3m ago

25 Views

5 Downloads

398.65 KB

23 Pages

Transcription

What is network security?Chapter 8Network SecurityA note on the use of these ppt slides:We’re making these slides freely available to all (faculty, students, readers).They’re in PowerPoint form so you can add, modify, and delete slides(including this one) and slide content to suit your needs. They obviouslyrepresent a lot of work on our part. In return for use, we only ask thefollowing: If you use these slides (e.g., in a class) in substantially unaltered form, thatyou mention their source (after all, we’d like people to use our book!) If you post any slides in substantially unaltered form on a www site, thatyou note that they are adapted from (or perhaps identical to) our slides, andnote our copyright of this material.Computer Networking:A Top Down Approach ,5th edition.Jim Kurose, Keith RossAddison-Wesley, April2009.Thanks and enjoy! JFK/KWRConfidentiality: only sender, intended receivershould “understand” message contents sender encrypts message receiver decrypts messageAuthentication: sender, receiver want to confirmidentity of each otherMessage integrity: sender, receiver want to ensuremessage not altered (in transit, or afterwards)without detectionAccess and availability: services must be accessibleand available to usersAll material copyright 1996-2010J.F Kurose and K.W. Ross, All Rights ReservedNetwork Security8-1Network SecurityChapter 8: Network SecurityFriends and enemies: Alice, Bob, TrudyChapter goals: understand principles of network security: cryptography and its many uses beyond“confidentiality” authentication message integrity well-known in network security worldBob, Alice (lovers!) want to communicate “securely”Trudy (intruder) may intercept, delete, add messagesAlicechannelsecurity in practice:data firewalls and intrusion detection systems security in application, transport, network, linklayersNetwork Security8-4securesenderBobdata, controlmessagessecurereceiverdataTrudy8-2Chapter 8 roadmapNetwork Security8-5Who might Bob, Alice be? well, real-life Bobs and Alices!Web browser/server for electronictransactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 Securing e-mail8.5 Securing TCP connections: SSL8.6 Network layer security: IPsec8.7 Securing wireless LANs8.8 Operational security: firewalls and IDSNetwork Security 8-3Network Security8-6

Simple encryption schemeThere are bad guys (and girls) out there!Q: What can a “bad guy” do?A: A lot! See section 1.6substitution cipher: substituting one thing for another monoalphabetic cipher: substitute one letter for another Caesar cipher: substitute any letter with a letter that is kletters away. Mono alphabetic: substitute any letter with another letter. eavesdrop: intercept messages actively insert messages into connection impersonation: can fake (spoof) source addressin packet (or any field in packet) hijacking: “take over” ongoing connection byremoving sender or receiver, inserting himselfin place denial of service: prevent service from beingused by others (e.g., by overloading resources)Network SecurityNetwork Security For each new plaintext symbol, usesubsequent monoalphabetic pattern incyclic pattern dog: d from M1, o from M3, g from M4 Key: the n ciphers and the cyclic pattern8-8Network Security8-11Breaking an encryption schemeBob’sK decryptionB keyciphertextn monoalphabetic ciphers, M1,M2, ,MnCycling pattern: e.g., n 4, M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; The language of cryptographyencryptionalgorithm8-10Polyalphabetic encryptionNetwork xt: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbc8-7 keyciphertext:Key: the mapping from the set of 26 letters to theset of 26 letters. How difficult to break?8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 Securing e-mail8.5 Securing TCP connections: SSL8.6 Network layer security: IPsec8.7 Securing wireless LANs8.8 Operational security: firewalls and IDSAlice’sabcdefghijklmnopqrstuvwxyzE.g.:Chapter 8 roadmapK encryptionAplaintext: decryption plaintextalgorithm Search through allkeys: must be able todifferentiate resultingplaintext fromgibberish Statistical analysism plaintext messageKA(m) ciphertext, encrypted with key KAm KB(KA(m))Symmetric key KA and KB are identicalPublic key uses a pair of keys, one public and one privateNetwork SecurityCipher-text onlyattack: Trudy hasciphertext that shecan analyzeTwo approaches:8-9 Known-plaintext attack:Trudy has someplaintext correspondingto some ciphertext e.g., in monoalphabeticcipher, Trudy determinespairings for a,l,i,c,e,b,o, Chosen-plaintext attack:Trudy can get theciphertext for somechosen plaintextNetwork Security8-12

