This report involves the critical evaluation and analysis of the cryptographic protocols that can be implemented to secure a system. This system is referred to the network diagram present in the section 19 of the case study UOB manufacturing company. The network diagram consists of different means of communication where data is exchanged between client-server, Wireless access points and PBX telephone system. These communication media are prone to attacks such as Denial of Service, network eavesdropping, data tampering etc and hence providing security to these media becomes the utmost concern for maintaining integrity, confidentiality and availability of the information exchanged between them. The main aim of this report is to provide security for these communication media by using some of the efficient cryptographic protocols such as AES, TLS, WPA, PEAP etc which provide authentication, authorization and encryption to the information exchanged in both Wired as well as Wireless communication medium.
"UoB Manufacturing" is a Manufacturing Company that produces a range of general engineering products and brackets for Monitors/Displays. They also have a small subsidiary selling direct to the public, mainly credit card transactions via phone. The company mainly consists of different communication medium for Client-server communications and to provide internet service; a telephone system which will be useful for the employees to communicate with the employees in the company. It is connected to a Private Branch Exchange (PBX) which acts as a switch. To provide internet service there is CABLE/DSL ROUTER for wired connections and Wireless access point (WAP) in the first floor for wired communication devices to connect to a wireless network. A Primary Domain Controller (PDC) is provided which allows a user to be granted access to a number of computer resources with the use of a single username and password combination. CNC programming work stations are also provided for the automation of machine tools. A CAD/CAM server is also provided which allows user to design and assists all operations of manufacturing. The PBX, WAP, PDC server, CNC programming work stations through different hubs are connected to a Main room Switch. The Network diagram of Manufacturing Company can be seen in the following figure 1
Fig 1: Referred from Section 19 of UoB manufacturing Network diagram
A Cryptographic protocol or an encryption protocol performs a security-related function and applies cryptographic methods to the message and data. Some of the Cryptographic protocols providing that provide security are IPsec, Kerberos, SSH, TSL, SSL, WPA, PEAP etc. The description of these protocols can be seen in the following
Internet Protocol Security (IPsec) is a network layer protocol which provides security by authenticating and encrypting each packet of a data stream transferred between a pair of hosts, or gateways or between a security gateway and a host. It provides security services such as
Security association (SA): generates the encryption and authentication keys to be used by IPsec.
Authentication Header (AH): provide integrity and authentication for IP packets and protection against replay attacks.
Encapsulating Security Payload (ESP): provide integrity, confidentiality and limited traffic flow of data packets.
IPSec has two modes of operation transport mode and tunnel mode. In transport mode only data is encrypted and in tunnel mode whole IP packet i.e. data and IP header are encrypted. It uses AES, TripleDES and SHA1 cryptographic algorithms.
Kerberos is a network Authentication protocol which provides mutual authentication of a client-server model- where both the user and the server verify each other's identity. Kerberos uses symmetric key cryptography which requires a third party termed as a key distribution center (KDC), which consists of two parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The KDC maintains a database of secret keys; where a client or a server shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove their identity. For communication between a client and a server, the KDC generates a session key which they can use to secure their interactions. The security of the protocol relies heavily on participants called Kerberos tickets. Kerberos works on the basis of "tickets" which serve to prove the identity of users. Kerberos also uses asymmetric key cryptography during certain phases of authentication.
SSH (Secure Shelled Protocol):
SSH is a Network layer protocol. It uses public key cryptography for to transfer, authenticate or exchange of data. For authentication it uses x.509 digital certificates and the key generations are done using DSA and RSA.
SSL (Secure Shell Layer):
SSL is an Application Layer Protocol. Its successor is known as TLS (transport layer security). TLS and SSL encrypt the segments of data at the Application Layer and ensure secure end-to-end transit at the Transport Layer. The encryption techniques used for Authentication is RSA, DSA and for key exchange it uses RSA, Diffie-Hellman Key Exchange, ECHH, SRP and PSK.
WPA (Wi-Fi Protected Access)
WPA is one of the efficient protocols in providing security for Wireless Networks. The Authentication mechanism is carried out using Extensible Authentication Protocol (EAP) protocol and data encryption is provided using Temporal Key Integrity Protocol (TKIP).
