, country domain and inverse domain. A DNS server maintains a list of hostnames and IP addresses, allowing computers that query them to find remote computers by specifying hostnames rather than IP addresses. DNS is a distributed database and therefore DNS servers can be configured to use a sequence of name servers, based on the domains in the name being looked for.

2.8 Routing Protocols

An Internet is a combination of networks connected by routers. When a datagram goes from a source to a destination, it will probably pass through many routers until it reaches the router attached to the destination network. A router chooses the route with the shortest metric. The metric assigned to each network depends on the type of protocol. The Routing Information Protocol (RIP) is a simple protocol which treats each network as equals. The Open Shortest Path First (OSPF) protocol is an interior routing protocol that is becoming very popular. Border Gateway Protocol (BGP) is an inter-autonomous system routing protocol which first appeared in 1989.

2.8.1 Routing Information Protocol (RIP)

The Routing Information Protocol (RIP) is a protocol used to propagate routing information inside an autonomous system. Today, the Internet is so large that one routing protocol cannot handle the task of updating the routing tables of all routers.

Therefore, the Internet is divided into autonomous systems. An Autonomous System (AS) is a group of networks and routers under the authority of a single administration. Routing inside an autonomous system is referred to as interior routing. RIP and OSPF are popular interior routing protocols used to update routing tables in an AS. Routing between autonomous systems is referred to as exterior routing. RIP is a popular protocol which

belongs to the interior routing protocol. It is a very simple protocol based on distance vector routing, which uses the Bellman – Ford algorithm for calculating routing tables. A RIP routing table entry consists of a destination network address, the hop count to that destination and the IP address of the next router. RIP uses three timers: the periodic timer controls the advertising of the update message, the expiration timer governs the validity of a route, and the garbage collection timer advertises the failure of a route. However, two shortcomings associated with the RIP protocol are slow convergence and instability.

2.8.2Open Shortest Path First (OSPF)

The Open Shortest Path First (OSPF) is a new alternative to RIP as an interior routing protocol. It overcomes all the limitations of RIP. Link-state routing is a process by which each router shares its knowledge about its neighbourhood with every other router in the area. OSPF uses link-state routing to update the routing tables in an area, as opposed to RIP which is a distance-vector protocol. The term distance-vector means that messages sent by RIP contain a vector of distances (hop counts). In reality, the important difference between two protocols is that a link-state protocol always converges faster than a distancevector protocol.

OSPF divides an autonomous system (AS) in areas, defined as collections of networks, hosts and routers. At the border of an area, area border routers summarise information about the area and send it to other areas. There is a special area called the backbone among the areas inside an autonomous system. All the areas inside an AS must be connected to the backbone whose area identification is zero. OSPF defines four types of links: point- to-point, transient, stub and virtual. Point-to-point links between routers do not need an IP address at each end. Unnumbered links can save IP addresses. A transient link is a network with several routers attached to it. A stub link is a network that is connected to only one router. When the link between two routers is broken, the administration may create a virtual link between them using a longer path that probably goes through several routers.

A simple authentication scheme can be used in OSPF. OSPF uses multicasting rather than broadcasting in order to reduce the load on systems not participating in OSPF. Distance-vector Multicast Routing Protocol (DVMRP) is used in conjunction with IGMP to handle multicast routing. DVMRP is a simple protocol based on distance-vector routing and the idea of MBONE. Multicast Open Shortest Path First (MOSPF), an extension to the OSPF protocol, adds a new type of packet (called the group membership packet) to the list of link state advertisement packets. MOSPF also uses the configuration of MBONE and islands.

2.8.3Border Gateway Protocol (BGP)

BGP is an exterior gateway protocol for communication between routers in different autonomous systems. BGP is based on a routing method called path-vector routing. Refer to RFC 1772 (1991) which describes the use of BGP in the Internet. BGP version 3 is defined in RFC 1267 (1991) and BGP version 4 in RFC 1467 (1993).

Path-vector routing is different from both distance-vector routing and link-state routing. Path-vector routing does not have the instability nor looping problems of distance-vector routing. Each entry in the routing table contains the destination network, the next router

and the path to reach the destination. The path is usually defined as an ordered list of autonomous systems that a packet should travel through to reach the destination.

BGP is different from RIP and OSPF in that BGP uses TCP as its transport protocol. There are four types of BGP messages: open, update, keepalive and notification. BGP detects the failure of either the link or the host on the other end of the TCP connection by sending a keepalive message to its neighbour on a regular basis.

