Download presentation
Presentation is loading. Please wait.
1
ECE 544 Spring 2010 Lecture 9: Network Security
D. Raychaudhuri
2
Today’s Lecture Introduction Security Protocols System Security
Security Services and Mechanisms, Security Attacks Model for Internet Security Cryptography Symmetric Key algorithms: DES, 3DES, RC4, etc. Asymmetric Key algorithms: Public-keys, Hash Algorithms, Digital signatures Security Protocols Authentication, IP security (IPSec),SSL(TSL), Mail Security(PGP) System Security viruses, intruders, worms Firewalls
3
Introduction, Security Services
Confidentiality Protection of transmitted data Authentication Assuring that communication is authentic Integrity Assuring that received message was not duplicated, modified, reordered, and replayed Non-repudiation Proving that message was in fact sent by the alleged sender. Access Control Ability to limit and control access to system Availability Loss of or reduction of availability(denial of service)
4
Introduction, Security Mechanisms
Encryption DES, RC4, AES Hash algorithms MD5, SHA Public key algorithms RSA, Diffie-Hellman Message integrity Digital signatures & certificates Public key distribution Authentication algorithms Kerberos
5
Introduction, Security Attacks
Interruption System is destroyed or becomes unavailable or usable, blocking the communication. Link high-jacking Interception Unauthorized party gains access to communication, attack on confidentiality, decrypting communication, traffic analysis Modification Unauthorized party not only gains access but also tampers with communication. Changing value in data file Fabrication Unauthorized party inserts counterfeit information into communication, attack on integrity. Creating artificial messages.
6
Security Threats
7
Security Threats
8
Cryptography, Conventional Encryption Model
Operation used for transforming plaintext to ciphertext Substitution: elements in plaintext are mapped into another element Transposition: elements in plaintext are rearranged Number of key used Both sender and receiver use the same key, system is symmetric single-key, secret-key or conventional encryption Sender and receiver each uses a different key, system is asymmetric key Way in which the plaintext is processed Block cipher, input data processed block by block Stream cipher, input data processed continuously Cryptanalysis Process (science) to break encryption
9
Conventional Encryption
Ciphertext=Plaintext Key Plaintext=Ciphertext Key = (Plaintext Key) Key = Plaintext (Key Key) = Plaintext
10
Classical Encryption Techniques
Cesar Cipher Plain: meet me after the party Cipher: PHHW PH DIWHU WKH SDUWB C=E(p)=(p+3) mod(26) P=m+3 (m, 1-n,2-l, 3-o, “P”) Polyalphabetic Cipher Key: deceptiondeceptiond Plain meetmeaftertheparty Cipher qjhxcyjuhiwwkujjghc C=E(kp), is exclusive-or(XOR) Rotor Machines: Famous “ENIGMA” These techniques became very weak around and after World War II.
11
Modern Security Taxonomy
Cryptography algorithms Public key (e.g., RSA) Secret (e.g., DES) Message digest (e.g., MD5) services Authentication Privacy integrity
12
Modern Cryptographic Algorithms
Cryptography Algorithms Secret Key (Symmetric) Symmetric key Block cipher (DES, AES) Stream ciphers (RC4) Public Key(Asymmetric) Asymmetric key Public-Private keys (Diffie-Hellman, RSA) Hash algorithms Authentication and integrity checking (MD5, SHA)
13
What Cryptography Does?
