1. Network security & Cryptography
Nancy Carrier
CNT 5505 – Sprint 2018
Professor Dr. Ahuja

2. What happened at Equifax in September?

3. Cost of Equifax data breach
Smith threw two Equifax executives under the bus. Chief Information Officer Susan Maulin and Chief Security Officer David Webb have retired.
Smith blamed “one individual”
Cost of Equifax data breach
Sept …Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.
IBM® sponsored Cost of Data Breach Study reported the global average cost of a data breach was $3.62 million.
The average cost for each lost or stolen record containing sensitive and confidential information $141.
Larry Ponemon, chairman of Ponemon Institute, told Reuters the final cost of the breach could end up being more than $600 million.
143mm * $141 = $20,163,000,000

4. Network Security & Cryptography
Network Threats: Passive and Active
Denial of Service (DOS)
IP Spoofing
Confidentiality, Integrity, Availability (&Repudiation)
Physical Security
Firewalls, Intrusion Detection/Prevention
VPNs
SSL Secure Socket Layer
Authentication with Digital Signature
Confidentiality through Symmetric Encryption
Public Key Encryption
= Required Material

5. Why network security?
In the beginning, there were University Researchers and Shared Printers… security was not very important.
Not any more! Weak points are exploited by criminals, hackers, attention seekers, and marketers.
Adversary
Goal
Competitors
Steal proprietary design, strategy
Employees
Add points to rewards program
Students
Prove it can be done
Politician
Influence election
Terrorist
Bring down critical system
Tax Fraudster
Obtain fake tax refunds
Government
Obtain enemy’s military secrets
Neighbor
Get free internet service

6. NETWORK attacks Passive vs. Active
Passive attacks do not alter the network.
Hard to detect.
Attacks can occur through vulnerabilities at every layer (including user)
The inventory of possibilities changes fast and continually.
Software updates and patches
Consider the role of Machine Learning

7. Denial of service – every layer
Denial of Service (DoS) attacks are one of the most basic and most prolific threats to networks.
Since the second half of 2010, DoS has been the most common attack in the United States.
The goal of a DoS attack is to deny legitimate users from accessing the servers which host your web application. 

8. Man in the middle Uses IP Spoofing
Someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently.

9. IP Spoofing
A sender’s IP address is replaced by another address, invisibly to the receiver .
How does this happen?
Internet Protocol provides best-effort services to deliver information to final destination.
IP does not validate that the IP addresses in the datagram match the IP address of the sender/receiver.
Layers above IP use the source address in an incoming packet to identify the sender.
The header of the datagram is changed to refer to a different IP address than was intended. “Packet crafting” involves creating a custom header for the IP datagram.
Easily found on the internet… “Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to be invisible in a network.”
You can spoof at various network layers; for example, you can use Address Resolution Protocol (ARP) spoofing to divert the traffic intended for one station to someone else. The Simple Mail Transfer Protocol (SMTP) is also a target for spoofing; because SMTP does not verify the sender's address, you can send any to anybody pretending to be someone else. 
IP Spoofing Article by Farha Ali, Lander University via Cisco

10. Security Definition & Requirements
Network Security
strategy and provisions
hardware and software (and personnel)
to protect assets and network traffic
as defined by the organization’s Security Policy
The CIA Triad
Confidentiality: protect assets from unauthorized entities
Integrity: ensure the modification of assets is only through specified and authorized manner
Availability: maintain a system state in which authorized users have required access to assets

11. Network security: the mission
Only the sender and intended receiver should be able to read the message or modify the message. (privacy)
The sender and receiver should be who they seem to be. (authentication)
The sender and receiver should not be changeable. The contents should be trustable. (repudiation)
The bad actors are intelligent, dedicated and sometimes well-funded. They have more time than the network security people.
Protect network from both outsiders and insiders. Bad actors can be deliberate or without malice.
Meanwhile, keep the network up and performing acceptably!