Types of CryptographyStream Cipherspseudo random Crypto often uses keys:key Algorithm is known to everyone Only “keys” are secret Public key cryptography Symmetric key cryptography Involves the use of two keys Involves the use one key Involves the use of no keys Nothing secret: How can this be useful? Hash functions Network SecuritySCombine each bit of keystream with bit ofplaintext to get bit of ciphertextm(i) ith bit of messageks(i) ith bit of keystreamc(i) ith bit of ciphertextc(i) ks(i) m(i) ( exclusive or)m(i) ks(i) c(i)Network Security8-16RC4 Stream CipherKSencryption ciphertextplaintextmessage, m algorithmK (m)keystream8-13Symmetric key cryptographyKSkeystreamgenerator RC4 is a popular stream cipher decryption plaintextalgorithmm KS(KS(m))Extensively analyzed and considered goodKey can be from 1 to 256 bytesUsed in WEP for 802.11Can be used in SSLsymmetric key crypto: Bob and Alice share same(symmetric) key: KS e.g., key is knowing substitution pattern in monoalphabetic substitution cipherQ: how do Bob and Alice agree on key value?Network Security8-14Stream ciphersMessage to be encrypted is processed inblocks of k bits (e.g., 64-bit blocks). 1-to-1 mapping is used to map k-bit block ofplaintext to k-bit block of ciphertextExample with k 3: encrypt one bit at time 8-17Block ciphersTwo types of symmetric ciphers Network SecurityBlock ciphers Break plaintext message in equal-size blocks Encrypt each block as a unitinput output000110001111010101011100input output100011101010110000111001What is the ciphertext for 010110001111 ?Network Security8-15Network Security8-18

Block ciphers Encrypting a large messageHow many possible mappings are there fork 3? How many 3-bit inputs? How many permutations of the 3-bit inputs? Answer: 40,320 ; not very many! If same block of plaintext appears twice, willgive same ciphertext. Table approach requires table with 264 entries,each entry with 64 bitsTable too big: instead use function thatsimulates a randomly permuted tableNetwork Security8-19From Kaufmanet alPrototype functionHow about: Generate random 64-bit number r(i) for eachplaintext block m(i) Calculate c(i) KS( m(i) r(i) ) Transmit c(i), r(i), i 1,2, At receiver: m(i) KS(c(i)) r(i) Problem: inefficient, need to send c(i) and r(i)In general, 2k! mappings; huge for k 64 Problem: Why not just break message in 64-bitblocks, encrypt each block separately?Network Security8-22Example64-bit 3S4S5S6S7S88 bits8 bits8 bits8 bits8 bits8 bits8 bits8 bits8-bit to8-bitmapping64-bit intermediateLoop forn roundsPlain text is 010 010 010 using theprevious table The ciphertext is 101 101 101 Trudy will know that the three symbols(letters) are the same. Now consider r(1 . 3) 001 111 100 m r 011 101 110 Ciphertext is 100 010 000 64-bit outputNetwork Security8-20Why rounds in prototype?Network Security8-23Cipher Block Chaining (CBC)If only a single round, then one bit of inputaffects at most 8 bits of output. In 2nd round, the 8 affected bits getscattered and inputted into multiplesubstitution boxes. How many rounds? Have encryption of current block depend on result ofprevious block c(i) KS( m(i) c(i-1) ) m(i) KS( c(i)) c(i-1) How do we encrypt first block? Initialization vector (IV): random block c(0) IV does not have to be secret How many times do you need to shuffle cards Becomes less efficient as n increasesNetwork SecurityCBC generates its own random numbers Change IV for each message (or session) Guarantees that even if the same message is sentrepeatedly, the ciphertext will be completely differenteach time8-21Network Security8-24

