1. Data & Network Security
4/16/2017
Data & Network Security
Mehrdad Nourani

2. Security Services & Traffic Confidentiality
4/16/2017
Session 09
Security Services &
Traffic Confidentiality

3. Security Management, Services and Threats
4/16/2017
Security Management, Services and Threats

4. 4/16/2017
Security Management
Security management functions are concerned with the management, control, and administration of security services for all secured entities within the security domain according to the defined policies.
Security management is responsible for the installation, monitoring, tuning, and restructuring of the available security services. Functions of security management include control and distribution, monitoring, event logging, event reporting, security audit trail and security recovery.
Based on the corresponding policy and target systems/network some of these functions may not apply or need not to be implemented.

5. Some of these services may appear "overlapping."
4/16/2017
Security Services
Security services are remedies, defenses, and countermeasures by which security threats are countered.
The specific implementation of each security service is based on one or more security mechanisms.
In general, we define six security services aimed to provide the following six basic security objectives.
Some of these services may appear "overlapping."
key management is an important function that has to be provided by any system involved in providing security services and data encryption.

6. 4/16/2017
Security Services (I)
Confidentiality and Privacy - is the protection of information exchange and traffic flow from unauthorized disclosure (or all passive attacks).
This service can be implemented at different layers of communication protocols and/or at several application/system levels.

7. Security Services (II)
4/16/2017
Security Services (II)
Integrity and Protection - is the protection of information exchange and storage from mostly active attacks and (wo)man-in-the-middle attacks/
It assures that information is received as sent, with no duplication, insertion, modification, reordering, or replay.

8. Security Services (III)
4/16/2017
Security Services (III)
Access Control and Authorization - in the context of network security, is the protection, limitation, and control of access to the host, operating system, and applications via communications links.
Authorization is to provide access rights as tailored to the individual user or application.

9. Security Services (IV)
4/16/2017
Security Services (IV)
Non-repudiation and Accountability - is concerned with preventing either sender or receiver from denying an exchanged information.
Sometimes, an arrangement to use an unbiased arbitrator, called a notary, is used when both parties are suspicious users.

10. 4/16/2017
Security Services (V)
Authentication - is concerned with assuring that the communication is authentic, including source of information, communicating systems or applications, and/or users.

11. Security Services (VI)
4/16/2017
Security Services (VI)
Availability and Non-Denial of Service - is concerned with assuring that a communication resource is not destroyed or blocked or becomes unavailable or unusable to its authorized users.
Denial of service means knocking off services without permission, e.g., flooding the file server with phony files causing a system crash, or congesting remote access servers with unauthorized access requests.

12. These attacks are aimed to compromise security.
4/16/2017
Security Threats
A threat or security attack is a potential violation of security or an intrusion for unauthorized, illegitimate, malicious or fraudulent purposes.
These attacks are aimed to compromise security.
The points of attack (or attacking points) can occur at various weakness points within a security perimeter, and can be at any level or layer of realization, e.g., at the physical system realization level, at the system or network level, at the communication protocol level, and so on.

13. Security Threat Classification
4/16/2017
Security Threat Classification
The nature of the attacks varies with the circumstances and according to the defined perimeter for the security.
Threats may be classified by their:
Type (e.g., accidental or intentional, passive or active)
Consequences
Sources (e.g., users or programs)
Objects of threats

14. Typical Intentional Threats
4/16/2017
Typical Intentional Threats

15. Typical Intentional Threats (cont.)
4/16/2017
Typical Intentional Threats (cont.)

16. Some Products & Solutions
4/16/2017
Some Products & Solutions
Some security products/solutions are designed for a particular environment or for a special application.
They are considered as custom-designed combinations of the above services.
Examples of these are:
PGP (Pretty Good Privacy) - a widely used authentication and confidentiality service.
Kerberos - an authentication protocol based on conventional encryption to authenticate clients to servers, and vice versa. The Version 5 Kerberos was developed within the Internet community.
PEM (Privacy Enhancement Mail) - developed specifically as an Internet Standard for electronic mail.

