Network security Cryptographic Principles


Network security: Cryptographic Principles
ECE 671 – Lectures 20 and 21

Security in networks
Where do we need … ? How to achieve … ?
- Confidentiality
- Integrity and non-repudiation
- Authentication

Confidentiality
- Encryption of information
- How to do encryption?
- Kerckhoffs’ principle: system should remain secure if everything is known (except secret key)
- Variation: security should not be based on obfuscation

Language of Cryptography
[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]
- $m$: plaintext message
- $K_A(m)$: ciphertext, encrypted with key $K_A$
- $m = K_B(K_A(m))$

Simple Encryption Scheme
- substitution cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another
  plaintext:  abcdefghijklmnopqrstuvwxyz
  ciphertext: mnbvcxzasdfghjklpoiuytrewq
- E.g.:
  plaintext:  bob. i love you. alice
  ciphertext: nkn. s gktc wky. mgsbc
- Key: the mapping from the set of 26 letters to the set of 26 letters

Polyalphabetic Encryption
- n monoalphabetic ciphers, M1, M2, …, Mn
- Cycling pattern: e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2;
- For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern
  dog: d from M1, o from M3, g from M4
- Key: the n ciphers and the cyclic pattern

Breaking Encryption Scheme
- Ciphertext-only attack: Trudy has ciphertext that she can analyze. Two approaches:
  - Search through all keys: must be able to differentiate resulting plaintext from gibberish
  - Statistical analysis
- Known-plaintext attack: Trudy has some plaintext corresponding to some ciphertext
  e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o
- Chosen-plaintext attack: Trudy can get the ciphertext for some chosen plaintext
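The three slides above (substitution cipher, polyalphabetic cipher, known-plaintext analysis) as one added example; it is not code from the lecture. The monoalphabetic key and the cycling pattern are the slides' own, while the four keys M1..M4 are constructed alphabet rotations because the slides give none.

```python
import string

ALPHABET = string.ascii_lowercase
SLIDE_KEY = "mnbvcxzasdfghjklpoiuytrewq"   # ciphertext alphabet from the slide
# Constructed sample keys M1..M4 (alphabet rotations); the slides give none.
SAMPLE_KEYS = [ALPHABET[k:] + ALPHABET[:k] for k in (1, 2, 3, 4)]
SLIDE_PATTERN = [0, 2, 3, 2, 1]            # M1, M3, M4, M3, M2


def make_table(key):
    """Map plaintext letters to key letters; the key must be a permutation."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")
    return dict(zip(ALPHABET, key))


def mono_encrypt(plaintext, key=SLIDE_KEY):
    table = make_table(key)
    return "".join(table.get(ch, ch) for ch in plaintext)


def mono_decrypt(ciphertext, key=SLIDE_KEY):
    inverse = {c: p for p, c in make_table(key).items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def poly_encrypt(plaintext, keys=SAMPLE_KEYS, pattern=SLIDE_PATTERN):
    """The i-th letter is encrypted with keys[pattern[i % len(pattern)]]."""
    tables, out, i = [make_table(k) for k in keys], [], 0
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(tables[pattern[i % len(pattern)]][ch])
            i += 1
        else:
            out.append(ch)                 # punctuation and spaces pass through
    return "".join(out)


def recover_pairings(known_plain, known_cipher):
    """Known-plaintext analysis: each aligned letter pair reveals one key entry.
    Raises ValueError if one plaintext letter maps to two ciphertext letters,
    i.e. the ciphertext is not from a single monoalphabetic key."""
    pairs = {}
    for p, c in zip(known_plain, known_cipher):
        if p in ALPHABET and pairs.setdefault(p, c) != c:
            raise ValueError("inconsistent pairing: not monoalphabetic")
    return pairs
```

Seven known letters already fix seven of the 26 key entries, which is why a monoalphabetic key does not survive even a short known plaintext; the same check fails on the polyalphabetic output because one plaintext letter no longer has a single image.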

Types of Cryptography
- Crypto often uses keys:
  - Algorithm is known to everyone
  - Only “keys” are secret
- Public key cryptography: involves the use of two keys
- Symmetric key cryptography: involves the use of one key
- Hash functions: involves the use of no keys
  - Nothing secret: How can this be useful?

Symmetric Key
[Figure: plaintext message $m$ → encryption algorithm (key $K_S$) → ciphertext $K_S(m)$ → decryption algorithm (key $K_S$) → plaintext $m = K_S(K_S(m))$]
- symmetric key crypto: Bob and Alice share same (symmetric) key: $K_S$
- e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on key value?

Public Key Cryptography
- symmetric key crypto:
  - requires sender, receiver know shared secret key
  - Q: how to agree on key in first place (particularly if never “met”)?
- public key crypto: radically different approach [Diffie-Hellman76, RSA78]
  - sender, receiver do not share secret key
  - public encryption key known to all
  - private decryption key known only to receiver

Public Key Cryptography
[Figure: plaintext message $m$ → encryption algorithm (Bob’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

PKE Algorithm
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm

Detour: Modular Arithmetic
- x mod n = remainder of x when divided by n
- Facts:
  [(a mod n) + (b mod n)] mod n = (a+b) mod n
  [(a mod n) - (b mod n)] mod n = (a-b) mod n
  [(a mod n) * (b mod n)] mod n = (a*b) mod n
- Thus $(a \bmod n)^d \bmod n = a^d \bmod n$
- Example: x=14, n=10, d=2:
  $(x \bmod n)^d \bmod n = 4^2 \bmod 10 = 6$
  $x^d = 14^2 = 196$, so $x^d \bmod 10 = 6$

RSA: Getting Ready
- A message is a bit pattern.
- A bit pattern can be uniquely represented by an integer number.
- Thus encrypting a message is equivalent to encrypting a number.
- Example: m = 10010001. This message is uniquely represented by the decimal number 145. To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).

RSA: Creating Private/Public Key Pair
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key $K_B^+$ is (n,e). Private key $K_B^-$ is (n,d).

RSA: Encryption/Decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt message m (<n), compute $c = m^e \bmod n$
2. To decrypt received bit pattern, c, compute $m = c^d \bmod n$
Magic happens! $m = (m^e \bmod n)^d \bmod n$, where the inner term $m^e \bmod n$ is c.

RSA Example
- Bob chooses p=5, q=7. Then n=35, z=24.
- e=5 (so e, z relatively prime).
- d=29 (so ed-1 exactly divisible by z).
- Encrypting 8-bit messages.
- encrypt: bit pattern 0000l000, m = 12, $m^e$ = 24832, $c = m^e \bmod n$ = 17
- decrypt: c = 17, $c^d$ = 481968572106750915091411825223071697, $m = c^d \bmod n$ = 12

Why Does RSA Work?
- Must show that $c^d \bmod n = m$ where $c = m^e \bmod n$
- Fact: for any x and y: $x^y \bmod n = x^{(y \bmod z)} \bmod n$, where n = pq and z = (p-1)(q-1)
- Thus,
  $c^d \bmod n = (m^e \bmod n)^d \bmod n$
  $= m^{ed} \bmod n$
  $= m^{(ed \bmod z)} \bmod n$
  $= m^1 \bmod n$
  $= m$

RSA: Another Important Feature
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
- left side: use public key first, followed by private key
- right side: use private key first, followed by public key
Result is the same!

Why is RSA Secure?
- suppose you know Bob’s public key (n,e). How hard is it to determine d?
- essentially need to find factors of n without knowing the two factors p and q.
- fact: factoring a big number is hard.
Generating RSA keys
- have to find big primes p and q
- approach: make good guess then apply testing rules

Digital Signatures
- Bob sends digitally signed message: large message m → H: hash function → H(m) → digital signature (encrypt) with Bob’s private key $K_B^-$ → encrypted msg digest $K_B^-(H(m))$, sent together with m.
- Alice verifies signature and integrity of digitally signed message: large message m → H: hash function → H(m); encrypted msg digest $K_B^-(H(m))$ → digital signature (decrypt) with Bob’s public key $K_B^+$ → H(m); are the two H(m) values equal?

Digital Signatures
- suppose Alice receives msg m, digital signature $K_B^-(m)$
- Alice verifies m signed by Bob by applying Bob’s public key $K_B^+$ to $K_B^-(m)$, then checks $K_B^+(K_B^-(m)) = m$.
- if $K_B^+(K_B^-(m)) = m$, whoever signed m must have used Bob’s private key.
- Alice thus verifies that:
  - Bob signed m.
  - no one else signed m.
  - Bob signed m and not m’.
- Non-repudiation: Alice can take m, and signature $K_B^-(m)$ to court and prove that Bob signed m.

Public Key Certification
- motivation: Trudy plays pizza prank on Bob
  - Trudy creates e-mail order: Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob
  - Trudy signs order with her private key
  - Trudy sends order to Pizza Store
  - Trudy sends to Pizza Store her public key, but says it’s Bob’s public key.
  - Pizza Store verifies signature; then delivers four pizzas to Bob.
  - Bob doesn’t even like Pepperoni

Certification Authorities
- Certification authority (CA): binds public key to particular entity, E.
- E (person, router) registers its public key with CA.
  - E provides “proof of identity” to CA.
  - CA creates certificate binding E to its public key.
  - certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”
[Figure: Bob’s public key $K_B^+$ and Bob’s identifying information → digital signature (encrypt) with CA private key $K_{CA}^-$ → certificate for Bob’s public key, signed by CA]

Certification Authorities
- when Alice wants Bob’s public key:
  - gets Bob’s certificate (Bob or elsewhere).
  - apply CA’s public key to Bob’s certificate, get Bob’s public key
[Figure: Bob’s certificate → digital signature (decrypt) with CA public key $K_{CA}^+$ → Bob’s public key $K_B^+$]
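The digital-signature and certification slides above as one added example (not code from the lecture): hash-then-sign with textbook RSA, and the Pizza Store check that stops Trudy's prank once keys must come with a CA-signed certificate. All names, the certificate layout and the Mersenne primes used as key material are assumptions made for this sketch; real signatures need padding and randomly generated primes.

```python
import hashlib


def keypair(p, q, e=65537):
    """Toy RSA key pair: returns public K+ = (n, e) and private K- = (n, d)."""
    n, z = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, z))


def digest(data, n):
    """H(m) as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)                # K-(H(m))


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)   # K+(K-(H(m))) == H(m)?


def cert_body(identity, public):
    return f"{identity}|{public[0]}|{public[1]}".encode()


def issue_certificate(ca_private, identity, public):
    """CA binds an identity to a public key by signing both together."""
    return {"identity": identity, "public_key": public,
            "ca_signature": sign(ca_private, cert_body(identity, public))}


def accept_order(ca_public, cert, claimed_sender, order, order_signature):
    """Pizza Store's check: right name, valid CA signature, valid order signature."""
    body = cert_body(cert["identity"], cert["public_key"])
    return (cert["identity"] == claimed_sender
            and verify(ca_public, body, cert["ca_signature"])
            and verify(cert["public_key"], order, order_signature))


# Constructed sample keys (Mersenne primes, for a reproducible offline run only).
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = keypair(2**107 - 1, 2**127 - 1)
TRUDY_PUB, TRUDY_PRIV = keypair(2**61 - 1, 2**89 - 1)
ORDER = b"Please deliver to me four pepperoni pizzas. Thank you, Bob"
BOB_CERT = issue_certificate(CA_PRIV, "Bob", BOB_PUB)
```

An order signed by Trudy verifies under Trudy's key, which is all the prank needs when the store accepts any key it is handed; with `accept_order` the same signature fails against Bob's certified key, and swapping Trudy's key into Bob's certificate breaks the CA signature.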

Certificates Summary
- primary standard X.509 (RFC 2459)
- certificate contains:
  - issuer name
  - entity name, address, domain name, etc.
  - entity’s public key
  - digital signature (signed with issuer’s private key)
- Public-Key Infrastructure (PKI)
  - certificates, certification authorities
  - often considered “heavy”

Certificate example
- Multiple certificate authorities, e.g., VeriSign
[Figure: example VeriSign certificate]

SSL certificates
[Figure: certification as a business]

Chain of trust
- Chain of trust can go multiple levels
- Root certificates are final step
- Private keys need to be protected well
- Security hardware:
  - Tamper-proof
  - On-board key generation
  - On-board cryptographic engine
  - E.g., IBM 4758 Cryptographic Coprocessor
- Many modern computers have security module

Security in network protocols
- Main focus: confidentiality
[Figure: protocols provide security at different layers]

Security in network protocols
- IPSec provides security between network
- TLS / SSL provides security between sockets
  - Security between end-systems
  - “Lock icon” in browser
- How to establish trust with new end-system?