ExampleSymmetric keycrypto: DESMessage 010 010 010 IV 001c(1) Ks(010 001) Ks(011) 100 c(2) Ks(010 100) Ks(110) 000 c(3) Ks(010 000) Ks(010) 101 Transmitted message 100 000 101 DES operation initial permutation16 identical “rounds” offunction application,each using different48 bits of keyfinal permutationNetwork Security8-25Cipher Block Chaining cipher block: if inputblock repeated, willproduce same ciphertext:t 1 t 17m(1) “HTTP/1.1”m(17) “HTTP/1.1”blockcipherc(1)blockcipherc(17) “k329aM02” “k329aM02”m(i)c(i-1) blockcipher8-26Symmetric key crypto: DES Network Security8-29Public Key CryptographyDES: Data Encryption Standard new (Nov. 2001) symmetric-key NISTstandard, replacing DES processes data in 128 bit blocks 128, 192, or 256 bit keys brute force decryption (try each key)taking 1 sec on DES, takes 149 trillionyears for AES c(i)Network Security 8-28AES: Advanced Encryption Standardcipher block chaining:XOR ith input block, m(i),with previous block ofcipher text, c(i-1) c(0) transmitted toreceiver in clear what happens in“HTTP/1.1” scenariofrom above?Network Securitysymmetric key cryptoUS encryption standard [NIST 1993]56-bit symmetric key, 64-bit plaintext inputBlock cipher with cipher block chainingHow secure is DES? DES Challenge: 56-bit-key-encrypted phrasedecrypted (brute force) in less than a day No known good analytic attackmaking DES more secure: 3DES: encrypt 3 times with 3 different keys(actually encrypt, decrypt, encrypt)Network Security requires sender,receiver know sharedsecret keyQ: how to agree on keyin first place(particularly if never“met”)?public key cryptography 8-27radically differentapproach [DiffieHellman76, RSA78]sender, receiver donot share secret keypublic encryption keyknown to allprivate decryptionkey known only toreceiverNetwork Security8-30

RSA: getting readyPublic key cryptography KB Bob’s publicplaintextmessage, mencryption ciphertextalgorithm K (m) decryption plaintextalgorithm message m K B(K (m))BBNetwork Security8-311 need K ( ) and K - ( ) such thatBB- K (K (m)) m2.2. Compute n pq, z (p-1)(q-1)3. Choose e (with e n) that has no common factorswith z. (e, z are “relatively prime”).B given public key KB , it should be4. Choose d such that ed-1 is exactly divisible by z.(in other words: ed mod z 1 ).impossible to computeprivate key KB5. Public key is (n,e). Private key is (n,d).RSA: Rivest, Shamir, Adelson algorithmNetwork Security KB Network Security8-35RSA: Encryption, decryption0. Given (n,e) and (n,d) as computed abovex mod n remainder of x when divide by nFacts:1. To encrypt message m ( n), compute[(a mod n) (b mod n)] mod n (a b) mod n[(a mod n) - (b mod n)] mod n (a-b) mod n[(a mod n) * (b mod n)] mod n (a*b) mod n -KB8-32Prerequisite: modular arithmetic 8-341. Choose two large prime numbers p, q.(e.g., 1024 bits each)Requirements:BNetwork SecurityRSA: Creating public/private keypairPublic key encryption algorithms.A message is a bit pattern.A bit pattern can be uniquely represented by aninteger number. Thus encrypting a message is equivalent toencrypting a number.Example m 10010001 . This message is uniquelyrepresented by the decimal number 145. To encrypt m, we encrypt the correspondingnumber, which gives a new number (theciphertext). keyK Bob’s privateB keyc m e mod n2. To decrypt received bit pattern, c, computeThus(a mod n)d mod n ad mod nExample: x 14, n 10, d 2:(x mod n)d mod n 42 mod 10 6xd 142 196 xd mod 10 6m c d mod nMagicdm (m e mod n) mod nhappens!cNetwork Security8-33Network Security8-36