17. 4/16/2017
Businesses & Threats

18. 4/16/2017
Security Mechanism
Security mechanisms are effective techniques and schemes used to implement a given security service with different degrees of complexity.
Security services are designed to detect, prevent, or recover from a security violation or attack.
For example, an abstract service like data confidentiality might be implemented using either the secret key data encryption mechanism or public key data encryption scheme.
In most practical cases, a combination of security mechanisms need to implement even one particular security service.
The services can be implemented either with strong mechanism or with weak mechanism (low, medium, or high security).

19. Well-Known Mechanisms
4/16/2017
Well-Known Mechanisms

20. Security Perimeter & Domain
4/16/2017
Security Perimeter & Domain

21. 4/16/2017
Security Borders
In communications network environment and where encryption (confidentiality and privacy) is desired, security borders can be established around:
Link-by-link
End-to-end (or application-to-application)
User-to-user (operating system to operating system)
Network edge-to-network edge

22. Link-by-Link Security
4/16/2017
Link-by-Link Security
Link-by-link security takes place at the lowest layers, where every transaction through a particular data-link is encrypted (secured).
Examples of this are data encryption devices placed at the physical and/or datalink layers.
Key management in this case can be simple because only the endpoints of the communication link need to exchange keys independent from the rest of the network.
The main problem is that leaving any link in the network unencrypted jeopardizes the security of the entire network.

23. 4/16/2017
End-to-End Security
If security is provided at higher layers, it is called end-to-end, when information is encrypted selectively and decrypted by the intended final recipient.
In this case, security devices are placed between the network layer and transport layer.
The security device must recognize protocols up to network layer (layer 3) and encrypt only the transport data units.
One problem is that the system is open to traffic analysis attack because the routing information for the data is not generally encrypted.

24. Security at Higher Levels
4/16/2017
Security at Higher Levels
Data security and encryption can be performed at higher layer and even for data storage.
At the application level, a hierarchy of security services may be defined, each providing security against a different perceived threat.
In general, security services are defined (within a particular border against outside world) for:
a user entity (either process or machine),
a network, a communication environment,
a computing environment, or
a stand-alone system.

25. 4/16/2017
Security Perimeter
A security perimeter as a homogeneous set of tools and measures, established around some communication and/or computing environment, to protect it from the outside nonsecure environment.
In general, security perimeters can be established around user, data processing and/or application, data storage, and data communication.

26. 4/16/2017
Security Domain
In practice, a security perimeter environment can be constituted of (or subdivided to) several heterogeneous security domains, each domain follows the same measures of its parent perimeter plus some possible extra measures.
A security domain is, therefore, a subset of users and resources of the global security perimeter environment, conforming to:
a unique security policy,
a single logical security management,
a single security administration,
a set of uniformly available elementary mathematical macros for provision of security services and mechanisms.

27. 4/16/2017
Domain Relationships
Entities that are subject to a single security policy, grouped together logically or physically, and administered by a single authority, called security management system (SMS), constitute a security domain.
The approach of structuring the boundaries of domains leads to various relationships between domains.
Domains may be disjoint, overlapping, or subsets of other domains.

28. Security Perimeters and Domains
4/16/2017
Security Perimeters and Domains
Each domain may be served by a central Security Management Center (SMC), which will be responsible for the policy making, management, and control of security services and activity on the network.
Some negotiation and resolutions is necessary in order to establish common sets and levels of security parameters.

29. Confidentiality Using Symmetric Encryption
4/16/2017
Confidentiality Using Symmetric Encryption

30. Confidentiality has been the main goal of encryption
4/16/2017
Confidentiality
Traditionally symmetric encryption is used to provide message confidentiality
Confidentiality has been the main goal of encryption
Other considerations added in the past few decades:
Authentication
Integrity
Digital signature
Have many locations where attacks can occur in typical scenarios.

31. Points of Vulnerability
4/16/2017
Points of Vulnerability 2 3 4 1
snooping from another workstation
use dial-in to LAN or server to snoop
use external router link to enter & snoop
monitor and/or modify traffic on external links

32. Potential Vulnerability
4/16/2017
Potential Vulnerability
consider typical scenario
workstations on LANs access other workstations & servers on LAN
LANs interconnected using switches/routers
with external lines or radio/satellite links
consider attacks and placement in this scenario
snooping from another workstation
use dial-in to LAN or server to snoop
use external router link to enter & snoop
monitor and/or modify traffic on external links
Have many locations where attacks can occur in typical scenarios.