Diffusion: Statistical structure of the plaintext is dissipated into long range, each plaintext digit affects many ciphertext digits. Confusion: Seeks to make the relationship between the statistics of ciphertext and the encrypted value as complex as possible. P1 K = C1 P2 K = C2 C1 C2=P1 P2
14
Key sizes and Brute Force Attacks
There are two types of attacks that are used to attempt to break a cryptographic process [CNP99]. Brute Force - The opponent has the cryptographic algorithm, the ciphered (encrypted) text, and the plain text, and attempts all possible combinations of the cryptographic key in the cryptographic algorithm to determine which cryptographic key is used. A measure of merit of the brute force attack is the length of time (and processing power) for an exhaustive analysis of the key space (2n for n-bit key) The table on this chart summarizes capabilities of an opponent using brute force and exploiting a single state-of-the-art processor (PC), or parallel processing. It was announced in 1998, that DES (used with a 56-bit key) was broken. This attack took only a few months. A cryptographic key length of bits appears to provide sufficient vulnerability against brute force attacks for an extended period of time. Cryptanalytic - The opponent analyzes the cryptographic algorithm, and attempts to discover weaknesses that allows him to reduce the effective cryptographic key space. Several cryptanalytic attacks have been reported against TIA-EIA CAVE reducing the key space to around 235 [CNP99].
15
Block Ciphers Block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Example: DES(Data Encryption Standard), AES(Advance Encryption Technique) Plaintext Encryption Blocks Of plaintext Blocks Of ciphertext Secret Key
16
General DES Encryption Algorithm
64 bit plaintext 56 bit key Initial permutation Permuted choice1 K1 Round 1 Permuted choice2 Left circular shift K2 Round 2 Permuted choice2 Left circular shift K16 Round 16 Permuted choice2 Left circular shift 32-bit swap Reverse Initial Perm. 64 bit ciphertext
17
Single Round of DES Algorithm
32 bits 32 bits 28 bits 28 bits L(i-1) R(i-1) C(i-1) D(i-1) Expansion Left shift (s) Left shift (s) 48 bits F Permutation Construction K(i) Choice/Perm C(i) D(i) L(i) R(i) L(i)=R(i-1), R(i)=L(i-1) F(R(i-1),K(i)
18
3DES DES key is 56 bit, not good enough, but widely available in HW and SW, so use three times with different keys. Plaintext DES DES DES Ciphertext Output Input Shared Secret Key1 Shared Secret Key2 Shared Secret Key3
19
Stream Ciphers Encrypt a digital data stream one bit or one byte at a time Example: RC4(Rivest Cipher-4) Plaintext Encryption Ciphertext Key stream Key Gen Shared Key
20
Hash Algorithms (requirements)
Produce a FINGERPRINT of the message, entity Can be applied to a block of data of any size Produces fixed length output Relatively easy to compute both HW and SW It should be infeasible to compute message from hash (one-way property) Computationally infeasible to get same hash value for different messages (weak collision resistance) Computationally infeasible to find any message pair whose have same hash values (strong collision resistance)
21
Hash Algorithms(one-way functions)
Integrity checking, authentication of the message Message => MD5 output (128bit) => 7c c1c0c3deda6103b10fdfa1 => eac9407dc999ae35ba5e6851e28d7c53 Plaintext Plaintext At source Hash function Hash value Plaintext Hash function At destination Hash value Compare if both same
22
Hash Algorithms(one-way functions)
Transform Initial “ digest ” (constant) Message (padded) Message digest 512 bits …
23
Using Hash Algorithm-2 MD5 message is a 512 bit data packet bit message digest Secret initial value of MD
24
View of Public Key Scheme
25
Public Key Ciphers Diffie-Hellman Key Exchange
Enable two users to exchange keys Depends on difficulty of computing discrete logarithms P is prime number, A is its primitive root of P; so numbers A mod(P), A2 mod(P), …..,AP-1 mod(P) are distinct and consists of integers from 1 through p-1 in some permutation. If P=11, then A=2 is primitive root with respect to P 21 mod(11)=2, 22mod(11)=4, 23mod(11)=9, 24mod(11)=5, … ……,210mod(11)=1
26
Diffie-Hellman Global public elements, prime number P and primitive root E, with E< P User A selects private key XA <P, Calculates public key YA =E XAmod(P) User B selects private key XB <P, Calculates public key YB =E XBmod(P) User A calculates K, K=(YB) XA mod(P) User B calculates K, K=(YA) XB mod(P)