12. Ad hoc network with eavesdropping and jamming

13. OSI Model and Security
Harden & Monitor

14. Physical Layer Concerns
Physical security of the network seems obvious but is a critical part of defense. Third-Party Vendors can be overlooked as sources of physical vulnerability.
Jamming: Broadcast radio signals on the same frequency overpower the original signal. Jamming devices that broadcast on a wide range of frequencies at once can disrupt everything from police radar to GPS systems, and are illegal in many countries.
Eavesdropping: unauthorized real-time interception of a private communication, such as a phone call, instant message, videoconference or fax transmission. Sniffing programs can be used to record packets that can be subsequently listened to or read using cryptographic tools for analysis and decryption.
Considerably harder to protect wireless communications from physical attack.

15. Physical Layer
Hardening measures include fencing, locks, access control cards, biometric access control systems and fire suppression systems.  
Monitoring methods include surveillance cameras and notification systems, such as intrusion detection sensors, heat sensors and smoke detectors.
Wiretapping can be foiled by enclosing transmission lines in sealed tubes containing an inert gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm. Some military systems use this technique. (from text for class) Gas Insulated Transmission Lines (GIL) are used in some power transmission designs.
Home WiFi: Change default settings, turn off routers when not in use, place wireless router in the center of the building

16. Router to Router Encryption
OSI Model and Security
Router to Router Encryption

17. Data Link Layer In the data link layer, frames can be encrypted.
All the details can be handled in the data link layer, with higher layers oblivious to what is going on.
However, packets have to be decrypted at each router, leaving them vulnerable to attacks from within the routers.
When applied to terrestrial networks, link layer encryption creates problems of delay and expense, but it is particularly useful in satellite links, because of their vulnerability to eavesdropping. In this case the satellite service provider takes responsibility for providing encryption between any two earth stations.

18. Multi-Layer: Intrusion detection
Intrusion Protection System (IPS)
Inline (part of direct communication)
Active (monitor & actively defend)
Send alarm
Drop malicious packets
Block traffic
Reset connection
Statistical Anomaly-Based Detection
Signature Detection
Exploit
Vulnerability (detects signatures not yet in its database)
Intrusion Detection System (IDS)
Analyze copy of stream outside direct line
Passive (monitor & notify)
Signature detection:
Exploit signatures (recognize known signatures)

19. OSI Model and Security
IPSec
Firewalls

20. Network Layer Two main defenses: IPsec and Firewalls
Traffic Analysis is a special type of inference attack. Identifies communication patterns between entities in a system
Replay Attack captures and retransmits data to trick the receiver into unauthorized operations such as false identification or authentication or a duplicate transaction. 

21. IPSec
IPsec Communication: uses a Security Association (SA) to establish a virtual connection between the sender and receiver (connection-oriented)
Transport mode is point-to-point, limited purpose
Tunnel Mode provides virtual secure communication between two endpoints
Encapsulates the entire payload IP packet and makes traffic analysis more difficult
Provides for Virtual Private Network (VPN), either between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway).
Two Security Protocols
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Benefits
Confidentiality: Enables encryption, prevents eavesdropping
Origin authentication and data integrity
Key management using Internet Key Exchange (IKE)
Protection against replay attacks.

22. Virtual private network (Vpn)
IPsec provides an easy mechanism for implementing Virtual Private Network (VPN)
VPN technology allows an institution’s inter-office traffic to be sent safely over public Internet by encrypting traffic before entering the public Internet
IPsec supports 56-bit (single DES) or 168-bit (triple-DES) encryption

23. Firewalls
A firewall is the drawbridge of a castle surrounded by a moat. Everyone entering or leaving has to pass over that single drawbridge and be inspected by the I/O police.
Networks must secure information being transported, but they also must prevent malware and getting into the system.
Firewalls keep good bits in and bad bits out. They protect networks using hardware or software from unauthorized access.
Controls network traffic at the TCP/IP port level, by blocking access to unwanted ports. However, it keeps open those ports used by applications—for example, port 80 for HTTP traffic. Thus, all attacks over HTTP will not be stopped by the firewall.
Wireless routers have firewall features.
A firewall can be hardware or software. Home users with PCs can use Windows 10 firewall.