PEAP (Protected Extensible Authentication Protocol)
PEAP is an authentication protocol which is applicable for Point to Point systems and in Wireless LAN. PEAP provides authentication in two ways, 1) for password-based authentication the EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2 [MS-CHAP]) methods will be used and for certificate-based authentication EAP Transport Layer Security (TLS) method is used. Encryption can be provided when PEAP is used in conjunction with Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES).
The Network diagram can be divided into three primary parts where the security aspects are considered for each part; providing security to the Telephone system with a PBX, Securing Wireless Access Point (WAP), Securing the PDC and CAD/CAM Servers.
PART 1: Providing security to Telephone System using different Cryptographic protocols
The Telephone system in the diagram uses Voice over Internet Protocol (VoIP) for communication. It is connected to a PBX. The Private Branch Exchange (PBX) is a sophisticated computer-based switch which is an essential element that supports the critical infrastructure of the company. It is very important to secure the VoIP from Network Sniffing, Message Replay attacks and Resource Exhaustion.
Securing VoIP include authorization, authentication, integrity and privacy. Authorization is achieved through proper configuration established during set-up of the subscriber by authorizing the device in the network system. After authorization Customer Premise Equipment (CPE) provides a secure identification number to the network server. An authentication key is then exchanged between CPE and the network server.
Fig 2: Referred from Section 19 UoB manufacturing Network diagram
The Telephone system in the above diagram uses Voice over Internet Protocol (VoIP) for communication in the Network. It is connected to a PBX. The Private Branch Exchange (PBX) is a sophisticated computer-based switch which is an essential element that supports the critical infrastructure of the company. PBX includes a PBX management console that allows the operator to control incoming calls, which are connected to a Telecom Closet Hub. It is very important to secure the VoIP from Network Sniffing, Message Replay attacks and Resource Exhaustion.
Authentication support to VoIP
Securing VoIP include authorization, authentication, integrity and privacy. Authorization is achieved through proper configuration established during set-up of the subscriber by authorizing the device in the network system. After authorization, Customer Premise Equipment (CPE) provides a secure identification number to the network server. An authentication key is then exchanged between CPE and the network server. The CPE gateway is authenticated, and then the server provides an encryption key. The encryption key is used for secure communication between CPE and the network server.
Encryption Support to VoIP
VoIP signal Security can is provided to the VoIP using Transport Layer Security (TLS) at Application layer, an advanced version of SSL. TLS provides encryption using Data Encryption Standard (DES). The TLS allows the server and CPE to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. This protocol is efficient in reducing the computational and processing burdens than other protocols.
VoIP packet Security can be done by using Secure Real-Time Transport Protocol at Network Layer (SRTP) with advanced encryption standard (AES). SRTP provides message authentication, integrity checking, confidentiality and replay protection for voice packets. The data is encrypted using AES. A hash of the header and encrypted data is created using Keyed-Hashing for Message Authentication Code Secure Hash Algorithm-1 (HMAC-SHA1). SRTP is presented to reduce an attacker's ability to exploit system vulnerabilities.
PART 2: Providing Security to the Wireless Access Point (WAP)
Fig 3: Referred from UoB manufacturing Network diagram
Wireless Access Point (WAP) is commonly known as WAP, is a device which connects the different communication devices that allows communication between the wireless network and wireless communicating devices with the help ofÂ different wireless technologies such as Wi-Fi, Bluetooth, etc. It acts as a transmitter and receiver of WLAN radio signals.
Features of Wireless Access Points are
It allows very high speed networking with very long coverage area for both indoor and outdoor networking.
It provides security to the communication data through MAC addressing filtering
It plays an important role in providing encrypted security where 64 bits to 128 bit of data
Wireless Network's Threats and Vulnerabilities
The four basic components of a Wireless Network are Transmission of data, Wireless Access Points in the organization, Client devices (Ex: PC's, Laptop, PDA) and Users. Each of these components can be vulnerable to different attacks that can result in the compromise of confidentiality and integrity. Some of the attacks of can be seen in the following
Accidental association : Unauthorized access to the devices from a number of different methods and intents is referred as Accidental Association
Malicious association: Instead of connecting to the Wireless Access Points of a company, the user's wireless devices are actively connected to company's network by crackers with the help of their devices (laptop, PDA etc.).
MAC spoofing: This occurs when a cracker identifies the MAC Address of a computer with network privileges.
Denial of service: This occurs when an attacker continually sends to a targeted Access point or network with invalid requests, failure of connection establishment messages, invalid commands etc.
