1
⌄
Network Security
Secure communications on the Internet means protecting data from being intercepted, tampered with, or forged as it travels across networks. Without security, every HTTP request, email, and login credential is visible to anyone who can observe the network traffic between you and the server.
💡
The Core Security Problem
When you send data over the Internet, it travels through dozens of routers operated by different organisations. Any one of them could intercept, read, or modify your data. Security protocols ensure that even if someone intercepts the data, they cannot read it (confidentiality), alter it undetected (integrity), or impersonate the server (authenticity).
The Three Pillars of Information Security — CIA Triad
| Pillar | Definition | Threat if Violated | Protection |
|---|---|---|---|
| Confidentiality | Only authorised parties can read the data | Eavesdropping / sniffing | Encryption (TLS, AES) |
| Integrity | Data cannot be altered without detection | Tampering / man-in-the-middle | MACs, digital signatures, hashes |
| Availability | Services remain accessible to authorised users | DoS/DDoS attacks, crashes | Redundancy, rate limiting, firewalls |
Common Internet Threats
Eavesdropping
Attacker reads data passing through a shared network (Wi-Fi, ISP).
✓ Defence: Encryption (TLS/HTTPS)
Man-in-the-Middle
Attacker intercepts and relays communication — can read and modify data.
✓ Defence: Digital certificates, HSTS
Replay Attack
Attacker captures and re-sends a valid request later (e.g., a payment).
✓ Defence: Nonces, timestamps, session tokens
Phishing
Fake website impersonating a real one to steal credentials.
✓ Defence: Certificates, 2FA, user awareness
Packet Injection
Attacker injects forged packets into a TCP stream to alter data.
✓ Defence: TLS (authenticates every byte)
DoS / DDoS
Flood of requests overwhelms the server, denying service to real users.
✓ Defence: Rate limiting, CDN, anycast
🎯 Q13_1
A student sends login credentials over HTTP on a public Wi-Fi network. Someone on the same Wi-Fi captures the network traffic. Which CIA triad property has been violated?
AAvailability — the login page was too slow to load
BIntegrity — the attacker may have modified the credentials
CConfidentiality — the credentials were visible to an unauthorised party
DAll three equally — every HTTP request violates all CIA properties
✅ Correct! Sending credentials in plain text over HTTP violates Confidentiality — the information was readable by an unauthorised party (the attacker on the same Wi-Fi).
❌ The answer is C — Confidentiality. The data was intercepted and read by an unauthorised person. Use HTTPS (TLS) to encrypt data so interceptors see only ciphertext.
2
⌄
Cryptography
Cryptography is the science of encoding information so that only authorised parties can read it. Modern Internet security uses a combination of symmetric encryption (same key to encrypt and decrypt), asymmetric encryption (public/private key pair), and hash functions (one-way fingerprints).
Interactive — Caesar Cipher (Substitution Demo)
Plaintext:
Shift:
Click Encrypt to see ciphertext...
The Caesar cipher shifts each letter by the shift value. Modern AES encryption uses the same principle but with 256-bit keys and 14 rounds of complex transformations.
Symmetric vs Asymmetric Encryption
| Feature | Symmetric (AES, DES) | Asymmetric (RSA, ECC) |
|---|---|---|
| Keys | One shared key for both encrypt and decrypt | Public key (encrypt) + private key (decrypt) |
| Speed | Very fast — suitable for bulk data | Slow — only for small data / key exchange |
| Key distribution | Difficult — how do you share the key securely? | No problem — public key can be shared openly |
| Key length | 128-256 bits | 2048-4096 bits (RSA), 256 bits (ECC) |
| Used for | Encrypting the actual data stream (AES-256) | Key exchange, digital signatures, certificates |
| TLS role | Bulk encryption of data after handshake | Handshake — authenticating and exchanging session key |
Interactive — Hash Function Demo
Input:
Click to compute hash...