27
Diffie-Hellman(example)
Global public elements, prime number and primitive root P=97 and E=5 User A selects private XA=36 where XA <P, Calculates public YA YA =5 36mod(97)=50 User B selects private XB=58 where XB <P, Calculates public YB YB =5 58mod(P)=44 User A calculates K, K=(YB) XA mod(97) = mod(97)=75 User B calculates K, K=(YA) XA mod(97) = mod(97)=75
28
Public Key Ciphers - RSA
RSA(Rivest, Shamir, Adelman) Similar to Diffie-Hellman, but uses large exponentials, plaintext is encrypted in blocks having a binary value N. M is plaintext block, e is exponent then, C=Me mod(n) C, is the encrypted ciphertext M=Cd mod(n)= (Me)d mod(n)= Med mod(n) Public key, (e,n), Private key(d,n) Requirements Possible to find values of e,d,n to satisfy above calculations Relatively easy to calculate Me and Cd for all values of M<n Infeasible to determine d given e and n
29
RSA (example) Suppose p=7 and q=9; n=pxq = 77 Also (p-1)(q-1)=60
Choose e as a number relative prime to 60 Suppose e=7 Then d= 7 -1 mod((7-1)x(11-1)) or 7xd= 1 mod 60 So that d=43 Public key (e,n) = (7,77); Private key (d,n) = (43,77) For encryption of m=9, we compute c= m e mod n = mod 77 = 37 this is the cipertext Receiver computes m= c d mod n = c= mod 77 = 9
30
Authentication with Public Keys
31
Comparison between Public and Secret Key Algorithm
~ Mbps DES ~100 Kbps RSA Effort to crack 64 128 512 2K Key length (bits)
32
Security Protocols: (1) Authentication
Three-way hand shake, client and server have shared secret key Trusted third party (as in kerberos) Public Key Authentication (RSA) Digital signatures
33
Authentication Protocols
Authentication between two entities: Three-way hand shake, client and server have shared secret keys Challenge-response method
34
Authentication Protocols: Kerberos
Authentication between two entities via trusted third party Two 2-way handshakes with third party Challenge-response method A identifies itself and B to S T: time-stamp L: lifetime K: session key A S B E (( T , L K ), ) ( + 1, A decrypts T and encodes with session key K and passes on the second message Server sends two message To A, one with A’s key and another with B’s, both containing session keys B decrypts K and responds To A with T+1 encoded by K
35
Authentication Protocols
Public key authentication No secret shared key needed
36
Authentication with KERBEROS
37
Message Integrity Digital signature
Sender uses private key to sign message Receiver decrypts with public key, e.g RSA Keyed MD5 Sender transmits m + MD5(m+k) k is a secret key known to both sender & rx Receiver matches secret key to confirm
38
Key Distribution A key could be selected by A and physically delivered to B. A third party could select the key and physically deliver it to A and B. If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
39
Key Distribution: Certificates
User CA PCA1 PCA2 IPRA PCA3 = Internet Policy Registration Authority (root) PCA n policy certification authority certification authority
40
Overview of PGP(Pretty Good Privacy)
Consist of five services: Authentication Confidentiality Compression compatibility Segmentation
41
Security(PGP)
42
IP Layer Security (IPSec)
Suite of protocols developed by IETF to address security at the IP level, and provide secure communications across the Internet IPSec supports the following features Two security protocols: 1) Authentication Header (AH), and 2) Encapsulating Security Payload (ESP) Two modes of operation: 1) Transport, and 2) Tunnel Two key management protocols: 1) Internet Key Exchange (IKE), and 2) IP Security Association Key Management Protocol (ISAKMP) Six security services: 1) Access control, 2) Connectionless integrity, 3) Data origin authentication, 4) Rejection of replayed packets, 5) Confidentiality (encryption), and 6) Limited traffic flow confidentiality Security policies that determine how machines communicate via IPSec, and the security services they can access Support for IPSec features is optional (mandatory) for IPv4 (IPv6)
43
IP Security Overview Benefits of IPSec IPSec can assure that:
Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged
44
IP Security Scenario
45
IPSec Modes Transport Mode SA Tunnel Mode SA AH ESP
Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet.
