Presentation is loading. Please wait.

Presentation is loading. Please wait.

7: Network Security1 15: Network Security Basics Last Modified: 7/12/2015 3:54:55 PM.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "7: Network Security1 15: Network Security Basics Last Modified: 7/12/2015 3:54:55 PM."— Presentation transcript:

1 7: Network Security1 15: Network Security Basics Last Modified: 7/12/2015 3:54:55 PM

2 7: Network Security2 Importance of Network Security? r Think about… m The most private, embarrassing or valuable piece of information you’ve ever stored on a computer m How much you rely on computer systems to be available when you need them m The degree to which you question whether a piece of email really came from the person listed in the From field m How convenient it is to be able to access private information online (e.g. buy without entering all data, look up your transcript without requesting a copy,…)

3 7: Network Security3 Importance of Network Security r Society is becoming increasingly reliant on the correct and secure functioning of computer systems m Medical records, financial transactions, etc. r It is our jobs as professional computer scientists: m To evaluate the systems we use to understand their weaknesses m To educate ourselves and others to be wise network consumers m To design networked systems that are secure

4 7: Network Security4 Types of attacks  What are we worried about?  Passive:  Interception: attacks confidentiality. a.k.a., eavesdropping, “man-in-the-middle” attacks.  Traffic Analysis: attacks confidentiality, or anonymity. Can include traceback on a network, CRT radiation.  Active:  Interruption: attacks availability. (a.k.a., denial-of-service attacks  Modification: attacks integrity.  Fabrication: attacks authenticity.

5 7: Network Security5 Fundamentals of Defense r What can we do about it? r Restricted Access m Restrict physical access, close network ports, isolate from the Internet, firewalls, NAT gateways, switched networks r Monitoring m Know what normal is and watch for deviations r Heterogeneity/Randomness m Variety of Implementations, Random sequence numbers, Random port numbers r Cryptography……

6 7: Network Security6 r The most widely used tool for securing information and services is cryptography. r Cryptography relies on ciphers: mathematical functions used for encryption and decryption of a message. m Encryption: the process of disguising a message in such a way as to hide its substance. m Ciphertext: an encrypted message m Decryption: the process of returning an encrypted message back into plaintext. Cryptography Encryption Decryption PlaintextCiphertext Original Plaintext

7 7: Network Security7 What makes a good cipher? substitution cipher: substituting one thing for another m monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Q: How hard to break this simple cipher?: brute force (how hard?) other?

8 7: Network Security8 Ciphers r The security of a cipher (like a substitution cipher) may rest in the secrecy of its restricted algorithm. m Whenever a user leaves a group, the algorithm must change. m Can’t be scrutinized by people smarter than you. m But, secrecy is a popular approach :( r Modern cryptography relies on secret keys, a selected value from a large set (a keyspace), e.g., a 1024-bit number. 2 1024 values! m Security is based on secrecy of the key, not the details of the algorithm. m Change of authorized participants requires only a change in key.

9 7: Network Security9 Keys: Symmetric vs Assymetric r The most common cryptographic tools are m Symmetric key ciphers Use same key to encrypt and decrypt One key shared and kept secret DES, 3DES, AES, Blowfish, Twofish, IDEA Fast and simple (based on addition, masks, and shifts) Typical key lengths are 40, 128, 256, 512 m Asymmetric key ciphers Pair of keys: one encrypts and another decrpyts One key (the private key) must be kept secret; the other key (the public key) can be freely disclosed RSA, El Gamal Slow, but versatile (usually requires exponentiation) Typical key lengths are 512, 1024, 2048

10 7: Network Security10 Session Keys r Symmetric key algorithms are faster than asymmetric key algorithms r Often asymmetric key cryptography used to exchange a shared secret key r This key called a symmetric session key is then used to encrypt this conversation with symmetric key cryptograhy r Each new conversation would use a different session key r Other benefits (In addition to efficiency) m session keys also reduce the key exposure or amount of encrypted text that could be collected to aid in analysis m If session key compromised only get info in the last session

11 7: Network Security11 Symmetric key crypto: DES DES: Data Encryption Standard r US encryption standard [NIST 1993] r 56-bit symmetric key, 64 bit plaintext input m initial permutation m 16 identical “rounds” of function application, each using different 48 bits of key m final permutation r How secure is DES? m DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in a little over 22 hours (1999 DES Challenge III) m no known “backdoor” decryption approach r making DES more secure m use three keys sequentially (3-DES) on each datum m use cipher-block chaining

12 7: Network Security12 Public key encryption algorithms need a decryption function d B ( ) and an encryption function e B ( ) such that d (e (m)) = m B B.. need public and private keys for d B ( ) and e B ( ).. Two inter-related requirements: 1 2 e (d (m)) = m B B

13 7: Network Security13 RSA r Ronald L. Rivest, Adi Shamir and Leonard M. Adleman m Won 2002 Turing award for this work! r Want a function e B that is easy to do, but hard to undo without a special decryption key r Based on the difficulty of factoring large numbers (especially ones that have only large prime factors)

14 7: Network Security14 RSA in a nutshell 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e< n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). Why? (Will hint at) How? (Won’t discuss)

15 7: Network Security15 RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern (message), m, compute c = m mod n e (i.e., remainder when m is divided by n) e 2. To decrypt received bit pattern, c, compute m = c mod n d (i.e., remainder when c is divided by n) d m = (m mod n) e mod n d Magic happens!