33. have two major placement alternatives link encryption
What to Encrypt?
have two major placement alternatives
link encryption
encryption occurs independently on every link
implies must decrypt traffic between links
requires many devices, but paired keys
end-to-end encryption
encryption occurs between original source and final destination
need devices at each end with shared keys

34. Encrypt Across a Packet Network

35. Disadvantage of Link Encryption
One disadvantage of link encryption approach is that the message must be decrypted each time it enters a packet switch.
This is necessary because the packet switch must read the address (i.e., the virtual circuit number) in the packet header to route the packet.
Thus, the message is vulnerable at each switch. If this is a public packet-switching network (PSN), the user has no control over the security of the nodes.

36. Disadvantage of End-to-End Encryption
End-to-end approach would seem to secure the transmission against attacks on the network links or switches.
when using end-to-end encryption must leave headers in clear (unencrypted)
so network can correctly route information
hence although contents protected, traffic pattern flows are not (as they can be read)

37. End-to-End vs. Link Encryption
With end-to-end encryption, the user data are secure. However, the traffic pattern is not, because packet headers are transmitted in the clear.
To achieve greater security, both link and end-to-end encryption are needed.
Ideally we want both at once
end-to-end protects data contents over entire path and provides authentication
link protects traffic flows from monitoring but it requires a lot of encryption devices

38. End-to-End vs. Link Encryption (cont.)

39. Logical Placement of Encryption
can place encryption function at various layers in OSI Reference Model
link encryption occurs at layers 1 or 2
end-to-end can occur at layers 3, 4, 6, 7
E.g. the user data portion of all frames in ATM cells is encrypted
as move higher less information is encrypted but it is more secure though more complex with more entities and keys

40. Using an Encryption Processor
In network layer (layer 3):
each end system can engage in an encrypted exchange with another end system.
All the user processes and applications within each end system would employ the same encryption scheme with the same key to reach a particular target end system.
With this arrangement, it is desirable to off-load the encryption function to some sort of front-end processor.

41. Front-End Encryption Processor
The front-end processor (FEP) accepts and processes the packet
Red data: unencrypted (in clear)
Black data: encrypted

42. Scope of Encryption
Encryption service on end-to-end protocols (e.g. frame-delay or TCP) provides end-to-end security for traffic within a fully integrated inter-network.
Such scheme cannot deliver the security service to the traffic that crosses inter-network boundaries, such as electronic mail, electronic data interchange (EDI) and file transfer.

43. Scope of Encryption in OSI
Application Layer

44. Scope of Encryption in OSI (cont.)
For applications like electronic mail that have a store-and-forward capability, the only place to achieve end-to-end encryption is at the application layer.
A drawback of the application layer encryption is that the number of entities to consider increases dramatically, e.g.
Supporting hundreds of hosts
Supporting thousands of users
Need to manage (generate and distribute) many more secret keys
As we move up in the communication hierarchy, less information is encrypted but it is more secure.

45. Encryption and Protocol Levels
In application level:
Only user data portion of a TCP segment is encrypted
In transport/session (TCP) level:
the user data and the TCP header are encrypted. The IP header is needed by router to route the IP datagram.

46. Encryption and Protocol Levels (cont.)
When a message passes through a gateway:
TCP header is terminated and a new transport connection is opened for the next hop
The gateway is treated as a destination by the underlying IP. Thus, all data is decrypted in gateway.
If the next hop is over TCP/IP, then the user data and TCP header are encrypted again.

47. Encryption and Protocol Levels (cont.)
In link level:
Entire data unit except for the link header and trailer is encrypted on each link.
The entire data unit is in the clear (unencrypted) at each router or gateway.