Try: change one character and hash again. The entire output changes completely (avalanche effect).
Hash Functions — Properties and Uses
| Property | Description |
|---|---|
| One-way (pre-image resistant) | Cannot compute the original input from the hash |
| Collision resistant | Infeasible to find two different inputs with the same hash |
| Deterministic | Same input always produces the same output |
| Avalanche effect | Changing one bit changes approximately 50% of the output |
| Fixed output | SHA-256 always outputs 256 bits regardless of input length |
| Used for | Password storage, file integrity, digital signatures, TLS MACs |
🎯 Q13_2
Why do websites store password hashes instead of the actual passwords?
AHashes are shorter so they take less storage space
BHashes are encrypted so they can be decrypted if needed
CIf the database is compromised, attackers cannot recover the original passwords from hashes
DHashing speeds up the login comparison process
✅ Correct! Hash functions are one-way — you cannot reverse a hash to get the original password. If the database is stolen, attackers see only hashes, not usable passwords. (This is why adding a salt is also important to prevent rainbow table attacks.)
❌ The answer is C. Passwords are hashed because hash functions are one-way — a stolen hash cannot be reversed to recover the original password. Hashing is not encryption; you cannot decrypt a hash.
3
⌄
TLS/SSL
TLS (Transport Layer Security), the successor to SSL, is the protocol that adds security to TCP connections. It provides: confidentiality (AES encryption), integrity (HMAC), and authentication (X.509 certificates). HTTPS = HTTP + TLS. Port 443.
TLS Handshake — How a Secure Connection is Established
CLIENT
ClientHello
Client sends: TLS version, random bytes, list of supported cipher suites (e.g. TLS_AES_256_GCM_SHA384).
SERVER
ServerHello + Certificate
Server sends: chosen cipher suite, its X.509 certificate (contains public key + identity), random bytes.
CLIENT
Certificate Verification
Client verifies: certificate is signed by a trusted CA, not expired, hostname matches. Aborts if invalid.
CLIENT
Key Exchange
Client and server agree on a shared session key using Diffie-Hellman or ECDH (TLS 1.3). Neither side sends the key across the network.
BOTH
Finished — Encrypted Communication Begins
Both sides confirm handshake integrity. All subsequent data is encrypted with AES-256 using the agreed session key.
X.509 Certificates — The Trust Anchor
| Field | Content | Purpose |
|---|---|---|
| Subject | CN=navinniroula.com.np, O=Org | Identifies who this certificate belongs to |
| Issuer | CN=Let's Encrypt R3 | The Certificate Authority (CA) that signed this cert |
| Public Key | RSA 2048-bit or EC 256-bit key | Used to verify the CA's signature |
| Valid Period | Not Before / Not After dates | Certificate expires — must be renewed periodically |
| SAN | DNS:navinniroula.com.np | Additional domains this cert covers |
| Signature | CA's digital signature | Proves the CA validated the server's identity |
Implementing HTTPS with WinINet / SSPI
// Option 1: Use WinINet (Windows high-level HTTP API with TLS built-in)
HINTERNET hInt = InternetOpen("MyApp/1.0", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);
HINTERNET hConn = InternetConnect(hInt, "navinniroula.com.np",
INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
HINTERNET hReq = HttpOpenRequest(hConn, "GET", "/", NULL, NULL, NULL,
INTERNET_FLAG_SECURE | INTERNET_FLAG_RELOAD, 0);
HttpSendRequest(hReq, NULL, 0, NULL, 0);
// WinINet handles TLS automatically — cert verification, encryption, decryption
// Option 2: Raw Winsock + SSPI/SChannel for full control
// Use SChannel provider with InitializeSecurityContext() / AcceptSecurityContext()
// More complex but handles any TLS-based protocol (HTTPS, FTPS, IMAPS, etc.)
🎯 Q13_3
During the TLS handshake, a browser connects to a bank website but finds the certificate is signed by an unknown Certificate Authority (not in the browser's trusted CA store). What should happen?