Caffe Latte attack: This attack is used to break a cryptographic protocol such as WEP. An attacker tries to obtain a WEP key from a remote client by sending a flood of encrypted ARP requests. The assailant uses the ARP responses to obtain the WEP key within a short span of time.
Security Protocols for Wireless Networks
Effective Encryption using cryptographic protocols is the best possible way of providing security and confidentiality of information transmitted over wireless networks. This is especially important for companies where Communication devices are connected all over and security is an important aspect. The efficient protocol for wireless networks used now-a-days is Wi-Fi Protected Access (WPA) which overcomes some of the weakness of Wireless Equivalent Privacy (WEP) designed by Wi-Fi Alliance designed to work with existing IEEE802.11 products and offers compatibility with IEEE802.11i.
Key Features of WPA
Encryption Key Management using Temporal Key Integrity Protocol (TKIP), Michael message integrity code (MIC) mechanism and AES Support
Support for both of WPA and WEP clients and mixture of them.
The strength of WPA is by using 802.1X/EAP authentication and sophisticated key management and encryption techniques.
Authentication mechanism using WPA v2
WPA supports Extensible Authentication Protocol (EAP) for environments with a RADIUS infrastructure and for environments without a RADIUS infrastructure; it supports the use of a Pre-Shared Key (PSK). PSK is especially designed for home user and RADIUS is designed for enterprise usage. In a wireless network the RADIUS server holds user credentials (user names and passwords) and authenticates before they gain access to the network. IEEE 802.1x offers an effective framework for authentication and control of user traffic to a network and varying data encryption keys via EAP from a RADIUS server.
Authentication steps using WPAv2
The client device (unauthenticated supplicant) which attempts to connect to a Wireless Access Point (authenticator) sends an EAP start-up message. A series of messages are exchanged for the authentication of the client
The Wireless access point replies with an EAP-request identity message.
After receiving the reply from the access point, the client sends an EAP-response packet containing its identity to the authentication server.
3(a) the access point responds to this packet by enabling a port for passing only EAP packets from the client to an authentication server (for example, RADIUS). Until the access point verifies the client's identity, it blocks all other packets such as HTTP, RTP and POP3 packets.
The authentication server verifies the client's identity by using a specific authentication algorithm, either using digital certificates or types of EAP.
Depending on the authenticity of the user, the authentication server will either send an accept message or reject message to the access point.
If the authentication server sends an accept message, the access point sends a success packet to the client or else a reject packet.
Once the authentication server accepts the client, the access point allows transition of all other packets previously blocked.
Fig 4: Figure showing the Authentication Mechanism using WPAv2 referred from 
Data Encryption using WPAv2
WPA uses Temporal Key Integrity Protocol (TKIP) for data encryption which includes a key mixing function per packet, an Initialization Vector (IV) with sequencing rules, a message integrity check (MIC) named Michael, and a rekeying mechanism. Including these TKIP provides the following
Verification of security configuration,
Changing of the unicast encryption keys for each frame in synchronization.
For each pre-shared key, determining a unique starting unicast encryption key.
Data Integrity using WPAv2
IEEE 802.11 and WEP provide data integrity by appending a 32-bit Integrity check value (ICV) to 802.11 payload and is encrypted with WEP. With WPA a new algorithm is known that calculates an 8-byte message integrity code (MIC) using wireless devices which is called Michael. The MIC is placed between the data portion of the IEEE 802.11 frame and the 32 bit ICV. The MIC field is encrypted together with the frame data and the ICV. Michael provides protection from replay attacks using a frame counter present in the IEEE 802.11 frame.
Besides using TKIP, WPA uses advanced encryption standard (AES). AES can be viewed as the optimal choice for companies which are concerned with security aspects.
PART 3 Providing Security to PDX and CAD/CAM servers
Fig 5: Referred from UoB manufacturing Network diagram
The network diagram shows the client devices communicating with the servers. The services for the telephone system and the first floor PCs are provided by PDC server. The CADCAM server provides services to the CNC programming workstations and CADCAM workstations. As both the servers provide the whole services to the clients in the UoB manufacturing company, client -server security is an important issue to be focussed which should provide efficient Authentication, Authorization and Association of User credentials and Data Encryption.