RSA example:WhyBob chooses p 5, q 7. Then n 35, z 24.e 5 (so e, z relatively prime).d 29 (so ed-1 exactly divisible by z).decrypt:bit patternmme0000l00012248832c me mod n481968572106750915091411825223071697m cd mod n12Network Security8-37Why does RSA work? BK (K (m)) m K (K (m))use public keyfirst, followedby private keyNetwork Security8-41Session keysThe following property will be very useful later: Bhave to find big primes p and qapproach: make good guess then applytesting rules (see Kaufman)8-38RSA: another important property 8-40Generating RSA keysNetwork SecurityBNetwork Securitysuppose you know Bob’s public key (n,e).How hard is it to determine d? essentially need to find factors of nwithout knowing the two factors p and q. fact: factoring a big number is hard.Thus,cd mod n (me mod n)d mod n med mod n m(ed mod z) mod n m1 mod n m-? Must show that cd mod n mwhere c me mod nFact: for any x and y: xy mod n x(y mod z) mod nBBWhy is RSA Secure? where n pq and z (p-1)(q-1) B(me mod n)d mod n med mod n mde mod n (md mod n)e mod n17dcc17 BFollows directly from modular arithmetic:Encrypting 8-bit messages.encrypt:-BK (K (m)) m K (K (m))Exponentiation is computationally intensiveDES is at least 100 times faster than RSASession key, KSBob and Alice use RSA to exchange asymmetric key KS Once both have KS, they use symmetric keycryptography use private keyfirst, followedby public keyResult is the same!Network Security8-39Network Security8-42

Internet checksum: poor messagedigestChapter 8 roadmapInternet checksum has some properties of hash function:9 produces fixed length digest (16-bit sum) of input9 is many-to-one8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 Securing e-mail8.5 Securing TCP connections: SSL8.6 Network layer security: IPsec8.7 Securing wireless LANs8.8 Operational security: firewalls and IDSNetwork SecuritymessageI O U 10 0 . 99 B O B Content of message has not been alteredSource of message is who/what you think it isMessage has not been replayedSequence of messages is maintained let’s first talk about message digests 8-44Network Security8-47Message Authentication Code (MAC)largemessagemsH: HashFunctionH(m)sH( )desirable properties: easy to calculate irreversibility: Can’tdetermine m from H(m) collision resistance:computationally difficultto produce m and m’ suchthat H(m) H(m’) seemingly random outputNetwork Securitys shared secretmessagefunction H( ) thattakes as input anarbitrary lengthmessage and outputs afixed-length string:“message signature”note that H( ) is amany-to-1 functionH( ) is often called a“hash function”MD5 hash function widely used (RFC 1321) computes 128-bit message digest in 4-stepprocess.SHA-1 is also used. US standard [NIST, FIPS PUB 180-1] 160-bit message digestmessageMessage Digests8-46Hash Function AlgorithmsNetwork Security Network Securitymessage ASCII format49 4F 55 3930 30 2E 3139 42 D2 42B2 C1 D2 ACdifferent messagesbut identical checksums!8-43allows communicating parties to verify thatreceived messages are authentic. messageI O U 90 0 . 19 B O BASCII format49 4F 55 3130 30 2E 3939 42 D2 42B2 C1 D2 ACMessage Integrity but given message with given hash value, it is easy to find anothermessage with same hash value. e.g.,: simplified checksum: add 4-byte chunks at a time: 8-45H( )compareAuthenticates senderVerifies message integrityNo encryption !Also called “keyed hash”Notation: MDm H(s m) ; send m MDmNetwork Security8-48