AContinue normally — the encryption still works regardless of who signed the certificate
BShow a security warning and block the connection by default — the certificate cannot be trusted
CAsk the server to provide a different certificate
DUse HTTP instead of HTTPS to avoid the certificate issue
✅ Correct! An unknown CA means the browser cannot verify the server's identity. The certificate could be self-signed or from a fraudulent CA. The browser blocks the connection with a security warning because encryption without authentication is vulnerable to man-in-the-middle attacks.
❌ The answer is B. An unknown CA = cannot verify identity. Encryption alone (without authentication) is useless against MITM attacks. The browser blocks the connection because you could be connecting to an attacker's server, not the real bank.
4
⌄
PKI
Public Key Infrastructure (PKI) is the system of Certificate Authorities (CAs), certificates, and trust chains that makes secure Internet communication possible. Every browser and OS ships with a list of ~150 trusted root CAs. Any certificate signed by one of these root CAs (or an intermediate CA they signed) is trusted automatically.
Digital Signatures — Proving Authenticity
// Digital Signature Process
-- Signing (done by the sender with their PRIVATE key) --
1. Compute hash of the message: h = SHA256(message)
2. Encrypt hash with private key: sig = RSA_sign(h, private_key)
3. Send: message + sig
-- Verification (done by receiver with sender's PUBLIC key) --
1. Compute hash of received message: h1 = SHA256(message)
2. Decrypt sig with public key: h2 = RSA_verify(sig, public_key)
3. If h1 == h2: message is authentic and unmodified ✓
If h1 != h2: message was tampered with or forged ✗
Certificate Chain of Trust
| Level | Example | Trust Basis |
|---|---|---|
| Root CA | DigiCert Global Root CA | Pre-installed in browsers/OS — inherently trusted |
| Intermediate CA | DigiCert TLS RSA SHA256 2020 CA1 | Signed by Root CA — trusted transitively |
| Server Certificate | CN=navinniroula.com.np | Signed by Intermediate CA — trusted transitively |
| End Entity | Your browser session | Verifies the full chain back to a trusted root |
Key Terms Drill
TLS
Tap to reveal
Transport Layer Security — encrypts TCP connections. Provides confidentiality, integrity, and authentication. HTTPS = HTTP+TLS on port 443.
X.509 Certificate
Tap to reveal
Digital document binding a public key to an identity, signed by a Certificate Authority (CA).
CA
Tap to reveal
Certificate Authority — a trusted organisation that verifies identities and signs certificates.
AES-256
Tap to reveal
Advanced Encryption Standard with 256-bit key — symmetric cipher used for bulk data in TLS.
RSA
Tap to reveal
Asymmetric algorithm for key exchange and digital signatures. 2048-4096 bit keys.
HMAC
Tap to reveal
Hash-based Message Authentication Code — ensures data integrity and authenticity in TLS records.
📌 Chapter 13 — Key Takeaways
- The CIA Triad: Confidentiality (encryption), Integrity (hashing/MAC), Availability (redundancy/DoS protection).
- Symmetric encryption (AES) uses one shared key — fast, for bulk data. Asymmetric (RSA/ECC) uses key pairs — slow, for key exchange and signatures.
- Hash functions (SHA-256) are one-way — same input always gives same output but cannot be reversed. Used for passwords, file integrity, and MACs.
- TLS handshake: ClientHello → ServerHello + Certificate → verify cert → key exchange (Diffie-Hellman) → encrypted session begins.
- X.509 certificates bind a public key to an identity, signed by a trusted Certificate Authority (CA).
- The chain of trust: Root CA → Intermediate CA → Server Certificate. Browser verifies the full chain.
- Digital signatures: hash the message, encrypt hash with private key. Receiver verifies by decrypting with public key.
- In Windows apps: use WinINet for automatic TLS handling, or SChannel/SSPI for raw TLS control over Winsock.