The protocol used for providing security is Protected Extensible Authentication Protocol (PEAP). PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. It overcomes some of the deficiencies of Extensible Authentication Protocol (EAP). It encapsulates EAP within an encrypted and authenticated Transport Layer Security (TLS) tunnel. PEAP has three versions PEAPv0, PEAPv1, PEAPv2. PEAPv0/EAP-MSCHAPv2 (its inner authentication protocol Microsoft's Challenge Handshake Authentication Protocol) is the most common form of PEAP in use, and what is usually referred to as PEAP.
Authentication in PEAP protocol
Authentication and authorization of users or devices is a very important requirement for Network administrators that are attaching to their networks. A network administrator should allow access to the users only who are authorized where locally or remote.
PEAP provide support for a variety of authentication techniques and enables extensible authentication for network access. For example, an administrator who requires password-based authentication the EAP Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2 [MS-CHAP]) methods will be used and for certificate-based authentication EAP Transport Layer Security (TLS) method is used.
Digital certificates offer many security benefits for user credentials. It is expensive for deploying and hard to manage as they require big infrastructure. PEAP provides the security benefits of authentication with strong credentials, without incurring the cost of an infrastructure required by a client public key infrastructure (PKI) deployment. PEAP version 0 is designed to meet this need by having the client establish a TLS session with a server by using the server's certificate. Then, the client is authenticated using its credential within that TLS session.
PEAP creates a secure encrypted TLS tunnel (shown in the figure) between the client and the authentication server to protect user authentication, and uses server-side public key certificates to authenticate the server. The exchange of authentication information inside the tunnel to authenticate the client is then encrypted. Hence this ensures the safety of user credentials from eavesdropping.
Authentication Mechanism of PEAPv0
For Authentication PEAP uses any of these protocols TLS, SecureID or MS-CHAPv2. Out of these the most used and secured is TLS. Hence TLS is used for authentication purpose.
An EAP session is established between an EAP peer (client) and an EAP server.
Both the parties negotiate with each other to use EAP method. Hence PEAPv0 is selected. They are followed with PEAP peer (client) and PEAP server names.
PEAP enters phase 1 where PEAP client authenticates the PEAP server and to establish a TLS session. PEAP messages are exchanged between the two parties until TLS session is established.
PEAP then enters phase 2, where PEAP server authenticates the PEAP client inside the TLS session established in phase 1. Here a new EAP negotiation is initiated by the PEAP server to authenticate the PEAP peer which is carried out in TLS records. The PEAP client and the PEAP server exchange inner method messages until the PEAP client is successfully authenticated.
Hence the security provided by the TLS session in phase 1 protects the PEAP peer authentication in phase 2 so as to provide confidentially for user password or other dictionary attackable tokens given as password.
Fig 6: Figure shows the Authentication and Encryption Mechanism referred from 
The Network diagram in the above figure discusses the deployment of PEAP in an environment consisting of Client (peer) and Server, Wireless Access points, Authentication phases of PEAP. Mutual Authentication is provided in PEAP where a peer mutually authenticates a server through network access server (NAS). NAS can be a Virtual Private Network (VPN) or a Wireless Access Point. The actual PEAP messages are carried from the peer to the NAS over protocols such as the Point-to-Point Protocol (PPP) or IEEE802.1X or WAP. From the NAS the messages are carried over protocols such as the Remote Authentication Dial-In User Service (RADIUS), Diameter or Kerberos.
Data Integrity using PEAP protocol
Data integrity is provided using Hash-based Message Authentication Code - Secure Hash Algorithm version 1 (HMAC-SHA1) to simultaneously verify both the data integrity and the authenticity of a message. A two-way handshake between the PEAP peer and the PEAP server is initiated with two messages in same format: the crypto-binding request which is sent from the PEAP server to PEAP peer and the crypto-binding response which is sent from the PEAP peer to PEAP server.
Data Encryption using PEAP protocol
Data Encryption is provided when PEAP is used in conjunction with Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). TKIP is used for providing security to Wireless LANs such as WAP. AES is a symmetric-encryption standard which comprises of block ciphers of sizes 128 bits and a key size of 128, 192 or 256 bits. It is one of the fast encryption techniques used now-a-days.
This paper successfully explains the different cryptographic protocols to be used for securing the network diagram mention in the section 19 of UoB manufacturing company. The network diagram has been divided into three parts and authentication and encryption mechanisms are explained with some of the protocols that are largely followed by companies these days. Hence this case study achieves in providing security to the telephone system connected to the internet, the Wireless Access Point and the PDC and CAD/CAM servers.