46
IP Security (IPSec Services)
IPSec provides security services at the IP layer by allowing a system to: i) select the required security protocols, ii) determine the algorithms to use for the services, and iii) put in provide any cryptographic keys required to support the requested services. The table shows the six security services supported by IPSec, and the capabilities supported by the AH and ESP protocols [STA98]. They services are: Access control Connectionless integrity Data origin authentication Rejection of replayed packets (a form of partial sequence integrity) Confidentiality (encryption) Limited traffic flow confidentiality. ESP with encryption and authentication supports all six services, while ESP with encryption only does not support connectionless integrity and data origin and authentication. On the other hand, AH does not support confidentiality, and limited traffic flow confidentiality.
47
IPSec Headers IP Sec Authentication header IP Sec ESP header
48
IPSec Headers in AH
49
Tunnel Mode (AH Authentication)
50
End-to-end versus End-to-Intermediate Authentication
51
Web-Based Security SSL,TLS and WTLS
SSL was originated by Netscape TLS working group was formed within IETF First version of TLS can be viewed as an SSLv3.1 Wireless TLS (WTLS) Protocol
52
Web-Based Security (SSL Protocol)
Secure Sockets Layer (SSL) protocol is an open protocol designed by Netscape, layered between the application protocol (e.g., HTTP) and TCP/IP SSL provides data encryption, server authentication, message integrity, and (optionally) client authentication for the TCP/IP connection SSL comes in 40-bit and 128-bit strengths (session key lengths) Record Protocol SSL Handshake Protocol SSL Alert Application (HTTP) SSL Change Cipher Spec TCP IP SSL Record Protocol Secure Sockets Layer (SSL) [NET96], [STA98] is a Netscape developed, industry-standard protocol, layered between the application (e.g., HTTP) and TCP/IP, to provide communications privacy and reliability over the Internet. It is built into all major browsers and web servers. Installing a digital certificate turns on its SSL capabilities. SSL comes in 40-bit and 128-bit strengths (length of the session key generated by each encrypted transaction). SSL provides data encryption, server authentication, message integrity, and (optionally) client authentication for the TCP/IP connection. SSL (v3) has two protocol layers. At the upper layer, there are three protocols, i.e., the Handshake Protocol, the Change Cipher Protocol, and the Alert Protocol. Handshake Protocol - The most complex part of SSL. It provides initial exchange of information to establish a secure connection between client and server before any potentially sensitive application data is sent. It provides client and server authentication, negotiation of encryption and MAC algorithms, and other cryptographic inputs to protect the data. Change Cipher Spec Protocol - A single 1-byte message with value 1 used to update the cipher suite to be used on the connection. Alert Protocol - A 2-byte message used to indicate errors during the session, or to terminate the session. At the lower layer, there is one protocol, i.e., the SSL Record Protocol. Record Protocol - Used during actual application data exchanges, following handshaking, to encapsulate various higher level protocols. The data is fragmented, (optionally) compressed, sealed with a MAC, encrypted, then transmitted to the receiving entity.
53
Web-Based Security (SSL Handshake Protocol)
Client Hello Message Server Hello Message Server Certificate Change_cipher_spec Finished Client Server Client Certificate Phase 1: Establish Security Capabilities Phase 2: Server Authentication & Key Exchange Phase 3: Client Authentication Phase 4: Finish This chart illustrates operation of the Handshake Protocol. It provides initial exchange of information to establish a secure connection between client and server before any potentially sensitive application data transfers take place. The initial exchange of information (initiated by the client) required to establish a logical connection between a client and server, can be divided into four phases as described below [STA98]: Phase 1: Establishment of Client-Server Security Capabilities - Initiated by client with a client_hello message (plus a server_hello response), establishes a logical connection, and associated security capabilities. The exchanges include highest SSL version understood by the client time-stamp and random number nonce to protect against replay attacks a session ID to indicate an existing or new connection a CipherSuite (e.g., DH, triple DES, SHA-1) supported by the client compression methods supported by the client Phase 2: Server Authentication and Key Exchange - Up to four messages, i.e., certificate (req.), server_key_exchange (op.), certificate_request (op.), server_done (req.), are sent by the server to allow the client to authenticate it. Phase 3: Client Authentication and Key Exchange (Optional) - Up to three messages, i.e., certificate (op.), client_key_exchange (req.), certificate_verify (op.), are sent by the client to allow the server to authenticate it. Phase 4: The Finish - Completes setting up of the secure connection with a two-message exchange between the client and server, i.e., change_cipher_spec and finished. The two entities can now begin to exchange application layer data.