24. Transport Layer
Transport Layer Security (TLS) protocols operate above the TCP layer. Design of these protocols use popular Application Program Interfaces (API) to TCP, called “sockets" for interfacing with TCP layer.
Applications are interfaced to Transport Security Layer instead of TCP directly. Transport Security Layer provides a simple API with sockets, SSL
Another transport layer protocol, Secure Shell (SSH), designed to replace the TELNET, provides secure means of remote logon facility. It is capable of providing various services such as Secure Command Shell and SFTP.

25. Ssl – Secure Socket Layer
Confidentiality (encryption)
Authentication 
Communication entities identify each other using digital certificates.
Web-server authentication is mandatory but client authentication is optional
Reliability with integrity checks
TCP only
Record – encryption, formatting
Handshake: Server authentication, Key and algorithm negotiation, Establishing keys and Client authentication (optional).
Cipher Change: a single message exchanged between two communicating entities, the client and the server, noting that all future exchanges are secure
Alert: Report errors, send notifications

26. CRYPTOGRAPHY
Substitution & Transposition Ciphers, Symmetric Key, AES, RSA

27. Substitution Ciphers
Replaces a letter or group of letters is replaced by another letter or group of letters.
The Caesar cipher, as in Julius Caesar. Each letter is replaced by the 3rd one away. A becomes D. Variations use different offsets.
For example, Dr. Ahuja becomes gu. dkxmd.
Broken using frequency analysis.

28. Example of base64 encryption (obfuscation)
Look up original letters in table.
Convert to 8-bit binary
Break into 6-bit values
Use decimal value as index to find encoded value.
Python Code

29. Transposition Ciphers
Changes the order of the message
Reverse text, reverse words
Other cipher practices:
Remove spaces
Remove punctuation
Break into 5 letter “words”
Scytale (like Italy) aka Columnar
SEHCT AWTSI RWSSI WSERA SEHCT AWTSI RWHCI HW

30. The Key is the Key
The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.
Secrecy comes from having a strong (but public) algorithm and a long key. To prevent your kid brother from reading your , 64-bit keys will do. For routine commercial use, at least 128 bits should be used. To keep major governments at bay, keys of at least 256 bits, preferably more, are needed.

31. Symmetric key encryption
Cryptography uses stable and publicly known encryption algorithms. Secrecy lies exclusively in the keys.
Kerckhoff’s principle, named after the Flemish military cryptographer Auguste Kerckhoff who first stated it in 1883:
“All algorithms must be public; only the keys are secret”
Confusion: Changing one bit of the key changes ½ of the output bits
Diffusion: Changing one bit of the plaintext changes half of the output bits

32. Advanced Encryption Standard (Aes)
Established by US National Institute of Standards and Technology (NIST) in 2001.
Belgian authors Vincent Rijmen and Joan Daemen
Known as Rijndael
Replaced Data Encryption Standard (DES) from 1977
Approved by National Security Agency (NSA) for encryption of military secrets
Symmetric-key algorithm
Considered very strong encryption
Rijndael Design Rationale
Resistance against all known attacks
Speed and code compactness on a wide range of platforms
Design simplicity

33. The Rijndael Block cipher
An iterated block cipher using rounds of transformation and permutation
A Round Key is derived using key schedule.
The number of rounds is a function of block and key length.
State is a rectangular array of bytes with 4 rows. The number of columns = block length ÷ 32.
Cipher Key is an array 4 rows * 4 columns.
Round(State, RoundKey) {
ByteSub(State); /*non-linear byte substitution */
ShiftRow(State); /*cyclic shift of each row */
MixColumn(State); /*apply function over all columns, not in final round*/
AddRoundKey(State,RoundKey); /*Bitwise XOR of Round Key */ }

34. AES Example

35. Rsa kEY
Rivest-Shamir-Adleman developed one of the first public-key cryptosystems (1978)
The encryption key is public, and the decryption key is private.
Based on two secret prime numbers
Four steps
Key generation
Key distribution
Encryption
Decryption
Euler’s Totient Function
science/cryptography/modern-crypt/v/euler-s-totient-function-phi- function’