2.9 Remote System Programs

High-level services allow users and programs to interact with automated services on remote machines and with remote users. This section describes programs that include Rlogin (Remote login) and TELNET (TErminaL NETwork).

2.9.1 TELNET

TELNET is a simple remote terminal protocol that allows a user to log on to a computer across an Internet. TELNET establishes a TCP connection, and then passes keystrokes from the user’s keyboard directly to the remote computer as if they had been typed on a keyboard attached to the remote machine. TELNET also carries output from the remote machine back to the user’s screen. The service is called transparent because it looks as if the user’s keyboard and display attach directly to the remote machine. TELNET client software allows the user to specify a remote machine either by giving its domain name or IP address.

TELNET offers three basic services. First, it defines a network virtual terminal that provides a standard interface to remote systems. Second, TELNET includes a mechanism that allows the client and server to negotiate options. Finally, TELNET treats both ends of the connection symmetrically.

2.9.2 Remote Login (Rlogin)

Rlogin was designed for remote login only between UNIX hosts. This makes it a simpler protocol than TELNET because option negotiation is not required when the operating system on the client and server are known in advance. Over the past few years, Rlogin has also ported to several non-UNIX environments. RFC 1282 specifies the Rlogin protocol.

When a user wants to access an application program or utility located on a remote machine, the user performs remote login. The user sends the keystrokes to the terminal driver where the local operating system accepts the characters but does not interpret them. The characters are sent to the TELNET client, which transforms the characters into a universal character set called Network Virtual Terminal (NVT) characters and delivers them to the local TCP/IP stack.

The commands or text (in NVT form) travel through the Internet and arrive at the TCP/IP stack at the remote machine. Here the characters are delivered to the operating system and passed to the TELNET server, which changes the characters to the corresponding characters understandable by the remote computer.

6 March 1987 the NBS published in the Federal Register a request for comments on the second five-year review. The comment period closed on 10 December 1992. After much debate, DES was reaffirmed as a US government standard until 1992 because there was still no alternative for DES. The NIST again solicited a review to assess the continued adequacy of DES to protect computer data. In 1993, NIST formally solicited comments on the recertification of DES. After reviewing many comments and technical inputs, NIST recommend that the useful lifetime of DES would end in the late 1990s. In 2001, the Advanced Encryption Standard (AES), known as the Rijndael algorithm, became an FIPSapproved advanced symmetric cipher algorithm. AES will be a strong advanced algorithm in lieu of DES.

The DES is now a basic security device employed by worldwide organisations. Therefore, it is likely that DES will continue to provide network communications, stored data, passwords and access control systems.

3.1.1 Description of the Algorithm

DES is the most notable example of a conventional cryptosystem. Since it has been well documented for over 20 years, it will not be discussed in detail here.

DES is a symmetric block cipher, operating on 64-bit blocks using a 56-bit key. DES encrypts data in blocks of 64 bits. The input to the algorithm is a 64-bit block of plaintext and the output from the algorithm is a 64-bit block of ciphertext after 16 rounds of identical operations. The key length is 56 bits by stripping off the 8 parity bits, ignoring every eighth bit from the given 64-bit key.

As with any block encryption scheme, there are two inputs to the encryption function: the 64-bit plaintext to be encrypted and the 56-bit key. The basic building block of DES is a suitable combination of permutation and substitution on the plaintext block (16 times). Substitution is accomplished via table lookups in S-boxes. Both encryption and decryption use the same algorithm except for processing the key schedule in the reverse order.

The plaintext block X is first transposed under the initial permutation IP, giving X0 = IP(X) = (L0, R0). After passing through 16 rounds of permutation, XORs and substitutions, it is transposed under the inverse permutation IP−1 to generate the ciphertext block Y. If Xi = (Li , Ri ) denotes the result of the ith round encryption, then we have

Li = Ri−1

Ri = Li−1 f (Ri−1, Ki )

The ith round encryption of DES algorithm is shown in Figure 3.1. The block diagram for computing the f(R, K)-function is shown in Figure 3.2. The decryption process can be derived from the encryption terms as follows:

Ri−1 = Li

Li−1 = Ri f (Ri−1, Ki ) = Ri f (Li , Ki )

If the output of the ith round encryption be Li ||Ri , then the corresponding input to the (16 – i)th round decryption is Ri ||Li . The input to the first round decryption is equal to