48. Traffic Analysis is monitoring of communications flows between parties
useful both in military & commercial spheres
can also be used to create a covert channel (using the communication channel in a way that violates the security policy, e.g. an employee sends a short message as “0” and a long message as “1”. If an outsider can monitor the channel they effectively established a covert channel)
Traffic analysis violates confidentiality since by monitoring length, duration etc. of communication one can find useful information like:
Identity of partners
How frequently they communicated
Message pattern, level of importance
Correlation between events and communication …

49. A Solution to Traffic Analysis
link encryption obscures header details
but overall traffic volumes in networks and at end-points is still visible
Traffic padding:
Generate random messages (even if there is none)
Uniform the length of messages at the transport/application level
traffic padding can further obscure flows
but at cost of continuous traffic

50. A Solution to Traffic Analysis (cont.)
Protecting end-to-end encryption against traffic analysis is more difficult.
Since two sides should do encryption and decryption, the choices to defend against traffic analysis is more limited.
Still you can obscure the underlying traffic by:
Padding out data units to a uniform length at transport or application layer
Inserting null messages into the stream randomly

51. 4/16/2017
Key Distribution

52. Symmetric Encryption
All of the methods discusses so far use a single key that must be strictly kept secret. These systems are called symmetric-encryption (or secret-key or private-key) systems.
Key distribution is still a challenge. One approach is based on sending pieces of key through separate channels.

53. Importance of Key Distribution
4/16/2017
Importance of Key Distribution
symmetric schemes require both parties to share a common secret key
issue is how to securely distribute this key
often secure system failure due to a break in the key distribution scheme
This is one of the most critical areas in security systems - on many occasions systems have been broken, not because of a poor encryption algorithm, but because of poor key selection or management. It is absolutely critical to get this right!

54. Key Distribution Mechanisms
4/16/2017
Key Distribution Mechanisms
given parties A and B, there are various key distribution alternatives:
A can select key and physically deliver to B
third party can select & deliver key to A & B
if A & B have communicated previously can use previous key to encrypt a new key
if A & B have secure communications with a third party C, C can relay key between A & B
For practical large distributed systems in which many links/hosts/users need to exchange keys option 4 is the answer.
Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. Is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows.
A third party is a trusted intermediary, whom all parties trust, to mediate the establishment of secure communications between them. Must trust intermediary not to abuse the knowledge of all session keys.
As number of parties grow, some variant of 4 is only practical solution.

55. Key Distribution Mechanisms (cont.)
4/16/2017
Key Distribution Mechanisms (cont.)
Link Encryption: Use methods (1) or (2) because only two devices communicate.
End-to-end Encryption:
Manual delivery is not possible due to exponential growth.
At the network/IP level a key is needed for each pair of hosts. (For N hosts, we need N(N-1)/2 keys).
At the application level a key is needed for every pair of users/processes. (e.g nodes require C21000≈ keys)

56. Key Distribution Mechanisms (cont.)
4/16/2017
Key Distribution Mechanisms (cont.)
(3) Can be used for both link and end-to-end encryptions. However, if an attacker find one key then all subsequent keys will be revealed.
(4) is widely used for end-to-end encryption using at least 2-levels of keys:
Session key: a temporary key for the duration of logical connection (e.g. transport connection)
Master key: is used to encrypt and send session keys. It is distributed in some non-cryptographic way (e.g. physical delivery). For N pairs only N master keys are needed.

57. Key Distribution Scenario
4/16/2017
Key Distribution Scenario
Stallings Fig 7.9.
Based on concept of having a “Key Distribution Center” (KDC) which shares a unique key with each party (user).
See text for details of steps in distribution process.

58. Key Distribution Scenarios (cont.)
4/16/2017
Key Distribution Scenarios (cont.)
A issues a request to KDC for a session key. The message includes the identity of A and B and N1 (called nonce, e.g. a random number).
KDC responds with a message encrypted with Ka (master key of A). The message includes:
One-time session key Ks.
Original request and nonce of A
Ks and identifier of A (e.g. A’s network address) encrypted with Kb
A stores Ks and send EKb(Ks||IDA) to B
Using Ks, B sends a nonce N2 to A.
Using Ks A responds f(N2) (a transformation of N2 e.g. N2+1) for authentication.
According to dictionary:
Nonce=the present or particular occasion
Nonce word=a word occurring, invented or used just for a particular occasion