54
Web-Based Security (SSL Record Protocol)
Application Data Fragment Compress Add MAC Encrypt Append SSL Record Header 214 MAC (0, 16, or 20 bytes) SSL Record Header (5 bytes) The SSL Record Protocol used during the actual exchange of application data, provides two services for SSL connections [STA98] : Message Integrity - The application data is first broken up into smaller blocks, up to 214 bytes long. Each block is then compressed (optionally). Note that compression can actually result in an expansion of the block to up to bytes. The compressed data is then sealed with a MAC that can be 0, 16, or 20 bytes long, to form the integrity-protected data that is up to bytes long. The Handshake Protocol defines a shared secret key that is used to form the MAC. Data Confidentiality - The integrity-protected data is encrypted using a shared secret key defined by the the Handshake Protocol, and used for conventional encryption of SSL payloads. Following encryption, a 5-byte SSL record header is appended to the ciphered data, and then transmitted to the receiving entity. At the remote site, the recipient decrypts the data, verifies the MAC, decompresses the data (optionally), then re-assemblies the data for presentation to the application. SSL provides simplicity, flexibility, and proven robustness against Web adversaries because of the connection privacy and reliability provided at the SSL Record Protocol layer. On the other hand, SSL is susceptibility to version (2) rollback attacks, and the possibility of breaking the 40-bit session keys.
55
Web-Based Security SSL-TLS Protocol
Transport Layer Security (TLS) is an IETF standard version of SSL (version 3) that is backward compatible with SSLv3 Differences between TLS 1.0 and SSLv3 MAC Schemes: Two differences in the actual algorithm and scope of the MAC calculation PN Function: TLS uses a PN function to expand the small shared secret keys to protect against Hash function and MAC attacks Alert Codes: TLS supports all alert codes defined in SSLv3 (except no_certificate), plus 12 additional codes, 9 of which are always fatal Cipher Suites: TLS supports all SSLv3 key exchange techniques, and includes all symmetric encryption algorithms except Fortezza Client Certificate Types: TLS does not include the Fortezza scheme or ephemeral DH types Differences also exist in the certificate-verify and finished messages, cryptographic computations, and the paddings Transport Layer Security (TLS) [DIE99] is the IETF’s standard version of SSL (version 3). The main differences between TLS 1.0 and SSLv3 are [STA98]: Compatibility: TLS is backward compatible, but not interoperable, with SSLv3. If a client or server using TLS 1.0 wishes to communicate with an SSLv3 counterpart, it uses the backward compatibility option to speak SSLv3. Version Number: For the TLS Record Format, the minor version number is 1. MAC: i) TLS XORs padding bytes with the secret key padded to the block length, instead of concatenation. ii) TLS MAC calculation covers all fields covered by SSLv3 plus TLSCompressed.version, the protocol version being used. Pseudorandom Function: TLS uses a PRF to expand the secret keys so that a small shared secret value can protect against Hash function and MAC attacks. Alert Codes: TLS supports all alert codes defined in SSLv3 (except no_certificate), plus 12 additional codes, 9 of which are always fatal. Cipher Suites: TLS supports all SSLv3 key exchange techniques except Fortezza, and includes all symmetric encryption algorithms except Fortezza. Client Certificate Types: The rsa_ephemeral_dh, dss_ephemeral_dh, and fortezza_kea SSLv3 defined certificate types are excluded from TLS. Certificate_Verify: For TLS certificate_verify messages, MD5 and SHA-1 hashes are calculated over handshake messages. Finished Messages and Cryptographic Computations : For TLS, the calculations are somewhat different. Padding: TLS Padding prior to data encryption limits the total un-encrypted data size to a multiple of the cipher block length, up to 255 bytes.