16 7: Network Security16 RSA: small example Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. letter m m e c = m mod n e l 12 1524832 17 c m = c mod n d 17 481968572106750915091411825223072000 12 c d letter l encrypt: decrypt:

17 7: Network Security17 RSA: Why? m = (m ) e mod n d (m ) e mod n = m mod n d ed Number theory result: If p,q prime, n = pq, then x mod n = x mod n yy mod (p-1)(q-1) = m mod n ed mod (p-1)(q-1) = m mod n 1 = m (using number theory result above) (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) If it were easy to factor n into p and q then we would be in trouble!

18 7: Network Security18 Reversible r What the private key encrypts the public key decrypts r What the public key encrypts the private key decrypts

19 7: Network Security19 Practical matters r Big primes like 5 and 7 ( ) already generated big numbers like m What would happen with 1024 bit keys? m Costly operations! r Finding big primes? 481968572106750915091411825223072000

20 7: Network Security20 Storing your keys r For both symmetric and asymmetric cryptography how do you store the keys? m Typical key lengths are 512, 1024, 2048 r Can’t exactly memorize it r Ok to store in on your computer? In a shared file system? No! r Normally stored in a file encrypted with a pass phrase r Pass phrase != your key

21 7: Network Security21 Using Cryptography

22 7: Network Security22 Uses of Cryptography r Secrecy/Confidentiality : ensuring information is accessible only by authorized persons m Traditionally, the primary objective of cryptography. m E.g. encrypting a message r Authentication : corroboration of the identity of an entity m allows receivers of a message to identify its origin m makes it difficult for third parties to masquerade as someone else m e.g., your driver’s license and photo authenticates your image to a name, address, and birth date.

23 7: Network Security23 Uses of Cryptography r Integrity : ensuring information has not been altered by unauthorized or unknown means m Integrity makes it difficult for a third party to substitute one message for another. m It allows the recipient of a message to verify it has not been modified in transit. r Nonrepudiation : preventing the denial of previous commitments or actions m makes it difficult for the originator of a message to falsely deny later that they were the party that sent the message. m E.g., your signature on a document.

24 7: Network Security24 Friends and enemies: Alice, Bob, Trudy r well-known in network security world r Bob, Alice want to communicate “securely” r Trudy, the “intruder” may intercept, delete, add messages Figure 7.1 goes here

25 7: Network Security25 The language of cryptography Figure 7.3 goes here plaintext ciphertext K A K B

26 7: Network Security26 Digital Signatures Cryptographic technique analogous to hand- written signatures. r Sender (Bob) digitally signs document, establishing he is document owner/creator. r Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document. Simple digital signature for message m: r Bob encrypts m with his private key d B, creating signed message, d B (m). r Bob sends m and d B (m) to Alice.

27 7: Network Security27 Digital Signatures (more) r Suppose Alice receives msg m, and digital signature d B (m) r Alice verifies m signed by Bob by applying Bob’s public key e B to d B (m) then checks e B (d B (m) ) = m. r If e B (d B (m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: m Bob signed m. m No one else signed m. m Bob signed m and not m’. Non-repudiation: m Alice can take m, and signature d B (m) to court and prove that Bob signed m.

28 7: Network Security28 Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length,easy to compute digital signature, “fingerprint” r apply hash function H to m, get fixed size message digest, H(m). Hash function properties: r Many-to-1 r Produces fixed-size msg digest (fingerprint) r Given message digest x, computationally infeasible to find m such that x = H(m) r computationally infeasible to find any two messages m and m’ such that H(m) = H(m’).

29 7: Network Security29 Digital signature = Signed message digest Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message:

30 7: Network Security30 Hash Function Algorithms r Internet checksum would make a poor message digest. m Too easy to find two messages with same checksum. r MD5 hash function widely used. m Computes 128-bit message digest in 4-step process. m arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. r SHA-1 is also used. m US standard m 160-bit message digest

31 7: Network Security31 Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario??

32 7: Network Security32 Authentication: another try Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. Failure scenario?

33 7: Network Security33 Authentication: yet another try Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Failure scenario? Trudy can’t decrypt password But can still replay it I am Alice encrypt(password)

34 7: Network Security34 ap4.0: Authentication: yet another try Goal: avoid playback attack Failures, drawbacks? Figure 7.11 goes here Nonce: number (R) used onlyonce in a lifetime ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

35 7: Network Security35 Figure 7.12 goes here Authentication: ap5.0 ap4.0 requires shared symmetric key m problem: how do Bob, Alice agree on key? m are public key techniques any better? ap5.0: use nonce, public key cryptography What proves e A is Alice’s public key?

