CS 453 Computer Networks Lecture 25 Introduction to Network Security.


Network Security Data networks have become the core communication conduit for local, regional and global communications. Once the esoteric domain of computer scientists, they no longer are: data communications networks are now the primary means of communication worldwide.

Network Security Data communications networks carry medical records, critical health care data, banking and financial information, national security secrets, ... and of course, YouTube and our

Network Security The point: data networks are critical. Lives, livelihoods, economies and countries depend on them. Not only must they be present and operational, they must be secure. And this is not just about person-to-person or organization-to-organization communications, but about the network itself.

Network Security So what do we mean by secure? Confidentiality: some messages should only be readable by the intended receiver. Authentication: we want confidence that a message came from whom we think it came from. Integrity and nonrepudiation: the message received is the one that was sent, it has not been altered or tampered with, and the sender cannot later deny having sent it. Availability and access control: make the network resilient to security threats, let only the agents that should be using the network use it, and only in the ways they are authorized to use it.

Network Security In part, network security means protecting the network: building in safeguards and protections, monitoring for attacks and intrusions, and responding to those threats and intrusions with newer, better protections.

Network Security Confidentiality: Encryption. If we want to make sure that only the intended recipient of a message can understand it, we need to disguise it. That is encryption.

Network Security Encryption basics: imagine Alice and Bob. They are two routers in a network, and they need to send messages to each other.

Network Security Encryption basics: Alice sends the message "Bob, I Love You, Alice" to Bob. The message as written is referred to as "cleartext" (or plaintext). Alice will encrypt it; the encrypted form is called "ciphertext".

Network Security Encryption basics: Alice uses a key Ka to encrypt the message m; Bob uses another (possibly the same) key Kb to decrypt it. Alice sends Ka(m) to Bob; Bob processes the ciphertext and recovers Kb(Ka(m)) = m.

Network Security Encryption basics: Symmetric key encryption: both keys are identical and secret. Public key encryption: a pair of keys is used, one (the public key) known to everyone, and one (the private key) known only to its owner, the receiver when encrypting for confidentiality or the sender when signing; nobody else ever holds the private key.

Network Security Encryption basics: Caesar cipher: encode text by shifting each letter a fixed offset K in the alphabet. For example, if K = 3, then A→D, B→E, ..., so "I Love You" becomes "l oryh brx". Easy to crack: there are only 25 useful shifts, and cracking one symbol cracks the whole code.

Network Security Encryption basics: Monoalphabetic cipher: define an arbitrary mapping between cleartext symbols and ciphertext symbols, something like a b c d e f ... → m n b v c x ..., so "I Love You" might become "s gktc wky". A Caesar cipher key has 26 possible values; a monoalphabetic cipher key has 26! (about 4 × 10^26) possible values. Harder to crack, but not that hard. Why? Because each plaintext letter always maps to the same ciphertext letter, so the letter frequencies of the language (e and t are the most common letters in English) show through the ciphertext, and a little known plaintext pins down the rest of the mapping.

Network Security Encryption basics: Polyalphabetic cipher: use multiple monoalphabetic ciphers, and use them in a repeating sequence to encrypt a message. Suppose we have two ciphers, C1 and C2; we could use the sequence C1, C1, C2, C1, C1, that is, encrypt the first symbol with C1, the second symbol with C1, the third symbol with C2, and so on, repeating the pattern. It is getting harder to crack, but the repeating period still leaks: once the attacker knows the period, every position is just a monoalphabetic cipher again.
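The three classical ciphers above, as an added example written for this transcript (not code from the lecture), together with the letter-frequency attack that is the answer to the "Why?" on the monoalphabetic slide. The substitution alphabet is the full one from the Kurose and Ross textbook slide that the lecture abbreviates ("a b c d e f ... → m n b v c x ..."); the sample texts are constructed.

```python
"""Toy substitution ciphers from the lecture, plus the frequency attack that
explains why they are 'not that hard' to crack. Educational code only."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Full substitution alphabet behind the lecture's "a b c d e f ... -> m n b v c x ..."
# (Kurose & Ross, Chapter 8). Assumed here; the slide shows only its first six letters.
MONO_KEY = "mnbvcxzasdfghjklpoiuytrewq"


def caesar(text, k):
    """Shift every letter k places (k may be negative); non-letters pass through."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def mono_encrypt(text, key=MONO_KEY):
    """Monoalphabetic cipher: a fixed, arbitrary letter-to-letter mapping."""
    return text.lower().translate(str.maketrans(ALPHABET, key))


def mono_decrypt(text, key=MONO_KEY):
    return text.translate(str.maketrans(key, ALPHABET))


def poly_encrypt(text, keys, pattern):
    """Polyalphabetic cipher: the i-th letter is encrypted with the
    monoalphabetic key keys[pattern[i % len(pattern)]]; the pattern
    [0, 0, 1, 0, 0] is the lecture's C1, C1, C2, C1, C1 sequence."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            key = keys[pattern[i % len(pattern)]]
            out.append(key[ALPHABET.index(ch)])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def poly_decrypt(text, keys, pattern):
    out, i = [], 0
    for ch in text:
        if ch in ALPHABET:
            key = keys[pattern[i % len(pattern)]]
            out.append(ALPHABET[key.index(ch)])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def crack_caesar(ciphertext):
    """Frequency attack: assume the most common ciphertext letter is plaintext
    'e', derive the shift, and undo it. Returns (shift, recovered plaintext)."""
    letters = [c for c in ciphertext if c in ALPHABET]
    top = Counter(letters).most_common(1)[0][0]
    k = (ALPHABET.index(top) - ALPHABET.index("e")) % 26
    return k, caesar(ciphertext, -k)


if __name__ == "__main__":
    sample = "the quick brown fox jumps over the lazy dog and then sleeps beneath the trees"
    print(caesar("I Love You", 3))          # l oryh brx
    print(mono_encrypt("I Love You"))       # s gktc wky
    print(crack_caesar(caesar(sample, 3)))  # (3, sample)
```

The same frequency attack works on the monoalphabetic cipher once the ciphertext is long enough to rank letters, and on the polyalphabetic one as soon as the period is known (split the ciphertext into one stream per position in the pattern and attack each stream separately).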

Network Security Data Encryption Standard (DES): the US federal standard, adopted in 1977 and reaffirmed by NIST in 1993 (FIPS 46-2). Symmetric key, for commercial and non-classified use. Encrypts messages in 64-bit blocks using 56-bit keys. Involves 16 rounds of "shuffles", substitutions and permutations of the data; see Kaufman (1995) for details.

Network Security Data Encryption Standard (DES): is it good? The RSA challenge to break DES encryption: in 1997 a group of Internet volunteers, searching the 2^56 (about 7.2 × 10^16) possible keys in parallel, cracked a DES-encrypted challenge message in less than 4 months and earned the $10k prize. In 1999 another group of Internet volunteers, helped by a purpose-built key-search machine, cracked one in 22 hours.

Network Security Data Encryption Standard (DES): in 2001 NIST adopted a successor to DES, the Advanced Encryption Standard (AES, FIPS 197). It encrypts 128-bit blocks, using 128-, 192- or 256-bit keys. NIST estimates that if a computer could crack a 56-bit DES key in one second, it would take the same computer 149 trillion years to crack a 128-bit AES key: the key space is 2^72 times larger, and 2^72 seconds is about 1.5 × 10^14 years.

Network Security Symmetric Key Encryption requires sender and receiver both to have a key, and the sender's and receiver's keys have to be identical. But how do they get these keys? They can't just transmit them, and they can't encrypt them and then transmit them, because encrypting them would need a shared key in the first place. This is the key distribution problem.

Network Security Public Key Encryption: imagine Bob has two keys. One (Kb-pub) is public, which he will share with anyone; one (Kb-pri) is private and not shared with anyone. A message encrypted with Bob's Kb-pub can only be decrypted with Bob's Kb-pri: Kb-pri(Kb-pub(m)) = m.

Network Security Public Key Encryption: Bob has two keys, so if Alice wants to send Bob an encrypted message, she must first obtain a copy of Bob's public key Kb-pub. Alice then encrypts the message using Kb-pub and an agreed-upon encryption algorithm, and sends the message. Bob receives the message and decrypts it using his private key Kb-pri.

Network Security Public Key Encryption takes care of confidentiality. Recall that in symmetric key encryption the key was secret, so under normal circumstances you can assume that if a message arrived encrypted with that key, it came from the source you think it came from, unless the key was stolen (that's what spies are for).

Network Security Public Key Encryption: but with public key encryption anyone can get Bob's public key, so a message encrypted with it could have come from anyone. You don't know whether it really came from Alice, even if it says it did. Encrypting with the receiver's public key alone can't do authentication; that needs something only Alice holds, her private key (see digital signatures later in this lecture).

Network Security Public Key Encryption Algorithms: RSA public key encryption, widely used. Choose two large prime numbers p and q. Compute n = pq and z = (p-1)(q-1). Choose a number e, less than n, that has no common factors (except 1) with z, i.e. gcd(e, z) = 1. Find a number d such that ed - 1 is evenly divisible by z, i.e. ed mod z = 1. Public key Kpub = (n, e); private key Kpri = (n, d).

Network Security Public Key Encryption Algorithms: RSA public key encryption. Then for a message m (a number less than n), we encrypt c = m^e mod n, and decrypt m = c^d mod n. Remember: Alice has e (and n), and only Bob has d.

Network Security Public Key Encryption Algorithms: RSA public key encryption. Suppose Bob picks p = 5 and q = 7, so n = 35 and z = 24. Choose e = 5, since 5 (e) and 24 (z) have no common factors. Choose d = 29, since (ed - 1) mod z = 0: (5 × 29) - 1 = 144 = 6 × 24. Bob gives Alice his Kpub, which is (n, e) = (35, 5). Alice encrypts the message "hi" and sends it to Bob.

Network Security RSA Public Key Encryption. Alice encrypts with e = 5, n = 35, numbering the letters a = 1, b = 2, ...:

  cleartext   numeric value m   m^e      c = m^e mod n
  h           8                 32768    8
  i           9                 59049    4

Bob decrypts with d = 29, n = 35:

  c   c^d                   m = c^d mod n   cleartext
  8   8^29 ≈ 1.5 × 10^26    8               h
  4   4^29 ≈ 2.9 × 10^17    9               i

Network Security Authentication: is it really who we think it is? Host-based authentication: messages carry the IP address of the source, so authenticate based on the IP address in the message header. Easy to fake: IP spoofing.

Network Security Authentication: Password authentication: send a password in a message, or to establish a connection. Easy to capture the password, especially if it is sent in cleartext: sniffing.

Network Security Authentication: Encrypted password authentication: encrypt the password and use it in a message, or to establish a connection. The encrypted password can still be captured and played back whenever the password is needed, without the attacker ever learning the password itself: a playback (replay) attack.

Network Security Authentication: Public key authentication: just like data stream encryption, we can use public keys to encrypt a password for authentication. Alice wants to send a message to Bob; Bob sends Alice his public key; Alice encrypts her password with Bob's public key and transmits it (this is roughly how SSH carries a password login, inside a channel keyed from the server's public key). Note that this only stops replay if something fresh, such as a challenge from Bob, is encrypted together with the password, and it depends on Alice really having Bob's key.

Network Security Public key authentication: man-in-the-middle attack. Bob wants to send a message to Alice. Carol sends Bob her public key, saying it is Alice's; Carol also obtains Alice's public key (it is public). Bob sends a message to Alice using Carol's public key, and Carol intercepts it. Carol decrypts and reads (or alters) the message, encrypts it with Alice's public key and sends it to Alice saying it is from Bob, and no one is the wiser. The defense is a trusted way of binding a public key to an identity, such as a certificate issued by a certification authority, rather than accepting whatever key arrives.

Network Security Data integrity: is it really the right data? We need some way to assure the receiver that the message contents are really the message contents that were sent. In the paper world we sign reports, expense account statements, etc. to vouch for the accuracy (integrity) of the information in them, so...

Network Security Data integrity: Digital signatures: encrypt a document using a private key. What? By the way, RSA public/private keys work both ways: Kpub(Kpri(m)) = m just as Kpri(Kpub(m)) = m. If I encrypt with my private key, then since it is not public I had to be the one that encrypted it: that is my signature, and anyone holding my public key can check it.

Network Security Data integrity: Digital signatures. Note: if the message is altered after it is digitally signed, Kpub(Kpri(m)) will no longer equal the received message, so the signature does not check out; the altered message and the signature do not match.

Network Security Data integrity: Message digests. Digital signatures are expensive: public key operations over every bit of a long message. Alternative: create a message digest, a short fixed-size fingerprint of the message computed with a hash function, then digitally sign only the digest. CRCs and checksums are hash functions, but not cryptographic ones: an attacker can easily construct a different message with the same CRC. Signing needs a cryptographic hash, for which finding two messages with the same digest is infeasible; MD5 was the usual choice at the time, but it is now broken (collisions are cheap to find), so use SHA-256 today.

Network Security Data integrity: Message digests. The original message is sent in cleartext, along with the digitally signed message digest. The receiver computes a second message digest over the received message; if the two message digests match (and the signature on the first verifies), the message is good.
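Added example (not from the lecture) of the receiver's digest check described above, and of what goes wrong when the "hash function" is a CRC as the previous slide suggests: given the CRC-32 of the genuine message, four trailing bytes are computed that make a tampered message carry the same CRC, so a signature over that CRC would still verify. The messages are constructed for the example; the CRC forcing relies on the standard reflected CRC-32 used by zlib.

```python
"""Message digests for integrity: SHA-256 detects tampering, while a CRC-32
'digest' can be forced to any value by appending four chosen bytes.
Sample messages are constructed for this example."""
import hashlib
import zlib

_POLY = 0xEDB88320   # reflected CRC-32 polynomial used by zlib.crc32


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()
# The high byte of each table entry is unique, which is what lets us walk the
# CRC register backwards below.
_REV = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}


def sha256_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def verify_digest(message: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute the digest over the received message and
    compare it with the (signed) digest that travelled with it."""
    return sha256_digest(message) == received_digest


def forge_crc32(message: bytes, target_crc: int) -> bytes:
    """Return message + 4 bytes such that zlib.crc32(result) == target_crc.
    Walks the desired final register backwards to learn which table entries
    the four steps must use, then forwards from the real register to pick
    the bytes that select them."""
    want = target_crc ^ 0xFFFFFFFF            # undo zlib's final XOR
    cur, indices = want, []
    for _ in range(4):
        i = _REV[cur >> 24]
        indices.append(i)
        cur = ((cur ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()                          # now in processing order
    reg = zlib.crc32(message) ^ 0xFFFFFFFF     # register after the message
    patch = bytearray()
    for i in indices:
        patch.append((reg ^ i) & 0xFF)
        reg = _TABLE[i] ^ (reg >> 8)
    return message + bytes(patch)


if __name__ == "__main__":
    original = b"pay alice 100 dollars"
    tampered = b"pay mallory 999 dollars"
    forged = forge_crc32(tampered, zlib.crc32(original))
    print(zlib.crc32(forged) == zlib.crc32(original))        # True: CRC 'digest' matches
    print(verify_digest(forged, sha256_digest(original)))   # False: SHA-256 catches it
```

The receiver's check is only as strong as the hash: with CRC-32 the forged message passes, with SHA-256 it fails. The four junk bytes at the end of the forged message are easy to hide in many real formats (trailing whitespace, a comment field, padding), which is why a practitioner never accepts a checksum as an integrity proof.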

Network Security Access control: Firewalls: Packet filtering, based on: IP source or destination address; TCP or UDP port numbers; ICMP message types; connection-initiation datagrams, recognized by the SYN and ACK bits.

Network Security Access control: Firewalls: Packet filtering is controlled by rules (permit this, deny that), evaluated in order until the first match, so the order of evaluation of the rules is important.
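Added example (not from the lecture) of first-match packet-filter evaluation over the header fields listed on the slides, including the SYN-without-ACK test for connection initiation. The rule set, the addresses and the sample packets are constructed for the example; swapping two rules shows why their order matters.

```python
"""First-match packet filter over constructed sample rules and packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: int = -1


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    syn_only: bool = False   # match only TCP connection attempts (SYN set, ACK clear)
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn_only and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; an implicit default applies when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy for an internal network 10.0.0.0/8 with a public web
# server at 10.0.0.5 and a DNS server at 10.0.0.53.
GOOD_ORDER = [
    Rule("permit", dst="10.0.0.5/32", proto="tcp", dport=80, syn_only=True),  # new web connections
    Rule("deny", dst="10.0.0.0/8", proto="tcp", syn_only=True),               # no other inbound connections
    Rule("permit", dst="10.0.0.0/8", proto="tcp"),                            # replies to outbound connections
    Rule("deny", dst="10.0.0.0/8", proto="icmp", icmp_type=8),                # no echo requests (ping sweeps)
    Rule("permit", dst="10.0.0.53/32", proto="udp", dport=53),                # DNS queries
]

# Same rules, but the general deny placed before the web-server permit: the
# deny now shadows the permit and the web server becomes unreachable.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]] + GOOD_ORDER[2:]

# Constructed sample packets arriving from the outside.
WEB_SYN = Packet("198.51.100.7", "10.0.0.5", "tcp", dport=80, syn=True)
SSH_SYN = Packet("198.51.100.7", "10.0.0.5", "tcp", dport=22, syn=True)
REPLY = Packet("198.51.100.7", "10.0.0.9", "tcp", dport=50123, ack=True)
PING = Packet("203.0.113.2", "10.0.0.9", "icmp", icmp_type=8)
DNS = Packet("203.0.113.2", "10.0.0.53", "udp", dport=53)

if __name__ == "__main__":
    for name, pkt in [("web", WEB_SYN), ("ssh", SSH_SYN), ("reply", REPLY), ("ping", PING), ("dns", DNS)]:
        print(name, evaluate(GOOD_ORDER, pkt), evaluate(BAD_ORDER, pkt))
```

Real packet filters (iptables, pf, cloud security groups) follow the same first-match discipline; the shadowed-rule mistake in BAD_ORDER is one of the most common firewall misconfigurations and is invisible unless rules are tested against sample traffic like this.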

Network Security Access control: Firewalls: Application gateways. Sometimes packet filtering is not enough; maybe you want certain authenticated users to be able to use a service from specific IP addresses but not others, which header fields alone cannot express. Application gateways are intermediate services: the user connects to the gateway, and the gateway connects to the service of interest on the user's behalf.

Network Security Access control: Firewalls: Application gateways. For example, suppose you want to let certain users telnet out of the network, but not everyone. A user wanting to telnet out telnets to the telnet gateway; the user authenticates to the gateway; the user gives the gateway the telnet destination; the gateway telnets to the destination; and the gateway relays telnet packets between the user and the service, while the packet filter blocks all telnet traffic that does not come from the gateway.

Network Security Threats: mapping (port scanning), packet sniffing, spoofing, denial of service attacks. See:

“That’s all I have to say about that.” Forrest Gump