56
Firewalls Effective means of protection a local system or network of systems from network-based security threats while affording access to the outside world via WAN`s or the Internet Special router sits between a site and the rest of the network. Design goals: All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall) Only authorized traffic (defined by the local security police) will be allowed to pass
57
Firewall Configurations
Screened host firewall system (single-homed bastion host)
58
Firewall Configurations
Packet filtering FILTER(IP addr in, port #, IP addr out, port #) Use of wild cards such as ( *.*,*, *,*) means block all traffic from net
59
Firewall Configurations
Proxy firewalls Permits access to certain pages in a website, but not others… Often referred to as layer 4 switching… http
60
Firewall Design Principles
Information systems undergo a steady evolution (from small LAN`s to Internet connectivity) Strong security features for all workstations and servers not established The firewall is inserted between the premises network and the Internet Aims: Establish a controlled link Protect the premises network from Internet-based attacks Provide a single choke point
61
Viruses and ”Malicious Programs”
Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
62
Taxanomy of Malicious Programs
Need Host Program Independent Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms
63
Definitions Virus - code that copies itself into other programs.
A “Bacteria” replicates until it fills all disk space, or CPU cycles. Payload - harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on messages or attached documents (e.g., macro viruses). Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
64
IEEE 802.11b Security, WEP Wired equivalent privacy(WEP)
Designed to provide link layer security for IEEE networks Plaintext Message CRC-32 XOR Generated Key=RC4(iv, ssk) IV Ciphertext WEP Frame
65
Shared Secret Key(40-bit) WEP Encipherment/Decipherment Block Diagram
What is WEP? IV CIPHER- TEXT (DATA +ICV) IV (24-bit) | | WEP PRNG Seed (64-bit) Key Sequence (MPDU+32) Shared Secret Key (40-bit) Encrypted Transmission | | Plaintext Integrity Algorithm (Message - Data+64) (ICV) (CRC-32) Shared Secret Key(40-bit) Seed (64-bit) | | IV CIPHER- TEXT (DATA +ICV) Plaintext WEP PRNG (ICV) Integrity Algorithm (ICV’) = ? Yes WEP Encipherment/Decipherment Block Diagram
66
SSK Authentication Mechanism
Security services provided with WEP Privacy: RC4 with 40-bit SSK (or 104-bit SSK in WEP2) Integrity: CRC-32 Authentication: Open system or SSK based Access Control: SSK based Non-repudiation: None Replay: None SSK Authentication Mechanism
67
Too much faith in “shared secret key”
Weaknesses of existing WEP RC4 is stream cipher with 40-bit (or 104-bit) SSK 40-bit is short, 104 bit long but not secure 24-bit IV can be exhausted(at 16M packet) Produces equivalent ciphertext from equivalent plaintext streams, IP packets have many common data streams CRC-32 is linear, CRC(X+Y)=CRC(X)+CRC(Y) No automatic key distribution mechanism, no scalability No user authentication Too much faith in “shared secret key”
68
Proposed solutions Better encryption algorithm: Advanced Encryption Standard(AES), 128-bit block cipher Better integrity checking: AES in offset code book (OCB) Better authentication protocols Authentication services which includes the user as well: “upper layer” authentication in addition to open system and shared secret key
69
Homework 8.8 8.11 8.15 8.23
70
References Textbook Crytography and Network Security, William Stallings, Printice Hall Internet Cryptography, Richard E. Smith, Addisson-Wesley Applied Cryptography, Bruce Schneier, Wiley
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.