36 7: Network Security36 Figure 7.14 goes here ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Need “certified” public keys

37 7: Network Security37 Trusted Intermediaries Problem: m How do two entities establish shared secret key over network? Solution: m trusted key distribution center (KDC) acting as intermediary between entities Problem: m When Alice obtains Bob’s public key (from web site, e- mail, diskette), how does she know it is Bob’s public key, not Trudy’s? Solution: m trusted certification authority (CA)

38 7: Network Security38 Key Distribution Center (KDC) r Alice,Bob need shared symmetric key. r KDC: server shares different secret key with each registered user. r Alice, Bob know own symmetric keys, K A-KDC K B-KDC, for communicating with KDC. r Alice communicates with KDC, gets session key R1, and K B-KDC (A,R1) r Alice sends Bob K B-KDC (A,R1), Bob extracts R1 r Alice, Bob now share the symmetric key R1.

39 7: Network Security39 Certification Authorities r Certification authority (CA) binds public key to particular entity. r Entity (person, router, etc.) can register its public key with CA. m Entity provides “proof of identity” to CA. m CA creates certificate binding entity to public key. m Certificate digitally signed by CA. m Public key of CA can be universally known (on billboard, embedded in software) - unless have to change because private key compromised r When Alice wants Bob’s public key: r gets Bob’s certificate (Bob or elsewhere). r Apply CA’s public key to Bob’s certificate, get Bob’s public key

40 7: Network Security40 Establishing Trust r Is the problem of establishing “trust” with a key authority or certification authority the same as establishing “trust” with anyone else? m Private Key: How do you agree on a shared secret key with the key authority? m Public Key: CA can put their public key on a bulletin board but how do you convince them that your public key really is your public key? r Problem is the same!! m Use out of band means r BUT!!!! Once you establish trust with them you can use that to bootstrap trust with others

41 7: Network Security41 Outtakes

42 7: Network Security42 Security Services r Authorization r Access Control r Availability r Anonymity r Privacy r Certification r Revocation

43 7: Network Security43 Security Services r Authorization: conveyance of official sanction to do or be something to another entity. m Allows only entities that have been authenticated and who appear on an access list to utilize a service. m E.g., your date of birth on your driver’s license authorizes you to drink as someone who is over 21. r Access Control: restricting access to resources to privileged entities. m ensures that specific entities may perform specific operations on a secure object. m E.g. Unix access control for files (read, write, execute for owner, group, world)

44 7: Network Security44 Security Services r Availability: ensuring a system is available to authorized entities when needed m ensures that a service or information is available to an (authorized) user upon demand and without delay. m Denial-of-service attacks seek to interrupt a service or make some information unavailable to legitimate users.

45 7: Network Security45 Security Services r Anonymity : concealing the identity of an entity involved in some process m Concealing the originator of a message within a set of possible entities. The degree of anonymity of an entity is the sum chance that everyone else in the set is the originator of the message. Anonymity is a technical means to privacy. r Privacy: concealing personal information, a form of confidentiality.

46 7: Network Security46 Security Services r Certification: endorsement of information by a trusted entity. r Revocation: retraction of certification or authorization r Certification and Revocation m Just as important as certifying an entity, we need to be able to take those rights away, in case the system is compromised, we change policy, or the safety that comes from a “refresh”.

47 7: Network Security47 Public key cryptography

48 7: Network Security48

49 7: Network Security49 Taxonomy of Attacks (2)  ‘Result of the attack’ taxonomy  Increased Access the quest for root  Disclosure of Information credit card numbers  Corruption of Information changing grades, etc  Denial of Service self explanatory  Theft of Resources stealing accounts, bandwidth

50 7: Network Security50 Using Cryptography for: Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Authentication: sender, receiver want to confirm identity of each other Secrecy: only sender, intended receiver should “understand” msg contents m sender encrypts msg m receiver decrypts msg

Download ppt "7: Network Security1 15: Network Security Basics Last Modified: 7/12/2015 3:54:55 PM."

Similar presentations

Cryptography. 8: Network Security8-2 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encryption.

Cryptography. 8: Network Security8-2 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encryption.
Public Key Cryptography & Message Authentication By Tahaei Fall 2012.

Public Key Cryptography & Message Authentication By Tahaei Fall 2012.
1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.

1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.
Network Security Hwajung Lee. What is Computer Networks? A collection of autonomous computers interconnected by a single technology –Interconnected via:

Network Security Hwajung Lee. What is Computer Networks? A collection of autonomous computers interconnected by a single technology –Interconnected via:
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Authentication Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Authentication Digital Signature Key distribution.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
8: Network Security8-1 21 - Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.

8: Network Security Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.
7: Network Security1 Chapter 7: Network security – Author? Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.

7: Network Security1 Chapter 7: Network security – Author? Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.

1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.
CSE401n:Computer Networks

CSE401n:Computer Networks
Network Security understand principles of network security:

Network Security understand principles of network security:
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,

8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
7: Network Security1 21: Network Security Basics Last Modified: 6/28/2015 2:03:02 PM Some slides based on notes from cs515 at UMass.

7: Network Security1 21: Network Security Basics Last Modified: 6/28/2015 2:03:02 PM Some slides based on notes from cs515 at UMass.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.

Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google