36. RSA PYTHON EXAMPLE

37. RSA Example from Wikipedia
Choose 2 prime numbers: p = 61 nd 1

38. Public Key Encryption Asymmetric Encryption uses a pair of keys:
Public Key and Private Key
Public key is published and the corresponding private key is kept secret.
Data that is encrypted with the public key can be decrypted only with the corresponding private key.
RSA public key pairs can be any size. Typical sizes today are 1024 and 2048 bits.
Generate RSA key pairs with Unix or using Putty in Windows
oud/iaas/compute-iaas- cloud/stcsg/generating-ssh- key-pair.html

39. OSI Model and Security
Authentication
Encryption

40. Application Layer - https
User authentication and non-repudiation are handled in the application layer.
Hyper Text Transfer Protocol (HTTP) is used for web browsing. The function of HTTPS is similar to HTTP. The only difference is that HTTPS provides secure web browsing.
HTTPS stands for HTTP over SSL. This protocol is used to provide the encrypted and authenticated connection between the client web browser and the website server.
Secure browsing through HTTPS ensures that the following content are encrypted.
URL of the requested web page.
Web page contents provided by the server to the user client.
Contents of forms filled in by user.
Cookies established in both directions.

41. Authentication with Digital Signature
Since the hash of data is a unique representation of data, it is sufficient to sign the hash in place of data. The most important reason of using hash instead of data directly for signing is efficiency of the scheme.

42. Authentication with Digital Signature
In the physical world, it is common to use handwritten signatures on handwritten or typed messages. They are used to bind signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by receiver as well as any third party.
Digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer.
In real world, the receiver of message needs assurance that the message belongs to the sender and he should not be able to repudiate the origination of that message. This requirement is very crucial in business applications, since likelihood of a dispute over exchanged data is very high.

43. Authentication with Digital Signature
A digital signature securely associates a signer with a document in a recorded transaction.
Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance.
Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document. The buyer who receives the document also receives a copy of Jane’s public key. If the public key can’t decrypt the signature (via the cipher from which the keys were created), it means the signature isn’t Jane’s, or has been changed since it was signed. The signature is then considered invalid.
To protect the integrity of the signature, PKI requires that the keys be created, conducted, and saved in a secure manner, and often requires the services of a reliable Certificate Authority (CA). Digital signature providers, like DocuSign, meet PKI requirements for safe digital signing.
The digital signature ensures integrity, authentication and non-repudiation. To achieve confidentiality encryption is also needed.
A crypto system based on sign-then-encrypt can be exploited by receiver to spoof identity of sender and sent that data to third party. The process of encrypt-then-sign is more reliable and widely adopted.
The receiver after receiving the encrypted data and signature on it, first verifies the signature using sender’s public key. After ensuring the validity of the signature, he then retrieves the data through decryption using his private key.

44. Application Layer - Email
Pretty Good Privacy (PGP) is an encryption scheme. It has become the de-facto standard for providing security services for e- mail communication.
As discussed above, it uses public key cryptography, symmetric key cryptography, hash function, and digital signature. It provides −
Privacy
Sender Authentication
Message Integrity
Non-repudiation
Along with these security services, it also provides data compression and key management support. PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., rather than inventing the new ones.

45. Application Layer - DNSSEC
DNS Cache Poisoning/Spoofing: a type of cyber-attack that exploits system vulnerabilities in the domain name server to divert traffic away from legitimate servers and directs it towards fake ones.
Domain Name System Security Extensions (DNSSEC) is an Internet standard that can foil such attacks.

46. NETWORK SECURITY: USER LAYER
Incompetent employees
Malicious employees
Overworked employees
Poor Policy Execution
Understaffed functions/Underfunded functions
Equifax CEO claims the breach was due to failure to apply software update.
Is that a failure of the person or the executive and board decisions about cost vs. risk?

47. A ChecKlist for security
Security Policy!
Firewall
VPN
Intrusion Prevention
Thorough and Minimal
No default passwords or ids
No unnecessary accounts
No unnecessary software or utilities
Password and User Management
Malware Protection
Software Patch and Update Management
Strong Encryption
Wireless Encryption (PGA2)

48. References Stallings Cryptography and Network Security
utorial.pdf
IBM Cost of Data Breach
network
Cryptography with Python
Rijndael AES Document
Docusign Digital Signature

49. Thank you! Contact: Nancy Carrier

50. Hash functions are not cryptography but are part of security…