HMAC End-point authenticationpopular MAC standardaddresses some subtle security flawsoperation: want to be sure of the originator of themessage – end-point authentication assuming Alice and Bob have a sharedsecret, will MAC provide end-pointauthentication? concatenates secret to front of message.hashes concatenated messageconcatenates secret to front of digesthashes combination again we do know that Alice created message. but did she send it?Network Security8-49 Recall that OSPF is anintra-AS routingprotocolEach router createsmap of entire AS (orarea) and runsshortest pathalgorithm over map.Router receives linkstate advertisements(LSAs) from all otherrouters in AS.MAC f(msg,s)Attacks: Message insertion Message deletion Message modification Transfer 1M fromMACBill to Trudy8-50 no authentication shared password:inserted in clear in 64bit authentication fieldin OSPF packet cryptographic hash cryptographic hashwith MD58-53Network Security8-54“I am Alice” 64-bit authenticationfield includes 32-bitsequence number MD5 is run over aconcatenation of theOSPF packet andshared secret key MD5 hash thenappended to OSPFpacket; encapsulated inIP datagramNetwork SecurityNetwork SecurityDefending against playbackattack: nonceOSPF Authenticationwithin an AutonomousSystem, routers sendOSPF messages toeach other.OSPF providesauthentication choicesTransfer 1Mfrom Bill to Trudy MACHow do we know if anOSPF message isauthentic?Network Security 8-52Playback attackExample: OSPF Network SecurityRMAC f(msg,s,R)8-51Transfer 1Mfrom Bill to SusanMAC

Digital Signatures (more)Digital Signatures cryptographic technique analogous to handwritten signatures. sender (Bob) digitally signs document,establishing he is document owner/creator.goal is similar to that of MAC, except now usepublic-key cryptographyverifiable, nonforgeable: recipient (Alice) canprove to someone that Bob, and no one else(including Alice), must have signed document Network Security Bob signs m by encrypting with his private keyKB-, creating “signed” message, KB(m)K B Bob’s privatePublic keyencryptionalgorithm Trudy signs order with her private key Trudy sends order to Pizza Store Trudy sends to Pizza Store her public key, butsays it’s Bob’s public key. Pizza Store verifies signature; then deliversfour pizzas to Bob. Bob doesn’t even like PepperoniBobʼs message, m,signed (encrypted)with his privatekeyNetwork Security8-56Digital signature signed message digestlargemessagemH: HashfunctionBob’sprivatekey -KBlargemessagemencryptedmsg digestH: Hashfunction-KB(H(m)) encryptedmsg ickey KBNetwork Securitydigitalsignature(decrypt) Certification authority (CA): binds public key toparticular entity, E.E (person, router) registers its public key with CA. E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by CA– CA says “this is E’s public formationequal?Network Security8-59Certification AuthoritiesAlice verifies signature andintegrity of digitally signedmessage:H(m)motivation: Trudy plays pizza prank on BobDear Pizza Store, Please deliver to me fourpepperoni pizzas. Thank you, Bob-BobBob sends digitally signedmessage:8-58 Trudy creates e-mail order:K B(m)keyOh, how I have missedyou. I think of you allthe time! (blah blahblah)-Public-key certificationsimple digital signature for message m:Dear Alice if KB(KB(m) ) m, whoever signed m must have usedBob’s private key.8-55Digital SignaturesBob’s message, mAlice verifies m signed by Bob by applying Bob’s public key KB to KB(m) then checks KB(KB(m) ) m.Alice thus verifies that:9 Bob signed m.9 no one else signed m.9 Bob signed m and not m’.Non-repudiation:9 Alice can take m, and signature KB(m) tocourt and prove that Bob signed m.Network Security -suppose Alice receives msg m, digital signature KB(m)8-57 KBdigitalsignature(encrypt)CAprivatekeyK CA KBcertificate forBob’s public key,signed by CANetwork Security8-60

Certification Authorities Secure e-mailwhen Alice wants Bob’s public key: gets Bob’s certificate (Bob or elsewhere). apply CA’s public key to Bob’s certificate, getBob’s public key KBd

security in application, transport, network, link layers Network Security 8-3 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security