59. Key Distribution Scenarios (cont.)
4/16/2017
Key Distribution Scenarios (cont.)
Note that the actual key distribution involves only steps 1 through 3.
After step 3, both A and B have the session key Ks and they may begin their protected exchange of information.
Steps 3, 4 and 5 together perform an authentication function.
They assume B that the original message it received in step 3 was not a replay.
According to dictionary:
Nonce=the present or particular occasion
Nonce word=a word occurring, invented or used just for a particular occasion

60. Key Distribution Issues
hierarchies of KDC’s required for large networks, but must trust each other
session key lifetimes should be limited for greater security
use of automatic key distribution on behalf of users, but must trust system
use of decentralized key distribution
controlling purposes keys are used for

61. Automatic Key Distribution
For connection-oriented protocols (e.g. at network or transport levels) the key can be generated, using Front-End Processor, in a way that is transparent to the end user.

62. Automatic Key Distribution (cont.)
The KDC provides a one-time session key for that connection. The session keys are used for the duration of a session. At the conclusion of the session, or connection, the session key is destroyed.
The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.
Kerberos, used extensively in Microsoft Windows 2000, is modelled on a KDC.

63. Difficulties in Key Distribution
In general, a KDC supporting n sites, where each site needs a secret key with every other site, must make almost n2/2 keys.
The KDC is often burdened with extensive key management and can become a bottleneck.
If the KDC also acts as a key escrow agent, the KDC itself is an attractive target (e.g., for a distributed denial-of-service attack).
For these reasons, the symmetrical encryption is not very attractive in large networks and is avoided altogether.
Another approach to security is the public-key encryption, which makes key distribution much easier. We will discuss it in the next chapter.

64. Decentralized Key Control
4/16/2017
Decentralized Key Control
For small networks we may use a decentralized approach. Each node must maintain n-1 master keys.
A issues a request to B for a session key and includes a nonce N1.
B responds with a message that is encrypted using the shared master key (MKm). The response includes: the session key (Ks chosen by B), an identifier of B, value f(N1) and another nonce N2.
Using the new session key A returns f(N2) to B for authentication.
As the message transferred using the master key are short, cryptanalysis is difficult.
As before the session keys are used for only a limited time to protect them.

65. Controlling Key Usage
Sometimes it is useful to define different session keys on the basis of use (for various applications)
e.g. for communication, PIN-encrypted applications, file encryption, etc.
It’s often desirable to institute controls in systems that limit the ways in which keys are used, based on characteristics associated with those keys.
Method 1: Use a tag with each key
In DES, the actual key is 56 bits. 8 nonkey bits are used to indicate something, e.g.
1 bit indicate whether the key is a session key or a Master key
1 bit indicate whether it’s for encryption or decryption …
Two problems: 1) the length is limited and 2) the tag is not transmitted in clear form it can be used only at the point of decryption, limiting the ways in which the key can be controller.

66. Controlling Key Usage (cont.)
Method 2: Use control vector (CV).
KDC sends control vector in clear and can be used in any stage.
For master key Km and session key Ks :
Hash Value= H = h(CV)
Key Input = Km XOR H
Ciphertext = EKm XOR H [Ks]
Ks = DKm XOR H [EKm XOR H [Ks]
There is no restriction on length which enables arbitrarily complex controls to be imposed on each key
The control vector is available in clear form at all stages of operation. Thus, the control of key use can be exercised in multiple locations.

67. Controlling Key Usage (cont.)
To control some of the bits (for identification or hierarchy, etc.) a control vector is used. KDC sends control vector in clear and can be used in any stage.

68. 4/16/2017
Random Numbers

69. Importance of Random Numbers
4/16/2017
Importance of Random Numbers
many uses of random numbers in cryptography
nonces in authentication protocols to prevent replay (attacker stores old messages and replays them to fake his ID and get session key for A)
session keys
public key generation
Key stream for a one-time pad
in all cases its critical that these values be
statistically random
with uniform distribution, independent
unpredictable cannot infer future sequence on previous values
Getting good random numbers is important, but difficult. You don't want someone guessing the key you're using to protect your communications because your "random numbers" weren't (as happened in an early release of Netscape SSL).
Although have well-defined tests for determining that a sequence of numbers match uniform distribution, there is no such test to "prove“ independence. Rather, use a number of tests to demonstrate that a sequence does not
exhibit independence, until the confidence that independence exists is sufficiently strong.
Since often use pseudo-random number, must ensure cannot predict future elements of sequence on basis of
earlier elements.

70. best source is natural randomness in real world
Natural Random Noise
best source is natural randomness in real world
find a regular but random event and monitor
do generally need special hardware to do this
e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
starting to see such hardware in new CPU's
problems of bias or uneven distribution in signal
have to compensate for this when sample and use
best to only use a few noisiest bits from each sample

71. a few published collections of random numbers
Published Sources
a few published collections of random numbers
earlier Tippett in 1927 published a collection
Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel
has been used in some cipher designs, e.g. Khafre
issues are that:
these are limited
too well-known for most uses

72. Pseudorandom Number Generators (PRNGs)
For cryptography applications we need a deterministic algorithm to generate pseudorandom numbers.
how a deterministic algorithm generates random values?
A philosophical objection; not engineers’ concern
algorithmic technique to create “random numbers”
although not truly random
can pass many tests of “randomness”

73. Linear Congruential Generator
common iterative technique using:
Xn+1 = (aXn + c) mod m
where m>0 and 0≤a,c,Xn<m
X0 is the seed
m must be very large to have a long sequence
given suitable values of parameters can produce a long random-like sequence
suitable criteria to have are:
function generates a full-period
generated sequence should appear random
efficient implementation with 32-bit arithmetic
note that an attacker can reconstruct sequence given a small number of value

74. Practical Pseudorandom Generator
common iterative technique using:
Xn+1 = (16807Xn) mod (231-1)
If m is prime and c=0, the period of generating numbers is m-1
To be efficient in implementation we chose
Coefficient a=75=16807 generates very good random sequence and is widely used.
If an opponent is able to get X0, X1, X2, X3 these three equations can be solved for a, c and m.
To create unpredictability, use current clock mod m as the new seed to change the sequence every N numbers.

75. Using Block Ciphers as Stream Ciphers
can use block cipher to generate numbers
use Counter Mode
Xi = EKm[i]
use Output Feedback Mode
Xi = EKm[Xi-1]

76. Using Counter Mode
use Counter Mode
Xi = EKm[i]
The counter has period of N , e.g. 256 when 56-bit DES keys are used
Since the master key is protected it is not possible to deduce the secret key from earlier keys

77. Using Output Feedback Mode
The output of each stage is a 64-bit value of which the s leftmost bits are fed back for encryption.
Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties.

78. ANSI X9.17 Pseudorandom Number Gen.
ANSI X9.17 PRNG
uses date-time + seed inputs and 3 triple-DES encryptions to generate new seed & random
Input: two pseudorandom inputs:
DTi : a 64-bit representation of the current date/time
a 64-bit seed Vi generated at the beginning of ith stage
Keys (K1,K2): all 3DES modules use the same pair of 56-bit keys
Output: 64-bit pseudorandom number (Ri) and 64-bit seed value (Vi+1)
Ri = EDEK1,K2[Vi  EDEK1,K2[DTi]]
Vi+1= EDEK1,K2[Ri  EDEK1,K2[DTi]]

79. Blum Blum Shub (BBS) Generator
based on public key algorithms
Choose:
two prime numbers p,q such that p≡q≡3(mod 4)
n=p.q
a random number s (seed) such that it is relatively prime to n (i.e. neither p nor q is a factor of s).
The BBS generates sequence of bits Bi as follows:
X0=s2 mod n
For i=1 to ∞
Xi=(Xi-1)2 mod n (All Xi is a number 0 ≤ Xi < n )
Bi=Xi mod (Bi is least significant bit of Xi)

80. Features of BBS Generator
unpredictable, passes next-bit test (see table for n=192649=283x503 and s=101355).
security rests on difficulty of factoring n (i.e. given n determine its two prime factors p and q)
is unpredictable given any run of bits (given k bits of the sequence it is impossible to determine bit k+1 with probability above ½)
slow, since very large numbers must be used
too slow for cipher use, good for key generation i

81. Summary have considered:
use of symmetric encryption to protect confidentiality
need for good key distribution
use of trusted third party KDC’s
random number generation